shim-signed package update

Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org>

SOURCES/0001-Fix-the-potential-buffer-overflow.patch

@@ -0,0 +1,36 @@
+From 1313fa02a5b2bfe61ee6702696600fc148ec2d6e Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin <glin@suse.com>
+Date: Tue, 4 Nov 2014 15:50:03 +0800
+Subject: [PATCH 1/7] Fix the potential buffer overflow
+
+Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
+---
+ src/mokutil.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 5b34f22..93fb6fa 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -1743,7 +1743,7 @@ set_toggle (const char * VarName, uint32_t state)
+ 	MokToggleVar tvar;
+ 	char *password = NULL;
+ 	unsigned int pw_len;
+-	efi_char16_t efichar_pass[SB_PASSWORD_MAX];
++	efi_char16_t efichar_pass[SB_PASSWORD_MAX+1];
+ 	int ret = -1;
+ 
+ 	printf ("password length: %d~%d\n", SB_PASSWORD_MIN, SB_PASSWORD_MAX);
+@@ -1757,8 +1757,7 @@ set_toggle (const char * VarName, uint32_t state)
+ 	efichar_from_char (efichar_pass, password,
+ 			   SB_PASSWORD_MAX * sizeof(efi_char16_t));
+ 
+-	memcpy(tvar.password, efichar_pass,
+-	       SB_PASSWORD_MAX * sizeof(efi_char16_t));
++	memcpy(tvar.password, efichar_pass, sizeof(tvar.password));
+ 
+ 	tvar.mok_toggle_state = state;
+ 
+-- 
+2.7.4
+

SOURCES/0002-Fix-the-32bit-signedness-comparison.patch

@@ -0,0 +1,34 @@
+From cdb4b6f3bfd6ada6558ddfb889e27150f0841b28 Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin <glin@suse.com>
+Date: Mon, 24 Nov 2014 11:38:54 +0800
+Subject: [PATCH 2/7] Fix the 32bit signedness comparison
+
+---
+ src/mokutil.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 93fb6fa..a7e83f7 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -1284,7 +1284,7 @@ issue_mok_request (char **files, uint32_t total, MokRequest req,
+ 
+ 		/* Mok */
+ 		read_size = read (fd, ptr, sizes[i]);
+-		if (read_size < 0 || read_size != sizes[i]) {
++		if (read_size < 0 || read_size != (int64_t)sizes[i]) {
+ 			fprintf (stderr, "Failed to read %s\n", files[i]);
+ 			goto error;
+ 		}
+@@ -1645,7 +1645,7 @@ export_moks ()
+ 			goto error;
+ 		}
+ 
+-		while (offset < list[i].mok_size) {
++		while (offset < (int64_t)list[i].mok_size) {
+ 			write_size = write (fd, list[i].mok + offset,
+ 						list[i].mok_size - offset);
+ 			if (write_size < 0) {
+-- 
+2.7.4
+

SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch

@@ -0,0 +1,42 @@
+From 9eb111a7f7b897ba4ae19a68708e010a5c384260 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 19 Jun 2015 16:53:36 -0400
+Subject: [PATCH 3/7] Build with -fshort-wchar so toggle passwords work right.
+
+This source tree uses:
+
+typedef wchar_t efi_char16_t;
+
+to define UEFI's UCS-2 character type.  On many platforms, wchar_t is
+32-bits by default.  As a result, efichar_from_char winds up writing
+4-byte characters instead of 2-byte characters.  In the case where we
+hash the password in mokutil, this works fine, because the same datatype
+is used, and the values are the same.  But for our feature toggles,
+where we store the raw data and shim is interpretting the character
+array, every other character winds up being L'\0', and verification
+fails.
+
+So always build with -fshort-wchar to ensure we get 2-byte character
+storage.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index fe28fb9..69d412a 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -37,7 +37,7 @@ else
+ 	default_strict=no
+ fi
+ 
+-WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11"
++WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11 -fshort-wchar"
+ 
+ AC_ARG_ENABLE(strict, AS_HELP_STRING([--enable-strict],[Enable strict compilation options]), enable_strict=$enableval,
+ 		enable_strict=$default_strict)
+-- 
+2.7.4
+

SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch

@@ -0,0 +1,32 @@
+From ecc8fb0d92f0f453414a98172df22e23fb5893f5 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 16 Jun 2015 17:06:30 -0400
+Subject: [PATCH 4/7] Don't allow sha1 on the mokutil command line.
+
+Related: rhbz#1115843
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/mokutil.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index a7e83f7..1fb34f9 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -1351,10 +1351,12 @@ identify_hash_type (const char *hash_str, efi_guid_t *type)
+ 	}
+ 
+ 	switch (len) {
++#if 0
+ 	case SHA_DIGEST_LENGTH*2:
+ 		*type = efi_guid_sha1;
+ 		hash_size = SHA_DIGEST_LENGTH;
+ 		break;
++#endif
+ 	case SHA224_DIGEST_LENGTH*2:
+ 		*type = efi_guid_sha224;
+ 		hash_size = SHA224_DIGEST_LENGTH;
+-- 
+2.7.4
+

SOURCES/0005-Make-all-efi_guid_t-const.patch

@@ -0,0 +1,87 @@
+From eba569a8e6c33f07042758cbfa1706d7339464e1 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Wed, 13 Jan 2016 16:05:21 +0800
+Subject: [PATCH 5/7] Make all efi_guid_t const
+
+All UEFI GUIDs defined in efivar are const. Declare all of them const
+to make gcc happy.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ src/mokutil.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 1fb34f9..d2c52b4 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -200,7 +200,7 @@ efichar_from_char (efi_char16_t *dest, const char *src, size_t dest_len)
+ }
+ 
+ static uint32_t
+-efi_hash_size (efi_guid_t *hash_type)
++efi_hash_size (const efi_guid_t *hash_type)
+ {
+ 	if (efi_guid_cmp (hash_type, &efi_guid_sha1) == 0) {
+ 		return SHA_DIGEST_LENGTH;
+@@ -218,7 +218,7 @@ efi_hash_size (efi_guid_t *hash_type)
+ }
+ 
+ static uint32_t
+-signature_size (efi_guid_t *hash_type)
++signature_size (const efi_guid_t *hash_type)
+ {
+ 	uint32_t hash_size;
+ 
+@@ -439,7 +439,7 @@ list_keys (uint8_t *data, size_t data_size)
+ 
+ /* match the hash in the hash array and return the index if matched */
+ static int
+-match_hash_array (efi_guid_t *hash_type, const void *hash,
++match_hash_array (const efi_guid_t *hash_type, const void *hash,
+ 		  const void *hash_array, const uint32_t array_size)
+ {
+ 	uint32_t hash_size, hash_count;
+@@ -469,8 +469,8 @@ match_hash_array (efi_guid_t *hash_type, const void *hash,
+ }
+ 
+ static int
+-delete_data_from_list (efi_guid_t *var_guid, const char *var_name,
+-		       efi_guid_t *type, void *data, uint32_t data_size)
++delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
++		       const efi_guid_t *type, void *data, uint32_t data_size)
+ {
+ 	uint8_t *var_data = NULL;
+ 	size_t var_data_size = 0;
+@@ -1006,8 +1006,8 @@ is_valid_cert (void *cert, uint32_t cert_size)
+ }
+ 
+ static int
+-is_duplicate (efi_guid_t *type, const void *data, const uint32_t data_size,
+-	      efi_guid_t *vendor, const char *db_name)
++is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size,
++	      const efi_guid_t *vendor, const char *db_name)
+ {
+ 	uint8_t *var_data;
+ 	size_t var_data_size;
+@@ -1059,7 +1059,7 @@ done:
+ }
+ 
+ static int
+-is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size,
++is_valid_request (const efi_guid_t *type, void *mok, uint32_t mok_size,
+ 		  MokRequest req)
+ {
+ 	switch (req) {
+@@ -1096,7 +1096,7 @@ is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size,
+ }
+ 
+ static int
+-in_pending_request (efi_guid_t *type, void *data, uint32_t data_size,
++in_pending_request (const efi_guid_t *type, void *data, uint32_t data_size,
+ 		    MokRequest req)
+ {
+ 	uint8_t *authvar_data;
+-- 
+2.7.4
+

SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch

@@ -0,0 +1,37 @@
+From b68dca2d4de779387c4b5306bb9cfc9a3bab2572 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 14 Jun 2016 10:19:43 -0400
+Subject: [PATCH 6/7] mokutil: be explicit about file modes in all cases.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/mokutil.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index d2c52b4..d554f6c 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -574,7 +574,8 @@ delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
+ 		     | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ 		     | EFI_VARIABLE_RUNTIME_ACCESS;
+ 	ret = efi_set_variable (*var_guid, var_name,
+-				var_data, total, attributes);
++				var_data, total, attributes,
++				S_IRUSR | S_IWUSR);
+ 	if (ret < 0) {
+ 		fprintf (stderr, "Failed to write variable \"%s\": %m\n",
+ 			 var_name);
+@@ -938,7 +939,8 @@ update_request (void *new_list, int list_len, MokRequest req,
+ 		data_size = list_len;
+ 
+ 		if (efi_set_variable (efi_guid_shim, req_name,
+-				      data, data_size, attributes) < 0) {
++				      data, data_size, attributes,
++				      S_IRUSR | S_IWUSR) < 0) {
+ 			switch (req) {
+ 			case ENROLL_MOK:
+ 				fprintf (stderr, "Failed to enroll new keys\n");
+-- 
+2.7.4
+

SOURCES/0007-Add-bash-completion-file.patch

@@ -0,0 +1,98 @@
+From d16c76d139f9a9a56b49c0dd51cd9056f626031e Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 14 Jun 2016 10:20:14 -0400
+Subject: [PATCH 7/7] Add bash completion file.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ Makefile.am  |  5 +++++
+ configure.ac | 17 +++++++++++++++++
+ data/mokutil | 37 +++++++++++++++++++++++++++++++++++++
+ 3 files changed, 59 insertions(+)
+ create mode 100755 data/mokutil
+
+diff --git a/Makefile.am b/Makefile.am
+index 9f0d419..c17cc4a 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -1 +1,6 @@
+ SUBDIRS = src man
++
++if ENABLE_BASH_COMPLETION
++  bashcompletiondir = $(BASH_COMPLETION_DIR)
++  dist_bashcompletion_DATA = data/mokutil
++endif
+diff --git a/configure.ac b/configure.ac
+index 69d412a..7b52a06 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -86,6 +86,23 @@ AC_CHECK_FUNCS([memset])
+ PKG_CHECK_MODULES(OPENSSL, [openssl >= 0.9.8])
+ PKG_CHECK_MODULES(EFIVAR, [efivar >= 0.12])
+ 
++AC_ARG_WITH([bash-completion-dir],
++    AS_HELP_STRING([--with-bash-completion-dir[=PATH]],
++        [Install the bash auto-completion script in this directory. @<:@default=yes@:>@]),
++    [],
++    [with_bash_completion_dir=yes])
++
++if test "x$with_bash_completion_dir" = "xyes"; then
++    PKG_CHECK_MODULES([BASH_COMPLETION], [bash-completion >= 2.0],
++        [BASH_COMPLETION_DIR="`pkg-config --variable=completionsdir bash-completion`"],
++        [BASH_COMPLETION_DIR="$datadir/bash-completion/completions"])
++else
++    BASH_COMPLETION_DIR="$with_bash_completion_dir"
++fi
++
++AC_SUBST([BASH_COMPLETION_DIR])
++AM_CONDITIONAL([ENABLE_BASH_COMPLETION],[test "x$with_bash_completion_dir" != "xno"])
++
+ AC_CONFIG_FILES([Makefile
+                  src/Makefile
+ 		 man/Makefile])
+diff --git a/data/mokutil b/data/mokutil
+new file mode 100755
+index 0000000..800b039
+--- /dev/null
++++ b/data/mokutil
+@@ -0,0 +1,37 @@
++#!/bin/bash
++
++_mokutil()
++{
++	local cur=${COMP_WORDS[COMP_CWORD]}
++
++	if [[ "$cur" == -* ]]; then
++		#COMPREPLY=( $( compgen -W "--help --list-enrolled --list-new --list-delete --import --delete --revoke-import --revoke-delete --export --password --clear-password --disable-validation --enable-validation --sb-state --test-key --reset --generate-hash --hash-file --root-pw --simple-hash" -- $cur ) )
++		COMPREPLY=( $( compgen -W '$( _parse_help "$1" --long-help ) -h -l -N -D -i -d -x -p -c -t -f -g -P -s -X' -- "$cur" ) )
++		[[ $COMPREPLY == *= ]] && compopt -o nospace
++		return 0
++	fi
++
++	case "${COMP_WORDS[COMP_CWORD-1]}" in
++	--import|-i|--delete|-d|--test-key|-t|--hash-file|-f)
++		_filedir
++		return 0
++		;;
++	--import-hash|--delete-hash)
++		COMPREPLY=( $( compgen -W "" ) )
++		return 0
++		;;
++	--set-verbosity)
++		COMPREPLY=( $( compgen -W "true false") )
++		return 0
++		;;
++	--generate-hash|-g)
++		COMPREPLY=( $( compgen -o nospace -P= -W "") )
++		return 0
++		;;
++	*)
++		return 0
++		;;
++	esac
++}
++
++complete -F _mokutil mokutil
+-- 
+2.7.4
+

SPECS/shim-signed.spec

@@ -0,0 +1,424 @@
+Name:           shim-signed
+Version:        12
+Release:        1%{?dist}%{?buildid}
+Summary:        First-stage UEFI bootloader
+%define unsigned_release 1%{?dist}
+
+License:        BSD
+URL:            http://www.codon.org.uk/~mjg59/shim/
+# incorporate mokutil for packaging simplicity
+%global mokutil_version 0.3.0
+Source0:        https://github.com/lcp/mokutil/archive/mokutil-%{mokutil_version}.tar.gz
+Patch0001: 0001-Fix-the-potential-buffer-overflow.patch
+Patch0002: 0002-Fix-the-32bit-signedness-comparison.patch
+Patch0003: 0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch
+Patch0004: 0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
+Patch0005: 0005-Make-all-efi_guid_t-const.patch
+Patch0006: 0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
+Patch0007: 0007-Add-bash-completion-file.patch
+
+Source1:	powerel.crt
+Source10:	shimx64.efi
+Source11:	shimia32.efi
+#Source12:	shimaa64.efi
+Source20:	BOOTX64.CSV
+Source21:	BOOTIA32.CSV
+Source22:	BOOTAA64.CSV
+
+%ifarch x86_64
+%global efiarch X64
+%global efiarchlc x64
+%global shimsrc %{SOURCE10}
+%global bootsrc %{SOURCE20}
+
+%global shimsrcia32 %{SOURCE11}
+%global bootsrcia32 %{SOURCE21}
+%define unsigned_dir_ia32 %{_datadir}/shim/ia32-%{version}-%{unsigned_release}/
+%endif
+%ifarch aarch64
+%global efiarch AA64
+%global efiarchlc aa64
+#%global shimsrc %{SOURCE12}
+%global bootsrc %{SOURCE22}
+%endif
+%define unsigned_dir %{_datadir}/shim/%{efiarchlc}-%{version}-%{unsigned_release}/
+
+BuildRequires: git
+BuildRequires: openssl-devel openssl
+BuildRequires: pesign >= 0.106-5%{dist}
+BuildRequires: efivar-devel
+BuildRequires: shim-unsigned-%{efiarchlc} = %{version}-%{unsigned_release}
+%ifarch x86_64
+BuildRequires: shim-unsigned-ia32 = %{version}-%{unsigned_release}
+%endif
+
+# for mokutil's configure
+BuildRequires: autoconf automake
+
+# Shim is only required on platforms implementing the UEFI secure boot
+# protocol. The only one of those we currently wish to support is 64-bit x86.
+# Adding further platforms will require adding appropriate relocation code.
+ExclusiveArch: x86_64 aarch64
+
+%define debug_package \
+%ifnarch noarch\
+%global __debug_package 1\
+%package -n mokutil-debuginfo\
+Summary: Debug information for package %{name}\
+Group: Development/Debug\
+AutoReqProv: 0\
+%description -n mokutil-debuginfo\
+This package provides debug information for package %{name}.\
+Debug information is useful when developing applications that use this\
+package or when debugging this package.\
+%files -n mokutil-debuginfo -f debugfiles.list\
+%defattr(-,root,root)\
+%endif\
+%{nil}
+
+# Figure out the right file path to use
+%global efidir powerel
+
+%define ca_signed_arches x86_64
+%define rh_signed_arches x86_64 aarch64
+
+%description
+Initial UEFI bootloader that handles chaining to a trusted full bootloader
+under secure boot environments. This package contains the version signed by
+the UEFI signing service.
+
+%package -n shim-%{efiarchlc}
+Summary: First-stage UEFI bootloader
+Requires: mokutil = %{version}-%{release}
+Provides: shim = %{version}-%{release}
+Obsoletes: shim
+# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
+# compatible with SysV (there's no red zone under UEFI) and there isn't a
+# POSIX-style C library.
+# BuildRequires: OpenSSL
+Provides: bundled(openssl) = 0.9.8zb
+
+%description -n shim-%{efiarchlc}
+Initial UEFI bootloader that handles chaining to a trusted full bootloader
+under secure boot environments. This package contains the version signed by
+the UEFI signing service.
+
+%ifarch x86_64
+%package -n shim-ia32
+Summary: First-stage UEFI bootloader
+Requires: mokutil = %{version}-%{release}
+# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
+# compatible with SysV (there's no red zone under UEFI) and there isn't a
+# POSIX-style C library.
+# BuildRequires: OpenSSL
+Provides: bundled(openssl) = 0.9.8zb
+
+%description -n shim-ia32
+Initial UEFI bootloader that handles chaining to a trusted full bootloader
+under secure boot environments. This package contains the version signed by
+the UEFI signing service.
+%endif
+
+%package -n mokutil
+Summary: Utilities for managing Secure Boot/MoK keys.
+
+%description -n mokutil
+Utilities for managing the "Machine's Own Keys" list.
+
+%prep
+%setup -T -q -a 0 -n shim-signed-%{version} -c
+git init
+git config user.email "example@example.com"
+git config user.name "rpmbuild -bp"
+git add .
+git commit -a -q -m "%{version} baseline."
+cd mokutil-%{mokutil_version}
+git am --ignore-whitespace --directory=mokutil-%{mokutil_version} %{patches} </dev/null
+git config --unset user.email
+git config --unset user.name
+cd ..
+
+%build
+%define vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
+%define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
+
+%ifarch %{ca_signed_arches}
+pesign -i %{shimsrc} -h -P > shim%{efiarchlc}.hash
+if ! cmp shim%{efiarchlc}.hash %{unsigned_dir}shim%{efiarchlc}.hash ; then
+	echo Invalid signature\! > /dev/stderr
+	echo saved hash is $(cat %{unsigned_dir}shim%{efiarchlc}.hash) > /dev/stderr
+	echo shim%{efiarchlc}.efi hash is $(cat shim%{efiarchlc}.hash) > /dev/stderr
+	exit 1
+fi
+cp %{shimsrc} shim%{efiarchlc}.efi
+%ifarch x86_64
+pesign -i %{shimsrcia32} -h -P > shimia32.hash
+if ! cmp shimia32.hash %{unsigned_dir_ia32}shimia32.hash ; then
+	echo Invalid signature\! > /dev/stderr
+	echo saved hash is $(cat %{unsigned_dir_ia32}shimia32.hash) > /dev/stderr
+	echo shimia32.efi hash is $(cat shimia32.hash) > /dev/stderr
+	exit 1
+fi
+cp %{shimsrcia32} shimia32.efi
+%endif
+%endif
+%ifarch %{rh_signed_arches}
+%pesign -s -i %{unsigned_dir}shim%{efiarchlc}.efi -a %{SOURCE1} -c %{SOURCE1}  -o shim%{efiarchlc}-%{efidir}.efi
+%ifarch x86_64
+%pesign -s -i %{unsigned_dir_ia32}shimia32.efi -a %{SOURCE1} -c %{SOURCE1}  -o shimia32-%{efidir}.efi
+%endif
+%endif
+%ifarch %{rh_signed_arches}
+%ifnarch %{ca_signed_arches}
+cp shim%{efiarchlc}-%{efidir}.efi shim%{efiarchlc}.efi
+%endif
+%endif
+
+%pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE1} -c %{SOURCE1}
+%pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE1} -c %{SOURCE1}
+
+%ifarch x86_64
+%pesign -s -i %{unsigned_dir_ia32}mmia32.efi -o mmia32.efi -a %{SOURCE1} -c %{SOURCE1} 
+%pesign -s -i %{unsigned_dir_ia32}fbia32.efi -o fbia32.efi -a %{SOURCE1} -c %{SOURCE1} 
+%endif
+
+cd mokutil-%{mokutil_version}
+./autogen.sh
+%configure
+make %{?_smp_mflags}
+
+%install
+rm -rf $RPM_BUILD_ROOT
+install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/
+install -m 0644 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi
+install -m 0644 shim%{efiarchlc}-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi
+install -m 0644 mm%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi
+install -m 0644 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV
+
+install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/
+install -m 0644 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOT%{efiarch}.EFI
+install -m 0644 fb%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fb%{efiarchlc}.efi
+
+%ifarch aarch64
+# In case old boot entries aren't updated
+install -m 0644 %{shimsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi
+%endif
+
+%ifarch x86_64
+# In case old boot entries aren't updated
+install -m 0644 shimx64.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi
+install -m 0644 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV
+
+install -m 0644 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi
+install -m 0644 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi
+install -m 0644 shimia32-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi
+install -m 0644 mmia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mmia32.efi
+install -m 0644 %{bootsrcia32} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOTIA32.CSV
+
+install -m 0644 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOTIA32.EFI
+install -m 0644 fbia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fbia32.efi
+%endif
+
+cd mokutil-%{mokutil_version}
+make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
+
+%files -n shim-%{efiarchlc}
+/boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi
+/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi
+/boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi
+/boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV
+/boot/efi/EFI/BOOT/BOOT%{efiarch}.EFI
+/boot/efi/EFI/BOOT/fb%{efiarchlc}.efi
+/boot/efi/EFI/%{efidir}/shim.efi
+
+%ifarch x86_64
+/boot/efi/EFI/%{efidir}/BOOT.CSV
+
+%files -n shim-ia32
+/boot/efi/EFI/%{efidir}/shimia32.efi
+/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi
+/boot/efi/EFI/%{efidir}/mmia32.efi
+/boot/efi/EFI/%{efidir}/BOOTIA32.CSV
+/boot/efi/EFI/BOOT/BOOTIA32.EFI
+/boot/efi/EFI/BOOT/fbia32.efi
+%endif
+
+%files -n mokutil
+%{!?_licensedir:%global license %%doc}
+%license mokutil-%{mokutil_version}/COPYING
+%doc mokutil-%{mokutil_version}/README
+%{_bindir}/mokutil
+%{_mandir}/man1/*
+%{_datadir}/bash-completion/completions/mokutil
+
+%changelog
+* Mon May 01 2017 Peter Jones <pjones@redhat.com> - 12-1
+- Update to 12-1 to work around a signtool.exe bug
+  Resolves: rhbz#1445393
+
+* Mon Apr 24 2017 Peter Jones <pjones@redhat.com> - 11-4
+- Another shot at better obsoletes.
+  Related: rhbz#1310764
+
+* Mon Apr 24 2017 Peter Jones <pjones@redhat.com> - 11-3
+- Fix Obsoletes
+  Related: rhbz#1310764
+
+* Thu Apr 13 2017 Peter Jones <pjones@redhat.com> - 11-2
+- Make sure Aarch64 still has shim.efi as well
+  Related: rhbz#1310766
+
+* Wed Apr 12 2017 Peter Jones <pjones@redhat.com> - 11-1
+- Rebuild with signed shim
+  Related: rhbz#1310766
+
+* Mon Apr 03 2017 Peter Jones <pjones@redhat.com> - 11-0.1
+- Update to 11-0.1 to match shim-11-1
+  Related: rhbz#1310766
+- Fix regression in PE loader
+  Related: rhbz#1310766
+- Fix case where BDS invokes us wrong and we exec shim again as a result
+  Related: rhbz#1310766
+
+* Mon Mar 27 2017 Peter Jones <pjones@redhat.com> - 10-0.1
+- Support ia32
+  Resolves: rhbz#1310766
+- Handle various different load option implementation differences
+- TPM 1 and TPM 2 support.
+- Update to OpenSSL 1.0.2k
+
+* Mon Jul 20 2015 Peter Jones <pjones@redhat.com> - 0.9-2
+- Apparently I'm *never* going to learn to build this in the right target
+  the first time through.
+  Related: rhbz#1100048
+
+* Mon Jun 29 2015 Peter Jones <pjones@redhat.com> - 0.9-0.1
+- Bump version for 0.9
+  Also use mokutil-0.3.0
+  Related: rhbz#1100048
+
+* Tue Jun 23 2015 Peter Jones <pjones@redhat.com> - 0.7-14.1
+- Fix mokutil_version usage.
+  Related: rhbz#1100048
+
+* Mon Jun 22 2015 Peter Jones <pjones@redhat.com> - 0.7-14
+- Pull in aarch64 build so they can compose that tree.
+  (-14 to match -unsigned)
+  Related: rhbz#1100048
+
+* Wed Feb 25 2015 Peter Jones <pjones@redhat.com> - 0.7-12
+- Fix some minor build bugs on Aarch64
+  Related: rhbz#1190191
+
+* Tue Feb 24 2015 Peter Jones <pjones@redhat.com> - 0.7-11
+- Fix section loading on Aarch64
+  Related: rhbz#1190191
+
+* Wed Dec 17 2014 Peter Jones <pjones@redhat.com> - 0.7-10
+- Rebuild for Aarch64 to get \EFI\BOOT\BOOTAA64.EFI named right.
+  (I managed to fix the inputs but not the outputs in -9.)
+  Related: rhbz#1100048
+
+* Wed Dec 17 2014 Peter Jones <pjones@redhat.com> - 0.7-9
+- Rebuild for Aarch64 to get \EFI\BOOT\BOOTAA64.EFI named right.
+  Related: rhbz#1100048
+
+* Tue Oct 21 2014 Peter Jones <pjones@redhat.com> - 0.7-8
+- Build for aarch64 as well 
+  Related: rhbz#1100048
+- out-of-bounds memory read flaw in DHCPv6 packet processing
+  Resolves: CVE-2014-3675
+- heap-based buffer overflow flaw in IPv6 address parsing
+  Resolves: CVE-2014-3676
+- memory corruption flaw when processing Machine Owner Keys (MOKs)
+  Resolves: CVE-2014-3677
+
+* Tue Sep 23 2014 Peter Jones <pjones@redhat.com> - 0.7-7
+- Make sure we use the right keys on Aarch64.
+  (It's only a demo at this stage.)
+  Related: rhbz#1100048
+
+* Tue Sep 23 2014 Peter Jones <pjones@redhat.com> - 0.7-6
+- Add ARM Aarch64.
+  Related: rhbz#1100048
+
+* Thu Feb 27 2014 Peter Jones <pjones@redhat.com> - 0.7-5.2
+- Get the right signatures on shim-redhat.efi
+  Related: rhbz#1064449
+
+* Thu Feb 27 2014 Peter Jones <pjones@redhat.com> - 0.7-5.1
+- Update for signed shim for RHEL 7
+  Resolves: rhbz#1064449
+
+* Thu Nov 21 2013 Peter Jones <pjones@redhat.com> - 0.7-5
+- Fix shim-unsigned deps.
+  Related: rhbz#1032583
+
+* Thu Nov 21 2013 Peter Jones <pjones@redhat.com> - 0.7-4
+- Make dhcp4 work better.
+  Related: rhbz#1032583
+
+* Thu Nov 14 2013 Peter Jones <pjones@redhat.com> - 0.7-3
+- Make lockdown include UEFI and other KEK/DB entries.
+  Related: rhbz#1030492
+
+* Fri Nov 08 2013 Peter Jones <pjones@redhat.com> - 0.7-2
+- Handle SetupMode better in lockdown as well
+  Related: rhbz#996863
+
+* Wed Nov 06 2013 Peter Jones <pjones@redhat.com> - 0.7-1
+- Don't treat SetupMode variable's presence as meaning we're in SetupMode.
+  Related: rhbz#996863
+
+* Wed Nov 06 2013 Peter Jones <pjones@redhat.com> - 0.6-3
+- Use the correct CA and signer certificates.
+  Related: rhbz#996863
+
+* Thu Oct 31 2013 Peter Jones <pjones@redhat.com> - 0.6-1
+- Update to 0.6-1
+  Resolves: rhbz#1008379
+
+* Wed Aug 07 2013 Peter Jones <pjones@redhat.com> - 0.4-3.2
+- Depend on newer pesign.
+  Related: rhbz#989442
+
+* Tue Aug 06 2013 Peter Jones <pjones@redhat.com> - 0.4-3.1
+- Rebuild with newer pesign
+  Related: rhbz#989442
+
+* Tue Aug 06 2013 Peter Jones <pjones@redhat.com> - 0.4-3
+- Update for RHEL signing with early test keys.
+  Related: rhbz#989442
+
+* Thu Jun 20 2013 Peter Jones <pjones@redhat.com> - 0.4-1
+- Provide a fallback for uninitialized Boot#### and BootOrder
+  Resolves: rhbz#963359
+- Move all signing from shim-unsigned to here
+- properly compare our generated hash from shim-unsigned with the hash of
+  the signed binary (as opposed to doing it manually)
+
+* Fri May 31 2013 Peter Jones <pjones@redhat.com> - 0.2-4.4
+- Re-sign to get alignments that match the new specification.
+  Resolves: rhbz#963361
+
+* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.2-4.3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Wed Jan 02 2013 Peter Jones <pjones@redhat.com> - 0.2-3.3
+- Add obsoletes and provides for earlier shim-signed packages, to cover
+  the package update cases where previous versions were installed.
+  Related: rhbz#888026
+
+* Mon Dec 17 2012 Peter Jones <pjones@redhat.com> - 0.2-3.2
+- Make the shim-unsigned dep be on the subpackage.
+
+* Sun Dec 16 2012 Peter Jones <pjones@redhat.com> - 0.2-3.1
+- Rebuild to provide "shim" package directly instead of just as a Provides:
+
+* Sat Dec 15 2012 Peter Jones <pjones@redhat.com> - 0.2-3
+- Also provide shim-fedora.efi, signed only by the fedora signer.
+- Fix the fedora signature on the result to actually be correct.
+- Update for shim-unsigned 0.2-3
+
+* Mon Dec 03 2012 Peter Jones <pjones@redhat.com> - 0.2-2
+- Initial build