From 0166e422611ed7a2d7fec1a60a94a9e1461e5e68 Mon Sep 17 00:00:00 2001
From: James Le Cuirot <jlecuirot@microsoft.com>
Date: Thu, 12 Feb 2026 18:00:36 +0000
Subject: [PATCH] sys-boot/shim: Version bump to 16.1

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
---
 .../coreos-overlay/sys-boot/shim/Manifest     |  2 +-
 .../sys-boot/shim/shim-15.8-r3.ebuild         | 73 -------------------
 .../sys-boot/shim/shim-16.1.ebuild            | 48 ++++++++++++
 3 files changed, 49 insertions(+), 74 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.8-r3.ebuild
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-16.1.ebuild

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/Manifest
index aeb21c8d0a..14c90a2ca8 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/Manifest
@@ -1 +1 @@
-DIST shim-15.8.tar.bz2 2315201 BLAKE2B 24da29cf45a08bceffc15682fcdd16e34e42d3b33f2a0b2e528193d8e3455a034b6242c13cebf43db481f73a83329effd9812f0d1e04861ecf7329e54f9059b9 SHA512 30b3390ae935121ea6fe728d8f59d37ded7b918ad81bea06e213464298b4bdabbca881b30817965bd397facc596db1ad0b8462a84c87896ce6c1204b19371cd1
+DIST shim-16.1.tar.bz2 2348998 BLAKE2B f2aef8d1e8cbd65c911133807747b1f654ebbde465db8ed21d39825af4ec898e937bf35e2e77f59a76cdcdaa45873bc0f9dfbfa33f6acbbc6db8e5f689847841 SHA512 ca5f80e82f3b80b622028f03ef23105c98ee1b6a25f52a59c823080a3202dd4b9962266489296e99f955eb92e36ce13e0b1d57f688350006bba45f2718f159fb
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.8-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.8-r3.ebuild
deleted file mode 100644
index c2cd0941b4..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.8-r3.ebuild
+++ /dev/null
@@ -1,73 +0,0 @@
-# Copyright 2015 CoreOS, Inc.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-inherit multilib
-
-DESCRIPTION="UEFI Shim loader"
-HOMEPAGE="https://github.com/rhboot/shim"
-SRC_URI="https://github.com/rhboot/shim/releases/download/${PV}/shim-${PV}.tar.bz2"
-KEYWORDS="amd64 arm64"
-
-LICENSE="BSD"
-SLOT="0"
-IUSE="official"
-
-RDEPEND=""
-# TODO: Would be ideal to depend on sys-boot/gnu-efi package, but
-# currently the shim insists on using the bundled copy. This will need
-# to be addressed by patching this check out after making sure that
-# our copy of gnu-efi is as usable as the bundled one.
-DEPEND="
-  dev-libs/openssl
-  coreos-base/coreos-sb-keys
-"
-
-PATCHES=(
-	"${FILESDIR}/0001-Fix-parallel-build-of-gnu-efi.patch"
-	"${FILESDIR}/0002-Fix-build-with-binutils-2-46.patch"
-)
-
-src_compile() {
-  local emake_args=(
-    CROSS_COMPILE="${CHOST}-"
-  )
-
-  sed -e "s/@@VERSION@@/${PVR}/" "${FILESDIR}"/sbat.csv.in >"${WORKDIR}/sbat.csv" || die
-
-  # Apparently our environment already has the ARCH variable in
-  # it, and Makefile picks it up instead of figuring it out
-  # itself with the compiler -dumpmachine flag. But also it
-  # expects a different format of the values. It wants x86_64
-  # instead of amd64, and aarch64 instead of arm64.
-  if use amd64; then
-    emake_args+=( ARCH=x86_64 )
-  elif use arm64; then
-    emake_args+=( ARCH=aarch64 )
-  fi
-  emake_args+=( ENABLE_SBSIGN=1 )
-  emake_args+=( SBATPATH="${WORKDIR}/sbat.csv" )
-
-  if use official; then
-    if [ -z "${SHIM_SIGNING_CERTIFICATE}" ]; then
-      die "use production flag needs env SHIM_SIGNING_CERTIFICATE"
-    fi
-    emake_args+=( VENDOR_CERT_FILE="${SHIM_SIGNING_CERTIFICATE}" )
-  else
-    emake_args+=( VENDOR_CERT_FILE="/usr/share/sb_keys/shim.der" )
-  fi
-  emake "${emake_args[@]}" || die
-}
-
-src_install() {
-  local suffix
-  suffix=''
-  if use amd64; then
-    suffix=x64
-  elif use arm64; then
-    suffix=aa64
-  fi
-  insinto /usr/lib/shim
-  newins "shim${suffix}.efi" "shim${suffix}.efi"
-  newins "mm${suffix}.efi" "mm${suffix}.efi"
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-16.1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-16.1.ebuild
new file mode 100644
index 0000000000..8607c621c4
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-16.1.ebuild
@@ -0,0 +1,48 @@
+# Copyright 2015 CoreOS, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DESCRIPTION="UEFI Shim loader"
+HOMEPAGE="https://github.com/rhboot/shim"
+SRC_URI="https://github.com/rhboot/shim/releases/download/${PV}/shim-${PV}.tar.bz2"
+KEYWORDS="amd64 arm64"
+
+LICENSE="BSD"
+SLOT="0"
+IUSE="official"
+
+# TODO: Would be ideal to depend on sys-boot/gnu-efi package, but
+# currently the shim insists on using the bundled copy. This will need
+# to be addressed by patching this check out after making sure that
+# our copy of gnu-efi is as usable as the bundled one.
+DEPEND="
+	dev-libs/openssl
+"
+BDEPEND="
+	coreos-base/coreos-sb-keys
+"
+
+PATCHES=(
+	"${FILESDIR}/0001-Fix-parallel-build-of-gnu-efi.patch"
+	"${FILESDIR}/0002-Fix-build-with-binutils-2-46.patch"
+)
+
+src_compile() {
+	use official && [[ -z ${SHIM_SIGNING_CERTIFICATE} ]] &&
+		die "USE=official but SHIM_SIGNING_CERTIFICATE environment variable is unset"
+
+	sed -e "s/@@VERSION@@/${PVR}/" "${FILESDIR}"/sbat.csv.in >"${WORKDIR}/sbat.csv" || die
+
+	unset ARCH
+	emake \
+		CROSS_COMPILE="${CHOST}-" \
+		ENABLE_SBSIGN=1 \
+		SBATPATH="${WORKDIR}"/sbat.csv \
+		VENDOR_CERT_FILE=$(usex official "${SHIM_SIGNING_CERTIFICATE}" "${BROOT}"/usr/share/sb_keys/shim.der)
+}
+
+src_install() {
+	insinto /usr/lib/shim
+	doins shim?*.efi mm?*.efi
+}