diff --git a/debian/canonical-uefi-ca.der b/debian/canonical-uefi-ca.der
new file mode 100644
index 0000000..b4098d9
Binary files /dev/null and b/debian/canonical-uefi-ca.der differ
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..0728613
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,196 @@
+shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium
+
+ [ Steve Langasek ]
+ * Initial Debian upload. Closes: #820052.
+ * Update Standards-Version.
+ * Embed the newly-minted Debian CA certificate.
+ * Vendorize debian/rules so that the same package can be used in both
+ Debian and Ubuntu without modification.
+ * Fix debian/copyright to match the spec (last match wins, not first)
+ * Fix shim.efi to not be executable.
+ * Add watchfile.
+ * Support parallel builds, because eh why not
+ * Update Vcs-Bzr.
+ * Resync with Ubuntu, including patch to fix debian/copyright.
+
+ [ Julien Cristau ]
+ * Add some missing copyright holders in d/copyright, update
+ Upstream-Contact. Thanks to Helen Koike for the help.
+
+ -- Julien Cristau Sat, 15 Oct 2016 15:17:34 +0200
+
+shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium
+
+ [ Helen Koike ]
+ * debian/copyright: add OpenSSL license
+
+ [ Mathieu Trudel-Lapierre ]
+ * New upstream release.
+ * debian/copyright: patches should be BSD, like the rest of the upstream
+ code.
+ * debian/patches/unused-variable: dropped; applied upstream.
+ * debian/patches/binutils-version-matching: dropped, fixed upstream.
+ * debian/shim.install: built EFI binaries were renamed; update our install
+ file to properly pick up shim (shim$arch), MokManager (mm$arch), and
+ fallback (fb$arch).
+
+ -- Mathieu Trudel-Lapierre Wed, 21 Sep 2016 20:29:44 -0400
+
+shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium
+
+ * New upstream release.
+ - Better handle LoadOptions. (LP: #1581299)
+ - Measure state and second stage in TPM.
+ - Mirror MokSBState in runtime as MokSBStateRT.
+ - Fix failure to build with GCC 5. (LP: #1429978)
+ - Various bug fixes and other improvements.
+ * Refreshed patches.
+ - Remaining patches:
+ + second-stage-path
+ + sbsigntool-not-pesign
+ * debian/patches/unused-variable: remove unused variable size.
+ * debian/patches/binutils-version-matching: revert d9a4c912 to correctly
+ match objcopy's version on Ubuntu.
+ * debian/copyright: update copyright for patches.
+
+ -- Mathieu Trudel-Lapierre Tue, 26 Jul 2016 16:48:32 -0400
+
+shim (0.8-0ubuntu2) wily; urgency=medium
+
+ * No-change rebuild against gnu-efi 3.0v-5ubuntu1.
+
+ -- Steve Langasek Tue, 12 May 2015 17:48:30 +0000
+
+shim (0.8-0ubuntu1) wily; urgency=medium
+
+ * New upstream release.
+ - Clarify meaning of insecure_mode. (LP: #1384973)
+ * debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,
+ debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included
+ in the upstream release.
+ * debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path:
+ refreshed.
+
+ -- Mathieu Trudel-Lapierre Mon, 11 May 2015 19:50:49 -0400
+
+shim (0.7-0ubuntu4) utopic; urgency=medium
+
+ * SECURITY UPDATE: heap overflow and out-of-bounds read access when
+ parsing DHCPv6 information
+ - debian/patches/CVE-2014-3675.patch: apply proper bounds checking
+ when parsing data provided in DHCPv6 packets.
+ - CVE-2014-3675
+ - CVE-2014-3676
+ * SECURITY UPDATE: memory corruption when processing user-provided key
+ lists
+ - debian/patches/CVE-2014-3677.patch: detect malformed machine owner
+ key (MOK) lists and ignore them, avoiding possible memory corruption.
+ - CVE-2014-3677
+
+ -- Steve Langasek Wed, 08 Oct 2014 06:40:40 +0000
+
+shim (0.7-0ubuntu2) utopic; urgency=medium
+
+ * Restore debian/patches/prototypes, which still is needed on shim 0.7
+ but only detected on the buildds.
+ * Update debian/patches/prototypes with some new declarations needed for
+ openssl 0.9.8za update.
+
+ -- Steve Langasek Tue, 07 Oct 2014 16:20:08 -0700
+
+shim (0.7-0ubuntu1) utopic; urgency=medium
+
+ * New upstream release.
+ - fix spurious error message when fallback.efi is not present, as will
+ always be the case for removable media. LP: #1297069.
+ - drop most patches, included upstream.
+ * debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick
+ openssl 0.9.8za in via upstream.
+
+ -- Steve Langasek Tue, 07 Oct 2014 05:40:41 +0000
+
+shim (0.4-0ubuntu5) utopic; urgency=low
+
+ * Install fallback.efi.signed as well, to lay the groundwork for fallback
+ handling (wanted when we have to move a drive between machines, or when
+ the firmware loses its marbles^W nvram).
+
+ -- Steve Langasek Mon, 04 Aug 2014 12:11:13 +0200
+
+shim (0.4-0ubuntu4) saucy; urgency=low
+
+ * debian/patches/fix-tftp-prototype: pass the right arguments to
+ EFI_PXE_BASE_CODE_TFTP_READ_FILE.
+ * debian/patches/build-with-Werror: Build with -Werror to catch future
+ prototype mismatches.
+ * debian/patches/fix-compiler-warnings: Fix remaining compiler
+ warnings in netboot.c.
+ * debian/patches/tftp-proper-nul-termination: fix nul termination
+ errors in filenames passed to tftp.
+ * debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to
+ the netboot code.
+
+ -- Steve Langasek Mon, 23 Sep 2013 00:30:00 -0700
+
+shim (0.4-0ubuntu3) saucy; urgency=low
+
+ [ Steve Langasek ]
+ * Install MokManager.efi.signed in the package.
+ * debian/patches/no-output-by-default.patch: Don't print any
+ informational messages. Closes LP: #1074302.
+
+ [ Stéphane Graber ]
+ * debian/patches/no-print-on-unsigned: Don't print an error message when
+ validating an unsigned binary as that tends to hang Lenovo machines.
+ (LP: #1087501)
+
+ -- Stéphane Graber Thu, 08 Aug 2013 17:12:12 +0200
+
+shim (0.4-0ubuntu2) saucy; urgency=low
+
+ * Add missing build-dependency on openssl.
+
+ -- Steve Langasek Tue, 02 Jul 2013 20:30:43 +0000
+
+shim (0.4-0ubuntu1) saucy; urgency=low
+
+ * New upstream release.
+ * Drop debian/patches/shim-before-loadimage; upstream has changed this to
+ not call loadimage at all.
+ * debian/patches/sbsigntool-not-pesign: Sign MokManager with
+ sbsigntool instead of pesign.
+ * Add a versioned build-dependency on gnu-efi.
+
+ -- Steve Langasek Tue, 02 Jul 2013 12:53:24 -0700
+
+shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low
+
+ * debian/patches/shim-before-loadimage: Use direct verification first
+ before LoadImage. Addresses an issue where Lenovo's SecureBoot
+ implementation pops an error message on any verification failure - avoid
+ calling LoadImage at all unless we have to.
+
+ -- Steve Langasek Wed, 10 Oct 2012 15:28:40 -0700
+
+shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low
+
+ * debian/patches/second-stage-path: Chainload grubx64.efi, not
+ grub.efi.
+
+ -- Steve Langasek Fri, 05 Oct 2012 11:20:58 -0700
+
+shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low
+
+ * debian/patches/prototypes: Include missing prototypes, and disable
+ use of BIO_new_file.
+ * Only build the package for amd64; we're not signing an i386 shim at this
+ stage so there's no point in building it.
+
+ -- Steve Langasek Thu, 04 Oct 2012 17:47:04 +0000
+
+shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low
+
+ * Initial release.
+ * Include the Canonical Secure Boot master CA.
+
+ -- Steve Langasek Thu, 04 Oct 2012 00:01:06 -0700
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..ec63514
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+9
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..25b0b47
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,17 @@
+Source: shim
+Section: admin
+Priority: optional
+Maintainer: Steve Langasek
+Standards-Version: 3.9.8
+Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl
+Vcs-Bzr: lp:~ubuntu-core-dev/shim/trunk
+
+Package: shim
+Architecture: amd64
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: boot loader to chain-load signed boot loaders under Secure Boot
+ This package provides a minimalist boot loader which allows verifying
+ signatures of other UEFI binaries against either the Secure Boot DB/DBX or
+ against a built-in signature database. Its purpose is to allow a small,
+ infrequently-changing binary to be signed by the UEFI CA, while allowing
+ an OS distributor to revision their main bootloader independently of the CA.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..7c08287
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,254 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: shim
+Upstream-Contact: Matthew Garrett
+Source: https://github.com/mjg59/shim.git
+
+Files: *
+Copyright: 2012-2013 Red Hat, Inc
+ 2009-2016 Intel Corporation
+License: BSD-2-Clause
+
+Files: debian/patches/*
+Copyright: 2016 Canonical Ltd.
+License: BSD-2-Clause
+
+Files: crypt_blowfish.*
+Copyright: none
+License: public-domain
+ No copyright is claimed, and the software is hereby placed in the public
+ domain. In case this attempt to disclaim copyright and place the software
+ in the public domain is deemed null and void, then the software is
+ Copyright (c) 2000-2011 Solar Designer and it is hereby released to the
+ general public under the following terms:
+ .
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted.
+ .
+ There's ABSOLUTELY NO WARRANTY, express or implied.
+
+Files: httpboot.*
+Copyright: 2015 SUSE LINUX GmbH
+License: BSD-2-Clause
+
+Files: include/Http.h
+Copyright: 2016 Intel Corporation
+ 2015 Hewlett Packard Enterprise Development LP
+License: BSD-2-Clause
+
+Files: include/PeImage.h
+Copyright: 2006-2010 Intel Corporation
+ 2008-2009 Apple Inc
+License: BSD-2-Clause
+
+Files: lib/*.c
+Copyright: 2011-2012 Intel Corporation
+ 2012
+ 2012-2013 Red Hat, Inc
+License: BSD-2-Clause
+
+Files: Cryptlib/OpenSSL/* Cryptlib/Include/openssl/*
+Copyright: 1998-2016 The OpenSSL Project
+ 1995-1998 Eric Young (eay@cryptsoft.com)
+ 2002 Sun Microsystems, Inc
+ 2005 Nokia
+License: OpenSSL and Original-SSLeay
+ OpenSSL License
+ ---------------
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ .
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ .
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in
+ the documentation and/or other materials provided with the
+ distribution.
+ .
+ 3. All advertising materials mentioning features or use of this
+ software must display the following acknowledgment:
+ "This product includes software developed by the OpenSSL Project
+ for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ .
+ 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ endorse or promote products derived from this software without
+ prior written permission. For written permission, please contact
+ openssl-core@openssl.org.
+ .
+ 5. Products derived from this software may not be called "OpenSSL"
+ nor may "OpenSSL" appear in their names without prior written
+ permission of the OpenSSL Project.
+ .
+ 6. Redistributions of any form whatsoever must retain the following
+ acknowledgment:
+ "This product includes software developed by the OpenSSL Project
+ for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ .
+ THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ OF THE POSSIBILITY OF SUCH DAMAGE.
+ ====================================================================
+ .
+ This product includes cryptographic software written by Eric Young
+ (eay@cryptsoft.com). This product includes software written by Tim
+ Hudson (tjh@cryptsoft.com).
+ .
+ Original SSLeay License
+ -----------------------
+ This package is an SSL implementation written
+ by Eric Young (eay@cryptsoft.com).
+ The implementation was written so as to conform with Netscapes SSL.
+ .
+ This library is free for commercial and non-commercial use as long as
+ the following conditions are aheared to. The following conditions
+ apply to all code found in this distribution, be it the RC4, RSA,
+ lhash, DES, etc., code; not just the SSL code. The SSL documentation
+ included with this distribution is covered by the same copyright terms
+ except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ .
+ Copyright remains Eric Young's, and as such any Copyright notices in
+ the code are not to be removed.
+ If this package is used in a product, Eric Young should be given attribution
+ as the author of the parts of the library used.
+ This can be in the form of a textual message at program startup or
+ in documentation (online or textual) provided with the package.
+ .
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the copyright
+ notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ 3. All advertising materials mentioning features or use of this software
+ must display the following acknowledgement:
+ "This product includes cryptographic software written by
+ Eric Young (eay@cryptsoft.com)"
+ The word 'cryptographic' can be left out if the rouines from the library
+ being used are not cryptographic related :-).
+ 4. If you include any Windows specific code (or a derivative thereof) from
+ the apps directory (application code) you must include an acknowledgement:
+ "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ .
+ THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.
+ .
+ The licence and distribution terms for any publically available version or
+ derivative of this code cannot be changed. i.e. this code cannot simply be
+ copied and put under another distribution licence
+ [including the GNU Public Licence.]
+
+Files: Cryptlib/Include/openssl/seed.h
+Copyright: 2007 KISA(Korea Information Security Agency)
+License: BSD-2-Clause
+
+Files: Cryptlib/OpenSSL/crypto/o_dir.h Cryptlib/OpenSSL/crypto/LPdir_nyi.c
+Copyright: 2004, Richard Levitte
+License: BSD-2-Clause
+
+Files: Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c Cryptlib/OpenSSL/crypto/x509v3/v3_pcia.c
+Copyright: 2004 Kungliga Tekniska Högskolan
+License: BSD-3-Clause-Institute
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ .
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ .
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ .
+ 3. Neither the name of the Institute nor the names of its contributors
+ may be used to endorse or promote products derived from this software
+ without specific prior written permission.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.
+
+Files: Cryptlib/OpenSSL/crypto/bn/rsaz_exp.h
+Copyright: 2012, Intel Corporation
+License: BSD-3-Clause-Intel
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are
+ met:
+ .
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ .
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the
+ distribution.
+ .
+ * Neither the name of the Intel Corporation nor the names of its
+ contributors may be used to endorse or promote products derived from
+ this software without specific prior written permission.
+ .
+ THIS SOFTWARE IS PROVIDED BY INTEL CORPORATION ""AS IS"" AND ANY
+ EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL INTEL CORPORATION OR
+ CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+License: BSD-2-Clause
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ .
+ Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ .
+ Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the
+ distribution.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/debian/debian-uefi-ca.der b/debian/debian-uefi-ca.der
new file mode 100644
index 0000000..1dd6ee1
Binary files /dev/null and b/debian/debian-uefi-ca.der differ
diff --git a/debian/patches/gcc-5.diff b/debian/patches/gcc-5.diff
new file mode 100644
index 0000000..e706c3a
--- /dev/null
+++ b/debian/patches/gcc-5.diff
@@ -0,0 +1,45 @@
+---
+ Cryptlib/Makefile | 2 +-
+ Cryptlib/OpenSSL/Makefile | 2 +-
+ Makefile | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+Index: b/Makefile
+===================================================================
+--- a/Makefile
++++ b/Makefile
+@@ -19,7 +19,7 @@ EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(A
+ EFI_LDS = elf_$(ARCH)_efi.lds
+
+ DEFAULT_LOADER := \\\\grubx64.efi
+-CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
++CFLAGS = -std=gnu89 -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
+ -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
+ -Werror=sign-compare \
+ "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
+Index: b/Cryptlib/Makefile
+===================================================================
+--- a/Cryptlib/Makefile
++++ b/Cryptlib/Makefile
+@@ -1,7 +1,7 @@
+
+ EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
+
+-CFLAGS = -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
++CFLAGS = -std=gnu89 -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
+ -Wall $(EFI_INCLUDES)
+
+ ifeq ($(ARCH),x86_64)
+Index: b/Cryptlib/OpenSSL/Makefile
+===================================================================
+--- a/Cryptlib/OpenSSL/Makefile
++++ b/Cryptlib/OpenSSL/Makefile
+@@ -1,7 +1,7 @@
+
+ EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
+
+-CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \
++CFLAGS = -std=gnu89 -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \
+ -Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC
+
+ ifeq ($(ARCH),x86_64)
diff --git a/debian/patches/gcc5-includes-stdarg.patch b/debian/patches/gcc5-includes-stdarg.patch
new file mode 100644
index 0000000..57cf4a8
--- /dev/null
+++ b/debian/patches/gcc5-includes-stdarg.patch
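Review bot: debian/patches/gcc-5.diff is added without any header saying why `-std=gnu89` is forced into the three `CFLAGS` assignments, while the changelog in this same commit says the GCC 5 build failure is fixed upstream and lists only second-stage-path and sbsigntool-not-pesign as remaining patches. debian/patches/series is not visible here, so it is unclear whether this patch is applied at all; if it is not, the file should be dropped rather than carried as a stale patch in a Secure Boot package. If it is applied, give it a DEP-3 header like the one on debian/patches/prototypes, for example `Description: build with -std=gnu89 (presumably because GCC 5 changed its default C dialect)` together with a `Forwarded:` line.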
@@ -0,0 +1,129 @@
+From d51739a416400ad348d8a1c7e3886abce11fff1b Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Tue, 7 Apr 2015 11:59:25 -0400
+Subject: [PATCH] gcc 5.0 changes some include bits, so copy what arm does on
+ x86.
+
+Basically they messed around with stdarg some and now we need to do it
+the other way.
+
+Signed-off-by: Peter Jones
+---
+ Cryptlib/Include/OpenSslSupport.h | 4 +++-
+ Cryptlib/Makefile | 3 ++-
+ Cryptlib/OpenSSL/Makefile | 5 +++--
+ Makefile | 17 ++++++-----------
+ MokManager.c | 1 +
+ 5 files changed, 15 insertions(+), 15 deletions(-)
+
+Index: b/Cryptlib/Include/OpenSslSupport.h
+===================================================================
+--- a/Cryptlib/Include/OpenSslSupport.h
++++ b/Cryptlib/Include/OpenSslSupport.h
+@@ -34,7 +34,7 @@ typedef VOID *FILE;
+ //
+ // Map all va_xxxx elements to VA_xxx defined in MdePkg/Include/Base.h
+ //
+-#if !defined(__CC_ARM) // if va_list is not already defined
++#if !defined(__CC_ARM) || defined(_STDARG_H) // if va_list is not already defined
+ /*
+ * These are now unconditionally #defined by GNU_EFI's efistdarg.h,
+ * so we should #undef them here before providing a new definition.
+@@ -94,7 +94,9 @@ typedef __builtin_va_list VA_LIST;
+ portably, hence it is provided by a Standard C header file.
+ For pre-Standard C compilers, here is a version that usually works
+ (but watch out!): */
++#ifndef offsetof
+ #define offsetof(type, member) ( (int) & ((type*)0) -> member )
++#endif
+
+ //
+ // Basic types from EFI Application Toolkit required to buiild Open SSL
+Index: b/Cryptlib/Makefile
+===================================================================
+--- a/Cryptlib/Makefile
++++ b/Cryptlib/Makefile
+@@ -2,7 +2,8 @@
+ EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
+
+ CFLAGS = -std=gnu89 -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
+- -Wall $(EFI_INCLUDES)
++ -Wall $(EFI_INCLUDES) \
++ -ffreestanding -I$(shell $(CC) -print-file-name=include)
+
+ ifeq ($(ARCH),x86_64)
+ CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \
+Index: b/Cryptlib/OpenSSL/Makefile
+===================================================================
+--- a/Cryptlib/OpenSSL/Makefile
++++ b/Cryptlib/OpenSSL/Makefile
+@@ -2,6 +2,7 @@
+ EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
+
+ CFLAGS = -std=gnu89 -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \
++ -ffreestanding -I$(shell $(CC) -print-file-name=include) \
+ -Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC
+
+ ifeq ($(ARCH),x86_64)
+@@ -13,10 +14,10 @@ ifeq ($(ARCH),ia32)
+ -m32 -DTHIRTY_TWO_BIT
+ endif
+ ifeq ($(ARCH),aarch64)
+- CFLAGS += -O2 -DSIXTY_FOUR_BIT_LONG -ffreestanding -I$(shell $(CC) -print-file-name=include)
++ CFLAGS += -O2 -DSIXTY_FOUR_BIT_LONG
+ endif
+ ifeq ($(ARCH),arm)
+- CFLAGS += -O2 -DTHIRTY_TWO_BIT -ffreestanding -I$(shell $(CC) -print-file-name=include)
++ CFLAGS += -O2 -DTHIRTY_TWO_BIT
+ endif
+ LDFLAGS = -nostdlib -znocombreloc
+
+Index: b/Makefile
+===================================================================
+--- a/Makefile
++++ b/Makefile
+@@ -21,7 +21,8 @@ EFI_LDS = elf_$(ARCH)_efi.lds
+ DEFAULT_LOADER := \\\\grubx64.efi
+ CFLAGS = -std=gnu89 -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
+ -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
+- -Werror=sign-compare \
++ -Werror=sign-compare -ffreestanding \
++ -I$(shell $(CC) -print-file-name=include) \
+ "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
+ "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
+ $(EFI_INCLUDES)
+@@ -31,19 +32,13 @@ ifneq ($(origin OVERRIDE_SECURITY_POLICY
+ endif
+
+ ifeq ($(ARCH),x86_64)
+- CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \
++ CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
++ -maccumulate-outgoing-args \
+ -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI
+ endif
+ ifeq ($(ARCH),ia32)
+- CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -m32
+-endif
+-
+-ifeq ($(ARCH),aarch64)
+- CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include)
+-endif
+-
+-ifeq ($(ARCH),arm)
+- CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include)
++ CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
++ -maccumulate-outgoing-args -m32
+ endif
+
+ ifneq ($(origin VENDOR_CERT_FILE), undefined)
+Index: b/MokManager.c
+===================================================================
+--- a/MokManager.c
++++ b/MokManager.c
+@@ -1,5 +1,6 @@
+ #include
+ #include
++#include
+ #include
+ #include
+ #include "shim.h"
diff --git a/debian/patches/prototypes b/debian/patches/prototypes
new file mode 100644
index 0000000..7191e10
--- /dev/null
+++ b/debian/patches/prototypes
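Review bot: In the Cryptlib/Include/OpenSslSupport.h part of this patch the guard becomes `#if !defined(__CC_ARM) || defined(_STDARG_H)` while the trailing comment still says "if va_list is not already defined", which no longer describes the condition: the added term is true precisely when a stdarg header has already been included. `_STDARG_H` looks like a header-internal include guard rather than a documented macro, so which branch is taken depends on the stdarg.h found through the new `-I$(shell $(CC) -print-file-name=include)` path; a comment such as `/* _STDARG_H: the compiler's own stdarg.h is already in, so #undef and remap va_* */` would record that dependency. Separately, the Makefile parts put `$(shell …)` inside a recursively expanded `CFLAGS =`, so the compiler is queried on every expansion; assigning it once, `CC_INCLUDE := $(shell $(CC) -print-file-name=include)`, and passing `-I$(CC_INCLUDE)` would avoid that.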
@@ -0,0 +1,191 @@
+Description: Include missing prototypes, and disable use of BIO_new_file
+ Pull in missing prototypes for functions that are not yet upstream in
+ gnu-efi, and #ifdef out references to BIO_new_file(), BIO_new_fp(), and
+ X509_load_{cert,crl}_file since the prototypes are themselves #ifdef'ed
+ out.
+ .
+ Without these prototypes, we get implicit conversions on amd64, which
+ are sensibly treated as a build failure by Launchpad.
+Author: Steve Langasek
+
+Index: shim/Cryptlib/Library/BaseMemoryLib.h
+===================================================================
+--- /dev/null
++++ shim/Cryptlib/Library/BaseMemoryLib.h
+@@ -0,0 +1,41 @@
++#ifndef __BASE_MEMORY_LIB__
++#define __BASE_MEMORY_LIB__
++
++CHAR8 *
++ScanMem8 (
++ IN CHAR8 *Buffer,
++ IN UINTN Size,
++ IN CHAR8 Value
++ );
++
++UINT32
++WriteUnaligned32(
++ UINT32 *Buffer,
++ UINT32 Value
++ );
++
++CHAR8 *
++AsciiStrCat(
++ CHAR8 *Destination,
++ CHAR8 *Source
++ );
++
++CHAR8 *
++AsciiStrCpy(
++ CHAR8 *Destination,
++ CHAR8 *Source
++ );
++
++CHAR8 *
++AsciiStrnCpy(
++ CHAR8 *Destination,
++ CHAR8 *Source,
++ UINTN count
++ );
++
++UINTN
++AsciiStrSize(
++ CHAR8 *string
++ );
++
++#endif
+Index: shim/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c
+===================================================================
+--- shim.orig/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c
++++ shim/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c
+@@ -157,6 +157,7 @@
+ }
+ OPENSSL_free(tmp_data2);
+ }
++#ifndef OPENSSL_NO_STDIO
+ else if (strncmp(val->value, "file:", 5) == 0)
+ {
+ unsigned char buf[2048];
+@@ -194,6 +195,7 @@
+ goto err;
+ }
+ }
++#endif
+ else if (strncmp(val->value, "text:", 5) == 0)
+ {
+ val_len = strlen(val->value + 5);
+Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_def.c
+===================================================================
+--- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_def.c
++++ shim/Cryptlib/OpenSSL/crypto/conf/conf_def.c
+@@ -186,11 +186,13 @@
+ int ret;
+ BIO *in=NULL;
+
++#ifndef OPENSSL_NO_STDIO
+ #ifdef OPENSSL_SYS_VMS
+ in=BIO_new_file(name, "r");
+ #else
+ in=BIO_new_file(name, "rb");
+ #endif
++#endif
+ if (in == NULL)
+ {
+ if (ERR_GET_REASON(ERR_peek_last_error()) == BIO_R_NO_SUCH_FILE)
+Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_lib.c
+===================================================================
+--- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_lib.c
++++ shim/Cryptlib/OpenSSL/crypto/conf/conf_lib.c
+@@ -92,11 +92,13 @@
+ LHASH *ltmp;
+ BIO *in=NULL;
+
++#ifndef OPENSSL_NO_STDIO
+ #ifdef OPENSSL_SYS_VMS
+ in=BIO_new_file(file, "r");
+ #else
+ in=BIO_new_file(file, "rb");
+ #endif
++#endif
+ if (in == NULL)
+ {
+ CONFerr(CONF_F_CONF_LOAD,ERR_R_SYS_LIB);
+Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_sap.c
+===================================================================
+--- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_sap.c
++++ shim/Cryptlib/OpenSSL/crypto/conf/conf_sap.c
+@@ -93,12 +93,14 @@
+ {
+ BIO *bio_err;
+ ERR_load_crypto_strings();
++#ifndef OPENSSL_NO_STDIO
+ if ((bio_err=BIO_new_fp(stderr, BIO_NOCLOSE)) != NULL)
+ {
+ BIO_printf(bio_err,"Auto configuration failed\n");
+ ERR_print_errors(bio_err);
+ BIO_free(bio_err);
+ }
++#endif
+ exit(1);
+ }
+
+Index: shim/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c
+===================================================================
+--- shim.orig/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c
++++ shim/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c
+@@ -374,11 +374,15 @@
+ BIO *in;
+ EVP_PKEY *key;
+ fprintf(stderr, "(TEST_ENG_OPENSSL_PKEY)Loading Private key %s\n", key_id);
++#ifndef OPENSSL_NO_STDIO
+ in = BIO_new_file(key_id, "r");
+ if (!in)
+ return NULL;
+ key = PEM_read_bio_PrivateKey(in, NULL, 0, NULL);
+ BIO_free(in);
++#else
++ return NULL;
++#endif
+ return key;
+ }
+ #endif
+Index: shim/Cryptlib/OpenSSL/crypto/x509/by_dir.c
+===================================================================
+--- shim.orig/Cryptlib/OpenSSL/crypto/x509/by_dir.c
++++
shim/Cryptlib/OpenSSL/crypto/x509/by_dir.c
+@@ -92,8 +92,10 @@
+ static int new_dir(X509_LOOKUP *lu);
+ static void free_dir(X509_LOOKUP *lu);
+ static int add_cert_dir(BY_DIR *ctx,const char *dir,int type);
++#ifndef OPENSSL_NO_STDIO
+ static int get_cert_by_subject(X509_LOOKUP *xl,int type,X509_NAME *name,
+ X509_OBJECT *ret);
++#endif
+ X509_LOOKUP_METHOD x509_dir_lookup=
+ {
+ "Load certs from files in a directory",
+@@ -102,7 +104,11 @@
+ NULL, /* init */
+ NULL, /* shutdown */
+ dir_ctrl, /* ctrl */
++#ifdef OPENSSL_NO_STDIO
++ NULL, /* get_by_subject */
++#else
+ get_cert_by_subject, /* get_by_subject */
++#endif
+ NULL, /* get_by_issuer_serial */
+ NULL, /* get_by_fingerprint */
+ NULL, /* get_by_alias */
+@@ -242,6 +248,7 @@
+ return(1);
+ }
+
++#ifndef OPENSSL_NO_STDIO
+ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
+ X509_OBJECT *ret)
+ {
+@@ -383,3 +390,4 @@
+ if (b != NULL) BUF_MEM_free(b);
+ return(ok);
+ }
++#endif
diff --git a/debian/patches/sbsigntool-not-pesign b/debian/patches/sbsigntool-not-pesign
new file mode 100644
index 0000000..9629cb1
--- /dev/null
+++ b/debian/patches/sbsigntool-not-pesign
@@ -0,0 +1,26 @@
+Description: Sign MokManager with sbsigntool instead of pesign
+ Ubuntu infrastructure uses sbsigntool for all other EFI signing, so we use
+ the same thing for signing MokManager with our ephemeral key. This also
+ avoids an additional build dependency on libnss3-tools.
+Author: Steve Langasek
+Forwarded: not-needed
+
+---
+ Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: b/Makefile
+===================================================================
+--- a/Makefile
++++ b/Makefile
+@@ -158,8 +158,8 @@ endif
+ -j .note.gnu.build-id \
+ $(FORMAT) $^ $@.debug
+
+-%.efi.signed: %.efi certdb/secmod.db
+- pesign -n certdb -i $< -c "shim" -s -o $@ -f
++%.efi.signed: %.efi shim.crt
++ sbsign --key shim.key --cert shim.crt $<
+
+ clean:
+ $(MAKE) -C Cryptlib clean
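Review bot: In the conf_def.c hunk, once `OPENSSL_NO_STDIO` is defined `in` is never assigned, so the `if (in == NULL)` branch always runs and its `ERR_peek_last_error()` test for `BIO_R_NO_SUCH_FILE` reads whatever an earlier operation left on the error queue, because no BIO call was made here. The conf_lib.c hunk has the same always-NULL shape but raises a fixed `ERR_R_SYS_LIB`. I would add an `#else` arm holding a comment such as `/* OPENSSL_NO_STDIO: no file BIO exists, fall through to the error path */` so the unconditional failure reads as intended; both functions continue outside their hunks. Separately, the `series` file added in this same diff lists only `second-stage-path` and `sbsigntool-not-pesign`, so as far as this diff shows the patch is shipped but not applied.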
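Review bot: The new `%.efi.signed` recipe never names `$@` and relies on sbsign's default output name happening to match the target, and it reads `shim.key` although only `%.efi shim.crt` are prerequisites. Naming the output ties the signed artifact to the rule: `sbsign --key shim.key --cert shim.crt --output $@ $<`. The description calls `shim.key` an ephemeral key, so a comment above the rule saying where it is generated and that it must not be installed would help; whether the `clean` target below removes it is not visible, since that recipe continues outside the hunk.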
diff --git a/debian/patches/second-stage-path b/debian/patches/second-stage-path
new file mode 100644
index 0000000..da53af8
--- /dev/null
+++ b/debian/patches/second-stage-path
@@ -0,0 +1,24 @@
+Description: Chainload grubx64.efi, not grub.efi
+ We qualify the second stage bootloader image with the architecture name,
+ so we're forwards-compatible with any future 32-bit implementations.
+ (Non-SB grub doesn't conflict, since the image will be named bootia32.efi
+ anyway, not grub.efi.)
+Author: Steve Langasek
+
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: b/Makefile
+===================================================================
+--- a/Makefile
++++ b/Makefile
+@@ -25,7 +25,7 @@ EFI_LIBS = -lefi -lgnuefi --start-group
+ EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
+ EFI_LDS = elf_$(ARCH)_efi.lds
+
+-DEFAULT_LOADER := \\\\grub.efi
++DEFAULT_LOADER := \\\\grubx64.efi
+ CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
+ -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
+ -Werror=sign-compare -ffreestanding -std=gnu89 \
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..a5f3392
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+second-stage-path
+sbsigntool-not-pesign
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..f368a19
--- /dev/null
+++ b/debian/rules
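Review bot: `DEFAULT_LOADER := \\\\grubx64.efi` fixes the second-stage name to the x86_64 image for every `$(ARCH)`, while the description speaks of qualifying the name with the architecture. The other Makefile patches in this diff branch on `ARCH` for ia32, aarch64 and arm, so a build for one of those would presumably chainload a file name that does not match its architecture. At minimum I would document the limit above the assignment, e.g. `# x86_64 only: other ARCH values need their own second-stage file name`.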
@@ -0,0 +1,21 @@
+#!/usr/bin/make -f
+
+# Other vendors, add your certs here. No sense in using
+# dpkg-vendor --derives-from, because only Canonical-generated binaries will
+# be signed with this key; so if you are building your own shim binary you
+# should be building the other binaries also.
+ifeq ($(shell dpkg-vendor --is ubuntu && echo yes),yes)
+ cert=debian/canonical-uefi-ca.der
+else
+ cert=debian/debian-uefi-ca.der
+endif
+
+%:
+ dh $@ --parallel
+
+override_dh_auto_build:
+ dh_auto_build -- EFI_PATH=/usr/lib VENDOR_CERT_FILE=$(cert)
+
+override_dh_fixperms:
+ dh_fixperms
+ chmod a-x debian/shim/usr/lib/shim/shimx64.efi
diff --git a/debian/shim.install b/debian/shim.install
new file mode 100644
index 0000000..f37f6d1
--- /dev/null
+++ b/debian/shim.install
@@ -0,0 +1,3 @@
+shim*.efi /usr/lib/shim
+mm*.efi.signed /usr/lib/shim
+fb*.efi.signed /usr/lib/shim
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/source/include-binaries b/debian/source/include-binaries
new file mode 100644
index 0000000..d82be74
--- /dev/null
+++ b/debian/source/include-binaries
@@ -0,0 +1,2 @@
+debian/canonical-uefi-ca.der
+debian/debian-uefi-ca.der
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..361d88c
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,5 @@
+# Compulsory line, this is a version 4 file
+version=4
+
+opts="repack,compression=xz,filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/shim-$1\.tar\.gz/" \
+ https://github.com/mjg59/shim/releases .*/v?(\d\S*)\.tar\.gz
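Review bot: The file passed as `VENDOR_CERT_FILE` is the trust anchor built into the binary, yet the `ifeq` falls back to `debian/debian-uefi-ca.der` whenever `dpkg-vendor --is ubuntu` does not print `yes`, which includes the command failing or being absent, and nothing reports which file was picked. I would fail early on a missing file and log the choice right after the `endif`: `$(if $(wildcard $(cert)),,$(error vendor certificate $(cert) not found))` and `$(info shim: embedding vendor certificate $(cert))`. A smaller point: `override_dh_fixperms` names `shimx64.efi` while debian/shim.install installs `shim*.efi`, so a build for any other architecture would not have its binary covered by the `chmod`.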
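Review bot: `opts` in debian/watch carries no `pgpmode` or `pgpsigurlmangle`, so uscan fetches the release tarball and repacks it without any authenticity check, which matters for a package whose output is a Secure Boot first stage. If upstream publishes detached signatures (not visible here), add `pgpsigurlmangle=s/$/.asc/` to `opts` and ship the upstream key as `debian/upstream/signing-key.asc`. If it does not, a comment line stating that the tarball is fetched unverified would make the gap explicit to whoever runs the next import.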