CentOS 8: Upgrade shim-signed to version 15

(1)Release Version Upgrade (2)Matching code changes with el7 to el8 For CentOS 7, shim-signed srpm for shim-signed for CentOS 8, shim srpm for shim-signed Story: 2006729 Task: 37913 Change-Id: I7d6a1c5550ace8ae8b3a539befc4e1f084ce1e18 Signed-off-by: Long Li <lilong-neu@neusoft.com>
2019-12-31 11:32:17 +08:00 · 2019-12-31 11:32:17 +08:00 · 5659544f25
commit 5659544f25
parent 6cf6e96910
6 changed files with 80 additions and 155 deletions
--- a/security/shim-signed/centos/build_srpm.data
+++ b/security/shim-signed/centos/build_srpm.data
@ -1 +1 @@
-TIS_PATCH_VER=2
+TIS_PATCH_VER=1
--- a/security/shim-signed/centos/meta_patches/0001-Titanium-release-info.patch
+++ b/security/shim-signed/centos/meta_patches/0001-Titanium-release-info.patch
@ -4,21 +4,22 @@ Date: Tue, 16 Jan 2018 08:14:08 -0500
 Subject: [PATCH 1/2] Titanium release info
 ---
- SPECS/shim-signed.spec | 2 +-
+ SPECS/shim.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/SPECS/shim-signed.spec b/SPECS/shim-signed.spec
+diff --git a/SPECS/shim.spec b/SPECS/shim.spec
-index d2a13b1..9cfcb2f 100644
+index 4296515..f004748 100644
--- a/SPECS/shim-signed.spec
+--- a/SPECS/shim.spec
-+++ b/SPECS/shim-signed.spec
+++ b/SPECS/shim.spec
-@@ -1,6 +1,6 @@
+@@ -6,7 +6,7 @@
 Name:           shim-signed
 Version:        15
 -Release:        1%{?dist}%{?buildid}
 +Release:        1%{?_tis_dist}.%{tis_patch_ver}
 Summary:        First-stage UEFI bootloader
 %define unsigned_release 1%{?dist}
 Name:		shim
 Version:	15
 -Release:	8%{?dist}
 +Release:	8%{?_tis_dist}.%{tis_patch_ver}
 Summary:	First-stage UEFI bootloader
 License:	BSD
 URL:		https://github.com/rhboot/shim/
 -- 
-1.8.3.1
+2.7.4
--- a/security/shim-signed/centos/meta_patches/0002-Use-presigned-binaries.patch
+++ b/security/shim-signed/centos/meta_patches/0002-Use-presigned-binaries.patch
@ -1,151 +1,44 @@
-diff --git a/SPECS/shim-signed.spec b/SPECS/shim-signed.spec
+diff --git a/SPECS/shim.spec b/SPECS/shim.spec
-old mode 100644
+index f004748..1fd493c 100644
-new mode 100755
+--- a/SPECS/shim.spec
-index 9cfcb2f..f6ce87e
+++ b/SPECS/shim.spec
--- a/SPECS/shim-signed.spec
+@@ -19,6 +19,9 @@ ExcludeArch:	%{ix86}
-+++ b/SPECS/shim-signed.spec
+ # and we don't have shim-unsigned-arm builds *yet*
-@@ -2,18 +2,20 @@ Name:           shim-signed
+ ExcludeArch:	%{arm}
 Version:        15
 Release:        1%{?_tis_dist}.%{tis_patch_ver}
 Summary:        First-stage UEFI bootloader
 -%define unsigned_release 1%{?dist}
 License:        BSD
 URL:            https://github.com/rhboot/shim/
 # incorporate mokutil for packaging simplicity
 %global mokutil_version 0.3.0
 +%global srcbasename shimx64
 +%global srcbasenameia32 shimia32
 +
- Source0:        https://github.com/lcp/mokutil/archive/mokutil-%{mokutil_version}.tar.gz
+ Source0:	shim.rpmmacros
 Source1:	centossecureboot001.crt
 Source2:	centos-ca-secureboot.der
- %define pesign_name centossecureboot001
+@@ -28,9 +31,9 @@ Source2:	centos-ca-secureboot.der
-Source10:       shimx64.efi
+ Source10:	BOOTAA64.CSV
-Source11:       shimia32.efi
+ Source20:	shimaa64.efi
-+Source10:	%{srcbasename}.efi
+ Source11:	BOOTIA32.CSV
-+Source11:	%{srcbasenameia32}.efi
+-Source21:	shimia32.efi
- Source12:       shimaa64.efi
+Source21:	%{srcbasenameia32}.efi
- Source20:       BOOTX64.CSV
+ Source12:	BOOTX64.CSV
- Source21:       BOOTIA32.CSV
+-Source22:	shimx64.efi
-@@ -52,11 +54,17 @@ BuildRequires: git
+Source22:	%{srcbasename}.efi
- BuildRequires: openssl-devel openssl
+ #Source13:	BOOTARM.CSV
- BuildRequires: pesign >= 0.106-5%{dist}
+ #Source23:	shimarm.efi
- BuildRequires: efivar-devel
+ 
-BuildRequires: shim-unsigned-%{efiarchlc} = %{version}-%{unsigned_release}
+@@ -43,11 +46,11 @@ BuildRequires:	pesign >= 0.112-20.fc27
-+BuildRequires: shim-unsigned-%{efiarchlc}
+ # (shim 16+) by making the unsigned packages all provide "shim-unsigned", so
 # we can just BuildRequires that.
 %ifarch x86_64
-BuildRequires: shim-unsigned-ia32 = %{version}-%{unsigned_release}
+-BuildRequires:	%{unsignedx64} = %{shimverx64}
-+BuildRequires: shim-unsigned-ia32
+-BuildRequires:	%{unsignedia32} = %{shimveria32}
 +BuildRequires:	%{unsignedx64}
 +BuildRequires:	%{unsignedia32}
 %endif
- 
+ %ifarch aarch64
-+# Rather than hardcode a release, we get the release from the installed shim-unsigned package
+-BuildRequires:	%{unsignedaa64} = %{shimveraa64}
-+%define unsigned_release %(rpm -q shim-unsigned-x64 --info | grep Release | awk '{print $3}')
+BuildRequires:	%{unsignedaa64}
 +%define unsigned_dir "%{_datadir}/shim/%{efiarchlc}-%{version}-%{unsigned_release}/"
 +%define unsigned_release_ia32 %(rpm -q shim-unsigned-ia32 --info | grep Release | awk '{print $3}')
 +%define unsigned_dir_ia32 "%{_datadir}/shim/ia32-%{version}-%{unsigned_release_ia32}/"
 +
 # for mokutil's configure
 BuildRequires: autoconf automake
@@ -148,39 +156,34 @@ cd ..
 %define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
 %ifarch %{ca_signed_arches}
 -pesign -i %{shimsrc} -h -P > shim%{efiarchlc}.hash
 -if ! cmp shim%{efiarchlc}.hash %{unsigned_dir}shim%{efiarchlc}.hash ; then
 -  echo Invalid signature\! > /dev/stderr
 -  echo saved hash is $(cat %{unsigned_dir}shim%{efiarchlc}.hash) > /dev/stderr
 -  echo shim%{efiarchlc}.efi hash is $(cat shim%{efiarchlc}.hash) > /dev/stderr
 -  exit 1
 +
 +# if we already have a presigned EFI image, then do not do signing -- just
 +# use the presigned one.
 +if  [ -e %{unsigned_dir}%{srcbasename}-presigned.efi ]; then
 +        cp %{unsigned_dir}%{srcbasename}-presigned.efi %{srcbasename}.efi
 +        cp %{unsigned_dir}%{srcbasename}-presigned.efi shim%{efiarchlc}.efi
 +else
 +        cp %{shimsrc} shim%{efiarchlc}.efi
 fi
 -cp %{shimsrc} shim%{efiarchlc}.efi
 %ifarch x86_64
 -pesign -i %{shimsrcia32} -h -P > shimia32.hash
 -if ! cmp shimia32.hash %{unsigned_dir_ia32}shimia32.hash ; then
 -  echo Invalid signature\! > /dev/stderr
 -  echo saved hash is $(cat %{unsigned_dir_ia32}shimia32.hash) > /dev/stderr
 -  echo shimia32.efi hash is $(cat shimia32.hash) > /dev/stderr
 -  exit 1
 +if  [ -e %{unsigned_dir_ia32}%{srcbasenameia32}-presigned.efi ]; then
 +        cp %{unsigned_dir_ia32}%{srcbasenameia32}-presigned.efi %{srcbasenameia32}.efi
 +else
 +	cp %{shimsrcia32} %{srcbasenameia32}.efi
 fi
 -cp %{shimsrcia32} shimia32.efi
 -%endif
 -%endif
 -%ifarch %{rh_signed_arches}
 -%pesign -s -i %{unsigned_dir}shim%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} -o shim%{efiarchlc}-%{efidir}.efi
 -%ifarch x86_64
 -%pesign -s -i %{unsigned_dir_ia32}shimia32.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} -o shimia32-%{efidir}.efi
 -%endif
 -%endif
 -%ifarch %{rh_signed_arches}
 -%ifnarch %{ca_signed_arches}
 -cp shim%{efiarchlc}-%{efidir}.efi shim%{efiarchlc}.efi
 %endif
- %endif
+ #%%ifarch arm
- 
+ #BuildRequires:	%%{unsignedarm} = %%{shimverarm}
 -%pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name}
 -%pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name}
 +if  [ -e %{unsigned_dir}mm%{efiarchlc}-presigned.efi ]; then
 +	cp %{unsigned_dir}mm%{efiarchlc}-presigned.efi mm%{efiarchlc}.efi
 +else
 +	%pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name}
 +fi
 +if  [ -e %{unsigned_dir}fb%{efiarchlc}-presigned.efi ]; then
 +	cp %{unsigned_dir}fb%{efiarchlc}-presigned.efi fb%{efiarchlc}.efi
 +else
 +	%pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name}
 +fi
 %ifarch x86_64
 %pesign -s -i %{unsigned_dir_ia32}mmia32.efi -o mmia32.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name}
@@ -196,7 +199,7 @@ make %{?_smp_mflags}
 rm -rf $RPM_BUILD_ROOT
 install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/
 install -m 0700 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi
 -install -m 0700 shim%{efiarchlc}-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi
 +#install -m 0700 shim%{efiarchlc}-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi
 install -m 0700 mm%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi
 install -m 0700 mm%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/MokManager.efi
 install -m 0700 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV
@@ -218,7 +221,7 @@ install -m 0700 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV
 install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi
 install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi
 -install -m 0700 shimia32-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi
 +#install -m 0700 shimia32-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi
 install -m 0700 mmia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mmia32.efi
 install -m 0700 %{bootsrcia32} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOTIA32.CSV
@@ -232,7 +235,7 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
 %files -n shim-%{efiarchlc}
 %defattr(0700,root,root,-)
 /boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi
 -/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi
 +#/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi
 /boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi
 /boot/efi/EFI/%{efidir}/MokManager.efi
 /boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV
@@ -247,7 +250,7 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
 %files -n shim-ia32
 %defattr(0700,root,root,-)
 /boot/efi/EFI/%{efidir}/shimia32.efi
 -/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi
 +#/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi
 /boot/efi/EFI/%{efidir}/mmia32.efi
 /boot/efi/EFI/%{efidir}/BOOTIA32.CSV
 /boot/efi/EFI/BOOT/BOOTIA32.EFI
 -- 
-1.8.3.1
+2.7.4
--- a/security/shim-signed/centos/meta_patches/0003-Fix-shimver-directory.patch
+++ b/security/shim-signed/centos/meta_patches/0003-Fix-shimver-directory.patch
@ -0,0 +1,30 @@
 From 49520cf6a3c826de7b4c8c0842c24991770d9db2 Mon Sep 17 00:00:00 2001
 From: Long Li <lilong-neu@neusoft.com>
 Date: Wed, 12 Feb 2020 20:16:15 +0800
 Subject: [PATCH] Fix shimver directory
 Signed-off-by: Long Li <lilong-neu@neusoft.com>
 ---
 SOURCES/shim.rpmmacros | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/SOURCES/shim.rpmmacros b/SOURCES/shim.rpmmacros
 index 26e7e72..c14a03f 100644
 --- a/SOURCES/shim.rpmmacros
 +++ b/SOURCES/shim.rpmmacros
@@ -13,9 +13,9 @@
 %global shimefix64 %{expand:%{SOURCE22}}
 #%%global shimefiarm %%{expand:%%{SOURCE23}
 -%global shimveraa64 15-2.el8
 -%global shimveria32 15-2.el8
 -%global shimverx64 15-2.el8
 +%global shimveraa64 15-2.el8%{?_tis_dist}.%{tis_patch_ver}
 +%global shimveria32 15-2.el8%{?_tis_dist}.%{tis_patch_ver}
 +%global shimverx64 15-2.el8%{?_tis_dist}.%{tis_patch_ver}
 #%%global shimverarm 15-1.el8
 %global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64
 -- 
 2.7.4
--- a/security/shim-signed/centos/meta_patches/PATCH_ORDER
+++ b/security/shim-signed/centos/meta_patches/PATCH_ORDER
@ -1,2 +1,3 @@
 0001-Titanium-release-info.patch
 0002-Use-presigned-binaries.patch
 0003-Fix-shimver-directory.patch
--- a/security/shim-signed/centos/srpm_path
+++ b/security/shim-signed/centos/srpm_path
@ -1 +1 @@
-mirror:Source/shim-signed-15-1.el7.centos.src.rpm
+mirror:Source/shim-15-8.el8.src.rpm
`@ -1 +1 @@`
	`mirror:Source/shim-signed-15-1.el7.centos.src.rpm`	`mirror:Source/shim-15-8.el8.src.rpm`