Hello community,
here is the log from the commit of package shim for openSUSE:Factory checked in at 2015-08-21 07:38:54
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shim (Old)
and /work/SRC/openSUSE:Factory/.shim.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim"
Changes:
--------
--- /work/SRC/openSUSE:Factory/shim/shim.changes 2015-04-22 01:10:27.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2015-08-21 07:38:56.000000000 +0200
@@ -1,0 +2,26 @@
+Thu Jul 16 06:49:01 UTC 2015 - glin@suse.com
+
+- Add shim-update-openssl-1.0.2d.patch to update openssl to 1.0.2d
+- Refresh shim-gcc5.patch and add it back since we really need it
+- Add shim-change-debug-file-path.patch to change the debug file
+ path in shim.efi
+ + also add the debuginfo and debugsource subpackages
+- Drop shim-fix-gnu-efi-30w.patch which is not necessary anymore
+
+-------------------------------------------------------------------
+Mon Jul 6 09:06:02 UTC 2015 - glin@suse.com
+
+- Update to 0.9
+- Refresh patches
+ + shim-fix-gnu-efi-30w.patch
+ + shim-fix-mokmanager-sections.patch
+ + shim-opensuse-cert-prompt.patch
+- Drop upstreamed patches
+ + shim-bsc920515-fix-fallback-buffer-length.patch
+ + shim-mokx-support.patch
+ + shim-update-cryptlib.patch
+- Drop shim-bsc919675-uninstall-shim-protocols.patch since
+ upstream fixed the bug in another way.
+- Drop shim-gcc5.patch which was fixed in another way
+
+-------------------------------------------------------------------
Old:
----
shim-0.8.tar.bz2
shim-bsc919675-uninstall-shim-protocols.patch
shim-bsc920515-fix-fallback-buffer-length.patch
shim-fix-gnu-efi-30w.patch
shim-mokx-support.patch
shim-update-cryptlib.patch
New:
----
shim-0.9.tar.bz2
shim-change-debug-file-path.patch
shim-update-openssl-1.0.2d.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ shim.spec ++++++
--- /var/tmp/diff_new_pack.6MzlGi/_old 2015-08-21 07:38:58.000000000 +0200
+++ /var/tmp/diff_new_pack.6MzlGi/_new 2015-08-21 07:38:58.000000000 +0200
@@ -18,8 +18,10 @@
# needssslcertforbuild
+%undefine _build_create_debug
+
Name: shim
-Version: 0.8
+Version: 0.9
Release: 0
Summary: UEFI shim loader
License: BSD-2-Clause
@@ -40,23 +42,18 @@
Source10: timestamp.pl
Source11: strip_signature.sh
Source12: signature-sles.asc
-# PATCH-FIX-UPSTREAM shim-mokx-support.patch glin@suse.com -- Support MOK blacklist
-Patch1: shim-mokx-support.patch
# PATCH-FIX-SUSE shim-only-os-name.patch glin@suse.com -- Only include the OS name in version.c
-Patch2: shim-only-os-name.patch
-# PATCH-FIX-UPSTREAM shim-fix-gnu-efi-30w.patch glin@suse.com -- Adapt the change in gnu-efi 3.0w
-Patch3: shim-fix-gnu-efi-30w.patch
+Patch1: shim-only-os-name.patch
# PATCH-FIX-UPSTREAM shim-fix-mokmanager-sections.patch glin@suse.com -- Fix the objcopy parameters for the EFI files
-Patch4: shim-fix-mokmanager-sections.patch
-# PATCH-FIX-UPSTREAM shim-bsc919675-uninstall-shim-protocols.patch bsc#919675 glin@suse.com -- Uinstall the shim protocols at Exit
-Patch5: shim-bsc919675-uninstall-shim-protocols.patch
-# PATCH-FIX-UPSTREAM shim-bsc920515-fix-fallback-buffer-length.patch bsc#920515 glin@suse.com -- Fix the buffer size for the boot options
-Patch6: shim-bsc920515-fix-fallback-buffer-length.patch
-# PATCH-FIX-UPSTREAM shim-update-cryptlib.patch glin@suse.com -- Update Cryptlib and openssl
-Patch7: shim-update-cryptlib.patch
+Patch3: shim-fix-mokmanager-sections.patch
+# PATCH-FIX-UPSTREAM shim-update-openssl-1.0.2d.patch glin@suse.com -- Update openssl to 1.0.2d
+Patch4: shim-update-openssl-1.0.2d.patch
+# PATCH-FIX-UPSTREAM shim-gcc5.patch glin@suse.com -- Specify the gnu89 standard
+Patch5: shim-gcc5.patch
+# PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch glin@suse.com -- Change the default debug file path
+Patch50: shim-change-debug-file-path.patch
# PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
Patch100: shim-opensuse-cert-prompt.patch
-Patch101: shim-gcc5.patch
BuildRequires: gnu-efi >= 3.0t
BuildRequires: mozilla-nss-tools
BuildRequires: openssl >= 0.9.8
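Review bot: The new `Patch4` entry replaces the bundled OpenSSL inside a Secure Boot loader through a local patch that this page lists as 146195 lines (skipped), and its comment does not say where that code came from. For crypto code of that size, the comment should name the origin so the patch can be regenerated and compared, for example `# PATCH-FIX-UPSTREAM shim-update-openssl-1.0.2d.patch glin@suse.com -- Update openssl to 1.0.2d (origin: <UPSTREAM-COMMIT-OR-URL>)`. The `PATCH-FIX-UPSTREAM` tag on shim-fix-mokmanager-sections.patch also looks inaccurate, since the refreshed patch describes itself as a quick hack for old objcopy.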
@@ -72,7 +69,19 @@
shim is a trivial EFI application that, when run, attempts to open and
execute another application.
+%package -n shim-debuginfo
+Summary: UEFI shim loader - debug symbols
+Group: System/Boot
+
+%description -n shim-debuginfo
+The debug symbols of UEFI shim loader
+
+%package -n shim-debugsource
+Summary: UEFI shim loader - debug source
+Group: System/Boot
+%description -n shim-debugsource
+The source code of UEFI shim loader
Authors:
--------
@@ -81,18 +90,15 @@
%prep
%setup -q
%patch1 -p1
-%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
-%patch6 -p1
-%patch7 -p1
+%patch50 -p1
%patch100 -p1
-%patch101 -p1
%build
# first, build MokManager and fallback as they don't depend on a
# specific certificate
-make EFI_PATH=/usr/lib64 MokManager.efi fallback.efi 2>/dev/null
+make EFI_PATH=/usr/lib64 RELEASE=0 MokManager.efi fallback.efi 2>/dev/null
# now build variants of shim that embed different certificates
default=''
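Review bot: Both rewritten `make` invocations (this one and the `VENDOR_CERT_FILE` one in the next hunk) still send stderr to `/dev/null`, so compiler and linker diagnostics for a Secure Boot loader never reach the build log. The spec comment in the next hunk says this keeps cast warnings from tripping the post-build check, but it also hides every other warning, including any from the newly updated OpenSSL code. Redirecting to a file in the build tree, for example `2>make-shim.log`, would keep the check quiet and still preserve the output for review. The %build script continues outside this hunk.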
@@ -147,7 +153,7 @@
cp $cert2 shim.crt
fi
# make sure cast warnings don't trigger post build check
- make EFI_PATH=/usr/lib64 VENDOR_CERT_FILE=shim-$suffix.der shim.efi 2>/dev/null
+ make EFI_PATH=/usr/lib64 RELEASE=0 VENDOR_CERT_FILE=shim-$suffix.der shim.efi 2>/dev/null
#
# assert correct certificate embedded
grep -q "$verify" shim.efi
@@ -178,12 +184,18 @@
else
mv shim.efi shim-$suffix.efi
fi
+ mv shim.efi.debug shim-$suffix.debug
rm -f shim.cer shim.crt
# make sure cert.o gets rebuilt
rm -f cert.o
done
ln -s shim-${suffixes[0]}.efi shim.efi
+mv shim-${suffixes[0]}.debug shim.debug
+
+# Collect the source for debugsource
+mkdir source
+find . \( -name "*.c" -o -name "*.h" \) -type f -exec cp --parents -a {} source/ \;
%install
export BRP_PESIGN_FILES='%{_libdir}/efi/shim*.efi %{_libdir}/efi/MokManager.efi %{_libdir}/efi/fallback.efi'
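Review bot: The added `find . ... -exec cp --parents -a {} source/ \;` walks the directory it is copying into, because `source` is created inside `.` just before. Depending on traversal order, files already copied can be found again and duplicated under `source/source/...`, which would inflate the debugsource package. Pruning the target avoids this: `find . -path ./source -prune -o \( -name "*.c" -o -name "*.h" \) -type f -exec cp --parents -a {} source/ \;`. Separately, only `shim-${suffixes[0]}.debug` is renamed for packaging; the debug files for the other certificate variants stay unshipped, which deserves a comment if intended.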
@@ -201,6 +213,16 @@
install -m 644 $file %{buildroot}/%{_sysconfdir}/uefi/certs/$fpr.crt
done
+# install the debug symbols
+install -d %{buildroot}/usr/lib/debug/%{_libdir}/efi
+install -m 644 shim.debug %{buildroot}/usr/lib/debug/%{_libdir}/efi
+install -m 644 MokManager.efi.debug %{buildroot}/usr/lib/debug/%{_libdir}/efi/MokManager.debug
+install -m 644 fallback.efi.debug %{buildroot}/usr/lib/debug/%{_libdir}/efi/fallback.debug
+
+# install the debug source
+install -d %{buildroot}/usr/src/debug/%{name}-%{version}
+cp -r source/* %{buildroot}/usr/src/debug/%{name}-%{version}
+
%clean
%{?buildroot:%__rm -rf "%{buildroot}"}
@@ -221,4 +243,15 @@
%dir %{_sysconfdir}/uefi/certs/
%{_sysconfdir}/uefi/certs/*.crt
+%files -n shim-debuginfo
+%defattr(-,root,root,-)
+/usr/lib/debug/%{_libdir}/efi/shim.debug
+/usr/lib/debug/%{_libdir}/efi/MokManager.debug
+/usr/lib/debug/%{_libdir}/efi/fallback.debug
+
+%files -n shim-debugsource
+%defattr(-,root,root,-)
+%dir /usr/src/debug/%{name}-%{version}
+/usr/src/debug/%{name}-%{version}/*
+
%changelog
++++++ shim-0.8.tar.bz2 -> shim-0.9.tar.bz2 ++++++
++++ 272642 lines of diff (skipped)
++++++ shim-change-debug-file-path.patch ++++++
From a2b1ceac7093798d770cf50c8a2a78f7051c7be9 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin
Date: Wed, 15 Jul 2015 18:15:40 +0800
Subject: [PATCH] Change the debug file path
Signed-off-by: Gary Ching-Pang Lin
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 48e2a7d..081c9a8 100644
--- a/Makefile
+++ b/Makefile
@@ -43,7 +43,7 @@ ifeq ($(ARCH),x86_64)
-maccumulate-outgoing-args \
-DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \
"-DEFI_ARCH=L\"x64\"" \
- "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/x64-$(VERSION)$(RELEASE)/\""
+ "-DDEBUGDIR=L\"/usr/lib/debug/usr/lib64/efi/shim.debug\""
endif
ifeq ($(ARCH),ia32)
CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
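Review bot: `DEBUGDIR` now holds a file path (`/usr/lib/debug/usr/lib64/efi/shim.debug`) instead of a directory ending in `/`. It also hardcodes `/usr/lib64`, while the spec installs the symbols under `/usr/lib/debug/%{_libdir}/efi`. How `DEBUGDIR` is consumed is not visible here; if the code appends a file name to it, the debug path it reports would be wrong, so that use should be checked. Keeping the directory form, `"-DDEBUGDIR=L\"/usr/lib/debug/usr/lib64/efi/\""`, would preserve the macro's meaning. Only the x86_64 branch is touched, and the `ifeq ($(ARCH),ia32)` branch after it continues outside the hunk.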
--
2.1.4
++++++ shim-fix-mokmanager-sections.patch ++++++
--- /var/tmp/diff_new_pack.6MzlGi/_old 2015-08-21 07:38:59.000000000 +0200
+++ /var/tmp/diff_new_pack.6MzlGi/_new 2015-08-21 07:38:59.000000000 +0200
@@ -1,26 +1,38 @@
-From 61f1bfea2250c38b6c381a3876b41acf007f4289 Mon Sep 17 00:00:00 2001
+From fa7e46558ebdafeb7b5f4a3b843f309a678d4365 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin
Date: Mon, 10 Nov 2014 17:19:58 +0800
-Subject: [PATCH 1/2] Fix objcopy parameters to include .rel and .rela
+Subject: [PATCH] Fix objcopy parameters to include .rel and .rela
-The objcopy parameters -j .rel* and -j .rela* looked like that the
-two sections would be in the EFI binary, but it's actually not, and
-this caused MokManager.efi crash.
+This is a quick hack for the old objcopy.
-Remove the asterisks to fix MokManager.efi.
+The asterisks support in objcopy was added in 2.24. For the distro
+with the older objcopy, some sections would be ignored and this could
+crash the program.
Signed-off-by: Gary Ching-Pang Lin
---
- Makefile | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
+ Makefile | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/Makefile b/Makefile
-index 332a29b..39160c5 100644
+index 412496b..a791bcc 100644
--- a/Makefile
+++ b/Makefile
-@@ -133,13 +133,13 @@ FORMAT ?= --target efi-app-$(ARCH)
+@@ -9,7 +9,6 @@ LD = $(CROSS_COMPILE)ld
+ OBJCOPY = $(CROSS_COMPILE)objcopy
+
+ ARCH = $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,)
+-OBJCOPY_GTE224 = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.* //g' | cut -f1-2 -d.` \>= 2.24)
+
+ SUBDIRS = Cryptlib lib
+
+@@ -142,17 +141,14 @@ endif
+ FORMAT ?= --target efi-app-$(ARCH)
%.efi: %.so
+-ifneq ($(OBJCOPY_GTE224),1)
+- $(error objcopy >= 2.24 is required)
+-endif
$(OBJCOPY) -j .text -j .sdata -j .data \
- -j .dynamic -j .dynsym -j .rel* \
- -j .rela* -j .reloc -j .eh_frame \
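Review bot: The refreshed patch deletes the `OBJCOPY_GTE224` probe and the `$(error objcopy >= 2.24 is required)` guard from the `%.efi: %.so` rule, and adds no check that the relocation sections actually reach the output. The patch description itself says ignored sections can crash the program, and objcopy does not fail when a `-j` name matches no section, so a mismatch between the literal `.rel`/`.rela` names and what the linker emits would only show up at boot. A post-link check in the spec that the built `.efi` files contain the expected relocation sections would turn that into a build failure. The objcopy rule continues in the next hunk.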
@@ -35,65 +47,7 @@
+ -j .rela -j .reloc -j .eh_frame \
-j .debug_info -j .debug_abbrev -j .debug_aranges \
-j .debug_line -j .debug_str -j .debug_ranges \
- $(FORMAT) $^ $@.debug
---
-1.8.4.5
-
-
-From a0d319c24c064b3275f4dc91cf141336fb7449fa Mon Sep 17 00:00:00 2001
-From: Gary Ching-Pang Lin
-Date: Mon, 10 Nov 2014 17:31:15 +0800
-Subject: [PATCH 2/2] Add nostdinc to the CFLAGS for lib
-
-We don't need the headers from the standard include path.
-
-Signed-off-by: Gary Ching-Pang Lin
----
- lib/Makefile | 2 +-
- lib/console.c | 4 ++--
- lib/guid.c | 1 -
- 3 files changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/lib/Makefile b/lib/Makefile
-index ebd21a1..3c5101e 100644
---- a/lib/Makefile
-+++ b/lib/Makefile
-@@ -4,7 +4,7 @@ LIBFILES = simple_file.o guid.o console.o execute.o configtable.o shell.o variab
-
- EFI_INCLUDES = -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -I../include
-
--CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
-+CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -nostdinc\
- -fshort-wchar -Wall -DBUILD_EFI -fno-builtin -Werror \
- $(EFI_INCLUDES)
-
-diff --git a/lib/console.c b/lib/console.c
-index 83ee679..fd8cc5c 100644
---- a/lib/console.c
-+++ b/lib/console.c
-@@ -4,8 +4,8 @@
- *
- * see COPYING file
- */
--#include
--#include
-+#include
-+#include
-
- #include
- #include
-diff --git a/lib/guid.c b/lib/guid.c
-index 56ec952..c97a7ca 100644
---- a/lib/guid.c
-+++ b/lib/guid.c
-@@ -5,7 +5,6 @@
- */
-
- #include
--#include
-
- #ifndef BUILD_EFI
- /* EFI has %g for this, so it's only needed in platform c */
+ -j .note.gnu.build-id \
--
-1.8.4.5
+2.1.4
++++++ shim-gcc5.patch ++++++
--- /var/tmp/diff_new_pack.6MzlGi/_old 2015-08-21 07:38:59.000000000 +0200
+++ /var/tmp/diff_new_pack.6MzlGi/_new 2015-08-21 07:38:59.000000000 +0200
@@ -1,44 +1,62 @@
---- shim-0.8.orig/Makefile
-+++ shim-0.8/Makefile
-@@ -21,7 +21,7 @@ EFI_LDS = elf_$(ARCH)_efi.lds
- DEFAULT_LOADER := \\\\grub.efi
- CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
- -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
-- -Werror=sign-compare \
-+ -Werror=sign-compare -std=gnu89 \
- "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
- "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
- $(EFI_INCLUDES)
---- shim-0.8.orig/Cryptlib/Makefile
-+++ shim-0.8/Cryptlib/Makefile
+From a508082e41339d929ae598c964562946287c1938 Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin
+Date: Mon, 13 Jul 2015 16:33:52 +0800
+Subject: [PATCH] Specify the gnu89 standard
+
+According to the gcc5 porting guideline (*), gcc5 defaults to
+-std=gnu11 instead of -std=gnu89. Append -std=gnu89 to CFLAGS
+to avoid the potential problems.
+
+(*) https://gcc.gnu.org/gcc-5/porting_to.html
+
+Based on the patch from Cristian Rodriguez
+
+Signed-off-by: Gary Ching-Pang Lin
+---
+ Cryptlib/Makefile | 2 +-
+ Cryptlib/OpenSSL/Makefile | 2 +-
+ Makefile | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile
+index cb18440..9a92304 100644
+--- a/Cryptlib/Makefile
++++ b/Cryptlib/Makefile
@@ -2,7 +2,7 @@
EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
CFLAGS = -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
-- -Wall $(EFI_INCLUDES)
-+ -Wall $(EFI_INCLUDES) -std=gnu89
- CFLAGS += -DGNU_EFI_USE_EXTERNAL_STDARG
+- -Wall $(EFI_INCLUDES) \
++ -Wall $(EFI_INCLUDES) -std=gnu89 \
+ -ffreestanding -I$(shell $(CC) -print-file-name=include)
ifeq ($(ARCH),x86_64)
---- shim-0.8.orig/Cryptlib/OpenSSL/Makefile
-+++ shim-0.8/Cryptlib/OpenSSL/Makefile
+diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile
+index 3f87a94..ab6e7dd 100644
+--- a/Cryptlib/OpenSSL/Makefile
++++ b/Cryptlib/OpenSSL/Makefile
@@ -2,7 +2,7 @@
- EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
+ EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -Icrypto/asn1 -Icrypto/evp -Icrypto/modes
CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \
-- -Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC
-+ -Wall -std=gnu89 $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC
-
- ifeq ($(ARCH),x86_64)
- CFLAGS += -mno-mmx -mno-sse -mno-red-zone -maccumulate-outgoing-args \
---- shim-0.8.orig/lib/Makefile
-+++ shim-0.8/lib/Makefile
-@@ -5,7 +5,7 @@ LIBFILES = simple_file.o guid.o console.
- EFI_INCLUDES = -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -I../include
-
- CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -nostdinc\
-- -fshort-wchar -Wall -DBUILD_EFI -fno-builtin -Werror \
-+ -fshort-wchar -Wall -DBUILD_EFI -fno-builtin -Werror -std=gnu89 \
- $(EFI_INCLUDES)
+- -ffreestanding -I$(shell $(CC) -print-file-name=include) \
++ -ffreestanding -std=gnu89 -I$(shell $(CC) -print-file-name=include) \
+ -Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_POSIX_IO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_RIPEMD -DOPENSSL_NO_RC2 -DOPENSSL_NO_IDEA -DOPENSSL_NO_BF -DOPENSSL_NO_CAST -DOPENSSL_NO_WHIRLPOOL -DOPENSSL_NO_DSA -DOPENSSL_NO_EC -DOPENSSL_NO_ECDH -DOPENSSL_NO_ECDSA -DOPENSSL_NO_SRP -DOPENSSL_NO_ENGINE -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC
ifeq ($(ARCH),x86_64)
+diff --git a/Makefile b/Makefile
+index 1181b8a..48e2a7d 100644
+--- a/Makefile
++++ b/Makefile
+@@ -28,7 +28,7 @@ EFI_LDS = elf_$(ARCH)_efi.lds
+ DEFAULT_LOADER := \\\\grub.efi
+ CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
+ -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
+- -Werror=sign-compare -ffreestanding \
++ -Werror=sign-compare -ffreestanding -std=gnu89 \
+ -I$(shell $(CC) -print-file-name=include) \
+ "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
+ "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
+--
+2.1.4
+
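Review bot: The refreshed patch no longer adds `-std=gnu89` to `lib/Makefile`. The old version patched its `CFLAGS` line, but the new diffstat lists only `Cryptlib/Makefile`, `Cryptlib/OpenSSL/Makefile` and `Makefile`. Unless `lib/Makefile` in 0.9 inherits the flag some other way (not visible here), the objects under `lib/` would be built with the gcc5 default of gnu11 while everything else uses gnu89. Either restore the `lib/Makefile` change or state in the patch description why it is no longer needed.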
++++++ shim-opensuse-cert-prompt.patch ++++++
--- /var/tmp/diff_new_pack.6MzlGi/_old 2015-08-21 07:38:59.000000000 +0200
+++ /var/tmp/diff_new_pack.6MzlGi/_new 2015-08-21 07:38:59.000000000 +0200
@@ -1,4 +1,4 @@
-From eeeb5117c7d30eef6ec8a09f884d6e6872e41638 Mon Sep 17 00:00:00 2001
+From 83b991190b82da422cff4e357e045ff993ecaa9d Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin
Date: Tue, 18 Feb 2014 17:29:19 +0800
Subject: [PATCH 1/3] Show the build-in certificate prompt
@@ -17,22 +17,22 @@
The state will store in use_openSUSE_cert, a volatile RT variable.
---
- shim.c | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
- 1 file changed, 74 insertions(+), 2 deletions(-)
+ shim.c | 77 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 75 insertions(+), 2 deletions(-)
diff --git a/shim.c b/shim.c
-index 6fbe427..112a141 100644
+index 4c6bdc5..4e8ed3a 100644
--- a/shim.c
+++ b/shim.c
@@ -91,6 +91,7 @@ UINT8 *vendor_dbx;
+ */
verification_method_t verification_method;
int loader_is_participating;
- int exit_only;
+BOOLEAN use_builtin_cert;
#define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
-@@ -955,7 +956,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
+@@ -959,7 +960,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
if (status == EFI_SUCCESS)
return status;
@@ -41,7 +41,7 @@
/*
* Check against the shim build key
*/
-@@ -1709,7 +1710,7 @@ EFI_STATUS mirror_mok_list()
+@@ -1730,7 +1731,7 @@ EFI_STATUS mirror_mok_list()
if (efi_status != EFI_SUCCESS)
DataSize = 0;
@@ -50,8 +50,8 @@
FullDataSize = DataSize
+ sizeof (*CertList)
+ sizeof (EFI_GUID)
-@@ -2058,6 +2059,75 @@ uninstall_shim_protocols(void)
- &shim_lock_guid, &shim_lock_interface);
+@@ -2140,6 +2141,75 @@ shim_fini(void)
+ setup_console(0);
}
+#define VENDOR_VERIFY L"openSUSE_Verify"
@@ -123,23 +123,24 @@
+ return 0;
+}
+
- EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
- {
- EFI_STATUS efi_status;
-@@ -2114,6 +2184,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
- */
- hook_exit_only = 0;
- loader_is_participating = 0;
-+ if (builtin_cert_prompt() != 0)
-+ return EFI_ABORTED;
- }
- }
+ extern EFI_STATUS
+ efi_main(EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab);
+@@ -2228,6 +2298,9 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
+ */
+ check_mok_sb();
+
++ if (secure_mode() && (builtin_cert_prompt() != 0))
++ return EFI_ABORTED;
++
+ efi_status = shim_init();
+ if (EFI_ERROR(efi_status)) {
+ Print(L"Something has gone seriously wrong: %r\n", efi_status);
--
2.1.4
-From 869b4633b647c00d13bdf9c2ad554e5d5b8b9670 Mon Sep 17 00:00:00 2001
+From bde21fc34f6c1293a4233e704d9890a14f4bff19 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin
Date: Thu, 20 Feb 2014 16:57:08 +0800
Subject: [PATCH 2/3] Support revoking the openSUSE cert
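Review bot: The relocated check `if (secure_mode() && (builtin_cert_prompt() != 0))` now runs before `shim_init()`, where the old placement was inside a later block of `efi_main`. The refreshed context shows `shim_fini()` calling `setup_console(0)`, so console setup presumably happens in `shim_init()`. If so, the certificate trust prompt could be drawn before the console is switched, and a user on a graphics-mode console might not see the question that decides whether the built-in certificate is trusted. This ordering should be confirmed, or the check moved after `shim_init()` with `shim_fini()` called on the `EFI_ABORTED` path. A comment such as `/* must run before shim_init(): <reason> */` would record the intent. The body of `efi_main` lies outside the hunk.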
@@ -155,10 +156,10 @@
2 files changed, 60 insertions(+), 3 deletions(-)
diff --git a/MokManager.c b/MokManager.c
-index 442ab8f..7277968 100644
+index ee6dffb..68d4099 100644
--- a/MokManager.c
+++ b/MokManager.c
-@@ -1731,6 +1731,33 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) {
+@@ -1729,6 +1729,33 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) {
return -1;
}
@@ -192,7 +193,7 @@
static BOOLEAN verify_certificate(UINT8 *cert, UINTN size)
{
X509 *X509Cert;
-@@ -2083,6 +2110,7 @@ typedef enum {
+@@ -2081,6 +2108,7 @@ typedef enum {
MOK_CHANGE_SB,
MOK_SET_PW,
MOK_CHANGE_DB,
@@ -200,7 +201,7 @@
MOK_KEY_ENROLL,
MOK_HASH_ENROLL
} mok_menu_item;
-@@ -2094,7 +2122,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
+@@ -2092,7 +2120,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
void *MokPW, UINTN MokPWSize,
void *MokDB, UINTN MokDBSize,
void *MokXNew, UINTN MokXNewSize,
@@ -210,7 +211,7 @@
{
CHAR16 **menu_strings;
mok_menu_item *menu_item;
-@@ -2168,6 +2197,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
+@@ -2166,6 +2195,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
if (MokDB)
menucount++;
@@ -220,7 +221,7 @@
menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (menucount + 1));
if (!menu_strings)
-@@ -2237,6 +2269,12 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
+@@ -2235,6 +2267,12 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
i++;
}
@@ -233,7 +234,7 @@
menu_strings[i] = L"Enroll key from disk";
menu_item[i] = MOK_KEY_ENROLL;
i++;
-@@ -2287,6 +2325,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
+@@ -2285,6 +2323,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
case MOK_CHANGE_DB:
mok_db_prompt(MokDB, MokDBSize);
break;
@@ -243,7 +244,7 @@
case MOK_KEY_ENROLL:
mok_key_enroll();
break;
-@@ -2312,6 +2353,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
+@@ -2310,6 +2351,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
UINTN MokNewSize = 0, MokDelSize = 0, MokSBSize = 0, MokPWSize = 0;
UINTN MokDBSize = 0, MokXNewSize = 0, MokXDelSize = 0;
@@ -251,7 +252,7 @@
void *MokNew = NULL;
void *MokDel = NULL;
void *MokSB = NULL;
-@@ -2319,6 +2361,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
+@@ -2317,6 +2359,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
void *MokDB = NULL;
void *MokXNew = NULL;
void *MokXDel = NULL;
@@ -259,7 +260,7 @@
EFI_STATUS status;
status = get_variable(L"MokNew", (UINT8 **)&MokNew, &MokNewSize,
-@@ -2391,9 +2434,20 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
+@@ -2389,9 +2432,20 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
console_error(L"Could not retrieve MokXDel", status);
}
@@ -281,7 +282,7 @@
if (MokNew)
FreePool (MokNew);
-@@ -2416,6 +2470,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
+@@ -2414,6 +2468,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
if (MokXDel)
FreePool (MokXDel);
@@ -292,10 +293,10 @@
LibDeleteVariable(L"MokDelAuth", &shim_lock_guid);
LibDeleteVariable(L"MokXAuth", &shim_lock_guid);
diff --git a/shim.c b/shim.c
-index 112a141..9ffac1f 100644
+index 4e8ed3a..8848e6a 100644
--- a/shim.c
+++ b/shim.c
-@@ -1819,7 +1819,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
+@@ -1840,7 +1840,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
check_var(L"MokPW") || check_var(L"MokAuth") ||
check_var(L"MokDel") || check_var(L"MokDB") ||
check_var(L"MokXNew") || check_var(L"MokXDel") ||
@@ -308,7 +309,7 @@
2.1.4
-From 8d8ccfdebdd01601548d662ad8a43371d307e2f1 Mon Sep 17 00:00:00 2001
+From 3d22ec8e64253ec7edc4133d6122539f006c792e Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin
Date: Fri, 7 Mar 2014 16:17:20 +0800
Subject: [PATCH 3/3] Delete openSUSE_Verify the right way
@@ -321,10 +322,10 @@
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/MokManager.c b/MokManager.c
-index 7277968..b5d2454 100644
+index 68d4099..c7f2b65 100644
--- a/MokManager.c
+++ b/MokManager.c
-@@ -1745,7 +1745,10 @@ static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) {
+@@ -1743,7 +1743,10 @@ static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) {
if (status != EFI_SUCCESS)
return -1;
++++++ shim-update-openssl-1.0.2d.patch ++++++
++++ 146195 lines (skipped)