-rw-r--r--Makefile6
-rw-r--r--buildid.c13
-rw-r--r--commit2
-rw-r--r--debian/canonical-uefi-ca.derbin1080 -> 0 bytes
-rw-r--r--debian/changelog243
-rw-r--r--debian/compat1
-rw-r--r--debian/control19
-rw-r--r--debian/copyright254
-rw-r--r--debian/debian-uefi-ca.derbin930 -> 0 bytes
-rw-r--r--debian/patches/buildid_write_return.patch35
-rw-r--r--debian/patches/gcc-5.diff45
-rw-r--r--debian/patches/gcc5-includes-stdarg.patch129
-rw-r--r--debian/patches/prototypes191
-rw-r--r--debian/patches/series1
-rwxr-xr-xdebian/rules45
-rw-r--r--debian/shim.install4
-rw-r--r--debian/source/format1
-rw-r--r--debian/source/include-binaries2
-rw-r--r--debian/watch5
19 files changed, 13 insertions, 983 deletions
diff --git a/Makefile b/Makefile
index c3860710..03287373 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-VERSION = 12
+VERSION = 13
ifneq ($(origin RELEASE),undefined)
DASHRELEASE ?= -$(RELEASE)
else
@@ -171,7 +171,7 @@ shim.cer: shim.crt
.NOTPARALLEL: shim_cert.h
shim_cert.h: shim.cer
- echo "static UINT8 shim_cert[] = {" > $@
+ echo "static UINT8 shim_cert[] __attribute__((__unused__)) = {" > $@
$(HEXDUMP) -v -e '1/1 "0x%02x, "' $< >> $@
echo "};" >> $@
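Review bot: The `__attribute__((__unused__))` added to the generated `shim_cert[]` declaration suppresses the unused-variable warning in every file that includes shim_cert.h, and nothing in the rule says why that is wanted. Under `-Werror` that warning is presumably what broke the build, but it is also the only compile-time signal that the embedded certificate is not referenced by the verification code in a given configuration. I would add a comment above the rule, for example `# shim_cert[] is only referenced when ENABLE_SHIM_CERT is set; marked unused so other configurations build with -Werror` (wording to be confirmed against the code that includes the header), or include the header only under the same condition as its use.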
@@ -337,7 +337,7 @@ clean:
$(MAKE) -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile clean
$(MAKE) -C lib -f $(TOPDIR)/lib/Makefile clean
rm -rf $(TARGET) $(OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb $(BOOTCSVNAME)
- rm -f *.debug *.so *.efi *.efi.* *.tar.* version.c
+ rm -f *.debug *.so *.efi *.efi.* *.tar.* version.c buildid
GITTAG = $(VERSION)
diff --git a/buildid.c b/buildid.c
index b27aa1fe..f213f3bc 100644
--- a/buildid.c
+++ b/buildid.c
@@ -113,6 +113,7 @@ static void handle_one(char *f)
char *b = NULL;
size_t sz;
uint8_t *data;
+ ssize_t written;
if (!strcmp(f, "-")) {
fd = STDIN_FILENO;
@@ -132,10 +133,14 @@ static void handle_one(char *f)
b = alloca(sz * 2 + 1);
data2hex(data, sz, b);
if (b) {
- write(1, f, strlen(f));
- write(1, " ", 1);
- write(1, b, strlen(b));
- write(1, "\n", 1);
+ written = write(1, f, strlen(f));
+ if (written < 0)
+ errx(1, "Error writing build id");
+ written = write(1, " ", 1);
+ written = write(1, b, strlen(b));
+ if (written < 0)
+ errx(1, "Error writing build id");
+ written = write(1, "\n", 1);
}
}
elf_end(elf);
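Review bot: The results of `write(1, " ", 1)` and `write(1, "\n", 1)` are stored in `written` but never tested, and the two checked calls treat a short write as success, so a truncated or unseparated build-id line can be emitted while the tool still exits 0. Since the output is presumably consumed by the build, I would emit the line in one call and check it, e.g. `if (dprintf(1, "%s %s\n", f, b) < 0) err(1, "Error writing build id");` (assuming <stdio.h> is already included), using `err()` rather than `errx()` so errno is reported. Separately, the `if (b)` guard cannot detect a failed `alloca(sz * 2 + 1)`: `data2hex()` has already written through `b` on the line above, and `alloca` does not return NULL on exhaustion, so `sz` should be bounded before the allocation if it comes from the input file. handle_one() starts and ends outside this hunk, so where `sz` is set is not visible here.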
diff --git a/commit b/commit
index 14a907cc..fc0d353e 100644
--- a/commit
+++ b/commit
@@ -1 +1 @@
-23ce039c434d164a3848c829b237899cc17c1d21 \ No newline at end of file
+5e827007b3d95c4ce999422462248f5e7d3f270f \ No newline at end of file
diff --git a/debian/canonical-uefi-ca.der b/debian/canonical-uefi-ca.der
deleted file mode 100644
index b4098d9c..00000000
--- a/debian/canonical-uefi-ca.der
+++ /dev/null
Binary files differ
diff --git a/debian/changelog b/debian/changelog
deleted file mode 100644
index 005a1457..00000000
--- a/debian/changelog
+++ /dev/null
@@ -1,243 +0,0 @@
-shim (13~git1505328971.0780644a-0ubuntu1~test1) UNRELEASED; urgency=medium
-
- * New upstream snapshot: 13~git1505328971.0780644a
- * debian/control: add a Build-Depends on libelf-dev.
- * debian/control: add Breaks: for the previous shim-signed builds given
- that shim will now build and ship BOOT.CSV by itself.
- * debian/rules:
- - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
- options: set MAKELEVEL.
- - Define an EFI_ARCH variable, and use that for paths to shim. This
- makes it possible to build a shim for other architectures than amd64.
- - Set EFIDIR=ubuntu for dh_auto_install; that will let files be installed
- in the "right" final directories, and makes boot.csv for us.
- - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
- at compile-time for MokManager and fallback.
- - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
- and MokManager.
- - Ignore unused-variable errors.
- * debian/patches/second-stage-path: dropped; the default loader path now
- includes an arch suffix.
- * debian/patches/sbsigntool-no-pesign: dropped; no longer needed..
- * debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: dropped,
- included upstream.
- * debian/rules: clean up after *.signed files.
- * debian/shim.install: update paths in light of using shim's upstream install
- target.
- * debian/patches/buildid_write_return.patch: workaround our strict compile
- rules failing the build: make sure write calls check the return value.
- * debian/rules, debian/shim.install: make sure the 'make install' step does
- what it's meant to do by upstream: we can easily make use of the end result
- to have the files we need.
-
- -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 29 Aug 2017 22:45:30 -0400
-
-shim (0.9+1474479173.6c180c6-1ubuntu1) zesty; urgency=medium
-
- [ Steve Langasek ]
- * Merge (not yet NEW cleared) changes from Debian branch.
-
- [ Mathieu Trudel-Lapierre ]
- * debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: guard
- against errors in mirroring MokSBState to MokSBStateRT. Thanks to Ivan Hu
- for the patch. This will fix issues updating MokSBStateRT if the variable
- already exists with different attributes. (LP: #1644806)
-
- -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Thu, 01 Dec 2016 16:55:50 -0500
-
-shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium
-
- [ Steve Langasek ]
- * Initial Debian upload. Closes: #820052.
- * Update Standards-Version.
- * Embed the newly-minted Debian CA certificate.
- * Vendorize debian/rules so that the same package can be used in both
- Debian and Ubuntu without modification.
- * Fix debian/copyright to match the spec (last match wins, not first)
- * Fix shim.efi to not be executable.
- * Add watchfile.
- * Support parallel builds, because eh why not
- * Update Vcs-Bzr.
- * Resync with Ubuntu, including patch to fix debian/copyright.
-
- [ Julien Cristau ]
- * Add some missing copyright holders in d/copyright, update
- Upstream-Contact. Thanks to Helen Koike for the help.
-
- -- Julien Cristau <jcristau@debian.org> Sat, 15 Oct 2016 15:17:34 +0200
-
-shim (0.9+1474479173.6c180c6-0ubuntu1) yakkety; urgency=medium
-
- [ Helen Koike ]
- * debian/copyright: add OpenSSL license
-
- [ Mathieu Trudel-Lapierre ]
- * New upstream release. (LP: #1624096)
- * debian/copyright: patches should be BSD, like the rest of the upstream
- code.
- * debian/patches/unused-variable: dropped; applied upstream.
- * debian/patches/binutils-version-matching: dropped, fixed upstream.
- * debian/shim.install: built EFI binaries were renamed; update our install
- file to properly pick up shim (shim$arch), MokManager (mm$arch), and
- fallback (fb$arch).
-
- -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Thu, 22 Sep 2016 15:02:20 -0400
-
-shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium
-
- * New upstream release.
- - Better handle LoadOptions. (LP: #1581299)
- - Measure state and second stage in TPM.
- - Mirror MokSBState in runtime as MokSBStateRT.
- - Fix failure to build with GCC 5. (LP: #1429978)
- - Various bug fixes and other improvements.
- * Refreshed patches.
- - Remaining patches:
- + second-stage-path
- + sbsigntool-not-pesign
- * debian/patches/unused-variable: remove unused variable size.
- * debian/patches/binutils-version-matching: revert d9a4c912 to correctly
- match objcopy's version on Ubuntu.
- * debian/copyright: update copyright for patches.
-
- -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 26 Jul 2016 16:48:32 -0400
-
-shim (0.8-0ubuntu2) wily; urgency=medium
-
- * No-change rebuild against gnu-efi 3.0v-5ubuntu1.
-
- -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 12 May 2015 17:48:30 +0000
-
-shim (0.8-0ubuntu1) wily; urgency=medium
-
- * New upstream release.
- - Clarify meaning of insecure_mode. (LP: #1384973)
- * debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,
- debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included
- in the upstream release.
- * debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path:
- refreshed.
-
- -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com> Mon, 11 May 2015 19:50:49 -0400
-
-shim (0.7-0ubuntu4) utopic; urgency=medium
-
- * SECURITY UPDATE: heap overflow and out-of-bounds read access when
- parsing DHCPv6 information
- - debian/patches/CVE-2014-3675.patch: apply proper bounds checking
- when parsing data provided in DHCPv6 packets.
- - CVE-2014-3675
- - CVE-2014-3676
- * SECURITY UPDATE: memory corruption when processing user-provided key
- lists
- - debian/patches/CVE-2014-3677.patch: detect malformed machine owner
- key (MOK) lists and ignore them, avoiding possible memory corruption.
- - CVE-2014-3677
-
- -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 08 Oct 2014 06:40:40 +0000
-
-shim (0.7-0ubuntu2) utopic; urgency=medium
-
- * Restore debian/patches/prototypes, which still is needed on shim 0.7
- but only detected on the buildds.
- * Update debian/patches/prototypes with some new declarations needed for
- openssl 0.9.8za update.
-
- -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 16:20:08 -0700
-
-shim (0.7-0ubuntu1) utopic; urgency=medium
-
- * New upstream release.
- - fix spurious error message when fallback.efi is not present, as will
- always be the case for removable media. LP: #1297069.
- - drop most patches, included upstream.
- * debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick
- openssl 0.9.8za in via upstream.
-
- -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 05:40:41 +0000
-
-shim (0.4-0ubuntu5) utopic; urgency=low
-
- * Install fallback.efi.signed as well, to lay the groundwork for fallback
- handling (wanted when we have to move a drive between machines, or when
- the firmware loses its marbles^W nvram).
-
- -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 04 Aug 2014 12:11:13 +0200
-
-shim (0.4-0ubuntu4) saucy; urgency=low
-
- * debian/patches/fix-tftp-prototype: pass the right arguments to
- EFI_PXE_BASE_CODE_TFTP_READ_FILE.
- * debian/patches/build-with-Werror: Build with -Werror to catch future
- prototype mismatches.
- * debian/patches/fix-compiler-warnings: Fix remaining compiler
- warnings in netboot.c.
- * debian/patches/tftp-proper-nul-termination: fix nul termination
- errors in filenames passed to tftp.
- * debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to
- the netboot code.
-
- -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 23 Sep 2013 00:30:00 -0700
-
-shim (0.4-0ubuntu3) saucy; urgency=low
-
- [ Steve Langasek ]
- * Install MokManager.efi.signed in the package.
- * debian/patches/no-output-by-default.patch: Don't print any
- informational messages. Closes LP: #1074302.
-
- [ Stéphane Graber ]
- * debian/patches/no-print-on-unsigned: Don't print an error message when
- validating an unsigned binary as that tends to hang Lenovo machines.
- (LP: #1087501)
-
- -- Stéphane Graber <stgraber@ubuntu.com> Thu, 08 Aug 2013 17:12:12 +0200
-
-shim (0.4-0ubuntu2) saucy; urgency=low
-
- * Add missing build-dependency on openssl.
-
- -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 20:30:43 +0000
-
-shim (0.4-0ubuntu1) saucy; urgency=low
-
- * New upstream release.
- * Drop debian/patches/shim-before-loadimage; upstream has changed this to
- not call loadimage at all.
- * debian/patches/sbsigntool-not-pesign: Sign MokManager with
- sbsigntool instead of pesign.
- * Add a versioned build-dependency on gnu-efi.
-
- -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 12:53:24 -0700
-
-shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low
-
- * debian/patches/shim-before-loadimage: Use direct verification first
- before LoadImage. Addresses an issue where Lenovo's SecureBoot
- implementation pops an error message on any verification failure - avoid
- calling LoadImage at all unless we have to.
-
- -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 10 Oct 2012 15:28:40 -0700
-
-shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low
-
- * debian/patches/second-stage-path: Chainload grubx64.efi, not
- grub.efi.
-
- -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 05 Oct 2012 11:20:58 -0700
-
-shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low
-
- * debian/patches/prototypes: Include missing prototypes, and disable
- use of BIO_new_file.
- * Only build the package for amd64; we're not signing an i386 shim at this
- stage so there's no point in building it.
-
- -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 17:47:04 +0000
-
-shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low
-
- * Initial release.
- * Include the Canonical Secure Boot master CA.
-
- -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 00:01:06 -0700
diff --git a/debian/compat b/debian/compat
deleted file mode 100644
index ec635144..00000000
--- a/debian/compat
+++ /dev/null
@@ -1 +0,0 @@
-9
diff --git a/debian/control b/debian/control
deleted file mode 100644
index ea901e5d..00000000
--- a/debian/control
+++ /dev/null
@@ -1,19 +0,0 @@
-Source: shim
-Section: admin
-Priority: optional
-Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
-XSBC-Original-Maintainer: Steve Langasek <vorlon@debian.org>
-Standards-Version: 3.9.8
-Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl, libelf-dev
-Vcs-Bzr: lp:~ubuntu-core-dev/shim/trunk
-
-Package: shim
-Architecture: amd64
-Depends: ${shlibs:Depends}, ${misc:Depends}
-Breaks: shim-signed (<< 1.33~)
-Description: boot loader to chain-load signed boot loaders under Secure Boot
- This package provides a minimalist boot loader which allows verifying
- signatures of other UEFI binaries against either the Secure Boot DB/DBX or
- against a built-in signature database. Its purpose is to allow a small,
- infrequently-changing binary to be signed by the UEFI CA, while allowing
- an OS distributor to revision their main bootloader independently of the CA.
diff --git a/debian/copyright b/debian/copyright
deleted file mode 100644
index 7c08287c..00000000
--- a/debian/copyright
+++ /dev/null
@@ -1,254 +0,0 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Upstream-Name: shim
-Upstream-Contact: Matthew Garrett <mjg59@coreos.com>
-Source: https://github.com/mjg59/shim.git
-
-Files: *
-Copyright: 2012-2013 Red Hat, Inc
- 2009-2016 Intel Corporation
-License: BSD-2-Clause
-
-Files: debian/patches/*
-Copyright: 2016 Canonical Ltd.
-License: BSD-2-Clause
-
-Files: crypt_blowfish.*
-Copyright: none
-License: public-domain
- No copyright is claimed, and the software is hereby placed in the public
- domain. In case this attempt to disclaim copyright and place the software
- in the public domain is deemed null and void, then the software is
- Copyright (c) 2000-2011 Solar Designer and it is hereby released to the
- general public under the following terms:
- .
- Redistribution and use in source and binary forms, with or without
- modification, are permitted.
- .
- There's ABSOLUTELY NO WARRANTY, express or implied.
-
-Files: httpboot.*
-Copyright: 2015 SUSE LINUX GmbH
-License: BSD-2-Clause
-
-Files: include/Http.h
-Copyright: 2016 Intel Corporation
- 2015 Hewlett Packard Enterprise Development LP
-License: BSD-2-Clause
-
-Files: include/PeImage.h
-Copyright: 2006-2010 Intel Corporation
- 2008-2009 Apple Inc
-License: BSD-2-Clause
-
-Files: lib/*.c
-Copyright: 2011-2012 Intel Corporation
- 2012 <James.Bottomley@HansenPartnership.com>
- 2012-2013 Red Hat, Inc
-License: BSD-2-Clause
-
-Files: Cryptlib/OpenSSL/* Cryptlib/Include/openssl/*
-Copyright: 1998-2016 The OpenSSL Project
- 1995-1998 Eric Young (eay@cryptsoft.com)
- 2002 Sun Microsystems, Inc
- 2005 Nokia
-License: OpenSSL and Original-SSLeay
- OpenSSL License
- ---------------
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
- .
- 1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
- .
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in
- the documentation and/or other materials provided with the
- distribution.
- .
- 3. All advertising materials mentioning features or use of this
- software must display the following acknowledgment:
- "This product includes software developed by the OpenSSL Project
- for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- .
- 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- endorse or promote products derived from this software without
- prior written permission. For written permission, please contact
- openssl-core@openssl.org.
- .
- 5. Products derived from this software may not be called "OpenSSL"
- nor may "OpenSSL" appear in their names without prior written
- permission of the OpenSSL Project.
- .
- 6. Redistributions of any form whatsoever must retain the following
- acknowledgment:
- "This product includes software developed by the OpenSSL Project
- for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- .
- THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- OF THE POSSIBILITY OF SUCH DAMAGE.
- ====================================================================
- .
- This product includes cryptographic software written by Eric Young
- (eay@cryptsoft.com). This product includes software written by Tim
- Hudson (tjh@cryptsoft.com).
- .
- Original SSLeay License
- -----------------------
- This package is an SSL implementation written
- by Eric Young (eay@cryptsoft.com).
- The implementation was written so as to conform with Netscapes SSL.
- .
- This library is free for commercial and non-commercial use as long as
- the following conditions are aheared to. The following conditions
- apply to all code found in this distribution, be it the RC4, RSA,
- lhash, DES, etc., code; not just the SSL code. The SSL documentation
- included with this distribution is covered by the same copyright terms
- except that the holder is Tim Hudson (tjh@cryptsoft.com).
- .
- Copyright remains Eric Young's, and as such any Copyright notices in
- the code are not to be removed.
- If this package is used in a product, Eric Young should be given attribution
- as the author of the parts of the library used.
- This can be in the form of a textual message at program startup or
- in documentation (online or textual) provided with the package.
- .
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
- 1. Redistributions of source code must retain the copyright
- notice, this list of conditions and the following disclaimer.
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
- 3. All advertising materials mentioning features or use of this software
- must display the following acknowledgement:
- "This product includes cryptographic software written by
- Eric Young (eay@cryptsoft.com)"
- The word 'cryptographic' can be left out if the rouines from the library
- being used are not cryptographic related :-).
- 4. If you include any Windows specific code (or a derivative thereof) from
- the apps directory (application code) you must include an acknowledgement:
- "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- .
- THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- SUCH DAMAGE.
- .
- The licence and distribution terms for any publically available version or
- derivative of this code cannot be changed. i.e. this code cannot simply be
- copied and put under another distribution licence
- [including the GNU Public Licence.]
-
-Files: Cryptlib/Include/openssl/seed.h
-Copyright: 2007 KISA(Korea Information Security Agency)
-License: BSD-2-Clause
-
-Files: Cryptlib/OpenSSL/crypto/o_dir.h Cryptlib/OpenSSL/crypto/LPdir_nyi.c
-Copyright: 2004, Richard Levitte <richard@levitte.org>
-License: BSD-2-Clause
-
-Files: Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c Cryptlib/OpenSSL/crypto/x509v3/v3_pcia.c
-Copyright: 2004 Kungliga Tekniska Högskolan
-License: BSD-3-Clause-Institute
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
- .
- 1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
- .
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
- .
- 3. Neither the name of the Institute nor the names of its contributors
- may be used to endorse or promote products derived from this software
- without specific prior written permission.
- .
- THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- SUCH DAMAGE.
-
-Files: Cryptlib/OpenSSL/crypto/bn/rsaz_exp.h
-Copyright: 2012, Intel Corporation
-License: BSD-3-Clause-Intel
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are
- met:
- .
- * Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
- .
- * Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the
- distribution.
- .
- * Neither the name of the Intel Corporation nor the names of its
- contributors may be used to endorse or promote products derived from
- this software without specific prior written permission.
- .
- THIS SOFTWARE IS PROVIDED BY INTEL CORPORATION ""AS IS"" AND ANY
- EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL INTEL CORPORATION OR
- CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
- LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-License: BSD-2-Clause
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
- .
- Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
- .
- Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the
- distribution.
- .
- THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
- INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/debian/debian-uefi-ca.der b/debian/debian-uefi-ca.der
deleted file mode 100644
index 1dd6ee16..00000000
--- a/debian/debian-uefi-ca.der
+++ /dev/null
Binary files differ
diff --git a/debian/patches/buildid_write_return.patch b/debian/patches/buildid_write_return.patch
deleted file mode 100644
index 268cbd33..00000000
--- a/debian/patches/buildid_write_return.patch
+++ /dev/null
@@ -1,35 +0,0 @@
----
- buildid.c | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
-Index: b/buildid.c
-===================================================================
---- a/buildid.c
-+++ b/buildid.c
-@@ -113,6 +113,7 @@ static void handle_one(char *f)
- char *b = NULL;
- size_t sz;
- uint8_t *data;
-+ ssize_t written;
-
- if (!strcmp(f, "-")) {
- fd = STDIN_FILENO;
-@@ -132,10 +133,14 @@ static void handle_one(char *f)
- b = alloca(sz * 2 + 1);
- data2hex(data, sz, b);
- if (b) {
-- write(1, f, strlen(f));
-- write(1, " ", 1);
-- write(1, b, strlen(b));
-- write(1, "\n", 1);
-+ written = write(1, f, strlen(f));
-+ if (written < 0)
-+ errx(1, "Error writing build id");
-+ written = write(1, " ", 1);
-+ written = write(1, b, strlen(b));
-+ if (written < 0)
-+ errx(1, "Error writing build id");
-+ written = write(1, "\n", 1);
- }
- }
- elf_end(elf);
diff --git a/debian/patches/gcc-5.diff b/debian/patches/gcc-5.diff
deleted file mode 100644
index e706c3ab..00000000
--- a/debian/patches/gcc-5.diff
+++ /dev/null
@@ -1,45 +0,0 @@
----
- Cryptlib/Makefile | 2 +-
- Cryptlib/OpenSSL/Makefile | 2 +-
- Makefile | 2 +-
- 3 files changed, 3 insertions(+), 3 deletions(-)
-
-Index: b/Makefile
-===================================================================
---- a/Makefile
-+++ b/Makefile
-@@ -19,7 +19,7 @@ EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(A
- EFI_LDS = elf_$(ARCH)_efi.lds
-
- DEFAULT_LOADER := \\\\grubx64.efi
--CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
-+CFLAGS = -std=gnu89 -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
- -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
- -Werror=sign-compare \
- "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
-Index: b/Cryptlib/Makefile
-===================================================================
---- a/Cryptlib/Makefile
-+++ b/Cryptlib/Makefile
-@@ -1,7 +1,7 @@
-
- EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
-
--CFLAGS = -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
-+CFLAGS = -std=gnu89 -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
- -Wall $(EFI_INCLUDES)
-
- ifeq ($(ARCH),x86_64)
-Index: b/Cryptlib/OpenSSL/Makefile
-===================================================================
---- a/Cryptlib/OpenSSL/Makefile
-+++ b/Cryptlib/OpenSSL/Makefile
-@@ -1,7 +1,7 @@
-
- EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
-
--CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \
-+CFLAGS = -std=gnu89 -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \
- -Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC
-
- ifeq ($(ARCH),x86_64)
diff --git a/debian/patches/gcc5-includes-stdarg.patch b/debian/patches/gcc5-includes-stdarg.patch
deleted file mode 100644
index 57cf4a8e..00000000
--- a/debian/patches/gcc5-includes-stdarg.patch
+++ /dev/null
@@ -1,129 +0,0 @@
-From d51739a416400ad348d8a1c7e3886abce11fff1b Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Tue, 7 Apr 2015 11:59:25 -0400
-Subject: [PATCH] gcc 5.0 changes some include bits, so copy what arm does on
- x86.
-
-Basically they messed around with stdarg some and now we need to do it
-the other way.
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- Cryptlib/Include/OpenSslSupport.h | 4 +++-
- Cryptlib/Makefile | 3 ++-
- Cryptlib/OpenSSL/Makefile | 5 +++--
- Makefile | 17 ++++++-----------
- MokManager.c | 1 +
- 5 files changed, 15 insertions(+), 15 deletions(-)
-
-Index: b/Cryptlib/Include/OpenSslSupport.h
-===================================================================
---- a/Cryptlib/Include/OpenSslSupport.h
-+++ b/Cryptlib/Include/OpenSslSupport.h
-@@ -34,7 +34,7 @@ typedef VOID *FILE;
- //
- // Map all va_xxxx elements to VA_xxx defined in MdePkg/Include/Base.h
- //
--#if !defined(__CC_ARM) // if va_list is not already defined
-+#if !defined(__CC_ARM) || defined(_STDARG_H) // if va_list is not already defined
- /*
- * These are now unconditionally #defined by GNU_EFI's efistdarg.h,
- * so we should #undef them here before providing a new definition.
-@@ -94,7 +94,9 @@ typedef __builtin_va_list VA_LIST;
- portably, hence it is provided by a Standard C header file.
- For pre-Standard C compilers, here is a version that usually works
- (but watch out!): */
-+#ifndef offsetof
- #define offsetof(type, member) ( (int) & ((type*)0) -> member )
-+#endif
-
- //
- // Basic types from EFI Application Toolkit required to buiild Open SSL
-Index: b/Cryptlib/Makefile
-===================================================================
---- a/Cryptlib/Makefile
-+++ b/Cryptlib/Makefile
-@@ -2,7 +2,8 @@
- EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
-
- CFLAGS = -std=gnu89 -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
-- -Wall $(EFI_INCLUDES)
-+ -Wall $(EFI_INCLUDES) \
-+ -ffreestanding -I$(shell $(CC) -print-file-name=include)
-
- ifeq ($(ARCH),x86_64)
- CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \
-Index: b/Cryptlib/OpenSSL/Makefile
-===================================================================
---- a/Cryptlib/OpenSSL/Makefile
-+++ b/Cryptlib/OpenSSL/Makefile
-@@ -2,6 +2,7 @@
- EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
-
- CFLAGS = -std=gnu89 -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \
-+ -ffreestanding -I$(shell $(CC) -print-file-name=include) \
- -Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC
-
- ifeq ($(ARCH),x86_64)
-@@ -13,10 +14,10 @@ ifeq ($(ARCH),ia32)
- -m32 -DTHIRTY_TWO_BIT
- endif
- ifeq ($(ARCH),aarch64)
-- CFLAGS += -O2 -DSIXTY_FOUR_BIT_LONG -ffreestanding -I$(shell $(CC) -print-file-name=include)
-+ CFLAGS += -O2 -DSIXTY_FOUR_BIT_LONG
- endif
- ifeq ($(ARCH),arm)
-- CFLAGS += -O2 -DTHIRTY_TWO_BIT -ffreestanding -I$(shell $(CC) -print-file-name=include)
-+ CFLAGS += -O2 -DTHIRTY_TWO_BIT
- endif
- LDFLAGS = -nostdlib -znocombreloc
-
-Index: b/Makefile
-===================================================================
---- a/Makefile
-+++ b/Makefile
-@@ -21,7 +21,8 @@ EFI_LDS = elf_$(ARCH)_efi.lds
- DEFAULT_LOADER := \\\\grubx64.efi
- CFLAGS = -std=gnu89 -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
- -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
-- -Werror=sign-compare \
-+ -Werror=sign-compare -ffreestanding \
-+ -I$(shell $(CC) -print-file-name=include) \
- "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
- "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
- $(EFI_INCLUDES)
-@@ -31,19 +32,13 @@ ifneq ($(origin OVERRIDE_SECURITY_POLICY
- endif
-
- ifeq ($(ARCH),x86_64)
-- CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \
-+ CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
-+ -maccumulate-outgoing-args \
- -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI
- endif
- ifeq ($(ARCH),ia32)
-- CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -m32
--endif
--
--ifeq ($(ARCH),aarch64)
-- CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include)
--endif
--
--ifeq ($(ARCH),arm)
-- CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include)
-+ CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
-+ -maccumulate-outgoing-args -m32
- endif
-
- ifneq ($(origin VENDOR_CERT_FILE), undefined)
-Index: b/MokManager.c
-===================================================================
---- a/MokManager.c
-+++ b/MokManager.c
-@@ -1,5 +1,6 @@
- #include <efi.h>
- #include <efilib.h>
-+#include <stdarg.h>
- #include <Library/BaseCryptLib.h>
- #include <openssl/x509.h>
- #include "shim.h"
diff --git a/debian/patches/prototypes b/debian/patches/prototypes
deleted file mode 100644
index 7191e102..00000000
--- a/debian/patches/prototypes
+++ /dev/null
@@ -1,191 +0,0 @@
-Description: Include missing prototypes, and disable use of BIO_new_file
- Pull in missing prototypes for functions that are not yet upstream in
- gnu-efi, and #ifdef out references to BIO_new_file(), BIO_new_fp(), and
- X509_load_{cert,crl}_file since the prototypes are themselves #ifdef'ed
- out.
- .
- Without these prototypes, we get implicit conversions on amd64, which
- are sensibly treated as a build failure by Launchpad.
-Author: Steve Langasek <steve.langasek@ubuntu.com>
-
-Index: shim/Cryptlib/Library/BaseMemoryLib.h
-===================================================================
---- /dev/null
-+++ shim/Cryptlib/Library/BaseMemoryLib.h
-@@ -0,0 +1,41 @@
-+#ifndef __BASE_MEMORY_LIB__
-+#define __BASE_MEMORY_LIB__
-+
-+CHAR8 *
-+ScanMem8 (
-+ IN CHAR8 *Buffer,
-+ IN UINTN Size,
-+ IN CHAR8 Value
-+ );
-+
-+UINT32
-+WriteUnaligned32(
-+ UINT32 *Buffer,
-+ UINT32 Value
-+ );
-+
-+CHAR8 *
-+AsciiStrCat(
-+ CHAR8 *Destination,
-+ CHAR8 *Source
-+ );
-+
-+CHAR8 *
-+AsciiStrCpy(
-+ CHAR8 *Destination,
-+ CHAR8 *Source
-+ );
-+
-+CHAR8 *
-+AsciiStrnCpy(
-+ CHAR8 *Destination,
-+ CHAR8 *Source,
-+ UINTN count
-+ );
-+
-+UINTN
-+AsciiStrSize(
-+ CHAR8 *string
-+ );
-+
-+#endif
-Index: shim/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c
-===================================================================
---- shim.orig/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c
-+++ shim/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c
-@@ -157,6 +157,7 @@
- }
- OPENSSL_free(tmp_data2);
- }
-+#ifndef OPENSSL_NO_STDIO
- else if (strncmp(val->value, "file:", 5) == 0)
- {
- unsigned char buf[2048];
-@@ -194,6 +195,7 @@
- goto err;
- }
- }
-+#endif
- else if (strncmp(val->value, "text:", 5) == 0)
- {
- val_len = strlen(val->value + 5);
-Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_def.c
-===================================================================
---- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_def.c
-+++ shim/Cryptlib/OpenSSL/crypto/conf/conf_def.c
-@@ -186,11 +186,13 @@
- int ret;
- BIO *in=NULL;
-
-+#ifndef OPENSSL_NO_STDIO
- #ifdef OPENSSL_SYS_VMS
- in=BIO_new_file(name, "r");
- #else
- in=BIO_new_file(name, "rb");
- #endif
-+#endif
- if (in == NULL)
- {
- if (ERR_GET_REASON(ERR_peek_last_error()) == BIO_R_NO_SUCH_FILE)
-Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_lib.c
-===================================================================
---- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_lib.c
-+++ shim/Cryptlib/OpenSSL/crypto/conf/conf_lib.c
-@@ -92,11 +92,13 @@
- LHASH *ltmp;
- BIO *in=NULL;
-
-+#ifndef OPENSSL_NO_STDIO
- #ifdef OPENSSL_SYS_VMS
- in=BIO_new_file(file, "r");
- #else
- in=BIO_new_file(file, "rb");
- #endif
-+#endif
- if (in == NULL)
- {
- CONFerr(CONF_F_CONF_LOAD,ERR_R_SYS_LIB);
-Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_sap.c
-===================================================================
---- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_sap.c
-+++ shim/Cryptlib/OpenSSL/crypto/conf/conf_sap.c
-@@ -93,12 +93,14 @@
- {
- BIO *bio_err;
- ERR_load_crypto_strings();
-+#ifndef OPENSSL_NO_STDIO
- if ((bio_err=BIO_new_fp(stderr, BIO_NOCLOSE)) != NULL)
- {
- BIO_printf(bio_err,"Auto configuration failed\n");
- ERR_print_errors(bio_err);
- BIO_free(bio_err);
- }
-+#endif
- exit(1);
- }
-
-Index: shim/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c
-===================================================================
---- shim.orig/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c
-+++ shim/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c
-@@ -374,11 +374,15 @@
- BIO *in;
- EVP_PKEY *key;
- fprintf(stderr, "(TEST_ENG_OPENSSL_PKEY)Loading Private key %s\n", key_id);
-+#ifndef OPENSSL_NO_STDIO
- in = BIO_new_file(key_id, "r");
- if (!in)
- return NULL;
- key = PEM_read_bio_PrivateKey(in, NULL, 0, NULL);
- BIO_free(in);
-+#else
-+ return NULL;
-+#endif
- return key;
- }
- #endif
-Index: shim/Cryptlib/OpenSSL/crypto/x509/by_dir.c
-===================================================================
---- shim.orig/Cryptlib/OpenSSL/crypto/x509/by_dir.c
-+++ shim/Cryptlib/OpenSSL/crypto/x509/by_dir.c
-@@ -92,8 +92,10 @@
- static int new_dir(X509_LOOKUP *lu);
- static void free_dir(X509_LOOKUP *lu);
- static int add_cert_dir(BY_DIR *ctx,const char *dir,int type);
-+#ifndef OPENSSL_NO_STDIO
- static int get_cert_by_subject(X509_LOOKUP *xl,int type,X509_NAME *name,
- X509_OBJECT *ret);
-+#endif
- X509_LOOKUP_METHOD x509_dir_lookup=
- {
- "Load certs from files in a directory",
-@@ -102,7 +104,11 @@
- NULL, /* init */
- NULL, /* shutdown */
- dir_ctrl, /* ctrl */
-+#ifdef OPENSSL_NO_STDIO
-+ NULL, /* get_by_subject */
-+#else
- get_cert_by_subject, /* get_by_subject */
-+#endif
- NULL, /* get_by_issuer_serial */
- NULL, /* get_by_fingerprint */
- NULL, /* get_by_alias */
-@@ -242,6 +248,7 @@
- return(1);
- }
-
-+#ifndef OPENSSL_NO_STDIO
- static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
- X509_OBJECT *ret)
- {
-@@ -383,3 +390,4 @@
- if (b != NULL) BUF_MEM_free(b);
- return(ok);
- }
-+#endif
diff --git a/debian/patches/series b/debian/patches/series
deleted file mode 100644
index db9eed12..00000000
--- a/debian/patches/series
+++ /dev/null
@@ -1 +0,0 @@
-buildid_write_return.patch
diff --git a/debian/rules b/debian/rules
deleted file mode 100755
index 3ea5da40..00000000
--- a/debian/rules
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/usr/bin/make -f
-
-# Other vendors, add your certs here. No sense in using
-# dpkg-vendor --derives-from, because only Canonical-generated binaries will
-# be signed with this key; so if you are building your own shim binary you
-# should be building the other binaries also.
-ifeq ($(shell dpkg-vendor --is ubuntu && echo yes),yes)
- cert=debian/canonical-uefi-ca.der
- distributor=ubuntu
-else
- cert=debian/debian-uefi-ca.der
- distributor=debian
-endif
-
-ifeq ($(DEB_HOST_ARCH),amd64)
-export EFI_ARCH := x64
-endif
-
-COMMON_OPTIONS = \
- MAKELEVEL=0 \
- EFI_PATH=/usr/lib \
- ENABLE_SHIM_CERT=1 \
- ENABLE_SBSIGN=1 \
- VENDOR_CERT_FILE=$(cert) \
- EFIDIR=$(distributor) \
- $(NULL)
-
-CPPFLAGS += -Wno-error=unused-variable
-
-%:
- dh $@ --parallel
-
-override_dh_auto_clean:
- dh_auto_clean -- MAKELEVEL=0
- rm -f *.signed
-
-override_dh_auto_build:
- dh_auto_build -- $(COMMON_OPTIONS)
-
-override_dh_auto_install:
- dh_auto_install --destdir=debian/tmp -- $(COMMON_OPTIONS)
-
-override_dh_fixperms:
- dh_fixperms
- chmod a-x debian/shim/usr/lib/shim/shim$(EFI_ARCH).efi
diff --git a/debian/shim.install b/debian/shim.install
deleted file mode 100644
index 268df256..00000000
--- a/debian/shim.install
+++ /dev/null
@@ -1,4 +0,0 @@
-/boot/efi/EFI/*/shim*.efi /usr/lib/shim
-/boot/efi/EFI/*/mm*.efi /usr/lib/shim
-/boot/efi/EFI/*/fb*.efi /usr/lib/shim
-/boot/efi/EFI/*/BOOT*.CSV /usr/lib/shim
diff --git a/debian/source/format b/debian/source/format
deleted file mode 100644
index 163aaf8d..00000000
--- a/debian/source/format
+++ /dev/null
@@ -1 +0,0 @@
-3.0 (quilt)
diff --git a/debian/source/include-binaries b/debian/source/include-binaries
deleted file mode 100644
index d82be748..00000000
--- a/debian/source/include-binaries
+++ /dev/null
@@ -1,2 +0,0 @@
-debian/canonical-uefi-ca.der
-debian/debian-uefi-ca.der
diff --git a/debian/watch b/debian/watch
deleted file mode 100644
index 361d88c4..00000000
--- a/debian/watch
+++ /dev/null
@@ -1,5 +0,0 @@
-# Compulsory line, this is a version 4 file
-version=4
-
-opts="repack,compression=xz,filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/shim-$1\.tar\.gz/" \
- https://github.com/mjg59/shim/releases .*/v?(\d\S*)\.tar\.gz