File shim.spec of Package shim

# spec file for package shim
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via

# needssslcertforbuild

Name:           shim
Version:        0.7
Release:        0
Summary:        UEFI shim loader
License:        BSD-2-Clause
Group:          System/Boot
Source:         %{name}-%{version}.tar.bz2
# run " shim.efi" where shim.efi is the binary
# with the signature from the UEFI signing service.
Source1:        signature-opensuse.asc
Source2:        openSUSE-UEFI-CA-Certificate.crt
Source3:        shim-install
Source4:        SLES-UEFI-CA-Certificate.crt
Source9:        openSUSE-UEFI-CA-Certificate-4096.crt
Source12:       signature-sles.asc
# PATCH-FIX-UPSTREAM shim-fix-verify-mok.patch -- Fix the error handling in verify_mok()
Patch1:         shim-fix-verify-mok.patch
# PATCH-FIX-UPSTREAM shim-improve-error-messages.patch -- Improve the error messages
Patch2:         shim-improve-error-messages.patch
# PATCH-FIX-UPSTREAM shim-correct-user_insecure-usage.patch -- Correct the usage of the user insecure mode variable
Patch3:         shim-correct-user_insecure-usage.patch
# PATCH-FIX-UPSTREAM shim-fix-dhcpv4-path-generation.patch -- Fix path generation for DHCPv4 bootloader
Patch4:         shim-fix-dhcpv4-path-generation.patch
# PATCH-FIX-UPSTREAM shim-mokx-support.patch -- Support MOK blacklist
Patch5:         shim-mokx-support.patch
# PATCH-FIX-UPSTREAM shim-mokmanager-handle-keystroke-error.patch -- Handle the error status from ReadKeyStroke to avoid the unexpected keys
Patch6:         shim-mokmanager-handle-keystroke-error.patch
# PATCH-FIX-SUSE shim-only-os-name.patch -- Only include the OS name in version.c
Patch7:         shim-only-os-name.patch
# PATCH-FIX-UPSTREAM shim-get-variable-check.patch -- Fix the variable checking in get_variable_attr 
Patch8:         shim-get-variable-check.patch
# PATCH-FIX-UPSTREAM shim-fallback-improve--entries-creation.patch -- Improve the boot entry pathes and avoid generating the boot entries that are already there 
Patch9:         shim-fallback-improve-entries-creation.patch
# PATCH-FIX-UPSTREAM shim-bnc863205-mokmanager-fix-hash-delete.patch bnc#863205 -- Fix the hash deletion operation to avoid ruining the whole list
Patch10:        shim-bnc863205-mokmanager-fix-hash-delete.patch
# PATCH-FIX-UPSTREAM shim-fallback-avoid-duplicate-bootorder.patch -- Fix the duplicate BootOrder entries generated by fallback.efi
Patch11:        shim-fallback-avoid-duplicate-bootorder.patch
# PATCH-FIX-UPSTREAM shim-allow-fallback-use-system-loadimage.patch bnc#868342 -- Handle the shim protocol properly to keep only one protocol entity
Patch12:        shim-allow-fallback-use-system-loadimage.patch
# PATCH-FIX-UPSTREAM shim-mokmanager-delete-bs-var-right.patch -- Delete BootService non-volatile variables the right way
Patch13:        shim-mokmanager-delete-bs-var-right.patch
# PATCH-FIX-UPSTREAM shim-fix-uninitialized-variable.patch -- Initialize the variable in lib properly
Patch14:        shim-fix-uninitialized-variable.patch
# PATCH-FIX-UPSTREAM shim-mokmanager-support-sha-family.patch -- Support SHA hashes in MOK
Patch15:        shim-mokmanager-support-sha-family.patch
# PATCH-FIX-UPSTREAM shim-remove-unused-variables.patch -- Remove unused variables
Patch16:        shim-remove-unused-variables.patch
# PATCH-FIX-UPSTREAM shim-bnc872503-check-key-encoding.patch bnc#872503 -- Check the key encoding before using it
Patch17:        shim-bnc872503-check-key-encoding.patch
# PATCH-FIX-UPSTREAM shim-bnc877003-fetch-from-the-same-device.patch bnc#877003 -- Fetch the netboot image from the same device
Patch18:        shim-bnc877003-fetch-from-the-same-device.patch
Patch19:        bug-889332_shim-mok-oob.patch
Patch20:        bug-889332_shim-overflow.patch

BuildRequires:  gnu-efi >= 3.0t
BuildRequires:  mozilla-nss-tools
BuildRequires:  openssl >= 0.9.8
BuildRequires:  pesign
BuildRequires:  pesign-obs-integration
Requires:       perl-Bootloader
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
# For shim-install script
Requires:       grub2-efi
ExclusiveArch:  x86_64

shim is a trivial EFI application that, when run, attempts to open and
execute another application.

    Matthew Garrett <>

%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1

# first, build MokManager and fallback as they don't depend on a
# specific certificate
make EFI_PATH=/usr/lib64 MokManager.efi fallback.efi 2>/dev/null

# now build variants of shim that embed different certificates
suffixes=(opensuse sles)
# check whether the project cert is a known one. If it is we build
# just one shim that embeds this specific cert. If it's a devel
# project we build all variants to simplify testing.
if test -e %{_sourcedir}/_projectcert.crt ; then
    prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash)
    prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash)
    opensusesubject=$(openssl x509 -in %{SOURCE2} -noout -subject_hash)
    slessubject=$(openssl x509 -in %{SOURCE4} -noout -subject_hash)
    if test "$prjissuer" = "$opensusesubject" ; then 
    elif test "$prjissuer" = "$slessubject" ; then
    elif test "$prjsubject" = "$prjissuer" ; then
	suffixes=(devel opensuse sles)

for suffix in "${suffixes[@]}"; do
    if test "$suffix" = "opensuse"; then
	verify='openSUSE Secure Boot CA1'
    elif test "$suffix" = "sles"; then
	verify='SUSE Linux Enterprise Secure Boot CA1'
    elif test "$suffix" = "devel"; then
	verify=`openssl x509 -in "$cert" -noout -email`
	test -e "$cert" || continue
	echo "invalid suffix"

    openssl x509 -in $cert -outform DER -out shim-$suffix.der
    rm -f shim_cert.h shim.cer shim.crt
    if [ -z "$cert2" ]; then
	    # create empty local cert file, we don't need a local key pair as we
	    # sign the mokmanager with our vendor key
	    touch shim.crt
	    touch shim.cer
	    cp $cert2 shim.crt
    # make sure cast warnings don't trigger post build check
    make EFI_PATH=/usr/lib64 VENDOR_CERT_FILE=shim-$suffix.der shim.efi 2>/dev/null
    # assert correct certificate embedded
    grep -q "$verify" shim.efi
    # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
    chmod 755 %{SOURCE10}
    # alternative: verify signature
    #sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi
    if test -n "$signature"; then
        head -1 "$signature" > hash1
        cp shim.efi shim.efi.bak
        # pe header contains timestamp and checksum. we need to
        # restore that
        %{SOURCE10} --set-from-file "$signature" shim.efi
        pesign -h -P -i shim.efi > hash2
        cat hash1 hash2
        if ! cmp -s hash1 hash2; then
            echo "ERROR: $suffix binary changed, need to request new signature!"
            # don't fail in devel projects
            if [ "${prj%%%:*}" = "openSUSE" -o "${prj%%%:*}" = "SUSE" ]; then
            mv shim.efi.bak shim-$suffix.efi
            rm shim.efi
            # attach signature
            pesign -m "$signature" -i shim.efi -o shim-$suffix.efi
            rm -f shim.efi
    rm -f shim.cer shim.crt
    # make sure cert.o gets rebuilt
    rm -f cert.o

ln -s shim-${suffixes[0]}.efi shim.efi

export BRP_PESIGN_FILES='%{_libdir}/efi/shim*.efi %{_libdir}/efi/MokManager.efi %{_libdir}/efi/fallback.efi'
install -d %{buildroot}/%{_libdir}/efi
cp -a shim*.efi %{buildroot}/%{_libdir}/efi
install -m 444 shim-*.der %{buildroot}/%{_libdir}/efi
install -m 644 MokManager.efi %{buildroot}/%{_libdir}/efi/MokManager.efi
install -m 644 fallback.efi %{buildroot}/%{_libdir}/efi/fallback.efi
install -d %{buildroot}/%{_sbindir}
install -m 755 %{SOURCE3} %{buildroot}/%{_sbindir}/
# install SUSE certificate
install -d %{buildroot}/%{_sysconfdir}/uefi/certs/
for file in shim-*.der; do
    fpr=$(openssl x509 -sha1 -fingerprint -inform DER -noout -in $file | cut -c 18- | cut -d ":" -f 1,2,3,4 | sed 's/://g')
    install -m 644 $file %{buildroot}/%{_sysconfdir}/uefi/certs/$fpr.crt

%{?buildroot:%__rm -rf "%{buildroot}"}

/sbin/update-bootloader --reinit || true

%dir %{_libdir}/efi
%dir %{_sysconfdir}/uefi/
%dir %{_sysconfdir}/uefi/certs/

openSUSE Build Service is sponsored by