File shim.spec of Package shim.7637
#
# spec file for package shim
#
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# needssslcertforbuild

%undefine _debuginfo_subpackages
%undefine _build_create_debug
Name:           shim
Version:        14
Release:        0
Summary:        UEFI shim loader
License:        BSD-2-Clause
Group:          System/Boot
Url:            https://github.com/rhboot/shim
Source:         https://github.com/rhboot/shim/releases/download/%{version}/%{name}-%{version}.tar.bz2
# run "extract_signature.sh shim.efi" where shim.efi is the binary
# with the signature from the UEFI signing service.
# Note: For signature requesting, check SIGNATURE_UPDATE.txt
Source1:        signature-opensuse.asc
Source2:        openSUSE-UEFI-CA-Certificate.crt
Source3:        shim-install
Source4:        SLES-UEFI-CA-Certificate.crt
Source5:        extract_signature.sh
Source6:        attach_signature.sh
Source7:        show_hash.sh
Source8:        show_signatures.sh
Source9:        openSUSE-UEFI-CA-Certificate-4096.crt
Source10:       timestamp.pl
Source11:       strip_signature.sh
Source12:       signature-sles.asc
Source99:       SIGNATURE_UPDATE.txt
# PATCH-FIX-SUSE shim-only-os-name.patch glin@suse.com -- Only include the OS name in version.c
Patch1:         shim-only-os-name.patch
# PATCH-FIX-SUSE shim-arch-independent-names.patch glin@suse.com -- Use the Arch-independent names
Patch2:         shim-arch-independent-names.patch
# PATCH-FIX-UPSTREAM shim-httpboot-include-console.h.patch glin@suse.com -- Include console.h in httpboot.c
Patch3:         shim-httpboot-include-console.h.patch
# PATCH-FIX-UPSTREAM shim-remove-cryptpem.patch glin@suse.com -- Replace the functions in CryptPem.c with the null function
Patch4:         shim-remove-cryptpem.patch
# PATCH-FIX-UPSTREAM shim-httpboot-amend-device-path.patch bsc#1065370 glin@suse.com -- Amend the device path matching rule for httpboot
Patch5:         shim-httpboot-amend-device-path.patch
# PATCH-FIX-UPSTREAM shim-bsc1088585-handle-mok-allocations-better.patch bsc#1088585 glin@suse.com -- Handle the mok parameter allocations better
Patch6:         shim-bsc1088585-handle-mok-allocations-better.patch
# PATCH-FIX-UPSTREAM shim-bsc1092000-fallback-menu.patch bsc#1092000 glin@suse.com -- Show a countdown menu before reset
Patch7:         shim-bsc1092000-fallback-menu.patch
# PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch glin@suse.com -- Change the default debug file path
Patch50:        shim-change-debug-file-path.patch
# PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
Patch100:       shim-opensuse-cert-prompt.patch
BuildRequires:  gnu-efi >= 3.0.3
BuildRequires:  mozilla-nss-tools
BuildRequires:  openssl >= 0.9.8
BuildRequires:  pesign
BuildRequires:  pesign-obs-integration
%if 0%{?suse_version} > 1320
BuildRequires:  update-bootloader-rpm-macros
%endif
%if 0%{?update_bootloader_requires:1}
%update_bootloader_requires
%else
Requires:       perl-Bootloader
%endif
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
# For shim-install script
Requires:       grub2-efi
# Disable AArch64 until we have the signature
ExclusiveArch:  x86_64

%description
shim is a trivial EFI application that, when run, attempts to open and
execute another application.

%package -n shim-debuginfo
Summary:        UEFI shim loader - debug symbols
Group:          Development/Debug

%description -n shim-debuginfo
The debug symbols of UEFI shim loader

%package -n shim-debugsource
Summary:        UEFI shim loader - debug source
Group:          Development/Debug

%description -n shim-debugsource
The source code of UEFI shim loader

%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch50 -p1
%if 0%{?is_opensuse} == 1
%patch100 -p1
%endif

%build
# first, build MokManager and fallback as they don't depend on a
# specific certificate
make EFI_PATH=/usr/lib64 RELEASE=0 \
     MMSTEM=MokManager FBSTEM=fallback \
     MokManager.efi.debug fallback.efi.debug \
     MokManager.efi fallback.efi

# now build variants of shim that embed different certificates
default=''
suffixes=(opensuse sles)
# check whether the project cert is a known one. If it is we build
# just one shim that embeds this specific cert. If it's a devel
# project we build all variants to simplify testing.
if test -e %{_sourcedir}/_projectcert.crt ; then
    prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash)
    prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash)
    opensusesubject=$(openssl x509 -in %{SOURCE2} -noout -subject_hash)
    slessubject=$(openssl x509 -in %{SOURCE4} -noout -subject_hash)
    if test "$prjissuer" = "$opensusesubject" ; then
        suffixes=(opensuse)
    elif test "$prjissuer" = "$slessubject" ; then
        suffixes=(sles)
    elif test "$prjsubject" = "$prjissuer" ; then
        suffixes=(devel opensuse sles)
    fi
fi

for suffix in "${suffixes[@]}"; do
    if test "$suffix" = "opensuse"; then
        cert=%{SOURCE2}
        cert2=%{SOURCE9}
        verify='openSUSE Secure Boot CA1'
        signature=%{SOURCE1}
    elif test "$suffix" = "sles"; then
        cert=%{SOURCE4}
        cert2=''
        verify='SUSE Linux Enterprise Secure Boot CA1'
        signature=%{SOURCE12}
    elif test "$suffix" = "devel"; then
        cert=%{_sourcedir}/_projectcert.crt
        cert2=''
        verify=`openssl x509 -in "$cert" -noout -email`
        signature=''
        test -e "$cert" || continue
    else
        echo "invalid suffix"
        false
    fi

    openssl x509 -in $cert -outform DER -out shim-$suffix.der
    rm -f shim_cert.h shim.cer shim.crt
    if [ -z "$cert2" ]; then
        # create empty local cert file, we don't need a local key pair as we
        # sign the mokmanager with our vendor key
        touch shim.crt
        touch shim.cer
    else
        cp $cert2 shim.crt
    fi
    # make sure cast warnings don't trigger post build check
    make EFI_PATH=/usr/lib64 RELEASE=0 SHIMSTEM=shim \
         VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \
         DEFAULT_LOADER="\\\\\\\\grub.efi" \
         shim.efi.debug shim.efi
    #
    # assert correct certificate embedded
    grep -q "$verify" shim.efi
    # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
    chmod 755 %{SOURCE10}
    # alternative: verify signature
    #sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi
    if test -n "$signature"; then
        head -1 "$signature" > hash1
        cp shim.efi shim.efi.bak
        # pe header contains timestamp and checksum. we need to
        # restore that
        %{SOURCE10} --set-from-file "$signature" shim.efi
        pesign -h -P -i shim.efi > hash2
        cat hash1 hash2
        if ! cmp -s hash1 hash2; then
            echo "ERROR: $suffix binary changed, need to request new signature!"
%if %{defined shim_enforce_ms_signature}
            false
%endif
            mv shim.efi.bak shim-$suffix.efi
            rm shim.efi
        else
            # attach signature
            pesign -m "$signature" -i shim.efi -o shim-$suffix.efi
            rm -f shim.efi
        fi
    else
        mv shim.efi shim-$suffix.efi
    fi
    mv shim.efi.debug shim-$suffix.debug
    rm -f shim.cer shim.crt
    # make sure cert.o gets rebuilt
    rm -f cert.o
done

ln -s shim-${suffixes[0]}.efi shim.efi
mv shim-${suffixes[0]}.debug shim.debug

# Collect the source for debugsource
mkdir ../source
find . \( -name "*.c" -o -name "*.h" \) -type f -exec cp --parents -a {} ../source/ \;
mv ../source .

%install
export BRP_PESIGN_FILES='%{_libdir}/efi/shim*.efi %{_libdir}/efi/MokManager.efi %{_libdir}/efi/fallback.efi'
install -d %{buildroot}/%{_libdir}/efi
cp -a shim*.efi %{buildroot}/%{_libdir}/efi
install -m 444 shim-*.der %{buildroot}/%{_libdir}/efi
install -m 644 MokManager.efi %{buildroot}/%{_libdir}/efi/MokManager.efi
install -m 644 fallback.efi %{buildroot}/%{_libdir}/efi/fallback.efi
install -d %{buildroot}/%{_sbindir}
install -m 755 %{SOURCE3} %{buildroot}/%{_sbindir}/
# install SUSE certificate
install -d %{buildroot}/%{_sysconfdir}/uefi/certs/
for file in shim-*.der; do
    fpr=$(openssl x509 -sha1 -fingerprint -inform DER -noout -in $file | cut -c 18- | cut -d ":" -f 1,2,3,4 | sed 's/://g')
    install -m 644 $file %{buildroot}/%{_sysconfdir}/uefi/certs/$fpr.crt
done
# install the debug symbols
install -d %{buildroot}/usr/lib/debug/%{_libdir}/efi
install -m 644 shim.debug %{buildroot}/usr/lib/debug/%{_libdir}/efi
install -m 644 MokManager.efi.debug %{buildroot}/usr/lib/debug/%{_libdir}/efi/MokManager.debug
install -m 644 fallback.efi.debug %{buildroot}/usr/lib/debug/%{_libdir}/efi/fallback.debug

# install the debug source
install -d %{buildroot}/usr/src/debug/%{name}-%{version}
cp -r source/* %{buildroot}/usr/src/debug/%{name}-%{version}

%clean
%{?buildroot:%__rm -rf "%{buildroot}"}

%post
%if 0%{?update_bootloader_check_type_reinit_post:1}
%update_bootloader_check_type_reinit_post grub2-efi
%else
/sbin/update-bootloader --reinit || true
%endif

%posttrans
%{?update_bootloader_posttrans}

%files
%defattr(-,root,root)
%doc COPYRIGHT
%dir %{_libdir}/efi
%{_libdir}/efi/shim.efi
%{_libdir}/efi/shim-*.efi
%{_libdir}/efi/shim-*.der
%{_libdir}/efi/MokManager.efi
%{_libdir}/efi/fallback.efi
%{_sbindir}/shim-install
%dir %{_sysconfdir}/uefi/
%dir %{_sysconfdir}/uefi/certs/
%{_sysconfdir}/uefi/certs/*.crt

%files -n shim-debuginfo
%defattr(-,root,root,-)
/usr/lib/debug/%{_libdir}/efi/shim.debug
/usr/lib/debug/%{_libdir}/efi/MokManager.debug
/usr/lib/debug/%{_libdir}/efi/fallback.debug

%files -n shim-debugsource
%defattr(-,root,root,-)
%dir /usr/src/debug/%{name}-%{version}
/usr/src/debug/%{name}-%{version}/*

%changelog