diff --git a/.shim-signed.metadata b/.shim-signed.metadata
index 897b7da..8405870 100644
--- a/.shim-signed.metadata
+++ b/.shim-signed.metadata
@@ -1,4 +1,4 @@
 8686e2ab33689a7f71268db3c8dc0a51ba291d93 SOURCES/mokutil-0.3.0.tar.gz
 a6499bf4e2e9038c79e00f3fea79c5dfd978eb16 SOURCES/shimaa64.efi
-09c724498ed275fb4a76f04700f5b2d39413405f SOURCES/shimia32.efi
-224b166130e25c00ac9a6c33d7816acc6b98cde5 SOURCES/shimx64.efi
+e609f8ddc446dc27a2aec3577e2b7869126662c0 SOURCES/shimia32.efi
+1316e2b5fb83b29acc00c5050799afb7ccd6b6e2 SOURCES/shimx64.efi
diff --git a/SOURCES/0001-Fix-the-potential-buffer-overflow.patch b/SOURCES/0001-Fix-the-potential-buffer-overflow.patch
index ef8518f..f752a3f 100644
--- a/SOURCES/0001-Fix-the-potential-buffer-overflow.patch
+++ b/SOURCES/0001-Fix-the-potential-buffer-overflow.patch
@@ -1,7 +1,7 @@
 From 1313fa02a5b2bfe61ee6702696600fc148ec2d6e Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Tue, 4 Nov 2014 15:50:03 +0800
-Subject: [PATCH 1/7] Fix the potential buffer overflow
+Subject: [PATCH 01/10] Fix the potential buffer overflow
 
 Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
 ---
@@ -9,7 +9,7 @@ Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
  1 file changed, 2 insertions(+), 3 deletions(-)
 
 diff --git a/src/mokutil.c b/src/mokutil.c
-index 5b34f22..93fb6fa 100644
+index 5b34f22fd98..93fb6fabcab 100644
 --- a/src/mokutil.c
 +++ b/src/mokutil.c
 @@ -1743,7 +1743,7 @@ set_toggle (const char * VarName, uint32_t state)
@@ -32,5 +32,5 @@ index 5b34f22..93fb6fa 100644
  	tvar.mok_toggle_state = state;
  
 -- 
-2.7.4
+2.17.1
 
diff --git a/SOURCES/0002-Fix-the-32bit-signedness-comparison.patch b/SOURCES/0002-Fix-the-32bit-signedness-comparison.patch
index de24b1c..33ca700 100644
--- a/SOURCES/0002-Fix-the-32bit-signedness-comparison.patch
+++ b/SOURCES/0002-Fix-the-32bit-signedness-comparison.patch
@@ -1,14 +1,14 @@
 From cdb4b6f3bfd6ada6558ddfb889e27150f0841b28 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Mon, 24 Nov 2014 11:38:54 +0800
-Subject: [PATCH 2/7] Fix the 32bit signedness comparison
+Subject: [PATCH 02/10] Fix the 32bit signedness comparison
 
 ---
  src/mokutil.c | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/src/mokutil.c b/src/mokutil.c
-index 93fb6fa..a7e83f7 100644
+index 93fb6fabcab..a7e83f71f0b 100644
 --- a/src/mokutil.c
 +++ b/src/mokutil.c
 @@ -1284,7 +1284,7 @@ issue_mok_request (char **files, uint32_t total, MokRequest req,
@@ -30,5 +30,5 @@ index 93fb6fa..a7e83f7 100644
  						list[i].mok_size - offset);
  			if (write_size < 0) {
 -- 
-2.7.4
+2.17.1
 
diff --git a/SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch b/SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch
index 80a677a..a9fe4e9 100644
--- a/SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch
+++ b/SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch
@@ -1,7 +1,8 @@
 From 9eb111a7f7b897ba4ae19a68708e010a5c384260 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Fri, 19 Jun 2015 16:53:36 -0400
-Subject: [PATCH 3/7] Build with -fshort-wchar so toggle passwords work right.
+Subject: [PATCH 03/10] Build with -fshort-wchar so toggle passwords work
+ right.
 
 This source tree uses:
 
@@ -25,7 +26,7 @@ Signed-off-by: Peter Jones <pjones@redhat.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/configure.ac b/configure.ac
-index fe28fb9..69d412a 100644
+index fe28fb92241..69d412ac633 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -37,7 +37,7 @@ else
@@ -38,5 +39,5 @@ index fe28fb9..69d412a 100644
  AC_ARG_ENABLE(strict, AS_HELP_STRING([--enable-strict],[Enable strict compilation options]), enable_strict=$enableval,
  		enable_strict=$default_strict)
 -- 
-2.7.4
+2.17.1
 
diff --git a/SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch b/SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
index 3e75fda..f45fd42 100644
--- a/SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
+++ b/SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
@@ -1,7 +1,7 @@
 From ecc8fb0d92f0f453414a98172df22e23fb5893f5 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 16 Jun 2015 17:06:30 -0400
-Subject: [PATCH 4/7] Don't allow sha1 on the mokutil command line.
+Subject: [PATCH 04/10] Don't allow sha1 on the mokutil command line.
 
 Related: rhbz#1115843
 
@@ -11,7 +11,7 @@ Signed-off-by: Peter Jones <pjones@redhat.com>
  1 file changed, 2 insertions(+)
 
 diff --git a/src/mokutil.c b/src/mokutil.c
-index a7e83f7..1fb34f9 100644
+index a7e83f71f0b..1fb34f9d3aa 100644
 --- a/src/mokutil.c
 +++ b/src/mokutil.c
 @@ -1351,10 +1351,12 @@ identify_hash_type (const char *hash_str, efi_guid_t *type)
@@ -28,5 +28,5 @@ index a7e83f7..1fb34f9 100644
  		*type = efi_guid_sha224;
  		hash_size = SHA224_DIGEST_LENGTH;
 -- 
-2.7.4
+2.17.1
 
diff --git a/SOURCES/0005-Make-all-efi_guid_t-const.patch b/SOURCES/0005-Make-all-efi_guid_t-const.patch
index 0e12a37..b041fc4 100644
--- a/SOURCES/0005-Make-all-efi_guid_t-const.patch
+++ b/SOURCES/0005-Make-all-efi_guid_t-const.patch
@@ -1,7 +1,7 @@
 From eba569a8e6c33f07042758cbfa1706d7339464e1 Mon Sep 17 00:00:00 2001
 From: Gary Lin <glin@suse.com>
 Date: Wed, 13 Jan 2016 16:05:21 +0800
-Subject: [PATCH 5/7] Make all efi_guid_t const
+Subject: [PATCH 05/10] Make all efi_guid_t const
 
 All UEFI GUIDs defined in efivar are const. Declare all of them const
 to make gcc happy.
@@ -12,7 +12,7 @@ Signed-off-by: Gary Lin <glin@suse.com>
  1 file changed, 9 insertions(+), 9 deletions(-)
 
 diff --git a/src/mokutil.c b/src/mokutil.c
-index 1fb34f9..d2c52b4 100644
+index 1fb34f9d3aa..d2c52b4caaf 100644
 --- a/src/mokutil.c
 +++ b/src/mokutil.c
 @@ -200,7 +200,7 @@ efichar_from_char (efi_char16_t *dest, const char *src, size_t dest_len)
@@ -83,5 +83,5 @@ index 1fb34f9..d2c52b4 100644
  {
  	uint8_t *authvar_data;
 -- 
-2.7.4
+2.17.1
 
diff --git a/SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch b/SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
index a0d87f3..af8b621 100644
--- a/SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
+++ b/SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
@@ -1,7 +1,7 @@
-From b68dca2d4de779387c4b5306bb9cfc9a3bab2572 Mon Sep 17 00:00:00 2001
+From 951daed3f98e9a3de2bc36cd82525cdbf7595e3e Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 14 Jun 2016 10:19:43 -0400
-Subject: [PATCH 6/7] mokutil: be explicit about file modes in all cases.
+Subject: [PATCH 06/10] mokutil: be explicit about file modes in all cases.
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
@@ -9,7 +9,7 @@ Signed-off-by: Peter Jones <pjones@redhat.com>
  1 file changed, 4 insertions(+), 2 deletions(-)
 
 diff --git a/src/mokutil.c b/src/mokutil.c
-index d2c52b4..d554f6c 100644
+index d2c52b4caaf..d554f6cca21 100644
 --- a/src/mokutil.c
 +++ b/src/mokutil.c
 @@ -574,7 +574,8 @@ delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
@@ -33,5 +33,5 @@ index d2c52b4..d554f6c 100644
  			case ENROLL_MOK:
  				fprintf (stderr, "Failed to enroll new keys\n");
 -- 
-2.7.4
+2.17.1
 
diff --git a/SOURCES/0007-Add-bash-completion-file.patch b/SOURCES/0007-Add-bash-completion-file.patch
index 725ad66..29720ad 100644
--- a/SOURCES/0007-Add-bash-completion-file.patch
+++ b/SOURCES/0007-Add-bash-completion-file.patch
@@ -1,29 +1,18 @@
-From d16c76d139f9a9a56b49c0dd51cd9056f626031e Mon Sep 17 00:00:00 2001
+From a797a566127f7469d744b2748f98d1fa5ea8d8f9 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 14 Jun 2016 10:20:14 -0400
-Subject: [PATCH 7/7] Add bash completion file.
+Subject: [PATCH 07/10] Add bash completion file.
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
- Makefile.am  |  5 +++++
  configure.ac | 17 +++++++++++++++++
+ Makefile.am  |  5 +++++
  data/mokutil | 37 +++++++++++++++++++++++++++++++++++++
  3 files changed, 59 insertions(+)
  create mode 100755 data/mokutil
 
-diff --git a/Makefile.am b/Makefile.am
-index 9f0d419..c17cc4a 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -1 +1,6 @@
- SUBDIRS = src man
-+
-+if ENABLE_BASH_COMPLETION
-+  bashcompletiondir = $(BASH_COMPLETION_DIR)
-+  dist_bashcompletion_DATA = data/mokutil
-+endif
 diff --git a/configure.ac b/configure.ac
-index 69d412a..7b52a06 100644
+index 69d412ac633..7b52a063df0 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -86,6 +86,23 @@ AC_CHECK_FUNCS([memset])
@@ -50,9 +39,20 @@ index 69d412a..7b52a06 100644
  AC_CONFIG_FILES([Makefile
                   src/Makefile
  		 man/Makefile])
+diff --git a/Makefile.am b/Makefile.am
+index 9f0d4192515..c17cc4a86d8 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -1 +1,6 @@
+ SUBDIRS = src man
++
++if ENABLE_BASH_COMPLETION
++  bashcompletiondir = $(BASH_COMPLETION_DIR)
++  dist_bashcompletion_DATA = data/mokutil
++endif
 diff --git a/data/mokutil b/data/mokutil
 new file mode 100755
-index 0000000..800b039
+index 00000000000..800b039e7f4
 --- /dev/null
 +++ b/data/mokutil
 @@ -0,0 +1,37 @@
@@ -94,5 +94,5 @@ index 0000000..800b039
 +
 +complete -F _mokutil mokutil
 -- 
-2.7.4
+2.17.1
 
diff --git a/SOURCES/0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch b/SOURCES/0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch
new file mode 100644
index 0000000..5642502
--- /dev/null
+++ b/SOURCES/0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch
@@ -0,0 +1,27 @@
+From b5f004ddbd8ef1f9f1d664d41d5dcc4272621080 Mon Sep 17 00:00:00 2001
+From: Tyler Hicks <tyhicks@canonical.com>
+Date: Mon, 20 Jun 2016 11:18:17 -0500
+Subject: [PATCH 08/10] Fix typo in error message when the system lacks Secure
+ Boot support
+
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+---
+ src/mokutil.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index d554f6cca21..27f1292f3a9 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -2297,7 +2297,7 @@ main (int argc, char *argv[])
+ 		rc = efi_get_variable (efi_guid_global, "SecureBoot",
+ 				       &data, &data_size, &attributes);
+ 		if (rc < 0) {
+-			fprintf(stderr, "This system does't support Secure Boot\n");
++			fprintf(stderr, "This system doesn't support Secure Boot\n");
+ 			ret = -1;
+ 			goto out;
+ 		}
+-- 
+2.17.1
+
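Review bot: Every negative return from `efi_get_variable ()` on the `SecureBoot` variable is still reported as "This system doesn't support Secure Boot", because errno is not examined on this path. A read that fails for any other reason therefore gives the operator a misleading statement about the platform's Secure Boot capability. Patch 09 of this series tests `errno == ENOENT` in list_keys_in_var(); doing the same here, with a generic read-failure message for other errno values, would keep the diagnosis accurate. The enclosing branch of main() starts and ends outside the hunk.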
diff --git a/SOURCES/0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch b/SOURCES/0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch
new file mode 100644
index 0000000..0bed1d9
--- /dev/null
+++ b/SOURCES/0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch
@@ -0,0 +1,27 @@
+From 2fa167f3905ebee27221fc2b1db4b79e215d8ca0 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 3 Apr 2017 16:33:38 -0400
+Subject: [PATCH 09/10] list_keys_in_var(): check errno correctly, not ret
+ twice.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/mokutil.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 27f1292f3a9..0be9e8491fd 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -602,7 +602,7 @@ list_keys_in_var (const char *var_name, const efi_guid_t guid)
+ 
+ 	ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes);
+ 	if (ret < 0) {
+-		if (ret == ENOENT) {
++		if (errno == ENOENT) {
+ 			printf ("%s is empty\n", var_name);
+ 			return 0;
+ 		}
+-- 
+2.17.1
+
diff --git a/SOURCES/0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch b/SOURCES/0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch
new file mode 100644
index 0000000..2d57007
--- /dev/null
+++ b/SOURCES/0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch
@@ -0,0 +1,101 @@
+From 57f7c776dca0322fab107460cac71ac4b6e79b9a Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 15 May 2018 11:20:15 -0400
+Subject: [PATCH 10/10] generate_hash() / generate_pw_hash(): don't use
+ strlen() for strncpy bounds
+
+New gcc rightly comlplains when we do the following:
+
+strncpy (dest, src, strlen(src));
+
+For two reasons:
+a) it doesn't copy the NUL byte
+b) it's otherwise the same thing strcpy() would have done
+
+This patch replaces that with stpncpy (just because it's slightly easier
+to use) and the real bounds for the destination.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/mokutil.c | 33 ++++++++++++++++++++++-----------
+ 1 file changed, 22 insertions(+), 11 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 0be9e8491fd..b5080107600 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -764,9 +764,10 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len)
+ {
+ 	pw_crypt_t new_crypt;
+ 	char settings[SETTINGS_LEN];
++	char *next;
+ 	char *crypt_string;
+ 	const char *prefix;
+-	int hash_len, prefix_len;
++	int hash_len, settings_len = sizeof (settings) - 2;
+ 
+ 	if (!password || !pw_crypt || password[pw_len] != '\0')
+ 		return -1;
+@@ -774,15 +775,19 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len)
+ 	prefix = get_crypt_prefix (pw_crypt->method);
+ 	if (!prefix)
+ 		return -1;
+-	prefix_len = strlen(prefix);
+ 
+ 	pw_crypt->salt_size = get_salt_size (pw_crypt->method);
+ 	generate_salt ((char *)pw_crypt->salt, pw_crypt->salt_size);
+ 
+-	strncpy (settings, prefix, prefix_len);
+-	strncpy (settings + prefix_len, (const char *)pw_crypt->salt,
+-		 pw_crypt->salt_size);
+-	settings[pw_crypt->salt_size + prefix_len] = '\0';
++	memset (settings, 0, sizeof (settings));
++	next = stpncpy (settings, prefix, settings_len);
++	if (pw_crypt->salt_size > settings_len - (next - settings)) {
++		errno = EOVERFLOW;
++		return -1;
++	}
++	next = stpncpy (next, (const char *)pw_crypt->salt,
++			pw_crypt->salt_size);
++	*next = '\0';
+ 
+ 	crypt_string = crypt (password, settings);
+ 	if (!crypt_string)
+@@ -1929,10 +1934,11 @@ static int
+ generate_pw_hash (const char *input_pw)
+ {
+ 	char settings[SETTINGS_LEN];
++        char *next;
+ 	char *password = NULL;
+ 	char *crypt_string;
+ 	const char *prefix;
+-	int prefix_len;
++	int settings_len = sizeof (settings) - 2;
+ 	unsigned int pw_len, salt_size;
+ 
+ 	if (input_pw) {
+@@ -1958,12 +1964,17 @@ generate_pw_hash (const char *input_pw)
+ 	prefix = get_crypt_prefix (DEFAULT_CRYPT_METHOD);
+ 	if (!prefix)
+ 		return -1;
+-	prefix_len = strlen(prefix);
+ 
+-	strncpy (settings, prefix, prefix_len);
++	memset (settings, 0, sizeof (settings));
++	next = stpncpy (settings, prefix, settings_len);
+ 	salt_size = get_salt_size (DEFAULT_CRYPT_METHOD);
+-	generate_salt ((settings + prefix_len), salt_size);
+-	settings[DEFAULT_SALT_SIZE + prefix_len] = '\0';
++	if (salt_size > settings_len - (next - settings)) {
++		errno = EOVERFLOW;
++		return -1;
++	}
++	generate_salt (next, salt_size);
++	next += salt_size;
++	*next = '\0';
+ 
+ 	crypt_string = crypt (password, settings);
+ 	free (password);
+-- 
+2.17.1
+
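Review bot: In the generate_pw_hash() part of this patch, the new `errno = EOVERFLOW; return -1;` path returns without releasing `password`, which the normal path frees right after `crypt ()`. The code that fills `password` lies outside the hunk, so this is inferred, but if the buffer is already allocated at that point the plaintext password is leaked on the error path. Adding `free (password);` before that `return -1;` would close it; the pre-existing `if (!prefix) return -1;` just above has the same shape. Separately, both new bounds checks compare an unsigned size with the signed expression `settings_len - (next - settings)`. The right-hand side cannot go negative because stpncpy() is bounded by `settings_len`, but a `size_t` remaining-space variable would make that explicit and avoid a sign-compare warning on 32-bit builds.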
diff --git a/SOURCES/BOOTIA32.CSV b/SOURCES/BOOTIA32.CSV
index 1f0e21f..4e658b2 100644
Binary files a/SOURCES/BOOTIA32.CSV and b/SOURCES/BOOTIA32.CSV differ
diff --git a/SOURCES/BOOTX64.CSV b/SOURCES/BOOTX64.CSV
index da8cf51..7692a93 100644
Binary files a/SOURCES/BOOTX64.CSV and b/SOURCES/BOOTX64.CSV differ
diff --git a/SOURCES/centos-ca-secureboot.der b/SOURCES/centos-ca-secureboot.der
deleted file mode 100644
index 44a2563..0000000
Binary files a/SOURCES/centos-ca-secureboot.der and /dev/null differ
diff --git a/SOURCES/centossecureboot001.crt b/SOURCES/centossecureboot001.crt
deleted file mode 100644
index 321c4ec..0000000
--- a/SOURCES/centossecureboot001.crt
+++ /dev/null
@@ -1,81 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            b6:16:15:71:72:fb:31:7e
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: CN=CentOS Secure Boot (CA key 1)/emailAddress=security@centos.org
-        Validity
-            Not Before: Aug  1 11:47:30 2018 GMT
-            Not After : Dec 31 11:47:30 2037 GMT
-        Subject: CN=CentOS Secure Boot (key 1)/emailAddress=security@centos.org
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (2048 bit)
-                Modulus (2048 bit):
-                    00:c1:a3:6a:f4:2d:71:83:6c:21:ca:0c:b7:ac:fa:
-                    76:80:43:03:40:87:5d:de:e9:1e:df:ad:e7:2b:51:
-                    cb:f8:31:0f:9a:db:ab:23:25:04:11:05:57:7d:f2:
-                    4b:8d:1e:b3:75:78:1d:b9:57:8b:18:0b:bb:7e:e3:
-                    24:0f:6a:40:5f:2b:4f:03:a5:85:94:d2:f9:08:a0:
-                    bc:db:a5:ea:4f:7f:e8:7c:d1:a9:f8:f0:9c:25:18:
-                    00:14:c4:c4:35:7d:1d:4c:8a:8d:95:f8:ed:65:97:
-                    a5:a4:da:7d:cb:f0:33:3b:b7:03:94:68:47:05:57:
-                    6c:96:91:ac:14:f2:e3:f6:6d:4a:18:cf:68:8a:35:
-                    6f:8e:26:99:7f:db:c9:83:54:c2:c3:bf:ad:45:a0:
-                    aa:a0:86:5f:20:b1:86:1b:ae:b7:28:15:11:f9:65:
-                    53:5d:70:33:9b:a3:c7:b5:c8:11:ff:55:3b:e7:46:
-                    f1:6c:6b:8c:bb:f2:9f:36:23:b1:2d:23:2f:8f:4f:
-                    6c:a8:cc:ae:f5:56:9e:22:6c:0e:9a:4a:b1:bd:b2:
-                    76:15:5c:05:85:b8:5e:dc:8c:a5:c3:e0:75:51:a4:
-                    94:9b:03:2e:7b:f8:d3:b9:dd:7f:88:ce:2e:2f:28:
-                    4c:b4:92:2f:e6:e0:67:0a:d0:ff:c5:d2:79:a6:ef:
-                    94:0f
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:FALSE
-            X509v3 Key Usage: 
-                Digital Signature
-            X509v3 Subject Key Identifier: 
-                F0:37:C6:EA:EC:36:D4:05:7A:52:6C:0E:C6:D5:A9:5B:32:4E:E1:29
-            X509v3 Authority Key Identifier: 
-                keyid:54:EC:81:85:89:3E:E9:1A:DB:08:F7:44:88:54:7E:8E:3F:74:3A:F3
-
-    Signature Algorithm: sha256WithRSAEncryption
-        97:97:ba:a6:0b:5b:bb:84:39:2e:ef:8b:51:9a:89:bb:65:3c:
-        dc:15:d0:5a:88:c5:af:ce:93:f5:c1:74:98:15:59:a9:38:da:
-        11:fd:46:d5:4f:23:7c:03:1f:ae:0c:70:93:94:a7:61:2f:4b:
-        2f:5f:bb:cc:8a:d7:4a:24:66:73:85:b4:19:13:fc:6a:61:4a:
-        28:1f:a2:38:f4:72:90:03:c4:3e:64:63:8b:fb:15:22:22:4e:
-        b9:43:d9:b4:3d:3a:60:c1:4d:3a:09:85:68:7a:bc:3b:f9:ef:
-        f3:f5:e9:c9:4f:80:8c:c6:e9:cb:ef:28:44:b0:5d:d4:9e:4f:
-        0f:02:9a:65:aa:98:35:b4:6f:d2:80:e3:08:ef:12:d0:17:56:
-        a6:a1:42:1e:1d:ab:e5:33:c0:fd:88:0d:40:42:81:c8:27:30:
-        17:07:57:3e:05:9d:aa:05:0e:5b:3a:79:b4:29:aa:7c:42:5a:
-        ad:43:59:fb:34:4d:dc:62:58:63:e4:fb:de:bb:fd:6c:4e:97:
-        58:f4:b9:99:4a:71:fe:7f:16:50:55:25:46:39:96:9b:88:6c:
-        75:19:33:9e:70:b3:04:82:fe:16:a8:8e:22:47:83:6d:16:77:
-        da:26:ad:31:d8:06:6d:c5:7e:46:4b:21:ab:ae:ec:2a:93:71:
-        da:7f:89:1d
------BEGIN CERTIFICATE-----
-MIIDdTCCAl2gAwIBAgIJALYWFXFy+zF+MA0GCSqGSIb3DQEBCwUAMEwxJjAkBgNV
-BAMMHUNlbnRPUyBTZWN1cmUgQm9vdCAoQ0Ega2V5IDEpMSIwIAYJKoZIhvcNAQkB
-FhNzZWN1cml0eUBjZW50b3Mub3JnMB4XDTE4MDgwMTExNDczMFoXDTM3MTIzMTEx
-NDczMFowSTEjMCEGA1UEAxMaQ2VudE9TIFNlY3VyZSBCb290IChrZXkgMSkxIjAg
-BgkqhkiG9w0BCQEWE3NlY3VyaXR5QGNlbnRvcy5vcmcwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQDBo2r0LXGDbCHKDLes+naAQwNAh13e6R7frecrUcv4
-MQ+a26sjJQQRBVd98kuNHrN1eB25V4sYC7t+4yQPakBfK08DpYWU0vkIoLzbpepP
-f+h80an48JwlGAAUxMQ1fR1Mio2V+O1ll6Wk2n3L8DM7twOUaEcFV2yWkawU8uP2
-bUoYz2iKNW+OJpl/28mDVMLDv61FoKqghl8gsYYbrrcoFRH5ZVNdcDObo8e1yBH/
-VTvnRvFsa4y78p82I7EtIy+PT2yozK71Vp4ibA6aSrG9snYVXAWFuF7cjKXD4HVR
-pJSbAy57+NO53X+Izi4vKEy0ki/m4GcK0P/F0nmm75QPAgMBAAGjXTBbMAwGA1Ud
-EwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBTwN8bq7DbUBXpSbA7G1alb
-Mk7hKTAfBgNVHSMEGDAWgBRU7IGFiT7pGtsI90SIVH6OP3Q68zANBgkqhkiG9w0B
-AQsFAAOCAQEAl5e6pgtbu4Q5Lu+LUZqJu2U83BXQWojFr86T9cF0mBVZqTjaEf1G
-1U8jfAMfrgxwk5SnYS9LL1+7zIrXSiRmc4W0GRP8amFKKB+iOPRykAPEPmRji/sV
-IiJOuUPZtD06YMFNOgmFaHq8O/nv8/XpyU+AjMbpy+8oRLBd1J5PDwKaZaqYNbRv
-0oDjCO8S0BdWpqFCHh2r5TPA/YgNQEKByCcwFwdXPgWdqgUOWzp5tCmqfEJarUNZ
-+zRN3GJYY+T73rv9bE6XWPS5mUpx/n8WUFUlRjmWm4hsdRkznnCzBIL+FqiOIkeD
-bRZ32iatMdgGbcV+Rkshq67sKpNx2n+JHQ==
------END CERTIFICATE-----
diff --git a/SPECS/shim-signed.spec b/SPECS/shim-signed.spec
index 5c1d022..0ee04e5 100644
--- a/SPECS/shim-signed.spec
+++ b/SPECS/shim-signed.spec
@@ -1,14 +1,23 @@
 Name:           shim-signed
-Version:        12
-Release:        2%{?dist}%{?buildid}
+Version:        15
+Release:        1%{?dist}%{?buildid}
 Summary:        First-stage UEFI bootloader
-%define unsigned_release 2%{?dist}
+%define unsigned_release 1%{?dist}
 
 License:        BSD
-URL:            http://www.codon.org.uk/~mjg59/shim/
+URL:            https://github.com/rhboot/shim/
 # incorporate mokutil for packaging simplicity
 %global mokutil_version 0.3.0
 Source0:        https://github.com/lcp/mokutil/archive/mokutil-%{mokutil_version}.tar.gz
+Source1:        secureboot.cer
+Source2:        securebootca.cer
+Source10:       shimx64.efi
+Source11:       shimia32.efi
+Source12:       shimaa64.efi
+Source20:       BOOTX64.CSV
+Source21:       BOOTIA32.CSV
+Source22:       BOOTAA64.CSV
+
 Patch0001: 0001-Fix-the-potential-buffer-overflow.patch
 Patch0002: 0002-Fix-the-32bit-signedness-comparison.patch
 Patch0003: 0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch
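Review bot: `Source1: secureboot.cer` and `Source2: securebootca.cer` are introduced here, but no hunk in this diff adds either file and `.shim-signed.metadata` does not list them, while the previous `centossecureboot001.crt` and `centos-ca-secureboot.der` are deleted. Unless both files already exist in the tree, rpmbuild cannot resolve these sources, and the later `%pesign ... -a %{SOURCE2} -c %{SOURCE1}` calls have no certificate to work with. The commit should either add the two files under SOURCES/ or record them in the metadata file.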
@@ -16,16 +25,9 @@ Patch0004: 0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
 Patch0005: 0005-Make-all-efi_guid_t-const.patch
 Patch0006: 0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
 Patch0007: 0007-Add-bash-completion-file.patch
-
-Source1:	centossecureboot001.crt
-Source2:	centos-ca-secureboot.der
-%define pesign_name centossecureboot001
-Source10:	shimx64.efi
-Source11:	shimia32.efi
-#Source12:	shimaa64.efi
-Source20:	BOOTX64.CSV
-Source21:	BOOTIA32.CSV
-Source22:	BOOTAA64.CSV
+Patch0008: 0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch
+Patch0009: 0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch
+Patch0010: 0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch
 
 %ifarch x86_64
 %global efiarch X64
@@ -40,7 +42,7 @@ Source22:	BOOTAA64.CSV
 %ifarch aarch64
 %global efiarch AA64
 %global efiarchlc aa64
-#%global shimsrc %{SOURCE12}
+%global shimsrc %{SOURCE12}
 %global bootsrc %{SOURCE22}
 %endif
 %define unsigned_dir %{_datadir}/shim/%{efiarchlc}-%{version}-%{unsigned_release}/
@@ -74,7 +76,7 @@ This package provides debug information for package %{name}.\
 Debug information is useful when developing applications that use this\
 package or when debugging this package.\
 %files -n mokutil-debuginfo -f debugfiles.list\
-%defattr(-,root,root)\
+%defattr(-,root,root,-)\
 %endif\
 %{nil}
 
@@ -93,7 +95,7 @@ the UEFI signing service.
 Summary: First-stage UEFI bootloader
 Requires: mokutil = %{version}-%{release}
 Provides: shim = %{version}-%{release}
-Obsoletes: shim
+Obsoletes: shim <= 12
 # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
 # compatible with SysV (there's no red zone under UEFI) and there isn't a
 # POSIX-style C library.
@@ -147,27 +149,27 @@ cd ..
 %ifarch %{ca_signed_arches}
 pesign -i %{shimsrc} -h -P > shim%{efiarchlc}.hash
 if ! cmp shim%{efiarchlc}.hash %{unsigned_dir}shim%{efiarchlc}.hash ; then
-	echo Invalid signature\! > /dev/stderr
-	echo saved hash is $(cat %{unsigned_dir}shim%{efiarchlc}.hash) > /dev/stderr
-	echo shim%{efiarchlc}.efi hash is $(cat shim%{efiarchlc}.hash) > /dev/stderr
-	exit 1
+  echo Invalid signature\! > /dev/stderr
+  echo saved hash is $(cat %{unsigned_dir}shim%{efiarchlc}.hash) > /dev/stderr
+  echo shim%{efiarchlc}.efi hash is $(cat shim%{efiarchlc}.hash) > /dev/stderr
+  exit 1
 fi
 cp %{shimsrc} shim%{efiarchlc}.efi
 %ifarch x86_64
 pesign -i %{shimsrcia32} -h -P > shimia32.hash
 if ! cmp shimia32.hash %{unsigned_dir_ia32}shimia32.hash ; then
-	echo Invalid signature\! > /dev/stderr
-	echo saved hash is $(cat %{unsigned_dir_ia32}shimia32.hash) > /dev/stderr
-	echo shimia32.efi hash is $(cat shimia32.hash) > /dev/stderr
-	exit 1
+  echo Invalid signature\! > /dev/stderr
+  echo saved hash is $(cat %{unsigned_dir_ia32}shimia32.hash) > /dev/stderr
+  echo shimia32.efi hash is $(cat shimia32.hash) > /dev/stderr
+  exit 1
 fi
 cp %{shimsrcia32} shimia32.efi
 %endif
 %endif
 %ifarch %{rh_signed_arches}
-%pesign -s -i %{unsigned_dir}shim%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} -o shim%{efiarchlc}-%{efidir}.efi
+%pesign -s -i %{unsigned_dir}shim%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301 -o shim%{efiarchlc}-%{efidir}.efi
 %ifarch x86_64
-%pesign -s -i %{unsigned_dir_ia32}shimia32.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} -o shimia32-%{efidir}.efi
+%pesign -s -i %{unsigned_dir_ia32}shimia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301 -o shimia32-%{efidir}.efi
 %endif
 %endif
 %ifarch %{rh_signed_arches}
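Review bot: The signing nickname `redhatsecureboot301` is now spelled out in every `%pesign` call, two in this hunk and four in the following one, in place of the removed `%{pesign_name}` macro. The nickname has to agree with the certificate files passed as `%{SOURCE1}` and `%{SOURCE2}`, so six literal copies make a partial edit easy to miss when the signing identity changes. Keeping one definition, `%global pesign_name redhatsecureboot301`, and passing `-n %{pesign_name}` on each line would leave a single place to audit.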
@@ -176,12 +178,12 @@ cp shim%{efiarchlc}-%{efidir}.efi shim%{efiarchlc}.efi
 %endif
 %endif
 
-%pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name}
-%pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name}
+%pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301
+%pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301
 
 %ifarch x86_64
-%pesign -s -i %{unsigned_dir_ia32}mmia32.efi -o mmia32.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name}
-%pesign -s -i %{unsigned_dir_ia32}fbia32.efi -o fbia32.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name}
+%pesign -s -i %{unsigned_dir_ia32}mmia32.efi -o mmia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301
+%pesign -s -i %{unsigned_dir_ia32}fbia32.efi -o fbia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301
 %endif
 
 cd mokutil-%{mokutil_version}
@@ -191,56 +193,54 @@ make %{?_smp_mflags}
 
 %install
 rm -rf $RPM_BUILD_ROOT
-install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/
-install -m 0644 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi
-install -m 0644 shim%{efiarchlc}-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi
-install -m 0644 mm%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi
-install -m 0644 mm%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/MokManager.efi
-install -m 0644 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV
-
-install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/
-install -m 0644 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOT%{efiarch}.EFI
-install -m 0644 fb%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fb%{efiarchlc}.efi
-install -m 0644 fb%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fallback.efi
+install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/
+install -m 0700 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi
+install -m 0700 shim%{efiarchlc}-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi
+install -m 0700 mm%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi
+install -m 0700 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV
+
+install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/
+install -m 0700 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOT%{efiarch}.EFI
+install -m 0700 fb%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fb%{efiarchlc}.efi
 
 %ifarch aarch64
 # In case old boot entries aren't updated
-install -m 0644 %{shimsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi
+install -m 0700 %{shimsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi
 %endif
 
 %ifarch x86_64
 # In case old boot entries aren't updated
-install -m 0644 shimx64.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi
-install -m 0644 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV
+install -m 0700 shimx64.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi
+install -m 0700 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV
 
-install -m 0644 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi
-install -m 0644 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi
-install -m 0644 shimia32-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi
-install -m 0644 mmia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mmia32.efi
-install -m 0644 %{bootsrcia32} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOTIA32.CSV
+install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi
+install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi
+install -m 0700 shimia32-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi
+install -m 0700 mmia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mmia32.efi
+install -m 0700 %{bootsrcia32} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOTIA32.CSV
 
-install -m 0644 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOTIA32.EFI
-install -m 0644 fbia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fbia32.efi
+install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOTIA32.EFI
+install -m 0700 fbia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fbia32.efi
 %endif
 
 cd mokutil-%{mokutil_version}
 make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
 
 %files -n shim-%{efiarchlc}
+%defattr(0700,root,root,-)
 /boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi
 /boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi
 /boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi
-/boot/efi/EFI/%{efidir}/MokManager.efi
 /boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV
 /boot/efi/EFI/BOOT/BOOT%{efiarch}.EFI
 /boot/efi/EFI/BOOT/fb%{efiarchlc}.efi
-/boot/efi/EFI/BOOT/fallback.efi
 /boot/efi/EFI/%{efidir}/shim.efi
 
 %ifarch x86_64
 /boot/efi/EFI/%{efidir}/BOOT.CSV
 
 %files -n shim-ia32
+%defattr(0700,root,root,-)
 /boot/efi/EFI/%{efidir}/shimia32.efi
 /boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi
 /boot/efi/EFI/%{efidir}/mmia32.efi
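Review bot: `install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi` appears twice in a row in the x86_64 branch; the second copy is redundant and can be dropped. The switch from 0644 to 0700, which also covers the non-executable `BOOT*.CSV` files, is explained only in the changelog. A comment above the first `install` would help, for example `# ESP files are packaged 0700 to match the modes the /boot/efi filesystem reports (rhbz#1512749)`. The mode bits look like a packaging-consistency measure rather than access control; presumably the effective permissions still come from how the ESP is mounted.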
@@ -258,11 +258,19 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
 %{_datadir}/bash-completion/completions/mokutil
 
 %changelog
-* Fri Aug 24 2018 Fabian Arrotin <arrfab@centos.org> - 12-2.el7
-- Rebuilt with new shim (built with new key/cert)
-
-* Thu Aug 31 2017 Karanbir Singh <kbsingh@centos.org> - 12-1.el7.centos
-- interim build
+* Fri Jul 20 2018 Peter Jones <pjones@redhat.com> - 15-1
+- Update to shim version 15
+  Resolves: rhbz#1589962
+
+* Wed Jul 11 2018 Peter Jones <pjones@redhat.com> - 12-3
+- Fix broken file owner/modes
+  Resolves: rhbz#1595677
+
+* Sat Jun 23 2018 Peter Jones <pjones@redhat.com> - 12-2
+- Fix /boot/efi/... permissions to match the filesystem's requirements
+  Related: rhbz#1512749
+- Minor .spec cleanups
+  Related: rhbz#1512749
 
 * Mon May 01 2017 Peter Jones <pjones@redhat.com> - 12-1
 - Update to 12-1 to work around a signtool.exe bug