import shim-unsigned-x64-15.6-1.el8

.gitignore

-SOURCES/shim-15.4.tar.bz2
+SOURCES/shim-15.6.tar.bz2

.shim-unsigned-x64.metadata

-d70485792a300bfa66f551adf7ae766451dfe7c0 SOURCES/shim-15.4.tar.bz2
+3df0ab5cefc74fdf865cb36aea0e923cb4b6b3ed SOURCES/shim-15.6.tar.bz2

SOURCES/sbat.rocky.csv

-shim.rocky,1,Rocky Linux,shim,15.4-4,security@rockylinux.org
+shim.rocky,2,Rocky Linux,shim,15.6,security@rockylinux.org

SOURCES/shim-find-debuginfo.sh

@@ -20,9 +20,9 @@ fi
 findsource()
 {
     (
-        cd "${RPM_BUILD_ROOT}"
-        find usr/src/debug/ -type d | sed -e "s,^,%dir /," | sort -u | tac
-        find usr/src/debug/ -type f | sed -e "s,^,/," | sort -u | tac
+        cd ${RPM_BUILD_ROOT}
+        find usr/src/debug/ -type d | sed "s,^,%dir /,"
+        find usr/src/debug/ -type f | sed "s,^,/,"
     )
 }
 
@@ -32,12 +32,9 @@ finddebug()
     declare -a dirs=()
     declare -a files=()
     declare -a excludes=()
-    declare -a tmp=()
 
-    pushd "${RPM_BUILD_ROOT}" >/dev/null 2>&1
-
-    mapfile -t tmp < <(find usr/lib/debug/ -type f -iname "*.efi.debug")
-    for x in "${tmp[@]}" ; do
+    pushd ${RPM_BUILD_ROOT} >/dev/null 2>&1
+    for x in $(find usr/lib/debug/ -type f -iname *.efi.debug); do
         if ! [ -e "${x}" ]; then
             break
         fi
@@ -60,10 +57,8 @@ finddebug()
             excludes[${#excludes[@]}]=${x%%.debug}
         fi
     done
-    for x in "${files[@]}" ; do
-        declare name
-
-        name=$(dirname "/${x}")
+    for x in ${files[@]} ; do
+        declare name=$(dirname /${x})
         while [ "${name}" != "/" ]; do
             case "${name}" in
             "/usr/lib/debug"|"/usr/lib"|"/usr")
@@ -72,24 +67,24 @@ finddebug()
                 dirs[${#dirs[@]}]=${name}
                 ;;
             esac
-            name=$(dirname "${name}")
+            name=$(dirname ${name})
         done
     done
 
     popd >/dev/null 2>&1
-    for x in "${dirs[@]}" ; do
+    for x in ${dirs[@]} ; do
         echo "%dir ${x}"
     done | sort | uniq
-    for x in "${files[@]}" ; do
+    for x in ${files[@]} ; do
         echo "/${x}"
     done | sort | uniq
-    for x in "${excludes[@]}" ; do
+    for x in ${excludes[@]} ; do
         echo "%exclude /${x}"
     done
 }
 
-findsource > "build-${mainarch}/debugsource.list"
-finddebug "${mainarch}" > "build-${mainarch}/debugfiles.list"
+findsource > build-${mainarch}/debugsource.list
+finddebug ${mainarch} > build-${mainarch}/debugfiles.list
 if [ -v altarch ]; then
-    finddebug "${altarch}" > "build-${altarch}/debugfiles.list"
+    finddebug ${altarch} > build-${altarch}/debugfiles.list
 fi

SPECS/shim-unsigned-x64.spec

 %global pesign_vre 0.106-1
+%global gnuefi_vre 1:3.0.5-6
 %global openssl_vre 1.0.2j
 
+%global debug_package %{nil}
+%global __debug_package 1
+%global _binaries_in_noarch_packages_terminate_build 0
+%global __debug_install_post %{SOURCE100} x64 ia32
+%undefine _debuginfo_subpackages
+
 %global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/rocky/'))
 %global shimrootdir %{_datadir}/shim/
 %global shimversiondir %{shimrootdir}/%{version}-%{release}
@@ -9,62 +16,25 @@
 %global efialtarch ia32
 %global shimaltdir %{shimversiondir}/%{efialtarch}
 
-%global debug_package %{nil}
-%global __debug_package 1
-%global _binaries_in_noarch_packages_terminate_build 0
-%global __debug_install_post %{SOURCE100} %{efiarch} %{efialtarch}
-%undefine _debuginfo_subpackages
-
-# currently here's what's in our dbx: nothing
-%global dbxfile %{nil}
-
 Name:                 shim-unsigned-%{efiarch}
-Version:              15.4
-Release:              4%{?dist}
+Version:              15.6
+Release:              1.el8
 Summary:              First-stage UEFI bootloader
 ExclusiveArch:        x86_64
 License:              BSD
 URL:                  https://github.com/rhboot/shim
 Source0:              https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
-%if 0%{?dbxfile}
-Source2:              %{dbxfile}
-%endif
+# currently here's what's in our dbx:
+# nothing.
+Source2:              dbx.esl
+Source4:              shim.patches
 
 Source100:            shim-find-debuginfo.sh
 Source90000:          sbat.rocky.csv
 Source90001:          rocky-root-ca.der
 
-Patch2:               0001-Fix-handling-of-ignore_db-and-user_insecure_mode.patch
-Patch3:               0002-shim-15.4-branch-update-.gitmodules-to-point-at-shim.patch
-Patch4:               0003-Fix-a-broken-file-header-on-ia32.patch
-Patch5:               0004-mok-allocate-MOK-config-table-as-BootServicesData.patch
-Patch6:               0005-Don-t-call-QueryVariableInfo-on-EFI-1.10-machines.patch
-Patch7:               0006-Post-process-our-PE-to-be-sure.patch
-Patch8:               0007-Relax-the-check-for-import_mok_state.patch
-Patch9:               0008-SBAT.md-trivial-fixes.patch
-Patch10:              0009-SBAT.md-fix-will-should.patch
-Patch11:              0010-shim-another-attempt-to-fix-load-options-handling.patch
-Patch12:              0011-.gitignore-ignore-.gdb-not-just-.gdbinit.patch
-Patch13:              0012-shim-rename-pause-to-wait_for_debug.patch
-Patch14:              0013-test.h-make-some-of-the-asserts-a-little-more-friend.patch
-Patch15:              0014-test.h-add-some-decls-for-some-of-the-stuff-in-efili.patch
-Patch16:              0015-test.c-Conditionally-do-not-declare-stuff-that-s-in-.patch
-Patch17:              0016-Make-test-cases-link-against-libefi.a.patch
-Patch18:              0017-test.c-add-some-simple-mock-functions-for-BS-Allocat.patch
-Patch19:              0018-test.h-add-assert_not_equal_.patch
-Patch20:              0019-test-Add-a-basic-traceback-printer.patch
-Patch21:              0020-shim-move-the-bulk-of-set_second_stage-to-its-own-fi.patch
-Patch22:              0021-Add-a-tester-for-parse_load_options.patch
-Patch23:              0022-shim-don-t-fail-on-the-odd-LoadOptions-length.patch
-Patch24:              0023-arm-aa64-fix-the-size-of-.rela-sections.patch
-Patch25:              0024-mok-fix-potential-buffer-overrun-in-import_mok_state.patch
-Patch26:              0025-mok-relax-the-maximum-variable-size-check.patch
-Patch27:              0026-Don-t-unhook-ExitBootServices-when-EBS-protection-is.patch
-Patch28:              PR393-1.patch
-Patch29:              PR393-2.patch
-Patch30:              PR396.patch
-Patch31:              PR399-1.patch
-Patch32:              PR399-2.patch
+
+%include %{SOURCE4}
 
 BuildRequires:        gcc make
 BuildRequires:        elfutils-libelf-devel
@@ -98,6 +68,7 @@ Provides:             bundled(openssl) = %{openssl_vre}
 
 %package debuginfo
 Summary:              Debug information for shim-unsigned-%{efiarch}
+Requires:             %{name}-debugsource = %{version}-%{release}
 Group:                Development/Debug
 AutoReqProv:          0
 BuildArch:            noarch
@@ -108,6 +79,7 @@ BuildArch:            noarch
 %package -n shim-unsigned-%{efialtarch}-debuginfo
 Summary:              Debug information for shim-unsigned-%{efialtarch}
 Group:                Development/Debug
+Requires:             %{name}-debugsource = %{version}-%{release}
 AutoReqProv:          0
 BuildArch:            noarch
 
@@ -124,7 +96,7 @@ BuildArch:            noarch
 %debug_desc
 
 %prep
-%autosetup -S git -n shim-%{version}
+%autosetup -S git_am -n shim-%{version}
 git config --unset user.email
 git config --unset user.name
 mkdir build-%{efiarch}
@@ -137,14 +109,12 @@ MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
 MAKEFLAGS+="ENABLE_SHIM_HASH=true "
 MAKEFLAGS+="%{_smp_mflags}"
-if [ -f "%{SOURCE90001}" ]; then
+if [ -s "%{SOURCE90001}" ]; then
 	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE90001}"
 fi
-%if 0%{?dbxfile}
-if [ -f "%{SOURCE2}" ]; then
+if [ -s "%{SOURCE2}" ]; then
 	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
 fi
-%endif
 
 cd build-%{efiarch}
 make ${MAKEFLAGS} \
@@ -153,8 +123,7 @@ make ${MAKEFLAGS} \
 cd ..
 
 cd build-%{efialtarch}
-setarch linux32 -B make ${MAKEFLAGS} \
-	ARCH=%{efialtarch} \
+setarch linux32 -B make ${MAKEFLAGS} ARCH=%{efialtarch} \
 	DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
 	all
 cd ..
@@ -163,15 +132,13 @@ cd ..
 COMMITID=$(cat commit)
 MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
-MAKEFLAGS+="ENABLE_SHIM_HASH=true "
-if [ -f "%{SOURCE90001}" ]; then
+MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
+if [ -s "%{SOURCE90001}" ]; then
 	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE90001}"
 fi
-%if 0%{?dbxfile}
-if [ -f "%{SOURCE2}" ]; then
+if [ -s "%{SOURCE2}" ]; then
 	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
 fi
-%endif
 
 cd build-%{efiarch}
 make ${MAKEFLAGS} \
@@ -181,8 +148,7 @@ make ${MAKEFLAGS} \
 cd ..
 
 cd build-%{efialtarch}
-setarch linux32 make ${MAKEFLAGS} \
-	ARCH=%{efialtarch} \
+setarch linux32 make ${MAKEFLAGS} ARCH=%{efialtarch} \
 	DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
 	DESTDIR=${RPM_BUILD_ROOT} \
 	install-as-data install-debuginfo install-debugsource
@@ -193,18 +159,18 @@ cd ..
 %dir %{shimrootdir}
 %dir %{shimversiondir}
 %dir %{shimdir}
+%{shimdir}/*.CSV
 %{shimdir}/*.efi
 %{shimdir}/*.hash
-%{shimdir}/*.CSV
 
 %files -n shim-unsigned-%{efialtarch}
 %license COPYRIGHT
 %dir %{shimrootdir}
 %dir %{shimversiondir}
 %dir %{shimaltdir}
+%{shimaltdir}/*.CSV
 %{shimaltdir}/*.efi
 %{shimaltdir}/*.hash
-%{shimaltdir}/*.CSV
 
 %files debuginfo -f build-%{efiarch}/debugfiles.list
 
@@ -213,87 +179,76 @@ cd ..
 %files debugsource -f build-%{efiarch}/debugsource.list
 
 %changelog
-* Sun Nov 14 2021 Sherif Nagy <sherif@rockylinux.org> - 15.4-4
+* Tue Aug 16 2022 Sherif Nagy <sherif@rockylinux.org> - 15.6-1
+- shim 15.6
+
+* Tue Aug 16 2022 Sherif Nagy <sherif@rockylinux.org> - 15.6-1
 - Remove main branch
 
-* Sun Nov 14 2021 Sherif Nagy <sherif@rockylinux.org> - 15.4-4
+* Tue Aug 16 2022 Sherif Nagy <sherif@rockylinux.org> - 15.6-1
 - Adding more patches based on review board feedback https://github.com/rhboot/shim-review/issues/194#issuecomment-894187000 and cherry-pick patches for shim-reivew git 15.4..4583db41ea58195956d4cdf97c43a195939f906b
 
-* Sun Nov 14 2021 Sherif Nagy <sherif@rockylinux.org> - 15.4-4
+* Tue Aug 16 2022 Sherif Nagy <sherif@rockylinux.org> - 15.6-1
 - cherry-pick patches for shim-reivew git 15.4..4d64389c6c941d21548b06423b8131c872e3c3c7 and bump version to .1.2
 
-* Sun Nov 14 2021 Sherif Nagy <sherif@rockylinux.org> - 15.4-4
+* Tue Aug 16 2022 Sherif Nagy <sherif@rockylinux.org> - 15.6-1
 - cherry-pick patches for shim-reivew git format-patch 15.4..9f973e4e95b1136b8c98051dbbdb1773072cc998
 
-* Sun Nov 14 2021 Sherif Nagy <sherif@rockylinux.org> - 15.4-4
+* Tue Aug 16 2022 Sherif Nagy <sherif@rockylinux.org> - 15.6-1
 - Adding prod certs
 
-* Sun Nov 14 2021 Sherif Nagy <sherif@rockylinux.org> - 15.4-4
+* Tue Aug 16 2022 Sherif Nagy <sherif@rockylinux.org> - 15.6-1
 - Updating Rocky test CA
 
-* Sun Nov 14 2021 Sherif Nagy <sherif@rockylinux.org> - 15.4-4
+* Tue Aug 16 2022 Sherif Nagy <sherif@rockylinux.org> - 15.6-1
 - Adding Rocky testing CA
 
-* Sun Nov 14 2021 Louis Abel <label@rockylinux.org> - 15.4-4
+* Tue Aug 16 2022 Louis Abel <label@rockylinux.org> - 15.6-1
 - Debranding work for shim-unsigned
 
-* Thu Apr 01 2021 Peter Jones <pjones@redhat.com> - 15.4-4
-- Fix the sbat data to actually match /this/ product.
-  Resolves: CVE-2020-14372
-  Resolves: CVE-2020-25632
-  Resolves: CVE-2020-25647
-  Resolves: CVE-2020-27749
-  Resolves: CVE-2020-27779
-  Resolves: CVE-2021-20225
-  Resolves: CVE-2021-20233
-
-* Wed Mar 31 2021 Peter Jones <pjones@redhat.com> - 15.4-3
-- Build with the correct certificate trust list for this OS.
-  Resolves: CVE-2020-14372
-  Resolves: CVE-2020-25632
-  Resolves: CVE-2020-25647
-  Resolves: CVE-2020-27749
-  Resolves: CVE-2020-27779
-  Resolves: CVE-2021-20225
-  Resolves: CVE-2021-20233
-
-* Wed Mar 31 2021 Peter Jones <pjones@redhat.com> - 15.4-2
-- Fix the ia32 build.
-  Resolves: CVE-2020-14372
-  Resolves: CVE-2020-25632
-  Resolves: CVE-2020-25647
-  Resolves: CVE-2020-27749
-  Resolves: CVE-2020-27779
-  Resolves: CVE-2021-20225
-  Resolves: CVE-2021-20233
-
-* Tue Mar 30 2021 Peter Jones <pjones@redhat.com> - 15.4-1
-- Update to shim 15.4
-  - Support for revocations via the ".sbat" section and SBAT EFI variable
-  - A new unit test framework and a bunch of unit tests
-  - No external gnu-efi dependency
-  - Better CI
-  Resolves: CVE-2020-14372
-  Resolves: CVE-2020-25632
-  Resolves: CVE-2020-25647
-  Resolves: CVE-2020-27749
-  Resolves: CVE-2020-27779
-  Resolves: CVE-2021-20225
-  Resolves: CVE-2021-20233
-
-* Wed Mar 24 2021 Peter Jones <pjones@redhat.com> - 15.3-0~1
-- Update to shim 15.3
-  - Support for revocations via the ".sbat" section and SBAT EFI variable
-  - A new unit test framework and a bunch of unit tests
-  - No external gnu-efi dependency
-  - Better CI
-  Resolves: CVE-2020-14372
-  Resolves: CVE-2020-25632
-  Resolves: CVE-2020-25647
-  Resolves: CVE-2020-27749
-  Resolves: CVE-2020-27779
-  Resolves: CVE-2021-20225
-  Resolves: CVE-2021-20233
+* Wed Jun 01 2022 Peter Jones <pjones@redhat.com> - 15.6-1.el8
+- Update to shim-15.6
+  Resolves: CVE-2022-28737
+
+* Thu Sep 17 2020 Peter Jones <pjones@redhat.com> - 15-9.el8
+- Fix an incorrect allocation size.
+  Related: rhbz#1877253
+
+* Thu Jul 30 2020 Peter Jones <pjones@redhat.com> - 15-8
+- Fix a load-address-dependent forever loop.
+  Resolves: rhbz#1861977
+  Related: CVE-2020-10713
+  Related: CVE-2020-14308
+  Related: CVE-2020-14309
+  Related: CVE-2020-14310
+  Related: CVE-2020-14311
+  Related: CVE-2020-15705
+  Related: CVE-2020-15706
+  Related: CVE-2020-15707
+
+* Sat Jul 25 2020 Peter Jones <pjones@redhat.com> - 15-7
+- Implement Lenny's workaround
+  Related: CVE-2020-10713
+  Related: CVE-2020-14308
+  Related: CVE-2020-14309
+  Related: CVE-2020-14310
+  Related: CVE-2020-14311
+
+* Fri Jul 24 2020 Peter Jones <pjones@redhat.com> - 15-5
+- Once more with the MokListRT config table patch added.
+  Related: CVE-2020-10713
+  Related: CVE-2020-14308
+  Related: CVE-2020-14309
+  Related: CVE-2020-14310
+  Related: CVE-2020-14311
+
+* Thu Jul 23 2020 Peter Jones <pjones@redhat.com> - 15-4
+- Rebuild for bug fixes and new signing keys
+  Related: CVE-2020-10713
+  Related: CVE-2020-14308
+  Related: CVE-2020-14309
+  Related: CVE-2020-14310
+  Related: CVE-2020-14311
 
 * Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-3
 - Make EFI variable copying fatal only on secureboot enabled systems