.gitignore

@@ -1,4 +1,3 @@
-SOURCES/fbx64.efi
-SOURCES/mmx64.efi
 SOURCES/shimaa64.efi
+SOURCES/shimia32.efi
 SOURCES/shimx64.efi

.shim.metadata

@@ -1,4 +1,3 @@
-bfee65ae45498fefd64b16edf9993415b625cb3c SOURCES/shimaa64.efi
+8ab193ad7addd71e4a820081f36d47e5ef727d28 SOURCES/shimaa64.efi
-8d5251f1166c9dd43426903459fe95d4bd262483 SOURCES/shimx64.efi
+c04dd5db5d91e8d1f597f2bfd878f55eba05a125 SOURCES/shimia32.efi
-122b21c2da0ca4ee839d4bb6beff7ddffd68f1a0 SOURCES/fbx64.efi
+9a08a40a69ba8ad6292a19aca367d819e875d789 SOURCES/shimx64.efi
-a4f7a273cc9a531a6ef125b91353f479cfa5f79c SOURCES/mmx64.efi

SOURCES/shim.rpmmacros

@@ -4,30 +4,27 @@
 %global vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
 
 %global bootcsvaa64 %{expand:%{SOURCE10}}
+%global bootcsvia32 %{expand:%{SOURCE11}}
 %global bootcsvx64 %{expand:%{SOURCE12}}
 #%%global bootcsvarm %%{expand:%%{SOURCE13}}
 
 %global shimefiaa64 %{expand:%{SOURCE20}}
+%global shimefiia32 %{expand:%{SOURCE21}}
 %global shimefix64 %{expand:%{SOURCE22}}
 #%%global shimefiarm %%{expand:%%{SOURCE23}
 
-%global fbefiaa64 %{expand:%{SOURCE30}}
+%global shimveraa64 15-7.el8_1
-%global fbefix64 %{expand:%{SOURCE32}}
+%global shimveria32 15.6-1.el8
-#%%global fbefiarm %%{expand:%%{SOURCE33}
+%global shimverx64 15.6-1.el8
-
-%global mmefiaa64 %{expand:%{SOURCE40}}
-%global mmefix64 %{expand:%{SOURCE42}}
-#%%global mmefiarm %%{expand:%%{SOURCE43}
-
-%global shimveraa64 15-6.el9.alma.1
-%global shimverx64 15.6-1.el9.alma.1
 #%%global shimverarm 15-1.el8
 
 %global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64
+%global shimdiria32 %{_datadir}/shim/%{shimveria32}/ia32
 %global shimdirx64 %{_datadir}/shim/%{shimverx64}/x64
 #%%global shimdirarm %%{_datadir}/shim/%%{shimverarm}/arm
 
 %global unsignedaa64 shim-unsigned-aarch64
+%global unsignedia32 shim-unsigned-ia32
 %global unsignedx64 shim-unsigned-x64
 #%%global unsignedarm shim-unsigned-arm
 
@@ -39,10 +36,6 @@
 %global shimveralt %{expand:%{shimver%{?efi_alt_arch}}}
 %global shimdir %{expand:%{shimdir%{efi_arch}}}
 %global shimdiralt %{expand:%{shimdir%{?efi_alt_arch}}}
-%global fbefi %{expand:%{fbefi%{efi_arch}}}
-%global fbefialt %{expand:%{fbefi%{?efi_alt_arch}}}
-%global mmefi %{expand:%{mmefi%{efi_arch}}}
-%global mmefialt %{expand:%{mmefi%{?efi_alt_arch}}}
 
 %global unsignednone shim-unsigned-none
 %global unsigned %{expand:%%{unsigned%{efi_arch}}}
@@ -55,11 +48,6 @@ Requires: mokutil >= 1:0.3.0-1						\
 Requires: efi-filesystem						\
 Provides: shim-signed-%{-a*} = %{version}-%{release}			\
 Requires: dbxtool >= 0.6-3						\
-%{expand:%ifarch x86_64						\
-# SecureBoot keys dependencies						\
-Requires: almalinux(grub2-sig-key) >= 202303				\
-Requires: almalinux(kernel-sig-key) >= 202303				\
-%endif}				\
 %{expand:%%if 0%%{-p*}							\
 Provides: shim = %{version}-%{release}					\
 Provides: shim-signed = %{version}-%{release}				\
@@ -80,17 +68,15 @@ version signed by the UEFI signing service.				\
 
 # -a <efiarch>
 # -i <input>
-%define hash(a:i:d:)								\
+%define hash(a:i:d:)							\
-	if [ 0%{?_unsigned_test_build:%{_unsigned_test_build}} -ne 0 ] ; then	\
+	pesign -i %{-i*} -h -P > shim.hash				\
-		pesign -i %{-i*} -h -P > shim.hash				\
+	read file0 hash0 < shim.hash					\
-		read file0 hash0 < shim.hash					\
+	read file1 hash1 < %{-d*}/shim%{-a*}.hash			\
-		read file1 hash1 < %{-d*}/shim%{-a*}.hash			\
+	if ! [ "$hash0" = "$hash1" ]; then				\
-		if ! [ "$hash0" = "$hash1" ] ; then				\
+		echo Invalid signature\! > /dev/stderr			\
-			echo Invalid signature\! > /dev/stderr			\
+		echo $hash0 vs $hash1					\
-			echo $hash0 vs $hash1					\
+		exit 1							\
-			exit 1							\
+	fi								\
-		fi								\
-	fi									\
 	%{nil}
 
 # -i <input>
@@ -102,25 +88,9 @@ version signed by the UEFI signing service.				\
 # -b <binary prefix>
 # -a <efiarch>
 # -i <input>
-%define distrosign(b:a:d:)							\
+%define distrosign(b:a:d:)						\
-	if [ 0%{?_unsigned_test_build:%{_unsigned_test_build}} -ne 0 ] ; then	\
+	cp -av %{-d*}/%{-b*}%{-a*}.efi %{-b*}%{-a*}-unsigned.efi	\
-		if [ "%{-b*}%{-a*}" = "shim%{efi_arch}" ] ; then		\
+	%{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi -n redhatsecureboot501 -a %{SOURCE2} -c %{SOURCE1} }\
-			cp -av "%{shimefi}" %{-b*}%{-a*}-unsigned.efi		\
-		elif [ "%{-b*}%{-a*}" = "shim%{efi_alt_arch}" ] ; then		\
-			cp -av "%{shimefialt}" %{-b*}%{-a*}-unsigned.efi	\
-		elif [ "%{-b*}%{-a*}" = "mm%{efi_arch}" ] ; then		\
-			cp -av "%{mmefi}" %{-b*}%{-a*}-unsigned.efi		\
-		elif [ "%{-b*}%{-a*}" = "mm%{efi_alt_arch}" ] ; then		\
-			cp -av "%{mmefialt}" %{-b*}%{-a*}-unsigned.efi		\
-		elif [ "%{-b*}%{-a*}" = "fb%{efi_arch}" ] ; then		\
-			cp -av "%{fbefi}" %{-b*}%{-a*}-unsigned.efi		\
-		elif [ "%{-b*}%{-a*}" = "fb%{efi_alt_arch}" ] ; then		\
-			cp -av "%{fbefialt}" %{-b*}%{-a*}-unsigned.efi		\
-		fi								\
-	else									\
-		cp -av %{-d*}/%{-b*}%{-a*}.efi %{-b*}%{-a*}-unsigned.efi	\
-	fi									\
-	%{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi -n redhatsecureboot501 -a %{SOURCE2} -c %{SOURCE1} } \
 	%{nil}
 
 # -a <efiarch>
@@ -128,18 +98,16 @@ version signed by the UEFI signing service.				\
 # -b <1|0> # signed by this builder?
 # -c <1|0> # signed by UEFI CA?
 # -i <shimARCH.efi>
-# -d /usr/share dir for this build (full path)
 %define define_build(a:A:b:c:i:d:)					\
 if [ "%{-c*}" = "yes-temporarily-disabled-20180723" ]; then		\
 	%{expand:%%hash -i %{-i*} -a %{-a*} -d %{-d*}}			\
 fi									\
 cp %{-i*} shim%{-a*}.efi						\
-if [ "%{-b*}" = "yes" ] ; then						\
+if [ "%{-b*}" = "yes" ]; then						\
 	%{expand:%%distrosign -b shim -a %{-a*} -d %{-d*}}		\
 	mv shim%{-a*}-signed.efi shim%{-a*}-%{efi_vendor}.efi		\
 fi									\
-if [ "%{-c*}" = "no" ] ||						\
+if [ "%{-c*}" = "no" ]; then						\
-   [ 0%{?_unsigned_test_build:%{_unsigned_test_build}} -ne 0 ] ; then	\
 	cp shim%{-a*}-%{efi_vendor}.efi shim%{-a*}.efi			\
 fi									\
 %{expand:%%distrosign -b mm -a %{-a*} -d %{-d*}}			\
@@ -182,7 +150,7 @@ install -m 0700 fb%{-a*}.efi						\\\
 
 %ifarch x86_64
 %global is_signed yes
-%global is_alt_signed no
+%global is_alt_signed yes
 %global provide_legacy_shim 1
 %endif
 %ifarch aarch64

SPECS/shim.spec

@@ -1,38 +1,32 @@
-%global dist %{?dist}.alma
-%global efi_vendor almalinux
-%global efidir almalinux
-%global efi_esp_dir /boot/efi/EFI/%{efidir}
-
 Name:		shim
 Version:	15.6
-Release:	1.el9.alma.1
+Release:	1%{?dist}
 Summary:	First-stage UEFI bootloader
 License:	BSD
 URL:		https://github.com/rhboot/shim/
 BuildRequires:	efi-filesystem
-BuildRequires:	efi-srpm-macros >= 6
+BuildRequires:	efi-srpm-macros >= 3-2
 
 ExclusiveArch:	%{efi}
+# but we don't build a .i686 package, just a shim-ia32.x86_64 package
+ExcludeArch:	%{ix86}
 # and we don't have shim-unsigned-arm builds *yet*
-ExcludeArch:	%{arm} %{ix86}
+ExcludeArch:	%{arm}
 
 Source0:	shim.rpmmacros
-Source1:	almalinuxsecurebootca0.cer
+Source1:	redhatsecureboot501.cer
+Source2:	redhatsecurebootca5.cer
 
 # keep these two lists of sources synched up arch-wise.  That is 0 and 10
 # match, 1 and 11 match, ...
 Source10:	BOOTAA64.CSV
 Source20:	shimaa64.efi
-Source30:	mmaa64.efi
+Source11:	BOOTIA32.CSV
-Source40:	fbaa64.efi
+Source21:	shimia32.efi
 Source12:	BOOTX64.CSV
 Source22:	shimx64.efi
-Source32:	mmx64.efi
-Source42:	fbx64.efi
 #Source13:	BOOTARM.CSV
 #Source23:	shimarm.efi
-#Source33:	mmarm.efi
-#Source43:	fbarm.efi
 
 %include %{SOURCE0}
 
@@ -43,8 +37,8 @@ BuildRequires:	pesign >= 0.112-20.fc27
 # (shim 16+) by making the unsigned packages all provide "shim-unsigned", so
 # we can just BuildRequires that.
 %ifarch x86_64
-## BuildRequires:	%% {unsignedx64} = %% {shimverx64}
+BuildRequires:	%{unsignedx64} = %{shimverx64}
-BuildRequires:	shim-unsigned-x64 = 15.6-1.el9.alma.1
+BuildRequires:	%{unsignedia32} = %{shimveria32}
 %endif
 %ifarch aarch64
 BuildRequires:	%{unsignedaa64} = %{shimveraa64}
@@ -69,7 +63,6 @@ rm -rf shim-%{version}
 mkdir shim-%{version}
 
 %build
-export PS4='${LINENO}: '
 
 cd shim-%{version}
 %if %{efi_has_alt_arch}
@@ -108,58 +101,64 @@ install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi
 %endif
 
 %changelog
-* Thu Mar 09 2023 Eduard Abdullin <eabdullin@almalinux.org> - 15.6-1.el9.alma.1
+* Mon Jun 06 2022 Peter Jones <pjones@redhat.com> - 15.6-1
-- Use AlmaLinux cert
-
-* Mon Jun 06 2022 Peter Jones <pjones@redhat.com> - 15.6-1.el9
 - Update to shim-15.6
   Resolves: CVE-2022-28737
 
-* Thu Apr 14 2022 Peter Jones <pjones@redhat.com> - 15.5-2.el9
-- Attempt to make aarch64 build.
-  Related: rhbz#1932057
-
-* Thu Apr 14 2022 Peter Jones <pjones@redhat.com> - 15.5-1.el9
-- Rebuild for rhel-9.0.0
-  Resolves: rhbz#1932057
-
 * Mon Sep 21 2020 Javier Martinez Canillas <javierm@redhat.com> - 15-16
 - Fix an incorrect allocation size
+  Resolves: rhbz#1877253
 
 * Fri Jul 31 2020 Peter Jones <pjones@redhat.com> - 15-15
 - Update once again for new signed shim builds.
+  Resolves: rhbz#1861977
 
 * Tue Jul 28 2020 Peter Jones <pjones@redhat.com> - 15-14
 - Get rid of our %%dist hack for now.
 
 * Tue Jul 28 2020 Peter Jones <pjones@redhat.com> - 15-13
 - New signing keys
+  Related: CVE-2020-10713
+  Related: CVE-2020-14308
+  Related: CVE-2020-14309
+  Related: CVE-2020-14310
+  Related: CVE-2020-14311
 
 * Thu Jun 11 2020 Javier Martinez Canillas <javierm@redhat.com> - 15-12
 - Fix firmware update bug in aarch64 caused by shim ignoring arguments
+  Resolves: rhbz#1830871
 - Fix a shim crash when attempting to netboot
+  Resolves: rhbz#1795654
 
 * Fri Jun 07 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-11
 - Update the shim-unsigned-aarch64 version number
+  Related: rhbz#1715879
 
 * Fri Jun 07 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-10
 - Add a gating.yaml file so the package can be properly gated
+  Related: rhbz#1681809
 
 * Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-9
 - Bump the NVR
+  Related: rhbz#1715879
 
 * Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-7
 - Make EFI variable copying fatal only on secureboot enabled systems
+  Resolves: rhbz#1715879
 - Fix booting shim from an EFI shell using a relative path
+  Resolves: rhbz#1717061
 
 * Thu Mar 14 2019 Peter Jones <pjones@redhat.com> - 15-6
 - Fix MoK mirroring issue which breaks kdump without intervention
+  Resolves: rhbz#1668966
 
 * Thu Jan 24 2019 Peter Jones <pjones@redhat.com> - 15-5
 - Rebuild for signing once again. If the signer actually works, then:
+  Resolves: rhbz#1620941
 
 * Tue Oct 16 2018 Peter Jones <pjones@redhat.com> - 15-4
 - Rebuild for signing
+  Resolves: rhbz#1620941
 
 * Mon Aug 13 2018 Troy Dawson <tdawson@redhat.com>
 - Release Bumped for el8 Mass Rebuild