5cb902
Name:		shim
bf16f3
Version:	15.4
bf16f3
Release:	2%{?dist}
5cb902
Summary:	First-stage UEFI bootloader
5cb902
License:	BSD
5cb902
URL:		https://github.com/rhboot/shim/
5cb902
BuildRequires:	efi-filesystem
5cb902
BuildRequires:	efi-srpm-macros >= 3-2
5cb902
5cb902
ExclusiveArch:	%{efi}
5cb902
# but we don't build a .i686 package, just a shim-ia32.x86_64 package
5cb902
ExcludeArch:	%{ix86}
5cb902
# and we don't have shim-unsigned-arm builds *yet*
5cb902
ExcludeArch:	%{arm}
5cb902
5cb902
Source0:	shim.rpmmacros
034713
Source1:	redhatsecureboot501.cer
034713
Source2:	redhatsecurebootca5.cer
5cb902
5cb902
# keep these two lists of sources synched up arch-wise.  That is 0 and 10
5cb902
# match, 1 and 11 match, ...
5cb902
Source10:	BOOTAA64.CSV
5cb902
Source20:	shimaa64.efi
5cb902
Source11:	BOOTIA32.CSV
5cb902
Source21:	shimia32.efi
5cb902
Source12:	BOOTX64.CSV
5cb902
Source22:	shimx64.efi
5cb902
#Source13:	BOOTARM.CSV
5cb902
#Source23:	shimarm.efi
5cb902
5cb902
%include %{SOURCE0}
5cb902
5cb902
BuildRequires:	pesign >= 0.112-20.fc27
5cb902
# We need this because %%{efi} won't expand before choosing where to make
5cb902
# the src.rpm in koji, and we could be on a non-efi architecture, in which
5cb902
# case we won't have a valid expansion here...  To be solved in the future
5cb902
# (shim 16+) by making the unsigned packages all provide "shim-unsigned", so
5cb902
# we can just BuildRequires that.
5cb902
%ifarch x86_64
5cb902
BuildRequires:	%{unsignedx64} = %{shimverx64}
5cb902
BuildRequires:	%{unsignedia32} = %{shimveria32}
5cb902
%endif
5cb902
%ifarch aarch64
5cb902
BuildRequires:	%{unsignedaa64} = %{shimveraa64}
5cb902
%endif
5cb902
#%%ifarch arm
5cb902
#BuildRequires:	%%{unsignedarm} = %%{shimverarm}
5cb902
#%%endif
5cb902
5cb902
%description
5cb902
Initial UEFI bootloader that handles chaining to a trusted full bootloader
5cb902
under secure boot environments. This package contains the version signed by
5cb902
the UEFI signing service.
5cb902
5cb902
%define_pkg -a %{efi_arch} -p 1
5cb902
%if %{efi_has_alt_arch}
5cb902
%define_pkg -a %{efi_alt_arch}
5cb902
%endif
5cb902
5cb902
%prep
5cb902
cd %{_builddir}
5cb902
rm -rf shim-%{version}
5cb902
mkdir shim-%{version}
5cb902
5cb902
%build
5cb902
5cb902
cd shim-%{version}
5cb902
%if %{efi_has_alt_arch}
5cb902
%define_build -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -i %{shimefialt} -b yes -c %{is_alt_signed} -d %{shimdiralt}
5cb902
%endif
5cb902
%define_build -a %{efi_arch} -A %{efi_arch_upper} -i %{shimefi} -b yes -c %{is_signed} -d %{shimdir}
5cb902
5cb902
%install
5cb902
rm -rf $RPM_BUILD_ROOT
5cb902
cd shim-%{version}
5cb902
install -D -d -m 0755 $RPM_BUILD_ROOT/boot/
5cb902
install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_root}/
5cb902
install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_efi}/
5cb902
install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_dir}/
5cb902
install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_boot}/
5cb902
5cb902
%do_install -a %{efi_arch} -A %{efi_arch_upper} -b %{bootcsv}
5cb902
%if %{efi_has_alt_arch}
5cb902
%do_install -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -b %{bootcsvalt}
5cb902
%endif
5cb902
5cb902
%if %{provide_legacy_shim}
5cb902
install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi
5cb902
%endif
5cb902
5cb902
( cd $RPM_BUILD_ROOT ; find .%{efi_esp_root} -type f ) \
5cb902
  | sed -e 's/\./\^/' -e 's,^\\\./,.*/,' -e 's,$,$,' > %{__brp_mangle_shebangs_exclude_from_file}
5cb902
5cb902
%define_files -a %{efi_arch} -A %{efi_arch_upper}
5cb902
%if %{efi_has_alt_arch}
5cb902
%define_files -a %{efi_alt_arch} -A %{efi_alt_arch_upper}
5cb902
%endif
5cb902
5cb902
%if %{provide_legacy_shim}
5cb902
%{efi_esp_dir}/shim.efi
5cb902
%endif
5cb902
5cb902
%changelog
bf16f3
* Tue Apr 06 2021 Peter Jones <pjones@redhat.com> - 15.4-2
bf16f3
- Fix build-deps on our shim-unsigned-* packages.
bf16f3
  Related: CVE-2020-14372 (and others)
bf16f3
bf16f3
* Mon Apr 05 2021 Peter Jones <pjones@redhat.com> - 15.4-1
bf16f3
- Update to shim 15.4
bf16f3
  - Support for revocations via the ".sbat" section and SBAT EFI variable
bf16f3
  - A new unit test framework and a bunch of unit tests
bf16f3
  - No external gnu-efi dependency
bf16f3
  - Better CI
bf16f3
  Resolves: CVE-2020-14372
bf16f3
  Resolves: CVE-2020-25632
bf16f3
  Resolves: CVE-2020-25647
bf16f3
  Resolves: CVE-2020-27749
bf16f3
  Resolves: CVE-2020-27779
bf16f3
  Resolves: CVE-2021-20225
bf16f3
  Resolves: CVE-2021-20233
034713
034713
* Fri Jul 31 2020 Peter Jones <pjones@redhat.com> - 15-15
034713
- Update once again for new signed shim builds.
bf16f3
  Resolves: rhbz#1862231
034713
034713
* Tue Jul 28 2020 Peter Jones <pjones@redhat.com> - 15-14
034713
- Get rid of our %%dist hack for now.
034713
034713
* Tue Jul 28 2020 Peter Jones <pjones@redhat.com> - 15-13
034713
- New signing keys
034713
  Related: CVE-2020-10713
034713
  Related: CVE-2020-14308
034713
  Related: CVE-2020-14309
034713
  Related: CVE-2020-14310
034713
  Related: CVE-2020-14311
034713
b1e9dd
* Thu Jun 11 2020 Javier Martinez Canillas <javierm@redhat.com> - 15-12
b1e9dd
- Fix firmware update bug in aarch64 caused by shim ignoring arguments
b1e9dd
- Fix a shim crash when attempting to netboot
b1e9dd
5cb902
* Fri Jun 07 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-11
5cb902
- Update the shim-unsigned-aarch64 version number
5cb902
  Related: rhbz#1715879
5cb902
5cb902
* Fri Jun 07 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-10
5cb902
- Add a gating.yaml file so the package can be properly gated
5cb902
  Related: rhbz#1681809
5cb902
5cb902
* Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-9
5cb902
- Bump the NVR
5cb902
  Related: rhbz#1715879
5cb902
5cb902
* Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-7
5cb902
- Make EFI variable copying fatal only on secureboot enabled systems
5cb902
  Resolves: rhbz#1715879
5cb902
- Fix booting shim from an EFI shell using a relative path
5cb902
  Resolves: rhbz#1717061
5cb902
5cb902
* Thu Mar 14 2019 Peter Jones <pjones@redhat.com> - 15-6
5cb902
- Fix MoK mirroring issue which breaks kdump without intervention
5cb902
  Resolves: rhbz#1668966
5cb902
5cb902
* Thu Jan 24 2019 Peter Jones <pjones@redhat.com> - 15-5
5cb902
- Rebuild for signing once again. If the signer actually works, then:
5cb902
  Resolves: rhbz#1620941
5cb902
5cb902
* Tue Oct 16 2018 Peter Jones <pjones@redhat.com> - 15-4
5cb902
- Rebuild for signing
5cb902
  Resolves: rhbz#1620941
5cb902
5cb902
* Mon Aug 13 2018 Troy Dawson <tdawson@redhat.com>
5cb902
- Release Bumped for el8 Mass Rebuild
5cb902
5cb902
* Sat Aug 11 2018 Troy Dawson <tdawson@redhat.com>
5cb902
- Release Bumped for el8+8 Mass Rebuild
5cb902
5cb902
* Mon Jul 23 2018 Peter Jones <pjones@redhat.com> - 15-1
5cb902
- Build for RHEL 8