From ce5a310ea0ec72638afb710d6672523e9ff4ce54 Mon Sep 17 00:00:00 2001 From: Julien Cristau Date: Thu, 13 Oct 2016 09:07:31 +0200 Subject: Add some missing copyright holders in d/copyright, update Upstream-Contact. --- debian/changelog | 7 ++++- debian/copyright | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++++---- 2 files changed, 83 insertions(+), 6 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index a0c171c8..44e425dd 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,5 +1,6 @@ shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium + [ Steve Langasek ] * Initial Debian upload. Closes: #820052. * Update Standards-Version. * Embed the newly-minted Debian CA certificate. @@ -12,7 +13,11 @@ shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium * Update Vcs-Bzr. * Resync with Ubuntu, including patch to fix debian/copyright. - -- Steve Langasek Sat, 01 Oct 2016 14:18:53 -0700 + [ Julien Cristau ] + * Add some missing copyright holders in d/copyright, update + Upstream-Contact. + + -- Julien Cristau Thu, 13 Oct 2016 09:07:20 +0200 shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium diff --git a/debian/copyright b/debian/copyright index 6c8adf16..ab542047 100644 --- a/debian/copyright +++ b/debian/copyright 
@@ -1,20 +1,54 @@ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: shim -Upstream-Contact: Matthew Garrett +Upstream-Contact: Matthew Garrett Source: https://github.com/mjg59/shim.git Files: * -Copyright: 2012 Red Hat, Inc - 2009-2012 Intel Corporation +Copyright: 2012-2013 Red Hat, Inc + 2009-2016 Intel Corporation License: BSD-2-Clause Files: debian/patches/* Copyright: 2016 Canonical Ltd. License: BSD-2-Clause +Files: crypt_blowfish.* +License: public-domain + No copyright is claimed, and the software is hereby placed in the public + domain. In case this attempt to disclaim copyright and place the software + in the public domain is deemed null and void, then the software is + Copyright (c) 2000-2011 Solar Designer and it is hereby released to the + general public under the following terms: + . + Redistribution and use in source and binary forms, with or without + modification, are permitted. + . + There's ABSOLUTELY NO WARRANTY, express or implied. + +Files: httpboot.* +Copyright: 2015 SUSE LINUX GmbH +License: BSD-2-Clause + +Files: include/Http.h +Copyright: 2016 Intel Corporation + 2015 Hewlett Packard Enterprise Development LP +License: BSD-2-Clause + +Files: include/PeImage.h +Copyright: 2006-2010 Intel Corporation + 2008-2009 Apple Inc +License: BSD-2-Clause + +Files: lib/*.c +Copyright: 2011-2012 Intel Corporation + 2012 + 2012-2013 Red Hat, Inc + Files: Cryptlib/OpenSSL/* Cryptlib/Include/openssl/* Copyright: 1998-2016 The OpenSSL Project 1995-1998 Eric Young (eay@cryptsoft.com) + 2002 Sun Microsystems, Inc + 2005 Nokia License: OpenSSL and Original-SSLeay OpenSSL License --------------- 
@@ -23,7 +57,7 @@ License: OpenSSL and Original-SSLeay are met: . 1. Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. + notice, this list of conditions and the following disclaimer. . 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in @@ -101,7 +135,7 @@ License: OpenSSL and Original-SSLeay Eric Young (eay@cryptsoft.com)" The word 'cryptographic' can be left out if the rouines from the library being used are not cryptographic related :-). - 4. If you include any Windows specific code (or a derivative thereof) from + 4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" . 
@@ -122,6 +156,44 @@ License: OpenSSL and Original-SSLeay copied and put under another distribution licence [including the GNU Public Licence.] +Files: Cryptlib/Include/openssl/seed.h +Copyright: 2007 KISA(Korea Information Security Agency) +License: BSD-2-Clause + +Files: Cryptlib/OpenSSL/crypto/o_dir.h Cryptlib/OpenSSL/crypto/LPdir_nyi.c +Copyright: 2004, Richard Levitte +License: BSD-2-Clause + +Files: Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c Cryptlib/OpenSSL/crypto/x509v3/v3_pcia.c +Copyright: 2004 Kungliga Tekniska Högskolan +License: BSD-3-Clause + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + . + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + . + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + . + 3. Neither the name of the Institute nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. + License: BSD-2-Clause Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions -- cgit v1.2.3 From 19d90b863ddf93b00677b87cdf0ec05e55bf8447 Mon Sep 17 00:00:00 2001 From: Julien Cristau Date: Sat, 15 Oct 2016 15:30:50 +0200 Subject: More debian/copyright tweaks --- debian/changelog | 4 ++-- debian/copyright | 35 ++++++++++++++++++++++++++++++++++- 2 files changed, 36 insertions(+), 3 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 44e425dd..07286132 100644 --- a/debian/changelog +++ b/debian/changelog @@ -15,9 +15,9 @@ shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium [ Julien Cristau ] * Add some missing copyright holders in d/copyright, update - Upstream-Contact. + Upstream-Contact. Thanks to Helen Koike for the help. - -- Julien Cristau Thu, 13 Oct 2016 09:07:20 +0200 + -- Julien Cristau Sat, 15 Oct 2016 15:17:34 +0200 shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium diff --git a/debian/copyright b/debian/copyright index ab542047..7c08287c 100644 --- a/debian/copyright +++ b/debian/copyright @@ -13,6 +13,7 @@ Copyright: 2016 Canonical Ltd. License: BSD-2-Clause Files: crypt_blowfish.* +Copyright: none License: public-domain No copyright is claimed, and the software is hereby placed in the public domain. In case this attempt to disclaim copyright and place the software 
@@ -43,6 +44,7 @@ Files: lib/*.c Copyright: 2011-2012 Intel Corporation 2012 2012-2013 Red Hat, Inc +License: BSD-2-Clause Files: Cryptlib/OpenSSL/* Cryptlib/Include/openssl/* Copyright: 1998-2016 The OpenSSL Project @@ -166,7 +168,7 @@ License: BSD-2-Clause Files: Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c Cryptlib/OpenSSL/crypto/x509v3/v3_pcia.c Copyright: 2004 Kungliga Tekniska Högskolan -License: BSD-3-Clause +License: BSD-3-Clause-Institute Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 
@@ -194,6 +196,37 @@ License: BSD-3-Clause OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +Files: Cryptlib/OpenSSL/crypto/bn/rsaz_exp.h +Copyright: 2012, Intel Corporation +License: BSD-3-Clause-Intel + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are + met: + . + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + . + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the + distribution. + . + * Neither the name of the Intel Corporation nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + . + THIS SOFTWARE IS PROVIDED BY INTEL CORPORATION ""AS IS"" AND ANY + EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL INTEL CORPORATION OR + CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + License: BSD-2-Clause Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions -- cgit v1.2.3 From 3b43f33d7163db4b67e27c6e715b32834a79b9e3 Mon Sep 17 00:00:00 2001 
From: Mathieu Trudel-Lapierre Date: Mon, 7 Aug 2017 17:21:03 -0400 Subject: Update changelog for released 0.9+1474479173.6c180c6-0ubuntu1 --- debian/changelog | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index a0c171c8..8911474f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -14,13 +14,13 @@ shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium -- Steve Langasek Sat, 01 Oct 2016 14:18:53 -0700 -shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium +shim (0.9+1474479173.6c180c6-0ubuntu1) yakkety; urgency=medium [ Helen Koike ] * debian/copyright: add OpenSSL license [ Mathieu Trudel-Lapierre ] - * New upstream release. + * New upstream release. (LP: #1624096) * debian/copyright: patches should be BSD, like the rest of the upstream code. * debian/patches/unused-variable: dropped; applied upstream. @@ -29,7 +29,7 @@ shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium file to properly pick up shim (shim$arch), MokManager (mm$arch), and fallback (fb$arch). - -- Mathieu Trudel-Lapierre Wed, 21 Sep 2016 20:29:44 -0400 + -- Mathieu Trudel-Lapierre Thu, 22 Sep 2016 15:02:20 -0400 shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium -- cgit v1.2.3 From bd98c8fd1c1bd2eeb4b1c84c861e59e8ccf25111 Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Mon, 7 Aug 2017 17:24:36 -0400 Subject: Update changelog/changes for released 0.9+1474479173.6c180c6-1ubuntu1 --- debian/changelog | 13 ++++ debian/control | 3 +- ...01-shim-fix-the-mirroring-MokSBState-fail.patch | 71 ++++++++++++++++++++++ debian/patches/series | 1 + 4 files changed, 87 insertions(+), 1 deletion(-) create mode 100644 debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 8911474f..8dc7b8ff 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,16 @@ +shim (0.9+1474479173.6c180c6-1ubuntu1) zesty; urgency=medium + + [ Steve Langasek ] + * Merge (not yet NEW cleared) changes from Debian branch. + + [ Mathieu Trudel-Lapierre ] + * debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: guard + against errors in mirroring MokSBState to MokSBStateRT. Thanks to Ivan Hu + for the patch. This will fix issues updating MokSBStateRT if the variable + already exists with different attributes. (LP: #1644806) + + -- Mathieu Trudel-Lapierre Thu, 01 Dec 2016 16:55:50 -0500 + shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium * Initial Debian upload. Closes: #820052. diff --git a/debian/control b/debian/control index 25b0b47e..06d4239b 100644 --- a/debian/control +++ b/debian/control @@ -1,7 +1,8 @@ Source: shim Section: admin Priority: optional -Maintainer: Steve Langasek +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Steve Langasek Standards-Version: 3.9.8 Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl Vcs-Bzr: lp:~ubuntu-core-dev/shim/trunk diff --git a/debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch b/debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch new file mode 100644 index 00000000..61117d80 --- /dev/null +++ b/debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch 
@@ -0,0 +1,71 @@ +From 1681bd7282e606e961c0d1bfafcf807a32bc912d Mon Sep 17 00:00:00 2001 +From: Ivan Hu +Date: Tue, 22 Nov 2016 06:26:01 +0800 +Subject: [PATCH] shim: fix the mirroring MokSBState fail +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1644806 + +Some machines have already embedded MokSBStateRT varaible with +EFI_VARIABLE_NON_VOLATILE attribute, and some users might disable shim +vailidation manually by creating MokSBStateRT. It causes mirroring MokSBState +fail because the variable cannot be set with different attribute again, and gets +error massage every time when booting. + +Fix it with checking the MokSBStateRT existence and deleting it before +mirroring it. + +Signed-off-by: Ivan Hu +Signed-off-by: Mathieu Trudel-Lapierre +--- + shim.c | 34 ++++++++++++++++++++++++---------- + 1 file changed, 24 insertions(+), 10 deletions(-) + +diff --git a/shim.c b/shim.c +index c69961b..90ea784 100644 +--- a/shim.c ++++ b/shim.c +@@ -2013,18 +2013,32 @@ EFI_STATUS mirror_mok_sb_state() + UINTN DataSize = 0; + + efi_status = get_variable(L"MokSBState", &Data, &DataSize, shim_lock_guid); +- if (efi_status != EFI_SUCCESS) +- return efi_status; ++ if (efi_status == EFI_SUCCESS) { ++ UINT8 *Data_RT = NULL; ++ UINTN DataSize_RT = 0; ++ ++ efi_status = get_variable(L"MokSBStateRT", &Data_RT, ++ &DataSize_RT, shim_lock_guid); ++ if (efi_status == EFI_SUCCESS) { ++ efi_status = uefi_call_wrapper(RT->SetVariable, 5, ++ L"MokSBStateRT", ++ &shim_lock_guid, ++ EFI_VARIABLE_BOOTSERVICE_ACCESS ++ | EFI_VARIABLE_RUNTIME_ACCESS ++ | EFI_VARIABLE_NON_VOLATILE, ++ 0, NULL); ++ } + +- efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokSBStateRT", +- &shim_lock_guid, +- EFI_VARIABLE_BOOTSERVICE_ACCESS +- | EFI_VARIABLE_RUNTIME_ACCESS, +- DataSize, Data); +- if (efi_status != EFI_SUCCESS) { +- console_error(L"Failed to set MokSBStateRT", efi_status); ++ efi_status = uefi_call_wrapper(RT->SetVariable, 5, ++ L"MokSBStateRT", ++ &shim_lock_guid, ++ 
EFI_VARIABLE_BOOTSERVICE_ACCESS ++ | EFI_VARIABLE_RUNTIME_ACCESS, ++ DataSize, Data); ++ if (efi_status != EFI_SUCCESS) { ++ console_error(L"Failed to set MokSBStateRT", efi_status); ++ } + } +- + return efi_status; + } + +-- +2.7.4 + diff --git a/debian/patches/series b/debian/patches/series index a5f3392d..34c3f92b 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,3 @@ second-stage-path sbsigntool-not-pesign +0001-shim-fix-the-mirroring-MokSBState-fail.patch -- cgit v1.2.3 From 11c5b79d30e8641e61899afabf97162490e1e763 Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Mon, 7 Aug 2017 17:37:56 -0400 Subject: New upstream snapshot: 12+1501864225.b586175. --- debian/changelog | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 2454a41f..f91a2ae1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +shim (12+1501864225.b586175-0) UNRELEASED; urgency=medium + + * New upstream snapshot: 12+1501864225.b586175. + + -- Mathieu Trudel-Lapierre Fri, 04 Aug 2017 12:33:22 -0400 + shim (0.9+1474479173.6c180c6-1ubuntu1) zesty; urgency=medium [ Steve Langasek ] -- cgit v1.2.3 From ba899c3d3cb74847cf6eb296daf569d6e5af0b0d Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Mon, 7 Aug 2017 17:38:30 -0400 Subject: debian/control: add a Build-Depends on libnss3-tools for pk12-util. --- debian/changelog | 1 + debian/control | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index f91a2ae1..47076085 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,7 @@ shim (12+1501864225.b586175-0) UNRELEASED; urgency=medium * New upstream snapshot: 12+1501864225.b586175. + * debian/control: add a Build-Depends on libnss3-tools for pk12-util. -- Mathieu Trudel-Lapierre Fri, 04 Aug 2017 12:33:22 -0400 diff --git a/debian/control b/debian/control index 06d4239b..824230b8 100644 
--- a/debian/control +++ b/debian/control @@ -4,7 +4,7 @@ Priority: optional Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Steve Langasek Standards-Version: 3.9.8 -Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl +Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl, libnss3-tools Vcs-Bzr: lp:~ubuntu-core-dev/shim/trunk Package: shim -- cgit v1.2.3 From 62a4fa2d312ab6964812e5641a74aa6d4cfeec2c Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Mon, 7 Aug 2017 17:39:07 -0400 Subject: * debian/rules: - Update dh_auto_build/dh_auto_clean for new upstream options: set MAKELEVEL. --- debian/changelog | 3 +++ debian/rules | 7 ++++++- 2 files changed, 9 insertions(+), 1 deletion(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 47076085..d59d15cb 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,6 +2,9 @@ shim (12+1501864225.b586175-0) UNRELEASED; urgency=medium * New upstream snapshot: 12+1501864225.b586175. * debian/control: add a Build-Depends on libnss3-tools for pk12-util. + * debian/rules: + - Update dh_auto_build/dh_auto_clean for new upstream options: set + MAKELEVEL. -- Mathieu Trudel-Lapierre Fri, 04 Aug 2017 12:33:22 -0400 diff --git a/debian/rules b/debian/rules index f368a197..db3ca61f 100755 --- a/debian/rules +++ b/debian/rules @@ -13,8 +13,13 @@ endif %: dh $@ --parallel +override_dh_auto_clean: + dh_auto_clean -- MAKELEVEL=0 override_dh_auto_build: - dh_auto_build -- EFI_PATH=/usr/lib VENDOR_CERT_FILE=$(cert) + dh_auto_build -- \ + MAKELEVEL=0 \ + EFI_PATH=/usr/lib \ + VENDOR_CERT_FILE=$(cert) override_dh_fixperms: dh_fixperms -- cgit v1.2.3 From 94190a1cd8faa7217ac9c83f0b3e6bcad302ca53 Mon Sep 17 00:00:00 2001 
From: Mathieu Trudel-Lapierre Date: Mon, 7 Aug 2017 17:39:45 -0400 Subject: Set DEFAULT_LOADER; this makes second-stage-path unnecessary. --- debian/changelog | 3 +++ debian/patches/second-stage-path | 24 ------------------------ debian/patches/series | 1 - debian/rules | 1 + 4 files changed, 4 insertions(+), 25 deletions(-) delete mode 100644 debian/patches/second-stage-path (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index d59d15cb..e697abf1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -5,6 +5,9 @@ shim (12+1501864225.b586175-0) UNRELEASED; urgency=medium * debian/rules: - Update dh_auto_build/dh_auto_clean for new upstream options: set MAKELEVEL. + - Set DEFAULT_LOADER; this makes second-stage-path unnecessary. + * debian/patches/second-stage-path: dropped. + -- Mathieu Trudel-Lapierre Fri, 04 Aug 2017 12:33:22 -0400 diff --git a/debian/patches/second-stage-path b/debian/patches/second-stage-path deleted file mode 100644 index da53af8e..00000000 --- a/debian/patches/second-stage-path +++ /dev/null @@ -1,24 +0,0 @@ -Description: Chainload grubx64.efi, not grub.efi - We qualify the second stage bootloader image with the architecture name, - so we're forwards-compatible with any future 32-bit implementations. - (Non-SB grub doesn't conflict, since the image will be named bootia32.efi - anyway, not grub.efi.) -Author: Steve Langasek - ---- - Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Index: b/Makefile -=================================================================== ---- a/Makefile -+++ b/Makefile -@@ -25,7 +25,7 @@ EFI_LIBS = -lefi -lgnuefi --start-group - EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o - EFI_LDS = elf_$(ARCH)_efi.lds - --DEFAULT_LOADER := \\\\grub.efi -+DEFAULT_LOADER := \\\\grubx64.efi - CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ - -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \ - -Werror=sign-compare -ffreestanding -std=gnu89 \ 
diff --git a/debian/patches/series b/debian/patches/series index 34c3f92b..20fe73c2 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,2 @@ -second-stage-path sbsigntool-not-pesign 0001-shim-fix-the-mirroring-MokSBState-fail.patch diff --git a/debian/rules b/debian/rules index db3ca61f..e51de0b7 100755 --- a/debian/rules +++ b/debian/rules @@ -19,6 +19,7 @@ override_dh_auto_build: dh_auto_build -- \ MAKELEVEL=0 \ EFI_PATH=/usr/lib \ + DEFAULT_LOADER=\\\grubx64.efi \ VENDOR_CERT_FILE=$(cert) override_dh_fixperms: -- cgit v1.2.3 From ea54c7675ffc8f9d435206db8798a3428c15734f Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Mon, 7 Aug 2017 17:42:12 -0400 Subject: debian/patches/sbsigntool-no-pesign: refreshed. --- debian/changelog | 2 +- debian/patches/sbsigntool-not-pesign | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index e697abf1..e54306d1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -7,7 +7,7 @@ shim (12+1501864225.b586175-0) UNRELEASED; urgency=medium MAKELEVEL. - Set DEFAULT_LOADER; this makes second-stage-path unnecessary. * debian/patches/second-stage-path: dropped. - + * debian/patches/sbsigntool-no-pesign: refreshed. -- Mathieu Trudel-Lapierre Fri, 04 Aug 2017 12:33:22 -0400 diff --git a/debian/patches/sbsigntool-not-pesign b/debian/patches/sbsigntool-not-pesign index 9629cb12..1220cabd 100644 --- a/debian/patches/sbsigntool-not-pesign +++ b/debian/patches/sbsigntool-not-pesign @@ -13,14 +13,14 @@ Index: b/Makefile =================================================================== --- a/Makefile 
+++ b/Makefile -@@ -158,8 +158,8 @@ endif +@@ -206,8 +206,8 @@ endif -j .note.gnu.build-id \ $(FORMAT) $^ $@.debug -%.efi.signed: %.efi certdb/secmod.db -- pesign -n certdb -i $< -c "shim" -s -o $@ -f +- $(PESIGN) -n certdb -i $< -c "shim" -s -o $@ -f +%.efi.signed: %.efi shim.crt + sbsign --key shim.key --cert shim.crt $< clean: - $(MAKE) -C Cryptlib clean + $(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean -- cgit v1.2.3 From 5d42729fe393fc11b20730b86aac7f4f861ca68e Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Mon, 7 Aug 2017 17:42:42 -0400 Subject: Define an EFI_ARCH variable, and use that for paths to shim. This makes it possible to build a shim for other architectures than amd64. --- debian/changelog | 2 ++ debian/rules | 8 ++++++-- 2 files changed, 8 insertions(+), 2 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index e54306d1..147cdbc3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -6,6 +6,8 @@ shim (12+1501864225.b586175-0) UNRELEASED; urgency=medium - Update dh_auto_build/dh_auto_clean for new upstream options: set MAKELEVEL. - Set DEFAULT_LOADER; this makes second-stage-path unnecessary. + - Define an EFI_ARCH variable, and use that for paths to shim. This + makes it possible to build a shim for other architectures than amd64. * debian/patches/second-stage-path: dropped. * debian/patches/sbsigntool-no-pesign: refreshed. diff --git a/debian/rules b/debian/rules index e51de0b7..7edcae3b 100755 --- a/debian/rules +++ b/debian/rules @@ -10,6 +10,10 @@ else cert=debian/debian-uefi-ca.der endif +ifeq ($(DEB_HOST_ARCH),amd64) +export EFI_ARCH := x64 +endif + %: dh $@ --parallel 
@@ -19,9 +23,9 @@ override_dh_auto_build: dh_auto_build -- \ MAKELEVEL=0 \ EFI_PATH=/usr/lib \ - DEFAULT_LOADER=\\\grubx64.efi \ + DEFAULT_LOADER=\\\grub$(EFI_ARCH).efi \ VENDOR_CERT_FILE=$(cert) override_dh_fixperms: dh_fixperms - chmod a-x debian/shim/usr/lib/shim/shimx64.efi + chmod a-x debian/shim/usr/lib/shim/shim$(EFI_ARCH).efi -- cgit v1.2.3 From 5ca483b97b9d1c1373fd17346dbf207c18455019 Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Mon, 7 Aug 2017 17:43:08 -0400 Subject: debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: dropped, included upstream. --- debian/changelog | 2 + ...01-shim-fix-the-mirroring-MokSBState-fail.patch | 71 ---------------------- debian/patches/series | 1 - 3 files changed, 2 insertions(+), 72 deletions(-) delete mode 100644 debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 147cdbc3..9ee00d3b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -10,6 +10,8 @@ shim (12+1501864225.b586175-0) UNRELEASED; urgency=medium makes it possible to build a shim for other architectures than amd64. * debian/patches/second-stage-path: dropped. * debian/patches/sbsigntool-no-pesign: refreshed. + * debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: dropped, + included upstream. -- Mathieu Trudel-Lapierre Fri, 04 Aug 2017 12:33:22 -0400 diff --git a/debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch b/debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch deleted file mode 100644 index 61117d80..00000000 --- a/debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch +++ /dev/null 
@@ -1,71 +0,0 @@ -From 1681bd7282e606e961c0d1bfafcf807a32bc912d Mon Sep 17 00:00:00 2001 -From: Ivan Hu -Date: Tue, 22 Nov 2016 06:26:01 +0800 -Subject: [PATCH] shim: fix the mirroring MokSBState fail -Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1644806 - -Some machines have already embedded MokSBStateRT varaible with -EFI_VARIABLE_NON_VOLATILE attribute, and some users might disable shim -vailidation manually by creating MokSBStateRT. It causes mirroring MokSBState -fail because the variable cannot be set with different attribute again, and gets -error massage every time when booting. - -Fix it with checking the MokSBStateRT existence and deleting it before -mirroring it. - -Signed-off-by: Ivan Hu -Signed-off-by: Mathieu Trudel-Lapierre ---- - shim.c | 34 ++++++++++++++++++++++++---------- - 1 file changed, 24 insertions(+), 10 deletions(-) - -diff --git a/shim.c b/shim.c -index c69961b..90ea784 100644 ---- a/shim.c -+++ b/shim.c -@@ -2013,18 +2013,32 @@ EFI_STATUS mirror_mok_sb_state() - UINTN DataSize = 0; - - efi_status = get_variable(L"MokSBState", &Data, &DataSize, shim_lock_guid); -- if (efi_status != EFI_SUCCESS) -- return efi_status; -+ if (efi_status == EFI_SUCCESS) { -+ UINT8 *Data_RT = NULL; -+ UINTN DataSize_RT = 0; -+ -+ efi_status = get_variable(L"MokSBStateRT", &Data_RT, -+ &DataSize_RT, shim_lock_guid); -+ if (efi_status == EFI_SUCCESS) { -+ efi_status = uefi_call_wrapper(RT->SetVariable, 5, -+ L"MokSBStateRT", -+ &shim_lock_guid, -+ EFI_VARIABLE_BOOTSERVICE_ACCESS -+ | EFI_VARIABLE_RUNTIME_ACCESS -+ | EFI_VARIABLE_NON_VOLATILE, -+ 0, NULL); -+ } - -- efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokSBStateRT", -- &shim_lock_guid, -- EFI_VARIABLE_BOOTSERVICE_ACCESS -- | EFI_VARIABLE_RUNTIME_ACCESS, -- DataSize, Data); -- if (efi_status != EFI_SUCCESS) { -- console_error(L"Failed to set MokSBStateRT", efi_status); -+ efi_status = uefi_call_wrapper(RT->SetVariable, 5, -+ L"MokSBStateRT", -+ &shim_lock_guid, -+ 
EFI_VARIABLE_BOOTSERVICE_ACCESS -+ | EFI_VARIABLE_RUNTIME_ACCESS, -+ DataSize, Data); -+ if (efi_status != EFI_SUCCESS) { -+ console_error(L"Failed to set MokSBStateRT", efi_status); -+ } - } -- - return efi_status; - } - --- -2.7.4 - diff --git a/debian/patches/series b/debian/patches/series index 20fe73c2..b8e0e105 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1 @@ sbsigntool-not-pesign -0001-shim-fix-the-mirroring-MokSBState-fail.patch -- cgit v1.2.3 From 33da8726b4035061190266e3e0c25d87f95d646a Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Mon, 7 Aug 2017 17:43:53 -0400 Subject: Fix typo for DEFAULT_LOADER: missing a backslash, also needs quoting. --- debian/rules | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'debian') diff --git a/debian/rules b/debian/rules index 7edcae3b..f35661c1 100755 --- a/debian/rules +++ b/debian/rules @@ -23,7 +23,7 @@ override_dh_auto_build: dh_auto_build -- \ MAKELEVEL=0 \ EFI_PATH=/usr/lib \ - DEFAULT_LOADER=\\\grub$(EFI_ARCH).efi \ + DEFAULT_LOADER='\\\\grub$(EFI_ARCH).efi' \ VENDOR_CERT_FILE=$(cert) override_dh_fixperms: -- cgit v1.2.3 From 48d77ce60605698c2fc8fb92c6891ba76d3415c6 Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Wed, 9 Aug 2017 20:40:15 -0400 Subject: New upstream snapshot: 12+1502324945.478f9bb. --- debian/changelog | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 9ee00d3b..8b81400a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,6 @@ -shim (12+1501864225.b586175-0) UNRELEASED; urgency=medium +shim (12+1502324945.478f9bb-0) UNRELEASED; urgency=medium - * New upstream snapshot: 12+1501864225.b586175. + * New upstream snapshot: 12+1502324945.478f9bb. * debian/control: add a Build-Depends on libnss3-tools for pk12-util. * debian/rules: - Update dh_auto_build/dh_auto_clean for new upstream options: set 
@@ -13,7 +13,7 @@ shim (12+1501864225.b586175-0) UNRELEASED; urgency=medium * debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: dropped, included upstream. - -- Mathieu Trudel-Lapierre Fri, 04 Aug 2017 12:33:22 -0400 + -- Mathieu Trudel-Lapierre Wed, 09 Aug 2017 20:39:15 -0400 shim (0.9+1474479173.6c180c6-1ubuntu1) zesty; urgency=medium -- cgit v1.2.3 From 0123496a8a4483df3d743b791c9bdcfb45409a76 Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Tue, 29 Aug 2017 13:56:15 -0400 Subject: New upstream snapshot: 12+1503074702.5202f80. --- debian/changelog | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 8b81400a..b9528e99 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,6 @@ -shim (12+1502324945.478f9bb-0) UNRELEASED; urgency=medium +shim (12+1503074702.5202f80-0ubuntu1) UNRELEASED; urgency=medium - * New upstream snapshot: 12+1502324945.478f9bb. + * New upstream snapshot: 12+1503074702.5202f80. * debian/control: add a Build-Depends on libnss3-tools for pk12-util. * debian/rules: - Update dh_auto_build/dh_auto_clean for new upstream options: set @@ -13,7 +13,7 @@ shim (12+1502324945.478f9bb-0) UNRELEASED; urgency=medium * debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: dropped, included upstream. - -- Mathieu Trudel-Lapierre Wed, 09 Aug 2017 20:39:15 -0400 + -- Mathieu Trudel-Lapierre Tue, 29 Aug 2017 13:55:45 -0400 shim (0.9+1474479173.6c180c6-1ubuntu1) zesty; urgency=medium -- cgit v1.2.3 From cff1facf80f327dbd43654221ea5704e24a0dc1d Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Tue, 29 Aug 2017 13:57:22 -0400 Subject: debian/patches/second-stage-path: dropped; the default loader path now includes an arch suffix. --- debian/changelog | 4 ++-- debian/rules | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) (limited to 'debian') 
diff --git a/debian/changelog b/debian/changelog index b9528e99..56ba2c4d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -5,10 +5,10 @@ shim (12+1503074702.5202f80-0ubuntu1) UNRELEASED; urgency=medium * debian/rules: - Update dh_auto_build/dh_auto_clean for new upstream options: set MAKELEVEL. - - Set DEFAULT_LOADER; this makes second-stage-path unnecessary. - Define an EFI_ARCH variable, and use that for paths to shim. This makes it possible to build a shim for other architectures than amd64. - * debian/patches/second-stage-path: dropped. + * debian/patches/second-stage-path: dropped; the default loader path now + includes an arch suffix. * debian/patches/sbsigntool-no-pesign: refreshed. * debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: dropped, included upstream. diff --git a/debian/rules b/debian/rules index f35661c1..b03e2ee2 100755 --- a/debian/rules +++ b/debian/rules @@ -23,7 +23,6 @@ override_dh_auto_build: dh_auto_build -- \ MAKELEVEL=0 \ EFI_PATH=/usr/lib \ - DEFAULT_LOADER='\\\\grub$(EFI_ARCH).efi' \ VENDOR_CERT_FILE=$(cert) override_dh_fixperms: -- cgit v1.2.3 From 661d3ea1dc23ebe589593dd9cc772a1d436c417b Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Tue, 29 Aug 2017 13:57:47 -0400 Subject: Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built at compile-time for MokManager and fallback. --- debian/changelog | 2 ++ debian/rules | 1 + 2 files changed, 3 insertions(+) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 56ba2c4d..79d7966e 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -7,6 +7,8 @@ shim (12+1503074702.5202f80-0ubuntu1) UNRELEASED; urgency=medium MAKELEVEL. - Define an EFI_ARCH variable, and use that for paths to shim. This makes it possible to build a shim for other architectures than amd64. + - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built + at compile-time for MokManager and fallback. * debian/patches/second-stage-path: dropped; the default loader path now includes an arch suffix. * debian/patches/sbsigntool-no-pesign: refreshed. diff --git a/debian/rules b/debian/rules index b03e2ee2..b5f21367 100755 --- a/debian/rules +++ b/debian/rules @@ -23,6 +23,7 @@ override_dh_auto_build: dh_auto_build -- \ MAKELEVEL=0 \ EFI_PATH=/usr/lib \ + ENABLE_SHIM_CERT=1 \ VENDOR_CERT_FILE=$(cert) override_dh_fixperms: -- cgit v1.2.3 From 402fafb47564efc2281966aa39f9d2d25d73aec4 Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Tue, 29 Aug 2017 13:58:39 -0400 Subject: Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback and MokManager. Also drop debian/patches/sbsigntool-no-pesign: with this change from upstream it is no longer needed.. --- debian/changelog | 4 +++- debian/patches/sbsigntool-not-pesign | 26 -------------------------- debian/patches/series | 1 - debian/rules | 1 + 4 files changed, 4 insertions(+), 28 deletions(-) delete mode 100644 debian/patches/sbsigntool-not-pesign (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 79d7966e..4afcdf19 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -9,9 +9,11 @@ shim (12+1503074702.5202f80-0ubuntu1) UNRELEASED; urgency=medium makes it possible to build a shim for other architectures than amd64. - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built at compile-time for MokManager and fallback. + - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback + and MokManager. * debian/patches/second-stage-path: dropped; the default loader path now includes an arch suffix. - * debian/patches/sbsigntool-no-pesign: refreshed. + * debian/patches/sbsigntool-no-pesign: dropped; no longer needed.. * debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: dropped, included upstream. diff --git a/debian/patches/sbsigntool-not-pesign b/debian/patches/sbsigntool-not-pesign deleted file mode 100644 index 1220cabd..00000000 --- a/debian/patches/sbsigntool-not-pesign +++ /dev/null @@ -1,26 +0,0 @@ -Description: Sign MokManager with sbsigntool instead of pesign - Ubuntu infrastructure uses sbsigntool for all other EFI signing, so we use - the same thing for signing MokManager with our ephemeral key. This also - avoids an additional build dependency on libnss3-tools. -Author: Steve Langasek -Forwarded: not-needed - ---- - Makefile | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -Index: b/Makefile -=================================================================== ---- a/Makefile -+++ b/Makefile -@@ -206,8 +206,8 @@ endif - -j .note.gnu.build-id \ - $(FORMAT) $^ $@.debug - --%.efi.signed: %.efi certdb/secmod.db -- $(PESIGN) -n certdb -i $< -c "shim" -s -o $@ -f -+%.efi.signed: %.efi shim.crt -+ sbsign --key shim.key --cert shim.crt $< - - clean: - $(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean diff --git a/debian/patches/series b/debian/patches/series index b8e0e105..e69de29b 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +0,0 @@ -sbsigntool-not-pesign diff --git a/debian/rules b/debian/rules index b5f21367..3dc47aee 100755 --- a/debian/rules 
+++ b/debian/rules @@ -24,6 +24,7 @@ override_dh_auto_build: MAKELEVEL=0 \ EFI_PATH=/usr/lib \ ENABLE_SHIM_CERT=1 \ + ENABLE_SBSIGN=1 \ VENDOR_CERT_FILE=$(cert) override_dh_fixperms: -- cgit v1.2.3 From 2993c0ee31017782413e48980f8380881cdbd137 Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Tue, 29 Aug 2017 21:23:41 -0400 Subject: debian/patches/fix_makefile_phony.patch: fix a makefile bug causing shim to fail to build, because it gets confused about the .signed efi files. --- debian/changelog | 2 ++ debian/patches/fix_makefile_phony.patch | 22 ++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 25 insertions(+) create mode 100644 debian/patches/fix_makefile_phony.patch (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 4afcdf19..6cd52d7f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -16,6 +16,8 @@ shim (12+1503074702.5202f80-0ubuntu1) UNRELEASED; urgency=medium * debian/patches/sbsigntool-no-pesign: dropped; no longer needed.. * debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: dropped, included upstream. + * debian/patches/fix_makefile_phony.patch: fix a makefile bug causing shim + to fail to build, because it gets confused about the .signed efi files. -- Mathieu Trudel-Lapierre Tue, 29 Aug 2017 13:55:45 -0400 diff --git a/debian/patches/fix_makefile_phony.patch b/debian/patches/fix_makefile_phony.patch new file mode 100644 index 00000000..8a8d4749 --- /dev/null +++ b/debian/patches/fix_makefile_phony.patch 
@@ -0,0 +1,22 @@ +From: Mathieu Trudel-Lapierre +Subject: Fix Makefile to successfully build for shim with cert and sbsign + +sbsign needs shim.key and shim.crt, but the only target that exists in +makefile is shim.crt. shim.key is a side-effect building shim.crt. + +--- + Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: b/Makefile +=================================================================== +--- a/Makefile ++++ b/Makefile +@@ -362,6 +362,6 @@ archive: tag + @rm -rf /tmp/shim-$(VERSION) + @echo "The archive is in shim-$(VERSION).tar.bz2" + +-.PHONY : install-deps ++.PHONY : install-deps shim.key + + export ARCH CC LD OBJCOPY EFI_INCLUDE diff --git a/debian/patches/series b/debian/patches/series index e69de29b..268dc0e6 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -0,0 +1 @@ +fix_makefile_phony.patch -- cgit v1.2.3 From ee22d4255df975c59181e9258c1919cff227d68b Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Tue, 29 Aug 2017 21:33:03 -0400 Subject: debian/rules: clean up after *.signed files. --- debian/changelog | 1 + debian/rules | 2 ++ 2 files changed, 3 insertions(+) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 6cd52d7f..bbfa72b7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -18,6 +18,7 @@ shim (12+1503074702.5202f80-0ubuntu1) UNRELEASED; urgency=medium included upstream. * debian/patches/fix_makefile_phony.patch: fix a makefile bug causing shim to fail to build, because it gets confused about the .signed efi files. + * debian/rules: clean up after *.signed files. -- Mathieu Trudel-Lapierre Tue, 29 Aug 2017 13:55:45 -0400 diff --git a/debian/rules b/debian/rules index 3dc47aee..0403988b 100755 --- a/debian/rules +++ b/debian/rules @@ -19,6 +19,8 @@ endif override_dh_auto_clean: dh_auto_clean -- MAKELEVEL=0 + rm -f *.signed + override_dh_auto_build: dh_auto_build -- \ MAKELEVEL=0 \ -- cgit v1.2.3 
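Review bot: ENABLE_SHIM_CERT=1 goes into override_dh_auto_build in debian/rules with no comment, and the only rationale is the changelog line. This option makes the build generate the self-signed certificate and key that sign MokManager and fallback, so the rules file should say in a comment that the key is per-build and must never be shipped or reused. It is also worth confirming that the clean step removes the generated shim.key and shim.crt; the later "rm -f *.signed" in override_dh_auto_clean covers only the signed outputs.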
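Review bot: the changelog hunk of the ENABLE_SBSIGN commit names debian/patches/sbsigntool-no-pesign, but the file deleted in the same commit is debian/patches/sbsigntool-not-pesign, and the entry ends with a doubled period ("no longer needed.."). Correct the name so the changelog matches the tree. The removed patch's description also says that signing with sbsign "avoids an additional build dependency on libnss3-tools", while the changelog still carries "add a Build-Depends on libnss3-tools for pk12-util"; with ENABLE_SBSIGN=1 set, that dependency should be re-checked in this change rather than left for later.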
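Review bot: in debian/patches/fix_makefile_phony.patch, adding shim.key to .PHONY hides the missing rule instead of describing it. The patch description says shim.key is produced as a side effect of the shim.crt recipe; a phony target is always considered out of date, so anything that lists shim.key as a prerequisite is rebuilt, and re-signed, on every make invocation, and nothing orders it after shim.crt even though debian/rules runs dh with --parallel. A rule of the form "shim.key: shim.crt" would state the real dependency. The patch also has no Forwarded or Bug header, so a reader cannot tell whether upstream has seen it.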
From f841331ca35ec67599457bb1cd102a0f6a195025 Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Tue, 29 Aug 2017 22:21:11 -0400 Subject: Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream options: set MAKELEVEL. --- debian/changelog | 4 ++-- debian/rules | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index bbfa72b7..55f902e3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,8 +3,8 @@ shim (12+1503074702.5202f80-0ubuntu1) UNRELEASED; urgency=medium * New upstream snapshot: 12+1503074702.5202f80. * debian/control: add a Build-Depends on libnss3-tools for pk12-util. * debian/rules: - - Update dh_auto_build/dh_auto_clean for new upstream options: set - MAKELEVEL. + - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream + options: set MAKELEVEL. - Define an EFI_ARCH variable, and use that for paths to shim. This makes it possible to build a shim for other architectures than amd64. - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built diff --git a/debian/rules b/debian/rules index 0403988b..179d09a8 100755 --- a/debian/rules +++ b/debian/rules @@ -29,6 +29,9 @@ override_dh_auto_build: ENABLE_SBSIGN=1 \ VENDOR_CERT_FILE=$(cert) +override_dh_auto_install: + dh_auto_install -- MAKELEVEL=0 + override_dh_fixperms: dh_fixperms chmod a-x debian/shim/usr/lib/shim/shim$(EFI_ARCH).efi -- cgit v1.2.3 From 3f5806e428da5992390aca796d8cbaa72879337d Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Tue, 29 Aug 2017 22:38:38 -0400 Subject: Set EFIDIR=ubuntu for dh_auto_install; that will let files be installed in the "right" final directories, and makes boot.csv for us. --- debian/changelog | 2 ++ debian/rules | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 55f902e3..0c33fcb6 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -7,6 +7,8 @@ shim (12+1503074702.5202f80-0ubuntu1) UNRELEASED; urgency=medium options: set MAKELEVEL. - Define an EFI_ARCH variable, and use that for paths to shim. This makes it possible to build a shim for other architectures than amd64. + - Set EFIDIR=ubuntu for dh_auto_install; that will let files be installed + in the "right" final directories, and makes boot.csv for us. - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built at compile-time for MokManager and fallback. - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback diff --git a/debian/rules b/debian/rules index 179d09a8..d863ab7d 100755 --- a/debian/rules +++ b/debian/rules @@ -30,7 +30,7 @@ override_dh_auto_build: VENDOR_CERT_FILE=$(cert) override_dh_auto_install: - dh_auto_install -- MAKELEVEL=0 + dh_auto_install -- MAKELEVEL=0 EFIDIR=ubuntu override_dh_fixperms: dh_fixperms -- cgit v1.2.3 From 7d562b4949fda4bd683d312f42285875f5ef4b65 Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Tue, 29 Aug 2017 22:45:27 -0400 Subject: debian/shim.install: update paths in light of using shim's upstream install target. --- debian/changelog | 2 ++ debian/shim.install | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 0c33fcb6..d445ec4b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -21,6 +21,8 @@ shim (12+1503074702.5202f80-0ubuntu1) UNRELEASED; urgency=medium * debian/patches/fix_makefile_phony.patch: fix a makefile bug causing shim to fail to build, because it gets confused about the .signed efi files. * debian/rules: clean up after *.signed files. + * debian/shim.install: update paths in light of using shim's upstream install + target. -- Mathieu Trudel-Lapierre Tue, 29 Aug 2017 13:55:45 -0400 diff --git a/debian/shim.install b/debian/shim.install index f37f6d19..0f5a04b4 100644 --- a/debian/shim.install +++ b/debian/shim.install 
@@ -1,3 +1,3 @@ -shim*.efi /usr/lib/shim -mm*.efi.signed /usr/lib/shim -fb*.efi.signed /usr/lib/shim +/boot/efi/EFI/ubuntu/shim*.efi /usr/lib/shim +/boot/efi/EFI/ubuntu/mm*.efi.signed /usr/lib/shim +/boot/efi/EFI/ubuntu/fb*.efi.signed /usr/lib/shim -- cgit v1.2.3 From b37fef52049e3d9b32d73eb6db3e9058d875fd9a Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Thu, 31 Aug 2017 19:07:19 -0400 Subject: debian/control: add a Build-Depends on libelf-dev. --- debian/changelog | 5 +++-- debian/control | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index d445ec4b..830e763d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,7 +1,8 @@ -shim (12+1503074702.5202f80-0ubuntu1) UNRELEASED; urgency=medium +shim (12+1503074702.5202f80-0ubuntu1~test3) artful; urgency=medium * New upstream snapshot: 12+1503074702.5202f80. * debian/control: add a Build-Depends on libnss3-tools for pk12-util. + * debian/control: add a Build-Depends on libelf-dev. * debian/rules: - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream options: set MAKELEVEL. @@ -24,7 +25,7 @@ shim (12+1503074702.5202f80-0ubuntu1) UNRELEASED; urgency=medium * debian/shim.install: update paths in light of using shim's upstream install target. - -- Mathieu Trudel-Lapierre Tue, 29 Aug 2017 13:55:45 -0400 + -- Mathieu Trudel-Lapierre Tue, 29 Aug 2017 22:45:30 -0400 shim (0.9+1474479173.6c180c6-1ubuntu1) zesty; urgency=medium diff --git a/debian/control b/debian/control index 824230b8..febdfb9c 100644 --- a/debian/control +++ b/debian/control 
@@ -4,7 +4,7 @@ Priority: optional Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Steve Langasek Standards-Version: 3.9.8 -Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl, libnss3-tools +Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl, libnss3-tools, libelf-dev Vcs-Bzr: lp:~ubuntu-core-dev/shim/trunk Package: shim -- cgit v1.2.3 From 0e7f9a71d62abba31357b842825d38fd3fa3f18b Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Thu, 31 Aug 2017 19:08:49 -0400 Subject: debian/patches/buildid_write_return.patch: workaround our strict compile rules failing the build: make sure write calls check the return value. --- debian/changelog | 2 ++ debian/patches/buildid_write_return.patch | 35 +++++++++++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 38 insertions(+) create mode 100644 debian/patches/buildid_write_return.patch (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 830e763d..806465b0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -24,6 +24,8 @@ shim (12+1503074702.5202f80-0ubuntu1~test3) artful; urgency=medium * debian/rules: clean up after *.signed files. * debian/shim.install: update paths in light of using shim's upstream install target. + * debian/patches/buildid_write_return.patch: workaround our strict compile + rules failing the build: make sure write calls check the return value. -- Mathieu Trudel-Lapierre Tue, 29 Aug 2017 22:45:30 -0400 diff --git a/debian/patches/buildid_write_return.patch b/debian/patches/buildid_write_return.patch new file mode 100644 index 00000000..268cbd33 --- /dev/null +++ b/debian/patches/buildid_write_return.patch 
@@ -0,0 +1,35 @@ +--- + buildid.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +Index: b/buildid.c +=================================================================== +--- a/buildid.c ++++ b/buildid.c +@@ -113,6 +113,7 @@ static void handle_one(char *f) + char *b = NULL; + size_t sz; + uint8_t *data; ++ ssize_t written; + + if (!strcmp(f, "-")) { + fd = STDIN_FILENO; +@@ -132,10 +133,14 @@ static void handle_one(char *f) + b = alloca(sz * 2 + 1); + data2hex(data, sz, b); + if (b) { +- write(1, f, strlen(f)); +- write(1, " ", 1); +- write(1, b, strlen(b)); +- write(1, "\n", 1); ++ written = write(1, f, strlen(f)); ++ if (written < 0) ++ errx(1, "Error writing build id"); ++ written = write(1, " ", 1); ++ written = write(1, b, strlen(b)); ++ if (written < 0) ++ errx(1, "Error writing build id"); ++ written = write(1, "\n", 1); + } + } + elf_end(elf); diff --git a/debian/patches/series b/debian/patches/series index 268dc0e6..0f0fda43 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ fix_makefile_phony.patch +buildid_write_return.patch -- cgit v1.2.3 From c3fa7299807746320f6b6bbe7779a77152856c08 Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Thu, 31 Aug 2017 19:10:10 -0400 Subject: debian/rules, debian/shim.install: make sure the 'make install' step does what it's meant to do by upstream: we can easily make use of the end result to have the files we need. --- debian/changelog | 3 +++ debian/rules | 20 +++++++++++++------- debian/shim.install | 7 ++++--- 3 files changed, 20 insertions(+), 10 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 806465b0..086a2d20 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -26,6 +26,9 @@ shim (12+1503074702.5202f80-0ubuntu1~test3) artful; urgency=medium target. * debian/patches/buildid_write_return.patch: workaround our strict compile rules failing the build: make sure write calls check the return value. + * debian/rules, debian/shim.install: make sure the 'make install' step does + what it's meant to do by upstream: we can easily make use of the end result + to have the files we need. -- Mathieu Trudel-Lapierre Tue, 29 Aug 2017 22:45:30 -0400 diff --git a/debian/rules b/debian/rules index d863ab7d..cf799825 100755 --- a/debian/rules +++ b/debian/rules @@ -6,14 +6,25 @@ # should be building the other binaries also. ifeq ($(shell dpkg-vendor --is ubuntu && echo yes),yes) cert=debian/canonical-uefi-ca.der + distributor=ubuntu else cert=debian/debian-uefi-ca.der + distributor=debian endif ifeq ($(DEB_HOST_ARCH),amd64) export EFI_ARCH := x64 endif +COMMON_OPTIONS = \ + MAKELEVEL=0 \ + EFI_PATH=/usr/lib \ + ENABLE_SHIM_CERT=1 \ + ENABLE_SBSIGN=1 \ + VENDOR_CERT_FILE=$(cert) \ + EFIDIR=$(distributor) \ + $(NULL) + %: dh $@ --parallel @@ -22,15 +33,10 @@ override_dh_auto_clean: rm -f *.signed override_dh_auto_build: - dh_auto_build -- \ - MAKELEVEL=0 \ - EFI_PATH=/usr/lib \ - ENABLE_SHIM_CERT=1 \ - ENABLE_SBSIGN=1 \ - VENDOR_CERT_FILE=$(cert) + dh_auto_build -- $(COMMON_OPTIONS) override_dh_auto_install: - dh_auto_install -- MAKELEVEL=0 EFIDIR=ubuntu + dh_auto_install --destdir=debian/tmp -- $(COMMON_OPTIONS) override_dh_fixperms: dh_fixperms diff --git a/debian/shim.install b/debian/shim.install index 0f5a04b4..268df256 100644 --- a/debian/shim.install +++ b/debian/shim.install @@ -1,3 +1,4 @@ -/boot/efi/EFI/ubuntu/shim*.efi /usr/lib/shim -/boot/efi/EFI/ubuntu/mm*.efi.signed /usr/lib/shim -/boot/efi/EFI/ubuntu/fb*.efi.signed /usr/lib/shim +/boot/efi/EFI/*/shim*.efi /usr/lib/shim +/boot/efi/EFI/*/mm*.efi /usr/lib/shim +/boot/efi/EFI/*/fb*.efi /usr/lib/shim +/boot/efi/EFI/*/BOOT*.CSV /usr/lib/shim -- cgit v1.2.3 
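Review bot: EFIDIR=ubuntu is hard-coded on the dh_auto_install line in debian/rules and is passed to the install step only, not to dh_auto_build. If the upstream Makefile also reads EFIDIR at build time (the changelog says it "makes boot.csv for us"), build and install can disagree about the directory, and a non-Ubuntu build of this package ends up with an ubuntu directory even though debian/rules already selects the certificate by dpkg-vendor. Pass one shared option set to both steps and derive the directory from the vendor check.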
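Review bot: in the handle_one() hunk of debian/patches/buildid_write_return.patch, only two of the four write() calls are actually checked. The results of write(1, " ", 1) and write(1, "\n", 1) are stored in written and then overwritten or never read, so the assignment only silences the unused-result warning. The two checks that do exist test written < 0 and therefore accept a short write, which would print a truncated build id and still exit 0. Check every call against the requested length (or loop until done), or format the line once and write it with a single checked call. The patch also has no description header saying why it exists or whether it was forwarded.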
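Review bot: the new globs in debian/shim.install drop the .signed suffix (mm*.efi, fb*.efi) and widen the directory to EFI/*/, and nothing in the change shows that either is safe. First, confirm that the files installed under the unsuffixed names are the copies signed with the build-time certificate, since the package previously shipped mm*.efi.signed and fb*.efi.signed; a check with sbverify against shim.crt in debian/rules after dh_auto_install would make that explicit (sbsigntool is already a build dependency). Second, EFI/*/ matches every directory the install target creates, and every match is copied into /usr/lib/shim, so two same-named files from different directories would silently overwrite each other. Since EFIDIR is now set from $(distributor), the paths can be narrowed to that one directory.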
From a97c2654996184b9a327630bc020f24f70a8b0da Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Thu, 31 Aug 2017 19:11:13 -0400 Subject: changelog: ~test3 wasn't released; prepare for another test upload. Signed-off-by: Mathieu Trudel-Lapierre --- debian/changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 086a2d20..e7cfd4f1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -shim (12+1503074702.5202f80-0ubuntu1~test3) artful; urgency=medium +shim (12+1503074702.5202f80-0ubuntu1~test4) UNRELEASED; urgency=medium * New upstream snapshot: 12+1503074702.5202f80. * debian/control: add a Build-Depends on libnss3-tools for pk12-util. -- cgit v1.2.3 From 544696f3ade15d70a5d8389c481e964a164cd3de Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Wed, 13 Sep 2017 12:11:21 -0700 Subject: Drop PHONY fix patch; merged upstream. --- debian/changelog | 2 -- debian/patches/fix_makefile_phony.patch | 22 ---------------------- debian/patches/series | 1 - 3 files changed, 25 deletions(-) delete mode 100644 debian/patches/fix_makefile_phony.patch (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index e7cfd4f1..bef19f35 100644 --- a/debian/changelog +++ b/debian/changelog @@ -19,8 +19,6 @@ shim (12+1503074702.5202f80-0ubuntu1~test4) UNRELEASED; urgency=medium * debian/patches/sbsigntool-no-pesign: dropped; no longer needed.. * debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: dropped, included upstream. - * debian/patches/fix_makefile_phony.patch: fix a makefile bug causing shim - to fail to build, because it gets confused about the .signed efi files. * debian/rules: clean up after *.signed files. * debian/shim.install: update paths in light of using shim's upstream install target. diff --git a/debian/patches/fix_makefile_phony.patch b/debian/patches/fix_makefile_phony.patch deleted file mode 100644 index 8a8d4749..00000000 
--- a/debian/patches/fix_makefile_phony.patch +++ /dev/null @@ -1,22 +0,0 @@ -From: Mathieu Trudel-Lapierre -Subject: Fix Makefile to successfully build for shim with cert and sbsign - -sbsign needs shim.key and shim.crt, but the only target that exists in -makefile is shim.crt. shim.key is a side-effect building shim.crt. - ---- - Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -Index: b/Makefile -=================================================================== ---- a/Makefile -+++ b/Makefile -@@ -362,6 +362,6 @@ archive: tag - @rm -rf /tmp/shim-$(VERSION) - @echo "The archive is in shim-$(VERSION).tar.bz2" - --.PHONY : install-deps -+.PHONY : install-deps shim.key - - export ARCH CC LD OBJCOPY EFI_INCLUDE diff --git a/debian/patches/series b/debian/patches/series index 0f0fda43..db9eed12 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1 @@ -fix_makefile_phony.patch buildid_write_return.patch -- cgit v1.2.3 From 1bb5cf18d0cb6a846c88fa65cd2809e4c1105c39 Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Wed, 13 Sep 2017 12:12:27 -0700 Subject: New upstream snapshot: 13~git1505328970.9c1c35c5 --- debian/changelog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index bef19f35..91638001 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,6 @@ -shim (12+1503074702.5202f80-0ubuntu1~test4) UNRELEASED; urgency=medium +shim (13~git1505328970.9c1c35c5-0ubuntu1~test1) UNRELEASED; urgency=medium - * New upstream snapshot: 12+1503074702.5202f80. + * New upstream snapshot: 13~git1505328970.9c1c35c5 * debian/control: add a Build-Depends on libnss3-tools for pk12-util. * debian/control: add a Build-Depends on libelf-dev. * debian/rules: -- cgit v1.2.3 From 21fbf908f79c48fe0a7082465268e65d7b89d062 Mon Sep 17 00:00:00 2001 
From: Mathieu Trudel-Lapierre Date: Wed, 27 Sep 2017 12:45:29 -0400 Subject: New upstream snapshot: 13~git1505328971.0780644a --- debian/changelog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 91638001..e9fd3ba5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,6 @@ -shim (13~git1505328970.9c1c35c5-0ubuntu1~test1) UNRELEASED; urgency=medium +shim (13~git1505328971.0780644a-0ubuntu1~test1) UNRELEASED; urgency=medium - * New upstream snapshot: 13~git1505328970.9c1c35c5 + * New upstream snapshot: 13~git1505328971.0780644a * debian/control: add a Build-Depends on libnss3-tools for pk12-util. * debian/control: add a Build-Depends on libelf-dev. * debian/rules: -- cgit v1.2.3 From 52b46c08f66fb2c5525b7b6efe6c89e0455bdb34 Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Wed, 27 Sep 2017 12:46:14 -0400 Subject: Ignore unused-variable errors. --- debian/changelog | 1 + debian/rules | 2 ++ 2 files changed, 3 insertions(+) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index e9fd3ba5..d439d761 100644 --- a/debian/changelog +++ b/debian/changelog @@ -14,6 +14,7 @@ shim (13~git1505328971.0780644a-0ubuntu1~test1) UNRELEASED; urgency=medium at compile-time for MokManager and fallback. - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback and MokManager. + - Ignore unused-variable errors. * debian/patches/second-stage-path: dropped; the default loader path now includes an arch suffix. * debian/patches/sbsigntool-no-pesign: dropped; no longer needed.. diff --git a/debian/rules b/debian/rules index cf799825..3ea5da40 100755 --- a/debian/rules +++ b/debian/rules @@ -25,6 +25,8 @@ COMMON_OPTIONS = \ EFIDIR=$(distributor) \ $(NULL) +CPPFLAGS += -Wno-error=unused-variable + %: dh $@ --parallel -- cgit v1.2.3 From 926d9476901166a54b71bef61ee5ce93f9712697 Mon Sep 17 00:00:00 2001 
From: Mathieu Trudel-Lapierre Date: Wed, 27 Sep 2017 12:54:05 -0400 Subject: debian/control: add Breaks: for the previous shim-signed builds given that shim will now build and ship BOOT.CSV by itself. --- debian/changelog | 2 ++ debian/control | 1 + 2 files changed, 3 insertions(+) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index d439d761..6a423ca2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,6 +3,8 @@ shim (13~git1505328971.0780644a-0ubuntu1~test1) UNRELEASED; urgency=medium * New upstream snapshot: 13~git1505328971.0780644a * debian/control: add a Build-Depends on libnss3-tools for pk12-util. * debian/control: add a Build-Depends on libelf-dev. + * debian/control: add Breaks: for the previous shim-signed builds given + that shim will now build and ship BOOT.CSV by itself. * debian/rules: - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream options: set MAKELEVEL. diff --git a/debian/control b/debian/control index febdfb9c..d0caba5e 100644 --- a/debian/control +++ b/debian/control @@ -10,6 +10,7 @@ Vcs-Bzr: lp:~ubuntu-core-dev/shim/trunk Package: shim Architecture: amd64 Depends: ${shlibs:Depends}, ${misc:Depends} +Breaks: shim-signed (<< 1.33~) Description: boot loader to chain-load signed boot loaders under Secure Boot This package provides a minimalist boot loader which allows verifying signatures of other UEFI binaries against either the Secure Boot DB/DBX or -- cgit v1.2.3 From e85582f4ca53cd6ae9079db04929ce1986fff577 Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Wed, 27 Sep 2017 12:55:12 -0400 Subject: We don't really need libnss3-tools. --- debian/changelog | 1 - debian/control | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 6a423ca2..005a1457 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,7 +1,6 @@ shim (13~git1505328971.0780644a-0ubuntu1~test1) UNRELEASED; urgency=medium * New upstream snapshot: 13~git1505328971.0780644a - * debian/control: add a Build-Depends on libnss3-tools for pk12-util. * debian/control: add a Build-Depends on libelf-dev. * debian/control: add Breaks: for the previous shim-signed builds given that shim will now build and ship BOOT.CSV by itself. diff --git a/debian/control b/debian/control index d0caba5e..ea901e5d 100644 --- a/debian/control +++ b/debian/control @@ -4,7 +4,7 @@ Priority: optional Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Steve Langasek Standards-Version: 3.9.8 -Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl, libnss3-tools, libelf-dev +Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl, libelf-dev Vcs-Bzr: lp:~ubuntu-core-dev/shim/trunk Package: shim -- cgit v1.2.3 From a9cd148a1ee45beb601867a7f0584ea4918d1bf7 Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Wed, 27 Sep 2017 13:10:32 -0400 Subject: New upstream snapshot: 13~git1506531982.23ce039 --- debian/changelog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 005a1457..6751cc8f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,6 @@ -shim (13~git1505328971.0780644a-0ubuntu1~test1) UNRELEASED; urgency=medium +shim (13~git1506531982.23ce039-0ubuntu1~test1) UNRELEASED; urgency=medium - * New upstream snapshot: 13~git1505328971.0780644a + * New upstream snapshot: 13~git1506531982.23ce039 * debian/control: add a Build-Depends on libelf-dev. * debian/control: add Breaks: for the previous shim-signed builds given that shim will now build and ship BOOT.CSV by itself. -- cgit v1.2.3 From 2f7a1c0b6838d7b32c58d6fc3351100d1f7f3e95 Mon Sep 17 00:00:00 2001 
From: Mathieu Trudel-Lapierre Date: Fri, 29 Sep 2017 11:22:09 -0400 Subject: New upstream release: 13 --- debian/changelog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 6751cc8f..6ad19edf 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,6 @@ -shim (13~git1506531982.23ce039-0ubuntu1~test1) UNRELEASED; urgency=medium +shim (13-0ubuntu1) UNRELEASED; urgency=medium - * New upstream snapshot: 13~git1506531982.23ce039 + * New upstream release: 13 * debian/control: add a Build-Depends on libelf-dev. * debian/control: add Breaks: for the previous shim-signed builds given that shim will now build and ship BOOT.CSV by itself. -- cgit v1.2.3 From 04acbb3ee336d40822a47045308045872abd7cb8 Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Fri, 29 Sep 2017 11:24:56 -0400 Subject: Don't need to set -Wno-error=unused-variable anymore Signed-off-by: Mathieu Trudel-Lapierre --- debian/changelog | 1 - debian/rules | 2 -- 2 files changed, 3 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 6ad19edf..a849dca5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -15,7 +15,6 @@ shim (13-0ubuntu1) UNRELEASED; urgency=medium at compile-time for MokManager and fallback. - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback and MokManager. - - Ignore unused-variable errors. * debian/patches/second-stage-path: dropped; the default loader path now includes an arch suffix. * debian/patches/sbsigntool-no-pesign: dropped; no longer needed.. diff --git a/debian/rules b/debian/rules index 3ea5da40..cf799825 100755 --- a/debian/rules +++ b/debian/rules @@ -25,8 +25,6 @@ COMMON_OPTIONS = \ EFIDIR=$(distributor) \ $(NULL) -CPPFLAGS += -Wno-error=unused-variable - %: dh $@ --parallel -- cgit v1.2.3 From 560a356bc7fd03341c7ff7ce9560e9e32cfb264c Mon Sep 17 00:00:00 2001 
From: Mathieu Trudel-Lapierre Date: Fri, 29 Sep 2017 11:26:01 -0400 Subject: Drop buildid_write_return.patch; no longer needed. Signed-off-by: Mathieu Trudel-Lapierre --- debian/changelog | 2 -- debian/patches/buildid_write_return.patch | 35 ------------------------------- debian/patches/series | 1 - 3 files changed, 38 deletions(-) delete mode 100644 debian/patches/buildid_write_return.patch (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index a849dca5..7048958f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -23,8 +23,6 @@ shim (13-0ubuntu1) UNRELEASED; urgency=medium * debian/rules: clean up after *.signed files. * debian/shim.install: update paths in light of using shim's upstream install target. - * debian/patches/buildid_write_return.patch: workaround our strict compile - rules failing the build: make sure write calls check the return value. * debian/rules, debian/shim.install: make sure the 'make install' step does what it's meant to do by upstream: we can easily make use of the end result to have the files we need. diff --git a/debian/patches/buildid_write_return.patch b/debian/patches/buildid_write_return.patch deleted file mode 100644 index 268cbd33..00000000 --- a/debian/patches/buildid_write_return.patch +++ /dev/null 
@@ -1,35 +0,0 @@ ---- - buildid.c | 13 +++++++++---- - 1 file changed, 9 insertions(+), 4 deletions(-) - -Index: b/buildid.c -=================================================================== ---- a/buildid.c -+++ b/buildid.c -@@ -113,6 +113,7 @@ static void handle_one(char *f) - char *b = NULL; - size_t sz; - uint8_t *data; -+ ssize_t written; - - if (!strcmp(f, "-")) { - fd = STDIN_FILENO; -@@ -132,10 +133,14 @@ static void handle_one(char *f) - b = alloca(sz * 2 + 1); - data2hex(data, sz, b); - if (b) { -- write(1, f, strlen(f)); -- write(1, " ", 1); -- write(1, b, strlen(b)); -- write(1, "\n", 1); -+ written = write(1, f, strlen(f)); -+ if (written < 0) -+ errx(1, "Error writing build id"); -+ written = write(1, " ", 1); -+ written = write(1, b, strlen(b)); -+ if (written < 0) -+ errx(1, "Error writing build id"); -+ written = write(1, "\n", 1); - } - } - elf_end(elf); diff --git a/debian/patches/series b/debian/patches/series index db9eed12..e69de29b 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +0,0 @@ -buildid_write_return.patch -- cgit v1.2.3 From dbbe142c747516748dc05be595e3a06f791cc2c1 Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Fri, 29 Sep 2017 11:29:25 -0400 Subject: Don't need to clean after .signed files, upstream Makefile does it now. Signed-off-by: Mathieu Trudel-Lapierre --- debian/changelog | 1 - debian/rules | 1 - 2 files changed, 2 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 7048958f..3175b19c 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -20,7 +20,6 @@ shim (13-0ubuntu1) UNRELEASED; urgency=medium * debian/patches/sbsigntool-no-pesign: dropped; no longer needed.. * debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: dropped, included upstream. - * debian/rules: clean up after *.signed files. * debian/shim.install: update paths in light of using shim's upstream install target. * debian/rules, debian/shim.install: make sure the 'make install' step does diff --git a/debian/rules b/debian/rules index cf799825..8c3863ef 100755 --- a/debian/rules +++ b/debian/rules @@ -30,7 +30,6 @@ COMMON_OPTIONS = \ override_dh_auto_clean: dh_auto_clean -- MAKELEVEL=0 - rm -f *.signed override_dh_auto_build: dh_auto_build -- $(COMMON_OPTIONS) -- cgit v1.2.3 From 4a3efbe436c66ad0519563045c401e7191dc1bbd Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Fri, 29 Sep 2017 15:11:42 -0400 Subject: releasing package shim version 13-0ubuntu1 --- debian/changelog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 3175b19c..f55cf3c3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -shim (13-0ubuntu1) UNRELEASED; urgency=medium +shim (13-0ubuntu1) artful; urgency=medium * New upstream release: 13 * debian/control: add a Build-Depends on libelf-dev. @@ -26,7 +26,7 @@ shim (13-0ubuntu1) UNRELEASED; urgency=medium what it's meant to do by upstream: we can easily make use of the end result to have the files we need. - -- Mathieu Trudel-Lapierre Tue, 29 Aug 2017 22:45:30 -0400 + -- Mathieu Trudel-Lapierre Fri, 29 Sep 2017 15:11:28 -0400 shim (0.9+1474479173.6c180c6-1ubuntu1) zesty; urgency=medium -- cgit v1.2.3 From 81b34c16318358dda4aaf8701250dab3b0401b7d Mon Sep 17 00:00:00 2001 
From: Mathieu Trudel-Lapierre Date: Mon, 6 Nov 2017 09:18:08 -0500 Subject: debian/patches/abort_abort_abort.patch: signtool.exe isn't happy with some of the structure of our binary, partly because abort() is thought to be an external symbol, which causes some relocalisations to appear. --- debian/changelog | 8 ++++++++ debian/patches/abort_abort_abort.patch | 18 ++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 27 insertions(+) create mode 100644 debian/patches/abort_abort_abort.patch (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index f55cf3c3..c5832328 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +shim (13-0ubuntu2) UNRELEASED; urgency=medium + + * debian/patches/abort_abort_abort.patch: signtool.exe isn't happy with some + of the structure of our binary, partly because abort() is thought to be an + external symbol, which causes some relocalisations to appear. + + -- Mathieu Trudel-Lapierre Mon, 06 Nov 2017 09:13:01 -0500 + shim (13-0ubuntu1) artful; urgency=medium * New upstream release: 13 diff --git a/debian/patches/abort_abort_abort.patch b/debian/patches/abort_abort_abort.patch new file mode 100644 index 00000000..2afdac4c --- /dev/null +++ b/debian/patches/abort_abort_abort.patch @@ -0,0 +1,18 @@ +From: Peter Jones +Subject: define abort to avoid an unnecessary reloc. + +--- + Cryptlib/Include/OpenSslSupport.h | 1 + + 1 file changed, 1 insertion(+) + +Index: b/Cryptlib/Include/OpenSslSupport.h +=================================================================== +--- a/Cryptlib/Include/OpenSslSupport.h ++++ b/Cryptlib/Include/OpenSslSupport.h +@@ -380,5 +380,6 @@ extern FILE *stdout; + #define atoi(nptr) AsciiStrDecimalToUintn(nptr) + #define gettimeofday(tvp,tz) do { (tvp)->tv_sec = time(NULL); (tvp)->tv_usec = 0; } while (0) + #define gmtime_r(timer,result) (result = NULL) ++#define abort() + + #endif diff --git a/debian/patches/series b/debian/patches/series index e69de29b..ae84c759 100644 
--- a/debian/patches/series +++ b/debian/patches/series @@ -0,0 +1 @@ +abort_abort_abort.patch -- cgit v1.2.3 From d49114cbb96e016b205743032d4eb379aacada4f Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Tue, 7 Nov 2017 10:18:58 -0500 Subject: Clean up old patches. --- debian/patches/gcc-5.diff | 45 ------- debian/patches/gcc5-includes-stdarg.patch | 129 -------------------- debian/patches/prototypes | 191 ------------------------------ 3 files changed, 365 deletions(-) delete mode 100644 debian/patches/gcc-5.diff delete mode 100644 debian/patches/gcc5-includes-stdarg.patch delete mode 100644 debian/patches/prototypes (limited to 'debian') diff --git a/debian/patches/gcc-5.diff b/debian/patches/gcc-5.diff deleted file mode 100644 index e706c3ab..00000000 --- a/debian/patches/gcc-5.diff +++ /dev/null 
@@ -1,45 +0,0 @@ ---- - Cryptlib/Makefile | 2 +- - Cryptlib/OpenSSL/Makefile | 2 +- - Makefile | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -Index: b/Makefile -=================================================================== ---- a/Makefile -+++ b/Makefile -@@ -19,7 +19,7 @@ EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(A - EFI_LDS = elf_$(ARCH)_efi.lds - - DEFAULT_LOADER := \\\\grubx64.efi --CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ -+CFLAGS = -std=gnu89 -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ - -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \ - -Werror=sign-compare \ - "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \ -Index: b/Cryptlib/Makefile -=================================================================== ---- a/Cryptlib/Makefile -+++ b/Cryptlib/Makefile -@@ -1,7 +1,7 @@ - - EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol - --CFLAGS = -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \ -+CFLAGS = -std=gnu89 -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \ - -Wall $(EFI_INCLUDES) - - ifeq ($(ARCH),x86_64) -Index: b/Cryptlib/OpenSSL/Makefile -=================================================================== ---- a/Cryptlib/OpenSSL/Makefile -+++ b/Cryptlib/OpenSSL/Makefile -@@ -1,7 +1,7 @@ - - EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol - --CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \ -+CFLAGS = -std=gnu89 -ggdb -O0 -I. -I.. 
-I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \ - -Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC - - ifeq ($(ARCH),x86_64) diff --git a/debian/patches/gcc5-includes-stdarg.patch b/debian/patches/gcc5-includes-stdarg.patch deleted file mode 100644 index 57cf4a8e..00000000 --- a/debian/patches/gcc5-includes-stdarg.patch +++ /dev/null 
@@ -1,129 +0,0 @@ -From d51739a416400ad348d8a1c7e3886abce11fff1b Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 7 Apr 2015 11:59:25 -0400 -Subject: [PATCH] gcc 5.0 changes some include bits, so copy what arm does on - x86. - -Basically they messed around with stdarg some and now we need to do it -the other way. - -Signed-off-by: Peter Jones ---- - Cryptlib/Include/OpenSslSupport.h | 4 +++- - Cryptlib/Makefile | 3 ++- - Cryptlib/OpenSSL/Makefile | 5 +++-- - Makefile | 17 ++++++----------- - MokManager.c | 1 + - 5 files changed, 15 insertions(+), 15 deletions(-) - -Index: b/Cryptlib/Include/OpenSslSupport.h -=================================================================== ---- a/Cryptlib/Include/OpenSslSupport.h -+++ b/Cryptlib/Include/OpenSslSupport.h -@@ -34,7 +34,7 @@ typedef VOID *FILE; - // - // Map all va_xxxx elements to VA_xxx defined in MdePkg/Include/Base.h - // --#if !defined(__CC_ARM) // if va_list is not already defined -+#if !defined(__CC_ARM) || defined(_STDARG_H) // if va_list is not already defined - /* - * These are now unconditionally #defined by GNU_EFI's efistdarg.h, - * so we should #undef them here before providing a new definition. -@@ -94,7 +94,9 @@ typedef __builtin_va_list VA_LIST; - portably, hence it is provided by a Standard C header file. - For pre-Standard C compilers, here is a version that usually works - (but watch out!): */ -+#ifndef offsetof - #define offsetof(type, member) ( (int) & ((type*)0) -> member ) -+#endif - - // - // Basic types from EFI Application Toolkit required to buiild Open SSL -Index: b/Cryptlib/Makefile -=================================================================== ---- a/Cryptlib/Makefile -+++ b/Cryptlib/Makefile -@@ -2,7 +2,8 @@ - EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol - - CFLAGS = -std=gnu89 -ggdb -O0 -I. 
-fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \ -- -Wall $(EFI_INCLUDES) -+ -Wall $(EFI_INCLUDES) \ -+ -ffreestanding -I$(shell $(CC) -print-file-name=include) - - ifeq ($(ARCH),x86_64) - CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \ -Index: b/Cryptlib/OpenSSL/Makefile -=================================================================== ---- a/Cryptlib/OpenSSL/Makefile -+++ b/Cryptlib/OpenSSL/Makefile -@@ -2,6 +2,7 @@ - EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol - - CFLAGS = -std=gnu89 -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \ -+ -ffreestanding -I$(shell $(CC) -print-file-name=include) \ - -Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC - - ifeq ($(ARCH),x86_64) -@@ -13,10 +14,10 @@ ifeq ($(ARCH),ia32) - -m32 -DTHIRTY_TWO_BIT - endif - ifeq ($(ARCH),aarch64) -- CFLAGS += -O2 -DSIXTY_FOUR_BIT_LONG -ffreestanding -I$(shell $(CC) -print-file-name=include) -+ CFLAGS += -O2 -DSIXTY_FOUR_BIT_LONG - endif - ifeq ($(ARCH),arm) -- CFLAGS += -O2 -DTHIRTY_TWO_BIT -ffreestanding -I$(shell $(CC) -print-file-name=include) -+ CFLAGS += -O2 -DTHIRTY_TWO_BIT - endif - LDFLAGS = -nostdlib -znocombreloc - -Index: b/Makefile -=================================================================== ---- a/Makefile -+++ b/Makefile -@@ -21,7 +21,8 @@ EFI_LDS = elf_$(ARCH)_efi.lds - DEFAULT_LOADER 
:= \\\\grubx64.efi - CFLAGS = -std=gnu89 -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ - -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \ -- -Werror=sign-compare \ -+ -Werror=sign-compare -ffreestanding \ -+ -I$(shell $(CC) -print-file-name=include) \ - "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \ - "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \ - $(EFI_INCLUDES) -@@ -31,19 +32,13 @@ ifneq ($(origin OVERRIDE_SECURITY_POLICY - endif - - ifeq ($(ARCH),x86_64) -- CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \ -+ CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \ -+ -maccumulate-outgoing-args \ - -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI - endif - ifeq ($(ARCH),ia32) -- CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -m32 --endif -- --ifeq ($(ARCH),aarch64) -- CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include) --endif -- --ifeq ($(ARCH),arm) -- CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include) -+ CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \ -+ -maccumulate-outgoing-args -m32 - endif - - ifneq ($(origin VENDOR_CERT_FILE), undefined) -Index: b/MokManager.c -=================================================================== ---- a/MokManager.c -+++ b/MokManager.c -@@ -1,5 +1,6 @@ - #include - #include -+#include - #include - #include - #include "shim.h" diff --git a/debian/patches/prototypes b/debian/patches/prototypes deleted file mode 100644 index 7191e102..00000000 --- a/debian/patches/prototypes +++ /dev/null 
@@ -1,191 +0,0 @@ -Description: Include missing prototypes, and disable use of BIO_new_file - Pull in missing prototypes for functions that are not yet upstream in - gnu-efi, and #ifdef out references to BIO_new_file(), BIO_new_fp(), and - X509_load_{cert,crl}_file since the prototypes are themselves #ifdef'ed - out. - . - Without these prototypes, we get implicit conversions on amd64, which - are sensibly treated as a build failure by Launchpad. -Author: Steve Langasek - -Index: shim/Cryptlib/Library/BaseMemoryLib.h -=================================================================== ---- /dev/null -+++ shim/Cryptlib/Library/BaseMemoryLib.h -@@ -0,0 +1,41 @@ -+#ifndef __BASE_MEMORY_LIB__ -+#define __BASE_MEMORY_LIB__ -+ -+CHAR8 * -+ScanMem8 ( -+ IN CHAR8 *Buffer, -+ IN UINTN Size, -+ IN CHAR8 Value -+ ); -+ -+UINT32 -+WriteUnaligned32( -+ UINT32 *Buffer, -+ UINT32 Value -+ ); -+ -+CHAR8 * -+AsciiStrCat( -+ CHAR8 *Destination, -+ CHAR8 *Source -+ ); -+ -+CHAR8 * -+AsciiStrCpy( -+ CHAR8 *Destination, -+ CHAR8 *Source -+ ); -+ -+CHAR8 * -+AsciiStrnCpy( -+ CHAR8 *Destination, -+ CHAR8 *Source, -+ UINTN count -+ ); -+ -+UINTN -+AsciiStrSize( -+ CHAR8 *string -+ ); -+ -+#endif -Index: shim/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c -=================================================================== ---- shim.orig/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c -+++ shim/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c -@@ -157,6 +157,7 @@ - } - OPENSSL_free(tmp_data2); - } -+#ifndef OPENSSL_NO_STDIO - else if (strncmp(val->value, "file:", 5) == 0) - { - unsigned char buf[2048]; -@@ -194,6 +195,7 @@ - goto err; - } - } -+#endif - else if (strncmp(val->value, "text:", 5) == 0) - { - val_len = strlen(val->value + 5); -Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_def.c -=================================================================== ---- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_def.c -+++ shim/Cryptlib/OpenSSL/crypto/conf/conf_def.c -@@ -186,11 +186,13 @@ - int ret; - BIO *in=NULL; - 
-+#ifndef OPENSSL_NO_STDIO - #ifdef OPENSSL_SYS_VMS - in=BIO_new_file(name, "r"); - #else - in=BIO_new_file(name, "rb"); - #endif -+#endif - if (in == NULL) - { - if (ERR_GET_REASON(ERR_peek_last_error()) == BIO_R_NO_SUCH_FILE) -Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_lib.c -=================================================================== ---- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_lib.c -+++ shim/Cryptlib/OpenSSL/crypto/conf/conf_lib.c -@@ -92,11 +92,13 @@ - LHASH *ltmp; - BIO *in=NULL; - -+#ifndef OPENSSL_NO_STDIO - #ifdef OPENSSL_SYS_VMS - in=BIO_new_file(file, "r"); - #else - in=BIO_new_file(file, "rb"); - #endif -+#endif - if (in == NULL) - { - CONFerr(CONF_F_CONF_LOAD,ERR_R_SYS_LIB); -Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_sap.c -=================================================================== ---- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_sap.c -+++ shim/Cryptlib/OpenSSL/crypto/conf/conf_sap.c -@@ -93,12 +93,14 @@ - { - BIO *bio_err; - ERR_load_crypto_strings(); -+#ifndef OPENSSL_NO_STDIO - if ((bio_err=BIO_new_fp(stderr, BIO_NOCLOSE)) != NULL) - { - BIO_printf(bio_err,"Auto configuration failed\n"); - ERR_print_errors(bio_err); - BIO_free(bio_err); - } -+#endif - exit(1); - } - -Index: shim/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c -=================================================================== ---- shim.orig/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c -+++ shim/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c -@@ -374,11 +374,15 @@ - BIO *in; - EVP_PKEY *key; - fprintf(stderr, "(TEST_ENG_OPENSSL_PKEY)Loading Private key %s\n", key_id); -+#ifndef OPENSSL_NO_STDIO - in = BIO_new_file(key_id, "r"); - if (!in) - return NULL; - key = PEM_read_bio_PrivateKey(in, NULL, 0, NULL); - BIO_free(in); -+#else -+ return NULL; -+#endif - return key; - } - #endif -Index: shim/Cryptlib/OpenSSL/crypto/x509/by_dir.c -=================================================================== ---- shim.orig/Cryptlib/OpenSSL/crypto/x509/by_dir.c -+++ 
shim/Cryptlib/OpenSSL/crypto/x509/by_dir.c -@@ -92,8 +92,10 @@ - static int new_dir(X509_LOOKUP *lu); - static void free_dir(X509_LOOKUP *lu); - static int add_cert_dir(BY_DIR *ctx,const char *dir,int type); -+#ifndef OPENSSL_NO_STDIO - static int get_cert_by_subject(X509_LOOKUP *xl,int type,X509_NAME *name, - X509_OBJECT *ret); -+#endif - X509_LOOKUP_METHOD x509_dir_lookup= - { - "Load certs from files in a directory", -@@ -102,7 +104,11 @@ - NULL, /* init */ - NULL, /* shutdown */ - dir_ctrl, /* ctrl */ -+#ifdef OPENSSL_NO_STDIO -+ NULL, /* get_by_subject */ -+#else - get_cert_by_subject, /* get_by_subject */ -+#endif - NULL, /* get_by_issuer_serial */ - NULL, /* get_by_fingerprint */ - NULL, /* get_by_alias */ -@@ -242,6 +248,7 @@ - return(1); - } - -+#ifndef OPENSSL_NO_STDIO - static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name, - X509_OBJECT *ret) - { -@@ -383,3 +390,4 @@ - if (b != NULL) BUF_MEM_free(b); - return(ok); - } -+#endif -- cgit v1.2.3 From d1d148eac95886bee501167f8b44ce2cdeeaa66f Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Tue, 7 Nov 2017 10:19:35 -0500 Subject: releasing package shim version 13-0ubuntu2 --- debian/changelog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index c5832328..af00dc51 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,10 +1,10 @@ -shim (13-0ubuntu2) UNRELEASED; urgency=medium +shim (13-0ubuntu2) bionic; urgency=medium * debian/patches/abort_abort_abort.patch: signtool.exe isn't happy with some of the structure of our binary, partly because abort() is thought to be an external symbol, which causes some relocalisations to appear. - -- Mathieu Trudel-Lapierre Mon, 06 Nov 2017 09:13:01 -0500 + -- Mathieu Trudel-Lapierre Tue, 07 Nov 2017 10:19:04 -0500 shim (13-0ubuntu1) artful; urgency=medium -- cgit v1.2.3 From fac86c74039c4beb712beaf5676e5523346058c1 Mon Sep 17 00:00:00 2001 
From: Steve Langasek Date: Mon, 23 Apr 2018 18:09:05 -0700 Subject: Fix Vcs link. --- debian/changelog | 6 ++++++ debian/control | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index af00dc51..81f39670 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +shim (13-0ubuntu3) UNRELEASED; urgency=medium + + * Fix Vcs link. + + -- Steve Langasek Mon, 23 Apr 2018 18:08:31 -0700 + shim (13-0ubuntu2) bionic; urgency=medium * debian/patches/abort_abort_abort.patch: signtool.exe isn't happy with some diff --git a/debian/control b/debian/control index ea901e5d..12df554b 100644 --- a/debian/control +++ b/debian/control @@ -5,7 +5,7 @@ Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Steve Langasek Standards-Version: 3.9.8 Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl, libelf-dev -Vcs-Bzr: lp:~ubuntu-core-dev/shim/trunk +Vcs-Git: https://git.launchpad.net/~ubuntu-core-dev/shim/+git/shim Package: shim Architecture: amd64 -- cgit v1.2.3 From 3802e1ad5adf91f955b9f1408950e28bad10d830 Mon Sep 17 00:00:00 2001 From: dann frazier Date: Tue, 24 Apr 2018 12:40:56 -0600 Subject: Enable arm64 build. --- debian/changelog | 4 ++++ debian/control | 2 +- debian/rules | 2 ++ 3 files changed, 7 insertions(+), 1 deletion(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 81f39670..57cbf847 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,7 +1,11 @@ shim (13-0ubuntu3) UNRELEASED; urgency=medium + [ Steve Langasek ] * Fix Vcs link. + [ dann frazier ] + * Enable arm64 build. + -- Steve Langasek Mon, 23 Apr 2018 18:08:31 -0700 shim (13-0ubuntu2) bionic; urgency=medium diff --git a/debian/control b/debian/control index 12df554b..c8b8ffa0 100644 --- a/debian/control +++ b/debian/control 
@@ -8,7 +8,7 @@ Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl, libelf- Vcs-Git: https://git.launchpad.net/~ubuntu-core-dev/shim/+git/shim Package: shim -Architecture: amd64 +Architecture: amd64 arm64 Depends: ${shlibs:Depends}, ${misc:Depends} Breaks: shim-signed (<< 1.33~) Description: boot loader to chain-load signed boot loaders under Secure Boot diff --git a/debian/rules b/debian/rules index 8c3863ef..6c2cef1e 100755 --- a/debian/rules +++ b/debian/rules @@ -14,6 +14,8 @@ endif ifeq ($(DEB_HOST_ARCH),amd64) export EFI_ARCH := x64 +else ($(DEB_HOST_ARCH),arm64) +export EFI_ARCH := aa64 endif COMMON_OPTIONS = \ -- cgit v1.2.3 From 25f42a7c6071edfff27f6a4ee674da86652e2190 Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Tue, 24 Jul 2018 16:25:42 -0400 Subject: New upstream snapshot. --- debian/changelog | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 57cbf847..d1162720 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -shim (13-0ubuntu3) UNRELEASED; urgency=medium +shim (15+1531942534.dd3230d-0ubuntu1) UNRELEASED; urgency=medium [ Steve Langasek ] * Fix Vcs link. @@ -6,7 +6,10 @@ shim (13-0ubuntu3) UNRELEASED; urgency=medium [ dann frazier ] * Enable arm64 build. - -- Steve Langasek Mon, 23 Apr 2018 18:08:31 -0700 + [ Mathieu Trudel-Lapierre ] + * New upstream snapshot. + + -- Mathieu Trudel-Lapierre Tue, 24 Jul 2018 16:24:51 -0400 shim (13-0ubuntu2) bionic; urgency=medium -- cgit v1.2.3 From 0283a7456e3c16c3c2430160e57ea4f838dc94dc Mon Sep 17 00:00:00 2001 
From: Mathieu Trudel-Lapierre Date: Tue, 24 Jul 2018 16:26:53 -0400 Subject: debian/patches/abort_abort_abort.patch: dropped patch, included upstream. --- debian/changelog | 1 + debian/patches/abort_abort_abort.patch | 18 ------------------ debian/patches/series | 1 - 3 files changed, 1 insertion(+), 19 deletions(-) delete mode 100644 debian/patches/abort_abort_abort.patch (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index d1162720..5ea26c7d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -8,6 +8,7 @@ shim (15+1531942534.dd3230d-0ubuntu1) UNRELEASED; urgency=medium [ Mathieu Trudel-Lapierre ] * New upstream snapshot. + * debian/patches/abort_abort_abort.patch: dropped patch, included upstream. -- Mathieu Trudel-Lapierre Tue, 24 Jul 2018 16:24:51 -0400 diff --git a/debian/patches/abort_abort_abort.patch b/debian/patches/abort_abort_abort.patch deleted file mode 100644 index 2afdac4c..00000000 --- a/debian/patches/abort_abort_abort.patch +++ /dev/null @@ -1,18 +0,0 @@ -From: Peter Jones -Subject: define abort to avoid an unnecessary reloc. - ---- - Cryptlib/Include/OpenSslSupport.h | 1 + - 1 file changed, 1 insertion(+) - -Index: b/Cryptlib/Include/OpenSslSupport.h -=================================================================== ---- a/Cryptlib/Include/OpenSslSupport.h -+++ b/Cryptlib/Include/OpenSslSupport.h -@@ -380,5 +380,6 @@ extern FILE *stdout; - #define atoi(nptr) AsciiStrDecimalToUintn(nptr) - #define gettimeofday(tvp,tz) do { (tvp)->tv_sec = time(NULL); (tvp)->tv_usec = 0; } while (0) - #define gmtime_r(timer,result) (result = NULL) -+#define abort() - - #endif diff --git a/debian/patches/series b/debian/patches/series index ae84c759..e69de29b 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +0,0 @@ -abort_abort_abort.patch -- cgit v1.2.3 From f42b58fc50c5906a61f2f949f526d56f4cfc48d9 Mon Sep 17 00:00:00 2001 
From: Mathieu Trudel-Lapierre Date: Tue, 24 Jul 2018 16:39:07 -0400 Subject: * debian/rules: - define RELEASE and COMMIT_ID for the snapshot. - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature. --- debian/changelog | 3 +++ debian/rules | 3 +++ 2 files changed, 6 insertions(+) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 5ea26c7d..5630d819 100644 --- a/debian/changelog +++ b/debian/changelog @@ -9,6 +9,9 @@ shim (15+1531942534.dd3230d-0ubuntu1) UNRELEASED; urgency=medium [ Mathieu Trudel-Lapierre ] * New upstream snapshot. * debian/patches/abort_abort_abort.patch: dropped patch, included upstream. + * debian/rules: + - define RELEASE and COMMIT_ID for the snapshot. + - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature. -- Mathieu Trudel-Lapierre Tue, 24 Jul 2018 16:24:51 -0400 diff --git a/debian/rules b/debian/rules index 6c2cef1e..35668dfe 100755 --- a/debian/rules +++ b/debian/rules @@ -19,8 +19,11 @@ export EFI_ARCH := aa64 endif COMMON_OPTIONS = \ + RELEASE=15 \ + COMMIT_ID=dd3230d07f369cc39caaa7eb23558a64586d2713 \ MAKELEVEL=0 \ EFI_PATH=/usr/lib \ + ENABLE_HTTPBOOT=true \ ENABLE_SHIM_CERT=1 \ ENABLE_SBSIGN=1 \ VENDOR_CERT_FILE=$(cert) \ -- cgit v1.2.3 From ad536b8717e068bed101ed8f495e7f7eb93a713d Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Tue, 24 Jul 2018 18:13:48 -0400 Subject: debian/patches/fixup_git.patch: don't run git in clean; we're not really in a git tree. --- debian/changelog | 2 ++ debian/patches/fixup_git.patch | 19 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 22 insertions(+) create mode 100644 debian/patches/fixup_git.patch (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 5630d819..7253cb18 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -12,6 +12,8 @@ shim (15+1531942534.dd3230d-0ubuntu1) UNRELEASED; urgency=medium * debian/rules: - define RELEASE and COMMIT_ID for the snapshot. - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature. + * debian/patches/fixup_git.patch: don't run git in clean; we're not really + in a git tree. -- Mathieu Trudel-Lapierre Tue, 24 Jul 2018 16:24:51 -0400 diff --git a/debian/patches/fixup_git.patch b/debian/patches/fixup_git.patch new file mode 100644 index 00000000..33e9305d --- /dev/null +++ b/debian/patches/fixup_git.patch @@ -0,0 +1,19 @@ +From: Mathieu Trudel-Lapierre +Subject: We're not in a git tree, don't try to git clean. + +--- + Makefile | 1 - + 1 file changed, 1 deletion(-) + +Index: b/Makefile +=================================================================== +--- a/Makefile ++++ b/Makefile +@@ -225,7 +225,6 @@ clean-shim-objs: + @rm -rvf $(TARGET) *.o $(SHIM_OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb $(BOOTCSVNAME) + @rm -vf *.debug *.so *.efi *.efi.* *.tar.* version.c buildid + @rm -vf Cryptlib/*.[oa] Cryptlib/*/*.[oa] +- @git clean -f -d -e 'Cryptlib/OpenSSL/*' + + clean: clean-shim-objs + $(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean diff --git a/debian/patches/series b/debian/patches/series index e69de29b..767bfb59 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -0,0 +1 @@ +fixup_git.patch -- cgit v1.2.3 From 3f6670a9203b40d30fd5e8cec2547383379cbd42 Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Tue, 14 Aug 2018 14:49:36 -0400 Subject: releasing package shim version 15+1531942534.dd3230d-0ubuntu1 --- debian/changelog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 7253cb18..516c913d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -shim (15+1531942534.dd3230d-0ubuntu1) UNRELEASED; urgency=medium +shim (15+1531942534.dd3230d-0ubuntu1) cosmic; urgency=medium [ Steve Langasek ] * Fix Vcs link. 
@@ -15,7 +15,7 @@ shim (15+1531942534.dd3230d-0ubuntu1) UNRELEASED; urgency=medium * debian/patches/fixup_git.patch: don't run git in clean; we're not really in a git tree. - -- Mathieu Trudel-Lapierre Tue, 24 Jul 2018 16:24:51 -0400 + -- Mathieu Trudel-Lapierre Tue, 14 Aug 2018 13:37:35 -0400 shim (13-0ubuntu2) bionic; urgency=medium -- cgit v1.2.3 From 637de4775eb08483806cd585289727cd258f1a93 Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Tue, 21 Aug 2018 14:24:09 -0400 Subject: Update to new snapshot --- debian/changelog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 516c913d..647e0ca8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -shim (15+1531942534.dd3230d-0ubuntu1) cosmic; urgency=medium +shim (15+1533136590.3beb971-0ubuntu1) UNRELEASED; urgency=medium [ Steve Langasek ] * Fix Vcs link. @@ -15,7 +15,7 @@ shim (15+1531942534.dd3230d-0ubuntu1) cosmic; urgency=medium * debian/patches/fixup_git.patch: don't run git in clean; we're not really in a git tree. - -- Mathieu Trudel-Lapierre Tue, 14 Aug 2018 13:37:35 -0400 + -- Mathieu Trudel-Lapierre Tue, 21 Aug 2018 14:22:55 -0400 shim (13-0ubuntu2) bionic; urgency=medium -- cgit v1.2.3 From d2b378f8a44da21274bdb425406b27cc416e5666 Mon Sep 17 00:00:00 2001 From: Mathieu Trudel-Lapierre Date: Wed, 22 Aug 2018 10:06:32 -0400 Subject: Make sure we pass the right COMMIT_ID to build --- debian/rules | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'debian') diff --git a/debian/rules b/debian/rules index 35668dfe..4c92c804 100755 --- a/debian/rules +++ b/debian/rules @@ -20,7 +20,7 @@ endif COMMON_OPTIONS = \ RELEASE=15 \ - COMMIT_ID=dd3230d07f369cc39caaa7eb23558a64586d2713 \ + COMMIT_ID=3beb971b10659cf78144ddc5eeea83501384440c \ MAKELEVEL=0 \ EFI_PATH=/usr/lib \ ENABLE_HTTPBOOT=true \ -- cgit v1.2.3 From 9c12130f9cd2ae11a9336813dd1f1669c0b64ad0 Mon Sep 17 00:00:00 2001 
From: Mathieu Trudel-Lapierre Date: Wed, 22 Aug 2018 14:47:35 -0400 Subject: releasing package shim version 15+1533136590.3beb971-0ubuntu1 --- debian/changelog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'debian') diff --git a/debian/changelog b/debian/changelog index 647e0ca8..0110d094 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -shim (15+1533136590.3beb971-0ubuntu1) UNRELEASED; urgency=medium +shim (15+1533136590.3beb971-0ubuntu1) cosmic; urgency=medium [ Steve Langasek ] * Fix Vcs link. @@ -15,7 +15,7 @@ shim (15+1533136590.3beb971-0ubuntu1) UNRELEASED; urgency=medium * debian/patches/fixup_git.patch: don't run git in clean; we're not really in a git tree. - -- Mathieu Trudel-Lapierre Tue, 21 Aug 2018 14:22:55 -0400 + -- Mathieu Trudel-Lapierre Wed, 22 Aug 2018 10:52:10 -0400 shim (13-0ubuntu2) bionic; urgency=medium -- cgit v1.2.3
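Review bot: The commit that deletes debian/patches/buildid_write_return.patch gives only "no longer needed" as its reason, and its debian/changelog hunk removes the entry that explained the workaround. Nothing in the record then shows why the build passes without it, whether because upstream buildid.c now checks the write() return values or because the strict compile rules changed. State which it is in the commit message so the drop can be verified against the upstream source.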
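Review bot: In debian/patches/abort_abort_abort.patch, the added `#define abort()` in Cryptlib/Include/OpenSslSupport.h expands to nothing, so any code path in the bundled crypto library that reaches abort() on a fatal condition now falls through and keeps executing instead of stopping. For a Secure Boot loader, failing open like that is the wrong default. Suggest a definition that still avoids the external symbol but does not return (a local halt or spin helper), and list in the patch description which abort() call sites were checked.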
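Review bot: In the debian/rules hunk of "Enable arm64 build", `else ($(DEB_HOST_ARCH),arm64)` is missing the `ifeq` keyword, so make does not evaluate the parenthesised text as a condition and the branch is a plain else: EFI_ARCH is set to aa64 on every host architecture other than amd64, not only on arm64. It works today only because debian/control limits Architecture to amd64 and arm64. Use `else ifeq ($(DEB_HOST_ARCH),arm64)` so that adding another architecture later does not silently build with the wrong EFI_ARCH.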
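Review bot: In the debian/rules hunk that adds `RELEASE=15` and `COMMIT_ID=dd3230d07f369cc39caaa7eb23558a64586d2713` to COMMON_OPTIONS, the full hash is hard-coded separately from the short hash already carried in the changelog version (15+1531942534.dd3230d), and nothing ties the two together. The follow-up commit "Make sure we pass the right COMMIT_ID to build" had to correct it by hand after the changelog had already moved to 3beb971, which means a binary can be built with a COMMIT_ID that does not match its source. Suggest a check in debian/rules that fails the build when COMMIT_ID does not begin with the short hash taken from the package version.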