starlingx/integ
Code Issues Proposed changes
integ/extended/shim-signed/centos/meta_patches/0001-Use-presigned-binary.patch
Dean Troyer 3cd12006bb StarlingX open source release updates 
Signed-off-by: Dean Troyer <dtroyer@gmail.com>
2018-05-31 07:36:35 -07:00

67 lines
2.5 KiB
Diff
Raw Blame History

--- a/SPECS/shim-signed.spec 2017-01-05 14:12:11.584037112 -0500
+++ b/SPECS/shim-signed.spec 2017-01-05 14:20:57.281934890 -0500
@@ -1,9 +1,13 @@
Name: shim-signed
Version: 0.9
-Release: 2%{?dist}
+Release: 2%{?_tis_dist}.%{tis_patch_ver}
Summary: First-stage UEFI bootloader
Provides: shim = %{version}-%{release}
-%define unsigned_release 1.el7.centos
+
+# note that tis_patch_ver cannot be used in the unsigned_release definition,
+# as the variable represents the patch level of shim-signed, and we have to
+# specifiy the patch of shim-unsigned
+%define unsigned_release 1.el7%{_tis_dist}.1
License: BSD
URL: http://www.codon.org.uk/~mjg59/shim/
@@ -112,25 +116,35 @@
%define vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
%define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
+# if we already have a presigned EFI image, then do not do signing -- just
+# use the presigned one.
+
+if [ -e %{unsigned_dir}shim-presigned.efi ]; then
+ cp %{unsigned_dir}shim-presigned.efi shim.efi
+ cp %{unsigned_dir}shim-presigned.efi shim-%{efidir}.efi
+else
%ifarch %{ca_signed_arches}
-pesign -i %{shimsrc} -h -P > shim.hash
-if ! cmp shim.hash %{unsigned_dir}shim.hash ; then
- echo Invalid signature\! > /dev/stderr
- exit 1
-fi
-cp %{shimsrc} shim.efi
+ cp %{unsigned_dir}shim.efi shim-unsigned.efi
%endif
%ifarch %{rh_signed_arches}
-%pesign -s -i %{unsigned_dir}shim.efi -a %{SOURCE3} -c %{SOURCE3} -o shim-%{efidir}.efi
+ %pesign -s -i %{unsigned_dir}shim.efi -a %{SOURCE3} -c %{SOURCE3} -o shim-%{efidir}.efi
%endif
%ifarch %{rh_signed_arches}
-%ifnarch %{ca_signed_arches}
-cp shim-%{efidir}.efi shim.efi
-%endif
+ cp shim-%{efidir}.efi shim.efi
%endif
+fi # end "if shim-presigned.efi exists"
-%pesign -s -i %{unsigned_dir}MokManager.efi -o MokManager.efi -a %{SOURCE3} -c %{SOURCE3}
-%pesign -s -i %{unsigned_dir}fallback.efi -o fallback.efi -a %{SOURCE3} -c %{SOURCE3}
+if [ -e %{unsigned_dir}MokManager-presigned.efi ]; then
+ cp %{unsigned_dir}MokManager-presigned.efi MokManager.efi
+else
+ %pesign -s -i %{unsigned_dir}MokManager.efi -o MokManager.efi -a %{SOURCE3} -c %{SOURCE3}
+fi
+
+if [ -e %{unsigned_dir}fallback-presigned.efi ]; then
+ cp %{unsigned_dir}fallback-presigned.efi fallback.efi
+else
+ %pesign -s -i %{unsigned_dir}fallback.efi -o fallback.efi -a %{SOURCE3} -c %{SOURCE3}
+fi
cd mokutil-%{mokutil_version}
./autogen.sh
View Git Blame Copy Permalink