From 54992a3735cf462205c6bfba94a489e0a6d001228344105264828f2c5351746e Mon Sep 17 00:00:00 2001
From: Jiri Slaby <jslaby@suse.com>
Date: Thu, 28 Mar 2013 11:00:02 +0000
Subject: [PATCH] Accepting request 161508 from
 home:michael-chang:branches:Base:System

- package Secure Boot CA file as /usr/lib64/efi/grub.der which
  could be used to verify signed image from build server
- add openSUSE-UEFI-CA-Certificate.crt, openSUSE Secure Boot CA
- add SLES-UEFI-CA-Certificate.crt, SUSE Linux Enterprise Secure
  Boot CA

OBS-URL: https://build.opensuse.org/request/show/161508
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=32
---
 SLES-UEFI-CA-Certificate.crt     | 39 ++++++++++++++++++++++++++
 grub2.changes                    |  9 ++++++
 grub2.spec                       | 48 ++++++++++++++++++++++++++++----
 openSUSE-UEFI-CA-Certificate.crt | 37 ++++++++++++++++++++++++
 4 files changed, 128 insertions(+), 5 deletions(-)
 create mode 100644 SLES-UEFI-CA-Certificate.crt
 create mode 100644 openSUSE-UEFI-CA-Certificate.crt

diff --git a/SLES-UEFI-CA-Certificate.crt b/SLES-UEFI-CA-Certificate.crt
new file mode 100644
index 0000000..56f3fce
--- /dev/null
+++ b/SLES-UEFI-CA-Certificate.crt
@@ -0,0 +1,39 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/grub2.changes b/grub2.changes
index f8e3bf9..2ee24d6 100644
--- a/grub2.changes
+++ b/grub2.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Thu Mar 28 02:57:47 UTC 2013 - mchang@suse.com
+
+- package Secure Boot CA file as /usr/lib64/efi/grub.der which
+  could be used to verify signed image from build server
+- add openSUSE-UEFI-CA-Certificate.crt, openSUSE Secure Boot CA
+- add SLES-UEFI-CA-Certificate.crt, SUSE Linux Enterprise Secure
+  Boot CA
+
 -------------------------------------------------------------------
 Mon Mar 25 17:37:59 UTC 2013 - dvaleev@suse.com
 
diff --git a/grub2.spec b/grub2.spec
index 13a6525..e1314ac 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -48,6 +48,7 @@ BuildRequires:  xz-devel
 %ifarch x86_64
 %if 0%{?suse_version} >= 1230 || 0%{?suse_version} == 1110
 BuildRequires:  pesign-obs-integration
+BuildRequires:  openssl >= 0.9.8
 %endif
 %endif
 
@@ -102,6 +103,8 @@ Source6:        grub2-once
 Source7:        20_memtest86+
 Source8:        Makefile.util.am
 Source9:        Makefile.core.am
+Source10:       openSUSE-UEFI-CA-Certificate.crt
+Source11:       SLES-UEFI-CA-Certificate.crt
 Source1000:     PATCH_POLICY
 Patch0:         grub2-correct-font-path.patch
 Patch1:         rename-grub-info-file-to-grub2.patch
@@ -313,6 +316,33 @@ GRUB_MODULES="${CD_MODULES} ${FS_MODULES} ${PXE_MODULES} mdraid09 mdraid1x lvm"
 #./grub-mkimage -O %{grubefiarch} -o grub.efi -d grub-core part_gpt hfsplus fat \
 #        ext2 btrfs normal chain boot configfile linux appleldr minicmd \
 #        loadbios reboot halt search font gfxterm
+
+%ifarch x86_64
+%if 0%{?suse_version} >= 1230 || 0%{?suse_version} == 1110
+if test -e %{_sourcedir}/_projectcert.crt ; then
+    prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash)
+    prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash)
+    opensusesubject=$(openssl x509 -in %{SOURCE10} -noout -subject_hash)
+    slessubject=$(openssl x509 -in %{SOURCE11} -noout -subject_hash)
+    if test "$prjissuer" = "$opensusesubject" ; then
+        cert=%{SOURCE10}
+    fi
+    if test "$prjissuer" = "$slessubject" ; then
+        cert=%{SOURCE11}
+    fi
+    if test "$prjsubject" = "$prjissuer" ; then
+        cert=%{_sourcedir}/_projectcert.crt
+    fi
+fi
+if test -z "$cert" ; then
+    echo "cannot identify project, assuming openSUSE signing"
+    cert=%{SOURCE10}
+fi
+
+openssl x509 -in $cert -outform DER -out grub.der
+%endif
+%endif
+
 cd ..
 %endif
 
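Review bot: The certificate selection added to `%build` compares only `-subject_hash` and `-issuer_hash`, which are hashes of the distinguished names, so it picks the CA by name and never checks that `_projectcert.crt` is actually signed by `%{SOURCE10}` or `%{SOURCE11}`. Since `grub.der` is packaged as the anchor for verifying signed images, consider confirming the chain before choosing, for example with `openssl verify -CAfile %{SOURCE10} %{_sourcedir}/_projectcert.crt`, after checking that the exit status of `openssl verify` is reliable on the oldest OpenSSL this spec allows. The fallback also fires when `_projectcert.crt` exists but matches none of the three tests, and the only trace is the `echo`; the openSUSE CA packaged in that case presumably cannot verify an image signed with the project key, so failing the build there would be safer. `cert` is never reset before the tests and is expanded unquoted, so start the block with `cert=` and use `openssl x509 -in "$cert" -outform DER -out grub.der`. The enclosing `%build` section begins outside the hunk.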
@@ -343,11 +373,6 @@ make %{?_smp_mflags}
 
 %install
 %ifarch %{efi}
-%ifarch x86_64
-%if 0%{?suse_version} >= 1230 || 0%{?suse_version} == 1110
-export BRP_PESIGN_FILES="%{_libdir}/%{name}/%{grubefiarch}/grub.efi"
-%endif
-%endif
 cd build-efi
 make DESTDIR=$RPM_BUILD_ROOT install
 
@@ -363,6 +388,13 @@ install -m 644 grub.efi $RPM_BUILD_ROOT%{_libdir}/%{name}/%{grubefiarch}/.
 install -d $RPM_BUILD_ROOT%{sysefidir}
 ln -sf ../../../%{_libdir}/%{name}/%{grubefiarch}/grub.efi $RPM_BUILD_ROOT%{sysefidir}/grub.efi
 
+%ifarch x86_64
+%if 0%{?suse_version} >= 1230 || 0%{?suse_version} == 1110
+export BRP_PESIGN_FILES="%{_libdir}/%{name}/%{grubefiarch}/grub.efi"
+install -m 444 grub.der $RPM_BUILD_ROOT%{sysefidir}/
+%endif
+%endif
+
 cd ..
 %endif
 
@@ -593,6 +625,12 @@ fi
 %{_libdir}/%{name}/%{grubefiarch}/modinfo.sh
 %dir %{sysefidir}
 %{sysefidir}/grub.efi
+
+%ifarch x86_64
+%if 0%{?suse_version} >= 1230 || 0%{?suse_version} == 1110
+%{sysefidir}/grub.der
+%endif
+%endif
 %endif
 
 %changelog
diff --git a/openSUSE-UEFI-CA-Certificate.crt b/openSUSE-UEFI-CA-Certificate.crt
new file mode 100644
index 0000000..7a4c704
--- /dev/null
+++ b/openSUSE-UEFI-CA-Certificate.crt
@@ -0,0 +1,37 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----