rebase shim-signed patch to CentOS 7.6 version

Test:
Passed build and multi-node deploy test

Depends-On: https://review.openstack.org/627932/

Story: 2004522
Task: 28439

Change-Id: Ia10f16834721cc2aa1a148557f8fc614954c5c07
Signed-off-by: Martin, Chen <haochuan.z.chen@intel.com>
Martin, Chen 2019-01-02 14:46:35 +08:00
parent f879cb1e2a
commit 0c6391af4e
3 changed files with 57 additions and 53 deletions


@ -13,7 +13,7 @@ index d2a13b1..9cfcb2f 100644
+++ b/SPECS/shim-signed.spec +++ b/SPECS/shim-signed.spec
@@ -1,6 +1,6 @@ @@ -1,6 +1,6 @@
Name: shim-signed Name: shim-signed
Version: 12 Version: 15
-Release: 1%{?dist}%{?buildid} -Release: 1%{?dist}%{?buildid}
+Release: 1%{?_tis_dist}.%{tis_patch_ver} +Release: 1%{?_tis_dist}.%{tis_patch_ver}
Summary: First-stage UEFI bootloader Summary: First-stage UEFI bootloader


@ -4,30 +4,31 @@ new mode 100755
index 9cfcb2f..f6ce87e index 9cfcb2f..f6ce87e
--- a/SPECS/shim-signed.spec --- a/SPECS/shim-signed.spec
+++ b/SPECS/shim-signed.spec +++ b/SPECS/shim-signed.spec
@@ -2,7 +2,6 @@ Name: shim-signed @@ -2,18 +2,20 @@ Name: shim-signed
Version: 12 Version: 15
Release: 1%{?_tis_dist}.%{tis_patch_ver} Release: 1%{?_tis_dist}.%{tis_patch_ver}
Summary: First-stage UEFI bootloader Summary: First-stage UEFI bootloader
-%define unsigned_release 1%{?dist} -%define unsigned_release 1%{?dist}
License: BSD License: BSD
URL: http://www.codon.org.uk/~mjg59/shim/ URL: https://github.com/rhboot/shim/
@@ -16,10 +15,12 @@ Patch0004: 0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch # incorporate mokutil for packaging simplicity
Patch0005: 0005-Make-all-efi_guid_t-const.patch %global mokutil_version 0.3.0
Patch0006: 0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
Patch0007: 0007-Add-bash-completion-file.patch
+%global srcbasename shimx64 +%global srcbasename shimx64
+%global srcbasenameia32 shimia32 +%global srcbasenameia32 shimia32
+
Source1: centos.crt Source0: https://github.com/lcp/mokutil/archive/mokutil-%{mokutil_version}.tar.gz
-Source10: shimx64.efi Source1: centossecureboot001.crt
-Source11: shimia32.efi Source2: centos-ca-secureboot.der
%define pesign_name centossecureboot001
-Source10: shimx64.efi
-Source11: shimia32.efi
+Source10: %{srcbasename}.efi +Source10: %{srcbasename}.efi
+Source11: %{srcbasenameia32}.efi +Source11: %{srcbasenameia32}.efi
#Source12: shimaa64.efi Source12: shimaa64.efi
Source20: BOOTX64.CSV Source20: BOOTX64.CSV
Source21: BOOTIA32.CSV Source21: BOOTIA32.CSV
@@ -47,11 +48,17 @@ BuildRequires: git @@ -52,11 +54,17 @@ BuildRequires: git
BuildRequires: openssl-devel openssl BuildRequires: openssl-devel openssl
BuildRequires: pesign >= 0.106-5%{dist} BuildRequires: pesign >= 0.106-5%{dist}
BuildRequires: efivar-devel BuildRequires: efivar-devel
@ -47,16 +48,16 @@ index 9cfcb2f..f6ce87e
# for mokutil's configure # for mokutil's configure
BuildRequires: autoconf automake BuildRequires: autoconf automake
@@ -143,39 +150,34 @@ cd .. @@ -148,39 +156,34 @@ cd ..
%define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}} %define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
%ifarch %{ca_signed_arches} %ifarch %{ca_signed_arches}
-pesign -i %{shimsrc} -h -P > shim%{efiarchlc}.hash -pesign -i %{shimsrc} -h -P > shim%{efiarchlc}.hash
-if ! cmp shim%{efiarchlc}.hash %{unsigned_dir}shim%{efiarchlc}.hash ; then -if ! cmp shim%{efiarchlc}.hash %{unsigned_dir}shim%{efiarchlc}.hash ; then
- echo Invalid signature\! > /dev/stderr - echo Invalid signature\! > /dev/stderr
- echo saved hash is $(cat %{unsigned_dir}shim%{efiarchlc}.hash) > /dev/stderr - echo saved hash is $(cat %{unsigned_dir}shim%{efiarchlc}.hash) > /dev/stderr
- echo shim%{efiarchlc}.efi hash is $(cat shim%{efiarchlc}.hash) > /dev/stderr - echo shim%{efiarchlc}.efi hash is $(cat shim%{efiarchlc}.hash) > /dev/stderr
- exit 1 - exit 1
+ +
+# if we already have a presigned EFI image, then do not do signing -- just +# if we already have a presigned EFI image, then do not do signing -- just
+# use the presigned one. +# use the presigned one.
@ -70,10 +71,10 @@ index 9cfcb2f..f6ce87e
%ifarch x86_64 %ifarch x86_64
-pesign -i %{shimsrcia32} -h -P > shimia32.hash -pesign -i %{shimsrcia32} -h -P > shimia32.hash
-if ! cmp shimia32.hash %{unsigned_dir_ia32}shimia32.hash ; then -if ! cmp shimia32.hash %{unsigned_dir_ia32}shimia32.hash ; then
- echo Invalid signature\! > /dev/stderr - echo Invalid signature\! > /dev/stderr
- echo saved hash is $(cat %{unsigned_dir_ia32}shimia32.hash) > /dev/stderr - echo saved hash is $(cat %{unsigned_dir_ia32}shimia32.hash) > /dev/stderr
- echo shimia32.efi hash is $(cat shimia32.hash) > /dev/stderr - echo shimia32.efi hash is $(cat shimia32.hash) > /dev/stderr
- exit 1 - exit 1
+if [ -e %{unsigned_dir_ia32}%{srcbasenameia32}-presigned.efi ]; then +if [ -e %{unsigned_dir_ia32}%{srcbasenameia32}-presigned.efi ]; then
+ cp %{unsigned_dir_ia32}%{srcbasenameia32}-presigned.efi %{srcbasenameia32}.efi + cp %{unsigned_dir_ia32}%{srcbasenameia32}-presigned.efi %{srcbasenameia32}.efi
+else +else
@ -83,9 +84,9 @@ index 9cfcb2f..f6ce87e
-%endif -%endif
-%endif -%endif
-%ifarch %{rh_signed_arches} -%ifarch %{rh_signed_arches}
-%pesign -s -i %{unsigned_dir}shim%{efiarchlc}.efi -a %{SOURCE1} -c %{SOURCE1} -o shim%{efiarchlc}-%{efidir}.efi -%pesign -s -i %{unsigned_dir}shim%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} -o shim%{efiarchlc}-%{efidir}.efi
-%ifarch x86_64 -%ifarch x86_64
-%pesign -s -i %{unsigned_dir_ia32}shimia32.efi -a %{SOURCE1} -c %{SOURCE1} -o shimia32-%{efidir}.efi -%pesign -s -i %{unsigned_dir_ia32}shimia32.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} -o shimia32-%{efidir}.efi
-%endif -%endif
-%endif -%endif
-%ifarch %{rh_signed_arches} -%ifarch %{rh_signed_arches}
@ -94,54 +95,57 @@ index 9cfcb2f..f6ce87e
%endif %endif
%endif %endif
-%pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE1} -c %{SOURCE1} -%pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name}
-%pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE1} -c %{SOURCE1} -%pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name}
+if [ -e %{unsigned_dir}mm%{efiarchlc}-presigned.efi ]; then +if [ -e %{unsigned_dir}mm%{efiarchlc}-presigned.efi ]; then
+ cp %{unsigned_dir}mm%{efiarchlc}-presigned.efi mm%{efiarchlc}.efi + cp %{unsigned_dir}mm%{efiarchlc}-presigned.efi mm%{efiarchlc}.efi
+else +else
+ %pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE1} -c %{SOURCE1} + %pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name}
+fi +fi
+if [ -e %{unsigned_dir}fb%{efiarchlc}-presigned.efi ]; then +if [ -e %{unsigned_dir}fb%{efiarchlc}-presigned.efi ]; then
+ cp %{unsigned_dir}fb%{efiarchlc}-presigned.efi fb%{efiarchlc}.efi + cp %{unsigned_dir}fb%{efiarchlc}-presigned.efi fb%{efiarchlc}.efi
+else +else
+ %pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE1} -c %{SOURCE1} + %pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name}
+fi +fi
%ifarch x86_64 %ifarch x86_64
%pesign -s -i %{unsigned_dir_ia32}mmia32.efi -o mmia32.efi -a %{SOURCE1} -c %{SOURCE1} %pesign -s -i %{unsigned_dir_ia32}mmia32.efi -o mmia32.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name}
@@ -191,7 +193,7 @@ make %{?_smp_mflags} @@ -196,7 +199,7 @@ make %{?_smp_mflags}
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/ install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/
install -m 0644 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi install -m 0700 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi
-install -m 0644 shim%{efiarchlc}-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi -install -m 0700 shim%{efiarchlc}-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi
+#install -m 0644 shim%{efiarchlc}-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi +#install -m 0700 shim%{efiarchlc}-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi
install -m 0644 mm%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi install -m 0700 mm%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi
install -m 0644 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV install -m 0700 mm%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/MokManager.efi
install -m 0700 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV
@@ -218,7 +221,7 @@ install -m 0700 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV
@@ -211,7 +213,7 @@ install -m 0644 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi
install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi
install -m 0644 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi -install -m 0700 shimia32-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi
install -m 0644 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi +#install -m 0700 shimia32-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi
-install -m 0644 shimia32-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi install -m 0700 mmia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mmia32.efi
+#install -m 0644 shimia32-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi install -m 0700 %{bootsrcia32} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOTIA32.CSV
install -m 0644 mmia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mmia32.efi
install -m 0644 %{bootsrcia32} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOTIA32.CSV
@@ -224,7 +226,7 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
@@ -232,7 +235,7 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
%files -n shim-%{efiarchlc} %files -n shim-%{efiarchlc}
%defattr(0700,root,root,-)
/boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi /boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi
-/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi -/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi
+#/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi +#/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi
/boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi /boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi
/boot/efi/EFI/%{efidir}/MokManager.efi
/boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV /boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV
/boot/efi/EFI/BOOT/BOOT%{efiarch}.EFI @@ -247,7 +250,7 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
@@ -236,7 +238,7 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
%files -n shim-ia32 %files -n shim-ia32
%defattr(0700,root,root,-)
/boot/efi/EFI/%{efidir}/shimia32.efi /boot/efi/EFI/%{efidir}/shimia32.efi
-/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi -/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi
+#/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi +#/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi
/boot/efi/EFI/%{efidir}/mmia32.efi /boot/efi/EFI/%{efidir}/mmia32.efi
/boot/efi/EFI/%{efidir}/BOOTIA32.CSV /boot/efi/EFI/%{efidir}/BOOTIA32.CSV
/boot/efi/EFI/BOOT/BOOTIA32.EFI /boot/efi/EFI/BOOT/BOOTIA32.EFI
--
1.8.3.1
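Review bot: The presigned branch (`if [ -e %{unsigned_dir_ia32}%{srcbasenameia32}-presigned.efi ]; then cp …`) ships whatever file sits at that path as the first-stage Secure Boot loader with no integrity check; the lines it replaces hashed the signed image with `pesign -h -P` and failed the build when the result did not match the saved `shimia32.hash`. I would keep that comparison inside the presigned branch before the `cp`, e.g. `pesign -i %{unsigned_dir_ia32}%{srcbasenameia32}-presigned.efi -h -P > shimia32.hash` followed by `cmp shimia32.hash %{unsigned_dir_ia32}shimia32.hash || exit 1`, assuming the unsigned package still installs that hash file. The `mm%{efiarchlc}-presigned.efi` and `fb%{efiarchlc}-presigned.efi` branches have the same gap, and no saved hash for them is visible here, so they would need a checksum pinned in the spec. The x86_64 shim branch and the `else` arms are collapsed on this page, so this is based on the ia32, mm and fb lines only.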


@ -1 +1 @@
mirror:Source/shim-signed-12-1.el7.centos.src.rpm mirror:Source/shim-signed-15-1.el7.centos.src.rpm