Accepting request 985418 from home:joeyli:branches:devel:openSUSE:Factory

Update to 15.6 (bsc#1198458)

OBS-URL: https://build.opensuse.org/request/show/985418
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=187

dbx-cert.tar.xz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:c872989a35b85ff4a284871d95bae930f6372a31f3353e72890775bf151e5ff2
-size 7052
+oid sha256:ce6458fd78dfe56700ddfc82b6e72de3823735c449400c06379234eaa12e8f85
+size 8416

shim-15.4.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8344473dd10569588b8238a4656b8fab226714eea9f5363f8c410aa8a5090297
-size 1260475

shim-15.6.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:eab91644a3efe91a666399f5d8eb3eed0e04d04f79d4b6c0b278ef7747a239a5
+size 1343748

shim-bsc1184454-allocate-mok-config-table-BS.patch

@@ -1,39 +0,0 @@
-From 33ca95024aa7e33218da5882d30b3ec690a11046 Mon Sep 17 00:00:00 2001
-From: Gary Lin <glin@suse.com>
-Date: Thu, 8 Apr 2021 16:23:03 +0800
-Subject: [PATCH] mok: allocate MOK config table as BootServicesData
-
-Linux kernel is picky when reserving the memory for x86 and it only
-expects BootServicesData:
-
-https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/platform/efi/quirks.c?h=v5.11#n254
-
-Otherwise, the following error would show during system boot:
-
-Apr 07 12:31:56.743925 localhost kernel: efi: Failed to lookup EFI memory descriptor for 0x000000003dcf8000
-
-Although BootServicesData would be reclaimed after ExitBootService(),
-linux kernel reserves MOK config table when it detects the existence of
-the table, so it's fine to allocate the table as BootServicesData.
-
-Signed-off-by: Gary Lin <glin@suse.com>
----
- mok.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/mok.c b/mok.c
-index 5ad9072b..fc1ee04d 100644
---- a/mok.c
-+++ b/mok.c
-@@ -1002,7 +1002,7 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
- 		npages = ALIGN_VALUE(config_sz, PAGE_SIZE) >> EFI_PAGE_SHIFT;
- 		config_table = NULL;
- 		efi_status = gBS->AllocatePages(AllocateAnyPages,
--						EfiRuntimeServicesData,
-+						EfiBootServicesData,
- 						npages,
- 						(EFI_PHYSICAL_ADDRESS *)&config_table);
- 		if (EFI_ERROR(efi_status) || !config_table) {
--- 
-2.29.2
-

shim-bsc1185232-fix-config-table-copying.patch

@@ -1,52 +0,0 @@
-From 42c6148c7ebd026862ab96405e78191ff8ebf298 Mon Sep 17 00:00:00 2001
-From: Gary Lin <glin@suse.com>
-Date: Mon, 21 Jun 2021 16:38:02 +0800
-Subject: [PATCH] mok: skip the empty variables when copying the data to MOK
- config table
-
-When calculating the size of the MOK config table, we skip the empty
-variables. However, when copying the data, we copied the zeroed config
-templates for those empty variables, and this could cause crash since we
-may write more data than the allocated pages. This commit skips the
-empty variables when copying the data so that the size of copied data
-matches config_sz.
-
-Signed-off-by: Gary Lin <glin@suse.com>
----
- mok.c | 18 ++++++++++--------
- 1 file changed, 10 insertions(+), 8 deletions(-)
-
-diff --git a/mok.c b/mok.c
-index beac0ff6..add21223 100644
---- a/mok.c
-+++ b/mok.c
-@@ -1028,16 +1028,18 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
- 	for (i = 0; p && mok_state_variables[i].name != NULL; i++) {
- 		struct mok_state_variable *v = &mok_state_variables[i];
- 
--		ZeroMem(&config_template, sizeof(config_template));
--		strncpy(config_template.name, (CHAR8 *)v->rtname8, 255);
--		config_template.name[255] = '\0';
-+		if (v->data && v->data_size) {
-+			ZeroMem(&config_template, sizeof(config_template));
-+			strncpy(config_template.name, (CHAR8 *)v->rtname8, 255);
-+			config_template.name[255] = '\0';
- 
--		config_template.data_size = v->data_size;
-+			config_template.data_size = v->data_size;
- 
--		CopyMem(p, &config_template, sizeof(config_template));
--		p += sizeof(config_template);
--		CopyMem(p, v->data, v->data_size);
--		p += v->data_size;
-+			CopyMem(p, &config_template, sizeof(config_template));
-+			p += sizeof(config_template);
-+			CopyMem(p, v->data, v->data_size);
-+			p += v->data_size;
-+		}
- 	}
- 	if (p) {
- 		ZeroMem(&config_template, sizeof(config_template));
--- 
-2.31.1
-

shim-bsc1185232-relax-loadoptions-length-check.patch

@@ -1,42 +0,0 @@
-From 795c62cb023886d39f1ee15977dc3194e01da57f Mon Sep 17 00:00:00 2001
-From: Gary Lin <glin@suse.com>
-Date: Fri, 4 Jun 2021 17:02:31 +0800
-Subject: [PATCH] shim: don't fail on the odd LoadOptions length
-
-Some firmware feeds the LoadOptions with an odd length when booting from
-an USB device(*). We should only skip this kind of LoadOptions, not fail
-it, or the user won't be able to boot the system from USB or CD-ROM.
-
-(*) https://bugzilla.suse.com/show_bug.cgi?id=1185232#c62
-
-Signed-off-by: Gary Lin <glin@suse.com>
----
- shim.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/shim.c b/shim.c
-index c5cfbb83..dd563cf6 100644
---- a/shim.c
-+++ b/shim.c
-@@ -1411,9 +1411,16 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle)
- 		return efi_status;
- 	}
- 
--	/* Sanity check since we make several assumptions about the length */
-+	/* Sanity check since we make several assumptions about the length
-+	 * Some firmware feeds the following load option when booting from
-+	 * an USB device:
-+	 *
-+	 *    0x46 0x4a 0x00 |FJ.|
-+	 *
-+	 * The string is meaningless for shim and so just ignore it.
-+	 * */
- 	if (li->LoadOptionsSize % 2 != 0)
--		return EFI_INVALID_PARAMETER;
-+		return EFI_SUCCESS;
- 
- 	/* So, load options are a giant pain in the ass.  If we're invoked
- 	 * from the EFI shell, we get something like this:
--- 
-2.31.1
-

shim-bsc1185261-relax-import_mok_state-check.patch

@@ -1,57 +0,0 @@
-From 3e33205b9c957624df7e30a2e5e2847f23d37989 Mon Sep 17 00:00:00 2001
-From: Gary Lin <glin@suse.com>
-Date: Tue, 11 May 2021 10:41:43 +0800
-Subject: [PATCH] Relax the check for import_mok_state()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-An openSUSE user reported(*) that shim 15.4 failed to boot the system
-with the following message:
-
-  "Could not create MokListXRT: Out of Resources"
-
-In the beginning, I thought it's caused by the growing size of
-vendor-dbx. However, we found the following messages after set
-SHIM_VERBOSE:
-
-  max_var_sz:8000 remaining_sz:85EC max_storage_sz:9000
-  SetVariable(“MokListXRT”, ... varsz=0x1404) = Out of Resources
-
-Even though the firmware claimed the remaining storage size is 0x85EC,
-it still rejected MokListXRT with size 0x1404. It seems that the return
-values from QueryVariableInfo() are not reliable. Since this firmware
-didn't really support Secure Boot, the variable mirroring is not so
-critical, so we can just accept the failure of import_mok_state() and
-continue boot.
-
-(*) https://bugzilla.suse.com/show_bug.cgi?id=1185261
-
-Signed-off-by: Gary Lin <glin@suse.com>
----
- shim.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/shim.c b/shim.c
-index c5cfbb83..d38ae2f0 100644
---- a/shim.c
-+++ b/shim.c
-@@ -1973,10 +1973,13 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
- 	 * boot-services-only state variables are what we think they are.
- 	 */
- 	efi_status = import_mok_state(image_handle);
--	if (!secure_mode() && efi_status == EFI_INVALID_PARAMETER) {
-+	if (!secure_mode() && 
-+	    (efi_status == EFI_INVALID_PARAMETER ||
-+	     efi_status == EFI_OUT_OF_RESOURCES)) {
- 		/*
- 		 * Make copy failures fatal only if secure_mode is enabled, or
--		 * the error was anything else than EFI_INVALID_PARAMETER.
-+		 * the error was anything else than EFI_INVALID_PARAMETER or
-+		 * EFI_OUT_OF_RESOURCES.
- 		 * There are non-secureboot firmware implementations that don't
- 		 * reserve enough EFI variable memory to fit the variable.
- 		 */
--- 
-2.31.1
-

shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch

@@ -1,41 +0,0 @@
-From 822d07ad4f07ef66fe447a130e1027c88d02a394 Mon Sep 17 00:00:00 2001
-From: Adam Williamson <awilliam@redhat.com>
-Date: Thu, 8 Apr 2021 22:39:02 -0700
-Subject: [PATCH] Fix handling of ignore_db and user_insecure_mode
-
-In 65be350308783a8ef537246c8ad0545b4e6ad069, import_mok_state() is split
-up into a function that manages the whole mok state, and one that
-handles the state machine for an individual state variable.
-Unfortunately, the code that initializes the global ignore_db and
-user_insecure_mode was copied from import_mok_state() into the new
-import_one_mok_state() function, and thus re-initializes that state each
-time it processes a MoK state variable, before even assessing if that
-variable is set.  As a result, we never honor either flag, and the
-machine owner cannot disable trusting the system firmware's db/dbx
-databases or disable validation altogether.
-
-This patch removes the extra re-initialization, allowing those variables
-to be set properly.
-
-Signed-off-by: Adam Williamson <awilliam@redhat.com>
----
- mok.c | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff --git a/mok.c b/mok.c
-index 5ad9072b..9e37d6ab 100644
---- a/mok.c
-+++ b/mok.c
-@@ -888,9 +888,6 @@ EFI_STATUS import_one_mok_state(struct mok_state_variable *v,
- 	EFI_STATUS ret = EFI_SUCCESS;
- 	EFI_STATUS efi_status;
- 
--	user_insecure_mode = 0;
--	ignore_db = 0;
--
- 	UINT32 attrs = 0;
- 	BOOLEAN delete = FALSE;
- 
--- 
-2.31.1
-

shim-bsc1185621-relax-max-var-sz-check.patch

@@ -1,38 +0,0 @@
-commit 690ec2419a8c2c4246450e447629adc85f9a6f40
-Author: Gary Lin <glin@suse.com>
-Date:   Wed May 5 11:25:07 2021 +0800
-
-    mok: relax the maximum variable size check
-    
-    Some UEFI environment such as u-boot doesn't implement
-    QueryVariableInfo(), so we couldn't rely on the function to estimate the
-    available space for RT variables. All we can do is to call SetVariable()
-    directly and check the return value of SetVariable().
-    
-    Signed-off-by: Gary Lin <glin@suse.com>
-
-diff --git a/mok.c b/mok.c
-index 5ad9072b..1f9820e7 100644
---- a/mok.c
-+++ b/mok.c
-@@ -351,13 +351,18 @@ mirror_mok_db(CHAR16 *name, CHAR8 *name8, EFI_GUID *guid, UINT32 attrs,
- 	SIZE_T max_var_sz;
- 
- 	efi_status = get_max_var_sz(attrs, &max_var_sz);
--	if (EFI_ERROR(efi_status)) {
-+	if (EFI_ERROR(efi_status) && efi_status != EFI_UNSUPPORTED) {
- 		LogError(L"Could not get maximum variable size: %r",
- 			 efi_status);
- 		return efi_status;
- 	}
- 
--	if (FullDataSize <= max_var_sz) {
-+	/* Some UEFI environment such as u-boot doesn't implement
-+	 * QueryVariableInfo() and we will only get EFI_UNSUPPORTED when
-+	 * querying the available space. In this case, we just mirror
-+	 * the variable directly. */
-+	if (FullDataSize <= max_var_sz || efi_status == EFI_UNSUPPORTED) {
-+		efi_status = EFI_SUCCESS;
- 		if (only_first)
- 			efi_status = SetVariable(name, guid, attrs,
- 						 FullDataSize, FullData);

shim-bsc1187260-fix-efi-1.10-machines.patch

@@ -1,62 +0,0 @@
-From 493bd940e5c6e28e673034687de7adef9529efff Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Sat, 10 Apr 2021 16:05:23 -0400
-Subject: [PATCH] Don't call QueryVariableInfo() on EFI 1.10 machines
-
-The EFI 1.10 spec (and presumably earlier revisions as well) didn't have
-RT->QueryVariableInfo(), and on Chris Murphy's MacBookPro8,2 , that
-memory appears to be initialized randomly.
-
-This patch changes it to not call RT->QueryVariableInfo() if the
-EFI_RUNTIME_SERVICES table's major revision is less than two, and
-assumes our maximum variable size is 1024 in that case.
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- mok.c | 23 ++++++++++++++++++-----
- 1 file changed, 18 insertions(+), 5 deletions(-)
-
-diff --git a/mok.c b/mok.c
-index 9b8fc2bc..beac0ff6 100644
---- a/mok.c
-+++ b/mok.c
-@@ -261,6 +261,9 @@ static const uint8_t null_sha256[32] = { 0, };
- 
- typedef UINTN SIZE_T;
- 
-+#define EFI_MAJOR_VERSION(tablep) ((UINT16)((((tablep)->Hdr.Revision) >> 16) & 0xfffful))
-+#define EFI_MINOR_VERSION(tablep) ((UINT16)(((tablep)->Hdr.Revision) & 0xfffful))
-+
- static EFI_STATUS
- get_max_var_sz(UINT32 attrs, SIZE_T *max_var_szp)
- {
-@@ -270,11 +273,21 @@ get_max_var_sz(UINT32 attrs, SIZE_T *max_var_szp)
- 	uint64_t max_var_sz = 0;
- 
- 	*max_var_szp = 0;
--	efi_status = gRT->QueryVariableInfo(attrs, &max_storage_sz,
--					    &remaining_sz, &max_var_sz);
--	if (EFI_ERROR(efi_status)) {
--		perror(L"Could not get variable storage info: %r\n", efi_status);
--		return efi_status;
-+	if (EFI_MAJOR_VERSION(gRT) < 2) {
-+		dprint(L"EFI %d.%d; no RT->QueryVariableInfo().  Using 1024!\n",
-+		       EFI_MAJOR_VERSION(gRT), EFI_MINOR_VERSION(gRT));
-+		max_var_sz = remaining_sz = max_storage_sz = 1024;
-+		efi_status = EFI_SUCCESS;
-+	} else {
-+		dprint(L"calling RT->QueryVariableInfo() at 0x%lx\n",
-+		       gRT->QueryVariableInfo);
-+		efi_status = gRT->QueryVariableInfo(attrs, &max_storage_sz,
-+						    &remaining_sz, &max_var_sz);
-+		if (EFI_ERROR(efi_status)) {
-+			perror(L"Could not get variable storage info: %r\n",
-+			       efi_status);
-+			return efi_status;
-+		}
- 	}
- 
- 	/*
--- 
-2.31.1
-

shim-bsc1187696-avoid-deleting-rt-variables.patch

@@ -1,41 +0,0 @@
-From 14f6e10b8272ce34d3c373e000c583e5345b526b Mon Sep 17 00:00:00 2001
-From: Gary Lin <glin@suse.com>
-Date: Wed, 30 Jun 2021 16:34:51 +0800
-Subject: [PATCH] mok: delete the existing RT variables only when
- only_first=TRUE
-
-For the firmware without the variable writing issues, MOK variables are
-mirrored when only_first=TRUE. However, LibDeleteVariable() was called
-in maybe_mirror_one_mok_variable() when only_first=FALSE, and this
-could delete MOK variables that were just mirrored in the first round.
-
-This bug was hidden since LibDeleteVariable() deletes BS+RT+NV variables
-while we mirror MOK variables as BS+RT, and the firmware refused to
-delete the mirrored MOK variable due to mismatching attributes. However,
-some firmwares, such as VMWare, didn't enforce the attribute check and
-just deleted the variables with matched name and GUID. In such system,
-MokListRT was always removed before it reached OS.
-
-Fixes: https://github.com/rhboot/shim/issues/386
-
-Signed-off-by: Gary Lin <glin@suse.com>
----
- mok.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/mok.c b/mok.c
-index beac0ff6..5ea39d54 100644
---- a/mok.c
-+++ b/mok.c
-@@ -863,7 +863,7 @@ maybe_mirror_one_mok_variable(struct mok_state_variable *v,
- 	BOOLEAN present = FALSE;
- 
- 	if (v->rtname) {
--		if (!only_first && (v->flags & MOK_MIRROR_DELETE_FIRST)) {
-+		if (only_first && (v->flags & MOK_MIRROR_DELETE_FIRST)) {
- 			dprint(L"deleting \"%s\"\n", v->rtname);
- 			efi_status = LibDeleteVariable(v->rtname, v->guid);
- 			dprint(L"LibDeleteVariable(\"%s\",...) => %r\n", v->rtname, efi_status);
--- 
-2.31.1
-

shim-bsc1198101-opensuse-cert-prompt.patch

@@ -0,0 +1,306 @@
+From 49355a83722494099caeb23b46637b2c94a6ab9e Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin <glin@suse.com>
+Date: Tue, 18 Feb 2014 17:29:19 +0800
+Subject: [PATCH 1/3] Show the build-in certificate prompt
+
+This is an openSUSE-only patch.
+
+Pop up a window to ask if the user is willing to trust the built-in
+openSUSE certificate.
+
+If yes, set openSUSE_Verify, a BootService variable, to 1, and shim
+won't bother the user afterward.
+
+If no, continue the booting process without using the built-in
+certificate to verify the EFI images, and the window will show up
+again after reboot.
+
+The state will store in use_openSUSE_cert, a volatile RT variable.
+---
+ mok.c  |  3 ++-
+ shim.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ shim.h |  1 +
+ 3 files changed, 71 insertions(+), 2 deletions(-)
+
+Index: shim-15.6~rc1+77144e5a/mok.c
+===================================================================
+--- shim-15.6~rc1+77144e5a.orig/mok.c
++++ shim-15.6~rc1+77144e5a/mok.c
+@@ -46,7 +46,8 @@ static EFI_STATUS check_mok_request(EFI_
+ 	    check_var(L"MokPW") || check_var(L"MokAuth") ||
+ 	    check_var(L"MokDel") || check_var(L"MokDB") ||
+ 	    check_var(L"MokXNew") || check_var(L"MokXDel") ||
+-	    check_var(L"MokXAuth") || check_var(L"MokListTrustedNew")) {
++	    check_var(L"MokXAuth") || check_var(L"MokListTrustedNew") ||
++	    check_var(L"ClearVerify")) {
+ 		efi_status = start_image(image_handle, MOK_MANAGER);
+ 
+ 		if (EFI_ERROR(efi_status)) {
+@@ -62,7 +63,8 @@ static vendor_addend_category_t
+ categorize_authorized(struct mok_state_variable *v)
+ {
+ 	if (!(v->addend && v->addend_size &&
+-	      *v->addend && *v->addend_size)) {
++	      *v->addend && *v->addend_size &&
++	      use_builtin_cert)) {
+ 		return VENDOR_ADDEND_NONE;
+ 	}
+ 
+Index: shim-15.6~rc1+77144e5a/shim.c
+===================================================================
+--- shim-15.6~rc1+77144e5a.orig/shim.c
++++ shim-15.6~rc1+77144e5a/shim.c
+@@ -496,6 +496,8 @@ verify_one_signature(WIN_CERTIFICATE_EFI
+ 	}
+ 
+ 	efi_status = EFI_NOT_FOUND;
++	if (!use_builtin_cert)
++		return efi_status;
+ #if defined(ENABLE_SHIM_CERT)
+ 	/*
+ 	 * Check against the shim build key
+@@ -1572,6 +1574,69 @@ shim_fini(void)
+ 	console_fini();
+ }
+ 
++#define VENDOR_VERIFY L"openSUSE_Verify"
++
++/* Show the built-in certificate prompt if necessary */
++static int builtin_cert_prompt(void)
++{
++	EFI_STATUS status;
++	UINT32 attributes;
++	UINTN len = sizeof(UINT8);
++	UINT8 data;
++
++	use_builtin_cert = FALSE;
++
++	if (vendor_cert_size == 0)
++		return 0;
++
++	status = gRT->GetVariable(VENDOR_VERIFY, &SHIM_LOCK_GUID,
++				  &attributes, &len, (void *)&data);
++	if (status != EFI_SUCCESS ||
++	    (attributes & EFI_VARIABLE_RUNTIME_ACCESS)) {
++		int choice;
++
++		if (status != EFI_NOT_FOUND)
++			LibDeleteVariable(VENDOR_VERIFY, &SHIM_LOCK_GUID);
++
++		CHAR16 *str[] = {L"Trust openSUSE Certificate",
++				 L"",
++				 L"Do you agree to use the built-in openSUSE certificate",
++				 L"to verify boot loaders and kernels?",
++				 NULL};
++		choice = console_yes_no(str);
++		if (choice != 1) {
++			data = 0;
++			goto done;
++		}
++
++		data = 1;
++		status = gRT->SetVariable(VENDOR_VERIFY, &SHIM_LOCK_GUID,
++					  EFI_VARIABLE_NON_VOLATILE |
++					  EFI_VARIABLE_BOOTSERVICE_ACCESS,
++					  sizeof(UINT8), &data);
++		if (status != EFI_SUCCESS) {
++			console_error(L"Failed to set openSUSE_Verify", status);
++			return -1;
++		}
++	}
++
++	use_builtin_cert = TRUE;
++	data = 1;
++
++done:
++	/* Setup a runtime variable to show the current state */
++	status = gRT->SetVariable(L"use_openSUSE_cert", &SHIM_LOCK_GUID,
++				  EFI_VARIABLE_BOOTSERVICE_ACCESS |
++				  EFI_VARIABLE_RUNTIME_ACCESS,
++				  sizeof(UINT8), &data);
++	if (status != EFI_SUCCESS) {
++		console_error(L"Failed to set use_openSUSE_cert", status);
++		return -1;
++	}
++
++	return 0;
++}
++
+ extern EFI_STATUS
+ efi_main(EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab);
+ 
+@@ -1712,6 +1777,9 @@ efi_main (EFI_HANDLE passed_image_handle
+ 	 */
+ 	debug_hook();
+ 
++	if (secure_mode() && (builtin_cert_prompt() != 0))
++		return EFI_ABORTED;
++
+ 	efi_status = set_sbat_uefi_variable();
+ 	if (EFI_ERROR(efi_status) && secure_mode()) {
+ 		perror(L"%s variable initialization failed\n", SBAT_VAR_NAME);
+Index: shim-15.6~rc1+77144e5a/MokManager.c
+===================================================================
+--- shim-15.6~rc1+77144e5a.orig/MokManager.c
++++ shim-15.6~rc1+77144e5a/MokManager.c
+@@ -1864,6 +1864,36 @@ mokpw_done:
+ 	return EFI_SUCCESS;
+ }
+ 
++static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) {
++	EFI_STATUS status;
++
++        if (console_yes_no((CHAR16 *[]){L"Do you want to revoke openSUSE certificate?", NULL}) != 1)
++                return 0;
++
++	if (ClearVerifySize == PASSWORD_CRYPT_SIZE) {
++		status = match_password((PASSWORD_CRYPT *)ClearVerify, NULL, 0,
++					 NULL, NULL);
++	} else {
++		status = EFI_INVALID_PARAMETER;
++	}
++	if (status != EFI_SUCCESS)
++		return -1;
++
++	status = gRT->SetVariable(L"openSUSE_Verify", &SHIM_LOCK_GUID,
++				  EFI_VARIABLE_BOOTSERVICE_ACCESS |
++				  EFI_VARIABLE_NON_VOLATILE,
++				  0, NULL);
++	if (status != EFI_SUCCESS) {
++		console_error(L"Failed to delete openSUSE_Verify", status);
++		return -1;
++	}
++
++	console_notify(L"The system must now be rebooted");
++	gRT->ResetSystem(EfiResetWarm, EFI_SUCCESS, 0, NULL);
++	console_notify(L"Failed to reboot");
++	return -1;
++}
++
+ static BOOLEAN verify_certificate(UINT8 * cert, UINTN size)
+ {
+ 	X509 *X509Cert;
+@@ -2195,6 +2225,7 @@ typedef enum {
+ 	MOK_CHANGE_SB,
+ 	MOK_SET_PW,
+ 	MOK_CHANGE_DB,
++	MOK_CLEAR_VERIFY,
+ 	MOK_KEY_ENROLL,
+ 	MOK_HASH_ENROLL,
+ 	MOK_CHANGE_TML
+@@ -2217,7 +2248,9 @@ static EFI_STATUS enter_mok_menu(EFI_HAN
+ 				 void *MokDB, UINTN MokDBSize,
+ 				 void *MokXNew, UINTN MokXNewSize,
+ 				 void *MokXDel, UINTN MokXDelSize,
+-				 void *MokTML, UINTN MokTMLSize)
++				 void *MokTML, UINTN MokTMLSize,
++				 void *ClearVerify, UINTN ClearVerifySize)
++
+ {
+ 	CHAR16 **menu_strings = NULL;
+ 	mok_menu_item *menu_item = NULL;
+@@ -2296,6 +2329,9 @@ static EFI_STATUS enter_mok_menu(EFI_HAN
+ 		if (MokTML)
+ 			menucount++;
+ 
++		if (ClearVerify)
++			menucount++;
++
+ 		menu_strings = AllocateZeroPool(sizeof(CHAR16 *) *
+ 						(menucount + 1));
+ 		if (!menu_strings)
+@@ -2373,6 +2409,12 @@ static EFI_STATUS enter_mok_menu(EFI_HAN
+ 			i++;
+ 		}
+ 
++		if (ClearVerify) {
++			menu_strings[i] = L"Revoke openSUSE certificate";
++			menu_item[i] = MOK_CLEAR_VERIFY;
++			i++;
++		}
++
+ 		menu_strings[i] = L"Enroll key from disk";
+ 		menu_item[i] = MOK_KEY_ENROLL;
+ 		i++;
+@@ -2477,6 +2519,9 @@ static EFI_STATUS enter_mok_menu(EFI_HAN
+ 			if (!EFI_ERROR(efi_status))
+ 				MokDB = NULL;
+ 			break;
++		case MOK_CLEAR_VERIFY:
++			mok_clear_verify_prompt(ClearVerify, ClearVerifySize);
++			break;
+ 		case MOK_KEY_ENROLL:
+ 			efi_status = mok_key_enroll();
+ 			break;
+@@ -2519,6 +2564,7 @@ static EFI_STATUS check_mok_request(EFI_
+ {
+ 	UINTN MokNewSize = 0, MokDelSize = 0, MokSBSize = 0, MokPWSize = 0;
+ 	UINTN MokDBSize = 0, MokXNewSize = 0, MokXDelSize = 0, MokTMLSize = 0;
++	UINTN ClearVerifySize = 0;
+ 	void *MokNew = NULL;
+ 	void *MokDel = NULL;
+ 	void *MokSB = NULL;
+@@ -2527,6 +2573,7 @@ static EFI_STATUS check_mok_request(EFI_
+ 	void *MokXNew = NULL;
+ 	void *MokXDel = NULL;
+ 	void *MokTML = NULL;
++	void *ClearVerify = NULL;
+ 	EFI_STATUS efi_status;
+ 
+ 	efi_status = get_variable(L"MokNew", (UINT8 **) & MokNew, &MokNewSize,
+@@ -2611,9 +2658,20 @@ static EFI_STATUS check_mok_request(EFI_
+ 		console_error(L"Could not retrieve MokXDel", efi_status);
+ 	}
+ 
++	efi_status = get_variable(L"ClearVerify", (UINT8 **)&ClearVerify,
++				  &ClearVerifySize, SHIM_LOCK_GUID);
++	if (!EFI_ERROR(efi_status)) {
++		efi_status = LibDeleteVariable(L"ClearVerify", &SHIM_LOCK_GUID);
++		if (EFI_ERROR(efi_status))
++			console_notify(L"Failed to delete ClearVerify");
++	} else if (EFI_ERROR(efi_status) && efi_status != EFI_NOT_FOUND) {
++		console_error(L"Could not retrieve ClearVerify", efi_status);
++	}
++
+ 	enter_mok_menu(image_handle, MokNew, MokNewSize, MokDel, MokDelSize,
+ 		       MokSB, MokSBSize, MokPW, MokPWSize, MokDB, MokDBSize,
+-		       MokXNew, MokXNewSize, MokXDel, MokXDelSize, MokTML, MokTMLSize);
++		       MokXNew, MokXNewSize, MokXDel, MokXDelSize, MokTML, MokTMLSize,
++		       ClearVerify, ClearVerifySize);
+ 
+ 	if (MokNew)
+ 		FreePool(MokNew);
+@@ -2639,6 +2697,9 @@ static EFI_STATUS check_mok_request(EFI_
+ 	if (MokTML)
+ 		FreePool(MokTML);
+ 
++	if (ClearVerify)
++		FreePool (ClearVerify);
++
+ 	LibDeleteVariable(L"MokAuth", &SHIM_LOCK_GUID);
+ 	LibDeleteVariable(L"MokDelAuth", &SHIM_LOCK_GUID);
+ 	LibDeleteVariable(L"MokXAuth", &SHIM_LOCK_GUID);
+Index: shim-15.6~rc1+77144e5a/globals.c
+===================================================================
+--- shim-15.6~rc1+77144e5a.orig/globals.c
++++ shim-15.6~rc1+77144e5a/globals.c
+@@ -25,6 +25,7 @@ UINT8 *build_cert;
+  */
+ verification_method_t verification_method;
+ int loader_is_participating;
++BOOLEAN use_builtin_cert;
+ 
+ UINT8 user_insecure_mode;
+ UINT8 ignore_db;
+Index: shim-15.6~rc1+77144e5a/shim.h
+===================================================================
+--- shim-15.6~rc1+77144e5a.orig/shim.h
++++ shim-15.6~rc1+77144e5a/shim.h
+@@ -268,6 +268,7 @@ extern UINT8 mok_policy;
+ extern UINT8 in_protocol;
+ extern void *load_options;
+ extern UINT32 load_options_size;
++extern BOOLEAN use_builtin_cert;
+ 
+ BOOLEAN secure_mode (void);
+ 

shim-fix-aa64-relsz.patch

@@ -1,132 +0,0 @@
-From 9828f65f3e9de29da7bc70cb71069cc1d7ca1b4a Mon Sep 17 00:00:00 2001
-From: Gary Lin <glin@suse.com>
-Date: Wed, 16 Jun 2021 16:13:32 +0800
-Subject: [PATCH] arm/aa64: fix the size of .rela* sections
-
-The previous commit(*) merged .rel* and .dyn* into .rodata, and this
-made ld to generate the wrong size for .rela* sections that covered
-other unrelated sections. When the EFI image was loaded, _relocate()
-went through the unexpected data and may cause unexpected crash.
-This commit moves .rel* and .dyn* out of .rodata in the ld script but
-also moves the related variables, such as _evrodata, _rodata_size,
-and _rodata_vsize, to the end of the new .dyn section, so that the
-crafted pe-coff section header for .rodata still covers our new
-.rela and .dyn sections.
-
-(*) 212ba30544f ("arm/aa64 targets: put .rel* and .dyn* in .rodata")
-
-Fix issue: https://github.com/rhboot/shim/issues/371
-
-Signed-off-by: Gary Lin <glin@suse.com>
----
- Makefile            |  4 ++--
- elf_aarch64_efi.lds | 24 ++++++++++++++++--------
- elf_arm_efi.lds     | 24 ++++++++++++++++--------
- 3 files changed, 34 insertions(+), 18 deletions(-)
-
-Index: shim-15.4/Makefile
-===================================================================
---- shim-15.4.orig/Makefile
-+++ shim-15.4/Makefile
-@@ -243,7 +243,7 @@ ifneq ($(OBJCOPY_GTE224),1)
- endif
- 	$(OBJCOPY) -D -j .text -j .sdata -j .data -j .data.ident \
- 		-j .dynamic -j .rodata -j .rel* \
--		-j .rela* -j .reloc -j .eh_frame \
-+		-j .rela* -j .dyn -j .reloc -j .eh_frame \
- 		-j .vendor_cert -j .sbat \
- 		$(FORMAT) $< $@
- 	# I am tired of wasting my time fighting binutils timestamp code.
-@@ -260,7 +260,7 @@ ifneq ($(OBJCOPY_GTE224),1)
- endif
- 	$(OBJCOPY) -D -j .text -j .sdata -j .data \
- 		-j .dynamic -j .rodata -j .rel* \
--		-j .rela* -j .reloc -j .eh_frame -j .sbat \
-+		-j .rela* -j .dyn -j .reloc -j .eh_frame -j .sbat \
- 		-j .debug_info -j .debug_abbrev -j .debug_aranges \
- 		-j .debug_line -j .debug_str -j .debug_ranges \
- 		-j .note.gnu.build-id \
-Index: shim-15.4/elf_aarch64_efi.lds
-===================================================================
---- shim-15.4.orig/elf_aarch64_efi.lds
-+++ shim-15.4/elf_aarch64_efi.lds
-@@ -70,21 +70,29 @@ SECTIONS
-   .rodata :
-   {
-     _rodata = .;
--    *(.rela.dyn)
--    *(.rela.plt)
--    *(.rela.got)
--    *(.rela.data)
--    *(.rela.data*)
--
-     *(.rodata*)
-     *(.srodata)
--    *(.dynsym)
--    *(.dynstr)
-     . = ALIGN(16);
-     *(.note.gnu.build-id)
-     . = ALIGN(4096);
-     *(.vendor_cert)
-     *(.data.ident)
-+    . = ALIGN(4096);
-+  }
-+  . = ALIGN(4096);
-+  .rela :
-+  {
-+    *(.rela.dyn)
-+    *(.rela.plt)
-+    *(.rela.got)
-+    *(.rela.data)
-+    *(.rela.data*)
-+  }
-+  . = ALIGN(4096);
-+  .dyn :
-+  {
-+    *(.dynsym)
-+    *(.dynstr)
-     _evrodata = .;
-     . = ALIGN(4096);
-   }
-Index: shim-15.4/elf_arm_efi.lds
-===================================================================
---- shim-15.4.orig/elf_arm_efi.lds
-+++ shim-15.4/elf_arm_efi.lds
-@@ -70,21 +70,29 @@ SECTIONS
-   .rodata :
-   {
-     _rodata = .;
--    *(.rel.dyn)
--    *(.rel.plt)
--    *(.rel.got)
--    *(.rel.data)
--    *(.rel.data*)
--
-     *(.rodata*)
-     *(.srodata)
--    *(.dynsym)
--    *(.dynstr)
-     . = ALIGN(16);
-     *(.note.gnu.build-id)
-     . = ALIGN(4096);
-     *(.vendor_cert)
-     *(.data.ident)
-+    . = ALIGN(4096);
-+  }
-+  . = ALIGN(4096);
-+  .rela :
-+  {
-+    *(.rela.dyn)
-+    *(.rela.plt)
-+    *(.rela.got)
-+    *(.rela.data)
-+    *(.rela.data*)
-+  }
-+  . = ALIGN(4096);
-+  .dyn :
-+  {
-+    *(.dynsym)
-+    *(.dynstr)
-     _evrodata = .;
-     . = ALIGN(4096);
-   }

shim.changes

@@ -1,3 +1,159 @@
+-------------------------------------------------------------------
+Tue Jun 28 04:03:45 UTC 2022 - Joey Lee <jlee@suse.com>
+
+- Update to 15.6 (bsc#1198458)
+    - shim-15.6.tar.bz2 is downloaded from bsc#1198458#c76
+      which is from upstream grub2.cve_2021_3695.ms keybase channel.
+    - For building 15.6~rc1 aarch64 image (d6eb9c6 Modernize aarch64), objcopy needs to
+      support efi-app-aarch64 target. So we need the following patches in bintuils:
+        - binutils-AArch64-Add-support-for-AArch64-EFI-efi-aarch64.patch
+                b69c9d41e8 AArch64: Add support for AArch64 EFI (efi-*-aarch64).
+        - binutils-Re-AArch64-Add-support-for-AArch64-EFI-efi-aarch64.patch
+                32384aa396 Re: AArch64: Add support for AArch64 EFI (efi-*-aarch64)
+        - binutils-Re-Add-support-for-AArch64-EFI-efi-aarch64.patch
+                d91c67e873 Re: Add support for AArch64 EFI (efi-*-aarch64)
+    - Patches (git log --oneline --reverse 15.5~..77144e5a4)
+        448f096 MokManager: removed Locate graphic output protocol fail error message (bsc#1193315, bsc#1198458)
+        a2da05f shim: implement SBAT verification for the shim_lock protocol
+        bda03b8 post-process-pe: Fix a missing return code check
+        af18810 CI: don't cancel testing when one fails
+        ba580f9 CI: remove EOL Fedoras from github actions
+        bfeb4b3 Remove aarch64 build tests before f35
+        38cc646 CI: Add f36 and centos9 CI build tests.
+        b5185cb post-process-pe: Fix format string warnings on 32-bit platforms
+        31094e5 tests: also look for system headers in multi-arch directories
+        4df989a mock-variables.c: fix gcc warning
+        6aac595 test-str.c: fix gcc warnings with FORTIFY_SOURCE enabled
+        2670c6a Allow MokListTrusted to be enabled by default
+        5c44aaf Add code of conduct
+        d6eb9c6 Modernize aarch64
+        9af50c1 Use ASCII as fallback if Unicode Box Drawing characters fail
+        de87985 make: don't treat cert.S specially
+        803dc5c shim: use SHIM_DEVEL_VERBOSE when built in devel mode
+        6402f1f SBAT matching: Break out of the inner sbat loop if we find the entry.
+        bb4b60e Add verify_image
+        acfd48f Abstract out image reading
+        35d7378 Load additional certs from a signed binary
+        8ce2832 post-process-pe: there is no 's' argument.
+        465663e Add some missing PE image flag definitions
+        226fee2 PE Loader: support and require NX
+        df96f48 Add MokPolicy variable and MOK_POLICY_REQUIRE_NX
+        b104fc4 post-process-pe: set EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT
+        f81a7cc SBAT revocation management
+        abe41ab make: unbreak scan-build again for gnu-efi
+        610a1ac sbat.h: minor reformatting for legibility
+        f28833f peimage.h: make our signature macros force the type
+        5d789ca Always initialize data/datasize before calling read_image()
+        a50d364 sbat policy: make our policy change actions symbolic
+        5868789 load_certs: trust dir->Read() slightly less.
+        a78673b mok.c: fix a trivial dead assignment
+        759f061 Fix preserve_sbat_uefi_variable() logic
+        aa61fdf Give the Coverity scanner some more GCC blinders...
+        0214cd9 load_cert_file(): don't defererence NULL
+        1eca363 mok import: handle OOM case
+        75449bc sbat: Make nth_sbat_field() honor the size limit
+        c0bcd04 shim-15.6~rc1
+        77144e5 SBAT Policy latest should be a one-shot
+    - 15.5 release note https://github.com/rhboot/shim/releases
+	Broken ia32 relocs and an unimportant submodule change. by @vathpela in #357
+	mok: allocate MOK config table as BootServicesData by @lcp in #361
+	Don't call QueryVariableInfo() on EFI 1.10 machines by @vathpela in #364
+	Relax the check for import_mok_state() by @lcp in #372
+	SBAT.md: trivial changes by @hallyn in #389
+	shim: another attempt to fix load options handling by @chrisccoulson in #379
+	Add tests for our load options parsing. by @vathpela in #390
+	arm/aa64: fix the size of .rela* sections by @lcp in #383
+	mok: fix potential buffer overrun in import_mok_state by @jyong2 in #365
+	mok: relax the maximum variable size check by @lcp in #369
+	Don't unhook ExitBootServices when EBS protection is disabled by @sforshee in #378
+	fallback: find_boot_option() needs to return the index for the boot entry in optnum by @jsetje in #396
+	httpboot: Ignore case when checking HTTP headers by @frozencemetery in #403
+	Fallback allocation errors by @vathpela in #402
+	shim: avoid BOOTx64.EFI in message on other architectures by @xypron in #406
+	str: remove duplicate parameter check by @xypron in #408
+	fallback: add compile option FALLBACK_NONINTERACTIVE by @xnox in #359
+	Test mok mirror by @vathpela in #394
+	Modify sbat.md to help with readability. by @eshiman in #398
+	csv: detect end of csv file correctly by @xypron in #404
+	Specify that the .sbat section is ASCII not UTF-8 by @daxtens in #413
+	tests: add "include-fixed" GCC directory to include directories by @diabonas in #415
+	pe: simplify generate_hash() by @xypron in #411
+	Don't make shim abort when TPM log event fails (RHBZ #2002265) by @rmetrich in #414
+	Fallback to default loader if parsed one does not exist by @julian-klode in #393
+	fallback: Fix for BootOrder crash when index returned by find_boot_option() is not in current BootOrder list by @rmetrich in #422
+	Better console checks by @vathpela in #416
+	docs: update SBAT UEFI variable name by @nicholasbishop in #421
+	Don't parse load options if invoked from removable media path by @julian-klode in #399
+	fallback: fix fallback not passing arguments of the first boot option by @martinezjavier in #433
+	shim: Don't stop forever at "Secure Boot not enabled" notification by @rmetrich in #438
+	Shim 15.5 coverity by @vathpela in #439
+	Allocate mokvar table in runtime memory. by @vathpela in #447
+	Remove post-process-pe on 'make clean' by @vathpela in #448
+	pe: missing perror argument by @xypron in #443
+    - Drop upstreamed patch:
+	- shim-bsc1184454-allocate-mok-config-table-BS.patch
+		- Allocate MOK config table as BootServicesData to avoid the error message
+		  from linux kernel
+		- 4068fd42c8		15.5-rc1~70
+	- shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch
+		- Handle ignore_db and user_insecure_mode correctly
+		- 822d07ad4f07		15.5-rc1~73
+	- shim-bsc1185621-relax-max-var-sz-check.patch
+		- Relax the maximum variable size check for u-boot
+		- 3f327f546c219634b2	15.5-rc1~49
+	- shim-bsc1185261-relax-import_mok_state-check.patch
+		- Relax the check for import_mok_state() when Secure Boot is off
+		- 9f973e4e95b113	15.5-rc1~67
+	- shim-bsc1185232-relax-loadoptions-length-check.patch
+		- Relax the check for the LoadOptions length
+		- ada7ff69bd8a95	15.5-rc1~52
+	- shim-fix-aa64-relsz.patch
+		- Fix the size of rela* sections for AArch64
+		- 34e3ef205c5d65	15.5-rc1~51
+	- shim-bsc1187260-fix-efi-1.10-machines.patch
+		- Don't call QueryVariableInfo() on EFI 1.10 machines
+		- 493bd940e5		15.5-rc1~69
+	- shim-bsc1185232-fix-config-table-copying.patch
+		- Avoid buffer overflow when copying the MOK config table
+		- 7501b6bb44		15.5-rc1~50
+	- shim-bsc1187696-avoid-deleting-rt-variables.patch
+		- Avoid deleting the mirrored RT variables
+		- b1fead0f7c9		15.5-rc1~37
+    - Add "rm -f *.o" after building MokManager/fallback in shim.spec
+      to make sure all object files gets rebuilt
+        - reference: https://github.com/rhboot/shim/pull/461
+- The following fix-CVE-2022-28737-v6 patches against bsc#1198458 are included
+  in shim-15.6.tar.bz2 
+    - shim-bsc1198458-pe-Fix-a-buffer-overflow-when-SizeOfRawData-VirtualS.patch
+        pe: Fix a buffer overflow when SizeOfRawData VirtualSize 
+    - shim-bsc1198458-pe-Perform-image-verification-earlier-when-loading-g.patch
+        pe: Perform image verification earlier when loading grub
+    - shim-bsc1198458-Update-advertised-sbat-generation-number-for-shim.patch
+        Update advertised sbat generation number for shim
+    - shim-bsc1198458-Update-SBAT-generation-requirements-for-05-24-22.patch
+        Update SBAT generation requirements for 05/24/22
+    - shim-bsc1198458-Also-avoid-CVE-2022-28737-in-verify_image.patch
+        Also avoid CVE-2022-28737 in verify_image()
+    - 0006-shim-15.6-rc2.patch
+    - 0007-sbat-add-the-parsed-SBAT-variable-entries-to-the-deb.patch
+        sbat: add the parsed SBAT variable entries to the debug log
+    - 0008-bump-version-to-shim-15.6.patch
+- Add mokutil command to post script for setting sbat policy to latest mode
+  when the SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23 is not created.
+  (bsc#1198458)
+- Add shim-bsc1198101-opensuse-cert-prompt.patch back to openSUSE shim to
+  show the prompt to ask whether the user trusts openSUSE certificate or not
+  (bsc#1198101)
+- Updated vendor dbx binary and script (bsc#1198458)
+    - Updated dbx-cert.tar.xz and vendor-dbx-sles.bin for adding
+      SLES-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list.
+    - Updated dbx-cert.tar.xz and vendor-dbx-opensuse.bin for adding
+      openSUSE-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list.
+    - Updated vendor-dbx.bin for adding SLES-UEFI-SIGN-Certificate-2021-05.crt
+      and openSUSE-UEFI-SIGN-Certificate-2021-05.crt for testing environment.
+    - Updated generate-vendor-dbx.sh script for generating a vendor-dbx.bin
+      file which includes all .der for testing environment.
+
 -------------------------------------------------------------------
 Thu Jul  1 04:07:03 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
 

shim.spec

@@ -36,7 +36,7 @@
 %endif
 
 Name:           shim
-Version:        15.4
+Version:        15.6
 Release:        0
 Summary:        UEFI shim loader
 License:        BSD-2-Clause
@@ -75,26 +75,10 @@ Patch3:         shim-bsc1177315-verify-eku-codesign.patch
 Patch4:         shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch
 # PATCH-FIX-SUSE remove_build_id.patch -- Remove the build ID to make the binary reproducible when building with AArch64 container
 Patch5:         remove_build_id.patch
-# PATCH-FIX-UPSTREAM shim-bsc1184454-allocate-mok-config-table-BS.patch bsc#1184454 glin@suse.com -- Allocate MOK config table as BootServicesData to avoid the error message from linux kernel
-Patch6:         shim-bsc1184454-allocate-mok-config-table-BS.patch
-# PATCH-FIX-UPSTREAM shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch bsc#1184454 glin@suse.com -- Handle ignore_db and user_insecure_mode correctly
-Patch7:         shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch
-# PATCH-FIX-UPSTREAM shim-bsc1185621-relax-max-var-sz-check.patch bsc#1185621 glin@suse.com -- Relax the maximum variable size check for u-boot
-Patch8:         shim-bsc1185621-relax-max-var-sz-check.patch
-# PATCH-FIX-UPSTREAM shim-bsc1185261-relax-import_mok_state_check.patch bsc#1185261 glin@suse.com -- Relax the check for import_mok_state() when Secure Boot is off
-Patch9:         shim-bsc1185261-relax-import_mok_state-check.patch
-# PATCH-FIX-UPSTREAM shim-bsc1185232-relax-loadoptions-length-check.patch bsc#1185232 glin@suse.com -- Relax the check for the LoadOptions length
-Patch10:        shim-bsc1185232-relax-loadoptions-length-check.patch
-# PATCH-FIX-UPSTREAM shim-fix-aa64-relsz.patch glin@suse.com -- Fix the size of rela* sections for AArch64
-Patch11:        shim-fix-aa64-relsz.patch
 # PATCH-FIX-SUSE shim-disable-export-vendor-dbx.patch bsc#1185261 glin@suse.com -- Disable exporting vendor-dbx to MokListXRT
-Patch12:        shim-disable-export-vendor-dbx.patch
-# PATCH-FIX-UPSTREAM shim-bsc1187260-fix-efi-1.10-machines.patch bsc#1187260 glin@suse.com -- Don't call QueryVariableInfo() on EFI 1.10 machines
-Patch13:        shim-bsc1187260-fix-efi-1.10-machines.patch
-# PATCH-FIX-UPSTREAM shim-bsc1185232-fix-config-table-copying.patch bsc#1185232 glin@suse.com -- Avoid buffer overflow when copying the MOK config table
-Patch14:        shim-bsc1185232-fix-config-table-copying.patch
-# PATCH-FIX-UPSTREAM shim-bsc1187696-avoid-deleting-rt-variables.patch bsc#1187696 glin@suse.com -- Avoid deleting the mirrored RT variables
-Patch15:        shim-bsc1187696-avoid-deleting-rt-variables.patch
+Patch6:         shim-disable-export-vendor-dbx.patch
+# PATCH-FIX-OPENSUSE shim-bsc1198101-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
+Patch100:	shim-bsc1198101-opensuse-cert-prompt.patch
 BuildRequires:  dos2unix
 BuildRequires:  mozilla-nss-tools
 BuildRequires:  openssl >= 0.9.8
@@ -111,6 +95,7 @@ Requires:       perl-Bootloader
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 # For shim-install script
 Requires:       grub2-%{grubplatform}
+Requires:       mokutil
 ExclusiveArch:  x86_64 aarch64
 
 %description
@@ -139,15 +124,7 @@ The source code of UEFI shim loader
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
-%patch15 -p1
+%patch100 -p1
 
 %build
 # generate the vendor SBAT metadata
@@ -168,6 +145,8 @@ make RELEASE=0 \
      MMSTEM=MokManager FBSTEM=fallback \
      MokManager.efi.debug fallback.efi.debug \
      MokManager.efi fallback.efi
+# make sure all object files gets rebuilt
+rm -f *.o
 
 # now build variants of shim that embed different certificates
 default=''
@@ -318,6 +297,22 @@ cp -r source/* %{buildroot}/usr/src/debug/%{name}-%{version}
 /sbin/update-bootloader --reinit || true
 %endif
 
+# copy from kernel-scriptlets/cert-script
+is_efi () {
+    local msg rc=0
+# The below statement fails if mokutil isn't installed or UEFI is unsupported.
+# It doesn't fail if UEFI is available but secure boot is off.
+    msg="$(mokutil --sb-state 2>&1)" || rc=$?
+    return $rc
+}
+# run mokutil for setting sbat policy to latest mode
+SBAT_POLICY=/sys/firmware/efi/efivars/SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23
+if is_efi; then
+        if [ ! -f "$SBAT_POLICY" ]; then
+                mokutil --set-sbat-policy latest
+        fi
+fi
+
 %if %{defined update_bootloader_posttrans}
 %posttrans
 %{?update_bootloader_posttrans}