diff --git a/SPECS/shim-signed.spec b/SPECS/shim-signed.spec old mode 100644 new mode 100755 index 9cfcb2f..f6ce87e --- a/SPECS/shim-signed.spec +++ b/SPECS/shim-signed.spec @@ -2,18 +2,20 @@ Name: shim-signed Version: 15 Release: 1%{?_tis_dist}.%{tis_patch_ver} Summary: First-stage UEFI bootloader -%define unsigned_release 1%{?dist} License: BSD URL: https://github.com/rhboot/shim/ # incorporate mokutil for packaging simplicity %global mokutil_version 0.3.0 +%global srcbasename shimx64 +%global srcbasenameia32 shimia32 + Source0: https://github.com/lcp/mokutil/archive/mokutil-%{mokutil_version}.tar.gz Source1: centossecureboot001.crt Source2: centos-ca-secureboot.der %define pesign_name centossecureboot001 -Source10: shimx64.efi -Source11: shimia32.efi +Source10: %{srcbasename}.efi +Source11: %{srcbasenameia32}.efi Source12: shimaa64.efi Source20: BOOTX64.CSV Source21: BOOTIA32.CSV @@ -52,11 +54,17 @@ BuildRequires: git BuildRequires: openssl-devel openssl BuildRequires: pesign >= 0.106-5%{dist} BuildRequires: efivar-devel -BuildRequires: shim-unsigned-%{efiarchlc} = %{version}-%{unsigned_release} +BuildRequires: shim-unsigned-%{efiarchlc} %ifarch x86_64 -BuildRequires: shim-unsigned-ia32 = %{version}-%{unsigned_release} +BuildRequires: shim-unsigned-ia32 %endif +# Rather than hardcode a release, we get the release from the installed shim-unsigned package +%define unsigned_release %(rpm -q shim-unsigned-x64 --info | grep Release | awk '{print $3}') +%define unsigned_dir "%{_datadir}/shim/%{efiarchlc}-%{version}-%{unsigned_release}/" +%define unsigned_release_ia32 %(rpm -q shim-unsigned-ia32 --info | grep Release | awk '{print $3}') +%define unsigned_dir_ia32 "%{_datadir}/shim/ia32-%{version}-%{unsigned_release_ia32}/" + # for mokutil's configure BuildRequires: autoconf automake @@ -148,39 +156,34 @@ cd .. %define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}} %ifarch %{ca_signed_arches} -pesign -i %{shimsrc} -h -P > shim%{efiarchlc}.hash -if ! cmp shim%{efiarchlc}.hash %{unsigned_dir}shim%{efiarchlc}.hash ; then - echo Invalid signature\! > /dev/stderr - echo saved hash is $(cat %{unsigned_dir}shim%{efiarchlc}.hash) > /dev/stderr - echo shim%{efiarchlc}.efi hash is $(cat shim%{efiarchlc}.hash) > /dev/stderr - exit 1 + +# if we already have a presigned EFI image, then do not do signing -- just +# use the presigned one. +if [ -e %{unsigned_dir}%{srcbasename}-presigned.efi ]; then + cp %{unsigned_dir}%{srcbasename}-presigned.efi %{srcbasename}.efi + cp %{unsigned_dir}%{srcbasename}-presigned.efi shim%{efiarchlc}.efi +else + cp %{shimsrc} shim%{efiarchlc}.efi fi -cp %{shimsrc} shim%{efiarchlc}.efi %ifarch x86_64 -pesign -i %{shimsrcia32} -h -P > shimia32.hash -if ! cmp shimia32.hash %{unsigned_dir_ia32}shimia32.hash ; then - echo Invalid signature\! > /dev/stderr - echo saved hash is $(cat %{unsigned_dir_ia32}shimia32.hash) > /dev/stderr - echo shimia32.efi hash is $(cat shimia32.hash) > /dev/stderr - exit 1 +if [ -e %{unsigned_dir_ia32}%{srcbasenameia32}-presigned.efi ]; then + cp %{unsigned_dir_ia32}%{srcbasenameia32}-presigned.efi %{srcbasenameia32}.efi +else + cp %{shimsrcia32} %{srcbasenameia32}.efi fi -cp %{shimsrcia32} shimia32.efi -%endif -%endif -%ifarch %{rh_signed_arches} -%pesign -s -i %{unsigned_dir}shim%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} -o shim%{efiarchlc}-%{efidir}.efi -%ifarch x86_64 -%pesign -s -i %{unsigned_dir_ia32}shimia32.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} -o shimia32-%{efidir}.efi -%endif -%endif -%ifarch %{rh_signed_arches} -%ifnarch %{ca_signed_arches} -cp shim%{efiarchlc}-%{efidir}.efi shim%{efiarchlc}.efi %endif %endif -%pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} -%pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} +if [ -e %{unsigned_dir}mm%{efiarchlc}-presigned.efi ]; then + cp %{unsigned_dir}mm%{efiarchlc}-presigned.efi mm%{efiarchlc}.efi +else + %pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} +fi +if [ -e %{unsigned_dir}fb%{efiarchlc}-presigned.efi ]; then + cp %{unsigned_dir}fb%{efiarchlc}-presigned.efi fb%{efiarchlc}.efi +else + %pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} +fi %ifarch x86_64 %pesign -s -i %{unsigned_dir_ia32}mmia32.efi -o mmia32.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} @@ -196,7 +199,7 @@ make %{?_smp_mflags} rm -rf $RPM_BUILD_ROOT install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/ install -m 0700 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi -install -m 0700 shim%{efiarchlc}-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi +#install -m 0700 shim%{efiarchlc}-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi install -m 0700 mm%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi install -m 0700 mm%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/MokManager.efi install -m 0700 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV @@ -218,7 +221,7 @@ install -m 0700 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi -install -m 0700 shimia32-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi +#install -m 0700 shimia32-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi install -m 0700 mmia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mmia32.efi install -m 0700 %{bootsrcia32} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOTIA32.CSV @@ -232,7 +235,7 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install %files -n shim-%{efiarchlc} %defattr(0700,root,root,-) /boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi -/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi +#/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi /boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi /boot/efi/EFI/%{efidir}/MokManager.efi /boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV @@ -247,7 +250,7 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install %files -n shim-ia32 %defattr(0700,root,root,-) /boot/efi/EFI/%{efidir}/shimia32.efi -/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi +#/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi /boot/efi/EFI/%{efidir}/mmia32.efi /boot/efi/EFI/%{efidir}/BOOTIA32.CSV /boot/efi/EFI/BOOT/BOOTIA32.EFI -- 1.8.3.1