Accepting request 258747 from home:gary_lin:branches:devel:openSUSE:Factory

- Update to 0.8 - adapt the change in gnu-efi-3.0w - Enable aarch64 OBS-URL: https://build.opensuse.org/request/show/258747 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=90
2014-10-29 08:02:58 +00:00 · 2014-10-29 08:02:58 +00:00 · 7b2b297a5c
commit 7b2b297a5c
parent 0876ada789
13 changed files with 1617 additions and 5483 deletions
--- a/bug-889332_shim-mok-oob.patch
+++ b/bug-889332_shim-mok-oob.patch
@ -1,69 +0,0 @@
 Index: shim-0.7.318.81ee561d/MokManager.c
 ===================================================================
 --- shim-0.7.318.81ee561d.orig/MokManager.c
 +++ shim-0.7.318.81ee561d/MokManager.c
@@ -163,8 +163,18 @@ static UINT32 count_keys(void *Data, UIN
 	EFI_SIGNATURE_LIST *CertList = Data;
 	UINTN dbsize = DataSize;
 	UINT32 MokNum = 0;
 +	void *end = Data + DataSize;
 	while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
 +
 +		/* Use ptr arithmetics to ensure bounded access. Do not allow 0
 +		 * SignatureListSize that will cause endless loop.
 +		 */
 +		if ((void *)(CertList + 1) > end || CertList->SignatureListSize == 0) {
 +			console_notify(L"Invalid MOK detected! Ignoring MOK List.");
 +			return 0;
 +		}
 +
 		if (CertList->SignatureListSize == 0 ||
 		    CertList->SignatureListSize <= CertList->SignatureSize) {
 			console_errorbox(L"Corrupted signature list");
@@ -192,6 +202,7 @@ static MokListNode *build_mok_list(UINT3
 	EFI_GUID CertType = X509_GUID;
 	UINTN dbsize = DataSize;
 	UINTN count = 0;
 +	void *end = Data + DataSize;
 	list = AllocatePool(sizeof(MokListNode) * num);
@@ -201,12 +212,24 @@ static MokListNode *build_mok_list(UINT3
 	}
 	while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
 +		/* CertList out of bounds? */
 +		if ((void *)(CertList + 1) > end || CertList->SignatureListSize == 0) {
 +			FreePool(list);
 +			return NULL;
 +		}
 +
 		/* Omit the signature check here since we already did it
 		   in count_keys() */
 		Cert = (EFI_SIGNATURE_DATA *) (((UINT8 *) CertList) +
 		  sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
 +		/* Cert out of bounds? */
 +		if ((void *)(Cert + 1) > end || CertList->SignatureSize <= sizeof(EFI_GUID)) {
 +			FreePool(list);
 +			return NULL;
 +		}
 +
 		list[count].Type = CertList->SignatureType;
 		if (CompareGuid (&CertList->SignatureType, &CertType) == 0) {
 			list[count].MokSize = CertList->SignatureSize -
@@ -218,6 +241,12 @@ static MokListNode *build_mok_list(UINT3
 			list[count].Mok = (void *)Cert;
 		}
 +		/* MOK out of bounds? */
 +		if (list[count].MokSize > end - (void *)list[count].Mok) {
 +			FreePool(list);
 +			return NULL;
 +		}
 +
 		count++;
 		dbsize -= CertList->SignatureListSize;
 		CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList +
--- a/bug-889332_shim-overflow.patch
+++ b/bug-889332_shim-overflow.patch
@ -1,161 +0,0 @@
 diff --git a/netboot.c b/netboot.c
 index 5ef53f7..f01a9bc 100644
 --- a/netboot.c
 +++ b/netboot.c
@@ -116,29 +116,34 @@ BOOLEAN findNetboot(EFI_HANDLE device)
 static CHAR8 *get_v6_bootfile_url(EFI_PXE_BASE_CODE_DHCPV6_PACKET *pkt)
 {
 -	void *optr;
 -	EFI_DHCP6_PACKET_OPTION *option;
 -	CHAR8 *url;
 -	UINT32 urllen;
 +	void *optr = NULL, *end = NULL;
 +	EFI_DHCP6_PACKET_OPTION *option = NULL;
 +	CHAR8 *url = NULL;
 +	UINT32 urllen = 0;
 	optr = pkt->DhcpOptions;
 +	end = optr + sizeof(pkt->DhcpOptions);
 -	for(;;) {
 +	for (;;) {
 		option = (EFI_DHCP6_PACKET_OPTION *)optr;
 		if (ntohs(option->OpCode) == 0)
 -			return NULL;
 +			break;
 		if (ntohs(option->OpCode) == 59) {
 			/* This is the bootfile url option */
 			urllen = ntohs(option->Length);
 -			url = AllocateZeroPool(urllen+1);
 +			if ((void *)(option->Data + urllen) > end)
 +				break;
 +			url = AllocateZeroPool(urllen + 1);
 			if (!url)
 -				return NULL;
 +				break;
 			memcpy(url, option->Data, urllen);
 			return url;
 		}
 		optr += 4 + ntohs(option->Length);
 +		if (optr + sizeof(EFI_DHCP6_PACKET_OPTION) > end)
 +			break;
 	}
 	return NULL;
@@ -164,45 +169,60 @@ static CHAR16 str2ns(CHAR8 *str)
 static CHAR8 *str2ip6(CHAR8 *str)
 {
 -        UINT8 i, j, p;
 -	size_t len;
 -        CHAR8 *a, *b, t;
 -        static UINT16 ip[8];
 +	UINT8 i = 0, j = 0, p = 0;
 +	size_t len = 0, dotcount = 0;
 +	enum { MAX_IP6_DOTS = 7 };
 +	CHAR8 *a = NULL, *b = NULL, t = 0;
 +	static UINT16 ip[8];
 -        for(i=0; i < 8; i++) {
 -                ip[i] = 0;
 -        }
 -        len = strlen(str);
 -        a = b = str;
 -        for(i=p=0; i < len; i++, b++) {
 -                if (*b != ':')
 -                        continue;
 -                *b = '\0';
 -                ip[p++] = str2ns(a);
 -                *b = ':';
 -                a = b + 1;
 -                if ( *(b+1) == ':' )
 -                        break;
 -        }
 -        a = b = (str + len);
 -        for(j=len, p=7; j > i; j--, a--) {
 -                if (*a != ':')
 -                        continue;
 -                t = *b;
 -                *b = '\0';
 -                ip[p--] = str2ns(a+1);
 -                *b = t;
 -                b = a;
 -        }
 -        return (CHAR8 *)ip;
 +	memset(ip, 0, sizeof(ip));
 +
 +	/* Count amount of ':' to prevent overflows.
 +	 * max. count = 7. Returns an invalid ip6 that
 +	 * can be checked against
 +	 */
 +	for (a = str; *a != 0; ++a) {
 +		if (*a == ':')
 +			++dotcount;
 +	}
 +	if (dotcount > MAX_IP6_DOTS)
 +		return (CHAR8 *)ip;
 +
 +	len = strlen(str);
 +	a = b = str;
 +	for (i = p = 0; i < len; i++, b++) {
 +		if (*b != ':')
 +			continue;
 +		*b = '\0';
 +		ip[p++] = str2ns(a);
 +		*b = ':';
 +		a = b + 1;
 +		if (b[1] == ':' )
 +			break;
 +	}
 +	a = b = (str + len);
 +	for (j = len, p = 7; j > i; j--, a--) {
 +		if (*a != ':')
 +			continue;
 +		t = *b;
 +		*b = '\0';
 +		ip[p--] = str2ns(a+1);
 +		*b = t;
 +		b = a;
 +	}
 +	return (CHAR8 *)ip;
 }
 static BOOLEAN extract_tftp_info(CHAR8 *url)
 {
 	CHAR8 *start, *end;
 	CHAR8 ip6str[40];
 +	CHAR8 ip6inv[16];
 	CHAR8 *template = (CHAR8 *)translate_slashes(DEFAULT_LOADER_CHAR);
 +	// to check against str2ip6() errors
 +	memset(ip6inv, 0, sizeof(ip6inv));
 +
 	if (strncmp((UINT8 *)url, (UINT8 *)"tftp://", 7)) {
 		Print(L"URLS MUST START WITH tftp://\n");
 		return FALSE;
@@ -217,7 +237,7 @@ static BOOLEAN extract_tftp_info(CHAR8 *url)
 	end = start;
 	while ((*end != '\0') && (*end != ']')) {
 		end++;
 -		if (end - start > 39) {
 +		if (end - start >= (int)sizeof(ip6str)) {
 			Print(L"TFTP URL includes malformed IPv6 address\n");
 			return FALSE;
 		}
@@ -226,10 +246,12 @@ static BOOLEAN extract_tftp_info(CHAR8 *url)
 		Print(L"TFTP SERVER MUST BE ENCLOSED IN [..]\n");
 		return FALSE;
 	}
 -	memset(ip6str, 0, 40);
 +	memset(ip6str, 0, sizeof(ip6str));
 	memcpy(ip6str, start, end - start);
 	end++;
 	memcpy(&tftp_addr.v6, str2ip6(ip6str), 16);
 +	if (memcmp(&tftp_addr.v6, ip6inv, sizeof(ip6inv)) == 0)
 +		return FALSE;
 	full_path = AllocateZeroPool(strlen(end)+strlen(template)+1);
 	if (!full_path)
 		return FALSE;
--- a/shim-0.7.318.81ee561d.tar.bz2
+++ b/shim-0.7.318.81ee561d.tar.bz2
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:161cdfa33c1221b9d86241d7b9803240c91d939251a5d6b5c8d8626b8d93cf7f
 size 1012687
--- a/shim-0.8.tar.bz2
+++ b/shim-0.8.tar.bz2
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:4cea304dc6f6e5c429f602c42a4dda7b9c64f448a346bae78fb2c6c19c0cd0b3
 size 991166
--- a/shim-bnc863205-mokmanager-fix-hash-delete.patch
+++ b/shim-bnc863205-mokmanager-fix-hash-delete.patch
@ -1,60 +0,0 @@
 From 23cdee7b62fc62cd988d74b2180014595da9e4c5 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Thu, 13 Feb 2014 15:05:45 +0800
 Subject: [PATCH 1/2] MokManager: calculate the variable size correctly
 MokSize of the hash signature list includes the owner GUID,
 so we should not add the 16bytes compensation.
 Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
 ---
 MokManager.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
 Index: shim-0.7/MokManager.c
 ===================================================================
 --- shim-0.7.orig/MokManager.c
 +++ shim-0.7/MokManager.c
@@ -940,7 +940,9 @@ static EFI_STATUS write_back_mok_list (M
 		if (list[i].Mok == NULL)
 			continue;
 -		DataSize += sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID);
 +		DataSize += sizeof(EFI_SIGNATURE_LIST);
 +		if (CompareGuid(&(list[i].Type), &CertType) == 0)
 +			DataSize += sizeof(EFI_GUID);
 		DataSize += list[i].MokSize;
 	}
@@ -1046,6 +1048,7 @@ static void delete_hash_in_list (UINT8 *
 {
 	EFI_GUID HashType = EFI_CERT_SHA256_GUID;
 	UINT32 sig_size;
 +	UINT32 list_num;
 	int i, del_ind;
 	void *start, *end;
 	UINT32 remain;
@@ -1057,8 +1060,10 @@ static void delete_hash_in_list (UINT8 *
 		    (mok[i].MokSize < sig_size))
 			continue;
 +		list_num = mok[i].MokSize / sig_size;
 +
 		del_ind = match_hash(hash, hash_size, 0, mok[i].Mok,
 -				     mok[i].MokSize);
 +				     list_num);
 		while (del_ind >= 0) {
 			/* Remove the hash */
 			if (sig_size == mok[i].MokSize) {
@@ -1073,9 +1078,10 @@ static void delete_hash_in_list (UINT8 *
 			mem_move(start, end, remain);
 			mok[i].MokSize -= sig_size;
 +			list_num--;
 			del_ind = match_hash(hash, hash_size, del_ind,
 -					     mok[i].Mok, mok[i].MokSize);
 +					     mok[i].Mok, list_num);
 		}
 	}
 }
--- a/shim-fix-gnu-efi-30w.patch
+++ b/shim-fix-gnu-efi-30w.patch
@ -0,0 +1,85 @@
 From d4e4bf4e1e03eb5685474d240929d3e3b50581f8 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Thu, 25 Sep 2014 18:12:42 +0800
 Subject: [PATCH] Adapt the change in gnu-efi-3.0w
 ---
 Cryptlib/Include/OpenSslSupport.h | 13 +++++++------
 Cryptlib/Makefile                 |  1 +
 Cryptlib/OpenSSL/Makefile         |  3 +++
 Makefile                          |  2 ++
 4 files changed, 13 insertions(+), 6 deletions(-)
 diff --git a/Cryptlib/Include/OpenSslSupport.h b/Cryptlib/Include/OpenSslSupport.h
 index 9e56ced..6b3bfbd 100644
 --- a/Cryptlib/Include/OpenSslSupport.h
 +++ b/Cryptlib/Include/OpenSslSupport.h
@@ -16,12 +16,6 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #define __OPEN_SSL_SUPPORT_H__
 #include <efi.h>
 -#include <efilib.h>
 -#include <Base.h>
 -#include <Library/BaseLib.h>
 -#include <Library/BaseMemoryLib.h>
 -#include <Library/MemoryAllocationLib.h>
 -#include <Library/DebugLib.h>
 #define CONST const
@@ -63,6 +57,13 @@ typedef __builtin_va_list VA_LIST;
 #define va_end(Marker)                ((void)0)
 #endif
 +#include <efilib.h>
 +#include <Base.h>
 +#include <Library/BaseLib.h>
 +#include <Library/BaseMemoryLib.h>
 +#include <Library/MemoryAllocationLib.h>
 +#include <Library/DebugLib.h>
 +
 //
 // #defines from EFI Application Toolkit required to buiild Open SSL
 //
 diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile
 index 9719a27..dbd79fb 100644
 --- a/Cryptlib/Makefile
 +++ b/Cryptlib/Makefile
@@ -3,6 +3,7 @@ EFI_INCLUDES	= -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLU
 CFLAGS		= -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
 		  -Wall $(EFI_INCLUDES)
 +CFLAGS          += -DGNU_EFI_USE_EXTERNAL_STDARG
 ifeq ($(ARCH),x86_64)
 	CFLAGS	+= -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \
 diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile
 index 7990b3c..967e55e 100644
 --- a/Cryptlib/OpenSSL/Makefile
 +++ b/Cryptlib/OpenSSL/Makefile
@@ -18,6 +18,9 @@ endif
 ifeq ($(ARCH),arm)
 	CFLAGS	+= -O2 -DTHIRTY_TWO_BIT -ffreestanding -I$(shell $(CC) -print-file-name=include)
 endif
 +
 +CFLAGS          += -DGNU_EFI_USE_EXTERNAL_STDARG
 +
 LDFLAGS		= -nostdlib -znocombreloc
 TARGET		= libopenssl.a
 diff --git a/Makefile b/Makefile
 index 332a29b..52fd5b3 100644
 --- a/Makefile
 +++ b/Makefile
@@ -26,6 +26,8 @@ CFLAGS		= -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
 		  "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
 		  $(EFI_INCLUDES)
 +CFLAGS          += -DGNU_EFI_USE_EXTERNAL_STDARG
 +
 ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
 	CFLAGS	+= -DOVERRIDE_SECURITY_POLICY
 endif
 -- 
 1.8.4.5
--- a/shim-mokmanager-support-sha-family.patch
+++ b/shim-mokmanager-support-sha-family.patch
@ -1,449 +0,0 @@
 From f110c89b169505156741ee4ce4b0952e899ed0d8 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Thu, 3 Apr 2014 18:26:37 +0800
 Subject: [PATCH 1/5] MokManager: Support SHA1 hash in MOK
 Add SHA1 hash support and amend the code to make it easier to support
 other SHA digests.
 ---
 MokManager.c | 121 ++++++++++++++++++++++++++++++++++++-----------------------
 1 file changed, 75 insertions(+), 46 deletions(-)
 Index: shim-0.7/MokManager.c
 ===================================================================
 --- shim-0.7.orig/MokManager.c
 +++ shim-0.7/MokManager.c
@@ -25,6 +25,9 @@
 #define EFI_VARIABLE_APPEND_WRITE 0x00000040
 EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} };
 +EFI_GUID EFI_CERT_SHA224_GUID = { 0xb6e5233, 0xa65c, 0x44c9, {0x94, 0x7, 0xd9, 0xab, 0x83, 0xbf, 0xc8, 0xbd} };
 +EFI_GUID EFI_CERT_SHA384_GUID = { 0xff3e5307, 0x9fd0, 0x48c9, {0x85, 0xf1, 0x8a, 0xd5, 0x6c, 0x70, 0x1e, 0x1} };
 +EFI_GUID EFI_CERT_SHA512_GUID = { 0x93e0fae, 0xa6c4, 0x4f50, {0x9f, 0x1b, 0xd4, 0x1e, 0x2b, 0x89, 0xc1, 0x9a} };
 #define CERT_STRING L"Select an X509 certificate to enroll:\n\n"
 #define HASH_STRING L"Select a file to trust:\n\n"
@@ -93,31 +96,84 @@ done:
 	return status;
 }
 +static BOOLEAN is_sha_hash (EFI_GUID Type)
 +{
 +	EFI_GUID Sha1 = EFI_CERT_SHA1_GUID;
 +	EFI_GUID Sha224 = EFI_CERT_SHA224_GUID;
 +	EFI_GUID Sha256 = EFI_CERT_SHA256_GUID;
 +	EFI_GUID Sha384 = EFI_CERT_SHA384_GUID;
 +	EFI_GUID Sha512 = EFI_CERT_SHA512_GUID;
 +
 +	if (CompareGuid(&Type, &Sha1) == 0)
 +		return TRUE;
 +	else if (CompareGuid(&Type, &Sha224) == 0)
 +		return TRUE;
 +	else if (CompareGuid(&Type, &Sha256) == 0)
 +		return TRUE;
 +	else if (CompareGuid(&Type, &Sha384) == 0)
 +		return TRUE;
 +	else if (CompareGuid(&Type, &Sha512) == 0)
 +		return TRUE;
 +
 +	return FALSE;
 +}
 +
 +static UINT32 sha_size (EFI_GUID Type)
 +{
 +	EFI_GUID Sha1 = EFI_CERT_SHA1_GUID;
 +	EFI_GUID Sha224 = EFI_CERT_SHA224_GUID;
 +	EFI_GUID Sha256 = EFI_CERT_SHA256_GUID;
 +	EFI_GUID Sha384 = EFI_CERT_SHA384_GUID;
 +	EFI_GUID Sha512 = EFI_CERT_SHA512_GUID;
 +
 +	if (CompareGuid(&Type, &Sha1) == 0)
 +		return SHA1_DIGEST_SIZE;
 +	else if (CompareGuid(&Type, &Sha224) == 0)
 +		return SHA224_DIGEST_LENGTH;
 +	else if (CompareGuid(&Type, &Sha256) == 0)
 +		return SHA256_DIGEST_SIZE;
 +	else if (CompareGuid(&Type, &Sha384) == 0)
 +		return SHA384_DIGEST_LENGTH;
 +	else if (CompareGuid(&Type, &Sha512) == 0)
 +		return SHA512_DIGEST_LENGTH;
 +
 +	return 0;
 +}
 +
 +static BOOLEAN is_valid_siglist (EFI_GUID Type, UINT32 SigSize)
 +{
 +	EFI_GUID CertType = X509_GUID;
 +	UINT32 hash_sig_size;
 +
 +	if (CompareGuid (&Type, &CertType) == 0 && SigSize != 0)
 +		return TRUE;
 +
 +	if (!is_sha_hash (Type))
 +		return FALSE;
 +
 +	hash_sig_size = sha_size (Type) + sizeof(EFI_GUID);
 +	if (SigSize != hash_sig_size)
 +		return FALSE;
 +
 +	return TRUE;
 +}
 +
 static UINT32 count_keys(void *Data, UINTN DataSize)
 {
 	EFI_SIGNATURE_LIST *CertList = Data;
 -	EFI_GUID CertType = X509_GUID;
 -	EFI_GUID HashType = EFI_CERT_SHA256_GUID;
 	UINTN dbsize = DataSize;
 	UINT32 MokNum = 0;
 	while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
 -		if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) &&
 -		    (CompareGuid (&CertList->SignatureType, &HashType) != 0)) {
 -			console_notify(L"Doesn't look like a key or hash");
 -			dbsize -= CertList->SignatureListSize;
 -			CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList +
 -						  CertList->SignatureListSize);
 -			continue;
 +		if (CertList->SignatureListSize == 0 ||
 +		    CertList->SignatureListSize <= CertList->SignatureSize) {
 +			console_errorbox(L"Corrupted signature list");
 +			return 0;
 		}
 -		if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) &&
 -		    (CertList->SignatureSize != 48)) {
 -			console_notify(L"Doesn't look like a valid hash");
 -			dbsize -= CertList->SignatureListSize;
 -			CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList +
 -						  CertList->SignatureListSize);
 -			continue;
 +		if (!is_valid_siglist(CertList->SignatureType, CertList->SignatureSize)) {
 +			console_errorbox(L"Invalid signature list found");
 +			return 0;
 		}
 		MokNum++;
@@ -134,7 +190,6 @@ static MokListNode *build_mok_list(UINT3
 	EFI_SIGNATURE_LIST *CertList = Data;
 	EFI_SIGNATURE_DATA *Cert;
 	EFI_GUID CertType = X509_GUID;
 -	EFI_GUID HashType = EFI_CERT_SHA256_GUID;
 	UINTN dbsize = DataSize;
 	UINTN count = 0;
@@ -146,21 +201,8 @@ static MokListNode *build_mok_list(UINT3
 	}
 	while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
 -		if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) &&
 -		    (CompareGuid (&CertList->SignatureType, &HashType) != 0)) {
 -			dbsize -= CertList->SignatureListSize;
 -			CertList = (EFI_SIGNATURE_LIST *)((UINT8 *) CertList +
 -						  CertList->SignatureListSize);
 -			continue;
 -		}
 -
 -		if ((CompareGuid (&CertList->SignatureType, &HashType) == 0) &&
 -		    (CertList->SignatureSize != 48)) {
 -			dbsize -= CertList->SignatureListSize;
 -			CertList = (EFI_SIGNATURE_LIST *)((UINT8 *) CertList +
 -						  CertList->SignatureListSize);
 -			continue;
 -		}
 +		/* Omit the signature check here since we already did it
 +		   in count_keys() */
 		Cert = (EFI_SIGNATURE_DATA *) (((UINT8 *) CertList) +
 		  sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
@@ -380,22 +422,46 @@ static void show_x509_info (X509 *X509Ce
 	FreePool(text);
 }
 -static void show_sha256_digest (UINT8 *hash)
 +static void show_sha_digest (EFI_GUID Type, UINT8 *hash)
 {
 +	EFI_GUID Sha1 = EFI_CERT_SHA1_GUID;
 +	EFI_GUID Sha224 = EFI_CERT_SHA224_GUID;
 +	EFI_GUID Sha256 = EFI_CERT_SHA256_GUID;
 +	EFI_GUID Sha384 = EFI_CERT_SHA384_GUID;
 +	EFI_GUID Sha512 = EFI_CERT_SHA512_GUID;
 	CHAR16 *text[5];
 	POOL_PRINT hash_string1;
 	POOL_PRINT hash_string2;
 	int i;
 +	int length;
 +
 +	if (CompareGuid(&Type, &Sha1) == 0) {
 +		length = SHA1_DIGEST_SIZE;
 +		text[0] = L"SHA1 hash";
 +	} else if (CompareGuid(&Type, &Sha224) == 0) {
 +		length = SHA224_DIGEST_LENGTH;
 +		text[0] = L"SHA224 hash";
 +	} else if (CompareGuid(&Type, &Sha256) == 0) {
 +		length = SHA256_DIGEST_SIZE;
 +		text[0] = L"SHA256 hash";
 +	} else if (CompareGuid(&Type, &Sha384) == 0) {
 +		length = SHA384_DIGEST_LENGTH;
 +		text[0] = L"SHA384 hash";
 +	} else if (CompareGuid(&Type, &Sha512) == 0) {
 +		length = SHA512_DIGEST_LENGTH;
 +		text[0] = L"SHA512 hash";
 +	} else {
 +		return;
 +	}
 	ZeroMem(&hash_string1, sizeof(hash_string1));
 	ZeroMem(&hash_string2, sizeof(hash_string2));
 -	text[0] = L"SHA256 hash";
 	text[1] = L"";
 -	for (i=0; i<16; i++)
 +	for (i=0; i<length/2; i++)
 		CatPrint(&hash_string1, L"%02x ", hash[i]);
 -	for (i=16; i<32; i++)
 +	for (i=length/2; i<length; i++)
 		CatPrint(&hash_string2, L"%02x ", hash[i]);
 	text[2] = hash_string1.str;
@@ -411,7 +477,7 @@ static void show_sha256_digest (UINT8 *h
 		FreePool(hash_string2.str);
 }
 -static void show_efi_hash (void *Mok, UINTN MokSize)
 +static void show_efi_hash (EFI_GUID Type, void *Mok, UINTN MokSize)
 {
 	UINTN sig_size;
 	UINTN hash_num;
@@ -420,7 +486,7 @@ static void show_efi_hash (void *Mok, UI
 	int key_num = 0;
 	int i;
 -	sig_size = SHA256_DIGEST_SIZE + sizeof(EFI_GUID);
 +	sig_size = sha_size(Type) + sizeof(EFI_GUID);
 	if ((MokSize % sig_size) != 0) {
 		console_errorbox(L"Corrupted Hash List");
 		return;
@@ -429,7 +495,7 @@ static void show_efi_hash (void *Mok, UI
 	if (hash_num == 1) {
 		hash = (UINT8 *)Mok + sizeof(EFI_GUID);
 -		show_sha256_digest(hash);
 +		show_sha_digest(Type, hash);
 		return;
 	}
@@ -452,7 +518,7 @@ static void show_efi_hash (void *Mok, UI
 			break;
 		hash = (UINT8 *)Mok + sig_size*key_num + sizeof(EFI_GUID);
 -		show_sha256_digest(hash);
 +		show_sha_digest(Type, hash);
 	}
 	for (i=0; menu_strings[i] != NULL; i++)
@@ -467,7 +533,6 @@ static void show_mok_info (EFI_GUID Type
 	UINT8 hash[SHA1_DIGEST_SIZE];
 	X509 *X509Cert;
 	EFI_GUID CertType = X509_GUID;
 -	EFI_GUID HashType = EFI_CERT_SHA256_GUID;
 	if (!Mok || MokSize == 0)
 		return;
@@ -488,8 +553,8 @@ static void show_mok_info (EFI_GUID Type
 			console_notify(L"Not a valid X509 certificate");
 			return;
 		}
 -	} else if (CompareGuid (&Type, &HashType) == 0) {
 -		show_efi_hash(Mok, MokSize);
 +	} else if (is_sha_hash(Type)) {
 +		show_efi_hash(Type, Mok, MokSize);
 	}
 }
@@ -504,15 +569,18 @@ static EFI_STATUS list_keys (void *KeyLi
 	if (KeyListSize < (sizeof(EFI_SIGNATURE_LIST) +
 			   sizeof(EFI_SIGNATURE_DATA))) {
 		console_notify(L"No MOK keys found");
 -		return 0;
 +		return EFI_NOT_FOUND;
 	}
 	MokNum = count_keys(KeyList, KeyListSize);
 +	if (MokNum == 0) {
 +		console_errorbox(L"Invalid key list");
 +		return EFI_ABORTED;
 +	}
 	keys = build_mok_list(MokNum, KeyList, KeyListSize);
 -
 	if (!keys) {
 -		console_notify(L"Failed to construct key list");
 -		return 0;
 +		console_errorbox(L"Failed to construct key list");
 +		return EFI_ABORTED;
 	}
 	menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (MokNum + 2));
@@ -837,7 +905,7 @@ static EFI_STATUS store_keys (void *MokN
 	return EFI_SUCCESS;
 }
 -static UINTN mok_enrollment_prompt (void *MokNew, UINTN MokNewSize, int auth,
 +static INTN mok_enrollment_prompt (void *MokNew, UINTN MokNewSize, int auth,
 				    BOOLEAN MokX)
 {
 	EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
@@ -974,7 +1042,7 @@ static EFI_STATUS write_back_mok_list (M
 		} else {
 			CertList->SignatureListSize = list[i].MokSize +
 						      sizeof(EFI_SIGNATURE_LIST);
 -			CertList->SignatureSize = SHA256_DIGEST_SIZE + sizeof(EFI_GUID);
 +			CertList->SignatureSize = sha_size(list[i].Type) + sizeof(EFI_GUID);
 			CopyMem(CertData, list[i].Mok, list[i].MokSize);
 		}
@@ -1043,10 +1111,9 @@ static void mem_move (void *dest, void *
 		d[i] = s[i];
 }
 -static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size,
 +static void delete_hash_in_list (EFI_GUID Type, UINT8 *hash, UINT32 hash_size,
 				 MokListNode *mok, INTN mok_num)
 {
 -	EFI_GUID HashType = EFI_CERT_SHA256_GUID;
 	UINT32 sig_size;
 	UINT32 list_num;
 	int i, del_ind;
@@ -1056,7 +1123,7 @@ static void delete_hash_in_list (UINT8 *
 	sig_size = hash_size + sizeof(EFI_GUID);
 	for (i = 0; i < mok_num; i++) {
 -		if ((CompareGuid(&(mok[i].Type), &HashType) != 0) ||
 +		if ((CompareGuid(&(mok[i].Type), &Type) != 0) ||
 		    (mok[i].MokSize < sig_size))
 			continue;
@@ -1086,7 +1153,7 @@ static void delete_hash_in_list (UINT8 *
 	}
 }
 -static void delete_hash_list (void *hash_list, UINT32 list_size,
 +static void delete_hash_list (EFI_GUID Type, void *hash_list, UINT32 list_size,
 			      MokListNode *mok, INTN mok_num)
 {
 	UINT32 hash_size;
@@ -1095,7 +1162,7 @@ static void delete_hash_list (void *hash
 	UINT8 *hash;
 	int i;
 -	hash_size = SHA256_DIGEST_SIZE;
 +	hash_size = sha_size (Type);
 	sig_size = hash_size + sizeof(EFI_GUID);
 	if (list_size < sig_size)
 		return;
@@ -1105,7 +1172,7 @@ static void delete_hash_list (void *hash
 	hash = hash_list + sizeof(EFI_GUID);
 	for (i = 0; i < hash_num; i++) {
 -		delete_hash_in_list (hash, hash_size, mok, mok_num);
 +		delete_hash_in_list (Type, hash, hash_size, mok, mok_num);
 		hash += sig_size;
 	}
 }
@@ -1114,7 +1181,6 @@ static EFI_STATUS delete_keys (void *Mok
 {
 	EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
 	EFI_GUID CertType = X509_GUID;
 -	EFI_GUID HashType = EFI_CERT_SHA256_GUID;
 	EFI_STATUS efi_status;
 	CHAR16 *db_name;
 	CHAR16 *auth_name;
@@ -1161,7 +1227,13 @@ static EFI_STATUS delete_keys (void *Mok
 	efi_status = get_variable_attr (db_name, &MokListData, &MokListDataSize,
 				        shim_lock_guid, &attributes);
 -	if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) {
 +	if (efi_status != EFI_SUCCESS) {
 +		if (MokX)
 +			console_errorbox(L"Failed to retrieve MokListX");
 +		else
 +			console_errorbox(L"Failed to retrieve MokList");
 +		return EFI_ABORTED;
 +	} else if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) {
 		if (MokX) {
 			err_str1 = L"MokListX is compromised!";
 			err_str2 = L"Erase all keys in MokListX!";
@@ -1170,7 +1242,11 @@ static EFI_STATUS delete_keys (void *Mok
 			err_str2 = L"Erase all keys in MokList!";
 		}
 		console_alertbox((CHAR16 *[]){err_str1, err_str2, NULL});
 -		LibDeleteVariable(db_name, &shim_lock_guid);
 +		uefi_call_wrapper(RT->SetVariable, 5, db_name,
 +				  &shim_lock_guid,
 +				  EFI_VARIABLE_NON_VOLATILE |
 +				  EFI_VARIABLE_BOOTSERVICE_ACCESS,
 +				  0, NULL);
 		return EFI_ACCESS_DENIED;
 	}
@@ -1180,23 +1256,56 @@ static EFI_STATUS delete_keys (void *Mok
 	/* Construct lists */
 	mok_num = count_keys(MokListData, MokListDataSize);
 +	if (mok_num == 0) {
 +		if (MokX) {
 +			err_str1 = L"Failed to construct the key list of MokListX";
 +			err_str2 = L"Reset MokListX!";
 +		} else {
 +			err_str1 = L"Failed to construct the key list of MokList";
 +			err_str2 = L"Reset MokList!";
 +		}
 +		console_alertbox((CHAR16 *[]){err_str1, err_str2, NULL});
 +		uefi_call_wrapper(RT->SetVariable, 5, db_name,
 +				  &shim_lock_guid,
 +				  EFI_VARIABLE_NON_VOLATILE |
 +				  EFI_VARIABLE_BOOTSERVICE_ACCESS,
 +				  0, NULL);
 +		efi_status = EFI_ABORTED;
 +		goto error;
 +	}
 	mok = build_mok_list(mok_num, MokListData, MokListDataSize);
 +	if (!mok) {
 +		console_errorbox(L"Failed to construct key list");
 +		efi_status = EFI_ABORTED;
 +		goto error;
 +	}
 	del_num = count_keys(MokDel, MokDelSize);
 +	if (del_num == 0) {
 +		console_errorbox(L"Invalid key delete list");
 +		efi_status = EFI_ABORTED;
 +		goto error;
 +	}
 	del_key = build_mok_list(del_num, MokDel, MokDelSize);
 +	if (!del_key) {
 +		console_errorbox(L"Failed to construct key list");
 +		efi_status = EFI_ABORTED;
 +		goto error;
 +	}
 	/* Search and destroy */
 	for (i = 0; i < del_num; i++) {
 		if (CompareGuid(&(del_key[i].Type), &CertType) == 0) {
 			delete_cert(del_key[i].Mok, del_key[i].MokSize,
 				    mok, mok_num);
 -		} else if (CompareGuid(&(del_key[i].Type), &HashType) == 0) {
 -			delete_hash_list(del_key[i].Mok, del_key[i].MokSize,
 -					 mok, mok_num);
 +		} else if (is_sha_hash(del_key[i].Type)) {
 +			delete_hash_list(del_key[i].Type, del_key[i].Mok,
 +					 del_key[i].MokSize, mok, mok_num);
 		}
 	}
 	efi_status = write_back_mok_list(mok, mok_num, MokX);
 +error:
 	if (MokListData)
 		FreePool(MokListData);
 	if (mok)
--- a/shim-mokx-support.patch
+++ b/shim-mokx-support.patch
--- a/shim-opensuse-cert-prompt.patch
+++ b/shim-opensuse-cert-prompt.patch
@ -1,4 +1,4 @@
-From b13d18d4069032ccf6c885774e9eada6a1d80ddd Mon Sep 17 00:00:00 2001
+From e3b81e524747199fb7da29e5988cff79db1658a3 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Tue, 18 Feb 2014 17:29:19 +0800
 Subject: [PATCH 1/3] Show the build-in certificate prompt
@ -17,13 +17,13 @@ again after reboot.
 The state will store in use_openSUSE_cert, a volatile RT variable.
 ---
- shim.c | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-----------
+ shim.c | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
- 1 file changed, 97 insertions(+), 19 deletions(-)
+ 1 file changed, 74 insertions(+), 2 deletions(-)
-Index: shim-0.7/shim.c
+diff --git a/shim.c b/shim.c
-===================================================================
+index d46494a..c14a54d 100644
--- shim-0.7.orig/shim.c
+--- a/shim.c
-+++ shim-0.7/shim.c
+++ b/shim.c
@@ -90,6 +90,7 @@ UINT8 *vendor_dbx;
  */
 verification_method_t verification_method;
@ -32,7 +32,7 @@ Index: shim-0.7/shim.c
 #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
-@@ -817,7 +818,7 @@ static EFI_STATUS verify_buffer (char *d
+@@ -954,7 +955,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
 	if (status == EFI_SUCCESS)
 		return status;
@ -41,75 +41,16 @@ Index: shim-0.7/shim.c
 		/*
 		 * Check against the shim build key
 		 */
-@@ -1523,11 +1524,14 @@ EFI_STATUS mirror_mok_list()
+@@ -1708,7 +1709,7 @@ EFI_STATUS mirror_mok_list()
 	if (efi_status != EFI_SUCCESS)
 		DataSize = 0;
-	FullDataSize = DataSize
+-	if (vendor_cert_size) {
-		     + sizeof (*CertList)
+	if (vendor_cert_size && use_builtin_cert) {
-		     + sizeof (EFI_GUID)
+ 		FullDataSize = DataSize
-		     + vendor_cert_size
+ 			     + sizeof (*CertList)
-		     ;
+ 			     + sizeof (EFI_GUID)
-+	FullDataSize = DataSize;
+@@ -2057,6 +2058,75 @@ uninstall_shim_protocols(void)
 +	if (use_builtin_cert) {
 +		FullDataSize += sizeof (*CertList) +
 +				sizeof (EFI_GUID) +
 +				vendor_cert_size;
 +	} else if (DataSize == 0) {
 +		return EFI_SUCCESS;
 +	}
 	FullData = AllocatePool(FullDataSize);
 	if (!FullData) {
 		perror(L"Failed to allocate space for MokListRT\n");
@@ -1539,21 +1543,24 @@ EFI_STATUS mirror_mok_list()
 		CopyMem(p, Data, DataSize);
 		p += DataSize;
 	}
 -	CertList = (EFI_SIGNATURE_LIST *)p;
 -	p += sizeof (*CertList);
 -	CertData = (EFI_SIGNATURE_DATA *)p;
 -	p += sizeof (EFI_GUID);
 -
 -	CertList->SignatureType = EFI_CERT_X509_GUID;
 -	CertList->SignatureListSize = vendor_cert_size
 -				      + sizeof (*CertList)
 -				      + sizeof (*CertData)
 -				      -1;
 -	CertList->SignatureHeaderSize = 0;
 -	CertList->SignatureSize = vendor_cert_size + sizeof (EFI_GUID);
 -	CertData->SignatureOwner = SHIM_LOCK_GUID;
 -	CopyMem(p, vendor_cert, vendor_cert_size);
 +	if (use_builtin_cert) {
 +		CertList = (EFI_SIGNATURE_LIST *)p;
 +		p += sizeof (*CertList);
 +		CertData = (EFI_SIGNATURE_DATA *)p;
 +		p += sizeof (EFI_GUID);
 +
 +		CertList->SignatureType = EFI_CERT_X509_GUID;
 +		CertList->SignatureListSize = vendor_cert_size
 +					      + sizeof (*CertList)
 +					      + sizeof (*CertData)
 +					      -1;
 +		CertList->SignatureHeaderSize = 0;
 +		CertList->SignatureSize = vendor_cert_size + sizeof (EFI_GUID);
 +
 +		CertData->SignatureOwner = SHIM_LOCK_GUID;
 +		CopyMem(p, vendor_cert, vendor_cert_size);
 +	}
 	efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokListRT",
 				       &shim_lock_guid,
@@ -1600,7 +1607,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE
 	    check_var(L"MokPW") || check_var(L"MokAuth") ||
 	    check_var(L"MokDel") || check_var(L"MokDB") ||
 	    check_var(L"MokXNew") || check_var(L"MokXDel") ||
 -	    check_var(L"MokXAuth")) {
 +	    check_var(L"MokXAuth") || check_var(L"ClearVerify")) {
 		efi_status = start_image(image_handle, MOK_MANAGER);
 		if (efi_status != EFI_SUCCESS) {
@@ -1840,6 +1847,75 @@ uninstall_shim_protocols(void)
 			  &shim_lock_guid, &shim_lock_interface);
 }
@ -185,7 +126,7 @@ Index: shim-0.7/shim.c
 EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
 {
 	EFI_STATUS efi_status;
-@@ -1895,6 +1971,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_ha
+@@ -2112,6 +2182,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
 			 */
 			hook_system_services(systab);
 			loader_is_participating = 0;
@ -194,11 +135,30 @@ Index: shim-0.7/shim.c
 		}
 	}
-Index: shim-0.7/MokManager.c
+-- 
-===================================================================
+1.8.4.5
--- shim-0.7.orig/MokManager.c
+
-+++ shim-0.7/MokManager.c
+
-@@ -1701,6 +1701,36 @@ static INTN mok_pw_prompt (void *MokPW,
+From 7b87b12059a9f26125f135ae649757346d26d6f8 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Thu, 20 Feb 2014 16:57:08 +0800
 Subject: [PATCH 2/3] Support revoking the openSUSE cert
 This is an openSUSE-only patch.
 To revoke the openSUSE cert, create ClearVerify, a NV RT variable,
 and store the password hash in the variable, and then MokManager
 will show up with an additional option to clear openSUSE_Verify
 ---
 MokManager.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
 shim.c       |  2 +-
 2 files changed, 60 insertions(+), 3 deletions(-)
 diff --git a/MokManager.c b/MokManager.c
 index 442ab8f..7277968 100644
 --- a/MokManager.c
 +++ b/MokManager.c
@@ -1731,6 +1731,33 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) {
 	return -1;
 }
@ -216,10 +176,7 @@ Index: shim-0.7/MokManager.c
 +	if (status != EFI_SUCCESS)
 +		return -1;
 +
-+	status = uefi_call_wrapper(RT->SetVariable, 5,
+	status = LibDeleteVariable(L"openSUSE_Verify", &shim_lock_guid);
 +				   L"openSUSE_Verify", &shim_lock_guid,
 +				   EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,
 +				   0, NULL);
 +	if (status != EFI_SUCCESS) {
 +		console_error(L"Failed to delete openSUSE_Verify", status);
 +		return -1;
@ -235,7 +192,7 @@ Index: shim-0.7/MokManager.c
 static BOOLEAN verify_certificate(UINT8 *cert, UINTN size)
 {
 	X509 *X509Cert;
-@@ -2053,6 +2083,7 @@ typedef enum {
+@@ -2083,6 +2110,7 @@ typedef enum {
 	MOK_CHANGE_SB,
 	MOK_SET_PW,
 	MOK_CHANGE_DB,
@ -243,7 +200,7 @@ Index: shim-0.7/MokManager.c
 	MOK_KEY_ENROLL,
 	MOK_HASH_ENROLL
 } mok_menu_item;
-@@ -2064,7 +2095,8 @@ static EFI_STATUS enter_mok_menu(EFI_HAN
+@@ -2094,7 +2122,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
 				 void *MokPW, UINTN MokPWSize,
 				 void *MokDB, UINTN MokDBSize,
 				 void *MokXNew, UINTN MokXNewSize,
@ -253,7 +210,7 @@ Index: shim-0.7/MokManager.c
 {
 	CHAR16 **menu_strings;
 	mok_menu_item *menu_item;
-@@ -2138,6 +2170,9 @@ static EFI_STATUS enter_mok_menu(EFI_HAN
+@@ -2168,6 +2197,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
 	if (MokDB)
 		menucount++;
@ -263,7 +220,7 @@ Index: shim-0.7/MokManager.c
 	menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (menucount + 1));
 	if (!menu_strings)
-@@ -2207,6 +2242,12 @@ static EFI_STATUS enter_mok_menu(EFI_HAN
+@@ -2237,6 +2269,12 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
 		i++;
 	}
@ -276,7 +233,7 @@ Index: shim-0.7/MokManager.c
 	menu_strings[i] = L"Enroll key from disk";
 	menu_item[i] = MOK_KEY_ENROLL;
 	i++;
-@@ -2257,6 +2298,9 @@ static EFI_STATUS enter_mok_menu(EFI_HAN
+@@ -2287,6 +2325,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
 		case MOK_CHANGE_DB:
 			mok_db_prompt(MokDB, MokDBSize);
 			break;
@ -286,7 +243,7 @@ Index: shim-0.7/MokManager.c
 		case MOK_KEY_ENROLL:
 			mok_key_enroll();
 			break;
-@@ -2282,6 +2326,7 @@ static EFI_STATUS check_mok_request(EFI_
+@@ -2312,6 +2353,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
 	EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
 	UINTN MokNewSize = 0, MokDelSize = 0, MokSBSize = 0, MokPWSize = 0;
 	UINTN MokDBSize = 0, MokXNewSize = 0, MokXDelSize = 0;
@ -294,7 +251,7 @@ Index: shim-0.7/MokManager.c
 	void *MokNew = NULL;
 	void *MokDel = NULL;
 	void *MokSB = NULL;
-@@ -2289,6 +2334,7 @@ static EFI_STATUS check_mok_request(EFI_
+@@ -2319,6 +2361,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
 	void *MokDB = NULL;
 	void *MokXNew = NULL;
 	void *MokXDel = NULL;
@ -302,7 +259,7 @@ Index: shim-0.7/MokManager.c
 	EFI_STATUS status;
 	status = get_variable(L"MokNew", (UINT8 **)&MokNew, &MokNewSize,
-@@ -2361,9 +2407,20 @@ static EFI_STATUS check_mok_request(EFI_
+@@ -2391,9 +2434,20 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
 		console_error(L"Could not retrieve MokXDel", status);
 	}
@ -324,7 +281,7 @@ Index: shim-0.7/MokManager.c
 	if (MokNew)
 		FreePool (MokNew);
-@@ -2386,6 +2443,9 @@ static EFI_STATUS check_mok_request(EFI_
+@@ -2416,6 +2470,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
 	if (MokXDel)
 		FreePool (MokXDel);
@ -334,3 +291,51 @@ Index: shim-0.7/MokManager.c
 	LibDeleteVariable(L"MokAuth", &shim_lock_guid);
 	LibDeleteVariable(L"MokDelAuth", &shim_lock_guid);
 	LibDeleteVariable(L"MokXAuth", &shim_lock_guid);
 diff --git a/shim.c b/shim.c
 index c14a54d..1287eed 100644
 --- a/shim.c
 +++ b/shim.c
@@ -1818,7 +1818,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
 	    check_var(L"MokPW") || check_var(L"MokAuth") ||
 	    check_var(L"MokDel") || check_var(L"MokDB") ||
 	    check_var(L"MokXNew") || check_var(L"MokXDel") ||
 -	    check_var(L"MokXAuth")) {
 +	    check_var(L"MokXAuth") || check_var(L"ClearVerify")) {
 		efi_status = start_image(image_handle, MOK_MANAGER);
 		if (efi_status != EFI_SUCCESS) {
 -- 
 1.8.4.5
 From c7340fe9219777622fe58b6596f53a4cad739e9f Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Fri, 7 Mar 2014 16:17:20 +0800
 Subject: [PATCH 3/3] Delete openSUSE_Verify the right way
 This is an openSUSE-only patch.
 LibDeleteVariable only works on the runtime variables.
 ---
 MokManager.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
 diff --git a/MokManager.c b/MokManager.c
 index 7277968..b5d2454 100644
 --- a/MokManager.c
 +++ b/MokManager.c
@@ -1745,7 +1745,10 @@ static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) {
 	if (status != EFI_SUCCESS)
 		return -1;
 -	status = LibDeleteVariable(L"openSUSE_Verify", &shim_lock_guid);
 +	status = uefi_call_wrapper(RT->SetVariable, 5,
 +				   L"openSUSE_Verify", &shim_lock_guid,
 +				   EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,
 +				   0, NULL);
 	if (status != EFI_SUCCESS) {
 		console_error(L"Failed to delete openSUSE_Verify", status);
 		return -1;
 -- 
 1.8.4.5
--- a/shim-signed-unsigned-compares.patch
+++ b/shim-signed-unsigned-compares.patch
@ -1,51 +0,0 @@
 Index: shim-0.7/MokManager.c
 ===================================================================
 --- shim-0.7.orig/MokManager.c
 +++ shim-0.7/MokManager.c
@@ -483,8 +483,8 @@ static void show_efi_hash (EFI_GUID Type
 	UINTN hash_num;
 	UINT8 *hash;
 	CHAR16 **menu_strings;
 -	int key_num = 0;
 -	int i;
 +	UINTN key_num = 0;
 +	UINTN i;
 	sig_size = sha_size(Type) + sizeof(EFI_GUID);
 	if ((MokSize % sig_size) != 0) {
@@ -562,7 +562,7 @@ static EFI_STATUS list_keys (void *KeyLi
 {
 	UINT32 MokNum = 0;
 	MokListNode *keys = NULL;
 -	int key_num = 0;
 +	UINT32 key_num = 0;
 	CHAR16 **menu_strings;
 	unsigned int i;
@@ -1088,7 +1088,7 @@ static int match_hash (UINT8 *hash, UINT
 		       void *hash_list, UINT32 list_num)
 {
 	UINT8 *ptr;
 -	int i;
 +	UINTN i;
 	ptr = hash_list + sizeof(EFI_GUID);
 	for (i = start; i < list_num; i++) {
@@ -1103,7 +1103,7 @@ static int match_hash (UINT8 *hash, UINT
 static void mem_move (void *dest, void *src, UINTN size)
 {
 	UINT8 *d, *s;
 -	int i;
 +	UINTN i;
 	d = (UINT8 *)dest;
 	s = (UINT8 *)src;
@@ -1160,7 +1160,7 @@ static void delete_hash_list (EFI_GUID T
 	UINT32 hash_num;
 	UINT32 sig_size;
 	UINT8 *hash;
 -	int i;
 +	UINT32 i;
 	hash_size = sha_size (Type);
 	sig_size = hash_size + sizeof(EFI_GUID);
--- a/shim-update-openssl-0.9.8zb.patch
+++ b/shim-update-openssl-0.9.8zb.patch
--- a/shim.changes
+++ b/shim.changes
@ -1,3 +1,18 @@
 -------------------------------------------------------------------
 Tue Oct 28 04:00:51 UTC 2014 - glin@suse.com
 - Update to 0.8
 - Add shim-fix-gnu-efi-30w.patch to adapt the change in
  gnu-efi-3.0w
 - Merge shim-signed-unsigned-compares.patch,
  shim-mokmanager-support-sha-family.patch and
  shim-bnc863205-mokmanager-fix-hash-delete.patch into
  shim-mokx-support.patch
 - Refresh shim-opensuse-cert-prompt.patch
 - Drop upstreamed patches: shim-update-openssl-0.9.8zb.patch,
  bug-889332_shim-overflow.patch, and bug-889332_shim-mok-oob.patch
 - Enable aarch64
 -------------------------------------------------------------------
 Mon Oct 13 13:09:14 UTC 2014 - jsegitz@novell.com
--- a/shim.spec
+++ b/shim.spec
@ -17,13 +17,9 @@
 # needssslcertforbuild
 %define commit      81ee561dde0213bc487aa1b701799f6d2faeaf31
 %define shortcommit 81ee561d
 Name:           shim
-# to ensure newer versions of the git export are always higher numbers the output of
+Version:        0.8
 # git rev-list master|wc -l is added before the git commit hash
 Version:        0.7.318.%{shortcommit}
 Release:        0
 Summary:        UEFI shim loader
 License:        BSD-2-Clause
@ -44,22 +40,12 @@ Source9:        openSUSE-UEFI-CA-Certificate-4096.crt
 Source10:       timestamp.pl
 Source11:       strip_signature.sh
 Source12:       signature-sles.asc
-# PATCH-FIX-UPSTREAM shim-mokx-support.patch glin@suse.com -- Support MOK blacklist
+# REBASE PATCH-FIX-UPSTREAM shim-mokx-support.patch glin@suse.com -- Support MOK blacklist
 Patch1:         shim-mokx-support.patch
 # PATCH-FIX-SUSE shim-only-os-name.patch glin@suse.com -- Only include the OS name in version.c
 Patch2:         shim-only-os-name.patch
-# PATCH-FIX-UPSTREAM shim-bnc863205-mokmanager-fix-hash-delete.patch bnc#863205 glin@suse.com -- Fix the hash deletion operation to avoid ruining the whole list
+# PATCH-FIX-UPSTREAM shim-fix-gnu-efi-30w.patch glin@suse.com -- Adapt the change in gnu-efi 3.0w
-Patch3:         shim-bnc863205-mokmanager-fix-hash-delete.patch
+Patch3:         shim-fix-gnu-efi-30w.patch
 # PATCH-FIX-UPSTREAM shim-mokmanager-support-sha-family.patch glin@suse.com -- Support SHA hashes in MOK
 Patch4:         shim-mokmanager-support-sha-family.patch
 # PATCH-FIX-OPENSUSE shim-signed-unsigned-compares.patch jsegitz@suse.com -- Fixed some signed - unsigned comparisons
 Patch5:         shim-signed-unsigned-compares.patch
 # PATCH-FIX-UPSTREAM shim-update-openssl-0.9.8zb.patch glin@suse.com -- Update openssl to 0.9.8zb
 Patch6:         shim-update-openssl-0.9.8zb.patch
 # PATCH-FIX-UPSTREAM bug-889332_shim-overflow.patch krahmer@suse.com -- patch for overflow issue.
 Patch7:         bug-889332_shim-overflow.patch
 # PATCH-FIX-UPSTREAM bug-889332_shim-mok-oob.patch krahmer@suse.com -- patch for MOK OOB access.
 Patch8:         bug-889332_shim-mok-oob.patch
 # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
 Patch100:       shim-opensuse-cert-prompt.patch
 BuildRequires:  gnu-efi >= 3.0t
@ -71,7 +57,7 @@ Requires:       perl-Bootloader
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 # For shim-install script
 Requires:       grub2-efi
-ExclusiveArch:  x86_64
+ExclusiveArch:  x86_64 aarch64
 %description
 shim is a trivial EFI application that, when run, attempts to open and
@ -88,11 +74,6 @@ Authors:
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
 %patch100 -p1
 %build