3bd935ea7f
- don't fail the build if the UEFI signing service signature can't be attached anymore. This way shim can still pass through staging projects. We will verify the correct signature for release builds using openQA instead. OBS-URL: https://build.opensuse.org/request/show/243951 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=78
#
# spec file for package shim
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


# The marker below makes OBS hand the project's signing certificate to the
# build; the build section reads it as _projectcert.crt to decide which
# shim variants to build and which vendor CA to embed.
# needssslcertforbuild

Name: shim
Version: 0.7
Release: 0
Summary: UEFI shim loader
License: BSD-2-Clause
Group: System/Boot
Url: https://github.com/mjg59/shim
Source: %{name}-%{version}.tar.bz2
# run "extract_signature.sh shim.efi" where shim.efi is the binary
# with the signature from the UEFI signing service.
# Detached signature for the openSUSE variant.  Its first line is the pesign
# hash of the exact binary that was signed; the build section compares it
# with the hash of the freshly built shim before attaching the signature.
Source1: signature-opensuse.asc
# Vendor CA embedded in the openSUSE shim.  Its subject hash is compared
# with the issuer of the OBS project certificate to pick the variant.
Source2: openSUSE-UEFI-CA-Certificate.crt
# Installed as sbin/shim-install (see the install section).
Source3: shim-install
# Vendor CA embedded in the SLES shim; selected the same way as Source2.
Source4: SLES-UEFI-CA-Certificate.crt
# Source5-8 and Source11 are helper scripts for the packager; none of them
# is referenced by a build step in this spec.
Source5: extract_signature.sh
Source6: attach_signature.sh
Source7: show_hash.sh
Source8: show_signatures.sh
# Second openSUSE CA, copied in as shim.crt when building the openSUSE variant.
Source9: openSUSE-UEFI-CA-Certificate-4096.crt
# Restores the PE header timestamp/checksum recorded in a signature file so
# that the rebuilt binary hashes the same as the one that was signed.
Source10: timestamp.pl
Source11: strip_signature.sh
# Detached signature for the SLES variant (same layout as Source1).
Source12: signature-sles.asc
# PATCH-FIX-UPSTREAM shim-fix-verify-mok.patch glin@suse.com -- Fix the error handling in verify_mok()
Patch1: shim-fix-verify-mok.patch
# PATCH-FIX-UPSTREAM shim-improve-error-messages.patch glin@suse.com -- Improve the error messages
Patch2: shim-improve-error-messages.patch
# PATCH-FIX-UPSTREAM shim-correct-user_insecure-usage.patch glin@suse.com -- Correct the usage of the user insecure mode variable
Patch3: shim-correct-user_insecure-usage.patch
# PATCH-FIX-UPSTREAM shim-fix-dhcpv4-path-generation.patch glin@suse.com -- Fix path generation for DHCPv4 bootloader
Patch4: shim-fix-dhcpv4-path-generation.patch
# PATCH-FIX-UPSTREAM shim-mokx-support.patch glin@suse.com -- Support MOK blacklist
Patch5: shim-mokx-support.patch
# PATCH-FIX-UPSTREAM shim-mokmanager-handle-keystroke-error.patch glin@suse.com -- Handle the error status from ReadKeyStroke to avoid the unexpected keys
Patch6: shim-mokmanager-handle-keystroke-error.patch
# PATCH-FIX-SUSE shim-only-os-name.patch glin@suse.com -- Only include the OS name in version.c
Patch7: shim-only-os-name.patch
# PATCH-FIX-UPSTREAM shim-get-variable-check.patch glin@suse.com -- Fix the variable checking in get_variable_attr
Patch8: shim-get-variable-check.patch
# PATCH-FIX-UPSTREAM shim-fallback-improve--entries-creation.patch glin@suse.com -- Improve the boot entry pathes and avoid generating the boot entries that are already there
Patch9: shim-fallback-improve-entries-creation.patch
# PATCH-FIX-UPSTREAM shim-bnc863205-mokmanager-fix-hash-delete.patch bnc#863205 glin@suse.com -- Fix the hash deletion operation to avoid ruining the whole list
Patch10: shim-bnc863205-mokmanager-fix-hash-delete.patch
# PATCH-FIX-UPSTREAM shim-fallback-avoid-duplicate-bootorder.patch glin@suse.com -- Fix the duplicate BootOrder entries generated by fallback.efi
Patch11: shim-fallback-avoid-duplicate-bootorder.patch
# PATCH-FIX-UPSTREAM shim-allow-fallback-use-system-loadimage.patch glin@suse.com -- Handle the shim protocol properly to keep only one protocol entity
Patch12: shim-allow-fallback-use-system-loadimage.patch
# PATCH-FIX-UPSTREAM shim-mokmanager-delete-bs-var-right.patch glin@suse.com -- Delete BootService non-volatile variables the right way
Patch13: shim-mokmanager-delete-bs-var-right.patch
# PATCH-FIX-UPSTREAM shim-fix-uninitialized-variable.patch glin@suse.com -- Initialize the variable in lib properly
Patch14: shim-fix-uninitialized-variable.patch
# PATCH-FIX-UPSTREAM shim-mokmanager-support-sha-family.patch glin@suse.com -- Support SHA hashes in MOK
Patch15: shim-mokmanager-support-sha-family.patch
# PATCH-FIX-UPSTREAM shim-remove-unused-variables.patch glin@suse.com -- Remove unused variables
Patch16: shim-remove-unused-variables.patch
# PATCH-FIX-UPSTREAM shim-bnc872503-check-key-encoding.patch bnc#872503 glin@suse.com -- Check the key encoding before using it
Patch17: shim-bnc872503-check-key-encoding.patch
# PATCH-FIX-UPSTREAM shim-bnc877003-fetch-from-the-same-device.patch bnc#877003 glin@suse.com -- Fetch the netboot image from the same device
Patch18: shim-bnc877003-fetch-from-the-same-device.patch
# PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
Patch100: shim-opensuse-cert-prompt.patch
BuildRequires: gnu-efi >= 3.0t
BuildRequires: mozilla-nss-tools
BuildRequires: openssl >= 0.9.8
BuildRequires: pesign
# Presumably provides the post-build hook that reads BRP_PESIGN_FILES (set in
# the install section) and signs the listed EFI binaries with the project key.
BuildRequires: pesign-obs-integration
# presumably the home of update-bootloader, called from the post scriptlet
Requires: perl-Bootloader
BuildRoot: %{_tmppath}/%{name}-%{version}-build
# For shim-install script
Requires: grub2-efi
# the build section hard-codes EFI_PATH=/usr/lib64
ExclusiveArch: x86_64

%description
shim is a trivial EFI application that, when run, attempts to open and
execute another application.



Authors:
--------
Matthew Garrett <mjg59@srcf.ucam.org>

%prep
# Unpack the tarball quietly, then apply the fixes (Patch1 to Patch18) in
# numeric order; the openSUSE-only certificate prompt (Patch100) goes on
# top of the already-fixed tree.
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch100 -p1

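%build
# rpmbuild runs this section with the shell's -e option, so any unguarded
# failing command aborts the build.  The one place that deliberately does
# NOT abort is the signature hash mismatch below.

# MokManager and fallback embed no vendor certificate, so build them once
# up front.  stderr is dropped on purpose: the cast warnings would
# otherwise trip the post-build check.
make EFI_PATH=/usr/lib64 MokManager.efi fallback.efi 2>/dev/null

# Decide which shim variants to build; each embeds a different vendor CA.
# With the needssslcertforbuild marker OBS drops the project's signing
# certificate into the source dir as _projectcert.crt.  If that cert was
# issued by a known CA we build only the matching variant; a self-signed
# (devel project) cert gets every variant to simplify testing.  Without a
# project cert, or with an unknown issuer, both release variants are built.
suffixes=(opensuse sles)
if test -e %{_sourcedir}/_projectcert.crt ; then
  prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash)
  prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash)
  opensusesubject=$(openssl x509 -in %{SOURCE2} -noout -subject_hash)
  slessubject=$(openssl x509 -in %{SOURCE4} -noout -subject_hash)
  if test "$prjissuer" = "$opensusesubject" ; then
    suffixes=(opensuse)
  elif test "$prjissuer" = "$slessubject" ; then
    suffixes=(sles)
  elif test "$prjsubject" = "$prjissuer" ; then
    suffixes=(devel opensuse sles)
  fi
fi

# timestamp.pl ships as a plain source file; make it executable once.
chmod 755 %{SOURCE10}

for suffix in "${suffixes[@]}"; do
  # Per variant: cert      - CA to embed (converted to DER below)
  #              cert2     - optional extra cert dropped in as shim.crt
  #              verify    - string the built binary must contain
  #              signature - detached UEFI signing service signature,
  #                          empty when there is none to attach
  if test "$suffix" = "opensuse"; then
    cert=%{SOURCE2}
    cert2=%{SOURCE9}
    verify='openSUSE Secure Boot CA1'
    signature=%{SOURCE1}
  elif test "$suffix" = "sles"; then
    cert=%{SOURCE4}
    cert2=''
    verify='SUSE Linux Enterprise Secure Boot CA1'
    signature=%{SOURCE12}
  elif test "$suffix" = "devel"; then
    cert=%{_sourcedir}/_projectcert.crt
    # bail out before reading the cert if it is missing
    test -e "$cert" || continue
    cert2=''
    verify=$(openssl x509 -in "$cert" -noout -email)
    signature=''
  else
    echo "invalid suffix"
    exit 1
  fi

  openssl x509 -in "$cert" -outform DER -out "shim-$suffix.der"
  rm -f shim_cert.h shim.cer shim.crt
  if [ -z "$cert2" ]; then
    # create empty local cert files; we don't need a local key pair as we
    # sign the mokmanager with our vendor key
    touch shim.crt
    touch shim.cer
  else
    cp "$cert2" shim.crt
  fi
  # stderr dropped again so cast warnings don't trigger the post-build check
  make EFI_PATH=/usr/lib64 VENDOR_CERT_FILE=shim-$suffix.der shim.efi 2>/dev/null

  # Assert the expected certificate is embedded.  This is a fixed-string
  # search for the CA name (or the devel cert's e-mail) inside the binary,
  # not a cryptographic check; a miss aborts the build.
  grep -qF -- "$verify" shim.efi
  # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx

  # alternative: verify signature
  #sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi
  if test -n "$signature"; then
    # The signing service signed one exact binary; line 1 of the signature
    # file is that binary's pesign hash.  Keep an untouched copy of the
    # build, restore the PE header timestamp and checksum recorded in the
    # signature file, hash what we just built and compare.
    head -1 "$signature" > hash1
    cp shim.efi shim.efi.bak
    %{SOURCE10} --set-from-file "$signature" shim.efi
    pesign -h -P -i shim.efi > hash2
    cat hash1 hash2
    if ! cmp -s hash1 hash2; then
      # DELIBERATELY NOT FATAL.  The build no longer matches what the
      # signing service signed, so the signature cannot be attached.  We
      # ship the unsigned copy (taken before the header was rewritten) so
      # the package still passes through staging projects.  Such a shim
      # lacks the signature firmware checks under Secure Boot; release
      # builds must be checked for the real signature separately (openQA).
      echo "ERROR: $suffix binary changed, need to request new signature!"
      echo "WARNING: shim-$suffix.efi is shipped WITHOUT the UEFI signing service signature"
      mv shim.efi.bak shim-$suffix.efi
      rm shim.efi
    else
      # hashes match: attach the detached signature
      pesign -m "$signature" -i shim.efi -o shim-$suffix.efi
      rm -f shim.efi shim.efi.bak
    fi
  else
    # no signature to attach (devel variant): keep the build under its
    # variant name so the shim.efi symlink below does not dangle
    mv shim.efi shim-$suffix.efi
  fi
  rm -f shim.cer shim.crt
  # make sure cert.o gets rebuilt for the next variant
  rm -f cert.o
done

# shim.efi points at the first variant built
ln -s shim-${suffixes[0]}.efi shim.efi
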
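%install
# List of EFI binaries for the post-build signing hook (presumably the one
# shipped by pesign-obs-integration); every shim variant plus MokManager
# and fallback get signed with the project key.
export BRP_PESIGN_FILES='%{_libdir}/efi/shim*.efi %{_libdir}/efi/MokManager.efi %{_libdir}/efi/fallback.efi'
install -d %{buildroot}/%{_libdir}/efi
# -a keeps the shim.efi symlink created at the end of the build section
cp -a shim*.efi %{buildroot}/%{_libdir}/efi
install -m 444 shim-*.der %{buildroot}/%{_libdir}/efi
install -m 644 MokManager.efi %{buildroot}/%{_libdir}/efi/MokManager.efi
install -m 644 fallback.efi %{buildroot}/%{_libdir}/efi/fallback.efi
install -d %{buildroot}/%{_sbindir}
install -m 755 %{SOURCE3} %{buildroot}/%{_sbindir}/
# Install each embedded vendor certificate under the uefi/certs dir, named
# by the first four bytes of its SHA-1 fingerprint (e.g. "ABCDEF01.crt").
# Strip everything up to the '=' of openssl's "Fingerprint=" label instead
# of relying on a fixed column, then drop the colons and keep 8 hex digits.
install -d %{buildroot}/%{_sysconfdir}/uefi/certs/
for file in shim-*.der; do
  fpr=$(openssl x509 -sha1 -fingerprint -inform DER -noout -in "$file" | sed -e 's/^[^=]*=//' -e 's/://g' | cut -c 1-8)
  install -m 644 "$file" %{buildroot}/%{_sysconfdir}/uefi/certs/"$fpr".crt
done
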
%clean
# Remove the build root; the conditional macro expands to nothing when
# buildroot is undefined, so nothing is deleted by accident.
%{?buildroot:%__rm -rf "%{buildroot}"}

%post
# Re-initialize the bootloader configuration (presumably so the new shim
# is picked up).  Best effort: a failure here must not fail the package
# installation, hence the "|| true".
/sbin/update-bootloader --reinit || true

%files
%defattr(-,root,root)
%doc COPYRIGHT
%dir %{_libdir}/efi
# shim.efi is a symlink to the first variant built; the per-variant
# binaries sit next to it together with the DER certificates they embed
%{_libdir}/efi/shim.efi
%{_libdir}/efi/shim-*.efi
%{_libdir}/efi/shim-*.der
%{_libdir}/efi/MokManager.efi
%{_libdir}/efi/fallback.efi
%{_sbindir}/shim-install
# embedded vendor certificates, named by fingerprint prefix (install section)
%dir %{_sysconfdir}/uefi/
%dir %{_sysconfdir}/uefi/certs/
%{_sysconfdir}/uefi/certs/*.crt

%changelog
|