# # spec file for package shim # # Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # # needssslcertforbuild Name: shim Version: 0.9 Release: 0 Summary: UEFI shim loader License: BSD-2-Clause Group: System/Boot Url: https://github.com/mjg59/shim Source: %{name}-%{version}.tar.bz2 # run "extract_signature.sh shim.efi" where shim.efi is the binary # with the signature from the UEFI signing service. Source1: signature-opensuse.asc Source2: openSUSE-UEFI-CA-Certificate.crt Source3: shim-install Source4: SLES-UEFI-CA-Certificate.crt Source5: extract_signature.sh Source6: attach_signature.sh Source7: show_hash.sh Source8: show_signatures.sh Source9: openSUSE-UEFI-CA-Certificate-4096.crt Source10: timestamp.pl Source11: strip_signature.sh Source12: signature-sles.asc # PATCH-FIX-SUSE shim-only-os-name.patch glin@suse.com -- Only include the OS name in version.c Patch1: shim-only-os-name.patch # PATCH-FIX-UPSTREAM shim-fix-gnu-efi-30w.patch glin@suse.com -- Adapt the change in gnu-efi 3.0w Patch2: shim-fix-gnu-efi-30w.patch # PATCH-FIX-UPSTREAM shim-fix-mokmanager-sections.patch glin@suse.com -- Fix the objcopy parameters for the EFI files Patch3: shim-fix-mokmanager-sections.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not Patch100: shim-opensuse-cert-prompt.patch BuildRequires: gnu-efi >= 3.0t BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 BuildRequires: pesign BuildRequires: pesign-obs-integration Requires: perl-Bootloader BuildRoot: %{_tmppath}/%{name}-%{version}-build # For shim-install script Requires: grub2-efi ExclusiveArch: x86_64 aarch64 %description shim is a trivial EFI application that, when run, attempts to open and execute another application. Authors: -------- Matthew Garrett %prep %setup -q %patch1 -p1 %patch2 -p1 %patch3 -p1 %patch100 -p1 %build # first, build MokManager and fallback as they don't depend on a # specific certificate make EFI_PATH=/usr/lib64 RELEASE=0 MokManager.efi fallback.efi 2>/dev/null # now build variants of shim that embed different certificates default='' suffixes=(opensuse sles) # check whether the project cert is a known one. If it is we build # just one shim that embeds this specific cert. If it's a devel # project we build all variants to simplify testing. if test -e %{_sourcedir}/_projectcert.crt ; then prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash) prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash) opensusesubject=$(openssl x509 -in %{SOURCE2} -noout -subject_hash) slessubject=$(openssl x509 -in %{SOURCE4} -noout -subject_hash) if test "$prjissuer" = "$opensusesubject" ; then suffixes=(opensuse) elif test "$prjissuer" = "$slessubject" ; then suffixes=(sles) elif test "$prjsubject" = "$prjissuer" ; then suffixes=(devel opensuse sles) fi fi for suffix in "${suffixes[@]}"; do if test "$suffix" = "opensuse"; then cert=%{SOURCE2} cert2=%{SOURCE9} verify='openSUSE Secure Boot CA1' signature=%{SOURCE1} elif test "$suffix" = "sles"; then cert=%{SOURCE4} cert2='' verify='SUSE Linux Enterprise Secure Boot CA1' signature=%{SOURCE12} elif test "$suffix" = "devel"; then cert=%{_sourcedir}/_projectcert.crt cert2='' verify=`openssl x509 -in "$cert" -noout -email` signature='' test -e "$cert" || continue else echo "invalid suffix" false fi openssl x509 -in $cert -outform DER -out shim-$suffix.der rm -f shim_cert.h shim.cer shim.crt if [ -z "$cert2" ]; then # create empty local cert file, we don't need a local key pair as we # sign the mokmanager with our vendor key touch shim.crt touch shim.cer else cp $cert2 shim.crt fi # make sure cast warnings don't trigger post build check make EFI_PATH=/usr/lib64 RELEASE=0 VENDOR_CERT_FILE=shim-$suffix.der shim.efi 2>/dev/null # # assert correct certificate embedded grep -q "$verify" shim.efi # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx chmod 755 %{SOURCE10} # alternative: verify signature #sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi if test -n "$signature"; then head -1 "$signature" > hash1 cp shim.efi shim.efi.bak # pe header contains timestamp and checksum. we need to # restore that %{SOURCE10} --set-from-file "$signature" shim.efi pesign -h -P -i shim.efi > hash2 cat hash1 hash2 if ! cmp -s hash1 hash2; then echo "ERROR: $suffix binary changed, need to request new signature!" %if %{defined shim_enforce_ms_signature} false %endif mv shim.efi.bak shim-$suffix.efi rm shim.efi else # attach signature pesign -m "$signature" -i shim.efi -o shim-$suffix.efi rm -f shim.efi fi else mv shim.efi shim-$suffix.efi fi rm -f shim.cer shim.crt # make sure cert.o gets rebuilt rm -f cert.o done ln -s shim-${suffixes[0]}.efi shim.efi %install export BRP_PESIGN_FILES='%{_libdir}/efi/shim*.efi %{_libdir}/efi/MokManager.efi %{_libdir}/efi/fallback.efi' install -d %{buildroot}/%{_libdir}/efi cp -a shim*.efi %{buildroot}/%{_libdir}/efi install -m 444 shim-*.der %{buildroot}/%{_libdir}/efi install -m 644 MokManager.efi %{buildroot}/%{_libdir}/efi/MokManager.efi install -m 644 fallback.efi %{buildroot}/%{_libdir}/efi/fallback.efi install -d %{buildroot}/%{_sbindir} install -m 755 %{SOURCE3} %{buildroot}/%{_sbindir}/ # install SUSE certificate install -d %{buildroot}/%{_sysconfdir}/uefi/certs/ for file in shim-*.der; do fpr=$(openssl x509 -sha1 -fingerprint -inform DER -noout -in $file | cut -c 18- | cut -d ":" -f 1,2,3,4 | sed 's/://g') install -m 644 $file %{buildroot}/%{_sysconfdir}/uefi/certs/$fpr.crt done %clean %{?buildroot:%__rm -rf "%{buildroot}"} %post /sbin/update-bootloader --reinit || true %files %defattr(-,root,root) %doc COPYRIGHT %dir %{_libdir}/efi %{_libdir}/efi/shim.efi %{_libdir}/efi/shim-*.efi %{_libdir}/efi/shim-*.der %{_libdir}/efi/MokManager.efi %{_libdir}/efi/fallback.efi %{_sbindir}/shim-install %dir %{_sysconfdir}/uefi/ %dir %{_sysconfdir}/uefi/certs/ %{_sysconfdir}/uefi/certs/*.crt %changelog