-rw-r--r-- | debian/changelog | 6 | ||||
-rw-r--r-- | debian/control | 8 | ||||
-rw-r--r-- | debian/debian-vyos-uefi-ca.esl | bin | 0 -> 2351 bytes | |||
-rw-r--r-- | debian/patches/0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch | 42 | ||||
-rw-r--r-- | debian/patches/0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch | 47 | ||||
-rw-r--r-- | debian/patches/series | 3 | ||||
-rw-r--r-- | debian/patches/test-mock-variables-explicitly-skip-CONFIG_ONLY-vars.patch | 45 | ||||
-rwxr-xr-x | debian/rules | 24 | ||||
-rw-r--r-- | debian/sbat.vyos.csv.in | 1 | ||||
-rw-r--r-- | debian/source/include-binaries | 2 | ||||
-rw-r--r-- | debian/vyos-uefi-ca.der | bin | 0 -> 1333 bytes |
11 files changed, 66 insertions, 112 deletions
diff --git a/debian/changelog b/debian/changelog
index 6bb6dd27..f73fb890 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+shim (16.0-1+vyos1) UNRELEASED; urgency=medium
+
+ * Add VyOS's CA alongside Debian's.
+
+ -- Christian Breunig <christian@breunig.cc> Wed, 02 Jul 2025 22:34:39 +0200
+
 shim (15.8-1) unstable; urgency=medium
 
 [ Steve McIntyre ]
diff --git a/debian/control b/debian/control
index a5e9d953..0daa1294 100644
--- a/debian/control
+++ b/debian/control
@@ -1,8 +1,8 @@
 Source: shim
 Section: admin
 Priority: optional
-Maintainer: Debian EFI team <debian-efi@lists.debian.org>
-Uploaders: Steve Langasek <vorlon@debian.org>, Steve McIntyre <93sam@debian.org>
+Maintainer: VyOS Package Maintainers <maintainers@vyos.net>
+Rules-Requires-Root: no
 Standards-Version: 4.6.2
 Build-Depends: debhelper-compat (= 12),
 gnu-efi (>= 3.0u),
@@ -15,8 +15,8 @@ Build-Depends: debhelper-compat (= 12),
 efivar,
 xxd,
 libefivar-dev
-Vcs-Browser: https://salsa.debian.org/efi-team/shim
-Vcs-Git: https://salsa.debian.org/efi-team/shim.git
+Vcs-Browser: https://github.com/vyos/efi-boot-shim
+Vcs-Git: https://github.com/vyos/efi-boot-shim.git
 
 Package: shim-unsigned
 Architecture: amd64 arm64
diff --git a/debian/debian-vyos-uefi-ca.esl b/debian/debian-vyos-uefi-ca.esl
Binary files differnew file mode 100644
index 00000000..110a1d15
--- /dev/null
+++ b/debian/debian-vyos-uefi-ca.esl
diff --git a/debian/patches/0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch b/debian/patches/0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
deleted file mode 100644
index 25977c16..00000000
--- a/debian/patches/0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 63edf92f8ae11b884bc7d24aecb8229cbc4ae014 Mon Sep 17 00:00:00 2001
-From: Julian Andres Klode <julian.klode@canonical.com>
-Date: Fri, 5 Apr 2024 21:57:07 +0200
-Subject: [PATCH 1/2] sbat: Add grub.peimage,2 to latest (CVE-2024-2312)
-
-Add the previous latest level to the switch for automatic.
-
-Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>
----
- include/sbat_var_defs.h | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/include/sbat_var_defs.h b/include/sbat_var_defs.h
-index f8cba029..04d708f2 100644
---- a/include/sbat_var_defs.h
-+++ b/include/sbat_var_defs.h
-@@ -47,6 +47,8 @@
- #define SBAT_VAR_AUTOMATIC_REVOCATIONS "shim,2\ngrub,3\n"
- #elif SBAT_AUTOMATIC_DATE == 2023012900
- #define SBAT_VAR_AUTOMATIC_REVOCATIONS "shim,2\ngrub,3\ngrub.debian,4\n"
-+#elif SBAT_AUTOMATIC_DATE == 2024010900
-+#define SBAT_VAR_AUTOMATIC_REVOCATIONS "shim,4\ngrub,3\ngrub.debian,4\n"
- #else
- #error "Unknown SBAT_AUTOMATIC_DATE"
- #endif /* SBAT_AUTOMATIC_DATE == */
-@@ -56,10 +58,10 @@
- SBAT_VAR_AUTOMATIC_REVOCATIONS
- 
- /*
-- * Revocations for January 2024 shim CVEs
-+ * Revocations for January 2024 shim CVEs + Debian/Ubuntu (peimage) CVE-2024-2312
- */
--#define SBAT_VAR_LATEST_DATE "2024010900"
--#define SBAT_VAR_LATEST_REVOCATIONS "shim,4\ngrub,3\ngrub.debian,4\n"
-+#define SBAT_VAR_LATEST_DATE "2024040500"
-+#define SBAT_VAR_LATEST_REVOCATIONS "shim,4\ngrub,3\ngrub.debian,4\ngrub.peimage,2\n"
- #define SBAT_VAR_LATEST \
- SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
- SBAT_VAR_LATEST_REVOCATIONS
---
-2.39.2
-
diff --git a/debian/patches/0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch b/debian/patches/0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
deleted file mode 100644
index f1c3028d..00000000
--- a/debian/patches/0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 3e1394e8e6fd0071a69196230f991612a960c154 Mon Sep 17 00:00:00 2001
-From: Julian Andres Klode <julian.klode@canonical.com>
-Date: Tue, 9 Apr 2024 18:55:12 +0200
-Subject: [PATCH 2/2] sbat: Also bump latest for grub,4 (and to todays date)
-
-Back in January we decided to bump the SBAT level for the shim
-CVE without bumping the grub level for the previous NTFS issues
-- CVE-2023-4692 CVE-2023-4693 - as not every vendor was signing
-the ntfs module.
-
-Catch up on this revocation to ensure it doesn't get lost. Doing
-so also allows us to remove the grub.debian,4 revocation as this
-happened before grub,4 and hence is obsolete.
-
-Also bump the date of the sbat variable to today's. Don't copy
-the April 5 one to a previous selection, as it wasn't shipped
-to anyone.
-
-Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>
----
- include/sbat_var_defs.h | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/include/sbat_var_defs.h b/include/sbat_var_defs.h
-index 04d708f2..5c7115b9 100644
---- a/include/sbat_var_defs.h
-+++ b/include/sbat_var_defs.h
-@@ -58,10 +58,13 @@
- SBAT_VAR_AUTOMATIC_REVOCATIONS
- 
- /*
-- * Revocations for January 2024 shim CVEs + Debian/Ubuntu (peimage) CVE-2024-2312
-+ * Revocations for:
-+ * - January 2024 shim CVEs
-+ * - October 2023 grub CVEs
-+ * - Debian/Ubuntu (peimage) CVE-2024-2312
- */
--#define SBAT_VAR_LATEST_DATE "2024040500"
--#define SBAT_VAR_LATEST_REVOCATIONS "shim,4\ngrub,3\ngrub.debian,4\ngrub.peimage,2\n"
-+#define SBAT_VAR_LATEST_DATE "2024040900"
-+#define SBAT_VAR_LATEST_REVOCATIONS "shim,4\ngrub,4\ngrub.peimage,2\n"
- #define SBAT_VAR_LATEST \
- SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
- SBAT_VAR_LATEST_REVOCATIONS
---
-2.39.2
-
diff --git a/debian/patches/series b/debian/patches/series
index 01fd2987..439fbe12 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1 @@
-0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
-0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
+test-mock-variables-explicitly-skip-CONFIG_ONLY-vars.patch
diff --git a/debian/patches/test-mock-variables-explicitly-skip-CONFIG_ONLY-vars.patch b/debian/patches/test-mock-variables-explicitly-skip-CONFIG_ONLY-vars.patch
new file mode 100644
index 00000000..3ca5b967
--- /dev/null
+++ b/debian/patches/test-mock-variables-explicitly-skip-CONFIG_ONLY-vars.patch
@@ -0,0 +1,45 @@
+From: =?utf-8?q?Fabian_Gr=C3=BCnbichler?= <f.gruenbichler@proxmox.com>
+Date: Mon, 24 Mar 2025 12:58:56 +0100
+Subject: test-mock-variables: explicitly skip CONFIG_ONLY vars
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+otherwise we might pass invalid pointers to load_variables and cause
+segfaults in test cases.
+
+Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
+---
+Submitted upstream: https://github.com/rhboot/shim/pull/739/
+
+ test-mock-variables.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/test-mock-variables.c b/test-mock-variables.c
+index f869300..dd4a9eb 100644
+--- a/test-mock-variables.c
++++ b/test-mock-variables.c
+@@ -212,8 +212,10 @@ test_gnvn_helper(char *testvars)
+ * mok mirroring that aren't really from mok; right now
+ * this is a reasonable heuristic for that.
+ */
+- if (mok_state_variables[i].flags & MOK_VARIABLE_CONFIG_ONLY)
++ if (mok_state_variables[i].flags & MOK_VARIABLE_CONFIG_ONLY) {
++ mok_rt_vars[i] = "";
+ continue;
++ }
+ mok_rt_vars[i] = mok_state_variables[i].rtname8;
+ }
+
+@@ -313,8 +315,10 @@ test_get_variable_0(void)
+ * mok mirroring that aren't really from mok; right now
+ * this is a reasonable heuristic for that.
+ */
+- if (mok_state_variables[i].flags & MOK_VARIABLE_CONFIG_ONLY)
++ if (mok_state_variables[i].flags & MOK_VARIABLE_CONFIG_ONLY) {
++ mok_rt_vars[i] = "";
+ continue;
++ }
+ mok_rt_vars[i] = mok_state_variables[i].rtname8;
+ }
+
diff --git a/debian/rules b/debian/rules
index 40a61670..1f55a9e9 100755
--- a/debian/rules
+++ b/debian/rules
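Review bot: The header of the new patch records its upstream status in a free-form `Submitted upstream:` line placed after the `---` separator, which DEP-3 aware tooling will not pick up; the DEP-3 field for this is `Forwarded: https://github.com/rhboot/shim/pull/739/`, and an `Origin:` line naming the Proxmox author would make the provenance of a patch carried from another distribution machine-readable. The code change itself only initialises `mok_rt_vars[i]` to an empty string for CONFIG_ONLY entries in the two test helpers, which matches the segfault rationale in the description and is test-only, so no functional concern beyond the metadata.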
@@ -2,25 +2,15 @@
 
 include /usr/share/dpkg/architecture.mk
 
-# Other vendors, add your certs here. No sense in using
-# dpkg-vendor --derives-from, because only Canonical-generated binaries will
-# be signed with this key; so if you are building your own shim binary you
-# should be building the other binaries also.
-ifeq ($(shell dpkg-vendor --is ubuntu && echo yes),yes)
- cert=debian/canonical-uefi-ca.der
- distributor=ubuntu
-COMMON_OPTIONS ?= ENABLE_SHIM_CERT=1 ENABLE_SBSIGN=1
-else
- cert=debian/debian-uefi-ca.der
- distributor=debian
-endif
+cert=debian/debian-vyos-uefi-ca.esl
+distributor=vyos
 
 deb_version := $(shell dpkg-parsechangelog | sed -ne "s/^Version: \(.*\)/\1/p")
 upstream_version := $(shell echo $(deb_version) | sed -e "s/-[^-]*$$//")
 plain_upstream_version := $(shell echo $(upstream_version) | sed -e "s/+dfsg.*//")
 
 DBX_LIST = dbx.esl
-DBX_HASHES = debian/$(distributor)-dbx.hashes
+DBX_HASHES = debian/debian-dbx.hashes
 SBAT_IN = debian/sbat.$(distributor).csv.in
 SBAT_DATA = data/sbat.$(distributor).csv
 
@@ -41,7 +31,7 @@ COMMON_OPTIONS += \
 COMMIT_ID=657b2483ca6e9fcf2ad8ac7ee577ff546d24c3aa \
 MAKELEVEL=0 \
 ENABLE_HTTPBOOT=true \
- VENDOR_CERT_FILE=$(cert) \
+ VENDOR_DB_FILE=$(cert) \
 VENDOR_DBX_FILE=$(DBX_LIST) \
 EFIDIR=$(distributor) \
 CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)- \
@@ -49,9 +39,9 @@ COMMON_OPTIONS += \
 $(NULL)
 
 # Force shim to use the latest revocations by default to block some
-# older grub / peimage issues. This is:
-# "shim,4\ngrub,4\ngrub.peimage,2\n"
-COMMON_OPTIONS += SBAT_AUTOMATIC_DATE=2024010900
+# older grub issues. This is:
+# "shim,4\ngrub,5\n"
+COMMON_OPTIONS += SBAT_AUTOMATIC_DATE=2025021800
 
 $(DBX_LIST): $(DBX_HASHES)
 ./debian/generate_dbx_list $(EFI_ARCH) $< $@
diff --git a/debian/sbat.vyos.csv.in b/debian/sbat.vyos.csv.in
new file mode 100644
index 00000000..4275733f
--- /dev/null
+++ b/debian/sbat.vyos.csv.in
@@ -0,0 +1 @@
+shim.vyos,1,VyOS,shim,@UPSTREAM_VERSION@,https://github.com/vyos/efi-boot-shim.git
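Review bot: The explanatory comment above the vendor-certificate selection is removed and the two replacement lines `cert=debian/debian-vyos-uefi-ca.esl` / `distributor=vyos` leave no record of why the trust anchor is now an EFI_SIGNATURE_LIST carrying two CAs, nor why `DBX_HASHES` is pinned to `debian/debian-dbx.hashes` while every other path still keys off `$(distributor)`. Both are trust-boundary decisions worth stating in the file: any binary signed under either the Debian or the VyOS CA will be accepted by this shim, and the vendor dbx as hard-coded here carries only Debian's revocation hashes, so, as far as these hunks show, a VyOS-signed binary has no hash-based revocation path and can only be revoked through SBAT. A comment such as `# Vendor DB is an EFI_SIGNATURE_LIST holding both the Debian and the VyOS CA; shim trusts` / `# binaries signed under either. Vendor dbx stays Debian's list, so VyOS-signed binaries` / `# have no hash revocation path here and rely on SBAT.` would preserve that reasoning. The variable is still called `cert` although it now holds a signature list, which the `VENDOR_CERT_FILE` to `VENDOR_DB_FILE` switch in the second hunk (shim presumably reads the latter as an ESL rather than a single DER certificate, hence the `.esl`) makes easy to misread; `vendor_db=` would be clearer.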
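Review bot: `COMMON_OPTIONS += SBAT_AUTOMATIC_DATE=2025021800` raises the revocation level shim applies by default to `grub,5`, so any GRUB image VyOS ships or signs must declare an SBAT `grub` generation of at least 5 or shim will refuse to load it; the comment above only transcribes the resulting string and states neither this requirement nor that the value must be one of the dates enumerated in shim's include/sbat_var_defs.h (an unknown date fails the build with `#error "Unknown SBAT_AUTOMATIC_DATE"`, as the removed 0001 patch shows). Suggest extending the comment with `# Any grub we ship must carry SBAT "grub,5" or newer or shim refuses to boot it;` / `# the date must be one listed in include/sbat_var_defs.h, otherwise the build #errors.` The changelog entry on this page mentions only the added CA; since shim, as I understand it, only ever moves the SbatLevel variable forward on installed systems, the level change deserves its own changelog line.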
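Review bot: The new `shim.vyos,1,VyOS,shim,@UPSTREAM_VERSION@,...` SBAT entry introduces a VyOS-specific generation number with no documentation of when it must be bumped. A CSV template cannot carry a comment, so the rule near `SBAT_IN = debian/sbat.$(distributor).csv.in` should say it, e.g. `# shim.vyos generation in $(SBAT_IN) must be bumped whenever a VyOS build needs revoking independently of upstream shim,N.` That keeps the one lever that can revoke a VyOS-signed shim, given the Debian-only vendor dbx in the first hunk, from being overlooked.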
diff --git a/debian/source/include-binaries b/debian/source/include-binaries
index d82be748..a97ddf5b 100644
--- a/debian/source/include-binaries
+++ b/debian/source/include-binaries
@@ -1,2 +1,4 @@
 debian/canonical-uefi-ca.der
 debian/debian-uefi-ca.der
+debian/vyos-uefi-ca.der
+debian/debian-vyos-uefi-ca.esl
diff --git a/debian/vyos-uefi-ca.der b/debian/vyos-uefi-ca.der
Binary files differnew file mode 100644
index 00000000..19b057db
--- /dev/null
+++ b/debian/vyos-uefi-ca.der |