!111 [sync] PR-110: shim模块添加安全启动签名

From: @openeuler-sync-bot 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
openeuler-ci-bot 2023-12-05 06:47:27 +00:00 committed by Gitee
commit 255c1ac3e1
2 changed files with 19 additions and 2 deletions

BIN
default-x509ca.der Normal file



@ -21,11 +21,11 @@
%global shimBOOT /boot/efi/EFI/BOOT/
%global enable_sm 0
%global vendor_cert %{nil}
%global vendor_cert %{SOURCE3}
Name: shim
Version: 15.6
Release: 13
Release: 14
Summary: First-stage UEFI bootloader
ExclusiveArch: x86_64 aarch64
License: BSD
@ -33,6 +33,7 @@ URL: https://github.com/rhboot/shim
Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
Source1: BOOTAA64.CSV
Source2: BOOTX64.CSV
Source3: default-x509ca.der
Patch1:backport-CVE-2017-3735.patch
Patch2:backport-CVE-2017-3737.patch
@ -66,6 +67,11 @@ Patch9003:Feature-shim-cryptlib-support-sm2-signature-verify.patch
Patch9004:Feature-shim-support-sm2-and-sm3-algorithm.patch
BuildRequires: elfutils-libelf-devel openssl-devel openssl git pesign gnu-efi gnu-efi-devel gcc vim-common efivar-devel
%if 0%{?openEuler_sign_rsa}
BuildRequires: sign-openEuler
%endif
%ifarch aarch64
BuildRequires: binutils >= 2.37-7
%endif
@ -121,6 +127,14 @@ cd build-%{efi_arch}
make ${MAKEFLAGS} DEFAULT_LOADER='\\\\grub%{efi_arch}.efi' all
cd ..
%if 0%{?openEuler_sign_rsa}
echo "start sign"
/opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode %{_builddir}/shim-%{version}/build-%{efi_arch}/shim%{efi_arch}.efi
/opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode %{_builddir}/shim-%{version}/build-%{efi_arch}/fb%{efi_arch}.efi
/opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode %{_builddir}/shim-%{version}/build-%{efi_arch}/mm%{efi_arch}.efi
%endif
%install
COMMITID=$(cat commit)
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
@ -178,6 +192,9 @@ make test
/usr/src/debug/%{name}-%{version}-%{release}/*
%changelog
* Thu Nov 16 2023 huangzq6 <huangzhenqiang2@huawei.com> - 15.6-14
- add signature for secureboot
* Tue Nov 7 2023 jinlun <jinlun@huawei.com> - 15.6-13
- fix CVE-2023-40546
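Review bot: The vendor-certificate switch `%global vendor_cert %{SOURCE3}` in the first hunk is unconditional, while `BuildRequires: sign-openEuler` and the three signing calls in the `%build` hunk are guarded by `%if 0%{?openEuler_sign_rsa}`, so a build without that flag still embeds default-x509ca.der as the trusted vendor CA but ships unsigned shim/fb/mm images; if that is intended, a comment above the `%global` saying so would save the next reader a trip, otherwise the `%global vendor_cert` line should sit inside the same `%if` guard (the `%global` block continues above the hunk). The spec also records nothing about which CA the new binary source is, so a comment on the `Source3:` line such as `# Source3: vendor CA embedded in shim via vendor_cert; subject/fingerprint: <FINGERPRINT-PLACEHOLDER>` would give reviewers something to check when the .der is replaced. The three `/opt/sign-openEuler/client ... add` invocations differ only in the image basename and would read better as `for img in shim fb mm; do ... build-%{efi_arch}/${img}%{efi_arch}.efi; done`. The changelog hunk may continue past the last visible line.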