21 changed files with 1003 additions and 249 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/mokutil-0.6.0.tar.gz
+SOURCES/0.3.0.tar.gz
--- a/.mokutil.metadata
+++ b/.mokutil.metadata
@ -1 +1 @@
-b38fa41703cae749d8f642d3218cdff5d5d9a8ec SOURCES/mokutil-0.6.0.tar.gz
+8686e2ab33689a7f71268db3c8dc0a51ba291d93 SOURCES/0.3.0.tar.gz
--- a/SOURCES/0001-Fix-the-potential-buffer-overflow.patch
+++ b/SOURCES/0001-Fix-the-potential-buffer-overflow.patch
@ -0,0 +1,33 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin <glin@suse.com>
+Date: Tue, 4 Nov 2014 15:50:03 +0800
+Subject: [PATCH] Fix the potential buffer overflow
+
+Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
+---
+ src/mokutil.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 5b34f22..93fb6fa 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -1743,7 +1743,7 @@ set_toggle (const char * VarName, uint32_t state)
+ 	MokToggleVar tvar;
+ 	char *password = NULL;
+ 	unsigned int pw_len;
+-	efi_char16_t efichar_pass[SB_PASSWORD_MAX];
+	efi_char16_t efichar_pass[SB_PASSWORD_MAX+1];
+ 	int ret = -1;
+ 
+ 	printf ("password length: %d~%d\n", SB_PASSWORD_MIN, SB_PASSWORD_MAX);
+@@ -1757,8 +1757,7 @@ set_toggle (const char * VarName, uint32_t state)
+ 	efichar_from_char (efichar_pass, password,
+ 			   SB_PASSWORD_MAX * sizeof(efi_char16_t));
+ 
+-	memcpy(tvar.password, efichar_pass,
+-	       SB_PASSWORD_MAX * sizeof(efi_char16_t));
+	memcpy(tvar.password, efichar_pass, sizeof(tvar.password));
+ 
+ 	tvar.mok_toggle_state = state;
+ 
--- a/SOURCES/0001-Show-usage-instead-of-aborting-on-bad-flags.patch
+++ b/SOURCES/0001-Show-usage-instead-of-aborting-on-bad-flags.patch
@ -1,31 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Tue, 17 May 2022 11:23:28 -0400
-Subject: [PATCH] Show usage instead of aborting on bad flags
-
-Aborting here just confuses users and is sufficiently unexpected to
-cause the filing of bugs.
-
-Related: https://bugzilla.redhat.com/show_bug.cgi?id=2087066
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
-(cherry picked from commit 82694cb1ce3b29c3705c25ae4cea3d07fe57b558)
---
- src/mokutil.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/src/mokutil.c b/src/mokutil.c
-index 5d725c9..e8228af 100644
--- a/src/mokutil.c
-+++ b/src/mokutil.c
-@@ -2087,10 +2087,9 @@ main (int argc, char *argv[])
- 			goto out;
- 		case 'h':
- 		case '?':
-+		default:
- 			command |= HELP;
- 			break;
-		default:
-			abort ();
- 		}
- 	}
- 
--- a/SOURCES/0002-Fix-the-32bit-signedness-comparison.patch
+++ b/SOURCES/0002-Fix-the-32bit-signedness-comparison.patch
@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin <glin@suse.com>
+Date: Mon, 24 Nov 2014 11:38:54 +0800
+Subject: [PATCH] Fix the 32bit signedness comparison
+
+---
+ src/mokutil.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 93fb6fa..a7e83f7 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -1284,7 +1284,7 @@ issue_mok_request (char **files, uint32_t total, MokRequest req,
+ 
+ 		/* Mok */
+ 		read_size = read (fd, ptr, sizes[i]);
+-		if (read_size < 0 || read_size != sizes[i]) {
+		if (read_size < 0 || read_size != (int64_t)sizes[i]) {
+ 			fprintf (stderr, "Failed to read %s\n", files[i]);
+ 			goto error;
+ 		}
+@@ -1645,7 +1645,7 @@ export_moks ()
+ 			goto error;
+ 		}
+ 
+-		while (offset < list[i].mok_size) {
+		while (offset < (int64_t)list[i].mok_size) {
+ 			write_size = write (fd, list[i].mok + offset,
+ 						list[i].mok_size - offset);
+ 			if (write_size < 0) {
--- a/SOURCES/0002-mokutil-bugfix-del-unused-opt-s.patch
+++ b/SOURCES/0002-mokutil-bugfix-del-unused-opt-s.patch
@ -1,26 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: gaoyusong <gaoyusong2@huawei.com>
-Date: Mon, 30 May 2022 17:54:47 +0800
-Subject: [PATCH] mokutil bugfix: del unused opt "-s"
-
-The -s option can cause unexcepted result.
-
-Signed-off-by: gaoyusong <gaoyusong2@huawei.com>
-(cherry picked from commit 04791c29e198b18808bca519267e31c8d3786a08)
---
- src/mokutil.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/mokutil.c b/src/mokutil.c
-index e8228af..6982ade 100644
--- a/src/mokutil.c
-+++ b/src/mokutil.c
-@@ -1851,7 +1851,7 @@ main (int argc, char *argv[])
- 		};
- 
- 		int option_index = 0;
-		c = getopt_long (argc, argv, "cd:f:g::hi:lmpst:xDNPXv",
-+		c = getopt_long (argc, argv, "cd:f:g::hi:lmpt:xDNPXv",
- 				 long_options, &option_index);
- 
- 		if (c == -1)
--- a/SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch
+++ b/SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch
@ -0,0 +1,39 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 19 Jun 2015 16:53:36 -0400
+Subject: [PATCH] Build with -fshort-wchar so toggle passwords work right.
+
+This source tree uses:
+
+typedef wchar_t efi_char16_t;
+
+to define UEFI's UCS-2 character type.  On many platforms, wchar_t is
+32-bits by default.  As a result, efichar_from_char winds up writing
+4-byte characters instead of 2-byte characters.  In the case where we
+hash the password in mokutil, this works fine, because the same datatype
+is used, and the values are the same.  But for our feature toggles,
+where we store the raw data and shim is interpretting the character
+array, every other character winds up being L'\0', and verification
+fails.
+
+So always build with -fshort-wchar to ensure we get 2-byte character
+storage.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index fe28fb9..69d412a 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -37,7 +37,7 @@ else
+ 	default_strict=no
+ fi
+ 
+-WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11"
+WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11 -fshort-wchar"
+ 
+ AC_ARG_ENABLE(strict, AS_HELP_STRING([--enable-strict],[Enable strict compilation options]), enable_strict=$enableval,
+ 		enable_strict=$default_strict)
--- a/SOURCES/0003-Fix-leak-of-list-in-delete_data_from_req_var.patch
+++ b/SOURCES/0003-Fix-leak-of-list-in-delete_data_from_req_var.patch
@ -1,28 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Thu, 2 Jun 2022 12:56:31 -0400
-Subject: [PATCH] Fix leak of list in delete_data_from_req_var()
-
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
-(cherry picked from commit d978c18f61b877afaab45a82d260b525423b8248)
---
- src/util.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/src/util.c b/src/util.c
-index 621869f..6cd0302 100644
--- a/src/util.c
-+++ b/src/util.c
-@@ -295,8 +295,10 @@ delete_data_from_req_var (const MokRequest req, const efi_guid_t *type,
- 	}
- 
- 	/* the key or hash is not in this list */
-	if (start == NULL)
-		return 0;
-+	if (start == NULL) {
-+		ret = 0;
-+		goto done;
-+	}
- 
- 	/* all keys are removed */
- 	if (total == 0) {
--- a/SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
+++ b/SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
@ -0,0 +1,29 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 16 Jun 2015 17:06:30 -0400
+Subject: [PATCH] Don't allow sha1 on the mokutil command line.
+
+Related: rhbz#1115843
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/mokutil.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index a7e83f7..1fb34f9 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -1351,10 +1351,12 @@ identify_hash_type (const char *hash_str, efi_guid_t *type)
+ 	}
+ 
+ 	switch (len) {
+#if 0
+ 	case SHA_DIGEST_LENGTH*2:
+ 		*type = efi_guid_sha1;
+ 		hash_size = SHA_DIGEST_LENGTH;
+ 		break;
+#endif
+ 	case SHA224_DIGEST_LENGTH*2:
+ 		*type = efi_guid_sha224;
+ 		hash_size = SHA224_DIGEST_LENGTH;
--- a/SOURCES/0004-Fix-leak-of-fd-in-mok_get_variable.patch
+++ b/SOURCES/0004-Fix-leak-of-fd-in-mok_get_variable.patch
@ -1,70 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood@redhat.com>
-Date: Thu, 2 Jun 2022 13:00:22 -0400
-Subject: [PATCH] Fix leak of fd in mok_get_variable()
-
-On success, it was never closed.  Refactor the code to use a single
-egress path so its closure is clear.
-
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
-(cherry picked from commit e498f6460ff5aea6a7cd61a33087d03e88a2f52a)
---
- src/util.c | 24 +++++++++++++-----------
- 1 file changed, 13 insertions(+), 11 deletions(-)
-
-diff --git a/src/util.c b/src/util.c
-index 6cd0302..f7fc033 100644
--- a/src/util.c
-+++ b/src/util.c
-@@ -57,22 +57,21 @@ mok_get_variable(const char *name, uint8_t **datap, size_t *data_sizep)
- 		return fd;
- 
- 	rc = fstat(fd, &sb);
-	if (rc < 0) {
-err_close:
-		close(fd);
-		return rc;
-	}
-+	if (rc < 0)
-+		goto done;
- 
- 	if (sb.st_size == 0) {
- 		errno = ENOENT;
- 		rc = -1;
-		goto err_close;
-+		goto done;
- 	}
- 
- 	bufsz = sb.st_size;
- 	buf = calloc(1, bufsz);
-	if (!buf)
-		goto err_close;
-+	if (!buf) {
-+		rc = -1;
-+		goto done;
-+	}
- 
- 	while (pos < bufsz) {
- 		ssz = read(fd, &buf[pos], bufsz - pos);
-@@ -82,15 +81,18 @@ err_close:
- 			    errno == EINTR)
- 				continue;
- 			free(buf);
-			goto err_close;
-+			rc = -1;
-+			goto done;
- 		}
- 
- 		pos += ssz;
- 	}
- 	*datap = buf;
- 	*data_sizep = pos;
-
-	return 0;
-+	rc = 0;
-+done:
-+	close(fd);
-+	return rc;
- }
- 
- MokListNode*
--- a/SOURCES/0005-Make-all-efi_guid_t-const.patch
+++ b/SOURCES/0005-Make-all-efi_guid_t-const.patch
@ -0,0 +1,84 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Wed, 13 Jan 2016 16:05:21 +0800
+Subject: [PATCH] Make all efi_guid_t const
+
+All UEFI GUIDs defined in efivar are const. Declare all of them const
+to make gcc happy.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ src/mokutil.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 1fb34f9..d2c52b4 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -200,7 +200,7 @@ efichar_from_char (efi_char16_t *dest, const char *src, size_t dest_len)
+ }
+ 
+ static uint32_t
+-efi_hash_size (efi_guid_t *hash_type)
+efi_hash_size (const efi_guid_t *hash_type)
+ {
+ 	if (efi_guid_cmp (hash_type, &efi_guid_sha1) == 0) {
+ 		return SHA_DIGEST_LENGTH;
+@@ -218,7 +218,7 @@ efi_hash_size (efi_guid_t *hash_type)
+ }
+ 
+ static uint32_t
+-signature_size (efi_guid_t *hash_type)
+signature_size (const efi_guid_t *hash_type)
+ {
+ 	uint32_t hash_size;
+ 
+@@ -439,7 +439,7 @@ list_keys (uint8_t *data, size_t data_size)
+ 
+ /* match the hash in the hash array and return the index if matched */
+ static int
+-match_hash_array (efi_guid_t *hash_type, const void *hash,
+match_hash_array (const efi_guid_t *hash_type, const void *hash,
+ 		  const void *hash_array, const uint32_t array_size)
+ {
+ 	uint32_t hash_size, hash_count;
+@@ -469,8 +469,8 @@ match_hash_array (efi_guid_t *hash_type, const void *hash,
+ }
+ 
+ static int
+-delete_data_from_list (efi_guid_t *var_guid, const char *var_name,
+-		       efi_guid_t *type, void *data, uint32_t data_size)
+delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
+		       const efi_guid_t *type, void *data, uint32_t data_size)
+ {
+ 	uint8_t *var_data = NULL;
+ 	size_t var_data_size = 0;
+@@ -1006,8 +1006,8 @@ is_valid_cert (void *cert, uint32_t cert_size)
+ }
+ 
+ static int
+-is_duplicate (efi_guid_t *type, const void *data, const uint32_t data_size,
+-	      efi_guid_t *vendor, const char *db_name)
+is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size,
+	      const efi_guid_t *vendor, const char *db_name)
+ {
+ 	uint8_t *var_data;
+ 	size_t var_data_size;
+@@ -1059,7 +1059,7 @@ done:
+ }
+ 
+ static int
+-is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size,
+is_valid_request (const efi_guid_t *type, void *mok, uint32_t mok_size,
+ 		  MokRequest req)
+ {
+ 	switch (req) {
+@@ -1096,7 +1096,7 @@ is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size,
+ }
+ 
+ static int
+-in_pending_request (efi_guid_t *type, void *data, uint32_t data_size,
+in_pending_request (const efi_guid_t *type, void *data, uint32_t data_size,
+ 		    MokRequest req)
+ {
+ 	uint8_t *authvar_data;
--- a/SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
+++ b/SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
@ -0,0 +1,34 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 14 Jun 2016 10:19:43 -0400
+Subject: [PATCH] mokutil: be explicit about file modes in all cases.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/mokutil.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index d2c52b4..d554f6c 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -574,7 +574,8 @@ delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
+ 		     | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ 		     | EFI_VARIABLE_RUNTIME_ACCESS;
+ 	ret = efi_set_variable (*var_guid, var_name,
+-				var_data, total, attributes);
+				var_data, total, attributes,
+				S_IRUSR | S_IWUSR);
+ 	if (ret < 0) {
+ 		fprintf (stderr, "Failed to write variable \"%s\": %m\n",
+ 			 var_name);
+@@ -938,7 +939,8 @@ update_request (void *new_list, int list_len, MokRequest req,
+ 		data_size = list_len;
+ 
+ 		if (efi_set_variable (efi_guid_shim, req_name,
+-				      data, data_size, attributes) < 0) {
+				      data, data_size, attributes,
+				      S_IRUSR | S_IWUSR) < 0) {
+ 			switch (req) {
+ 			case ENROLL_MOK:
+ 				fprintf (stderr, "Failed to enroll new keys\n");
--- a/SOURCES/0007-Add-bash-completion-file.patch
+++ b/SOURCES/0007-Add-bash-completion-file.patch
@ -0,0 +1,95 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 14 Jun 2016 10:20:14 -0400
+Subject: [PATCH] Add bash completion file.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ configure.ac | 17 +++++++++++++++++
+ Makefile.am  |  5 +++++
+ data/mokutil | 37 +++++++++++++++++++++++++++++++++++++
+ 3 files changed, 59 insertions(+)
+ create mode 100755 data/mokutil
+
+diff --git a/configure.ac b/configure.ac
+index 69d412a..7b52a06 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -86,6 +86,23 @@ AC_CHECK_FUNCS([memset])
+ PKG_CHECK_MODULES(OPENSSL, [openssl >= 0.9.8])
+ PKG_CHECK_MODULES(EFIVAR, [efivar >= 0.12])
+ 
+AC_ARG_WITH([bash-completion-dir],
+    AS_HELP_STRING([--with-bash-completion-dir[=PATH]],
+        [Install the bash auto-completion script in this directory. @<:@default=yes@:>@]),
+    [],
+    [with_bash_completion_dir=yes])
+
+if test "x$with_bash_completion_dir" = "xyes"; then
+    PKG_CHECK_MODULES([BASH_COMPLETION], [bash-completion >= 2.0],
+        [BASH_COMPLETION_DIR="`pkg-config --variable=completionsdir bash-completion`"],
+        [BASH_COMPLETION_DIR="$datadir/bash-completion/completions"])
+else
+    BASH_COMPLETION_DIR="$with_bash_completion_dir"
+fi
+
+AC_SUBST([BASH_COMPLETION_DIR])
+AM_CONDITIONAL([ENABLE_BASH_COMPLETION],[test "x$with_bash_completion_dir" != "xno"])
+
+ AC_CONFIG_FILES([Makefile
+                  src/Makefile
+ 		 man/Makefile])
+diff --git a/Makefile.am b/Makefile.am
+index 9f0d419..c17cc4a 100644
+--- a/Makefile.am
+++ b/Makefile.am
+@@ -1 +1,6 @@
+ SUBDIRS = src man
+
+if ENABLE_BASH_COMPLETION
+  bashcompletiondir = $(BASH_COMPLETION_DIR)
+  dist_bashcompletion_DATA = data/mokutil
+endif
+diff --git a/data/mokutil b/data/mokutil
+new file mode 100755
+index 0000000..800b039
+--- /dev/null
+++ b/data/mokutil
+@@ -0,0 +1,37 @@
+#!/bin/bash
+
+_mokutil()
+{
+	local cur=${COMP_WORDS[COMP_CWORD]}
+
+	if [[ "$cur" == -* ]]; then
+		#COMPREPLY=( $( compgen -W "--help --list-enrolled --list-new --list-delete --import --delete --revoke-import --revoke-delete --export --password --clear-password --disable-validation --enable-validation --sb-state --test-key --reset --generate-hash --hash-file --root-pw --simple-hash" -- $cur ) )
+		COMPREPLY=( $( compgen -W '$( _parse_help "$1" --long-help ) -h -l -N -D -i -d -x -p -c -t -f -g -P -s -X' -- "$cur" ) )
+		[[ $COMPREPLY == *= ]] && compopt -o nospace
+		return 0
+	fi
+
+	case "${COMP_WORDS[COMP_CWORD-1]}" in
+	--import|-i|--delete|-d|--test-key|-t|--hash-file|-f)
+		_filedir
+		return 0
+		;;
+	--import-hash|--delete-hash)
+		COMPREPLY=( $( compgen -W "" ) )
+		return 0
+		;;
+	--set-verbosity)
+		COMPREPLY=( $( compgen -W "true false") )
+		return 0
+		;;
+	--generate-hash|-g)
+		COMPREPLY=( $( compgen -o nospace -P= -W "") )
+		return 0
+		;;
+	*)
+		return 0
+		;;
+	esac
+}
+
+complete -F _mokutil mokutil
--- a/SOURCES/0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch
+++ b/SOURCES/0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch
@ -0,0 +1,24 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Tyler Hicks <tyhicks@canonical.com>
+Date: Mon, 20 Jun 2016 11:18:17 -0500
+Subject: [PATCH] Fix typo in error message when the system lacks Secure Boot
+ support
+
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+---
+ src/mokutil.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index d554f6c..27f1292 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -2297,7 +2297,7 @@ main (int argc, char *argv[])
+ 		rc = efi_get_variable (efi_guid_global, "SecureBoot",
+ 				       &data, &data_size, &attributes);
+ 		if (rc < 0) {
+-			fprintf(stderr, "This system does't support Secure Boot\n");
+			fprintf(stderr, "This system doesn't support Secure Boot\n");
+ 			ret = -1;
+ 			goto out;
+ 		}
--- a/SOURCES/0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch
+++ b/SOURCES/0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch
@ -0,0 +1,23 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 3 Apr 2017 16:33:38 -0400
+Subject: [PATCH] list_keys_in_var(): check errno correctly, not ret twice.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/mokutil.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 27f1292..0be9e84 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -602,7 +602,7 @@ list_keys_in_var (const char *var_name, const efi_guid_t guid)
+ 
+ 	ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes);
+ 	if (ret < 0) {
+-		if (ret == ENOENT) {
+		if (errno == ENOENT) {
+ 			printf ("%s is empty\n", var_name);
+ 			return 0;
+ 		}
--- a/SOURCES/0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch
+++ b/SOURCES/0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch
@ -0,0 +1,98 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 15 May 2018 11:20:15 -0400
+Subject: [PATCH] generate_hash() / generate_pw_hash(): don't use strlen() for
+ strncpy bounds
+
+New gcc rightly comlplains when we do the following:
+
+strncpy (dest, src, strlen(src));
+
+For two reasons:
+a) it doesn't copy the NUL byte
+b) it's otherwise the same thing strcpy() would have done
+
+This patch replaces that with stpncpy (just because it's slightly easier
+to use) and the real bounds for the destination.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/mokutil.c | 33 ++++++++++++++++++++++-----------
+ 1 file changed, 22 insertions(+), 11 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 0be9e84..b508010 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -764,9 +764,10 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len)
+ {
+ 	pw_crypt_t new_crypt;
+ 	char settings[SETTINGS_LEN];
+	char *next;
+ 	char *crypt_string;
+ 	const char *prefix;
+-	int hash_len, prefix_len;
+	int hash_len, settings_len = sizeof (settings) - 2;
+ 
+ 	if (!password || !pw_crypt || password[pw_len] != '\0')
+ 		return -1;
+@@ -774,15 +775,19 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len)
+ 	prefix = get_crypt_prefix (pw_crypt->method);
+ 	if (!prefix)
+ 		return -1;
+-	prefix_len = strlen(prefix);
+ 
+ 	pw_crypt->salt_size = get_salt_size (pw_crypt->method);
+ 	generate_salt ((char *)pw_crypt->salt, pw_crypt->salt_size);
+ 
+-	strncpy (settings, prefix, prefix_len);
+-	strncpy (settings + prefix_len, (const char *)pw_crypt->salt,
+-		 pw_crypt->salt_size);
+-	settings[pw_crypt->salt_size + prefix_len] = '\0';
+	memset (settings, 0, sizeof (settings));
+	next = stpncpy (settings, prefix, settings_len);
+	if (pw_crypt->salt_size > settings_len - (next - settings)) {
+		errno = EOVERFLOW;
+		return -1;
+	}
+	next = stpncpy (next, (const char *)pw_crypt->salt,
+			pw_crypt->salt_size);
+	*next = '\0';
+ 
+ 	crypt_string = crypt (password, settings);
+ 	if (!crypt_string)
+@@ -1929,10 +1934,11 @@ static int
+ generate_pw_hash (const char *input_pw)
+ {
+ 	char settings[SETTINGS_LEN];
+        char *next;
+ 	char *password = NULL;
+ 	char *crypt_string;
+ 	const char *prefix;
+-	int prefix_len;
+	int settings_len = sizeof (settings) - 2;
+ 	unsigned int pw_len, salt_size;
+ 
+ 	if (input_pw) {
+@@ -1958,12 +1964,17 @@ generate_pw_hash (const char *input_pw)
+ 	prefix = get_crypt_prefix (DEFAULT_CRYPT_METHOD);
+ 	if (!prefix)
+ 		return -1;
+-	prefix_len = strlen(prefix);
+ 
+-	strncpy (settings, prefix, prefix_len);
+	memset (settings, 0, sizeof (settings));
+	next = stpncpy (settings, prefix, settings_len);
+ 	salt_size = get_salt_size (DEFAULT_CRYPT_METHOD);
+-	generate_salt ((settings + prefix_len), salt_size);
+-	settings[DEFAULT_SALT_SIZE + prefix_len] = '\0';
+	if (salt_size > settings_len - (next - settings)) {
+		errno = EOVERFLOW;
+		return -1;
+	}
+	generate_salt (next, salt_size);
+	next += salt_size;
+	*next = '\0';
+ 
+ 	crypt_string = crypt (password, settings);
+ 	free (password);
--- a/SOURCES/0011-Fix-a-integer-comparison-sign-issue.patch
+++ b/SOURCES/0011-Fix-a-integer-comparison-sign-issue.patch
@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Wed, 25 Jul 2018 10:27:34 -0400
+Subject: [PATCH] Fix a integer comparison sign issue.
+
+I introduced this, and it's stupid:
+
+mokutil.c: In function 'generate_pw_hash':
+mokutil.c:1971:16: error: comparison of integer expressions of different signedness: 'unsigned int' and 'int' [-Werror=sign-compare]
+  if (salt_size > settings_len - (next - settings)) {
+                ^
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/mokutil.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index b508010..ac15c73 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -1938,7 +1938,7 @@ generate_pw_hash (const char *input_pw)
+ 	char *password = NULL;
+ 	char *crypt_string;
+ 	const char *prefix;
+-	int settings_len = sizeof (settings) - 2;
+	unsigned int settings_len = sizeof (settings) - 2;
+ 	unsigned int pw_len, salt_size;
+ 
+ 	if (input_pw) {
--- a/SOURCES/0012-initial-mok-variables-code.patch
+++ b/SOURCES/0012-initial-mok-variables-code.patch
@ -0,0 +1,240 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 17 Aug 2020 14:18:31 -0400
+Subject: [PATCH] initial mok-variables code
+
+This patch adds support for getting mok variables from
+/sys/firmware/fi/mok-variables/$NAME , if they are present, as well as
+for checking MokListRT, MokListRT1, MokListRT2, etc., for any of the mok
+variables.
+
+Resolves: rhbz#1868820
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/mokutil.c | 175 ++++++++++++++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 151 insertions(+), 24 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index ac15c73..838599c 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -229,6 +229,63 @@ signature_size (const efi_guid_t *hash_type)
+ 	return 0;
+ }
+ 
+static int
+mok_get_variable(const char *name, uint8_t **datap, size_t *data_sizep)
+{
+	char filename[] = "/sys/firmware/efi/mok-variables/implausibly-long-mok-variable-name";
+	size_t filename_sz = sizeof(filename);
+	int fd, rc;
+	struct stat sb = { 0, };
+	uint8_t *buf;
+	size_t bufsz, pos = 0;
+	ssize_t ssz;
+
+	*datap = 0;
+	*data_sizep = 0;
+
+	snprintf(filename, filename_sz, "/sys/firmware/efi/mok-variables/%s", name);
+
+	fd = open(filename, O_RDONLY);
+	if (fd < 0)
+		return fd;
+
+	rc = fstat(fd, &sb);
+	if (rc < 0) {
+err_close:
+		close(fd);
+		return rc;
+	}
+
+	if (sb.st_size == 0) {
+		errno = ENOENT;
+		rc = -1;
+		goto err_close;
+	}
+
+	bufsz = sb.st_size;
+	buf = calloc(1, bufsz);
+	if (!buf)
+		goto err_close;
+
+	while (pos < bufsz) {
+		ssz = read(fd, &buf[pos], bufsz - pos);
+		if (ssz < 0) {
+			if (errno == EAGAIN ||
+			    errno == EWOULDBLOCK ||
+			    errno == EINTR)
+				continue;
+			free(buf);
+			goto err_close;
+		}
+
+		pos += ssz;
+	}
+	*datap = buf;
+	*data_sizep = pos;
+
+	return 0;
+}
+
+ static MokListNode*
+ build_mok_list (void *data, unsigned long data_size, uint32_t *mok_num)
+ {
+@@ -596,25 +653,44 @@ static int
+ list_keys_in_var (const char *var_name, const efi_guid_t guid)
+ {
+ 	uint8_t *data = NULL;
+-	size_t data_size;
+	char varname[] = "implausibly-long-mok-variable-name";
+	size_t data_sz, i, varname_sz = sizeof(varname);
+ 	uint32_t attributes;
+ 	int ret;
+ 
+-	ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes);
+-	if (ret < 0) {
+-		if (errno == ENOENT) {
+-			printf ("%s is empty\n", var_name);
+-			return 0;
+	ret = mok_get_variable(var_name, &data, &data_sz);
+	if (ret >= 0) {
+		ret = list_keys (data, data_sz);
+		free(data);
+		return ret;
+	}
+
+	for (i = 0; i < SIZE_MAX; i++) {
+		if (i == 0) {
+			snprintf(varname, varname_sz, "%s", var_name);
+		} else {
+			snprintf(varname, varname_sz, "%s%zu", var_name, i);
+ 		}
+ 
+-		fprintf (stderr, "Failed to read %s: %m\n", var_name);
+-		return -1;
+		ret = efi_get_variable (guid, varname, &data, &data_sz,
+					&attributes);
+		if (ret < 0)
+			return 0;
+
+		ret = list_keys (data, data_sz);
+		free(data);
+		/*
+		 * If ret is < 0, the next one will error as well.
+		 * If ret is 0, we need to test the next variable.
+		 * If it's 1, that's a real answer.
+		 */
+		if (ret < 0)
+			return 0;
+		if (ret > 0)
+			return ret;
+ 	}
+ 
+-	ret = list_keys (data, data_size);
+-	free (data);
+-
+-	return ret;
+	return 0;
+ }
+ 
+ static int
+@@ -1013,22 +1089,15 @@ is_valid_cert (void *cert, uint32_t cert_size)
+ }
+ 
+ static int
+-is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size,
+-	      const efi_guid_t *vendor, const char *db_name)
+is_one_duplicate (const efi_guid_t *type,
+		  const void *data, const uint32_t data_size,
+		  uint8_t *var_data, size_t var_data_size)
+ {
+-	uint8_t *var_data;
+-	size_t var_data_size;
+-	uint32_t attributes;
+ 	uint32_t node_num;
+ 	MokListNode *list;
+ 	int ret = 0;
+ 
+-	if (!data || data_size == 0 || !db_name)
+-		return 0;
+-
+-	ret = efi_get_variable (*vendor, db_name, &var_data, &var_data_size,
+-				&attributes);
+-	if (ret < 0)
+	if (!data || data_size == 0)
+ 		return 0;
+ 
+ 	list = build_mok_list (var_data, var_data_size, &node_num);
+@@ -1060,11 +1129,69 @@ is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size
+ done:
+ 	if (list)
+ 		free (list);
+-	free (var_data);
+ 
+ 	return ret;
+ }
+ 
+static int
+is_duplicate (const efi_guid_t *type,
+	      const void *data, const uint32_t data_size,
+	      const efi_guid_t *vendor, const char *db_name)
+{
+	uint32_t attributes;
+	char varname[] = "implausibly-long-mok-variable-name";
+	size_t varname_sz = sizeof(varname);
+	int ret = 0;
+	size_t i;
+
+	if (!strncmp(db_name, "Mok", 3)) {
+		uint8_t *var_data = NULL;
+		size_t var_data_size = 0;
+		ret = mok_get_variable(db_name, &var_data, &var_data_size);
+		if (ret >= 0) {
+			ret = is_one_duplicate(type, data, data_size,
+					       var_data, var_data_size);
+			if (ret >= 0) {
+				free (var_data);
+				return ret;
+			}
+			var_data = NULL;
+			var_data_size = 0;
+		}
+	}
+
+	for (i = 0; i < SIZE_MAX; i++) {
+		uint8_t *var_data = NULL;
+		size_t var_data_size = 0;
+		if (i == 0) {
+			snprintf(varname, varname_sz, "%s", db_name);
+		} else {
+			snprintf(varname, varname_sz, "%s%zu", db_name, i);
+		}
+
+		ret = efi_get_variable (*vendor, varname,
+					&var_data, &var_data_size,
+					&attributes);
+		if (ret < 0)
+			return 0;
+
+		ret = is_one_duplicate(type, data, data_size,
+				       var_data, var_data_size);
+		free (var_data);
+		/*
+		 * If ret is < 0, the next one will error as well.
+		 * If ret is 0, we need to test the next variable.
+		 * If it's 1, that's a real answer.
+		 */
+		if (ret < 0)
+			return 0;
+		if (ret > 0)
+			return ret;
+	}
+
+	return 0;
+}
+
+ static int
+ is_valid_request (const efi_guid_t *type, void *mok, uint32_t mok_size,
+ 		  MokRequest req)
--- a/SOURCES/0013-mokutil-enable-setting-fallback-verbosity-and-norebo.patch
+++ b/SOURCES/0013-mokutil-enable-setting-fallback-verbosity-and-norebo.patch
@ -0,0 +1,193 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
+Date: Fri, 3 Dec 2021 14:18:31 +0100
+Subject: [PATCH] mokutil: enable setting fallback verbosity and noreboot mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Having mokutil handle FALLBACK_VERBOSE and FB_NO_REBOOT variables eases
+fallback debugging.
+
+Signed-off-by: Renaud Métrich <rmetrich@redhat.com>
+(cherry picked from commit 57bc385827e7c0e0c86f30bbfa2d48ca9505537e)
+(cherry picked from commit 99d3990bdbbca0419dc97133f27d6932b3234224)
+[rharwood: no sb_check, no util renaming]
+(cherry picked from commit 157a0969bdb5e7df152b4241f90b48209c235f2f)
+[rharwood: flags are sparse now]
+---
+ src/mokutil.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ data/mokutil  |  8 +++++++
+ man/mokutil.1 | 10 +++++++++
+ 3 files changed, 88 insertions(+)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 838599c..1cec4e9 100644
+--- a/src/mokutil.c
+++ b/src/mokutil.c
+@@ -83,6 +83,8 @@
+ #define IMPORT_HASH        (1 << 21)
+ #define DELETE_HASH        (1 << 22)
+ #define VERBOSITY          (1 << 23)
+#define FB_VERBOSITY       (1 << 25)
+#define FB_NOREBOOT        (1 << 26)
+ 
+ #define DEFAULT_CRYPT_METHOD SHA512_BASED
+ #define DEFAULT_SALT_SIZE    SHA512_SALT_MAX
+@@ -152,6 +154,8 @@ print_help ()
+ 	printf ("  --import-hash <hash>\t\t\tImport a hash into MOK or MOKX\n");
+ 	printf ("  --delete-hash <hash>\t\t\tDelete a hash in MOK or MOKX\n");
+ 	printf ("  --set-verbosity <true/false>\t\tSet the verbosity bit for shim\n");
+	printf ("  --set-fallback-verbosity <true/false>\t\tSet the verbosity bit for fallback\n");
+	printf ("  --set-fallback-noreboot <true/false>\t\tPrevent fallback from automatically rebooting\n");
+ 	printf ("  --pk\t\t\t\t\tList the keys in PK\n");
+ 	printf ("  --kek\t\t\t\t\tList the keys in KEK\n");
+ 	printf ("  --db\t\t\t\t\tList the keys in db\n");
+@@ -2135,6 +2139,46 @@ set_verbosity (uint8_t verbosity)
+ 	return 0;
+ }
+ 
+static int
+set_fallback_verbosity (const uint8_t verbosity)
+{
+	if (verbosity) {
+		uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
+				      | EFI_VARIABLE_BOOTSERVICE_ACCESS
+				      | EFI_VARIABLE_RUNTIME_ACCESS;
+		if (efi_set_variable (efi_guid_shim, "FALLBACK_VERBOSE",
+				      (uint8_t *)&verbosity, sizeof (verbosity),
+				      attributes, S_IRUSR | S_IWUSR) < 0) {
+			fprintf (stderr, "Failed to set FALLBACK_VERBOSE\n");
+			return -1;
+		}
+	} else {
+		return test_and_delete_var ("FALLBACK_VERBOSE");
+	}
+
+	return 0;
+}
+
+static int
+set_fallback_noreboot (const uint8_t noreboot)
+{
+	if (noreboot) {
+		uint32_t attributes = EFI_VARIABLE_NON_VOLATILE
+				      | EFI_VARIABLE_BOOTSERVICE_ACCESS
+				      | EFI_VARIABLE_RUNTIME_ACCESS;
+		if (efi_set_variable (efi_guid_shim, "FB_NO_REBOOT",
+				      (uint8_t *)&noreboot, sizeof (noreboot),
+				      attributes, S_IRUSR | S_IWUSR) < 0) {
+			fprintf (stderr, "Failed to set FB_NO_REBOOT\n");
+			return -1;
+		}
+	} else {
+		return test_and_delete_var ("FB_NO_REBOOT");
+	}
+
+	return 0;
+}
+
+ static inline int
+ list_db (DBName db_name)
+ {
+@@ -2169,6 +2213,8 @@ main (int argc, char *argv[])
+ 	unsigned int command = 0;
+ 	int use_root_pw = 0;
+ 	uint8_t verbosity = 0;
+	uint8_t fb_verbosity = 0;
+	uint8_t fb_noreboot = 0;
+ 	DBName db_name = MOK_LIST_RT;
+ 	int ret = -1;
+ 
+@@ -2207,6 +2253,8 @@ main (int argc, char *argv[])
+ 			{"import-hash",        required_argument, 0, 0  },
+ 			{"delete-hash",        required_argument, 0, 0  },
+ 			{"set-verbosity",      required_argument, 0, 0  },
+			{"set-fallback-verbosity", required_argument, 0, 0  },
+			{"set-fallback-noreboot", required_argument, 0, 0  },
+ 			{"pk",                 no_argument,       0, 0  },
+ 			{"kek",                no_argument,       0, 0  },
+ 			{"db",                 no_argument,       0, 0  },
+@@ -2270,6 +2318,22 @@ main (int argc, char *argv[])
+ 					verbosity = 0;
+ 				else
+ 					command |= HELP;
+			} else if (strcmp (option, "set-fallback-verbosity") == 0) {
+				command |= FB_VERBOSITY;
+				if (strcmp (optarg, "true") == 0)
+					fb_verbosity = 1;
+				else if (strcmp (optarg, "false") == 0)
+					fb_verbosity = 0;
+				else
+					command |= HELP;
+			} else if (strcmp (option, "set-fallback-noreboot") == 0) {
+				command |= FB_NOREBOOT;
+				if (strcmp (optarg, "true") == 0)
+					fb_noreboot = 1;
+				else if (strcmp (optarg, "false") == 0)
+					fb_noreboot = 0;
+				else
+					command |= HELP;
+ 			} else if (strcmp (option, "pk") == 0) {
+ 				if (db_name != MOK_LIST_RT) {
+ 					command |= HELP;
+@@ -2557,6 +2621,12 @@ main (int argc, char *argv[])
+ 		case VERBOSITY:
+ 			ret = set_verbosity (verbosity);
+ 			break;
+		case FB_VERBOSITY:
+			ret = set_fallback_verbosity (fb_verbosity);
+			break;
+		case FB_NOREBOOT:
+			ret = set_fallback_noreboot (fb_noreboot);
+			break;
+ 		default:
+ 			print_help ();
+ 			break;
+diff --git a/data/mokutil b/data/mokutil
+index 800b039..af6b6ff 100755
+--- a/data/mokutil
+++ b/data/mokutil
+@@ -24,6 +24,14 @@ _mokutil()
+ 		COMPREPLY=( $( compgen -W "true false") )
+ 		return 0
+ 		;;
+	--set-fallback-verbosity)
+		COMPREPLY=( $( compgen -W "true false") )
+		return 0
+		;;
+	--set-fallback-noreboot)
+		COMPREPLY=( $( compgen -W "true false") )
+		return 0
+		;;
+ 	--generate-hash|-g)
+ 		COMPREPLY=( $( compgen -o nospace -P= -W "") )
+ 		return 0
+diff --git a/man/mokutil.1 b/man/mokutil.1
+index 25fe8b4..30dcfb2 100644
+--- a/man/mokutil.1
+++ b/man/mokutil.1
+@@ -65,6 +65,10 @@ mokutil \- utility to manipulate machine owner keys
+ .br
+ \fBmokutil\fR [--set-verbosity (\fItrue\fR | \fIfalse\fR)]
+ .br
+\fBmokutil\fR [--set-fallback-verbosity (\fItrue\fR | \fIfalse\fR)]
+.br
+\fBmokutil\fR [--set-fallback-noreboot (\fItrue\fR | \fIfalse\fR)]
+.br
+ \fBmokutil\fR [--pk]
+ .br
+ \fBmokutil\fR [--kek]
+@@ -161,6 +165,12 @@ this is not the password hash.
+ \fB--set-verbosity\fR
+ Set the SHIM_VERBOSE to make shim more or less verbose
+ .TP
+\fB--set-fallback-verbosity\fR
+Set the FALLBACK_VERBOSE to make fallback more or less verbose
+.TP
+\fB--set-fallback-noreboot\fR
+Set the FB_NO_REBOOT to prevent fallback from automatically rebooting the system
+.TP
+ \fB--pk\fR
+ List the keys in the public Platform Key (PK)
+ .TP
--- a/SOURCES/mokutil.patches
+++ b/SOURCES/mokutil.patches
@ -1,4 +1,13 @@
-Patch0001: 0001-Show-usage-instead-of-aborting-on-bad-flags.patch
-Patch0002: 0002-mokutil-bugfix-del-unused-opt-s.patch
-Patch0003: 0003-Fix-leak-of-list-in-delete_data_from_req_var.patch
-Patch0004: 0004-Fix-leak-of-fd-in-mok_get_variable.patch
+Patch0001: 0001-Fix-the-potential-buffer-overflow.patch
+Patch0002: 0002-Fix-the-32bit-signedness-comparison.patch
+Patch0003: 0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch
+Patch0004: 0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
+Patch0005: 0005-Make-all-efi_guid_t-const.patch
+Patch0006: 0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
+Patch0007: 0007-Add-bash-completion-file.patch
+Patch0008: 0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch
+Patch0009: 0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch
+Patch0010: 0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch
+Patch0011: 0011-Fix-a-integer-comparison-sign-issue.patch
+Patch0012: 0012-initial-mok-variables-code.patch
+Patch0013: 0013-mokutil-enable-setting-fallback-verbosity-and-norebo.patch
--- a/SPECS/mokutil.spec
+++ b/SPECS/mokutil.spec
@ -1,26 +1,17 @@
 Name:           mokutil
-Version:        0.6.0
-Release:        4%{?dist}
-Epoch:          2
+Version:        0.3.0
+Release:        12%{?dist}
+Epoch:          1
 Summary:        Tool to manage UEFI Secure Boot MoK Keys
 License:        GPLv3+
 URL:            https://github.com/lcp/mokutil
-Source0:        https://github.com/lcp/mokutil/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
-Source1:        mokutil.patches
-ExclusiveArch:  %{ix86} x86_64 aarch64 %{arm}
-
-BuildRequires:  autoconf
-BuildRequires:  automake
+ExclusiveArch:  %{ix86} x86_64 aarch64
+BuildRequires:  autoconf automake gnu-efi git openssl-devel openssl
 BuildRequires:  efivar-devel >= 31-1
-BuildRequires:  gcc
-BuildRequires:  git
-BuildRequires:  gnu-efi
-BuildRequires:  keyutils-libs-devel
-BuildRequires:  make
-BuildRequires:  openssl
-BuildRequires:  openssl-devel
+Source0:        https://github.com/lcp/mokutil/archive/%{version}.tar.gz
+Source1:        mokutil.patches
 Conflicts:      shim < 0.8-1%{?dist}
-Obsoletes:      mokutil < 0.2.0
+Obsoletes:      mokutil <= 1:0.3.0-1

 %include %{SOURCE1}

@ -29,17 +20,27 @@ mokutil provides a tool to manage keys for Secure Boot through the MoK
 ("Machine's Own Keys") mechanism.

 %prep
-%autosetup -S git_am -b 0 -T
+%setup -q -n %{name}-%{version}
+git init
+git config user.email "%{name}-owner@fedoraproject.org"
+git config user.name "Fedora Ninjas"
+git add .
+git commit -a -q -m "%{version} baseline."
+git am %{patches} </dev/null
+git config --unset user.email
+git config --unset user.name

 %build
 ./autogen.sh
 %configure
-%{make_build}
+make %{?_smp_mflags}

 %install
-%{make_install}
+rm -rf %{buildroot}
+make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install

 %files
+%{!?_licensedir:%global license %%doc}
 %license COPYING
 %doc README
 %{_bindir}/mokutil
@ -47,77 +48,23 @@ mokutil provides a tool to manage keys for Secure Boot through the MoK
 %{_datadir}/bash-completion/completions/mokutil

 %changelog
-* Thu Oct 27 2022 Robbie Harwood <rharwood@redhat.com> - 2:0.6.0-4
- Sync with Fedora at same NVR
- Resolves: #2084621
+* Mon Mar 28 2022 Robbie Harwood <rharwood@redhat.com> - 1:0.3.0-12
+- Add ability to set fallback verbose mode
+- Resolves: #2030704

-* Wed Jun 01 2022 Peter Jones <pjones@redhat.com> - 2:0.5.0-3
- Add support for "mokutil --list-sbat-revocations" and
-  "mokutil --set-sbat-policy"
-  Related: CVE-2022-28737
+* Tue Jan 05 2021 Javier Martinez Canillas <javierm@redhat.com> - 0.3.0-11
+- Bump NVR for brew to build the package
+  Related: rhbz##1907418

-* Thu May 05 2022 Robbie Harwood <rharwood@redhat.com> - 2:0.5.0-2
- Add git to buildrequires
- Resolves: #2081474
+* Wed Dec 30 2020 Javier Martinez Canillas <javierm@redhat.com> - 0.3.0-10
+- Add mokutil code to consume data from /sys/firmware/efi/mok-variables/
+  as well as attempting to consume numbered mok variables from efivarfs
+  when mok-variables aren't present (pjones)
+  Resolves: rhbz#1907418

-* Thu May 05 2022 Robbie Harwood <rharwood@redhat.com> - 2:0.5.0-1
- New upstream version (0.5.0)
- Resolves: #2081474
-
-* Mon Mar 28 2022 Robbie Harwood <rharwood@redhat.com> - 2:0.4.0-9
- Add ability to change fallback verbose mode
- Resolves: #2069296
-
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2:0.4.0-8
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  Related: rhbz#1991688
-
-* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2:0.4.0-7
- Rebuilt for RHEL 9 BETA for openssl 3.0
-  Related: rhbz#1971065
-
-* Tue May 25 2021 Javier Martinez Canillas <javierm@redhat.com> - 0.4.0-6
- Port to OpenSSL 3.0
-  Resolves: rhbz#1958040
-
-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2:0.4.0-5
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
-
-* Wed Mar 17 2021 Javier Martinez Canillas <javierm@redhat.com> - 0.4.0-4
- Add SBAT and mok-variables support
-
-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2:0.4.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:0.4.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Thu Jun 11 2020 Javier Martinez Canillas <javierm@redhat.com> - 0.4.0-1
- Update to 0.4.0 release
-
-* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:0.3.0-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Tue Nov 12 2019 Peter Jones <pjones@redhat.com> - 0.3.0-14
- Pull one more upstream patch to keep this in sync with the f31 build.
-
-* Thu Oct 24 2019 Leigh Scott <leigh123linux@googlemail.com> - 1:0.3.0-14
- Apply upstream commits to fix FTBFS
-
-* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.3.0-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.3.0-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 1:0.3.0-11
- Rebuilt for libcrypt.so.2 (#1666033)
-
-* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.3.0-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
-* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:0.3.0-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+* Tue Jul 24 2018 Peter Jones <pjones@redhat.com> - 0.3.0-9
+- Minor obsoletes fix
+- Import some fixes from upstream

 * Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 1:0.3.0-8
 - Rebuilt for switch to libxcrypt