From 245592c60e831cc7a6843b8da84333a3d265e7e3 Mon Sep 17 00:00:00 2001
From: "Martin, Chen" <haochuan.z.chen@intel.com>
Date: Wed, 2 Jan 2019 14:06:57 +0800
Subject: [PATCH] rebase shim patch to CentOS 7.6 version

Test:
Pass build and multi-node deploy test

Depends-On: https://review.openstack.org/627922

Story: 2004522
Task: 28438

Change-Id: I838e71c0334515ad2e34cbad968188b81f908d6a
Signed-off-by: Martin, Chen <haochuan.z.chen@intel.com>
---
 .../meta_patches/0001-Ti-version-string.patch |  2 +-
 .../0002-Add-Ti-certificate.patch             | 21 +++---
 .../0001-Use-Titanium-certificate.patch       | 66 ++++++++++---------
 security/shim-unsigned/centos/srpm_path       |  2 +-
 4 files changed, 49 insertions(+), 42 deletions(-)

diff --git a/security/shim-unsigned/centos/meta_patches/0001-Ti-version-string.patch b/security/shim-unsigned/centos/meta_patches/0001-Ti-version-string.patch
index 840528f8b..b38f191c2 100644
--- a/security/shim-unsigned/centos/meta_patches/0001-Ti-version-string.patch
+++ b/security/shim-unsigned/centos/meta_patches/0001-Ti-version-string.patch
@@ -16,7 +16,7 @@ index afd533b..de216b6
 +++ b/SPECS/shim.spec
 @@ -1,6 +1,6 @@
  Name:           shim
- Version:        12
+ Version:        15
 -Release:        1%{?dist}
 +Release:        1.el7%{?_tis_dist}.%{tis_patch_ver}
  Summary:        First-stage UEFI bootloader
diff --git a/security/shim-unsigned/centos/meta_patches/0002-Add-Ti-certificate.patch b/security/shim-unsigned/centos/meta_patches/0002-Add-Ti-certificate.patch
index 4b52100ef..825552e3a 100644
--- a/security/shim-unsigned/centos/meta_patches/0002-Add-Ti-certificate.patch
+++ b/security/shim-unsigned/centos/meta_patches/0002-Add-Ti-certificate.patch
@@ -4,8 +4,8 @@ Date: Mon, 15 Jan 2018 13:22:09 -0500
 Subject: [PATCH 2/2] Add Ti certificate
 
 ---
- SPECS/shim.spec | 5 +++++
- 1 file changed, 5 insertions(+)
+ SPECS/shim.spec | 4 ++++
+ 1 file changed, 4 insertions(+)
  mode change 100644 => 100755 SPECS/shim.spec
 
 diff --git a/SPECS/shim.spec b/SPECS/shim.spec
@@ -14,17 +14,18 @@ new mode 100755
 index de216b6..83da6cd
 --- a/SPECS/shim.spec
 +++ b/SPECS/shim.spec
-@@ -11,6 +11,9 @@ Source1:	centos.crt
- #Source2:	dbx-x64.esl
- #Source3:	dbx-aa64.esl
- Source4:	shim-find-debuginfo.sh
+@@ -14,8 +14,10 @@ Source0:        https://github.com/mjg59/shim/releases/download/%{version}/shim-
+ #Source3:       dbx-aa64.esl
+ Source4:        shim-find-debuginfo.sh
+ Source5:	centos.esl
 +Source1000:     tis-shim.crt
-+
-+Patch1000:      0001-Use-Titanium-certificate.patch
+ 
+ Patch0:		0001-Add-vendor-esl.patch
++Patch1000:	0001-Use-Titanium-certificate.patch
  
  BuildRequires: git openssl-devel openssl
  BuildRequires: pesign >= 0.106-1
-@@ -101,6 +104,7 @@ git commit -a -q -m "%{version} baseline."
+@@ -106,6 +108,7 @@ git commit -a -q -m "%{version} baseline."
  git am --ignore-whitespace %{patches} </dev/null
  git config --unset user.email
  git config --unset user.name
@@ -32,7 +33,7 @@ index de216b6..83da6cd
  
  %ifarch x86_64
  cd ..
-@@ -115,6 +119,7 @@ git commit -a -q -m "%{version} baseline."
+@@ -120,6 +123,7 @@ git commit -a -q -m "%{version} baseline."
  git am --ignore-whitespace %{patches} </dev/null
  git config --unset user.email
  git config --unset user.name
diff --git a/security/shim-unsigned/centos/patches/0001-Use-Titanium-certificate.patch b/security/shim-unsigned/centos/patches/0001-Use-Titanium-certificate.patch
index d366690f8..5b2deec67 100644
--- a/security/shim-unsigned/centos/patches/0001-Use-Titanium-certificate.patch
+++ b/security/shim-unsigned/centos/patches/0001-Use-Titanium-certificate.patch
@@ -4,16 +4,17 @@ Date: Mon, 15 Jan 2018 13:25:04 -0500
 Subject: [PATCH] Use Titanium certificate
 
 ---
- Makefile | 26 ++++++++++++++++++--------
- 1 file changed, 18 insertions(+), 8 deletions(-)
+ Make.defaults |  6 ++++++
+ Makefile      | 20 ++++++++++++--------
+ 2 files changed, 18 insertions(+), 8 deletions(-)
 
-diff --git a/Makefile b/Makefile
-index 6ece282..bb4f7f9 100644
---- a/Makefile
-+++ b/Makefile
-@@ -36,6 +36,12 @@ FBNAME		= fallback
+diff --git a/Make.defaults b/Make.defaults
+index 3cec82d..d7606db 100644
+--- a/Make.defaults
++++ b/Make.defaults
+@@ -51,6 +51,12 @@ CLANG_BUGS	= $(if $(findstring gcc,$(CC)),-maccumulate-outgoing-args,)
  
- COMMITID ?= $(shell if [ -d .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo commit id not available; fi)
+ COMMIT_ID ?= $(shell if [ -e .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo master; fi)
  
 +# We compile a certificate into shim.  Usually this is a one-time generated
 +# certificate (make-certs script) however we want to include a custom
@@ -24,51 +25,56 @@ index 6ece282..bb4f7f9 100644
  ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
  	CFLAGS	+= -DOVERRIDE_SECURITY_POLICY
  endif
-@@ -90,7 +96,7 @@ LDFLAGS		= --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsym
- 
- TARGET	= $(SHIMNAME).efi $(MMNAME).efi.signed $(FBNAME).efi.signed
- OBJS	= shim.o netboot.o cert.o replacements.o tpm.o version.o
+diff --git a/Makefile b/Makefile
+index 115e7f0..8964a97 100644
+--- a/Makefile
++++ b/Makefile
+@@ -34,7 +34,7 @@ else
+ TARGETS += $(MMNAME) $(FBNAME)
+ endif
+ OBJS	= shim.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o
 -KEYS	= shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
 +KEYS    = shim_cert.h ocsp.* ca.* $(INTERNAL_CERT).crt $(INTERNAL_CERT).csr $(INTERNAL_CERT).p12 $(INTERNAL_CERT).pem $(INTERNAL_CERT).key $(INTERNAL_CERT).cer
- SOURCES	= shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h tpm.c tpm.h version.c version.h
+ ORIG_SOURCES	= shim.c mok.c netboot.c replacements.c tpm.c errlog.c shim.h version.h $(wildcard include/*.h)
  MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o
- MOK_SOURCES = MokManager.c shim.h include/console.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h
-@@ -104,13 +110,17 @@ endif
+ ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
+@@ -52,14 +52,18 @@ FALLBACK_SRCS = $(foreach source,$(ORIG_FALLBACK_SRCS),$(TOPDIR)/$(source))
  
- all: $(TARGET)
+ all: $(TARGETS)
  
 -shim.crt:
--	./make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
+-	$(TOPDIR)/make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
 +# certificate is now provided in source.  To generate a random certificate,
 +# uncomment this rule
 +#$(INTERNAL_CERT).crt:
-+#	./make-certs $(INTERNAL_CERT) shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
++#	$(TOPDIR)/make-certs $(INTERNAL_CERT) shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
  
 -shim.cer: shim.crt
 +$(INTERNAL_CERT).cer: $(INTERNAL_CERT).crt
- 	openssl x509 -outform der -in $< -out $@
+ 	$(OPENSSL) x509 -outform der -in $< -out $@
  
+ .NOTPARALLEL: shim_cert.h
 -shim_cert.h: shim.cer
 +# name "shim_cert.h" rather than "$(INTERNAL_CERT).h" used so C files can just
 +# use a fixed name for #include
 +shim_cert.h: $(INTERNAL_CERT).cer
- 	echo "static UINT8 shim_cert[] = {" > $@
- 	hexdump -v -e '1/1 "0x%02x, "' $< >> $@
+ 	echo "static UINT8 shim_cert[] __attribute__((__unused__)) = {" > $@
+ 	$(HEXDUMP) -v -e '1/1 "0x%02x, "' $< >> $@
  	echo "};" >> $@
-@@ -121,10 +131,10 @@ version.c : version.c.in
- 		-e "s,@@COMMIT@@,$(COMMITID)," \
- 		< version.c.in > version.c
+@@ -70,10 +74,10 @@ version.c : $(TOPDIR)/version.c.in
+ 		-e "s,@@COMMIT@@,$(COMMIT_ID)," \
+ 		< $< > $@
  
 -certdb/secmod.db: shim.crt
 +certdb/secmod.db: $(INTERNAL_CERT).crt
  	-mkdir certdb
--	pk12util -d certdb/ -i shim.p12 -W "" -K ""
--	certutil -d certdb/ -A -i shim.crt -n shim -t u
-+	pk12util -d certdb/ -i $(INTERNAL_CERT).p12 -W "" -K ""
-+	certutil -d certdb/ -A -i $(INTERNAL_CERT).crt -n shim -t u
+-	$(PK12UTIL) -d certdb/ -i shim.p12 -W "" -K ""
+-	$(CERTUTIL) -d certdb/ -A -i shim.crt -n shim -t u
++	$(PK12UTIL) -d certdb/ -i $(INTERNAL_CERT).p12 -W "" -K ""
++	$(CERTUTIL) -d certdb/ -A -i $(INTERNAL_CERT).crt -n shim -t u
  
- shim.o: $(SOURCES) shim_cert.h
- shim.o: $(wildcard *.h)
+ shim.o: $(SOURCES)
+ ifneq ($(origin ENABLE_SHIM_CERT),undefined)
 -- 
 1.8.3.1
 
diff --git a/security/shim-unsigned/centos/srpm_path b/security/shim-unsigned/centos/srpm_path
index 19f9a3f9e..eb27711fa 100644
--- a/security/shim-unsigned/centos/srpm_path
+++ b/security/shim-unsigned/centos/srpm_path
@@ -1 +1 @@
-mirror:Source/shim-12-1.el7.centos.src.rpm
+mirror:Source/shim-15-1.el7.centos.src.rpm