Update to shim 15.3

- Support for revocations via the ".sbat" section and SBAT EFI variable - A new unit test framework and a bunch of unit tests - No external gnu-efi dependency - Better CI So far, one known issue: building in subdirs is more or less completely broken. Patched here and pushed upstream. Resolves: CVE-2020-14372 Resolves: CVE-2020-25632 Resolves: CVE-2020-25647 Resolves: CVE-2020-27749 Resolves: CVE-2020-27779 Resolves: CVE-2021-20225 Resolves: CVE-2021-20233 Signed-off-by: Peter Jones <pjones@redhat.com>
2021-03-25 16:30:21 -04:00
15 changed files with 380 additions and 118 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,8 @@
+*~
 *.tar.*
-clog
 *.rpm
+.build*.log
+.*.sw?
+clog
+rhtest.cer
 shim-*/
--- a/0001-CI-don-t-use-make-s-it-s-more-trouble-than-help.patch
+++ b/0001-CI-don-t-use-make-s-it-s-more-trouble-than-help.patch
@ -0,0 +1,65 @@
+From ab40c869a2765262d9a911fe6284a606fd1fe0d6 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Wed, 24 Mar 2021 16:02:18 -0400
+Subject: [PATCH 1/2] CI: don't use 'make -s'; it's more trouble than help.
+
+This hides more subtle failures way too well; nerf it out.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ .github/workflows/pullrequest.yml | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/.github/workflows/pullrequest.yml b/.github/workflows/pullrequest.yml
+index 41ca282c887..6df69833346 100644
+--- a/.github/workflows/pullrequest.yml
+++ b/.github/workflows/pullrequest.yml
+@@ -110,14 +110,18 @@ jobs:
+         id: update-submodules
+         run: |
+           make update
+      - name: Do 'make clean' on ${{ matrix.distro }} for ${{ matrix.efiarch }}
+        id: clean
+        run: |
+          make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean
+       - name: Do the build on ${{ matrix.distro }} for ${{ matrix.efiarch }}
+         id: build
+         run: |
+-          make -s CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean all || make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean all
+          make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true all
+       - name: Install on ${{ matrix.distro }} for ${{ matrix.efiarch }}
+         id: install
+         run: |
+-          make -s CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install || make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install
+          make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install
+           echo 'results:'
+           find /destdir -type f
+ 
+@@ -190,17 +194,21 @@ jobs:
+         id: update-submodules
+         run: |
+           make update
+      - name: Do 'make clean' on ${{ matrix.distro }} for ${{ matrix.efiarch }}
+        id: clean
+        run: |
+          make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean
+       - name: Run tests on ${{ matrix.distro }} for ${{ matrix.efiarch }}
+         id: test
+         run: |
+-          make -s ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true test || make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true test
+          make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true test
+       - name: Do the build on ${{ matrix.distro }} for ${{ matrix.efiarch }}
+         id: build
+         run: |
+-          make -s ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean all || make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean all
+          make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true all
+       - name: Install on ${{ matrix.distro }} for ${{ matrix.efiarch }}
+         id: install
+         run: |
+-          make -s ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install || make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install
+          make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install
+           echo 'results:'
+           find /destdir -type f
+-- 
+2.30.2
+
--- a/0002-Make-building-outside-of-the-top-directory-work.patch
+++ b/0002-Make-building-outside-of-the-top-directory-work.patch
@ -0,0 +1,177 @@
+From fbd1a9b47c04ca0b917482dbb84625d4732054b3 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Wed, 24 Mar 2021 17:51:48 -0400
+Subject: [PATCH 2/2] Make building outside of the top directory work.
+
+This also makes the cross-build targets (and not the others) /use/ this
+functionality, so we'll catch it if we break it again.
+
+This fixes issue #340.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ .github/workflows/pullrequest.yml | 16 ++++++++----
+ Make.defaults                     |  1 +
+ Makefile                          | 43 ++++++++++++++++++++-----------
+ lib/Makefile                      |  2 +-
+ 5 files changed, 42 insertions(+), 22 deletions(-)
+
+diff --git a/.github/workflows/pullrequest.yml b/.github/workflows/pullrequest.yml
+index 6df69833346..5329496c6a8 100644
+--- a/.github/workflows/pullrequest.yml
+++ b/.github/workflows/pullrequest.yml
+@@ -110,18 +110,24 @@ jobs:
+         id: update-submodules
+         run: |
+           make update
+-      - name: Do 'make clean' on ${{ matrix.distro }} for ${{ matrix.efiarch }}
+-        id: clean
+      - name: Make a build directory for ${{ matrix.distro }} for ${{ matrix.efiarch }}
+        id: builddir
+         run: |
+-          make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean
+          rm -rf build-${{ matrix.distro }}-${{ matrix.efiarch }}
+          mkdir build-${{ matrix.distro }}-${{ matrix.efiarch }}
+          cd build-${{ matrix.distro }}-${{ matrix.efiarch }}
+       - name: Do the build on ${{ matrix.distro }} for ${{ matrix.efiarch }}
+         id: build
+         run: |
+-          make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true all
+          pwd
+          cd build-${{ matrix.distro }}-${{ matrix.efiarch }}
+          make TOPDIR=.. -f ../Makefile CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true all
+       - name: Install on ${{ matrix.distro }} for ${{ matrix.efiarch }}
+         id: install
+         run: |
+-          make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install
+          pwd
+          cd build-${{ matrix.distro }}-${{ matrix.efiarch }}
+          make TOPDIR=.. -f ../Makefile CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install
+           echo 'results:'
+           find /destdir -type f
+ 
+diff --git a/Make.defaults b/Make.defaults
+index b7721547dee..a775083ee0b 100644
+--- a/Make.defaults
+++ b/Make.defaults
+@@ -1,6 +1,7 @@
+ 
+ # load the local configuration if it exists
+ -include Make.local
+-include $(TOPDIR)/Make.local
+ 
+ COMPILER	?= gcc
+ CC		= $(CROSS_COMPILE)$(COMPILER)
+diff --git a/Makefile b/Makefile
+index e349c6f9d49..b2f33b17289 100644
+--- a/Makefile
+++ b/Makefile
+@@ -45,7 +45,7 @@ MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o sbat_data.o
+ ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
+ FALLBACK_OBJS = fallback.o tpm.o errlog.o sbat_data.o
+ ORIG_FALLBACK_SRCS = fallback.c
+-SBATPATH = data/sbat.csv
+SBATPATH = $(TOPDIR)/data/sbat.csv
+ 
+ ifeq ($(SOURCE_DATE_EPOCH),)
+ 	UNAME=$(shell uname -s -m -p -i -o)
+@@ -146,21 +146,23 @@ $(MMSONAME): $(MOK_OBJS) $(LIBS)
+ 
+ gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a: CFLAGS+=-DGNU_EFI_USE_EXTERNAL_STDARG
+ gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a:
+	mkdir -p gnu-efi/lib gnu-efi/gnuefi
+ 	$(MAKE) -C gnu-efi \
+ 		ARCH=$(ARCH_GNUEFI) TOPDIR=$(TOPDIR)/gnu-efi \
+		-f $(TOPDIR)/gnu-efi/Makefile \
+ 		lib gnuefi inc
+ 
+ Cryptlib/libcryptlib.a:
+ 	for i in Hash Hmac Cipher Rand Pk Pem SysCall; do mkdir -p Cryptlib/$$i; done
+-	$(MAKE) VPATH=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile
+	$(MAKE) TOPDIR=$(TOPDIR) VPATH=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile
+ 
+ Cryptlib/OpenSSL/libopenssl.a:
+ 	for i in x509v3 x509 txt_db stack sha rsa rc4 rand pkcs7 pkcs12 pem ocsp objects modes md5 lhash kdf hmac evp err dso dh conf comp cmac buffer bn bio async/arch asn1 aes; do mkdir -p Cryptlib/OpenSSL/crypto/$$i; done
+-	$(MAKE) VPATH=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile
+	$(MAKE) TOPDIR=$(TOPDIR) VPATH=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile
+ 
+ lib/lib.a: | $(TOPDIR)/lib/Makefile $(wildcard $(TOPDIR)/include/*.[ch])
+-	if [ ! -d lib ]; then mkdir lib ; fi
+-	$(MAKE) VPATH=$(TOPDIR)/lib -C lib -f $(TOPDIR)/lib/Makefile lib.a
+	mkdir -p lib
+	$(MAKE) VPATH=$(TOPDIR)/lib TOPDIR=$(TOPDIR) -C lib -f $(TOPDIR)/lib/Makefile
+ 
+ buildid : $(TOPDIR)/buildid.c
+ 	$(HOSTCC) -I/usr/include -Og -g3 -Wall -Werror -Wextra -o $@ $< -lelf
+@@ -275,35 +277,46 @@ else
+ endif
+ 
+ test :
+-	@make -f include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" all
+	@make -f $(TOPDIR)/include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" all
+ 
+ $(patsubst %.c,%,$(wildcard test-*.c)) :
+-	@make -f include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" $@
+	@make -f $(TOPDIR)/include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" $@
+ 
+ .PHONY : $(patsubst %.c,%,$(wildcard test-*.c)) test
+ 
+ clean-test-objs:
+-	@make -f include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" clean
+	@make -f $(TOPDIR)/include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" clean
+ 
+ clean-gnu-efi:
+-	$(MAKE) -C gnu-efi \
+-		ARCH=$(ARCH_GNUEFI) TOPDIR=$(TOPDIR)/gnu-efi \
+-		clean
+	@if [ -d gnu-efi ] ; then \
+		$(MAKE) -C gnu-efi \
+			ARCH=$(ARCH_GNUEFI) TOPDIR=$(TOPDIR)/gnu-efi \
+			-f $(TOPDIR)/gnu-efi/Makefile \
+			clean ; \
+	fi
+
+clean-lib-objs:
+	@if [ -d lib ] ; then \
+		$(MAKE) -C lib TOPDIR=$(TOPDIR) -f $(TOPDIR)/lib/Makefile clean ; \
+	fi
+ 
+ clean-shim-objs:
+-	$(MAKE) -C lib -f $(TOPDIR)/lib/Makefile clean
+ 	@rm -rvf $(TARGET) *.o $(SHIM_OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb $(BOOTCSVNAME)
+ 	@rm -vf *.debug *.so *.efi *.efi.* *.tar.* version.c buildid
+ 	@rm -vf Cryptlib/*.[oa] Cryptlib/*/*.[oa]
+ 	@if [ -d .git ] ; then git clean -f -d -e 'Cryptlib/OpenSSL/*'; fi
+ 
+ clean-openssl-objs:
+-	$(MAKE) -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile clean
+	@if [ -d Cryptlib/Openssl ] ; then \
+		$(MAKE) -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile clean ; \
+	fi
+ 
+ clean-cryptlib-objs:
+-	$(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean
+	@if [ -d Cryptlib ] ; then \
+		$(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean ; \
+	fi
+ 
+-clean: clean-shim-objs clean-test-objs clean-gnu-efi clean-openssl-objs clean-cryptlib-objs
+clean: clean-shim-objs clean-test-objs clean-gnu-efi clean-openssl-objs clean-cryptlib-objs clean-lib-objs
+ 
+ GITTAG = $(VERSION)
+ 
+diff --git a/lib/Makefile b/lib/Makefile
+index 6d83f789a91..de59476270e 100644
+--- a/lib/Makefile
+++ b/lib/Makefile
+@@ -1,6 +1,6 @@
+ TARGET = lib.a
+ 
+-LIBFILES_UNSORTED := $(foreach x,$(wildcard *.c),$(patsubst %.c,%.o,$(x)))
+LIBFILES_UNSORTED := $(patsubst %.c,%.o,$(subst $(TOPDIR)/lib/,,$(wildcard $(TOPDIR)/lib/*.c)))
+ LIBFILES := $(sort $(LIBFILES_UNSORTED))
+ 
+ CRYPTDIR	= $(TOPDIR)/Cryptlib
+-- 
+2.30.2
+
--- a/0003-Make-building-outside-of-this-directory-work.patch
+++ b/0003-Make-building-outside-of-this-directory-work.patch
@ -0,0 +1,26 @@
+From 65ecce23f005c4d611f48996112d4592164594cf Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Wed, 24 Mar 2021 17:50:17 -0400
+Subject: [PATCH] Make building outside of this directory work.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ gnu-efi/Make.defaults | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gnu-efi/Make.defaults b/gnu-efi/Make.defaults
+index 362bd1f8238..fd1d123d851 100755
+--- a/gnu-efi/Make.defaults
+++ b/gnu-efi/Make.defaults
+@@ -92,7 +92,7 @@ endif
+ #
+ # Where to build the package
+ #
+-OBJDIR       := $(TOPDIR)/$(ARCH)
+OBJDIR       := $(abspath .)/$(ARCH)
+ 
+ #
+ # Variables below derived from variables above
+-- 
+2.30.2
+
--- a/README.md
+++ b/README.md
@ -0,0 +1,3 @@
+# shim-unsigned-x64
+
+The shim-unsigned-x64 package
--- a/dbx.esl
+++ b/dbx.esl
--- a/fedora-ca-20200709.cer
+++ b/fedora-ca-20200709.cer
--- a/rhtest.cer
+++ b/rhtest.cer
--- a/rpminspect.yaml
+++ b/rpminspect.yaml
@ -1,41 +0,0 @@
-# rpminspect configuration
-
---
-common:
-    workdir: /var/tmp/rpminspect
-    profiledir: /usr/share/rpminspect/profiles/fedora
-koji:
-    hub: https://koji.fedoraproject.org/kojihub
-    download_ursine: https://kojipkgs.fedoraproject.org
-    download_mbs: https://kojipkgs.fedoraproject.org
-commands:
-    msgunfmt: msgunfmt
-    desktop-file-validate: desktop-file-validate
-    abidiff: abidiff
-    kmidiff: kmidiff
-    annocheck: annocheck
-    udevadm: udevadm
-vendor:
-    vendor_data_dir: /usr/share/rpminspect
-    licensedb:
-        - /usr/share/fedora-license-data/licenses/fedora-licenses.json
-    favor_release: newest
-inspections:
-    abidiff: off
-    disttag: off
-    manpage: off
-    javabytecode: off
-metadata:
-    # Required Vendor string.  This is part of the RPM header and is
-    # the value expected in packages checked by rpminspect.
-    vendor: Fedora Project
-
-    # Allowed build host subdomain.  The RPM header contains information about
-    # where the package was built.  rpminspect verifies the hostnames are in
-    # the expected subdomain listed below.
-    #
-    # This is an array of allowed subdomains.
-    buildhost_subdomain:
-        - .fedoraproject.org
-        - .bos.redhat.com
-
--- a/sbat.redhat.csv
+++ b/sbat.redhat.csv
@ -0,0 +1 @@
+shim.redhat,1,The Fedora Project,shim,15.3,https://src.fedoraproject.org/rpms/shim-unsigned-x64
--- a/sbat.redhat.csv.in
+++ b/sbat.redhat.csv.in
@ -1,3 +0,0 @@
-shim.rh,3,The Fedora Project,shim,@@VERSION@@,https://src.fedoraproject.org/rpms/shim-unsigned-aarch64
-shim.redhat,3,The Fedora Project,shim,@@VERSION@@,https://src.fedoraproject.org/rpms/shim-unsigned-aarch64
-shim.fedora,3,The Fedora Project,shim,@@VERSION@@-@@RELEASE@@,https://src.fedoraproject.org/rpms/shim-unsigned-aarch64
--- a/shim-find-debuginfo.sh
+++ b/shim-find-debuginfo.sh
@ -20,9 +20,9 @@ fi
 findsource()
 {
    (
-        cd ${RPM_BUILD_ROOT}
-        find usr/src/debug/ -type d | sed "s,^,%dir /,"
-        find usr/src/debug/ -type f | sed "s,^,/,"
+        cd "${RPM_BUILD_ROOT}"
+        find usr/src/debug/ -type d | sed -e "s,^,%dir /," | sort -u | tac
+        find usr/src/debug/ -type f | sed -e "s,^,/," | sort -u | tac
    )
 }

@ -32,9 +32,12 @@ finddebug()
    declare -a dirs=()
    declare -a files=()
    declare -a excludes=()
+    declare -a tmp=()

-    pushd ${RPM_BUILD_ROOT} >/dev/null 2>&1
-    for x in $(find usr/lib/debug/ -type f -iname *.efi.debug); do
+    pushd "${RPM_BUILD_ROOT}" >/dev/null 2>&1
+
+    mapfile -t tmp < <(find usr/lib/debug/ -type f -iname "*.efi.debug")
+    for x in "${tmp[@]}" ; do
        if ! [ -e "${x}" ]; then
            break
        fi
@ -57,8 +60,10 @@ finddebug()
            excludes[${#excludes[@]}]=${x%%.debug}
        fi
    done
-    for x in ${files[@]} ; do
-        declare name=$(dirname /${x})
+    for x in "${files[@]}" ; do
+        declare name
+
+        name=$(dirname "/${x}")
        while [ "${name}" != "/" ]; do
            case "${name}" in
            "/usr/lib/debug"|"/usr/lib"|"/usr")
@ -67,24 +72,24 @@ finddebug()
                dirs[${#dirs[@]}]=${name}
                ;;
            esac
-            name=$(dirname ${name})
+            name=$(dirname "${name}")
        done
    done

    popd >/dev/null 2>&1
-    for x in ${dirs[@]} ; do
+    for x in "${dirs[@]}" ; do
        echo "%dir ${x}"
    done | sort | uniq
-    for x in ${files[@]} ; do
+    for x in "${files[@]}" ; do
        echo "/${x}"
    done | sort | uniq
-    for x in ${excludes[@]} ; do
+    for x in "${excludes[@]}" ; do
        echo "%exclude /${x}"
    done
 }

-findsource > build-${mainarch}/debugsource.list
-finddebug ${mainarch} > build-${mainarch}/debugfiles.list
+findsource > "build-${mainarch}/debugsource.list"
+finddebug "${mainarch}" > "build-${mainarch}/debugfiles.list"
 if [ -v altarch ]; then
-    finddebug ${altarch} > build-${altarch}/debugfiles.list
+    finddebug "${altarch}" > "build-${altarch}/debugfiles.list"
 fi
--- a/shim-unsigned-aarch64.spec
+++ b/shim-unsigned-aarch64.spec
@ -1,55 +1,49 @@
 %global pesign_vre 0.106-1
 %global openssl_vre 1.0.2j
-%global shim_commit_id afc49558b34548644c1cd0ad1b6526a9470182ed
-
-# For prereleases, % global prerelease rc2, and downpatch Makefile
-%if %{defined prerelease}
-%global dashpre -%{prerelease}
-%global dotpre .%{prerelease}
-%global tildepre ~%{prerelease}
-%global zdpd 0%{dotpre}.
-%endif

 %global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
 %global shimrootdir %{_datadir}/shim/
 %global shimversiondir %{shimrootdir}/%{version}-%{release}
 %global efiarch aa64
 %global shimdir %{shimversiondir}/%{efiarch}
+%global efialtarch arm
+%global shimaltdir %{shimversiondir}/%{efialtarch}

 %global debug_package %{nil}
 %global __debug_package 1
+%global __debug_install_post %{SOURCE100} %{efiarch} %{efialtarch}
 %global _binaries_in_noarch_packages_terminate_build 0
-%global __debug_install_post %{SOURCE100} %{efiarch}
 %undefine _debuginfo_subpackages

 # currently here's what's in our dbx: nothing
 %global dbxfile %{nil}

 Name:		shim-unsigned-aarch64
-Version:	16.1
-Release:	1
+Version:	15.3
+Release:	1%{?dist}
 Summary:	First-stage UEFI bootloader
 ExclusiveArch:	aarch64
-License:	BSD-2-Clause AND OpenSSL
+License:	BSD
 URL:		https://github.com/rhboot/shim
-Source0:	https://github.com/rhboot/shim/releases/download/%{version}%{?dashpre}/shim-%{version}%{?dotpre}.tar.bz2
+Source0:	https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
 Source1:	fedora-ca-20200709.cer
 %if 0%{?dbxfile}
 Source2:	%{dbxfile}
 %endif
-Source3:	sbat.redhat.csv.in
-Source4:	shim.patches
+Source3:	sbat.redhat.csv

 Source100:	shim-find-debuginfo.sh

-%include %{SOURCE4}
+Patch0001:	0001-CI-don-t-use-make-s-it-s-more-trouble-than-help.patch
+Patch0002:	0002-Make-building-outside-of-the-top-directory-work.patch
+Patch0003:	0003-Make-building-outside-of-this-directory-work.patch

 BuildRequires:	gcc make
 BuildRequires:	elfutils-libelf-devel
 BuildRequires:	git openssl-devel openssl
 BuildRequires:	pesign >= %{pesign_vre}
 BuildRequires:	dos2unix findutils
-BuildRequires:	sed
+BuildRequires:	binutils-arm-linux-gnu gcc-arm-linux-gnu

 # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
 # compatible with SysV (there's no red zone under UEFI) and there isn't a
@ -68,14 +62,29 @@ use this package or when debugging this package.
 %description
 %desc

+%package -n shim-unsigned-%{efialtarch}
+Summary:	First-stage UEFI bootloader (unsigned data)
+Provides:	bundled(openssl) = %{openssl_vre}
+
+%description -n shim-unsigned-%{efialtarch}
+%desc
+
 %package debuginfo
-Summary:	Debug information for shim-unsigned-aarch64
+Summary:	Debug information for shim-unsigned-%{efiarch}
 AutoReqProv:	0
 BuildArch:	noarch

 %description debuginfo
 %debug_desc

+%package -n shim-unsigned-%{efialtarch}-debuginfo
+Summary:	Debug information for shim-unsigned-%{efialtarch}
+AutoReqProv:	0
+BuildArch:	noarch
+
+%description -n shim-unsigned-%{efialtarch}-debuginfo
+%debug_desc
+
 %package debugsource
 Summary:	Debug Source for shim-unsigned
 AutoReqProv:	0
@ -85,26 +94,25 @@ BuildArch:	noarch
 %debug_desc

 %prep
-%autosetup -S git_am -n shim-%{version}
+%autosetup -S git -n shim-%{version}
 git config --unset user.email
 git config --unset user.name
 mkdir build-%{efiarch}
-sed -e 's/@@VERSION@@/%{version}/g' \
-    -e 's/@@RELEASE@@/%{release}/g' \
-    < %{SOURCE3} > data/sbat.redhat.csv
+mkdir build-%{efialtarch}
+cp %{SOURCE3} data/

 %build
-COMMIT_ID=%{shim_commit_id}
-MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
+COMMITID=$(cat commit)
+MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
 MAKEFLAGS+="ENABLE_SHIM_HASH=true "
-MAKEFLAGS+=" %{_smp_mflags} "
+MAKEFLAGS+="%{_smp_mflags}"
 if [ -f "%{SOURCE1}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
+	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
 fi
 %if 0%{?dbxfile}
 if [ -f "%{SOURCE2}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} "
+	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
 fi
 %endif

@ -114,17 +122,24 @@ make ${MAKEFLAGS} \
 	all
 cd ..

+cd build-%{efialtarch}
+make ${MAKEFLAGS} \
+	ARCH=%{efialtarch} CROSS_COMPILE=arm-linux-gnu- \
+	DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
+	all
+cd ..
+
 %install
-COMMIT_ID=%{shim_commit_id}
-MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
+COMMITID=$(cat commit)
+MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
 MAKEFLAGS+="ENABLE_SHIM_HASH=true "
 if [ -f "%{SOURCE1}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
+	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
 fi
 %if 0%{?dbxfile}
 if [ -f "%{SOURCE2}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} "
+	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
 fi
 %endif

@ -136,6 +151,15 @@ make ${MAKEFLAGS} \
 install -m 0644 BOOT*.CSV "${RPM_BUILD_ROOT}/%{shimdir}/"
 cd ..

+cd build-%{efialtarch}
+make ${MAKEFLAGS} \
+	ARCH=%{efialtarch} CROSS_COMPILE=arm-linux-gnu- \
+	DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
+	DESTDIR=${RPM_BUILD_ROOT} \
+	install-as-data install-debuginfo install-debugsource
+install -m 0644 BOOT*.CSV "${RPM_BUILD_ROOT}/%{shimaltdir}/"
+cd ..
+
 %files
 %license COPYRIGHT
 %dir %{shimrootdir}
@ -145,38 +169,39 @@ cd ..
 %{shimdir}/*.hash
 %{shimdir}/*.CSV

+%files -n shim-unsigned-%{efialtarch}
+%license COPYRIGHT
+%dir %{shimrootdir}
+%dir %{shimversiondir}
+%dir %{shimaltdir}
+%{shimaltdir}/*.efi
+%{shimaltdir}/*.hash
+%{shimaltdir}/*.CSV
+
 %files debuginfo -f build-%{efiarch}/debugfiles.list

+%files -n shim-unsigned-%{efialtarch}-debuginfo -f build-%{efialtarch}/debugfiles.list
+
 %files debugsource -f build-%{efiarch}/debugsource.list

 %changelog
-* Wed Sep 03 2025 Peter Jones <pjones@redhat.com> - 16.1-1
- Update to shim-16.1
+* Wed Mar 24 2021 Peter Jones <pjones@redhat.com> - 15.3-1
+- Update to shim 15.3
+  - Support for revocations via the ".sbat" section and SBAT EFI variable
+  - A new unit test framework and a bunch of unit tests
+  - No external gnu-efi dependency
+  - Better CI
+  Resolves: CVE-2020-14372
+  Resolves: CVE-2020-25632
+  Resolves: CVE-2020-25647
+  Resolves: CVE-2020-27749
+  Resolves: CVE-2020-27779
+  Resolves: CVE-2021-20225
+  Resolves: CVE-2021-20233

-* Fri Mar 22 2024 Nicolas Frayer <nfrayer@redhat.com>
- Migrate to SPDX license
- Please refer to https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_2
-
-* Thu Mar 07 2024 Peter Jones <pjones@redhat.com> - 15.8-2
- Update to shim-15.8
-  Resolves: CVE-2023-40546
-  Resolves: CVE-2023-40547
-  Resolves: CVE-2023-40548
-  Resolves: CVE-2023-40549
-  Resolves: CVE-2023-40550
-  Resolves: CVE-2023-40551
-  Resolves: rhbz#2113005
-  Resolves: rhbz#2189197
-  Resolves: rhbz#2238884
-  Resolves: rhbz#2259264
-
-* Thu Jul 07 2022 Robbie Harwood <rharwood@redhat.com> - 15.6-2
- Add pjones's aarch64 relocation fix
- Resolves: #2101248
-
-* Wed Jun 15 2022 Peter Jones <pjones@redhat.com> - 15.6-1
- Update to shim-15.6
-  Resolves: CVE-2022-28737
+* Tue Jan 21 2020 Peter Jones <pjones@redhat.com> - 15-2
+- Fix a minor rebuild issue; note that this means it won't match the
+  result that's in shim-15-8.

 * Thu Apr 05 2018 Peter Jones <pjones@redhat.com> - 15-1
 - Update to shim 15
--- a/shim.patches
+++ b/shim.patches
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (shim-16.1.tar.bz2) = ca5f80e82f3b80b622028f03ef23105c98ee1b6a25f52a59c823080a3202dd4b9962266489296e99f955eb92e36ce13e0b1d57f688350006bba45f2718f159fb
+SHA512 (shim-15.3.tar.bz2) = 48de811917b5b60311788467786a7259b5efe8e61ff9af01d37d3138c98309310562c91c6e83ed11924c20774bfee5184b44b901c51e15be4167b97281655e65
				`@ -0,0 +1 @@`
				`shim.redhat,1,The Fedora Project,shim,15.3,https://src.fedoraproject.org/rpms/shim-unsigned-x64`