dann frazier [Mon, 6 May 2019 19:38:07 +0000 (13:38 -0600)]
Require dbx hashes
While it may be convenient for a developer to be able to do a build
w/o any dbx hashes, it prevents the $(DBX_LIST) target from having
a proper dependency on the $(DBX_HASHES) file. If a developer were
to add a new hash in a built tree, make would not detect that on
a subsequent build and would not update the $(DBX_LIST) file.
Continue to support a NULL $(DBX_LIST) build by touching the
$(DBX_LIST) file in case no efisiglist commands ran. Developers
can now create an empty $(DBX_HASHES) file to get that.
Steve McIntyre [Sat, 4 May 2019 17:52:08 +0000 (18:52 +0100)]
Generate a vendor dbx file at build time
This allows us to block executing binaries with specific
checksums. Generate the dbx list at runtime from a simple list of
sha256 hashes, so we can update this easily. If we need to also
blacklist a cert later, we'll need to update this code to add that
option too.
Add a build-dep on pesign to get the needed efisiglist program.
Apply an upstream patch from OpenSSL to tolerate a NULL sn. This
avoids a NULL pointer reference in shim.c:verify_eku(). This was
discovered because it causes a crash on ARM where, unlike x86, it does
not necessarily have memory mapped at 0x0.
Steve McIntyre [Fri, 3 May 2019 00:41:52 +0000 (01:41 +0100)]
VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls
Backport of upstream fix:
VLogError() calculates the size of format strings by using calls to
SPrint and VSPrint with a StrSize of 0 and NULL for an output
buffer. Unfortunately, this is an incorrect usage of (V)Sprint. A
StrSize of "0" is special-cased to mean "there is no limit". So, we
end up writing our string to address 0x0. This was discovered because
it causes a crash on ARM where, unlike x86, it does not necessarily
have memory mapped at 0x0.
Avoid the (V)Sprint calls altogether by using (V)PoolPrint, which
handles the size calculation and allocation for us.
Signed-off-by: Peter Jones <pjones@redhat.com>
Fixes: 25f6fd08cd26 ("try to show errors more usefully.")
[dannf: commit message ]
Signed-off-by: dann frazier <dann.frazier@canonical.com>
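The size-0 hazard and the allocate-then-format fix described in the commit above, as an added standard C sketch (not code from shim, gnu-efi or the commit). `sprint_model`, `pool_vprint` and `log_error` are hypothetical names; `sprint_model` only models the "size 0 means no limit" behaviour the commit message describes, with a guard that rejects the NULL-buffer measuring call.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the semantics the commit message describes for (V)SPrint:
 * size 0 means "no limit", so measuring with (NULL, 0) is a write to
 * address 0. This model rejects that call pattern instead of writing. */
static int sprint_model(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    if (buf == NULL)
        return -1;
    va_start(ap, fmt);
    int n = size ? vsnprintf(buf, size, fmt, ap) : vsprintf(buf, fmt, ap);
    va_end(ap);
    return n;
}

/* Allocating print: measure, allocate, format. Standard C defines
 * vsnprintf(NULL, 0, ...) as a pure length query, unlike the model above. */
static char *pool_vprint(const char *fmt, va_list ap)
{
    va_list measure;
    va_copy(measure, ap);
    int len = vsnprintf(NULL, 0, fmt, measure);
    va_end(measure);
    char *buf = len < 0 ? NULL : malloc((size_t)len + 1);
    if (buf != NULL)
        vsnprintf(buf, (size_t)len + 1, fmt, ap);
    return buf;
}

/* Hypothetical error logger: returns a heap string the caller frees. */
static char *log_error(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    char *msg = pool_vprint(fmt, ap);
    va_end(ap);
    return msg;
}

int main(void)
{
    char *msg = log_error("%s:%d: %s", "shim.c", 7, "constructed sample");
    printf("%s (old NULL/0 call -> %d)\n", msg ? msg : "(alloc failed)",
           sprint_model(NULL, 0, "%d", 1));
    free(msg);
    return 0;
}
```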
Steve McIntyre [Fri, 8 Mar 2019 22:04:53 +0000 (22:04 +0000)]
Update the signing-template JSON metadata
Move all the data under a new top-level "packages" key
Add an empty "trusted_certs" key - the helper binaries do not do any
further verification with an embedded key.
Steve McIntyre [Wed, 6 Mar 2019 22:28:28 +0000 (22:28 +0000)]
Rename all the packages containing the helper binaries
Remove potential confusion with shim-signed. We will now end up with
shim-helpers-$arch-signed to make it clear that they just contain the
helper binaries (fb.efi and mm.efi)
Luca Boccassi [Wed, 6 Jun 2018 22:02:16 +0000 (23:02 +0100)]
Override lintian error about template rules file
Lintian parses the shebang in the rules files of the templates packages
and complains that there is no dependency on make. But they are special
packages, so override it.
Philipp Hahn [Sun, 8 Apr 2018 09:09:10 +0000 (11:09 +0200)]
Rename to shim-unsigned
as all EFI binaries are now unsigned. They are useless to any normal
user as
- shim is useless without being signed by an external UEFI CA.
- mm and fb won't be loaded by shim as they are now no longer linked to
the corresponding shim by the ephemeral key.
Philipp Hahn [Sat, 7 Apr 2018 11:06:30 +0000 (13:06 +0200)]
Disable ephemeral key on Debian
shim creates an ephemeral key, which gets embedded into shim and is used
to sign the corresponding mok-manager (mm*.efi) and fall-back-manager
(fb*.efi).
This makes the build unreproducible.
For Debian we will get those two binaries signed by our Debian-UEFI-CA,
which is the primary (and only) key embedded in shim.
Steve Langasek [Sun, 10 Feb 2019 05:28:06 +0000 (21:28 -0800)]
* New upstream release.
- debian/patches/second-stage-path: dropped; the default loader path now
includes an arch suffix.
- debian/patches/sbsigntool-no-pesign: dropped; no longer needed.
* Drop remaining patches that were not being applied.
* Sync packaging from Ubuntu:
- debian/copyright: Update upstream source location.
- debian/control: add a Build-Depends on libelf-dev.
- Enable arm64 build.
- debian/patches/fixup_git.patch: don't run git in clean; we're not
really in a git tree.
- debian/rules, debian/shim.install: use the upstream install target as
intended, and move files to the target directory using dh_install.
- define RELEASE and COMMIT_ID for the snapshot.
- Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
- Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
options: set MAKELEVEL.
- Define an EFI_ARCH variable, and use that for paths to shim. This
makes it possible to build a shim for other architectures than amd64.
- Set EFIDIR=$distro for dh_auto_install; that will let files be installed
in the "right" final directories, and makes boot.csv for us.
- Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
at compile-time for MokManager and fallback.
- Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
and MokManager.
debian/patches/abort_abort_abort.patch: signtool.exe isn't happy with some of the structure of our binary, partly because abort() is thought to be an external symbol, which causes some relocalisations to appear.
debian/rules, debian/shim.install: make sure the 'make install' step does what it's meant to do by upstream: we can easily make use of the end result to have the files we need.