Initial review for el9 aarch64 shim submission

Dockerfile

@@ -0,0 +1,41 @@
+# Container to build CIQ's patched shim in a reproducible way
+#
+# It inserts a static repo for buildtime deps, then performs the rpmbuild/compilation, then outputs a comparison of binaries
+# 
+# Build and tag locally with:   docker build --tag ciq-shim-review:9 ./
+#
+
+FROM --platform=linux/arm64 rockylinux/rockylinux:9.2 AS arm64
+ENV EL_PLATFORM el9
+ENV shim_release 15.8-0.$EL_PLATFORM
+
+# Copy and extract src rpm and macros, modify setarch in spec file because 32-bit mod is not allowed inside containers:
+COPY rpmmacros  /root/.rpmmacros
+COPY shim-unsigned-aarch64-$shim_release.src.rpm /root
+RUN rpm -ivh /root/shim-unsigned-aarch64-$shim_release.src.rpm
+
+# already-built shim binaries for comparison:
+COPY shimaa64.efi /
+
+# Remove all repos, and point *only* to our static one with the necessary BuildRequires
+# We don't want to contaminate the build with anything different - it must be reproducible
+RUN rm -f /etc/yum.repos.d/*.repo
+COPY ciq_static_shim.repo  /etc/yum.repos.d/
+
+# Install necessary packages, and run the build:
+RUN dnf -y install dnf-plugins-core rpm-build;  dnf -y  builddep /builddir/build/SPECS/shim-unsigned-aarch64.spec
+RUN rpmbuild -bb /builddir/build/SPECS/shim-unsigned-aarch64.spec
+
+
+# Put resulting RPM in a temp folder (optionally mounted on host system for extraction)
+RUN mkdir -p /shim_result
+RUN rpm2cpio /builddir/build/RPMS/aarch64/shim-unsigned-aarch64-$shim_release.aarch64.rpm | cpio -diu -D /shim_result
+
+
+
+# Insert shim-compare.sh script and run
+COPY shim-compare.sh  /root
+RUN chmod 0755 /root/shim-compare.sh;  /root/shim-compare.sh
+
+
+

ciq_sb_ca.cer

@@ -0,0 +1,38 @@
+-----BEGIN CERTIFICATE-----
+MIIGjTCCBHWgAwIBAgIQfFHVzML9szKBDVE2GPxNATANBgkqhkiG9w0BAQwFADBl
+MQswCQYDVQQGEwJVUzEPMA0GA1UECBMGTmV2YWRhMQ0wCwYDVQQHEwRSZW5vMRYw
+FAYDVQQKEw1DdHJsIElRLCBJbmMuMR4wHAYDVQQDExVDdHJsIElRLCBJbmMuIFJv
+b3QgQ0EwHhcNMjMwNDIxMTUwOTMwWhcNNDgwNDIwMjM1OTU5WjBoMQswCQYDVQQG
+EwJVUzEPMA0GA1UECBMGTmV2YWRhMQ0wCwYDVQQHEwRSZW5vMRYwFAYDVQQKEw1D
+dHJsIElRLCBJbmMuMSEwHwYDVQQDExhDdHJsIElRLCBJbmMuIElzc3VpbmcgQ0Ew
+ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC6FonbLsKcNGwYsezQGazS
++R5rAq2fRVGbI5VzQmL6AjZ7gy4x7ovV7nW232GRSJM1cZmpXq9BgYprrkstsr7A
+LtgXCVQqwup0X38embgXoJr8rq2iE5O9ESIgaAIulxJPCRtzPa4G6SWDxt+t9TYB
+uJlJktC6ZscodPfT+JPZ6jS9b1t2gKmbn24N7O4UlP4FzVhYKdR+k8eNuDChZBsd
+tlXKA2Y/i+Dsg1bbcTdQ4lv8BCF3S7SyPoreCXZuKyyesWfchJv5++f4Pu4P6qsg
+RnFiRHT5xVKmoIzDZHsHvZh4BWzkFwlUq5zmrT+3bQcangJMv+S31gkSW1RUlrz4
+z3y/rex5127Ww7TEdFd5zo4jqQtYduh7MSQMgMUgvYC7SCwHWZIrCb/9MilU/PCz
+npRZkQk57oy7QXqFaegsSMeFzgITBL3MRvEStBQuD9rq1SQHjwpKNiDVGgVPuc8z
+xHV1zm9LXWhWwM/2pBdbv8eCxyzuYJJIOxNIdtAmyPbgt4U9/XD4lg4RQtOHrv0D
+dDgghhRkVGHCVPA3kqyXoA19p1tJPJj9mesI8M0HVeIWtO1SH8/9wRIGgE+Zy/pl
+JaeQuo3m+J6H+SKFLmlnDPYVSSRVPmePdK3WJEw+c0ZJtosnVDPrH1X9vavYsKjE
+4rLiuYMvZS/toyl1y1q3hwIDAQABo4IBNDCCATAwHwYDVR0jBBgwFoAU3EXJ+n9i
+o/keZA3WIBYE5nxfhm4wDgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8C
+AQAwRgYDVR0fBD8wPTA7oDmgN4Y1aHR0cDovL2NybC5lbnRlcnByaXNlLnNlY3Rp
+Z28uY29tL0N0cmxJUUluY1Jvb3RDQS5jcmwwgYEGCCsGAQUFBwEBBHUwczBBBggr
+BgEFBQcwAoY1aHR0cDovL2NydC5lbnRlcnByaXNlLnNlY3RpZ28uY29tL0N0cmxJ
+UUluY1Jvb3RDQS5jcnQwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmVudGVycHJp
+c2Uuc2VjdGlnby5jb20wHQYDVR0OBBYEFJMirmCI7u+In58FqnNCnS8Ih6nNMA0G
+CSqGSIb3DQEBDAUAA4ICAQCHYZbCwJNFeNIUnE5ntRVjpr8rFU4/sdXy6g6Yyxji
+0altfBVJ57pNHCIsPoxabdQvNEHu2IL2PYXac/RGbWYf5V8jnJzJ32Vjng/+VhGw
+JUSWJpq1Pxl5ZlOHrCOEsVep1n6EAIr2TlVnCdDS9HBvjBIvDxKoVw1UJxVAXENb
+L38fte4AHVo4Y5BIbZc2ONPrMxzpqf+b7tTH3I8Gnz9a4TcqdIxj+DAE5jqNmxxi
+gSVYXSsWczgIbuZc1MdWvRhYauW4wUaEASyRRJjVptdN4qlmpiHauvBssvvHC/bm
+FKGLy8jMexcFhN8Wwd9yT2fjA3+GSokQ1FgvU2ws/2SwxwOWyAgllAOI47dPnTcF
+Ec/h3hJT6gPzvJvpO6l2iUOmoPEHYfbmmCVguze42WFSKj/WktAu+DHb8jCkk7pq
+cj/JOuNzjTiofkl9oiG4tkNu6IMGSG0Q4YSk9VDpPfKlmDdNveoDUVdIHY5eaaoS
+XoYwxhE9fhrMgmNG9uv+yp25PajIQRH6+u5LqUrmKJdQP7+uoz9zRWRLEIFZ7Bry
+n83P6JZBQ58KhXV9HdhORHVvkSUjb0BWrTfgCjXDGhZpvX3II/6kuRn3fR1R/a+t
+Z/N3lf2StJECyfe41VJrsFU27A7OqixQWFD5KUgUjvpXBbIk27klrgq4kuz4RIL8
+vQ==
+-----END CERTIFICATE-----

ciq_static_shim.repo

@@ -0,0 +1,21 @@
+[rocky-appstream-92]
+name=Rocky Linux 9.2 AppStream
+baseurl=https://dl.rockylinux.org/vault/rocky/9.2/AppStream/aarch64/os/
+gpgcheck=1
+enabled=1
+gpgkey=https://dl.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-9
+
+[rocky-baseos-92]
+name=Rocky Linux 9.2 BaseOS
+baseurl=https://dl.rockylinux.org/vault/rocky/9.2/BaseOS/aarch64/os/
+gpgcheck=1
+enabled=1
+gpgkey=https://dl.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-9
+
+[rocky-crb-92]
+name=Rocky Linux 9.2 CRB
+baseurl=https://dl.rockylinux.org/vault/rocky/9.2/CRB/aarch64/os/
+gpgcheck=1
+enabled=1
+gpgkey=https://dl.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-9
+