Diffstat (limited to 'debian')
-rw-r--r--debian/BOOT.CSV.utf81
-rw-r--r--debian/canonical-uefi-ca.derbin0 -> 1080 bytes
-rw-r--r--debian/changelog59
-rw-r--r--debian/control14
-rw-r--r--debian/copyright227
-rw-r--r--debian/debian-uefi-ca.derbin0 -> 930 bytes
-rw-r--r--debian/endless-ca.cerbin864 -> 0 bytes
-rwxr-xr-xdebian/rules22
-rw-r--r--debian/shim-efi-image.install5
-rw-r--r--debian/shim.install6
-rw-r--r--debian/source/include-binaries3
-rw-r--r--debian/watch5
12 files changed, 308 insertions, 34 deletions
diff --git a/debian/BOOT.CSV.utf8 b/debian/BOOT.CSV.utf8
deleted file mode 100644
index f763f9a6..00000000
--- a/debian/BOOT.CSV.utf8
+++ /dev/null
@@ -1 +0,0 @@
-shim.efi,Endless OS,,This is the boot entry for Endless OS
diff --git a/debian/canonical-uefi-ca.der b/debian/canonical-uefi-ca.der
new file mode 100644
index 00000000..b4098d9c
--- /dev/null
+++ b/debian/canonical-uefi-ca.der
Binary files differ
diff --git a/debian/changelog b/debian/changelog
index 1856f5d0..07286132 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,59 @@
-shim (0.9-0) eos; urgency=medium
+shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium
- * Add new 'shim-efi-image' package to install shim.efi to
- /boot/efi/EFI/BOOT/bootx64.efi
- * New upstream release
+ [ Steve Langasek ]
+ * Initial Debian upload. Closes: #820052.
+ * Update Standards-Version.
+ * Embed the newly-minted Debian CA certificate.
+ * Vendorize debian/rules so that the same package can be used in both
+ Debian and Ubuntu without modification.
+ * Fix debian/copyright to match the spec (last match wins, not first)
+ * Fix shim.efi to not be executable.
+ * Add watchfile.
+ * Support parallel builds, because eh why not
+ * Update Vcs-Bzr.
+ * Resync with Ubuntu, including patch to fix debian/copyright.
+
+ [ Julien Cristau ]
+ * Add some missing copyright holders in d/copyright, update
+ Upstream-Contact. Thanks to Helen Koike for the help.
+
+ -- Julien Cristau <jcristau@debian.org> Sat, 15 Oct 2016 15:17:34 +0200
+
+shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium
+
+ [ Helen Koike ]
+ * debian/copyright: add OpenSSL license
+
+ [ Mathieu Trudel-Lapierre ]
+ * New upstream release.
+ * debian/copyright: patches should be BSD, like the rest of the upstream
+ code.
+ * debian/patches/unused-variable: dropped; applied upstream.
+ * debian/patches/binutils-version-matching: dropped, fixed upstream.
+ * debian/shim.install: built EFI binaries were renamed; update our install
+ file to properly pick up shim (shim$arch), MokManager (mm$arch), and
+ fallback (fb$arch).
+
+ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Wed, 21 Sep 2016 20:29:44 -0400
- -- carlo <carlo@localhost> Thu, 30 Jun 2016 18:58:31 +0200
+shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium
+
+ * New upstream release.
+ - Better handle LoadOptions. (LP: #1581299)
+ - Measure state and second stage in TPM.
+ - Mirror MokSBState in runtime as MokSBStateRT.
+ - Fix failure to build with GCC 5. (LP: #1429978)
+ - Various bug fixes and other improvements.
+ * Refreshed patches.
+ - Remaining patches:
+ + second-stage-path
+ + sbsigntool-not-pesign
+ * debian/patches/unused-variable: remove unused variable size.
+ * debian/patches/binutils-version-matching: revert d9a4c912 to correctly
+ match objcopy's version on Ubuntu.
+ * debian/copyright: update copyright for patches.
+
+ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 26 Jul 2016 16:48:32 -0400
shim (0.8-0ubuntu2) wily; urgency=medium
diff --git a/debian/control b/debian/control
index d1f77131..25b0b47e 100644
--- a/debian/control
+++ b/debian/control
@@ -1,11 +1,10 @@
Source: shim
Section: admin
Priority: optional
-Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
-XSBC-Original-Maintainer: Steve Langasek <vorlon@debian.org>
-Standards-Version: 3.9.3
-Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl, dh-exec
-Vcs-Bzr: lp:ubuntu/shim
+Maintainer: Steve Langasek <vorlon@debian.org>
+Standards-Version: 3.9.8
+Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl
+Vcs-Bzr: lp:~ubuntu-core-dev/shim/trunk
Package: shim
Architecture: amd64
@@ -16,8 +15,3 @@ Description: boot loader to chain-load signed boot loaders under Secure Boot
against a built-in signature database. Its purpose is to allow a small,
infrequently-changing binary to be signed by the UEFI CA, while allowing
an OS distributor to revision their main bootloader independently of the CA.
-
-Package: shim-efi-image
-Architecture: amd64
-Depends: ${shlibs:Depends}, ${misc:Depends}
-Description: shim EFI image installed as bootx64.efi
diff --git a/debian/copyright b/debian/copyright
index d9f12756..7c08287c 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,11 +1,232 @@
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: shim
-Upstream-Contact: Matthew Garrett <mjg@redhat.com>
+Upstream-Contact: Matthew Garrett <mjg59@coreos.com>
Source: https://github.com/mjg59/shim.git
Files: *
-Copyright: 2012 Red Hat, Inc
- 2009-2012 Intel Corporation
+Copyright: 2012-2013 Red Hat, Inc
+ 2009-2016 Intel Corporation
+License: BSD-2-Clause
+
+Files: debian/patches/*
+Copyright: 2016 Canonical Ltd.
+License: BSD-2-Clause
+
+Files: crypt_blowfish.*
+Copyright: none
+License: public-domain
+ No copyright is claimed, and the software is hereby placed in the public
+ domain. In case this attempt to disclaim copyright and place the software
+ in the public domain is deemed null and void, then the software is
+ Copyright (c) 2000-2011 Solar Designer and it is hereby released to the
+ general public under the following terms:
+ .
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted.
+ .
+ There's ABSOLUTELY NO WARRANTY, express or implied.
+
+Files: httpboot.*
+Copyright: 2015 SUSE LINUX GmbH
+License: BSD-2-Clause
+
+Files: include/Http.h
+Copyright: 2016 Intel Corporation
+ 2015 Hewlett Packard Enterprise Development LP
+License: BSD-2-Clause
+
+Files: include/PeImage.h
+Copyright: 2006-2010 Intel Corporation
+ 2008-2009 Apple Inc
+License: BSD-2-Clause
+
+Files: lib/*.c
+Copyright: 2011-2012 Intel Corporation
+ 2012 <James.Bottomley@HansenPartnership.com>
+ 2012-2013 Red Hat, Inc
+License: BSD-2-Clause
+
+Files: Cryptlib/OpenSSL/* Cryptlib/Include/openssl/*
+Copyright: 1998-2016 The OpenSSL Project
+ 1995-1998 Eric Young (eay@cryptsoft.com)
+ 2002 Sun Microsystems, Inc
+ 2005 Nokia
+License: OpenSSL and Original-SSLeay
+ OpenSSL License
+ ---------------
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ .
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ .
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in
+ the documentation and/or other materials provided with the
+ distribution.
+ .
+ 3. All advertising materials mentioning features or use of this
+ software must display the following acknowledgment:
+ "This product includes software developed by the OpenSSL Project
+ for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ .
+ 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ endorse or promote products derived from this software without
+ prior written permission. For written permission, please contact
+ openssl-core@openssl.org.
+ .
+ 5. Products derived from this software may not be called "OpenSSL"
+ nor may "OpenSSL" appear in their names without prior written
+ permission of the OpenSSL Project.
+ .
+ 6. Redistributions of any form whatsoever must retain the following
+ acknowledgment:
+ "This product includes software developed by the OpenSSL Project
+ for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ .
+ THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ OF THE POSSIBILITY OF SUCH DAMAGE.
+ ====================================================================
+ .
+ This product includes cryptographic software written by Eric Young
+ (eay@cryptsoft.com). This product includes software written by Tim
+ Hudson (tjh@cryptsoft.com).
+ .
+ Original SSLeay License
+ -----------------------
+ This package is an SSL implementation written
+ by Eric Young (eay@cryptsoft.com).
+ The implementation was written so as to conform with Netscapes SSL.
+ .
+ This library is free for commercial and non-commercial use as long as
+ the following conditions are aheared to. The following conditions
+ apply to all code found in this distribution, be it the RC4, RSA,
+ lhash, DES, etc., code; not just the SSL code. The SSL documentation
+ included with this distribution is covered by the same copyright terms
+ except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ .
+ Copyright remains Eric Young's, and as such any Copyright notices in
+ the code are not to be removed.
+ If this package is used in a product, Eric Young should be given attribution
+ as the author of the parts of the library used.
+ This can be in the form of a textual message at program startup or
+ in documentation (online or textual) provided with the package.
+ .
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the copyright
+ notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ 3. All advertising materials mentioning features or use of this software
+ must display the following acknowledgement:
+ "This product includes cryptographic software written by
+ Eric Young (eay@cryptsoft.com)"
+ The word 'cryptographic' can be left out if the rouines from the library
+ being used are not cryptographic related :-).
+ 4. If you include any Windows specific code (or a derivative thereof) from
+ the apps directory (application code) you must include an acknowledgement:
+ "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ .
+ THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.
+ .
+ The licence and distribution terms for any publically available version or
+ derivative of this code cannot be changed. i.e. this code cannot simply be
+ copied and put under another distribution licence
+ [including the GNU Public Licence.]
+
+Files: Cryptlib/Include/openssl/seed.h
+Copyright: 2007 KISA(Korea Information Security Agency)
+License: BSD-2-Clause
+
+Files: Cryptlib/OpenSSL/crypto/o_dir.h Cryptlib/OpenSSL/crypto/LPdir_nyi.c
+Copyright: 2004, Richard Levitte <richard@levitte.org>
+License: BSD-2-Clause
+
+Files: Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c Cryptlib/OpenSSL/crypto/x509v3/v3_pcia.c
+Copyright: 2004 Kungliga Tekniska Högskolan
+License: BSD-3-Clause-Institute
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ .
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ .
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ .
+ 3. Neither the name of the Institute nor the names of its contributors
+ may be used to endorse or promote products derived from this software
+ without specific prior written permission.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.
+
+Files: Cryptlib/OpenSSL/crypto/bn/rsaz_exp.h
+Copyright: 2012, Intel Corporation
+License: BSD-3-Clause-Intel
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are
+ met:
+ .
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ .
+ * Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the
+ distribution.
+ .
+ * Neither the name of the Intel Corporation nor the names of its
+ contributors may be used to endorse or promote products derived from
+ this software without specific prior written permission.
+ .
+ THIS SOFTWARE IS PROVIDED BY INTEL CORPORATION ""AS IS"" AND ANY
+ EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL INTEL CORPORATION OR
+ CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
License: BSD-2-Clause
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
diff --git a/debian/debian-uefi-ca.der b/debian/debian-uefi-ca.der
new file mode 100644
index 00000000..1dd6ee16
--- /dev/null
+++ b/debian/debian-uefi-ca.der
Binary files differ
diff --git a/debian/endless-ca.cer b/debian/endless-ca.cer
deleted file mode 100644
index 6d000a63..00000000
--- a/debian/endless-ca.cer
+++ /dev/null
Binary files differ
diff --git a/debian/rules b/debian/rules
index 7ebe0e6f..f368a197 100755
--- a/debian/rules
+++ b/debian/rules
@@ -1,11 +1,21 @@
#!/usr/bin/make -f
+# Other vendors, add your certs here. No sense in using
+# dpkg-vendor --derives-from, because only Canonical-generated binaries will
+# be signed with this key; so if you are building your own shim binary you
+# should be building the other binaries also.
+ifeq ($(shell dpkg-vendor --is ubuntu && echo yes),yes)
+ cert=debian/canonical-uefi-ca.der
+else
+ cert=debian/debian-uefi-ca.der
+endif
+
%:
- dh $@
+ dh $@ --parallel
override_dh_auto_build:
- dh_auto_build -- EFI_PATH=/usr/lib VENDOR_CERT_FILE=debian/endless-ca.cer
- cp -v shim.efi bootx64.efi
- cp -v MokManager.efi.signed MokManager.efi
- cp -v fallback.efi.signed fallback.efi
- iconv -t utf-16le debian/BOOT.CSV.utf8 > BOOT.CSV
+ dh_auto_build -- EFI_PATH=/usr/lib VENDOR_CERT_FILE=$(cert)
+
+override_dh_fixperms:
+ dh_fixperms
+ chmod a-x debian/shim/usr/lib/shim/shimx64.efi
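Review bot: The bare `else` in the vendor check selects `debian/debian-uefi-ca.der` for every vendor that is not exactly Ubuntu, so a derivative building this package unmodified silently gets Debian's CA compiled into its shim as the built-in trust anchor. I would make the choice fail closed: replace the bare `else` with `else ifeq ($(shell dpkg-vendor --is debian && echo yes),yes)` and add a final `else` branch holding `$(error no UEFI CA certificate configured for this dpkg vendor)`. That matches the existing comment, which already asks other vendors to add their own certificate. Separately, `override_dh_fixperms` names `shimx64.efi` while debian/shim.install now matches `shim*.efi`; `chmod a-x debian/shim/usr/lib/shim/shim*.efi` would keep the two in step.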
diff --git a/debian/shim-efi-image.install b/debian/shim-efi-image.install
deleted file mode 100644
index be39aa40..00000000
--- a/debian/shim-efi-image.install
+++ /dev/null
@@ -1,5 +0,0 @@
-bootx64.efi /boot/efi/EFI/BOOT/
-fallback.efi /boot/efi/EFI/BOOT/
-MokManager.efi /boot/efi/EFI/endless/
-shim.efi /boot/efi/EFI/endless/
-BOOT.CSV /boot/efi/EFI/endless/
diff --git a/debian/shim.install b/debian/shim.install
index 97d99c43..f37f6d19 100644
--- a/debian/shim.install
+++ b/debian/shim.install
@@ -1,3 +1,3 @@
-shim.efi /usr/lib/shim
-MokManager.efi.signed /usr/lib/shim
-fallback.efi.signed /usr/lib/shim
+shim*.efi /usr/lib/shim
+mm*.efi.signed /usr/lib/shim
+fb*.efi.signed /usr/lib/shim
diff --git a/debian/source/include-binaries b/debian/source/include-binaries
index 9ff1281c..d82be748 100644
--- a/debian/source/include-binaries
+++ b/debian/source/include-binaries
@@ -1 +1,2 @@
-debian/endless-ca.cer
+debian/canonical-uefi-ca.der
+debian/debian-uefi-ca.der
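Review bot: The two certificates listed here enter the source package as opaque DER blobs, so this diff gives a reviewer no way to confirm that they are the CAs named in the changelog. Because debian/rules passes one of them to the build as `VENDOR_CERT_FILE`, I would record each file's subject and SHA-256 fingerprint in the changelog entry or in a `debian/README.source`, as printed by `openssl x509 -inform DER -noout -subject -fingerprint -sha256 -in debian/debian-uefi-ca.der`. A build-time comparison against those recorded values in debian/rules would additionally catch an accidental swap or replacement of the files.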
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 00000000..361d88c4
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,5 @@
+# Compulsory line, this is a version 4 file
+version=4
+
+opts="repack,compression=xz,filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/shim-$1\.tar\.gz/" \
+ https://github.com/mjg59/shim/releases .*/v?(\d\S*)\.tar\.gz
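Review bot: Nothing in this watch file authenticates the tarball that uscan downloads, and `repack,compression=xz` means the resulting orig tarball no longer matches upstream's bytes, so a later checksum comparison against the GitHub release is not possible either. For a package whose output is a Secure Boot loader, I would add a comment above the `opts=` line stating how the upstream source is verified, for example `# upstream publishes no detached signatures; check the import against the upstream git tag` if that is the case. If upstream does provide signatures, `pgpmode` or `pgpsigurlmangle` in `opts`, together with `debian/upstream/signing-key.asc`, would let uscan check them.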