Diffstat (limited to 'debian/patches')
-rw-r--r-- | debian/patches/gcc-5.diff | 45 | ||||
-rw-r--r-- | debian/patches/gcc5-includes-stdarg.patch | 129 | ||||
-rw-r--r-- | debian/patches/prototypes | 191 | ||||
-rw-r--r-- | debian/patches/sbsigntool-not-pesign | 26 | ||||
-rw-r--r-- | debian/patches/second-stage-path | 24 | ||||
-rw-r--r-- | debian/patches/series | 2 |
6 files changed, 417 insertions, 0 deletions
diff --git a/debian/patches/gcc-5.diff b/debian/patches/gcc-5.diff
new file mode 100644
index 00000000..e706c3ab
--- /dev/null
+++ b/debian/patches/gcc-5.diff
@@ -0,0 +1,45 @@
+---
+ Cryptlib/Makefile | 2 +-
+ Cryptlib/OpenSSL/Makefile | 2 +-
+ Makefile | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+Index: b/Makefile
+===================================================================
+--- a/Makefile
++++ b/Makefile
+@@ -19,7 +19,7 @@ EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(A
+ EFI_LDS = elf_$(ARCH)_efi.lds
+
+ DEFAULT_LOADER := \\\\grubx64.efi
+-CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
++CFLAGS = -std=gnu89 -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
+ -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
+ -Werror=sign-compare \
+ "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
+Index: b/Cryptlib/Makefile
+===================================================================
+--- a/Cryptlib/Makefile
++++ b/Cryptlib/Makefile
+@@ -1,7 +1,7 @@
+
+ EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
+
+-CFLAGS = -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
++CFLAGS = -std=gnu89 -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
+ -Wall $(EFI_INCLUDES)
+
+ ifeq ($(ARCH),x86_64)
+Index: b/Cryptlib/OpenSSL/Makefile
+===================================================================
+--- a/Cryptlib/OpenSSL/Makefile
++++ b/Cryptlib/OpenSSL/Makefile
+@@ -1,7 +1,7 @@
+
+ EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
+
+-CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \
++CFLAGS = -std=gnu89 -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \
+ -Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC
+
+ ifeq ($(ARCH),x86_64)
diff --git a/debian/patches/gcc5-includes-stdarg.patch b/debian/patches/gcc5-includes-stdarg.patch
new file mode 100644
index 00000000..57cf4a8e
--- /dev/null
+++ b/debian/patches/gcc5-includes-stdarg.patch
@@ -0,0 +1,129 @@
+From d51739a416400ad348d8a1c7e3886abce11fff1b Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 7 Apr 2015 11:59:25 -0400
+Subject: [PATCH] gcc 5.0 changes some include bits, so copy what arm does on
+ x86.
+
+Basically they messed around with stdarg some and now we need to do it
+the other way.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ Cryptlib/Include/OpenSslSupport.h | 4 +++-
+ Cryptlib/Makefile | 3 ++-
+ Cryptlib/OpenSSL/Makefile | 5 +++--
+ Makefile | 17 ++++++-----------
+ MokManager.c | 1 +
+ 5 files changed, 15 insertions(+), 15 deletions(-)
+
+Index: b/Cryptlib/Include/OpenSslSupport.h
+===================================================================
+--- a/Cryptlib/Include/OpenSslSupport.h
++++ b/Cryptlib/Include/OpenSslSupport.h
+@@ -34,7 +34,7 @@ typedef VOID *FILE;
+ //
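Review bot: gcc-5.diff begins directly at the `---` diffstat with no Description, Author or Forwarded header, unlike prototypes, sbsigntool-not-pesign and second-stage-path in this same commit, so nothing records why `-std=gnu89` is prepended to the three `CFLAGS =` lines. The file name suggests a workaround for GCC 5's changed default C dialect, but that is inferred rather than stated. A header along the lines of `Description: Pin the C dialect to gnu89 so the build does not depend on the compiler default` plus a `Forwarded:` field would make the intent and upstream status reviewable.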
+ // Map all va_xxxx elements to VA_xxx defined in MdePkg/Include/Base.h
+ //
+-#if !defined(__CC_ARM) // if va_list is not already defined
++#if !defined(__CC_ARM) || defined(_STDARG_H) // if va_list is not already defined
+ /*
+ * These are now unconditionally #defined by GNU_EFI's efistdarg.h,
+ * so we should #undef them here before providing a new definition.
+@@ -94,7 +94,9 @@ typedef __builtin_va_list VA_LIST;
+ portably, hence it is provided by a Standard C header file.
+ For pre-Standard C compilers, here is a version that usually works
+ (but watch out!): */
++#ifndef offsetof
+ #define offsetof(type, member) ( (int) & ((type*)0) -> member )
++#endif
+
+ //
+ // Basic types from EFI Application Toolkit required to buiild Open SSL
+Index: b/Cryptlib/Makefile
+===================================================================
+--- a/Cryptlib/Makefile
++++ b/Cryptlib/Makefile
+@@ -2,7 +2,8 @@
+ EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
+
+ CFLAGS = -std=gnu89 -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
+- -Wall $(EFI_INCLUDES)
++ -Wall $(EFI_INCLUDES) \
++ -ffreestanding -I$(shell $(CC) -print-file-name=include)
+
+ ifeq ($(ARCH),x86_64)
+ CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \
+Index: b/Cryptlib/OpenSSL/Makefile
+===================================================================
+--- a/Cryptlib/OpenSSL/Makefile
++++ b/Cryptlib/OpenSSL/Makefile
+@@ -2,6 +2,7 @@
+ EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
+
+ CFLAGS = -std=gnu89 -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \
++ -ffreestanding -I$(shell $(CC) -print-file-name=include) \
+ -Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC
+
+ ifeq ($(ARCH),x86_64)
+@@ -13,10 +14,10 @@ ifeq ($(ARCH),ia32)
+ -m32 -DTHIRTY_TWO_BIT
+ endif
+ ifeq ($(ARCH),aarch64)
+- CFLAGS += -O2 -DSIXTY_FOUR_BIT_LONG -ffreestanding -I$(shell $(CC) -print-file-name=include)
++ CFLAGS += -O2 -DSIXTY_FOUR_BIT_LONG
+ endif
+ ifeq ($(ARCH),arm)
+- CFLAGS += -O2 -DTHIRTY_TWO_BIT -ffreestanding -I$(shell $(CC) -print-file-name=include)
++ CFLAGS += -O2 -DTHIRTY_TWO_BIT
+ endif
+ LDFLAGS = -nostdlib -znocombreloc
+
+Index: b/Makefile
+===================================================================
+--- a/Makefile
++++ b/Makefile
+@@ -21,7 +21,8 @@ EFI_LDS = elf_$(ARCH)_efi.lds
+ DEFAULT_LOADER := \\\\grubx64.efi
+ CFLAGS = -std=gnu89 -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
+ -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
+- -Werror=sign-compare \
++ -Werror=sign-compare -ffreestanding \
++ -I$(shell $(CC) -print-file-name=include) \
+ "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
+ "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
+ $(EFI_INCLUDES)
+@@ -31,19 +32,13 @@ ifneq ($(origin OVERRIDE_SECURITY_POLICY
+ endif
+
+ ifeq ($(ARCH),x86_64)
+- CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \
++ CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
++ -maccumulate-outgoing-args \
+ -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI
+ endif
+ ifeq ($(ARCH),ia32)
+- CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -m32
+-endif
+-
+-ifeq ($(ARCH),aarch64)
+- CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include)
+-endif
+-
+-ifeq ($(ARCH),arm)
+- CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include)
++ CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
++ -maccumulate-outgoing-args -m32
+ endif
+
+ ifneq ($(origin VENDOR_CERT_FILE), undefined)
+Index: b/MokManager.c
+===================================================================
+--- a/MokManager.c
++++ b/MokManager.c
+@@ -1,5 +1,6 @@
+ #include <efi.h>
+ #include <efilib.h>
++#include <stdarg.h>
+ #include <Library/BaseCryptLib.h>
+ #include <openssl/x509.h>
+ #include "shim.h"
diff --git a/debian/patches/prototypes b/debian/patches/prototypes
new file mode 100644
index 00000000..7191e102
--- /dev/null
+++ b/debian/patches/prototypes
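Review bot: The `-I$(shell $(CC) -print-file-name=include)` term now added to all three `CFLAGS =` assignments takes the compiler's answer unchecked, and because `CFLAGS` is recursively expanded the compiler is spawned again at every expansion. GCC echoes the bare word `include` when it cannot resolve that name, which would turn the flag into `-Iinclude` and let a relative directory supply headers next to `-nostdinc`; for a boot component that gets signed, the header search path is worth pinning down. Resolving it once with `CC_INCLUDE := $(shell $(CC) -print-file-name=include)`, rejecting a non-absolute result with `$(error ...)`, and then using `-I$(CC_INCLUDE)` covers both concerns. Separately, `defined(_STDARG_H)` in OpenSslSupport.h keys on a compiler-private include guard, so a one-line comment naming the toolchain it was checked against would help the next person who changes compilers.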
@@ -0,0 +1,191 @@
+Description: Include missing prototypes, and disable use of BIO_new_file
+ Pull in missing prototypes for functions that are not yet upstream in
+ gnu-efi, and #ifdef out references to BIO_new_file(), BIO_new_fp(), and
+ X509_load_{cert,crl}_file since the prototypes are themselves #ifdef'ed
+ out.
+ .
+ Without these prototypes, we get implicit conversions on amd64, which
+ are sensibly treated as a build failure by Launchpad.
+Author: Steve Langasek <steve.langasek@ubuntu.com>
+
+Index: shim/Cryptlib/Library/BaseMemoryLib.h
+===================================================================
+--- /dev/null
++++ shim/Cryptlib/Library/BaseMemoryLib.h
+@@ -0,0 +1,41 @@
++#ifndef __BASE_MEMORY_LIB__
++#define __BASE_MEMORY_LIB__
++
++CHAR8 *
++ScanMem8 (
++ IN CHAR8 *Buffer,
++ IN UINTN Size,
++ IN CHAR8 Value
++ );
++
++UINT32
++WriteUnaligned32(
++ UINT32 *Buffer,
++ UINT32 Value
++ );
++
++CHAR8 *
++AsciiStrCat(
++ CHAR8 *Destination,
++ CHAR8 *Source
++ );
++
++CHAR8 *
++AsciiStrCpy(
++ CHAR8 *Destination,
++ CHAR8 *Source
++ );
++
++CHAR8 *
++AsciiStrnCpy(
++ CHAR8 *Destination,
++ CHAR8 *Source,
++ UINTN count
++ );
++
++UINTN
++AsciiStrSize(
++ CHAR8 *string
++ );
++
++#endif
+Index: shim/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c
+===================================================================
+--- shim.orig/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c
++++ shim/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c
+@@ -157,6 +157,7 @@
+ }
+ OPENSSL_free(tmp_data2);
+ }
++#ifndef OPENSSL_NO_STDIO
+ else if (strncmp(val->value, "file:", 5) == 0)
+ {
+ unsigned char buf[2048];
+@@ -194,6 +195,7 @@
+ goto err;
+ }
+ }
++#endif
+ else if (strncmp(val->value, "text:", 5) == 0)
+ {
+ val_len = strlen(val->value + 5);
+Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_def.c
+===================================================================
+--- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_def.c
++++ shim/Cryptlib/OpenSSL/crypto/conf/conf_def.c
+@@ -186,11 +186,13 @@
+ int ret;
+ BIO *in=NULL;
+
++#ifndef OPENSSL_NO_STDIO
+ #ifdef OPENSSL_SYS_VMS
+ in=BIO_new_file(name, "r");
+ #else
+ in=BIO_new_file(name, "rb");
+ #endif
++#endif
+ if (in == NULL)
+ {
+ if (ERR_GET_REASON(ERR_peek_last_error()) == BIO_R_NO_SUCH_FILE)
+Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_lib.c
+===================================================================
+--- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_lib.c
++++ shim/Cryptlib/OpenSSL/crypto/conf/conf_lib.c
+@@ -92,11 +92,13 @@
+ LHASH *ltmp;
+ BIO *in=NULL;
+
++#ifndef OPENSSL_NO_STDIO
+ #ifdef OPENSSL_SYS_VMS
+ in=BIO_new_file(file, "r");
+ #else
+ in=BIO_new_file(file, "rb");
+ #endif
++#endif
+ if (in == NULL)
+ {
+ CONFerr(CONF_F_CONF_LOAD,ERR_R_SYS_LIB);
+Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_sap.c
+===================================================================
+--- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_sap.c
++++ shim/Cryptlib/OpenSSL/crypto/conf/conf_sap.c
+@@ -93,12 +93,14 @@
+ {
+ BIO *bio_err;
+ ERR_load_crypto_strings();
++#ifndef OPENSSL_NO_STDIO
+ if ((bio_err=BIO_new_fp(stderr, BIO_NOCLOSE)) != NULL)
+ {
+ BIO_printf(bio_err,"Auto configuration failed\n");
+ ERR_print_errors(bio_err);
+ BIO_free(bio_err);
+ }
++#endif
+ exit(1);
+ }
+
+Index: shim/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c
+===================================================================
+--- shim.orig/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c
++++ shim/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c
+@@ -374,11 +374,15 @@
+ BIO *in;
+ EVP_PKEY *key;
+ fprintf(stderr, "(TEST_ENG_OPENSSL_PKEY)Loading Private key %s\n", key_id);
++#ifndef OPENSSL_NO_STDIO
+ in = BIO_new_file(key_id, "r");
+ if (!in)
+ return NULL;
+ key = PEM_read_bio_PrivateKey(in, NULL, 0, NULL);
+ BIO_free(in);
++#else
++ return NULL;
++#endif
+ return key;
+ }
+ #endif
+Index: shim/Cryptlib/OpenSSL/crypto/x509/by_dir.c
+===================================================================
+--- shim.orig/Cryptlib/OpenSSL/crypto/x509/by_dir.c
++++ shim/Cryptlib/OpenSSL/crypto/x509/by_dir.c
+@@ -92,8 +92,10 @@
+ static int new_dir(X509_LOOKUP *lu);
+ static void free_dir(X509_LOOKUP *lu);
+ static int add_cert_dir(BY_DIR *ctx,const char *dir,int type);
++#ifndef OPENSSL_NO_STDIO
+ static int get_cert_by_subject(X509_LOOKUP *xl,int type,X509_NAME *name,
+ X509_OBJECT *ret);
++#endif
+ X509_LOOKUP_METHOD x509_dir_lookup=
+ {
+ "Load certs from files in a directory",
+@@ -102,7 +104,11 @@
+ NULL, /* init */
+ NULL, /* shutdown */
+ dir_ctrl, /* ctrl */
++#ifdef OPENSSL_NO_STDIO
++ NULL, /* get_by_subject */
++#else
+ get_cert_by_subject, /* get_by_subject */
++#endif
+ NULL, /* get_by_issuer_serial */
+ NULL, /* get_by_fingerprint */
+ NULL, /* get_by_alias */
+@@ -242,6 +248,7 @@
+ return(1);
+ }
+
++#ifndef OPENSSL_NO_STDIO
+ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
+ X509_OBJECT *ret)
+ {
+@@ -383,3 +390,4 @@
+ if (b != NULL) BUF_MEM_free(b);
+ return(ok);
+ }
++#endif
diff --git a/debian/patches/sbsigntool-not-pesign b/debian/patches/sbsigntool-not-pesign
new file mode 100644
index 00000000..9629cb12
--- /dev/null
+++ b/debian/patches/sbsigntool-not-pesign
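Review bot: In conf_def.c the new `#ifndef OPENSSL_NO_STDIO` guard leaves `in` at NULL, and the unchanged branch right after it still tests `ERR_GET_REASON(ERR_peek_last_error()) == BIO_R_NO_SUCH_FILE` although no BIO call ran, so which error gets reported depends on whatever an earlier operation left on the error queue. conf_lib.c has the same guard but raises a fixed error, so only conf_def.c is affected. An `#else` arm that records a definite failure before the `if (in == NULL)` check would make the no-stdio build deterministic; the function continues outside the hunk, so the right error code has to be chosen there. Separately, BaseMemoryLib.h hand-declares `AsciiStrCpy` and `AsciiStrCat`, which carry no length argument, and deserves a header comment saying that these prototypes must match the Cryptlib definitions and that callers own the destination size.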
@@ -0,0 +1,26 @@
+Description: Sign MokManager with sbsigntool instead of pesign
+ Ubuntu infrastructure uses sbsigntool for all other EFI signing, so we use
+ the same thing for signing MokManager with our ephemeral key. This also
+ avoids an additional build dependency on libnss3-tools.
+Author: Steve Langasek <steve.langasek@canonical.com>
+Forwarded: not-needed
+
+---
+ Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: b/Makefile
+===================================================================
+--- a/Makefile
++++ b/Makefile
+@@ -158,8 +158,8 @@ endif
+ -j .note.gnu.build-id \
+ $(FORMAT) $^ $@.debug
+
+-%.efi.signed: %.efi certdb/secmod.db
+- pesign -n certdb -i $< -c "shim" -s -o $@ -f
++%.efi.signed: %.efi shim.crt
++ sbsign --key shim.key --cert shim.crt $<
+
+ clean:
+ $(MAKE) -C Cryptlib clean
diff --git a/debian/patches/second-stage-path b/debian/patches/second-stage-path
new file mode 100644
index 00000000..da53af8e
--- /dev/null
+++ b/debian/patches/second-stage-path
@@ -0,0 +1,24 @@
+Description: Chainload grubx64.efi, not grub.efi
+ We qualify the second stage bootloader image with the architecture name,
+ so we're forwards-compatible with any future 32-bit implementations.
+ (Non-SB grub doesn't conflict, since the image will be named bootia32.efi
+ anyway, not grub.efi.)
+Author: Steve Langasek <steve.langasek@ubuntu.com>
+
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: b/Makefile
+===================================================================
+--- a/Makefile
++++ b/Makefile
+@@ -25,7 +25,7 @@ EFI_LIBS = -lefi -lgnuefi --start-group
+ EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
+ EFI_LDS = elf_$(ARCH)_efi.lds
+
+-DEFAULT_LOADER := \\\\grub.efi
++DEFAULT_LOADER := \\\\grubx64.efi
+ CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
+ -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
+ -Werror=sign-compare -ffreestanding -std=gnu89 \
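Review bot: The new recipe `sbsign --key shim.key --cert shim.crt $<` never names `$@`; the `%.efi.signed` target appears only because sbsign's default output is the input name with `.signed` appended, and `shim.key` is read although the rule lists only `shim.crt` as a prerequisite. Writing `sbsign --key shim.key --cert shim.crt --output $@ $<` ties the recipe to its target, and a comment such as `# shim.key is generated together with shim.crt` would document the implicit dependency, assuming that is how the key is produced (the rule is not in this hunk). The description calls the key ephemeral, but nothing visible here removes `shim.key` after signing, and the `clean:` rule continues past the hunk. Confirm that it, or the packaging, deletes the private key so that it cannot end up in build artefacts.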
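Review bot: `DEFAULT_LOADER := \\\\grubx64.efi` hard-codes the x86_64 image name for every build, while the description justifies the rename as qualifying the second stage with the architecture name. The other patches in this commit show the same Makefile branching on `$(ARCH)` for ia32, aarch64 and arm, so a non-x86_64 shim built from this tree would still chainload `grubx64.efi`. Because this value decides which binary shim verifies and hands control to, it should either be derived from `ARCH` or carry a comment such as `# x86_64 only; revisit when another ARCH is enabled`, so that the description and the code agree.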
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 00000000..a5f3392d
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+second-stage-path
+sbsigntool-not-pesign |
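Review bot: `series` lists only second-stage-path and sbsigntool-not-pesign, so gcc-5.diff, gcc5-includes-stdarg.patch and prototypes are added under debian/patches but never applied by quilt. The context lines of second-stage-path already show `-ffreestanding -std=gnu89` in the upstream `CFLAGS`, which suggests that the two gcc-5 patches are superseded; if so, deleting them is better than carrying them unapplied, and if prototypes is still needed it should be listed. If the files are kept for reference, a `#` comment in series naming each disabled patch and the reason would stop a later maintainer from enabling one that no longer applies to the signed build.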