1 shim (15.5-1) UNRELEASED; urgency=medium
3 * New upstream release fixing more bugs
4 + Remove all our old patches, all now upstream:
5 - Don-t-call-QueryVariableInfo-on-EFI-1.10-machines.patch
6 - MOK-BootServicesData.patch
7 - fix-broken-ia32-reloc.patch
8 - fix-import_one_mok_state.patch
9 - fix_arm64_rela_sections.patch
10 - relax_check_for_import_mok_state.patch
11 * Tweak setup for dh_auto_test so the tests work
12 * Add new build-dep on libefivar-dev for tests
14 -- Steve McIntyre <93sam@debian.org> Wed, 27 Apr 2022 22:50:08 +0100
16 shim (15.4-7) unstable; urgency=high
18 * Tweak how we call grub-install; don't abort on error. Not ideal
19 behaviour either, but don't break upgrades. Copy the behaviour
20 from the grub packages here. Closes: #990966
22 -- Steve McIntyre <93sam@debian.org> Mon, 12 Jul 2021 08:53:54 +0100
24 shim (15.4-6) unstable; urgency=high
26 * Add arm64 patch to tweak section layout and stop crashing
27 problems. Upstream issue #371. Closes: #990082, #990190
28 * In insecure mode, don't abort if we can't create the MokListXRT
29 variable. Upstream issue #372. Closes: #989962, #990158
31 -- Steve McIntyre <93sam@debian.org> Wed, 23 Jun 2021 19:03:54 +0100
33 shim (15.4-5) unstable; urgency=medium
35 * Add defensive code around calls to db_get. Don't fail if they
38 -- Steve McIntyre <93sam@debian.org> Thu, 06 May 2021 00:37:49 +0100
40 shim (15.4-4) unstable; urgency=medium
42 * Fix up those maintainer scripts - if we're not running on an EFI
43 system then exit cleanly.
45 -- Steve McIntyre <93sam@debian.org> Tue, 04 May 2021 17:53:21 +0100
47 shim (15.4-3) unstable; urgency=medium
49 * Add maintainer scripts to the template packages to manage
50 installing and removing fbXXX.efi and mmXXX.efi when we
51 install/remove the shim-helpers-$arch-signed packages.
54 -- Steve McIntyre <93sam@debian.org> Mon, 03 May 2021 20:48:49 +0100
56 shim (15.4-2) unstable; urgency=medium
58 * Add two further patches from upstream:
59 + fix import_one_mok_state() after split
60 + Don't call QueryVariableInfo() on EFI 1.10 machines (e.g. older
63 -- Steve McIntyre <93sam@debian.org> Wed, 21 Apr 2021 00:23:02 +0100
65 shim (15.4-1) unstable; urgency=medium
67 * New upstream release fixing more bugs: SBAT and arm64 support
68 * Print sha256 checksums of the EFI binaries when the build is done
69 * Add two patches from upstream:
70 + fix i386 binary relocations
71 + allocate MOK config table as BootServicesData
73 -- Steve McIntyre <93sam@debian.org> Wed, 31 Mar 2021 18:25:00 +0100
75 shim (15.3-3) unstable; urgency=medium
77 * Update the timestamp for the 15.3-2 upload.
78 * Only include the upstream version in the Debian SBAT metadata, so
79 we don't break reproducibility on every minor packaging change.
81 -- Steve McIntyre <93sam@debian.org> Wed, 24 Mar 2021 13:21:05 +0000
83 shim (15.3-2) unstable; urgency=medium
85 * Add missing build-dep on xxd for build-time unit tests
87 -- Steve McIntyre <93sam@debian.org> Wed, 24 Mar 2021 02:21:53 +0000
89 shim (15.3-1) unstable; urgency=medium
92 * Switch to much-newer release with many fixes
93 + Particularly pulling in SBAT changes for better revocation support
94 + Remove all our old patches, no longer needed:
95 - avoid_null_vsprint.patch
96 - check_null_sn_ln.patch
99 - use_compare_mem_gcc9.patch
100 + Now includes a vendor copy of gnu-efi with quite a few extra
102 + Update copyright file to cover these changes
103 * Switch to using gcc-10 rather than gcc-9. Closes: #978521
104 * Add dbx entries for all our existing grub binaries
105 + They're insecure, let's break the chainloading hole.
106 * Add Debian SBAT data
107 + Add a Debian SBAT template, and rules to use it
108 + Adds a build-dep on dos2unix
110 -- Steve McIntyre <93sam@debian.org> Tue, 23 Mar 2021 23:39:48 +0000
112 shim (15+1533136590.3beb971-10) unstable; urgency=medium
115 * Trim trailing whitespace.
116 * Use secure copyright file specification URI.
117 * debian/copyright: use spaces rather than tabs to start continuation
119 * Bump debhelper from old 11 to 12.
120 * Set debhelper-compat version in Build-Depends.
121 * Set upstream metadata fields: Bug-Database, Bug-Submit.
122 * Update standards version to 4.4.1, no changes needed.
125 * Trivial changes to generating the inbuilt dbx if we're using it.
126 * Upload to pick up rotated Debian signing keys
128 -- Steve McIntyre <93sam@debian.org> Fri, 24 Jul 2020 01:22:46 +0100
130 shim (15+1533136590.3beb971-9) unstable; urgency=medium
133 * In the -helpers-ARCH-signed packages, change the version
134 dependency on shim-unsigned to be >= and not =. This will allow
135 for installation to still work in the window while we wait for the
136 template package to do its second trip through the
137 archive. Closes: #955356
139 -- Steve McIntyre <93sam@debian.org> Mon, 30 Mar 2020 15:19:08 +0100
141 shim (15+1533136590.3beb971-8) unstable; urgency=medium
144 * Use --padding when calling pesign to generate hashes for the dbx
145 list, as recommended by Peter Jones. No actual changes needed in
146 our list of hashes at this point - they work out the same either
148 * Switch to using gcc-9 for builds, tweaking a patch from upstream
149 to fix a FTBFS. Closes: #925816
150 * Update debhelper compat level to 11 for shim and the
153 -- Steve McIntyre <93sam@debian.org> Tue, 24 Mar 2020 16:51:10 +0000
155 shim (15+1533136590.3beb971-7) unstable; urgency=medium
158 * debian/control: Update Vcs-* fields
161 * Backport needed crash fixes:
162 + VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls
163 + Fix OBJ_create() to tolerate a NULL sn and ln
164 * Build using gcc-7 to get better control of reproducibility during the
166 * Build in a dbx list to blacklist binaries that we know to not be
167 secure. Build-depend on a new (bug-fixed) version of pesign to
168 generate that list at build time, using a list of known bad hashes.
169 * Initial list of known bad hashes is just my personal test binary.
171 -- Steve McIntyre <93sam@debian.org> Wed, 08 May 2019 02:05:01 +0100
173 shim (15+1533136590.3beb971-6) unstable; urgency=medium
176 * Add Provides: and Breaks: to shim-helpers-$arch-signed to fix
177 clashes with the old shim-signed package for fbx64.efi.signed and
178 mmx64.efi.signed. Closes: #924619
181 * Fix FTCBFS: Set CROSS_COMPILE. (Closes: #922152)
183 -- Steve McIntyre <93sam@debian.org> Sat, 23 Mar 2019 18:19:13 +0000
185 shim (15+1533136590.3beb971-5) unstable; urgency=medium
188 * Correct maintainer address in signing template
191 * Remove Rules-Requires-Root in the signing template. We manually install
192 things owned by root. There might be better ways to do this, but this
195 -- Steve McIntyre <93sam@debian.org> Tue, 12 Mar 2019 01:38:19 +0000
197 shim (15+1533136590.3beb971-4) unstable; urgency=medium
200 * No-change sourceful upload to get rebuilds (and hence build logs) from
201 the buildds. Hoping to get this version signed by Microsoft, so let's
202 make our setup as clean as possible.
204 -- Steve McIntyre <93sam@debian.org> Sat, 09 Mar 2019 22:24:23 +0000
206 shim (15+1533136590.3beb971-3) unstable; urgency=medium
209 * debian/rules: fixing permissions no longer required
210 * debian/rules: Disable ephemeral key on Debian.
211 * Rename binary package to 'shim-unsigned'
212 * Add template for signing {mm,fb}$ARCH.efi. (Closes: #922228)
215 * Override lintian error about template rules file.
216 * Include /usr/share/dpkg/architecture.mk instead of shelling out.
217 * Add uname.patch to avoid embedding the kernel architecture in the
218 binary and to use a fixed string instead.
221 * Change maintenance address to be the EFI team
222 * Add me and vorlon to the Uploaders list
223 * Rename the helper binary packages to shim-helpers-$arch.
224 * Update the signing-template JSON metadata to match new practice:
225 + Move all the data under a new top-level "packages" key
226 + Add an empty "trusted_certs" key - the helper binaries do not do any
227 further verification with an embedded key.
229 -- Steve McIntyre <93sam@debian.org> Fri, 08 Mar 2019 21:59:43 +0000
231 shim (15+1533136590.3beb971-2) unstable; urgency=medium
233 * Update debian/watch.
234 * Update VCS to point to salsa.
235 * Fix debian/rules syntax for arm64 build.
236 * Enable build for i386.
237 * Ensure DEB_HOST_ARCH is set even if not present in the environment.
238 * Update Standards-Version.
239 * Update debian/copyright (drop reference to file no longer in source)
241 -- Steve Langasek <vorlon@debian.org> Mon, 11 Feb 2019 05:18:18 +0000
243 shim (15+1533136590.3beb971-1) unstable; urgency=medium
245 * New upstream release.
246 - debian/patches/second-stage-path: dropped; the default loader path now
247 includes an arch suffix.
248 - debian/patches/sbsigntool-no-pesign: dropped; no longer needed.
249 * Drop remaining patches that were not being applied.
250 * Sync packaging from Ubuntu:
251 - debian/copyright: Update upstream source location.
252 - debian/control: add a Build-Depends on libelf-dev.
253 - Enable arm64 build.
254 - debian/patches/fixup_git.patch: don't run git in clean; we're not
255 really in a git tree.
256 - debian/rules, debian/shim.install: use the upstream install target as
257 intended, and move files to the target directory using dh_install.
258 - define RELEASE and COMMIT_ID for the snapshot.
259 - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
260 - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
261 options: set MAKELEVEL.
262 - Define an EFI_ARCH variable, and use that for paths to shim. This
263 makes it possible to build a shim for other architectures than amd64.
264 - Set EFIDIR=$distro for dh_auto_install; that will let files be installed
265 in the "right" final directories, and makes boot.csv for us.
266 - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
267 at compile-time for MokManager and fallback.
268 - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
271 -- Steve Langasek <vorlon@debian.org> Sat, 09 Feb 2019 07:23:19 +0000
273 shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium
276 * Initial Debian upload. Closes: #820052.
277 * Update Standards-Version.
278 * Embed the newly-minted Debian CA certificate.
279 * Vendorize debian/rules so that the same package can be used in both
280 Debian and Ubuntu without modification.
281 * Fix debian/copyright to match the spec (last match wins, not first)
282 * Fix shim.efi to not be executable.
284 * Support parallel builds, because eh why not
286 * Resync with Ubuntu, including patch to fix debian/copyright.
289 * Add some missing copyright holders in d/copyright, update
290 Upstream-Contact. Thanks to Helen Koike for the help.
292 -- Julien Cristau <jcristau@debian.org> Sat, 15 Oct 2016 15:17:34 +0200
294 shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium
297 * debian/copyright: add OpenSSL license
299 [ Mathieu Trudel-Lapierre ]
300 * New upstream release.
301 * debian/copyright: patches should be BSD, like the rest of the upstream
303 * debian/patches/unused-variable: dropped; applied upstream.
304 * debian/patches/binutils-version-matching: dropped, fixed upstream.
305 * debian/shim.install: built EFI binaries were renamed; update our install
306 file to properly pick up shim (shim$arch), MokManager (mm$arch), and
309 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Wed, 21 Sep 2016 20:29:44 -0400
311 shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium
313 * New upstream release.
314 - Better handle LoadOptions. (LP: #1581299)
315 - Measure state and second stage in TPM.
316 - Mirror MokSBState in runtime as MokSBStateRT.
317 - Fix failure to build with GCC 5. (LP: #1429978)
318 - Various bug fixes and other improvements.
322 + sbsigntool-not-pesign
323 * debian/patches/unused-variable: remove unused variable size.
324 * debian/patches/binutils-version-matching: revert d9a4c912 to correctly
325 match objcopy's version on Ubuntu.
326 * debian/copyright: update copyright for patches.
328 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 26 Jul 2016 16:48:32 -0400
330 shim (0.8-0ubuntu2) wily; urgency=medium
332 * No-change rebuild against gnu-efi 3.0v-5ubuntu1.
334 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 12 May 2015 17:48:30 +0000
336 shim (0.8-0ubuntu1) wily; urgency=medium
338 * New upstream release.
339 - Clarify meaning of insecure_mode. (LP: #1384973)
340 * debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,
341 debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included
342 in the upstream release.
343 * debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path:
346 -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com> Mon, 11 May 2015 19:50:49 -0400
348 shim (0.7-0ubuntu4) utopic; urgency=medium
350 * SECURITY UPDATE: heap overflow and out-of-bounds read access when
351 parsing DHCPv6 information
352 - debian/patches/CVE-2014-3675.patch: apply proper bounds checking
353 when parsing data provided in DHCPv6 packets.
356 * SECURITY UPDATE: memory corruption when processing user-provided key
358 - debian/patches/CVE-2014-3677.patch: detect malformed machine owner
359 key (MOK) lists and ignore them, avoiding possible memory corruption.
362 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 08 Oct 2014 06:40:40 +0000
364 shim (0.7-0ubuntu2) utopic; urgency=medium
366 * Restore debian/patches/prototypes, which still is needed on shim 0.7
367 but only detected on the buildds.
368 * Update debian/patches/prototypes with some new declarations needed for
369 openssl 0.9.8za update.
371 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 16:20:08 -0700
373 shim (0.7-0ubuntu1) utopic; urgency=medium
375 * New upstream release.
376 - fix spurious error message when fallback.efi is not present, as will
377 always be the case for removable media. LP: #1297069.
378 - drop most patches, included upstream.
379 * debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick
380 openssl 0.9.8za in via upstream.
382 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 05:40:41 +0000
384 shim (0.4-0ubuntu5) utopic; urgency=low
386 * Install fallback.efi.signed as well, to lay the groundwork for fallback
387 handling (wanted when we have to move a drive between machines, or when
388 the firmware loses its marbles^W nvram).
390 -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 04 Aug 2014 12:11:13 +0200
392 shim (0.4-0ubuntu4) saucy; urgency=low
394 * debian/patches/fix-tftp-prototype: pass the right arguments to
395 EFI_PXE_BASE_CODE_TFTP_READ_FILE.
396 * debian/patches/build-with-Werror: Build with -Werror to catch future
397 prototype mismatches.
398 * debian/patches/fix-compiler-warnings: Fix remaining compiler
399 warnings in netboot.c.
400 * debian/patches/tftp-proper-nul-termination: fix nul termination
401 errors in filenames passed to tftp.
402 * debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to
405 -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 23 Sep 2013 00:30:00 -0700
407 shim (0.4-0ubuntu3) saucy; urgency=low
410 * Install MokManager.efi.signed in the package.
411 * debian/patches/no-output-by-default.patch: Don't print any
412 informational messages. Closes LP: #1074302.
415 * debian/patches/no-print-on-unsigned: Don't print an error message when
416 validating an unsigned binary as that tends to hang Lenovo machines.
419 -- Stéphane Graber <stgraber@ubuntu.com> Thu, 08 Aug 2013 17:12:12 +0200
421 shim (0.4-0ubuntu2) saucy; urgency=low
423 * Add missing build-dependency on openssl.
425 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 20:30:43 +0000
427 shim (0.4-0ubuntu1) saucy; urgency=low
429 * New upstream release.
430 * Drop debian/patches/shim-before-loadimage; upstream has changed this to
431 not call loadimage at all.
432 * debian/patches/sbsigntool-not-pesign: Sign MokManager with
433 sbsigntool instead of pesign.
434 * Add a versioned build-dependency on gnu-efi.
436 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 12:53:24 -0700
438 shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low
440 * debian/patches/shim-before-loadimage: Use direct verification first
441 before LoadImage. Addresses an issue where Lenovo's SecureBoot
442 implementation pops an error message on any verification failure - avoid
443 calling LoadImage at all unless we have to.
445 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 10 Oct 2012 15:28:40 -0700
447 shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low
449 * debian/patches/second-stage-path: Chainload grubx64.efi, not
452 -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 05 Oct 2012 11:20:58 -0700
454 shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low
456 * debian/patches/prototypes: Include missing prototypes, and disable
458 * Only build the package for amd64; we're not signing an i386 shim at this
459 stage so there's no point in building it.
461 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 17:47:04 +0000
463 shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low
466 * Include the Canonical Secure Boot master CA.
468 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 00:01:06 -0700