integ/security/shim-signed/centos/meta_patches/0003-Support-pxeboot-secure-boot.patch
Don Penney 1974b3f570 Copy shim.efi to /pxeboot for UEFI pxeboot support
Package a copy of the shim.efi file to /pxeboot to support UEFI secure
boot. The recent grub2 update for CVE-2020-15705 requires the use of
shim.efi in order to support kernel signature validation.

Change-Id: If87925e1697b34d7ff1a7a770d9f13619dd9dd52
Partial-Bug: 1927730
Signed-off-by: Don Penney <don.penney@windriver.com>
2021-05-07 11:48:35 -04:00


From e8566efa702a88c1efe15daaf52b3a00446f1d8c Mon Sep 17 00:00:00 2001
From: Don Penney <don.penney@windriver.com>
Date: Thu, 6 May 2021 13:42:27 -0400
Subject: [PATCH] Support pxeboot secure boot
In order to support secure boot with pxeboot, we need to package the
shim.efi file in /pxeboot/EFI, accessible to tftp for the UEFI
install. As well, please note that while /boot/efi/EFI/centos/shim.efi
and other files provided by the shim-x64 package are only accessible
to root, the file under /pxeboot must have broader permissions so that
the dnsmasq-tftp daemon is able to serve it to the requesting host.
Therefore, its file permissions are set to be readable to all.
Signed-off-by: Don Penney <don.penney@windriver.com>
---
SPECS/shim-signed.spec | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/SPECS/shim-signed.spec b/SPECS/shim-signed.spec
index 20cdc80..978818a 100755
--- a/SPECS/shim-signed.spec
+++ b/SPECS/shim-signed.spec
@@ -227,6 +227,9 @@ install -m 0700 %{bootsrcia32} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOTIA32.C
install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOTIA32.EFI
install -m 0700 fbia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fbia32.efi
+
+# pxeboot support
+install -D -p -m 0755 shimx64.efi $RPM_BUILD_ROOT/pxeboot/EFI/shim.efi
%endif
cd mokutil-%{mokutil_version}
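Review bot: the new install line uses mode 0755, but a file served read-only over TFTP only needs to be world-readable; 0644 would satisfy the dnsmasq-tftp requirement stated in the commit message without marking the copy executable on the host filesystem. Consider `install -D -p -m 0644 shimx64.efi $RPM_BUILD_ROOT/pxeboot/EFI/shim.efi`. Widening permissions here is acceptable from an integrity standpoint only because the file copied is the signed shimx64.efi, whose Authenticode signature the UEFI firmware verifies at boot regardless of how the TFTP server stores it; it is worth stating that in the `# pxeboot support` comment so a later reader does not tighten the mode back to 0700 to match the surrounding installs and silently break UEFI PXE installs.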
@@ -243,6 +246,7 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
/boot/efi/EFI/BOOT/fb%{efiarchlc}.efi
/boot/efi/EFI/BOOT/fallback.efi
/boot/efi/EFI/%{efidir}/shim.efi
+%attr(755,root,root) /pxeboot/EFI/shim.efi
%ifarch x86_64
/boot/efi/EFI/%{efidir}/BOOT.CSV
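Review bot: the `%attr(755,root,root) /pxeboot/EFI/shim.efi` entry is added immediately before the `%ifarch x86_64` line of the %files section, whereas the matching install in the first hunk sits inside a block closed by `%endif` right after the ia32 installs, which suggests it is guarded by an x86_64 condition. If the spec is ever built for another architecture the %files list would reference a file that %install never created and the build would fail; moving the entry below `%ifarch x86_64` keeps the two hunks consistent. The mode should also match whatever the install line finally uses (0644 is sufficient for TFTP, see the first hunk), and if no other package owns /pxeboot/EFI a `%dir` entry for it would avoid an unowned-directory warning at package build time.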
--
2.29.2