From 0c6391af4ec952097d87bfec768895568d3ddc4d Mon Sep 17 00:00:00 2001
From: "Martin, Chen"
Date: Wed, 2 Jan 2019 14:46:35 +0800
Subject: [PATCH] rebase shim-signed patch to CentOS 7.6 version

Test: Pass build and multi-node deploy test
Depends-On: https://review.openstack.org/627932/
Story: 2004522
Task: 28439
Change-Id: Ia10f16834721cc2aa1a148557f8fc614954c5c07
Signed-off-by: Martin, Chen
---
 .../0001-Titanium-release-info.patch | 2 +-
 .../0002-Use-presigned-binaries.patch | 106 +++++++++---------
 security/shim-signed/centos/srpm_path | 2 +-
 3 files changed, 57 insertions(+), 53 deletions(-)

diff --git a/security/shim-signed/centos/meta_patches/0001-Titanium-release-info.patch b/security/shim-signed/centos/meta_patches/0001-Titanium-release-info.patch
index 78aebe62a..48fdb08bb 100644
--- a/security/shim-signed/centos/meta_patches/0001-Titanium-release-info.patch
+++ b/security/shim-signed/centos/meta_patches/0001-Titanium-release-info.patch
@@ -13,7 +13,7 @@ index d2a13b1..9cfcb2f 100644
 +++ b/SPECS/shim-signed.spec
 @@ -1,6 +1,6 @@
  Name: shim-signed
- Version: 12
+ Version: 15
 -Release: 1%{?dist}%{?buildid}
 +Release: 1%{?_tis_dist}.%{tis_patch_ver}
  Summary: First-stage UEFI bootloader
diff --git a/security/shim-signed/centos/meta_patches/0002-Use-presigned-binaries.patch b/security/shim-signed/centos/meta_patches/0002-Use-presigned-binaries.patch
index baa00fd95..d9a3a12cd 100644
--- a/security/shim-signed/centos/meta_patches/0002-Use-presigned-binaries.patch
+++ b/security/shim-signed/centos/meta_patches/0002-Use-presigned-binaries.patch
@@ -4,30 +4,31 @@ new mode 100755
 index 9cfcb2f..f6ce87e
 --- a/SPECS/shim-signed.spec
+++ b/SPECS/shim-signed.spec -@@ -2,7 +2,6 @@ Name: shim-signed - Version: 12 +@@ -2,18 +2,20 @@ Name: shim-signed + Version: 15 Release: 1%{?_tis_dist}.%{tis_patch_ver} Summary: First-stage UEFI bootloader -%define unsigned_release 1%{?dist} License: BSD - URL: http://www.codon.org.uk/~mjg59/shim/ -@@ -16,10 +15,12 @@ Patch0004: 0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch - Patch0005: 0005-Make-all-efi_guid_t-const.patch - Patch0006: 0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch - Patch0007: 0007-Add-bash-completion-file.patch + URL: https://github.com/rhboot/shim/ + # incorporate mokutil for packaging simplicity + %global mokutil_version 0.3.0 +%global srcbasename shimx64 +%global srcbasenameia32 shimia32 - - Source1: centos.crt --Source10: shimx64.efi --Source11: shimia32.efi ++ + Source0: https://github.com/lcp/mokutil/archive/mokutil-%{mokutil_version}.tar.gz + Source1: centossecureboot001.crt + Source2: centos-ca-secureboot.der + %define pesign_name centossecureboot001 +-Source10: shimx64.efi +-Source11: shimia32.efi +Source10: %{srcbasename}.efi +Source11: %{srcbasenameia32}.efi - #Source12: shimaa64.efi - Source20: BOOTX64.CSV - Source21: BOOTIA32.CSV -@@ -47,11 +48,17 @@ BuildRequires: git + Source12: shimaa64.efi + Source20: BOOTX64.CSV + Source21: BOOTIA32.CSV +@@ -52,11 +54,17 @@ BuildRequires: git BuildRequires: openssl-devel openssl BuildRequires: pesign >= 0.106-5%{dist} BuildRequires: efivar-devel 
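Review bot: The `%global srcbasename shimx64` and `%global srcbasenameia32 shimia32` definitions carried through this hunk make `Source10`/`Source11` expand to exactly the `shimx64.efi`/`shimia32.efi` names the inner patch removes, and nothing in the patch says why the indirection is wanted, so a future rebaser may well drop it as a no-op. A one-line comment above the two `%global` lines in the inner patch would settle it, e.g. `# base names are shared with the *-presigned.efi lookups in the build section; keep them in one place` — assuming that is the reason (the ia32 presigned lookup later in this file uses `%{srcbasenameia32}`; the x64 one is not visible from here). Those lines are unchanged context in this rebase, so the comment belongs in a follow-up to the meta patch rather than in this commit.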
@@ -47,16 +48,16 @@ index 9cfcb2f..f6ce87e # for mokutil's configure BuildRequires: autoconf automake -@@ -143,39 +150,34 @@ cd .. +@@ -148,39 +156,34 @@ cd .. %define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}} %ifarch %{ca_signed_arches} -pesign -i %{shimsrc} -h -P > shim%{efiarchlc}.hash -if ! cmp shim%{efiarchlc}.hash %{unsigned_dir}shim%{efiarchlc}.hash ; then -- echo Invalid signature\! > /dev/stderr -- echo saved hash is $(cat %{unsigned_dir}shim%{efiarchlc}.hash) > /dev/stderr -- echo shim%{efiarchlc}.efi hash is $(cat shim%{efiarchlc}.hash) > /dev/stderr -- exit 1 +- echo Invalid signature\! > /dev/stderr +- echo saved hash is $(cat %{unsigned_dir}shim%{efiarchlc}.hash) > /dev/stderr +- echo shim%{efiarchlc}.efi hash is $(cat shim%{efiarchlc}.hash) > /dev/stderr +- exit 1 + +# if we already have a presigned EFI image, then do not do signing -- just +# use the presigned one. @@ -70,10 +71,10 @@ index 9cfcb2f..f6ce87e %ifarch x86_64 -pesign -i %{shimsrcia32} -h -P > shimia32.hash -if ! cmp shimia32.hash %{unsigned_dir_ia32}shimia32.hash ; then -- echo Invalid signature\! > /dev/stderr -- echo saved hash is $(cat %{unsigned_dir_ia32}shimia32.hash) > /dev/stderr -- echo shimia32.efi hash is $(cat shimia32.hash) > /dev/stderr -- exit 1 +- echo Invalid signature\! > /dev/stderr +- echo saved hash is $(cat %{unsigned_dir_ia32}shimia32.hash) > /dev/stderr +- echo shimia32.efi hash is $(cat shimia32.hash) > /dev/stderr +- exit 1 +if [ -e %{unsigned_dir_ia32}%{srcbasenameia32}-presigned.efi ]; then + cp %{unsigned_dir_ia32}%{srcbasenameia32}-presigned.efi %{srcbasenameia32}.efi +else 
@@ -83,9 +84,9 @@ index 9cfcb2f..f6ce87e -%endif -%endif -%ifarch %{rh_signed_arches} --%pesign -s -i %{unsigned_dir}shim%{efiarchlc}.efi -a %{SOURCE1} -c %{SOURCE1} -o shim%{efiarchlc}-%{efidir}.efi +-%pesign -s -i %{unsigned_dir}shim%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} -o shim%{efiarchlc}-%{efidir}.efi -%ifarch x86_64 --%pesign -s -i %{unsigned_dir_ia32}shimia32.efi -a %{SOURCE1} -c %{SOURCE1} -o shimia32-%{efidir}.efi +-%pesign -s -i %{unsigned_dir_ia32}shimia32.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} -o shimia32-%{efidir}.efi -%endif -%endif -%ifarch %{rh_signed_arches} 
@@ -94,54 +95,57 @@ index 9cfcb2f..f6ce87e %endif %endif --%pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE1} -c %{SOURCE1} --%pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE1} -c %{SOURCE1} +-%pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} +-%pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} +if [ -e %{unsigned_dir}mm%{efiarchlc}-presigned.efi ]; then + cp %{unsigned_dir}mm%{efiarchlc}-presigned.efi mm%{efiarchlc}.efi +else -+ %pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE1} -c %{SOURCE1} ++ %pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} +fi +if [ -e %{unsigned_dir}fb%{efiarchlc}-presigned.efi ]; then + cp %{unsigned_dir}fb%{efiarchlc}-presigned.efi fb%{efiarchlc}.efi +else -+ %pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE1} -c %{SOURCE1} ++ %pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} +fi %ifarch x86_64 - %pesign -s -i %{unsigned_dir_ia32}mmia32.efi -o mmia32.efi -a %{SOURCE1} -c %{SOURCE1} -@@ -191,7 +193,7 @@ make %{?_smp_mflags} + %pesign -s -i %{unsigned_dir_ia32}mmia32.efi -o mmia32.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} +@@ -196,7 +199,7 @@ make %{?_smp_mflags} rm -rf $RPM_BUILD_ROOT - install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/ - install -m 0644 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi --install -m 0644 shim%{efiarchlc}-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi -+#install -m 0644 shim%{efiarchlc}-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi - install -m 0644 mm%{efiarchlc}.efi 
$RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi - install -m 0644 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV + install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/ + install -m 0700 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi +-install -m 0700 shim%{efiarchlc}-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi ++#install -m 0700 shim%{efiarchlc}-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi + install -m 0700 mm%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi + install -m 0700 mm%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/MokManager.efi + install -m 0700 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV +@@ -218,7 +221,7 @@ install -m 0700 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV -@@ -211,7 +213,7 @@ install -m 0644 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV - - install -m 0644 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi - install -m 0644 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi --install -m 0644 shimia32-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi -+#install -m 0644 shimia32-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi - install -m 0644 mmia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mmia32.efi - install -m 0644 %{bootsrcia32} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOTIA32.CSV - -@@ -224,7 +226,7 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install + install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi + install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi +-install -m 0700 shimia32-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi ++#install -m 0700 shimia32-%{efidir}.efi 
$RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi + install -m 0700 mmia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mmia32.efi + install -m 0700 %{bootsrcia32} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOTIA32.CSV +@@ -232,7 +235,7 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install %files -n shim-%{efiarchlc} + %defattr(0700,root,root,-) /boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi -/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi +#/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi /boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi + /boot/efi/EFI/%{efidir}/MokManager.efi /boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV - /boot/efi/EFI/BOOT/BOOT%{efiarch}.EFI -@@ -236,7 +238,7 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install - +@@ -247,7 +250,7 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install %files -n shim-ia32 + %defattr(0700,root,root,-) /boot/efi/EFI/%{efidir}/shimia32.efi -/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi +#/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi /boot/efi/EFI/%{efidir}/mmia32.efi /boot/efi/EFI/%{efidir}/BOOTIA32.CSV /boot/efi/EFI/BOOT/BOOTIA32.EFI +-- +1.8.3.1 + diff --git a/security/shim-signed/centos/srpm_path b/security/shim-signed/centos/srpm_path index 26e944f98..90af5a681 100644 --- a/security/shim-signed/centos/srpm_path +++ b/security/shim-signed/centos/srpm_path @@ -1 +1 @@ -mirror:Source/shim-signed-12-1.el7.centos.src.rpm +mirror:Source/shim-signed-15-1.el7.centos.src.rpm
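Review bot: The presigned branches this patch keeps on the new side (`cp %{unsigned_dir}mm%{efiarchlc}-presigned.efi mm%{efiarchlc}.efi`, the `fb` twin below it, and the `shimia32` one in the earlier `@@ -47,16 +48,16 @@` hunk) copy whatever file sits in the unsigned directory straight into the packaged image, while the upstream `pesign -i … -h -P`/`cmp` hash comparison the inner patch removes is not replaced by any check that the copied file is actually signed. A stale, unsigned or wrong-key `*-presigned.efi` would then be shipped as MokManager, fallback or shim and only fail at Secure Boot time on the target. After each `cp`, run `pesign -i mm%{efiarchlc}.efi -S` (pesign is already in BuildRequires) and `exit 1` when it reports no valid signature; the exact output text to match should be confirmed against the pesign version in use. Separately, the `+#install -m 0700 shim%{efiarchlc}-%{efidir}.efi …` and `+#/boot/efi/EFI/%{efidir}/shim…-%{efidir}.efi` lines rewritten here keep disabled spec lines as `#` comments, and rpmbuild still expands `%{…}` macros inside comments, so deleting the lines in the inner patch is the safer form. The inner install and files sections continue outside this hunk.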