author:    Julien Cristau <jcristau@debian.org>  2016-10-15 15:17:34 +0200
committer: Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  2017-08-04 12:10:50 -0400
commit:    c117735c205dea04b1a0dbaaa6dfdb0b11250ea7
tree:      76d71fad0390154116483af020a4ce765d3aa821
parent:    bbfd2ab18f52600aa41f061b2da9a2afe2a9d6ac
Import Debian changes 0.9+1474479173.6c180c6-1
(tag: debian/0.9+1474479173.6c180c6-1)
-rw-r--r--  debian/canonical-uefi-ca.der               bin 0 -> 1080 bytes
-rw-r--r--  debian/changelog                           196
-rw-r--r--  debian/compat                              1
-rw-r--r--  debian/control                             17
-rw-r--r--  debian/copyright                           254
-rw-r--r--  debian/debian-uefi-ca.der                  bin 0 -> 930 bytes
-rw-r--r--  debian/patches/gcc-5.diff                  45
-rw-r--r--  debian/patches/gcc5-includes-stdarg.patch  129
-rw-r--r--  debian/patches/prototypes                  191
-rw-r--r--  debian/patches/sbsigntool-not-pesign       26
-rw-r--r--  debian/patches/second-stage-path           24
-rw-r--r--  debian/patches/series                      2
-rwxr-xr-x  debian/rules                               21
-rw-r--r--  debian/shim.install                        3
-rw-r--r--  debian/source/format                       1
-rw-r--r--  debian/source/include-binaries             2
-rw-r--r--  debian/watch                               5
17 files changed, 917 insertions, 0 deletions
diff --git a/debian/canonical-uefi-ca.der b/debian/canonical-uefi-ca.der
new file mode 100644
index 00000000..b4098d9c
--- /dev/null
+++ b/debian/canonical-uefi-ca.der
Binary files differ
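Review bot: a binary DER trust anchor cannot be reviewed from this diff, and nothing in the commit lets a reader confirm which certificate was embedded. Record the subject and SHA-256 fingerprint of debian/canonical-uefi-ca.der (and of debian/debian-uefi-ca.der, added further down) in the commit message or a README, so the embedded CA can be checked against the published one before it becomes the trust root of a shim that Secure Boot will load.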
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 00000000..07286132
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,196 @@
+shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium
+
+ [ Steve Langasek ]
+ * Initial Debian upload. Closes: #820052.
+ * Update Standards-Version.
+ * Embed the newly-minted Debian CA certificate.
+ * Vendorize debian/rules so that the same package can be used in both
+ Debian and Ubuntu without modification.
+ * Fix debian/copyright to match the spec (last match wins, not first)
+ * Fix shim.efi to not be executable.
+ * Add watchfile.
+ * Support parallel builds, because eh why not
+ * Update Vcs-Bzr.
+ * Resync with Ubuntu, including patch to fix debian/copyright.
+
+ [ Julien Cristau ]
+ * Add some missing copyright holders in d/copyright, update
+ Upstream-Contact. Thanks to Helen Koike for the help.
+
+ -- Julien Cristau <jcristau@debian.org> Sat, 15 Oct 2016 15:17:34 +0200
+
+shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium
+
+ [ Helen Koike ]
+ * debian/copyright: add OpenSSL license
+
+ [ Mathieu Trudel-Lapierre ]
+ * New upstream release.
+ * debian/copyright: patches should be BSD, like the rest of the upstream
+ code.
+ * debian/patches/unused-variable: dropped; applied upstream.
+ * debian/patches/binutils-version-matching: dropped, fixed upstream.
+ * debian/shim.install: built EFI binaries were renamed; update our install
+ file to properly pick up shim (shim$arch), MokManager (mm$arch), and
+ fallback (fb$arch).
+
+ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Wed, 21 Sep 2016 20:29:44 -0400
+
+shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium
+
+ * New upstream release.
+ - Better handle LoadOptions. (LP: #1581299)
+ - Measure state and second stage in TPM.
+ - Mirror MokSBState in runtime as MokSBStateRT.
+ - Fix failure to build with GCC 5. (LP: #1429978)
+ - Various bug fixes and other improvements.
+ * Refreshed patches.
+ - Remaining patches:
+ + second-stage-path
+ + sbsigntool-not-pesign
+ * debian/patches/unused-variable: remove unused variable size.
+ * debian/patches/binutils-version-matching: revert d9a4c912 to correctly
+ match objcopy's version on Ubuntu.
+ * debian/copyright: update copyright for patches.
+
+ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 26 Jul 2016 16:48:32 -0400
+
+shim (0.8-0ubuntu2) wily; urgency=medium
+
+ * No-change rebuild against gnu-efi 3.0v-5ubuntu1.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 12 May 2015 17:48:30 +0000
+
+shim (0.8-0ubuntu1) wily; urgency=medium
+
+ * New upstream release.
+ - Clarify meaning of insecure_mode. (LP: #1384973)
+ * debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,
+ debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included
+ in the upstream release.
+ * debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path:
+ refreshed.
+
+ -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com> Mon, 11 May 2015 19:50:49 -0400
+
+shim (0.7-0ubuntu4) utopic; urgency=medium
+
+ * SECURITY UPDATE: heap overflow and out-of-bounds read access when
+ parsing DHCPv6 information
+ - debian/patches/CVE-2014-3675.patch: apply proper bounds checking
+ when parsing data provided in DHCPv6 packets.
+ - CVE-2014-3675
+ - CVE-2014-3676
+ * SECURITY UPDATE: memory corruption when processing user-provided key
+ lists
+ - debian/patches/CVE-2014-3677.patch: detect malformed machine owner
+ key (MOK) lists and ignore them, avoiding possible memory corruption.
+ - CVE-2014-3677
+
+ -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 08 Oct 2014 06:40:40 +0000
+
+shim (0.7-0ubuntu2) utopic; urgency=medium
+
+ * Restore debian/patches/prototypes, which still is needed on shim 0.7
+ but only detected on the buildds.
+ * Update debian/patches/prototypes with some new declarations needed for
+ openssl 0.9.8za update.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 16:20:08 -0700
+
+shim (0.7-0ubuntu1) utopic; urgency=medium
+
+ * New upstream release.
+ - fix spurious error message when fallback.efi is not present, as will
+ always be the case for removable media. LP: #1297069.
+ - drop most patches, included upstream.
+ * debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick
+ openssl 0.9.8za in via upstream.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 05:40:41 +0000
+
+shim (0.4-0ubuntu5) utopic; urgency=low
+
+ * Install fallback.efi.signed as well, to lay the groundwork for fallback
+ handling (wanted when we have to move a drive between machines, or when
+ the firmware loses its marbles^W nvram).
+
+ -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 04 Aug 2014 12:11:13 +0200
+
+shim (0.4-0ubuntu4) saucy; urgency=low
+
+ * debian/patches/fix-tftp-prototype: pass the right arguments to
+ EFI_PXE_BASE_CODE_TFTP_READ_FILE.
+ * debian/patches/build-with-Werror: Build with -Werror to catch future
+ prototype mismatches.
+ * debian/patches/fix-compiler-warnings: Fix remaining compiler
+ warnings in netboot.c.
+ * debian/patches/tftp-proper-nul-termination: fix nul termination
+ errors in filenames passed to tftp.
+ * debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to
+ the netboot code.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 23 Sep 2013 00:30:00 -0700
+
+shim (0.4-0ubuntu3) saucy; urgency=low
+
+ [ Steve Langasek ]
+ * Install MokManager.efi.signed in the package.
+ * debian/patches/no-output-by-default.patch: Don't print any
+ informational messages. Closes LP: #1074302.
+
+ [ Stéphane Graber ]
+ * debian/patches/no-print-on-unsigned: Don't print an error message when
+ validating an unsigned binary as that tends to hang Lenovo machines.
+ (LP: #1087501)
+
+ -- Stéphane Graber <stgraber@ubuntu.com> Thu, 08 Aug 2013 17:12:12 +0200
+
+shim (0.4-0ubuntu2) saucy; urgency=low
+
+ * Add missing build-dependency on openssl.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 20:30:43 +0000
+
+shim (0.4-0ubuntu1) saucy; urgency=low
+
+ * New upstream release.
+ * Drop debian/patches/shim-before-loadimage; upstream has changed this to
+ not call loadimage at all.
+ * debian/patches/sbsigntool-not-pesign: Sign MokManager with
+ sbsigntool instead of pesign.
+ * Add a versioned build-dependency on gnu-efi.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 12:53:24 -0700
+
+shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low
+
+ * debian/patches/shim-before-loadimage: Use direct verification first
+ before LoadImage. Addresses an issue where Lenovo's SecureBoot
+ implementation pops an error message on any verification failure - avoid
+ calling LoadImage at all unless we have to.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 10 Oct 2012 15:28:40 -0700
+
+shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low
+
+ * debian/patches/second-stage-path: Chainload grubx64.efi, not
+ grub.efi.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 05 Oct 2012 11:20:58 -0700
+
+shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low
+
+ * debian/patches/prototypes: Include missing prototypes, and disable
+ use of BIO_new_file.
+ * Only build the package for amd64; we're not signing an i386 shim at this
+ stage so there's no point in building it.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 17:47:04 +0000
+
+shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low
+
+ * Initial release.
+ * Include the Canonical Secure Boot master CA.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 00:01:06 -0700
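Review bot: the 0.9+1474479173.6c180c6-1 entry says the Debian CA certificate is embedded and that debian/rules is vendorized to build for both Debian and Ubuntu, but not how the build chooses which of the two shipped CAs (canonical-uefi-ca.der, debian-uefi-ca.der) goes into the binary. Since that certificate decides which second-stage loaders shim will accept, add a line naming the selection mechanism (for example the dpkg-vendor check in debian/rules) so the entry documents it.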
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 00000000..ec635144
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+9
diff --git a/debian/control b/debian/control
new file mode 100644
index 00000000..25b0b47e
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,17 @@
+Source: shim
+Section: admin
+Priority: optional
+Maintainer: Steve Langasek <vorlon@debian.org>
+Standards-Version: 3.9.8
+Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl
+Vcs-Bzr: lp:~ubuntu-core-dev/shim/trunk
+
+Package: shim
+Architecture: amd64
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: boot loader to chain-load signed boot loaders under Secure Boot
+ This package provides a minimalist boot loader which allows verifying
+ signatures of other UEFI binaries against either the Secure Boot DB/DBX or
+ against a built-in signature database. Its purpose is to allow a small,
+ infrequently-changing binary to be signed by the UEFI CA, while allowing
+ an OS distributor to revision their main bootloader independently of the CA.
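Review bot: Architecture: amd64 sits oddly next to the 0.9+1474479173.6c180c6-0ubuntu1 changelog entry, which reworked debian/shim.install to pick up shim$arch, mm$arch and fb$arch for an arbitrary architecture. If only amd64 is meant to be built and signed (the 0~20120906.bcd0a4e8-0ubuntu2 entry gives that reason for i386), say so in a comment above the Package stanza so the restriction is not taken for an oversight; and since this is the first Debian upload, Vcs-Bzr pointing at lp:~ubuntu-core-dev/shim/trunk should gain a Vcs-Browser field or be updated to the Debian packaging branch.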
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 00000000..7c08287c
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,254 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: shim
+Upstream-Contact: Matthew Garrett <mjg59@coreos.com>
+Source: https://github.com/mjg59/shim.git
+
+Files: *
+Copyright: 2012-2013 Red Hat, Inc
+ 2009-2016 Intel Corporation
+License: BSD-2-Clause
+
+Files: debian/patches/*
+Copyright: 2016 Canonical Ltd.
+License: BSD-2-Clause
+
+Files: crypt_blowfish.*
+Copyright: none
+License: public-domain
+ No copyright is claimed, and the software is hereby placed in the public
+ domain. In case this attempt to disclaim copyright and place the software
+ in the public domain is deemed null and void, then the software is
+ Copyright (c) 2000-2011 Solar Designer and it is hereby released to the
+ general public under the following terms:
+ .
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted.
+ .
+ There's ABSOLUTELY NO WARRANTY, express or implied.
+
+Files: httpboot.*
+Copyright: 2015 SUSE LINUX GmbH
+License: BSD-2-Clause
+
+Files: include/Http.h
+Copyright: 2016 Intel Corporation
+ 2015 Hewlett Packard Enterprise Development LP
+License: BSD-2-Clause
+
+Files: include/PeImage.h
+Copyright: 2006-2010 Intel Corporation
+ 2008-2009 Apple Inc
+License: BSD-2-Clause
+
+Files: lib/*.c
+Copyright: 2011-2012 Intel Corporation
+ 2012 <James.Bottomley@HansenPartnership.com>
+ 2012-2013 Red Hat, Inc
+License: BSD-2-Clause
+
+Files: Cryptlib/OpenSSL/* Cryptlib/Include/openssl/*
+Copyright: 1998-2016 The OpenSSL Project
+ 1995-1998 Eric Young (eay@cryptsoft.com)
+ 2002 Sun Microsystems, Inc
+ 2005 Nokia
+License: OpenSSL and Original-SSLeay
+ OpenSSL License
+ ---------------
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ .
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ .
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in
+ the documentation and/or other materials provided with the
+ distribution.
+ .
+ 3. All advertising materials mentioning features or use of this
+ software must display the following acknowledgment:
+ "This product includes software developed by the OpenSSL Project
+ for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ .
+ 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ endorse or promote products derived from this software without
+ prior written permission. For written permission, please contact
+ openssl-core@openssl.org.
+ .
+ 5. Products derived from this software may not be called "OpenSSL"
+ nor may "OpenSSL" appear in their names without prior written
+ permission of the OpenSSL Project.
+ .
+ 6. Redistributions of any form whatsoever must retain the following
+ acknowledgment:
+ "This product includes software developed by the OpenSSL Project
+ for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ .
+ THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ OF THE POSSIBILITY OF SUCH DAMAGE.
+ ====================================================================
+ .
+ This product includes cryptographic software written by Eric Young
+ (eay@cryptsoft.com). This product includes software written by Tim
+ Hudson (tjh@cryptsoft.com).
+ .
+ Original SSLeay License
+ -----------------------
+ This package is an SSL implementation written
+ by Eric Young (eay@cryptsoft.com).
+ The implementation was written so as to conform with Netscapes SSL.
+ .
+ This library is free for commercial and non-commercial use as long as
+ the following conditions are aheared to. The following conditions
+ apply to all code found in this distribution, be it the RC4, RSA,
+ lhash, DES, etc., code; not just the SSL code. The SSL documentation
+ included with this distribution is covered by the same copyright terms
+ except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ .
+ Copyright remains Eric Young's, and as such any Copyright notices in
+ the code are not to be removed.
+ If this package is used in a product, Eric Young should be given attribution
+ as the author of the parts of the library used.
+ This can be in the form of a textual message at program startup or
+ in documentation (online or textual) provided with the package.
+ .
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the copyright
+ notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ 3. All advertising materials mentioning features or use of this software
+ must display the following acknowledgement:
+ "This product includes cryptographic software written by
+ Eric Young (eay@cryptsoft.com)"
+ The word 'cryptographic' can be left out if the rouines from the library
+ being used are not cryptographic related :-).
+ 4. If you include any Windows specific code (or a derivative thereof) from
+ the apps directory (application code) you must include an acknowledgement:
+ "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ .
+ THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.
+ .
+ The licence and distribution terms for any publically available version or
+ derivative of this code cannot be changed. i.e. this code cannot simply be
+ copied and put under another distribution licence
+ [including the GNU Public Licence.]
+
+Files: Cryptlib/Include/openssl/seed.h
+Copyright: 2007 KISA(Korea Information Security Agency)
+License: BSD-2-Clause
+
+Files: Cryptlib/OpenSSL/crypto/o_dir.h Cryptlib/OpenSSL/crypto/LPdir_nyi.c
+Copyright: 2004, Richard Levitte <richard@levitte.org>
+License: BSD-2-Clause
+
+Files: Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c Cryptlib/OpenSSL/crypto/x509v3/v3_pcia.c
+Copyright: 2004 Kungliga Tekniska Högskolan
+License: BSD-3-Clause-Institute
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ .
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ .
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ .
+ 3. Neither the name of the Institute nor the names of its contributors
+ may be used to endorse or promote products derived from this software
+ without specific prior written permission.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.
+
+Files: Cryptlib/OpenSSL/crypto/bn/rsaz_exp.h
+Copyright: 2012, Intel Corporation
+License: BSD-3-Clause-Intel
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are
+ met:
+ .
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ .
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the
+ distribution.
+ .
+ * Neither the name of the Intel Corporation nor the names of its
+ contributors may be used to endorse or promote products derived from
+ this software without specific prior written permission.
+ .
+ THIS SOFTWARE IS PROVIDED BY INTEL CORPORATION ""AS IS"" AND ANY
+ EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL INTEL CORPORATION OR
+ CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+License: BSD-2-Clause
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ .
+ Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ .
+ Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the
+ distribution.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ OF THE POSSIBILITY OF SUCH DAMAGE.
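Review bot: the "Files: debian/patches/*" stanza attributes every patch to 2016 Canonical Ltd., but debian/patches/gcc5-includes-stdarg.patch in this same commit carries "From: Peter Jones <pjones@redhat.com>" with a 7 Apr 2015 date and a Red Hat Signed-off-by, so that file's copyright is Red Hat's. Either add "2015 Red Hat, Inc" to that stanza or give gcc5-includes-stdarg.patch its own Files: stanza; otherwise the copyright file is wrong for exactly the file the Julien Cristau entry says was fixed.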
diff --git a/debian/debian-uefi-ca.der b/debian/debian-uefi-ca.der
new file mode 100644
index 00000000..1dd6ee16
--- /dev/null
+++ b/debian/debian-uefi-ca.der
Binary files differ
diff --git a/debian/patches/gcc-5.diff b/debian/patches/gcc-5.diff
new file mode 100644
index 00000000..e706c3ab
--- /dev/null
+++ b/debian/patches/gcc-5.diff
@@ -0,0 +1,45 @@
+---
+ Cryptlib/Makefile | 2 +-
+ Cryptlib/OpenSSL/Makefile | 2 +-
+ Makefile | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+Index: b/Makefile
+===================================================================
+--- a/Makefile
++++ b/Makefile
+@@ -19,7 +19,7 @@ EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(A
+ EFI_LDS = elf_$(ARCH)_efi.lds
+
+ DEFAULT_LOADER := \\\\grubx64.efi
+-CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
++CFLAGS = -std=gnu89 -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
+ -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
+ -Werror=sign-compare \
+ "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
+Index: b/Cryptlib/Makefile
+===================================================================
+--- a/Cryptlib/Makefile
++++ b/Cryptlib/Makefile
+@@ -1,7 +1,7 @@
+
+ EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
+
+-CFLAGS = -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
++CFLAGS = -std=gnu89 -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
+ -Wall $(EFI_INCLUDES)
+
+ ifeq ($(ARCH),x86_64)
+Index: b/Cryptlib/OpenSSL/Makefile
+===================================================================
+--- a/Cryptlib/OpenSSL/Makefile
++++ b/Cryptlib/OpenSSL/Makefile
+@@ -1,7 +1,7 @@
+
+ EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
+
+-CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \
++CFLAGS = -std=gnu89 -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \
+ -Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC
+
+ ifeq ($(ARCH),x86_64)
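Review bot: this patch carries no DEP-3 header (Description, Author, Origin, Forwarded or Applied-Upstream), only a diffstat, so a reader cannot tell why -std=gnu89 is forced on the three CFLAGS lines or whether it is still needed. The 0.9+1465500757.14a5905-0ubuntu1 changelog entry says the GCC 5 build failure is fixed upstream and lists only second-stage-path and sbsigntool-not-pesign as remaining patches, and debian/patches/series is two lines, so gcc-5.diff (like gcc5-includes-stdarg.patch and prototypes) looks like an unapplied leftover; delete it, or add a header stating why it is kept.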
diff --git a/debian/patches/gcc5-includes-stdarg.patch b/debian/patches/gcc5-includes-stdarg.patch
new file mode 100644
index 00000000..57cf4a8e
--- /dev/null
+++ b/debian/patches/gcc5-includes-stdarg.patch
@@ -0,0 +1,129 @@
+From d51739a416400ad348d8a1c7e3886abce11fff1b Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 7 Apr 2015 11:59:25 -0400
+Subject: [PATCH] gcc 5.0 changes some include bits, so copy what arm does on
+ x86.
+
+Basically they messed around with stdarg some and now we need to do it
+the other way.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ Cryptlib/Include/OpenSslSupport.h | 4 +++-
+ Cryptlib/Makefile | 3 ++-
+ Cryptlib/OpenSSL/Makefile | 5 +++--
+ Makefile | 17 ++++++-----------
+ MokManager.c | 1 +
+ 5 files changed, 15 insertions(+), 15 deletions(-)
+
+Index: b/Cryptlib/Include/OpenSslSupport.h
+===================================================================
+--- a/Cryptlib/Include/OpenSslSupport.h
++++ b/Cryptlib/Include/OpenSslSupport.h
+@@ -34,7 +34,7 @@ typedef VOID *FILE;
+ //
+ // Map all va_xxxx elements to VA_xxx defined in MdePkg/Include/Base.h
+ //
+-#if !defined(__CC_ARM) // if va_list is not already defined
++#if !defined(__CC_ARM) || defined(_STDARG_H) // if va_list is not already defined
+ /*
+ * These are now unconditionally #defined by GNU_EFI's efistdarg.h,
+ * so we should #undef them here before providing a new definition.
+@@ -94,7 +94,9 @@ typedef __builtin_va_list VA_LIST;
+ portably, hence it is provided by a Standard C header file.
+ For pre-Standard C compilers, here is a version that usually works
+ (but watch out!): */
++#ifndef offsetof
+ #define offsetof(type, member) ( (int) & ((type*)0) -> member )
++#endif
+
+ //
+ // Basic types from EFI Application Toolkit required to buiild Open SSL
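Review bot: guarding the fallback with `#ifndef offsetof` is the right move now that the Makefile adds the compiler's include directory, because stddef.h's definition will normally win. A comment should say why that matters: the fallback `( (int) & ((type*)0) -> member )` truncates the result to `int`, which is narrower than a pointer on x86_64 and aarch64, so it must only ever be reached on a compiler that provides no `offsetof` at all.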
+Index: b/Cryptlib/Makefile
+===================================================================
+--- a/Cryptlib/Makefile
++++ b/Cryptlib/Makefile
+@@ -2,7 +2,8 @@
+ EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
+
+ CFLAGS = -std=gnu89 -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
+- -Wall $(EFI_INCLUDES)
++ -Wall $(EFI_INCLUDES) \
++ -ffreestanding -I$(shell $(CC) -print-file-name=include)
+
+ ifeq ($(ARCH),x86_64)
+ CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \
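Review bot: `CFLAGS` is assigned with `=` (recursively expanded), so `$(shell $(CC) -print-file-name=include)` is re-run on every expansion of CFLAGS, i.e. once per compile; hoist it into an immediately assigned variable (something like `GCC_INCLUDE := $(shell $(CC) -print-file-name=include)`, name illustrative) and reference that. The directory it yields is the compiler's private include dir (stdarg.h, stddef.h), and note that in this Makefile `-nostdinc` is only added in the x86_64 block below, whereas Cryptlib/OpenSSL/Makefile carries it on the common CFLAGS line; a comment stating that the freestanding intent is to search only this directory plus `$(EFI_INCLUDES)` would keep someone from later adding the host's /usr/include to cure a missing header.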
+Index: b/Cryptlib/OpenSSL/Makefile
+===================================================================
+--- a/Cryptlib/OpenSSL/Makefile
++++ b/Cryptlib/OpenSSL/Makefile
+@@ -2,6 +2,7 @@
+ EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
+
+ CFLAGS = -std=gnu89 -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \
++ -ffreestanding -I$(shell $(CC) -print-file-name=include) \
+ -Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC
+
+ ifeq ($(ARCH),x86_64)
+@@ -13,10 +14,10 @@ ifeq ($(ARCH),ia32)
+ -m32 -DTHIRTY_TWO_BIT
+ endif
+ ifeq ($(ARCH),aarch64)
+- CFLAGS += -O2 -DSIXTY_FOUR_BIT_LONG -ffreestanding -I$(shell $(CC) -print-file-name=include)
++ CFLAGS += -O2 -DSIXTY_FOUR_BIT_LONG
+ endif
+ ifeq ($(ARCH),arm)
+- CFLAGS += -O2 -DTHIRTY_TWO_BIT -ffreestanding -I$(shell $(CC) -print-file-name=include)
++ CFLAGS += -O2 -DTHIRTY_TWO_BIT
+ endif
+ LDFLAGS = -nostdlib -znocombreloc
+
+Index: b/Makefile
+===================================================================
+--- a/Makefile
++++ b/Makefile
+@@ -21,7 +21,8 @@ EFI_LDS = elf_$(ARCH)_efi.lds
+ DEFAULT_LOADER := \\\\grubx64.efi
+ CFLAGS = -std=gnu89 -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
+ -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
+- -Werror=sign-compare \
++ -Werror=sign-compare -ffreestanding \
++ -I$(shell $(CC) -print-file-name=include) \
+ "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
+ "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
+ $(EFI_INCLUDES)
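Review bot: `-ffreestanding` implies `-fno-builtin`, so the `-fno-builtin` two lines above becomes redundant once this hunk lands. Harmless, but with the flags spread over several continuation lines the relationship is easy to miss; keep the freestanding-related flags together with a short comment, or drop the redundant one.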
+@@ -31,19 +32,13 @@ ifneq ($(origin OVERRIDE_SECURITY_POLICY
+ endif
+
+ ifeq ($(ARCH),x86_64)
+- CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \
++ CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
++ -maccumulate-outgoing-args \
+ -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI
+ endif
+ ifeq ($(ARCH),ia32)
+- CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -m32
+-endif
+-
+-ifeq ($(ARCH),aarch64)
+- CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include)
+-endif
+-
+-ifeq ($(ARCH),arm)
+- CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include)
++ CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
++ -maccumulate-outgoing-args -m32
+ endif
+
+ ifneq ($(origin VENDOR_CERT_FILE), undefined)
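Review bot: after this hunk `-nostdinc` is still only set in the x86_64 and ia32 blocks, while the compiler include directory from the previous hunk is added for every architecture; arm and aarch64 builds therefore keep the host's system include paths in scope, which is exactly the situation in which a stray libc include would compile against headers the EFI binary cannot link. If all architectures are meant to build freestanding, move `-nostdinc` to the common CFLAGS next to `-ffreestanding` instead of leaving it per-arch.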
+Index: b/MokManager.c
+===================================================================
+--- a/MokManager.c
++++ b/MokManager.c
+@@ -1,5 +1,6 @@
+ #include <efi.h>
+ #include <efilib.h>
++#include <stdarg.h>
+ #include <Library/BaseCryptLib.h>
+ #include <openssl/x509.h>
+ #include "shim.h"
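Review bot: `#include <stdarg.h>` resolves here only because the Makefile change adds the compiler's include directory, and if the intent (per the patch description) is to have `_STDARG_H` defined before OpenSslSupport.h decides whether to redefine the `va_*` macros, the include must stay ahead of `<Library/BaseCryptLib.h>`. That ordering constraint is invisible to the next person reshuffling these includes; a one-line comment on this include saying it must precede the Cryptlib headers would protect it.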
diff --git a/debian/patches/prototypes b/debian/patches/prototypes
new file mode 100644
index 00000000..7191e102
--- /dev/null
+++ b/debian/patches/prototypes
@@ -0,0 +1,191 @@
+Description: Include missing prototypes, and disable use of BIO_new_file
+ Pull in missing prototypes for functions that are not yet upstream in
+ gnu-efi, and #ifdef out references to BIO_new_file(), BIO_new_fp(), and
+ X509_load_{cert,crl}_file since the prototypes are themselves #ifdef'ed
+ out.
+ .
+ Without these prototypes, we get implicit conversions on amd64, which
+ are sensibly treated as a build failure by Launchpad.
+Author: Steve Langasek <steve.langasek@ubuntu.com>
+
+Index: shim/Cryptlib/Library/BaseMemoryLib.h
+===================================================================
+--- /dev/null
++++ shim/Cryptlib/Library/BaseMemoryLib.h
+@@ -0,0 +1,41 @@
++#ifndef __BASE_MEMORY_LIB__
++#define __BASE_MEMORY_LIB__
++
++CHAR8 *
++ScanMem8 (
++ IN CHAR8 *Buffer,
++ IN UINTN Size,
++ IN CHAR8 Value
++ );
++
++UINT32
++WriteUnaligned32(
++ UINT32 *Buffer,
++ UINT32 Value
++ );
++
++CHAR8 *
++AsciiStrCat(
++ CHAR8 *Destination,
++ CHAR8 *Source
++ );
++
++CHAR8 *
++AsciiStrCpy(
++ CHAR8 *Destination,
++ CHAR8 *Source
++ );
++
++CHAR8 *
++AsciiStrnCpy(
++ CHAR8 *Destination,
++ CHAR8 *Source,
++ UINTN count
++ );
++
++UINTN
++AsciiStrSize(
++ CHAR8 *string
++ );
++
++#endif
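Review bot: these prototypes must match the definitions in Cryptlib exactly, otherwise they only swap an implicit declaration for an equally wrong explicit one. If they are meant to mirror EDK2, note that EDK2 declares ScanMem8 as returning `VOID *` and taking `IN CONST VOID *Buffer, IN UINTN Length, IN UINT8 Value`, not `CHAR8`; please diff them against the actual function bodies. Also mark `Source` and `string` as `CONST CHAR8 *` so callers can pass literals, and use the `IN`/`OUT` annotations consistently (only `ScanMem8` has them). `AsciiStrCat` and `AsciiStrCpy` are unbounded copies; now that they are trivially callable, a comment pointing callers at `AsciiStrnCpy` for anything whose length has not already been checked is a cheap guardrail.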
+Index: shim/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c
+===================================================================
+--- shim.orig/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c
++++ shim/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c
+@@ -157,6 +157,7 @@
+ }
+ OPENSSL_free(tmp_data2);
+ }
++#ifndef OPENSSL_NO_STDIO
+ else if (strncmp(val->value, "file:", 5) == 0)
+ {
+ unsigned char buf[2048];
+@@ -194,6 +195,7 @@
+ goto err;
+ }
+ }
++#endif
+ else if (strncmp(val->value, "text:", 5) == 0)
+ {
+ val_len = strlen(val->value + 5);
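Review bot: the `#ifndef OPENSSL_NO_STDIO` opened in the previous hunk, between a closing `}` and `else if`, is balanced only by the `#endif` inserted here, after the `file:` branch's closing `}` and before `else if (strncmp(val->value, "text:", 5) == 0)`. Splicing a middle `else if` out with the preprocessor is legal but fragile under reordering; a comment on the `#endif` naming the `file:` source it closes ties the two halves together. Dropping the `file:` source is also the right outcome for a boot-time verifier, since it removes a path by which policy language could be read from a filesystem.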
+Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_def.c
+===================================================================
+--- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_def.c
++++ shim/Cryptlib/OpenSSL/crypto/conf/conf_def.c
+@@ -186,11 +186,13 @@
+ int ret;
+ BIO *in=NULL;
+
++#ifndef OPENSSL_NO_STDIO
+ #ifdef OPENSSL_SYS_VMS
+ in=BIO_new_file(name, "r");
+ #else
+ in=BIO_new_file(name, "rb");
+ #endif
++#endif
+ if (in == NULL)
+ {
+ if (ERR_GET_REASON(ERR_peek_last_error()) == BIO_R_NO_SUCH_FILE)
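Review bot: with `BIO_new_file` compiled out, `in` stays NULL and the existing failure branch runs, which is the right outcome, but that branch then inspects `ERR_peek_last_error()` for `BIO_R_NO_SUCH_FILE`, and nothing in this function has pushed an error, so it is reading whatever stale entry an earlier, unrelated call left on the error queue. Push an explicit error in an `#else` branch (or return early there) so the failure report is deterministic.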
+Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_lib.c
+===================================================================
+--- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_lib.c
++++ shim/Cryptlib/OpenSSL/crypto/conf/conf_lib.c
+@@ -92,11 +92,13 @@
+ LHASH *ltmp;
+ BIO *in=NULL;
+
++#ifndef OPENSSL_NO_STDIO
+ #ifdef OPENSSL_SYS_VMS
+ in=BIO_new_file(file, "r");
+ #else
+ in=BIO_new_file(file, "rb");
+ #endif
++#endif
+ if (in == NULL)
+ {
+ CONFerr(CONF_F_CONF_LOAD,ERR_R_SYS_LIB);
+Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_sap.c
+===================================================================
+--- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_sap.c
++++ shim/Cryptlib/OpenSSL/crypto/conf/conf_sap.c
+@@ -93,12 +93,14 @@
+ {
+ BIO *bio_err;
+ ERR_load_crypto_strings();
++#ifndef OPENSSL_NO_STDIO
+ if ((bio_err=BIO_new_fp(stderr, BIO_NOCLOSE)) != NULL)
+ {
+ BIO_printf(bio_err,"Auto configuration failed\n");
+ ERR_print_errors(bio_err);
+ BIO_free(bio_err);
+ }
++#endif
+ exit(1);
+ }
+
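Review bot: under `OPENSSL_NO_STDIO` this path now reaches `exit(1)` with no diagnostic at all, `bio_err` becomes an unused variable that `-Wall` will flag, and `ERR_load_crypto_strings()` is still called even though the build also passes `-DOPENSSL_NO_ERR`. Confirm what `exit()` maps to in the Cryptlib/UEFI environment: if it is a stub that returns, control falls out of this function as though auto-configuration had succeeded. A comment stating that auto-configuration failure is fatal and silent here would spare the next reader the same check.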
+Index: shim/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c
+===================================================================
+--- shim.orig/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c
++++ shim/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c
+@@ -374,11 +374,15 @@
+ BIO *in;
+ EVP_PKEY *key;
+ fprintf(stderr, "(TEST_ENG_OPENSSL_PKEY)Loading Private key %s\n", key_id);
++#ifndef OPENSSL_NO_STDIO
+ in = BIO_new_file(key_id, "r");
+ if (!in)
+ return NULL;
+ key = PEM_read_bio_PrivateKey(in, NULL, 0, NULL);
+ BIO_free(in);
++#else
++ return NULL;
++#endif
+ return key;
+ }
+ #endif
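Review bot: the `#ifndef` starts one line too late: `fprintf(stderr, ...)` just above it is still compiled unconditionally, so an `OPENSSL_NO_STDIO` build still needs `stderr` and `fprintf` here. In that configuration `in` and `key` are also unused (`key` is declared and never assigned), and `return key;` after the `#else return NULL; #endif` is unreachable, all of which `-Wall` will report. The enclosing `#endif` visible below suggests this is already test-only code, so wrapping the whole function in the conditional is the simplest fix.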
+Index: shim/Cryptlib/OpenSSL/crypto/x509/by_dir.c
+===================================================================
+--- shim.orig/Cryptlib/OpenSSL/crypto/x509/by_dir.c
++++ shim/Cryptlib/OpenSSL/crypto/x509/by_dir.c
+@@ -92,8 +92,10 @@
+ static int new_dir(X509_LOOKUP *lu);
+ static void free_dir(X509_LOOKUP *lu);
+ static int add_cert_dir(BY_DIR *ctx,const char *dir,int type);
++#ifndef OPENSSL_NO_STDIO
+ static int get_cert_by_subject(X509_LOOKUP *xl,int type,X509_NAME *name,
+ X509_OBJECT *ret);
++#endif
+ X509_LOOKUP_METHOD x509_dir_lookup=
+ {
+ "Load certs from files in a directory",
+@@ -102,7 +104,11 @@
+ NULL, /* init */
+ NULL, /* shutdown */
+ dir_ctrl, /* ctrl */
++#ifdef OPENSSL_NO_STDIO
++ NULL, /* get_by_subject */
++#else
+ get_cert_by_subject, /* get_by_subject */
++#endif
+ NULL, /* get_by_issuer_serial */
+ NULL, /* get_by_fingerprint */
+ NULL, /* get_by_alias */
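Review bot: a NULL `get_by_subject` relies on `X509_LOOKUP_by_subject` checking the method pointer before dereferencing it; OpenSSL does return `X509_LU_FAIL` when `method->get_by_subject` is NULL, so the directory lookup fails closed, which is the right direction for a signature verifier, but say so in a comment next to the NULL. Note that `dir_ctrl` and `add_cert_dir` remain live, so a caller can still configure directory lookups that can never return a certificate; that is harmless but worth a sentence in the patch description.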
+@@ -242,6 +248,7 @@
+ return(1);
+ }
+
++#ifndef OPENSSL_NO_STDIO
+ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
+ X509_OBJECT *ret)
+ {
+@@ -383,3 +390,4 @@
+ if (b != NULL) BUF_MEM_free(b);
+ return(ok);
+ }
++#endif
diff --git a/debian/patches/sbsigntool-not-pesign b/debian/patches/sbsigntool-not-pesign
new file mode 100644
index 00000000..9629cb12
--- /dev/null
+++ b/debian/patches/sbsigntool-not-pesign
@@ -0,0 +1,26 @@
+Description: Sign MokManager with sbsigntool instead of pesign
+ Ubuntu infrastructure uses sbsigntool for all other EFI signing, so we use
+ the same thing for signing MokManager with our ephemeral key. This also
+ avoids an additional build dependency on libnss3-tools.
+Author: Steve Langasek <steve.langasek@canonical.com>
+Forwarded: not-needed
+
+---
+ Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: b/Makefile
+===================================================================
+--- a/Makefile
++++ b/Makefile
+@@ -158,8 +158,8 @@ endif
+ -j .note.gnu.build-id \
+ $(FORMAT) $^ $@.debug
+
+-%.efi.signed: %.efi certdb/secmod.db
+- pesign -n certdb -i $< -c "shim" -s -o $@ -f
++%.efi.signed: %.efi shim.crt
++ sbsign --key shim.key --cert shim.crt $<
+
+ clean:
+ $(MAKE) -C Cryptlib clean
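Review bot: the recipe relies on `sbsign` writing to `$<.signed` by default, which equals `$@` only while the pattern stays `%.efi.signed`; pass `--output $@` explicitly so make's target and sbsign's output cannot drift apart. `shim.key` is used but not listed as a prerequisite, so regenerating the ephemeral key without touching `shim.crt` will not re-sign the `.efi.signed` targets; add it next to `shim.crt`.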
diff --git a/debian/patches/second-stage-path b/debian/patches/second-stage-path
new file mode 100644
index 00000000..da53af8e
--- /dev/null
+++ b/debian/patches/second-stage-path
@@ -0,0 +1,24 @@
+Description: Chainload grubx64.efi, not grub.efi
+ We qualify the second stage bootloader image with the architecture name,
+ so we're forwards-compatible with any future 32-bit implementations.
+ (Non-SB grub doesn't conflict, since the image will be named bootia32.efi
+ anyway, not grub.efi.)
+Author: Steve Langasek <steve.langasek@ubuntu.com>
+
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: b/Makefile
+===================================================================
+--- a/Makefile
++++ b/Makefile
+@@ -25,7 +25,7 @@ EFI_LIBS = -lefi -lgnuefi --start-group
+ EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
+ EFI_LDS = elf_$(ARCH)_efi.lds
+
+-DEFAULT_LOADER := \\\\grub.efi
++DEFAULT_LOADER := \\\\grubx64.efi
+ CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
+ -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
+ -Werror=sign-compare -ffreestanding -std=gnu89 \
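Review bot: the description says the second stage is qualified with the architecture name for forward compatibility with 32-bit builds, but the hunk hardcodes `grubx64.efi`, so an ia32, arm or aarch64 shim (all handled via `$(ARCH)` elsewhere in this Makefile) would chainload a file named for a different architecture. Derive the default from `$(ARCH)` or an arch-suffix variable instead. Separately, the CFLAGS context here already contains `-ffreestanding -std=gnu89`, unlike the Makefile that the gcc5 patch file added in this commit expects, which hints the two target different upstream snapshots.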
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 00000000..a5f3392d
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+second-stage-path
+sbsigntool-not-pesign
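Review bot: `debian/patches/gcc5-includes-stdarg.patch` and `debian/patches/prototypes` are added by this same commit but are not listed here, so quilt will never apply them; either they are stale files that should be dropped, or the series is incomplete. The Makefile context in `second-stage-path` already carries `-ffreestanding`, which suggests the gcc5 change has landed upstream and the file is dead weight, but that should be stated (in the changelog or by removing the files) rather than left for the reader to infer.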
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 00000000..f368a197
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,21 @@
+#!/usr/bin/make -f
+
+# Other vendors, add your certs here. No sense in using
+# dpkg-vendor --derives-from, because only Canonical-generated binaries will
+# be signed with this key; so if you are building your own shim binary you
+# should be building the other binaries also.
+ifeq ($(shell dpkg-vendor --is ubuntu && echo yes),yes)
+ cert=debian/canonical-uefi-ca.der
+else
+ cert=debian/debian-uefi-ca.der
+endif
+
+%:
+ dh $@ --parallel
+
+override_dh_auto_build:
+ dh_auto_build -- EFI_PATH=/usr/lib VENDOR_CERT_FILE=$(cert)
+
+override_dh_fixperms:
+ dh_fixperms
+ chmod a-x debian/shim/usr/lib/shim/shimx64.efi
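Review bot: `override_dh_fixperms` hardcodes `shimx64.efi`, while `debian/shim.install` installs `shim*.efi`; on any other architecture the `chmod` names a file that does not exist, fails, and breaks the build. Glob it (`chmod a-x debian/shim/usr/lib/shim/*.efi*`) so the signed MokManager and fallback images are covered as well. The `dpkg-vendor --is ubuntu` test also silently picks the trust anchor shim will embed: a derivative that is neither Debian nor Ubuntu gets the Debian CA with no warning. Consider failing the build when no vendor matches, and echo the chosen `cert` in the build log so the embedded CA is visible in buildd output.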
diff --git a/debian/shim.install b/debian/shim.install
new file mode 100644
index 00000000..f37f6d19
--- /dev/null
+++ b/debian/shim.install
@@ -0,0 +1,3 @@
+shim*.efi /usr/lib/shim
+mm*.efi.signed /usr/lib/shim
+fb*.efi.signed /usr/lib/shim
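Review bot: `shim*.efi` picks up the unsigned shim image while MokManager and fallback are installed as `.signed` (the output of the `sbsign` rule in the sbsigntool-not-pesign patch). That asymmetry is presumably deliberate, shim itself being signed outside the package build, but nothing in the packaging says so, and someone tidying this file could easily "fix" it to `shim*.efi.signed`. A comment in debian/rules stating why shim ships unsigned would prevent that.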
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 00000000..163aaf8d
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/source/include-binaries b/debian/source/include-binaries
new file mode 100644
index 00000000..d82be748
--- /dev/null
+++ b/debian/source/include-binaries
@@ -0,0 +1,2 @@
+debian/canonical-uefi-ca.der
+debian/debian-uefi-ca.der
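Review bot: these two DER files are the trust anchors that `VENDOR_CERT_FILE` bakes into shim, so a swapped or corrupted certificate is a silent change to what the bootloader accepts, and a binary diff is the only evidence of it. Record their expected SHA-256 fingerprints somewhere reviewable (README.source or the changelog) and check them during the build, e.g. `openssl x509 -inform der -noout -fingerprint -sha256 -in debian/debian-uefi-ca.der`, failing the build on mismatch.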
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 00000000..361d88c4
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,5 @@
+# Compulsory line, this is a version 4 file
+version=4
+
+opts="repack,compression=xz,filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/shim-$1\.tar\.gz/" \
+ https://github.com/mjg59/shim/releases .*/v?(\d\S*)\.tar\.gz
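Review bot: the watch file fetches GitHub's auto-generated release tarballs with no signature check (no `pgpmode` or `pgpsigurlmangle`), so uscan trusts TLS to github.com alone for a component that sits in the Secure Boot chain. If upstream publishes signed tags or tarballs, add the matching `pgpmode` option and ship the upstream key under debian/upstream/signing-key.asc; if not, note in README.source which upstream commit the repacked tarball is expected to correspond to so its provenance can be checked independently.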