diff -pruN 15.3-3/commit 15.4-0ubuntu7/commit
--- 15.3-3/commit	2021-03-23 18:42:26.000000000 +0000
+++ 15.4-0ubuntu7/commit	2021-03-30 21:04:30.000000000 +0000
@@ -1 +1 @@
-630b8dedfd8434353bce80ff89f63fd3113b086d
\ No newline at end of file
+20e4d9486fcae54ee44d2323ae342ffe68c920e6
\ No newline at end of file
diff -pruN 15.3-3/csv.c 15.4-0ubuntu7/csv.c
--- 15.3-3/csv.c	2021-03-23 18:39:44.000000000 +0000
+++ 15.4-0ubuntu7/csv.c	2021-03-30 20:55:03.000000000 +0000
@@ -55,8 +55,11 @@ parse_csv_data(char *data, char *data_en
 	size_t max = 0;
 	char *end = data_end;
 
-	if (!data || !end || end <= data || !n_columns || !list)
+	if (!data || !end || end <= data || !n_columns || !list) {
+		dprint(L"data:0x%lx end:0x%lx n_columns:%lu list:0x%lx\n",
+		       data, end, n_columns, list);
 		return EFI_INVALID_PARAMETER;
+	}
 
 	max = (uintptr_t)end - (uintptr_t)line + (end > line ? 1 : 0);
 
diff -pruN 15.3-3/debian/block_signed_deb 15.4-0ubuntu7/debian/block_signed_deb
--- 15.3-3/debian/block_signed_deb	2021-03-24 01:27:31.000000000 +0000
+++ 15.4-0ubuntu7/debian/block_signed_deb	1970-01-01 00:00:00.000000000 +0000
@@ -1,73 +0,0 @@
-#!/bin/sh
-#
-# Helper script for generating dbx entries for the Debian shim package
-#
-# GPL v2+
-#
-# Copyright 2020- Steve McIntyre <93sam@debian.org>
-
-REASON=""
-
-usage () {
-    echo "$0 <options> <deb1> ... <debN>"
-    echo
-    echo "generate hashes for the signed binaries in deb file(s) in"
-    echo "the correct format to go in the dbx.hashes file"
-    echo
-    echo " -r <reason> - the reason for the blacklisting, required for dbx"
-    echo
-    echo "and a list of .deb files to scan"
-}
-
-while getopts ":r:" o; do
-    case "${o}" in
-        r)
-            REASON=${OPTARG}
-            ;;
-        *)
-            echo "Unknown option ${o}"
-            usage
-            exit 1
-            ;;
-    esac
-done
-shift $((OPTIND-1))
-
-if [ "$REASON"x = ""x ]; then
-    echo "$0: Needs a reason to be specified"
-    echo
-    usage
-    exit 1
-fi
-
-for DEB in $@; do
-    DIR=$(mktemp -d)
-    if [ -f $DEB ]; then
-	BASEDEB=$(basename $DEB)
-	echo "###############################"
-	echo "# Files from $BASEDEB"
-	echo "# ($REASON)"
-	dpkg -x $DEB $DIR
-	for EFI in $(find $DIR -name *.signed); do
-	    BASE=$(basename $EFI)
-	    case $BASE in
-		*aa64*efi.signed)
-		    EFIARCH=aa64;;
-		*x64*efi.signed)
-		    EFIARCH=x64;;
-		*ia32*efi.signed)
-		    EFIARCH=ia32;;
-		*)
-		    echo "Can't determine EFI arch from $BASE. Abort"
-		    exit 1
-		    ;;
-	    esac
-	    echo "# $BASE"
-	    HASH=$(pesign --hash --padding --in $EFI | awk '{print $2}')
-	    echo "$HASH $EFIARCH"
-	done
-	echo "###############################"
-	echo
-    fi
-    rm -rf $DIR
-done
Binary files 15.3-3/debian/canonical-2021_amd64.esl and 15.4-0ubuntu7/debian/canonical-2021_amd64.esl differ
Binary files 15.3-3/debian/canonical-2021_arm64.esl and 15.4-0ubuntu7/debian/canonical-2021_arm64.esl differ
diff -pruN 15.3-3/debian/changelog 15.4-0ubuntu7/debian/changelog
--- 15.3-3/debian/changelog	2021-03-24 13:21:02.000000000 +0000
+++ 15.4-0ubuntu7/debian/changelog	2021-07-07 08:57:35.000000000 +0000
@@ -1,200 +1,196 @@
-shim (15.3-3) unstable; urgency=medium
+shim (15.4-0ubuntu7) hirsute; urgency=medium
 
-  * Update the timestamp for the 15.3-2 upload.
-  * Only include the upstream version in the Debian SBAT metadata, so
-    we don't break reproducibility on every minor packaging change.
-
- -- Steve McIntyre <93sam@debian.org>  Wed, 24 Mar 2021 13:21:05 +0000
-
-shim (15.3-2) unstable; urgency=medium
-
-  * Add missing build-dep on xxd for build-time unit tests
-
- -- Steve McIntyre <93sam@debian.org>  wed, 24 Mar 2021 02:21:53 +0000
-
-shim (15.3-1) unstable; urgency=medium
-
-  [ Steve McIntyre ]
-  * Switch to much-newer release with many fixes
-    + Particularly pulling in SBAT changes for better revocation support
-    + Remove all our old patches, no longer needed:
-      - avoid_null_vsprint.patch
-      - check_null_sn_ln.patch
-      - fixup_git.patch
-      - uname.patch
-      - use_compare_mem_gcc9.patch
-    + Now includes a vendor copy of gnu-efi with quite a few extra
-      fixes needed.
-    + Update copyright file to cover these changes
-  * Switch to using gcc-10 rather than gcc-9. Closes: #978521
-  * Add dbx entries for all our existing grub binaries
-    + They're insecure, let's break the chainloading hole.
-  * Add Debian SBAT data
-    + Add a Debian SBAT template, and rules to use it
-    + Adds a build-dep on dos2unix
-
- -- Steve McIntyre <93sam@debian.org>  Tue, 23 Mar 2021 23:39:48 +0000
-
-shim (15+1533136590.3beb971-10) unstable; urgency=medium
-
-  [ Debian Janitor ]
-  * Trim trailing whitespace.
-  * Use secure copyright file specification URI.
-  * debian/copyright: use spaces rather than tabs to start continuation
-    lines.
-  * Bump debhelper from old 11 to 12.
-  * Set debhelper-compat version in Build-Depends.
-  * Set upstream metadata fields: Bug-Database, Bug-Submit.
-  * Update standards version to 4.4.1, no changes needed.
-
-  [ Steve McIntyre ]
-  * Trivial changes to generating the inbuilt dbx if we're using it.
-  * Upload to pick up rotated Debian signing keys
-
- -- Steve McIntyre <93sam@debian.org>  Fri, 24 Jul 2020 01:22:46 +0100
-
-shim (15+1533136590.3beb971-9) unstable; urgency=medium
-
-  [ Steve McIntyre ]
-  * In the -helpers-ARCH-signed packages, change the version
-    dependency on shim-unsigned to be >= and not =. This will allow
-    for installation to still work in the window while we wait for the
-    template package to do its second trip through the
-    archive. Closes: #955356
-
- -- Steve McIntyre <93sam@debian.org>  Mon, 30 Mar 2020 15:19:08 +0100
-
-shim (15+1533136590.3beb971-8) unstable; urgency=medium
-
-  [ Steve McIntyre ]
-  * Use --padding when calling pesign to generate hashes for the dbx
-    list, as recommended by Peter Jones. No actual changes needed in
-    our list of hashes at this point - they work out the same either
-    way.
-  * Switch to using gcc-9 for builds, tweaking a patch from upstream
-    to fix a FTBFS. Closes: #925816
-  * Update debhelper compat level to 11 for shim and the
-    signing-template
-
- -- Steve McIntyre <93sam@debian.org>  Tue, 24 Mar 2020 16:51:10 +0000
-
-shim (15+1533136590.3beb971-7) unstable; urgency=medium
-
-  [ Ansgar Burchardt ]
-  * debian/control: Update Vcs-* fields
-
-  [ Steve McIntyre ]
-  * Backport needed crash fixes:
-    + VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls
-    + Fix OBJ_create() to tolerate a NULL sn and ln
-  * Build using gcc-7 to get better control of reproducibility during the
-    lifetime of Buster.
-  * Build in a dbx list to blacklist binaries that we know to not be
-    secure. Build-depend on a new (bug-fixed) version of pesign to
-    generate that list at build time, using a list of known bad hashes.
-  * Initial list of known bad hashes is just my personal test binary.
-
- -- Steve McIntyre <93sam@debian.org>  Wed, 08 May 2019 02:05:01 +0100
-
-shim (15+1533136590.3beb971-6) unstable; urgency=medium
-
-  [ Steve McIntyre ]
-  * Add Provides: and Breaks: to shim-helpers-$arch-signed to fix
-    clashes with the old shim-signed package for fbx64.efi.signed and
-    mmx64.efi.signed. Closes: #924619
-
-  [ Helmut Grohne ]
-  * Fix FTCBFS: Set CROSS_COMPILE. (Closes: #922152)
-
- -- Steve McIntyre <93sam@debian.org>  Sat, 23 Mar 2019 18:19:13 +0000
-
-shim (15+1533136590.3beb971-5) unstable; urgency=medium
-
-  [ Ansgar Burchardt ]
-  * Correct maintainer address in signing template
-
-  [ Steve McIntyre ]
-  * Remove Rules-Requires-Root in the signing template. We manually install
-    things owned by root. There might be better ways to do this, but this
-    will do for now.
-
- -- Steve McIntyre <93sam@debian.org>  Tue, 12 Mar 2019 01:38:19 +0000
-
-shim (15+1533136590.3beb971-4) unstable; urgency=medium
-
-  [ Steve McIntyre ]
-  * No-change sourceful upload to get rebuilds (and hence build logs) from
-    the buildds. Hoping to get this version signed by Microsoft, so let's
-    make our setup as clean as possible.
-
- -- Steve McIntyre <93sam@debian.org>  Sat, 09 Mar 2019 22:24:23 +0000
-
-shim (15+1533136590.3beb971-3) unstable; urgency=medium
-
-  [ Philipp Hahn ]
-  * debian/rules: fixing permissions no longer required
-  * debian/rules: Disable ephemeral key on Debian.
-  * Rename binary package to 'shim-unsigned'
-  * Add template for signing {mm,fb}$ARCH.efi. (Closes: #922228)
-
-  [ Luca Boccassi ]
-  * Override lintian error about template rules file.
-  * Include /usr/share/dpkg/architecture.mk instead of shelling out.
-  * Add uname.patch to avoid embedding the kernel architecture in the
-    binary and to use a fixed string instead.
-
-  [ Steve McIntyre ]
-  * Change maintenance address to be the EFI team
-  * Add me and vorlon to the Uploaders list
-  * Rename the helper binary packages to shim-helpers-$arch.
-  * Update the signing-template JSON metadata to match new practice:
-    + Move all the data under a new top-level "packages" key
-    + Add an empty "trusted_certs" key - the helper binaries do not do any
-      further verification with an embedded key.
-
- -- Steve McIntyre <93sam@debian.org>  Fri, 08 Mar 2019 21:59:43 +0000
-
-shim (15+1533136590.3beb971-2) unstable; urgency=medium
-
-  * Update debian/watch.
-  * Update VCS to point to salsa.
-  * Fix debian/rules syntax for arm64 build.
-  * Enable build for i386.
-  * Ensure DEB_HOST_ARCH is set even if not present in the environment.
-  * Update Standards-Version.
-  * Update debian/copyright (drop reference to file no longer in source)
+  * Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
+  * Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
+  * Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
+  * mok: relax the maximum variable size check (LP: #1934780) (PR #369)
 
- -- Steve Langasek <vorlon@debian.org>  Mon, 11 Feb 2019 05:18:18 +0000
+ -- Julian Andres Klode <juliank@ubuntu.com>  Wed, 07 Jul 2021 10:57:35 +0200
 
-shim (15+1533136590.3beb971-1) unstable; urgency=medium
+shim (15.4-0ubuntu5) hirsute; urgency=medium
 
-  * New upstream release.
-    - debian/patches/second-stage-path: dropped; the default loader path now
-      includes an arch suffix.
-    - debian/patches/sbsigntool-no-pesign: dropped; no longer needed.
-  * Drop remaining patches that were not being applied.
-  * Sync packaging from Ubuntu:
-    - debian/copyright: Update upstream source location.
-    - debian/control: add a Build-Depends on libelf-dev.
-    - Enable arm64 build.
-    - debian/patches/fixup_git.patch: don't run git in clean; we're not
-      really in a git tree.
-    - debian/rules, debian/shim.install: use the upstream install target as
-      intended, and move files to the target directory using dh_install.
+  * Rebuild in hirsute to get a more stable target to keep shim reproducible
+    for a longer time.
+
+ -- Julian Andres Klode <juliank@ubuntu.com>  Wed, 16 Jun 2021 12:52:45 +0200
+
+shim (15.4-0ubuntu3) impish; urgency=medium
+
+  [ Steve Langasek ]
+  * Use -Zxz compression, for compatibility with dpkg in older releases.
+    LP: #1925673
+
+  [ Julian Andres Klode ]
+  * Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
+    is causing systems to run out of EFI storage space, or just hang up
+    when trying to write it (LP: #1924605) (LP: #1928434)
+  * Further relax the check for variable mirroring on non-secureboot systems
+    avoiding boot failures on out of space conditons (pull request #372)
+
+  [ Seth Forshee ]
+  * Don't unhook ExitBootServices() when EBS protection is disabled (LP: #1931136)
+    (pull request #378)
+
+ -- Julian Andres Klode <juliank@ubuntu.com>  Tue, 08 Jun 2021 16:42:17 +0200
+
+shim (15.4-0ubuntu2) hirsute; urgency=medium
+
+  [ Balint Reczey ]
+  * Fix boot on EFI 1.10 machines, for example on some MacBooks (LP: #1925010)
+
+  [ Dimitri John Ledkov ]
+  * Fix kernel warning when allocating MOK table (LP: #1925139)
+  * Fix booting with shim SBState disabled (LP: #1925140)
+
+ -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 20 Apr 2021 15:24:29 +0100
+
+shim (15.4-0ubuntu1) hirsute; urgency=medium
+
+  [ Dimitri John Ledkov ]
+  * New upstream release 15.4 LP: #1921134
+    - Update the commit hash in debian/rules
+  * debian/rules: add request to sign EFI binaries with archive signing key.
+  * debian/rules: stop using ENABLE_SHIM_CERT=1.
+  * debian/rules: add canonical 2021 DBX.
+  * deiban/rules: start using DISABLE_EBS_PROTECTION=1 to allow
+    chainloading shim to shim, and shim to kernel.efi.
+  * Add shim-dbg package, skip stripping files.
+  * Update watch file, now uscan can generate new upstream tarballs.
+  * Upgrade to debhelper 12.
+  * Drop gnu-efi build-dep, now vendored upstream.
+  * Add debian/rules target to generate gnu-efi components.
+  * Do not clean gnu-efi Makefile.orig
+  * Remove fallback 5s delay with TPM. LP: #1922581
+  * Add xxd build-dep to run unittests.
+
+  [ Chris Coulson ]
+  * Drop patches that are fixed upstream:
+    - debian/patches/Fix-OBJ_create-to-tolerate-a-NULL-sn-and-ln.patch
+    - debian/patches/MokManager-avoid-unaligned.patch
+    - debian/patches/tpm-correctness-1.patch
+    - debian/patches/tpm-correctness-2.patch
+    - debian/patches/tpm-correctness-3.patch
+    - debian/patches/MokManager-hidpi-support.patch
+    - debian/patches/fix-path-checks.patch
+  * Drop the ENABLE_HTTPBOOT option - this is always built now.
+    - update debian/rules
+  * Add vendor SBAT metadata to shim.
+    - add debian/sbat.ubuntu.csv.in
+    - update debian/rules
+  * Add vendor dbx esl to include-binaries
+  * Build-depend on dos2unix
+    - update debian/control
+
+ -- Dimitri John Ledkov <xnox@ubuntu.com>  Wed, 24 Mar 2021 11:32:25 +0000
+
+shim (15+1552672080.a4a1fbe-0ubuntu2) focal; urgency=medium
+
+  * d/patches/fix-path-checks.patch: Cherry-pick upstream fix for regression
+    in loading fwupd, or anything else specified as an argument (LP: #1864223)
+
+ -- Julian Andres Klode <juliank@ubuntu.com>  Fri, 20 Mar 2020 16:19:14 +0100
+
+shim (15+1552672080.a4a1fbe-0ubuntu1) eoan; urgency=medium
+
+  * New upstream snapshot 15+1552672080.a4a1fbe.
+  * debian/patches/VLogError-Avoid-NULL-pointer-dereferences-in-V-Sprin.patch,
+    debian/patches/fixup_git.patch: drop patches included in upstream.
+  * debian/patches/MokManager-avoid-unaligned.patch: Fix compilation with GCC9:
+    avoid -Werror=address-of-packed-member errors in MokManager.
+  * debian/patches/tpm-correctness-1.patch,
+    debian/patches/tpm-correctness-2.patch: fix issues in TPM calls to ensure
+    the measurements are consistent with what is entered in the TPM event log.
+  * debian/patches/tpm-correctness-3.patch: Don't log duplicate identical
+    TPM events.
+  * debian/patches/MokManager-hidpi-support.patch: Do a little bit more to
+    try to get a more usable screen resolution for MokManager when running on
+    HiDPI screens; by trying to detect such cases and switching to mode 0.
+  * debian/rules: update COMMIT_ID explicitly for this new snapshot.
+
+ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Fri, 11 Oct 2019 16:32:32 -0400
+
+shim (15+1533136590.3beb971-0ubuntu2) eoan; urgency=medium
+
+  * debian/copyright: Update upstream source location.
+  * d/p/VLogError-Avoid-NULL-pointer-dereferences-in-V-Sprin.patch: Fix
+    NULL pointer dereferences that lead to an exception error on arm64.
+    (LP: #1811722)
+  * d/p/Fix-OBJ_create-to-tolerate-a-NULL-sn-and-ln.patch: Fix NULL
+    pointer dereference when calling OBJ_create() that leads to an
+    exception error on arm64. (LP: #1811901)
+  * debian/rules: Fix syntax of else statement when setting EFI_ARCH.
+
+ -- dann frazier <dannf@ubuntu.com>  Tue, 30 Apr 2019 12:45:02 -0600
+
+shim (15+1533136590.3beb971-0ubuntu1) cosmic; urgency=medium
+
+  [ Steve Langasek ]
+  * Fix Vcs link.
+
+  [ dann frazier ]
+  * Enable arm64 build.
+
+  [ Mathieu Trudel-Lapierre ]
+  * New upstream snapshot.
+  * debian/patches/abort_abort_abort.patch: dropped patch, included upstream.
+  * debian/rules:
     - define RELEASE and COMMIT_ID for the snapshot.
     - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
+  * debian/patches/fixup_git.patch: don't run git in clean; we're not really
+    in a git tree.
+
+ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Wed, 22 Aug 2018 10:52:10 -0400
+
+shim (13-0ubuntu2) bionic; urgency=medium
+
+  * debian/patches/abort_abort_abort.patch: signtool.exe isn't happy with some
+    of the structure of our binary, partly because abort() is thought to be an
+    external symbol, which causes some relocalisations to appear.
+
+ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Tue, 07 Nov 2017 10:19:04 -0500
+
+shim (13-0ubuntu1) artful; urgency=medium
+
+  * New upstream release: 13
+  * debian/control: add a Build-Depends on libelf-dev.
+  * debian/control: add Breaks: for the previous shim-signed builds given
+    that shim will now build and ship BOOT.CSV by itself.
+  * debian/rules:
     - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
       options: set MAKELEVEL.
     - Define an EFI_ARCH variable, and use that for paths to shim. This
       makes it possible to build a shim for other architectures than amd64.
-    - Set EFIDIR=$distro for dh_auto_install; that will let files be installed
+    - Set EFIDIR=ubuntu for dh_auto_install; that will let files be installed
       in the "right" final directories, and makes boot.csv for us.
     - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
       at compile-time for MokManager and fallback.
     - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
       and MokManager.
+  * debian/patches/second-stage-path: dropped; the default loader path now
+    includes an arch suffix.
+  * debian/patches/sbsigntool-no-pesign: dropped; no longer needed..
+  * debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: dropped,
+    included upstream.
+  * debian/shim.install: update paths in light of using shim's upstream install
+    target.
+  * debian/rules, debian/shim.install: make sure the 'make install' step does
+    what it's meant to do by upstream: we can easily make use of the end result
+    to have the files we need.
+
+ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Fri, 29 Sep 2017 15:11:28 -0400
 
- -- Steve Langasek <vorlon@debian.org>  Sat, 09 Feb 2019 07:23:19 +0000
+shim (0.9+1474479173.6c180c6-1ubuntu1) zesty; urgency=medium
+
+  [ Steve Langasek ]
+  * Merge (not yet NEW cleared) changes from Debian branch.
+
+  [ Mathieu Trudel-Lapierre ]
+  * debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: guard
+    against errors in mirroring MokSBState to MokSBStateRT. Thanks to Ivan Hu
+    for the patch. This will fix issues updating MokSBStateRT if the variable
+    already exists with different attributes. (LP: #1644806)
+
+ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Thu, 01 Dec 2016 16:55:50 -0500
 
 shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium
 
@@ -217,13 +213,13 @@ shim (0.9+1474479173.6c180c6-1) unstable
 
  -- Julien Cristau <jcristau@debian.org>  Sat, 15 Oct 2016 15:17:34 +0200
 
-shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium
+shim (0.9+1474479173.6c180c6-0ubuntu1) yakkety; urgency=medium
 
   [ Helen Koike ]
-  * debian/copyright: add OpenSSL license
+  * debian/copyright: add OpenSSL license 
 
   [ Mathieu Trudel-Lapierre ]
-  * New upstream release.
+  * New upstream release. (LP: #1624096)
   * debian/copyright: patches should be BSD, like the rest of the upstream
     code.
   * debian/patches/unused-variable: dropped; applied upstream.
@@ -232,7 +228,7 @@ shim (0.9+1474479173.6c180c6-0ubuntu1) U
     file to properly pick up shim (shim$arch), MokManager (mm$arch), and
     fallback (fb$arch).
 
- -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Wed, 21 Sep 2016 20:29:44 -0400
+ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Thu, 22 Sep 2016 15:02:20 -0400
 
 shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium
 
@@ -245,7 +241,7 @@ shim (0.9+1465500757.14a5905-0ubuntu1) y
   * Refreshed patches.
     - Remaining patches:
       + second-stage-path
-      + sbsigntool-not-pesign
+      + sbsigntool-not-pesign 
   * debian/patches/unused-variable: remove unused variable size.
   * debian/patches/binutils-version-matching: revert d9a4c912 to correctly
     match objcopy's version on Ubuntu.
diff -pruN 15.3-3/debian/control 15.4-0ubuntu7/debian/control
--- 15.3-3/debian/control	2021-03-24 13:15:07.000000000 +0000
+++ 15.4-0ubuntu7/debian/control	2021-07-07 08:57:35.000000000 +0000
@@ -1,26 +1,16 @@
 Source: shim
 Section: admin
 Priority: optional
-Maintainer: Debian EFI team <debian-efi@lists.debian.org>
-Uploaders: Steve Langasek <vorlon@debian.org>, Steve McIntyre <93sam@debian.org>
-Standards-Version: 4.4.1
-Build-Depends: debhelper-compat (= 12),
-	       gnu-efi (>= 3.0u),
-	       sbsigntool,
-	       openssl,
-	       libelf-dev,
-	       gcc-10,
-	       dos2unix,
-	       pesign (>= 0.112-5),
-	       xxd
-Vcs-Browser: https://salsa.debian.org/efi-team/shim
-Vcs-Git: https://salsa.debian.org/efi-team/shim.git
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Steve Langasek <vorlon@debian.org>
+Standards-Version: 4.5.0
+Build-Depends: debhelper-compat (= 12), libelf-dev, dos2unix, dh-buildinfo, xxd
+Vcs-Git: https://git.launchpad.net/~ubuntu-core-dev/shim/+git/shim
 
-Package: shim-unsigned
-Architecture: amd64 arm64 i386
+Package: shim
+Architecture: amd64 arm64
 Depends: ${shlibs:Depends}, ${misc:Depends}
-Conflicts: shim (<< 15+1533136590.3beb971-3~),
-Replaces: shim (<< 15+1533136590.3beb971-3~),
+Breaks: shim-signed (<< 1.33~)
 Description: boot loader to chain-load signed boot loaders under Secure Boot
  This package provides a minimalist boot loader which allows verifying
  signatures of other UEFI binaries against either the Secure Boot DB/DBX or
@@ -28,23 +18,15 @@ Description: boot loader to chain-load s
  infrequently-changing binary to be signed by the UEFI CA, while allowing
  an OS distributor to revision their main bootloader independently of the CA.
 
-Package: shim-helpers-amd64-signed-template
-Architecture: amd64
-Depends: ${misc:Depends},
-Description: boot loader to chain-load signed boot loaders (signing template)
- This package contains template files for shim-helpers-amd64-signed.
- This is only needed for Secure Boot signing.
-
-Package: shim-helpers-i386-signed-template
-Architecture: i386
-Depends: ${misc:Depends},
-Description: boot loader to chain-load signed boot loaders (signing template)
- This package contains template files for shim-helpers-i386-signed.
- This is only needed for Secure Boot signing.
-
-Package: shim-helpers-arm64-signed-template
-Architecture: arm64
-Depends: ${misc:Depends},
-Description: boot loader to chain-load signed boot loaders (signing template)
- This package contains template files for shim-helpers-arm64-signed.
- This is only needed for Secure Boot signing.
+Package: shim-dbg
+Architecture: amd64 arm64
+Section: debug
+Depends: ${shlibs:Depends}, ${misc:Depends}, shim (= ${binary:Version})
+Description: boot loader to chain-load signed boot loaders under Secure Boot (dbg symbols)
+ This package provides a minimalist boot loader which allows verifying
+ signatures of other UEFI binaries against either the Secure Boot DB/DBX or
+ against a built-in signature database.  Its purpose is to allow a small,
+ infrequently-changing binary to be signed by the UEFI CA, while allowing
+ an OS distributor to revision their main bootloader independently of the CA.
+ .
+ Debug symbols.
diff -pruN 15.3-3/debian/copyright 15.4-0ubuntu7/debian/copyright
--- 15.3-3/debian/copyright	2021-03-24 01:27:31.000000000 +0000
+++ 15.4-0ubuntu7/debian/copyright	2021-07-07 08:57:35.000000000 +0000
@@ -1,15 +1,15 @@
-Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: shim
-Upstream-Contact: Peter Jones <pjones@redhat.com>
+Upstream-Contact: Matthew Garrett <mjg59@coreos.com>
 Source: https://github.com/rhboot/shim
 
 Files: *
-Copyright: 2012-2021 Red Hat, Inc
- 	2009-2016 Intel Corporation
+Copyright: 2012-2013 Red Hat, Inc
+	2009-2016 Intel Corporation
 License: BSD-2-Clause
 
 Files: debian/patches/*
-Copyright: 2021 Steve McIntyre
+Copyright: 2016 Canonical Ltd.
 License: BSD-2-Clause
 
 Files: crypt_blowfish.*
@@ -32,25 +32,25 @@ License: BSD-2-Clause
 
 Files: include/Http.h
 Copyright: 2016 Intel Corporation
- 	2015 Hewlett Packard Enterprise Development LP
+	2015 Hewlett Packard Enterprise Development LP
 License: BSD-2-Clause
 
 Files: include/PeImage.h
 Copyright: 2006-2010 Intel Corporation
- 	2008-2009 Apple Inc
+	2008-2009 Apple Inc
 License: BSD-2-Clause
 
 Files: lib/*.c
 Copyright: 2011-2012 Intel Corporation
- 	2012 <James.Bottomley@HansenPartnership.com>
- 	2012-2013 Red Hat, Inc
+	2012 <James.Bottomley@HansenPartnership.com>
+	2012-2013 Red Hat, Inc
 License: BSD-2-Clause
 
 Files: Cryptlib/OpenSSL/* Cryptlib/Include/openssl/*
 Copyright: 1998-2016 The OpenSSL Project
- 	1995-1998 Eric Young (eay@cryptsoft.com)
- 	2002 Sun Microsystems, Inc
- 	2005 Nokia
+	1995-1998 Eric Young (eay@cryptsoft.com)
+	2002 Sun Microsystems, Inc
+	2005 Nokia
 License: OpenSSL and Original-SSLeay
  OpenSSL License
  ---------------
@@ -162,7 +162,7 @@ Files: Cryptlib/Include/openssl/seed.h
 Copyright: 2007 KISA(Korea Information Security Agency)
 License: BSD-2-Clause
 
-Files: Cryptlib/OpenSSL/crypto/LPdir_nyi.c
+Files: Cryptlib/OpenSSL/crypto/o_dir.h Cryptlib/OpenSSL/crypto/LPdir_nyi.c
 Copyright: 2004, Richard Levitte <richard@levitte.org>
 License: BSD-2-Clause
 
@@ -227,167 +227,6 @@ License: BSD-3-Clause-Intel
  NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
  SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-Files: gnu-efi/*
-Copyright: 1999-2014 Hewlett-Packard Co.
-           2013 Jerry Hoemann <jerry.hoemann@hp.com>
-           2013 David Decotigny <decot@googlers.com>
-           2005 Intel Co
-           2014 Linaro Ltd. <ard.biesheuvel@linaro.org>
-License: BSD-3-clause-HP
-
-Files: gnu-efi/inc/* gnu-efi/lib/*
-Copyright: 1996-2013 Intel Corporation
-           2008-2009, Apple Inc. All rights reserved.
-           2011,2013 ARM. All rights reserved.
-License: BSD-2-clause-Intel
-
-Files: gnu-efi/lib/Makefile gnu-efi/lib/x86_64/callwrap.c
-Copyright: 1999-2001 Hewlett-Packard Co.
-           2007-2010 Intel Corp
-License: BSD-3-clause-HP
-
-Files: gnu-efi/inc/efipoint.h
-Copyright: 2014 by John Cronin
-License: Expat
-
-Files: gnu-efi/inc/protocol/efidbg.h gnu-efi/inc/protocol/ia64/eficontext.h
-Copyright: 1999-2007 Intel Corp.
-License: BSD-4-clause-Intel
-
-Files: gnu-efi/inc/aarch64/efibind.h
-       gnu-efi/inc/arm/efibind.h
-       gnu-efi/gnuefi/crt0-efi-arm.S
-       gnu-efi/gnuefi/crt0-efi-aarch64.S
-       gnu-efi/lib/aarch64/initplat.c
-       gnu-efi/lib/aarch64/math.c
-       gnu-efi/lib/arm/initplat.c
-       gnu-efi/lib/arm/math.c
-Copyright: 2014 - 2015 Linaro Ltd.
-License: BSD-2-clause-Linaro or GPL-2+
-
-License: BSD-2-clause-Linaro
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
- 1. Redistributions of source code must retain the above copyright
-    notice and this list of conditions, without modification.
- 2. The name of the author may not be used to endorse or promote products
-    derived from this software without specific prior written permission.
-
-License: BSD-3-clause-HP
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
- .
- * Redistributions of source code must retain the above copyright
-   notice, this list of conditions and the following disclaimer.
- * Redistributions in binary form must reproduce the above
-   copyright notice, this list of conditions and the following
-   disclaimer in the documentation and/or other materials
-   provided with the distribution.
- * Neither the name of Hewlett-Packard Co. nor the names of its
-   contributors may be used to endorse or promote products derived
-   from this software without specific prior written permission.
- .
- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
- CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
- MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
- BE LIABLE FOR ANYDIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
- TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
- THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- SUCH DAMAGE.
-
-License: BSD-2-clause-Intel
- Redistribution and use in source and binary forms, with or without modification, are permitted
- provided that the following conditions are met:
- .
- Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
- .
- Redistributions in binary form must reproduce the above copyright notice, this
- list of conditions and the following disclaimer in the documentation and/or
- other materials provided with the distribution.
- .
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
- FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL INTEL BE
- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE. THE EFI SPECIFICATION AND ALL OTHER INFORMATION
- ON THIS WEB SITE ARE PROVIDED "AS IS" WITH NO WARRANTIES, AND ARE SUBJECT
- TO CHANGE WITHOUT NOTICE.
-
-License: BSD-4-clause-Intel
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
- .
- 1. Redistributions of source code must retain the above copyright
-    notice, this list of conditions and the following disclaimer.
- .
- 2. Redistributions in binary form must reproduce the above copyright
-    notice, this list of conditions and the following disclaimer in the
-    documentation and/or other materials provided with the distribution.
- .
- 3. All advertising materials mentioning features or use of this software
-    must display the following acknowledgement:
- .
-   This product includes software developed by Intel Corporation and
-   its contributors.
- .
- 4. Neither the name of Intel Corporation or its contributors may be
-    used to endorse or promote products derived from this software
-    without specific prior written permission.
- .
- THIS SOFTWARE IS PROVIDED BY INTEL CORPORATION AND CONTRIBUTORS ``AS IS''
- AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- ARE DISCLAIMED. IN NO EVENT SHALL INTEL CORPORATION OR CONTRIBUTORS BE
- LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
- THE POSSIBILITY OF SUCH DAMAGE.
-
-License: Expat
- Permission is hereby granted, free of charge, to any person obtaining a copy
- of this software and associated documentation files (the "Software"), to deal
- in the Software without restriction, including without limitation the rights
- to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- copies of the Software, and to permit persons to whom the Software is
- furnished to do so, subject to the following conditions:
- .
- The above copyright notice and this permission notice shall be included in
- all copies or substantial portions of the Software.
- .
- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- THE SOFTWARE.
-
-License: GPL-2+
- Alternatively, this software may be distributed under the terms of the
- GNU General Public License as published by the Free Software Foundation;
- either version 2 of the License, or (at your option) any later version.
- .
- On Debian systems, the full text of the GNU General Public License version
- 2 can be found in the file `/usr/share/common-licenses/GPL-2'.
-
 License: BSD-2-Clause
  Redistribution and use in source and binary forms, with or without
  modification, are permitted provided that the following conditions
diff -pruN 15.3-3/debian/debian-dbx.hashes 15.4-0ubuntu7/debian/debian-dbx.hashes
--- 15.3-3/debian/debian-dbx.hashes	2021-03-24 01:27:31.000000000 +0000
+++ 15.4-0ubuntu7/debian/debian-dbx.hashes	1970-01-01 00:00:00.000000000 +0000
@@ -1,1188 +0,0 @@
-# debian-dbx.hashes
-#
-# This file contains the sha256 sums of the binaries that we want to
-# blacklist directly in our signed shim. Add entries below, with comments
-# to explain each entry (where possible).
-#
-# The data in this file needs should be of the form:
-#
-# <hex-encoded sha256 checksums> <arch>
-#
-# All other lines will be ignored. I'm using shell-style comments just
-# for clarity.
-#
-# The hashes are generated using:
-#
-#     pesign --hash --padding --in <binary>
-#
-# on *either* the signed or unsigned binary, pesign doesn't care
-# which. See the helper script block_signed_deb for an easy way to
-# generate this information.
-
-# Files from grub-efi-arm64-signed_1+2.02+dfsg1+16_arm64.deb
-# (allows use of the devicetree command in secure mode)
-# grubaa64.efi.signed
-1c88f32ebd6ecd1a84d83940f78b0d69168a4ff57a1f57fd070e7307899bbc99 aa64
-# grubnetaa64.efi.signed
-7f5074f42eb92f183fa8748c92992bae8b23a963bc9f8b85692ee7116dc3dcb0 aa64
-# gcdaa64.efi.signed
-d9e95ad9ea0e0df522f7f41ef9fd9cb5e65cfb0c285465aabd077023e6edb6ba aa64
-
-# Files from grub-efi-arm64-signed_1+2.02+dfsg1+17_arm64.deb
-# (allows use of the devicetree command in secure mode)
-# grubaa64.efi.signed
-77fb2b05450520eecdbbfa3070fb26405d151b576cd6dffc8cab6a2f0bcff10c aa64
-# grubnetaa64.efi.signed
-d70b41ea19ea19836198252ac90b1b6fca40ad6baa3911b4a27e886e6423426a aa64
-# gcdaa64.efi.signed
-44f20309d8b0f661da2c3cf225ba9c0f7b8a2d6ff3885ecba710e5907870ee24 aa64
-
-###############################
-# Files from grub-efi-amd64-signed_1+2.02+dfsg1+10_amd64.deb
-# (unsafe chainload)
-# gcdx64.efi.signed
-751c16482bbf4453f268744dcf90b2b8555dd64199f89d2f86c644dfaacc01ef x64
-# grubx64.efi.signed
-a5f1bae582dcc2e8416c004bd56c04527c3f238a41428dd2b83d112b5c6d9667 x64
-# grubnetx64.efi.signed
-015bf9678451dbd2cc6e2fb4a1cdcfd0468ab0d70b19afd51dd2ee387899b6da x64
-###############################
-
-###############################
-# Files from grub-efi-amd64-signed_1+2.02+dfsg1+11_amd64.deb
-# (unsafe chainload)
-# gcdx64.efi.signed
-0be28827b3d666cd3e6010f337a60c45a3afba8a170774117b3fe2b92670e996 x64
-# grubx64.efi.signed
-6eacdc7c65174408622cfa9ba00302ef2dff2ff885e13b6490eeaf5737fd5748 x64
-# grubnetx64.efi.signed
-6aa9f1b9427817cb77723d6422b680b83d6faaf26b3599bd7fe1d7542f33dc9f x64
-###############################
-
-###############################
-# Files from grub-efi-amd64-signed_1+2.02+dfsg1+13_amd64.deb
-# (unsafe chainload)
-# gcdx64.efi.signed
-e85dda4456e2191d29dcd4f78504b85637b78ed49a0fd4fa0b22d60413cef907 x64
-# grubx64.efi.signed
-b6d25355011b8f9f8aa85b4bf6f0eb6f4077eb4705b62c24adf43a360eb00b35 x64
-# grubnetx64.efi.signed
-1acf21947d9b37e0f0eb095be0ef007f4d0a77f25de1d31d672a60b4d6d224d1 x64
-###############################
-
-###############################
-# Files from grub-efi-amd64-signed_1+2.02+dfsg1+16_amd64.deb
-# (unsafe chainload)
-# gcdx64.efi.signed
-7d070db34e93665210de2cfccb6c2acbf762f1c64a830cfed01987bcb31003e5 x64
-# grubx64.efi.signed
-c7b57dae0631bf83f1ddf3782fa45c203034d15585cd3803fddea0e67f898bbb x64
-# grubnetx64.efi.signed
-3a087cbfee5747e708ad0eb461b1a219d44800610bf93e01bf2cda99fca85733 x64
-###############################
-
-###############################
-# Files from grub-efi-amd64-signed_1+2.02+dfsg1+17_amd64.deb
-# (unsafe chainload)
-# gcdx64.efi.signed
-000f1547bb113601d65df9cb74ac62dd6d2ca85a0c2bb375c2f0ecedb59c84a4 x64
-# grubx64.efi.signed
-25677d1f00f5ec8af184844faedc4e0d2fb056711665d2bb5adb8cba396a6560 x64
-# grubnetx64.efi.signed
-2443f350c846fc8b9adf0281ffdaddb02a678616e23e97f62add19ec0c1d9b24 x64
-###############################
-
-###############################
-# Files from grub-efi-amd64-signed_1+2.02+dfsg1+18_amd64.deb
-# (unsafe chainload)
-# gcdx64.efi.signed
-3060b72acb7bea0374c79f3f2aa695d59765090ded6732c85b9aba8bf3b7c099 x64
-# grubx64.efi.signed
-0afc5b94162632103bf4747a06c58d6c6aa88b66da6fe86251c313e1319a0a25 x64
-# grubnetx64.efi.signed
-fa72b0a14c76d5875a8718be938f995ca3a4870cd3610186bcc398824b2bc148 x64
-###############################
-
-###############################
-# Files from grub-efi-amd64-signed_1+2.02+dfsg1+19_amd64.deb
-# (unsafe chainload)
-# gcdx64.efi.signed
-6e5b895654bce04ef5c4bcc3b169b9edb6c63cffe2b871d27290d94b4d842f27 x64
-# grubx64.efi.signed
-786ca7ed45ac4422e47275a89e44765732ca02da061f7dafb87acde792ba3ba2 x64
-# grubnetx64.efi.signed
-cc5f580dc70e5ad6d0bc3bdd4627fceb4177a3b78f4de221af37aa5dc78665a8 x64
-# grubnetx64-installer.efi.signed
-87066aa9201de0cf135707f4eed0ee60f578174310698312539c34782c1094e9 x64
-###############################
-
-###############################
-# Files from grub-efi-amd64-signed_1+2.02+dfsg1+20+deb10u1_amd64.deb
-# (unsafe chainload)
-# gcdx64.efi.signed
-0d390c6d08e2836d9f222cb3b99efef4e506196a7bfae9f5fae36aee6032e77e x64
-# grubx64.efi.signed
-52e243c5a619442347811bfb910a1d2851f43b195cbef07705f3bf8314880b59 x64
-# grubnetx64.efi.signed
-6d29f8a3c575c67bb033b48cfc52840e91b1a69aa78c73bdc1337e3cf62ee10a x64
-# grubnetx64-installer.efi.signed
-cf757a1bb1bdaf9b58c0485385e086690ec590f2681e853b9d15a51818b120c2 x64
-###############################
-
-###############################
-# Files from grub-efi-amd64-signed_1+2.02+dfsg1+20+deb10u2_amd64.deb
-# (unsafe chainload)
-# gcdx64.efi.signed
-a16043dd753c650157619d69d18c03c8453a0f2da56bdbff1d2348a84efc0dd4 x64
-# grubx64.efi.signed
-fa0d9a7274925078bde75505f00bcf98391309a9dc789ee3a5493fbf6362de36 x64
-# grubnetx64.efi.signed
-ef7b541191d1c6b65d4ab241368f7a979a89ccfe16da8e4c9f149c2424ec5710 x64
-# grubnetx64-installer.efi.signed
-78ed11f5a1eac5628a0e854bf7fd6de7642d13619cbd2412ce60c3f07d81002a x64
-###############################
-
-###############################
-# Files from grub-efi-amd64-signed_1+2.02+dfsg1+20+deb10u3_amd64.deb
-# (unsafe chainload)
-# gcdx64.efi.signed
-230ee05286d379aadfaafbb764c61ab3cd2a760f139cb00c2b38346570ddae21 x64
-# grubx64.efi.signed
-a9bde7f125657cb9e30974274b8b2762b2aa7cb86d8de9386a645a49077aaf8e x64
-# grubnetx64.efi.signed
-773c4fee4332fc029698ccb5d8fa55d7b9dc73eb12995bfb66567b30deed5ae1 x64
-# grubnetx64-installer.efi.signed
-1d0ff5d3680cf4353c98dfe766c0608f5ae30bad0fa923846d81ca86233abab8 x64
-###############################
-
-###############################
-# Files from grub-efi-amd64-signed_1+2.02+dfsg1+20_amd64.deb
-# (unsafe chainload)
-# gcdx64.efi.signed
-ac484f162560cd3f83eaf90623b3fbfa2a093b05292ab57fb8ff668403694577 x64
-# grubx64.efi.signed
-1767e0481a19f72d1b33638deaef4661409e25285df025e8149bc6bbce4eee0f x64
-# grubnetx64.efi.signed
-4aa811079e9e59d2a0576a9c9174d18722ab6556cb088c2898bcf0a61dce88da x64
-# grubnetx64-installer.efi.signed
-10e431ea8b1a9e39e53b254d0e839b13a0ecb2a52566aaea9774e0467cc56d92 x64
-###############################
-
-###############################
-# Files from grub-efi-amd64-signed_1+2.02+dfsg1+6_amd64.deb
-# (unsafe chainload)
-# gcdx64.efi.signed
-50b191787cbe9a9e6803171fc2dade8219c38159c0cc81a52e7606c843e58f1f x64
-# grubx64.efi.signed
-f6066e175e9a29bfe51ceeb65ac8d4157e389f1be36997e3fcd1ff6c6aa2d3cf x64
-# grubnetx64.efi.signed
-20a811ef02d85c0ef291c37c39c723d15c36c14d19a24e002371f9852c4bb231 x64
-###############################
-
-###############################
-# Files from grub-efi-amd64-signed_1+2.02+dfsg1+8_amd64.deb
-# (unsafe chainload)
-# gcdx64.efi.signed
-8da15dd44a09cd33f6fac876c38985571fba189d647f91d00490bc15ca28dd94 x64
-# grubx64.efi.signed
-831e6b229bfcb7ebf6e55d3ae9c2a06a27dea9b1d755fa82271a91c69a41ce99 x64
-# grubnetx64.efi.signed
-46e54151a199fb0c990929b323adb76c1dd8217d417ff9ad1cd508531d3a6de6 x64
-###############################
-
-###############################
-# Files from grub-efi-amd64-signed_1+2.02+dfsg1+9_amd64.deb
-# (unsafe chainload)
-# gcdx64.efi.signed
-f851c94d179ca17d07471a03958e309a4330b8079dfc402339e7b076f9874d38 x64
-# grubx64.efi.signed
-64460ab7507b4a2261a19060f6846134e292e68002f71ee27448c0c3cdc5ee98 x64
-# grubnetx64.efi.signed
-bd8409999f371329fef36821a53e7c52d83f4e31adbe33ef05e2f9b6bb72282d x64
-###############################
-
-###############################
-# Files from grub-efi-amd64-signed_1+2.04+10_amd64.deb
-# (unsafe chainload)
-# gcdx64.efi.signed
-c28557cb2d51dbe894a8705af07a3f086d46983c269c65db0db562644d71a9c4 x64
-# grubx64.efi.signed
-90bdff126fa4e77c99a89a29f8e9a9e7e7eb2659da465c157e93880b5a807a42 x64
-# grubnetx64.efi.signed
-bdb46833ae93c186a4a719301d5cfb078c11cc5d1e88cc341c346b10c58c8f5c x64
-# grubnetx64-installer.efi.signed
-ecada77dff34b45b2ec4b852266932e80a215ab0fed02df1685ef0237154513f x64
-###############################
-
-###############################
-# Files from grub-efi-amd64-signed_1+2.04+11_amd64.deb
-# (unsafe chainload)
-# gcdx64.efi.signed
-1ecb2f30ff67c2cd3caa63981b720b43986089590db3af36de12d9ce09abbe1c x64
-# grubx64.efi.signed
-54f557233a90ac4f6dc646d6881cbf1241436679868ae5087ccb527644a30dcd x64
-# grubnetx64.efi.signed
-872abcc3a9e8b61e42a6ba086b1ad34402c11ee27e7e72a63e9f7ac30e1d301f x64
-# grubnetx64-installer.efi.signed
-d990a6dfda341ef62012ea0fe28b771d450b9f8eee8c3ae9a94e0a064a8fceb4 x64
-###############################
-
-###############################
-# Files from grub-efi-amd64-signed_1+2.04+12_amd64.deb
-# (unsafe chainload)
-# gcdx64.efi.signed
-e37afd68a8763bdec1c07265648b1e178542e5f1ec26e9e5598239d1e9c75bb6 x64
-# grubx64.efi.signed
-aa8b76efb930dbd417c68fee97265dd3a0379c73d3303b38a2a2a3560d361004 x64
-# grubnetx64.efi.signed
-ae5b0ed99bcd661f5c8d52b782dabe7b261421ed834b91cef1bb68a97e44cf9e x64
-# grubnetx64-installer.efi.signed
-554722fe7f7058258c49b7f87fe4ac1206902ec2451321367aceb66be2be0b5c x64
-###############################
-
-###############################
-# Files from grub-efi-amd64-signed_1+2.04+14_amd64.deb
-# (unsafe chainload)
-# gcdx64.efi.signed
-a09f52586ef0b1efcc1862d5e46f777442f6cf6cf2084baeb7f2b38e074eb397 x64
-# grubx64.efi.signed
-428d1d29ba544e8de6210febeb1cc669a956c996b43adf91d710fcfa505e35e3 x64
-# grubnetx64.efi.signed
-b077857baadb151c9e349f1eb38ad218e155e55a893aca9316728dc11256196c x64
-# grubnetx64-installer.efi.signed
-89283a8ad93e975242410b160c2b8424a7ff643eaa724becaee6d6254dec51e8 x64
-###############################
-
-###############################
-# Files from grub-efi-amd64-signed_1+2.04+15_amd64.deb
-# (unsafe chainload)
-# gcdx64.efi.signed
-b1db19410bda63ee758e8cc3fd16b4ca7c1c352cc4b0e9124a67245256799342 x64
-# grubx64.efi.signed
-97809029ec2b5e8a9250ae6b0bc2d68b9f8984730f8eb0560cbcd54a43afcd2c x64
-# grubnetx64.efi.signed
-561a5ddce08a11d351ea62be8d28fd00a7bcdcf2e9dda40d465c39e94f507cdd x64
-# grubnetx64-installer.efi.signed
-31c713ad7db4f4cb4c9d58d186e6fb315664b065ae29e0e28fcce4f92cf45041 x64
-###############################
-
-###############################
-# Files from grub-efi-amd64-signed_1+2.04+1_amd64.deb
-# (unsafe chainload)
-# gcdx64.efi.signed
-ab8da0a09896f9ab210356c61bd48de47c2e7ad6abb08ab5de2c9147b264e5ea x64
-# grubx64.efi.signed
-70f603a94492f77b0aaebaf7ed064e9f5897c423c516cefe520e204bbeebc1f7 x64
-# grubnetx64.efi.signed
-fc4b4cfb306816d51905def8f8988aaffc95417775d93fc46b070fbb69d77b9d x64
-# grubnetx64-installer.efi.signed
-e2dfeb689e935e438c5ad2c5f02771515ce53679210365ca3793e20831df9fd2 x64
-###############################
-
-###############################
-# Files from grub-efi-amd64-signed_1+2.04+2_amd64.deb
-# (unsafe chainload)
-# gcdx64.efi.signed
-0634c3750da3dcbf941e8573dbea494ed82d3dbcea5030ac60f50e59f50dffbc x64
-# grubx64.efi.signed
-6a90324627ac8c5936f8c702d563ba05b1238c50320c67409db3b3b99941e6db x64
-# grubnetx64.efi.signed
-a3063dd2a30f0f37043209613cb58bfae5c2605e0e064c807bff744a9f861b68 x64
-# grubnetx64-installer.efi.signed
-eb731cdd4fe8bc0f5eb3e226d07f0f353ca15b3e01fd01383e52c43a6eb83149 x64
-###############################
-
-###############################
-# Files from grub-efi-amd64-signed_1+2.04+3_amd64.deb
-# (unsafe chainload)
-# gcdx64.efi.signed
-9d35b71778d839d381b6c98772102ff19273f5e2d75038be0f751bc8a5f1e194 x64
-# grubx64.efi.signed
-8c07e3fc1f5ef2e283cdd44c43251a2f8ad94427fbc963121f9ca27ac336cff3 x64
-# grubnetx64.efi.signed
-75ed7bb9759727e7a1daced47fb861badbd4e66171372314b34add980e5f6f3b x64
-# grubnetx64-installer.efi.signed
-187cead49f41c2d9489cf37f01df901494e8fe106fa3b71ee3f9f1c25b5676fb x64
-###############################
-
-###############################
-# Files from grub-efi-amd64-signed_1+2.04+4_amd64.deb
-# (unsafe chainload)
-# gcdx64.efi.signed
-67c62b92d123e8dabf43e38b95fbb945776a45654f60c685f06239d47517005b x64
-# grubx64.efi.signed
-2081b098039fa438674eb752f56fa45fe98621143c2a8c412eefe57490907761 x64
-# grubnetx64.efi.signed
-f85d9f3c934f6259cbe2012cde75ef7cd7a13645210f6f070764d18c7587205d x64
-# grubnetx64-installer.efi.signed
-6040ba5a04deea62df207710a3a590a0f51426e4b760c6f16bff01662c2012bd x64
-###############################
-
-###############################
-# Files from grub-efi-amd64-signed_1+2.04+5_amd64.deb
-# (unsafe chainload)
-# gcdx64.efi.signed
-636f2e9bc9d8ec73b623d692e9ba3789cbd658b0caec6fc0509c6aa8d1067d85 x64
-# grubx64.efi.signed
-bb4e97d80dfc968af9094c87769d159803616a778f4923c26f8684c151984220 x64
-# grubnetx64.efi.signed
-d527122b8b6f294daf47bb3f6abc20a3495454d57a52d3a6e00828409438c826 x64
-# grubnetx64-installer.efi.signed
-223a531bca865d942e3a9e77abf95d21a5aa99fd11c2ba59c7473bc637e2e481 x64
-###############################
-
-###############################
-# Files from grub-efi-amd64-signed_1+2.04+6_amd64.deb
-# (unsafe chainload)
-# gcdx64.efi.signed
-07970410f8f03b473ff34694dd9280d2c264d9268356e677e9946e3b778a94db x64
-# grubx64.efi.signed
-fe3c2a8c459cde5d38cec357905ea971ff54c30254a6cbb4a52521a49400d672 x64
-# grubnetx64.efi.signed
-ed8553dca668348dd8ec3fbeadf491f3fd571af73528a4a3022b88128bf290de x64
-# grubnetx64-installer.efi.signed
-85b058c02afa50ff10f90cfb7a3d6228fa415d0e176a2a17a9222cccaa12d7db x64
-###############################
-
-###############################
-# Files from grub-efi-amd64-signed_1+2.04+7_amd64.deb
-# (unsafe chainload)
-# gcdx64.efi.signed
-d2bc361c739436de457c4d22bed094932193b10c60089919fddf733c3ba2e0fe x64
-# grubx64.efi.signed
-3ccbb5ccd48d0df9e04dab91b22468a0121157b843d9565be18165ca5301b741 x64
-# grubnetx64.efi.signed
-2e53379217d63f0a1da3d62095f73b6c83ae865d96caa5460ca394aba0cac0a6 x64
-# grubnetx64-installer.efi.signed
-d6dc16ae717c1912c76b33cff9624d1c9cbe5694eee130f169188f658fb7577a x64
-###############################
-
-###############################
-# Files from grub-efi-amd64-signed_1+2.04+8_amd64.deb
-# (unsafe chainload)
-# gcdx64.efi.signed
-91ddb71a452eeaf0da54828acc65c15b07c455621091e66efa294c08e68bde0f x64
-# grubx64.efi.signed
-bb52dd8a063a15b6786e77941c30ea8f98e991aa3840a88e4eed41f6582b335a x64
-# grubnetx64.efi.signed
-4b80d0deb763d9acf37bf24ccf42cebdf74482c74bfb4d34df1289dc28b2d2de x64
-# grubnetx64-installer.efi.signed
-60ca9e465dc445284ffe1be7e9c968172c89636eaf9192e13a051c673b206681 x64
-###############################
-
-###############################
-# Files from grub-efi-amd64-signed_1+2.04+9_amd64.deb
-# (unsafe chainload)
-# gcdx64.efi.signed
-7a92fdc865ce1789edbf80754e7c62cf410e418cb5d24f95fbf1453e4868151e x64
-# grubx64.efi.signed
-3c0ac96386fc219dd5d1f0c55a1e6848eac92cec790d3d41e847a76387b00eef x64
-# grubnetx64.efi.signed
-403739eb24ec6588639255f2e5d914608b4f64cdf788256f0138bc91803910c0 x64
-# grubnetx64-installer.efi.signed
-59d51c1213bc20eaa07834a7092d96fd42c0fc4ff40b48e631f1564fd288a7d9 x64
-###############################
-
-###############################
-# Files from grub-efi-amd64-signed_1+2.04~rc1+1_amd64.deb
-# (unsafe chainload)
-# gcdx64.efi.signed
-6032dfd93b7e6ad7ed438ddd057ce6d50c2163b12a5d8b2cfea6557dc7215283 x64
-# grubx64.efi.signed
-5a2831c1006abc62a1f845d60875115ac4973470d1ecbc9ae167c38a888ec193 x64
-# grubnetx64.efi.signed
-f5f78bbdb76c517e1bb7937d6580af08308def1a9c5673b60525140f49b67f63 x64
-###############################
-
-###############################
-# Files from grub-efi-amd64-signed_1+2.04~rc1+2_amd64.deb
-# (unsafe chainload)
-# gcdx64.efi.signed
-7e28cc24ecf865d92c8c8cdd51d268fc8a0fbd998e15aff85b635a2c34db2d26 x64
-# grubx64.efi.signed
-54b4c63e31d4982844f6e3a64d8daa00bab5807e2217e1c1ce4f745a2b63eba2 x64
-# grubnetx64.efi.signed
-7b814d01a7bc0fab674832f353f4eb47c05934003611c7f5f323afb1c02c88c1 x64
-# grubnetx64-installer.efi.signed
-e5bf06310db498aee16a9dfdf9911e757f88d3464d9e11c57134ea8873842134 x64
-###############################
-
-###############################
-# Files from grub-efi-amd64-signed_1+2.04~rc1+3_amd64.deb
-# (unsafe chainload)
-# gcdx64.efi.signed
-c9e289be98cd0ac6aa7ed12cc87be8fd9638a665d8261619e914be6b47039bcf x64
-# grubx64.efi.signed
-01479b3bf9c9bb1dfa244266d8638417126568a00cfaf9ac0106ea6ca1ebc9ea x64
-# grubnetx64.efi.signed
-c26197fd9a38c0f150e9b9d190eebabee5965927574c38e8eb2302fa77f74758 x64
-# grubnetx64-installer.efi.signed
-b37d34cb6896e70fd9094b207977525a282c0d275470cfb093321f402beeb347 x64
-###############################
-
-###############################
-# Files from grub-efi-arm64-signed_1+2.02+dfsg1+10_arm64.deb
-# (unsafe chainload)
-# gcdaa64.efi.signed
-68706ca2dcbc3d26a851f8c83e799ad8d833847319ac7c027ec9b2a36c9ffb7f aa64
-# grubnetaa64.efi.signed
-392e3d96e96cd63945c85338fc82977b5e9e7885e2fc87ad6442ad9e0a60e04a aa64
-# grubaa64.efi.signed
-2c061bbbffa7916f59e1aa1aafe0beecb12addeb7da285ab88cb922aaf3c2c13 aa64
-###############################
-
-###############################
-# Files from grub-efi-arm64-signed_1+2.02+dfsg1+11_arm64.deb
-# (unsafe chainload)
-# gcdaa64.efi.signed
-aa245861393c4899fe6463d9408e1f0681d65472c90ab84748777b8719753973 aa64
-# grubnetaa64.efi.signed
-08a56d16e4e0e793851deac39e0ec047fc89412d7efd504c5332c853f0ac6220 aa64
-# grubaa64.efi.signed
-5f1446a5ecc1266188e610a6c04b16e7ccec889132c97ffbfe9d5485ebf875a5 aa64
-###############################
-
-###############################
-# Files from grub-efi-arm64-signed_1+2.02+dfsg1+13_arm64.deb
-# (unsafe chainload)
-# gcdaa64.efi.signed
-fc66d3605ee10ae9410f7186ba506806015f7085da774876e7a310eaf33cdcde aa64
-# grubnetaa64.efi.signed
-d0d6dd75a9aadafd4cb0670e057bf407a622fc651cdb4e3a30c97f724fc1b2a1 aa64
-# grubaa64.efi.signed
-4a27ef7ddb69838da4477a811176841da98c4bc172596e3522cc5f1d94596764 aa64
-###############################
-
-###############################
-# Files from grub-efi-arm64-signed_1+2.02+dfsg1+16_arm64.deb
-# (unsafe chainload)
-# gcdaa64.efi.signed
-d9e95ad9ea0e0df522f7f41ef9fd9cb5e65cfb0c285465aabd077023e6edb6ba aa64
-# grubnetaa64.efi.signed
-7f5074f42eb92f183fa8748c92992bae8b23a963bc9f8b85692ee7116dc3dcb0 aa64
-# grubaa64.efi.signed
-1c88f32ebd6ecd1a84d83940f78b0d69168a4ff57a1f57fd070e7307899bbc99 aa64
-###############################
-
-###############################
-# Files from grub-efi-arm64-signed_1+2.02+dfsg1+17_arm64.deb
-# (unsafe chainload)
-# gcdaa64.efi.signed
-44f20309d8b0f661da2c3cf225ba9c0f7b8a2d6ff3885ecba710e5907870ee24 aa64
-# grubnetaa64.efi.signed
-d70b41ea19ea19836198252ac90b1b6fca40ad6baa3911b4a27e886e6423426a aa64
-# grubaa64.efi.signed
-77fb2b05450520eecdbbfa3070fb26405d151b576cd6dffc8cab6a2f0bcff10c aa64
-###############################
-
-###############################
-# Files from grub-efi-arm64-signed_1+2.02+dfsg1+18_arm64.deb
-# (unsafe chainload)
-# gcdaa64.efi.signed
-56ae77da800c154e4052bf29948f03b8e7ac6e8de71cb4781fd67e250fe97c82 aa64
-# grubnetaa64.efi.signed
-a23dbe9f19a3c0f90075f5983a0e987017d385cb1efe769e6045dd4e7b36aa13 aa64
-# grubaa64.efi.signed
-57d3b997d68edf62d272fcfbc011fa903e1250a0c6bcc1afa4375fdb8b9df3d2 aa64
-###############################
-
-###############################
-# Files from grub-efi-arm64-signed_1+2.02+dfsg1+19_arm64.deb
-# (unsafe chainload)
-# grubnetaa64-installer.efi.signed
-cde27acb3148c6eb144b7524cbbe23f110260fbeb31efed400ac35a36e5948fb aa64
-# gcdaa64.efi.signed
-159551a611a0fa6eee7dfa58bd3dd3a3a8e1d746c7f1102966f1fd7b27d001a4 aa64
-# grubnetaa64.efi.signed
-22d647e810179938388b2bedcde79fedee66396d751592e51742ccab1ef0bfad aa64
-# grubaa64.efi.signed
-5f59cdac3491d335ea4189963c014543cf867a0820dee1715fc3989816da6fe6 aa64
-###############################
-
-###############################
-# Files from grub-efi-arm64-signed_1+2.02+dfsg1+20+deb10u1_arm64.deb
-# (unsafe chainload)
-# grubnetaa64-installer.efi.signed
-fc25726e6012bec4ca24e2f16c641747f5c68e40eae44b51ac3ca54125ab039e aa64
-# gcdaa64.efi.signed
-c05345ddac3792764685ee8e0dee4a59988a2205515b0bbee1fdc86cbd183dfb aa64
-# grubnetaa64.efi.signed
-a184bd36509cc0f60aca366c6c8008b9208e79c5cf7b44721d2106ef2ca2d673 aa64
-# grubaa64.efi.signed
-b5a6718a6011539b8d52583f41c78733b9e3520bca02d665f080b0fd9cc9b2c3 aa64
-###############################
-
-###############################
-# Files from grub-efi-arm64-signed_1+2.02+dfsg1+20+deb10u2_arm64.deb
-# (unsafe chainload)
-# grubnetaa64-installer.efi.signed
-842a4f0e553de29ac8a4272994f8a6e177b99af6f581f5c406e9132e430b0765 aa64
-# gcdaa64.efi.signed
-1550ad5da63425d0f3a9799ac3eba9de99119ed1c6590e2609b805e33db502bd aa64
-# grubnetaa64.efi.signed
-01124e7d6014ba3195d9ad69065f21f3e752509a6ac59c9dad8e12c9f3ea6007 aa64
-# grubaa64.efi.signed
-25dacd2cd533d0b0fce7661712f87cd243cabe58aca6c0f04b8d5c77d6d66cc0 aa64
-###############################
-
-###############################
-# Files from grub-efi-arm64-signed_1+2.02+dfsg1+20+deb10u3_arm64.deb
-# (unsafe chainload)
-# grubnetaa64-installer.efi.signed
-9a26dcb2fdd5ace465dd00b48b32dfa3348acd374c8d05ba1093259117098e03 aa64
-# gcdaa64.efi.signed
-010374717a5df2b8b39c1f67593e8624e0de96ee51a7cd81a3425cf968a89dae aa64
-# grubnetaa64.efi.signed
-55edc2038e1c1a35d05009653e2c5cb3a11e4a103ac10af64b475317e022065b aa64
-# grubaa64.efi.signed
-20b36be9f650df212f5dcb62cd7b95b7268a3909c46ee4532631e5ac2d577d7e aa64
-###############################
-
-###############################
-# Files from grub-efi-arm64-signed_1+2.02+dfsg1+20_arm64.deb
-# (unsafe chainload)
-# grubnetaa64-installer.efi.signed
-2fa14fcd9f4a162ca66bfaa6fce79f3ed4eefc848b9d0b5a6409e8d1630bfc1b aa64
-# gcdaa64.efi.signed
-1c5419269634ce3273ce0339d4d5d3d6314c3047b5be34ac5486806a48cb319c aa64
-# grubnetaa64.efi.signed
-c4992785b5e36b1f9968a6baf7982f9cc2fdf899258b9fb82ffa0ad0863ac1ce aa64
-# grubaa64.efi.signed
-51eca7f7d8bb4c7ba5f445e78e88013eaceb7234b5952466eade7fa1c97fca90 aa64
-###############################
-
-###############################
-# Files from grub-efi-arm64-signed_1+2.02+dfsg1+6_arm64.deb
-# (unsafe chainload)
-# gcdaa64.efi.signed
-28c791047d354d94d2896ced0b70c6264653d22bba861076dfd2db165d061bc1 aa64
-# grubnetaa64.efi.signed
-48938c738643cca4a12ffe9a8e3530a7b5929c3301a847cfe83c6804a7a719f0 aa64
-# grubaa64.efi.signed
-3fb809bd5040412ce55b8527f566679f4b1793da6244d476be598d4212a0594e aa64
-###############################
-
-###############################
-# Files from grub-efi-arm64-signed_1+2.02+dfsg1+8_arm64.deb
-# (unsafe chainload)
-# gcdaa64.efi.signed
-9f319a12599a3437adae2d9a9ab9712baceb61dc62e1c23b6706c6733b5a7eb5 aa64
-# grubnetaa64.efi.signed
-2a78c0f77cca12de8cc39d8cdc1d6eac33625f8f03802682ecc258efb984ab2f aa64
-# grubaa64.efi.signed
-0f9eb9e9e3d114d5ea85d68bcadba8479b71d4ef101abdbddaae105a5e6a09fa aa64
-###############################
-
-###############################
-# Files from grub-efi-arm64-signed_1+2.02+dfsg1+9_arm64.deb
-# (unsafe chainload)
-# gcdaa64.efi.signed
-50380d63966595c5a015d40c9da0981c9726f58de64e24e69a466d3b551a4ee9 aa64
-# grubnetaa64.efi.signed
-69a54b39881878cad2477c93a55a93dc343df0e763d894296f8cb9b20043695f aa64
-# grubaa64.efi.signed
-67a8268d112cb7f2f0cf7da6cdb0353b787da385963a53ea4d48a290e850e4f9 aa64
-###############################
-
-###############################
-# Files from grub-efi-arm64-signed_1+2.04+10_arm64.deb
-# (unsafe chainload)
-# grubnetaa64-installer.efi.signed
-e58595799e89fbee6dabb99f28b0c7b0bf7f69c59d9fd1d52925be22dbb24b4e aa64
-# gcdaa64.efi.signed
-7db7318784c1bf486fa2e24596f1adfc2a239d79aaddc4c5058db3496191f039 aa64
-# grubnetaa64.efi.signed
-6368f7dd128ac7ffdb23ffb8ba96c36f6702d449a8f949abc4c55af7b74d63c1 aa64
-# grubaa64.efi.signed
-953cafee706632a24e6160c7a342a21924d56bdad851212ff4e160789256c7d9 aa64
-###############################
-
-###############################
-# Files from grub-efi-arm64-signed_1+2.04+11_arm64.deb
-# (unsafe chainload)
-# grubnetaa64-installer.efi.signed
-49a2ba5e8fcdc8c89547ab8435fa8d7c11cee2bf881797d29efb9911186f4b4d aa64
-# gcdaa64.efi.signed
-29b5974e232a7ce58176c8b29188f3d954aba1da85cf1563f488710a91de7b3c aa64
-# grubnetaa64.efi.signed
-8e6f2e39dc35599166ad1187b6041e58a341961fe10649f2699f41f431138820 aa64
-# grubaa64.efi.signed
-8542405e2780521f4e258455efd50d1c238a77cb3755ab2f8b955cd8ae5c18f4 aa64
-###############################
-
-###############################
-# Files from grub-efi-arm64-signed_1+2.04+12_arm64.deb
-# (unsafe chainload)
-# grubnetaa64-installer.efi.signed
-26245aa8fa49d2c4b717acb90fafd43e9260e24b8b143d5181f76ca54a10a8e3 aa64
-# gcdaa64.efi.signed
-cfc61808373fc54b1b696690ad4ba6b951b5afcda5597ff14e9219d9e14fa607 aa64
-# grubnetaa64.efi.signed
-2b0bd30da6309f8e268da955f380519aa2e904c1d873b40280232abe761535ee aa64
-# grubaa64.efi.signed
-c52cdb02ea4362bfb20a66dfabdabfc543dfa7f50279e3a4cc2b3545df4803c0 aa64
-###############################
-
-###############################
-# Files from grub-efi-arm64-signed_1+2.04+14_arm64.deb
-# (unsafe chainload)
-# grubnetaa64-installer.efi.signed
-52f037b705da300a517955e0a0c1dcb77c52c998d8c52d10ce60d72130741b80 aa64
-# gcdaa64.efi.signed
-649572f5c42ec8e4d78e0bd47ad6490aea2de443ba3c4112dcce65c9b11b06c5 aa64
-# grubnetaa64.efi.signed
-108c1eeccce8beeb7a2ada1ad40133c5955a42d8f42e0d658c12ca9f84f5f4c2 aa64
-# grubaa64.efi.signed
-f9a2b1524fc3fc955bf7835a76e55c46edabe7ec280be8f1aaf3f527115d71ce aa64
-###############################
-
-###############################
-# Files from grub-efi-arm64-signed_1+2.04+15_arm64.deb
-# (unsafe chainload)
-# grubnetaa64-installer.efi.signed
-454446e653aee349cd2bc6eb79a43d3d2d2ea6cf134ed2ec1e21f8f5d19a6028 aa64
-# gcdaa64.efi.signed
-d430c2757f4425640dd36cfdca8496c25e0ce72e2cc69a8bbd98282733ec6f66 aa64
-# grubnetaa64.efi.signed
-f156da556c08dd5516fde3c39d59080aa0b580a05f45874e9a9d288f2e8f6530 aa64
-# grubaa64.efi.signed
-75eacb723cfcb621702db6c21b51d9d618d89ab87994d7621b227e89dc852b1e aa64
-###############################
-
-###############################
-# Files from grub-efi-arm64-signed_1+2.04+1_arm64.deb
-# (unsafe chainload)
-# grubnetaa64-installer.efi.signed
-aabbda6e2c80b2bbdd0dc8c56351f278c1c048ded0ddb89d9ba6ebc401c6f5e7 aa64
-# gcdaa64.efi.signed
-6ce7e4a55c47587125001795381f79125b17ce5b97a4ca8eb1a9b50867588633 aa64
-# grubnetaa64.efi.signed
-8079e03caf2cae406990b7394ab64ff31dc7817acc0f95460af73f79313cb177 aa64
-# grubaa64.efi.signed
-e3443d0331302352e7974e19c77372606ad379e75be87fe6ad0b02bceca8e0c0 aa64
-###############################
-
-###############################
-# Files from grub-efi-arm64-signed_1+2.04+2_arm64.deb
-# (unsafe chainload)
-# grubnetaa64-installer.efi.signed
-18c9ef47f56afa717403f48b9faea79787a1e072f881f5bbdfa87b0a7875e9a2 aa64
-# gcdaa64.efi.signed
-75781365265f50cda6057c1ff221800954c1b521c1b95fecb23deddece330e90 aa64
-# grubnetaa64.efi.signed
-df4b7c255861c92db01c1ed0fb641af93b2b484c2a99c1a41b7dbbb09d36f1ca aa64
-# grubaa64.efi.signed
-a5309bd57b3a7a914fc56c826b39ab7d76eff431bcbe068a6d33e15a568289be aa64
-###############################
-
-###############################
-# Files from grub-efi-arm64-signed_1+2.04+3_arm64.deb
-# (unsafe chainload)
-# grubnetaa64-installer.efi.signed
-0bb4b98103b7019c54795e2703d4537e3deb4e911d1656050d04e2b35b2f4fa1 aa64
-# gcdaa64.efi.signed
-62cefbca0ef5026471ee8a349918976b866b35d3548ae02fdbd84430460a81e4 aa64
-# grubnetaa64.efi.signed
-9a6e34fb1eb4050ef7d88783c737cff882dd190948ccad8f64e43ae90fb49443 aa64
-# grubaa64.efi.signed
-6e8d88321cd4ad443530e663c0a1474ca07de20d68121279b41e9a8bfd14ae44 aa64
-###############################
-
-###############################
-# Files from grub-efi-arm64-signed_1+2.04+4_arm64.deb
-# (unsafe chainload)
-# grubnetaa64-installer.efi.signed
-42e739c433d37f31139d0645b5a9736857747dc5fbac667242eb9100e84c7471 aa64
-# gcdaa64.efi.signed
-3a75240a23823a084c75919bd1d85e7d8647a041ea36f53a3f684b7c7d77c85a aa64
-# grubnetaa64.efi.signed
-7c5ed1931e7c73d65cf849d0a39e3d848b65c09ad0f365b6d30f82a3a6ddc3a4 aa64
-# grubaa64.efi.signed
-802fdff773bfd3ee8800c72666e2182bc312fc4d9559dfe3a473e0f3e49d50f6 aa64
-###############################
-
-###############################
-# Files from grub-efi-arm64-signed_1+2.04+5_arm64.deb
-# (unsafe chainload)
-# grubnetaa64-installer.efi.signed
-988b61ac65d2dac3699c8297b90c2b33db89554dea50ae71101e34f1985a9a17 aa64
-# gcdaa64.efi.signed
-4ec8abd2028d4f9cbaaa1529f627593658347e954119cf4218bbd10b26c9b84f aa64
-# grubnetaa64.efi.signed
-64d41bf8cb984e09c7bb59cbeb16cce4289c3e8f780cc4d92868a4f1080f6540 aa64
-# grubaa64.efi.signed
-3f5bda50e30b4b509d736a52bc49a8f97736bf9f017185487f1d97c641ebc9cd aa64
-###############################
-
-###############################
-# Files from grub-efi-arm64-signed_1+2.04+6_arm64.deb
-# (unsafe chainload)
-# grubnetaa64-installer.efi.signed
-89b285aadd0c01a63dab295e9ce2483dbdcba5f39e0b5cc6bea0ab32083edca4 aa64
-# gcdaa64.efi.signed
-1329aadb9747665af656aacd1f773b134c9e976708d3122d0434bbcc36234091 aa64
-# grubnetaa64.efi.signed
-be9dd50c503d7863869918912d07906d2ab82a9e0384a705aaf6f84731f481a3 aa64
-# grubaa64.efi.signed
-f2f47ded847ab42bdda27dae05c8ff2b23795ce08a893ee52b58e97e69e6299e aa64
-###############################
-
-###############################
-# Files from grub-efi-arm64-signed_1+2.04+7_arm64.deb
-# (unsafe chainload)
-# grubnetaa64-installer.efi.signed
-f3bea191c76b49031984a6cba7e2e604ca14b7251ddb412929946b9a6e7b718b aa64
-# gcdaa64.efi.signed
-99b2f423c04de4475c1cd62d7db60724cb26c15686471efc0366cc68df21f043 aa64
-# grubnetaa64.efi.signed
-d74621dc3c81ddd385128bfe02df1c7446c8f72f1832d839b276782b4612ec35 aa64
-# grubaa64.efi.signed
-125c2c2954922899cc568f03dcfd0768162aef8cf3621f5919078abd85895b48 aa64
-###############################
-
-###############################
-# Files from grub-efi-arm64-signed_1+2.04+8_arm64.deb
-# (unsafe chainload)
-# grubnetaa64-installer.efi.signed
-4d51ee0ab75a2499ac9f78f67305f5db54292ffa5497333c22a2bf617506aa00 aa64
-# gcdaa64.efi.signed
-7984b6e2f7795e33372fd61c547f3d5fedc3088f769aed1cb8fa8f524244656b aa64
-# grubnetaa64.efi.signed
-da49eb9b89d4efa92544fb282bbeb109cef3d51eb773f4844c0fda92767c3297 aa64
-# grubaa64.efi.signed
-7ef1088105ceec7602564ef2d6bffacb50cd4b36aa4f0c5b109197df1faaefac aa64
-###############################
-
-###############################
-# Files from grub-efi-arm64-signed_1+2.04+9_arm64.deb
-# (unsafe chainload)
-# grubnetaa64-installer.efi.signed
-0e21d3ae473cf272cefe18d392ccee11c0bb3ca1d5aa1f230f0d9af303fa4fd2 aa64
-# gcdaa64.efi.signed
-bac83b595fc70bec02d77d6914cae34abf55e1dbc27e1956b83f3178b453fca3 aa64
-# grubnetaa64.efi.signed
-75814f4022b4a05e8301fc2dc69f077e3bef6b4e37ea6d713e61e73e49dab82e aa64
-# grubaa64.efi.signed
-e57b17e4b24ddfcb5b884c5599dee2ce371632cfffb802cfd7389141c87caecc aa64
-###############################
-
-###############################
-# Files from grub-efi-arm64-signed_1+2.04~rc1+1_arm64.deb
-# (unsafe chainload)
-# gcdaa64.efi.signed
-700583bb946209ce10492919983e7485c8b77eac02546cc50f6cea653ce47ee6 aa64
-# grubnetaa64.efi.signed
-f7c122cbbcecf56f758a24db0d508c4928426a6b89c6e1b23a2b3ad3b36120e1 aa64
-# grubaa64.efi.signed
-619566ff76fcbc69be425d05978ea66594cad057a014e47c2bf47c7ba2b8f823 aa64
-###############################
-
-###############################
-# Files from grub-efi-arm64-signed_1+2.04~rc1+2_arm64.deb
-# (unsafe chainload)
-# grubnetaa64-installer.efi.signed
-3535d8cadf8990b611e074dca2e3367f3e0564ec5147400cc3d2c70f78fbffad aa64
-# gcdaa64.efi.signed
-9f4971fcc79e395774d09a260ac2c8ce99be84910562bf6f813b259498f1f5b1 aa64
-# grubnetaa64.efi.signed
-79167c83c2a1d56cc9dd95f2dad9e89c84a4b29b75cb274ca9fc0a9fb508d73f aa64
-# grubaa64.efi.signed
-20d7527030b4ff660f45d332b3878d2ca832d100a7ede713f9276a7801c15dc6 aa64
-###############################
-
-###############################
-# Files from grub-efi-arm64-signed_1+2.04~rc1+3_arm64.deb
-# (unsafe chainload)
-# grubnetaa64-installer.efi.signed
-62e67264c891eac0a0e03353bb0688dc81822e1fa8074eeb67b0dc0faabc6ab8 aa64
-# gcdaa64.efi.signed
-234f2e35a9828d71dfb75f8dc2cf4055debf3793382173f1bd822b253788f51e aa64
-# grubnetaa64.efi.signed
-a4b83fad2c6f31166c19287817f19da0e0c32d212037440497c37301f8110cb6 aa64
-# grubaa64.efi.signed
-9c27fa6c35763d87b884979bbb9cd1dba30736e79919f9075cced9036899a164 aa64
-###############################
-
-###############################
-# Files from grub-efi-ia32-signed_1+2.02+dfsg1+10_i386.deb
-# (unsafe chainload)
-# grubnetia32.efi.signed
-7452267ea21a3db7ab7ea792d1e38175842ec836780829d080b8c87f2fec96ab ia32
-# grubia32.efi.signed
-9d382d8526a72eed850154794418946eb2dc9406444398c230934b89c3e27ea8 ia32
-# gcdia32.efi.signed
-00be056fd3dc31c820b82eecc80ea3c42f2938db4846d2395f607c5c42f11c75 ia32
-###############################
-
-###############################
-# Files from grub-efi-ia32-signed_1+2.02+dfsg1+11_i386.deb
-# (unsafe chainload)
-# grubnetia32.efi.signed
-1cc7feb306e9bf2b5f1f146956b1c4b54f63998dd3afe680d59826afc4508a71 ia32
-# grubia32.efi.signed
-61b9cc457b812b8a846479caba8988983dd8eeee9ce91697a11fbf5d9356adcd ia32
-# gcdia32.efi.signed
-ba34defc3a530be8b3b1096247d430dd2afbb22e0dbd01fad9b8b4b163cfdc1c ia32
-###############################
-
-###############################
-# Files from grub-efi-ia32-signed_1+2.02+dfsg1+13_i386.deb
-# (unsafe chainload)
-# grubnetia32.efi.signed
-bbbbc7cc72f5422bc47df212f3465fa0c97541196c09722b4f09a7606893c8ef ia32
-# grubia32.efi.signed
-ba9be59351251d9ade96b0985ac97976b62b9b898b5bf8e2bc54078b49c36334 ia32
-# gcdia32.efi.signed
-78fc0e8cf04214b66755a22bbc4a1c741c12aa84568473bcb2eeeefaa9585157 ia32
-###############################
-
-###############################
-# Files from grub-efi-ia32-signed_1+2.02+dfsg1+16_i386.deb
-# (unsafe chainload)
-# grubnetia32.efi.signed
-749c1c47b959367aeed4444fca7eac834372843582a4f0036cbcb91145a8c92a ia32
-# grubia32.efi.signed
-094d5f2f4ed7e17fc247345e4e3d9943248e46540b1a7e93d69c8a4f298d82ed ia32
-# gcdia32.efi.signed
-beaa24fc8bc80b201780a78f6f3daa76a091f0e8bf868070849c3b2cdc689cf3 ia32
-###############################
-
-###############################
-# Files from grub-efi-ia32-signed_1+2.02+dfsg1+17_i386.deb
-# (unsafe chainload)
-# grubnetia32.efi.signed
-7287a09fc1c1bcc5679cc10df3ae6c8d0581c9cec87cfdc7f17219951b65044f ia32
-# grubia32.efi.signed
-a8328c2ebd02e9421d4e479ca89f4679162117cf7cc665a482b08561296a3e94 ia32
-# gcdia32.efi.signed
-ade048b70c915c68543a3dbf8f9671e1c6d71713587018be8afee1928e952816 ia32
-###############################
-
-###############################
-# Files from grub-efi-ia32-signed_1+2.02+dfsg1+18_i386.deb
-# (unsafe chainload)
-# grubnetia32.efi.signed
-c73ce912ef556f2bb79e5b196f3bb60d4193c70110cb081b557902716979837a ia32
-# grubia32.efi.signed
-4a6db01586f8b3b7afcabe1aeb9b5ee5ceaf687b2edd035f9391417280b7ae05 ia32
-# gcdia32.efi.signed
-3351926316357884fbb76508de54defb856a2a6a5316288b357a94124f035b6e ia32
-###############################
-
-###############################
-# Files from grub-efi-ia32-signed_1+2.02+dfsg1+19_i386.deb
-# (unsafe chainload)
-# grubnetia32.efi.signed
-1e3e505052537f64cd600832015f2fcffeb3f737825fba97a695fb22c34ae88a ia32
-# grubia32.efi.signed
-e6e57a4e1efb1f778f8b6c21c06c2b6a7e961723124a4ec1e635ea5dc6a14e37 ia32
-# gcdia32.efi.signed
-58699d4b3cefc1ec876aafb49f96d82bf6b8be1c9c2d57c2fe022d5b0267ec6b ia32
-# grubnetia32-installer.efi.signed
-cd940d522723c40a3ff68988d0e6f9fe8c5378e09f2ad008f8016110a400cc08 ia32
-###############################
-
-###############################
-# Files from grub-efi-ia32-signed_1+2.02+dfsg1+20+deb10u1_i386.deb
-# (unsafe chainload)
-# grubnetia32.efi.signed
-bd995ba8f31b08d4ad0bbdcc77458078fcfe0ba6ab26790140ae79ff06d0e208 ia32
-# grubia32.efi.signed
-5689179d69d28d44f2692fd194cd0383cdedb06dee920418604d7ce59e620b0f ia32
-# gcdia32.efi.signed
-125d64eb8e9dcd6d1ce0b827678e297b7970e1ccc5c9aa4a40e66f228424a8e7 ia32
-# grubnetia32-installer.efi.signed
-812867c5f370926bf008d1d5b725c6b84285c9d573c7a1a763ffb766b690d309 ia32
-###############################
-
-###############################
-# Files from grub-efi-ia32-signed_1+2.02+dfsg1+20+deb10u2_i386.deb
-# (unsafe chainload)
-# grubnetia32.efi.signed
-d7e03fb15e8b414edffea34628af51bc6d8531533fff15c4d15b36ec15c4722e ia32
-# grubia32.efi.signed
-7721d3e8fb890e181e662f3f0334209b928bc8c6d63221669eb2ca252a21d898 ia32
-# gcdia32.efi.signed
-4f3c15dc10786b2c3909f9e7f47e90ce38e05ff501ac7c43d97d6ecb14cdf188 ia32
-# grubnetia32-installer.efi.signed
-9505fbe9e6f6649c01512d223edccbe48a8547579a069901bbfa569107d0ff5d ia32
-###############################
-
-###############################
-# Files from grub-efi-ia32-signed_1+2.02+dfsg1+20+deb10u3_i386.deb
-# (unsafe chainload)
-# grubnetia32.efi.signed
-0a7fa9e881db701caef734b06c3df2ffe35120387bf70583e5b6513fdfc3cbba ia32
-# grubia32.efi.signed
-628ed2562d3a55b06f6f85687466d336571da6e8bfcd152dcfd99e283dd3d3cf ia32
-# gcdia32.efi.signed
-260d6f83057501f828a1228db30e31ccc2759a8ad22e31820da5d31962de072c ia32
-# grubnetia32-installer.efi.signed
-1adeb1ab647c92e4f84b5437e0761ea2a68ee9e2d23c09401618c11460d1df2e ia32
-###############################
-
-###############################
-# Files from grub-efi-ia32-signed_1+2.02+dfsg1+20_i386.deb
-# (unsafe chainload)
-# grubnetia32.efi.signed
-a842279a836922c747d1b3b7c7e889a4f452e7f41951182ef8674b7c51a87b6c ia32
-# grubia32.efi.signed
-4d31740e6535ceb40c1ba94cf134e01562ac2948c20b197362d4a3d95a20aba2 ia32
-# gcdia32.efi.signed
-b79d6722df9efb56dd68139532869a0db0a71f098e0b4e255bb9eefebec1370e ia32
-# grubnetia32-installer.efi.signed
-5950debedb0e285bc044f7c38d61246b665dd97d7b7fee7b37f305fc0284e851 ia32
-###############################
-
-###############################
-# Files from grub-efi-ia32-signed_1+2.02+dfsg1+6_i386.deb
-# (unsafe chainload)
-# grubnetia32.efi.signed
-1a3f406a13f18091d4b0cacf73243c2412c0b6f680d77b7d3d3fd2474eb4edee ia32
-# grubia32.efi.signed
-d1b78e60448b4cd143b8082fcfdd568c10f6f3f88c66caae8544d28235f97890 ia32
-# gcdia32.efi.signed
-3a692049c326d35d8142ebad5d310fbfb43b39a890663d032343c156ddda8014 ia32
-###############################
-
-###############################
-# Files from grub-efi-ia32-signed_1+2.02+dfsg1+8_i386.deb
-# (unsafe chainload)
-# grubnetia32.efi.signed
-43aa9a91458f8e568c0d56825a5afb8363feaaf0ad41001a2ec8a9f6f309c84e ia32
-# grubia32.efi.signed
-3ae847080c6b795439cd8ef3b321b55a5f0c3ef7e96c56d6dd2270989e954f6a ia32
-# gcdia32.efi.signed
-707deb8c3dd037cf99859eb06d29ea099bd1a5eb98adb90bd51431750d047552 ia32
-###############################
-
-###############################
-# Files from grub-efi-ia32-signed_1+2.02+dfsg1+9_i386.deb
-# (unsafe chainload)
-# grubnetia32.efi.signed
-e77b11aa769dac9c94c3ded38b9b9d758411b2513ed3494dc3f5b5e9813de36f ia32
-# grubia32.efi.signed
-26637a34efbc7fa1e4ad1798369470ee007de56f00248380f767957491d6a8b7 ia32
-# gcdia32.efi.signed
-e3f4f529e7c59b899c05aff8d8a474fd281906c82351d52be72605e3f26ba393 ia32
-###############################
-
-###############################
-# Files from grub-efi-ia32-signed_1+2.04+10_i386.deb
-# (unsafe chainload)
-# grubnetia32.efi.signed
-9378aa2c6413177be1e9b5cac3dd2d713c1441aacf8ad089749a5ea38e562af3 ia32
-# grubia32.efi.signed
-77c579947aca8318f8d8e028233e61a38ebf11a813f709bd2a973a38b07719b2 ia32
-# gcdia32.efi.signed
-221b56b199620a0161fddc542df8c25b31de9ae568431441676ec46ea7b676bb ia32
-# grubnetia32-installer.efi.signed
-7fbdcd5e4462e47fb554100ea24032b2227e7244ffeb9849a029e4d7a04d04fb ia32
-###############################
-
-###############################
-# Files from grub-efi-ia32-signed_1+2.04+11_i386.deb
-# (unsafe chainload)
-# grubnetia32.efi.signed
-89c74c14c7edc931552b20d6633c04d5dec8e30416dfe327959fb94135eb8e1c ia32
-# grubia32.efi.signed
-757635d4238cfee75d55f727fae624318873b0dcde345c3ff279bac152988d93 ia32
-# gcdia32.efi.signed
-8fbe67480fa29d994a5469606af1210c390dd96726d2f3d134fe5a2e73bcf42f ia32
-# grubnetia32-installer.efi.signed
-5da400ebab865de8349d40b51cd1628bfb9f8344d89ac7cbf18305f812451b75 ia32
-###############################
-
-###############################
-# Files from grub-efi-ia32-signed_1+2.04+12_i386.deb
-# (unsafe chainload)
-# grubnetia32.efi.signed
-6fc2731b9e8fecb3c911cbc6b8e768d2309f0cb37e5162f0d1ed30b53d91e8b6 ia32
-# grubia32.efi.signed
-f1d633c3e2c22839a28394f50c818985237ce7b2c8f00fd06bcce6f0b6f283ea ia32
-# gcdia32.efi.signed
-9b61c3f47a34e0f80b7c3fba54429fdc217faaac770c95e249da8320c0b64c09 ia32
-# grubnetia32-installer.efi.signed
-6af1084ff98f474180dade800676afeefab4a1f376fff66d70863ff5876bb94d ia32
-###############################
-
-###############################
-# Files from grub-efi-ia32-signed_1+2.04+14_i386.deb
-# (unsafe chainload)
-# grubnetia32.efi.signed
-d918de4f46f81dacdab3ab940561c6da85004f6aa378c9b71e8c10318355ba2a ia32
-# grubia32.efi.signed
-8045e3319b25772bc910175f9750437066dcc284505c31c3da42382eb4288574 ia32
-# gcdia32.efi.signed
-aa1911408d66df101b469212bdff5ecc3f5b1255495958bbf936cc6ca9bc20d2 ia32
-# grubnetia32-installer.efi.signed
-59a2a0ca9fc7b1b35c0e2e527676b602ea8b106a308431bc51624cb985f72a1d ia32
-###############################
-
-###############################
-# Files from grub-efi-ia32-signed_1+2.04+15_i386.deb
-# (unsafe chainload)
-# grubnetia32.efi.signed
-32d3ea4d596050771871b90964b58c7ae566ef9a2bfa99faec310b42abcfe8e1 ia32
-# grubia32.efi.signed
-8a7d726adedb427287ee2bd68b7a42a46a72debf63be2e5f103acd68a38b19e8 ia32
-# gcdia32.efi.signed
-c10be24afa7b227ac22ecdd73bfb78706574fd5371e2327a86e063aff43f5b1b ia32
-# grubnetia32-installer.efi.signed
-b98f4684b57f0746195e61a69ec2c19dcd35622e50f7ed537ee7231608fe5c68 ia32
-###############################
-
-###############################
-# Files from grub-efi-ia32-signed_1+2.04+1_i386.deb
-# (unsafe chainload)
-# grubnetia32.efi.signed
-f80c89fa33e78cc8091cf98a5abc7d152e225aa660fcb0f238d3ff9ddf3a020e ia32
-# grubia32.efi.signed
-152b22b0ff3d388cfaa96c93338ce49b21ec05025fb019daed5bc65fce4eaefe ia32
-# gcdia32.efi.signed
-b9964cb6c7b542044a6a23d5ee0f813b80e1a42a4f98cf61e10e851cd37c8b91 ia32
-# grubnetia32-installer.efi.signed
-1a6c8dc5bf614a4c4d8c29a87aa1ac10cb5c2bf48abcc36e46854a51758c295b ia32
-###############################
-
-###############################
-# Files from grub-efi-ia32-signed_1+2.04+2_i386.deb
-# (unsafe chainload)
-# grubnetia32.efi.signed
-7d4dc3ab547f1ab3903659a214949e971544c89cf19d60364e218bfead8236a4 ia32
-# grubia32.efi.signed
-f9696e35544318378b7c3084f4d0c6857881bc1f0531af8642d70b1aa71b3cb1 ia32
-# gcdia32.efi.signed
-e1d90dac87530eecf15e137d1c711bf0ca5b173922848b7e694a01396a5dd903 ia32
-# grubnetia32-installer.efi.signed
-56b6ee99c7339eb7a3cc80e2470484abec52853ff358520f7a0c995c076fcd19 ia32
-###############################
-
-###############################
-# Files from grub-efi-ia32-signed_1+2.04+3_i386.deb
-# (unsafe chainload)
-# grubnetia32.efi.signed
-acea5f24beb615aa06662d4aa60737e65862623d398ff9f65e55bb56321e9330 ia32
-# grubia32.efi.signed
-a4b36bf9058f9ad9f7a750d29afdb85333b2636c636f0ae3618b10504e9db268 ia32
-# gcdia32.efi.signed
-e3608dea31c04c9f22c539f80a8f901bea05d3d973067d3352d2acd81c02aca3 ia32
-# grubnetia32-installer.efi.signed
-0d3d25beed1aa45c1efdb1aefc7fc22cd054acf1332a3295d2774a0e74a71bad ia32
-###############################
-
-###############################
-# Files from grub-efi-ia32-signed_1+2.04+4_i386.deb
-# (unsafe chainload)
-# grubnetia32.efi.signed
-b02003597875e9467371460b229079190ba1d710825f22c3e5604bca2cfbbb00 ia32
-# grubia32.efi.signed
-237c5664bcfe43a226c623037e44e27745de4a70453151fbde60cb1eacc95efe ia32
-# gcdia32.efi.signed
-156169f3152284f50b1bb43f9bac73660c977f8a075a525aaee46ec0b293e8ef ia32
-# grubnetia32-installer.efi.signed
-645e7cec1e21857df57a59afd32e927c89a42e4f70494c44b941bf9b94ed4dde ia32
-###############################
-
-###############################
-# Files from grub-efi-ia32-signed_1+2.04+5_i386.deb
-# (unsafe chainload)
-# grubnetia32.efi.signed
-73be4d9d26c6ecaaadd7021cf0777b7cb574d1ac3e029579bf59f4ccb0fa9b11 ia32
-# grubia32.efi.signed
-7719036ecd4a8462f2538ea13dec2a4949853f5672ea2f2c06a35e9d96759558 ia32
-# gcdia32.efi.signed
-c721a3db87af7278ce08e7643438a41a1185c2b322f7405f256df33c4cf69059 ia32
-# grubnetia32-installer.efi.signed
-ccb8877c61a22fedf8afc7160ee06c48f5e72c2e3d88364c9e3ed37bb41efa06 ia32
-###############################
-
-###############################
-# Files from grub-efi-ia32-signed_1+2.04+6_i386.deb
-# (unsafe chainload)
-# grubnetia32.efi.signed
-2dd444943e90e80e6a81038f1a185ad73dfe843b5fa09e19b8efa55b1eb32cb6 ia32
-# grubia32.efi.signed
-dd49bf0918188919552ce1a5885e1eb6181e5b829fa99e47f8a00b3ec065e51b ia32
-# gcdia32.efi.signed
-42f9512280205b015768762fab0baa03fc0f6a5c148fca84dff3de0d937693f2 ia32
-# grubnetia32-installer.efi.signed
-c6446f1cf18fe664ae79510893ae6e9fcf739b20886569df719065a0ff164ba7 ia32
-###############################
-
-###############################
-# Files from grub-efi-ia32-signed_1+2.04+7_i386.deb
-# (unsafe chainload)
-# grubnetia32.efi.signed
-58f15365ffea1e50ba1aec6be5e5cbfe373fcdad20c5777b69b702c621f216ee ia32
-# grubia32.efi.signed
-645fdf98cbfbef7c4da233da1c422df6c4090518abfae12c71061beac03c1fb1 ia32
-# gcdia32.efi.signed
-1d8bb3f36c97582912dbfa3ede92a66f34e30ba660ae5f3b0a5abd35a3d1efec ia32
-# grubnetia32-installer.efi.signed
-564ae6e6fdd724b632392e7f4faeca1dd7590da892e42cf2dbf3a4ed2d72d946 ia32
-###############################
-
-###############################
-# Files from grub-efi-ia32-signed_1+2.04+8_i386.deb
-# (unsafe chainload)
-# grubnetia32.efi.signed
-afb502ddae5e08d14db362a055059c2b7ed4e66ca88b2a251698081c58afd307 ia32
-# grubia32.efi.signed
-8413fb83d7eea5da8c6f008b025a4010de341b2bd5a1a884ee7ac834ee127cea ia32
-# gcdia32.efi.signed
-43fc800441d591739379e94f45fecfb3fc6d945ce5664de5a846295fd76599ac ia32
-# grubnetia32-installer.efi.signed
-5e62e820c1894504945cc85d3bdb9ee16098509dcee1488347f8f6648e59b27a ia32
-###############################
-
-###############################
-# Files from grub-efi-ia32-signed_1+2.04+9_i386.deb
-# (unsafe chainload)
-# grubnetia32.efi.signed
-ac4512b047239ef19e6448dfeaaca0326b26abfcb994339ed494008c10027881 ia32
-# grubia32.efi.signed
-bc2d6e36922df0718539a81d85e5d5d6616c1ad68adaf1cab1bb1455713975bb ia32
-# gcdia32.efi.signed
-9033ba45fff4004e5432d165cb199fd881fc793db4b580ad583cb089a8ed74f3 ia32
-# grubnetia32-installer.efi.signed
-346c335d0bf65561fe2ef0e828ee4053bf5a6977e6304d61571cc07e3c4ad288 ia32
-###############################
-
-###############################
-# Files from grub-efi-ia32-signed_1+2.04~rc1+1_i386.deb
-# (unsafe chainload)
-# grubnetia32.efi.signed
-818719068ad63ecdbc3f733c5db753b4a1df40deead6540ef18cfa38d9d5eec2 ia32
-# grubia32.efi.signed
-3554a98b3eee31e675af05db8e89964e2fbb981020e033e5eed456d71ad8caaf ia32
-# gcdia32.efi.signed
-58c6c0a67b94a2ad1c6236b85cbedb28ac3b2c83f9782519d88683fe941692bc ia32
-###############################
-
-###############################
-# Files from grub-efi-ia32-signed_1+2.04~rc1+2_i386.deb
-# (unsafe chainload)
-# grubnetia32.efi.signed
-fefdf4e9b76933daa0b333d892fa141181dd12678ec12230407fcd686a11b80e ia32
-# grubia32.efi.signed
-b58a2676cfb8523d61b058bbb3eb464ef9669b0f56303e59ecc077a638e8f600 ia32
-# gcdia32.efi.signed
-dac8b9c8818ec36e5d47551b94d22a4a2dd1112578264931575054e484707ddd ia32
-# grubnetia32-installer.efi.signed
-af50894a20b1fc0f5849507eac5eb1915f36a6d95f3942b749d69286360c39da ia32
-###############################
-
-###############################
-# Files from grub-efi-ia32-signed_1+2.04~rc1+3_i386.deb
-# (unsafe chainload)
-# grubnetia32.efi.signed
-ca011153062ffb166a3ca71619a26eef56da7447cc9434705d80d635ba9276ec ia32
-# grubia32.efi.signed
-38252c6c6c6e40a89a277447ce8913d1c15d3b59557e26bc2194151b4bcfce3d ia32
-# gcdia32.efi.signed
-26d1ed55a262b3c7fd45bf5babac38e898eb9a5503002e132d50ac5b6950c54a ia32
-# grubnetia32-installer.efi.signed
-df85a256b46cf9f3bac196d89f3e5456775d845111e89a5bcf7ac2bec794fac6 ia32
-###############################
-
diff -pruN 15.3-3/debian/generate_dbx_list 15.4-0ubuntu7/debian/generate_dbx_list
--- 15.3-3/debian/generate_dbx_list	2021-03-24 01:27:31.000000000 +0000
+++ 15.4-0ubuntu7/debian/generate_dbx_list	1970-01-01 00:00:00.000000000 +0000
@@ -1,27 +0,0 @@
-#!/bin/sh
-#
-# Helper script - generate a DBX file for inclusion into a shim build
-#
-# Takes an input file (e.g. debian-dbx.hashes) with data in the form
-#
-# <hex-encoded sha256 checksums> <arch>
-#
-# and generates a siglist of the hashes for just the architecture we
-# want. No point including all the hashes for all the arches, it just
-# bloats things and slows things down.
-
-set -e
-
-ARCH=$1
-IN=$2
-OUT=$3
-
-rm -f $OUT
-for HASH in $(grep -E "[[:xdigit:]]{32} $ARCH" < $IN | \
-		  awk '{print $1}' | sort | uniq); do
-    echo "  Adding $HASH to dbx list"
-    efisiglist -o $OUT -a -h $HASH
-done
-
-# If we have an empty hashes file, create an empty DBX file
-touch $OUT
diff -pruN 15.3-3/debian/patches/359.patch 15.4-0ubuntu7/debian/patches/359.patch
--- 15.3-3/debian/patches/359.patch	1970-01-01 00:00:00.000000000 +0000
+++ 15.4-0ubuntu7/debian/patches/359.patch	2021-07-07 08:57:35.000000000 +0000
@@ -0,0 +1,73 @@
+From: Dimitri John Ledkov <xnox@ubuntu.com>
+Date: Tue, 6 Apr 2021 14:58:00 +0100
+Subject: [PATCH] fallback: add compile option FALLBACK_NONINTERACTIVE
+
+In the cloud, all boots are non-interactive with keyboard and console
+access either typically not available or prohibited. Also clouds
+always do firstboot via fallback. This currently results in an
+unacceptable 5s boot delay whilst fallback offers interactive reset
+options that cannot be actioned.
+
+In Ubuntu, we'd like to make fallback noninteractive by default
+without any boot delays, due to bootspeed impact on firstboot of the
+preinstalled images.
+
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1922581
+
+Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
+---
+ Makefile   | 4 ++++
+ fallback.c | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/Makefile b/Makefile
+index 8c66459..d18fad5 100644
+--- a/Makefile
++++ b/Makefile
+@@ -61,6 +61,10 @@ ifneq ($(origin FALLBACK_VERBOSE), undefined)
+ 	CFLAGS += -DFALLBACK_VERBOSE
+ endif
+ 
++ifneq ($(origin FALLBACK_NONINTERACTIVE), undefined)
++	CFLAGS += -DFALLBACK_NONINTERACTIVE
++endif
++
+ ifneq ($(origin FALLBACK_VERBOSE_WAIT), undefined)
+ 	CFLAGS += -DFALLBACK_VERBOSE_WAIT=$(FALLBACK_VERBOSE_WAIT)
+ endif
+diff --git a/fallback.c b/fallback.c
+index 8d89917..1f229d2 100644
+--- a/fallback.c
++++ b/fallback.c
+@@ -1011,6 +1011,7 @@ get_fallback_no_reboot(void)
+ 	return 0;
+ }
+ 
++#ifndef FALLBACK_NONINTERACTIVE
+ static EFI_STATUS
+ set_fallback_no_reboot(void)
+ {
+@@ -1054,6 +1055,7 @@ get_user_choice(void)
+ 
+ 	return choice;
+ }
++#endif
+ 
+ extern EFI_STATUS
+ efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *systab);
+@@ -1126,6 +1128,7 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *systab)
+ 			try_start_first_option(image);
+ 		}
+ 
++#ifndef FALLBACK_NONINTERACTIVE
+ 		int timeout = draw_countdown();
+ 		if (timeout == 0)
+ 			goto reset;
+@@ -1141,6 +1144,7 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *systab)
+ 		VerbosePrint(L"tpm present, starting the first image\n");
+ 		try_start_first_option(image);
+ reset:
++#endif
+ 		VerbosePrint(L"tpm present, resetting system\n");
+ 	}
+ 
diff -pruN 15.3-3/debian/patches/361.patch 15.4-0ubuntu7/debian/patches/361.patch
--- 15.3-3/debian/patches/361.patch	1970-01-01 00:00:00.000000000 +0000
+++ 15.4-0ubuntu7/debian/patches/361.patch	2021-07-07 08:57:35.000000000 +0000
@@ -0,0 +1,37 @@
+From: Gary Lin <glin@suse.com>
+Date: Thu, 8 Apr 2021 16:23:03 +0800
+Subject: [PATCH] mok: allocate MOK config table as BootServicesData
+
+Linux kernel is picky when reserving the memory for x86 and it only
+expects BootServicesData:
+
+https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/platform/efi/quirks.c?h=v5.11#n254
+
+Otherwise, the following error would show during system boot:
+
+Apr 07 12:31:56.743925 localhost kernel: efi: Failed to lookup EFI memory descriptor for 0x000000003dcf8000
+
+Although BootServicesData would be reclaimed after ExitBootService(),
+linux kernel reserves MOK config table when it detects the existence of
+the table, so it's fine to allocate the table as BootServicesData.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+Origin: https://patch-diff.githubusercontent.com/raw/rhboot/shim/pull/361.patch
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1925139
+---
+ mok.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mok.c b/mok.c
+index 5ad9072..fc1ee04 100644
+--- a/mok.c
++++ b/mok.c
+@@ -1002,7 +1002,7 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ 		npages = ALIGN_VALUE(config_sz, PAGE_SIZE) >> EFI_PAGE_SHIFT;
+ 		config_table = NULL;
+ 		efi_status = gBS->AllocatePages(AllocateAnyPages,
+-						EfiRuntimeServicesData,
++						EfiBootServicesData,
+ 						npages,
+ 						(EFI_PHYSICAL_ADDRESS *)&config_table);
+ 		if (EFI_ERROR(efi_status) || !config_table) {
diff -pruN 15.3-3/debian/patches/362.patch 15.4-0ubuntu7/debian/patches/362.patch
--- 15.3-3/debian/patches/362.patch	1970-01-01 00:00:00.000000000 +0000
+++ 15.4-0ubuntu7/debian/patches/362.patch	2021-07-07 08:57:35.000000000 +0000
@@ -0,0 +1,36 @@
+From: Adam Williamson <awilliam@redhat.com>
+Date: Thu, 8 Apr 2021 22:39:02 -0700
+Subject: [PATCH] Don't set user_insecure_mode and ignore_db in
+ import_one_mok_state
+
+This seems completely incorrect and unnecessary, unless I'm
+missing something. We already set them both to 0 at the start of
+`import_mok_state`, which is the only thing that uses
+`import_one_mok_state`, so it's unnecessary. It's incorrect
+because it means those variables will be set to 0 even when they
+should be set to 1 - even if they are momentarily set to 1 when
+`import_one_mok_state` is called on the relevant variable, they
+immediately get set back to 0 when it's called on the *next*
+variable.
+
+Signed-off-by: Adam Williamson <awilliam@redhat.com>
+Origin: https://patch-diff.githubusercontent.com/raw/rhboot/shim/pull/361.patch
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1925140
+---
+ mok.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index fc1ee04..9b8fc2b 100644
+--- a/mok.c
++++ b/mok.c
+@@ -888,9 +888,6 @@ EFI_STATUS import_one_mok_state(struct mok_state_variable *v,
+ 	EFI_STATUS ret = EFI_SUCCESS;
+ 	EFI_STATUS efi_status;
+ 
+-	user_insecure_mode = 0;
+-	ignore_db = 0;
+-
+ 	UINT32 attrs = 0;
+ 	BOOLEAN delete = FALSE;
+ 
diff -pruN 15.3-3/debian/patches/364.patch 15.4-0ubuntu7/debian/patches/364.patch
--- 15.3-3/debian/patches/364.patch	1970-01-01 00:00:00.000000000 +0000
+++ 15.4-0ubuntu7/debian/patches/364.patch	2021-07-07 08:57:35.000000000 +0000
@@ -0,0 +1,59 @@
+From: Peter Jones <pjones@redhat.com>
+Date: Sat, 10 Apr 2021 16:05:23 -0400
+Subject: [PATCH] Don't call QueryVariableInfo() on EFI 1.10 machines
+
+The EFI 1.10 spec (and presumably earlier revisions as well) didn't have
+RT->QueryVariableInfo(), and on Chris Murphy's MacBookPro8,2 , that
+memory appears to be initialized randomly.
+
+This patch changes it to not call RT->QueryVariableInfo() if the
+EFI_RUNTIME_SERVICES table's major revision is less than two, and
+assumes our maximum variable size is 1024 in that case.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1925010
+---
+ mok.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index 9b8fc2b..beac0ff 100644
+--- a/mok.c
++++ b/mok.c
+@@ -261,6 +261,9 @@ static const uint8_t null_sha256[32] = { 0, };
+ 
+ typedef UINTN SIZE_T;
+ 
++#define EFI_MAJOR_VERSION(tablep) ((UINT16)((((tablep)->Hdr.Revision) >> 16) & 0xfffful))
++#define EFI_MINOR_VERSION(tablep) ((UINT16)(((tablep)->Hdr.Revision) & 0xfffful))
++
+ static EFI_STATUS
+ get_max_var_sz(UINT32 attrs, SIZE_T *max_var_szp)
+ {
+@@ -270,11 +273,21 @@ get_max_var_sz(UINT32 attrs, SIZE_T *max_var_szp)
+ 	uint64_t max_var_sz = 0;
+ 
+ 	*max_var_szp = 0;
+-	efi_status = gRT->QueryVariableInfo(attrs, &max_storage_sz,
+-					    &remaining_sz, &max_var_sz);
+-	if (EFI_ERROR(efi_status)) {
+-		perror(L"Could not get variable storage info: %r\n", efi_status);
+-		return efi_status;
++	if (EFI_MAJOR_VERSION(gRT) < 2) {
++		dprint(L"EFI %d.%d; no RT->QueryVariableInfo().  Using 1024!\n",
++		       EFI_MAJOR_VERSION(gRT), EFI_MINOR_VERSION(gRT));
++		max_var_sz = remaining_sz = max_storage_sz = 1024;
++		efi_status = EFI_SUCCESS;
++	} else {
++		dprint(L"calling RT->QueryVariableInfo() at 0x%lx\n",
++		       gRT->QueryVariableInfo);
++		efi_status = gRT->QueryVariableInfo(attrs, &max_storage_sz,
++						    &remaining_sz, &max_var_sz);
++		if (EFI_ERROR(efi_status)) {
++			perror(L"Could not get variable storage info: %r\n",
++			       efi_status);
++			return efi_status;
++		}
+ 	}
+ 
+ 	/*
diff -pruN 15.3-3/debian/patches/369.patch 15.4-0ubuntu7/debian/patches/369.patch
--- 15.3-3/debian/patches/369.patch	1970-01-01 00:00:00.000000000 +0000
+++ 15.4-0ubuntu7/debian/patches/369.patch	2021-07-07 08:57:35.000000000 +0000
@@ -0,0 +1,41 @@
+From: Gary Lin <glin@suse.com>
+Date: Wed, 5 May 2021 11:25:07 +0800
+Subject: mok: relax the maximum variable size check
+
+Some UEFI environment such as u-boot doesn't implement
+QueryVariableInfo(), so we couldn't rely on the function to estimate the
+available space for RT variables. All we can do is to call SetVariable()
+directly and check the return value of SetVariable().
+
+Signed-off-by: Gary Lin <glin@suse.com>
+Origin: https://github.com/rhboot/shim/pull/369
+Bug-Ubuntuhttps://bugs.launchpad.net/bugs/1934780
+---
+ mok.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index a687a92..d3d0f25 100644
+--- a/mok.c
++++ b/mok.c
+@@ -362,13 +362,18 @@ mirror_mok_db(CHAR16 *name, CHAR8 *name8, EFI_GUID *guid, UINT32 attrs,
+ 	SIZE_T max_var_sz;
+ 
+ 	efi_status = get_max_var_sz(attrs, &max_var_sz);
+-	if (EFI_ERROR(efi_status)) {
++	if (EFI_ERROR(efi_status) && efi_status != EFI_UNSUPPORTED) {
+ 		LogError(L"Could not get maximum variable size: %r",
+ 			 efi_status);
+ 		return efi_status;
+ 	}
+ 
+-	if (FullDataSize <= max_var_sz) {
++	/* Some UEFI environment such as u-boot doesn't implement
++	 * QueryVariableInfo() and we will only get EFI_UNSUPPORTED when
++	 * querying the available space. In this case, we just mirror
++	 * the variable directly. */
++	if (FullDataSize <= max_var_sz || efi_status == EFI_UNSUPPORTED) {
++		efi_status = EFI_SUCCESS;
+ 		if (only_first)
+ 			efi_status = SetVariable(name, guid, attrs,
+ 						 FullDataSize, FullData);
diff -pruN 15.3-3/debian/patches/372.patch 15.4-0ubuntu7/debian/patches/372.patch
--- 15.3-3/debian/patches/372.patch	1970-01-01 00:00:00.000000000 +0000
+++ 15.4-0ubuntu7/debian/patches/372.patch	2021-07-07 08:57:35.000000000 +0000
@@ -0,0 +1,53 @@
+From: Gary Lin <glin@suse.com>
+Date: Tue, 11 May 2021 10:41:43 +0800
+Subject: Relax the check for import_mok_state()
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+An openSUSE user reported(*) that shim 15.4 failed to boot the system
+with the following message:
+
+  "Could not create MokListXRT: Out of Resources"
+
+In the beginning, I thought it's caused by the growing size of
+vendor-dbx. However, we found the following messages after set
+SHIM_VERBOSE:
+
+  max_var_sz:8000 remaining_sz:85EC max_storage_sz:9000
+  SetVariable(“MokListXRT”, ... varsz=0x1404) = Out of Resources
+
+Even though the firmware claimed the remaining storage size is 0x85EC
+and the maximum variable size is 0x8000, it still rejected MokListXRT
+with size 0x1404. It seems that the return values from QueryVariableInfo()
+are not reliable. Since this firmware didn't really support Secure Boot,
+the variable mirroring is not so critical, so we can just accept the
+failure of import_mok_state() and continue boot.
+
+(*) https://bugzilla.suse.com/show_bug.cgi?id=1185261
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ shim.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/shim.c b/shim.c
+index c5cfbb8..40e4894 100644
+--- a/shim.c
++++ b/shim.c
+@@ -1973,10 +1973,13 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
+ 	 * boot-services-only state variables are what we think they are.
+ 	 */
+ 	efi_status = import_mok_state(image_handle);
+-	if (!secure_mode() && efi_status == EFI_INVALID_PARAMETER) {
++	if (!secure_mode() &&
++	    (efi_status == EFI_INVALID_PARAMETER ||
++	     efi_status == EFI_OUT_OF_RESOURCES)) {
+ 		/*
+ 		 * Make copy failures fatal only if secure_mode is enabled, or
+-		 * the error was anything else than EFI_INVALID_PARAMETER.
++		 * the error was anything else than EFI_INVALID_PARAMETER or
++		 * EFI_OUT_OF_RESOURCES.
+ 		 * There are non-secureboot firmware implementations that don't
+ 		 * reserve enough EFI variable memory to fit the variable.
+ 		 */
diff -pruN 15.3-3/debian/patches/378.patch 15.4-0ubuntu7/debian/patches/378.patch
--- 15.3-3/debian/patches/378.patch	1970-01-01 00:00:00.000000000 +0000
+++ 15.4-0ubuntu7/debian/patches/378.patch	2021-07-07 08:57:35.000000000 +0000
@@ -0,0 +1,55 @@
+From: Seth Forshee <seth.forshee@canonical.com>
+Date: Sat, 5 Jun 2021 07:34:44 -0500
+Subject: Don't unhook ExitBootServices() when EBS protection is disabled
+
+When EBS protection is disabled the code which hooks into EBS is
+complied out, but on unhook it's the code which restores Exit() that
+is disabled. This appears to be a mistake, and it can result in
+writing NULL to EBS in the boot services table.
+
+Fix this by moving the ifdefs to compile out the code to unhook EBS
+instead of the code to unhook Exit(). Also ifdef the definition of
+system_exit_boot_services to safeguard against its accidental use.
+
+Fixes: 4b0a61dc9a95 ("shim: compile time option to bypass the ExitBootServices() check")
+Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
+---
+ replacements.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/replacements.c b/replacements.c
+index 278a8e7..daa2e0f 100644
+--- a/replacements.c
++++ b/replacements.c
+@@ -33,7 +33,9 @@ get_active_systab(void)
+ static typeof(systab->BootServices->LoadImage) system_load_image;
+ static typeof(systab->BootServices->StartImage) system_start_image;
+ static typeof(systab->BootServices->Exit) system_exit;
++#if !defined(DISABLE_EBS_PROTECTION)
+ static typeof(systab->BootServices->ExitBootServices) system_exit_boot_services;
++#endif /* !defined(DISABLE_EBS_PROTECTION) */
+ 
+ static EFI_HANDLE last_loaded_image;
+ 
+@@ -45,7 +47,9 @@ unhook_system_services(void)
+ 
+ 	systab->BootServices->LoadImage = system_load_image;
+ 	systab->BootServices->StartImage = system_start_image;
++#if !defined(DISABLE_EBS_PROTECTION)
+ 	systab->BootServices->ExitBootServices = system_exit_boot_services;
++#endif /* !defined(DISABLE_EBS_PROTECTION) */
+ 	gBS = systab->BootServices;
+ }
+ 
+@@ -181,11 +185,8 @@ hook_system_services(EFI_SYSTEM_TABLE *local_systab)
+ void
+ unhook_exit(void)
+ {
+-#if !defined(DISABLE_EBS_PROTECTION)
+ 	systab->BootServices->Exit = system_exit;
+ 	gBS = systab->BootServices;
+-#endif /* defined(DISABLE_EBS_PROTECTION) */
+-	return;
+ }
+ 
+ void
diff -pruN 15.3-3/debian/patches/379.patch 15.4-0ubuntu7/debian/patches/379.patch
--- 15.3-3/debian/patches/379.patch	1970-01-01 00:00:00.000000000 +0000
+++ 15.4-0ubuntu7/debian/patches/379.patch	2021-07-07 08:57:35.000000000 +0000
@@ -0,0 +1,401 @@
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Mon, 7 Jun 2021 16:34:18 +0100
+Subject: shim: another attempt to fix load options handling
+
+The load options handling is quite complicated and tries to accomodate
+several scenarios, but there are currently multiple issues:
+
+- If the supplied LoadOptions is an EFI_LOAD_OPTION structure,
+second_stage gets initialized to the entire contents of the OptionalData
+field and load_options is initialized to NULL, which means it isn't
+possible to pass additional options to the second stage loader (and it
+looks like the intention is for this to be supported).
+
+- If the supplied LoadOptions contains 2 or more strings, the code seems
+to assume that shim was executed from the UEFI shell and that the first
+argument is the path of the shim executable, so it's ignored. But this
+breaks the ability to pass additional options to the second stage loader
+from BDS on firmware implementations that initialize LoadOptions to just
+the OptionalData field of the EFI_LOAD_OPTION, which is what EDK2 seems
+to do.
+
+This is moot anyway because this case (strings == 2) doesn't actually seem
+to work, as nothing sets loader_len and therefore second_stage is not set
+to the custom loader path.
+
+- If the supplied LoadOptions contains a single string that isn't shim's
+path, nothing sets loader_len and therefore second_stage isn't set at the
+end of set_second_stage.
+
+- set_second_stage replaces L' ' characters with L'\0' - whilst this is
+useful to NULL terminate the path for the second stage, it doesn't seem
+quite right to do this for the remaining LoadOptions data. Grub's
+chainloader command supplies additional arguments as a NULL-terminated
+space-delimited string via LoadOptions. Making it NULL-delimited seems to
+be incompatible with the kernel's commandline handling, which wouldn't
+work for scenarios where you might want to direct-boot a kernel image
+(wrapped in systemd's EFI stub) from shim.
+
+- handle_image passes the original LoadOptions to the second stage if
+load_options is NULL, which means that the second stage currently always
+gets shim's load options.
+
+I've made an attempt to try to fix things. After the initial
+checks in set_second_stage, it now does this:
+
+- Tries to parse LoadOptions as an EFI_LOAD_OPTION in order to extract
+the OptionalData if it is.
+- If it's not an EFI_LOAD_OPTION, check if the first string is the
+current shim path and ignore it if it is (the UEFI shell case).
+- Split LoadOptions in to a single NULL terminated string (used to
+initialize second_stage) and the unmodified remaining data (used to
+initialize load_options and load_options_size).
+
+I've also modified handle_image to always set LoadOptions and
+LoadOptionsSize. If shim is executed with no options, or is only
+executed with a single option to override the second stage loader
+path, the second stage is executed with LoadOptions = NULL and
+LoadOptionsSize = 0 now.
+
+I've tested this on EDK2 and I can load a custom loader with extra
+options from both BDS and the UEFI shell:
+
+FS0:\> shimx64.efi test.efi
+LoadOptionsSize: 0
+LoadOptions: (null)
+FS0:\> shimx64.efi       test.efi
+LoadOptionsSize: 0
+LoadOptions: (null)
+FS0:\> shimx64.efi test.efi foo bar
+LoadOptionsSize: 16
+LoadOptions: foo bar
+
+Origin: https://github.com/rhboot/shim/pull/379
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1929471
+---
+ include/ucs2.h |  27 --------
+ pe.c           |   6 +-
+ shim.c         | 200 ++++++++++++++++++++++++++-------------------------------
+ 3 files changed, 92 insertions(+), 141 deletions(-)
+
+diff --git a/include/ucs2.h b/include/ucs2.h
+index e43c341..ee038ce 100644
+--- a/include/ucs2.h
++++ b/include/ucs2.h
+@@ -81,31 +81,4 @@ is_all_nuls(UINT8 *data, UINTN data_size)
+ 	return true;
+ }
+ 
+-static inline UINTN
+-__attribute__((__unused__))
+-count_ucs2_strings(UINT8 *data, UINTN data_size)
+-{
+-	UINTN pos = 0;
+-	UINTN last_nul_pos = 0;
+-	UINTN num_nuls = 0;
+-	UINTN i;
+-
+-	if (data_size % 2 != 0)
+-		return 0;
+-
+-	for (i = pos; i < data_size; i++) {
+-		if (i % 2 != 0) {
+-			if (data[i] != 0)
+-				return 0;
+-		} else if (data[i] == 0) {
+-			last_nul_pos = i;
+-			num_nuls++;
+-		}
+-		pos = i;
+-	}
+-	if (num_nuls > 0 && last_nul_pos != pos - 1)
+-		return 0;
+-	return num_nuls;
+-}
+-
+ #endif /* SHIM_UCS2_H */
+diff --git a/pe.c b/pe.c
+index 365e32a..13bc397 100644
+--- a/pe.c
++++ b/pe.c
+@@ -1144,10 +1144,8 @@ handle_image (void *data, unsigned int datasize,
+ 	li->ImageSize = context.ImageSize;
+ 
+ 	/* Pass the load options to the second stage loader */
+-	if ( load_options ) {
+-		li->LoadOptions = load_options;
+-		li->LoadOptionsSize = load_options_size;
+-	}
++	li->LoadOptions = load_options;
++	li->LoadOptionsSize = load_options_size;
+ 
+ 	if (!found_entry_point) {
+ 		perror(L"Entry point is not within sections\n");
+diff --git a/shim.c b/shim.c
+index 40e4894..ecf6ee5 100644
+--- a/shim.c
++++ b/shim.c
+@@ -1241,9 +1241,13 @@ EFI_STATUS init_grub(EFI_HANDLE image_handle)
+ 	return efi_status;
+ }
+ 
++/*
++ * Extract the OptionalData and OptionalData fields from an
++ * EFI_LOAD_OPTION.
++ */
+ static inline EFI_STATUS
+-get_load_option_optional_data(UINT8 *data, UINTN data_size,
+-			      UINT8 **od, UINTN *ods)
++get_load_option_optional_data(VOID *data, UINT32 data_size,
++			      VOID **od, UINT32 *ods)
+ {
+ 	/*
+ 	 * If it's not at least Attributes + FilePathListLength +
+@@ -1253,7 +1257,8 @@ get_load_option_optional_data(UINT8 *data, UINTN data_size,
+ 	if (data_size < (sizeof(UINT32) + sizeof(UINT16) + 2 + 4))
+ 		return EFI_INVALID_PARAMETER;
+ 
+-	UINT8 *cur = data + sizeof(UINT32);
++	UINT8 *start = (UINT8 *)data;
++	UINT8 *cur = start + sizeof(UINT32);
+ 	UINT16 fplistlen = *(UINT16 *)cur;
+ 	/*
+ 	 * If there's not enough space for the file path list and the
+@@ -1263,8 +1268,8 @@ get_load_option_optional_data(UINT8 *data, UINTN data_size,
+ 		return EFI_INVALID_PARAMETER;
+ 
+ 	cur += sizeof(UINT16);
+-	UINTN limit = data_size - (cur - data) - fplistlen;
+-	UINTN i;
++	UINT32 limit = data_size - (cur - start) - fplistlen;
++	UINT32 i;
+ 	for (i = 0; i < limit ; i++) {
+ 		/* If the description isn't valid UCS2-LE, it's not valid. */
+ 		if (i % 2 != 0) {
+@@ -1380,6 +1385,57 @@ done:
+ 	return ret;
+ }
+ 
++/*
++ * Split the supplied load options in to a NULL terminated
++ * string representing the path of the second stage loader,
++ * and return a pointer to the remaining load options data
++ * and its remaining size.
++ *
++ * This expects the supplied load options to begin with a
++ * string that is either NULL terminated or terminated with
++ * a space and some optional data. It will return NULL if
++ * the supplied load options contains no spaces or NULL
++ * terminators.
++ */
++static CHAR16 *
++split_load_options(VOID *in, UINT32 in_size,
++		   VOID **remaining,
++		   UINT32 *remaining_size) {
++	UINTN i;
++	CHAR16 *arg0 = NULL;
++	CHAR16 *start = (CHAR16 *)in;
++
++	/* Skip spaces */
++	for (i = 0; i < in_size / sizeof(CHAR16); i++) {
++		if (*start != L' ')
++			break;
++
++		start++;
++	}
++
++	in_size -= ((VOID *)start - in);
++
++	/*
++	 * Ensure that the first argument is NULL terminated by
++	 * replacing L' ' with L'\0'.
++	 */
++	for (i = 0; i < in_size / sizeof(CHAR16); i++) {
++		if (start[i] == L' ' || start[i] == L'\0') {
++			start[i] = L'\0';
++			arg0 = (CHAR16 *)start;
++			break;
++		}
++	}
++
++	if (arg0) {
++		UINTN skip = i + 1;
++		*remaining_size = in_size - (skip * sizeof(CHAR16));
++		*remaining = *remaining_size > 0 ? start + skip : NULL;
++	}
++
++	return arg0;
++}
++
+ /*
+  * Check the load options to specify the second stage loader
+  */
+@@ -1387,20 +1443,11 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle)
+ {
+ 	EFI_STATUS efi_status;
+ 	EFI_LOADED_IMAGE *li = NULL;
+-	CHAR16 *start = NULL;
+-	UINTN remaining_size = 0;
++	VOID *remaining = NULL;
++	UINT32 remaining_size;
+ 	CHAR16 *loader_str = NULL;
+-	UINTN loader_len = 0;
+-	unsigned int i;
+-	UINTN second_stage_len;
+ 
+-	second_stage_len = (StrLen(DEFAULT_LOADER) + 1) * sizeof(CHAR16);
+-	second_stage = AllocatePool(second_stage_len);
+-	if (!second_stage) {
+-		perror(L"Could not allocate %lu bytes\n", second_stage_len);
+-		return EFI_OUT_OF_RESOURCES;
+-	}
+-	StrCpy(second_stage, DEFAULT_LOADER);
++	second_stage = DEFAULT_LOADER;
+ 	load_options = NULL;
+ 	load_options_size = 0;
+ 
+@@ -1499,105 +1546,44 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle)
+ 		return EFI_SUCCESS;
+ 
+ 	/*
+-	 * Check and see if this is just a list of strings.  If it's an
+-	 * EFI_LOAD_OPTION, it'll be 0, since we know EndEntire device path
+-	 * won't pass muster as UCS2-LE.
+-	 *
+-	 * If there are 3 strings, we're launched from the shell most likely,
+-	 * But we actually only care about the second one.
++	 * See if this is an EFI_LOAD_OPTION and extract the optional
++	 * data if it is. This will return an error if it is not a valid
++	 * EFI_LOAD_OPTION.
+ 	 */
+-	UINTN strings = count_ucs2_strings(li->LoadOptions,
+-					   li->LoadOptionsSize);
+-
+-	/*
+-	 * In some cases we get strings == 1 because BDS is using L' ' as the
+-	 * delimeter:
+-	 * 0000:74 00 65 00 73 00 74 00 2E 00 65 00 66 00 69 00 t.e.s.t...e.f.i.
+-	 * 0016:20 00 6F 00 6E 00 65 00 20 00 74 00 77 00 6F 00 ..o.n.e...t.w.o.
+-	 * 0032:20 00 74 00 68 00 72 00 65 00 65 00 00 00       ..t.h.r.e.e...
+-	 *
+-	 * If so replace it with NULs since the code already handles that
+-	 * case.
+-	 */
+-	if (strings == 1) {
+-		UINT16 *cur = start = li->LoadOptions;
+-
+-		/* replace L' ' with L'\0' if we find any */
+-		for (i = 0; i < li->LoadOptionsSize / 2; i++) {
+-			if (cur[i] == L' ')
+-				cur[i] = L'\0';
+-		}
+-
+-		/* redo the string count */
+-		strings = count_ucs2_strings(li->LoadOptions,
+-					     li->LoadOptionsSize);
+-	}
+-
+-	/*
+-	 * If it's not string data, try it as an EFI_LOAD_OPTION.
+-	 */
+-	if (strings == 0) {
+-		/*
+-		 * We at least didn't find /enough/ strings.  See if it works
+-		 * as an EFI_LOAD_OPTION.
+-		 */
+-		efi_status = get_load_option_optional_data(li->LoadOptions,
+-							   li->LoadOptionsSize,
+-							   (UINT8 **)&start,
+-							   &loader_len);
+-		if (EFI_ERROR(efi_status))
+-			return EFI_SUCCESS;
+-
+-		remaining_size = 0;
+-	} else if (strings >= 2) {
++	efi_status = get_load_option_optional_data(li->LoadOptions,
++						   li->LoadOptionsSize,
++						   &li->LoadOptions,
++						   &li->LoadOptionsSize);
++	if (EFI_ERROR(efi_status)) {
+ 		/*
++		 * it's not an EFI_LOAD_OPTION, so it's probably just a string
++		 * or list of strings.
++		 *
+ 		 * UEFI shell copies the whole line of the command into
+-		 * LoadOptions.  We ignore the string before the first L'\0',
+-		 * i.e. the name of this program.
++		 * LoadOptions. We ignore the first string, i.e. the name of this
++		 * program in this case.
+ 		 */
+-		UINT16 *cur = li->LoadOptions;
+-		for (i = 1; i < li->LoadOptionsSize / 2; i++) {
+-			if (cur[i - 1] == L'\0') {
+-				start = &cur[i];
+-				remaining_size = li->LoadOptionsSize - (i * 2);
+-				break;
+-			}
++		CHAR16 *loader_str = split_load_options(li->LoadOptions,
++							li->LoadOptionsSize,
++							&remaining,
++							&remaining_size);
++
++		if (loader_str && is_our_path(li, loader_str)) {
++			li->LoadOptions = remaining;
++			li->LoadOptionsSize = remaining_size;
+ 		}
+-
+-		remaining_size -= i * 2 + 2;
+-	} else if (strings == 1 && is_our_path(li, start)) {
+-		/*
+-		 * And then I found a version of BDS that gives us our own path
+-		 * in LoadOptions:
+-
+-77162C58                           5c 00 45 00 46 00 49 00          |\.E.F.I.|
+-77162C60  5c 00 42 00 4f 00 4f 00  54 00 5c 00 42 00 4f 00  |\.B.O.O.T.\.B.O.|
+-77162C70  4f 00 54 00 58 00 36 00  34 00 2e 00 45 00 46 00  |O.T.X.6.4...E.F.|
+-77162C80  49 00 00 00                                       |I...|
+-
+-		* which is just cruel... So yeah, just don't use it.
+-		*/
+-		return EFI_SUCCESS;
+ 	}
+ 
++	loader_str = split_load_options(li->LoadOptions, li->LoadOptionsSize,
++					&remaining, &remaining_size);
++
+ 	/*
+ 	 * Set up the name of the alternative loader and the LoadOptions for
+ 	 * the loader
+ 	 */
+-	if (loader_len > 0) {
+-		/* we might not always have a NULL at the end */
+-		loader_str = AllocatePool(loader_len + 2);
+-		if (!loader_str) {
+-			perror(L"Failed to allocate loader string\n");
+-			return EFI_OUT_OF_RESOURCES;
+-		}
+-
+-		for (i = 0; i < loader_len / 2; i++)
+-			loader_str[i] = start[i];
+-		loader_str[loader_len/2] = L'\0';
+-
++	if (loader_str) {
+ 		second_stage = loader_str;
+-		load_options = remaining_size ? start + (loader_len/2) : NULL;
++		load_options = remaining;
+ 		load_options_size = remaining_size;
+ 	}
+ 
+@@ -1777,12 +1763,6 @@ shim_fini(void)
+ 
+ 	unhook_exit();
+ 
+-	/*
+-	 * Free the space allocated for the alternative 2nd stage loader
+-	 */
+-	if (load_options_size > 0 && second_stage)
+-		FreePool(second_stage);
+-
+ 	console_fini();
+ }
+ 
diff -pruN 15.3-3/debian/patches/383.patch 15.4-0ubuntu7/debian/patches/383.patch
--- 15.3-3/debian/patches/383.patch	1970-01-01 00:00:00.000000000 +0000
+++ 15.4-0ubuntu7/debian/patches/383.patch	2021-07-07 08:57:35.000000000 +0000
@@ -0,0 +1,134 @@
+From: Gary Lin <glin@suse.com>
+Date: Wed, 16 Jun 2021 16:13:32 +0800
+Subject: arm/aa64: fix the size of .rela* sections
+
+The previous commit(*) merged .rel* and .dyn* into .rodata, and this
+made ld to generate the wrong size for .rela* sections that covered
+other unrelated sections. When the EFI image was loaded, _relocate()
+went through the unexpected data and may cause unexpected crash.
+This commit moves .rel* and .dyn* out of .rodata in the ld script but
+also moves the related variables, such as _evrodata, _rodata_size,
+and _rodata_vsize, to the end of the new .dyn section, so that the
+crafted pe-coff section header for .rodata still covers our new
+.rela and .dyn sections.
+
+(*) 212ba30544f ("arm/aa64 targets: put .rel* and .dyn* in .rodata")
+
+Fix issue: https://github.com/rhboot/shim/issues/371
+
+Signed-off-by: Gary Lin <glin@suse.com>
+
+Origin: https://github.com/rhboot/shim/pull/383
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1928010
+---
+ Makefile            |  4 ++--
+ elf_aarch64_efi.lds | 24 ++++++++++++++++--------
+ elf_arm_efi.lds     | 24 ++++++++++++++++--------
+ 3 files changed, 34 insertions(+), 18 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index d18fad5..d7b60fc 100644
+--- a/Makefile
++++ b/Makefile
+@@ -247,7 +247,7 @@ ifneq ($(OBJCOPY_GTE224),1)
+ endif
+ 	$(OBJCOPY) -D -j .text -j .sdata -j .data -j .data.ident \
+ 		-j .dynamic -j .rodata -j .rel* \
+-		-j .rela* -j .reloc -j .eh_frame \
++		-j .rela* -j .dyn -j .reloc -j .eh_frame \
+ 		-j .vendor_cert -j .sbat \
+ 		$(FORMAT) $< $@
+ 	# I am tired of wasting my time fighting binutils timestamp code.
+@@ -264,7 +264,7 @@ ifneq ($(OBJCOPY_GTE224),1)
+ endif
+ 	$(OBJCOPY) -D -j .text -j .sdata -j .data \
+ 		-j .dynamic -j .rodata -j .rel* \
+-		-j .rela* -j .reloc -j .eh_frame -j .sbat \
++		-j .rela* -j .dyn -j .reloc -j .eh_frame -j .sbat \
+ 		-j .debug_info -j .debug_abbrev -j .debug_aranges \
+ 		-j .debug_line -j .debug_str -j .debug_ranges \
+ 		-j .note.gnu.build-id \
+diff --git a/elf_aarch64_efi.lds b/elf_aarch64_efi.lds
+index 353b24a..42825fd 100644
+--- a/elf_aarch64_efi.lds
++++ b/elf_aarch64_efi.lds
+@@ -70,21 +70,29 @@ SECTIONS
+   .rodata :
+   {
+     _rodata = .;
+-    *(.rela.dyn)
+-    *(.rela.plt)
+-    *(.rela.got)
+-    *(.rela.data)
+-    *(.rela.data*)
+-
+     *(.rodata*)
+     *(.srodata)
+-    *(.dynsym)
+-    *(.dynstr)
+     . = ALIGN(16);
+     *(.note.gnu.build-id)
+     . = ALIGN(4096);
+     *(.vendor_cert)
+     *(.data.ident)
++    . = ALIGN(4096);
++  }
++  . = ALIGN(4096);
++  .rela :
++  {
++    *(.rela.dyn)
++    *(.rela.plt)
++    *(.rela.got)
++    *(.rela.data)
++    *(.rela.data*)
++  }
++  . = ALIGN(4096);
++  .dyn :
++  {
++    *(.dynsym)
++    *(.dynstr)
+     _evrodata = .;
+     . = ALIGN(4096);
+   }
+diff --git a/elf_arm_efi.lds b/elf_arm_efi.lds
+index e4e29bd..5334621 100644
+--- a/elf_arm_efi.lds
++++ b/elf_arm_efi.lds
+@@ -70,21 +70,29 @@ SECTIONS
+   .rodata :
+   {
+     _rodata = .;
+-    *(.rel.dyn)
+-    *(.rel.plt)
+-    *(.rel.got)
+-    *(.rel.data)
+-    *(.rel.data*)
+-
+     *(.rodata*)
+     *(.srodata)
+-    *(.dynsym)
+-    *(.dynstr)
+     . = ALIGN(16);
+     *(.note.gnu.build-id)
+     . = ALIGN(4096);
+     *(.vendor_cert)
+     *(.data.ident)
++    . = ALIGN(4096);
++  }
++  . = ALIGN(4096);
++  .rela :
++  {
++    *(.rela.dyn)
++    *(.rela.plt)
++    *(.rela.got)
++    *(.rela.data)
++    *(.rela.data*)
++  }
++  . = ALIGN(4096);
++  .dyn :
++  {
++    *(.dynsym)
++    *(.dynstr)
+     _evrodata = .;
+     . = ALIGN(4096);
+   }
diff -pruN 15.3-3/debian/patches/387.patch 15.4-0ubuntu7/debian/patches/387.patch
--- 15.3-3/debian/patches/387.patch	1970-01-01 00:00:00.000000000 +0000
+++ 15.4-0ubuntu7/debian/patches/387.patch	2021-07-07 08:57:35.000000000 +0000
@@ -0,0 +1,38 @@
+From: Gary Lin <glin@suse.com>
+Date: Wed, 30 Jun 2021 16:34:51 +0800
+Subject: mok: delete the existing RT variables only when only_first=TRUE
+
+For the firmware without the variable writing issues, MOK variables are
+mirrored when only_first=TRUE. However, LibDeleteVariable() was called
+in maybe_mirror_one_mok_variable() when only_first=FALSE, and this
+could delete MOK variables that were just mirrored in the first round.
+
+This bug was hidden since LibDeleteVariable() deletes BS+RT+NV variables
+while we mirror MOK variables as BS+RT, and the firmware refused to
+delete the mirrored MOK variable due to mismatching attributes. However,
+some firmwares, such as VMWare, didn't enforce the attribute check and
+just deleted the variables with matched name and GUID. In such system,
+MokListRT was always removed before it reached OS.
+
+Fixes: https://github.com/rhboot/shim/issues/386
+
+Signed-off-by: Gary Lin <glin@suse.com>
+Origin: https://github.com/rhboot/shim/pull/387
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1934506
+---
+ mok.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mok.c b/mok.c
+index d3d0f25..86905a1 100644
+--- a/mok.c
++++ b/mok.c
+@@ -866,7 +866,7 @@ maybe_mirror_one_mok_variable(struct mok_state_variable *v,
+ 	BOOLEAN present = FALSE;
+ 
+ 	if (v->rtname) {
+-		if (!only_first && (v->flags & MOK_MIRROR_DELETE_FIRST)) {
++		if (only_first && (v->flags & MOK_MIRROR_DELETE_FIRST)) {
+ 			dprint(L"deleting \"%s\"\n", v->rtname);
+ 			efi_status = LibDeleteVariable(v->rtname, v->guid);
+ 			dprint(L"LibDeleteVariable(\"%s\",...) => %r\n", v->rtname, efi_status);
diff -pruN 15.3-3/debian/patches/series 15.4-0ubuntu7/debian/patches/series
--- 15.3-3/debian/patches/series	1970-01-01 00:00:00.000000000 +0000
+++ 15.4-0ubuntu7/debian/patches/series	2021-07-07 08:57:35.000000000 +0000
@@ -0,0 +1,11 @@
+359.patch
+361.patch
+362.patch
+364.patch
+ubuntu-no-addend-vendor-dbx.patch
+369.patch
+372.patch
+378.patch
+379.patch
+383.patch
+387.patch
diff -pruN 15.3-3/debian/patches/ubuntu-no-addend-vendor-dbx.patch 15.4-0ubuntu7/debian/patches/ubuntu-no-addend-vendor-dbx.patch
--- 15.3-3/debian/patches/ubuntu-no-addend-vendor-dbx.patch	1970-01-01 00:00:00.000000000 +0000
+++ 15.4-0ubuntu7/debian/patches/ubuntu-no-addend-vendor-dbx.patch	2021-07-07 08:57:35.000000000 +0000
@@ -0,0 +1,34 @@
+From: Julian Andres Klode <julian.klode@canonical.com>
+Date: Mon, 24 May 2021 11:45:45 +0200
+Subject: Do not addend vendor dbx in MokListX(RT) mirroring
+
+Our vendor dbx is 19KB; which is huge and causing a lot of
+laptops to run out of EFI variable storage space, or MacBooks
+will just hang, when mirroring to MokListXR
+
+Our kernels currently do not read MokListXRT anyway, so not
+mirroring the vendor dbx does not affect security of current
+kernels. Newer kernels do support vendor dbx, but we can just
+bake in the vendor dbx into the kernel images too, rather than
+rely on an EFI variable to pass that info through to the kernel.
+
+The kernel could even be told to read MokList{,X} directly, before
+calling ExitBootServices, in which case we could stop mirroring
+entirely.
+---
+ mok.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index beac0ff..a687a92 100644
+--- a/mok.c
++++ b/mok.c
+@@ -194,8 +194,6 @@ struct mok_state_variable mok_state_variables[] = {
+ 		     EFI_VARIABLE_NON_VOLATILE,
+ 	 .no_attr = EFI_VARIABLE_RUNTIME_ACCESS,
+ 	 .categorize_addend = categorize_deauthorized,
+-	 .addend = &vendor_deauthorized,
+-	 .addend_size = &vendor_deauthorized_size,
+ 	 .flags = MOK_MIRROR_KEYDB |
+ 		  MOK_MIRROR_DELETE_FIRST |
+ 		  MOK_VARIABLE_LOG,
diff -pruN 15.3-3/debian/rules 15.4-0ubuntu7/debian/rules
--- 15.3-3/debian/rules	2021-03-24 13:15:07.000000000 +0000
+++ 15.4-0ubuntu7/debian/rules	2021-07-07 08:57:35.000000000 +0000
@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
 
-include /usr/share/dpkg/architecture.mk
+include /usr/share/dpkg/default.mk
 
 # Other vendors, add your certs here.  No sense in using
 # dpkg-vendor --derives-from, because only Canonical-generated binaries will
@@ -8,78 +8,70 @@ include /usr/share/dpkg/architecture.mk
 # should be building the other binaries also.
 ifeq ($(shell dpkg-vendor --is ubuntu && echo yes),yes)
 	cert=debian/canonical-uefi-ca.der
+	dbx=debian/canonical-2021_$(DEB_HOST_ARCH).esl
 	distributor=ubuntu
-COMMON_OPTIONS ?= ENABLE_SHIM_CERT=1 ENABLE_SBSIGN=1
 else
 	cert=debian/debian-uefi-ca.der
 	distributor=debian
 endif
 
-deb_version             := $(shell dpkg-parsechangelog | sed -ne "s/^Version: \(.*\)/\1/p")
-upstream_version        := $(shell echo $(deb_version) | sed -e "s/-[^-]*$$//")
-plain_upstream_version  := $(shell echo $(upstream_version) | sed -e "s/+dfsg.*//")
-
-DBX_LIST = dbx.esl
-DBX_HASHES = debian/$(distributor)-dbx.hashes
-SBAT_IN = debian/sbat.$(distributor).csv.in
-SBAT_DATA = data/sbat.$(distributor).csv
-
-include /usr/share/dpkg/architecture.mk
-
 ifeq ($(DEB_HOST_ARCH),amd64)
 export EFI_ARCH := x64
 endif
 ifeq ($(DEB_HOST_ARCH),arm64)
 export EFI_ARCH := aa64
 endif
-ifeq ($(DEB_HOST_ARCH),i386)
-export EFI_ARCH := ia32
-endif
 
-COMMON_OPTIONS += \
-	RELEASE=15.3 \
-	COMMIT_ID=XXXX \
+COMMON_OPTIONS = \
+	RELEASE=15 \
+	COMMIT_ID=20e4d9486fcae54ee44d2323ae342ffe68c920e6\
 	MAKELEVEL=0 \
-	ENABLE_HTTPBOOT=true \
+	FALLBACK_NONINTERACTIVE=1 \
 	VENDOR_CERT_FILE=$(cert) \
-	VENDOR_DBX_FILE=$(DBX_LIST) \
+	VENDOR_DBX_FILE=$(dbx) \
 	EFIDIR=$(distributor) \
-	CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)- \
-	CC=$(DEB_HOST_GNU_TYPE)-gcc-10 \
+	DISABLE_EBS_PROTECTION=1 \
 	$(NULL)
 
-$(DBX_LIST): $(DBX_HASHES)
-	./debian/generate_dbx_list $(EFI_ARCH) $< $@
-
-$(SBAT_DATA): $(SBAT_IN)
-	rm -f $@
-	set -e; \
-	sed -e "s/@DEB_VERSION@/$(deb_version)/g" \
-		-e "s/@UPSTREAM_VERSION@/$(plain_upstream_version)/g" \
-		< $(SBAT_IN) > $(SBAT_DATA)
-	# If we have an empty $(SBAT_DATA), delete
-	if [ ! -s $(SBAT_DATA) ]; then rm -f $(SBAT_DATA); fi
-
 %:
-	dh $@
+	dh $@ --with buildinfo
 
 override_dh_auto_clean:
 	dh_auto_clean -- MAKELEVEL=0
-	rm -f $(DBX_LIST) $(SBAT_DATA) sbat.*.csv
+	rm -f data/sbat.$(distributor).csv sbat.$(distributor).csv
 
-override_dh_auto_build: $(DBX_LIST) $(SBAT_DATA)
+override_dh_auto_build:
+	sed -e "s/@DEB_VERSION@/$(DEB_VERSION)/g" \
+		<debian/sbat.$(distributor).csv.in \
+		>data/sbat.$(distributor).csv
 	dh_auto_build -- $(COMMON_OPTIONS)
 
 override_dh_auto_install:
 	dh_auto_install --destdir=debian/tmp -- $(COMMON_OPTIONS)
-	# Remove the copy of the source that's installed - we have git
-	# already...
-	rm -rf debian/tmp/usr
-	# And remove the extra removable-media copy of shim too, it's
-	# not needed for our build and causes debhelper to complain
-	rm -f debian/tmp/boot/efi/EFI/BOOT/BOOT*.EFI
-	./debian/signing-template.generate
+	rm -rf debian/tmp/usr/src
+	rm -rf debian/tmp/boot/efi/EFI/BOOT/BOOT*.EFI
+
+override_dh_strip:
+override_dh_dwz:
+override_dh_shlibdeps:
+	dh_shlibdeps -X.efi
+
+signing=debian/shim-$(DEB_VERSION)-signing/
+signingv=$(signing)/$(DEB_VERSION)
+signing_tar=$(DEB_SOURCE)_$(DEB_VERSION)_$(DEB_HOST_ARCH).tar.gz
+override_dh_builddeb:
+	dh_builddeb -- -Zxz
+	mkdir -p $(signingv)/control
+	echo 'tarball' >$(signingv)/control/options
+	chmod a-x debian/tmp/boot/efi/EFI/*/*.efi
+	cp debian/tmp/boot/efi/EFI/$(distributor)/*.efi $(signingv)/
+	cp debian/tmp/boot/efi/EFI/BOOT/*.efi $(signingv)/
+	tar -C $(signing) -czvf $(CURDIR)/../$(signing_tar) .
+	dpkg-distaddfile $(signing_tar) raw-signing -
+
+override_dh_clean:
+	rm -rf debian/shim-*-signing/
+	dh_clean -Xgnu-efi/lib/Makefile.orig
 
 generate-gnu-efi:
-	git -C gnu-efi archive --prefix=gnu-efi/ HEAD | xz -9 \
-		> ../shim_$(plain_upstream_version).orig-gnu-efi.tar.xz
+	git -C gnu-efi archive --prefix=gnu-efi/ HEAD | xz -9 > ../shim_$(DEB_VERSION_UPSTREAM).orig-gnu-efi.tar.xz
diff -pruN 15.3-3/debian/sbat.debian.csv.in 15.4-0ubuntu7/debian/sbat.debian.csv.in
--- 15.3-3/debian/sbat.debian.csv.in	2021-03-24 13:21:05.000000000 +0000
+++ 15.4-0ubuntu7/debian/sbat.debian.csv.in	1970-01-01 00:00:00.000000000 +0000
@@ -1 +0,0 @@
-shim.debian,1,Debian,shim,@UPSTREAM_VERSION@,https://tracker.debian.org/pkg/shim
diff -pruN 15.3-3/debian/sbat.ubuntu.csv.in 15.4-0ubuntu7/debian/sbat.ubuntu.csv.in
--- 15.3-3/debian/sbat.ubuntu.csv.in	1970-01-01 00:00:00.000000000 +0000
+++ 15.4-0ubuntu7/debian/sbat.ubuntu.csv.in	2021-07-07 08:57:35.000000000 +0000
@@ -0,0 +1 @@
+shim.ubuntu,1,Ubuntu,shim,@DEB_VERSION@,https://www.ubuntu.com/
diff -pruN 15.3-3/debian/shim-dbg.install 15.4-0ubuntu7/debian/shim-dbg.install
--- 15.3-3/debian/shim-dbg.install	1970-01-01 00:00:00.000000000 +0000
+++ 15.4-0ubuntu7/debian/shim-dbg.install	2021-07-07 08:57:35.000000000 +0000
@@ -0,0 +1 @@
+/usr/lib/debug
diff -pruN 15.3-3/debian/shim-helpers-amd64-signed-template.lintian-overrides 15.4-0ubuntu7/debian/shim-helpers-amd64-signed-template.lintian-overrides
--- 15.3-3/debian/shim-helpers-amd64-signed-template.lintian-overrides	2021-03-24 01:00:17.000000000 +0000
+++ 15.4-0ubuntu7/debian/shim-helpers-amd64-signed-template.lintian-overrides	1970-01-01 00:00:00.000000000 +0000
@@ -1 +0,0 @@
-shim-helpers-amd64-signed-template: missing-dep-for-interpreter
diff -pruN 15.3-3/debian/shim-helpers-arm64-signed-template.lintian-overrides 15.4-0ubuntu7/debian/shim-helpers-arm64-signed-template.lintian-overrides
--- 15.3-3/debian/shim-helpers-arm64-signed-template.lintian-overrides	2021-03-24 01:00:17.000000000 +0000
+++ 15.4-0ubuntu7/debian/shim-helpers-arm64-signed-template.lintian-overrides	1970-01-01 00:00:00.000000000 +0000
@@ -1 +0,0 @@
-shim-helpers-arm64-signed-template: missing-dep-for-interpreter
diff -pruN 15.3-3/debian/shim-helpers-i386-signed-template.lintian-overrides 15.4-0ubuntu7/debian/shim-helpers-i386-signed-template.lintian-overrides
--- 15.3-3/debian/shim-helpers-i386-signed-template.lintian-overrides	2021-03-24 01:00:17.000000000 +0000
+++ 15.4-0ubuntu7/debian/shim-helpers-i386-signed-template.lintian-overrides	1970-01-01 00:00:00.000000000 +0000
@@ -1 +0,0 @@
-shim-helpers-i386-signed-template: missing-dep-for-interpreter
diff -pruN 15.3-3/debian/shim-unsigned.install 15.4-0ubuntu7/debian/shim-unsigned.install
--- 15.3-3/debian/shim-unsigned.install	2021-03-24 01:00:17.000000000 +0000
+++ 15.4-0ubuntu7/debian/shim-unsigned.install	1970-01-01 00:00:00.000000000 +0000
@@ -1,4 +0,0 @@
-/boot/efi/EFI/*/shim*.efi /usr/lib/shim
-/boot/efi/EFI/*/mm*.efi /usr/lib/shim
-/boot/efi/EFI/*/fb*.efi /usr/lib/shim
-/boot/efi/EFI/*/BOOT*.CSV /usr/lib/shim
diff -pruN 15.3-3/debian/signing-template/changelog.in 15.4-0ubuntu7/debian/signing-template/changelog.in
--- 15.3-3/debian/signing-template/changelog.in	2021-03-24 01:00:17.000000000 +0000
+++ 15.4-0ubuntu7/debian/signing-template/changelog.in	1970-01-01 00:00:00.000000000 +0000
@@ -1,11 +0,0 @@
-shim-helpers-@arch@-signed (1+@version_mangled@) @distribution@; urgency=@urgency@
-
-  * Update to shim @version_binary@
-
- -- Debian signing service <ftpmaster@debian.org>  @date@
-
-shim-helpers-@arch@-signed (1) unstable; urgency=medium
-
-  * Add template source package for signing
-
- -- Philipp Matthias Hahn <pmhahn@debian.org>  Sat, 07 Apr 2018 17:16:27 +0200
diff -pruN 15.3-3/debian/signing-template/compat 15.4-0ubuntu7/debian/signing-template/compat
--- 15.3-3/debian/signing-template/compat	2021-03-24 01:27:31.000000000 +0000
+++ 15.4-0ubuntu7/debian/signing-template/compat	1970-01-01 00:00:00.000000000 +0000
@@ -1 +0,0 @@
-11
diff -pruN 15.3-3/debian/signing-template/control.in 15.4-0ubuntu7/debian/signing-template/control.in
--- 15.3-3/debian/signing-template/control.in	2021-03-24 01:00:17.000000000 +0000
+++ 15.4-0ubuntu7/debian/signing-template/control.in	1970-01-01 00:00:00.000000000 +0000
@@ -1,25 +0,0 @@
-Source: shim-helpers-@arch@-signed
-Section: admin
-Priority: optional
-Maintainer: Debian EFI team <debian-efi@lists.debian.org>
-Standards-Version: 4.3.0
-Build-Depends: debhelper (>= 10.1~),
- sbsigntool [amd64 arm64 i386],
- shim-unsigned (= @version_binary@),
-
-Package: shim-helpers-@arch@-signed
-Architecture: @arch@
-Conflicts: shim (<< 15+1533136590.3beb971-3~),
-Replaces: shim (<< 15+1533136590.3beb971-3~), shim-signed (<< 1.29),
-Breaks: shim-signed (<< 1.29),
-Depends: shim-unsigned (>= @version_binary@), ${misc:Depends},
-Built-Using: shim (= @version_binary@)
-Description: boot loader to chain-load signed boot loaders (signed by Debian)
- This package provides a minimalist boot loader which allows verifying
- signatures of other UEFI binaries against either the Secure Boot DB/DBX or
- against a built-in signature database.  Its purpose is to allow a small,
- infrequently-changing binary to be signed by the UEFI CA, while allowing
- an OS distributor to revision their main bootloader independently of the CA.
- .
- This package contains the MOK manager and fall-back manager signed by the
- Debian UEFI CA to be used by shim-signed.
diff -pruN 15.3-3/debian/signing-template/copyright 15.4-0ubuntu7/debian/signing-template/copyright
--- 15.3-3/debian/signing-template/copyright	2021-03-24 01:00:17.000000000 +0000
+++ 15.4-0ubuntu7/debian/signing-template/copyright	1970-01-01 00:00:00.000000000 +0000
@@ -1,51 +0,0 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Comment:
- This file describes only the shim-helpers-signed-* source package.
-
-Files: debian/signatures/*
-License: public-domain
- Digital signatures and certificates are presumed not to be
- copyrightable works, and no copyright is claimed for them.
-Comment:
- The signatures and certificates in this package cannot be regenerated
- as-is without the associated private key material, but they can be
- replaced using alternate private keys.
-
-Files: debian/rules
-Copyright: 2018 Philipp Matthias Hahn <pmhahn@debian.org>
-License: GPL-2
- This package is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License version 2 as
- published by the Free Software Foundation.
- .
- This package is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- GNU General Public License for more details.
- .
- You should have received a copy of the GNU General Public License
- along with this package; if not, write to the Free Software
- Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
- .
- On Debian systems, the complete text of the GNU General Public
- License version 2 can be found in `/usr/share/common-licenses/GPL-2'.
-
-Files: debian/*
-Copyright: 2018 Philipp Matthias Hahn <pmhahn@debian.org>
-License: GPL-2+
- This package is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or (at
- your option) any later version.
- .
- This package is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- GNU General Public License for more details.
- .
- You should have received a copy of the GNU General Public License
- along with this package; if not, write to the Free Software
- Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
- .
- On Debian systems, the complete text of the GNU General Public
- License version 2 can be found in `/usr/share/common-licenses/GPL-2'.
diff -pruN 15.3-3/debian/signing-template/README.source 15.4-0ubuntu7/debian/signing-template/README.source
--- 15.3-3/debian/signing-template/README.source	2021-03-24 01:00:17.000000000 +0000
+++ 15.4-0ubuntu7/debian/signing-template/README.source	1970-01-01 00:00:00.000000000 +0000
@@ -1,4 +0,0 @@
-This source package is generated by the Debian signing service from a
-template built by the shim package.  It should never be updated directly.
-
- -- Philipp Matthias Hahn <pmhahn@debian.org>  Sat, 07 Apr 2018 16:26:11 +0200
diff -pruN 15.3-3/debian/signing-template/rules 15.4-0ubuntu7/debian/signing-template/rules
--- 15.3-3/debian/signing-template/rules	2021-03-24 01:00:17.000000000 +0000
+++ 15.4-0ubuntu7/debian/signing-template/rules	1970-01-01 00:00:00.000000000 +0000
@@ -1,18 +0,0 @@
-#!/usr/bin/make -f
-
-SIG_DIR := debian/signatures/shim-unsigned
-
-%:
-	dh $@
-
-override_dh_auto_install:
-	set -e ; \
-	find "$(SIG_DIR)" -name '*.sig' -printf '%P\n' | \
-	while read sig; do \
-		install -o 0 -g 0 -m 0755 -d "debian/tmp/$${sig%/*}" ; \
-		install -o 0 -g 0 -m 0644 "/$${sig%.sig}" "debian/tmp/$${sig}ned" ; \
-		sbattach --attach "$(SIG_DIR)/$$sig" "debian/tmp/$${sig}ned" ; \
-	done
-
-override_dh_install:
-	dh_install --sourcedir=debian/tmp .
diff -pruN 15.3-3/debian/signing-template/source/format 15.4-0ubuntu7/debian/signing-template/source/format
--- 15.3-3/debian/signing-template/source/format	2021-03-24 01:00:17.000000000 +0000
+++ 15.4-0ubuntu7/debian/signing-template/source/format	1970-01-01 00:00:00.000000000 +0000
@@ -1 +0,0 @@
-3.0 (native)
diff -pruN 15.3-3/debian/signing-template.generate 15.4-0ubuntu7/debian/signing-template.generate
--- 15.3-3/debian/signing-template.generate	2021-03-24 01:00:17.000000000 +0000
+++ 15.4-0ubuntu7/debian/signing-template.generate	1970-01-01 00:00:00.000000000 +0000
@@ -1,41 +0,0 @@
-#!/bin/sh
-set -e -u
-
-distribution="$(dpkg-parsechangelog -S Distribution)"
-urgency="$(dpkg-parsechangelog -S Urgency)"
-date="$(dpkg-parsechangelog -S Date)"
-version_binary="$(dpkg-parsechangelog -S Version)"
-version_mangled="$(dpkg-parsechangelog -S Version | tr '-' '+')"
-
-subst () {
-	sed \
-		-e "s/@efi@/${EFI_ARCH}/g" \
-		-e "s/@arch@/${DEB_HOST_ARCH}/g" \
-		-e "s/@version_binary@/${version_binary}/g" \
-		-e "s/@version_mangled@/${version_mangled}/g" \
-		-e "s/@distribution@/${distribution}/g" \
-		-e "s/@urgency@/${urgency}/g" \
-		-e "s/@date@/${date}/g" \
-		"$@"
-}
-
-template='./debian/signing-template'
-pkg_name="shim-helpers-${DEB_HOST_ARCH}-signed-template"
-pkg_dir="debian/${pkg_name}/usr/share/code-signing/${pkg_name}"
-pkg_deb="${pkg_dir}/source-template/debian"
-
-install -o 0 -g 0 -m 0755 -d "${pkg_dir}"
-subst < ./debian/signing-template.json.in > "${pkg_dir}/files.json"
-
-find "${template}" -type f -printf '%P\n' |
-while read path
-do
-	src="${template}/${path}"
-	dst="${pkg_deb}/${path}"
-
-	install -o 0 -g 0 -m 0755 -d "${dst%/*}"
-	subst < "${src}" > "${dst%.in}"
-	chmod --reference="${src}" "${dst%.in}"
-done
-
-exit 0
diff -pruN 15.3-3/debian/signing-template.json.in 15.4-0ubuntu7/debian/signing-template.json.in
--- 15.3-3/debian/signing-template.json.in	2021-03-24 01:00:17.000000000 +0000
+++ 15.4-0ubuntu7/debian/signing-template.json.in	1970-01-01 00:00:00.000000000 +0000
@@ -1,11 +0,0 @@
-{
-  "packages": {
-    "shim-unsigned": {
-      "trusted_certs": [],
-      "files": [
-        {"sig_type": "efi", "file": "usr/lib/shim/fb@efi@.efi"},
-        {"sig_type": "efi", "file": "usr/lib/shim/mm@efi@.efi"}
-      ]
-    }
-  }
-}
diff -pruN 15.3-3/debian/source/include-binaries 15.4-0ubuntu7/debian/source/include-binaries
--- 15.3-3/debian/source/include-binaries	2021-03-24 01:00:17.000000000 +0000
+++ 15.4-0ubuntu7/debian/source/include-binaries	2021-07-07 08:57:35.000000000 +0000
@@ -1,2 +1,5 @@
 debian/canonical-uefi-ca.der
+debian/canonical-2021.esl
 debian/debian-uefi-ca.der
+debian/canonical-2021_amd64.esl
+debian/canonical-2021_arm64.esl
diff -pruN 15.3-3/debian/tests/01_sanity_tests.py 15.4-0ubuntu7/debian/tests/01_sanity_tests.py
--- 15.3-3/debian/tests/01_sanity_tests.py	1970-01-01 00:00:00.000000000 +0000
+++ 15.4-0ubuntu7/debian/tests/01_sanity_tests.py	2021-07-07 08:57:35.000000000 +0000
@@ -0,0 +1,54 @@
+#
+# UEFI Shim sanity checks for tests
+#
+# Copyright (C) 2019 Canonical, Ltd.
+# Author: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 3.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import subprocess
+import sys
+import unittest
+
+from uefi_tests_base import UEFITestsBase
+
+
+class SanityTests(UEFITestsBase):
+    '''
+    Sanity checks for uefi tests
+    '''
+
+    def testArchitectureSuffixes(self):
+        """Ensure sanity of our concept of architecture suffixes for UEFI"""
+    
+        machine = subprocess.check_output(['uname', '-m']).rstrip().decode('utf-8')
+        if machine == 'x86_64':
+            self.assertEquals('x64', self.arch_suffix)    
+            self.assertEquals('x86_64-efi', self.grub_arch)    
+            self.assertEquals('qemu-system-x86_64', self.qemu_arch)
+        elif machine == 'aarch64':
+            self.assertEquals('aa64', self.arch_suffix)    
+            self.assertEquals('arm64-efi', self.grub_arch)    
+            self.assertEquals('qemu-system-aarch64', self.qemu_arch)
+
+    def testQemuAvailable(self):
+        """Ensure QEMU is available for this architecture"""
+        try:
+            out = subprocess.run([self.qemu_arch, '-version'], stdout=None)
+            out.check_returncode()
+        except:
+            raise UEFINotAvailable(feature="qemu", arch=self.arch_machine,
+                                   details="%s failed to run" % self.qemu_arch)
+
+
+unittest.main(testRunner=unittest.TextTestRunner(stream=sys.stdout, verbosity=2))
diff -pruN 15.3-3/debian/tests/05_signature_tests.py 15.4-0ubuntu7/debian/tests/05_signature_tests.py
--- 15.3-3/debian/tests/05_signature_tests.py	1970-01-01 00:00:00.000000000 +0000
+++ 15.4-0ubuntu7/debian/tests/05_signature_tests.py	2021-07-07 08:57:35.000000000 +0000
@@ -0,0 +1,89 @@
+#
+# UEFI signature validation
+#
+# Copyright (C) 2019 Canonical, Ltd.
+# Author: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 3.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import subprocess
+import sys
+import unittest
+import tempfile
+
+from pathlib import Path
+
+from uefi_tests_base import UEFITestsBase
+
+
+class TestSignatures(UEFITestsBase):
+    """
+    Validate UEFI signatures for common problems
+    """
+    @classmethod
+    def setUpClass(klass):
+        UEFITestsBase.setUpClass()
+
+
+    def testInstalledGrubIsSigned(self):
+        """Check that the GRUB copy we installed is correctly signed"""
+        installed_grub_file = Path(self.signed_grub_path)
+        self.assertTrue(installed_grub_file.exists())
+        signed_out = subprocess.run(['sbverify', '--list', self.signed_grub_path],
+                                    stdout=subprocess.PIPE)
+        self.assertIn(b'image signature issuers:', signed_out.stdout)
+
+    def testGrubSignatureValid(self):
+        """Ensure the installed GRUB binary from packaging is signed with the expected key"""
+        self.assertSignatureOK(self.canonical_ca, self.signed_grub_path)
+
+    def testInstalledShimIsSigned(self):
+        """Check that the installed shim is signed"""
+        installed_shim_file = Path(self.signed_shim_path)
+        self.assertTrue(installed_shim_file.exists())
+        signed_out = subprocess.run(['sbverify', '--list', self.signed_shim_path],
+                                    stdout=subprocess.PIPE)
+        self.assertIn(b'image signature issuers:', signed_out.stdout)
+
+    def testHaveSignedShimOnESP(self):
+        """Verify that packaging has provided a signed shim"""
+        signed_shim_file = Path(self.installed_shim)
+        self.assertTrue(signed_shim_file.exists())
+
+    def testSignaturesExist(self):
+        """Validate that a binary has non-zero signatures"""
+        unsigned_out = subprocess.run(['sbverify', '--list', self.unsigned_shim_path],
+                                      stderr=subprocess.PIPE, stdout=subprocess.PIPE)
+        self.assertIn(b'No signature table present', unsigned_out.stderr)
+        signed_out = subprocess.run(['sbverify', '--list', self.signed_shim_path],
+                                    stderr=subprocess.PIPE, stdout=subprocess.PIPE)
+        self.assertIn(b'image signature issuers:', signed_out.stdout)
+
+    def testSignatureIsReplayable(self):
+        """Attest that signature is retrievable from a binary and can be replayed"""
+        with tempfile.TemporaryDirectory() as tmpdirname:
+            subprocess.call(['sbattach',
+                             '--detach', os.path.join(tmpdirname, 'sig.pkcs7'),
+                             self.signed_shim_path])
+            pkcs7_certs = subprocess.run(['openssl', 'pkcs7',
+                                          '-inform', 'der',
+                                          '-in', os.path.join(tmpdirname, 'sig.pkcs7'),
+                                          '-print_certs'],
+                                          stdout=subprocess.PIPE)
+            with open(os.path.join(tmpdirname, 'out.crt'), 'ab+') as certstore:
+                certstore.write(pkcs7_certs.stdout)
+                self.assertSignatureOK(os.path.join(tmpdirname, 'out.crt'), self.signed_shim_path)
+
+
+unittest.main(testRunner=unittest.TextTestRunner(stream=sys.stdout, verbosity=2))
diff -pruN 15.3-3/debian/tests/10_uefi_boot_tests.py 15.4-0ubuntu7/debian/tests/10_uefi_boot_tests.py
--- 15.3-3/debian/tests/10_uefi_boot_tests.py	1970-01-01 00:00:00.000000000 +0000
+++ 15.4-0ubuntu7/debian/tests/10_uefi_boot_tests.py	2021-07-07 08:57:35.000000000 +0000
@@ -0,0 +1,51 @@
+#
+# UEFI boot testing
+#
+# Copyright (C) 2019 Canonical, Ltd.
+# Author: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 3.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import subprocess
+import sys
+import unittest
+
+from uefi_tests_base import UEFITestsBase, UEFINotAvailable, UEFIVirtualMachine
+
+
+class UEFIBootTests(UEFITestsBase):
+    """
+    Validate UEFI signatures for common problems
+    """
+    @classmethod
+    def setUpClass(klass):
+        UEFITestsBase.setUpClass()
+        klass.base_image = UEFIVirtualMachine(arch=klass.image_arch)
+        #klass.base_image.prepare()
+
+    def testCanary(self):
+        """Validate that a control/canary (unchanged) image boots fine"""
+        canary = UEFIVirtualMachine(self.base_image)
+        canary.run()
+        self.assertBoots(canary)
+
+    def testNewShim(self):
+        """Validate that a new SHIM binary on the image will boot"""
+        new_shim = UEFIVirtualMachine(self.base_image)
+        new_shim.update(src='/usr/lib/shim/shimx64.efi.signed', dst='/boot/efi/EFI/ubuntu/shimx64.efi')
+        new_shim.update(src='/usr/lib/shim/shimx64.efi.signed', dst='/boot/efi/EFI/BOOT/BOOTX64.efi')
+        new_shim.run()
+        self.assertBoots(new_shim)
+
+
+unittest.main(testRunner=unittest.TextTestRunner(stream=sys.stdout, verbosity=2))
diff -pruN 15.3-3/debian/tests/control 15.4-0ubuntu7/debian/tests/control
--- 15.3-3/debian/tests/control	1970-01-01 00:00:00.000000000 +0000
+++ 15.4-0ubuntu7/debian/tests/control	2021-07-07 08:57:35.000000000 +0000
@@ -0,0 +1,29 @@
+Test-Command: python3 debian/tests/01_sanity_tests.py
+Depends: @,
+  qemu-system-arm [arm64],
+  qemu-system-x86 [amd64],
+Restrictions: allow-stderr, needs-root, isolation-machine
+Features: test-name=sanity
+
+Test-Command: python3 debian/tests/05_signature_tests.py
+Depends: @,
+  sbsigntool,
+  grub-efi-arm64-signed [arm64],
+  grub-efi-amd64-signed [amd64],
+Restrictions: allow-stderr, needs-root, isolation-machine
+Features: test-name=signatures
+
+Test-Command: python3 debian/tests/10_uefi_boot_tests.py
+Depends: @,
+  autopkgtest,
+  genisoimage,
+  qemu-utils,
+  sbsigntool,
+  qemu-system-arm [arm64],
+  qemu-system-x86 [amd64],
+  ovmf [amd64],
+  qemu-efi-aarch64 [arm64],
+  grub-efi-arm64-signed [arm64],
+  grub-efi-amd64-signed [amd64],
+Restrictions: allow-stderr, needs-root, isolation-machine
+Features: test-name=boot-test
diff -pruN 15.3-3/debian/tests/uefi_tests_base.py 15.4-0ubuntu7/debian/tests/uefi_tests_base.py
--- 15.3-3/debian/tests/uefi_tests_base.py	1970-01-01 00:00:00.000000000 +0000
+++ 15.4-0ubuntu7/debian/tests/uefi_tests_base.py	2021-07-07 08:57:35.000000000 +0000
@@ -0,0 +1,241 @@
+#
+# UEFI validation/integration tests
+#
+# Copyright (C) 2019 Canonical, Ltd.
+# Author: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 3.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import lsb_release
+import os
+import shutil
+import stat
+import subprocess
+import tempfile
+from time import sleep
+import unittest
+
+
+class UEFINotAvailable(Exception):
+    """Exception class for unavailable UEFI features"""
+    def __init__(self, feature=None, arch=None, details=None):
+        self.message = "UEFI is not available"
+        if arch and feature:
+            self.message = "%s is not available on %s" % (feature, arch)
+        elif feature:
+            self.message = "%s is not available" % feature
+        if details:
+            self.message = self.message + ": %s" % details
+
+    def __str__(self):
+        return repr(self.message)
+
+class UEFITestsBase(unittest.TestCase):
+    '''
+    Common functionality for shim test cases
+    '''
+
+    @classmethod
+    def setUpClass(klass):
+        klass.arch_machine = os.uname().machine
+        klass.arch_suffix = ''
+        klass.grub_arch = ''
+        klass.qemu_arch = ''
+        if klass.arch_machine == 'x86_64':
+            klass.image_arch = 'amd64'
+            klass.arch_suffix = 'x64'
+            klass.grub_arch = 'x86_64-efi'
+            klass.qemu_arch = 'qemu-system-x86_64'
+        elif klass.arch_machine == 'aarch64':
+            klass.image_arch = 'arm64'
+            klass.arch_suffix = 'aa64'
+            klass.grub_arch = 'arm64-efi'
+            klass.qemu_arch = 'qemu-system-aarch64'
+        else:
+            raise UEFINotAvailable(feature='any UEFI Shim features', arch=klass.arch_machine)
+
+        # Base paths for the ESP.
+        klass.uefi_base_dir = os.path.join('/', 'boot', 'efi', 'EFI')
+        klass.uefi_boot_dir = os.path.join(klass.uefi_base_dir, 'BOOT')
+        klass.uefi_install_dir = os.path.join(klass.uefi_base_dir, 'ubuntu')
+
+        # CAs for signature validation
+        klass.canonical_ca = os.path.join('/usr/share/grub', 'canonical-uefi-ca.crt')
+
+        # Shim paths
+        klass.shim_pkg_dir = os.path.join('/', 'usr', 'lib', 'shim')
+        klass.unsigned_shim_path = os.path.join(klass.shim_pkg_dir, 'shim%s.efi' % klass.arch_suffix)
+        klass.signed_shim_path = os.path.join(klass.shim_pkg_dir, 'shim%s.efi.signed' % klass.arch_suffix)
+        klass.installed_shim = os.path.join(klass.uefi_install_dir, 'shim%s.efi' % klass.arch_suffix)
+        klass.removable_shim = os.path.join(klass.uefi_boot_dir, 'boot%s.efi' % klass.arch_suffix)
+
+        # GRUB paths
+        klass.grub_pkg_dir = os.path.join('/', 'usr', 'lib', 'grub', "%s-signed" % klass.grub_arch)
+        klass.signed_grub_path = os.path.join(klass.grub_pkg_dir, 'grub%s.efi.signed' % klass.arch_suffix)
+        klass.installed_grub = os.path.join(klass.uefi_install_dir, 'grub%s.efi' % klass.arch_suffix)
+
+        # OMVF paths
+        if klass.arch_machine == 'x86_64':
+            klass.uefi_code_path = '/usr/share/OVMF/OVMF_CODE.ms.fd'
+            klass.uefi_vars_path = '/usr/share/OVMF/OVMF_VARS.ms.fd'
+        elif klass.arch_machine == 'aarch64':
+            klass.uefi_code_path = '/usr/share/AAVMF/AAVMF_CODE.fd'
+            klass.uefi_vars_path = '/usr/share/AAVMF/AAVMF_VARS.fd'
+
+        subprocess.run(['modprobe', 'nbd'])
+
+    @classmethod
+    def tearDownClass(klass):
+        pass
+
+    def tearDown(self):
+        pass
+
+    def setUp(self):
+        pass
+
+
+    #
+    # Internal implementation details
+    #
+
+    @classmethod
+    def poll_text(klass, logpath, string, timeout=50):
+        '''Poll log file for a given string with a timeout.
+
+        Timeout is given in deciseconds.
+        '''
+        log = ''
+        while timeout > 0:
+            if os.path.exists(logpath):
+                break
+            timeout -= 1
+            sleep(0.1)
+        assert timeout > 0, 'Timed out waiting for file %s to appear' % logpath
+
+        with open(logpath) as f:
+            while timeout > 0:
+                line = f.readline()
+                if line:
+                    log += line
+                    if string in line:
+                        break
+                    continue
+                timeout -= 1
+                sleep(0.1)
+
+        assert timeout > 0, 'Timed out waiting for "%s":\n------------\n%s\n-------\n' % (string, log)
+
+
+    def assertSignatureOK(self, expected_signature, binary):
+        result = subprocess.check_call(['sbverify', '--cert', expected_signature, binary])
+        self.assertEquals(0, result)
+
+
+    def assertBoots(self, vm=None):
+        '''Assert that the VM is booted and ready for use'''
+        self.assertTrue(vm.ready())
+
+
+DEFAULT_METADATA = 'instance-id: nocloud\nlocal-hostname: autopkgtest\n'
+
+DEFAULT_USERDATA = """#cloud-config
+locale: en_US.UTF-8
+password: ubuntu
+chpasswd: { expire: False }
+ssh_pwauth: True
+manage_etc_hosts: True
+runcmd:
+ - (while [ ! -e /var/lib/cloud/instance/boot-finished ]; do sleep 1; done;
+    shutdown -P now) &
+"""
+
+#
+# VM management tools
+#
+class UEFIVirtualMachine(UEFITestsBase):
+
+    def __init__(self, base=None, arch=None):
+        self.autopkgtest_dir = tempfile.TemporaryDirectory()
+        os.makedirs(os.path.join(self.autopkgtest_dir.name, 'img'))
+        self.arch = arch
+        self.release = lsb_release.get_os_release()['CODENAME']
+        self.path = tempfile.mkstemp(dir=self.autopkgtest_dir.name)[1]
+        if not base:
+            subprocess.run(['wget',
+                            'http://cloud-images.ubuntu.com/%s/current/%s-server-cloudimg-%s.img'
+                            % (self.release, self.release, self.arch),
+                            '-O', '%s/base.img' % self.autopkgtest_dir.name])
+        else:
+            self.arch = base.arch
+            shutil.copy(base.path, os.path.join(self.autopkgtest_dir.name, 'base.img'))
+        shutil.copy(os.path.join(self.autopkgtest_dir.name, 'base.img'), self.path)
+        shutil.copy("%s" % self.uefi_vars_path, "%s.VARS.fd" % self.path) 
+
+    def _mount(self):
+        subprocess.run(['qemu-nbd', '--connect=/dev/nbd0', self.path])
+        # nbd doesn't show instantly...
+        sleep(1)
+        subprocess.run(['mount', '/dev/nbd0p1', os.path.join(self.autopkgtest_dir.name, 'img')])
+        subprocess.run(['mount', '/dev/nbd0p15', os.path.join(self.autopkgtest_dir.name, 'img', 'boot/efi')])
+
+    def _unmount(self):
+        subprocess.run(['umount', '/dev/nbd0p15'])
+        subprocess.run(['umount', '/dev/nbd0p1'])
+        subprocess.run(['qemu-nbd', '--disconnect', '/dev/nbd0'])
+
+    def prepare(self):
+        with open(os.path.join(self.autopkgtest_dir.name, 'meta-data'), 'w') as f:
+            f.write(DEFAULT_METADATA)
+        with open(os.path.join(self.autopkgtest_dir.name, 'user-data'), 'w') as f:
+            f.write(DEFAULT_USERDATA)
+
+        subprocess.run(['genisoimage', '-output', 'cloud-init.seed',
+                        '-volid', 'cidata', '-joliet', '-rock',
+                        '-quiet', 'user-data', 'meta-data'],
+                       cwd=self.autopkgtest_dir.name)
+
+    def list(self, path='/etc/'):
+        self._mount()
+        subprocess.run(['ls', '-l',  os.path.join(self.autopkgtest_dir.name, 'img', path)])
+        self._unmount()
+
+    def update(self, src=None, dst=None):
+        self._mount()
+        try:
+            os.makedirs(os.path.join(self.autopkgtest_dir.name, 'img', os.path.dirname(src)))
+        except FileExistsError:
+            pass
+        shutil.copy(src, os.path.join(self.autopkgtest_dir.name, 'img', dst))
+        self._unmount()
+
+    def run(self):
+        self.prepare()
+        # start qemu-system-$arch, output log to serial and capture to variable
+        subprocess.run([self.qemu_arch, '-m', '2048', '-nographic',
+                        '-serial', 'mon:stdio',
+                        '-drive', 'file=%s,if=pflash,format=raw,unit=0,readonly=on' % self.uefi_code_path,
+                        '-drive', 'file=%s.VARS.fd,if=pflash,format=raw,unit=1' % self.path,
+                        '-drive', 'file=%s,if=none,id=harddrive0' % self.path,
+                        '-device', 'virtio-blk-pci,drive=harddrive0,bootindex=0',
+                        '-drive', 'file=%s/cloud-init.seed,if=virtio,readonly' % self.autopkgtest_dir.name])
+
+    def ready(self):
+        """Returns true if the VM is booted and ready at userland"""
+        # check captured serial for our marker
+        self._mount()
+        result = os.path.exists(os.path.join(self.autopkgtest_dir.name, 'img', '/var/lib/cloud/instances/nocloud/boot-finished'))
+        self._unmount()
+        return result
+
+
diff -pruN 15.3-3/debian/ubuntu-dbx.hashes 15.4-0ubuntu7/debian/ubuntu-dbx.hashes
--- 15.3-3/debian/ubuntu-dbx.hashes	2021-03-24 01:27:31.000000000 +0000
+++ 15.4-0ubuntu7/debian/ubuntu-dbx.hashes	1970-01-01 00:00:00.000000000 +0000
@@ -1,22 +0,0 @@
-# debian-dbx.hashes
-#
-# This file contains the sha256 sums of the binaries that we want to
-# blacklist directly in our signed shim. Add entries below, with comments
-# to explain each entry (where possible).
-#
-# The data in this file needs should be of the form:
-#
-# <hex-encoded sha256 checksums> <arch>
-#
-# All other lines will be ignored. I'm using shell-style comments just
-# for clarity.
-#
-# The hashes are generated using:
-#
-#     pesign --hash --padding --in <binary>
-#
-# on *either* the signed or unsigned binary, pesign doesn't care
-# which. See the helper script block_signed_deb for an easy way to
-# generate this information.
-
-# ... This file intentionally left blank for now ...
diff -pruN 15.3-3/debian/upstream/metadata 15.4-0ubuntu7/debian/upstream/metadata
--- 15.3-3/debian/upstream/metadata	2021-03-24 01:27:31.000000000 +0000
+++ 15.4-0ubuntu7/debian/upstream/metadata	1970-01-01 00:00:00.000000000 +0000
@@ -1,2 +0,0 @@
-Bug-Database: https://github.com/rhboot/shim/issues
-Bug-Submit: https://github.com/rhboot/shim/issues/new
diff -pruN 15.3-3/debian/watch 15.4-0ubuntu7/debian/watch
--- 15.3-3/debian/watch	2021-03-24 01:00:17.000000000 +0000
+++ 15.4-0ubuntu7/debian/watch	2021-07-07 08:57:35.000000000 +0000
@@ -1,5 +1,4 @@
-# Compulsory line, this is a version 4 file
 version=4
-
-opts="repack,compression=xz,filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/shim-$1\.tar\.gz/" \
-  https://github.com/rhboot/shim/releases .*/v?(\d\S*)\.tar\.gz
+opts="mode=git, pgpmode=none, pretty=15+%ct.%h" \
+  https://github.com/rhboot/shim.git \
+  HEAD debian
diff -pruN 15.3-3/elf_aarch64_efi.lds 15.4-0ubuntu7/elf_aarch64_efi.lds
--- 15.3-3/elf_aarch64_efi.lds	2021-03-23 18:39:44.000000000 +0000
+++ 15.4-0ubuntu7/elf_aarch64_efi.lds	2021-03-30 20:55:03.000000000 +0000
@@ -9,24 +9,12 @@ SECTIONS
     *(.text)
     *(.text.*)
     *(.gnu.linkonce.t.*)
-    *(.srodata)
-    *(.rodata*)
-    . = ALIGN(16);
-    _etext = .;
-  }
-
-  . = ALIGN(4096);
-  .dynamic  : { *(.dynamic) }
-
-  . = ALIGN(4096);
-  .note.gnu.build-id : {
-    *(.note.gnu.build-id)
-  }
-
-  . = ALIGN(4096);
-  .data.ident : {
-    *(.data.ident)
+    _evtext = .;
+    . = ALIGN(4096);
   }
+  _etext = .;
+  _text_size = . - _text;
+  _text_vsize = _evtext - _text;
 
   . = ALIGN(4096);
   .data :
@@ -39,6 +27,8 @@ SECTIONS
    *(.got.plt)
    *(.got)
 
+   *(.dynamic)
+
    /* the EFI loader doesn't seem to like a .bss section, so we stick
       it all into .data: */
    . = ALIGN(16);
@@ -48,44 +38,61 @@ SECTIONS
    *(.dynbss)
    *(.bss)
    *(COMMON)
-   . = ALIGN(16);
+   _evdata = .;
+   . = ALIGN(4096);
    _bss_end = .;
   }
+  _edata = .;
+  _data_vsize = _evdata - _data;
+  _data_size = . - _data;
 
+  /*
+   * Note that _sbat must be the beginning of the data, and _esbat must be the
+   * end and must be before any section padding.  The sbat self-check uses
+   * _esbat to find the bounds of the data, and if the padding is included, the
+   * CSV parser (correctly) rejects the data as having NUL values in one of the
+   * required columns.
+   */
   . = ALIGN(4096);
-  .vendor_cert :
+  .sbat :
   {
-    *(.vendor_cert)
+    _sbat = .;
+    *(.sbat)
+    *(.sbat.*)
+    _esbat = .;
+    . = ALIGN(4096);
+    _epsbat = .;
   }
+  _sbat_size = _epsbat - _sbat;
+  _sbat_vsize = _esbat - _sbat;
+
   . = ALIGN(4096);
-  .rela :
+  .rodata :
   {
+    _rodata = .;
     *(.rela.dyn)
     *(.rela.plt)
     *(.rela.got)
     *(.rela.data)
     *(.rela.data*)
+
+    *(.rodata*)
+    *(.srodata)
+    *(.dynsym)
+    *(.dynstr)
+    . = ALIGN(16);
+    *(.note.gnu.build-id)
+    . = ALIGN(4096);
+    *(.vendor_cert)
+    *(.data.ident)
+    _evrodata = .;
+    . = ALIGN(4096);
   }
-  _edata = .;
-  _data_size = . - _data;
-  . = ALIGN(4096);
-  .sbat :
-  {
-    _sbat = .;
-    *(.sbat)
-    *(.sbat.*)
-  }
-  _esbat = .;
-  _sbat_vsize = . - _sbat;
-  . = ALIGN(4096);
-  _sbat_size = . - _sbat;
+  _erodata = .;
+  _rodata_size = . - _rodata;
+  _rodata_vsize = _evrodata - _rodata;
   _alldata_size = . - _data;
 
-  . = ALIGN(4096);
-  .dynsym   : { *(.dynsym) }
-  . = ALIGN(4096);
-  .dynstr   : { *(.dynstr) }
-  . = ALIGN(4096);
   /DISCARD/ :
   {
     *(.rel.reloc)
diff -pruN 15.3-3/elf_arm_efi.lds 15.4-0ubuntu7/elf_arm_efi.lds
--- 15.3-3/elf_arm_efi.lds	2021-03-23 18:39:44.000000000 +0000
+++ 15.4-0ubuntu7/elf_arm_efi.lds	2021-03-30 20:55:03.000000000 +0000
@@ -9,22 +9,12 @@ SECTIONS
     *(.text)
     *(.text.*)
     *(.gnu.linkonce.t.*)
-    *(.srodata)
-    *(.rodata*)
-    . = ALIGN(16);
-    _etext = .;
-  }
-  .dynamic  : { *(.dynamic) }
-
-  . = ALIGN(4096);
-  .note.gnu.build-id : {
-    *(.note.gnu.build-id)
-  }
-
-  . = ALIGN(4096);
-  .data.ident : {
-    *(.data.ident)
+    _evtext = .;
+    . = ALIGN(4096);
   }
+  _etext = .;
+  _text_size = . - _text;
+  _text_vsize = _evtext - _text;
 
   . = ALIGN(4096);
   .data :
@@ -33,10 +23,12 @@ SECTIONS
    *(.sdata)
    *(.data)
    *(.data1)
-   *(.data*)
+   *(.data.*)
    *(.got.plt)
    *(.got)
 
+   *(.dynamic)
+
    /* the EFI loader doesn't seem to like a .bss section, so we stick
       it all into .data: */
    . = ALIGN(16);
@@ -46,44 +38,61 @@ SECTIONS
    *(.dynbss)
    *(.bss)
    *(COMMON)
-   . = ALIGN(16);
+   _evdata = .;
+   . = ALIGN(4096);
    _bss_end = .;
   }
+  _edata = .;
+  _data_vsize = _evdata - _data;
+  _data_size = . - _data;
 
+  /*
+   * Note that _sbat must be the beginning of the data, and _esbat must be the
+   * end and must be before any section padding.  The sbat self-check uses
+   * _esbat to find the bounds of the data, and if the padding is included, the
+   * CSV parser (correctly) rejects the data as having NUL values in one of the
+   * required columns.
+   */
   . = ALIGN(4096);
-  .vendor_cert :
+  .sbat :
   {
-    *(.vendor_cert)
+    _sbat = .;
+    *(.sbat)
+    *(.sbat.*)
+    _esbat = .;
+    . = ALIGN(4096);
+    _epsbat = .;
   }
+  _sbat_size = _epsbat - _sbat;
+  _sbat_vsize = _esbat - _sbat;
+
   . = ALIGN(4096);
-  .rel :
+  .rodata :
   {
+    _rodata = .;
     *(.rel.dyn)
     *(.rel.plt)
     *(.rel.got)
     *(.rel.data)
     *(.rel.data*)
+
+    *(.rodata*)
+    *(.srodata)
+    *(.dynsym)
+    *(.dynstr)
+    . = ALIGN(16);
+    *(.note.gnu.build-id)
+    . = ALIGN(4096);
+    *(.vendor_cert)
+    *(.data.ident)
+    _evrodata = .;
+    . = ALIGN(4096);
   }
-  _edata = .;
-  _data_size = . - _data;
-  . = ALIGN(4096);
-  .sbat :
-  {
-    _sbat = .;
-    *(.sbat)
-    *(.sbat.*)
-  }
-  _esbat = .;
-  _sbat_vsize = . - _sbat;
-  . = ALIGN(4096);
-  _sbat_size = . - _sbat;
+  _erodata = .;
+  _rodata_size = . - _rodata;
+  _rodata_vsize = _evrodata - _rodata;
   _alldata_size = . - _data;
 
-  . = ALIGN(4096);
-  .dynsym   : { *(.dynsym) }
-  . = ALIGN(4096);
-  .dynstr   : { *(.dynstr) }
-  . = ALIGN(4096);
   /DISCARD/ :
   {
     *(.rel.reloc)
diff -pruN 15.3-3/.github/workflows/pullrequest.yml 15.4-0ubuntu7/.github/workflows/pullrequest.yml
--- 15.3-3/.github/workflows/pullrequest.yml	2021-03-23 18:39:44.000000000 +0000
+++ 15.4-0ubuntu7/.github/workflows/pullrequest.yml	2021-03-30 20:55:03.000000000 +0000
@@ -110,14 +110,24 @@ jobs:
         id: update-submodules
         run: |
           make update
+      - name: Make a build directory for ${{ matrix.distro }} for ${{ matrix.efiarch }}
+        id: builddir
+        run: |
+          rm -rf build-${{ matrix.distro }}-${{ matrix.efiarch }}
+          mkdir build-${{ matrix.distro }}-${{ matrix.efiarch }}
+          cd build-${{ matrix.distro }}-${{ matrix.efiarch }}
       - name: Do the build on ${{ matrix.distro }} for ${{ matrix.efiarch }}
         id: build
         run: |
-          make -s CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean all || make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean all
+          pwd
+          cd build-${{ matrix.distro }}-${{ matrix.efiarch }}
+          make TOPDIR=.. -f ../Makefile CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true all
       - name: Install on ${{ matrix.distro }} for ${{ matrix.efiarch }}
         id: install
         run: |
-          make -s CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install || make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install
+          pwd
+          cd build-${{ matrix.distro }}-${{ matrix.efiarch }}
+          make TOPDIR=.. -f ../Makefile CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install
           echo 'results:'
           find /destdir -type f
 
@@ -190,17 +200,21 @@ jobs:
         id: update-submodules
         run: |
           make update
+      - name: Do 'make clean' on ${{ matrix.distro }} for ${{ matrix.efiarch }}
+        id: clean
+        run: |
+          make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean
       - name: Run tests on ${{ matrix.distro }} for ${{ matrix.efiarch }}
         id: test
         run: |
-          make -s ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true test || make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true test
+          make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true test
       - name: Do the build on ${{ matrix.distro }} for ${{ matrix.efiarch }}
         id: build
         run: |
-          make -s ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean all || make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean all
+          make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true all
       - name: Install on ${{ matrix.distro }} for ${{ matrix.efiarch }}
         id: install
         run: |
-          make -s ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install || make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install
+          make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install
           echo 'results:'
           find /destdir -type f
diff -pruN 15.3-3/gnu-efi/gnuefi/crt0-efi-aarch64.S 15.4-0ubuntu7/gnu-efi/gnuefi/crt0-efi-aarch64.S
--- 15.3-3/gnu-efi/gnuefi/crt0-efi-aarch64.S	2021-03-21 17:06:19.000000000 +0000
+++ 15.4-0ubuntu7/gnu-efi/gnuefi/crt0-efi-aarch64.S	2021-03-26 22:41:36.000000000 +0000
@@ -31,7 +31,7 @@ pe_header:
 	.short 	0
 coff_header:
 	.short	0xaa64				// AArch64
-	.short	3				// nr_sections
+	.short	4				// nr_sections
 	.long	0 				// TimeDateStamp
 	.long	0				// PointerToSymbolTable
 	.long	1				// NumberOfSymbols
@@ -44,7 +44,7 @@ optional_header:
 	.short	0x20b				// PE32+ format
 	.byte	0x02				// MajorLinkerVersion
 	.byte	0x14				// MinorLinkerVersion
-	.long	_data - _start			// SizeOfCode
+	.long	_text_size			// SizeOfCode
 	.long	_alldata_size			// SizeOfInitializedData
 	.long	0				// SizeOfUninitializedData
 	.long	_start - ImageBase		// AddressOfEntryPoint
@@ -62,7 +62,7 @@ extra_header_fields:
 	.short	0				// MinorSubsystemVersion
 	.long	0				// Win32VersionValue
 
-	.long	_esbat - ImageBase		// SizeOfImage
+	.long	_erodata - ImageBase		// SizeOfImage
 
 	// Everything before the kernel image is considered part of the header
 	.long	_start - ImageBase		// SizeOfHeaders
@@ -86,19 +86,22 @@ extra_header_fields:
 	// Section table
 section_table:
 	.ascii	".text\0\0\0"
-	.long	_data - _start		// VirtualSize
+	.long	_evtext - _start	// VirtualSize
 	.long	_start - ImageBase	// VirtualAddress
-	.long	_data - _start		// SizeOfRawData
+	.long	_etext - _start		// SizeOfRawData
 	.long	_start - ImageBase	// PointerToRawData
 
 	.long	0		// PointerToRelocations (0 for executables)
 	.long	0		// PointerToLineNumbers (0 for executables)
 	.short	0		// NumberOfRelocations  (0 for executables)
 	.short	0		// NumberOfLineNumbers  (0 for executables)
+	/*
+	 * EFI_IMAGE_SCN_MEM_READ | EFI_IMAGE_SCN_MEM_EXECUTE | EFI_IMAGE_SCN_CNT_CODE
+	 */
 	.long	0x60000020	// Characteristics (section flags)
 
 	.ascii	".data\0\0\0"
-	.long	_data_size		// VirtualSize
+	.long	_data_vsize		// VirtualSize
 	.long	_data - ImageBase	// VirtualAddress
 	.long	_data_size		// SizeOfRawData
 	.long	_data - ImageBase	// PointerToRawData
@@ -107,9 +110,12 @@ section_table:
 	.long	0		// PointerToLineNumbers (0 for executables)
 	.short	0		// NumberOfRelocations  (0 for executables)
 	.short	0		// NumberOfLineNumbers  (0 for executables)
+	/*
+	 * EFI_IMAGE_SCN_MEM_WRITE | EFI_IMAGE_SCN_MEM_READ | EFI_IMAGE_SCN_CNT_INITIALIZED_DATA
+	 */
 	.long	0xc0000040	// Characteristics (section flags)
 
-	.ascii  ".sbat\0\0\0"
+	.ascii	".sbat\0\0\0"
 	.long	_sbat_vsize		// VirtualSize
 	.long	_sbat - ImageBase	// VirtualAddress
 	.long	_sbat_size		// SizeOfRawData
@@ -119,6 +125,24 @@ section_table:
 	.long	0		// PointerToLineNumbers (0 for executables)
 	.short	0		// NumberOfRelocations  (0 for executables)
 	.short	0		// NumberOfLineNumbers  (0 for executables)
+	/*
+	 * EFI_IMAGE_SCN_MEM_READ | EFI_IMAGE_SCN_ALIGN_8BYTES | EFI_IMAGE_SCN_CNT_INITIALIZED_DATA
+	 */
+	.long	0x40400040	// Characteristics (section flags)
+
+	.ascii  ".rodata\0"
+	.long	_rodata_vsize		// VirtualSize
+	.long	_rodata - ImageBase	// VirtualAddress
+	.long	_rodata_size		// SizeOfRawData
+	.long	_rodata - ImageBase	// PointerToRawData
+
+	.long	0		// PointerToRelocations (0 for executables)
+	.long	0		// PointerToLineNumbers (0 for executables)
+	.short	0		// NumberOfRelocations  (0 for executables)
+	.short	0		// NumberOfLineNumbers  (0 for executables)
+	/*
+	 * EFI_IMAGE_SCN_MEM_READ | EFI_IMAGE_SCN_ALIGN_8BYTES | EFI_IMAGE_SCN_CNT_INITIALIZED_DATA
+	 */
 	.long	0x40400040	// Characteristics (section flags)
 
 	.align		12
diff -pruN 15.3-3/gnu-efi/gnuefi/crt0-efi-arm.S 15.4-0ubuntu7/gnu-efi/gnuefi/crt0-efi-arm.S
--- 15.3-3/gnu-efi/gnuefi/crt0-efi-arm.S	2021-03-21 17:06:19.000000000 +0000
+++ 15.4-0ubuntu7/gnu-efi/gnuefi/crt0-efi-arm.S	2021-03-26 22:41:36.000000000 +0000
@@ -31,7 +31,7 @@ pe_header:
 	.short 	0
 coff_header:
 	.short	0x1c2				// Mixed ARM/Thumb
-	.short	3				// nr_sections
+	.short	4				// nr_sections
 	.long	0 				// TimeDateStamp
 	.long	0				// PointerToSymbolTable
 	.long	1				// NumberOfSymbols
@@ -45,17 +45,17 @@ optional_header:
 	.short	0x10b				// PE32+ format
 	.byte	0x02				// MajorLinkerVersion
 	.byte	0x14				// MinorLinkerVersion
-	.long	_data - _start			// SizeOfCode
+	.long	_text_size			// SizeOfCode
 	.long	_alldata_size			// SizeOfInitializedData
 	.long	0				// SizeOfUninitializedData
 	.long	_start - ImageBase		// AddressOfEntryPoint
 	.long	_start - ImageBase		// BaseOfCode
-	.long	0				// BaseOfData
+	.long	_data - ImageBase		// BaseOfData
 
 extra_header_fields:
 	.long	0				// ImageBase
-	.long	0x20				// SectionAlignment
-	.long	0x8				// FileAlignment
+	.long	0x800				// SectionAlignment
+	.long	0x200				// FileAlignment
 	.short	0				// MajorOperatingSystemVersion
 	.short	0				// MinorOperatingSystemVersion
 	.short	0				// MajorImageVersion
@@ -64,7 +64,7 @@ extra_header_fields:
 	.short	0				// MinorSubsystemVersion
 	.long	0				// Win32VersionValue
 
-	.long	_esbat - ImageBase		// SizeOfImage
+	.long	_erodata - ImageBase		// SizeOfImage
 
 	// Everything before the kernel image is considered part of the header
 	.long	_start - ImageBase		// SizeOfHeaders
@@ -88,6 +88,7 @@ extra_header_fields:
 	// Section table
 section_table:
 
+#if 0
 	/*
 	 * The EFI application loader requires a relocation section
 	 * because EFI applications must be relocatable.  This is a
@@ -105,23 +106,37 @@ section_table:
 	.short	0			// NumberOfRelocations
 	.short	0			// NumberOfLineNumbers
 	.long	0x42100040		// Characteristics (section flags)
+#endif
 
-
-	.ascii	".text"
-	.byte	0
-	.byte	0
-	.byte	0        		// end of 0 padding of section name
-	.long	_edata - _start		// VirtualSize
+	.ascii	".text\0\0\0"
+	.long	_evtext - _start	// VirtualSize
 	.long	_start - ImageBase	// VirtualAddress
-	.long	_edata - _start		// SizeOfRawData
+	.long	_etext - _start		// SizeOfRawData
 	.long	_start - ImageBase	// PointerToRawData
 
 	.long	0		// PointerToRelocations (0 for executables)
 	.long	0		// PointerToLineNumbers (0 for executables)
 	.short	0		// NumberOfRelocations  (0 for executables)
 	.short	0		// NumberOfLineNumbers  (0 for executables)
-	.long	0xe0500020	// Characteristics (section flags)
+	/*
+	 * EFI_IMAGE_SCN_MEM_READ | EFI_IMAGE_SCN_MEM_EXECUTE | EFI_IMAGE_SCN_CNT_CODE
+	 */
+	.long	0x60000020	// Characteristics (section flags)
+
+	.ascii	".data\0\0\0"
+	.long	_data_vsize		// VirtualSize
+	.long	_data - ImageBase	// VirtualAddress
+	.long	_data_size		// SizeOfRawData
+	.long	_data - ImageBase	// PointerToRawData
 
+	.long	0		// PointerToRelocations (0 for executables)
+	.long	0		// PointerToLineNumbers (0 for executables)
+	.short	0		// NumberOfRelocations  (0 for executables)
+	.short	0		// NumberOfLineNumbers  (0 for executables)
+	/*
+	 * EFI_IMAGE_SCN_MEM_WRITE | EFI_IMAGE_SCN_MEM_READ | EFI_IMAGE_SCN_CNT_INITIALIZED_DATA
+	 */
+	.long	0xc0000040	// Characteristics (section flags)
 
 	.ascii	".sbat\0\0\0"
 	.long	_sbat_vsize		// VirtualSize
@@ -133,9 +148,28 @@ section_table:
 	.long	0		// PointerToLineNumbers (0 for executables)
 	.short	0		// NumberOfRelocations  (0 for executables)
 	.short	0		// NumberOfLineNumbers  (0 for executables)
+	/*
+	 * EFI_IMAGE_SCN_MEM_READ | EFI_IMAGE_SCN_ALIGN_8BYTES | EFI_IMAGE_SCN_CNT_INITIALIZED_DATA
+	 */
+	.long	0x40400040	// Characteristics (section flags)
+
+	.ascii  ".rodata\0"
+	.long	_rodata_vsize		// VirtualSize
+	.long	_rodata - ImageBase	// VirtualAddress
+	.long	_rodata_size		// SizeOfRawData
+	.long	_rodata - ImageBase	// PointerToRawData
+
+	.long	0		// PointerToRelocations (0 for executables)
+	.long	0		// PointerToLineNumbers (0 for executables)
+	.short	0		// NumberOfRelocations  (0 for executables)
+	.short	0		// NumberOfLineNumbers  (0 for executables)
+	/*
+	 * EFI_IMAGE_SCN_MEM_READ | EFI_IMAGE_SCN_ALIGN_8BYTES | EFI_IMAGE_SCN_CNT_INITIALIZED_DATA
+	 */
 	.long	0x40400040	// Characteristics (section flags)
 
 
+	.align 11
 _start:
 	stmfd		sp!, {r0-r2, lr}
 
diff -pruN 15.3-3/gnu-efi/Make.defaults 15.4-0ubuntu7/gnu-efi/Make.defaults
--- 15.3-3/gnu-efi/Make.defaults	2021-03-21 17:06:19.000000000 +0000
+++ 15.4-0ubuntu7/gnu-efi/Make.defaults	2021-03-26 22:41:36.000000000 +0000
@@ -92,7 +92,7 @@ endif
 #
 # Where to build the package
 #
-OBJDIR       := $(TOPDIR)/$(ARCH)
+OBJDIR       := $(abspath .)/$(ARCH)
 
 #
 # Variables below derived from variables above
diff -pruN 15.3-3/include/sbat.h 15.4-0ubuntu7/include/sbat.h
--- 15.3-3/include/sbat.h	2021-03-23 18:39:44.000000000 +0000
+++ 15.4-0ubuntu7/include/sbat.h	2021-03-30 20:55:03.000000000 +0000
@@ -20,16 +20,16 @@
 	(UEFI_VAR_NV_BS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)
 
 #if defined(ENABLE_SHIM_DEVEL)
-#define SBAT_VAR_NAME L"SBAT_DEVEL"
-#define SBAT_VAR_NAME8 "SBAT_DEVEL"
-#define SBAT_RT_VAR_NAME L"SbatRT_DEVEL"
-#define SBAT_RT_VAR_NAME8 "SbatRT_DEVEL"
+#define SBAT_VAR_NAME L"SbatLevel_DEVEL"
+#define SBAT_VAR_NAME8 "SbatLevel_DEVEL"
+#define SBAT_RT_VAR_NAME L"SbatLevelRT_DEVEL"
+#define SBAT_RT_VAR_NAME8 "SbatLevelRT_DEVEL"
 #define SBAT_VAR_ATTRS UEFI_VAR_NV_BS_RT
 #else
-#define SBAT_VAR_NAME L"SBAT"
-#define SBAT_VAR_NAME8 "SBAT"
-#define SBAT_RT_VAR_NAME L"SbatRT"
-#define SBAT_RT_VAR_NAME8 "SbatRT"
+#define SBAT_VAR_NAME L"SbatLevel"
+#define SBAT_VAR_NAME8 "SbatLevel"
+#define SBAT_RT_VAR_NAME L"SbatLevelRT"
+#define SBAT_RT_VAR_NAME8 "SbatLevelRT"
 #define SBAT_VAR_ATTRS UEFI_VAR_NV_BS
 #endif
 
@@ -51,6 +51,7 @@ extern list_t sbat_var;
 EFI_STATUS parse_sbat_var(list_t *entries);
 void cleanup_sbat_var(list_t *entries);
 EFI_STATUS set_sbat_uefi_variable(void);
+bool preserve_sbat_uefi_variable(UINT8 *sbat, UINTN sbatsize, UINT32 attributes);
 
 struct sbat_section_entry {
 	const CHAR8 *component_name;
diff -pruN 15.3-3/lib/Makefile 15.4-0ubuntu7/lib/Makefile
--- 15.3-3/lib/Makefile	2021-03-23 18:39:44.000000000 +0000
+++ 15.4-0ubuntu7/lib/Makefile	2021-03-30 20:55:03.000000000 +0000
@@ -1,6 +1,6 @@
 TARGET = lib.a
 
-LIBFILES_UNSORTED := $(foreach x,$(wildcard *.c),$(patsubst %.c,%.o,$(x)))
+LIBFILES_UNSORTED := $(patsubst %.c,%.o,$(subst $(TOPDIR)/lib/,,$(wildcard $(TOPDIR)/lib/*.c)))
 LIBFILES := $(sort $(LIBFILES_UNSORTED))
 
 CRYPTDIR	= $(TOPDIR)/Cryptlib
diff -pruN 15.3-3/Make.defaults 15.4-0ubuntu7/Make.defaults
--- 15.3-3/Make.defaults	2021-03-23 18:39:44.000000000 +0000
+++ 15.4-0ubuntu7/Make.defaults	2021-03-30 20:55:03.000000000 +0000
@@ -1,6 +1,7 @@
 
 # load the local configuration if it exists
 -include Make.local
+-include $(TOPDIR)/Make.local
 
 COMPILER	?= gcc
 CC		= $(CROSS_COMPILE)$(COMPILER)
diff -pruN 15.3-3/Makefile 15.4-0ubuntu7/Makefile
--- 15.3-3/Makefile	2021-03-23 18:39:44.000000000 +0000
+++ 15.4-0ubuntu7/Makefile	2021-03-30 20:55:03.000000000 +0000
@@ -1,7 +1,7 @@
 default : all
 
 NAME		= shim
-VERSION		= 15.3
+VERSION		= 15.4
 ifneq ($(origin RELEASE),undefined)
 DASHRELEASE	?= -$(RELEASE)
 else
@@ -45,7 +45,7 @@ MOK_OBJS = MokManager.o PasswordCrypt.o
 ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
 FALLBACK_OBJS = fallback.o tpm.o errlog.o sbat_data.o
 ORIG_FALLBACK_SRCS = fallback.c
-SBATPATH = data/sbat.csv
+SBATPATH = $(TOPDIR)/data/sbat.csv
 
 ifeq ($(SOURCE_DATE_EPOCH),)
 	UNAME=$(shell uname -s -m -p -i -o)
@@ -111,7 +111,7 @@ sbat.%.csv : data/sbat.%.csv
 	$(DOS2UNIX) $(D2UFLAGS) $< $@
 	tail -c1 $@ | read -r _ || echo >> $@ # ensure a trailing newline
 
-VENDOR_SBATS := $(foreach x,$(wildcard data/sbat.*.csv),$(notdir $(x)))
+VENDOR_SBATS := $(sort $(foreach x,$(wildcard $(TOPDIR)/data/sbat.*.csv data/sbat.*.csv),$(notdir $(x))))
 
 sbat_data.o : | $(SBATPATH) $(VENDOR_SBATS)
 sbat_data.o : /dev/null
@@ -146,21 +146,23 @@ $(MMSONAME): $(MOK_OBJS) $(LIBS)
 
 gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a: CFLAGS+=-DGNU_EFI_USE_EXTERNAL_STDARG
 gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a:
+	mkdir -p gnu-efi/lib gnu-efi/gnuefi
 	$(MAKE) -C gnu-efi \
 		ARCH=$(ARCH_GNUEFI) TOPDIR=$(TOPDIR)/gnu-efi \
+		-f $(TOPDIR)/gnu-efi/Makefile \
 		lib gnuefi inc
 
 Cryptlib/libcryptlib.a:
 	for i in Hash Hmac Cipher Rand Pk Pem SysCall; do mkdir -p Cryptlib/$$i; done
-	$(MAKE) VPATH=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile
+	$(MAKE) TOPDIR=$(TOPDIR) VPATH=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile
 
 Cryptlib/OpenSSL/libopenssl.a:
 	for i in x509v3 x509 txt_db stack sha rsa rc4 rand pkcs7 pkcs12 pem ocsp objects modes md5 lhash kdf hmac evp err dso dh conf comp cmac buffer bn bio async/arch asn1 aes; do mkdir -p Cryptlib/OpenSSL/crypto/$$i; done
-	$(MAKE) VPATH=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile
+	$(MAKE) TOPDIR=$(TOPDIR) VPATH=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile
 
 lib/lib.a: | $(TOPDIR)/lib/Makefile $(wildcard $(TOPDIR)/include/*.[ch])
-	if [ ! -d lib ]; then mkdir lib ; fi
-	$(MAKE) VPATH=$(TOPDIR)/lib -C lib -f $(TOPDIR)/lib/Makefile lib.a
+	mkdir -p lib
+	$(MAKE) VPATH=$(TOPDIR)/lib TOPDIR=$(TOPDIR) -C lib -f $(TOPDIR)/lib/Makefile
 
 buildid : $(TOPDIR)/buildid.c
 	$(HOSTCC) -I/usr/include -Og -g3 -Wall -Werror -Wextra -o $@ $< -lelf
@@ -223,6 +225,7 @@ endif
 install-as-data : install-deps
 	$(INSTALL) -d -m 0755 $(DESTDIR)/$(DATATARGETDIR)
 	$(INSTALL) -m 0644 $(SHIMNAME) $(DESTDIR)/$(DATATARGETDIR)/
+	$(INSTALL) -m 0644 $(BOOTCSVNAME) $(DESTDIR)/$(DATATARGETDIR)/
 ifneq ($(origin ENABLE_SHIM_HASH),undefined)
 	$(INSTALL) -m 0644 $(SHIMHASHNAME) $(DESTDIR)/$(DATATARGETDIR)/
 endif
@@ -239,7 +242,7 @@ ifneq ($(OBJCOPY_GTE224),1)
 	$(error objcopy >= 2.24 is required)
 endif
 	$(OBJCOPY) -D -j .text -j .sdata -j .data -j .data.ident \
-		-j .dynamic -j .dynsym -j .rel* \
+		-j .dynamic -j .rodata -j .rel* \
 		-j .rela* -j .reloc -j .eh_frame \
 		-j .vendor_cert -j .sbat \
 		$(FORMAT) $< $@
@@ -256,7 +259,7 @@ ifneq ($(OBJCOPY_GTE224),1)
 	$(error objcopy >= 2.24 is required)
 endif
 	$(OBJCOPY) -D -j .text -j .sdata -j .data \
-		-j .dynamic -j .dynsym -j .rel* \
+		-j .dynamic -j .rodata -j .rel* \
 		-j .rela* -j .reloc -j .eh_frame -j .sbat \
 		-j .debug_info -j .debug_abbrev -j .debug_aranges \
 		-j .debug_line -j .debug_str -j .debug_ranges \
@@ -275,35 +278,46 @@ else
 endif
 
 test :
-	@make -f include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" all
+	@make -f $(TOPDIR)/include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" all
 
 $(patsubst %.c,%,$(wildcard test-*.c)) :
-	@make -f include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" $@
+	@make -f $(TOPDIR)/include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" $@
 
 .PHONY : $(patsubst %.c,%,$(wildcard test-*.c)) test
 
 clean-test-objs:
-	@make -f include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" clean
+	@make -f $(TOPDIR)/include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" clean
 
 clean-gnu-efi:
-	$(MAKE) -C gnu-efi \
-		ARCH=$(ARCH_GNUEFI) TOPDIR=$(TOPDIR)/gnu-efi \
-		clean
+	@if [ -d gnu-efi ] ; then \
+		$(MAKE) -C gnu-efi \
+			ARCH=$(ARCH_GNUEFI) TOPDIR=$(TOPDIR)/gnu-efi \
+			-f $(TOPDIR)/gnu-efi/Makefile \
+			clean ; \
+	fi
+
+clean-lib-objs:
+	@if [ -d lib ] ; then \
+		$(MAKE) -C lib TOPDIR=$(TOPDIR) -f $(TOPDIR)/lib/Makefile clean ; \
+	fi
 
 clean-shim-objs:
-	$(MAKE) -C lib -f $(TOPDIR)/lib/Makefile clean
 	@rm -rvf $(TARGET) *.o $(SHIM_OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb $(BOOTCSVNAME)
 	@rm -vf *.debug *.so *.efi *.efi.* *.tar.* version.c buildid
 	@rm -vf Cryptlib/*.[oa] Cryptlib/*/*.[oa]
 	@if [ -d .git ] ; then git clean -f -d -e 'Cryptlib/OpenSSL/*'; fi
 
 clean-openssl-objs:
-	$(MAKE) -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile clean
+	@if [ -d Cryptlib/OpenSSL ] ; then \
+		$(MAKE) -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile clean ; \
+	fi
 
 clean-cryptlib-objs:
-	$(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean
+	@if [ -d Cryptlib ] ; then \
+		$(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean ; \
+	fi
 
-clean: clean-shim-objs clean-test-objs clean-gnu-efi clean-openssl-objs clean-cryptlib-objs
+clean: clean-shim-objs clean-test-objs clean-gnu-efi clean-openssl-objs clean-cryptlib-objs clean-lib-objs
 
 GITTAG = $(VERSION)
 
diff -pruN 15.3-3/pe.c 15.4-0ubuntu7/pe.c
--- 15.3-3/pe.c	2021-03-23 18:39:44.000000000 +0000
+++ 15.4-0ubuntu7/pe.c	2021-03-30 20:55:03.000000000 +0000
@@ -1054,6 +1054,8 @@ handle_image (void *data, unsigned int d
 				SBATBase = base;
 				/* +1 because of size vs last byte location */
 				SBATSize = end - base + 1;
+				dprint(L"sbat section base:0x%lx size:0x%lx\n",
+				       SBATBase, SBATSize);
 			}
 		}
 
diff -pruN 15.3-3/sbat.c 15.4-0ubuntu7/sbat.c
--- 15.3-3/sbat.c	2021-03-23 18:39:44.000000000 +0000
+++ 15.4-0ubuntu7/sbat.c	2021-03-30 20:55:03.000000000 +0000
@@ -18,14 +18,20 @@ parse_sbat_section(char *section_base, s
 	size_t n;
 	char *strtab;
 
-	if (!section_base || !section_size || !n_entries || !entriesp)
+	if (!section_base || !section_size || !n_entries || !entriesp) {
+		dprint(L"section_base:0x%lx section_size:0x%lx\n",
+		       section_base, section_size);
+		dprint(L"n_entries:0x%lx entriesp:0x%lx\n",
+		       n_entries, entriesp);
 		return EFI_INVALID_PARAMETER;
+	}
 
 	INIT_LIST_HEAD(&csv);
 
 	efi_status =
 		parse_csv_data(section_base, end, SBAT_SECTION_COLUMNS, &csv);
 	if (EFI_ERROR(efi_status)) {
+		dprint(L"parse_csv_data failed: %r\n", efi_status);
 		return efi_status;
 	}
 
@@ -38,6 +44,8 @@ parse_sbat_section(char *section_base, s
 
 		if (row->n_columns < SBAT_SECTION_COLUMNS) {
 			efi_status = EFI_INVALID_PARAMETER;
+			dprint(L"row->n_columns:%lu SBAT_SECTION_COLUMNS:%lu\n",
+			       row->n_columns, SBAT_SECTION_COLUMNS);
 			goto err;
 		}
 
@@ -45,6 +53,7 @@ parse_sbat_section(char *section_base, s
 		allocsz += sizeof(struct sbat_section_entry);
 		for (i = 0; i < row->n_columns; i++) {
 			if (row->columns[i][0] == '\000') {
+				dprint(L"row[%lu].columns[%lu][0] == '\\000'\n", n, i);
 				efi_status = EFI_INVALID_PARAMETER;
 				goto err;
 			}
@@ -120,8 +129,8 @@ verify_single_entry(struct sbat_section_
 		sbat_var_gen = atoi((const char *)sbat_var_entry->component_generation);
 
 		if (sbat_gen < sbat_var_gen) {
-			dprint(L"component %a, generation %d, was revoked by SBAT variable",
-			       entry->component_name, sbat_gen);
+			dprint(L"component %a, generation %d, was revoked by %s variable\n",
+			       entry->component_name, sbat_gen, SBAT_VAR_NAME);
 			LogError(L"image did not pass SBAT verification\n");
 			return EFI_SECURITY_VIOLATION;
 		}
@@ -139,7 +148,7 @@ cleanup_sbat_var(list_t *entries)
 	list_for_each_safe(pos, tmp, entries) {
 		entry = list_entry(pos, struct sbat_var_entry, list);
 
-		if ((uintptr_t)entry < (uintptr_t)first && entry != NULL)
+		if (first == NULL || (uintptr_t)entry < (uintptr_t)first)
 			first = entry;
 
 		list_del(&entry->list);
@@ -157,7 +166,7 @@ verify_sbat_helper(list_t *local_sbat_va
 	struct sbat_var_entry *sbat_var_entry;
 
 	if (list_empty(local_sbat_var)) {
-		dprint(L"SBAT variable not present\n");
+		dprint(L"%s variable not present\n", SBAT_VAR_NAME);
 		return EFI_SUCCESS;
 	}
 
@@ -239,10 +248,10 @@ parse_sbat_var_data(list_t *entry_list,
 
 	INIT_LIST_HEAD(entry_list);
 
-	entries = (struct sbat_var_entry **)strtab;
-	strtab += sizeof(struct sbat_var_entry *) * n;
 	entry = (struct sbat_var_entry *)strtab;
 	strtab += sizeof(struct sbat_var_entry) * n;
+	entries = (struct sbat_var_entry **)strtab;
+	strtab += sizeof(struct sbat_var_entry *) * n;
 	n = 0;
 
 	list_for_each(pos, &csv) {
@@ -277,8 +286,10 @@ parse_sbat_var(list_t *entries)
 	UINTN datasize;
 	EFI_STATUS efi_status;
 
-	if (!entries)
+	if (!entries) {
+		dprint(L"entries is NULL\n");
 		return EFI_INVALID_PARAMETER;
+	}
 
 	efi_status = get_variable(SBAT_VAR_NAME, &data, &datasize, SHIM_LOCK_GUID);
 	if (EFI_ERROR(efi_status)) {
@@ -304,6 +315,14 @@ check_sbat_var_attributes(UINT32 attribu
 #endif
 }
 
+bool
+preserve_sbat_uefi_variable(UINT8 *sbat, UINTN sbatsize, UINT32 attributes)
+{
+	return check_sbat_var_attributes(attributes) &&
+	       sbatsize >= strlen(SBAT_VAR_SIG "1") &&
+	       !strncmp((const char *)sbat, SBAT_VAR_SIG, strlen(SBAT_VAR_SIG));
+}
+
 EFI_STATUS
 set_sbat_uefi_variable(void)
 {
@@ -316,19 +335,16 @@ set_sbat_uefi_variable(void)
 	efi_status = get_variable_attr(SBAT_VAR_NAME, &sbat, &sbatsize,
 				       SHIM_LOCK_GUID, &attributes);
 	/*
-	 * Always set the SBAT UEFI variable if it fails to read.
+	 * Always set the SbatLevel UEFI variable if it fails to read.
 	 *
-	 * Don't try to set the SBAT UEFI variable if attributes match and
-	 * the signature matches.
+	 * Don't try to set the SbatLevel UEFI variable if attributes match
+	 * and the signature matches.
 	 */
 	if (EFI_ERROR(efi_status)) {
 		dprint(L"SBAT read failed %r\n", efi_status);
-	} else if (check_sbat_var_attributes(attributes) &&
-		   sbatsize >= strlen(SBAT_VAR_SIG "1") &&
-		   strncmp((const char *)sbat, SBAT_VAR_SIG,
-	                   strlen(SBAT_VAR_SIG))) {
-		dprint("SBAT variable is %d bytes, attributes are 0x%08x\n",
-		       sbatsize, attributes);
+	} else if (preserve_sbat_uefi_variable(sbat, sbatsize, attributes)) {
+		dprint(L"%s variable is %d bytes, attributes are 0x%08x\n",
+		       SBAT_VAR_NAME, sbatsize, attributes);
 		FreePool(sbat);
 		return EFI_SUCCESS;
 	} else {
@@ -341,7 +357,8 @@ set_sbat_uefi_variable(void)
 		efi_status = set_variable(SBAT_VAR_NAME, SHIM_LOCK_GUID,
 		                          attributes, 0, "");
 		if (EFI_ERROR(efi_status)) {
-			dprint(L"SBAT variable delete failed %r\n", efi_status);
+			dprint(L"%s variable delete failed %r\n", SBAT_VAR_NAME,
+					efi_status);
 			return efi_status;
 		}
 	}
@@ -350,7 +367,8 @@ set_sbat_uefi_variable(void)
 	efi_status = set_variable(SBAT_VAR_NAME, SHIM_LOCK_GUID, SBAT_VAR_ATTRS,
 	                          sizeof(SBAT_VAR)-1, SBAT_VAR);
 	if (EFI_ERROR(efi_status)) {
-		dprint(L"SBAT variable writing failed %r\n", efi_status);
+		dprint(L"%s variable writing failed %r\n", SBAT_VAR_NAME,
+				efi_status);
 		return efi_status;
 	}
 
@@ -358,7 +376,7 @@ set_sbat_uefi_variable(void)
 	efi_status = get_variable(SBAT_VAR_NAME, &sbat, &sbatsize,
 				  SHIM_LOCK_GUID);
 	if (EFI_ERROR(efi_status)) {
-		dprint(L"SBAT read failed %r\n", efi_status);
+		dprint(L"%s read failed %r\n", SBAT_VAR_NAME, efi_status);
 		return efi_status;
 	}
 
@@ -368,7 +386,7 @@ set_sbat_uefi_variable(void)
 		       strlen(SBAT_VAR));
 		efi_status = EFI_INVALID_PARAMETER;
 	} else {
-		dprint(L"SBAT variable initialization succeeded\n");
+		dprint(L"%s variable initialization succeeded\n", SBAT_VAR_NAME);
 	}
 
 	FreePool(sbat);
diff -pruN 15.3-3/shim.c 15.4-0ubuntu7/shim.c
--- 15.3-3/shim.c	2021-03-23 18:39:44.000000000 +0000
+++ 15.4-0ubuntu7/shim.c	2021-03-30 20:55:03.000000000 +0000
@@ -1895,7 +1895,7 @@ efi_main (EFI_HANDLE passed_image_handle
 		L"shim_init() failed",
 		L"import of SBAT data failed",
 		L"SBAT self-check failed",
-		L"SBAT UEFI variable setting failed",
+		SBAT_VAR_NAME L" UEFI variable setting failed",
 		NULL
 	};
 	enum {
@@ -1935,12 +1935,12 @@ efi_main (EFI_HANDLE passed_image_handle
 
 	efi_status = set_sbat_uefi_variable();
 	if (EFI_ERROR(efi_status) && secure_mode()) {
-		perror(L"SBAT variable initialization failed\n");
+		perror(L"%s variable initialization failed\n", SBAT_VAR_NAME);
 		msg = SET_SBAT;
 		goto die;
 	} else if (EFI_ERROR(efi_status)) {
-		dprint(L"SBAT variable initialization failed: %r\n",
-		       efi_status);
+		dprint(L"%s variable initialization failed: %r\n",
+		       SBAT_VAR_NAME, efi_status);
 	}
 
 	if (secure_mode()) {
@@ -1950,19 +1950,20 @@ efi_main (EFI_HANDLE passed_image_handle
 		INIT_LIST_HEAD(&sbat_var);
 		efi_status = parse_sbat_var(&sbat_var);
 		if (EFI_ERROR(efi_status)) {
-			perror(L"Parsing SBAT variable failed: %r\n",
-				efi_status);
+			perror(L"Parsing %s variable failed: %r\n",
+				SBAT_VAR_NAME, efi_status);
 			msg = IMPORT_SBAT;
 			goto die;
 		}
 
-		efi_status = handle_sbat(sbat_start, sbat_end - sbat_start);
+		efi_status = handle_sbat(sbat_start, sbat_end - sbat_start - 1);
 		if (EFI_ERROR(efi_status)) {
 			perror(L"Verifiying shim SBAT data failed: %r\n",
 			       efi_status);
 			msg = SBAT_SELF_CHECK;
 			goto die;
 		}
+		dprint(L"SBAT self-check succeeded\n");
 	}
 
 	init_openssl();
diff -pruN 15.3-3/test-sbat.c 15.4-0ubuntu7/test-sbat.c
--- 15.3-3/test-sbat.c	2021-03-23 18:39:44.000000000 +0000
+++ 15.4-0ubuntu7/test-sbat.c	2021-03-30 20:55:03.000000000 +0000
@@ -319,6 +319,7 @@ test_parse_sbat_section_too_many_elem(vo
 	struct sbat_section_entry *test_entries[] = {
 		&test_section_entry1, &test_section_entry2,
 	};
+	int rc = -1;
 
 	status = parse_sbat_section(section_base, section_size, &n, &entries);
 	assert_equal_return(status, EFI_SUCCESS, -1, "got %#hhx expected %#hhx\n");
@@ -341,10 +342,10 @@ test_parse_sbat_section_too_many_elem(vo
 #undef mkassert
 	}
 	assert_equal_goto(n, 2, fail, "got %zu expected %d\n");
-	return 0;
+	rc = 0;
 fail:
 	cleanup_sbat_section_entries(n, entries);
-	return -1;
+	return rc;
 }
 
 /*
@@ -439,14 +440,19 @@ test_verify_sbat_null_sbat_section(void)
 	list_t test_sbat_var;
 	size_t n = 0;
 	struct sbat_section_entry **entries = NULL;
+	int rc = -1;
 
 	INIT_LIST_HEAD(&test_sbat_var);
 	status = parse_sbat_var_data(&test_sbat_var, sbat_var_data, sizeof(sbat_var_data));
-	assert_equal_return(status, EFI_SUCCESS, -1, "got %#x expected %#x\n");
+	assert_equal_goto(status, EFI_SUCCESS, err, "got %#x expected %#x\n");
 
-	status = verify_sbat_helper(&sbat_var, n, entries);
-	assert_equal_return(status, EFI_SUCCESS, -1, "got %#x expected %#x\n");
-	return 0;
+	status = verify_sbat_helper(&test_sbat_var, n, entries);
+	assert_equal_goto(status, EFI_SUCCESS, err, "got %#x expected %#x\n");
+	rc = 0;
+err:
+	cleanup_sbat_var(&test_sbat_var);
+
+	return rc;
 }
 
 #if 0
@@ -902,6 +908,7 @@ test_parse_and_verify(void)
 	struct sbat_section_entry *test_entries[] = {
 		&test_section_entry1, &test_section_entry2,
 	};
+	int rc = -1;
 
 	status = parse_sbat_section(sbat_section, sizeof(sbat_section)-1,
 	                            &n_section_entries, &section_entries);
@@ -940,16 +947,71 @@ test_parse_and_verify(void)
 
 	INIT_LIST_HEAD(&sbat_var);
 	status = parse_sbat_var_data(&sbat_var, sbat_var_alloced, sbat_var_data_size);
+	free(sbat_var_alloced);
 	if (status != EFI_SUCCESS || list_empty(&sbat_var))
 		return -1;
 
 	status = verify_sbat(n_section_entries, section_entries);
+	assert_equal_goto(status, EFI_SECURITY_VIOLATION, err, "expected %#x got %#x\n");
 
-	assert_equal_return(status, EFI_SECURITY_VIOLATION, -1, "expected %#x got %#x\n");
-	cleanup_sbat_var(&sbat_var);
+	rc = 0;
+err:
 	cleanup_sbat_section_entries(n_section_entries, section_entries);
+	cleanup_sbat_var(&sbat_var);
 
-	return 0;
+	return rc;
+}
+
+int
+test_preserve_sbat_uefi_variable_good(void)
+{
+	char sbat[] = "sbat,1,\ncomponent,2,\n";
+	size_t sbat_size = sizeof(sbat);
+	UINT32 attributes = SBAT_VAR_ATTRS;
+
+	if (preserve_sbat_uefi_variable(sbat, sbat_size, attributes))
+		return 0;
+	else
+		return -1;
+}
+
+int
+test_preserve_sbat_uefi_variable_bad_sig(void)
+{
+	char sbat[] = "bad_sig,1,\ncomponent,2,\n";
+	size_t sbat_size = sizeof(sbat);
+	UINT32 attributes = SBAT_VAR_ATTRS;
+
+	if (preserve_sbat_uefi_variable(sbat, sbat_size, attributes))
+		return -1;
+	else
+		return 0;
+}
+
+int
+test_preserve_sbat_uefi_variable_bad_attr(void)
+{
+	char sbat[] = "sbat,1,\ncomponent,2,\n";
+	size_t sbat_size = sizeof(sbat);
+	UINT32 attributes = 0;
+
+	if (preserve_sbat_uefi_variable(sbat, sbat_size, attributes))
+		return -1;
+	else
+		return 0;
+}
+
+int
+test_preserve_sbat_uefi_variable_bad_short(void)
+{
+	char sbat[] = "sba";
+	size_t sbat_size = sizeof(sbat);
+	UINT32 attributes = SBAT_VAR_ATTRS;
+
+	if (preserve_sbat_uefi_variable(sbat, sbat_size, attributes))
+		return -1;
+	else
+		return 0;
 }
 
 int
@@ -989,6 +1051,11 @@ main(void)
 #endif
 	test(test_parse_and_verify);
 
+	test(test_preserve_sbat_uefi_variable_good);
+	test(test_preserve_sbat_uefi_variable_bad_sig);
+	test(test_preserve_sbat_uefi_variable_bad_attr);
+	test(test_preserve_sbat_uefi_variable_bad_short);
+
 	return 0;
 }