[shim-signed] Update to shim 0.8
Peter Jones
pjones at fedoraproject.org
Fri Oct 24 22:15:32 UTC 2014
commit e5d6859b97ca4c18493b17ecb44bff8ebefe9b49
Author: Peter Jones <pjones at redhat.com>
Date: Fri Oct 24 18:09:20 2014 -0400
Update to shim 0.8
rhbz#1148230
rhbz#1148231
rhbz#1148232
- Handle building on aarch64 as well
Signed-off-by: Peter Jones <pjones at redhat.com>
.gitignore | 4 ++--
shim-signed.spec | 46 ++++++++++++++++++++++++++++++++++++----------
sources | 3 ++-
3 files changed, 40 insertions(+), 13 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index e7dbb40..f9ae468 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-/shim.efi
-/BOOT.CSV
+BOOT.CSV
+shim*.efi
diff --git a/shim-signed.spec b/shim-signed.spec
index 8422ca1..2fda94e 100644
--- a/shim-signed.spec
+++ b/shim-signed.spec
@@ -1,13 +1,20 @@
+%ifarch x86_64
+%global efiarch x64
+%endif
+%ifarch aarch64
+%global efiarch aa64
+%endif
+
Name: shim-signed
-Version: 0.7
-Release: 2%{?dist}
+Version: 0.8
+Release: 1%{?dist}
Summary: First-stage UEFI bootloader
Provides: shim = %{version}-%{release}
-%define unsignedver %{version}-1%{?dist}
+%define unsignedver 0.8-1%{?dist}
License: BSD
URL: http://www.codon.org.uk/~mjg59/shim/
-Source0: shim.efi
+Source0: shim%{efiarch}.efi
Source1: BOOT.CSV
BuildRequires: shim-unsigned = %{unsignedver}
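Review bot: `%define unsignedver 0.8-1%{?dist}` now repeats the version as a literal instead of deriving it from `%{version}`, so it has to be bumped by hand on every update. That value feeds `BuildRequires: shim-unsigned = %{unsignedver}`, which selects the unsigned build whose `shim.hash` the signed Source0 is compared against later in the spec. A comment above the define would make the coupling explicit, for example `# NVR of the shim-unsigned build that Source0 was signed from; bump together with Version`.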
@@ -17,7 +24,7 @@ BuildRequires: pesign >= 0.100-1%{dist}
# compatible with SysV (there's no red zone under UEFI) and there isn't a
# POSIX-style C library.
# BuildRequires: OpenSSL
-Provides: bundled(openssl) = 0.9.8w
+Provides: bundled(openssl) = 0.9.8zb
# Shim is only required on platforms implementing the UEFI secure boot
# protocol. The only one of those we currently wish to support is 64-bit x86.
@@ -34,6 +41,9 @@ ExclusiveArch: x86_64
%global efidir fedora
%endif
+%define ca_signed_arches x86_64
+%define rh_signed_arches x86_64 aarch64
+
%description
Initial UEFI bootloader that handles chaining to a trusted full bootloader
under secure boot environments. This package contains the version signed by
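Review bot: `rh_signed_arches` lists aarch64, but this hunk's header still shows `ExclusiveArch: x86_64`, and no hunk in the commit touches that line. If it is unchanged, as it appears to be, the new aarch64 branches are never built from this spec, so they go untested. The comment in the previous hunk also still says 64-bit x86 is the only supported platform. Either extend it to `ExclusiveArch: x86_64 aarch64` and update that comment, or add a comment here saying the aarch64 paths are not enabled yet. The `ExclusiveArch` line itself lies outside the hunk.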
@@ -41,8 +51,7 @@ the UEFI signing service.
%package -n shim
Summary: First-stage UEFI bootloader
-Requires: shim-unsigned = %{unsignedver}
-Requires: mokutil = %{unsignedver}
+Requires: mokutil >= 1:0.2.0-1
Provides: shim-signed = %{version}-%{release}
Obsoletes: shim-signed < %{version}-%{release}
@@ -61,13 +70,23 @@ mkdir shim-signed-%{version}
%define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
cd shim-signed-%{version}
+%ifarch %{ca_signed_arches}
pesign -i %{SOURCE0} -h -P > shim.hash
if ! cmp shim.hash %{_datadir}/shim/shim.hash ; then
echo Invalid signature\! > /dev/stderr
exit 1
fi
cp %{SOURCE0} shim.efi
-%pesign -s -i %{_datadir}/shim/shim.efi -o shim-fedora.efi
+%endif
+%ifarch %{rh_signed_arches}
+%pesign -s -i shim.efi -o shim-%{efidir}.efi
+%endif
+%ifarch %{rh_signed_arches}
+%ifnarch %{ca_signed_arches}
+cp shim-%{efidir}.efi shim.efi
+%endif
+%endif
+
%pesign -s -i %{_datadir}/shim/MokManager.efi -o MokManager.efi
%pesign -s -i %{_datadir}/shim/fallback.efi -o fallback.efi
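Review bot: The new `%pesign -s -i shim.efi -o shim-%{efidir}.efi` takes its input from the build directory instead of `%{_datadir}/shim/shim.efi`, which causes a problem on each architecture. On x86_64 that file is the copy of `%{SOURCE0}`, which already carries the signing service's signature, so the vendor-signed output would presumably end up with two signatures; the 0.7-2 changelog entry says multi-signing was dropped because many machines mis-verify it. On aarch64 nothing visible in the hunk creates `shim.efi` before this step, because the `cp %{SOURCE0} shim.efi` sits inside the `%ifarch %{ca_signed_arches}` block, so the signing step has no input. Keeping the unsigned binary as the input avoids both: `%pesign -s -i %{_datadir}/shim/shim.efi -o shim-%{efidir}.efi`. The two consecutive `%ifarch %{rh_signed_arches}` blocks can also be merged into one.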
@@ -76,7 +95,7 @@ rm -rf $RPM_BUILD_ROOT
cd shim-signed-%{version}
install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/
install -m 0644 shim.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi
-install -m 0644 shim-fedora.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim-fedora.efi
+install -m 0644 shim-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim-%{efidir}.efi
install -m 0644 MokManager.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/MokManager.efi
install -m 0644 %{SOURCE1} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV
@@ -86,13 +105,20 @@ install -m 0644 fallback.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fallback.efi
%files -n shim
/boot/efi/EFI/%{efidir}/shim.efi
-/boot/efi/EFI/%{efidir}/shim-fedora.efi
+/boot/efi/EFI/%{efidir}/shim-%{efidir}.efi
/boot/efi/EFI/%{efidir}/MokManager.efi
/boot/efi/EFI/%{efidir}/BOOT.CSV
/boot/efi/EFI/BOOT/BOOTX64.EFI
/boot/efi/EFI/BOOT/fallback.efi
%changelog
+* Fri Oct 24 2014 Peter Jones <pjones at redhat.com> - 0.8-1
+- Update to shim 0.8
+ rhbz#1148230
+ rhbz#1148231
+ rhbz#1148232
+- Handle building on aarch64 as well
+
* Fri Jul 18 2014 Peter Jones <pjones at redhat.com> - 0.7-2
- Don't do multi-signing; too many machines screw up verification.
Resolves: rhbz#1049749
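Review bot: The `%files` list still names `/boot/efi/EFI/BOOT/BOOTX64.EFI`, which is specific to x86_64; the default removable-media loader name on aarch64 is `BOOTAA64.EFI`. The commit introduces `%{efiarch}` but does not use it here, and the matching `install` line is outside the visible hunks, so the two need to be checked together. One option is an upper-case companion macro set next to `efiarch` (for example `%global efiarch_upper X64` and `AA64`; the name is only a suggestion), with the entry written as `/boot/efi/EFI/BOOT/BOOT%{efiarch_upper}.EFI`.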
diff --git a/sources b/sources
index f977def..5b1882a 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,3 @@
49acd7f998e96a9e10fded83ee71086b BOOT.CSV
-aa8eae148f6ac90c370eb50c88b974e1 shim.efi
+abd377408acc02ee7f2f16320ee9b49a shimx64.efi
+7d02a6fcbc097efb2c0e3d462a8916b3 shimaa64.efi