diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e57fc72
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+SOURCES/fbx64.efi
+SOURCES/mmx64.efi
+SOURCES/shimaa64.efi
+SOURCES/shimx64.efi
diff --git a/.shim.metadata b/.shim.metadata
new file mode 100644
index 0000000..ca47a99
--- /dev/null
+++ b/.shim.metadata
@@ -0,0 +1,4 @@
+cf5667660f4920bc291595441e27e82578b4103d SOURCES/fbx64.efi
+c51e8bfbb8d340a130c7e2b45edbd46ad2bda8f1 SOURCES/mmx64.efi
+750bd7932437b1fb6610c233f69db1b70d67fab1 SOURCES/shimaa64.efi
+7476966216dd8c2e6c2203728a01719be289dd54 SOURCES/shimx64.efi
diff --git a/SOURCES/BOOTAA64.CSV b/SOURCES/BOOTAA64.CSV
new file mode 100644
index 0000000..2dad06e
Binary files /dev/null and b/SOURCES/BOOTAA64.CSV differ
diff --git a/SOURCES/BOOTX64.CSV b/SOURCES/BOOTX64.CSV
new file mode 100644
index 0000000..77b070b
Binary files /dev/null and b/SOURCES/BOOTX64.CSV differ
diff --git a/SOURCES/fbaa64.efi b/SOURCES/fbaa64.efi
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/SOURCES/fbaa64.efi
diff --git a/SOURCES/mmaa64.efi b/SOURCES/mmaa64.efi
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/SOURCES/mmaa64.efi
diff --git a/SOURCES/redhatsecureboot501.cer b/SOURCES/redhatsecureboot501.cer
new file mode 100644
index 0000000..dfa7afb
Binary files /dev/null and b/SOURCES/redhatsecureboot501.cer differ
diff --git a/SOURCES/redhatsecurebootca5.cer b/SOURCES/redhatsecurebootca5.cer
new file mode 100644
index 0000000..dfb0284
Binary files /dev/null and b/SOURCES/redhatsecurebootca5.cer differ
diff --git a/SOURCES/shim.rpmmacros b/SOURCES/shim.rpmmacros
new file mode 100644
index 0000000..00f1b51
--- /dev/null
+++ b/SOURCES/shim.rpmmacros
@@ -0,0 +1,198 @@
+%global debug_package %{nil}
+%global __brp_mangle_shebangs_exclude_from_file %{expand:%{_builddir}/shim-%{efi_arch}-%{version}-%{release}.%{_target_cpu}-shebangs.txt}
+%global vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
+%global vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
+
+%global bootcsvaa64 %{expand:%{SOURCE10}}
+%global bootcsvx64 %{expand:%{SOURCE12}}
+#%%global bootcsvarm %%{expand:%%{SOURCE13}}
+
+%global shimefiaa64 %{expand:%{SOURCE20}}
+%global shimefix64 %{expand:%{SOURCE22}}
+#%%global shimefiarm %%{expand:%%{SOURCE23}
+
+%global fbefiaa64 %{expand:%{SOURCE30}}
+%global fbefix64 %{expand:%{SOURCE32}}
+#%%global fbefiarm %%{expand:%%{SOURCE33}
+
+%global mmefiaa64 %{expand:%{SOURCE40}}
+%global mmefix64 %{expand:%{SOURCE42}}
+#%%global mmefiarm %%{expand:%%{SOURCE43}
+
+%global shimveraa64 15-6.el9
+%global shimverx64 15.5-1.el9
+#%%global shimverarm 15-1.el8
+
+%global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64
+%global shimdirx64 %{_datadir}/shim/%{shimverx64}/x64
+#%%global shimdirarm %%{_datadir}/shim/%%{shimverarm}/arm
+
+%global unsignedaa64 shim-unsigned-aarch64
+%global unsignedx64 shim-unsigned-x64
+#%%global unsignedarm shim-unsigned-arm
+
+%global bootcsv %{expand:%{bootcsv%{efi_arch}}}
+%global bootcsvalt %{expand:%{bootcsv%{?efi_alt_arch}}}
+%global shimefi %{expand:%{shimefi%{efi_arch}}}
+%global shimefialt %{expand:%{shimefi%{?efi_alt_arch}}}
+%global shimver %{expand:%{shimver%{efi_arch}}}
+%global shimveralt %{expand:%{shimver%{?efi_alt_arch}}}
+%global shimdir %{expand:%{shimdir%{efi_arch}}}
+%global shimdiralt %{expand:%{shimdir%{?efi_alt_arch}}}
+%global fbefi %{expand:%{fbefi%{efi_arch}}}
+%global fbefialt %{expand:%{fbefi%{?efi_alt_arch}}}
+%global mmefi %{expand:%{mmefi%{efi_arch}}}
+%global mmefialt %{expand:%{mmefi%{?efi_alt_arch}}}
+
+%global unsignednone shim-unsigned-none
+%global unsigned %{expand:%%{unsigned%{efi_arch}}}
+%global unsignedalt %{expand:%%{unsigned%{efi_alt_arch}}}
+
+%define define_pkg(a:p:) \
+%{expand:%%package -n shim-%{-a*}} \
+Summary: First-stage UEFI bootloader \
+Requires: mokutil >= 1:0.3.0-1 \
+Requires: efi-filesystem \
+Provides: shim-signed-%{-a*} = %{version}-%{release} \
+Requires: dbxtool >= 0.6-3 \
+%{expand:%%if 0%%{-p*} \
+Provides: shim = %{version}-%{release} \
+Provides: shim-signed = %{version}-%{release} \
+Obsoletes: shim-signed < %{version}-%{release} \
+Obsoletes: shim < %{version}-%{release} \
+%%endif} \
+# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI \
+# is not compatible with SysV (there's no red zone under UEFI) and \
+# there isn't a POSIX-style C library. \
+# BuildRequires: OpenSSL \
+Provides: bundled(openssl) = 1.0.2j \
+ \
+%{expand:%%description -n shim-%{-a*}} \
+Initial UEFI bootloader that handles chaining to a trusted full \
+bootloader under secure boot environments. This package contains the \
+version signed by the UEFI signing service. \
+%{nil}
+
+# -a <efiarch>
+# -i <input>
+%define hash(a:i:d:) \
+ if [ 0%{?_unsigned_test_build:%{_unsigned_test_build}} -ne 0 ] ; then \
+ pesign -i %{-i*} -h -P > shim.hash \
+ read file0 hash0 < shim.hash \
+ read file1 hash1 < %{-d*}/shim%{-a*}.hash \
+ if ! [ "$hash0" = "$hash1" ] ; then \
+ echo Invalid signature\! > /dev/stderr \
+ echo $hash0 vs $hash1 \
+ exit 1 \
+ fi \
+ fi \
+ %{nil}
+
+# -i <input>
+# -o <output>
+%define sign(i:o:n:a:c:) \
+ %{expand:%%pesign -s -i %{-i*} -o %{-o*} %{-n} %{-n*} %{-a} %{-a*} %{-c} %{-c*}} \
+ %{nil}
+
+# -b <binary prefix>
+# -a <efiarch>
+# -i <input>
+%define distrosign(b:a:d:) \
+ if [ 0%{?_unsigned_test_build:%{_unsigned_test_build}} -ne 0 ] ; then \
+ if [ "%{-b*}%{-a*}" = "shim%{efi_arch}" ] ; then \
+ cp -av "%{shimefi}" %{-b*}%{-a*}-unsigned.efi \
+ elif [ "%{-b*}%{-a*}" = "shim%{efi_alt_arch}" ] ; then \
+ cp -av "%{shimefialt}" %{-b*}%{-a*}-unsigned.efi \
+ elif [ "%{-b*}%{-a*}" = "mm%{efi_arch}" ] ; then \
+ cp -av "%{mmefi}" %{-b*}%{-a*}-unsigned.efi \
+ elif [ "%{-b*}%{-a*}" = "mm%{efi_alt_arch}" ] ; then \
+ cp -av "%{mmefialt}" %{-b*}%{-a*}-unsigned.efi \
+ elif [ "%{-b*}%{-a*}" = "fb%{efi_arch}" ] ; then \
+ cp -av "%{fbefi}" %{-b*}%{-a*}-unsigned.efi \
+ elif [ "%{-b*}%{-a*}" = "fb%{efi_alt_arch}" ] ; then \
+ cp -av "%{fbefialt}" %{-b*}%{-a*}-unsigned.efi \
+ fi \
+ else \
+ cp -av %{-d*}/%{-b*}%{-a*}.efi %{-b*}%{-a*}-unsigned.efi \
+ fi \
+ %{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi -n redhatsecureboot501 -a %{SOURCE2} -c %{SOURCE1} } \
+ %{nil}
+
+# -a <efiarch>
+# -A <EFIARCH>
+# -b <1|0> # signed by this builder?
+# -c <1|0> # signed by UEFI CA?
+# -i <shimARCH.efi>
+# -d /usr/share dir for this build (full path)
+%define define_build(a:A:b:c:i:d:) \
+if [ "%{-c*}" = "yes-temporarily-disabled-20180723" ]; then \
+ %{expand:%%hash -i %{-i*} -a %{-a*} -d %{-d*}} \
+fi \
+cp %{-i*} shim%{-a*}.efi \
+if [ "%{-b*}" = "yes" ] ; then \
+ %{expand:%%distrosign -b shim -a %{-a*} -d %{-d*}} \
+ mv shim%{-a*}-signed.efi shim%{-a*}-%{efi_vendor}.efi \
+fi \
+if [ "%{-c*}" = "no" ] || \
+ [ 0%{?_unsigned_test_build:%{_unsigned_test_build}} -ne 0 ] ; then \
+ cp shim%{-a*}-%{efi_vendor}.efi shim%{-a*}.efi \
+fi \
+%{expand:%%distrosign -b mm -a %{-a*} -d %{-d*}} \
+mv mm%{-a*}-signed.efi mm%{-a*}.efi \
+%{expand:%%distrosign -b fb -a %{-a*} -d %{-d*}} \
+mv fb%{-a*}-signed.efi fb%{-a*}.efi \
+rm -vf \\\
+ mm%{-a*}-unsigned.efi \\\
+ fb%{-a*}-unsigned.efi \\\
+ shim%{-a*}-unsigned.efi \
+%{nil}
+
+# -a <efiarch>
+# -A <EFIARCH>
+# -b <BOOTCSV>
+%define do_install(a:A:b:) \
+install -m 0700 shim%{-a*}.efi \\\
+ $RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}.efi \
+install -m 0700 shim%{-a*}-%{efi_vendor}.efi \\\
+ $RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}-%{efi_vendor}.efi \
+install -m 0700 mm%{-a*}.efi \\\
+ $RPM_BUILD_ROOT%{efi_esp_dir}/mm%{-a*}.efi \
+install -m 0700 %{-b*} \\\
+ $RPM_BUILD_ROOT%{efi_esp_dir}/BOOT%{-A*}.CSV \
+install -m 0700 shim%{-a*}.efi \\\
+ $RPM_BUILD_ROOT%{efi_esp_boot}/BOOT%{-A*}.EFI \
+install -m 0700 fb%{-a*}.efi \\\
+ $RPM_BUILD_ROOT%{efi_esp_boot}/fb%{-a*}.efi \
+%nil
+
+# -a <efiarch>
+# -A <EFIARCH>
+%define define_files(a:A:) \
+%{expand:%%files -n shim-%{-a*}} \
+%{efi_esp_dir}/*%{-a*}*.efi \
+%{efi_esp_dir}/BOOT%{-A*}.CSV \
+%{efi_esp_boot}/*%{-a*}.efi \
+%{efi_esp_boot}/*%{-A*}.EFI \
+%{nil}
+
+%ifarch x86_64
+%global is_signed yes
+%global is_alt_signed no
+%global provide_legacy_shim 1
+%endif
+%ifarch aarch64
+%global is_signed no
+%global is_alt_signed no
+%global provide_legacy_shim 1
+%endif
+%ifnarch x86_64 aarch64
+%global is_signed no
+%global is_alt_signed no
+%global provide_legacy_shim 0
+%endif
+
+%if ! 0%{?vendor:1}
+%global vendor nopenopenope
+%endif
+
+# vim:filetype=rpmmacros
diff --git a/SPECS/shim.spec b/SPECS/shim.spec
new file mode 100644
index 0000000..21f97a4
--- /dev/null
+++ b/SPECS/shim.spec
@@ -0,0 +1,160 @@
+Name: shim
+Version: 15.5
+Release: 2.el9
+Summary: First-stage UEFI bootloader
+License: BSD
+URL: https://github.com/rhboot/shim/
+BuildRequires: efi-filesystem
+BuildRequires: efi-srpm-macros >= 6
+
+ExclusiveArch: %{efi}
+# and we don't have shim-unsigned-arm builds *yet*
+ExcludeArch: %{arm} %{ix86}
+
+Source0: shim.rpmmacros
+Source1: redhatsecureboot501.cer
+Source2: redhatsecurebootca5.cer
+
+# keep these two lists of sources synched up arch-wise. That is 0 and 10
+# match, 1 and 11 match, ...
+Source10: BOOTAA64.CSV
+Source20: shimaa64.efi
+Source30: mmaa64.efi
+Source40: fbaa64.efi
+Source12: BOOTX64.CSV
+Source22: shimx64.efi
+Source32: mmx64.efi
+Source42: fbx64.efi
+#Source13: BOOTARM.CSV
+#Source23: shimarm.efi
+#Source33: mmarm.efi
+#Source43: fbarm.efi
+
+%include %{SOURCE0}
+
+BuildRequires: pesign >= 0.112-20.fc27
+# We need this because %%{efi} won't expand before choosing where to make
+# the src.rpm in koji, and we could be on a non-efi architecture, in which
+# case we won't have a valid expansion here... To be solved in the future
+# (shim 16+) by making the unsigned packages all provide "shim-unsigned", so
+# we can just BuildRequires that.
+%ifarch x86_64
+## BuildRequires: %% {unsignedx64} = %% {shimverx64}
+BuildRequires: shim-unsigned-x64 = 15.5-1.el9
+%endif
+%ifarch aarch64
+BuildRequires: %{unsignedaa64} = %{shimveraa64}
+%endif
+#%%ifarch arm
+#BuildRequires: %%{unsignedarm} = %%{shimverarm}
+#%%endif
+
+%description
+Initial UEFI bootloader that handles chaining to a trusted full bootloader
+under secure boot environments. This package contains the version signed by
+the UEFI signing service.
+
+%define_pkg -a %{efi_arch} -p 1
+%if %{efi_has_alt_arch}
+%define_pkg -a %{efi_alt_arch}
+%endif
+
+%prep
+cd %{_builddir}
+rm -rf shim-%{version}
+mkdir shim-%{version}
+
+%build
+export PS4='${LINENO}: '
+
+cd shim-%{version}
+%if %{efi_has_alt_arch}
+%define_build -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -i %{shimefialt} -b yes -c %{is_alt_signed} -d %{shimdiralt}
+%endif
+%define_build -a %{efi_arch} -A %{efi_arch_upper} -i %{shimefi} -b yes -c %{is_signed} -d %{shimdir}
+
+%install
+rm -rf $RPM_BUILD_ROOT
+cd shim-%{version}
+install -D -d -m 0755 $RPM_BUILD_ROOT/boot/
+install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_root}/
+install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_efi}/
+install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_dir}/
+install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_boot}/
+
+%do_install -a %{efi_arch} -A %{efi_arch_upper} -b %{bootcsv}
+%if %{efi_has_alt_arch}
+%do_install -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -b %{bootcsvalt}
+%endif
+
+%if %{provide_legacy_shim}
+install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi
+%endif
+
+( cd $RPM_BUILD_ROOT ; find .%{efi_esp_root} -type f ) \
+ | sed -e 's/\./\^/' -e 's,^\\\./,.*/,' -e 's,$,$,' > %{__brp_mangle_shebangs_exclude_from_file}
+
+%define_files -a %{efi_arch} -A %{efi_arch_upper}
+%if %{efi_has_alt_arch}
+%define_files -a %{efi_alt_arch} -A %{efi_alt_arch_upper}
+%endif
+
+%if %{provide_legacy_shim}
+%{efi_esp_dir}/shim.efi
+%endif
+
+%changelog
+* Thu Apr 14 2022 Peter Jones <pjones@redhat.com> - 15.5-2.el9
+- Attempt to make aarch64 build.
+ Related: rhbz#1932057
+
+* Thu Apr 14 2022 Peter Jones <pjones@redhat.com> - 15.5-1.el9
+- Rebuild for rhel-9.0.0
+ Resolves: rhbz#1932057
+
+* Mon Sep 21 2020 Javier Martinez Canillas <javierm@redhat.com> - 15-16
+- Fix an incorrect allocation size
+
+* Fri Jul 31 2020 Peter Jones <pjones@redhat.com> - 15-15
+- Update once again for new signed shim builds.
+
+* Tue Jul 28 2020 Peter Jones <pjones@redhat.com> - 15-14
+- Get rid of our %%dist hack for now.
+
+* Tue Jul 28 2020 Peter Jones <pjones@redhat.com> - 15-13
+- New signing keys
+
+* Thu Jun 11 2020 Javier Martinez Canillas <javierm@redhat.com> - 15-12
+- Fix firmware update bug in aarch64 caused by shim ignoring arguments
+- Fix a shim crash when attempting to netboot
+
+* Fri Jun 07 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-11
+- Update the shim-unsigned-aarch64 version number
+
+* Fri Jun 07 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-10
+- Add a gating.yaml file so the package can be properly gated
+
+* Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-9
+- Bump the NVR
+
+* Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-7
+- Make EFI variable copying fatal only on secureboot enabled systems
+- Fix booting shim from an EFI shell using a relative path
+
+* Thu Mar 14 2019 Peter Jones <pjones@redhat.com> - 15-6
+- Fix MoK mirroring issue which breaks kdump without intervention
+
+* Thu Jan 24 2019 Peter Jones <pjones@redhat.com> - 15-5
+- Rebuild for signing once again. If the signer actually works, then:
+
+* Tue Oct 16 2018 Peter Jones <pjones@redhat.com> - 15-4
+- Rebuild for signing
+
+* Mon Aug 13 2018 Troy Dawson <tdawson@redhat.com>
+- Release Bumped for el8 Mass Rebuild
+
+* Sat Aug 11 2018 Troy Dawson <tdawson@redhat.com>
+- Release Bumped for el8+8 Mass Rebuild
+
+* Mon Jul 23 2018 Peter Jones <pjones@redhat.com> - 15-1
+- Build for RHEL 8