Add shim-$arch-signed-template support
for getting the MOK-manager and fall-back binary signed by Debian's signing service instead of using an ephemeral key. Closes: #922228
parent
c2dbb9ef4e
commit
f7add2255f
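--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ shim (15+1533136590.3beb971-3) UNRELEASED; urgency=medium
 * debian/rules: fixing permissions no longer required
 * debian/rules: Disable ephemeral key on Debian.
 * Rename binary package to 'shim-unsigned'
+* Add template for signing {mm,fb}$ARCH.efi. (Closes: #922228)
 
 -- Luca Boccassi <bluca@debian.org> Fri, 15 Feb 2019 19:50:10 +0000
 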
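--- a/debian/control
+++ b/debian/control
@@ -18,3 +18,24 @@ Description: boot loader to chain-load signed boot loaders under Secure Boot
 against a built-in signature database. Its purpose is to allow a small,
 infrequently-changing binary to be signed by the UEFI CA, while allowing
 an OS distributor to revision their main bootloader independently of the CA.
+
+Package: shim-amd64-signed-template
+Architecture: amd64
+Depends: ${misc:Depends},
+Description: boot loader to chain-load signed boot loaders (signing template)
+This package contains template files for shim-amd64-signed.
+This is only needed for Secure Boot singing.
+
+Package: shim-i386-signed-template
+Architecture: i386
+Depends: ${misc:Depends},
+Description: boot loader to chain-load signed boot loaders (signing template)
+This package contains template files for shim-i386-signed.
+This is only needed for Secure Boot singing.
+
+Package: shim-arm64-signed-template
+Architecture: arm64
+Depends: ${misc:Depends},
+Description: boot loader to chain-load signed boot loaders (signing template)
+This package contains template files for shim-arm64-signed.
+This is only needed for Secure Boot singing.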
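Review bot: The long Description of each new template package misspells "signing" as "singing" in `This is only needed for Secure Boot singing.`, in all three stanzas (amd64, i386, arm64); it should read `This is only needed for Secure Boot signing.`. The same slip appears in the commit message. Since the three stanzas differ only in the architecture name, any later wording fix has to be applied three times, so a short comment saying they must be kept in sync would help the next editor.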
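--- a/debian/rules
+++ b/debian/rules
@@ -46,3 +46,4 @@ override_dh_auto_build:
 
 override_dh_auto_install:
 dh_auto_install --destdir=debian/tmp -- $(COMMON_OPTIONS)
+./debian/signing-template.generate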
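Review bot: The script invoked on the added line reads `EFI_ARCH` and `DEB_HOST_ARCH` from its environment under `set -u`, so it aborts if either is only a Make variable in debian/rules rather than exported; the rest of debian/rules is outside this hunk, so I cannot see whether they are. If they are not exported, pass them explicitly: `EFI_ARCH='$(EFI_ARCH)' DEB_HOST_ARCH='$(DEB_HOST_ARCH)' ./debian/signing-template.generate`. The script also runs on every architecture, while debian/control in this commit only defines template packages for amd64, i386 and arm64; if shim builds on other architectures the generated `debian/shim-<arch>-signed-template` tree has no package to land in, which is presumably harmless but deserves a guard or a comment.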
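--- /dev/null
+++ b/debian/signing-template.generate
@@ -0,0 +1,41 @@
+#!/bin/sh
+set -e -u
+
+distribution="$(dpkg-parsechangelog -S Distribution)"
+urgency="$(dpkg-parsechangelog -S Urgency)"
+date="$(dpkg-parsechangelog -S Date)"
+version_binary="$(dpkg-parsechangelog -S Version)"
+version_mangled="$(dpkg-parsechangelog -S Version | tr '-' '+')"
+
+subst () {
+sed \
+-e "s/@efi@/${EFI_ARCH}/g" \
+-e "s/@arch@/${DEB_HOST_ARCH}/g" \
+-e "s/@version_binary@/${version_binary}/g" \
+-e "s/@version_mangled@/${version_mangled}/g" \
+-e "s/@distribution@/${distribution}/g" \
+-e "s/@urgency@/${urgency}/g" \
+-e "s/@date@/${date}/g" \
+"$@"
+}
+
+template='./debian/signing-template'
+pkg_name="shim-${DEB_HOST_ARCH}-signed-template"
+pkg_dir="debian/${pkg_name}/usr/share/code-signing/${pkg_name}"
+pkg_deb="${pkg_dir}/source-template/debian"
+
+install -o 0 -g 0 -m 0755 -d "${pkg_dir}"
+subst < ./debian/signing-template.json.in > "${pkg_dir}/files.json"
+
+find "${template}" -type f -printf '%P\n' |
+while read path
+do
+src="${template}/${path}"
+dst="${pkg_deb}/${path}"
+
+install -o 0 -g 0 -m 0755 -d "${dst%/*}"
+subst < "${src}" > "${dst%.in}"
+chmod --reference="${src}" "${dst%.in}"
+done
+
+exit 0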
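Review bot: `while read path` in the find loop should be `while IFS= read -r path` so that backslashes and leading or trailing whitespace in template paths are taken literally; the paths come from the repository's own template directory, so this is robustness rather than a live bug. `subst` is applied to every template file, not only the `*.in` ones, so a literal `@arch@`-style token in copyright or README.source would be silently rewritten; consider substituting only when `${path}` ends in `.in` and plain-copying the rest. The `install -o 0 -g 0` calls require (fake)root, and whether shim's own packaging permits that is outside this page. A short header comment stating that the script expects `EFI_ARCH` and `DEB_HOST_ARCH` in the environment and must be run from the source root would help the next maintainer.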
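--- /dev/null
+++ b/debian/signing-template.json.in
@@ -0,0 +1,6 @@
+{"shim-unsigned": {
+"files": [
+{"sig_type": "efi", "file": "usr/lib/shim/fb@efi@.efi"},
+{"sig_type": "efi", "file": "usr/lib/shim/mm@efi@.efi"}
+]
+}}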
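--- /dev/null
+++ b/debian/signing-template/README.source
@@ -0,0 +1,4 @@
+This source package is generated by the Debian signing service from a
+template built by the shim package. It should never be updated directly.
+
+-- Philipp Matthias Hahn <pmhahn@debian.org> Sat, 07 Apr 2018 16:26:11 +0200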
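--- /dev/null
+++ b/debian/signing-template/changelog.in
@@ -0,0 +1,11 @@
+shim-@arch@-signed (1+@version_mangled@) @distribution@; urgency=@urgency@
+
+* Update to shim @version_binary@
+
+-- Debian signing service <ftpmaster@debian.org> @date@
+
+shim-@arch@-signed (1) unstable; urgency=medium
+
+* Add template source package for signing
+
+-- Philipp Matthias Hahn <pmhahn@debian.org> Sat, 07 Apr 2018 17:16:27 +0200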
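--- /dev/null
+++ b/debian/signing-template/compat
@@ -0,0 +1 @@
+9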
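--- /dev/null
+++ b/debian/signing-template/control.in
@@ -0,0 +1,25 @@
+Source: shim-@arch@-signed
+Section: admin
+Priority: optional
+Maintainer: Steve Langasek <vorlon@debian.org>
+Standards-Version: 3.9.8
+Build-Depends: debhelper (>= 10.1~),
+sbsigntool [amd64 arm64 i386],
+shim-unsigned (= @version_binary@),
+Rules-Requires-Root: no
+
+Package: shim-@arch@-signed
+Architecture: @arch@
+Conflicts: shim (<< 15+1533136590.3beb971-3~),
+Replaces: shim (<< 15+1533136590.3beb971-3~),
+Depends: shim-unsigned (= @version_binary@), ${misc:Depends},
+Built-Using: shim (= @version_binary@)
+Description: boot loader to chain-load signed boot loaders (signed by Debian)
+This package provides a minimalist boot loader which allows verifying
+signatures of other UEFI binaries against either the Secure Boot DB/DBX or
+against a built-in signature database. Its purpose is to allow a small,
+infrequently-changing binary to be signed by the UEFI CA, while allowing
+an OS distributor to revision their main bootloader independently of the CA.
+.
+This package contains the MOK manager and fall-back manager signed by the
+Debian UEFI CA to be used by shim-signed.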
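Review bot: `Build-Depends: debhelper (>= 10.1~)` is paired with a template compat file containing `9` (debian/signing-template/compat in this commit), so the generated source package builds in compat level 9 under a newer debhelper; if compat 9 is not intentional, raise the compat file to match, because the two values are easy to let drift apart. `Standards-Version: 3.9.8` also appears to predate the `Rules-Requires-Root` field declared a few lines below it (as far as I recall that field arrived with Policy 4.1.x), so bumping it would keep the generated package consistent with what it declares. Neither point changes the signed output.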
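--- /dev/null
+++ b/debian/signing-template/copyright
@@ -0,0 +1,51 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Comment:
+This file describes only the shim-signed source package.
+
+Files: debian/signatures/*
+License: public-domain
+Digital signatures and certificates are presumed not to be
+copyrightable works, and no copyright is claimed for them.
+Comment:
+The signatures and certificates in this package cannot be regenerated
+as-is without the associated private key material, but they can be
+replaced using alternate private keys.
+
+Files: debian/rules
+Copyright: 2018 Philipp Matthias Hahn <pmhahn@debian.org>
+License: GPL-2
+This package is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 2 as
+published by the Free Software Foundation.
+.
+This package is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+.
+You should have received a copy of the GNU General Public License
+along with this package; if not, write to the Free Software
+Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+.
+On Debian systems, the complete text of the GNU General Public
+License version 2 can be found in `/usr/share/common-licenses/GPL-2'.
+
+Files: debian/*
+Copyright: 2018 Philipp Matthias Hahn <pmhahn@debian.org>
+License: GPL-2+
+This package is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or (at
+your option) any later version.
+.
+This package is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+.
+You should have received a copy of the GNU General Public License
+along with this package; if not, write to the Free Software
+Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+.
+On Debian systems, the complete text of the GNU General Public
+License version 2 can be found in `/usr/share/common-licenses/GPL-2'.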
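--- /dev/null
+++ b/debian/signing-template/rules
@@ -0,0 +1,18 @@
+#!/usr/bin/make -f
+
+SIG_DIR := debian/signatures/shim-unsigned
+
+%:
+dh $@
+
+override_dh_auto_install:
+set -e ; \
+find "$(SIG_DIR)" -name '*.sig' -printf '%P\n' | \
+while read sig; do \
+install -o 0 -g 0 -m 0755 -d "debian/tmp/$${sig%/*}" ; \
+install -o 0 -g 0 -m 0644 "/$${sig%.sig}" "debian/tmp/$${sig}ned" ; \
+sbattach --attach "$(SIG_DIR)/$$sig" "debian/tmp/$${sig}ned" ; \
+done
+
+override_dh_install:
+dh_install --sourcedir=debian/tmp .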
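Review bot: The two `install -o 0 -g 0` lines in `override_dh_auto_install` fail when the package is built without (fake)root, which is exactly what the template's control.in in this commit declares with `Rules-Requires-Root: no`; under that setting dpkg-deb already normalises ownership, so the `-o 0 -g 0` flags should be dropped. The output path is spelled `"debian/tmp/$${sig}ned"`, i.e. `foo.efi.sig` plus `ned` giving `foo.efi.signed`, which is easy to misread; writing it as `$${sig%.sig}.signed` states the intent and lets the path be computed once. After `sbattach`, nothing checks that the attached signature actually verifies against the unsigned binary copied from the installed `shim-unsigned`, so a version or signature mismatch would ship a binary that Secure Boot rejects instead of failing the build; an `sbverify --cert` step closes that gap. The CA certificate path is not on this page, so the variable below is a placeholder to be filled in.

```make
# SIGNING_CA_CERT is a placeholder: path to the CA certificate that issued the signatures
override_dh_auto_install:
	set -e ; \
	find "$(SIG_DIR)" -name '*.sig' -printf '%P\n' | \
	while IFS= read -r sig; do \
		out="debian/tmp/$${sig%.sig}.signed" ; \
		install -m 0755 -d "$${out%/*}" ; \
		install -m 0644 "/$${sig%.sig}" "$$out" ; \
		sbattach --attach "$(SIG_DIR)/$$sig" "$$out" ; \
		sbverify --cert "$(SIGNING_CA_CERT)" "$$out" ; \
	done
```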
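--- /dev/null
+++ b/debian/signing-template/source/format
@@ -0,0 +1 @@
+3.0 (native)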