1 shim (15.4-6) UNRELEASED; urgency=high
3 * Add arm64 patch to tweak section layout and stop crashing
4 problems. Upstream issue #371. Closes: #990082, #990190
5 * In insecure mode, don't abort if we can't create the MokListXRT
6 variable. Upstream issue #372. Closes: #989962, #990158
8 -- Steve McIntyre <93sam@debian.org> Tue, 22 Jun 2021 22:16:54 +0100
10 shim (15.4-5) unstable; urgency=medium
12 * Add defensive code around calls to db_get. Don't fail if they
15 -- Steve McIntyre <93sam@debian.org> Thu, 06 May 2021 00:37:49 +0100
17 shim (15.4-4) unstable; urgency=medium
19 * Fix up those maintainer scripts - if we're not running on an EFI
20 system then exit cleanly.
22 -- Steve McIntyre <93sam@debian.org> Tue, 04 May 2021 17:53:21 +0100
24 shim (15.4-3) unstable; urgency=medium
26 * Add maintainer scripts to the template packages to manage
27 installing and removing fbXXX.efi and mmXXX.efi when we
28 install/remove the shim-helpers-$arch-signed packages.
31 -- Steve McIntyre <93sam@debian.org> Mon, 03 May 2021 20:48:49 +0100
33 shim (15.4-2) unstable; urgency=medium
35 * Add two further patches from upstream:
36 + fix import_one_mok_state() after split
37 + Don't call QueryVariableInfo() on EFI 1.10 machines (e.g. older
40 -- Steve McIntyre <93sam@debian.org> Wed, 21 Apr 2021 00:23:02 +0100
42 shim (15.4-1) unstable; urgency=medium
44 * New upstream release fixing more bugs: SBAT and arm64 support
45 * Print sha256 checksums of the EFI binaries when the build is done
46 * Add two patches from upstream:
47 + fix i386 binary relocations
48 + allocate MOK config table as BootServicesData
50 -- Steve McIntyre <93sam@debian.org> Wed, 31 Mar 2021 18:25:00 +0100
52 shim (15.3-3) unstable; urgency=medium
54 * Update the timestamp for the 15.3-2 upload.
55 * Only include the upstream version in the Debian SBAT metadata, so
56 we don't break reproducibility on every minor packaging change.
58 -- Steve McIntyre <93sam@debian.org> Wed, 24 Mar 2021 13:21:05 +0000
60 shim (15.3-2) unstable; urgency=medium
62 * Add missing build-dep on xxd for build-time unit tests
64 -- Steve McIntyre <93sam@debian.org> Wed, 24 Mar 2021 02:21:53 +0000
66 shim (15.3-1) unstable; urgency=medium
69 * Switch to much-newer release with many fixes
70 + Particularly pulling in SBAT changes for better revocation support
71 + Remove all our old patches, no longer needed:
72 - avoid_null_vsprint.patch
73 - check_null_sn_ln.patch
76 - use_compare_mem_gcc9.patch
77 + Now includes a vendor copy of gnu-efi with quite a few extra
79 + Update copyright file to cover these changes
80 * Switch to using gcc-10 rather than gcc-9. Closes: #978521
81 * Add dbx entries for all our existing grub binaries
82 + They're insecure, let's break the chainloading hole.
83 * Add Debian SBAT data
84 + Add a Debian SBAT template, and rules to use it
85 + Adds a build-dep on dos2unix
87 -- Steve McIntyre <93sam@debian.org> Tue, 23 Mar 2021 23:39:48 +0000
89 shim (15+1533136590.3beb971-10) unstable; urgency=medium
92 * Trim trailing whitespace.
93 * Use secure copyright file specification URI.
94 * debian/copyright: use spaces rather than tabs to start continuation
96 * Bump debhelper from old 11 to 12.
97 * Set debhelper-compat version in Build-Depends.
98 * Set upstream metadata fields: Bug-Database, Bug-Submit.
99 * Update standards version to 4.4.1, no changes needed.
102 * Trivial changes to generating the inbuilt dbx if we're using it.
103 * Upload to pick up rotated Debian signing keys
105 -- Steve McIntyre <93sam@debian.org> Fri, 24 Jul 2020 01:22:46 +0100
107 shim (15+1533136590.3beb971-9) unstable; urgency=medium
110 * In the -helpers-ARCH-signed packages, change the version
111 dependency on shim-unsigned to be >= and not =. This will allow
112 for installation to still work in the window while we wait for the
113 template package to do its second trip through the
114 archive. Closes: #955356
116 -- Steve McIntyre <93sam@debian.org> Mon, 30 Mar 2020 15:19:08 +0100
118 shim (15+1533136590.3beb971-8) unstable; urgency=medium
121 * Use --padding when calling pesign to generate hashes for the dbx
122 list, as recommended by Peter Jones. No actual changes needed in
123 our list of hashes at this point - they work out the same either
125 * Switch to using gcc-9 for builds, tweaking a patch from upstream
126 to fix a FTBFS. Closes: #925816
127 * Update debhelper compat level to 11 for shim and the
130 -- Steve McIntyre <93sam@debian.org> Tue, 24 Mar 2020 16:51:10 +0000
132 shim (15+1533136590.3beb971-7) unstable; urgency=medium
135 * debian/control: Update Vcs-* fields
138 * Backport needed crash fixes:
139 + VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls
140 + Fix OBJ_create() to tolerate a NULL sn and ln
141 * Build using gcc-7 to get better control of reproducibility during the
143 * Build in a dbx list to blacklist binaries that we know to not be
144 secure. Build-depend on a new (bug-fixed) version of pesign to
145 generate that list at build time, using a list of known bad hashes.
146 * Initial list of known bad hashes is just my personal test binary.
148 -- Steve McIntyre <93sam@debian.org> Wed, 08 May 2019 02:05:01 +0100
150 shim (15+1533136590.3beb971-6) unstable; urgency=medium
153 * Add Provides: and Breaks: to shim-helpers-$arch-signed to fix
154 clashes with the old shim-signed package for fbx64.efi.signed and
155 mmx64.efi.signed. Closes: #924619
158 * Fix FTCBFS: Set CROSS_COMPILE. (Closes: #922152)
160 -- Steve McIntyre <93sam@debian.org> Sat, 23 Mar 2019 18:19:13 +0000
162 shim (15+1533136590.3beb971-5) unstable; urgency=medium
165 * Correct maintainer address in signing template
168 * Remove Rules-Requires-Root in the signing template. We manually install
169 things owned by root. There might be better ways to do this, but this
172 -- Steve McIntyre <93sam@debian.org> Tue, 12 Mar 2019 01:38:19 +0000
174 shim (15+1533136590.3beb971-4) unstable; urgency=medium
177 * No-change sourceful upload to get rebuilds (and hence build logs) from
178 the buildds. Hoping to get this version signed by Microsoft, so let's
179 make our setup as clean as possible.
181 -- Steve McIntyre <93sam@debian.org> Sat, 09 Mar 2019 22:24:23 +0000
183 shim (15+1533136590.3beb971-3) unstable; urgency=medium
186 * debian/rules: fixing permissions no longer required
187 * debian/rules: Disable ephemeral key on Debian.
188 * Rename binary package to 'shim-unsigned'
189 * Add template for signing {mm,fb}$ARCH.efi. (Closes: #922228)
192 * Override lintian error about template rules file.
193 * Include /usr/share/dpkg/architecture.mk instead of shelling out.
194 * Add uname.patch to avoid embedding the kernel architecture in the
195 binary and to use a fixed string instead.
198 * Change maintenance address to be the EFI team
199 * Add me and vorlon to the Uploaders list
200 * Rename the helper binary packages to shim-helpers-$arch.
201 * Update the signing-template JSON metadata to match new practice:
202 + Move all the data under a new top-level "packages" key
203 + Add an empty "trusted_certs" key - the helper binaries do not do any
204 further verification with an embedded key.
206 -- Steve McIntyre <93sam@debian.org> Fri, 08 Mar 2019 21:59:43 +0000
208 shim (15+1533136590.3beb971-2) unstable; urgency=medium
210 * Update debian/watch.
211 * Update VCS to point to salsa.
212 * Fix debian/rules syntax for arm64 build.
213 * Enable build for i386.
214 * Ensure DEB_HOST_ARCH is set even if not present in the environment.
215 * Update Standards-Version.
216 * Update debian/copyright (drop reference to file no longer in source)
218 -- Steve Langasek <vorlon@debian.org> Mon, 11 Feb 2019 05:18:18 +0000
220 shim (15+1533136590.3beb971-1) unstable; urgency=medium
222 * New upstream release.
223 - debian/patches/second-stage-path: dropped; the default loader path now
224 includes an arch suffix.
225 - debian/patches/sbsigntool-no-pesign: dropped; no longer needed.
226 * Drop remaining patches that were not being applied.
227 * Sync packaging from Ubuntu:
228 - debian/copyright: Update upstream source location.
229 - debian/control: add a Build-Depends on libelf-dev.
230 - Enable arm64 build.
231 - debian/patches/fixup_git.patch: don't run git in clean; we're not
232 really in a git tree.
233 - debian/rules, debian/shim.install: use the upstream install target as
234 intended, and move files to the target directory using dh_install.
235 - define RELEASE and COMMIT_ID for the snapshot.
236 - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
237 - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
238 options: set MAKELEVEL.
239 - Define an EFI_ARCH variable, and use that for paths to shim. This
240 makes it possible to build a shim for other architectures than amd64.
241 - Set EFIDIR=$distro for dh_auto_install; that will let files be installed
242 in the "right" final directories, and makes boot.csv for us.
243 - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
244 at compile-time for MokManager and fallback.
245 - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
248 -- Steve Langasek <vorlon@debian.org> Sat, 09 Feb 2019 07:23:19 +0000
250 shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium
253 * Initial Debian upload. Closes: #820052.
254 * Update Standards-Version.
255 * Embed the newly-minted Debian CA certificate.
256 * Vendorize debian/rules so that the same package can be used in both
257 Debian and Ubuntu without modification.
258 * Fix debian/copyright to match the spec (last match wins, not first)
259 * Fix shim.efi to not be executable.
261 * Support parallel builds, because eh why not
263 * Resync with Ubuntu, including patch to fix debian/copyright.
266 * Add some missing copyright holders in d/copyright, update
267 Upstream-Contact. Thanks to Helen Koike for the help.
269 -- Julien Cristau <jcristau@debian.org> Sat, 15 Oct 2016 15:17:34 +0200
271 shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium
274 * debian/copyright: add OpenSSL license
276 [ Mathieu Trudel-Lapierre ]
277 * New upstream release.
278 * debian/copyright: patches should be BSD, like the rest of the upstream
280 * debian/patches/unused-variable: dropped; applied upstream.
281 * debian/patches/binutils-version-matching: dropped, fixed upstream.
282 * debian/shim.install: built EFI binaries were renamed; update our install
283 file to properly pick up shim (shim$arch), MokManager (mm$arch), and
286 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Wed, 21 Sep 2016 20:29:44 -0400
288 shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium
290 * New upstream release.
291 - Better handle LoadOptions. (LP: #1581299)
292 - Measure state and second stage in TPM.
293 - Mirror MokSBState in runtime as MokSBStateRT.
294 - Fix failure to build with GCC 5. (LP: #1429978)
295 - Various bug fixes and other improvements.
299 + sbsigntool-not-pesign
300 * debian/patches/unused-variable: remove unused variable size.
301 * debian/patches/binutils-version-matching: revert d9a4c912 to correctly
302 match objcopy's version on Ubuntu.
303 * debian/copyright: update copyright for patches.
305 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 26 Jul 2016 16:48:32 -0400
307 shim (0.8-0ubuntu2) wily; urgency=medium
309 * No-change rebuild against gnu-efi 3.0v-5ubuntu1.
311 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 12 May 2015 17:48:30 +0000
313 shim (0.8-0ubuntu1) wily; urgency=medium
315 * New upstream release.
316 - Clarify meaning of insecure_mode. (LP: #1384973)
317 * debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,
318 debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included
319 in the upstream release.
320 * debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path:
323 -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com> Mon, 11 May 2015 19:50:49 -0400
325 shim (0.7-0ubuntu4) utopic; urgency=medium
327 * SECURITY UPDATE: heap overflow and out-of-bounds read access when
328 parsing DHCPv6 information
329 - debian/patches/CVE-2014-3675.patch: apply proper bounds checking
330 when parsing data provided in DHCPv6 packets.
333 * SECURITY UPDATE: memory corruption when processing user-provided key
335 - debian/patches/CVE-2014-3677.patch: detect malformed machine owner
336 key (MOK) lists and ignore them, avoiding possible memory corruption.
339 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 08 Oct 2014 06:40:40 +0000
341 shim (0.7-0ubuntu2) utopic; urgency=medium
343 * Restore debian/patches/prototypes, which still is needed on shim 0.7
344 but only detected on the buildds.
345 * Update debian/patches/prototypes with some new declarations needed for
346 openssl 0.9.8za update.
348 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 16:20:08 -0700
350 shim (0.7-0ubuntu1) utopic; urgency=medium
352 * New upstream release.
353 - fix spurious error message when fallback.efi is not present, as will
354 always be the case for removable media. LP: #1297069.
355 - drop most patches, included upstream.
356 * debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick
357 openssl 0.9.8za in via upstream.
359 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 05:40:41 +0000
361 shim (0.4-0ubuntu5) utopic; urgency=low
363 * Install fallback.efi.signed as well, to lay the groundwork for fallback
364 handling (wanted when we have to move a drive between machines, or when
365 the firmware loses its marbles^W nvram).
367 -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 04 Aug 2014 12:11:13 +0200
369 shim (0.4-0ubuntu4) saucy; urgency=low
371 * debian/patches/fix-tftp-prototype: pass the right arguments to
372 EFI_PXE_BASE_CODE_TFTP_READ_FILE.
373 * debian/patches/build-with-Werror: Build with -Werror to catch future
374 prototype mismatches.
375 * debian/patches/fix-compiler-warnings: Fix remaining compiler
376 warnings in netboot.c.
377 * debian/patches/tftp-proper-nul-termination: fix nul termination
378 errors in filenames passed to tftp.
379 * debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to
382 -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 23 Sep 2013 00:30:00 -0700
384 shim (0.4-0ubuntu3) saucy; urgency=low
387 * Install MokManager.efi.signed in the package.
388 * debian/patches/no-output-by-default.patch: Don't print any
389 informational messages. Closes LP: #1074302.
392 * debian/patches/no-print-on-unsigned: Don't print an error message when
393 validating an unsigned binary as that tends to hang Lenovo machines.
396 -- Stéphane Graber <stgraber@ubuntu.com> Thu, 08 Aug 2013 17:12:12 +0200
398 shim (0.4-0ubuntu2) saucy; urgency=low
400 * Add missing build-dependency on openssl.
402 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 20:30:43 +0000
404 shim (0.4-0ubuntu1) saucy; urgency=low
406 * New upstream release.
407 * Drop debian/patches/shim-before-loadimage; upstream has changed this to
408 not call loadimage at all.
409 * debian/patches/sbsigntool-not-pesign: Sign MokManager with
410 sbsigntool instead of pesign.
411 * Add a versioned build-dependency on gnu-efi.
413 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 12:53:24 -0700
415 shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low
417 * debian/patches/shim-before-loadimage: Use direct verification first
418 before LoadImage. Addresses an issue where Lenovo's SecureBoot
419 implementation pops an error message on any verification failure - avoid
420 calling LoadImage at all unless we have to.
422 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 10 Oct 2012 15:28:40 -0700
424 shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low
426 * debian/patches/second-stage-path: Chainload grubx64.efi, not
429 -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 05 Oct 2012 11:20:58 -0700
431 shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low
433 * debian/patches/prototypes: Include missing prototypes, and disable
435 * Only build the package for amd64; we're not signing an i386 shim at this
436 stage so there's no point in building it.
438 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 17:47:04 +0000
440 shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low
443 * Include the Canonical Secure Boot master CA.
445 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 00:01:06 -0700