diff --git a/SLES-UEFI-CA-Certificate.crt b/SLES-UEFI-CA-Certificate.crt index 480fa09..56f3fce 100644 --- a/SLES-UEFI-CA-Certificate.crt +++ b/SLES-UEFI-CA-Certificate.crt 
@@ -1,29 +1,39 @@ -----BEGIN CERTIFICATE----- -MIIE5TCCA82gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT +MIIG5TCCBM2gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT RSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTES MBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3Rz IEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxk -QHN1c2UuZGUwHhcNMTMwNDE4MTQzMzQxWhcNMzUwMzE0MTQzMzQxWjCBpjEtMCsG +QHN1c2UuZGUwHhcNMTMwMTIyMTQyMDA4WhcNMzQxMjE4MTQyMDA4WjCBpjEtMCsG A1UEAwwkU1VTRSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYD VQQGEwJERTESMBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4 IFByb2R1Y3RzIEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0B -CQEWDWJ1aWxkQHN1c2UuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB -AQDN/avXKoT4gcM2NVA1LMfsBPH01sxgS8gTs3SbvfbEP2M+ZlHyfj9ufHZ7cZ1p -ISoVm6ql5VbIeZgSNc17Y4y4Nynud1C8t2SP/iZK5YMYHGxdtIfv1zPE+Bo/KZqE -WgHg2YFtMXdiKfXBZRTfSh37t0pGO/OQi6K4JioKw55UtQNggePZWDXtsAviT2vv -abqLR9+kxdrQ0iWqhWM+LwXbTGkCpg41s8KucLD/JYAxxw05dKPApFDNnz+Ft2L7 -e5JtyB4S0u4PlvQBMNHt4hDs0rK4oeHFLbOxHvjF+nloneWhkg9eT0VCfpAYVYz+ -whMxuCHerDCdmeFrRGEMQz11AgMBAAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/ -MB0GA1UdDgQWBBTsqw1CxFbPdwQ2uXOZOGKWXocmLzCB0wYDVR0jBIHLMIHIgBTs -qw1CxFbPdwQ2uXOZOGKWXocmL6GBrKSBqTCBpjEtMCsGA1UEAwwkU1VTRSBMaW51 -eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTESMBAGA1UE -BwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3RzIEdtYkgx -EzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxkQHN1c2Uu -ZGWCAQEwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQASviyFhVqU -Wc1JUQgXwdljJynTnp0/FQOZJBSe7XdBGPmy91+3ITqrXgyqo/218KISiQl53Qlw -pq+cIiGRAia1D7p7wbg7wsg+Trt0zZFXes30wfYq5pjfWadEBAgNCffkBz10TSjL -jQrVwW5N+yUJMoq+r843TzV56Huy6LBOVhI5yTz7X7i2rSJYfyQWM8oeHLj8Yl5M -rOB9gyTumxB4mOLmSqwKzJiUB0ppGPohdLUSSEKDdo6KSH/GjR7M7uBicwnzwJD3 -SVfT9nx9HKF2nXZlHvs5ViQQru3qP1tc6i0eXEnPTYW2+zkZcN0e5iHyozEZHsO0 -rvc1p6G0YWtO +CQEWDWJ1aWxkQHN1c2UuZGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC 
+AQCrLYL1Uq02iIgro6x6PFESFDtUKU7xO/bJanI7+AQAroowFuLBI67BBSmoq3hR +QnH3OtQusGV8y+wvjaaunppvWMfjViZ88zssj5fKXrDr5U6BB566DJgHreWaEs2d +FD13XpKRr3Nk9zdjAJu5YsR7hI1NMXsnj1X8w71OY9HLjv+Kq9917PJwZQjOGnAJ +BQTi0ogHuLiwDqMKgg5rrYD4cJDPzoLEmEXnwHDIOSiWdD0bCzhN6GQDKldIxQ2O +d/mjUgzB+dWslIb+bUKaoJgDtyPV20W74t7Y2uwoaEVr9QkPoM3tOPttf4qsWo8B +J1TgeoF01ZeKcvSyvOXCKbfAN9sqURK2ZUTNThqZ//VPQmJP6fByrMJsbvTOSsQt +HI+fFPrg1DC2KT8SzuGtWDRscHZ7MofvUKEQolVgkGwp8u68t/RAAwDpUdqIajzi +yfp9qSDD+9uMeyiLa4rrAr2ATGohNBa0qha95slgvSepXbYKuHG5b4fWMsG7z4Uc +dqE2vK8cQma1nsAeQBaq2/89294TOHEzKyspesfCBCnKQ3q+l9xelYRdvapj1CH/ +cfUZf2/6X3VHN1P88RfRrPubswmrcOCEBT41upa2WKRDJ1GS6YhL6LJnrZSTjfe+ +KsfNVS1D+KqSKiK0hfk6YK6O88mMGeAKQs3Ap8WthBLf0QIDAQABo4IBGjCCARYw +DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUPU1Az5OFOQJLHPxaEt7f6LF+dV8w +gdMGA1UdIwSByzCByIAUPU1Az5OFOQJLHPxaEt7f6LF+dV+hgaykgakwgaYxLTAr +BgNVBAMMJFNVU0UgTGludXggRW50ZXJwcmlzZSBTZWN1cmUgQm9vdCBDQTELMAkG +A1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UECgwYU1VTRSBMaW51 +eCBQcm9kdWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFtMRwwGgYJKoZIhvcN +AQkBFg1idWlsZEBzdXNlLmRlggEBMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0B +AQsFAAOCAgEANtdMT47CjQtuERYa5jfygIO5F+urB4fl8pYcQQ/hTPE0KtAnAtrS +1strtMrVQ1t7Wu3fVbWYA6MZMXXkcwyyNbaWfj6roaSC6G5ZqCJ69oSyzaCbyaTI +eOgzIIiVGOAj7tiM6T88Xp9qx4Xa3F6UQHF6xfwBT3nNKerGKOG01p7mBfBewwO5 +Hxp7OAZmennUxV1uuT5/AsArxw9lMlawXhIAS7tRYHW+32D4tjHPDycldOw1hBjt +z5JdehBiTmxhJ6onl0HSpsX84IMSbkeFIxLfxIF0TNas1pGnSGmh8FcV+ck9js3P +yamJcNkgCstIwo3QZ2D5YdtQjOusyEuGjCIpDIQx36OMzeOo0SayOdzb2dSmcrHv +4DIkXDUELyIzu79A2R2KR7OQaGL6HGAVy6+yXHHygTbbUrb6ck2+aOG8913ChABc +ZAiSFFRKVZzzj7FeIxZNA8GBUbhd20eQB2fUXDypeAnTG6P3dtTs84xNb1qGm3VC +OAKjkWYQijLWmAOs9Q4NM/AXOeDTgXxA7iX7kWHRNeDbACirp7zM2ZOIP5ObIS6z +yMqcG9DecSVbXiH3MJDTBoB1idQTTyreqpM/l6N8xNNVjEiLJGMEM1SeYq6S1lFV +a+GcdOaLYkh7ya3I42l/tDOqH2OLIf7FEtocnc1xU6jTz8au1tZxec8= -----END CERTIFICATE----- diff --git a/attach_signature.sh b/attach_signature.sh index 689a7e4..9492186 100644 --- a/attach_signature.sh 
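Review bot: The replacement certificate is a different CA key, not a re-issue of the same one, and nothing in the diff lets a reviewer confirm which key it is. As far as the base64 can be read here, the SubjectKeyIdentifier after the `MB0GA1UdDgQW` marker changes from `BBTsqw1C…` to `BBQ9TUDP…`, the RSA key grows from 2048 to 4096 bits (`ggEiMA0…AoIBAQ` → `ggIiMA0…AoICAQ`), and the validity window moves from 2013-04-18 – 2035-03-14 to 2013-01-22 – 2034-12-18, while the subject (`SUSE Linux Enterprise Secure Boot CA`, build@suse.de) stays the same, so the swap is easy to miss. Anything that validated against the old CA — signed shims, db/MokList entries, and whatever used the `ca_string` selection removed from shim-install later in this diff — will presumably stop verifying against this file. Record the SHA-256 fingerprint of the new CA in the commit message or a sibling checksum file so it can be checked against the value SUSE publishes, rather than trusted because it sits in the repository.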
+++ b/attach_signature.sh @@ -11,4 +11,13 @@ fi outfile="${infile%.efi}-signed.efi" -pesign -m "$sig" -i "$infile" -o "$outfile" +nssdir=`mktemp -d` +cleanup() +{ + rm -r "$nssdir" +} +trap cleanup EXIT +echo > "$nssdir/pw" +certutil -f "$nssdir/pw" -d "$nssdir" -N + +pesign -n "$nssdir" -m "$sig" -i "$infile" -o "$outfile" diff --git a/extract_signature.sh b/extract_signature.sh index 0a989e5..e92e8a6 100644 --- a/extract_signature.sh +++ b/extract_signature.sh @@ -9,7 +9,16 @@ if [ -z "$infile" -o ! -e "$infile" ]; then exit 1 fi +nssdir=`mktemp -d` +cleanup() +{ + rm -r "$nssdir" +} +trap cleanup EXIT +echo > "$nssdir/pw" +certutil -f "$nssdir/pw" -d "$nssdir" -N + # wtf? -(pesign -h -P -i "$infile"; +(pesign -n "$nssdir" -h -P -i "$infile"; perl $(dirname $0)/timestamp.pl "$infile"; -pesign -a -f -e /dev/stdout -i "$infile")|cat +pesign -n "$nssdir" -a -f -e /dev/stdout -i "$infile")|cat diff --git a/signature-opensuse.asc b/microsoft.asc similarity index 100% rename from signature-opensuse.asc rename to microsoft.asc diff --git a/shim-allow-fallback-use-system-loadimage.patch b/shim-allow-fallback-use-system-loadimage.patch deleted file mode 100644 index c54b068..0000000 --- a/shim-allow-fallback-use-system-loadimage.patch +++ /dev/null 
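Review bot: `nssdir=\`mktemp -d\`` on the first added line is unchecked, so when mktemp fails `nssdir` is empty, `certutil -d ""` and `pesign -n ""` run against no database, and the EXIT trap executes `rm -r ""`; use `nssdir=$(mktemp -d) || exit 1` and harden the trap body to `rm -rf -- "${nssdir:?}"`. The empty-password database created by `echo > "$nssdir/pw"` and `certutil … -N` is presumably only a scratch store that pesign is pointed at via `-n`, which is fine, but a comment saying so (`# scratch NSS db with an empty password; pesign only needs it to exist via -n, no key material is stored here`) would stop a later reader from treating it as a real key store. The same nine-line setup is duplicated verbatim in extract_signature.sh in this commit, so a sourced helper would keep the two from drifting. The script's preamble (the `fi` closing the argument check) is outside the hunk, so whether `set -e` is in force cannot be seen here.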
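Review bot: The exit status of the extraction pipeline is still lost: `(pesign -n "$nssdir" -h -P -i "$infile"; perl …; pesign -n "$nssdir" -a -f -e /dev/stdout -i "$infile")|cat` exits with cat's status, so a pesign failure leaves a possibly truncated signature dump and a zero exit. The added `-n "$nssdir"` makes this more likely to matter, because the unchecked `nssdir=\`mktemp -d\`` on the first added line turns into `-n ""` when mktemp fails; check it with `nssdir=$(mktemp -d) || exit 1` and either drop the `|cat` or add `set -o pipefail` if the shebang (outside the hunk) is bash. The `# wtf?` comment above the subshell should instead state what the three commands emit in sequence — as far as the flags suggest, a pesign hash dump, the timestamp from timestamp.pl, and the exported signature — so the next reader does not have to reverse-engineer the output format.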
@@ -1,240 +0,0 @@ -From 06495f692fa748a553ffbde8bfae2974d8c791c0 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Fri, 14 Feb 2014 15:38:25 -0500 -Subject: [PATCH] Allow fallback to use the system's LoadImage/StartImage . - -Track use of the system's LoadImage(), and when the next StartImage() -call is for an image the system verified, allow that to count as -participating, since it has been verified by the system's db. - -Signed-off-by: Peter Jones ---- - replacements.c | 68 ++++++++++++++++++++++++++++++++++++++++++++- - replacements.h | 3 ++ - shim.c | 85 ++++++++++++++++++++++++++++++++++----------------------- - 3 files changed, 121 insertions(+), 35 deletions(-) - ---- a/replacements.c -+++ b/replacements.c -@@ -60,26 +60,82 @@ - - static EFI_SYSTEM_TABLE *systab; - -+static typeof(systab->BootServices->LoadImage) system_load_image; - static typeof(systab->BootServices->StartImage) system_start_image; - static typeof(systab->BootServices->Exit) system_exit; - static typeof(systab->BootServices->ExitBootServices) system_exit_boot_services; - -+static EFI_HANDLE last_loaded_image; -+ - void - unhook_system_services(void) - { - systab->BootServices->Exit = system_exit; -+ systab->BootServices->LoadImage = system_load_image; - systab->BootServices->StartImage = system_start_image; - systab->BootServices->ExitBootServices = system_exit_boot_services; - } - - static EFI_STATUS EFIAPI -+load_image(BOOLEAN BootPolicy, EFI_HANDLE ParentImageHandle, -+ EFI_DEVICE_PATH *DevicePath, VOID *SourceBuffer, -+ UINTN SourceSize, EFI_HANDLE *ImageHandle) -+{ -+ EFI_STATUS status; -+ unhook_system_services(); -+ -+ status = systab->BootServices->LoadImage(BootPolicy, -+ ParentImageHandle, DevicePath, -+ SourceBuffer, SourceSize, ImageHandle); -+ hook_system_services(systab); -+ if (EFI_ERROR(status)) -+ last_loaded_image = NULL; -+ else -+ last_loaded_image = *ImageHandle; -+ return status; -+} -+ -+static EFI_STATUS EFIAPI - start_image(EFI_HANDLE image_handle, UINTN 
*exit_data_size, CHAR16 **exit_data) - { - EFI_STATUS status; - unhook_system_services(); -+ -+ /* We have to uninstall shim's protocol here, because if we're -+ * On the fallback.efi path, then our call pathway is: -+ * -+ * shim->fallback->shim->grub -+ * ^ ^ ^ -+ * | | \- gets protocol #0 -+ * | \- installs its protocol (#1) -+ * \- installs its protocol (#0) -+ * and if we haven't removed this, then grub will get the *first* -+ * shim's protocol, but it'll get the second shim's systab -+ * replacements. So even though it will participate and verify -+ * the kernel, the systab never finds out. -+ */ -+ if (image_handle == last_loaded_image) { -+ loader_is_participating = 1; -+ uninstall_shim_protocols(); -+ } - status = systab->BootServices->StartImage(image_handle, exit_data_size, exit_data); -- if (EFI_ERROR(status)) -+ if (EFI_ERROR(status)) { -+ if (image_handle == last_loaded_image) { -+ EFI_STATUS status2 = install_shim_protocols(); -+ -+ if (EFI_ERROR(status2)) { -+ Print(L"Something has gone seriously wrong: %d\n", -+ status2); -+ Print(L"shim cannot continue, sorry.\n"); -+ systab->BootServices->Stall(5000000); -+ systab->RuntimeServices->ResetSystem( -+ EfiResetShutdown, -+ EFI_SECURITY_VIOLATION, 0, NULL); -+ } -+ } - hook_system_services(systab); -+ loader_is_participating = 0; -+ } - return status; - } - -@@ -123,6 +179,16 @@ hook_system_services(EFI_SYSTEM_TABLE *l - - /* We need to hook various calls to make this work... */ - -+ /* We need LoadImage() hooked so that fallback.c can load shim -+ * without having to fake LoadImage as well. This allows it -+ * to call the system LoadImage(), and have us track the output -+ * and mark loader_is_participating in start_image. This means -+ * anything added by fallback has to be verified by the system db, -+ * which we want to preserve anyway, since that's all launching -+ * through BDS gives us. 
*/ -+ system_load_image = systab->BootServices->LoadImage; -+ systab->BootServices->LoadImage = load_image; -+ - /* we need StartImage() so that we can allow chain booting to an - * image trusted by the firmware */ - system_start_image = systab->BootServices->StartImage; ---- a/replacements.h -+++ b/replacements.h -@@ -41,4 +41,7 @@ extern int loader_is_participating; - extern void hook_system_services(EFI_SYSTEM_TABLE *local_systab); - extern void unhook_system_services(void); - -+extern EFI_STATUS install_shim_protocols(void); -+extern void uninstall_shim_protocols(void); -+ - #endif /* SHIM_REPLACEMENTS_H */ ---- a/shim.c -+++ b/shim.c -@@ -1719,11 +1719,56 @@ EFI_STATUS set_second_stage (EFI_HANDLE - return EFI_SUCCESS; - } - --EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) -+static SHIM_LOCK shim_lock_interface; -+static EFI_HANDLE shim_lock_handle; -+ -+EFI_STATUS -+install_shim_protocols(void) -+{ -+ EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; -+ EFI_STATUS efi_status; -+ /* -+ * Install the protocol -+ */ -+ efi_status = uefi_call_wrapper(BS->InstallProtocolInterface, 4, -+ &shim_lock_handle, &shim_lock_guid, -+ EFI_NATIVE_INTERFACE, &shim_lock_interface); -+ if (EFI_ERROR(efi_status)) { -+ console_error(L"Could not install security protocol", -+ efi_status); -+ return efi_status; -+ } -+ -+#if defined(OVERRIDE_SECURITY_POLICY) -+ /* -+ * Install the security protocol hook -+ */ -+ security_policy_install(shim_verify); -+#endif -+ -+ return EFI_SUCCESS; -+} -+ -+void -+uninstall_shim_protocols(void) - { - EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; -- static SHIM_LOCK shim_lock_interface; -- EFI_HANDLE handle = NULL; -+#if defined(OVERRIDE_SECURITY_POLICY) -+ /* -+ * Clean up the security protocol hook -+ */ -+ security_policy_uninstall(); -+#endif -+ -+ /* -+ * If we're back here then clean everything up before exiting -+ */ -+ uefi_call_wrapper(BS->UninstallProtocolInterface, 3, shim_lock_handle, -+ &shim_lock_guid, 
&shim_lock_interface); -+} -+ -+EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) -+{ - EFI_STATUS efi_status; - - verification_method = VERIFIED_BY_NOTHING; -@@ -1776,24 +1821,9 @@ EFI_STATUS efi_main (EFI_HANDLE image_ha - loader_is_participating = 0; - } - -- /* -- * Install the protocol -- */ -- efi_status = uefi_call_wrapper(BS->InstallProtocolInterface, 4, -- &handle, &shim_lock_guid, EFI_NATIVE_INTERFACE, -- &shim_lock_interface); -- if (EFI_ERROR(efi_status)) { -- console_error(L"Could not install security protocol", -- efi_status); -+ efi_status = install_shim_protocols(); -+ if (EFI_ERROR(efi_status)) - return efi_status; -- } -- --#if defined(OVERRIDE_SECURITY_POLICY) -- /* -- * Install the security protocol hook -- */ -- security_policy_install(shim_verify); --#endif - - /* - * Enter MokManager if necessary -@@ -1820,20 +1850,7 @@ EFI_STATUS efi_main (EFI_HANDLE image_ha - - efi_status = init_grub(image_handle); - --#if defined(OVERRIDE_SECURITY_POLICY) -- /* -- * Clean up the security protocol hook -- */ -- security_policy_uninstall(); --#endif -- -- /* -- * If we're back here then clean everything up before exiting -- */ -- uefi_call_wrapper(BS->UninstallProtocolInterface, 3, handle, -- &shim_lock_guid, &shim_lock_interface); -- -- -+ uninstall_shim_protocols(); - /* - * Remove our hooks from system services. - */ diff --git a/shim-bnc863205-mokmanager-fix-hash-delete.patch b/shim-bnc863205-mokmanager-fix-hash-delete.patch deleted file mode 100644 index c476741..0000000 --- a/shim-bnc863205-mokmanager-fix-hash-delete.patch +++ /dev/null 
@@ -1,86 +0,0 @@ -From 23cdee7b62fc62cd988d74b2180014595da9e4c5 Mon Sep 17 00:00:00 2001 -From: Gary Ching-Pang Lin -Date: Thu, 13 Feb 2014 15:05:45 +0800 -Subject: [PATCH 1/2] MokManager: calculate the variable size correctly - -MokSize of the hash signature list includes the owner GUID, -so we should not add the 16bytes compensation. - -Signed-off-by: Gary Ching-Pang Lin ---- - MokManager.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/MokManager.c b/MokManager.c -index e79a8e0..e0cc143 100644 ---- a/MokManager.c -+++ b/MokManager.c -@@ -934,7 +934,9 @@ static EFI_STATUS write_back_mok_list (MokListNode *list, INTN key_num, - if (list[i].Mok == NULL) - continue; - -- DataSize += sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID); -+ DataSize += sizeof(EFI_SIGNATURE_LIST); -+ if (CompareGuid(&(list[i].Type), &CertType) == 0) -+ DataSize += sizeof(EFI_GUID); - DataSize += list[i].MokSize; - } - --- -1.8.4.5 - - -From 6b70c15cd8a83e0e62088bc4f2f8e84e818d2b73 Mon Sep 17 00:00:00 2001 -From: Gary Ching-Pang Lin -Date: Mon, 17 Feb 2014 17:49:55 +0800 -Subject: [PATCH 2/2] MokManager: fix the hash list counting in delete - -match_hash() requests the number of keys in a list and it was -mistakenly replaced with the size of the Mok node. This would -made MokManager to remove the whole Mok node instead of one -hash. 
- -Signed-off-by: Gary Ching-Pang Lin ---- - MokManager.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/MokManager.c b/MokManager.c -index e0cc143..5af5ce6 100644 ---- a/MokManager.c -+++ b/MokManager.c -@@ -1042,6 +1042,7 @@ static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size, - { - EFI_GUID HashType = EFI_CERT_SHA256_GUID; - UINT32 sig_size; -+ UINT32 list_num; - int i, del_ind; - void *start, *end; - UINT32 remain; -@@ -1053,8 +1054,10 @@ static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size, - (mok[i].MokSize < sig_size)) - continue; - -+ list_num = mok[i].MokSize / sig_size; -+ - del_ind = match_hash(hash, hash_size, 0, mok[i].Mok, -- mok[i].MokSize); -+ list_num); - while (del_ind >= 0) { - /* Remove the hash */ - if (sig_size == mok[i].MokSize) { -@@ -1069,9 +1072,10 @@ static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size, - - mem_move(start, end, remain); - mok[i].MokSize -= sig_size; -+ list_num--; - - del_ind = match_hash(hash, hash_size, del_ind, -- mok[i].Mok, mok[i].MokSize); -+ mok[i].Mok, list_num); - } - } - } --- -1.8.4.5 - diff --git a/shim-fallback-avoid-duplicate-bootorder.patch b/shim-fallback-avoid-duplicate-bootorder.patch deleted file mode 100644 index 6dad135..0000000 --- a/shim-fallback-avoid-duplicate-bootorder.patch +++ /dev/null 
@@ -1,177 +0,0 @@ -From 99858938a08dbdd892cc5438ec49b4262077017d Mon Sep 17 00:00:00 2001 -From: Gary Ching-Pang Lin -Date: Thu, 6 Mar 2014 11:58:36 +0800 -Subject: [PATCH 1/3] [fallback] Avoid duplicate old BootOrder - -set_boot_order() already copies the old BootOrder to the variable, -bootorder. Besides, we can adjust BootOrder when adding the newly -generated boot option. So, we don't have to copy the old one again -in update_boot_order(). This avoid the duplicate entries in BootOrder. - -Signed-off-by: Gary Ching-Pang Lin ---- - fallback.c | 39 +++++++++++++-------------------------- - 1 file changed, 13 insertions(+), 26 deletions(-) - -diff --git a/fallback.c b/fallback.c -index 44638ec..8aee618 100644 ---- a/fallback.c -+++ b/fallback.c -@@ -204,12 +204,12 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp, - return EFI_OUT_OF_RESOURCES; - - int j = 0; -+ newbootorder[0] = i & 0xffff; - if (nbootorder) { -- for (j = 0; j < nbootorder; j++) -- newbootorder[j] = bootorder[j]; -+ for (j = 1; j < nbootorder + 1; j++) -+ newbootorder[j] = bootorder[j-1]; - FreePool(bootorder); - } -- newbootorder[j] = i & 0xffff; - bootorder = newbootorder; - nbootorder += 1; - #ifdef DEBUG_FALLBACK -@@ -307,28 +307,17 @@ set_boot_order(void) - EFI_STATUS - update_boot_order(void) - { -- CHAR16 *oldbootorder; - UINTN size; -+ UINTN len = 0; - EFI_GUID global = EFI_GLOBAL_VARIABLE; - CHAR16 *newbootorder = NULL; -+ EFI_STATUS rc; - -- oldbootorder = LibGetVariableAndSize(L"BootOrder", &global, &size); -- if (oldbootorder) { -- int n = size / sizeof (CHAR16) + nbootorder; -- -- newbootorder = AllocateZeroPool(n * sizeof (CHAR16)); -- if (!newbootorder) -- return EFI_OUT_OF_RESOURCES; -- CopyMem(newbootorder, bootorder, nbootorder * sizeof (CHAR16)); -- CopyMem(newbootorder + nbootorder, oldbootorder, size); -- size = n * sizeof (CHAR16); -- } else { -- size = nbootorder * sizeof(CHAR16); -- newbootorder = AllocateZeroPool(size); -- if (!newbootorder) -- return 
EFI_OUT_OF_RESOURCES; -- CopyMem(newbootorder, bootorder, size); -- } -+ size = nbootorder * sizeof(CHAR16); -+ newbootorder = AllocateZeroPool(size); -+ if (!newbootorder) -+ return EFI_OUT_OF_RESOURCES; -+ CopyMem(newbootorder, bootorder, size); - - #ifdef DEBUG_FALLBACK - Print(L"nbootorder: %d\nBootOrder: ", size / sizeof (CHAR16)); -@@ -337,13 +326,11 @@ update_boot_order(void) - Print(L"%04x ", newbootorder[j]); - Print(L"\n"); - #endif -- -- if (oldbootorder) { -+ rc = uefi_call_wrapper(RT->GetVariable, 5, L"BootOrder", &global, -+ NULL, &len, NULL); -+ if (rc == EFI_BUFFER_TOO_SMALL) - LibDeleteVariable(L"BootOrder", &global); -- FreePool(oldbootorder); -- } - -- EFI_STATUS rc; - rc = uefi_call_wrapper(RT->SetVariable, 5, L"BootOrder", &global, - EFI_VARIABLE_NON_VOLATILE | - EFI_VARIABLE_BOOTSERVICE_ACCESS | --- -1.8.4.5 - - -From 80c15a7e90d8f51b09211994895a64ec5e4f5c1e Mon Sep 17 00:00:00 2001 -From: Gary Ching-Pang Lin -Date: Thu, 6 Mar 2014 10:57:02 +0800 -Subject: [PATCH 2/3] [fallback] Fix the data size for boot option comparison - -Signed-off-by: Gary Ching-Pang Lin ---- - fallback.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/fallback.c b/fallback.c -index 8aee618..156115f 100644 ---- a/fallback.c -+++ b/fallback.c -@@ -231,7 +231,7 @@ find_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label, - { - int size = sizeof(UINT32) + sizeof (UINT16) + - StrLen(label)*2 + 2 + DevicePathSize(dp) + -- StrLen(arguments) * 2 + 2; -+ StrLen(arguments) * 2; - - CHAR8 *data = AllocateZeroPool(size); - if (!data) --- -1.8.4.5 - - -From 70ffe93b85380a9866ebf3a99b35dde0b332cd65 Mon Sep 17 00:00:00 2001 -From: Gary Ching-Pang Lin -Date: Wed, 5 Mar 2014 18:14:09 +0800 -Subject: [PATCH 3/3] [fallback] Try to boot the first boot option anyway - -Some UEFI implementations never care the boot options, so the -restored boot options could be just ignored and this results in -endless reboot. 
-To avoid this situation, this commit makes fallback.efi to -load the first matched boot option even if there is not boot -option to be restored. - -Signed-off-by: Gary Ching-Pang Lin ---- - fallback.c | 13 ++++++++++--- - 1 file changed, 10 insertions(+), 3 deletions(-) - -diff --git a/fallback.c b/fallback.c -index 156115f..777e708 100644 ---- a/fallback.c -+++ b/fallback.c -@@ -226,8 +226,9 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp, - } - - EFI_STATUS --find_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label, -- CHAR16 *arguments, UINT16 *optnum) -+find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp, -+ CHAR16 *filename, CHAR16 *label, CHAR16 *arguments, -+ UINT16 *optnum) - { - int size = sizeof(UINT32) + sizeof (UINT16) + - StrLen(label)*2 + 2 + DevicePathSize(dp) + -@@ -278,6 +279,12 @@ find_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label, - continue; - - /* at this point, we have duplicate data. */ -+ if (!first_new_option) { -+ first_new_option = DuplicateDevicePath(fulldp); -+ first_new_option_args = arguments; -+ first_new_option_size = StrLen(arguments) * sizeof (CHAR16); -+ } -+ - *optnum = i; - FreePool(candidate); - FreePool(data); -@@ -403,7 +410,7 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 * - #endif - - UINT16 option; -- rc = find_boot_option(dp, fullpath, label, arguments, &option); -+ rc = find_boot_option(dp, full_device_path, fullpath, label, arguments, &option); - if (EFI_ERROR(rc)) { - add_boot_option(dp, full_device_path, fullpath, label, arguments); - } else if (option != 0) { --- -1.8.4.5 - diff --git a/shim-fallback-improve-entries-creation.patch b/shim-fallback-improve-entries-creation.patch deleted file mode 100644 index efe5c52..0000000 --- a/shim-fallback-improve-entries-creation.patch +++ /dev/null 
@@ -1,365 +0,0 @@ -From 9ba08c4e8e7cf9b001497a0752652e0ece0b2b84 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Fri, 31 Jan 2014 10:30:24 -0500 -Subject: [PATCH 1/2] For HD() device paths, use just the media node and later. - -UEFI 2.x section 3.1.2 provides for "short-form device path", where the -first element specified is a "hard drive media device path", so that you -can move a disk around on different buses without invalidating your -device path. Fallback has not been using this option, though in most -cases efibootmgr has. - -Note that we still keep the full device path, because LoadImage() -isn't necessarily the layer where HD() works - one some systems BDS is -responsible for resolving the full path and passes that to LoadImage() -instead. So we have to do LoadImage() with the full path. ---- - fallback.c | 103 ++++++++++++++++++++++++++++++++++++++++++++++--------------- - 1 file changed, 78 insertions(+), 25 deletions(-) - -diff --git a/fallback.c b/fallback.c -index 82ddbf2..7f4201e 100644 ---- a/fallback.c -+++ b/fallback.c -@@ -15,6 +15,27 @@ - EFI_LOADED_IMAGE *this_image = NULL; - - static EFI_STATUS -+FindSubDevicePath(EFI_DEVICE_PATH *In, UINT8 Type, UINT8 SubType, -+ EFI_DEVICE_PATH **Out) -+{ -+ EFI_DEVICE_PATH *dp = In; -+ if (!In || !Out) -+ return EFI_INVALID_PARAMETER; -+ -+ for (dp = In; !IsDevicePathEnd(dp); dp = NextDevicePathNode(dp)) { -+ if (DevicePathType(dp) == Type && -+ DevicePathSubType(dp) == SubType) { -+ *Out = DuplicateDevicePath(dp); -+ if (!*Out) -+ return EFI_OUT_OF_RESOURCES; -+ return EFI_SUCCESS; -+ } -+ } -+ *Out = NULL; -+ return EFI_NOT_FOUND; -+} -+ -+static EFI_STATUS - get_file_size(EFI_FILE_HANDLE fh, UINT64 *retsize) - { - EFI_STATUS rc; -@@ -93,7 +114,9 @@ make_full_path(CHAR16 *dirname, CHAR16 *filename, CHAR16 **out, UINT64 *outlen) - { - UINT64 len; - -- len = StrLen(dirname) + StrLen(filename) + StrLen(L"\\EFI\\\\") + 2; -+ len = StrLen(L"\\EFI\\") + StrLen(dirname) -+ + StrLen(L"\\") + StrLen(filename) 
-+ + 2; - - CHAR16 *fullpath = AllocateZeroPool(len*sizeof(CHAR16)); - if (!fullpath) { -@@ -119,7 +142,8 @@ VOID *first_new_option_args = NULL; - UINTN first_new_option_size = 0; - - EFI_STATUS --add_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label, CHAR16 *arguments) -+add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp, -+ CHAR16 *filename, CHAR16 *label, CHAR16 *arguments) - { - static int i = 0; - CHAR16 varname[] = L"Boot0000"; -@@ -136,24 +160,31 @@ add_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label, CHAR16 *ar - void *var = LibGetVariable(varname, &global); - if (!var) { - int size = sizeof(UINT32) + sizeof (UINT16) + -- StrLen(label)*2 + 2 + DevicePathSize(dp) + -- StrLen(arguments) * 2 + 2; -+ StrLen(label)*2 + 2 + DevicePathSize(hddp) + -+ StrLen(arguments) * 2; - - CHAR8 *data = AllocateZeroPool(size); - CHAR8 *cursor = data; - *(UINT32 *)cursor = LOAD_OPTION_ACTIVE; - cursor += sizeof (UINT32); -- *(UINT16 *)cursor = DevicePathSize(dp); -+ *(UINT16 *)cursor = DevicePathSize(hddp); - cursor += sizeof (UINT16); - StrCpy((CHAR16 *)cursor, label); - cursor += StrLen(label)*2 + 2; -- CopyMem(cursor, dp, DevicePathSize(dp)); -- cursor += DevicePathSize(dp); -+ CopyMem(cursor, hddp, DevicePathSize(hddp)); -+ cursor += DevicePathSize(hddp); - StrCpy((CHAR16 *)cursor, arguments); - - Print(L"Creating boot entry \"%s\" with label \"%s\" " - L"for file \"%s\"\n", - varname, label, filename); -+ -+ if (!first_new_option) { -+ first_new_option = DuplicateDevicePath(fulldp); -+ first_new_option_args = arguments; -+ first_new_option_size = StrLen(arguments) * sizeof (CHAR16); -+ } -+ - rc = uefi_call_wrapper(RT->SetVariable, 5, varname, - &global, EFI_VARIABLE_NON_VOLATILE | - EFI_VARIABLE_BOOTSERVICE_ACCESS | -@@ -254,7 +285,10 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 * - if (EFI_ERROR(rc)) - return rc; - -- EFI_DEVICE_PATH *dph = NULL, *dpf = NULL, *dp = NULL; -+ EFI_DEVICE_PATH 
*dph = NULL; -+ EFI_DEVICE_PATH *file = NULL; -+ EFI_DEVICE_PATH *full_device_path = NULL; -+ EFI_DEVICE_PATH *dp = NULL; - - dph = DevicePathFromHandle(this_image->DeviceHandle); - if (!dph) { -@@ -262,19 +296,31 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 * - goto err; - } - -- dpf = FileDevicePath(fh, fullpath); -- if (!dpf) { -+ file = FileDevicePath(fh, fullpath); -+ if (!file) { - rc = EFI_OUT_OF_RESOURCES; - goto err; - } - -- dp = AppendDevicePath(dph, dpf); -- if (!dp) { -+ full_device_path = AppendDevicePath(dph, file); -+ if (!full_device_path) { - rc = EFI_OUT_OF_RESOURCES; - goto err; - } - -+ rc = FindSubDevicePath(full_device_path, -+ MEDIA_DEVICE_PATH, MEDIA_HARDDRIVE_DP, &dp); -+ if (EFI_ERROR(rc)) { -+ if (rc == EFI_NOT_FOUND) { -+ dp = full_device_path; -+ } else { -+ rc = EFI_OUT_OF_RESOURCES; -+ goto err; -+ } -+ } -+ - #ifdef DEBUG_FALLBACK -+ { - UINTN s = DevicePathSize(dp); - int i; - UINT8 *dpv = (void *)dp; -@@ -287,20 +333,16 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 * - - CHAR16 *dps = DevicePathToStr(dp); - Print(L"device path: \"%s\"\n", dps); --#endif -- if (!first_new_option) { -- CHAR16 *dps = DevicePathToStr(dp); -- Print(L"device path: \"%s\"\n", dps); -- first_new_option = DuplicateDevicePath(dp); -- first_new_option_args = arguments; -- first_new_option_size = StrLen(arguments) * sizeof (CHAR16); - } -+#endif - -- add_boot_option(dp, fullpath, label, arguments); -+ add_boot_option(dp, full_device_path, fullpath, label, arguments); - - err: -- if (dpf) -- FreePool(dpf); -+ if (file) -+ FreePool(file); -+ if (full_device_path) -+ FreePool(full_device_path); - if (dp) - FreePool(dp); - if (fullpath) -@@ -622,8 +664,19 @@ try_start_first_option(EFI_HANDLE parent_image_handle) - first_new_option, NULL, 0, - &image_handle); - if (EFI_ERROR(rc)) { -- Print(L"LoadImage failed: %d\n", rc); -- uefi_call_wrapper(BS->Stall, 1, 2000000); -+ CHAR16 *dps = 
DevicePathToStr(first_new_option); -+ UINTN s = DevicePathSize(first_new_option); -+ int i; -+ UINT8 *dpv = (void *)first_new_option; -+ Print(L"LoadImage failed: %d\nDevice path: \"%s\"\n", rc, dps); -+ for (i = 0; i < s; i++) { -+ if (i > 0 && i % 16 == 0) -+ Print(L"\n"); -+ Print(L"%02x ", dpv[i]); -+ } -+ Print(L"\n"); -+ -+ uefi_call_wrapper(BS->Stall, 1, 500000000); - return rc; - } - -@@ -637,7 +690,7 @@ try_start_first_option(EFI_HANDLE parent_image_handle) - rc = uefi_call_wrapper(BS->StartImage, 3, image_handle, NULL, NULL); - if (EFI_ERROR(rc)) { - Print(L"StartImage failed: %d\n", rc); -- uefi_call_wrapper(BS->Stall, 1, 2000000); -+ uefi_call_wrapper(BS->Stall, 1, 500000000); - } - return rc; - } --- -1.8.4.5 - - -From 23ed6291df5dd34789829607a97b3605b739a629 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Fri, 31 Jan 2014 10:31:10 -0500 -Subject: [PATCH 2/2] Attempt to re-use existing entries when possible. - -Some firmwares seem to ignore our boot entries and put their fallback -entries back on top. Right now that results in a lot of boot entries -for our stuff, a la https://bugzilla.redhat.com/show_bug.cgi?id=995834 . - -Instead of that happening, if we simply find existing entries that match -the entry we would create and move them to the top of the boot order, -the machine will continue to operate in failure mode (which we can't -avoid), but at least we won't create thousands of extra entries. 
- -Signed-off-by: Peter Jones ---- - fallback.c | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- - 1 file changed, 98 insertions(+), 1 deletion(-) - -diff --git a/fallback.c b/fallback.c -index 7f4201e..044e4ba 100644 ---- a/fallback.c -+++ b/fallback.c -@@ -226,6 +226,85 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp, - } - - EFI_STATUS -+find_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label, -+ CHAR16 *arguments, UINT16 *optnum) -+{ -+ int size = sizeof(UINT32) + sizeof (UINT16) + -+ StrLen(label)*2 + 2 + DevicePathSize(dp) + -+ StrLen(arguments) * 2 + 2; -+ -+ CHAR8 *data = AllocateZeroPool(size); -+ if (!data) -+ return EFI_OUT_OF_RESOURCES; -+ CHAR8 *cursor = data; -+ *(UINT32 *)cursor = LOAD_OPTION_ACTIVE; -+ cursor += sizeof (UINT32); -+ *(UINT16 *)cursor = DevicePathSize(dp); -+ cursor += sizeof (UINT16); -+ StrCpy((CHAR16 *)cursor, label); -+ cursor += StrLen(label)*2 + 2; -+ CopyMem(cursor, dp, DevicePathSize(dp)); -+ cursor += DevicePathSize(dp); -+ StrCpy((CHAR16 *)cursor, arguments); -+ -+ int i = 0; -+ CHAR16 varname[] = L"Boot0000"; -+ CHAR16 hexmap[] = L"0123456789ABCDEF"; -+ EFI_GUID global = EFI_GLOBAL_VARIABLE; -+ EFI_STATUS rc; -+ -+ CHAR8 *candidate = AllocateZeroPool(size); -+ if (!candidate) { -+ FreePool(data); -+ return EFI_OUT_OF_RESOURCES; -+ } -+ -+ for(i = 0; i < nbootorder && i < 0x10000; i++) { -+ varname[4] = hexmap[(bootorder[i] & 0xf000) >> 12]; -+ varname[5] = hexmap[(bootorder[i] & 0x0f00) >> 8]; -+ varname[6] = hexmap[(bootorder[i] & 0x00f0) >> 4]; -+ varname[7] = hexmap[(bootorder[i] & 0x000f) >> 0]; -+ -+ UINTN candidate_size = size; -+ rc = uefi_call_wrapper(RT->GetVariable, 5, varname, &global, -+ NULL, &candidate_size, candidate); -+ if (EFI_ERROR(rc)) -+ continue; -+ -+ if (candidate_size != size) -+ continue; -+ -+ if (CompareMem(candidate, data, size)) -+ continue; -+ -+ /* at this point, we have duplicate data. 
*/ -+ *optnum = i; -+ FreePool(candidate); -+ FreePool(data); -+ return EFI_SUCCESS; -+ } -+ FreePool(candidate); -+ FreePool(data); -+ return EFI_NOT_FOUND; -+} -+ -+EFI_STATUS -+set_boot_order(void) -+{ -+ CHAR16 *oldbootorder; -+ UINTN size; -+ EFI_GUID global = EFI_GLOBAL_VARIABLE; -+ -+ oldbootorder = LibGetVariableAndSize(L"BootOrder", &global, &size); -+ if (oldbootorder) { -+ nbootorder = size / sizeof (CHAR16); -+ bootorder = oldbootorder; -+ } -+ return EFI_SUCCESS; -+ -+} -+ -+EFI_STATUS - update_boot_order(void) - { - CHAR16 *oldbootorder; -@@ -336,7 +415,23 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 * - } - #endif - -- add_boot_option(dp, full_device_path, fullpath, label, arguments); -+ UINT16 option; -+ rc = find_boot_option(dp, fullpath, label, arguments, &option); -+ if (EFI_ERROR(rc)) { -+ add_boot_option(dp, full_device_path, fullpath, label, arguments); -+ } else if (option != 0) { -+ CHAR16 *newbootorder; -+ newbootorder = AllocateZeroPool(sizeof (CHAR16) * nbootorder); -+ if (!newbootorder) -+ return EFI_OUT_OF_RESOURCES; -+ -+ newbootorder[0] = bootorder[option]; -+ CopyMem(newbootorder + 1, bootorder, sizeof (CHAR16) * option); -+ CopyMem(newbootorder + option + 1, bootorder + option + 1, -+ sizeof (CHAR16) * (nbootorder - option - 1)); -+ FreePool(bootorder); -+ bootorder = newbootorder; -+ } - - err: - if (file) -@@ -710,6 +805,8 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *systab) - - Print(L"System BootOrder not found. Initializing defaults.\n"); - -+ set_boot_order(); -+ - rc = find_boot_options(this_image->DeviceHandle); - if (EFI_ERROR(rc)) { - Print(L"Error: could not find boot options: %d\n", rc); --- -1.8.4.5 - diff --git a/shim-fix-uninitialized-variable.patch b/shim-fix-uninitialized-variable.patch deleted file mode 100644 index e1c9b9c..0000000 --- a/shim-fix-uninitialized-variable.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From ccf21ef9a8868aacf9084400a15d73fcc24a6d39 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Fri, 15 Nov 2013 09:21:53 -0500 -Subject: [PATCH 1/2] Fix wrong sizeof(). - -CHAR16* vs CHAR16**, so the result is the same on all platforms. - -Detected by coverity. - -Signed-off-by: Peter Jones ---- - lib/shell.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/shell.c b/lib/shell.c -index 51de4e0..7337834 100644 ---- a/lib/shell.c -+++ b/lib/shell.c -@@ -35,7 +35,7 @@ argsplit(EFI_HANDLE image, int *argc, CHAR16*** ARGV) - - (*argc)++; /* we counted spaces, so add one for initial */ - -- *ARGV = AllocatePool(*argc * sizeof(*ARGV)); -+ *ARGV = AllocatePool(*argc * sizeof(**ARGV)); - if (!*ARGV) { - return EFI_OUT_OF_RESOURCES; - } --- -1.8.4.5 - - -From c4277cf343555646dbf0c17679108983af1e8887 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Fri, 15 Nov 2013 09:24:01 -0500 -Subject: [PATCH 2/2] Initialize entries before we pass it to another function. - -Coverity scan noticed that entries is uninitialized when we pass its -location to another function. - -Signed-off-by: Peter Jones ---- - lib/simple_file.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/simple_file.c b/lib/simple_file.c -index 3af0ec8..d345d87 100644 ---- a/lib/simple_file.c -+++ b/lib/simple_file.c -@@ -415,7 +415,7 @@ simple_file_selector(EFI_HANDLE *im, CHAR16 **title, CHAR16 *name, - CHAR16 *filter, CHAR16 **result) - { - EFI_STATUS status; -- CHAR16 **entries; -+ CHAR16 **entries = NULL; - EFI_FILE_INFO *dmp; - int count, select, len; - CHAR16 *newname, *selected; --- -1.8.4.5 - diff --git a/shim-get-variable-check.patch b/shim-get-variable-check.patch deleted file mode 100644 index 53801e6..0000000 --- a/shim-get-variable-check.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From 293f28d1fe3921c5348c60948b4dedcef5042d5b Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Fri, 15 Nov 2013 10:55:37 -0500 -Subject: [PATCH] Error check the right thing in get_variable_attr() when - allocating. - -Signed-off-by: Peter Jones ---- - lib/variables.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/variables.c b/lib/variables.c -index 81bd34d..3a9735e 100644 ---- a/lib/variables.c -+++ b/lib/variables.c -@@ -224,7 +224,7 @@ get_variable_attr(CHAR16 *var, UINT8 **data, UINTN *len, EFI_GUID owner, - return efi_status; - - *data = AllocateZeroPool(*len); -- if (!data) -+ if (!*data) - return EFI_OUT_OF_RESOURCES; - - efi_status = uefi_call_wrapper(RT->GetVariable, 5, var, &owner, --- -1.8.4.5 - diff --git a/shim-install b/shim-install index 93c1ddc..250a3c9 100644 --- a/shim-install +++ b/shim-install @@ -4,18 +4,14 @@ rootdir= bootdir= efidir= install_device= -efibootdir= -ca_string= removable=no clean=no sysconfdir="/etc" libdir="/usr/lib64" source_dir="$libdir/efi" grub_probe="`which grub2-probe`" -grub_mkrelpath="`which grub2-mkrelpath`" self="`basename $0`" grub_cfg="/boot/grub2/grub.cfg" -update_boot=no # Get GRUB_DISTRIBUTOR. if test -f "${sysconfdir}/default/grub" ; then @@ -30,14 +26,6 @@ fi efi_distributor="$bootloader_id" bootloader_id="${bootloader_id}-secureboot" -case "$bootloader_id" in - "sle"*) - ca_string='SUSE Linux Enterprise Secure Boot CA1';; - "opensuse"*) - ca_string='openSUSE Secure Boot CA1';; - *) ca_string="";; -esac - usage () { echo "Usage: $self [OPTION] [INSTALL_DEVICE]" echo 
@@ -181,32 +169,18 @@ fi if test -n "$efidir"; then efi_file=shim.efi - efibootdir="$efidir/EFI/boot" - mkdir -p "$efibootdir" || exit 1 efidir="$efidir/EFI/$efi_distributor" mkdir -p "$efidir" || exit 1 else exit 1; fi -if test -f "$efibootdir/bootx64.efi"; then - if test -n "$ca_string" && (grep -q "$ca_string" "$efibootdir/bootx64.efi"); then - update_boot=yes - fi -else - update_boot=yes -fi - if test "$clean" = "yes"; then rm -f "${efidir}/shim.efi" rm -f "${efidir}/MokManager.efi" rm -f "${efidir}/grub.efi" rm -f "${efidir}/grub.cfg" rm -f "${efidir}/boot.csv" - if test "$update_boot" = "yes"; then - rm -f "${efibootdir}/bootx64.efi" - rm -f "${efibootdir}/fallback.efi" - fi efibootmgr="`which efibootmgr`" if test "$removable" = no && test -n "$bootloader_id" && test -n "$efibootmgr"; then # Delete old entries from the same distributor. @@ -222,70 +196,17 @@ cp "${source_dir}/shim.efi" "${efidir}" cp "${source_dir}/MokManager.efi" "${efidir}" cp "${source_dir}/grub.efi" "${efidir}" echo "shim.efi,${bootloader_id}" | iconv -f ascii -t ucs2 > "${efidir}/boot.csv" -if test "$update_boot" = "yes"; then - cp "${source_dir}/shim.efi" "${efibootdir}/bootx64.efi" - cp "${source_dir}/fallback.efi" "${efibootdir}" -fi - - -make_grubcfg () { grub_cfg_dirname=`dirname $grub_cfg` grub_cfg_basename=`basename $grub_cfg` cfg_fs_uuid=`"$grub_probe" --target=fs_uuid "$grub_cfg_dirname"` -descriptive_config="snapshot_submenu.cfg" -root_fstype=`$grub_probe -t fs /` -boot_fstype=`$grub_probe -t fs /boot` -if [ "x${root_fstype}" != "xbtrfs" ] || - [ "x${boot_fstype}" != "xbtrfs" ]; then - echo "/ is not on btrfs" >&2 - exit 1; -fi - -if test "x$SUSE_BTRFS_SNAPSHOT_BOOTING" = "xtrue" && - test "x$root_fstype" = "xbtrfs" && - test "x$boot_fstype" = "xbtrfs"; then - -cat < "${efidir}/grub.cfg" +echo "configfile \$prefix/${grub_cfg_basename}") \ +> "${efidir}/grub.cfg" efibootmgr="`which efibootmgr`" if test "$removable" = no && test -n "$bootloader_id" && test -n "$efibootmgr"; then 
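Review bot: The `clean=yes` branch after this hunk's `fi` now only removes files under `${efidir}`, but earlier revisions of this script (the removed `update_boot` path in this and the next hunk) also copied `shim.efi` to `$efidir/EFI/boot/bootx64.efi` and `fallback.efi` next to it, so on a machine upgraded from that version `--clean` leaves a stale, unmaintained copy of shim in the removable-media path. If dropping the fallback install is intended, the ESP root is still in `$efidir` on the line before it is reassigned to `"$efidir/EFI/$efi_distributor"`, so the legacy location can be cleaned with a constructed guard such as `esp=$efidir` saved there and `rm -f "$esp/EFI/boot/bootx64.efi" "$esp/EFI/boot/fallback.efi"` inside the clean block; otherwise the usage text should state that a previously installed `EFI/boot/bootx64.efi` is left in place. The `clean` block itself continues past the end of the hunk.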
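Review bot: The new redirection `> "${efidir}/grub.cfg"` at the end of the second hunk (`@@ -222,70 +196,17 @@`) has no failure check, unlike `mkdir -p "$efidir" || exit 1` earlier in the file, so a full or read-only ESP leaves a truncated or missing grub.cfg and the script still proceeds to the `efibootmgr` registration below; the three unchecked `cp` lines of the signed binaries just above have the same gap. Suggest `> "${efidir}/grub.cfg" || exit 1` and `cp "${source_dir}/shim.efi" "${efidir}" || exit 1` (likewise for MokManager.efi and grub.efi). This hunk appears truncated in this view (the old here-document and the opening of the new `( echo … )` group are not shown), so only the visible lines were reviewed; in particular it is not visible whether `cfg_fs_uuid`, which is taken from `"$grub_probe"` without checking the probe's exit status, is still embedded in the generated config.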
diff --git a/shim-mokmanager-delete-bs-var-right.patch b/shim-mokmanager-delete-bs-var-right.patch deleted file mode 100644 index 3e244c0..0000000 --- a/shim-mokmanager-delete-bs-var-right.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -From 3c545d630917d76d91a8491f8759927f512e56f2 Mon Sep 17 00:00:00 2001 -From: Gary Ching-Pang Lin -Date: Fri, 7 Mar 2014 16:56:14 +0800 -Subject: [PATCH] MokManager: delete the BS+NV variables the right way - -LibDeleteVariable assumes that the variable is RT+NV and it -won't work on a BS+NV variable. - -Signed-off-by: Gary Ching-Pang Lin ---- - MokManager.c | 28 +++++++++++++++++++++++++--- - 1 file changed, 25 insertions(+), 3 deletions(-) - -diff --git a/MokManager.c b/MokManager.c -index f5ed379..4ea28ef 100644 ---- a/MokManager.c -+++ b/MokManager.c -@@ -1112,7 +1112,16 @@ static INTN mok_sb_prompt (void *MokSB, UINTN MokSBSize) { - return -1; - } - } else { -- LibDeleteVariable(L"MokSBState", &shim_lock_guid); -+ efi_status = uefi_call_wrapper(RT->SetVariable, -+ 5, L"MokSBState", -+ &shim_lock_guid, -+ EFI_VARIABLE_NON_VOLATILE | -+ EFI_VARIABLE_BOOTSERVICE_ACCESS, -+ 0, NULL); -+ if (efi_status != EFI_SUCCESS) { -+ console_notify(L"Failed to delete Secure Boot state"); -+ return -1; -+ } - } - - console_notify(L"The system must now be rebooted"); -@@ -1224,7 +1233,16 @@ static INTN mok_db_prompt (void *MokDB, UINTN MokDBSize) { - return -1; - } - } else { -- LibDeleteVariable(L"MokDBState", &shim_lock_guid); -+ efi_status = uefi_call_wrapper(RT->SetVariable, 5, -+ L"MokDBState", -+ &shim_lock_guid, -+ EFI_VARIABLE_NON_VOLATILE | -+ EFI_VARIABLE_BOOTSERVICE_ACCESS, -+ 0, NULL); -+ if (efi_status != EFI_SUCCESS) { -+ console_notify(L"Failed to delete DB state"); -+ return -1; -+ } - } - - console_notify(L"The system must now be rebooted"); -@@ -1261,7 +1279,11 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) { - if (console_yes_no((CHAR16 *[]){L"Clear MOK password?", NULL}) == 0) - return 0; - -- LibDeleteVariable(L"MokPWStore", &shim_lock_guid); -+ uefi_call_wrapper(RT->SetVariable, 5, L"MokPWStore", -+ &shim_lock_guid, -+ EFI_VARIABLE_NON_VOLATILE -+ | EFI_VARIABLE_BOOTSERVICE_ACCESS, -+ 0, NULL); - LibDeleteVariable(L"MokPW", 
&shim_lock_guid); - console_notify(L"The system must now be rebooted"); - uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm, EFI_SUCCESS, 0, --- -1.8.4.5 - diff --git a/shim-mokmanager-support-sha-family.patch b/shim-mokmanager-support-sha-family.patch deleted file mode 100644 index 872be75..0000000 --- a/shim-mokmanager-support-sha-family.patch +++ /dev/null 
@@ -1,627 +0,0 @@ -From f110c89b169505156741ee4ce4b0952e899ed0d8 Mon Sep 17 00:00:00 2001 -From: Gary Ching-Pang Lin -Date: Thu, 3 Apr 2014 18:26:37 +0800 -Subject: [PATCH 1/5] MokManager: Support SHA1 hash in MOK - -Add SHA1 hash support and amend the code to make it easier to support -other SHA digests. ---- - MokManager.c | 121 ++++++++++++++++++++++++++++++++++++----------------------- - 1 file changed, 75 insertions(+), 46 deletions(-) - -diff --git a/MokManager.c b/MokManager.c -index 5af5ce6..7cf31c1 100644 ---- a/MokManager.c -+++ b/MokManager.c -@@ -93,27 +93,58 @@ done: - return status; - } - -+static BOOLEAN is_sha_hash (EFI_GUID Type) -+{ -+ EFI_GUID Sha1 = EFI_CERT_SHA1_GUID; -+ EFI_GUID Sha256 = EFI_CERT_SHA256_GUID; -+ -+ if (CompareGuid(&Type, &Sha1) == 0) -+ return TRUE; -+ else if (CompareGuid(&Type, &Sha256) == 0) -+ return TRUE; -+ -+ return FALSE; -+} -+ -+static UINT32 sha_size (EFI_GUID Type) -+{ -+ EFI_GUID Sha1 = EFI_CERT_SHA1_GUID; -+ EFI_GUID Sha256 = EFI_CERT_SHA256_GUID; -+ -+ if (CompareGuid(&Type, &Sha1) == 0) -+ return SHA1_DIGEST_SIZE; -+ else if (CompareGuid(&Type, &Sha256) == 0) -+ return SHA256_DIGEST_SIZE; -+ -+ return 0; -+} -+ -+static BOOLEAN is_valid_siglist (EFI_GUID Type, UINT32 SigSize) -+{ -+ EFI_GUID CertType = X509_GUID; -+ UINT32 hash_sig_size; -+ -+ if (CompareGuid (&Type, &CertType) == 0 && SigSize != 0) -+ return TRUE; -+ -+ if (!is_sha_hash (Type)) -+ return FALSE; -+ -+ hash_sig_size = sha_size (Type) + sizeof(EFI_GUID); -+ if (SigSize != hash_sig_size) -+ return FALSE; -+ -+ return TRUE; -+} -+ - static UINT32 count_keys(void *Data, UINTN DataSize) - { - EFI_SIGNATURE_LIST *CertList = Data; -- EFI_GUID CertType = X509_GUID; -- EFI_GUID HashType = EFI_CERT_SHA256_GUID; - UINTN dbsize = DataSize; - UINT32 MokNum = 0; - - while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) { -- if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) && -- (CompareGuid (&CertList->SignatureType, &HashType) != 0)) { 
-- console_notify(L"Doesn't look like a key or hash"); -- dbsize -= CertList->SignatureListSize; -- CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + -- CertList->SignatureListSize); -- continue; -- } -- -- if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) && -- (CertList->SignatureSize != 48)) { -- console_notify(L"Doesn't look like a valid hash"); -+ if (!is_valid_siglist(CertList->SignatureType, CertList->SignatureSize)) { - dbsize -= CertList->SignatureListSize; - CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + - CertList->SignatureListSize); -@@ -134,7 +165,6 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) { - EFI_SIGNATURE_LIST *CertList = Data; - EFI_SIGNATURE_DATA *Cert; - EFI_GUID CertType = X509_GUID; -- EFI_GUID HashType = EFI_CERT_SHA256_GUID; - UINTN dbsize = DataSize; - UINTN count = 0; - -@@ -146,16 +176,7 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) { - } - - while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) { -- if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) && -- (CompareGuid (&CertList->SignatureType, &HashType) != 0)) { -- dbsize -= CertList->SignatureListSize; -- CertList = (EFI_SIGNATURE_LIST *)((UINT8 *) CertList + -- CertList->SignatureListSize); -- continue; -- } -- -- if ((CompareGuid (&CertList->SignatureType, &HashType) == 0) && -- (CertList->SignatureSize != 48)) { -+ if (!is_valid_siglist(CertList->SignatureType, CertList->SignatureSize)) { - dbsize -= CertList->SignatureListSize; - CertList = (EFI_SIGNATURE_LIST *)((UINT8 *) CertList + - CertList->SignatureListSize); -@@ -380,22 +401,34 @@ static void show_x509_info (X509 *X509Cert, UINT8 *hash) - FreePool(text); - } - --static void show_sha256_digest (UINT8 *hash) -+static void show_sha_digest (EFI_GUID Type, UINT8 *hash) - { -+ EFI_GUID Sha1 = EFI_CERT_SHA1_GUID; -+ EFI_GUID Sha256 = EFI_CERT_SHA256_GUID; - CHAR16 *text[5]; - POOL_PRINT hash_string1; - POOL_PRINT 
hash_string2; - int i; -+ int length; -+ -+ if (CompareGuid(&Type, &Sha1) == 0) { -+ length = SHA1_DIGEST_SIZE; -+ text[0] = L"SHA1 hash"; -+ } else if (CompareGuid(&Type, &Sha256) == 0) { -+ length = SHA256_DIGEST_SIZE; -+ text[0] = L"SHA256 hash"; -+ } else { -+ return; -+ } - - ZeroMem(&hash_string1, sizeof(hash_string1)); - ZeroMem(&hash_string2, sizeof(hash_string2)); - -- text[0] = L"SHA256 hash"; - text[1] = L""; - -- for (i=0; i<16; i++) -+ for (i=0; iSignatureListSize = list[i].MokSize + - sizeof(EFI_SIGNATURE_LIST); -- CertList->SignatureSize = SHA256_DIGEST_SIZE + sizeof(EFI_GUID); -+ CertList->SignatureSize = sha_size(list[i].Type) + sizeof(EFI_GUID); - - CopyMem(CertData, list[i].Mok, list[i].MokSize); - } -@@ -1040,7 +1072,6 @@ static void mem_move (void *dest, void *src, UINTN size) - static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size, - MokListNode *mok, INTN mok_num) - { -- EFI_GUID HashType = EFI_CERT_SHA256_GUID; - UINT32 sig_size; - UINT32 list_num; - int i, del_ind; -@@ -1050,8 +1081,7 @@ static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size, - sig_size = hash_size + sizeof(EFI_GUID); - - for (i = 0; i < mok_num; i++) { -- if ((CompareGuid(&(mok[i].Type), &HashType) != 0) || -- (mok[i].MokSize < sig_size)) -+ if (!is_sha_hash(mok[i].Type) || (mok[i].MokSize < sig_size)) - continue; - - list_num = mok[i].MokSize / sig_size; -@@ -1080,7 +1110,7 @@ static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size, - } - } - --static void delete_hash_list (void *hash_list, UINT32 list_size, -+static void delete_hash_list (EFI_GUID Type, void *hash_list, UINT32 list_size, - MokListNode *mok, INTN mok_num) - { - UINT32 hash_size; -@@ -1089,7 +1119,7 @@ static void delete_hash_list (void *hash_list, UINT32 list_size, - UINT8 *hash; - int i; - -- hash_size = SHA256_DIGEST_SIZE; -+ hash_size = sha_size (Type); - sig_size = hash_size + sizeof(EFI_GUID); - if (list_size < sig_size) - return; -@@ -1108,7 +1138,6 @@ static EFI_STATUS 
delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX) - { - EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; - EFI_GUID CertType = X509_GUID; -- EFI_GUID HashType = EFI_CERT_SHA256_GUID; - EFI_STATUS efi_status; - CHAR16 *db_name; - CHAR16 *auth_name; -@@ -1183,9 +1212,9 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX) - if (CompareGuid(&(del_key[i].Type), &CertType) == 0) { - delete_cert(del_key[i].Mok, del_key[i].MokSize, - mok, mok_num); -- } else if (CompareGuid(&(del_key[i].Type), &HashType) == 0) { -- delete_hash_list(del_key[i].Mok, del_key[i].MokSize, -- mok, mok_num); -+ } else if (is_sha_hash(del_key[i].Type)) { -+ delete_hash_list(del_key[i].Type, del_key[i].Mok, -+ del_key[i].MokSize, mok, mok_num); - } - } - --- -1.8.4.5 - - -From 9a0aaf045859be5ba3abdaaf06683cb9ab0b6c57 Mon Sep 17 00:00:00 2001 -From: Gary Ching-Pang Lin -Date: Wed, 9 Apr 2014 16:49:25 +0800 -Subject: [PATCH 2/5] MokManager: fix the return value and type - -There are some functions that the return value and the type -didn't match. 
- -Signed-off-by: Gary Ching-Pang Lin ---- - MokManager.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/MokManager.c b/MokManager.c -index 7cf31c1..b09f5b8 100644 ---- a/MokManager.c -+++ b/MokManager.c -@@ -536,7 +536,7 @@ static EFI_STATUS list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title) - if (KeyListSize < (sizeof(EFI_SIGNATURE_LIST) + - sizeof(EFI_SIGNATURE_DATA))) { - console_notify(L"No MOK keys found"); -- return 0; -+ return EFI_NOT_FOUND; - } - - MokNum = count_keys(KeyList, KeyListSize); -@@ -544,7 +544,7 @@ static EFI_STATUS list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title) - - if (!keys) { - console_notify(L"Failed to construct key list"); -- return 0; -+ return EFI_ABORTED; - } - - menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (MokNum + 2)); -@@ -863,7 +863,7 @@ static EFI_STATUS store_keys (void *MokNew, UINTN MokNewSize, int authenticate, - return EFI_SUCCESS; - } - --static UINTN mok_enrollment_prompt (void *MokNew, UINTN MokNewSize, int auth, -+static INTN mok_enrollment_prompt (void *MokNew, UINTN MokNewSize, int auth, - BOOLEAN MokX) - { - EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; --- -1.8.4.5 - - -From 790eb376dbe692d4702d807f24c1be7a492a5717 Mon Sep 17 00:00:00 2001 -From: Gary Ching-Pang Lin -Date: Thu, 10 Apr 2014 14:39:43 +0800 -Subject: [PATCH 3/5] MokManager: Add more key list safe checks - -Signed-off-by: Gary Ching-Pang Lin ---- - MokManager.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++---- - 1 file changed, 56 insertions(+), 4 deletions(-) - -diff --git a/MokManager.c b/MokManager.c -index b09f5b8..c5501f3 100644 ---- a/MokManager.c -+++ b/MokManager.c -@@ -144,6 +144,12 @@ static UINT32 count_keys(void *Data, UINTN DataSize) - UINT32 MokNum = 0; - - while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) { -+ if (CertList->SignatureListSize == 0 || -+ CertList->SignatureListSize <= CertList->SignatureSize) { -+ console_errorbox(L"Corrupted signature 
list"); -+ return 0; -+ } -+ - if (!is_valid_siglist(CertList->SignatureType, CertList->SignatureSize)) { - dbsize -= CertList->SignatureListSize; - CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + -@@ -540,10 +546,13 @@ static EFI_STATUS list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title) - } - - MokNum = count_keys(KeyList, KeyListSize); -+ if (MokNum == 0) { -+ console_errorbox(L"Invalid key list"); -+ return EFI_ABORTED; -+ } - keys = build_mok_list(MokNum, KeyList, KeyListSize); -- - if (!keys) { -- console_notify(L"Failed to construct key list"); -+ console_errorbox(L"Failed to construct key list"); - return EFI_ABORTED; - } - -@@ -1184,7 +1193,13 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX) - - efi_status = get_variable_attr (db_name, &MokListData, &MokListDataSize, - shim_lock_guid, &attributes); -- if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) { -+ if (efi_status != EFI_SUCCESS) { -+ if (MokX) -+ console_errorbox(L"Failed to retrieve MokListX"); -+ else -+ console_errorbox(L"Failed to retrieve MokList"); -+ return EFI_ABORTED; -+ } else if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) { - if (MokX) { - err_str1 = L"MokListX is compromised!"; - err_str2 = L"Erase all keys in MokListX!"; -@@ -1193,7 +1208,11 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX) - err_str2 = L"Erase all keys in MokList!"; - } - console_alertbox((CHAR16 *[]){err_str1, err_str2, NULL}); -- LibDeleteVariable(db_name, &shim_lock_guid); -+ uefi_call_wrapper(RT->SetVariable, 5, db_name, -+ &shim_lock_guid, -+ EFI_VARIABLE_NON_VOLATILE | -+ EFI_VARIABLE_BOOTSERVICE_ACCESS, -+ 0, NULL); - return EFI_ACCESS_DENIED; - } - -@@ -1203,9 +1222,41 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX) - - /* Construct lists */ - mok_num = count_keys(MokListData, MokListDataSize); -+ if (mok_num == 0) { -+ if (MokX) { -+ err_str1 = L"Failed to construct the key list of MokListX"; -+ err_str2 = 
L"Reset MokListX!"; -+ } else { -+ err_str1 = L"Failed to construct the key list of MokList"; -+ err_str2 = L"Reset MokList!"; -+ } -+ console_alertbox((CHAR16 *[]){err_str1, err_str2, NULL}); -+ uefi_call_wrapper(RT->SetVariable, 5, db_name, -+ &shim_lock_guid, -+ EFI_VARIABLE_NON_VOLATILE | -+ EFI_VARIABLE_BOOTSERVICE_ACCESS, -+ 0, NULL); -+ efi_status = EFI_ABORTED; -+ goto error; -+ } - mok = build_mok_list(mok_num, MokListData, MokListDataSize); -+ if (!mok) { -+ console_errorbox(L"Failed to construct key list"); -+ efi_status = EFI_ABORTED; -+ goto error; -+ } - del_num = count_keys(MokDel, MokDelSize); -+ if (del_num == 0) { -+ console_errorbox(L"Invalid key delete list"); -+ efi_status = EFI_ABORTED; -+ goto error; -+ } - del_key = build_mok_list(del_num, MokDel, MokDelSize); -+ if (!del_key) { -+ console_errorbox(L"Failed to construct key list"); -+ efi_status = EFI_ABORTED; -+ goto error; -+ } - - /* Search and destroy */ - for (i = 0; i < del_num; i++) { -@@ -1220,6 +1271,7 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX) - - efi_status = write_back_mok_list(mok, mok_num, MokX); - -+error: - if (MokListData) - FreePool(MokListData); - if (mok) --- -1.8.4.5 - - -From a2879e575439b019d1eff5b32ca8b59d1e2e1503 Mon Sep 17 00:00:00 2001 -From: Gary Ching-Pang Lin -Date: Thu, 10 Apr 2014 15:29:14 +0800 -Subject: [PATCH 4/5] MokManager: Support SHA224, SHA384, and SHA512 - -Signed-off-by: Gary Ching-Pang Lin ---- - MokManager.c | 40 +++++++++++++++++++++++++++++++++++++--- - 1 file changed, 37 insertions(+), 3 deletions(-) - -diff --git a/MokManager.c b/MokManager.c -index c5501f3..117cf9b 100644 ---- a/MokManager.c -+++ b/MokManager.c -@@ -25,6 +25,9 @@ - #define EFI_VARIABLE_APPEND_WRITE 0x00000040 - - EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }; -+EFI_GUID EFI_CERT_SHA224_GUID = { 0xb6e5233, 0xa65c, 0x44c9, {0x94, 0x7, 0xd9, 0xab, 0x83, 0xbf, 0xc8, 0xbd} }; 
-+EFI_GUID EFI_CERT_SHA384_GUID = { 0xff3e5307, 0x9fd0, 0x48c9, {0x85, 0xf1, 0x8a, 0xd5, 0x6c, 0x70, 0x1e, 0x1} }; -+EFI_GUID EFI_CERT_SHA512_GUID = { 0x93e0fae, 0xa6c4, 0x4f50, {0x9f, 0x1b, 0xd4, 0x1e, 0x2b, 0x89, 0xc1, 0x9a} }; - - #define CERT_STRING L"Select an X509 certificate to enroll:\n\n" - #define HASH_STRING L"Select a file to trust:\n\n" -@@ -96,12 +99,21 @@ done: - static BOOLEAN is_sha_hash (EFI_GUID Type) - { - EFI_GUID Sha1 = EFI_CERT_SHA1_GUID; -+ EFI_GUID Sha224 = EFI_CERT_SHA224_GUID; - EFI_GUID Sha256 = EFI_CERT_SHA256_GUID; -+ EFI_GUID Sha384 = EFI_CERT_SHA384_GUID; -+ EFI_GUID Sha512 = EFI_CERT_SHA512_GUID; - - if (CompareGuid(&Type, &Sha1) == 0) - return TRUE; -+ else if (CompareGuid(&Type, &Sha224) == 0) -+ return TRUE; - else if (CompareGuid(&Type, &Sha256) == 0) - return TRUE; -+ else if (CompareGuid(&Type, &Sha384) == 0) -+ return TRUE; -+ else if (CompareGuid(&Type, &Sha512) == 0) -+ return TRUE; - - return FALSE; - } -@@ -109,12 +121,21 @@ static BOOLEAN is_sha_hash (EFI_GUID Type) - static UINT32 sha_size (EFI_GUID Type) - { - EFI_GUID Sha1 = EFI_CERT_SHA1_GUID; -+ EFI_GUID Sha224 = EFI_CERT_SHA224_GUID; - EFI_GUID Sha256 = EFI_CERT_SHA256_GUID; -+ EFI_GUID Sha384 = EFI_CERT_SHA384_GUID; -+ EFI_GUID Sha512 = EFI_CERT_SHA512_GUID; - - if (CompareGuid(&Type, &Sha1) == 0) - return SHA1_DIGEST_SIZE; -+ else if (CompareGuid(&Type, &Sha224) == 0) -+ return SHA224_DIGEST_LENGTH; - else if (CompareGuid(&Type, &Sha256) == 0) - return SHA256_DIGEST_SIZE; -+ else if (CompareGuid(&Type, &Sha384) == 0) -+ return SHA384_DIGEST_LENGTH; -+ else if (CompareGuid(&Type, &Sha512) == 0) -+ return SHA512_DIGEST_LENGTH; - - return 0; - } -@@ -410,7 +431,10 @@ static void show_x509_info (X509 *X509Cert, UINT8 *hash) - static void show_sha_digest (EFI_GUID Type, UINT8 *hash) - { - EFI_GUID Sha1 = EFI_CERT_SHA1_GUID; -+ EFI_GUID Sha224 = EFI_CERT_SHA224_GUID; - EFI_GUID Sha256 = EFI_CERT_SHA256_GUID; -+ EFI_GUID Sha384 = EFI_CERT_SHA384_GUID; -+ EFI_GUID Sha512 
= EFI_CERT_SHA512_GUID; - CHAR16 *text[5]; - POOL_PRINT hash_string1; - POOL_PRINT hash_string2; -@@ -420,9 +444,18 @@ static void show_sha_digest (EFI_GUID Type, UINT8 *hash) - if (CompareGuid(&Type, &Sha1) == 0) { - length = SHA1_DIGEST_SIZE; - text[0] = L"SHA1 hash"; -+ } else if (CompareGuid(&Type, &Sha224) == 0) { -+ length = SHA224_DIGEST_LENGTH; -+ text[0] = L"SHA224 hash"; - } else if (CompareGuid(&Type, &Sha256) == 0) { - length = SHA256_DIGEST_SIZE; - text[0] = L"SHA256 hash"; -+ } else if (CompareGuid(&Type, &Sha384) == 0) { -+ length = SHA384_DIGEST_LENGTH; -+ text[0] = L"SHA384 hash"; -+ } else if (CompareGuid(&Type, &Sha512) == 0) { -+ length = SHA512_DIGEST_LENGTH; -+ text[0] = L"SHA512 hash"; - } else { - return; - } -@@ -1078,7 +1111,7 @@ static void mem_move (void *dest, void *src, UINTN size) - d[i] = s[i]; - } - --static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size, -+static void delete_hash_in_list (EFI_GUID Type, UINT8 *hash, UINT32 hash_size, - MokListNode *mok, INTN mok_num) - { - UINT32 sig_size; -@@ -1090,7 +1123,8 @@ static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size, - sig_size = hash_size + sizeof(EFI_GUID); - - for (i = 0; i < mok_num; i++) { -- if (!is_sha_hash(mok[i].Type) || (mok[i].MokSize < sig_size)) -+ if ((CompareGuid(&(mok[i].Type), &Type) != 0) || -+ (mok[i].MokSize < sig_size)) - continue; - - list_num = mok[i].MokSize / sig_size; -@@ -1138,7 +1172,7 @@ static void delete_hash_list (EFI_GUID Type, void *hash_list, UINT32 list_size, - hash = hash_list + sizeof(EFI_GUID); - - for (i = 0; i < hash_num; i++) { -- delete_hash_in_list (hash, hash_size, mok, mok_num); -+ delete_hash_in_list (Type, hash, hash_size, mok, mok_num); - hash += sig_size; - } - } --- -1.8.4.5 - - -From 04955238a98734aac8df7ad46a732e130681acfd Mon Sep 17 00:00:00 2001 -From: Gary Ching-Pang Lin -Date: Thu, 10 Apr 2014 15:55:35 +0800 -Subject: [PATCH 5/5] MokManager: Discard the list contains an invalid - signature - -Signed-off-by: 
Gary Ching-Pang Lin ---- - MokManager.c | 14 ++++---------- - 1 file changed, 4 insertions(+), 10 deletions(-) - -diff --git a/MokManager.c b/MokManager.c -index 117cf9b..b896836 100644 ---- a/MokManager.c -+++ b/MokManager.c -@@ -172,10 +172,8 @@ static UINT32 count_keys(void *Data, UINTN DataSize) - } - - if (!is_valid_siglist(CertList->SignatureType, CertList->SignatureSize)) { -- dbsize -= CertList->SignatureListSize; -- CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + -- CertList->SignatureListSize); -- continue; -+ console_errorbox(L"Invalid signature list found"); -+ return 0; - } - - MokNum++; -@@ -203,12 +201,8 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) { - } - - while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) { -- if (!is_valid_siglist(CertList->SignatureType, CertList->SignatureSize)) { -- dbsize -= CertList->SignatureListSize; -- CertList = (EFI_SIGNATURE_LIST *)((UINT8 *) CertList + -- CertList->SignatureListSize); -- continue; -- } -+ /* Omit the signature check here since we already did it -+ in count_keys() */ - - Cert = (EFI_SIGNATURE_DATA *) (((UINT8 *) CertList) + - sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize); --- -1.8.4.5 - diff --git a/shim-mokx-support.patch b/shim-mokx-support.patch index 608b47b..f19a7f4 100644 --- a/shim-mokx-support.patch +++ b/shim-mokx-support.patch @@ -1,12 +1,10 @@ -From 58b8e54ef60d488886a9f0d0877b7187eb200d07 Mon Sep 17 00:00:00 2001 +From 8614cf8c164049e77d702eb234d608d5342e975b Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 24 Oct 2013 17:02:08 +0800 -Subject: [PATCH 01/10] Support MOK blacklist +Subject: [PATCH 1/9] Support MOK blacklist The new blacklist, MokListX, stores the keys and hashes that are banned. - -Signed-off-by: Gary Ching-Pang Lin --- MokManager.c | 241 +++++++++++++++++++++++++++++++++++++++++++++++++---------- shim.c | 3 +- @@ -512,7 +510,7 @@ index f5ed379..b9b42b6 100644 return EFI_SUCCESS; } 
diff --git a/shim.c b/shim.c -index cf93d65..2c23a2f 100644 +index 9ae1936..c133bb2 100644 --- a/shim.c +++ b/shim.c @@ -1510,7 +1510,8 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle) @@ -526,15 +524,14 @@ index cf93d65..2c23a2f 100644 if (efi_status != EFI_SUCCESS) { -- -1.8.4.5 +1.8.1.4 -From d2980a5cbee887223405a24be44ffd5bb439e3f1 Mon Sep 17 00:00:00 2001 +From f36f4093bb72344242949b16b83905cefb93d3cd Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 24 Oct 2013 17:32:31 +0800 -Subject: [PATCH 02/10] MokManager: show the hash list properly +Subject: [PATCH 2/9] MokManager: show the hash list properly -Signed-off-by: Gary Ching-Pang Lin --- MokManager.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 71 insertions(+), 11 deletions(-) @@ -678,15 +675,14 @@ index b9b42b6..5575a94 100644 for (i=0; menu_strings[i] != NULL; i++) -- -1.8.4.5 +1.8.1.4 -From 9c4b5d58385c64056adb5386c097219665f2f50d Mon Sep 17 00:00:00 2001 +From f1073a9bc757008d44b5b86cb5002a3654faf2d2 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Fri, 25 Oct 2013 16:54:25 +0800 -Subject: [PATCH 03/10] MokManager: delete the hash properly +Subject: [PATCH 3/9] MokManager: delete the hash properly -Signed-off-by: Gary Ching-Pang Lin --- MokManager.c | 124 ++++++++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 114 insertions(+), 10 deletions(-) @@ -844,15 +840,14 @@ index 5575a94..23bdeef 100644 } -- -1.8.4.5 +1.8.1.4 -From 54ce2f9605990c00f9cafae7cab22a1c885828c1 Mon Sep 17 00:00:00 2001 +From b5cb83a92620b0b41857f3e3a292d1577eb3a3a5 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Fri, 25 Oct 2013 17:05:10 +0800 -Subject: [PATCH 04/10] MokManager: Match all hashes in the list +Subject: [PATCH 4/9] MokManager: Match all hashes in the list -Signed-off-by: Gary Ching-Pang Lin --- MokManager.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) 
@@ -913,17 +908,15 @@ index 23bdeef..5b40e19 100644 } } -- -1.8.4.5 +1.8.1.4 -From 4c1912c8521cca4d320a1417abff6f7954809a20 Mon Sep 17 00:00:00 2001 +From 70a4e12d2e6ba37541d0b78ec3c8ed5e8da9a941 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Fri, 25 Oct 2013 18:30:48 +0800 -Subject: [PATCH 05/10] MokManager: Write the hash list properly +Subject: [PATCH 5/9] MokManager: Write the hash list properly also return to the previous entry in the list - -Signed-off-by: Gary Ching-Pang Lin --- MokManager.c | 30 +++++++++++++++++++----------- 1 file changed, 19 insertions(+), 11 deletions(-) @@ -998,21 +991,20 @@ index 5b40e19..e79a8e0 100644 efi_status = uefi_call_wrapper(RT->SetVariable, 5, db_name, -- -1.8.4.5 +1.8.1.4 -From 8b96a93bda39617efbe51f24d1dc606ad8835d26 Mon Sep 17 00:00:00 2001 +From 225e5fca2f7cf63e365b77243d6e43b1eb9860c8 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Mon, 28 Oct 2013 15:08:40 +0800 -Subject: [PATCH 06/10] Copy the MOK blacklist to a RT variable +Subject: [PATCH 6/9] Copy the MOK blacklist to a RT variable -Signed-off-by: Gary Ching-Pang Lin --- shim.c | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/shim.c b/shim.c -index 2c23a2f..ccb3071 100644 +index c133bb2..a0383a8 100644 --- a/shim.c +++ b/shim.c @@ -1480,6 +1480,33 @@ EFI_STATUS mirror_mok_list() @@ -1049,7 +1041,7 @@ index 2c23a2f..ccb3071 100644 * Check if a variable exists */ static BOOLEAN check_var(CHAR16 *varname) -@@ -1799,6 +1826,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) +@@ -1795,6 +1822,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) */ efi_status = mirror_mok_list(); 
@@ -1059,21 +1051,20 @@ index 2c23a2f..ccb3071 100644 * Create the runtime MokIgnoreDB variable so the kernel can make * use of it -- -1.8.4.5 +1.8.1.4 -From 044d04dbed3ef3f2f3004a770e3751eabc052c2c Mon Sep 17 00:00:00 2001 +From f9db55b719281ce491780ecd4ec269c5286a7251 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Mon, 28 Oct 2013 16:36:34 +0800 -Subject: [PATCH 07/10] No newline for console_notify +Subject: [PATCH 7/9] No newline for console_notify -Signed-off-by: Gary Ching-Pang Lin --- shim.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shim.c b/shim.c -index ccb3071..e30a464 100644 +index a0383a8..a2e0862 100644 --- a/shim.c +++ b/shim.c @@ -470,7 +470,7 @@ static BOOLEAN secure_mode (void) @@ -1095,13 +1086,13 @@ index ccb3071..e30a464 100644 } -- -1.8.4.5 +1.8.1.4 -From 0e97d1576fcc1924f0f17b7f31baf1dd74a7f83e Mon Sep 17 00:00:00 2001 +From 0bf2da5c7d9442f3249fc977b3fbffab924a374c Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Mon, 4 Nov 2013 14:45:33 +0800 -Subject: [PATCH 08/10] Verify the EFI images with MOK blacklist +Subject: [PATCH 8/9] Verify the EFI images with MOK blacklist Signed-off-by: Gary Ching-Pang Lin --- @@ -1109,7 +1100,7 @@ Signed-off-by: Gary Ching-Pang Lin 1 file changed, 9 insertions(+) diff --git a/shim.c b/shim.c -index e30a464..efd3d85 100644 +index a2e0862..5f5e9a6 100644 --- a/shim.c +++ b/shim.c @@ -365,6 +365,7 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert, @@ -1136,13 +1127,13 @@ index e30a464..efd3d85 100644 return EFI_SUCCESS; } -- -1.8.4.5 +1.8.1.4 -From a166edaa42ef96eaf5b000d0e4ad71779b745d68 Mon Sep 17 00:00:00 2001 +From 20ced27d1785bceaf814c07ca0d5686506a119ad Mon Sep 17 00:00:00 2001 
From: Gary Ching-Pang Lin Date: Mon, 4 Nov 2013 17:51:55 +0800 -Subject: [PATCH 09/10] Exclude ca.crt while signing EFI images +Subject: [PATCH 9/9] Exclude ca.crt while signing EFI images If ca.crt was added into the certificate database, ca.crt would be the first certificate in the signature. Because shim couldn't verify ca.crt with the @@ -1167,33 +1158,5 @@ index e65d28d..5e3fa9e 100644 certutil -d certdb/ -A -i shim.crt -n shim -t u -- -1.8.4.5 - - -From cce37bfa5298e8e9c12d3509c78592f711699c4f Mon Sep 17 00:00:00 2001 -From: Gary Ching-Pang Lin -Date: Tue, 11 Feb 2014 14:11:15 +0800 -Subject: [PATCH 10/10] Make shim to check MokXAuth for MOKX reset - -Signed-off-by: Gary Ching-Pang Lin ---- - shim.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/shim.c b/shim.c -index efd3d85..7093c45 100644 ---- a/shim.c -+++ b/shim.c -@@ -1547,7 +1547,8 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle) - if (check_var(L"MokNew") || check_var(L"MokSB") || - check_var(L"MokPW") || check_var(L"MokAuth") || - check_var(L"MokDel") || check_var(L"MokDB") || -- check_var(L"MokXNew") || check_var(L"MokXDel")) { -+ check_var(L"MokXNew") || check_var(L"MokXDel") || -+ check_var(L"MokXAuth")) { - efi_status = start_image(image_handle, MOK_MANAGER); - - if (efi_status != EFI_SUCCESS) { --- -1.8.4.5 +1.8.1.4 diff --git a/shim-only-os-name.patch b/shim-only-os-name.patch deleted file mode 100644 index 076b7d6..0000000 --- a/shim-only-os-name.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/Makefile b/Makefile -index 91e6bcd..6ed5ba7 100644 ---- a/Makefile -+++ b/Makefile -@@ -63,7 +63,7 @@ shim_cert.h: shim.cer - - version.c : version.c.in - sed -e "s,@@VERSION@@,$(VERSION)," \ -- -e "s,@@UNAME@@,$(shell uname -a)," \ -+ -e "s,@@UNAME@@,$(shell uname -o)," \ - -e "s,@@COMMIT@@,$(shell if [ -d .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo commit id not available; fi)," \ - < version.c.in > version.c - 
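Review bot: Dropping PATCH 10/10 leaves check_mok_request in shim.c (as the series now ends) testing `check_var(L"MokXNew") || check_var(L"MokXDel"))` without `MokXAuth`, so a request that sets only the MokXAuth password hash — which the removed patch describes as the MOKX reset path — no longer launches MokManager. Since MokManager is what clears that variable (its `LibDeleteVariable(L"MokXAuth", &shim_lock_guid);` is visible as context in the removed cert-prompt patch), the hash would presumably stay in NVRAM and the reset silently never happens; I cannot tell from this diff whether reset-x is still meant to be supported. If the removal is deliberate the series description or shim.changes should record it, otherwise keep `check_var(L"MokXNew") || check_var(L"MokXDel") || check_var(L"MokXAuth")) {` in the trigger list. The enclosing check_mok_request body starts and ends outside this hunk.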
diff --git a/shim-opensuse-cert-prompt.patch b/shim-opensuse-cert-prompt.patch deleted file mode 100644 index a7bba19..0000000 --- a/shim-opensuse-cert-prompt.patch +++ /dev/null 
@@ -1,390 +0,0 @@ -From 2082ad15e0b3413845a1ddc10c2953dcd95beb83 Mon Sep 17 00:00:00 2001 -From: Gary Ching-Pang Lin -Date: Tue, 18 Feb 2014 17:29:19 +0800 -Subject: [PATCH 1/3] Show the build-in certificate prompt - -This is an openSUSE-only patch. - -Pop up a window to ask if the user is willing to trust the built-in -openSUSE certificate. - -If yes, set openSUSE_Verify, a BootService variable, to 1, and shim -won't bother the user afterward. - -If no, continue the booting process without using the built-in -certificate to verify the EFI images, and the window will show up -again after reboot. - -The state will store in use_openSUSE_cert, a volatile RT variable. ---- - shim.c | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++----------- - 1 file changed, 97 insertions(+), 19 deletions(-) - -diff --git a/shim.c b/shim.c -index 0b20191..a483ce3 100644 ---- a/shim.c -+++ b/shim.c -@@ -82,6 +82,7 @@ UINT8 *vendor_dbx; - */ - verification_method_t verification_method; - int loader_is_participating; -+BOOLEAN use_builtin_cert; - - #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }} - -@@ -752,7 +753,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, - if (status == EFI_SUCCESS) - return status; - -- if (cert) { -+ if (cert && use_builtin_cert) { - /* - * Check against the shim build key - */ -@@ -1418,11 +1419,14 @@ EFI_STATUS mirror_mok_list() - if (efi_status != EFI_SUCCESS) - DataSize = 0; - -- FullDataSize = DataSize -- + sizeof (*CertList) -- + sizeof (EFI_GUID) -- + vendor_cert_size -- ; -+ FullDataSize = DataSize; -+ if (use_builtin_cert) { -+ FullDataSize += sizeof (*CertList) + -+ sizeof (EFI_GUID) + -+ vendor_cert_size; -+ } else if (DataSize == 0) { -+ return EFI_SUCCESS; -+ } - FullData = AllocatePool(FullDataSize); - if (!FullData) { - Print(L"Failed to allocate space for MokListRT\n"); -@@ -1434,21 +1438,24 @@ EFI_STATUS mirror_mok_list() - CopyMem(p, Data, 
DataSize); - p += DataSize; - } -- CertList = (EFI_SIGNATURE_LIST *)p; -- p += sizeof (*CertList); -- CertData = (EFI_SIGNATURE_DATA *)p; -- p += sizeof (EFI_GUID); - -- CertList->SignatureType = EFI_CERT_X509_GUID; -- CertList->SignatureListSize = vendor_cert_size -- + sizeof (*CertList) -- + sizeof (*CertData) -- -1; -- CertList->SignatureHeaderSize = 0; -- CertList->SignatureSize = vendor_cert_size + sizeof (EFI_GUID); -+ if (use_builtin_cert) { -+ CertList = (EFI_SIGNATURE_LIST *)p; -+ p += sizeof (*CertList); -+ CertData = (EFI_SIGNATURE_DATA *)p; -+ p += sizeof (EFI_GUID); - -- CertData->SignatureOwner = SHIM_LOCK_GUID; -- CopyMem(p, vendor_cert, vendor_cert_size); -+ CertList->SignatureType = EFI_CERT_X509_GUID; -+ CertList->SignatureListSize = vendor_cert_size -+ + sizeof (*CertList) -+ + sizeof (*CertData) -+ -1; -+ CertList->SignatureHeaderSize = 0; -+ CertList->SignatureSize = vendor_cert_size + sizeof (EFI_GUID); -+ -+ CertData->SignatureOwner = SHIM_LOCK_GUID; -+ CopyMem(p, vendor_cert, vendor_cert_size); -+ } - - efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokListRT", - &shim_lock_guid, -@@ -1767,6 +1774,75 @@ uninstall_shim_protocols(void) - &shim_lock_guid, &shim_lock_interface); - } - -+#define VENDOR_VERIFY L"openSUSE_Verify" -+ -+/* Show the built-in certificate prompt if necessary */ -+static int builtin_cert_prompt(void) -+{ -+ EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; -+ EFI_STATUS status; -+ UINT32 attributes; -+ UINTN len = sizeof(UINT8); -+ UINT8 data; -+ -+ use_builtin_cert = FALSE; -+ -+ if (vendor_cert_size == 0) -+ return 0; -+ -+ status = uefi_call_wrapper(RT->GetVariable, 5, VENDOR_VERIFY, -+ &shim_lock_guid, &attributes, -+ &len, &data); -+ if (status != EFI_SUCCESS || -+ (attributes & EFI_VARIABLE_RUNTIME_ACCESS)) { -+ int choice; -+ -+ if (status != EFI_NOT_FOUND) -+ LibDeleteVariable(VENDOR_VERIFY, &shim_lock_guid); -+ -+ CHAR16 *str[] = {L"Trust openSUSE Certificate", -+ L"", -+ L"Do you agree to use the built-in 
openSUSE certificate", -+ L"to verify boot loaders and kernels?", -+ NULL}; -+ choice = console_yes_no(str); -+ if (choice != 1) { -+ data = 0; -+ goto done; -+ } -+ -+ data = 1; -+ status = uefi_call_wrapper(RT->SetVariable, 5, -+ VENDOR_VERIFY, -+ &shim_lock_guid, -+ EFI_VARIABLE_NON_VOLATILE | -+ EFI_VARIABLE_BOOTSERVICE_ACCESS, -+ sizeof(UINT8), &data); -+ if (status != EFI_SUCCESS) { -+ console_error(L"Failed to set openSUSE_Verify", status); -+ return -1; -+ } -+ } -+ -+ use_builtin_cert = TRUE; -+ data = 1; -+ -+done: -+ /* Setup a runtime variable to show the current state */ -+ status = uefi_call_wrapper(RT->SetVariable, 5, -+ L"use_openSUSE_cert", -+ &shim_lock_guid, -+ EFI_VARIABLE_BOOTSERVICE_ACCESS | -+ EFI_VARIABLE_RUNTIME_ACCESS, -+ sizeof(UINT8), &data); -+ if (status != EFI_SUCCESS) { -+ console_error(L"Failed to set use_openSUSE_cert", status); -+ return -1; -+ } -+ -+ return 0; -+} -+ - EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) - { - EFI_STATUS efi_status; -@@ -1819,6 +1895,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) - */ - hook_system_services(systab); - loader_is_participating = 0; -+ if (builtin_cert_prompt() != 0) -+ return EFI_ABORTED; - } - - efi_status = install_shim_protocols(); --- -1.8.4.5 - - -From 57b6062bc614d5638e66f8c5ac62106b812c6d1a Mon Sep 17 00:00:00 2001 -From: Gary Ching-Pang Lin -Date: Thu, 20 Feb 2014 16:57:08 +0800 -Subject: [PATCH 2/3] Support revoking the openSUSE cert - -This is an openSUSE-only patch. 
- -To revoke the openSUSE cert, create ClearVerify, a NV RT variable, -and store the password hash in the variable, and then MokManager -will show up with an additional option to clear openSUSE_Verify ---- - MokManager.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- - shim.c | 2 +- - 2 files changed, 60 insertions(+), 3 deletions(-) - -diff --git a/MokManager.c b/MokManager.c -index 71a3137..a03eea4 100644 ---- a/MokManager.c -+++ b/MokManager.c -@@ -1570,6 +1570,33 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) { - return -1; - } - -+static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) { -+ EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; -+ EFI_STATUS status; -+ -+ if (console_yes_no((CHAR16 *[]){L"Do you want to revoke openSUSE certificate?", NULL}) != 1) -+ return 0; -+ -+ if (ClearVerifySize == PASSWORD_CRYPT_SIZE) { -+ status = match_password((PASSWORD_CRYPT *)ClearVerify, NULL, 0, -+ NULL, NULL); -+ } -+ if (status != EFI_SUCCESS) -+ return -1; -+ -+ status = LibDeleteVariable(L"openSUSE_Verify", &shim_lock_guid); -+ if (status != EFI_SUCCESS) { -+ console_error(L"Failed to delete openSUSE_Verify", status); -+ return -1; -+ } -+ -+ console_notify(L"The system must now be rebooted"); -+ uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm, -+ EFI_SUCCESS, 0, NULL); -+ console_notify(L"Failed to reboot"); -+ return -1; -+} -+ - static BOOLEAN verify_certificate(void *cert, UINTN size) - { - X509 *X509Cert; -@@ -1903,6 +1930,7 @@ typedef enum { - MOK_CHANGE_SB, - MOK_SET_PW, - MOK_CHANGE_DB, -+ MOK_CLEAR_VERIFY, - MOK_KEY_ENROLL, - MOK_HASH_ENROLL - } mok_menu_item; -@@ -1914,7 +1942,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, - void *MokPW, UINTN MokPWSize, - void *MokDB, UINTN MokDBSize, - void *MokXNew, UINTN MokXNewSize, -- void *MokXDel, UINTN MokXDelSize) -+ void *MokXDel, UINTN MokXDelSize, -+ void *ClearVerify, UINTN ClearVerifySize) - { - CHAR16 **menu_strings; - mok_menu_item 
*menu_item; -@@ -1988,6 +2017,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, - if (MokDB) - menucount++; - -+ if (ClearVerify) -+ menucount++; -+ - menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (menucount + 1)); - - if (!menu_strings) -@@ -2057,6 +2089,12 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, - i++; - } - -+ if (ClearVerify) { -+ menu_strings[i] = L"Revoke openSUSE certificate"; -+ menu_item[i] = MOK_CLEAR_VERIFY; -+ i++; -+ } -+ - menu_strings[i] = L"Enroll key from disk"; - menu_item[i] = MOK_KEY_ENROLL; - i++; -@@ -2107,6 +2145,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, - case MOK_CHANGE_DB: - mok_db_prompt(MokDB, MokDBSize); - break; -+ case MOK_CLEAR_VERIFY: -+ mok_clear_verify_prompt(ClearVerify, ClearVerifySize); -+ break; - case MOK_KEY_ENROLL: - mok_key_enroll(); - break; -@@ -2132,6 +2173,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) - EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; - UINTN MokNewSize = 0, MokDelSize = 0, MokSBSize = 0, MokPWSize = 0; - UINTN MokDBSize = 0, MokXNewSize = 0, MokXDelSize = 0; -+ UINTN ClearVerifySize = 0; - void *MokNew = NULL; - void *MokDel = NULL; - void *MokSB = NULL; -@@ -2139,6 +2181,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) - void *MokDB = NULL; - void *MokXNew = NULL; - void *MokXDel = NULL; -+ void *ClearVerify = NULL; - EFI_STATUS status; - - status = get_variable(L"MokNew", (UINT8 **)&MokNew, &MokNewSize, -@@ -2211,9 +2254,20 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) - console_error(L"Could not retrieve MokXDel", status); - } - -+ status = get_variable(L"ClearVerify", (UINT8 **)&ClearVerify, &ClearVerifySize, -+ shim_lock_guid); -+ if (status == EFI_SUCCESS) { -+ if (LibDeleteVariable(L"ClearVerify", &shim_lock_guid) != EFI_SUCCESS) { -+ console_notify(L"Failed to delete ClearVerify"); -+ } -+ } else if (EFI_ERROR(status) && status != EFI_NOT_FOUND) { -+ console_error(L"Could not retrieve 
ClearVerify", status); -+ } -+ - enter_mok_menu(image_handle, MokNew, MokNewSize, MokDel, MokDelSize, - MokSB, MokSBSize, MokPW, MokPWSize, MokDB, MokDBSize, -- MokXNew, MokXNewSize, MokXDel, MokXDelSize); -+ MokXNew, MokXNewSize, MokXDel, MokXDelSize, -+ ClearVerify, ClearVerifySize); - - if (MokNew) - FreePool (MokNew); -@@ -2236,6 +2290,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) - if (MokXDel) - FreePool (MokXDel); - -+ if (ClearVerify) -+ FreePool (ClearVerify); -+ - LibDeleteVariable(L"MokAuth", &shim_lock_guid); - LibDeleteVariable(L"MokDelAuth", &shim_lock_guid); - LibDeleteVariable(L"MokXAuth", &shim_lock_guid); -diff --git a/shim.c b/shim.c -index a483ce3..3b00e6c 100644 ---- a/shim.c -+++ b/shim.c -@@ -1529,7 +1529,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle) - check_var(L"MokPW") || check_var(L"MokAuth") || - check_var(L"MokDel") || check_var(L"MokDB") || - check_var(L"MokXNew") || check_var(L"MokXDel") || -- check_var(L"MokXAuth")) { -+ check_var(L"MokXAuth") || check_var(L"ClearVerify")) { - efi_status = start_image(image_handle, MOK_MANAGER); - - if (efi_status != EFI_SUCCESS) { --- -1.8.4.5 - - -From 8d1fc876a8117bdfa2d1e8975725e03660eadc7c Mon Sep 17 00:00:00 2001 -From: Gary Ching-Pang Lin -Date: Fri, 7 Mar 2014 16:17:20 +0800 -Subject: [PATCH 3/3] Delete openSUSE_Verify the right way - -This is an openSUSE-only patch. - -LibDeleteVariable only works on the runtime variables. 
---- - MokManager.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/MokManager.c b/MokManager.c -index a03eea4..d4f107d 100644 ---- a/MokManager.c -+++ b/MokManager.c -@@ -1584,7 +1584,10 @@ static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) { - if (status != EFI_SUCCESS) - return -1; - -- status = LibDeleteVariable(L"openSUSE_Verify", &shim_lock_guid); -+ status = uefi_call_wrapper(RT->SetVariable, 5, -+ L"openSUSE_Verify", &shim_lock_guid, -+ EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE, -+ 0, NULL); - if (status != EFI_SUCCESS) { - console_error(L"Failed to delete openSUSE_Verify", status); - return -1; --- -1.8.4.5 - diff --git a/shim.changes b/shim.changes index 73c47f0..465b298 100644 --- a/shim.changes +++ b/shim.changes 
@@ -1,113 +1,3 @@ -------------------------------------------------------------------- -Thu Apr 10 08:20:20 UTC 2014 - glin@suse.com - -- Replace shim-mokmanager-support-sha1.patch with - shim-mokmanager-support-sha-family.patch to support the SHA - family - -------------------------------------------------------------------- -Mon Apr 7 09:32:21 UTC 2014 - glin@suse.com - -- Add shim-mokmanager-support-sha1.patch to support SHA1 hashes in - MOK - -------------------------------------------------------------------- -Mon Mar 31 11:57:13 UTC 2014 - mchang@suse.com - -- snapper rollback support (fate#317062) - - refresh shim-install - -------------------------------------------------------------------- -Thu Mar 13 02:32:15 UTC 2014 - glin@suse.com - -- Insert the right signature (bnc#867974) - -------------------------------------------------------------------- -Mon Mar 10 07:56:44 UTC 2014 - glin@suse.com - -- Add shim-fix-uninitialized-variable.patch to fix the use of - uninitialzed variables in lib - -------------------------------------------------------------------- -Fri Mar 7 09:09:12 UTC 2014 - glin@suse.com - -- Add shim-mokmanager-delete-bs-var-right.patch to delete the BS+NV - variables the right way -- Update shim-opensuse-cert-prompt.patch to delete openSUSE_Verify - correctly - -------------------------------------------------------------------- -Thu Mar 6 07:37:57 UTC 2014 - glin@suse.com - -- Add shim-fallback-avoid-duplicate-bootorder.patch to fix the - duplicate entries in BootOrder -- Add shim-allow-fallback-use-system-loadimage.patch to handle the - shim protocol properly to keep only one protocol entity -- Refresh shim-opensuse-cert-prompt.patch - -------------------------------------------------------------------- -Thu Mar 6 03:53:49 UTC 2014 - mchang@suse.com - -- shim-install: fix the $prefix to use grub2-mkrelpath for paths - on btrfs subvolume (bnc#866690). 
- -------------------------------------------------------------------- -Tue Mar 4 04:19:05 UTC 2014 - glin@suse.com - -- FATE#315002: Update shim-install to install shim.efi as the EFI - default bootloader when none exists in \EFI\boot. - -------------------------------------------------------------------- -Thu Feb 27 09:46:49 UTC 2014 - fcrozat@suse.com - -- Update signature-sles.asc: shim signed by UEFI signing service, - based on code from "Thu Feb 20 11:57:01 UTC 2014" - -------------------------------------------------------------------- -Fri Feb 21 08:45:46 UTC 2014 - glin@suse.com - -- Add shim-opensuse-cert-prompt.patch to show the prompt to ask - whether the user trusts the openSUSE certificate or not - -------------------------------------------------------------------- -Thu Feb 20 11:57:01 UTC 2014 - lnussel@suse.de - -- allow package to carry multiple signatures -- check correct certificate is embedded - -------------------------------------------------------------------- -Thu Feb 20 10:06:47 UTC 2014 - lnussel@suse.de - -- always clean up generated files that embed certificates - (shim_cert.h shim.cer shim.crt) to make sure next build loop - rebuilds them properly - -------------------------------------------------------------------- -Mon Feb 17 09:58:56 UTC 2014 - glin@suse.com - -- Add shim-bnc863205-mokmanager-fix-hash-delete.patch to fix the - hash deletion operation to avoid ruining the whole list - (bnc#863205) - -------------------------------------------------------------------- -Tue Feb 11 06:30:02 UTC 2014 - glin@suse.com - -- Update shim-mokx-support.patch to support the resetting of MOK - blacklist -- Add shim-get-variable-check.patch to fix the variable checking - in get_variable_attr -- Add shim-improve-fallback-entries-creation.patch to improve the - boot entry pathes and avoid generating the boot entries that - are already there -- Update SUSE certificate -- Update attach_signature.sh, show_hash.sh, strip_signature.sh, - 
extract_signature.sh and show_signatures.sh to remove the - creation of the temporary nss database -- Add shim-only-os-name.patch: remove the kernel version of the - build server -- Match the the prefix of the project name properly by escaping the - percent sign. - ------------------------------------------------------------------- Wed Jan 22 13:45:44 UTC 2014 - lnussel@suse.de diff --git a/shim.spec b/shim.spec index 38d63a0..cdc712e 100644 --- a/shim.spec +++ b/shim.spec @@ -28,7 +28,7 @@ Url: https://github.com/mjg59/shim Source: %{name}-%{version}.tar.bz2 # run "extract_signature.sh shim.efi" where shim.efi is the binary # with the signature from the UEFI signing service. -Source1: signature-opensuse.asc +Source1: microsoft.asc Source2: openSUSE-UEFI-CA-Certificate.crt Source3: shim-install Source4: SLES-UEFI-CA-Certificate.crt @@ -38,8 +38,6 @@ Source7: show_hash.sh Source8: show_signatures.sh Source9: openSUSE-UEFI-CA-Certificate-4096.crt Source10: timestamp.pl -Source11: strip_signature.sh -Source12: signature-sles.asc # PATCH-FIX-UPSTREAM shim-fix-verify-mok.patch glin@suse.com -- Fix the error handling in verify_mok() Patch1: shim-fix-verify-mok.patch # PATCH-FIX-UPSTREAM shim-improve-error-messages.patch glin@suse.com -- Improve the error messages 
@@ -52,26 +50,6 @@ Patch4: shim-fix-dhcpv4-path-generation.patch Patch5: shim-mokx-support.patch # PATCH-FIX-UPSTREAM shim-mokmanager-handle-keystroke-error.patch glin@suse.com -- Handle the error status from ReadKeyStroke to avoid the unexpected keys Patch6: shim-mokmanager-handle-keystroke-error.patch -# PATCH-FIX-SUSE shim-only-os-name.patch glin@suse.com -- Only include the OS name in version.c -Patch7: shim-only-os-name.patch -# PATCH-FIX-UPSTREAM shim-get-variable-check.patch glin@suse.com -- Fix the variable checking in get_variable_attr -Patch8: shim-get-variable-check.patch -# PATCH-FIX-UPSTREAM shim-fallback-improve--entries-creation.patch glin@suse.com -- Improve the boot entry pathes and avoid generating the boot entries that are already there -Patch9: shim-fallback-improve-entries-creation.patch -# PATCH-FIX-UPSTREAM shim-bnc863205-mokmanager-fix-hash-delete.patch bnc#863205 glin@suse.com -- Fix the hash deletion operation to avoid ruining the whole list -Patch10: shim-bnc863205-mokmanager-fix-hash-delete.patch -# PATCH-FIX-UPSTREAM shim-fallback-avoid-duplicate-bootorder.patch glin@suse.com -- Fix the duplicate BootOrder entries generated by fallback.efi -Patch11: shim-fallback-avoid-duplicate-bootorder.patch -# PATCH-FIX-UPSTREAM shim-allow-fallback-use-system-loadimage.patch glin@suse.com -- Handle the shim protocol properly to keep only one protocol entity -Patch12: shim-allow-fallback-use-system-loadimage.patch -# PATCH-FIX-UPSTREAM shim-mokmanager-delete-bs-var-right.patch glin@suse.com -- Delete BootService non-volatile variables the right way -Patch13: shim-mokmanager-delete-bs-var-right.patch -# PATCH-FIX-UPSTREAM shim-fix-uninitialized-variable.patch glin@suse.com -- Initialize the variable in lib properly -Patch14: shim-fix-uninitialized-variable.patch -# PATCH-FIX-UPSTREAM shim-mokmanager-support-sha-family.patch glin@suse.com -- Support SHA hashes in MOK -Patch15: shim-mokmanager-support-sha-family.patch -# PATCH-FIX-OPENSUSE 
shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not -Patch100: shim-opensuse-cert-prompt.patch BuildRequires: gnu-efi >= 3.0t BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 @@ -100,16 +78,6 @@ Authors: %patch4 -p1 %patch5 -p1 %patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 -%patch100 -p1 %build # first, build MokManager and fallback as they don't depend on a @@ -140,18 +108,12 @@ for suffix in "${suffixes[@]}"; do if test "$suffix" = "opensuse"; then cert=%{SOURCE2} cert2=%{SOURCE9} - verify='openSUSE Secure Boot CA1' - signature=%{SOURCE1} elif test "$suffix" = "sles"; then cert=%{SOURCE4} cert2='' - verify='SUSE Linux Enterprise Secure Boot CA1' - signature=%{SOURCE12} elif test "$suffix" = "devel"; then cert=%{_sourcedir}/_projectcert.crt cert2='' - verify=`openssl x509 -in "$cert" -noout -email` - signature='' test -e "$cert" || continue else echo "invalid suffix" @@ -159,7 +121,6 @@ for suffix in "${suffixes[@]}"; do fi openssl x509 -in $cert -outform DER -out shim-$suffix.der - rm -f shim_cert.h shim.cer shim.crt if [ -z "$cert2" ]; then # create empty local cert file, we don't need a local key pair as we # sign the mokmanager with our vendor key 
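Review bot: The new side no longer runs `rm -f shim_cert.h shim.cer shim.crt` before preparing the certificate for a suffix, so the second loop iteration starts with whatever `shim_cert.h` the previous suffix's `make` generated; the only cleanup left is the `rm -f shim.cer shim.crt` at the end of the loop, which does not touch `shim_cert.h`. Whether make regenerates it then depends on the `shim_cert.h: shim.cer` timestamp rule, which this diff does not show, and a stale header would embed the previous suffix's local certificate into a binary that is about to be compared against a signed hash. Restoring `rm -f shim_cert.h shim.cer shim.crt` right after the `openssl x509 ... -out shim-$suffix.der` line removes that dependency on make's view of the timestamps. The enclosing `for suffix` loop starts before the hunk.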
@@ -167,38 +128,35 @@ for suffix in "${suffixes[@]}"; do touch shim.cer else cp $cert2 shim.crt + rm -f shim.cer fi # make sure cast warnings don't trigger post build check make EFI_PATH=/usr/lib64 VENDOR_CERT_FILE=shim-$suffix.der shim.efi 2>/dev/null - # - # assert correct certificate embedded - grep -q "$verify" shim.efi # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx - chmod 755 %{SOURCE10} + chmod 755 %{SOURCE6} %{SOURCE7} %{SOURCE10} # alternative: verify signature #sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi - if test -n "$signature"; then - head -1 "$signature" > hash1 - cp shim.efi shim.efi.bak - # pe header contains timestamp and checksum. we need to - # restore that - %{SOURCE10} --set-from-file "$signature" shim.efi - pesign -h -P -i shim.efi > hash2 - cat hash1 hash2 - if ! cmp -s hash1 hash2; then - echo "ERROR: $suffix binary changed, need to request new signature!" - # don't fail in devel projects - prj="%{_project}" - if [ "${prj%%%:*}" = "openSUSE" -o "${prj%%%:*}" = "SUSE" ]; then - false - fi - mv shim.efi.bak shim-$suffix.efi - rm shim.efi - else - # attach signature - pesign -m "$signature" -i shim.efi -o shim-$suffix.efi - rm -f shim.efi - fi + head -1 %{SOURCE1} > hash1 + cp shim.efi shim.efi.bak + # pe header contains timestamp and checksum. we need to + # restore that + %{SOURCE10} --set-from-file %{SOURCE1} shim.efi + %{SOURCE7} shim.efi > hash2 + cat hash1 hash2 + if ! cmp -s hash1 hash2; then + echo "ERROR: binary changed, need to request new signature!" + # don't fail in devel projects + prj="%{_project}" + if [ "${prj%%:*}" = "openSUSE" -o "${prj%%:*}" = "SUSE" ]; then + false + fi + mv shim.efi.bak shim-$suffix.efi + rm shim.efi + else + # attach signature + %{SOURCE6} %{SOURCE1} shim.efi + mv shim-signed.efi shim-$suffix.efi + rm -f shim.efi fi rm -f shim.cer shim.crt # make sure cert.o gets rebuilt diff --git a/show_hash.sh b/show_hash.sh index a485768..82c4944 100644 --- a/show_hash.sh +++ b/show_hash.sh 
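Review bot: The project-prefix test `if [ "${prj%%:*}" = "openSUSE" -o "${prj%%:*}" = "SUSE" ]; then` lives in a spec file, where rpm collapses `%%` to `%`, so the shell actually runs `${prj%:*}` (shortest-suffix removal, i.e. drop only the last component): `openSUSE:Factory` still yields `openSUSE`, but a deeper project such as `openSUSE:Factory:Staging:A` yields `openSUSE:Factory:Staging`, the comparison fails, and a hash mismatch becomes non-fatal — the build falls through to `mv shim.efi.bak shim-$suffix.efi` and ships an unsigned shim. Spell it so the shell sees `${prj%%:*}`; the old side's `${prj%%%:*}` was the earlier fix for exactly this (the removed shim.changes entry "escaping the percent sign" describes it), and `%%%%:*` is the unambiguous form. Separately, every suffix is now compared against the single `%{SOURCE1}` signature, but an Authenticode signature binds to one exact PE image, so at most one of `opensuse`/`sles` can ever match and the `devel` build will always print "binary changed"; the old per-suffix `signature` variable, empty for devel, avoided that and is worth restoring. The enclosing `for suffix` loop starts before the hunk.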
@@ -9,4 +9,13 @@ if [ -z "$infile" -o ! -e "$infile" ]; then exit 1 fi -pesign -h -P -i "$infile" +nssdir=`mktemp -d` +cleanup() +{ + rm -r "$nssdir" +} +trap cleanup EXIT +echo > "$nssdir/pw" +certutil -f "$nssdir/pw" -d "$nssdir" -N + +pesign -n "$nssdir" -h -P -i "$infile" diff --git a/show_signatures.sh b/show_signatures.sh index ab9acdb..d9bdb6e 100644 --- a/show_signatures.sh +++ b/show_signatures.sh @@ -9,4 +9,13 @@ if [ -z "$infile" -o ! -e "$infile" ]; then exit 1 fi -pesign -S -i "$infile" +nssdir=`mktemp -d` +cleanup() +{ + rm -r "$nssdir" +} +trap cleanup EXIT +echo > "$nssdir/pw" +certutil -f "$nssdir/pw" -d "$nssdir" -N + +pesign -n "$nssdir" -S -i "$infile" diff --git a/signature-sles.asc b/signature-sles.asc deleted file mode 100644 index d88c3c8..0000000 --- a/signature-sles.asc +++ /dev/null 
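Review bot: The added `nssdir=\`mktemp -d\`` is never checked, so if mktemp fails `nssdir` is empty, `certutil -f "$nssdir/pw" -d "$nssdir" -N` and `pesign -n "$nssdir" ...` run against a non-existent database and the EXIT trap executes `rm -r ""`. Write it as `nssdir=$(mktemp -d) || exit 1` and make the cleanup `rm -rf -- "${nssdir:?}"` so an empty value can never reach rm. The blank password written by `echo > "$nssdir/pw"` is acceptable for a throwaway database but deserves a comment such as `# empty password: the temporary NSS db exists only so pesign can start`. The argument check above the hunk is unchanged and outside it.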
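Review bot: This hunk has the same unchecked `nssdir=\`mktemp -d\`` as show_hash.sh, with `trap cleanup EXIT` installed after it and `cleanup` doing a bare `rm -r "$nssdir"`, so a mktemp failure leaves an empty `nssdir` flowing into `certutil -d`, `pesign -n` and the trap. Use `nssdir=$(mktemp -d) || exit 1` and `rm -rf -- "${nssdir:?}"` here as well. Given the two scripts now share this block verbatim, a short comment noting that show_hash.sh must be kept in sync would help the next maintainer. The rest of the script is outside the hunk.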
@@ -1,188 +0,0 @@ -hash: f31fd461c5e99510403fc97c1da2d8a9cbe270597d32badf8fd66b77495f8d94 -# 2069-04-10 06:07:54 -timestamp: babababa -checksum: 61c9 ------BEGIN AUTHENTICODE SIGNATURE----- -MIIh9AYJKoZIhvcNAQcCoIIh5TCCIeECAQExDzANBglghkgBZQMEAgEFADBcBgor -BgEEAYI3AgEEoE4wTDAXBgorBgEEAYI3AgEPMAkDAQCgBKICgAAwMTANBglghkgB -ZQMEAgEFAAQg8x/UYcXplRBAP8l8HaLYqcvicFl9Mrrfj9Zrd0lfjZSgggs8MIIF -JDCCBAygAwIBAgITMwAAAApmQvP0n7c3lgABAAAACjANBgkqhkiG9w0BAQsFADCB -gTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl -ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMi -TWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTAeFw0xMzA5MjQxNzU0 -MDNaFw0xNDEyMjQxNzU0MDNaMIGVMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz -aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv -cnBvcmF0aW9uMQ0wCwYDVQQLEwRNT1BSMTAwLgYDVQQDEydNaWNyb3NvZnQgV2lu -ZG93cyBVRUZJIERyaXZlciBQdWJsaXNoZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB -DwAwggEKAoIBAQCc2PZRP3t6i2DCLSAuWrFHZKfyD98yckc9yxqqqJACgekdZi4s -ZEN1vYcVfiUhW4hFpdH3kcPah7wf+uqgyQa1hb/9AzDH63JYfaHLWA+Jx0leY0cG -CsIFviaUHrCEgxhkeXdrGfHroDcWArv2yBBvj+zvePVE9/VpDoBK+2nAFxz0oG23 -BzE5duVpHIZn96fNyoDKYvCf649VqjM+O5/b5jlDylkMWAIVTvWqE0r/7YnC1Vcc -cgJDQk8IaIWSepRsjrvvf8C8uG3ZSxVjQeuPz7ETAryJIWvYdz240MzVAJD7SazH -SbVJm1LPHfS2FEpx3uUNOuo3IJrrxqeals8FAgMBAAGjggF9MIIBeTAfBgNVHSUE -GDAWBggrBgEFBQcDAwYKKwYBBAGCN1ACATAdBgNVHQ4EFgQU6t49RpSALGo0XSnP -ixuEhp5y0NEwUQYDVR0RBEowSKRGMEQxDTALBgNVBAsTBE1PUFIxMzAxBgNVBAUT -KjMxNjE5KzAxMjU1ZjQ2LTc0ZjUtNGZjNC1iYzcxLWU0ZGE5NzM2YmVlZTAfBgNV -HSMEGDAWgBQTrb9DCb2CcJyM1U8xbtUimIob1DBTBgNVHR8ETDBKMEigRqBEhkJo -dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNDb3JVRUZDQTIw -MTFfMjAxMS0wNi0yNy5jcmwwYAYIKwYBBQUHAQEEVDBSMFAGCCsGAQUFBzAChkRo -dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvclVFRkNB -MjAxMV8yMDExLTA2LTI3LmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUA -A4IBAQAqJ9a9LzTGipmJ7IVkSf5JNK1cBhXsWBlmQ5kFNzeoa+RskUuUeM45NTS3 -We7F628BW3BrhT8dK+Uf6YB7F46qng+VWNal2RPFjHSSy60QartzlUJoAaQvNjhC 
-5gv3LQRmaIZdtdjOLJAclnMETQWrt0wXGsGYwPk3a7kYXsdSO7U+bSwRRkL/v74g -78bCVxwgBhWctw/yxCjpl/bOg79XrZpHxH3szpgwz4YaFWRxxiYAoCYLROKeqObj -PEB8BG83vkpG3K84wBiyT5ab63FtjnbOvD0dGRNO1vIWzC41eEi0mYGW69cya8o+ -Ot4bqI6YYSpWmkah9FhW9OLfoCpdMIIGEDCCA/igAwIBAgIKYQjTxAAAAAAABDAN -BgkqhkiG9w0BAQsFADCBkTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0 -b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3Jh -dGlvbjE7MDkGA1UEAxMyTWljcm9zb2Z0IENvcnBvcmF0aW9uIFRoaXJkIFBhcnR5 -IE1hcmtldHBsYWNlIFJvb3QwHhcNMTEwNjI3MjEyMjQ1WhcNMjYwNjI3MjEzMjQ1 -WjCBgTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT -B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UE -AxMiTWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTCCASIwDQYJKoZI -hvcNAQEBBQADggEPADCCAQoCggEBAKUIbEzHRQlqSwykwId/BnUMQwFUZOAWfwft -kn0LsnO/DArGSkVhoMUWLZbT9Sug+01Jm0GAkDy5VP3mvNGdxKQYin9BilxZg2gy -u4xHye5xvCFPmop8/0Q/jY8ysiZIrnW17slMHkoZfuSCmh14d00MsL32D9MW07z6 -K6VROF31+7rbeALb/+wKG5bVg7gZE+m2wHtAe+EfKCfJ+u9WXhzmfpR+wPBEsnk5 -5dqyYotNvzhw4mgkFMkzpAg31VhpXtN87cEEUwjnTrAqh2MIYW9jFVnqsit51wxh -Z4pb/V6th3+6hmdPcVgSIgQiIs6L71RxAM5QNVh2lQjuarGiAdUCAwEAAaOCAXYw -ggFyMBIGCSsGAQQBgjcVAQQFAgMBAAEwIwYJKwYBBAGCNxUCBBYEFPjBa7d/d1NK -8yU3HU6hJnsPIHCAMB0GA1UdDgQWBBQTrb9DCb2CcJyM1U8xbtUimIob1DAZBgkr -BgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUw -AwEB/zAfBgNVHSMEGDAWgBRFZlJD4X5YEb/WTp4jVQg7OiJqqDBcBgNVHR8EVTBT -MFGgT6BNhktodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0 -cy9NaWNDb3JUaGlQYXJNYXJSb29fMjAxMC0xMC0wNS5jcmwwYAYIKwYBBQUHAQEE -VDBSMFAGCCsGAQUFBzAChkRodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2Nl -cnRzL01pY0NvclRoaVBhck1hclJvb18yMDEwLTEwLTA1LmNydDANBgkqhkiG9w0B -AQsFAAOCAgEANQhC/zDMzvd2DK0QaFg1KUYydid87xJBJ0IbSqptgThIWRNV8+lY -NKYWC4KqXa2C2oCDQQaPtB3yA7nzGl0b8VCQ+bNVhEIoHCC9sq5RFMXArJeVIRyQ -2w/8d56Vc5GIyr29UrkFUA3fV56gYe0N5W0l2UAPF0DIzqNKwk2vmhIdCFSPvce8 -uSs9SSsfMvxqIWlPm8h+QjT8NgYXi48gQMCzmiV1J83JA6P2XdHnNlR6uVC10xLR -B7+7dN/cHo+A1e0Y9C8UFmsv3maMsCPlx4TY7erBM4KtVksYLfFolQfNz/By8K67 
-3YaFmCwhTDMr8A9K8GiHtZJVMnWhaoJqPKMlEaTtrdcErsvYQFmghNGVTGKRIhp0 -HYw9Rw5EpuSwmzQ1sfq2U6gsgeykBXHInbi66BtEZuRHVA6OVn+znxaYsobQaD6Q -I7UvXo9QhY3GjYJfQaH0Lg3gmdJsdeS2abUhhvoH0fbiTdHarSx3Ux4lMjfHbFJy -lYaw8TVhahn1sjuBUFamMi3+oon5QoYnGFWhgspam/gwmFQUpkeWJS/IJuRBlBpc -Aj/lluOFWzw+P7tHFnJV4iUisdl75wMGKqP3HpBGwwAN1hmJ4w41J2IDcRWm79An -oKBZN2D4OJS44Hhw+LpMhoeU9uCuAkXuZcK2o35pFnUHkpv1prxZg1gxghYrMIIW -JwIBATCBmTCBgTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAO -BgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEr -MCkGA1UEAxMiTWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMQITMwAA -AApmQvP0n7c3lgABAAAACjANBglghkgBZQMEAgEFAKCCAREwGQYJKoZIhvcNAQkD -MQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwLwYJ -KoZIhvcNAQkEMSIEIJrzMZcr8o7z/mk2WCbI8fEz7nZbYeVPQtJjL0exXBCxMIGk -BgorBgEEAYI3AgEMMYGVMIGSoF6AXABoAHQAdABwADoALwAvAHcAdwB3AC4AbQBp -AGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvAHcAaABkAGMALwBoAGMAbAAvAGQAZQBm -AGEAdQBsAHQALgBtAHMAcAB4oTCALmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS93 -aGRjL2hjbC9kZWZhdWx0Lm1zcHgwDQYJKoZIhvcNAQEBBQAEggEAjHDQORfm8d8T -eyJMiPDMRPFiO/aBL7UtF4rtDUeYi+c9UU6KDVXHi19Z9DNt3pkRRm4DxFVdDPXU -P1TFD8HWbQPQ7YGGRjDOv1BwxZ+5F6xmNgoxUh0khKisi3l0LPq6Zauee7ebgly3 -6A6GQSKlaXH7MXxMsgbvGFdXAQs/KVMb3xzuttby/jcQ9lxoMr4SVcM6Vu6fFZ24 -DWhHFtONzHFSvJ3Sf10d8teTvikrIaXg7pzNU+T7+sMXsiyhVhWiFFFtetaaxtT4 -vcKDuGHNP797WM1YYxZz+2sMbWyi81h+We6ReHn0V+UUW4b7i4yh0p2Vy3xPrzb6 -TgGQIyi536GCE00wghNJBgorBgEEAYI3AwMBMYITOTCCEzUGCSqGSIb3DQEHAqCC -EyYwghMiAgEDMQ8wDQYJYIZIAWUDBAIBBQAwggE9BgsqhkiG9w0BCRABBKCCASwE -ggEoMIIBJAIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFlAwQCAQUABCAqAR+tIZOx -IQiET4LQ+OsCmH0VlrTUkAPePwl/JtC8pAIGUt6TDOrUGBMyMDE0MDIyNzAxMDcz -My43NzNaMAcCAQGAAgH0oIG5pIG2MIGzMQswCQYDVQQGEwJVUzETMBEGA1UECBMK -V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0 -IENvcnBvcmF0aW9uMQ0wCwYDVQQLEwRNT1BSMScwJQYDVQQLEx5uQ2lwaGVyIERT -RSBFU046QzBGNC0zMDg2LURFRjgxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0 -YW1wIFNlcnZpY2Wggg7QMIIGcTCCBFmgAwIBAgIKYQmBKgAAAAAAAjANBgkqhkiG 
-9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAO -BgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEy -MDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIw -MTAwHhcNMTAwNzAxMjEzNjU1WhcNMjUwNzAxMjE0NjU1WjB8MQswCQYDVQQGEwJV -UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE -ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGlt -ZS1TdGFtcCBQQ0EgMjAxMDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -AKkdDbx3EYo6IOz8E5f1+n9plGt0VBDVpQoAgoX77XxoSyxfxcPlYcJ2tz5mK1vw -FVMnBDEfQRsalR3OCROOfGEwWbEwRA/xYIiEVEMM1024OAizQt2TrNZzMFcmgqNF -DdDq9UeBzb8kYDJYYEbyWEeGMoQedGFnkV+BVLHPk0ySwcSmXdFhE24oxhr5hoC7 -32H8RsEnHSRnEnIaIYqvS2SJUGKxXf13Hz3wV3WsvYpCTUBR0Q+cBj5nf/VmwAOW -RH7v0Ev9buWayrGo8noqCjHw2k4GkbaICDXoeByw6ZnNPOcvRLqn9NxkvaQBwSAJ -k3jN/LzAyURdXhacAQVPIk0CAwEAAaOCAeYwggHiMBAGCSsGAQQBgjcVAQQDAgEA -MB0GA1UdDgQWBBTVYzpcijGQ80N7fEYbxTNoWoVtVTAZBgkrBgEEAYI3FAIEDB4K -AFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSME -GDAWgBTV9lbLj+iiXGJo0T2UkFvXzpoYxDBWBgNVHR8ETzBNMEugSaBHhkVodHRw -Oi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJB -dXRfMjAxMC0wNi0yMy5jcmwwWgYIKwYBBQUHAQEETjBMMEoGCCsGAQUFBzAChj5o -dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dF8y -MDEwLTA2LTIzLmNydDCBoAYDVR0gAQH/BIGVMIGSMIGPBgkrBgEEAYI3LgMwgYEw -PQYIKwYBBQUHAgEWMWh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9QS0kvZG9jcy9D -UFMvZGVmYXVsdC5odG0wQAYIKwYBBQUHAgIwNB4yIB0ATABlAGcAYQBsAF8AUABv -AGwAaQBjAHkAXwBTAHQAYQB0AGUAbQBlAG4AdAAuIB0wDQYJKoZIhvcNAQELBQAD -ggIBAAfmiFEN4sbgmD+BcQM9naOhIW+z66bM9TG+zwXiqf76V20ZMLPCxWbJat/1 -5/B4vceoniXj+bzta1RXCCtRgkQS+7lTjMz0YBKKdsxAQEGb3FwX/1z5Xhc1mCRW -S3TvQhDIr79/xn/yN31aPxzymXlKkVIArzgPF/UveYFl2am1a+THzvbKegBvSzBE -JCI8z+0DpZaPWSm8tv0E4XCfMkon/VWvL/625Y4zu2JfmttXQOnxzplmkIz/amJ/ -3cVKC5Em4jnsGUpxY517IW3DnKOiPPp/fZZqkHimbdLhnPkd/DjYlPTGpQqWhqS9 -nhquBEKDuLWAmyI4ILUl5WTs9/S/fmNZJQ96LjlXdqJxqgaKD4kWumGnEcua2A5H -moDF0M2n0O99g/DhO3EJ3110mCIIYdqwUB5vvfHhAN/nMQekkzr3ZUd46PioSKv3 
-3nJ+YWtvd6mBy6cJrDm77MbL2IK0cs0d9LiFAR6A+xuJKlQ5slvayA1VmXqHczsI -5pgt6o3gMy4SKfXAL1QnIffIrE7aKLixqduWsqdCosnPGUFN4Ib5KpqjEWYw07t0 -MkvfY3v1mYovG8chr1m1rtxEPJdQcdeh0sVV42neV8HR3jDA/czmTfsNv11P6Z0e -GTgvvM9YBS7vDaBQNdrvCScc1bN+NR4Iuto229Nfj950iEkSMIIE2jCCA8KgAwIB -AgITMwAAACiQZ7kEsDxuZgAAAAAAKDANBgkqhkiG9w0BAQsFADB8MQswCQYDVQQG -EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG -A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQg -VGltZS1TdGFtcCBQQ0EgMjAxMDAeFw0xMzAzMjcyMDEzMTNaFw0xNDA2MjcyMDEz -MTNaMIGzMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE -BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMQ0wCwYD -VQQLEwRNT1BSMScwJQYDVQQLEx5uQ2lwaGVyIERTRSBFU046QzBGNC0zMDg2LURF -RjgxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2UwggEiMA0G -CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDdpUi/akidSiGckmve4C3c5GP4zLmJ -xMcbvee10/vtrs8x/vNmsEQD2plnCFq/dQYiEYnQZ1LM+s+SN0Xo+vG9M9PMc+O4 -IaSgFX3LL8QDBdo/lnPTWeWYTQtWhi+dR9HWX52R6ceE2ZVrMky0awBS4EHTPGl0 -qM7MfWidUlXmcH8UB6KeZ7CGRPMzP3Ndxij4F19SAS1EL9bteAi45TsvwLnDS8O3 -Oy/TprWcsUhK3TIJVqEbS1rTqiYnDBJDYMVq19pADWCYiUG7k3Pdv/7EjFvO+lUn -yk1Nmm99EWyxRyOwTHxsfwahdIIfUngY6QYaFlCawzrdgYH3mydyIX91AgMBAAGj -ggEbMIIBFzAdBgNVHQ4EFgQU3JgInXnRBLKLR8Nx0Izns+awU50wHwYDVR0jBBgw -FoAU1WM6XIoxkPNDe3xGG8UzaFqFbVUwVgYDVR0fBE8wTTBLoEmgR4ZFaHR0cDov -L2NybC5taWNyb3NvZnQuY29tL3BraS9jcmwvcHJvZHVjdHMvTWljVGltU3RhUENB -XzIwMTAtMDctMDEuY3JsMFoGCCsGAQUFBwEBBE4wTDBKBggrBgEFBQcwAoY+aHR0 -cDovL3d3dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNUaW1TdGFQQ0FfMjAx -MC0wNy0wMS5jcnQwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDCDAN -BgkqhkiG9w0BAQsFAAOCAQEAgiLztz1kfhJL/Cb84OS30MQUTgn+q1aa0VqYpr6M -QR6UtDK+hLS3RXbj72AYJIeoz+m00VQpvMrkyxJ7wPHUDp8xMxsRP3o73d0CqhjK -yjz6luNsu6+7yYQ+x9gMhctyCwEbpPUxERAMRaVaSJl+2r5Fhte6TeSB/9NYCnZl -Blkv9sJCzwTJqxv6YZ3185hJcLFJ0GTEIejuYBdTfusC2miVi/UKPAHbo7WYFFF0 -nlPp2nKYZqBfKc+Prx+CnNPr5vFMG1T46DLcwRXDrCpudAUWg+NEmJ/L7+gweX+v -UqU6H99lx43+J9hHGZIItIs0jmknNxoC9pGzlSL/CEgq/qGCA3kwggJhAgEBMIHj 
-oYG5pIG2MIGzMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4G -A1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMQ0w -CwYDVQQLEwRNT1BSMScwJQYDVQQLEx5uQ2lwaGVyIERTRSBFU046QzBGNC0zMDg2 -LURFRjgxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2WiJQoB -ATAJBgUrDgMCGgUAAxUA8120HsdfO2ZOZQ7emART9hWnH0SggcIwgb+kgbwwgbkx -CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt -b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xDTALBgNVBAsTBE1P -UFIxJzAlBgNVBAsTHm5DaXBoZXIgTlRTIEVTTjpCMDI3LUM2RjgtMUQ4ODErMCkG -A1UEAxMiTWljcm9zb2Z0IFRpbWUgU291cmNlIE1hc3RlciBDbG9jazANBgkqhkiG -9w0BAQUFAAIFANa4+LowIhgPMjAxNDAyMjYyMzM1MjJaGA8yMDE0MDIyNzIzMzUy -MlowdzA9BgorBgEEAYRZCgQBMS8wLTAKAgUA1rj4ugIBADAKAgEAAgIM/AIB/zAH -AgEAAgIV3zAKAgUA1rpKOgIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZ -CgMBoAowCAIBAAIDFuNgoQowCAIBAAIDB6EgMA0GCSqGSIb3DQEBBQUAA4IBAQBm -lwBgKM7WFYZn7KoOxHuc0HCwn9KJ7P2+V1ixjuYcd9TJPbpom+P6TqrtdVyqC1qN -P1ika8uTrueq+WIyDkpbBeRjgRPxywB8p6swJXn3a8FQJlYM8wZlX6k4DXOQ5a1I -8Df1MoZedlnFIJFCuailsPek9CZSuawhHvQu6tutrNrCtOJpHGwP/g7QhqDby6MU -9W08fcBbMQ+Q+NN9R+O5914iiyXTxNYply2O6zmRRXVV8Os49n6MAdLMQwlW/Hjf -Qx9xsPgmOpnwA3IVmPCEtJnHbNPnmX23cB3zQ5HQ8Rgzh4a2iGFTUKVLQzP2XbJI -GAt0fd2U/pFkRHTpexsrMYIC9TCCAvECAQEwgZMwfDELMAkGA1UEBhMCVVMxEzAR -BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p -Y3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3Rh -bXAgUENBIDIwMTACEzMAAAAokGe5BLA8bmYAAAAAACgwDQYJYIZIAWUDBAIBBQCg -ggEyMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAvBgkqhkiG9w0BCQQxIgQg -igCH0fhbYKLF4fSmxZObvVlmifs8MaWR0dGzScGuExwwgeIGCyqGSIb3DQEJEAIM -MYHSMIHPMIHMMIGxBBTzXbQex187Zk5lDt6YBFP2FacfRDCBmDCBgKR+MHwxCzAJ -BgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25k -MR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jv -c29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAAAKJBnuQSwPG5mAAAAAAAoMBYE -FP/tXYkB9TLyFTNFAIYorcmDMtYiMA0GCSqGSIb3DQEBCwUABIIBABg8AdKpFO37 -Mdc4SKY28D2Sff2uoRuCoLxMZPhC7rR14gC1sXKSBHIoNyMBR32mYJnJsTAgJRwT 
-YTEmsHYl6l37/tkLAsRS21lt+YuynR9/fdGlwvqxc41HkUHdcTRjvsetVZ7v2HSz
-vpCBje4TsAaxblVCsyXiH94CyMR3Aq6brcoG+QJKh14NFLLLIxN2melZYivfcAJR
-ES78bXBRGa6hPqsvOIZ6USSC1rAwHodonNcp4Xb1QMPoXKcMPyUAYdzz0q673Mec
-hsP7HKqhezXDmpGe6Hg4RrO/In7qyRok6LZ4DH5hsp6dp0Omcgqm3kmcqTTNmtF6
-0JelOr7e+os=
------END AUTHENTICODE SIGNATURE-----
diff --git a/strip_signature.sh b/strip_signature.sh
index ccda812..f22cabf 100644
--- a/strip_signature.sh
+++ b/strip_signature.sh
@@ -10,4 +10,13 @@ fi
 outfile="${infile%.efi}-unsigned.efi"
-pesign -r -i "$infile" -o "$outfile"
+nssdir=`mktemp -d`
+cleanup()
+{
+ rm -r "$nssdir"
+}
+trap cleanup EXIT
+echo > "$nssdir/pw"
+certutil -f "$nssdir/pw" -d "$nssdir" -N
+
+pesign -n "$nssdir" -r -i "$infile" -o "$outfile"