From e8566efa702a88c1efe15daaf52b3a00446f1d8c Mon Sep 17 00:00:00 2001 From: Don Penney Date: Thu, 6 May 2021 13:42:27 -0400 Subject: [PATCH] Support pxeboot secure boot In order to support secure boot with pxeboot, we need to package the shim.efi file in /pxeboot/EFI, accessible to tftp for the UEFI install. As well, please note that while /boot/efi/EFI/centos/shim.efi and other files provided by the shim-x64 package are only accessible to root, the file under /pxeboot must have broader permissions so that the dnsmasq-tftp daemon is able to serve it to the requesting host. Therefore, its file permissions are set to be readable to all. Signed-off-by: Don Penney --- SPECS/shim-signed.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/SPECS/shim-signed.spec b/SPECS/shim-signed.spec index 20cdc80..978818a 100755 --- a/SPECS/shim-signed.spec +++ b/SPECS/shim-signed.spec @@ -227,6 +227,9 @@ install -m 0700 %{bootsrcia32} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOTIA32.C install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOTIA32.EFI install -m 0700 fbia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fbia32.efi + +# pxeboot support +install -D -p -m 0755 shimx64.efi $RPM_BUILD_ROOT/pxeboot/EFI/shim.efi %endif cd mokutil-%{mokutil_version} @@ -243,6 +246,7 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install /boot/efi/EFI/BOOT/fb%{efiarchlc}.efi /boot/efi/EFI/BOOT/fallback.efi /boot/efi/EFI/%{efidir}/shim.efi +%attr(755,root,root) /pxeboot/EFI/shim.efi %ifarch x86_64 /boot/efi/EFI/%{efidir}/BOOT.CSV -- 2.29.2