From 42616597861a7b940fe65e44f16c6925ddc46aa0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AF=92=E6=B1=9F=E8=88=9F?=
Date: Mon, 26 Feb 2024 15:48:45 +0000
Subject: [PATCH 1/4] =?UTF-8?q?shim=E6=A8=A1=E5=9D=97=E6=B7=BB=E5=8A=A0?=
 =?UTF-8?q?=E5=AE=89=E5=85=A8=E5=90=AF=E5=8A=A8=E7=AD=BE=E5=90=8D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: 寒江舟
---
 shim.spec | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/shim.spec b/shim.spec
index ed13b46..dba474d 100644
--- a/shim.spec
+++ b/shim.spec
@@ -21,11 +21,11 @@
 %global shimBOOT /boot/efi/EFI/BOOT/
 %global enable_sm 0
-%global vendor_cert %{nil}
+%global vendor_cert %{SOURCE3}
 Name: shim
 Version: 15.7
-Release: 5
+Release: 6
 Summary: First-stage UEFI bootloader
 ExclusiveArch: x86_64 aarch64
 License: BSD
@@ -33,6 +33,7 @@ URL: https://github.com/rhboot/shim
 Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
 Source1: BOOTAA64.CSV
 Source2: BOOTX64.CSV
+Source3: openEuler_ca.der

 Patch1:backport-CVE-2023-40546.patch
 Patch2:backport-CVE-2023-40551-pe-relocate-Fix-bounds-check-for-MZ-b.patch
@@ -56,6 +57,11 @@ Patch9004:Feature-shim-support-sm2-and-sm3-algorithm.patch
 Patch9005:Feature-add-tpcm-support-with-ipmi-channel.patch

 BuildRequires: elfutils-libelf-devel openssl-devel openssl git pesign gnu-efi gnu-efi-devel gcc vim-common efivar-devel
+
+%if 0%{?openEuler_sign_rsa}
+BuildRequires: sign-openEuler
+%endif
+
 %ifarch aarch64
 BuildRequires: binutils >= 2.37-7
 %endif
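Review bot: `%global vendor_cert %{SOURCE3}` in the first hunk references Source3 before the `Source3:` tag is declared, and as far as I recall `%global` expands its body at definition time, so this only works because rpm leaves the still-undefined `%{SOURCE3}` verbatim and resolves it on the second expansion where `%{vendor_cert}` is consumed. Using the lazy form `%define vendor_cert %{SOURCE3}`, or placing the assignment after the `Source3:` line, makes the intent explicit instead of depending on that behaviour. The vendor certificate is also embedded unconditionally, whereas the Authenticode signing added in the same series is gated on `openEuler_sign_rsa`; if that asymmetry is intended it deserves a comment such as `# vendor cert is always embedded; only the signing of shim itself is conditional`. The surrounding spec header continues outside this hunk.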
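Review bot: `Source3: openEuler_ca.der` is the only description of a file that becomes the root of trust for every binary shim loads, so the spec should pin it rather than accept whatever DER blob sits beside it: record the expected SHA-256 fingerprint in a comment next to the tag and fail `%prep` when `openssl x509 -inform der -in %{SOURCE3} -noout -fingerprint -sha256` (openssl is already in BuildRequires) does not match. Within this series the file first lands as `openEuler_ca.der.der` (PATCH 2/4), is deleted again (3/4) and only appears under the referenced name in PATCH 4/4, so PATCH 1/4 on its own cannot build for want of Source3; squashing 2–4 into 1 keeps the series bisectable. A one-line comment stating what the certificate is for, e.g. `# openEuler secure-boot CA, embedded as the shim vendor certificate (VENDOR_CERT_FILE)`, would also help the next maintainer, though the exact build variable it feeds is outside this hunk.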
@@ -111,6 +117,14 @@ cd build-%{efi_arch} make ${MAKEFLAGS} DEFAULT_LOADER='\\\\grub%{efi_arch}.efi' all cd .. +%if 0%{?openEuler_sign_rsa} +echo "start sign" + +/opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode %{_builddir}/shim-%{version}/build-%{efi_arch}/shim%{efi_arch}.efi +/opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode %{_builddir}/shim-%{version}/build-%{efi_arch}/fb%{efi_arch}.efi +/opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode %{_builddir}/shim-%{version}/build-%{efi_arch}/mm%{efi_arch}.efi +%endif + %install COMMITID=$(cat commit) MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} " @@ -168,6 +182,9 @@ make test /usr/src/debug/%{name}-%{version}-%{release}/* %changelog +* Mon Feb 26 2024 huangzq6 - 15.7-6 +- add signature for secureboot + * Mon Feb 19 2024 jinlun -15.7-5 - fix CVE-2023-0464 -- Gitee From 7842159e2f52fbdc9430ca0fbf8d467c11bdd3d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=AF=92=E6=B1=9F=E8=88=9F?= Date: Mon, 26 Feb 2024 15:51:45 +0000 Subject: [PATCH 2/4] =?UTF-8?q?=E6=96=B0=E5=A2=9EopenEuler=E5=AE=89?= =?UTF-8?q?=E5=85=A8=E5=90=AF=E5=8A=A8=E6=A0=B9=E8=AF=81=E4=B9=A6=E6=96=87?= =?UTF-8?q?=E4=BB=B6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 寒江舟 --- openEuler_ca.der.der | Bin 0 -> 1529 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 openEuler_ca.der.der 
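Review bot: The three `/opt/sign-openEuler/client ... add` invocations in the %build hunk never confirm that a signature was actually attached, so a signing service that returns success without signing, or a mis-targeted `--file-type`/`--key-name`, would still yield a package whose changelog claims secure-boot signing; pesign is already in BuildRequires, so each image should be inspected after signing and the build aborted if it is still unsigned. I assume rpmbuild runs %build under `sh -e`, so a non-zero exit from the client already aborts and the check below is for the silent-success case; the exact text pesign prints for an unsigned image should be confirmed against the version in the build root. The three commands differ only in the image name and read better as a loop over `shim fb mm`, and `echo "start sign"` adds nothing the rpmbuild log does not already show. The %build section starts before this hunk.
```rpmspec
%if 0%{?openEuler_sign_rsa}
# Authenticode-sign each EFI image, then refuse to continue if any of them is still unsigned.
for img in shim fb mm; do
    efi=%{_builddir}/shim-%{version}/build-%{efi_arch}/${img}%{efi_arch}.efi
    /opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode "${efi}"
    # pesign -S lists the signers; an image reporting no signatures must not be shipped
    if pesign -S -i "${efi}" | grep -qi 'no signatures'; then
        echo "error: ${efi} has no Authenticode signature after signing" >&2
        exit 1
    fi
done
%endif
```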
diff --git a/openEuler_ca.der.der b/openEuler_ca.der.der new file mode 100644 index 0000000000000000000000000000000000000000..0fe8086805491fb96302947c3abfa7005b32dba1 GIT binary patch literal 1529 zcmXqLV*P5+#C&%FGZP~dlOV$h;j@e49+k`s4cswt7OVMf170>xtu~Lg@4SqR+^h@+ zsfOGJoNUaYEX+Ji&W?tB20S1RHxH|4URqJ2p^$+9h|k5tnO~5a=USSRT4X3_zz-5* z=ivy>NX?4^Vwf@x9!~et#JqHu{JeCSxopBr&VB|8;=D%2hK7bFhNcFFrWR2W{6+?* z#)bw!F^B-Y9MZ(3gd7BntPIReO#BQ6O-x)&O-zgoS08vtnFgM|S};ZHy!D{xzM|I}Ut9x1Adw=P>eNi%;>`4~}Kz_9Kp@AAWy5f612>r}rLQ9af&=OxGA?Q3mM zY;s>G&#fAoeu>v=k9t)R^F$r4kMYM2CNtjHwmg4w9n-hU3lmRqoo04;<@tL<$yye+5`)XQe&hdQgt#)7c zFsDw{hb#A=S*>9^Fm>nMLjqH-eD>YBC8#iEvv}4+hC@A9LQec?yUFr4Of%!1c*u<1 ziaSp*&0g=L|sO!d6ckLp6NRNg6_&3=m^ z&FfM^^p{Kx7TdpJevuRxjFnV(#nZ^P}Wut7yc% zD9~nNW@KPo+&I^uah8D)Fqz8=Gcx{X;V@tWQcR4D2C^VAJ{B<+5jp8qlQK-t-t?5b zVtm+zanaMSwm%KzLDI@B5(Z)o*cI@B6!3%0WC7;THUmXA&V)7(#3NAIMWw|h3PJh#B?``t27(ABj38YMjL0b%n2CWYn2|wAAxE-g|5lAHo_33M7kk)q z>{r{@R;+pVRY2!9`sa*Qk^gv~PhPRup z3%9QDX;nv$I=;@R01w5@j~U~l-|x<|lt01!KKciPwPDwC-aY$X%&}M@$-Ch7y|Dj` zkq=z&xJql;?h_1H-Ojp{)Lj)b5DHMyUP1|U7l&AmD==-)#aN{CZs+JTi~JE(vb9f4)?1= znTNjz{?zyp^))5=gN%DF!;B+e45PN6IikkPSI1$X@Qa^~X~u>H<|%&}k_=|f?LR+N z!nY+N=5uk++@)@O$ytxz`RqNs)INF5Jw@5|n@Z}8Dhzv>lLh=1O>O-@ud{94mIc;R zzV4ZtaQ|evl*5GB%)ag%L8I!A;nfRd@9?nl-Pzp!r|_r0a#G{kO;^LuO;PyG*m&LW zVfoJTHM7^x?N*vuA#_#qR Date: Tue, 27 Feb 2024 01:23:32 +0000 Subject: [PATCH 3/4] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20open?= =?UTF-8?q?Euler=5Fca.der.der?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- openEuler_ca.der.der | Bin 1529 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 openEuler_ca.der.der 
diff --git a/openEuler_ca.der.der b/openEuler_ca.der.der deleted file mode 100644 index 0fe8086805491fb96302947c3abfa7005b32dba1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1529 zcmXqLV*P5+#C&%FGZP~dlOV$h;j@e49+k`s4cswt7OVMf170>xtu~Lg@4SqR+^h@+ zsfOGJoNUaYEX+Ji&W?tB20S1RHxH|4URqJ2p^$+9h|k5tnO~5a=USSRT4X3_zz-5* z=ivy>NX?4^Vwf@x9!~et#JqHu{JeCSxopBr&VB|8;=D%2hK7bFhNcFFrWR2W{6+?* z#)bw!F^B-Y9MZ(3gd7BntPIReO#BQ6O-x)&O-zgoS08vtnFgM|S};ZHy!D{xzM|I}Ut9x1Adw=P>eNi%;>`4~}Kz_9Kp@AAWy5f612>r}rLQ9af&=OxGA?Q3mM zY;s>G&#fAoeu>v=k9t)R^F$r4kMYM2CNtjHwmg4w9n-hU3lmRqoo04;<@tL<$yye+5`)XQe&hdQgt#)7c zFsDw{hb#A=S*>9^Fm>nMLjqH-eD>YBC8#iEvv}4+hC@A9LQec?yUFr4Of%!1c*u<1 ziaSp*&0g=L|sO!d6ckLp6NRNg6_&3=m^ z&FfM^^p{Kx7TdpJevuRxjFnV(#nZ^P}Wut7yc% zD9~nNW@KPo+&I^uah8D)Fqz8=Gcx{X;V@tWQcR4D2C^VAJ{B<+5jp8qlQK-t-t?5b zVtm+zanaMSwm%KzLDI@B5(Z)o*cI@B6!3%0WC7;THUmXA&V)7(#3NAIMWw|h3PJh#B?``t27(ABj38YMjL0b%n2CWYn2|wAAxE-g|5lAHo_33M7kk)q z>{r{@R;+pVRY2!9`sa*Qk^gv~PhPRup z3%9QDX;nv$I=;@R01w5@j~U~l-|x<|lt01!KKciPwPDwC-aY$X%&}M@$-Ch7y|Dj` zkq=z&xJql;?h_1H-Ojp{)Lj)b5DHMyUP1|U7l&AmD==-)#aN{CZs+JTi~JE(vb9f4)?1= znTNjz{?zyp^))5=gN%DF!;B+e45PN6IikkPSI1$X@Qa^~X~u>H<|%&}k_=|f?LR+N z!nY+N=5uk++@)@O$ytxz`RqNs)INF5Jw@5|n@Z}8Dhzv>lLh=1O>O-@ud{94mIc;R zzV4ZtaQ|evl*5GB%)ag%L8I!A;nfRd@9?nl-Pzp!r|_r0a#G{kO;^LuO;PyG*m&LW zVfoJTHM7^x?N*vuA#_#qR Date: Tue, 27 Feb 2024 01:26:18 +0000 Subject: [PATCH 4/4] =?UTF-8?q?=E9=87=8D=E5=91=BD=E5=90=8DopenEuler=20CA?= =?UTF-8?q?=E8=AF=81=E4=B9=A6=E6=96=87=E4=BB=B6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 寒江舟 --- openEuler_ca.der | Bin 0 -> 1529 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 openEuler_ca.der 
diff --git a/openEuler_ca.der b/openEuler_ca.der new file mode 100644 index 0000000000000000000000000000000000000000..0fe8086805491fb96302947c3abfa7005b32dba1 GIT binary patch literal 1529 zcmXqLV*P5+#C&%FGZP~dlOV$h;j@e49+k`s4cswt7OVMf170>xtu~Lg@4SqR+^h@+ zsfOGJoNUaYEX+Ji&W?tB20S1RHxH|4URqJ2p^$+9h|k5tnO~5a=USSRT4X3_zz-5* z=ivy>NX?4^Vwf@x9!~et#JqHu{JeCSxopBr&VB|8;=D%2hK7bFhNcFFrWR2W{6+?* z#)bw!F^B-Y9MZ(3gd7BntPIReO#BQ6O-x)&O-zgoS08vtnFgM|S};ZHy!D{xzM|I}Ut9x1Adw=P>eNi%;>`4~}Kz_9Kp@AAWy5f612>r}rLQ9af&=OxGA?Q3mM zY;s>G&#fAoeu>v=k9t)R^F$r4kMYM2CNtjHwmg4w9n-hU3lmRqoo04;<@tL<$yye+5`)XQe&hdQgt#)7c zFsDw{hb#A=S*>9^Fm>nMLjqH-eD>YBC8#iEvv}4+hC@A9LQec?yUFr4Of%!1c*u<1 ziaSp*&0g=L|sO!d6ckLp6NRNg6_&3=m^ z&FfM^^p{Kx7TdpJevuRxjFnV(#nZ^P}Wut7yc% zD9~nNW@KPo+&I^uah8D)Fqz8=Gcx{X;V@tWQcR4D2C^VAJ{B<+5jp8qlQK-t-t?5b zVtm+zanaMSwm%KzLDI@B5(Z)o*cI@B6!3%0WC7;THUmXA&V)7(#3NAIMWw|h3PJh#B?``t27(ABj38YMjL0b%n2CWYn2|wAAxE-g|5lAHo_33M7kk)q z>{r{@R;+pVRY2!9`sa*Qk^gv~PhPRup z3%9QDX;nv$I=;@R01w5@j~U~l-|x<|lt01!KKciPwPDwC-aY$X%&}M@$-Ch7y|Dj` zkq=z&xJql;?h_1H-Ojp{)Lj)b5DHMyUP1|U7l&AmD==-)#aN{CZs+JTi~JE(vb9f4)?1= znTNjz{?zyp^))5=gN%DF!;B+e45PN6IikkPSI1$X@Qa^~X~u>H<|%&}k_=|f?LR+N z!nY+N=5uk++@)@O$ytxz`RqNs)INF5Jw@5|n@Z}8Dhzv>lLh=1O>O-@ud{94mIc;R zzV4ZtaQ|evl*5GB%)ag%L8I!A;nfRd@9?nl-Pzp!r|_r0a#G{kO;^LuO;PyG*m&LW zVfoJTHM7^x?N*vuA#_#qR