%global openssl_vre 1.0.2j

%global shimrootdir %{_datadir}/shim/
%global shimversiondir %{shimrootdir}/15.4-5
%global efiarch x64
%global shimdir %{shimversiondir}/%{efiarch}
%global efialtarch ia32
%global shimaltdir %{shimversiondir}/%{efialtarch}

# THIS IS A COMPLETE HACK
# WE USE THE FILES FROM FEDORA'S PRECOMPILED SHIM-UNSIGNED AND SHIM RPMS AND RE-PACKAGE THEM
# WE DO THIS TO RETAIN SECUREBOOT COMPATIBILITY
# WE ALSO USE OLDER VERSION 15.4 DUE TO THIS BUG WHICH PREVENTS SOME OLD SYSTEMS FROM BOOTING:
# https://bugzilla.redhat.com/show_bug.cgi?id=2113005
# THE VERSION 15.6-X IS JUST FOR VERSION DEPENDENCY COMPATIBILITY

Name: shim-unsigned-%{efiarch}
Version: 15.6
Release: 4
Summary: First-stage UEFI bootloader
ExclusiveArch: x86_64
License: BSD
URL: https://github.com/rhboot/shim
Source0: fedora-precompiled-15.4.tar.gz

# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
# compatible with SysV (there's no red zone under UEFI) and there isn't a
# POSIX-style C library.
# BuildRequires: OpenSSL
Provides: bundled(openssl) = %{openssl_vre}

%global desc \
Initial UEFI bootloader that handles chaining to a trusted full \
bootloader under secure boot environments.

%description
%desc

%package -n shim-unsigned-%{efialtarch}
Summary: First-stage UEFI bootloader (unsigned data)
Provides: bundled(openssl) = %{openssl_vre}

%description -n shim-unsigned-%{efialtarch}
%desc

%prep
tar -xf %{SOURCE0}

%install
mv usr %{buildroot}/

%files
%license COPYRIGHT
%dir %{shimrootdir}
%dir %{shimversiondir}
%dir %{shimdir}
%{shimdir}/*.efi
%{shimdir}/*.hash
%{shimdir}/*.CSV

%files -n shim-unsigned-%{efialtarch}
%license COPYRIGHT
%dir %{shimrootdir}
%dir %{shimversiondir}
%dir %{shimaltdir}
%{shimaltdir}/*.efi
%{shimaltdir}/*.hash
%{shimaltdir}/*.CSV

%changelog
* Tue Jun 07 2022 Peter Jones - 15.6-1
- Update to shim-15.6
  Resolves: CVE-2022-28737

* Thu Mar 10 2022 Peter Jones - 15.5-1
- Update to shim 15.5
- lots of minor fixes

* Tue Mar 30 2021 Peter Jones - 15.4-1
- Update to shim 15.4
- Support for revocations via the ".sbat" section and SBAT EFI variable
- A new unit test framework and a bunch of unit tests
- No external gnu-efi dependency
- Better CI
  Resolves: CVE-2020-14372
  Resolves: CVE-2020-25632
  Resolves: CVE-2020-25647
  Resolves: CVE-2020-27749
  Resolves: CVE-2020-27779
  Resolves: CVE-2021-20225
  Resolves: CVE-2021-20233

* Wed Mar 24 2021 Peter Jones - 15.3-0~1
- Update to shim 15.3
- Support for revocations via the ".sbat" section and SBAT EFI variable
- A new unit test framework and a bunch of unit tests
- No external gnu-efi dependency
- Better CI
  Resolves: CVE-2020-14372
  Resolves: CVE-2020-25632
  Resolves: CVE-2020-25647
  Resolves: CVE-2020-27749
  Resolves: CVE-2020-27779
  Resolves: CVE-2021-20225
  Resolves: CVE-2021-20233

* Thu Apr 05 2018 Peter Jones - 15-1
- Update to shim 15
- better checking for bad linker output
- flicker-free console if there's no error output
- improved http boot support
- better protocol re-installation
- dhcp proxy support
- tpm measurement even when verification is disabled
- REQUIRE_TPM build flag
- more reproducible builds
- measurement of everything verified through shim_verify()
- coverity and scan-build checker make targets
- misc cleanups

* Fri Feb 09 2018 Fedora Release Engineering - 13-0.2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

* Fri Aug 18 2017 Peter Jones - 13-0.1
- Make a new shim-unsigned-x64 package like the shim-unsigned-aarch64 one.
- This will (eventually) supersede what's in the "shim" package so we can
  make "shim" hold the signed one, which will confuse fewer people.