Update shim to v15.8

[christopherco]

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

• The toolchain has been rebuilt successfully (or no changes were made to it)
• The toolchain/worker package manifests are up-to-date
• Any updated packages successfully build (or no packages were changed)
• Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
• Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
• All package sources are available
• cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
• LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
• All source files have up-to-date hashes in the *.signatures.json files
• sudo make go-tidy-all and sudo make go-test-coverage pass
• Documentation has been updated to match any changes to the build system
• Ready to merge

---

Summary

Update the Azure Linux 3.0 shim to the latest version v15.8.
This change also adds MOK Manager (mm) support for allowing users to enroll their own keys into the system.
We do build fallback.efi as well, but for Azure Linux 3.0, we will not be utilizing it in order to keep consistency with our 3.0 preview and previous offerings. We will re-evaluate bringing in fallback.efi in the next major OS release.
Additionally, this new shim embeds our updated Azure Linux Trusted Base CA certificate.
This update also includes the signed shim and mm binaries into the "shim" package for wider use.
We also deprecate the previous "shim-unsigned" package as it is no longer needed, and we update the references in the ARM64 image definitions to the "shim" package.
Finally, the change bumps the grub package to ensure it gets signed with the newer key and the RPM dependencies are set such that this shim and grub should update together.

Signed-off-by: Chris Co chrco@microsoft.com

Does this affect the toolchain?

NO

Associated issues

• https://microsoft.visualstudio.com/OS/_workitems/edit/48576481
• Supersedes Chrco/shim 15 8 #10903 and Update shim to 15.8 #8406

Test Methodology

• Pipeline build id: 672965
• Image Test build: 673763
  • shim boots as expected when Microsoft UEFI CA is selected as certificate. Expected for grub binary to not boot since it is not signed in test build. On ISO, MOK does not boot as expected since toolkit changes are needed to add mm.efi to the ISO. On standard images, MOK does get verified correctly and boots to allow enrolling keys and hashes.
  • images and ISO boots (and installs in case of ISO) successfully when secure boot is disabled.

[manuelh-dev]

Just a q: Here, for the aarch64 case, we intentionally want azurelinux?

[rlmenge]

Both shim-unsigned-x64.spec and shim-unsigned-aarch64.spec use %global efidir azurelinux. Unclear if this is still intentional as it matches how other distros offer shim but does not match our shim.spec now.

Our actual signed shim rpm (from shim.spec) still uses the old file paths /boot/efi/EFI/BOOT/boot{arch}.efi as of commit 93c34aa

[manuelh-dev]

Renders empty to me. Probably want to list the patch files listed above. I know the PR is not ready for review. Just pre-emptively iterating over it.

[manuelh-dev]

None of the patches required any more due to version bumps, thus empty?

[rlmenge]

looks to be an artifact from using the fedora spec :) 73c0c00