--- /dev/null
- prototypes
+second-stage-path
+sbsigntool-not-pesign
- gcc-5.diff
- gcc5-includes-stdarg.patch
--- /dev/null
- EFI_INCLUDES = -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -Iinclude
++VERSION = 0.9
++RELEASE :=
++ifneq ($(RELEASE),"")
++ RELEASE:="-$(RELEASE)"
++endif
++
+CC = $(CROSS_COMPILE)gcc
+LD = $(CROSS_COMPILE)ld
+OBJCOPY = $(CROSS_COMPILE)objcopy
+
+ARCH = $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,)
++OBJCOPY_GTE224 = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.version //g' | cut -f1-2 -d.` \>= 2.24)
+
+SUBDIRS = Cryptlib lib
+
+LIB_PATH = /usr/lib64
+
+EFI_INCLUDE := /usr/include/efi
- -Werror=sign-compare \
++EFI_INCLUDES = -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -I$(shell pwd)/include
+EFI_PATH := /usr/lib64/gnuefi
+
+LIB_GCC = $(shell $(CC) -print-libgcc-file-name)
+EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC)
+
+EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
+EFI_LDS = elf_$(ARCH)_efi.lds
+
+DEFAULT_LOADER := \\\\grubx64.efi
+CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
+ -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
- CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \
- -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI
++ -Werror=sign-compare -ffreestanding -std=gnu89 \
++ -I$(shell $(CC) -print-file-name=include) \
+ "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
+ "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
+ $(EFI_INCLUDES)
+
+ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
+ CFLAGS += -DOVERRIDE_SECURITY_POLICY
+endif
+
+ifeq ($(ARCH),x86_64)
- CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -m32
++ CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
++ -maccumulate-outgoing-args \
++ -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \
++ -DNO_BUILTIN_VA_FUNCS \
++ "-DEFI_ARCH=L\"x64\"" \
++ "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/x64-$(VERSION)$(RELEASE)/\""
+endif
+ifeq ($(ARCH),ia32)
-
++ CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
++ -maccumulate-outgoing-args -m32 \
++ "-DEFI_ARCH=L\"ia32\"" \
++ "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/ia32-$(VERSION)$(RELEASE)/\""
+endif
- CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include)
- endif
-
- ifeq ($(ARCH),arm)
- CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include)
+ifeq ($(ARCH),aarch64)
- LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS)
-
- VERSION = 0.8
++ CFLAGS += "-DEFI_ARCH=L\"aa64\"" \
++ "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/aa64-$(VERSION)$(RELEASE)/\""
+endif
+
+ifneq ($(origin VENDOR_CERT_FILE), undefined)
+ CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
+endif
+ifneq ($(origin VENDOR_DBX_FILE), undefined)
+ CFLAGS += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\"
+endif
+
- OBJS = shim.o netboot.o cert.o replacements.o version.o
++LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) --build-id=sha1
+
+TARGET = shim.efi MokManager.efi.signed fallback.efi.signed
- SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h version.c version.h
++OBJS = shim.o netboot.o cert.o replacements.o tpm.o version.o
+KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
- $(MAKE) -C lib
++SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h tpm.c tpm.h version.c version.h
+MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o
+MOK_SOURCES = MokManager.c shim.h include/console.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h
+FALLBACK_OBJS = fallback.o
+FALLBACK_SRCS = fallback.c
+
+all: $(TARGET)
+
+shim.crt:
+ ./make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
+
+shim.cer: shim.crt
+ openssl x509 -outform der -in $< -out $@
+
+shim_cert.h: shim.cer
+ echo "static UINT8 shim_cert[] = {" > $@
+ hexdump -v -e '1/1 "0x%02x, "' $< >> $@
+ echo "};" >> $@
+
+version.c : version.c.in
+ sed -e "s,@@VERSION@@,$(VERSION)," \
+ -e "s,@@UNAME@@,$(shell uname -a)," \
+ -e "s,@@COMMIT@@,$(shell if [ -d .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo commit id not available; fi)," \
+ < version.c.in > version.c
+
+certdb/secmod.db: shim.crt
+ -mkdir certdb
+ pk12util -d certdb/ -i shim.p12 -W "" -K ""
+ certutil -d certdb/ -A -i shim.crt -n shim -t u
+
+shim.o: $(SOURCES) shim_cert.h
++shim.o: $(wildcard *.h)
+
+cert.o : cert.S
+ $(CC) $(CFLAGS) -c -o $@ $<
+
+shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
+ $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
+
+fallback.o: $(FALLBACK_SRCS)
+
+fallback.so: $(FALLBACK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
+ $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
+
+MokManager.o: $(MOK_SOURCES)
+
+MokManager.so: $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
+ $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a
+
+Cryptlib/libcryptlib.a:
+ $(MAKE) -C Cryptlib
+
+Cryptlib/OpenSSL/libopenssl.a:
+ $(MAKE) -C Cryptlib/OpenSSL
+
+lib/lib.a:
++ $(MAKE) CFLAGS="$(CFLAGS)" -C lib
+
+ifeq ($(ARCH),aarch64)
+FORMAT := -O binary
+SUBSYSTEM := 0xa
+LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
+endif
+
+ifeq ($(ARCH),arm)
+FORMAT := -O binary
+SUBSYSTEM := 0xa
+LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
+endif
+
+FORMAT ?= --target efi-app-$(ARCH)
+
+%.efi: %.so
++ifneq ($(OBJCOPY_GTE224),1)
++ $(error objcopy >= 2.24 is required)
++endif
+ $(OBJCOPY) -j .text -j .sdata -j .data \
+ -j .dynamic -j .dynsym -j .rel* \
+ -j .rela* -j .reloc -j .eh_frame \
+ -j .vendor_cert \
+ $(FORMAT) $^ $@
+ $(OBJCOPY) -j .text -j .sdata -j .data \
+ -j .dynamic -j .dynsym -j .rel* \
+ -j .rela* -j .reloc -j .eh_frame \
+ -j .debug_info -j .debug_abbrev -j .debug_aranges \
+ -j .debug_line -j .debug_str -j .debug_ranges \
++ -j .note.gnu.build-id \
+ $(FORMAT) $^ $@.debug
+
+%.efi.signed: %.efi certdb/secmod.db
+ pesign -n certdb -i $< -c "shim" -s -o $@ -f
+
+clean:
+ $(MAKE) -C Cryptlib clean
+ $(MAKE) -C Cryptlib/OpenSSL clean
+ $(MAKE) -C lib clean
+ rm -rf $(TARGET) $(OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb
+ rm -f *.debug *.so *.efi *.tar.* version.c
+
+GITTAG = $(VERSION)
+
+test-archive:
+ @rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp
+ @mkdir -p /tmp/shim-$(VERSION)-tmp
+ @git archive --format=tar $(shell git branch | awk '/^*/ { print $$2 }') | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x )
+ @git diff | ( cd /tmp/shim-$(VERSION)-tmp/ ; patch -s -p1 -b -z .gitdiff )
+ @mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/
+ @git log -1 --pretty=format:%H > /tmp/shim-$(VERSION)/commit
+ @dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION)
+ @rm -rf /tmp/shim-$(VERSION)
+ @echo "The archive is in shim-$(VERSION).tar.bz2"
+
+tag:
+ git tag --sign $(GITTAG) refs/heads/master
+
+archive: tag
+ @rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp
+ @mkdir -p /tmp/shim-$(VERSION)-tmp
+ @git archive --format=tar $(GITTAG) | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x )
+ @mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/
+ @git log -1 --pretty=format:%H > /tmp/shim-$(VERSION)/commit
+ @dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION)
+ @rm -rf /tmp/shim-$(VERSION)
+ @echo "The archive is in shim-$(VERSION).tar.bz2"
+
+export ARCH CC LD OBJCOPY EFI_INCLUDE
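Review bot: The `ifneq ($(RELEASE),"")` test near the top of the Makefile compares the expanded value against the literal two-character string `""`, so with `RELEASE :=` left empty the branch is always taken and RELEASE becomes `"-"` with the quotes included, which then lands in every `-DDEBUGDIR=` path as `x64-0.9-/` (likewise for ia32 and aa64). Test for emptiness and drop the quoting: `ifneq ($(strip $(RELEASE)),)` / `RELEASE := -$(RELEASE)` / `endif`. The same three lines are repeated in the second copy of this Makefile at the start of the next file section, and the same fix applies there. Separately, `-I$(shell pwd)/include` in EFI_INCLUDES could be `-I$(CURDIR)/include`, since EFI_INCLUDES is recursively assigned and the shell fork otherwise repeats on every expansion.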
--- /dev/null
- EFI_INCLUDES = -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -Iinclude
++VERSION = 0.9
++RELEASE :=
++ifneq ($(RELEASE),"")
++ RELEASE:="-$(RELEASE)"
++endif
++
+CC = $(CROSS_COMPILE)gcc
+LD = $(CROSS_COMPILE)ld
+OBJCOPY = $(CROSS_COMPILE)objcopy
+
+ARCH = $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,)
++OBJCOPY_GTE224 = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.version //g' | cut -f1-2 -d.` \>= 2.24)
+
+SUBDIRS = Cryptlib lib
+
+LIB_PATH = /usr/lib64
+
+EFI_INCLUDE := /usr/include/efi
- -Werror=sign-compare \
++EFI_INCLUDES = -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -I$(shell pwd)/include
+EFI_PATH := /usr/lib64/gnuefi
+
+LIB_GCC = $(shell $(CC) -print-libgcc-file-name)
+EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC)
+
+EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
+EFI_LDS = elf_$(ARCH)_efi.lds
+
+DEFAULT_LOADER := \\\\grub.efi
+CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
+ -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
- CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \
- -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI
++ -Werror=sign-compare -ffreestanding -std=gnu89 \
++ -I$(shell $(CC) -print-file-name=include) \
+ "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
+ "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
+ $(EFI_INCLUDES)
+
+ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
+ CFLAGS += -DOVERRIDE_SECURITY_POLICY
+endif
+
+ifeq ($(ARCH),x86_64)
- CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -m32
++ CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
++ -maccumulate-outgoing-args \
++ -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \
++ -DNO_BUILTIN_VA_FUNCS \
++ "-DEFI_ARCH=L\"x64\"" \
++ "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/x64-$(VERSION)$(RELEASE)/\""
+endif
+ifeq ($(ARCH),ia32)
-
++ CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
++ -maccumulate-outgoing-args -m32 \
++ "-DEFI_ARCH=L\"ia32\"" \
++ "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/ia32-$(VERSION)$(RELEASE)/\""
+endif
- CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include)
- endif
-
- ifeq ($(ARCH),arm)
- CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include)
+ifeq ($(ARCH),aarch64)
- LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS)
-
- VERSION = 0.8
++ CFLAGS += "-DEFI_ARCH=L\"aa64\"" \
++ "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/aa64-$(VERSION)$(RELEASE)/\""
+endif
+
+ifneq ($(origin VENDOR_CERT_FILE), undefined)
+ CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
+endif
+ifneq ($(origin VENDOR_DBX_FILE), undefined)
+ CFLAGS += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\"
+endif
+
- OBJS = shim.o netboot.o cert.o replacements.o version.o
++LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) --build-id=sha1
+
+TARGET = shim.efi MokManager.efi.signed fallback.efi.signed
- SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h version.c version.h
++OBJS = shim.o netboot.o cert.o replacements.o tpm.o version.o
+KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
- $(MAKE) -C lib
++SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h tpm.c tpm.h version.c version.h
+MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o
+MOK_SOURCES = MokManager.c shim.h include/console.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h
+FALLBACK_OBJS = fallback.o
+FALLBACK_SRCS = fallback.c
+
+all: $(TARGET)
+
+shim.crt:
+ ./make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
+
+shim.cer: shim.crt
+ openssl x509 -outform der -in $< -out $@
+
+shim_cert.h: shim.cer
+ echo "static UINT8 shim_cert[] = {" > $@
+ hexdump -v -e '1/1 "0x%02x, "' $< >> $@
+ echo "};" >> $@
+
+version.c : version.c.in
+ sed -e "s,@@VERSION@@,$(VERSION)," \
+ -e "s,@@UNAME@@,$(shell uname -a)," \
+ -e "s,@@COMMIT@@,$(shell if [ -d .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo commit id not available; fi)," \
+ < version.c.in > version.c
+
+certdb/secmod.db: shim.crt
+ -mkdir certdb
+ pk12util -d certdb/ -i shim.p12 -W "" -K ""
+ certutil -d certdb/ -A -i shim.crt -n shim -t u
+
+shim.o: $(SOURCES) shim_cert.h
++shim.o: $(wildcard *.h)
+
+cert.o : cert.S
+ $(CC) $(CFLAGS) -c -o $@ $<
+
+shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
+ $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
+
+fallback.o: $(FALLBACK_SRCS)
+
+fallback.so: $(FALLBACK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
+ $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
+
+MokManager.o: $(MOK_SOURCES)
+
+MokManager.so: $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a lib/lib.a
+ $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a
+
+Cryptlib/libcryptlib.a:
+ $(MAKE) -C Cryptlib
+
+Cryptlib/OpenSSL/libopenssl.a:
+ $(MAKE) -C Cryptlib/OpenSSL
+
+lib/lib.a:
++ $(MAKE) CFLAGS="$(CFLAGS)" -C lib
+
+ifeq ($(ARCH),aarch64)
+FORMAT := -O binary
+SUBSYSTEM := 0xa
+LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
+endif
+
+ifeq ($(ARCH),arm)
+FORMAT := -O binary
+SUBSYSTEM := 0xa
+LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
+endif
+
+FORMAT ?= --target efi-app-$(ARCH)
+
+%.efi: %.so
++ifneq ($(OBJCOPY_GTE224),1)
++ $(error objcopy >= 2.24 is required)
++endif
+ $(OBJCOPY) -j .text -j .sdata -j .data \
+ -j .dynamic -j .dynsym -j .rel* \
+ -j .rela* -j .reloc -j .eh_frame \
+ -j .vendor_cert \
+ $(FORMAT) $^ $@
+ $(OBJCOPY) -j .text -j .sdata -j .data \
+ -j .dynamic -j .dynsym -j .rel* \
+ -j .rela* -j .reloc -j .eh_frame \
+ -j .debug_info -j .debug_abbrev -j .debug_aranges \
+ -j .debug_line -j .debug_str -j .debug_ranges \
++ -j .note.gnu.build-id \
+ $(FORMAT) $^ $@.debug
+
+%.efi.signed: %.efi certdb/secmod.db
+ pesign -n certdb -i $< -c "shim" -s -o $@ -f
+
+clean:
+ $(MAKE) -C Cryptlib clean
+ $(MAKE) -C Cryptlib/OpenSSL clean
+ $(MAKE) -C lib clean
+ rm -rf $(TARGET) $(OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb
+ rm -f *.debug *.so *.efi *.tar.* version.c
+
+GITTAG = $(VERSION)
+
+test-archive:
+ @rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp
+ @mkdir -p /tmp/shim-$(VERSION)-tmp
+ @git archive --format=tar $(shell git branch | awk '/^*/ { print $$2 }') | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x )
+ @git diff | ( cd /tmp/shim-$(VERSION)-tmp/ ; patch -s -p1 -b -z .gitdiff )
+ @mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/
+ @git log -1 --pretty=format:%H > /tmp/shim-$(VERSION)/commit
+ @dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION)
+ @rm -rf /tmp/shim-$(VERSION)
+ @echo "The archive is in shim-$(VERSION).tar.bz2"
+
+tag:
+ git tag --sign $(GITTAG) refs/heads/master
+
+archive: tag
+ @rm -rf /tmp/shim-$(VERSION) /tmp/shim-$(VERSION)-tmp
+ @mkdir -p /tmp/shim-$(VERSION)-tmp
+ @git archive --format=tar $(GITTAG) | ( cd /tmp/shim-$(VERSION)-tmp/ ; tar x )
+ @mv /tmp/shim-$(VERSION)-tmp/ /tmp/shim-$(VERSION)/
+ @git log -1 --pretty=format:%H > /tmp/shim-$(VERSION)/commit
+ @dir=$$PWD; cd /tmp; tar -c --bzip2 -f $$dir/shim-$(VERSION).tar.bz2 shim-$(VERSION)
+ @rm -rf /tmp/shim-$(VERSION)
+ @echo "The archive is in shim-$(VERSION).tar.bz2"
+
+export ARCH CC LD OBJCOPY EFI_INCLUDE
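Review bot: The `lib/lib.a` recipe now passes `CFLAGS="$(CFLAGS)"` on the sub-make command line, but CFLAGS already carries its own embedded double quotes (`"-DDEFAULT_LOADER=L\"…\""`, `"-DEFI_ARCH=…"`, `"-DDEBUGDIR=…"`), so the value is tokenized by the shell once here and then parsed again by the sub-make's shell, which appears to strip one extra level of backslashes from DEFAULT_LOADER compared with what this Makefile's own compile rules receive. The file already exports `ARCH CC LD OBJCOPY EFI_INCLUDE` on its last line; if lib/Makefile does not assign CFLAGS itself (not visible here), adding CFLAGS to that `export` line and reverting the recipe to `$(MAKE) -C lib` hands the value over through the environment without the extra round of shell parsing. If lib/Makefile does set CFLAGS, the command-line override is needed but the embedded quoting should then be moved out of CFLAGS into a separate variable. The same recipe is present in the first copy of this Makefile in the previous file section.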
EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
EFI_LDS = elf_$(ARCH)_efi.lds
-DEFAULT_LOADER := \\\\grub.efi
+DEFAULT_LOADER := \\\\grubx64.efi
- CFLAGS = -std=gnu89 -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
+ CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
-fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
- -Werror=sign-compare -ffreestanding \
+ -Werror=sign-compare -ffreestanding -std=gnu89 \
-I$(shell $(CC) -print-file-name=include) \
"-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
"-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
-j .rela* -j .reloc -j .eh_frame \
-j .debug_info -j .debug_abbrev -j .debug_aranges \
-j .debug_line -j .debug_str -j .debug_ranges \
+ -j .note.gnu.build-id \
$(FORMAT) $^ $@.debug
-%.efi.signed: %.efi certdb/secmod.db
- pesign -n certdb -i $< -c "shim" -s -o $@ -f
+%.efi.signed: %.efi shim.crt
+ sbsign --key shim.key --cert shim.crt $<
clean:
$(MAKE) -C Cryptlib clean
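Review bot: The new `%.efi.signed` recipe, `sbsign --key shim.key --cert shim.crt $<`, never names `$@`; it relies on sbsign's default of writing `<input>.signed`, which only coincidentally matches the target name, so any change to the TARGET naming or to that default would leave Make tracking a file the recipe did not write. Pass the output explicitly: `sbsign --key shim.key --cert shim.crt --output $@ $<`. The recipe also reads `shim.key`, which is not a declared prerequisite; presumably it is produced by the same `./make-certs` step as `shim.crt` (that rule is outside this hunk), but listing it, `%.efi.signed: %.efi shim.crt shim.key`, makes the signing key an explicit input of the signed artefact.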
--- /dev/null
- shim (0.8-0ubuntu3) UNRELEASED; urgency=medium
++shim (0.9+1465500757.14a5905-0ubuntu1) UNRELEASED; urgency=medium
+
++ * New upstream release.
++
+ [ Matthias Klose ]
+ * Fix build with GCC 5, forcing -std=gnu89 to not rely on stdint.h
+ required by efibind.h, and not found with -nostdinc. (LP: #1429978)
+
+ [ Mathieu Trudel-Lapierre ]
+ * More GCC 5 fixes: stdarg.h and other include tweaks, cherry-pick from
+ d51739a4.
+
- -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com> Tue, 12 May 2015 21:43:35 -0400
++ -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 26 Jul 2016 12:02:21 -0400
+
+shim (0.8-0ubuntu2) wily; urgency=medium
+
+ * No-change rebuild against gnu-efi 3.0v-5ubuntu1.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 12 May 2015 17:48:30 +0000
+
+shim (0.8-0ubuntu1) wily; urgency=medium
+
+ * New upstream release.
+ - Clarify meaning of insecure_mode. (LP: #1384973)
+ * debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,
+ debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included
+ in the upstream release.
+ * debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path:
+ refreshed.
+
+ -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com> Mon, 11 May 2015 19:50:49 -0400
+
+shim (0.7-0ubuntu4) utopic; urgency=medium
+
+ * SECURITY UPDATE: heap overflow and out-of-bounds read access when
+ parsing DHCPv6 information
+ - debian/patches/CVE-2014-3675.patch: apply proper bounds checking
+ when parsing data provided in DHCPv6 packets.
+ - CVE-2014-3675
+ - CVE-2014-3676
+ * SECURITY UPDATE: memory corruption when processing user-provided key
+ lists
+ - debian/patches/CVE-2014-3677.patch: detect malformed machine owner
+ key (MOK) lists and ignore them, avoiding possible memory corruption.
+ - CVE-2014-3677
+
+ -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 08 Oct 2014 06:40:40 +0000
+
+shim (0.7-0ubuntu2) utopic; urgency=medium
+
+ * Restore debian/patches/prototypes, which still is needed on shim 0.7
+ but only detected on the buildds.
+ * Update debian/patches/prototypes with some new declarations needed for
+ openssl 0.9.8za update.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 16:20:08 -0700
+
+shim (0.7-0ubuntu1) utopic; urgency=medium
+
+ * New upstream release.
+ - fix spurious error message when fallback.efi is not present, as will
+ always be the case for removable media. LP: #1297069.
+ - drop most patches, included upstream.
+ * debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick
+ openssl 0.9.8za in via upstream.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 05:40:41 +0000
+
+shim (0.4-0ubuntu5) utopic; urgency=low
+
+ * Install fallback.efi.signed as well, to lay the groundwork for fallback
+ handling (wanted when we have to move a drive between machines, or when
+ the firmware loses its marbles^W nvram).
+
+ -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 04 Aug 2014 12:11:13 +0200
+
+shim (0.4-0ubuntu4) saucy; urgency=low
+
+ * debian/patches/fix-tftp-prototype: pass the right arguments to
+ EFI_PXE_BASE_CODE_TFTP_READ_FILE.
+ * debian/patches/build-with-Werror: Build with -Werror to catch future
+ prototype mismatches.
+ * debian/patches/fix-compiler-warnings: Fix remaining compiler
+ warnings in netboot.c.
+ * debian/patches/tftp-proper-nul-termination: fix nul termination
+ errors in filenames passed to tftp.
+ * debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to
+ the netboot code.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 23 Sep 2013 00:30:00 -0700
+
+shim (0.4-0ubuntu3) saucy; urgency=low
+
+ [ Steve Langasek ]
+ * Install MokManager.efi.signed in the package.
+ * debian/patches/no-output-by-default.patch: Don't print any
+ informational messages. Closes LP: #1074302.
+
+ [ Stéphane Graber ]
+ * debian/patches/no-print-on-unsigned: Don't print an error message when
+ validating an unsigned binary as that tends to hang Lenovo machines.
+ (LP: #1087501)
+
+ -- Stéphane Graber <stgraber@ubuntu.com> Thu, 08 Aug 2013 17:12:12 +0200
+
+shim (0.4-0ubuntu2) saucy; urgency=low
+
+ * Add missing build-dependency on openssl.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 20:30:43 +0000
+
+shim (0.4-0ubuntu1) saucy; urgency=low
+
+ * New upstream release.
+ * Drop debian/patches/shim-before-loadimage; upstream has changed this to
+ not call loadimage at all.
+ * debian/patches/sbsigntool-not-pesign: Sign MokManager with
+ sbsigntool instead of pesign.
+ * Add a versioned build-dependency on gnu-efi.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 12:53:24 -0700
+
+shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low
+
+ * debian/patches/shim-before-loadimage: Use direct verification first
+ before LoadImage. Addresses an issue where Lenovo's SecureBoot
+ implementation pops an error message on any verification failure - avoid
+ calling LoadImage at all unless we have to.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 10 Oct 2012 15:28:40 -0700
+
+shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low
+
+ * debian/patches/second-stage-path: Chainload grubx64.efi, not
+ grub.efi.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 05 Oct 2012 11:20:58 -0700
+
+shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low
+
+ * debian/patches/prototypes: Include missing prototypes, and disable
+ use of BIO_new_file.
+ * Only build the package for amd64; we're not signing an i386 shim at this
+ stage so there's no point in building it.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 17:47:04 +0000
+
+shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low
+
+ * Initial release.
+ * Include the Canonical Secure Boot master CA.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 00:01:06 -0700
--- /dev/null
- prototypes
+second-stage-path
+sbsigntool-not-pesign
- gcc-5.diff
- gcc5-includes-stdarg.patch