Switch to 15.8 upstream and drop patches

debian/changelog

@@ -1,7 +1,15 @@
-shim (15.7-2) UNRELEASED; urgency=medium
+shim (15.8-1) UNRELEASED; urgency=medium
 
   [ Steve McIntyre ]
   * Cope with changes in pesign packaging.
+  * New upstream release fixing more bugs
+  * Remove all our existing patches, no longer needed:
+    + Make-sbat_var.S-parse-right-with-buggy-gcc-binutils.patch (now
+      upstream)
+    + Enable-NX.patch (we don't want NX just yet until the whole boot
+      stack is NX-capable)
+    + block-grub-sbat3-debian.patch (not needed now upstream grub SBAT
+      is 4)
 
   [ Bastien Roucariès ]
   * Port autopkgtest from ubuntu
@@ -9,7 +17,7 @@ shim (15.7-2) UNRELEASED; urgency=medium
     shim-unsigned:i386", thanks to adrian15 adrian15 (Closes: #936009).
   * Fix debian/watch and check signature
 
- -- Bastien Roucariès <rouca@debian.org>  Mon, 29 Apr 2024 09:55:13 +0000
+ -- Steve McIntyre <93sam@debian.org>  Thu, 25 Apr 2024 22:16:12 +0100
 
 shim (15.7-1) unstable; urgency=medium
 

debian/patches/Enable-NX.patch

@@ -1,79 +0,0 @@
-commit 7c7642530fab73facaf3eac233cfbce29e10b0ef
-Author: Peter Jones <pjones@redhat.com>
-Date:   Thu Nov 17 12:31:31 2022 -0500
-
-    Enable the NX compatibility flag by default.
-    
-    Currently by default, when we build shim we do not set the PE
-    NX-compatibility DLL Characteristic flag.  This signifies to the
-    firmware that shim (including the components it loads) is not prepared
-    for several related firmware changes:
-    
-    - non-executable stack
-    - non-executable pages from AllocatePages()/AllocatePool()/etc.
-    - non-writable 0 page (not strictly related but some firmware will be
-      transitioning at the same time)
-    - the need to use the UEFI 2.10 Memory Attribute Protocol to set page
-      permissions.
-    
-    This patch changes that default to be enabled by default.  Distributors
-    of shim will need to ensure that either their builds disable this bit
-    (using "post-process-pe -N"), or that the bootloaders and kernels you
-    support loading are all compliant with this change.  A new make
-    variable, POST_PROCESS_PE_FLAGS, has been added to simplify doing so.
-    
-    Signed-off-by: Peter Jones <pjones@redhat.com>
-
-diff --git a/BUILDING b/BUILDING
-index 3b2e85d3..17cd98d3 100644
---- a/BUILDING
-+++ b/BUILDING
-@@ -78,6 +78,9 @@ Variables you could set to customize the build:
- - OSLABEL
-   This is the label that will be put in BOOT$(EFI_ARCH).CSV for your OS.
-   By default this is the same value as EFIDIR .
-+- POST_PROCESS_PE_FLAGS
-+  This allows you to add flags to the invocation of "post-process-pe", for
-+  example to disable the NX compatibility flag.
- 
- Vendor SBAT data:
- It will sometimes be requested by reviewers that a build includes extra
-diff --git a/Make.defaults b/Make.defaults
-index c46164a3..9af89f4e 100644
---- a/Make.defaults
-+++ b/Make.defaults
-@@ -139,6 +139,8 @@ CFLAGS		= $(FEATUREFLAGS) \
- 		  $(INCLUDES) \
- 		  $(DEFINES)
- 
-+POST_PROCESS_PE_FLAGS =
-+
- ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
- 	DEFINES	+= -DOVERRIDE_SECURITY_POLICY
- endif
-diff --git a/Makefile b/Makefile
-index a9202f46..f0f53f8f 100644
---- a/Makefile
-+++ b/Makefile
-@@ -255,7 +255,7 @@ endif
- 		-j .rela* -j .dyn -j .reloc -j .eh_frame \
- 		-j .vendor_cert -j .sbat -j .sbatlevel \
- 		$(FORMAT) $< $@
--	./post-process-pe -vv $@
-+	./post-process-pe -vv $(POST_PROCESS_PE_FLAGS) $@
- 
- ifneq ($(origin ENABLE_SHIM_HASH),undefined)
- %.hash : %.efi
-diff --git a/post-process-pe.c b/post-process-pe.c
-index de8f4a38..f39fdddf 100644
---- a/post-process-pe.c
-+++ b/post-process-pe.c
-@@ -42,7 +42,7 @@ static int verbosity;
- 		0;                                               \
- 	})
- 
--static bool set_nx_compat = false;
-+static bool set_nx_compat = true;
- 
- typedef uint8_t UINT8;
- typedef uint16_t UINT16;

debian/patches/Make-sbat_var.S-parse-right-with-buggy-gcc-binutils.patch

@@ -1,104 +0,0 @@
-From 657b2483ca6e9fcf2ad8ac7ee577ff546d24c3aa Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Mon, 5 Dec 2022 17:57:36 -0500
-Subject: [PATCH] Make sbat_var.S parse right with buggy gcc/binutils
-
-In https://github.com/rhboot/shim/issues/533 , iokomin noticed that
-gas in binutils before 2.36 appears to be incorrectly concatenating
-string literals in '.asciz' directives, including an extra NUL character
-in between the strings, and this will cause us to incorrectly parse the
-.sbatlevel section in shim binaries.
-
-This patch adds test cases that will cause the build to fail if this has
-happened, as well as changing sbat_var.S to to use '.ascii' and '.byte'
-to construct the data, rather than using '.asciz'.
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- include/test.mk |  2 +-
- sbat_var.S      |  6 ++++--
- test-sbat.c     | 32 ++++++++++++++++++++++++++++++++
- 3 files changed, 37 insertions(+), 3 deletions(-)
-
-diff --git a/include/test.mk b/include/test.mk
-index c0e24095..c37b8446 100644
---- a/include/test.mk
-+++ b/include/test.mk
-@@ -92,7 +92,7 @@ test-mock-variables: CFLAGS+=-DHAVE_SHIM_LOCK_GUID
- test-mok-mirror_FILES = mok.c globals.c tpm.c lib/guid.c lib/variables.c mock-variables.c
- test-mok-mirror: CFLAGS+=-DHAVE_START_IMAGE -DHAVE_SHIM_LOCK_GUID
- 
--test-sbat_FILES = csv.c lib/variables.c lib/guid.c sbat_var.S
-+test-sbat_FILES = csv.c lib/variables.c lib/guid.c sbat_var.S mock-variables.c
- test-sbat :: CFLAGS+=-DHAVE_GET_VARIABLE -DHAVE_GET_VARIABLE_ATTR -DHAVE_SHIM_LOCK_GUID
- 
- test-str_FILES = lib/string.c
-diff --git a/sbat_var.S b/sbat_var.S
-index a115077a..2a813a40 100644
---- a/sbat_var.S
-+++ b/sbat_var.S
-@@ -14,7 +14,9 @@ sbat_var_payload_header:
- .Lsbat_var_payload_header_end:
- 	.balign	1, 0
- .Lsbat_var_previous:
--	.asciz SBAT_VAR_PREVIOUS
-+	.ascii SBAT_VAR_PREVIOUS
-+	.byte	0
- 	.balign	1, 0
- .Lsbat_var_latest:
--	.asciz SBAT_VAR_LATEST
-+	.ascii SBAT_VAR_LATEST
-+	.byte 0
-diff --git a/test-sbat.c b/test-sbat.c
-index 72bebe7a..65bc6a84 100644
---- a/test-sbat.c
-+++ b/test-sbat.c
-@@ -1107,6 +1107,36 @@ test_preserve_sbat_uefi_variable_bad_short(void)
- 		return 0;
- }
- 
-+static int
-+test_sbat_var_asciz(void)
-+{
-+	EFI_STATUS status;
-+	char buf[1024] = "";
-+	UINT32 attrs = 0;
-+	UINTN size = sizeof(buf);
-+	char expected[] = SBAT_VAR_PREVIOUS;
-+
-+	status = set_sbat_uefi_variable();
-+	if (status != EFI_SUCCESS)
-+		return -1;
-+
-+	status = RT->GetVariable(SBAT_VAR_NAME, &SHIM_LOCK_GUID, &attrs, &size, buf);
-+	if (status != EFI_SUCCESS)
-+		return -1;
-+
-+	/*
-+	 * this should be enough to get past "sbat,", which handles the
-+	 * first error.
-+	 */
-+	if (size < (strlen(SBAT_VAR_SIG) + 2) || size != strlen(expected))
-+		return -1;
-+
-+	if (strncmp(expected, buf, size) != 0)
-+		return -1;
-+
-+	return 0;
-+}
-+
- int
- main(void)
- {
-@@ -1155,6 +1185,8 @@ main(void)
- 	test(test_preserve_sbat_uefi_variable_version_older);
- 	test(test_preserve_sbat_uefi_variable_version_olderlonger);
- 
-+	test(test_sbat_var_asciz);
-+
- 	return 0;
- }
- 
--- 
-2.30.2
-

debian/patches/block-grub-sbat3-debian.patch

@@ -1,19 +0,0 @@
-diff --git a/include/sbat_var_defs.h b/include/sbat_var_defs.h
-index 6b01573e..5b1a764f 100644
---- a/include/sbat_var_defs.h
-+++ b/include/sbat_var_defs.h
-@@ -35,8 +35,12 @@
- 	SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_PREVIOUS_DATE "\n" \
- 	SBAT_VAR_PREVIOUS_REVOCATIONS
- 
--#define SBAT_VAR_LATEST_DATE "2022111500"
--#define SBAT_VAR_LATEST_REVOCATIONS "shim,2\ngrub,3\n"
-+/*
-+ * Debian's grub.3 update was broken - some binaries included the SBAT
-+ * data update but not the security patches :-(
-+ */
-+#define SBAT_VAR_LATEST_DATE "2023012900"
-+#define SBAT_VAR_LATEST_REVOCATIONS "shim,2\ngrub,3\ngrub.debian,4\n"
- #define SBAT_VAR_LATEST \
- 	SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
- 	SBAT_VAR_LATEST_REVOCATIONS

debian/patches/series

@@ -1,3 +0,0 @@
-Make-sbat_var.S-parse-right-with-buggy-gcc-binutils.patch
-Enable-NX.patch
-block-grub-sbat3-debian.patch