packages/shim
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

shim模块添加安全启动签名

Browse Source
This commit is contained in:
jinlun 2024-02-28 16:50:05 +08:00
parent 3accad21a8
commit 2ec03fcf21
2 changed files with 19 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
openEuler_ca.der Normal file
View File

Binary file not shown.

21
shim.spec
View File

@ -21,11 +21,11 @@
%global shimBOOT /boot/efi/EFI/BOOT/
%global enable_sm 0
%global vendor_cert %{nil}
%global vendor_cert %{SOURCE3}
Name: shim
Version: 15.7
Release: 6
Release: 7
Summary: First-stage UEFI bootloader
ExclusiveArch: x86_64 aarch64
License: BSD
@ -33,6 +33,7 @@ URL: https://github.com/rhboot/shim
Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
Source1: BOOTAA64.CSV
Source2: BOOTX64.CSV
Source3: openEuler_ca.der
Patch1:backport-CVE-2023-40546.patch
Patch2:backport-CVE-2023-40551-pe-relocate-Fix-bounds-check-for-MZ-b.patch
@ -60,6 +61,11 @@ Patch9004:Feature-shim-support-sm2-and-sm3-algorithm.patch
Patch9005:Feature-add-tpcm-support-with-ipmi-channel.patch
BuildRequires: elfutils-libelf-devel openssl-devel openssl git pesign gnu-efi gnu-efi-devel gcc vim-common efivar-devel
%if 0%{?openEuler_sign_rsa}
BuildRequires: sign-openEuler
%endif
%ifarch aarch64
BuildRequires: binutils >= 2.37-7
%endif
@ -115,6 +121,14 @@ cd build-%{efi_arch}
make ${MAKEFLAGS} DEFAULT_LOADER='\\\\grub%{efi_arch}.efi' all
cd ..
%if 0%{?openEuler_sign_rsa}
echo "start sign"
/opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode %{_builddir}/shim-%{version}/build-%{efi_arch}/shim%{efi_arch}.efi
/opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode %{_builddir}/shim-%{version}/build-%{efi_arch}/fb%{efi_arch}.efi
/opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode %{_builddir}/shim-%{version}/build-%{efi_arch}/mm%{efi_arch}.efi
%endif
%install
COMMITID=$(cat commit)
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
@ -172,6 +186,9 @@ make test
/usr/src/debug/%{name}-%{version}-%{release}/*
%changelog
* Wed Feb 28 2024 jinlun <jinlun@huawei.com> - 15.7-7
- add signature for secureboot
* Wed Feb 28 2024 zhengxiaoxiao <zhengxiaoxiao2@huawei.com> - 15.7-6
- fix CVE-2023-3446 CVE-2023-0465 CVE-2023-2650 CVE-2024-0727