Add shim-$arch-signed-template support

for getting the MOK manager and fall-back binary signed by Debian's
signing service instead of using an ephemeral key.

Closes: #922228
This commit is contained in:
Philipp Hahn 2018-04-07 20:47:49 +02:00 committed by Luca Boccassi
parent c2dbb9ef4e
commit f7add2255f
12 changed files with 181 additions and 0 deletions

1
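--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ shim (15+1533136590.3beb971-3) UNRELEASED; urgency=medium
 * debian/rules: fixing permissions no longer required
 * debian/rules: Disable ephemeral key on Debian.
 * Rename binary package to 'shim-unsigned'
+* Add template for signing {mm,fb}$ARCH.efi. (Closes: #922228)
 -- Luca Boccassi <bluca@debian.org> Fri, 15 Feb 2019 19:50:10 +0000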

21
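--- a/debian/control
+++ b/debian/control
@@ -18,3 +18,24 @@ Description: boot loader to chain-load signed boot loaders under Secure Boot
 against a built-in signature database. Its purpose is to allow a small,
 infrequently-changing binary to be signed by the UEFI CA, while allowing
 an OS distributor to revision their main bootloader independently of the CA.
+Package: shim-amd64-signed-template
+Architecture: amd64
+Depends: ${misc:Depends},
+Description: boot loader to chain-load signed boot loaders (signing template)
+This package contains template files for shim-amd64-signed.
+This is only needed for Secure Boot singing.
+Package: shim-i386-signed-template
+Architecture: i386
+Depends: ${misc:Depends},
+Description: boot loader to chain-load signed boot loaders (signing template)
+This package contains template files for shim-i386-signed.
+This is only needed for Secure Boot singing.
+Package: shim-arm64-signed-template
+Architecture: arm64
+Depends: ${misc:Depends},
+Description: boot loader to chain-load signed boot loaders (signing template)
+This package contains template files for shim-arm64-signed.
+This is only needed for Secure Boot singing.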
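Review bot: The three new Description stanzas misspell "signing" as "singing" (`This is only needed for Secure Boot singing.`, repeated for the amd64, i386 and arm64 packages); each should read `This is only needed for Secure Boot signing.`. The same misspelling is in the commit description. These strings are user-visible in apt, so it is worth fixing before upload.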

1
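--- a/debian/rules
+++ b/debian/rules
@@ -46,3 +46,4 @@ override_dh_auto_build:
 override_dh_auto_install:
 dh_auto_install --destdir=debian/tmp -- $(COMMON_OPTIONS)
+./debian/signing-template.generate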
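Review bot: The new recipe line runs `./debian/signing-template.generate`, which reads `EFI_ARCH` and `DEB_HOST_ARCH` from the environment under `set -u`, so the build aborts unless both are exported. `DEB_HOST_ARCH` is exported by dpkg-buildpackage, but if `EFI_ARCH` is a plain make variable defined earlier in debian/rules (outside this hunk) it is not visible to the child shell; either `export EFI_ARCH` next to its definition or pass it explicitly: `EFI_ARCH='$(EFI_ARCH)' ./debian/signing-template.generate`. Whether such an export already exists cannot be confirmed from this hunk.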

41
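--- /dev/null
+++ b/debian/signing-template.generate
@@ -0,0 +1,41 @@
+#!/bin/sh
+set -e -u
+distribution="$(dpkg-parsechangelog -S Distribution)"
+urgency="$(dpkg-parsechangelog -S Urgency)"
+date="$(dpkg-parsechangelog -S Date)"
+version_binary="$(dpkg-parsechangelog -S Version)"
+version_mangled="$(dpkg-parsechangelog -S Version | tr '-' '+')"
+subst () {
+sed \
+-e "s/@efi@/${EFI_ARCH}/g" \
+-e "s/@arch@/${DEB_HOST_ARCH}/g" \
+-e "s/@version_binary@/${version_binary}/g" \
+-e "s/@version_mangled@/${version_mangled}/g" \
+-e "s/@distribution@/${distribution}/g" \
+-e "s/@urgency@/${urgency}/g" \
+-e "s/@date@/${date}/g" \
+"$@"
+}
+template='./debian/signing-template'
+pkg_name="shim-${DEB_HOST_ARCH}-signed-template"
+pkg_dir="debian/${pkg_name}/usr/share/code-signing/${pkg_name}"
+pkg_deb="${pkg_dir}/source-template/debian"
+install -o 0 -g 0 -m 0755 -d "${pkg_dir}"
+subst < ./debian/signing-template.json.in > "${pkg_dir}/files.json"
+find "${template}" -type f -printf '%P\n' |
+while read path
+do
+src="${template}/${path}"
+dst="${pkg_deb}/${path}"
+install -o 0 -g 0 -m 0755 -d "${dst%/*}"
+subst < "${src}" > "${dst%.in}"
+chmod --reference="${src}" "${dst%.in}"
+done
+exit 0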
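Review bot: `while read path` on the find pipeline splits on IFS and interprets backslashes, so a template path with leading whitespace or a backslash would be mangled before `install`/`subst` run on it; use `while IFS= read -r path`. The same unguarded `read` is in debian/signing-template/rules. Also, POSIX sh has no pipefail, so a failing `find` under `set -e` only yields an empty loop and the script still exits 0 with an incomplete template; checking `[ -d "${template}" ]` up front, or writing the file list to a temporary file and testing find's status, makes that failure loud. Note that `subst` passes the dpkg-parsechangelog fields into sed unescaped and is applied to every file under the template directory, not only `*.in` ones; Debian versions and dates cannot contain `/`, but a `&` or `\` would be interpreted by sed, so this relies on the changelog being well-formed.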

6
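--- /dev/null
+++ b/debian/signing-template.json.in
@@ -0,0 +1,6 @@
+{"shim-unsigned": {
+"files": [
+{"sig_type": "efi", "file": "usr/lib/shim/fb@efi@.efi"},
+{"sig_type": "efi", "file": "usr/lib/shim/mm@efi@.efi"}
+]
+}}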

4
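--- /dev/null
+++ b/debian/signing-template/README.source
@@ -0,0 +1,4 @@
+This source package is generated by the Debian signing service from a
+template built by the shim package. It should never be updated directly.
+-- Philipp Matthias Hahn <pmhahn@debian.org> Sat, 07 Apr 2018 16:26:11 +0200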

11
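--- /dev/null
+++ b/debian/signing-template/changelog.in
@@ -0,0 +1,11 @@
+shim-@arch@-signed (1+@version_mangled@) @distribution@; urgency=@urgency@
+* Update to shim @version_binary@
+-- Debian signing service <ftpmaster@debian.org> @date@
+shim-@arch@-signed (1) unstable; urgency=medium
+* Add template source package for signing
+-- Philipp Matthias Hahn <pmhahn@debian.org> Sat, 07 Apr 2018 17:16:27 +0200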

1
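--- /dev/null
+++ b/debian/signing-template/compat
@@ -0,0 +1 @@
+9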

25
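--- /dev/null
+++ b/debian/signing-template/control.in
@@ -0,0 +1,25 @@
+Source: shim-@arch@-signed
+Section: admin
+Priority: optional
+Maintainer: Steve Langasek <vorlon@debian.org>
+Standards-Version: 3.9.8
+Build-Depends: debhelper (>= 10.1~),
+sbsigntool [amd64 arm64 i386],
+shim-unsigned (= @version_binary@),
+Rules-Requires-Root: no
+Package: shim-@arch@-signed
+Architecture: @arch@
+Conflicts: shim (<< 15+1533136590.3beb971-3~),
+Replaces: shim (<< 15+1533136590.3beb971-3~),
+Depends: shim-unsigned (= @version_binary@), ${misc:Depends},
+Built-Using: shim (= @version_binary@)
+Description: boot loader to chain-load signed boot loaders (signed by Debian)
+This package provides a minimalist boot loader which allows verifying
+signatures of other UEFI binaries against either the Secure Boot DB/DBX or
+against a built-in signature database. Its purpose is to allow a small,
+infrequently-changing binary to be signed by the UEFI CA, while allowing
+an OS distributor to revision their main bootloader independently of the CA.
+.
+This package contains the MOK manager and fall-back manager signed by the
+Debian UEFI CA to be used by shim-signed.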

51
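--- /dev/null
+++ b/debian/signing-template/copyright
@@ -0,0 +1,51 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Comment:
+This file describes only the shim-signed source package.
+Files: debian/signatures/*
+License: public-domain
+Digital signatures and certificates are presumed not to be
+copyrightable works, and no copyright is claimed for them.
+Comment:
+The signatures and certificates in this package cannot be regenerated
+as-is without the associated private key material, but they can be
+replaced using alternate private keys.
+Files: debian/rules
+Copyright: 2018 Philipp Matthias Hahn <pmhahn@debian.org>
+License: GPL-2
+This package is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 2 as
+published by the Free Software Foundation.
+.
+This package is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+.
+You should have received a copy of the GNU General Public License
+along with this package; if not, write to the Free Software
+Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+.
+On Debian systems, the complete text of the GNU General Public
+License version 2 can be found in `/usr/share/common-licenses/GPL-2'.
+Files: debian/*
+Copyright: 2018 Philipp Matthias Hahn <pmhahn@debian.org>
+License: GPL-2+
+This package is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or (at
+your option) any later version.
+.
+This package is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+.
+You should have received a copy of the GNU General Public License
+along with this package; if not, write to the Free Software
+Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+.
+On Debian systems, the complete text of the GNU General Public
+License version 2 can be found in `/usr/share/common-licenses/GPL-2'.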
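Review bot: In the machine-readable copyright format the last matching `Files` paragraph wins, so the trailing `Files: debian/*` stanza (GPL-2+) overrides the earlier `Files: debian/signatures/*` (public-domain) and `Files: debian/rules` (GPL-2) stanzas for every file they cover. Move the `debian/*` paragraph ahead of the two more specific ones so the specific licences actually apply. The header `Comment:` still says "shim-signed source package" although this template produces `shim-@arch@-signed`; since signing-template.generate runs `subst` over every template file, `This file describes only the shim-@arch@-signed source package.` would be expanded correctly.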

18
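--- /dev/null
+++ b/debian/signing-template/rules
@@ -0,0 +1,18 @@
+#!/usr/bin/make -f
+SIG_DIR := debian/signatures/shim-unsigned
+%:
+dh $@
+override_dh_auto_install:
+set -e ; \
+find "$(SIG_DIR)" -name '*.sig' -printf '%P\n' | \
+while read sig; do \
+install -o 0 -g 0 -m 0755 -d "debian/tmp/$${sig%/*}" ; \
+install -o 0 -g 0 -m 0644 "/$${sig%.sig}" "debian/tmp/$${sig}ned" ; \
+sbattach --attach "$(SIG_DIR)/$$sig" "debian/tmp/$${sig}ned" ; \
+done
+override_dh_install:
+dh_install --sourcedir=debian/tmp .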
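Review bot: `install -o 0 -g 0` on the two lines in override_dh_auto_install conflicts with `Rules-Requires-Root: no` in control.in: without (fake)root, GNU install's chown to uid 0 fails with EPERM and, with `set -e`, the recipe aborts. Drop `-o 0 -g 0` from both `install` calls (dpkg-deb and dh_fixperms handle ownership); debian/signing-template.generate uses the same flags, though whether the shim-unsigned build itself runs under fakeroot is not visible here. Since this recipe is where the detached signature is merged into the binary that ships, verify it after attaching so a wrong or corrupted signature from the service fails the build instead of reaching users: add `sbverify --cert <path-to-Debian-UEFI-CA-cert> "debian/tmp/$${sig}ned" ; \` after the `sbattach` line. `sbsigntool` is already in Build-Depends, so no new dependency is needed.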

1
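--- /dev/null
+++ b/debian/signing-template/source/format
@@ -0,0 +1 @@
+3.0 (native)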