Update shim to v15.8 (#10995)

Signed-off-by: Chris Co <chrco@microsoft.com>
Co-authored-by: Dan Streetman <ddstreet@ieee.org>
Co-authored-by: Dan Streetman <ddstreet@microsoft.com>

Author: 3 people

.github/workflows/validate-cg-manifest.sh

@@ -52,6 +52,7 @@ ignore_no_source_tarball=" \
   python-rpm-generators \
   qt-rpm-macros \
   sgx-backwards-compatibility \
+  shim \
   web-assets \
   "
 

LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md

@@ -1986,6 +1986,8 @@
                 "sgpio",
                 "shared-mime-info",
                 "sharutils",
+                "shim-unsigned-aarch64",
+                "shim-unsigned-x64",
                 "sip",
                 "sisu",
                 "skkdic",
@@ -2417,9 +2419,6 @@
                 "sdbus-cpp",
                 "sgx-backwards-compatibility",
                 "shim",
-                "shim-unsigned",
-                "shim-unsigned-aarch64",
-                "shim-unsigned-x64",
                 "skopeo",
                 "span-lite",
                 "sriov-network-device-plugin",

LICENSES-AND-NOTICES/SPECS/data/licenses.json

@@ -1,4 +1,5 @@
 %global debug_package %{nil}
+%global efidir BOOT
 %ifarch x86_64
 %global buildarch x86_64
 %global grubefiname grubx64.efi
@@ -12,7 +13,7 @@
 Summary:        Signed GRand Unified Bootloader for %{buildarch} systems
 Name:           grub2-efi-binary-signed-%{buildarch}
 Version:        2.06
-Release:        21%{?dist}
+Release:        22%{?dist}
 License:        GPLv3+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -42,6 +43,8 @@ specifically created for installing on %{buildarch} systems
 Summary:        GRand Unified Bootloader
 Group:          Applications/System
 Requires:       grub2-tools-minimal = %{version}-%{release}
+Recommends:     shim >= 15.8-3
+Conflicts:      shim < 15.8-3
 
 # Some distros split 'grub2' into more subpackages. For now we're bundling it all together
 # inside the default package and adding these 'Provides' to make installation more user-friendly
@@ -58,6 +61,8 @@ specifically created for installing on %{buildarch} systems
 Summary:        GRand Unified Bootloader
 Group:          Applications/System
 Requires:       grub2-tools-minimal = %{version}-%{release}
+Recommends:     shim >= 15.8-3
+Conflicts:      shim < 15.8-3
 
 %description -n grub2-efi-binary-noprefix
 This package contains the GRUB EFI image with no prefix directory set and is signed for secure boot. The package is
@@ -68,17 +73,20 @@ specifically created for installing on %{buildarch} systems
 %build
 
 %install
-mkdir -p %{buildroot}/boot/efi/EFI/BOOT
-cp %{SOURCE2} %{buildroot}/boot/efi/EFI/BOOT/%{grubefiname}
-cp %{SOURCE3} %{buildroot}/boot/efi/EFI/BOOT/%{grubpxeefiname}
+mkdir -p %{buildroot}/boot/efi/EFI/%{efidir}
+cp %{SOURCE2} %{buildroot}/boot/efi/EFI/%{efidir}/%{grubefiname}
+cp %{SOURCE3} %{buildroot}/boot/efi/EFI/%{efidir}/%{grubpxeefiname}
 
 %files -n grub2-efi-binary
-/boot/efi/EFI/BOOT/%{grubefiname}
+/boot/efi/EFI/%{efidir}/%{grubefiname}
 
 %files -n grub2-efi-binary-noprefix
-/boot/efi/EFI/BOOT/%{grubpxeefiname}
+/boot/efi/EFI/%{efidir}/%{grubpxeefiname}
 
 %changelog
+* Sun Nov 10 2024 Chris Co <chrco@microsoft.com> - 2.06-22
+- Set efidir location to BOOT for eventual use in changing to "azurelinux"
+
 * Mon Oct 28 2024 Chris Co <chrco@microsoft.com> - 2.06-21
 - Bump release number to match grub release
 

SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec

@@ -1,12 +1,13 @@
 %define debug_package %{nil}
+%define efidir BOOT
 %define __os_install_post %{nil}
 # Gnulib does not produce source tarball releases, and grub's bootstrap.conf
 # bakes in a specific commit id to pull (GNULIB_REVISION).
 %global gnulibversion d271f868a8df9bbec29049d01e056481b7a1a263
 Summary:        GRand Unified Bootloader
 Name:           grub2
 Version:        2.06
-Release:        21%{?dist}
+Release:        22%{?dist}
 License:        GPLv3+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -173,6 +174,8 @@ Unsigned GRUB UEFI image
 Summary:        GRUB UEFI image
 Group:          System Environment/Base
 Requires:       %{name}-tools-minimal = %{version}-%{release}
+Recommends:     shim >= 15.8-3
+Conflicts:      shim < 15.8-3
 
 # Some distros split 'grub2' into more subpackages. For now we're bundling it all together
 # inside the default package and adding these 'Provides' to make installation more user-friendly
@@ -188,6 +191,8 @@ GRUB UEFI bootloader binaries
 Summary:        GRUB UEFI image with no prefix directory set
 Group:          System Environment/Base
 Requires:       %{name}-tools-minimal = %{version}-%{release}
+Recommends:     shim >= 15.8-3
+Conflicts:      shim < 15.8-3
 
 %description efi-binary-noprefix
 GRUB UEFI bootloader binaries with no prefix directory set
@@ -320,7 +325,7 @@ install -d %{buildroot}%{_datadir}/grub2-efi
 %endif
 
 # Install to efi directory
-EFI_BOOT_DIR=%{buildroot}/boot/efi/EFI/BOOT
+EFI_BOOT_DIR=%{buildroot}/boot/efi/EFI/%{efidir}
 GRUB_MODULE_NAME=
 GRUB_MODULE_SOURCE=
 
@@ -394,18 +399,18 @@ cp $GRUB_PXE_MODULE_SOURCE $EFI_BOOT_DIR/$GRUB_PXE_MODULE_NAME
 
 %files efi-binary
 %ifarch x86_64
-/boot/efi/EFI/BOOT/grubx64.efi
+/boot/efi/EFI/%{efidir}/grubx64.efi
 %endif
 %ifarch aarch64
-/boot/efi/EFI/BOOT/grubaa64.efi
+/boot/efi/EFI/%{efidir}/grubaa64.efi
 %endif
 
 %files efi-binary-noprefix
 %ifarch x86_64
-/boot/efi/EFI/BOOT/grubx64-noprefix.efi
+/boot/efi/EFI/%{efidir}/grubx64-noprefix.efi
 %endif
 %ifarch aarch64
-/boot/efi/EFI/BOOT/grubaa64-noprefix.efi
+/boot/efi/EFI/%{efidir}/grubaa64-noprefix.efi
 %endif
 
 %ifarch aarch64
@@ -428,6 +433,10 @@ cp $GRUB_PXE_MODULE_SOURCE $EFI_BOOT_DIR/$GRUB_PXE_MODULE_NAME
 %config(noreplace) %{_sysconfdir}/grub.d/41_custom
 
 %changelog
+* Sun Nov 10 2024 Chris Co <chrco@microsoft.com> - 2.06-22
+- Set efidir location to BOOT for eventual use in changing to "azurelinux"
+- Bump release to also force signing with the new Azure Linux secure boot key
+
 * Mon Oct 28 2024 Chris Co <chrco@microsoft.com> - 2.06-21
 - Add Fedora SBAT entries
 

SPECS/grub2/grub2.spec

@@ -0,0 +1,3 @@
+
+For details on how to test this package during development, see the
+TESTING file in the shim package.

SPECS/shim-unsigned-aarch64/TESTING

@@ -0,0 +1,4 @@
+shim.azurelinux,1,Microsoft,shim,15.8,https://github.com/microsoft/azurelinux
+shim.rh,3,The Fedora Project,shim,15.8,https://src.fedoraproject.org/rpms/shim-unsigned-x64
+shim.redhat,3,The Fedora Project,shim,15.8,https://src.fedoraproject.org/rpms/shim-unsigned-x64
+shim.fedora,3,The Fedora Project,shim,15.8,https://src.fedoraproject.org/rpms/shim-unsigned-x64