SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for shim-15.7-150300.4.16.1.x86_64.rpm :

* Fri Apr 21 2023 jleeAATTsuse.com- Updated shim.changes to add CVE-2022-28737 number for bsc#1198458. The issue be fixed by upgrade to shim 15.7. (bsc#1198458, CVE-2022-28737)
* Thu Apr 13 2023 jleeAATTsuse.com- Sometimes SLE shim signature be Microsoft updated before openSUSE shim signature. When submit request on IBS for updating SLE shim, the submitreq project be generated, but it always be blocked by checking the signature of openSUSE shim. It doesn\'t make sense checking openSUSE shim signature when building SLE shim on SLE platform, and vice versa. So the following change adds the logic to compare suffix (sles, opensuse) with distro_id (sle, opensuse). When and only when hash mismatch and distro_id match with suffix, stop building. [#] compare suffix (sles, opensuse) with distro_id (sle, opensuse) [#] when hash mismatch and distro_id match with suffix, stop building
* Thu Apr 13 2023 jleeAATTsuse.com- Upgrade shim-install for bsc#1210382 After closing Leap-gap project since Leap 15.3, openSUSE Leap direct uses shim from SLE. So the ca_string is \'SUSE Linux Enterprise Secure Boot CA1\', not \'openSUSE Secure Boot CA1\'. It causes that the update_boot=no, so all files in /boot/efi/EFI/boot are not updated. The 86b73d1 patch added the logic that using ID field in os-release for checking Leap distro and set ca_string to \'SUSE Linux Enterprise Secure Boot CA1\'. Then /boot/efi/EFI/boot/
* can also be updated.- https://github.com/SUSE/shim-resources (git log --oneline) 86b73d1 Fix that bootx64.efi is not updated on Leap f2e8143 Use the long name to specify the grub2 key protector 7283012 cryptodisk: support TPM authorized policies 49e7a0d Do not use tpm_record_pcrs unless the command is in command.lst 26c6bd5 Have grub take a snapshot of \"relevant\" TPM PCRs 5c2c3ad Handle different cases of controlling cryptomount volumes during first stage boot a5c5734 Introduce --no-grub-install option
* Tue Mar 21 2023 jleeAATTsuse.com- Updated shim signature after shim 15.7 be signed back: signature-sles.x86_64.asc, signature-sles.aarch64.asc (bsc#1198458, CVE-2022-28737)
* Wed Nov 23 2022 jleeAATTsuse.com- Add POST_PROCESS_PE_FLAGS=-N to the build command in shim.spec to disable the NX compatibility flag when using post-process-pe because grub2 is not ready. (bsc#1205588) - Kernel can boot with the NX compatibility flag since 82e0d6d76a2a7 be merged to v5.19. On the other hand, upstream is working on improve compressed kernel stage for NX: [PATCH v3 00/24] x86_64: Improvements at compressed kernel stage https://www.spinics.net/lists/kernel/msg4599636.html
* Fri Nov 18 2022 jleeAATTsuse.com- Add shim-Enable-the-NX-compatibility-flag-by-default.patch to enable the NX compatibility flag by default. (jsc#PED-127)
* Fri Nov 18 2022 jleeAATTsuse.com- Drop upstreamed patch: - shim-Enable-TDX-measurement-to-RTMR-register.patch - Enable TDX measurement to RTMR register (jsc#PED-1273) - 4fd484e4c2 15.7
* Thu Nov 17 2022 jleeAATTsuse.com- Update to 15.7 (bsc#1198458)(jsc#PED-127) - Patches (git log --oneline --reverse 15.6..15.7) 0eb07e1 Make SBAT variable payload introspectable 092c2b2 Reference MokListRT instead of MokList 8b59b69 Add a link to the test plan in the readme. 4fd484e Enable TDX measurement to RTMR register 14d6339 Discard load-options that start with a NUL 5c537b3 shim: Flush the memory region from i-cache before execution 2d4ebb5 load_cert_file: Fix stack issue ea4911c load_cert_file: Use EFI RT memory function 0cf43ac Add -malign-double to IA32 compiler flags 17f0233 pe: Fix image section entry-point validation 5169769 make-archive: Build reproducible tarball aa1b289 mok: remove MokListTrusted from PCR 7 53509ea CryptoPkg/BaseCryptLib: fix NULL dereference 616c566 More coverity modeling ea0d0a5 Update shim\'s .sbat to sbat,3 dd8be98 Bump grub\'s sbat requirement to grub,3 1149161 (HEAD -> main, tag: 15.7, origin/main, origin/HEAD) Update version to 15.7 - 15.7 release note https://github.com/rhboot/shim/releases Make SBAT variable payload introspectable by AATTchrisccoulson in #483 Reference MokListRT instead of MokList by AATTesnowberg in #488 Add a link to the test plan in the readme. by AATTvathpela in #494 [V3] Enable TDX measurement to RTMR register by AATTkenplusplus in #485 Discard load-options that start with a NUL by AATTfrozencemetery in #505 load_cert_file bugs by AATTesnowberg in #523 Add -malign-double to IA32 compiler flags by AATTnicholasbishop in #516 pe: Fix image section entry-point validation by AATTiokomin in #518 make-archive: Build reproducible tarball by AATTjulian-klode in #527 mok: remove MokListTrusted from PCR 7 by AATTbaloo in #519 - Drop upstreamed patch: - shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch - Cryptlib/CryptAuthenticode: fix NULL pointer dereference in AuthenticodeVerify() - 53509eaf22 15.7 - shim-jscPED-127-upgrade-shim-in-SLE15-SP5.patch - For backporting the following patches between 15.6 with aa1b289a1a (jsc#PED-127) - The following patches are merged to 15.7 aa1b289a1a mok: remove MokListTrusted from PCR 7 0cf43ac6d7 Add -malign-double to IA32 compiler flags ea4911c2f3 load_cert_file: Use EFI RT memory function 2d4ebb5a79 load_cert_file: Fix stack issue 5c537b3d0c shim: Flush the memory region from i-cache before execution 14d6339829 Discard load-options that start with a NUL 092c2b2bbe Reference MokListRT instead of MokList 0eb07e11b2 Make SBAT variable payload introspectable
* Thu Nov 17 2022 jleeAATTsuse.com- Update shim.changes, added missed shim 15.6-rc1 and 15.6 changelog to the item in Update to 15.6. (bsc#1198458)
* Tue Nov 15 2022 jleeAATTsuse.com- Add shim-jscPED-127-upgrade-shim-in-SLE15-SP5.patch for backporting the following patches between 15.6 with aa1b289a1a (jsc#PED-127): aa1b289a1a16774afc3143b8948d97261f0872d0 mok: remove MokListTrusted from PCR 7 0cf43ac6d78c6f47f8b91210639ac1aa63665f0b Add -malign-double to IA32 compiler flags ea4911c2f3ce8f8f703a1476febac86bb16b00fd load_cert_file: Use EFI RT memory function 2d4ebb5a798aafd3b06d2c3cb9c9840c1caa41ef load_cert_file: Fix stack issue 5c537b3d0cf8c393dad2e61d49aade68f3af1401 shim: Flush the memory region from i-cache before execution 14d63398298c8de23036a4cf61594108b7345863 Discard load-options that start with a NUL 092c2b2bbed950727e41cf450b61c794881c33e7 Reference MokListRT instead of MokList 0eb07e11b20680200d3ce9c5bc59299121a75388 Make SBAT variable payload introspectable
* Tue Nov 15 2022 jleeAATTsuse.com- Add shim-Enable-TDX-measurement-to-RTMR-register.patch to support enhance shim measurement to TD RTMR. (jsc#PED-1273)
* Tue Nov 15 2022 jleeAATTsuse.com- For pushing openSUSE:Factory/shim to SLE15-SP5, sync the shim.spec and shim.changes: (jsc#PED-127) - Add some change log from SLE shim.changes to Factory shim.changes Those messages are added \"(sync shim.changes from SLE)\" tag. - Add the following changes to shim.spec - only apply Patch100, the shim-bsc1198101-opensuse-cert-prompt.patch on openSUSE. - Enable the AArch64 signature check for SLE: [#] AArch64 signature signature=%{SOURCE13}
* Thu Sep 29 2022 mchangAATTsuse.com- shim-install: ensure grub.cfg created is not overwritten after installing grub related files
* Mon Sep 12 2022 khanich.opensourceAATTgmx.de- Add logic to shim.spec to only set sbat policy when efivarfs is writeable. (bsc#1201066)
* Fri Aug 05 2022 jleeAATTsuse.com- Add logic to shim.spec for detecting --set-sbat-policy option before using mokutil to set sbat policy. (bsc#1202120)
* Fri Jul 29 2022 jleeAATTsuse.com- Change the URL in SBAT section to mail:securityAATTsuse.de. (bsc#1193282)
* Mon Jul 25 2022 jleeAATTsuse.com- Revoked the change in shim.spec for \"use common SBAT values (boo#1193282)\" - we need to build openSUSE Tumbleweed\'s shim on Leap 15.4 because Factory is unstable for building out a stable shim binary for signing. (bsc#1198458) - But the rpm-config-suse package in Leap 15.4 is direct copied from SLE 15.4 because closing-the-leap-gap. So sbat_distro_
* variables are SLE version, not for openSUSE. (bsc#1198458)
* Tue Jun 28 2022 jleeAATTsuse.com- Update to 15.6 (bsc#1198458) - shim-15.6.tar.bz2 is downloaded from bsc#1198458#c76 which is from upstream grub2.cve_2021_3695.ms keybase channel. - For building 15.6~rc1 aarch64 image (d6eb9c6 Modernize aarch64), objcopy needs to support efi-app-aarch64 target. So we need the following patches in bintuils: - binutils-AArch64-Add-support-for-AArch64-EFI-efi-aarch64.patch b69c9d41e8 AArch64: Add support for AArch64 EFI (efi-
*-aarch64). - binutils-Re-AArch64-Add-support-for-AArch64-EFI-efi-aarch64.patch 32384aa396 Re: AArch64: Add support for AArch64 EFI (efi-
*-aarch64) - binutils-Re-Add-support-for-AArch64-EFI-efi-aarch64.patch d91c67e873 Re: Add support for AArch64 EFI (efi-
*-aarch64) - Patches (git log --oneline --reverse 15.5~..77144e5a4) 448f096 MokManager: removed Locate graphic output protocol fail error message (bsc#1193315, bsc#1198458) a2da05f shim: implement SBAT verification for the shim_lock protocol bda03b8 post-process-pe: Fix a missing return code check af18810 CI: don\'t cancel testing when one fails ba580f9 CI: remove EOL Fedoras from github actions bfeb4b3 Remove aarch64 build tests before f35 38cc646 CI: Add f36 and centos9 CI build tests. b5185cb post-process-pe: Fix format string warnings on 32-bit platforms 31094e5 tests: also look for system headers in multi-arch directories 4df989a mock-variables.c: fix gcc warning 6aac595 test-str.c: fix gcc warnings with FORTIFY_SOURCE enabled 2670c6a Allow MokListTrusted to be enabled by default 5c44aaf Add code of conduct d6eb9c6 Modernize aarch64 9af50c1 Use ASCII as fallback if Unicode Box Drawing characters fail de87985 make: don\'t treat cert.S specially 803dc5c shim: use SHIM_DEVEL_VERBOSE when built in devel mode 6402f1f SBAT matching: Break out of the inner sbat loop if we find the entry. bb4b60e Add verify_image acfd48f Abstract out image reading 35d7378 Load additional certs from a signed binary 8ce2832 post-process-pe: there is no \'s\' argument. 465663e Add some missing PE image flag definitions 226fee2 PE Loader: support and require NX df96f48 Add MokPolicy variable and MOK_POLICY_REQUIRE_NX b104fc4 post-process-pe: set EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT f81a7cc SBAT revocation management abe41ab make: unbreak scan-build again for gnu-efi 610a1ac sbat.h: minor reformatting for legibility f28833f peimage.h: make our signature macros force the type 5d789ca Always initialize data/datasize before calling read_image() a50d364 sbat policy: make our policy change actions symbolic 5868789 load_certs: trust dir->Read() slightly less. a78673b mok.c: fix a trivial dead assignment 759f061 Fix preserve_sbat_uefi_variable() logic aa61fdf Give the Coverity scanner some more GCC blinders... 0214cd9 load_cert_file(): don\'t defererence NULL 1eca363 mok import: handle OOM case 75449bc sbat: Make nth_sbat_field() honor the size limit c0bcd04 shim-15.6~rc1 77144e5 SBAT Policy latest should be a one-shot - 15.5 release note https://github.com/rhboot/shim/releases Broken ia32 relocs and an unimportant submodule change. by AATTvathpela in #357 mok: allocate MOK config table as BootServicesData by AATTlcp in #361 Don\'t call QueryVariableInfo() on EFI 1.10 machines by AATTvathpela in #364 Relax the check for import_mok_state() by AATTlcp in #372 SBAT.md: trivial changes by AATThallyn in #389 shim: another attempt to fix load options handling by AATTchrisccoulson in #379 Add tests for our load options parsing. by AATTvathpela in #390 arm/aa64: fix the size of .rela
* sections by AATTlcp in #383 mok: fix potential buffer overrun in import_mok_state by AATTjyong2 in #365 mok: relax the maximum variable size check by AATTlcp in #369 Don\'t unhook ExitBootServices when EBS protection is disabled by AATTsforshee in #378 fallback: find_boot_option() needs to return the index for the boot entry in optnum by AATTjsetje in #396 httpboot: Ignore case when checking HTTP headers by AATTfrozencemetery in #403 Fallback allocation errors by AATTvathpela in #402 shim: avoid BOOTx64.EFI in message on other architectures by AATTxypron in #406 str: remove duplicate parameter check by AATTxypron in #408 fallback: add compile option FALLBACK_NONINTERACTIVE by AATTxnox in #359 Test mok mirror by AATTvathpela in #394 Modify sbat.md to help with readability. by AATTeshiman in #398 csv: detect end of csv file correctly by AATTxypron in #404 Specify that the .sbat section is ASCII not UTF-8 by AATTdaxtens in #413 tests: add \"include-fixed\" GCC directory to include directories by AATTdiabonas in #415 pe: simplify generate_hash() by AATTxypron in #411 Don\'t make shim abort when TPM log event fails (RHBZ #2002265) by AATTrmetrich in #414 Fallback to default loader if parsed one does not exist by AATTjulian-klode in #393 fallback: Fix for BootOrder crash when index returned by find_boot_option() is not in current BootOrder list by AATTrmetrich in #422 Better console checks by AATTvathpela in #416 docs: update SBAT UEFI variable name by AATTnicholasbishop in #421 Don\'t parse load options if invoked from removable media path by AATTjulian-klode in #399 fallback: fix fallback not passing arguments of the first boot option by AATTmartinezjavier in #433 shim: Don\'t stop forever at \"Secure Boot not enabled\" notification by AATTrmetrich in #438 Shim 15.5 coverity by AATTvathpela in #439 Allocate mokvar table in runtime memory. by AATTvathpela in #447 Remove post-process-pe on \'make clean\' by AATTvathpela in #448 pe: missing perror argument by AATTxypron in #443 - 15.6-rc1 release note https://github.com/rhboot/shim/releases MokManager: removed Locate graphic output protocol fail error message by AATTjoeyli in #441 shim: implement SBAT verification for the shim_lock protocol by AATTchrisccoulson in #456 post-process-pe: Fix a missing return code check by AATTvathpela in #462 Update github actions matrix to be more useful by AATTfrozencemetery in #469 Add f36 and centos9 CI builds by AATTvathpela in #470 post-process-pe: Fix format string warnings on 32-bit platforms by AATTsteve-mcintyre in #464 tests: also look for system headers in multi-arch directories by AATTsteve-mcintyre in #466 tests: fix gcc warnings by AATTakodanev in #463 Allow MokListTrusted to be enabled by default by AATTesnowberg in #455 Add code of conduct by AATTfrozencemetery in #427 Re-add ARM AArch64 support by AATTvathpela in #468 Use ASCII as fallback if Unicode Box Drawing characters fail by AATTvathpela in #428 make: don\'t treat cert.S specially by AATTvathpela in #475 shim: use SHIM_DEVEL_VERBOSE when built in devel mode by AATTvathpela in #474 Break out of the inner sbat loop if we find the entry. by AATTvathpela in #476 Support loading additional certificates by AATTesnowberg in #446 Add support for NX (W^X) mitigations. by AATTvathpela in #459 Misc fixups from scan-build. by AATTvathpela in #477 Fix preserve_sbat_uefi_variable() logic by AATTjsetje in #478 - 15.6 release note https://github.com/rhboot/shim/releases MokManager: removed Locate graphic output protocol fail error message by AATTjoeyli in #441 shim: implement SBAT verification for the shim_lock protocol by AATTchrisccoulson in #456 post-process-pe: Fix a missing return code check by AATTvathpela in #462 Update github actions matrix to be more useful by AATTfrozencemetery in #469 Add f36 and centos9 CI builds by AATTvathpela in #470 post-process-pe: Fix format string warnings on 32-bit platforms by AATTsteve-mcintyre in #464 tests: also look for system headers in multi-arch directories by AATTsteve-mcintyre in #466 tests: fix gcc warnings by AATTakodanev in #463 Allow MokListTrusted to be enabled by default by AATTesnowberg in #455 Add code of conduct by AATTfrozencemetery in #427 Re-add ARM AArch64 support by AATTvathpela in #468 Use ASCII as fallback if Unicode Box Drawing characters fail by AATTvathpela in #428 make: don\'t treat cert.S specially by AATTvathpela in #475 shim: use SHIM_DEVEL_VERBOSE when built in devel mode by AATTvathpela in #474 Break out of the inner sbat loop if we find the entry. by AATTvathpela in #476 Support loading additional certificates by AATTesnowberg in #446 Add support for NX (W^X) mitigations. by AATTvathpela in #459 Misc fixups from scan-build. by AATTvathpela in #477 Fix preserve_sbat_uefi_variable() logic by AATTjsetje in #478 SBAT Policy latest should be a one-shot by AATTjsetje in #481 pe: Fix a buffer overflow when SizeOfRawData > VirtualSize by AATTchriscoulson pe: Perform image verification earlier when loading grub by AATTchriscoulson Update advertised sbat generation number for shim by AATTjsetje Update SBAT generation requirements for 05/24/22 by AATTjsetje Also avoid CVE-2022-28737 in verify_image() by AATTvathpela - Drop upstreamed patch: - shim-bsc1184454-allocate-mok-config-table-BS.patch - Allocate MOK config table as BootServicesData to avoid the error message from linux kernel - 4068fd42c8 15.5-rc1~70 - shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch - Handle ignore_db and user_insecure_mode correctly - 822d07ad4f07 15.5-rc1~73 - shim-bsc1185621-relax-max-var-sz-check.patch - Relax the maximum variable size check for u-boot - 3f327f546c219634b2 15.5-rc1~49 - shim-bsc1185261-relax-import_mok_state-check.patch - Relax the check for import_mok_state() when Secure Boot is off - 9f973e4e95b113 15.5-rc1~67 - shim-bsc1185232-relax-loadoptions-length-check.patch - Relax the check for the LoadOptions length - ada7ff69bd8a95 15.5-rc1~52 - shim-fix-aa64-relsz.patch - Fix the size of rela
* sections for AArch64 - 34e3ef205c5d65 15.5-rc1~51 - shim-bsc1187260-fix-efi-1.10-machines.patch - Don\'t call QueryVariableInfo() on EFI 1.10 machines - 493bd940e5 15.5-rc1~69 - shim-bsc1185232-fix-config-table-copying.patch - Avoid buffer overflow when copying the MOK config table - 7501b6bb44 15.5-rc1~50 - shim-bsc1187696-avoid-deleting-rt-variables.patch - Avoid deleting the mirrored RT variables - b1fead0f7c9 15.5-rc1~37 - Add \"rm -f
*.o\" after building MokManager/fallback in shim.spec to make sure all object files gets rebuilt - reference: https://github.com/rhboot/shim/pull/461- The following fix-CVE-2022-28737-v6 patches against bsc#1198458 are included in shim-15.6.tar.bz2 - shim-bsc1198458-pe-Fix-a-buffer-overflow-when-SizeOfRawData-VirtualS.patch pe: Fix a buffer overflow when SizeOfRawData VirtualSize - shim-bsc1198458-pe-Perform-image-verification-earlier-when-loading-g.patch pe: Perform image verification earlier when loading grub - shim-bsc1198458-Update-advertised-sbat-generation-number-for-shim.patch Update advertised sbat generation number for shim - shim-bsc1198458-Update-SBAT-generation-requirements-for-05-24-22.patch Update SBAT generation requirements for 05/24/22 - shim-bsc1198458-Also-avoid-CVE-2022-28737-in-verify_image.patch Also avoid CVE-2022-28737 in verify_image() - 0006-shim-15.6-rc2.patch - 0007-sbat-add-the-parsed-SBAT-variable-entries-to-the-deb.patch sbat: add the parsed SBAT variable entries to the debug log - 0008-bump-version-to-shim-15.6.patch- Add mokutil command to post script for setting sbat policy to latest mode when the SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23 is not created. (bsc#1198458)- Add shim-bsc1198101-opensuse-cert-prompt.patch back to openSUSE shim to show the prompt to ask whether the user trusts openSUSE certificate or not (bsc#1198101)- Updated vendor dbx binary and script (bsc#1198458) - Updated dbx-cert.tar.xz and vendor-dbx-sles.bin for adding SLES-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list. - Updated dbx-cert.tar.xz and vendor-dbx-opensuse.bin for adding openSUSE-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list. - Updated vendor-dbx.bin for adding SLES-UEFI-SIGN-Certificate-2021-05.crt and openSUSE-UEFI-SIGN-Certificate-2021-05.crt for testing environment. - Updated generate-vendor-dbx.sh script for generating a vendor-dbx.bin file which includes all .der for testing environment.
* Tue Apr 12 2022 lnusselAATTsuse.de- use common SBAT values (boo#1193282)
* Thu Jul 15 2021 jsegitzAATTsuse.com- Update the SLE signatures (sync shim.changes from SLE)
* Thu Jul 01 2021 glinAATTsuse.com- Add shim-bsc1187696-avoid-deleting-rt-variables.patch to avoid deleting the mirrored RT variables (bsc#1187696)
* Mon Jun 21 2021 glinAATTsuse.com(sync shim.changes from SLE)- Split the keys in vendor-dbx.bin to vendor-dbx-sles and vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce the size of MokListXRT (bsc#1185261) + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz- Add shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch to handle ignore_db and user_insecure_mode correctly (bsc#1185441, bsc#1187071)- Add shim-bsc1185621-relax-max-var-sz-check.patch to relax the maximum variable size check for u-boot (bsc#1185621) + Also drop AArch64 suse-signed shim since we merged this patch- Add shim-bsc1185261-relax-import_mok_state-check.patch to relax the check for import_mok_state() when Secure Boot is off. (bsc#1185261)- Add shim-bsc1185232-relax-loadoptions-length-check.patch to ignore the odd LoadOptions length (bsc#1185232)- shim-install: reset def_shim_efi to \"shim.efi\" if the given file doesn\'t exist- Add shim-fix-aa64-relsz.patch to fix the size of rela sections for AArch64 Fix: https://github.com/rhboot/shim/issues/371- Add shim-disable-export-vendor-dbx.patch to disable exporting vendor-dbx to MokListXRT since writing a large RT variable could crash some machines (bsc#1185261)- Add shim-bsc1187260-fix-efi-1.10-machines.patch to avoid the potential crash when calling QueryVariableInfo in EFI 1.10 machines (bsc#1187260)- Add shim-bsc1185232-fix-config-table-copying.patch to avoid buffer overflow when copying data to the MOK config table (bsc#1185232)
* Mon Jun 21 2021 glinAATTsuse.com- Add shim-bsc1185232-fix-config-table-copying.patch to avoid buffer overflow when copying data to the MOK config table (bsc#1185232)
* Mon Jun 21 2021 glinAATTsuse.com- Add shim-disable-export-vendor-dbx.patch to disable exporting vendor-dbx to MokListXRT since writing a large RT variable could crash some machines (bsc#1185261)- Add shim-bsc1187260-fix-efi-1.10-machines.patch to avoid the potential crash when calling QueryVariableInfo in EFI 1.10 machines (bsc#1187260)
* Thu Jun 17 2021 glinAATTsuse.com- Add shim-fix-aa64-relsz.patch to fix the size of rela sections for AArch64 Fix: https://github.com/rhboot/shim/issues/371
* Fri Jun 04 2021 glinAATTsuse.com- Add shim-bsc1185232-relax-loadoptions-length-check.patch to ignore the odd LoadOptions length (bsc#1185232)
* Fri Jun 04 2021 glinAATTsuse.com- shim-install: reset def_shim_efi to \"shim.efi\" if the given file doesn\'t exist
* Wed May 19 2021 glinAATTsuse.com- shim-install: instead of assuming \"removable\" for Azure, remove fallback.efi from \\EFI\\Boot and copy grub.efi/cfg to \\EFI\\Boot to make \\EFI\\Boot bootable and keep the boot option created by efibootmgr (bsc#1185464, bsc#1185961)
* Tue May 11 2021 glinAATTsuse.com- Add shim-bsc1185261-relax-import_mok_state-check.patch to relax the check for import_mok_state() when Secure Boot is off. (bsc#1185261)
* Fri May 07 2021 glinAATTsuse.com- shim-install: always assume \"removable\" for Azure to avoid the endless reset loop (bsc#1185464)
* Thu May 06 2021 glinAATTsuse.com- Include suse-signed shim for AArch64 (bsc#1185621) (sync shim.changes from SLE)
* Thu May 06 2021 glinAATTsuse.com- Add shim-bsc1185621-relax-max-var-sz-check.patch to relax the maximum variable size check for u-boot (bsc#1185621)
* Mon May 03 2021 glinAATTsuse.com- Add shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch to handle ignore_db and user_insecure_mode correctly (bsc#1185441, bsc#1187071)
* Wed Apr 28 2021 glinAATTsuse.com- Split the keys in vendor-dbx.bin to vendor-dbx-sles and vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce the size of MokListXRT (bsc#1185261) + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz
* Thu Apr 22 2021 glinAATTsuse.com- Enable the AArch64 signature check for SLE (sync shim.changes from SLE)
* Wed Apr 21 2021 jsegitzAATTsuse.com- Update the SLE signatures (sync shim.changes from SLE)
* Thu Apr 08 2021 glinAATTsuse.com- Add shim-bsc1184454-allocate-mok-config-table-BS.patch to avoid the error message during linux system boot (bsc#1184454)
* Wed Apr 07 2021 jsegitzAATTsuse.com- Add remove_build_id.patch to prevent the build id being added to the binary. That can cause issues with the signature
* Wed Mar 31 2021 glinAATTsuse.com- Update to 15.4 (bsc#1182057) + Rename the SBAT variable and fix the self-check of SBAT + sbat: add more dprint() + arm/aa64: Swizzle some sections to make old sbsign happier + arm/aa64 targets: put .rel
* and .dyn
* in .rodata- Drop upstreamed patch: + shim-bsc1182057-sbat-variable-enhancement.patch
* Mon Mar 29 2021 glinAATTsuse.com- Add shim-bsc1182057-sbat-variable-enhancement.patch to change the SBAT variable name and enhance the handling of SBAT (bsc#1182057)
* Wed Mar 24 2021 glinAATTsuse.com- Update to 15.3 for SBAT support (bsc#1182057) + Drop gnu-efi from BuildRequires since upstream pull it into the tar ball.- Generate vender-specific SBAT metadata + Add dos2unix to BuildRequires since Makefile requires it for vendor SBAT- Update dbx-cert.tar.xz and vendor-dbx.bin to block the following sign keys: + SLES-UEFI-SIGN-Certificate-2020-07.crt + openSUSE-UEFI-SIGN-Certificate-2020-07.crt- Refresh patches + shim-arch-independent-names.patch + shim-change-debug-file-path.patch + shim-bsc1177315-verify-eku-codesign.patch - Unified with shim-bsc1177315-fix-buffer-use-after-free.patch- Drop upstreamed fixes + shim-correct-license-in-headers.patch + shim-always-mirror-mok-variables.patch + shim-bsc1175509-more-tpm-fixes.patch + shim-bsc1173411-only-check-efi-var-on-sb.patch + shim-fix-verify-eku.patch + gcc9-fix-warnings.patch + shim-fix-gnu-efi-3.0.11.patch + shim-bsc1177404-fix-a-use-of-strlen.patch + shim-do-not-write-string-literals.patch + shim-VLogError-Avoid-Null-pointer-dereferences.patch + shim-bsc1092000-fallback-menu.patch + shim-bsc1175509-tpm2-fixes.patch + shim-bsc1174512-correct-license-in-headers.patch + shim-bsc1182776-fix-crash-at-exit.patch- Drop shim-opensuse-cert-prompt.patch + All newly released openSUSE kernels enable kernel lockdown and signature verification, so there is no need to add the prompt anymore.
* Thu Mar 11 2021 glinAATTsuse.com- Refresh shim-bsc1182776-fix-crash-at-exit.patch to do the cleanup also when Secure Boot is disabled (bsc#1183213, bsc#1182776)- Merged linker-version.pl into timestamp.pl and add the linker version to signature files accordingly
* Mon Mar 08 2021 glinAATTsuse.com- Add shim-bsc1182776-fix-crash-at-exit.patch to fix the potential crash at Exit() (bsc#1182776)
* Fri Jan 22 2021 glinAATTsuse.com- Update the SLE signature- Exclude some patches from x86_64 to avoid breaking the signature- Add shim-correct-license-in-headers.patch back for x86_64 to match the SLE signature- Add linker-version.pl to modify the EFI/PE header to match the SLE signature
* Wed Nov 04 2020 glinAATTsuse.com- Disable the signature attachment for AArch64 temporarily until we get a real one.
* Mon Nov 02 2020 glinAATTsuse.com- Add shim-bsc1177315-verify-eku-codesign.patch to check CodeSign in the signer\'s EKU (bsc#1177315)- Add shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch to fix NULL pointer dereference in AuthenticodeVerify() (bsc#1177789, CVE-2019-14584)- shim-install: Support changing default shim efi binary in /usr/etc/default/shim and /etc/default/shim (bsc#1177315)- Add shim-bsc1177315-fix-buffer-use-after-free.patch to fix buffer use-after-free at the end of the EKU verification (bsc#1177315)
* Wed Oct 14 2020 glinAATTsuse.com- Add shim-bsc1177404-fix-a-use-of-strlen.patch to fix the length of the option data string to launch the program correctly (bsc#1177404)- Add shim-bsc1175509-more-tpm-fixes.patch to fix the file path in the tpm even log (bsc#1175509)
* Mon Sep 14 2020 glinAATTsuse.com- Add shim-VLogError-Avoid-Null-pointer-dereferences.patch to fix VLogError crash in AArch64 (jsc#SLE-15824)- Add shim-fix-verify-eku.patch to fix the potential crash at verify_eku() (jsc#SLE-15824)- Add shim-do-not-write-string-literals.patch to fix the potential crash when accessing the DEFAULT_LOADER string (jsc#SLE-15824)
* Fri Sep 04 2020 guillaume.gardetAATTopensuse.org- Enable build on aarch64
* Mon Aug 24 2020 glinAATTsuse.com- shim-install: install MokManager to \\EFI\\boot to process the pending MOK request (bsc#1175626, bsc#1175656)
* Fri Aug 21 2020 glinAATTsuse.com- Add shim-bsc1175509-tpm2-fixes.patch to fix the TPM2 measurement (bsc#1175509)
* Thu Aug 06 2020 glinAATTsuse.com- Amend the check of %shim_enforce_ms_signature
* Fri Jul 31 2020 jsegitzAATTsuse.com- Updated openSUSE signature
* Mon Jul 27 2020 glinAATTsuse.com- Replace shim-correct-license-in-headers.patch with the upstream commit: shim-bsc1174512-correct-license-in-headers.patch (bsc#1174512)
* Wed Jul 22 2020 glinAATTsuse.com- Update the path to grub-tpm.efi in shim-install (bsc#1174320)
* Fri Jul 10 2020 glinAATTsuse.com- Use vendor-dbx to block old SUSE/openSUSE signkeys (bsc#1168994) + Add dbx-cert.tar.xz which contains the certificates to block and a script, generate-vendor-dbx.sh, to generate vendor-dbx.bin + Add vendor-dbx.bin as the vendor dbx to block unwanted keys- Drop shim-opensuse-signed.efi + We don\'t need it anymore
* Fri Jul 10 2020 glinAATTsuse.com- Add shim-bsc1173411-only-check-efi-var-on-sb.patch to only check EFI variable copying when Secure Boot is enabled (bsc#1173411)
* Tue Mar 31 2020 glinAATTsuse.com- Use the full path of efibootmgr to avoid errors when invoking shim-install from packagekitd (bsc#1168104)
* Mon Mar 30 2020 glinAATTsuse.com- Use \"suse_version\" instead of \"sle_version\" to avoid shim_lib64_share_compat being set in Tumbleweed forever.
* Mon Mar 16 2020 glinAATTsuse.com- Add shim-fix-gnu-efi-3.0.11.patch to fix the build error caused by the upgrade of gnu-efi
* Wed Nov 27 2019 mchangAATTsuse.com- shim-install: add check for btrfs is used as root file system to enable relative path lookup for file. (bsc#1153953)
* Fri Aug 16 2019 glinAATTsuse.com- Fix a typo in shim-install (bsc#1145802)
* Fri Apr 19 2019 mliskaAATTsuse.cz- Add gcc9-fix-warnings.patch (bsc#1121268).
* Mon Apr 15 2019 glinAATTsuse.com- Add shim-opensuse-signed.efi, the openSUSE shim-15+git47 binary (bsc#1113225)
* Fri Apr 12 2019 glinAATTsuse.com- Disable AArch64 build (FATE#325971) + AArch64 machines don\'t use UEFI CA, at least for now.
* Thu Apr 11 2019 jsegitzAATTsuse.com- Updated shim signature: signature-sles.x86_64.asc (bsc#1120026)
* Thu Feb 14 2019 rwAATTsuse.com- Fix conditions for \'/usr/share/efi\'-move (FATE#326960)
* Mon Jan 28 2019 glinAATTsuse.com- Amend shim.spec to remove $RPM_BUILD_ROOT
* Thu Jan 17 2019 rwAATTsuse.com- Move \'efi\'-executables to \'/usr/share/efi\' (FATE#326960) (preparing the move to \'noarch\' for this package)
* Mon Jan 14 2019 glinAATTsuse.com- Update shim-install to handle the partitioned MD devices (bsc#1119762, bsc#1119763)
* Thu Dec 20 2018 glinAATTsuse.com- Update to 15+git47 (bsc#1120026, FATE#325971) + git commit: b3e4d1f7555aabbf5d54de5ea7cd7e839e7bd83d- Retire the old openSUSE 4096 bit certificate + Those programs are already out of maintenance.- Add shim-always-mirror-mok-variables.patch to mirror MOK variables correctly- Add shim-correct-license-in-headers.patch to correct the license declaration- Refresh patches: + shim-arch-independent-names.patch + shim-change-debug-file-path.patch + shim-bsc1092000-fallback-menu.patch + shim-opensuse-cert-prompt.patch- Drop upstreamed patches: + shim-bsc1088585-handle-mok-allocations-better.patch + shim-httpboot-amend-device-path.patch + shim-httpboot-include-console.h.patch + shim-only-os-name.patch + shim-remove-cryptpem.patch
* Wed Dec 05 2018 glinAATTsuse.com- Update shim-install to specify the target for grub2-install and change the boot efi file name according to the architecture (bsc#1118363, FATE#325971)
* Tue Aug 21 2018 glinAATTsuse.com- Enable AArch64 build (FATE#325971) + Also add the aarch64 signature files and rename the x86_64 signature files
* Tue May 29 2018 glinAATTsuse.com- Add shim-bsc1092000-fallback-menu.patch to show a menu before system reset ((bsc#1092000))
* Tue Apr 10 2018 glinAATTsuse.com- Add shim-bsc1088585-handle-mok-allocations-better.patch to avoid double-freeing after enrolling a key from the disk (bsc#1088585) + Also refresh shim-opensuse-cert-prompt.patch due to the change in MokManager.c
* Tue Apr 03 2018 glinAATTsuse.com- Install the certificates with a shim suffix to avoid conflicting with other packages (bsc#1087847)
* Fri Mar 23 2018 glinAATTsuse.com- Add the missing leading backlash to the DEFAULT_LOADER (bsc#1086589)
* Fri Jan 05 2018 glinAATTsuse.com- Add shim-httpboot-amend-device-path.patch to amend the device path matching rule for httpboot (bsc#1065370)
* Thu Jan 04 2018 glinAATTsuse.com- Update to 14 (bsc#1054712)- Adjust make commands in spec- Drop upstreamed fixes + shim-add-fallback-verbose-print.patch + shim-back-to-openssl-1.0.2e.patch + shim-fallback-workaround-masked-ami-variables.patch + shim-fix-fallback-double-free.patch + shim-fix-httpboot-crash.patch + shim-fix-openssl-flags.patch + shim-more-tpm-measurement.patch- Add shim-httpboot-include-console.h.patch to include console.h in httpboot.c to avoid build failure- Add shim-remove-cryptpem.patch to replace functions in CryptPem.c with the null function- Update SUSE/openSUSE specific patches + shim-only-os-name.patch + shim-arch-independent-names.patch + shim-change-debug-file-path.patch + shim-opensuse-cert-prompt.patch
* Fri Dec 29 2017 ngompa13AATTgmail.com- Fix debuginfo + debugsource subpackage generation for RPM 4.14- Set the RPM groups correctly for debug{info,source} subpackages- Drop deprecated and out of date Authors information in description
* Wed Sep 13 2017 glinAATTsuse.com- Add shim-back-to-openssl-1.0.2e.patch to avoid rejecting some legit certificates (bsc#1054712)- Add the stderr mask back while compiling MokManager.efi since the warnings in Cryptlib is back after reverting the openssl commits.
* Tue Aug 29 2017 glinAATTsuse.com- Add shim-add-fallback-verbose-print.patch to print the debug messages in fallback.efi dynamically- Refresh shim-fallback-workaround-masked-ami-variables.patch- Add shim-more-tpm-measurement.patch to measure more components and support TPM better
* Wed Aug 23 2017 glinAATTsuse.com- Add upstream fixes + shim-fix-httpboot-crash.patch + shim-fix-openssl-flags.patch + shim-fix-fallback-double-free.patch + shim-fallback-workaround-masked-ami-variables.patch- Remove the stderr mask while compiling MokManager.efi since the warnings in Cryptlib were fixed.
* Tue Aug 22 2017 glinAATTsuse.com- Add shim-arch-independent-names.patch to use the Arch-independent names. (bsc#1054712)- Refresh shim-change-debug-file-path.patch- Disable shim-opensuse-cert-prompt.patch automatically in SLE- Diable AArch64 until we have a real user and aarch64 signature
* Fri Jul 14 2017 bwiedemannAATTsuse.com- Make build reproducible by avoiding race between find and cp
* Thu Jun 22 2017 glinAATTsuse.com- Update to 12- Rename the result EFI images due to the upstream name change + shimx64 -> shim + mmx64 -> MokManager + fbx64 -> fallback- Refresh patches: + shim-only-os-name.patch + shim-change-debug-file-path.patch + shim-opensuse-cert-prompt.patch- Drop upstreamed patches: + shim-httpboot-support.patch + shim-bsc973496-mokmanager-no-append-write.patch + shim-bsc991885-fix-sig-length.patch + shim-update-openssl-1.0.2g.patch + shim-update-openssl-1.0.2h.patch
* Tue May 23 2017 glinAATTsuse.com- Add the build flag to enable HTTPBoot
* Wed Mar 22 2017 mchangAATTsuse.com- shim-install: add option --suse-enable-tpm (fate#315831)
* Fri Jan 13 2017 mchangAATTsuse.com- Support %posttrans with marcos provided by update-bootloader-rpm-macros package (bsc#997317)
* Fri Nov 18 2016 glinAATTsuse.com- Add SIGNATURE_UPDATE.txt to state the steps to update signature-
*.asc- Update the comment of strip_signature.sh
* Wed Sep 21 2016 mchangAATTsuse.com- shim-install :
* add option --no-nvram (bsc#999818)
* improve removable media and fallback mode handling
* Fri Aug 19 2016 mchangAATTsuse.com- shim-install : fix regression of password prompt (bsc#993764)
* Fri Aug 05 2016 glinAATTsuse.com- Add shim-bsc991885-fix-sig-length.patch to fix the signature length passed to Authenticode (bsc#991885)
* Wed Aug 03 2016 glinAATTsuse.com- Update shim-bsc973496-mokmanager-no-append-write.patch to try append write first
* Tue Aug 02 2016 glinAATTsuse.com- Add shim-update-openssl-1.0.2h.patch to update openssl to 1.0.2h- Bump the requirement of gnu-efi due to the HTTPBoot support
* Mon Aug 01 2016 glinAATTsuse.com- Add shim-httpboot-support.patch to support HTTPBoot- Add shim-update-openssl-1.0.2g.patch to update openssl to 1.0.2g and Cryptlib to 5e2318dd37a51948aaf845c7d920b11f47cdcfe6- Drop patches since they are merged into shim-update-openssl-1.0.2g.patch + shim-update-openssl-1.0.2d.patch + shim-gcc5.patch + shim-bsc950569-fix-cryptlib-va-functions.patch + shim-fix-aarch64.patch- Refresh shim-change-debug-file-path.patch- Add shim-bsc973496-mokmanager-no-append-write.patch to work around the firmware that doesn\'t support APPEND_WRITE (bsc973496)- shim-install : remove \'\
\' from the help message (bsc#991188)- shim-install : print a message if there is no valid EFI partition (bsc#991187)
* Mon May 09 2016 rwAATTsuse.com- shim-install : support simple MD RAID1 target devices (FATE#314829)
* Wed May 04 2016 agrafAATTsuse.com- Add shim-fix-aarch64.patch to fix compilation on AArch64 (bsc#978438)
* Wed Mar 09 2016 mchangAATTsuse.com- shim-install : fix typing ESC can escape to parent config which is in command mode and cannot return back (bsc#966701)- shim-install : fix no which command for JeOS (bsc#968264)
* Thu Dec 03 2015 jsegitzAATTnovell.com- acquired updated signature from Microsoft
* Mon Nov 09 2015 glinAATTsuse.com- Add shim-bsc950569-fix-cryptlib-va-functions.patch to fix the definition of va functions to avoid the potential crash (bsc#950569)- Update shim-opensuse-cert-prompt.patch to avoid setting NULL to MokListRT (bsc#950801)- Drop shim-fix-mokmanager-sections.patch as we are using the newer binutils now- Refresh shim-change-debug-file-path.patch
* Thu Oct 08 2015 jsegitzAATTnovell.com- acquired updated signature from Microsoft
* Tue Sep 15 2015 mchangAATTsuse.com- shim-install : set default GRUB_DISTRIBUTOR from /etc/os-release if it is empty or not set by user (bsc#942519)
* Thu Jul 16 2015 glinAATTsuse.com- Add shim-update-openssl-1.0.2d.patch to update openssl to 1.0.2d- Refresh shim-gcc5.patch and add it back since we really need it- Add shim-change-debug-file-path.patch to change the debug file path in shim.efi + also add the debuginfo and debugsource subpackages- Drop shim-fix-gnu-efi-30w.patch which is not necessary anymore
* Mon Jul 06 2015 glinAATTsuse.com- Update to 0.9- Refresh patches + shim-fix-gnu-efi-30w.patch + shim-fix-mokmanager-sections.patch + shim-opensuse-cert-prompt.patch- Drop upstreamed patches + shim-bsc920515-fix-fallback-buffer-length.patch + shim-mokx-support.patch + shim-update-cryptlib.patch- Drop shim-bsc919675-uninstall-shim-protocols.patch since upstream fixed the bug in another way.- Drop shim-gcc5.patch which was fixed in another way
* Wed Apr 08 2015 glinAATTsuse.com- Fix tags in the spec file
* Tue Apr 07 2015 glinAATTsuse.com- Add shim-update-cryptlib.patch to update Cryptlib to r16559 and openssl to 0.9.8zf- Add shim-bsc919675-uninstall-shim-protocols.patch to uninstall the shim protocols at Exit (bsc#919675)- Add shim-bsc920515-fix-fallback-buffer-length.patch to adjust the buffer size for the boot options (bsc#920515)- Refresh shim-opensuse-cert-prompt.patch
* Thu Apr 02 2015 crrodriguezAATTopensuse.org- shim-gcc5.patch: shim needs -std=gnu89 to build with GCC5
* Tue Feb 17 2015 mchangAATTsuse.com- shim-install : fix cryptodisk installation (boo#917427)
* Tue Nov 11 2014 glinAATTsuse.com- Add shim-fix-mokmanager-sections.patch to fix the objcopy parameters for the EFI files
* Tue Oct 28 2014 glinAATTsuse.com- Update to 0.8- Add shim-fix-gnu-efi-30w.patch to adapt the change in gnu-efi-3.0w- Merge shim-signed-unsigned-compares.patch, shim-mokmanager-support-sha-family.patch and shim-bnc863205-mokmanager-fix-hash-delete.patch into shim-mokx-support.patch- Refresh shim-opensuse-cert-prompt.patch- Drop upstreamed patches: shim-update-openssl-0.9.8zb.patch, bug-889332_shim-overflow.patch, and bug-889332_shim-mok-oob.patch- Enable aarch64
* Mon Oct 13 2014 jsegitzAATTnovell.com- Fixed buffer overflow and OOB access in shim trusted code path (bnc#889332, CVE-2014-3675, CVE-2014-3676, CVE-2014-3677)
* added bug-889332_shim-mok-oob.patch, bug-889332_shim-overflow.patch- Added new certificate by Microsoft
  
ICM