From 7309cd6e65f260ab07bef677a2129c2a84e8769a Mon Sep 17 00:00:00 2001
From: Qin Fandong
Date: Thu, 31 Jul 2025 13:51:11 +0800
Subject: [PATCH] Add shim to dnf protected packages list

(cherry picked from commit 45d19ed6bd5e5007db571c5627a2c369813d4b37)
---
 shim.conf | 1 +
 shim.spec | 11 ++++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 shim.conf

diff --git a/shim.conf b/shim.conf
new file mode 100644
index 0000000..39cc4ff
--- /dev/null
+++ b/shim.conf
@@ -0,0 +1 @@
+shim
diff --git a/shim.spec b/shim.spec
index 97dedce..be2f244 100644
--- a/shim.spec
+++ b/shim.spec
@@ -25,7 +25,7 @@
 
 Name: shim
 Version: 15.7
-Release: 16
+Release: 17
 Summary: First-stage UEFI bootloader
 ExclusiveArch: x86_64 aarch64
 License: BSD
@@ -36,6 +36,7 @@ Source2: BOOTX64.CSV
 Source3: openEuler_ca.der
 Source4: shimaa64-cfca.efi
 Source5: shimx64-cfca.efi
+Source6: shim.conf
 
 Patch1:backport-CVE-2023-40546.patch
 Patch2:backport-CVE-2023-40551-pe-relocate-Fix-bounds-check-for-MZ-b.patch
@@ -180,6 +181,10 @@ install -m 644 fb%{efi_arch}.efi.debug ${RPM_BUILD_ROOT}/usr/lib/debug/%{shimefi
 install -m 644 mm%{efi_arch}.efi.debug ${RPM_BUILD_ROOT}/usr/lib/debug/%{shimefivendor}
 install -m 644 shim%{efi_arch}.efi.debug ${RPM_BUILD_ROOT}/usr/lib/debug/%{shimefivendor}
 
+# install dnf protection config
+install -d $RPM_BUILD_ROOT%{_sysconfdir}/dnf/protected.d/
+install -m 0644 %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir}/dnf/protected.d/
+
 cd ..
 
 %check
@@ -193,6 +198,7 @@ make test
 %{shimefivendor}/%{bootcsv}
 %{shimefivendor}/*.efi
 %{shimefivendor}/*.hash
+%{_sysconfdir}/dnf/protected.d/shim.conf
 
 %files signed
 %ifarch aarch64
@@ -213,6 +219,9 @@ make test
 /usr/src/debug/%{name}-%{version}-%{release}/*
 
 %changelog
+* Thu Jul 31 2025 Qin Fandong - 15.7-17
+- Add shim to dnf protected packages list
+
 * Mon Jan 20 2025 xuce -15.7-16
 - fix the issue that the gBS->LoadImage pointer was empty.
 
--
Gitee
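Review bot: The two added install lines in the `-180,6 +181,10` hunk write `$RPM_BUILD_ROOT`, while the context lines directly above them use `${RPM_BUILD_ROOT}`, and the copy relies on the source file's basename matching the `shim.conf` path listed in %files. Naming the destination explicitly keeps the two in step: `install -D -m 0644 %{SOURCE6} ${RPM_BUILD_ROOT}%{_sysconfdir}/dnf/protected.d/shim.conf`. The comment could also state the scope of the guard, for example `# dnf refuses to remove packages listed under protected.d; removal with rpm -e is not blocked`. The %install section starts and ends outside this hunk.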
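Review bot: The new `%{_sysconfdir}/dnf/protected.d/shim.conf` entry in the `-193,6 +198,7` hunk ships the guard in the main package, and the file names only `shim`, so the subpackage whose `%files signed` section begins right below it is not covered by the dnf removal protection. If that subpackage (presumably `shim-signed`; its file list is outside this hunk) carries the signed EFI binaries that the firmware actually boots, consider listing its package name as a second line in shim.conf. The entry also has no `%config` marker, so a locally edited or emptied file is replaced on upgrade. That looks like the safer behaviour for a guard file, and a one-line comment such as `# not %config on purpose: upgrades must restore the protection entry` would keep a later cleanup from switching it to `%config(noreplace)`.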