Migrate to SPDX license

This is part of https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_2
The license analysis is here http://miroslav.suchy.cz/fedora/spdx-reports/shim.html

.gitignore

@@ -1,3 +1,6 @@
-/shim-0.1.tar.bz2
-/shim-0.2.tar.bz2
-/mokutil-0.1.0.tar.bz2
+shim*.efi
+*.rpm
+*/
+.build*.log
+*~
+.*.sw?

0001-Fix-grub-path.patch

@@ -1,25 +0,0 @@
-From aedb12117d5de52b3b2a49008e5e052f4369bda9 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg59@srcf.ucam.org>
-Date: Mon, 26 Nov 2012 19:31:05 -0500
-Subject: [PATCH] Fix grub path
-
----
- shim.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/shim.c b/shim.c
-index 4d490b9..88c8209 100644
---- a/shim.c
-+++ b/shim.c
-@@ -42,7 +42,7 @@
- #include "netboot.h"
- #include "shim_cert.h"
- 
--#define SECOND_STAGE L"\\grub.efi"
-+#define SECOND_STAGE L"\\grubx64.efi"
- #define MOK_MANAGER L"\\MokManager.efi"
- 
- static EFI_SYSTEM_TABLE *systab;
--- 
-1.8.0
-

0002-Remove-extraneous-debug-code.patch

@@ -1,25 +0,0 @@
-From a949ce8f56363b48fa32fd4b0c6e656e95b08e06 Mon Sep 17 00:00:00 2001
-From: Fedora Ninjas <shim-owner@fedoraproject.org>
-Date: Wed, 28 Nov 2012 12:14:50 -0500
-Subject: [PATCH] Remove extraneous debug code
-
----
- shim.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/shim.c b/shim.c
-index 88c8209..d0acd0a 100644
---- a/shim.c
-+++ b/shim.c
-@@ -416,8 +416,6 @@ static BOOLEAN secure_mode (void)
- 	UINT8 sb, setupmode;
- 	UINT32 attributes;
- 
--	return TRUE;
--
- 	if (insecure_mode)
- 		return FALSE;
- 
--- 
-1.8.0
-

mokutil-correct-moklistrt-size.patch

@@ -1,54 +0,0 @@
-From jwboyer@redhat.com Tue Dec 11 11:12:04 2012
-Return-Path: jwboyer@redhat.com
-Received: from zmta04.collab.prod.int.phx2.redhat.com (LHLO
- zmta04.collab.prod.int.phx2.redhat.com) (10.5.81.11) by
- zmail14.collab.prod.int.phx2.redhat.com with LMTP; Tue, 11 Dec 2012
- 11:12:04 -0500 (EST)
-Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])
-	by zmta04.collab.prod.int.phx2.redhat.com (Postfix) with ESMTP id 02F16D0D4D
-	for <pjones@mail.corp.redhat.com>; Tue, 11 Dec 2012 11:12:04 -0500 (EST)
-Received: from hansolo.jdub.homelinux.org ([10.3.113.16])
-	by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id qBBGC1N7022642
-	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO);
-	Tue, 11 Dec 2012 11:12:03 -0500
-Date: Tue, 11 Dec 2012 11:12:01 -0500
-From: Josh Boyer <jwboyer@redhat.com>
-To: pjones@redhat.com
-Cc: mjg59@srcf.ucam.org
-Subject: [PATCH] Fix SignatureSize field when importing a new cert
-Message-ID: <20121211161200.GA999@hansolo.jdub.homelinux.org>
-MIME-Version: 1.0
-Content-Type: text/plain; charset=us-ascii
-Content-Disposition: inline
-User-Agent: Mutt/1.5.21 (2010-09-15)
-X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12
-Status: RO
-Content-Length: 842
-Lines: 25
-
-The SignatureSize field should be the length of the certificate plus
-16 per the UEFI spec.  Remove the extraneous addition of
-sizeof(EFI_SIGNATURE_DATA) from the calculation so that certs enrolled
-in MokListRT are parsable.
----
- src/mokutil.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/mokutil-0.1.0/src/mokutil.c b/mokutil-0.1.0/src/mokutil.c
-index ca46488..f94aee4 100644
---- a/mokutil-0.1.0/src/mokutil.c
-+++ b/mokutil-0.1.0/src/mokutil.c
-@@ -485,8 +485,7 @@ import_moks (char **files, uint32_t total)
- 		CertList->SignatureListSize = sizes[i] +
- 		   sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1;
- 		CertList->SignatureHeaderSize = 0;
--		CertList->SignatureSize = sizes[i] +
--			sizeof(EFI_SIGNATURE_DATA) + 16;
-+		CertList->SignatureSize = sizes[i] + 16;
- 		CertData->SignatureOwner = SHIM_LOCK_GUID;
- 
- 		fd = open (files[i], O_RDONLY);
--- 
-1.8.0.1
-
-

shim-image-size.patch

@@ -1,63 +0,0 @@
-From d3a9d4e8404e0f402fb371066f0e405ed3cecc29 Mon Sep 17 00:00:00 2001
-From: Matthew Garrett <mjg@redhat.com>
-Date: Tue, 14 Aug 2012 06:50:00 -0400
-Subject: [PATCH] Use the file size, not the image size field, for
- verification.
-
----
- shim.c | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/shim.c b/shim.c
-index 2d9044d..6a3c054 100644
---- a/shim.c
-+++ b/shim.c
-@@ -555,7 +555,7 @@ done:
- /*
-  * Read the binary header and grab appropriate information from it
-  */
--static EFI_STATUS read_header(void *data,
-+static EFI_STATUS read_header(void *data, unsigned int datasize,
- 			      PE_COFF_LOADER_IMAGE_CONTEXT *context)
- {
- 	EFI_IMAGE_DOS_HEADER *DosHdr = data;
-@@ -590,7 +590,7 @@ static EFI_STATUS read_header(void *data,
- 	context->FirstSection = (EFI_IMAGE_SECTION_HEADER *)((char *)PEHdr + PEHdr->Pe32.FileHeader.SizeOfOptionalHeader + sizeof(UINT32) + sizeof(EFI_IMAGE_FILE_HEADER));
- 	context->SecDir = (EFI_IMAGE_DATA_DIRECTORY *) &PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY];
- 
--	if (context->SecDir->VirtualAddress >= context->ImageSize) {
-+	if (context->SecDir->VirtualAddress >= datasize) {
- 		Print(L"Malformed security header\n");
- 		return EFI_INVALID_PARAMETER;
- 	}
-@@ -606,7 +606,8 @@ static EFI_STATUS read_header(void *data,
- /*
-  * Once the image has been loaded it needs to be validated and relocated
-  */
--static EFI_STATUS handle_grub (void *data, int datasize, EFI_LOADED_IMAGE *li)
-+static EFI_STATUS handle_grub (void *data, unsigned int datasize,
-+			       EFI_LOADED_IMAGE *li)
- {
- 	EFI_STATUS efi_status;
- 	char *buffer;
-@@ -615,7 +616,7 @@ static EFI_STATUS handle_grub (void *data, int datasize, EFI_LOADED_IMAGE *li)
- 	char *base, *end;
- 	PE_COFF_LOADER_IMAGE_CONTEXT context;
- 
--	efi_status = read_header(data, &context);
-+	efi_status = read_header(data, datasize, &context);
- 	if (efi_status != EFI_SUCCESS) {
- 		Print(L"Failed to read header\n");
- 		return efi_status;
-@@ -843,7 +844,7 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
- 	if (!secure_mode())
- 		return EFI_SUCCESS;
- 
--	status = read_header(buffer, &context);
-+	status = read_header(buffer, size, &context);
- 
- 	if (status != EFI_SUCCESS)
- 		return status;
--- 
-1.7.11.2
-

shim-vendor-cert-file.patch

@@ -1,129 +0,0 @@
-From be817236507a104ec9b0e8be57daab0e2bab40ce Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Mon, 13 Aug 2012 17:06:46 -0400
-Subject: [PATCH] Allow specification of vendor_cert through a build command
- line option.
-
-This allows you to specify the vendor_cert as a file on the command line
-during build.
----
- Makefile | 16 +++++++++++-----
- cert.S   | 32 ++++++++++++++++++++++++++++++++
- cert.h   |  1 -
- shim.c   |  6 +++---
- 4 files changed, 46 insertions(+), 9 deletions(-)
- create mode 100644 cert.S
- delete mode 100644 cert.h
-
-diff --git a/Makefile b/Makefile
-index 1e3a020..66b105f 100644
---- a/Makefile
-+++ b/Makefile
-@@ -14,24 +14,30 @@ EFI_LIBS	= -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/
- EFI_CRT_OBJS 	= $(EFI_PATH)/crt0-efi-$(ARCH).o
- EFI_LDS		= $(EFI_PATH)/elf_$(ARCH)_efi.lds
- 
--
- CFLAGS		= -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
- 		  -Wall -mno-red-zone \
- 		  $(EFI_INCLUDES)
- ifeq ($(ARCH),x86_64)
- 	CFLAGS	+= -DEFI_FUNCTION_WRAPPER
- endif
-+ifneq ($(origin VENDOR_CERT_FILE), undefined)
-+	CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
-+endif
-+
- LDFLAGS		= -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS)
- 
--TARGET		= shim.efi
--OBJS		= shim.o shim.so
--SOURCES		= shim.c shim.h signature.h PeImage.h cert.h
-+TARGET	= shim.efi
-+OBJS	= shim.o cert.o
-+SOURCES	= shim.c shim.h signature.h PeImage.h
- 
- all: $(TARGET)
- 
- shim.o: $(SOURCES)
- 
--shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a
-+cert.o : cert.S
-+	$(CC) $(CFLAGS) -c -o $@ $<
-+
-+shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a cert.o
- 	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
- 
- Cryptlib/libcryptlib.a:
-diff --git a/cert.S b/cert.S
-new file mode 100644
-index 0000000..129bab5
---- /dev/null
-+++ b/cert.S
-@@ -0,0 +1,32 @@
-+#if defined(VENDOR_CERT_FILE)
-+	.globl	vendor_cert
-+	.data
-+	.align	16
-+	.type	vendor_cert, @object
-+	.size	vendor_cert_size, vendor_cert_size-vendor_cert
-+vendor_cert:
-+.incbin VENDOR_CERT_FILE
-+
-+	.globl	vendor_cert_size
-+	.data
-+	.align	16
-+	.type	vendor_cert_size, @object
-+	.size	vendor_cert_size, 4
-+vendor_cert_size:
-+	.long	vendor_cert_size - vendor_cert
-+#else
-+	.globl	vendor_cert
-+	.bss
-+	.type	vendor_cert, @object
-+	.size	vendor_cert, 1
-+vendor_cert:
-+	.zero	1
-+
-+	.globl	vendor_cert_size
-+	.data
-+	.align 4
-+	.type	vendor_cert_size, @object
-+	.size	vendor_cert_size, 4
-+vendor_cert_size:
-+	.long	1
-+#endif
-diff --git a/cert.h b/cert.h
-deleted file mode 100644
-index 380bc04..0000000
---- a/cert.h
-+++ /dev/null
-@@ -1 +0,0 @@
--static UINT8 vendor_cert[] = {0x00};
-diff --git a/shim.c b/shim.c
-index fc3dafc..2d9044d 100644
---- a/shim.c
-+++ b/shim.c
-@@ -48,8 +48,8 @@ static EFI_STATUS (EFIAPI *entry_point) (EFI_HANDLE image_handle, EFI_SYSTEM_TAB
- /*
-  * The vendor certificate used for validating the second stage loader
-  */
--
--#include "cert.h"
-+extern UINT8 vendor_cert[];
-+extern UINT32 vendor_cert_size;
- 
- #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
- 
-@@ -535,7 +535,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
- 
- 	if (!AuthenticodeVerify(cert->CertData,
- 				context->SecDir->Size - sizeof(cert->Hdr),
--				vendor_cert, sizeof(vendor_cert), hash,
-+				vendor_cert, vendor_cert_size, hash,
- 				SHA256_DIGEST_SIZE)) {
- 		Print(L"Invalid signature\n");
- 		status = EFI_ACCESS_DENIED;
--- 
-1.7.11.2
-

shim.conf

@@ -0,0 +1,4 @@
+shim-aa64
+shim-arm
+shim-ia32
+shim-x64

shim.rpmmacros

@@ -0,0 +1,174 @@
+%global debug_package %{nil}
+%global __brp_mangle_shebangs_exclude_from_file %{expand:%{_builddir}/shim-%{efi_arch}-%{version}-%{release}.%{_target_cpu}-shebangs.txt}
+%global vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
+%global vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
+
+%global grub_version 2.06~rc1
+%global fwupd_version 1.5.8
+
+%global bootcsvaa64 %{expand:%{SOURCE10}}
+%global bootcsvarm %{expand:%{SOURCE13}}
+%global bootcsvia32 %{expand:%{SOURCE11}}
+%global bootcsvx64 %{expand:%{SOURCE12}}
+
+%global shimefiaa64 %{expand:%{SOURCE20}}
+%global shimefiarm %{expand:%{SOURCE23}}
+%global shimefiia32 %{expand:%{SOURCE21}}
+%global shimefix64 %{expand:%{SOURCE22}}
+
+%global shimveraa64 15.6-2
+%global shimverarm 15.4-1.fc34
+%global shimveria32 15.6-1
+%global shimverx64 15.6-1
+
+%global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64
+%global shimdirarm %{_datadir}/shim/%{shimverarm}/arm
+%global shimdiria32 %{_datadir}/shim/%{shimveria32}/ia32
+%global shimdirx64 %{_datadir}/shim/%{shimverx64}/x64
+
+%global unsignedaa64 shim-unsigned-aarch64
+%global unsignedarm shim-unsigned-arm
+%global unsignedia32 shim-unsigned-ia32
+%global unsignedx64 shim-unsigned-x64
+
+%global bootcsv %{expand:%{bootcsv%{efi_arch}}}
+%global bootcsvalt %{expand:%{bootcsv%{?efi_alt_arch}}}
+%global shimefi %{expand:%{shimefi%{efi_arch}}}
+%global shimefialt %{expand:%{shimefi%{?efi_alt_arch}}}
+%global shimver %{expand:%{shimver%{efi_arch}}}
+%global shimveralt %{expand:%{shimver%{?efi_alt_arch}}}
+%global shimdir %{expand:%{shimdir%{efi_arch}}}
+%global shimdiralt %{expand:%{shimdir%{?efi_alt_arch}}}
+
+%global unsignednone shim-unsigned-none
+%global unsigned %{expand:%%{unsigned%{efi_arch}}}
+%global unsignedalt %{expand:%%{unsigned%{efi_alt_arch}}}
+
+%define define_pkg(a:p:)						\
+%{expand:%%package -n shim-%{-a*}}					\
+Summary: First-stage UEFI bootloader					\
+Requires: mokutil >= 1:0.3.0-15						\
+Requires: efi-filesystem						\
+Provides: shim-signed-%{-a*} = %{version}-%{release}			\
+Conflicts: fwupd < %{fwupd_version}					\
+Requires: grub2-efi-%{-a*} >= %{grub_version}				\
+Conflicts: grub2-efi-%{-a*} < %{grub_version}				\
+%{expand:%%if 0%%{-p*}							\
+Provides: shim = %{version}-%{release}					\
+Provides: shim-signed = %{version}-%{release}				\
+Obsoletes: shim-signed < %{version}-%{release}				\
+Obsoletes: shim < %{version}-%{release}					\
+%%endif}								\
+# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI	\
+# is not compatible with SysV (there's no red zone under UEFI) and	\
+# there isn't a POSIX-style C library.					\
+# BuildRequires: OpenSSL						\
+Provides: bundled(openssl) = 1.0.2j					\
+									\
+%{expand:%%description -n shim-%{-a*}}					\
+Initial UEFI bootloader that handles chaining to a trusted full		\
+bootloader under secure boot environments. This package contains the	\
+version signed by the UEFI signing service.				\
+%{nil}
+
+# -a <efiarch>
+# -i <input>
+%define hash(a:i:d:)							\
+	pesign -i %{-i*} -h -P > shim.hash				\
+	read file0 hash0 < shim.hash					\
+	read file1 hash1 < %{-d*}/shim%{-a*}.hash			\
+	if ! [ "$hash0" = "$hash1" ]; then				\
+		echo Invalid signature\! > /dev/stderr			\
+		echo $hash0 vs $hash1					\
+		exit 1							\
+	fi								\
+	%{nil}
+
+# -i <input>
+# -o <output>
+%define sign(i:o:)							\
+	%{expand:%%pesign -s -i %{-i*} -o %{-o*}}			\
+	%{nil}
+
+# -b <binary prefix>
+# -a <efiarch>
+# -i <input>
+%define distrosign(b:a:d:)						\
+	cp -av %{-d*}/%{-b*}%{-a*}.efi %{-b*}%{-a*}-unsigned.efi	\
+	%{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi}\
+	%{nil}
+
+# -a <efiarch>
+# -A <EFIARCH>
+# -b <1|0> # signed by this builder?
+# -c <1|0> # signed by UEFI CA?
+# -i <shimARCH.efi>
+%define define_build(a:A:b:c:i:d:)					\
+if [ "%{-c*}" = "yes" ]; then						\
+	%{expand:%%hash -i %{-i*} -a %{-a*} -d %{-d*}}			\
+fi									\
+cp %{-i*} shim%{-a*}.efi						\
+if [ "%{-b*}" = "yes" ]; then						\
+	%{expand:%%distrosign -b shim -a %{-a*} -d %{-d*}}		\
+	mv shim%{-a*}-signed.efi shim%{-a*}-%{efi_vendor}.efi		\
+fi									\
+if [ "%{-c*}" = "no" ] && [ "%{-b*}" = "yes" ]; then			\
+	cp shim%{-a*}-%{efi_vendor}.efi shim%{-a*}.efi			\
+fi									\
+%{expand:%%distrosign -b mm -a %{-a*} -d %{-d*}}			\
+mv mm%{-a*}-signed.efi mm%{-a*}.efi					\
+%{expand:%%distrosign -b fb -a %{-a*} -d %{-d*}}			\
+mv fb%{-a*}-signed.efi fb%{-a*}.efi					\
+rm -vf									\\\
+	mm%{-a*}-unsigned.efi						\\\
+	fb%{-a*}-unsigned.efi						\\\
+	shim%{-a*}-unsigned.efi						\
+%{nil}
+
+# -a <efiarch>
+# -A <EFIARCH>
+# -b <BOOTCSV>
+%define do_install(a:A:b:)						\
+install -m 0700 shim%{-a*}.efi						\\\
+	$RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}.efi			\
+install -m 0700 mm%{-a*}.efi						\\\
+	$RPM_BUILD_ROOT%{efi_esp_dir}/mm%{-a*}.efi			\
+install -m 0700 %{-b*}							\\\
+	$RPM_BUILD_ROOT%{efi_esp_dir}/BOOT%{-A*}.CSV			\
+install -m 0700 shim%{-a*}.efi						\\\
+	$RPM_BUILD_ROOT%{efi_esp_boot}/BOOT%{-A*}.EFI			\
+install -m 0700 fb%{-a*}.efi						\\\
+	$RPM_BUILD_ROOT%{efi_esp_boot}/fb%{-a*}.efi			\
+%nil
+
+# -a <efiarch>
+# -A <EFIARCH>
+%define define_files(a:A:)						\
+%{expand:%%files -n shim-%{-a*}}					\
+%{efi_esp_dir}/*%{-a*}*.efi						\
+%{efi_esp_dir}/BOOT%{-A*}.CSV						\
+%{efi_esp_boot}/*%{-a*}.efi						\
+%{efi_esp_boot}/*%{-A*}.EFI						\
+%{nil}
+
+%ifarch x86_64
+%global is_signed yes
+%global is_alt_signed no
+%global provide_legacy_shim 1
+%endif
+%ifarch aarch64
+%global is_signed no
+%global is_alt_signed no
+%global provide_legacy_shim 1
+%endif
+%ifnarch x86_64 aarch64
+%global is_signed no
+%global is_alt_signed no
+%global provide_legacy_shim 0
+%endif
+
+%if ! 0%{?vendor:1}
+%global vendor nopenopenope
+%endif
+
+# vim:filetype=rpmmacros

shim.spec

@@ -1,129 +1,304 @@
-Name:           shim
-Version:        0.2
-Release:        3%{?dist}
-Summary:        First-stage UEFI bootloader
+# this is to make us only expand %%{dist} if we're on a modularity build.
+# it's 2 macros make vim's \c not put a brace at the end of the changelog.
+%global _dist %{expand:%{?_module_build:%%{?dist}}}
+%global dist %{expand:%%{_dist}}
 
-License:        BSD
-URL:            http://www.codon.org.uk/~mjg59/shim/
-Source0:        http://www.codon.org.uk/~mjg59/shim/shim-%{version}.tar.bz2
-Source1:	fedora-ca.cer
+Name:		shim
+Version:	15.6
+Release:	2%{?dist}
+Summary:	First-stage UEFI bootloader
+License:	BSD-3-Clause
+URL:		https://github.com/rhboot/shim/
+BuildRequires:	efi-filesystem
+BuildRequires:	efi-srpm-macros >= 5-1
 
-# incorporate mokutil for packaging simplicity
-%global mokutilver 0.1.0
-Source2:	http://www.codon.org.uk/~mjg59/mokutil/mokutil-%{mokutilver}.tar.bz2
+ExclusiveArch:	%{efi}
+# but we don't build a .i686 package, just a shim-ia32.x86_64 package
+ExcludeArch:	%{ix86}
+# but we don't build a .arm package, just a shim-arm.aarch64 package
+ExcludeArch:	%{arm}
 
-# currently here's what's in our dbx:
-# grub2-efi-2.00-11.fc18.x86_64:
-# grubx64.efi 6ac839881e73504047c06a1aac0c4763408ecb3642783c8acf77a2d393ea5cd7
-# gcdx64.efi 065cd63bab696ad2f4732af9634d66f2c0d48f8a3134b8808750d378550be151
-# grub2-efi-2.00-11.fc19.x86_64:
-# grubx64.efi 49ece9a10a9403b32c8e0c892fd9afe24a974323c96f2cc3dd63608754bf9b45
-# gcdx64.efi 99fcaa957786c155a92b40be9c981c4e4685b8c62b408cb0f6cb2df9c30b9978
-# woops.
-Source3:	dbx.esl
+Source0:	shim.rpmmacros
+Source1:	shim.conf
 
-Patch0:		0001-Fix-grub-path.patch
-Patch1:		0002-Remove-extraneous-debug-code.patch
-Patch2:		mokutil-correct-moklistrt-size.patch
+# keep these two lists of sources synched up arch-wise.  That is 0 and 10
+# match, 1 and 11 match, ...
+Source10:	BOOTAA64.CSV
+Source20:	shimaa64.efi
+Source11:	BOOTIA32.CSV
+Source21:	shimia32.efi
+Source12:	BOOTX64.CSV
+Source22:	shimx64.efi
+#Source13:	BOOTARM.CSV
+#Source23:	shimarm.efi
 
-BuildRequires: gnu-efi git openssl-devel openssl
-BuildRequires: pesign >= 0.99-9
+%include %{SOURCE0}
 
-# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
-# compatible with SysV (there's no red zone under UEFI) and there isn't a
-# POSIX-style C library.
-# BuildRequires: OpenSSL
-Provides: bundled(openssl) = 0.9.8w
-
-# Shim is only required on platforms implementing the UEFI secure boot
-# protocol. The only one of those we currently wish to support is 64-bit x86.
-# Adding further platforms will require adding appropriate relocation code.
-ExclusiveArch: x86_64
-
-# Figure out the right file path to use
-%if 0%{?rhel}
-%global efidir redhat
+BuildRequires:	pesign >= 0.112-20.fc27
+# We need this because %%{efi} won't expand before choosing where to make
+# the src.rpm in koji, and we could be on a non-efi architecture, in which
+# case we won't have a valid expansion here...  To be solved in the future
+# (shim 16+) by making the unsigned packages all provide "shim-unsigned", so
+# we can just BuildRequires that.
+%ifarch x86_64
+BuildRequires: %{unsignedx64} = %{shimverx64}
+BuildRequires: %{unsignedia32} = %{shimveria32}
 %endif
-%if 0%{?fedora}
-%global efidir fedora
+%ifarch aarch64
+BuildRequires: %{unsignedaa64} = %{shimveraa64}
+#BuildRequires: %% {unsignedarm} = %% {shimverarm}
 %endif
 
 %description
 Initial UEFI bootloader that handles chaining to a trusted full bootloader
-under secure boot environments.
+under secure boot environments. This package contains the version signed by
+the UEFI signing service.
 
-%package -n shim-unsigned
-Summary: First-stage UEFI bootloader (unsigned data)
-
-%description -n shim-unsigned
-Initial UEFI bootloader that handles chaining to a trusted full bootloader
-under secure boot environments.
+%define_pkg -a %{efi_arch} -p 1
+%if %{efi_has_alt_arch}
+%define_pkg -a %{efi_alt_arch}
+%endif
 
 %prep
-%setup -q -n shim-%{version}
-%setup -q -a 2 -D -T
-git init
-git config user.email "shim-owner@fedoraproject.org"
-git config user.name "Fedora Ninjas"
-git add .
-git commit -a -q -m "%{version} baseline."
-git am %{patches} </dev/null
+cd %{_builddir}
+rm -rf shim-%{version}
+mkdir shim-%{version}
 
 %build
-%define vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
-%define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
-#pesign %{vendor_token_str} %{vendor_cert_str} -C vendor.cer
 
-MAKEFLAGS=""
-if [ -f "%{SOURCE1}" ]; then
-	MAKEFLAGS="VENDOR_CERT_FILE=%{SOURCE1}"
-fi
-make %{?_smp_mflags} ${MAKEFLAGS}
-cd mokutil-%{mokutilver}
-%configure
-make %{?_smp_mflags}
-cd ..
+cd shim-%{version}
+%if %{efi_has_alt_arch}
+%define_build -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -i %{shimefialt} -b no -c %{is_alt_signed} -d %{shimdiralt}
+%endif
+%define_build -a %{efi_arch} -A %{efi_arch_upper} -i %{shimefi} -b no -c %{is_signed} -d %{shimdir}
 
 %install
 rm -rf $RPM_BUILD_ROOT
-%pesign -s -i shim.efi -e shim.sig
-install -D -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/shim/
-install -m 0644 shim.efi $RPM_BUILD_ROOT%{_datadir}/shim/shim.efi
-install -m 0644 shim.sig $RPM_BUILD_ROOT%{_datadir}/shim/shim.sig
-install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/
-%pesign -s -i MokManager.efi -o $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/MokManager.efi
-cd mokutil-%{mokutilver}
-make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
+cd shim-%{version}
+install -D -d -m 0755 $RPM_BUILD_ROOT/boot/
+install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_root}/
+install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_efi}/
+install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_dir}/
+install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_boot}/
 
+%do_install -a %{efi_arch} -A %{efi_arch_upper} -b %{bootcsv}
+%if %{efi_has_alt_arch}
+%do_install -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -b %{bootcsvalt}
+%endif
 
-%files -n shim-unsigned
-%doc
-%dir %{_datadir}/shim
-%{_datadir}/shim/*
-/boot/efi/EFI/%{efidir}/MokManager.efi
-/usr/bin/mokutil
-/usr/share/man/man1/mokutil.1.gz
+%if %{provide_legacy_shim}
+install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi
+%endif
+install -D -d -m 0755 $RPM_BUILD_ROOT%{_sysconfdir}/dnf/protected.d/
+install -m 0644 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/dnf/protected.d/
+
+( cd $RPM_BUILD_ROOT ; find .%{efi_esp_root} -type f ) \
+  | sed -e 's/\./\^/' -e 's,^\\\./,.*/,' -e 's,$,$,' > %{__brp_mangle_shebangs_exclude_from_file}
+
+%define_files -a %{efi_arch} -A %{efi_arch_upper}
+%if %{provide_legacy_shim}
+%{efi_esp_dir}/shim.efi
+%endif
+%{_sysconfdir}/dnf/protected.d/shim.conf
+
+%if %{efi_has_alt_arch}
+%define_files -a %{efi_alt_arch} -A %{efi_alt_arch_upper}
+%{_sysconfdir}/dnf/protected.d/shim.conf
+%endif
 
 %changelog
-* Wed Dec 12 2012 Peter Jones <pjones@redhat.com> - 0.2-3
-- Fix mokutil's idea of signature sizes.
+* Thu Jul 07 2022 Robbie Harwood <rharwood@redhat.com> - 15.6-2
+- Update aarch64 (only) with relocation fixes
+- Resolves: #2101248
 
-* Wed Nov 28 2012 Matthew Garrett <mjg59@srcf.ucam.org> - 0.2-2
-- Fix secure_mode() always returning true
+* Wed Jun 15 2022 Peter Jones <pjones@redhat.com> - 15.6-1
+- Update to shim-15.6
+  Resolves: CVE-2022-28737
 
-* Mon Nov 26 2012 Matthew Garrett <mjg59@srcf.ucam.org> - 0.2-1
-- Update shim
-- Include mokutil
-- Add debuginfo package since mokutil is a userspace executable
+* Wed May 05 2021 Javier Martinez Canillas <javierm@redhat.com> - 15.4-5
+- Bump release to build for F35
 
-* Mon Oct 22 2012 Peter Jones <pjones@redhat.com> - 0.1-4
-- Produce an unsigned shim
+* Wed Apr 21 2021 Javier Martinez Canillas <javierm@redhat.com> - 15.4-4
+- Fix handling of ignore_db and user_insecure_mode (pjones)
+- Fix booting on pre-UEFI Macs (pjones)
+- Fix mok variable storage allocation region (glin)
+  Resolves: rhbz#1948432
+- Fix the package version in the .sbat data (pjones)
 
-* Tue Aug 14 2012 Peter Jones <pjones@redhat.com> - 0.1-3
-- Update how embedded cert and signing work.
+* Tue Apr 06 2021 Peter Jones <pjones@redhat.com> - 15.4-3
+- Mark signed shim packages as protected in dnf.
+  Resolves: rhbz#1874541
+- Conflict with older fwupd, but don't require it.
+  Resolves: rhbz#1877751
 
-* Mon Aug 13 2012 Josh Boyer <jwboyer@redhat.com> - 0.1-2
-- Add patch to fix image size calculation
+* Tue Apr 06 2021 Peter Jones <pjones@redhat.com> - 15.4-2
+- Update to shim 15.4
+  - Support for revocations via the ".sbat" section and SBAT EFI variable
+  - A new unit test framework and a bunch of unit tests
+  - No external gnu-efi dependency
+  - Better CI
+  Resolves: CVE-2020-14372
+  Resolves: CVE-2020-25632
+  Resolves: CVE-2020-25647
+  Resolves: CVE-2020-27749
+  Resolves: CVE-2020-27779
+  Resolves: CVE-2021-20225
+  Resolves: CVE-2021-20233
 
-* Mon Aug 13 2012 Matthew Garrett <mjg@redhat.com> - 0.1-1
-- initial release
+* Tue Oct 02 2018 Peter Jones <pjones@redhat.com> - 15-8
+- Build a -8 because I can't tag -7 into f30 for pretty meh reasons.
+
+* Tue Oct 02 2018 Peter Jones <pjones@redhat.com> - 15-7
+- Rebuild just because I'm dumb.
+
+* Tue Oct 02 2018 Peter Jones <pjones@redhat.com> - 15-6
+- Put the legacy shim.efi binary in the right subpackage
+  Resolves: rhbz#1631989
+
+* Fri May 04 2018 Peter Jones <pjones@redhat.com> - 15-5
+- Rework the .spec to use efi-rpm-macros.
+
+* Fri May 04 2018 Peter Jones <pjones@redhat.com> - 15-4
+- Fix directory permissions to be 0700 on FAT filesystems
+
+* Mon Apr 30 2018 Peter Jones <pjones@redhat.com> - 15-3
+- Pick a release value that'll be higher than what's in F28.
+
+* Mon Apr 30 2018 Peter Jones <pjones@redhat.com> - 15-1
+- Fix BOOT*.CSV and update release to -1
+
+* Tue Apr 24 2018 Peter Jones <pjones@redhat.com> - 15-0.1
+- Update to shim 15.
+- more reproduceable build
+- better checking for bad linker output
+- flicker-free console if there's no error output
+- improved http boot support
+- better protocol re-installation
+- dhcp proxy support
+- tpm measurement even when verification is disabled
+- more reproducable builds
+- measurement of everything verified through shim_verify()
+- coverity and scan-build checker make targets
+- misc cleanups
+
+* Tue Mar 06 2018 Peter Jones <pjones@redhat.com> - 13-5
+- Back off to the thing we had in 13-0.8 until I get new signatures.
+
+* Wed Feb 28 2018 Peter Jones <pjones@redhat.com> - 13-4
+- Fix an inverted test that crept in in the signing macro.  (Woops.)
+
+* Wed Feb 28 2018 Peter Jones <pjones@redhat.com> - 13-2
+- Pivot the shim-signed package to be here.
+
+* Wed Nov 01 2017 Peter Jones <pjones@redhat.com> - 13-1
+- Now with the actual signed 64-bit build of shim 13 for x64 as well.
+- Make everything under /boot/efi be mode 0700, since that's what FAT will
+  show anyway, so that rpm -V is correct.
+  Resolves: rhbz#1508516
+
+* Tue Oct 24 2017 Peter Jones <pjones@redhat.com> - 13-0.8
+- Now with signed 32-bit x86 build.
+  Related: rhbz#1474861
+
+* Wed Oct 04 2017 Peter Jones <pjones@redhat.com> - 13-0.7
+- Make /boot/efi/EFI/fedora/shim.efi still exist on aarch64 as well.
+  Resolves: rhbz#1497854
+
+* Tue Sep 19 2017 Peter Jones <pjones@redhat.com> - 13-0.6
+- Fix binary format issue on Aarch64
+  Resolves: rhbz#1489604
+
+* Tue Sep 05 2017 Peter Jones <pjones@redhat.com> - 13-0.5
+- Make /boot/efi/EFI/fedora/shim.efi still exist on x86_64, since some
+  machines have boot entries that point to it.
+
+* Tue Aug 29 2017 Peter Jones <pjones@redhat.com> - 13-0.4
+- Make our provides not get silently ignore by rpmbuild...
+
+* Fri Aug 25 2017 Peter Jones <pjones@redhat.com> - 13-0.3
+- x64: use the new fbx64.efi and mm64.efi as fallback.efi and MokManager.efi
+- Provide: "shim" in x64 and aa64 builds
+
+* Thu Aug 24 2017 Peter Jones <pjones@redhat.com> - 13-0.2
+- Obsolete old shim builds.
+
+* Tue Aug 22 2017 Peter Jones <pjones@redhat.com> - 13-0.1
+- Initial (partially unsigned) build for multi-arch support on x64/ia32.
+
+* Thu Mar 23 2017 Petr Šabata <contyk@redhat.com> - 0.8-9
+- Re-enable dist tag for module builds
+
+* Tue Feb 17 2015 Peter Jones <pjones@redhat.com> - 0.8-8
+- Don't dual-sign shim-%%{efidir}.efi either.
+  Resolves: rhbz#1184765
+
+* Tue Feb 17 2015 Peter Jones <pjones@redhat.com> - 0.8-8
+- Require dbxtool
+
+* Wed Dec 17 2014 Peter Jones <pjones@redhat.com> - 0.8-7
+- Wrong -signed changes got built for aarch64 last time, for dumb reasons.
+  Related: rhbz#1170289
+
+* Fri Dec 05 2014 Peter Jones <pjones@redhat.com> - 0.8-6
+- Rebuild once more so we can use a different -unsigned version on different
+  arches (because we can't tag a newer build into aarch64 without an x86
+  update to match.)
+  Related: rhbz#1170289
+
+* Wed Dec 03 2014 Peter Jones <pjones@redhat.com> - 0.8-5
+- Rebuild for aarch64 path fixes
+  Related: rhbz#1170289
+
+* Thu Oct 30 2014 Peter Jones <pjones@redhat.com> - 0.8-2
+- Remove the dist tag so people don't complain about what it says.
+
+* Fri Oct 24 2014 Peter Jones <pjones@redhat.com> - 0.8-1
+- Update to shim 0.8
+  rhbz#1148230
+  rhbz#1148231
+  rhbz#1148232
+- Handle building on aarch64 as well
+
+* Fri Jul 18 2014 Peter Jones <pjones@redhat.com> - 0.7-2
+- Don't do multi-signing; too many machines screw up verification.
+  Resolves: rhbz#1049749
+
+* Wed Nov 13 2013 Peter Jones <pjones@redhat.com> - 0.7-1
+- Update to shim 0.7
+  Resolves: rhbz#1023767
+
+* Thu Oct 24 2013 Peter Jones <pjones@redhat.com> - 0.5-1
+- Update to shim 0.5
+
+* Thu Jun 20 2013 Peter Jones <pjones@redhat.com> - 0.4-1
+- Provide a fallback for uninitialized Boot#### and BootOrder
+  Resolves: rhbz#963359
+- Move all signing from shim-unsigned to here
+- properly compare our generated hash from shim-unsigned with the hash of
+  the signed binary (as opposed to doing it manually)
+
+* Fri May 31 2013 Peter Jones <pjones@redhat.com> - 0.2-4.4
+- Re-sign to get alignments that match the new specification.
+  Resolves: rhbz#963361
+
+* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.2-4.3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Wed Jan 02 2013 Peter Jones <pjones@redhat.com> - 0.2-3.3
+- Add obsoletes and provides for earlier shim-signed packages, to cover
+  the package update cases where previous versions were installed.
+  Related: rhbz#888026
+
+* Mon Dec 17 2012 Peter Jones <pjones@redhat.com> - 0.2-3.2
+- Make the shim-unsigned dep be on the subpackage.
+
+* Sun Dec 16 2012 Peter Jones <pjones@redhat.com> - 0.2-3.1
+- Rebuild to provide "shim" package directly instead of just as a Provides:
+
+* Sat Dec 15 2012 Peter Jones <pjones@redhat.com> - 0.2-3
+- Also provide shim-fedora.efi, signed only by the fedora signer.
+- Fix the fedora signature on the result to actually be correct.
+- Update for shim-unsigned 0.2-3
+
+* Mon Dec 03 2012 Peter Jones <pjones@redhat.com> - 0.2-2
+- Initial build

sources

@@ -1,2 +1,3 @@
-b13a2fa37897e1508e871a5bf0a87369  shim-0.2.tar.bz2
-485218c423aef15de46d55d6de48c98b  mokutil-0.1.0.tar.bz2
+SHA512 (shimx64.efi) = 06488f3f5daf09b3e37e160721e9bf4c68a3ea17dcd19fad7dd1d7edbcf4c218a5b6264e7780bef46e400213459c1a8c9a0c4c1c48f7fe5d7b55b868dbdc3823
+SHA512 (shimia32.efi) = 8241bed8c3e2789741da15e265efb6a1d35d02c4ffbfd21428910c9e366575137a3d9d0c73aa10e62d59d81a98496668a05c5ac7f18a677ccb54e884db48f507
+SHA512 (shimaa64.efi) = b2b77ebbdeda9f9110dd9a6ef4ad15ae57b53ce01ef5c912163159226dc39d5ed35e0dbcfa46dc8ab9f714b63aaea52cd42746aa54155313b43dd27dd57a62f5