import shim-unsigned-x64-15.8-2.el8

.gitignore

@@ -1 +1,2 @@
+SOURCES/redhatsecurebootca5.cer
 SOURCES/shim-15.8.tar.bz2

.shim-unsigned-x64.metadata

@@ -1 +1,2 @@
+e6f506462069aa17d2e8610503635c20f3a995c3 SOURCES/redhatsecurebootca5.cer
 cdec924ca437a4509dcb178396996ddf92c11183 SOURCES/shim-15.8.tar.bz2

SOURCES/sbat.almalinux.csv

@@ -1 +0,0 @@
-shim.almalinux,3,AlmaLinux,shim,15.8,security@almalinux.org

SOURCES/sbat.redhat.csv

@@ -0,0 +1 @@
+shim.redhat,3,Red Hat Inc,shim,15.8,secalert@redhat.com

SPECS/shim-unsigned-x64.spec

@@ -1,7 +1,14 @@
 %global pesign_vre 0.106-1
+%global gnuefi_vre 1:3.0.5-6
 %global openssl_vre 1.0.2j
 
-%global efidir almalinux
+%global debug_package %{nil}
+%global __debug_package 1
+%global _binaries_in_noarch_packages_terminate_build 0
+%global __debug_install_post %{SOURCE100} x64 ia32
+%undefine _debuginfo_subpackages
+
+%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
 %global shimrootdir %{_datadir}/shim/
 %global shimversiondir %{shimrootdir}/%{version}-%{release}
 %global efiarch x64
@@ -9,32 +16,23 @@
 %global efialtarch ia32
 %global shimaltdir %{shimversiondir}/%{efialtarch}
 
-%global debug_package %{nil}
-%global __debug_package 1
-%global _binaries_in_noarch_packages_terminate_build 0
-%global __debug_install_post %{SOURCE100} %{efiarch} %{efialtarch}
-%undefine _debuginfo_subpackages
-
 Name:		shim-unsigned-%{efiarch}
 Version:	15.8
-Release:	2.el9.alma.1
+Release:	2.el8
 Summary:	First-stage UEFI bootloader
 ExclusiveArch:	x86_64
 License:	BSD
 URL:		https://github.com/rhboot/shim
 Source0:	https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
+Source1:	redhatsecurebootca5.cer
 # currently here's what's in our dbx:
 # nothing.
 Source2:	dbx.esl
-Source3:	sbat.almalinux.csv
+Source3:	sbat.redhat.csv
 Source4:	shim.patches
 
 Source100:	shim-find-debuginfo.sh
 
-Source101:  almalinux-sb-cert-1.der
-Source102:  almalinux-sb-cert-2.der
-Source103:  almalinux-sb-cert-3.der
-
 %include %{SOURCE4}
 
 BuildRequires:	gcc make
@@ -42,7 +40,6 @@ BuildRequires:	elfutils-libelf-devel
 BuildRequires:	git openssl-devel openssl
 BuildRequires:	pesign >= %{pesign_vre}
 BuildRequires:	dos2unix findutils
-BuildRequires:  efitools
 
 # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
 # compatible with SysV (there's no red zone under UEFI) and there isn't a
@@ -70,6 +67,7 @@ Provides:	bundled(openssl) = %{openssl_vre}
 
 %package debuginfo
 Summary:	Debug information for shim-unsigned-%{efiarch}
+Requires:	%{name}-debugsource = %{version}-%{release}
 Group:		Development/Debug
 AutoReqProv:	0
 BuildArch:	noarch
@@ -80,6 +78,7 @@ BuildArch:	noarch
 %package -n shim-unsigned-%{efialtarch}-debuginfo
 Summary:	Debug information for shim-unsigned-%{efialtarch}
 Group:		Development/Debug
+Requires:	%{name}-debugsource = %{version}-%{release}
 AutoReqProv:	0
 BuildArch:	noarch
 
@@ -104,26 +103,17 @@ mkdir build-%{efialtarch}
 cp %{SOURCE3} data/
 
 %build
-# Prepare vendor_db.esl file
-openssl x509 -inform DER -in %{SOURCE101} -out 01.pem
-openssl x509 -inform DER -in %{SOURCE102} -out 02.pem
-openssl x509 -inform DER -in %{SOURCE103} -out 03.pem
-cert-to-efi-sig-list -g 9DD8A2AC-0977-4AEF-99A0-E794FD2A31FE 01.pem 01.esl
-cert-to-efi-sig-list -g 33D81FE3-5EC0-44F8-AB02-C9DA554F63D8 02.pem 02.esl
-cert-to-efi-sig-list -g 50413300-1AC7-49DA-B755-BB0D93E634B6 03.pem 03.esl
-cat 01.esl 02.esl 03.esl > vendor_db.esl
-
 COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6
 MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
 MAKEFLAGS+="ENABLE_SHIM_HASH=true "
 MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
 MAKEFLAGS+="%{_smp_mflags}"
-if [ -s vendor_db.esl ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=../vendor_db.esl"
+if [ -s "%{SOURCE1}" ]; then
+	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
 fi
 if [ -s "%{SOURCE2}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
+	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} "
 fi
 
 cd build-%{efiarch}
@@ -132,17 +122,23 @@ make ${MAKEFLAGS} \
 	all
 cd ..
 
+cd build-%{efialtarch}
+setarch linux32 -B make ${MAKEFLAGS} ARCH=%{efialtarch} \
+	DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
+	all
+cd ..
+
 %install
 COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6
 MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
-MAKEFLAGS+="ENABLE_SHIM_HASH=true "
+MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
 MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
-if [ -s vendor_db.esl ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=../vendor_db.esl"
+if [ -s "%{SOURCE1}" ]; then
+	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
 fi
 if [ -s "%{SOURCE2}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
+	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} "
 fi
 
 cd build-%{efiarch}
@@ -152,6 +148,13 @@ make ${MAKEFLAGS} \
 	install-as-data install-debuginfo install-debugsource
 cd ..
 
+cd build-%{efialtarch}
+setarch linux32 make ${MAKEFLAGS} ARCH=%{efialtarch} \
+	DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
+	DESTDIR=${RPM_BUILD_ROOT} \
+	install-as-data install-debuginfo install-debugsource
+cd ..
+
 %files
 %license COPYRIGHT
 %dir %{shimrootdir}
@@ -161,89 +164,73 @@ cd ..
 %{shimdir}/*.efi
 %{shimdir}/*.hash
 
+%files -n shim-unsigned-%{efialtarch}
+%license COPYRIGHT
+%dir %{shimrootdir}
+%dir %{shimversiondir}
+%dir %{shimaltdir}
+%{shimaltdir}/*.CSV
+%{shimaltdir}/*.efi
+%{shimaltdir}/*.hash
+
 %files debuginfo -f build-%{efiarch}/debugfiles.list
 
+%files -n shim-unsigned-%{efialtarch}-debuginfo -f build-%{efialtarch}/debugfiles.list
+
 %files debugsource -f build-%{efiarch}/debugsource.list
 
 %changelog
-* Tue Mar 26 2024 Eduard Abdullin <eabdullin@almalinux.org> - 15.8-2.el9.alma.1
-- Update to shim-15.8
-
-* Wed Feb 07 2024 Peter Jones <pjones@redhat.com> - 15.8-2.el9
+* Wed Feb 07 2024 Peter Jones <pjones@redhat.com> - 15.8-2.el8
 - Rebuild to fix the commit ident and MAKEFLAGS
-  Resolves: RHEL-11262
+  Resolves: RHEL-11259
 
-* Tue Jan 23 2024 Peter Jones <pjones@redhat.com> - 15.8-1.el9
+* Tue Dec 05 2023 Peter Jones <pjones@redhat.com> - 15.8-1.el8
 - Update to shim-15.8 for CVE-2023-40547
-  Resolves: RHEL-11262
+  Resolves: RHEL-11259
 
-* Wed Jun 01 2022 Peter Jones <pjones@redhat.com> - 15.6-1.el9
-- Update to shim-15.6 for CVE-2022-28737
+* Wed Jun 01 2022 Peter Jones <pjones@redhat.com> - 15.6-1.el8
+- Update to shim-15.6
+  Resolves: CVE-2022-28737
 
-* Tue May 24 2022 Peter Jones <pjones@redhat.com> - 15.6~rc1-1.el9
-- Update to shim-15.6~rc1 for CVE-2022-28737
+* Thu Sep 17 2020 Peter Jones <pjones@redhat.com> - 15-9.el8
+- Fix an incorrect allocation size.
+  Related: rhbz#1877253
 
-* Wed Mar 09 2022 Peter Jones <pjones@redhat.com> - 15.5-1
-- Update to shim-15.5
-  Related: rhbz#1932057
+* Thu Jul 30 2020 Peter Jones <pjones@redhat.com> - 15-8
+- Fix a load-address-dependent forever loop.
+  Resolves: rhbz#1861977
+  Related: CVE-2020-10713
+  Related: CVE-2020-14308
+  Related: CVE-2020-14309
+  Related: CVE-2020-14310
+  Related: CVE-2020-14311
+  Related: CVE-2020-15705
+  Related: CVE-2020-15706
+  Related: CVE-2020-15707
 
-* Thu Apr 01 2021 Peter Jones <pjones@redhat.com> - 15.4-4
-- Fix the sbat data to actually match /this/ product.
-  Resolves: CVE-2020-14372
-  Resolves: CVE-2020-25632
-  Resolves: CVE-2020-25647
-  Resolves: CVE-2020-27749
-  Resolves: CVE-2020-27779
-  Resolves: CVE-2021-20225
-  Resolves: CVE-2021-20233
+* Sat Jul 25 2020 Peter Jones <pjones@redhat.com> - 15-7
+- Implement Lenny's workaround
+  Related: CVE-2020-10713
+  Related: CVE-2020-14308
+  Related: CVE-2020-14309
+  Related: CVE-2020-14310
+  Related: CVE-2020-14311
 
-* Wed Mar 31 2021 Peter Jones <pjones@redhat.com> - 15.4-3
-- Build with the correct certificate trust list for this OS.
-  Resolves: CVE-2020-14372
-  Resolves: CVE-2020-25632
-  Resolves: CVE-2020-25647
-  Resolves: CVE-2020-27749
-  Resolves: CVE-2020-27779
-  Resolves: CVE-2021-20225
-  Resolves: CVE-2021-20233
+* Fri Jul 24 2020 Peter Jones <pjones@redhat.com> - 15-5
+- Once more with the MokListRT config table patch added.
+  Related: CVE-2020-10713
+  Related: CVE-2020-14308
+  Related: CVE-2020-14309
+  Related: CVE-2020-14310
+  Related: CVE-2020-14311
 
-* Wed Mar 31 2021 Peter Jones <pjones@redhat.com> - 15.4-2
-- Fix the ia32 build.
-  Resolves: CVE-2020-14372
-  Resolves: CVE-2020-25632
-  Resolves: CVE-2020-25647
-  Resolves: CVE-2020-27749
-  Resolves: CVE-2020-27779
-  Resolves: CVE-2021-20225
-  Resolves: CVE-2021-20233
-
-* Tue Mar 30 2021 Peter Jones <pjones@redhat.com> - 15.4-1
-- Update to shim 15.4
-  - Support for revocations via the ".sbat" section and SBAT EFI variable
-  - A new unit test framework and a bunch of unit tests
-  - No external gnu-efi dependency
-  - Better CI
-  Resolves: CVE-2020-14372
-  Resolves: CVE-2020-25632
-  Resolves: CVE-2020-25647
-  Resolves: CVE-2020-27749
-  Resolves: CVE-2020-27779
-  Resolves: CVE-2021-20225
-  Resolves: CVE-2021-20233
-
-* Wed Mar 24 2021 Peter Jones <pjones@redhat.com> - 15.3-0~1
-- Update to shim 15.3
-  - Support for revocations via the ".sbat" section and SBAT EFI variable
-  - A new unit test framework and a bunch of unit tests
-  - No external gnu-efi dependency
-  - Better CI
-  Resolves: CVE-2020-14372
-  Resolves: CVE-2020-25632
-  Resolves: CVE-2020-25647
-  Resolves: CVE-2020-27749
-  Resolves: CVE-2020-27779
-  Resolves: CVE-2021-20225
-  Resolves: CVE-2021-20233
+* Thu Jul 23 2020 Peter Jones <pjones@redhat.com> - 15-4
+- Rebuild for bug fixes and new signing keys
+  Related: CVE-2020-10713
+  Related: CVE-2020-14308
+  Related: CVE-2020-14309
+  Related: CVE-2020-14310
+  Related: CVE-2020-14311
 
 * Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-3
 - Make EFI variable copying fatal only on secureboot enabled systems
@@ -255,24 +242,17 @@ cd ..
 - Fix MoK mirroring issue which breaks kdump without intervention
   Related: rhbz#1668966
 
-* Thu Apr 05 2018 Peter Jones <pjones@redhat.com> - 15-1
+* Fri Jul 20 2018 Peter Jones <pjones@redhat.com> - 15-1
 - Update to shim 15
-- better checking for bad linker output
-- flicker-free console if there's no error output
-- improved http boot support
-- better protocol re-installation
-- dhcp proxy support
-- tpm measurement even when verification is disabled
-- REQUIRE_TPM build flag
-- more reproducable builds
-- measurement of everything verified through shim_verify()
-- coverity and scan-build checker make targets
-- misc cleanups
 
-* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 13-0.2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+* Tue Sep 19 2017 Peter Jones <pjones@redhat.com> - 13-3
+- Actually update to the *real* 13 final.
+  Related: rhbz#1489604
 
-* Fri Aug 18 2017 Peter Jones <pjones@redhat.com> - 13-0.1
+* Thu Aug 31 2017 Peter Jones <pjones@redhat.com> - 13-2
+- Actually update to 13 final.
+
+* Fri Aug 18 2017 Peter Jones <pjones@redhat.com> - 13-1
 - Make a new shim-unsigned-x64 package like the shim-unsigned-aarch64 one.
 - This will (eventually) supersede what's in the "shim" package so we can
   make "shim" hold the signed one, which will confuse fewer people.