git.proxmox.com Git - efi-boot-shim.git/log
Steve McIntyre [Sat, 4 May 2024 13:21:09 +0000 (14:21 +0100)]
Release 15.8-1~deb12u1 for bookworm
Steve McIntyre [Fri, 3 May 2024 15:18:29 +0000 (16:18 +0100)]
Update version for bookworm
Steve McIntyre [Fri, 3 May 2024 13:46:24 +0000 (14:46 +0100)]
Force usage of newest revocations at build time
Force shim to use the latest revocations by default to block some
older grub / peimage issues. This is:
"shim,4\ngrub,4\ngrub.peimage,2\n"
This should work with the current released grub builds in all of
buster, bullseye, bookworm and trixie/unstable. Let's not leave known
security holes in the wild.
Steve McIntyre [Thu, 25 Apr 2024 23:58:46 +0000 (00:58 +0100)]
Cherry-pick latest grub revocation patches from upstream shim
0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
Steve McIntyre [Thu, 25 Apr 2024 21:42:28 +0000 (22:42 +0100)]
Log if the build is nx-compatible or not
Add a new simple script to do this: check_nx
Steve McIntyre [Sun, 21 Apr 2024 17:15:46 +0000 (18:15 +0100)]
Switch to 15.8 upstream and drop patches
Steve McIntyre [Sat, 17 Feb 2024 17:35:37 +0000 (17:35 +0000)]
New upstream version 15.8
Steve McIntyre [Sat, 17 Feb 2024 17:19:57 +0000 (17:19 +0000)]
Tweak the UUID handling to be clearer
Bastien Roucariès [Thu, 2 May 2024 14:05:24 +0000 (14:05 +0000)]
Add salsa-ci.yml
Steve McIntyre [Mon, 29 Apr 2024 09:59:09 +0000 (09:59 +0000)]
Merge branch 'fixes20240429' into 'master'
Apply multi-arch hints. + shim-unsigned: Add Multi-Arch: same.
See merge request efi-team/shim!15
Bastien Roucariès [Mon, 29 Apr 2024 09:56:29 +0000 (09:56 +0000)]
Add changelog entry
Bastien Roucariès [Mon, 15 Apr 2024 08:58:49 +0000 (08:58 +0000)]
Add verification of upstream release
Bastien Roucariès [Mon, 15 Apr 2024 08:33:18 +0000 (08:33 +0000)]
Fix d/watch
Bastien Roucariès [Mon, 15 Apr 2024 08:26:53 +0000 (08:26 +0000)]
Closes: #936009
Debian Janitor [Mon, 6 Mar 2023 12:07:42 +0000 (12:07 +0000)]
Apply multi-arch hints. + shim-unsigned: Add Multi-Arch: same.
Changes-By: apply-multiarch-hints
Steve McIntyre [Wed, 17 Apr 2024 20:21:14 +0000 (20:21 +0000)]
Merge branch 'tests' into 'master'
Tests
See merge request efi-team/shim!14
Bastien Roucariès [Tue, 16 Apr 2024 09:21:04 +0000 (09:21 +0000)]
Add machine smm=on
Bastien Roucariès [Mon, 15 Apr 2024 15:59:28 +0000 (15:59 +0000)]
Fix test failure
Bastien Roucariès [Mon, 15 Apr 2024 14:59:47 +0000 (14:59 +0000)]
Fix deprecation warnings
Bastien Roucariès [Mon, 15 Apr 2024 14:54:14 +0000 (14:54 +0000)]
Use popen for lsb_release
Bastien Roucariès [Mon, 15 Apr 2024 14:35:45 +0000 (14:35 +0000)]
Fix depends
Bastien Roucariès [Mon, 15 Apr 2024 14:16:07 +0000 (14:16 +0000)]
Update changelog
Bastien Roucariès [Mon, 15 Apr 2024 14:11:26 +0000 (14:11 +0000)]
Port to debian
Bastien Roucariès [Mon, 15 Apr 2024 14:06:23 +0000 (14:06 +0000)]
Add ubuntu test
Steve McIntyre [Sat, 20 Jan 2024 22:40:27 +0000 (22:40 +0000)]
generate_dbx_list: pick a fixed UUID
otherwise our build won't be reproducible, doh!
Steve McIntyre [Wed, 1 Nov 2023 23:37:50 +0000 (23:37 +0000)]
Tweak building with pesign changes
We used to use efisiglist to generate the DBX list. Newer versions of
the pesign package don't include it any more, and the recommended
replacement tool is now efisecdb from efivar. Tweak the
generate_dbx_list script to work with both old and new. Let's make
backports easy...
Steve McIntyre [Tue, 31 Jan 2023 10:18:29 +0000 (10:18 +0000)]
Release 15.7-1
Steve McIntyre [Mon, 30 Jan 2023 18:12:20 +0000 (18:12 +0000)]
Switch to using the upstream "enable NX" patch
Steve McIntyre [Sun, 29 Jan 2023 23:35:03 +0000 (23:35 +0000)]
Block Debian grub binaries with sbat < 4 (see #1024617)
Steve McIntyre [Tue, 24 Jan 2023 22:37:23 +0000 (22:37 +0000)]
Enable NX support at build time
As required by policy for signing new shim binaries.
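The check_nx script mentioned in "Log if the build is nx-compatible or not" and the "Enable NX support at build time" commit above both come down to one PE header bit: IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100) in the optional header's DllCharacteristics field. As an added example, not the project's check_nx script and not code from shim or the Debian packaging, here is a Python reader that reports that bit and lists the section table the way a build log would want it. make_sample_pe() is a constructed PE32+ fixture so the module runs offline; it is not a real shim build.

```python
"""Added example, not code from shim or the Debian packaging: a small PE/COFF
header reader that does what a check_nx-style script needs, namely report
whether an EFI binary carries IMAGE_DLLCHARACTERISTICS_NX_COMPAT, and list
its section table.  make_sample_pe() builds a constructed PE32+ fixture so
the module runs offline; it is not a real shim build."""
from __future__ import annotations

import struct
import sys

IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_SUBSYSTEM_EFI_APPLICATION = 10


def parse_pe(data: bytes) -> dict:
    """Return the COFF/optional header fields we care about plus the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    # Subsystem (offset 68) and DllCharacteristics (offset 70) sit at the same
    # offsets in PE32 and PE32+; only the fields after them differ in width.
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i           # section headers follow the optional header
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, schars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
            "rawptr": rawptr, "characteristics": schars,
        })
    return {"machine": machine, "magic": magic, "subsystem": subsystem,
            "dll_characteristics": dll_chars, "sections": sections}


def is_nx_compatible(data: bytes) -> bool:
    """True when the image declares NX compatibility, as the signing policy requires."""
    return bool(parse_pe(data)["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)


def section_data(data: bytes, name: str) -> bytes | None:
    """Raw file bytes of the named section (for example '.sbat'), or None if absent."""
    for s in parse_pe(data)["sections"]:
        if s["name"] == name:
            return data[s["rawptr"]:s["rawptr"] + s["rawsize"]]
    return None


def report(data: bytes) -> list[str]:
    """Lines in the spirit of `objdump -h`, preceded by the NX verdict."""
    pe = parse_pe(data)
    lines = [f"NX compatible: {'yes' if is_nx_compatible(data) else 'NO'}",
             "Idx Name      VSize     VMA       RawSize   FileOff"]
    for i, s in enumerate(pe["sections"]):
        lines.append(f"{i:3d} {s['name']:<9} {s['vsize']:08x}  {s['vaddr']:08x}  "
                     f"{s['rawsize']:08x}  {s['rawptr']:08x}")
    return lines


def make_sample_pe(nx: bool, sbat: bytes) -> bytes:
    """Constructed fixture: a tiny x86-64 PE32+ EFI image with .text and .sbat sections."""
    opt = bytearray(240)                           # PE32+ optional header size
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 36, 0x200)         # FileAlignment
    struct.pack_into("<I", opt, 60, 0x200)         # SizeOfHeaders
    struct.pack_into("<HH", opt, 68, IMAGE_SUBSYSTEM_EFI_APPLICATION,
                     IMAGE_DLLCHARACTERISTICS_NX_COMPAT if nx else 0)
    struct.pack_into("<I", opt, 108, 16)           # NumberOfRvaAndSizes

    def sect(name: bytes, vaddr: int, rawptr: int, chars: int) -> bytes:
        return struct.pack("<8sIIIIIIHHI", name, 0x200, vaddr, 0x200, rawptr, 0, 0, 0, 0, chars)

    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x8664, 2, 0, 0, 0, len(opt), 0x0022)
    hdr[0x58:0x58 + len(opt)] = opt                          # 0x44 + 20 == 0x58
    hdr[0x148:0x148 + 80] = (sect(b".text", 0x1000, 0x200, 0x60000020)
                             + sect(b".sbat", 0x2000, 0x400, 0x40000040))
    text = b"\xc3".ljust(0x200, b"\0")                       # a single `ret`, padded
    return bytes(hdr) + text + sbat.ljust(0x200, b"\0")


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_pe(True, b"sbat,1\n")
    print("\n".join(report(image)))
```

Run it against a real build output (for example `python3 check_nx.py build-x64/shimx64.efi`) and it prints the section table and the NX verdict; with no argument it runs on the constructed fixture. The reader deliberately stops at the header: it does not validate the Authenticode signature or the loader's view of the image, only the flag the signing policy asks for.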
Steve McIntyre [Sun, 22 Jan 2023 15:12:23 +0000 (15:12 +0000)]
Update upstream commit hash in build
We're using 657b2483ca6e9fcf2ad8ac7ee577ff546d24c3aa, which is the
15.7 release plus the one patch we're applying.
Steve McIntyre [Sun, 22 Jan 2023 14:06:29 +0000 (14:06 +0000)]
Update to Standards-Version 4.6.2 (no changes needed)
Steve McIntyre [Sun, 22 Jan 2023 14:02:25 +0000 (14:02 +0000)]
Switch to using gcc-12
Closes: #1022180
Steve McIntyre [Sun, 22 Jan 2023 13:14:06 +0000 (13:14 +0000)]
Switch to new upstream (15.7)
Also import patch to deal with buggy binutils
Steve McIntyre [Sun, 22 Jan 2023 13:05:11 +0000 (13:05 +0000)]
Update upstream source from tag 'upstream/15.7'
Update to upstream version '15.7'
with Debian dir f802105ae061241b13ab962854f56388092fc703
Steve McIntyre [Sun, 22 Jan 2023 13:05:10 +0000 (13:05 +0000)]
New upstream version 15.7
Steve McIntyre [Thu, 21 Jul 2022 12:04:36 +0000 (13:04 +0100)]
Release 15.6-1
Steve McIntyre [Wed, 22 Jun 2022 23:23:21 +0000 (00:23 +0100)]
Start packaging updates for the new 15.6 upstream release
Remove all our patches, all upstream now
Steve McIntyre [Wed, 22 Jun 2022 23:16:56 +0000 (00:16 +0100)]
New upstream version 15.6
Steve McIntyre [Wed, 22 Jun 2022 23:16:56 +0000 (00:16 +0100)]
Update upstream source from tag 'upstream/15.6'
Update to upstream version '15.6'
with Debian dir 952ad3d5a92a2003f3496a79d1875a951c255396
Steve McIntyre [Sun, 1 May 2022 18:17:48 +0000 (19:17 +0100)]
Update the 32-bit format patch after upstream review
Steve McIntyre [Thu, 28 Apr 2022 11:51:50 +0000 (12:51 +0100)]
Add patch headers for our patches now I've pushed PRs
Steve McIntyre [Wed, 27 Apr 2022 23:53:26 +0000 (00:53 +0100)]
Try again on the string format fix
Steve McIntyre [Wed, 27 Apr 2022 23:47:27 +0000 (00:47 +0100)]
Fix format strings for 32-bit builds
Steve McIntyre [Wed, 27 Apr 2022 23:19:27 +0000 (00:19 +0100)]
Add new build-dep on libefivar-dev for tests
Steve McIntyre [Wed, 27 Apr 2022 22:15:28 +0000 (23:15 +0100)]
Try again with includes
Steve McIntyre [Wed, 27 Apr 2022 22:15:28 +0000 (23:15 +0100)]
Tweak setup for dh_auto_test so the tests work
Steve McIntyre [Wed, 27 Apr 2022 21:50:33 +0000 (22:50 +0100)]
Start packaging updates for the new 15.51 upstream release
Remove all our patches, all upstream now.
Steve McIntyre [Wed, 27 Apr 2022 21:41:59 +0000 (22:41 +0100)]
New upstream version 15.5
Steve McIntyre [Wed, 27 Apr 2022 21:41:59 +0000 (22:41 +0100)]
Update upstream source from tag 'upstream/15.5'
Update to upstream version '15.5'
with Debian dir 3ac353daa3d32301e3b225b2b6f446200a2c682f
Steve McIntyre [Mon, 12 Jul 2021 08:51:50 +0000 (09:51 +0100)]
Tweak how we call grub-install; don't abort on error
Not ideal behaviour either, but don't break upgrades. Copy the
behaviour from the grub packages here. Closes: #990966
Steve McIntyre [Wed, 23 Jun 2021 18:05:01 +0000 (19:05 +0100)]
Release 15.4-6
Steve McIntyre [Tue, 22 Jun 2021 21:19:08 +0000 (22:19 +0100)]
In insecure mode, don't abort if we can't create the MokListXRT var
Upstream issue #372. Closes: #989962, #990158
Steve McIntyre [Mon, 21 Jun 2021 11:43:33 +0000 (12:43 +0100)]
Add arm64 patch to tweak section layout and stop crashing problems
Upstream issue #371. Closes: #990082, #990190
Steve McIntyre [Wed, 5 May 2021 23:40:56 +0000 (00:40 +0100)]
Add defensive code around calls to db_get
Don't fail if they return errors.
Steve McIntyre [Tue, 4 May 2021 13:45:00 +0000 (14:45 +0100)]
Fix up the template maintainer scripts
if we're not running on an EFI system then exit cleanly
Steve McIntyre [Mon, 3 May 2021 19:52:35 +0000 (20:52 +0100)]
Add maintainer scripts to the template packages
Manage installing and removing fbXXX.efi and mmXXX.efi when we
install/remove the shim-helpers-$arch-signed packages. Closes: #966845
Steve McIntyre [Tue, 20 Apr 2021 23:25:59 +0000 (00:25 +0100)]
Add changelog for 15.4-2 with new patches
Steve McIntyre [Tue, 20 Apr 2021 23:25:20 +0000 (00:25 +0100)]
Don't call QueryVariableInfo() on EFI 1.10 machines
New patch from upstream, don't break old Macs
Steve McIntyre [Tue, 20 Apr 2021 23:24:31 +0000 (00:24 +0100)]
Fix handling of ignore_db and user_insecure_mode
Extra patch from upstream
Steve McIntyre [Sat, 17 Apr 2021 14:57:22 +0000 (15:57 +0100)]
Stop hardcoding the release version in the rules file
We can grab it from the changelog already
Steve McIntyre [Sat, 17 Apr 2021 14:52:42 +0000 (15:52 +0100)]
Clean more things
Steve McIntyre [Sat, 17 Apr 2021 14:49:51 +0000 (15:49 +0100)]
Prep for releasing based on 15.4
Steve McIntyre [Wed, 14 Apr 2021 20:42:57 +0000 (21:42 +0100)]
allocate MOK config table as BootServicesData
Another patch from upstream, needed with newer kernels on x86
Steve McIntyre [Wed, 31 Mar 2021 19:51:26 +0000 (20:51 +0100)]
Add one more patch from upstream to fix i386 binary relocations
Steve McIntyre [Wed, 31 Mar 2021 17:52:40 +0000 (18:52 +0100)]
Move the sha256sum call to the end of the install phase
Make the output easier to find
Steve McIntyre [Wed, 31 Mar 2021 17:42:38 +0000 (18:42 +0100)]
Override dh_auto_build setting INSTALL, cut down on build noise
Steve McIntyre [Wed, 31 Mar 2021 17:27:09 +0000 (18:27 +0100)]
Update to the 15.4 release
Steve McIntyre [Wed, 31 Mar 2021 17:24:30 +0000 (18:24 +0100)]
Update upstream source from tag 'upstream/15.4'
Update to upstream version '15.4'
with Debian dir 93160080661283eee071d2c92a27ce9b39acb998
Steve McIntyre [Wed, 31 Mar 2021 17:24:24 +0000 (18:24 +0100)]
New upstream version 15.4
Steve McIntyre [Wed, 24 Mar 2021 16:34:14 +0000 (16:34 +0000)]
Print sha256 checksums of the EFI binaries when the build is done
Steve McIntyre [Wed, 24 Mar 2021 13:23:26 +0000 (13:23 +0000)]
Tweak the SBAT data to keep reproducibility
Only include the upstream version in the Debian SBAT metadata, so
we don't break reproducibility on every minor packaging change.
Steve McIntyre [Wed, 24 Mar 2021 02:21:53 +0000 (02:21 +0000)]
Add missing build-dep on xxd for build-time unit tests
Steve McIntyre [Tue, 23 Mar 2021 23:49:46 +0000 (23:49 +0000)]
New upstream version 15.3
Steve McIntyre [Tue, 23 Mar 2021 23:49:46 +0000 (23:49 +0000)]
Update upstream source from tag 'upstream/15.3'
Update to upstream version '15.3'
with Debian dir 1b484f1c1ac270604a5a1451b34de4b0865c6211
Steve McIntyre [Tue, 23 Mar 2021 23:43:27 +0000 (23:43 +0000)]
Switch to using the 15.3 release from upstream
Steve McIntyre [Tue, 23 Mar 2021 23:38:30 +0000 (23:38 +0000)]
Remove all our outstanding patches
* cast-CHAR8-string-handling.patch no longer needed
* fix-Make.coverity-bashisms.patch went upstream
Steve McIntyre [Mon, 15 Mar 2021 21:39:49 +0000 (21:39 +0000)]
Update copyright file
Update a couple of top-level changes, copy in gnu-efi information from
the gnu-efi package
Steve McIntyre [Mon, 15 Mar 2021 20:19:01 +0000 (20:19 +0000)]
Fix up some of the options we're using at build time
Definitely don't want to be setting EFI_PATH, as that over-rides the
vendored gnu-efi. Argh
Steve McIntyre [Sun, 14 Mar 2021 16:04:15 +0000 (16:04 +0000)]
Improve how the dbx hashes are handled
Only include the hashes for the architecture we're building for - no
point in adding bloat and delay here.
Add a script "block_signed_deb" to scan a set of .deb files, extract
the hashes for .efi binaries and list them in the format wanted for
the dbx hashes file.
Split out the code to use that file from the rules file into a
separate helper.
Steve McIntyre [Sat, 13 Mar 2021 20:00:58 +0000 (20:00 +0000)]
Tweak the gnu-efi tarball code
Steve McIntyre [Sat, 13 Mar 2021 19:43:00 +0000 (19:43 +0000)]
Add an extra rule to generate the extra gnu-efi tarball
Thanks to Dmitri John Ledkov for help
Steve McIntyre [Sat, 13 Mar 2021 19:06:37 +0000 (19:06 +0000)]
Add Debian SBAT data to the shim build
Add a Debian SBAT template, and rules to use it
Adds a build-dep on dos2unix
Steve McIntyre [Sat, 13 Mar 2021 18:59:25 +0000 (18:59 +0000)]
Add dbx entries for all our existing grub binaries
They're insecure, let's break the chainloading hole
Steve McIntyre [Sun, 21 Feb 2021 17:06:12 +0000 (17:06 +0000)]
Change changelog to shut lintian up
Steve McIntyre [Sun, 21 Feb 2021 16:14:14 +0000 (16:14 +0000)]
Remove artifacts that upstream installs that we don't use
... to keep debhelper from complaining
Steve McIntyre [Sun, 21 Feb 2021 15:25:06 +0000 (15:25 +0000)]
Add new patch cast-CHAR8-string-handling.patch
Cast CHAR8 strings to use (const char *) when using string functions
Looks like gnu-efi definitions of CHAR8 are problematic
Steve McIntyre [Sun, 21 Feb 2021 15:06:56 +0000 (15:06 +0000)]
Trivial change to remove bashisms in Make.coverity
Steve McIntyre [Sun, 21 Feb 2021 14:27:01 +0000 (14:27 +0000)]
Remove all our old patches, no longer needed:
- avoid_null_vsprint.patch
- check_null_sn_ln.patch
- fixup_git.patch
- uname.patch
- use_compare_mem_gcc9.patch
Steve McIntyre [Sun, 21 Feb 2021 13:53:17 +0000 (13:53 +0000)]
Switch to using gcc-10 rather than gcc-9. Closes: #978521
Steve McIntyre [Sun, 21 Feb 2021 13:50:33 +0000 (13:50 +0000)]
Switch to newer upstream "release" 15+1613861442.888f5b5
Many many updates, but caring mainly about SBAT support
Steve McIntyre [Sun, 21 Feb 2021 13:46:16 +0000 (13:46 +0000)]
Update upstream source from tag 'upstream/15+1613861442.888f5b5'
Update to upstream version '15+1613861442.888f5b5'
with Debian dir 15b0853a73144b1f8571ce2bebc2eea68af4a8e3
Jan Setje-Eilers [Fri, 19 Feb 2021 23:40:42 +0000 (15:40 -0800)]
Add --set-section-alignment '.sbat=512' to objcopy command line
Chris Coulson [Wed, 15 Jul 2020 11:33:27 +0000 (12:33 +0100)]
Include missing .text sections in PE/COFF binary
At the default -Os optimization level, gcc emits ".text.startup"
and ".text.unlikely" sections for static initializers and noreturn
functions which end up in the intermediate ELF binary:
$ objdump -h build-x64/shimx64.efi.so
build-x64/shimx64.efi.so:     file format elf64-x86-64
Sections:
Idx Name           Size      VMA               LMA               File off  Algn
  0 .text          00046e7b  0000000000001000  0000000000001000  00001000  2**10
                   CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .text.startup  00000118  0000000000047e7b  0000000000047e7b  00047e7b  2**0
                   CONTENTS, ALLOC, LOAD, READONLY, CODE
  2 .text.unlikely 00000046  0000000000047f93  0000000000047f93  00047f93  2**0
                   CONTENTS, ALLOC, LOAD, READONLY, CODE
  3 .data          000315e8  0000000000048000  0000000000048000  00048000  2**9
These additional .text.* sections are omitted from the final PE/COFF
binary, resulting in a crash when processing the ctors. Taking a look at
_init_array in gdb:
(gdb) p/x &_init_array
$1 = 0x78510
(gdb) p/x &_init_array_end
$2 = 0x7851c
(gdb) x/x (void*)&_init_array
0x78510 <_init_array>: 0x00047e7b
(gdb) x/x (void*)(&_init_array)+8
0x78518 <_init_array+8>: 0x00000000
See that 0x00047e7b falls inside the padding between the .text and .data
sections:
$ objdump -h build-x64/shimx64.efi
build-x64/shimx64.efi:     file format pei-x86-64
Sections:
Idx Name           Size      VMA               LMA               File off  Algn
  0 .text          00046e7b  0000000000001000  0000000000001000  00000400  2**10
                   CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .data          000315e8  0000000000048000  0000000000048000  00047400  2**9
Adjust the linker script to merge the .text.startup and .text.unlikely
sections in to the .text section.
[edited by pjones to use .text.* instead of naming the sections
individually, and to sync up with what other arches have in .text]
Chris Coulson [Fri, 19 Feb 2021 17:37:00 +0000 (17:37 +0000)]
build: Pass the correct paths to sbsign
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
Peter Jones [Fri, 19 Feb 2021 19:23:57 +0000 (14:23 -0500)]
sbat: Fix two NULL derefs found with "gcc -fanalyzer"
"gcc -fanalyzer" found two NULL pointer checks we're missing in sbat.c:
include/str.h: In function ‘get_sbat_field.part.0’:
sbat.c:20:14: error: dereference of NULL ‘offset’ [CWE-476] [-Werror=analyzer-null-dereference]
20 | if (!*offset)
and
include/str.h: In function ‘parse_sbat’:
sbat.c:140:27: error: dereference of NULL ‘current’ [CWE-476] [-Werror=analyzer-null-dereference]
140 | } while (entry && *current != '\0');
Both are simple, and this patch fixes them.
Signed-off-by: Peter Jones <pjones@redhat.com>
Javier Martinez Canillas [Wed, 17 Feb 2021 13:03:48 +0000 (14:03 +0100)]
sbat: make shim parse its own .sbat section on init
This is needed for shim to verify itself when booting, to make sure that
shim binaries can't be executed anymore after being revoked by SBAT.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Javier Martinez Canillas [Thu, 18 Feb 2021 00:12:49 +0000 (01:12 +0100)]
shim: initialize OpenSSL after parsing SBAT data
A following patch will make shim verify its .sbat section and it
should be done before doing the OpenSSL initialization. But having
the debugger attached may be useful at this point.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Javier Martinez Canillas [Wed, 17 Feb 2021 13:03:01 +0000 (14:03 +0100)]
sbat: include NULL terminator when calculating buffer end in parse_sbat()
The parse_sbat() function is currently removing the last character of the
passed buffer, which will usually be a null-terminated string to parse.
There's no reason to do this and just take the whole size as specified by
the caller.
Reported-by: Chris Coulson <chris.coulson@canonical.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
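The revocation string baked in by "Force usage of newest revocations at build time" near the top of this log ("shim,4\ngrub,4\ngrub.peimage,2\n") and the buffer-end handling fixed in the parse_sbat() commit directly above both come down to how the .sbat CSV is parsed and compared against a revocation list. As an added example, not code from shim or from the Debian packaging, here is a Python implementation of that parse-and-compare step. The revocation text copies the string quoted in the commit message; the two grub .sbat payloads are constructed fixtures, not bytes from any shipped binary, and the component/vendor values in them are made up.

```python
"""Added example, not code from shim or the Debian packaging: parse the CSV
carried in a PE .sbat section and check it against a revocation list of the
kind the Debian build forces ("shim,4\\ngrub,4\\ngrub.peimage,2\\n").  The grub
SBAT payloads below are constructed fixtures, not bytes from a real binary."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SbatEntry:
    component: str
    generation: int
    extra: tuple[str, ...]   # vendor name/package/version/url, kept for reporting


def _csv_rows(buf: bytes) -> list[list[str]]:
    """Split a NUL-padded buffer into non-empty CSV rows.

    Everything up to the first NUL is parsed and the last character is never
    dropped (the defect the parse_sbat() commit fixed), so a buffer with no
    terminator at all still yields its final line."""
    text = buf.split(b"\0", 1)[0].decode("ascii")
    return [line.split(",") for line in text.splitlines() if line.strip()]


def parse_sbat(buf: bytes) -> list[SbatEntry]:
    """Parse a .sbat section; the first row must be the 'sbat' header row."""
    entries = []
    for lineno, fields in enumerate(_csv_rows(buf), 1):
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected component,generation[,...]")
        try:
            gen = int(fields[1])
        except ValueError:
            raise ValueError(f"line {lineno}: bad generation {fields[1]!r}") from None
        entries.append(SbatEntry(fields[0], gen, tuple(fields[2:])))
    if not entries or entries[0].component != "sbat":
        raise ValueError("first SBAT entry must be the 'sbat' header")
    return entries


def parse_revocations(buf: bytes) -> dict[str, int]:
    """Revocation list: 'component,generation' rows.  If a component appears
    twice the higher generation wins, so merging lists can only tighten."""
    required: dict[str, int] = {}
    for fields in _csv_rows(buf):
        if len(fields) < 2:
            raise ValueError(f"bad revocation row {fields!r}")
        name, gen = fields[0], int(fields[1])
        required[name] = max(gen, required.get(name, 0))
    return required


def revoked_reasons(entries: list[SbatEntry], required: dict[str, int]) -> list[str]:
    """Why a binary is refused; an empty list means it may be loaded.

    SBAT rule: a component is revoked when the list names it and the binary's
    generation is below the listed one.  Components the binary does not
    declare are unaffected, so an old grub with no grub.peimage row is caught
    only through its grub generation."""
    reasons = []
    for e in entries:
        need = required.get(e.component)
        if need is not None and e.generation < need:
            reasons.append(f"{e.component}: generation {e.generation} < required {need}")
    return reasons


def check(sbat_section: bytes, revocations: bytes) -> list[str]:
    """Convenience wrapper: raw .sbat bytes plus raw revocation bytes in, reasons out."""
    return revoked_reasons(parse_sbat(sbat_section), parse_revocations(revocations))


# Constructed fixtures: the revocation string quoted in the log, and two
# made-up grub .sbat payloads, NUL padded the way a section would be.
LATEST_REVOCATIONS = b"shim,4\ngrub,4\ngrub.peimage,2\n"
OLD_GRUB_SBAT = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
                 b"grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
                 b"grub.debian,4,Debian,grub2,2.06-13,https://tracker.debian.org/pkg/grub2\n\0\0")
NEW_GRUB_SBAT = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
                 b"grub,4,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/\n"
                 b"grub.peimage,2,Debian,grub2,2.12-1,https://tracker.debian.org/pkg/grub2\n"
                 b"grub.debian,4,Debian,grub2,2.12-1,https://tracker.debian.org/pkg/grub2\n\0\0")

if __name__ == "__main__":
    for label, blob in (("old grub", OLD_GRUB_SBAT), ("new grub", NEW_GRUB_SBAT)):
        reasons = check(blob, LATEST_REVOCATIONS)
        print(f"{label}: {'ALLOWED' if not reasons else 'REVOKED: ' + '; '.join(reasons)}")
```

The comparison is per component, which is why the commit message can say the forced revocations still work with the released grub builds in every suite: a grub whose grub generation is already 4 passes even if it predates the grub.peimage entry, while any binary still carrying grub,3 is refused. Feed it the raw .sbat bytes extracted from a PE and the SbatLevel text you intend to ship, and it tells you exactly which row would trip.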
Peter Jones [Wed, 17 Feb 2021 23:33:36 +0000 (18:33 -0500)]
pe.c: move sbat verification to its own function.
handle_image() is quite huge and complex.
This patch moves the SBAT validation code from handle_image() to a new
function, handle_sbat().
Signed-off-by: Peter Jones <pjones@redhat.com>