Import Debian changes 0.9+1474479173.6c180c6-1ubuntu1debian/0.9+1474479173.6c180c6-1ubuntu1

shim (0.9+1474479173.6c180c6-1ubuntu1) zesty; urgency=medium

  [ Steve Langasek ]
  * Merge (not yet NEW cleared) changes from Debian branch.

  [ Mathieu Trudel-Lapierre ]
  * debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: guard
    against errors in mirroring MokSBState to MokSBStateRT. Thanks to Ivan Hu
    for the patch. This will fix issues updating MokSBStateRT if the variable
    already exists with different attributes. (LP: #1644806)

5 files changed, 96 insertions, 120 deletions

diff --git a/debian/changelog b/debian/changelog
index 07286132..8dc7b8ff 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,18 @@
-shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium
+shim (0.9+1474479173.6c180c6-1ubuntu1) zesty; urgency=medium
 
   [ Steve Langasek ]
+  * Merge (not yet NEW cleared) changes from Debian branch.
+
+  [ Mathieu Trudel-Lapierre ]
+  * debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: guard
+    against errors in mirroring MokSBState to MokSBStateRT. Thanks to Ivan Hu
+    for the patch. This will fix issues updating MokSBStateRT if the variable
+    already exists with different attributes. (LP: #1644806)
+
+ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Thu, 01 Dec 2016 16:55:50 -0500
+
+shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium
+
   * Initial Debian upload.  Closes: #820052.
   * Update Standards-Version.
   * Embed the newly-minted Debian CA certificate.
@@ -13,19 +25,15 @@ shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium
   * Update Vcs-Bzr.
   * Resync with Ubuntu, including patch to fix debian/copyright.
 
-  [ Julien Cristau ]
-  * Add some missing copyright holders in d/copyright, update
-    Upstream-Contact.  Thanks to Helen Koike for the help.
+ -- Steve Langasek <vorlon@debian.org>  Sat, 01 Oct 2016 14:18:53 -0700
 
- -- Julien Cristau <jcristau@debian.org>  Sat, 15 Oct 2016 15:17:34 +0200
-
-shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium
+shim (0.9+1474479173.6c180c6-0ubuntu1) yakkety; urgency=medium
 
   [ Helen Koike ]
   * debian/copyright: add OpenSSL license 
 
   [ Mathieu Trudel-Lapierre ]
-  * New upstream release.
+  * New upstream release. (LP: #1624096)
   * debian/copyright: patches should be BSD, like the rest of the upstream
     code.
   * debian/patches/unused-variable: dropped; applied upstream.
@@ -34,7 +42,7 @@ shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium
     file to properly pick up shim (shim$arch), MokManager (mm$arch), and
     fallback (fb$arch).
 
- -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Wed, 21 Sep 2016 20:29:44 -0400
+ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Thu, 22 Sep 2016 15:02:20 -0400
 
 shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium
 
diff --git a/debian/control b/debian/control
index 25b0b47e..06d4239b 100644
--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,8 @@
 Source: shim
 Section: admin
 Priority: optional
-Maintainer: Steve Langasek <vorlon@debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Steve Langasek <vorlon@debian.org>
 Standards-Version: 3.9.8
 Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl
 Vcs-Bzr: lp:~ubuntu-core-dev/shim/trunk
diff --git a/debian/copyright b/debian/copyright
index 7c08287c..6c8adf16 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,56 +1,20 @@
 Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: shim
-Upstream-Contact: Matthew Garrett <mjg59@coreos.com>
+Upstream-Contact: Matthew Garrett <mjg@redhat.com>
 Source: https://github.com/mjg59/shim.git
 
 Files: *
-Copyright: 2012-2013 Red Hat, Inc
-	2009-2016 Intel Corporation
+Copyright: 2012 Red Hat, Inc
+	2009-2012 Intel Corporation
 License: BSD-2-Clause
 
 Files: debian/patches/*
 Copyright: 2016 Canonical Ltd.
 License: BSD-2-Clause
 
-Files: crypt_blowfish.*
-Copyright: none
-License: public-domain
-  No copyright is claimed, and the software is hereby placed in the public
-  domain.  In case this attempt to disclaim copyright and place the software
-  in the public domain is deemed null and void, then the software is
-  Copyright (c) 2000-2011 Solar Designer and it is hereby released to the
-  general public under the following terms:
-  .
-  Redistribution and use in source and binary forms, with or without
-  modification, are permitted.
-  .
-  There's ABSOLUTELY NO WARRANTY, express or implied.
-
-Files: httpboot.*
-Copyright: 2015 SUSE LINUX GmbH
-License: BSD-2-Clause
-
-Files: include/Http.h
-Copyright: 2016 Intel Corporation
-	2015 Hewlett Packard Enterprise Development LP
-License: BSD-2-Clause
-
-Files: include/PeImage.h
-Copyright: 2006-2010 Intel Corporation
-	2008-2009 Apple Inc
-License: BSD-2-Clause
-
-Files: lib/*.c
-Copyright: 2011-2012 Intel Corporation
-	2012 <James.Bottomley@HansenPartnership.com>
-	2012-2013 Red Hat, Inc
-License: BSD-2-Clause
-
 Files: Cryptlib/OpenSSL/* Cryptlib/Include/openssl/*
 Copyright: 1998-2016 The OpenSSL Project
 	1995-1998 Eric Young (eay@cryptsoft.com)
-	2002 Sun Microsystems, Inc
-	2005 Nokia
 License: OpenSSL and Original-SSLeay
  OpenSSL License
  ---------------
@@ -59,7 +23,7 @@ License: OpenSSL and Original-SSLeay
  are met:
  .
  1. Redistributions of source code must retain the above copyright
-    notice, this list of conditions and the following disclaimer.
+    notice, this list of conditions and the following disclaimer. 
  .
  2. Redistributions in binary form must reproduce the above copyright
     notice, this list of conditions and the following disclaimer in
@@ -137,7 +101,7 @@ License: OpenSSL and Original-SSLeay
      Eric Young (eay@cryptsoft.com)"
     The word 'cryptographic' can be left out if the rouines from the library
     being used are not cryptographic related :-).
- 4. If you include any Windows specific code (or a derivative thereof) from
+ 4. If you include any Windows specific code (or a derivative thereof) from 
     the apps directory (application code) you must include an acknowledgement:
     "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  .
@@ -158,75 +122,6 @@ License: OpenSSL and Original-SSLeay
  copied and put under another distribution licence
  [including the GNU Public Licence.]
 
-Files: Cryptlib/Include/openssl/seed.h
-Copyright: 2007 KISA(Korea Information Security Agency)
-License: BSD-2-Clause
-
-Files: Cryptlib/OpenSSL/crypto/o_dir.h Cryptlib/OpenSSL/crypto/LPdir_nyi.c
-Copyright: 2004, Richard Levitte <richard@levitte.org>
-License: BSD-2-Clause
-
-Files: Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c Cryptlib/OpenSSL/crypto/x509v3/v3_pcia.c
-Copyright: 2004 Kungliga Tekniska Högskolan
-License: BSD-3-Clause-Institute
-  Redistribution and use in source and binary forms, with or without
-  modification, are permitted provided that the following conditions
-  are met:
-  .
-  1. Redistributions of source code must retain the above copyright
-     notice, this list of conditions and the following disclaimer.
-  .
-  2. Redistributions in binary form must reproduce the above copyright
-     notice, this list of conditions and the following disclaimer in the
-     documentation and/or other materials provided with the distribution.
-  .
-  3. Neither the name of the Institute nor the names of its contributors
-     may be used to endorse or promote products derived from this software
-     without specific prior written permission.
-  .
-  THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-  ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-  IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-  ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-  FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-  DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-  OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-  HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-  LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-  OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-  SUCH DAMAGE.
-
-Files: Cryptlib/OpenSSL/crypto/bn/rsaz_exp.h
-Copyright: 2012, Intel Corporation
-License: BSD-3-Clause-Intel
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are
- met:
- .
- *  Redistributions of source code must retain the above copyright
-    notice, this list of conditions and the following disclaimer.
- .
- *  Redistributions in binary form must reproduce the above copyright
-    notice, this list of conditions and the following disclaimer in the
-    documentation and/or other materials provided with the
-    distribution.
- .
- *  Neither the name of the Intel Corporation nor the names of its
-    contributors may be used to endorse or promote products derived from
-    this software without specific prior written permission.
- .
- THIS SOFTWARE IS PROVIDED BY INTEL CORPORATION ""AS IS"" AND ANY
- EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL INTEL CORPORATION OR
- CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
 License: BSD-2-Clause
  Redistribution and use in source and binary forms, with or without
  modification, are permitted provided that the following conditions
diff --git a/debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch b/debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch
new file mode 100644
index 00000000..61117d80
--- /dev/null
+++ b/debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch
@@ -0,0 +1,71 @@
+From 1681bd7282e606e961c0d1bfafcf807a32bc912d Mon Sep 17 00:00:00 2001
+From: Ivan Hu <ivan.hu@canonical.com>
+Date: Tue, 22 Nov 2016 06:26:01 +0800
+Subject: [PATCH] shim: fix the mirroring MokSBState fail
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1644806
+
+Some machines have already embedded MokSBStateRT varaible with
+EFI_VARIABLE_NON_VOLATILE attribute, and some users might disable shim
+vailidation manually by creating MokSBStateRT. It causes mirroring MokSBState
+fail because the variable cannot be set with different attribute again, and gets
+error massage every time when booting.
+
+Fix it with checking the MokSBStateRT existence and deleting it before
+mirroring it.
+
+Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
+Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
+---
+ shim.c | 34 ++++++++++++++++++++++++----------
+ 1 file changed, 24 insertions(+), 10 deletions(-)
+
+diff --git a/shim.c b/shim.c
+index c69961b..90ea784 100644
+--- a/shim.c
++++ b/shim.c
+@@ -2013,18 +2013,32 @@ EFI_STATUS mirror_mok_sb_state()
+ 	UINTN DataSize = 0;
+ 
+ 	efi_status = get_variable(L"MokSBState", &Data, &DataSize, shim_lock_guid);
+-	if (efi_status != EFI_SUCCESS)
+-		return efi_status;
++	if (efi_status == EFI_SUCCESS) {
++		UINT8 *Data_RT = NULL;
++		UINTN DataSize_RT = 0;
++
++		efi_status = get_variable(L"MokSBStateRT", &Data_RT,
++					  &DataSize_RT, shim_lock_guid);
++		if (efi_status == EFI_SUCCESS) {
++			efi_status = uefi_call_wrapper(RT->SetVariable, 5,
++						L"MokSBStateRT",
++						&shim_lock_guid,
++						EFI_VARIABLE_BOOTSERVICE_ACCESS
++						| EFI_VARIABLE_RUNTIME_ACCESS
++						| EFI_VARIABLE_NON_VOLATILE,
++						0, NULL);
++		}
+ 
+-	efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokSBStateRT",
+-				       &shim_lock_guid,
+-				       EFI_VARIABLE_BOOTSERVICE_ACCESS
+-				       | EFI_VARIABLE_RUNTIME_ACCESS,
+-				       DataSize, Data);
+-	if (efi_status != EFI_SUCCESS) {
+-		console_error(L"Failed to set MokSBStateRT", efi_status);
++		efi_status = uefi_call_wrapper(RT->SetVariable, 5,
++					       L"MokSBStateRT",
++					       &shim_lock_guid,
++					       EFI_VARIABLE_BOOTSERVICE_ACCESS
++					       | EFI_VARIABLE_RUNTIME_ACCESS,
++					       DataSize, Data);
++		if (efi_status != EFI_SUCCESS) {
++			console_error(L"Failed to set MokSBStateRT", efi_status);
++		}
+ 	}
+-
+ 	return efi_status;
+ }
+ 
+-- 
+2.7.4
+
diff --git a/debian/patches/series b/debian/patches/series
index a5f3392d..34c3f92b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 second-stage-path
 sbsigntool-not-pesign
+0001-shim-fix-the-mirroring-MokSBState-fail.patch