Diffstat (limited to 'debian')
| mode | file | lines changed |
| -rw-r--r-- | debian/canonical-uefi-ca.der | bin, 0 -> 1080 bytes |
| -rw-r--r-- | debian/changelog | 93 |
| -rw-r--r-- | debian/compat | 1 |
| -rw-r--r-- | debian/control | 18 |
| -rw-r--r-- | debian/copyright | 33 |
| -rw-r--r-- | debian/patches/prototypes | 120 |
| -rw-r--r-- | debian/patches/sbsigntool-not-pesign | 22 |
| -rw-r--r-- | debian/patches/second-stage-path | 20 |
| -rw-r--r-- | debian/patches/series | 3 |
| -rwxr-xr-x | debian/rules | 7 |
| -rw-r--r-- | debian/shim.install | 3 |
| -rw-r--r-- | debian/source/format | 1 |
| -rw-r--r-- | debian/source/include-binaries | 1 |
13 files changed, 322 insertions, 0 deletions
diff --git a/debian/canonical-uefi-ca.der b/debian/canonical-uefi-ca.der Binary files differnew file mode 100644 index 00000000..b4098d9c --- /dev/null +++ b/debian/canonical-uefi-ca.der diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 00000000..da743e39 --- /dev/null +++ b/debian/changelog 
@@ -0,0 +1,93 @@ +shim (0.7-0ubuntu1) UNRELEASED; urgency=medium + + * New upstream release. + - fix spurious error message when fallback.efi is not present, as will + always be the case for removable media. LP: #1297069. + + -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 06 Oct 2014 15:39:49 -0700 + +shim (0.4-0ubuntu5) utopic; urgency=low + + * Install fallback.efi.signed as well, to lay the groundwork for fallback + handling (wanted when we have to move a drive between machines, or when + the firmware loses its marbles^W nvram). + + -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 04 Aug 2014 12:11:13 +0200 + +shim (0.4-0ubuntu4) saucy; urgency=low + + * debian/patches/fix-tftp-prototype: pass the right arguments to + EFI_PXE_BASE_CODE_TFTP_READ_FILE. + * debian/patches/build-with-Werror: Build with -Werror to catch future + prototype mismatches. + * debian/patches/fix-compiler-warnings: Fix remaining compiler + warnings in netboot.c. + * debian/patches/tftp-proper-nul-termination: fix nul termination + errors in filenames passed to tftp. + * debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to + the netboot code. + + -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 23 Sep 2013 00:30:00 -0700 + +shim (0.4-0ubuntu3) saucy; urgency=low + + [ Steve Langasek ] + * Install MokManager.efi.signed in the package. + * debian/patches/no-output-by-default.patch: Don't print any + informational messages. Closes LP: #1074302. + + [ Stéphane Graber ] + * debian/patches/no-print-on-unsigned: Don't print an error message when + validating an unsigned binary as that tends to hang Lenovo machines. + (LP: #1087501) + + -- Stéphane Graber <stgraber@ubuntu.com> Thu, 08 Aug 2013 17:12:12 +0200 + +shim (0.4-0ubuntu2) saucy; urgency=low + + * Add missing build-dependency on openssl. + + -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 20:30:43 +0000 + +shim (0.4-0ubuntu1) saucy; urgency=low + + * New upstream release. 
+ * Drop debian/patches/shim-before-loadimage; upstream has changed this to + not call loadimage at all. + * debian/patches/sbsigntool-not-pesign: Sign MokManager with + sbsigntool instead of pesign. + * Add a versioned build-dependency on gnu-efi. + + -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 12:53:24 -0700 + +shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low + + * debian/patches/shim-before-loadimage: Use direct verification first + before LoadImage. Addresses an issue where Lenovo's SecureBoot + implementation pops an error message on any verification failure - avoid + calling LoadImage at all unless we have to. + + -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 10 Oct 2012 15:28:40 -0700 + +shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low + + * debian/patches/second-stage-path: Chainload grubx64.efi, not + grub.efi. + + -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 05 Oct 2012 11:20:58 -0700 + +shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low + + * debian/patches/prototypes: Include missing prototypes, and disable + use of BIO_new_file. + * Only build the package for amd64; we're not signing an i386 shim at this + stage so there's no point in building it. + + -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 17:47:04 +0000 + +shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low + + * Initial release. + * Include the Canonical Secure Boot master CA. + + -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 00:01:06 -0700 diff --git a/debian/compat b/debian/compat new file mode 100644 index 00000000..ec635144 --- /dev/null +++ b/debian/compat @@ -0,0 +1 @@ +9 diff --git a/debian/control b/debian/control new file mode 100644 index 00000000..0f71c7f7 --- /dev/null +++ b/debian/control 
@@ -0,0 +1,18 @@ +Source: shim +Section: admin +Priority: optional +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> +XSBC-Original-Maintainer: Steve Langasek <vorlon@debian.org> +Standards-Version: 3.9.3 +Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl +Vcs-Bzr: lp:ubuntu/shim + +Package: shim +Architecture: amd64 +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: boot loader to chain-load signed boot loaders under Secure Boot + This package provides a minimalist boot loader which allows verifying + signatures of other UEFI binaries against either the Secure Boot DB/DBX or + against a built-in signature database. Its purpose is to allow a small, + infrequently-changing binary to be signed by the UEFI CA, while allowing + an OS distributor to revision their main bootloader independently of the CA. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 00000000..d9f12756 --- /dev/null +++ b/debian/copyright 
@@ -0,0 +1,33 @@ +Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: shim +Upstream-Contact: Matthew Garrett <mjg@redhat.com> +Source: https://github.com/mjg59/shim.git + +Files: * +Copyright: 2012 Red Hat, Inc + 2009-2012 Intel Corporation +License: BSD-2-Clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + . + Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + . + Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the + distribution. + . + THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/debian/patches/prototypes b/debian/patches/prototypes new file mode 100644 index 00000000..f1d85ffd --- /dev/null +++ b/debian/patches/prototypes 
@@ -0,0 +1,120 @@ +Description: Include missing prototypes, and disable use of BIO_new_file + Pull in one missing prototype for ScanMem8() that's not yet upstream in + gnu-efi, and #ifdef out references to BIO_new_file() and BIO_new_fp() + since the prototypes are themselves #ifdef'ed out. + . + Without these prototypes, we get implicit conversions on amd64, which + are sensibly treated as a build failure by Launchpad. +Author: Steve Langasek <steve.langasek@ubuntu.com> + +Index: shim/Cryptlib/Library/BaseMemoryLib.h +=================================================================== +--- /dev/null ++++ shim/Cryptlib/Library/BaseMemoryLib.h +@@ -0,0 +1,11 @@ ++#ifndef __BASE_MEMORY_LIB__ ++#define __BASE_MEMORY_LIB__ ++ ++CHAR8 * ++ScanMem8 ( ++ IN CHAR8 *Buffer, ++ IN UINTN Size, ++ IN CHAR8 Value ++ ); ++ ++#endif +Index: shim/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c +=================================================================== +--- shim.orig/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c ++++ shim/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c +@@ -157,6 +157,7 @@ + } + OPENSSL_free(tmp_data2); + } ++#ifndef OPENSSL_NO_STDIO + else if (strncmp(val->value, "file:", 5) == 0) + { + unsigned char buf[2048]; +@@ -194,6 +195,7 @@ + goto err; + } + } ++#endif + else if (strncmp(val->value, "text:", 5) == 0) + { + val_len = strlen(val->value + 5); +Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_def.c +=================================================================== +--- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_def.c ++++ shim/Cryptlib/OpenSSL/crypto/conf/conf_def.c +@@ -186,11 +186,13 @@ + int ret; + BIO *in=NULL; + ++#ifndef OPENSSL_NO_STDIO + #ifdef OPENSSL_SYS_VMS + in=BIO_new_file(name, "r"); + #else + in=BIO_new_file(name, "rb"); + #endif ++#endif + if (in == NULL) + { + if (ERR_GET_REASON(ERR_peek_last_error()) == BIO_R_NO_SUCH_FILE) +Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_lib.c +=================================================================== +--- 
shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_lib.c ++++ shim/Cryptlib/OpenSSL/crypto/conf/conf_lib.c +@@ -92,11 +92,13 @@ + LHASH *ltmp; + BIO *in=NULL; + ++#ifndef OPENSSL_NO_STDIO + #ifdef OPENSSL_SYS_VMS + in=BIO_new_file(file, "r"); + #else + in=BIO_new_file(file, "rb"); + #endif ++#endif + if (in == NULL) + { + CONFerr(CONF_F_CONF_LOAD,ERR_R_SYS_LIB); +Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_sap.c +=================================================================== +--- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_sap.c ++++ shim/Cryptlib/OpenSSL/crypto/conf/conf_sap.c +@@ -93,12 +93,14 @@ + { + BIO *bio_err; + ERR_load_crypto_strings(); ++#ifndef OPENSSL_NO_STDIO + if ((bio_err=BIO_new_fp(stderr, BIO_NOCLOSE)) != NULL) + { + BIO_printf(bio_err,"Auto configuration failed\n"); + ERR_print_errors(bio_err); + BIO_free(bio_err); + } ++#endif + exit(1); + } + +Index: shim/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c +=================================================================== +--- shim.orig/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c ++++ shim/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c +@@ -374,11 +374,15 @@ + BIO *in; + EVP_PKEY *key; + fprintf(stderr, "(TEST_ENG_OPENSSL_PKEY)Loading Private key %s\n", key_id); ++#ifndef OPENSSL_NO_STDIO + in = BIO_new_file(key_id, "r"); + if (!in) + return NULL; + key = PEM_read_bio_PrivateKey(in, NULL, 0, NULL); + BIO_free(in); ++#else ++ return NULL; ++#endif + return key; + } + #endif diff --git a/debian/patches/sbsigntool-not-pesign b/debian/patches/sbsigntool-not-pesign new file mode 100644 index 00000000..66b0f121 --- /dev/null +++ b/debian/patches/sbsigntool-not-pesign 
@@ -0,0 +1,22 @@ +Description: Sign MokManager with sbsigntool instead of pesign + Ubuntu infrastructure uses sbsigntool for all other EFI signing, so we use + the same thing for signing MokManager with our ephemeral key. This also + avoids an additional build dependency on libnss3-tools. +Author: Steve Langasek <steve.langasek@canonical.com> +Forwarded: not-needed + +Index: shim/Makefile +=================================================================== +--- shim.orig/Makefile ++++ shim/Makefile +@@ -88,8 +88,8 @@ + -j .debug_line -j .debug_str -j .debug_ranges \ + --target=efi-app-$(ARCH) $^ $@.debug + +-%.efi.signed: %.efi certdb/secmod.db +- pesign -n certdb -i $< -c "shim" -s -o $@ -f ++%.efi.signed: %.efi shim.crt ++ sbsign --key shim.key --cert shim.crt $< + + clean: + $(MAKE) -C Cryptlib clean diff --git a/debian/patches/second-stage-path b/debian/patches/second-stage-path new file mode 100644 index 00000000..d9265bea --- /dev/null +++ b/debian/patches/second-stage-path @@ -0,0 +1,20 @@ +Description: Chainload grubx64.efi, not grub.efi + We qualify the second stage bootloader image with the architecture name, + so we're forwards-compatible with any future 32-bit implementations. + (Non-SB grub doesn't conflict, since the image will be named bootia32.efi + anyway, not grub.efi.) +Author: Steve Langasek <steve.langasek@ubuntu.com> + +Index: shim/Makefile +=================================================================== +--- shim.orig/Makefile ++++ shim/Makefile +@@ -14,7 +14,7 @@ + EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o + EFI_LDS = elf_$(ARCH)_efi.lds + +-DEFAULT_LOADER := \\\\grub.efi ++DEFAULT_LOADER := \\\\grubx64.efi + CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ + -fshort-wchar -Wall -Werror -mno-red-zone -maccumulate-outgoing-args \ + -mno-mmx -mno-sse -fno-builtin \ diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 00000000..78756329 --- /dev/null +++ b/debian/patches/series 
@@ -0,0 +1,3 @@ +prototypes +second-stage-path +sbsigntool-not-pesign diff --git a/debian/rules b/debian/rules new file mode 100755 index 00000000..28523b56 --- /dev/null +++ b/debian/rules @@ -0,0 +1,7 @@ +#!/usr/bin/make -f + +%: + dh $@ + +override_dh_auto_build: + dh_auto_build -- EFI_PATH=/usr/lib VENDOR_CERT_FILE=debian/canonical-uefi-ca.der diff --git a/debian/shim.install b/debian/shim.install new file mode 100644 index 00000000..97d99c43 --- /dev/null +++ b/debian/shim.install @@ -0,0 +1,3 @@ +shim.efi /usr/lib/shim +MokManager.efi.signed /usr/lib/shim +fallback.efi.signed /usr/lib/shim diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 00000000..163aaf8d --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/debian/source/include-binaries b/debian/source/include-binaries new file mode 100644 index 00000000..5be73be9 --- /dev/null +++ b/debian/source/include-binaries @@ -0,0 +1 @@ +debian/canonical-uefi-ca.der |
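Review bot: the 0.7-0ubuntu1 changelog entry says only "New upstream release" but debian/patches/series now lists just prototypes, second-stage-path and sbsigntool-not-pesign, so the five patches recorded under 0.4-0ubuntu4 (fix-tftp-prototype, build-with-Werror, fix-compiler-warnings, tftp-proper-nul-termination, netboot-cleanup) and the two under 0.4-0ubuntu3 (no-output-by-default.patch, no-print-on-unsigned) have silently disappeared. Please add a "Drop ... , merged upstream" line to the 0.7-0ubuntu1 entry so the fate of each patch, and in particular the TFTP NUL-termination fix, is auditable from the changelog.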
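Review bot: in debian/copyright the single "Files: *" stanza declares BSD-2-Clause for everything, yet the prototypes patch itself modifies shim/Cryptlib/OpenSSL/crypto/... files, so the source tree bundles OpenSSL under its own licence (and the "2009-2012 Intel Corporation" line points at the EDK2-derived Cryptlib). Add separate "Files: Cryptlib/OpenSSL/*" and "Files: Cryptlib/*" stanzas with the correct licence text rather than folding them into the BSD-2-Clause block.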
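Review bot: the prototypes patch lacks a DEP-3 "Forwarded:" field, unlike sbsigntool-not-pesign, even though its own Description says the ScanMem8() prototype "is not yet upstream in gnu-efi" and the OPENSSL_NO_STDIO guards are generic fixes; state whether each part was sent upstream. Two smaller points in the same patch: the Description's "implicit conversions" should read "implicit function declarations", since that is what truncates a 64-bit pointer return to int on amd64, and in the conf_def.c and conf_lib.c hunks, when OPENSSL_NO_STDIO is defined `in` stays NULL without any error having been queued, so the following `ERR_peek_last_error()` check reports whatever stale error happens to be on the queue; consider raising an explicit error inside the `#else` branch.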
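Review bot: in the sbsigntool-not-pesign Makefile hunk the new rule `%.efi.signed: %.efi shim.crt` runs `sbsign --key shim.key --cert shim.crt $<` with no `--output $@`, so it relies on sbsign's default of writing `<input>.signed`; pass `--output $@` explicitly so the target name and the produced file cannot drift apart. The rule also lists shim.crt but not shim.key as a prerequisite, so a missing or stale key is not caught by make; add shim.key to the prerequisites. Since the Description calls this an "ephemeral key", it would also help to say in the patch header where shim.key/shim.crt are generated and that they are regenerated per build.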
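Review bot: the second-stage-path patch Description says the second-stage image is qualified "with the architecture name, so we're forwards-compatible with any future 32-bit implementations", but the hunk hardcodes `DEFAULT_LOADER := \\\\grubx64.efi` rather than deriving the name from `$(ARCH)` that the surrounding lines already use for `crt0-efi-$(ARCH).o` and `elf_$(ARCH)_efi.lds`. Either derive the loader name from the arch (noting that gnu-efi's ARCH value is not literally "x64", so a small mapping is needed) or reword the Description to say the package is amd64-only, which matches `Architecture: amd64` in debian/control.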
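Review bot: debian/rules passes `VENDOR_CERT_FILE=debian/canonical-uefi-ca.der`, which embeds the binary DER from debian/source/include-binaries as the trust anchor for everything shim will verify, yet nothing in the diff records how a reviewer can confirm that blob is the intended Canonical Secure Boot master CA. Please add a README.source (or a comment in debian/rules) giving the expected certificate subject and fingerprint, e.g. as printed by `openssl x509 -inform der -in debian/canonical-uefi-ca.der -noout -subject -fingerprint`, so a swapped or corrupted DER is detectable at review time. Separately, debian/shim.install ships shim.efi unsigned alongside MokManager.efi.signed and fallback.efi.signed; a short note that shim.efi is signed out-of-band by the UEFI CA, as the control Description implies, would make the trust chain explicit.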
