Diffstat (limited to 'debian')
| -rw-r--r-- | debian/changelog | 8 | ||||
| -rw-r--r-- | debian/patches/build-with-Werror | 16 | ||||
| -rw-r--r-- | debian/patches/fix-compiler-warnings | 49 | ||||
| -rw-r--r-- | debian/patches/fix-tftp-prototype | 42 | ||||
| -rw-r--r-- | debian/patches/netboot-cleanup | 106 | ||||
| -rw-r--r-- | debian/patches/no-output-by-default.patch | 51 | ||||
| -rw-r--r-- | debian/patches/no-print-on-unsigned | 19 | ||||
| -rw-r--r-- | debian/patches/second-stage-path | 22 | ||||
| -rw-r--r-- | debian/patches/series | 7 | ||||
| -rw-r--r-- | debian/patches/tftp-proper-nul-termination | 81 |
10 files changed, 19 insertions, 382 deletions
diff --git a/debian/changelog b/debian/changelog
index 435a120e..da743e39 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+shim (0.7-0ubuntu1) UNRELEASED; urgency=medium
+
+ * New upstream release.
+ - fix spurious error message when fallback.efi is not present, as will
+ always be the case for removable media. LP: #1297069.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 06 Oct 2014 15:39:49 -0700
+
 shim (0.4-0ubuntu5) utopic; urgency=low
 
 * Install fallback.efi.signed as well, to lay the groundwork for fallback
diff --git a/debian/patches/build-with-Werror b/debian/patches/build-with-Werror
deleted file mode 100644
index f39048a0..00000000
--- a/debian/patches/build-with-Werror
+++ /dev/null
@@ -1,16 +0,0 @@
-Description: Build with -Werror to catch future prototype mismatches.
-Author: Steve Langasek <steve.langasek@ubuntu.com>
-
-Index: shim/Makefile
-===================================================================
---- shim.orig/Makefile
-+++ shim/Makefile
-@@ -15,7 +15,7 @@
- EFI_LDS = elf_$(ARCH)_efi.lds
-
- CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
-- -fshort-wchar -Wall -mno-red-zone -maccumulate-outgoing-args \
-+ -fshort-wchar -Wall -Werror -mno-red-zone -maccumulate-outgoing-args \
- -mno-mmx -mno-sse \
- $(EFI_INCLUDES)
- ifeq ($(ARCH),x86_64)
diff --git a/debian/patches/fix-compiler-warnings b/debian/patches/fix-compiler-warnings
deleted file mode 100644
index b90c9f2a..00000000
--- a/debian/patches/fix-compiler-warnings
+++ /dev/null
@@ -1,49 +0,0 @@
-Description: Fix remaining compiler warnings in netboot.c
- Fix remaining compiler warnings in netboot.c, so that the source builds
- cleanly under -Wall -Werror.
-Author: Steve Langasek <steve.langasek@ubuntu.com>
-
-=== modified file 'netboot.c'
-Index: shim/netboot.c
-===================================================================
---- shim.orig/netboot.c
-+++ shim/netboot.c
-@@ -53,7 +53,7 @@
-
- static EFI_PXE_BASE_CODE *pxe;
- static EFI_IP_ADDRESS tftp_addr;
--static char *full_path;
-+static UINT8 *full_path;
-
-
- typedef struct {
-@@ -111,7 +111,7 @@
- for (i=0; i < (bs / sizeof(EFI_HANDLE)); i++) {
- status = uefi_call_wrapper(BS->OpenProtocol, 6, hbuf[i],
- &pxe_base_code_protocol,
-- &pxe, image_handle, NULL,
-+ (void **)&pxe, image_handle, NULL,
- EFI_OPEN_PROTOCOL_GET_PROTOCOL);
-
- if (status != EFI_SUCCESS) {
-@@ -261,9 +261,9 @@
- return FALSE;
- memset(full_path, 0, strlen((UINT8 *)end)+strlen((UINT8 *)template));
- memcpy(full_path, end, strlen((UINT8 *)end));
-- end = strrchr(full_path, '/');
-+ end = strrchr((char *)full_path, '/');
- if (!end)
-- end = full_path;
-+ end = (char *)full_path;
- memcpy(end, template, strlen((UINT8 *)template));
-
- return TRUE;
-@@ -297,7 +297,7 @@
-
- memcpy(tmp, template, 12);
- tmp[13] = '\0';
-- full_path = tmp;
-+ full_path = (UINT8 *)tmp;
-
- /* Note we don't capture the filename option here because we know its shim.efi
- * We instead assume the filename at the end of the path is going to be grubx64.efi
diff --git a/debian/patches/fix-tftp-prototype b/debian/patches/fix-tftp-prototype
deleted file mode 100644
index ba500cb5..00000000
--- a/debian/patches/fix-tftp-prototype
+++ /dev/null
@@ -1,42 +0,0 @@
-Description: pass the right arguments to EFI_PXE_BASE_CODE_TFTP_READ_FILE
- A wrong pointer was being passed to EFI_PXE_BASE_CODE_TFTP_READ_FILE,
- preventing us from getting the file size back from the tftp call, ensuring
- that we don't have enough information to properly secureboot-validate the
- retrieved image.
-Author: Steve Langasek <steve.langasek@ubuntu.com>
-
-=== modified file 'netboot.c'
---- a/netboot.c 2013-05-31 19:34:11 +0000
-+++ b/netboot.c 2013-09-20 16:07:27 +0000
-@@ -326,7 +326,7 @@
- return rc;
- }
-
--EFI_STATUS FetchNetbootimage(EFI_HANDLE image_handle, VOID **buffer, UINTN *bufsiz)
-+EFI_STATUS FetchNetbootimage(EFI_HANDLE image_handle, VOID **buffer, UINT64 *bufsiz)
- {
- EFI_STATUS rc;
- EFI_PXE_BASE_CODE_TFTP_OPCODE read = EFI_PXE_BASE_CODE_TFTP_READ_FILE;
-@@ -344,7 +344,7 @@
-
- try_again:
- rc = uefi_call_wrapper(pxe->Mtftp, 10, pxe, read, *buffer, overwrite,
-- &bufsiz, &blksz, &tftp_addr, full_path, NULL, nobuffer);
-+ bufsiz, &blksz, &tftp_addr, full_path, NULL, nobuffer);
-
- if (rc == EFI_BUFFER_TOO_SMALL) {
- /* try again, doubling buf size */
-
-=== modified file 'shim.c'
---- a/shim.c 2013-08-08 15:12:06 +0000
-+++ b/shim.c 2013-09-20 16:12:39 +0000
-@@ -1161,7 +1161,7 @@
- EFI_DEVICE_PATH *path;
- CHAR16 *PathName = NULL;
- void *sourcebuffer = NULL;
-- UINTN sourcesize = 0;
-+ UINT64 sourcesize = 0;
- void *data = NULL;
- int datasize;
-
-
diff --git a/debian/patches/netboot-cleanup b/debian/patches/netboot-cleanup
deleted file mode 100644
index e94e2c7d..00000000
--- a/debian/patches/netboot-cleanup
+++ /dev/null
@@ -1,106 +0,0 @@
-Description: roll-up of miscellaneous fixes to the netboot code
- Pull of various fixes from
- <https://github.com/vorlonofportland/shim/tree/netboot-cleanup>, currently
- awaiting merge upstream.
-Author: Steve Langasek <steve.langasek@ubuntu.com>
-
-Index: shim/netboot.c
-===================================================================
---- shim.orig/netboot.c
-+++ shim/netboot.c
-@@ -141,11 +141,11 @@
- return rc;
- }
-
--static char *get_v6_bootfile_url(EFI_PXE_BASE_CODE_DHCPV6_PACKET *pkt)
-+static CHAR8 *get_v6_bootfile_url(EFI_PXE_BASE_CODE_DHCPV6_PACKET *pkt)
- {
- void *optr;
- EFI_DHCP6_PACKET_OPTION *option;
-- char *url;
-+ CHAR8 *url;
- UINT32 urllen;
-
- optr = pkt->DhcpOptions;
-@@ -159,10 +159,9 @@
- if (ntohs(option->OpCode) == 59) {
- /* This is the bootfile url option */
- urllen = ntohs(option->Length);
-- url = AllocatePool(urllen+2);
-+ url = AllocateZeroPool(urllen+1);
- if (!url)
- return NULL;
-- memset(url, 0, urllen+2);
- memcpy(url, option->Data, urllen);
- return url;
- }
-@@ -225,17 +224,17 @@
- return (UINT8 *)ip;
- }
-
--static BOOLEAN extract_tftp_info(char *url)
-+static BOOLEAN extract_tftp_info(CHAR8 *url)
- {
- CHAR8 *start, *end;
-- char ip6str[128];
-+ char ip6str[40];
- CHAR8 *template = (CHAR8 *)"/grubx64.efi";
-
- if (strncmp((UINT8 *)url, (UINT8 *)"tftp://", 7)) {
- Print(L"URLS MUST START WITH tftp://\n");
- return FALSE;
- }
-- start = (CHAR8 *)url + 7;
-+ start = url + 7;
- if (*start != '[') {
- Print(L"TFTP SERVER MUST BE ENCLOSED IN [..]\n");
- return FALSE;
-@@ -245,12 +244,16 @@
- end = start;
- while ((*end != '\0') && (*end != ']')) {
- end++;
-+ if (end - start > 39) {
-+ Print(L"TFTP URL includes malformed IPv6 address\n");
-+ return FALSE;
-+ }
- }
- if (end == '\0') {
- Print(L"TFTP SERVER MUST BE ENCLOSED IN [..]\n");
- return FALSE;
- }
-- memset(ip6str, 0, 128);
-+ memset(ip6str, 0, 40);
- memcpy(ip6str, start, end - start);
- end++;
- memcpy(&tftp_addr.v6, str2ip6(ip6str), 16);
-@@ -270,14 +273,16 @@
- static EFI_STATUS parseDhcp6()
- {
- EFI_PXE_BASE_CODE_DHCPV6_PACKET *packet = (EFI_PXE_BASE_CODE_DHCPV6_PACKET *)&pxe->Mode->DhcpAck.Raw;
-- char *bootfile_url;
--
-+ CHAR8 *bootfile_url;
-
- bootfile_url = get_v6_bootfile_url(packet);
-- if (extract_tftp_info(bootfile_url) == FALSE)
-- return EFI_NOT_FOUND;
- if (!bootfile_url)
- return EFI_NOT_FOUND;
-+ if (extract_tftp_info(bootfile_url) == FALSE) {
-+ FreePool(bootfile_url);
-+ return EFI_NOT_FOUND;
-+ }
-+ FreePool(bootfile_url);
- return EFI_SUCCESS;
- }
-
-@@ -350,6 +355,8 @@
- goto try_again;
- }
-
-+ if (rc != EFI_SUCCESS && *buffer) {
-+ FreePool(*buffer);
-+ }
- return rc;
--
- }
diff --git a/debian/patches/no-output-by-default.patch b/debian/patches/no-output-by-default.patch
deleted file mode 100644
index 52cda502..00000000
--- a/debian/patches/no-output-by-default.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-Description: Don't print any informational messages
- Unless the operation has failed, we shouldn't print anything at all while
- booting. Suppress informational messages about the current SecureBoot
- policy or how the image's signature was verified.
-Author: Steve Langasek <steve.langasek@canonical.com>
-Bug-Ubuntu: https://bugs.launchpad.net/bugs/1074302
-
-Index: shim/shim.c
-===================================================================
---- shim.orig/shim.c
-+++ shim/shim.c
-@@ -430,7 +430,6 @@
-
- /* FIXME - more paranoia here? */
- if (status != EFI_SUCCESS || sb != 1) {
-- Print(L"Secure boot not enabled\n");
- return FALSE;
- }
-
-@@ -438,7 +437,6 @@
- (void *)&setupmode);
-
- if (status == EFI_SUCCESS && setupmode == 1) {
-- Print(L"Platform is in setup mode\n");
- return FALSE;
- }
-
-@@ -698,7 +696,6 @@
- status = check_whitelist(cert, sha256hash, sha1hash);
-
- if (status == EFI_SUCCESS) {
-- Print(L"Binary is whitelisted\n");
- return status;
- }
-
-@@ -710,7 +707,6 @@
- shim_cert, sizeof(shim_cert), sha256hash,
- SHA256_DIGEST_SIZE)) {
- status = EFI_SUCCESS;
-- Print(L"Binary is verified by the vendor certificate\n");
- return status;
- }
-
-@@ -723,7 +719,6 @@
- vendor_cert, vendor_cert_size, sha256hash,
- SHA256_DIGEST_SIZE)) {
- status = EFI_SUCCESS;
-- Print(L"Binary is verified by the vendor certificate\n");
- return status;
- }
-
diff --git a/debian/patches/no-print-on-unsigned b/debian/patches/no-print-on-unsigned
deleted file mode 100644
index 6dcc0977..00000000
--- a/debian/patches/no-print-on-unsigned
+++ /dev/null
@@ -1,19 +0,0 @@
-Description: Don't print any message when validating an unsigned binary
- Printing the error message when validating an unsigned binary was causing
- the boot to hang on Lenovo machines, possibly because of a broken Print()
- implementation in those firmware (or some interaction with grub).
-Author: Stéphane Graber <stgraber@ubuntu.com>
-Bug-Ubuntu: https://bugs.launchpad.net/bugs/1087501
-
-Index: shim-clean/shim.c
-===================================================================
---- shim-clean.orig/shim.c 2013-08-08 16:19:11.886403060 +0200
-+++ shim-clean/shim.c 2013-08-08 16:20:09.590405204 +0200
-@@ -652,7 +652,6 @@
- unsigned int size = datasize;
-
- if (context->SecDir->Size == 0) {
-- Print(L"Empty security header\n");
- return EFI_INVALID_PARAMETER;
- }
-
diff --git a/debian/patches/second-stage-path b/debian/patches/second-stage-path
index 63c5d443..d9265bea 100644
--- a/debian/patches/second-stage-path
+++ b/debian/patches/second-stage-path
@@ -5,16 +5,16 @@ Description: Chainload grubx64.efi, not grub.efi
 anyway, not grub.efi.)
 Author: Steve Langasek <steve.langasek@ubuntu.com>
 
-Index: shim/shim.c
+Index: shim/Makefile
 ===================================================================
---- shim.orig/shim.c
-+++ shim/shim.c
-@@ -43,7 +43,7 @@
- #include "shim_cert.h"
- #include "ucs2.h"
-
--#define DEFAULT_LOADER L"\\grub.efi"
-+#define DEFAULT_LOADER L"\\grubx64.efi"
- #define FALLBACK L"\\fallback.efi"
- #define MOK_MANAGER L"\\MokManager.efi"
+--- shim.orig/Makefile
++++ shim/Makefile
+@@ -14,7 +14,7 @@
+ EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
+ EFI_LDS = elf_$(ARCH)_efi.lds
 
+-DEFAULT_LOADER := \\\\grub.efi
++DEFAULT_LOADER := \\\\grubx64.efi
+ CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
+ -fshort-wchar -Wall -Werror -mno-red-zone -maccumulate-outgoing-args \
+ -mno-mmx -mno-sse -fno-builtin \
diff --git a/debian/patches/series b/debian/patches/series
index f37a5e39..78756329 100644
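Review bot: The refreshed second-stage-path patch sets `DEFAULT_LOADER := \\\\grubx64.efi` as a fixed string, while the Makefile context in the same hunk derives its other file names from `$(ARCH)` (`crt0-efi-$(ARCH).o`, `elf_$(ARCH)_efi.lds`), so a build for any other architecture would still have shim chainload an x64-named second stage. If only x86_64 is ever built this is harmless, but the patch header should say so, for example `Note: the loader name is x86_64-specific; revisit if other architectures are built.` The header lines visible here also carry no `Forwarded:` field, so the page does not show whether this delta is meant to stay distribution-only; the first four lines of the header are outside the hunk.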
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,10 +1,3 @@
 prototypes
 second-stage-path
 sbsigntool-not-pesign
-no-output-by-default.patch
-no-print-on-unsigned
-fix-tftp-prototype
-build-with-Werror
-fix-compiler-warnings
-tftp-proper-nul-termination
-netboot-cleanup
diff --git a/debian/patches/tftp-proper-nul-termination b/debian/patches/tftp-proper-nul-termination
deleted file mode 100644
index 0a105d86..00000000
--- a/debian/patches/tftp-proper-nul-termination
+++ /dev/null
@@ -1,81 +0,0 @@
-Description: fix nul termination errors in filenames passed to tftp
- Fix various errors in the tftp string handling, to ensure we always have
- properly nul-terminated strings.
-Author: Steve Langasek <steve.langasek@ubuntu.com>
-
-Index: shim/netboot.c
-===================================================================
---- shim.orig/netboot.c
-+++ shim/netboot.c
-@@ -227,15 +227,15 @@
-
- static BOOLEAN extract_tftp_info(char *url)
- {
-- char *start, *end;
-+ CHAR8 *start, *end;
- char ip6str[128];
-- char *template = "/grubx64.efi";
-+ CHAR8 *template = (CHAR8 *)"/grubx64.efi";
-
- if (strncmp((UINT8 *)url, (UINT8 *)"tftp://", 7)) {
- Print(L"URLS MUST START WITH tftp://\n");
- return FALSE;
- }
-- start = url + 7;
-+ start = (CHAR8 *)url + 7;
- if (*start != '[') {
- Print(L"TFTP SERVER MUST BE ENCLOSED IN [..]\n");
- return FALSE;
-@@ -250,21 +250,19 @@
- Print(L"TFTP SERVER MUST BE ENCLOSED IN [..]\n");
- return FALSE;
- }
-- *end = '\0';
- memset(ip6str, 0, 128);
-- memcpy(ip6str, start, strlen((UINT8 *)start));
-- *end = ']';
-+ memcpy(ip6str, start, end - start);
- end++;
- memcpy(&tftp_addr.v6, str2ip6(ip6str), 16);
-- full_path = AllocatePool(strlen((UINT8 *)end)+strlen((UINT8 *)template)+1);
-+ full_path = AllocateZeroPool(strlen(end)+strlen(template)+1);
- if (!full_path)
- return FALSE;
-- memset(full_path, 0, strlen((UINT8 *)end)+strlen((UINT8 *)template));
-- memcpy(full_path, end, strlen((UINT8 *)end));
-- end = strrchr((char *)full_path, '/');
-+ memcpy(full_path, end, strlen(end));
-+ end = (CHAR8 *)strrchr((char *)full_path, '/');
- if (!end)
-- end = (char *)full_path;
-- memcpy(end, template, strlen((UINT8 *)template));
-+ end = (CHAR8 *)full_path;
-+ memcpy(end, template, strlen(template));
-+ end[strlen(template)] = '\0';
-
- return TRUE;
- }
-@@ -285,19 +283,15 @@
-
- static EFI_STATUS parseDhcp4()
- {
-- char *template = "/grubx64.efi";
-- char *tmp = AllocatePool(16);
-+ CHAR8 *template = (CHAR8 *)"/grubx64.efi";
-+ full_path = AllocateZeroPool(strlen(template)+1);
-
--
-- if (!tmp)
-+ if (!full_path)
- return EFI_OUT_OF_RESOURCES;
-
--
- memcpy(&tftp_addr.v4, pxe->Mode->DhcpAck.Dhcpv4.BootpSiAddr, 4);
-
-- memcpy(tmp, template, 12);
-- tmp[13] = '\0';
-- full_path = (UINT8 *)tmp;
-+ memcpy(full_path, template, strlen(template));
-
- /* Note we don't capture the filename option here because we know its shim.efi
- * We instead assume the filename at the end of the path is going to be grubx64.efi
|
