.gitignore

@@ -1,2 +1,8 @@
-SOURCES/redhatsecurebootca5.cer
-SOURCES/shim-15.8.tar.bz2
+*~
+*.tar.*
+*.rpm
+.build*.log
+.*.sw?
+clog
+rhtest.cer
+shim-*/

.shim-unsigned-x64.metadata

@@ -1,2 +1 @@
-e6f506462069aa17d2e8610503635c20f3a995c3 SOURCES/redhatsecurebootca5.cer
-cdec924ca437a4509dcb178396996ddf92c11183 SOURCES/shim-15.8.tar.bz2
+cdec924ca437a4509dcb178396996ddf92c11183 shim-15.8.tar.bz2

README.md

@@ -0,0 +1,3 @@
+# shim-unsigned-x64
+
+The shim-unsigned-x64 package

SOURCES/sbat.redhat.csv

@@ -1 +0,0 @@
-shim.redhat,3,Red Hat Inc,shim,15.8,secalert@redhat.com

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: manual.sst_desktop.shim.functional}

rpminspect.yaml

@@ -0,0 +1,15 @@
+---
+inspections:
+  # These just flag when things change "too much"
+  changedfiles: off
+  filesize: off
+  patches: off
+  upstream: off
+
+  # shim is... well, shim
+  disttag: off
+
+
+elf:
+  # This is PE-land
+  exclude_path: ".*.efi.debug"

sbat.centos.csv

@@ -0,0 +1 @@
+shim.centos,3,The CentOS Project,shim,15.8,security@centos.org

shim-find-debuginfo.sh

@@ -20,9 +20,9 @@ fi
 findsource()
 {
     (
-        cd ${RPM_BUILD_ROOT}
-        find usr/src/debug/ -type d | sed "s,^,%dir /,"
-        find usr/src/debug/ -type f | sed "s,^,/,"
+        cd "${RPM_BUILD_ROOT}"
+        find usr/src/debug/ -type d | sed -e "s,^,%dir /," | sort -u | tac
+        find usr/src/debug/ -type f | sed -e "s,^,/," | sort -u | tac
     )
 }
 
@@ -32,9 +32,12 @@ finddebug()
     declare -a dirs=()
     declare -a files=()
     declare -a excludes=()
+    declare -a tmp=()
 
-    pushd ${RPM_BUILD_ROOT} >/dev/null 2>&1
-    for x in $(find usr/lib/debug/ -type f -iname *.efi.debug); do
+    pushd "${RPM_BUILD_ROOT}" >/dev/null 2>&1
+
+    mapfile -t tmp < <(find usr/lib/debug/ -type f -iname "*.efi.debug")
+    for x in "${tmp[@]}" ; do
         if ! [ -e "${x}" ]; then
             break
         fi
@@ -57,8 +60,10 @@ finddebug()
             excludes[${#excludes[@]}]=${x%%.debug}
         fi
     done
-    for x in ${files[@]} ; do
-        declare name=$(dirname /${x})
+    for x in "${files[@]}" ; do
+        declare name
+
+        name=$(dirname "/${x}")
         while [ "${name}" != "/" ]; do
             case "${name}" in
             "/usr/lib/debug"|"/usr/lib"|"/usr")
@@ -67,24 +72,24 @@ finddebug()
                 dirs[${#dirs[@]}]=${name}
                 ;;
             esac
-            name=$(dirname ${name})
+            name=$(dirname "${name}")
         done
     done
 
     popd >/dev/null 2>&1
-    for x in ${dirs[@]} ; do
+    for x in "${dirs[@]}" ; do
         echo "%dir ${x}"
     done | sort | uniq
-    for x in ${files[@]} ; do
+    for x in "${files[@]}" ; do
         echo "/${x}"
     done | sort | uniq
-    for x in ${excludes[@]} ; do
+    for x in "${excludes[@]}" ; do
         echo "%exclude /${x}"
     done
 }
 
-findsource > build-${mainarch}/debugsource.list
-finddebug ${mainarch} > build-${mainarch}/debugfiles.list
+findsource > "build-${mainarch}/debugsource.list"
+finddebug "${mainarch}" > "build-${mainarch}/debugfiles.list"
 if [ -v altarch ]; then
-    finddebug ${altarch} > build-${altarch}/debugfiles.list
+    finddebug "${altarch}" > "build-${altarch}/debugfiles.list"
 fi

shim-unsigned-x64.spec

@@ -1,13 +1,6 @@
 %global pesign_vre 0.106-1
-%global gnuefi_vre 1:3.0.5-6
 %global openssl_vre 1.0.2j
 
-%global debug_package %{nil}
-%global __debug_package 1
-%global _binaries_in_noarch_packages_terminate_build 0
-%global __debug_install_post %{SOURCE100} x64 ia32
-%undefine _debuginfo_subpackages
-
 %global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
 %global shimrootdir %{_datadir}/shim/
 %global shimversiondir %{shimrootdir}/%{version}-%{release}
@@ -16,19 +9,27 @@
 %global efialtarch ia32
 %global shimaltdir %{shimversiondir}/%{efialtarch}
 
+%global debug_package %{nil}
+%global __debug_package 1
+%global _binaries_in_noarch_packages_terminate_build 0
+%global __debug_install_post %{SOURCE100} %{efiarch} %{efialtarch}
+%undefine _debuginfo_subpackages
+
+# currently here's what's in our dbx: nothing
+%global dbxfile %{nil}
+
 Name:		shim-unsigned-%{efiarch}
 Version:	15.8
-Release:	2.el8
+Release:	1.el9.centos
 Summary:	First-stage UEFI bootloader
 ExclusiveArch:	x86_64
 License:	BSD
 URL:		https://github.com/rhboot/shim
 Source0:	https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
-Source1:	redhatsecurebootca5.cer
-# currently here's what's in our dbx:
-# nothing.
-Source2:	dbx.esl
-Source3:	sbat.redhat.csv
+%if 0%{?dbxfile}
+Source2:	%{dbxfile}
+%endif
+Source3:	sbat.centos.csv
 Source4:	shim.patches
 
 Source100:	shim-find-debuginfo.sh
@@ -40,6 +41,7 @@ BuildRequires:	elfutils-libelf-devel
 BuildRequires:	git openssl-devel openssl
 BuildRequires:	pesign >= %{pesign_vre}
 BuildRequires:	dos2unix findutils
+BuildRequires:  system-sb-certs
 
 # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
 # compatible with SysV (there's no red zone under UEFI) and there isn't a
@@ -67,7 +69,6 @@ Provides:	bundled(openssl) = %{openssl_vre}
 
 %package debuginfo
 Summary:	Debug information for shim-unsigned-%{efiarch}
-Requires:	%{name}-debugsource = %{version}-%{release}
 Group:		Development/Debug
 AutoReqProv:	0
 BuildArch:	noarch
@@ -78,7 +79,6 @@ BuildArch:	noarch
 %package -n shim-unsigned-%{efialtarch}-debuginfo
 Summary:	Debug information for shim-unsigned-%{efialtarch}
 Group:		Development/Debug
-Requires:	%{name}-debugsource = %{version}-%{release}
 AutoReqProv:	0
 BuildArch:	noarch
 
@@ -103,18 +103,20 @@ mkdir build-%{efialtarch}
 cp %{SOURCE3} data/
 
 %build
-COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6
-MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
+COMMITID=$(cat commit)
+MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
 MAKEFLAGS+="ENABLE_SHIM_HASH=true "
 MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
 MAKEFLAGS+="%{_smp_mflags}"
-if [ -s "%{SOURCE1}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
+if [ -f "/etc/pki/sb-certs/secureboot-ca-x86_64.cer" ]; then
+	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=/etc/pki/sb-certs/secureboot-ca-x86_64.cer"
 fi
-if [ -s "%{SOURCE2}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} "
+%if 0%{?dbxfile}
+if [ -f "%{SOURCE2}" ]; then
+	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
 fi
+%endif
 
 cd build-%{efiarch}
 make ${MAKEFLAGS} \
@@ -122,24 +124,20 @@ make ${MAKEFLAGS} \
 	all
 cd ..
 
-cd build-%{efialtarch}
-setarch linux32 -B make ${MAKEFLAGS} ARCH=%{efialtarch} \
-	DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
-	all
-cd ..
-
 %install
-COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6
-MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
+COMMITID=$(cat commit)
+MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
-MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
+MAKEFLAGS+="ENABLE_SHIM_HASH=true "
 MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
-if [ -s "%{SOURCE1}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
+if [ -f "/etc/pki/sb-certs/secureboot-ca-x86_64.cer" ]; then
+	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=/etc/pki/sb-certs/secureboot-ca-x86_64.cer"
 fi
-if [ -s "%{SOURCE2}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} "
+%if 0%{?dbxfile}
+if [ -f "%{SOURCE2}" ]; then
+	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
 fi
+%endif
 
 cd build-%{efiarch}
 make ${MAKEFLAGS} \
@@ -148,89 +146,89 @@ make ${MAKEFLAGS} \
 	install-as-data install-debuginfo install-debugsource
 cd ..
 
-cd build-%{efialtarch}
-setarch linux32 make ${MAKEFLAGS} ARCH=%{efialtarch} \
-	DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
-	DESTDIR=${RPM_BUILD_ROOT} \
-	install-as-data install-debuginfo install-debugsource
-cd ..
-
 %files
 %license COPYRIGHT
 %dir %{shimrootdir}
 %dir %{shimversiondir}
 %dir %{shimdir}
-%{shimdir}/*.CSV
 %{shimdir}/*.efi
 %{shimdir}/*.hash
-
-%files -n shim-unsigned-%{efialtarch}
-%license COPYRIGHT
-%dir %{shimrootdir}
-%dir %{shimversiondir}
-%dir %{shimaltdir}
-%{shimaltdir}/*.CSV
-%{shimaltdir}/*.efi
-%{shimaltdir}/*.hash
+%{shimdir}/*.CSV
 
 %files debuginfo -f build-%{efiarch}/debugfiles.list
 
-%files -n shim-unsigned-%{efialtarch}-debuginfo -f build-%{efialtarch}/debugfiles.list
-
 %files debugsource -f build-%{efiarch}/debugsource.list
 
 %changelog
-* Wed Feb 07 2024 Peter Jones <pjones@redhat.com> - 15.8-2.el8
-- Rebuild to fix the commit ident and MAKEFLAGS
-  Resolves: RHEL-11259
+* Thu Feb 08 2024 Brian Stinson <bstinson@redhat.com> - 15.8-1.el9.centos
+- Update to shim-15.8
+  Resolves: RHEL-4391
 
-* Tue Dec 05 2023 Peter Jones <pjones@redhat.com> - 15.8-1.el8
-- Update to shim-15.8 for CVE-2023-40547
-  Resolves: RHEL-11259
-
-* Wed Jun 01 2022 Peter Jones <pjones@redhat.com> - 15.6-1.el8
+* Wed Jun 01 2022 Peter Jones <pjones@redhat.com> - 15.6-1.el9
 - Update to shim-15.6
   Resolves: CVE-2022-28737
 
-* Thu Sep 17 2020 Peter Jones <pjones@redhat.com> - 15-9.el8
-- Fix an incorrect allocation size.
-  Related: rhbz#1877253
+* Wed Mar 09 2022 Peter Jones <pjones@redhat.com> - 15.5-1
+- Update to shim-15.5
+  Related: rhbz#1932057
 
-* Thu Jul 30 2020 Peter Jones <pjones@redhat.com> - 15-8
-- Fix a load-address-dependent forever loop.
-  Resolves: rhbz#1861977
-  Related: CVE-2020-10713
-  Related: CVE-2020-14308
-  Related: CVE-2020-14309
-  Related: CVE-2020-14310
-  Related: CVE-2020-14311
-  Related: CVE-2020-15705
-  Related: CVE-2020-15706
-  Related: CVE-2020-15707
+* Thu Apr 01 2021 Peter Jones <pjones@redhat.com> - 15.4-4
+- Fix the sbat data to actually match /this/ product.
+  Resolves: CVE-2020-14372
+  Resolves: CVE-2020-25632
+  Resolves: CVE-2020-25647
+  Resolves: CVE-2020-27749
+  Resolves: CVE-2020-27779
+  Resolves: CVE-2021-20225
+  Resolves: CVE-2021-20233
 
-* Sat Jul 25 2020 Peter Jones <pjones@redhat.com> - 15-7
-- Implement Lenny's workaround
-  Related: CVE-2020-10713
-  Related: CVE-2020-14308
-  Related: CVE-2020-14309
-  Related: CVE-2020-14310
-  Related: CVE-2020-14311
+* Wed Mar 31 2021 Peter Jones <pjones@redhat.com> - 15.4-3
+- Build with the correct certificate trust list for this OS.
+  Resolves: CVE-2020-14372
+  Resolves: CVE-2020-25632
+  Resolves: CVE-2020-25647
+  Resolves: CVE-2020-27749
+  Resolves: CVE-2020-27779
+  Resolves: CVE-2021-20225
+  Resolves: CVE-2021-20233
 
-* Fri Jul 24 2020 Peter Jones <pjones@redhat.com> - 15-5
-- Once more with the MokListRT config table patch added.
-  Related: CVE-2020-10713
-  Related: CVE-2020-14308
-  Related: CVE-2020-14309
-  Related: CVE-2020-14310
-  Related: CVE-2020-14311
+* Wed Mar 31 2021 Peter Jones <pjones@redhat.com> - 15.4-2
+- Fix the ia32 build.
+  Resolves: CVE-2020-14372
+  Resolves: CVE-2020-25632
+  Resolves: CVE-2020-25647
+  Resolves: CVE-2020-27749
+  Resolves: CVE-2020-27779
+  Resolves: CVE-2021-20225
+  Resolves: CVE-2021-20233
 
-* Thu Jul 23 2020 Peter Jones <pjones@redhat.com> - 15-4
-- Rebuild for bug fixes and new signing keys
-  Related: CVE-2020-10713
-  Related: CVE-2020-14308
-  Related: CVE-2020-14309
-  Related: CVE-2020-14310
-  Related: CVE-2020-14311
+* Tue Mar 30 2021 Peter Jones <pjones@redhat.com> - 15.4-1
+- Update to shim 15.4
+  - Support for revocations via the ".sbat" section and SBAT EFI variable
+  - A new unit test framework and a bunch of unit tests
+  - No external gnu-efi dependency
+  - Better CI
+  Resolves: CVE-2020-14372
+  Resolves: CVE-2020-25632
+  Resolves: CVE-2020-25647
+  Resolves: CVE-2020-27749
+  Resolves: CVE-2020-27779
+  Resolves: CVE-2021-20225
+  Resolves: CVE-2021-20233
+
+* Wed Mar 24 2021 Peter Jones <pjones@redhat.com> - 15.3-0~1
+- Update to shim 15.3
+  - Support for revocations via the ".sbat" section and SBAT EFI variable
+  - A new unit test framework and a bunch of unit tests
+  - No external gnu-efi dependency
+  - Better CI
+  Resolves: CVE-2020-14372
+  Resolves: CVE-2020-25632
+  Resolves: CVE-2020-25647
+  Resolves: CVE-2020-27749
+  Resolves: CVE-2020-27779
+  Resolves: CVE-2021-20225
+  Resolves: CVE-2021-20233
 
 * Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-3
 - Make EFI variable copying fatal only on secureboot enabled systems
@@ -242,17 +240,24 @@ cd ..
 - Fix MoK mirroring issue which breaks kdump without intervention
   Related: rhbz#1668966
 
-* Fri Jul 20 2018 Peter Jones <pjones@redhat.com> - 15-1
+* Thu Apr 05 2018 Peter Jones <pjones@redhat.com> - 15-1
 - Update to shim 15
+- better checking for bad linker output
+- flicker-free console if there's no error output
+- improved http boot support
+- better protocol re-installation
+- dhcp proxy support
+- tpm measurement even when verification is disabled
+- REQUIRE_TPM build flag
+- more reproducable builds
+- measurement of everything verified through shim_verify()
+- coverity and scan-build checker make targets
+- misc cleanups
 
-* Tue Sep 19 2017 Peter Jones <pjones@redhat.com> - 13-3
-- Actually update to the *real* 13 final.
-  Related: rhbz#1489604
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 13-0.2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
 
-* Thu Aug 31 2017 Peter Jones <pjones@redhat.com> - 13-2
-- Actually update to 13 final.
-
-* Fri Aug 18 2017 Peter Jones <pjones@redhat.com> - 13-1
+* Fri Aug 18 2017 Peter Jones <pjones@redhat.com> - 13-0.1
 - Make a new shim-unsigned-x64 package like the shim-unsigned-aarch64 one.
 - This will (eventually) supersede what's in the "shim" package so we can
   make "shim" hold the signed one, which will confuse fewer people.

sources

@@ -0,0 +1 @@
+SHA512 (shim-15.8.tar.bz2) = 30b3390ae935121ea6fe728d8f59d37ded7b918ad81bea06e213464298b4bdabbca881b30817965bd397facc596db1ad0b8462a84c87896ce6c1204b19371cd1