From 09b7c524d446c38d44cd395b7492c611c8bb13fb Mon Sep 17 00:00:00 2001 From: Andrew Lukoshko Date: Wed, 15 Sep 2021 12:46:23 +0000 Subject: [PATCH] AlmaLinux changes --- .shim.metadata | 4 ++-- SOURCES/BOOTAA64.CSV | Bin 184 -> 124 bytes SOURCES/BOOTIA32.CSV | Bin 184 -> 124 bytes SOURCES/BOOTX64.CSV | Bin 182 -> 122 bytes SOURCES/clsecureboot001.cer | Bin 0 -> 1561 bytes SOURCES/redhatsecureboot501.cer | Bin 964 -> 0 bytes SOURCES/redhatsecurebootca5.cer | Bin 920 -> 0 bytes SOURCES/shim.rpmmacros | 7 +++--- SPECS/shim.spec | 38 ++++++++++++++++---------------- 9 files changed, 25 insertions(+), 24 deletions(-) create mode 100644 SOURCES/clsecureboot001.cer delete mode 100644 SOURCES/redhatsecureboot501.cer delete mode 100644 SOURCES/redhatsecurebootca5.cer diff --git a/.shim.metadata b/.shim.metadata index 24b7aab..473aeab 100644 --- a/.shim.metadata +++ b/.shim.metadata @@ -1,3 +1,3 @@ 8ab193ad7addd71e4a820081f36d47e5ef727d28 SOURCES/shimaa64.efi -d3178fb0a2d662e2457e4a5cd13d1224e2aac1c2 SOURCES/shimia32.efi -9fb692b46fc70fd07a9acbbabc8e1c50d0e9a481 SOURCES/shimx64.efi +ea800341a41765d0a06611220063d3aef8453dab SOURCES/shimia32.efi +9f0ee5b4f212db7d228c8f985d4f15410c4922ed SOURCES/shimx64.efi diff --git a/SOURCES/BOOTAA64.CSV b/SOURCES/BOOTAA64.CSV index 2dad06e30e5c8f08d7ba2dd1a6bdfe2a05065d4d..3ef9ab912bd5e9e68661f89ee324b147d9282064 100644 GIT binary patch delta 37 ncmdnNSTjL}-H{=OA(tU>qNA$_l*!=3kjaq8P|8rjz{LOnup0;@ delta 97 zcmb=~!8k!iHHaaVA%#JK!Gj@@p#(^~GUNg2RE8pk0wB(0CCMvrc5v7p92dE{F Lp_HM5fr|kE$VC#q diff --git a/SOURCES/BOOTIA32.CSV b/SOURCES/BOOTIA32.CSV index 4e658b2f4fc811efe3f482f81efef435dab58626..a45da43844da52778badecb23ca75128fa8b98b6 100644 GIT binary patch delta 37 ncmdnNSTjL}-H{=OA(tU>qNA$_l*!=3kjaq8P|8rjz{LOnup0;@ delta 97 zcmb=~!8k!iHHaaVA%#JK!Gj@@p#(^~GUNg2RE8pk0wB(0CCMvrc5v7p92dE{F Lp_HM5fr|kE$VC#q 
diff --git a/SOURCES/BOOTX64.CSV b/SOURCES/BOOTX64.CSV index 7692a93c84b493eba48422b79eb9186fad5d0a34..38a9ef0a67ed2de1e037a1e119941ec1fb374836 100644 GIT binary patch delta 37 ncmdnSST#Y4-H{=OA(tU>qP?pKl*!=3kjaq8P|8rjz{LOnuNw#) delta 97 zcmb>0#yCMrHHaaVA%#JK!Gj@@p#(^~GUNg2RE8pk0wB(0CCMvob5v7p92dE{F Lp_HM5fr|kE#h((k diff --git a/SOURCES/clsecureboot001.cer b/SOURCES/clsecureboot001.cer new file mode 100644 index 0000000000000000000000000000000000000000..ca9ce5d92a13320a2995ed90f173ea719a132d8f GIT binary patch literal 1561 zcmZ`(Yfuwc6wXbS1jzzo5X>OBh=_zHxtj+9!bnI+p+=zweAJF{O%_-i65K3=V6`P` zg!+Oiw$+NM3{cvRbwp7M9c2G4W9CPDY!P9nY%kz?r;WtSRH=h8 zU|e*l3WsV{DvoP4TGbnDs9{5GAcS5Z!6h(4C{7Uq1bAm>@_|6YFE-;+7(G78M}rNd zop2L0iATV2PECX)*l5Dk>U3O<$HA#wY63bL*TU2^EXQ6+VmX8d(^It7PU5jJhO385 zA`5A%ieN~rfG#CiV@9QqDqzb&l8`jD9Hy((P@^7aCo5+n4C4+6Mny(D>xqpR~zVhEx6umhZ5RVFal3r5M(h>Ej0sf_MTi2%d}hSB1Z;Kcx_Vo?>QeGcGz_P@TPE#k$jU}t{ z=C4WMHPazOp*1PT3fm+ruI6lS_~q`^8L{y-bu+Gf%@__g=3FU^|HN|Z8E=KQmHrw0 zI*CrQY%Us>cb>W=8$P+bYgw+q?~#eYnR*Y9;aJhXnxTwk!v=F7YKwQfz8bV zV01@f!?{5q0>0>7n9VhhK+@rCzjllgEbu48Bs8(uEH~tubc=NhbLDzdL9qcd0ymIeCpOTfNz>=FRp+_ZMjPwTEfKR;4GdG@D`O}rr^ zO(!d6#<-~YhKw(p3S9X|dM{X}bRc;161eWzPCUA!^tNx{O73;zPg)%xE6 literal 0 HcmV?d00001 
diff --git a/SOURCES/redhatsecureboot501.cer b/SOURCES/redhatsecureboot501.cer deleted file mode 100644 index dfa7afb4699f9da2610ccf889eac6269b4e368ad..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 964 zcmXqLVm@Hd#I#}oGZP~d6DPygP|MB7r^(JW;AP{~YV&CO&dbQi&B|a9ZzyIU!p0oR z!o|ZIl$xU8kyxUm;F*`KXQ*f(4-#kQk${RT1g9pK7NsgU<>!|uI6Eqs8Y&qmz)j<1 z6ca8^O-{^7Eh=#+N=?Z~EYVBO&oz(}=QT1gFf*_;ur#$aF^m%DHMTG?G_-(n4bpHr zK*K-{;sAMU4hYUn&&$k9S1<({MvOa}7?qIy&dAEZ+{DPwV9>?_b=fyaz_nMgbCq_4}%h&s@!! ze1+-H$r$aU3#Wbib#?#k&uh{GYUM6Zj@vtn;gxywxjzdyRhQhFw_E3gr&3h2=~R{1 zj&**wnV1`gIDK=C)Q=HpH6<5w#musUBRX5*FRT%+S?q^ zlC!X|$Tr`#TvsL{aXYvlkoIbiCkx z5_D~Q*@8!%rFvVIJk+SN&YvaV#ohSi!kzD4u!L^;lrQW*W7-1#!tQ%Ev()B&_RmzfDxh^SOyp9_ zQ{CMgMRQYpd7N(ray<%vF*_r`|Ig1qJ?keW%w>8X>p8K%ckRW_k5{=r91h)XDEdQO n!11X)D#7e#1b6^&%9(kLq!95kT^4s1XNrhI5oMnC{@8JKfgr5*-^pNP{}|6ZW6NxP$#b?ru1p1aqn$3D)YB{Qqo zjCvjz?|=HkE#3AN-xTZpws*U~)f@DZ{t~uwMZy8<;F%jD%$u6!n#qYzp^Sryh{C;x9qf@!N=T4ui@b#({ zSD&^p3kNZ=9lAQ9%xdfP9doNToV+k2^LHOFD{5oE&78StJa^8n7$i2k94PWc<&xr*# z`sciS&XK#@>h!OC8{=mczNLHbADCJ+pE=-CsaDOF#s}?5Q)1qq&%R~#cz>QmiAiVx zk5XXYstAL9d+iK-w@u$FESybMIPOFY~9lmn~9nUf%vMc88@((p0B(#qL+!COmt7`j5IhPVzo{cRPw} Pd!}BnFF!b8N6JS4>O*3Z diff --git a/SOURCES/shim.rpmmacros b/SOURCES/shim.rpmmacros index f477f25..9f43046 100644 --- a/SOURCES/shim.rpmmacros +++ b/SOURCES/shim.rpmmacros @@ -13,9 +13,9 @@ %global shimefix64 %{expand:%{SOURCE22}} #%%global shimefiarm %%{expand:%%{SOURCE23} -%global shimveraa64 15-7.el8_1 -%global shimveria32 15.4-4.el8_1 -%global shimverx64 15.4-4.el8_1 +%global shimveraa64 15-6.el8 +%global shimveria32 15.4-4.el8.alma +%global shimverx64 15.4-4.el8.alma #%%global shimverarm 15-1.el8 %global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64 
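Review bot: `shimveraa64` goes backwards from `15-7.el8_1` to `15-6.el8` in the shim.rpmmacros hunk, while ia32 and x64 move to `15.4-4.el8.alma`. The `SOURCES/shimaa64.efi` digest in `.shim.metadata` is not touched by this patch, so the aarch64 binary appears to stay on the shim 15 series with only its label changed. `shimdiraa64` is built from this macro, so it is worth confirming that the directory still matches what the unsigned aarch64 package installs. A comment above the three lines would record the intent, for example `# aa64 stays on the shim 15 build (shimaa64.efi unchanged); ia32/x64 move to 15.4`.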
@@ -48,6 +48,7 @@ Requires: mokutil >= 1:0.3.0-1 \ Requires: efi-filesystem \ Provides: shim-signed-%{-a*} = %{version}-%{release} \ Requires: dbxtool >= 0.6-3 \ +Requires: %{efi_esp_dir}/grub%{-a*}.efi \ %{expand:%%if 0%%{-p*} \ Provides: shim = %{version}-%{release} \ Provides: shim-signed = %{version}-%{release} \ diff --git a/SPECS/shim.spec b/SPECS/shim.spec index e73f31f..cc236ad 100644 --- a/SPECS/shim.spec +++ b/SPECS/shim.spec @@ -1,3 +1,8 @@ +%global dist %{?dist}.alma +%global efi_vendor almalinux +%global efidir almalinux +%global efi_esp_dir /boot/efi/EFI/%{efidir} + Name: shim Version: 15.4 Release: 2%{?dist} @@ -14,8 +19,8 @@ ExcludeArch: %{ix86} ExcludeArch: %{arm} Source0: shim.rpmmacros -Source1: redhatsecureboot501.cer -Source2: redhatsecurebootca5.cer +Source1: clsecureboot001.cer +# Source2: alnsecurebootca.cer # keep these two lists of sources synched up arch-wise. That is 0 and 10 # match, 1 and 11 match, ... 
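Review bot: The added `Requires: %{efi_esp_dir}/grub%{-a*}.efi \` is a file dependency, so any package that owns that path satisfies it, whatever key its grub binary is signed with. It does not tie the installed grub to the certificate this shim build trusts. If the goal is to keep shim and the matching signed grub installed together, a package-level requirement says so more directly; otherwise a comment ahead of the macro, such as `# shim needs the vendor grub present in the ESP directory; path form used because <REASON>`, would explain the choice. The line also depends on `efi_esp_dir` being defined when the macro expands, which this patch does at the top of shim.spec. The macro body starts and ends outside the hunk.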
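Review bot: The four `%global` lines added at the top of shim.spec have no comment, although they override `dist` and hard-code the ESP directory that the new `Requires:` line in shim.rpmmacros expands. The existing 15-14 changelog entry says the `%%dist` hack was removed, so reintroducing a dist override deserves a line of explanation. Suggested comment: `# AlmaLinux overrides: dist suffix and EFI vendor directory (efi_esp_dir is used by shim.rpmmacros)`.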
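Review bot: `Source1` now points at `clsecureboot001.cer`, which this patch adds as an opaque binary, and nothing visible records whose certificate it is or what its fingerprint is, so the new trust anchor cannot be checked from the spec alone. `Source2` is replaced by a commented-out name, `alnsecurebootca.cer`, for a file the patch does not add; if a later section of the spec (not visible here) still uses `%{SOURCE2}`, it will no longer resolve. I would either drop that commented line or state why no CA certificate is shipped. I would also annotate the certificate that is shipped, for example `# Source1: vendor Secure Boot signing certificate, SHA-256 <FINGERPRINT_PLACEHOLDER>`.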
@@ -101,27 +106,20 @@ install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi %endif %changelog -* Tue Apr 06 2021 Peter Jones - 15.4-2 -- Fix build-deps on our shim-unsigned-* packages. - Related: CVE-2020-14372 (and others) +* Wed Apr 21 2021 Andrew Lukoshko - 15.4-2.alma +- Update to upstream 15.4 version +- Add support for Secure Boot -* Mon Apr 05 2021 Peter Jones - 15.4-1 -- Update to shim 15.4 - - Support for revocations via the ".sbat" section and SBAT EFI variable - - A new unit test framework and a bunch of unit tests - - No external gnu-efi dependency - - Better CI - Resolves: CVE-2020-14372 - Resolves: CVE-2020-25632 - Resolves: CVE-2020-25647 - Resolves: CVE-2020-27749 - Resolves: CVE-2020-27779 - Resolves: CVE-2021-20225 - Resolves: CVE-2021-20233 +* Mon Mar 15 2021 Andrei Lukoshko - 15-16.alma.1 +- AlmaLinux changes + +* Mon Sep 21 2020 Javier Martinez Canillas - 15-16 +- Fix an incorrect allocation size + Resolves: rhbz#1877253 * Fri Jul 31 2020 Peter Jones - 15-15 - Update once again for new signed shim builds. - Resolves: rhbz#1862231 + Resolves: rhbz#1861977 * Tue Jul 28 2020 Peter Jones - 15-14 - Get rid of our %%dist hack for now. @@ -136,7 +134,9 @@ install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi * Thu Jun 11 2020 Javier Martinez Canillas - 15-12 - Fix firmware update bug in aarch64 caused by shim ignoring arguments + Resolves: rhbz#1830871 - Fix a shim crash when attempting to netboot + Resolves: rhbz#1795654 * Fri Jun 07 2019 Javier Martinez Canillas - 15-11 - Update the shim-unsigned-aarch64 version number
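Review bot: The rewritten `%changelog` drops the 15.4-1 and 15.4-2 entries along with their `Resolves: CVE-…` lines, so the built package no longer states which CVEs the 15.4 update addresses, and anyone auditing from the package changelog loses that record. The new 15.4-2.alma entry could keep them, e.g. `- Update to upstream 15.4 version (CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233)`. The same hunk also appears to change the bug reference on the existing 15-15 entry from `rhbz#1862231` to `rhbz#1861977`, and the second changelog hunk adds `Resolves:` lines to the 15-12 entry. Edits to historical entries like these are worth a sentence in the commit message, which currently says only "AlmaLinux changes".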