proxmox-mirrors/efi-boot-shim
1
0
Fork 0
mirror of https://git.proxmox.com/git/efi-boot-shim synced 2025-06-06 19:56:51 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Import Debian changes 0.9+1474479173.6c180c6-1

Browse Source 
shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium

  [ Steve Langasek ]
  * Initial Debian upload.  Closes: #820052.
  * Update Standards-Version.
  * Embed the newly-minted Debian CA certificate.
  * Vendorize debian/rules so that the same package can be used in both
    Debian and Ubuntu without modification.
  * Fix debian/copyright to match the spec (last match wins, not first)
  * Fix shim.efi to not be executable.
  * Add watchfile.
  * Support parallel builds, because eh why not
  * Update Vcs-Bzr.
  * Resync with Ubuntu, including patch to fix debian/copyright.

  [ Julien Cristau ]
  * Add some missing copyright holders in d/copyright, update
    Upstream-Contact.  Thanks to Helen Koike for the help.

shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium

  [ Helen Koike ]
  * debian/copyright: add OpenSSL license 

  [ Mathieu Trudel-Lapierre ]
  * New upstream release.
  * debian/copyright: patches should be BSD, like the rest of the upstream
    code.
  * debian/patches/unused-variable: dropped; applied upstream.
  * debian/patches/binutils-version-matching: dropped, fixed upstream.
  * debian/shim.install: built EFI binaries were renamed; update our install
    file to properly pick up shim (shim$arch), MokManager (mm$arch), and
    fallback (fb$arch).

shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium

  * New upstream release.
    - Better handle LoadOptions. (LP: #1581299)
    - Measure state and second stage in TPM.
    - Mirror MokSBState in runtime as MokSBStateRT.
    - Fix failure to build with GCC 5. (LP: #1429978)
    - Various bug fixes and other improvements.
  * Refreshed patches.
    - Remaining patches:
      + second-stage-path
      + sbsigntool-not-pesign 
  * debian/patches/unused-variable: remove unused variable size.
  * debian/patches/binutils-version-matching: revert d9a4c912 to correctly
    match objcopy's version on Ubuntu.
  * debian/copyright: update copyright for patches.

shim (0.8-0ubuntu2) wily; urgency=medium

  * No-change rebuild against gnu-efi 3.0v-5ubuntu1.

shim (0.8-0ubuntu1) wily; urgency=medium

  * New upstream release.
    - Clarify meaning of insecure_mode. (LP: #1384973)
  * debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,
    debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included
    in the upstream release.
  * debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path:
    refreshed.

shim (0.7-0ubuntu4) utopic; urgency=medium

  * SECURITY UPDATE: heap overflow and out-of-bounds read access when
    parsing DHCPv6 information
    - debian/patches/CVE-2014-3675.patch: apply proper bounds checking
      when parsing data provided in DHCPv6 packets.
    - CVE-2014-3675
    - CVE-2014-3676
  * SECURITY UPDATE: memory corruption when processing user-provided key
    lists
    - debian/patches/CVE-2014-3677.patch: detect malformed machine owner
      key (MOK) lists and ignore them, avoiding possible memory corruption.
    - CVE-2014-3677

shim (0.7-0ubuntu2) utopic; urgency=medium

  * Restore debian/patches/prototypes, which still is needed on shim 0.7
    but only detected on the buildds.
  * Update debian/patches/prototypes with some new declarations needed for
    openssl 0.9.8za update.

shim (0.7-0ubuntu1) utopic; urgency=medium

  * New upstream release.
    - fix spurious error message when fallback.efi is not present, as will
      always be the case for removable media.  LP: #1297069.
    - drop most patches, included upstream.
  * debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick
    openssl 0.9.8za in via upstream.

shim (0.4-0ubuntu5) utopic; urgency=low

  * Install fallback.efi.signed as well, to lay the groundwork for fallback
    handling (wanted when we have to move a drive between machines, or when
    the firmware loses its marbles^W nvram).

shim (0.4-0ubuntu4) saucy; urgency=low

  * debian/patches/fix-tftp-prototype: pass the right arguments to
    EFI_PXE_BASE_CODE_TFTP_READ_FILE.
  * debian/patches/build-with-Werror: Build with -Werror to catch future
    prototype mismatches.
  * debian/patches/fix-compiler-warnings: Fix remaining compiler
    warnings in netboot.c.
  * debian/patches/tftp-proper-nul-termination: fix nul termination
    errors in filenames passed to tftp.
  * debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to
    the netboot code.

shim (0.4-0ubuntu3) saucy; urgency=low

  [ Steve Langasek ]
  * Install MokManager.efi.signed in the package.
  * debian/patches/no-output-by-default.patch: Don't print any
    informational messages.  Closes LP: #1074302.

  [ Stéphane Graber ]
  * debian/patches/no-print-on-unsigned: Don't print an error message when
    validating an unsigned binary as that tends to hang Lenovo machines.
    (LP: #1087501)

shim (0.4-0ubuntu2) saucy; urgency=low

  * Add missing build-dependency on openssl.

shim (0.4-0ubuntu1) saucy; urgency=low

  * New upstream release.
  * Drop debian/patches/shim-before-loadimage; upstream has changed this to
    not call loadimage at all.
  * debian/patches/sbsigntool-not-pesign: Sign MokManager with
    sbsigntool instead of pesign.
  * Add a versioned build-dependency on gnu-efi.

shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low

  * debian/patches/shim-before-loadimage: Use direct verification first
    before LoadImage.  Addresses an issue where Lenovo's SecureBoot
    implementation pops an error message on any verification failure - avoid
    calling LoadImage at all unless we have to.

shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low

  * debian/patches/second-stage-path: Chainload grubx64.efi, not
    grub.efi.

shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low

  * debian/patches/prototypes: Include missing prototypes, and disable
    use of BIO_new_file.
  * Only build the package for amd64; we're not signing an i386 shim at this
    stage so there's no point in building it.

shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low

  * Initial release.
  * Include the Canonical Secure Boot master CA.
This commit is contained in:
Julien Cristau 2016-10-15 15:17:34 +02:00 committed by Mathieu Trudel-Lapierre
parent bbfd2ab18f
commit c117735c20
17 changed files with 917 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
debian/canonical-uefi-ca.der vendored Normal file
View File

Binary file not shown.

196
debian/changelog vendored Normal file
View File

@ -0,0 +1,196 @@
shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium
[ Steve Langasek ]
* Initial Debian upload. Closes: #820052.
* Update Standards-Version.
* Embed the newly-minted Debian CA certificate.
* Vendorize debian/rules so that the same package can be used in both
Debian and Ubuntu without modification.
* Fix debian/copyright to match the spec (last match wins, not first)
* Fix shim.efi to not be executable.
* Add watchfile.
* Support parallel builds, because eh why not
* Update Vcs-Bzr.
* Resync with Ubuntu, including patch to fix debian/copyright.
[ Julien Cristau ]
* Add some missing copyright holders in d/copyright, update
Upstream-Contact. Thanks to Helen Koike for the help.
-- Julien Cristau <jcristau@debian.org> Sat, 15 Oct 2016 15:17:34 +0200
shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium
[ Helen Koike ]
* debian/copyright: add OpenSSL license
[ Mathieu Trudel-Lapierre ]
* New upstream release.
* debian/copyright: patches should be BSD, like the rest of the upstream
code.
* debian/patches/unused-variable: dropped; applied upstream.
* debian/patches/binutils-version-matching: dropped, fixed upstream.
* debian/shim.install: built EFI binaries were renamed; update our install
file to properly pick up shim (shim$arch), MokManager (mm$arch), and
fallback (fb$arch).
-- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Wed, 21 Sep 2016 20:29:44 -0400
shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium
* New upstream release.
- Better handle LoadOptions. (LP: #1581299)
- Measure state and second stage in TPM.
- Mirror MokSBState in runtime as MokSBStateRT.
- Fix failure to build with GCC 5. (LP: #1429978)
- Various bug fixes and other improvements.
* Refreshed patches.
- Remaining patches:
+ second-stage-path
+ sbsigntool-not-pesign
* debian/patches/unused-variable: remove unused variable size.
* debian/patches/binutils-version-matching: revert d9a4c912 to correctly
match objcopy's version on Ubuntu.
* debian/copyright: update copyright for patches.
-- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 26 Jul 2016 16:48:32 -0400
shim (0.8-0ubuntu2) wily; urgency=medium
* No-change rebuild against gnu-efi 3.0v-5ubuntu1.
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 12 May 2015 17:48:30 +0000
shim (0.8-0ubuntu1) wily; urgency=medium
* New upstream release.
- Clarify meaning of insecure_mode. (LP: #1384973)
* debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,
debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included
in the upstream release.
* debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path:
refreshed.
-- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com> Mon, 11 May 2015 19:50:49 -0400
shim (0.7-0ubuntu4) utopic; urgency=medium
* SECURITY UPDATE: heap overflow and out-of-bounds read access when
parsing DHCPv6 information
- debian/patches/CVE-2014-3675.patch: apply proper bounds checking
when parsing data provided in DHCPv6 packets.
- CVE-2014-3675
- CVE-2014-3676
* SECURITY UPDATE: memory corruption when processing user-provided key
lists
- debian/patches/CVE-2014-3677.patch: detect malformed machine owner
key (MOK) lists and ignore them, avoiding possible memory corruption.
- CVE-2014-3677
-- Steve Langasek <steve.langasek@ubuntu.com> Wed, 08 Oct 2014 06:40:40 +0000
shim (0.7-0ubuntu2) utopic; urgency=medium
* Restore debian/patches/prototypes, which still is needed on shim 0.7
but only detected on the buildds.
* Update debian/patches/prototypes with some new declarations needed for
openssl 0.9.8za update.
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 16:20:08 -0700
shim (0.7-0ubuntu1) utopic; urgency=medium
* New upstream release.
- fix spurious error message when fallback.efi is not present, as will
always be the case for removable media. LP: #1297069.
- drop most patches, included upstream.
* debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick
openssl 0.9.8za in via upstream.
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 05:40:41 +0000
shim (0.4-0ubuntu5) utopic; urgency=low
* Install fallback.efi.signed as well, to lay the groundwork for fallback
handling (wanted when we have to move a drive between machines, or when
the firmware loses its marbles^W nvram).
-- Steve Langasek <steve.langasek@ubuntu.com> Mon, 04 Aug 2014 12:11:13 +0200
shim (0.4-0ubuntu4) saucy; urgency=low
* debian/patches/fix-tftp-prototype: pass the right arguments to
EFI_PXE_BASE_CODE_TFTP_READ_FILE.
* debian/patches/build-with-Werror: Build with -Werror to catch future
prototype mismatches.
* debian/patches/fix-compiler-warnings: Fix remaining compiler
warnings in netboot.c.
* debian/patches/tftp-proper-nul-termination: fix nul termination
errors in filenames passed to tftp.
* debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to
the netboot code.
-- Steve Langasek <steve.langasek@ubuntu.com> Mon, 23 Sep 2013 00:30:00 -0700
shim (0.4-0ubuntu3) saucy; urgency=low
[ Steve Langasek ]
* Install MokManager.efi.signed in the package.
* debian/patches/no-output-by-default.patch: Don't print any
informational messages. Closes LP: #1074302.
[ Stéphane Graber ]
* debian/patches/no-print-on-unsigned: Don't print an error message when
validating an unsigned binary as that tends to hang Lenovo machines.
(LP: #1087501)
-- Stéphane Graber <stgraber@ubuntu.com> Thu, 08 Aug 2013 17:12:12 +0200
shim (0.4-0ubuntu2) saucy; urgency=low
* Add missing build-dependency on openssl.
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 20:30:43 +0000
shim (0.4-0ubuntu1) saucy; urgency=low
* New upstream release.
* Drop debian/patches/shim-before-loadimage; upstream has changed this to
not call loadimage at all.
* debian/patches/sbsigntool-not-pesign: Sign MokManager with
sbsigntool instead of pesign.
* Add a versioned build-dependency on gnu-efi.
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 12:53:24 -0700
shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low
* debian/patches/shim-before-loadimage: Use direct verification first
before LoadImage. Addresses an issue where Lenovo's SecureBoot
implementation pops an error message on any verification failure - avoid
calling LoadImage at all unless we have to.
-- Steve Langasek <steve.langasek@ubuntu.com> Wed, 10 Oct 2012 15:28:40 -0700
shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low
* debian/patches/second-stage-path: Chainload grubx64.efi, not
grub.efi.
-- Steve Langasek <steve.langasek@ubuntu.com> Fri, 05 Oct 2012 11:20:58 -0700
shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low
* debian/patches/prototypes: Include missing prototypes, and disable
use of BIO_new_file.
* Only build the package for amd64; we're not signing an i386 shim at this
stage so there's no point in building it.
-- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 17:47:04 +0000
shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low
* Initial release.
* Include the Canonical Secure Boot master CA.
-- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 00:01:06 -0700

1
debian/compat vendored Normal file
View File

@ -0,0 +1 @@
9

17
debian/control vendored Normal file
View File

@ -0,0 +1,17 @@
Source: shim
Section: admin
Priority: optional
Maintainer: Steve Langasek <vorlon@debian.org>
Standards-Version: 3.9.8
Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl
Vcs-Bzr: lp:~ubuntu-core-dev/shim/trunk
Package: shim
Architecture: amd64
Depends: ${shlibs:Depends}, ${misc:Depends}
Description: boot loader to chain-load signed boot loaders under Secure Boot
This package provides a minimalist boot loader which allows verifying
signatures of other UEFI binaries against either the Secure Boot DB/DBX or
against a built-in signature database. Its purpose is to allow a small,
infrequently-changing binary to be signed by the UEFI CA, while allowing
an OS distributor to revision their main bootloader independently of the CA.

254
debian/copyright vendored Normal file
View File

@ -0,0 +1,254 @@
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: shim
Upstream-Contact: Matthew Garrett <mjg59@coreos.com>
Source: https://github.com/mjg59/shim.git
Files: *
Copyright: 2012-2013 Red Hat, Inc
2009-2016 Intel Corporation
License: BSD-2-Clause
Files: debian/patches/*
Copyright: 2016 Canonical Ltd.
License: BSD-2-Clause
Files: crypt_blowfish.*
Copyright: none
License: public-domain
No copyright is claimed, and the software is hereby placed in the public
domain. In case this attempt to disclaim copyright and place the software
in the public domain is deemed null and void, then the software is
Copyright (c) 2000-2011 Solar Designer and it is hereby released to the
general public under the following terms:
.
Redistribution and use in source and binary forms, with or without
modification, are permitted.
.
There's ABSOLUTELY NO WARRANTY, express or implied.
Files: httpboot.*
Copyright: 2015 SUSE LINUX GmbH
License: BSD-2-Clause
Files: include/Http.h
Copyright: 2016 Intel Corporation
2015 Hewlett Packard Enterprise Development LP
License: BSD-2-Clause
Files: include/PeImage.h
Copyright: 2006-2010 Intel Corporation
2008-2009 Apple Inc
License: BSD-2-Clause
Files: lib/*.c
Copyright: 2011-2012 Intel Corporation
2012 <James.Bottomley@HansenPartnership.com>
2012-2013 Red Hat, Inc
License: BSD-2-Clause
Files: Cryptlib/OpenSSL/* Cryptlib/Include/openssl/*
Copyright: 1998-2016 The OpenSSL Project
1995-1998 Eric Young (eay@cryptsoft.com)
2002 Sun Microsystems, Inc
2005 Nokia
License: OpenSSL and Original-SSLeay
OpenSSL License
---------------
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
.
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in
the documentation and/or other materials provided with the
distribution.
.
3. All advertising materials mentioning features or use of this
software must display the following acknowledgment:
"This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
.
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
endorse or promote products derived from this software without
prior written permission. For written permission, please contact
openssl-core@openssl.org.
.
5. Products derived from this software may not be called "OpenSSL"
nor may "OpenSSL" appear in their names without prior written
permission of the OpenSSL Project.
.
6. Redistributions of any form whatsoever must retain the following
acknowledgment:
"This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit (http://www.openssl.org/)"
.
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
====================================================================
.
This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com). This product includes software written by Tim
Hudson (tjh@cryptsoft.com).
.
Original SSLeay License
-----------------------
This package is an SSL implementation written
by Eric Young (eay@cryptsoft.com).
The implementation was written so as to conform with Netscapes SSL.
.
This library is free for commercial and non-commercial use as long as
the following conditions are aheared to. The following conditions
apply to all code found in this distribution, be it the RC4, RSA,
lhash, DES, etc., code; not just the SSL code. The SSL documentation
included with this distribution is covered by the same copyright terms
except that the holder is Tim Hudson (tjh@cryptsoft.com).
.
Copyright remains Eric Young's, and as such any Copyright notices in
the code are not to be removed.
If this package is used in a product, Eric Young should be given attribution
as the author of the parts of the library used.
This can be in the form of a textual message at program startup or
in documentation (online or textual) provided with the package.
.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software
must display the following acknowledgement:
"This product includes cryptographic software written by
Eric Young (eay@cryptsoft.com)"
The word 'cryptographic' can be left out if the rouines from the library
being used are not cryptographic related :-).
4. If you include any Windows specific code (or a derivative thereof) from
the apps directory (application code) you must include an acknowledgement:
"This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
.
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
.
The licence and distribution terms for any publically available version or
derivative of this code cannot be changed. i.e. this code cannot simply be
copied and put under another distribution licence
[including the GNU Public Licence.]
Files: Cryptlib/Include/openssl/seed.h
Copyright: 2007 KISA(Korea Information Security Agency)
License: BSD-2-Clause
Files: Cryptlib/OpenSSL/crypto/o_dir.h Cryptlib/OpenSSL/crypto/LPdir_nyi.c
Copyright: 2004, Richard Levitte <richard@levitte.org>
License: BSD-2-Clause
Files: Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c Cryptlib/OpenSSL/crypto/x509v3/v3_pcia.c
Copyright: 2004 Kungliga Tekniska Högskolan
License: BSD-3-Clause-Institute
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
.
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
.
3. Neither the name of the Institute nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
.
THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
Files: Cryptlib/OpenSSL/crypto/bn/rsaz_exp.h
Copyright: 2012, Intel Corporation
License: BSD-3-Clause-Intel
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
.
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the
distribution.
.
* Neither the name of the Intel Corporation nor the names of its
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
.
THIS SOFTWARE IS PROVIDED BY INTEL CORPORATION ""AS IS"" AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL INTEL CORPORATION OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
License: BSD-2-Clause
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
.
Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
.
Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the
distribution.
.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.

BIN
debian/debian-uefi-ca.der vendored Normal file
View File

Binary file not shown.

45
debian/patches/gcc-5.diff vendored Normal file
View File

@ -0,0 +1,45 @@
---
Cryptlib/Makefile | 2 +-
Cryptlib/OpenSSL/Makefile | 2 +-
Makefile | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
Index: b/Makefile
===================================================================
--- a/Makefile
+++ b/Makefile
@@ -19,7 +19,7 @@ EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(A
EFI_LDS = elf_$(ARCH)_efi.lds
DEFAULT_LOADER := \\\\grubx64.efi
-CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
+CFLAGS = -std=gnu89 -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
-fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
-Werror=sign-compare \
"-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
Index: b/Cryptlib/Makefile
===================================================================
--- a/Cryptlib/Makefile
+++ b/Cryptlib/Makefile
@@ -1,7 +1,7 @@
EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
-CFLAGS = -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
+CFLAGS = -std=gnu89 -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
-Wall $(EFI_INCLUDES)
ifeq ($(ARCH),x86_64)
Index: b/Cryptlib/OpenSSL/Makefile
===================================================================
--- a/Cryptlib/OpenSSL/Makefile
+++ b/Cryptlib/OpenSSL/Makefile
@@ -1,7 +1,7 @@
EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
-CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \
+CFLAGS = -std=gnu89 -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \
-Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC
ifeq ($(ARCH),x86_64)

129
debian/patches/gcc5-includes-stdarg.patch vendored Normal file
View File

@ -0,0 +1,129 @@
From d51739a416400ad348d8a1c7e3886abce11fff1b Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 7 Apr 2015 11:59:25 -0400
Subject: [PATCH] gcc 5.0 changes some include bits, so copy what arm does on
x86.
Basically they messed around with stdarg some and now we need to do it
the other way.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
Cryptlib/Include/OpenSslSupport.h | 4 +++-
Cryptlib/Makefile | 3 ++-
Cryptlib/OpenSSL/Makefile | 5 +++--
Makefile | 17 ++++++-----------
MokManager.c | 1 +
5 files changed, 15 insertions(+), 15 deletions(-)
Index: b/Cryptlib/Include/OpenSslSupport.h
===================================================================
--- a/Cryptlib/Include/OpenSslSupport.h
+++ b/Cryptlib/Include/OpenSslSupport.h
@@ -34,7 +34,7 @@ typedef VOID *FILE;
//
// Map all va_xxxx elements to VA_xxx defined in MdePkg/Include/Base.h
//
-#if !defined(__CC_ARM) // if va_list is not already defined
+#if !defined(__CC_ARM) || defined(_STDARG_H) // if va_list is not already defined
/*
* These are now unconditionally #defined by GNU_EFI's efistdarg.h,
* so we should #undef them here before providing a new definition.
@@ -94,7 +94,9 @@ typedef __builtin_va_list VA_LIST;
portably, hence it is provided by a Standard C header file.
For pre-Standard C compilers, here is a version that usually works
(but watch out!): */
+#ifndef offsetof
#define offsetof(type, member) ( (int) & ((type*)0) -> member )
+#endif
//
// Basic types from EFI Application Toolkit required to buiild Open SSL
Index: b/Cryptlib/Makefile
===================================================================
--- a/Cryptlib/Makefile
+++ b/Cryptlib/Makefile
@@ -2,7 +2,8 @@
EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
CFLAGS = -std=gnu89 -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
- -Wall $(EFI_INCLUDES)
+ -Wall $(EFI_INCLUDES) \
+ -ffreestanding -I$(shell $(CC) -print-file-name=include)
ifeq ($(ARCH),x86_64)
CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \
Index: b/Cryptlib/OpenSSL/Makefile
===================================================================
--- a/Cryptlib/OpenSSL/Makefile
+++ b/Cryptlib/OpenSSL/Makefile
@@ -2,6 +2,7 @@
EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
CFLAGS = -std=gnu89 -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \
+ -ffreestanding -I$(shell $(CC) -print-file-name=include) \
-Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC
ifeq ($(ARCH),x86_64)
@@ -13,10 +14,10 @@ ifeq ($(ARCH),ia32)
-m32 -DTHIRTY_TWO_BIT
endif
ifeq ($(ARCH),aarch64)
- CFLAGS += -O2 -DSIXTY_FOUR_BIT_LONG -ffreestanding -I$(shell $(CC) -print-file-name=include)
+ CFLAGS += -O2 -DSIXTY_FOUR_BIT_LONG
endif
ifeq ($(ARCH),arm)
- CFLAGS += -O2 -DTHIRTY_TWO_BIT -ffreestanding -I$(shell $(CC) -print-file-name=include)
+ CFLAGS += -O2 -DTHIRTY_TWO_BIT
endif
LDFLAGS = -nostdlib -znocombreloc
Index: b/Makefile
===================================================================
--- a/Makefile
+++ b/Makefile
@@ -21,7 +21,8 @@ EFI_LDS = elf_$(ARCH)_efi.lds
DEFAULT_LOADER := \\\\grubx64.efi
CFLAGS = -std=gnu89 -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
-fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
- -Werror=sign-compare \
+ -Werror=sign-compare -ffreestanding \
+ -I$(shell $(CC) -print-file-name=include) \
"-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
"-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
$(EFI_INCLUDES)
@@ -31,19 +32,13 @@ ifneq ($(origin OVERRIDE_SECURITY_POLICY
endif
ifeq ($(ARCH),x86_64)
- CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \
+ CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
+ -maccumulate-outgoing-args \
-DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI
endif
ifeq ($(ARCH),ia32)
- CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -m32
-endif
-
-ifeq ($(ARCH),aarch64)
- CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include)
-endif
-
-ifeq ($(ARCH),arm)
- CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include)
+ CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
+ -maccumulate-outgoing-args -m32
endif
ifneq ($(origin VENDOR_CERT_FILE), undefined)
Index: b/MokManager.c
===================================================================
--- a/MokManager.c
+++ b/MokManager.c
@@ -1,5 +1,6 @@
#include <efi.h>
#include <efilib.h>
+#include <stdarg.h>
#include <Library/BaseCryptLib.h>
#include <openssl/x509.h>
#include "shim.h"

191
debian/patches/prototypes vendored Normal file
View File

@ -0,0 +1,191 @@
Description: Include missing prototypes, and disable use of BIO_new_file
Pull in missing prototypes for functions that are not yet upstream in
gnu-efi, and #ifdef out references to BIO_new_file(), BIO_new_fp(), and
X509_load_{cert,crl}_file since the prototypes are themselves #ifdef'ed
out.
.
Without these prototypes, we get implicit conversions on amd64, which
are sensibly treated as a build failure by Launchpad.
Author: Steve Langasek <steve.langasek@ubuntu.com>
Index: shim/Cryptlib/Library/BaseMemoryLib.h
===================================================================
--- /dev/null
+++ shim/Cryptlib/Library/BaseMemoryLib.h
@@ -0,0 +1,41 @@
+#ifndef __BASE_MEMORY_LIB__
+#define __BASE_MEMORY_LIB__
+
+CHAR8 *
+ScanMem8 (
+ IN CHAR8 *Buffer,
+ IN UINTN Size,
+ IN CHAR8 Value
+ );
+
+UINT32
+WriteUnaligned32(
+ UINT32 *Buffer,
+ UINT32 Value
+ );
+
+CHAR8 *
+AsciiStrCat(
+ CHAR8 *Destination,
+ CHAR8 *Source
+ );
+
+CHAR8 *
+AsciiStrCpy(
+ CHAR8 *Destination,
+ CHAR8 *Source
+ );
+
+CHAR8 *
+AsciiStrnCpy(
+ CHAR8 *Destination,
+ CHAR8 *Source,
+ UINTN count
+ );
+
+UINTN
+AsciiStrSize(
+ CHAR8 *string
+ );
+
+#endif
Index: shim/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c
===================================================================
--- shim.orig/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c
+++ shim/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c
@@ -157,6 +157,7 @@
}
OPENSSL_free(tmp_data2);
}
+#ifndef OPENSSL_NO_STDIO
else if (strncmp(val->value, "file:", 5) == 0)
{
unsigned char buf[2048];
@@ -194,6 +195,7 @@
goto err;
}
}
+#endif
else if (strncmp(val->value, "text:", 5) == 0)
{
val_len = strlen(val->value + 5);
Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_def.c
===================================================================
--- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_def.c
+++ shim/Cryptlib/OpenSSL/crypto/conf/conf_def.c
@@ -186,11 +186,13 @@
int ret;
BIO *in=NULL;
+#ifndef OPENSSL_NO_STDIO
#ifdef OPENSSL_SYS_VMS
in=BIO_new_file(name, "r");
#else
in=BIO_new_file(name, "rb");
#endif
+#endif
if (in == NULL)
{
if (ERR_GET_REASON(ERR_peek_last_error()) == BIO_R_NO_SUCH_FILE)
Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_lib.c
===================================================================
--- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_lib.c
+++ shim/Cryptlib/OpenSSL/crypto/conf/conf_lib.c
@@ -92,11 +92,13 @@
LHASH *ltmp;
BIO *in=NULL;
+#ifndef OPENSSL_NO_STDIO
#ifdef OPENSSL_SYS_VMS
in=BIO_new_file(file, "r");
#else
in=BIO_new_file(file, "rb");
#endif
+#endif
if (in == NULL)
{
CONFerr(CONF_F_CONF_LOAD,ERR_R_SYS_LIB);
Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_sap.c
===================================================================
--- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_sap.c
+++ shim/Cryptlib/OpenSSL/crypto/conf/conf_sap.c
@@ -93,12 +93,14 @@
{
BIO *bio_err;
ERR_load_crypto_strings();
+#ifndef OPENSSL_NO_STDIO
if ((bio_err=BIO_new_fp(stderr, BIO_NOCLOSE)) != NULL)
{
BIO_printf(bio_err,"Auto configuration failed\n");
ERR_print_errors(bio_err);
BIO_free(bio_err);
}
+#endif
exit(1);
}
Index: shim/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c
===================================================================
--- shim.orig/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c
+++ shim/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c
@@ -374,11 +374,15 @@
BIO *in;
EVP_PKEY *key;
fprintf(stderr, "(TEST_ENG_OPENSSL_PKEY)Loading Private key %s\n", key_id);
+#ifndef OPENSSL_NO_STDIO
in = BIO_new_file(key_id, "r");
if (!in)
return NULL;
key = PEM_read_bio_PrivateKey(in, NULL, 0, NULL);
BIO_free(in);
+#else
+ return NULL;
+#endif
return key;
}
#endif
Index: shim/Cryptlib/OpenSSL/crypto/x509/by_dir.c
===================================================================
--- shim.orig/Cryptlib/OpenSSL/crypto/x509/by_dir.c
+++ shim/Cryptlib/OpenSSL/crypto/x509/by_dir.c
@@ -92,8 +92,10 @@
static int new_dir(X509_LOOKUP *lu);
static void free_dir(X509_LOOKUP *lu);
static int add_cert_dir(BY_DIR *ctx,const char *dir,int type);
+#ifndef OPENSSL_NO_STDIO
static int get_cert_by_subject(X509_LOOKUP *xl,int type,X509_NAME *name,
X509_OBJECT *ret);
+#endif
X509_LOOKUP_METHOD x509_dir_lookup=
{
"Load certs from files in a directory",
@@ -102,7 +104,11 @@
NULL, /* init */
NULL, /* shutdown */
dir_ctrl, /* ctrl */
+#ifdef OPENSSL_NO_STDIO
+ NULL, /* get_by_subject */
+#else
get_cert_by_subject, /* get_by_subject */
+#endif
NULL, /* get_by_issuer_serial */
NULL, /* get_by_fingerprint */
NULL, /* get_by_alias */
@@ -242,6 +248,7 @@
return(1);
}
+#ifndef OPENSSL_NO_STDIO
static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
X509_OBJECT *ret)
{
@@ -383,3 +390,4 @@
if (b != NULL) BUF_MEM_free(b);
return(ok);
}
+#endif

26
debian/patches/sbsigntool-not-pesign vendored Normal file
View File

@ -0,0 +1,26 @@
Description: Sign MokManager with sbsigntool instead of pesign
Ubuntu infrastructure uses sbsigntool for all other EFI signing, so we use
the same thing for signing MokManager with our ephemeral key. This also
avoids an additional build dependency on libnss3-tools.
Author: Steve Langasek <steve.langasek@canonical.com>
Forwarded: not-needed
---
Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Index: b/Makefile
===================================================================
--- a/Makefile
+++ b/Makefile
@@ -158,8 +158,8 @@ endif
-j .note.gnu.build-id \
$(FORMAT) $^ $@.debug
-%.efi.signed: %.efi certdb/secmod.db
- pesign -n certdb -i $< -c "shim" -s -o $@ -f
+%.efi.signed: %.efi shim.crt
+ sbsign --key shim.key --cert shim.crt $<
clean:
$(MAKE) -C Cryptlib clean

24
debian/patches/second-stage-path vendored Normal file
View File

@ -0,0 +1,24 @@
Description: Chainload grubx64.efi, not grub.efi
We qualify the second stage bootloader image with the architecture name,
so we're forwards-compatible with any future 32-bit implementations.
(Non-SB grub doesn't conflict, since the image will be named bootia32.efi
anyway, not grub.efi.)
Author: Steve Langasek <steve.langasek@ubuntu.com>
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: b/Makefile
===================================================================
--- a/Makefile
+++ b/Makefile
@@ -25,7 +25,7 @@ EFI_LIBS = -lefi -lgnuefi --start-group
EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
EFI_LDS = elf_$(ARCH)_efi.lds
-DEFAULT_LOADER := \\\\grub.efi
+DEFAULT_LOADER := \\\\grubx64.efi
CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
-fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
-Werror=sign-compare -ffreestanding -std=gnu89 \

2
debian/patches/series vendored Normal file
View File

@ -0,0 +1,2 @@
second-stage-path
sbsigntool-not-pesign

21
debian/rules vendored Executable file
View File

@ -0,0 +1,21 @@
#!/usr/bin/make -f
# Other vendors, add your certs here. No sense in using
# dpkg-vendor --derives-from, because only Canonical-generated binaries will
# be signed with this key; so if you are building your own shim binary you
# should be building the other binaries also.
ifeq ($(shell dpkg-vendor --is ubuntu && echo yes),yes)
cert=debian/canonical-uefi-ca.der
else
cert=debian/debian-uefi-ca.der
endif
%:
dh $@ --parallel
override_dh_auto_build:
dh_auto_build -- EFI_PATH=/usr/lib VENDOR_CERT_FILE=$(cert)
override_dh_fixperms:
dh_fixperms
chmod a-x debian/shim/usr/lib/shim/shimx64.efi

3
debian/shim.install vendored Normal file
View File

@ -0,0 +1,3 @@
shim*.efi /usr/lib/shim
mm*.efi.signed /usr/lib/shim
fb*.efi.signed /usr/lib/shim

1
debian/source/format vendored Normal file
View File

@ -0,0 +1 @@
3.0 (quilt)

2
debian/source/include-binaries vendored Normal file
View File

@ -0,0 +1,2 @@
debian/canonical-uefi-ca.der
debian/debian-uefi-ca.der

5
debian/watch vendored Normal file
View File

@ -0,0 +1,5 @@
# Compulsory line, this is a version 4 file
version=4
opts="repack,compression=xz,filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/shim-$1\.tar\.gz/" \
https://github.com/mjg59/shim/releases .*/v?(\d\S*)\.tar\.gz