Copy shim.efi to /pxeboot for UEFI pxeboot support

Package a copy of the shim.efi file to /pxeboot to support UEFI secure boot. The recent grub2 update for CVE-2020-15705 requires the use of shim.efi in order to support kernel signature validation. Change-Id: If87925e1697b34d7ff1a7a770d9f13619dd9dd52 Partial-Bug: 1927730 Signed-off-by: Don Penney <don.penney@windriver.com>
2021-05-07 09:01:47 -04:00 · 2021-05-07 09:01:47 -04:00 · 1974b3f570
commit 1974b3f570
parent b1ac604703
2 changed files with 44 additions and 0 deletions
--- a/security/shim-signed/centos/meta_patches/0003-Support-pxeboot-secure-boot.patch
+++ b/security/shim-signed/centos/meta_patches/0003-Support-pxeboot-secure-boot.patch
@ -0,0 +1,43 @@
+From e8566efa702a88c1efe15daaf52b3a00446f1d8c Mon Sep 17 00:00:00 2001
+From: Don Penney <don.penney@windriver.com>
+Date: Thu, 6 May 2021 13:42:27 -0400
+Subject: [PATCH] Support pxeboot secure boot
+
+In order to support secure boot with pxeboot, we need to package the
+shim.efi file in /pxeboot/EFI, accessible to tftp for the UEFI
+install. As well, please note that while /boot/efi/EFI/centos/shim.efi
+and other files provided by the shim-x64 package are only accessible
+to root, the file under /pxeboot must have broader permissions so that
+the dnsmasq-tftp daemon is able to serve it to the requesting host.
+Therefore, its file permissions are set to be readable to all.
+
+Signed-off-by: Don Penney <don.penney@windriver.com>
+---
+ SPECS/shim-signed.spec | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/SPECS/shim-signed.spec b/SPECS/shim-signed.spec
+index 20cdc80..978818a 100755
+--- a/SPECS/shim-signed.spec
+++ b/SPECS/shim-signed.spec
+@@ -227,6 +227,9 @@ install -m 0700 %{bootsrcia32} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOTIA32.C
+ 
+ install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOTIA32.EFI
+ install -m 0700 fbia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fbia32.efi
+
+# pxeboot support
+install -D -p -m 0755 shimx64.efi $RPM_BUILD_ROOT/pxeboot/EFI/shim.efi
+ %endif
+ 
+ cd mokutil-%{mokutil_version}
+@@ -243,6 +246,7 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
+ /boot/efi/EFI/BOOT/fb%{efiarchlc}.efi
+ /boot/efi/EFI/BOOT/fallback.efi
+ /boot/efi/EFI/%{efidir}/shim.efi
+%attr(755,root,root) /pxeboot/EFI/shim.efi
+ 
+ %ifarch x86_64
+ /boot/efi/EFI/%{efidir}/BOOT.CSV
+-- 
+2.29.2
+
--- a/security/shim-signed/centos/meta_patches/PATCH_ORDER
+++ b/security/shim-signed/centos/meta_patches/PATCH_ORDER
@ -1,2 +1,3 @@
 0001-Titanium-release-info.patch
 0002-Use-presigned-binaries.patch
+0003-Support-pxeboot-secure-boot.patch