From 67f27a60ae0143cfd6a7cc24f4543c7a317a90a6 Mon Sep 17 00:00:00 2001
From: Johnny Hughes
Date: Oct 24 2018 15:45:22 +0000
Subject: shim with new CentOS Secureboot
---
diff --git a/SOURCES/0001-Add-vendor-esl.patch b/SOURCES/0001-Add-vendor-esl.patch
new file mode 100644
index 0000000..1058298
--- /dev/null
+++ b/SOURCES/0001-Add-vendor-esl.patch
@@ -0,0 +1,168 @@ +From bc1e30ee1e7940e0e70eab9afd55b6e355ef9899 Mon Sep 17 00:00:00 2001 +From: Patrick Uiterwijk +Date: Sat, 21 Jul 2018 03:27:26 +0200 +Subject: [PATCH] Add vendor_esl + +Signed-off-by: Patrick Uiterwijk +--- + Makefile | 3 +++ + cert.S | 30 ++++++++++++++++++++++++++++++ + shim.c | 36 +++++++++++++++++++++++++++++++++++- + 3 files changed, 68 insertions(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index 6ece282..78688e0 100644 +--- a/Makefile ++++ b/Makefile +@@ -82,6 +82,9 @@ endif + ifneq ($(origin VENDOR_CERT_FILE), undefined) + CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\" + endif ++ifneq ($(origin VENDOR_ESL_FILE), undefined) ++ CFLAGS += -DVENDOR_ESL_FILE=\"$(VENDOR_ESL_FILE)\" ++endif + ifneq ($(origin VENDOR_DBX_FILE), undefined) + CFLAGS += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\" + endif +diff --git a/cert.S b/cert.S +index cfc4525..7ad782a 100644 +--- a/cert.S ++++ b/cert.S +@@ -8,12 +8,18 @@ cert_table: + #else + .long 0 + #endif ++#if defined(VENDOR_ESL_FILE) ++ .long vendor_esl_priv_end - vendor_esl_priv ++#else ++ .long 0 ++#endif + #if defined(VENDOR_DBX_FILE) + .long vendor_dbx_priv_end - vendor_dbx_priv + #else + .long 0 + #endif + .long vendor_cert_priv - cert_table ++ .long vendor_esl_priv - cert_table + .long vendor_dbx_priv - cert_table + #if defined(VENDOR_CERT_FILE) + .data +@@ -39,6 +45,30 @@ vendor_cert_priv: + .section .vendor_cert, "a", %progbits + vendor_cert_priv_end: + #endif ++#if defined(VENDOR_ESL_FILE) ++ .data ++ .align 1 ++ .type vendor_esl_priv, %object ++ .size vendor_esl_priv, vendor_esl_priv_end-vendor_esl_priv ++ .section .vendor_cert, "a", %progbits ++vendor_esl_priv: ++.incbin VENDOR_ESL_FILE ++vendor_esl_priv_end: ++#else ++ .bss ++ .type vendor_esl_priv, %object ++ .size vendor_esl_priv, 1 ++ .section .vendor_cert, "a", %progbits ++vendor_esl_priv: ++ .zero 1 ++ ++ .data ++ .align 4 ++ .type vendor_esl_size_priv, %object ++ .size vendor_esl_size_priv, 4 ++ .section .vendor_cert, "a", 
%progbits ++vendor_esl_priv_end: ++#endif + #if defined(VENDOR_DBX_FILE) + .data + .align 1 +diff --git a/shim.c b/shim.c +index f8a1e67..d99134f 100644 +--- a/shim.c ++++ b/shim.c +@@ -84,14 +84,18 @@ EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, + */ + extern struct { + UINT32 vendor_cert_size; ++ UINT32 vendor_esl_size; + UINT32 vendor_dbx_size; + UINT32 vendor_cert_offset; ++ UINT32 vendor_esl_offset; + UINT32 vendor_dbx_offset; + } cert_table; + + UINT32 vendor_cert_size; ++UINT32 vendor_esl_size; + UINT32 vendor_dbx_size; + UINT8 *vendor_cert; ++UINT8 *vendor_esl; + UINT8 *vendor_dbx; + + /* +@@ -1029,6 +1033,18 @@ static EFI_STATUS verify_buffer (char *data, int datasize, + return status; + } + ++ /* ++ * Check if there's a vendor ESL built-in ++ */ ++ if (vendor_esl_size && ++ check_db_cert_in_ram((EFI_SIGNATURE_LIST*)vendor_esl, ++ vendor_esl_size, ++ cert, ++ sha256hash) == DATA_FOUND) { ++ status = EFI_SUCCESS; ++ return status; ++ } ++ + /* + * And finally, check against shim's built-in key + */ +@@ -1973,6 +1989,22 @@ EFI_STATUS mirror_mok_list() + + CertData->SignatureOwner = SHIM_LOCK_GUID; + CopyMem(p, vendor_cert, vendor_cert_size); ++ } else if (vendor_esl_size) { ++ FullDataSize = DataSize ++ + vendor_esl_size ++ ; ++ FullData = AllocatePool(FullDataSize); ++ if (!FullData) { ++ perror(L"Failed to allocate space for MokListRT\n"); ++ return EFI_OUT_OF_RESOURCES; ++ } ++ p = FullData; ++ ++ if (efi_status == EFI_SUCCESS && DataSize > 0) { ++ CopyMem(p, Data, DataSize); ++ p += DataSize; ++ } ++ CopyMem(p, vendor_esl, vendor_esl_size); + } else { + FullDataSize = DataSize; + FullData = Data; +@@ -2606,7 +2638,7 @@ shim_init(void) + set_second_stage (global_image_handle); + + if (secure_mode()) { +- if (vendor_cert_size || vendor_dbx_size) { ++ if (vendor_cert_size || vendor_esl_size || vendor_dbx_size) { + /* + * If shim includes its own certificates then ensure + * that anything it boots has performed some +@@ 
-2706,8 +2738,10 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab) + verification_method = VERIFIED_BY_NOTHING; + + vendor_cert_size = cert_table.vendor_cert_size; ++ vendor_esl_size = cert_table.vendor_esl_size; + vendor_dbx_size = cert_table.vendor_dbx_size; + vendor_cert = (UINT8 *)&cert_table + cert_table.vendor_cert_offset; ++ vendor_esl = (UINT8 *)&cert_table + cert_table.vendor_esl_offset; + vendor_dbx = (UINT8 *)&cert_table + cert_table.vendor_dbx_offset; + + /* +-- +2.18.0 + diff --git a/SOURCES/centos.esl b/SOURCES/centos.esl new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/SOURCES/centos.esl diff --git a/SPECS/shim.spec b/SPECS/shim.spec index d1316b0..a7778ba 100644 --- a/SPECS/shim.spec +++ b/SPECS/shim.spec @@ -1,16 +1,19 @@ Name: shim Version: 12 -Release: 1%{?dist} +Release: 2%{?dist} Summary: First-stage UEFI bootloader License: BSD URL: http://www.codon.org.uk/~mjg59/shim/ Source0: https://github.com/mjg59/shim/releases/download/%{version}/shim-%{version}.tar.bz2 -Source1: securebootca.cer +#Source1: centos.crt # currently here's what's in our dbx: # nothing. #Source2: dbx-x64.esl #Source3: dbx-aa64.esl Source4: shim-find-debuginfo.sh +Source5: centos.esl + +Patch0: 0001-Add-vendor-esl.patch BuildRequires: git openssl-devel openssl BuildRequires: pesign >= 0.106-1 @@ -127,6 +130,9 @@ fi if [ -f "%{SOURCE3}" ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE3}" fi +if [ -f "%{SOURCE5}" ]; then + MAKEFLAGS="$MAKEFLAGS VENDOR_ESL_FILE=%{SOURCE5}" +fi %else if [ -f "%{SOURCE1}" ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" @@ -134,6 +140,9 @@ fi if [ -f "%{SOURCE2}" ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}" fi +if [ -f "%{SOURCE5}" ]; then + MAKEFLAGS="$MAKEFLAGS VENDOR_ESL_FILE=%{SOURCE5}" +fi %endif cd %{name}-%{version}-%{efiarch} make 'DEFAULT_LOADER=\\\\grub%{efiarch}.efi' ${MAKEFLAGS} shim%{efiarch}.efi mm%{efiarch}.efi fb%{efiarch}.efi 
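Review bot: In the mirror_mok_list hunk of the embedded shim.c patch the new branch is `} else if (vendor_esl_size) {`, so a build that defines both VENDOR_CERT_FILE and VENDOR_ESL_FILE never copies the ESL certificates into MokListRT, even though the verify_buffer hunk accepts a loader signed by either; anything that consumes MokListRT would then see a narrower trust set than the one shim actually enforces. If that exclusivity is intended it deserves a comment such as `/* vendor_esl is mirrored only when no vendor_cert is built in; verify_buffer trusts both */`, otherwise the ESL should be appended in the vendor_cert branch too. The new verify_buffer branch also returns EFI_SUCCESS without recording how the image was verified, while `verification_method` is clearly tracked in this file (efi_main hunk); if the built-in-key branch that follows records the method and measures the certificate (that code lies outside the hunk), the ESL branch should do the same so an ESL-authorised boot is distinguishable. Both verify_buffer and mirror_mok_list start and end outside their hunks.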
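Review bot: The guards `if [ -f "%{SOURCE5}" ]; then` added in the -127 and -134 hunks only test that centos.esl exists, and the SOURCES/centos.esl this commit adds is recorded as git's empty blob (index 0000000..e69de29, no content hunk); with Source1 commented out in the first hunk, such a build would embed a zero-length ESL, leave vendor_esl_size at 0 and ship a shim with no built-in trust anchor at all, silently. If the real ESL is meant to arrive out of band (a lookaside cache, for instance), the spec should fail rather than degrade: `[ -s "%{SOURCE5}" ] || { echo "vendor ESL %{SOURCE5} is missing or empty" >&2; exit 1; }` before each guard, or at minimum `-s` in place of `-f`. The same applies to both arch branches, and the changelog hunk's "combined centos.esl" claim cannot be confirmed from what is committed here.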
@@ -217,6 +226,10 @@ cd ../%{name}-%{version}-%{efiarch} %endif %changelog +* Mon Jul 23 2018 Fabian Arrotin - 12-2.el7.centos +- Added 0001-Add-vendor-esl.patch (Patrick Uiterwijk) +- Rebuilt with combined centos.esl (so new and previous crt) + * Thu Apr 27 2017 Peter Jones - 12-1 - Update to 12-1 to work around a signtool.exe bug Related: rhbz#1445393