New upstream version 13

parent 77e5c6e4
VERSION = 12
VERSION = 13
ifneq ($(origin RELEASE),undefined)
DASHRELEASE ?= -$(RELEASE)
else
......@@ -171,7 +171,7 @@ shim.cer: shim.crt
.NOTPARALLEL: shim_cert.h
shim_cert.h: shim.cer
echo "static UINT8 shim_cert[] = {" > $@
echo "static UINT8 shim_cert[] __attribute__((__unused__)) = {" > $@
$(HEXDUMP) -v -e '1/1 "0x%02x, "' $< >> $@
echo "};" >> $@
......@@ -337,7 +337,7 @@ clean:
$(MAKE) -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile clean
$(MAKE) -C lib -f $(TOPDIR)/lib/Makefile clean
rm -rf $(TARGET) $(OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb $(BOOTCSVNAME)
rm -f *.debug *.so *.efi *.efi.* *.tar.* version.c
rm -f *.debug *.so *.efi *.efi.* *.tar.* version.c buildid
GITTAG = $(VERSION)
......
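Review bot: The shim_cert.h recipe still assembles `$@` in three separate shell steps with `>` and `>>`, so if `$(HEXDUMP)` fails after the first echo a truncated shim_cert.h is left behind with a fresh mtime and later runs treat it as up to date; since this header appears to be the certificate that gets compiled into MokManager and fallback, a silently stale or partial file is worth guarding against. Writing to a temporary name and renaming last, `echo "static UINT8 shim_cert[] __attribute__((__unused__)) = {" > $@.tmp`, `$(HEXDUMP) -v -e '1/1 "0x%02x, "' $< >> $@.tmp`, `echo "};" >> $@.tmp && mv -f $@.tmp $@`, or a file-wide `.DELETE_ON_ERROR:`, closes that window. The `.NOTPARALLEL: shim_cert.h` line above the rule looks like it expects per-target semantics, which GNU make only gained in 4.4; on older versions the prerequisite is ignored and the whole build is serialised, so a comment saying which behaviour is intended would help the next reader.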
......@@ -113,6 +113,7 @@ static void handle_one(char *f)
char *b = NULL;
size_t sz;
uint8_t *data;
ssize_t written;
if (!strcmp(f, "-")) {
fd = STDIN_FILENO;
......@@ -132,10 +133,14 @@ static void handle_one(char *f)
b = alloca(sz * 2 + 1);
data2hex(data, sz, b);
if (b) {
write(1, f, strlen(f));
write(1, " ", 1);
write(1, b, strlen(b));
write(1, "\n", 1);
written = write(1, f, strlen(f));
if (written < 0)
errx(1, "Error writing build id");
written = write(1, " ", 1);
written = write(1, b, strlen(b));
if (written < 0)
errx(1, "Error writing build id");
written = write(1, "\n", 1);
}
}
elf_end(elf);
......
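Review bot: The new checks are inconsistent: `written = write(1, " ", 1);` and `written = write(1, "\n", 1);` store the result but never test it, a short write (0 <= written < len) is never handled for any of the four calls, and `errx` discards errno so a failure prints no reason where `err(1, …)` would. A small helper that loops until the buffer is drained makes all four call sites uniform and lets the `written` local go away; the same hunks appear again in the raw copy of this patch further down the page, so the remark applies there too. handle_one() starts and ends outside the hunk.
```c
/* Write all len bytes to fd or exit: write(2) may return short or fail. */
static void
write_all(int fd, const char *buf, size_t len)
{
	while (len > 0) {
		ssize_t n = write(fd, buf, len);
		if (n < 0)
			err(1, "Error writing build id");
		if (n == 0)
			errx(1, "Error writing build id: short write");
		buf += n;
		len -= n;
	}
}

/* … unchanged: handle_one() through data2hex(data, sz, b); … */
	if (b) {
		write_all(1, f, strlen(f));
		write_all(1, " ", 1);
		write_all(1, b, strlen(b));
		write_all(1, "\n", 1);
	}
```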
23ce039c434d164a3848c829b237899cc17c1d21
\ No newline at end of file
5e827007b3d95c4ce999422462248f5e7d3f270f
\ No newline at end of file
shim (13~git1505328971.0780644a-0ubuntu1~test1) UNRELEASED; urgency=medium
* New upstream snapshot: 13~git1505328971.0780644a
* debian/control: add a Build-Depends on libelf-dev.
* debian/control: add Breaks: for the previous shim-signed builds given
that shim will now build and ship BOOT.CSV by itself.
* debian/rules:
- Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
options: set MAKELEVEL.
- Define an EFI_ARCH variable, and use that for paths to shim. This
makes it possible to build a shim for other architectures than amd64.
- Set EFIDIR=ubuntu for dh_auto_install; that will let files be installed
in the "right" final directories, and makes boot.csv for us.
- Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
at compile-time for MokManager and fallback.
- Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
and MokManager.
- Ignore unused-variable errors.
* debian/patches/second-stage-path: dropped; the default loader path now
includes an arch suffix.
* debian/patches/sbsigntool-no-pesign: dropped; no longer needed..
* debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: dropped,
included upstream.
* debian/rules: clean up after *.signed files.
* debian/shim.install: update paths in light of using shim's upstream install
target.
* debian/patches/buildid_write_return.patch: workaround our strict compile
rules failing the build: make sure write calls check the return value.
* debian/rules, debian/shim.install: make sure the 'make install' step does
what it's meant to do by upstream: we can easily make use of the end result
to have the files we need.
-- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 29 Aug 2017 22:45:30 -0400
shim (0.9+1474479173.6c180c6-1ubuntu1) zesty; urgency=medium
[ Steve Langasek ]
* Merge (not yet NEW cleared) changes from Debian branch.
[ Mathieu Trudel-Lapierre ]
* debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: guard
against errors in mirroring MokSBState to MokSBStateRT. Thanks to Ivan Hu
for the patch. This will fix issues updating MokSBStateRT if the variable
already exists with different attributes. (LP: #1644806)
-- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Thu, 01 Dec 2016 16:55:50 -0500
shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium
[ Steve Langasek ]
* Initial Debian upload. Closes: #820052.
* Update Standards-Version.
* Embed the newly-minted Debian CA certificate.
* Vendorize debian/rules so that the same package can be used in both
Debian and Ubuntu without modification.
* Fix debian/copyright to match the spec (last match wins, not first)
* Fix shim.efi to not be executable.
* Add watchfile.
* Support parallel builds, because eh why not
* Update Vcs-Bzr.
* Resync with Ubuntu, including patch to fix debian/copyright.
[ Julien Cristau ]
* Add some missing copyright holders in d/copyright, update
Upstream-Contact. Thanks to Helen Koike for the help.
-- Julien Cristau <jcristau@debian.org> Sat, 15 Oct 2016 15:17:34 +0200
shim (0.9+1474479173.6c180c6-0ubuntu1) yakkety; urgency=medium
[ Helen Koike ]
* debian/copyright: add OpenSSL license
[ Mathieu Trudel-Lapierre ]
* New upstream release. (LP: #1624096)
* debian/copyright: patches should be BSD, like the rest of the upstream
code.
* debian/patches/unused-variable: dropped; applied upstream.
* debian/patches/binutils-version-matching: dropped, fixed upstream.
* debian/shim.install: built EFI binaries were renamed; update our install
file to properly pick up shim (shim$arch), MokManager (mm$arch), and
fallback (fb$arch).
-- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Thu, 22 Sep 2016 15:02:20 -0400
shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium
* New upstream release.
- Better handle LoadOptions. (LP: #1581299)
- Measure state and second stage in TPM.
- Mirror MokSBState in runtime as MokSBStateRT.
- Fix failure to build with GCC 5. (LP: #1429978)
- Various bug fixes and other improvements.
* Refreshed patches.
- Remaining patches:
+ second-stage-path
+ sbsigntool-not-pesign
* debian/patches/unused-variable: remove unused variable size.
* debian/patches/binutils-version-matching: revert d9a4c912 to correctly
match objcopy's version on Ubuntu.
* debian/copyright: update copyright for patches.
-- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 26 Jul 2016 16:48:32 -0400
shim (0.8-0ubuntu2) wily; urgency=medium
* No-change rebuild against gnu-efi 3.0v-5ubuntu1.
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 12 May 2015 17:48:30 +0000
shim (0.8-0ubuntu1) wily; urgency=medium
* New upstream release.
- Clarify meaning of insecure_mode. (LP: #1384973)
* debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,
debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included
in the upstream release.
* debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path:
refreshed.
-- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com> Mon, 11 May 2015 19:50:49 -0400
shim (0.7-0ubuntu4) utopic; urgency=medium
* SECURITY UPDATE: heap overflow and out-of-bounds read access when
parsing DHCPv6 information
- debian/patches/CVE-2014-3675.patch: apply proper bounds checking
when parsing data provided in DHCPv6 packets.
- CVE-2014-3675
- CVE-2014-3676
* SECURITY UPDATE: memory corruption when processing user-provided key
lists
- debian/patches/CVE-2014-3677.patch: detect malformed machine owner
key (MOK) lists and ignore them, avoiding possible memory corruption.
- CVE-2014-3677
-- Steve Langasek <steve.langasek@ubuntu.com> Wed, 08 Oct 2014 06:40:40 +0000
shim (0.7-0ubuntu2) utopic; urgency=medium
* Restore debian/patches/prototypes, which still is needed on shim 0.7
but only detected on the buildds.
* Update debian/patches/prototypes with some new declarations needed for
openssl 0.9.8za update.
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 16:20:08 -0700
shim (0.7-0ubuntu1) utopic; urgency=medium
* New upstream release.
- fix spurious error message when fallback.efi is not present, as will
always be the case for removable media. LP: #1297069.
- drop most patches, included upstream.
* debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick
openssl 0.9.8za in via upstream.
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 05:40:41 +0000
shim (0.4-0ubuntu5) utopic; urgency=low
* Install fallback.efi.signed as well, to lay the groundwork for fallback
handling (wanted when we have to move a drive between machines, or when
the firmware loses its marbles^W nvram).
-- Steve Langasek <steve.langasek@ubuntu.com> Mon, 04 Aug 2014 12:11:13 +0200
shim (0.4-0ubuntu4) saucy; urgency=low
* debian/patches/fix-tftp-prototype: pass the right arguments to
EFI_PXE_BASE_CODE_TFTP_READ_FILE.
* debian/patches/build-with-Werror: Build with -Werror to catch future
prototype mismatches.
* debian/patches/fix-compiler-warnings: Fix remaining compiler
warnings in netboot.c.
* debian/patches/tftp-proper-nul-termination: fix nul termination
errors in filenames passed to tftp.
* debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to
the netboot code.
-- Steve Langasek <steve.langasek@ubuntu.com> Mon, 23 Sep 2013 00:30:00 -0700
shim (0.4-0ubuntu3) saucy; urgency=low
[ Steve Langasek ]
* Install MokManager.efi.signed in the package.
* debian/patches/no-output-by-default.patch: Don't print any
informational messages. Closes LP: #1074302.
[ Stéphane Graber ]
* debian/patches/no-print-on-unsigned: Don't print an error message when
validating an unsigned binary as that tends to hang Lenovo machines.
(LP: #1087501)
-- Stéphane Graber <stgraber@ubuntu.com> Thu, 08 Aug 2013 17:12:12 +0200
shim (0.4-0ubuntu2) saucy; urgency=low
* Add missing build-dependency on openssl.
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 20:30:43 +0000
shim (0.4-0ubuntu1) saucy; urgency=low
* New upstream release.
* Drop debian/patches/shim-before-loadimage; upstream has changed this to
not call loadimage at all.
* debian/patches/sbsigntool-not-pesign: Sign MokManager with
sbsigntool instead of pesign.
* Add a versioned build-dependency on gnu-efi.
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 12:53:24 -0700
shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low
* debian/patches/shim-before-loadimage: Use direct verification first
before LoadImage. Addresses an issue where Lenovo's SecureBoot
implementation pops an error message on any verification failure - avoid
calling LoadImage at all unless we have to.
-- Steve Langasek <steve.langasek@ubuntu.com> Wed, 10 Oct 2012 15:28:40 -0700
shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low
* debian/patches/second-stage-path: Chainload grubx64.efi, not
grub.efi.
-- Steve Langasek <steve.langasek@ubuntu.com> Fri, 05 Oct 2012 11:20:58 -0700
shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low
* debian/patches/prototypes: Include missing prototypes, and disable
use of BIO_new_file.
* Only build the package for amd64; we're not signing an i386 shim at this
stage so there's no point in building it.
-- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 17:47:04 +0000
shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low
* Initial release.
* Include the Canonical Secure Boot master CA.
-- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 00:01:06 -0700
Source: shim
Section: admin
Priority: optional
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
XSBC-Original-Maintainer: Steve Langasek <vorlon@debian.org>
Standards-Version: 3.9.8
Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl, libelf-dev
Vcs-Bzr: lp:~ubuntu-core-dev/shim/trunk
Package: shim
Architecture: amd64
Depends: ${shlibs:Depends}, ${misc:Depends}
Breaks: shim-signed (<< 1.33~)
Description: boot loader to chain-load signed boot loaders under Secure Boot
This package provides a minimalist boot loader which allows verifying
signatures of other UEFI binaries against either the Secure Boot DB/DBX or
against a built-in signature database. Its purpose is to allow a small,
infrequently-changing binary to be signed by the UEFI CA, while allowing
an OS distributor to revision their main bootloader independently of the CA.
---
buildid.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
Index: b/buildid.c
===================================================================
--- a/buildid.c
+++ b/buildid.c
@@ -113,6 +113,7 @@ static void handle_one(char *f)
char *b = NULL;
size_t sz;
uint8_t *data;
+ ssize_t written;
if (!strcmp(f, "-")) {
fd = STDIN_FILENO;
@@ -132,10 +133,14 @@ static void handle_one(char *f)
b = alloca(sz * 2 + 1);
data2hex(data, sz, b);
if (b) {
- write(1, f, strlen(f));
- write(1, " ", 1);
- write(1, b, strlen(b));
- write(1, "\n", 1);
+ written = write(1, f, strlen(f));
+ if (written < 0)
+ errx(1, "Error writing build id");
+ written = write(1, " ", 1);
+ written = write(1, b, strlen(b));
+ if (written < 0)
+ errx(1, "Error writing build id");
+ written = write(1, "\n", 1);
}
}
elf_end(elf);
---
Cryptlib/Makefile | 2 +-
Cryptlib/OpenSSL/Makefile | 2 +-
Makefile | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
Index: b/Makefile
===================================================================
--- a/Makefile
+++ b/Makefile
@@ -19,7 +19,7 @@ EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(A
EFI_LDS = elf_$(ARCH)_efi.lds
DEFAULT_LOADER := \\\\grubx64.efi
-CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
+CFLAGS = -std=gnu89 -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
-fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
-Werror=sign-compare \
"-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
Index: b/Cryptlib/Makefile
===================================================================
--- a/Cryptlib/Makefile
+++ b/Cryptlib/Makefile
@@ -1,7 +1,7 @@
EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
-CFLAGS = -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
+CFLAGS = -std=gnu89 -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
-Wall $(EFI_INCLUDES)
ifeq ($(ARCH),x86_64)
Index: b/Cryptlib/OpenSSL/Makefile
===================================================================
--- a/Cryptlib/OpenSSL/Makefile
+++ b/Cryptlib/OpenSSL/Makefile
@@ -1,7 +1,7 @@
EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
-CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \
+CFLAGS = -std=gnu89 -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \
-Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC
ifeq ($(ARCH),x86_64)
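Review bot: `-std=gnu89` is added to three Makefiles with nothing recording why, so the next person touching the flags cannot tell whether the pin is still needed; a comment above each assignment such as `# -std=gnu89: this tree does not build under newer gcc's default C dialect — TODO record what breaks` would preserve that. The flag also lands in a plain `CFLAGS =` assignment, so a `make CFLAGS=…` from the command line replaces the whole list including `-fno-stack-protector`, `-fshort-wchar` and `-fpic`, which the freestanding EFI build relies on; keeping the mandatory flags in a separate variable, e.g. `EFI_CFLAGS := -std=gnu89 -fno-stack-protector -fshort-wchar -fpic … $(CFLAGS)`, makes such an override safe. The same applies to the Cryptlib/Makefile and Cryptlib/OpenSSL/Makefile hunks.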
From d51739a416400ad348d8a1c7e3886abce11fff1b Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 7 Apr 2015 11:59:25 -0400
Subject: [PATCH] gcc 5.0 changes some include bits, so copy what arm does on
x86.
Basically they messed around with stdarg some and now we need to do it
the other way.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
Cryptlib/Include/OpenSslSupport.h | 4 +++-
Cryptlib/Makefile | 3 ++-
Cryptlib/OpenSSL/Makefile | 5 +++--
Makefile | 17 ++++++-----------
MokManager.c | 1 +
5 files changed, 15 insertions(+), 15 deletions(-)
Index: b/Cryptlib/Include/OpenSslSupport.h
===================================================================
--- a/Cryptlib/Include/OpenSslSupport.h
+++ b/Cryptlib/Include/OpenSslSupport.h
@@ -34,7 +34,7 @@ typedef VOID *FILE;
//
// Map all va_xxxx elements to VA_xxx defined in MdePkg/Include/Base.h
//
-#if !defined(__CC_ARM) // if va_list is not already defined
+#if !defined(__CC_ARM) || defined(_STDARG_H) // if va_list is not already defined
/*
* These are now unconditionally #defined by GNU_EFI's efistdarg.h,
* so we should #undef them here before providing a new definition.
@@ -94,7 +94,9 @@ typedef __builtin_va_list VA_LIST;
portably, hence it is provided by a Standard C header file.
For pre-Standard C compilers, here is a version that usually works
(but watch out!): */
+#ifndef offsetof
#define offsetof(type, member) ( (int) & ((type*)0) -> member )
+#endif
//
// Basic types from EFI Application Toolkit required to buiild Open SSL
Index: b/Cryptlib/Makefile
===================================================================
--- a/Cryptlib/Makefile
+++ b/Cryptlib/Makefile
@@ -2,7 +2,8 @@
EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
CFLAGS = -std=gnu89 -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
- -Wall $(EFI_INCLUDES)
+ -Wall $(EFI_INCLUDES) \
+ -ffreestanding -I$(shell $(CC) -print-file-name=include)
ifeq ($(ARCH),x86_64)
CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \
Index: b/Cryptlib/OpenSSL/Makefile
===================================================================
--- a/Cryptlib/OpenSSL/Makefile
+++ b/Cryptlib/OpenSSL/Makefile
@@ -2,6 +2,7 @@
EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
CFLAGS = -std=gnu89 -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \
+ -ffreestanding -I$(shell $(CC) -print-file-name=include) \
-Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC
ifeq ($(ARCH),x86_64)
@@ -13,10 +14,10 @@ ifeq ($(ARCH),ia32)
-m32 -DTHIRTY_TWO_BIT
endif
ifeq ($(ARCH),aarch64)
- CFLAGS += -O2 -DSIXTY_FOUR_BIT_LONG -ffreestanding -I$(shell $(CC) -print-file-name=include)
+ CFLAGS += -O2 -DSIXTY_FOUR_BIT_LONG
endif
ifeq ($(ARCH),arm)
- CFLAGS += -O2 -DTHIRTY_TWO_BIT -ffreestanding -I$(shell $(CC) -print-file-name=include)
+ CFLAGS += -O2 -DTHIRTY_TWO_BIT
endif
LDFLAGS = -nostdlib -znocombreloc
Index: b/Makefile
===================================================================
--- a/Makefile
+++ b/Makefile
@@ -21,7 +21,8 @@ EFI_LDS = elf_$(ARCH)_efi.lds
DEFAULT_LOADER := \\\\grubx64.efi
CFLAGS = -std=gnu89 -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
-fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
- -Werror=sign-compare \
+ -Werror=sign-compare -ffreestanding \
+ -I$(shell $(CC) -print-file-name=include) \
"-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
"-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
$(EFI_INCLUDES)
@@ -31,19 +32,13 @@ ifneq ($(origin OVERRIDE_SECURITY_POLICY
endif
ifeq ($(ARCH),x86_64)
- CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \
+ CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
+ -maccumulate-outgoing-args \
-DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI
endif
ifeq ($(ARCH),ia32)
- CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -m32
-endif
-
-ifeq ($(ARCH),aarch64)
- CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include)
-endif
-
-ifeq ($(ARCH),arm)
- CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include)
+ CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
+ -maccumulate-outgoing-args -m32
endif
ifneq ($(origin VENDOR_CERT_FILE), undefined)
Index: b/MokManager.c
===================================================================
--- a/MokManager.c
+++ b/MokManager.c
@@ -1,5 +1,6 @@
#include <efi.h>
#include <efilib.h>
+#include <stdarg.h>
#include <Library/BaseCryptLib.h>
#include <openssl/x509.h>
#include "shim.h"
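Review bot: `-I$(shell $(CC) -print-file-name=include)` is inserted into recursively assigned `CFLAGS =` lines in Makefile, Cryptlib/Makefile and Cryptlib/OpenSSL/Makefile, so the compiler is re-executed every time CFLAGS is expanded, roughly once per compile line, and the same text is now duplicated in three places. Hoisting it once per Makefile as `GCC_INCLUDE := $(shell $(CC) -print-file-name=include)` and referencing `-I$(GCC_INCLUDE)` runs it a single time, assuming CC is final at that point. In the OpenSslSupport.h hunk the trailing `// if va_list is not already defined` no longer describes the new condition, which also fires when `_STDARG_H` is set; `// not the ARM compiler, or stdarg.h already included: #undef and redefine the va_* macros` would match what the block does.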
Description: Include missing prototypes, and disable use of BIO_new_file
Pull in missing prototypes for functions that are not yet upstream in
gnu-efi, and #ifdef out references to BIO_new_file(), BIO_new_fp(), and
X509_load_{cert,crl}_file since the prototypes are themselves #ifdef'ed
out.
.
Without these prototypes, we get implicit conversions on amd64, which
are sensibly treated as a build failure by Launchpad.
Author: Steve Langasek <steve.langasek@ubuntu.com>
Index: shim/Cryptlib/Library/BaseMemoryLib.h
===================================================================
--- /dev/null
+++ shim/Cryptlib/Library/BaseMemoryLib.h
@@ -0,0 +1,41 @@
+#ifndef __BASE_MEMORY_LIB__
+#define __BASE_MEMORY_LIB__
+
+CHAR8 *
+ScanMem8 (
+ IN CHAR8 *Buffer,
+ IN UINTN Size,
+ IN CHAR8 Value
+ );
+
+UINT32
+WriteUnaligned32(
+ UINT32 *Buffer,
+ UINT32 Value
+ );
+
+CHAR8 *
+AsciiStrCat(
+ CHAR8 *Destination,
+ CHAR8 *Source
+ );
+
+CHAR8 *
+AsciiStrCpy(
+ CHAR8 *Destination,
+ CHAR8 *Source
+ );
+
+CHAR8 *
+AsciiStrnCpy(
+ CHAR8 *Destination,
+ CHAR8 *Source,
+ UINTN count
+ );
+
+UINTN
+AsciiStrSize(
+ CHAR8 *string
+ );
+
+#endif
Index: shim/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c
===================================================================
--- shim.orig/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c
+++ shim/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c
@@ -157,6 +157,7 @@
}
OPENSSL_free(tmp_data2);
}
+#ifndef OPENSSL_NO_STDIO
else if (strncmp(val->value, "file:", 5) == 0)
{
unsigned char buf[2048];
@@ -194,6 +195,7 @@
goto err;
}
}
+#endif
else if (strncmp(val->value, "text:", 5) == 0)
{
val_len = strlen(val->value + 5);
Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_def.c
===================================================================
--- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_def.c
+++ shim/Cryptlib/OpenSSL/crypto/conf/conf_def.c
@@ -186,11 +186,13 @@
int ret;
BIO *in=NULL;
+#ifndef OPENSSL_NO_STDIO
#ifdef OPENSSL_SYS_VMS
in=BIO_new_file(name, "r");
#else
in=BIO_new_file(name, "rb");
#endif
+#endif
if (in == NULL)
{
if (ERR_GET_REASON(ERR_peek_last_error()) == BIO_R_NO_SUCH_FILE)
Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_lib.c
===================================================================
--- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_lib.c
+++ shim/Cryptlib/OpenSSL/crypto/conf/conf_lib.c
@@ -92,11 +92,13 @@
LHASH *ltmp;
BIO *in=NULL;
+#ifndef OPENSSL_NO_STDIO
#ifdef OPENSSL_SYS_VMS
in=BIO_new_file(file, "r");
#else
in=BIO_new_file(file, "rb");
#endif
+#endif
if (in == NULL)
{
CONFerr(CONF_F_CONF_LOAD,ERR_R_SYS_LIB);
Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_sap.c
===================================================================
--- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_sap.c
+++ shim/Cryptlib/OpenSSL/crypto/conf/conf_sap.c
@@ -93,12 +93,14 @@
{
BIO *bio_err;
ERR_load_crypto_strings();
+#ifndef OPENSSL_NO_STDIO
if ((bio_err=BIO_new_fp(stderr, BIO_NOCLOSE)) != NULL)
{
BIO_printf(bio_err,"Auto configuration failed\n");
ERR_print_errors(bio_err);
BIO_free(bio_err);
}
+#endif
exit(1);
}
Index: shim/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c
===================================================================
--- shim.orig/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c
+++ shim/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c
@@ -374,11 +374,15 @@
BIO *in;
EVP_PKEY *key;
fprintf(stderr, "(TEST_ENG_OPENSSL_PKEY)Loading Private key %s\n", key_id);
+#ifndef OPENSSL_NO_STDIO
in = BIO_new_file(key_id, "r");
if (!in)
return NULL;
key = PEM_read_bio_PrivateKey(in, NULL, 0, NULL);
BIO_free(in);
+#else
+ return NULL;
+#endif
return key;
}
#endif
Index: shim/Cryptlib/OpenSSL/crypto/x509/by_dir.c
===================================================================
--- shim.orig/Cryptlib/OpenSSL/crypto/x509/by_dir.c
+++ shim/Cryptlib/OpenSSL/crypto/x509/by_dir.c
@@ -92,8 +92,10 @@
static int new_dir(X509_LOOKUP *lu);
static void free_dir(X509_LOOKUP *lu);
static int add_cert_dir(BY_DIR *ctx,const char *dir,int type);
+#ifndef OPENSSL_NO_STDIO
static int get_cert_by_subject(X509_LOOKUP *xl,int type,X509_NAME *name,
X509_OBJECT *ret);
+#endif
X509_LOOKUP_METHOD x509_dir_lookup=
{
"Load certs from files in a directory",
@@ -102,7 +104,11 @@
NULL, /* init */
NULL, /* shutdown */
dir_ctrl, /* ctrl */
+#ifdef OPENSSL_NO_STDIO
+ NULL, /* get_by_subject */
+#else
get_cert_by_subject, /* get_by_subject */
+#endif
NULL, /* get_by_issuer_serial */
NULL, /* get_by_fingerprint */
NULL, /* get_by_alias */
@@ -242,6 +248,7 @@
return(1);
}
+#ifndef OPENSSL_NO_STDIO
static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
X509_OBJECT *ret)
{
@@ -383,3 +390,4 @@
if (b != NULL) BUF_MEM_free(b);
return(ok);
}
+#endif
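Review bot: In the eng_openssl.c hunk the declarations `BIO *in;` and `EVP_PKEY *key;` stay outside the new `#ifndef OPENSSL_NO_STDIO` guard, so with stdio disabled both are unused and the `return key;` after the guard is unreachable; conf_sap.c has the same shape with `BIO *bio_err;`, and the `fprintf(stderr, …)` just before the eng_openssl.c guard still uses stdio if that block is compiled at all. This looks like what the `-Wno-error=unused-variable` waiver in debian/rules is papering over. Moving the declarations inside the guard, `#ifndef OPENSSL_NO_STDIO` / `BIO *in;` / `EVP_PKEY *key;`, with the `#else` branch returning NULL as the hunk already does, keeps a -Werror build clean without the blanket waiver. The enclosing functions start and end outside these hunks.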
buildid_write_return.patch
#!/usr/bin/make -f
# Other vendors, add your certs here. No sense in using
# dpkg-vendor --derives-from, because only Canonical-generated binaries will
# be signed with this key; so if you are building your own shim binary you
# should be building the other binaries also.
ifeq ($(shell dpkg-vendor --is ubuntu && echo yes),yes)
cert=debian/canonical-uefi-ca.der
distributor=ubuntu
else
cert=debian/debian-uefi-ca.der
distributor=debian
endif
ifeq ($(DEB_HOST_ARCH),amd64)
export EFI_ARCH := x64
endif
COMMON_OPTIONS = \
MAKELEVEL=0 \
EFI_PATH=/usr/lib \
ENABLE_SHIM_CERT=1 \
ENABLE_SBSIGN=1 \
VENDOR_CERT_FILE=$(cert) \
EFIDIR=$(distributor) \
$(NULL)
CPPFLAGS += -Wno-error=unused-variable
%:
dh $@ --parallel
override_dh_auto_clean:
dh_auto_clean -- MAKELEVEL=0
rm -f *.signed
override_dh_auto_build:
dh_auto_build -- $(COMMON_OPTIONS)
override_dh_auto_install:
dh_auto_install --destdir=debian/tmp -- $(COMMON_OPTIONS)
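Review bot: `CPPFLAGS += -Wno-error=unused-variable` is assigned but not exported, so it only reaches the upstream make when CPPFLAGS already comes from the environment, as under dpkg-buildpackage; a bare `debian/rules build` would presumably build without it, though how dh_auto_build hands flags down is not visible here. Using the buildflags mechanism, `export DEB_CPPFLAGS_MAINT_APPEND = -Wno-error=unused-variable`, or an explicit `export CPPFLAGS` next to the existing `export EFI_ARCH`, makes it deterministic either way. The waiver also carries no comment naming which warning it silences; `# unused-variable: Cryptlib sources leave locals unused under OPENSSL_NO_STDIO — TODO confirm and drop when fixed` would stop it outliving its reason.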