diff --git a/.gitignore b/.gitignore
index e7dbb40..f9ae468 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-/shim.efi
-/BOOT.CSV
+BOOT.CSV
+shim*.efi
diff --git a/shim-signed.spec b/shim-signed.spec
index 8422ca1..2fda94e 100644
--- a/shim-signed.spec
+++ b/shim-signed.spec
@@ -1,13 +1,20 @@ +%ifarch x86_64 +%global efiarch x64 +%endif +%ifarch aarch64 +%global efiarch aa64 +%endif + Name: shim-signed -Version: 0.7 -Release: 2%{?dist} +Version: 0.8 +Release: 1%{?dist} Summary: First-stage UEFI bootloader Provides: shim = %{version}-%{release} -%define unsignedver %{version}-1%{?dist} +%define unsignedver 0.8-1%{?dist} License: BSD URL: http://www.codon.org.uk/~mjg59/shim/ -Source0: shim.efi +Source0: shim%{efiarch}.efi Source1: BOOT.CSV BuildRequires: shim-unsigned = %{unsignedver}
@@ -17,7 +24,7 @@ BuildRequires: pesign >= 0.100-1%{dist} # compatible with SysV (there's no red zone under UEFI) and there isn't a # POSIX-style C library. # BuildRequires: OpenSSL -Provides: bundled(openssl) = 0.9.8w +Provides: bundled(openssl) = 0.9.8zb # Shim is only required on platforms implementing the UEFI secure boot # protocol. The only one of those we currently wish to support is 64-bit x86.
@@ -34,6 +41,9 @@ ExclusiveArch: x86_64 %global efidir fedora %endif +%define ca_signed_arches x86_64 +%define rh_signed_arches x86_64 aarch64 + %description Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments. This package contains the version signed by
@@ -41,8 +51,7 @@ the UEFI signing service. %package -n shim Summary: First-stage UEFI bootloader -Requires: shim-unsigned = %{unsignedver} -Requires: mokutil = %{unsignedver} +Requires: mokutil >= 1:0.2.0-1 Provides: shim-signed = %{version}-%{release} Obsoletes: shim-signed < %{version}-%{release}
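Review bot: `Source0: shim%{efiarch}.efi` in the `@@ -1,13 +1,20 @@` hunk makes the source list depend on the architecture of the machine that parses the spec, because `efiarch` is set only inside the `%ifarch x86_64` and `%ifarch aarch64` blocks at the top of that hunk. A source RPM produced on an x86_64 host would then carry only `shimx64.efi`, and on any other architecture the macro is left unexpanded in the file name. Listing both binaries unconditionally, for example `Source0: shimx64.efi` and `Source2: shimaa64.efi`, and choosing between them by `%{efiarch}` where `%{SOURCE0}` is used today would keep the source RPM the same on every host. The `%build` section that reads `%{SOURCE0}` is outside this hunk.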
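Review bot: `%define rh_signed_arches x86_64 aarch64` in the `@@ -34,6 +41,9 @@` hunk names an architecture that the rest of the spec still appears to exclude: the hunk header context shows `ExclusiveArch: x86_64`, the comment in the previous hunk says only 64-bit x86 is supported, and the `%files` hunk further down still lists `/boot/efi/EFI/BOOT/BOOTX64.EFI`. Unless those are updated outside the visible hunks, the aarch64 branches cannot be built or packaged. Both macros would also benefit from a comment, for example `# arches whose shim binary (Source0) comes back signed by the UEFI CA` above `ca_signed_arches` and `# arches whose shim gets the vendor signature at build time` above `rh_signed_arches`.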
@@ -61,13 +70,23 @@ mkdir shim-signed-%{version} %define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}} cd shim-signed-%{version} +%ifarch %{ca_signed_arches} pesign -i %{SOURCE0} -h -P > shim.hash if ! cmp shim.hash %{_datadir}/shim/shim.hash ; then echo Invalid signature\! > /dev/stderr exit 1 fi cp %{SOURCE0} shim.efi -%pesign -s -i %{_datadir}/shim/shim.efi -o shim-fedora.efi +%endif +%ifarch %{rh_signed_arches} +%pesign -s -i shim.efi -o shim-%{efidir}.efi +%endif +%ifarch %{rh_signed_arches} +%ifnarch %{ca_signed_arches} +cp shim-%{efidir}.efi shim.efi +%endif +%endif + %pesign -s -i %{_datadir}/shim/MokManager.efi -o MokManager.efi %pesign -s -i %{_datadir}/shim/fallback.efi -o fallback.efi
@@ -76,7 +95,7 @@ rm -rf $RPM_BUILD_ROOT cd shim-signed-%{version} install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/ install -m 0644 shim.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi -install -m 0644 shim-fedora.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim-fedora.efi +install -m 0644 shim-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim-%{efidir}.efi install -m 0644 MokManager.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/MokManager.efi install -m 0644 %{SOURCE1} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV
@@ -86,13 +105,20 @@ install -m 0644 fallback.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fallback.efi %files -n shim /boot/efi/EFI/%{efidir}/shim.efi -/boot/efi/EFI/%{efidir}/shim-fedora.efi +/boot/efi/EFI/%{efidir}/shim-%{efidir}.efi /boot/efi/EFI/%{efidir}/MokManager.efi /boot/efi/EFI/%{efidir}/BOOT.CSV /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/fallback.efi %changelog +* Fri Oct 24 2014 Peter Jones - 0.8-1 +- Update to shim 0.8 + rhbz#1148230 + rhbz#1148231 + rhbz#1148232 +- Handle building on aarch64 as well + * Fri Jul 18 2014 Peter Jones - 0.7-2 - Don't do multi-signing; too many machines screw up verification. Resolves: rhbz#1049749
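Review bot: The new `%pesign -s -i shim.efi -o shim-%{efidir}.efi` in the `@@ -61,13 +70,23 @@` hunk signs a file from the build directory instead of `%{_datadir}/shim/shim.efi`, and that changes the result on both architectures. On x86_64 `shim.efi` is the copy of `%{SOURCE0}` made just above, so the vendor signature would be added to the binary that already carries the UEFI CA signature, which looks like the multi-signing that the 0.7-2 changelog entry in the last hunk says was dropped. On aarch64 the `%ifarch %{ca_signed_arches}` block is skipped, so nothing visible in this hunk creates `shim.efi` before it is read. Keeping the unsigned input, `%pesign -s -i %{_datadir}/shim/shim.efi -o shim-%{efidir}.efi`, avoids both, and the two adjacent `%ifarch %{rh_signed_arches}` blocks can then be one. The `%build` section starts outside this hunk.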
diff --git a/sources b/sources
index f977def..5b1882a 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,3 @@
 49acd7f998e96a9e10fded83ee71086b BOOT.CSV
-aa8eae148f6ac90c370eb50c88b974e1 shim.efi
+abd377408acc02ee7f2f16320ee9b49a shimx64.efi
+7d02a6fcbc097efb2c0e3d462a8916b3 shimaa64.efi