authorSteve McIntyre <steve@einval.com>2023-01-24 22:37:23 +0000
committerSteve McIntyre <steve@einval.com>2023-01-24 22:37:23 +0000
commit736533df5bddd7be9b27fa8051a71d731ab7a524 (patch)
tree01ab55c1899e3f9faf4e80ab571a5aee90ace6ca
parentb82b07b854e4d61deb646b8ee439580b7999c930 (diff)
downloadefi-boot-shim-736533df5bddd7be9b27fa8051a71d731ab7a524.tar.gz
efi-boot-shim-736533df5bddd7be9b27fa8051a71d731ab7a524.zip
Enable NX support at build time
As required by policy for signing new shim binaries.
-rw-r--r--debian/changelog2
-rw-r--r--debian/patches/Enable-NX.patch13
-rw-r--r--debian/patches/series1
3 files changed, 16 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index cd13ba24..edc61f41 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,8 @@ shim (15.7-1) UNRELEASED; urgency=medium
+ Make sbat_var.S parse right with buggy gcc/binutils
* Switch to using gcc-12. Closes: #1022180
* Update to Standards-Version 4.6.2 (no changes needed)
+ * Enable NX support at build time, as required by policy for signing
+ new shim binaries.
-- Steve McIntyre <93sam@debian.org> Sun, 22 Jan 2023 13:12:14 +0000
diff --git a/debian/patches/Enable-NX.patch b/debian/patches/Enable-NX.patch
new file mode 100644
index 00000000..d75c1089
--- /dev/null
+++ b/debian/patches/Enable-NX.patch
@@ -0,0 +1,13 @@
+diff --git a/Makefile b/Makefile
+index a9202f46..4f29fe12 100644
+--- a/Makefile
++++ b/Makefile
+@@ -255,7 +255,7 @@ endif
+ -j .rela* -j .dyn -j .reloc -j .eh_frame \
+ -j .vendor_cert -j .sbat -j .sbatlevel \
+ $(FORMAT) $< $@
+- ./post-process-pe -vv $@
++ ./post-process-pe -n -vv $@
+
+ ifneq ($(origin ENABLE_SHIM_HASH),undefined)
+ %.hash : %.efi
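Review bot: The `-n` added to the `./post-process-pe -n -vv $@` line only marks the output as NX-compatible in its PE header, and nothing in this hunk verifies that the image satisfies what the flag promises, for example that no section is both writable and executable. Because the signing policy depends on this property, a step after this line that reads the DllCharacteristics field back from `$@` and fails the build when the NX bit is absent would stop a later patch refresh or upstream Makefile change from dropping it silently. The new patch file also carries no DEP-3 header; a short one such as `Description: Set the NX_COMPAT flag on the built shim binary`, plus `Author:` and `Forwarded:` lines, would record why the patch is carried and whether upstream has it. The recipe this line belongs to starts above the hunk, so the rest of the `.efi` rule was not reviewed.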
diff --git a/debian/patches/series b/debian/patches/series
index f57b1788..b3ddfc8f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
Make-sbat_var.S-parse-right-with-buggy-gcc-binutils.patch
+Enable-NX.patch