diff --git a/.gitignore b/.gitignore
index a250cf7..6af0766 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/shim-12.tar.bz2
+SOURCES/shim-15.tar.bz2
diff --git a/.shim.metadata b/.shim.metadata
index d93caad..5677fcd 100644
--- a/.shim.metadata
+++ b/.shim.metadata
@@ -1 +1 @@
-5c5a5738bd0412cb1f42ac2b9dace11c3495ed5b SOURCES/shim-12.tar.bz2
+2dc6308584187bf3ee88bf9b119938c72c5a5088 SOURCES/shim-15.tar.bz2
diff --git a/SOURCES/0001-Add-vendor-esl.patch b/SOURCES/0001-Add-vendor-esl.patch
deleted file mode 100644
index 1058298..0000000
--- a/SOURCES/0001-Add-vendor-esl.patch
+++ /dev/null
@@ -1,168 +0,0 @@
-From bc1e30ee1e7940e0e70eab9afd55b6e355ef9899 Mon Sep 17 00:00:00 2001
-From: Patrick Uiterwijk <patrick@puiterwijk.org>
-Date: Sat, 21 Jul 2018 03:27:26 +0200
-Subject: [PATCH] Add vendor_esl
-
-Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
----
- Makefile | 3 +++
- cert.S | 30 ++++++++++++++++++++++++++++++
- shim.c | 36 +++++++++++++++++++++++++++++++++++-
- 3 files changed, 68 insertions(+), 1 deletion(-)
-
-diff --git a/Makefile b/Makefile
-index 6ece282..78688e0 100644
---- a/Makefile
-+++ b/Makefile
-@@ -82,6 +82,9 @@ endif
- ifneq ($(origin VENDOR_CERT_FILE), undefined)
- CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
- endif
-+ifneq ($(origin VENDOR_ESL_FILE), undefined)
-+ CFLAGS += -DVENDOR_ESL_FILE=\"$(VENDOR_ESL_FILE)\"
-+endif
- ifneq ($(origin VENDOR_DBX_FILE), undefined)
- CFLAGS += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\"
- endif
-diff --git a/cert.S b/cert.S
-index cfc4525..7ad782a 100644
---- a/cert.S
-+++ b/cert.S
-@@ -8,12 +8,18 @@ cert_table:
- #else
- .long 0
- #endif
-+#if defined(VENDOR_ESL_FILE)
-+ .long vendor_esl_priv_end - vendor_esl_priv
-+#else
-+ .long 0
-+#endif
- #if defined(VENDOR_DBX_FILE)
- .long vendor_dbx_priv_end - vendor_dbx_priv
- #else
- .long 0
- #endif
- .long vendor_cert_priv - cert_table
-+ .long vendor_esl_priv - cert_table
- .long vendor_dbx_priv - cert_table
- #if defined(VENDOR_CERT_FILE)
- .data
-@@ -39,6 +45,30 @@ vendor_cert_priv:
- .section .vendor_cert, "a", %progbits
- vendor_cert_priv_end:
- #endif
-+#if defined(VENDOR_ESL_FILE)
-+ .data
-+ .align 1
-+ .type vendor_esl_priv, %object
-+ .size vendor_esl_priv, vendor_esl_priv_end-vendor_esl_priv
-+ .section .vendor_cert, "a", %progbits
-+vendor_esl_priv:
-+.incbin VENDOR_ESL_FILE
-+vendor_esl_priv_end:
-+#else
-+ .bss
-+ .type vendor_esl_priv, %object
-+ .size vendor_esl_priv, 1
-+ .section .vendor_cert, "a", %progbits
-+vendor_esl_priv:
-+ .zero 1
-+
-+ .data
-+ .align 4
-+ .type vendor_esl_size_priv, %object
-+ .size vendor_esl_size_priv, 4
-+ .section .vendor_cert, "a", %progbits
-+vendor_esl_priv_end:
-+#endif
- #if defined(VENDOR_DBX_FILE)
- .data
- .align 1
-diff --git a/shim.c b/shim.c
-index f8a1e67..d99134f 100644
---- a/shim.c
-+++ b/shim.c
-@@ -84,14 +84,18 @@ EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8,
- */
- extern struct {
- UINT32 vendor_cert_size;
-+ UINT32 vendor_esl_size;
- UINT32 vendor_dbx_size;
- UINT32 vendor_cert_offset;
-+ UINT32 vendor_esl_offset;
- UINT32 vendor_dbx_offset;
- } cert_table;
-
- UINT32 vendor_cert_size;
-+UINT32 vendor_esl_size;
- UINT32 vendor_dbx_size;
- UINT8 *vendor_cert;
-+UINT8 *vendor_esl;
- UINT8 *vendor_dbx;
-
- /*
-@@ -1029,6 +1033,18 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
- return status;
- }
-
-+ /*
-+ * Check if there's a vendor ESL built-in
-+ */
-+ if (vendor_esl_size &&
-+ check_db_cert_in_ram((EFI_SIGNATURE_LIST*)vendor_esl,
-+ vendor_esl_size,
-+ cert,
-+ sha256hash) == DATA_FOUND) {
-+ status = EFI_SUCCESS;
-+ return status;
-+ }
-+
- /*
- * And finally, check against shim's built-in key
- */
-@@ -1973,6 +1989,22 @@ EFI_STATUS mirror_mok_list()
-
- CertData->SignatureOwner = SHIM_LOCK_GUID;
- CopyMem(p, vendor_cert, vendor_cert_size);
-+ } else if (vendor_esl_size) {
-+ FullDataSize = DataSize
-+ + vendor_esl_size
-+ ;
-+ FullData = AllocatePool(FullDataSize);
-+ if (!FullData) {
-+ perror(L"Failed to allocate space for MokListRT\n");
-+ return EFI_OUT_OF_RESOURCES;
-+ }
-+ p = FullData;
-+
-+ if (efi_status == EFI_SUCCESS && DataSize > 0) {
-+ CopyMem(p, Data, DataSize);
-+ p += DataSize;
-+ }
-+ CopyMem(p, vendor_esl, vendor_esl_size);
- } else {
- FullDataSize = DataSize;
- FullData = Data;
-@@ -2606,7 +2638,7 @@ shim_init(void)
- set_second_stage (global_image_handle);
-
- if (secure_mode()) {
-- if (vendor_cert_size || vendor_dbx_size) {
-+ if (vendor_cert_size || vendor_esl_size || vendor_dbx_size) {
- /*
- * If shim includes its own certificates then ensure
- * that anything it boots has performed some
-@@ -2706,8 +2738,10 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
- verification_method = VERIFIED_BY_NOTHING;
-
- vendor_cert_size = cert_table.vendor_cert_size;
-+ vendor_esl_size = cert_table.vendor_esl_size;
- vendor_dbx_size = cert_table.vendor_dbx_size;
- vendor_cert = (UINT8 *)&cert_table + cert_table.vendor_cert_offset;
-+ vendor_esl = (UINT8 *)&cert_table + cert_table.vendor_esl_offset;
- vendor_dbx = (UINT8 *)&cert_table + cert_table.vendor_dbx_offset;
-
- /*
---
-2.18.0
-
diff --git a/SOURCES/centos.esl b/SOURCES/centos.esl
deleted file mode 100644
index c0815a7..0000000
Binary files a/SOURCES/centos.esl and /dev/null differ
diff --git a/SPECS/shim.spec b/SPECS/shim.spec
index a7778ba..97117dd 100644
--- a/SPECS/shim.spec
+++ b/SPECS/shim.spec
@@ -1,19 +1,16 @@
Name: shim
-Version: 12
-Release: 2%{?dist}
+Version: 15
+Release: 1%{?dist}
Summary: First-stage UEFI bootloader
License: BSD
URL: http://www.codon.org.uk/~mjg59/shim/
-Source0: https://github.com/mjg59/shim/releases/download/%{version}/shim-%{version}.tar.bz2
-#Source1: centos.crt
+Source0: https://github.com/mjg59/shim/releases/download/%{version}/shim-%{version}.tar.bz2
+Source1: securebootca.cer
# currently here's what's in our dbx: # nothing.
-#Source2: dbx-x64.esl
-#Source3: dbx-aa64.esl
-Source4: shim-find-debuginfo.sh
-Source5: centos.esl
-
-Patch0: 0001-Add-vendor-esl.patch
+#Source2: dbx-x64.esl
+#Source3: dbx-aa64.esl
+Source4: shim-find-debuginfo.sh
BuildRequires: git openssl-devel openssl
BuildRequires: pesign >= 0.106-1
@@ -125,23 +122,17 @@ COMMITID=$(cat %{name}-%{version}-%{efiarch}/commit)
MAKEFLAGS="RELEASE=%{release} ENABLE_HTTPBOOT=true COMMITID=${COMMITID}"
%ifarch aarch64
if [ -f "%{SOURCE1}" ]; then
- MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
+ MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
fi
if [ -f "%{SOURCE3}" ]; then
- MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE3}"
-fi
-if [ -f "%{SOURCE5}" ]; then
- MAKEFLAGS="$MAKEFLAGS VENDOR_ESL_FILE=%{SOURCE5}"
+ MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE3}"
fi
%else
if [ -f "%{SOURCE1}" ]; then
- MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
+ MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
fi
if [ -f "%{SOURCE2}" ]; then
- MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
-fi
-if [ -f "%{SOURCE5}" ]; then
- MAKEFLAGS="$MAKEFLAGS VENDOR_ESL_FILE=%{SOURCE5}"
+ MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
fi
%endif
cd %{name}-%{version}-%{efiarch}
@@ -159,8 +150,8 @@ pesign -h -P -i shim%{efiarch}.efi -h > shim%{efiarch}.hash
install -D -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/
install -m 0644 shim%{efiarch}.hash $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/shim%{efiarch}.hash
for x in shim%{efiarch} mm%{efiarch} fb%{efiarch} ; do
- install -m 0644 $x.efi $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/
- install -m 0644 $x.so $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/
+ install -m 0644 $x.efi $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/
+ install -m 0644 $x.so $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/
done
%ifarch x86_64
@@ -169,40 +160,40 @@ pesign -h -P -i shimia32.efi -h > shimia32.hash
install -D -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/
install -m 0644 shimia32.hash $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/shimia32.hash
for x in shimia32 mmia32 fbia32 ; do
- install -m 0644 $x.efi $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/
- install -m 0644 $x.so $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/
+ install -m 0644 $x.efi $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/
+ install -m 0644 $x.so $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/
done
cd ../%{name}-%{version}-%{efiarch}
%endif
%ifarch x86_64
-%global __debug_install_post \
- bash %{SOURCE4} \\\
- %{?_missing_build_ids_terminate_build:--strict-build-id}\\\
- %{?_find_debuginfo_opts} \\\
- "%{_builddir}/%{?buildsubdir}/%{name}-%{version}-%{efiarch}" \
- rm -f $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/*.so \
- mv debugfiles.list ../debugfiles-%{efiarch}.list \
- cd .. \
- cd %{name}-%{version}-ia32 \
- bash %{SOURCE4} \\\
- %{?_missing_build_ids_terminate_build:--strict-build-id}\\\
- %{?_find_debuginfo_opts} \\\
- "%{_builddir}/%{?buildsubdir}/%{name}-%{version}-ia32" \
- rm -f $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/*.so \
- mv debugfiles.list ../debugfiles-ia32.list \
- cd .. \
- %{nil}
+%global __debug_install_post \
+ bash %{SOURCE4} \\\
+ %{?_missing_build_ids_terminate_build:--strict-build-id}\\\
+ %{?_find_debuginfo_opts} \\\
+ "%{_builddir}/%{?buildsubdir}/%{name}-%{version}-%{efiarch}" \
+ rm -f $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/*.so \
+ mv debugfiles.list ../debugfiles-%{efiarch}.list \
+ cd .. \
+ cd %{name}-%{version}-ia32 \
+ bash %{SOURCE4} \\\
+ %{?_missing_build_ids_terminate_build:--strict-build-id}\\\
+ %{?_find_debuginfo_opts} \\\
+ "%{_builddir}/%{?buildsubdir}/%{name}-%{version}-ia32" \
+ rm -f $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/*.so \
+ mv debugfiles.list ../debugfiles-ia32.list \
+ cd .. \
+ %{nil}
%else
-%global __debug_install_post \
- bash %{SOURCE4} \\\
- %{?_missing_build_ids_terminate_build:--strict-build-id}\\\
- %{?_find_debuginfo_opts} \\\
- "%{_builddir}/%{?buildsubdir}/%{name}-%{version}-%{efiarch}" \
- rm -f $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/*.so \
- mv debugfiles.list ../debugfiles-%{efiarch}.list \
- cd .. \
- %{nil}
+%global __debug_install_post \
+ bash %{SOURCE4} \\\
+ %{?_missing_build_ids_terminate_build:--strict-build-id}\\\
+ %{?_find_debuginfo_opts} \\\
+ "%{_builddir}/%{?buildsubdir}/%{name}-%{version}-%{efiarch}" \
+ rm -f $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/*.so \
+ mv debugfiles.list ../debugfiles-%{efiarch}.list \
+ cd .. \
+ %{nil}
%endif
%files -n shim-unsigned-%{efiarch}
@@ -226,9 +217,9 @@ cd ../%{name}-%{version}-%{efiarch}
%endif
%changelog
-* Mon Jul 23 2018 Fabian Arrotin <arrfab@centos.org> - 12-2.el7.centos
-- Added 0001-Add-vendor-esl.patch (Patrick Uiterwijk)
-- Rebuilt with combined centos.esl (so new and previous crt)
+* Mon Jun 18 2018 Peter Jones <pjones@redhat.com> - 15-1
+- Update to shim 15
+ Resolves: rhbz#1589961
* Thu Apr 27 2017 Peter Jones <pjones@redhat.com> - 12-1
- Update to 12-1 to work around a signtool.exe bug