authorChristian Breunig <christian@breunig.cc>2025-07-06 22:45:39 +0200
committerChristian Breunig <christian@breunig.cc>2025-07-07 19:44:23 +0200
commit7c1e9cc39ab56632cc981e9fbd4a9e6dc2fe7122 (patch)
tree7fb34336893e96e9e4c75cd63e0d4ded35f72f37
parent02acad285c74015e8120ade2b41d51b39ae66b63 (diff)
T861: add VyOS UEFI CA alongside Debian UEFI CAHEADvyos/current
-rw-r--r--debian/changelog6
-rw-r--r--debian/control8
-rw-r--r--debian/debian-vyos-uefi-ca.eslbin0 -> 2351 bytes
-rw-r--r--debian/patches/0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch42
-rw-r--r--debian/patches/0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch47
-rw-r--r--debian/patches/series3
-rw-r--r--debian/patches/test-mock-variables-explicitly-skip-CONFIG_ONLY-vars.patch45
-rwxr-xr-xdebian/rules24
-rw-r--r--debian/sbat.vyos.csv.in1
-rw-r--r--debian/source/include-binaries2
-rw-r--r--debian/vyos-uefi-ca.derbin0 -> 1333 bytes
11 files changed, 66 insertions, 112 deletions
diff --git a/debian/changelog b/debian/changelog
index 6bb6dd27..f73fb890 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+shim (16.0-1+vyos1) UNRELEASED; urgency=medium
+
+ * Add VyOS's CA alongside Debian's.
+
+ -- Christian Breunig <christian@breunig.cc> Wed, 02 Jul 2025 22:34:39 +0200
+
shim (15.8-1) unstable; urgency=medium
[ Steve McIntyre ]
diff --git a/debian/control b/debian/control
index a5e9d953..0daa1294 100644
--- a/debian/control
+++ b/debian/control
@@ -1,8 +1,8 @@
Source: shim
Section: admin
Priority: optional
-Maintainer: Debian EFI team <debian-efi@lists.debian.org>
-Uploaders: Steve Langasek <vorlon@debian.org>, Steve McIntyre <93sam@debian.org>
+Maintainer: VyOS Package Maintainers <maintainers@vyos.net>
+Rules-Requires-Root: no
Standards-Version: 4.6.2
Build-Depends: debhelper-compat (= 12),
gnu-efi (>= 3.0u),
@@ -15,8 +15,8 @@ Build-Depends: debhelper-compat (= 12),
efivar,
xxd,
libefivar-dev
-Vcs-Browser: https://salsa.debian.org/efi-team/shim
-Vcs-Git: https://salsa.debian.org/efi-team/shim.git
+Vcs-Browser: https://github.com/vyos/efi-boot-shim
+Vcs-Git: https://github.com/vyos/efi-boot-shim.git
Package: shim-unsigned
Architecture: amd64 arm64
diff --git a/debian/debian-vyos-uefi-ca.esl b/debian/debian-vyos-uefi-ca.esl
new file mode 100644
index 00000000..110a1d15
--- /dev/null
+++ b/debian/debian-vyos-uefi-ca.esl
Binary files differ
diff --git a/debian/patches/0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch b/debian/patches/0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
deleted file mode 100644
index 25977c16..00000000
--- a/debian/patches/0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 63edf92f8ae11b884bc7d24aecb8229cbc4ae014 Mon Sep 17 00:00:00 2001
-From: Julian Andres Klode <julian.klode@canonical.com>
-Date: Fri, 5 Apr 2024 21:57:07 +0200
-Subject: [PATCH 1/2] sbat: Add grub.peimage,2 to latest (CVE-2024-2312)
-
-Add the previous latest level to the switch for automatic.
-
-Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>
----
- include/sbat_var_defs.h | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/include/sbat_var_defs.h b/include/sbat_var_defs.h
-index f8cba029..04d708f2 100644
---- a/include/sbat_var_defs.h
-+++ b/include/sbat_var_defs.h
-@@ -47,6 +47,8 @@
- #define SBAT_VAR_AUTOMATIC_REVOCATIONS "shim,2\ngrub,3\n"
- #elif SBAT_AUTOMATIC_DATE == 2023012900
- #define SBAT_VAR_AUTOMATIC_REVOCATIONS "shim,2\ngrub,3\ngrub.debian,4\n"
-+#elif SBAT_AUTOMATIC_DATE == 2024010900
-+#define SBAT_VAR_AUTOMATIC_REVOCATIONS "shim,4\ngrub,3\ngrub.debian,4\n"
- #else
- #error "Unknown SBAT_AUTOMATIC_DATE"
- #endif /* SBAT_AUTOMATIC_DATE == */
-@@ -56,10 +58,10 @@
- SBAT_VAR_AUTOMATIC_REVOCATIONS
-
- /*
-- * Revocations for January 2024 shim CVEs
-+ * Revocations for January 2024 shim CVEs + Debian/Ubuntu (peimage) CVE-2024-2312
- */
--#define SBAT_VAR_LATEST_DATE "2024010900"
--#define SBAT_VAR_LATEST_REVOCATIONS "shim,4\ngrub,3\ngrub.debian,4\n"
-+#define SBAT_VAR_LATEST_DATE "2024040500"
-+#define SBAT_VAR_LATEST_REVOCATIONS "shim,4\ngrub,3\ngrub.debian,4\ngrub.peimage,2\n"
- #define SBAT_VAR_LATEST \
- SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
- SBAT_VAR_LATEST_REVOCATIONS
---
-2.39.2
-
diff --git a/debian/patches/0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch b/debian/patches/0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
deleted file mode 100644
index f1c3028d..00000000
--- a/debian/patches/0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 3e1394e8e6fd0071a69196230f991612a960c154 Mon Sep 17 00:00:00 2001
-From: Julian Andres Klode <julian.klode@canonical.com>
-Date: Tue, 9 Apr 2024 18:55:12 +0200
-Subject: [PATCH 2/2] sbat: Also bump latest for grub,4 (and to todays date)
-
-Back in January we decided to bump the SBAT level for the shim
-CVE without bumping the grub level for the previous NTFS issues
-- CVE-2023-4692 CVE-2023-4693 - as not every vendor was signing
-the ntfs module.
-
-Catch up on this revocation to ensure it doesn't get lost. Doing
-so also allows us to remove the grub.debian,4 revocation as this
-happened before grub,4 and hence is obsolete.
-
-Also bump the date of the sbat variable to today's. Don't copy
-the April 5 one to a previous selection, as it wasn't shipped
-to anyone.
-
-Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>
----
- include/sbat_var_defs.h | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/include/sbat_var_defs.h b/include/sbat_var_defs.h
-index 04d708f2..5c7115b9 100644
---- a/include/sbat_var_defs.h
-+++ b/include/sbat_var_defs.h
-@@ -58,10 +58,13 @@
- SBAT_VAR_AUTOMATIC_REVOCATIONS
-
- /*
-- * Revocations for January 2024 shim CVEs + Debian/Ubuntu (peimage) CVE-2024-2312
-+ * Revocations for:
-+ * - January 2024 shim CVEs
-+ * - October 2023 grub CVEs
-+ * - Debian/Ubuntu (peimage) CVE-2024-2312
- */
--#define SBAT_VAR_LATEST_DATE "2024040500"
--#define SBAT_VAR_LATEST_REVOCATIONS "shim,4\ngrub,3\ngrub.debian,4\ngrub.peimage,2\n"
-+#define SBAT_VAR_LATEST_DATE "2024040900"
-+#define SBAT_VAR_LATEST_REVOCATIONS "shim,4\ngrub,4\ngrub.peimage,2\n"
- #define SBAT_VAR_LATEST \
- SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
- SBAT_VAR_LATEST_REVOCATIONS
---
-2.39.2
-
diff --git a/debian/patches/series b/debian/patches/series
index 01fd2987..439fbe12 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1 @@
-0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
-0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
+test-mock-variables-explicitly-skip-CONFIG_ONLY-vars.patch
diff --git a/debian/patches/test-mock-variables-explicitly-skip-CONFIG_ONLY-vars.patch b/debian/patches/test-mock-variables-explicitly-skip-CONFIG_ONLY-vars.patch
new file mode 100644
index 00000000..3ca5b967
--- /dev/null
+++ b/debian/patches/test-mock-variables-explicitly-skip-CONFIG_ONLY-vars.patch
@@ -0,0 +1,45 @@
+From: =?utf-8?q?Fabian_Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
+Date: Mon, 24 Mar 2025 12:58:56 +0100
+Subject: test-mock-variables: explicitly skip CONFIG_ONLY vars
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+otherwise we might pass invalid pointers to load_variables and cause
+segfaults in test cases.
+
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+---
+Submitted upstream: https://github.com/rhboot/shim/pull/739/
+
+ test-mock-variables.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/test-mock-variables.c b/test-mock-variables.c
+index f869300..dd4a9eb 100644
+--- a/test-mock-variables.c
++++ b/test-mock-variables.c
+@@ -212,8 +212,10 @@ test_gnvn_helper(char *testvars)
+ * mok mirroring that aren't really from mok; right now
+ * this is a reasonable heuristic for that.
+ */
+- if (mok_state_variables[i].flags & MOK_VARIABLE_CONFIG_ONLY)
++ if (mok_state_variables[i].flags & MOK_VARIABLE_CONFIG_ONLY) {
++ mok_rt_vars[i] = "";
+ continue;
++ }
+ mok_rt_vars[i] = mok_state_variables[i].rtname8;
+ }
+
+@@ -313,8 +315,10 @@ test_get_variable_0(void)
+ * mok mirroring that aren't really from mok; right now
+ * this is a reasonable heuristic for that.
+ */
+- if (mok_state_variables[i].flags & MOK_VARIABLE_CONFIG_ONLY)
++ if (mok_state_variables[i].flags & MOK_VARIABLE_CONFIG_ONLY) {
++ mok_rt_vars[i] = "";
+ continue;
++ }
+ mok_rt_vars[i] = mok_state_variables[i].rtname8;
+ }
+
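Review bot: The provenance line `Submitted upstream: https://github.com/rhboot/shim/pull/739/` sits below the `---` separator, where DEP-3 tooling treats it as free-form text rather than a header; the standard form is `Forwarded: https://github.com/rhboot/shim/pull/739/` placed above the separator, preferably alongside an `Origin:` field saying where this patch was taken from. The code change itself is consistent across both hunks (an empty string is stored in `mok_rt_vars[i]` for CONFIG_ONLY entries before the `continue`), but the enclosing functions `test_gnvn_helper` and `test_get_variable_0` start outside the quoted hunks, so the declared type of `mok_rt_vars` and what the later `load_variables` call does with `""` cannot be checked from here.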
diff --git a/debian/rules b/debian/rules
index 40a61670..1f55a9e9 100755
--- a/debian/rules
+++ b/debian/rules
@@ -2,25 +2,15 @@
include /usr/share/dpkg/architecture.mk
-# Other vendors, add your certs here. No sense in using
-# dpkg-vendor --derives-from, because only Canonical-generated binaries will
-# be signed with this key; so if you are building your own shim binary you
-# should be building the other binaries also.
-ifeq ($(shell dpkg-vendor --is ubuntu && echo yes),yes)
- cert=debian/canonical-uefi-ca.der
- distributor=ubuntu
-COMMON_OPTIONS ?= ENABLE_SHIM_CERT=1 ENABLE_SBSIGN=1
-else
- cert=debian/debian-uefi-ca.der
- distributor=debian
-endif
+cert=debian/debian-vyos-uefi-ca.esl
+distributor=vyos
deb_version := $(shell dpkg-parsechangelog | sed -ne "s/^Version: \(.*\)/\1/p")
upstream_version := $(shell echo $(deb_version) | sed -e "s/-[^-]*$$//")
plain_upstream_version := $(shell echo $(upstream_version) | sed -e "s/+dfsg.*//")
DBX_LIST = dbx.esl
-DBX_HASHES = debian/$(distributor)-dbx.hashes
+DBX_HASHES = debian/debian-dbx.hashes
SBAT_IN = debian/sbat.$(distributor).csv.in
SBAT_DATA = data/sbat.$(distributor).csv
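Review bot: `cert=debian/debian-vyos-uefi-ca.esl` points at a pre-built binary signature list with no rule or comment describing how it was produced, even though the two inputs it presumably combines, `debian/debian-uefi-ca.der` and `debian/vyos-uefi-ca.der`, are both in the tree (see debian/source/include-binaries). Because this file decides which signatures shim accepts for the next-stage loader, a reviewer cannot verify its contents from the diff; either generate it at build time from the two DER files under a rule whose target is `$(cert)`, or add a comment naming the exact inputs and tool invocation so the blob can be regenerated and compared. The removed vendor-certificate comment also leaves `cert`/`distributor` undocumented; suggested replacement above `cert=`: `# Vendor allow-list passed as VENDOR_DB_FILE: an EFI signature list carrying both the Debian and the VyOS UEFI CA, so next-stage binaries signed by either CA are accepted.` Finally, `DBX_HASHES = debian/debian-dbx.hashes` is now hard-coded while `SBAT_IN`/`SBAT_DATA` still key off `$(distributor)`; a one-line comment that the Debian dbx hash list is reused on purpose would stop someone later "fixing" it to a `debian/vyos-dbx.hashes` that this commit does not add.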
@@ -41,7 +31,7 @@ COMMON_OPTIONS += \
COMMIT_ID=657b2483ca6e9fcf2ad8ac7ee577ff546d24c3aa \
MAKELEVEL=0 \
ENABLE_HTTPBOOT=true \
- VENDOR_CERT_FILE=$(cert) \
+ VENDOR_DB_FILE=$(cert) \
VENDOR_DBX_FILE=$(DBX_LIST) \
EFIDIR=$(distributor) \
CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)- \
@@ -49,9 +39,9 @@ COMMON_OPTIONS += \
$(NULL)
# Force shim to use the latest revocations by default to block some
-# older grub / peimage issues. This is:
-# "shim,4\ngrub,4\ngrub.peimage,2\n"
-COMMON_OPTIONS += SBAT_AUTOMATIC_DATE=2024010900
+# older grub issues. This is:
+# "shim,4\ngrub,5\n"
+COMMON_OPTIONS += SBAT_AUTOMATIC_DATE=2025021800
$(DBX_LIST): $(DBX_HASHES)
./debian/generate_dbx_list $(EFI_ARCH) $< $@
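Review bot: `COMMON_OPTIONS += SBAT_AUTOMATIC_DATE=2025021800` only builds if upstream's `include/sbat_var_defs.h` carries an `#elif SBAT_AUTOMATIC_DATE == 2025021800` case, since that table falls through to `#error "Unknown SBAT_AUTOMATIC_DATE"` for any other value (visible in the two patches this commit deletes). Those deleted patches were also what kept `SBAT_VAR_LATEST_DATE`/`SBAT_VAR_LATEST_REVOCATIONS` current on top of the 15.8 source; after this commit the revocation table comes solely from the packaged 16.0 upstream, so the comment's claimed content `"shim,4\ngrub,5\n"` should be verified against that file rather than trusted from the comment. Suggest extending the comment with the provenance: `# Must match a SBAT_AUTOMATIC_DATE case in include/sbat_var_defs.h of the packaged upstream; the revocation string below is copied from that table, not set here.`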
diff --git a/debian/sbat.vyos.csv.in b/debian/sbat.vyos.csv.in
new file mode 100644
index 00000000..4275733f
--- /dev/null
+++ b/debian/sbat.vyos.csv.in
@@ -0,0 +1 @@
+shim.vyos,1,VyOS,shim,@UPSTREAM_VERSION@,https://github.com/vyos/efi-boot-shim.git
diff --git a/debian/source/include-binaries b/debian/source/include-binaries
index d82be748..a97ddf5b 100644
--- a/debian/source/include-binaries
+++ b/debian/source/include-binaries
@@ -1,2 +1,4 @@
debian/canonical-uefi-ca.der
debian/debian-uefi-ca.der
+debian/vyos-uefi-ca.der
+debian/debian-vyos-uefi-ca.esl
diff --git a/debian/vyos-uefi-ca.der b/debian/vyos-uefi-ca.der
new file mode 100644
index 00000000..19b057db
--- /dev/null
+++ b/debian/vyos-uefi-ca.der
Binary files differ