Merge "Debian: shim-unsigned: porting from LAT"

2022-10-17 17:52:29 +00:00 · 2022-10-17 17:52:29 +00:00 · cc93a2bcb6
parent 9ad77012d2 0535f5b0ae
commit cc93a2bcb6
6 changed files with 34 additions and 132 deletions
--- a/security/shim-unsigned/debian/deb_patches/0001-shim-replace-the-debian-cert-file-with-ours.patch
+++ b/security/shim-unsigned/debian/deb_patches/0001-shim-replace-the-debian-cert-file-with-ours.patch
@ -0,0 +1,26 @@
+From 7bf206a8899a5df0bbc361a39eb5b38a6f0b0882 Mon Sep 17 00:00:00 2001
+From: Li Zhou <li.zhou@windriver.com>
+Date: Thu, 25 Aug 2022 18:10:28 +0800
+Subject: [PATCH] shim: replace the debian cert file with ours
+
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ debian/rules | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/debian/rules b/debian/rules
+index 58620be..0434c4d 100755
+--- a/debian/rules
+++ b/debian/rules
+@@ -11,7 +11,7 @@ ifeq ($(shell dpkg-vendor --is ubuntu && echo yes),yes)
+ 	distributor=ubuntu
+ COMMON_OPTIONS ?= ENABLE_SHIM_CERT=1 ENABLE_SBSIGN=1
+ else
+-	cert=debian/debian-uefi-ca.der
+	cert=tis-shim.der
+ 	distributor=debian
+ endif
+ 
+-- 
+2.17.1
+
--- a/security/shim-unsigned/debian/deb_patches/series
+++ b/security/shim-unsigned/debian/deb_patches/series
@ -0,0 +1 @@
+0001-shim-replace-the-debian-cert-file-with-ours.patch
--- a/security/shim-unsigned/debian/meta_data.yaml
+++ b/security/shim-unsigned/debian/meta_data.yaml
@ -1,13 +1,14 @@
 ---
-debver: 15.4-7
+debver: 15+1533136590.3beb971
 debname: shim
 dl_path:
-  name: shim-debian-15.4-7.tar.gz
-  url: https://salsa.debian.org/efi-team/shim/-/archive/debian/15.4-7/shim-debian-15.4-7.tar.gz
-  md5sum: f2ceaa268acb6eb9bbe08b839371e04a
-  sha256sum: a4ec39a11c75c95f268403f27125dd002aaf8511afb4fe476bc2d89d97f41eb3
+  name: shim-debian-15+1533136590.3beb971.tar.bz2
+  url: "https://salsa.debian.org/efi-team/shim/-/archive/debian/\
+        15+1533136590.3beb971-10/shim-debian-15+1533136590.3beb971-10.tar.bz2"
+  md5sum: eb6db0c9b8b4257d77ed07a81cd3a7b8
+  sha256sum: 06341378fc89836ee3355ff9ade263105a9ab445de8b065c0989eec8c55769c8
 src_files:
-  - files/tis-shim.crt
+  - files/tis-shim.der
 revision:
  dist: $STX_DIST
  PKG_GITREVCOUNT: true
--- a/security/shim-unsigned/debian/patches/0001-Use-Titanium-certificate.patch
+++ b/security/shim-unsigned/debian/patches/0001-Use-Titanium-certificate.patch
@ -1,125 +0,0 @@
-From f6e8ace9a9783a1645cb6141ba5788790963cda3 Mon Sep 17 00:00:00 2001
-From: Yue Tao <Yue.Tao@windriver.com>
-Date: Mon, 15 Jan 2018 13:25:04 -0500
-Subject: [PATCH] Use Titanium certificate
-
-Signed-off-by: Scott Little <scott.little@windriver.com>
-Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
---
- Make.defaults |  6 ++++++
- Makefile      | 33 +++++++++++++++++++--------------
- 2 files changed, 25 insertions(+), 14 deletions(-)
-
-diff --git a/Make.defaults b/Make.defaults
-index a775083..656669d 100644
--- a/Make.defaults
-+++ b/Make.defaults
-@@ -56,6 +56,12 @@ CLANG_BUGS	= $(if $(findstring gcc,$(CC)),-maccumulate-outgoing-args,)
- 
- COMMIT_ID ?= $(shell if [ -e .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo master; fi)
- 
-+# We compile a certificate into shim.  Usually this is a one-time generated
-+# certificate (make-certs script) however we want to include a custom
-+# certificate for which we have the key.  We use the key to sign the kernel and
-+# grub down the road
-+INTERNAL_CERT = tis-shim
-+
- ifeq ($(ARCH),x86_64)
- 	ARCH_CFLAGS		?= -mno-mmx -mno-sse -mno-red-zone -nostdinc \
- 				   $(CLANG_BUGS) -m64 \
-diff --git a/Makefile b/Makefile
-index 8c66459..919e002 100644
--- a/Makefile
-+++ b/Makefile
-@@ -37,9 +37,10 @@ TARGETS	+= $(MMNAME).signed $(FBNAME).signed
- CFLAGS += -DENABLE_SHIM_CERT
- else
- TARGETS += $(MMNAME) $(FBNAME)
-+CFLAGS += -DENABLE_SHIM_CERT
- endif
- OBJS	= shim.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o sbat.o sbat_data.o pe.o httpboot.o csv.o
-KEYS	= shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
-+KEYS    = shim_cert.h ocsp.* ca.* $(INTERNAL_CERT).crt $(INTERNAL_CERT).csr $(INTERNAL_CERT).p12 $(INTERNAL_CERT).pem $(INTERNAL_CERT).key $(INTERNAL_CERT).cer
- ORIG_SOURCES	= shim.c mok.c netboot.c replacements.c tpm.c errlog.c sbat.c pe.c httpboot.c shim.h version.h $(wildcard include/*.h)
- MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o sbat_data.o
- ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
-@@ -75,14 +76,18 @@ endif
- update :
- 	git submodule update --init --recursive
- 
-shim.crt:
-	$(TOPDIR)/make-certs shim shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
-+# certificate is now provided in source.  To generate a random certificate,
-+# uncomment this rule
-+#$(INTERNAL_CERT).crt:
-+#	$(TOPDIR)/make-certs $(INTERNAL_CERT) shim@xn--u4h.net all codesign 1.3.6.1.4.1.311.10.3.1 </dev/null
- 
-shim.cer: shim.crt
-+$(INTERNAL_CERT).cer: $(INTERNAL_CERT).crt
- 	$(OPENSSL) x509 -outform der -in $< -out $@
- 
- .NOTPARALLEL: shim_cert.h
-shim_cert.h: shim.cer
-+# name "shim_cert.h" rather than "$(INTERNAL_CERT).h" used so C files can just
-+# use a fixed name for #include
-+shim_cert.h: $(INTERNAL_CERT).cer
- 	echo "static UINT8 shim_cert[] __attribute__((__unused__)) = {" > $@
- 	$(HEXDUMP) -v -e '1/1 "0x%02x, "' $< >> $@
- 	echo "};" >> $@
-@@ -93,15 +98,13 @@ version.c : $(TOPDIR)/version.c.in
- 		-e "s,@@COMMIT@@,$(COMMIT_ID)," \
- 		< $< > $@
- 
-certdb/secmod.db: shim.crt
-+certdb/secmod.db: $(INTERNAL_CERT).crt
- 	-mkdir certdb
-	$(PK12UTIL) -d certdb/ -i shim.p12 -W "" -K ""
-	$(CERTUTIL) -d certdb/ -A -i shim.crt -n shim -t u
-+	$(PK12UTIL) -d certdb/ -i $(INTERNAL_CERT).p12 -W "" -K ""
-+	$(CERTUTIL) -d certdb/ -A -i $(INTERNAL_CERT).crt -n shim -t u
- 
- shim.o: $(SOURCES)
-ifneq ($(origin ENABLE_SHIM_CERT),undefined)
- shim.o: shim_cert.h
-endif
- shim.o: $(wildcard $(TOPDIR)/*.h)
- 
- cert.o : $(TOPDIR)/cert.S
-@@ -267,10 +270,10 @@ endif
- 		$< $@
- 
- ifneq ($(origin ENABLE_SBSIGN),undefined)
-%.efi.signed: %.efi shim.key shim.crt
-+%.efi.signed: %.efi $(INTERNAL_CERT).key $(INTERNAL_CERT).crt
- 	@$(SBSIGN) \
-		--key shim.key \
-		--cert shim.crt \
-+		--key $(INTERNAL_CERT).key \
-+		--cert $(INTERNAL_CERT).crt \
- 		--output $@ $<
- else
- %.efi.signed: %.efi certdb/secmod.db
-@@ -302,9 +305,11 @@ clean-lib-objs:
- 	fi
- 
- clean-shim-objs:
-+	@mv $(INTERNAL_CERT).crt $(INTERNAL_CERT).crt.back
- 	@rm -rvf $(TARGET) *.o $(SHIM_OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb $(BOOTCSVNAME)
- 	@rm -vf *.debug *.so *.efi *.efi.* *.tar.* version.c buildid
- 	@rm -vf Cryptlib/*.[oa] Cryptlib/*/*.[oa]
-+	@mv $(INTERNAL_CERT).crt.back $(INTERNAL_CERT).crt
- 	@if [ -d .git ] ; then git clean -f -d -e 'Cryptlib/OpenSSL/*'; fi
- 
- clean-openssl-objs:
-@@ -331,7 +336,7 @@ tag:
- archive: tag
- 	@./make-archive $(if $(call get-config,shim.origin),--origin "$(call get-config,shim.origin)") --release "$(VERSION)" "$(GITTAG)" "shim-$(GITTAG)"
- 
-.PHONY : install-deps shim.key
-+.PHONY : install-deps $(INTERNAL_CERT).key
- 
- export ARCH CC CROSS_COMPILE LD OBJCOPY EFI_INCLUDE EFI_INCLUDES OPTIMIZATIONS
- export FEATUREFLAGS WARNFLAGS WERRFLAGS
-- 
-2.25.1
-
--- a/security/shim-unsigned/debian/patches/series
+++ b/security/shim-unsigned/debian/patches/series
@ -1 +0,0 @@
-0001-Use-Titanium-certificate.patch
--- a/security/shim-unsigned/files/tis-shim.der
+++ b/security/shim-unsigned/files/tis-shim.der
				`@ -0,0 +1 @@`
				`0001-shim-replace-the-debian-cert-file-with-ours.patch`