Diffstat (limited to 'debian')
-rw-r--r-- | debian/changelog | 30 | ||||
-rw-r--r-- | debian/control | 6 | ||||
-rw-r--r-- | debian/copyright | 2 | ||||
-rw-r--r-- | debian/patches/fixup_git.patch | 19 | ||||
-rw-r--r-- | debian/patches/gcc-5.diff | 45 | ||||
-rw-r--r-- | debian/patches/gcc5-includes-stdarg.patch | 129 | ||||
-rw-r--r-- | debian/patches/prototypes | 191 | ||||
-rw-r--r-- | debian/patches/sbsigntool-not-pesign | 26 | ||||
-rw-r--r-- | debian/patches/second-stage-path | 24 | ||||
-rw-r--r-- | debian/patches/series | 3 | ||||
-rwxr-xr-x | debian/rules | 30 | ||||
-rw-r--r-- | debian/shim.install | 7 |
12 files changed, 86 insertions, 426 deletions
diff --git a/debian/changelog b/debian/changelog
index 07286132..ffc86a2e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,33 @@
+shim (15+1533136590.3beb971-1) unstable; urgency=medium
+
+ * New upstream release.
+ - debian/patches/second-stage-path: dropped; the default loader path now
+ includes an arch suffix.
+ - debian/patches/sbsigntool-no-pesign: dropped; no longer needed.
+ * Drop remaining patches that were not being applied.
+ * Sync packaging from Ubuntu:
+ - debian/copyright: Update upstream source location.
+ - debian/control: add a Build-Depends on libelf-dev.
+ - Enable arm64 build.
+ - debian/patches/fixup_git.patch: don't run git in clean; we're not
+ really in a git tree.
+ - debian/rules, debian/shim.install: use the upstream install target as
+ intended, and move files to the target directory using dh_install.
+ - define RELEASE and COMMIT_ID for the snapshot.
+ - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
+ - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
+ options: set MAKELEVEL.
+ - Define an EFI_ARCH variable, and use that for paths to shim. This
+ makes it possible to build a shim for other architectures than amd64.
+ - Set EFIDIR=$distro for dh_auto_install; that will let files be installed
+ in the "right" final directories, and makes boot.csv for us.
+ - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
+ at compile-time for MokManager and fallback.
+ - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
+ and MokManager.
+
+ -- Steve Langasek <vorlon@debian.org> Sat, 09 Feb 2019 07:23:19 +0000
+
 shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium
 
 [ Steve Langasek ]
diff --git a/debian/control b/debian/control
index 25b0b47e..9db22062 100644
--- a/debian/control
+++ b/debian/control
@@ -3,11 +3,11 @@ Section: admin
 Priority: optional
 Maintainer: Steve Langasek <vorlon@debian.org>
 Standards-Version: 3.9.8
-Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl
-Vcs-Bzr: lp:~ubuntu-core-dev/shim/trunk
+Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl, libelf-dev
+Vcs-Git: https://git.launchpad.net/~ubuntu-core-dev/shim/+git/shim
 
 Package: shim
-Architecture: amd64
+Architecture: amd64 arm64
 Depends: ${shlibs:Depends}, ${misc:Depends}
 Description: boot loader to chain-load signed boot loaders under Secure Boot
 This package provides a minimalist boot loader which allows verifying
diff --git a/debian/copyright b/debian/copyright
index 7c08287c..64b3f578 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,7 +1,7 @@
 Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: shim
 Upstream-Contact: Matthew Garrett <mjg59@coreos.com>
-Source: https://github.com/mjg59/shim.git
+Source: https://github.com/rhboot/shim
 
 Files: *
 Copyright: 2012-2013 Red Hat, Inc
diff --git a/debian/patches/fixup_git.patch b/debian/patches/fixup_git.patch
new file mode 100644
index 00000000..33e9305d
--- /dev/null
+++ b/debian/patches/fixup_git.patch
@@ -0,0 +1,19 @@
+From: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
+Subject: We're not in a git tree, don't try to git clean.
+
+---
+ Makefile | 1 -
+ 1 file changed, 1 deletion(-)
+
+Index: b/Makefile
+===================================================================
+--- a/Makefile
++++ b/Makefile
+@@ -225,7 +225,6 @@ clean-shim-objs:
+ @rm -rvf $(TARGET) *.o $(SHIM_OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb $(BOOTCSVNAME)
+ @rm -vf *.debug *.so *.efi *.efi.* *.tar.* version.c buildid
+ @rm -vf Cryptlib/*.[oa] Cryptlib/*/*.[oa]
+- @git clean -f -d -e 'Cryptlib/OpenSSL/*'
+
+ clean: clean-shim-objs
+ $(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean
diff --git a/debian/patches/gcc-5.diff b/debian/patches/gcc-5.diff
deleted file mode 100644
index e706c3ab..00000000
--- a/debian/patches/gcc-5.diff
+++ /dev/null
@@ -1,45 +0,0 @@ ---- - Cryptlib/Makefile | 2 +- - Cryptlib/OpenSSL/Makefile | 2 +- - Makefile | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -Index: b/Makefile -=================================================================== ---- a/Makefile -+++ b/Makefile -@@ -19,7 +19,7 @@ EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(A - EFI_LDS = elf_$(ARCH)_efi.lds - - DEFAULT_LOADER := \\\\grubx64.efi --CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ -+CFLAGS = -std=gnu89 -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ - -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \ - -Werror=sign-compare \ - "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \ -Index: b/Cryptlib/Makefile -=================================================================== ---- a/Cryptlib/Makefile -+++ b/Cryptlib/Makefile -@@ -1,7 +1,7 @@ - - EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol - --CFLAGS = -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \ -+CFLAGS = -std=gnu89 -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \ - -Wall $(EFI_INCLUDES) - - ifeq ($(ARCH),x86_64) -Index: b/Cryptlib/OpenSSL/Makefile -=================================================================== ---- a/Cryptlib/OpenSSL/Makefile -+++ b/Cryptlib/OpenSSL/Makefile -@@ -1,7 +1,7 @@ - - EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol - --CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \ -+CFLAGS = -std=gnu89 -ggdb -O0 -I. -I.. 
-I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \ - -Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC - - ifeq ($(ARCH),x86_64) diff --git a/debian/patches/gcc5-includes-stdarg.patch b/debian/patches/gcc5-includes-stdarg.patch deleted file mode 100644 index 57cf4a8e..00000000 --- a/debian/patches/gcc5-includes-stdarg.patch +++ /dev/null @@ -1,129 +0,0 @@ -From d51739a416400ad348d8a1c7e3886abce11fff1b Mon Sep 17 00:00:00 2001 -From: Peter Jones <pjones@redhat.com> -Date: Tue, 7 Apr 2015 11:59:25 -0400 -Subject: [PATCH] gcc 5.0 changes some include bits, so copy what arm does on - x86. - -Basically they messed around with stdarg some and now we need to do it -the other way. - -Signed-off-by: Peter Jones <pjones@redhat.com> ---- - Cryptlib/Include/OpenSslSupport.h | 4 +++- - Cryptlib/Makefile | 3 ++- - Cryptlib/OpenSSL/Makefile | 5 +++-- - Makefile | 17 ++++++----------- - MokManager.c | 1 + - 5 files changed, 15 insertions(+), 15 deletions(-) - -Index: b/Cryptlib/Include/OpenSslSupport.h -=================================================================== ---- a/Cryptlib/Include/OpenSslSupport.h -+++ b/Cryptlib/Include/OpenSslSupport.h -@@ -34,7 +34,7 @@ typedef VOID *FILE; - //
- // Map all va_xxxx elements to VA_xxx defined in MdePkg/Include/Base.h
- //
--#if !defined(__CC_ARM) // if va_list is not already defined
-+#if !defined(__CC_ARM) || defined(_STDARG_H) // if va_list is not already defined
- /*
- * These are now unconditionally #defined by GNU_EFI's efistdarg.h,
- * so we should #undef them here before providing a new definition.
-@@ -94,7 +94,9 @@ typedef __builtin_va_list VA_LIST; - portably, hence it is provided by a Standard C header file.
- For pre-Standard C compilers, here is a version that usually works
- (but watch out!): */
-+#ifndef offsetof
- #define offsetof(type, member) ( (int) & ((type*)0) -> member )
-+#endif
-
- //
- // Basic types from EFI Application Toolkit required to buiild Open SSL
-Index: b/Cryptlib/Makefile -=================================================================== ---- a/Cryptlib/Makefile -+++ b/Cryptlib/Makefile -@@ -2,7 +2,8 @@ - EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol - - CFLAGS = -std=gnu89 -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \ -- -Wall $(EFI_INCLUDES) -+ -Wall $(EFI_INCLUDES) \ -+ -ffreestanding -I$(shell $(CC) -print-file-name=include) - - ifeq ($(ARCH),x86_64) - CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \ -Index: b/Cryptlib/OpenSSL/Makefile -=================================================================== ---- a/Cryptlib/OpenSSL/Makefile -+++ b/Cryptlib/OpenSSL/Makefile -@@ -2,6 +2,7 @@ - EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol - - CFLAGS = -std=gnu89 -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \ -+ -ffreestanding -I$(shell $(CC) -print-file-name=include) \ - -Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC - - ifeq ($(ARCH),x86_64) -@@ -13,10 +14,10 @@ ifeq ($(ARCH),ia32) - -m32 -DTHIRTY_TWO_BIT - endif - ifeq ($(ARCH),aarch64) -- CFLAGS += -O2 -DSIXTY_FOUR_BIT_LONG -ffreestanding -I$(shell $(CC) -print-file-name=include) -+ CFLAGS += -O2 -DSIXTY_FOUR_BIT_LONG - endif - ifeq ($(ARCH),arm) -- CFLAGS += -O2 -DTHIRTY_TWO_BIT -ffreestanding -I$(shell 
$(CC) -print-file-name=include) -+ CFLAGS += -O2 -DTHIRTY_TWO_BIT - endif - LDFLAGS = -nostdlib -znocombreloc - -Index: b/Makefile -=================================================================== ---- a/Makefile -+++ b/Makefile -@@ -21,7 +21,8 @@ EFI_LDS = elf_$(ARCH)_efi.lds - DEFAULT_LOADER := \\\\grubx64.efi - CFLAGS = -std=gnu89 -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ - -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \ -- -Werror=sign-compare \ -+ -Werror=sign-compare -ffreestanding \ -+ -I$(shell $(CC) -print-file-name=include) \ - "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \ - "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \ - $(EFI_INCLUDES) -@@ -31,19 +32,13 @@ ifneq ($(origin OVERRIDE_SECURITY_POLICY - endif - - ifeq ($(ARCH),x86_64) -- CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \ -+ CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \ -+ -maccumulate-outgoing-args \ - -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI - endif - ifeq ($(ARCH),ia32) -- CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -m32 --endif -- --ifeq ($(ARCH),aarch64) -- CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include) --endif -- --ifeq ($(ARCH),arm) -- CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include) -+ CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \ -+ -maccumulate-outgoing-args -m32 - endif - - ifneq ($(origin VENDOR_CERT_FILE), undefined) -Index: b/MokManager.c -=================================================================== ---- a/MokManager.c -+++ b/MokManager.c -@@ -1,5 +1,6 @@ - #include <efi.h> - #include <efilib.h> -+#include <stdarg.h> - #include <Library/BaseCryptLib.h> - #include <openssl/x509.h> - #include "shim.h" diff --git a/debian/patches/prototypes b/debian/patches/prototypes deleted file mode 100644 index 7191e102..00000000 --- a/debian/patches/prototypes +++ /dev/null 
@@ -1,191 +0,0 @@ -Description: Include missing prototypes, and disable use of BIO_new_file - Pull in missing prototypes for functions that are not yet upstream in - gnu-efi, and #ifdef out references to BIO_new_file(), BIO_new_fp(), and - X509_load_{cert,crl}_file since the prototypes are themselves #ifdef'ed - out. - . - Without these prototypes, we get implicit conversions on amd64, which - are sensibly treated as a build failure by Launchpad. -Author: Steve Langasek <steve.langasek@ubuntu.com> - -Index: shim/Cryptlib/Library/BaseMemoryLib.h -=================================================================== ---- /dev/null -+++ shim/Cryptlib/Library/BaseMemoryLib.h -@@ -0,0 +1,41 @@ -+#ifndef __BASE_MEMORY_LIB__ -+#define __BASE_MEMORY_LIB__ -+ -+CHAR8 * -+ScanMem8 ( -+ IN CHAR8 *Buffer, -+ IN UINTN Size, -+ IN CHAR8 Value -+ ); -+ -+UINT32 -+WriteUnaligned32( -+ UINT32 *Buffer, -+ UINT32 Value -+ ); -+ -+CHAR8 * -+AsciiStrCat( -+ CHAR8 *Destination, -+ CHAR8 *Source -+ ); -+ -+CHAR8 * -+AsciiStrCpy( -+ CHAR8 *Destination, -+ CHAR8 *Source -+ ); -+ -+CHAR8 * -+AsciiStrnCpy( -+ CHAR8 *Destination, -+ CHAR8 *Source, -+ UINTN count -+ ); -+ -+UINTN -+AsciiStrSize( -+ CHAR8 *string -+ ); -+ -+#endif -Index: shim/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c -=================================================================== ---- shim.orig/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c -+++ shim/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c -@@ -157,6 +157,7 @@ - } - OPENSSL_free(tmp_data2); - } -+#ifndef OPENSSL_NO_STDIO - else if (strncmp(val->value, "file:", 5) == 0) - { - unsigned char buf[2048]; -@@ -194,6 +195,7 @@ - goto err; - } - } -+#endif - else if (strncmp(val->value, "text:", 5) == 0) - { - val_len = strlen(val->value + 5); -Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_def.c -=================================================================== ---- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_def.c -+++ shim/Cryptlib/OpenSSL/crypto/conf/conf_def.c -@@ -186,11 +186,13 @@ - 
int ret; - BIO *in=NULL; - -+#ifndef OPENSSL_NO_STDIO - #ifdef OPENSSL_SYS_VMS - in=BIO_new_file(name, "r"); - #else - in=BIO_new_file(name, "rb"); - #endif -+#endif - if (in == NULL) - { - if (ERR_GET_REASON(ERR_peek_last_error()) == BIO_R_NO_SUCH_FILE) -Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_lib.c -=================================================================== ---- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_lib.c -+++ shim/Cryptlib/OpenSSL/crypto/conf/conf_lib.c -@@ -92,11 +92,13 @@ - LHASH *ltmp; - BIO *in=NULL; - -+#ifndef OPENSSL_NO_STDIO - #ifdef OPENSSL_SYS_VMS - in=BIO_new_file(file, "r"); - #else - in=BIO_new_file(file, "rb"); - #endif -+#endif - if (in == NULL) - { - CONFerr(CONF_F_CONF_LOAD,ERR_R_SYS_LIB); -Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_sap.c -=================================================================== ---- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_sap.c -+++ shim/Cryptlib/OpenSSL/crypto/conf/conf_sap.c -@@ -93,12 +93,14 @@ - { - BIO *bio_err; - ERR_load_crypto_strings(); -+#ifndef OPENSSL_NO_STDIO - if ((bio_err=BIO_new_fp(stderr, BIO_NOCLOSE)) != NULL) - { - BIO_printf(bio_err,"Auto configuration failed\n"); - ERR_print_errors(bio_err); - BIO_free(bio_err); - } -+#endif - exit(1); - } - -Index: shim/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c -=================================================================== ---- shim.orig/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c -+++ shim/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c -@@ -374,11 +374,15 @@ - BIO *in; - EVP_PKEY *key; - fprintf(stderr, "(TEST_ENG_OPENSSL_PKEY)Loading Private key %s\n", key_id); -+#ifndef OPENSSL_NO_STDIO - in = BIO_new_file(key_id, "r"); - if (!in) - return NULL; - key = PEM_read_bio_PrivateKey(in, NULL, 0, NULL); - BIO_free(in); -+#else -+ return NULL; -+#endif - return key; - } - #endif -Index: shim/Cryptlib/OpenSSL/crypto/x509/by_dir.c -=================================================================== ---- 
shim.orig/Cryptlib/OpenSSL/crypto/x509/by_dir.c -+++ shim/Cryptlib/OpenSSL/crypto/x509/by_dir.c -@@ -92,8 +92,10 @@ - static int new_dir(X509_LOOKUP *lu); - static void free_dir(X509_LOOKUP *lu); - static int add_cert_dir(BY_DIR *ctx,const char *dir,int type); -+#ifndef OPENSSL_NO_STDIO - static int get_cert_by_subject(X509_LOOKUP *xl,int type,X509_NAME *name, - X509_OBJECT *ret); -+#endif - X509_LOOKUP_METHOD x509_dir_lookup= - { - "Load certs from files in a directory", -@@ -102,7 +104,11 @@ - NULL, /* init */ - NULL, /* shutdown */ - dir_ctrl, /* ctrl */ -+#ifdef OPENSSL_NO_STDIO -+ NULL, /* get_by_subject */ -+#else - get_cert_by_subject, /* get_by_subject */ -+#endif - NULL, /* get_by_issuer_serial */ - NULL, /* get_by_fingerprint */ - NULL, /* get_by_alias */ -@@ -242,6 +248,7 @@ - return(1); - } - -+#ifndef OPENSSL_NO_STDIO - static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name, - X509_OBJECT *ret) - { -@@ -383,3 +390,4 @@ - if (b != NULL) BUF_MEM_free(b); - return(ok); - } -+#endif diff --git a/debian/patches/sbsigntool-not-pesign b/debian/patches/sbsigntool-not-pesign deleted file mode 100644 index 9629cb12..00000000 --- a/debian/patches/sbsigntool-not-pesign +++ /dev/null 
@@ -1,26 +0,0 @@ -Description: Sign MokManager with sbsigntool instead of pesign - Ubuntu infrastructure uses sbsigntool for all other EFI signing, so we use - the same thing for signing MokManager with our ephemeral key. This also - avoids an additional build dependency on libnss3-tools. -Author: Steve Langasek <steve.langasek@canonical.com> -Forwarded: not-needed - ---- - Makefile | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -Index: b/Makefile -=================================================================== ---- a/Makefile -+++ b/Makefile -@@ -158,8 +158,8 @@ endif - -j .note.gnu.build-id \ - $(FORMAT) $^ $@.debug - --%.efi.signed: %.efi certdb/secmod.db -- pesign -n certdb -i $< -c "shim" -s -o $@ -f -+%.efi.signed: %.efi shim.crt -+ sbsign --key shim.key --cert shim.crt $< - - clean: - $(MAKE) -C Cryptlib clean diff --git a/debian/patches/second-stage-path b/debian/patches/second-stage-path deleted file mode 100644 index da53af8e..00000000 --- a/debian/patches/second-stage-path +++ /dev/null @@ -1,24 +0,0 @@ -Description: Chainload grubx64.efi, not grub.efi - We qualify the second stage bootloader image with the architecture name, - so we're forwards-compatible with any future 32-bit implementations. - (Non-SB grub doesn't conflict, since the image will be named bootia32.efi - anyway, not grub.efi.) -Author: Steve Langasek <steve.langasek@ubuntu.com> - ---- - Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Index: b/Makefile -=================================================================== ---- a/Makefile -+++ b/Makefile -@@ -25,7 +25,7 @@ EFI_LIBS = -lefi -lgnuefi --start-group - EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o - EFI_LDS = elf_$(ARCH)_efi.lds - --DEFAULT_LOADER := \\\\grub.efi -+DEFAULT_LOADER := \\\\grubx64.efi - CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ - -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \ - -Werror=sign-compare -ffreestanding -std=gnu89 \ 
diff --git a/debian/patches/series b/debian/patches/series
index a5f3392d..767bfb59 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1 @@
-second-stage-path
-sbsigntool-not-pesign
+fixup_git.patch
diff --git a/debian/rules b/debian/rules
index f368a197..4c92c804 100755
--- a/debian/rules
+++ b/debian/rules
@@ -6,16 +6,42 @@
 # should be building the other binaries also.
 ifeq ($(shell dpkg-vendor --is ubuntu && echo yes),yes)
 cert=debian/canonical-uefi-ca.der
+ distributor=ubuntu
 else
 cert=debian/debian-uefi-ca.der
+ distributor=debian
 endif
 
+ifeq ($(DEB_HOST_ARCH),amd64)
+export EFI_ARCH := x64
+else ($(DEB_HOST_ARCH),arm64)
+export EFI_ARCH := aa64
+endif
+
+COMMON_OPTIONS = \
+ RELEASE=15 \
+ COMMIT_ID=3beb971b10659cf78144ddc5eeea83501384440c \
+ MAKELEVEL=0 \
+ EFI_PATH=/usr/lib \
+ ENABLE_HTTPBOOT=true \
+ ENABLE_SHIM_CERT=1 \
+ ENABLE_SBSIGN=1 \
+ VENDOR_CERT_FILE=$(cert) \
+ EFIDIR=$(distributor) \
+ $(NULL)
+
 %:
 dh $@ --parallel
 
+override_dh_auto_clean:
+ dh_auto_clean -- MAKELEVEL=0
+
 override_dh_auto_build:
- dh_auto_build -- EFI_PATH=/usr/lib VENDOR_CERT_FILE=$(cert)
+ dh_auto_build -- $(COMMON_OPTIONS)
+
+override_dh_auto_install:
+ dh_auto_install --destdir=debian/tmp -- $(COMMON_OPTIONS)
 
 override_dh_fixperms:
 dh_fixperms
- chmod a-x debian/shim/usr/lib/shim/shimx64.efi
+ chmod a-x debian/shim/usr/lib/shim/shim$(EFI_ARCH).efi
diff --git a/debian/shim.install b/debian/shim.install
index f37f6d19..268df256 100644
--- a/debian/shim.install
+++ b/debian/shim.install
@@ -1,3 +1,4 @@
-shim*.efi /usr/lib/shim
-mm*.efi.signed /usr/lib/shim
-fb*.efi.signed /usr/lib/shim
+/boot/efi/EFI/*/shim*.efi /usr/lib/shim
+/boot/efi/EFI/*/mm*.efi /usr/lib/shim
+/boot/efi/EFI/*/fb*.efi /usr/lib/shim
+/boot/efi/EFI/*/BOOT*.CSV /usr/lib/shim |
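Review bot: `else ($(DEB_HOST_ARCH),arm64)` in the new EFI_ARCH block is missing the `ifeq` keyword, so GNU make does not evaluate it as a second condition; as far as I know it reports "extraneous text after 'else' directive" and treats the line as a plain `else`, which gives every non-amd64 build `EFI_ARCH := aa64`. The line should read `else ifeq ($(DEB_HOST_ARCH),arm64)`. EFI_ARCH is exported into the shim build and also names the file in the `chmod a-x` line of override_dh_fixperms, so an architecture outside the two supported ones is better stopped with a final `else` branch holding `$(error unsupported DEB_HOST_ARCH $(DEB_HOST_ARCH))` than built under the wrong name. DEB_HOST_ARCH is not assigned in the visible lines; unless the part of debian/rules above the hunk sets it, `DEB_HOST_ARCH ?= $(shell dpkg-architecture -qDEB_HOST_ARCH)` would cover a direct `debian/rules build` run.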
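Review bot: The new `mm*.efi` and `fb*.efi` patterns drop the `.signed` suffix that the removed lines matched, so the packaging no longer shows that the MokManager and fallback binaries it ships are the copies signed with the ephemeral build-time certificate. Presumably the upstream install target places the signed builds under the plain names when ENABLE_SHIM_CERT is set, but that is not visible on this page and should be confirmed. A step after dh_auto_install in debian/rules that runs `sbverify` with the build's certificate on each installed mm and fb binary would fail the build rather than package an unsigned second stage. The `*` directory component also matches every directory under EFI/ in debian/tmp, not only the EFIDIR passed from debian/rules, so a same-named file from another directory would be collected into /usr/lib/shim as well.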