* New upstream release.debian/15+1533136590.3beb971-1

  - debian/patches/second-stage-path: dropped; the default loader path now
    includes an arch suffix.
  - debian/patches/sbsigntool-no-pesign: dropped; no longer needed.
* Drop remaining patches that were not being applied.
* Sync packaging from Ubuntu:
  - debian/copyright: Update upstream source location.
  - debian/control: add a Build-Depends on libelf-dev.
  - Enable arm64 build.
  - debian/patches/fixup_git.patch: don't run git in clean; we're not
    really in a git tree.
  - debian/rules, debian/shim.install: use the upstream install target as
    intended, and move files to the target directory using dh_install.
  - define RELEASE and COMMIT_ID for the snapshot.
  - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
  - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
    options: set MAKELEVEL.
  - Define an EFI_ARCH variable, and use that for paths to shim. This
    makes it possible to build a shim for other architectures than amd64.
  - Set EFIDIR=$distro for dh_auto_install; that will let files be installed
    in the "right" final directories, and makes boot.csv for us.
  - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
    at compile-time for MokManager and fallback.
  - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
    and MokManager.

1 files changed, 151 insertions, 2 deletions

diff --git a/shim.h b/shim.h
index 52cbfeb9..2b359d82 100644
--- a/shim.h
+++ b/shim.h
@@ -1,6 +1,128 @@
-#include "PeImage.h"
+#ifndef SHIM_H_
+#define SHIM_H_
 
-extern EFI_GUID SHIM_LOCK_GUID;
+#if defined __GNUC__ && defined __GNUC_MINOR__
+# define GNUC_PREREQ(maj, min) \
+        ((__GNUC__ << 16) + __GNUC_MINOR__ >= ((maj) << 16) + (min))
+#else
+# define GNUC_PREREQ(maj, min) 0
+#endif
+#if defined __clang_major__ && defined __clang_minor__
+# define CLANG_PREREQ(maj, min) \
+  ((__clang_major__ << 16) + __clang_minor__ >= ((maj) << 16) + (min))
+#else
+# define CLANG_PREREQ(maj, min) 0
+#endif
+
+#if defined(__x86_64__)
+#if !defined(GNU_EFI_USE_MS_ABI)
+#error On x86_64 you must use ms_abi (GNU_EFI_USE_MS_ABI) in gnu-efi and shim.
+#endif
+/* gcc 4.5.4 is the first documented release with -mabi=ms */
+#if !GNUC_PREREQ(4, 7) && !CLANG_PREREQ(3, 4)
+#error On x86_64 you must have a compiler new enough to support __attribute__((__ms_abi__))
+#endif
+#endif
+
+#include <efi.h>
+#include <efilib.h>
+#undef uefi_call_wrapper
+
+#include <stddef.h>
+
+#define min(a, b) ({(a) < (b) ? (a) : (b);})
+
+#ifdef __x86_64__
+#ifndef DEFAULT_LOADER
+#define DEFAULT_LOADER L"\\grubx64.efi"
+#endif
+#ifndef DEFAULT_LOADER_CHAR
+#define DEFAULT_LOADER_CHAR "\\grubx64.efi"
+#endif
+#ifndef EFI_ARCH
+#define EFI_ARCH L"x64"
+#endif
+#ifndef DEBUGDIR
+#define DEBUGDIR L"/usr/lib/debug/usr/share/shim/x64/"
+#endif
+#endif
+
+#if defined(__i686__) || defined(__i386__)
+#ifndef DEFAULT_LOADER
+#define DEFAULT_LOADER L"\\grubia32.efi"
+#endif
+#ifndef DEFAULT_LOADER_CHAR
+#define DEFAULT_LOADER_CHAR "\\grubia32.efi"
+#endif
+#ifndef EFI_ARCH
+#define EFI_ARCH L"ia32"
+#endif
+#ifndef DEBUGDIR
+#define DEBUGDIR L"/usr/lib/debug/usr/share/shim/ia32/"
+#endif
+#endif
+
+#if defined(__aarch64__)
+#ifndef DEFAULT_LOADER
+#define DEFAULT_LOADER L"\\grubaa64.efi"
+#endif
+#ifndef DEFAULT_LOADER_CHAR
+#define DEFAULT_LOADER_CHAR "\\grubaa64.efi"
+#endif
+#ifndef EFI_ARCH
+#define EFI_ARCH L"aa64"
+#endif
+#ifndef DEBUGDIR
+#define DEBUGDIR L"/usr/lib/debug/usr/share/shim/aa64/"
+#endif
+#endif
+
+#if defined(__arm__)
+#ifndef DEFAULT_LOADER
+#define DEFAULT_LOADER L"\\grubarm.efi"
+#endif
+#ifndef DEFAULT_LOADER_CHAR
+#define DEFAULT_LOADER_CHAR "\\grubarm.efi"
+#endif
+#ifndef EFI_ARCH
+#define EFI_ARCH L"arm"
+#endif
+#ifndef DEBUGDIR
+#define DEBUGDIR L"/usr/lib/debug/usr/share/shim/arm/"
+#endif
+#endif
+
+#define FALLBACK L"\\fb" EFI_ARCH L".efi"
+#define MOK_MANAGER L"\\mm" EFI_ARCH L".efi"
+
+#include "include/configtable.h"
+#include "include/console.h"
+#include "include/crypt_blowfish.h"
+#include "include/efiauthenticated.h"
+#include "include/errors.h"
+#include "include/execute.h"
+#include "include/guid.h"
+#include "include/Http.h"
+#include "include/httpboot.h"
+#include "include/Ip4Config2.h"
+#include "include/Ip6Config.h"
+#include "include/netboot.h"
+#include "include/PasswordCrypt.h"
+#include "include/PeImage.h"
+#include "include/replacements.h"
+#if defined(OVERRIDE_SECURITY_POLICY)
+#include "include/security_policy.h"
+#endif
+#include "include/simple_file.h"
+#include "include/str.h"
+#include "include/tpm.h"
+#include "include/ucs2.h"
+#include "include/variables.h"
+
+#include "version.h"
+#ifdef ENABLE_SHIM_CERT
+#include "shim_cert.h"
+#endif
 
 INTERFACE_DECL(_SHIM_LOCK);
 
@@ -37,3 +159,30 @@ typedef struct _SHIM_LOCK {
 
 extern EFI_STATUS shim_init(void);
 extern void shim_fini(void);
+extern EFI_STATUS LogError_(const char *file, int line, const char *func, CHAR16 *fmt, ...);
+extern EFI_STATUS VLogError(const char *file, int line, const char *func, CHAR16 *fmt, va_list args);
+extern VOID PrintErrors(VOID);
+extern VOID ClearErrors(VOID);
+extern EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath);
+extern EFI_STATUS import_mok_state(EFI_HANDLE image_handle);
+
+extern UINT32 vendor_cert_size;
+extern UINT32 vendor_dbx_size;
+extern UINT8 *vendor_cert;
+extern UINT8 *vendor_dbx;
+
+extern UINT8 user_insecure_mode;
+extern UINT8 ignore_db;
+extern UINT8 in_protocol;
+
+#define perror_(file, line, func, fmt, ...) ({					\
+		UINTN __perror_ret = 0;						\
+		if (!in_protocol)						\
+			__perror_ret = console_print((fmt), ##__VA_ARGS__);	\
+		LogError_(file, line, func, fmt, ##__VA_ARGS__);		\
+		__perror_ret;							\
+	})
+#define perror(fmt, ...) perror_(__FILE__, __LINE__, __func__, fmt, ## __VA_ARGS__)
+#define LogError(fmt, ...) LogError_(__FILE__, __LINE__, __func__, fmt, ## __VA_ARGS__)
+
+#endif /* SHIM_H_ */