From 4cb377d5185e88f351d91af24082982badd6c90b Mon Sep 17 00:00:00 2001
From: huangzq6 <huangzhenqiang2@huawei.com>
Date: Thu, 16 Nov 2023 16:22:32 +0800
Subject: [PATCH] add signature for secureboot

(cherry picked from commit 97675e692008c9637ba8d33ac90ff99dbd0a7ee7)
---
 default-x509ca.der | Bin 0 -> 1529 bytes
 shim.spec          |  21 +++++++++++++++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)
 create mode 100644 default-x509ca.der

diff --git a/default-x509ca.der b/default-x509ca.der
new file mode 100644
index 0000000000000000000000000000000000000000..0fe8086805491fb96302947c3abfa7005b32dba1
GIT binary patch
literal 1529
zcmXqLV*P5+#C&%FGZP~dlOV$h;j@e49+k`s4cswt7OVMf170>xtu~Lg@4SqR+^h@+
zsfOGJoNUaYEX+Ji&W?tB20S1RHxH|4URqJ2p^$+9h|k5tnO~5a=USSRT4X3_zz-5*
z=ivy>NX?4^Vwf@x9!~et#JqHu{JeCSxopBr&VB|8;=D%2hK7bFhNcFFrWR2W{6+?*
z#)bw!F^B-Y9MZ(3gd7BntPIReO#BQ6O-x)&O-zgoS08vtnFgM|S};ZHy!D<dC+g~2
zC#_i0yY#`<##c)?wm$n6#<5nsU$w;dX7@z?p000?%GPI=KRhE4**n)<p)~l`?2l7!
zclgYmA(X5c(eV0su*pI70JBi$S3!4cqY8rp)`~r{PxvdK7^q-U`t?lgr1Sb07^Y1w
zQ~va-|Jl9;7XSBOn>{xzM|I}Ut9x1Adw=P><a_c^UunXVXK&|-G%eAoZhmsed}0Ha
z(%yIXF8sDs63Lm;H}S>eNi%;>`4~}Kz_9Kp@AAWy5f612>r}rLQ9af&=OxGA?Q3mM
zY;s>G&#fAoeu>v=k9t)R^F$r4kMYM2CNtjHwmg4w9n-hU3lmRqoo04;<@tL<$<l(1
z!%=hBD$P=Um!<sV<K9IkY0oqxlKt)d8%`gcel2|#L-YS>yye+5`)XQe&hdQgt#)7c
zFsDw{hb#A=S*>9^Fm>nMLjqH-eD>YBC8#iEvv}4+hC@A9LQec?yUFr4Of%!1c*u<1
ziaSp<eVkm_*ORwnbBtAS#j^^5))xmCFH?N*@%Z0&6Q7^#QnJ%Je9ey2bBCq*hhsg{
zeeO%|TC`nuviL;pn0|u~OWijVfBx|<uA!9sh>*&0g=L|sO!d6ckLp6NRNg6_&3=m^
z&FfM^^p{Kx7TdpJe<TjJ<QYud*)qHQ=x))9xsyaq$_>vuRxjFnV(#nZ^P}Wut7yc%
zD9~nNW@KPo+&I^uah8D)Fqz8=Gcx{X;V@tWQcR4D2C^VAJ{B<+5jp8qlQK-t-t?5b
zVtm+zanaMSwm%KzLDI@B5(Z)o*cI@B6!3%0WC7;THUmXA&V)7(#<m|$jJzx&VnV^0
z>3NAIMWw|h3PJh#B?``t27(ABj38YMjL0b%n2CWYn2|wAAxE-g|5lAHo_33M7kk)q
z>{r{@R;+pVRY2<Y+g%@h_lkzT7EcOKn<OWB&_QGGsk`g#Z>!9`sa*Qk^gv~PhPRup
z3%9QDX;nv$I=;@R01w5@j~U~l-|x<|lt01!KKciPwPDwC-aY$X%&}M@$-Ch7y|Dj`
zkq=z&xJql;?h_1H-<Z8mXYbt0r&!k1JzW0XYW~l@34XrbCo9VN^m%UF(AdD#Sj}_k
z=&gSr-7}8{9pk)lKlO3+AqzW$drr-KA0E_QSgGH?D8w=0_rt<pOnFDWH@z18Xt@98
zAFjpEgbELuJzK}}^~VNVndcUDkDLnvF6xG#x#K#|`k&&AeaY+Ae?4?zZy&qI&P6^|
zmoL25TGV^}&>Ojp{)Lj)b5DHMyUP1|U7l&AmD==-)#aN{CZs+JTi~JE(vb9f4)?1=
znTNjz{?zyp^))5=gN%DF!;B+e45PN6IikkPSI1$X@Qa^~X~u>H<|%&}k_=|f?LR+N
z!nY+N=5uk++@)@O$ytxz`RqNs)INF5Jw@5|n@Z}8Dhzv>lLh=1O>O-@ud{94mIc;R
zzV4ZtaQ|evl*5GB%)ag%L8I!A;nfRd@9?nl-Pzp!r|_r0a#G{kO;^LuO;PyG*m&LW
zVfoJTHM7^x?N*vuA#_#qR<GG?vp98?x`gL53*yD3a<6swxKxOD-@P-hZ+}vL+mU(y
HCD#K0t%G{k

literal 0
HcmV?d00001

diff --git a/shim.spec b/shim.spec
index c1741f6..ed66cbc 100644
--- a/shim.spec
+++ b/shim.spec
@@ -21,11 +21,11 @@
 %global shimBOOT  /boot/efi/EFI/BOOT/
 
 %global enable_sm 0
-%global vendor_cert %{nil}
+%global vendor_cert %{SOURCE3}
 
 Name:	   	   shim
 Version:	   15.6
-Release:	   13
+Release:	   14
 Summary:	   First-stage UEFI bootloader
 ExclusiveArch:     x86_64 aarch64
 License:	   BSD
@@ -33,6 +33,7 @@ URL:	 	   https://github.com/rhboot/shim
 Source0:	   https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
 Source1:	   BOOTAA64.CSV
 Source2:	   BOOTX64.CSV
+Source3:	   default-x509ca.der
 
 Patch1:backport-CVE-2017-3735.patch
 Patch2:backport-CVE-2017-3737.patch
@@ -66,6 +67,11 @@ Patch9003:Feature-shim-cryptlib-support-sm2-signature-verify.patch
 Patch9004:Feature-shim-support-sm2-and-sm3-algorithm.patch
 
 BuildRequires: elfutils-libelf-devel openssl-devel openssl git pesign gnu-efi gnu-efi-devel gcc vim-common efivar-devel
+
+%if 0%{?openEuler_sign_rsa}
+BuildRequires: sign-openEuler
+%endif
+
 %ifarch aarch64
 BuildRequires: binutils >= 2.37-7
 %endif
@@ -121,6 +127,14 @@ cd build-%{efi_arch}
 make ${MAKEFLAGS} DEFAULT_LOADER='\\\\grub%{efi_arch}.efi' all
 cd ..
 
+%if 0%{?openEuler_sign_rsa}
+echo "start sign"
+
+/opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode %{_builddir}/shim-%{version}/build-%{efi_arch}/shim%{efi_arch}.efi
+/opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode %{_builddir}/shim-%{version}/build-%{efi_arch}/fb%{efi_arch}.efi
+/opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode %{_builddir}/shim-%{version}/build-%{efi_arch}/mm%{efi_arch}.efi
+%endif
+
 %install
 COMMITID=$(cat commit)
 MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
@@ -178,6 +192,9 @@ make test
 /usr/src/debug/%{name}-%{version}-%{release}/*
 
 %changelog
+* Thu Nov 16 2023 huangzq6 <huangzhenqiang2@huawei.com> - 15.6-14
+- add signature for secureboot
+
 * Tue Nov 7 2023 jinlun <jinlun@huawei.com> - 15.6-13
 - fix CVE-2023-40546
 
-- 
Gitee