Uprev shim to version 12
Update the shim package to version 12. This change requires regeneration of the patch and meta-patch files. Depends-On: https://review.openstack.org/#/c/578440 Change-Id: Ic6a61b7aad02d8931a9fa854679a0c6490144a8d
parent
1d9e289e39
commit
647a218f25
@ -0,0 +1,24 @@
|
|||||||
|
From a19b16baa019609714fb741db4e3c73d67f2adf1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: jmckenna <jason.mckenna@windriver.com>
|
||||||
|
Date: Tue, 16 Jan 2018 08:14:08 -0500
|
||||||
|
Subject: [PATCH 1/2] Titanium release info
|
||||||
|
|
||||||
|
---
|
||||||
|
SPECS/shim-signed.spec | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/SPECS/shim-signed.spec b/SPECS/shim-signed.spec
|
||||||
|
index d2a13b1..9cfcb2f 100644
|
||||||
|
--- a/SPECS/shim-signed.spec
|
||||||
|
+++ b/SPECS/shim-signed.spec
|
||||||
|
@@ -1,6 +1,6 @@
|
||||||
|
Name: shim-signed
|
||||||
|
Version: 12
|
||||||
|
-Release: 1%{?dist}%{?buildid}
|
||||||
|
+Release: 1%{?_tis_dist}.%{tis_patch_ver}
|
||||||
|
Summary: First-stage UEFI bootloader
|
||||||
|
%define unsigned_release 1%{?dist}
|
||||||
|
|
||||||
|
--
|
||||||
|
1.8.3.1
|
||||||
|
|
@ -1,66 +0,0 @@
|
|||||||
--- a/SPECS/shim-signed.spec 2017-01-05 14:12:11.584037112 -0500
|
|
||||||
+++ b/SPECS/shim-signed.spec 2017-01-05 14:20:57.281934890 -0500
|
|
||||||
@@ -1,9 +1,13 @@
|
|
||||||
Name: shim-signed
|
|
||||||
Version: 0.9
|
|
||||||
-Release: 2%{?dist}
|
|
||||||
+Release: 2%{?_tis_dist}.%{tis_patch_ver}
|
|
||||||
Summary: First-stage UEFI bootloader
|
|
||||||
Provides: shim = %{version}-%{release}
|
|
||||||
-%define unsigned_release 1.el7.centos
|
|
||||||
+
|
|
||||||
+# note that tis_patch_ver cannot be used in the unsigned_release definition,
|
|
||||||
+# as the variable represents the patch level of shim-signed, and we have to
|
|
||||||
+# specifiy the patch of shim-unsigned
|
|
||||||
+%define unsigned_release 1.el7%{_tis_dist}.1
|
|
||||||
|
|
||||||
License: BSD
|
|
||||||
URL: http://www.codon.org.uk/~mjg59/shim/
|
|
||||||
@@ -112,25 +116,35 @@
|
|
||||||
%define vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
|
|
||||||
%define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
|
|
||||||
|
|
||||||
+# if we already have a presigned EFI image, then do not do signing -- just
|
|
||||||
+# use the presigned one.
|
|
||||||
+
|
|
||||||
+if [ -e %{unsigned_dir}shim-presigned.efi ]; then
|
|
||||||
+ cp %{unsigned_dir}shim-presigned.efi shim.efi
|
|
||||||
+ cp %{unsigned_dir}shim-presigned.efi shim-%{efidir}.efi
|
|
||||||
+else
|
|
||||||
%ifarch %{ca_signed_arches}
|
|
||||||
-pesign -i %{shimsrc} -h -P > shim.hash
|
|
||||||
-if ! cmp shim.hash %{unsigned_dir}shim.hash ; then
|
|
||||||
- echo Invalid signature\! > /dev/stderr
|
|
||||||
- exit 1
|
|
||||||
-fi
|
|
||||||
-cp %{shimsrc} shim.efi
|
|
||||||
+ cp %{unsigned_dir}shim.efi shim-unsigned.efi
|
|
||||||
%endif
|
|
||||||
%ifarch %{rh_signed_arches}
|
|
||||||
-%pesign -s -i %{unsigned_dir}shim.efi -a %{SOURCE3} -c %{SOURCE3} -o shim-%{efidir}.efi
|
|
||||||
+ %pesign -s -i %{unsigned_dir}shim.efi -a %{SOURCE3} -c %{SOURCE3} -o shim-%{efidir}.efi
|
|
||||||
%endif
|
|
||||||
%ifarch %{rh_signed_arches}
|
|
||||||
-%ifnarch %{ca_signed_arches}
|
|
||||||
-cp shim-%{efidir}.efi shim.efi
|
|
||||||
-%endif
|
|
||||||
+ cp shim-%{efidir}.efi shim.efi
|
|
||||||
%endif
|
|
||||||
+fi # end "if shim-presigned.efi exists"
|
|
||||||
|
|
||||||
-%pesign -s -i %{unsigned_dir}MokManager.efi -o MokManager.efi -a %{SOURCE3} -c %{SOURCE3}
|
|
||||||
-%pesign -s -i %{unsigned_dir}fallback.efi -o fallback.efi -a %{SOURCE3} -c %{SOURCE3}
|
|
||||||
+if [ -e %{unsigned_dir}MokManager-presigned.efi ]; then
|
|
||||||
+ cp %{unsigned_dir}MokManager-presigned.efi MokManager.efi
|
|
||||||
+else
|
|
||||||
+ %pesign -s -i %{unsigned_dir}MokManager.efi -o MokManager.efi -a %{SOURCE3} -c %{SOURCE3}
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+if [ -e %{unsigned_dir}fallback-presigned.efi ]; then
|
|
||||||
+ cp %{unsigned_dir}fallback-presigned.efi fallback.efi
|
|
||||||
+else
|
|
||||||
+ %pesign -s -i %{unsigned_dir}fallback.efi -o fallback.efi -a %{SOURCE3} -c %{SOURCE3}
|
|
||||||
+fi
|
|
||||||
|
|
||||||
cd mokutil-%{mokutil_version}
|
|
||||||
./autogen.sh
|
|
@ -1,55 +0,0 @@
|
|||||||
From 1c898dfc32b11e94ad90ab76fcff2ba2b65dfa6d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Scott Little <scott.little@windriver.com>
|
|
||||||
Date: Tue, 31 Jan 2017 16:51:23 -0500
|
|
||||||
Subject: [PATCH] calculate rather than hardcode shim-unsigned version
|
|
||||||
|
|
||||||
---
|
|
||||||
SPECS/shim-signed.spec | 13 ++++++-------
|
|
||||||
1 file changed, 6 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/SPECS/shim-signed.spec b/SPECS/shim-signed.spec
|
|
||||||
index f271a05..1b00621 100644
|
|
||||||
--- a/SPECS/shim-signed.spec
|
|
||||||
+++ b/SPECS/shim-signed.spec
|
|
||||||
@@ -4,10 +4,6 @@ Release: 2%{?_tis_dist}.%{tis_patch_ver}
|
|
||||||
Summary: First-stage UEFI bootloader
|
|
||||||
Provides: shim = %{version}-%{release}
|
|
||||||
|
|
||||||
-# note that tis_patch_ver cannot be used in the unsigned_release definition,
|
|
||||||
-# as the variable represents the patch level of shim-signed, and we have to
|
|
||||||
-# specifiy the patch of shim-unsigned
|
|
||||||
-%define unsigned_release 1.el7%{_tis_dist}.1
|
|
||||||
|
|
||||||
License: BSD
|
|
||||||
URL: http://www.codon.org.uk/~mjg59/shim/
|
|
||||||
@@ -32,14 +28,13 @@ Source5: BOOT.CSV
|
|
||||||
%global efiarchlc aa64
|
|
||||||
%global shimsrc %{SOURCE2}
|
|
||||||
%endif
|
|
||||||
-%define unsigned_dir %{_datadir}/shim/%{efiarchlc}-%{version}-%{unsigned_release}/
|
|
||||||
+
|
|
||||||
|
|
||||||
BuildRequires: git
|
|
||||||
BuildRequires: openssl-devel openssl
|
|
||||||
BuildRequires: pesign >= 0.106-5%{dist}
|
|
||||||
BuildRequires: efivar-devel
|
|
||||||
-# BuildRequires: shim-unsigned = %{version}-%{unsigned_release}
|
|
||||||
-BuildRequires: shim-unsigned = %{version}-%{unsigned_release}
|
|
||||||
+BuildRequires: shim-unsigned
|
|
||||||
|
|
||||||
# for mokutil's configure
|
|
||||||
BuildRequires: autoconf automake
|
|
||||||
@@ -119,6 +114,10 @@ git config --unset user.name
|
|
||||||
# if we already have a presigned EFI image, then do not do signing -- just
|
|
||||||
# use the presigned one.
|
|
||||||
|
|
||||||
+# %define unsigned_release 1.el7%{_tis_dist}.1
|
|
||||||
+%global unsigned_release %(rpm -q --queryformat '%%{RELEASE}' shim-unsigned | sort --version-sort | tail -1)
|
|
||||||
+%define unsigned_dir %{_datadir}/shim/%{efiarchlc}-%{version}-%{unsigned_release}/
|
|
||||||
+
|
|
||||||
if [ -e %{unsigned_dir}shim-presigned.efi ]; then
|
|
||||||
cp %{unsigned_dir}shim-presigned.efi shim.efi
|
|
||||||
cp %{unsigned_dir}shim-presigned.efi shim-%{efidir}.efi
|
|
||||||
--
|
|
||||||
1.8.3.1
|
|
||||||
|
|
@ -0,0 +1,147 @@
|
|||||||
|
diff --git a/SPECS/shim-signed.spec b/SPECS/shim-signed.spec
|
||||||
|
old mode 100644
|
||||||
|
new mode 100755
|
||||||
|
index 9cfcb2f..f6ce87e
|
||||||
|
--- a/SPECS/shim-signed.spec
|
||||||
|
+++ b/SPECS/shim-signed.spec
|
||||||
|
@@ -2,7 +2,6 @@ Name: shim-signed
|
||||||
|
Version: 12
|
||||||
|
Release: 1%{?_tis_dist}.%{tis_patch_ver}
|
||||||
|
Summary: First-stage UEFI bootloader
|
||||||
|
-%define unsigned_release 1%{?dist}
|
||||||
|
|
||||||
|
License: BSD
|
||||||
|
URL: http://www.codon.org.uk/~mjg59/shim/
|
||||||
|
@@ -16,10 +15,12 @@ Patch0004: 0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
|
||||||
|
Patch0005: 0005-Make-all-efi_guid_t-const.patch
|
||||||
|
Patch0006: 0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
|
||||||
|
Patch0007: 0007-Add-bash-completion-file.patch
|
||||||
|
+%global srcbasename shimx64
|
||||||
|
+%global srcbasenameia32 shimia32
|
||||||
|
|
||||||
|
Source1: centos.crt
|
||||||
|
-Source10: shimx64.efi
|
||||||
|
-Source11: shimia32.efi
|
||||||
|
+Source10: %{srcbasename}.efi
|
||||||
|
+Source11: %{srcbasenameia32}.efi
|
||||||
|
#Source12: shimaa64.efi
|
||||||
|
Source20: BOOTX64.CSV
|
||||||
|
Source21: BOOTIA32.CSV
|
||||||
|
@@ -47,11 +48,17 @@ BuildRequires: git
|
||||||
|
BuildRequires: openssl-devel openssl
|
||||||
|
BuildRequires: pesign >= 0.106-5%{dist}
|
||||||
|
BuildRequires: efivar-devel
|
||||||
|
-BuildRequires: shim-unsigned-%{efiarchlc} = %{version}-%{unsigned_release}
|
||||||
|
+BuildRequires: shim-unsigned-%{efiarchlc}
|
||||||
|
%ifarch x86_64
|
||||||
|
-BuildRequires: shim-unsigned-ia32 = %{version}-%{unsigned_release}
|
||||||
|
+BuildRequires: shim-unsigned-ia32
|
||||||
|
%endif
|
||||||
|
|
||||||
|
+# Rather than hardcode a release, we get the release from the installed shim-unsigned package
|
||||||
|
+%define unsigned_release %(rpm -q shim-unsigned-x64 --info | grep Release | awk '{print $3}')
|
||||||
|
+%define unsigned_dir "%{_datadir}/shim/%{efiarchlc}-%{version}-%{unsigned_release}/"
|
||||||
|
+%define unsigned_release_ia32 %(rpm -q shim-unsigned-ia32 --info | grep Release | awk '{print $3}')
|
||||||
|
+%define unsigned_dir_ia32 "%{_datadir}/shim/ia32-%{version}-%{unsigned_release_ia32}/"
|
||||||
|
+
|
||||||
|
# for mokutil's configure
|
||||||
|
BuildRequires: autoconf automake
|
||||||
|
|
||||||
|
@@ -143,39 +150,34 @@ cd ..
|
||||||
|
%define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
|
||||||
|
|
||||||
|
%ifarch %{ca_signed_arches}
|
||||||
|
-pesign -i %{shimsrc} -h -P > shim%{efiarchlc}.hash
|
||||||
|
-if ! cmp shim%{efiarchlc}.hash %{unsigned_dir}shim%{efiarchlc}.hash ; then
|
||||||
|
- echo Invalid signature\! > /dev/stderr
|
||||||
|
- echo saved hash is $(cat %{unsigned_dir}shim%{efiarchlc}.hash) > /dev/stderr
|
||||||
|
- echo shim%{efiarchlc}.efi hash is $(cat shim%{efiarchlc}.hash) > /dev/stderr
|
||||||
|
- exit 1
|
||||||
|
+
|
||||||
|
+# if we already have a presigned EFI image, then do not do signing -- just
|
||||||
|
+# use the presigned one.
|
||||||
|
+if [ -e %{unsigned_dir}%{srcbasename}-presigned.efi ]; then
|
||||||
|
+ cp %{unsigned_dir}%{srcbasename}-presigned.efi %{srcbasename}.efi
|
||||||
|
+ cp %{unsigned_dir}%{srcbasename}-presigned.efi shim%{efiarchlc}.efi
|
||||||
|
+else
|
||||||
|
+ cp %{shimsrc} shim%{efiarchlc}.efi
|
||||||
|
fi
|
||||||
|
-cp %{shimsrc} shim%{efiarchlc}.efi
|
||||||
|
%ifarch x86_64
|
||||||
|
-pesign -i %{shimsrcia32} -h -P > shimia32.hash
|
||||||
|
-if ! cmp shimia32.hash %{unsigned_dir_ia32}shimia32.hash ; then
|
||||||
|
- echo Invalid signature\! > /dev/stderr
|
||||||
|
- echo saved hash is $(cat %{unsigned_dir_ia32}shimia32.hash) > /dev/stderr
|
||||||
|
- echo shimia32.efi hash is $(cat shimia32.hash) > /dev/stderr
|
||||||
|
- exit 1
|
||||||
|
+if [ -e %{unsigned_dir_ia32}%{srcbasenameia32}-presigned.efi ]; then
|
||||||
|
+ cp %{unsigned_dir_ia32}%{srcbasenameia32}-presigned.efi %{srcbasenameia32}.efi
|
||||||
|
+else
|
||||||
|
+ cp %{shimsrcia32} %{srcbasenameia32}.efi
|
||||||
|
fi
|
||||||
|
-cp %{shimsrcia32} shimia32.efi
|
||||||
|
-%endif
|
||||||
|
-%endif
|
||||||
|
-%ifarch %{rh_signed_arches}
|
||||||
|
-%pesign -s -i %{unsigned_dir}shim%{efiarchlc}.efi -a %{SOURCE1} -c %{SOURCE1} -o shim%{efiarchlc}-%{efidir}.efi
|
||||||
|
-%ifarch x86_64
|
||||||
|
-%pesign -s -i %{unsigned_dir_ia32}shimia32.efi -a %{SOURCE1} -c %{SOURCE1} -o shimia32-%{efidir}.efi
|
||||||
|
-%endif
|
||||||
|
-%endif
|
||||||
|
-%ifarch %{rh_signed_arches}
|
||||||
|
-%ifnarch %{ca_signed_arches}
|
||||||
|
-cp shim%{efiarchlc}-%{efidir}.efi shim%{efiarchlc}.efi
|
||||||
|
%endif
|
||||||
|
%endif
|
||||||
|
|
||||||
|
-%pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE1} -c %{SOURCE1}
|
||||||
|
-%pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE1} -c %{SOURCE1}
|
||||||
|
+if [ -e %{unsigned_dir}mm%{efiarchlc}-presigned.efi ]; then
|
||||||
|
+ cp %{unsigned_dir}mm%{efiarchlc}-presigned.efi mm%{efiarchlc}.efi
|
||||||
|
+else
|
||||||
|
+ %pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE1} -c %{SOURCE1}
|
||||||
|
+fi
|
||||||
|
+if [ -e %{unsigned_dir}fb%{efiarchlc}-presigned.efi ]; then
|
||||||
|
+ cp %{unsigned_dir}fb%{efiarchlc}-presigned.efi fb%{efiarchlc}.efi
|
||||||
|
+else
|
||||||
|
+ %pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE1} -c %{SOURCE1}
|
||||||
|
+fi
|
||||||
|
|
||||||
|
%ifarch x86_64
|
||||||
|
%pesign -s -i %{unsigned_dir_ia32}mmia32.efi -o mmia32.efi -a %{SOURCE1} -c %{SOURCE1}
|
||||||
|
@@ -191,7 +193,7 @@ make %{?_smp_mflags}
|
||||||
|
rm -rf $RPM_BUILD_ROOT
|
||||||
|
install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/
|
||||||
|
install -m 0644 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi
|
||||||
|
-install -m 0644 shim%{efiarchlc}-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi
|
||||||
|
+#install -m 0644 shim%{efiarchlc}-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi
|
||||||
|
install -m 0644 mm%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi
|
||||||
|
install -m 0644 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV
|
||||||
|
|
||||||
|
@@ -211,7 +213,7 @@ install -m 0644 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV
|
||||||
|
|
||||||
|
install -m 0644 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi
|
||||||
|
install -m 0644 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi
|
||||||
|
-install -m 0644 shimia32-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi
|
||||||
|
+#install -m 0644 shimia32-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi
|
||||||
|
install -m 0644 mmia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mmia32.efi
|
||||||
|
install -m 0644 %{bootsrcia32} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOTIA32.CSV
|
||||||
|
|
||||||
|
@@ -224,7 +226,7 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
|
||||||
|
|
||||||
|
%files -n shim-%{efiarchlc}
|
||||||
|
/boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi
|
||||||
|
-/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi
|
||||||
|
+#/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi
|
||||||
|
/boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi
|
||||||
|
/boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV
|
||||||
|
/boot/efi/EFI/BOOT/BOOT%{efiarch}.EFI
|
||||||
|
@@ -236,7 +238,7 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
|
||||||
|
|
||||||
|
%files -n shim-ia32
|
||||||
|
/boot/efi/EFI/%{efidir}/shimia32.efi
|
||||||
|
-/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi
|
||||||
|
+#/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi
|
||||||
|
/boot/efi/EFI/%{efidir}/mmia32.efi
|
||||||
|
/boot/efi/EFI/%{efidir}/BOOTIA32.CSV
|
||||||
|
/boot/efi/EFI/BOOT/BOOTIA32.EFI
|
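Review bot: The rewritten `%ifarch %{ca_signed_arches}` block no longer checks the shipped shim against the shim-unsigned build. The `pesign -i %{shimsrc} -h -P` / `cmp` comparison is removed, and the `else` branch now runs `cp %{shimsrc} shim%{efiarchlc}.efi` unconditionally. A `-presigned.efi` file is likewise accepted only because it exists under `%{unsigned_dir}`, with no check of its contents. Because this binary is the first stage of the boot chain, I would keep the hash comparison in the `else` branch, and likewise in the ia32 branch that copies `%{shimsrcia32}`, as sketched below. This assumes shim-unsigned still installs the `.hash` file, which this page does not show.

```spec
%ifarch %{ca_signed_arches}
if [ -e %{unsigned_dir}%{srcbasename}-presigned.efi ]; then
# … unchanged: copy of the presigned image …
else
    # Ship the externally signed shim only if its hash matches the one
    # recorded by the shim-unsigned build.
    pesign -i %{shimsrc} -h -P > shim%{efiarchlc}.hash
    if ! cmp shim%{efiarchlc}.hash %{unsigned_dir}shim%{efiarchlc}.hash ; then
        echo Invalid signature\! > /dev/stderr
        exit 1
    fi
    cp %{shimsrc} shim%{efiarchlc}.efi
fi
# … unchanged: ia32 branch, which needs the same comparison before its cp …
```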
@ -1,2 +1,2 @@
|
|||||||
0001-Use-presigned-binary.patch
|
0001-Titanium-release-info.patch
|
||||||
0001-calculate-rather-than-hardcode-shim-unsigned-version.patch
|
0002-Use-presigned-binaries.patch
|
||||||
|
@ -1 +1 @@
|
|||||||
mirror:Source/shim-signed-0.9-2.el7.src.rpm
|
mirror:Source/shim-signed-12-1.el7.centos.src.rpm
|
||||||
|
@ -1,31 +0,0 @@
|
|||||||
diff --git a/SPECS/shim.spec b/SPECS/shim.spec
|
|
||||||
index 6aa8346..a8945ab 100644
|
|
||||||
--- a/SPECS/shim.spec
|
|
||||||
+++ b/SPECS/shim.spec
|
|
||||||
@@ -1,6 +1,6 @@
|
|
||||||
Name: shim
|
|
||||||
Version: 0.9
|
|
||||||
-Release: 1.el7.centos
|
|
||||||
+Release: 1.el7%{?_tis_dist}.%{tis_patch_ver}
|
|
||||||
Summary: First-stage UEFI bootloader
|
|
||||||
|
|
||||||
License: BSD
|
|
||||||
@@ -10,8 +10,10 @@ Source1: centos.crt
|
|
||||||
# currently here's what's in our dbx: # nothing.
|
|
||||||
#Source2: dbx.esl
|
|
||||||
Source3: shim-find-debuginfo.sh
|
|
||||||
+Source4: tis-shim.crt
|
|
||||||
|
|
||||||
Patch0001: 0001-Typo-on-aarch64.patch
|
|
||||||
+Patch0002: 0001-Use-TiS-cert.patch
|
|
||||||
|
|
||||||
BuildRequires: git openssl-devel openssl
|
|
||||||
BuildRequires: pesign >= 0.106-1
|
|
||||||
@@ -81,6 +83,7 @@ git commit -a -q -m "%{version} baseline."
|
|
||||||
git am --ignore-whitespace %{patches} </dev/null
|
|
||||||
git config --unset user.email
|
|
||||||
git config --unset user.name
|
|
||||||
+cp %{SOURCE4} .
|
|
||||||
|
|
||||||
%build
|
|
||||||
MAKEFLAGS="VENDOR_CERT_FILE=%{SOURCE1}"
|
|
@ -1,12 +0,0 @@
|
|||||||
diff --git a/SPECS/shim.spec b/SPECS/shim.spec
|
|
||||||
index 901e861..b6a6d0e 100644
|
|
||||||
--- a/SPECS/shim.spec
|
|
||||||
+++ b/SPECS/shim.spec
|
|
||||||
@@ -14,6 +14,7 @@ Source4: tis-shim.crt
|
|
||||||
|
|
||||||
Patch0001: 0001-Typo-on-aarch64.patch
|
|
||||||
Patch0002: 0001-Use-TiS-cert.patch
|
|
||||||
+Patch0003: 0001-Objcopy-version.patch
|
|
||||||
|
|
||||||
BuildRequires: git openssl-devel openssl
|
|
||||||
BuildRequires: pesign >= 0.106-1
|
|
@ -0,0 +1,27 @@
|
|||||||
|
From fc1f1853e99c5afaae334b0c37296e34e9cf19fd Mon Sep 17 00:00:00 2001
|
||||||
|
From: root <root@yow-cgts4-lx.wrs.com>
|
||||||
|
Date: Mon, 15 Jan 2018 13:09:41 -0500
|
||||||
|
Subject: [PATCH 1/2] Ti version string
|
||||||
|
|
||||||
|
---
|
||||||
|
SPECS/shim.spec | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
mode change 100755 => 100644 SPECS/shim.spec
|
||||||
|
|
||||||
|
diff --git a/SPECS/shim.spec b/SPECS/shim.spec
|
||||||
|
old mode 100755
|
||||||
|
new mode 100644
|
||||||
|
index afd533b..de216b6
|
||||||
|
--- a/SPECS/shim.spec
|
||||||
|
+++ b/SPECS/shim.spec
|
||||||
|
@@ -1,6 +1,6 @@
|
||||||
|
Name: shim
|
||||||
|
Version: 12
|
||||||
|
-Release: 1%{?dist}
|
||||||
|
+Release: 1.el7%{?_tis_dist}.%{tis_patch_ver}
|
||||||
|
Summary: First-stage UEFI bootloader
|
||||||
|
|
||||||
|
License: BSD
|
||||||
|
--
|
||||||
|
1.8.3.1
|
||||||
|
|
@ -0,0 +1,45 @@
|
|||||||
|
From fb4da7f4d7d8e8565371ed236150de2e4bb47b95 Mon Sep 17 00:00:00 2001
|
||||||
|
From: root <root@yow-cgts4-lx.wrs.com>
|
||||||
|
Date: Mon, 15 Jan 2018 13:22:09 -0500
|
||||||
|
Subject: [PATCH 2/2] Add Ti certificate
|
||||||
|
|
||||||
|
---
|
||||||
|
SPECS/shim.spec | 5 +++++
|
||||||
|
1 file changed, 5 insertions(+)
|
||||||
|
mode change 100644 => 100755 SPECS/shim.spec
|
||||||
|
|
||||||
|
diff --git a/SPECS/shim.spec b/SPECS/shim.spec
|
||||||
|
old mode 100644
|
||||||
|
new mode 100755
|
||||||
|
index de216b6..83da6cd
|
||||||
|
--- a/SPECS/shim.spec
|
||||||
|
+++ b/SPECS/shim.spec
|
||||||
|
@@ -11,6 +11,9 @@ Source1: centos.crt
|
||||||
|
#Source2: dbx-x64.esl
|
||||||
|
#Source3: dbx-aa64.esl
|
||||||
|
Source4: shim-find-debuginfo.sh
|
||||||
|
+Source1000: tis-shim.crt
|
||||||
|
+
|
||||||
|
+Patch1000: 0001-Use-Titanium-certificate.patch
|
||||||
|
|
||||||
|
BuildRequires: git openssl-devel openssl
|
||||||
|
BuildRequires: pesign >= 0.106-1
|
||||||
|
@@ -101,6 +104,7 @@ git commit -a -q -m "%{version} baseline."
|
||||||
|
git am --ignore-whitespace %{patches} </dev/null
|
||||||
|
git config --unset user.email
|
||||||
|
git config --unset user.name
|
||||||
|
+cp %{SOURCE1000} .
|
||||||
|
|
||||||
|
%ifarch x86_64
|
||||||
|
cd ..
|
||||||
|
@@ -115,6 +119,7 @@ git commit -a -q -m "%{version} baseline."
|
||||||
|
git am --ignore-whitespace %{patches} </dev/null
|
||||||
|
git config --unset user.email
|
||||||
|
git config --unset user.name
|
||||||
|
+cp %{SOURCE1000} .
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%build
|
||||||
|
--
|
||||||
|
1.8.3.1
|
||||||
|
|
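Review bot: The patch header reads `From: root <root@yow-cgts4-lx.wrs.com>` and the patch flips SPECS/shim.spec to mode 100755; both look like by-products of generating it as root on a build host rather than intended changes. This patch adds what appears to be the certificate shim is built with (`Source1000: tis-shim.crt`), so its author should be traceable to a person. The same `From:` line appears in 0001-Ti-version-string.patch and in the regenerated Makefile patch, where it replaces `jmckenna <jason.mckenna@windriver.com>`. I would regenerate these with the real author identity, drop the mode change, and add a comment above the source line such as `# Certificate compiled into shim by 0001-Use-Titanium-certificate.patch`.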
@ -1,3 +1,2 @@
|
|||||||
0001-Embed-TiS-cert.patch
|
0001-Ti-version-string.patch
|
||||||
0001-Objcopy-version.patch
|
0002-Add-Ti-certificate.patch
|
||||||
spec.arch.patch
|
|
||||||
|
@ -1,12 +0,0 @@
|
|||||||
diff --git a/SPECS/shim.spec b/SPECS/shim.spec
|
|
||||||
index b6a6d0e..dcfb66e 100644
|
|
||||||
--- a/SPECS/shim.spec
|
|
||||||
+++ b/SPECS/shim.spec
|
|
||||||
@@ -65,7 +65,6 @@ Obsoletes: shim-debuginfo < 0.9
|
|
||||||
Summary: Debug information for package %{name}
|
|
||||||
Group: Development/Debug
|
|
||||||
AutoReqProv: 0
|
|
||||||
-BuildArch: noarch
|
|
||||||
|
|
||||||
%description -n shim-unsigned-%{efiarch}-debuginfo
|
|
||||||
This package provides debug information for package %{name}.
|
|
@ -1,19 +0,0 @@
|
|||||||
From 551015b9e0a7b226840ccb758d2fcbd4430d83d5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: jmckenna <jason.mckenna@windriver.com>
|
|
||||||
Date: Thu, 19 Jan 2017 15:05:16 -0500
|
|
||||||
Subject: [PATCH] Better parting of objcopy version
|
|
||||||
|
|
||||||
|
|
||||||
diff --git a/Makefile b/Makefile
|
|
||||||
index e8b291e..02388ac 100644
|
|
||||||
--- a/Makefile
|
|
||||||
+++ b/Makefile
|
|
||||||
@@ -9,7 +9,7 @@ LD = $(CROSS_COMPILE)ld
|
|
||||||
OBJCOPY = $(CROSS_COMPILE)objcopy
|
|
||||||
|
|
||||||
ARCH = $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,)
|
|
||||||
-OBJCOPY_GTE224 = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.* //g' | cut -f1-2 -d.` \>= 2.24)
|
|
||||||
+OBJCOPY_GTE224 = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.*version //g' | cut -f1-2 -d.` \>= 2.24)
|
|
||||||
|
|
||||||
SUBDIRS = Cryptlib lib
|
|
||||||
|
|
@ -1,16 +1,19 @@
|
|||||||
From 6a0a1ea93362b7f9f2f5242e847ae1e0ef15de04 Mon Sep 17 00:00:00 2001
|
From 057532ac6c77d20ae8d6ce0354e7ef67b1870eb6 Mon Sep 17 00:00:00 2001
|
||||||
From: jmckenna <jason.mckenna@windriver.com>
|
From: root <root@yow-cgts4-lx.wrs.com>
|
||||||
Date: Thu, 5 Jan 2017 08:54:32 -0500
|
Date: Mon, 15 Jan 2018 13:25:04 -0500
|
||||||
Subject: [PATCH] Use Titanium Cloud certificate
|
Subject: [PATCH] Use Titanium certificate
|
||||||
|
|
||||||
|
---
|
||||||
|
Makefile | 26 ++++++++++++++++++--------
|
||||||
|
1 file changed, 18 insertions(+), 8 deletions(-)
|
||||||
|
|
||||||
diff --git a/Makefile b/Makefile
|
diff --git a/Makefile b/Makefile
|
||||||
index 1181b8a..e8b291e 100644
|
index 6ece282..bb4f7f9 100644
|
||||||
--- a/Makefile
|
--- a/Makefile
|
||||||
+++ b/Makefile
|
+++ b/Makefile
|
||||||
@@ -34,6 +34,12 @@ CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
|
@@ -36,6 +36,12 @@ FBNAME = fallback
|
||||||
"-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
|
|
||||||
$(EFI_INCLUDES)
|
COMMITID ?= $(shell if [ -d .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo commit id not available; fi)
|
||||||
|
|
||||||
+# We compile a certificate into shim. Usually this is a one-time generated
|
+# We compile a certificate into shim. Usually this is a one-time generated
|
||||||
+# certificate (make-certs script) however we want to include a custom
|
+# certificate (make-certs script) however we want to include a custom
|
||||||
@ -21,16 +24,16 @@ index 1181b8a..e8b291e 100644
|
|||||||
ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
|
ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
|
||||||
CFLAGS += -DOVERRIDE_SECURITY_POLICY
|
CFLAGS += -DOVERRIDE_SECURITY_POLICY
|
||||||
endif
|
endif
|
||||||
@@ -67,7 +73,7 @@ LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsym
|
@@ -90,7 +96,7 @@ LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsym
|
||||||
|
|
||||||
TARGET = shim.efi MokManager.efi.signed fallback.efi.signed
|
TARGET = $(SHIMNAME).efi $(MMNAME).efi.signed $(FBNAME).efi.signed
|
||||||
OBJS = shim.o netboot.o cert.o replacements.o version.o
|
OBJS = shim.o netboot.o cert.o replacements.o tpm.o version.o
|
||||||
-KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
|
-KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
|
||||||
+KEYS = shim_cert.h ocsp.* ca.* $(INTERNAL_CERT).crt $(INTERNAL_CERT).csr $(INTERNAL_CERT).p12 $(INTERNAL_CERT).pem $(INTERNAL_CERT).key $(INTERNAL_CERT).cer
|
+KEYS = shim_cert.h ocsp.* ca.* $(INTERNAL_CERT).crt $(INTERNAL_CERT).csr $(INTERNAL_CERT).p12 $(INTERNAL_CERT).pem $(INTERNAL_CERT).key $(INTERNAL_CERT).cer
|
||||||
SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h version.c version.h
|
SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h tpm.c tpm.h version.c version.h
|
||||||
MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o
|
MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o
|
||||||
MOK_SOURCES = MokManager.c shim.h include/console.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h
|
MOK_SOURCES = MokManager.c shim.h include/console.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h
|
||||||
@@ -76,13 +82,17 @@ FALLBACK_SRCS = fallback.c
|
@@ -104,13 +110,17 @@ endif
|
||||||
|
|
||||||
all: $(TARGET)
|
all: $(TARGET)
|
||||||
|
|
||||||
@ -52,8 +55,8 @@ index 1181b8a..e8b291e 100644
|
|||||||
echo "static UINT8 shim_cert[] = {" > $@
|
echo "static UINT8 shim_cert[] = {" > $@
|
||||||
hexdump -v -e '1/1 "0x%02x, "' $< >> $@
|
hexdump -v -e '1/1 "0x%02x, "' $< >> $@
|
||||||
echo "};" >> $@
|
echo "};" >> $@
|
||||||
@@ -93,10 +103,10 @@ version.c : version.c.in
|
@@ -121,10 +131,10 @@ version.c : version.c.in
|
||||||
-e "s,@@COMMIT@@,$(shell if [ -d .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo commit id not available; fi)," \
|
-e "s,@@COMMIT@@,$(COMMITID)," \
|
||||||
< version.c.in > version.c
|
< version.c.in > version.c
|
||||||
|
|
||||||
-certdb/secmod.db: shim.crt
|
-certdb/secmod.db: shim.crt
|
||||||
@ -65,4 +68,7 @@ index 1181b8a..e8b291e 100644
|
|||||||
+ certutil -d certdb/ -A -i $(INTERNAL_CERT).crt -n shim -t u
|
+ certutil -d certdb/ -A -i $(INTERNAL_CERT).crt -n shim -t u
|
||||||
|
|
||||||
shim.o: $(SOURCES) shim_cert.h
|
shim.o: $(SOURCES) shim_cert.h
|
||||||
|
shim.o: $(wildcard *.h)
|
||||||
|
--
|
||||||
|
1.8.3.1
|
||||||
|
|
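Review bot: The comment added at `# We compile a certificate into shim.` says a custom certificate replaces the one-time generated one, but not what that means for the key. Presumably every shim built with this patch then trusts the same long-lived certificate, so the comment should state where its private key is held and how it would be rotated. `KEYS` still lists `$(INTERNAL_CERT).key`, `.p12` and `.pem`, which reads as if key material under that name could be present in the build directory. How `KEYS` is used is outside the visible hunks, so that is worth confirming. Suggested addition to the comment: `# The private key for $(INTERNAL_CERT).crt is not part of the build; custody and rotation: <link to signing procedure>`.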
@ -1 +1 @@
|
|||||||
mirror:Source/shim-0.9-1.el7.centos.src.rpm
|
mirror:Source/shim-12-1.el7.centos.src.rpm
|
||||||
|