Update to shim 15.3

- Support for revocations via the ".sbat" section and SBAT EFI variable - A new unit test framework and a bunch of unit tests - No external gnu-efi dependency - Better CI So far, one known issue: building in subdirs is more or less completely broken. Patched here and pushed upstream. Resolves: CVE-2020-14372 Resolves: CVE-2020-25632 Resolves: CVE-2020-25647 Resolves: CVE-2020-27749 Resolves: CVE-2020-27779 Resolves: CVE-2021-20225 Resolves: CVE-2021-20233 Signed-off-by: Peter Jones <pjones@redhat.com>
2021-03-25 16:30:21 -04:00
11 changed files with 394 additions and 41 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,8 @@
+*~
 *.tar.*
-clog
 *.rpm
+.build*.log
+.*.sw?
+clog
+rhtest.cer
 shim-*/
--- a/0001-CI-don-t-use-make-s-it-s-more-trouble-than-help.patch
+++ b/0001-CI-don-t-use-make-s-it-s-more-trouble-than-help.patch
@ -0,0 +1,65 @@
+From ab40c869a2765262d9a911fe6284a606fd1fe0d6 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Wed, 24 Mar 2021 16:02:18 -0400
+Subject: [PATCH 1/2] CI: don't use 'make -s'; it's more trouble than help.
+
+This hides more subtle failures way too well; nerf it out.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ .github/workflows/pullrequest.yml | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/.github/workflows/pullrequest.yml b/.github/workflows/pullrequest.yml
+index 41ca282c887..6df69833346 100644
+--- a/.github/workflows/pullrequest.yml
+++ b/.github/workflows/pullrequest.yml
+@@ -110,14 +110,18 @@ jobs:
+         id: update-submodules
+         run: |
+           make update
+      - name: Do 'make clean' on ${{ matrix.distro }} for ${{ matrix.efiarch }}
+        id: clean
+        run: |
+          make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean
+       - name: Do the build on ${{ matrix.distro }} for ${{ matrix.efiarch }}
+         id: build
+         run: |
+-          make -s CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean all || make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean all
+          make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true all
+       - name: Install on ${{ matrix.distro }} for ${{ matrix.efiarch }}
+         id: install
+         run: |
+-          make -s CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install || make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install
+          make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install
+           echo 'results:'
+           find /destdir -type f
+ 
+@@ -190,17 +194,21 @@ jobs:
+         id: update-submodules
+         run: |
+           make update
+      - name: Do 'make clean' on ${{ matrix.distro }} for ${{ matrix.efiarch }}
+        id: clean
+        run: |
+          make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean
+       - name: Run tests on ${{ matrix.distro }} for ${{ matrix.efiarch }}
+         id: test
+         run: |
+-          make -s ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true test || make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true test
+          make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true test
+       - name: Do the build on ${{ matrix.distro }} for ${{ matrix.efiarch }}
+         id: build
+         run: |
+-          make -s ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean all || make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean all
+          make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true all
+       - name: Install on ${{ matrix.distro }} for ${{ matrix.efiarch }}
+         id: install
+         run: |
+-          make -s ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install || make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install
+          make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install
+           echo 'results:'
+           find /destdir -type f
+-- 
+2.30.2
+
--- a/0002-Make-building-outside-of-the-top-directory-work.patch
+++ b/0002-Make-building-outside-of-the-top-directory-work.patch
@ -0,0 +1,177 @@
+From fbd1a9b47c04ca0b917482dbb84625d4732054b3 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Wed, 24 Mar 2021 17:51:48 -0400
+Subject: [PATCH 2/2] Make building outside of the top directory work.
+
+This also makes the cross-build targets (and not the others) /use/ this
+functionality, so we'll catch it if we break it again.
+
+This fixes issue #340.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ .github/workflows/pullrequest.yml | 16 ++++++++----
+ Make.defaults                     |  1 +
+ Makefile                          | 43 ++++++++++++++++++++-----------
+ lib/Makefile                      |  2 +-
+ 5 files changed, 42 insertions(+), 22 deletions(-)
+
+diff --git a/.github/workflows/pullrequest.yml b/.github/workflows/pullrequest.yml
+index 6df69833346..5329496c6a8 100644
+--- a/.github/workflows/pullrequest.yml
+++ b/.github/workflows/pullrequest.yml
+@@ -110,18 +110,24 @@ jobs:
+         id: update-submodules
+         run: |
+           make update
+-      - name: Do 'make clean' on ${{ matrix.distro }} for ${{ matrix.efiarch }}
+-        id: clean
+      - name: Make a build directory for ${{ matrix.distro }} for ${{ matrix.efiarch }}
+        id: builddir
+         run: |
+-          make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean
+          rm -rf build-${{ matrix.distro }}-${{ matrix.efiarch }}
+          mkdir build-${{ matrix.distro }}-${{ matrix.efiarch }}
+          cd build-${{ matrix.distro }}-${{ matrix.efiarch }}
+       - name: Do the build on ${{ matrix.distro }} for ${{ matrix.efiarch }}
+         id: build
+         run: |
+-          make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true all
+          pwd
+          cd build-${{ matrix.distro }}-${{ matrix.efiarch }}
+          make TOPDIR=.. -f ../Makefile CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true all
+       - name: Install on ${{ matrix.distro }} for ${{ matrix.efiarch }}
+         id: install
+         run: |
+-          make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install
+          pwd
+          cd build-${{ matrix.distro }}-${{ matrix.efiarch }}
+          make TOPDIR=.. -f ../Makefile CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install
+           echo 'results:'
+           find /destdir -type f
+ 
+diff --git a/Make.defaults b/Make.defaults
+index b7721547dee..a775083ee0b 100644
+--- a/Make.defaults
+++ b/Make.defaults
+@@ -1,6 +1,7 @@
+ 
+ # load the local configuration if it exists
+ -include Make.local
+-include $(TOPDIR)/Make.local
+ 
+ COMPILER	?= gcc
+ CC		= $(CROSS_COMPILE)$(COMPILER)
+diff --git a/Makefile b/Makefile
+index e349c6f9d49..b2f33b17289 100644
+--- a/Makefile
+++ b/Makefile
+@@ -45,7 +45,7 @@ MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o sbat_data.o
+ ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
+ FALLBACK_OBJS = fallback.o tpm.o errlog.o sbat_data.o
+ ORIG_FALLBACK_SRCS = fallback.c
+-SBATPATH = data/sbat.csv
+SBATPATH = $(TOPDIR)/data/sbat.csv
+ 
+ ifeq ($(SOURCE_DATE_EPOCH),)
+ 	UNAME=$(shell uname -s -m -p -i -o)
+@@ -146,21 +146,23 @@ $(MMSONAME): $(MOK_OBJS) $(LIBS)
+ 
+ gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a: CFLAGS+=-DGNU_EFI_USE_EXTERNAL_STDARG
+ gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a:
+	mkdir -p gnu-efi/lib gnu-efi/gnuefi
+ 	$(MAKE) -C gnu-efi \
+ 		ARCH=$(ARCH_GNUEFI) TOPDIR=$(TOPDIR)/gnu-efi \
+		-f $(TOPDIR)/gnu-efi/Makefile \
+ 		lib gnuefi inc
+ 
+ Cryptlib/libcryptlib.a:
+ 	for i in Hash Hmac Cipher Rand Pk Pem SysCall; do mkdir -p Cryptlib/$$i; done
+-	$(MAKE) VPATH=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile
+	$(MAKE) TOPDIR=$(TOPDIR) VPATH=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile
+ 
+ Cryptlib/OpenSSL/libopenssl.a:
+ 	for i in x509v3 x509 txt_db stack sha rsa rc4 rand pkcs7 pkcs12 pem ocsp objects modes md5 lhash kdf hmac evp err dso dh conf comp cmac buffer bn bio async/arch asn1 aes; do mkdir -p Cryptlib/OpenSSL/crypto/$$i; done
+-	$(MAKE) VPATH=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile
+	$(MAKE) TOPDIR=$(TOPDIR) VPATH=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile
+ 
+ lib/lib.a: | $(TOPDIR)/lib/Makefile $(wildcard $(TOPDIR)/include/*.[ch])
+-	if [ ! -d lib ]; then mkdir lib ; fi
+-	$(MAKE) VPATH=$(TOPDIR)/lib -C lib -f $(TOPDIR)/lib/Makefile lib.a
+	mkdir -p lib
+	$(MAKE) VPATH=$(TOPDIR)/lib TOPDIR=$(TOPDIR) -C lib -f $(TOPDIR)/lib/Makefile
+ 
+ buildid : $(TOPDIR)/buildid.c
+ 	$(HOSTCC) -I/usr/include -Og -g3 -Wall -Werror -Wextra -o $@ $< -lelf
+@@ -275,35 +277,46 @@ else
+ endif
+ 
+ test :
+-	@make -f include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" all
+	@make -f $(TOPDIR)/include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" all
+ 
+ $(patsubst %.c,%,$(wildcard test-*.c)) :
+-	@make -f include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" $@
+	@make -f $(TOPDIR)/include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" $@
+ 
+ .PHONY : $(patsubst %.c,%,$(wildcard test-*.c)) test
+ 
+ clean-test-objs:
+-	@make -f include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" clean
+	@make -f $(TOPDIR)/include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" clean
+ 
+ clean-gnu-efi:
+-	$(MAKE) -C gnu-efi \
+-		ARCH=$(ARCH_GNUEFI) TOPDIR=$(TOPDIR)/gnu-efi \
+-		clean
+	@if [ -d gnu-efi ] ; then \
+		$(MAKE) -C gnu-efi \
+			ARCH=$(ARCH_GNUEFI) TOPDIR=$(TOPDIR)/gnu-efi \
+			-f $(TOPDIR)/gnu-efi/Makefile \
+			clean ; \
+	fi
+
+clean-lib-objs:
+	@if [ -d lib ] ; then \
+		$(MAKE) -C lib TOPDIR=$(TOPDIR) -f $(TOPDIR)/lib/Makefile clean ; \
+	fi
+ 
+ clean-shim-objs:
+-	$(MAKE) -C lib -f $(TOPDIR)/lib/Makefile clean
+ 	@rm -rvf $(TARGET) *.o $(SHIM_OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb $(BOOTCSVNAME)
+ 	@rm -vf *.debug *.so *.efi *.efi.* *.tar.* version.c buildid
+ 	@rm -vf Cryptlib/*.[oa] Cryptlib/*/*.[oa]
+ 	@if [ -d .git ] ; then git clean -f -d -e 'Cryptlib/OpenSSL/*'; fi
+ 
+ clean-openssl-objs:
+-	$(MAKE) -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile clean
+	@if [ -d Cryptlib/Openssl ] ; then \
+		$(MAKE) -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile clean ; \
+	fi
+ 
+ clean-cryptlib-objs:
+-	$(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean
+	@if [ -d Cryptlib ] ; then \
+		$(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean ; \
+	fi
+ 
+-clean: clean-shim-objs clean-test-objs clean-gnu-efi clean-openssl-objs clean-cryptlib-objs
+clean: clean-shim-objs clean-test-objs clean-gnu-efi clean-openssl-objs clean-cryptlib-objs clean-lib-objs
+ 
+ GITTAG = $(VERSION)
+ 
+diff --git a/lib/Makefile b/lib/Makefile
+index 6d83f789a91..de59476270e 100644
+--- a/lib/Makefile
+++ b/lib/Makefile
+@@ -1,6 +1,6 @@
+ TARGET = lib.a
+ 
+-LIBFILES_UNSORTED := $(foreach x,$(wildcard *.c),$(patsubst %.c,%.o,$(x)))
+LIBFILES_UNSORTED := $(patsubst %.c,%.o,$(subst $(TOPDIR)/lib/,,$(wildcard $(TOPDIR)/lib/*.c)))
+ LIBFILES := $(sort $(LIBFILES_UNSORTED))
+ 
+ CRYPTDIR	= $(TOPDIR)/Cryptlib
+-- 
+2.30.2
+
--- a/0003-Make-building-outside-of-this-directory-work.patch
+++ b/0003-Make-building-outside-of-this-directory-work.patch
@ -0,0 +1,26 @@
+From 65ecce23f005c4d611f48996112d4592164594cf Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Wed, 24 Mar 2021 17:50:17 -0400
+Subject: [PATCH] Make building outside of this directory work.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ gnu-efi/Make.defaults | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gnu-efi/Make.defaults b/gnu-efi/Make.defaults
+index 362bd1f8238..fd1d123d851 100755
+--- a/gnu-efi/Make.defaults
+++ b/gnu-efi/Make.defaults
+@@ -92,7 +92,7 @@ endif
+ #
+ # Where to build the package
+ #
+-OBJDIR       := $(TOPDIR)/$(ARCH)
+OBJDIR       := $(abspath .)/$(ARCH)
+ 
+ #
+ # Variables below derived from variables above
+-- 
+2.30.2
+
--- a/README.md
+++ b/README.md
@ -0,0 +1,3 @@
+# shim-unsigned-x64
+
+The shim-unsigned-x64 package
--- a/fedora-ca-20200709.cer
+++ b/fedora-ca-20200709.cer
--- a/rhtest.cer
+++ b/rhtest.cer
--- a/sbat.redhat.csv
+++ b/sbat.redhat.csv
@ -0,0 +1 @@
+shim.redhat,1,The Fedora Project,shim,15.3,https://src.fedoraproject.org/rpms/shim-unsigned-x64
--- a/shim-find-debuginfo.sh
+++ b/shim-find-debuginfo.sh
@ -20,9 +20,9 @@ fi
 findsource()
 {
    (
-        cd ${RPM_BUILD_ROOT}
-        find usr/src/debug/ -type d | sed "s,^,%dir /,"
-        find usr/src/debug/ -type f | sed "s,^,/,"
+        cd "${RPM_BUILD_ROOT}"
+        find usr/src/debug/ -type d | sed -e "s,^,%dir /," | sort -u | tac
+        find usr/src/debug/ -type f | sed -e "s,^,/," | sort -u | tac
    )
 }

@ -32,9 +32,12 @@ finddebug()
    declare -a dirs=()
    declare -a files=()
    declare -a excludes=()
+    declare -a tmp=()

-    pushd ${RPM_BUILD_ROOT} >/dev/null 2>&1
-    for x in $(find usr/lib/debug/ -type f -iname *.efi.debug); do
+    pushd "${RPM_BUILD_ROOT}" >/dev/null 2>&1
+
+    mapfile -t tmp < <(find usr/lib/debug/ -type f -iname "*.efi.debug")
+    for x in "${tmp[@]}" ; do
        if ! [ -e "${x}" ]; then
            break
        fi
@ -57,8 +60,10 @@ finddebug()
            excludes[${#excludes[@]}]=${x%%.debug}
        fi
    done
-    for x in ${files[@]} ; do
-        declare name=$(dirname /${x})
+    for x in "${files[@]}" ; do
+        declare name
+
+        name=$(dirname "/${x}")
        while [ "${name}" != "/" ]; do
            case "${name}" in
            "/usr/lib/debug"|"/usr/lib"|"/usr")
@ -67,24 +72,24 @@ finddebug()
                dirs[${#dirs[@]}]=${name}
                ;;
            esac
-            name=$(dirname ${name})
+            name=$(dirname "${name}")
        done
    done

    popd >/dev/null 2>&1
-    for x in ${dirs[@]} ; do
+    for x in "${dirs[@]}" ; do
        echo "%dir ${x}"
    done | sort | uniq
-    for x in ${files[@]} ; do
+    for x in "${files[@]}" ; do
        echo "/${x}"
    done | sort | uniq
-    for x in ${excludes[@]} ; do
+    for x in "${excludes[@]}" ; do
        echo "%exclude /${x}"
    done
 }

-findsource > build-${mainarch}/debugsource.list
-finddebug ${mainarch} > build-${mainarch}/debugfiles.list
+findsource > "build-${mainarch}/debugsource.list"
+finddebug "${mainarch}" > "build-${mainarch}/debugfiles.list"
 if [ -v altarch ]; then
-    finddebug ${altarch} > build-${altarch}/debugfiles.list
+    finddebug "${altarch}" > "build-${altarch}/debugfiles.list"
 fi
--- a/shim-unsigned-aarch64.spec
+++ b/shim-unsigned-aarch64.spec
@ -1,46 +1,49 @@
 %global pesign_vre 0.106-1
-%global gnuefi_vre 1:3.0.8-1
 %global openssl_vre 1.0.2j

-%global debug_package %{nil}
-%global __debug_package 1
-%global _binaries_in_noarch_packages_terminate_build 0
-%global __debug_install_post %{SOURCE100} aa64
-%undefine _debuginfo_subpackages
-
 %global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
 %global shimrootdir %{_datadir}/shim/
 %global shimversiondir %{shimrootdir}/%{version}-%{release}
 %global efiarch aa64
 %global shimdir %{shimversiondir}/%{efiarch}
+%global efialtarch arm
+%global shimaltdir %{shimversiondir}/%{efialtarch}
+
+%global debug_package %{nil}
+%global __debug_package 1
+%global __debug_install_post %{SOURCE100} %{efiarch} %{efialtarch}
+%global _binaries_in_noarch_packages_terminate_build 0
+%undefine _debuginfo_subpackages
+
+# currently here's what's in our dbx: nothing
+%global dbxfile %{nil}

 Name:		shim-unsigned-aarch64
-Version:	15
+Version:	15.3
 Release:	1%{?dist}
 Summary:	First-stage UEFI bootloader
 ExclusiveArch:	aarch64
 License:	BSD
 URL:		https://github.com/rhboot/shim
 Source0:	https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
-Source1:	fedora-ca.cer
-# currently here's what's in our dbx:
-# grub2-efi-2.00-11.fc18.x86_64:
-# grubx64.efi 6ac839881e73504047c06a1aac0c4763408ecb3642783c8acf77a2d393ea5cd7
-# gcdx64.efi 065cd63bab696ad2f4732af9634d66f2c0d48f8a3134b8808750d378550be151
-# grub2-efi-2.00-11.fc19.x86_64:
-# grubx64.efi 49ece9a10a9403b32c8e0c892fd9afe24a974323c96f2cc3dd63608754bf9b45
-# gcdx64.efi 99fcaa957786c155a92b40be9c981c4e4685b8c62b408cb0f6cb2df9c30b9978
-# woops.
-Source2:	dbx.esl
+Source1:	fedora-ca-20200709.cer
+%if 0%{?dbxfile}
+Source2:	%{dbxfile}
+%endif
+Source3:	sbat.redhat.csv

 Source100:	shim-find-debuginfo.sh

+Patch0001:	0001-CI-don-t-use-make-s-it-s-more-trouble-than-help.patch
+Patch0002:	0002-Make-building-outside-of-the-top-directory-work.patch
+Patch0003:	0003-Make-building-outside-of-this-directory-work.patch
+
 BuildRequires:	gcc make
 BuildRequires:	elfutils-libelf-devel
 BuildRequires:	git openssl-devel openssl
 BuildRequires:	pesign >= %{pesign_vre}
-BuildRequires:	gnu-efi >= %{gnuefi_vre}
-BuildRequires:	gnu-efi-devel >= %{gnuefi_vre}
+BuildRequires:	dos2unix findutils
+BuildRequires:	binutils-arm-linux-gnu gcc-arm-linux-gnu

 # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
 # compatible with SysV (there's no red zone under UEFI) and there isn't a
@ -59,15 +62,29 @@ use this package or when debugging this package.
 %description
 %desc

+%package -n shim-unsigned-%{efialtarch}
+Summary:	First-stage UEFI bootloader (unsigned data)
+Provides:	bundled(openssl) = %{openssl_vre}
+
+%description -n shim-unsigned-%{efialtarch}
+%desc
+
 %package debuginfo
-Summary:	Debug information for shim-unsigned-aarch64
-Requires:	%{name}-debugsource = %{version}-%{release}
+Summary:	Debug information for shim-unsigned-%{efiarch}
 AutoReqProv:	0
 BuildArch:	noarch

 %description debuginfo
 %debug_desc

+%package -n shim-unsigned-%{efialtarch}-debuginfo
+Summary:	Debug information for shim-unsigned-%{efialtarch}
+AutoReqProv:	0
+BuildArch:	noarch
+
+%description -n shim-unsigned-%{efialtarch}-debuginfo
+%debug_desc
+
 %package debugsource
 Summary:	Debug Source for shim-unsigned
 AutoReqProv:	0
@ -81,41 +98,66 @@ BuildArch:	noarch
 git config --unset user.email
 git config --unset user.name
 mkdir build-%{efiarch}
+mkdir build-%{efialtarch}
+cp %{SOURCE3} data/

 %build
 COMMITID=$(cat commit)
 MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
-MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
+MAKEFLAGS+="ENABLE_SHIM_HASH=true "
 MAKEFLAGS+="%{_smp_mflags}"
 if [ -f "%{SOURCE1}" ]; then
 	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
 fi
+%if 0%{?dbxfile}
 if [ -f "%{SOURCE2}" ]; then
 	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
 fi
+%endif

 cd build-%{efiarch}
-make ${MAKEFLAGS} DEFAULT_LOADER='\\\\grub%{efiarch}.efi' all
+make ${MAKEFLAGS} \
+	DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \
+	all
+cd ..
+
+cd build-%{efialtarch}
+make ${MAKEFLAGS} \
+	ARCH=%{efialtarch} CROSS_COMPILE=arm-linux-gnu- \
+	DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
+	all
 cd ..

 %install
 COMMITID=$(cat commit)
 MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
-MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
+MAKEFLAGS+="ENABLE_SHIM_HASH=true "
 if [ -f "%{SOURCE1}" ]; then
 	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
 fi
+%if 0%{?dbxfile}
 if [ -f "%{SOURCE2}" ]; then
 	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
 fi
+%endif

 cd build-%{efiarch}
 make ${MAKEFLAGS} \
 	DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \
 	DESTDIR=${RPM_BUILD_ROOT} \
 	install-as-data install-debuginfo install-debugsource
+install -m 0644 BOOT*.CSV "${RPM_BUILD_ROOT}/%{shimdir}/"
+cd ..
+
+cd build-%{efialtarch}
+make ${MAKEFLAGS} \
+	ARCH=%{efialtarch} CROSS_COMPILE=arm-linux-gnu- \
+	DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
+	DESTDIR=${RPM_BUILD_ROOT} \
+	install-as-data install-debuginfo install-debugsource
+install -m 0644 BOOT*.CSV "${RPM_BUILD_ROOT}/%{shimaltdir}/"
 cd ..

 %files
@ -125,12 +167,42 @@ cd ..
 %dir %{shimdir}
 %{shimdir}/*.efi
 %{shimdir}/*.hash
+%{shimdir}/*.CSV
+
+%files -n shim-unsigned-%{efialtarch}
+%license COPYRIGHT
+%dir %{shimrootdir}
+%dir %{shimversiondir}
+%dir %{shimaltdir}
+%{shimaltdir}/*.efi
+%{shimaltdir}/*.hash
+%{shimaltdir}/*.CSV

 %files debuginfo -f build-%{efiarch}/debugfiles.list

+%files -n shim-unsigned-%{efialtarch}-debuginfo -f build-%{efialtarch}/debugfiles.list
+
 %files debugsource -f build-%{efiarch}/debugsource.list

 %changelog
+* Wed Mar 24 2021 Peter Jones <pjones@redhat.com> - 15.3-1
+- Update to shim 15.3
+  - Support for revocations via the ".sbat" section and SBAT EFI variable
+  - A new unit test framework and a bunch of unit tests
+  - No external gnu-efi dependency
+  - Better CI
+  Resolves: CVE-2020-14372
+  Resolves: CVE-2020-25632
+  Resolves: CVE-2020-25647
+  Resolves: CVE-2020-27749
+  Resolves: CVE-2020-27779
+  Resolves: CVE-2021-20225
+  Resolves: CVE-2021-20233
+
+* Tue Jan 21 2020 Peter Jones <pjones@redhat.com> - 15-2
+- Fix a minor rebuild issue; note that this means it won't match the
+  result that's in shim-15-8.
+
 * Thu Apr 05 2018 Peter Jones <pjones@redhat.com> - 15-1
 - Update to shim 15
 - better checking for bad linker output
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (shim-15.tar.bz2) = f7dfac774d644111431ca56da76b5575b891b0abad970b318edaede11a0d83c869728bc39cb6af3689bdb203c6826545caf8ddd3d14228831027e334963cf957
+SHA512 (shim-15.3.tar.bz2) = 48de811917b5b60311788467786a7259b5efe8e61ff9af01d37d3138c98309310562c91c6e83ed11924c20774bfee5184b44b901c51e15be4167b97281655e65
				`@ -0,0 +1 @@`
				`shim.redhat,1,The Fedora Project,shim,15.3,https://src.fedoraproject.org/rpms/shim-unsigned-x64`