Accepting request 315550 from home:gary_lin:branches:devel:openSUSE:Factory

- Update to 0.9 - Refresh patches + shim-fix-gnu-efi-30w.patch + shim-fix-mokmanager-sections.patch + shim-opensuse-cert-prompt.patch - Drop upstreamed patches + shim-bsc920515-fix-fallback-buffer-length.patch + shim-mokx-support.patch + shim-update-cryptlib.patch - Drop shim-bsc919675-uninstall-shim-protocols.patch since upstream fixed the bug in another way. - Drop shim-gcc5.patch which was fixed in another way OBS-URL: https://build.opensuse.org/request/show/315550 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=99
2015-07-08 08:54:24 +00:00 · 2015-07-08 08:54:24 +00:00 · fc4b3ef345
commit fc4b3ef345
parent 7df78e3843
12 changed files with 99 additions and 272449 deletions
--- a/shim-0.8.tar.bz2
+++ b/shim-0.8.tar.bz2
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:4cea304dc6f6e5c429f602c42a4dda7b9c64f448a346bae78fb2c6c19c0cd0b3
 size 991166
--- a/shim-0.9.tar.bz2
+++ b/shim-0.9.tar.bz2
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:f524af773af0c8bfce132c9cf1d43c501b479abf2d12fe26d9f419a3d9688ab5
 size 997797
--- a/shim-bsc919675-uninstall-shim-protocols.patch
+++ b/shim-bsc919675-uninstall-shim-protocols.patch
@ -1,145 +0,0 @@
 From 4f8bf8c570dadf8044e7f3f260c55e3e22630998 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Tue, 3 Mar 2015 16:53:11 +0800
 Subject: [PATCH] Uninstall shim protocols at Exit()
 Shim uninstalls its own protocol at the end of the program. However,
 if the loaded binary, e.g. grub2, calls Exit(), the uninstall function
 would never be called, i.e. the shim protocol handle existed even if
 shim was gone. This already caused crashes on the dell machines with
 the following steps:
 1. boot to grub2 and press 'C' for the grub2 shell
 2. type "exit" to quit the shell
 3. boot to grub2 again and boot an OS
 While grub2 uses the shim protocol to verify the OS image, it may get
 the old dead shim handle and crash the system.
 This commit adds uninstall_shim_protocols() to the hooked exit function
 and always hook Exit to clean up the protocol handle.
 Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
 ---
 replacements.c | 35 ++++++++++++++++++++++++++++-------
 replacements.h |  1 +
 shim.c         |  5 ++++-
 3 files changed, 33 insertions(+), 8 deletions(-)
 diff --git a/replacements.c b/replacements.c
 index f7623d9..4d96e57 100644
 --- a/replacements.c
 +++ b/replacements.c
@@ -74,6 +74,10 @@ unhook_system_services(void)
 		return;
 	systab->BootServices->Exit = system_exit;
 +
 +	if (hook_exit_only)
 +		return;
 +
 	systab->BootServices->LoadImage = system_load_image;
 	systab->BootServices->StartImage = system_start_image;
 	systab->BootServices->ExitBootServices = system_exit_boot_services;
@@ -167,10 +171,24 @@ do_exit(EFI_HANDLE ImageHandle, EFI_STATUS ExitStatus,
 {
 	EFI_STATUS status;
 	unhook_system_services();
 +	uninstall_shim_protocols();
 	status = systab->BootServices->Exit(ImageHandle, ExitStatus, ExitDataSize, ExitData);
 -	if (EFI_ERROR(status))
 +	if (EFI_ERROR(status)) {
 +		EFI_STATUS status2 = install_shim_protocols();
 +
 +		if (EFI_ERROR(status2)) {
 +			Print(L"Something has gone seriously wrong: %r\n",
 +				status2);
 +			Print(L"shim cannot continue, sorry.\n");
 +			systab->BootServices->Stall(5000000);
 +			systab->RuntimeServices->ResetSystem(
 +				EfiResetShutdown,
 +				EFI_SECURITY_VIOLATION, 0, NULL);
 +		}
 +
 		hook_system_services(systab);
 +	}
 	return status;
 }
@@ -182,6 +200,15 @@ hook_system_services(EFI_SYSTEM_TABLE *local_systab)
 	/* We need to hook various calls to make this work... */
 +	/* we need to hook Exit() so that we can allow users to quit the
 +	 * bootloader and still e.g. start a new one or run an internal
 +	 * shell. */
 +	system_exit = systab->BootServices->Exit;
 +	systab->BootServices->Exit = do_exit;
 +
 +	if (hook_exit_only)
 +		return;
 +
 	/* We need LoadImage() hooked so that fallback.c can load shim
 	 * without having to fake LoadImage as well.  This allows it
 	 * to call the system LoadImage(), and have us track the output
@@ -201,10 +228,4 @@ hook_system_services(EFI_SYSTEM_TABLE *local_systab)
 	 * and b) we can unwrap when we're done. */
 	system_exit_boot_services = systab->BootServices->ExitBootServices;
 	systab->BootServices->ExitBootServices = exit_boot_services;
 -
 -	/* we need to hook Exit() so that we can allow users to quit the
 -	 * bootloader and still e.g. start a new one or run an internal
 -	 * shell. */
 -	system_exit = systab->BootServices->Exit;
 -	systab->BootServices->Exit = do_exit;
 }
 diff --git a/replacements.h b/replacements.h
 index bd09424..928144d 100644
 --- a/replacements.h
 +++ b/replacements.h
@@ -37,6 +37,7 @@ typedef enum {
 extern verification_method_t verification_method;
 extern int loader_is_participating;
 +extern int hook_exit_only;
 extern void hook_system_services(EFI_SYSTEM_TABLE *local_systab);
 extern void unhook_system_services(void);
 diff --git a/shim.c b/shim.c
 index d46494a..6fbe427 100644
 --- a/shim.c
 +++ b/shim.c
@@ -90,6 +90,7 @@ UINT8 *vendor_dbx;
  */
 verification_method_t verification_method;
 int loader_is_participating;
 +int exit_only;
 #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
@@ -2100,6 +2101,7 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
 	/*
 	 * Tell the user that we're in insecure mode if necessary
 	 */
 +	hook_exit_only = 1;
 	if (user_insecure_mode) {
 		Print(L"Booting in insecure mode\n");
 		uefi_call_wrapper(BS->Stall, 1, 2000000);
@@ -2110,11 +2112,12 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
 			 * that anything it boots has performed some
 			 * validation of the next image.
 			 */
 -			hook_system_services(systab);
 +			hook_exit_only = 0;
 			loader_is_participating = 0;
 		}
 	}
 +	hook_system_services(systab);
 	efi_status = install_shim_protocols();
 	if (EFI_ERROR(efi_status))
 		return efi_status;
 -- 
 2.1.4
--- a/shim-bsc920515-fix-fallback-buffer-length.patch
+++ b/shim-bsc920515-fix-fallback-buffer-length.patch
@ -1,54 +0,0 @@
 From 8bfaa280dc0fcc67e636f33f5c056d6f08b22ef5 Mon Sep 17 00:00:00 2001
 From: Laszlo Ersek <lersek@redhat.com>
 Date: Wed, 25 Feb 2015 18:45:41 +0000
 Subject: [PATCH] Fix length of allocated buffer for boot option comparison.
 The following commit:
  commit 4aac8a1179e160397d7ef8f1e3232cfb4f3373d6
  Author: Gary Ching-Pang Lin <glin@suse.com>
  Date:   Thu Mar 6 10:57:02 2014 +0800
    [fallback] Fix the data size for boot option comparison
 corrected the data size used for comparison, but also reduced the
 allocation so it doesn't include the trailing UTF16LE '\0\0' at the
 end of the string, with the result that the trailer of the buffer
 containing the string is overwritten, which OVMF detects as memory
 corruption.
 Increase the size of the storage buffer in a few places to correct
 this problem.
 Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
 Cc: Laszlo Ersek <lersek@redhat.com>
 Cc: Gary Ching-Pang Lin <glin@suse.com>
 ---
 fallback.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/fallback.c b/fallback.c
 index d10fb62..0c1a413 100644
 --- a/fallback.c
 +++ b/fallback.c
@@ -163,7 +163,7 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp,
 				StrLen(label)*2 + 2 + DevicePathSize(hddp) +
 				StrLen(arguments) * 2;
 -			CHAR8 *data = AllocateZeroPool(size);
 +			CHAR8 *data = AllocateZeroPool(size + 2);
 			CHAR8 *cursor = data;
 			*(UINT32 *)cursor = LOAD_OPTION_ACTIVE;
 			cursor += sizeof (UINT32);
@@ -234,7 +234,7 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp,
 		StrLen(label)*2 + 2 + DevicePathSize(dp) +
 		StrLen(arguments) * 2;
 -	CHAR8 *data = AllocateZeroPool(size);
 +	CHAR8 *data = AllocateZeroPool(size + 2);
 	if (!data)
 		return EFI_OUT_OF_RESOURCES;
 	CHAR8 *cursor = data;
 -- 
 2.1.4
--- a/shim-fix-gnu-efi-30w.patch
+++ b/shim-fix-gnu-efi-30w.patch
@ -1,4 +1,4 @@
-From d4e4bf4e1e03eb5685474d240929d3e3b50581f8 Mon Sep 17 00:00:00 2001
+From 7bfd197ba085e84db662decd9efc8ecf8a435ec2 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Thu, 25 Sep 2014 18:12:42 +0800
 Subject: [PATCH] Adapt the change in gnu-efi-3.0w
@ -11,7 +11,7 @@ Subject: [PATCH] Adapt the change in gnu-efi-3.0w
 4 files changed, 13 insertions(+), 6 deletions(-)
 diff --git a/Cryptlib/Include/OpenSslSupport.h b/Cryptlib/Include/OpenSslSupport.h
-index 9e56ced..6b3bfbd 100644
+index b77838d..8a53eb7 100644
 --- a/Cryptlib/Include/OpenSslSupport.h
 +++ b/Cryptlib/Include/OpenSslSupport.h
@@ -16,12 +16,6 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
@ -42,24 +42,24 @@ index 9e56ced..6b3bfbd 100644
 // #defines from EFI Application Toolkit required to buiild Open SSL
 //
 diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile
-index 9719a27..dbd79fb 100644
+index 1769e67..e4f9eb5 100644
 --- a/Cryptlib/Makefile
 +++ b/Cryptlib/Makefile
-@@ -3,6 +3,7 @@ EFI_INCLUDES	= -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLU
+@@ -4,6 +4,7 @@ EFI_INCLUDES	= -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLU
 CFLAGS		= -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
- 		  -Wall $(EFI_INCLUDES)
+ 		  -Wall $(EFI_INCLUDES) \
 		  -ffreestanding -I$(shell $(CC) -print-file-name=include)
 +CFLAGS          += -DGNU_EFI_USE_EXTERNAL_STDARG
 ifeq ($(ARCH),x86_64)
 	CFLAGS	+= -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \
 diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile
-index 7990b3c..967e55e 100644
+index 7bedb94..1f2c6d5 100644
 --- a/Cryptlib/OpenSSL/Makefile
 +++ b/Cryptlib/OpenSSL/Makefile
-@@ -18,6 +18,9 @@ endif
+@@ -19,6 +19,9 @@ endif
 ifeq ($(ARCH),arm)
- 	CFLAGS	+= -O2 -DTHIRTY_TWO_BIT -ffreestanding -I$(shell $(CC) -print-file-name=include)
+ 	CFLAGS	+= -O2 -DTHIRTY_TWO_BIT
 endif
 +
 +CFLAGS          += -DGNU_EFI_USE_EXTERNAL_STDARG
@ -68,10 +68,10 @@ index 7990b3c..967e55e 100644
 TARGET		= libopenssl.a
 diff --git a/Makefile b/Makefile
-index 332a29b..52fd5b3 100644
+index 83cf374..9cfebc7 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -26,6 +26,8 @@ CFLAGS		= -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
+@@ -28,6 +28,8 @@ CFLAGS		= -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
 		  "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
 		  $(EFI_INCLUDES)
@ -81,5 +81,5 @@ index 332a29b..52fd5b3 100644
 	CFLAGS	+= -DOVERRIDE_SECURITY_POLICY
 endif
 -- 
-1.8.4.5
+2.1.4
--- a/shim-fix-mokmanager-sections.patch
+++ b/shim-fix-mokmanager-sections.patch
@ -1,26 +1,38 @@
-From 61f1bfea2250c38b6c381a3876b41acf007f4289 Mon Sep 17 00:00:00 2001
+From fa7e46558ebdafeb7b5f4a3b843f309a678d4365 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Mon, 10 Nov 2014 17:19:58 +0800
-Subject: [PATCH 1/2] Fix objcopy parameters to include .rel and .rela
+Subject: [PATCH] Fix objcopy parameters to include .rel and .rela
-The objcopy parameters -j .rel* and -j .rela* looked like that the
+This is a quick hack for the old objcopy.
 two sections would be in the EFI binary, but it's actually not, and
 this caused MokManager.efi crash.
-Remove the asterisks to fix MokManager.efi.
+The asterisks support in objcopy was added in 2.24. For the distro
 with the older objcopy, some sections would be ignored and this could
 crash the program.
 Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
 ---
- Makefile | 8 ++++----
+ Makefile | 12 ++++--------
- 1 file changed, 4 insertions(+), 4 deletions(-)
+ 1 file changed, 4 insertions(+), 8 deletions(-)
 diff --git a/Makefile b/Makefile
-index 332a29b..39160c5 100644
+index 412496b..a791bcc 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -133,13 +133,13 @@ FORMAT		?= --target efi-app-$(ARCH)
+@@ -9,7 +9,6 @@ LD		= $(CROSS_COMPILE)ld
 OBJCOPY		= $(CROSS_COMPILE)objcopy
 ARCH		= $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,)
 -OBJCOPY_GTE224  = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.* //g' | cut -f1-2 -d.` \>= 2.24)
 SUBDIRS		= Cryptlib lib
@@ -142,17 +141,14 @@ endif
 FORMAT		?= --target efi-app-$(ARCH)
 %.efi: %.so
 -ifneq ($(OBJCOPY_GTE224),1)
 -	$(error objcopy >= 2.24 is required)
 -endif
 	$(OBJCOPY) -j .text -j .sdata -j .data \
 -		-j .dynamic -j .dynsym  -j .rel* \
 -		-j .rela* -j .reloc -j .eh_frame \
@ -35,65 +47,7 @@ index 332a29b..39160c5 100644
 +		-j .rela -j .reloc -j .eh_frame \
 		-j .debug_info -j .debug_abbrev -j .debug_aranges \
 		-j .debug_line -j .debug_str -j .debug_ranges \
- 		$(FORMAT) $^ $@.debug
+ 		-j .note.gnu.build-id \
 -- 
-1.8.4.5
+2.1.4
 From a0d319c24c064b3275f4dc91cf141336fb7449fa Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Mon, 10 Nov 2014 17:31:15 +0800
 Subject: [PATCH 2/2] Add nostdinc to the CFLAGS for lib
 We don't need the headers from the standard include path.
 Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
 ---
 lib/Makefile  | 2 +-
 lib/console.c | 4 ++--
 lib/guid.c    | 1 -
 3 files changed, 3 insertions(+), 4 deletions(-)
 diff --git a/lib/Makefile b/lib/Makefile
 index ebd21a1..3c5101e 100644
 --- a/lib/Makefile
 +++ b/lib/Makefile
@@ -4,7 +4,7 @@ LIBFILES = simple_file.o guid.o console.o execute.o configtable.o shell.o variab
 EFI_INCLUDES    = -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -I../include
 -CFLAGS          = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
 +CFLAGS          = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -nostdinc\
 		  -fshort-wchar -Wall -DBUILD_EFI -fno-builtin -Werror \
 		  $(EFI_INCLUDES)
 diff --git a/lib/console.c b/lib/console.c
 index 83ee679..fd8cc5c 100644
 --- a/lib/console.c
 +++ b/lib/console.c
@@ -4,8 +4,8 @@
  *
  * see COPYING file
  */
 -#include <efi/efi.h>
 -#include <efi/efilib.h>
 +#include <efi.h>
 +#include <efilib.h>
 #include <console.h>
 #include <variables.h>
 diff --git a/lib/guid.c b/lib/guid.c
 index 56ec952..c97a7ca 100644
 --- a/lib/guid.c
 +++ b/lib/guid.c
@@ -5,7 +5,6 @@
  */
 #include <guid.h>
 -#include <stdio.h>
 #ifndef BUILD_EFI
 /* EFI has %g for this, so it's only needed in platform c */
 -- 
 1.8.4.5
--- a/shim-gcc5.patch
+++ b/shim-gcc5.patch
@ -1,44 +0,0 @@
 --- shim-0.8.orig/Makefile
 +++ shim-0.8/Makefile
@@ -21,7 +21,7 @@ EFI_LDS		= elf_$(ARCH)_efi.lds
 DEFAULT_LOADER	:= \\\\grub.efi
 CFLAGS		= -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
 		  -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
 -		  -Werror=sign-compare \
 +		  -Werror=sign-compare -std=gnu89 \
 		  "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
 		  "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
 		  $(EFI_INCLUDES)
 --- shim-0.8.orig/Cryptlib/Makefile
 +++ shim-0.8/Cryptlib/Makefile
@@ -2,7 +2,7 @@
 EFI_INCLUDES	= -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
 CFLAGS		= -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
 -		  -Wall $(EFI_INCLUDES)
 +		  -Wall $(EFI_INCLUDES) -std=gnu89
 CFLAGS          += -DGNU_EFI_USE_EXTERNAL_STDARG
 ifeq ($(ARCH),x86_64)
 --- shim-0.8.orig/Cryptlib/OpenSSL/Makefile
 +++ shim-0.8/Cryptlib/OpenSSL/Makefile
@@ -2,7 +2,7 @@
 EFI_INCLUDES	= -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
 CFLAGS		= -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \
 -		  -Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC
 +		  -Wall -std=gnu89 $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC
 ifeq ($(ARCH),x86_64)
 	CFLAGS	+= -mno-mmx -mno-sse -mno-red-zone -maccumulate-outgoing-args \
 --- shim-0.8.orig/lib/Makefile
 +++ shim-0.8/lib/Makefile
@@ -5,7 +5,7 @@ LIBFILES = simple_file.o guid.o console.
 EFI_INCLUDES    = -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -I../include
 CFLAGS          = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -nostdinc\
 -		  -fshort-wchar -Wall -DBUILD_EFI -fno-builtin -Werror \
 +		  -fshort-wchar -Wall -DBUILD_EFI -fno-builtin -Werror -std=gnu89 \
 		  $(EFI_INCLUDES)
 ifeq ($(ARCH),x86_64)
--- a/shim-mokx-support.patch
+++ b/shim-mokx-support.patch
--- a/shim-opensuse-cert-prompt.patch
+++ b/shim-opensuse-cert-prompt.patch
@ -1,4 +1,4 @@
-From eeeb5117c7d30eef6ec8a09f884d6e6872e41638 Mon Sep 17 00:00:00 2001
+From 83b991190b82da422cff4e357e045ff993ecaa9d Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Tue, 18 Feb 2014 17:29:19 +0800
 Subject: [PATCH 1/3] Show the build-in certificate prompt
@ -17,22 +17,22 @@ again after reboot.
 The state will store in use_openSUSE_cert, a volatile RT variable.
 ---
- shim.c | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
+ shim.c | 77 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
- 1 file changed, 74 insertions(+), 2 deletions(-)
+ 1 file changed, 75 insertions(+), 2 deletions(-)
 diff --git a/shim.c b/shim.c
-index 6fbe427..112a141 100644
+index 4c6bdc5..4e8ed3a 100644
 --- a/shim.c
 +++ b/shim.c
@@ -91,6 +91,7 @@ UINT8 *vendor_dbx;
  */
 verification_method_t verification_method;
 int loader_is_participating;
 int exit_only;
 +BOOLEAN use_builtin_cert;
 #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
-@@ -955,7 +956,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
+@@ -959,7 +960,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
 	if (status == EFI_SUCCESS)
 		return status;
@ -41,7 +41,7 @@ index 6fbe427..112a141 100644
 		/*
 		 * Check against the shim build key
 		 */
-@@ -1709,7 +1710,7 @@ EFI_STATUS mirror_mok_list()
+@@ -1730,7 +1731,7 @@ EFI_STATUS mirror_mok_list()
 	if (efi_status != EFI_SUCCESS)
 		DataSize = 0;
@ -50,8 +50,8 @@ index 6fbe427..112a141 100644
 		FullDataSize = DataSize
 			     + sizeof (*CertList)
 			     + sizeof (EFI_GUID)
-@@ -2058,6 +2059,75 @@ uninstall_shim_protocols(void)
+@@ -2140,6 +2141,75 @@ shim_fini(void)
- 			  &shim_lock_guid, &shim_lock_interface);
+ 	setup_console(0);
 }
 +#define VENDOR_VERIFY L"openSUSE_Verify"
@ -123,23 +123,24 @@ index 6fbe427..112a141 100644
 +	return 0;
 +}
 +
- EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
+ extern EFI_STATUS
- {
+ efi_main(EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab);
 	EFI_STATUS efi_status;
@@ -2114,6 +2184,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
 			 */
 			hook_exit_only = 0;
 			loader_is_participating = 0;
 +			if (builtin_cert_prompt() != 0)
 +				return EFI_ABORTED;
 		}
 	}
@@ -2228,6 +2298,9 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
 	 */
 	check_mok_sb();
 +	if (secure_mode() && (builtin_cert_prompt() != 0))
 +		return EFI_ABORTED;
 +
 	efi_status = shim_init();
 	if (EFI_ERROR(efi_status)) {
 		Print(L"Something has gone seriously wrong: %r\n", efi_status);
 -- 
 2.1.4
-From 869b4633b647c00d13bdf9c2ad554e5d5b8b9670 Mon Sep 17 00:00:00 2001
+From bde21fc34f6c1293a4233e704d9890a14f4bff19 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Thu, 20 Feb 2014 16:57:08 +0800
 Subject: [PATCH 2/3] Support revoking the openSUSE cert
@ -155,10 +156,10 @@ will show up with an additional option to clear openSUSE_Verify
 2 files changed, 60 insertions(+), 3 deletions(-)
 diff --git a/MokManager.c b/MokManager.c
-index 442ab8f..7277968 100644
+index ee6dffb..68d4099 100644
 --- a/MokManager.c
 +++ b/MokManager.c
-@@ -1731,6 +1731,33 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) {
+@@ -1729,6 +1729,33 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) {
 	return -1;
 }
@ -192,7 +193,7 @@ index 442ab8f..7277968 100644
 static BOOLEAN verify_certificate(UINT8 *cert, UINTN size)
 {
 	X509 *X509Cert;
-@@ -2083,6 +2110,7 @@ typedef enum {
+@@ -2081,6 +2108,7 @@ typedef enum {
 	MOK_CHANGE_SB,
 	MOK_SET_PW,
 	MOK_CHANGE_DB,
@ -200,7 +201,7 @@ index 442ab8f..7277968 100644
 	MOK_KEY_ENROLL,
 	MOK_HASH_ENROLL
 } mok_menu_item;
-@@ -2094,7 +2122,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
+@@ -2092,7 +2120,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
 				 void *MokPW, UINTN MokPWSize,
 				 void *MokDB, UINTN MokDBSize,
 				 void *MokXNew, UINTN MokXNewSize,
@ -210,7 +211,7 @@ index 442ab8f..7277968 100644
 {
 	CHAR16 **menu_strings;
 	mok_menu_item *menu_item;
-@@ -2168,6 +2197,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
+@@ -2166,6 +2195,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
 	if (MokDB)
 		menucount++;
@ -220,7 +221,7 @@ index 442ab8f..7277968 100644
 	menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (menucount + 1));
 	if (!menu_strings)
-@@ -2237,6 +2269,12 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
+@@ -2235,6 +2267,12 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
 		i++;
 	}
@ -233,7 +234,7 @@ index 442ab8f..7277968 100644
 	menu_strings[i] = L"Enroll key from disk";
 	menu_item[i] = MOK_KEY_ENROLL;
 	i++;
-@@ -2287,6 +2325,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
+@@ -2285,6 +2323,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
 		case MOK_CHANGE_DB:
 			mok_db_prompt(MokDB, MokDBSize);
 			break;
@ -243,7 +244,7 @@ index 442ab8f..7277968 100644
 		case MOK_KEY_ENROLL:
 			mok_key_enroll();
 			break;
-@@ -2312,6 +2353,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
+@@ -2310,6 +2351,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
 	EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
 	UINTN MokNewSize = 0, MokDelSize = 0, MokSBSize = 0, MokPWSize = 0;
 	UINTN MokDBSize = 0, MokXNewSize = 0, MokXDelSize = 0;
@ -251,7 +252,7 @@ index 442ab8f..7277968 100644
 	void *MokNew = NULL;
 	void *MokDel = NULL;
 	void *MokSB = NULL;
-@@ -2319,6 +2361,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
+@@ -2317,6 +2359,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
 	void *MokDB = NULL;
 	void *MokXNew = NULL;
 	void *MokXDel = NULL;
@ -259,7 +260,7 @@ index 442ab8f..7277968 100644
 	EFI_STATUS status;
 	status = get_variable(L"MokNew", (UINT8 **)&MokNew, &MokNewSize,
-@@ -2391,9 +2434,20 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
+@@ -2389,9 +2432,20 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
 		console_error(L"Could not retrieve MokXDel", status);
 	}
@ -281,7 +282,7 @@ index 442ab8f..7277968 100644
 	if (MokNew)
 		FreePool (MokNew);
-@@ -2416,6 +2470,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
+@@ -2414,6 +2468,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
 	if (MokXDel)
 		FreePool (MokXDel);
@ -292,10 +293,10 @@ index 442ab8f..7277968 100644
 	LibDeleteVariable(L"MokDelAuth", &shim_lock_guid);
 	LibDeleteVariable(L"MokXAuth", &shim_lock_guid);
 diff --git a/shim.c b/shim.c
-index 112a141..9ffac1f 100644
+index 4e8ed3a..8848e6a 100644
 --- a/shim.c
 +++ b/shim.c
-@@ -1819,7 +1819,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
+@@ -1840,7 +1840,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
 	    check_var(L"MokPW") || check_var(L"MokAuth") ||
 	    check_var(L"MokDel") || check_var(L"MokDB") ||
 	    check_var(L"MokXNew") || check_var(L"MokXDel") ||
@ -308,7 +309,7 @@ index 112a141..9ffac1f 100644
 2.1.4
-From 8d8ccfdebdd01601548d662ad8a43371d307e2f1 Mon Sep 17 00:00:00 2001
+From 3d22ec8e64253ec7edc4133d6122539f006c792e Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Fri, 7 Mar 2014 16:17:20 +0800
 Subject: [PATCH 3/3] Delete openSUSE_Verify the right way
@ -321,10 +322,10 @@ LibDeleteVariable only works on the runtime variables.
 1 file changed, 4 insertions(+), 1 deletion(-)
 diff --git a/MokManager.c b/MokManager.c
-index 7277968..b5d2454 100644
+index 68d4099..c7f2b65 100644
 --- a/MokManager.c
 +++ b/MokManager.c
-@@ -1745,7 +1745,10 @@ static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) {
+@@ -1743,7 +1743,10 @@ static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) {
 	if (status != EFI_SUCCESS)
 		return -1;
--- a/shim-update-cryptlib.patch
+++ b/shim-update-cryptlib.patch
--- a/shim.changes
+++ b/shim.changes
@ -1,3 +1,19 @@
 -------------------------------------------------------------------
 Mon Jul  6 09:06:02 UTC 2015 - glin@suse.com
 - Update to 0.9
 - Refresh patches
  + shim-fix-gnu-efi-30w.patch
  + shim-fix-mokmanager-sections.patch
  + shim-opensuse-cert-prompt.patch
 - Drop upstreamed patches
  + shim-bsc920515-fix-fallback-buffer-length.patch
  + shim-mokx-support.patch
  + shim-update-cryptlib.patch
 - Drop shim-bsc919675-uninstall-shim-protocols.patch since
  upstream fixed the bug in another way.
 - Drop shim-gcc5.patch which was fixed in another way
 -------------------------------------------------------------------
 Wed Apr  8 07:10:39 UTC 2015 - glin@suse.com
--- a/shim.spec
+++ b/shim.spec
@ -19,7 +19,7 @@
 # needssslcertforbuild
 Name:           shim
-Version:        0.8
+Version:        0.9
 Release:        0
 Summary:        UEFI shim loader
 License:        BSD-2-Clause
@ -40,23 +40,14 @@ Source9:        openSUSE-UEFI-CA-Certificate-4096.crt
 Source10:       timestamp.pl
 Source11:       strip_signature.sh
 Source12:       signature-sles.asc
 # PATCH-FIX-UPSTREAM shim-mokx-support.patch glin@suse.com -- Support MOK blacklist
 Patch1:         shim-mokx-support.patch
 # PATCH-FIX-SUSE shim-only-os-name.patch glin@suse.com -- Only include the OS name in version.c
-Patch2:         shim-only-os-name.patch
+Patch1:         shim-only-os-name.patch
 # PATCH-FIX-UPSTREAM shim-fix-gnu-efi-30w.patch glin@suse.com -- Adapt the change in gnu-efi 3.0w
-Patch3:         shim-fix-gnu-efi-30w.patch
+Patch2:         shim-fix-gnu-efi-30w.patch
 # PATCH-FIX-UPSTREAM shim-fix-mokmanager-sections.patch glin@suse.com -- Fix the objcopy parameters for the EFI files
-Patch4:         shim-fix-mokmanager-sections.patch
+Patch3:         shim-fix-mokmanager-sections.patch
 # PATCH-FIX-UPSTREAM shim-bsc919675-uninstall-shim-protocols.patch bsc#919675 glin@suse.com -- Uinstall the shim protocols at Exit
 Patch5:         shim-bsc919675-uninstall-shim-protocols.patch
 # PATCH-FIX-UPSTREAM shim-bsc920515-fix-fallback-buffer-length.patch bsc#920515 glin@suse.com -- Fix the buffer size for the boot options
 Patch6:         shim-bsc920515-fix-fallback-buffer-length.patch
 # PATCH-FIX-UPSTREAM shim-update-cryptlib.patch glin@suse.com -- Update Cryptlib and openssl
 Patch7:         shim-update-cryptlib.patch
 # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
 Patch100:       shim-opensuse-cert-prompt.patch
 Patch101:       shim-gcc5.patch
 BuildRequires:  gnu-efi >= 3.0t
 BuildRequires:  mozilla-nss-tools
 BuildRequires:  openssl >= 0.9.8
@ -83,16 +74,11 @@ Authors:
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
 %patch100 -p1
 %patch101 -p1
 %build
 # first, build MokManager and fallback as they don't depend on a
 # specific certificate
-make EFI_PATH=/usr/lib64 MokManager.efi fallback.efi 2>/dev/null
+make EFI_PATH=/usr/lib64 RELEASE=0 MokManager.efi fallback.efi 2>/dev/null
 # now build variants of shim that embed different certificates
 default=''
@ -147,7 +133,7 @@ for suffix in "${suffixes[@]}"; do
 	    cp $cert2 shim.crt
    fi
    # make sure cast warnings don't trigger post build check
-    make EFI_PATH=/usr/lib64 VENDOR_CERT_FILE=shim-$suffix.der shim.efi 2>/dev/null
+    make EFI_PATH=/usr/lib64 RELEASE=0 VENDOR_CERT_FILE=shim-$suffix.der shim.efi 2>/dev/null
    #
    # assert correct certificate embedded
    grep -q "$verify" shim.efi