From 5659544f2553f4e8d86ce4f8865f167a9458677a Mon Sep 17 00:00:00 2001 From: Long Li Date: Tue, 31 Dec 2019 11:32:17 +0800 Subject: [PATCH] CentOS 8: Upgrade shim-signed to version 15 (1)Release Version Upgrade (2)Matching code changes with el7 to el8 For CentOS 7, shim-signed srpm for shim-signed for CentOS 8, shim srpm for shim-signed Story: 2006729 Task: 37913 Change-Id: I7d6a1c5550ace8ae8b3a539befc4e1f084ce1e18 Signed-off-by: Long Li --- security/shim-signed/centos/build_srpm.data | 2 +- .../0001-Titanium-release-info.patch | 27 +-- .../0002-Use-presigned-binaries.patch | 173 ++++-------------- .../0003-Fix-shimver-directory.patch | 30 +++ .../centos/meta_patches/PATCH_ORDER | 1 + security/shim-signed/centos/srpm_path | 2 +- 6 files changed, 80 insertions(+), 155 deletions(-) create mode 100644 security/shim-signed/centos/meta_patches/0003-Fix-shimver-directory.patch diff --git a/security/shim-signed/centos/build_srpm.data b/security/shim-signed/centos/build_srpm.data index 70b4b5dcb..8aeb55368 100644 --- a/security/shim-signed/centos/build_srpm.data +++ b/security/shim-signed/centos/build_srpm.data @@ -1 +1 @@ -TIS_PATCH_VER=2 +TIS_PATCH_VER=1 diff --git a/security/shim-signed/centos/meta_patches/0001-Titanium-release-info.patch b/security/shim-signed/centos/meta_patches/0001-Titanium-release-info.patch index 48fdb08bb..b1336b35f 100644 --- a/security/shim-signed/centos/meta_patches/0001-Titanium-release-info.patch +++ b/security/shim-signed/centos/meta_patches/0001-Titanium-release-info.patch 
@@ -4,21 +4,22 @@ Date: Tue, 16 Jan 2018 08:14:08 -0500 Subject: [PATCH 1/2] Titanium release info --- - SPECS/shim-signed.spec | 2 +- + SPECS/shim.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/SPECS/shim-signed.spec b/SPECS/shim-signed.spec -index d2a13b1..9cfcb2f 100644 ---- a/SPECS/shim-signed.spec -+++ b/SPECS/shim-signed.spec -@@ -1,6 +1,6 @@ - Name: shim-signed - Version: 15 --Release: 1%{?dist}%{?buildid} -+Release: 1%{?_tis_dist}.%{tis_patch_ver} - Summary: First-stage UEFI bootloader - %define unsigned_release 1%{?dist} +diff --git a/SPECS/shim.spec b/SPECS/shim.spec +index 4296515..f004748 100644 +--- a/SPECS/shim.spec ++++ b/SPECS/shim.spec +@@ -6,7 +6,7 @@ + Name: shim + Version: 15 +-Release: 8%{?dist} ++Release: 8%{?_tis_dist}.%{tis_patch_ver} + Summary: First-stage UEFI bootloader + License: BSD + URL: https://github.com/rhboot/shim/ -- -1.8.3.1 +2.7.4 diff --git a/security/shim-signed/centos/meta_patches/0002-Use-presigned-binaries.patch b/security/shim-signed/centos/meta_patches/0002-Use-presigned-binaries.patch index d9a3a12cd..38c56f6df 100644 --- a/security/shim-signed/centos/meta_patches/0002-Use-presigned-binaries.patch +++ b/security/shim-signed/centos/meta_patches/0002-Use-presigned-binaries.patch 
@@ -1,151 +1,44 @@ -diff --git a/SPECS/shim-signed.spec b/SPECS/shim-signed.spec -old mode 100644 -new mode 100755 -index 9cfcb2f..f6ce87e ---- a/SPECS/shim-signed.spec -+++ b/SPECS/shim-signed.spec -@@ -2,18 +2,20 @@ Name: shim-signed - Version: 15 - Release: 1%{?_tis_dist}.%{tis_patch_ver} - Summary: First-stage UEFI bootloader --%define unsigned_release 1%{?dist} +diff --git a/SPECS/shim.spec b/SPECS/shim.spec +index f004748..1fd493c 100644 +--- a/SPECS/shim.spec ++++ b/SPECS/shim.spec +@@ -19,6 +19,9 @@ ExcludeArch: %{ix86} + # and we don't have shim-unsigned-arm builds *yet* + ExcludeArch: %{arm} - License: BSD - URL: https://github.com/rhboot/shim/ - # incorporate mokutil for packaging simplicity - %global mokutil_version 0.3.0 +%global srcbasename shimx64 +%global srcbasenameia32 shimia32 + - Source0: https://github.com/lcp/mokutil/archive/mokutil-%{mokutil_version}.tar.gz + Source0: shim.rpmmacros Source1: centossecureboot001.crt Source2: centos-ca-secureboot.der - %define pesign_name centossecureboot001 --Source10: shimx64.efi --Source11: shimia32.efi -+Source10: %{srcbasename}.efi -+Source11: %{srcbasenameia32}.efi - Source12: shimaa64.efi - Source20: BOOTX64.CSV - Source21: BOOTIA32.CSV -@@ -52,11 +54,17 @@ BuildRequires: git - BuildRequires: openssl-devel openssl - BuildRequires: pesign >= 0.106-5%{dist} - BuildRequires: efivar-devel --BuildRequires: shim-unsigned-%{efiarchlc} = %{version}-%{unsigned_release} -+BuildRequires: shim-unsigned-%{efiarchlc} +@@ -28,9 +31,9 @@ Source2: centos-ca-secureboot.der + Source10: BOOTAA64.CSV + Source20: shimaa64.efi + Source11: BOOTIA32.CSV +-Source21: shimia32.efi ++Source21: %{srcbasenameia32}.efi + Source12: BOOTX64.CSV +-Source22: shimx64.efi ++Source22: %{srcbasename}.efi + #Source13: BOOTARM.CSV + #Source23: shimarm.efi + +@@ -43,11 +46,11 @@ BuildRequires: pesign >= 0.112-20.fc27 + # (shim 16+) by making the unsigned packages all provide "shim-unsigned", so + # we can just BuildRequires that. 
%ifarch x86_64 --BuildRequires: shim-unsigned-ia32 = %{version}-%{unsigned_release} -+BuildRequires: shim-unsigned-ia32 +-BuildRequires: %{unsignedx64} = %{shimverx64} +-BuildRequires: %{unsignedia32} = %{shimveria32} ++BuildRequires: %{unsignedx64} ++BuildRequires: %{unsignedia32} %endif - -+# Rather than hardcode a release, we get the release from the installed shim-unsigned package -+%define unsigned_release %(rpm -q shim-unsigned-x64 --info | grep Release | awk '{print $3}') -+%define unsigned_dir "%{_datadir}/shim/%{efiarchlc}-%{version}-%{unsigned_release}/" -+%define unsigned_release_ia32 %(rpm -q shim-unsigned-ia32 --info | grep Release | awk '{print $3}') -+%define unsigned_dir_ia32 "%{_datadir}/shim/ia32-%{version}-%{unsigned_release_ia32}/" -+ - # for mokutil's configure - BuildRequires: autoconf automake - -@@ -148,39 +156,34 @@ cd .. - %define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}} - - %ifarch %{ca_signed_arches} --pesign -i %{shimsrc} -h -P > shim%{efiarchlc}.hash --if ! cmp shim%{efiarchlc}.hash %{unsigned_dir}shim%{efiarchlc}.hash ; then -- echo Invalid signature\! > /dev/stderr -- echo saved hash is $(cat %{unsigned_dir}shim%{efiarchlc}.hash) > /dev/stderr -- echo shim%{efiarchlc}.efi hash is $(cat shim%{efiarchlc}.hash) > /dev/stderr -- exit 1 -+ -+# if we already have a presigned EFI image, then do not do signing -- just -+# use the presigned one. -+if [ -e %{unsigned_dir}%{srcbasename}-presigned.efi ]; then -+ cp %{unsigned_dir}%{srcbasename}-presigned.efi %{srcbasename}.efi -+ cp %{unsigned_dir}%{srcbasename}-presigned.efi shim%{efiarchlc}.efi -+else -+ cp %{shimsrc} shim%{efiarchlc}.efi - fi --cp %{shimsrc} shim%{efiarchlc}.efi - %ifarch x86_64 --pesign -i %{shimsrcia32} -h -P > shimia32.hash --if ! cmp shimia32.hash %{unsigned_dir_ia32}shimia32.hash ; then -- echo Invalid signature\! 
> /dev/stderr -- echo saved hash is $(cat %{unsigned_dir_ia32}shimia32.hash) > /dev/stderr -- echo shimia32.efi hash is $(cat shimia32.hash) > /dev/stderr -- exit 1 -+if [ -e %{unsigned_dir_ia32}%{srcbasenameia32}-presigned.efi ]; then -+ cp %{unsigned_dir_ia32}%{srcbasenameia32}-presigned.efi %{srcbasenameia32}.efi -+else -+ cp %{shimsrcia32} %{srcbasenameia32}.efi - fi --cp %{shimsrcia32} shimia32.efi --%endif --%endif --%ifarch %{rh_signed_arches} --%pesign -s -i %{unsigned_dir}shim%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} -o shim%{efiarchlc}-%{efidir}.efi --%ifarch x86_64 --%pesign -s -i %{unsigned_dir_ia32}shimia32.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} -o shimia32-%{efidir}.efi --%endif --%endif --%ifarch %{rh_signed_arches} --%ifnarch %{ca_signed_arches} --cp shim%{efiarchlc}-%{efidir}.efi shim%{efiarchlc}.efi + %ifarch aarch64 +-BuildRequires: %{unsignedaa64} = %{shimveraa64} ++BuildRequires: %{unsignedaa64} %endif - %endif - --%pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} --%pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} -+if [ -e %{unsigned_dir}mm%{efiarchlc}-presigned.efi ]; then -+ cp %{unsigned_dir}mm%{efiarchlc}-presigned.efi mm%{efiarchlc}.efi -+else -+ %pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} -+fi -+if [ -e %{unsigned_dir}fb%{efiarchlc}-presigned.efi ]; then -+ cp %{unsigned_dir}fb%{efiarchlc}-presigned.efi fb%{efiarchlc}.efi -+else -+ %pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} -+fi - - %ifarch x86_64 - %pesign -s -i %{unsigned_dir_ia32}mmia32.efi -o mmia32.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} -@@ -196,7 +199,7 @@ make %{?_smp_mflags} - rm -rf $RPM_BUILD_ROOT - install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/ - 
install -m 0700 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi --install -m 0700 shim%{efiarchlc}-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi -+#install -m 0700 shim%{efiarchlc}-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi - install -m 0700 mm%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi - install -m 0700 mm%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/MokManager.efi - install -m 0700 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV -@@ -218,7 +221,7 @@ install -m 0700 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV - - install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi - install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi --install -m 0700 shimia32-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi -+#install -m 0700 shimia32-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi - install -m 0700 mmia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mmia32.efi - install -m 0700 %{bootsrcia32} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOTIA32.CSV - -@@ -232,7 +235,7 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install - %files -n shim-%{efiarchlc} - %defattr(0700,root,root,-) - /boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi --/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi -+#/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi - /boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi - /boot/efi/EFI/%{efidir}/MokManager.efi - /boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV -@@ -247,7 +250,7 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install - %files -n shim-ia32 - %defattr(0700,root,root,-) - /boot/efi/EFI/%{efidir}/shimia32.efi --/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi -+#/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi - 
/boot/efi/EFI/%{efidir}/mmia32.efi - /boot/efi/EFI/%{efidir}/BOOTIA32.CSV - /boot/efi/EFI/BOOT/BOOTIA32.EFI + #%%ifarch arm + #BuildRequires: %%{unsignedarm} = %%{shimverarm} -- -1.8.3.1 +2.7.4 diff --git a/security/shim-signed/centos/meta_patches/0003-Fix-shimver-directory.patch b/security/shim-signed/centos/meta_patches/0003-Fix-shimver-directory.patch new file mode 100644 index 000000000..0ef27a45f --- /dev/null +++ b/security/shim-signed/centos/meta_patches/0003-Fix-shimver-directory.patch @@ -0,0 +1,30 @@ +From 49520cf6a3c826de7b4c8c0842c24991770d9db2 Mon Sep 17 00:00:00 2001 +From: Long Li +Date: Wed, 12 Feb 2020 20:16:15 +0800 +Subject: [PATCH] Fix shimver directory + +Signed-off-by: Long Li +--- + SOURCES/shim.rpmmacros | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/SOURCES/shim.rpmmacros b/SOURCES/shim.rpmmacros +index 26e7e72..c14a03f 100644 +--- a/SOURCES/shim.rpmmacros ++++ b/SOURCES/shim.rpmmacros +@@ -13,9 +13,9 @@ + %global shimefix64 %{expand:%{SOURCE22}} + #%%global shimefiarm %%{expand:%%{SOURCE23} + +-%global shimveraa64 15-2.el8 +-%global shimveria32 15-2.el8 +-%global shimverx64 15-2.el8 ++%global shimveraa64 15-2.el8%{?_tis_dist}.%{tis_patch_ver} ++%global shimveria32 15-2.el8%{?_tis_dist}.%{tis_patch_ver} ++%global shimverx64 15-2.el8%{?_tis_dist}.%{tis_patch_ver} + #%%global shimverarm 15-1.el8 + + %global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64 +-- +2.7.4 + diff --git a/security/shim-signed/centos/meta_patches/PATCH_ORDER b/security/shim-signed/centos/meta_patches/PATCH_ORDER index 88969c0f1..d053a746c 100644 --- a/security/shim-signed/centos/meta_patches/PATCH_ORDER +++ b/security/shim-signed/centos/meta_patches/PATCH_ORDER @@ -1,2 +1,3 @@ 0001-Titanium-release-info.patch 0002-Use-presigned-binaries.patch +0003-Fix-shimver-directory.patch diff --git a/security/shim-signed/centos/srpm_path b/security/shim-signed/centos/srpm_path index 90af5a681..f2c675151 100644 
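Review bot: Dropping the `= %{shimverx64}`, `= %{shimveria32}` and `= %{shimveraa64}` constraints in the BuildRequires hunk means dependency resolution no longer asserts which shim-unsigned build gets signed; any installed shim-unsigned-x64 satisfies the dependency, and for a Secure Boot first-stage loader that exact-NVR pin was the build-time provenance check. If the el8 spec's %build still compares the `pesign -h -P` output against the `.hash` saved under `%{shimdirx64}` (that part of shim.spec is not in this hunk), a mismatch only surfaces there as a failed build rather than at resolution time; if it does not, nothing ties the image being signed to a known unsigned build. Prefer keeping the pins, e.g. `BuildRequires: %{unsignedx64} = %{shimverx64}`, and adjusting `%{shimverx64}` to the release the unsigned package actually carries. Separately, `%global srcbasename shimx64` and `%global srcbasenameia32 shimia32` merely restate the literals they replace now that the el7 `-presigned.efi` copy logic is gone from this patch, so either the presigned fallback still needs porting or the macros and the patch title are leftovers — a sentence in the commit message saying which would help.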
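Review bot: The new `%global shimverx64 15-2.el8%{?_tis_dist}.%{tis_patch_ver}` (and its aa64/ia32 twins) bakes shim-signed's own patch counter (`TIS_PATCH_VER=1` from build_srpm.data in this same commit) into the directory where the unsigned shim is looked up, so the path is only right while shim-unsigned's release string and shim-signed's counter move in lockstep; a bump on either side makes the other package's build fail on a missing `%{shimdirx64}`. Since this commit also removes the BuildRequires version pins, that lockstep is no longer checked by rpm at resolution time either. Deriving the release from the installed package instead, e.g. `%global shimverx64 %(rpm -q --qf '%%{VERSION}-%%{RELEASE}' shim-unsigned-x64)` per architecture, removes the coupling (the el7 meta-patch took the same approach via `rpm -q shim-unsigned-x64 --info`). If the hard-coding is deliberate, a comment above these three lines stating that shim-unsigned-* must be rebuilt with the same `_tis_dist`/`tis_patch_ver` would save the next maintainer a failed build.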
--- a/security/shim-signed/centos/srpm_path
+++ b/security/shim-signed/centos/srpm_path
@@ -1 +1 @@
-mirror:Source/shim-signed-15-1.el7.centos.src.rpm
+mirror:Source/shim-15-8.el8.src.rpm