diff -Nru shim-15.4/debian/canonical-uefi-ca.pem shim-15.4/debian/canonical-uefi-ca.pem
--- shim-15.4/debian/canonical-uefi-ca.pem 2021-03-01 19:21:29.000000000 +0000
+++ shim-15.4/debian/canonical-uefi-ca.pem 1970-01-01 00:00:00.000000000 +0000
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIENDCCAxygAwIBAgIJALlBJKAYLJJnMA0GCSqGSIb3DQEBCwUAMIGEMQswCQYD
-VQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xEDAOBgNVBAcMB0RvdWdsYXMx
-FzAVBgNVBAoMDkNhbm9uaWNhbCBMdGQuMTQwMgYDVQQDDCtDYW5vbmljYWwgTHRk
-LiBNYXN0ZXIgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEyMDQxMjExMTI1MVoX
-DTQyMDQxMTExMTI1MVowgYQxCzAJBgNVBAYTAkdCMRQwEgYDVQQIDAtJc2xlIG9m
-IE1hbjEQMA4GA1UEBwwHRG91Z2xhczEXMBUGA1UECgwOQ2Fub25pY2FsIEx0ZC4x
-NDAyBgNVBAMMK0Nhbm9uaWNhbCBMdGQuIE1hc3RlciBDZXJ0aWZpY2F0ZSBBdXRo
-b3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/WzoWdO4hXa5h
-7Z1WrL3e3nLz3X4tTGIPrMBtSAgRz42L+2EfJ8wRbtlVPTlU60A7sbvihTR5yvd7
-v7p6yBAtGX2tWc+m1OlOD9quUupMnpDOxpkNTmdleF350dU4Skp6j5OcfxqjhdvO
-+ov3wqIhLZtUQTUQVxONbLwpBlBKfuqZqWinO8cHGzKeoBmHDnm7aJktfpNS5fbr
-yZv5K+24aEm82ZVQQFvFsnGq61xX3nH5QArdW6wehC1QGlLW4fNrbpBkT1u06yDk
-YRDaWvDq5ELXAcT+IR/ZucBUlUKBUnIfSWR6yGwk8QhwC02loDLRoBxXqE3jr6WO
-BQU+EEOhAgMBAAGjgaYwgaMwHQYDVR0OBBYEFK2RmQvCKrH1FwSMI7ZlWiaONFpj
-MB8GA1UdIwQYMBaAFK2RmQvCKrH1FwSMI7ZlWiaONFpjMA8GA1UdEwEB/wQFMAMB
-Af8wCwYDVR0PBAQDAgGGMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly93d3cuY2Fu
-b25pY2FsLmNvbS9zZWN1cmUtYm9vdC1tYXN0ZXItY2EuY3JsMA0GCSqGSIb3DQEB
-CwUAA4IBAQA/ffZ2pbODtCt60G1SGgODxBKnUJxHkszAlHeC0q5Xs5kE9TI6xlUd
-B9sSqVb62NR2IOvkw1Hbmlyckj8Yc9qUaqGZOIykiG3B/Dlx0HR2FgM+ViM11VVH
-WxodQcLTEkzc/64KkpxiChcBnHPgXrH9vNa1GRF6fs0+A35m21uoyTlIUf9T4Zwx
-U5EbOxB1Axe65oECgJRwTEa3lLA9Fc0fjgLgaAKP+/lHHX2iAcYHUcSazO3dz6Nd
-7ZK7vtH95uwfM1FzBL48crB9CPgB/5h9y5zgaTl3JUdxiLGNJ6UuqPc/X4Bplz6p
-9JkU284DDgtmxBxtvbgnd8FClL38agq8
------END CERTIFICATE-----
diff -Nru shim-15.4/debian/changelog shim-15.4/debian/changelog
--- shim-15.4/debian/changelog 2021-03-24 11:32:25.000000000 +0000
+++ shim-15.4/debian/changelog 2021-04-20 14:24:29.000000000 +0000
@@ -1,3 +1,14 @@
+shim (15.4-0ubuntu2) hirsute; urgency=medium
+
+ [ Balint Reczey ]
+ * Fix boot on EFI 1.10 machines, for example on some MacBooks (LP: #1925010)
+
+ [ Dimitri John Ledkov ]
+ * Fix kernel warning when allocating MOK table (LP: #1925139)
+ * Fix booting with shim SBState disabled (LP: #1925140)
+
+ -- Dimitri John Ledkov Tue, 20 Apr 2021 15:24:29 +0100
+
 shim (15.4-0ubuntu1) hirsute; urgency=medium
 
 [ Dimitri John Ledkov ]
diff -Nru shim-15.4/debian/patches/361.patch shim-15.4/debian/patches/361.patch
--- shim-15.4/debian/patches/361.patch 1970-01-01 00:00:00.000000000 +0000
+++ shim-15.4/debian/patches/361.patch 2021-04-20 11:02:30.000000000 +0000
@@ -0,0 +1,38 @@
+From 33ca95024aa7e33218da5882d30b3ec690a11046 Mon Sep 17 00:00:00 2001
+From: Gary Lin
+Date: Thu, 8 Apr 2021 16:23:03 +0800
+Subject: [PATCH] mok: allocate MOK config table as BootServicesData
+
+Linux kernel is picky when reserving the memory for x86 and it only
+expects BootServicesData:
+
+https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/platform/efi/quirks.c?h=v5.11#n254
+
+Otherwise, the following error would show during system boot:
+
+Apr 07 12:31:56.743925 localhost kernel: efi: Failed to lookup EFI memory descriptor for 0x000000003dcf8000
+
+Although BootServicesData would be reclaimed after ExitBootService(),
+linux kernel reserves MOK config table when it detects the existence of
+the table, so it's fine to allocate the table as BootServicesData.
+
+Signed-off-by: Gary Lin
+Origin: https://patch-diff.githubusercontent.com/raw/rhboot/shim/pull/361.patch
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1925139
+---
+ mok.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mok.c b/mok.c
+index 5ad9072be..fc1ee04da 100644
+--- a/mok.c
++++ b/mok.c
+@@ -1002,7 +1002,7 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ npages = ALIGN_VALUE(config_sz, PAGE_SIZE) >> EFI_PAGE_SHIFT;
+ config_table = NULL;
+ efi_status = gBS->AllocatePages(AllocateAnyPages,
+- EfiRuntimeServicesData,
++ EfiBootServicesData,
+ npages,
+ (EFI_PHYSICAL_ADDRESS *)&config_table);
+ if (EFI_ERROR(efi_status) || !config_table) {
diff -Nru shim-15.4/debian/patches/362.patch shim-15.4/debian/patches/362.patch
--- shim-15.4/debian/patches/362.patch 1970-01-01 00:00:00.000000000 +0000
+++ shim-15.4/debian/patches/362.patch 2021-04-20 11:02:30.000000000 +0000
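Review bot: The `AllocatePages` call in `import_mok_state` now requests `EfiBootServicesData`, which the OS may reuse after ExitBootServices(), and nothing at the call site records that the table stays valid only because the consumer reserves it. The commit message explains this for the Linux x86 path; a loader or kernel that does not reserve the region would presumably read MOK policy from memory that has since been reused. I would add a comment above the call, for example `/* BootServicesData on purpose: the OS must reserve the MOK config table before it reclaims boot-services memory */`. The function starts and ends outside the hunk, so how the table is installed and consumed cannot be checked from here.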
@@ -0,0 +1,37 @@
+From 975c2feaa47dc3b8d42d2995e09b5026ce66d7af Mon Sep 17 00:00:00 2001
+From: Adam Williamson
+Date: Thu, 8 Apr 2021 22:39:02 -0700
+Subject: [PATCH] Don't set user_insecure_mode and ignore_db in
+ import_one_mok_state
+
+This seems completely incorrect and unnecessary, unless I'm
+missing something. We already set them both to 0 at the start of
+`import_mok_state`, which is the only thing that uses
+`import_one_mok_state`, so it's unnecessary. It's incorrect
+because it means those variables will be set to 0 even when they
+should be set to 1 - even if they are momentarily set to 1 when
+`import_one_mok_state` is called on the relevant variable, they
+immediately get set back to 0 when it's called on the *next*
+variable.
+
+Signed-off-by: Adam Williamson
+Origin: https://patch-diff.githubusercontent.com/raw/rhboot/shim/pull/361.patch
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1925140
+---
+ mok.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index 5ad9072be..9e37d6ab5 100644
+--- a/mok.c
++++ b/mok.c
+@@ -888,9 +888,6 @@ EFI_STATUS import_one_mok_state(struct mok_state_variable *v,
+ EFI_STATUS ret = EFI_SUCCESS;
+ EFI_STATUS efi_status;
+
+- user_insecure_mode = 0;
+- ignore_db = 0;
+-
+ UINT32 attrs = 0;
+ BOOLEAN delete = FALSE;
+
diff -Nru shim-15.4/debian/patches/364.patch shim-15.4/debian/patches/364.patch
--- shim-15.4/debian/patches/364.patch 1970-01-01 00:00:00.000000000 +0000
+++ shim-15.4/debian/patches/364.patch 2021-04-20 08:25:05.000000000 +0000
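Review bot: The `Origin:` trailer of this patch points at `pull/361.patch`, the same URL used in 361.patch, although the file is 362.patch and carries a different upstream commit (975c2feaa47d…). It looks like a copy-paste slip and should presumably name pull request 362, so the patch can be traced and re-checked against upstream. On the code, once the two resets are gone from `import_one_mok_state`, the only place that clears `user_insecure_mode` and `ignore_db` is, per the description, the start of `import_mok_state`, which this hunk does not show. Since these flags appear to decide whether verification is relaxed, a comment at that initialisation such as `/* reset once here; import_one_mok_state() must not clear these */` would keep a later refactor from dropping it.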
@@ -0,0 +1,63 @@
+From 8b59591775a0412863aab9596ab87bdd493a9c1e Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Sat, 10 Apr 2021 16:05:23 -0400
+Subject: [PATCH] Don't call QueryVariableInfo() on EFI 1.10 machines
+
+The EFI 1.10 spec (and presumably earlier revisions as well) didn't have
+RT->QueryVariableInfo(), and on Chris Murphy's MacBookPro8,2 , that
+memory appears to be initialized randomly.
+
+This patch changes it to not call RT->QueryVariableInfo() if the
+EFI_RUNTIME_SERVICES table's major revision is less than two, and
+assumes our maximum variable size is 1024 in that case.
+
+Signed-off-by: Peter Jones
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1925010
+---
+ mok.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index 9b8fc2b..beac0ff 100644
+--- a/mok.c
++++ b/mok.c
+@@ -261,6 +261,9 @@ static const uint8_t null_sha256[32] = { 0, };
+
+ typedef UINTN SIZE_T;
+
++#define EFI_MAJOR_VERSION(tablep) ((UINT16)((((tablep)->Hdr.Revision) >> 16) & 0xfffful))
++#define EFI_MINOR_VERSION(tablep) ((UINT16)(((tablep)->Hdr.Revision) & 0xfffful))
++
+ static EFI_STATUS
+ get_max_var_sz(UINT32 attrs, SIZE_T *max_var_szp)
+ {
+@@ -270,11 +273,21 @@ get_max_var_sz(UINT32 attrs, SIZE_T *max_var_szp)
+ uint64_t max_var_sz = 0;
+
+ *max_var_szp = 0;
+- efi_status = gRT->QueryVariableInfo(attrs, &max_storage_sz,
+- &remaining_sz, &max_var_sz);
+- if (EFI_ERROR(efi_status)) {
+- perror(L"Could not get variable storage info: %r\n", efi_status);
+- return efi_status;
++ if (EFI_MAJOR_VERSION(gRT) < 2) {
++ dprint(L"EFI %d.%d; no RT->QueryVariableInfo(). Using 1024!\n",
++ EFI_MAJOR_VERSION(gRT), EFI_MINOR_VERSION(gRT));
++ max_var_sz = remaining_sz = max_storage_sz = 1024;
++ efi_status = EFI_SUCCESS;
++ } else {
++ dprint(L"calling RT->QueryVariableInfo() at 0x%lx\n",
++ gRT->QueryVariableInfo);
++ efi_status = gRT->QueryVariableInfo(attrs, &max_storage_sz,
++ &remaining_sz, &max_var_sz);
++ if (EFI_ERROR(efi_status)) {
++ perror(L"Could not get variable storage info: %r\n",
++ efi_status);
++ return efi_status;
++ }
+ }
+
+ /*
+--
+2.25.1
+
diff -Nru shim-15.4/debian/patches/series shim-15.4/debian/patches/series
--- shim-15.4/debian/patches/series 2021-03-24 11:32:25.000000000 +0000
+++ shim-15.4/debian/patches/series 2021-04-20 11:02:30.000000000 +0000
@@ -1 +1,4 @@
 359.patch
+361.patch
+362.patch
+364.patch
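Review bot: In the new `else` branch of `get_max_var_sz`, the `dprint` call passes the function pointer `gRT->QueryVariableInfo` straight to a `0x%lx` conversion. If the print routine reads a 64-bit integer for `%lx`, that is a size mismatch on 32-bit builds, so an explicit cast such as `(UINT64)(UINTN)gRT->QueryVariableInfo` would be safer. The fallback 1024 is written both in the message and in the assignment; a named constant (for example `#define EFI_1_10_MAX_VAR_SZ 1024`, name constructed for this note) with a comment that it is an assumed limit, not one reported by firmware, would make that explicit. The function continues past the end of the hunk, so how the assumed size is used afterwards is not visible here.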