9 changed files with 944 additions and 334 deletions
--- a/.fwupd.metadata
+++ b/.fwupd.metadata
@ -4,6 +4,16 @@ a5f73c606abb93bf61625e4628d27a2cd460f162 SOURCES/DBXUpdate-20160809-x64.cab
 b5b2dc87daca1d3f8081a323290432c141aa405d SOURCES/DBXUpdate-20200729-aa64.cab
 3fb407561768a3a2f5fb49d7738b5e0650e70810 SOURCES/DBXUpdate-20200729-ia32.cab
 89db93c9d9d20f81791a262e817b99d8882c8bb0 SOURCES/DBXUpdate-20200729-x64.cab
-59006fd556faeacc8185075c8fe7826249a2da32 SOURCES/fwupd-1.7.8.tar.xz
-1a586c3634ef190e6128351ee60fd17d0e584f7c SOURCES/fwupd-efi-1.3.tar.xz
-a62a28924d26cd49b6441170795a237ba33ec192 SOURCES/libjcat-0.1.9.tar.xz
+cd2bbe591438fe893b4042dc03d30659c1e31756 SOURCES/DBXUpdate-20210429-x64.cab
+d3ae610f5b6e602feded54eae8d67ddb7c60e64f SOURCES/DBXUpdate-20220812-aa64.cab
+0ac8508ef7a86959e6ab03deec256b19df29677f SOURCES/DBXUpdate-20220812-ia32.cab
+60f9aa664cb7588e33ce56d621dafa9b5a71e072 SOURCES/DBXUpdate-20220812-x64.cab
+46a42362cd34c0d103cf534ca431508d24715e51 SOURCES/DBXUpdate-20230509-aa64.cab
+23d9544ef0f9b39a76d258f6d4a4a54d8f7592b2 SOURCES/DBXUpdate-20230509-ia32.cab
+bc6a604b29918d67d5fef745ad4375ca3d43d05e SOURCES/DBXUpdate-20230509-x64.cab
+a8c8f0cc046ecff12e425484bc5ec1eb7fe49e90 SOURCES/fwupd-1.9.13.tar.xz
+147b36f75fca288fd01d9ed4150866344d57df27 SOURCES/fwupd-efi-1.4.tar.xz
+4a07b56e28741884b86da6ac91f8f9929541a1e4 SOURCES/redhatsecureboot301.cer
+33e260486f5c12e47b72b90dfb779ca892f56c45 SOURCES/redhatsecureboot503.cer
+cf9230e69000076727e5b784ec871d22716dc5da SOURCES/redhatsecurebootca3.cer
+e6f506462069aa17d2e8610503635c20f3a995c3 SOURCES/redhatsecurebootca5.cer
--- a/.gitignore
+++ b/.gitignore
@ -4,6 +4,16 @@ SOURCES/DBXUpdate-20160809-x64.cab
 SOURCES/DBXUpdate-20200729-aa64.cab
 SOURCES/DBXUpdate-20200729-ia32.cab
 SOURCES/DBXUpdate-20200729-x64.cab
-SOURCES/fwupd-1.7.8.tar.xz
-SOURCES/fwupd-efi-1.3.tar.xz
-SOURCES/libjcat-0.1.9.tar.xz
+SOURCES/DBXUpdate-20210429-x64.cab
+SOURCES/DBXUpdate-20220812-aa64.cab
+SOURCES/DBXUpdate-20220812-ia32.cab
+SOURCES/DBXUpdate-20220812-x64.cab
+SOURCES/DBXUpdate-20230509-aa64.cab
+SOURCES/DBXUpdate-20230509-ia32.cab
+SOURCES/DBXUpdate-20230509-x64.cab
+SOURCES/fwupd-1.9.13.tar.xz
+SOURCES/fwupd-efi-1.4.tar.xz
+SOURCES/redhatsecureboot301.cer
+SOURCES/redhatsecureboot503.cer
+SOURCES/redhatsecurebootca3.cer
+SOURCES/redhatsecurebootca5.cer
--- a/SOURCES/0001-Correctly-migrate-from-v2-to-database-schema-v10.patch
+++ b/SOURCES/0001-Correctly-migrate-from-v2-to-database-schema-v10.patch
@ -0,0 +1,47 @@
+From 6fc21ec8364babc2edc57d6a39ee44c1e72cc6b2 Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Sun, 18 Feb 2024 10:23:03 +0000
+Subject: [PATCH] Correctly migrate from v2 to database schema v10
+
+Artificially bump the schema version to v11 to ensure the migration is done.
+
+diff --git a/src/fu-history.c b/src/fu-history.c
+index 21a4fd3e8..3be03c3a7 100644
+--- a/src/fu-history.c
+++ b/src/fu-history.c
+@@ -21,7 +21,20 @@
+ #include "fu-history.h"
+ #include "fu-security-attr-common.h"
+ 
+-#define FU_HISTORY_CURRENT_SCHEMA_VERSION 10
+/*
+ * v1	legacy schema
+ * v2	initial schema
+ * v3	add checksum_device to history
+ * v4	add protocol to history
+ * v5	create table approved_firmware
+ * v6	create table blocked_firmware
+ * v7	create table hsi_history
+ * v8	add release_id to history
+ * v9	add appstream_id to history
+ * v10	add version_format to history
+ * v11	no changes, bumped due to bungled migration to v10
+ */
+#define FU_HISTORY_CURRENT_SCHEMA_VERSION 11
+ 
+ static void
+ fu_history_finalize(GObject *object);
+@@ -466,11 +479,12 @@ fu_history_create_or_migrate(FuHistory *self, guint schema_ver, GError **error)
+ 	case 8:
+ 		if (!fu_history_migrate_database_v8(self, error))
+ 			return FALSE;
+-		break;
+ 	/* fall through */
+ 	case 9:
+	case 10:
+ 		if (!fu_history_migrate_database_v9(self, error))
+ 			return FALSE;
+		/* no longer fall through */
+ 		break;
+ 	default:
+ 		/* this is probably okay, but return an error if we ever delete
--- a/SOURCES/0001-generate_binary-Add-NX-COMPAT-flag-manually-when-gen.patch
+++ b/SOURCES/0001-generate_binary-Add-NX-COMPAT-flag-manually-when-gen.patch
@ -0,0 +1,91 @@
+From cfd61f6958a46d5e9687f87caf04c94680382a9f Mon Sep 17 00:00:00 2001
+From: Nicolas Frayer <nfrayer@redhat.com>
+Date: Wed, 1 Feb 2023 12:13:45 +0100
+Subject: [PATCH] generate_binary: Add NX COMPAT flag manually when genpeimg
+ missing
+
+When genpeimg or python3-pefile is missing, add the NX COMPAT flag
+manually by setting bit8 of the DllCharacteristics in the optional
+header, clear the TimeDateStamp and update the checksum.
+---
+ efi/generate_binary.py | 50 ++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 48 insertions(+), 2 deletions(-)
+
+diff --git a/efi/generate_binary.py b/efi/generate_binary.py
+index 7b802e7..10ab0b3 100755
+--- a/efi/generate_binary.py
+++ b/efi/generate_binary.py
+@@ -10,6 +10,13 @@
+ import subprocess
+ import sys
+ import argparse
+import os
+import struct
+
+COFF_HDR_OFFSET = 0x80
+OPTIONALHDR_CHECKSUM = COFF_HDR_OFFSET + 0x58
+OPTIONALHDR_DLLCHARACTERISTICS = COFF_HDR_OFFSET + 0x5E
+PEHEADER_TIMEDATASTAMP = COFF_HDR_OFFSET + 0x8
+ 
+ 
+ def _run_objcopy(args):
+@@ -66,6 +73,27 @@ def _run_genpeimg(args):
+         sys.exit(1)
+ 
+ 
+def generate_checksum(data):
+    checksum_offset: int = OPTIONALHDR_CHECKSUM
+    checksum: int = 0
+    remainder: int = len(data) % 4
+    data_len: int = len(data) + ((4 - remainder) * (remainder != 0))
+    for i in range(int(data_len / 4)):
+        if i == int(checksum_offset / 4):
+            continue
+        if i + 1 == (int(data_len / 4)) and remainder:
+            dword = struct.unpack("I", data[i * 4 :] + (b"\0" * (4 - remainder)))[0]
+        else:
+            dword = struct.unpack("I", data[i * 4 : i * 4 + 4])[0]
+        checksum += dword
+        if checksum >= 2**32:
+            checksum = (checksum & 0xFFFFFFFF) + (checksum >> 32)
+    checksum = (checksum & 0xFFFF) + (checksum >> 16)
+    checksum = checksum + (checksum >> 16)
+    checksum = checksum & 0xFFFF
+    return checksum + len(data)
+
+
+ def _add_nx_pefile(args):
+     # unnecessary if we have genpeimg
+     if args.genpeimg:
+@@ -73,8 +101,26 @@ def _add_nx_pefile(args):
+     try:
+         import pefile
+     except ImportError:
+-        print("Unable to add NX support to binaries without genpeimg or python3-pefile")
+-        sys.exit(1)
+        print("Adding NX support manually to the binary")
+        with open(args.outfile, "r+b") as fh:
+            buf = bytearray(fh.read(os.path.getsize(args.outfile)))
+            fh.seek(0)
+            DllCharacteristics = struct.unpack_from(
+                "<H", buf, OPTIONALHDR_DLLCHARACTERISTICS
+            )[0]
+            DllCharacteristics |= 0x100
+            struct.pack_into(
+                "<H", buf, OPTIONALHDR_DLLCHARACTERISTICS, DllCharacteristics
+            )
+
+            # set the timestamp to 0
+            struct.pack_into("<I", buf, PEHEADER_TIMEDATASTAMP, 0x0)
+
+            # as we have set the NX COMPAT bit, regenerate the checksum
+            struct.pack_into("<I", buf, OPTIONALHDR_CHECKSUM, generate_checksum(buf))
+            fh.write(buf)
+
+        return
+ 
+     pe = pefile.PE(args.outfile)
+     pe.OPTIONAL_HEADER.DllCharacteristics |= pefile.DLL_CHARACTERISTICS[
+-- 
+2.39.1
+
--- a/SOURCES/redhatsecureboot301.cer
+++ b/SOURCES/redhatsecureboot301.cer
--- a/SOURCES/redhatsecureboot503.cer
+++ b/SOURCES/redhatsecureboot503.cer
--- a/SOURCES/redhatsecurebootca3.cer
+++ b/SOURCES/redhatsecurebootca3.cer
--- a/SOURCES/redhatsecurebootca5.cer
+++ b/SOURCES/redhatsecurebootca5.cer
--- a/SPECS/fwupd.spec
+++ b/SPECS/fwupd.spec