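# RPM spec for shim, the first-stage UEFI bootloader that chain-loads the
# next-stage loader under Secure Boot.
#
# Review notes:
# - Nothing in this spec signs the EFI binaries. pesign is pulled in as a
#   build dependency but is not invoked in any section below. Presumably
#   signing happens outside this build -- confirm before relying on the
#   output for Secure Boot.
# - The source tarball is referenced by URL only, and the spec carries no
#   checksum or signature check for it. Integrity presumably rests on the
#   packaging repository -- confirm.

# Per-architecture EFI suffix and fallback boot file names.
%ifarch aarch64
%global efi_arch aa64
%global bootcsv BOOTAA64.CSV
%global bootefi BOOTAA64.EFI
%endif
%ifarch x86_64
%global efi_arch x64
%global bootcsv BOOTX64.CSV
%global bootefi BOOTX64.EFI
%endif

# Automatic debuginfo generation is switched off; the debuginfo and
# debugsource subpackages are declared by hand further down.
%global debug_package %{nil}
%global __debug_package 1
%global _binaries_in_noarch_packages_terminate_build 0
%undefine _debuginfo_subpackages

# NOTE(review): shimefivendor expands efi_vendor, which this spec never
# defines (efidir uses _vendor instead). If no macro package in the build
# root supplies efi_vendor, the install path keeps the literal unexpanded
# macro text -- confirm.
%global efidir %{_vendor}
%global shimdir %{_datadir}/shim/%{version}-%{release}/%{efi_arch}
%global shimefivendor /boot/efi/EFI/%{efi_vendor}/
%global shimBOOT /boot/efi/EFI/BOOT/

Name:           shim
Version:        15
Release:        24
Summary:        First-stage UEFI bootloader
ExclusiveArch:  x86_64 aarch64
License:        BSD
URL:            https://github.com/rhboot/shim
Source0:        https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
Source1:        BOOTAA64.CSV
Source2:        BOOTX64.CSV

# Patch0 to Patch2 look like fixes to shim itself, judging by their names.
Patch0:         Hook-exit-when-shim_lock-protocol-installed.patch
Patch1:         VLogError-Avoid-NULL-pointer-dereferences-in-V-Sprint.patch
Patch2:         backport-CVE-2022-28737.patch
# Patch3 onwards: the CVE ids named here are OpenSSL advisories, so these
# are presumably backports to the bundled OpenSSL copy declared in the
# Provides below. The changelog does not record what the remaining
# non-CVE backports are for.
Patch3:         backport-CVE-2017-3735.patch
Patch4:         backport-CVE-2017-3737.patch
Patch5:         backport-CVE-2018-0732.patch
Patch6:         backport-Fix-an-endless-loop-in-rsa_builtin_keygen.patch
Patch7:         backport-Replaced-variable-time-GCD-with-consttime-inversion.patch
Patch8:         backport-consttime-flag-changed.patch
Patch9:         backport-CVE-2018-0737.patch
Patch10:        backport-CVE-2018-0739.patch
Patch11:        backport-CVE-2019-1563.patch
Patch12:        backport-0001-CVE-2020-1971.patch
Patch13:        backport-0002-CVE-2020-1971.patch
Patch14:        backport-0003-CVE-2020-1971.patch
Patch15:        backport-0004-CVE-2020-1971.patch
Patch16:        backport-make-update-EVP_F_EVP_DECRYPTUPDATE.patch
Patch17:        backport-make-update-EVP_F_EVP_DECRYPTDECRYPTUPDATE.patch
Patch18:        backport-CVE-2021-23840.patch
Patch19:        backport-CVE-2021-23841.patch
Patch20:        backport-CVE-2022-0778.patch
Patch21:        backport-CVE-2021-3712.patch

BuildRequires:  elfutils-libelf-devel openssl-devel openssl git pesign gnu-efi gnu-efi-devel gcc
Requires:       dbxtool efi-filesystem mokutil
# Declares the vendored OpenSSL so that vulnerability tracking can match it.
# The version stays at the vendored base although fixes are backported, so a
# scanner that matches on the version alone will still report the fixed CVEs.
# The Patch list and the changelog are the record of what is addressed.
Provides:       bundled(openssl) = 1.0.2j
Provides:       shim-%{efi_arch}
Obsoletes:      shim-%{efi_arch}

%description
Initial UEFI bootloader that handles chaining to a trusted full \
bootloader under secure boot environments.

%package debuginfo
Summary:        Debug information for shim-unsigned
Requires:       %{name}-debugsource = %{version}-%{release}
AutoReqProv:    0
BuildArch:      noarch

%description debuginfo
This package provides debug information for package %{expand:%%{name}} \
Debug information is useful when developing applications that \
use this package or when debugging this package.

%package debugsource
Summary:        Debug Source for shim-unsigned
AutoReqProv:    0
BuildArch:      noarch

%description debugsource
This package provides debug information for package %{expand:%%{name}} \
Debug information is useful when developing applications that \
use this package or when debugging this package.

%prep
# The macro in the disabled line below is escaped because rpm expands macros
# inside comments too, and this spec declares no such source.
#chmod +x %%{SOURCE100}
%autosetup -n shim-%{version} -S git
# Drop the git identity from the unpacked tree's configuration.
git config --unset user.email
git config --unset user.name
mkdir build-%{efi_arch}

%build
# The commit id is read from the "commit" file in the unpacked tree.
COMMITID=$(cat commit)
# Keep these flags identical to the ones in the install section, which runs
# make again. Presumably a mismatch there would rebuild the binaries with
# different options -- confirm.
# ENABLE_HTTPBOOT compiles in an optional network boot feature. Features
# that are enabled here are part of the pre-boot code that has to be kept
# patched.
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
MAKEFLAGS+="%{_smp_mflags}"
cd build-%{efi_arch}
make ${MAKEFLAGS} DEFAULT_LOADER='\\\\grub%{efi_arch}.efi' all
cd ..

%install
COMMITID=$(cat commit)
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
cd build-%{efi_arch}
make ${MAKEFLAGS} \
    DEFAULT_LOADER='\\\\grub%{efi_arch}.efi' \
    DESTDIR=${RPM_BUILD_ROOT} \
    install-debuginfo install-debugsource

# Mode 0700 is what the package records. The EFI system partition is
# normally FAT, which stores no Unix permissions, so the effective access
# on an installed system is decided by the mount options.
install -d -m 0700 ${RPM_BUILD_ROOT}/%{shimBOOT}
install -m 0700 fb%{efi_arch}.efi ${RPM_BUILD_ROOT}/%{shimBOOT}
install -m 0700 mm%{efi_arch}.efi ${RPM_BUILD_ROOT}/%{shimBOOT}
install -m 0700 shim%{efi_arch}.efi ${RPM_BUILD_ROOT}/%{shimBOOT}/%{bootefi}

install -d -m 0700 ${RPM_BUILD_ROOT}/%{shimefivendor}
install -m 0700 *.efi ${RPM_BUILD_ROOT}/%{shimefivendor}
install -m 0700 *.hash ${RPM_BUILD_ROOT}/%{shimefivendor}

%ifarch aarch64
install -m 0700 %{SOURCE1} ${RPM_BUILD_ROOT}/%{shimefivendor}
%endif
%ifarch x86_64
install -m 0700 %{SOURCE2} ${RPM_BUILD_ROOT}/%{shimefivendor}
%endif
cd ..

%files
%license COPYRIGHT
%{shimBOOT}/fb%{efi_arch}.efi
%{shimBOOT}/mm%{efi_arch}.efi
%{shimBOOT}/%{bootefi}
%{shimefivendor}/%{bootcsv}
%{shimefivendor}/*.efi
%{shimefivendor}/*.hash

%files debuginfo
%defattr(-,root,root,-)
/usr/lib/debug/*
/usr/lib/debug/.build-id/*

%files debugsource
%defattr(-,root,root,-)
%dir /usr/src/debug/%{name}-%{version}-%{release}
/usr/src/debug/%{name}-%{version}-%{release}/*

%changelog
* Tue Sep 20 2022 gaoyusong - 15-24
- fix CVE-2021-23840 CVE-2021-23841 CVE-2022-0778 CVE-2021-3712

* Mon Sep 19 2022 gaoyusong - 15-23
- fix CVE-2017-3735 CVE-2017-3737 CVE-2018-0732 CVE-2018-0737 CVE-2018-0739 CVE-2019-1563 CVE-2020-1971

* Thu Jul 28 2022 Hugel - 15-22
- fix CVE-2022-28737

* Wed Mar 17 2021 yangzhuangzhuang - 15-21
- modify efider to _vendor

* Tue Feb 9 2021 Steven Y.Gui - 15-20
- backport some upstream patches

* Tue Mar 10 2020 openEuler Buildteam - 15-18
- fix wrong information

* Mon Feb 24 2020 openEuler Buildteam - 15-17
- Remove excess packaged files

* Thu Feb 13 2020 openEuler Buildteam - 15-16
- add BuildRequires: gcc

* Sun Jan 12 2020 openEuler Buildteam - 15-15
- List debug files

* Tue Nov 27 2019 openEuler Buildteam - 15-14
- Remove excess install

* Thu Nov 21 2019 openEuler Buildteam - 15-13
- Add defination of efi_arch

* Mon Nov 18 2019 openEuler Buildteam - 15-12
- Add %%{bootefi}

* Thu Nov 14 2019 openEuler Buildteam - 15-11
- Add arch x86_64

* Thu Sep 26 2019 openEuler Buildteam - 15-10
- Add missing BOOTAA64.CSV

* Thu Sep 26 2019 openEuler Buildteam - 15-9
- Package init

* Tue Sep 24 2019 openEuler Buildteam - 15-8
- Package init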