BR efitools

.gitignore

@@ -1,2 +1 @@
-SOURCES/redhatsecurebootca5.cer
 SOURCES/shim-15.8.tar.bz2

.shim-unsigned-x64.metadata

@@ -1,2 +1 @@
-e6f506462069aa17d2e8610503635c20f3a995c3 SOURCES/redhatsecurebootca5.cer
 cdec924ca437a4509dcb178396996ddf92c11183 SOURCES/shim-15.8.tar.bz2

SOURCES/sbat.almalinux.csv

@@ -0,0 +1 @@
+shim.almalinux,3,AlmaLinux,shim,15.8,security@almalinux.org

SOURCES/sbat.redhat.csv

@@ -1 +0,0 @@
-shim.redhat,3,Red Hat Inc,shim,15.8,secalert@redhat.com

SPECS/shim-unsigned-x64.spec

@@ -1,14 +1,7 @@
 %global pesign_vre 0.106-1
-%global gnuefi_vre 1:3.0.5-6
 %global openssl_vre 1.0.2j
 
-%global debug_package %{nil}
-%global __debug_package 1
-%global _binaries_in_noarch_packages_terminate_build 0
-%global __debug_install_post %{SOURCE100} x64 ia32
-%undefine _debuginfo_subpackages
-
-%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
+%global efidir almalinux
 %global shimrootdir %{_datadir}/shim/
 %global shimversiondir %{shimrootdir}/%{version}-%{release}
 %global efiarch x64
@@ -16,23 +9,32 @@
 %global efialtarch ia32
 %global shimaltdir %{shimversiondir}/%{efialtarch}
 
+%global debug_package %{nil}
+%global __debug_package 1
+%global _binaries_in_noarch_packages_terminate_build 0
+%global __debug_install_post %{SOURCE100} %{efiarch} %{efialtarch}
+%undefine _debuginfo_subpackages
+
 Name:		shim-unsigned-%{efiarch}
 Version:	15.8
-Release:	2.el8
+Release:	2.el9.alma.1
 Summary:	First-stage UEFI bootloader
 ExclusiveArch:	x86_64
 License:	BSD
 URL:		https://github.com/rhboot/shim
 Source0:	https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
-Source1:	redhatsecurebootca5.cer
 # currently here's what's in our dbx:
 # nothing.
 Source2:	dbx.esl
-Source3:	sbat.redhat.csv
+Source3:	sbat.almalinux.csv
 Source4:	shim.patches
 
 Source100:	shim-find-debuginfo.sh
 
+Source101:  almalinux-sb-cert-1.der
+Source102:  almalinux-sb-cert-2.der
+Source103:  almalinux-sb-cert-3.der
+
 %include %{SOURCE4}
 
 BuildRequires:	gcc make
@@ -40,6 +42,7 @@ BuildRequires:	elfutils-libelf-devel
 BuildRequires:	git openssl-devel openssl
 BuildRequires:	pesign >= %{pesign_vre}
 BuildRequires:	dos2unix findutils
+BuildRequires:  efitools
 
 # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
 # compatible with SysV (there's no red zone under UEFI) and there isn't a
@@ -67,7 +70,6 @@ Provides:	bundled(openssl) = %{openssl_vre}
 
 %package debuginfo
 Summary:	Debug information for shim-unsigned-%{efiarch}
-Requires:	%{name}-debugsource = %{version}-%{release}
 Group:		Development/Debug
 AutoReqProv:	0
 BuildArch:	noarch
@@ -78,7 +80,6 @@ BuildArch:	noarch
 %package -n shim-unsigned-%{efialtarch}-debuginfo
 Summary:	Debug information for shim-unsigned-%{efialtarch}
 Group:		Development/Debug
-Requires:	%{name}-debugsource = %{version}-%{release}
 AutoReqProv:	0
 BuildArch:	noarch
 
@@ -103,17 +104,26 @@ mkdir build-%{efialtarch}
 cp %{SOURCE3} data/
 
 %build
+# Prepare vendor_db.esl file
+openssl x509 -inform DER -in %{SOURCE101} -out 01.pem
+openssl x509 -inform DER -in %{SOURCE102} -out 02.pem
+openssl x509 -inform DER -in %{SOURCE103} -out 03.pem
+cert-to-efi-sig-list -g 9DD8A2AC-0977-4AEF-99A0-E794FD2A31FE 01.pem 01.esl
+cert-to-efi-sig-list -g 33D81FE3-5EC0-44F8-AB02-C9DA554F63D8 02.pem 02.esl
+cert-to-efi-sig-list -g 50413300-1AC7-49DA-B755-BB0D93E634B6 03.pem 03.esl
+cat 01.esl 02.esl 03.esl > vendor_db.esl
+
 COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6
 MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
 MAKEFLAGS+="ENABLE_SHIM_HASH=true "
 MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
 MAKEFLAGS+="%{_smp_mflags}"
-if [ -s "%{SOURCE1}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
+if [ -s vendor_db.esl ]; then
+	MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=../vendor_db.esl"
 fi
 if [ -s "%{SOURCE2}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} "
+	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
 fi
 
 cd build-%{efiarch}
@@ -122,23 +132,17 @@ make ${MAKEFLAGS} \
 	all
 cd ..
 
-cd build-%{efialtarch}
-setarch linux32 -B make ${MAKEFLAGS} ARCH=%{efialtarch} \
-	DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
-	all
-cd ..
-
 %install
 COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6
 MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
-MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
+MAKEFLAGS+="ENABLE_SHIM_HASH=true "
 MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
-if [ -s "%{SOURCE1}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
+if [ -s vendor_db.esl ]; then
+	MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=../vendor_db.esl"
 fi
 if [ -s "%{SOURCE2}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} "
+	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
 fi
 
 cd build-%{efiarch}
@@ -148,13 +152,6 @@ make ${MAKEFLAGS} \
 	install-as-data install-debuginfo install-debugsource
 cd ..
 
-cd build-%{efialtarch}
-setarch linux32 make ${MAKEFLAGS} ARCH=%{efialtarch} \
-	DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
-	DESTDIR=${RPM_BUILD_ROOT} \
-	install-as-data install-debuginfo install-debugsource
-cd ..
-
 %files
 %license COPYRIGHT
 %dir %{shimrootdir}
@@ -164,73 +161,89 @@ cd ..
 %{shimdir}/*.efi
 %{shimdir}/*.hash
 
-%files -n shim-unsigned-%{efialtarch}
-%license COPYRIGHT
-%dir %{shimrootdir}
-%dir %{shimversiondir}
-%dir %{shimaltdir}
-%{shimaltdir}/*.CSV
-%{shimaltdir}/*.efi
-%{shimaltdir}/*.hash
-
 %files debuginfo -f build-%{efiarch}/debugfiles.list
 
-%files -n shim-unsigned-%{efialtarch}-debuginfo -f build-%{efialtarch}/debugfiles.list
-
 %files debugsource -f build-%{efiarch}/debugsource.list
 
 %changelog
-* Wed Feb 07 2024 Peter Jones <pjones@redhat.com> - 15.8-2.el8
+* Tue Mar 26 2024 Eduard Abdullin <eabdullin@almalinux.org> - 15.8-2.el9.alma.1
+- Update to shim-15.8
+
+* Wed Feb 07 2024 Peter Jones <pjones@redhat.com> - 15.8-2.el9
 - Rebuild to fix the commit ident and MAKEFLAGS
-  Resolves: RHEL-11259
+  Resolves: RHEL-11262
 
-* Tue Dec 05 2023 Peter Jones <pjones@redhat.com> - 15.8-1.el8
+* Tue Jan 23 2024 Peter Jones <pjones@redhat.com> - 15.8-1.el9
 - Update to shim-15.8 for CVE-2023-40547
-  Resolves: RHEL-11259
+  Resolves: RHEL-11262
 
-* Wed Jun 01 2022 Peter Jones <pjones@redhat.com> - 15.6-1.el8
-- Update to shim-15.6
-  Resolves: CVE-2022-28737
+* Wed Jun 01 2022 Peter Jones <pjones@redhat.com> - 15.6-1.el9
+- Update to shim-15.6 for CVE-2022-28737
 
-* Thu Sep 17 2020 Peter Jones <pjones@redhat.com> - 15-9.el8
-- Fix an incorrect allocation size.
-  Related: rhbz#1877253
+* Tue May 24 2022 Peter Jones <pjones@redhat.com> - 15.6~rc1-1.el9
+- Update to shim-15.6~rc1 for CVE-2022-28737
 
-* Thu Jul 30 2020 Peter Jones <pjones@redhat.com> - 15-8
-- Fix a load-address-dependent forever loop.
-  Resolves: rhbz#1861977
-  Related: CVE-2020-10713
-  Related: CVE-2020-14308
-  Related: CVE-2020-14309
-  Related: CVE-2020-14310
-  Related: CVE-2020-14311
-  Related: CVE-2020-15705
-  Related: CVE-2020-15706
-  Related: CVE-2020-15707
+* Wed Mar 09 2022 Peter Jones <pjones@redhat.com> - 15.5-1
+- Update to shim-15.5
+  Related: rhbz#1932057
 
-* Sat Jul 25 2020 Peter Jones <pjones@redhat.com> - 15-7
-- Implement Lenny's workaround
-  Related: CVE-2020-10713
-  Related: CVE-2020-14308
-  Related: CVE-2020-14309
-  Related: CVE-2020-14310
-  Related: CVE-2020-14311
+* Thu Apr 01 2021 Peter Jones <pjones@redhat.com> - 15.4-4
+- Fix the sbat data to actually match /this/ product.
+  Resolves: CVE-2020-14372
+  Resolves: CVE-2020-25632
+  Resolves: CVE-2020-25647
+  Resolves: CVE-2020-27749
+  Resolves: CVE-2020-27779
+  Resolves: CVE-2021-20225
+  Resolves: CVE-2021-20233
 
-* Fri Jul 24 2020 Peter Jones <pjones@redhat.com> - 15-5
-- Once more with the MokListRT config table patch added.
-  Related: CVE-2020-10713
-  Related: CVE-2020-14308
-  Related: CVE-2020-14309
-  Related: CVE-2020-14310
-  Related: CVE-2020-14311
+* Wed Mar 31 2021 Peter Jones <pjones@redhat.com> - 15.4-3
+- Build with the correct certificate trust list for this OS.
+  Resolves: CVE-2020-14372
+  Resolves: CVE-2020-25632
+  Resolves: CVE-2020-25647
+  Resolves: CVE-2020-27749
+  Resolves: CVE-2020-27779
+  Resolves: CVE-2021-20225
+  Resolves: CVE-2021-20233
 
-* Thu Jul 23 2020 Peter Jones <pjones@redhat.com> - 15-4
-- Rebuild for bug fixes and new signing keys
-  Related: CVE-2020-10713
-  Related: CVE-2020-14308
-  Related: CVE-2020-14309
-  Related: CVE-2020-14310
-  Related: CVE-2020-14311
+* Wed Mar 31 2021 Peter Jones <pjones@redhat.com> - 15.4-2
+- Fix the ia32 build.
+  Resolves: CVE-2020-14372
+  Resolves: CVE-2020-25632
+  Resolves: CVE-2020-25647
+  Resolves: CVE-2020-27749
+  Resolves: CVE-2020-27779
+  Resolves: CVE-2021-20225
+  Resolves: CVE-2021-20233
+
+* Tue Mar 30 2021 Peter Jones <pjones@redhat.com> - 15.4-1
+- Update to shim 15.4
+  - Support for revocations via the ".sbat" section and SBAT EFI variable
+  - A new unit test framework and a bunch of unit tests
+  - No external gnu-efi dependency
+  - Better CI
+  Resolves: CVE-2020-14372
+  Resolves: CVE-2020-25632
+  Resolves: CVE-2020-25647
+  Resolves: CVE-2020-27749
+  Resolves: CVE-2020-27779
+  Resolves: CVE-2021-20225
+  Resolves: CVE-2021-20233
+
+* Wed Mar 24 2021 Peter Jones <pjones@redhat.com> - 15.3-0~1
+- Update to shim 15.3
+  - Support for revocations via the ".sbat" section and SBAT EFI variable
+  - A new unit test framework and a bunch of unit tests
+  - No external gnu-efi dependency
+  - Better CI
+  Resolves: CVE-2020-14372
+  Resolves: CVE-2020-25632
+  Resolves: CVE-2020-25647
+  Resolves: CVE-2020-27749
+  Resolves: CVE-2020-27779
+  Resolves: CVE-2021-20225
+  Resolves: CVE-2021-20233
 
 * Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-3
 - Make EFI variable copying fatal only on secureboot enabled systems
@@ -242,17 +255,24 @@ cd ..
 - Fix MoK mirroring issue which breaks kdump without intervention
   Related: rhbz#1668966
 
-* Fri Jul 20 2018 Peter Jones <pjones@redhat.com> - 15-1
+* Thu Apr 05 2018 Peter Jones <pjones@redhat.com> - 15-1
 - Update to shim 15
+- better checking for bad linker output
+- flicker-free console if there's no error output
+- improved http boot support
+- better protocol re-installation
+- dhcp proxy support
+- tpm measurement even when verification is disabled
+- REQUIRE_TPM build flag
+- more reproducable builds
+- measurement of everything verified through shim_verify()
+- coverity and scan-build checker make targets
+- misc cleanups
 
-* Tue Sep 19 2017 Peter Jones <pjones@redhat.com> - 13-3
-- Actually update to the *real* 13 final.
-  Related: rhbz#1489604
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 13-0.2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
 
-* Thu Aug 31 2017 Peter Jones <pjones@redhat.com> - 13-2
-- Actually update to 13 final.
-
-* Fri Aug 18 2017 Peter Jones <pjones@redhat.com> - 13-1
+* Fri Aug 18 2017 Peter Jones <pjones@redhat.com> - 13-0.1
 - Make a new shim-unsigned-x64 package like the shim-unsigned-aarch64 one.
 - This will (eventually) supersede what's in the "shim" package so we can
   make "shim" hold the signed one, which will confuse fewer people.