1 shim (15.7-1) UNRELEASED; urgency=medium
3 * New upstream release fixing more bugs
4 * Add a further patch from upstream:
5 + Make sbat_var.S parse right with buggy gcc/binutils
7 -- Steve McIntyre <93sam@debian.org> Sun, 22 Jan 2023 13:12:14 +0000
9 shim (15.6-1) unstable; urgency=medium
11 * New upstream release fixing more bugs
12 + Remove all our old patches, all now upstream:
13 - fix-32b-format-strings.patch
14 - fix-test-includes.patch
16 -- Steve McIntyre <93sam@debian.org> Thu, 21 Jul 2022 14:04:01 +0200
18 shim (15.5-1) UNRELEASED; urgency=medium
20 * New upstream release fixing more bugs
21 + Remove all our old patches, all now upstream:
22 - Don-t-call-QueryVariableInfo-on-EFI-1.10-machines.patch
23 - MOK-BootServicesData.patch
24 - fix-broken-ia32-reloc.patch
25 - fix-import_one_mok_state.patch
26 - fix_arm64_rela_sections.patch
27 - relax_check_for_import_mok_state.patch
28 * Fix format strings for 32-bit builds
29 * Tweak setup for dh_auto_test so the tests work
30 * Add new build-dep on libefivar-dev for tests
32 -- Steve McIntyre <93sam@debian.org> Wed, 27 Apr 2022 22:50:08 +0100
34 shim (15.4-7) unstable; urgency=high
36 * Tweak how we call grub-install; don't abort on error. Not ideal
37 behaviour either, but don't break upgrades. Copy the behaviour
38 from the grub packages here. Closes: #990966
40 -- Steve McIntyre <93sam@debian.org> Mon, 12 Jul 2021 08:53:54 +0100
42 shim (15.4-6) unstable; urgency=high
44 * Add arm64 patch to tweak section layout and stop crashing
45 problems. Upstream issue #371. Closes: #990082, #990190
46 * In insecure mode, don't abort if we can't create the MokListXRT
47 variable. Upstream issue #372. Closes: #989962, #990158
49 -- Steve McIntyre <93sam@debian.org> Wed, 23 Jun 2021 19:03:54 +0100
51 shim (15.4-5) unstable; urgency=medium
53 * Add defensive code around calls to db_get. Don't fail if they
56 -- Steve McIntyre <93sam@debian.org> Thu, 06 May 2021 00:37:49 +0100
58 shim (15.4-4) unstable; urgency=medium
60 * Fix up those maintainer scripts - if we're not running on an EFI
61 system then exit cleanly.
63 -- Steve McIntyre <93sam@debian.org> Tue, 04 May 2021 17:53:21 +0100
65 shim (15.4-3) unstable; urgency=medium
67 * Add maintainer scripts to the template packages to manage
68 installing and removing fbXXX.efi and mmXXX.efi when we
69 install/remove the shim-helpers-$arch-signed packages.
72 -- Steve McIntyre <93sam@debian.org> Mon, 03 May 2021 20:48:49 +0100
74 shim (15.4-2) unstable; urgency=medium
76 * Add two further patches from upstream:
77 + fix import_one_mok_state() after split
78 + Don't call QueryVariableInfo() on EFI 1.10 machines (e.g. older
81 -- Steve McIntyre <93sam@debian.org> Wed, 21 Apr 2021 00:23:02 +0100
83 shim (15.4-1) unstable; urgency=medium
85 * New upstream release fixing more bugs: SBAT and arm64 support
86 * Print sha256 checksums of the EFI binaries when the build is done
87 * Add two patches from upstream:
88 + fix i386 binary relocations
89 + allocate MOK config table as BootServicesData
91 -- Steve McIntyre <93sam@debian.org> Wed, 31 Mar 2021 18:25:00 +0100
93 shim (15.3-3) unstable; urgency=medium
95 * Update the timestamp for the 15.3-2 upload.
96 * Only include the upstream version in the Debian SBAT metadata, so
97 we don't break reproducibility on every minor packaging change.
99 -- Steve McIntyre <93sam@debian.org> Wed, 24 Mar 2021 13:21:05 +0000
101 shim (15.3-2) unstable; urgency=medium
103 * Add missing build-dep on xxd for build-time unit tests
105 -- Steve McIntyre <93sam@debian.org> Wed, 24 Mar 2021 02:21:53 +0000
107 shim (15.3-1) unstable; urgency=medium
110 * Switch to much-newer release with many fixes
111 + Particularly pulling in SBAT changes for better revocation support
112 + Remove all our old patches, no longer needed:
113 - avoid_null_vsprint.patch
114 - check_null_sn_ln.patch
117 - use_compare_mem_gcc9.patch
118 + Now includes a vendor copy of gnu-efi with quite a few extra
120 + Update copyright file to cover these changes
121 * Switch to using gcc-10 rather than gcc-9. Closes: #978521
122 * Add dbx entries for all our existing grub binaries
123 + They're insecure, let's break the chainloading hole.
124 * Add Debian SBAT data
125 + Add a Debian SBAT template, and rules to use it
126 + Adds a build-dep on dos2unix
128 -- Steve McIntyre <93sam@debian.org> Tue, 23 Mar 2021 23:39:48 +0000
130 shim (15+1533136590.3beb971-10) unstable; urgency=medium
133 * Trim trailing whitespace.
134 * Use secure copyright file specification URI.
135 * debian/copyright: use spaces rather than tabs to start continuation
137 * Bump debhelper from old 11 to 12.
138 * Set debhelper-compat version in Build-Depends.
139 * Set upstream metadata fields: Bug-Database, Bug-Submit.
140 * Update standards version to 4.4.1, no changes needed.
143 * Trivial changes to generating the inbuilt dbx if we're using it.
144 * Upload to pick up rotated Debian signing keys
146 -- Steve McIntyre <93sam@debian.org> Fri, 24 Jul 2020 01:22:46 +0100
148 shim (15+1533136590.3beb971-9) unstable; urgency=medium
151 * In the -helpers-ARCH-signed packages, change the version
152 dependency on shim-unsigned to be >= and not =. This will allow
153 for installation to still work in the window while we wait for the
154 template package to do its second trip through the
155 archive. Closes: #955356
157 -- Steve McIntyre <93sam@debian.org> Mon, 30 Mar 2020 15:19:08 +0100
159 shim (15+1533136590.3beb971-8) unstable; urgency=medium
162 * Use --padding when calling pesign to generate hashes for the dbx
163 list, as recommended by Peter Jones. No actual changes needed in
164 our list of hashes at this point - they work out the same either
166 * Switch to using gcc-9 for builds, tweaking a patch from upstream
167 to fix a FTBFS. Closes: #925816
168 * Update debhelper compat level to 11 for shim and the
171 -- Steve McIntyre <93sam@debian.org> Tue, 24 Mar 2020 16:51:10 +0000
173 shim (15+1533136590.3beb971-7) unstable; urgency=medium
176 * debian/control: Update Vcs-* fields
179 * Backport needed crash fixes:
180 + VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls
181 + Fix OBJ_create() to tolerate a NULL sn and ln
182 * Build using gcc-7 to get better control of reproducibility during the
184 * Build in a dbx list to blacklist binaries that we know to not be
185 secure. Build-depend on a new (bug-fixed) version of pesign to
186 generate that list at build time, using a list of known bad hashes.
187 * Initial list of known bad hashes is just my personal test binary.
189 -- Steve McIntyre <93sam@debian.org> Wed, 08 May 2019 02:05:01 +0100
191 shim (15+1533136590.3beb971-6) unstable; urgency=medium
194 * Add Provides: and Breaks: to shim-helpers-$arch-signed to fix
195 clashes with the old shim-signed package for fbx64.efi.signed and
196 mmx64.efi.signed. Closes: #924619
199 * Fix FTCBFS: Set CROSS_COMPILE. (Closes: #922152)
201 -- Steve McIntyre <93sam@debian.org> Sat, 23 Mar 2019 18:19:13 +0000
203 shim (15+1533136590.3beb971-5) unstable; urgency=medium
206 * Correct maintainer address in signing template
209 * Remove Rules-Requires-Root in the signing template. We manually install
210 things owned by root. There might be better ways to do this, but this
213 -- Steve McIntyre <93sam@debian.org> Tue, 12 Mar 2019 01:38:19 +0000
215 shim (15+1533136590.3beb971-4) unstable; urgency=medium
218 * No-change sourceful upload to get rebuilds (and hence build logs) from
219 the buildds. Hoping to get this version signed by Microsoft, so let's
220 make our setup as clean as possible.
222 -- Steve McIntyre <93sam@debian.org> Sat, 09 Mar 2019 22:24:23 +0000
224 shim (15+1533136590.3beb971-3) unstable; urgency=medium
227 * debian/rules: fixing permissions no longer required
228 * debian/rules: Disable ephemeral key on Debian.
229 * Rename binary package to 'shim-unsigned'
230 * Add template for signing {mm,fb}$ARCH.efi. (Closes: #922228)
233 * Override lintian error about template rules file.
234 * Include /usr/share/dpkg/architecture.mk instead of shelling out.
235 * Add uname.patch to avoid embedding the kernel architecture in the
236 binary and to use a fixed string instead.
239 * Change maintenance address to be the EFI team
240 * Add me and vorlon to the Uploaders list
241 * Rename the helper binary packages to shim-helpers-$arch.
242 * Update the signing-template JSON metadata to match new practice:
243 + Move all the data under a new top-level "packages" key
244 + Add an empty "trusted_certs" key - the helper binaries do not do any
245 further verification with an embedded key.
247 -- Steve McIntyre <93sam@debian.org> Fri, 08 Mar 2019 21:59:43 +0000
249 shim (15+1533136590.3beb971-2) unstable; urgency=medium
251 * Update debian/watch.
252 * Update VCS to point to salsa.
253 * Fix debian/rules syntax for arm64 build.
254 * Enable build for i386.
255 * Ensure DEB_HOST_ARCH is set even if not present in the environment.
256 * Update Standards-Version.
257 * Update debian/copyright (drop reference to file no longer in source)
259 -- Steve Langasek <vorlon@debian.org> Mon, 11 Feb 2019 05:18:18 +0000
261 shim (15+1533136590.3beb971-1) unstable; urgency=medium
263 * New upstream release.
264 - debian/patches/second-stage-path: dropped; the default loader path now
265 includes an arch suffix.
266 - debian/patches/sbsigntool-no-pesign: dropped; no longer needed.
267 * Drop remaining patches that were not being applied.
268 * Sync packaging from Ubuntu:
269 - debian/copyright: Update upstream source location.
270 - debian/control: add a Build-Depends on libelf-dev.
271 - Enable arm64 build.
272 - debian/patches/fixup_git.patch: don't run git in clean; we're not
273 really in a git tree.
274 - debian/rules, debian/shim.install: use the upstream install target as
275 intended, and move files to the target directory using dh_install.
276 - define RELEASE and COMMIT_ID for the snapshot.
277 - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
278 - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
279 options: set MAKELEVEL.
280 - Define an EFI_ARCH variable, and use that for paths to shim. This
281 makes it possible to build a shim for other architectures than amd64.
282 - Set EFIDIR=$distro for dh_auto_install; that will let files be installed
283 in the "right" final directories, and makes boot.csv for us.
284 - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
285 at compile-time for MokManager and fallback.
286 - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
289 -- Steve Langasek <vorlon@debian.org> Sat, 09 Feb 2019 07:23:19 +0000
291 shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium
294 * Initial Debian upload. Closes: #820052.
295 * Update Standards-Version.
296 * Embed the newly-minted Debian CA certificate.
297 * Vendorize debian/rules so that the same package can be used in both
298 Debian and Ubuntu without modification.
299 * Fix debian/copyright to match the spec (last match wins, not first)
300 * Fix shim.efi to not be executable.
302 * Support parallel builds, because eh why not
304 * Resync with Ubuntu, including patch to fix debian/copyright.
307 * Add some missing copyright holders in d/copyright, update
308 Upstream-Contact. Thanks to Helen Koike for the help.
310 -- Julien Cristau <jcristau@debian.org> Sat, 15 Oct 2016 15:17:34 +0200
312 shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium
315 * debian/copyright: add OpenSSL license
317 [ Mathieu Trudel-Lapierre ]
318 * New upstream release.
319 * debian/copyright: patches should be BSD, like the rest of the upstream
321 * debian/patches/unused-variable: dropped; applied upstream.
322 * debian/patches/binutils-version-matching: dropped, fixed upstream.
323 * debian/shim.install: built EFI binaries were renamed; update our install
324 file to properly pick up shim (shim$arch), MokManager (mm$arch), and
327 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Wed, 21 Sep 2016 20:29:44 -0400
329 shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium
331 * New upstream release.
332 - Better handle LoadOptions. (LP: #1581299)
333 - Measure state and second stage in TPM.
334 - Mirror MokSBState in runtime as MokSBStateRT.
335 - Fix failure to build with GCC 5. (LP: #1429978)
336 - Various bug fixes and other improvements.
340 + sbsigntool-not-pesign
341 * debian/patches/unused-variable: remove unused variable size.
342 * debian/patches/binutils-version-matching: revert d9a4c912 to correctly
343 match objcopy's version on Ubuntu.
344 * debian/copyright: update copyright for patches.
346 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 26 Jul 2016 16:48:32 -0400
348 shim (0.8-0ubuntu2) wily; urgency=medium
350 * No-change rebuild against gnu-efi 3.0v-5ubuntu1.
352 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 12 May 2015 17:48:30 +0000
354 shim (0.8-0ubuntu1) wily; urgency=medium
356 * New upstream release.
357 - Clarify meaning of insecure_mode. (LP: #1384973)
358 * debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,
359 debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included
360 in the upstream release.
361 * debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path:
364 -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com> Mon, 11 May 2015 19:50:49 -0400
366 shim (0.7-0ubuntu4) utopic; urgency=medium
368 * SECURITY UPDATE: heap overflow and out-of-bounds read access when
369 parsing DHCPv6 information
370 - debian/patches/CVE-2014-3675.patch: apply proper bounds checking
371 when parsing data provided in DHCPv6 packets.
374 * SECURITY UPDATE: memory corruption when processing user-provided key
376 - debian/patches/CVE-2014-3677.patch: detect malformed machine owner
377 key (MOK) lists and ignore them, avoiding possible memory corruption.
380 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 08 Oct 2014 06:40:40 +0000
382 shim (0.7-0ubuntu2) utopic; urgency=medium
384 * Restore debian/patches/prototypes, which still is needed on shim 0.7
385 but only detected on the buildds.
386 * Update debian/patches/prototypes with some new declarations needed for
387 openssl 0.9.8za update.
389 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 16:20:08 -0700
391 shim (0.7-0ubuntu1) utopic; urgency=medium
393 * New upstream release.
394 - fix spurious error message when fallback.efi is not present, as will
395 always be the case for removable media. LP: #1297069.
396 - drop most patches, included upstream.
397 * debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick
398 openssl 0.9.8za in via upstream.
400 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 05:40:41 +0000
402 shim (0.4-0ubuntu5) utopic; urgency=low
404 * Install fallback.efi.signed as well, to lay the groundwork for fallback
405 handling (wanted when we have to move a drive between machines, or when
406 the firmware loses its marbles^W nvram).
408 -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 04 Aug 2014 12:11:13 +0200
410 shim (0.4-0ubuntu4) saucy; urgency=low
412 * debian/patches/fix-tftp-prototype: pass the right arguments to
413 EFI_PXE_BASE_CODE_TFTP_READ_FILE.
414 * debian/patches/build-with-Werror: Build with -Werror to catch future
415 prototype mismatches.
416 * debian/patches/fix-compiler-warnings: Fix remaining compiler
417 warnings in netboot.c.
418 * debian/patches/tftp-proper-nul-termination: fix nul termination
419 errors in filenames passed to tftp.
420 * debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to
423 -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 23 Sep 2013 00:30:00 -0700
425 shim (0.4-0ubuntu3) saucy; urgency=low
428 * Install MokManager.efi.signed in the package.
429 * debian/patches/no-output-by-default.patch: Don't print any
430 informational messages. Closes LP: #1074302.
433 * debian/patches/no-print-on-unsigned: Don't print an error message when
434 validating an unsigned binary as that tends to hang Lenovo machines.
437 -- Stéphane Graber <stgraber@ubuntu.com> Thu, 08 Aug 2013 17:12:12 +0200
439 shim (0.4-0ubuntu2) saucy; urgency=low
441 * Add missing build-dependency on openssl.
443 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 20:30:43 +0000
445 shim (0.4-0ubuntu1) saucy; urgency=low
447 * New upstream release.
448 * Drop debian/patches/shim-before-loadimage; upstream has changed this to
449 not call loadimage at all.
450 * debian/patches/sbsigntool-not-pesign: Sign MokManager with
451 sbsigntool instead of pesign.
452 * Add a versioned build-dependency on gnu-efi.
454 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 12:53:24 -0700
456 shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low
458 * debian/patches/shim-before-loadimage: Use direct verification first
459 before LoadImage. Addresses an issue where Lenovo's SecureBoot
460 implementation pops an error message on any verification failure - avoid
461 calling LoadImage at all unless we have to.
463 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 10 Oct 2012 15:28:40 -0700
465 shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low
467 * debian/patches/second-stage-path: Chainload grubx64.efi, not
470 -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 05 Oct 2012 11:20:58 -0700
472 shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low
474 * debian/patches/prototypes: Include missing prototypes, and disable
476 * Only build the package for amd64; we're not signing an i386 shim at this
477 stage so there's no point in building it.
479 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 17:47:04 +0000
481 shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low
484 * Include the Canonical Secure Boot master CA.
486 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 00:01:06 -0700