6 changed files with 2 additions and 166 deletions
--- a/backport-Align-section-size-up-to-page-size-for-mem-attrs.patch
+++ b/backport-Align-section-size-up-to-page-size-for-mem-attrs.patch
@ -1,33 +0,0 @@
 From c7b305152802c8db688605654f75e1195def9fd6 Mon Sep 17 00:00:00 2001
 From: Nicholas Bishop <nicholasbishop@google.com>
 Date: Mon, 19 Dec 2022 18:56:13 -0500
 Subject: [PATCH] pe: Align section size up to page size for mem attrs
 Setting memory attributes is generally done at page granularity, and
 this is enforced by checks in `get_mem_attrs` and
 `update_mem_attrs`. But unlike the section address, the section size
 isn't necessarily aligned to 4KiB. Round up the section size to fix
 this.
 Signed-off-by: Nicholas Bishop <nicholasbishop@google.com>
 ---
 pe.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
 diff --git a/pe.c b/pe.c
 index 9a3679e16..5ad0914ba 100644
 --- a/pe.c
 +++ b/pe.c
@@ -1372,7 +1372,11 @@ handle_image (void *data, unsigned int datasize,
 				     + Section->Misc.VirtualSize - 1);
 		addr = (uintptr_t)base;
 -		length = (uintptr_t)end - (uintptr_t)base + 1;
 +		// Align the length up to PAGE_SIZE. This is required because
 +		// platforms generally set memory attributes at page
 +		// granularity, but the section length (unlike the section
 +		// address) is not required to be aligned.
 +		length = ALIGN_VALUE((uintptr_t)end - (uintptr_t)base + 1, PAGE_SIZE);
 		if (Section->Characteristics & EFI_IMAGE_SCN_MEM_WRITE) {
 			set_attrs |= MEM_ATTR_W;
--- a/backport-Fix-the-issue-that-the-gBS-LoadImage-pointer-was-emp.patch
+++ b/backport-Fix-the-issue-that-the-gBS-LoadImage-pointer-was-emp.patch
@ -1,39 +0,0 @@
 From 712097206702f26e96be3f7ba79eb52d00e1f658 Mon Sep 17 00:00:00 2001
 From: jinlun <869793317@qq.com>
 Date: Sat, 2 Nov 2024 17:21:22 +0800
 Subject: [PATCH] Fix the issue that the gBS->LoadImage pointer was empty.
 The interface shouldn't be replaced at the shim_fini
 stage When the vendor certificate doesn't exist.
 Signed-off-by: jinlun <869793317@qq.com>
 Signed-off-by: xuce <xuce10@h-partners.com>
 ---
 shim.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
 diff --git a/shim.c b/shim.c
 index 547b052..aa74610 100644
 --- a/shim.c
 +++ b/shim.c
@@ -1651,11 +1651,12 @@ shim_fini(void)
 	uninstall_shim_protocols();
 	if (secure_mode()) {
 -
 -		/*
 -		 * Remove our hooks from system services.
 -		 */
 -		unhook_system_services();
 +		if (vendor_authorized_size || vendor_deauthorized_size) {
 +			/*
 +			* Remove our hooks from system services.
 +			*/
 +			unhook_system_services();
 +		}
 	}
 	unhook_exit();
 -- 
 2.33.0
--- a/backport-shim-don-t-set-second_stage-to-the-empty-string.patch
+++ b/backport-shim-don-t-set-second_stage-to-the-empty-string.patch
@ -1,54 +0,0 @@
 From 0287c6b14c77eeb3e3c61996330850d43d937a2b Mon Sep 17 00:00:00 2001
 From: Jonathan Davies <jonathan.davies@nutanix.com>
 Date: Thu, 22 Feb 2024 16:24:01 +0000
 Subject: [PATCH] shim: don't set second_stage to the empty string
 When LoadOptions is either L" " or L"shim.efi ", parse_load_options sets
 second_stage to the empty string. This is unlikely to be what is intended, and
 typically leads to a non-obvious failure mode.
 The failure happens because parse_load_options's call to split_load_options
 (after eating shim's own filename, if present) returns the empty string. Since
 init_grub typically passes second_stage to start_image, this causes read_image
 to concatenate the empty string onto the directory name. This means PathName
 refers to the directory, not the path to a pe image. Then load_image
 successfully opens a handle on the directory and reads "data" from it. It only
 eventually fails when handle_image calls read_header which finds that this data
 isn't in fact a pe header, reporting "Invalid image".
 This scenario has been seen when shim is loaded via rEFInd 0.11.5, which sets
 LoadOptions to the name of the shim program followed by a space character.
 Instead, modify parse_load_options to leave second_stage set to its default
 value rather than the empty string.
 Reference:https://github.com/rhboot/shim/commit/0287c6b14c77eeb3e3c61996330850d43d937a2b
 Conflict:NA
 Signed-off-by: Jonathan Davies <jonathan.davies@nutanix.com>
 ---
 load-options.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
 diff --git a/load-options.c b/load-options.c
 index a8c6e1a..8b92e37 100644
 --- a/load-options.c
 +++ b/load-options.c
@@ -447,10 +447,12 @@ parse_load_options(EFI_LOADED_IMAGE *li)
 	/*
 	 * Set up the name of the alternative loader and the LoadOptions for
 -	 * the loader
 +	 * the loader if it's not the empty string.
 	 */
 	if (loader_str) {
 -		second_stage = loader_str;
 +		if (*loader_str) {
 +			second_stage = loader_str;
 +		}
 		load_options = remaining;
 		load_options_size = remaining_size;
 	}
 -- 
 2.33.0
--- a/shim.spec
+++ b/shim.spec
@ -25,7 +25,7 @@
 Name:	   	   shim
 Version:	   15.7
-Release:	   16
+Release:	   11
 Summary:	   First-stage UEFI bootloader
 ExclusiveArch:     x86_64 aarch64
 License:	   BSD
@ -34,8 +34,6 @@ Source0:	   https://github.com/rhboot/shim/releases/download/%{version}/shim-%{v
 Source1:	   BOOTAA64.CSV
 Source2:	   BOOTX64.CSV
 Source3:	   openEuler_ca.der
 Source4:	   shimaa64-cfca.efi
 Source5:	   shimx64-cfca.efi
 Patch1:backport-CVE-2023-40546.patch
 Patch2:backport-CVE-2023-40551-pe-relocate-Fix-bounds-check-for-MZ-b.patch
@ -53,9 +51,6 @@ Patch13:backport-CVE-2023-0465.patch
 Patch14:backport-CVE-2023-2650.patch
 Patch15:backport-CVE-2024-0727.patch
 Patch16:backport-Always-clear-SbatLevel-when-Secure-Boot-is-disabled.patch
 Patch17:backport-Align-section-size-up-to-page-size-for-mem-attrs.patch
 Patch18:backport-shim-don-t-set-second_stage-to-the-empty-string.patch
 Patch19:backport-Fix-the-issue-that-the-gBS-LoadImage-pointer-was-emp.patch 
 # Feature for shim SMx support
 Patch9000:Feature-shim-openssl-add-ec-support.patch
@ -80,14 +75,6 @@ Obsoletes:     shim-%{efi_arch} < %{version}-%{release}
 Initial UEFI bootloader that handles chaining to a trusted full \
 bootloader under secure boot environments.
 %package signed
 Summary:	signed shim
 Requires:	%{name} = %{version}-%{release}
 AutoReqProv:	0
 %description signed
 signed shim 
 %package debuginfo
 Summary:	Debug information for shim-unsigned
 Requires:	%{name}-debugsource = %{version}-%{release}
@ -135,7 +122,7 @@ cd ..
 echo "start sign"
 sh /usr/lib/rpm/brp-ebs-sign --efi %{_builddir}/shim-%{version}/build-%{efi_arch}/shim%{efi_arch}.efi || [ $? -eq 2 ] && echo "failed to sign, skip signgture"
 sh /usr/lib/rpm/brp-ebs-sign --efi %{_builddir}/shim-%{version}/build-%{efi_arch}/fb%{efi_arch}.efi || [ $? -eq 2 ] && echo "failed to sign, skip signgture"
-sh /usr/lib/rpm/brp-ebs-sign --efi %{_builddir}/shim-%{version}/build-%{efi_arch}/mm%{efi_arch}.efi || [ $? -eq 2 ] && echo "failed to sign, skip signgture"
+sh /usr/lib/rpm/brp-ebs-sign --efi %{_builddir}/shim-%{version}/build-%{efi_arch}/mm%{efi_arch}.efi || [ $? -eq 2 ] & echo "failed to sign, skip signgture"
 mv %{_builddir}/shim-%{version}/build-%{efi_arch}/shim%{efi_arch}.efi.sig %{_builddir}/shim-%{version}/build-%{efi_arch}/shim%{efi_arch}.efi ||:
 mv %{_builddir}/shim-%{version}/build-%{efi_arch}/fb%{efi_arch}.efi.sig %{_builddir}/shim-%{version}/build-%{efi_arch}/fb%{efi_arch}.efi ||:
 mv %{_builddir}/shim-%{version}/build-%{efi_arch}/mm%{efi_arch}.efi.sig %{_builddir}/shim-%{version}/build-%{efi_arch}/mm%{efi_arch}.efi ||:
@ -162,11 +149,9 @@ install -m 0700 *.efi ${RPM_BUILD_ROOT}/%{shimefivendor}
 install -m 0700 *.hash ${RPM_BUILD_ROOT}/%{shimefivendor}
 %ifarch aarch64
 install -m 0700 %{SOURCE1} ${RPM_BUILD_ROOT}/%{shimefivendor}
 install -m 0700 %{SOURCE4} ${RPM_BUILD_ROOT}/%{shimBOOT}/BOOTAA64_CFCA.EFI
 %endif
 %ifarch x86_64
 install -m 0700 %{SOURCE2} ${RPM_BUILD_ROOT}/%{shimefivendor}
 install -m 0700 %{SOURCE5} ${RPM_BUILD_ROOT}/%{shimBOOT}/BOOTX64_CFCA.EFI
 %endif
 %if "%{_vendor}" != "openEuler"
    iconv -f UTF-16LE -t UTF-8 ${RPM_BUILD_ROOT}/%{shimefivendor}/%{bootcsv} > /tmp/%{bootcsv}.tmp
@ -194,14 +179,6 @@ make test
 %{shimefivendor}/*.efi
 %{shimefivendor}/*.hash
 %files signed
 %ifarch aarch64 
 %{shimBOOT}/BOOTAA64_CFCA.EFI
 %endif
 %ifarch x86_64
 %{shimBOOT}/BOOTX64_CFCA.EFI
 %endif
 %files debuginfo
 %defattr(-,root,root,-)
 /usr/lib/debug/*
@ -213,21 +190,6 @@ make test
 /usr/src/debug/%{name}-%{version}-%{release}/*
 %changelog
 * Mon Jan 20 2025 xuce <xuce10@h-partners.com> -15.7-16
 - fix the issue that the gBS->LoadImage pointer was empty.
 * Tue Oct 29 2024 yanglongkang <yanglongkang@h-partners.com> -15.7-15
 - Correct the signature code.
 * Tue Oct 22 2024 fuanan <fuanan3@h-partners.com> -15.7-14
 - backport patch from upstream
 * Wed May 29 2024 jinlun <jinlun@huawei.com> -15.7-13
 - add CFCA sign shim
 * Fri May 17 2024 wangcheng <wangcheng156@huawei.com> - 15.7-12
 - Align section size up to page size for mem attrs
 * Wed May 8 2024 lijuzhang <lijuzhang@inspur.com> - 15.7-11
 - replace vendor for BOOTX64.CSV or BOOTAA64.CSV
--- a/shimaa64-cfca.efi
+++ b/shimaa64-cfca.efi
--- a/shimx64-cfca.efi
+++ b/shimx64-cfca.efi