From fa8f2b475d1bc441a01c6c122822fe505cb274e18d4646380d0ec853263b7157 Mon Sep 17 00:00:00 2001
From: Stephan Kulow
Date: Tue, 29 Apr 2014 07:15:01 +0000
Subject: [PATCH] osc copypac from project:devel:openSUSE:Factory package:shim revision:71

OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=73
---
SLES-UEFI-CA-Certificate.crt | 52 +-
attach_signature.sh | 11 +-
extract_signature.sh | 13 +-
...-allow-fallback-use-system-loadimage.patch | 240 +++++++
...bnc863205-mokmanager-fix-hash-delete.patch | 86 +++
shim-fallback-avoid-duplicate-bootorder.patch | 177 +++++
shim-fallback-improve-entries-creation.patch | 365 ++++++++++
shim-fix-uninitialized-variable.patch | 60 ++
shim-get-variable-check.patch | 27 +
shim-install | 87 ++-
shim-mokmanager-delete-bs-var-right.patch | 69 ++
shim-mokmanager-support-sha-family.patch | 627 ++++++++++++++++++
shim-mokx-support.patch | 101 ++-
shim-only-os-name.patch | 13 +
shim-opensuse-cert-prompt.patch | 390 +++++++++++
shim.changes | 110 +++
shim.spec | 90 ++-
show_hash.sh | 11 +-
show_signatures.sh | 11 +-
microsoft.asc => signature-opensuse.asc | 0
signature-sles.asc | 188 ++++++
strip_signature.sh | 11 +-
22 files changed, 2597 insertions(+), 142 deletions(-)
create mode 100644 shim-allow-fallback-use-system-loadimage.patch
create mode 100644 shim-bnc863205-mokmanager-fix-hash-delete.patch
create mode 100644 shim-fallback-avoid-duplicate-bootorder.patch
create mode 100644 shim-fallback-improve-entries-creation.patch
create mode 100644 shim-fix-uninitialized-variable.patch
create mode 100644 shim-get-variable-check.patch
create mode 100644 shim-mokmanager-delete-bs-var-right.patch
create mode 100644 shim-mokmanager-support-sha-family.patch
create mode 100644 shim-only-os-name.patch
create mode 100644 shim-opensuse-cert-prompt.patch
rename microsoft.asc => signature-opensuse.asc (100%)
create mode 100644 signature-sles.asc
diff --git a/SLES-UEFI-CA-Certificate.crt b/SLES-UEFI-CA-Certificate.crt
index 56f3fce..480fa09 100644
--- a/SLES-UEFI-CA-Certificate.crt
+++ b/SLES-UEFI-CA-Certificate.crt
@@ -1,39 +1,29 @@ -----BEGIN CERTIFICATE----- -MIIG5TCCBM2gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT +MIIE5TCCA82gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT RSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTES MBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3Rz IEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxk -QHN1c2UuZGUwHhcNMTMwMTIyMTQyMDA4WhcNMzQxMjE4MTQyMDA4WjCBpjEtMCsG +QHN1c2UuZGUwHhcNMTMwNDE4MTQzMzQxWhcNMzUwMzE0MTQzMzQxWjCBpjEtMCsG A1UEAwwkU1VTRSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYD VQQGEwJERTESMBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4 IFByb2R1Y3RzIEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0B -CQEWDWJ1aWxkQHN1c2UuZGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC -AQCrLYL1Uq02iIgro6x6PFESFDtUKU7xO/bJanI7+AQAroowFuLBI67BBSmoq3hR -QnH3OtQusGV8y+wvjaaunppvWMfjViZ88zssj5fKXrDr5U6BB566DJgHreWaEs2d -FD13XpKRr3Nk9zdjAJu5YsR7hI1NMXsnj1X8w71OY9HLjv+Kq9917PJwZQjOGnAJ -BQTi0ogHuLiwDqMKgg5rrYD4cJDPzoLEmEXnwHDIOSiWdD0bCzhN6GQDKldIxQ2O -d/mjUgzB+dWslIb+bUKaoJgDtyPV20W74t7Y2uwoaEVr9QkPoM3tOPttf4qsWo8B -J1TgeoF01ZeKcvSyvOXCKbfAN9sqURK2ZUTNThqZ//VPQmJP6fByrMJsbvTOSsQt -HI+fFPrg1DC2KT8SzuGtWDRscHZ7MofvUKEQolVgkGwp8u68t/RAAwDpUdqIajzi -yfp9qSDD+9uMeyiLa4rrAr2ATGohNBa0qha95slgvSepXbYKuHG5b4fWMsG7z4Uc -dqE2vK8cQma1nsAeQBaq2/89294TOHEzKyspesfCBCnKQ3q+l9xelYRdvapj1CH/ -cfUZf2/6X3VHN1P88RfRrPubswmrcOCEBT41upa2WKRDJ1GS6YhL6LJnrZSTjfe+ -KsfNVS1D+KqSKiK0hfk6YK6O88mMGeAKQs3Ap8WthBLf0QIDAQABo4IBGjCCARYw -DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUPU1Az5OFOQJLHPxaEt7f6LF+dV8w -gdMGA1UdIwSByzCByIAUPU1Az5OFOQJLHPxaEt7f6LF+dV+hgaykgakwgaYxLTAr -BgNVBAMMJFNVU0UgTGludXggRW50ZXJwcmlzZSBTZWN1cmUgQm9vdCBDQTELMAkG -A1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UECgwYU1VTRSBMaW51 -eCBQcm9kdWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFtMRwwGgYJKoZIhvcN -AQkBFg1idWlsZEBzdXNlLmRlggEBMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0B -AQsFAAOCAgEANtdMT47CjQtuERYa5jfygIO5F+urB4fl8pYcQQ/hTPE0KtAnAtrS 
-1strtMrVQ1t7Wu3fVbWYA6MZMXXkcwyyNbaWfj6roaSC6G5ZqCJ69oSyzaCbyaTI -eOgzIIiVGOAj7tiM6T88Xp9qx4Xa3F6UQHF6xfwBT3nNKerGKOG01p7mBfBewwO5 -Hxp7OAZmennUxV1uuT5/AsArxw9lMlawXhIAS7tRYHW+32D4tjHPDycldOw1hBjt -z5JdehBiTmxhJ6onl0HSpsX84IMSbkeFIxLfxIF0TNas1pGnSGmh8FcV+ck9js3P -yamJcNkgCstIwo3QZ2D5YdtQjOusyEuGjCIpDIQx36OMzeOo0SayOdzb2dSmcrHv -4DIkXDUELyIzu79A2R2KR7OQaGL6HGAVy6+yXHHygTbbUrb6ck2+aOG8913ChABc -ZAiSFFRKVZzzj7FeIxZNA8GBUbhd20eQB2fUXDypeAnTG6P3dtTs84xNb1qGm3VC -OAKjkWYQijLWmAOs9Q4NM/AXOeDTgXxA7iX7kWHRNeDbACirp7zM2ZOIP5ObIS6z -yMqcG9DecSVbXiH3MJDTBoB1idQTTyreqpM/l6N8xNNVjEiLJGMEM1SeYq6S1lFV -a+GcdOaLYkh7ya3I42l/tDOqH2OLIf7FEtocnc1xU6jTz8au1tZxec8= +CQEWDWJ1aWxkQHN1c2UuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQDN/avXKoT4gcM2NVA1LMfsBPH01sxgS8gTs3SbvfbEP2M+ZlHyfj9ufHZ7cZ1p +ISoVm6ql5VbIeZgSNc17Y4y4Nynud1C8t2SP/iZK5YMYHGxdtIfv1zPE+Bo/KZqE +WgHg2YFtMXdiKfXBZRTfSh37t0pGO/OQi6K4JioKw55UtQNggePZWDXtsAviT2vv +abqLR9+kxdrQ0iWqhWM+LwXbTGkCpg41s8KucLD/JYAxxw05dKPApFDNnz+Ft2L7 +e5JtyB4S0u4PlvQBMNHt4hDs0rK4oeHFLbOxHvjF+nloneWhkg9eT0VCfpAYVYz+ +whMxuCHerDCdmeFrRGEMQz11AgMBAAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/ +MB0GA1UdDgQWBBTsqw1CxFbPdwQ2uXOZOGKWXocmLzCB0wYDVR0jBIHLMIHIgBTs +qw1CxFbPdwQ2uXOZOGKWXocmL6GBrKSBqTCBpjEtMCsGA1UEAwwkU1VTRSBMaW51 +eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTESMBAGA1UE +BwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3RzIEdtYkgx +EzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxkQHN1c2Uu +ZGWCAQEwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQASviyFhVqU +Wc1JUQgXwdljJynTnp0/FQOZJBSe7XdBGPmy91+3ITqrXgyqo/218KISiQl53Qlw +pq+cIiGRAia1D7p7wbg7wsg+Trt0zZFXes30wfYq5pjfWadEBAgNCffkBz10TSjL +jQrVwW5N+yUJMoq+r843TzV56Huy6LBOVhI5yTz7X7i2rSJYfyQWM8oeHLj8Yl5M +rOB9gyTumxB4mOLmSqwKzJiUB0ppGPohdLUSSEKDdo6KSH/GjR7M7uBicwnzwJD3 +SVfT9nx9HKF2nXZlHvs5ViQQru3qP1tc6i0eXEnPTYW2+zkZcN0e5iHyozEZHsO0 +rvc1p6G0YWtO -----END CERTIFICATE----- diff --git a/attach_signature.sh b/attach_signature.sh index 9492186..689a7e4 100644 --- a/attach_signature.sh 
+++ b/attach_signature.sh @@ -11,13 +11,4 @@ fi outfile="${infile%.efi}-signed.efi" -nssdir=`mktemp -d` -cleanup() -{ - rm -r "$nssdir" -} -trap cleanup EXIT -echo > "$nssdir/pw" -certutil -f "$nssdir/pw" -d "$nssdir" -N - -pesign -n "$nssdir" -m "$sig" -i "$infile" -o "$outfile" +pesign -m "$sig" -i "$infile" -o "$outfile" diff --git a/extract_signature.sh b/extract_signature.sh index e92e8a6..0a989e5 100644 --- a/extract_signature.sh +++ b/extract_signature.sh @@ -9,16 +9,7 @@ if [ -z "$infile" -o ! -e "$infile" ]; then exit 1 fi -nssdir=`mktemp -d` -cleanup() -{ - rm -r "$nssdir" -} -trap cleanup EXIT -echo > "$nssdir/pw" -certutil -f "$nssdir/pw" -d "$nssdir" -N - # wtf? -(pesign -n "$nssdir" -h -P -i "$infile"; +(pesign -h -P -i "$infile"; perl $(dirname $0)/timestamp.pl "$infile"; -pesign -n "$nssdir" -a -f -e /dev/stdout -i "$infile")|cat +pesign -a -f -e /dev/stdout -i "$infile")|cat diff --git a/shim-allow-fallback-use-system-loadimage.patch b/shim-allow-fallback-use-system-loadimage.patch new file mode 100644 index 0000000..c54b068 --- /dev/null +++ b/shim-allow-fallback-use-system-loadimage.patch 
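Review bot: With `-n "$nssdir"` removed, the `pesign` calls in attach_signature.sh and extract_signature.sh fall back to pesign's default certificate database instead of an empty throwaway one, so the scripts now depend on the state and readability of that system directory. A one-line comment above each call would record the assumption, e.g. `# no -n: uses pesign's default certificate database; nothing here needs a key`. Whether the installed pesign accepts a missing or uninitialised default database for these operations cannot be confirmed from the hunks, so a clean build host is worth testing.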
@@ -0,0 +1,240 @@ +From 06495f692fa748a553ffbde8bfae2974d8c791c0 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Fri, 14 Feb 2014 15:38:25 -0500 +Subject: [PATCH] Allow fallback to use the system's LoadImage/StartImage . + +Track use of the system's LoadImage(), and when the next StartImage() +call is for an image the system verified, allow that to count as +participating, since it has been verified by the system's db. + +Signed-off-by: Peter Jones +--- + replacements.c | 68 ++++++++++++++++++++++++++++++++++++++++++++- + replacements.h | 3 ++ + shim.c | 85 ++++++++++++++++++++++++++++++++++----------------------- + 3 files changed, 121 insertions(+), 35 deletions(-) + +--- a/replacements.c ++++ b/replacements.c +@@ -60,26 +60,82 @@ + + static EFI_SYSTEM_TABLE *systab; + ++static typeof(systab->BootServices->LoadImage) system_load_image; + static typeof(systab->BootServices->StartImage) system_start_image; + static typeof(systab->BootServices->Exit) system_exit; + static typeof(systab->BootServices->ExitBootServices) system_exit_boot_services; + ++static EFI_HANDLE last_loaded_image; ++ + void + unhook_system_services(void) + { + systab->BootServices->Exit = system_exit; ++ systab->BootServices->LoadImage = system_load_image; + systab->BootServices->StartImage = system_start_image; + systab->BootServices->ExitBootServices = system_exit_boot_services; + } + + static EFI_STATUS EFIAPI ++load_image(BOOLEAN BootPolicy, EFI_HANDLE ParentImageHandle, ++ EFI_DEVICE_PATH *DevicePath, VOID *SourceBuffer, ++ UINTN SourceSize, EFI_HANDLE *ImageHandle) ++{ ++ EFI_STATUS status; ++ unhook_system_services(); ++ ++ status = systab->BootServices->LoadImage(BootPolicy, ++ ParentImageHandle, DevicePath, ++ SourceBuffer, SourceSize, ImageHandle); ++ hook_system_services(systab); ++ if (EFI_ERROR(status)) ++ last_loaded_image = NULL; ++ else ++ last_loaded_image = *ImageHandle; ++ return status; ++} ++ ++static EFI_STATUS EFIAPI + start_image(EFI_HANDLE image_handle, UINTN 
*exit_data_size, CHAR16 **exit_data) + { + EFI_STATUS status; + unhook_system_services(); ++ ++ /* We have to uninstall shim's protocol here, because if we're ++ * On the fallback.efi path, then our call pathway is: ++ * ++ * shim->fallback->shim->grub ++ * ^ ^ ^ ++ * | | \- gets protocol #0 ++ * | \- installs its protocol (#1) ++ * \- installs its protocol (#0) ++ * and if we haven't removed this, then grub will get the *first* ++ * shim's protocol, but it'll get the second shim's systab ++ * replacements. So even though it will participate and verify ++ * the kernel, the systab never finds out. ++ */ ++ if (image_handle == last_loaded_image) { ++ loader_is_participating = 1; ++ uninstall_shim_protocols(); ++ } + status = systab->BootServices->StartImage(image_handle, exit_data_size, exit_data); +- if (EFI_ERROR(status)) ++ if (EFI_ERROR(status)) { ++ if (image_handle == last_loaded_image) { ++ EFI_STATUS status2 = install_shim_protocols(); ++ ++ if (EFI_ERROR(status2)) { ++ Print(L"Something has gone seriously wrong: %d\n", ++ status2); ++ Print(L"shim cannot continue, sorry.\n"); ++ systab->BootServices->Stall(5000000); ++ systab->RuntimeServices->ResetSystem( ++ EfiResetShutdown, ++ EFI_SECURITY_VIOLATION, 0, NULL); ++ } ++ } + hook_system_services(systab); ++ loader_is_participating = 0; ++ } + return status; + } + +@@ -123,6 +179,16 @@ hook_system_services(EFI_SYSTEM_TABLE *l + + /* We need to hook various calls to make this work... */ + ++ /* We need LoadImage() hooked so that fallback.c can load shim ++ * without having to fake LoadImage as well. This allows it ++ * to call the system LoadImage(), and have us track the output ++ * and mark loader_is_participating in start_image. This means ++ * anything added by fallback has to be verified by the system db, ++ * which we want to preserve anyway, since that's all launching ++ * through BDS gives us. 
*/ ++ system_load_image = systab->BootServices->LoadImage; ++ systab->BootServices->LoadImage = load_image; ++ + /* we need StartImage() so that we can allow chain booting to an + * image trusted by the firmware */ + system_start_image = systab->BootServices->StartImage; +--- a/replacements.h ++++ b/replacements.h +@@ -41,4 +41,7 @@ extern int loader_is_participating; + extern void hook_system_services(EFI_SYSTEM_TABLE *local_systab); + extern void unhook_system_services(void); + ++extern EFI_STATUS install_shim_protocols(void); ++extern void uninstall_shim_protocols(void); ++ + #endif /* SHIM_REPLACEMENTS_H */ +--- a/shim.c ++++ b/shim.c +@@ -1719,11 +1719,56 @@ EFI_STATUS set_second_stage (EFI_HANDLE + return EFI_SUCCESS; + } + +-EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) ++static SHIM_LOCK shim_lock_interface; ++static EFI_HANDLE shim_lock_handle; ++ ++EFI_STATUS ++install_shim_protocols(void) ++{ ++ EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; ++ EFI_STATUS efi_status; ++ /* ++ * Install the protocol ++ */ ++ efi_status = uefi_call_wrapper(BS->InstallProtocolInterface, 4, ++ &shim_lock_handle, &shim_lock_guid, ++ EFI_NATIVE_INTERFACE, &shim_lock_interface); ++ if (EFI_ERROR(efi_status)) { ++ console_error(L"Could not install security protocol", ++ efi_status); ++ return efi_status; ++ } ++ ++#if defined(OVERRIDE_SECURITY_POLICY) ++ /* ++ * Install the security protocol hook ++ */ ++ security_policy_install(shim_verify); ++#endif ++ ++ return EFI_SUCCESS; ++} ++ ++void ++uninstall_shim_protocols(void) + { + EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; +- static SHIM_LOCK shim_lock_interface; +- EFI_HANDLE handle = NULL; ++#if defined(OVERRIDE_SECURITY_POLICY) ++ /* ++ * Clean up the security protocol hook ++ */ ++ security_policy_uninstall(); ++#endif ++ ++ /* ++ * If we're back here then clean everything up before exiting ++ */ ++ uefi_call_wrapper(BS->UninstallProtocolInterface, 3, shim_lock_handle, ++ &shim_lock_guid, 
&shim_lock_interface); ++} ++ ++EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) ++{ + EFI_STATUS efi_status; + + verification_method = VERIFIED_BY_NOTHING; +@@ -1776,24 +1821,9 @@ EFI_STATUS efi_main (EFI_HANDLE image_ha + loader_is_participating = 0; + } + +- /* +- * Install the protocol +- */ +- efi_status = uefi_call_wrapper(BS->InstallProtocolInterface, 4, +- &handle, &shim_lock_guid, EFI_NATIVE_INTERFACE, +- &shim_lock_interface); +- if (EFI_ERROR(efi_status)) { +- console_error(L"Could not install security protocol", +- efi_status); ++ efi_status = install_shim_protocols(); ++ if (EFI_ERROR(efi_status)) + return efi_status; +- } +- +-#if defined(OVERRIDE_SECURITY_POLICY) +- /* +- * Install the security protocol hook +- */ +- security_policy_install(shim_verify); +-#endif + + /* + * Enter MokManager if necessary +@@ -1820,20 +1850,7 @@ EFI_STATUS efi_main (EFI_HANDLE image_ha + + efi_status = init_grub(image_handle); + +-#if defined(OVERRIDE_SECURITY_POLICY) +- /* +- * Clean up the security protocol hook +- */ +- security_policy_uninstall(); +-#endif +- +- /* +- * If we're back here then clean everything up before exiting +- */ +- uefi_call_wrapper(BS->UninstallProtocolInterface, 3, handle, +- &shim_lock_guid, &shim_lock_interface); +- +- ++ uninstall_shim_protocols(); + /* + * Remove our hooks from system services. + */ diff --git a/shim-bnc863205-mokmanager-fix-hash-delete.patch b/shim-bnc863205-mokmanager-fix-hash-delete.patch new file mode 100644 index 0000000..c476741 --- /dev/null +++ b/shim-bnc863205-mokmanager-fix-hash-delete.patch 
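Review bot: `uninstall_shim_protocols()` leaves the now file-scope `shim_lock_handle` holding the handle it just removed the protocol from, and the new error path in `start_image()` then calls `install_shim_protocols()` with that stale value. The UEFI specification frees a handle once its last protocol interface is uninstalled, so `InstallProtocolInterface` may reject it and the code would fall into the "shim cannot continue" reset; adding `shim_lock_handle = NULL;` after the `UninstallProtocolInterface` call avoids that. Separately, `last_loaded_image` is never cleared after it has been started, so the `image_handle == last_loaded_image` test, which sets `loader_is_participating = 1` on the strength of the firmware's check alone, could in principle match a later handle; resetting it to NULL once consumed would narrow that window.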
@@ -0,0 +1,86 @@ +From 23cdee7b62fc62cd988d74b2180014595da9e4c5 Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Thu, 13 Feb 2014 15:05:45 +0800 +Subject: [PATCH 1/2] MokManager: calculate the variable size correctly + +MokSize of the hash signature list includes the owner GUID, +so we should not add the 16bytes compensation. + +Signed-off-by: Gary Ching-Pang Lin +--- + MokManager.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/MokManager.c b/MokManager.c +index e79a8e0..e0cc143 100644 +--- a/MokManager.c ++++ b/MokManager.c +@@ -934,7 +934,9 @@ static EFI_STATUS write_back_mok_list (MokListNode *list, INTN key_num, + if (list[i].Mok == NULL) + continue; + +- DataSize += sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID); ++ DataSize += sizeof(EFI_SIGNATURE_LIST); ++ if (CompareGuid(&(list[i].Type), &CertType) == 0) ++ DataSize += sizeof(EFI_GUID); + DataSize += list[i].MokSize; + } + +-- +1.8.4.5 + + +From 6b70c15cd8a83e0e62088bc4f2f8e84e818d2b73 Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Mon, 17 Feb 2014 17:49:55 +0800 +Subject: [PATCH 2/2] MokManager: fix the hash list counting in delete + +match_hash() requests the number of keys in a list and it was +mistakenly replaced with the size of the Mok node. This would +made MokManager to remove the whole Mok node instead of one +hash. 
+ +Signed-off-by: Gary Ching-Pang Lin +--- + MokManager.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/MokManager.c b/MokManager.c +index e0cc143..5af5ce6 100644 +--- a/MokManager.c ++++ b/MokManager.c +@@ -1042,6 +1042,7 @@ static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size, + { + EFI_GUID HashType = EFI_CERT_SHA256_GUID; + UINT32 sig_size; ++ UINT32 list_num; + int i, del_ind; + void *start, *end; + UINT32 remain; +@@ -1053,8 +1054,10 @@ static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size, + (mok[i].MokSize < sig_size)) + continue; + ++ list_num = mok[i].MokSize / sig_size; ++ + del_ind = match_hash(hash, hash_size, 0, mok[i].Mok, +- mok[i].MokSize); ++ list_num); + while (del_ind >= 0) { + /* Remove the hash */ + if (sig_size == mok[i].MokSize) { +@@ -1069,9 +1072,10 @@ static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size, + + mem_move(start, end, remain); + mok[i].MokSize -= sig_size; ++ list_num--; + + del_ind = match_hash(hash, hash_size, del_ind, +- mok[i].Mok, mok[i].MokSize); ++ mok[i].Mok, list_num); + } + } + } +-- +1.8.4.5 + diff --git a/shim-fallback-avoid-duplicate-bootorder.patch b/shim-fallback-avoid-duplicate-bootorder.patch new file mode 100644 index 0000000..6dad135 --- /dev/null +++ b/shim-fallback-avoid-duplicate-bootorder.patch 
@@ -0,0 +1,177 @@ +From 99858938a08dbdd892cc5438ec49b4262077017d Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Thu, 6 Mar 2014 11:58:36 +0800 +Subject: [PATCH 1/3] [fallback] Avoid duplicate old BootOrder + +set_boot_order() already copies the old BootOrder to the variable, +bootorder. Besides, we can adjust BootOrder when adding the newly +generated boot option. So, we don't have to copy the old one again +in update_boot_order(). This avoid the duplicate entries in BootOrder. + +Signed-off-by: Gary Ching-Pang Lin +--- + fallback.c | 39 +++++++++++++-------------------------- + 1 file changed, 13 insertions(+), 26 deletions(-) + +diff --git a/fallback.c b/fallback.c +index 44638ec..8aee618 100644 +--- a/fallback.c ++++ b/fallback.c +@@ -204,12 +204,12 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp, + return EFI_OUT_OF_RESOURCES; + + int j = 0; ++ newbootorder[0] = i & 0xffff; + if (nbootorder) { +- for (j = 0; j < nbootorder; j++) +- newbootorder[j] = bootorder[j]; ++ for (j = 1; j < nbootorder + 1; j++) ++ newbootorder[j] = bootorder[j-1]; + FreePool(bootorder); + } +- newbootorder[j] = i & 0xffff; + bootorder = newbootorder; + nbootorder += 1; + #ifdef DEBUG_FALLBACK +@@ -307,28 +307,17 @@ set_boot_order(void) + EFI_STATUS + update_boot_order(void) + { +- CHAR16 *oldbootorder; + UINTN size; ++ UINTN len = 0; + EFI_GUID global = EFI_GLOBAL_VARIABLE; + CHAR16 *newbootorder = NULL; ++ EFI_STATUS rc; + +- oldbootorder = LibGetVariableAndSize(L"BootOrder", &global, &size); +- if (oldbootorder) { +- int n = size / sizeof (CHAR16) + nbootorder; +- +- newbootorder = AllocateZeroPool(n * sizeof (CHAR16)); +- if (!newbootorder) +- return EFI_OUT_OF_RESOURCES; +- CopyMem(newbootorder, bootorder, nbootorder * sizeof (CHAR16)); +- CopyMem(newbootorder + nbootorder, oldbootorder, size); +- size = n * sizeof (CHAR16); +- } else { +- size = nbootorder * sizeof(CHAR16); +- newbootorder = AllocateZeroPool(size); +- if (!newbootorder) +- return 
EFI_OUT_OF_RESOURCES; +- CopyMem(newbootorder, bootorder, size); +- } ++ size = nbootorder * sizeof(CHAR16); ++ newbootorder = AllocateZeroPool(size); ++ if (!newbootorder) ++ return EFI_OUT_OF_RESOURCES; ++ CopyMem(newbootorder, bootorder, size); + + #ifdef DEBUG_FALLBACK + Print(L"nbootorder: %d\nBootOrder: ", size / sizeof (CHAR16)); +@@ -337,13 +326,11 @@ update_boot_order(void) + Print(L"%04x ", newbootorder[j]); + Print(L"\n"); + #endif +- +- if (oldbootorder) { ++ rc = uefi_call_wrapper(RT->GetVariable, 5, L"BootOrder", &global, ++ NULL, &len, NULL); ++ if (rc == EFI_BUFFER_TOO_SMALL) + LibDeleteVariable(L"BootOrder", &global); +- FreePool(oldbootorder); +- } + +- EFI_STATUS rc; + rc = uefi_call_wrapper(RT->SetVariable, 5, L"BootOrder", &global, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS | +-- +1.8.4.5 + + +From 80c15a7e90d8f51b09211994895a64ec5e4f5c1e Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Thu, 6 Mar 2014 10:57:02 +0800 +Subject: [PATCH 2/3] [fallback] Fix the data size for boot option comparison + +Signed-off-by: Gary Ching-Pang Lin +--- + fallback.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fallback.c b/fallback.c +index 8aee618..156115f 100644 +--- a/fallback.c ++++ b/fallback.c +@@ -231,7 +231,7 @@ find_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label, + { + int size = sizeof(UINT32) + sizeof (UINT16) + + StrLen(label)*2 + 2 + DevicePathSize(dp) + +- StrLen(arguments) * 2 + 2; ++ StrLen(arguments) * 2; + + CHAR8 *data = AllocateZeroPool(size); + if (!data) +-- +1.8.4.5 + + +From 70ffe93b85380a9866ebf3a99b35dde0b332cd65 Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Wed, 5 Mar 2014 18:14:09 +0800 +Subject: [PATCH 3/3] [fallback] Try to boot the first boot option anyway + +Some UEFI implementations never care the boot options, so the +restored boot options could be just ignored and this results in +endless reboot. 
+To avoid this situation, this commit makes fallback.efi to +load the first matched boot option even if there is not boot +option to be restored. + +Signed-off-by: Gary Ching-Pang Lin +--- + fallback.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/fallback.c b/fallback.c +index 156115f..777e708 100644 +--- a/fallback.c ++++ b/fallback.c +@@ -226,8 +226,9 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp, + } + + EFI_STATUS +-find_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label, +- CHAR16 *arguments, UINT16 *optnum) ++find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp, ++ CHAR16 *filename, CHAR16 *label, CHAR16 *arguments, ++ UINT16 *optnum) + { + int size = sizeof(UINT32) + sizeof (UINT16) + + StrLen(label)*2 + 2 + DevicePathSize(dp) + +@@ -278,6 +279,12 @@ find_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label, + continue; + + /* at this point, we have duplicate data. */ ++ if (!first_new_option) { ++ first_new_option = DuplicateDevicePath(fulldp); ++ first_new_option_args = arguments; ++ first_new_option_size = StrLen(arguments) * sizeof (CHAR16); ++ } ++ + *optnum = i; + FreePool(candidate); + FreePool(data); +@@ -403,7 +410,7 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 * + #endif + + UINT16 option; +- rc = find_boot_option(dp, fullpath, label, arguments, &option); ++ rc = find_boot_option(dp, full_device_path, fullpath, label, arguments, &option); + if (EFI_ERROR(rc)) { + add_boot_option(dp, full_device_path, fullpath, label, arguments); + } else if (option != 0) { +-- +1.8.4.5 + diff --git a/shim-fallback-improve-entries-creation.patch b/shim-fallback-improve-entries-creation.patch new file mode 100644 index 0000000..efe5c52 --- /dev/null +++ b/shim-fallback-improve-entries-creation.patch 
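Review bot: In PATCH 2/3 the buffer size in `find_boot_option()` drops the `+ 2` that covered the terminator of `arguments`, yet the function (as added in shim-fallback-improve-entries-creation.patch) still finishes filling the buffer with `StrCpy((CHAR16 *)cursor, arguments)`, which writes the terminating NUL two bytes past the `size`-byte pool allocation. The same pairing of `StrLen(arguments) * 2` with `StrCpy` appears in `add_boot_option()` in that other patch. Keeping `size` as the compared and stored length but allocating `AllocateZeroPool(size + 2)`, or copying with `CopyMem(cursor, arguments, StrLen(arguments) * 2)`, keeps the write in bounds. Only part of `find_boot_option()` is visible in these hunks.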
@@ -0,0 +1,365 @@ +From 9ba08c4e8e7cf9b001497a0752652e0ece0b2b84 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Fri, 31 Jan 2014 10:30:24 -0500 +Subject: [PATCH 1/2] For HD() device paths, use just the media node and later. + +UEFI 2.x section 3.1.2 provides for "short-form device path", where the +first element specified is a "hard drive media device path", so that you +can move a disk around on different buses without invalidating your +device path. Fallback has not been using this option, though in most +cases efibootmgr has. + +Note that we still keep the full device path, because LoadImage() +isn't necessarily the layer where HD() works - one some systems BDS is +responsible for resolving the full path and passes that to LoadImage() +instead. So we have to do LoadImage() with the full path. +--- + fallback.c | 103 ++++++++++++++++++++++++++++++++++++++++++++++--------------- + 1 file changed, 78 insertions(+), 25 deletions(-) + +diff --git a/fallback.c b/fallback.c +index 82ddbf2..7f4201e 100644 +--- a/fallback.c ++++ b/fallback.c +@@ -15,6 +15,27 @@ + EFI_LOADED_IMAGE *this_image = NULL; + + static EFI_STATUS ++FindSubDevicePath(EFI_DEVICE_PATH *In, UINT8 Type, UINT8 SubType, ++ EFI_DEVICE_PATH **Out) ++{ ++ EFI_DEVICE_PATH *dp = In; ++ if (!In || !Out) ++ return EFI_INVALID_PARAMETER; ++ ++ for (dp = In; !IsDevicePathEnd(dp); dp = NextDevicePathNode(dp)) { ++ if (DevicePathType(dp) == Type && ++ DevicePathSubType(dp) == SubType) { ++ *Out = DuplicateDevicePath(dp); ++ if (!*Out) ++ return EFI_OUT_OF_RESOURCES; ++ return EFI_SUCCESS; ++ } ++ } ++ *Out = NULL; ++ return EFI_NOT_FOUND; ++} ++ ++static EFI_STATUS + get_file_size(EFI_FILE_HANDLE fh, UINT64 *retsize) + { + EFI_STATUS rc; +@@ -93,7 +114,9 @@ make_full_path(CHAR16 *dirname, CHAR16 *filename, CHAR16 **out, UINT64 *outlen) + { + UINT64 len; + +- len = StrLen(dirname) + StrLen(filename) + StrLen(L"\\EFI\\\\") + 2; ++ len = StrLen(L"\\EFI\\") + StrLen(dirname) ++ + StrLen(L"\\") + StrLen(filename) 
++ + 2; + + CHAR16 *fullpath = AllocateZeroPool(len*sizeof(CHAR16)); + if (!fullpath) { +@@ -119,7 +142,8 @@ VOID *first_new_option_args = NULL; + UINTN first_new_option_size = 0; + + EFI_STATUS +-add_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label, CHAR16 *arguments) ++add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp, ++ CHAR16 *filename, CHAR16 *label, CHAR16 *arguments) + { + static int i = 0; + CHAR16 varname[] = L"Boot0000"; +@@ -136,24 +160,31 @@ add_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label, CHAR16 *ar + void *var = LibGetVariable(varname, &global); + if (!var) { + int size = sizeof(UINT32) + sizeof (UINT16) + +- StrLen(label)*2 + 2 + DevicePathSize(dp) + +- StrLen(arguments) * 2 + 2; ++ StrLen(label)*2 + 2 + DevicePathSize(hddp) + ++ StrLen(arguments) * 2; + + CHAR8 *data = AllocateZeroPool(size); + CHAR8 *cursor = data; + *(UINT32 *)cursor = LOAD_OPTION_ACTIVE; + cursor += sizeof (UINT32); +- *(UINT16 *)cursor = DevicePathSize(dp); ++ *(UINT16 *)cursor = DevicePathSize(hddp); + cursor += sizeof (UINT16); + StrCpy((CHAR16 *)cursor, label); + cursor += StrLen(label)*2 + 2; +- CopyMem(cursor, dp, DevicePathSize(dp)); +- cursor += DevicePathSize(dp); ++ CopyMem(cursor, hddp, DevicePathSize(hddp)); ++ cursor += DevicePathSize(hddp); + StrCpy((CHAR16 *)cursor, arguments); + + Print(L"Creating boot entry \"%s\" with label \"%s\" " + L"for file \"%s\"\n", + varname, label, filename); ++ ++ if (!first_new_option) { ++ first_new_option = DuplicateDevicePath(fulldp); ++ first_new_option_args = arguments; ++ first_new_option_size = StrLen(arguments) * sizeof (CHAR16); ++ } ++ + rc = uefi_call_wrapper(RT->SetVariable, 5, varname, + &global, EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS | +@@ -254,7 +285,10 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 * + if (EFI_ERROR(rc)) + return rc; + +- EFI_DEVICE_PATH *dph = NULL, *dpf = NULL, *dp = NULL; ++ EFI_DEVICE_PATH 
*dph = NULL; ++ EFI_DEVICE_PATH *file = NULL; ++ EFI_DEVICE_PATH *full_device_path = NULL; ++ EFI_DEVICE_PATH *dp = NULL; + + dph = DevicePathFromHandle(this_image->DeviceHandle); + if (!dph) { +@@ -262,19 +296,31 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 * + goto err; + } + +- dpf = FileDevicePath(fh, fullpath); +- if (!dpf) { ++ file = FileDevicePath(fh, fullpath); ++ if (!file) { + rc = EFI_OUT_OF_RESOURCES; + goto err; + } + +- dp = AppendDevicePath(dph, dpf); +- if (!dp) { ++ full_device_path = AppendDevicePath(dph, file); ++ if (!full_device_path) { + rc = EFI_OUT_OF_RESOURCES; + goto err; + } + ++ rc = FindSubDevicePath(full_device_path, ++ MEDIA_DEVICE_PATH, MEDIA_HARDDRIVE_DP, &dp); ++ if (EFI_ERROR(rc)) { ++ if (rc == EFI_NOT_FOUND) { ++ dp = full_device_path; ++ } else { ++ rc = EFI_OUT_OF_RESOURCES; ++ goto err; ++ } ++ } ++ + #ifdef DEBUG_FALLBACK ++ { + UINTN s = DevicePathSize(dp); + int i; + UINT8 *dpv = (void *)dp; +@@ -287,20 +333,16 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 * + + CHAR16 *dps = DevicePathToStr(dp); + Print(L"device path: \"%s\"\n", dps); +-#endif +- if (!first_new_option) { +- CHAR16 *dps = DevicePathToStr(dp); +- Print(L"device path: \"%s\"\n", dps); +- first_new_option = DuplicateDevicePath(dp); +- first_new_option_args = arguments; +- first_new_option_size = StrLen(arguments) * sizeof (CHAR16); + } ++#endif + +- add_boot_option(dp, fullpath, label, arguments); ++ add_boot_option(dp, full_device_path, fullpath, label, arguments); + + err: +- if (dpf) +- FreePool(dpf); ++ if (file) ++ FreePool(file); ++ if (full_device_path) ++ FreePool(full_device_path); + if (dp) + FreePool(dp); + if (fullpath) +@@ -622,8 +664,19 @@ try_start_first_option(EFI_HANDLE parent_image_handle) + first_new_option, NULL, 0, + &image_handle); + if (EFI_ERROR(rc)) { +- Print(L"LoadImage failed: %d\n", rc); +- uefi_call_wrapper(BS->Stall, 1, 2000000); ++ CHAR16 *dps = 
DevicePathToStr(first_new_option); ++ UINTN s = DevicePathSize(first_new_option); ++ int i; ++ UINT8 *dpv = (void *)first_new_option; ++ Print(L"LoadImage failed: %d\nDevice path: \"%s\"\n", rc, dps); ++ for (i = 0; i < s; i++) { ++ if (i > 0 && i % 16 == 0) ++ Print(L"\n"); ++ Print(L"%02x ", dpv[i]); ++ } ++ Print(L"\n"); ++ ++ uefi_call_wrapper(BS->Stall, 1, 500000000); + return rc; + } + +@@ -637,7 +690,7 @@ try_start_first_option(EFI_HANDLE parent_image_handle) + rc = uefi_call_wrapper(BS->StartImage, 3, image_handle, NULL, NULL); + if (EFI_ERROR(rc)) { + Print(L"StartImage failed: %d\n", rc); +- uefi_call_wrapper(BS->Stall, 1, 2000000); ++ uefi_call_wrapper(BS->Stall, 1, 500000000); + } + return rc; + } +-- +1.8.4.5 + + +From 23ed6291df5dd34789829607a97b3605b739a629 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Fri, 31 Jan 2014 10:31:10 -0500 +Subject: [PATCH 2/2] Attempt to re-use existing entries when possible. + +Some firmwares seem to ignore our boot entries and put their fallback +entries back on top. Right now that results in a lot of boot entries +for our stuff, a la https://bugzilla.redhat.com/show_bug.cgi?id=995834 . + +Instead of that happening, if we simply find existing entries that match +the entry we would create and move them to the top of the boot order, +the machine will continue to operate in failure mode (which we can't +avoid), but at least we won't create thousands of extra entries. 
+ +Signed-off-by: Peter Jones +--- + fallback.c | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 98 insertions(+), 1 deletion(-) + +diff --git a/fallback.c b/fallback.c +index 7f4201e..044e4ba 100644 +--- a/fallback.c ++++ b/fallback.c +@@ -226,6 +226,85 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp, + } + + EFI_STATUS ++find_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label, ++ CHAR16 *arguments, UINT16 *optnum) ++{ ++ int size = sizeof(UINT32) + sizeof (UINT16) + ++ StrLen(label)*2 + 2 + DevicePathSize(dp) + ++ StrLen(arguments) * 2 + 2; ++ ++ CHAR8 *data = AllocateZeroPool(size); ++ if (!data) ++ return EFI_OUT_OF_RESOURCES; ++ CHAR8 *cursor = data; ++ *(UINT32 *)cursor = LOAD_OPTION_ACTIVE; ++ cursor += sizeof (UINT32); ++ *(UINT16 *)cursor = DevicePathSize(dp); ++ cursor += sizeof (UINT16); ++ StrCpy((CHAR16 *)cursor, label); ++ cursor += StrLen(label)*2 + 2; ++ CopyMem(cursor, dp, DevicePathSize(dp)); ++ cursor += DevicePathSize(dp); ++ StrCpy((CHAR16 *)cursor, arguments); ++ ++ int i = 0; ++ CHAR16 varname[] = L"Boot0000"; ++ CHAR16 hexmap[] = L"0123456789ABCDEF"; ++ EFI_GUID global = EFI_GLOBAL_VARIABLE; ++ EFI_STATUS rc; ++ ++ CHAR8 *candidate = AllocateZeroPool(size); ++ if (!candidate) { ++ FreePool(data); ++ return EFI_OUT_OF_RESOURCES; ++ } ++ ++ for(i = 0; i < nbootorder && i < 0x10000; i++) { ++ varname[4] = hexmap[(bootorder[i] & 0xf000) >> 12]; ++ varname[5] = hexmap[(bootorder[i] & 0x0f00) >> 8]; ++ varname[6] = hexmap[(bootorder[i] & 0x00f0) >> 4]; ++ varname[7] = hexmap[(bootorder[i] & 0x000f) >> 0]; ++ ++ UINTN candidate_size = size; ++ rc = uefi_call_wrapper(RT->GetVariable, 5, varname, &global, ++ NULL, &candidate_size, candidate); ++ if (EFI_ERROR(rc)) ++ continue; ++ ++ if (candidate_size != size) ++ continue; ++ ++ if (CompareMem(candidate, data, size)) ++ continue; ++ ++ /* at this point, we have duplicate data. 
*/ ++ *optnum = i; ++ FreePool(candidate); ++ FreePool(data); ++ return EFI_SUCCESS; ++ } ++ FreePool(candidate); ++ FreePool(data); ++ return EFI_NOT_FOUND; ++} ++ ++EFI_STATUS ++set_boot_order(void) ++{ ++ CHAR16 *oldbootorder; ++ UINTN size; ++ EFI_GUID global = EFI_GLOBAL_VARIABLE; ++ ++ oldbootorder = LibGetVariableAndSize(L"BootOrder", &global, &size); ++ if (oldbootorder) { ++ nbootorder = size / sizeof (CHAR16); ++ bootorder = oldbootorder; ++ } ++ return EFI_SUCCESS; ++ ++} ++ ++EFI_STATUS + update_boot_order(void) + { + CHAR16 *oldbootorder; +@@ -336,7 +415,23 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 * + } + #endif + +- add_boot_option(dp, full_device_path, fullpath, label, arguments); ++ UINT16 option; ++ rc = find_boot_option(dp, fullpath, label, arguments, &option); ++ if (EFI_ERROR(rc)) { ++ add_boot_option(dp, full_device_path, fullpath, label, arguments); ++ } else if (option != 0) { ++ CHAR16 *newbootorder; ++ newbootorder = AllocateZeroPool(sizeof (CHAR16) * nbootorder); ++ if (!newbootorder) ++ return EFI_OUT_OF_RESOURCES; ++ ++ newbootorder[0] = bootorder[option]; ++ CopyMem(newbootorder + 1, bootorder, sizeof (CHAR16) * option); ++ CopyMem(newbootorder + option + 1, bootorder + option + 1, ++ sizeof (CHAR16) * (nbootorder - option - 1)); ++ FreePool(bootorder); ++ bootorder = newbootorder; ++ } + + err: + if (file) +@@ -710,6 +805,8 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *systab) + + Print(L"System BootOrder not found. Initializing defaults.\n"); + ++ set_boot_order(); ++ + rc = find_boot_options(this_image->DeviceHandle); + if (EFI_ERROR(rc)) { + Print(L"Error: could not find boot options: %d\n", rc); +-- +1.8.4.5 + diff --git a/shim-fix-uninitialized-variable.patch b/shim-fix-uninitialized-variable.patch new file mode 100644 index 0000000..e1c9b9c --- /dev/null +++ b/shim-fix-uninitialized-variable.patch 
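Review bot: When `FindSubDevicePath()` returns `EFI_NOT_FOUND`, `add_to_boot_list()` sets `dp = full_device_path`, and the `err:` cleanup then calls `FreePool()` on both pointers, releasing the same pool buffer twice. Guard the second free, e.g. `if (dp && dp != full_device_path) FreePool(dp);`. In PATCH 2/2 the `return EFI_OUT_OF_RESOURCES;` after the `newbootorder` allocation also bypasses `err:` and leaks the buffers allocated earlier in the function; `rc = EFI_OUT_OF_RESOURCES; goto err;` would match the other failure paths.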
@@ -0,0 +1,60 @@
+From ccf21ef9a8868aacf9084400a15d73fcc24a6d39 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Fri, 15 Nov 2013 09:21:53 -0500
+Subject: [PATCH 1/2] Fix wrong sizeof().
+
+CHAR16* vs CHAR16**, so the result is the same on all platforms.
+
+Detected by coverity.
+
+Signed-off-by: Peter Jones
+---
+ lib/shell.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/shell.c b/lib/shell.c
+index 51de4e0..7337834 100644
+--- a/lib/shell.c
++++ b/lib/shell.c
+@@ -35,7 +35,7 @@ argsplit(EFI_HANDLE image, int *argc, CHAR16*** ARGV)
+
+ (*argc)++; /* we counted spaces, so add one for initial */
+
+- *ARGV = AllocatePool(*argc * sizeof(*ARGV));
++ *ARGV = AllocatePool(*argc * sizeof(**ARGV));
+ if (!*ARGV) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+--
+1.8.4.5
+
+
+From c4277cf343555646dbf0c17679108983af1e8887 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Fri, 15 Nov 2013 09:24:01 -0500
+Subject: [PATCH 2/2] Initialize entries before we pass it to another function.
+
+Coverity scan noticed that entries is uninitialized when we pass its
+location to another function.
+
+Signed-off-by: Peter Jones
+---
+ lib/simple_file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/simple_file.c b/lib/simple_file.c
+index 3af0ec8..d345d87 100644
+--- a/lib/simple_file.c
++++ b/lib/simple_file.c
+@@ -415,7 +415,7 @@ simple_file_selector(EFI_HANDLE *im, CHAR16 **title, CHAR16 *name,
+ CHAR16 *filter, CHAR16 **result)
+ {
+ EFI_STATUS status;
+- CHAR16 **entries;
++ CHAR16 **entries = NULL;
+ EFI_FILE_INFO *dmp;
+ int count, select, len;
+ CHAR16 *newname, *selected;
+--
+1.8.4.5
+
diff --git a/shim-get-variable-check.patch b/shim-get-variable-check.patch
new file mode 100644
index 0000000..53801e6
--- /dev/null
+++ b/shim-get-variable-check.patch
@@ -0,0 +1,27 @@ +From 293f28d1fe3921c5348c60948b4dedcef5042d5b Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Fri, 15 Nov 2013 10:55:37 -0500 +Subject: [PATCH] Error check the right thing in get_variable_attr() when + allocating. + +Signed-off-by: Peter Jones +--- + lib/variables.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/variables.c b/lib/variables.c +index 81bd34d..3a9735e 100644 +--- a/lib/variables.c ++++ b/lib/variables.c +@@ -224,7 +224,7 @@ get_variable_attr(CHAR16 *var, UINT8 **data, UINTN *len, EFI_GUID owner, + return efi_status; + + *data = AllocateZeroPool(*len); +- if (!data) ++ if (!*data) + return EFI_OUT_OF_RESOURCES; + + efi_status = uefi_call_wrapper(RT->GetVariable, 5, var, &owner, +-- +1.8.4.5 + diff --git a/shim-install b/shim-install index 250a3c9..93c1ddc 100644 --- a/shim-install +++ b/shim-install @@ -4,14 +4,18 @@ rootdir= bootdir= efidir= install_device= +efibootdir= +ca_string= removable=no clean=no sysconfdir="/etc" libdir="/usr/lib64" source_dir="$libdir/efi" grub_probe="`which grub2-probe`" +grub_mkrelpath="`which grub2-mkrelpath`" self="`basename $0`" grub_cfg="/boot/grub2/grub.cfg" +update_boot=no # Get GRUB_DISTRIBUTOR. if test -f "${sysconfdir}/default/grub" ; then @@ -26,6 +30,14 @@ fi efi_distributor="$bootloader_id" bootloader_id="${bootloader_id}-secureboot" +case "$bootloader_id" in + "sle"*) + ca_string='SUSE Linux Enterprise Secure Boot CA1';; + "opensuse"*) + ca_string='openSUSE Secure Boot CA1';; + *) ca_string="";; +esac + usage () { echo "Usage: $self [OPTION] [INSTALL_DEVICE]" echo 
@@ -169,18 +181,32 @@ fi if test -n "$efidir"; then efi_file=shim.efi + efibootdir="$efidir/EFI/boot" + mkdir -p "$efibootdir" || exit 1 efidir="$efidir/EFI/$efi_distributor" mkdir -p "$efidir" || exit 1 else exit 1; fi +if test -f "$efibootdir/bootx64.efi"; then + if test -n "$ca_string" && (grep -q "$ca_string" "$efibootdir/bootx64.efi"); then + update_boot=yes + fi +else + update_boot=yes +fi + if test "$clean" = "yes"; then rm -f "${efidir}/shim.efi" rm -f "${efidir}/MokManager.efi" rm -f "${efidir}/grub.efi" rm -f "${efidir}/grub.cfg" rm -f "${efidir}/boot.csv" + if test "$update_boot" = "yes"; then + rm -f "${efibootdir}/bootx64.efi" + rm -f "${efibootdir}/fallback.efi" + fi efibootmgr="`which efibootmgr`" if test "$removable" = no && test -n "$bootloader_id" && test -n "$efibootmgr"; then # Delete old entries from the same distributor. @@ -196,17 +222,70 @@ cp "${source_dir}/shim.efi" "${efidir}" cp "${source_dir}/MokManager.efi" "${efidir}" cp "${source_dir}/grub.efi" "${efidir}" echo "shim.efi,${bootloader_id}" | iconv -f ascii -t ucs2 > "${efidir}/boot.csv" +if test "$update_boot" = "yes"; then + cp "${source_dir}/shim.efi" "${efibootdir}/bootx64.efi" + cp "${source_dir}/fallback.efi" "${efibootdir}" +fi + + +make_grubcfg () { grub_cfg_dirname=`dirname $grub_cfg` grub_cfg_basename=`basename $grub_cfg` cfg_fs_uuid=`"$grub_probe" --target=fs_uuid "$grub_cfg_dirname"` +descriptive_config="snapshot_submenu.cfg" +root_fstype=`$grub_probe -t fs /` +boot_fstype=`$grub_probe -t fs /boot` +if [ "x${root_fstype}" != "xbtrfs" ] || + [ "x${boot_fstype}" != "xbtrfs" ]; then + echo "/ is not on btrfs" >&2 + exit 1; +fi + +if test "x$SUSE_BTRFS_SNAPSHOT_BOOTING" = "xtrue" && + test "x$root_fstype" = "xbtrfs" && + test "x$boot_fstype" = "xbtrfs"; then + +cat < "${efidir}/grub.cfg" + +else + +cat < "${efidir}/grub.cfg" efibootmgr="`which efibootmgr`" if test "$removable" = no && test -n "$bootloader_id" && test -n "$efibootmgr"; then 
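Review bot: The `grep -q "$ca_string" "$efibootdir/bootx64.efi"` test in the new `update_boot` block treats the CA name as a regular expression and only shows that the string occurs somewhere in the file, so it is an ownership heuristic rather than a check that the existing loader is this distribution's signed shim. Because the result decides whether `bootx64.efi` and `fallback.efi` are later removed or overwritten, match the name literally with `grep -qF -- "$ca_string" "$efibootdir/bootx64.efi"` and add a comment stating that the test only identifies a loader that embeds this CA name. The subshell parentheses around the grep call are not needed.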
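Review bot: The two added `cp` commands into `${efibootdir}` are unchecked, so a failed copy (for example a full or read-only ESP) leaves the removable-media path with a missing or stale loader while the script carries on. The directory creation earlier on this page already uses `mkdir -p "$efibootdir" || exit 1`; the copies should follow it, `cp "${source_dir}/shim.efi" "${efibootdir}/bootx64.efi" || exit 1` and the same for `fallback.efi`. The here-document bodies of `make_grubcfg` are not visible in this hunk as rendered, so the generated grub.cfg text is not covered by this note.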
diff --git a/shim-mokmanager-delete-bs-var-right.patch b/shim-mokmanager-delete-bs-var-right.patch
new file mode 100644
index 0000000..3e244c0
--- /dev/null
+++ b/shim-mokmanager-delete-bs-var-right.patch
@@ -0,0 +1,69 @@
+From 3c545d630917d76d91a8491f8759927f512e56f2 Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin
+Date: Fri, 7 Mar 2014 16:56:14 +0800
+Subject: [PATCH] MokManager: delete the BS+NV variables the right way
+
+LibDeleteVariable assumes that the variable is RT+NV and it
+won't work on a BS+NV variable.
+
+Signed-off-by: Gary Ching-Pang Lin
+---
+ MokManager.c | 28 +++++++++++++++++++++++++---
+ 1 file changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/MokManager.c b/MokManager.c
+index f5ed379..4ea28ef 100644
+--- a/MokManager.c
++++ b/MokManager.c
+@@ -1112,7 +1112,16 @@ static INTN mok_sb_prompt (void *MokSB, UINTN MokSBSize) {
+ return -1;
+ }
+ } else {
+- LibDeleteVariable(L"MokSBState", &shim_lock_guid);
++ efi_status = uefi_call_wrapper(RT->SetVariable,
++ 5, L"MokSBState",
++ &shim_lock_guid,
++ EFI_VARIABLE_NON_VOLATILE |
++ EFI_VARIABLE_BOOTSERVICE_ACCESS,
++ 0, NULL);
++ if (efi_status != EFI_SUCCESS) {
++ console_notify(L"Failed to delete Secure Boot state");
++ return -1;
++ }
+ }
+
+ console_notify(L"The system must now be rebooted");
+@@ -1224,7 +1233,16 @@ static INTN mok_db_prompt (void *MokDB, UINTN MokDBSize) {
+ return -1;
+ }
+ } else {
+- LibDeleteVariable(L"MokDBState", &shim_lock_guid);
++ efi_status = uefi_call_wrapper(RT->SetVariable, 5,
++ L"MokDBState",
++ &shim_lock_guid,
++ EFI_VARIABLE_NON_VOLATILE |
++ EFI_VARIABLE_BOOTSERVICE_ACCESS,
++ 0, NULL);
++ if (efi_status != EFI_SUCCESS) {
++ console_notify(L"Failed to delete DB state");
++ return -1;
++ }
+ }
+
+ console_notify(L"The system must now be rebooted");
+@@ -1261,7 +1279,11 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) {
+ if (console_yes_no((CHAR16 *[]){L"Clear MOK password?", NULL}) == 0)
+ return 0;
+
+- LibDeleteVariable(L"MokPWStore", &shim_lock_guid);
++ uefi_call_wrapper(RT->SetVariable, 5, L"MokPWStore",
++ &shim_lock_guid,
++ EFI_VARIABLE_NON_VOLATILE
++ | EFI_VARIABLE_BOOTSERVICE_ACCESS,
++ 0, NULL);
+ LibDeleteVariable(L"MokPW", &shim_lock_guid);
+ console_notify(L"The system must now be rebooted");
+ uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm, EFI_SUCCESS, 0,
+--
+1.8.4.5
+
diff --git a/shim-mokmanager-support-sha-family.patch b/shim-mokmanager-support-sha-family.patch
new file mode 100644
index 0000000..872be75
--- /dev/null
+++ b/shim-mokmanager-support-sha-family.patch
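Review bot: In the `mok_pw_prompt` hunk the new `SetVariable` call that deletes `MokPWStore` discards its status, while the same replacement in `mok_sb_prompt` and `mok_db_prompt` stores it in `efi_status` and returns -1 on failure. If the delete fails, the user is still told to reboot and the stored password data stays in place. Capture the result and handle it as the other two hunks do, for example `if (efi_status != EFI_SUCCESS) { console_notify(L"Failed to delete MOK password"); return -1; }`. Whether `efi_status` is already declared in `mok_pw_prompt` is not visible, because the function starts outside the hunk.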
@@ -0,0 +1,627 @@ +From f110c89b169505156741ee4ce4b0952e899ed0d8 Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Thu, 3 Apr 2014 18:26:37 +0800 +Subject: [PATCH 1/5] MokManager: Support SHA1 hash in MOK + +Add SHA1 hash support and amend the code to make it easier to support +other SHA digests. +--- + MokManager.c | 121 ++++++++++++++++++++++++++++++++++++----------------------- + 1 file changed, 75 insertions(+), 46 deletions(-) + +diff --git a/MokManager.c b/MokManager.c +index 5af5ce6..7cf31c1 100644 +--- a/MokManager.c ++++ b/MokManager.c +@@ -93,27 +93,58 @@ done: + return status; + } + ++static BOOLEAN is_sha_hash (EFI_GUID Type) ++{ ++ EFI_GUID Sha1 = EFI_CERT_SHA1_GUID; ++ EFI_GUID Sha256 = EFI_CERT_SHA256_GUID; ++ ++ if (CompareGuid(&Type, &Sha1) == 0) ++ return TRUE; ++ else if (CompareGuid(&Type, &Sha256) == 0) ++ return TRUE; ++ ++ return FALSE; ++} ++ ++static UINT32 sha_size (EFI_GUID Type) ++{ ++ EFI_GUID Sha1 = EFI_CERT_SHA1_GUID; ++ EFI_GUID Sha256 = EFI_CERT_SHA256_GUID; ++ ++ if (CompareGuid(&Type, &Sha1) == 0) ++ return SHA1_DIGEST_SIZE; ++ else if (CompareGuid(&Type, &Sha256) == 0) ++ return SHA256_DIGEST_SIZE; ++ ++ return 0; ++} ++ ++static BOOLEAN is_valid_siglist (EFI_GUID Type, UINT32 SigSize) ++{ ++ EFI_GUID CertType = X509_GUID; ++ UINT32 hash_sig_size; ++ ++ if (CompareGuid (&Type, &CertType) == 0 && SigSize != 0) ++ return TRUE; ++ ++ if (!is_sha_hash (Type)) ++ return FALSE; ++ ++ hash_sig_size = sha_size (Type) + sizeof(EFI_GUID); ++ if (SigSize != hash_sig_size) ++ return FALSE; ++ ++ return TRUE; ++} ++ + static UINT32 count_keys(void *Data, UINTN DataSize) + { + EFI_SIGNATURE_LIST *CertList = Data; +- EFI_GUID CertType = X509_GUID; +- EFI_GUID HashType = EFI_CERT_SHA256_GUID; + UINTN dbsize = DataSize; + UINT32 MokNum = 0; + + while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) { +- if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) && +- (CompareGuid (&CertList->SignatureType, &HashType) != 0)) { 
+- console_notify(L"Doesn't look like a key or hash"); +- dbsize -= CertList->SignatureListSize; +- CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + +- CertList->SignatureListSize); +- continue; +- } +- +- if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) && +- (CertList->SignatureSize != 48)) { +- console_notify(L"Doesn't look like a valid hash"); ++ if (!is_valid_siglist(CertList->SignatureType, CertList->SignatureSize)) { + dbsize -= CertList->SignatureListSize; + CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + + CertList->SignatureListSize); +@@ -134,7 +165,6 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) { + EFI_SIGNATURE_LIST *CertList = Data; + EFI_SIGNATURE_DATA *Cert; + EFI_GUID CertType = X509_GUID; +- EFI_GUID HashType = EFI_CERT_SHA256_GUID; + UINTN dbsize = DataSize; + UINTN count = 0; + +@@ -146,16 +176,7 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) { + } + + while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) { +- if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) && +- (CompareGuid (&CertList->SignatureType, &HashType) != 0)) { +- dbsize -= CertList->SignatureListSize; +- CertList = (EFI_SIGNATURE_LIST *)((UINT8 *) CertList + +- CertList->SignatureListSize); +- continue; +- } +- +- if ((CompareGuid (&CertList->SignatureType, &HashType) == 0) && +- (CertList->SignatureSize != 48)) { ++ if (!is_valid_siglist(CertList->SignatureType, CertList->SignatureSize)) { + dbsize -= CertList->SignatureListSize; + CertList = (EFI_SIGNATURE_LIST *)((UINT8 *) CertList + + CertList->SignatureListSize); +@@ -380,22 +401,34 @@ static void show_x509_info (X509 *X509Cert, UINT8 *hash) + FreePool(text); + } + +-static void show_sha256_digest (UINT8 *hash) ++static void show_sha_digest (EFI_GUID Type, UINT8 *hash) + { ++ EFI_GUID Sha1 = EFI_CERT_SHA1_GUID; ++ EFI_GUID Sha256 = EFI_CERT_SHA256_GUID; + CHAR16 *text[5]; + POOL_PRINT hash_string1; + POOL_PRINT 
hash_string2; + int i; ++ int length; ++ ++ if (CompareGuid(&Type, &Sha1) == 0) { ++ length = SHA1_DIGEST_SIZE; ++ text[0] = L"SHA1 hash"; ++ } else if (CompareGuid(&Type, &Sha256) == 0) { ++ length = SHA256_DIGEST_SIZE; ++ text[0] = L"SHA256 hash"; ++ } else { ++ return; ++ } + + ZeroMem(&hash_string1, sizeof(hash_string1)); + ZeroMem(&hash_string2, sizeof(hash_string2)); + +- text[0] = L"SHA256 hash"; + text[1] = L""; + +- for (i=0; i<16; i++) ++ for (i=0; iSignatureListSize = list[i].MokSize + + sizeof(EFI_SIGNATURE_LIST); +- CertList->SignatureSize = SHA256_DIGEST_SIZE + sizeof(EFI_GUID); ++ CertList->SignatureSize = sha_size(list[i].Type) + sizeof(EFI_GUID); + + CopyMem(CertData, list[i].Mok, list[i].MokSize); + } +@@ -1040,7 +1072,6 @@ static void mem_move (void *dest, void *src, UINTN size) + static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size, + MokListNode *mok, INTN mok_num) + { +- EFI_GUID HashType = EFI_CERT_SHA256_GUID; + UINT32 sig_size; + UINT32 list_num; + int i, del_ind; +@@ -1050,8 +1081,7 @@ static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size, + sig_size = hash_size + sizeof(EFI_GUID); + + for (i = 0; i < mok_num; i++) { +- if ((CompareGuid(&(mok[i].Type), &HashType) != 0) || +- (mok[i].MokSize < sig_size)) ++ if (!is_sha_hash(mok[i].Type) || (mok[i].MokSize < sig_size)) + continue; + + list_num = mok[i].MokSize / sig_size; +@@ -1080,7 +1110,7 @@ static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size, + } + } + +-static void delete_hash_list (void *hash_list, UINT32 list_size, ++static void delete_hash_list (EFI_GUID Type, void *hash_list, UINT32 list_size, + MokListNode *mok, INTN mok_num) + { + UINT32 hash_size; +@@ -1089,7 +1119,7 @@ static void delete_hash_list (void *hash_list, UINT32 list_size, + UINT8 *hash; + int i; + +- hash_size = SHA256_DIGEST_SIZE; ++ hash_size = sha_size (Type); + sig_size = hash_size + sizeof(EFI_GUID); + if (list_size < sig_size) + return; +@@ -1108,7 +1138,6 @@ static EFI_STATUS 
delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX) + { + EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; + EFI_GUID CertType = X509_GUID; +- EFI_GUID HashType = EFI_CERT_SHA256_GUID; + EFI_STATUS efi_status; + CHAR16 *db_name; + CHAR16 *auth_name; +@@ -1183,9 +1212,9 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX) + if (CompareGuid(&(del_key[i].Type), &CertType) == 0) { + delete_cert(del_key[i].Mok, del_key[i].MokSize, + mok, mok_num); +- } else if (CompareGuid(&(del_key[i].Type), &HashType) == 0) { +- delete_hash_list(del_key[i].Mok, del_key[i].MokSize, +- mok, mok_num); ++ } else if (is_sha_hash(del_key[i].Type)) { ++ delete_hash_list(del_key[i].Type, del_key[i].Mok, ++ del_key[i].MokSize, mok, mok_num); + } + } + +-- +1.8.4.5 + + +From 9a0aaf045859be5ba3abdaaf06683cb9ab0b6c57 Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Wed, 9 Apr 2014 16:49:25 +0800 +Subject: [PATCH 2/5] MokManager: fix the return value and type + +There are some functions that the return value and the type +didn't match. 
+ +Signed-off-by: Gary Ching-Pang Lin +--- + MokManager.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/MokManager.c b/MokManager.c +index 7cf31c1..b09f5b8 100644 +--- a/MokManager.c ++++ b/MokManager.c +@@ -536,7 +536,7 @@ static EFI_STATUS list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title) + if (KeyListSize < (sizeof(EFI_SIGNATURE_LIST) + + sizeof(EFI_SIGNATURE_DATA))) { + console_notify(L"No MOK keys found"); +- return 0; ++ return EFI_NOT_FOUND; + } + + MokNum = count_keys(KeyList, KeyListSize); +@@ -544,7 +544,7 @@ static EFI_STATUS list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title) + + if (!keys) { + console_notify(L"Failed to construct key list"); +- return 0; ++ return EFI_ABORTED; + } + + menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (MokNum + 2)); +@@ -863,7 +863,7 @@ static EFI_STATUS store_keys (void *MokNew, UINTN MokNewSize, int authenticate, + return EFI_SUCCESS; + } + +-static UINTN mok_enrollment_prompt (void *MokNew, UINTN MokNewSize, int auth, ++static INTN mok_enrollment_prompt (void *MokNew, UINTN MokNewSize, int auth, + BOOLEAN MokX) + { + EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; +-- +1.8.4.5 + + +From 790eb376dbe692d4702d807f24c1be7a492a5717 Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Thu, 10 Apr 2014 14:39:43 +0800 +Subject: [PATCH 3/5] MokManager: Add more key list safe checks + +Signed-off-by: Gary Ching-Pang Lin +--- + MokManager.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++---- + 1 file changed, 56 insertions(+), 4 deletions(-) + +diff --git a/MokManager.c b/MokManager.c +index b09f5b8..c5501f3 100644 +--- a/MokManager.c ++++ b/MokManager.c +@@ -144,6 +144,12 @@ static UINT32 count_keys(void *Data, UINTN DataSize) + UINT32 MokNum = 0; + + while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) { ++ if (CertList->SignatureListSize == 0 || ++ CertList->SignatureListSize <= CertList->SignatureSize) { ++ console_errorbox(L"Corrupted signature 
list"); ++ return 0; ++ } ++ + if (!is_valid_siglist(CertList->SignatureType, CertList->SignatureSize)) { + dbsize -= CertList->SignatureListSize; + CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + +@@ -540,10 +546,13 @@ static EFI_STATUS list_keys (void *KeyList, UINTN KeyListSize, CHAR16 *title) + } + + MokNum = count_keys(KeyList, KeyListSize); ++ if (MokNum == 0) { ++ console_errorbox(L"Invalid key list"); ++ return EFI_ABORTED; ++ } + keys = build_mok_list(MokNum, KeyList, KeyListSize); +- + if (!keys) { +- console_notify(L"Failed to construct key list"); ++ console_errorbox(L"Failed to construct key list"); + return EFI_ABORTED; + } + +@@ -1184,7 +1193,13 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX) + + efi_status = get_variable_attr (db_name, &MokListData, &MokListDataSize, + shim_lock_guid, &attributes); +- if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) { ++ if (efi_status != EFI_SUCCESS) { ++ if (MokX) ++ console_errorbox(L"Failed to retrieve MokListX"); ++ else ++ console_errorbox(L"Failed to retrieve MokList"); ++ return EFI_ABORTED; ++ } else if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) { + if (MokX) { + err_str1 = L"MokListX is compromised!"; + err_str2 = L"Erase all keys in MokListX!"; +@@ -1193,7 +1208,11 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX) + err_str2 = L"Erase all keys in MokList!"; + } + console_alertbox((CHAR16 *[]){err_str1, err_str2, NULL}); +- LibDeleteVariable(db_name, &shim_lock_guid); ++ uefi_call_wrapper(RT->SetVariable, 5, db_name, ++ &shim_lock_guid, ++ EFI_VARIABLE_NON_VOLATILE | ++ EFI_VARIABLE_BOOTSERVICE_ACCESS, ++ 0, NULL); + return EFI_ACCESS_DENIED; + } + +@@ -1203,9 +1222,41 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX) + + /* Construct lists */ + mok_num = count_keys(MokListData, MokListDataSize); ++ if (mok_num == 0) { ++ if (MokX) { ++ err_str1 = L"Failed to construct the key list of MokListX"; ++ err_str2 = 
L"Reset MokListX!"; ++ } else { ++ err_str1 = L"Failed to construct the key list of MokList"; ++ err_str2 = L"Reset MokList!"; ++ } ++ console_alertbox((CHAR16 *[]){err_str1, err_str2, NULL}); ++ uefi_call_wrapper(RT->SetVariable, 5, db_name, ++ &shim_lock_guid, ++ EFI_VARIABLE_NON_VOLATILE | ++ EFI_VARIABLE_BOOTSERVICE_ACCESS, ++ 0, NULL); ++ efi_status = EFI_ABORTED; ++ goto error; ++ } + mok = build_mok_list(mok_num, MokListData, MokListDataSize); ++ if (!mok) { ++ console_errorbox(L"Failed to construct key list"); ++ efi_status = EFI_ABORTED; ++ goto error; ++ } + del_num = count_keys(MokDel, MokDelSize); ++ if (del_num == 0) { ++ console_errorbox(L"Invalid key delete list"); ++ efi_status = EFI_ABORTED; ++ goto error; ++ } + del_key = build_mok_list(del_num, MokDel, MokDelSize); ++ if (!del_key) { ++ console_errorbox(L"Failed to construct key list"); ++ efi_status = EFI_ABORTED; ++ goto error; ++ } + + /* Search and destroy */ + for (i = 0; i < del_num; i++) { +@@ -1220,6 +1271,7 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize, BOOLEAN MokX) + + efi_status = write_back_mok_list(mok, mok_num, MokX); + ++error: + if (MokListData) + FreePool(MokListData); + if (mok) +-- +1.8.4.5 + + +From a2879e575439b019d1eff5b32ca8b59d1e2e1503 Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Thu, 10 Apr 2014 15:29:14 +0800 +Subject: [PATCH 4/5] MokManager: Support SHA224, SHA384, and SHA512 + +Signed-off-by: Gary Ching-Pang Lin +--- + MokManager.c | 40 +++++++++++++++++++++++++++++++++++++--- + 1 file changed, 37 insertions(+), 3 deletions(-) + +diff --git a/MokManager.c b/MokManager.c +index c5501f3..117cf9b 100644 +--- a/MokManager.c ++++ b/MokManager.c +@@ -25,6 +25,9 @@ + #define EFI_VARIABLE_APPEND_WRITE 0x00000040 + + EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }; ++EFI_GUID EFI_CERT_SHA224_GUID = { 0xb6e5233, 0xa65c, 0x44c9, {0x94, 0x7, 0xd9, 0xab, 0x83, 0xbf, 0xc8, 0xbd} }; 
++EFI_GUID EFI_CERT_SHA384_GUID = { 0xff3e5307, 0x9fd0, 0x48c9, {0x85, 0xf1, 0x8a, 0xd5, 0x6c, 0x70, 0x1e, 0x1} }; ++EFI_GUID EFI_CERT_SHA512_GUID = { 0x93e0fae, 0xa6c4, 0x4f50, {0x9f, 0x1b, 0xd4, 0x1e, 0x2b, 0x89, 0xc1, 0x9a} }; + + #define CERT_STRING L"Select an X509 certificate to enroll:\n\n" + #define HASH_STRING L"Select a file to trust:\n\n" +@@ -96,12 +99,21 @@ done: + static BOOLEAN is_sha_hash (EFI_GUID Type) + { + EFI_GUID Sha1 = EFI_CERT_SHA1_GUID; ++ EFI_GUID Sha224 = EFI_CERT_SHA224_GUID; + EFI_GUID Sha256 = EFI_CERT_SHA256_GUID; ++ EFI_GUID Sha384 = EFI_CERT_SHA384_GUID; ++ EFI_GUID Sha512 = EFI_CERT_SHA512_GUID; + + if (CompareGuid(&Type, &Sha1) == 0) + return TRUE; ++ else if (CompareGuid(&Type, &Sha224) == 0) ++ return TRUE; + else if (CompareGuid(&Type, &Sha256) == 0) + return TRUE; ++ else if (CompareGuid(&Type, &Sha384) == 0) ++ return TRUE; ++ else if (CompareGuid(&Type, &Sha512) == 0) ++ return TRUE; + + return FALSE; + } +@@ -109,12 +121,21 @@ static BOOLEAN is_sha_hash (EFI_GUID Type) + static UINT32 sha_size (EFI_GUID Type) + { + EFI_GUID Sha1 = EFI_CERT_SHA1_GUID; ++ EFI_GUID Sha224 = EFI_CERT_SHA224_GUID; + EFI_GUID Sha256 = EFI_CERT_SHA256_GUID; ++ EFI_GUID Sha384 = EFI_CERT_SHA384_GUID; ++ EFI_GUID Sha512 = EFI_CERT_SHA512_GUID; + + if (CompareGuid(&Type, &Sha1) == 0) + return SHA1_DIGEST_SIZE; ++ else if (CompareGuid(&Type, &Sha224) == 0) ++ return SHA224_DIGEST_LENGTH; + else if (CompareGuid(&Type, &Sha256) == 0) + return SHA256_DIGEST_SIZE; ++ else if (CompareGuid(&Type, &Sha384) == 0) ++ return SHA384_DIGEST_LENGTH; ++ else if (CompareGuid(&Type, &Sha512) == 0) ++ return SHA512_DIGEST_LENGTH; + + return 0; + } +@@ -410,7 +431,10 @@ static void show_x509_info (X509 *X509Cert, UINT8 *hash) + static void show_sha_digest (EFI_GUID Type, UINT8 *hash) + { + EFI_GUID Sha1 = EFI_CERT_SHA1_GUID; ++ EFI_GUID Sha224 = EFI_CERT_SHA224_GUID; + EFI_GUID Sha256 = EFI_CERT_SHA256_GUID; ++ EFI_GUID Sha384 = EFI_CERT_SHA384_GUID; ++ EFI_GUID Sha512 
= EFI_CERT_SHA512_GUID; + CHAR16 *text[5]; + POOL_PRINT hash_string1; + POOL_PRINT hash_string2; +@@ -420,9 +444,18 @@ static void show_sha_digest (EFI_GUID Type, UINT8 *hash) + if (CompareGuid(&Type, &Sha1) == 0) { + length = SHA1_DIGEST_SIZE; + text[0] = L"SHA1 hash"; ++ } else if (CompareGuid(&Type, &Sha224) == 0) { ++ length = SHA224_DIGEST_LENGTH; ++ text[0] = L"SHA224 hash"; + } else if (CompareGuid(&Type, &Sha256) == 0) { + length = SHA256_DIGEST_SIZE; + text[0] = L"SHA256 hash"; ++ } else if (CompareGuid(&Type, &Sha384) == 0) { ++ length = SHA384_DIGEST_LENGTH; ++ text[0] = L"SHA384 hash"; ++ } else if (CompareGuid(&Type, &Sha512) == 0) { ++ length = SHA512_DIGEST_LENGTH; ++ text[0] = L"SHA512 hash"; + } else { + return; + } +@@ -1078,7 +1111,7 @@ static void mem_move (void *dest, void *src, UINTN size) + d[i] = s[i]; + } + +-static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size, ++static void delete_hash_in_list (EFI_GUID Type, UINT8 *hash, UINT32 hash_size, + MokListNode *mok, INTN mok_num) + { + UINT32 sig_size; +@@ -1090,7 +1123,8 @@ static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size, + sig_size = hash_size + sizeof(EFI_GUID); + + for (i = 0; i < mok_num; i++) { +- if (!is_sha_hash(mok[i].Type) || (mok[i].MokSize < sig_size)) ++ if ((CompareGuid(&(mok[i].Type), &Type) != 0) || ++ (mok[i].MokSize < sig_size)) + continue; + + list_num = mok[i].MokSize / sig_size; +@@ -1138,7 +1172,7 @@ static void delete_hash_list (EFI_GUID Type, void *hash_list, UINT32 list_size, + hash = hash_list + sizeof(EFI_GUID); + + for (i = 0; i < hash_num; i++) { +- delete_hash_in_list (hash, hash_size, mok, mok_num); ++ delete_hash_in_list (Type, hash, hash_size, mok, mok_num); + hash += sig_size; + } + } +-- +1.8.4.5 + + +From 04955238a98734aac8df7ad46a732e130681acfd Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Thu, 10 Apr 2014 15:55:35 +0800 +Subject: [PATCH 5/5] MokManager: Discard the list contains an invalid + signature + +Signed-off-by: 
Gary Ching-Pang Lin +--- + MokManager.c | 14 ++++---------- + 1 file changed, 4 insertions(+), 10 deletions(-) + +diff --git a/MokManager.c b/MokManager.c +index 117cf9b..b896836 100644 +--- a/MokManager.c ++++ b/MokManager.c +@@ -172,10 +172,8 @@ static UINT32 count_keys(void *Data, UINTN DataSize) + } + + if (!is_valid_siglist(CertList->SignatureType, CertList->SignatureSize)) { +- dbsize -= CertList->SignatureListSize; +- CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + +- CertList->SignatureListSize); +- continue; ++ console_errorbox(L"Invalid signature list found"); ++ return 0; + } + + MokNum++; +@@ -203,12 +201,8 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize) { + } + + while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) { +- if (!is_valid_siglist(CertList->SignatureType, CertList->SignatureSize)) { +- dbsize -= CertList->SignatureListSize; +- CertList = (EFI_SIGNATURE_LIST *)((UINT8 *) CertList + +- CertList->SignatureListSize); +- continue; +- } ++ /* Omit the signature check here since we already did it ++ in count_keys() */ + + Cert = (EFI_SIGNATURE_DATA *) (((UINT8 *) CertList) + + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize); +-- +1.8.4.5 + diff --git a/shim-mokx-support.patch b/shim-mokx-support.patch index f19a7f4..608b47b 100644 --- a/shim-mokx-support.patch +++ b/shim-mokx-support.patch @@ -1,10 +1,12 @@ -From 8614cf8c164049e77d702eb234d608d5342e975b Mon Sep 17 00:00:00 2001 +From 58b8e54ef60d488886a9f0d0877b7187eb200d07 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 24 Oct 2013 17:02:08 +0800 -Subject: [PATCH 1/9] Support MOK blacklist +Subject: [PATCH 01/10] Support MOK blacklist The new blacklist, MokListX, stores the keys and hashes that are banned. + +Signed-off-by: Gary Ching-Pang Lin --- MokManager.c | 241 +++++++++++++++++++++++++++++++++++++++++++++++++---------- shim.c | 3 +- @@ -510,7 +512,7 @@ index f5ed379..b9b42b6 100644 return EFI_SUCCESS; } 
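Review bot: `count_keys` reads `CertList->SignatureListSize` in its loop condition before it knows that `dbsize` covers an `EFI_SIGNATURE_LIST` header, and the check added in patch 3/5 (`SignatureListSize == 0 || SignatureListSize <= SignatureSize`) does not establish that a list is large enough for its header, `SignatureHeaderSize` and one signature. Patch 5/5 then drops the per-list validation from `build_mok_list` and relies on `count_keys` alone, which makes it the only gate for the variable contents parsed here (`MokNew`, `MokDel`, the stored list). Tighten the loop to `while (dbsize >= sizeof(EFI_SIGNATURE_LIST) && dbsize >= CertList->SignatureListSize)` and also reject a list where `SignatureListSize < sizeof(EFI_SIGNATURE_LIST) + SignatureHeaderSize + SignatureSize`. Both functions start and end outside the hunks shown, so any earlier size checks in them are not visible.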
diff --git a/shim.c b/shim.c -index 9ae1936..c133bb2 100644 +index cf93d65..2c23a2f 100644 --- a/shim.c +++ b/shim.c @@ -1510,7 +1510,8 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle) @@ -524,14 +526,15 @@ index 9ae1936..c133bb2 100644 if (efi_status != EFI_SUCCESS) { -- -1.8.1.4 +1.8.4.5 -From f36f4093bb72344242949b16b83905cefb93d3cd Mon Sep 17 00:00:00 2001 +From d2980a5cbee887223405a24be44ffd5bb439e3f1 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 24 Oct 2013 17:32:31 +0800 -Subject: [PATCH 2/9] MokManager: show the hash list properly +Subject: [PATCH 02/10] MokManager: show the hash list properly +Signed-off-by: Gary Ching-Pang Lin --- MokManager.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 71 insertions(+), 11 deletions(-) @@ -675,14 +678,15 @@ index b9b42b6..5575a94 100644 for (i=0; menu_strings[i] != NULL; i++) -- -1.8.1.4 +1.8.4.5 -From f1073a9bc757008d44b5b86cb5002a3654faf2d2 Mon Sep 17 00:00:00 2001 +From 9c4b5d58385c64056adb5386c097219665f2f50d Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Fri, 25 Oct 2013 16:54:25 +0800 -Subject: [PATCH 3/9] MokManager: delete the hash properly +Subject: [PATCH 03/10] MokManager: delete the hash properly +Signed-off-by: Gary Ching-Pang Lin --- MokManager.c | 124 ++++++++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 114 insertions(+), 10 deletions(-) @@ -840,14 +844,15 @@ index 5575a94..23bdeef 100644 } -- -1.8.1.4 +1.8.4.5 -From b5cb83a92620b0b41857f3e3a292d1577eb3a3a5 Mon Sep 17 00:00:00 2001 +From 54ce2f9605990c00f9cafae7cab22a1c885828c1 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Fri, 25 Oct 2013 17:05:10 +0800 -Subject: [PATCH 4/9] MokManager: Match all hashes in the list +Subject: [PATCH 04/10] MokManager: Match all hashes in the list +Signed-off-by: Gary Ching-Pang Lin --- MokManager.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) 
@@ -908,15 +913,17 @@ index 23bdeef..5b40e19 100644 } } -- -1.8.1.4 +1.8.4.5 -From 70a4e12d2e6ba37541d0b78ec3c8ed5e8da9a941 Mon Sep 17 00:00:00 2001 +From 4c1912c8521cca4d320a1417abff6f7954809a20 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Fri, 25 Oct 2013 18:30:48 +0800 -Subject: [PATCH 5/9] MokManager: Write the hash list properly +Subject: [PATCH 05/10] MokManager: Write the hash list properly also return to the previous entry in the list + +Signed-off-by: Gary Ching-Pang Lin --- MokManager.c | 30 +++++++++++++++++++----------- 1 file changed, 19 insertions(+), 11 deletions(-) @@ -991,20 +998,21 @@ index 5b40e19..e79a8e0 100644 efi_status = uefi_call_wrapper(RT->SetVariable, 5, db_name, -- -1.8.1.4 +1.8.4.5 -From 225e5fca2f7cf63e365b77243d6e43b1eb9860c8 Mon Sep 17 00:00:00 2001 +From 8b96a93bda39617efbe51f24d1dc606ad8835d26 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Mon, 28 Oct 2013 15:08:40 +0800 -Subject: [PATCH 6/9] Copy the MOK blacklist to a RT variable +Subject: [PATCH 06/10] Copy the MOK blacklist to a RT variable +Signed-off-by: Gary Ching-Pang Lin --- shim.c | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/shim.c b/shim.c -index c133bb2..a0383a8 100644 +index 2c23a2f..ccb3071 100644 --- a/shim.c +++ b/shim.c @@ -1480,6 +1480,33 @@ EFI_STATUS mirror_mok_list() @@ -1041,7 +1049,7 @@ index c133bb2..a0383a8 100644 * Check if a variable exists */ static BOOLEAN check_var(CHAR16 *varname) -@@ -1795,6 +1822,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) +@@ -1799,6 +1826,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) */ efi_status = mirror_mok_list(); 
@@ -1051,20 +1059,21 @@ index c133bb2..a0383a8 100644 * Create the runtime MokIgnoreDB variable so the kernel can make * use of it -- -1.8.1.4 +1.8.4.5 -From f9db55b719281ce491780ecd4ec269c5286a7251 Mon Sep 17 00:00:00 2001 +From 044d04dbed3ef3f2f3004a770e3751eabc052c2c Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Mon, 28 Oct 2013 16:36:34 +0800 -Subject: [PATCH 7/9] No newline for console_notify +Subject: [PATCH 07/10] No newline for console_notify +Signed-off-by: Gary Ching-Pang Lin --- shim.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shim.c b/shim.c -index a0383a8..a2e0862 100644 +index ccb3071..e30a464 100644 --- a/shim.c +++ b/shim.c @@ -470,7 +470,7 @@ static BOOLEAN secure_mode (void) @@ -1086,13 +1095,13 @@ index a0383a8..a2e0862 100644 } -- -1.8.1.4 +1.8.4.5 -From 0bf2da5c7d9442f3249fc977b3fbffab924a374c Mon Sep 17 00:00:00 2001 +From 0e97d1576fcc1924f0f17b7f31baf1dd74a7f83e Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Mon, 4 Nov 2013 14:45:33 +0800 -Subject: [PATCH 8/9] Verify the EFI images with MOK blacklist +Subject: [PATCH 08/10] Verify the EFI images with MOK blacklist Signed-off-by: Gary Ching-Pang Lin --- @@ -1100,7 +1109,7 @@ Signed-off-by: Gary Ching-Pang Lin 1 file changed, 9 insertions(+) diff --git a/shim.c b/shim.c -index a2e0862..5f5e9a6 100644 +index e30a464..efd3d85 100644 --- a/shim.c +++ b/shim.c @@ -365,6 +365,7 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert, @@ -1127,13 +1136,13 @@ index a2e0862..5f5e9a6 100644 return EFI_SUCCESS; } -- -1.8.1.4 +1.8.4.5 -From 20ced27d1785bceaf814c07ca0d5686506a119ad Mon Sep 17 00:00:00 2001 +From a166edaa42ef96eaf5b000d0e4ad71779b745d68 Mon Sep 17 00:00:00 2001 
From: Gary Ching-Pang Lin Date: Mon, 4 Nov 2013 17:51:55 +0800 -Subject: [PATCH 9/9] Exclude ca.crt while signing EFI images +Subject: [PATCH 09/10] Exclude ca.crt while signing EFI images If ca.crt was added into the certificate database, ca.crt would be the first certificate in the signature. Because shim couldn't verify ca.crt with the @@ -1158,5 +1167,33 @@ index e65d28d..5e3fa9e 100644 certutil -d certdb/ -A -i shim.crt -n shim -t u -- -1.8.1.4 +1.8.4.5 + + +From cce37bfa5298e8e9c12d3509c78592f711699c4f Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Tue, 11 Feb 2014 14:11:15 +0800 +Subject: [PATCH 10/10] Make shim to check MokXAuth for MOKX reset + +Signed-off-by: Gary Ching-Pang Lin +--- + shim.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/shim.c b/shim.c +index efd3d85..7093c45 100644 +--- a/shim.c ++++ b/shim.c +@@ -1547,7 +1547,8 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle) + if (check_var(L"MokNew") || check_var(L"MokSB") || + check_var(L"MokPW") || check_var(L"MokAuth") || + check_var(L"MokDel") || check_var(L"MokDB") || +- check_var(L"MokXNew") || check_var(L"MokXDel")) { ++ check_var(L"MokXNew") || check_var(L"MokXDel") || ++ check_var(L"MokXAuth")) { + efi_status = start_image(image_handle, MOK_MANAGER); + + if (efi_status != EFI_SUCCESS) { +-- +1.8.4.5 diff --git a/shim-only-os-name.patch b/shim-only-os-name.patch new file mode 100644 index 0000000..076b7d6 --- /dev/null +++ b/shim-only-os-name.patch @@ -0,0 +1,13 @@ +diff --git a/Makefile b/Makefile +index 91e6bcd..6ed5ba7 100644 +--- a/Makefile ++++ b/Makefile +@@ -63,7 +63,7 @@ shim_cert.h: shim.cer + + version.c : version.c.in + sed -e "s,@@VERSION@@,$(VERSION)," \ +- -e "s,@@UNAME@@,$(shell uname -a)," \ ++ -e "s,@@UNAME@@,$(shell uname -o)," \ + -e "s,@@COMMIT@@,$(shell if [ -d .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo commit id not available; fi)," \ + < version.c.in > version.c + 
diff --git a/shim-opensuse-cert-prompt.patch b/shim-opensuse-cert-prompt.patch new file mode 100644 index 0000000..a7bba19 --- /dev/null +++ b/shim-opensuse-cert-prompt.patch 
@@ -0,0 +1,390 @@ +From 2082ad15e0b3413845a1ddc10c2953dcd95beb83 Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Tue, 18 Feb 2014 17:29:19 +0800 +Subject: [PATCH 1/3] Show the build-in certificate prompt + +This is an openSUSE-only patch. + +Pop up a window to ask if the user is willing to trust the built-in +openSUSE certificate. + +If yes, set openSUSE_Verify, a BootService variable, to 1, and shim +won't bother the user afterward. + +If no, continue the booting process without using the built-in +certificate to verify the EFI images, and the window will show up +again after reboot. + +The state will store in use_openSUSE_cert, a volatile RT variable. +--- + shim.c | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++----------- + 1 file changed, 97 insertions(+), 19 deletions(-) + +diff --git a/shim.c b/shim.c +index 0b20191..a483ce3 100644 +--- a/shim.c ++++ b/shim.c +@@ -82,6 +82,7 @@ UINT8 *vendor_dbx; + */ + verification_method_t verification_method; + int loader_is_participating; ++BOOLEAN use_builtin_cert; + + #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }} + +@@ -752,7 +753,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, + if (status == EFI_SUCCESS) + return status; + +- if (cert) { ++ if (cert && use_builtin_cert) { + /* + * Check against the shim build key + */ +@@ -1418,11 +1419,14 @@ EFI_STATUS mirror_mok_list() + if (efi_status != EFI_SUCCESS) + DataSize = 0; + +- FullDataSize = DataSize +- + sizeof (*CertList) +- + sizeof (EFI_GUID) +- + vendor_cert_size +- ; ++ FullDataSize = DataSize; ++ if (use_builtin_cert) { ++ FullDataSize += sizeof (*CertList) + ++ sizeof (EFI_GUID) + ++ vendor_cert_size; ++ } else if (DataSize == 0) { ++ return EFI_SUCCESS; ++ } + FullData = AllocatePool(FullDataSize); + if (!FullData) { + Print(L"Failed to allocate space for MokListRT\n"); +@@ -1434,21 +1438,24 @@ EFI_STATUS mirror_mok_list() + CopyMem(p, Data, 
DataSize); + p += DataSize; + } +- CertList = (EFI_SIGNATURE_LIST *)p; +- p += sizeof (*CertList); +- CertData = (EFI_SIGNATURE_DATA *)p; +- p += sizeof (EFI_GUID); + +- CertList->SignatureType = EFI_CERT_X509_GUID; +- CertList->SignatureListSize = vendor_cert_size +- + sizeof (*CertList) +- + sizeof (*CertData) +- -1; +- CertList->SignatureHeaderSize = 0; +- CertList->SignatureSize = vendor_cert_size + sizeof (EFI_GUID); ++ if (use_builtin_cert) { ++ CertList = (EFI_SIGNATURE_LIST *)p; ++ p += sizeof (*CertList); ++ CertData = (EFI_SIGNATURE_DATA *)p; ++ p += sizeof (EFI_GUID); + +- CertData->SignatureOwner = SHIM_LOCK_GUID; +- CopyMem(p, vendor_cert, vendor_cert_size); ++ CertList->SignatureType = EFI_CERT_X509_GUID; ++ CertList->SignatureListSize = vendor_cert_size ++ + sizeof (*CertList) ++ + sizeof (*CertData) ++ -1; ++ CertList->SignatureHeaderSize = 0; ++ CertList->SignatureSize = vendor_cert_size + sizeof (EFI_GUID); ++ ++ CertData->SignatureOwner = SHIM_LOCK_GUID; ++ CopyMem(p, vendor_cert, vendor_cert_size); ++ } + + efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokListRT", + &shim_lock_guid, +@@ -1767,6 +1774,75 @@ uninstall_shim_protocols(void) + &shim_lock_guid, &shim_lock_interface); + } + ++#define VENDOR_VERIFY L"openSUSE_Verify" ++ ++/* Show the built-in certificate prompt if necessary */ ++static int builtin_cert_prompt(void) ++{ ++ EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; ++ EFI_STATUS status; ++ UINT32 attributes; ++ UINTN len = sizeof(UINT8); ++ UINT8 data; ++ ++ use_builtin_cert = FALSE; ++ ++ if (vendor_cert_size == 0) ++ return 0; ++ ++ status = uefi_call_wrapper(RT->GetVariable, 5, VENDOR_VERIFY, ++ &shim_lock_guid, &attributes, ++ &len, &data); ++ if (status != EFI_SUCCESS || ++ (attributes & EFI_VARIABLE_RUNTIME_ACCESS)) { ++ int choice; ++ ++ if (status != EFI_NOT_FOUND) ++ LibDeleteVariable(VENDOR_VERIFY, &shim_lock_guid); ++ ++ CHAR16 *str[] = {L"Trust openSUSE Certificate", ++ L"", ++ L"Do you agree to use the built-in 
openSUSE certificate", ++ L"to verify boot loaders and kernels?", ++ NULL}; ++ choice = console_yes_no(str); ++ if (choice != 1) { ++ data = 0; ++ goto done; ++ } ++ ++ data = 1; ++ status = uefi_call_wrapper(RT->SetVariable, 5, ++ VENDOR_VERIFY, ++ &shim_lock_guid, ++ EFI_VARIABLE_NON_VOLATILE | ++ EFI_VARIABLE_BOOTSERVICE_ACCESS, ++ sizeof(UINT8), &data); ++ if (status != EFI_SUCCESS) { ++ console_error(L"Failed to set openSUSE_Verify", status); ++ return -1; ++ } ++ } ++ ++ use_builtin_cert = TRUE; ++ data = 1; ++ ++done: ++ /* Setup a runtime variable to show the current state */ ++ status = uefi_call_wrapper(RT->SetVariable, 5, ++ L"use_openSUSE_cert", ++ &shim_lock_guid, ++ EFI_VARIABLE_BOOTSERVICE_ACCESS | ++ EFI_VARIABLE_RUNTIME_ACCESS, ++ sizeof(UINT8), &data); ++ if (status != EFI_SUCCESS) { ++ console_error(L"Failed to set use_openSUSE_cert", status); ++ return -1; ++ } ++ ++ return 0; ++} ++ + EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) + { + EFI_STATUS efi_status; +@@ -1819,6 +1895,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) + */ + hook_system_services(systab); + loader_is_participating = 0; ++ if (builtin_cert_prompt() != 0) ++ return EFI_ABORTED; + } + + efi_status = install_shim_protocols(); +-- +1.8.4.5 + + +From 57b6062bc614d5638e66f8c5ac62106b812c6d1a Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Thu, 20 Feb 2014 16:57:08 +0800 +Subject: [PATCH 2/3] Support revoking the openSUSE cert + +This is an openSUSE-only patch. 
+ +To revoke the openSUSE cert, create ClearVerify, a NV RT variable, +and store the password hash in the variable, and then MokManager +will show up with an additional option to clear openSUSE_Verify +--- + MokManager.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- + shim.c | 2 +- + 2 files changed, 60 insertions(+), 3 deletions(-) + +diff --git a/MokManager.c b/MokManager.c +index 71a3137..a03eea4 100644 +--- a/MokManager.c ++++ b/MokManager.c +@@ -1570,6 +1570,33 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) { + return -1; + } + ++static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) { ++ EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; ++ EFI_STATUS status; ++ ++ if (console_yes_no((CHAR16 *[]){L"Do you want to revoke openSUSE certificate?", NULL}) != 1) ++ return 0; ++ ++ if (ClearVerifySize == PASSWORD_CRYPT_SIZE) { ++ status = match_password((PASSWORD_CRYPT *)ClearVerify, NULL, 0, ++ NULL, NULL); ++ } ++ if (status != EFI_SUCCESS) ++ return -1; ++ ++ status = LibDeleteVariable(L"openSUSE_Verify", &shim_lock_guid); ++ if (status != EFI_SUCCESS) { ++ console_error(L"Failed to delete openSUSE_Verify", status); ++ return -1; ++ } ++ ++ console_notify(L"The system must now be rebooted"); ++ uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm, ++ EFI_SUCCESS, 0, NULL); ++ console_notify(L"Failed to reboot"); ++ return -1; ++} ++ + static BOOLEAN verify_certificate(void *cert, UINTN size) + { + X509 *X509Cert; +@@ -1903,6 +1930,7 @@ typedef enum { + MOK_CHANGE_SB, + MOK_SET_PW, + MOK_CHANGE_DB, ++ MOK_CLEAR_VERIFY, + MOK_KEY_ENROLL, + MOK_HASH_ENROLL + } mok_menu_item; +@@ -1914,7 +1942,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, + void *MokPW, UINTN MokPWSize, + void *MokDB, UINTN MokDBSize, + void *MokXNew, UINTN MokXNewSize, +- void *MokXDel, UINTN MokXDelSize) ++ void *MokXDel, UINTN MokXDelSize, ++ void *ClearVerify, UINTN ClearVerifySize) + { + CHAR16 **menu_strings; + mok_menu_item 
*menu_item; +@@ -1988,6 +2017,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, + if (MokDB) + menucount++; + ++ if (ClearVerify) ++ menucount++; ++ + menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (menucount + 1)); + + if (!menu_strings) +@@ -2057,6 +2089,12 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, + i++; + } + ++ if (ClearVerify) { ++ menu_strings[i] = L"Revoke openSUSE certificate"; ++ menu_item[i] = MOK_CLEAR_VERIFY; ++ i++; ++ } ++ + menu_strings[i] = L"Enroll key from disk"; + menu_item[i] = MOK_KEY_ENROLL; + i++; +@@ -2107,6 +2145,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, + case MOK_CHANGE_DB: + mok_db_prompt(MokDB, MokDBSize); + break; ++ case MOK_CLEAR_VERIFY: ++ mok_clear_verify_prompt(ClearVerify, ClearVerifySize); ++ break; + case MOK_KEY_ENROLL: + mok_key_enroll(); + break; +@@ -2132,6 +2173,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) + EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; + UINTN MokNewSize = 0, MokDelSize = 0, MokSBSize = 0, MokPWSize = 0; + UINTN MokDBSize = 0, MokXNewSize = 0, MokXDelSize = 0; ++ UINTN ClearVerifySize = 0; + void *MokNew = NULL; + void *MokDel = NULL; + void *MokSB = NULL; +@@ -2139,6 +2181,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) + void *MokDB = NULL; + void *MokXNew = NULL; + void *MokXDel = NULL; ++ void *ClearVerify = NULL; + EFI_STATUS status; + + status = get_variable(L"MokNew", (UINT8 **)&MokNew, &MokNewSize, +@@ -2211,9 +2254,20 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) + console_error(L"Could not retrieve MokXDel", status); + } + ++ status = get_variable(L"ClearVerify", (UINT8 **)&ClearVerify, &ClearVerifySize, ++ shim_lock_guid); ++ if (status == EFI_SUCCESS) { ++ if (LibDeleteVariable(L"ClearVerify", &shim_lock_guid) != EFI_SUCCESS) { ++ console_notify(L"Failed to delete ClearVerify"); ++ } ++ } else if (EFI_ERROR(status) && status != EFI_NOT_FOUND) { ++ console_error(L"Could not retrieve 
ClearVerify", status); ++ } ++ + enter_mok_menu(image_handle, MokNew, MokNewSize, MokDel, MokDelSize, + MokSB, MokSBSize, MokPW, MokPWSize, MokDB, MokDBSize, +- MokXNew, MokXNewSize, MokXDel, MokXDelSize); ++ MokXNew, MokXNewSize, MokXDel, MokXDelSize, ++ ClearVerify, ClearVerifySize); + + if (MokNew) + FreePool (MokNew); +@@ -2236,6 +2290,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) + if (MokXDel) + FreePool (MokXDel); + ++ if (ClearVerify) ++ FreePool (ClearVerify); ++ + LibDeleteVariable(L"MokAuth", &shim_lock_guid); + LibDeleteVariable(L"MokDelAuth", &shim_lock_guid); + LibDeleteVariable(L"MokXAuth", &shim_lock_guid); +diff --git a/shim.c b/shim.c +index a483ce3..3b00e6c 100644 +--- a/shim.c ++++ b/shim.c +@@ -1529,7 +1529,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle) + check_var(L"MokPW") || check_var(L"MokAuth") || + check_var(L"MokDel") || check_var(L"MokDB") || + check_var(L"MokXNew") || check_var(L"MokXDel") || +- check_var(L"MokXAuth")) { ++ check_var(L"MokXAuth") || check_var(L"ClearVerify")) { + efi_status = start_image(image_handle, MOK_MANAGER); + + if (efi_status != EFI_SUCCESS) { +-- +1.8.4.5 + + +From 8d1fc876a8117bdfa2d1e8975725e03660eadc7c Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Fri, 7 Mar 2014 16:17:20 +0800 +Subject: [PATCH 3/3] Delete openSUSE_Verify the right way + +This is an openSUSE-only patch. + +LibDeleteVariable only works on the runtime variables. 
+--- + MokManager.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/MokManager.c b/MokManager.c +index a03eea4..d4f107d 100644 +--- a/MokManager.c ++++ b/MokManager.c +@@ -1584,7 +1584,10 @@ static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) { + if (status != EFI_SUCCESS) + return -1; + +- status = LibDeleteVariable(L"openSUSE_Verify", &shim_lock_guid); ++ status = uefi_call_wrapper(RT->SetVariable, 5, ++ L"openSUSE_Verify", &shim_lock_guid, ++ EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE, ++ 0, NULL); + if (status != EFI_SUCCESS) { + console_error(L"Failed to delete openSUSE_Verify", status); + return -1; +-- +1.8.4.5 + diff --git a/shim.changes b/shim.changes index 465b298..73c47f0 100644 --- a/shim.changes +++ b/shim.changes 
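Review bot: In `mok_clear_verify_prompt` (patch 2/3 of shim-opensuse-cert-prompt.patch), `status` is assigned only inside `if (ClearVerifySize == PASSWORD_CRYPT_SIZE)`, so for any other size the following `if (status != EFI_SUCCESS)` reads an indeterminate value. The patch description says ClearVerify is a non-volatile runtime variable, so its size is set from the running OS. A wrongly sized value could therefore reach the `openSUSE_Verify` deletion without `match_password` ever being called. Declaring it as `EFI_STATUS status = EFI_ACCESS_DENIED;` makes the size mismatch fail closed. Patch 3/3 only replaces the delete call and leaves this path unchanged.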
@@ -1,3 +1,113 @@ +------------------------------------------------------------------- +Thu Apr 10 08:20:20 UTC 2014 - glin@suse.com + +- Replace shim-mokmanager-support-sha1.patch with + shim-mokmanager-support-sha-family.patch to support the SHA + family + +------------------------------------------------------------------- +Mon Apr 7 09:32:21 UTC 2014 - glin@suse.com + +- Add shim-mokmanager-support-sha1.patch to support SHA1 hashes in + MOK + +------------------------------------------------------------------- +Mon Mar 31 11:57:13 UTC 2014 - mchang@suse.com + +- snapper rollback support (fate#317062) + - refresh shim-install + +------------------------------------------------------------------- +Thu Mar 13 02:32:15 UTC 2014 - glin@suse.com + +- Insert the right signature (bnc#867974) + +------------------------------------------------------------------- +Mon Mar 10 07:56:44 UTC 2014 - glin@suse.com + +- Add shim-fix-uninitialized-variable.patch to fix the use of + uninitialzed variables in lib + +------------------------------------------------------------------- +Fri Mar 7 09:09:12 UTC 2014 - glin@suse.com + +- Add shim-mokmanager-delete-bs-var-right.patch to delete the BS+NV + variables the right way +- Update shim-opensuse-cert-prompt.patch to delete openSUSE_Verify + correctly + +------------------------------------------------------------------- +Thu Mar 6 07:37:57 UTC 2014 - glin@suse.com + +- Add shim-fallback-avoid-duplicate-bootorder.patch to fix the + duplicate entries in BootOrder +- Add shim-allow-fallback-use-system-loadimage.patch to handle the + shim protocol properly to keep only one protocol entity +- Refresh shim-opensuse-cert-prompt.patch + +------------------------------------------------------------------- +Thu Mar 6 03:53:49 UTC 2014 - mchang@suse.com + +- shim-install: fix the $prefix to use grub2-mkrelpath for paths + on btrfs subvolume (bnc#866690). 
+ +------------------------------------------------------------------- +Tue Mar 4 04:19:05 UTC 2014 - glin@suse.com + +- FATE#315002: Update shim-install to install shim.efi as the EFI + default bootloader when none exists in \EFI\boot. + +------------------------------------------------------------------- +Thu Feb 27 09:46:49 UTC 2014 - fcrozat@suse.com + +- Update signature-sles.asc: shim signed by UEFI signing service, + based on code from "Thu Feb 20 11:57:01 UTC 2014" + +------------------------------------------------------------------- +Fri Feb 21 08:45:46 UTC 2014 - glin@suse.com + +- Add shim-opensuse-cert-prompt.patch to show the prompt to ask + whether the user trusts the openSUSE certificate or not + +------------------------------------------------------------------- +Thu Feb 20 11:57:01 UTC 2014 - lnussel@suse.de + +- allow package to carry multiple signatures +- check correct certificate is embedded + +------------------------------------------------------------------- +Thu Feb 20 10:06:47 UTC 2014 - lnussel@suse.de + +- always clean up generated files that embed certificates + (shim_cert.h shim.cer shim.crt) to make sure next build loop + rebuilds them properly + +------------------------------------------------------------------- +Mon Feb 17 09:58:56 UTC 2014 - glin@suse.com + +- Add shim-bnc863205-mokmanager-fix-hash-delete.patch to fix the + hash deletion operation to avoid ruining the whole list + (bnc#863205) + +------------------------------------------------------------------- +Tue Feb 11 06:30:02 UTC 2014 - glin@suse.com + +- Update shim-mokx-support.patch to support the resetting of MOK + blacklist +- Add shim-get-variable-check.patch to fix the variable checking + in get_variable_attr +- Add shim-improve-fallback-entries-creation.patch to improve the + boot entry pathes and avoid generating the boot entries that + are already there +- Update SUSE certificate +- Update attach_signature.sh, show_hash.sh, strip_signature.sh, + 
extract_signature.sh and show_signatures.sh to remove the + creation of the temporary nss database +- Add shim-only-os-name.patch: remove the kernel version of the + build server +- Match the the prefix of the project name properly by escaping the + percent sign. + ------------------------------------------------------------------- Wed Jan 22 13:45:44 UTC 2014 - lnussel@suse.de diff --git a/shim.spec b/shim.spec index cdc712e..38d63a0 100644 --- a/shim.spec +++ b/shim.spec @@ -28,7 +28,7 @@ Url: https://github.com/mjg59/shim Source: %{name}-%{version}.tar.bz2 # run "extract_signature.sh shim.efi" where shim.efi is the binary # with the signature from the UEFI signing service. -Source1: microsoft.asc +Source1: signature-opensuse.asc Source2: openSUSE-UEFI-CA-Certificate.crt Source3: shim-install Source4: SLES-UEFI-CA-Certificate.crt @@ -38,6 +38,8 @@ Source7: show_hash.sh Source8: show_signatures.sh Source9: openSUSE-UEFI-CA-Certificate-4096.crt Source10: timestamp.pl +Source11: strip_signature.sh +Source12: signature-sles.asc # PATCH-FIX-UPSTREAM shim-fix-verify-mok.patch glin@suse.com -- Fix the error handling in verify_mok() Patch1: shim-fix-verify-mok.patch # PATCH-FIX-UPSTREAM shim-improve-error-messages.patch glin@suse.com -- Improve the error messages 
@@ -50,6 +52,26 @@ Patch4: shim-fix-dhcpv4-path-generation.patch Patch5: shim-mokx-support.patch # PATCH-FIX-UPSTREAM shim-mokmanager-handle-keystroke-error.patch glin@suse.com -- Handle the error status from ReadKeyStroke to avoid the unexpected keys Patch6: shim-mokmanager-handle-keystroke-error.patch +# PATCH-FIX-SUSE shim-only-os-name.patch glin@suse.com -- Only include the OS name in version.c +Patch7: shim-only-os-name.patch +# PATCH-FIX-UPSTREAM shim-get-variable-check.patch glin@suse.com -- Fix the variable checking in get_variable_attr +Patch8: shim-get-variable-check.patch +# PATCH-FIX-UPSTREAM shim-fallback-improve--entries-creation.patch glin@suse.com -- Improve the boot entry pathes and avoid generating the boot entries that are already there +Patch9: shim-fallback-improve-entries-creation.patch +# PATCH-FIX-UPSTREAM shim-bnc863205-mokmanager-fix-hash-delete.patch bnc#863205 glin@suse.com -- Fix the hash deletion operation to avoid ruining the whole list +Patch10: shim-bnc863205-mokmanager-fix-hash-delete.patch +# PATCH-FIX-UPSTREAM shim-fallback-avoid-duplicate-bootorder.patch glin@suse.com -- Fix the duplicate BootOrder entries generated by fallback.efi +Patch11: shim-fallback-avoid-duplicate-bootorder.patch +# PATCH-FIX-UPSTREAM shim-allow-fallback-use-system-loadimage.patch glin@suse.com -- Handle the shim protocol properly to keep only one protocol entity +Patch12: shim-allow-fallback-use-system-loadimage.patch +# PATCH-FIX-UPSTREAM shim-mokmanager-delete-bs-var-right.patch glin@suse.com -- Delete BootService non-volatile variables the right way +Patch13: shim-mokmanager-delete-bs-var-right.patch +# PATCH-FIX-UPSTREAM shim-fix-uninitialized-variable.patch glin@suse.com -- Initialize the variable in lib properly +Patch14: shim-fix-uninitialized-variable.patch +# PATCH-FIX-UPSTREAM shim-mokmanager-support-sha-family.patch glin@suse.com -- Support SHA hashes in MOK +Patch15: shim-mokmanager-support-sha-family.patch +# PATCH-FIX-OPENSUSE 
shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not +Patch100: shim-opensuse-cert-prompt.patch BuildRequires: gnu-efi >= 3.0t BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 @@ -78,6 +100,16 @@ Authors: %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch100 -p1 %build # first, build MokManager and fallback as they don't depend on a @@ -108,12 +140,18 @@ for suffix in "${suffixes[@]}"; do if test "$suffix" = "opensuse"; then cert=%{SOURCE2} cert2=%{SOURCE9} + verify='openSUSE Secure Boot CA1' + signature=%{SOURCE1} elif test "$suffix" = "sles"; then cert=%{SOURCE4} cert2='' + verify='SUSE Linux Enterprise Secure Boot CA1' + signature=%{SOURCE12} elif test "$suffix" = "devel"; then cert=%{_sourcedir}/_projectcert.crt cert2='' + verify=`openssl x509 -in "$cert" -noout -email` + signature='' test -e "$cert" || continue else echo "invalid suffix" @@ -121,6 +159,7 @@ for suffix in "${suffixes[@]}"; do fi openssl x509 -in $cert -outform DER -out shim-$suffix.der + rm -f shim_cert.h shim.cer shim.crt if [ -z "$cert2" ]; then # create empty local cert file, we don't need a local key pair as we # sign the mokmanager with our vendor key 
@@ -128,35 +167,38 @@ for suffix in "${suffixes[@]}"; do touch shim.cer else cp $cert2 shim.crt - rm -f shim.cer fi # make sure cast warnings don't trigger post build check make EFI_PATH=/usr/lib64 VENDOR_CERT_FILE=shim-$suffix.der shim.efi 2>/dev/null + # + # assert correct certificate embedded + grep -q "$verify" shim.efi # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx - chmod 755 %{SOURCE6} %{SOURCE7} %{SOURCE10} + chmod 755 %{SOURCE10} # alternative: verify signature #sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi - head -1 %{SOURCE1} > hash1 - cp shim.efi shim.efi.bak - # pe header contains timestamp and checksum. we need to - # restore that - %{SOURCE10} --set-from-file %{SOURCE1} shim.efi - %{SOURCE7} shim.efi > hash2 - cat hash1 hash2 - if ! cmp -s hash1 hash2; then - echo "ERROR: binary changed, need to request new signature!" - # don't fail in devel projects - prj="%{_project}" - if [ "${prj%%:*}" = "openSUSE" -o "${prj%%:*}" = "SUSE" ]; then - false - fi - mv shim.efi.bak shim-$suffix.efi - rm shim.efi - else - # attach signature - %{SOURCE6} %{SOURCE1} shim.efi - mv shim-signed.efi shim-$suffix.efi - rm -f shim.efi + if test -n "$signature"; then + head -1 "$signature" > hash1 + cp shim.efi shim.efi.bak + # pe header contains timestamp and checksum. we need to + # restore that + %{SOURCE10} --set-from-file "$signature" shim.efi + pesign -h -P -i shim.efi > hash2 + cat hash1 hash2 + if ! cmp -s hash1 hash2; then + echo "ERROR: $suffix binary changed, need to request new signature!" + # don't fail in devel projects + prj="%{_project}" + if [ "${prj%%%:*}" = "openSUSE" -o "${prj%%%:*}" = "SUSE" ]; then + false + fi + mv shim.efi.bak shim-$suffix.efi + rm shim.efi + else + # attach signature + pesign -m "$signature" -i shim.efi -o shim-$suffix.efi + rm -f shim.efi + fi fi rm -f shim.cer shim.crt # make sure cert.o gets rebuilt diff --git a/show_hash.sh b/show_hash.sh index 82c4944..a485768 100644 --- a/show_hash.sh +++ b/show_hash.sh 
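Review bot: The added `grep -q "$verify" shim.efi` is a weak check that the intended certificate was embedded, because it matches a subject string as a regular expression rather than comparing the certificate itself. For the `devel` suffix, `verify` is set from `openssl x509 -in "$cert" -noout -email` in the earlier `@@ -108,12 +140,18 @@` hunk. If the project certificate carries no e-mail address that value is empty, and an empty pattern matches any file. A fixed-string match that rejects an empty value would close this, e.g. `test -n "$verify" && grep -qF -- "$verify" shim.efi`; comparing a fingerprint of the embedded certificate against `shim-$suffix.der` would be stronger. The enclosing `for suffix` loop starts and ends outside this hunk.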
@@ -9,13 +9,4 @@ if [ -z "$infile" -o ! -e "$infile" ]; then exit 1 fi -nssdir=`mktemp -d` -cleanup() -{ - rm -r "$nssdir" -} -trap cleanup EXIT -echo > "$nssdir/pw" -certutil -f "$nssdir/pw" -d "$nssdir" -N - -pesign -n "$nssdir" -h -P -i "$infile" +pesign -h -P -i "$infile" diff --git a/show_signatures.sh b/show_signatures.sh index d9bdb6e..ab9acdb 100644 --- a/show_signatures.sh +++ b/show_signatures.sh @@ -9,13 +9,4 @@ if [ -z "$infile" -o ! -e "$infile" ]; then exit 1 fi -nssdir=`mktemp -d` -cleanup() -{ - rm -r "$nssdir" -} -trap cleanup EXIT -echo > "$nssdir/pw" -certutil -f "$nssdir/pw" -d "$nssdir" -N - -pesign -n "$nssdir" -S -i "$infile" +pesign -S -i "$infile" diff --git a/microsoft.asc b/signature-opensuse.asc similarity index 100% rename from microsoft.asc rename to signature-opensuse.asc diff --git a/signature-sles.asc b/signature-sles.asc new file mode 100644 index 0000000..d88c3c8 --- /dev/null +++ b/signature-sles.asc 
@@ -0,0 +1,188 @@ +hash: f31fd461c5e99510403fc97c1da2d8a9cbe270597d32badf8fd66b77495f8d94 +# 2069-04-10 06:07:54 +timestamp: babababa +checksum: 61c9 +-----BEGIN AUTHENTICODE SIGNATURE----- +MIIh9AYJKoZIhvcNAQcCoIIh5TCCIeECAQExDzANBglghkgBZQMEAgEFADBcBgor +BgEEAYI3AgEEoE4wTDAXBgorBgEEAYI3AgEPMAkDAQCgBKICgAAwMTANBglghkgB +ZQMEAgEFAAQg8x/UYcXplRBAP8l8HaLYqcvicFl9Mrrfj9Zrd0lfjZSgggs8MIIF +JDCCBAygAwIBAgITMwAAAApmQvP0n7c3lgABAAAACjANBgkqhkiG9w0BAQsFADCB +gTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl +ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMi +TWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTAeFw0xMzA5MjQxNzU0 +MDNaFw0xNDEyMjQxNzU0MDNaMIGVMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz +aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv +cnBvcmF0aW9uMQ0wCwYDVQQLEwRNT1BSMTAwLgYDVQQDEydNaWNyb3NvZnQgV2lu +ZG93cyBVRUZJIERyaXZlciBQdWJsaXNoZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQCc2PZRP3t6i2DCLSAuWrFHZKfyD98yckc9yxqqqJACgekdZi4s +ZEN1vYcVfiUhW4hFpdH3kcPah7wf+uqgyQa1hb/9AzDH63JYfaHLWA+Jx0leY0cG +CsIFviaUHrCEgxhkeXdrGfHroDcWArv2yBBvj+zvePVE9/VpDoBK+2nAFxz0oG23 +BzE5duVpHIZn96fNyoDKYvCf649VqjM+O5/b5jlDylkMWAIVTvWqE0r/7YnC1Vcc +cgJDQk8IaIWSepRsjrvvf8C8uG3ZSxVjQeuPz7ETAryJIWvYdz240MzVAJD7SazH +SbVJm1LPHfS2FEpx3uUNOuo3IJrrxqeals8FAgMBAAGjggF9MIIBeTAfBgNVHSUE +GDAWBggrBgEFBQcDAwYKKwYBBAGCN1ACATAdBgNVHQ4EFgQU6t49RpSALGo0XSnP +ixuEhp5y0NEwUQYDVR0RBEowSKRGMEQxDTALBgNVBAsTBE1PUFIxMzAxBgNVBAUT +KjMxNjE5KzAxMjU1ZjQ2LTc0ZjUtNGZjNC1iYzcxLWU0ZGE5NzM2YmVlZTAfBgNV +HSMEGDAWgBQTrb9DCb2CcJyM1U8xbtUimIob1DBTBgNVHR8ETDBKMEigRqBEhkJo +dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNDb3JVRUZDQTIw +MTFfMjAxMS0wNi0yNy5jcmwwYAYIKwYBBQUHAQEEVDBSMFAGCCsGAQUFBzAChkRo +dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvclVFRkNB +MjAxMV8yMDExLTA2LTI3LmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUA +A4IBAQAqJ9a9LzTGipmJ7IVkSf5JNK1cBhXsWBlmQ5kFNzeoa+RskUuUeM45NTS3 +We7F628BW3BrhT8dK+Uf6YB7F46qng+VWNal2RPFjHSSy60QartzlUJoAaQvNjhC 
+5gv3LQRmaIZdtdjOLJAclnMETQWrt0wXGsGYwPk3a7kYXsdSO7U+bSwRRkL/v74g +78bCVxwgBhWctw/yxCjpl/bOg79XrZpHxH3szpgwz4YaFWRxxiYAoCYLROKeqObj +PEB8BG83vkpG3K84wBiyT5ab63FtjnbOvD0dGRNO1vIWzC41eEi0mYGW69cya8o+ +Ot4bqI6YYSpWmkah9FhW9OLfoCpdMIIGEDCCA/igAwIBAgIKYQjTxAAAAAAABDAN +BgkqhkiG9w0BAQsFADCBkTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0 +b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3Jh +dGlvbjE7MDkGA1UEAxMyTWljcm9zb2Z0IENvcnBvcmF0aW9uIFRoaXJkIFBhcnR5 +IE1hcmtldHBsYWNlIFJvb3QwHhcNMTEwNjI3MjEyMjQ1WhcNMjYwNjI3MjEzMjQ1 +WjCBgTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT +B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UE +AxMiTWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAKUIbEzHRQlqSwykwId/BnUMQwFUZOAWfwft +kn0LsnO/DArGSkVhoMUWLZbT9Sug+01Jm0GAkDy5VP3mvNGdxKQYin9BilxZg2gy +u4xHye5xvCFPmop8/0Q/jY8ysiZIrnW17slMHkoZfuSCmh14d00MsL32D9MW07z6 +K6VROF31+7rbeALb/+wKG5bVg7gZE+m2wHtAe+EfKCfJ+u9WXhzmfpR+wPBEsnk5 +5dqyYotNvzhw4mgkFMkzpAg31VhpXtN87cEEUwjnTrAqh2MIYW9jFVnqsit51wxh +Z4pb/V6th3+6hmdPcVgSIgQiIs6L71RxAM5QNVh2lQjuarGiAdUCAwEAAaOCAXYw +ggFyMBIGCSsGAQQBgjcVAQQFAgMBAAEwIwYJKwYBBAGCNxUCBBYEFPjBa7d/d1NK +8yU3HU6hJnsPIHCAMB0GA1UdDgQWBBQTrb9DCb2CcJyM1U8xbtUimIob1DAZBgkr +BgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUw +AwEB/zAfBgNVHSMEGDAWgBRFZlJD4X5YEb/WTp4jVQg7OiJqqDBcBgNVHR8EVTBT +MFGgT6BNhktodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0 +cy9NaWNDb3JUaGlQYXJNYXJSb29fMjAxMC0xMC0wNS5jcmwwYAYIKwYBBQUHAQEE +VDBSMFAGCCsGAQUFBzAChkRodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2Nl +cnRzL01pY0NvclRoaVBhck1hclJvb18yMDEwLTEwLTA1LmNydDANBgkqhkiG9w0B +AQsFAAOCAgEANQhC/zDMzvd2DK0QaFg1KUYydid87xJBJ0IbSqptgThIWRNV8+lY +NKYWC4KqXa2C2oCDQQaPtB3yA7nzGl0b8VCQ+bNVhEIoHCC9sq5RFMXArJeVIRyQ +2w/8d56Vc5GIyr29UrkFUA3fV56gYe0N5W0l2UAPF0DIzqNKwk2vmhIdCFSPvce8 +uSs9SSsfMvxqIWlPm8h+QjT8NgYXi48gQMCzmiV1J83JA6P2XdHnNlR6uVC10xLR +B7+7dN/cHo+A1e0Y9C8UFmsv3maMsCPlx4TY7erBM4KtVksYLfFolQfNz/By8K67 
+3YaFmCwhTDMr8A9K8GiHtZJVMnWhaoJqPKMlEaTtrdcErsvYQFmghNGVTGKRIhp0 +HYw9Rw5EpuSwmzQ1sfq2U6gsgeykBXHInbi66BtEZuRHVA6OVn+znxaYsobQaD6Q +I7UvXo9QhY3GjYJfQaH0Lg3gmdJsdeS2abUhhvoH0fbiTdHarSx3Ux4lMjfHbFJy +lYaw8TVhahn1sjuBUFamMi3+oon5QoYnGFWhgspam/gwmFQUpkeWJS/IJuRBlBpc +Aj/lluOFWzw+P7tHFnJV4iUisdl75wMGKqP3HpBGwwAN1hmJ4w41J2IDcRWm79An +oKBZN2D4OJS44Hhw+LpMhoeU9uCuAkXuZcK2o35pFnUHkpv1prxZg1gxghYrMIIW +JwIBATCBmTCBgTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAO +BgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEr +MCkGA1UEAxMiTWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMQITMwAA +AApmQvP0n7c3lgABAAAACjANBglghkgBZQMEAgEFAKCCAREwGQYJKoZIhvcNAQkD +MQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwLwYJ +KoZIhvcNAQkEMSIEIJrzMZcr8o7z/mk2WCbI8fEz7nZbYeVPQtJjL0exXBCxMIGk +BgorBgEEAYI3AgEMMYGVMIGSoF6AXABoAHQAdABwADoALwAvAHcAdwB3AC4AbQBp +AGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvAHcAaABkAGMALwBoAGMAbAAvAGQAZQBm +AGEAdQBsAHQALgBtAHMAcAB4oTCALmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS93 +aGRjL2hjbC9kZWZhdWx0Lm1zcHgwDQYJKoZIhvcNAQEBBQAEggEAjHDQORfm8d8T +eyJMiPDMRPFiO/aBL7UtF4rtDUeYi+c9UU6KDVXHi19Z9DNt3pkRRm4DxFVdDPXU +P1TFD8HWbQPQ7YGGRjDOv1BwxZ+5F6xmNgoxUh0khKisi3l0LPq6Zauee7ebgly3 +6A6GQSKlaXH7MXxMsgbvGFdXAQs/KVMb3xzuttby/jcQ9lxoMr4SVcM6Vu6fFZ24 +DWhHFtONzHFSvJ3Sf10d8teTvikrIaXg7pzNU+T7+sMXsiyhVhWiFFFtetaaxtT4 +vcKDuGHNP797WM1YYxZz+2sMbWyi81h+We6ReHn0V+UUW4b7i4yh0p2Vy3xPrzb6 +TgGQIyi536GCE00wghNJBgorBgEEAYI3AwMBMYITOTCCEzUGCSqGSIb3DQEHAqCC +EyYwghMiAgEDMQ8wDQYJYIZIAWUDBAIBBQAwggE9BgsqhkiG9w0BCRABBKCCASwE +ggEoMIIBJAIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFlAwQCAQUABCAqAR+tIZOx +IQiET4LQ+OsCmH0VlrTUkAPePwl/JtC8pAIGUt6TDOrUGBMyMDE0MDIyNzAxMDcz +My43NzNaMAcCAQGAAgH0oIG5pIG2MIGzMQswCQYDVQQGEwJVUzETMBEGA1UECBMK +V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0 +IENvcnBvcmF0aW9uMQ0wCwYDVQQLEwRNT1BSMScwJQYDVQQLEx5uQ2lwaGVyIERT +RSBFU046QzBGNC0zMDg2LURFRjgxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0 +YW1wIFNlcnZpY2Wggg7QMIIGcTCCBFmgAwIBAgIKYQmBKgAAAAAAAjANBgkqhkiG 
+9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAO +BgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEy +MDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIw +MTAwHhcNMTAwNzAxMjEzNjU1WhcNMjUwNzAxMjE0NjU1WjB8MQswCQYDVQQGEwJV +UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE +ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGlt +ZS1TdGFtcCBQQ0EgMjAxMDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AKkdDbx3EYo6IOz8E5f1+n9plGt0VBDVpQoAgoX77XxoSyxfxcPlYcJ2tz5mK1vw +FVMnBDEfQRsalR3OCROOfGEwWbEwRA/xYIiEVEMM1024OAizQt2TrNZzMFcmgqNF +DdDq9UeBzb8kYDJYYEbyWEeGMoQedGFnkV+BVLHPk0ySwcSmXdFhE24oxhr5hoC7 +32H8RsEnHSRnEnIaIYqvS2SJUGKxXf13Hz3wV3WsvYpCTUBR0Q+cBj5nf/VmwAOW +RH7v0Ev9buWayrGo8noqCjHw2k4GkbaICDXoeByw6ZnNPOcvRLqn9NxkvaQBwSAJ +k3jN/LzAyURdXhacAQVPIk0CAwEAAaOCAeYwggHiMBAGCSsGAQQBgjcVAQQDAgEA +MB0GA1UdDgQWBBTVYzpcijGQ80N7fEYbxTNoWoVtVTAZBgkrBgEEAYI3FAIEDB4K +AFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSME +GDAWgBTV9lbLj+iiXGJo0T2UkFvXzpoYxDBWBgNVHR8ETzBNMEugSaBHhkVodHRw +Oi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJB +dXRfMjAxMC0wNi0yMy5jcmwwWgYIKwYBBQUHAQEETjBMMEoGCCsGAQUFBzAChj5o +dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dF8y +MDEwLTA2LTIzLmNydDCBoAYDVR0gAQH/BIGVMIGSMIGPBgkrBgEEAYI3LgMwgYEw +PQYIKwYBBQUHAgEWMWh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9QS0kvZG9jcy9D +UFMvZGVmYXVsdC5odG0wQAYIKwYBBQUHAgIwNB4yIB0ATABlAGcAYQBsAF8AUABv +AGwAaQBjAHkAXwBTAHQAYQB0AGUAbQBlAG4AdAAuIB0wDQYJKoZIhvcNAQELBQAD +ggIBAAfmiFEN4sbgmD+BcQM9naOhIW+z66bM9TG+zwXiqf76V20ZMLPCxWbJat/1 +5/B4vceoniXj+bzta1RXCCtRgkQS+7lTjMz0YBKKdsxAQEGb3FwX/1z5Xhc1mCRW +S3TvQhDIr79/xn/yN31aPxzymXlKkVIArzgPF/UveYFl2am1a+THzvbKegBvSzBE +JCI8z+0DpZaPWSm8tv0E4XCfMkon/VWvL/625Y4zu2JfmttXQOnxzplmkIz/amJ/ +3cVKC5Em4jnsGUpxY517IW3DnKOiPPp/fZZqkHimbdLhnPkd/DjYlPTGpQqWhqS9 +nhquBEKDuLWAmyI4ILUl5WTs9/S/fmNZJQ96LjlXdqJxqgaKD4kWumGnEcua2A5H +moDF0M2n0O99g/DhO3EJ3110mCIIYdqwUB5vvfHhAN/nMQekkzr3ZUd46PioSKv3 
+3nJ+YWtvd6mBy6cJrDm77MbL2IK0cs0d9LiFAR6A+xuJKlQ5slvayA1VmXqHczsI +5pgt6o3gMy4SKfXAL1QnIffIrE7aKLixqduWsqdCosnPGUFN4Ib5KpqjEWYw07t0 +MkvfY3v1mYovG8chr1m1rtxEPJdQcdeh0sVV42neV8HR3jDA/czmTfsNv11P6Z0e +GTgvvM9YBS7vDaBQNdrvCScc1bN+NR4Iuto229Nfj950iEkSMIIE2jCCA8KgAwIB +AgITMwAAACiQZ7kEsDxuZgAAAAAAKDANBgkqhkiG9w0BAQsFADB8MQswCQYDVQQG +EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG +A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQg +VGltZS1TdGFtcCBQQ0EgMjAxMDAeFw0xMzAzMjcyMDEzMTNaFw0xNDA2MjcyMDEz +MTNaMIGzMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE +BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMQ0wCwYD +VQQLEwRNT1BSMScwJQYDVQQLEx5uQ2lwaGVyIERTRSBFU046QzBGNC0zMDg2LURF +RjgxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2UwggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDdpUi/akidSiGckmve4C3c5GP4zLmJ +xMcbvee10/vtrs8x/vNmsEQD2plnCFq/dQYiEYnQZ1LM+s+SN0Xo+vG9M9PMc+O4 +IaSgFX3LL8QDBdo/lnPTWeWYTQtWhi+dR9HWX52R6ceE2ZVrMky0awBS4EHTPGl0 +qM7MfWidUlXmcH8UB6KeZ7CGRPMzP3Ndxij4F19SAS1EL9bteAi45TsvwLnDS8O3 +Oy/TprWcsUhK3TIJVqEbS1rTqiYnDBJDYMVq19pADWCYiUG7k3Pdv/7EjFvO+lUn +yk1Nmm99EWyxRyOwTHxsfwahdIIfUngY6QYaFlCawzrdgYH3mydyIX91AgMBAAGj +ggEbMIIBFzAdBgNVHQ4EFgQU3JgInXnRBLKLR8Nx0Izns+awU50wHwYDVR0jBBgw +FoAU1WM6XIoxkPNDe3xGG8UzaFqFbVUwVgYDVR0fBE8wTTBLoEmgR4ZFaHR0cDov +L2NybC5taWNyb3NvZnQuY29tL3BraS9jcmwvcHJvZHVjdHMvTWljVGltU3RhUENB +XzIwMTAtMDctMDEuY3JsMFoGCCsGAQUFBwEBBE4wTDBKBggrBgEFBQcwAoY+aHR0 +cDovL3d3dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNUaW1TdGFQQ0FfMjAx +MC0wNy0wMS5jcnQwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDCDAN +BgkqhkiG9w0BAQsFAAOCAQEAgiLztz1kfhJL/Cb84OS30MQUTgn+q1aa0VqYpr6M +QR6UtDK+hLS3RXbj72AYJIeoz+m00VQpvMrkyxJ7wPHUDp8xMxsRP3o73d0CqhjK +yjz6luNsu6+7yYQ+x9gMhctyCwEbpPUxERAMRaVaSJl+2r5Fhte6TeSB/9NYCnZl +Blkv9sJCzwTJqxv6YZ3185hJcLFJ0GTEIejuYBdTfusC2miVi/UKPAHbo7WYFFF0 +nlPp2nKYZqBfKc+Prx+CnNPr5vFMG1T46DLcwRXDrCpudAUWg+NEmJ/L7+gweX+v +UqU6H99lx43+J9hHGZIItIs0jmknNxoC9pGzlSL/CEgq/qGCA3kwggJhAgEBMIHj 
+oYG5pIG2MIGzMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4G +A1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMQ0w +CwYDVQQLEwRNT1BSMScwJQYDVQQLEx5uQ2lwaGVyIERTRSBFU046QzBGNC0zMDg2 +LURFRjgxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2WiJQoB +ATAJBgUrDgMCGgUAAxUA8120HsdfO2ZOZQ7emART9hWnH0SggcIwgb+kgbwwgbkx +CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt +b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xDTALBgNVBAsTBE1P +UFIxJzAlBgNVBAsTHm5DaXBoZXIgTlRTIEVTTjpCMDI3LUM2RjgtMUQ4ODErMCkG +A1UEAxMiTWljcm9zb2Z0IFRpbWUgU291cmNlIE1hc3RlciBDbG9jazANBgkqhkiG +9w0BAQUFAAIFANa4+LowIhgPMjAxNDAyMjYyMzM1MjJaGA8yMDE0MDIyNzIzMzUy +MlowdzA9BgorBgEEAYRZCgQBMS8wLTAKAgUA1rj4ugIBADAKAgEAAgIM/AIB/zAH +AgEAAgIV3zAKAgUA1rpKOgIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZ +CgMBoAowCAIBAAIDFuNgoQowCAIBAAIDB6EgMA0GCSqGSIb3DQEBBQUAA4IBAQBm +lwBgKM7WFYZn7KoOxHuc0HCwn9KJ7P2+V1ixjuYcd9TJPbpom+P6TqrtdVyqC1qN +P1ika8uTrueq+WIyDkpbBeRjgRPxywB8p6swJXn3a8FQJlYM8wZlX6k4DXOQ5a1I +8Df1MoZedlnFIJFCuailsPek9CZSuawhHvQu6tutrNrCtOJpHGwP/g7QhqDby6MU +9W08fcBbMQ+Q+NN9R+O5914iiyXTxNYply2O6zmRRXVV8Os49n6MAdLMQwlW/Hjf +Qx9xsPgmOpnwA3IVmPCEtJnHbNPnmX23cB3zQ5HQ8Rgzh4a2iGFTUKVLQzP2XbJI +GAt0fd2U/pFkRHTpexsrMYIC9TCCAvECAQEwgZMwfDELMAkGA1UEBhMCVVMxEzAR +BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p +Y3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3Rh +bXAgUENBIDIwMTACEzMAAAAokGe5BLA8bmYAAAAAACgwDQYJYIZIAWUDBAIBBQCg +ggEyMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAvBgkqhkiG9w0BCQQxIgQg +igCH0fhbYKLF4fSmxZObvVlmifs8MaWR0dGzScGuExwwgeIGCyqGSIb3DQEJEAIM +MYHSMIHPMIHMMIGxBBTzXbQex187Zk5lDt6YBFP2FacfRDCBmDCBgKR+MHwxCzAJ +BgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25k +MR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jv +c29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAAAKJBnuQSwPG5mAAAAAAAoMBYE +FP/tXYkB9TLyFTNFAIYorcmDMtYiMA0GCSqGSIb3DQEBCwUABIIBABg8AdKpFO37 +Mdc4SKY28D2Sff2uoRuCoLxMZPhC7rR14gC1sXKSBHIoNyMBR32mYJnJsTAgJRwT 
+YTEmsHYl6l37/tkLAsRS21lt+YuynR9/fdGlwvqxc41HkUHdcTRjvsetVZ7v2HSz +vpCBje4TsAaxblVCsyXiH94CyMR3Aq6brcoG+QJKh14NFLLLIxN2melZYivfcAJR +ES78bXBRGa6hPqsvOIZ6USSC1rAwHodonNcp4Xb1QMPoXKcMPyUAYdzz0q673Mec +hsP7HKqhezXDmpGe6Hg4RrO/In7qyRok6LZ4DH5hsp6dp0Omcgqm3kmcqTTNmtF6 +0JelOr7e+os= +-----END AUTHENTICODE SIGNATURE----- diff --git a/strip_signature.sh b/strip_signature.sh index f22cabf..ccda812 100644 --- a/strip_signature.sh +++ b/strip_signature.sh @@ -10,13 +10,4 @@ fi outfile="${infile%.efi}-unsigned.efi" -nssdir=`mktemp -d` -cleanup() -{ - rm -r "$nssdir" -} -trap cleanup EXIT -echo > "$nssdir/pw" -certutil -f "$nssdir/pw" -d "$nssdir" -N - -pesign -n "$nssdir" -r -i "$infile" -o "$outfile" +pesign -r -i "$infile" -o "$outfile"