debian/0000755000000000000000000000000012217766775007212 5ustar
debian/changelog0000644000000000000000000000550012217766772011061 0ustar
shim (0.4-0ubuntu4) saucy; urgency=low

  * debian/patches/fix-tftp-prototype: pass the right arguments to
    EFI_PXE_BASE_CODE_TFTP_READ_FILE.
  * debian/patches/build-with-Werror: Build with -Werror to catch future
    prototype mismatches.
  * debian/patches/fix-compiler-warnings: Fix remaining compiler warnings
    in netboot.c.
  * debian/patches/tftp-proper-nul-termination: fix nul termination errors
    in filenames passed to tftp.
  * debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to the
    netboot code.

 -- Steve Langasek Mon, 23 Sep 2013 00:30:00 -0700

shim (0.4-0ubuntu3) saucy; urgency=low

  [ Steve Langasek ]
  * Install MokManager.efi.signed in the package.
  * debian/patches/no-output-by-default.patch: Don't print any
    informational messages. Closes LP: #1074302.

  [ Stéphane Graber ]
  * debian/patches/no-print-on-unsigned: Don't print an error message
    when validating an unsigned binary as that tends to hang Lenovo
    machines. (LP: #1087501)

 -- Stéphane Graber Thu, 08 Aug 2013 17:12:12 +0200

shim (0.4-0ubuntu2) saucy; urgency=low

  * Add missing build-dependency on openssl.

 -- Steve Langasek Tue, 02 Jul 2013 20:30:43 +0000

shim (0.4-0ubuntu1) saucy; urgency=low

  * New upstream release.
  * Drop debian/patches/shim-before-loadimage; upstream has changed this
    to not call loadimage at all.
  * debian/patches/sbsigntool-not-pesign: Sign MokManager with sbsigntool
    instead of pesign.
  * Add a versioned build-dependency on gnu-efi.

 -- Steve Langasek Tue, 02 Jul 2013 12:53:24 -0700

shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low

  * debian/patches/shim-before-loadimage: Use direct verification first
    before LoadImage. Addresses an issue where Lenovo's SecureBoot
    implementation pops an error message on any verification failure -
    avoid calling LoadImage at all unless we have to.
-- Steve Langasek Wed, 10 Oct 2012 15:28:40 -0700 shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low * debian/patches/second-stage-path: Chainload grubx64.efi, not grub.efi. -- Steve Langasek Fri, 05 Oct 2012 11:20:58 -0700 shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low * debian/patches/prototypes: Include missing prototypes, and disable use of BIO_new_file. * Only build the package for amd64; we're not signing an i386 shim at this stage so there's no point in building it. -- Steve Langasek Thu, 04 Oct 2012 17:47:04 +0000 shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low * Initial release. * Include the Canonical Secure Boot master CA. -- Steve Langasek Thu, 04 Oct 2012 00:01:06 -0700 debian/patches/0000755000000000000000000000000012217766775010641 5ustar debian/patches/series0000644000000000000000000000031212217765701012036 0ustar prototypes second-stage-path sbsigntool-not-pesign no-output-by-default.patch no-print-on-unsigned fix-tftp-prototype build-with-Werror fix-compiler-warnings tftp-proper-nul-termination netboot-cleanup debian/patches/prototypes0000644000000000000000000000657512033345365013011 0ustar Description: Include missing prototypes, and disable use of BIO_new_file Pull in one missing prototype for ScanMem8() that's not yet upstream in gnu-efi, and #ifdef out references to BIO_new_file() and BIO_new_fp() since the prototypes are themselves #ifdef'ed out. . Without these prototypes, we get implicit conversions on amd64, which are sensibly treated as a build failure by Launchpad. Author: Steve Langasek Index: shim/Cryptlib/Library/BaseMemoryLib.h =================================================================== --- /dev/null +++ shim/Cryptlib/Library/BaseMemoryLib.h 
@@ -0,0 +1,11 @@ +#ifndef __BASE_MEMORY_LIB__ +#define __BASE_MEMORY_LIB__ + +CHAR8 * +ScanMem8 ( + IN CHAR8 *Buffer, + IN UINTN Size, + IN CHAR8 Value + ); + +#endif Index: shim/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c =================================================================== --- shim.orig/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c +++ shim/Cryptlib/OpenSSL/crypto/x509v3/v3_pci.c @@ -157,6 +157,7 @@ } OPENSSL_free(tmp_data2); } +#ifndef OPENSSL_NO_STDIO else if (strncmp(val->value, "file:", 5) == 0) { unsigned char buf[2048]; @@ -194,6 +195,7 @@ goto err; } } +#endif else if (strncmp(val->value, "text:", 5) == 0) { val_len = strlen(val->value + 5); Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_def.c =================================================================== --- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_def.c +++ shim/Cryptlib/OpenSSL/crypto/conf/conf_def.c @@ -186,11 +186,13 @@ int ret; BIO *in=NULL; +#ifndef OPENSSL_NO_STDIO #ifdef OPENSSL_SYS_VMS in=BIO_new_file(name, "r"); #else in=BIO_new_file(name, "rb"); #endif +#endif if (in == NULL) { if (ERR_GET_REASON(ERR_peek_last_error()) == BIO_R_NO_SUCH_FILE) Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_lib.c =================================================================== --- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_lib.c +++ shim/Cryptlib/OpenSSL/crypto/conf/conf_lib.c @@ -92,11 +92,13 @@ LHASH *ltmp; BIO *in=NULL; +#ifndef OPENSSL_NO_STDIO #ifdef OPENSSL_SYS_VMS in=BIO_new_file(file, "r"); #else in=BIO_new_file(file, "rb"); #endif +#endif if (in == NULL) { CONFerr(CONF_F_CONF_LOAD,ERR_R_SYS_LIB); Index: shim/Cryptlib/OpenSSL/crypto/conf/conf_sap.c =================================================================== --- shim.orig/Cryptlib/OpenSSL/crypto/conf/conf_sap.c +++ shim/Cryptlib/OpenSSL/crypto/conf/conf_sap.c 
@@ -93,12 +93,14 @@ { BIO *bio_err; ERR_load_crypto_strings(); +#ifndef OPENSSL_NO_STDIO if ((bio_err=BIO_new_fp(stderr, BIO_NOCLOSE)) != NULL) { BIO_printf(bio_err,"Auto configuration failed\n"); ERR_print_errors(bio_err); BIO_free(bio_err); } +#endif exit(1); } Index: shim/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c =================================================================== --- shim.orig/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c +++ shim/Cryptlib/OpenSSL/crypto/engine/eng_openssl.c @@ -374,11 +374,15 @@ BIO *in; EVP_PKEY *key; fprintf(stderr, "(TEST_ENG_OPENSSL_PKEY)Loading Private key %s\n", key_id); +#ifndef OPENSSL_NO_STDIO in = BIO_new_file(key_id, "r"); if (!in) return NULL; key = PEM_read_bio_PrivateKey(in, NULL, 0, NULL); BIO_free(in); +#else + return NULL; +#endif return key; } #endif debian/patches/no-print-on-unsigned0000644000000000000000000000140212200733225014523 0ustar Description: Don't print any message when validating an unsigned binary Printing the error message when validating an unsigned binary was causing the boot to hang on Lenovo machines, possibly because of a broken Print() implementation in those firmware (or some interaction with grub). Author: Stéphane Graber Bug-Ubuntu: https://bugs.launchpad.net/bugs/1087501 Index: shim-clean/shim.c =================================================================== --- shim-clean.orig/shim.c 2013-08-08 16:19:11.886403060 +0200 +++ shim-clean/shim.c 2013-08-08 16:20:09.590405204 +0200 
@@ -652,7 +652,6 @@ unsigned int size = datasize; if (context->SecDir->Size == 0) { - Print(L"Empty security header\n"); return EFI_INVALID_PARAMETER; } debian/patches/sbsigntool-not-pesign0000644000000000000000000000142012062510403014772 0ustar Description: Sign MokManager with sbsigntool instead of pesign Ubuntu infrastructure uses sbsigntool for all other EFI signing, so we use the same thing for signing MokManager with our ephemeral key. This also avoids an additional build dependency on libnss3-tools. Author: Steve Langasek Forwarded: not-needed Index: shim/Makefile =================================================================== --- shim.orig/Makefile +++ shim/Makefile @@ -88,8 +88,8 @@ -j .debug_line -j .debug_str -j .debug_ranges \ --target=efi-app-$(ARCH) $^ $@.debug -%.efi.signed: %.efi certdb/secmod.db - pesign -n certdb -i $< -c "shim" -s -o $@ -f +%.efi.signed: %.efi shim.crt + sbsign --key shim.key --cert shim.crt $< clean: $(MAKE) -C Cryptlib clean debian/patches/fix-tftp-prototype0000644000000000000000000000255112217073104014344 0ustar Description: pass the right arguments to EFI_PXE_BASE_CODE_TFTP_READ_FILE A wrong pointer was being passed to EFI_PXE_BASE_CODE_TFTP_READ_FILE, preventing us from getting the file size back from the tftp call, ensuring that we don't have enough information to properly secureboot-validate the retrieved image. Author: Steve Langasek === modified file 'netboot.c' --- a/netboot.c 2013-05-31 19:34:11 +0000 +++ b/netboot.c 2013-09-20 16:07:27 +0000 @@ -326,7 +326,7 @@ return rc; } -EFI_STATUS FetchNetbootimage(EFI_HANDLE image_handle, VOID **buffer, UINTN *bufsiz) +EFI_STATUS FetchNetbootimage(EFI_HANDLE image_handle, VOID **buffer, UINT64 *bufsiz) { EFI_STATUS rc; EFI_PXE_BASE_CODE_TFTP_OPCODE read = EFI_PXE_BASE_CODE_TFTP_READ_FILE; 
@@ -344,7 +344,7 @@ try_again: rc = uefi_call_wrapper(pxe->Mtftp, 10, pxe, read, *buffer, overwrite, - &bufsiz, &blksz, &tftp_addr, full_path, NULL, nobuffer); + bufsiz, &blksz, &tftp_addr, full_path, NULL, nobuffer); if (rc == EFI_BUFFER_TOO_SMALL) { /* try again, doubling buf size */ === modified file 'shim.c' --- a/shim.c 2013-08-08 15:12:06 +0000 +++ b/shim.c 2013-09-20 16:12:39 +0000 @@ -1161,7 +1161,7 @@ EFI_DEVICE_PATH *path; CHAR16 *PathName = NULL; void *sourcebuffer = NULL; - UINTN sourcesize = 0; + UINT64 sourcesize = 0; void *data = NULL; int datasize; debian/patches/fix-compiler-warnings0000644000000000000000000000273312217106726014775 0ustar Description: Fix remaining compiler warnings in netboot.c Fix remaining compiler warnings in netboot.c, so that the source builds cleanly under -Wall -Werror. Author: Steve Langasek === modified file 'netboot.c' Index: shim/netboot.c =================================================================== --- shim.orig/netboot.c +++ shim/netboot.c @@ -53,7 +53,7 @@ static EFI_PXE_BASE_CODE *pxe; static EFI_IP_ADDRESS tftp_addr; -static char *full_path; +static UINT8 *full_path; typedef struct { @@ -111,7 +111,7 @@ for (i=0; i < (bs / sizeof(EFI_HANDLE)); i++) { status = uefi_call_wrapper(BS->OpenProtocol, 6, hbuf[i], &pxe_base_code_protocol, - &pxe, image_handle, NULL, + (void **)&pxe, image_handle, NULL, EFI_OPEN_PROTOCOL_GET_PROTOCOL); if (status != EFI_SUCCESS) { @@ -261,9 +261,9 @@ return FALSE; memset(full_path, 0, strlen((UINT8 *)end)+strlen((UINT8 *)template)); memcpy(full_path, end, strlen((UINT8 *)end)); - end = strrchr(full_path, '/'); + end = strrchr((char *)full_path, '/'); if (!end) - end = full_path; + end = (char *)full_path; memcpy(end, template, strlen((UINT8 *)template)); return TRUE; 
@@ -297,7 +297,7 @@ memcpy(tmp, template, 12); tmp[13] = '\0'; - full_path = tmp; + full_path = (UINT8 *)tmp; /* Note we don't capture the filename option here because we know its shim.efi * We instead assume the filename at the end of the path is going to be grubx64.efi debian/patches/tftp-proper-nul-termination0000644000000000000000000000457512217766641016174 0ustar Description: fix nul termination errors in filenames passed to tftp Fix various errors in the tftp string handling, to ensure we always have properly nul-terminated strings. Author: Steve Langasek Index: shim/netboot.c =================================================================== --- shim.orig/netboot.c +++ shim/netboot.c @@ -227,15 +227,15 @@ static BOOLEAN extract_tftp_info(char *url) { - char *start, *end; + CHAR8 *start, *end; char ip6str[128]; - char *template = "/grubx64.efi"; + CHAR8 *template = (CHAR8 *)"/grubx64.efi"; if (strncmp((UINT8 *)url, (UINT8 *)"tftp://", 7)) { Print(L"URLS MUST START WITH tftp://\n"); return FALSE; } - start = url + 7; + start = (CHAR8 *)url + 7; if (*start != '[') { Print(L"TFTP SERVER MUST BE ENCLOSED IN [..]\n"); return FALSE; 
@@ -250,21 +250,19 @@ Print(L"TFTP SERVER MUST BE ENCLOSED IN [..]\n"); return FALSE; } - *end = '\0'; memset(ip6str, 0, 128); - memcpy(ip6str, start, strlen((UINT8 *)start)); - *end = ']'; + memcpy(ip6str, start, end - start); end++; memcpy(&tftp_addr.v6, str2ip6(ip6str), 16); - full_path = AllocatePool(strlen((UINT8 *)end)+strlen((UINT8 *)template)+1); + full_path = AllocateZeroPool(strlen(end)+strlen(template)+1); if (!full_path) return FALSE; - memset(full_path, 0, strlen((UINT8 *)end)+strlen((UINT8 *)template)); - memcpy(full_path, end, strlen((UINT8 *)end)); - end = strrchr((char *)full_path, '/'); + memcpy(full_path, end, strlen(end)); + end = (CHAR8 *)strrchr((char *)full_path, '/'); if (!end) - end = (char *)full_path; - memcpy(end, template, strlen((UINT8 *)template)); + end = (CHAR8 *)full_path; + memcpy(end, template, strlen(template)); + end[strlen(template)] = '\0'; return TRUE; } @@ -285,19 +283,15 @@ static EFI_STATUS parseDhcp4() { - char *template = "/grubx64.efi"; - char *tmp = AllocatePool(16); + CHAR8 *template = (CHAR8 *)"/grubx64.efi"; + full_path = AllocateZeroPool(strlen(template)+1); - - if (!tmp) + if (!full_path) return EFI_OUT_OF_RESOURCES; - memcpy(&tftp_addr.v4, pxe->Mode->DhcpAck.Dhcpv4.BootpSiAddr, 4); - memcpy(tmp, template, 12); - tmp[13] = '\0'; - full_path = (UINT8 *)tmp; + memcpy(full_path, template, strlen(template)); /* Note we don't capture the filename option here because we know its shim.efi * We instead assume the filename at the end of the path is going to be grubx64.efi debian/patches/netboot-cleanup0000644000000000000000000000512112217766213013645 0ustar Description: roll-up of miscellaneous fixes to the netboot code Pull of various fixes from , currently awaiting merge upstream. Author: Steve Langasek Index: shim/netboot.c =================================================================== --- shim.orig/netboot.c +++ shim/netboot.c 
@@ -141,11 +141,11 @@ return rc; } -static char *get_v6_bootfile_url(EFI_PXE_BASE_CODE_DHCPV6_PACKET *pkt) +static CHAR8 *get_v6_bootfile_url(EFI_PXE_BASE_CODE_DHCPV6_PACKET *pkt) { void *optr; EFI_DHCP6_PACKET_OPTION *option; - char *url; + CHAR8 *url; UINT32 urllen; optr = pkt->DhcpOptions; @@ -159,10 +159,9 @@ if (ntohs(option->OpCode) == 59) { /* This is the bootfile url option */ urllen = ntohs(option->Length); - url = AllocatePool(urllen+2); + url = AllocateZeroPool(urllen+1); if (!url) return NULL; - memset(url, 0, urllen+2); memcpy(url, option->Data, urllen); return url; } @@ -225,17 +224,17 @@ return (UINT8 *)ip; } -static BOOLEAN extract_tftp_info(char *url) +static BOOLEAN extract_tftp_info(CHAR8 *url) { CHAR8 *start, *end; - char ip6str[128]; + char ip6str[40]; CHAR8 *template = (CHAR8 *)"/grubx64.efi"; if (strncmp((UINT8 *)url, (UINT8 *)"tftp://", 7)) { Print(L"URLS MUST START WITH tftp://\n"); return FALSE; } - start = (CHAR8 *)url + 7; + start = url + 7; if (*start != '[') { Print(L"TFTP SERVER MUST BE ENCLOSED IN [..]\n"); return FALSE; @@ -245,12 +244,16 @@ end = start; while ((*end != '\0') && (*end != ']')) { end++; + if (end - start > 39) { + Print(L"TFTP URL includes malformed IPv6 address\n"); + return FALSE; + } } if (end == '\0') { Print(L"TFTP SERVER MUST BE ENCLOSED IN [..]\n"); return FALSE; } - memset(ip6str, 0, 128); + memset(ip6str, 0, 40); memcpy(ip6str, start, end - start); end++; memcpy(&tftp_addr.v6, str2ip6(ip6str), 16); @@ -270,14 +273,16 @@ static EFI_STATUS parseDhcp6() { EFI_PXE_BASE_CODE_DHCPV6_PACKET *packet = (EFI_PXE_BASE_CODE_DHCPV6_PACKET *)&pxe->Mode->DhcpAck.Raw; - char *bootfile_url; - + CHAR8 *bootfile_url; bootfile_url = get_v6_bootfile_url(packet); - if (extract_tftp_info(bootfile_url) == FALSE) - return EFI_NOT_FOUND; if (!bootfile_url) return EFI_NOT_FOUND; + if (extract_tftp_info(bootfile_url) == FALSE) { + FreePool(bootfile_url); + return EFI_NOT_FOUND; + } + FreePool(bootfile_url); return EFI_SUCCESS; } 
@@ -350,6 +355,8 @@ goto try_again; } + if (rc != EFI_SUCCESS && *buffer) { + FreePool(*buffer); + } return rc; - } debian/patches/no-output-by-default.patch0000644000000000000000000000261112165124740015644 0ustar Description: Don't print any informational messages Unless the operation has failed, we shouldn't print anything at all while booting. Suppress informational messages about the current SecureBoot policy or how the image's signature was verified. Author: Steve Langasek Bug-Ubuntu: https://bugs.launchpad.net/bugs/1074302 Index: shim/shim.c =================================================================== --- shim.orig/shim.c +++ shim/shim.c @@ -430,7 +430,6 @@ /* FIXME - more paranoia here? */ if (status != EFI_SUCCESS || sb != 1) { - Print(L"Secure boot not enabled\n"); return FALSE; } @@ -438,7 +437,6 @@ (void *)&setupmode); if (status == EFI_SUCCESS && setupmode == 1) { - Print(L"Platform is in setup mode\n"); return FALSE; } @@ -698,7 +696,6 @@ status = check_whitelist(cert, sha256hash, sha1hash); if (status == EFI_SUCCESS) { - Print(L"Binary is whitelisted\n"); return status; } @@ -710,7 +707,6 @@ shim_cert, sizeof(shim_cert), sha256hash, SHA256_DIGEST_SIZE)) { status = EFI_SUCCESS; - Print(L"Binary is verified by the vendor certificate\n"); return status; } 
@@ -723,7 +719,6 @@ vendor_cert, vendor_cert_size, sha256hash, SHA256_DIGEST_SIZE)) { status = EFI_SUCCESS; - Print(L"Binary is verified by the vendor certificate\n"); return status; } debian/patches/second-stage-path0000644000000000000000000000126112164570701014051 0ustar Description: Chainload grubx64.efi, not grub.efi We qualify the second stage bootloader image with the architecture name, so we're forwards-compatible with any future 32-bit implementations. (Non-SB grub doesn't conflict, since the image will be named bootia32.efi anyway, not grub.efi.) Author: Steve Langasek Index: shim/shim.c =================================================================== --- shim.orig/shim.c +++ shim/shim.c @@ -43,7 +43,7 @@ #include "shim_cert.h" #include "ucs2.h" -#define DEFAULT_LOADER L"\\grub.efi" +#define DEFAULT_LOADER L"\\grubx64.efi" #define FALLBACK L"\\fallback.efi" #define MOK_MANAGER L"\\MokManager.efi" debian/patches/build-with-Werror0000644000000000000000000000111412217106574014070 0ustar Description: Build with -Werror to catch future prototype mismatches. Author: Steve Langasek Index: shim/Makefile =================================================================== --- shim.orig/Makefile +++ shim/Makefile 
@@ -15,7 +15,7 @@ EFI_LDS = elf_$(ARCH)_efi.lds CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ - -fshort-wchar -Wall -mno-red-zone -maccumulate-outgoing-args \ + -fshort-wchar -Wall -Werror -mno-red-zone -maccumulate-outgoing-args \ -mno-mmx -mno-sse \ $(EFI_INCLUDES) ifeq ($(ARCH),x86_64) debian/copyright0000644000000000000000000000277612017532432011134 0ustar Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: shim Upstream-Contact: Matthew Garrett Source: https://github.com/mjg59/shim.git Files: * Copyright: 2012 Red Hat, Inc 2009-2012 Intel Corporation License: BSD-2-Clause Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: . Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. . Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. . THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
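Review bot: in the debian/patches/sbsigntool-not-pesign Makefile hunk (@@ -88,8 +88,8 @@), the new `%.efi.signed` rule lists only `shim.crt` as a prerequisite although the recipe also reads `shim.key`, and it relies on sbsign's default output name instead of naming the target. Add `shim.key` to the prerequisites so make stops early when the ephemeral key is missing, and pass `--output $@` so the rule writes exactly the file it promises.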
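Review bot: in debian/patches/fix-compiler-warnings, hunk @@ -261,9 +261,9 @@ of netboot.c, the casts quiet the compiler but the closing `memcpy(end, template, strlen((UINT8 *)template))` still copies the template without its terminator. When the file name after the last '/' in the URL is longer than the template, its tail stays in full_path. Write `end[strlen(template)] = '\0'` after the copy; debian/patches/tftp-proper-nul-termination later in the series does this.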
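Review bot: in debian/patches/fix-compiler-warnings, hunk @@ -297,7 +297,7 @@ of netboot.c, the context lines `memcpy(tmp, template, 12); tmp[13] = '\0';` terminate at the wrong index: the 12 copied bytes fill tmp[0..11], so tmp[12] is never written and the file name can end in one stray byte. The `(UINT8 *)tmp` cast added here only hides the type warning; set `tmp[12] = '\0'` or allocate zeroed memory, as debian/patches/tftp-proper-nul-termination later does with AllocateZeroPool.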
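Review bot: in debian/patches/tftp-proper-nul-termination, hunk @@ -250,21 +250,19 @@ of netboot.c, `memcpy(ip6str, start, end - start)` copies a length taken from the DHCPv6-supplied URL into the fixed `ip6str` buffer (cleared as 128 bytes on the line above) with no upper bound, so an over-long bracketed host overruns the stack buffer. Reject the URL before copying when `end - start` exceeds the buffer size minus one; debian/patches/netboot-cleanup adds such a check later in the series.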
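Review bot: in debian/patches/netboot-cleanup, hunk @@ -245,12 +244,16 @@ of netboot.c, the context line `if (end == '\0')` compares the pointer itself with zero rather than the character it points to, so a URL with no closing ']' is never rejected; the code falls through to the copy and `end++` then steps past the terminator. Change the test to `if (*end == '\0')` while this function is being touched.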
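Review bot: in debian/patches/netboot-cleanup, hunk @@ -350,6 +355,8 @@ of netboot.c, the added `FreePool(*buffer)` on the failure path leaves `*buffer` pointing at freed memory, which the caller still holds through its `VOID **buffer` argument. Set `*buffer = NULL` after the free so a caller that checks or frees the pointer on error does not touch the released allocation.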
debian/compat0000644000000000000000000000000212017532432010363 0ustar
9
debian/canonical-uefi-ca.der0000644000000000000000000000207012033204601013106 0ustar
[binary DER-encoded certificate]
debian/rules0000755000000000000000000000021112217105470010239 0ustar
#!/usr/bin/make -f

%:
	dh $@

override_dh_auto_build:
	dh_auto_build -- EFI_PATH=/usr/lib VENDOR_CERT_FILE=debian/canonical-uefi-ca.der
debian/shim.install0000644000000000000000000000007312165072441011520 0ustar
shim.efi /usr/lib/shim
MokManager.efi.signed /usr/lib/shim
debian/source/0000755000000000000000000000000012217766775010512 5ustar
debian/source/format0000644000000000000000000000001412017532432011673 0ustar
3.0 (quilt)
debian/source/include-binaries0000644000000000000000000000003512033225446013625 0ustar
debian/canonical-uefi-ca.der
debian/control0000644000000000000000000000147412164634151010602 0ustar
Source: shim
Section: admin
Priority: optional
Maintainer: Ubuntu Developers
XSBC-Original-Maintainer: Steve Langasek
Standards-Version: 3.9.3
Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl
Vcs-Bzr: lp:ubuntu/shim

Package: shim
Architecture: amd64
Depends: ${shlibs:Depends}, ${misc:Depends}
Description: boot loader to chain-load signed boot loaders under Secure Boot
 This package provides a minimalist boot loader which allows verifying
 signatures of other UEFI binaries against either the Secure Boot DB/DBX or
 against a built-in signature database. Its purpose is to allow a small,
 infrequently-changing binary to be signed by the UEFI CA, while allowing
 an OS distributor to revision their main bootloader independently of the CA.