.gitignore

@@ -1,14 +1,4 @@
-SOURCES/BOOTAA64.CSV
-SOURCES/BOOTIA32.CSV
-SOURCES/BOOTX64.CSV
-SOURCES/fbaa64.efi
-SOURCES/fbia32.efi
 SOURCES/fbx64.efi
-SOURCES/mmaa64.efi
-SOURCES/mmia32.efi
 SOURCES/mmx64.efi
-SOURCES/redhatsecureboot501.cer
-SOURCES/redhatsecurebootca5.cer
 SOURCES/shimaa64.efi
-SOURCES/shimia32.efi
 SOURCES/shimx64.efi

.shim.metadata

@@ -1,14 +1,4 @@
-fe978419c312c0c415d52befb4f6561e2d9556a7 SOURCES/BOOTAA64.CSV
+9ca9cfa834aedfaf3efe2216bfa1cb7c286ee1c0 SOURCES/fbx64.efi
-9650b41c0227b343478d03f4d7fcd6c8d3744440 SOURCES/BOOTIA32.CSV
+5eb0ac78eee6aeeaf44a3f11d002b4fe00af6916 SOURCES/mmx64.efi
-6801abf1c4d54f15f869470c99e480433940407a SOURCES/BOOTX64.CSV
+4312f246b6ba692040383f10358ac9a5927207de SOURCES/shimaa64.efi
-317f45115504f1ba56f0113dc217460e3c26cf82 SOURCES/fbaa64.efi
+783fb77783e9d0c4c400b723dfd0f02f006616ae SOURCES/shimx64.efi
-4fd02a6b3ec5dc58fcba1a3d8dec69e0cb86f5d5 SOURCES/fbia32.efi
-b26bb4ed41e96d6e2b2471dc5d50f0f2c88ff884 SOURCES/fbx64.efi
-b2e0f92dba676facda778be739e2959f5e51c077 SOURCES/mmaa64.efi
-e8316a74f06a29385eeb7fd734f582e60dc7a2a4 SOURCES/mmia32.efi
-77f25d23c6b0bb2f79a47d574f8af5ffe91e2466 SOURCES/mmx64.efi
-ba0b760e594ff668ee72ae348adf3e49b97f75fb SOURCES/redhatsecureboot501.cer
-e6f506462069aa17d2e8610503635c20f3a995c3 SOURCES/redhatsecurebootca5.cer
-750bd7932437b1fb6610c233f69db1b70d67fab1 SOURCES/shimaa64.efi
-0cd6ef62726de2f1321bfe6b70f47b788ac38666 SOURCES/shimia32.efi
-86855303a18b978cf90d6c244bfe30897f449996 SOURCES/shimx64.efi

SOURCES/shim.rpmmacros

@@ -3,40 +3,31 @@
 %global vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
 %global vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
 
-%global grub_version 2.02-87.el8_1.11
-
 %global bootcsvaa64 %{expand:%{SOURCE10}}
-%global bootcsvia32 %{expand:%{SOURCE11}}
 %global bootcsvx64 %{expand:%{SOURCE12}}
 #%%global bootcsvarm %%{expand:%%{SOURCE13}}
 
 %global shimefiaa64 %{expand:%{SOURCE20}}
-%global shimefiia32 %{expand:%{SOURCE21}}
 %global shimefix64 %{expand:%{SOURCE22}}
 #%%global shimefiarm %%{expand:%%{SOURCE23}
 
 %global fbefiaa64 %{expand:%{SOURCE30}}
-%global fbefiia32 %{expand:%{SOURCE31}}
 %global fbefix64 %{expand:%{SOURCE32}}
 #%%global fbefiarm %%{expand:%%{SOURCE33}
 
 %global mmefiaa64 %{expand:%{SOURCE40}}
-%global mmefiia32 %{expand:%{SOURCE41}}
 %global mmefix64 %{expand:%{SOURCE42}}
 #%%global mmefiarm %%{expand:%%{SOURCE43}
 
-%global shimveraa64 15-7.el8_1
+%global shimveraa64 15-6.el9
-%global shimveria32 15.8-2.el8
+%global shimverx64 15.6-1.el9
-%global shimverx64 15.8-2.el8
 #%%global shimverarm 15-1.el8
 
 %global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64
-%global shimdiria32 %{_datadir}/shim/%{shimveria32}/ia32
 %global shimdirx64 %{_datadir}/shim/%{shimverx64}/x64
 #%%global shimdirarm %%{_datadir}/shim/%%{shimverarm}/arm
 
 %global unsignedaa64 shim-unsigned-aarch64
-%global unsignedia32 shim-unsigned-ia32
 %global unsignedx64 shim-unsigned-x64
 #%%global unsignedarm shim-unsigned-arm
 
@@ -64,7 +55,6 @@ Requires: mokutil >= 1:0.3.0-1						\
 Requires: efi-filesystem						\
 Provides: shim-signed-%{-a*} = %{version}-%{release}			\
 Requires: dbxtool >= 0.6-3						\
-Conflicts: grub2-efi-%{-a*} < %{grub_version}				\
 %{expand:%%if 0%%{-p*}							\
 Provides: shim = %{version}-%{release}					\
 Provides: shim-signed = %{version}-%{release}				\
@@ -179,15 +169,15 @@ install -m 0700 fb%{-a*}.efi						\\\
 # -A <EFIARCH>
 %define define_files(a:A:)						\
 %{expand:%%files -n shim-%{-a*}}					\
-%%verify(not mtime) %{efi_esp_dir}/*%{-a*}*.efi				\
+%{efi_esp_dir}/*%{-a*}*.efi						\
-%%verify(not mtime) %{efi_esp_dir}/BOOT%{-A*}.CSV			\
+%{efi_esp_dir}/BOOT%{-A*}.CSV						\
-%%verify(not mtime) %{efi_esp_boot}/*%{-a*}.efi				\
+%{efi_esp_boot}/*%{-a*}.efi						\
-%%verify(not mtime) %{efi_esp_boot}/*%{-A*}.EFI				\
+%{efi_esp_boot}/*%{-A*}.EFI						\
 %{nil}
 
 %ifarch x86_64
 %global is_signed yes
-%global is_alt_signed yes
+%global is_alt_signed no
 %global provide_legacy_shim 1
 %endif
 %ifarch aarch64

SPECS/shim.spec

@@ -1,17 +1,15 @@
 Name:		shim
-Version:	15.8
+Version:	15.6
-Release:	4%{?dist}
+Release:	1.el9
 Summary:	First-stage UEFI bootloader
 License:	BSD
 URL:		https://github.com/rhboot/shim/
 BuildRequires:	efi-filesystem
-BuildRequires:	efi-srpm-macros >= 3-2
+BuildRequires:	efi-srpm-macros >= 6
 
 ExclusiveArch:	%{efi}
-# but we don't build a .i686 package, just a shim-ia32.x86_64 package
-ExcludeArch:	%{ix86}
 # and we don't have shim-unsigned-arm builds *yet*
-ExcludeArch:	%{arm}
+ExcludeArch:	%{arm} %{ix86}
 
 Source0:	shim.rpmmacros
 Source1:	redhatsecureboot501.cer
@@ -23,10 +21,6 @@ Source10:	BOOTAA64.CSV
 Source20:	shimaa64.efi
 Source30:	mmaa64.efi
 Source40:	fbaa64.efi
-Source11:	BOOTIA32.CSV
-Source21:	shimia32.efi
-Source31:	mmia32.efi
-Source41:	fbia32.efi
 Source12:	BOOTX64.CSV
 Source22:	shimx64.efi
 Source32:	mmx64.efi
@@ -39,18 +33,18 @@ Source42:	fbx64.efi
 %include %{SOURCE0}
 
 BuildRequires:	pesign >= 0.112-20.fc27
-# Right now we're just including all of the parts from them as sources here
+# We need this because %%{efi} won't expand before choosing where to make
-# to make the build+errata process less maddening.  We do this because
+# the src.rpm in koji, and we could be on a non-efi architecture, in which
-# %%{efi} won't expand before choosing where to make the src.rpm in koji,
+# case we won't have a valid expansion here...  To be solved in the future
-# and we could be on a non-efi architecture, in which case we won't have a
+# (shim 16+) by making the unsigned packages all provide "shim-unsigned", so
-# valid expansion here...
+# we can just BuildRequires that.
-# %% ifarch x86_64
+%ifarch x86_64
-# BuildRequires:	%% {unsignedx64} = %% {shimverx64}
+## BuildRequires:	%% {unsignedx64} = %% {shimverx64}
-# BuildRequires:	%% {unsignedia32} = %% {shimveria32}
+BuildRequires:	shim-unsigned-x64 = 15.6-1.el9
-# %% endif
+%endif
-# %% ifarch aarch64
+%ifarch aarch64
-# BuildRequires:	%% {unsignedaa64} = %% {shimveraa64}
+BuildRequires:	%{unsignedaa64} = %{shimveraa64}
-# %% endif
+%endif
 #%%ifarch arm
 #BuildRequires:	%%{unsignedarm} = %%{shimverarm}
 #%%endif
@@ -74,11 +68,10 @@ mkdir shim-%{version}
 export PS4='${LINENO}: '
 
 cd shim-%{version}
-# Temporarily using _sourcedir to avoid build dep annoyances.
 %if %{efi_has_alt_arch}
-%define_build -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -i %{shimefialt} -b yes -c %{is_alt_signed} -d %{_sourcedir}
+%define_build -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -i %{shimefialt} -b yes -c %{is_alt_signed} -d %{shimdiralt}
 %endif
-%define_build -a %{efi_arch} -A %{efi_arch_upper} -i %{shimefi} -b yes -c %{is_signed} -d %{_sourcedir}
+%define_build -a %{efi_arch} -A %{efi_arch_upper} -i %{shimefi} -b yes -c %{is_signed} -d %{shimdir}
 
 %install
 rm -rf $RPM_BUILD_ROOT
@@ -107,94 +100,59 @@ install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi
 %endif
 
 %if %{provide_legacy_shim}
-%verify(not mtime) %{efi_esp_dir}/shim.efi
+%{efi_esp_dir}/shim.efi
 %endif
 
 %changelog
-* Tue Apr 16 2024 Peter Jones <pjones@redhat.com> - 15.8-4
+* Mon Jun 06 2022 Peter Jones <pjones@redhat.com> - 15.6-1.el9
-- Bump the release to *-4* to work around a build system issue.
+- Update to shim-15.6
-  Related: RHEL-11259
+  Resolves: CVE-2022-28737
 
-* Wed Apr 10 2024 Peter Jones <pjones@redhat.com> - 15.8-3
+* Thu Apr 14 2022 Peter Jones <pjones@redhat.com> - 15.5-2.el9
-- Bump the release to -3 to work around a build system issue.
+- Attempt to make aarch64 build.
-  Related: RHEL-11259
+  Related: rhbz#1932057
 
-* Thu Mar 28 2024 Peter Jones <pjones@redhat.com> - 15.8-2.el8
+* Thu Apr 14 2022 Peter Jones <pjones@redhat.com> - 15.5-1.el9
-- Fix rpm verify issue found in testing.
+- Rebuild for rhel-9.0.0
-  Related: RHEL-11259
+  Resolves: rhbz#1932057
-
-* Thu Mar 21 2024 Peter Jones <pjones@redhat.com> - 15.8-1.el8
-- Update to shim-15.8 for CVE-2023-40547
-  Resolves: RHEL-11259
-
-* Wed Apr 20 2022 Peter Jones <pjones@redhat.com> - 15.5-2.el8
-- Include the actual signed shim binaries.
-  Resolves: rhbz#1970632
-  Resolves: rhbz#1982071
-  Resolves: rhbz#2000946
-  Resolves: rhbz#2002265
-
-* Tue Apr 19 2022 Peter Jones <pjones@redhat.com> - 15.5-1
-- Update to shim-15.5
-  Resolves: rhbz#1970632
-  Resolves: rhbz#1982071
-  Resolves: rhbz#2000946
-  Resolves: rhbz#2002265
 
 * Mon Sep 21 2020 Javier Martinez Canillas <javierm@redhat.com> - 15-16
 - Fix an incorrect allocation size
-  Resolves: rhbz#1877253
 
 * Fri Jul 31 2020 Peter Jones <pjones@redhat.com> - 15-15
 - Update once again for new signed shim builds.
-  Resolves: rhbz#1861977
 
 * Tue Jul 28 2020 Peter Jones <pjones@redhat.com> - 15-14
 - Get rid of our %%dist hack for now.
 
 * Tue Jul 28 2020 Peter Jones <pjones@redhat.com> - 15-13
 - New signing keys
-  Related: CVE-2020-10713
-  Related: CVE-2020-14308
-  Related: CVE-2020-14309
-  Related: CVE-2020-14310
-  Related: CVE-2020-14311
 
 * Thu Jun 11 2020 Javier Martinez Canillas <javierm@redhat.com> - 15-12
 - Fix firmware update bug in aarch64 caused by shim ignoring arguments
-  Resolves: rhbz#1830871
 - Fix a shim crash when attempting to netboot
-  Resolves: rhbz#1795654
 
 * Fri Jun 07 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-11
 - Update the shim-unsigned-aarch64 version number
-  Related: rhbz#1715879
 
 * Fri Jun 07 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-10
 - Add a gating.yaml file so the package can be properly gated
-  Related: rhbz#1681809
 
 * Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-9
 - Bump the NVR
-  Related: rhbz#1715879
 
 * Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-7
 - Make EFI variable copying fatal only on secureboot enabled systems
-  Resolves: rhbz#1715879
 - Fix booting shim from an EFI shell using a relative path
-  Resolves: rhbz#1717061
 
 * Thu Mar 14 2019 Peter Jones <pjones@redhat.com> - 15-6
 - Fix MoK mirroring issue which breaks kdump without intervention
-  Resolves: rhbz#1668966
 
 * Thu Jan 24 2019 Peter Jones <pjones@redhat.com> - 15-5
 - Rebuild for signing once again. If the signer actually works, then:
-  Resolves: rhbz#1620941
 
 * Tue Oct 16 2018 Peter Jones <pjones@redhat.com> - 15-4
 - Rebuild for signing
-  Resolves: rhbz#1620941
 
 * Mon Aug 13 2018 Troy Dawson <tdawson@redhat.com>
 - Release Bumped for el8 Mass Rebuild