Rebase to get new hardware support

Resolves: #RHEL-125778
2026-01-09 14:59:44 +00:00 · 2026-01-09 14:59:44 +00:00 · 30a3b93cc5
commit 30a3b93cc5
parent 29b2a84fc5
12 changed files with 390 additions and 309 deletions
--- a/.gitignore
+++ b/.gitignore
@ -107,3 +107,6 @@
 /DBXUpdate-20241101-x64.cab
 /fwupd-1.9.31.tar.xz
 /DBXUpdate-20250507-legacy-x64.cab
+/fwupd-2.0.19.tar.xz
+/40d3a4630619b83026f66bc64d97a582bbd9223ad53aa3f519ff5e2121d11ca6-DBXUpdate-20250507-x64.cab
+/1.7.tar.gz
--- a/0001-Correctly-migrate-from-v2-to-database-schema-v10.patch
+++ b/0001-Correctly-migrate-from-v2-to-database-schema-v10.patch
@ -1,47 +0,0 @@
-From 6fc21ec8364babc2edc57d6a39ee44c1e72cc6b2 Mon Sep 17 00:00:00 2001
-From: Richard Hughes <richard@hughsie.com>
-Date: Sun, 18 Feb 2024 10:23:03 +0000
-Subject: [PATCH] Correctly migrate from v2 to database schema v10
-
-Artificially bump the schema version to v11 to ensure the migration is done.
-
-diff --git a/src/fu-history.c b/src/fu-history.c
-index 21a4fd3e8..3be03c3a7 100644
--- a/src/fu-history.c
-+++ b/src/fu-history.c
-@@ -21,7 +21,20 @@
- #include "fu-history.h"
- #include "fu-security-attr-common.h"
- 
-#define FU_HISTORY_CURRENT_SCHEMA_VERSION 10
-+/*
-+ * v1	legacy schema
-+ * v2	initial schema
-+ * v3	add checksum_device to history
-+ * v4	add protocol to history
-+ * v5	create table approved_firmware
-+ * v6	create table blocked_firmware
-+ * v7	create table hsi_history
-+ * v8	add release_id to history
-+ * v9	add appstream_id to history
-+ * v10	add version_format to history
-+ * v11	no changes, bumped due to bungled migration to v10
-+ */
-+#define FU_HISTORY_CURRENT_SCHEMA_VERSION 11
- 
- static void
- fu_history_finalize(GObject *object);
-@@ -466,11 +479,12 @@ fu_history_create_or_migrate(FuHistory *self, guint schema_ver, GError **error)
- 	case 8:
- 		if (!fu_history_migrate_database_v8(self, error))
- 			return FALSE;
-		break;
- 	/* fall through */
- 	case 9:
-+	case 10:
- 		if (!fu_history_migrate_database_v9(self, error))
- 			return FALSE;
-+		/* no longer fall through */
- 		break;
- 	default:
- 		/* this is probably okay, but return an error if we ever delete
--- a/0001-Disable-the-UEFI-plugins-on-32bit-x86.patch
+++ b/0001-Disable-the-UEFI-plugins-on-32bit-x86.patch
@ -0,0 +1,31 @@
+From f14115c509eeadfc65dafb78e2f7b8718de29eff Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Mon, 12 Jan 2026 10:16:19 +0000
+Subject: [PATCH] Disable the UEFI plugins on 32bit x86
+
+Although UEFI on 32 bit i686 is certainly possible to support, the dbx update
+for IA32 has been downloaded only *once* by real users of fwupd, the other
+downloads all being by bots or people syncing the entire LVFS repo.
+
+There have been no KEKs uploaded for 32 bit-only targets, and all the platforms
+are seemlying EOL. I'm not even going to bother to upload the next dbx for IA32.
+---
+ meson.build | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/meson.build b/meson.build
+index 16cad5108..b0b610ad5 100644
+--- a/meson.build
+++ b/meson.build
+@@ -885,7 +885,7 @@ if dbusmock.returncode() != 0 and get_option('umockdev_tests').allowed()
+ endif
+ 
+ allow_uefi = host_machine.system() in ['linux', 'freebsd'] and \
+-  host_machine.cpu_family() in ['x86', 'x86_64', 'aarch64', 'riscv64', 'loongarch64']
+  host_machine.cpu_family() in ['x86_64', 'aarch64', 'riscv64', 'loongarch64']
+ 
+ subdir('generate-build')
+ subdir('libfwupd')
+-- 
+2.52.0
+
--- a/0001-Revert-Require-gnu-efi-3.0.18-or-later.patch
+++ b/0001-Revert-Require-gnu-efi-3.0.18-or-later.patch
@ -0,0 +1,45 @@
+From 856cde012b6ee114b8ce44e090651adbc6c6ddf8 Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Mon, 12 Jan 2026 12:07:40 +0000
+Subject: [PATCH] Revert "Require gnu-efi 3.0.18 or later"
+
+This reverts commit 26c6ec5c1e7765fb5dc6a4df511ab21ee6c6e67a.
+---
+ efi/meson.build | 6 ++++++
+ meson.build     | 3 ++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/efi/meson.build b/efi/meson.build
+index a034bc2..af4bfa3 100644
+--- a/efi/meson.build
+++ b/efi/meson.build
+@@ -45,6 +45,12 @@ if efi_libdir == ''
+   endif
+ endif
+ 
+have_gnu_efi = gnu_efi_path_arch != '' and efi_libdir != ''
+
+if not have_gnu_efi and not gnuefi.found()
+  error('gnu-efi headers were not found')
+endif
+
+ # The name we need to look for on this arch and OS: elf_x86_64_fbsd_efi.lds
+ lds_os = ''
+ if host_cpu == 'x86_64' and host_machine.system() == 'freebsd'
+diff --git a/meson.build b/meson.build
+index d632aaa..7052105 100644
+--- a/meson.build
+++ b/meson.build
+@@ -13,7 +13,8 @@ cc_ld = find_program(cc.get_linker_id())
+ objcopy = find_program('objcopy')
+ objcopy_version = run_command(objcopy, '--version', check: true).stdout().split('\n')[0].split(' ')[-1]
+ 
+-gnuefi = dependency('gnu-efi', version: '>= 3.0.18')
+# pkgconfig introduced in 3.0.18, allows compiling against older
+gnuefi = dependency('gnu-efi', required: false)
+ prefix = get_option('prefix')
+ libdir = join_paths(prefix, get_option('libdir'))
+ libexecdir = join_paths(prefix, get_option('libexecdir'))
+-- 
+2.52.0
+
--- a/0001-Revert-trivial-Remove-some-dead-JCat-compat-code.patch
+++ b/0001-Revert-trivial-Remove-some-dead-JCat-compat-code.patch
@ -0,0 +1,118 @@
+From 8c5c3fe46c4a10eafd8a11f888216f61448121f3 Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Fri, 9 Jan 2026 16:36:24 +0000
+Subject: [PATCH] Revert "trivial: Remove some dead JCat compat code"
+
+This reverts commit b3cd790875065fdda7b8bf7328c325af8ce30a52 so we can build
+on RHEL 9 without also upreving libjcat.
+
+(cherry picked from commit 4f6726f410cedcae7707366d89ef36f9d370950b)
+---
+ meson.build      |  2 +-
+ src/fu-cabinet.c | 12 +++++++++++-
+ src/fu-engine.c  |  9 +++++++++
+ 3 files changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/meson.build b/meson.build
+index 5726be646..1766ce8b6 100644
+--- a/meson.build
+++ b/meson.build
+@@ -360,7 +360,7 @@ if build_standalone
+ endif
+ libjcat = dependency(
+   'jcat',
+-  version: '>= 0.2.0',
+  version: '>= 0.1.6',
+   fallback: ['libjcat', 'libjcat_dep'],
+ )
+ libjsonglib = dependency(
+diff --git a/src/fu-cabinet.c b/src/fu-cabinet.c
+index dabc1eb6d..28b91b450 100644
+--- a/src/fu-cabinet.c
+++ b/src/fu-cabinet.c
+@@ -12,6 +12,11 @@
+ 
+ #include "fu-cabinet.h"
+ 
+/* fixed in 0.1.14 */
+#ifndef JCAT_CHECK_VERSION
+#define JCAT_CHECK_VERSION LIBJCAT_CHECK_VERSION
+#endif
+
+ /**
+  * FuCabinet:
+  *
+@@ -225,6 +230,7 @@ fu_cabinet_parse_release(FuCabinet *self,
+ 
+ 	/* the jcat file signed the *checksum of the payload*, not the payload itself */
+ 	item = jcat_file_get_item_by_id(self->jcat_file, basename, NULL);
+#if JCAT_CHECK_VERSION(0, 2, 0)
+ 	if (item != NULL && jcat_item_has_target(item)) {
+ 		g_autofree gchar *checksum_sha256 = NULL;
+ 		g_autofree gchar *checksum_sha512 = NULL;
+@@ -265,7 +271,9 @@ fu_cabinet_parse_release(FuCabinet *self,
+ 			g_info("verified indirect payload %s: %u", basename, results->len);
+ 			release_flags |= FWUPD_RELEASE_FLAG_TRUSTED_PAYLOAD;
+ 		}
+-	} else if (item != NULL) {
+	}
+#endif
+	if (item != NULL) {
+ 		g_autoptr(GBytes) blob = NULL;
+ 		g_autoptr(GError) error_local = NULL;
+ 		g_autoptr(GPtrArray) results = NULL;
+@@ -1079,10 +1087,12 @@ fu_cabinet_init(FuCabinet *self)
+ 	self->builder = xb_builder_new();
+ 	self->jcat_file = jcat_file_new();
+ 	self->jcat_context = jcat_context_new();
+#if JCAT_CHECK_VERSION(0, 1, 13)
+ 	jcat_context_blob_kind_allow(self->jcat_context, JCAT_BLOB_KIND_SHA256);
+ 	jcat_context_blob_kind_allow(self->jcat_context, JCAT_BLOB_KIND_SHA512);
+ 	jcat_context_blob_kind_allow(self->jcat_context, JCAT_BLOB_KIND_PKCS7);
+ 	jcat_context_blob_kind_allow(self->jcat_context, JCAT_BLOB_KIND_GPG);
+#endif
+ }
+ 
+ static void
+diff --git a/src/fu-engine.c b/src/fu-engine.c
+index 498b6ebf8..9f2df208d 100644
+--- a/src/fu-engine.c
+++ b/src/fu-engine.c
+@@ -76,6 +76,11 @@
+ /* only needed until we hard depend on jcat 0.1.3 */
+ #include <libjcat/jcat-version.h>
+ 
+/* fixed in 0.1.14 */
+#ifndef JCAT_CHECK_VERSION
+#define JCAT_CHECK_VERSION LIBJCAT_CHECK_VERSION
+#endif
+
+ #ifdef HAVE_SYSTEMD
+ #include "fu-systemd.h"
+ #endif
+@@ -9336,10 +9341,12 @@ fu_engine_constructed(GObject *obj)
+ 
+ 	/* setup Jcat context */
+ 	self->jcat_context = jcat_context_new();
+#if JCAT_CHECK_VERSION(0, 1, 13)
+ 	jcat_context_blob_kind_allow(self->jcat_context, JCAT_BLOB_KIND_SHA256);
+ 	jcat_context_blob_kind_allow(self->jcat_context, JCAT_BLOB_KIND_SHA512);
+ 	jcat_context_blob_kind_allow(self->jcat_context, JCAT_BLOB_KIND_PKCS7);
+ 	jcat_context_blob_kind_allow(self->jcat_context, JCAT_BLOB_KIND_GPG);
+#endif
+ 	keyring_path = fu_path_from_kind(FU_PATH_KIND_LOCALSTATEDIR_PKG);
+ 	jcat_context_set_keyring_path(self->jcat_context, keyring_path);
+ 	pkidir_fw = fu_path_build(FU_PATH_KIND_SYSCONFDIR, "pki", "fwupd", NULL);
+@@ -9349,7 +9356,9 @@ fu_engine_constructed(GObject *obj)
+ 
+ 	/* add some runtime versions of things the daemon depends on */
+ 	fu_engine_add_runtime_version(self, "org.freedesktop.fwupd", VERSION);
+#if JCAT_CHECK_VERSION(0, 1, 11)
+ 	fu_engine_add_runtime_version(self, "com.hughsie.libjcat", jcat_version_string());
+#endif
+ 	fu_engine_add_runtime_version(self, "com.hughsie.libxmlb", xb_version_string());
+ 
+ 	/* optional kernel version */
+-- 
+2.52.0
+
--- a/0001-generate_binary-Add-NX-COMPAT-flag-manually-when-gen.patch
+++ b/0001-generate_binary-Add-NX-COMPAT-flag-manually-when-gen.patch
@ -1,91 +0,0 @@
-From cfd61f6958a46d5e9687f87caf04c94680382a9f Mon Sep 17 00:00:00 2001
-From: Nicolas Frayer <nfrayer@redhat.com>
-Date: Wed, 1 Feb 2023 12:13:45 +0100
-Subject: [PATCH] generate_binary: Add NX COMPAT flag manually when genpeimg
- missing
-
-When genpeimg or python3-pefile is missing, add the NX COMPAT flag
-manually by setting bit8 of the DllCharacteristics in the optional
-header, clear the TimeDateStamp and update the checksum.
---
- efi/generate_binary.py | 50 ++++++++++++++++++++++++++++++++++++++++--
- 1 file changed, 48 insertions(+), 2 deletions(-)
-
-diff --git a/efi/generate_binary.py b/efi/generate_binary.py
-index 7b802e7..10ab0b3 100755
--- a/efi/generate_binary.py
-+++ b/efi/generate_binary.py
-@@ -10,6 +10,13 @@
- import subprocess
- import sys
- import argparse
-+import os
-+import struct
-+
-+COFF_HDR_OFFSET = 0x80
-+OPTIONALHDR_CHECKSUM = COFF_HDR_OFFSET + 0x58
-+OPTIONALHDR_DLLCHARACTERISTICS = COFF_HDR_OFFSET + 0x5E
-+PEHEADER_TIMEDATASTAMP = COFF_HDR_OFFSET + 0x8
- 
- 
- def _run_objcopy(args):
-@@ -66,6 +73,27 @@ def _run_genpeimg(args):
-         sys.exit(1)
- 
- 
-+def generate_checksum(data):
-+    checksum_offset: int = OPTIONALHDR_CHECKSUM
-+    checksum: int = 0
-+    remainder: int = len(data) % 4
-+    data_len: int = len(data) + ((4 - remainder) * (remainder != 0))
-+    for i in range(int(data_len / 4)):
-+        if i == int(checksum_offset / 4):
-+            continue
-+        if i + 1 == (int(data_len / 4)) and remainder:
-+            dword = struct.unpack("I", data[i * 4 :] + (b"\0" * (4 - remainder)))[0]
-+        else:
-+            dword = struct.unpack("I", data[i * 4 : i * 4 + 4])[0]
-+        checksum += dword
-+        if checksum >= 2**32:
-+            checksum = (checksum & 0xFFFFFFFF) + (checksum >> 32)
-+    checksum = (checksum & 0xFFFF) + (checksum >> 16)
-+    checksum = checksum + (checksum >> 16)
-+    checksum = checksum & 0xFFFF
-+    return checksum + len(data)
-+
-+
- def _add_nx_pefile(args):
-     # unnecessary if we have genpeimg
-     if args.genpeimg:
-@@ -73,8 +101,26 @@ def _add_nx_pefile(args):
-     try:
-         import pefile
-     except ImportError:
-        print("Unable to add NX support to binaries without genpeimg or python3-pefile")
-        sys.exit(1)
-+        print("Adding NX support manually to the binary")
-+        with open(args.outfile, "r+b") as fh:
-+            buf = bytearray(fh.read(os.path.getsize(args.outfile)))
-+            fh.seek(0)
-+            DllCharacteristics = struct.unpack_from(
-+                "<H", buf, OPTIONALHDR_DLLCHARACTERISTICS
-+            )[0]
-+            DllCharacteristics |= 0x100
-+            struct.pack_into(
-+                "<H", buf, OPTIONALHDR_DLLCHARACTERISTICS, DllCharacteristics
-+            )
-+
-+            # set the timestamp to 0
-+            struct.pack_into("<I", buf, PEHEADER_TIMEDATASTAMP, 0x0)
-+
-+            # as we have set the NX COMPAT bit, regenerate the checksum
-+            struct.pack_into("<I", buf, OPTIONALHDR_CHECKSUM, generate_checksum(buf))
-+            fh.write(buf)
-+
-+        return
- 
-     pe = pefile.PE(args.outfile)
-     pe.OPTIONAL_HEADER.DllCharacteristics |= pefile.DLL_CHARACTERISTICS[
-- 
-2.39.1
-
--- a/fwupd.spec
+++ b/fwupd.spec
@ -1,11 +1,17 @@
-%global glib2_version 2.45.8
+%global glib2_version 2.68.0
 %global libxmlb_version 0.1.3
-%global libgusb_version 0.3.5
+%global libusb_version 1.0.9
 %global libcurl_version 7.62.0
 %global libjcat_version 0.1.0
-%global systemd_version 231
+%global systemd_version 249
 %global json_glib_version 1.1.1

+# to use this feature use `rpmbuild -ba fwupd.spec --with=libfwupdcompat`
+%bcond_with libfwupdcompat
+%if %{with libfwupdcompat} || 0%{?rhel}
+%global libfwupd_19x_version 31
+%endif
+
 # although we ship a few tiny python files these are utilities that 99.99%
 # of users do not need -- use this to avoid dragging python onto CoreOS
 %global __requires_exclude ^%{python3}$
@ -14,21 +20,26 @@
 %ifnarch ppc64le
 %global enable_tests 1
 %endif
+%global __meson_wrap_mode nodownload

-%global enable_dummy 1
-
-# fwupd.efi is only available on these arches
-%ifarch x86_64 aarch64
-%global have_uefi 1
+%if 0%{?fedora} >= 30 || 0%{?rhel} >= 10
+%global have_gi_docgen 1
 %endif

-# gpio.h is only available on these arches
-%ifarch x86_64 aarch64
-%global have_gpio 1
+# fwupd.efi is only available on these arches
+%ifarch x86_64 aarch64 riscv64
+%global have_uefi 1
+%define sb_ca		%{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
+%define sb_cer		%{_datadir}/pki/sb-certs/secureboot-fwupd-%{_arch}.cer
+%if 0%{?centos}
+%define sb_key		centossecureboot202
+%else
+%define sb_key		redhatsecureboot802
+%endif
 %endif

 # flashrom is only available on these arches
-%ifarch i686 x86_64 armv7hl aarch64 ppc64le
+%ifarch i686 x86_64 armv7hl aarch64 ppc64le riscv64
 %global have_flashrom 1
 %endif

@ -36,79 +47,77 @@
 %global have_msr 1
 %endif

-# Until we actually have seen it outside x86
-%ifarch i686 x86_64
-%global have_thunderbolt 1
-%endif
-
 # only available recently
 %if 0%{?fedora} >= 30
 %global have_modem_manager 1
 %endif

+%if 0%{?fedora}
+%global have_passim 1
+%endif
+
 Summary:   Firmware update daemon
 Name:      fwupd
-Version:   1.9.31
+Version:   2.0.19
 Release:   1%{?dist}
-License:   LGPLv2+
+License:   LGPL-2.1-or-later
 URL:       https://github.com/fwupd/fwupd
 Source0:   http://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz
-Source2:   http://people.freedesktop.org/~hughsient/releases/fwupd-efi-1.4.tar.xz
+%if 0%{?libfwupd_19x_version}
+Source1:   https://github.com/fwupd/%{name}-efi/archive/refs/tags/1.7.tar.gz
+Source2:   https://github.com/fwupd/%{name}/releases/download/1.9.%{libfwupd_19x_version}/%{name}-1.9.%{libfwupd_19x_version}.tar.xz
+%endif

-Patch101:  0001-generate_binary-Add-NX-COMPAT-flag-manually-when-gen.patch
+Source24:  https://fwupd.org/downloads/40d3a4630619b83026f66bc64d97a582bbd9223ad53aa3f519ff5e2121d11ca6-DBXUpdate-20250507-x64.cab

-Source10:  http://people.redhat.com/rhughes/dbx/DBXUpdate-20100307-x64.cab
-Source11:  http://people.redhat.com/rhughes/dbx/DBXUpdate-20140413-x64.cab
-Source12:  http://people.redhat.com/rhughes/dbx/DBXUpdate-20160809-x64.cab
-Source13:  http://people.redhat.com/rhughes/dbx/DBXUpdate-20200729-aa64.cab
-Source14:  http://people.redhat.com/rhughes/dbx/DBXUpdate-20200729-ia32.cab
-Source15:  http://people.redhat.com/rhughes/dbx/DBXUpdate-20200729-x64.cab
-Source16:  http://people.redhat.com/rhughes/dbx/DBXUpdate-20210429-x64.cab
-Source17:  http://people.redhat.com/rhughes/dbx/DBXUpdate-20220812-aa64.cab
-Source18:  http://people.redhat.com/rhughes/dbx/DBXUpdate-20220812-ia32.cab
-Source19:  http://people.redhat.com/rhughes/dbx/DBXUpdate-20220812-x64.cab
-Source20:  http://people.redhat.com/rhughes/dbx/DBXUpdate-20230509-aa64.cab
-Source21:  http://people.redhat.com/rhughes/dbx/DBXUpdate-20230509-ia32.cab
-Source22:  http://people.redhat.com/rhughes/dbx/DBXUpdate-20230509-x64.cab
-Source23:  http://people.redhat.com/rhughes/dbx/DBXUpdate-20241101-x64.cab
-Source24:  http://people.redhat.com/rhughes/dbx/DBXUpdate-20250507-legacy-x64.cab
+Patch101:  0001-Revert-trivial-Remove-some-dead-JCat-compat-code.patch
+Patch102:  0001-Disable-the-UEFI-plugins-on-32bit-x86.patch

-# these are numbered high just to keep them wildly away from colliding with
-# the real package sources, in order to reduce churn.
-Source300:   redhatsecurebootca3.cer
-Source301:   redhatsecureboot301.cer
-Source500:   redhatsecurebootca5.cer
-Source503:   redhatsecureboot503.cer
+Patch201:  0001-Revert-Require-gnu-efi-3.0.18-or-later.patch

 BuildRequires: gettext
+BuildRequires: hwdata
 BuildRequires: glib2-devel >= %{glib2_version}
 BuildRequires: libxmlb-devel >= %{libxmlb_version}
-BuildRequires: libgudev1-devel
-BuildRequires: libgusb-devel >= %{libgusb_version}
+BuildRequires: libusb1-devel >= %{libusb_version}
 BuildRequires: libcurl-devel >= %{libcurl_version}
 BuildRequires: libjcat-devel >= %{libjcat_version}
 BuildRequires: polkit-devel >= 0.103
+BuildRequires: protobuf-c-devel
+BuildRequires: python3-packaging
+BuildRequires: python3-jinja2
 BuildRequires: sqlite-devel
 BuildRequires: systemd >= %{systemd_version}
 BuildRequires: systemd-devel
 BuildRequires: libarchive-devel
+BuildRequires: libcbor-devel
+BuildRequires: libblkid-devel
+BuildRequires: readline-devel
+BuildRequires: libmnl-devel
+%if 0%{?have_passim}
+BuildRequires: passim-devel
+%endif
 BuildRequires: gobject-introspection-devel
 %ifarch %{valgrind_arches}
 BuildRequires: valgrind
 BuildRequires: valgrind-devel
 %endif
+%if 0%{?have_gi_docgen}
+BuildRequires: gi-docgen
+%endif
 BuildRequires: gnutls-devel
 BuildRequires: gnutls-utils
 BuildRequires: meson
 BuildRequires: json-glib-devel >= %{json_glib_version}
 BuildRequires: vala
-BuildRequires: bash-completion
+BuildRequires: pkgconfig(bash-completion)
 BuildRequires: git-core
 %if 0%{?have_flashrom}
 BuildRequires: flashrom-devel >= 1.2-2
 %endif
 BuildRequires: libdrm-devel
-BuildRequires: python3-jinja2
+# For fu-polkit-test
+BuildRequires: polkit

 %if 0%{?have_modem_manager}
 BuildRequires: ModemManager-glib-devel >= 1.10.0
@ -117,8 +126,8 @@ BuildRequires: libmbim-devel
 %endif

 %if 0%{?have_uefi}
-BuildRequires: efivar-devel >= 33
 BuildRequires: python3 python3-cairo python3-gobject
+BuildRequires: python3-pefile
 BuildRequires: pango-devel
 BuildRequires: cairo-devel cairo-gobject-devel
 BuildRequires: freetype
@ -127,6 +136,7 @@ BuildRequires: google-noto-sans-cjk-ttc-fonts
 BuildRequires: gnu-efi-devel
 BuildRequires: tpm2-tss-devel >= 2.2.3
 BuildRequires: pesign >= 113-20
+BuildRequires: system-sb-certs
 %endif

 Requires(post): systemd
@ -135,19 +145,33 @@ Requires(postun): systemd

 Requires: glib2%{?_isa} >= %{glib2_version}
 Requires: libxmlb%{?_isa} >= %{libxmlb_version}
-Requires: libgusb%{?_isa} >= %{libgusb_version}
 Requires: shared-mime-info

-Obsoletes: fwupd-sign < 0.1.6
-Obsoletes: libebitdo < 0.7.5-3
-Obsoletes: libdfu < 1.0.0
-Obsoletes: fwupd-labels < 1.1.0-1
+# deliberately has no _isa as libusbx in RHEL-9 does not include it
+Requires: libusb1 >= %{libusb_version}
+
+%if 0%{?rhel} > 7 || 0%{?fedora} > 28
+Recommends: python3
+%endif

 Obsoletes: dbxtool < 9
 Provides: dbxtool

+%if 0%{?rhel} > 7
+Obsoletes: fwupdate < 11-4
+Obsoletes: fwupdate-efi < 11-4
+
+Provides: fwupdate
+Provides: fwupdate-efi
+%endif
+
 # optional, but a really good idea
 Recommends: udisks2
+Recommends: bluez
+Recommends: jq
+%if 0%{?have_passim}
+Recommends: passim
+%endif

 %if 0%{?have_modem_manager}
 Recommends: %{name}-plugin-modem-manager
@ -155,6 +179,10 @@ Recommends: %{name}-plugin-modem-manager
 %if 0%{?have_flashrom}
 Recommends: %{name}-plugin-flashrom
 %endif
+%if 0%{?have_uefi}
+Recommends: %{name}-efi
+Recommends: %{name}-plugin-uefi-capsule-data
+%endif

 %description
 fwupd is a daemon to allow session software to update device firmware.
@ -195,22 +223,68 @@ This provides the optional package which is only required on hardware that
 can be flashed using flashrom. It is probably not required on servers.
 %endif

+%if 0%{?have_uefi}
+%package plugin-uefi-capsule-data
+Summary: Localized data for the UEFI UX capsule
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description plugin-uefi-capsule-data
+This provides the pregenerated BMP artwork for the UX capsule, which allows the
+"Installing firmware update…" localized text to be shown during a UEFI firmware
+update operation. This subpackage is probably not required on embedded hardware
+or server machines.
+%endif
+
 %prep
 %setup -q

+%patch -p1 101
+%patch -p1 102
+
+# the EFI helper
+%if 0%{?libfwupd_19x_version}
 mkdir -p subprojects/fwupd-efi
-tar xfvs %{SOURCE2} -C subprojects/fwupd-efi --strip-components=1
+tar xfvs %{SOURCE1} -C subprojects/fwupd-efi --strip-components=1
 cd subprojects/fwupd-efi
-%patch101 -p1
+%patch -p1 201
 cd -
+%endif
+
+# and the old version for libfwupd1
+%if 0%{?libfwupd_19x_version}
+tar xfs %{SOURCE2}
+%endif

 %build

+%if 0%{?libfwupd_19x_version}
+cd fwupd-1.9.%{libfwupd_19x_version}
 %meson \
+    -Dbuild=library \
    -Ddocs=disabled \
-    -Dlvfs=disabled \
-    -Dlaunchd=disabled \
-    -Dpassim=disabled \
+    -Dcbor=disabled \
+    -Dpolkit=disabled \
+    -Dtests=false \
+    -Dbash_completion=false \
+    -Dplugin_msr=disabled \
+    -Dintrospection=disabled \
+    -Dlaunchd=disabled
+%meson_build
+cd -
+%endif
+
+%meson \
+    -Dsupported_build=enabled \
+    -Dumockdev_tests=disabled \
+%if 0%{?have_uefi}
+    -Defi_binary=true \
+    -Dfwupd-efi:genpeimg=disabled \
+%endif
+%if 0%{?have_gi_docgen}
+    -Ddocs=enabled \
+%else
+    -Ddocs=disabled \
+%endif
 %if 0%{?enable_tests}
    -Dtests=true \
 %else
@ -221,54 +295,21 @@ cd -
 %else
    -Dplugin_flashrom=disabled \
 %endif
-%if 0%{?have_msr}
-    -Dplugin_msr=enabled \
-%else
-    -Dplugin_msr=disabled \
-%endif
-%if 0%{?have_gpio}
-    -Dplugin_gpio=enabled \
-%else
-    -Dplugin_gpio=disabled \
-%endif
-%if 0%{?have_uefi}
-    -Dplugin_uefi_capsule=enabled \
-    -Dplugin_uefi_pk=enabled \
-    -Dplugin_tpm=enabled \
-    -Defi_os_dir=%{efi_vendor} \
-%ifarch x86_64
-    -Dfwupd-efi:efi_sbat_distro_id="rhel" \
-    -Dfwupd-efi:efi_sbat_distro_summary="Red Hat Enterprise Linux" \
-    -Dfwupd-efi:efi_sbat_distro_pkgname="%{name}" \
-    -Dfwupd-efi:efi_sbat_distro_version="%{version}" \
-    -Dfwupd-efi:efi_sbat_distro_url="mail:secalert@redhat.com" \
-    -Dfwupd-efi:efi-libdir="/usr/lib64" \
-%endif
-%else
-    -Dplugin_uefi_capsule=disabled \
-    -Dplugin_uefi_pk=disabled \
-    -Dplugin_tpm=disabled \
-%endif
 %if 0%{?have_modem_manager}
    -Dplugin_modem_manager=enabled \
 %else
    -Dplugin_modem_manager=disabled \
+%endif
+    -Dbluez=disabled \
+    -Dlvfs=disabled \
+%if 0%{?have_passim}
+    -Dpassim=enabled \
+%else
+    -Dpassim=disabled \
 %endif
    -Dman=true \
    -Dsystemd_unit_user="" \
-    -Dcompat_cli=true \
-    -Dbluez=disabled \
-    -Dcbor=disabled \
-    -Dplugin_android_boot=disabled \
-    -Dplugin_cfu=disabled \
-    -Dplugin_igsc=disabled \
-    -Dplugin_intel_me=disabled \
-    -Dplugin_logitech_bulkcontroller=disabled \
-    -Dplugin_logitech_scribe=disabled \
-    -Dplugin_mtd=disabled \
-    -Dplugin_powerd=disabled \
-    -Dplugin_uf2=disabled \
-    -Dsupported_build=enabled
+    -Dbluez=enabled

 %meson_build

@ -278,25 +319,30 @@ cd -
 %endif

 %install
+
+%if 0%{?libfwupd_19x_version}
+cd fwupd-1.9.%{libfwupd_19x_version}
+%meson_install
+cd -
+%endif
+
 %meson_install

 # on RHEL the LVFS is disabled by default
-mkdir -p %{buildroot}/%{_datadir}/dbxtool
 install \
-  %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} \
-  %{SOURCE16} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE21} \
-  %{SOURCE22} %{SOURCE23} %{SOURCE24} \
-  %{buildroot}/%{_datadir}/dbxtool
+  %{SOURCE24} \
+  %{buildroot}/%{_datadir}/fwupd/remotes.d/vendor/firmware/

 # sign fwupd.efi loader
 %ifarch x86_64
 %global efiarch x64
 %global fwup_efi_fn $RPM_BUILD_ROOT%{_libexecdir}/fwupd/efi/fwupd%{efiarch}.efi
-%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.tmp -a %{SOURCE300} -c %{SOURCE301} -n redhatsecureboot301
-%pesign -s -i %{fwup_efi_fn}.tmp -o %{fwup_efi_fn}.signed -a %{SOURCE500} -c %{SOURCE503} -n redhatsecureboot503
-rm -fv %{fwup_efi_fn}.tmp
+%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.signed -a %{sb_ca} -c %{sb_cer} -n %{sb_key}
 %endif

+# literally pointless if we are building fwupd-efi as a subproject
+rm -f %{buildroot}%{_libdir}/pkgconfig/fwupd-efi.pc
+
 mkdir -p --mode=0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/fwupd/gnupg

 # workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1757948
@ -320,6 +366,10 @@ done
 %postun
 %systemd_postun_with_restart fwupd.service fwupd-refresh.timer

+%triggerun -- fedora-release-common < 39-0.28
+# For upgrades from versions before fwupd-refresh.timer was enabled by default
+systemctl --no-reload preset fwupd-refresh.timer &>/dev/null || :
+
 %files -f %{name}.lang
 %doc README.md
 %license COPYING
@ -329,19 +379,15 @@ done
 %ifarch x86_64
 %{_libexecdir}/fwupd/fwupd-detect-cet
 %endif
-%{_libexecdir}/fwupd/fwupdoffline
 %if 0%{?have_uefi}
 %{_libexecdir}/fwupd/efi/*.efi
 %ifarch x86_64
 %{_libexecdir}/fwupd/efi/*.efi.signed
 %endif
-%{_bindir}/fwupdate
-%endif
-%{_bindir}/dfu-tool
 %{_bindir}/dbxtool
+%endif
 %{_bindir}/fwupdmgr
 %{_bindir}/fwupdtool
-%{_bindir}/fwupdagent
 %dir %{_sysconfdir}/fwupd
 %dir %{_sysconfdir}/fwupd/bios-settings.d
 %{_sysconfdir}/fwupd/bios-settings.d/README.md
@ -354,6 +400,7 @@ done
 %if 0%{?have_msr}
 /usr/lib/modules-load.d/fwupd-msr.conf
 %endif
+/usr/lib/modules-load.d/fwupd-i2c.conf
 %{_datadir}/dbus-1/system.d/org.freedesktop.fwupd.conf
 %{_datadir}/bash-completion/completions/fwupdmgr
 %{_datadir}/bash-completion/completions/fwupdtool
@ -364,51 +411,43 @@ done
 %dir %{_datadir}/fwupd/remotes.d
 %dir %{_datadir}/fwupd/remotes.d/vendor
 %dir %{_datadir}/fwupd/remotes.d/vendor/firmware
+%{_datadir}/fwupd/remotes.d/vendor/firmware/*.cab
 %{_datadir}/fwupd/remotes.d/vendor/firmware/README.md
 %{_datadir}/dbus-1/interfaces/org.freedesktop.fwupd.xml
 %{_datadir}/polkit-1/actions/org.freedesktop.fwupd.policy
 %{_datadir}/polkit-1/rules.d/org.freedesktop.fwupd.rules
 %{_datadir}/dbus-1/system-services/org.freedesktop.fwupd.service
-%dir %{_datadir}/dbxtool
-%{_datadir}/dbxtool/DBXUpdate-20100307-x64.cab
-%{_datadir}/dbxtool/DBXUpdate-20140413-x64.cab
-%{_datadir}/dbxtool/DBXUpdate-20160809-x64.cab
-%{_datadir}/dbxtool/DBXUpdate-20200729-aa64.cab
-%{_datadir}/dbxtool/DBXUpdate-20200729-ia32.cab
-%{_datadir}/dbxtool/DBXUpdate-20200729-x64.cab
-%{_datadir}/dbxtool/DBXUpdate-20210429-x64.cab
-%{_datadir}/dbxtool/DBXUpdate-20220812-aa64.cab
-%{_datadir}/dbxtool/DBXUpdate-20220812-ia32.cab
-%{_datadir}/dbxtool/DBXUpdate-20220812-x64.cab
-%{_datadir}/dbxtool/DBXUpdate-20230509-aa64.cab
-%{_datadir}/dbxtool/DBXUpdate-20230509-ia32.cab
-%{_datadir}/dbxtool/DBXUpdate-20230509-x64.cab
-%{_datadir}/dbxtool/DBXUpdate-20241101-x64.cab
-%{_datadir}/dbxtool/DBXUpdate-20250507-legacy-x64.cab
-%{_mandir}/man1/*
+%{_mandir}/man1/fwupdtool.1*
+%if 0%{?have_uefi}
+%{_mandir}/man1/dbxtool.*
+%endif
+%{_mandir}/man1/fwupdmgr.1*
 %{_mandir}/man5/*
 %{_mandir}/man8/*
 %{_datadir}/metainfo/org.freedesktop.fwupd.metainfo.xml
-%{_datadir}/icons/hicolor/scalable/apps/org.freedesktop.fwupd.svg
+%{_datadir}/icons/hicolor/*/apps/org.freedesktop.fwupd.*
 %{_datadir}/fwupd/firmware_packager.py
 %{_datadir}/fwupd/simple_client.py
 %{_datadir}/fwupd/add_capsule_header.py
 %{_datadir}/fwupd/install_dell_bios_exe.py
-%{_unitdir}/fwupd-offline-update.service
 %{_unitdir}/fwupd.service
 %{_unitdir}/fwupd-refresh.service
 %{_unitdir}/fwupd-refresh.timer
-%{_unitdir}/system-update.target.wants/
 %dir %{_localstatedir}/lib/fwupd
 %dir %{_localstatedir}/cache/fwupd
 %dir %{_datadir}/fwupd/quirks.d
 %{_datadir}/fwupd/quirks.d/builtin.quirk.gz
+%if 0%{?have_gi_docgen}
+%{_datadir}/doc/fwupd/*.html
+%endif
 %if 0%{?have_uefi}
 %config(noreplace)%{_sysconfdir}/grub.d/35_fwupd
 %endif
+%if 0%{?libfwupd_19x_version}
 %{_libdir}/libfwupd.so.2*
+%endif
+%{_libdir}/libfwupd.so.3*
 %{_libdir}/girepository-1.0/Fwupd-2.0.typelib
-/usr/lib/udev/rules.d/*.rules
 /usr/lib/systemd/system-shutdown/fwupd.shutdown
 %dir %{_libdir}/fwupd-%{version}
 %{_libdir}/fwupd-%{version}/libfwupd*.so
@ -423,43 +462,39 @@ done
 %{_libdir}/fwupd-%{version}/libfu_plugin_flashrom.so
 %endif
 %if 0%{?have_uefi}
+%files plugin-uefi-capsule-data
 %{_datadir}/fwupd/uefi-capsule-ux.tar.xz
 %endif

 %files devel
 %{_datadir}/gir-1.0/Fwupd-2.0.gir
-%{_datadir}/vala/vapi
-%{_includedir}/fwupd-1
-%{_libdir}/libfwupd*.so
-%{_libdir}/pkgconfig/fwupd.pc
-%if 0%{?have_uefi}
-%{_libdir}/pkgconfig/fwupd-efi.pc
+%if 0%{?have_gi_docgen}
+%{_datadir}/doc/fwupd/libfwupdplugin
+%{_datadir}/doc/fwupd/libfwupd
+%{_datadir}/doc/libfwupdplugin
+%{_datadir}/doc/libfwupd
 %endif
+%{_datadir}/vala/vapi
+%if 0%{?libfwupd_19x_version}
+%{_includedir}/fwupd-1
+%endif
+%{_includedir}/fwupd-3
+%{_libdir}/libfwupd.so
+%{_libdir}/pkgconfig/fwupd.pc

 %files tests
 %if 0%{?enable_tests}
 %{_datadir}/fwupd/host-emulate.d/*.json.gz
-%dir %{_datadir}/installed-tests/fwupd
-%{_datadir}/installed-tests/fwupd/tests/*
-%{_datadir}/installed-tests/fwupd/fwupd-tests.xml
-%{_datadir}/installed-tests/fwupd/*.test
-%{_datadir}/installed-tests/fwupd/*.cab
-%{_datadir}/installed-tests/fwupd/fakedevice124.jcat
-%{_datadir}/installed-tests/fwupd/fakedevice124.bin
-%{_datadir}/installed-tests/fwupd/fakedevice124.metainfo.xml
-%{_datadir}/installed-tests/fwupd/*.sh
-%{_datadir}/installed-tests/fwupd/*.zip
-%if 0%{?have_uefi}
-%{_datadir}/installed-tests/fwupd/efi
-%endif
-%{_datadir}/installed-tests/fwupd/chassis_type
-%{_datadir}/installed-tests/fwupd/sys_vendor
-%{_libexecdir}/installed-tests/fwupd/*
-%dir %{_sysconfdir}/fwupd/remotes.d
+%{_datadir}/installed-tests/fwupd
+%{_libexecdir}/installed-tests/fwupd
 %{_datadir}/fwupd/remotes.d/fwupd-tests.conf
 %endif

 %changelog
+* Fri Jan 09 2026 Richard Hughes <richard@hughsie.com> 2.0.19-1
+- Rebase to get new hardware support
+- Resolves: #RHEL-125778
+
 * Fri Jul 11 2025 Richard Hughes <richard@hughsie.com> 1.9.31-1
 - Rebase to get new hardware support
 - Resolves: #RHEL-82423
--- a/redhatsecureboot301.cer
+++ b/redhatsecureboot301.cer
--- a/redhatsecureboot503.cer
+++ b/redhatsecureboot503.cer
--- a/redhatsecurebootca3.cer
+++ b/redhatsecurebootca3.cer
--- a/redhatsecurebootca5.cer
+++ b/redhatsecurebootca5.cer
--- a/19
+++ b/19
@ -1,17 +1,4 @@
+SHA512 (fwupd-2.0.19.tar.xz) = a4db6a776cbbedc54cd929899e9df7029f7ca9931a82c5a7661f48bcdc60c7dd18c926254b1b90e1fad225269fbe81f5323cba7ab37624b044c888648dce1944
+SHA512 (1.7.tar.gz) = db0857e76964c6e36dd8708fe3b4a0b56290543c374e40a9e1f0919e0016d59de6bd6d2e4f43fb2ddd706841917b60d36da086e1290d3351283504d287083a7e
 SHA512 (fwupd-1.9.31.tar.xz) = ce9cd5129d0bcbedade6ba11f661fd3350445557d3116f479a8628376e9e8d6a933e6d2632ac3576d47ad9dbf0eafd54480d2765be86f776e8f04f689287ec80
-SHA512 (fwupd-efi-1.4.tar.xz) = c330409861a8c1e332a0d4fd49c54ef2c5bf7cdaca99d14de39b50fb35f0c490e9f7f7a4c9dd48181bd509cd358c43eb23659536aea93408c1fefb47629e4991
-SHA512 (DBXUpdate-20100307-x64.cab) = f8ad56cf015f4cdc5c305856ff1f7a8589c25a2a671708c61883f427f38eb9b6a7abd3f2c8d79ef9d5076222255e42585917f8705a2a4b13f860bad4e02ec409
-SHA512 (DBXUpdate-20140413-x64.cab) = 75771876a2309fa8ca083c2e76520173d434229b7cacf1e7636bd9b1bc4f871d745c348b9792bfb65fd9f40ef54c25bb427b1431151e817e7050b7829456731a
-SHA512 (DBXUpdate-20160809-x64.cab) = c27c564999ae84515540f1a598cd0fd9ef3a80cdfaaf439f1c4cb04eaee0e73074548b6d76c21ca3af1ba9c4c0625907e821582998eb5617e33ecd412e6c8a13
-SHA512 (DBXUpdate-20200729-aa64.cab) = 7a0cea13ed9b645fd9f1d5e3410a451d83643a75f5dc603272b0771b093f2c012f9a19419160403631c250cf64127ad2ce1c8fa2079b04064af73fe85b9add33
-SHA512 (DBXUpdate-20200729-ia32.cab) = 578ec9cccf2001b8bfa54b66809a1662269677050e74bd3225536fbd2be56a8162c48669bd16ea553723580195df1693a28dc01fc1cf62ff06e36a2c5568f74f
-SHA512 (DBXUpdate-20200729-x64.cab) = b8b195167d286a3f16aaa7c89149a0d5b4c8f53080e3265758b912f250fa655533c603359b7d1c989ebad6953ce443809b3317ec1d00f750326945ee0537e43b
-SHA512 (DBXUpdate-20210429-x64.cab) = 7bc5e7780d105da89da367fbde7c33427bed6c37752b0ae6933793dfe96121c87e49629f14c3b762fc138b10e5c5b6db821dbdc56039ab761e3dca977fc7f817
-SHA512 (DBXUpdate-20220812-aa64.cab) = 422ebd0b9d15a26ad12b98798229615a1f5e272a95993934de0cd9d4e4e75589b41eae6366b52b4e25e8766bd7cf74f95d220b719649b1f3864603e46c18c193
-SHA512 (DBXUpdate-20220812-ia32.cab) = 09094cc747f865e21fc815199d6ad5b6d3b1c9e19621497e3fe7cdfc4b96e144e721673bdff9ea6204dd465e8a8e2da1cc2b4a4badfd1f4f82c54eace11acb42
-SHA512 (DBXUpdate-20220812-x64.cab) = 03dde66a31241ccaa562c57bd9b6b824f2a6b5a1d10affe32ee5a0452056609c981f8f7633bfc65fd0c7da79455b071dd9e02b6af7c880fb1c4a6ffdf577bcdc
-SHA512 (DBXUpdate-20230509-aa64.cab) = 259f2373d6ab4cd031fe8b993825ba4cf922306afb3da1617d7b4e9d4ac918018b463135f58ace884a2ceec01789f3b2b31aaf63e63501503e4efbcf46ce567b
-SHA512 (DBXUpdate-20230509-ia32.cab) = e9983039fa5283bf8357c75874842d06ac76a36e90c76406ab864a2b76f557f9649e84be3eb20ab473486cd60a08847ece0ef4015145357969067561338a7977
-SHA512 (DBXUpdate-20230509-x64.cab) = b2893b431adc3b155335a07e035979a2bf08b7c06975bde7c5561f5e5c1d8ed55f337e7a4782e6ad5c4c50c286cf474a1be356991784c88c23315c467fca30bb
-SHA512 (DBXUpdate-20241101-x64.cab) = 0a2883908e15c405c2b8b3adf84b3c322f3ddcb9cae8658bbe4ef99a2b575865654339a3b901db7bb2088b7a669a335be04c50134e7e2168871fc397e1a096b6
-SHA512 (DBXUpdate-20250507-legacy-x64.cab) = 12e2a24582be6b6653d68b6c99f8c667165883c79bada6d8f3b01b4867b4574343b75e88b014b37a4479a9bed9ae9542c59cbd084fdb44facf0f8b2efda9fec6
+SHA512 (40d3a4630619b83026f66bc64d97a582bbd9223ad53aa3f519ff5e2121d11ca6-DBXUpdate-20250507-x64.cab) = f94e4f44a62621fc0a032a99613df81452bfc8eefc41f473708a43502fb298b477ed9d902166c833278397303a166d29ed891d797fe8e3b3afece5d6bc9645f2