rebase shim patch to CentOS 7.6 version
Test: Pass build and multi-node deploy test Depends-On: https://review.openstack.org/627922 Story: 2004522 Task: 28438 Change-Id: I838e71c0334515ad2e34cbad968188b81f908d6a Signed-off-by: Martin, Chen <haochuan.z.chen@intel.com>
parent
d26fe93b36
commit
245592c60e
@ -16,7 +16,7 @@ index afd533b..de216b6
|
||||
+++ b/SPECS/shim.spec
|
||||
@@ -1,6 +1,6 @@
|
||||
Name: shim
|
||||
Version: 12
|
||||
Version: 15
|
||||
-Release: 1%{?dist}
|
||||
+Release: 1.el7%{?_tis_dist}.%{tis_patch_ver}
|
||||
Summary: First-stage UEFI bootloader
|
||||
|
@ -4,8 +4,8 @@ Date: Mon, 15 Jan 2018 13:22:09 -0500
|
||||
Subject: [PATCH 2/2] Add Ti certificate
|
||||
|
||||
---
|
||||
SPECS/shim.spec | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
SPECS/shim.spec | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
mode change 100644 => 100755 SPECS/shim.spec
|
||||
|
||||
diff --git a/SPECS/shim.spec b/SPECS/shim.spec
|
||||
@ -14,17 +14,18 @@ new mode 100755
|
||||
index de216b6..83da6cd
|
||||
--- a/SPECS/shim.spec
|
||||
+++ b/SPECS/shim.spec
|
||||
@@ -11,6 +11,9 @@ Source1: centos.crt
|
||||
#Source2: dbx-x64.esl
|
||||
@@ -14,8 +14,10 @@ Source0: https://github.com/mjg59/shim/releases/download/%{version}/shim-
|
||||
#Source3: dbx-aa64.esl
|
||||
Source4: shim-find-debuginfo.sh
|
||||
Source5: centos.esl
|
||||
+Source1000: tis-shim.crt
|
||||
+
|
||||
|
||||
Patch0: 0001-Add-vendor-esl.patch
|
||||
+Patch1000: 0001-Use-Titanium-certificate.patch
|
||||
|
||||
BuildRequires: git openssl-devel openssl
|
||||
BuildRequires: pesign >= 0.106-1
|
||||
@@ -101,6 +104,7 @@ git commit -a -q -m "%{version} baseline."
|
||||
@@ -106,6 +108,7 @@ git commit -a -q -m "%{version} baseline."
|
||||
git am --ignore-whitespace %{patches} </dev/null
|
||||
git config --unset user.email
|
||||
git config --unset user.name
|
||||
@ -32,7 +33,7 @@ index de216b6..83da6cd
|
||||
|
||||
%ifarch x86_64
|
||||
cd ..
|
||||
@@ -115,6 +119,7 @@ git commit -a -q -m "%{version} baseline."
|
||||
@@ -120,6 +123,7 @@ git commit -a -q -m "%{version} baseline."
|
||||
git am --ignore-whitespace %{patches} </dev/null
|
||||
git config --unset user.email
|
||||
git config --unset user.name
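Review bot: `Source1000: tis-shim.crt` appears to be the certificate that the Titanium patch compiles into the first-stage bootloader, but nothing in the visible spec lines records which certificate it is or checks it before the build. Add a comment above the source line such as `# tis-shim.crt: SHA-256 fingerprint <FINGERPRINT-PLACEHOLDER>, expires <DATE-PLACEHOLDER>`, and consider comparing the output of `openssl x509 -noout -fingerprint -sha256` against that value in %prep, so that a swapped file fails the build. The `mode change 100644 => 100755` on SPECS/shim.spec looks unintended, since a spec file does not need the executable bit. The hunks around `git am` show only context lines on this page, so where the certificate is copied into the source tree cannot be checked from here.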
|
||||
|
@ -4,16 +4,17 @@ Date: Mon, 15 Jan 2018 13:25:04 -0500
|
||||
Subject: [PATCH] Use Titanium certificate
|
||||
|
||||
---
|
||||
Makefile | 26 ++++++++++++++++++--------
|
||||
1 file changed, 18 insertions(+), 8 deletions(-)
|
||||
Make.defaults | 6 ++++++
|
||||
Makefile | 20 ++++++++++++--------
|
||||
2 files changed, 18 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/Makefile b/Makefile
|
||||
index 6ece282..bb4f7f9 100644
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -36,6 +36,12 @@ FBNAME = fallback
|
||||
diff --git a/Make.defaults b/Make.defaults
|
||||
index 3cec82d..d7606db 100644
|
||||
--- a/Make.defaults
|
||||
+++ b/Make.defaults
|
||||
@@ -51,6 +51,12 @@ CLANG_BUGS = $(if $(findstring gcc,$(CC)),-maccumulate-outgoing-args,)
|
||||
|
||||
COMMITID ?= $(shell if [ -d .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo commit id not available; fi)
|
||||
COMMIT_ID ?= $(shell if [ -e .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo master; fi)
|
||||
|
||||
+# We compile a certificate into shim. Usually this is a one-time generated
|
||||
+# certificate (make-certs script) however we want to include a custom
|
||||
@ -24,51 +25,56 @@ index 6ece282..bb4f7f9 100644
|
||||
ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
|
||||
CFLAGS += -DOVERRIDE_SECURITY_POLICY
|
||||
endif
|
||||
@@ -90,7 +96,7 @@ LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsym
|
||||
|
||||
TARGET = $(SHIMNAME).efi $(MMNAME).efi.signed $(FBNAME).efi.signed
|
||||
OBJS = shim.o netboot.o cert.o replacements.o tpm.o version.o
|
||||
diff --git a/Makefile b/Makefile
|
||||
index 115e7f0..8964a97 100644
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -34,7 +34,7 @@ else
|
||||
TARGETS += $(MMNAME) $(FBNAME)
|
||||
endif
|
||||
OBJS = shim.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o
|
||||
-KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
|
||||
+KEYS = shim_cert.h ocsp.* ca.* $(INTERNAL_CERT).crt $(INTERNAL_CERT).csr $(INTERNAL_CERT).p12 $(INTERNAL_CERT).pem $(INTERNAL_CERT).key $(INTERNAL_CERT).cer
|
||||
SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h tpm.c tpm.h version.c version.h
|
||||
ORIG_SOURCES = shim.c mok.c netboot.c replacements.c tpm.c errlog.c shim.h version.h $(wildcard include/*.h)
|
||||
MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o
|
||||
MOK_SOURCES = MokManager.c shim.h include/console.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h
|
||||
@@ -104,13 +110,17 @@ endif
|
||||
ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
|
||||
@@ -52,14 +52,18 @@ FALLBACK_SRCS = $(foreach source,$(ORIG_FALLBACK_SRCS),$(TOPDIR)/$(source))
|
||||
|
||||
all: $(TARGET)
|
||||
all: $(TARGETS)
|
||||
|
||||
-shim.crt:
|
||||
- ./make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
|
||||
- $(TOPDIR)/make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
|
||||
+# certificate is now provided in source. To generate a random certificate,
|
||||
+# uncomment this rule
|
||||
+#$(INTERNAL_CERT).crt:
|
||||
+# ./make-certs $(INTERNAL_CERT) shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
|
||||
+# $(TOPDIR)/make-certs $(INTERNAL_CERT) shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
|
||||
|
||||
-shim.cer: shim.crt
|
||||
+$(INTERNAL_CERT).cer: $(INTERNAL_CERT).crt
|
||||
openssl x509 -outform der -in $< -out $@
|
||||
$(OPENSSL) x509 -outform der -in $< -out $@
|
||||
|
||||
.NOTPARALLEL: shim_cert.h
|
||||
-shim_cert.h: shim.cer
|
||||
+# name "shim_cert.h" rather than "$(INTERNAL_CERT).h" used so C files can just
|
||||
+# use a fixed name for #include
|
||||
+shim_cert.h: $(INTERNAL_CERT).cer
|
||||
echo "static UINT8 shim_cert[] = {" > $@
|
||||
hexdump -v -e '1/1 "0x%02x, "' $< >> $@
|
||||
echo "static UINT8 shim_cert[] __attribute__((__unused__)) = {" > $@
|
||||
$(HEXDUMP) -v -e '1/1 "0x%02x, "' $< >> $@
|
||||
echo "};" >> $@
|
||||
@@ -121,10 +131,10 @@ version.c : version.c.in
|
||||
-e "s,@@COMMIT@@,$(COMMITID)," \
|
||||
< version.c.in > version.c
|
||||
@@ -70,10 +74,10 @@ version.c : $(TOPDIR)/version.c.in
|
||||
-e "s,@@COMMIT@@,$(COMMIT_ID)," \
|
||||
< $< > $@
|
||||
|
||||
-certdb/secmod.db: shim.crt
|
||||
+certdb/secmod.db: $(INTERNAL_CERT).crt
|
||||
-mkdir certdb
|
||||
- pk12util -d certdb/ -i shim.p12 -W "" -K ""
|
||||
- certutil -d certdb/ -A -i shim.crt -n shim -t u
|
||||
+ pk12util -d certdb/ -i $(INTERNAL_CERT).p12 -W "" -K ""
|
||||
+ certutil -d certdb/ -A -i $(INTERNAL_CERT).crt -n shim -t u
|
||||
- $(PK12UTIL) -d certdb/ -i shim.p12 -W "" -K ""
|
||||
- $(CERTUTIL) -d certdb/ -A -i shim.crt -n shim -t u
|
||||
+ $(PK12UTIL) -d certdb/ -i $(INTERNAL_CERT).p12 -W "" -K ""
|
||||
+ $(CERTUTIL) -d certdb/ -A -i $(INTERNAL_CERT).crt -n shim -t u
|
||||
|
||||
shim.o: $(SOURCES) shim_cert.h
|
||||
shim.o: $(wildcard *.h)
|
||||
shim.o: $(SOURCES)
|
||||
ifneq ($(origin ENABLE_SHIM_CERT),undefined)
|
||||
--
|
||||
1.8.3.1
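Review bot: In the `certdb/secmod.db` rule the recipe still imports `$(INTERNAL_CERT).p12` with empty passwords (`-W "" -K ""`), yet the only visible rule that could produce the .p12 and .key (the make-certs rule) is now commented out, and the spec change on this page adds only a certificate as a source. As written, the target can succeed only if the private key for the embedded certificate is placed in the build tree, which a fixed, long-lived trust anchor should never require. If signing happens outside this build (not visible here), drop or guard the rule and state it, e.g. `# $(INTERNAL_CERT).p12 is not shipped; certdb is only built when a signing key is supplied out of band`. `KEYS` also now lists `$(INTERNAL_CERT).crt`; if the clean rule removes `$(KEYS)` (outside the hunk), `make clean` would delete the provided certificate. The Make.defaults hunk that defines `INTERNAL_CERT` is cut off in this view, so its value could not be reviewed.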
|
||||
|
||||
|
@ -1 +1 @@
|
||||
mirror:Source/shim-12-1.el7.centos.src.rpm
|
||||
mirror:Source/shim-15-1.el7.centos.src.rpm
|
||||
|