diff --git a/SOURCES/0001-Add-vendor-esl.patch b/SOURCES/0001-Add-vendor-esl.patch
deleted file mode 100644
index c7de89d..0000000
--- a/SOURCES/0001-Add-vendor-esl.patch
+++ /dev/null
@@ -1,318 +0,0 @@
-From ad8b20e8e2cd71418a536a8068f8e37222bd3855 Mon Sep 17 00:00:00 2001
-From: Patrick Uiterwijk <patrick@puiterwijk.org>
-Date: Sat, 21 Jul 2018 04:12:57 +0200
-Subject: [PATCH] Implement vendor EFI Signature List (ESL)
-
-Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
----
- Make.defaults | 3 ++
- cert.S | 30 +++++++++++++++
- mok.c | 100 +++++++++++++++++++++++++++++---------------------
- shim.c | 25 +++++++++++++
- shim.h | 2 +
- 5 files changed, 119 insertions(+), 41 deletions(-)
-
-diff --git a/Make.defaults b/Make.defaults
-index bbfc1d7f..d8b4ba25 100644
---- a/Make.defaults
-+++ b/Make.defaults
-@@ -124,6 +124,9 @@ CFLAGS += "-DEFI_ARCH=L\"$(ARCH_SUFFIX)\"" "-DDEBUGDIR=L\"/usr/lib/debug/usr/sha
- ifneq ($(origin VENDOR_CERT_FILE), undefined)
- CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
- endif
-+ifneq ($(origin VENDOR_ESL_FILE), undefined)
-+ CFLAGS += -DVENDOR_ESL_FILE=\"$(VENDOR_ESL_FILE)\"
-+endif
- ifneq ($(origin VENDOR_DBX_FILE), undefined)
- CFLAGS += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\"
- endif
-diff --git a/cert.S b/cert.S
-index cfc4525b..7ad782ab 100644
---- a/cert.S
-+++ b/cert.S
-@@ -8,12 +8,18 @@ cert_table:
- #else
- .long 0
- #endif
-+#if defined(VENDOR_ESL_FILE)
-+ .long vendor_esl_priv_end - vendor_esl_priv
-+#else
-+ .long 0
-+#endif
- #if defined(VENDOR_DBX_FILE)
- .long vendor_dbx_priv_end - vendor_dbx_priv
- #else
- .long 0
- #endif
- .long vendor_cert_priv - cert_table
-+ .long vendor_esl_priv - cert_table
- .long vendor_dbx_priv - cert_table
- #if defined(VENDOR_CERT_FILE)
- .data
-@@ -39,6 +45,30 @@ vendor_cert_priv:
- .section .vendor_cert, "a", %progbits
- vendor_cert_priv_end:
- #endif
-+#if defined(VENDOR_ESL_FILE)
-+ .data
-+ .align 1
-+ .type vendor_esl_priv, %object
-+ .size vendor_esl_priv, vendor_esl_priv_end-vendor_esl_priv
-+ .section .vendor_cert, "a", %progbits
-+vendor_esl_priv:
-+.incbin VENDOR_ESL_FILE
-+vendor_esl_priv_end:
-+#else
-+ .bss
-+ .type vendor_esl_priv, %object
-+ .size vendor_esl_priv, 1
-+ .section .vendor_cert, "a", %progbits
-+vendor_esl_priv:
-+ .zero 1
-+
-+ .data
-+ .align 4
-+ .type vendor_esl_size_priv, %object
-+ .size vendor_esl_size_priv, 4
-+ .section .vendor_cert, "a", %progbits
-+vendor_esl_priv_end:
-+#endif
- #if defined(VENDOR_DBX_FILE)
- .data
- .align 1
-diff --git a/mok.c b/mok.c
-index 38675211..7734806b 100644
---- a/mok.c
-+++ b/mok.c
-@@ -62,12 +62,6 @@ struct mok_state_variable {
- EFI_GUID *guid;
- UINT8 *data;
- UINTN data_size;
-- /*
-- * These two are indirect pointers just to make initialization
-- * saner...
-- */
-- UINT8 **addend_source;
-- UINT32 *addend_size;
- UINT32 yes_attr;
- UINT32 no_attr;
- UINT32 flags;
-@@ -75,10 +69,11 @@ struct mok_state_variable {
- UINT8 *state;
- };
-
--#define MOK_MIRROR_KEYDB 0x01
--#define MOK_MIRROR_DELETE_FIRST 0x02
--#define MOK_VARIABLE_MEASURE 0x04
--#define MOK_VARIABLE_LOG 0x08
-+#define MOK_MIRROR_KEYDB 0x01
-+#define MOK_MIRROR_DELETE_FIRST 0x02
-+#define MOK_VARIABLE_MEASURE 0x04
-+#define MOK_VARIABLE_LOG 0x08
-+#define MOK_VARIABLE_APPEND_CERT 0x10
-
- struct mok_state_variable mok_state_variables[] = {
- {.name = L"MokList",
-@@ -88,10 +83,9 @@ struct mok_state_variable mok_state_variables[] = {
- .yes_attr = EFI_VARIABLE_BOOTSERVICE_ACCESS |
- EFI_VARIABLE_NON_VOLATILE,
- .no_attr = EFI_VARIABLE_RUNTIME_ACCESS,
-- .addend_source = &vendor_cert,
-- .addend_size = &vendor_cert_size,
- .flags = MOK_MIRROR_KEYDB |
-- MOK_VARIABLE_LOG,
-+ MOK_VARIABLE_LOG |
-+ MOK_VARIABLE_APPEND_CERT,
- .pcr = 14,
- },
- {.name = L"MokListX",
-@@ -138,40 +132,54 @@ static EFI_STATUS mirror_one_mok_variable(struct mok_state_variable *v)
- uint8_t *p = NULL;
-
- if ((v->flags & MOK_MIRROR_KEYDB) &&
-- v->addend_source && *v->addend_source &&
-- v->addend_size && *v->addend_size) {
-- EFI_SIGNATURE_LIST *CertList = NULL;
-- EFI_SIGNATURE_DATA *CertData = NULL;
-- FullDataSize = v->data_size
-- + sizeof (*CertList)
-- + sizeof (EFI_GUID)
-- + *v->addend_size;
-+ (v->flags & MOK_VARIABLE_APPEND_CERT)) {
-+ FullDataSize = v->data_size;
-+
-+ if (vendor_esl_size) {
-+ FullDataSize += vendor_esl_size;
-+ }
-+ if (vendor_cert_size) {
-+ FullDataSize += sizeof (EFI_SIGNATURE_LIST)
-+ + sizeof (EFI_GUID)
-+ + vendor_cert_size;
-+ }
-+
- FullData = AllocatePool(FullDataSize);
- if (!FullData) {
- perror(L"Failed to allocate space for MokListRT\n");
- return EFI_OUT_OF_RESOURCES;
- }
- p = FullData;
--
- if (!EFI_ERROR(efi_status) && v->data_size > 0) {
- CopyMem(p, v->data, v->data_size);
- p += v->data_size;
- }
-- CertList = (EFI_SIGNATURE_LIST *)p;
-- p += sizeof (*CertList);
-- CertData = (EFI_SIGNATURE_DATA *)p;
-- p += sizeof (EFI_GUID);
--
-- CertList->SignatureType = EFI_CERT_TYPE_X509_GUID;
-- CertList->SignatureListSize = *v->addend_size
-- + sizeof (*CertList)
-- + sizeof (*CertData)
-- -1;
-- CertList->SignatureHeaderSize = 0;
-- CertList->SignatureSize = *v->addend_size + sizeof (EFI_GUID);
--
-- CertData->SignatureOwner = SHIM_LOCK_GUID;
-- CopyMem(p, *v->addend_source, *v->addend_size);
-+
-+ if (vendor_esl_size) {
-+ CopyMem(p, vendor_esl, vendor_esl_size);
-+ p += vendor_esl_size;
-+ }
-+
-+ if (vendor_cert_size) {
-+ EFI_SIGNATURE_LIST *CertList = NULL;
-+ EFI_SIGNATURE_DATA *CertData = NULL;
-+
-+ CertList = (EFI_SIGNATURE_LIST *)p;
-+ p += sizeof (*CertList);
-+ CertData = (EFI_SIGNATURE_DATA *)p;
-+ p += sizeof (EFI_GUID);
-+
-+ CertList->SignatureType = EFI_CERT_TYPE_X509_GUID;
-+ CertList->SignatureListSize = vendor_cert_size
-+ + sizeof (*CertList)
-+ + sizeof (*CertData)
-+ -1;
-+ CertList->SignatureHeaderSize = 0;
-+ CertList->SignatureSize = vendor_cert_size + sizeof (EFI_GUID);
-+
-+ CertData->SignatureOwner = SHIM_LOCK_GUID;
-+ CopyMem(p, vendor_cert, vendor_cert_size);
-+ }
-
- if (v->data && v->data_size)
- FreePool(v->data);
-@@ -223,11 +231,24 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
- UINT32 attrs = 0;
- BOOLEAN delete = FALSE, present, addend;
-
-+ addend = (v->flags & MOK_VARIABLE_APPEND_CERT) != 0;
-+
- efi_status = get_variable_attr(v->name,
- &v->data, &v->data_size,
- *v->guid, &attrs);
-- if (efi_status == EFI_NOT_FOUND)
-+ if (efi_status == EFI_NOT_FOUND) {
-+ if (v->rtname && addend) {
-+ efi_status = mirror_one_mok_variable(v);
-+ if (EFI_ERROR(efi_status) &&
-+ ret != EFI_SECURITY_VIOLATION)
-+ ret = efi_status;
-+ }
-+ /*
-+ * after possibly adding, we can continue, no
-+ * further checks to be done.
-+ */
- continue;
-+ }
- if (EFI_ERROR(efi_status)) {
- perror(L"Could not verify %s: %r\n", v->name,
- efi_status);
-@@ -272,9 +293,6 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
- }
-
- present = (v->data && v->data_size) ? TRUE : FALSE;
-- addend = (v->addend_source && v->addend_size &&
-- *v->addend_source && *v->addend_size)
-- ? TRUE : FALSE;
-
- if (v->flags & MOK_VARIABLE_MEASURE && present) {
- /*
-diff --git a/shim.c b/shim.c
-index 05fc6500..64b79da5 100644
---- a/shim.c
-+++ b/shim.c
-@@ -66,14 +66,18 @@ static UINT32 load_options_size;
- */
- extern struct {
- UINT32 vendor_cert_size;
-+ UINT32 vendor_esl_size;
- UINT32 vendor_dbx_size;
- UINT32 vendor_cert_offset;
-+ UINT32 vendor_esl_offset;
- UINT32 vendor_dbx_offset;
- } cert_table;
-
- UINT32 vendor_cert_size;
-+UINT32 vendor_esl_size;
- UINT32 vendor_dbx_size;
- UINT8 *vendor_cert;
-+UINT8 *vendor_esl;
- UINT8 *vendor_dbx;
-
- /*
-@@ -1065,6 +1069,25 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
- }
- #endif /* defined(ENABLE_SHIM_CERT) */
-
-+ /*
-+ * Check against a built-in EFI Signature List (ESL)
-+ */
-+ if (vendor_esl_size &&
-+ check_db_cert_in_ram((EFI_SIGNATURE_LIST*)vendor_esl,
-+ vendor_esl_size,
-+ cert,
-+ sha256hash,
-+ L"Shim",
-+ SHIM_LOCK_GUID) == DATA_FOUND) {
-+ update_verification_method(VERIFIED_BY_CERT);
-+ // tpm_measurement is done by check_db_cert_in_ram
-+ efi_status = EFI_SUCCESS;
-+ drain_openssl_errors();
-+ return efi_status;
-+ } else {
-+ LogError(L"check_db_cert_in_ram(vendor_esl) failed\n");
-+ }
-+
- /*
- * And finally, check against shim's built-in key
- */
-@@ -2541,8 +2564,10 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
- verification_method = VERIFIED_BY_NOTHING;
-
- vendor_cert_size = cert_table.vendor_cert_size;
-+ vendor_esl_size = cert_table.vendor_esl_size;
- vendor_dbx_size = cert_table.vendor_dbx_size;
- vendor_cert = (UINT8 *)&cert_table + cert_table.vendor_cert_offset;
-+ vendor_esl = (UINT8 *)&cert_table + cert_table.vendor_esl_offset;
- vendor_dbx = (UINT8 *)&cert_table + cert_table.vendor_dbx_offset;
- CHAR16 *msgs[] = {
- L"import_mok_state() failed\n",
-diff --git a/shim.h b/shim.h
-index 2b359d82..2e411040 100644
---- a/shim.h
-+++ b/shim.h
-@@ -167,8 +167,10 @@ extern EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath);
- extern EFI_STATUS import_mok_state(EFI_HANDLE image_handle);
-
- extern UINT32 vendor_cert_size;
-+extern UINT32 vendor_esl_size;
- extern UINT32 vendor_dbx_size;
- extern UINT8 *vendor_cert;
-+extern UINT8 *vendor_esl;
- extern UINT8 *vendor_dbx;
-
- extern UINT8 user_insecure_mode;
diff --git a/SOURCES/0001-Make-sure-that-MOK-variables-always-get-mirrored.patch b/SOURCES/0001-Make-sure-that-MOK-variables-always-get-mirrored.patch
new file mode 100644
index 0000000..0779498
--- /dev/null
+++ b/SOURCES/0001-Make-sure-that-MOK-variables-always-get-mirrored.patch
@@ -0,0 +1,60 @@
+From 9ab0d796bdc9cefdaa3b0df7434845d26c43d894 Mon Sep 17 00:00:00 2001
+From: Patrick Uiterwijk <patrick@puiterwijk.org>
+Date: Mon, 5 Nov 2018 14:51:16 +0100
+Subject: [PATCH 1/3] Make sure that MOK variables always get mirrored
+
+Without this, if a Mok variable doesn't exist in Boot Services, it will also
+not be copied to Runtime, even if we have data to be added to it (vendor cert).
+This patch makes sure that if we have extra data to append, we still mirror
+the variable.
+
+Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
+---
+ mok.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index 38675211e0e..00dd1ad3034 100644
+--- a/mok.c
++++ b/mok.c
+@@ -223,11 +223,26 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ UINT32 attrs = 0;
+ BOOLEAN delete = FALSE, present, addend;
+
++ addend = (v->addend_source && v->addend_size &&
++ *v->addend_source && *v->addend_size)
++ ? TRUE : FALSE;
++
+ efi_status = get_variable_attr(v->name,
+ &v->data, &v->data_size,
+ *v->guid, &attrs);
+- if (efi_status == EFI_NOT_FOUND)
++ if (efi_status == EFI_NOT_FOUND) {
++ if (v->rtname && addend) {
++ efi_status = mirror_one_mok_variable(v);
++ if (EFI_ERROR(efi_status) &&
++ ret != EFI_SECURITY_VIOLATION)
++ ret = efi_status;
++ }
++ /*
++ * after possibly adding, we can continue, no
++ * further checks to be done.
++ */
+ continue;
++ }
+ if (EFI_ERROR(efi_status)) {
+ perror(L"Could not verify %s: %r\n", v->name,
+ efi_status);
+@@ -272,9 +287,6 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ }
+
+ present = (v->data && v->data_size) ? TRUE : FALSE;
+- addend = (v->addend_source && v->addend_size &&
+- *v->addend_source && *v->addend_size)
+- ? TRUE : FALSE;
+
+ if (v->flags & MOK_VARIABLE_MEASURE && present) {
+ /*
+--
+2.20.1
+
diff --git a/SOURCES/0002-MokListRT-Fatal.patch b/SOURCES/0002-MokListRT-Fatal.patch
deleted file mode 100644
index 6590ae9..0000000
--- a/SOURCES/0002-MokListRT-Fatal.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 9a2dd0a945720634b9f3608c3b3dfb99fafd4465 Mon Sep 17 00:00:00 2001
-From: Patrick Uiterwijk <patrick@puiterwijk.org>
-Date: Thu, 6 Dec 2018 10:08:45 +0100
-Subject: [PATCH] Make EFI variable copying fatal only on secureboot enabled
- systems
-
-I have come across systems that are unwilling to reserve enough memory for
-a MokListRT big enough for big certificates.
-This seems to be the case with firmware implementations that do not support
-secureboot, which is probably the reason they went with much lower variable
-storage.
-
-This patch set makes sure we can still boot on those systems, by only
-making the copy action fatal if the system has secure boot enabled, or if
-the error was anything other than EFI_INVALID_PARAMETER.
-
-Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
----
- shim.c | 14 +++++++++++---
- 1 file changed, 11 insertions(+), 3 deletions(-)
-
-diff --git a/shim.c b/shim.c
-index fcc11eb3..89ef0036 100644
---- a/shim.c
-+++ b/shim.c
-@@ -2632,9 +2632,17 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
- die:
- console_print(L"Something has gone seriously wrong: %s: %r\n",
- msgs[msg], efi_status);
-- msleep(5000000);
-- gRT->ResetSystem(EfiResetShutdown, EFI_SECURITY_VIOLATION,
-- 0, NULL);
-+ /*
-+ * Make copy failures fatal only if secure_mode is enabled, or
-+ * the error was anything else than EFI_INVALID_PARAMETER.
-+ * There are non-secureboot firmware implementations that don't
-+ * reserve enough EFI variable memory to fit the variable.
-+ */
-+ if (secure_mode() || efi_status != EFI_INVALID_PARAMETER) {
-+ msleep(5000000);
-+ gRT->ResetSystem(EfiResetShutdown, EFI_SECURITY_VIOLATION,
-+ 0, NULL);
-+ }
- }
-
- efi_status = shim_init();
diff --git a/SOURCES/0002-mok-fix-the-mirroring-of-RT-variables.patch b/SOURCES/0002-mok-fix-the-mirroring-of-RT-variables.patch
new file mode 100644
index 0000000..fc2adbc
--- /dev/null
+++ b/SOURCES/0002-mok-fix-the-mirroring-of-RT-variables.patch
@@ -0,0 +1,49 @@
+From 4b27ae034ba9885960e72f77b3f687a9b7fea824 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Wed, 21 Nov 2018 12:47:43 +0800
+Subject: [PATCH 2/3] mok: fix the mirroring of RT variables
+
+When there is no key in MokList, import_mok_state() just skipped MokList
+even though it should always mirror the vendor cert. Besides, the faulty
+check of 'present' and 'addend' invalidates the mirroring of MokListXRT,
+MokSBStateRT, and MokIgnoreDB.
+
+https://github.com/rhboot/shim/issues/154
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ mok.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index 00dd1ad3034..41925abbb49 100644
+--- a/mok.c
++++ b/mok.c
+@@ -231,12 +231,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ &v->data, &v->data_size,
+ *v->guid, &attrs);
+ if (efi_status == EFI_NOT_FOUND) {
+- if (v->rtname && addend) {
+- efi_status = mirror_one_mok_variable(v);
+- if (EFI_ERROR(efi_status) &&
+- ret != EFI_SECURITY_VIOLATION)
+- ret = efi_status;
+- }
++ if (addend)
++ goto mirror_addend;
+ /*
+ * after possibly adding, we can continue, no
+ * further checks to be done.
+@@ -316,7 +312,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ }
+ }
+
+- if (v->rtname && present && addend) {
++mirror_addend:
++ if (v->rtname && (present || addend)) {
+ if (v->flags & MOK_MIRROR_DELETE_FIRST)
+ LibDeleteVariable(v->rtname, v->guid);
+
+--
+2.20.1
+
diff --git a/SOURCES/0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch b/SOURCES/0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch
new file mode 100644
index 0000000..caded4e
--- /dev/null
+++ b/SOURCES/0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch
@@ -0,0 +1,109 @@
+From 29c11483101b460869a5e0dba1f425073862127d Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Thu, 31 Jan 2019 13:45:30 -0500
+Subject: [PATCH 3/3] mok: consolidate mirroring code in a helper instead of
+ using goto
+
+There's no reason to complicate the logic with a goto here, instead just
+pull the logic we're jumping to out to a helper function.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ mok.c | 41 ++++++++++++++++++++++++++++-------------
+ shim.h | 2 ++
+ 2 files changed, 30 insertions(+), 13 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index 41925abbb49..2f495e6cf25 100644
+--- a/mok.c
++++ b/mok.c
+@@ -130,7 +130,8 @@ struct mok_state_variable mok_state_variables[] = {
+ { NULL, }
+ };
+
+-static EFI_STATUS mirror_one_mok_variable(struct mok_state_variable *v)
++static EFI_STATUS nonnull(1)
++mirror_one_mok_variable(struct mok_state_variable *v)
+ {
+ EFI_STATUS efi_status = EFI_SUCCESS;
+ void *FullData = NULL;
+@@ -196,6 +197,29 @@ static EFI_STATUS mirror_one_mok_variable(struct mok_state_variable *v)
+ return efi_status;
+ }
+
++/*
++ * Mirror a variable if it has an rtname, and preserve any
++ * EFI_SECURITY_VIOLATION status at the same time.
++ */
++static EFI_STATUS nonnull(1)
++maybe_mirror_one_mok_variable(struct mok_state_variable *v, EFI_STATUS ret)
++{
++ EFI_STATUS efi_status;
++ if (v->rtname) {
++ if (v->flags & MOK_MIRROR_DELETE_FIRST)
++ LibDeleteVariable(v->rtname, v->guid);
++
++ efi_status = mirror_one_mok_variable(v);
++ if (EFI_ERROR(efi_status)) {
++ if (ret != EFI_SECURITY_VIOLATION)
++ ret = efi_status;
++ perror(L"Could not create %s: %r\n", v->rtname,
++ efi_status);
++ }
++ }
++ return ret;
++}
++
+ /*
+ * Verify our non-volatile MoK state. This checks the variables above
+ * accessable and have valid attributes. If they don't, it removes
+@@ -232,7 +256,7 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ *v->guid, &attrs);
+ if (efi_status == EFI_NOT_FOUND) {
+ if (addend)
+- goto mirror_addend;
++ ret = maybe_mirror_one_mok_variable(v, ret);
+ /*
+ * after possibly adding, we can continue, no
+ * further checks to be done.
+@@ -312,16 +336,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ }
+ }
+
+-mirror_addend:
+- if (v->rtname && (present || addend)) {
+- if (v->flags & MOK_MIRROR_DELETE_FIRST)
+- LibDeleteVariable(v->rtname, v->guid);
+-
+- efi_status = mirror_one_mok_variable(v);
+- if (EFI_ERROR(efi_status) &&
+- ret != EFI_SECURITY_VIOLATION)
+- ret = efi_status;
+- }
++ if (present)
++ ret = maybe_mirror_one_mok_variable(v, ret);
+ }
+
+ /*
+@@ -340,4 +356,4 @@ mirror_addend:
+ return ret;
+ }
+
+-// vim:fenc=utf-8:tw=75
++// vim:fenc=utf-8:tw=75:noet
+diff --git a/shim.h b/shim.h
+index 2b359d821e3..c26d5f06538 100644
+--- a/shim.h
++++ b/shim.h
+@@ -30,6 +30,8 @@
+
+ #include <stddef.h>
+
++#define nonnull(...) __attribute__((__nonnull__(__VA_ARGS__)))
++
+ #define min(a, b) ({(a) < (b) ? (a) : (b);})
+
+ #ifdef __x86_64__
+--
+2.20.1
+
diff --git a/SOURCES/0004-Make-VLogError-behave-as-expected.patch b/SOURCES/0004-Make-VLogError-behave-as-expected.patch
new file mode 100644
index 0000000..2e5ca64
--- /dev/null
+++ b/SOURCES/0004-Make-VLogError-behave-as-expected.patch
@@ -0,0 +1,50 @@
+From 0bff94b170116737e6e0838c35c0ac376542a5c0 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 12 Feb 2019 18:04:49 -0500
+Subject: [PATCH 4/4] Make VLogError() behave as expected.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ errlog.c | 15 +++------------
+ 1 file changed, 3 insertions(+), 12 deletions(-)
+
+diff --git a/errlog.c b/errlog.c
+index 18be4822d53..eebb266d396 100644
+--- a/errlog.c
++++ b/errlog.c
+@@ -14,29 +14,20 @@ EFI_STATUS
+ VLogError(const char *file, int line, const char *func, CHAR16 *fmt, va_list args)
+ {
+ va_list args2;
+- UINTN size = 0, size2;
+ CHAR16 **newerrs;
+
+- size = SPrint(NULL, 0, L"%a:%d %a() ", file, line, func);
+- va_copy(args2, args);
+- size2 = VSPrint(NULL, 0, fmt, args2);
+- va_end(args2);
+-
+ newerrs = ReallocatePool(errs, (nerrs + 1) * sizeof(*errs),
+ (nerrs + 3) * sizeof(*errs));
+ if (!newerrs)
+ return EFI_OUT_OF_RESOURCES;
+
+- newerrs[nerrs] = AllocatePool(size*2+2);
++ newerrs[nerrs] = PoolPrint(L"%a:%d %a() ", file, line, func);
+ if (!newerrs[nerrs])
+ return EFI_OUT_OF_RESOURCES;
+- newerrs[nerrs+1] = AllocatePool(size2*2+2);
++ va_copy(args2, args);
++ newerrs[nerrs+1] = VPoolPrint(fmt, args2);
+ if (!newerrs[nerrs+1])
+ return EFI_OUT_OF_RESOURCES;
+-
+- SPrint(newerrs[nerrs], size*2+2, L"%a:%d %a() ", file, line, func);
+- va_copy(args2, args);
+- VSPrint(newerrs[nerrs+1], size2*2+2, fmt, args2);
+ va_end(args2);
+
+ nerrs += 2;
+--
+2.20.1
+
diff --git a/SOURCES/0005-Once-again-try-even-harder-to-get-binaries-without-t.patch b/SOURCES/0005-Once-again-try-even-harder-to-get-binaries-without-t.patch
new file mode 100644
index 0000000..8e3c47a
--- /dev/null
+++ b/SOURCES/0005-Once-again-try-even-harder-to-get-binaries-without-t.patch
@@ -0,0 +1,97 @@
+From fea3f2ec1936cfb9ed0b3ee62d9d23698097b814 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 15 Mar 2019 09:52:02 -0400
+Subject: [PATCH] Once again, try even harder to get binaries without
+ timestamps in them.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+$ objdump -x /builddir/build/BUILDROOT/shim-*/usr/share/shim/*/shimx64.efi | grep 'Time/Date'
+Time/Date Thu Jan 1 00:00:08 1970
+$ _
+
+"What is despair? I have known it—hear my song. Despair is when you’re
+debugging a kernel driver and you look at a memory dump and you see that
+a pointer has a value of 7."
+ - http://scholar.harvard.edu/files/mickens/files/thenightwatch.pdf
+
+objcopy only knows about -D for some targets.
+ld only believes in --no-insert-timestamp in some versions.
+dd takes off and nukes the site from orbit.
+
+It's the only way to be sure.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ Make.defaults | 4 ++++
+ Makefile | 6 ++++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/Make.defaults b/Make.defaults
+index e11ab5a7f2c..4c26c1adf1f 100644
+--- a/Make.defaults
++++ b/Make.defaults
+@@ -72,6 +72,7 @@ ifeq ($(ARCH),x86_64)
+ ARCH_SUFFIX ?= x64
+ ARCH_SUFFIX_UPPER ?= X64
+ ARCH_LDFLAGS ?=
++ TIMESTAMP_LOCATION := 136
+ endif
+ ifeq ($(ARCH),ia32)
+ CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
+@@ -81,6 +82,7 @@ ifeq ($(ARCH),ia32)
+ ARCH_SUFFIX ?= ia32
+ ARCH_SUFFIX_UPPER ?= IA32
+ ARCH_LDFLAGS ?=
++ TIMESTAMP_LOCATION := 136
+ endif
+ ifeq ($(ARCH),aarch64)
+ CFLAGS += -DMDE_CPU_AARCH64 -DPAGE_SIZE=4096 -mstrict-align
+@@ -90,6 +92,7 @@ ifeq ($(ARCH),aarch64)
+ FORMAT := -O binary
+ SUBSYSTEM := 0xa
+ ARCH_LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
++ TIMESTAMP_LOCATION := 72
+ endif
+ ifeq ($(ARCH),arm)
+ CFLAGS += -DMDE_CPU_ARM -DPAGE_SIZE=4096 -mstrict-align
+@@ -99,6 +102,7 @@ ifeq ($(ARCH),arm)
+ FORMAT := -O binary
+ SUBSYSTEM := 0xa
+ ARCH_LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
++ TIMESTAMP_LOCATION := 72
+ endif
+
+ FORMAT ?= --target efi-app-$(ARCH)
+diff --git a/Makefile b/Makefile
+index 115e7f08c0f..a012c9f0d16 100644
+--- a/Makefile
++++ b/Makefile
+@@ -189,11 +189,13 @@ endif
+ ifneq ($(OBJCOPY_GTE224),1)
+ $(error objcopy >= 2.24 is required)
+ endif
+- $(OBJCOPY) -j .text -j .sdata -j .data -j .data.ident \
++ $(OBJCOPY) -D -j .text -j .sdata -j .data -j .data.ident \
+ -j .dynamic -j .dynsym -j .rel* \
+ -j .rela* -j .reloc -j .eh_frame \
+ -j .vendor_cert \
+ $(FORMAT) $^ $@
++ # I am tired of wasting my time fighting binutils timestamp code.
++ dd conv=notrunc bs=1 count=4 seek=$(TIMESTAMP_LOCATION) if=/dev/zero of=$@
+
+ ifneq ($(origin ENABLE_SHIM_HASH),undefined)
+ %.hash : %.efi
+@@ -204,7 +206,7 @@ endif
+ ifneq ($(OBJCOPY_GTE224),1)
+ $(error objcopy >= 2.24 is required)
+ endif
+- $(OBJCOPY) -j .text -j .sdata -j .data \
++ $(OBJCOPY) -D -j .text -j .sdata -j .data \
+ -j .dynamic -j .dynsym -j .rel* \
+ -j .rela* -j .reloc -j .eh_frame \
+ -j .debug_info -j .debug_abbrev -j .debug_aranges \
+--
+2.20.1
+
diff --git a/SOURCES/centos.esl b/SOURCES/centos.esl
deleted file mode 100644
index c0815a7..0000000
Binary files a/SOURCES/centos.esl and /dev/null differ
diff --git a/SPECS/shim.spec b/SPECS/shim.spec
index d43865d..c42bf48 100644
--- a/SPECS/shim.spec
+++ b/SPECS/shim.spec
@@ -1,20 +1,22 @@
Name: shim
Version: 15
-Release: 2%{?dist}
+Release: 5%{?dist}
Summary: First-stage UEFI bootloader
License: BSD
URL: http://www.codon.org.uk/~mjg59/shim/
Source0: https://github.com/mjg59/shim/releases/download/%{version}/shim-%{version}.tar.bz2
-#Source1: centos.crt
+Source1: securebootca.cer
# currently here's what's in our dbx: # nothing.
#Source2: dbx-x64.esl
#Source3: dbx-aa64.esl
Source4: shim-find-debuginfo.sh
-Source5: centos.esl
-Patch0: 0001-Add-vendor-esl.patch
-Patch1: 0002-MokListRT-Fatal.patch
+Patch0001: 0001-Make-sure-that-MOK-variables-always-get-mirrored.patch
+Patch0002: 0002-mok-fix-the-mirroring-of-RT-variables.patch
+Patch0003: 0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch
+Patch0004: 0004-Make-VLogError-behave-as-expected.patch
+Patch0005: 0005-Once-again-try-even-harder-to-get-binaries-without-t.patch
BuildRequires: git openssl-devel openssl
BuildRequires: pesign >= 0.106-1
@@ -122,8 +124,8 @@ git config --unset user.name
%endif
%build
-COMMITID=$(cat %{name}-%{version}-%{efiarch}/commit)
-MAKEFLAGS="RELEASE=%{release} ENABLE_HTTPBOOT=true COMMITID=${COMMITID}"
+COMMIT_ID=$(cat %{name}-%{version}-%{efiarch}/commit)
+MAKEFLAGS="RELEASE=%{release} ENABLE_HTTPBOOT=true COMMIT_ID=${COMMIT_ID}"
%ifarch aarch64
if [ -f "%{SOURCE1}" ]; then
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
@@ -131,10 +133,6 @@ fi
if [ -f "%{SOURCE3}" ]; then
MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE3}"
fi
-if [ -f "%{SOURCE5}" ]; then
- MAKEFLAGS="$MAKEFLAGS VENDOR_ESL_FILE=%{SOURCE5}"
-fi
-
%else
if [ -f "%{SOURCE1}" ]; then
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
@@ -142,17 +140,13 @@ fi
if [ -f "%{SOURCE2}" ]; then
MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
fi
-if [ -f "%{SOURCE5}" ]; then
- MAKEFLAGS="$MAKEFLAGS VENDOR_ESL_FILE=%{SOURCE5}"
-fi
-
%endif
cd %{name}-%{version}-%{efiarch}
make 'DEFAULT_LOADER=\\\\grub%{efiarch}.efi' ${MAKEFLAGS} shim%{efiarch}.efi mm%{efiarch}.efi fb%{efiarch}.efi
%ifarch x86_64
cd ../%{name}-%{version}-ia32
-setarch linux32 -B make 'DEFAULT_LOADER=\\\\grubia32.efi' ARCH=ia32 ${MAKEFLAGS} shimia32.efi mmia32.efi fbia32.efi
+setarch linux32 make 'DEFAULT_LOADER=\\\\grubia32.efi' ARCH=ia32 ${MAKEFLAGS} shimia32.efi mmia32.efi fbia32.efi
cd ../%{name}-%{version}-%{efiarch}
%endif
@@ -229,12 +223,23 @@ cd ../%{name}-%{version}-%{efiarch}
%endif
%changelog
-* Thu Dec 06 2018 Fabian Arrotin <arrfab@centos.org> - 15-2.el7.centos
-- 0002-MokListRT-Fatal.patch (https://github.com/rhboot/shim/pull/157) (#15522)
-
-* Tue Oct 30 2018 Fabian Arrotin <arrfab@centos.org> - 15-1.el7.centos
-- Added 0001-Add-vendor-esl.patch (Patrick Uiterwijk)
-- Rebuilt with combined centos.esl (so new and previous crt)
+* Mon Mar 18 2019 Peter Jones <pjones@redhat.com> - 15-5
+- Fix a couple more things that are breaking reproducability, and thus
+ breaking external review.
+ Related: rhbz#1649270
+
+* Fri Mar 15 2019 Peter Jones <pjones@redhat.com> - 15-4
+- Fight with binutils to try to get a binary without timestamps in it.
+ Again, but without breaking aarch64 this time.
+ Related: rhbz#1649270
+
+* Fri Mar 15 2019 Peter Jones <pjones@redhat.com> - 15-3
+- Fight with binutils to try to get a binary without timestamps in it. Again.
+ Related: rhbz#1649270
+
+* Tue Feb 12 2019 Peter Jones <pjones@redhat.com> - 15-2
+- Fix MoK mirroring issue which breaks kdump without intervention
+ Related: rhbz#1649270
* Mon Jun 18 2018 Peter Jones <pjones@redhat.com> - 15-1
- Update to shim 15