From bd98c8fd1c1bd2eeb4b1c84c861e59e8ccf25111 Mon Sep 17 00:00:00 2001
From: Mathieu Trudel-Lapierre
Date: Mon, 7 Aug 2017 17:24:36 -0400
Subject: Update changelog/changes for released 0.9+1474479173.6c180c6-1ubuntu1
---
...01-shim-fix-the-mirroring-MokSBState-fail.patch | 71 ++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 72 insertions(+)
create mode 100644 debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch
(limited to 'debian/patches')
diff --git a/debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch b/debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch
new file mode 100644
index 00000000..61117d80
--- /dev/null
+++ b/debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch
@@ -0,0 +1,71 @@
+From 1681bd7282e606e961c0d1bfafcf807a32bc912d Mon Sep 17 00:00:00 2001
+From: Ivan Hu
+Date: Tue, 22 Nov 2016 06:26:01 +0800
+Subject: [PATCH] shim: fix the mirroring MokSBState fail
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1644806
+
+Some machines have already embedded MokSBStateRT varaible with
+EFI_VARIABLE_NON_VOLATILE attribute, and some users might disable shim
+vailidation manually by creating MokSBStateRT. It causes mirroring MokSBState
+fail because the variable cannot be set with different attribute again, and gets
+error massage every time when booting.
+
+Fix it with checking the MokSBStateRT existence and deleting it before
+mirroring it.
+
+Signed-off-by: Ivan Hu
+Signed-off-by: Mathieu Trudel-Lapierre
+---
+ shim.c | 34 ++++++++++++++++++++++++----------
+ 1 file changed, 24 insertions(+), 10 deletions(-)
+
+diff --git a/shim.c b/shim.c
+index c69961b..90ea784 100644
+--- a/shim.c
++++ b/shim.c
+@@ -2013,18 +2013,32 @@ EFI_STATUS mirror_mok_sb_state()
+ UINTN DataSize = 0;
+
+ efi_status = get_variable(L"MokSBState", &Data, &DataSize, shim_lock_guid);
+- if (efi_status != EFI_SUCCESS)
+- return efi_status;
++ if (efi_status == EFI_SUCCESS) {
++ UINT8 *Data_RT = NULL;
++ UINTN DataSize_RT = 0;
++
++ efi_status = get_variable(L"MokSBStateRT", &Data_RT,
++ &DataSize_RT, shim_lock_guid);
++ if (efi_status == EFI_SUCCESS) {
++ efi_status = uefi_call_wrapper(RT->SetVariable, 5,
++ L"MokSBStateRT",
++ &shim_lock_guid,
++ EFI_VARIABLE_BOOTSERVICE_ACCESS
++ | EFI_VARIABLE_RUNTIME_ACCESS
++ | EFI_VARIABLE_NON_VOLATILE,
++ 0, NULL);
++ }
+
+- efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokSBStateRT",
+- &shim_lock_guid,
+- EFI_VARIABLE_BOOTSERVICE_ACCESS
+- | EFI_VARIABLE_RUNTIME_ACCESS,
+- DataSize, Data);
+- if (efi_status != EFI_SUCCESS) {
+- console_error(L"Failed to set MokSBStateRT", efi_status);
++ efi_status = uefi_call_wrapper(RT->SetVariable, 5,
++ L"MokSBStateRT",
++ &shim_lock_guid,
++
EFI_VARIABLE_BOOTSERVICE_ACCESS ++ | EFI_VARIABLE_RUNTIME_ACCESS, ++ DataSize, Data); ++ if (efi_status != EFI_SUCCESS) { ++ console_error(L"Failed to set MokSBStateRT", efi_status); ++ } + } +- + return efi_status; + } + +-- +2.7.4 + diff --git a/debian/patches/series b/debian/patches/series index a5f3392d..34c3f92b 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,3 @@ second-stage-path sbsigntool-not-pesign +0001-shim-fix-the-mirroring-MokSBState-fail.patch -- cgit v1.2.3 From 94190a1cd8faa7217ac9c83f0b3e6bcad302ca53 Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Mon, 7 Aug 2017 17:39:45 -0400 Subject: Set DEFAULT_LOADER; this makes second-stage-path unnecessary. --- debian/changelog | 3 +++ debian/patches/second-stage-path | 24 ------------------------ debian/patches/series | 1 - debian/rules | 1 + 4 files changed, 4 insertions(+), 25 deletions(-) delete mode 100644 debian/patches/second-stage-path (limited to 'debian/patches') diff --git a/debian/changelog b/debian/changelog index d59d15cb..e697abf1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -5,6 +5,9 @@ shim (12+1501864225.b586175-0) UNRELEASED; urgency=medium * debian/rules: - Update dh_auto_build/dh_auto_clean for new upstream options: set MAKELEVEL. + - Set DEFAULT_LOADER; this makes second-stage-path unnecessary. + * debian/patches/second-stage-path: dropped. + -- Mathieu Trudel-Lapierre Fri, 04 Aug 2017 12:33:22 -0400 diff --git a/debian/patches/second-stage-path b/debian/patches/second-stage-path deleted file mode 100644 index da53af8e..00000000 --- a/debian/patches/second-stage-path +++ /dev/null 
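Review bot: The stale-MokSBStateRT cleanup sits inside the added `if (efi_status == EFI_SUCCESS) {` branch of mirror_mok_sb_state(), so it only runs when MokSBState exists; a non-volatile MokSBStateRT created from the OS (the case the commit message describes) is left in place whenever MokSBState is absent, and a consumer reading MokSBStateRT would then see a value shim never mirrored. The status of the deleting SetVariable call is also overwritten by the next call without being checked, and Data_RT is never released, which is a leak if get_variable allocates the buffer it returns (not shown in this hunk). I would do the lookup and delete before the MokSBState check, free Data_RT, and report a failed delete; the sketch keeps the attribute set the patch already uses. The function starts above the hunk, so its other declarations are elided.

```c
	/* … unchanged: efi_status, Data, DataSize declarations; Data_RT and DataSize_RT move up beside them … */

	/* Remove any pre-existing MokSBStateRT before looking at MokSBState,
	 * so a runtime-created copy never survives a boot in which shim has
	 * nothing to mirror. */
	efi_status = get_variable(L"MokSBStateRT", &Data_RT,
				  &DataSize_RT, shim_lock_guid);
	if (efi_status == EFI_SUCCESS) {
		FreePool(Data_RT);
		efi_status = uefi_call_wrapper(RT->SetVariable, 5,
					       L"MokSBStateRT",
					       &shim_lock_guid,
					       EFI_VARIABLE_BOOTSERVICE_ACCESS
					       | EFI_VARIABLE_RUNTIME_ACCESS
					       | EFI_VARIABLE_NON_VOLATILE,
					       0, NULL);
		if (efi_status != EFI_SUCCESS)
			console_error(L"Failed to delete MokSBStateRT", efi_status);
	}

	efi_status = get_variable(L"MokSBState", &Data, &DataSize, shim_lock_guid);
	if (efi_status != EFI_SUCCESS)
		return efi_status;

	/* … unchanged: SetVariable call mirroring MokSBState into MokSBStateRT, and its console_error … */
```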
@@ -1,24 +0,0 @@ -Description: Chainload grubx64.efi, not grub.efi - We qualify the second stage bootloader image with the architecture name, - so we're forwards-compatible with any future 32-bit implementations. - (Non-SB grub doesn't conflict, since the image will be named bootia32.efi - anyway, not grub.efi.) -Author: Steve Langasek - ---- - Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Index: b/Makefile -=================================================================== ---- a/Makefile -+++ b/Makefile -@@ -25,7 +25,7 @@ EFI_LIBS = -lefi -lgnuefi --start-group - EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o - EFI_LDS = elf_$(ARCH)_efi.lds - --DEFAULT_LOADER := \\\\grub.efi -+DEFAULT_LOADER := \\\\grubx64.efi - CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ - -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \ - -Werror=sign-compare -ffreestanding -std=gnu89 \ diff --git a/debian/patches/series b/debian/patches/series index 34c3f92b..20fe73c2 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,2 @@ -second-stage-path sbsigntool-not-pesign 0001-shim-fix-the-mirroring-MokSBState-fail.patch diff --git a/debian/rules b/debian/rules index db3ca61f..e51de0b7 100755 --- a/debian/rules +++ b/debian/rules @@ -19,6 +19,7 @@ override_dh_auto_build: dh_auto_build -- \ MAKELEVEL=0 \ EFI_PATH=/usr/lib \ + DEFAULT_LOADER=\\\grubx64.efi \ VENDOR_CERT_FILE=$(cert) override_dh_fixperms: -- cgit v1.2.3 From ea54c7675ffc8f9d435206db8798a3428c15734f Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Mon, 7 Aug 2017 17:42:12 -0400 Subject: debian/patches/sbsigntool-no-pesign: refreshed. --- debian/changelog | 2 +- debian/patches/sbsigntool-not-pesign | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'debian/patches') diff --git a/debian/changelog b/debian/changelog index e697abf1..e54306d1 100644 --- a/debian/changelog +++ b/debian/changelog 
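Review bot: `DEFAULT_LOADER=\\\grubx64.efi` in override_dh_auto_build pins the x64 loader name for every architecture and, as rendered here, carries three backslashes where the dropped second-stage-path patch used four (`\\\\grubx64.efi`) inside the Makefile. The value now passes through the recipe's shell before make and the C string literal see it, so it is worth confirming that the path shim ends up chainloading still begins with exactly one backslash. A comment above the line, such as `# DEFAULT_LOADER must reach the C string as one leading backslash; the recipe shell unwraps one level of escaping first`, would document the count, and deriving the name from the build architecture would avoid the hard-coded suffix. The recipe continues outside the hunk.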
@@ -7,7 +7,7 @@ shim (12+1501864225.b586175-0) UNRELEASED; urgency=medium MAKELEVEL. - Set DEFAULT_LOADER; this makes second-stage-path unnecessary. * debian/patches/second-stage-path: dropped. - + * debian/patches/sbsigntool-no-pesign: refreshed. -- Mathieu Trudel-Lapierre Fri, 04 Aug 2017 12:33:22 -0400 diff --git a/debian/patches/sbsigntool-not-pesign b/debian/patches/sbsigntool-not-pesign index 9629cb12..1220cabd 100644 --- a/debian/patches/sbsigntool-not-pesign +++ b/debian/patches/sbsigntool-not-pesign @@ -13,14 +13,14 @@ Index: b/Makefile =================================================================== --- a/Makefile +++ b/Makefile -@@ -158,8 +158,8 @@ endif +@@ -206,8 +206,8 @@ endif -j .note.gnu.build-id \ $(FORMAT) $^ $@.debug -%.efi.signed: %.efi certdb/secmod.db -- pesign -n certdb -i $< -c "shim" -s -o $@ -f +- $(PESIGN) -n certdb -i $< -c "shim" -s -o $@ -f +%.efi.signed: %.efi shim.crt + sbsign --key shim.key --cert shim.crt $< clean: - $(MAKE) -C Cryptlib clean + $(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean -- cgit v1.2.3 From 5ca483b97b9d1c1373fd17346dbf207c18455019 Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Mon, 7 Aug 2017 17:43:08 -0400 Subject: debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: dropped, included upstream. --- debian/changelog | 2 + ...01-shim-fix-the-mirroring-MokSBState-fail.patch | 71 ---------------------- debian/patches/series | 1 - 3 files changed, 2 insertions(+), 72 deletions(-) delete mode 100644 debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch (limited to 'debian/patches') diff --git a/debian/changelog b/debian/changelog index 147cdbc3..9ee00d3b 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -10,6 +10,8 @@ shim (12+1501864225.b586175-0) UNRELEASED; urgency=medium makes it possible to build a shim for other architectures than amd64. * debian/patches/second-stage-path: dropped. * debian/patches/sbsigntool-no-pesign: refreshed. + * debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: dropped, + included upstream. -- Mathieu Trudel-Lapierre Fri, 04 Aug 2017 12:33:22 -0400 diff --git a/debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch b/debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch deleted file mode 100644 index 61117d80..00000000 --- a/debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch +++ /dev/null 
@@ -1,71 +0,0 @@ -From 1681bd7282e606e961c0d1bfafcf807a32bc912d Mon Sep 17 00:00:00 2001 -From: Ivan Hu -Date: Tue, 22 Nov 2016 06:26:01 +0800 -Subject: [PATCH] shim: fix the mirroring MokSBState fail -Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1644806 - -Some machines have already embedded MokSBStateRT varaible with -EFI_VARIABLE_NON_VOLATILE attribute, and some users might disable shim -vailidation manually by creating MokSBStateRT. It causes mirroring MokSBState -fail because the variable cannot be set with different attribute again, and gets -error massage every time when booting. - -Fix it with checking the MokSBStateRT existence and deleting it before -mirroring it. - -Signed-off-by: Ivan Hu -Signed-off-by: Mathieu Trudel-Lapierre ---- - shim.c | 34 ++++++++++++++++++++++++---------- - 1 file changed, 24 insertions(+), 10 deletions(-) - -diff --git a/shim.c b/shim.c -index c69961b..90ea784 100644 ---- a/shim.c -+++ b/shim.c -@@ -2013,18 +2013,32 @@ EFI_STATUS mirror_mok_sb_state() - UINTN DataSize = 0; - - efi_status = get_variable(L"MokSBState", &Data, &DataSize, shim_lock_guid); -- if (efi_status != EFI_SUCCESS) -- return efi_status; -+ if (efi_status == EFI_SUCCESS) { -+ UINT8 *Data_RT = NULL; -+ UINTN DataSize_RT = 0; -+ -+ efi_status = get_variable(L"MokSBStateRT", &Data_RT, -+ &DataSize_RT, shim_lock_guid); -+ if (efi_status == EFI_SUCCESS) { -+ efi_status = uefi_call_wrapper(RT->SetVariable, 5, -+ L"MokSBStateRT", -+ &shim_lock_guid, -+ EFI_VARIABLE_BOOTSERVICE_ACCESS -+ | EFI_VARIABLE_RUNTIME_ACCESS -+ | EFI_VARIABLE_NON_VOLATILE, -+ 0, NULL); -+ } - -- efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokSBStateRT", -- &shim_lock_guid, -- EFI_VARIABLE_BOOTSERVICE_ACCESS -- | EFI_VARIABLE_RUNTIME_ACCESS, -- DataSize, Data); -- if (efi_status != EFI_SUCCESS) { -- console_error(L"Failed to set MokSBStateRT", efi_status); -+ efi_status = uefi_call_wrapper(RT->SetVariable, 5, -+ L"MokSBStateRT", -+ &shim_lock_guid, -+ 
EFI_VARIABLE_BOOTSERVICE_ACCESS -+ | EFI_VARIABLE_RUNTIME_ACCESS, -+ DataSize, Data); -+ if (efi_status != EFI_SUCCESS) { -+ console_error(L"Failed to set MokSBStateRT", efi_status); -+ } - } -- - return efi_status; - } - --- -2.7.4 - diff --git a/debian/patches/series b/debian/patches/series index 20fe73c2..b8e0e105 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1 @@ sbsigntool-not-pesign -0001-shim-fix-the-mirroring-MokSBState-fail.patch -- cgit v1.2.3 From 402fafb47564efc2281966aa39f9d2d25d73aec4 Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Tue, 29 Aug 2017 13:58:39 -0400 Subject: Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback and MokManager. Also drop debian/patches/sbsigntool-no-pesign: with this change from upstream it is no longer needed.. --- debian/changelog | 4 +++- debian/patches/sbsigntool-not-pesign | 26 -------------------------- debian/patches/series | 1 - debian/rules | 1 + 4 files changed, 4 insertions(+), 28 deletions(-) delete mode 100644 debian/patches/sbsigntool-not-pesign (limited to 'debian/patches') diff --git a/debian/changelog b/debian/changelog index 79d7966e..4afcdf19 100644 --- a/debian/changelog +++ b/debian/changelog @@ -9,9 +9,11 @@ shim (12+1503074702.5202f80-0ubuntu1) UNRELEASED; urgency=medium makes it possible to build a shim for other architectures than amd64. - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built at compile-time for MokManager and fallback. + - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback + and MokManager. * debian/patches/second-stage-path: dropped; the default loader path now includes an arch suffix. - * debian/patches/sbsigntool-no-pesign: refreshed. + * debian/patches/sbsigntool-no-pesign: dropped; no longer needed.. * debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: dropped, included upstream. 
diff --git a/debian/patches/sbsigntool-not-pesign b/debian/patches/sbsigntool-not-pesign deleted file mode 100644 index 1220cabd..00000000 --- a/debian/patches/sbsigntool-not-pesign +++ /dev/null @@ -1,26 +0,0 @@ -Description: Sign MokManager with sbsigntool instead of pesign - Ubuntu infrastructure uses sbsigntool for all other EFI signing, so we use - the same thing for signing MokManager with our ephemeral key. This also - avoids an additional build dependency on libnss3-tools. -Author: Steve Langasek -Forwarded: not-needed - ---- - Makefile | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -Index: b/Makefile -=================================================================== ---- a/Makefile -+++ b/Makefile -@@ -206,8 +206,8 @@ endif - -j .note.gnu.build-id \ - $(FORMAT) $^ $@.debug - --%.efi.signed: %.efi certdb/secmod.db -- $(PESIGN) -n certdb -i $< -c "shim" -s -o $@ -f -+%.efi.signed: %.efi shim.crt -+ sbsign --key shim.key --cert shim.crt $< - - clean: - $(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean diff --git a/debian/patches/series b/debian/patches/series index b8e0e105..e69de29b 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +0,0 @@ -sbsigntool-not-pesign diff --git a/debian/rules b/debian/rules index b5f21367..3dc47aee 100755 --- a/debian/rules +++ b/debian/rules @@ -24,6 +24,7 @@ override_dh_auto_build: MAKELEVEL=0 \ EFI_PATH=/usr/lib \ ENABLE_SHIM_CERT=1 \ + ENABLE_SBSIGN=1 \ VENDOR_CERT_FILE=$(cert) override_dh_fixperms: -- cgit v1.2.3 From 2993c0ee31017782413e48980f8380881cdbd137 Mon Sep 17 00:00:00 2001 
From: Mathieu Trudel-Lapierre Date: Tue, 29 Aug 2017 21:23:41 -0400 Subject: debian/patches/fix_makefile_phony.patch: fix a makefile bug causing shim to fail to build, because it gets confused about the .signed efi files. --- debian/changelog | 2 ++ debian/patches/fix_makefile_phony.patch | 22 ++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 25 insertions(+) create mode 100644 debian/patches/fix_makefile_phony.patch (limited to 'debian/patches') diff --git a/debian/changelog b/debian/changelog index 4afcdf19..6cd52d7f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -16,6 +16,8 @@ shim (12+1503074702.5202f80-0ubuntu1) UNRELEASED; urgency=medium * debian/patches/sbsigntool-no-pesign: dropped; no longer needed.. * debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: dropped, included upstream. + * debian/patches/fix_makefile_phony.patch: fix a makefile bug causing shim + to fail to build, because it gets confused about the .signed efi files. -- Mathieu Trudel-Lapierre Tue, 29 Aug 2017 13:55:45 -0400 diff --git a/debian/patches/fix_makefile_phony.patch b/debian/patches/fix_makefile_phony.patch new file mode 100644 index 00000000..8a8d4749 --- /dev/null +++ b/debian/patches/fix_makefile_phony.patch @@ -0,0 +1,22 @@ +From: Mathieu Trudel-Lapierre +Subject: Fix Makefile to successfully build for shim with cert and sbsign + +sbsign needs shim.key and shim.crt, but the only target that exists in +makefile is shim.crt. shim.key is a side-effect building shim.crt. + +--- + Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: b/Makefile +=================================================================== +--- a/Makefile ++++ b/Makefile +@@ -362,6 +362,6 @@ archive: tag + @rm -rf /tmp/shim-$(VERSION) + @echo "The archive is in shim-$(VERSION).tar.bz2" + +-.PHONY : install-deps ++.PHONY : install-deps shim.key + + export ARCH CC LD OBJCOPY EFI_INCLUDE 
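Review bot: Adding shim.key to `.PHONY` silences make's missing-target error but does not tell make that the key is produced by the shim.crt recipe, which is what the patch description says actually happens. A phony prerequisite is always treated as out of date, and nothing orders its use after shim.crt in a parallel build or checks that the key file exists before signing. Declaring the relationship instead, for example `shim.key: shim.crt ;`, keeps the ephemeral signing key tied to the certificate it is generated with. The rule that consumes shim.key is not in this hunk, so this rests on the description rather than on visible lines.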
diff --git a/debian/patches/series b/debian/patches/series index e69de29b..268dc0e6 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -0,0 +1 @@ +fix_makefile_phony.patch -- cgit v1.2.3 From 0e7f9a71d62abba31357b842825d38fd3fa3f18b Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Thu, 31 Aug 2017 19:08:49 -0400 Subject: debian/patches/buildid_write_return.patch: workaround our strict compile rules failing the build: make sure write calls check the return value. --- debian/changelog | 2 ++ debian/patches/buildid_write_return.patch | 35 +++++++++++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 38 insertions(+) create mode 100644 debian/patches/buildid_write_return.patch (limited to 'debian/patches') diff --git a/debian/changelog b/debian/changelog index 830e763d..806465b0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -24,6 +24,8 @@ shim (12+1503074702.5202f80-0ubuntu1~test3) artful; urgency=medium * debian/rules: clean up after *.signed files. * debian/shim.install: update paths in light of using shim's upstream install target. + * debian/patches/buildid_write_return.patch: workaround our strict compile + rules failing the build: make sure write calls check the return value. -- Mathieu Trudel-Lapierre Tue, 29 Aug 2017 22:45:30 -0400 diff --git a/debian/patches/buildid_write_return.patch b/debian/patches/buildid_write_return.patch new file mode 100644 index 00000000..268cbd33 --- /dev/null +++ b/debian/patches/buildid_write_return.patch 
@@ -0,0 +1,35 @@ +--- + buildid.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +Index: b/buildid.c +=================================================================== +--- a/buildid.c ++++ b/buildid.c +@@ -113,6 +113,7 @@ static void handle_one(char *f) + char *b = NULL; + size_t sz; + uint8_t *data; ++ ssize_t written; + + if (!strcmp(f, "-")) { + fd = STDIN_FILENO; +@@ -132,10 +133,14 @@ static void handle_one(char *f) + b = alloca(sz * 2 + 1); + data2hex(data, sz, b); + if (b) { +- write(1, f, strlen(f)); +- write(1, " ", 1); +- write(1, b, strlen(b)); +- write(1, "\n", 1); ++ written = write(1, f, strlen(f)); ++ if (written < 0) ++ errx(1, "Error writing build id"); ++ written = write(1, " ", 1); ++ written = write(1, b, strlen(b)); ++ if (written < 0) ++ errx(1, "Error writing build id"); ++ written = write(1, "\n", 1); + } + } + elf_end(elf); diff --git a/debian/patches/series b/debian/patches/series index 268dc0e6..0f0fda43 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ fix_makefile_phony.patch +buildid_write_return.patch -- cgit v1.2.3 From 544696f3ade15d70a5d8389c481e964a164cd3de Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Wed, 13 Sep 2017 12:11:21 -0700 Subject: Drop PHONY fix patch; merged upstream. --- debian/changelog | 2 -- debian/patches/fix_makefile_phony.patch | 22 ---------------------- debian/patches/series | 1 - 3 files changed, 25 deletions(-) delete mode 100644 debian/patches/fix_makefile_phony.patch (limited to 'debian/patches') diff --git a/debian/changelog b/debian/changelog index e7cfd4f1..bef19f35 100644 --- a/debian/changelog +++ b/debian/changelog 
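Review bot: Only two of the four write() calls in handle_one() are actually checked: the results for `" "` and `"\n"` are stored in `written` and then overwritten or dropped, which quiets the unused-result warning without handling the failure. The two checks that exist test only `written < 0`, so a short write of the file name or the hex build id is accepted and the output line is silently truncated. Comparing against the requested length on every call, e.g. `if (write(1, b, strlen(b)) != (ssize_t)strlen(b)) errx(1, "Error writing build id");`, or routing all four through one small static helper, would make the patch do what its changelog entry says. handle_one() starts and ends outside the hunk.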
@@ -19,8 +19,6 @@ shim (12+1503074702.5202f80-0ubuntu1~test4) UNRELEASED; urgency=medium * debian/patches/sbsigntool-no-pesign: dropped; no longer needed.. * debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: dropped, included upstream. - * debian/patches/fix_makefile_phony.patch: fix a makefile bug causing shim - to fail to build, because it gets confused about the .signed efi files. * debian/rules: clean up after *.signed files. * debian/shim.install: update paths in light of using shim's upstream install target. diff --git a/debian/patches/fix_makefile_phony.patch b/debian/patches/fix_makefile_phony.patch deleted file mode 100644 index 8a8d4749..00000000 --- a/debian/patches/fix_makefile_phony.patch +++ /dev/null @@ -1,22 +0,0 @@ -From: Mathieu Trudel-Lapierre -Subject: Fix Makefile to successfully build for shim with cert and sbsign - -sbsign needs shim.key and shim.crt, but the only target that exists in -makefile is shim.crt. shim.key is a side-effect building shim.crt. - ---- - Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Index: b/Makefile -=================================================================== ---- a/Makefile -+++ b/Makefile -@@ -362,6 +362,6 @@ archive: tag - @rm -rf /tmp/shim-$(VERSION) - @echo "The archive is in shim-$(VERSION).tar.bz2" - --.PHONY : install-deps -+.PHONY : install-deps shim.key - - export ARCH CC LD OBJCOPY EFI_INCLUDE diff --git a/debian/patches/series b/debian/patches/series index 0f0fda43..db9eed12 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1 @@ -fix_makefile_phony.patch buildid_write_return.patch -- cgit v1.2.3 From 560a356bc7fd03341c7ff7ce9560e9e32cfb264c Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Fri, 29 Sep 2017 11:26:01 -0400 Subject: Drop buildid_write_return.patch; no longer needed. 
Signed-off-by: Mathieu Trudel-Lapierre --- debian/changelog | 2 -- debian/patches/buildid_write_return.patch | 35 ------------------------------- debian/patches/series | 1 - 3 files changed, 38 deletions(-) delete mode 100644 debian/patches/buildid_write_return.patch (limited to 'debian/patches') diff --git a/debian/changelog b/debian/changelog index a849dca5..7048958f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -23,8 +23,6 @@ shim (13-0ubuntu1) UNRELEASED; urgency=medium * debian/rules: clean up after *.signed files. * debian/shim.install: update paths in light of using shim's upstream install target. - * debian/patches/buildid_write_return.patch: workaround our strict compile - rules failing the build: make sure write calls check the return value. * debian/rules, debian/shim.install: make sure the 'make install' step does what it's meant to do by upstream: we can easily make use of the end result to have the files we need. diff --git a/debian/patches/buildid_write_return.patch b/debian/patches/buildid_write_return.patch deleted file mode 100644 index 268cbd33..00000000 --- a/debian/patches/buildid_write_return.patch +++ /dev/null 
@@ -1,35 +0,0 @@ ---- - buildid.c | 13 +++++++++---- - 1 file changed, 9 insertions(+), 4 deletions(-) - -Index: b/buildid.c -=================================================================== ---- a/buildid.c -+++ b/buildid.c -@@ -113,6 +113,7 @@ static void handle_one(char *f) - char *b = NULL; - size_t sz; - uint8_t *data; -+ ssize_t written; - - if (!strcmp(f, "-")) { - fd = STDIN_FILENO; -@@ -132,10 +133,14 @@ static void handle_one(char *f) - b = alloca(sz * 2 + 1); - data2hex(data, sz, b); - if (b) { -- write(1, f, strlen(f)); -- write(1, " ", 1); -- write(1, b, strlen(b)); -- write(1, "\n", 1); -+ written = write(1, f, strlen(f)); -+ if (written < 0) -+ errx(1, "Error writing build id"); -+ written = write(1, " ", 1); -+ written = write(1, b, strlen(b)); -+ if (written < 0) -+ errx(1, "Error writing build id"); -+ written = write(1, "\n", 1); - } - } - elf_end(elf); diff --git a/debian/patches/series b/debian/patches/series index db9eed12..e69de29b 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +0,0 @@ -buildid_write_return.patch -- cgit v1.2.3 From 81b34c16318358dda4aaf8701250dab3b0401b7d Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Mon, 6 Nov 2017 09:18:08 -0500 Subject: debian/patches/abort_abort_abort.patch: signtool.exe isn't happy with some of the structure of our binary, partly because abort() is thought to be an external symbol, which causes some relocalisations to appear. --- debian/changelog | 8 ++++++++ debian/patches/abort_abort_abort.patch | 18 ++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 27 insertions(+) create mode 100644 debian/patches/abort_abort_abort.patch (limited to 'debian/patches') diff --git a/debian/changelog b/debian/changelog index f55cf3c3..c5832328 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,11 @@ +shim (13-0ubuntu2) UNRELEASED; urgency=medium + + * debian/patches/abort_abort_abort.patch: signtool.exe isn't happy with some + of the structure of our binary, partly because abort() is thought to be an + external symbol, which causes some relocalisations to appear. + + -- Mathieu Trudel-Lapierre Mon, 06 Nov 2017 09:13:01 -0500 + shim (13-0ubuntu1) artful; urgency=medium * New upstream release: 13 diff --git a/debian/patches/abort_abort_abort.patch b/debian/patches/abort_abort_abort.patch new file mode 100644 index 00000000..2afdac4c --- /dev/null +++ b/debian/patches/abort_abort_abort.patch @@ -0,0 +1,18 @@ +From: Peter Jones +Subject: define abort to avoid an unnecessary reloc. + +--- + Cryptlib/Include/OpenSslSupport.h | 1 + + 1 file changed, 1 insertion(+) + +Index: b/Cryptlib/Include/OpenSslSupport.h +=================================================================== +--- a/Cryptlib/Include/OpenSslSupport.h ++++ b/Cryptlib/Include/OpenSslSupport.h +@@ -380,5 +380,6 @@ extern FILE *stdout; + #define atoi(nptr) AsciiStrDecimalToUintn(nptr) + #define gettimeofday(tvp,tz) do { (tvp)->tv_sec = time(NULL); (tvp)->tv_usec = 0; } while (0) + #define gmtime_r(timer,result) (result = NULL) ++#define abort() + + #endif diff --git a/debian/patches/series b/debian/patches/series index e69de29b..ae84c759 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -0,0 +1 @@ +abort_abort_abort.patch -- cgit v1.2.3 From d49114cbb96e016b205743032d4eb379aacada4f Mon Sep 17 00:00:00 2001 
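Review bot: `#define abort()` in OpenSslSupport.h expands every abort() call in the bundled crypto code to an empty statement, so any path that relied on abort() not returning now falls through and keeps executing. That removes the relocation the patch is after, but in code that verifies signatures a failed internal check should stop rather than continue on state it has just rejected. A non-returning expansion avoids the external symbol just as well, for example `#define abort() do { for (;;) { } } while (0)`, or a call to a halt routine shim already provides. Which call sites use abort() is not visible in this hunk, so the impact needs confirming against the Cryptlib sources.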
From: Mathieu Trudel-Lapierre Date: Tue, 7 Nov 2017 10:18:58 -0500 Subject: Clean up old patches. --- debian/patches/gcc-5.diff | 45 ------- debian/patches/gcc5-includes-stdarg.patch | 129 -------------------- debian/patches/prototypes | 191 ------------------------------ 3 files changed, 365 deletions(-) delete mode 100644 debian/patches/gcc-5.diff delete mode 100644 debian/patches/gcc5-includes-stdarg.patch delete mode 100644 debian/patches/prototypes (limited to 'debian/patches') diff --git a/debian/patches/gcc-5.diff b/debian/patches/gcc-5.diff deleted file mode 100644 index e706c3ab..00000000 --- a/debian/patches/gcc-5.diff +++ /dev/null 
@@ -1,45 +0,0 @@ ---- - Cryptlib/Makefile | 2 +- - Cryptlib/OpenSSL/Makefile | 2 +- - Makefile | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -Index: b/Makefile -=================================================================== ---- a/Makefile -+++ b/Makefile -@@ -19,7 +19,7 @@ EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(A - EFI_LDS = elf_$(ARCH)_efi.lds - - DEFAULT_LOADER := \\\\grubx64.efi --CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ -+CFLAGS = -std=gnu89 -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ - -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \ - -Werror=sign-compare \ - "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \ -Index: b/Cryptlib/Makefile -=================================================================== ---- a/Cryptlib/Makefile -+++ b/Cryptlib/Makefile -@@ -1,7 +1,7 @@ - - EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol - --CFLAGS = -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \ -+CFLAGS = -std=gnu89 -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \ - -Wall $(EFI_INCLUDES) - - ifeq ($(ARCH),x86_64) -Index: b/Cryptlib/OpenSSL/Makefile -=================================================================== ---- a/Cryptlib/OpenSSL/Makefile -+++ b/Cryptlib/OpenSSL/Makefile -@@ -1,7 +1,7 @@ - - EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol - --CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \ -+CFLAGS = -std=gnu89 -ggdb -O0 -I. -I.. 
-I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \ - -Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC - - ifeq ($(ARCH),x86_64) diff --git a/debian/patches/gcc5-includes-stdarg.patch b/debian/patches/gcc5-includes-stdarg.patch deleted file mode 100644 index 57cf4a8e..00000000 --- a/debian/patches/gcc5-includes-stdarg.patch +++ /dev/null 
@@ -1,129 +0,0 @@ -From d51739a416400ad348d8a1c7e3886abce11fff1b Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 7 Apr 2015 11:59:25 -0400 -Subject: [PATCH] gcc 5.0 changes some include bits, so copy what arm does on - x86. - -Basically they messed around with stdarg some and now we need to do it -the other way. - -Signed-off-by: Peter Jones ---- - Cryptlib/Include/OpenSslSupport.h | 4 +++- - Cryptlib/Makefile | 3 ++- - Cryptlib/OpenSSL/Makefile | 5 +++-- - Makefile | 17 ++++++----------- - MokManager.c | 1 + - 5 files changed, 15 insertions(+), 15 deletions(-) - -Index: b/Cryptlib/Include/OpenSslSupport.h -=================================================================== ---- a/Cryptlib/Include/OpenSslSupport.h -+++ b/Cryptlib/Include/OpenSslSupport.h -@@ -34,7 +34,7 @@ typedef VOID *FILE; - // - // Map all va_xxxx elements to VA_xxx defined in MdePkg/Include/Base.h - // --#if !defined(__CC_ARM) // if va_list is not already defined -+#if !defined(__CC_ARM) || defined(_STDARG_H) // if va_list is not already defined - /* - * These are now unconditionally #defined by GNU_EFI's efistdarg.h, - * so we should #undef them here before providing a new definition. -@@ -94,7 +94,9 @@ typedef __builtin_va_list VA_LIST; - portably, hence it is provided by a Standard C header file. - For pre-Standard C compilers, here is a version that usually works - (but watch out!): */ -+#ifndef offsetof - #define offsetof(type, member) ( (int) & ((type*)0) -> member ) -+#endif - - // - // Basic types from EFI Application Toolkit required to buiild Open SSL -Index: b/Cryptlib/Makefile -=================================================================== ---- a/Cryptlib/Makefile -+++ b/Cryptlib/Makefile -@@ -2,7 +2,8 @@ - EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol - - CFLAGS = -std=gnu89 -ggdb -O0 -I. 
-fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \ -- -Wall $(EFI_INCLUDES) -+ -Wall $(EFI_INCLUDES) \ -+ -ffreestanding -I$(shell $(CC) -print-file-name=include) - - ifeq ($(ARCH),x86_64) - CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \ -Index: b/Cryptlib/OpenSSL/Makefile -=================================================================== ---- a/Cryptlib/OpenSSL/Makefile -+++ b/Cryptlib/OpenSSL/Makefile -@@ -2,6 +2,7 @@ - EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol - - CFLAGS = -std=gnu89 -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \ -+ -ffreestanding -I$(shell $(CC) -print-file-name=include) \ - -Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC - - ifeq ($(ARCH),x86_64) -@@ -13,10 +14,10 @@ ifeq ($(ARCH),ia32) - -m32 -DTHIRTY_TWO_BIT - endif - ifeq ($(ARCH),aarch64) -- CFLAGS += -O2 -DSIXTY_FOUR_BIT_LONG -ffreestanding -I$(shell $(CC) -print-file-name=include) -+ CFLAGS += -O2 -DSIXTY_FOUR_BIT_LONG - endif - ifeq ($(ARCH),arm) -- CFLAGS += -O2 -DTHIRTY_TWO_BIT -ffreestanding -I$(shell $(CC) -print-file-name=include) -+ CFLAGS += -O2 -DTHIRTY_TWO_BIT - endif - LDFLAGS = -nostdlib -znocombreloc - -Index: b/Makefile -=================================================================== ---- a/Makefile -+++ b/Makefile -@@ -21,7 +21,8 @@ EFI_LDS = elf_$(ARCH)_efi.lds - DEFAULT_LOADER 
:= \\\\grubx64.efi - CFLAGS = -std=gnu89 -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ - -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \ -- -Werror=sign-compare \ -+ -Werror=sign-compare -ffreestanding \ -+ -I$(shell $(CC) -print-file-name=include) \ - "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \ - "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \ - $(EFI_INCLUDES) -@@ -31,19 +32,13 @@ ifneq ($(origin OVERRIDE_SECURITY_POLICY - endif - - ifeq ($(ARCH),x86_64) -- CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \ -+ CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \ -+ -maccumulate-outgoing-args \ - -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI - endif - ifeq ($(ARCH),ia32) -- CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -m32 --endif -- --ifeq ($(ARCH),aarch64) -- CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include) --endif -- --ifeq ($(ARCH),arm) -- CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include) -+ CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \ -+ -maccumulate-outgoing-args -m32 - endif - - ifneq ($(origin VENDOR_CERT_FILE), undefined) -Index: b/MokManager.c -=================================================================== ---- a/MokManager.c -+++ b/MokManager.c -@@ -1,5 +1,6 @@ - #include - #include -+#include - #include - #include - #include "shim.h" diff --git a/debian/patches/prototypes b/debian/patches/prototypes deleted file mode 100644 index 7191e102..00000000 --- a/debian/patches/prototypes +++ /dev/null 
@@ -1,191 +0,0 @@ -Description: Include missing prototypes, and disable use of BIO_new_file - Pull in missing prototypes for functions that are not yet upstream in - gnu-efi, and #ifdef out references to BIO_new_file(), BIO_new_fp(), and - X509_load_{cert,crl}_file since the prototypes are themselves #ifdef'ed - out. - . - Without these prototypes, we get implicit conversions on amd64, which - are sensibly treated as a build failure by Launchpad. -Author: Steve Langasek - -Index: shim/Cryptlib/Library/BaseMemoryLib.h -=================================================================== ---- /dev/null -+++ shim/Cryptlib/Library/BaseMemoryLib.h -@@ -0,0 +1,41 @@ -+#ifndef __BASE_MEMORY_LIB__ -+#define __BASE_MEMORY_LIB__ -+ -+CHAR8 * -+ScanMem8 ( -+ IN CHAR8 *Buffer, -+ IN UINTN Size, -+ IN CHAR8 Value -+ ); -+ -+UINT32 -+WriteUnaligned32( -+ UINT32 *Buffer, -+ UINT32 Value -+ ); -+ -+CHAR8 * -+AsciiStrCat( -+ CHAR8 *Destination, -+ CHAR8 *Source -+ ); -+ -+CHAR8 * -+AsciiStrCpy( -+ CHAR8 *Destination, -+ CHAR8 *Source -+ ); -+ -+CHAR8 * -+AsciiStrnCpy( -+ CHAR8 *Destination, -+ CHAR8 *Source, -+ UINTN count -+ ); -+ -+UINTN -+AsciiStrSize( -+ CHAR8 *string -+ ); -+ -+#endif -Index: shim/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c -=================================================================== ---- shim.orig/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c -+++ shim/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c -@@ -157,6 +157,7 @@ - } - OPENSSL_free(tmp_data2); - } -+#ifndef OPENSSL_NO_STDIO - else if (strncmp(val->value, "file:", 5) == 0) - { - unsigned char buf[2048]; -@@ -194,6 +195,7 @@ - goto err; - } - } -+#endif - else if (strncmp(val->value, "text:", 5) == 0) - { - val_len = strlen(val->value + 5); -Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_def.c -=================================================================== ---- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_def.c -+++ shim/Cryptlib/OpenSSL/crypto/conf/conf_def.c -@@ -186,11 +186,13 @@ - int ret; - BIO *in=NULL; - 
-+#ifndef OPENSSL_NO_STDIO - #ifdef OPENSSL_SYS_VMS - in=BIO_new_file(name, "r"); - #else - in=BIO_new_file(name, "rb"); - #endif -+#endif - if (in == NULL) - { - if (ERR_GET_REASON(ERR_peek_last_error()) == BIO_R_NO_SUCH_FILE) -Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_lib.c -=================================================================== ---- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_lib.c -+++ shim/Cryptlib/OpenSSL/crypto/conf/conf_lib.c -@@ -92,11 +92,13 @@ - LHASH *ltmp; - BIO *in=NULL; - -+#ifndef OPENSSL_NO_STDIO - #ifdef OPENSSL_SYS_VMS - in=BIO_new_file(file, "r"); - #else - in=BIO_new_file(file, "rb"); - #endif -+#endif - if (in == NULL) - { - CONFerr(CONF_F_CONF_LOAD,ERR_R_SYS_LIB); -Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_sap.c -=================================================================== ---- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_sap.c -+++ shim/Cryptlib/OpenSSL/crypto/conf/conf_sap.c -@@ -93,12 +93,14 @@ - { - BIO *bio_err; - ERR_load_crypto_strings(); -+#ifndef OPENSSL_NO_STDIO - if ((bio_err=BIO_new_fp(stderr, BIO_NOCLOSE)) != NULL) - { - BIO_printf(bio_err,"Auto configuration failed\n"); - ERR_print_errors(bio_err); - BIO_free(bio_err); - } -+#endif - exit(1); - } - -Index: shim/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c -=================================================================== ---- shim.orig/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c -+++ shim/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c -@@ -374,11 +374,15 @@ - BIO *in; - EVP_PKEY *key; - fprintf(stderr, "(TEST_ENG_OPENSSL_PKEY)Loading Private key %s\n", key_id); -+#ifndef OPENSSL_NO_STDIO - in = BIO_new_file(key_id, "r"); - if (!in) - return NULL; - key = PEM_read_bio_PrivateKey(in, NULL, 0, NULL); - BIO_free(in); -+#else -+ return NULL; -+#endif - return key; - } - #endif -Index: shim/Cryptlib/OpenSSL/crypto/x509/by_dir.c -=================================================================== ---- shim.orig/Cryptlib/OpenSSL/crypto/x509/by_dir.c -+++ 
shim/Cryptlib/OpenSSL/crypto/x509/by_dir.c -@@ -92,8 +92,10 @@ - static int new_dir(X509_LOOKUP *lu); - static void free_dir(X509_LOOKUP *lu); - static int add_cert_dir(BY_DIR *ctx,const char *dir,int type); -+#ifndef OPENSSL_NO_STDIO - static int get_cert_by_subject(X509_LOOKUP *xl,int type,X509_NAME *name, - X509_OBJECT *ret); -+#endif - X509_LOOKUP_METHOD x509_dir_lookup= - { - "Load certs from files in a directory", -@@ -102,7 +104,11 @@ - NULL, /* init */ - NULL, /* shutdown */ - dir_ctrl, /* ctrl */ -+#ifdef OPENSSL_NO_STDIO -+ NULL, /* get_by_subject */ -+#else - get_cert_by_subject, /* get_by_subject */ -+#endif - NULL, /* get_by_issuer_serial */ - NULL, /* get_by_fingerprint */ - NULL, /* get_by_alias */ -@@ -242,6 +248,7 @@ - return(1); - } - -+#ifndef OPENSSL_NO_STDIO - static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name, - X509_OBJECT *ret) - { -@@ -383,3 +390,4 @@ - if (b != NULL) BUF_MEM_free(b); - return(ok); - } -+#endif -- cgit v1.2.3 From 0283a7456e3c16c3c2430160e57ea4f838dc94dc Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Tue, 24 Jul 2018 16:26:53 -0400 Subject: debian/patches/abort_abort_abort.patch: dropped patch, included upstream. --- debian/changelog | 1 + debian/patches/abort_abort_abort.patch | 18 ------------------ debian/patches/series | 1 - 3 files changed, 1 insertion(+), 19 deletions(-) delete mode 100644 debian/patches/abort_abort_abort.patch (limited to 'debian/patches') diff --git a/debian/changelog b/debian/changelog index d1162720..5ea26c7d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -8,6 +8,7 @@ shim (15+1531942534.dd3230d-0ubuntu1) UNRELEASED; urgency=medium [ Mathieu Trudel-Lapierre ] * New upstream snapshot. + * debian/patches/abort_abort_abort.patch: dropped patch, included upstream. -- Mathieu Trudel-Lapierre Tue, 24 Jul 2018 16:24:51 -0400 
diff --git a/debian/patches/abort_abort_abort.patch b/debian/patches/abort_abort_abort.patch deleted file mode 100644 index 2afdac4c..00000000 --- a/debian/patches/abort_abort_abort.patch +++ /dev/null @@ -1,18 +0,0 @@ -From: Peter Jones -Subject: define abort to avoid an unnecessary reloc. - ---- - Cryptlib/Include/OpenSslSupport.h | 1 + - 1 file changed, 1 insertion(+) - -Index: b/Cryptlib/Include/OpenSslSupport.h -=================================================================== ---- a/Cryptlib/Include/OpenSslSupport.h -+++ b/Cryptlib/Include/OpenSslSupport.h -@@ -380,5 +380,6 @@ extern FILE *stdout; - #define atoi(nptr) AsciiStrDecimalToUintn(nptr) - #define gettimeofday(tvp,tz) do { (tvp)->tv_sec = time(NULL); (tvp)->tv_usec = 0; } while (0) - #define gmtime_r(timer,result) (result = NULL) -+#define abort() - - #endif diff --git a/debian/patches/series b/debian/patches/series index ae84c759..e69de29b 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +0,0 @@ -abort_abort_abort.patch -- cgit v1.2.3 From ad536b8717e068bed101ed8f495e7f7eb93a713d Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Tue, 24 Jul 2018 18:13:48 -0400 Subject: debian/patches/fixup_git.patch: don't run git in clean; we're not really in a git tree. --- debian/changelog | 2 ++ debian/patches/fixup_git.patch | 19 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 22 insertions(+) create mode 100644 debian/patches/fixup_git.patch (limited to 'debian/patches') diff --git a/debian/changelog b/debian/changelog index 5630d819..7253cb18 100644 --- a/debian/changelog +++ b/debian/changelog @@ -12,6 +12,8 @@ shim (15+1531942534.dd3230d-0ubuntu1) UNRELEASED; urgency=medium * debian/rules: - define RELEASE and COMMIT_ID for the snapshot. - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature. + * debian/patches/fixup_git.patch: don't run git in clean; we're not really + in a git tree. -- Mathieu Trudel-Lapierre Tue, 24 Jul 2018 16:24:51 -0400 
diff --git a/debian/patches/fixup_git.patch b/debian/patches/fixup_git.patch
new file mode 100644
index 00000000..33e9305d
--- /dev/null
+++ b/debian/patches/fixup_git.patch
@@ -0,0 +1,19 @@
+From: Mathieu Trudel-Lapierre
+Subject: We're not in a git tree, don't try to git clean.
+
+---
+ Makefile | 1 -
+ 1 file changed, 1 deletion(-)
+
+Index: b/Makefile
+===================================================================
+--- a/Makefile
++++ b/Makefile
+@@ -225,7 +225,6 @@ clean-shim-objs:
+ @rm -rvf $(TARGET) *.o $(SHIM_OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb $(BOOTCSVNAME)
+ @rm -vf *.debug *.so *.efi *.efi.* *.tar.* version.c buildid
+ @rm -vf Cryptlib/*.[oa] Cryptlib/*/*.[oa]
+- @git clean -f -d -e 'Cryptlib/OpenSSL/*'
+
+ clean: clean-shim-objs
+ $(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean
diff --git a/debian/patches/series b/debian/patches/series
index e69de29b..767bfb59 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -0,0 +1 @@
+fixup_git.patch
-- cgit v1.2.3
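Review bot: The header of the new fixup_git.patch carries only `From:` and `Subject:`, so nothing records that this is a packaging-only change. Adding the DEP-3 line `Forwarded: not-needed` under `Subject:` would keep the patch stack for this boot component auditable at the next rebase. With `@git clean -f -d -e 'Cryptlib/OpenSSL/*'` dropped, `clean-shim-objs` removes only what the three `rm` lines match, so untracked files outside those patterns presumably survive `make clean`. The description could state that the package build relies on a freshly unpacked source tree instead. The `clean` target's recipe continues past the end of the inner hunk.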