ca285f90f5
Amend the check of %shim_enforce_ms_signature so that we can disable the signature check by defining shim_enforce_ms_signature as 0 OBS-URL: https://build.opensuse.org/request/show/824673 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=162
322 lines
11 KiB
RPMSpec
322 lines
11 KiB
RPMSpec
#
|
|
# spec file for package shim
|
|
#
|
|
# Copyright (c) 2020 SUSE LLC
|
|
#
|
|
# All modifications and additions to the file contributed by third parties
|
|
# remain the property of their copyright owners, unless otherwise agreed
|
|
# upon. The license for this file, and modifications and additions to the
|
|
# file, is the same license as for the pristine package itself (unless the
|
|
# license for the pristine package is not an Open Source License, in which
|
|
# case the license is the MIT License). An "Open Source License" is a
|
|
# license that conforms to the Open Source Definition (Version 1.9)
|
|
# published by the Open Source Initiative.
|
|
|
|
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
|
#
|
|
# needssslcertforbuild
|
|
|
|
|
|
%undefine _debuginfo_subpackages
|
|
%undefine _build_create_debug
|
|
%ifarch aarch64
|
|
%define grubplatform arm64-efi
|
|
%else
|
|
%define grubplatform %{_target_cpu}-efi
|
|
%endif
|
|
%if %{defined sle_version} && 0%{?sle_version} <= 150000
|
|
%define sysefidir /usr/lib64/efi
|
|
%else
|
|
%define sysefibasedir %{_datadir}/efi
|
|
%define sysefidir %{sysefibasedir}/%{_target_cpu}
|
|
%if "%{grubplatform}" == "x86_64-efi" && 0%{?suse_version} < 1600
|
|
# provide compatibility sym-link for residual kiwi, etc.
|
|
%define shim_lib64_share_compat 1
|
|
%endif
|
|
%endif
|
|
|
|
Name: shim
|
|
Version: 15+git47
|
|
Release: 0
|
|
Summary: UEFI shim loader
|
|
License: BSD-2-Clause
|
|
Group: System/Boot
|
|
URL: https://github.com/rhboot/shim
|
|
Source: %{name}-%{version}.tar.bz2
|
|
# run "extract_signature.sh shim.efi" where shim.efi is the binary
|
|
# with the signature from the UEFI signing service.
|
|
# Note: For signature requesting, check SIGNATURE_UPDATE.txt
|
|
Source1: signature-opensuse.x86_64.asc
|
|
Source2: openSUSE-UEFI-CA-Certificate.crt
|
|
Source3: shim-install
|
|
Source4: SLES-UEFI-CA-Certificate.crt
|
|
Source5: extract_signature.sh
|
|
Source6: attach_signature.sh
|
|
Source7: show_hash.sh
|
|
Source8: show_signatures.sh
|
|
Source9: timestamp.pl
|
|
Source10: strip_signature.sh
|
|
Source11: signature-sles.x86_64.asc
|
|
Source12: signature-opensuse.aarch64.asc
|
|
Source13: signature-sles.aarch64.asc
|
|
Source50: dbx-cert.tar.xz
|
|
# vendor-dbx.bin is generated by generate-vendor-dbx.sh in dbx-cert.tar.xz
|
|
Source51: vendor-dbx.bin
|
|
Source99: SIGNATURE_UPDATE.txt
|
|
# PATCH-FIX-SUSE shim-arch-independent-names.patch glin@suse.com -- Use the Arch-independent names
|
|
Patch1: shim-arch-independent-names.patch
|
|
# PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch glin@suse.com -- Change the default debug file path
|
|
Patch2: shim-change-debug-file-path.patch
|
|
# PATCH-FIX-UPSTREAM shim-bsc1092000-fallback-menu.patch bsc#1092000 glin@suse.com -- Show a menu before reset
|
|
Patch3: shim-bsc1092000-fallback-menu.patch
|
|
# PATCH-FIX-UPSTREAM shim-always-mirror-mok-variables.patch glin@suse.com -- Mirror MOK variables correctly
|
|
Patch4: shim-always-mirror-mok-variables.patch
|
|
# PATCH-FIX-UPSTREAM shim-bsc1174512-correct-license-in-headers.patch glin@suse.com -- Fix the license header in errlog.c and mok.c
|
|
Patch5: shim-bsc1174512-correct-license-in-headers.patch
|
|
# PATCH-FIX-UPSTREAM gcc9-fix-warnings.patch mliska@suse.cz -- MokManager: Use CompareMem on MokListNode.Type instead of CompareGuid
|
|
Patch6: gcc9-fix-warnings.patch
|
|
# PATCH-FIX-OPENSUSE shim-fix-gnu-efi-3.0.11.patch glin@suse.com -- Fix the build error caused by the typo fix in gnu-efi 3.0.11
|
|
Patch7: shim-fix-gnu-efi-3.0.11.patch
|
|
# PATCH-FIX-UPSTREAM shim-bsc1173411-only-check-efi-var-on-sb.patch bsc#1173411 glin@suse.com -- Make EFI variable copying check only fatal on SB systems
|
|
Patch8: shim-bsc1173411-only-check-efi-var-on-sb.patch
|
|
# PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
|
|
Patch100: shim-opensuse-cert-prompt.patch
|
|
BuildRequires: gnu-efi >= 3.0.3
|
|
BuildRequires: mozilla-nss-tools
|
|
BuildRequires: openssl >= 0.9.8
|
|
BuildRequires: pesign
|
|
BuildRequires: pesign-obs-integration
|
|
%if 0%{?suse_version} > 1320
|
|
BuildRequires: update-bootloader-rpm-macros
|
|
%endif
|
|
%if 0%{?update_bootloader_requires:1}
|
|
%update_bootloader_requires
|
|
%else
|
|
Requires: perl-Bootloader
|
|
%endif
|
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
|
# For shim-install script
|
|
Requires: grub2-%{grubplatform}
|
|
ExclusiveArch: x86_64
|
|
|
|
%description
|
|
shim is a trivial EFI application that, when run, attempts to open and
|
|
execute another application.
|
|
|
|
%package -n shim-debuginfo
|
|
Summary: UEFI shim loader - debug symbols
|
|
Group: Development/Debug
|
|
|
|
%description -n shim-debuginfo
|
|
The debug symbols of UEFI shim loader
|
|
|
|
%package -n shim-debugsource
|
|
Summary: UEFI shim loader - debug source
|
|
Group: Development/Debug
|
|
|
|
%description -n shim-debugsource
|
|
The source code of UEFI shim loader
|
|
|
|
|
|
%prep
|
|
%setup -q
|
|
%patch1 -p1
|
|
%patch2 -p1
|
|
%patch3 -p1
|
|
%patch4 -p1
|
|
%patch5 -p1
|
|
%patch6 -p1
|
|
%patch7 -p1
|
|
%patch8 -p1
|
|
%if 0%{?is_opensuse} == 1
|
|
%patch100 -p1
|
|
%endif
|
|
|
|
%build
|
|
# first, build MokManager and fallback as they don't depend on a
|
|
# specific certificate
|
|
make EFI_PATH=/usr/lib64 RELEASE=0 \
|
|
MMSTEM=MokManager FBSTEM=fallback \
|
|
MokManager.efi.debug fallback.efi.debug \
|
|
MokManager.efi fallback.efi
|
|
|
|
# now build variants of shim that embed different certificates
|
|
default=''
|
|
suffixes=(opensuse sles)
|
|
# check whether the project cert is a known one. If it is we build
|
|
# just one shim that embeds this specific cert. If it's a devel
|
|
# project we build all variants to simplify testing.
|
|
if test -e %{_sourcedir}/_projectcert.crt ; then
|
|
prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash)
|
|
prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash)
|
|
opensusesubject=$(openssl x509 -in %{SOURCE2} -noout -subject_hash)
|
|
slessubject=$(openssl x509 -in %{SOURCE4} -noout -subject_hash)
|
|
if test "$prjissuer" = "$opensusesubject" ; then
|
|
suffixes=(opensuse)
|
|
elif test "$prjissuer" = "$slessubject" ; then
|
|
suffixes=(sles)
|
|
elif test "$prjsubject" = "$prjissuer" ; then
|
|
suffixes=(devel opensuse sles)
|
|
fi
|
|
fi
|
|
|
|
for suffix in "${suffixes[@]}"; do
|
|
if test "$suffix" = "opensuse"; then
|
|
cert=%{SOURCE2}
|
|
verify='openSUSE Secure Boot CA1'
|
|
%ifarch x86_64
|
|
signature=%{SOURCE1}
|
|
%else
|
|
# AArch64 signature
|
|
signature=%{SOURCE12}
|
|
%endif
|
|
elif test "$suffix" = "sles"; then
|
|
cert=%{SOURCE4}
|
|
verify='SUSE Linux Enterprise Secure Boot CA1'
|
|
%ifarch x86_64
|
|
signature=%{SOURCE11}
|
|
%else
|
|
# AArch64 signature
|
|
signature=%{SOURCE13}
|
|
%endif
|
|
elif test "$suffix" = "devel"; then
|
|
cert=%{_sourcedir}/_projectcert.crt
|
|
verify=`openssl x509 -in "$cert" -noout -email`
|
|
signature=''
|
|
test -e "$cert" || continue
|
|
else
|
|
echo "invalid suffix"
|
|
false
|
|
fi
|
|
|
|
openssl x509 -in $cert -outform DER -out shim-$suffix.der
|
|
make EFI_PATH=/usr/lib64 RELEASE=0 SHIMSTEM=shim \
|
|
VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \
|
|
DEFAULT_LOADER="\\\\\\\\grub.efi" \
|
|
VENDOR_DBX_FILE=%{SOURCE51} \
|
|
shim.efi.debug shim.efi
|
|
#
|
|
# assert correct certificate embedded
|
|
grep -q "$verify" shim.efi
|
|
# make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
|
|
chmod 755 %{SOURCE9}
|
|
# alternative: verify signature
|
|
#sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi
|
|
if test -n "$signature"; then
|
|
head -1 "$signature" > hash1
|
|
cp shim.efi shim.efi.bak
|
|
# pe header contains timestamp and checksum. we need to
|
|
# restore that
|
|
%{SOURCE9} --set-from-file "$signature" shim.efi
|
|
pesign -h -P -i shim.efi > hash2
|
|
cat hash1 hash2
|
|
if ! cmp -s hash1 hash2; then
|
|
echo "ERROR: $suffix binary changed, need to request new signature!"
|
|
%if %{defined shim_enforce_ms_signature} && 0%{?shim_enforce_ms_signature} > 0
|
|
false
|
|
%endif
|
|
mv shim.efi.bak shim-$suffix.efi
|
|
rm shim.efi
|
|
else
|
|
# attach signature
|
|
pesign -m "$signature" -i shim.efi -o shim-$suffix.efi
|
|
rm -f shim.efi
|
|
fi
|
|
else
|
|
mv shim.efi shim-$suffix.efi
|
|
fi
|
|
mv shim.efi.debug shim-$suffix.debug
|
|
# remove the build cert if exists
|
|
rm -f shim_cert.h shim.cer shim.crt
|
|
# make sure all object files gets rebuilt
|
|
rm -f *.o
|
|
done
|
|
|
|
ln -s shim-${suffixes[0]}.efi shim.efi
|
|
mv shim-${suffixes[0]}.debug shim.debug
|
|
|
|
# Collect the source for debugsource
|
|
mkdir ../source
|
|
find . \( -name "*.c" -o -name "*.h" \) -type f -exec cp --parents -a {} ../source/ \;
|
|
mv ../source .
|
|
|
|
%install
|
|
export BRP_PESIGN_FILES='%{sysefidir}/shim*.efi %{sysefidir}/MokManager.efi %{sysefidir}/fallback.efi'
|
|
install -d %{buildroot}/%{sysefidir}
|
|
cp -a shim*.efi %{buildroot}/%{sysefidir}
|
|
install -m 444 shim-*.der %{buildroot}/%{sysefidir}
|
|
install -m 644 MokManager.efi %{buildroot}/%{sysefidir}/MokManager.efi
|
|
install -m 644 fallback.efi %{buildroot}/%{sysefidir}/fallback.efi
|
|
install -d %{buildroot}/%{_sbindir}
|
|
install -m 755 %{SOURCE3} %{buildroot}/%{_sbindir}/
|
|
# install SUSE certificate
|
|
install -d %{buildroot}/%{_sysconfdir}/uefi/certs/
|
|
for file in shim-*.der; do
|
|
fpr=$(openssl x509 -sha1 -fingerprint -inform DER -noout -in $file | cut -c 18- | cut -d ":" -f 1,2,3,4 | sed 's/://g')
|
|
install -m 644 $file %{buildroot}/%{_sysconfdir}/uefi/certs/${fpr}-shim.crt
|
|
done
|
|
%if %{defined shim_lib64_share_compat}
|
|
[ "%{sysefidir}" != "/usr/lib64/efi" ] || exit 1
|
|
# provide compatibility sym-link for residual "consumers"
|
|
install -d %{buildroot}/usr/lib64/efi
|
|
ln -srf %{buildroot}/%{sysefidir}/*.efi %{buildroot}/usr/lib64/efi/
|
|
%endif
|
|
|
|
# install the debug symbols
|
|
install -d %{buildroot}/usr/lib/debug/%{sysefidir}
|
|
install -m 644 shim.debug %{buildroot}/usr/lib/debug/%{sysefidir}
|
|
install -m 644 MokManager.efi.debug %{buildroot}/usr/lib/debug/%{sysefidir}/MokManager.debug
|
|
install -m 644 fallback.efi.debug %{buildroot}/usr/lib/debug/%{sysefidir}/fallback.debug
|
|
|
|
# install the debug source
|
|
install -d %{buildroot}/usr/src/debug/%{name}-%{version}
|
|
cp -r source/* %{buildroot}/usr/src/debug/%{name}-%{version}
|
|
|
|
%clean
|
|
%{?buildroot:%__rm -rf "%{buildroot}"}
|
|
|
|
%post
|
|
%if 0%{?update_bootloader_check_type_reinit_post:1}
|
|
%update_bootloader_check_type_reinit_post grub2-efi
|
|
%else
|
|
/sbin/update-bootloader --reinit || true
|
|
%endif
|
|
|
|
%if %{defined update_bootloader_posttrans}
|
|
%posttrans
|
|
%{?update_bootloader_posttrans}
|
|
%endif
|
|
|
|
%files
|
|
%defattr(-,root,root)
|
|
%doc COPYRIGHT
|
|
%dir %{?sysefibasedir}
|
|
%dir %{sysefidir}
|
|
%{sysefidir}/shim.efi
|
|
%{sysefidir}/shim-*.efi
|
|
%{sysefidir}/shim-*.der
|
|
%{sysefidir}/MokManager.efi
|
|
%{sysefidir}/fallback.efi
|
|
%{_sbindir}/shim-install
|
|
%dir %{_sysconfdir}/uefi/
|
|
%dir %{_sysconfdir}/uefi/certs/
|
|
%{_sysconfdir}/uefi/certs/*.crt
|
|
%if %{defined shim_lib64_share_compat}
|
|
# provide compatibility sym-link for previous kiwi, etc.
|
|
%dir /usr/lib64/efi
|
|
/usr/lib64/efi/*.efi
|
|
%endif
|
|
|
|
%files -n shim-debuginfo
|
|
%defattr(-,root,root,-)
|
|
/usr/lib/debug%{sysefidir}/shim.debug
|
|
/usr/lib/debug%{sysefidir}/MokManager.debug
|
|
/usr/lib/debug%{sysefidir}/fallback.debug
|
|
|
|
%files -n shim-debugsource
|
|
%defattr(-,root,root,-)
|
|
%dir /usr/src/debug/%{name}-%{version}
|
|
/usr/src/debug/%{name}-%{version}/*
|
|
|
|
%changelog
|