Update to shim-16.1

Signed-off-by: Peter Jones <pjones@redhat.com>

0001-CFLAGS-add-Wno-error-address-of-packed-member.patch

@@ -1,25 +0,0 @@
-From 79f8e33de536909810578371dbc8a3043517b216 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Tue, 21 Jan 2020 14:37:59 -0500
-Subject: [PATCH] CFLAGS: add -Wno-error=address-of-packed-member
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- Make.defaults | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/Make.defaults b/Make.defaults
-index e11ab5a7f2c..065b17445b5 100644
---- a/Make.defaults
-+++ b/Make.defaults
-@@ -41,6 +41,7 @@ EFI_LDS		= $(TOPDIR)/elf_$(ARCH)_efi.lds
- 
- CFLAGS		= -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
- 		  -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
-+		  -Wno-error=address-of-packed-member -Wno-error=pointer-sign \
- 		  -Werror=sign-compare -ffreestanding -std=gnu89 \
- 		  -I$(shell $(CC) -print-file-name=include) \
- 		  "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
--- 
-2.24.1
-

0002-Fix-a-typo.patch

@@ -1,26 +0,0 @@
-From 67756daa55f48f1166b3526dca1309e32c99ad89 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Tue, 12 Nov 2019 14:34:51 -0500
-Subject: [PATCH] Fix a typo
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- lib/console.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/lib/console.c b/lib/console.c
-index 3fee403e2a8..39f29faadc4 100644
---- a/lib/console.c
-+++ b/lib/console.c
-@@ -360,7 +360,7 @@ static struct {
- 	{  EFI_SECURITY_VIOLATION,     L"Security Violation"},
- 
- 	// warnings
--	{  EFI_WARN_UNKOWN_GLYPH,      L"Warning Unknown Glyph"},
-+	{  EFI_WARN_UNKNOWN_GLYPH,     L"Warning Unknown Glyph"},
- 	{  EFI_WARN_DELETE_FAILURE,    L"Warning Delete Failure"},
- 	{  EFI_WARN_WRITE_FAILURE,     L"Warning Write Failure"},
- 	{  EFI_WARN_BUFFER_TOO_SMALL,  L"Warning Buffer Too Small"},
--- 
-2.23.0
-

rpminspect.yaml

@@ -0,0 +1,41 @@
+# rpminspect configuration
+
+---
+common:
+    workdir: /var/tmp/rpminspect
+    profiledir: /usr/share/rpminspect/profiles/fedora
+koji:
+    hub: https://koji.fedoraproject.org/kojihub
+    download_ursine: https://kojipkgs.fedoraproject.org
+    download_mbs: https://kojipkgs.fedoraproject.org
+commands:
+    msgunfmt: msgunfmt
+    desktop-file-validate: desktop-file-validate
+    abidiff: abidiff
+    kmidiff: kmidiff
+    annocheck: annocheck
+    udevadm: udevadm
+vendor:
+    vendor_data_dir: /usr/share/rpminspect
+    licensedb:
+        - /usr/share/fedora-license-data/licenses/fedora-licenses.json
+    favor_release: newest
+inspections:
+    abidiff: off
+    disttag: off
+    manpage: off
+    javabytecode: off
+metadata:
+    # Required Vendor string.  This is part of the RPM header and is
+    # the value expected in packages checked by rpminspect.
+    vendor: Fedora Project
+
+    # Allowed build host subdomain.  The RPM header contains information about
+    # where the package was built.  rpminspect verifies the hostnames are in
+    # the expected subdomain listed below.
+    #
+    # This is an array of allowed subdomains.
+    buildhost_subdomain:
+        - .fedoraproject.org
+        - .bos.redhat.com
+

sbat.redhat.csv.in

@@ -0,0 +1,3 @@
+shim.rh,3,The Fedora Project,shim,@@VERSION@@,https://src.fedoraproject.org/rpms/shim-unsigned-aarch64
+shim.redhat,3,The Fedora Project,shim,@@VERSION@@,https://src.fedoraproject.org/rpms/shim-unsigned-aarch64
+shim.fedora,3,The Fedora Project,shim,@@VERSION@@-@@RELEASE@@,https://src.fedoraproject.org/rpms/shim-unsigned-aarch64

shim-unsigned-aarch64.spec

@@ -1,12 +1,14 @@
 %global pesign_vre 0.106-1
-%global gnuefi_vre 1:3.0.8-1
 %global openssl_vre 1.0.2j
+%global shim_commit_id afc49558b34548644c1cd0ad1b6526a9470182ed
 
-%global debug_package %{nil}
-%global __debug_package 1
-%global _binaries_in_noarch_packages_terminate_build 0
-%global __debug_install_post %{SOURCE100} aa64
-%undefine _debuginfo_subpackages
+# For prereleases, % global prerelease rc2, and downpatch Makefile
+%if %{defined prerelease}
+%global dashpre -%{prerelease}
+%global dotpre .%{prerelease}
+%global tildepre ~%{prerelease}
+%global zdpd 0%{dotpre}.
+%endif
 
 %global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
 %global shimrootdir %{_datadir}/shim/
@@ -14,36 +16,40 @@
 %global efiarch aa64
 %global shimdir %{shimversiondir}/%{efiarch}
 
+%global debug_package %{nil}
+%global __debug_package 1
+%global _binaries_in_noarch_packages_terminate_build 0
+%global __debug_install_post %{SOURCE100} %{efiarch}
+%undefine _debuginfo_subpackages
+
+# currently here's what's in our dbx: nothing
+%global dbxfile %{nil}
+
 Name:		shim-unsigned-aarch64
-Version:	15
-Release:	2%{?dist}
+Version:	16.1
+Release:	1
 Summary:	First-stage UEFI bootloader
 ExclusiveArch:	aarch64
-License:	BSD
+License:	BSD-2-Clause AND OpenSSL
 URL:		https://github.com/rhboot/shim
-Source0:	https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
-Source1:	fedora-ca.cer
-# currently here's what's in our dbx:
-# grub2-efi-2.00-11.fc18.x86_64:
-# grubx64.efi 6ac839881e73504047c06a1aac0c4763408ecb3642783c8acf77a2d393ea5cd7
-# gcdx64.efi 065cd63bab696ad2f4732af9634d66f2c0d48f8a3134b8808750d378550be151
-# grub2-efi-2.00-11.fc19.x86_64:
-# grubx64.efi 49ece9a10a9403b32c8e0c892fd9afe24a974323c96f2cc3dd63608754bf9b45
-# gcdx64.efi 99fcaa957786c155a92b40be9c981c4e4685b8c62b408cb0f6cb2df9c30b9978
-# woops.
-Source2:	dbx.esl
+Source0:	https://github.com/rhboot/shim/releases/download/%{version}%{?dashpre}/shim-%{version}%{?dotpre}.tar.bz2
+Source1:	fedora-ca-20200709.cer
+%if 0%{?dbxfile}
+Source2:	%{dbxfile}
+%endif
+Source3:	sbat.redhat.csv.in
+Source4:	shim.patches
 
 Source100:	shim-find-debuginfo.sh
 
-Patch0001:	0001-CFLAGS-add-Wno-error-address-of-packed-member.patch
-Patch0002:	0002-Fix-a-typo.patch
+%include %{SOURCE4}
 
-BuildRequires:  gcc
+BuildRequires:	gcc make
 BuildRequires:	elfutils-libelf-devel
 BuildRequires:	git openssl-devel openssl
 BuildRequires:	pesign >= %{pesign_vre}
-BuildRequires:	gnu-efi >= %{gnuefi_vre}
-BuildRequires:	gnu-efi-devel >= %{gnuefi_vre}
+BuildRequires:	dos2unix findutils
+BuildRequires:	sed
 
 # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
 # compatible with SysV (there's no red zone under UEFI) and there isn't a
@@ -64,7 +70,6 @@ use this package or when debugging this package.
 
 %package debuginfo
 Summary:	Debug information for shim-unsigned-aarch64
-Requires:	%{name}-debugsource = %{version}-%{release}
 AutoReqProv:	0
 BuildArch:	noarch
 
@@ -84,41 +89,51 @@ BuildArch:	noarch
 git config --unset user.email
 git config --unset user.name
 mkdir build-%{efiarch}
+sed -e 's/@@VERSION@@/%{version}/g' \
+    -e 's/@@RELEASE@@/%{release}/g' \
+    < %{SOURCE3} > data/sbat.redhat.csv
 
 %build
-COMMITID=$(cat commit)
-MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
+COMMIT_ID=%{shim_commit_id}
+MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
-MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
-MAKEFLAGS+="%{_smp_mflags}"
+MAKEFLAGS+="ENABLE_SHIM_HASH=true "
+MAKEFLAGS+=" %{_smp_mflags} "
 if [ -f "%{SOURCE1}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
+	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
 fi
+%if 0%{?dbxfile}
 if [ -f "%{SOURCE2}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
+	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} "
 fi
+%endif
 
 cd build-%{efiarch}
-make ${MAKEFLAGS} DEFAULT_LOADER='\\\\grub%{efiarch}.efi' all
+make ${MAKEFLAGS} \
+	DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \
+	all
 cd ..
 
 %install
-COMMITID=$(cat commit)
-MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
+COMMIT_ID=%{shim_commit_id}
+MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
-MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
+MAKEFLAGS+="ENABLE_SHIM_HASH=true "
 if [ -f "%{SOURCE1}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
+	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
 fi
+%if 0%{?dbxfile}
 if [ -f "%{SOURCE2}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
+	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} "
 fi
+%endif
 
 cd build-%{efiarch}
 make ${MAKEFLAGS} \
 	DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \
 	DESTDIR=${RPM_BUILD_ROOT} \
 	install-as-data install-debuginfo install-debugsource
+install -m 0644 BOOT*.CSV "${RPM_BUILD_ROOT}/%{shimdir}/"
 cd ..
 
 %files
@@ -128,15 +143,40 @@ cd ..
 %dir %{shimdir}
 %{shimdir}/*.efi
 %{shimdir}/*.hash
+%{shimdir}/*.CSV
 
 %files debuginfo -f build-%{efiarch}/debugfiles.list
 
 %files debugsource -f build-%{efiarch}/debugsource.list
 
 %changelog
-* Tue Jan 21 2020 Peter Jones <pjones@redhat.com> - 15-2
-- Fix a minor rebuild issue; note that this means it won't match the
-  result that's in shim-15-8.
+* Wed Sep 03 2025 Peter Jones <pjones@redhat.com> - 16.1-1
+- Update to shim-16.1
+
+* Fri Mar 22 2024 Nicolas Frayer <nfrayer@redhat.com>
+- Migrate to SPDX license
+- Please refer to https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_2
+
+* Thu Mar 07 2024 Peter Jones <pjones@redhat.com> - 15.8-2
+- Update to shim-15.8
+  Resolves: CVE-2023-40546
+  Resolves: CVE-2023-40547
+  Resolves: CVE-2023-40548
+  Resolves: CVE-2023-40549
+  Resolves: CVE-2023-40550
+  Resolves: CVE-2023-40551
+  Resolves: rhbz#2113005
+  Resolves: rhbz#2189197
+  Resolves: rhbz#2238884
+  Resolves: rhbz#2259264
+
+* Thu Jul 07 2022 Robbie Harwood <rharwood@redhat.com> - 15.6-2
+- Add pjones's aarch64 relocation fix
+- Resolves: #2101248
+
+* Wed Jun 15 2022 Peter Jones <pjones@redhat.com> - 15.6-1
+- Update to shim-15.6
+  Resolves: CVE-2022-28737
 
 * Thu Apr 05 2018 Peter Jones <pjones@redhat.com> - 15-1
 - Update to shim 15

sources

@@ -1 +1 @@
-SHA512 (shim-15.tar.bz2) = f7dfac774d644111431ca56da76b5575b891b0abad970b318edaede11a0d83c869728bc39cb6af3689bdb203c6826545caf8ddd3d14228831027e334963cf957
+SHA512 (shim-16.1.tar.bz2) = ca5f80e82f3b80b622028f03ef23105c98ee1b6a25f52a59c823080a3202dd4b9962266489296e99f955eb92e36ce13e0b1d57f688350006bba45f2718f159fb