Add shim-$arch-signed-template support

for getting the MOK-manager and fall-back binary to be signed by Debians
singing service instead of using an ephemeral key.

Closes: #922228
This commit is contained in:
Philipp Hahn 2018-04-07 20:47:49 +02:00 committed by Luca Boccassi
parent c2dbb9ef4e
commit f7add2255f
12 changed files with 181 additions and 0 deletions

1
debian/changelog vendored
View File

@ -4,6 +4,7 @@ shim (15+1533136590.3beb971-3) UNRELEASED; urgency=medium
* debian/rules: fixing permissions no longer required
* debian/rules: Disable ephemeral key on Debian.
* Rename binary package to 'shim-unsigned'
* Add template for signing {mm,fb}$ARCH.efi. (Closes: #922228)
-- Luca Boccassi <bluca@debian.org> Fri, 15 Feb 2019 19:50:10 +0000

21
debian/control vendored
View File

@ -18,3 +18,24 @@ Description: boot loader to chain-load signed boot loaders under Secure Boot
against a built-in signature database. Its purpose is to allow a small,
infrequently-changing binary to be signed by the UEFI CA, while allowing
an OS distributor to revision their main bootloader independently of the CA.
Package: shim-amd64-signed-template
Architecture: amd64
Depends: ${misc:Depends},
Description: boot loader to chain-load signed boot loaders (signing template)
This package contains template files for shim-amd64-signed.
This is only needed for Secure Boot singing.
Package: shim-i386-signed-template
Architecture: i386
Depends: ${misc:Depends},
Description: boot loader to chain-load signed boot loaders (signing template)
This package contains template files for shim-i386-signed.
This is only needed for Secure Boot singing.
Package: shim-arm64-signed-template
Architecture: arm64
Depends: ${misc:Depends},
Description: boot loader to chain-load signed boot loaders (signing template)
This package contains template files for shim-arm64-signed.
This is only needed for Secure Boot singing.

1
debian/rules vendored
View File

@ -46,3 +46,4 @@ override_dh_auto_build:
override_dh_auto_install:
dh_auto_install --destdir=debian/tmp -- $(COMMON_OPTIONS)
./debian/signing-template.generate

41
debian/signing-template.generate vendored Executable file
View File

@ -0,0 +1,41 @@
#!/bin/sh
set -e -u
distribution="$(dpkg-parsechangelog -S Distribution)"
urgency="$(dpkg-parsechangelog -S Urgency)"
date="$(dpkg-parsechangelog -S Date)"
version_binary="$(dpkg-parsechangelog -S Version)"
version_mangled="$(dpkg-parsechangelog -S Version | tr '-' '+')"
subst () {
sed \
-e "s/@efi@/${EFI_ARCH}/g" \
-e "s/@arch@/${DEB_HOST_ARCH}/g" \
-e "s/@version_binary@/${version_binary}/g" \
-e "s/@version_mangled@/${version_mangled}/g" \
-e "s/@distribution@/${distribution}/g" \
-e "s/@urgency@/${urgency}/g" \
-e "s/@date@/${date}/g" \
"$@"
}
template='./debian/signing-template'
pkg_name="shim-${DEB_HOST_ARCH}-signed-template"
pkg_dir="debian/${pkg_name}/usr/share/code-signing/${pkg_name}"
pkg_deb="${pkg_dir}/source-template/debian"
install -o 0 -g 0 -m 0755 -d "${pkg_dir}"
subst < ./debian/signing-template.json.in > "${pkg_dir}/files.json"
find "${template}" -type f -printf '%P\n' |
while read path
do
src="${template}/${path}"
dst="${pkg_deb}/${path}"
install -o 0 -g 0 -m 0755 -d "${dst%/*}"
subst < "${src}" > "${dst%.in}"
chmod --reference="${src}" "${dst%.in}"
done
exit 0

6
debian/signing-template.json.in vendored Normal file
View File

@ -0,0 +1,6 @@
{"shim-unsigned": {
"files": [
{"sig_type": "efi", "file": "usr/lib/shim/fb@efi@.efi"},
{"sig_type": "efi", "file": "usr/lib/shim/mm@efi@.efi"}
]
}}

4
debian/signing-template/README.source vendored Normal file
View File

@ -0,0 +1,4 @@
This source package is generated by the Debian signing service from a
template built by the shim package. It should never be updated directly.
-- Philipp Matthias Hahn <pmhahn@debian.org> Sat, 07 Apr 2018 16:26:11 +0200

11
debian/signing-template/changelog.in vendored Normal file
View File

@ -0,0 +1,11 @@
shim-@arch@-signed (1+@version_mangled@) @distribution@; urgency=@urgency@
* Update to shim @version_binary@
-- Debian signing service <ftpmaster@debian.org> @date@
shim-@arch@-signed (1) unstable; urgency=medium
* Add template source package for signing
-- Philipp Matthias Hahn <pmhahn@debian.org> Sat, 07 Apr 2018 17:16:27 +0200

1
debian/signing-template/compat vendored Normal file
View File

@ -0,0 +1 @@
9

25
debian/signing-template/control.in vendored Normal file
View File

@ -0,0 +1,25 @@
Source: shim-@arch@-signed
Section: admin
Priority: optional
Maintainer: Steve Langasek <vorlon@debian.org>
Standards-Version: 3.9.8
Build-Depends: debhelper (>= 10.1~),
sbsigntool [amd64 arm64 i386],
shim-unsigned (= @version_binary@),
Rules-Requires-Root: no
Package: shim-@arch@-signed
Architecture: @arch@
Conflicts: shim (<< 15+1533136590.3beb971-3~),
Replaces: shim (<< 15+1533136590.3beb971-3~),
Depends: shim-unsigned (= @version_binary@), ${misc:Depends},
Built-Using: shim (= @version_binary@)
Description: boot loader to chain-load signed boot loaders (signed by Debian)
This package provides a minimalist boot loader which allows verifying
signatures of other UEFI binaries against either the Secure Boot DB/DBX or
against a built-in signature database. Its purpose is to allow a small,
infrequently-changing binary to be signed by the UEFI CA, while allowing
an OS distributor to revision their main bootloader independently of the CA.
.
This package contains the MOK manager and fall-back manager signed by the
Debian UEFI CA to be used by shim-signed.

51
debian/signing-template/copyright vendored Normal file
View File

@ -0,0 +1,51 @@
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Comment:
This file describes only the shim-signed source package.
Files: debian/signatures/*
License: public-domain
Digital signatures and certificates are presumed not to be
copyrightable works, and no copyright is claimed for them.
Comment:
The signatures and certificates in this package cannot be regenerated
as-is without the associated private key material, but they can be
replaced using alternate private keys.
Files: debian/rules
Copyright: 2018 Philipp Matthias Hahn <pmhahn@debian.org>
License: GPL-2
This package is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License version 2 as
published by the Free Software Foundation.
.
This package is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
.
You should have received a copy of the GNU General Public License
along with this package; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
.
On Debian systems, the complete text of the GNU General Public
License version 2 can be found in `/usr/share/common-licenses/GPL-2'.
Files: debian/*
Copyright: 2018 Philipp Matthias Hahn <pmhahn@debian.org>
License: GPL-2+
This package is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or (at
your option) any later version.
.
This package is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
.
You should have received a copy of the GNU General Public License
along with this package; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
.
On Debian systems, the complete text of the GNU General Public
License version 2 can be found in `/usr/share/common-licenses/GPL-2'.

18
debian/signing-template/rules vendored Executable file
View File

@ -0,0 +1,18 @@
#!/usr/bin/make -f
SIG_DIR := debian/signatures/shim-unsigned
%:
dh $@
override_dh_auto_install:
set -e ; \
find "$(SIG_DIR)" -name '*.sig' -printf '%P\n' | \
while read sig; do \
install -o 0 -g 0 -m 0755 -d "debian/tmp/$${sig%/*}" ; \
install -o 0 -g 0 -m 0644 "/$${sig%.sig}" "debian/tmp/$${sig}ned" ; \
sbattach --attach "$(SIG_DIR)/$$sig" "debian/tmp/$${sig}ned" ; \
done
override_dh_install:
dh_install --sourcedir=debian/tmp .

1
debian/signing-template/source/format vendored Normal file
View File

@ -0,0 +1 @@
3.0 (native)