diff --git a/.shim.metadata b/.shim.metadata
new file mode 100644
index 0000000..7f2a942
--- /dev/null
+++ b/.shim.metadata
@@ -0,0 +1,7 @@
+d193e3e3cf19148c8ac867de8e1ae39f9b66afec SOURCES/DB.auth
+7686b4eb198c0efb70dae703dc8d71885d462ab0 SOURCES/0.7.tar.gz
+b8452a8a6a929d4938391d106e810fd517430bbc SOURCES/PK.auth
+66895070de7ebfc2d49324ad24ee53debcc540db SOURCES/securebootca.cer
+4c954f56aa4273f24bb45c6e8b0084a67999c251 SOURCES/KEK.auth
+f4e556118ee4f4dec187db15dc8767b92e99461d SOURCES/mokutil-0.2.0.tar.bz2
+531f3d9eb430649609695efd3d97ff3f6b8b9326 SOURCES/0.3.tar.gz
diff --git a/README.md b/README.md
deleted file mode 100644
index 0e7897f..0000000
--- a/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-The master branch has no content
- 
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
- 
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/0001-Fix-path-generation-for-Dhcpv4-bootloader.patch b/SOURCES/0001-Fix-path-generation-for-Dhcpv4-bootloader.patch
new file mode 100644
index 0000000..5bbcb2d
--- /dev/null
+++ b/SOURCES/0001-Fix-path-generation-for-Dhcpv4-bootloader.patch
@@ -0,0 +1,124 @@
+From 0ca010d2f46a4bd49d79a529efb74680110012b5 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Wed, 20 Nov 2013 12:20:23 -0500
+Subject: [PATCH] Fix path generation for Dhcpv4 bootloader.
+
+Right now we always look for e.g. "\grubx64.efi", which is completely
+wrong.  This makes it look for the path shim was loaded from and modify
+that to end in a sanitized version of our default loader name.
+
+Resolves: rhbz#1032583
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ include/str.h | 45 +++++++++++++++++++++++++++++++++++++++++++++
+ netboot.c     | 28 +++++++++++++++++++++-------
+ 2 files changed, 66 insertions(+), 7 deletions(-)
+ create mode 100644 include/str.h
+
+diff --git a/include/str.h b/include/str.h
+new file mode 100644
+index 0000000..0f3e003
+--- /dev/null
++++ b/include/str.h
+@@ -0,0 +1,45 @@
++#ifndef SHIM_STR_H
++#define SHIM_STR_H
++
++static inline
++__attribute__((unused))
++unsigned long strnlena(const CHAR8 *s, unsigned long n)
++{
++	unsigned long i;
++	for (i = 0; i <= n; i++)
++		if (s[i] == '\0')
++			break;
++	return i;
++}
++
++static inline
++__attribute__((unused))
++CHAR8 *
++strncpya(CHAR8 *dest, const CHAR8 *src, unsigned long n)
++{
++	unsigned long i;
++
++	for (i = 0; i < n && src[i] != '\0'; i++)
++		dest[i] = src[i];
++	for (; i < n; i++)
++		dest[i] = '\0';
++
++	return dest;
++}
++
++static inline
++__attribute__((unused))
++CHAR8 *
++strcata(CHAR8 *dest, const CHAR8 *src)
++{
++	unsigned long dest_len = strlena(dest);
++	unsigned long i;
++
++	for (i = 0; src[i] != '\0'; i++)
++		dest[dest_len + i] = src[i];
++	dest[dest_len + i] = '\0';
++
++	return dest;
++}
++
++#endif /* SHIM_STR_H */
+diff --git a/netboot.c b/netboot.c
+index a83c82a..1732dc7 100644
+--- a/netboot.c
++++ b/netboot.c
+@@ -38,6 +38,7 @@
+ #include <string.h>
+ #include "shim.h"
+ #include "netboot.h"
++#include "str.h"
+ 
+ static inline unsigned short int __swap16(unsigned short int x)
+ {
+@@ -305,19 +306,32 @@ static EFI_STATUS parseDhcp6()
+ 
+ static EFI_STATUS parseDhcp4()
+ {
+-	CHAR8 *template = (CHAR8 *)DEFAULT_LOADER_CHAR;
+-	full_path = AllocateZeroPool(strlen(template)+1);
++	CHAR8 *template = (CHAR8 *)translate_slashes(DEFAULT_LOADER_CHAR);
++	UINTN template_len = strlen(template) + 1;
++
++	UINTN dir_len = strnlena(pxe->Mode->DhcpAck.Dhcpv4.BootpBootFile, 127);
++	UINTN i;
++	UINT8 *dir = pxe->Mode->DhcpAck.Dhcpv4.BootpBootFile;
++
++	for (i = dir_len; i >= 0; i--) {
++		if (dir[i] == '/')
++			break;
++	}
++	dir_len = (i >= 0) ? i + 1 : 0;
++
++	full_path = AllocateZeroPool(dir_len + template_len);
+ 
+ 	if (!full_path)
+ 		return EFI_OUT_OF_RESOURCES;
+ 
++	if (dir_len > 0) {
++		strncpya(full_path, dir, dir_len);
++		if (full_path[dir_len-1] == '/' && template[0] == '/')
++			full_path[dir_len-1] = '\0';
++	}
++	strcata(full_path, template);
+ 	memcpy(&tftp_addr.v4, pxe->Mode->DhcpAck.Dhcpv4.BootpSiAddr, 4);
+ 
+-	memcpy(full_path, template, strlen(template));
+-
+-	/* Note we don't capture the filename option here because we know its shim.efi
+-	 * We instead assume the filename at the end of the path is going to be grubx64.efi
+-	 */
+ 	return EFI_SUCCESS;
+ }
+ 
+-- 
+1.8.3.1
+
diff --git a/SOURCES/0001-Lengths-that-might-be-1-can-t-be-unsigned-Peter.patch b/SOURCES/0001-Lengths-that-might-be-1-can-t-be-unsigned-Peter.patch
new file mode 100644
index 0000000..62712c3
--- /dev/null
+++ b/SOURCES/0001-Lengths-that-might-be-1-can-t-be-unsigned-Peter.patch
@@ -0,0 +1,40 @@
+From 36c3ce078d59abe148cd5045c0a8d9b9f7ffb88e Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Thu, 21 Nov 2013 11:26:08 -0500
+Subject: [PATCH] Lengths that might be -1 can't be unsigned, Peter.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ netboot.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/netboot.c b/netboot.c
+index 1732dc7..07e2773 100644
+--- a/netboot.c
++++ b/netboot.c
+@@ -307,10 +307,10 @@ static EFI_STATUS parseDhcp6()
+ static EFI_STATUS parseDhcp4()
+ {
+ 	CHAR8 *template = (CHAR8 *)translate_slashes(DEFAULT_LOADER_CHAR);
+-	UINTN template_len = strlen(template) + 1;
++	INTN template_len = strlen(template) + 1;
+ 
+-	UINTN dir_len = strnlena(pxe->Mode->DhcpAck.Dhcpv4.BootpBootFile, 127);
+-	UINTN i;
++	INTN dir_len = strnlena(pxe->Mode->DhcpAck.Dhcpv4.BootpBootFile, 127);
++	INTN i;
+ 	UINT8 *dir = pxe->Mode->DhcpAck.Dhcpv4.BootpBootFile;
+ 
+ 	for (i = dir_len; i >= 0; i--) {
+@@ -329,6 +329,8 @@ static EFI_STATUS parseDhcp4()
+ 		if (full_path[dir_len-1] == '/' && template[0] == '/')
+ 			full_path[dir_len-1] = '\0';
+ 	}
++	if (dir_len == 0 && dir[0] != '/' && template[0] == '/')
++		template++;
+ 	strcata(full_path, template);
+ 	memcpy(&tftp_addr.v4, pxe->Mode->DhcpAck.Dhcpv4.BootpSiAddr, 4);
+ 
+-- 
+1.8.3.1
+
diff --git a/SPECS/shim.spec b/SPECS/shim.spec
new file mode 100644
index 0000000..1867183
--- /dev/null
+++ b/SPECS/shim.spec
@@ -0,0 +1,182 @@
+Name:           shim
+Version:        0.7
+Release:        4%{?dist}
+Summary:        First-stage UEFI bootloader
+
+License:        BSD
+URL:            http://www.codon.org.uk/~mjg59/shim/
+Source0:	https://github.com/mjg59/shim/archive/%{version}.tar.gz
+Source1:	securebootca.cer
+
+# incorporate mokutil for packaging simplicity
+%global mokutilver 0.2.0
+Source2:	https://github.com/lcp/mokutil/archive/mokutil-%{mokutilver}.tar.bz2
+
+# currently here's what's in our dbx:
+# nothing.
+#Source3:	dbx.esl
+%global lockdownver 0.3
+Source4:	https://github.com/vathpela/lockdown/archive/%{lockdownver}.tar.gz
+Source5:	DB.auth
+Source6:	KEK.auth
+Source7:	PK.auth
+Patch0000:	0001-Fix-path-generation-for-Dhcpv4-bootloader.patch
+Patch0002:	0001-Lengths-that-might-be-1-can-t-be-unsigned-Peter.patch
+
+BuildRequires: git openssl-devel openssl
+BuildRequires: pesign >= 0.106-1
+BuildRequires: gnu-efi = 3.0u, gnu-efi-devel = 3.0u
+
+# for xxd
+BuildRequires: vim-common
+
+# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
+# compatible with SysV (there's no red zone under UEFI) and there isn't a
+# POSIX-style C library.
+# BuildRequires: OpenSSL
+Provides: bundled(openssl) = 0.9.8w
+
+# Shim is only required on platforms implementing the UEFI secure boot
+# protocol. The only one of those we currently wish to support is 64-bit x86.
+# Adding further platforms will require adding appropriate relocation code.
+ExclusiveArch: x86_64
+
+# Figure out the right file path to use
+%if 0%{?rhel}
+%global efidir redhat
+%endif
+%if 0%{?fedora}
+%global efidir fedora
+%endif
+
+%description
+Initial UEFI bootloader that handles chaining to a trusted full bootloader
+under secure boot environments.
+
+%package -n shim-unsigned
+Summary: First-stage UEFI bootloader (unsigned data)
+
+%description -n shim-unsigned
+Initial UEFI bootloader that handles chaining to a trusted full bootloader
+under secure boot environments.
+
+%package -n mokutil
+Summary: Utilities for managing Secure Boot/MoK keys.
+
+%description -n mokutil
+Utilities for managing the "Machine's Own Keys" list.
+
+%prep
+%setup -q
+%setup -q -a 2 -D -T
+%setup -q -a 4 -D -T
+
+git init
+git config user.email "shim-owner@fedoraproject.org"
+git config user.name "Fedora Ninjas"
+git add .
+git commit -a -q -m "%{version} baseline."
+git am %{patches} </dev/null
+
+%build
+MAKEFLAGS=""
+if [ -f "%{SOURCE1}" ]; then
+	MAKEFLAGS="VENDOR_CERT_FILE=%{SOURCE1}"
+fi
+# MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE3}"
+make 'DEFAULT_LOADER=\\\\grubx64.efi' ${MAKEFLAGS} shim.efi MokManager.efi fallback.efi
+cd mokutil-%{mokutilver}
+%configure
+make %{?_smp_mflags}
+cd ../lockdown-%{lockdownver}/
+cp %{SOURCE5} %{SOURCE6} %{SOURCE7} ./
+xxd -i DB.auth > DB.h
+xxd -i KEK.auth > KEK.h
+xxd -i PK.auth > PK.h
+make DB_FILE=%{SOURCE5} KEK_FILE=%{SOURCE6} PK_FILE=%{SOURCE7} lockdown.efi
+
+%install
+rm -rf $RPM_BUILD_ROOT
+pesign -h -P -i shim.efi -h > shim.hash
+install -D -d -m 0755 $RPM_BUILD_ROOT%{_datadir}/shim/
+install -m 0644 shim.efi $RPM_BUILD_ROOT%{_datadir}/shim/shim.efi
+install -m 0644 shim.hash $RPM_BUILD_ROOT%{_datadir}/shim/shim.hash
+install -m 0644 fallback.efi $RPM_BUILD_ROOT%{_datadir}/shim/fallback.efi
+install -m 0644 MokManager.efi $RPM_BUILD_ROOT%{_datadir}/shim/MokManager.efi
+cd mokutil-%{mokutilver}
+make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
+cd ../lockdown-%{lockdownver}
+install -m 0644 lockdown.efi $RPM_BUILD_ROOT%{_datadir}/shim/lockdown.efi
+
+%files -n shim-unsigned
+%doc
+%dir %{_datadir}/shim
+%{_datadir}/shim/*
+
+%files -n mokutil
+/usr/bin/mokutil
+/usr/share/man/man1/mokutil.1.gz
+
+%changelog
+* Thu Nov 21 2013 Peter Jones <pjones@redhat.com> - 0.7-4
+- Make dhcpv4 paths work better when netbooting.
+  Resolves: rhbz#1032583
+
+* Thu Nov 14 2013 Peter Jones <pjones@redhat.com> - 0.7-3
+- Make lockdown include UEFI and other KEK/DB entries.
+  Resolves: rhbz#1030492
+
+* Fri Nov 08 2013 Peter Jones <pjones@redhat.com> - 0.7-2
+- Update lockdown to reflect SetupMode better as well
+  Related: rhbz#996863
+
+* Wed Nov 06 2013 Peter Jones <pjones@redhat.com> - 0.7-1
+- Fix logic to handle SetupMode efi variable.
+  Related: rhbz#996863
+
+* Thu Oct 31 2013 Peter Jones <pjones@redhat.com> - 0.6-1
+- Fix a FreePool(NULL) call on machines too old for SB
+
+* Fri Oct 04 2013 Peter Jones <pjones@redhat.com> - 0.5-1
+- Update to 0.5
+
+* Tue Aug 06 2013 Peter Jones <pjones@redhat.com> - 0.4-3
+- Build with early RHEL test keys.
+  Related: rhbz#989442
+
+* Thu Jul 25 2013 Peter Jones <pjones@redhat.com> - 0.4-2
+- Fix minor RHEL 7.0 build issues
+  Resolves: rhbz#978766
+- Be less verbose by default
+
+* Tue Jun 11 2013 Peter Jones <pjones@redhat.com> - 0.4-1
+- Update to 0.4
+
+* Fri Jun 07 2013 Peter Jones <pjones@redhat.com> - 0.3-2
+- Require gnu-efi-3.0q for now.
+- Don't allow mmx or sse during compilation.
+- Re-organize this so all real signing happens in shim-signed instead.
+- Split out mokutil
+
+* Wed Dec 12 2012 Peter Jones <pjones@redhat.com> - 0.2-3
+- Fix mokutil's idea of signature sizes.
+
+* Wed Nov 28 2012 Matthew Garrett <mjg59@srcf.ucam.org> - 0.2-2
+- Fix secure_mode() always returning true
+
+* Mon Nov 26 2012 Matthew Garrett <mjg59@srcf.ucam.org> - 0.2-1
+- Update shim
+- Include mokutil
+- Add debuginfo package since mokutil is a userspace executable
+
+* Mon Oct 22 2012 Peter Jones <pjones@redhat.com> - 0.1-4
+- Produce an unsigned shim
+
+* Tue Aug 14 2012 Peter Jones <pjones@redhat.com> - 0.1-3
+- Update how embedded cert and signing work.
+
+* Mon Aug 13 2012 Josh Boyer <jwboyer@redhat.com> - 0.1-2
+- Add patch to fix image size calculation
+
+* Mon Aug 13 2012 Matthew Garrett <mjg@redhat.com> - 0.1-1
+- initial release