From 647a218f2545c1b69c1386b1b15293ce6f9b20f9 Mon Sep 17 00:00:00 2001 
From: jmckenna Date: Fri, 6 Apr 2018 10:39:25 -0400 Subject: [PATCH] Uprev shim to version 12 Update the shim package to version 12. This change requires regeneration of the patch and meta-patch files. Depends-On: https://review.openstack.org/#/c/578440 Change-Id: Ic6a61b7aad02d8931a9fa854679a0c6490144a8d --- .../0001-Titanium-release-info.patch | 24 +++ .../0001-Use-presigned-binary.patch | 66 -------- ...-than-hardcode-shim-unsigned-version.patch | 55 ------- .../0002-Use-presigned-binaries.patch | 147 ++++++++++++++++++ .../centos/meta_patches/PATCH_ORDER | 4 +- extended/shim-signed/centos/srpm_path | 2 +- .../meta_patches/0001-Embed-TiS-cert.patch | 31 ---- .../meta_patches/0001-Objcopy-version.patch | 12 -- .../meta_patches/0001-Ti-version-string.patch | 27 ++++ .../0002-Add-Ti-certificate.patch | 45 ++++++ .../centos/meta_patches/PATCH_ORDER | 5 +- .../centos/meta_patches/spec.arch.patch | 12 -- .../centos/patches/0001-Objcopy-version.patch | 19 --- ...ch => 0001-Use-Titanium-certificate.patch} | 40 +++-- extended/shim-unsigned/centos/srpm_path | 2 +- 15 files changed, 272 insertions(+), 219 deletions(-) create mode 100644 extended/shim-signed/centos/meta_patches/0001-Titanium-release-info.patch delete mode 100644 extended/shim-signed/centos/meta_patches/0001-Use-presigned-binary.patch delete mode 100644 extended/shim-signed/centos/meta_patches/0001-calculate-rather-than-hardcode-shim-unsigned-version.patch create mode 100644 extended/shim-signed/centos/meta_patches/0002-Use-presigned-binaries.patch delete mode 100644 extended/shim-unsigned/centos/meta_patches/0001-Embed-TiS-cert.patch delete mode 100644 extended/shim-unsigned/centos/meta_patches/0001-Objcopy-version.patch create mode 100644 extended/shim-unsigned/centos/meta_patches/0001-Ti-version-string.patch create mode 100644 extended/shim-unsigned/centos/meta_patches/0002-Add-Ti-certificate.patch delete mode 100644 extended/shim-unsigned/centos/meta_patches/spec.arch.patch delete mode 100644 
extended/shim-unsigned/centos/patches/0001-Objcopy-version.patch rename extended/shim-unsigned/centos/patches/{0001-Use-TiS-cert.patch => 0001-Use-Titanium-certificate.patch} (63%) diff --git a/extended/shim-signed/centos/meta_patches/0001-Titanium-release-info.patch b/extended/shim-signed/centos/meta_patches/0001-Titanium-release-info.patch new file mode 100644 index 000000000..78aebe62a --- /dev/null +++ b/extended/shim-signed/centos/meta_patches/0001-Titanium-release-info.patch @@ -0,0 +1,24 @@ +From a19b16baa019609714fb741db4e3c73d67f2adf1 Mon Sep 17 00:00:00 2001 +From: jmckenna +Date: Tue, 16 Jan 2018 08:14:08 -0500 +Subject: [PATCH 1/2] Titanium release info + +--- + SPECS/shim-signed.spec | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/SPECS/shim-signed.spec b/SPECS/shim-signed.spec +index d2a13b1..9cfcb2f 100644 +--- a/SPECS/shim-signed.spec ++++ b/SPECS/shim-signed.spec +@@ -1,6 +1,6 @@ + Name: shim-signed + Version: 12 +-Release: 1%{?dist}%{?buildid} ++Release: 1%{?_tis_dist}.%{tis_patch_ver} + Summary: First-stage UEFI bootloader + %define unsigned_release 1%{?dist} + +-- +1.8.3.1 + diff --git a/extended/shim-signed/centos/meta_patches/0001-Use-presigned-binary.patch b/extended/shim-signed/centos/meta_patches/0001-Use-presigned-binary.patch deleted file mode 100644 index f1da0c517..000000000 --- a/extended/shim-signed/centos/meta_patches/0001-Use-presigned-binary.patch +++ /dev/null 
@@ -1,66 +0,0 @@ ---- a/SPECS/shim-signed.spec 2017-01-05 14:12:11.584037112 -0500 -+++ b/SPECS/shim-signed.spec 2017-01-05 14:20:57.281934890 -0500 -@@ -1,9 +1,13 @@ - Name: shim-signed - Version: 0.9 --Release: 2%{?dist} -+Release: 2%{?_tis_dist}.%{tis_patch_ver} - Summary: First-stage UEFI bootloader - Provides: shim = %{version}-%{release} --%define unsigned_release 1.el7.centos -+ -+# note that tis_patch_ver cannot be used in the unsigned_release definition, -+# as the variable represents the patch level of shim-signed, and we have to -+# specifiy the patch of shim-unsigned -+%define unsigned_release 1.el7%{_tis_dist}.1 - - License: BSD - URL: http://www.codon.org.uk/~mjg59/shim/ -@@ -112,25 +116,35 @@ - %define vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}} - %define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}} - -+# if we already have a presigned EFI image, then do not do signing -- just -+# use the presigned one. -+ -+if [ -e %{unsigned_dir}shim-presigned.efi ]; then -+ cp %{unsigned_dir}shim-presigned.efi shim.efi -+ cp %{unsigned_dir}shim-presigned.efi shim-%{efidir}.efi -+else - %ifarch %{ca_signed_arches} --pesign -i %{shimsrc} -h -P > shim.hash --if ! cmp shim.hash %{unsigned_dir}shim.hash ; then -- echo Invalid signature\! 
> /dev/stderr -- exit 1 --fi --cp %{shimsrc} shim.efi -+ cp %{unsigned_dir}shim.efi shim-unsigned.efi - %endif - %ifarch %{rh_signed_arches} --%pesign -s -i %{unsigned_dir}shim.efi -a %{SOURCE3} -c %{SOURCE3} -o shim-%{efidir}.efi -+ %pesign -s -i %{unsigned_dir}shim.efi -a %{SOURCE3} -c %{SOURCE3} -o shim-%{efidir}.efi - %endif - %ifarch %{rh_signed_arches} --%ifnarch %{ca_signed_arches} --cp shim-%{efidir}.efi shim.efi --%endif -+ cp shim-%{efidir}.efi shim.efi - %endif -+fi # end "if shim-presigned.efi exists" - --%pesign -s -i %{unsigned_dir}MokManager.efi -o MokManager.efi -a %{SOURCE3} -c %{SOURCE3} --%pesign -s -i %{unsigned_dir}fallback.efi -o fallback.efi -a %{SOURCE3} -c %{SOURCE3} -+if [ -e %{unsigned_dir}MokManager-presigned.efi ]; then -+ cp %{unsigned_dir}MokManager-presigned.efi MokManager.efi -+else -+ %pesign -s -i %{unsigned_dir}MokManager.efi -o MokManager.efi -a %{SOURCE3} -c %{SOURCE3} -+fi -+ -+if [ -e %{unsigned_dir}fallback-presigned.efi ]; then -+ cp %{unsigned_dir}fallback-presigned.efi fallback.efi -+else -+ %pesign -s -i %{unsigned_dir}fallback.efi -o fallback.efi -a %{SOURCE3} -c %{SOURCE3} -+fi - - cd mokutil-%{mokutil_version} - ./autogen.sh diff --git a/extended/shim-signed/centos/meta_patches/0001-calculate-rather-than-hardcode-shim-unsigned-version.patch b/extended/shim-signed/centos/meta_patches/0001-calculate-rather-than-hardcode-shim-unsigned-version.patch deleted file mode 100644 index 0e49009bc..000000000 --- a/extended/shim-signed/centos/meta_patches/0001-calculate-rather-than-hardcode-shim-unsigned-version.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 1c898dfc32b11e94ad90ab76fcff2ba2b65dfa6d Mon Sep 17 00:00:00 2001 -From: Scott Little -Date: Tue, 31 Jan 2017 16:51:23 -0500 -Subject: [PATCH] calculate rather than hardcode shim-unsigned version - ---- - SPECS/shim-signed.spec | 13 ++++++------- - 1 file changed, 6 insertions(+), 7 deletions(-) - -diff --git a/SPECS/shim-signed.spec b/SPECS/shim-signed.spec -index f271a05..1b00621 100644 ---- a/SPECS/shim-signed.spec -+++ b/SPECS/shim-signed.spec -@@ -4,10 +4,6 @@ Release: 2%{?_tis_dist}.%{tis_patch_ver} - Summary: First-stage UEFI bootloader - Provides: shim = %{version}-%{release} - --# note that tis_patch_ver cannot be used in the unsigned_release definition, --# as the variable represents the patch level of shim-signed, and we have to --# specifiy the patch of shim-unsigned --%define unsigned_release 1.el7%{_tis_dist}.1 - - License: BSD - URL: http://www.codon.org.uk/~mjg59/shim/ -@@ -32,14 +28,13 @@ Source5: BOOT.CSV - %global efiarchlc aa64 - %global shimsrc %{SOURCE2} - %endif --%define unsigned_dir %{_datadir}/shim/%{efiarchlc}-%{version}-%{unsigned_release}/ -+ - - BuildRequires: git - BuildRequires: openssl-devel openssl - BuildRequires: pesign >= 0.106-5%{dist} - BuildRequires: efivar-devel --# BuildRequires: shim-unsigned = %{version}-%{unsigned_release} --BuildRequires: shim-unsigned = %{version}-%{unsigned_release} -+BuildRequires: shim-unsigned - - # for mokutil's configure - BuildRequires: autoconf automake -@@ -119,6 +114,10 @@ git config --unset user.name - # if we already have a presigned EFI image, then do not do signing -- just - # use the presigned one. 
- -+# %define unsigned_release 1.el7%{_tis_dist}.1 -+%global unsigned_release %(rpm -q --queryformat '%%{RELEASE}' shim-unsigned | sort --version-sort | tail -1) -+%define unsigned_dir %{_datadir}/shim/%{efiarchlc}-%{version}-%{unsigned_release}/ -+ - if [ -e %{unsigned_dir}shim-presigned.efi ]; then - cp %{unsigned_dir}shim-presigned.efi shim.efi - cp %{unsigned_dir}shim-presigned.efi shim-%{efidir}.efi --- -1.8.3.1 - diff --git a/extended/shim-signed/centos/meta_patches/0002-Use-presigned-binaries.patch b/extended/shim-signed/centos/meta_patches/0002-Use-presigned-binaries.patch new file mode 100644 index 000000000..baa00fd95 --- /dev/null +++ b/extended/shim-signed/centos/meta_patches/0002-Use-presigned-binaries.patch 
@@ -0,0 +1,147 @@ +diff --git a/SPECS/shim-signed.spec b/SPECS/shim-signed.spec +old mode 100644 +new mode 100755 +index 9cfcb2f..f6ce87e +--- a/SPECS/shim-signed.spec ++++ b/SPECS/shim-signed.spec +@@ -2,7 +2,6 @@ Name: shim-signed + Version: 12 + Release: 1%{?_tis_dist}.%{tis_patch_ver} + Summary: First-stage UEFI bootloader +-%define unsigned_release 1%{?dist} + + License: BSD + URL: http://www.codon.org.uk/~mjg59/shim/ +@@ -16,10 +15,12 @@ Patch0004: 0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch + Patch0005: 0005-Make-all-efi_guid_t-const.patch + Patch0006: 0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch + Patch0007: 0007-Add-bash-completion-file.patch ++%global srcbasename shimx64 ++%global srcbasenameia32 shimia32 + + Source1: centos.crt +-Source10: shimx64.efi +-Source11: shimia32.efi ++Source10: %{srcbasename}.efi ++Source11: %{srcbasenameia32}.efi + #Source12: shimaa64.efi + Source20: BOOTX64.CSV + Source21: BOOTIA32.CSV +@@ -47,11 +48,17 @@ BuildRequires: git + BuildRequires: openssl-devel openssl + BuildRequires: pesign >= 0.106-5%{dist} + BuildRequires: efivar-devel +-BuildRequires: shim-unsigned-%{efiarchlc} = %{version}-%{unsigned_release} ++BuildRequires: shim-unsigned-%{efiarchlc} + %ifarch x86_64 +-BuildRequires: shim-unsigned-ia32 = %{version}-%{unsigned_release} ++BuildRequires: shim-unsigned-ia32 + %endif + ++# Rather than hardcode a release, we get the release from the installed shim-unsigned package ++%define unsigned_release %(rpm -q shim-unsigned-x64 --info | grep Release | awk '{print $3}') ++%define unsigned_dir "%{_datadir}/shim/%{efiarchlc}-%{version}-%{unsigned_release}/" ++%define unsigned_release_ia32 %(rpm -q shim-unsigned-ia32 --info | grep Release | awk '{print $3}') ++%define unsigned_dir_ia32 "%{_datadir}/shim/ia32-%{version}-%{unsigned_release_ia32}/" ++ + # for mokutil's configure + BuildRequires: autoconf automake + +@@ -143,39 +150,34 @@ cd .. 
+ %define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}} + + %ifarch %{ca_signed_arches} +-pesign -i %{shimsrc} -h -P > shim%{efiarchlc}.hash +-if ! cmp shim%{efiarchlc}.hash %{unsigned_dir}shim%{efiarchlc}.hash ; then +- echo Invalid signature\! > /dev/stderr +- echo saved hash is $(cat %{unsigned_dir}shim%{efiarchlc}.hash) > /dev/stderr +- echo shim%{efiarchlc}.efi hash is $(cat shim%{efiarchlc}.hash) > /dev/stderr +- exit 1 ++ ++# if we already have a presigned EFI image, then do not do signing -- just ++# use the presigned one. ++if [ -e %{unsigned_dir}%{srcbasename}-presigned.efi ]; then ++ cp %{unsigned_dir}%{srcbasename}-presigned.efi %{srcbasename}.efi ++ cp %{unsigned_dir}%{srcbasename}-presigned.efi shim%{efiarchlc}.efi ++else ++ cp %{shimsrc} shim%{efiarchlc}.efi + fi +-cp %{shimsrc} shim%{efiarchlc}.efi + %ifarch x86_64 +-pesign -i %{shimsrcia32} -h -P > shimia32.hash +-if ! cmp shimia32.hash %{unsigned_dir_ia32}shimia32.hash ; then +- echo Invalid signature\! 
> /dev/stderr +- echo saved hash is $(cat %{unsigned_dir_ia32}shimia32.hash) > /dev/stderr +- echo shimia32.efi hash is $(cat shimia32.hash) > /dev/stderr +- exit 1 ++if [ -e %{unsigned_dir_ia32}%{srcbasenameia32}-presigned.efi ]; then ++ cp %{unsigned_dir_ia32}%{srcbasenameia32}-presigned.efi %{srcbasenameia32}.efi ++else ++ cp %{shimsrcia32} %{srcbasenameia32}.efi + fi +-cp %{shimsrcia32} shimia32.efi +-%endif +-%endif +-%ifarch %{rh_signed_arches} +-%pesign -s -i %{unsigned_dir}shim%{efiarchlc}.efi -a %{SOURCE1} -c %{SOURCE1} -o shim%{efiarchlc}-%{efidir}.efi +-%ifarch x86_64 +-%pesign -s -i %{unsigned_dir_ia32}shimia32.efi -a %{SOURCE1} -c %{SOURCE1} -o shimia32-%{efidir}.efi +-%endif +-%endif +-%ifarch %{rh_signed_arches} +-%ifnarch %{ca_signed_arches} +-cp shim%{efiarchlc}-%{efidir}.efi shim%{efiarchlc}.efi + %endif + %endif + +-%pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE1} -c %{SOURCE1} +-%pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE1} -c %{SOURCE1} ++if [ -e %{unsigned_dir}mm%{efiarchlc}-presigned.efi ]; then ++ cp %{unsigned_dir}mm%{efiarchlc}-presigned.efi mm%{efiarchlc}.efi ++else ++ %pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE1} -c %{SOURCE1} ++fi ++if [ -e %{unsigned_dir}fb%{efiarchlc}-presigned.efi ]; then ++ cp %{unsigned_dir}fb%{efiarchlc}-presigned.efi fb%{efiarchlc}.efi ++else ++ %pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE1} -c %{SOURCE1} ++fi + + %ifarch x86_64 + %pesign -s -i %{unsigned_dir_ia32}mmia32.efi -o mmia32.efi -a %{SOURCE1} -c %{SOURCE1} +@@ -191,7 +193,7 @@ make %{?_smp_mflags} + rm -rf $RPM_BUILD_ROOT + install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/ + install -m 0644 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi +-install -m 0644 shim%{efiarchlc}-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi 
++#install -m 0644 shim%{efiarchlc}-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi + install -m 0644 mm%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi + install -m 0644 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV + +@@ -211,7 +213,7 @@ install -m 0644 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV + + install -m 0644 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi + install -m 0644 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi +-install -m 0644 shimia32-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi ++#install -m 0644 shimia32-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi + install -m 0644 mmia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mmia32.efi + install -m 0644 %{bootsrcia32} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOTIA32.CSV + +@@ -224,7 +226,7 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install + + %files -n shim-%{efiarchlc} + /boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi +-/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi ++#/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi + /boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi + /boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV + /boot/efi/EFI/BOOT/BOOT%{efiarch}.EFI +@@ -236,7 +238,7 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install + + %files -n shim-ia32 + /boot/efi/EFI/%{efidir}/shimia32.efi +-/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi ++#/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi + /boot/efi/EFI/%{efidir}/mmia32.efi + /boot/efi/EFI/%{efidir}/BOOTIA32.CSV + /boot/efi/EFI/BOOT/BOOTIA32.EFI diff --git a/extended/shim-signed/centos/meta_patches/PATCH_ORDER b/extended/shim-signed/centos/meta_patches/PATCH_ORDER index db82cf4d0..88969c0f1 100644 --- a/extended/shim-signed/centos/meta_patches/PATCH_ORDER +++ b/extended/shim-signed/centos/meta_patches/PATCH_ORDER 
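Review bot: The rewritten %build section in this hunk removes the `pesign -i %{shimsrc} -h -P` / `cmp … %{unsigned_dir}shim%{efiarchlc}.hash` check that previously refused to package a CA-signed shim whose PE hash did not match the locally built shim-unsigned image, and both new branches (`cp … -presigned.efi` and the `else` `cp %{shimsrc} shim%{efiarchlc}.efi` fallback) now copy whichever binary is present with no integrity check, so a stale or mismatched Source10/Source11 binary is packaged silently; the same applies to the ia32 block. Restoring the hash comparison in the `else` branch (and applying it to the presigned image too where shim-unsigned provides a `.hash` for it, which the removed lines assume it does) keeps the build honest. Separately, `%define unsigned_release %(rpm -q shim-unsigned-x64 --info | grep Release | awk '{print $3}')` hardcodes `x64` rather than `%{efiarchlc}`, parses human-readable `--info` output, and expands to an empty string when the package is absent or its version differs (the BuildRequires no longer pins `= %{version}-%{unsigned_release}`), yielding an `unsigned_dir` of `…/x64-12-/`; `rpm -q --queryformat '%%{RELEASE}' shim-unsigned-%{efiarchlc}` as the deleted 0001-calculate-rather-than-hardcode patch already used, plus an explicit failure on an empty result, would make the mismatch visible instead of silent.
```spec
# … unchanged: presigned branch …
else
    # keep the upstream hash check: the CA-signed image must match the locally built unsigned one
    pesign -i %{shimsrc} -h -P > shim%{efiarchlc}.hash
    if ! cmp shim%{efiarchlc}.hash %{unsigned_dir}shim%{efiarchlc}.hash ; then
        echo Invalid signature\! > /dev/stderr
        exit 1
    fi
    cp %{shimsrc} shim%{efiarchlc}.efi
fi
# … unchanged: ia32 block (same check against %{unsigned_dir_ia32}shimia32.hash), mm/fb signing …
```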
@@ -1,2 +1,2 @@ -0001-Use-presigned-binary.patch -0001-calculate-rather-than-hardcode-shim-unsigned-version.patch +0001-Titanium-release-info.patch +0002-Use-presigned-binaries.patch diff --git a/extended/shim-signed/centos/srpm_path b/extended/shim-signed/centos/srpm_path index f206620ca..26e944f98 100644 --- a/extended/shim-signed/centos/srpm_path +++ b/extended/shim-signed/centos/srpm_path @@ -1 +1 @@ -mirror:Source/shim-signed-0.9-2.el7.src.rpm +mirror:Source/shim-signed-12-1.el7.centos.src.rpm diff --git a/extended/shim-unsigned/centos/meta_patches/0001-Embed-TiS-cert.patch b/extended/shim-unsigned/centos/meta_patches/0001-Embed-TiS-cert.patch deleted file mode 100644 index 9e187490f..000000000 --- a/extended/shim-unsigned/centos/meta_patches/0001-Embed-TiS-cert.patch +++ /dev/null @@ -1,31 +0,0 @@ -diff --git a/SPECS/shim.spec b/SPECS/shim.spec -index 6aa8346..a8945ab 100644 ---- a/SPECS/shim.spec -+++ b/SPECS/shim.spec -@@ -1,6 +1,6 @@ - Name: shim - Version: 0.9 --Release: 1.el7.centos -+Release: 1.el7%{?_tis_dist}.%{tis_patch_ver} - Summary: First-stage UEFI bootloader - - License: BSD -@@ -10,8 +10,10 @@ Source1: centos.crt - # currently here's what's in our dbx: # nothing. - #Source2: dbx.esl - Source3: shim-find-debuginfo.sh -+Source4: tis-shim.crt - - Patch0001: 0001-Typo-on-aarch64.patch -+Patch0002: 0001-Use-TiS-cert.patch - - BuildRequires: git openssl-devel openssl - BuildRequires: pesign >= 0.106-1 -@@ -81,6 +83,7 @@ git commit -a -q -m "%{version} baseline." - git am --ignore-whitespace %{patches} = 0.106-1 diff --git a/extended/shim-unsigned/centos/meta_patches/0001-Ti-version-string.patch b/extended/shim-unsigned/centos/meta_patches/0001-Ti-version-string.patch new file mode 100644 index 000000000..840528f8b --- /dev/null +++ b/extended/shim-unsigned/centos/meta_patches/0001-Ti-version-string.patch 
@@ -0,0 +1,27 @@ +From fc1f1853e99c5afaae334b0c37296e34e9cf19fd Mon Sep 17 00:00:00 2001 +From: root +Date: Mon, 15 Jan 2018 13:09:41 -0500 +Subject: [PATCH 1/2] Ti version string + +--- + SPECS/shim.spec | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + mode change 100755 => 100644 SPECS/shim.spec + +diff --git a/SPECS/shim.spec b/SPECS/shim.spec +old mode 100755 +new mode 100644 +index afd533b..de216b6 +--- a/SPECS/shim.spec ++++ b/SPECS/shim.spec +@@ -1,6 +1,6 @@ + Name: shim + Version: 12 +-Release: 1%{?dist} ++Release: 1.el7%{?_tis_dist}.%{tis_patch_ver} + Summary: First-stage UEFI bootloader + + License: BSD +-- +1.8.3.1 + diff --git a/extended/shim-unsigned/centos/meta_patches/0002-Add-Ti-certificate.patch b/extended/shim-unsigned/centos/meta_patches/0002-Add-Ti-certificate.patch new file mode 100644 index 000000000..4b52100ef --- /dev/null +++ b/extended/shim-unsigned/centos/meta_patches/0002-Add-Ti-certificate.patch 
@@ -0,0 +1,45 @@ +From fb4da7f4d7d8e8565371ed236150de2e4bb47b95 Mon Sep 17 00:00:00 2001 +From: root +Date: Mon, 15 Jan 2018 13:22:09 -0500 +Subject: [PATCH 2/2] Add Ti certificate + +--- + SPECS/shim.spec | 5 +++++ + 1 file changed, 5 insertions(+) + mode change 100644 => 100755 SPECS/shim.spec + +diff --git a/SPECS/shim.spec b/SPECS/shim.spec +old mode 100644 +new mode 100755 +index de216b6..83da6cd +--- a/SPECS/shim.spec ++++ b/SPECS/shim.spec +@@ -11,6 +11,9 @@ Source1: centos.crt + #Source2: dbx-x64.esl + #Source3: dbx-aa64.esl + Source4: shim-find-debuginfo.sh ++Source1000: tis-shim.crt ++ ++Patch1000: 0001-Use-Titanium-certificate.patch + + BuildRequires: git openssl-devel openssl + BuildRequires: pesign >= 0.106-1 +@@ -101,6 +104,7 @@ git commit -a -q -m "%{version} baseline." + git am --ignore-whitespace %{patches} -Date: Thu, 19 Jan 2017 15:05:16 -0500 -Subject: [PATCH] Better parting of objcopy version - - -diff --git a/Makefile b/Makefile -index e8b291e..02388ac 100644 ---- a/Makefile -+++ b/Makefile -@@ -9,7 +9,7 @@ LD = $(CROSS_COMPILE)ld - OBJCOPY = $(CROSS_COMPILE)objcopy - - ARCH = $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,) --OBJCOPY_GTE224 = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.* //g' | cut -f1-2 -d.` \>= 2.24) -+OBJCOPY_GTE224 = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.*version //g' | cut -f1-2 -d.` \>= 2.24) - - SUBDIRS = Cryptlib lib - diff --git a/extended/shim-unsigned/centos/patches/0001-Use-TiS-cert.patch b/extended/shim-unsigned/centos/patches/0001-Use-Titanium-certificate.patch similarity index 63% rename from extended/shim-unsigned/centos/patches/0001-Use-TiS-cert.patch rename to extended/shim-unsigned/centos/patches/0001-Use-Titanium-certificate.patch index 07703cc26..d366690f8 100644 --- a/extended/shim-unsigned/centos/patches/0001-Use-TiS-cert.patch +++ b/extended/shim-unsigned/centos/patches/0001-Use-Titanium-certificate.patch 
@@ -1,16 +1,19 @@ -From 6a0a1ea93362b7f9f2f5242e847ae1e0ef15de04 Mon Sep 17 00:00:00 2001 -From: jmckenna -Date: Thu, 5 Jan 2017 08:54:32 -0500 -Subject: [PATCH] Use Titanium Cloud certificate +From 057532ac6c77d20ae8d6ce0354e7ef67b1870eb6 Mon Sep 17 00:00:00 2001 +From: root +Date: Mon, 15 Jan 2018 13:25:04 -0500 +Subject: [PATCH] Use Titanium certificate +--- + Makefile | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/Makefile b/Makefile -index 1181b8a..e8b291e 100644 +index 6ece282..bb4f7f9 100644 --- a/Makefile +++ b/Makefile -@@ -34,6 +34,12 @@ CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ - "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \ - $(EFI_INCLUDES) +@@ -36,6 +36,12 @@ FBNAME = fallback + + COMMITID ?= $(shell if [ -d .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo commit id not available; fi) +# We compile a certificate into shim. Usually this is a one-time generated +# certificate (make-certs script) however we want to include a custom 
@@ -21,16 +24,16 @@ index 1181b8a..e8b291e 100644 ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined) CFLAGS += -DOVERRIDE_SECURITY_POLICY endif -@@ -67,7 +73,7 @@ LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsym +@@ -90,7 +96,7 @@ LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsym - TARGET = shim.efi MokManager.efi.signed fallback.efi.signed - OBJS = shim.o netboot.o cert.o replacements.o version.o + TARGET = $(SHIMNAME).efi $(MMNAME).efi.signed $(FBNAME).efi.signed + OBJS = shim.o netboot.o cert.o replacements.o tpm.o version.o -KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer -+KEYS = shim_cert.h ocsp.* ca.* $(INTERNAL_CERT).crt $(INTERNAL_CERT).csr $(INTERNAL_CERT).p12 $(INTERNAL_CERT).pem $(INTERNAL_CERT).key $(INTERNAL_CERT).cer - SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h version.c version.h ++KEYS = shim_cert.h ocsp.* ca.* $(INTERNAL_CERT).crt $(INTERNAL_CERT).csr $(INTERNAL_CERT).p12 $(INTERNAL_CERT).pem $(INTERNAL_CERT).key $(INTERNAL_CERT).cer + SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h tpm.c tpm.h version.c version.h MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o MOK_SOURCES = MokManager.c shim.h include/console.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h -@@ -76,13 +82,17 @@ FALLBACK_SRCS = fallback.c +@@ -104,13 +110,17 @@ endif all: $(TARGET) 
@@ -52,8 +55,8 @@ index 1181b8a..e8b291e 100644 echo "static UINT8 shim_cert[] = {" > $@ hexdump -v -e '1/1 "0x%02x, "' $< >> $@ echo "};" >> $@ -@@ -93,10 +103,10 @@ version.c : version.c.in - -e "s,@@COMMIT@@,$(shell if [ -d .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo commit id not available; fi)," \ +@@ -121,10 +131,10 @@ version.c : version.c.in + -e "s,@@COMMIT@@,$(COMMITID)," \ < version.c.in > version.c -certdb/secmod.db: shim.crt @@ -65,4 +68,7 @@ index 1181b8a..e8b291e 100644 + certutil -d certdb/ -A -i $(INTERNAL_CERT).crt -n shim -t u shim.o: $(SOURCES) shim_cert.h - + shim.o: $(wildcard *.h) +-- +1.8.3.1 + diff --git a/extended/shim-unsigned/centos/srpm_path b/extended/shim-unsigned/centos/srpm_path index 738f15200..19f9a3f9e 100644 --- a/extended/shim-unsigned/centos/srpm_path +++ b/extended/shim-unsigned/centos/srpm_path @@ -1 +1 @@ -mirror:Source/shim-0.9-1.el7.centos.src.rpm +mirror:Source/shim-12-1.el7.centos.src.rpm