fa8f2b475d
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=73
247 lines
9.2 KiB
RPMSpec
247 lines
9.2 KiB
RPMSpec
#
|
|
# spec file for package shim
|
|
#
|
|
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
|
#
|
|
# All modifications and additions to the file contributed by third parties
|
|
# remain the property of their copyright owners, unless otherwise agreed
|
|
# upon. The license for this file, and modifications and additions to the
|
|
# file, is the same license as for the pristine package itself (unless the
|
|
# license for the pristine package is not an Open Source License, in which
|
|
# case the license is the MIT License). An "Open Source License" is a
|
|
# license that conforms to the Open Source Definition (Version 1.9)
|
|
# published by the Open Source Initiative.
|
|
|
|
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
|
#
|
|
|
|
|
|
# needssslcertforbuild
|
|
|
|
Name: shim
|
|
Version: 0.7
|
|
Release: 0
|
|
Summary: UEFI shim loader
|
|
License: BSD-2-Clause
|
|
Group: System/Boot
|
|
Url: https://github.com/mjg59/shim
|
|
Source: %{name}-%{version}.tar.bz2
|
|
# run "extract_signature.sh shim.efi" where shim.efi is the binary
|
|
# with the signature from the UEFI signing service.
|
|
Source1: signature-opensuse.asc
|
|
Source2: openSUSE-UEFI-CA-Certificate.crt
|
|
Source3: shim-install
|
|
Source4: SLES-UEFI-CA-Certificate.crt
|
|
Source5: extract_signature.sh
|
|
Source6: attach_signature.sh
|
|
Source7: show_hash.sh
|
|
Source8: show_signatures.sh
|
|
Source9: openSUSE-UEFI-CA-Certificate-4096.crt
|
|
Source10: timestamp.pl
|
|
Source11: strip_signature.sh
|
|
Source12: signature-sles.asc
|
|
# PATCH-FIX-UPSTREAM shim-fix-verify-mok.patch glin@suse.com -- Fix the error handling in verify_mok()
|
|
Patch1: shim-fix-verify-mok.patch
|
|
# PATCH-FIX-UPSTREAM shim-improve-error-messages.patch glin@suse.com -- Improve the error messages
|
|
Patch2: shim-improve-error-messages.patch
|
|
# PATCH-FIX-UPSTREAM shim-correct-user_insecure-usage.patch glin@suse.com -- Correct the usage of the user insecure mode variable
|
|
Patch3: shim-correct-user_insecure-usage.patch
|
|
# PATCH-FIX-UPSTREAM shim-fix-dhcpv4-path-generation.patch glin@suse.com -- Fix path generation for DHCPv4 bootloader
|
|
Patch4: shim-fix-dhcpv4-path-generation.patch
|
|
# PATCH-FIX-UPSTREAM shim-mokx-support.patch glin@suse.com -- Support MOK blacklist
|
|
Patch5: shim-mokx-support.patch
|
|
# PATCH-FIX-UPSTREAM shim-mokmanager-handle-keystroke-error.patch glin@suse.com -- Handle the error status from ReadKeyStroke to avoid the unexpected keys
|
|
Patch6: shim-mokmanager-handle-keystroke-error.patch
|
|
# PATCH-FIX-SUSE shim-only-os-name.patch glin@suse.com -- Only include the OS name in version.c
|
|
Patch7: shim-only-os-name.patch
|
|
# PATCH-FIX-UPSTREAM shim-get-variable-check.patch glin@suse.com -- Fix the variable checking in get_variable_attr
|
|
Patch8: shim-get-variable-check.patch
|
|
# PATCH-FIX-UPSTREAM shim-fallback-improve--entries-creation.patch glin@suse.com -- Improve the boot entry pathes and avoid generating the boot entries that are already there
|
|
Patch9: shim-fallback-improve-entries-creation.patch
|
|
# PATCH-FIX-UPSTREAM shim-bnc863205-mokmanager-fix-hash-delete.patch bnc#863205 glin@suse.com -- Fix the hash deletion operation to avoid ruining the whole list
|
|
Patch10: shim-bnc863205-mokmanager-fix-hash-delete.patch
|
|
# PATCH-FIX-UPSTREAM shim-fallback-avoid-duplicate-bootorder.patch glin@suse.com -- Fix the duplicate BootOrder entries generated by fallback.efi
|
|
Patch11: shim-fallback-avoid-duplicate-bootorder.patch
|
|
# PATCH-FIX-UPSTREAM shim-allow-fallback-use-system-loadimage.patch glin@suse.com -- Handle the shim protocol properly to keep only one protocol entity
|
|
Patch12: shim-allow-fallback-use-system-loadimage.patch
|
|
# PATCH-FIX-UPSTREAM shim-mokmanager-delete-bs-var-right.patch glin@suse.com -- Delete BootService non-volatile variables the right way
|
|
Patch13: shim-mokmanager-delete-bs-var-right.patch
|
|
# PATCH-FIX-UPSTREAM shim-fix-uninitialized-variable.patch glin@suse.com -- Initialize the variable in lib properly
|
|
Patch14: shim-fix-uninitialized-variable.patch
|
|
# PATCH-FIX-UPSTREAM shim-mokmanager-support-sha-family.patch glin@suse.com -- Support SHA hashes in MOK
|
|
Patch15: shim-mokmanager-support-sha-family.patch
|
|
# PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
|
|
Patch100: shim-opensuse-cert-prompt.patch
|
|
BuildRequires: gnu-efi >= 3.0t
|
|
BuildRequires: mozilla-nss-tools
|
|
BuildRequires: openssl >= 0.9.8
|
|
BuildRequires: pesign
|
|
BuildRequires: pesign-obs-integration
|
|
Requires: perl-Bootloader
|
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
|
Recommends: grub2-efi
|
|
ExclusiveArch: x86_64
|
|
|
|
%description
|
|
shim is a trivial EFI application that, when run, attempts to open and
|
|
execute another application.
|
|
|
|
|
|
|
|
Authors:
|
|
--------
|
|
Matthew Garrett <mjg59@srcf.ucam.org>
|
|
|
|
%prep
|
|
%setup -q
|
|
%patch1 -p1
|
|
%patch2 -p1
|
|
%patch3 -p1
|
|
%patch4 -p1
|
|
%patch5 -p1
|
|
%patch6 -p1
|
|
%patch7 -p1
|
|
%patch8 -p1
|
|
%patch9 -p1
|
|
%patch10 -p1
|
|
%patch11 -p1
|
|
%patch12 -p1
|
|
%patch13 -p1
|
|
%patch14 -p1
|
|
%patch15 -p1
|
|
%patch100 -p1
|
|
|
|
%build
|
|
# first, build MokManager and fallback as they don't depend on a
|
|
# specific certificate
|
|
make EFI_PATH=/usr/lib64 MokManager.efi fallback.efi 2>/dev/null
|
|
|
|
# now build variants of shim that embed different certificates
|
|
default=''
|
|
suffixes=(opensuse sles)
|
|
# check whether the project cert is a known one. If it is we build
|
|
# just one shim that embeds this specific cert. If it's a devel
|
|
# project we build all variants to simplify testing.
|
|
if test -e %{_sourcedir}/_projectcert.crt ; then
|
|
prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash)
|
|
prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash)
|
|
opensusesubject=$(openssl x509 -in %{SOURCE2} -noout -subject_hash)
|
|
slessubject=$(openssl x509 -in %{SOURCE4} -noout -subject_hash)
|
|
if test "$prjissuer" = "$opensusesubject" ; then
|
|
suffixes=(opensuse)
|
|
elif test "$prjissuer" = "$slessubject" ; then
|
|
suffixes=(sles)
|
|
elif test "$prjsubject" = "$prjissuer" ; then
|
|
suffixes=(devel opensuse sles)
|
|
fi
|
|
fi
|
|
|
|
for suffix in "${suffixes[@]}"; do
|
|
if test "$suffix" = "opensuse"; then
|
|
cert=%{SOURCE2}
|
|
cert2=%{SOURCE9}
|
|
verify='openSUSE Secure Boot CA1'
|
|
signature=%{SOURCE1}
|
|
elif test "$suffix" = "sles"; then
|
|
cert=%{SOURCE4}
|
|
cert2=''
|
|
verify='SUSE Linux Enterprise Secure Boot CA1'
|
|
signature=%{SOURCE12}
|
|
elif test "$suffix" = "devel"; then
|
|
cert=%{_sourcedir}/_projectcert.crt
|
|
cert2=''
|
|
verify=`openssl x509 -in "$cert" -noout -email`
|
|
signature=''
|
|
test -e "$cert" || continue
|
|
else
|
|
echo "invalid suffix"
|
|
false
|
|
fi
|
|
|
|
openssl x509 -in $cert -outform DER -out shim-$suffix.der
|
|
rm -f shim_cert.h shim.cer shim.crt
|
|
if [ -z "$cert2" ]; then
|
|
# create empty local cert file, we don't need a local key pair as we
|
|
# sign the mokmanager with our vendor key
|
|
touch shim.crt
|
|
touch shim.cer
|
|
else
|
|
cp $cert2 shim.crt
|
|
fi
|
|
# make sure cast warnings don't trigger post build check
|
|
make EFI_PATH=/usr/lib64 VENDOR_CERT_FILE=shim-$suffix.der shim.efi 2>/dev/null
|
|
#
|
|
# assert correct certificate embedded
|
|
grep -q "$verify" shim.efi
|
|
# make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
|
|
chmod 755 %{SOURCE10}
|
|
# alternative: verify signature
|
|
#sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi
|
|
if test -n "$signature"; then
|
|
head -1 "$signature" > hash1
|
|
cp shim.efi shim.efi.bak
|
|
# pe header contains timestamp and checksum. we need to
|
|
# restore that
|
|
%{SOURCE10} --set-from-file "$signature" shim.efi
|
|
pesign -h -P -i shim.efi > hash2
|
|
cat hash1 hash2
|
|
if ! cmp -s hash1 hash2; then
|
|
echo "ERROR: $suffix binary changed, need to request new signature!"
|
|
# don't fail in devel projects
|
|
prj="%{_project}"
|
|
if [ "${prj%%%:*}" = "openSUSE" -o "${prj%%%:*}" = "SUSE" ]; then
|
|
false
|
|
fi
|
|
mv shim.efi.bak shim-$suffix.efi
|
|
rm shim.efi
|
|
else
|
|
# attach signature
|
|
pesign -m "$signature" -i shim.efi -o shim-$suffix.efi
|
|
rm -f shim.efi
|
|
fi
|
|
fi
|
|
rm -f shim.cer shim.crt
|
|
# make sure cert.o gets rebuilt
|
|
rm -f cert.o
|
|
done
|
|
|
|
ln -s shim-${suffixes[0]}.efi shim.efi
|
|
|
|
%install
|
|
export BRP_PESIGN_FILES='%{_libdir}/efi/shim*.efi %{_libdir}/efi/MokManager.efi %{_libdir}/efi/fallback.efi'
|
|
install -d %{buildroot}/%{_libdir}/efi
|
|
cp -a shim*.efi %{buildroot}/%{_libdir}/efi
|
|
install -m 444 shim-*.der %{buildroot}/%{_libdir}/efi
|
|
install -m 644 MokManager.efi %{buildroot}/%{_libdir}/efi/MokManager.efi
|
|
install -m 644 fallback.efi %{buildroot}/%{_libdir}/efi/fallback.efi
|
|
install -d %{buildroot}/%{_sbindir}
|
|
install -m 755 %{SOURCE3} %{buildroot}/%{_sbindir}/
|
|
# install SUSE certificate
|
|
install -d %{buildroot}/%{_sysconfdir}/uefi/certs/
|
|
for file in shim-*.der; do
|
|
fpr=$(openssl x509 -sha1 -fingerprint -inform DER -noout -in $file | cut -c 18- | cut -d ":" -f 1,2,3,4 | sed 's/://g')
|
|
install -m 644 $file %{buildroot}/%{_sysconfdir}/uefi/certs/$fpr.crt
|
|
done
|
|
|
|
%clean
|
|
%{?buildroot:%__rm -rf "%{buildroot}"}
|
|
|
|
%post
|
|
/sbin/update-bootloader --refresh || true
|
|
|
|
%files
|
|
%defattr(-,root,root)
|
|
%doc COPYRIGHT
|
|
%dir %{_libdir}/efi
|
|
%{_libdir}/efi/shim.efi
|
|
%{_libdir}/efi/shim-*.efi
|
|
%{_libdir}/efi/shim-*.der
|
|
%{_libdir}/efi/MokManager.efi
|
|
%{_libdir}/efi/fallback.efi
|
|
%{_sbindir}/shim-install
|
|
%dir %{_sysconfdir}/uefi/
|
|
%dir %{_sysconfdir}/uefi/certs/
|
|
%{_sysconfdir}/uefi/certs/*.crt
|
|
|
|
%changelog
|