[shim/f19] Require gnu-efi-3.0q for now.
Peter Jones
pjones at fedoraproject.org
Fri Jun 7 20:56:54 UTC 2013
commit 6e8ffa58260ed5a20df13d928fe7afd30b123c0e
Author: Peter Jones <pjones at redhat.com>
Date: Fri Jun 7 16:56:37 2013 -0400
Require gnu-efi-3.0q for now.
- Don't allow mmx or sse during compilation.
- Re-organize this so all real signing happens in shim-signed instead.
- Split out mokutil
shim.spec | 36 +++++++++++++++++++-----------------
1 files changed, 19 insertions(+), 17 deletions(-)
---
diff --git a/shim.spec b/shim.spec
index 420b79e..0df7275 100644
--- a/shim.spec
+++ b/shim.spec
@@ -25,11 +25,11 @@ Source3: dbx.esl
Patch0: 0001-Fix-grub-path.patch
Patch1: 0001-Don-t-use-MMX-and-SSE-registers-they-aren-t-initiali.patch
Patch2: mokutil-correct-moklistrt-size.patch
-Patch3: 0001-EFI_PXE_BASE_CODE_DHCPV6_PACKET-is-in-gnu-efi-3.0t.patch
+#Patch3: 0001-EFI_PXE_BASE_CODE_DHCPV6_PACKET-is-in-gnu-efi-3.0t.patch
BuildRequires: gnu-efi git openssl-devel openssl
-BuildRequires: pesign >= 0.104-1
-BuildRequires: gnu-efi >= 3.0t
+BuildRequires: pesign >= 0.106-1
+BuildRequires: gnu-efi = 3.0q
# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
# compatible with SysV (there's no red zone under UEFI) and there isn't a
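Review bot: The exact pin `BuildRequires: gnu-efi = 3.0q` and the commented-out `#Patch3:` line have no explanation in the spec, so a later maintainer cannot tell when it is safe to lift them. gnu-efi code is presumably linked into the binary that is later submitted for signing, so the reason for holding it at an older release belongs next to the pin, e.g. `# Pinned to 3.0q because <REASON-OR-BUG-PLACEHOLDER>; restore Patch3 when moving back to >= 3.0t`. The unversioned `gnu-efi` in `BuildRequires: gnu-efi git openssl-devel openssl` is now redundant with the pinned entry and could be dropped from that line.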
@@ -61,6 +61,12 @@ Summary: First-stage UEFI bootloader (unsigned data)
Initial UEFI bootloader that handles chaining to a trusted full bootloader
under secure boot environments.
+%package -n mokutil
+Summary: Utilities for managing Secure Boot/MoK keys.
+
+%description -n mokutil
+Utilities for managing the "Machine's Own Keys" list.
+
%prep
%setup -q -n shim-%{version}
%setup -q -a 2 -D -T
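Review bot: The new `Summary: Utilities for managing Secure Boot/MoK keys.` ends with a period, which rpmlint reports as a summary style warning. I would write it as `Summary: Utilities for managing Secure Boot/MoK keys`. The `%description -n mokutil` text is fine as it stands.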
@@ -72,10 +78,6 @@ git commit -a -q -m "%{version} baseline."
git am %{patches} </dev/null
%build
-%define vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
-%define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
-#pesign %{vendor_token_str} %{vendor_cert_str} -C vendor.cer
-
MAKEFLAGS=""
if [ -f "%{SOURCE1}" ]; then
MAKEFLAGS="VENDOR_CERT_FILE=%{SOURCE1}"
@@ -88,13 +90,12 @@ cd ..
%install
rm -rf $RPM_BUILD_ROOT
-%pesign -s -i shim.efi -e shim.sig
+pesign -h -i shim.efi -h > shim.hash
install -D -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/shim/
install -m 0644 shim.efi $RPM_BUILD_ROOT%{_datadir}/shim/shim.efi
-install -m 0644 shim.sig $RPM_BUILD_ROOT%{_datadir}/shim/shim.sig
-%pesign -s -i fallback.efi -o $RPM_BUILD_ROOT%{_datadir}/shim/fallback.efi
-install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/
-%pesign -s -i MokManager.efi -o $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/MokManager.efi
+install -m 0644 shim.hash $RPM_BUILD_ROOT%{_datadir}/shim/shim.hash
+install -m 0644 fallback.efi $RPM_BUILD_ROOT%{_datadir}/shim/fallback.efi
+install -m 0644 MokManager.efi $RPM_BUILD_ROOT%{_datadir}/shim/MokManager.efi
cd mokutil-%{mokutilver}
make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
# now install our .debug files...
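Review bot: `pesign -h -i shim.efi -h > shim.hash` passes `-h` twice; the second one is redundant and looks like a leftover, so `pesign -h -i shim.efi > shim.hash` would be clearer. shim.hash appears to be what the separate signing package uses to tie a signed binary back to this build, so a one-line comment above the command should say that, e.g. `# Record the Authenticode hash of the unsigned shim so shim-signed can check what it signs`. Only shim.efi gets a recorded hash, while fallback.efi and MokManager.efi are now installed unsigned under `%{_datadir}/shim/`. It is worth confirming that shim-signed takes them only from this package. The `%install` section starts and ends outside this hunk.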
@@ -102,22 +103,23 @@ cd ..
install -D -d -m 0755 $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/
install -m 0644 shim.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/shim.efi.debug
install -m 0644 fallback.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/fallback.efi.debug
-install -D -d -m 0755 $RPM_BUILD_ROOT/usr/lib/debug/boot/efi/EFI/%{efidir}/MokManager.efi.debug
-
-%post
+install -m 0644 MokManager.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/shim/MokManager.efi.debug
%files -n shim-unsigned
%doc
%dir %{_datadir}/shim
-%dir /boot/efi/EFI/%{efidir}
%{_datadir}/shim/*
-/boot/efi/EFI/%{efidir}/MokManager.efi
+
+%files -n mokutil
/usr/bin/mokutil
/usr/share/man/man1/mokutil.1.gz
%changelog
* Fri Jun 07 2013 Peter Jones <pjones at redhat.com> - 0.3-2
+- Require gnu-efi-3.0q for now.
- Don't allow mmx or sse during compilation.
+- Re-organize this so all real signing happens in shim-signed instead.
+- Split out mokutil
* Wed Dec 12 2012 Peter Jones <pjones at redhat.com> - 0.2-3
- Fix mokutil's idea of signature sizes.
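Review bot: The new `%files -n mokutil` section takes over two hard-coded paths, `/usr/bin/mokutil` and `/usr/share/man/man1/mokutil.1.gz`, although the install step earlier in the spec uses `PREFIX=%{_prefix}`. I would list them as `%{_bindir}/mokutil` and `%{_mandir}/man1/mokutil.1*` so the file list follows the macros and does not depend on the man-page compression suffix. The debug files installed under `/usr/lib/debug/` in this hunk do not appear in any visible `%files` list, so it is worth checking that the debuginfo packaging outside this hunk picks up the relocated `MokManager.efi.debug`.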