diff --git a/.shim-signed.metadata b/.shim-signed.metadata index 897b7da..8405870 100644 --- a/.shim-signed.metadata +++ b/.shim-signed.metadata @@ -1,4 +1,4 @@ 8686e2ab33689a7f71268db3c8dc0a51ba291d93 SOURCES/mokutil-0.3.0.tar.gz a6499bf4e2e9038c79e00f3fea79c5dfd978eb16 SOURCES/shimaa64.efi -09c724498ed275fb4a76f04700f5b2d39413405f SOURCES/shimia32.efi -224b166130e25c00ac9a6c33d7816acc6b98cde5 SOURCES/shimx64.efi +e609f8ddc446dc27a2aec3577e2b7869126662c0 SOURCES/shimia32.efi +1316e2b5fb83b29acc00c5050799afb7ccd6b6e2 SOURCES/shimx64.efi diff --git a/SOURCES/0001-Fix-the-potential-buffer-overflow.patch b/SOURCES/0001-Fix-the-potential-buffer-overflow.patch index ef8518f..f752a3f 100644 --- a/SOURCES/0001-Fix-the-potential-buffer-overflow.patch +++ b/SOURCES/0001-Fix-the-potential-buffer-overflow.patch @@ -1,7 +1,7 @@ From 1313fa02a5b2bfe61ee6702696600fc148ec2d6e Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Tue, 4 Nov 2014 15:50:03 +0800 -Subject: [PATCH 1/7] Fix the potential buffer overflow +Subject: [PATCH 01/10] Fix the potential buffer overflow Signed-off-by: Gary Ching-Pang Lin --- @@ -9,7 +9,7 @@ Signed-off-by: Gary Ching-Pang Lin 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/mokutil.c b/src/mokutil.c -index 5b34f22..93fb6fa 100644 +index 5b34f22fd98..93fb6fabcab 100644 --- a/src/mokutil.c +++ b/src/mokutil.c @@ -1743,7 +1743,7 @@ set_toggle (const char * VarName, uint32_t state) @@ -32,5 +32,5 @@ index 5b34f22..93fb6fa 100644 tvar.mok_toggle_state = state; -- -2.7.4 +2.17.1 diff --git a/SOURCES/0002-Fix-the-32bit-signedness-comparison.patch b/SOURCES/0002-Fix-the-32bit-signedness-comparison.patch index de24b1c..33ca700 100644 --- a/SOURCES/0002-Fix-the-32bit-signedness-comparison.patch +++ b/SOURCES/0002-Fix-the-32bit-signedness-comparison.patch @@ -1,14 +1,14 @@ From cdb4b6f3bfd6ada6558ddfb889e27150f0841b28 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Mon, 24 Nov 2014 11:38:54 +0800 -Subject: [PATCH 2/7] Fix the 32bit signedness comparison +Subject: [PATCH 02/10] Fix the 32bit signedness comparison --- src/mokutil.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/mokutil.c b/src/mokutil.c -index 93fb6fa..a7e83f7 100644 +index 93fb6fabcab..a7e83f71f0b 100644 --- a/src/mokutil.c +++ b/src/mokutil.c @@ -1284,7 +1284,7 @@ issue_mok_request (char **files, uint32_t total, MokRequest req, @@ -30,5 +30,5 @@ index 93fb6fa..a7e83f7 100644 list[i].mok_size - offset); if (write_size < 0) { -- -2.7.4 +2.17.1 diff --git a/SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch b/SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch index 80a677a..a9fe4e9 100644 --- a/SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch +++ b/SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch @@ -1,7 +1,8 @@ From 9eb111a7f7b897ba4ae19a68708e010a5c384260 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Fri, 19 Jun 2015 16:53:36 -0400 -Subject: [PATCH 3/7] Build with -fshort-wchar so toggle passwords work right. +Subject: [PATCH 03/10] Build with -fshort-wchar so toggle passwords work + right. This source tree uses: @@ -25,7 +26,7 @@ Signed-off-by: Peter Jones 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac -index fe28fb9..69d412a 100644 +index fe28fb92241..69d412ac633 100644 --- a/configure.ac +++ b/configure.ac @@ -37,7 +37,7 @@ else @@ -38,5 +39,5 @@ index fe28fb9..69d412a 100644 AC_ARG_ENABLE(strict, AS_HELP_STRING([--enable-strict],[Enable strict compilation options]), enable_strict=$enableval, enable_strict=$default_strict) -- -2.7.4 +2.17.1 diff --git a/SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch b/SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch index 3e75fda..f45fd42 100644 --- a/SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch +++ b/SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch @@ -1,7 +1,7 @@ From ecc8fb0d92f0f453414a98172df22e23fb5893f5 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 16 Jun 2015 17:06:30 -0400 -Subject: [PATCH 4/7] Don't allow sha1 on the mokutil command line. +Subject: [PATCH 04/10] Don't allow sha1 on the mokutil command line. Related: rhbz#1115843 @@ -11,7 +11,7 @@ Signed-off-by: Peter Jones 1 file changed, 2 insertions(+) diff --git a/src/mokutil.c b/src/mokutil.c -index a7e83f7..1fb34f9 100644 +index a7e83f71f0b..1fb34f9d3aa 100644 --- a/src/mokutil.c +++ b/src/mokutil.c @@ -1351,10 +1351,12 @@ identify_hash_type (const char *hash_str, efi_guid_t *type) @@ -28,5 +28,5 @@ index a7e83f7..1fb34f9 100644 *type = efi_guid_sha224; hash_size = SHA224_DIGEST_LENGTH; -- -2.7.4 +2.17.1 diff --git a/SOURCES/0005-Make-all-efi_guid_t-const.patch b/SOURCES/0005-Make-all-efi_guid_t-const.patch index 0e12a37..b041fc4 100644 --- a/SOURCES/0005-Make-all-efi_guid_t-const.patch +++ b/SOURCES/0005-Make-all-efi_guid_t-const.patch @@ -1,7 +1,7 @@ From eba569a8e6c33f07042758cbfa1706d7339464e1 Mon Sep 17 00:00:00 2001 From: Gary Lin Date: Wed, 13 Jan 2016 16:05:21 +0800 -Subject: [PATCH 5/7] Make all efi_guid_t const +Subject: [PATCH 05/10] Make all efi_guid_t const All UEFI GUIDs defined in efivar are const. Declare all of them const to make gcc happy. @@ -12,7 +12,7 @@ Signed-off-by: Gary Lin 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/src/mokutil.c b/src/mokutil.c -index 1fb34f9..d2c52b4 100644 +index 1fb34f9d3aa..d2c52b4caaf 100644 --- a/src/mokutil.c +++ b/src/mokutil.c @@ -200,7 +200,7 @@ efichar_from_char (efi_char16_t *dest, const char *src, size_t dest_len) @@ -83,5 +83,5 @@ index 1fb34f9..d2c52b4 100644 { uint8_t *authvar_data; -- -2.7.4 +2.17.1 diff --git a/SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch b/SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch index a0d87f3..af8b621 100644 --- a/SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch +++ b/SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch @@ -1,7 +1,7 @@ -From b68dca2d4de779387c4b5306bb9cfc9a3bab2572 Mon Sep 17 00:00:00 2001 +From 951daed3f98e9a3de2bc36cd82525cdbf7595e3e Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 14 Jun 2016 10:19:43 -0400 -Subject: [PATCH 6/7] mokutil: be explicit about file modes in all cases. +Subject: [PATCH 06/10] mokutil: be explicit about file modes in all cases. Signed-off-by: Peter Jones --- @@ -9,7 +9,7 @@ Signed-off-by: Peter Jones 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/mokutil.c b/src/mokutil.c -index d2c52b4..d554f6c 100644 +index d2c52b4caaf..d554f6cca21 100644 --- a/src/mokutil.c +++ b/src/mokutil.c @@ -574,7 +574,8 @@ delete_data_from_list (const efi_guid_t *var_guid, const char *var_name, @@ -33,5 +33,5 @@ index d2c52b4..d554f6c 100644 case ENROLL_MOK: fprintf (stderr, "Failed to enroll new keys\n"); -- -2.7.4 +2.17.1 diff --git a/SOURCES/0007-Add-bash-completion-file.patch b/SOURCES/0007-Add-bash-completion-file.patch index 725ad66..29720ad 100644 --- a/SOURCES/0007-Add-bash-completion-file.patch +++ b/SOURCES/0007-Add-bash-completion-file.patch @@ -1,29 +1,18 @@ -From d16c76d139f9a9a56b49c0dd51cd9056f626031e Mon Sep 17 00:00:00 2001 +From a797a566127f7469d744b2748f98d1fa5ea8d8f9 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 14 Jun 2016 10:20:14 -0400 -Subject: [PATCH 7/7] Add bash completion file. +Subject: [PATCH 07/10] Add bash completion file. Signed-off-by: Peter Jones --- - Makefile.am | 5 +++++ configure.ac | 17 +++++++++++++++++ + Makefile.am | 5 +++++ data/mokutil | 37 +++++++++++++++++++++++++++++++++++++ 3 files changed, 59 insertions(+) create mode 100755 data/mokutil -diff --git a/Makefile.am b/Makefile.am -index 9f0d419..c17cc4a 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -1 +1,6 @@ - SUBDIRS = src man -+ -+if ENABLE_BASH_COMPLETION -+ bashcompletiondir = $(BASH_COMPLETION_DIR) -+ dist_bashcompletion_DATA = data/mokutil -+endif diff --git a/configure.ac b/configure.ac -index 69d412a..7b52a06 100644 +index 69d412ac633..7b52a063df0 100644 --- a/configure.ac +++ b/configure.ac @@ -86,6 +86,23 @@ AC_CHECK_FUNCS([memset]) @@ -50,9 +39,20 @@ index 69d412a..7b52a06 100644 AC_CONFIG_FILES([Makefile src/Makefile man/Makefile]) +diff --git a/Makefile.am b/Makefile.am +index 9f0d4192515..c17cc4a86d8 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -1 +1,6 @@ + SUBDIRS = src man ++ ++if ENABLE_BASH_COMPLETION ++ bashcompletiondir = $(BASH_COMPLETION_DIR) ++ dist_bashcompletion_DATA = data/mokutil ++endif diff --git a/data/mokutil b/data/mokutil new file mode 100755 -index 0000000..800b039 +index 00000000000..800b039e7f4 --- /dev/null +++ b/data/mokutil @@ -0,0 +1,37 @@ @@ -94,5 +94,5 @@ index 0000000..800b039 + +complete -F _mokutil mokutil -- -2.7.4 +2.17.1 diff --git a/SOURCES/0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch b/SOURCES/0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch new file mode 100644 index 0000000..5642502 --- /dev/null +++ b/SOURCES/0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch @@ -0,0 +1,27 @@ +From b5f004ddbd8ef1f9f1d664d41d5dcc4272621080 Mon Sep 17 00:00:00 2001 +From: Tyler Hicks +Date: Mon, 20 Jun 2016 11:18:17 -0500 +Subject: [PATCH 08/10] Fix typo in error message when the system lacks Secure + Boot support + +Signed-off-by: Tyler Hicks +--- + src/mokutil.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index d554f6cca21..27f1292f3a9 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -2297,7 +2297,7 @@ main (int argc, char *argv[]) + rc = efi_get_variable (efi_guid_global, "SecureBoot", + &data, &data_size, &attributes); + if (rc < 0) { +- fprintf(stderr, "This system does't support Secure Boot\n"); ++ fprintf(stderr, "This system doesn't support Secure Boot\n"); + ret = -1; + goto out; + } +-- +2.17.1 + diff --git a/SOURCES/0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch b/SOURCES/0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch new file mode 100644 index 0000000..0bed1d9 --- /dev/null +++ b/SOURCES/0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch @@ -0,0 +1,27 @@ +From 2fa167f3905ebee27221fc2b1db4b79e215d8ca0 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 3 Apr 2017 16:33:38 -0400 +Subject: [PATCH 09/10] list_keys_in_var(): check errno correctly, not ret + twice. + +Signed-off-by: Peter Jones +--- + src/mokutil.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index 27f1292f3a9..0be9e8491fd 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -602,7 +602,7 @@ list_keys_in_var (const char *var_name, const efi_guid_t guid) + + ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes); + if (ret < 0) { +- if (ret == ENOENT) { ++ if (errno == ENOENT) { + printf ("%s is empty\n", var_name); + return 0; + } +-- +2.17.1 + diff --git a/SOURCES/0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch b/SOURCES/0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch new file mode 100644 index 0000000..2d57007 --- /dev/null +++ b/SOURCES/0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch @@ -0,0 +1,101 @@ +From 57f7c776dca0322fab107460cac71ac4b6e79b9a Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 15 May 2018 11:20:15 -0400 +Subject: [PATCH 10/10] generate_hash() / generate_pw_hash(): don't use + strlen() for strncpy bounds + +New gcc rightly comlplains when we do the following: + +strncpy (dest, src, strlen(src)); + +For two reasons: +a) it doesn't copy the NUL byte +b) it's otherwise the same thing strcpy() would have done + +This patch replaces that with stpncpy (just because it's slightly easier +to use) and the real bounds for the destination. + +Signed-off-by: Peter Jones +--- + src/mokutil.c | 33 ++++++++++++++++++++++----------- + 1 file changed, 22 insertions(+), 11 deletions(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index 0be9e8491fd..b5080107600 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -764,9 +764,10 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len) + { + pw_crypt_t new_crypt; + char settings[SETTINGS_LEN]; ++ char *next; + char *crypt_string; + const char *prefix; +- int hash_len, prefix_len; ++ int hash_len, settings_len = sizeof (settings) - 2; + + if (!password || !pw_crypt || password[pw_len] != '\0') + return -1; +@@ -774,15 +775,19 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len) + prefix = get_crypt_prefix (pw_crypt->method); + if (!prefix) + return -1; +- prefix_len = strlen(prefix); + + pw_crypt->salt_size = get_salt_size (pw_crypt->method); + generate_salt ((char *)pw_crypt->salt, pw_crypt->salt_size); + +- strncpy (settings, prefix, prefix_len); +- strncpy (settings + prefix_len, (const char *)pw_crypt->salt, +- pw_crypt->salt_size); +- settings[pw_crypt->salt_size + prefix_len] = '\0'; ++ memset (settings, 0, sizeof (settings)); ++ next = stpncpy (settings, prefix, settings_len); ++ if (pw_crypt->salt_size > settings_len - (next - settings)) { ++ errno = EOVERFLOW; ++ return -1; ++ } ++ next = stpncpy (next, (const char *)pw_crypt->salt, ++ pw_crypt->salt_size); ++ *next = '\0'; + + crypt_string = crypt (password, settings); + if (!crypt_string) +@@ -1929,10 +1934,11 @@ static int + generate_pw_hash (const char *input_pw) + { + char settings[SETTINGS_LEN]; ++ char *next; + char *password = NULL; + char *crypt_string; + const char *prefix; +- int prefix_len; ++ int settings_len = sizeof (settings) - 2; + unsigned int pw_len, salt_size; + + if (input_pw) { +@@ -1958,12 +1964,17 @@ generate_pw_hash (const char *input_pw) + prefix = get_crypt_prefix (DEFAULT_CRYPT_METHOD); + if (!prefix) + return -1; +- prefix_len = strlen(prefix); + +- strncpy (settings, prefix, prefix_len); ++ memset (settings, 0, sizeof (settings)); ++ next = stpncpy (settings, prefix, settings_len); + salt_size = get_salt_size (DEFAULT_CRYPT_METHOD); +- generate_salt ((settings + prefix_len), salt_size); +- settings[DEFAULT_SALT_SIZE + prefix_len] = '\0'; ++ if (salt_size > settings_len - (next - settings)) { ++ errno = EOVERFLOW; ++ return -1; ++ } ++ generate_salt (next, salt_size); ++ next += salt_size; ++ *next = '\0'; + + crypt_string = crypt (password, settings); + free (password); +-- +2.17.1 + diff --git a/SOURCES/BOOTIA32.CSV b/SOURCES/BOOTIA32.CSV index 1f0e21f..4e658b2 100644 Binary files a/SOURCES/BOOTIA32.CSV and b/SOURCES/BOOTIA32.CSV differ diff --git a/SOURCES/BOOTX64.CSV b/SOURCES/BOOTX64.CSV index da8cf51..7692a93 100644 Binary files a/SOURCES/BOOTX64.CSV and b/SOURCES/BOOTX64.CSV differ diff --git a/SOURCES/centos-ca-secureboot.der b/SOURCES/centos-ca-secureboot.der deleted file mode 100644 index 44a2563..0000000 Binary files a/SOURCES/centos-ca-secureboot.der and /dev/null differ diff --git a/SOURCES/centossecureboot001.crt b/SOURCES/centossecureboot001.crt deleted file mode 100644 index 321c4ec..0000000 --- a/SOURCES/centossecureboot001.crt +++ /dev/null @@ -1,81 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - b6:16:15:71:72:fb:31:7e - Signature Algorithm: sha256WithRSAEncryption - Issuer: CN=CentOS Secure Boot (CA key 1)/emailAddress=security@centos.org - Validity - Not Before: Aug 1 11:47:30 2018 GMT - Not After : Dec 31 11:47:30 2037 GMT - Subject: CN=CentOS Secure Boot (key 1)/emailAddress=security@centos.org - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public Key: (2048 bit) - Modulus (2048 bit): - 00:c1:a3:6a:f4:2d:71:83:6c:21:ca:0c:b7:ac:fa: - 76:80:43:03:40:87:5d:de:e9:1e:df:ad:e7:2b:51: - cb:f8:31:0f:9a:db:ab:23:25:04:11:05:57:7d:f2: - 4b:8d:1e:b3:75:78:1d:b9:57:8b:18:0b:bb:7e:e3: - 24:0f:6a:40:5f:2b:4f:03:a5:85:94:d2:f9:08:a0: - bc:db:a5:ea:4f:7f:e8:7c:d1:a9:f8:f0:9c:25:18: - 00:14:c4:c4:35:7d:1d:4c:8a:8d:95:f8:ed:65:97: - a5:a4:da:7d:cb:f0:33:3b:b7:03:94:68:47:05:57: - 6c:96:91:ac:14:f2:e3:f6:6d:4a:18:cf:68:8a:35: - 6f:8e:26:99:7f:db:c9:83:54:c2:c3:bf:ad:45:a0: - aa:a0:86:5f:20:b1:86:1b:ae:b7:28:15:11:f9:65: - 53:5d:70:33:9b:a3:c7:b5:c8:11:ff:55:3b:e7:46: - f1:6c:6b:8c:bb:f2:9f:36:23:b1:2d:23:2f:8f:4f: - 6c:a8:cc:ae:f5:56:9e:22:6c:0e:9a:4a:b1:bd:b2: - 76:15:5c:05:85:b8:5e:dc:8c:a5:c3:e0:75:51:a4: - 94:9b:03:2e:7b:f8:d3:b9:dd:7f:88:ce:2e:2f:28: - 4c:b4:92:2f:e6:e0:67:0a:d0:ff:c5:d2:79:a6:ef: - 94:0f - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:FALSE - X509v3 Key Usage: - Digital Signature - X509v3 Subject Key Identifier: - F0:37:C6:EA:EC:36:D4:05:7A:52:6C:0E:C6:D5:A9:5B:32:4E:E1:29 - X509v3 Authority Key Identifier: - keyid:54:EC:81:85:89:3E:E9:1A:DB:08:F7:44:88:54:7E:8E:3F:74:3A:F3 - - Signature Algorithm: sha256WithRSAEncryption - 97:97:ba:a6:0b:5b:bb:84:39:2e:ef:8b:51:9a:89:bb:65:3c: - dc:15:d0:5a:88:c5:af:ce:93:f5:c1:74:98:15:59:a9:38:da: - 11:fd:46:d5:4f:23:7c:03:1f:ae:0c:70:93:94:a7:61:2f:4b: - 2f:5f:bb:cc:8a:d7:4a:24:66:73:85:b4:19:13:fc:6a:61:4a: - 28:1f:a2:38:f4:72:90:03:c4:3e:64:63:8b:fb:15:22:22:4e: - b9:43:d9:b4:3d:3a:60:c1:4d:3a:09:85:68:7a:bc:3b:f9:ef: - f3:f5:e9:c9:4f:80:8c:c6:e9:cb:ef:28:44:b0:5d:d4:9e:4f: - 0f:02:9a:65:aa:98:35:b4:6f:d2:80:e3:08:ef:12:d0:17:56: - a6:a1:42:1e:1d:ab:e5:33:c0:fd:88:0d:40:42:81:c8:27:30: - 17:07:57:3e:05:9d:aa:05:0e:5b:3a:79:b4:29:aa:7c:42:5a: - ad:43:59:fb:34:4d:dc:62:58:63:e4:fb:de:bb:fd:6c:4e:97: - 58:f4:b9:99:4a:71:fe:7f:16:50:55:25:46:39:96:9b:88:6c: - 75:19:33:9e:70:b3:04:82:fe:16:a8:8e:22:47:83:6d:16:77: - da:26:ad:31:d8:06:6d:c5:7e:46:4b:21:ab:ae:ec:2a:93:71: - da:7f:89:1d ------BEGIN CERTIFICATE----- -MIIDdTCCAl2gAwIBAgIJALYWFXFy+zF+MA0GCSqGSIb3DQEBCwUAMEwxJjAkBgNV -BAMMHUNlbnRPUyBTZWN1cmUgQm9vdCAoQ0Ega2V5IDEpMSIwIAYJKoZIhvcNAQkB -FhNzZWN1cml0eUBjZW50b3Mub3JnMB4XDTE4MDgwMTExNDczMFoXDTM3MTIzMTEx -NDczMFowSTEjMCEGA1UEAxMaQ2VudE9TIFNlY3VyZSBCb290IChrZXkgMSkxIjAg -BgkqhkiG9w0BCQEWE3NlY3VyaXR5QGNlbnRvcy5vcmcwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQDBo2r0LXGDbCHKDLes+naAQwNAh13e6R7frecrUcv4 -MQ+a26sjJQQRBVd98kuNHrN1eB25V4sYC7t+4yQPakBfK08DpYWU0vkIoLzbpepP -f+h80an48JwlGAAUxMQ1fR1Mio2V+O1ll6Wk2n3L8DM7twOUaEcFV2yWkawU8uP2 -bUoYz2iKNW+OJpl/28mDVMLDv61FoKqghl8gsYYbrrcoFRH5ZVNdcDObo8e1yBH/ -VTvnRvFsa4y78p82I7EtIy+PT2yozK71Vp4ibA6aSrG9snYVXAWFuF7cjKXD4HVR -pJSbAy57+NO53X+Izi4vKEy0ki/m4GcK0P/F0nmm75QPAgMBAAGjXTBbMAwGA1Ud -EwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBTwN8bq7DbUBXpSbA7G1alb -Mk7hKTAfBgNVHSMEGDAWgBRU7IGFiT7pGtsI90SIVH6OP3Q68zANBgkqhkiG9w0B -AQsFAAOCAQEAl5e6pgtbu4Q5Lu+LUZqJu2U83BXQWojFr86T9cF0mBVZqTjaEf1G -1U8jfAMfrgxwk5SnYS9LL1+7zIrXSiRmc4W0GRP8amFKKB+iOPRykAPEPmRji/sV -IiJOuUPZtD06YMFNOgmFaHq8O/nv8/XpyU+AjMbpy+8oRLBd1J5PDwKaZaqYNbRv -0oDjCO8S0BdWpqFCHh2r5TPA/YgNQEKByCcwFwdXPgWdqgUOWzp5tCmqfEJarUNZ -+zRN3GJYY+T73rv9bE6XWPS5mUpx/n8WUFUlRjmWm4hsdRkznnCzBIL+FqiOIkeD -bRZ32iatMdgGbcV+Rkshq67sKpNx2n+JHQ== ------END CERTIFICATE----- diff --git a/SPECS/shim-signed.spec b/SPECS/shim-signed.spec index 5c1d022..0ee04e5 100644 --- a/SPECS/shim-signed.spec +++ b/SPECS/shim-signed.spec @@ -1,14 +1,23 @@ Name: shim-signed -Version: 12 -Release: 2%{?dist}%{?buildid} +Version: 15 +Release: 1%{?dist}%{?buildid} Summary: First-stage UEFI bootloader -%define unsigned_release 2%{?dist} +%define unsigned_release 1%{?dist} License: BSD -URL: http://www.codon.org.uk/~mjg59/shim/ +URL: https://github.com/rhboot/shim/ # incorporate mokutil for packaging simplicity %global mokutil_version 0.3.0 Source0: https://github.com/lcp/mokutil/archive/mokutil-%{mokutil_version}.tar.gz +Source1: secureboot.cer +Source2: securebootca.cer +Source10: shimx64.efi +Source11: shimia32.efi +Source12: shimaa64.efi +Source20: BOOTX64.CSV +Source21: BOOTIA32.CSV +Source22: BOOTAA64.CSV + Patch0001: 0001-Fix-the-potential-buffer-overflow.patch Patch0002: 0002-Fix-the-32bit-signedness-comparison.patch Patch0003: 0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch @@ -16,16 +25,9 @@ Patch0004: 0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch Patch0005: 0005-Make-all-efi_guid_t-const.patch Patch0006: 0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch Patch0007: 0007-Add-bash-completion-file.patch - -Source1: centossecureboot001.crt -Source2: centos-ca-secureboot.der -%define pesign_name centossecureboot001 -Source10: shimx64.efi -Source11: shimia32.efi -#Source12: shimaa64.efi -Source20: BOOTX64.CSV -Source21: BOOTIA32.CSV -Source22: BOOTAA64.CSV +Patch0008: 0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch +Patch0009: 0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch +Patch0010: 0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch %ifarch x86_64 %global efiarch X64 @@ -40,7 +42,7 @@ Source22: BOOTAA64.CSV %ifarch aarch64 %global efiarch AA64 %global efiarchlc aa64 -#%global shimsrc %{SOURCE12} +%global shimsrc %{SOURCE12} %global bootsrc %{SOURCE22} %endif %define unsigned_dir %{_datadir}/shim/%{efiarchlc}-%{version}-%{unsigned_release}/ @@ -74,7 +76,7 @@ This package provides debug information for package %{name}.\ Debug information is useful when developing applications that use this\ package or when debugging this package.\ %files -n mokutil-debuginfo -f debugfiles.list\ -%defattr(-,root,root)\ +%defattr(-,root,root,-)\ %endif\ %{nil} @@ -93,7 +95,7 @@ the UEFI signing service. Summary: First-stage UEFI bootloader Requires: mokutil = %{version}-%{release} Provides: shim = %{version}-%{release} -Obsoletes: shim +Obsoletes: shim <= 12 # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not # compatible with SysV (there's no red zone under UEFI) and there isn't a # POSIX-style C library. @@ -147,27 +149,27 @@ cd .. %ifarch %{ca_signed_arches} pesign -i %{shimsrc} -h -P > shim%{efiarchlc}.hash if ! cmp shim%{efiarchlc}.hash %{unsigned_dir}shim%{efiarchlc}.hash ; then - echo Invalid signature\! > /dev/stderr - echo saved hash is $(cat %{unsigned_dir}shim%{efiarchlc}.hash) > /dev/stderr - echo shim%{efiarchlc}.efi hash is $(cat shim%{efiarchlc}.hash) > /dev/stderr - exit 1 + echo Invalid signature\! > /dev/stderr + echo saved hash is $(cat %{unsigned_dir}shim%{efiarchlc}.hash) > /dev/stderr + echo shim%{efiarchlc}.efi hash is $(cat shim%{efiarchlc}.hash) > /dev/stderr + exit 1 fi cp %{shimsrc} shim%{efiarchlc}.efi %ifarch x86_64 pesign -i %{shimsrcia32} -h -P > shimia32.hash if ! cmp shimia32.hash %{unsigned_dir_ia32}shimia32.hash ; then - echo Invalid signature\! > /dev/stderr - echo saved hash is $(cat %{unsigned_dir_ia32}shimia32.hash) > /dev/stderr - echo shimia32.efi hash is $(cat shimia32.hash) > /dev/stderr - exit 1 + echo Invalid signature\! > /dev/stderr + echo saved hash is $(cat %{unsigned_dir_ia32}shimia32.hash) > /dev/stderr + echo shimia32.efi hash is $(cat shimia32.hash) > /dev/stderr + exit 1 fi cp %{shimsrcia32} shimia32.efi %endif %endif %ifarch %{rh_signed_arches} -%pesign -s -i %{unsigned_dir}shim%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} -o shim%{efiarchlc}-%{efidir}.efi +%pesign -s -i %{unsigned_dir}shim%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301 -o shim%{efiarchlc}-%{efidir}.efi %ifarch x86_64 -%pesign -s -i %{unsigned_dir_ia32}shimia32.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} -o shimia32-%{efidir}.efi +%pesign -s -i %{unsigned_dir_ia32}shimia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301 -o shimia32-%{efidir}.efi %endif %endif %ifarch %{rh_signed_arches} @@ -176,12 +178,12 @@ cp shim%{efiarchlc}-%{efidir}.efi shim%{efiarchlc}.efi %endif %endif -%pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} -%pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} +%pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301 +%pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301 %ifarch x86_64 -%pesign -s -i %{unsigned_dir_ia32}mmia32.efi -o mmia32.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} -%pesign -s -i %{unsigned_dir_ia32}fbia32.efi -o fbia32.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} +%pesign -s -i %{unsigned_dir_ia32}mmia32.efi -o mmia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301 +%pesign -s -i %{unsigned_dir_ia32}fbia32.efi -o fbia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301 %endif cd mokutil-%{mokutil_version} @@ -191,56 +193,54 @@ make %{?_smp_mflags} %install rm -rf $RPM_BUILD_ROOT -install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/ -install -m 0644 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi -install -m 0644 shim%{efiarchlc}-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi -install -m 0644 mm%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi -install -m 0644 mm%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/MokManager.efi -install -m 0644 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV - -install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/ -install -m 0644 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOT%{efiarch}.EFI -install -m 0644 fb%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fb%{efiarchlc}.efi -install -m 0644 fb%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fallback.efi +install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/ +install -m 0700 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi +install -m 0700 shim%{efiarchlc}-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi +install -m 0700 mm%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi +install -m 0700 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV + +install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/ +install -m 0700 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOT%{efiarch}.EFI +install -m 0700 fb%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fb%{efiarchlc}.efi %ifarch aarch64 # In case old boot entries aren't updated -install -m 0644 %{shimsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi +install -m 0700 %{shimsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi %endif %ifarch x86_64 # In case old boot entries aren't updated -install -m 0644 shimx64.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi -install -m 0644 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV +install -m 0700 shimx64.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi +install -m 0700 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV -install -m 0644 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi -install -m 0644 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi -install -m 0644 shimia32-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi -install -m 0644 mmia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mmia32.efi -install -m 0644 %{bootsrcia32} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOTIA32.CSV +install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi +install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi +install -m 0700 shimia32-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi +install -m 0700 mmia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mmia32.efi +install -m 0700 %{bootsrcia32} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOTIA32.CSV -install -m 0644 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOTIA32.EFI -install -m 0644 fbia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fbia32.efi +install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOTIA32.EFI +install -m 0700 fbia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fbia32.efi %endif cd mokutil-%{mokutil_version} make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install %files -n shim-%{efiarchlc} +%defattr(0700,root,root,-) /boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi /boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi /boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi -/boot/efi/EFI/%{efidir}/MokManager.efi /boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV /boot/efi/EFI/BOOT/BOOT%{efiarch}.EFI /boot/efi/EFI/BOOT/fb%{efiarchlc}.efi -/boot/efi/EFI/BOOT/fallback.efi /boot/efi/EFI/%{efidir}/shim.efi %ifarch x86_64 /boot/efi/EFI/%{efidir}/BOOT.CSV %files -n shim-ia32 +%defattr(0700,root,root,-) /boot/efi/EFI/%{efidir}/shimia32.efi /boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi /boot/efi/EFI/%{efidir}/mmia32.efi @@ -258,11 +258,19 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install %{_datadir}/bash-completion/completions/mokutil %changelog -* Fri Aug 24 2018 Fabian Arrotin - 12-2.el7 -- Rebuilt with new shim (built with new key/cert) - -* Thu Aug 31 2017 Karanbir Singh - 12-1.el7.centos -- interim build +* Fri Jul 20 2018 Peter Jones - 15-1 +- Update to shim version 15 + Resolves: rhbz#1589962 + +* Wed Jul 11 2018 Peter Jones - 12-3 +- Fix broken file owner/modes + Resolves: rhbz#1595677 + +* Sat Jun 23 2018 Peter Jones - 12-2 +- Fix /boot/efi/... permissions to match the filesystem's requirements + Related: rhbz#1512749 +- Minor .spec cleanups + Related: rhbz#1512749 * Mon May 01 2017 Peter Jones - 12-1 - Update to 12-1 to work around a signtool.exe bug