From b9bff0b0890c29895178021ab9b2a41831e474c1 Mon Sep 17 00:00:00 2001
From: Cole Robinson
Date: Jul 15 2019 17:15:28 +0000
Subject: Re-enable secureboot enrollment

Follow Laszlo's suggestions from: https://bugzilla.redhat.com/show_bug.cgi?id=1701710#c12
---
diff --git a/.gitignore b/.gitignore
index bbfdb74..86a25ac 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@
 /qemu-ovmf-secureboot-*.tar.gz
 /edk2-*.tar.gz
 /softfloat-20180726-gitb64af41.tar.xz
+/qemu-ovmf-secureboot-20190521-gitf158f12.tar.xz
diff --git a/RedHatSecureBootPkKek1.pem b/RedHatSecureBootPkKek1.pem
new file mode 100644
index 0000000..d302362
--- /dev/null
+++ b/RedHatSecureBootPkKek1.pem
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDoDCCAoigAwIBAgIJAP71iOjzlsDxMA0GCSqGSIb3DQEBCwUAMFExKzApBgNV +BAMTIlJlZCBIYXQgU2VjdXJlIEJvb3QgKFBLL0tFSyBrZXkgMSkxIjAgBgkqhkiG +9w0BCQEWE3NlY2FsZXJ0QHJlZGhhdC5jb20wHhcNMTQxMDMxMTExNTM3WhcNMzcx +MDI1MTExNTM3WjBRMSswKQYDVQQDEyJSZWQgSGF0IFNlY3VyZSBCb290IChQSy9L +RUsga2V5IDEpMSIwIAYJKoZIhvcNAQkBFhNzZWNhbGVydEByZWRoYXQuY29tMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkB+Ee42865cmgm2Iq4rJjGhw ++d9LB7I3gwsCyGdoMJ7j8PCZSrhZV8ZB9jiL/mZMSek3N5IumAEeWxRQ5qiNJQ31 +huarMMtAFuqNixaGcEM38s7Akd9xFI6ZDom2TG0kHozkL08l0LoG+MboGRh2cx2B +bajYBc86yHsoyDajFg0pjJmaaNyrwE2Nv1q7K6k5SwSXHPk2u8U6hgSur9SCe+Cr +3kkFaPz2rmgabJBNVxk8ZGYD9sdSm/eUz5NqoWjJqs+Za7yqXgjnORz3+A+6Bn7x +y+h23f4i2q06Xls06rPJ4E0EKX64YLkF77XZF1hWFmC5MDLwNkrD8nmNEkBw8wID +AQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVy +YXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUPOlg4/8ZoQp7o0L0jUIutNWccuww +HwYDVR0jBBgwFoAUPOlg4/8ZoQp7o0L0jUIutNWccuwwDQYJKoZIhvcNAQELBQAD +ggEBAFxNkoi0gl8drYsR7N8GpnqlK583VQyNbgUArbcMQYlpz9ZlBptReNKtx7+c +3AVzf+ceORO06rYwfUB1q5xDC9+wwhu/MOD0/sDbYiGY9sWv3jtPSQrmHvmGsD8N +1tRGN9tUdF7/EcJgxnBYxRxv7LLYbm/DvDOHOKTzRGScNDsolCZ4J58WF+g7aQol +qXM2fp43XOzoP9uR+RKzPc7n3RXDrowFIGGbld6br/qxXBzll+fDNBGF9YonJqRw +NuwM9oM9kPc28/nzFdSQYr5TtK/TSa/v9HPoe3bkRCo3uoGkmQw6MSRxoOTktxrL +R+SqIs/vdWGA40O3SFdzET14m2k= +-----END CERTIFICATE----- diff --git a/edk2.spec b/edk2.spec index d48caa3..86b354d 100644 --- a/edk2.spec +++ b/edk2.spec @@ -13,13 +13,11 @@ %global edk2_stable_date 201905 %global edk2_stable_str edk2-stable%{edk2_stable_date} %global openssl_version 1.1.1b -%global qosb_version 1.1.3 +%global qosb_version 20190521-gitf158f12 %global softfloat_version 20180726-gitb64af41 - -# enrollment is hanging with stable 201905, -# so temporarily disable it -%global skip_enroll 1 +# Enable this to skip secureboot enrollment, if problems pop up +%global skip_enroll 0 %define qosb_testing 0 
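Review bot: The certificate added in this hunk becomes the PK/KEK trust anchor enrolled by the rest of the commit, yet neither the hunk nor the commit message records its expected subject or fingerprint, so a substituted file would look the same in a later review. The base64 appears to decode to a subject of "Red Hat Secure Boot (PK/KEK key 1)", which matches the file name, but a replacement could carry that subject just as easily. A comment beside the `Source5:` line in edk2.spec, along the lines of `# RedHatSecureBootPkKek1.pem sha256 fingerprint: <FINGERPRINT-PLACEHOLDER, from openssl x509 -noout -fingerprint -sha256>`, gives reviewers of future changes something concrete to check the file against. The same applies to the `Source5:` hunk in edk2.spec.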
@@ -58,7 +56,7 @@ Name: edk2 # to use YYYMMDD to avoid needing to bump package epoch # due to previous 'git' Version: Version: %{edk2_stable_date}01stable -Release: 1%{dist} +Release: 2%{dist} Summary: EFI Development Kit II License: BSD-2-Clause-Patent @@ -69,8 +67,10 @@ URL: http://www.tianocore.org/edk2/ Source0: https://github.com/tianocore/edk2/archive/%{edk2_stable_str}.tar.gz#/edk2-%{edk2_stable_str}.tar.gz Source1: openssl-%{openssl_version}-hobbled.tar.xz Source2: ovmf-whitepaper-c770f8c.txt -Source3: https://github.com/puiterwijk/qemu-ovmf-secureboot/archive/v%{qosb_version}/qemu-ovmf-secureboot-%{qosb_version}.tar.gz +#Source3: https://github.com/puiterwijk/qemu-ovmf-secureboot/archive/v{qosb_version}/qemu-ovmf-secureboot-{qosb_version}.tar.gz +Source3: qemu-ovmf-secureboot-%{qosb_version}.tar.xz Source4: softfloat-%{softfloat_version}.tar.xz +Source5: RedHatSecureBootPkKek1.pem Source10: hobble-openssl Source11: build-iso.sh Source12: update-tarball.sh @@ -133,6 +133,7 @@ BuildRequires: nasm BuildRequires: qemu-img BuildRequires: genisoimage BuildRequires: bc +BuildRequires: sed # These are for QOSB BuildRequires: python3-requests @@ -260,6 +261,14 @@ mv qemu-ovmf-secureboot-%{qosb_version}/LICENSE LICENSE.qosb %autopatch -p1 base64 --decode < MdeModulePkg/Logo/Logo-OpenSSL.bmp.b64 > MdeModulePkg/Logo/Logo-OpenSSL.bmp +# Extract OEM string from the RH cert, as described here +# https://bugzilla.tianocore.org/show_bug.cgi?id=1747#c2 +sed \ + -e 's/^-----BEGIN CERTIFICATE-----$/4e32566d-8e9e-4f52-81d3-5bb9715f9727:/' \ + -e '/^-----END CERTIFICATE-----$/d' \ + %{_sourcedir}/RedHatSecureBootPkKek1.pem \ +| tr -d '\n' \ +> PkKek1.oemstr %build @@ -333,6 +342,7 @@ python3 qemu-ovmf-secureboot-%{qosb_version}/ovmf-vars-generator \ --ovmf-binary ovmf/OVMF_CODE.secboot.fd \ --ovmf-template-vars ovmf/OVMF_VARS.fd \ --uefi-shell-iso ovmf/UefiShell.iso \ + --oem-string "$(< PkKek1.oemstr)" \ --skip-testing \ ovmf/OVMF_VARS.secboot.fd %else 
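Review bot: The new `Source3:` in the `@@ -69,8 +67,10 @@` hunk is a locally produced tarball with no URL, and the commented-out line above it names only the repository, so the only things pinning the qemu-ovmf-secureboot code are the name `20190521-gitf158f12` and the SHA512 in `sources`. That hash proves the tarball has not changed since this commit, not where it came from. A comment next to the new line recording the origin, e.g. `# git snapshot of https://github.com/puiterwijk/qemu-ovmf-secureboot at commit f158f12`, keeps the provenance traceable; whether `update-tarball.sh` (Source12) is what produced the snapshot is not visible here, so say so only if it is.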
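Review bot: The sed pipeline in the `@@ -260,6 +261,14 @@` hunk writes PkKek1.oemstr even when neither expression matches, so a PEM with CRLF line endings or trailing whitespace on the marker lines would yield a file that still contains the BEGIN marker and lacks the GUID prefix, and the build would carry on into enrollment with a malformed OEM string. A check right after the redirect catches that before `ovmf-vars-generator` sees it: `grep -q '^4e32566d-8e9e-4f52-81d3-5bb9715f9727:[A-Za-z0-9+/]*=*$' PkKek1.oemstr`. Whether a sed failure would be noticed through `| tr` depends on the shell options rpm runs %prep with, which is not visible here, so the explicit check is worth having either way. The GUID itself is explained only by the linked tianocore bug; a short comment stating what it identifies, as that bug describes it, would save the next reader the lookup. The %prep section this sits in starts outside the hunk.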
@@ -591,6 +601,11 @@ install qemu-ovmf-secureboot-%{qosb_version}/ovmf-vars-generator %{buildroot}%{_ %changelog +* Mon Jul 15 2019 Cole Robinson - 20190501stable-2 +- License is now BSD-2-Clause-Patent +- Re-enable secureboot enrollment +- Use qemu-ovmf-secureboot from git + * Thu Jul 11 2019 Cole Robinson - 20190501stable-1 - Update to stable-201905 - Update to openssl-1.1.1b diff --git a/sources b/sources index 47de423..f2a6378 100644 --- a/sources +++ b/sources @@ -1,4 +1,4 @@ -SHA512 (qemu-ovmf-secureboot-1.1.3.tar.gz) = f830a525f66379e8e3c61d006fab49547e6709f7aa0f95e70f23c7d26407cc804a0ced9dcfd26af63391d603e9cb5a0714c222c7cdca8599e41852e22e13be80 SHA512 (edk2-edk2-stable201905.tar.gz) = 91188923f7d1ab83c0d6abf7ec6d59f357d0341a617ad6a3ae05f3d0e041dff43f62b014b0c5fc5d15e16d8f1c279c581a5cd64b31e3d52b340d7ef90adb50f1 SHA512 (openssl-1.1.1b-hobbled.tar.xz) = 8055b19bfeec41fe0607c04d468d2f16a1e5fe02642c8deb67b00878be7e28ab266d13da41b9576800cba0b9448253f26f72ab8889d666f5d23103648f80bea1 SHA512 (softfloat-20180726-gitb64af41.tar.xz) = f079debd1bfcc0fe64329a8947b0689ef49246793edcdd28a2879f6550c652b0cf0f53ac4f6f5ab61ac4f7933972e0019d0ab63eb9931b6884c2909f3a5ead30 +SHA512 (qemu-ovmf-secureboot-20190521-gitf158f12.tar.xz) = 4dde79864996398cc8cc39cdf859c1ca64ca0d360b0e5e41af9d9f054d36e1c4999e4324c5140a7329bec9b8d131e773ab8ebc28aba8d3f9f63c25517ee9221a