.gitignore

@@ -1,14 +0,0 @@
-SOURCES/BOOTAA64.CSV
-SOURCES/BOOTIA32.CSV
-SOURCES/BOOTX64.CSV
-SOURCES/fbaa64.efi
-SOURCES/fbia32.efi
-SOURCES/fbx64.efi
-SOURCES/mmaa64.efi
-SOURCES/mmia32.efi
-SOURCES/mmx64.efi
-SOURCES/redhatsecureboot501.cer
-SOURCES/redhatsecurebootca5.cer
-SOURCES/shimaa64.efi
-SOURCES/shimia32.efi
-SOURCES/shimx64.efi

.shim.metadata

@@ -1,14 +0,0 @@
-fe978419c312c0c415d52befb4f6561e2d9556a7 SOURCES/BOOTAA64.CSV
-9650b41c0227b343478d03f4d7fcd6c8d3744440 SOURCES/BOOTIA32.CSV
-6801abf1c4d54f15f869470c99e480433940407a SOURCES/BOOTX64.CSV
-317f45115504f1ba56f0113dc217460e3c26cf82 SOURCES/fbaa64.efi
-4fd02a6b3ec5dc58fcba1a3d8dec69e0cb86f5d5 SOURCES/fbia32.efi
-b26bb4ed41e96d6e2b2471dc5d50f0f2c88ff884 SOURCES/fbx64.efi
-b2e0f92dba676facda778be739e2959f5e51c077 SOURCES/mmaa64.efi
-e8316a74f06a29385eeb7fd734f582e60dc7a2a4 SOURCES/mmia32.efi
-77f25d23c6b0bb2f79a47d574f8af5ffe91e2466 SOURCES/mmx64.efi
-ba0b760e594ff668ee72ae348adf3e49b97f75fb SOURCES/redhatsecureboot501.cer
-e6f506462069aa17d2e8610503635c20f3a995c3 SOURCES/redhatsecurebootca5.cer
-750bd7932437b1fb6610c233f69db1b70d67fab1 SOURCES/shimaa64.efi
-0cd6ef62726de2f1321bfe6b70f47b788ac38666 SOURCES/shimia32.efi
-86855303a18b978cf90d6c244bfe30897f449996 SOURCES/shimx64.efi

SOURCES/shim.rpmmacros

@@ -1,208 +0,0 @@
-%global debug_package %{nil}
-%global __brp_mangle_shebangs_exclude_from_file %{expand:%{_builddir}/shim-%{efi_arch}-%{version}-%{release}.%{_target_cpu}-shebangs.txt}
-%global vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
-%global vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
-
-%global grub_version 2.02-87.el8_1.11
-
-%global bootcsvaa64 %{expand:%{SOURCE10}}
-%global bootcsvia32 %{expand:%{SOURCE11}}
-%global bootcsvx64 %{expand:%{SOURCE12}}
-#%%global bootcsvarm %%{expand:%%{SOURCE13}}
-
-%global shimefiaa64 %{expand:%{SOURCE20}}
-%global shimefiia32 %{expand:%{SOURCE21}}
-%global shimefix64 %{expand:%{SOURCE22}}
-#%%global shimefiarm %%{expand:%%{SOURCE23}
-
-%global fbefiaa64 %{expand:%{SOURCE30}}
-%global fbefiia32 %{expand:%{SOURCE31}}
-%global fbefix64 %{expand:%{SOURCE32}}
-#%%global fbefiarm %%{expand:%%{SOURCE33}
-
-%global mmefiaa64 %{expand:%{SOURCE40}}
-%global mmefiia32 %{expand:%{SOURCE41}}
-%global mmefix64 %{expand:%{SOURCE42}}
-#%%global mmefiarm %%{expand:%%{SOURCE43}
-
-%global shimveraa64 15-7.el8_1
-%global shimveria32 15.8-2.el8
-%global shimverx64 15.8-2.el8
-#%%global shimverarm 15-1.el8
-
-%global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64
-%global shimdiria32 %{_datadir}/shim/%{shimveria32}/ia32
-%global shimdirx64 %{_datadir}/shim/%{shimverx64}/x64
-#%%global shimdirarm %%{_datadir}/shim/%%{shimverarm}/arm
-
-%global unsignedaa64 shim-unsigned-aarch64
-%global unsignedia32 shim-unsigned-ia32
-%global unsignedx64 shim-unsigned-x64
-#%%global unsignedarm shim-unsigned-arm
-
-%global bootcsv %{expand:%{bootcsv%{efi_arch}}}
-%global bootcsvalt %{expand:%{bootcsv%{?efi_alt_arch}}}
-%global shimefi %{expand:%{shimefi%{efi_arch}}}
-%global shimefialt %{expand:%{shimefi%{?efi_alt_arch}}}
-%global shimver %{expand:%{shimver%{efi_arch}}}
-%global shimveralt %{expand:%{shimver%{?efi_alt_arch}}}
-%global shimdir %{expand:%{shimdir%{efi_arch}}}
-%global shimdiralt %{expand:%{shimdir%{?efi_alt_arch}}}
-%global fbefi %{expand:%{fbefi%{efi_arch}}}
-%global fbefialt %{expand:%{fbefi%{?efi_alt_arch}}}
-%global mmefi %{expand:%{mmefi%{efi_arch}}}
-%global mmefialt %{expand:%{mmefi%{?efi_alt_arch}}}
-
-%global unsignednone shim-unsigned-none
-%global unsigned %{expand:%%{unsigned%{efi_arch}}}
-%global unsignedalt %{expand:%%{unsigned%{efi_alt_arch}}}
-
-%define define_pkg(a:p:)						\
-%{expand:%%package -n shim-%{-a*}}					\
-Summary: First-stage UEFI bootloader					\
-Requires: mokutil >= 1:0.3.0-1						\
-Requires: efi-filesystem						\
-Provides: shim-signed-%{-a*} = %{version}-%{release}			\
-Requires: dbxtool >= 0.6-3						\
-Conflicts: grub2-efi-%{-a*} < %{grub_version}				\
-%{expand:%%if 0%%{-p*}							\
-Provides: shim = %{version}-%{release}					\
-Provides: shim-signed = %{version}-%{release}				\
-Obsoletes: shim-signed < %{version}-%{release}				\
-Obsoletes: shim < %{version}-%{release}					\
-%%endif}								\
-# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI	\
-# is not compatible with SysV (there's no red zone under UEFI) and	\
-# there isn't a POSIX-style C library.					\
-# BuildRequires: OpenSSL						\
-Provides: bundled(openssl) = 1.0.2j					\
-									\
-%{expand:%%description -n shim-%{-a*}}					\
-Initial UEFI bootloader that handles chaining to a trusted full		\
-bootloader under secure boot environments. This package contains the	\
-version signed by the UEFI signing service.				\
-%{nil}
-
-# -a <efiarch>
-# -i <input>
-%define hash(a:i:d:)								\
-	if [ 0%{?_unsigned_test_build:%{_unsigned_test_build}} -ne 0 ] ; then	\
-		pesign -i %{-i*} -h -P > shim.hash				\
-		read file0 hash0 < shim.hash					\
-		read file1 hash1 < %{-d*}/shim%{-a*}.hash			\
-		if ! [ "$hash0" = "$hash1" ] ; then				\
-			echo Invalid signature\! > /dev/stderr			\
-			echo $hash0 vs $hash1					\
-			exit 1							\
-		fi								\
-	fi									\
-	%{nil}
-
-# -i <input>
-# -o <output>
-%define sign(i:o:n:a:c:)									\
-	%{expand:%%pesign -s -i %{-i*} -o %{-o*} %{-n} %{-n*} %{-a} %{-a*} %{-c} %{-c*}}	\
-	%{nil}
-
-# -b <binary prefix>
-# -a <efiarch>
-# -i <input>
-%define distrosign(b:a:d:)							\
-	if [ 0%{?_unsigned_test_build:%{_unsigned_test_build}} -ne 0 ] ; then	\
-		if [ "%{-b*}%{-a*}" = "shim%{efi_arch}" ] ; then		\
-			cp -av "%{shimefi}" %{-b*}%{-a*}-unsigned.efi		\
-		elif [ "%{-b*}%{-a*}" = "shim%{efi_alt_arch}" ] ; then		\
-			cp -av "%{shimefialt}" %{-b*}%{-a*}-unsigned.efi	\
-		elif [ "%{-b*}%{-a*}" = "mm%{efi_arch}" ] ; then		\
-			cp -av "%{mmefi}" %{-b*}%{-a*}-unsigned.efi		\
-		elif [ "%{-b*}%{-a*}" = "mm%{efi_alt_arch}" ] ; then		\
-			cp -av "%{mmefialt}" %{-b*}%{-a*}-unsigned.efi		\
-		elif [ "%{-b*}%{-a*}" = "fb%{efi_arch}" ] ; then		\
-			cp -av "%{fbefi}" %{-b*}%{-a*}-unsigned.efi		\
-		elif [ "%{-b*}%{-a*}" = "fb%{efi_alt_arch}" ] ; then		\
-			cp -av "%{fbefialt}" %{-b*}%{-a*}-unsigned.efi		\
-		fi								\
-	else									\
-		cp -av %{-d*}/%{-b*}%{-a*}.efi %{-b*}%{-a*}-unsigned.efi	\
-	fi									\
-	%{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi -n redhatsecureboot501 -a %{SOURCE2} -c %{SOURCE1} } \
-	%{nil}
-
-# -a <efiarch>
-# -A <EFIARCH>
-# -b <1|0> # signed by this builder?
-# -c <1|0> # signed by UEFI CA?
-# -i <shimARCH.efi>
-# -d /usr/share dir for this build (full path)
-%define define_build(a:A:b:c:i:d:)					\
-if [ "%{-c*}" = "yes-temporarily-disabled-20180723" ]; then		\
-	%{expand:%%hash -i %{-i*} -a %{-a*} -d %{-d*}}			\
-fi									\
-cp %{-i*} shim%{-a*}.efi						\
-if [ "%{-b*}" = "yes" ] ; then						\
-	%{expand:%%distrosign -b shim -a %{-a*} -d %{-d*}}		\
-	mv shim%{-a*}-signed.efi shim%{-a*}-%{efi_vendor}.efi		\
-fi									\
-if [ "%{-c*}" = "no" ] ||						\
-   [ 0%{?_unsigned_test_build:%{_unsigned_test_build}} -ne 0 ] ; then	\
-	cp shim%{-a*}-%{efi_vendor}.efi shim%{-a*}.efi			\
-fi									\
-%{expand:%%distrosign -b mm -a %{-a*} -d %{-d*}}			\
-mv mm%{-a*}-signed.efi mm%{-a*}.efi					\
-%{expand:%%distrosign -b fb -a %{-a*} -d %{-d*}}			\
-mv fb%{-a*}-signed.efi fb%{-a*}.efi					\
-rm -vf									\\\
-	mm%{-a*}-unsigned.efi						\\\
-	fb%{-a*}-unsigned.efi						\\\
-	shim%{-a*}-unsigned.efi						\
-%{nil}
-
-# -a <efiarch>
-# -A <EFIARCH>
-# -b <BOOTCSV>
-%define do_install(a:A:b:)						\
-install -m 0700 shim%{-a*}.efi						\\\
-	$RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}.efi			\
-install -m 0700 shim%{-a*}-%{efi_vendor}.efi				\\\
-	$RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}-%{efi_vendor}.efi	\
-install -m 0700 mm%{-a*}.efi						\\\
-	$RPM_BUILD_ROOT%{efi_esp_dir}/mm%{-a*}.efi			\
-install -m 0700 %{-b*}							\\\
-	$RPM_BUILD_ROOT%{efi_esp_dir}/BOOT%{-A*}.CSV			\
-install -m 0700 shim%{-a*}.efi						\\\
-	$RPM_BUILD_ROOT%{efi_esp_boot}/BOOT%{-A*}.EFI			\
-install -m 0700 fb%{-a*}.efi						\\\
-	$RPM_BUILD_ROOT%{efi_esp_boot}/fb%{-a*}.efi			\
-%nil
-
-# -a <efiarch>
-# -A <EFIARCH>
-%define define_files(a:A:)						\
-%{expand:%%files -n shim-%{-a*}}					\
-%%verify(not mtime) %{efi_esp_dir}/*%{-a*}*.efi				\
-%%verify(not mtime) %{efi_esp_dir}/BOOT%{-A*}.CSV			\
-%%verify(not mtime) %{efi_esp_boot}/*%{-a*}.efi				\
-%%verify(not mtime) %{efi_esp_boot}/*%{-A*}.EFI				\
-%{nil}
-
-%ifarch x86_64
-%global is_signed yes
-%global is_alt_signed yes
-%global provide_legacy_shim 1
-%endif
-%ifarch aarch64
-%global is_signed no
-%global is_alt_signed no
-%global provide_legacy_shim 1
-%endif
-%ifnarch x86_64 aarch64
-%global is_signed no
-%global is_alt_signed no
-%global provide_legacy_shim 0
-%endif
-
-%if ! 0%{?vendor:1}
-%global vendor nopenopenope
-%endif
-
-# vim:filetype=rpmmacros

SPECS/shim.spec

@@ -1,206 +0,0 @@
-Name:		shim
-Version:	15.8
-Release:	4%{?dist}
-Summary:	First-stage UEFI bootloader
-License:	BSD
-URL:		https://github.com/rhboot/shim/
-BuildRequires:	efi-filesystem
-BuildRequires:	efi-srpm-macros >= 3-2
-
-ExclusiveArch:	%{efi}
-# but we don't build a .i686 package, just a shim-ia32.x86_64 package
-ExcludeArch:	%{ix86}
-# and we don't have shim-unsigned-arm builds *yet*
-ExcludeArch:	%{arm}
-
-Source0:	shim.rpmmacros
-Source1:	redhatsecureboot501.cer
-Source2:	redhatsecurebootca5.cer
-
-# keep these two lists of sources synched up arch-wise.  That is 0 and 10
-# match, 1 and 11 match, ...
-Source10:	BOOTAA64.CSV
-Source20:	shimaa64.efi
-Source30:	mmaa64.efi
-Source40:	fbaa64.efi
-Source11:	BOOTIA32.CSV
-Source21:	shimia32.efi
-Source31:	mmia32.efi
-Source41:	fbia32.efi
-Source12:	BOOTX64.CSV
-Source22:	shimx64.efi
-Source32:	mmx64.efi
-Source42:	fbx64.efi
-#Source13:	BOOTARM.CSV
-#Source23:	shimarm.efi
-#Source33:	mmarm.efi
-#Source43:	fbarm.efi
-
-%include %{SOURCE0}
-
-BuildRequires:	pesign >= 0.112-20.fc27
-# Right now we're just including all of the parts from them as sources here
-# to make the build+errata process less maddening.  We do this because
-# %%{efi} won't expand before choosing where to make the src.rpm in koji,
-# and we could be on a non-efi architecture, in which case we won't have a
-# valid expansion here...
-# %% ifarch x86_64
-# BuildRequires:	%% {unsignedx64} = %% {shimverx64}
-# BuildRequires:	%% {unsignedia32} = %% {shimveria32}
-# %% endif
-# %% ifarch aarch64
-# BuildRequires:	%% {unsignedaa64} = %% {shimveraa64}
-# %% endif
-#%%ifarch arm
-#BuildRequires:	%%{unsignedarm} = %%{shimverarm}
-#%%endif
-
-%description
-Initial UEFI bootloader that handles chaining to a trusted full bootloader
-under secure boot environments. This package contains the version signed by
-the UEFI signing service.
-
-%define_pkg -a %{efi_arch} -p 1
-%if %{efi_has_alt_arch}
-%define_pkg -a %{efi_alt_arch}
-%endif
-
-%prep
-cd %{_builddir}
-rm -rf shim-%{version}
-mkdir shim-%{version}
-
-%build
-export PS4='${LINENO}: '
-
-cd shim-%{version}
-# Temporarily using _sourcedir to avoid build dep annoyances.
-%if %{efi_has_alt_arch}
-%define_build -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -i %{shimefialt} -b yes -c %{is_alt_signed} -d %{_sourcedir}
-%endif
-%define_build -a %{efi_arch} -A %{efi_arch_upper} -i %{shimefi} -b yes -c %{is_signed} -d %{_sourcedir}
-
-%install
-rm -rf $RPM_BUILD_ROOT
-cd shim-%{version}
-install -D -d -m 0755 $RPM_BUILD_ROOT/boot/
-install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_root}/
-install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_efi}/
-install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_dir}/
-install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_boot}/
-
-%do_install -a %{efi_arch} -A %{efi_arch_upper} -b %{bootcsv}
-%if %{efi_has_alt_arch}
-%do_install -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -b %{bootcsvalt}
-%endif
-
-%if %{provide_legacy_shim}
-install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi
-%endif
-
-( cd $RPM_BUILD_ROOT ; find .%{efi_esp_root} -type f ) \
-  | sed -e 's/\./\^/' -e 's,^\\\./,.*/,' -e 's,$,$,' > %{__brp_mangle_shebangs_exclude_from_file}
-
-%define_files -a %{efi_arch} -A %{efi_arch_upper}
-%if %{efi_has_alt_arch}
-%define_files -a %{efi_alt_arch} -A %{efi_alt_arch_upper}
-%endif
-
-%if %{provide_legacy_shim}
-%verify(not mtime) %{efi_esp_dir}/shim.efi
-%endif
-
-%changelog
-* Tue Apr 16 2024 Peter Jones <pjones@redhat.com> - 15.8-4
-- Bump the release to *-4* to work around a build system issue.
-  Related: RHEL-11259
-
-* Wed Apr 10 2024 Peter Jones <pjones@redhat.com> - 15.8-3
-- Bump the release to -3 to work around a build system issue.
-  Related: RHEL-11259
-
-* Thu Mar 28 2024 Peter Jones <pjones@redhat.com> - 15.8-2.el8
-- Fix rpm verify issue found in testing.
-  Related: RHEL-11259
-
-* Thu Mar 21 2024 Peter Jones <pjones@redhat.com> - 15.8-1.el8
-- Update to shim-15.8 for CVE-2023-40547
-  Resolves: RHEL-11259
-
-* Wed Apr 20 2022 Peter Jones <pjones@redhat.com> - 15.5-2.el8
-- Include the actual signed shim binaries.
-  Resolves: rhbz#1970632
-  Resolves: rhbz#1982071
-  Resolves: rhbz#2000946
-  Resolves: rhbz#2002265
-
-* Tue Apr 19 2022 Peter Jones <pjones@redhat.com> - 15.5-1
-- Update to shim-15.5
-  Resolves: rhbz#1970632
-  Resolves: rhbz#1982071
-  Resolves: rhbz#2000946
-  Resolves: rhbz#2002265
-
-* Mon Sep 21 2020 Javier Martinez Canillas <javierm@redhat.com> - 15-16
-- Fix an incorrect allocation size
-  Resolves: rhbz#1877253
-
-* Fri Jul 31 2020 Peter Jones <pjones@redhat.com> - 15-15
-- Update once again for new signed shim builds.
-  Resolves: rhbz#1861977
-
-* Tue Jul 28 2020 Peter Jones <pjones@redhat.com> - 15-14
-- Get rid of our %%dist hack for now.
-
-* Tue Jul 28 2020 Peter Jones <pjones@redhat.com> - 15-13
-- New signing keys
-  Related: CVE-2020-10713
-  Related: CVE-2020-14308
-  Related: CVE-2020-14309
-  Related: CVE-2020-14310
-  Related: CVE-2020-14311
-
-* Thu Jun 11 2020 Javier Martinez Canillas <javierm@redhat.com> - 15-12
-- Fix firmware update bug in aarch64 caused by shim ignoring arguments
-  Resolves: rhbz#1830871
-- Fix a shim crash when attempting to netboot
-  Resolves: rhbz#1795654
-
-* Fri Jun 07 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-11
-- Update the shim-unsigned-aarch64 version number
-  Related: rhbz#1715879
-
-* Fri Jun 07 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-10
-- Add a gating.yaml file so the package can be properly gated
-  Related: rhbz#1681809
-
-* Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-9
-- Bump the NVR
-  Related: rhbz#1715879
-
-* Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-7
-- Make EFI variable copying fatal only on secureboot enabled systems
-  Resolves: rhbz#1715879
-- Fix booting shim from an EFI shell using a relative path
-  Resolves: rhbz#1717061
-
-* Thu Mar 14 2019 Peter Jones <pjones@redhat.com> - 15-6
-- Fix MoK mirroring issue which breaks kdump without intervention
-  Resolves: rhbz#1668966
-
-* Thu Jan 24 2019 Peter Jones <pjones@redhat.com> - 15-5
-- Rebuild for signing once again. If the signer actually works, then:
-  Resolves: rhbz#1620941
-
-* Tue Oct 16 2018 Peter Jones <pjones@redhat.com> - 15-4
-- Rebuild for signing
-  Resolves: rhbz#1620941
-
-* Mon Aug 13 2018 Troy Dawson <tdawson@redhat.com>
-- Release Bumped for el8 Mass Rebuild
-
-* Sat Aug 11 2018 Troy Dawson <tdawson@redhat.com>
-- Release Bumped for el8+8 Mass Rebuild
-
-* Mon Jul 23 2018 Peter Jones <pjones@redhat.com> - 15-1
-- Build for RHEL 8