From f4bf84f7c52ca6b105e03ad22ef3f891d6b37364 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: May 04 2021 23:08:46 +0000 Subject: Minor updates to fix some minor bugs. - Mark signed shim packages as protected in dnf. Resolves: rhbz#1874541 - Conflict with older fwupd, but don't require it. Resolves: rhbz#1877751 Signed-off-by: Peter Jones --- diff --git a/BOOTARM.CSV b/BOOTARM.CSV new file mode 100644 index 0000000..f2da467 Binary files /dev/null and b/BOOTARM.CSV differ diff --git a/shim.conf b/shim.conf new file mode 100644 index 0000000..d25f720 --- /dev/null +++ b/shim.conf @@ -0,0 +1,4 @@ +shim-aa64 +shim-arm +shim-ia32 +shim-x64 diff --git a/shim.rpmmacros b/shim.rpmmacros index 4e38a42..c1b4307 100644 --- a/shim.rpmmacros +++ b/shim.rpmmacros @@ -50,7 +50,6 @@ Summary: First-stage UEFI bootloader \ Requires: mokutil >= 1:0.3.0-15 \ Requires: efi-filesystem \ Provides: shim-signed-%{-a*} = %{version}-%{release} \ -Requires: fwupd >= %{fwupd_version} \ Conflicts: fwupd < %{fwupd_version} \ Requires: grub2-efi-%{-a*} >= %{grub_version} \ Conflicts: grub2-efi-%{-a*} < %{grub_version} \ diff --git a/shim.spec b/shim.spec index fda0a97..0770c72 100644 --- a/shim.spec +++ b/shim.spec @@ -5,12 +5,12 @@ Name: shim Version: 15.4 -Release: 2%{?dist} +Release: 3%{?dist} Summary: First-stage UEFI bootloader License: BSD URL: https://github.com/rhboot/shim/ BuildRequires: efi-filesystem -BuildRequires: efi-srpm-macros >= 3-2 +BuildRequires: efi-srpm-macros >= 5-1 ExclusiveArch: %{efi} # but we don't build a .i686 package, just a shim-ia32.x86_64 package @@ -19,6 +19,7 @@ ExcludeArch: %{ix86} ExcludeArch: %{arm} Source0: shim.rpmmacros +Source1: shim.conf # keep these two lists of sources synched up arch-wise. That is 0 and 10 # match, 1 and 11 match, ... 
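Review bot: In the shim.spec hunk `@@ -19,6 +19,7 @@`, the new `Source1: shim.conf` sits directly above a comment that says "0 and 10 match, 1 and 11 match", which now reads as if Source1 were paired with Source11. Going by the pairs visible in the next hunk (Source11/Source21, Source12/Source22, Source13/Source23), the two arch-wise lists are the 1x and 2x series, so the comment is misleading. I would reword it to `# keep these two lists of sources synched up arch-wise.  That is 10 and 20` / `# match, 11 and 21 match, ...` and add `# Source0/Source1 are arch-independent` above Source0. Source10 and Source20 are not visible in this diff, so confirm the numbering against the full file.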
@@ -28,8 +29,8 @@ Source11: BOOTIA32.CSV Source21: shimia32.efi Source12: BOOTX64.CSV Source22: shimx64.efi -#Source13: BOOTARM.CSV -#Source23: shimarm.efi +Source13: BOOTARM.CSV +Source23: shimarm.efi %include %{SOURCE0} @@ -45,10 +46,8 @@ BuildRequires: %{unsignedia32} = %{shimveria32} %endif %ifarch aarch64 BuildRequires: %{unsignedaa64} = %{shimveraa64} +BuildRequires: %{unsignedarm} = %{shimverarm} %endif -#%%ifarch arm -#BuildRequires: %%{unsignedarm} = %%{shimverarm} -#%%endif %description Initial UEFI bootloader that handles chaining to a trusted full bootloader @@ -90,6 +89,8 @@ install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_boot}/ %if %{provide_legacy_shim} install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi %endif +install -D -d -m 0755 $RPM_BUILD_ROOT%{_sysconfdir}/dnf/protected.d/ +install -m 0644 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/dnf/protected.d/ ( cd $RPM_BUILD_ROOT ; find .%{efi_esp_root} -type f ) \ | sed -e 's/\./\^/' -e 's,^\\\./,.*/,' -e 's,$,$,' > %{__brp_mangle_shebangs_exclude_from_file} @@ -98,11 +99,20 @@ install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi %if %{provide_legacy_shim} %{efi_esp_dir}/shim.efi %endif +%{_sysconfdir}/dnf/protected.d/shim.conf + %if %{efi_has_alt_arch} %define_files -a %{efi_alt_arch} -A %{efi_alt_arch_upper} +%{_sysconfdir}/dnf/protected.d/shim.conf %endif %changelog +* Tue Apr 06 2021 Peter Jones - 15.4-3 +- Mark signed shim packages as protected in dnf. + Resolves: rhbz#1874541 +- Conflict with older fwupd, but don't require it. + Resolves: rhbz#1877751 + * Tue Apr 06 2021 Peter Jones - 15.4-2 - Update to shim 15.4 - Support for revocations via the ".sbat" section and SBAT EFI variable
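Review bot: In the shim.spec hunk `@@ -28,8 +29,8 @@`, `Source23: shimarm.efi` is enabled, but the only new ARM artifact this patch adds is `BOOTARM.CSV`; no shimarm.efi and no change to a digest list for it appear in the diff. If the signed binary is fetched from a lookaside cache, the entry that pins its digest should land in the same commit, otherwise the SRPM either fails to build or picks up a binary this change never recorded. A short comment above the line stating where the signed binary comes from, e.g. `# signed binary; must correspond to the %%{unsignedarm} build required below`, would also help a reader tie it to the `BuildRequires: %{unsignedarm} = %{shimverarm}` line added in the `@@ -45,10 +46,8 @@` hunk. Whether `%{unsignedarm}` and `%{shimverarm}` are defined for aarch64 builds depends on macros outside this diff and is worth confirming.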
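Review bot: In the `%files` hunk of shim.spec (`@@ -98,11 +99,20 @@`), both new `%{_sysconfdir}/dnf/protected.d/shim.conf` entries are plain files under /etc with no `%config` marking, so a package update overwrites any local edit to the protected list. If that is intended, so that the list always matches what the package ships, a comment above the first entry would record the decision, e.g. `# deliberately not %%config: the dnf protected list must track the package`. The same path is listed a second time after `%define_files`, which presumably opens the alt-arch package's file list. Two packages owning one path is only safe while both carry identical content, which holds here because there is a single copy installed from `%{SOURCE1}`.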