author | Steve Langasek <steve.langasek@canonical.com> | 2019-02-09 21:28:06 -0800 |
---|---|---|
committer | Steve Langasek <steve.langasek@canonical.com> | 2019-02-09 21:32:44 -0800 |
commit | ab4c731c1dd379acd3e95971af57401fb0a650a1 (patch) | |
tree | 6a26fb8d0746cbbaa6c2d4b242c73442bcc1df06 /lib/security_policy.c | |
parent | 0d63079c7da8e86104ce4bbdae2f6cb8d2ea40c6 (diff) | |
parent | 9c12130f9cd2ae11a9336813dd1f1669c0b64ad0 (diff) | |
download | efi-boot-shim-debian/15+1533136590.3beb971-1.tar.gz efi-boot-shim-debian/15+1533136590.3beb971-1.zip |
* New upstream release. debian/15+1533136590.3beb971-1
- debian/patches/second-stage-path: dropped; the default loader path now
includes an arch suffix.
- debian/patches/sbsigntool-no-pesign: dropped; no longer needed.
* Drop remaining patches that were not being applied.
* Sync packaging from Ubuntu:
- debian/copyright: Update upstream source location.
- debian/control: add a Build-Depends on libelf-dev.
- Enable arm64 build.
- debian/patches/fixup_git.patch: don't run git in clean; we're not
really in a git tree.
- debian/rules, debian/shim.install: use the upstream install target as
intended, and move files to the target directory using dh_install.
- define RELEASE and COMMIT_ID for the snapshot.
- Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
- Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
options: set MAKELEVEL.
- Define an EFI_ARCH variable, and use that for paths to shim. This
makes it possible to build a shim for other architectures than amd64.
- Set EFIDIR=$distro for dh_auto_install; that will let files be installed
in the "right" final directories, and makes boot.csv for us.
- Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
at compile-time for MokManager and fallback.
- Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
and MokManager.
Diffstat (limited to 'lib/security_policy.c')
-rw-r--r-- | lib/security_policy.c | 104 |
1 files changed, 48 insertions, 56 deletions
diff --git a/lib/security_policy.c b/lib/security_policy.c index 9af3a107..211f1cfd 100644 --- a/lib/security_policy.c +++ b/lib/security_policy.c @@ -9,7 +9,8 @@ #include <efi.h> #include <efilib.h> -#include <guid.h> +#include "shim.h" + #include <variables.h> #include <simple_file.h> #include <errors.h> @@ -55,14 +56,14 @@ static SecurityHook extra_check = NULL; static EFI_SECURITY_FILE_AUTHENTICATION_STATE esfas = NULL; static EFI_SECURITY2_FILE_AUTHENTICATION es2fa = NULL; -static EFI_STATUS thunk_security_policy_authentication( +extern EFI_STATUS thunk_security_policy_authentication( const EFI_SECURITY_PROTOCOL *This, UINT32 AuthenticationStatus, const EFI_DEVICE_PATH_PROTOCOL *DevicePath ) __attribute__((unused)); -static EFI_STATUS thunk_security2_policy_authentication( +extern EFI_STATUS thunk_security2_policy_authentication( const EFI_SECURITY2_PROTOCOL *This, const EFI_DEVICE_PATH_PROTOCOL *DevicePath, VOID *FileBuffer, @@ -80,16 +81,14 @@ security2_policy_authentication ( BOOLEAN BootPolicy ) { - EFI_STATUS status, auth; + EFI_STATUS efi_status, auth; /* Chain original security policy */ - status = uefi_call_wrapper(es2fa, 5, This, DevicePath, FileBuffer, - FileSize, BootPolicy); - + efi_status = es2fa(This, DevicePath, FileBuffer, FileSize, BootPolicy); /* if OK, don't bother with MOK check */ - if (status == EFI_SUCCESS) - return status; + if (!EFI_ERROR(efi_status)) + return efi_status; if (extra_check) auth = extra_check(FileBuffer, FileSize); @@ -100,7 +99,7 @@ security2_policy_authentication ( /* return previous status, which is the correct one * for the platform: may be either EFI_ACCESS_DENIED * or EFI_SECURITY_VIOLATION */ - return status; + return efi_status; return auth; } 
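Review bot: In the @@ -80,16 hunk the pass test after the chained `es2fa` call changes from `status == EFI_SUCCESS` to `!EFI_ERROR(efi_status)`, so any EFI warning code (non-zero, high bit clear) now counts as a pass and skips `extra_check`, but the comment still only says "if OK". Whether any firmware returns a warning from this call is not visible here, so the widened condition should at least be stated, e.g. `/* any non-error status, including EFI warnings, counts as a platform pass; the MOK hook is skipped */`. If warnings are not meant to pass, keep the exact comparison `if (efi_status == EFI_SUCCESS)`. The same test follows the `esfas` call in the @@ -121,50 hunk.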
@@ -112,7 +111,7 @@ security_policy_authentication ( const EFI_DEVICE_PATH_PROTOCOL *DevicePathConst ) { - EFI_STATUS status, fail_status; + EFI_STATUS efi_status, fail_status; EFI_DEVICE_PATH *DevPath = DuplicateDevicePath((EFI_DEVICE_PATH *)DevicePathConst), *OrigDevPath = DevPath; 
@@ -121,50 +120,49 @@ security_policy_authentication ( VOID *FileBuffer; UINTN FileSize; CHAR16* DevPathStr; + EFI_GUID SIMPLE_FS_PROTOCOL = EFI_SIMPLE_FILE_SYSTEM_PROTOCOL_GUID; /* Chain original security policy */ - status = uefi_call_wrapper(esfas, 3, This, AuthenticationStatus, - DevicePathConst); - + efi_status = esfas(This, AuthenticationStatus, DevicePathConst); /* if OK avoid checking MOK: It's a bit expensive to * read the whole file in again (esfas already did this) */ - if (status == EFI_SUCCESS) + if (!EFI_ERROR(efi_status)) goto out; /* capture failure status: may be either EFI_ACCESS_DENIED or * EFI_SECURITY_VIOLATION */ - fail_status = status; + fail_status = efi_status; - status = uefi_call_wrapper(BS->LocateDevicePath, 3, - &SIMPLE_FS_PROTOCOL, &DevPath, &h); - if (status != EFI_SUCCESS) + efi_status = gBS->LocateDevicePath(&SIMPLE_FS_PROTOCOL, &DevPath, &h); + if (EFI_ERROR(efi_status)) goto out; DevPathStr = DevicePathToStr(DevPath); - status = simple_file_open_by_handle(h, DevPathStr, &f, - EFI_FILE_MODE_READ); + efi_status = simple_file_open_by_handle(h, DevPathStr, &f, + EFI_FILE_MODE_READ); FreePool(DevPathStr); - if (status != EFI_SUCCESS) + if (EFI_ERROR(efi_status)) goto out; - status = simple_file_read_all(f, &FileSize, &FileBuffer); - simple_file_close(f); - if (status != EFI_SUCCESS) + efi_status = simple_file_read_all(f, &FileSize, &FileBuffer); + f->Close(f); + if (EFI_ERROR(efi_status)) goto out; if (extra_check) - status = extra_check(FileBuffer, FileSize); + efi_status = extra_check(FileBuffer, FileSize); else - status = EFI_SECURITY_VIOLATION; + efi_status = EFI_SECURITY_VIOLATION; FreePool(FileBuffer); - if (status == EFI_ACCESS_DENIED || status == EFI_SECURITY_VIOLATION) + if (efi_status == EFI_ACCESS_DENIED || + efi_status == EFI_SECURITY_VIOLATION) /* return what the platform originally said */ - status = fail_status; + efi_status = fail_status; out: FreePool(OrigDevPath); - return status; + return efi_status; } 
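Review bot: The fallback path hands `extra_check` bytes it re-reads itself through `simple_file_open_by_handle` and `simple_file_read_all`, not a buffer supplied by the firmware, and nothing in the function records that assumption. This entry point only receives a device path, so the content the hook approves and the content the firmware later loads are presumably two separate reads of the medium. A comment above the read would make the trust boundary explicit, e.g. `/* extra_check sees a fresh read of the file; sound only if the medium cannot change before the firmware loads the image */`. The function begins before this hunk, so the `DuplicateDevicePath` handling is not covered here.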
@@ -265,7 +263,7 @@ security_policy_install(SecurityHook hook) { EFI_SECURITY_PROTOCOL *security_protocol; EFI_SECURITY2_PROTOCOL *security2_protocol = NULL; - EFI_STATUS status; + EFI_STATUS efi_status; if (esfas) /* Already Installed */ @@ -274,26 +272,24 @@ security_policy_install(SecurityHook hook) /* Don't bother with status here. The call is allowed * to fail, since SECURITY2 was introduced in PI 1.2.1 * If it fails, use security2_protocol == NULL as indicator */ - uefi_call_wrapper(BS->LocateProtocol, 3, - &SECURITY2_PROTOCOL_GUID, NULL, - &security2_protocol); - - status = uefi_call_wrapper(BS->LocateProtocol, 3, - &SECURITY_PROTOCOL_GUID, NULL, - &security_protocol); - if (status != EFI_SUCCESS) + LibLocateProtocol(&SECURITY2_PROTOCOL_GUID, + (VOID **) &security2_protocol); + + efi_status = LibLocateProtocol(&SECURITY_PROTOCOL_GUID, + (VOID **) &security_protocol); + if (EFI_ERROR(efi_status)) /* This one is mandatory, so there's a serious problem */ - return status; + return efi_status; if (security2_protocol) { es2fa = security2_protocol->FileAuthentication; - security2_protocol->FileAuthentication = - thunk_security2_policy_authentication; + security2_protocol->FileAuthentication = + (EFI_SECURITY2_FILE_AUTHENTICATION) thunk_security2_policy_authentication; } esfas = security_protocol->FileAuthenticationState; security_protocol->FileAuthenticationState = - thunk_security_policy_authentication; + (EFI_SECURITY_FILE_AUTHENTICATION_STATE) thunk_security_policy_authentication; if (hook) extra_check = hook; 
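Review bot: The casts added to the two hook assignments in the @@ -274,26 hunk, `(EFI_SECURITY2_FILE_AUTHENTICATION) thunk_security2_policy_authentication` and `(EFI_SECURITY_FILE_AUTHENTICATION_STATE) thunk_security_policy_authentication`, silence the compiler's check that each thunk matches the protocol's function-pointer type. The firmware calls these pointers, so a mismatch in arguments or calling convention would only surface at boot. The typedefs are not visible here; if the difference is the calling-convention attribute, declaring the thunks in the @@ -55,14 hunk with it (for example `extern EFI_STATUS EFIAPI thunk_security_policy_authentication(`) would let the assignments compile without a cast. The `__attribute__((unused))` on those declarations also appears to serve no purpose now that they are `extern`.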
@@ -304,17 +300,15 @@ security_policy_install(SecurityHook hook) EFI_STATUS security_policy_uninstall(void) { - EFI_STATUS status; + EFI_STATUS efi_status; if (esfas) { EFI_SECURITY_PROTOCOL *security_protocol; - status = uefi_call_wrapper(BS->LocateProtocol, 3, - &SECURITY_PROTOCOL_GUID, NULL, - &security_protocol); - - if (status != EFI_SUCCESS) - return status; + efi_status = LibLocateProtocol(&SECURITY_PROTOCOL_GUID, + (VOID **) &security_protocol); + if (EFI_ERROR(efi_status)) + return efi_status; security_protocol->FileAuthenticationState = esfas; esfas = NULL; @@ -326,12 +320,10 @@ security_policy_uninstall(void) if (es2fa) { EFI_SECURITY2_PROTOCOL *security2_protocol; - status = uefi_call_wrapper(BS->LocateProtocol, 3, - &SECURITY2_PROTOCOL_GUID, NULL, - &security2_protocol); - - if (status != EFI_SUCCESS) - return status; + efi_status = LibLocateProtocol(&SECURITY2_PROTOCOL_GUID, + (VOID **) &security2_protocol); + if (EFI_ERROR(efi_status)) + return efi_status; security2_protocol->FileAuthentication = es2fa; es2fa = NULL; |
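Review bot: security_policy_uninstall returns as soon as the first `LibLocateProtocol` fails, so the SECURITY2 block in the @@ -326,12 hunk never runs and the firmware's `FileAuthentication` pointer stays aimed at the installed thunk. If the caller then exits or is unloaded, the firmware would presumably be left holding a pointer to code that is no longer there. Restoring what can be restored and reporting the first error afterwards avoids that, with a new local `ret` initialised to `EFI_SUCCESS` and returned at the end: `if (EFI_ERROR(efi_status)) ret = efi_status; else { security_protocol->FileAuthenticationState = esfas; esfas = NULL; }`. The lines between the two hunks are not shown, so any early return there needs the same treatment.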