317 lines
11 KiB
RPMSpec
317 lines
11 KiB
RPMSpec
%ifarch aarch64
|
|
%global efi_arch aa64
|
|
%global bootcsv BOOTAA64.CSV
|
|
%global bootefi BOOTAA64.EFI
|
|
%endif
|
|
|
|
%ifarch x86_64
|
|
%global efi_arch x64
|
|
%global bootcsv BOOTX64.CSV
|
|
%global bootefi BOOTX64.EFI
|
|
%endif
|
|
|
|
%global debug_package %{nil}
|
|
%global __debug_package 1
|
|
%global _binaries_in_noarch_packages_terminate_build 0
|
|
%undefine _debuginfo_subpackages
|
|
|
|
%global efidir %{_vendor}
|
|
%global shimdir %{_datadir}/shim/%{version}-%{release}/%{efi_arch}
|
|
%global shimefivendor /boot/efi/EFI/%{efi_vendor}/
|
|
%global shimBOOT /boot/efi/EFI/BOOT/
|
|
|
|
%global enable_sm 0
|
|
%global vendor_cert %{SOURCE3}
|
|
|
|
Name: shim
|
|
Version: 15.6
|
|
Release: 17
|
|
Summary: First-stage UEFI bootloader
|
|
ExclusiveArch: x86_64 aarch64
|
|
License: BSD
|
|
URL: https://github.com/rhboot/shim
|
|
Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
|
|
Source1: BOOTAA64.CSV
|
|
Source2: BOOTX64.CSV
|
|
Source3: default-x509ca.der
|
|
|
|
Patch1:backport-CVE-2017-3735.patch
|
|
Patch2:backport-CVE-2017-3737.patch
|
|
Patch3:backport-CVE-2018-0732.patch
|
|
Patch4:backport-CVE-2018-0739.patch
|
|
Patch5:backport-CVE-2019-1563.patch
|
|
Patch6:backport-0001-CVE-2020-1971.patch
|
|
Patch7:backport-0002-CVE-2020-1971.patch
|
|
Patch8:backport-0003-CVE-2020-1971.patch
|
|
Patch9:backport-0004-CVE-2020-1971.patch
|
|
Patch10:backport-CVE-2021-23841.patch
|
|
Patch11:backport-CVE-2021-3712.patch
|
|
Patch12:backport-CVE-2022-0778.patch
|
|
Patch13:backport-CVE-2023-0286.patch
|
|
Patch14:backport-Fix-an-endless-loop-in-rsa_builtin_keygen.patch
|
|
Patch15:backport-Replaced-variable-time-GCD-with-consttime-inversion.patch
|
|
Patch16:backport-consttime-flag-changed.patch
|
|
Patch17:backport-CVE-2018-0737.patch
|
|
Patch18:backport-make-update-EVP_F_EVP_DECRYPTUPDATE.patch
|
|
Patch19:backport-make-update-EVP_F_EVP_DECRYPTDECRYPTUPDATE.patch
|
|
Patch20:backport-CVE-2021-23840.patch
|
|
Patch21:backport-CVE-2023-0464.patch
|
|
Patch22:backport-CVE-2023-3817.patch
|
|
Patch23:backport-CVE-2023-40546.patch
|
|
Patch24:backport-CryptoPkg-BaseCryptLib-Fix-buffer-overflow-issue-in-.patch
|
|
Patch25:backport-shim-Flush-the-memory-region-from-i-cache-before-exe.patch
|
|
Patch26:backport-pe-Align-section-size-up-to-page-size-for-mem-attrs.patch
|
|
Patch27:backport-load_cert_file-Fix-stack-issue.patch
|
|
Patch28:backport-mok-remove-MokListTrusted-from-PCR-7.patch
|
|
Patch29:backport-Don-t-loop-forever-in-load_certs-with-buggy-firmware.patch
|
|
Patch30:backport-CryptoPkg-BaseCryptLib-fix-NULL-dereference.patch
|
|
Patch31:backport-Discard-load-options-that-start-with-a-NUL.patch
|
|
Patch32:backport-pe-Fix-image-section-entry-point-validation.patch
|
|
Patch33:backport-Further-improve-load_certs-for-non-compliant-drivers.patch
|
|
Patch34:backport-Work-around-malformed-path-delimiters-in-file-paths-.patch
|
|
Patch35:backport-pe-only-process-RelocDir-Size-of-reloc-section.patch
|
|
Patch36:backport-Correctly-free-memory-allocated-in-handle_image.patch
|
|
Patch37:backport-CVE-2023-3446.patch
|
|
Patch38:backport-CVE-2023-5678.patch
|
|
Patch39: backport-aarch64-Keep-_relocate-from-being-dirtied-by-_reloca.patch
|
|
|
|
# Feature for shim SMx support
|
|
Patch9000:Feature-shim-openssl-add-ec-support.patch
|
|
Patch9001:Feature-shim-openssl-add-ecdsa-support.patch
|
|
Patch9002:Feature-shim-openssl-add-sm2-and-sm3-support.patch
|
|
Patch9003:Feature-shim-cryptlib-support-sm2-signature-verify.patch
|
|
Patch9004:Feature-shim-support-sm2-and-sm3-algorithm.patch
|
|
|
|
BuildRequires: elfutils-libelf-devel openssl-devel openssl git pesign gnu-efi gnu-efi-devel gcc vim-common efivar-devel
|
|
|
|
%if 0%{?openEuler_sign_rsa}
|
|
BuildRequires: sign-openEuler
|
|
%endif
|
|
|
|
%ifarch aarch64
|
|
BuildRequires: binutils >= 2.37-7
|
|
%endif
|
|
Requires: dbxtool efi-filesystem mokutil
|
|
Provides: bundled(openssl) = 1.0.2j
|
|
Provides: shim-%{efi_arch} = %{version}-%{release}
|
|
Obsoletes: shim-%{efi_arch} < %{version}-%{release}
|
|
|
|
%description
|
|
Initial UEFI bootloader that handles chaining to a trusted full \
|
|
bootloader under secure boot environments.
|
|
|
|
%package debuginfo
|
|
Summary: Debug information for shim-unsigned
|
|
Requires: %{name}-debugsource = %{version}-%{release}
|
|
AutoReqProv: 0
|
|
|
|
%description debuginfo
|
|
This package provides debug information for package %{expand:%%{name}} \
|
|
Debug information is useful when developing applications that \
|
|
use this package or when debugging this package.
|
|
|
|
%package debugsource
|
|
Summary: Debug Source for shim-unsigned
|
|
AutoReqProv: 0
|
|
|
|
%description debugsource
|
|
This package provides debug information for package %{expand:%%{name}} \
|
|
Debug information is useful when developing applications that \
|
|
use this package or when debugging this package.
|
|
|
|
%prep
|
|
#chmod +x %{SOURCE100}
|
|
%autosetup -n shim-%{version} -p1 -S git
|
|
git config --unset user.email
|
|
git config --unset user.name
|
|
mkdir build-%{efi_arch}
|
|
|
|
%build
|
|
COMMITID=$(cat commit)
|
|
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
|
|
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
|
|
MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
|
|
%if 0%{enable_sm}
|
|
MAKEFLAGS+="ENABLE_SHIM_SM=true "
|
|
%endif
|
|
%if "%{vendor_cert}" != ""
|
|
MAKEFLAGS+="VENDOR_CERT_FILE+=%{vendor_cert} "
|
|
%endif
|
|
MAKEFLAGS+="%{_smp_mflags}"
|
|
|
|
cd build-%{efi_arch}
|
|
make ${MAKEFLAGS} DEFAULT_LOADER='\\\\grub%{efi_arch}.efi' all
|
|
cd ..
|
|
|
|
%if 0%{?openEuler_sign_rsa}
|
|
echo "start sign"
|
|
|
|
/opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode %{_builddir}/shim-%{version}/build-%{efi_arch}/shim%{efi_arch}.efi
|
|
/opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode %{_builddir}/shim-%{version}/build-%{efi_arch}/fb%{efi_arch}.efi
|
|
/opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode %{_builddir}/shim-%{version}/build-%{efi_arch}/mm%{efi_arch}.efi
|
|
%endif
|
|
|
|
%install
|
|
COMMITID=$(cat commit)
|
|
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
|
|
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
|
|
MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
|
|
|
|
cd build-%{efi_arch}
|
|
make ${MAKEFLAGS} \
|
|
DEFAULT_LOADER='\\\\grub%{efi_arch}.efi' \
|
|
DESTDIR=${RPM_BUILD_ROOT} \
|
|
install-debuginfo install-debugsource
|
|
|
|
install -d -m 0700 ${RPM_BUILD_ROOT}/%{shimBOOT}
|
|
install -m 0700 fb%{efi_arch}.efi ${RPM_BUILD_ROOT}/%{shimBOOT}
|
|
install -m 0700 mm%{efi_arch}.efi ${RPM_BUILD_ROOT}/%{shimBOOT}
|
|
install -m 0700 shim%{efi_arch}.efi ${RPM_BUILD_ROOT}/%{shimBOOT}/%{bootefi}
|
|
install -d -m 0700 ${RPM_BUILD_ROOT}/%{shimefivendor}
|
|
install -m 0700 *.efi ${RPM_BUILD_ROOT}/%{shimefivendor}
|
|
install -m 0700 *.hash ${RPM_BUILD_ROOT}/%{shimefivendor}
|
|
%ifarch aarch64
|
|
install -m 0700 %{SOURCE1} ${RPM_BUILD_ROOT}/%{shimefivendor}
|
|
%endif
|
|
%ifarch x86_64
|
|
install -m 0700 %{SOURCE2} ${RPM_BUILD_ROOT}/%{shimefivendor}
|
|
%endif
|
|
|
|
# install the debug symbols
|
|
install -d ${RPM_BUILD_ROOT}/usr/lib/debug/%{shimefivendor}
|
|
install -m 644 fb%{efi_arch}.efi.debug ${RPM_BUILD_ROOT}/usr/lib/debug/%{shimefivendor}
|
|
install -m 644 mm%{efi_arch}.efi.debug ${RPM_BUILD_ROOT}/usr/lib/debug/%{shimefivendor}
|
|
install -m 644 shim%{efi_arch}.efi.debug ${RPM_BUILD_ROOT}/usr/lib/debug/%{shimefivendor}
|
|
|
|
cd ..
|
|
|
|
%check
|
|
make test
|
|
|
|
%files
|
|
%license COPYRIGHT
|
|
%{shimBOOT}/fb%{efi_arch}.efi
|
|
%{shimBOOT}/mm%{efi_arch}.efi
|
|
%{shimBOOT}/%{bootefi}
|
|
%{shimefivendor}/%{bootcsv}
|
|
%{shimefivendor}/*.efi
|
|
%{shimefivendor}/*.hash
|
|
|
|
%files debuginfo
|
|
%defattr(-,root,root,-)
|
|
/usr/lib/debug/*
|
|
%exclude /usr/lib/debug/.build-id
|
|
|
|
%files debugsource
|
|
%defattr(-,root,root,-)
|
|
%dir /usr/src/debug/%{name}-%{version}-%{release}
|
|
/usr/src/debug/%{name}-%{version}-%{release}/*
|
|
|
|
%changelog
|
|
* Mon Dec 25 2023 zhangruifang <zhangruifang@h-partners.com> - 15.6-17
|
|
- backport patchs from upstream
|
|
|
|
* Mon Dec 18 2023 jinlun <jinlun@huawei.com> - 15.6-16
|
|
- fix CVE-2023-3446 CVE-2023-5678
|
|
|
|
* Thu Dec 7 2023 huangzq6 <huangzhenqiang2@huawei.com> - 15.6-15
|
|
- backport patches form upstream
|
|
|
|
* Thu Nov 16 2023 huangzq6 <huangzhenqiang2@huawei.com> - 15.6-14
|
|
- add signature for secureboot
|
|
|
|
* Tue Nov 7 2023 jinlun <jinlun@huawei.com> - 15.6-13
|
|
- fix CVE-2023-40546
|
|
|
|
* Sat Oct 28 2023 luhuaxin <luhuaxin1@huawei.com> - 15.6-12
|
|
- fix CVE-2023-0464 CVE-2023-3817
|
|
|
|
* Thu Jul 13 2023 jinlun <jinlun@huawei.com> - 15.6-11
|
|
- fix CVE-2018-0737 , CVE-2021-23840
|
|
|
|
* Thu Jun 08 2023 chendexi <chendexi@kylinos.cn> - 15.6-10
|
|
- delete debuginfo and debugsource subpackage buildarch
|
|
|
|
* Tue Feb 14 2023 jinlun <jinlun@huawei.com> - 15.6-9
|
|
- fix CVE-2023-0286 and add code check
|
|
|
|
* Tue Dec 13 2022 jinlun <jinlun@huawei.com> - 15.6-8
|
|
- add edition number
|
|
|
|
* Fri Nov 18 2022 luhuaxin <luhuaxin1@huawei.com> - 15.6-7
|
|
- Add some switch for easy to use
|
|
|
|
* Fri Nov 11 2022 luhuaxin <luhuaxin1@huawei.com> - 15.6-6
|
|
- Bugfix for SM2 certificate chain verify
|
|
|
|
* Fri Nov 11 2022 luhuaxin <luhuaxin1@huawei.com> - 15.6-5
|
|
- Bugfix for SMx feature
|
|
|
|
* Thu Nov 10 2022 jinlun <jinlun@huawei.com> - 15.6-4
|
|
- Add BuildRequires on the arrch64
|
|
|
|
* Tue Nov 8 2022 luhuaxin <luhuaxin1@huawei.com> - 15.6-3
|
|
- Optimize patches for SMx feature
|
|
|
|
* Mon Oct 31 2022 luhuaxin <luhuaxin1@huawei.com> - 15.6-2
|
|
- Feature: shim support SM2 and SM3
|
|
|
|
* Mon Oct 31 2022 jinlun <jinlun@huawei.com> - 15.6-1
|
|
- update version to 15.6
|
|
|
|
* Tue Sep 20 2022 jinlun <jinlun@huawei.com> - 15.4-5
|
|
- fix CVE-2017-3735 CVE-2017-3737 CVE-2018-0732 CVE-2018-0737
|
|
CVE-2018-0739 CVE-2019-1563 CVE-2020-1971 CVE-2021-23840
|
|
CVE-2021-23841 CVE-2022-0778 CVE-2021-3712
|
|
|
|
* Wed Jul 27 2022 jinlun <jinlun@huawei.com> - 15.4-4
|
|
- fix CVE-2022-28737
|
|
|
|
* Tue Jul 5 2022 Hugel <gengqihu1@h-partners.com> - 15.4-3
|
|
- fix shim occasionally crashes in _relocate() on AArch64
|
|
|
|
* Thu Mar 3 2022 panxiaohe <panxh.life@foxmail.com> - 15.4-2
|
|
- list files into debuginfo subpackage
|
|
|
|
* Fri Dec 17 2021 panxiaohe <panxiaohe@huawei.com> - 15.4-1
|
|
- update version to 15.4
|
|
|
|
* Tue Mar 9 2021 panxiaohe <panxiaohe@huawei.com> - 15-20
|
|
- modify efidir to _vendor
|
|
|
|
* Mon Jun 22 2020 leiju <leiju4@huawei.com> - 15-19
|
|
- fix unaligned point value with GCC9
|
|
|
|
* Tue Mar 10 2020 openEuler Buildteam <buildteam@openeuler.org> - 15-18
|
|
- fix wrong information
|
|
|
|
* Mon Feb 24 2020 openEuler Buildteam <buildteam@openeuler.org> - 15-17
|
|
- Remove excess packaged files
|
|
|
|
* Thu Feb 13 2020 openEuler Buildteam <buildteam@openeuler.org> - 15-16
|
|
- add BuildRequires: gcc
|
|
|
|
* Sun Jan 12 2020 openEuler Buildteam <buildteam@openeuler.org> - 15-15
|
|
- List debug files
|
|
|
|
* Wed Nov 27 2019 openEuler Buildteam <buildteam@openeuler.org> - 15-14
|
|
- Remove excess install
|
|
|
|
* Thu Nov 21 2019 openEuler Buildteam <buildteam@openeuler.org> - 15-13
|
|
- Add defination of efi_arch
|
|
|
|
* Mon Nov 18 2019 openEuler Buildteam <buildteam@openeuler.org> - 15-12
|
|
- Add %{bootefi}
|
|
|
|
* Thu Nov 14 2019 openEuler Buildteam <buildteam@openeuler.org> - 15-11
|
|
- Add arch x86_64
|
|
|
|
* Thu Sep 26 2019 openEuler Buildteam <buildteam@openeuler.org> - 15-10
|
|
- Add missing BOOTAA64.CSV
|
|
|
|
* Thu Sep 26 2019 openEuler Buildteam <buildteam@openeuler.org> - 15-9
|
|
- Package init
|
|
|
|
* Tue Sep 24 2019 openEuler Buildteam <buildteam@openeuler.org> - 15-8
|
|
- Package init
|