From 16a16a4545ac55e08abd0491841c6a39f330fafd Mon Sep 17 00:00:00 2001
From: eabdullin <ed.abdullin.1@gmail.com>
Date: Fri, 31 May 2024 16:38:25 +0000
Subject: [PATCH] Import from AlmaLinux stable repository

---
 .fwupd.metadata                               |   9 --
 .gitignore                                    |   1 +
 ...usr-libexec-platform-python-for-RHEL.patch |  29 ++++
 ...permissions-of-redfish.conf-at-insta.patch |  28 ++++
 ...ate-users-using-IPMI-when-we-know-it.patch |  47 ++++++
 ...edfish-passwords-to-a-file-readable-.patch | 141 ++++++++++++++++++
 SOURCES/redhatsecureboot301.cer               | Bin 839 -> 0 bytes
 SOURCES/redhatsecureboot503.cer               | Bin 964 -> 0 bytes
 SOURCES/redhatsecurebootca3.cer               | Bin 977 -> 0 bytes
 SOURCES/redhatsecurebootca5.cer               | Bin 920 -> 0 bytes
 SPECS/fwupd.spec                              |  39 +++--
 11 files changed, 272 insertions(+), 22 deletions(-)
 delete mode 100644 .fwupd.metadata
 create mode 100644 SOURCES/0001-Use-usr-libexec-platform-python-for-RHEL.patch
 create mode 100644 SOURCES/0001-redfish-Set-the-permissions-of-redfish.conf-at-insta.patch
 create mode 100644 SOURCES/0002-redfish-Only-create-users-using-IPMI-when-we-know-it.patch
 create mode 100644 SOURCES/0003-Never-save-the-Redfish-passwords-to-a-file-readable-.patch
 delete mode 100644 SOURCES/redhatsecureboot301.cer
 delete mode 100644 SOURCES/redhatsecureboot503.cer
 delete mode 100644 SOURCES/redhatsecurebootca3.cer
 delete mode 100644 SOURCES/redhatsecurebootca5.cer

diff --git a/.fwupd.metadata b/.fwupd.metadata
deleted file mode 100644
index 19c69f0..0000000
--- a/.fwupd.metadata
+++ /dev/null
@@ -1,9 +0,0 @@
-b2620c36bd23ca699567fd4e4add039ee4375247 SOURCES/DBXUpdate-20100307-x64.cab
-dfdb1d0d42c1563ca63bd45c7e2ddc48cbfc5023 SOURCES/DBXUpdate-20140413-x64.cab
-a5f73c606abb93bf61625e4628d27a2cd460f162 SOURCES/DBXUpdate-20160809-x64.cab
-b5b2dc87daca1d3f8081a323290432c141aa405d SOURCES/DBXUpdate-20200729-aa64.cab
-3fb407561768a3a2f5fb49d7738b5e0650e70810 SOURCES/DBXUpdate-20200729-ia32.cab
-89db93c9d9d20f81791a262e817b99d8882c8bb0 SOURCES/DBXUpdate-20200729-x64.cab
-59006fd556faeacc8185075c8fe7826249a2da32 SOURCES/fwupd-1.7.8.tar.xz
-1a586c3634ef190e6128351ee60fd17d0e584f7c SOURCES/fwupd-efi-1.3.tar.xz
-a62a28924d26cd49b6441170795a237ba33ec192 SOURCES/libjcat-0.1.9.tar.xz
diff --git a/.gitignore b/.gitignore
index 5b65834..00d15ca 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,6 +4,7 @@ SOURCES/DBXUpdate-20160809-x64.cab
 SOURCES/DBXUpdate-20200729-aa64.cab
 SOURCES/DBXUpdate-20200729-ia32.cab
 SOURCES/DBXUpdate-20200729-x64.cab
+SOURCES/almalinuxsecurebootca0.cer
 SOURCES/fwupd-1.7.8.tar.xz
 SOURCES/fwupd-efi-1.3.tar.xz
 SOURCES/libjcat-0.1.9.tar.xz
diff --git a/SOURCES/0001-Use-usr-libexec-platform-python-for-RHEL.patch b/SOURCES/0001-Use-usr-libexec-platform-python-for-RHEL.patch
new file mode 100644
index 0000000..4bc0dc7
--- /dev/null
+++ b/SOURCES/0001-Use-usr-libexec-platform-python-for-RHEL.patch
@@ -0,0 +1,29 @@
+From 1fc24adecbb62b3cd77ef965c5daf1b72f6c7aa8 Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Tue, 22 Aug 2023 10:05:27 +0100
+Subject: [PATCH] Use /usr/libexec/platform-python for RHEL
+
+---
+ meson.build | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/meson.build b/meson.build
+index bb406d616..ac90c8ee6 100644
+--- a/meson.build
++++ b/meson.build
+@@ -261,11 +261,7 @@ if libgcab.type_name() == 'pkgconfig' and cc.has_function('gcab_file_set_bytes',
+ endif
+ 
+ bashcomp = dependency('bash-completion', required: false)
+-if host_machine.system() != 'freebsd'
+-  python3 = find_program('python3')
+-else
+-  python3 = find_program('python3.8', 'python3', 'python3.9')
+-endif
++python3 = find_program('/usr/libexec/platform-python')
+ 
+ if get_option('gnutls')
+   gnutls = dependency('gnutls', version : '>= 3.6.0')
+-- 
+2.41.0
+
diff --git a/SOURCES/0001-redfish-Set-the-permissions-of-redfish.conf-at-insta.patch b/SOURCES/0001-redfish-Set-the-permissions-of-redfish.conf-at-insta.patch
new file mode 100644
index 0000000..b3f334e
--- /dev/null
+++ b/SOURCES/0001-redfish-Set-the-permissions-of-redfish.conf-at-insta.patch
@@ -0,0 +1,28 @@
+From 442f7f9200fbf6ec509dd0ee40eae2e37b2fb73e Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Tue, 20 Sep 2022 08:06:12 +0100
+Subject: [PATCH 1/3] redfish: Set the permissions of redfish.conf at install
+ time
+
+Although typically we set the password using fu_plugin_set_secure_config_value()
+or something like Ansible or Puppet -- the user could just edit the file with
+vim and we still want the permissions set correctly.
+---
+ plugins/redfish/meson.build | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/plugins/redfish/meson.build b/plugins/redfish/meson.build
+index 34ba4b7f6..7b19574de 100644
+--- a/plugins/redfish/meson.build
++++ b/plugins/redfish/meson.build
+@@ -48,6 +48,7 @@ shared_module('fu_plugin_redfish',
+ 
+ install_data(['redfish.conf'],
+   install_dir:  join_paths(sysconfdir, 'fwupd'),
++  install_mode: 'rw-r-----',
+ )
+ 
+ if get_option('tests')
+-- 
+2.39.1
+
diff --git a/SOURCES/0002-redfish-Only-create-users-using-IPMI-when-we-know-it.patch b/SOURCES/0002-redfish-Only-create-users-using-IPMI-when-we-know-it.patch
new file mode 100644
index 0000000..f7ec617
--- /dev/null
+++ b/SOURCES/0002-redfish-Only-create-users-using-IPMI-when-we-know-it.patch
@@ -0,0 +1,47 @@
+From 4f39b747a6d860e32a3000451dd2635366c81776 Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Tue, 20 Sep 2022 09:13:52 +0100
+Subject: [PATCH 2/3] redfish: Only create users using IPMI when we know it's
+ going to work
+
+Make the IPMI auto-account feature allow-listed on specific vendors as some IPMI
+implementations are not specification compliant and do entirely the wrong thing.
+---
+ plugins/redfish/fu-plugin-redfish.c | 8 ++++++++
+ plugins/redfish/redfish.quirk       | 2 +-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/plugins/redfish/fu-plugin-redfish.c b/plugins/redfish/fu-plugin-redfish.c
+index deb0fe742..3972d4b4b 100644
+--- a/plugins/redfish/fu-plugin-redfish.c
++++ b/plugins/redfish/fu-plugin-redfish.c
+@@ -422,6 +422,14 @@ fu_plugin_redfish_startup(FuPlugin *plugin, GError **error)
+ #ifdef HAVE_LINUX_IPMI_H
+ 	/* we got neither a type 42 entry or config value, lets try IPMI */
+ 	if (fu_redfish_backend_get_username(data->backend) == NULL) {
++		if (!fu_context_has_hwid_flag(fu_plugin_get_context(plugin), "ipmi-create-user")) {
++			g_set_error_literal(error,
++					    FWUPD_ERROR,
++					    FWUPD_ERROR_NOT_SUPPORTED,
++					    "no username and password specified, "
++					    "and no vendor quirk for 'ipmi-create-user'");
++			return FALSE;
++		}
+ 		if (!fu_plugin_get_config_value_boolean(plugin, "IpmiDisableCreateUser")) {
+ 			g_debug("attempting to create user using IPMI");
+ 			if (!fu_redfish_plugin_ipmi_create_user(plugin, error))
+diff --git a/plugins/redfish/redfish.quirk b/plugins/redfish/redfish.quirk
+index b12439926..5e9722fda 100644
+--- a/plugins/redfish/redfish.quirk
++++ b/plugins/redfish/redfish.quirk
+@@ -1,6 +1,6 @@
+ # Lenovo ThinkSystem
+ [42f00735-c9ab-5374-bd63-a5deee5881e0]
+-Flags = wildcard-targets,reset-required
++Flags = wildcard-targets,reset-required,ipmi-create-user
+ 
+ [REDFISH\VENDOR_Lenovo&ID_BMC-Backup]
+ ParentGuid = REDFISH\VENDOR_Lenovo&ID_BMC-Primary
+-- 
+2.39.1
+
diff --git a/SOURCES/0003-Never-save-the-Redfish-passwords-to-a-file-readable-.patch b/SOURCES/0003-Never-save-the-Redfish-passwords-to-a-file-readable-.patch
new file mode 100644
index 0000000..f9e717d
--- /dev/null
+++ b/SOURCES/0003-Never-save-the-Redfish-passwords-to-a-file-readable-.patch
@@ -0,0 +1,141 @@
+From 41575afd93ca0e68bced78ca43a4488f124906a1 Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Wed, 21 Sep 2022 14:56:10 +0100
+Subject: [PATCH 3/3] Never save the Redfish passwords to a file readable by
+ users
+
+When the redfish plugin automatically creates an OPERATOR user account on the
+BMC we save the autogenerated password to /etc/fwupd/redfish.conf, ensuring it
+is chmod'ed to 0660 before writing the file with g_key_file_save_to_file().
+
+Under the covers, g_key_file_save_to_file() calls g_file_set_contents() with
+the keyfile string data.
+I was under the impression that G_FILE_CREATE_REPLACE_DESTINATION was being
+used to copy permissions, but alas not.
+
+GLib instead calls g_file_set_contents_full() with the mode hardcoded to 0666,
+which undoes the previous chmod().
+
+Use g_file_set_contents_full() with the correct mode for newer GLib versions,
+and provide a fallback with the same semantics for older versions.
+---
+ contrib/fwupd.spec.in         |  3 ++
+ libfwupdplugin/fu-plugin.c    | 65 +++++++++++++++++++++++++++++------
+ libfwupdplugin/fu-self-test.c | 57 ++++++++++++++++++++++++++++++
+ 3 files changed, 114 insertions(+), 11 deletions(-)
+
+diff --git a/contrib/fwupd.spec.in b/contrib/fwupd.spec.in
+index a50e30a9c..0854fcf4f 100644
+--- a/contrib/fwupd.spec.in
++++ b/contrib/fwupd.spec.in
+@@ -313,6 +313,9 @@ for fn in /etc/fwupd/remotes.d/*.conf; do
+     fi
+ done
+ 
++# ensure this is private
++chmod 0660 /etc/fwupd/redfish.conf
++
+ %preun
+ %systemd_preun fwupd.service
+ 
+diff --git a/libfwupdplugin/fu-plugin.c b/libfwupdplugin/fu-plugin.c
+index 18042a028..04951de85 100644
+--- a/libfwupdplugin/fu-plugin.c
++++ b/libfwupdplugin/fu-plugin.c
+@@ -9,6 +9,7 @@
+ #include "config.h"
+ 
+ #include <errno.h>
++#include <fcntl.h>
+ #include <fwupd.h>
+ #include <glib/gstdio.h>
+ #include <gmodule.h>
+@@ -2256,6 +2257,46 @@ fu_plugin_set_config_value(FuPlugin *self, const gchar *key, const gchar *value,
+ 	return g_key_file_save_to_file(keyfile, conf_path, error);
+ }
+ 
++#if !GLIB_CHECK_VERSION(2, 66, 0)
++
++#define G_FILE_SET_CONTENTS_CONSISTENT 0
++typedef guint GFileSetContentsFlags;
++static gboolean
++g_file_set_contents_full(const gchar *filename,
++			 const gchar *contents,
++			 gssize length,
++			 GFileSetContentsFlags flags,
++			 int mode,
++			 GError **error)
++{
++	gint fd;
++	gssize wrote;
++
++	if (length < 0)
++		length = strlen(contents);
++	fd = g_open(filename, O_CREAT, mode);
++	if (fd <= 0) {
++		g_set_error(error,
++			    G_IO_ERROR,
++			    G_IO_ERROR_FAILED,
++			    "could not open %s file",
++			    filename);
++		return FALSE;
++	}
++	wrote = write(fd, contents, length);
++	if (wrote != length) {
++		g_set_error(error,
++			    G_IO_ERROR,
++			    G_IO_ERROR_FAILED,
++			    "did not write %s file",
++			    filename);
++		g_close(fd, NULL);
++		return FALSE;
++	}
++	return g_close(fd, error);
++}
++#endif
++
+ /**
+  * fu_plugin_set_secure_config_value:
+  * @self: a #FuPlugin
+@@ -2277,7 +2318,8 @@ fu_plugin_set_secure_config_value(FuPlugin *self,
+ 				  GError **error)
+ {
+ 	g_autofree gchar *conf_path = fu_plugin_get_config_filename(self);
+-	gint ret;
++	g_autofree gchar *data = NULL;
++	g_autoptr(GKeyFile) keyfile = g_key_file_new();
+ 
+ 	g_return_val_if_fail(FU_IS_PLUGIN(self), FALSE);
+ 	g_return_val_if_fail(error == NULL || *error == NULL, FALSE);
+@@ -2286,17 +2328,18 @@ fu_plugin_set_secure_config_value(FuPlugin *self,
+ 		g_set_error(error, FWUPD_ERROR, FWUPD_ERROR_NOT_FOUND, "%s is missing", conf_path);
+ 		return FALSE;
+ 	}
+-	ret = g_chmod(conf_path, 0660);
+-	if (ret == -1) {
+-		g_set_error(error,
+-			    FWUPD_ERROR,
+-			    FWUPD_ERROR_INTERNAL,
+-			    "failed to set permissions on %s",
+-			    conf_path);
++	if (!g_key_file_load_from_file(keyfile, conf_path, G_KEY_FILE_KEEP_COMMENTS, error))
+ 		return FALSE;
+-	}
+-
+-	return fu_plugin_set_config_value(self, key, value, error);
++	g_key_file_set_string(keyfile, fu_plugin_get_name(self), key, value);
++	data = g_key_file_to_data(keyfile, NULL, error);
++	if (data == NULL)
++		return FALSE;
++	return g_file_set_contents_full(conf_path,
++					data,
++					-1,
++					G_FILE_SET_CONTENTS_CONSISTENT,
++					0660,
++					error);
+ }
+ 
+ /**
+-- 
+2.39.1
+
diff --git a/SOURCES/redhatsecureboot301.cer b/SOURCES/redhatsecureboot301.cer
deleted file mode 100644
index 4ff8b79e6736e566dbf39603e0887a53345aa4e4..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 839
zcmXqLVs<uYV$xo~%*4pV#L4h}zvyHQr&Ia{ylk9WZ60mkc^MhGSs4s`4b=@)*_cCF
zn1$tnQd1N>5=#_<Q<F=JQWc!?^Gg&ooE;UiQ!5n=H4T*v6ySO}8O4N)Q<D>OQj1C)
zic(WD5=-=w^K%X4#CZ)(42%qc(A3<>AWEFq*xbO#zzobaj4}u^)G^S4Sf`BDy5h|A
zyv)3GQtWJER6_O@BP#=Q6C*!^K@%evQxhX2!zT5vqmx`?o`(oz{$eeCezR_cLPyl%
zHpef<Z?c)s9bV+G*2GY{zUlen&--<nt5(QI#He!|D#@MA6@S7f!DrgWI=@zC&C^a<
zS^NJVseCT_+kC+hmfzF#Tx_$BdDsQaxH<oTd&Lst*YdY!eYroouj_1-&+(6kqHpHi
znY}t@nRQ&w=1_h6OY<eQl|Q`<JrTM7n!i`t_o#KdW$w9@pD!~JJ80ql!v4;Yj`D4+
zCJ#<$T1i;hJiEmZa%<xJ%U=UFoRVA<Io&opOJuT!pLNleeH**jw6<(2uj!q8$Hi$^
z<>qUbuO&%O^nA}y6#9BjM%~U7Q(5kw6_YN1epR)|xb9Elg4_B`%!~|-ixmyz4P=2K
zFU!Xw#v&5#_@80Rp3FS`6#W&an$HJBb(91l2O=<O00WVcA<H>d+v%~@6}B_2%&Mg`
zDvt6_STWb-ZhXD^RgaJz3Cq5o4B43+oEZD&XVQnj{jXOGHfUJJB>qmC?A`ut>Ahpw
zdM-|DZzz7Yc^I3-u|J*vqdKqQ`kIF?LJd~2r8XOg&f%Z+Yj((@r{(*;Y?_w8rSDJJ
zntk_K74NJ(drfx5hIZaKImf>p{fSPd=}qfHlV8OA-0dHz$M#&#on!XF_3NjY{(Hxy
zbKN4k{8NvC{Y9;Yo!51>R!)l5n2-{5CgAUe(k!NLc|1u*B2w==ttY-NzWb+N=75O&
zzv2uf{%c3S9%5x`<-dQv`g=w9>l=;D-vz#WO}UeuefPU1`=|Tw9$I=mIi&>vg+x|L

diff --git a/SOURCES/redhatsecureboot503.cer b/SOURCES/redhatsecureboot503.cer
deleted file mode 100644
index 50e375c7461e78286033119e7b6f9d55fdb3543c..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 964
zcmXqLVm@Hd#I#}oGZP~d6DPygP|MB7r^(JY;AP{~YV&CO&dbQi&B|a9ZzyIU!p0oR
z!o|ZIl$xU8kyxUm;F*`KXQ*f(4-#kQk${RT1g9pK7NsgU<>!|uI6Eqs8Y&qmz)j<1
z6ca8^O-{^7Eh=#+N=?Z~EYVBO&oz(}=QT1gFf*_;G%zqQvWODrHMTG?G_-(n4bpHr
zK*K-{;sAMU4hYUn&&$k9S1>g&CdwU6j7rFUXJlnyZerwTFlb`rVrpV!WSFGBlyl!b
z@AvOl&N7VJBQfm-*Gb3trqyBYpMP7O)-t#1KVhSL*Xm1lv+vaB_D}D5y>Gs;>;9|c
zS*nVeCj;4XQ<W5EH}Tym*%7#-`^=J5b6<()Q(oN)UG=c#X@PDG|D|)8BFXE`LN70!
z({ppBocU#L2Mzmw%yzNu{TCnYNRo7l+8N3Ar9?sTf%8%I4E>qR$0JPJB$l15Dm#Ah
z*G9?ng;qBhTt7zi_9piI<x>B1HKryy*<#h?ozG0H9pAq!Hx`|9`sDeVhoQ|+Ba2Qv
zo-yfhS&G=>BcJvO?o=@Oz`Lz_kxrWF{OxXgEW`@xmVMa7-nq`c>PBzQ|M_C~MBFr9
zPrLh_iJ6gsadCw~nE?+l)MbSk8UM2|888^|fq48N9t$%QdxL=(h_4Fb^B8ckacHwK
zva+%>GaJZ)#Q9jnSVS6UDoF(Enx4Ng{cq63UVh2ku$$W8v?Qy{B4HrbAaW*u>2r;Y
zU7miEXYbA6p6F6GYkog++yK)hFm4zb1h29y$1xV|D)`m!I6+~4tbNet)HA$J5+1X7
z^`aP;7*9J<6!|s6!sq4b3!SQO4a7XU<hYNmSt)Sj{sGGme_8wLH;80w@%iX1pZIcx
z0HbhszX{Wf-ZPa(;$1I}aZKu3Gg0`%X1>c(LMA*hcX#E?K3&s2<&fsu=j-COdYrFG
zd%)%2@WE8TTRmd4$Nz&#rSC6shKtRebdaxGHOuddxkF-v`v-gbQf5te+s{&O)6ChW
zul|X<TE>wxt5?3lD7D<Zy*<)^qe1vpo8k7zPNfShjXovv+vL_x{LZ@Qx1!(5?Fo~D
krrxM3=gkuDU3No_PxZqi?)hb&YG1?o*9G0@RS=B?0A4m<y8r+H

diff --git a/SOURCES/redhatsecurebootca3.cer b/SOURCES/redhatsecurebootca3.cer
deleted file mode 100644
index b2354007b9668258683b99a68fa5bdd3067c31b1..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 977
zcmXqLVm@oo#I$t*GZP~d6DPykKFO2}lmD>>ylk9WZ60mkc^MhGSs4s`4b=@)*_cCF
zn1$tnQd1N>5=#_<Q<F=JQWc!?^Gg&ooE;UiQ!5n=H4T*v6ySO}8O4N)Q<D>OQj1C)
zic(WD5=-=w^K%X4#CZ)(42%qc(8R>VG)kP;*xbO#zzoWzwslR6O2{5!WMyD(V&rEq
zXkz4IYGPz$nC+~<?2{)QQnbB!-tOilfvp!W+5DVoSG#L+<>vi6EDouC4!V-;tv&JA
zN}nf->iaHo2tM8rAb&8=Njdj{a^${=Z?aE)&k<1VH{Q3Wx7jKD-_5CYum4K4d~JV`
z`ccOE*<7!m22LI4&u3g0F3h!NN?ysm?c*7~^lIfF3D-Xhnr_&uU!bJ$?ZS8WW+A0-
zr9raw{Iep~On)hDAUrqc*pZy>@YoE^;z#ABPp))utMY{K9XOZuN+87Vv97^}gccFK
z6&c%&T=rzVyKuJ1S>c?R<K#PxtGGq~?cMg~=gYe$SJ$!S^;`(O<ep~wX+Qso!rIJ(
zZL23GL@b?{ZqYAz@%i~&roT+gj0}v68`m2&t}&1W#<DCQix`WDgIJ50%Q>q?77kYS
zv==`X%}M<cV^9l{R%R(PC~3f|U}4}Ae=0{`6H>C|0a-81!fL?G$oL;QPJxLO7^jR3
zp{b9(0{X(lQ;+K%h_CKtxc%nd+9kH!CBia&JkgcqO9LvF9(I1~^2+p(_fBqs&+@+g
zjZG)^b(y8?lr#NV`RkoR|I-BpaSiJiPBV7drX0Bbe!0fPB95K&)ygj1YM5%bK;(6L
z=7Y@r2hM%A`uyr;o|A^(c{icYtu_B=WuE^MZ_<<d&TsQv+iB;vWxkm>i|1QMhsQHT
z<L>4}wg*#%C!d<*ePQAKPyWoS|9R;jPUx*P-5Ksuo_~6c3tyKHzf+y+r*{_;vOAw>
zmv4Wk&h*1hGe;ze)#t#BH;PsH)$e|FOmna8+@9jW!^ymRMf{q+C84h)mppfN*sxn6
NnfI|Q%N6m!6aeL$dME$@

diff --git a/SOURCES/redhatsecurebootca5.cer b/SOURCES/redhatsecurebootca5.cer
deleted file mode 100644
index dfb0284954861282d1a0ce16c8c5cdc71c27659f..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 920
zcmXqLVxD5q#8k6@nTe5!iIbtZm{+@~;bN2lFB_*;n@8JsUPeZ4RtAH3LoovpHs(+k
zE*{>X)D#7e#1b6^&%9(kLq!95kT^4s1XNrhI5oMnC{@8JKfgr5*-^pNP{}|6ZW<?}
zm~e4wa$-(uQHeuQYDz|8iC%Jku7R95uaSX)nSrH&g`ugjS(G@hv4w%5p#_vndj~Wz
zDj|ECk(GhDiIJbdpox)-sfm%1;oPoQj^Z+n3p+UXFTAqySFqmPd3*j?Ys@hSTEP8<
zf#2*zv*WjwCq+F|Q?70*n-_6VPwv(E$rjn}*LF=h`h($l`O@&r`;HrrOo-N1I9RfZ
zxvgQ_lF0WfJ6z&|9Ilj$E@Ww)^ZxU(`JeguueG>6NxP$#b?ru1p1aqn$3D)YB{Qqo
zjCvjz?|=HkE#3AN-xTZpws*U~)f@D<hHx*rr)(NEvzYZp!}C-TDRu*$;<gRCi<g-#
z^KFcsxIBILE9>Z{t~uwMZy8<;F%jD%$u6!n#qYzp^Sryh{C;x9qf@!N=T4ui@b#({
zSD&^p3kNZ=9lAQ9%xdfP9doNToV+k2^LHOF<JVRuW=00a#lZ%F2C~5TmgQp+V-Y!%
zzx26A#x764$+P!na8Gn8n>D{5oE&78StJa^8n7$i2k94PWc<&<YQPMnkb@nV)_}pz
z$RPVX&M7PHOp)E}n3L-lp9;}?o3i@APVs%}E9D|KM%wramRy`J6~x-Y+I90o>xr*#
z`sciS&XK#@>h!OC8{=mczNLHbADCJ+pE=-CsaDOF#s}?5Q)1qq&%R~#cz>QmiAiVx
zk5XXYstAL9d+iK-w@u$FES<YPN5Z<$i*sS8`10oxUvmRDUKTjPckPLhB$Kz)rb~A;
z7pqN`Wn_C2lv%-c*}%nRLuvV$khM?pl$8F*{-4ao^K*vP9Lw!IjTb)uU|-JJoj<4R
z;o3irGXj>ybMIPOFY~9lmn~9nUf%vMc88@((p0B(#qL+!COmt7`j5IhPVzo{cRPw}
Pd!}BnFF!b8N6JS4>O*3Z

diff --git a/SPECS/fwupd.spec b/SPECS/fwupd.spec
index 15ce573..9549e0f 100644
--- a/SPECS/fwupd.spec
+++ b/SPECS/fwupd.spec
@@ -1,3 +1,7 @@
+%global efi_vendor almalinux
+%global efidir almalinux
+%global efi_esp_dir /boot/efi/EFI/%{efidir}
+
 %global glib2_version 2.45.8
 %global libxmlb_version 0.1.3
 %global libgusb_version 0.2.11
@@ -40,7 +44,7 @@
 Summary:   Firmware update daemon
 Name:      fwupd
 Version:   1.7.8
-Release:   1%{?dist}
+Release:   2%{?dist}.alma
 License:   LGPLv2+
 URL:       https://github.com/fwupd/fwupd
 Source0:   http://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz
@@ -56,10 +60,12 @@ Source15:  http://people.redhat.com/rhughes/dbx/DBXUpdate-20200729-x64.cab
 
 # these are numbered high just to keep them wildly away from colliding with
 # the real package sources, in order to reduce churn.
-Source300:   redhatsecurebootca3.cer
-Source301:   redhatsecureboot301.cer
-Source500:   redhatsecurebootca5.cer
-Source503:   redhatsecureboot503.cer
+Source300:   almalinuxsecurebootca0.cer
+
+Patch1:    0001-redfish-Set-the-permissions-of-redfish.conf-at-insta.patch
+Patch2:    0002-redfish-Only-create-users-using-IPMI-when-we-know-it.patch
+Patch3:    0003-Never-save-the-Redfish-passwords-to-a-file-readable-.patch
+Patch4:    0001-Use-usr-libexec-platform-python-for-RHEL.patch
 
 BuildRequires: efi-srpm-macros
 BuildRequires: gettext
@@ -163,7 +169,7 @@ Requires: %{name}%{?_isa} = %{version}-%{release}
 Data files for installed tests.
 
 %prep
-%setup -q
+%autosetup -p1
 
 mkdir -p subprojects/libjcat
 tar xfvs %{SOURCE1} -C subprojects/libjcat --strip-components=1
@@ -215,11 +221,11 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
     -Dplugin_uefi_capsule=true \
     -Dplugin_uefi_pk=false \
 %ifarch x86_64
-    -Dfwupd-efi:efi_sbat_distro_id="rhel" \
-    -Dfwupd-efi:efi_sbat_distro_summary="Red Hat Enterprise Linux" \
+    -Dfwupd-efi:efi_sbat_distro_id="almalinux" \
+    -Dfwupd-efi:efi_sbat_distro_summary="AlmaLinux" \
     -Dfwupd-efi:efi_sbat_distro_pkgname="%{name}" \
     -Dfwupd-efi:efi_sbat_distro_version="%{version}" \
-    -Dfwupd-efi:efi_sbat_distro_url="mail:secalert@redhat.com" \
+    -Dfwupd-efi:efi_sbat_distro_url="mail:security@almalinux.org" \
     -Dfwupd-efi:efi-libdir="/usr/lib64" \
 %endif
     -Dplugin_tpm=false \
@@ -267,9 +273,7 @@ install %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15}
 %ifarch x86_64
 %global efiarch x64
 %global fwup_efi_fn $RPM_BUILD_ROOT%{_libexecdir}/fwupd/efi/fwupd%{efiarch}.efi
-%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.tmp -a %{SOURCE300} -c %{SOURCE301} -n redhatsecureboot301
-%pesign -s -i %{fwup_efi_fn}.tmp -o %{fwup_efi_fn}.signed -a %{SOURCE500} -c %{SOURCE503} -n redhatsecureboot503
-rm -fv %{fwup_efi_fn}.tmp
+%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.signed -a %{SOURCE300} -c %{SOURCE301} -n clsecureboot001
 %endif
 
 mkdir -p --mode=0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/fwupd/gnupg
@@ -491,6 +495,9 @@ done
 %if 0%{?have_uefi}
 %{_datadir}/fwupd/uefi-capsule-ux.tar.xz
 %endif
+%if 0%{?have_modem_manager}
+%{_libdir}/fwupd-plugins-3/libfu_plugin_modem_manager.so
+%endif
 
 %files devel
 %{_datadir}/gir-1.0/Fwupd-2.0.gir
@@ -526,6 +533,12 @@ done
 %endif
 
 %changelog
+* Wed Sep 27 2023 Eduard Abdullin <eabdullin@almalinux.org> - 1.7.8-2.alma
+- Use AlmaLinux cert
+
+* Mon Feb 20 2023 Richard Hughes <richard@hughsie.com> 1.7.8-2
+- Backport the Redfish security fixes which affect IDRAC.
+- Resolves: rhbz#2170950
 * Wed Jun 15 2022 Richard Hughes <richard@hughsie.com> 1.7.8-1
 - New upstream release
 - Resolves: rhbz#2095668
@@ -657,7 +670,7 @@ done
 * Wed Aug 29 2018 Richard Hughes <richard@hughsie.com> 1.1.1-5
 - Include the certificates for secure boot signing
 
-* Tue Aug 23 2018 Richard Hughes <richard@hughsie.com> 1.1.1-4
+* Thu Aug 23 2018 Richard Hughes <richard@hughsie.com> 1.1.1-4
 - Rebuild to get the EFI executable signed with the Red Hat key
 
 * Thu Aug 23 2018 Richard Hughes <richard@hughsie.com> 1.1.1-3