diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..6af0766
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/shim-15.tar.bz2
diff --git a/.shim.metadata b/.shim.metadata
new file mode 100644
index 0000000..5677fcd
--- /dev/null
+++ b/.shim.metadata
@@ -0,0 +1 @@
+2dc6308584187bf3ee88bf9b119938c72c5a5088 SOURCES/shim-15.tar.bz2
diff --git a/SOURCES/0001-Make-sure-that-MOK-variables-always-get-mirrored.patch b/SOURCES/0001-Make-sure-that-MOK-variables-always-get-mirrored.patch
new file mode 100644
index 0000000..0779498
--- /dev/null
+++ b/SOURCES/0001-Make-sure-that-MOK-variables-always-get-mirrored.patch
@@ -0,0 +1,60 @@
+From 9ab0d796bdc9cefdaa3b0df7434845d26c43d894 Mon Sep 17 00:00:00 2001
+From: Patrick Uiterwijk <patrick@puiterwijk.org>
+Date: Mon, 5 Nov 2018 14:51:16 +0100
+Subject: [PATCH 1/3] Make sure that MOK variables always get mirrored
+
+Without this, if a Mok variable doesn't exist in Boot Services, it will also
+not be copied to Runtime, even if we have data to be added to it (vendor cert).
+This patch makes sure that if we have extra data to append, we still mirror
+the variable.
+
+Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
+---
+ mok.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index 38675211e0e..00dd1ad3034 100644
+--- a/mok.c
++++ b/mok.c
+@@ -223,11 +223,26 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ 		UINT32 attrs = 0;
+ 		BOOLEAN delete = FALSE, present, addend;
+ 
++		addend = (v->addend_source && v->addend_size &&
++			  *v->addend_source && *v->addend_size)
++			? TRUE : FALSE;
++
+ 		efi_status = get_variable_attr(v->name,
+ 					       &v->data, &v->data_size,
+ 					       *v->guid, &attrs);
+-		if (efi_status == EFI_NOT_FOUND)
++		if (efi_status == EFI_NOT_FOUND) {
++			if (v->rtname && addend) {
++				efi_status = mirror_one_mok_variable(v);
++				if (EFI_ERROR(efi_status) &&
++				    ret != EFI_SECURITY_VIOLATION)
++					ret = efi_status;
++			}
++			/*
++			 * after possibly adding, we can continue, no
++			 * further checks to be done.
++			 */
+ 			continue;
++		}
+ 		if (EFI_ERROR(efi_status)) {
+ 			perror(L"Could not verify %s: %r\n", v->name,
+ 			       efi_status);
+@@ -272,9 +287,6 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ 		}
+ 
+ 		present = (v->data && v->data_size) ? TRUE : FALSE;
+-		addend = (v->addend_source && v->addend_size &&
+-			  *v->addend_source && *v->addend_size)
+-			? TRUE : FALSE;
+ 
+ 		if (v->flags & MOK_VARIABLE_MEASURE && present) {
+ 			/*
+-- 
+2.20.1
+
diff --git a/SOURCES/0002-mok-fix-the-mirroring-of-RT-variables.patch b/SOURCES/0002-mok-fix-the-mirroring-of-RT-variables.patch
new file mode 100644
index 0000000..fc2adbc
--- /dev/null
+++ b/SOURCES/0002-mok-fix-the-mirroring-of-RT-variables.patch
@@ -0,0 +1,49 @@
+From 4b27ae034ba9885960e72f77b3f687a9b7fea824 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Wed, 21 Nov 2018 12:47:43 +0800
+Subject: [PATCH 2/3] mok: fix the mirroring of RT variables
+
+When there is no key in MokList, import_mok_state() just skipped MokList
+even though it should always mirror the vendor cert. Besides, the faulty
+check of 'present' and 'addend' invalidates the mirroring of MokListXRT,
+MokSBStateRT, and MokIgnoreDB.
+
+https://github.com/rhboot/shim/issues/154
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ mok.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index 00dd1ad3034..41925abbb49 100644
+--- a/mok.c
++++ b/mok.c
+@@ -231,12 +231,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ 					       &v->data, &v->data_size,
+ 					       *v->guid, &attrs);
+ 		if (efi_status == EFI_NOT_FOUND) {
+-			if (v->rtname && addend) {
+-				efi_status = mirror_one_mok_variable(v);
+-				if (EFI_ERROR(efi_status) &&
+-				    ret != EFI_SECURITY_VIOLATION)
+-					ret = efi_status;
+-			}
++			if (addend)
++				goto mirror_addend;
+ 			/*
+ 			 * after possibly adding, we can continue, no
+ 			 * further checks to be done.
+@@ -316,7 +312,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ 			}
+ 		}
+ 
+-		if (v->rtname && present && addend) {
++mirror_addend:
++		if (v->rtname && (present || addend)) {
+ 			if (v->flags & MOK_MIRROR_DELETE_FIRST)
+ 				LibDeleteVariable(v->rtname, v->guid);
+ 
+-- 
+2.20.1
+
diff --git a/SOURCES/0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch b/SOURCES/0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch
new file mode 100644
index 0000000..caded4e
--- /dev/null
+++ b/SOURCES/0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch
@@ -0,0 +1,109 @@
+From 29c11483101b460869a5e0dba1f425073862127d Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Thu, 31 Jan 2019 13:45:30 -0500
+Subject: [PATCH 3/3] mok: consolidate mirroring code in a helper instead of
+ using goto
+
+There's no reason to complicate the logic with a goto here, instead just
+pull the logic we're jumping to out to a helper function.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ mok.c  | 41 ++++++++++++++++++++++++++++-------------
+ shim.h |  2 ++
+ 2 files changed, 30 insertions(+), 13 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index 41925abbb49..2f495e6cf25 100644
+--- a/mok.c
++++ b/mok.c
+@@ -130,7 +130,8 @@ struct mok_state_variable mok_state_variables[] = {
+ 	{ NULL, }
+ };
+ 
+-static EFI_STATUS mirror_one_mok_variable(struct mok_state_variable *v)
++static EFI_STATUS nonnull(1)
++mirror_one_mok_variable(struct mok_state_variable *v)
+ {
+ 	EFI_STATUS efi_status = EFI_SUCCESS;
+ 	void *FullData = NULL;
+@@ -196,6 +197,29 @@ static EFI_STATUS mirror_one_mok_variable(struct mok_state_variable *v)
+ 	return efi_status;
+ }
+ 
++/*
++ * Mirror a variable if it has an rtname, and preserve any
++ * EFI_SECURITY_VIOLATION status at the same time.
++ */
++static EFI_STATUS nonnull(1)
++maybe_mirror_one_mok_variable(struct mok_state_variable *v, EFI_STATUS ret)
++{
++	EFI_STATUS efi_status;
++	if (v->rtname) {
++		if (v->flags & MOK_MIRROR_DELETE_FIRST)
++			LibDeleteVariable(v->rtname, v->guid);
++
++		efi_status = mirror_one_mok_variable(v);
++		if (EFI_ERROR(efi_status)) {
++			if (ret != EFI_SECURITY_VIOLATION)
++				ret = efi_status;
++			perror(L"Could not create %s: %r\n", v->rtname,
++			       efi_status);
++		}
++	}
++	return ret;
++}
++
+ /*
+  * Verify our non-volatile MoK state.  This checks the variables above
+  * accessable and have valid attributes.  If they don't, it removes
+@@ -232,7 +256,7 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ 					       *v->guid, &attrs);
+ 		if (efi_status == EFI_NOT_FOUND) {
+ 			if (addend)
+-				goto mirror_addend;
++				ret = maybe_mirror_one_mok_variable(v, ret);
+ 			/*
+ 			 * after possibly adding, we can continue, no
+ 			 * further checks to be done.
+@@ -312,16 +336,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ 			}
+ 		}
+ 
+-mirror_addend:
+-		if (v->rtname && (present || addend)) {
+-			if (v->flags & MOK_MIRROR_DELETE_FIRST)
+-				LibDeleteVariable(v->rtname, v->guid);
+-
+-			efi_status = mirror_one_mok_variable(v);
+-			if (EFI_ERROR(efi_status) &&
+-			    ret != EFI_SECURITY_VIOLATION)
+-				ret = efi_status;
+-		}
++		if (present)
++			ret = maybe_mirror_one_mok_variable(v, ret);
+ 	}
+ 
+ 	/*
+@@ -340,4 +356,4 @@ mirror_addend:
+ 	return ret;
+ }
+ 
+-// vim:fenc=utf-8:tw=75
++// vim:fenc=utf-8:tw=75:noet
+diff --git a/shim.h b/shim.h
+index 2b359d821e3..c26d5f06538 100644
+--- a/shim.h
++++ b/shim.h
+@@ -30,6 +30,8 @@
+ 
+ #include <stddef.h>
+ 
++#define nonnull(...) __attribute__((__nonnull__(__VA_ARGS__)))
++
+ #define min(a, b) ({(a) < (b) ? (a) : (b);})
+ 
+ #ifdef __x86_64__
+-- 
+2.20.1
+
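Review bot: The tail of the loop in import_mok_state() now mirrors only when `present` is set, while the lines it replaces mirrored on `present || addend`. The code between the EFI_NOT_FOUND branch and this point is outside the hunk, so I cannot confirm it, but a variable that is found and reaches here with no data would no longer get its addend (the vendor cert) copied to the RT variable. Either keep the wider test, `if (present || addend)`, or add a comment stating why the addend-only case cannot reach this line. Separately, maybe_mirror_one_mok_variable() ignores the status of `LibDeleteVariable(v->rtname, v->guid)`; logging a failure there with `perror` would make a stale RT variable easier to diagnose.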
diff --git a/SOURCES/0004-Make-VLogError-behave-as-expected.patch b/SOURCES/0004-Make-VLogError-behave-as-expected.patch
new file mode 100644
index 0000000..2e5ca64
--- /dev/null
+++ b/SOURCES/0004-Make-VLogError-behave-as-expected.patch
@@ -0,0 +1,50 @@
+From 0bff94b170116737e6e0838c35c0ac376542a5c0 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 12 Feb 2019 18:04:49 -0500
+Subject: [PATCH 4/4] Make VLogError() behave as expected.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ errlog.c | 15 +++------------
+ 1 file changed, 3 insertions(+), 12 deletions(-)
+
+diff --git a/errlog.c b/errlog.c
+index 18be4822d53..eebb266d396 100644
+--- a/errlog.c
++++ b/errlog.c
+@@ -14,29 +14,20 @@ EFI_STATUS
+ VLogError(const char *file, int line, const char *func, CHAR16 *fmt, va_list args)
+ {
+ 	va_list args2;
+-	UINTN size = 0, size2;
+ 	CHAR16 **newerrs;
+ 
+-	size = SPrint(NULL, 0, L"%a:%d %a() ", file, line, func);
+-	va_copy(args2, args);
+-	size2 = VSPrint(NULL, 0, fmt, args2);
+-	va_end(args2);
+-
+ 	newerrs = ReallocatePool(errs, (nerrs + 1) * sizeof(*errs),
+ 				       (nerrs + 3) * sizeof(*errs));
+ 	if (!newerrs)
+ 		return EFI_OUT_OF_RESOURCES;
+ 
+-	newerrs[nerrs] = AllocatePool(size*2+2);
++	newerrs[nerrs] = PoolPrint(L"%a:%d %a() ", file, line, func);
+ 	if (!newerrs[nerrs])
+ 		return EFI_OUT_OF_RESOURCES;
+-	newerrs[nerrs+1] = AllocatePool(size2*2+2);
++	va_copy(args2, args);
++	newerrs[nerrs+1] = VPoolPrint(fmt, args2);
+ 	if (!newerrs[nerrs+1])
+ 		return EFI_OUT_OF_RESOURCES;
+-
+-	SPrint(newerrs[nerrs], size*2+2, L"%a:%d %a() ", file, line, func);
+-	va_copy(args2, args);
+-	VSPrint(newerrs[nerrs+1], size2*2+2, fmt, args2);
+ 	va_end(args2);
+ 
+ 	nerrs += 2;
+-- 
+2.20.1
+
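Review bot: In VLogError() the early return after `newerrs[nerrs+1] = VPoolPrint(fmt, args2);` skips `va_end(args2)` and leaks the string just stored in `newerrs[nerrs]`. Move `va_end(args2);` to directly after the VPoolPrint() call and add `FreePool(newerrs[nerrs]);` before that `return EFI_OUT_OF_RESOURCES;`. The function continues past the hunk, so this is unconfirmed, but if `errs` is only reassigned after `nerrs += 2`, both early returns also leave the global pointing at the pool that ReallocatePool() has already released. Assigning `errs = newerrs;` right after the ReallocatePool() check would close that window.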
diff --git a/SOURCES/0005-Once-again-try-even-harder-to-get-binaries-without-t.patch b/SOURCES/0005-Once-again-try-even-harder-to-get-binaries-without-t.patch
new file mode 100644
index 0000000..8e3c47a
--- /dev/null
+++ b/SOURCES/0005-Once-again-try-even-harder-to-get-binaries-without-t.patch
@@ -0,0 +1,97 @@
+From fea3f2ec1936cfb9ed0b3ee62d9d23698097b814 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 15 Mar 2019 09:52:02 -0400
+Subject: [PATCH] Once again, try even harder to get binaries without
+ timestamps in them.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+$ objdump -x /builddir/build/BUILDROOT/shim-*/usr/share/shim/*/shimx64.efi | grep 'Time/Date'
+Time/Date		Thu Jan  1 00:00:08 1970
+$ _
+
+"What is despair? I have known it—hear my song. Despair is when you’re
+debugging a kernel driver and you look at a memory dump and you see that
+a pointer has a value of 7."
+ - http://scholar.harvard.edu/files/mickens/files/thenightwatch.pdf
+
+objcopy only knows about -D for some targets.
+ld only believes in --no-insert-timestamp in some versions.
+dd takes off and nukes the site from orbit.
+
+It's the only way to be sure.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ Make.defaults | 4 ++++
+ Makefile      | 6 ++++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/Make.defaults b/Make.defaults
+index e11ab5a7f2c..4c26c1adf1f 100644
+--- a/Make.defaults
++++ b/Make.defaults
+@@ -72,6 +72,7 @@ ifeq ($(ARCH),x86_64)
+ 	ARCH_SUFFIX		?= x64
+ 	ARCH_SUFFIX_UPPER	?= X64
+ 	ARCH_LDFLAGS		?=
++	TIMESTAMP_LOCATION	:= 136
+ endif
+ ifeq ($(ARCH),ia32)
+ 	CFLAGS	+= -mno-mmx -mno-sse -mno-red-zone -nostdinc \
+@@ -81,6 +82,7 @@ ifeq ($(ARCH),ia32)
+ 	ARCH_SUFFIX		?= ia32
+ 	ARCH_SUFFIX_UPPER	?= IA32
+ 	ARCH_LDFLAGS		?=
++	TIMESTAMP_LOCATION	:= 136
+ endif
+ ifeq ($(ARCH),aarch64)
+ 	CFLAGS += -DMDE_CPU_AARCH64 -DPAGE_SIZE=4096 -mstrict-align
+@@ -90,6 +92,7 @@ ifeq ($(ARCH),aarch64)
+ 	FORMAT			:= -O binary
+ 	SUBSYSTEM		:= 0xa
+ 	ARCH_LDFLAGS		+= --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
++	TIMESTAMP_LOCATION	:= 72
+ endif
+ ifeq ($(ARCH),arm)
+ 	CFLAGS += -DMDE_CPU_ARM -DPAGE_SIZE=4096 -mstrict-align
+@@ -99,6 +102,7 @@ ifeq ($(ARCH),arm)
+ 	FORMAT			:= -O binary
+ 	SUBSYSTEM		:= 0xa
+ 	ARCH_LDFLAGS		+= --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
++	TIMESTAMP_LOCATION	:= 72
+ endif
+ 
+ FORMAT		?= --target efi-app-$(ARCH)
+diff --git a/Makefile b/Makefile
+index 115e7f08c0f..a012c9f0d16 100644
+--- a/Makefile
++++ b/Makefile
+@@ -189,11 +189,13 @@ endif
+ ifneq ($(OBJCOPY_GTE224),1)
+ 	$(error objcopy >= 2.24 is required)
+ endif
+-	$(OBJCOPY) -j .text -j .sdata -j .data -j .data.ident \
++	$(OBJCOPY) -D -j .text -j .sdata -j .data -j .data.ident \
+ 		-j .dynamic -j .dynsym -j .rel* \
+ 		-j .rela* -j .reloc -j .eh_frame \
+ 		-j .vendor_cert \
+ 		$(FORMAT) $^ $@
++	# I am tired of wasting my time fighting binutils timestamp code.
++	dd conv=notrunc bs=1 count=4 seek=$(TIMESTAMP_LOCATION) if=/dev/zero of=$@
+ 
+ ifneq ($(origin ENABLE_SHIM_HASH),undefined)
+ %.hash : %.efi
+@@ -204,7 +206,7 @@ endif
+ ifneq ($(OBJCOPY_GTE224),1)
+ 	$(error objcopy >= 2.24 is required)
+ endif
+-	$(OBJCOPY) -j .text -j .sdata -j .data \
++	$(OBJCOPY) -D -j .text -j .sdata -j .data \
+ 		-j .dynamic -j .dynsym -j .rel* \
+ 		-j .rela* -j .reloc -j .eh_frame \
+ 		-j .debug_info -j .debug_abbrev -j .debug_aranges \
+-- 
+2.20.1
+
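Review bot: The `dd` line added to the `%.efi` rule zeroes four bytes at a hard-coded `TIMESTAMP_LOCATION` (136 or 72) without checking that the COFF TimeDateStamp is actually at that offset. The values appear to assume the PE signature sits at 0x80 on x86 and 0x40 on ARM, with the stamp 8 bytes after it. If a toolchain or linker-script change moves the header, the rule would silently clear four unrelated bytes in a binary that is later signed. I would document the derivation next to the assignments in Make.defaults, e.g. `# COFF TimeDateStamp = PE signature offset + 8`, and make the rule fail when the four bytes at `TIMESTAMP_LOCATION - 8` are not `PE\0\0`. `TIMESTAMP_LOCATION` is also left unset for any ARCH outside the four branches shown, so a comment saying the resulting `seek=` failure is intended would help.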
diff --git a/SOURCES/securebootca.cer b/SOURCES/securebootca.cer
new file mode 100644
index 0000000..b235400
Binary files /dev/null and b/SOURCES/securebootca.cer differ
diff --git a/SOURCES/shim-find-debuginfo.sh b/SOURCES/shim-find-debuginfo.sh
new file mode 100755
index 0000000..ce3d69e
--- /dev/null
+++ b/SOURCES/shim-find-debuginfo.sh
@@ -0,0 +1,412 @@
+#!/bin/bash
+#find-debuginfo.sh - automagically generate debug info and file list
+#for inclusion in an rpm spec file.
+#
+# Usage: find-debuginfo.sh [--strict-build-id] [-g] [-r]
+#	 		   [-o debugfiles.list]
+#			   [[-l filelist]... [-p 'pattern'] -o debuginfo.list]
+#			   [builddir]
+#
+# The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
+# The --strict-build-id flag says to exit with failure status if
+# any ELF binary processed fails to contain a build-id note.
+# The -r flag says to use eu-strip --reloc-debug-sections.
+#
+# A single -o switch before any -l or -p switches simply renames
+# the primary output file from debugfiles.list to something else.
+# A -o switch that follows a -p switch or some -l switches produces
+# an additional output file with the debuginfo for the files in
+# the -l filelist file, or whose names match the -p pattern.
+# The -p argument is an grep -E -style regexp matching the a file name,
+# and must not use anchors (^ or $).
+#
+# All file names in switches are relative to builddir (. if not given).
+#
+
+# With -g arg, pass it to strip on libraries or executables.
+strip_g=false
+
+# with -r arg, pass --reloc-debug-sections to eu-strip.
+strip_r=false
+
+# Barf on missing build IDs.
+strict=false
+
+BUILDDIR=.
+out=debugfiles.list
+nout=0
+while [ $# -gt 0 ]; do
+  case "$1" in
+  --strict-build-id)
+    strict=true
+    ;;
+  -g)
+    strip_g=true
+    ;;
+  -o)
+    if [ -z "${lists[$nout]}" -a -z "${ptns[$nout]}" ]; then
+      out=$2
+    else
+      outs[$nout]=$2
+      ((nout++))
+    fi
+    shift
+    ;;
+  -l)
+    lists[$nout]="${lists[$nout]} $2"
+    shift
+    ;;
+  -p)
+    ptns[$nout]=$2
+    shift
+    ;;
+  -r)
+    strip_r=true
+    ;;
+  *)
+    BUILDDIR=$1
+    shift
+    break
+    ;;
+  esac
+  shift
+done
+
+i=0
+while ((i < nout)); do
+  outs[$i]="$BUILDDIR/${outs[$i]}"
+  l=''
+  for f in ${lists[$i]}; do
+    l="$l $BUILDDIR/$f"
+  done
+  lists[$i]=$l
+  ((++i))
+done
+
+LISTFILE="$BUILDDIR/$out"
+SOURCEFILE="$BUILDDIR/debugsources.list"
+LINKSFILE="$BUILDDIR/debuglinks.list"
+
+> "$SOURCEFILE"
+> "$LISTFILE"
+> "$LINKSFILE"
+
+debugdir="${RPM_BUILD_ROOT}/usr/lib/debug"
+
+strip_to_debug()
+{
+  local g=
+  local r=
+  $strip_r && r=--reloc-debug-sections
+  $strip_g && case "$(file -bi "$2")" in
+  application/x-sharedlib*) g=-g ;;
+  application/x-executable*) g=-g ;;
+  esac
+  eu-strip --remove-comment $r $g -f "$1" "$2" || exit
+  chmod 444 "$1" || exit
+}
+
+# Make a relative symlink to $1 called $3$2
+shopt -s extglob
+link_relative()
+{
+  local t="$1" f="$2" pfx="$3"
+  local fn="${f#/}" tn="${t#/}"
+  local fd td d
+
+  while fd="${fn%%/*}"; td="${tn%%/*}"; [ "$fd" = "$td" ]; do
+    fn="${fn#*/}"
+    tn="${tn#*/}"
+  done
+
+  d="${fn%/*}"
+  if [ "$d" != "$fn" ]; then
+    d="${d//+([!\/])/..}"
+    tn="${d}/${tn}"
+  fi
+
+  mkdir -p "$(dirname "$pfx$f")" && ln -snf "$tn" "$pfx$f"
+}
+
+# Make a symlink in /usr/lib/debug/$2 to $1
+debug_link()
+{
+  local l="/usr/lib/debug$2"
+  local t="$1"
+  echo >> "$LINKSFILE" "$l $t"
+  link_relative "$t" "$l" "$RPM_BUILD_ROOT"
+}
+
+# Provide .2, .3, ... symlinks to all filename instances of this build-id.
+make_id_dup_link()
+{
+  local id="$1" file="$2" idfile
+
+  local n=1
+  while true; do
+    idfile=".build-id/${id:0:2}/${id:2}.$n"
+    [ $# -eq 3 ] && idfile="${idfile}$3"
+    if [ ! -L "$RPM_BUILD_ROOT/usr/lib/debug/$idfile" ]; then
+      break
+    fi
+    n=$[$n+1]
+  done
+  debug_link "$file" "/$idfile"
+}
+
+# Make a build-id symlink for id $1 with suffix $3 to file $2.
+make_id_link()
+{
+  local id="$1" file="$2"
+  local idfile=".build-id/${id:0:2}/${id:2}"
+  [ $# -eq 3 ] && idfile="${idfile}$3"
+  local root_idfile="$RPM_BUILD_ROOT/usr/lib/debug/$idfile"
+
+  if [ ! -L "$root_idfile" ]; then
+    debug_link "$file" "/$idfile"
+    return
+  fi
+
+  make_id_dup_link "$@"
+
+  [ $# -eq 3 ] && return 0
+
+  local other=$(readlink -m "$root_idfile")
+  other=${other#$RPM_BUILD_ROOT}
+  if cmp -s "$root_idfile" "$RPM_BUILD_ROOT$file" ||
+     eu-elfcmp -q "$root_idfile" "$RPM_BUILD_ROOT$file" 2> /dev/null; then
+    # Two copies.  Maybe one has to be setuid or something.
+    echo >&2 "*** WARNING: identical binaries are copied, not linked:"
+    echo >&2 "        $file"
+    echo >&2 "   and  $other"
+  else
+    # This is pathological, break the build.
+    echo >&2 "*** ERROR: same build ID in nonidentical files!"
+    echo >&2 "        $file"
+    echo >&2 "   and  $other"
+    exit 2
+  fi
+}
+
+get_debugfn()
+{
+  dn=$(dirname "${1#$RPM_BUILD_ROOT}")
+  [ "$dn" == "." ] && dn=""
+  bn=$(basename "$1" .so).debug
+  bn=$(basename "$bn" .debug).debug
+  
+  debugdn=${debugdir}${dn}
+  debugfn=${debugdn}/${bn}
+
+  [ -n "$2" ] && shadowfn=$(basename "$2")
+}
+
+set -o pipefail
+
+strict_error=ERROR
+$strict || strict_error=WARNING
+
+handle_single_file()
+{
+  nlinks=$1 && shift
+  inum=$1 && shift
+  f=$1 && shift
+  shadow=$1 && shift
+  zf="$f"
+  [ -n "${shadowfn}" ] && zf="${shadowfn}"
+
+  get_debugfn "$f" "$shadow"
+  [ -f "${debugfn}" ] && return
+
+  # If this file has multiple links, keep track and make
+  # the corresponding .debug files all links to one file too.
+  if [ $nlinks -gt 1 ]; then
+    eval linked=\$linked_$inum
+    if [ -n "$linked" ]; then
+      eval id=\$linkedid_$inum
+      make_id_dup_link "$id" "$dn/$(basename ${zf})"
+      make_id_dup_link "$id" "/usr/lib/debug$dn/$bn" .debug
+      link=$debugfn
+      get_debugfn "$linked"
+      echo "hard linked $link to $debugfn"
+      mkdir -p "$(dirname "$link")" && ln -nf "$debugfn" "$link"
+      return
+    else
+      eval linked_$inum=\$f
+      echo "file $f has $[$nlinks - 1] other hard links"
+    fi
+  fi
+
+  echo "extracting debug info from $f"
+  echo /usr/lib/rpm/debugedit -b "$RPM_BUILD_DIR" -d /usr/src/debug \
+			      -i -l "$SOURCEFILE" "$f"
+  id=$(/usr/lib/rpm/debugedit -b "$RPM_BUILD_DIR" -d /usr/src/debug \
+			      -i -l "$SOURCEFILE" "$f") || exit
+  if [ $nlinks -gt 1 ]; then
+    eval linkedid_$inum=\$id
+  fi
+  if [ -z "$id" ]; then
+    echo >&2 "*** ${strict_error}: No build ID note found in $zf"
+    $strict && exit 2
+  fi
+
+  [ -x /usr/bin/gdb-add-index ] && /usr/bin/gdb-add-index "$zf" > /dev/null 2>&1
+
+  # A binary already copied into /usr/lib/debug doesn't get stripped,
+  # just has its file names collected and adjusted.
+  case "$dn" in
+  /usr/lib/debug/*)
+    [ -z "$id" ] || make_id_link "$id" "$dn/$(basename $zf)"
+    return ;;
+  esac
+
+  mkdir -p "${debugdn}"
+  if test -w "$f"; then
+    strip_to_debug "${debugfn}" "$f"
+  else
+    chmod u+w "$f"
+    strip_to_debug "${debugfn}" "$f"
+    chmod u-w "$f"
+  fi
+
+  if [ -n "$id" ]; then
+    make_id_link "$id" "$dn/$(basename ${zf})"
+    make_id_link "$id" "/usr/lib/debug$dn/$bn" .debug
+  fi
+}
+
+# Strip ELF binaries
+find "$RPM_BUILD_ROOT" ! -path "${debugdir}/*.debug" -type f \
+     		     \( -perm -0100 -or -perm -0010 -or -perm -0001 \) \
+		     -print |
+file -N -f - | sed -n -e 's/^\(.*\):[ 	]*.*ELF.*, not stripped.*/\1/p' |
+xargs --no-run-if-empty stat -c '%h %D_%i %n' |
+while read nlinks inum f; do
+    handle_single_file $nlinks $inum $f
+done || exit
+
+find "$RPM_BUILD_ROOT" ! -path "${debugdir}/*.debug" -type f \
+                     -iname '*.efi' -print |
+file -N -f - | sed -n -e 's/^\(.*\):[ 	]*.*PE32.*EFI .*/\1/p' |
+xargs --no-run-if-empty stat -c '%h %D_%i %n' |
+while read nlinks inum f; do
+    [ -f "$f" ] || continue
+    [ -f "${f%%.efi}.so" ] || continue
+    handle_single_file $nlinks $inum ${f%%.efi}.so $f
+done || exit
+
+# On Aarch64 file tells us "MS-DOS" instead of PE32+.  Why not.
+find "$RPM_BUILD_ROOT" ! -path "${debugdir}/*.debug" -type f \
+                     -iname '*.efi' -print |
+file -N -f - | sed -n -e 's/^\(.*\):[ 	]MS-DOS.*/\1/p' |
+xargs --no-run-if-empty stat -c '%h %D_%i %n' |
+while read nlinks inum f; do
+    [ -f "$f" ] || continue
+    [ -f "${f%%.efi}.so" ] || continue
+    handle_single_file $nlinks $inum ${f%%.efi}.so $f
+done || exit
+# For each symlink whose target has a .debug file,
+# make a .debug symlink to that file.
+find "$RPM_BUILD_ROOT" ! -path "${debugdir}/*" -type l -print |
+while read f
+do
+  t=$(readlink -m "$f").debug
+  f=${f#$RPM_BUILD_ROOT}
+  t=${t#$RPM_BUILD_ROOT}
+  if [ -f "$debugdir$t" ]; then
+    echo "symlinked /usr/lib/debug$t to /usr/lib/debug${f}.debug"
+    debug_link "/usr/lib/debug$t" "${f}.debug"
+  fi
+done
+
+if [ -s "$SOURCEFILE" ]; then
+  mkdir -p "${RPM_BUILD_ROOT}/usr/src/debug"
+  LC_ALL=C sort -z -u "$SOURCEFILE" | grep -E -v -z '(<internal>|<built-in>)$' |
+  (cd "$RPM_BUILD_DIR"; cpio -pd0mL "${RPM_BUILD_ROOT}/usr/src/debug")
+  # stupid cpio creates new directories in mode 0700, fixup
+  find "${RPM_BUILD_ROOT}/usr/src/debug" -type d -print0 |
+  xargs --no-run-if-empty -0 chmod a+rx
+fi
+
+if [ -d "${RPM_BUILD_ROOT}/usr/lib" -o -d "${RPM_BUILD_ROOT}/usr/src" ]; then
+  ((nout > 0)) ||
+  test ! -d "${RPM_BUILD_ROOT}/usr/lib" ||
+  (cd "${RPM_BUILD_ROOT}/usr/lib"; find debug -type d) |
+  sed 's,^,%dir /usr/lib/,' >> "$LISTFILE"
+
+  (cd "${RPM_BUILD_ROOT}/usr"
+   test ! -d lib/debug || find lib/debug ! -type d
+   test ! -d src/debug || find src/debug -mindepth 1 -maxdepth 1
+  ) | sed 's,^,/usr/,' >> "$LISTFILE"
+fi
+
+# Append to $1 only the lines from stdin not already in the file.
+append_uniq()
+{
+  grep -F -f "$1" -x -v >> "$1"
+}
+
+# Helper to generate list of corresponding .debug files from a file list.
+filelist_debugfiles()
+{
+  local extra="$1"
+  shift
+  sed 's/^%[a-z0-9_][a-z0-9_]*([^)]*) *//
+s/^%[a-z0-9_][a-z0-9_]* *//
+/^$/d
+'"$extra" "$@"
+}
+
+# Write an output debuginfo file list based on given input file lists.
+filtered_list()
+{
+  local out="$1"
+  shift
+  test $# -gt 0 || return
+  grep -F -f <(filelist_debugfiles 's,^.*$,/usr/lib/debug&.debug,' "$@") \
+  	-x $LISTFILE >> $out
+  sed -n -f <(filelist_debugfiles 's/[\\.*+#]/\\&/g
+h
+s,^.*$,s# &$##p,p
+g
+s,^.*$,s# /usr/lib/debug&.debug$##p,p
+' "$@") "$LINKSFILE" | append_uniq "$out"
+}
+
+# Write an output debuginfo file list based on an grep -E -style regexp.
+pattern_list()
+{
+  local out="$1" ptn="$2"
+  test -n "$ptn" || return
+  grep -E -x -e "$ptn" "$LISTFILE" >> "$out"
+  sed -n -r "\#^$ptn #s/ .*\$//p" "$LINKSFILE" | append_uniq "$out"
+}
+
+#
+# When given multiple -o switches, split up the output as directed.
+#
+i=0
+while ((i < nout)); do
+  > ${outs[$i]}
+  filtered_list ${outs[$i]} ${lists[$i]}
+  pattern_list ${outs[$i]} "${ptns[$i]}"
+  grep -Fvx -f ${outs[$i]} "$LISTFILE" > "${LISTFILE}.new"
+  mv "${LISTFILE}.new" "$LISTFILE"
+  ((++i))
+done
+if ((nout > 0)); then
+  # Now add the right %dir lines to each output list.
+  (cd "${RPM_BUILD_ROOT}"; find usr/lib/debug -type d) |
+  sed 's#^.*$#\\@^/&/@{h;s@^.*$@%dir /&@p;g;}#' |
+  LC_ALL=C sort -ur > "${LISTFILE}.dirs.sed"
+  i=0
+  while ((i < nout)); do
+    sed -n -f "${LISTFILE}.dirs.sed" "${outs[$i]}" | sort -u > "${outs[$i]}.new"
+    cat "${outs[$i]}" >> "${outs[$i]}.new"
+    mv -f "${outs[$i]}.new" "${outs[$i]}"
+    ((++i))
+  done
+  sed -n -f "${LISTFILE}.dirs.sed" "${LISTFILE}" | sort -u > "${LISTFILE}.new"
+  cat "$LISTFILE" >> "${LISTFILE}.new"
+  mv "${LISTFILE}.new" "$LISTFILE"
+fi
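Review bot: handle_single_file() tests `${shadowfn}` before it calls `get_debugfn "$f" "$shadow"`, and get_debugfn() only ever sets that global, never clears it. As a result `zf` appears to carry the shadow name of the previously processed file. In the two `*.efi` loops this means the second and later binaries would get their build-id links and "No build ID" messages under the wrong basename. Calling `get_debugfn "$f" "$shadow"` before the `zf="$f"` line and starting get_debugfn() with `shadowfn=` would tie the name to the current file. The three `while read nlinks inum f` loops also use `read` without `-r` and pass `$f` unquoted, so a path containing whitespace or a backslash is split or altered before it reaches handle_single_file; `read -r` and `"$f"` avoid that.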
diff --git a/SPECS/shim.spec b/SPECS/shim.spec
new file mode 100644
index 0000000..c42bf48
--- /dev/null
+++ b/SPECS/shim.spec
@@ -0,0 +1,376 @@
+Name:           shim
+Version:        15
+Release:        5%{?dist}
+Summary:        First-stage UEFI bootloader
+
+License:        BSD
+URL:            http://www.codon.org.uk/~mjg59/shim/
+Source0:        https://github.com/mjg59/shim/releases/download/%{version}/shim-%{version}.tar.bz2
+Source1:        securebootca.cer
+# currently here's what's in our dbx: # nothing.
+#Source2:       dbx-x64.esl
+#Source3:       dbx-aa64.esl
+Source4:        shim-find-debuginfo.sh
+
+Patch0001:      0001-Make-sure-that-MOK-variables-always-get-mirrored.patch
+Patch0002:      0002-mok-fix-the-mirroring-of-RT-variables.patch
+Patch0003:      0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch
+Patch0004:      0004-Make-VLogError-behave-as-expected.patch
+Patch0005:      0005-Once-again-try-even-harder-to-get-binaries-without-t.patch
+
+BuildRequires: git openssl-devel openssl
+BuildRequires: pesign >= 0.106-1
+BuildRequires: gnu-efi >= 1:3.0.5-6.el7, gnu-efi-devel >= 1:3.0.5-6.el7
+
+# for xxd
+BuildRequires: vim-common
+
+# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
+# compatible with SysV (there's no red zone under UEFI) and there isn't a
+# POSIX-style C library.
+Provides: bundled(openssl) = 1.0.2j
+
+# Shim is only required on platforms implementing the UEFI secure boot
+# protocol. The only one of those we currently wish to support is 64-bit x86.
+# Adding further platforms will require adding appropriate relocation code.
+ExclusiveArch: x86_64 aarch64
+
+%ifarch x86_64
+%global efiarch x64
+%endif
+%ifarch aarch64
+%global efiarch aa64
+%endif
+
+# Figure out the right file path to use
+%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
+
+%define debug_package %{nil}
+%global __debug_package 1
+
+%global _binaries_in_noarch_packages_terminate_build 0
+
+%description
+Initial UEFI bootloader that handles chaining to a trusted full bootloader
+under secure boot environments.
+
+%package -n shim-unsigned-%{efiarch}
+Summary: First-stage UEFI bootloader (unsigned data)
+
+%description -n shim-unsigned-%{efiarch}
+Initial UEFI bootloader that handles chaining to a trusted full bootloader
+under secure boot environments.
+
+%package -n shim-unsigned-%{efiarch}-debuginfo
+Obsoletes: shim-debuginfo < 0.9
+Summary: Debug information for package %{name}
+Group: Development/Debug
+AutoReqProv: 0
+BuildArch: noarch
+
+%description -n shim-unsigned-%{efiarch}-debuginfo
+This package provides debug information for package %{name}.
+Debug information is useful when developing applications that use this
+package or when debugging this package.
+
+%ifarch x86_64
+%package -n shim-unsigned-ia32
+Summary: First-stage UEFI bootloader (unsigned data)
+
+%description -n shim-unsigned-ia32
+Initial UEFI bootloader that handles chaining to a trusted full bootloader
+under secure boot environments.
+
+%package -n shim-unsigned-ia32-debuginfo
+Obsoletes: shim-debuginfo < 0.9
+Summary: Debug information for package %{name}
+Group: Development/Debug
+AutoReqProv: 0
+BuildArch: noarch
+
+%description -n shim-unsigned-ia32-debuginfo
+This package provides debug information for package %{name}.
+Debug information is useful when developing applications that use this
+package or when debugging this package.
+%endif
+
+%prep
+%setup -T -n %{name}-%{version}-%{release} -c
+%{__tar} -xo -f %{SOURCE0}
+mv %{name}-%{version} %{name}-%{version}-%{efiarch}
+cd %{name}-%{version}-%{efiarch}
+git init
+git config user.email "example@example.com"
+git config user.name "rpmbuild -bp"
+git add .
+git commit -a -q -m "%{version} baseline."
+git am --ignore-whitespace %{patches} </dev/null
+git config --unset user.email
+git config --unset user.name
+
+%ifarch x86_64
+cd ..
+%{__tar} -xo -f %{SOURCE0}
+mv %{name}-%{version} %{name}-%{version}-ia32
+cd %{name}-%{version}-ia32
+git init
+git config user.email "example@example.com"
+git config user.name "rpmbuild -bp"
+git add .
+git commit -a -q -m "%{version} baseline."
+git am --ignore-whitespace %{patches} </dev/null
+git config --unset user.email
+git config --unset user.name
+%endif
+
+%build
+COMMIT_ID=$(cat %{name}-%{version}-%{efiarch}/commit)
+MAKEFLAGS="RELEASE=%{release} ENABLE_HTTPBOOT=true COMMIT_ID=${COMMIT_ID}"
+%ifarch aarch64
+if [ -f "%{SOURCE1}" ]; then
+        MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
+fi
+if [ -f "%{SOURCE3}" ]; then
+        MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE3}"
+fi
+%else
+if [ -f "%{SOURCE1}" ]; then
+        MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
+fi
+if [ -f "%{SOURCE2}" ]; then
+        MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
+fi
+%endif
+cd %{name}-%{version}-%{efiarch}
+make 'DEFAULT_LOADER=\\\\grub%{efiarch}.efi' ${MAKEFLAGS} shim%{efiarch}.efi mm%{efiarch}.efi fb%{efiarch}.efi
+
+%ifarch x86_64
+cd ../%{name}-%{version}-ia32
+setarch linux32 make 'DEFAULT_LOADER=\\\\grubia32.efi' ARCH=ia32 ${MAKEFLAGS} shimia32.efi mmia32.efi fbia32.efi
+cd ../%{name}-%{version}-%{efiarch}
+%endif
+
+%install
+cd %{name}-%{version}-%{efiarch}
+pesign -h -P -i shim%{efiarch}.efi -h > shim%{efiarch}.hash
+install -D -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/
+install -m 0644 shim%{efiarch}.hash $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/shim%{efiarch}.hash
+for x in shim%{efiarch} mm%{efiarch} fb%{efiarch} ; do
+        install -m 0644 $x.efi $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/
+        install -m 0644 $x.so $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/
+done
+
+%ifarch x86_64
+cd ../%{name}-%{version}-ia32
+pesign -h -P -i shimia32.efi -h > shimia32.hash
+install -D -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/
+install -m 0644 shimia32.hash $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/shimia32.hash
+for x in shimia32 mmia32 fbia32 ; do
+        install -m 0644 $x.efi $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/
+        install -m 0644 $x.so $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/
+done
+cd ../%{name}-%{version}-%{efiarch}
+%endif
+
+%ifarch x86_64
+%global __debug_install_post                                            \
+        bash %{SOURCE4}                                                 \\\
+                %{?_missing_build_ids_terminate_build:--strict-build-id}\\\
+                %{?_find_debuginfo_opts}                                \\\
+                "%{_builddir}/%{?buildsubdir}/%{name}-%{version}-%{efiarch}" \
+        rm -f $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/*.so \
+        mv debugfiles.list ../debugfiles-%{efiarch}.list                \
+        cd ..                                                           \
+        cd %{name}-%{version}-ia32                                      \
+        bash %{SOURCE4}                                                 \\\
+                %{?_missing_build_ids_terminate_build:--strict-build-id}\\\
+                %{?_find_debuginfo_opts}                                \\\
+                "%{_builddir}/%{?buildsubdir}/%{name}-%{version}-ia32"  \
+        rm -f $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/*.so \
+        mv debugfiles.list ../debugfiles-ia32.list                      \
+        cd ..                                                           \
+        %{nil}
+%else
+%global __debug_install_post                                            \
+        bash %{SOURCE4}                                                 \\\
+                %{?_missing_build_ids_terminate_build:--strict-build-id}\\\
+                %{?_find_debuginfo_opts}                                \\\
+                "%{_builddir}/%{?buildsubdir}/%{name}-%{version}-%{efiarch}" \
+        rm -f $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/*.so \
+        mv debugfiles.list ../debugfiles-%{efiarch}.list                \
+        cd ..                                                           \
+        %{nil}
+%endif
+
+%files -n shim-unsigned-%{efiarch}
+%dir %{_datadir}/shim
+%dir %{_datadir}/shim/%{efiarch}-%{version}-%{release}/
+%{_datadir}/shim/%{efiarch}-%{version}-%{release}/*.efi
+%{_datadir}/shim/%{efiarch}-%{version}-%{release}/*.hash
+
+%files -n shim-unsigned-%{efiarch}-debuginfo -f debugfiles-%{efiarch}.list
+%defattr(-,root,root)
+
+%ifarch x86_64
+%files -n shim-unsigned-ia32
+%dir %{_datadir}/shim
+%dir %{_datadir}/shim/ia32-%{version}-%{release}/
+%{_datadir}/shim/ia32-%{version}-%{release}/*.efi
+%{_datadir}/shim/ia32-%{version}-%{release}/*.hash
+
+%files -n shim-unsigned-ia32-debuginfo -f debugfiles-ia32.list
+%defattr(-,root,root)
+%endif
+
+%changelog
+* Mon Mar 18 2019 Peter Jones <pjones@redhat.com> - 15-5
+- Fix a couple more things that are breaking reproducability, and thus
+  breaking external review.
+  Related: rhbz#1649270
+
+* Fri Mar 15 2019 Peter Jones <pjones@redhat.com> - 15-4
+- Fight with binutils to try to get a binary without timestamps in it.
+  Again, but without breaking aarch64 this time.
+  Related: rhbz#1649270
+
+* Fri Mar 15 2019 Peter Jones <pjones@redhat.com> - 15-3
+- Fight with binutils to try to get a binary without timestamps in it.  Again.
+  Related: rhbz#1649270
+
+* Tue Feb 12 2019 Peter Jones <pjones@redhat.com> - 15-2
+- Fix MoK mirroring issue which breaks kdump without intervention
+  Related: rhbz#1649270
+
+* Mon Jun 18 2018 Peter Jones <pjones@redhat.com> - 15-1
+- Update to shim 15
+  Resolves: rhbz#1589961
+
+* Thu Apr 27 2017 Peter Jones <pjones@redhat.com> - 12-1
+- Update to 12-1 to work around a signtool.exe bug
+  Related: rhbz#1445393
+
+* Mon Apr 03 2017 Peter Jones <pjones@redhat.com> - 11-1
+- Update to 11-1
+  Related: rhbz#1310766
+- Fix regression in PE loader
+  Related: rhbz#1310766
+- Fix case where BDS invokes us wrong and we exec shim again as a result
+  Related: rhbz#1310766
+
+* Tue Mar 21 2017 Peter Jones <pjones@redhat.com> - 10-1
+- Update to 10-1
+- Support ia32
+  Resolves: rhbz#1310766
+- Handle various different load option implementation differences
+- TPM 1 and TPM 2 support.
+- Update to OpenSSL 1.0.2k
+
+* Mon Jun 22 2015 Peter Jones <pjones@redhat.com> - 0.9-1
+- Update to 0.9-1
+- Fix early call to BS->Exit()
+  Resolves: rhbz#1115843
+- Implement shim on aarch64
+  Resolves: rhbz#1100048
+  Resolves: rhbz#1190191
+
+* Mon Jun 22 2015 Peter Jones <pjones@redhat.com> - 0.7-14
+- Excise mokutil.
+  Related: rhbz#1100048
+
+* Mon Jun 22 2015 Peter Jones <pjones@redhat.com> - 0.7-13
+- Do a build for Aarch64 to make the tree composable.
+  Related: rhbz#1100048
+
+* Wed Feb 25 2015 Peter Jones <pjones@redhat.com> - 0.7-10
+- Fix a couple more minor bugs aavmf has found in fallback.
+  Related: rhbz#1190191
+- Build lib/ with the right CFLAGS
+  Related: rhbz#1190191
+
+* Tue Feb 24 2015 Peter Jones <pjones@redhat.com> - 0.7-9
+- Fix aarch64 section loading.
+  Related: rhbz#1190191
+
+* Tue Sep 30 2014 Peter Jones <pjones@redhat.com> - 0.7-8
+- Build -8 for arm as well.
+  Related: rhbz#1100048
+- out-of-bounds memory read flaw in DHCPv6 packet processing
+  Resolves: CVE-2014-3675
+- heap-based buffer overflow flaw in IPv6 address parsing
+  Resolves: CVE-2014-3676
+- memory corruption flaw when processing Machine Owner Keys (MOKs)
+  Resolves: CVE-2014-3677
+
+* Tue Sep 23 2014 Peter Jones <pjones@redhat.com> - 0.7-7
+- Use the right key for ARM Aarch64.
+
+* Sun Sep 21 2014 Peter Jones <pjones@redhat.com> - 0.7-6
+- Preliminary build for ARM Aarch64.
+
+* Tue Feb 18 2014 Peter Jones <pjones@redhat.com> - 0.7-5
+- Update for production signing
+  Resolves: rhbz#1064424
+  Related: rhbz#1064449
+
+* Thu Nov 21 2013 Peter Jones <pjones@redhat.com> - 0.7-4
+- Make dhcpv4 paths work better when netbooting.
+  Resolves: rhbz#1032583
+
+* Thu Nov 14 2013 Peter Jones <pjones@redhat.com> - 0.7-3
+- Make lockdown include UEFI and other KEK/DB entries.
+  Resolves: rhbz#1030492
+
+* Fri Nov 08 2013 Peter Jones <pjones@redhat.com> - 0.7-2
+- Update lockdown to reflect SetupMode better as well
+  Related: rhbz#996863
+
+* Wed Nov 06 2013 Peter Jones <pjones@redhat.com> - 0.7-1
+- Fix logic to handle SetupMode efi variable.
+  Related: rhbz#996863
+
+* Thu Oct 31 2013 Peter Jones <pjones@redhat.com> - 0.6-1
+- Fix a FreePool(NULL) call on machines too old for SB
+
+* Fri Oct 04 2013 Peter Jones <pjones@redhat.com> - 0.5-1
+- Update to 0.5
+
+* Tue Aug 06 2013 Peter Jones <pjones@redhat.com> - 0.4-3
+- Build with early RHEL test keys.
+  Related: rhbz#989442
+
+* Thu Jul 25 2013 Peter Jones <pjones@redhat.com> - 0.4-2
+- Fix minor RHEL 7.0 build issues
+  Resolves: rhbz#978766
+- Be less verbose by default
+
+* Tue Jun 11 2013 Peter Jones <pjones@redhat.com> - 0.4-1
+- Update to 0.4
+
+* Fri Jun 07 2013 Peter Jones <pjones@redhat.com> - 0.3-2
+- Require gnu-efi-3.0q for now.
+- Don't allow mmx or sse during compilation.
+- Re-organize this so all real signing happens in shim-signed instead.
+- Split out mokutil
+
+* Wed Dec 12 2012 Peter Jones <pjones@redhat.com> - 0.2-3
+- Fix mokutil's idea of signature sizes.
+
+* Wed Nov 28 2012 Matthew Garrett <mjg59@srcf.ucam.org> - 0.2-2
+- Fix secure_mode() always returning true
+
+* Mon Nov 26 2012 Matthew Garrett <mjg59@srcf.ucam.org> - 0.2-1
+- Update shim
+- Include mokutil
+- Add debuginfo package since mokutil is a userspace executable
+
+* Mon Oct 22 2012 Peter Jones <pjones@redhat.com> - 0.1-4
+- Produce an unsigned shim
+
+* Tue Aug 14 2012 Peter Jones <pjones@redhat.com> - 0.1-3
+- Update how embedded cert and signing work.
+
+* Mon Aug 13 2012 Josh Boyer <jwboyer@redhat.com> - 0.1-2
+- Add patch to fix image size calculation
+
+* Mon Aug 13 2012 Matthew Garrett <mjg@redhat.com> - 0.1-1
+- initial release
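Review bot: `Provides: bundled(openssl) = 1.0.2j` disagrees with this spec's own changelog, whose 10-1 entry records "Update to OpenSSL 1.0.2k", so the metadata used to find packages carrying a bundled OpenSSL reports an older release than the changelog says has been bundled since 10-1. Check the OpenSSL version inside the shim-15 tarball and make the line match, e.g. `Provides: bundled(openssl) = 1.0.2k` if that is still what is bundled. Separately, the `%global efidir` line runs `eval echo` over the contents of the build host's `/etc/os-release` at spec-parse time, yet `%{efidir}` is not referenced anywhere in this spec; dropping the line, or stripping the quotes with `tr -d '"'` instead of `eval`, removes that evaluation. The comment above `ExclusiveArch` also still says only 64-bit x86 is supported, while the line itself lists `x86_64 aarch64`.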