22 changed files with 58 additions and 8 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,2 @@
-SOURCES/shim-15.tar.bz2
+/shim-*.tar.bz2
+*.rpm
--- a/.shim-unsigned-aarch64.metadata
+++ b/.shim-unsigned-aarch64.metadata
@ -1 +1 @@
-2dc6308584187bf3ee88bf9b119938c72c5a5088 SOURCES/shim-15.tar.bz2
+2dc6308584187bf3ee88bf9b119938c72c5a5088 shim-15.tar.bz2
--- a/SOURCES/0001-Make-sure-that-MOK-variables-always-get-mirrored.patch
+++ b/SOURCES/0001-Make-sure-that-MOK-variables-always-get-mirrored.patch
--- a/SOURCES/0002-mok-fix-the-mirroring-of-RT-variables.patch
+++ b/SOURCES/0002-mok-fix-the-mirroring-of-RT-variables.patch
--- a/SOURCES/0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch
+++ b/SOURCES/0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch
--- a/SOURCES/0004-Make-VLogError-behave-as-expected.patch
+++ b/SOURCES/0004-Make-VLogError-behave-as-expected.patch
--- a/SOURCES/0005-Make-EFI-variable-copying-fatal-only-on-secureboot-e.patch
+++ b/SOURCES/0005-Make-EFI-variable-copying-fatal-only-on-secureboot-e.patch
--- a/SOURCES/0006-Make-some-things-dprint-instead-of-console_print.patch
+++ b/SOURCES/0006-Make-some-things-dprint-instead-of-console_print.patch
--- a/SOURCES/0007-shim-Properly-generate-absolute-paths-from-relative-.patch
+++ b/SOURCES/0007-shim-Properly-generate-absolute-paths-from-relative-.patch
--- a/SOURCES/0008-shim-Prevent-shim-to-set-itself-as-a-second-stage-lo.patch
+++ b/SOURCES/0008-shim-Prevent-shim-to-set-itself-as-a-second-stage-lo.patch
--- a/SOURCES/0009-Fix-a-use-of-strlen-instead-of-Strlen.patch
+++ b/SOURCES/0009-Fix-a-use-of-strlen-instead-of-Strlen.patch
--- a/SOURCES/0010-translate_slashes-don-t-write-to-string-literals.patch
+++ b/SOURCES/0010-translate_slashes-don-t-write-to-string-literals.patch
--- a/0011-RHEL-9-disable-Wpointer-sign-for-now.patch
+++ b/0011-RHEL-9-disable-Wpointer-sign-for-now.patch
@ -0,0 +1,25 @@
+From 7e7fa748c8651ca3d9fdd55f0ad891c816949ff5 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 6 Aug 2021 16:43:37 -0400
+Subject: [PATCH] RHEL-9: disable -Wpointer-sign for now
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ Make.defaults | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Make.defaults b/Make.defaults
+index e11ab5a7f2c..9b28720d186 100644
+--- a/Make.defaults
+++ b/Make.defaults
+@@ -42,6 +42,7 @@ EFI_LDS		= $(TOPDIR)/elf_$(ARCH)_efi.lds
+ CFLAGS		= -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
+ 		  -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
+ 		  -Werror=sign-compare -ffreestanding -std=gnu89 \
+		  -Wno-pointer-sign -Wno-address-of-packed-member \
+ 		  -I$(shell $(CC) -print-file-name=include) \
+ 		  "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
+ 		  "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
+-- 
+2.31.1
+
--- a/8
+++ b/8
@ -0,0 +1,8 @@
+#!/bin/bash
+set -e
+if [ $# -ne 1 ]; then
+	echo "usage: ./build <release>" 1>&2
+	exit 1
+fi
+arm-koji build $1 `fedpkg giturl`
+
--- a/SOURCES/dbx.esl
+++ b/SOURCES/dbx.esl
--- a/gating.yaml
+++ b/gating.yaml
@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-8
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: manual.sst_desktop.shim.functional}
--- a/rhtest.cer
+++ b/rhtest.cer
--- a/secureboot.cer
+++ b/secureboot.cer
--- a/SOURCES/securebootca.cer
+++ b/SOURCES/securebootca.cer
--- a/SOURCES/shim-find-debuginfo.sh
+++ b/SOURCES/shim-find-debuginfo.sh
--- a/SPECS/shim-unsigned-aarch64.spec
+++ b/SPECS/shim-unsigned-aarch64.spec
@ -16,7 +16,7 @@

 Name:		shim-unsigned-aarch64
 Version:	15
-Release:	7%{?dist}
+Release:	6%{?dist}
 Summary:	First-stage UEFI bootloader
 ExclusiveArch:	aarch64
 License:	BSD
@ -39,7 +39,9 @@ Patch0007:	0007-shim-Properly-generate-absolute-paths-from-relative-.patch
 Patch0008:	0008-shim-Prevent-shim-to-set-itself-as-a-second-stage-lo.patch
 Patch0009:	0009-Fix-a-use-of-strlen-instead-of-Strlen.patch
 Patch0010:	0010-translate_slashes-don-t-write-to-string-literals.patch
+Patch0011:	0011-RHEL-9-disable-Wpointer-sign-for-now.patch

+BuildRequires:	gcc make
 BuildRequires:	elfutils-libelf-devel
 BuildRequires:	git openssl-devel openssl
 BuildRequires:	pesign >= %{pesign_vre}
@ -137,10 +139,6 @@ cd ..
 %files debugsource -f build-%{efiarch}/debugsource.list

 %changelog
-* Tue Apr 06 2021 Peter Jones <pjones@redhat.com> - 15-7
- Backport this to EL 8 so we can build-dep on the right version.
-  Related: CVE-2020-14372 (and others)
-
 * Tue May 26 2020 Javier Martinez Canillas <javierm@redhat.com> - 15-6
 - Fix a shim crash when attempting to netboot
  Resolves: rhbz#1840036
@ -163,8 +161,19 @@ cd ..
 - Fix MoK mirroring issue which breaks kdump without intervention
  Related: rhbz#1668966

-* Fri Jul 20 2018 Peter Jones <pjones@redhat.com> - 15-1
+* Thu Apr 05 2018 Peter Jones <pjones@redhat.com> - 15-1
 - Update to shim 15
+- better checking for bad linker output
+- flicker-free console if there's no error output
+- improved http boot support
+- better protocol re-installation
+- dhcp proxy support
+- tpm measurement even when verification is disabled
+- REQUIRE_TPM build flag
+- more reproducable builds
+- measurement of everything verified through shim_verify()
+- coverity and scan-build checker make targets
+- misc cleanups

 * Tue Sep 19 2017 Peter Jones <pjones@redhat.com> - 13-3
 - Actually update to the *real* 13 final.
--- a/1
+++ b/1
@ -0,0 +1 @@
+SHA512 (shim-15.tar.bz2) = f7dfac774d644111431ca56da76b5575b891b0abad970b318edaede11a0d83c869728bc39cb6af3689bdb203c6826545caf8ddd3d14228831027e334963cf957
				`@ -0,0 +1 @@`
				`SHA512 (shim-15.tar.bz2) = f7dfac774d644111431ca56da76b5575b891b0abad970b318edaede11a0d83c869728bc39cb6af3689bdb203c6826545caf8ddd3d14228831027e334963cf957`