From 8c7597611a8ca207dcebe2e9d4f0e14eef0a564b Mon Sep 17 00:00:00 2001
From: Peter Jones
Date: Thu, 21 Mar 2024 15:22:45 -0400
Subject: [PATCH] Update to shim-15.8 for CVE-2023-40547

Resolves: RHEL-11259
Signed-off-by: Peter Jones
---
 shim.rpmmacros | 7 +++++--
 shim.spec | 35 +++++++++++++++++++----------------
 sources | 12 ++++++------
 3 files changed, 30 insertions(+), 24 deletions(-)

diff --git a/shim.rpmmacros b/shim.rpmmacros
index 177650f..0d1cdba 100644
--- a/shim.rpmmacros
+++ b/shim.rpmmacros
@@ -3,6 +3,8 @@
 %global vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
 %global vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
 
+%global grub_version 2.02-87.el8_1.11
+
 %global bootcsvaa64 %{expand:%{SOURCE10}}
 %global bootcsvia32 %{expand:%{SOURCE11}}
 %global bootcsvx64 %{expand:%{SOURCE12}}
@@ -24,8 +26,8 @@
 #%%global mmefiarm %%{expand:%%{SOURCE43}
 
 %global shimveraa64 15-7.el8_1
-%global shimveria32 15.5-1.el8
-%global shimverx64 15.5-1.el8
+%global shimveria32 15.8-2.el8
+%global shimverx64 15.8-2.el8
 #%%global shimverarm 15-1.el8
 
 %global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64
@@ -62,6 +64,7 @@ Requires: mokutil >= 1:0.3.0-1 \
 Requires: efi-filesystem \
 Provides: shim-signed-%{-a*} = %{version}-%{release} \
 Requires: dbxtool >= 0.6-3 \
+Conflicts: grub2-efi-%{-a*} < %{grub_version} \
 %{expand:%%if 0%%{-p*} \
 Provides: shim = %{version}-%{release} \
 Provides: shim-signed = %{version}-%{release} \
diff --git a/shim.spec b/shim.spec
index b07d26c..692292e 100644
--- a/shim.spec
+++ b/shim.spec
@@ -1,6 +1,6 @@
 Name: shim
-Version: 15.5
-Release: 2.el8
+Version: 15.8
+Release: 1.el8
 Summary: First-stage UEFI bootloader
 License: BSD
 URL: https://github.com/rhboot/shim/
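Review bot: The added `Conflicts: grub2-efi-%{-a*} < %{grub_version} \` in the third shim.rpmmacros hunk is expanded for every architecture the macro is invoked for, but in the second hunk only `shimveria32` and `shimverx64` move to 15.8-2.el8 while `shimveraa64` stays at 15-7.el8_1, so the aarch64 subpackage would carry the new grub floor without carrying the 15.8 shim. If the grub minimum exists because of the 15.8 shim, it should presumably be conditional on the architectures that were actually updated, and either way the new `%global grub_version 2.02-87.el8_1.11` in the first hunk should record why that floor was chosen, e.g. `# lowest grub2-efi that may be installed with this shim; reason: <fill in>`. The macro whose Requires/Provides/Conflicts list this line joins starts and ends outside the hunk.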
@@ -39,20 +39,18 @@ Source42: fbx64.efi
 %include %{SOURCE0}
 
 BuildRequires: pesign >= 0.112-20.fc27
-# We need this because %%{efi} won't expand before choosing where to make
-# the src.rpm in koji, and we could be on a non-efi architecture, in which
-# case we won't have a valid expansion here... To be solved in the future
-# (shim 16+) by making the unsigned packages all provide "shim-unsigned", so
-# we can just BuildRequires that.
-%ifarch x86_64
+# Right now we're just including all of the parts from them as sources here
+# to make the build+errata process less maddening. We do this because
+# %%{efi} won't expand before choosing where to make the src.rpm in koji,
+# and we could be on a non-efi architecture, in which case we won't have a
+# valid expansion here...
+# %% ifarch x86_64
 # BuildRequires: %% {unsignedx64} = %% {shimverx64}
 # BuildRequires: %% {unsignedia32} = %% {shimveria32}
-BuildRequires: %{unsignedx64} = %{shimverx64}
-BuildRequires: %{unsignedia32} = %{shimveria32}
-%endif
-%ifarch aarch64
-BuildRequires: %{unsignedaa64} = %{shimveraa64}
-%endif
+# %% endif
+# %% ifarch aarch64
+# BuildRequires: %% {unsignedaa64} = %% {shimveraa64}
+# %% endif
 #%%ifarch arm
 #BuildRequires: %%{unsignedarm} = %%{shimverarm}
 #%%endif
@@ -76,10 +74,11 @@ mkdir shim-%{version}
 export PS4='${LINENO}: '
 cd shim-%{version}
 
+# Temporarily using _sourcedir to avoid build dep annoyances.
 %if %{efi_has_alt_arch}
-%define_build -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -i %{shimefialt} -b yes -c %{is_alt_signed} -d %{shimdiralt}
+%define_build -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -i %{shimefialt} -b yes -c %{is_alt_signed} -d %{_sourcedir}
 %endif
-%define_build -a %{efi_arch} -A %{efi_arch_upper} -i %{shimefi} -b yes -c %{is_signed} -d %{shimdir}
+%define_build -a %{efi_arch} -A %{efi_arch_upper} -i %{shimefi} -b yes -c %{is_signed} -d %{_sourcedir}
 
 %install
 rm -rf $RPM_BUILD_ROOT
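Review bot: With `BuildRequires: %{unsignedx64} = %{shimverx64}` and `BuildRequires: %{unsignedia32} = %{shimveria32}` removed and only their commented-out copies kept, nothing in the build any longer ties the prebuilt shimx64.efi and shimia32.efi shipped from `sources` to the 15.8-2.el8 unsigned builds that `shimverx64`/`shimveria32` now name in shim.rpmmacros; the SHA512 list pins the bytes but says nothing about where they came from. The replacement comment explains the koji expansion problem but not how the shipped binaries relate to those macros, so I would append `# The *.efi in sources are the signed output of %%{unsignedx64}/%%{unsignedia32} at exactly %%{shimverx64}/%%{shimveria32}; update the macros and sources together.` Whether that correspondence is verified out of band cannot be seen from this diff.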
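Review bot: Both `%define_build` calls now pass `-d %{_sourcedir}` in place of `-d %{shimdiralt}` and `-d %{shimdir}`, so the primary and alternate-arch builds read their inputs from one flat directory and the per-version shimdir* paths defined in shim.rpmmacros no longer select the binary, while the new `# Temporarily using _sourcedir` comment records neither what it replaced nor the condition for undoing it. I would write `# Temporarily using _sourcedir instead of %%{shimdir}/%%{shimdiralt} while the unsigned BuildRequires are disabled; revert together with them.` The section these lines belong to starts before the hunk, so whether anything else still consumes %{shimdir} is not visible here.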
@@ -112,6 +111,10 @@ install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi
 %endif
 
 %changelog
+* Thu Mar 21 2024 Peter Jones - 15.8-1.el8
+- Update to shim-15.8 for CVE-2023-40547 Resolves: RHEL-11259
+
 * Wed Apr 20 2022 Peter Jones - 15.5-2.el8
 - Include the actual signed shim binaries.
   Resolves: rhbz#1970632
diff --git a/sources b/sources
index 389bf76..0e4e3e6 100644
--- a/sources
+++ b/sources
@@ -4,9 +4,9 @@ SHA512 (BOOTIA32.CSV) = 149f3c07b3acffacc80f20d17033db86a0696f2db8de7e6a8e3b03a5
 SHA512 (BOOTX64.CSV) = 3ed565c94bfc6f94136780ebbfebc0b19cb408b80e459bfece5de2e478d66605c1c7dd9f4186864cedbd420626945ae7b86e938e2d67f0163de596d05d859e0b
 SHA512 (mmaa64.efi) = cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
 SHA512 (fbaa64.efi) = cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-SHA512 (shimx64.efi) = 355659cae40d1d5ec9d41ff105b0b63a5a89f7bfda4cab8fe845440a90dffb3d8210ad286505b87606019adcd0a23fc0aad0779cf9b2407b061cc56de62e918b
-SHA512 (fbia32.efi) = f9381cfb9ac27c059a6e81fde1b8e1cbb5db6bf36233f73a78c8d61a516172df03483dc04545ad94dea6d6d7e7a62ffef712bbf29a656104b7855488bbce13d8
-SHA512 (mmia32.efi) = 3109592ea6a2b018362e5eb75c02b7754e02eb48e4df9bdff60b95d6de605bd292163a261df7095ce44382216546caeb53715a63b12e70b9a07504de23ce1bf6
-SHA512 (fbx64.efi) = 026c58715e832092dfd1ee83a598a29b94f275f25622f6ebd1ee95785b3f69b5c61adec2857ddb04f0af7c9c112d6e344965453bb0d2f1f92c102a58fe88ade3
-SHA512 (mmx64.efi) = 4c376a2da330705f4f857c360dfd5b8a8e44ace16674f54f2eda492ff7adb33e789535a19fadaf7cb98d6d001490f036b2c17d866c4dfa2c964f106c5a34479e
-SHA512 (shimia32.efi) = 573d8397c53a2b54f2b165ea6ace2267257f3b53d58d6edc4ff094f3007ac05287d5963898f9062e08e550ed476f3aa9b42640d699312d3d00180cebef4c24a4
+SHA512 (shimia32.efi) = 15e0684657d89a9b6ed77de2647ef3c1c7be8c1011bb95650a03247b4b41bcf7802168df97526a12b2d51410b4323392754621a16a28fff3b12f647c46592822
+SHA512 (shimx64.efi) = e709eaf50892d6d57ac172338b8a8d3f95950ecbc79b9d9dd9d70c53d63fe8587953e765361fbc0c610c3d57fbe4ab8638b4136c32395dfef200cad8f6b04d46
+SHA512 (fbia32.efi) = 431c2a39768ff39de15eb5ff4baa8cfab0ac954a6e553290e45ac1b3021edd6079b461ca84a2ee50f692dfc8e3df6d841556e4036d7b939d5a52f092cdcccabd
+SHA512 (fbx64.efi) = ef87ff4af625265d83ef5f4b72f7dc83cb24cc6761d8bd6ba85bf2fc07301a16ed2f529fe39f981b4c11e2bf4dff33bb03fbc3c294de15448e7760ad843216b8
+SHA512 (mmia32.efi) = 647219648ba213c85a163fe682c932f8af3ff1e2a5891381186ff07854aaf1ad081f06110b5cc4db32cc18460a876804884bc8cec0134024853119860bb23661
+SHA512 (mmx64.efi) = 145e7aac670df63f46050ae1892fbca5cf001326a75624c7bf3f2a574f8e97cb322525571385ad159803cc4883a4bb5d4ed17d0a446c78418203163146a45876
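Review bot: The two aarch64 entries left untouched above the replaced block, `SHA512 (mmaa64.efi)` and `SHA512 (fbaa64.efi)`, both carry `cf83e1357eefb8bd…a538327af927da3e`, which is the SHA-512 digest of zero-length input, so those two artifacts are still empty placeholders after this update. Together with `shimveraa64` staying at 15-7.el8_1 in shim.rpmmacros, the CVE-2023-40547 update in this commit appears to cover only the six ia32 and x64 files whose hashes are replaced here. If aarch64 is intentionally out of scope for this build, the changelog entry should say so; if not, the aa64 artifacts need to be refreshed alongside these six and their entries updated in the same commit.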