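# RPM spec for the unsigned shim first-stage UEFI bootloader (x64 plus an
# ia32 alternate build).  It builds the EFI binaries and ships them as data
# files under the datadir-based shim directory together with debuginfo and
# debugsource subpackages.  Per the changelog, real signing happens in the
# separate shim-signed package, not here.

# Minimum versions of the build tools and the bundled OpenSSL version.
%global pesign_vre 0.106-1
%global gnuefi_vre 1:3.0.5-6
%global openssl_vre 1.0.2j

# Debuginfo is generated by the package's own script (Source100) instead of
# the stock machinery; the debuginfo subpackages are noarch yet hold
# binaries, so the binaries-in-noarch check is switched off.
%global debug_package %{nil}
%global __debug_package 1
%global _binaries_in_noarch_packages_terminate_build 0
%global __debug_install_post %{SOURCE100} x64 ia32
%undefine _debuginfo_subpackages

# NOTE(review): eval re-parses text taken from /etc/os-release as shell code
# every time this spec is parsed (it appears to be used only to strip
# optional quotes around the ID value).  The result also ends up on the make
# command line as EFIDIR.  Build only on hosts where that file is trusted, or
# replace the eval with a plain quote-stripping sed expression.
%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
%global efiarch x64
%global efialtarch ia32
%global shimdir %{_datadir}/%{name}/%{version}-%{release}/%{efiarch}
%global shimaltdir %{_datadir}/%{name}/%{version}-%{release}/%{efialtarch}

Name:           shim-unsigned-%{efiarch}
# NOTE(review): the newest changelog entry at the bottom of this file is for
# 0.9-2, which does not match the Version and Release given here; add an
# entry describing this build.
Version:        12
Release:        2%{?dist}
Summary:        First-stage UEFI bootloader
ExclusiveArch:  x86_64
License:        BSD
URL:            https://github.com/rhboot/shim
# NOTE(review): nothing in this spec pins a digest for the release tarball;
# confirm it is verified out of band (for example a checksum kept alongside
# the spec) before it is built into a boot-chain component.
Source0:        https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
# Vendor certificate handed to the shim build as VENDOR_CERT_FILE.
Source1:        fedora-ca.cer
# currently here's what's in our dbx:
# grub2-efi-2.00-11.fc18.x86_64:
# grubx64.efi 6ac839881e73504047c06a1aac0c4763408ecb3642783c8acf77a2d393ea5cd7
# gcdx64.efi 065cd63bab696ad2f4732af9634d66f2c0d48f8a3134b8808750d378550be151
# grub2-efi-2.00-11.fc19.x86_64:
# grubx64.efi 49ece9a10a9403b32c8e0c892fd9afe24a974323c96f2cc3dd63608754bf9b45
# gcdx64.efi 99fcaa957786c155a92b40be9c981c4e4685b8c62b408cb0f6cb2df9c30b9978
# woops.
# Keep the list above in sync with dbx.esl whenever that file changes; it is
# the only human-readable record of what the binary list contains.
Source2:        dbx.esl
Source100:      shim-find-debuginfo.sh

BuildRequires:  elfutils-libelf-devel
BuildRequires:  git openssl-devel openssl
BuildRequires:  pesign >= %{pesign_vre}
BuildRequires:  gnu-efi >= %{gnuefi_vre}
BuildRequires:  gnu-efi-devel >= %{gnuefi_vre}

# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
# compatible with SysV (there's no red zone under UEFI) and there isn't a
# POSIX-style C library.
# BuildRequires:        OpenSSL
# Because the copy is bundled, fixes to the system OpenSSL do not reach shim;
# the version declared here is what vulnerability tracking has to follow.
Provides:       bundled(openssl) = %{openssl_vre}
Obsoletes:      shim-unsigned < %{version}-%{release}

%global desc \
Initial UEFI bootloader that handles chaining to a trusted full \
bootloader under secure boot environments.
%global debug_desc \
This package provides debug information for package %{expand:%%{name}} \
Debug information is useful when developing applications that \
use this package or when debugging this package.

%description
%desc

%package -n shim-unsigned-%{efialtarch}
Summary:        First-stage UEFI bootloader (unsigned data)
Provides:       bundled(openssl) = %{openssl_vre}

%description -n shim-unsigned-%{efialtarch}
%desc

%package -n shim-unsigned-%{efiarch}-debuginfo
Obsoletes:      shim-debuginfo < %{version}-%{release}
Provides:       shim-debuginfo = %{version}-%{release}
Summary:        Debug information for shim-unsigned-%{efiarch}
Group:          Development/Debug
AutoReqProv:    0
BuildArch:      noarch

%description -n shim-unsigned-%{efiarch}-debuginfo
%debug_desc

%package -n shim-unsigned-%{efialtarch}-debuginfo
Summary:        Debug information for shim-unsigned-%{efialtarch}
Group:          Development/Debug
AutoReqProv:    0
BuildArch:      noarch

%description -n shim-unsigned-%{efialtarch}-debuginfo
%debug_desc

%package -n shim-unsigned-debugsource
Summary:        Debug Source for shim-unsigned
Group:          Development/Debug
AutoReqProv:    0
BuildArch:      noarch

%description -n shim-unsigned-debugsource
%debug_desc

%prep
%autosetup -S git -n shim-%{version}
# Drop the git identity from the unpacked tree's config; each architecture
# then gets its own out-of-tree build directory.
git config --unset user.email
git config --unset user.name
mkdir build-%{efiarch}
%if 0%{?efialtarch:1}
mkdir build-%{efialtarch}
%endif

%build
cd build-%{efiarch}
# The commit id is read from a file named commit in the source tree root.
COMMITID=$(cat ../commit)
# MAKEFLAGS is used here as an ordinary shell variable holding extra make
# arguments; it is expanded unquoted below on purpose so that it splits into
# separate words.  A source path containing whitespace would therefore break
# the command line.
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=%{name} RELEASE=%{release} "
# NOTE(review): both switches are interpreted by the shim Makefile, which is
# not visible here; confirm that HTTP boot support is wanted in this build.
MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
# The vendor certificate and the dbx list are passed only when the files
# exist.  A missing file used to be skipped silently; it is now reported in
# the build log, because a shim built without them is a different trust
# configuration from the one this spec describes.
if [ -f "%{SOURCE1}" ]; then
    MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
else
    echo "warning: Source1 (vendor certificate) not found; building without VENDOR_CERT_FILE" >&2
fi
if [ -f "%{SOURCE2}" ]; then
    MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
else
    echo "warning: Source2 (dbx.esl) not found; building without VENDOR_DBX_FILE" >&2
fi
# The backslashes are literal to the shell because of the single quotes;
# presumably later stages reduce them to a single path separator (confirm
# against the shim Makefile).
make ${MAKEFLAGS} DEFAULT_LOADER='\\\\grub%{efiarch}.efi' all
cd ..

%if 0%{?efialtarch:1}
cd build-%{efialtarch}
# MAKEFLAGS is reused unchanged from the x64 build above.
setarch linux32 -B make ${MAKEFLAGS} ARCH=%{efialtarch} DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' all
cd ..
%endif

%install
cd build-%{efiarch}
# The same make arguments as in the build section are assembled again here;
# keep the two copies identical so the install step does not see a different
# configuration from the one that was compiled.
COMMITID=$(cat ../commit)
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=%{name} RELEASE=%{release} "
MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
if [ -f "%{SOURCE1}" ]; then
    MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
else
    echo "warning: Source1 (vendor certificate) not found; installing without VENDOR_CERT_FILE" >&2
fi
if [ -f "%{SOURCE2}" ]; then
    MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
else
    echo "warning: Source2 (dbx.esl) not found; installing without VENDOR_DBX_FILE" >&2
fi
make ${MAKEFLAGS} \
    DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \
    DESTDIR=${RPM_BUILD_ROOT} \
    install-as-data install-debuginfo install-debugsource
cd ..

%if 0%{?efialtarch:1}
cd build-%{efialtarch}
# NOTE(review): the build section runs this under setarch linux32 -B while
# the install step omits -B; confirm the difference is intentional.
setarch linux32 make ${MAKEFLAGS} ARCH=%{efialtarch} \
    DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
    DESTDIR=${RPM_BUILD_ROOT} \
    install-as-data install-debuginfo install-debugsource
cd ..
%endif

%files -n shim-unsigned-%{efiarch}
%license COPYRIGHT
%dir %{shimdir}
%{shimdir}/*.efi
%{shimdir}/*.hash

%files -n shim-unsigned-%{efiarch}-debuginfo -f build-%{efiarch}/debugfiles.list
%defattr(-,root,root)

%files -n shim-unsigned-debugsource -f build-%{efiarch}/debugsource.list
%defattr(-,root,root)

%if 0%{?efialtarch:1}
%files -n shim-unsigned-%{efialtarch}
%license COPYRIGHT
%dir %{shimaltdir}
%{shimaltdir}/*.efi
%{shimaltdir}/*.hash

%files -n shim-unsigned-%{efialtarch}-debuginfo -f build-%{efialtarch}/debugfiles.list
%defattr(-,root,root)
%endif

%changelog
* Tue Jun 13 2017 Peter Jones - 0.9-2
- do the ia32 thing here.

* Fri Apr 28 2017 Petr Šabata - 0.9-1
- Updating to 0.9 to enable building with gcc7
- Mostly mirroring the key shim-unsigned-aarch64 0.9 changes

* Wed Dec 03 2014 Peter Jones - 0.8-2
- Fix bootloader path and whitelist certificates on ARM Aarch64.
  Resolves: rhbz#1170289

* Tue Oct 14 2014 Peter Jones - 0.8-1
- Update to 0.8
  Related: rhbz#1148230
  Related: rhbz#1148231
  Related: rhbz#1148232

* Wed Nov 06 2013 Peter Jones - 0.7-1
- Fix logic to handle SetupMode efi variable.

* Thu Oct 31 2013 Peter Jones - 0.6-1
- Fix a FreePool(NULL) call on machines too old for SB

* Fri Oct 04 2013 Peter Jones - 0.5-1
- Update to 0.5

* Tue Jun 11 2013 Peter Jones - 0.4-1
- Update to 0.4

* Fri Jun 07 2013 Peter Jones - 0.3-2
- Require gnu-efi-3.0q for now.
- Don't allow mmx or sse during compilation.
- Re-organize this so all real signing happens in shim-signed instead.
- Split out mokutil

* Wed Dec 12 2012 Peter Jones - 0.2-3
- Fix mokutil's idea of signature sizes.

* Wed Nov 28 2012 Matthew Garrett - 0.2-2
- Fix secure_mode() always returning true

* Mon Nov 26 2012 Matthew Garrett - 0.2-1
- Update shim
- Include mokutil
- Add debuginfo package since mokutil is a userspace executable

* Mon Oct 22 2012 Peter Jones - 0.1-4
- Produce an unsigned shim

* Tue Aug 14 2012 Peter Jones - 0.1-3
- Update how embedded cert and signing work.

* Mon Aug 13 2012 Josh Boyer - 0.1-2
- Add patch to fix image size calculation

* Mon Aug 13 2012 Matthew Garrett - 0.1-1
- initial release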