Change the version dependency on shim-unsigned to be >= and not =.
This will allow for installation to still work in the window while we
wait for the template package to do its second trip through the
archive. Closes: #955356

While it may be convenient for a developer to be able to do a build
w/o any dbx hashes, it prevents the $(DBX_LIST) target from having
a proper dependency on the $(DBX_HASHES) file. If a developer were
to add a new hash in a built tree, make would not detect that on
a subsequent build and would not update the $(DBX_LIST) file.
Continue to support a NULL $(DBX_LIST) build by touching the
$(DBX_LIST) file in case no efisiglist commands ran. Developers
can now create an empty $(DBX_HASHES) file to get that.
signed arm64 grub binaries that allow use of the devicetree command,
as found in
grub-efi-arm64-signed_1+2.02+dfsg1+16_arm64.deb
grub-efi-arm64-signed_1+2.02+dfsg1+17_arm64.deb

This allows us to block executing binaries with specific
checksums. Generate the dbx list at runtime from a simple list of
sha256 hashes, so we can update this easily. If we need to also
blacklist a cert later, we'll need to update this code to add that
option too.
Add a build-dep on pesign to get the needed efisiglist program.

Cherry-picked fix from upstream MR at
3a9e237b1b
From: f13615c5b8

Apply an upstream patch from OpenSSL to tolerate a NULL sn. This
avoids a NULL pointer reference in shim.c:verify_eku(). This was
discovered because it causes a crash on ARM where, unlike x86, it does
not necessarily have memory mapped at 0x0.
Fixes: 6c180c6004 ("shim: verify Extended Key Usage flags")
Signed-off-by: dann frazier <dann.frazier@canonical.com>

Backport of upstream fix:
VLogError() calculates the size of format strings by using calls to
SPrint and VSPrint with a StrSize of 0 and NULL for an output
buffer. Unfortunately, this is an incorrect usage of (V)Sprint. A
StrSize of "0" is special-cased to mean "there is no limit". So, we
end up writing our string to address 0x0. This was discovered because
it causes a crash on ARM where, unlike x86, it does not necessarily
have memory mapped at 0x0.
Avoid the (V)Sprint calls altogether by using (V)PoolPrint, which
handles the size calculation and allocation for us.
Signed-off-by: Peter Jones <pjones@redhat.com>
Fixes: 25f6fd08cd ("try to show errors more usefully.")
[dannf: commit message ]
Signed-off-by: dann frazier <dann.frazier@canonical.com>

Move all the data under a new top-level "packages" key
Add an empty "trusted_certs" key - the helper binaries do not do any
further verification with an embedded key.

Remove potential confusion with shim-signed. We will now end up with
shim-helpers-$arch-signed to make it clear that they just contain the
helper binaries (fb.efi and mm.efi)