Merge ~xnox/ubiquity:drop-shim-signed-vendorize into ubiquity:master

Proposed by Dimitri John Ledkov
Status: Rejected
Rejected by: Dimitri John Ledkov
Proposed branch: ~xnox/ubiquity:drop-shim-signed-vendorize
Merge into: ubiquity:master
Diff against target: 136 lines (+11/-22)
10 files modified
d-i/Makefile (+0/-1)
d-i/get-sources (+0/-5)
d-i/lists/amd64 (+0/-1)
d-i/manifest (+0/-1)
d-i/update-control (+0/-1)
debian/changelog (+5/-0)
debian/control (+1/-0)
debian/rules (+0/-9)
dev/null (+0/-1)
scripts/simple-plugins (+5/-3)
Reviewer: Ubuntu Installer Team
Review status: Pending
Review via email: mp+384771@code.launchpad.net

Commit message

Do not vendorize shim-signed scripts

Simply use shim-signed scripts that are installed in live session already anyway.

I actually have no idea why shim-signed got vendorized inside ubiquity, given that the scripts we call have always been available in the live session, as shim-signed has always been preinstalled on amd64, since its inception.

Dimitri John Ledkov (xnox) wrote :

TODO: test this

Dimitri John Ledkov (xnox) wrote :

Actually bootloaders are not preinstalled in the filesystem squashfs. Instead shim-signed is only in the pool, and is only installed in target.

Which imho is a waste of time, but oh well.

Unmerged commits

571cb72... by Dimitri John Ledkov

Do not vendorize shim-signed scripts, simply use shim-signed scripts that are installed in live session already anyway.

Preview Diff

1diff --git a/d-i/Makefile b/d-i/Makefile
2index fe85c58..7b3b478 100644
3--- a/d-i/Makefile
4+++ b/d-i/Makefile
5@@ -14,7 +14,6 @@ PACKAGES += $(shell cat $(LISTDIR)/$(DEB_HOST_ARCH))
6 endif
7 # We don't need to build console-setup.
8 PACKAGES := $(filter-out console-setup,$(PACKAGES))
9-PACKAGES := $(filter-out shim-signed,$(PACKAGES))
10
11 update:
12 @perl -MDpkg::Deps -e1 >/dev/null 2>&1 || { \
13diff --git a/d-i/get-sources b/d-i/get-sources
14index 500a824..48c7fcb 100755
15--- a/d-i/get-sources
16+++ b/d-i/get-sources
17@@ -107,11 +107,6 @@ for subdir in .svn Fonts Keyboard/acm Keyboard/ckb Keyboard/locale; do
18 rm -rf "$SOURCEDIR/console-setup/$subdir"
19 done
20
21-# We don't need binary blobs from shim-signed.
22-for subdir in MicCorUEFCA2011_2011-06-27.crt shimx64.efi.signed; do
23- rm -rf "$SOURCEDIR/shim-signed/$subdir"
24-done
25-
26 # Add a warning to budding hackers.
27 cat > "$SOURCEDIR/README" <<EOF
28 The files in this directory are updated automatically from the distribution
29diff --git a/d-i/lists/amd64 b/d-i/lists/amd64
30index ef9de81..8bc806e 100644
31--- a/d-i/lists/amd64
32+++ b/d-i/lists/amd64
33@@ -1,3 +1,2 @@
34 grub-installer
35 partman-efi
36-shim-signed
37diff --git a/d-i/manifest b/d-i/manifest
38index ce11a8d..432d4a7 100644
39--- a/d-i/manifest
40+++ b/d-i/manifest
41@@ -28,6 +28,5 @@ partman-swapfile 1
42 partman-target 98ubuntu1
43 partman-xfs 66
44 preseed 1.71ubuntu11
45-shim-signed 1.40.3
46 tzsetup 1:0.94ubuntu2
47 user-setup 1.63ubuntu6
48diff --git a/d-i/update-control b/d-i/update-control
49index 0f75835..98f0716 100755
50--- a/d-i/update-control
51+++ b/d-i/update-control
52@@ -88,7 +88,6 @@ for my $bd ($parsed->get_deps()) {
53 for my $source (<source/*/debian/control>) {
54 # We don't build console-setup, so skip its build-dependencies.
55 next if $source eq 'source/console-setup/debian/control';
56- next if $source eq 'source/shim-signed/debian/control';
57 open SOURCE, '<', $source or die "can't open $source: $!";
58 while (<SOURCE>) {
59 if (/^Build-Depends(?:-Indep)?:\s*(.*)/i) {
60diff --git a/debian/changelog b/debian/changelog
61index ee46088..90baaf8 100644
62--- a/debian/changelog
63+++ b/debian/changelog
64@@ -1,9 +1,14 @@
65 ubiquity (20.10.2) UNRELEASED; urgency=medium
66
67+ [ Jean-Baptiste Lallement ]
68 * zsys-setup: Use persistent device name for vdevs (LP: #1880869)
69 * Only export pools created during installation and containing dataset
70 mounted under /target (LP: #1875045)
71
72+ [ Dimitri John Ledkov ]
73+ * Do not vendorize shim-signed scripts, simply use shim-signed scripts
74+ that are installed in live session already anyway.
75+
76 -- Jean-Baptiste Lallement <jean-baptiste.lallement@ubuntu.com> Wed, 27 May 2020 13:49:15 +0200
77
78 ubiquity (20.10.1) groovy; urgency=medium
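
Review bot: The new entry under [ Dimitri John Ledkov ] says the shim-signed scripts are "installed in live session already anyway", yet this same change adds "shim-signed [amd64]" to Depends in debian/control to make them available. The entry should record what the upload does: drop the vendored copy of the shim-signed scripts and depend on the shim-signed package instead.
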
79diff --git a/debian/control b/debian/control
80index c946244..86c658f 100644
81--- a/debian/control
82+++ b/debian/control
83@@ -97,6 +97,7 @@ Depends: adduser,
84 python3-pam,
85 rdate,
86 sbsigntool [amd64],
87+ shim-signed [amd64],
88 ubiquity-artwork-${mangled-version},
89 ubiquity-casper,
90 ubiquity-frontend-${mangled-version},
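
Review bot: The added "shim-signed [amd64]" dependency is unversioned, while the vendored copy being dropped was pinned at 1.40.3 in d-i/manifest and scripts/simple-plugins now relies on the package providing /usr/sbin/update-secureboot-policy with the --new-key option. Consider a versioned dependency on the oldest shim-signed release known to ship that path and option, so that an older package cannot satisfy it.
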
91diff --git a/debian/rules b/debian/rules
92index 105aab1..bf2ac50 100755
93--- a/debian/rules
94+++ b/debian/rules
95@@ -212,15 +212,6 @@ endif
96 d-i/source/debian-installer-utils/post-base-installer.d/10register-module \
97 > debian/oem-config/usr/lib/ubiquity/debian-installer-utils/register-module.post-base-installer-oem
98 chmod +x debian/oem-config/usr/lib/ubiquity/debian-installer-utils/register-module.post-base-installer-oem
99-ifeq ($(DEB_HOST_ARCH),amd64)
100- install d-i/source/shim-signed/openssl.cnf \
101- debian/ubiquity/usr/lib/ubiquity/shim-signed/openssl.cnf
102- sed 's,/usr/lib/shim/mok/openssl.cnf,/usr/lib/ubiquity/shim-signed/openssl.cnf,g' \
103- d-i/source/shim-signed/update-secureboot-policy \
104- > debian/ubiquity/usr/lib/ubiquity/shim-signed/update-secureboot-policy
105- chmod +x debian/ubiquity/usr/lib/ubiquity/shim-signed/update-secureboot-policy
106-endif
107-
108 touch install-stamp
109
110 tests: install-stamp
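
Review bot: With the sed step in the removed amd64 block gone, key generation depends on /usr/lib/shim/mok/openssl.cnf being present wherever scripts/simple-plugins runs, since the vendored script was the only copy rewritten to read /usr/lib/ubiquity/shim-signed/openssl.cnf. Nothing in this change checks for that file, so confirm that the shim-signed package installs it at that path as part of testing this branch.
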
111diff --git a/debian/ubiquity.dirs-amd64 b/debian/ubiquity.dirs-amd64
112deleted file mode 100644
113index 9c24380..0000000
114--- a/debian/ubiquity.dirs-amd64
115+++ /dev/null
116@@ -1 +0,0 @@
117-usr/lib/ubiquity/shim-signed
118diff --git a/scripts/simple-plugins b/scripts/simple-plugins
119index 2558385..77fc89b 100755
120--- a/scripts/simple-plugins
121+++ b/scripts/simple-plugins
122@@ -24,9 +24,11 @@ if [ "$1" = "prepare" ]; then
123 db_get ubiquity/secureboot_key
124 if [ -n "$RET" ]; then
125 mkdir -p /var/lib/shim-signed/mok
126- /usr/lib/ubiquity/shim-signed/update-secureboot-policy --new-key
127- printf '%s\n%s\n' "$RET" "$RET" | mokutil --import /var/lib/shim-signed/mok/MOK.der >/dev/null || true
128- mokutil --timeout -1 >/dev/null || true
129+ /usr/sbin/update-secureboot-policy --new-key
130+ if [ -e /var/lib/shim-signed/mok/MOK.der ]; then
131+ printf '%s\n%s\n' "$RET" "$RET" | mokutil --import /var/lib/shim-signed/mok/MOK.der >/dev/null || true
132+ mokutil --timeout -1 >/dev/null || true
133+ fi
134 fi
135 # Always clear secureboot key.
136 db_set ubiquity/secureboot_key ''
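
Review bot: The call to /usr/sbin/update-secureboot-policy --new-key in the prepare branch is unguarded and its exit status is ignored, and the new "[ -e /var/lib/shim-signed/mok/MOK.der ]" test then skips enrollment silently when no key was generated. Because "db_set ubiquity/secureboot_key ''" still runs afterwards, the password the user entered is discarded and the install continues with no MOK enrolled and nothing logged. Suggest checking that the script is executable before calling it and adding an else branch that logs a warning when MOK.der is missing; "-s" instead of "-e" would also reject an empty key file.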
