diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..1d48086 --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +SOURCES/shimaa64.efi +SOURCES/shimia32.efi +SOURCES/shimx64.efi diff --git a/.shim.metadata b/.shim.metadata new file mode 100644 index 0000000..f997f90 --- /dev/null +++ b/.shim.metadata @@ -0,0 +1,3 @@ +750bd7932437b1fb6610c233f69db1b70d67fab1 SOURCES/shimaa64.efi +96ea5ec6612ad2d49dfa812897fc2f70ebee6b9d SOURCES/shimia32.efi +b7adea991a31e4392910db8b7ee63faff39e9207 SOURCES/shimx64.efi diff --git a/SOURCES/BOOTAA64.CSV b/SOURCES/BOOTAA64.CSV new file mode 100644 index 0000000..2dad06e Binary files /dev/null and b/SOURCES/BOOTAA64.CSV differ diff --git a/SOURCES/BOOTIA32.CSV b/SOURCES/BOOTIA32.CSV new file mode 100644 index 0000000..4e658b2 Binary files /dev/null and b/SOURCES/BOOTIA32.CSV differ diff --git a/SOURCES/BOOTX64.CSV b/SOURCES/BOOTX64.CSV new file mode 100644 index 0000000..7692a93 Binary files /dev/null and b/SOURCES/BOOTX64.CSV differ diff --git a/SOURCES/redhatsecureboot501.cer b/SOURCES/redhatsecureboot501.cer new file mode 100644 index 0000000..dfa7afb Binary files /dev/null and b/SOURCES/redhatsecureboot501.cer differ diff --git a/SOURCES/redhatsecurebootca5.cer b/SOURCES/redhatsecurebootca5.cer new file mode 100644 index 0000000..dfb0284 Binary files /dev/null and b/SOURCES/redhatsecurebootca5.cer differ diff --git a/SOURCES/shim.rpmmacros b/SOURCES/shim.rpmmacros new file mode 100644 index 0000000..ec33c1d --- /dev/null +++ b/SOURCES/shim.rpmmacros @@ -0,0 +1,171 @@ +%global debug_package %{nil} +%global __brp_mangle_shebangs_exclude_from_file %{expand:%{_builddir}/shim-%{efi_arch}-%{version}-%{release}.%{_target_cpu}-shebangs.txt} +%global vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}} +%global vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}} + +%global bootcsvaa64 %{expand:%{SOURCE10}} +%global bootcsvia32 %{expand:%{SOURCE11}} +%global bootcsvx64 %{expand:%{SOURCE12}} +#%%global bootcsvarm %%{expand:%%{SOURCE13}} + +%global shimefiaa64 %{expand:%{SOURCE20}} +%global shimefiia32 %{expand:%{SOURCE21}} +%global shimefix64 %{expand:%{SOURCE22}} +#%%global shimefiarm %%{expand:%%{SOURCE23} + +%global shimveraa64 15-6.el8 +%global shimveria32 15-9.el8 +%global shimverx64 15-9.el8 +#%%global shimverarm 15-1.el8 + +%global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64 +%global shimdiria32 %{_datadir}/shim/%{shimveria32}/ia32 +%global shimdirx64 %{_datadir}/shim/%{shimverx64}/x64 +#%%global shimdirarm %%{_datadir}/shim/%%{shimverarm}/arm + +%global unsignedaa64 shim-unsigned-aarch64 +%global unsignedia32 shim-unsigned-ia32 +%global unsignedx64 shim-unsigned-x64 +#%%global unsignedarm shim-unsigned-arm + +%global bootcsv %{expand:%{bootcsv%{efi_arch}}} +%global bootcsvalt %{expand:%{bootcsv%{?efi_alt_arch}}} +%global shimefi %{expand:%{shimefi%{efi_arch}}} +%global shimefialt %{expand:%{shimefi%{?efi_alt_arch}}} +%global shimver %{expand:%{shimver%{efi_arch}}} +%global shimveralt %{expand:%{shimver%{?efi_alt_arch}}} +%global shimdir %{expand:%{shimdir%{efi_arch}}} +%global shimdiralt %{expand:%{shimdir%{?efi_alt_arch}}} + +%global unsignednone shim-unsigned-none +%global unsigned %{expand:%%{unsigned%{efi_arch}}} +%global unsignedalt %{expand:%%{unsigned%{efi_alt_arch}}} + +%define define_pkg(a:p:) \ +%{expand:%%package -n shim-%{-a*}} \ +Summary: First-stage UEFI bootloader \ +Requires: mokutil >= 1:0.3.0-1 \ +Requires: efi-filesystem \ +Provides: shim-signed-%{-a*} = %{version}-%{release} \ +Requires: dbxtool >= 0.6-3 \ +%{expand:%%if 0%%{-p*} \ +Provides: shim = %{version}-%{release} \ +Provides: shim-signed = %{version}-%{release} \ +Obsoletes: shim-signed < %{version}-%{release} \ +Obsoletes: shim < %{version}-%{release} \ +%%endif} \ +# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI \ +# is not compatible with SysV (there's no red zone under UEFI) and \ +# there isn't a POSIX-style C library. \ +# BuildRequires: OpenSSL \ +Provides: bundled(openssl) = 1.0.2j \ + \ +%{expand:%%description -n shim-%{-a*}} \ +Initial UEFI bootloader that handles chaining to a trusted full \ +bootloader under secure boot environments. This package contains the \ +version signed by the UEFI signing service. \ +%{nil} + +# -a +# -i +%define hash(a:i:d:) \ + pesign -i %{-i*} -h -P > shim.hash \ + read file0 hash0 < shim.hash \ + read file1 hash1 < %{-d*}/shim%{-a*}.hash \ + if ! [ "$hash0" = "$hash1" ]; then \ + echo Invalid signature\! > /dev/stderr \ + echo $hash0 vs $hash1 \ + exit 1 \ + fi \ + %{nil} + +# -i +# -o +%define sign(i:o:n:a:c:) \ + %{expand:%%pesign -s -i %{-i*} -o %{-o*} %{-n} %{-n*} %{-a} %{-a*} %{-c} %{-c*}} \ + %{nil} + +# -b +# -a +# -i +%define distrosign(b:a:d:) \ + cp -av %{-d*}/%{-b*}%{-a*}.efi %{-b*}%{-a*}-unsigned.efi \ + %{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi -n redhatsecureboot501 -a %{SOURCE2} -c %{SOURCE1} }\ + %{nil} + +# -a +# -A +# -b <1|0> # signed by this builder? +# -c <1|0> # signed by UEFI CA? +# -i +%define define_build(a:A:b:c:i:d:) \ +if [ "%{-c*}" = "yes-temporarily-disabled-20180723" ]; then \ + %{expand:%%hash -i %{-i*} -a %{-a*} -d %{-d*}} \ +fi \ +cp %{-i*} shim%{-a*}.efi \ +if [ "%{-b*}" = "yes" ]; then \ + %{expand:%%distrosign -b shim -a %{-a*} -d %{-d*}} \ + mv shim%{-a*}-signed.efi shim%{-a*}-%{efi_vendor}.efi \ +fi \ +if [ "%{-c*}" = "no" ]; then \ + cp shim%{-a*}-%{efi_vendor}.efi shim%{-a*}.efi \ +fi \ +%{expand:%%distrosign -b mm -a %{-a*} -d %{-d*}} \ +mv mm%{-a*}-signed.efi mm%{-a*}.efi \ +%{expand:%%distrosign -b fb -a %{-a*} -d %{-d*}} \ +mv fb%{-a*}-signed.efi fb%{-a*}.efi \ +rm -vf \\\ + mm%{-a*}-unsigned.efi \\\ + fb%{-a*}-unsigned.efi \\\ + shim%{-a*}-unsigned.efi \ +%{nil} + +# -a +# -A +# -b +%define do_install(a:A:b:) \ +install -m 0700 shim%{-a*}.efi \\\ + $RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}.efi \ +install -m 0700 shim%{-a*}-%{efi_vendor}.efi \\\ + $RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}-%{efi_vendor}.efi \ +install -m 0700 mm%{-a*}.efi \\\ + $RPM_BUILD_ROOT%{efi_esp_dir}/mm%{-a*}.efi \ +install -m 0700 %{-b*} \\\ + $RPM_BUILD_ROOT%{efi_esp_dir}/BOOT%{-A*}.CSV \ +install -m 0700 shim%{-a*}.efi \\\ + $RPM_BUILD_ROOT%{efi_esp_boot}/BOOT%{-A*}.EFI \ +install -m 0700 fb%{-a*}.efi \\\ + $RPM_BUILD_ROOT%{efi_esp_boot}/fb%{-a*}.efi \ +%nil + +# -a +# -A +%define define_files(a:A:) \ +%{expand:%%files -n shim-%{-a*}} \ +%{efi_esp_dir}/*%{-a*}*.efi \ +%{efi_esp_dir}/BOOT%{-A*}.CSV \ +%{efi_esp_boot}/*%{-a*}.efi \ +%{efi_esp_boot}/*%{-A*}.EFI \ +%{nil} + +%ifarch x86_64 +%global is_signed yes +%global is_alt_signed yes +%global provide_legacy_shim 1 +%endif +%ifarch aarch64 +%global is_signed no +%global is_alt_signed no +%global provide_legacy_shim 1 +%endif +%ifnarch x86_64 aarch64 +%global is_signed no +%global is_alt_signed no +%global provide_legacy_shim 0 +%endif + +%if ! 0%{?vendor:1} +%global vendor nopenopenope +%endif + +# vim:filetype=rpmmacros diff --git a/SPECS/shim.spec b/SPECS/shim.spec new file mode 100644 index 0000000..c21b6cb --- /dev/null +++ b/SPECS/shim.spec @@ -0,0 +1,166 @@ +Name: shim +Version: 15 +Release: 16%{?dist} +Summary: First-stage UEFI bootloader +License: BSD +URL: https://github.com/rhboot/shim/ +BuildRequires: efi-filesystem +BuildRequires: efi-srpm-macros >= 3-2 + +ExclusiveArch: %{efi} +# but we don't build a .i686 package, just a shim-ia32.x86_64 package +ExcludeArch: %{ix86} +# and we don't have shim-unsigned-arm builds *yet* +ExcludeArch: %{arm} + +Source0: shim.rpmmacros +Source1: redhatsecureboot501.cer +Source2: redhatsecurebootca5.cer + +# keep these two lists of sources synched up arch-wise. That is 0 and 10 +# match, 1 and 11 match, ... +Source10: BOOTAA64.CSV +Source20: shimaa64.efi +Source11: BOOTIA32.CSV +Source21: shimia32.efi +Source12: BOOTX64.CSV +Source22: shimx64.efi +#Source13: BOOTARM.CSV +#Source23: shimarm.efi + +%include %{SOURCE0} + +BuildRequires: pesign >= 0.112-20.fc27 +# We need this because %%{efi} won't expand before choosing where to make +# the src.rpm in koji, and we could be on a non-efi architecture, in which +# case we won't have a valid expansion here... To be solved in the future +# (shim 16+) by making the unsigned packages all provide "shim-unsigned", so +# we can just BuildRequires that. +%ifarch x86_64 +BuildRequires: %{unsignedx64} = %{shimverx64} +BuildRequires: %{unsignedia32} = %{shimveria32} +%endif +%ifarch aarch64 +BuildRequires: %{unsignedaa64} = %{shimveraa64} +%endif +#%%ifarch arm +#BuildRequires: %%{unsignedarm} = %%{shimverarm} +#%%endif + +%description +Initial UEFI bootloader that handles chaining to a trusted full bootloader +under secure boot environments. This package contains the version signed by +the UEFI signing service. + +%define_pkg -a %{efi_arch} -p 1 +%if %{efi_has_alt_arch} +%define_pkg -a %{efi_alt_arch} +%endif + +%prep +cd %{_builddir} +rm -rf shim-%{version} +mkdir shim-%{version} + +%build + +cd shim-%{version} +%if %{efi_has_alt_arch} +%define_build -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -i %{shimefialt} -b yes -c %{is_alt_signed} -d %{shimdiralt} +%endif +%define_build -a %{efi_arch} -A %{efi_arch_upper} -i %{shimefi} -b yes -c %{is_signed} -d %{shimdir} + +%install +rm -rf $RPM_BUILD_ROOT +cd shim-%{version} +install -D -d -m 0755 $RPM_BUILD_ROOT/boot/ +install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_root}/ +install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_efi}/ +install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_dir}/ +install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_boot}/ + +%do_install -a %{efi_arch} -A %{efi_arch_upper} -b %{bootcsv} +%if %{efi_has_alt_arch} +%do_install -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -b %{bootcsvalt} +%endif + +%if %{provide_legacy_shim} +install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi +%endif + +( cd $RPM_BUILD_ROOT ; find .%{efi_esp_root} -type f ) \ + | sed -e 's/\./\^/' -e 's,^\\\./,.*/,' -e 's,$,$,' > %{__brp_mangle_shebangs_exclude_from_file} + +%define_files -a %{efi_arch} -A %{efi_arch_upper} +%if %{efi_has_alt_arch} +%define_files -a %{efi_alt_arch} -A %{efi_alt_arch_upper} +%endif + +%if %{provide_legacy_shim} +%{efi_esp_dir}/shim.efi +%endif + +%changelog +* Mon Sep 21 2020 Javier Martinez Canillas - 15-16 +- Fix an incorrect allocation size + Resolves: rhbz#1877253 + +* Fri Jul 31 2020 Peter Jones - 15-15 +- Update once again for new signed shim builds. + Resolves: rhbz#1861977 + +* Tue Jul 28 2020 Peter Jones - 15-14 +- Get rid of our %%dist hack for now. + +* Tue Jul 28 2020 Peter Jones - 15-13 +- New signing keys + Related: CVE-2020-10713 + Related: CVE-2020-14308 + Related: CVE-2020-14309 + Related: CVE-2020-14310 + Related: CVE-2020-14311 + +* Thu Jun 11 2020 Javier Martinez Canillas - 15-12 +- Fix firmware update bug in aarch64 caused by shim ignoring arguments + Resolves: rhbz#1830871 +- Fix a shim crash when attempting to netboot + Resolves: rhbz#1795654 + +* Fri Jun 07 2019 Javier Martinez Canillas - 15-11 +- Update the shim-unsigned-aarch64 version number + Related: rhbz#1715879 + +* Fri Jun 07 2019 Javier Martinez Canillas - 15-10 +- Add a gating.yaml file so the package can be properly gated + Related: rhbz#1681809 + +* Wed Jun 05 2019 Javier Martinez Canillas - 15-9 +- Bump the NVR + Related: rhbz#1715879 + +* Wed Jun 05 2019 Javier Martinez Canillas - 15-7 +- Make EFI variable copying fatal only on secureboot enabled systems + Resolves: rhbz#1715879 +- Fix booting shim from an EFI shell using a relative path + Resolves: rhbz#1717061 + +* Thu Mar 14 2019 Peter Jones - 15-6 +- Fix MoK mirroring issue which breaks kdump without intervention + Resolves: rhbz#1668966 + +* Thu Jan 24 2019 Peter Jones - 15-5 +- Rebuild for signing once again. If the signer actually works, then: + Resolves: rhbz#1620941 + +* Tue Oct 16 2018 Peter Jones - 15-4 +- Rebuild for signing + Resolves: rhbz#1620941 + +* Mon Aug 13 2018 Troy Dawson +- Release Bumped for el8 Mass Rebuild + +* Sat Aug 11 2018 Troy Dawson +- Release Bumped for el8+8 Mass Rebuild + +* Mon Jul 23 2018 Peter Jones - 15-1 +- Build for RHEL 8