pool/shim
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3bd935ea7f
shim/shim.spec
Stephan Kulow 3bd935ea7f Accepting request 243951 from home:lnussel:branches:devel:openSUSE:Factory 
- don't fail the build if the UEFI signing service signature can't
  be attached anymore. This way shim can still pass through staging
  projects. We will verify the correct signature for release builds
  using openQA instead.

OBS-URL: https://build.opensuse.org/request/show/243951
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=78
2014-08-08 13:19:04 +00:00

252 lines
9.7 KiB
RPMSpec
Raw Blame History

#
# spec file for package shim
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# needssslcertforbuild
Name: shim
Version: 0.7
Release: 0
Summary: UEFI shim loader
License: BSD-2-Clause
Group: System/Boot
Url: https://github.com/mjg59/shim
Source: %{name}-%{version}.tar.bz2
# run "extract_signature.sh shim.efi" where shim.efi is the binary
# with the signature from the UEFI signing service.
Source1: signature-opensuse.asc
Source2: openSUSE-UEFI-CA-Certificate.crt
Source3: shim-install
Source4: SLES-UEFI-CA-Certificate.crt
Source5: extract_signature.sh
Source6: attach_signature.sh
Source7: show_hash.sh
Source8: show_signatures.sh
Source9: openSUSE-UEFI-CA-Certificate-4096.crt
Source10: timestamp.pl
Source11: strip_signature.sh
Source12: signature-sles.asc
# PATCH-FIX-UPSTREAM shim-fix-verify-mok.patch glin@suse.com -- Fix the error handling in verify_mok()
Patch1: shim-fix-verify-mok.patch
# PATCH-FIX-UPSTREAM shim-improve-error-messages.patch glin@suse.com -- Improve the error messages
Patch2: shim-improve-error-messages.patch
# PATCH-FIX-UPSTREAM shim-correct-user_insecure-usage.patch glin@suse.com -- Correct the usage of the user insecure mode variable
Patch3: shim-correct-user_insecure-usage.patch
# PATCH-FIX-UPSTREAM shim-fix-dhcpv4-path-generation.patch glin@suse.com -- Fix path generation for DHCPv4 bootloader
Patch4: shim-fix-dhcpv4-path-generation.patch
# PATCH-FIX-UPSTREAM shim-mokx-support.patch glin@suse.com -- Support MOK blacklist
Patch5: shim-mokx-support.patch
# PATCH-FIX-UPSTREAM shim-mokmanager-handle-keystroke-error.patch glin@suse.com -- Handle the error status from ReadKeyStroke to avoid the unexpected keys
Patch6: shim-mokmanager-handle-keystroke-error.patch
# PATCH-FIX-SUSE shim-only-os-name.patch glin@suse.com -- Only include the OS name in version.c
Patch7: shim-only-os-name.patch
# PATCH-FIX-UPSTREAM shim-get-variable-check.patch glin@suse.com -- Fix the variable checking in get_variable_attr
Patch8: shim-get-variable-check.patch
# PATCH-FIX-UPSTREAM shim-fallback-improve--entries-creation.patch glin@suse.com -- Improve the boot entry pathes and avoid generating the boot entries that are already there
Patch9: shim-fallback-improve-entries-creation.patch
# PATCH-FIX-UPSTREAM shim-bnc863205-mokmanager-fix-hash-delete.patch bnc#863205 glin@suse.com -- Fix the hash deletion operation to avoid ruining the whole list
Patch10: shim-bnc863205-mokmanager-fix-hash-delete.patch
# PATCH-FIX-UPSTREAM shim-fallback-avoid-duplicate-bootorder.patch glin@suse.com -- Fix the duplicate BootOrder entries generated by fallback.efi
Patch11: shim-fallback-avoid-duplicate-bootorder.patch
# PATCH-FIX-UPSTREAM shim-allow-fallback-use-system-loadimage.patch glin@suse.com -- Handle the shim protocol properly to keep only one protocol entity
Patch12: shim-allow-fallback-use-system-loadimage.patch
# PATCH-FIX-UPSTREAM shim-mokmanager-delete-bs-var-right.patch glin@suse.com -- Delete BootService non-volatile variables the right way
Patch13: shim-mokmanager-delete-bs-var-right.patch
# PATCH-FIX-UPSTREAM shim-fix-uninitialized-variable.patch glin@suse.com -- Initialize the variable in lib properly
Patch14: shim-fix-uninitialized-variable.patch
# PATCH-FIX-UPSTREAM shim-mokmanager-support-sha-family.patch glin@suse.com -- Support SHA hashes in MOK
Patch15: shim-mokmanager-support-sha-family.patch
# PATCH-FIX-UPSTREAM shim-remove-unused-variables.patch glin@suse.com -- Remove unused variables
Patch16: shim-remove-unused-variables.patch
# PATCH-FIX-UPSTREAM shim-bnc872503-check-key-encoding.patch bnc#872503 glin@suse.com -- Check the key encoding before using it
Patch17: shim-bnc872503-check-key-encoding.patch
# PATCH-FIX-UPSTREAM shim-bnc877003-fetch-from-the-same-device.patch bnc#877003 glin@suse.com -- Fetch the netboot image from the same device
Patch18: shim-bnc877003-fetch-from-the-same-device.patch
# PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
Patch100: shim-opensuse-cert-prompt.patch
BuildRequires: gnu-efi >= 3.0t
BuildRequires: mozilla-nss-tools
BuildRequires: openssl >= 0.9.8
BuildRequires: pesign
BuildRequires: pesign-obs-integration
Requires: perl-Bootloader
BuildRoot: %{_tmppath}/%{name}-%{version}-build
# For shim-install script
Requires: grub2-efi
ExclusiveArch: x86_64
%description
shim is a trivial EFI application that, when run, attempts to open and
execute another application.
Authors:
--------
Matthew Garrett <mjg59@srcf.ucam.org>
%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch100 -p1
%build
# first, build MokManager and fallback as they don't depend on a
# specific certificate
make EFI_PATH=/usr/lib64 MokManager.efi fallback.efi 2>/dev/null
# now build variants of shim that embed different certificates
default=''
suffixes=(opensuse sles)
# check whether the project cert is a known one. If it is we build
# just one shim that embeds this specific cert. If it's a devel
# project we build all variants to simplify testing.
if test -e %{_sourcedir}/_projectcert.crt ; then
prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash)
prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash)
opensusesubject=$(openssl x509 -in %{SOURCE2} -noout -subject_hash)
slessubject=$(openssl x509 -in %{SOURCE4} -noout -subject_hash)
if test "$prjissuer" = "$opensusesubject" ; then
suffixes=(opensuse)
elif test "$prjissuer" = "$slessubject" ; then
suffixes=(sles)
elif test "$prjsubject" = "$prjissuer" ; then
suffixes=(devel opensuse sles)
fi
fi
for suffix in "${suffixes[@]}"; do
if test "$suffix" = "opensuse"; then
cert=%{SOURCE2}
cert2=%{SOURCE9}
verify='openSUSE Secure Boot CA1'
signature=%{SOURCE1}
elif test "$suffix" = "sles"; then
cert=%{SOURCE4}
cert2=''
verify='SUSE Linux Enterprise Secure Boot CA1'
signature=%{SOURCE12}
elif test "$suffix" = "devel"; then
cert=%{_sourcedir}/_projectcert.crt
cert2=''
verify=`openssl x509 -in "$cert" -noout -email`
signature=''
test -e "$cert" || continue
else
echo "invalid suffix"
false
fi
openssl x509 -in $cert -outform DER -out shim-$suffix.der
rm -f shim_cert.h shim.cer shim.crt
if [ -z "$cert2" ]; then
# create empty local cert file, we don't need a local key pair as we
# sign the mokmanager with our vendor key
touch shim.crt
touch shim.cer
else
cp $cert2 shim.crt
fi
# make sure cast warnings don't trigger post build check
make EFI_PATH=/usr/lib64 VENDOR_CERT_FILE=shim-$suffix.der shim.efi 2>/dev/null
#
# assert correct certificate embedded
grep -q "$verify" shim.efi
# make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
chmod 755 %{SOURCE10}
# alternative: verify signature
#sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi
if test -n "$signature"; then
head -1 "$signature" > hash1
cp shim.efi shim.efi.bak
# pe header contains timestamp and checksum. we need to
# restore that
%{SOURCE10} --set-from-file "$signature" shim.efi
pesign -h -P -i shim.efi > hash2
cat hash1 hash2
if ! cmp -s hash1 hash2; then
echo "ERROR: $suffix binary changed, need to request new signature!"
mv shim.efi.bak shim-$suffix.efi
rm shim.efi
else
# attach signature
pesign -m "$signature" -i shim.efi -o shim-$suffix.efi
rm -f shim.efi
fi
fi
rm -f shim.cer shim.crt
# make sure cert.o gets rebuilt
rm -f cert.o
done
ln -s shim-${suffixes[0]}.efi shim.efi
%install
export BRP_PESIGN_FILES='%{_libdir}/efi/shim*.efi %{_libdir}/efi/MokManager.efi %{_libdir}/efi/fallback.efi'
install -d %{buildroot}/%{_libdir}/efi
cp -a shim*.efi %{buildroot}/%{_libdir}/efi
install -m 444 shim-*.der %{buildroot}/%{_libdir}/efi
install -m 644 MokManager.efi %{buildroot}/%{_libdir}/efi/MokManager.efi
install -m 644 fallback.efi %{buildroot}/%{_libdir}/efi/fallback.efi
install -d %{buildroot}/%{_sbindir}
install -m 755 %{SOURCE3} %{buildroot}/%{_sbindir}/
# install SUSE certificate
install -d %{buildroot}/%{_sysconfdir}/uefi/certs/
for file in shim-*.der; do
fpr=$(openssl x509 -sha1 -fingerprint -inform DER -noout -in $file | cut -c 18- | cut -d ":" -f 1,2,3,4 | sed 's/://g')
install -m 644 $file %{buildroot}/%{_sysconfdir}/uefi/certs/$fpr.crt
done
%clean
%{?buildroot:%__rm -rf "%{buildroot}"}
%post
/sbin/update-bootloader --reinit || true
%files
%defattr(-,root,root)
%doc COPYRIGHT
%dir %{_libdir}/efi
%{_libdir}/efi/shim.efi
%{_libdir}/efi/shim-*.efi
%{_libdir}/efi/shim-*.der
%{_libdir}/efi/MokManager.efi
%{_libdir}/efi/fallback.efi
%{_sbindir}/shim-install
%dir %{_sysconfdir}/uefi/
%dir %{_sysconfdir}/uefi/certs/
%{_sysconfdir}/uefi/certs/*.crt
%changelog
Reference in New Issue View Git Blame Copy Permalink