10 files changed, 218 insertions, 0 deletions
diff --git a/debian/canonical-uefi-ca.der b/debian/canonical-uefi-ca.der
new file mode 100644
index 00000000..b4098d9c
--- /dev/null
+++ b/debian/canonical-uefi-ca.der
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 00000000..1856f5d0
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,147 @@
+shim (0.9-0) eos; urgency=medium
+
+  * Add new 'shim-efi-image' package to install shim.efi to
+    /boot/efi/EFI/BOOT/bootx64.efi
+  * New upstream release
+
+ -- carlo <carlo@localhost>  Thu, 30 Jun 2016 18:58:31 +0200
+
+shim (0.8-0ubuntu2) wily; urgency=medium
+
+  * No-change rebuild against gnu-efi 3.0v-5ubuntu1.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 12 May 2015 17:48:30 +0000
+
+shim (0.8-0ubuntu1) wily; urgency=medium
+
+  * New upstream release.
+    - Clarify meaning of insecure_mode. (LP: #1384973)
+  * debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,
+    debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included
+    in the upstream release.
+  * debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path:
+    refreshed.
+
+ -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com>  Mon, 11 May 2015 19:50:49 -0400
+
+shim (0.7-0ubuntu4) utopic; urgency=medium
+
+  * SECURITY UPDATE: heap overflow and out-of-bounds read access when
+    parsing DHCPv6 information
+    - debian/patches/CVE-2014-3675.patch: apply proper bounds checking
+      when parsing data provided in DHCPv6 packets.
+    - CVE-2014-3675
+    - CVE-2014-3676
+  * SECURITY UPDATE: memory corruption when processing user-provided key
+    lists
+    - debian/patches/CVE-2014-3677.patch: detect malformed machine owner
+      key (MOK) lists and ignore them, avoiding possible memory corruption.
+    - CVE-2014-3677
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 08 Oct 2014 06:40:40 +0000
+
+shim (0.7-0ubuntu2) utopic; urgency=medium
+
+  * Restore debian/patches/prototypes, which still is needed on shim 0.7
+    but only detected on the buildds.
+  * Update debian/patches/prototypes with some new declarations needed for
+    openssl 0.9.8za update.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 07 Oct 2014 16:20:08 -0700
+
+shim (0.7-0ubuntu1) utopic; urgency=medium
+
+  * New upstream release.
+    - fix spurious error message when fallback.efi is not present, as will
+      always be the case for removable media.  LP: #1297069.
+    - drop most patches, included upstream.
+  * debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick
+    openssl 0.9.8za in via upstream.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 07 Oct 2014 05:40:41 +0000
+
+shim (0.4-0ubuntu5) utopic; urgency=low
+
+  * Install fallback.efi.signed as well, to lay the groundwork for fallback
+    handling (wanted when we have to move a drive between machines, or when
+    the firmware loses its marbles^W nvram).
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 04 Aug 2014 12:11:13 +0200
+
+shim (0.4-0ubuntu4) saucy; urgency=low
+
+  * debian/patches/fix-tftp-prototype: pass the right arguments to
+    EFI_PXE_BASE_CODE_TFTP_READ_FILE.
+  * debian/patches/build-with-Werror: Build with -Werror to catch future
+    prototype mismatches.
+  * debian/patches/fix-compiler-warnings: Fix remaining compiler
+    warnings in netboot.c.
+  * debian/patches/tftp-proper-nul-termination: fix nul termination
+    errors in filenames passed to tftp.
+  * debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to
+    the netboot code.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 23 Sep 2013 00:30:00 -0700
+
+shim (0.4-0ubuntu3) saucy; urgency=low
+
+  [ Steve Langasek ]
+  * Install MokManager.efi.signed in the package.
+  * debian/patches/no-output-by-default.patch: Don't print any
+    informational messages.  Closes LP: #1074302.
+
+  [ Stéphane Graber ]
+  * debian/patches/no-print-on-unsigned: Don't print an error message when
+    validating an unsigned binary as that tends to hang Lenovo machines.
+    (LP: #1087501)
+
+ -- Stéphane Graber <stgraber@ubuntu.com>  Thu, 08 Aug 2013 17:12:12 +0200
+
+shim (0.4-0ubuntu2) saucy; urgency=low
+
+  * Add missing build-dependency on openssl.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 02 Jul 2013 20:30:43 +0000
+
+shim (0.4-0ubuntu1) saucy; urgency=low
+
+  * New upstream release.
+  * Drop debian/patches/shim-before-loadimage; upstream has changed this to
+    not call loadimage at all.
+  * debian/patches/sbsigntool-not-pesign: Sign MokManager with
+    sbsigntool instead of pesign.
+  * Add a versioned build-dependency on gnu-efi.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 02 Jul 2013 12:53:24 -0700
+
+shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low
+
+  * debian/patches/shim-before-loadimage: Use direct verification first
+    before LoadImage.  Addresses an issue where Lenovo's SecureBoot
+    implementation pops an error message on any verification failure - avoid
+    calling LoadImage at all unless we have to.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 10 Oct 2012 15:28:40 -0700
+
+shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low
+
+  * debian/patches/second-stage-path: Chainload grubx64.efi, not
+    grub.efi.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 05 Oct 2012 11:20:58 -0700
+
+shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low
+
+  * debian/patches/prototypes: Include missing prototypes, and disable
+    use of BIO_new_file.
+  * Only build the package for amd64; we're not signing an i386 shim at this
+    stage so there's no point in building it.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 04 Oct 2012 17:47:04 +0000
+
+shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low
+
+  * Initial release.
+  * Include the Canonical Secure Boot master CA.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 04 Oct 2012 00:01:06 -0700
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 00000000..ec635144
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+9
diff --git a/debian/control b/debian/control
new file mode 100644
index 00000000..d1f77131
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,23 @@
+Source: shim
+Section: admin
+Priority: optional
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Steve Langasek <vorlon@debian.org>
+Standards-Version: 3.9.3
+Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl, dh-exec
+Vcs-Bzr: lp:ubuntu/shim
+
+Package: shim
+Architecture: amd64
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: boot loader to chain-load signed boot loaders under Secure Boot
+ This package provides a minimalist boot loader which allows verifying
+ signatures of other UEFI binaries against either the Secure Boot DB/DBX or
+ against a built-in signature database.  Its purpose is to allow a small,
+ infrequently-changing binary to be signed by the UEFI CA, while allowing
+ an OS distributor to revision their main bootloader independently of the CA.
+
+Package: shim-efi-image
+Architecture: amd64
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: shim EFI image installed as bootx64.efi
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 00000000..d9f12756
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,33 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: shim
+Upstream-Contact: Matthew Garrett <mjg@redhat.com>
+Source: https://github.com/mjg59/shim.git
+
+Files: *
+Copyright: 2012 Red Hat, Inc
+	2009-2012 Intel Corporation
+License: BSD-2-Clause
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ .
+ Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ .
+ Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the
+ distribution.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 00000000..28523b56
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,7 @@
+#!/usr/bin/make -f
+
+%:
+	dh $@
+
+override_dh_auto_build:
+	dh_auto_build -- EFI_PATH=/usr/lib VENDOR_CERT_FILE=debian/canonical-uefi-ca.der
diff --git a/debian/shim-efi-image.install b/debian/shim-efi-image.install
new file mode 100644
index 00000000..bbc51957
--- /dev/null
+++ b/debian/shim-efi-image.install
@@ -0,0 +1,2 @@
+#!/usr/bin/dh-exec
+shim.efi => /boot/efi/EFI/BOOT/bootx64.efi
diff --git a/debian/shim.install b/debian/shim.install
new file mode 100644
index 00000000..97d99c43
--- /dev/null
+++ b/debian/shim.install
@@ -0,0 +1,3 @@
+shim.efi /usr/lib/shim
+MokManager.efi.signed /usr/lib/shim
+fallback.efi.signed /usr/lib/shim
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 00000000..163aaf8d
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/source/include-binaries b/debian/source/include-binaries
new file mode 100644
index 00000000..5be73be9
--- /dev/null
+++ b/debian/source/include-binaries
@@ -0,0 +1 @@
+debian/canonical-uefi-ca.der