File shim.spec of Package shim
334
1
#2
# spec file for package shim3
#4
# Copyright (c) 2021 SUSE LLC5
#6
# All modifications and additions to the file contributed by third parties7
# remain the property of their copyright owners, unless otherwise agreed8
# upon. The license for this file, and modifications and additions to the9
# file, is the same license as for the pristine package itself (unless the10
# license for the pristine package is not an Open Source License, in which11
# case the license is the MIT License). An "Open Source License" is a12
# license that conforms to the Open Source Definition (Version 1.9)13
# published by the Open Source Initiative.14
15
# Please submit bugfixes or comments via https://bugs.opensuse.org/16
#17
# needssslcertforbuild18
19
20
%undefine _debuginfo_subpackages21
%undefine _build_create_debug22
%ifarch aarch6423
%define grubplatform arm64-efi24
%else25
%define grubplatform %{_target_cpu}-efi26
%endif27
%if %{defined sle_version} && 0%{?sle_version} <= 15000028
%define sysefidir /usr/lib64/efi29
%else30
%define sysefibasedir %{_datadir}/efi31
%define sysefidir %{sysefibasedir}/%{_target_cpu}32
%if "%{grubplatform}" == "x86_64-efi" && 0%{?suse_version} < 160033
# provide compatibility sym-link for residual kiwi, etc.34
%define shim_lib64_share_compat 135
%endif36
%endif37
38
Name: shim39
Version: 15.440
Release: 041
Summary: UEFI shim loader42
License: BSD-2-Clause43
Group: System/Boot44
URL: https://github.com/rhboot/shim45
Source: %{name}-%{version}.tar.bz246
# run "extract_signature.sh shim.efi" where shim.efi is the binary47
# with the signature from the UEFI signing service.48
# Note: For signature requesting, check SIGNATURE_UPDATE.txt49
Source1: signature-opensuse.x86_64.asc50
Source2: openSUSE-UEFI-CA-Certificate.crt51
Source3: shim-install52
Source4: SLES-UEFI-CA-Certificate.crt53
Source5: extract_signature.sh54
Source6: attach_signature.sh55
Source7: show_hash.sh56
Source8: show_signatures.sh57
Source9: timestamp.pl58
Source10: strip_signature.sh59
Source11: signature-sles.x86_64.asc60
Source12: signature-opensuse.aarch64.asc61
Source13: signature-sles.aarch64.asc62
Source50: dbx-cert.tar.xz63
# vendor-dbx.bin is generated by generate-vendor-dbx.sh in dbx-cert.tar.xz64
Source51: vendor-dbx.bin65
Source99: SIGNATURE_UPDATE.txt66
# PATCH-FIX-SUSE shim-arch-independent-names.patch glin@suse.com -- Use the Arch-independent names67
Patch1: shim-arch-independent-names.patch68
# PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch glin@suse.com -- Change the default debug file path69
Patch2: shim-change-debug-file-path.patch70
# PATCH-FIX-SUSE shim-bsc1177315-verify-eku-codesign.patch bsc#1177315 glin@suse.com -- Verify CodeSign in the signer's EKU71
Patch3: shim-bsc1177315-verify-eku-codesign.patch72
# PATCH-FIX-UPSTREAM shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch bsc#1177789 glin@suse.com -- Fix the NULL pointer dereference in AuthenticodeVerify()73
Patch4: shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch74
# PATCH-FIX-SUSE remove_build_id.patch -- Remove the build ID to make the binary reproducible when building with AArch64 container75
Patch5: remove_build_id.patch76
# PATCH-FIX-UPSTREAM shim-bsc1184454-allocate-mok-config-table-BS.patch bsc#1184454 glin@suse.com -- Allocate MOK config table as BootServicesData to avoid the error message from linux kernel77
Patch6: shim-bsc1184454-allocate-mok-config-table-BS.patch78
BuildRequires: dos2unix79
BuildRequires: mozilla-nss-tools80
BuildRequires: openssl >= 0.9.881
BuildRequires: pesign82
BuildRequires: pesign-obs-integration83
%ifarch aarch6484
# Pull in shim-susesigned for bsc#118562185
BuildRequires: shim-susesigned86
%endif87
%if 0%{?suse_version} > 132088
BuildRequires: update-bootloader-rpm-macros89
%endif90
%if 0%{?update_bootloader_requires:1}91
%update_bootloader_requires92
%else93
Requires: perl-Bootloader94
%endif95
BuildRoot: %{_tmppath}/%{name}-%{version}-build96
# For shim-install script97
Requires: grub2-%{grubplatform}98
ExclusiveArch: x86_64 aarch6499
100
%description101
shim is a trivial EFI application that, when run, attempts to open and102
execute another application.103
104
%package -n shim-debuginfo105
Summary: UEFI shim loader - debug symbols106
Group: Development/Debug107
108
%description -n shim-debuginfo109
The debug symbols of UEFI shim loader110
111
%package -n shim-debugsource112
Summary: UEFI shim loader - debug source113
Group: Development/Debug114
115
%description -n shim-debugsource116
The source code of UEFI shim loader117
118
119
%prep120
%setup -q121
%patch1 -p1122
%patch2 -p1123
%patch3 -p1124
%patch4 -p1125
%patch5 -p1126
%patch6 -p1127
128
%build129
# generate the vendor SBAT metadata130
%if 0%{?is_opensuse} == 1 || 0%{?sle_version} == 0131
distro_id="opensuse"132
distro_name="The openSUSE project"133
%else134
distro_id="sle"135
distro_name="SUSE Linux Enterprise"136
%endif137
distro_sbat=1138
sbat="shim.${distro_id},${distro_sbat},${distro_name},%{name},%{version},mail:security-team@suse.de"139
echo "${sbat}" > data/sbat.vendor.csv140
141
# first, build MokManager and fallback as they don't depend on a142
# specific certificate143
make RELEASE=0 \144
MMSTEM=MokManager FBSTEM=fallback \145
MokManager.efi.debug fallback.efi.debug \146
MokManager.efi fallback.efi147
148
# now build variants of shim that embed different certificates149
default=''150
suffixes=(opensuse sles)151
# check whether the project cert is a known one. If it is we build152
# just one shim that embeds this specific cert. If it's a devel153
# project we build all variants to simplify testing.154
if test -e %{_sourcedir}/_projectcert.crt ; then155
prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash)156
prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash)157
opensusesubject=$(openssl x509 -in %{SOURCE2} -noout -subject_hash)158
slessubject=$(openssl x509 -in %{SOURCE4} -noout -subject_hash)159
if test "$prjissuer" = "$opensusesubject" ; then 160
suffixes=(opensuse)161
elif test "$prjissuer" = "$slessubject" ; then162
suffixes=(sles)163
elif test "$prjsubject" = "$prjissuer" ; then164
suffixes=(devel opensuse sles)165
fi166
fi167
168
for suffix in "${suffixes[@]}"; do169
if test "$suffix" = "opensuse"; then170
cert=%{SOURCE2}171
verify='openSUSE Secure Boot CA1'172
%ifarch x86_64173
signature=%{SOURCE1}174
%else175
# AArch64 signature176
# Disable AArch64 signature attachment temporarily177
# until we get a real one.178
#signature=%{SOURCE12}179
%endif180
elif test "$suffix" = "sles"; then181
cert=%{SOURCE4}182
verify='SUSE Linux Enterprise Secure Boot CA1'183
%ifarch x86_64184
signature=%{SOURCE11}185
%else186
# AArch64 signature187
signature=%{SOURCE13}188
%endif189
elif test "$suffix" = "devel"; then190
cert=%{_sourcedir}/_projectcert.crt191
verify=`openssl x509 -in "$cert" -noout -email`192
signature=''193
test -e "$cert" || continue194
else195
echo "invalid suffix"196
false197
fi198
199
openssl x509 -in $cert -outform DER -out shim-$suffix.der200
make RELEASE=0 SHIMSTEM=shim \201
VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \202
DEFAULT_LOADER="\\\\\\\\grub.efi" \203
VENDOR_DBX_FILE=%{SOURCE51} \204
shim.efi.debug shim.efi205
#206
# assert correct certificate embedded207
grep -q "$verify" shim.efi208
# make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx209
chmod 755 %{SOURCE9}210
# alternative: verify signature211
#sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi212
if test -n "$signature"; then213
head -1 "$signature" > hash1214
cp shim.efi shim.efi.bak215
# pe header contains timestamp and checksum. we need to216
# restore that217
%{SOURCE9} --set-from-file "$signature" shim.efi218
pesign -h -P -i shim.efi > hash2219
cat hash1 hash2220
if ! cmp -s hash1 hash2; then221
echo "ERROR: $suffix binary changed, need to request new signature!"222
%if %{defined shim_enforce_ms_signature} && 0%{?shim_enforce_ms_signature} > 0223
false224
%endif225
mv shim.efi.bak shim-$suffix.efi226
rm shim.efi227
else228
# attach signature229
pesign -m "$signature" -i shim.efi -o shim-$suffix.efi230
rm -f shim.efi231
fi232
else233
mv shim.efi shim-$suffix.efi234
fi235
mv shim.efi.debug shim-$suffix.debug236
# remove the build cert if exists237
rm -f shim_cert.h shim.cer shim.crt238
# make sure all object files gets rebuilt239
rm -f *.o240
done241
242
ln -s shim-${suffixes[0]}.efi shim.efi243
mv shim-${suffixes[0]}.debug shim.debug244
245
# Collect the source for debugsource246
mkdir ../source247
find . \( -name "*.c" -o -name "*.h" \) -type f -exec cp --parents -a {} ../source/ \;248
mv ../source .249
250
%install251
export BRP_PESIGN_FILES='%{sysefidir}/shim*.efi %{sysefidir}/MokManager.efi %{sysefidir}/fallback.efi'252
install -d %{buildroot}/%{sysefidir}253
cp -a shim*.efi %{buildroot}/%{sysefidir}254
install -m 444 shim-*.der %{buildroot}/%{sysefidir}255
install -m 644 MokManager.efi %{buildroot}/%{sysefidir}/MokManager.efi256
install -m 644 fallback.efi %{buildroot}/%{sysefidir}/fallback.efi257
install -d %{buildroot}/%{_sbindir}258
install -m 755 %{SOURCE3} %{buildroot}/%{_sbindir}/259
# install SUSE certificate260
install -d %{buildroot}/%{_sysconfdir}/uefi/certs/261
for file in shim-*.der; do262
fpr=$(openssl x509 -sha1 -fingerprint -inform DER -noout -in $file | cut -c 18- | cut -d ":" -f 1,2,3,4 | sed 's/://g')263
install -m 644 $file %{buildroot}/%{_sysconfdir}/uefi/certs/${fpr}-shim.crt264
done265
%if %{defined shim_lib64_share_compat}266
[ "%{sysefidir}" != "/usr/lib64/efi" ] || exit 1267
# provide compatibility sym-link for residual "consumers"268
install -d %{buildroot}/usr/lib64/efi269
ln -srf %{buildroot}/%{sysefidir}/*.efi %{buildroot}/usr/lib64/efi/270
%endif271
272
# install the debug symbols273
install -d %{buildroot}/usr/lib/debug/%{sysefidir}274
install -m 644 shim.debug %{buildroot}/usr/lib/debug/%{sysefidir}275
install -m 644 MokManager.efi.debug %{buildroot}/usr/lib/debug/%{sysefidir}/MokManager.debug276
install -m 644 fallback.efi.debug %{buildroot}/usr/lib/debug/%{sysefidir}/fallback.debug277
278
# install the debug source279
install -d %{buildroot}/usr/src/debug/%{name}-%{version}280
cp -r source/* %{buildroot}/usr/src/debug/%{name}-%{version}281
282
%ifarch aarch64283
# install suse-signed shim (bsc#1185621) 284
install -m 444 %{sysefidir}/shim-susesigned.* %{buildroot}/%{sysefidir}285
%endif286
287
%clean288
%{?buildroot:%__rm -rf "%{buildroot}"}289
290
%post291
%if 0%{?update_bootloader_check_type_reinit_post:1} 292
%update_bootloader_check_type_reinit_post grub2-efi293
%else294
/sbin/update-bootloader --reinit || true295
%endif296
297
%if %{defined update_bootloader_posttrans}298
%posttrans299
%{?update_bootloader_posttrans}300
%endif301
302
%files303
%defattr(-,root,root)304
%doc COPYRIGHT305
%dir %{?sysefibasedir}306
%dir %{sysefidir}307
%{sysefidir}/shim.efi308
%{sysefidir}/shim-*.efi309
%{sysefidir}/shim-*.der310
%{sysefidir}/MokManager.efi311
%{sysefidir}/fallback.efi312
%{_sbindir}/shim-install313
%dir %{_sysconfdir}/uefi/314
%dir %{_sysconfdir}/uefi/certs/315
%{_sysconfdir}/uefi/certs/*.crt316
%if %{defined shim_lib64_share_compat}317
# provide compatibility sym-link for previous kiwi, etc.318
%dir /usr/lib64/efi319
/usr/lib64/efi/*.efi320
%endif321
322
%files -n shim-debuginfo323
%defattr(-,root,root,-)324
/usr/lib/debug%{sysefidir}/shim.debug325
/usr/lib/debug%{sysefidir}/MokManager.debug326
/usr/lib/debug%{sysefidir}/fallback.debug327
328
%files -n shim-debugsource329
%defattr(-,root,root,-)330
%dir /usr/src/debug/%{name}-%{version}331
/usr/src/debug/%{name}-%{version}/*332
333
%changelog334