8 changed files with 54 additions and 30 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/shim-15.8.tar.bz2
+SOURCES/shim-15.tar.bz2
--- a/.shim-unsigned-aarch64.metadata
+++ b/.shim-unsigned-aarch64.metadata
@ -1 +1 @@
-cdec924ca437a4509dcb178396996ddf92c11183 SOURCES/shim-15.8.tar.bz2
+c0e7c121f0c1aaa0332766def5a328d45064d78a SOURCES/shim-15.7.tar.bz2
--- a/SOURCES/0012-pe-align-section-size.patch
+++ b/SOURCES/0012-pe-align-section-size.patch
@ -0,0 +1,33 @@
+From c7b305152802c8db688605654f75e1195def9fd6 Mon Sep 17 00:00:00 2001
+From: Nicholas Bishop <nicholasbishop@google.com>
+Date: Mon, 19 Dec 2022 18:56:13 -0500
+Subject: [PATCH] pe: Align section size up to page size for mem attrs
+
+Setting memory attributes is generally done at page granularity, and
+this is enforced by checks in `get_mem_attrs` and
+`update_mem_attrs`. But unlike the section address, the section size
+isn't necessarily aligned to 4KiB. Round up the section size to fix
+this.
+
+Signed-off-by: Nicholas Bishop <nicholasbishop@google.com>
+---
+ pe.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/pe.c b/pe.c
+index 9a3679e16..5ad0914ba 100644
+--- a/pe.c
+++ b/pe.c
+@@ -1372,7 +1372,11 @@ handle_image (void *data, unsigned int datasize,
+ 				     + Section->Misc.VirtualSize - 1);
+ 
+ 		addr = (uintptr_t)base;
+-		length = (uintptr_t)end - (uintptr_t)base + 1;
+		// Align the length up to PAGE_SIZE. This is required because
+		// platforms generally set memory attributes at page
+		// granularity, but the section length (unlike the section
+		// address) is not required to be aligned.
+		length = ALIGN_VALUE((uintptr_t)end - (uintptr_t)base + 1, PAGE_SIZE);
+ 
+ 		if (Section->Characteristics & EFI_IMAGE_SCN_MEM_WRITE) {
+ 			set_attrs |= MEM_ATTR_W;
--- a/SOURCES/clsecureboot001.cer
+++ b/SOURCES/clsecureboot001.cer
--- a/SOURCES/sbat.redhat.csv
+++ b/SOURCES/sbat.redhat.csv
@ -1 +0,0 @@
-shim.redhat,3,Red Hat Inc,shim,15.8,secalert@redhat.com
--- a/SOURCES/securebootca.cer
+++ b/SOURCES/securebootca.cer
--- a/SOURCES/shim.patches
+++ b/SOURCES/shim.patches
--- a/SPECS/shim-unsigned-aarch64.spec
+++ b/SPECS/shim-unsigned-aarch64.spec
@ -8,36 +8,35 @@
 %global __debug_install_post %{SOURCE100} aa64
 %undefine _debuginfo_subpackages

-%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
+%global efidir almalinux
 %global shimrootdir %{_datadir}/shim/
 %global shimversiondir %{shimrootdir}/%{version}-%{release}
 %global efiarch aa64
 %global shimdir %{shimversiondir}/%{efiarch}

 Name:		shim-unsigned-aarch64
-Version:	15.8
-Release:	2.el8
+Version:	15.7
+Release:	2%{?dist}.alma
 Summary:	First-stage UEFI bootloader
 ExclusiveArch:	aarch64
 License:	BSD
 URL:		https://github.com/rhboot/shim
 Source0:	https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
-Source1:	securebootca.cer
+Source1:	clsecureboot001.cer
 # currently here's what's in our dbx:
 # nothing.
 Source2:	dbx.esl
-Source3:	sbat.redhat.csv
-Source4:	shim.patches

 Source100:	shim-find-debuginfo.sh

-%include %{SOURCE4}
+Patch0012:	0012-pe-align-section-size.patch

 BuildRequires:	gcc make
 BuildRequires:	elfutils-libelf-devel
 BuildRequires:	git openssl-devel openssl
 BuildRequires:	pesign >= %{pesign_vre}
-BuildRequires:	dos2unix findutils
+BuildRequires:	gnu-efi >= %{gnuefi_vre}
+BuildRequires:	gnu-efi-devel >= %{gnuefi_vre}

 # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
 # compatible with SysV (there's no red zone under UEFI) and there isn't a
@ -82,11 +81,10 @@ git config --unset user.name
 mkdir build-%{efiarch}

 %build
-COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6
-MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMIT_ID} "
+COMMITID=$(cat commit)
+MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
-MAKEFLAGS+="ENABLE_SHIM_HASH=true "
-MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
+MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
 MAKEFLAGS+="%{_smp_mflags}"
 if [ -f "%{SOURCE1}" ]; then
 	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
@ -100,11 +98,10 @@ make ${MAKEFLAGS} DEFAULT_LOADER='\\\\grub%{efiarch}.efi' all
 cd ..

 %install
-COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6
-MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMIT_ID} "
+COMMITID=$(cat commit)
+MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
-MAKEFLAGS+="ENABLE_SHIM_HASH=true "
-MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
+MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
 if [ -f "%{SOURCE1}" ]; then
 	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
 fi
@ -133,13 +130,8 @@ cd ..
 %files debugsource -f build-%{efiarch}/debugsource.list

 %changelog
-* Wed Feb 07 2024 Peter Jones <pjones@redhat.com> - 15.8-2.el8
- Rebuild to fix the commit ident and MAKEFLAGS
-  Resolves: RHEL-11259
-
-* Tue Dec 05 2023 Peter Jones <pjones@redhat.com> - 15.8-1.el8
- Update to shim-15.8 for CVE-2023-40547
-  Resolves: RHEL-11259
+* Thu May 19 2022 Eduard Abdullin <eabdullin@almalinux.org> - 15-6.alma
+- Use AlmaLinux cert

 * Tue May 26 2020 Javier Martinez Canillas <javierm@redhat.com> - 15-6
 - Fix a shim crash when attempting to netboot
				`@ -1 +0,0 @@`
				`shim.redhat,3,Red Hat Inc,shim,15.8,secalert@redhat.com`