# RPM spec for shim, the first-stage UEFI bootloader (version 15, release 36),
# built for x86_64 and aarch64 only.

# Per-architecture EFI suffix plus the names of the fallback CSV file and the
# removable-media loader copied into EFI/BOOT.
%ifarch aarch64
%global efi_arch aa64
%global bootcsv BOOTAA64.CSV
%global bootefi BOOTAA64.EFI
%endif

%ifarch x86_64
%global efi_arch x64
%global bootcsv BOOTX64.CSV
%global bootefi BOOTX64.EFI
%endif

# Automatic debuginfo generation is switched off; the debuginfo and debugsource
# subpackages are declared by hand below and populated by the Makefile targets
# install-debuginfo / install-debugsource.
%global debug_package %{nil}
%global __debug_package 1
%global _binaries_in_noarch_packages_terminate_build 0
%undefine _debuginfo_subpackages

# efidir is handed to the shim Makefile as EFIDIR.
# shimdir is defined here but not referenced anywhere else in this spec.
# NOTE(review): shimefivendor is built from the efi_vendor macro, which this
# spec does not define, while EFIDIR comes from efidir (= _vendor). Presumably
# efi_vendor is supplied by distro macros - confirm both resolve to the same
# directory name, otherwise the binaries are installed under a different
# vendor directory than the one they were built for.
%global efidir %{_vendor}
%global shimdir %{_datadir}/shim/%{version}-%{release}/%{efi_arch}
%global shimefivendor /boot/efi/EFI/%{efi_vendor}/
%global shimBOOT /boot/efi/EFI/BOOT/

Name: shim
Version: 15
Release: 36
Summary: First-stage UEFI bootloader
ExclusiveArch: x86_64 aarch64
License: BSD
URL: https://github.com/rhboot/shim
# NOTE(review): no checksum or signature check of the Source0 tarball is
# visible in this spec; integrity presumably rests on the copy stored with the
# package sources - confirm.
Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
Source1: BOOTAA64.CSV
Source2: BOOTX64.CSV

# Backported fixes.
# Patch0-Patch2, Patch25, Patch26 and Patch30 are named after shim code
# (shim_lock, VLogError, pe-relocate, HTTP headers, gBS LoadImage).
# Patch3-Patch24 and Patch27-Patch29 carry OpenSSL CVE identifiers or OpenSSL
# symbol names (rsa_builtin_keygen, EVP_...) and presumably patch the bundled
# OpenSSL declared in the Provides line below - verify against the patch
# contents.
Patch0: Hook-exit-when-shim_lock-protocol-installed.patch
Patch1: VLogError-Avoid-NULL-pointer-dereferences-in-V-Sprint.patch
Patch2: backport-CVE-2022-28737.patch
Patch3: backport-CVE-2017-3735.patch
Patch4: backport-CVE-2017-3737.patch
Patch5: backport-CVE-2018-0732.patch
Patch6: backport-Fix-an-endless-loop-in-rsa_builtin_keygen.patch
Patch7: backport-Replaced-variable-time-GCD-with-consttime-inversion.patch
Patch8: backport-consttime-flag-changed.patch
Patch9: backport-CVE-2018-0737.patch
Patch10: backport-CVE-2018-0739.patch
Patch11: backport-CVE-2019-1563.patch
Patch12: backport-0001-CVE-2020-1971.patch
Patch13: backport-0002-CVE-2020-1971.patch
Patch14: backport-0003-CVE-2020-1971.patch
Patch15: backport-0004-CVE-2020-1971.patch
Patch16: backport-make-update-EVP_F_EVP_DECRYPTUPDATE.patch
Patch17: backport-make-update-EVP_F_EVP_DECRYPTDECRYPTUPDATE.patch
Patch18: backport-CVE-2021-23840.patch
Patch19: backport-CVE-2021-23841.patch
Patch20: backport-CVE-2022-0778.patch
Patch21: backport-CVE-2021-3712.patch
Patch22: backport-CVE-2023-0286.patch
Patch23: backport-CVE-2023-0464.patch
Patch24: backport-CVE-2023-3817.patch
Patch25: backport-CVE-2023-40551-pe-relocate-Fix-bounds-check-for-MZ-b.patch
Patch26: backport-CVE-2023-40547-avoid-incorrectly-trusting-HTTP-heade.patch
Patch27: backport-CVE-2023-3446.patch
Patch28: backport-CVE-2023-0465.patch
Patch29: backport-CVE-2023-2650.patch
Patch30: backport-Fix-the-issue-that-the-gBS-LoadImage-pointer-was-emp.patch

# Feature
Patch9000: Feature-add-tpcm-support-with-ipmi-channel.patch
Patch9001: fix-the-bug-for-fb-and-mok-do-some-clean-code.patch
Patch9002: Feature-add-control-switch-to-optimized-exception-handling.patch
Patch9003: Feature-Convert-file-name-from-wide-char-to-narrow-char.patch

# NOTE(review): pesign is required at build time, but no signing step appears
# in the build or install scriptlets of this spec (the subpackage summaries
# also say "shim-unsigned"). Presumably signing happens outside this package -
# confirm, because firmware with Secure Boot enabled only loads a shim whose
# signature it trusts.
BuildRequires: elfutils-libelf-devel openssl-devel openssl git pesign gnu-efi gnu-efi-devel gcc
Requires: dbxtool efi-filesystem mokutil
# Declares the OpenSSL copy carried inside the shim source tree, so that
# OpenSSL advisories can be matched against this package as well.
Provides: bundled(openssl) = 1.0.2j

Provides: shim-%{efi_arch} = %{version}-%{release}
Obsoletes: shim-%{efi_arch} < %{version}-%{release}

%description
Initial UEFI bootloader that handles chaining to a trusted full \
bootloader under secure boot environments.

%package debuginfo
Summary: Debug information for shim-unsigned
Requires: %{name}-debugsource = %{version}-%{release}
AutoReqProv: 0
BuildArch: noarch

%description debuginfo
This package provides debug information for package %{expand:%%{name}} \
Debug information is useful when developing applications that \
use this package or when debugging this package.

%package debugsource
Summary: Debug Source for shim-unsigned
AutoReqProv: 0
BuildArch: noarch

%description debugsource
This package provides debug information for package %{expand:%%{name}} \
Debug information is useful when developing applications that \
use this package or when debugging this package.

%prep
#chmod +x %{SOURCE100}
# Unpack the tarball and apply the patches declared above, using git as the
# patch backend.
%autosetup -n shim-%{version} -S git
# Remove the committer identity from the scratch repository (presumably set by
# the git patch backend - confirm). git config --unset exits non-zero when the
# key is absent.
git config --unset user.email
git config --unset user.name

# Out-of-tree build directory, one per EFI architecture.
mkdir build-%{efi_arch}

%build
# The commit id is read from the file named "commit" in the source tree and
# passed to the Makefile as COMMITID.
COMMITID=$(cat commit)
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
# ENABLE_HTTPBOOT=true compiles in HTTP boot. Patch26 (CVE-2023-40547, "avoid
# incorrectly trusting HTTP header...") concerns HTTP header handling per its
# title, so it has to stay applied for as long as this flag is on.
# ENABLE_SHIM_HASH=true presumably produces the *.hash files installed below.
MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
MAKEFLAGS+="%{_smp_mflags}"

cd build-%{efi_arch}
# DEFAULT_LOADER names the second-stage loader (grub<efi_arch>.efi) that shim
# chains to; the quoting is kept exactly as the Makefile receives it.
make ${MAKEFLAGS} DEFAULT_LOADER='\\\\grub%{efi_arch}.efi' all
cd ..

%install
# Same flags as the build step, minus the parallel-make option.
COMMITID=$(cat commit)
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "

cd build-%{efi_arch}
# Only the debug payload is installed through the Makefile; the EFI binaries
# are copied by hand below.
make ${MAKEFLAGS} \
	DEFAULT_LOADER='\\\\grub%{efi_arch}.efi' \
	DESTDIR=${RPM_BUILD_ROOT} \
	install-debuginfo install-debugsource

# EFI/BOOT: fb and mm binaries plus shim itself under the removable-media
# loader name (bootefi). Everything is packaged with mode 0700.
install -d -m 0700 ${RPM_BUILD_ROOT}/%{shimBOOT}
install -m 0700 fb%{efi_arch}.efi ${RPM_BUILD_ROOT}/%{shimBOOT}
install -m 0700 mm%{efi_arch}.efi ${RPM_BUILD_ROOT}/%{shimBOOT}
install -m 0700 shim%{efi_arch}.efi ${RPM_BUILD_ROOT}/%{shimBOOT}/%{bootefi}

# Vendor directory: every .efi and .hash file present in the build directory,
# plus the architecture's BOOT*.CSV.
install -d -m 0700 ${RPM_BUILD_ROOT}/%{shimefivendor}
install -m 0700 *.efi ${RPM_BUILD_ROOT}/%{shimefivendor}
install -m 0700 *.hash ${RPM_BUILD_ROOT}/%{shimefivendor}

%ifarch aarch64
install -m 0700 %{SOURCE1} ${RPM_BUILD_ROOT}/%{shimefivendor}
%endif
%ifarch x86_64
install -m 0700 %{SOURCE2} ${RPM_BUILD_ROOT}/%{shimefivendor}
%endif

cd ..

%files
%license COPYRIGHT
%{shimBOOT}/fb%{efi_arch}.efi
%{shimBOOT}/mm%{efi_arch}.efi
%{shimBOOT}/%{bootefi}
%{shimefivendor}/%{bootcsv}
# The wildcards below package whatever .efi and .hash files the install step
# copied into the vendor directory.
%{shimefivendor}/*.efi
%{shimefivendor}/*.hash

%files debuginfo
%defattr(-,root,root,-)
/usr/lib/debug/*
/usr/lib/debug/.build-id/*

%files debugsource
%defattr(-,root,root,-)
%dir /usr/src/debug/%{name}-%{version}-%{release}
/usr/src/debug/%{name}-%{version}-%{release}/*

%changelog
* Tue Feb 11 2025 fuanan - 15-36
- fix the issue that the gBS->LoadImage pointer was empty.

* Wed Feb 28 2024 zhengxiaoxiao - 15-35
- fix CVE-2023-3446 CVE-2023-0465 CVE-2023-2650

* Tue Jan 30 2024 jinlun - 15-34
- fix CVE-2023-40547 CVE-2023-40551

* Sat Oct 14 2023 ExtinctFire - 15-33
- fix CVE-2023-0464 CVE-2023-3817

* Thu Jul 13 2023 jinlun - 15-32
- Convert file name from wide char to narrow char

* Wed Jun 14 2023 jinlun - 15-31
- add control switch to optimized exception handling.

* Sat May 27 2023 jinlun - 15-30
- fix the response_length is modified.

* Fri Mar 17 2023 huangzq6 - 15-29
- fix the bug for fb and mok, do some clean code.

* Wed Mar 8 2023 huangzq6 - 15-28
- support no tpcm scenes temporary

* Wed Mar 1 2023 jinlun - 15-27
- add tpcm support with ipmi channel

* Wed Feb 15 2023 jinlun - 15-26
- fix CVE-2023-0286

* Tue Dec 13 2022 jinlun - 15-25
- add edition number

* Tue Sep 20 2022 gaoyusong - 15-24
- fix CVE-2021-23840 CVE-2021-23841 CVE-2022-0778 CVE-2021-3712

* Mon Sep 19 2022 gaoyusong - 15-23
- fix CVE-2017-3735 CVE-2017-3737 CVE-2018-0732 CVE-2018-0737 CVE-2018-0739 CVE-2019-1563 CVE-2020-1971

* Thu Jul 28 2022 Hugel - 15-22
- fix CVE-2022-28737

* Wed Mar 17 2021 yangzhuangzhuang - 15-21
- modify efidir to _vendor

* Tue Feb 9 2021 Steven Y.Gui - 15-20
- backport some upstream patches

* Tue Mar 10 2020 openEuler Buildteam - 15-18
- fix wrong information

* Mon Feb 24 2020 openEuler Buildteam - 15-17
- Remove excess packaged files

* Thu Feb 13 2020 openEuler Buildteam - 15-16
- add BuildRequires: gcc

* Sun Jan 12 2020 openEuler Buildteam - 15-15
- List debug files

* Tue Nov 27 2019 openEuler Buildteam - 15-14
- Remove excess install

* Thu Nov 21 2019 openEuler Buildteam - 15-13
- Add defination of efi_arch

* Mon Nov 18 2019 openEuler Buildteam - 15-12
- Add %{bootefi}

* Thu Nov 14 2019 openEuler Buildteam - 15-11
- Add arch x86_64

* Thu Sep 26 2019 openEuler Buildteam - 15-10
- Add missing BOOTAA64.CSV

* Thu Sep 26 2019 openEuler Buildteam - 15-9
- Package init

* Tue Sep 24 2019 openEuler Buildteam - 15-8
- Package init