| Age | Commit message (Collapse) | Author |
|---|
|
|
|
Debian kernels are no longer signed for i386, it's time to stop
supporting i386 SB.
|
|
Changes-By: apply-multiarch-hints
|
|
otherwise our build won't be reproducible, doh!
|
|
We used to use efisiglist to generate the DBX list. Newer versions of
the pesign package don't include it any more, and the recommended
replacement tool is now efisecdb from efivar. Tweak the
generate_dbx_list script to work with both old and new. Let's make
backports easy...
|
|
|
|
Closes: #1022180
|
|
|
|
|
|
Add a Debian SBAT template, and rules to use it
Adds a build-dep on dos2unix
|
|
|
|
Fixes: lintian: out-of-date-standards-version
See-also: https://lintian.debian.org/tags/out-of-date-standards-version.html
|
|
Fixes: lintian: uses-debhelper-compat-file
See-also: https://lintian.debian.org/tags/uses-debhelper-compat-file.html
|
|
Fixes: lintian: package-uses-old-debhelper-compat-version
See-also: https://lintian.debian.org/tags/package-uses-old-debhelper-compat-version.html
|
|
|
|
Pull upstream commit aaa09b35e73c4a35fc119d225e5241199d7cf5aa to fix
an FTBFS.
|
|
|
|
This allow us to block executing binaries with specific
checksums. Generate the dbx list at runtime from a simple list of
sha256 hashes, so we can update this easily. If we need to also
blacklist a cert later, we'll need to update this code to add that
option too.
Add a build-dep on pesign to get the needed efisiglist program.
|
|
To get better control of reproducibility during the lifetime of
Buster
|
|
|
|
Remove potential confusion with shim-signed. We will now end up with
shim-helpers-$arch-signed to make it clear that they just contain the
helper binaries (fb.efi and mm.efi)
|
|
Add me and vorlon to the Uploaders list
|
|
|
|
for getting the MOK-manager and fall-back binary to be signed by Debians
singing service instead of using an ephemeral key.
Closes: #922228
|
|
as all EFI binaries are now unsigned. They are useless to any normal
user as
- shim is useless without being signed by an external UEFI CA.
- mm and fb won't be loaded by shim as they are now no longer linked to
corresponding shim by the ephemeral key any longer.
|
|
|
|
|
|
|
|
- debian/patches/second-stage-path: dropped; the default loader path now
includes an arch suffix.
- debian/patches/sbsigntool-no-pesign: dropped; no longer needed.
* Drop remaining patches that were not being applied.
* Sync packaging from Ubuntu:
- debian/copyright: Update upstream source location.
- debian/control: add a Build-Depends on libelf-dev.
- Enable arm64 build.
- debian/patches/fixup_git.patch: don't run git in clean; we're not
really in a git tree.
- debian/rules, debian/shim.install: use the upstream install target as
intended, and move files to the target directory using dh_install.
- define RELEASE and COMMIT_ID for the snapshot.
- Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
- Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
options: set MAKELEVEL.
- Define an EFI_ARCH variable, and use that for paths to shim. This
makes it possible to build a shim for other architectures than amd64.
- Set EFIDIR=$distro for dh_auto_install; that will let files be installed
in the "right" final directories, and makes boot.csv for us.
- Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
at compile-time for MokManager and fallback.
- Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
and MokManager.
|
|
|
|
|
|
|
|
shim will now build and ship BOOT.CSV by itself.
|
|
|
|
|
|
|
|
* Update Standards-Version.
* Embed the newly-minted Debian CA certificate.
* Vendorize debian/rules so that the same package can be used in both
Debian and Ubuntu without modification.
* Fix debian/copyright to match the spec (last match wins, not first)
* Fix shim.efi to not be executable.
* Add watchfile.
* Support parallel builds, because eh why not
* Update Vcs-Bzr.
|
|
|
|
|
|
in 3.0k to build the netboot support.
|
|
sbsigntool instead of pesign.
|
|
stage so there's no point in building it.
|
|
|
|
|
