diff options
| -rw-r--r-- | .pc/.quilt_patches | 1 | ||||
| -rw-r--r-- | .pc/.quilt_series | 1 | ||||
| -rw-r--r-- | .pc/.version | 1 | ||||
| -rw-r--r-- | .pc/applied-patches | 2 | ||||
| -rw-r--r-- | .pc/sbsigntool-not-pesign/Makefile | 197 | ||||
| -rw-r--r-- | .pc/second-stage-path/Makefile | 197 | ||||
| -rw-r--r-- | Cryptlib/Library/BaseMemoryLib.h | 0 | ||||
| -rw-r--r-- | Makefile | 6 | ||||
| -rw-r--r-- | debian/canonical-uefi-ca.der | bin | 0 -> 1080 bytes | |||
| -rw-r--r-- | debian/changelog | 153 | ||||
| -rw-r--r-- | debian/compat | 1 | ||||
| -rw-r--r-- | debian/control | 18 | ||||
| -rw-r--r-- | debian/copyright | 33 | ||||
| -rw-r--r-- | debian/patches/gcc-5.diff | 45 | ||||
| -rw-r--r-- | debian/patches/gcc5-includes-stdarg.patch | 129 | ||||
| -rw-r--r-- | debian/patches/prototypes | 191 | ||||
| -rw-r--r-- | debian/patches/sbsigntool-not-pesign | 26 | ||||
| -rw-r--r-- | debian/patches/second-stage-path | 24 | ||||
| -rw-r--r-- | debian/patches/series | 2 | ||||
| -rwxr-xr-x | debian/rules | 7 | ||||
| -rw-r--r-- | debian/shim.install | 3 | ||||
| -rw-r--r-- | debian/source/format | 1 | ||||
| -rw-r--r-- | debian/source/include-binaries | 1 |
23 files changed, 1036 insertions, 3 deletions
diff --git a/.pc/.quilt_patches b/.pc/.quilt_patches new file mode 100644 index 00000000..6857a8d4 --- /dev/null +++ b/.pc/.quilt_patches @@ -0,0 +1 @@ +debian/patches diff --git a/.pc/.quilt_series b/.pc/.quilt_series new file mode 100644 index 00000000..c2067066 --- /dev/null +++ b/.pc/.quilt_series @@ -0,0 +1 @@ +series diff --git a/.pc/.version b/.pc/.version new file mode 100644 index 00000000..0cfbf088 --- /dev/null +++ b/.pc/.version @@ -0,0 +1 @@ +2 diff --git a/.pc/applied-patches b/.pc/applied-patches new file mode 100644 index 00000000..a5f3392d --- /dev/null +++ b/.pc/applied-patches @@ -0,0 +1,2 @@ +second-stage-path +sbsigntool-not-pesign diff --git a/.pc/sbsigntool-not-pesign/Makefile b/.pc/sbsigntool-not-pesign/Makefile new file mode 100644 index 00000000..2c760ef8 --- /dev/null +++ b/.pc/sbsigntool-not-pesign/Makefile @@ -0,0 +1,197 @@ +VERSION = 0.9 +RELEASE := +ifneq ($(RELEASE),"") + RELEASE:="-$(RELEASE)" +endif + +CC = $(CROSS_COMPILE)gcc +LD = $(CROSS_COMPILE)ld +OBJCOPY = $(CROSS_COMPILE)objcopy + +ARCH = $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,) +OBJCOPY_GTE224 = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.version //g' | cut -f1-2 -d.` \>= 2.24) + +SUBDIRS = Cryptlib lib + +LIB_PATH = /usr/lib64 + +EFI_INCLUDE := /usr/include/efi +EFI_INCLUDES = -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -I$(shell pwd)/include +EFI_PATH := /usr/lib64/gnuefi + +LIB_GCC = $(shell $(CC) -print-libgcc-file-name) +EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC) + +EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o +EFI_LDS = elf_$(ARCH)_efi.lds + +DEFAULT_LOADER := \\\\grubx64.efi +CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ + -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \ + -Werror=sign-compare -ffreestanding -std=gnu89 \ + -I$(shell $(CC) -print-file-name=include) \ + "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \ + "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \ + $(EFI_INCLUDES) + +ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined) + CFLAGS += -DOVERRIDE_SECURITY_POLICY +endif + +ifeq ($(ARCH),x86_64) + CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \ + -maccumulate-outgoing-args \ + -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \ + -DNO_BUILTIN_VA_FUNCS \ + "-DEFI_ARCH=L\"x64\"" \ + "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/x64-$(VERSION)$(RELEASE)/\"" +endif +ifeq ($(ARCH),ia32) + CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \ + -maccumulate-outgoing-args -m32 \ + "-DEFI_ARCH=L\"ia32\"" \ + "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/ia32-$(VERSION)$(RELEASE)/\"" +endif +ifeq ($(ARCH),aarch64) + CFLAGS += "-DEFI_ARCH=L\"aa64\"" \ + "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/aa64-$(VERSION)$(RELEASE)/\"" +endif + +ifneq ($(origin VENDOR_CERT_FILE), undefined) + CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\" +endif +ifneq ($(origin VENDOR_DBX_FILE), undefined) + CFLAGS += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\" +endif + +LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) --build-id=sha1 + +TARGET = shim.efi MokManager.efi.signed fallback.efi.signed +OBJS = shim.o netboot.o cert.o replacements.o tpm.o version.o +KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer +SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h tpm.c tpm.h version.c version.h +MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o +MOK_SOURCES = MokManager.c shim.h include/console.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h +FALLBACK_OBJS = fallback.o +FALLBACK_SRCS = fallback.c + +all: $(TARGET) + +shim.crt: + ./make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null + +shim.cer: shim.crt + openssl x509 -outform der -in $< -out $@ + +shim_cert.h: shim.cer + echo "static UINT8 shim_cert[] = {" > $@ + hexdump -v -e '1/1 "0x%02x, "' $< >> $@ + echo "};" >> $@ + +version.c : version.c.in + sed -e "s,@@VERSION@@,$(VERSION)," \ + -e "s,@@UNAME@@,$(shell uname -a)," \ + -e "s,@@COMMIT@@,$(shell if [ -d .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo commit id not available; fi)," \ + < version.c.in > version.c + +certdb/secmod.db: shim.crt + -mkdir certdb + pk12util -d certdb/ -i shim.p12 -W "" -K "" + certutil -d certdb/ -A -i shim.crt -n shim -t u + +shim.o: $(SOURCES) shim_cert.h +shim.o: $(wildcard *.h) + +cert.o : cert.S + $(CC) $(CFLAGS) -c -o $@ $< + +shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a + $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) + +fallback.o: $(FALLBACK_SRCS) + +fallback.so: $(FALLBACK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a + $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) + +MokManager.o: $(MOK_SOURCES) + +MokManager.so: $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a + $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a + +Cryptlib/libcryptlib.a: + $(MAKE) -C Cryptlib + +Cryptlib/OpenSSL/libopenssl.a: + $(MAKE) -C Cryptlib/OpenSSL + +lib/lib.a: + $(MAKE) CFLAGS="$(CFLAGS)" -C lib + +ifeq ($(ARCH),aarch64) +FORMAT := -O binary +SUBSYSTEM := 0xa +LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM) +endif + +ifeq ($(ARCH),arm) +FORMAT := -O binary +SUBSYSTEM := 0xa +LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM) +endif + +FORMAT ?= --target efi-app-$(ARCH) + +%.efi: %.so +ifneq ($(OBJCOPY_GTE224),1) + $(error objcopy >= 2.24 is required) +endif + $(OBJCOPY) -j .text -j .sdata -j .data \ + -j .dynamic -j .dynsym -j .rel* \ + -j .rela* -j .reloc -j .eh_frame \ + -j .vendor_cert \ + $(FORMAT) $^ $@ + $(OBJCOPY) -j .text -j .sdata -j .data \ + -j .dynamic -j .dynsym -j .rel* \ + -j .rela* -j .reloc -j .eh_frame \ + -j .debug_info -j .debug_abbrev -j .debug_aranges \ + -j .debug_line -j .debug_str -j .debug_ranges \ + -j .note.gnu.build-id \ + $(FORMAT) $^ $@.debug + +%.efi.signed: %.efi certdb/secmod.db + pesign -n certdb -i $< -c "shim" -s -o $@ -f + +clean: + $(MAKE) -C Cryptlib clean + $(MAKE) -C Cryptlib/OpenSSL clean + $(MAKE) -C lib clean + rm -rf $(TARGET) $(OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb + rm -f *.debug *.so *.efi *.tar.* version.c + +GITTAG = $(VERSION) + +test-archive: + @rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp + @mkdir -p /tmp/shim-$(VERSION)-tmp + @git archive --format=tar $(shell git branch | awk '/^*/ { print $$2 }') | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x ) + @git diff | ( cd /tmp/shim-$(VERSION)-tmp/ ; patch -s -p1 -b -z .gitdiff ) + @mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/ + @git log -1 --pretty=format:%H > /tmp/shim-$(VERSION)/commit + @dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION) + @rm -rf /tmp/shim-$(VERSION) + @echo "The archive is in shim-$(VERSION).tar.bz2" + +tag: + git tag --sign $(GITTAG) refs/heads/master + +archive: tag + @rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp + @mkdir -p /tmp/shim-$(VERSION)-tmp + @git archive --format=tar $(GITTAG) | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x ) + @mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/ + @git log -1 --pretty=format:%H > /tmp/shim-$(VERSION)/commit + @dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION) + @rm -rf /tmp/shim-$(VERSION) + @echo "The archive is in shim-$(VERSION).tar.bz2" + +export ARCH CC LD OBJCOPY EFI_INCLUDE diff --git a/.pc/second-stage-path/Makefile b/.pc/second-stage-path/Makefile new file mode 100644 index 00000000..640ecf2b --- /dev/null +++ b/.pc/second-stage-path/Makefile @@ -0,0 +1,197 @@ +VERSION = 0.9 +RELEASE := +ifneq ($(RELEASE),"") + RELEASE:="-$(RELEASE)" +endif + +CC = $(CROSS_COMPILE)gcc +LD = $(CROSS_COMPILE)ld +OBJCOPY = $(CROSS_COMPILE)objcopy + +ARCH = $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,) +OBJCOPY_GTE224 = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.version //g' | cut -f1-2 -d.` \>= 2.24) + +SUBDIRS = Cryptlib lib + +LIB_PATH = /usr/lib64 + +EFI_INCLUDE := /usr/include/efi +EFI_INCLUDES = -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -I$(shell pwd)/include +EFI_PATH := /usr/lib64/gnuefi + +LIB_GCC = $(shell $(CC) -print-libgcc-file-name) +EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC) + +EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o +EFI_LDS = elf_$(ARCH)_efi.lds + +DEFAULT_LOADER := \\\\grub.efi +CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ + -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \ + -Werror=sign-compare -ffreestanding -std=gnu89 \ + -I$(shell $(CC) -print-file-name=include) \ + "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \ + "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \ + $(EFI_INCLUDES) + +ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined) + CFLAGS += -DOVERRIDE_SECURITY_POLICY +endif + +ifeq ($(ARCH),x86_64) + CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \ + -maccumulate-outgoing-args \ + -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \ + -DNO_BUILTIN_VA_FUNCS \ + "-DEFI_ARCH=L\"x64\"" \ + "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/x64-$(VERSION)$(RELEASE)/\"" +endif +ifeq ($(ARCH),ia32) + CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \ + -maccumulate-outgoing-args -m32 \ + "-DEFI_ARCH=L\"ia32\"" \ + "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/ia32-$(VERSION)$(RELEASE)/\"" +endif +ifeq ($(ARCH),aarch64) + CFLAGS += "-DEFI_ARCH=L\"aa64\"" \ + "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/aa64-$(VERSION)$(RELEASE)/\"" +endif + +ifneq ($(origin VENDOR_CERT_FILE), undefined) + CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\" +endif +ifneq ($(origin VENDOR_DBX_FILE), undefined) + CFLAGS += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\" +endif + +LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) --build-id=sha1 + +TARGET = shim.efi MokManager.efi.signed fallback.efi.signed +OBJS = shim.o netboot.o cert.o replacements.o tpm.o version.o +KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer +SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h tpm.c tpm.h version.c version.h +MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o +MOK_SOURCES = MokManager.c shim.h include/console.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h +FALLBACK_OBJS = fallback.o +FALLBACK_SRCS = fallback.c + +all: $(TARGET) + +shim.crt: + ./make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null + +shim.cer: shim.crt + openssl x509 -outform der -in $< -out $@ + +shim_cert.h: shim.cer + echo "static UINT8 shim_cert[] = {" > $@ + hexdump -v -e '1/1 "0x%02x, "' $< >> $@ + echo "};" >> $@ + +version.c : version.c.in + sed -e "s,@@VERSION@@,$(VERSION)," \ + -e "s,@@UNAME@@,$(shell uname -a)," \ + -e "s,@@COMMIT@@,$(shell if [ -d .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo commit id not available; fi)," \ + < version.c.in > version.c + +certdb/secmod.db: shim.crt + -mkdir certdb + pk12util -d certdb/ -i shim.p12 -W "" -K "" + certutil -d certdb/ -A -i shim.crt -n shim -t u + +shim.o: $(SOURCES) shim_cert.h +shim.o: $(wildcard *.h) + +cert.o : cert.S + $(CC) $(CFLAGS) -c -o $@ $< + +shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a + $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) + +fallback.o: $(FALLBACK_SRCS) + +fallback.so: $(FALLBACK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a + $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) + +MokManager.o: $(MOK_SOURCES) + +MokManager.so: $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a + $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a + +Cryptlib/libcryptlib.a: + $(MAKE) -C Cryptlib + +Cryptlib/OpenSSL/libopenssl.a: + $(MAKE) -C Cryptlib/OpenSSL + +lib/lib.a: + $(MAKE) CFLAGS="$(CFLAGS)" -C lib + +ifeq ($(ARCH),aarch64) +FORMAT := -O binary +SUBSYSTEM := 0xa +LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM) +endif + +ifeq ($(ARCH),arm) +FORMAT := -O binary +SUBSYSTEM := 0xa +LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM) +endif + +FORMAT ?= --target efi-app-$(ARCH) + +%.efi: %.so +ifneq ($(OBJCOPY_GTE224),1) + $(error objcopy >= 2.24 is required) +endif + $(OBJCOPY) -j .text -j .sdata -j .data \ + -j .dynamic -j .dynsym -j .rel* \ + -j .rela* -j .reloc -j .eh_frame \ + -j .vendor_cert \ + $(FORMAT) $^ $@ + $(OBJCOPY) -j .text -j .sdata -j .data \ + -j .dynamic -j .dynsym -j .rel* \ + -j .rela* -j .reloc -j .eh_frame \ + -j .debug_info -j .debug_abbrev -j .debug_aranges \ + -j .debug_line -j .debug_str -j .debug_ranges \ + -j .note.gnu.build-id \ + $(FORMAT) $^ $@.debug + +%.efi.signed: %.efi certdb/secmod.db + pesign -n certdb -i $< -c "shim" -s -o $@ -f + +clean: + $(MAKE) -C Cryptlib clean + $(MAKE) -C Cryptlib/OpenSSL clean + $(MAKE) -C lib clean + rm -rf $(TARGET) $(OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb + rm -f *.debug *.so *.efi *.tar.* version.c + +GITTAG = $(VERSION) + +test-archive: + @rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp + @mkdir -p /tmp/shim-$(VERSION)-tmp + @git archive --format=tar $(shell git branch | awk '/^*/ { print $$2 }') | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x ) + @git diff | ( cd /tmp/shim-$(VERSION)-tmp/ ; patch -s -p1 -b -z .gitdiff ) + @mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/ + @git log -1 --pretty=format:%H > /tmp/shim-$(VERSION)/commit + @dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION) + @rm -rf /tmp/shim-$(VERSION) + @echo "The archive is in shim-$(VERSION).tar.bz2" + +tag: + git tag --sign $(GITTAG) refs/heads/master + +archive: tag + @rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp + @mkdir -p /tmp/shim-$(VERSION)-tmp + @git archive --format=tar $(GITTAG) | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x ) + @mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/ + @git log -1 --pretty=format:%H > /tmp/shim-$(VERSION)/commit + @dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION) + @rm -rf /tmp/shim-$(VERSION) + @echo "The archive is in shim-$(VERSION).tar.bz2" + +export ARCH CC LD OBJCOPY EFI_INCLUDE diff --git a/Cryptlib/Library/BaseMemoryLib.h b/Cryptlib/Library/BaseMemoryLib.h deleted file mode 100644 index e69de29b..00000000 --- a/Cryptlib/Library/BaseMemoryLib.h +++ /dev/null @@ -25,7 +25,7 @@ EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/ EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o EFI_LDS = elf_$(ARCH)_efi.lds -DEFAULT_LOADER := \\\\grub.efi +DEFAULT_LOADER := \\\\grubx64.efi CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \ -Werror=sign-compare -ffreestanding -std=gnu89 \ @@ -158,8 +158,8 @@ endif -j .note.gnu.build-id \ $(FORMAT) $^ $@.debug -%.efi.signed: %.efi certdb/secmod.db - pesign -n certdb -i $< -c "shim" -s -o $@ -f +%.efi.signed: %.efi shim.crt + sbsign --key shim.key --cert shim.crt $< clean: $(MAKE) -C Cryptlib clean diff --git a/debian/canonical-uefi-ca.der b/debian/canonical-uefi-ca.der Binary files differnew file mode 100644 index 00000000..b4098d9c --- /dev/null +++ b/debian/canonical-uefi-ca.der diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 00000000..90acab33 --- /dev/null +++ b/debian/changelog @@ -0,0 +1,153 @@ +shim (0.9+1465500757.14a5905-0ubuntu1) UNRELEASED; urgency=medium + + * New upstream release. + + [ Matthias Klose ] + * Fix build with GCC 5, forcing -std=gnu89 to not rely on stdint.h + required by efibind.h, and not found with -nostdinc. (LP: #1429978) + + [ Mathieu Trudel-Lapierre ] + * More GCC 5 fixes: stdarg.h and other include tweaks, cherry-pick from + d51739a4. + + -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 26 Jul 2016 12:02:21 -0400 + +shim (0.8-0ubuntu2) wily; urgency=medium + + * No-change rebuild against gnu-efi 3.0v-5ubuntu1. + + -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 12 May 2015 17:48:30 +0000 + +shim (0.8-0ubuntu1) wily; urgency=medium + + * New upstream release. + - Clarify meaning of insecure_mode. (LP: #1384973) + * debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch, + debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included + in the upstream release. + * debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path: + refreshed. + + -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com> Mon, 11 May 2015 19:50:49 -0400 + +shim (0.7-0ubuntu4) utopic; urgency=medium + + * SECURITY UPDATE: heap overflow and out-of-bounds read access when + parsing DHCPv6 information + - debian/patches/CVE-2014-3675.patch: apply proper bounds checking + when parsing data provided in DHCPv6 packets. + - CVE-2014-3675 + - CVE-2014-3676 + * SECURITY UPDATE: memory corruption when processing user-provided key + lists + - debian/patches/CVE-2014-3677.patch: detect malformed machine owner + key (MOK) lists and ignore them, avoiding possible memory corruption. + - CVE-2014-3677 + + -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 08 Oct 2014 06:40:40 +0000 + +shim (0.7-0ubuntu2) utopic; urgency=medium + + * Restore debian/patches/prototypes, which still is needed on shim 0.7 + but only detected on the buildds. + * Update debian/patches/prototypes with some new declarations needed for + openssl 0.9.8za update. + + -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 16:20:08 -0700 + +shim (0.7-0ubuntu1) utopic; urgency=medium + + * New upstream release. + - fix spurious error message when fallback.efi is not present, as will + always be the case for removable media. LP: #1297069. + - drop most patches, included upstream. + * debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick + openssl 0.9.8za in via upstream. + + -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 05:40:41 +0000 + +shim (0.4-0ubuntu5) utopic; urgency=low + + * Install fallback.efi.signed as well, to lay the groundwork for fallback + handling (wanted when we have to move a drive between machines, or when + the firmware loses its marbles^W nvram). + + -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 04 Aug 2014 12:11:13 +0200 + +shim (0.4-0ubuntu4) saucy; urgency=low + + * debian/patches/fix-tftp-prototype: pass the right arguments to + EFI_PXE_BASE_CODE_TFTP_READ_FILE. + * debian/patches/build-with-Werror: Build with -Werror to catch future + prototype mismatches. + * debian/patches/fix-compiler-warnings: Fix remaining compiler + warnings in netboot.c. + * debian/patches/tftp-proper-nul-termination: fix nul termination + errors in filenames passed to tftp. + * debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to + the netboot code. + + -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 23 Sep 2013 00:30:00 -0700 + +shim (0.4-0ubuntu3) saucy; urgency=low + + [ Steve Langasek ] + * Install MokManager.efi.signed in the package. + * debian/patches/no-output-by-default.patch: Don't print any + informational messages. Closes LP: #1074302. + + [ Stéphane Graber ] + * debian/patches/no-print-on-unsigned: Don't print an error message when + validating an unsigned binary as that tends to hang Lenovo machines. + (LP: #1087501) + + -- Stéphane Graber <stgraber@ubuntu.com> Thu, 08 Aug 2013 17:12:12 +0200 + +shim (0.4-0ubuntu2) saucy; urgency=low + + * Add missing build-dependency on openssl. + + -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 20:30:43 +0000 + +shim (0.4-0ubuntu1) saucy; urgency=low + + * New upstream release. + * Drop debian/patches/shim-before-loadimage; upstream has changed this to + not call loadimage at all. + * debian/patches/sbsigntool-not-pesign: Sign MokManager with + sbsigntool instead of pesign. + * Add a versioned build-dependency on gnu-efi. + + -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 12:53:24 -0700 + +shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low + + * debian/patches/shim-before-loadimage: Use direct verification first + before LoadImage. Addresses an issue where Lenovo's SecureBoot + implementation pops an error message on any verification failure - avoid + calling LoadImage at all unless we have to. + + -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 10 Oct 2012 15:28:40 -0700 + +shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low + + * debian/patches/second-stage-path: Chainload grubx64.efi, not + grub.efi. + + -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 05 Oct 2012 11:20:58 -0700 + +shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low + + * debian/patches/prototypes: Include missing prototypes, and disable + use of BIO_new_file. + * Only build the package for amd64; we're not signing an i386 shim at this + stage so there's no point in building it. + + -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 17:47:04 +0000 + +shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low + + * Initial release. + * Include the Canonical Secure Boot master CA. + + -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 00:01:06 -0700 diff --git a/debian/compat b/debian/compat new file mode 100644 index 00000000..ec635144 --- /dev/null +++ b/debian/compat @@ -0,0 +1 @@ +9 diff --git a/debian/control b/debian/control new file mode 100644 index 00000000..0f71c7f7 --- /dev/null +++ b/debian/control @@ -0,0 +1,18 @@ +Source: shim +Section: admin +Priority: optional +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Steve Langasek <vorlon@debian.org> +Standards-Version: 3.9.3 +Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl +Vcs-Bzr: lp:ubuntu/shim + +Package: shim +Architecture: amd64 +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: boot loader to chain-load signed boot loaders under Secure Boot + This package provides a minimalist boot loader which allows verifying + signatures of other UEFI binaries against either the Secure Boot DB/DBX or + against a built-in signature database. Its purpose is to allow a small, + infrequently-changing binary to be signed by the UEFI CA, while allowing + an OS distributor to revision their main bootloader independently of the CA. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 00000000..d9f12756 --- /dev/null +++ b/debian/copyright @@ -0,0 +1,33 @@ +Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: shim +Upstream-Contact: Matthew Garrett <mjg@redhat.com> +Source: https://github.com/mjg59/shim.git + +Files: * +Copyright: 2012 Red Hat, Inc + 2009-2012 Intel Corporation +License: BSD-2-Clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + . + Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + . + Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the + distribution. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/debian/patches/gcc-5.diff b/debian/patches/gcc-5.diff new file mode 100644 index 00000000..e706c3ab --- /dev/null +++ b/debian/patches/gcc-5.diff @@ -0,0 +1,45 @@ +--- + Cryptlib/Makefile | 2 +- + Cryptlib/OpenSSL/Makefile | 2 +- + Makefile | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +Index: b/Makefile +=================================================================== +--- a/Makefile ++++ b/Makefile +@@ -19,7 +19,7 @@ EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(A + EFI_LDS = elf_$(ARCH)_efi.lds + + DEFAULT_LOADER := \\\\grubx64.efi +-CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ ++CFLAGS = -std=gnu89 -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ + -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \ + -Werror=sign-compare \ + "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \ +Index: b/Cryptlib/Makefile +=================================================================== +--- a/Cryptlib/Makefile ++++ b/Cryptlib/Makefile +@@ -1,7 +1,7 @@ + + EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol + +-CFLAGS = -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \ ++CFLAGS = -std=gnu89 -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \ + -Wall $(EFI_INCLUDES) + + ifeq ($(ARCH),x86_64) +Index: b/Cryptlib/OpenSSL/Makefile +=================================================================== +--- a/Cryptlib/OpenSSL/Makefile ++++ b/Cryptlib/OpenSSL/Makefile +@@ -1,7 +1,7 @@ + + EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol + +-CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \ ++CFLAGS = -std=gnu89 -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \ + -Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC + + ifeq ($(ARCH),x86_64) diff --git a/debian/patches/gcc5-includes-stdarg.patch b/debian/patches/gcc5-includes-stdarg.patch new file mode 100644 index 00000000..57cf4a8e --- /dev/null +++ b/debian/patches/gcc5-includes-stdarg.patch @@ -0,0 +1,129 @@ +From d51739a416400ad348d8a1c7e3886abce11fff1b Mon Sep 17 00:00:00 2001 +From: Peter Jones <pjones@redhat.com> +Date: Tue, 7 Apr 2015 11:59:25 -0400 +Subject: [PATCH] gcc 5.0 changes some include bits, so copy what arm does on + x86. + +Basically they messed around with stdarg some and now we need to do it +the other way. + +Signed-off-by: Peter Jones <pjones@redhat.com> +--- + Cryptlib/Include/OpenSslSupport.h | 4 +++- + Cryptlib/Makefile | 3 ++- + Cryptlib/OpenSSL/Makefile | 5 +++-- + Makefile | 17 ++++++----------- + MokManager.c | 1 + + 5 files changed, 15 insertions(+), 15 deletions(-) + +Index: b/Cryptlib/Include/OpenSslSupport.h +=================================================================== +--- a/Cryptlib/Include/OpenSslSupport.h ++++ b/Cryptlib/Include/OpenSslSupport.h +@@ -34,7 +34,7 @@ typedef VOID *FILE; + //
+ // Map all va_xxxx elements to VA_xxx defined in MdePkg/Include/Base.h
+ //
+-#if !defined(__CC_ARM) // if va_list is not already defined
++#if !defined(__CC_ARM) || defined(_STDARG_H) // if va_list is not already defined
+ /*
+ * These are now unconditionally #defined by GNU_EFI's efistdarg.h,
+ * so we should #undef them here before providing a new definition.
+@@ -94,7 +94,9 @@ typedef __builtin_va_list VA_LIST; + portably, hence it is provided by a Standard C header file.
+ For pre-Standard C compilers, here is a version that usually works
+ (but watch out!): */
++#ifndef offsetof
+ #define offsetof(type, member) ( (int) & ((type*)0) -> member )
++#endif
+
+ //
+ // Basic types from EFI Application Toolkit required to buiild Open SSL
+Index: b/Cryptlib/Makefile +=================================================================== +--- a/Cryptlib/Makefile ++++ b/Cryptlib/Makefile +@@ -2,7 +2,8 @@ + EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol + + CFLAGS = -std=gnu89 -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \ +- -Wall $(EFI_INCLUDES) ++ -Wall $(EFI_INCLUDES) \ ++ -ffreestanding -I$(shell $(CC) -print-file-name=include) + + ifeq ($(ARCH),x86_64) + CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \ +Index: b/Cryptlib/OpenSSL/Makefile +=================================================================== +--- a/Cryptlib/OpenSSL/Makefile ++++ b/Cryptlib/OpenSSL/Makefile +@@ -2,6 +2,7 @@ + EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol + + CFLAGS = -std=gnu89 -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \ ++ -ffreestanding -I$(shell $(CC) -print-file-name=include) \ + -Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC + + ifeq ($(ARCH),x86_64) +@@ -13,10 +14,10 @@ ifeq ($(ARCH),ia32) + -m32 -DTHIRTY_TWO_BIT + endif + ifeq ($(ARCH),aarch64) +- CFLAGS += -O2 -DSIXTY_FOUR_BIT_LONG -ffreestanding -I$(shell $(CC) -print-file-name=include) ++ CFLAGS += -O2 -DSIXTY_FOUR_BIT_LONG + endif + ifeq ($(ARCH),arm) +- CFLAGS += -O2 -DTHIRTY_TWO_BIT -ffreestanding -I$(shell $(CC) -print-file-name=include) ++ CFLAGS += -O2 -DTHIRTY_TWO_BIT + endif + LDFLAGS = -nostdlib -znocombreloc + +Index: b/Makefile +=================================================================== +--- a/Makefile ++++ b/Makefile +@@ -21,7 +21,8 @@ EFI_LDS = elf_$(ARCH)_efi.lds + DEFAULT_LOADER := \\\\grubx64.efi + CFLAGS = -std=gnu89 -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ + -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \ +- -Werror=sign-compare \ ++ -Werror=sign-compare -ffreestanding \ ++ -I$(shell $(CC) -print-file-name=include) \ + "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \ + "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \ + $(EFI_INCLUDES) +@@ -31,19 +32,13 @@ ifneq ($(origin OVERRIDE_SECURITY_POLICY + endif + + ifeq ($(ARCH),x86_64) +- CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \ ++ CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \ ++ -maccumulate-outgoing-args \ + -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI + endif + ifeq ($(ARCH),ia32) +- CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -m32 +-endif +- +-ifeq ($(ARCH),aarch64) +- CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include) +-endif +- +-ifeq ($(ARCH),arm) +- CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include) ++ CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \ ++ -maccumulate-outgoing-args -m32 + endif + + ifneq ($(origin VENDOR_CERT_FILE), undefined) +Index: b/MokManager.c +=================================================================== +--- a/MokManager.c ++++ b/MokManager.c +@@ -1,5 +1,6 @@ + #include <efi.h> + #include <efilib.h> ++#include <stdarg.h> + #include <Library/BaseCryptLib.h> + #include <openssl/x509.h> + #include "shim.h" diff --git a/debian/patches/prototypes b/debian/patches/prototypes new file mode 100644 index 00000000..7191e102 --- /dev/null +++ b/debian/patches/prototypes @@ -0,0 +1,191 @@ +Description: Include missing prototypes, and disable use of BIO_new_file + Pull in missing prototypes for functions that are not yet upstream in + gnu-efi, and #ifdef out references to BIO_new_file(), BIO_new_fp(), and + X509_load_{cert,crl}_file since the prototypes are themselves #ifdef'ed + out. + . + Without these prototypes, we get implicit conversions on amd64, which + are sensibly treated as a build failure by Launchpad. +Author: Steve Langasek <steve.langasek@ubuntu.com> + +Index: shim/Cryptlib/Library/BaseMemoryLib.h +=================================================================== +--- /dev/null ++++ shim/Cryptlib/Library/BaseMemoryLib.h +@@ -0,0 +1,41 @@ ++#ifndef __BASE_MEMORY_LIB__ ++#define __BASE_MEMORY_LIB__ ++ ++CHAR8 * ++ScanMem8 ( ++ IN CHAR8 *Buffer, ++ IN UINTN Size, ++ IN CHAR8 Value ++ ); ++ ++UINT32 ++WriteUnaligned32( ++ UINT32 *Buffer, ++ UINT32 Value ++ ); ++ ++CHAR8 * ++AsciiStrCat( ++ CHAR8 *Destination, ++ CHAR8 *Source ++ ); ++ ++CHAR8 * ++AsciiStrCpy( ++ CHAR8 *Destination, ++ CHAR8 *Source ++ ); ++ ++CHAR8 * ++AsciiStrnCpy( ++ CHAR8 *Destination, ++ CHAR8 *Source, ++ UINTN count ++ ); ++ ++UINTN ++AsciiStrSize( ++ CHAR8 *string ++ ); ++ ++#endif +Index: shim/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c +=================================================================== +--- shim.orig/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c ++++ shim/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c +@@ -157,6 +157,7 @@ + } + OPENSSL_free(tmp_data2); + } ++#ifndef OPENSSL_NO_STDIO + else if (strncmp(val->value, "file:", 5) == 0) + { + unsigned char buf[2048]; +@@ -194,6 +195,7 @@ + goto err; + } + } ++#endif + else if (strncmp(val->value, "text:", 5) == 0) + { + val_len = strlen(val->value + 5); +Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_def.c +=================================================================== +--- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_def.c ++++ shim/Cryptlib/OpenSSL/crypto/conf/conf_def.c +@@ -186,11 +186,13 @@ + int ret; + BIO *in=NULL; + ++#ifndef OPENSSL_NO_STDIO + #ifdef OPENSSL_SYS_VMS + in=BIO_new_file(name, "r"); + #else + in=BIO_new_file(name, "rb"); + #endif ++#endif + if (in == NULL) + { + if (ERR_GET_REASON(ERR_peek_last_error()) == BIO_R_NO_SUCH_FILE) +Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_lib.c +=================================================================== +--- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_lib.c ++++ shim/Cryptlib/OpenSSL/crypto/conf/conf_lib.c +@@ -92,11 +92,13 @@ + LHASH *ltmp; + BIO *in=NULL; + ++#ifndef OPENSSL_NO_STDIO + #ifdef OPENSSL_SYS_VMS + in=BIO_new_file(file, "r"); + #else + in=BIO_new_file(file, "rb"); + #endif ++#endif + if (in == NULL) + { + CONFerr(CONF_F_CONF_LOAD,ERR_R_SYS_LIB); +Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_sap.c +=================================================================== +--- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_sap.c ++++ shim/Cryptlib/OpenSSL/crypto/conf/conf_sap.c +@@ -93,12 +93,14 @@ + { + BIO *bio_err; + ERR_load_crypto_strings(); ++#ifndef OPENSSL_NO_STDIO + if ((bio_err=BIO_new_fp(stderr, BIO_NOCLOSE)) != NULL) + { + BIO_printf(bio_err,"Auto configuration failed\n"); + ERR_print_errors(bio_err); + BIO_free(bio_err); + } ++#endif + exit(1); + } + +Index: shim/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c +=================================================================== +--- shim.orig/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c ++++ shim/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c +@@ -374,11 +374,15 @@ + BIO *in; + EVP_PKEY *key; + fprintf(stderr, "(TEST_ENG_OPENSSL_PKEY)Loading Private key %s\n", key_id); ++#ifndef OPENSSL_NO_STDIO + in = BIO_new_file(key_id, "r"); + if (!in) + return NULL; + key = PEM_read_bio_PrivateKey(in, NULL, 0, NULL); + BIO_free(in); ++#else ++ return NULL; ++#endif + return key; + } + #endif +Index: shim/Cryptlib/OpenSSL/crypto/x509/by_dir.c +=================================================================== +--- shim.orig/Cryptlib/OpenSSL/crypto/x509/by_dir.c ++++ shim/Cryptlib/OpenSSL/crypto/x509/by_dir.c +@@ -92,8 +92,10 @@ + static int new_dir(X509_LOOKUP *lu); + static void free_dir(X509_LOOKUP *lu); + static int add_cert_dir(BY_DIR *ctx,const char *dir,int type); ++#ifndef OPENSSL_NO_STDIO + static int get_cert_by_subject(X509_LOOKUP *xl,int type,X509_NAME *name, + X509_OBJECT *ret); ++#endif + X509_LOOKUP_METHOD x509_dir_lookup= + { + "Load certs from files in a directory", +@@ -102,7 +104,11 @@ + NULL, /* init */ + NULL, /* shutdown */ + dir_ctrl, /* ctrl */ ++#ifdef OPENSSL_NO_STDIO ++ NULL, /* get_by_subject */ ++#else + get_cert_by_subject, /* get_by_subject */ ++#endif + NULL, /* get_by_issuer_serial */ + NULL, /* get_by_fingerprint */ + NULL, /* get_by_alias */ +@@ -242,6 +248,7 @@ + return(1); + } + ++#ifndef OPENSSL_NO_STDIO + static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name, + X509_OBJECT *ret) + { +@@ -383,3 +390,4 @@ + if (b != NULL) BUF_MEM_free(b); + return(ok); + } ++#endif diff --git a/debian/patches/sbsigntool-not-pesign b/debian/patches/sbsigntool-not-pesign new file mode 100644 index 00000000..c91a6475 --- /dev/null +++ b/debian/patches/sbsigntool-not-pesign @@ -0,0 +1,26 @@ +Description: Sign MokManager with sbsigntool instead of pesign + Ubuntu infrastructure uses sbsigntool for all other EFI signing, so we use + the same thing for signing MokManager with our ephemeral key. This also + avoids an additional build dependency on libnss3-tools. +Author: Steve Langasek <steve.langasek@canonical.com> +Forwarded: not-needed + +--- + Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +Index: b/Makefile +=================================================================== +--- a/Makefile ++++ b/Makefile +@@ -144,8 +144,8 @@ FORMAT ?= --target efi-app-$(ARCH) + -j .debug_line -j .debug_str -j .debug_ranges \ + $(FORMAT) $^ $@.debug + +-%.efi.signed: %.efi certdb/secmod.db +- pesign -n certdb -i $< -c "shim" -s -o $@ -f ++%.efi.signed: %.efi shim.crt ++ sbsign --key shim.key --cert shim.crt $< + + clean: + $(MAKE) -C Cryptlib clean diff --git a/debian/patches/second-stage-path b/debian/patches/second-stage-path new file mode 100644 index 00000000..fef139c9 --- /dev/null +++ b/debian/patches/second-stage-path @@ -0,0 +1,24 @@ +Description: Chainload grubx64.efi, not grub.efi + We qualify the second stage bootloader image with the architecture name, + so we're forwards-compatible with any future 32-bit implementations. + (Non-SB grub doesn't conflict, since the image will be named bootia32.efi + anyway, not grub.efi.) +Author: Steve Langasek <steve.langasek@ubuntu.com> + +--- + Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: b/Makefile +=================================================================== +--- a/Makefile ++++ b/Makefile +@@ -18,7 +18,7 @@ EFI_LIBS = -lefi -lgnuefi --start-group + EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o + EFI_LDS = elf_$(ARCH)_efi.lds + +-DEFAULT_LOADER := \\\\grub.efi ++DEFAULT_LOADER := \\\\grubx64.efi + CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ + -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \ + -Werror=sign-compare \ diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 00000000..a5f3392d --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,2 @@ +second-stage-path +sbsigntool-not-pesign diff --git a/debian/rules b/debian/rules new file mode 100755 index 00000000..28523b56 --- /dev/null +++ b/debian/rules @@ -0,0 +1,7 @@ +#!/usr/bin/make -f + +%: + dh $@ + +override_dh_auto_build: + dh_auto_build -- EFI_PATH=/usr/lib VENDOR_CERT_FILE=debian/canonical-uefi-ca.der diff --git a/debian/shim.install b/debian/shim.install new file mode 100644 index 00000000..97d99c43 --- /dev/null +++ b/debian/shim.install @@ -0,0 +1,3 @@ +shim.efi /usr/lib/shim +MokManager.efi.signed /usr/lib/shim +fallback.efi.signed /usr/lib/shim diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 00000000..163aaf8d --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/debian/source/include-binaries b/debian/source/include-binaries new file mode 100644 index 00000000..5be73be9 --- /dev/null +++ b/debian/source/include-binaries @@ -0,0 +1 @@ +debian/canonical-uefi-ca.der |