diff --git a/default-x509ca.der b/default-x509ca.der
new file mode 100644
index 0000000000000000000000000000000000000000..0fe8086805491fb96302947c3abfa7005b32dba1
Binary files /dev/null and b/default-x509ca.der differ
diff --git a/shim.spec b/shim.spec
index c1741f6406533b7a68796bbf00e84784bdc29487..ed66cbc79554f040a36a8bea1673355216231ba6 100644
--- a/shim.spec
+++ b/shim.spec
@@ -21,11 +21,11 @@
 %global shimBOOT /boot/efi/EFI/BOOT/
 %global enable_sm 0
-%global vendor_cert %{nil}
+%global vendor_cert %{SOURCE3}
 Name: shim
 Version: 15.6
-Release: 13
+Release: 14
 Summary: First-stage UEFI bootloader
 ExclusiveArch: x86_64 aarch64
 License: BSD
@@ -33,6 +33,7 @@ URL: https://github.com/rhboot/shim
 Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
 Source1: BOOTAA64.CSV
 Source2: BOOTX64.CSV
+Source3: default-x509ca.der
 Patch1:backport-CVE-2017-3735.patch
 Patch2:backport-CVE-2017-3737.patch
@@ -66,6 +67,11 @@ Patch9003:Feature-shim-cryptlib-support-sm2-signature-verify.patch
 Patch9004:Feature-shim-support-sm2-and-sm3-algorithm.patch
 BuildRequires: elfutils-libelf-devel openssl-devel openssl git pesign gnu-efi gnu-efi-devel gcc vim-common efivar-devel
+
+%if 0%{?openEuler_sign_rsa}
+BuildRequires: sign-openEuler
+%endif
+
 %ifarch aarch64
 BuildRequires: binutils >= 2.37-7
 %endif
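Review bot: `%global vendor_cert %{SOURCE3}` makes an opaque binary blob the certificate that shim presumably embeds as its vendor trust anchor, yet nothing in the spec says which CA it is or lets a builder confirm the file is the intended one; the only pin is the blob id in the new-file header (0fe8086805491fb96302947c3abfa7005b32dba1). I would add a comment above the `Source3: default-x509ca.der` line in the second hunk recording the subject and SHA-256 fingerprint, e.g. `# Vendor CA embedded into shim (vendor_cert); subject / SHA-256 fingerprint: <FILL IN>`, and in %prep (outside these hunks) compare `openssl x509 -inform der -in %{SOURCE3} -noout -fingerprint -sha256` against that value so a swapped .der fails the build instead of shipping. Note also that `%global` expands its body when the line is parsed, which is before the Source3: tag has defined %{SOURCE3}; it presumably works because the unexpanded text is expanded again where vendor_cert is used, but placing the `%global` below the Source tags would remove the dependence on that behaviour.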
@@ -121,6 +127,14 @@ cd build-%{efi_arch}
 make ${MAKEFLAGS} DEFAULT_LOADER='\\\\grub%{efi_arch}.efi' all
 cd ..
+%if 0%{?openEuler_sign_rsa}
+echo "start sign"
+
+/opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode %{_builddir}/shim-%{version}/build-%{efi_arch}/shim%{efi_arch}.efi
+/opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode %{_builddir}/shim-%{version}/build-%{efi_arch}/fb%{efi_arch}.efi
+/opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode %{_builddir}/shim-%{version}/build-%{efi_arch}/mm%{efi_arch}.efi
+%endif
+
 %install
 COMMITID=$(cat commit)
 MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
@@ -178,6 +192,9 @@ make test
 /usr/src/debug/%{name}-%{version}-%{release}/*
 %changelog
+* Thu Nov 16 2023 huangzq6 - 15.6-14
+- add signature for secureboot
+
 * Tue Nov 7 2023 jinlun - 15.6-13
 - fix CVE-2023-40546
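Review bot: The three added signing commands are copies differing only in the image name, and none of them checks afterwards that a signature is actually present on the output or that it was made by the expected signer; the client's non-zero exit presumably aborts the build under rpmbuild's shell, but a client that exits 0 without signing would let unsigned images through silently. I would fold them into a loop over `shim fb mm`, keep the tool path and config in one shell variable instead of repeating `/opt/sign-openEuler/...` three times, use the `build-%{efi_arch}/` relative path the surrounding `cd` lines already work from, and verify each image with pesign (already in BuildRequires) against the expected signer name before leaving %build; the `echo "start sign"` and the stray blank line can go. Whether `default-x509ee` chains to the CA in default-x509ca.der is not visible here and should be confirmed against the signing service's configuration. The %build section this sits in begins before the hunk.
```spec
%if 0%{?openEuler_sign_rsa}
sign_client="/opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml"
for img in shim fb mm; do
    efi="build-%{efi_arch}/${img}%{efi_arch}.efi"
    ${sign_client} add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode "${efi}"
    # refuse to continue unless pesign reports a signature from the expected signer
    pesign -S -i "${efi}" | grep -q "The signer's common name is <EXPECTED-SIGNER-CN>"
done
%endif
```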