| -rw-r--r-- | .pc/applied-patches | 1 | ||||
| -rw-r--r-- | .pc/sbsigntool-not-pesign/Makefile | 120 | ||||
| -rw-r--r-- | Makefile | 4 | ||||
| -rw-r--r-- | debian/changelog | 2 | ||||
| -rw-r--r-- | debian/control | 2 | ||||
| -rw-r--r-- | debian/patches/sbsigntool-not-pesign | 22 | ||||
| -rw-r--r-- | debian/patches/series | 1 |
7 files changed, 149 insertions, 3 deletions
diff --git a/.pc/applied-patches b/.pc/applied-patches
index 42f8afa0..78756329 100644
--- a/.pc/applied-patches
+++ b/.pc/applied-patches
@@ -1,2 +1,3 @@
 prototypes
 second-stage-path
+sbsigntool-not-pesign
diff --git a/.pc/sbsigntool-not-pesign/Makefile b/.pc/sbsigntool-not-pesign/Makefile
new file mode 100644
index 00000000..412eba5e
--- /dev/null
+++ b/.pc/sbsigntool-not-pesign/Makefile
@@ -0,0 +1,120 @@
+ARCH = $(shell uname -m | sed s,i[3456789]86,ia32,)
+
+SUBDIRS = Cryptlib
+
+LIB_PATH = /usr/lib64
+
+EFI_INCLUDE = /usr/include/efi
+EFI_INCLUDES = -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
+EFI_PATH = /usr/lib64/gnuefi
+
+LIB_GCC = $(shell $(CC) -print-libgcc-file-name)
+EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC)
+
+EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
+EFI_LDS = $(EFI_PATH)/elf_$(ARCH)_efi.lds
+
+CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
+ -Wall -mno-red-zone \
+ $(EFI_INCLUDES)
+ifeq ($(ARCH),x86_64)
+ CFLAGS += -DEFI_FUNCTION_WRAPPER
+endif
+ifneq ($(origin VENDOR_CERT_FILE), undefined)
+ CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
+endif
+
+LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS)
+
+VERSION = 0.2
+
+TARGET = shim.efi MokManager.efi.signed
+OBJS = shim.o netboot.o cert.o dbx.o
+KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key
+SOURCES = shim.c shim.h netboot.c signature.h PeImage.h
+MOK_OBJS = MokManager.o
+MOK_SOURCES = MokManager.c shim.h
+
+all: $(TARGET)
+
+shim.crt:
+ ./make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
+
+shim.cer: shim.crt
+ openssl x509 -outform der -in $< -out $@
+
+shim_cert.h: shim.cer
+ echo "static UINT8 shim_cert[] = {" > $@
+ hexdump -v -e '1/1 "0x%02x, "' $< >> $@
+ echo "};" >> $@
+
+certdb/secmod.db: shim.crt
+ -mkdir certdb
+ certutil -A -n 'my CA' -d certdb/ -t CT,CT,CT -i ca.crt
+ pk12util -d certdb/ -i shim.p12 -W "" -K ""
+ certutil -d certdb/ -A -i shim.crt -n shim -t u
+
+shim.o: $(SOURCES) shim_cert.h
+
+cert.o : cert.S
+ $(CC) $(CFLAGS) -c -o $@ $<
+
+dbx.o : dbx.S
+ $(CC) $(CFLAGS) -c -o $@ $<
+
+shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a
+ $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
+
+MokManager.o: $(SOURCES)
+
+MokManager.so: $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a
+ $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
+
+Cryptlib/libcryptlib.a:
+ $(MAKE) -C Cryptlib
+
+Cryptlib/OpenSSL/libopenssl.a:
+ $(MAKE) -C Cryptlib/OpenSSL
+
+%.efi: %.so
+ objcopy -j .text -j .sdata -j .data \
+ -j .dynamic -j .dynsym -j .rel \
+ -j .rela -j .reloc -j .eh_frame \
+ --target=efi-app-$(ARCH) $^ $@
+ objcopy -j .text -j .sdata -j .data \
+ -j .dynamic -j .dynsym -j .rel \
+ -j .rela -j .reloc -j .eh_frame \
+ -j .debug_info -j .debug_abbrev -j .debug_aranges \
+ -j .debug_line -j .debug_str -j .debug_ranges \
+ --target=efi-app-$(ARCH) $^ $@.debug
+
+%.efi.signed: %.efi certdb/secmod.db
+ pesign -n certdb -i $< -c "shim" -s -o $@ -f
+
+clean:
+ $(MAKE) -C Cryptlib clean
+ $(MAKE) -C Cryptlib/OpenSSL clean
+ rm -rf $(TARGET) $(OBJS) $(MOK_OBJS) $(KEYS) certdb
+ rm -f *.debug *.so
+
+GITTAG = $(VERSION)
+
+test-archive:
+ @rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp
+ @mkdir -p /tmp/shim-$(VERSION)-tmp
+ @git archive --format=tar $(shell git branch | awk '/^*/ { print $$2 }') | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x )
+ @git diff | ( cd /tmp/shim-$(VERSION)-tmp/ ; patch -s -p1 -b -z .gitdiff )
+ @mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/
+ @dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION)
+ @rm -rf /tmp/shim-$(VERSION)
+ @echo "The archive is in shim-$(VERSION).tar.bz2"
+
+archive:
+ git tag $(GITTAG) refs/heads/master
+ @rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp
+ @mkdir -p /tmp/shim-$(VERSION)-tmp
+ @git archive --format=tar $(GITTAG) | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x )
+ @mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/
+ @dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION)
+ @rm -rf /tmp/shim-$(VERSION)
+ @echo "The archive is in shim-$(VERSION).tar.bz2"
@@ -88,8 +88,8 @@ Cryptlib/OpenSSL/libopenssl.a:
 -j .debug_line -j .debug_str -j .debug_ranges \
 --target=efi-app-$(ARCH) $^ $@.debug
 
-%.efi.signed: %.efi certdb/secmod.db
- pesign -n certdb -i $< -c "shim" -s -o $@ -f
+%.efi.signed: %.efi shim.crt
+ sbsign --key shim.key --cert shim.crt $<
 
 clean:
 $(MAKE) -C Cryptlib clean
diff --git a/debian/changelog b/debian/changelog
index e43b513a..62c3aa4f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ shim (0.2+20121127.9c0c64eb-0ubuntu1) UNRELEASED; urgency=low
 * New upstream snapshot.
 * Drop debian/patches/shim-before-loadimage; upstream has changed this
 to not call loadimage at all.
+ * debian/patches/sbsigntool-not-pesign: Sign MokManager with
+ sbsigntool instead of pesign.
 
 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 12 Dec 2012 16:36:12 -0800
 
diff --git a/debian/control b/debian/control
index 0e27bb52..ef0b876e 100644
--- a/debian/control
+++ b/debian/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
 XSBC-Original-Maintainer: Steve Langasek <vorlon@debian.org>
 Standards-Version: 3.9.3
-Build-Depends: debhelper (>= 9), gnu-efi
+Build-Depends: debhelper (>= 9), gnu-efi, sbsigntool
 Vcs-Bzr: lp:ubuntu/shim
 
 Package: shim
diff --git a/debian/patches/sbsigntool-not-pesign b/debian/patches/sbsigntool-not-pesign
new file mode 100644
index 00000000..66b0f121
--- /dev/null
+++ b/debian/patches/sbsigntool-not-pesign
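Review bot: The new `%.efi.signed` recipe never names `$@`; it only works because sbsign's default output name (`<input>.signed`) happens to coincide with the target, and nothing checks that the signature it wrote actually verifies against `shim.crt`, the certificate that `shim_cert.h` embeds into shim — a malformed signature would still leave an up-to-date `MokManager.efi.signed` and presumably only fail at boot. I would make the output explicit and verify it in the same rule: `sbsign --key shim.key --cert shim.crt --output $@ $<` followed by `sbverify --cert shim.crt $@` (both ship in sbsigntool, which the control change already adds as a build dependency); the removed pesign line passed `-o $@` for the same reason. With `certdb/secmod.db` dropped as a prerequisite, that rule and the `certdb` removal in `clean` (outside this hunk) look like dead code now, harmless but worth a comment or removal.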
@@ -0,0 +1,22 @@
+Description: Sign MokManager with sbsigntool instead of pesign
+ Ubuntu infrastructure uses sbsigntool for all other EFI signing, so we use
+ the same thing for signing MokManager with our ephemeral key. This also
+ avoids an additional build dependency on libnss3-tools.
+Author: Steve Langasek <steve.langasek@canonical.com>
+Forwarded: not-needed
+
+Index: shim/Makefile
+===================================================================
+--- shim.orig/Makefile
++++ shim/Makefile
+@@ -88,8 +88,8 @@
+ -j .debug_line -j .debug_str -j .debug_ranges \
+ --target=efi-app-$(ARCH) $^ $@.debug
+ 
+-%.efi.signed: %.efi certdb/secmod.db
+- pesign -n certdb -i $< -c "shim" -s -o $@ -f
++%.efi.signed: %.efi shim.crt
++ sbsign --key shim.key --cert shim.crt $<
+ 
+ clean:
+ $(MAKE) -C Cryptlib clean
diff --git a/debian/patches/series b/debian/patches/series
index 42f8afa0..78756329 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 prototypes
 second-stage-path
+sbsigntool-not-pesign |
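Review bot: The patched rule lists only `shim.crt` as a prerequisite, yet the recipe also reads `shim.key`, so the dependency graph does not describe what the signing step consumes; a `shim.key` that is missing or regenerated without `shim.crt` being touched would make the sbsign line fail or silently re-use a mismatched pair instead of triggering a rebuild. Declaring both is a one-line change: `%.efi.signed: %.efi shim.crt shim.key`. Both files appear to be produced by the single `make-certs` run in the `shim.crt` rule (visible in the quilt backup copy above), so on a clean build this is cosmetic, but it matters for incremental builds. The patch Description could also state that this is the build-time key whose certificate shim embeds, so that a future reader does not mistake it for the distribution's signing key.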
