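# Per-architecture EFI naming: the firmware's removable-media default loader
# name (BOOT<ARCH>.EFI, installed under /boot/efi/EFI/BOOT/ in %%install) and
# the matching BOOT<ARCH>.CSV shipped as Source1/Source2.
%ifarch aarch64
%global efi_arch aa64
%global bootcsv BOOTAA64.CSV
%global bootefi BOOTAA64.EFI
%endif
%ifarch x86_64
%global efi_arch x64
%global bootcsv BOOTX64.CSV
%global bootefi BOOTX64.EFI
%endif

# Disable rpm's automatic debuginfo generation: the shim Makefile emits its own
# *.efi.debug files, which %%install places by hand into the manually declared
# debuginfo/debugsource subpackages.
%global debug_package %{nil}
%global __debug_package 1
%global _binaries_in_noarch_packages_terminate_build 0
%undefine _debuginfo_subpackages

# EFIDIR handed to the shim Makefile (vendor subdirectory under /boot/efi/EFI).
%global efidir %{_vendor}
# NOTE(review): shimdir is not referenced anywhere else in this spec.
%global shimdir %{_datadir}/shim/%{version}-%{release}/%{efi_arch}
# NOTE(review): efi_vendor is not defined in this spec, so this path depends on
# the build environment's EFI macros providing it, while efidir above uses
# _vendor -- confirm both expand to the same directory name.
%global shimefivendor /boot/efi/EFI/%{efi_vendor}/
%global shimBOOT /boot/efi/EFI/BOOT/
# Build-time switch for the SM2/SM3 feature (ENABLE_SHIM_SM in %%build); off by
# default. The Patch9000-9004 series is applied regardless of this value.
%global enable_sm 0

Name:           shim
Version:        15.6
Release:        17
Summary:        First-stage UEFI bootloader
ExclusiveArch:  x86_64 aarch64
License:        BSD
URL:            https://github.com/rhboot/shim
Source0:        https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
# Fallback CSV, one per supported architecture (selected by %%ifarch in %%install).
Source1:        BOOTAA64.CSV
Source2:        BOOTX64.CSV
# Vendor CA certificate (DER) embedded into shim via VENDOR_CERT_FILE in
# %%build. It is the trust anchor shim uses for the second-stage loader, so
# replacing this file changes what the shipped shim will boot.
Source3:        default-x509ca.der
# Defined after Source3 so the macro holds the resolved source path rather than
# an unexpanded %%{SOURCE3} reference.
%global vendor_cert %{SOURCE3}

# Backported upstream fixes. The CVE patches largely target the bundled OpenSSL
# copy (see Provides: bundled(openssl) below); keep that tag and this list in
# sync, and verify each patch header when adding or dropping entries.
Patch1:         backport-CVE-2017-3735.patch
Patch2:         backport-CVE-2017-3737.patch
Patch3:         backport-CVE-2018-0732.patch
Patch4:         backport-CVE-2018-0739.patch
Patch5:         backport-CVE-2019-1563.patch
Patch6:         backport-0001-CVE-2020-1971.patch
Patch7:         backport-0002-CVE-2020-1971.patch
Patch8:         backport-0003-CVE-2020-1971.patch
Patch9:         backport-0004-CVE-2020-1971.patch
Patch10:        backport-CVE-2021-23841.patch
Patch11:        backport-CVE-2021-3712.patch
Patch12:        backport-CVE-2022-0778.patch
Patch13:        backport-CVE-2023-0286.patch
Patch14:        backport-Fix-an-endless-loop-in-rsa_builtin_keygen.patch
Patch15:        backport-Replaced-variable-time-GCD-with-consttime-inversion.patch
Patch16:        backport-consttime-flag-changed.patch
Patch17:        backport-CVE-2018-0737.patch
Patch18:        backport-make-update-EVP_F_EVP_DECRYPTUPDATE.patch
Patch19:        backport-make-update-EVP_F_EVP_DECRYPTDECRYPTUPDATE.patch
Patch20:        backport-CVE-2021-23840.patch
Patch21:        backport-CVE-2023-0464.patch
Patch22:        backport-CVE-2023-3817.patch
Patch23:        backport-CVE-2023-40546.patch
Patch24:        backport-CryptoPkg-BaseCryptLib-Fix-buffer-overflow-issue-in-.patch
Patch25:        backport-shim-Flush-the-memory-region-from-i-cache-before-exe.patch
Patch26:        backport-pe-Align-section-size-up-to-page-size-for-mem-attrs.patch
Patch27:        backport-load_cert_file-Fix-stack-issue.patch
Patch28:        backport-mok-remove-MokListTrusted-from-PCR-7.patch
Patch29:        backport-Don-t-loop-forever-in-load_certs-with-buggy-firmware.patch
Patch30:        backport-CryptoPkg-BaseCryptLib-fix-NULL-dereference.patch
Patch31:        backport-Discard-load-options-that-start-with-a-NUL.patch
Patch32:        backport-pe-Fix-image-section-entry-point-validation.patch
Patch33:        backport-Further-improve-load_certs-for-non-compliant-drivers.patch
Patch34:        backport-Work-around-malformed-path-delimiters-in-file-paths-.patch
Patch35:        backport-pe-only-process-RelocDir-Size-of-reloc-section.patch
Patch36:        backport-Correctly-free-memory-allocated-in-handle_image.patch
Patch37:        backport-CVE-2023-3446.patch
Patch38:        backport-CVE-2023-5678.patch
Patch39:        backport-aarch64-Keep-_relocate-from-being-dirtied-by-_reloca.patch

# Feature for shim SMx support (always applied; compiled in only when enable_sm is 1)
Patch9000:      Feature-shim-openssl-add-ec-support.patch
Patch9001:      Feature-shim-openssl-add-ecdsa-support.patch
Patch9002:      Feature-shim-openssl-add-sm2-and-sm3-support.patch
Patch9003:      Feature-shim-cryptlib-support-sm2-signature-verify.patch
Patch9004:      Feature-shim-support-sm2-and-sm3-algorithm.patch

BuildRequires:  elfutils-libelf-devel openssl-devel openssl git pesign gnu-efi gnu-efi-devel gcc vim-common efivar-devel
# Signing client used by %%build when the openEuler_sign_rsa macro is set.
%if 0%{?openEuler_sign_rsa}
BuildRequires:  sign-openEuler
%endif
%ifarch aarch64
BuildRequires:  binutils >= 2.37-7
%endif
Requires:       dbxtool efi-filesystem mokutil

# shim carries its own OpenSSL copy (Cryptlib); the version here is what
# security tooling matches against, so bump it together with the patch list.
Provides:       bundled(openssl) = 1.0.2j
Provides:       shim-%{efi_arch} = %{version}-%{release}
Obsoletes:      shim-%{efi_arch} < %{version}-%{release}

%description
Initial UEFI bootloader that handles chaining to a trusted full \
bootloader under secure boot environments.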
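%package debuginfo
Summary:        Debug information for shim-unsigned
Requires:       %{name}-debugsource = %{version}-%{release}
AutoReqProv:    0
%description debuginfo
This package provides debug information for package %{expand:%%{name}} \
Debug information is useful when developing applications that \
use this package or when debugging this package.

%package debugsource
Summary:        Debug Source for shim-unsigned
AutoReqProv:    0
%description debugsource
This package provides debug information for package %{expand:%%{name}} \
Debug information is useful when developing applications that \
use this package or when debugging this package.

%prep
# -S git applies every Patch tag in order (-p1) as git commits; the identity
# %%autosetup configures for that is removed again so it cannot leak into the
# build.
%autosetup -n shim-%{version} -p1 -S git
git config --unset user.email
git config --unset user.name
mkdir build-%{efi_arch}

%build
COMMITID=$(cat commit)
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
%if 0%{enable_sm}
MAKEFLAGS+="ENABLE_SHIM_SM=true "
%endif
%if "%{vendor_cert}" != ""
# Embeds the vendor CA (Source3) into shim as the trust anchor for the
# second-stage loader.
MAKEFLAGS+="VENDOR_CERT_FILE+=%{vendor_cert} "
%endif
MAKEFLAGS+="%{_smp_mflags}"
cd build-%{efi_arch}
make ${MAKEFLAGS} DEFAULT_LOADER='\\\\grub%{efi_arch}.efi' all
cd ..

%if 0%{?openEuler_sign_rsa}
# Authenticode-sign the three EFI images with the openEuler signing service
# (presumably in place, since %%install copies *.efi from the build directory).
# Nothing may rebuild these files after this point or the signatures are lost.
echo "start sign"
for img in shim fb mm; do
    /opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add \
        --key-name default-x509ee --file-type efi-image --key-type x509ee \
        --sign-type authenticode \
        %{_builddir}/shim-%{version}/build-%{efi_arch}/${img}%{efi_arch}.efi
done
%endif

%install
COMMITID=$(cat commit)
# Same configuration flags as %%build. If the install-* targets depend on the
# built images (check the Makefile), a flag mismatch could make make treat them
# as stale and rebuild them unsigned, discarding the signatures applied in
# %%build.
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
%if 0%{enable_sm}
MAKEFLAGS+="ENABLE_SHIM_SM=true "
%endif
%if "%{vendor_cert}" != ""
MAKEFLAGS+="VENDOR_CERT_FILE+=%{vendor_cert} "
%endif
cd build-%{efi_arch}
make ${MAKEFLAGS} \
    DEFAULT_LOADER='\\\\grub%{efi_arch}.efi' \
    DESTDIR=${RPM_BUILD_ROOT} \
    install-debuginfo install-debugsource

# Removable-media path: shim under the firmware default name, plus fb and mm.
install -d -m 0700 ${RPM_BUILD_ROOT}/%{shimBOOT}
install -m 0700 fb%{efi_arch}.efi ${RPM_BUILD_ROOT}/%{shimBOOT}
install -m 0700 mm%{efi_arch}.efi ${RPM_BUILD_ROOT}/%{shimBOOT}
install -m 0700 shim%{efi_arch}.efi ${RPM_BUILD_ROOT}/%{shimBOOT}/%{bootefi}

# Vendor directory: every built image, its .hash, and the arch-specific CSV.
install -d -m 0700 ${RPM_BUILD_ROOT}/%{shimefivendor}
install -m 0700 *.efi ${RPM_BUILD_ROOT}/%{shimefivendor}
install -m 0700 *.hash ${RPM_BUILD_ROOT}/%{shimefivendor}
%ifarch aarch64
install -m 0700 %{SOURCE1} ${RPM_BUILD_ROOT}/%{shimefivendor}
%endif
%ifarch x86_64
install -m 0700 %{SOURCE2} ${RPM_BUILD_ROOT}/%{shimefivendor}
%endif

# install the debug symbols
install -d ${RPM_BUILD_ROOT}/usr/lib/debug/%{shimefivendor}
install -m 644 fb%{efi_arch}.efi.debug ${RPM_BUILD_ROOT}/usr/lib/debug/%{shimefivendor}
install -m 644 mm%{efi_arch}.efi.debug ${RPM_BUILD_ROOT}/usr/lib/debug/%{shimefivendor}
install -m 644 shim%{efi_arch}.efi.debug ${RPM_BUILD_ROOT}/usr/lib/debug/%{shimefivendor}
cd ..

%check
make test

%files
%license COPYRIGHT
%{shimBOOT}/fb%{efi_arch}.efi
%{shimBOOT}/mm%{efi_arch}.efi
%{shimBOOT}/%{bootefi}
%{shimefivendor}/%{bootcsv}
%{shimefivendor}/*.efi
%{shimefivendor}/*.hash

%files debuginfo
%defattr(-,root,root,-)
/usr/lib/debug/*
%exclude /usr/lib/debug/.build-id

%files debugsource
%defattr(-,root,root,-)
%dir /usr/src/debug/%{name}-%{version}-%{release}
/usr/src/debug/%{name}-%{version}-%{release}/*

%changelog
* Mon Dec 25 2023 zhangruifang - 15.6-17
- backport patches from upstream

* Mon Dec 18 2023 jinlun - 15.6-16
- fix CVE-2023-3446 CVE-2023-5678

* Thu Dec 7 2023 huangzq6 - 15.6-15
- backport patches from upstream

* Thu Nov 16 2023 huangzq6 - 15.6-14
- add signature for secureboot

* Tue Nov 7 2023 jinlun - 15.6-13
- fix CVE-2023-40546

* Sat Oct 28 2023 luhuaxin - 15.6-12
- fix CVE-2023-0464 CVE-2023-3817

* Thu Jul 13 2023 jinlun - 15.6-11
- fix CVE-2018-0737 , CVE-2021-23840

* Thu Jun 08 2023 chendexi - 15.6-10
- delete debuginfo and debugsource subpackage buildarch

* Tue Feb 14 2023 jinlun - 15.6-9
- fix CVE-2023-0286 and add code check

* Tue Dec 13 2022 jinlun - 15.6-8
- add edition number

* Fri Nov 18 2022 luhuaxin - 15.6-7
- Add some switch for easy to use

* Fri Nov 11 2022 luhuaxin - 15.6-6
- Bugfix for SM2 certificate chain verify

* Fri Nov 11 2022 luhuaxin - 15.6-5
- Bugfix for SMx feature

* Thu Nov 10 2022 jinlun - 15.6-4
- Add BuildRequires on the aarch64

* Tue Nov 8 2022 luhuaxin - 15.6-3
- Optimize patches for SMx feature

* Mon Oct 31 2022 luhuaxin - 15.6-2
- Feature: shim support SM2 and SM3

* Mon Oct 31 2022 jinlun - 15.6-1
- update version to 15.6

* Tue Sep 20 2022 jinlun - 15.4-5
- fix CVE-2017-3735 CVE-2017-3737 CVE-2018-0732 CVE-2018-0737 CVE-2018-0739 CVE-2019-1563 CVE-2020-1971 CVE-2021-23840 CVE-2021-23841 CVE-2022-0778 CVE-2021-3712

* Wed Jul 27 2022 jinlun - 15.4-4
- fix CVE-2022-28737

* Tue Jul 5 2022 Hugel - 15.4-3
- fix shim occasionally crashes in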
_relocate() on AArch64 * Thu Mar 3 2022 panxiaohe - 15.4-2 - list files into debuginfo subpackage * Fri Dec 17 2021 panxiaohe - 15.4-1 - update version to 15.4 * Tue Mar 9 2021 panxiaohe - 15-20 - modify efidir to _vendor * Mon Jun 22 2020 leiju - 15-19 - fix unaligned point value with GCC9 * Tue Mar 10 2020 openEuler Buildteam - 15-18 - fix wrong information * Mon Feb 24 2020 openEuler Buildteam - 15-17 - Remove excess packaged files * Thu Feb 13 2020 openEuler Buildteam - 15-16 - add BuildRequires: gcc * Sun Jan 12 2020 openEuler Buildteam - 15-15 - List debug files * Wed Nov 27 2019 openEuler Buildteam - 15-14 - Remove excess install * Thu Nov 21 2019 openEuler Buildteam - 15-13 - Add defination of efi_arch * Mon Nov 18 2019 openEuler Buildteam - 15-12 - Add %{bootefi} * Thu Nov 14 2019 openEuler Buildteam - 15-11 - Add arch x86_64 * Thu Sep 26 2019 openEuler Buildteam - 15-10 - Add missing BOOTAA64.CSV * Thu Sep 26 2019 openEuler Buildteam - 15-9 - Package init * Tue Sep 24 2019 openEuler Buildteam - 15-8 - Package init