Accepting request 1035798 from home:joeyli:branches:devel:openSUSE:Factory

Add shim-jscPED-127-upgrade-shim-in-SLE15-SP5.patch for backporting the following patches between 15.6 with aa1b289a1a (jsc#PED-127)

OBS-URL: https://build.opensuse.org/request/show/1035798
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=194

shim-Enable-TDX-measurement-to-RTMR-register.patch

@@ -0,0 +1,240 @@
+From 4fd484e4c29364b4fdf4d043556fa0a210c5fdfc Mon Sep 17 00:00:00 2001
+From: Lu Ken <ken.lu@intel.com>
+Date: Sun, 22 May 2022 16:02:20 +0800
+Subject: [PATCH] Enable TDX measurement to RTMR register
+
+Intel Trust Domain Extensions (Intel TDX) extends Virtual Machine
+Extensions (VMX) and Multi-Key Total Memory Encryption (MK-TME) with a
+new kind of virtual machine guest called a Trust Domain(TD)[1].  A TD
+runs in a CPU mode that is designed to protect the confidentiality of
+its memory contents and its CPU state from any other software, including
+the hosting Virtual Machine Monitor (VMM).
+
+Trust Domain Virtual Firmware (TDVF) is required to provide Intel TDX
+implementation and service for EFI_CC_MEASUREMENT_PROTOCOL[2]. The bugzilla
+for TDVF is at https://bugzilla.tianocore.org/show_bug.cgi?id=3625.
+
+To support CC measurement/attestation with Intel TDX technology, these 4
+RTMR registers will be extended by TDX service like TPM/TPM2 PCR:
+
+- RTMR[0] for TDVF configuration
+- RTMR[1] for the TD OS loader and kernel
+- RTMR[2] for the OS application
+- RTMR[3] reserved for special usage only
+
+Add a TDX Implementation for CC Measurement protocol along with
+TPM/TPM2 protocol.
+
+References:
+[1] https://software.intel.com/content/dam/develop/external/us/en/documents/tdx-whitepaper-v4.pdf
+[2] https://software.intel.com/content/dam/develop/external/us/en/documents/tdx-virtual-firmware-design-guide-rev-1.pdf
+[3] https://software.intel.com/content/dam/develop/external/us/en/documents/intel-tdx-guest-hypervisor-communication-interface-1.0-344426-002.pdf
+
+Signed-off-by: Lu Ken <ken.lu@intel.com>
+[rharwood: style pass on code and commit message]
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+---
+ include/cc.h   | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ include/guid.h |  1 +
+ lib/guid.c     |  1 +
+ shim.h         |  1 +
+ tpm.c          | 48 ++++++++++++++++++++++++++++
+ 5 files changed, 136 insertions(+)
+ create mode 100644 include/cc.h
+
+diff --git a/include/cc.h b/include/cc.h
+new file mode 100644
+index 0000000..8b12720
+--- /dev/null
++++ b/include/cc.h
+@@ -0,0 +1,85 @@
++// SPDX-License-Identifier: BSD-2-Clause-Patent
++
++#ifndef SHIM_CC_H
++#define SHIM_CC_H
++
++typedef struct {
++	uint8_t Major;
++	uint8_t Minor;
++} EFI_CC_VERSION;
++
++#define EFI_CC_TYPE_NONE 0
++#define EFI_CC_TYPE_SEV  1
++#define EFI_CC_TYPE_TDX  2
++
++typedef struct {
++	uint8_t Type;
++	uint8_t SubType;
++} EFI_CC_TYPE;
++
++typedef uint32_t EFI_CC_EVENT_LOG_BITMAP;
++typedef uint32_t EFI_CC_EVENT_LOG_FORMAT;
++typedef uint32_t EFI_CC_EVENT_ALGORITHM_BITMAP;
++typedef uint32_t EFI_CC_MR_INDEX;
++
++#define TDX_MR_INDEX_MRTD  0
++#define TDX_MR_INDEX_RTMR0 1
++#define TDX_MR_INDEX_RTMR1 2
++#define TDX_MR_INDEX_RTMR2 3
++#define TDX_MR_INDEX_RTMR3 4
++
++#define EFI_CC_EVENT_LOG_FORMAT_TCG_2 0x00000002
++#define EFI_CC_BOOT_HASH_ALG_SHA384   0x00000004
++#define EFI_CC_EVENT_HEADER_VERSION   1
++
++typedef struct tdEFI_CC_EVENT_HEADER {
++	uint32_t HeaderSize;
++	uint16_t HeaderVersion;
++	EFI_CC_MR_INDEX MrIndex;
++	uint32_t EventType;
++} __attribute__((packed)) EFI_CC_EVENT_HEADER;
++
++typedef struct tdEFI_CC_EVENT {
++	uint32_t Size;
++	EFI_CC_EVENT_HEADER Header;
++	uint8_t Event[1];
++} __attribute__((packed)) EFI_CC_EVENT;
++
++typedef struct tdEFI_CC_BOOT_SERVICE_CAPABILITY {
++	uint8_t Size;
++	EFI_CC_VERSION StructureVersion;
++	EFI_CC_VERSION ProtocolVersion;
++	EFI_CC_EVENT_ALGORITHM_BITMAP HashAlgorithmBitmap;
++	EFI_CC_EVENT_LOG_BITMAP SupportedEventLogs;
++	EFI_CC_TYPE CcType;
++} EFI_CC_BOOT_SERVICE_CAPABILITY;
++
++struct efi_cc_protocol
++{
++	EFI_STATUS (EFIAPI *get_capability) (
++		struct efi_cc_protocol *this,
++		EFI_CC_BOOT_SERVICE_CAPABILITY *ProtocolCapability);
++	EFI_STATUS (EFIAPI *get_event_log) (
++		struct efi_cc_protocol *this,
++		EFI_CC_EVENT_LOG_FORMAT EventLogFormat,
++		EFI_PHYSICAL_ADDRESS *EventLogLocation,
++		EFI_PHYSICAL_ADDRESS *EventLogLastEntry,
++		BOOLEAN *EventLogTruncated);
++	EFI_STATUS (EFIAPI *hash_log_extend_event) (
++		struct efi_cc_protocol *this,
++		uint64_t Flags,
++		EFI_PHYSICAL_ADDRESS DataToHash,
++		uint64_t DataToHashLen,
++		EFI_CC_EVENT *EfiCcEvent);
++	EFI_STATUS (EFIAPI *map_pcr_to_mr_index) (
++		struct efi_cc_protocol *this,
++		uint32_t PcrIndex,
++		EFI_CC_MR_INDEX *MrIndex);
++};
++
++typedef struct efi_cc_protocol efi_cc_protocol_t;
++
++#define EFI_CC_FLAG_PE_COFF_IMAGE 0x0000000000000010
++
++#endif /* SHIM_CC_H */
++// vim:fenc=utf-8:tw=75
+diff --git a/include/guid.h b/include/guid.h
+index d9910ff..dad63f0 100644
+--- a/include/guid.h
++++ b/include/guid.h
+@@ -29,6 +29,7 @@ extern EFI_GUID EFI_IP6_CONFIG_GUID;
+ extern EFI_GUID EFI_LOADED_IMAGE_GUID;
+ extern EFI_GUID EFI_TPM_GUID;
+ extern EFI_GUID EFI_TPM2_GUID;
++extern EFI_GUID EFI_CC_MEASUREMENT_PROTOCOL_GUID;
+ extern EFI_GUID EFI_SECURE_BOOT_DB_GUID;
+ extern EFI_GUID EFI_SIMPLE_FILE_SYSTEM_GUID;
+ extern EFI_GUID SECURITY_PROTOCOL_GUID;
+diff --git a/lib/guid.c b/lib/guid.c
+index e100c92..904629e 100644
+--- a/lib/guid.c
++++ b/lib/guid.c
+@@ -28,6 +28,7 @@ EFI_GUID EFI_IP6_CONFIG_GUID = { 0x937fe521, 0x95ae, 0x4d1a, {0x89, 0x29, 0x48,
+ EFI_GUID EFI_LOADED_IMAGE_GUID = EFI_LOADED_IMAGE_PROTOCOL_GUID;
+ EFI_GUID EFI_TPM_GUID = { 0xf541796d, 0xa62e, 0x4954, {0xa7, 0x75, 0x95, 0x84, 0xf6, 0x1b, 0x9c, 0xdd } };
+ EFI_GUID EFI_TPM2_GUID = { 0x607f766c, 0x7455, 0x42be, {0x93, 0x0b, 0xe4, 0xd7, 0x6d, 0xb2, 0x72, 0x0f } };
++EFI_GUID EFI_CC_MEASUREMENT_PROTOCOL_GUID = { 0x96751a3d, 0x72f4, 0x41a6, {0xa7, 0x94, 0xed, 0x5d, 0x0e, 0x67, 0xae, 0x6b } };
+ EFI_GUID EFI_SECURE_BOOT_DB_GUID =  { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f } };
+ EFI_GUID EFI_SIMPLE_FILE_SYSTEM_GUID = SIMPLE_FILE_SYSTEM_PROTOCOL;
+ EFI_GUID SECURITY_PROTOCOL_GUID = { 0xA46423E3, 0x4617, 0x49f1, {0xB9, 0xFF, 0xD1, 0xBF, 0xA9, 0x11, 0x58, 0x39 } };
+diff --git a/shim.h b/shim.h
+index 7e9d10e..14824c6 100644
+--- a/shim.h
++++ b/shim.h
+@@ -186,6 +186,7 @@
+ #include "include/simple_file.h"
+ #include "include/str.h"
+ #include "include/tpm.h"
++#include "include/cc.h"
+ #include "include/ucs2.h"
+ #include "include/variables.h"
+ #include "include/hexdump.h"
+diff --git a/tpm.c b/tpm.c
+index 41f3665..388f8d1 100644
+--- a/tpm.c
++++ b/tpm.c
+@@ -108,6 +108,45 @@ static EFI_STATUS tpm_locate_protocol(efi_tpm_protocol_t **tpm,
+ 	return EFI_NOT_FOUND;
+ }
+ 
++static EFI_STATUS cc_log_event_raw(EFI_PHYSICAL_ADDRESS buf, UINTN size,
++				   UINT8 pcr, const CHAR8 *log, UINTN logsize,
++				   UINT32 type, BOOLEAN is_pe_image)
++{
++	EFI_STATUS efi_status;
++	EFI_CC_EVENT *event;
++	efi_cc_protocol_t *cc;
++	EFI_CC_MR_INDEX mr;
++	uint64_t flags = is_pe_image ? EFI_CC_FLAG_PE_COFF_IMAGE : 0;
++
++	efi_status = LibLocateProtocol(&EFI_CC_MEASUREMENT_PROTOCOL_GUID,
++				       (VOID **)&cc);
++	if (EFI_ERROR(efi_status) || !cc)
++		return EFI_SUCCESS;
++
++	efi_status = cc->map_pcr_to_mr_index(cc, pcr, &mr);
++	if (EFI_ERROR(efi_status))
++		return EFI_NOT_FOUND;
++
++	UINTN event_size = sizeof(*event) - sizeof(event->Event) + logsize;
++
++	event = AllocatePool(event_size);
++	if (!event) {
++		perror(L"Unable to allocate event structure\n");
++		return EFI_OUT_OF_RESOURCES;
++	}
++
++	event->Header.HeaderSize = sizeof(EFI_CC_EVENT_HEADER);
++	event->Header.HeaderVersion = EFI_CC_EVENT_HEADER_VERSION;
++	event->Header.MrIndex = mr;
++	event->Header.EventType = type;
++	event->Size = event_size;
++	CopyMem(event->Event, (VOID *)log, logsize);
++	efi_status = cc->hash_log_extend_event(cc, flags, buf, (UINT64)size,
++					       event);
++	FreePool(event);
++	return efi_status;
++}
++
+ static EFI_STATUS tpm_log_event_raw(EFI_PHYSICAL_ADDRESS buf, UINTN size,
+ 				    UINT8 pcr, const CHAR8 *log, UINTN logsize,
+ 				    UINT32 type, CHAR8 *hash)
+@@ -118,6 +157,15 @@ static EFI_STATUS tpm_log_event_raw(EFI_PHYSICAL_ADDRESS buf, UINTN size,
+ 	BOOLEAN old_caps;
+ 	EFI_TCG2_BOOT_SERVICE_CAPABILITY caps;
+ 
++	/* CC guest like TDX or SEV will measure the buffer and log the event,
++	   extend the result into a specific CC MR like TCG's PCR. It could
++	   coexists with TCG's TPM 1.2 and TPM 2.
++	*/
++	efi_status = cc_log_event_raw(buf, size, pcr, log, logsize, type,
++				      (hash != NULL));
++	if (EFI_ERROR(efi_status))
++		return efi_status;
++
+ 	efi_status = tpm_locate_protocol(&tpm, &tpm2, &old_caps, &caps);
+ 	if (EFI_ERROR(efi_status)) {
+ #ifdef REQUIRE_TPM
+-- 
+2.35.3
+

shim-bsc1198101-opensuse-cert-prompt.patch

@@ -22,10 +22,10 @@ The state will store in use_openSUSE_cert, a volatile RT variable.
  shim.h |  1 +
  3 files changed, 71 insertions(+), 2 deletions(-)
 
-Index: shim-15.6~rc1+77144e5a/mok.c
+Index: shim-15.6/mok.c
 ===================================================================
---- shim-15.6~rc1+77144e5a.orig/mok.c
-+++ shim-15.6~rc1+77144e5a/mok.c
+--- shim-15.6.orig/mok.c
++++ shim-15.6/mok.c
 @@ -46,7 +46,8 @@ static EFI_STATUS check_mok_request(EFI_
  	    check_var(L"MokPW") || check_var(L"MokAuth") ||
  	    check_var(L"MokDel") || check_var(L"MokDB") ||
@@ -46,10 +46,10 @@ Index: shim-15.6~rc1+77144e5a/mok.c
  		return VENDOR_ADDEND_NONE;
  	}
  
-Index: shim-15.6~rc1+77144e5a/shim.c
+Index: shim-15.6/shim.c
 ===================================================================
---- shim-15.6~rc1+77144e5a.orig/shim.c
-+++ shim-15.6~rc1+77144e5a/shim.c
+--- shim-15.6.orig/shim.c
++++ shim-15.6/shim.c
 @@ -496,6 +496,8 @@ verify_one_signature(WIN_CERTIFICATE_EFI
  	}
  
@@ -59,7 +59,7 @@ Index: shim-15.6~rc1+77144e5a/shim.c
  #if defined(ENABLE_SHIM_CERT)
  	/*
  	 * Check against the shim build key
-@@ -1572,6 +1574,69 @@ shim_fini(void)
+@@ -1568,6 +1570,69 @@ shim_fini(void)
  	console_fini();
  }
  
@@ -129,7 +129,7 @@ Index: shim-15.6~rc1+77144e5a/shim.c
  extern EFI_STATUS
  efi_main(EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab);
  
-@@ -1712,6 +1777,9 @@ efi_main (EFI_HANDLE passed_image_handle
+@@ -1708,6 +1773,9 @@ efi_main (EFI_HANDLE passed_image_handle
  	 */
  	debug_hook();
  
@@ -139,10 +139,10 @@ Index: shim-15.6~rc1+77144e5a/shim.c
  	efi_status = set_sbat_uefi_variable();
  	if (EFI_ERROR(efi_status) && secure_mode()) {
  		perror(L"%s variable initialization failed\n", SBAT_VAR_NAME);
-Index: shim-15.6~rc1+77144e5a/MokManager.c
+Index: shim-15.6/MokManager.c
 ===================================================================
---- shim-15.6~rc1+77144e5a.orig/MokManager.c
-+++ shim-15.6~rc1+77144e5a/MokManager.c
+--- shim-15.6.orig/MokManager.c
++++ shim-15.6/MokManager.c
 @@ -1864,6 +1864,36 @@ mokpw_done:
  	return EFI_SUCCESS;
  }
@@ -280,10 +280,10 @@ Index: shim-15.6~rc1+77144e5a/MokManager.c
  	LibDeleteVariable(L"MokAuth", &SHIM_LOCK_GUID);
  	LibDeleteVariable(L"MokDelAuth", &SHIM_LOCK_GUID);
  	LibDeleteVariable(L"MokXAuth", &SHIM_LOCK_GUID);
-Index: shim-15.6~rc1+77144e5a/globals.c
+Index: shim-15.6/globals.c
 ===================================================================
---- shim-15.6~rc1+77144e5a.orig/globals.c
-+++ shim-15.6~rc1+77144e5a/globals.c
+--- shim-15.6.orig/globals.c
++++ shim-15.6/globals.c
 @@ -25,6 +25,7 @@ UINT8 *build_cert;
   */
  verification_method_t verification_method;
@@ -292,11 +292,11 @@ Index: shim-15.6~rc1+77144e5a/globals.c
  
  UINT8 user_insecure_mode;
  UINT8 ignore_db;
-Index: shim-15.6~rc1+77144e5a/shim.h
+Index: shim-15.6/shim.h
 ===================================================================
---- shim-15.6~rc1+77144e5a.orig/shim.h
-+++ shim-15.6~rc1+77144e5a/shim.h
-@@ -268,6 +268,7 @@ extern UINT8 mok_policy;
+--- shim-15.6.orig/shim.h
++++ shim-15.6/shim.h
+@@ -270,6 +270,7 @@ extern UINT8 mok_policy;
  extern UINT8 in_protocol;
  extern void *load_options;
  extern UINT32 load_options_size;

shim-jscPED-127-upgrade-shim-in-SLE15-SP5.patch

@@ -0,0 +1,672 @@
+From 0eb07e11b20680200d3ce9c5bc59299121a75388 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Tue, 31 May 2022 22:21:26 +0100
+Subject: [PATCH 01/12] Make SBAT variable payload introspectable
+
+Given a set of EFI variables and boot assets, it should be possible
+to compute what the value of PCR 7 will be on the next boot.
+
+As shim manages the contents of the SbatLevel variable and this is
+measured to PCR 7, export the payloads that shim contains in a new
+COFF section (.sbatlevel) so that it can be introspected by code
+outside of shim.
+
+The new section works a bit like .vendor_cert - it contains a header
+and then the payload. In this case, the header contains no size fields
+because the strings are NULL terminated. Shim uses this new section
+internally in set_sbat_uefi_variable.
+
+The .sbatlevel section starts with a 4 byte version field which is
+not used by shim but may be useful for external auditors if the
+format of the section contents change in the future.
+
+Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
+---
+ Makefile                |  7 ++++---
+ elf_aarch64_efi.lds     |  4 ++++
+ elf_ia32_efi.lds        |  4 ++++
+ elf_ia64_efi.lds        |  4 ++++
+ elf_x86_64_efi.lds      |  4 ++++
+ include/sbat.h          | 32 --------------------------------
+ include/sbat_var_defs.h | 38 ++++++++++++++++++++++++++++++++++++++
+ include/test.mk         |  2 +-
+ sbat.c                  | 21 ++++++++++++++++-----
+ sbat_var.S              | 20 ++++++++++++++++++++
+ shim.h                  |  1 +
+ 11 files changed, 96 insertions(+), 41 deletions(-)
+ create mode 100644 include/sbat_var_defs.h
+ create mode 100644 sbat_var.S
+
+diff --git a/Makefile b/Makefile
+index 24ac314..866611c 100644
+--- a/Makefile
++++ b/Makefile
+@@ -38,9 +38,9 @@ CFLAGS += -DENABLE_SHIM_CERT
+ else
+ TARGETS += $(MMNAME) $(FBNAME)
+ endif
+-OBJS	= shim.o globals.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o sbat.o sbat_data.o pe.o httpboot.o csv.o load-options.o
++OBJS	= shim.o globals.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o sbat.o sbat_data.o sbat_var.o pe.o httpboot.o csv.o load-options.o
+ KEYS	= shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
+-ORIG_SOURCES	= shim.c globals.c mok.c netboot.c replacements.c tpm.c errlog.c sbat.c pe.c httpboot.c shim.h version.h $(wildcard include/*.h) cert.S
++ORIG_SOURCES	= shim.c globals.c mok.c netboot.c replacements.c tpm.c errlog.c sbat.c pe.c httpboot.c shim.h version.h $(wildcard include/*.h) cert.S sbat_var.S
+ MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o sbat_data.o globals.o
+ ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
+ FALLBACK_OBJS = fallback.o tpm.o errlog.o sbat_data.o globals.o
+@@ -253,7 +253,7 @@ endif
+ 	$(OBJCOPY) -D -j .text -j .sdata -j .data -j .data.ident \
+ 		-j .dynamic -j .rodata -j .rel* \
+ 		-j .rela* -j .dyn -j .reloc -j .eh_frame \
+-		-j .vendor_cert -j .sbat \
++		-j .vendor_cert -j .sbat -j .sbatlevel \
+ 		$(FORMAT) $< $@
+ 	./post-process-pe -vv $@
+ 
+@@ -269,6 +269,7 @@ endif
+ 	$(OBJCOPY) -D -j .text -j .sdata -j .data \
+ 		-j .dynamic -j .rodata -j .rel* \
+ 		-j .rela* -j .dyn -j .reloc -j .eh_frame -j .sbat \
++		-j .sbatlevel \
+ 		-j .debug_info -j .debug_abbrev -j .debug_aranges \
+ 		-j .debug_line -j .debug_str -j .debug_ranges \
+ 		-j .note.gnu.build-id \
+diff --git a/elf_aarch64_efi.lds b/elf_aarch64_efi.lds
+index 60c55ba..0861f5e 100644
+--- a/elf_aarch64_efi.lds
++++ b/elf_aarch64_efi.lds
+@@ -34,6 +34,10 @@ SECTIONS
+   .data.ident : {
+     *(.data.ident)
+   }
++  . = ALIGN(4096);
++  .sbatlevel : {
++    *(.sbatlevel)
++  }
+ 
+   . = ALIGN(4096);
+   .data :
+diff --git a/elf_ia32_efi.lds b/elf_ia32_efi.lds
+index 497a3a1..e8da91b 100644
+--- a/elf_ia32_efi.lds
++++ b/elf_ia32_efi.lds
+@@ -28,6 +28,10 @@ SECTIONS
+   .data.ident : {
+     *(.data.ident)
+   }
++  . = ALIGN(4096);
++  .sbatlevel : {
++    *(.sbatlevel)
++  }
+ 
+   . = ALIGN(4096);
+   .data :
+diff --git a/elf_ia64_efi.lds b/elf_ia64_efi.lds
+index 2669b85..a219560 100644
+--- a/elf_ia64_efi.lds
++++ b/elf_ia64_efi.lds
+@@ -34,6 +34,10 @@ SECTIONS
+   .data.ident : {
+     *(.data.ident)
+   }
++  . = ALIGN(4096);
++  .sbatlevel : {
++    *(.sbatlevel)
++  }
+ 
+   . = ALIGN(4096);
+   .data :
+diff --git a/elf_x86_64_efi.lds b/elf_x86_64_efi.lds
+index bcc6527..39aff6b 100644
+--- a/elf_x86_64_efi.lds
++++ b/elf_x86_64_efi.lds
+@@ -35,6 +35,10 @@ SECTIONS
+   .data.ident : {
+     *(.data.ident)
+   }
++  . = ALIGN(4096);
++  .sbatlevel : {
++    *(.sbatlevel)
++  }
+ 
+   . = ALIGN(4096);
+   .data :
+diff --git a/include/sbat.h b/include/sbat.h
+index aca4359..c94c4fb 100644
+--- a/include/sbat.h
++++ b/include/sbat.h
+@@ -6,38 +6,6 @@
+ #ifndef SBAT_H_
+ #define SBAT_H_
+ 
+-#define SBAT_VAR_SIG "sbat,"
+-#define SBAT_VAR_VERSION "1,"
+-#define SBAT_VAR_ORIGINAL_DATE "2021030218"
+-#define SBAT_VAR_ORIGINAL \
+-	SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_ORIGINAL_DATE "\n"
+-
+-#if defined(ENABLE_SHIM_DEVEL)
+-#define SBAT_VAR_PREVIOUS_DATE "2022020101"
+-#define SBAT_VAR_PREVIOUS_REVOCATIONS "component,2\n"
+-#define SBAT_VAR_PREVIOUS \
+-	SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_PREVIOUS_DATE "\n" \
+-	SBAT_VAR_PREVIOUS_REVOCATIONS
+-
+-#define SBAT_VAR_LATEST_DATE "2022050100"
+-#define SBAT_VAR_LATEST_REVOCATIONS "component,2\nothercomponent,2\n"
+-#define SBAT_VAR_LATEST \
+-	SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
+-	SBAT_VAR_LATEST_REVOCATIONS
+-#else /* !ENABLE_SHIM_DEVEL */
+-#define SBAT_VAR_PREVIOUS_DATE SBAT_VAR_ORIGINAL_DATE
+-#define SBAT_VAR_PREVIOUS_REVOCATIONS
+-#define SBAT_VAR_PREVIOUS \
+-	SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_PREVIOUS_DATE "\n" \
+-	SBAT_VAR_PREVIOUS_REVOCATIONS
+-
+-#define SBAT_VAR_LATEST_DATE "2022052400"
+-#define SBAT_VAR_LATEST_REVOCATIONS "shim,2\ngrub,2\n"
+-#define SBAT_VAR_LATEST \
+-	SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
+-	SBAT_VAR_LATEST_REVOCATIONS
+-#endif /* ENABLE_SHIM_DEVEL */
+-
+ #define UEFI_VAR_NV_BS \
+ 	(EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS)
+ #define UEFI_VAR_NV_BS_RT                                              \
+diff --git a/include/sbat_var_defs.h b/include/sbat_var_defs.h
+new file mode 100644
+index 0000000..c656b56
+--- /dev/null
++++ b/include/sbat_var_defs.h
+@@ -0,0 +1,38 @@
++// SPDX-License-Identifier: BSD-2-Clause-Patent
++
++#ifndef SBAT_VAR_DEFS_H_
++#define SBAT_VAR_DEFS_H_
++
++#define SBAT_VAR_SIG "sbat,"
++#define SBAT_VAR_VERSION "1,"
++#define SBAT_VAR_ORIGINAL_DATE "2021030218"
++#define SBAT_VAR_ORIGINAL \
++	SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_ORIGINAL_DATE "\n"
++
++#if defined(ENABLE_SHIM_DEVEL)
++#define SBAT_VAR_PREVIOUS_DATE "2022020101"
++#define SBAT_VAR_PREVIOUS_REVOCATIONS "component,2\n"
++#define SBAT_VAR_PREVIOUS \
++	SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_PREVIOUS_DATE "\n" \
++	SBAT_VAR_PREVIOUS_REVOCATIONS
++
++#define SBAT_VAR_LATEST_DATE "2022050100"
++#define SBAT_VAR_LATEST_REVOCATIONS "component,2\nothercomponent,2\n"
++#define SBAT_VAR_LATEST \
++	SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
++	SBAT_VAR_LATEST_REVOCATIONS
++#else /* !ENABLE_SHIM_DEVEL */
++#define SBAT_VAR_PREVIOUS_DATE SBAT_VAR_ORIGINAL_DATE
++#define SBAT_VAR_PREVIOUS_REVOCATIONS
++#define SBAT_VAR_PREVIOUS \
++	SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_PREVIOUS_DATE "\n" \
++	SBAT_VAR_PREVIOUS_REVOCATIONS
++
++#define SBAT_VAR_LATEST_DATE "2022052400"
++#define SBAT_VAR_LATEST_REVOCATIONS "shim,2\ngrub,2\n"
++#define SBAT_VAR_LATEST \
++	SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
++	SBAT_VAR_LATEST_REVOCATIONS
++#endif /* ENABLE_SHIM_DEVEL */
++
++#endif /* !SBAT_VAR_DEFS_H_ */
+diff --git a/include/test.mk b/include/test.mk
+index e965c60..c0e2409 100644
+--- a/include/test.mk
++++ b/include/test.mk
+@@ -92,7 +92,7 @@ test-mock-variables: CFLAGS+=-DHAVE_SHIM_LOCK_GUID
+ test-mok-mirror_FILES = mok.c globals.c tpm.c lib/guid.c lib/variables.c mock-variables.c
+ test-mok-mirror: CFLAGS+=-DHAVE_START_IMAGE -DHAVE_SHIM_LOCK_GUID
+ 
+-test-sbat_FILES = csv.c lib/variables.c lib/guid.c
++test-sbat_FILES = csv.c lib/variables.c lib/guid.c sbat_var.S
+ test-sbat :: CFLAGS+=-DHAVE_GET_VARIABLE -DHAVE_GET_VARIABLE_ATTR -DHAVE_SHIM_LOCK_GUID
+ 
+ test-str_FILES = lib/string.c
+diff --git a/sbat.c b/sbat.c
+index f1d6e98..a08c5b2 100644
+--- a/sbat.c
++++ b/sbat.c
+@@ -5,6 +5,11 @@
+ 
+ #include "shim.h"
+ 
++extern struct {
++	UINT32 previous_offset;
++	UINT32 latest_offset;
++} sbat_var_payload_header;
++
+ EFI_STATUS
+ parse_sbat_section(char *section_base, size_t section_size,
+ 		   size_t *n_entries,
+@@ -399,6 +404,9 @@ set_sbat_uefi_variable(void)
+ 	EFI_STATUS efi_status = EFI_SUCCESS;
+ 	UINT32 attributes = 0;
+ 
++	char *sbat_var_previous;
++	char *sbat_var_latest;
++
+ 	UINT8 *sbat = NULL;
+ 	UINT8 *sbat_policy = NULL;
+ 	UINTN sbatsize = 0;
+@@ -407,27 +415,30 @@ set_sbat_uefi_variable(void)
+ 	char *sbat_var = NULL;
+ 	bool reset_sbat = false;
+ 
++	sbat_var_previous = (char *)&sbat_var_payload_header + sbat_var_payload_header.previous_offset;
++	sbat_var_latest = (char *)&sbat_var_payload_header + sbat_var_payload_header.latest_offset;
++
+ 	efi_status = get_variable_attr(SBAT_POLICY, &sbat_policy,
+ 				       &sbat_policysize, SHIM_LOCK_GUID,
+ 				       &attributes);
+ 	if (EFI_ERROR(efi_status)) {
+ 		dprint("Default sbat policy: previous\n");
+-		sbat_var = SBAT_VAR_PREVIOUS;
++		sbat_var = sbat_var_previous;
+ 	} else {
+ 		switch (*sbat_policy) {
+ 			case SBAT_POLICY_LATEST:
+ 				dprint("Custom sbat policy: latest\n");
+-				sbat_var = SBAT_VAR_LATEST;
++				sbat_var = sbat_var_latest;
+ 				clear_sbat_policy();
+ 				break;
+ 			case SBAT_POLICY_PREVIOUS:
+ 				dprint("Custom sbat policy: previous\n");
+-				sbat_var = SBAT_VAR_PREVIOUS;
++				sbat_var = sbat_var_previous;
+ 				break;
+ 			case SBAT_POLICY_RESET:
+ 				if (secure_mode()) {
+ 					console_print(L"Cannot reset SBAT policy: Secure Boot is enabled.\n");
+-					sbat_var = SBAT_VAR_PREVIOUS;
++					sbat_var = sbat_var_previous;
+ 				} else {
+ 					dprint(L"Custom SBAT policy: reset OK\n");
+ 					reset_sbat = true;
+@@ -438,7 +449,7 @@ set_sbat_uefi_variable(void)
+ 			default:
+ 				console_error(L"SBAT policy state %llu is invalid",
+ 					      EFI_INVALID_PARAMETER);
+-				sbat_var = SBAT_VAR_PREVIOUS;
++				sbat_var = sbat_var_previous;
+ 				clear_sbat_policy();
+ 				break;
+ 		}
+diff --git a/sbat_var.S b/sbat_var.S
+new file mode 100644
+index 0000000..a115077
+--- /dev/null
++++ b/sbat_var.S
+@@ -0,0 +1,20 @@
++// SPDX-License-Identifier: BSD-2-Clause-Patent
++
++#include "include/sbat_var_defs.h"
++
++	.section .sbatlevel, "a", %progbits
++	.balignl 4, 0
++	.4byte  0 /* format version for external parsers */
++	.globl  sbat_var_payload_header
++	.type   sbat_var_payload_header, %object
++	.size   sbat_var_payload_header, .Lsbat_var_payload_header_end - sbat_var_payload_header
++sbat_var_payload_header:
++	.4byte  .Lsbat_var_previous - sbat_var_payload_header
++	.4byte  .Lsbat_var_latest - sbat_var_payload_header
++.Lsbat_var_payload_header_end:
++	.balign	1, 0
++.Lsbat_var_previous:
++	.asciz SBAT_VAR_PREVIOUS
++	.balign	1, 0
++.Lsbat_var_latest:
++	.asciz SBAT_VAR_LATEST
+diff --git a/shim.h b/shim.h
+index b5272b9..7e9d10e 100644
+--- a/shim.h
++++ b/shim.h
+@@ -179,6 +179,7 @@
+ #include "include/pe.h"
+ #include "include/replacements.h"
+ #include "include/sbat.h"
++#include "include/sbat_var_defs.h"
+ #if defined(OVERRIDE_SECURITY_POLICY)
+ #include "include/security_policy.h"
+ #endif
+-- 
+2.35.3
+
+
+From 092c2b2bbed950727e41cf450b61c794881c33e7 Mon Sep 17 00:00:00 2001
+From: Eric Snowberg <eric.snowberg@oracle.com>
+Date: Fri, 17 Jun 2022 12:37:28 -0400
+Subject: [PATCH 02/12] Reference MokListRT instead of MokList
+
+When calling back into shim from grub, the MokListRT may contain additional
+entries not available in the original MokList, an example being the certs
+included via user_cert. Use the MokListRT instead when calling check_db_cert
+and check_db_hash.
+
+Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
+---
+ shim.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/shim.c b/shim.c
+index fdd205e..27b74ce 100644
+--- a/shim.c
++++ b/shim.c
+@@ -397,22 +397,22 @@ static EFI_STATUS check_allowlist (WIN_CERTIFICATE_EFI_PKCS *cert,
+ 	}
+ #endif
+ 
+-	if (check_db_hash(L"MokList", SHIM_LOCK_GUID, sha256hash,
++	if (check_db_hash(L"MokListRT", SHIM_LOCK_GUID, sha256hash,
+ 			  SHA256_DIGEST_SIZE, EFI_CERT_SHA256_GUID)
+ 				== DATA_FOUND) {
+ 		verification_method = VERIFIED_BY_HASH;
+ 		update_verification_method(VERIFIED_BY_HASH);
+ 		return EFI_SUCCESS;
+ 	} else {
+-		LogError(L"check_db_hash(MokList, sha256hash) != DATA_FOUND\n");
++		LogError(L"check_db_hash(MokListRT, sha256hash) != DATA_FOUND\n");
+ 	}
+-	if (cert && check_db_cert(L"MokList", SHIM_LOCK_GUID, cert, sha256hash)
++	if (cert && check_db_cert(L"MokListRT", SHIM_LOCK_GUID, cert, sha256hash)
+ 			== DATA_FOUND) {
+ 		verification_method = VERIFIED_BY_CERT;
+ 		update_verification_method(VERIFIED_BY_CERT);
+ 		return EFI_SUCCESS;
+ 	} else if (cert) {
+-		LogError(L"check_db_cert(MokList, sha256hash) != DATA_FOUND\n");
++		LogError(L"check_db_cert(MokListRT, sha256hash) != DATA_FOUND\n");
+ 	}
+ 
+ 	update_verification_method(VERIFIED_BY_NOTHING);
+-- 
+2.35.3
+
+
+From 14d63398298c8de23036a4cf61594108b7345863 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Tue, 23 Aug 2022 12:07:16 -0400
+Subject: [PATCH 05/12] Discard load-options that start with a NUL
+
+In 6c8d08c0af4768c715b79c8ec25141d56e34f8b4 ("shim: Ignore UEFI
+LoadOptions that are just NUL characters."), a check was added to
+discard load options that are entirely NUL.  We now see some firmwares
+that start LoadOptions with a NUL, and then follow it with garbage (path
+to directory containing loaders).  Widen the check to just discard
+anything that starts with a NUL.
+
+Resolves: #490
+Related: #95
+See-also: https://bugzilla.redhat.com/show_bug.cgi?id=2113005
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+---
+ include/ucs2.h | 18 ------------------
+ load-options.c |  7 ++++++-
+ 2 files changed, 6 insertions(+), 19 deletions(-)
+
+diff --git a/include/ucs2.h b/include/ucs2.h
+index ee038ce..87eab32 100644
+--- a/include/ucs2.h
++++ b/include/ucs2.h
+@@ -63,22 +63,4 @@ StrCSpn(const CHAR16 *s, const CHAR16 *reject)
+ 	return ret;
+ }
+ 
+-/*
+- * Test if an entire buffer is nothing but NUL characters.  This
+- * implementation "gracefully" ignores the difference between the
+- * UTF-8/ASCII 1-byte NUL and the UCS-2 2-byte NUL.
+- */
+-static inline bool
+-__attribute__((__unused__))
+-is_all_nuls(UINT8 *data, UINTN data_size)
+-{
+-	UINTN i;
+-
+-	for (i = 0; i < data_size; i++) {
+-		if (data[i] != 0)
+-			return false;
+-	}
+-	return true;
+-}
+-
+ #endif /* SHIM_UCS2_H */
+diff --git a/load-options.c b/load-options.c
+index c6bb742..a8c6e1a 100644
+--- a/load-options.c
++++ b/load-options.c
+@@ -404,8 +404,13 @@ parse_load_options(EFI_LOADED_IMAGE *li)
+ 
+ 	/*
+ 	 * Apparently sometimes we get L"\0\0"?  Which isn't useful at all.
++	 *
++	 * Possibly related, but some boards have additional data before the
++	 * size which is garbage (it's a weird path to the directory
++	 * containing the loaders).  Known boards that do this: Kontron VX3040
++	 * (AMI), ASUS B85M-E, and at least one "older Dell laptop".
+ 	 */
+-	if (is_all_nuls(li->LoadOptions, li->LoadOptionsSize))
++	if (((CHAR16 *)li->LoadOptions)[0] == 0)
+ 		return EFI_SUCCESS;
+ 
+ 	/*
+-- 
+2.35.3
+
+
+From 5c537b3d0cf8c393dad2e61d49aade68f3af1401 Mon Sep 17 00:00:00 2001
+From: dann frazier <dann.frazier@canonical.com>
+Date: Tue, 6 Sep 2022 09:28:22 -0600
+Subject: [PATCH 06/12] shim: Flush the memory region from i-cache before
+ execution
+
+We've seen crashes in early GRUB code on an ARM Cortex-A72-based
+platform that point at seemingly harmless instructions. Flushing
+the i-cache of those instructions prior to executing has been
+shown to avoid the problem, which has parallels with this story:
+  https://www.mail-archive.com/osv-dev@googlegroups.com/msg06203.html
+
+Add a cache flushing utility function and provide an implementation
+using a GCC intrinsic. This will need to be extended to support other
+compilers. Note that this intrinsic is a no-op for x86 platforms.
+
+This fixes issue #498.
+
+Signed-off-by: dann frazier <dann.frazier@canonical.com>
+---
+ include/compiler.h | 6 ++++++
+ pe.c               | 3 +++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/include/compiler.h b/include/compiler.h
+index b4bf103..b0d595f 100644
+--- a/include/compiler.h
++++ b/include/compiler.h
+@@ -192,5 +192,11 @@
+  */
+ #define unreachable() __builtin_unreachable()
+ 
++#if defined(__GNUC__)
++#define cache_invalidate(begin, end)  __builtin___clear_cache(begin, end)
++#else /* __GNUC__ */
++#error shim has no cache_invalidate() implementation for this compiler
++#endif /* __GNUC__ */
++
+ #endif /* !COMPILER_H_ */
+ // vim:fenc=utf-8:tw=75:et
+diff --git a/pe.c b/pe.c
+index ba3e2bb..f94530a 100644
+--- a/pe.c
++++ b/pe.c
+@@ -1196,6 +1196,9 @@ handle_image (void *data, unsigned int datasize,
+ 
+ 	CopyMem(buffer, data, context.SizeOfHeaders);
+ 
++	/* Flush the instruction cache for the region holding the image */
++	cache_invalidate(buffer, buffer + context.ImageSize);
++
+ 	*entry_point = ImageAddress(buffer, context.ImageSize, context.EntryPoint);
+ 	if (!*entry_point) {
+ 		perror(L"Entry point is invalid\n");
+-- 
+2.35.3
+
+
+From 2d4ebb5a798aafd3b06d2c3cb9c9840c1caa41ef Mon Sep 17 00:00:00 2001
+From: Eric Snowberg <eric.snowberg@oracle.com>
+Date: Wed, 2 Nov 2022 10:39:43 -0600
+Subject: [PATCH 07/12] load_cert_file: Fix stack issue
+
+0214cd9cef5a fixes a NULL pointer dereference problem, it introduces two
+new problems.  First it incorrectly assumes li.FilePath is a string.
+Second, it puts EFI_LOADED_IMAGE li on the stack. It has been found
+that not all archectures can handle this being on the stack.
+
+The shim_li variable will be setup properly from the read_image
+call. Use the global shim_li variable instead when calling
+verify_image.
+
+Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
+---
+ shim.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/shim.c b/shim.c
+index 27b74ce..0d919ce 100644
+--- a/shim.c
++++ b/shim.c
+@@ -1395,7 +1395,6 @@ EFI_STATUS
+ load_cert_file(EFI_HANDLE image_handle, CHAR16 *filename, CHAR16 *PathName)
+ {
+ 	EFI_STATUS efi_status;
+-	EFI_LOADED_IMAGE li;
+ 	PE_COFF_LOADER_IMAGE_CONTEXT context;
+ 	EFI_IMAGE_SECTION_HEADER *Section;
+ 	EFI_SIGNATURE_LIST *certlist;
+@@ -1410,10 +1409,7 @@ load_cert_file(EFI_HANDLE image_handle, CHAR16 *filename, CHAR16 *PathName)
+ 	if (EFI_ERROR(efi_status))
+ 		return efi_status;
+ 
+-	memset(&li, 0, sizeof(li));
+-	memcpy(&li.FilePath[0], filename, MIN(StrSize(filename), sizeof(li.FilePath)));
+-
+-	efi_status = verify_image(data, datasize, &li, &context);
++	efi_status = verify_image(data, datasize, shim_li, &context);
+ 	if (EFI_ERROR(efi_status))
+ 		return efi_status;
+ 
+-- 
+2.35.3
+
+
+From ea4911c2f3ce8f8f703a1476febac86bb16b00fd Mon Sep 17 00:00:00 2001
+From: Eric Snowberg <eric.snowberg@oracle.com>
+Date: Wed, 2 Nov 2022 10:45:23 -0600
+Subject: [PATCH 08/12] load_cert_file: Use EFI RT memory function
+
+Use the EFI RT memory function CopyMem instead of memcpy in load_cert_file.
+
+Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
+---
+ shim.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/shim.c b/shim.c
+index 0d919ce..4437898 100644
+--- a/shim.c
++++ b/shim.c
+@@ -1429,8 +1429,8 @@ load_cert_file(EFI_HANDLE image_handle, CHAR16 *filename, CHAR16 *PathName)
+ 			user_cert_size += certlist->SignatureListSize;;
+ 			user_cert = ReallocatePool(user_cert, original,
+ 						   user_cert_size);
+-			memcpy(user_cert + original, pointer,
+-			       certlist->SignatureListSize);
++			CopyMem(user_cert + original, pointer,
++			        certlist->SignatureListSize);
+ 		}
+ 	}
+ 	FreePool(data);
+-- 
+2.35.3
+
+
+From 0cf43ac6d78c6f47f8b91210639ac1aa63665f0b Mon Sep 17 00:00:00 2001
+From: Nicholas Bishop <nicholasbishop@google.com>
+Date: Thu, 6 Oct 2022 16:08:56 -0400
+Subject: [PATCH 09/12] Add -malign-double to IA32 compiler flags
+
+This changes the alignment of UINT64 data to 8 bytes on IA32, which
+matches EDK2's understanding of alignment. In particular this change
+affects the offset where shim writes `EFI_LOADED_IMAGE.ImageSize`.
+
+Fixes https://github.com/rhboot/shim/issues/515
+
+Signed-off-by: Nicholas Bishop <nicholasbishop@google.com>
+---
+ Make.defaults | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Make.defaults b/Make.defaults
+index dfed9c4..c46164a 100644
+--- a/Make.defaults
++++ b/Make.defaults
+@@ -71,7 +71,7 @@ ifeq ($(ARCH),x86_64)
+ endif
+ ifeq ($(ARCH),ia32)
+ 	ARCH_CFLAGS		?= -mno-mmx -mno-sse -mno-red-zone -nostdinc \
+-				   $(CLANG_BUGS) -m32 \
++				   $(CLANG_BUGS) -m32 -malign-double \
+ 				   -DMDE_CPU_IA32 -DPAGE_SIZE=4096
+ 	ARCH_GNUEFI		?= ia32
+ 	ARCH_SUFFIX		?= ia32
+-- 
+2.35.3
+
+
+From aa1b289a1a16774afc3143b8948d97261f0872d0 Mon Sep 17 00:00:00 2001
+From: Arthur Gautier <arthur.gautier@arista.com>
+Date: Fri, 21 Oct 2022 13:20:45 -0700
+Subject: [PATCH 12/12] mok: remove MokListTrusted from PCR 7
+
+MokListTrusted was added by mistake to PCR 7 in 4e513405. The value of
+MokListTrusted does not alter the behavior of secure boot so, as per
+https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf#page=36
+(section 3.3.4 PCR usage) so it should not be factored in the value of
+PCR 7.
+
+See:
+  https://github.com/rhboot/shim/pull/423
+  https://github.com/rhboot/shim/commit/4e513405b4f1641710115780d19dcec130c5208f
+
+Fixes https://github.com/rhboot/shim/issues/484
+Fixes https://github.com/rhboot/shim/issues/492
+
+Signed-off-by: Arthur Gautier <arthur.gautier@arista.com>
+---
+ mok.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/mok.c b/mok.c
+index 63ddfca..9811b35 100644
+--- a/mok.c
++++ b/mok.c
+@@ -178,7 +178,6 @@ struct mok_state_variable mok_state_variable_data[] = {
+ 		     EFI_VARIABLE_NON_VOLATILE,
+ 	 .no_attr = EFI_VARIABLE_RUNTIME_ACCESS,
+ 	 .flags = MOK_MIRROR_DELETE_FIRST |
+-		  MOK_VARIABLE_MEASURE |
+ 		  MOK_VARIABLE_INVERSE |
+ 		  MOK_VARIABLE_LOG,
+ 	 .pcr = 14,
+-- 
+2.35.3
+

shim.changes

@@ -1,3 +1,37 @@
+-------------------------------------------------------------------
+Tue Nov 15 08:06:24 UTC 2022 - Joey Lee <jlee@suse.com>
+
+- Add shim-jscPED-127-upgrade-shim-in-SLE15-SP5.patch for backporting the following
+  patches between 15.6 with aa1b289a1a (jsc#PED-127):
+    aa1b289a1a16774afc3143b8948d97261f0872d0 mok: remove MokListTrusted from PCR 7
+    0cf43ac6d78c6f47f8b91210639ac1aa63665f0b Add -malign-double to IA32 compiler flags
+    ea4911c2f3ce8f8f703a1476febac86bb16b00fd load_cert_file: Use EFI RT memory function
+    2d4ebb5a798aafd3b06d2c3cb9c9840c1caa41ef load_cert_file: Fix stack issue
+    5c537b3d0cf8c393dad2e61d49aade68f3af1401 shim: Flush the memory region from i-cache before execution
+    14d63398298c8de23036a4cf61594108b7345863 Discard load-options that start with a NUL
+    092c2b2bbed950727e41cf450b61c794881c33e7 Reference MokListRT instead of MokList
+    0eb07e11b20680200d3ce9c5bc59299121a75388 Make SBAT variable payload introspectable
+
+-------------------------------------------------------------------
+Tue Nov 15 08:06:05 UTC 2022 - Joey Lee <jlee@suse.com>
+
+- Add shim-Enable-TDX-measurement-to-RTMR-register.patch to support
+  enhance shim measurement to TD RTMR. (jsc#PED-1273) 
+
+-------------------------------------------------------------------
+Tue Nov 15 07:53:59 UTC 2022 - Joey Lee <jlee@suse.com>
+
+- For pushing openSUSE:Factory/shim to SLE15-SP5, sync the shim.spec
+  and shim.changes: (jsc#PED-127)
+    - Add some change log from SLE shim.changes to Factory shim.changes
+      Those messages are added "(sync shim.changes from SLE)" tag.
+    - Add the following changes to shim.spec
+	- only apply Patch100, the shim-bsc1198101-opensuse-cert-prompt.patch
+          on openSUSE.
+	- Enable the AArch64 signature check for SLE:
+		# AArch64 signature
+		signature=%{SOURCE13} 
+
 -------------------------------------------------------------------
 Thu Sep 29 02:42:35 UTC 2022 - Michael Chang <mchang@suse.com>
 
@@ -192,6 +226,11 @@ Tue Apr 12 06:35:16 UTC 2022 - Ludwig Nussel <lnussel@suse.de>
 
 - use common SBAT values (boo#1193282)
 
+-------------------------------------------------------------------
+Thu Jul 15 08:13:26 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Update the SLE signatures (sync shim.changes from SLE)
+
 -------------------------------------------------------------------
 Thu Jul  1 04:07:03 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
 
@@ -201,6 +240,40 @@ Thu Jul  1 04:07:03 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
 -------------------------------------------------------------------
 Mon Jun 21 08:51:37 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
 
+(sync shim.changes from SLE)
+- Split the keys in vendor-dbx.bin to vendor-dbx-sles and
+  vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce
+  the size of MokListXRT (bsc#1185261)
+  + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz
+- Add shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch
+  to handle ignore_db and user_insecure_mode correctly
+  (bsc#1185441, bsc#1187071)
+- Add shim-bsc1185621-relax-max-var-sz-check.patch to relax the
+  maximum variable size check for u-boot (bsc#1185621)
+  + Also drop AArch64 suse-signed shim since we merged this patch
+- Add shim-bsc1185261-relax-import_mok_state-check.patch to relax
+  the check for import_mok_state() when Secure Boot is off.
+  (bsc#1185261)
+- Add shim-bsc1185232-relax-loadoptions-length-check.patch to
+  ignore the odd LoadOptions length (bsc#1185232)
+- shim-install: reset def_shim_efi to "shim.efi" if the given
+  file doesn't exist
+- Add shim-fix-aa64-relsz.patch to fix the size of rela sections
+  for AArch64
+  Fix: https://github.com/rhboot/shim/issues/371
+- Add shim-disable-export-vendor-dbx.patch to disable exporting
+  vendor-dbx to MokListXRT since writing a large RT variable
+  could crash some machines (bsc#1185261)
+- Add shim-bsc1187260-fix-efi-1.10-machines.patch to avoid the
+  potential crash when calling QueryVariableInfo in EFI 1.10
+  machines (bsc#1187260)
+- Add shim-bsc1185232-fix-config-table-copying.patch to avoid
+  buffer overflow when copying data to the MOK config table
+  (bsc#1185232)
+
+-------------------------------------------------------------------
+Mon Jun 21 08:51:37 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
+
 - Add shim-bsc1185232-fix-config-table-copying.patch to avoid
   buffer overflow when copying data to the MOK config table
   (bsc#1185232)
@@ -255,6 +328,12 @@ Fri May  7 08:33:49 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
 - shim-install: always assume "removable" for Azure to avoid the
   endless reset loop (bsc#1185464)
 
+-------------------------------------------------------------------
+Thu May  6 06:45:39 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Include suse-signed shim for AArch64 (bsc#1185621)
+  (sync shim.changes from SLE)
+
 -------------------------------------------------------------------
 Thu May  6 03:18:32 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
 
@@ -276,6 +355,16 @@ Wed Apr 28 09:28:30 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
   the size of MokListXRT (bsc#1185261) 
   + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz
 
+-------------------------------------------------------------------
+Thu Apr 22 03:26:48 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Enable the AArch64 signature check for SLE (sync shim.changes from SLE)
+
+-------------------------------------------------------------------
+Wed Apr 21 05:44:35 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Update the SLE signatures (sync shim.changes from SLE)
+
 -------------------------------------------------------------------
 Thu Apr  8 08:44:27 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
 

shim.spec

@@ -77,6 +77,10 @@ Patch4:         shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch
 Patch5:         remove_build_id.patch
 # PATCH-FIX-SUSE shim-disable-export-vendor-dbx.patch bsc#1185261 glin@suse.com -- Disable exporting vendor-dbx to MokListXRT
 Patch6:         shim-disable-export-vendor-dbx.patch
+# PATCH-FIX-UPSTREAM shim-Enable-TDX-measurement-to-RTMR-register.patch jsc#PED-1273 jlee@suse.com -- Impl: [TDX Guest] TDX: Enhance shim measurement to TD RTMR
+Patch7:		shim-Enable-TDX-measurement-to-RTMR-register.patch
+# PATCH-FIX-UPSTREAM shim-jscPED-127-upgrade-shim-in-SLE15-SP5.patch jsc#PED-127 jlee@suse.com -- Impl: Upgrade shim in SLE 15-SP5 and openSUSE TW for some issues
+Patch8:		shim-jscPED-127-upgrade-shim-in-SLE15-SP5.patch
 # PATCH-FIX-OPENSUSE shim-bsc1198101-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
 Patch100:	shim-bsc1198101-opensuse-cert-prompt.patch
 BuildRequires:  dos2unix
@@ -124,7 +128,11 @@ The source code of UEFI shim loader
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%if 0%{?is_opensuse} == 1 || 0%{?sle_version} == 0
 %patch100 -p1
+%endif
 
 %build
 # generate the vendor SBAT metadata
@@ -189,9 +197,7 @@ for suffix in "${suffixes[@]}"; do
 	signature=%{SOURCE11}
 %else
 	# AArch64 signature
-	# Disable AArch64 signature attachment temporarily
-	# until we get a real one.
-	#signature=%{SOURCE13}
+	signature=%{SOURCE13}
 %endif
     elif test "$suffix" = "devel"; then
 	cert=%{_sourcedir}/_projectcert.crt