Blob Blame Raw
Name:           shim
Version:        0.2
Release:        1%{?dist}
Summary:        First-stage UEFI bootloader

License:        BSD
Source1:	fedora-ca.cer

# incorporate mokutil for packaging simplicity
%global mokutilver 0.1.0

# currently here's what's in our dbx:
# grub2-efi-2.00-11.fc18.x86_64:
# grubx64.efi 6ac839881e73504047c06a1aac0c4763408ecb3642783c8acf77a2d393ea5cd7
# gcdx64.efi 065cd63bab696ad2f4732af9634d66f2c0d48f8a3134b8808750d378550be151
# grub2-efi-2.00-11.fc19.x86_64:
# grubx64.efi 49ece9a10a9403b32c8e0c892fd9afe24a974323c96f2cc3dd63608754bf9b45
# gcdx64.efi 99fcaa957786c155a92b40be9c981c4e4685b8c62b408cb0f6cb2df9c30b9978
# woops.
Source3:	dbx.esl

Patch0:		0001-Fix-grub-path.patch

BuildRequires: gnu-efi git openssl-devel
BuildRequires: pesign >= 0.99-9

# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
# compatible with SysV (there's no red zone under UEFI) and there isn't a
# POSIX-style C library.
# BuildRequires: OpenSSL
Provides: bundled(openssl) = 0.9.8w

# Shim is only required on platforms implementing the UEFI secure boot
# protocol. The only one of those we currently wish to support is 64-bit x86.
# Adding further platforms will require adding appropriate relocation code.
ExclusiveArch: x86_64

# Figure out the right file path to use
%if 0%{?rhel}
%global efidir redhat
%if 0%{?fedora}
%global efidir fedora

Initial UEFI bootloader that handles chaining to a trusted full bootloader
under secure boot environments.

%package -n shim-unsigned
Summary: First-stage UEFI bootloader (unsigned data)

%description -n shim-unsigned
Initial UEFI bootloader that handles chaining to a trusted full bootloader
under secure boot environments.

%setup -q -n shim-%{version}
git init
git config ""
git config "Fedora Ninjas"
git add .
git commit -a -q -m "%{version} baseline."
git am %{patches} </dev/null
%setup -q -a 2 -D -T

%define vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
%define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
#pesign %{vendor_token_str} %{vendor_cert_str} -C vendor.cer

if [ -f "%{SOURCE1}" ]; then
make %{?_smp_mflags} ${MAKEFLAGS}
cd mokutil-%{mokutilver}
make %{?_smp_mflags}
cd ..

%pesign -s -i shim.efi -e shim.sig
install -D -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/shim/
install -m 0644 shim.efi $RPM_BUILD_ROOT%{_datadir}/shim/shim.efi
install -m 0644 shim.sig $RPM_BUILD_ROOT%{_datadir}/shim/shim.sig
install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/
%pesign -s -i shim.efi -o $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi
%pesign -s -i MokManager.efi -o $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/MokManager.efi
cd mokutil-%{mokutilver}
make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install

%files -n shim-unsigned
%dir %{_datadir}/shim


* Mon Nov 26 2012 Matthew Garrett <> - 0.2-1
- Update shim
- Include mokutil
- Add debuginfo package since mokutil is a userspace executable

* Mon Oct 22 2012 Peter Jones <> - 0.1-4
- Produce an unsigned shim

* Tue Aug 14 2012 Peter Jones <> - 0.1-3
- Update how embedded cert and signing work.

* Mon Aug 13 2012 Josh Boyer <> - 0.1-2
- Add patch to fix image size calculation

* Mon Aug 13 2012 Matthew Garrett <> - 0.1-1
- initial release