diff --git a/backport-shim-don-t-set-second_stage-to-the-empty-string.patch b/backport-shim-don-t-set-second_stage-to-the-empty-string.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4bc6805c1f139903172e86949df76a5be9127ca9
--- /dev/null
+++ b/backport-shim-don-t-set-second_stage-to-the-empty-string.patch
@@ -0,0 +1,54 @@
+From 0287c6b14c77eeb3e3c61996330850d43d937a2b Mon Sep 17 00:00:00 2001
+From: Jonathan Davies <jonathan.davies@nutanix.com>
+Date: Thu, 22 Feb 2024 16:24:01 +0000
+Subject: [PATCH] shim: don't set second_stage to the empty string
+
+When LoadOptions is either L" " or L"shim.efi ", parse_load_options sets
+second_stage to the empty string. This is unlikely to be what is intended, and
+typically leads to a non-obvious failure mode.
+
+The failure happens because parse_load_options's call to split_load_options
+(after eating shim's own filename, if present) returns the empty string. Since
+init_grub typically passes second_stage to start_image, this causes read_image
+to concatenate the empty string onto the directory name. This means PathName
+refers to the directory, not the path to a pe image. Then load_image
+successfully opens a handle on the directory and reads "data" from it. It only
+eventually fails when handle_image calls read_header which finds that this data
+isn't in fact a pe header, reporting "Invalid image".
+
+This scenario has been seen when shim is loaded via rEFInd 0.11.5, which sets
+LoadOptions to the name of the shim program followed by a space character.
+
+Instead, modify parse_load_options to leave second_stage set to its default
+value rather than the empty string.
+
+Reference:https://github.com/rhboot/shim/commit/0287c6b14c77eeb3e3c61996330850d43d937a2b
+Conflict:NA
+
+Signed-off-by: Jonathan Davies <jonathan.davies@nutanix.com>
+---
+ load-options.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/load-options.c b/load-options.c
+index a8c6e1a..8b92e37 100644
+--- a/load-options.c
++++ b/load-options.c
+@@ -447,10 +447,12 @@ parse_load_options(EFI_LOADED_IMAGE *li)
+ 
+ 	/*
+ 	 * Set up the name of the alternative loader and the LoadOptions for
+-	 * the loader
++	 * the loader if it's not the empty string.
+ 	 */
+ 	if (loader_str) {
+-		second_stage = loader_str;
++		if (*loader_str) {
++			second_stage = loader_str;
++		}
+ 		load_options = remaining;
+ 		load_options_size = remaining_size;
+ 	}
+-- 
+2.33.0
+
diff --git a/shim.spec b/shim.spec
index bff032d7cc9275e371b5a4e8c8e6066911507ede..08a7d12d577297357fbe35aca0a26d11391a45dc 100644
--- a/shim.spec
+++ b/shim.spec
@@ -25,7 +25,7 @@
 
 Name:	   	   shim
 Version:	   15.7
-Release:	   12
+Release:	   14
 Summary:	   First-stage UEFI bootloader
 ExclusiveArch:     x86_64 aarch64
 License:	   BSD
@@ -34,6 +34,8 @@ Source0:	   https://github.com/rhboot/shim/releases/download/%{version}/shim-%{v
 Source1:	   BOOTAA64.CSV
 Source2:	   BOOTX64.CSV
 Source3:	   openEuler_ca.der
+Source4:	   shimaa64-cfca.efi
+Source5:	   shimx64-cfca.efi
 
 Patch1:backport-CVE-2023-40546.patch
 Patch2:backport-CVE-2023-40551-pe-relocate-Fix-bounds-check-for-MZ-b.patch
@@ -52,6 +54,7 @@ Patch14:backport-CVE-2023-2650.patch
 Patch15:backport-CVE-2024-0727.patch
 Patch16:backport-Always-clear-SbatLevel-when-Secure-Boot-is-disabled.patch
 Patch17:backport-Align-section-size-up-to-page-size-for-mem-attrs.patch
+Patch18:backport-shim-don-t-set-second_stage-to-the-empty-string.patch
 
 # Feature for shim SMx support
 Patch9000:Feature-shim-openssl-add-ec-support.patch
@@ -76,6 +79,14 @@ Obsoletes:     shim-%{efi_arch} < %{version}-%{release}
 Initial UEFI bootloader that handles chaining to a trusted full \
 bootloader under secure boot environments.
 
+%package signed
+Summary:	signed shim
+Requires:	%{name} = %{version}-%{release}
+AutoReqProv:	0
+
+%description signed
+signed shim 
+
 %package debuginfo
 Summary:	Debug information for shim-unsigned
 Requires:	%{name}-debugsource = %{version}-%{release}
@@ -150,9 +161,11 @@ install -m 0700 *.efi ${RPM_BUILD_ROOT}/%{shimefivendor}
 install -m 0700 *.hash ${RPM_BUILD_ROOT}/%{shimefivendor}
 %ifarch aarch64
 install -m 0700 %{SOURCE1} ${RPM_BUILD_ROOT}/%{shimefivendor}
+install -m 0700 %{SOURCE4} ${RPM_BUILD_ROOT}/%{shimBOOT}/BOOTAA64_CFCA.EFI
 %endif
 %ifarch x86_64
 install -m 0700 %{SOURCE2} ${RPM_BUILD_ROOT}/%{shimefivendor}
+install -m 0700 %{SOURCE5} ${RPM_BUILD_ROOT}/%{shimBOOT}/BOOTX64_CFCA.EFI
 %endif
 %if "%{_vendor}" != "openEuler"
     iconv -f UTF-16LE -t UTF-8 ${RPM_BUILD_ROOT}/%{shimefivendor}/%{bootcsv} > /tmp/%{bootcsv}.tmp
@@ -180,6 +193,14 @@ make test
 %{shimefivendor}/*.efi
 %{shimefivendor}/*.hash
 
+%files signed
+%ifarch aarch64 
+%{shimBOOT}/BOOTAA64_CFCA.EFI
+%endif
+%ifarch x86_64
+%{shimBOOT}/BOOTX64_CFCA.EFI
+%endif
+
 %files debuginfo
 %defattr(-,root,root,-)
 /usr/lib/debug/*
@@ -191,6 +212,12 @@ make test
 /usr/src/debug/%{name}-%{version}-%{release}/*
 
 %changelog
+* Tue Oct 22 2024 fuanan <fuanan3@h-partners.com> -15.7-14
+- backport patch from upstream
+
+* Wed May 29 2024 jinlun <jinlun@huawei.com> -15.7-13
+- add CFCA sign shim
+
 * Fri May 17 2024 wangcheng <wangcheng156@huawei.com> - 15.7-12
 - Align section size up to page size for mem attrs
 
diff --git a/shimaa64-cfca.efi b/shimaa64-cfca.efi
new file mode 100644
index 0000000000000000000000000000000000000000..36a468df34b8c7fc25e92eebf738ea5cb1342757
Binary files /dev/null and b/shimaa64-cfca.efi differ
diff --git a/shimx64-cfca.efi b/shimx64-cfca.efi
new file mode 100644
index 0000000000000000000000000000000000000000..772d43a172ddb2012ac027fdbf66368cc3a5d68a
Binary files /dev/null and b/shimx64-cfca.efi differ