diff --git a/.gitignore b/.gitignore
index 953d727..a250cf7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/shim-0.9.tar.bz2
+SOURCES/shim-12.tar.bz2
diff --git a/.shim.metadata b/.shim.metadata
index 93bda97..d93caad 100644
--- a/.shim.metadata
+++ b/.shim.metadata
@@ -1 +1 @@
-44c1b426f515b86581f163ec85c9e3bb08bc9042 SOURCES/shim-0.9.tar.bz2
+5c5a5738bd0412cb1f42ac2b9dace11c3495ed5b SOURCES/shim-12.tar.bz2
diff --git a/SOURCES/0001-Typo-on-aarch64.patch b/SOURCES/0001-Typo-on-aarch64.patch
deleted file mode 100644
index 851fe4a..0000000
--- a/SOURCES/0001-Typo-on-aarch64.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From db142ce288a63db2e8f7858ba7564158cc7a64e5 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Tue, 30 Jun 2015 14:54:43 -0400
-Subject: [PATCH] Typo on aarch64 :/
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Makefile b/Makefile
-index 46d0234..1181b8a 100644
---- a/Makefile
-+++ b/Makefile
-@@ -52,7 +52,7 @@ ifeq ($(ARCH),ia32)
- 		"-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/ia32-$(VERSION)$(RELEASE)/\""
- endif
- ifeq ($(ARCH),aarch64)
--	CFLAGS += "-DEFI_ARCH=L\"aa64\""
-+	CFLAGS += "-DEFI_ARCH=L\"aa64\"" \
- 		"-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/aa64-$(VERSION)$(RELEASE)/\""
- endif
- 
--- 
-2.4.3
-
diff --git a/SPECS/shim.spec b/SPECS/shim.spec
index 8cc3fb8..d1316b0 100644
--- a/SPECS/shim.spec
+++ b/SPECS/shim.spec
@@ -1,5 +1,5 @@
 Name:           shim
-Version:        0.9
+Version:        12
 Release:        1%{?dist}
 Summary:        First-stage UEFI bootloader
 
@@ -8,14 +8,13 @@ URL:            http://www.codon.org.uk/~mjg59/shim/
 Source0:	https://github.com/mjg59/shim/releases/download/%{version}/shim-%{version}.tar.bz2
 Source1:	securebootca.cer
 # currently here's what's in our dbx: # nothing.
-#Source2:	dbx.esl
-Source3:	shim-find-debuginfo.sh
-
-Patch0001:	0001-Typo-on-aarch64.patch
+#Source2:	dbx-x64.esl
+#Source3:	dbx-aa64.esl
+Source4:	shim-find-debuginfo.sh
 
 BuildRequires: git openssl-devel openssl
 BuildRequires: pesign >= 0.106-1
-BuildRequires: gnu-efi >= 1:3.0.2, gnu-efi-devel >= 1:3.0.2
+BuildRequires: gnu-efi >= 1:3.0.5-6.el7, gnu-efi-devel >= 1:3.0.5-6.el7
 
 # for xxd
 BuildRequires: vim-common
@@ -23,8 +22,7 @@ BuildRequires: vim-common
 # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
 # compatible with SysV (there's no red zone under UEFI) and there isn't a
 # POSIX-style C library.
-# BuildRequires: OpenSSL
-Provides: bundled(openssl) = 0.9.8w
+Provides: bundled(openssl) = 1.0.2j
 
 # Shim is only required on platforms implementing the UEFI secure boot
 # protocol. The only one of those we currently wish to support is 64-bit x86.
@@ -44,14 +42,16 @@ ExclusiveArch: x86_64 aarch64
 %define debug_package %{nil}
 %global __debug_package 1
 
+%global _binaries_in_noarch_packages_terminate_build 0
+
 %description
 Initial UEFI bootloader that handles chaining to a trusted full bootloader
 under secure boot environments.
 
-%package -n shim-unsigned
+%package -n shim-unsigned-%{efiarch}
 Summary: First-stage UEFI bootloader (unsigned data)
 
-%description -n shim-unsigned
+%description -n shim-unsigned-%{efiarch}
 Initial UEFI bootloader that handles chaining to a trusted full bootloader
 under secure boot environments.
 
@@ -67,12 +67,32 @@ This package provides debug information for package %{name}.
 Debug information is useful when developing applications that use this
 package or when debugging this package.
 
+%ifarch x86_64
+%package -n shim-unsigned-ia32
+Summary: First-stage UEFI bootloader (unsigned data)
+
+%description -n shim-unsigned-ia32
+Initial UEFI bootloader that handles chaining to a trusted full bootloader
+under secure boot environments.
+
+%package -n shim-unsigned-ia32-debuginfo
+Obsoletes: shim-debuginfo < 0.9
+Summary: Debug information for package %{name}
+Group: Development/Debug
+AutoReqProv: 0
+BuildArch: noarch
+
+%description -n shim-unsigned-ia32-debuginfo
+This package provides debug information for package %{name}.
+Debug information is useful when developing applications that use this
+package or when debugging this package.
+%endif
+
 %prep
-%setup -n %{name}-%{version}-%{efiarch} -T -c
-cd %{_builddir}
+%setup -T -n %{name}-%{version}-%{release} -c
 %{__tar} -xo -f %{SOURCE0}
 mv %{name}-%{version} %{name}-%{version}-%{efiarch}
-%setup -q -D -T -n %{name}-%{version}-%{efiarch}/%{name}-%{version}
+cd %{name}-%{version}-%{efiarch}
 git init
 git config user.email "example@example.com"
 git config user.name "rpmbuild -bp"
@@ -82,39 +102,141 @@ git am --ignore-whitespace %{patches} </dev/null
 git config --unset user.email
 git config --unset user.name
 
+%ifarch x86_64
+cd ..
+%{__tar} -xo -f %{SOURCE0}
+mv %{name}-%{version} %{name}-%{version}-ia32
+cd %{name}-%{version}-ia32
+git init
+git config user.email "example@example.com"
+git config user.name "rpmbuild -bp"
+git add .
+git commit -a -q -m "%{version} baseline."
+git am --ignore-whitespace %{patches} </dev/null
+git config --unset user.email
+git config --unset user.name
+%endif
+
 %build
-MAKEFLAGS="VENDOR_CERT_FILE=%{SOURCE1}"
-# MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
-MAKEFLAGS="$MAKEFLAGS RELEASE=%{release}"
-make 'DEFAULT_LOADER=\\\\grub%{efiarch}.efi' ${MAKEFLAGS} shim.efi MokManager.efi fallback.efi
+COMMITID=$(cat %{name}-%{version}-%{efiarch}/commit)
+MAKEFLAGS="RELEASE=%{release} ENABLE_HTTPBOOT=true COMMITID=${COMMITID}"
+%ifarch aarch64
+if [ -f "%{SOURCE1}" ]; then
+	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
+fi
+if [ -f "%{SOURCE3}" ]; then
+	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE3}"
+fi
+%else
+if [ -f "%{SOURCE1}" ]; then
+	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
+fi
+if [ -f "%{SOURCE2}" ]; then
+	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
+fi
+%endif
+cd %{name}-%{version}-%{efiarch}
+make 'DEFAULT_LOADER=\\\\grub%{efiarch}.efi' ${MAKEFLAGS} shim%{efiarch}.efi mm%{efiarch}.efi fb%{efiarch}.efi
+
+%ifarch x86_64
+cd ../%{name}-%{version}-ia32
+setarch linux32 -B make 'DEFAULT_LOADER=\\\\grubia32.efi' ARCH=ia32 ${MAKEFLAGS} shimia32.efi mmia32.efi fbia32.efi
+cd ../%{name}-%{version}-%{efiarch}
+%endif
 
 %install
-rm -rf $RPM_BUILD_ROOT
-pesign -h -P -i shim.efi -h > shim.hash
+cd %{name}-%{version}-%{efiarch}
+pesign -h -P -i shim%{efiarch}.efi -h > shim%{efiarch}.hash
 install -D -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/
-install -m 0644 shim.hash $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/shim.hash
-for x in shim fallback MokManager ; do
+install -m 0644 shim%{efiarch}.hash $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/shim%{efiarch}.hash
+for x in shim%{efiarch} mm%{efiarch} fb%{efiarch} ; do
 	install -m 0644 $x.efi $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/
 	install -m 0644 $x.so $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/
 done
 
+%ifarch x86_64
+cd ../%{name}-%{version}-ia32
+pesign -h -P -i shimia32.efi -h > shimia32.hash
+install -D -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/
+install -m 0644 shimia32.hash $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/shimia32.hash
+for x in shimia32 mmia32 fbia32 ; do
+	install -m 0644 $x.efi $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/
+	install -m 0644 $x.so $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/
+done
+cd ../%{name}-%{version}-%{efiarch}
+%endif
+
+%ifarch x86_64
 %global __debug_install_post						\
-	bash %{SOURCE3}							\\\
+	bash %{SOURCE4}							\\\
+		%{?_missing_build_ids_terminate_build:--strict-build-id}\\\
+		%{?_find_debuginfo_opts} 				\\\
+		"%{_builddir}/%{?buildsubdir}/%{name}-%{version}-%{efiarch}" \
+	rm -f $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/*.so \
+	mv debugfiles.list ../debugfiles-%{efiarch}.list		\
+	cd ..								\
+	cd %{name}-%{version}-ia32					\
+	bash %{SOURCE4}							\\\
 		%{?_missing_build_ids_terminate_build:--strict-build-id}\\\
-		%{?_find_debuginfo_opts} "%{_builddir}/%{?buildsubdir}"	\
-	rm -f $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/*.so		\
+		%{?_find_debuginfo_opts}				\\\
+		"%{_builddir}/%{?buildsubdir}/%{name}-%{version}-ia32"	\
+	rm -f $RPM_BUILD_ROOT%{_datadir}/shim/ia32-%{version}-%{release}/*.so \
+	mv debugfiles.list ../debugfiles-ia32.list			\
+	cd ..								\
 	%{nil}
+%else
+%global __debug_install_post						\
+	bash %{SOURCE4}							\\\
+		%{?_missing_build_ids_terminate_build:--strict-build-id}\\\
+		%{?_find_debuginfo_opts}				\\\
+		"%{_builddir}/%{?buildsubdir}/%{name}-%{version}-%{efiarch}" \
+	rm -f $RPM_BUILD_ROOT%{_datadir}/shim/%{efiarch}-%{version}-%{release}/*.so \
+	mv debugfiles.list ../debugfiles-%{efiarch}.list		\
+	cd ..								\
+	%{nil}
+%endif
 
-%files -n shim-unsigned
+%files -n shim-unsigned-%{efiarch}
 %dir %{_datadir}/shim
 %dir %{_datadir}/shim/%{efiarch}-%{version}-%{release}/
 %{_datadir}/shim/%{efiarch}-%{version}-%{release}/*.efi
 %{_datadir}/shim/%{efiarch}-%{version}-%{release}/*.hash
 
-%files -n shim-unsigned-%{efiarch}-debuginfo -f debugfiles.list
+%files -n shim-unsigned-%{efiarch}-debuginfo -f debugfiles-%{efiarch}.list
 %defattr(-,root,root)
 
+%ifarch x86_64
+%files -n shim-unsigned-ia32
+%dir %{_datadir}/shim
+%dir %{_datadir}/shim/ia32-%{version}-%{release}/
+%{_datadir}/shim/ia32-%{version}-%{release}/*.efi
+%{_datadir}/shim/ia32-%{version}-%{release}/*.hash
+
+%files -n shim-unsigned-ia32-debuginfo -f debugfiles-ia32.list
+%defattr(-,root,root)
+%endif
+
 %changelog
+* Thu Apr 27 2017 Peter Jones <pjones@redhat.com> - 12-1
+- Update to 12-1 to work around a signtool.exe bug
+  Related: rhbz#1445393
+
+* Mon Apr 03 2017 Peter Jones <pjones@redhat.com> - 11-1
+- Update to 11-1
+  Related: rhbz#1310766
+- Fix regression in PE loader
+  Related: rhbz#1310766
+- Fix case where BDS invokes us wrong and we exec shim again as a result
+  Related: rhbz#1310766
+
+* Tue Mar 21 2017 Peter Jones <pjones@redhat.com> - 10-1
+- Update to 10-1
+- Support ia32
+  Resolves: rhbz#1310766
+- Handle various different load option implementation differences
+- TPM 1 and TPM 2 support.
+- Update to OpenSSL 1.0.2k
+
 * Mon Jun 22 2015 Peter Jones <pjones@redhat.com> - 0.9-1
 - Update to 0.9-1
 - Fix early call to BS->Exit()