Merge git into history

2025-08-14 05:09:40 +00:00 · 2016-09-19 15:42:43 -07:00 · 2016-09-19 15:42:43 -07:00 · dd00e8761d
commit dd00e8761d
parent d7e4fd12a1 cffaa5078d
12 changed files with 2942 additions and 16 deletions
--- a/.pc/applied-patches
+++ b/.pc/applied-patches
@ -1,2 +1,4 @@
 second-stage-path
 sbsigntool-not-pesign
+unused-variable
+binutils-version-matching
--- a/.pc/binutils-version-matching/Makefile
+++ b/.pc/binutils-version-matching/Makefile
@ -0,0 +1,197 @@
+VERSION		= 0.9
+RELEASE		:=
+ifneq ($(RELEASE),"")
+	RELEASE:="-$(RELEASE)"
+endif
+
+CC		= $(CROSS_COMPILE)gcc
+LD		= $(CROSS_COMPILE)ld
+OBJCOPY		= $(CROSS_COMPILE)objcopy
+
+ARCH		= $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,)
+OBJCOPY_GTE224  = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.version //g' | cut -f1-2 -d.` \>= 2.24)
+
+SUBDIRS		= Cryptlib lib
+
+LIB_PATH	= /usr/lib64
+
+EFI_INCLUDE	:= /usr/include/efi
+EFI_INCLUDES	= -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -I$(shell pwd)/include
+EFI_PATH	:= /usr/lib64/gnuefi
+
+LIB_GCC		= $(shell $(CC) -print-libgcc-file-name)
+EFI_LIBS	= -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC) 
+
+EFI_CRT_OBJS 	= $(EFI_PATH)/crt0-efi-$(ARCH).o
+EFI_LDS		= elf_$(ARCH)_efi.lds
+
+DEFAULT_LOADER	:= \\\\grubx64.efi
+CFLAGS		= -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
+		  -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
+		  -Werror=sign-compare -ffreestanding -std=gnu89 \
+		  -I$(shell $(CC) -print-file-name=include) \
+		  "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
+		  "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
+		  $(EFI_INCLUDES)
+
+ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
+	CFLAGS	+= -DOVERRIDE_SECURITY_POLICY
+endif
+
+ifeq ($(ARCH),x86_64)
+	CFLAGS	+= -mno-mmx -mno-sse -mno-red-zone -nostdinc \
+		-maccumulate-outgoing-args \
+		-DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \
+		-DNO_BUILTIN_VA_FUNCS \
+		"-DEFI_ARCH=L\"x64\"" \
+		"-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/x64-$(VERSION)$(RELEASE)/\""
+endif
+ifeq ($(ARCH),ia32)
+	CFLAGS	+= -mno-mmx -mno-sse -mno-red-zone -nostdinc \
+		-maccumulate-outgoing-args -m32 \
+		"-DEFI_ARCH=L\"ia32\"" \
+		"-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/ia32-$(VERSION)$(RELEASE)/\""
+endif
+ifeq ($(ARCH),aarch64)
+	CFLAGS += "-DEFI_ARCH=L\"aa64\"" \
+		"-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/aa64-$(VERSION)$(RELEASE)/\""
+endif
+
+ifneq ($(origin VENDOR_CERT_FILE), undefined)
+	CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
+endif
+ifneq ($(origin VENDOR_DBX_FILE), undefined)
+	CFLAGS += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\"
+endif
+
+LDFLAGS		= --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) --build-id=sha1
+
+TARGET	= shim.efi MokManager.efi.signed fallback.efi.signed
+OBJS	= shim.o netboot.o cert.o replacements.o tpm.o version.o
+KEYS	= shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
+SOURCES	= shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h tpm.c tpm.h version.c version.h
+MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o
+MOK_SOURCES = MokManager.c shim.h include/console.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h
+FALLBACK_OBJS = fallback.o
+FALLBACK_SRCS = fallback.c
+
+all: $(TARGET)
+
+shim.crt:
+	./make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
+
+shim.cer: shim.crt
+	openssl x509 -outform der -in $< -out $@
+
+shim_cert.h: shim.cer
+	echo "static UINT8 shim_cert[] = {" > $@
+	hexdump -v -e '1/1 "0x%02x, "' $< >> $@
+	echo "};" >> $@
+
+version.c : version.c.in
+	sed	-e "s,@@VERSION@@,$(VERSION)," \
+		-e "s,@@UNAME@@,$(shell uname -a)," \
+		-e "s,@@COMMIT@@,$(shell if [ -d .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo commit id not available; fi)," \
+		< version.c.in > version.c
+
+certdb/secmod.db: shim.crt
+	-mkdir certdb
+	pk12util -d certdb/ -i shim.p12 -W "" -K ""
+	certutil -d certdb/ -A -i shim.crt -n shim -t u
+
+shim.o: $(SOURCES) shim_cert.h
+shim.o: $(wildcard *.h)
+
+cert.o : cert.S
+	$(CC) $(CFLAGS) -c -o $@ $<
+
+shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
+	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
+
+fallback.o: $(FALLBACK_SRCS)
+
+fallback.so: $(FALLBACK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
+	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
+
+MokManager.o: $(MOK_SOURCES)
+
+MokManager.so: $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
+	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a
+
+Cryptlib/libcryptlib.a:
+	$(MAKE) -C Cryptlib
+
+Cryptlib/OpenSSL/libopenssl.a:
+	$(MAKE) -C Cryptlib/OpenSSL
+
+lib/lib.a:
+	$(MAKE) CFLAGS="$(CFLAGS)" -C lib
+
+ifeq ($(ARCH),aarch64)
+FORMAT		:= -O binary
+SUBSYSTEM	:= 0xa
+LDFLAGS		+= --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
+endif
+
+ifeq ($(ARCH),arm)
+FORMAT		:= -O binary
+SUBSYSTEM	:= 0xa
+LDFLAGS		+= --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
+endif
+
+FORMAT		?= --target efi-app-$(ARCH)
+
+%.efi: %.so
+ifneq ($(OBJCOPY_GTE224),1)
+	$(error objcopy >= 2.24 is required)
+endif
+	$(OBJCOPY) -j .text -j .sdata -j .data \
+		-j .dynamic -j .dynsym  -j .rel* \
+		-j .rela* -j .reloc -j .eh_frame \
+		-j .vendor_cert \
+		$(FORMAT)  $^ $@
+	$(OBJCOPY) -j .text -j .sdata -j .data \
+		-j .dynamic -j .dynsym  -j .rel* \
+		-j .rela* -j .reloc -j .eh_frame \
+		-j .debug_info -j .debug_abbrev -j .debug_aranges \
+		-j .debug_line -j .debug_str -j .debug_ranges \
+		-j .note.gnu.build-id \
+		$(FORMAT) $^ $@.debug
+
+%.efi.signed: %.efi shim.crt
+	sbsign --key shim.key --cert shim.crt $<
+
+clean:
+	$(MAKE) -C Cryptlib clean
+	$(MAKE) -C Cryptlib/OpenSSL clean
+	$(MAKE) -C lib clean
+	rm -rf $(TARGET) $(OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb
+	rm -f *.debug *.so *.efi *.tar.* version.c
+
+GITTAG = $(VERSION)
+
+test-archive:
+	@rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp
+	@mkdir -p /tmp/shim-$(VERSION)-tmp
+	@git archive --format=tar $(shell git branch | awk '/^*/ { print $$2 }') | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x )
+	@git diff | ( cd /tmp/shim-$(VERSION)-tmp/ ; patch -s -p1 -b -z .gitdiff )
+	@mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/
+	@git log -1 --pretty=format:%H > /tmp/shim-$(VERSION)/commit
+	@dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION)
+	@rm -rf /tmp/shim-$(VERSION)
+	@echo "The archive is in shim-$(VERSION).tar.bz2"
+
+tag:
+	git tag --sign $(GITTAG) refs/heads/master
+
+archive: tag
+	@rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp
+	@mkdir -p /tmp/shim-$(VERSION)-tmp
+	@git archive --format=tar $(GITTAG) | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x )
+	@mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/
+	@git log -1 --pretty=format:%H > /tmp/shim-$(VERSION)/commit
+	@dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION)
+	@rm -rf /tmp/shim-$(VERSION)
+	@echo "The archive is in shim-$(VERSION).tar.bz2"
+
+export ARCH CC LD OBJCOPY EFI_INCLUDE
--- a/.pc/unused-variable/shim.c
+++ b/.pc/unused-variable/shim.c
--- a/2
+++ b/2
@ -9,7 +9,7 @@ LD		= $(CROSS_COMPILE)ld
 OBJCOPY		= $(CROSS_COMPILE)objcopy

 ARCH		= $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,)
-OBJCOPY_GTE224  = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.version //g' | cut -f1-2 -d.` \>= 2.24)
+OBJCOPY_GTE224  = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.* //g' | cut -f1-2 -d.` \>= 2.24)

 SUBDIRS		= Cryptlib lib

--- a/debian/changelog
+++ b/debian/changelog
@ -1,16 +1,21 @@
-shim (0.9+1465500757.14a5905-0ubuntu1) UNRELEASED; urgency=medium
+shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium

  * New upstream release.
- 
-  [ Matthias Klose ]
-  * Fix build with GCC 5, forcing -std=gnu89 to not rely on stdint.h
-    required by efibind.h, and not found with -nostdinc. (LP: #1429978)
+    - Better handle LoadOptions. (LP: #1581299)
+    - Measure state and second stage in TPM.
+    - Mirror MokSBState in runtime as MokSBStateRT.
+    - Fix failure to build with GCC 5. (LP: #1429978)
+    - Various bug fixes and other improvements.
+  * Refreshed patches.
+    - Remaining patches:
+      + second-stage-path
+      + sbsigntool-not-pesign 
+  * debian/patches/unused-variable: remove unused variable size.
+  * debian/patches/binutils-version-matching: revert d9a4c912 to correctly
+    match objcopy's version on Ubuntu.
+  * debian/copyright: update copyright for patches.

-  [ Mathieu Trudel-Lapierre ]
-  * More GCC 5 fixes: stdarg.h and other include tweaks, cherry-pick from
-    d51739a4.
-
- -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Tue, 26 Jul 2016 12:02:21 -0400
+ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Tue, 26 Jul 2016 16:48:32 -0400

 shim (0.8-0ubuntu2) wily; urgency=medium

--- a/debian/copyright
+++ b/debian/copyright
@ -3,6 +3,24 @@ Upstream-Name: shim
 Upstream-Contact: Matthew Garrett <mjg@redhat.com>
 Source: https://github.com/mjg59/shim.git

+Files: debian/patches/*
+Copyright: 2016 Canonical Ltd.
+License: GPL-2
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>
+ .
+ On Debian systems, the complete text of the GNU General
+ Public License can be found in `/usr/share/common-licenses/GPL-2'.
+
 Files: *
 Copyright: 2012 Red Hat, Inc
 	2009-2012 Intel Corporation
--- a/debian/patches/binutils-version-matching
+++ b/debian/patches/binutils-version-matching
@ -0,0 +1,26 @@
+From: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
+Subject: Revert d9a4c912 to fix matching binutils version on Ubuntu.
+
+That commit breaks on Ubuntu as we don't just have "version xyz", but rather
+just the version number at the end of the version string, which looks like
+this:
+
+  "GNU objcopy (GNU Binutils for Ubuntu) 2.26"
+
+---
+ Makefile |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: b/Makefile
+===================================================================
+--- a/Makefile
+++ b/Makefile
+@@ -9,7 +9,7 @@ LD		= $(CROSS_COMPILE)ld
+ OBJCOPY		= $(CROSS_COMPILE)objcopy
+ 
+ ARCH		= $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,)
+-OBJCOPY_GTE224  = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.version //g' | cut -f1-2 -d.` \>= 2.24)
+OBJCOPY_GTE224  = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.* //g' | cut -f1-2 -d.` \>= 2.24)
+ 
+ SUBDIRS		= Cryptlib lib
+ 
--- a/debian/patches/sbsigntool-not-pesign
+++ b/debian/patches/sbsigntool-not-pesign
@ -13,8 +13,8 @@ Index: b/Makefile
 ===================================================================
 --- a/Makefile
 +++ b/Makefile
-@@ -144,8 +144,8 @@ FORMAT		?= --target efi-app-$(ARCH)
- 		-j .debug_line -j .debug_str -j .debug_ranges \
+@@ -158,8 +158,8 @@ endif
+ 		-j .note.gnu.build-id \
 		$(FORMAT) $^ $@.debug
 
 -%.efi.signed: %.efi certdb/secmod.db
--- a/debian/patches/second-stage-path
+++ b/debian/patches/second-stage-path
@ -13,7 +13,7 @@ Index: b/Makefile
 ===================================================================
 --- a/Makefile
 +++ b/Makefile
-@@ -18,7 +18,7 @@ EFI_LIBS	= -lefi -lgnuefi --start-group
+@@ -25,7 +25,7 @@ EFI_LIBS	= -lefi -lgnuefi --start-group
 EFI_CRT_OBJS 	= $(EFI_PATH)/crt0-efi-$(ARCH).o
 EFI_LDS		= elf_$(ARCH)_efi.lds
 
@ -21,4 +21,4 @@ Index: b/Makefile
 +DEFAULT_LOADER	:= \\\\grubx64.efi
 CFLAGS		= -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
 		  -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
- 		  -Werror=sign-compare \
+ 		  -Werror=sign-compare -ffreestanding -std=gnu89 \
--- a/debian/patches/series
+++ b/debian/patches/series
@ -1,2 +1,4 @@
 second-stage-path
 sbsigntool-not-pesign
+unused-variable
+binutils-version-matching
--- a/debian/patches/unused-variable
+++ b/debian/patches/unused-variable
@ -0,0 +1,19 @@
+From: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
+Subject: Remove unused variable; pointed out by Werror=unused-variable
+
+---
+ shim.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+Index: b/shim.c
+===================================================================
+--- a/shim.c
+++ b/shim.c
+@@ -1118,7 +1118,6 @@ static EFI_STATUS handle_image (void *da
+ 	EFI_STATUS efi_status;
+ 	char *buffer;
+ 	int i;
+-	unsigned int size;
+ 	EFI_IMAGE_SECTION_HEADER *Section;
+ 	char *base, *end;
+ 	PE_COFF_LOADER_IMAGE_CONTEXT context;
--- a/shim.c
+++ b/shim.c
@ -1118,7 +1118,6 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize,
 	EFI_STATUS efi_status;
 	char *buffer;
 	int i;
-	unsigned int size;
 	EFI_IMAGE_SECTION_HEADER *Section;
 	char *base, *end;
 	PE_COFF_LOADER_IMAGE_CONTEXT context;