Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback and MokManager.

Also drop debian/patches/sbsigntool-no-pesign: with this change from upstream
it is no longer needed.
Mathieu Trudel-Lapierre 2017-08-29 13:58:39 -04:00
parent 661d3ea1dc
commit 402fafb475
4 changed files with 4 additions and 28 deletions

debian/changelog vendored

@ -9,9 +9,11 @@ shim (12+1503074702.5202f80-0ubuntu1) UNRELEASED; urgency=medium
makes it possible to build a shim for other architectures than amd64.
- Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
at compile-time for MokManager and fallback.
- Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
and MokManager.
* debian/patches/second-stage-path: dropped; the default loader path now
includes an arch suffix.
* debian/patches/sbsigntool-no-pesign: refreshed.
* debian/patches/sbsigntool-no-pesign: dropped; no longer needed..
* debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: dropped,
included upstream.
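
Review bot: the new entry for debian/patches/sbsigntool-no-pesign ends in a double period ("no longer needed..") and gives no reason for the drop. Suggest tying it to the ENABLE_SBSIGN entry added a few lines above, for example "dropped; superseded by ENABLE_SBSIGN.", so the changelog itself records why the patch is gone.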


@ -1,26 +0,0 @@
Description: Sign MokManager with sbsigntool instead of pesign
Ubuntu infrastructure uses sbsigntool for all other EFI signing, so we use
the same thing for signing MokManager with our ephemeral key. This also
avoids an additional build dependency on libnss3-tools.
Author: Steve Langasek <steve.langasek@canonical.com>
Forwarded: not-needed
---
Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Index: b/Makefile
===================================================================
--- a/Makefile
+++ b/Makefile
@@ -206,8 +206,8 @@ endif
-j .note.gnu.build-id \
$(FORMAT) $^ $@.debug
-%.efi.signed: %.efi certdb/secmod.db
- $(PESIGN) -n certdb -i $< -c "shim" -s -o $@ -f
+%.efi.signed: %.efi shim.crt
+ sbsign --key shim.key --cert shim.crt $<
clean:
$(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean
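
Review bot: the deleted rule "sbsign --key shim.key --cert shim.crt $<" is the only place in this diff that names the key and certificate used to sign fallback and MokManager, and nothing here shows what the upstream ENABLE_SBSIGN rule uses instead. Please reference the upstream change in the commit message and confirm that, together with ENABLE_SHIM_CERT=1, the build still signs both binaries with the ephemeral shim.key/shim.crt pair. The patch header also records that using sbsign avoided a build dependency on libnss3-tools; worth confirming that still holds once the patch is removed.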


@ -1 +0,0 @@
sbsigntool-not-pesign
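
Review bot: the entry removed here is "sbsigntool-not-pesign", while the commit message and the changelog both call the patch "sbsigntool-no-pesign". One of the two names is wrong; please check which one matches the deleted file and make the changelog and commit message use it, so the drop can be found later by name.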

debian/rules vendored

@ -24,6 +24,7 @@ override_dh_auto_build:
MAKELEVEL=0 \
EFI_PATH=/usr/lib \
ENABLE_SHIM_CERT=1 \
ENABLE_SBSIGN=1 \
VENDOR_CERT_FILE=$(cert)
override_dh_fixperms:
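
Review bot: ENABLE_SBSIGN=1 makes the build depend on sbsign being installed, and no Build-Depends change is visible in this commit. Since the dropped patch already invoked sbsign, the dependency is probably present, but it is worth confirming. A one-line comment above ENABLE_SHIM_CERT=1 and ENABLE_SBSIGN=1 explaining that they select the ephemeral certificate and the sbsign signing path would also help the next person reading override_dh_auto_build.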