From 5431e42a3e1cb1b4a31817558269e63e685b8ad2 Mon Sep 17 00:00:00 2001 From: Dimitri John Ledkov Date: Fri, 26 Feb 2021 23:12:20 +0000 Subject: [PATCH 1/5] Implement shim fallback support. Signed-off-by: Oliver Calder --- gadget/gadget-amd64.yaml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/gadget/gadget-amd64.yaml b/gadget/gadget-amd64.yaml index 51ea32a..79d03f8 100644 --- a/gadget/gadget-amd64.yaml +++ b/gadget/gadget-amd64.yaml @@ -29,10 +29,18 @@ volumes: update: edition: 2 content: + - source: shim.efi.signed + target: EFI/BOOT/BOOTX64.efi + - source: fbx64.efi + target: EFI/BOOT/fbx64.efi + - source: BOOTX64.CSV + target: EFI/ubuntu/BOOTX64.CSV - source: grubx64.efi - target: EFI/boot/grubx64.efi + target: EFI/ubuntu/grubx64.efi + - source: mmx64.efi + target: EFI/ubuntu/mmx64.efi - source: shim.efi.signed - target: EFI/boot/bootx64.efi + target: EFI/ubuntu/shimx64.efi - name: ubuntu-boot role: system-boot filesystem: ext4 From 3a0e8d3491d2479b9350e9e6ed7ed0d0fed0117e Mon Sep 17 00:00:00 2001 From: Oliver Calder Date: Mon, 25 Sep 2023 00:23:23 -0500 Subject: [PATCH 2/5] Implement shim fallback support for aa64. Signed-off-by: Oliver Calder --- gadget/gadget-arm64.yaml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/gadget/gadget-arm64.yaml b/gadget/gadget-arm64.yaml index a87bc11..270e410 100644 --- a/gadget/gadget-arm64.yaml +++ b/gadget/gadget-arm64.yaml @@ -13,10 +13,18 @@ volumes: update: edition: 2 content: + - source: shim.efi.signed + target: EFI/BOOT/BOOTAA64.efi + - source: fbaa64.efi + target: EFI/BOOT/fbaa64.efi + - source: BOOTAA64.CSV + target: EFI/ubuntu/BOOTAA64.CSV - source: grubaa64.efi - target: EFI/boot/grubaa64.efi + target: EFI/ubuntu/grubaa64.efi + - source: mmaa64.efi + target: EFI/ubuntu/mmaa64.efi - source: shim.efi.signed - target: EFI/boot/bootaa64.efi + target: EFI/ubuntu/shimaa64.efi - name: ubuntu-boot role: system-boot filesystem: ext4 
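Review bot: `update: edition: 2` is left unchanged in this hunk's context even though the `content` list of the structure ahead of `ubuntu-boot` is rewritten (shim to `EFI/BOOT/BOOTX64.efi`, with grub, mm, shim and the CSV under `EFI/ubuntu/`). snapd rewrites a structure's content on gadget refresh only when its edition is higher than the installed one, so if deployed devices are meant to pick up the fallback layout this should become `edition: 3`; as written, only fresh installs appear to get it. The same applies to the `gadget-arm64.yaml` hunk in patch 2/5. If keeping the edition is deliberate, a comment such as `# edition not bumped: new layout applies to fresh installs only` above `update:` would record that. The structure's definition starts above the hunk, so its name and role are not visible here.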
From b4197ab513c12d95782b4eb1994693cc5ab59091 Mon Sep 17 00:00:00 2001 From: Oliver Calder Date: Tue, 26 Sep 2023 10:34:22 -0500 Subject: [PATCH 3/5] set up `fb${arch}.efi`, `mm${arch}.efi`, and `BOOT${arch}.CSV` correctly Signed-off-by: Oliver Calder --- snapcraft.yaml | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/snapcraft.yaml b/snapcraft.yaml index 2309b20..e07ea8f 100644 --- a/snapcraft.yaml +++ b/snapcraft.yaml 
@@ -52,27 +52,44 @@ parts: grub_target=x86_64 grub_bin=grubx64.efi.signed shim_bin=shimx64.efi.dualsigned + fb_bin=fbx64.efi + mm_bin=mmx64.efi + boot_csv=BOOTX64.CSV if [ "$CRAFT_TARGET_ARCH" = arm64 ]; then grub_target=arm64 grub_bin=grubaa64.efi.signed shim_bin=shimaa64.efi.dualsigned + fb_bin=fbaa64.efi + mm_bin=mmaa64.efi + boot_csv=BOOTAA64.CSV fi # Make sure we have signatures from the UC certificates shim_path="$CRAFT_PART_INSTALL"/usr/lib/shim/$shim_bin grub_path="$CRAFT_PART_INSTALL"/usr/lib/grub/"$grub_target"-efi-signed/$grub_bin + fb_path="$CRAFT_PART_INSTALL"/usr/lib/shim/$fb_bin + mm_path="$CRAFT_PART_INSTALL"/usr/lib/shim/$mm_bin + csv_path="$CRAFT_PART_INSTALL"/usr/lib/shim/$boot_csv #sbverify --list "$shim_path" | grep -E 'Canonical Ltd. Secure Boot Signing \(Ubuntu Core' #sbverify --list "$grub_path" | grep -E 'Canonical Ltd. Secure Boot Signing \(Ubuntu Core' + #sbverify --list "$fb_path" | grep -E 'Canonical Ltd. Secure Boot Signing \(Ubuntu Core' + #sbverify --list "$mm_path" | grep -E 'Canonical Ltd. 
Secure Boot Signing \(Ubuntu Core' - # Move shim/grub to the expected path + # Move assets to the expected paths install -m 644 "$shim_path" "$CRAFT_PART_INSTALL"/shim.efi.signed install -m 644 "$grub_path" "$CRAFT_PART_INSTALL"/${grub_bin%.signed} + install -m 644 "$fb_path" "$CRAFT_PART_INSTALL"/$fb_bin + install -m 644 "$mm_path" "$CRAFT_PART_INSTALL"/$mm_bin + install -m 644 "$csv_path" "$CRAFT_PART_INSTALL"/$boot_csv # Remove all the bits we do not need, keeping changelogs and copyrights # (using organize/prime is not possible due to different names per arch - x64/aa64) find "$CRAFT_PART_INSTALL"/ -type f,l \ -not -path "$SNAPCRAFT_PART_INSTALL"/shim.efi.signed \ -not -path "$SNAPCRAFT_PART_INSTALL"/${grub_bin%.signed} \ + -not -path "$SNAPCRAFT_PART_INSTALL"/$fb_bin \ + -not -path "$SNAPCRAFT_PART_INSTALL"/$mm_bin \ + -not -path "$SNAPCRAFT_PART_INSTALL"/$boot_csv \ -not -path "$SNAPCRAFT_PART_INSTALL"/usr/share/doc/grub-efi-$CRAFT_TARGET_ARCH-signed/'*' \ -and -not -path "$SNAPCRAFT_PART_INSTALL"/'usr/share/doc/shim-signed/*' \ -delete From 7538629c6c8c6bdb58e4e2dde48c333484053126 Mon Sep 17 00:00:00 2001 From: Oliver Calder Date: Tue, 26 Sep 2023 10:49:34 -0500 Subject: [PATCH 4/5] assume snapd 2.61 for handling assets in /EFI/ubuntu Signed-off-by: Oliver Calder --- snapcraft.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/snapcraft.yaml b/snapcraft.yaml index e07ea8f..ae94c1e 100644 --- a/snapcraft.yaml +++ b/snapcraft.yaml @@ -25,9 +25,9 @@ hooks: # DO NOT check this API key into a publicly accessible VCS MODEL_APIKEY: "" -# Min version to support shim 15.7 +# Min version to support shim 15.7 and assets in /EFI/ubuntu assumes: - - snapd2.59.3 + - snapd2.61 parts: mbr: From d38d6a6a0d054ec52e5963e4fabc44780def4ba1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alfonso=20S=C3=A1nchez-Beato?= Date: Fri, 7 Jul 2023 17:08:09 +0100 Subject: [PATCH 5/5] gadget: remove shim from boot partition As it is not really used at all from there. 
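Review bot: The two added `sbverify --list` lines for `$fb_path` and `$mm_path` are commented out, like the existing shim and grub checks, so this step installs the fallback and MokManager binaries without confirming which certificate signed them. Either enable the checks so the build fails on an unexpectedly signed binary, or record why they are disabled, e.g. `# sbverify checks disabled: <reason>`. Separately, the new exclusions `-not -path "$SNAPCRAFT_PART_INSTALL"/$fb_bin` (likewise for `$mm_bin` and `$boot_csv`) use a different variable from the `find "$CRAFT_PART_INSTALL"/` root. If `SNAPCRAFT_PART_INSTALL` is unset on the build base, the exclusions match nothing and `-delete` removes the files just installed, so `-not -path "$CRAFT_PART_INSTALL"/"$fb_bin"` would be safer. The script body begins above the hunk, so any earlier `set -e` or variable aliasing is not visible here.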
Signed-off-by: Oliver Calder --- gadget/gadget-amd64.yaml | 2 -- gadget/gadget-arm64.yaml | 2 -- 2 files changed, 4 deletions(-) diff --git a/gadget/gadget-amd64.yaml b/gadget/gadget-amd64.yaml index 79d03f8..469eb92 100644 --- a/gadget/gadget-amd64.yaml +++ b/gadget/gadget-amd64.yaml @@ -52,8 +52,6 @@ volumes: content: - source: grubx64.efi target: EFI/boot/grubx64.efi - - source: shim.efi.signed - target: EFI/boot/bootx64.efi - name: ubuntu-save role: system-save filesystem: ext4 diff --git a/gadget/gadget-arm64.yaml b/gadget/gadget-arm64.yaml index 270e410..1534405 100644 --- a/gadget/gadget-arm64.yaml +++ b/gadget/gadget-arm64.yaml @@ -36,8 +36,6 @@ volumes: content: - source: grubaa64.efi target: EFI/boot/grubaa64.efi - - source: shim.efi.signed - target: EFI/boot/bootaa64.efi - name: ubuntu-save role: system-save filesystem: ext4