SUSE:SLE-15-SP4:Update
File shim-susesigned.spec of Package shim-susesigned
#
# spec file for package shim-susesigned
#
# Copyright (c) 2021 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
# needssslcertforbuild


%undefine _debuginfo_subpackages
%undefine _build_create_debug
%ifarch aarch64
%define grubplatform arm64-efi
%else
%define grubplatform %{_target_cpu}-efi
%endif
%if %{defined sle_version} && 0%{?sle_version} <= 150000
%define sysefidir /usr/lib64/efi
%else
%define sysefibasedir %{_datadir}/efi
%define sysefidir %{sysefibasedir}/%{_target_cpu}
%if "%{grubplatform}" == "x86_64-efi" && 0%{?suse_version} < 1600
# provide compatibility sym-link for residual kiwi, etc.
%define shim_lib64_share_compat 1
%endif
%endif

Name:           shim-susesigned
Version:        15.4
Release:        0
Summary:        UEFI shim loader
License:        BSD-2-Clause
Group:          System/Boot
URL:            https://github.com/rhboot/shim
Source:         shim-%{version}.tar.bz2
# run "extract_signature.sh shim.efi" where shim.efi is the binary
# with the signature from the UEFI signing service.
# Note: For signature requesting, check SIGNATURE_UPDATE.txt
Source1:        signature-opensuse.x86_64.asc
Source2:        openSUSE-UEFI-CA-Certificate.crt
Source3:        shim-install
Source4:        SLES-UEFI-CA-Certificate.crt
Source5:        extract_signature.sh
Source6:        attach_signature.sh
Source7:        show_hash.sh
Source8:        show_signatures.sh
Source9:        timestamp.pl
Source10:       strip_signature.sh
Source11:       signature-sles.x86_64.asc
Source12:       signature-opensuse.aarch64.asc
Source13:       signature-sles.aarch64.asc
Source50:       dbx-cert.tar.xz
# vendor-dbx*.bin are generated by generate-vendor-dbx.sh in dbx-cert.tar.xz
Source51:       vendor-dbx.bin
Source52:       vendor-dbx-sles.bin
Source53:       vendor-dbx-opensuse.bin
Source99:       SIGNATURE_UPDATE.txt
# PATCH-FIX-SUSE shim-arch-independent-names.patch glin@suse.com -- Use the Arch-independent names
Patch1:         shim-arch-independent-names.patch
# PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch glin@suse.com -- Change the default debug file path
Patch2:         shim-change-debug-file-path.patch
# PATCH-FIX-SUSE shim-bsc1177315-verify-eku-codesign.patch bsc#1177315 glin@suse.com -- Verify CodeSign in the signer's EKU
Patch3:         shim-bsc1177315-verify-eku-codesign.patch
# PATCH-FIX-UPSTREAM shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch bsc#1177789 glin@suse.com -- Fix the NULL pointer dereference in AuthenticodeVerify()
Patch4:         shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch
# PATCH-FIX-SUSE remove_build_id.patch -- Remove the build ID to make the binary reproducible when building with AArch64 container
Patch5:         remove_build_id.patch
# PATCH-FIX-UPSTREAM shim-bsc1184454-allocate-mok-config-table-BS.patch bsc#1184454 glin@suse.com -- Allocate MOK config table as BootServicesData to avoid the error message from linux kernel
Patch6:         shim-bsc1184454-allocate-mok-config-table-BS.patch
# PATCH-FIX-UPSTREAM shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch bsc#1184454 glin@suse.com -- Handle ignore_db and user_insecure_mode correctly
Patch7:         shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch
# PATCH-FIX-UPSTREAM shim-bsc1185621-relax-max-var-sz-check.patch bsc#1185621 glin@suse.com -- Relax the maximum variable size check for u-boot
Patch8:         shim-bsc1185621-relax-max-var-sz-check.patch
# PATCH-FIX-UPSTREAM shim-bsc1185261-relax-import_mok_state_check.patch bsc#1185261 glin@suse.com -- Relax the check for import_mok_state() when Secure Boot is off
Patch9:         shim-bsc1185261-relax-import_mok_state-check.patch
# PATCH-FIX-UPSTREAM shim-bsc1185232-relax-loadoptions-length-check.patch bsc#1185232 glin@suse.com -- Relax the check for the LoadOptions length
Patch10:        shim-bsc1185232-relax-loadoptions-length-check.patch
# PATCH-FIX-UPSTREAM shim-fix-aa64-relsz.patch glin@suse.com -- Fix the size of rela* sections for AArch64
Patch11:        shim-fix-aa64-relsz.patch
# PATCH-FIX-SUSE shim-disable-export-vendor-dbx.patch bsc#1185261 glin@suse.com -- Disable exporting vendor-dbx to MokListXRT
Patch12:        shim-disable-export-vendor-dbx.patch
# PATCH-FIX-UPSTREAM shim-bsc1187260-fix-efi-1.10-machines.patch bsc#1187260 glin@suse.com -- Don't call QueryVariableInfo() on EFI 1.10 machines
Patch13:        shim-bsc1187260-fix-efi-1.10-machines.patch
# PATCH-FIX-UPSTREAM shim-bsc1185232-fix-config-table-copying.patch bsc#1185232 glin@suse.com -- Avoid buffer overflow when copying the MOK config table
Patch14:        shim-bsc1185232-fix-config-table-copying.patch
# PATCH-FIX-UPSTREAM shim-bsc1187696-avoid-deleting-rt-variables.patch bsc#1187696 glin@suse.com -- Avoid deleting the mirrored RT variables
Patch15:        shim-bsc1187696-avoid-deleting-rt-variables.patch
BuildRequires:  dos2unix
BuildRequires:  mozilla-nss-tools
BuildRequires:  openssl >= 0.9.8
BuildRequires:  pesign
BuildRequires:  pesign-obs-integration
%if 0%{?suse_version} > 1320
BuildRequires:  update-bootloader-rpm-macros
%endif
%if 0%{?update_bootloader_requires:1}
%update_bootloader_requires
%else
Requires:       perl-Bootloader
%endif
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
# For shim-install script
Requires:       grub2-%{grubplatform}
# Exclusively build shim-susesigned for AArch64 (bsc#1185621)
ExclusiveArch:  aarch64
Conflicts:      shim

%description
shim is a trivial EFI application that, when run, attempts to open and
execute another application.

%prep
%setup -q -n shim-%{version}
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1

%build
# generate the vendor SBAT metadata
%if 0%{?is_opensuse} == 1 || 0%{?sle_version} == 0
distro_id="opensuse"
distro_name="The openSUSE project"
%else
distro_id="sle"
distro_name="SUSE Linux Enterprise"
%endif
distro_sbat=1
sbat="shim.${distro_id},${distro_sbat},${distro_name},%{name},%{version},mail:security-team@suse.de"
echo "${sbat}" > data/sbat.vendor.csv

# [SHIM ONLY] Skip MokManager.efi and fallback.efi
# first, build MokManager and fallback as they don't depend on a
# specific certificate
#make RELEASE=0 \
#     MMSTEM=MokManager FBSTEM=fallback \
#     MokManager.efi.debug fallback.efi.debug \
#     MokManager.efi fallback.efi

# now build variants of shim that embed different certificates
default=''
suffix="susesigned"
cert=%{SOURCE4}
verify='SUSE Linux Enterprise Secure Boot CA1'
vendor_dbx=%{SOURCE52}

openssl x509 -in $cert -outform DER -out shim-$suffix.der
make RELEASE=0 SHIMSTEM=shim \
     VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \
     DEFAULT_LOADER="\\\\\\\\grub.efi" \
     VENDOR_DBX_FILE=$vendor_dbx \
     shim.efi.debug shim.efi
#
# assert correct certificate embedded
grep -q "$verify" shim.efi
mv shim.efi shim-$suffix.efi

%install
export BRP_PESIGN_FILES='%{sysefidir}/shim*.efi'
install -d %{buildroot}/%{sysefidir}
cp -a shim*.efi %{buildroot}/%{sysefidir}
install -m 444 shim-*.der %{buildroot}/%{sysefidir}
install -d %{buildroot}/%{_sbindir}
# install SUSE certificate
install -d %{buildroot}/%{_sysconfdir}/uefi/certs/
for file in shim-*.der; do
    fpr=$(openssl x509 -sha1 -fingerprint -inform DER -noout -in $file | cut -c 18- | cut -d ":" -f 1,2,3,4 | sed 's/://g')
    install -m 644 $file %{buildroot}/%{_sysconfdir}/uefi/certs/${fpr}-shim.crt
done
%if %{defined shim_lib64_share_compat}
    [ "%{sysefidir}" != "/usr/lib64/efi" ] || exit 1
    # provide compatibility sym-link for residual "consumers"
    install -d %{buildroot}/usr/lib64/efi
    ln -srf %{buildroot}/%{sysefidir}/*.efi %{buildroot}/usr/lib64/efi/
%endif

%clean
%{?buildroot:%__rm -rf "%{buildroot}"}

%post
%if 0%{?update_bootloader_check_type_reinit_post:1}
%update_bootloader_check_type_reinit_post grub2-efi
%else
/sbin/update-bootloader --reinit || true
%endif

%if %{defined update_bootloader_posttrans}
%posttrans
%{?update_bootloader_posttrans}
%endif

%files
%defattr(-,root,root)
%doc COPYRIGHT
%dir %{?sysefibasedir}
%dir %{sysefidir}
%{sysefidir}/shim-*.efi
%{sysefidir}/shim-*.der
%dir %{_sysconfdir}/uefi/
%dir %{_sysconfdir}/uefi/certs/
%{_sysconfdir}/uefi/certs/*.crt
%if %{defined shim_lib64_share_compat}
# provide compatibility sym-link for previous kiwi, etc.
%dir /usr/lib64/efi
/usr/lib64/efi/*.efi
%endif

%changelog