SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for shim-15.8-9.10.x86_64.rpm :

* Mon Sep 16 2024 Gary Ching-Pang Lin - Update shim-install to apply the missing fix for openSUSE Leap (bsc#1210382)
* 86b73d1 Fix that bootx64.efi is not updated on Leap- Update shim-install to use the \'removable\' way for SL-Micro (bsc#1230316)
* 433cc4e Always use the removable way for SL-Micro
* Tue Jun 25 2024 Dennis Tseng - Update asc files of shim-15.8 after being signed back from Microsoft, including: signature-opensuse.x86_64.asc, signature-opensuse.aarch64.asc, signature-sles.x86_64.asc, signature-sles.aarch64.asc.- Enable aarch64 signature comparison which was disabled temporarily before. Now, we got a real one. So it is enabled again.
* Tue Apr 02 2024 Gary Ching-Pang Lin - Introduce %shim_use_fde_tpm_helper macro so that the project can include the fde-tpm-helper-macros for the build targets other than Tumbleweed
* Mon Feb 26 2024 Dominique Leuenberger - Use %autosetup macro. Allows to eliminate the usage of deprecated PatchN.
* Sat Feb 17 2024 Joey Lee - Modified shim.spec file to add suffix string of project to filename of included certificates. e.g. rpm -pql shim-15.8-lp155.6.1.x86_64.rpm /etc/uefi /etc/uefi/certs /etc/uefi/certs/2B697CB1-shim-devel.crt /etc/uefi/certs/4659838C-shim-opensuse.crt /etc/uefi/certs/BCA4E38E-shim-sles.crt The original name of crt files are: /etc/uefi/certs/2B697CB1-shim.crt /etc/uefi/certs/4659838C-shim.crt /etc/uefi/certs/BCA4E38E-shim.crt It can indicate the souce project of certificates.
* Thu Feb 15 2024 Joey Lee - Sometimes SLE shim signature be Microsoft updated before openSUSE shim signature. When submit request on IBS for updating SLE shim, the submitreq project be generated, but it always be blocked by checking the signature of openSUSE shim. It doesn\'t make sense checking openSUSE shim signature when building SLE shim on SLE platform, and vice versa. So the following change adds the logic to compare suffix (sles, opensuse) with distro_id (sle, opensuse). When and only when hash mismatch and distro_id match with suffix, stop building. [#] compare suffix (sles, opensuse) with distro_id (sle, opensuse) [#] when hash mismatch and distro_id match with suffix, stop building- Sync the changelog between openSUSE:Factory/shim with SLE-15-SP3/shim - Add CVE-2022-28737 number to \"Mon Mar 27 09:26:02 UTC 2023\" record - Add \"Thu Apr 13 05:28:10 UTC 2023\" record for updating shim-install for bsc#1210382. - Add \"Thu Apr 13 09:13:22 UTC 2023\" record for changing the logic of checking shim signature.
* Wed Feb 07 2024 Gary Ching-Pang Lin - Update shim-install to set the TPM2 SRK algorithm (bsc#1213945) 92d0f4305df73 Set the SRK algorithm for the TPM2 protector
* Fri Feb 02 2024 Gary Ching-Pang Lin - Limit the requirement of fde-tpm-helper-macros to the distro with suse_version 1600 and above (bsc#1219460)
* Sun Jan 28 2024 Dennis Tseng -- Update to version 15.8 - Various CVE fixes are already merged into this version mok: fix LogError() invocation (bsc#1215099,CVE-2023-40546) avoid incorrectly trusting HTTP headers (bsc#1215098,CVE-2023-40547) Fix integer overflow on SBAT section size on 32-bit system (bsc#1215100,CVE-2023-40548) Authenticode: verify that the signature header is in bounds (bsc#1215101,CVE-2023-40549) pe: Fix an out-of-bound read in verify_buffer_sbat() (bsc#1215102,CVE-2023-40550) pe-relocate: Fix bounds check for MZ binaries (bsc#1215103,CVE-2023-40551) - remove shim-Enable-the-NX-compatibility-flag-by-default.patch The codes in this patch are already existing in shim-15.8 The NX flag is disable which is same as the default value of shim-15.8, hence, not need to enable it by this patch now. - Patches (git log --oneline --reverse 15.7..15.8) 657b248 Make sbat_var.S parse right with buggy gcc/binutils 7c76425 Enable the NX compatibility flag by default. 89972ae CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper c7b3051 pe: Align section size up to page size for mem attrs e4f40ae pe: Add IS_PAGE_ALIGNED macro f23883c Don\'t loop forever in load_certs() with buggy firmware 1f38cb3 Optionally allow to keep shim protocol installed 102a658 Drop invalid calls to `CRYPTO_set_mem_functions` aae3df0 test-sbat: Fix exit code cca3933 Block Debian grub binaries with SBAT < 4 cf59f34 Further improve load_certs() for non-compliant drivers/firmwares 0601f44 SBAT-related documents formatting and spelling 0640e13 Add a security contact email address in README.md 0bfc397 Work around malformed path delimiters in file paths from DHCP a8b0b60 pe: only process RelocDir->Size of reloc section f7a4338 Skip testing msleep() 549d346 Rename \'msecs\' to \'usecs\' to avoid potential confusion 908c388 Change type of fallback_verbose_wait from int to unsigned long 05eae92 Add SbatLevel_Variable.txt to document the various revocations 243f125 Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL 89d25a1 Add a make rule for compile_commands.json 118ff87 Add gnu-stack notes f132655 test: Make our fake dprintf be a statement. be00279 Remove CentOS 7 test builds. 9964960 Split pe.c up even more. 569270d Test (and fix) ImageAddress() 61e9894 Verify signature before verifying sbat levels 1578b55 Add libFuzzer support for csv.c a0673e3 Fix a 1-byte memory leak in .sbat parsing. e246812 Add libFuzzer support to the .sbat parser. fd43eda Work around ImageAddress() usage mistake 1e985a3 Correctly free memory allocated in handle_image() dbbe3c8 mok: Avoid underflow in maximum variable size calculation 04111d4 Make some of the static analysis tools a little easier to run 7ba7440 compile_commands.json: remove stuff clang doesn\'t like 66e6579 CVE-2023-40546 mok: fix LogError() invocation f271826 Add primitives for overflow-checked arithmetic operations. 8372147 pe-relocate: Add a fuzzer for read_header() 5a5147d CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries e912071 pe-relocate: make read_header() use checked arithmetic operations. 93ce255 CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat() e7f5fdf pe-relocate: Ensure nothing else implements CVE-2023-40550 afdc503 CVE-2023-40549 Authenticode: verify that the signature header is in bounds. 96dccc2 CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system dae82f6 Further mitigations against CVE-2023-40546 as a class ea0f9df Allow SbatLevel data from external binary b078ef2 Always clear SbatLevel when Secure Boot is disabled 7dfb687 BS Variables for bootmgr revocations a967c0e shim should not self revoke 577cedd Print message when refusing to apply SbatLevel e801b0d sbat revocations: check the full section name 0226b56 CVE-2023-40547 - avoid incorrectly trusting HTTP headers 6f0c8d2 Print errors when setting/clearing memory attrs 57c0eed Updated Revocations for January 2024 CVEs 49c6d95 Fix some minor ia32 build issues. be8ff7c post-process-pe: Don\'t set the NX_COMPAT flag by default after all. 13abd9f pe-relocate: Avoid __builtin_add_overflow() on GCC < 5 c46c975 Suppress \"Failed to open <..>\\revocations.efi\" when file does not exist 30a4f37 Rename \"previous\" revocations to \"automatic\" 6f395c2 Build time selectable automatic SBATLevel revocations a23e2f0 netboot read_image() should not hardcode DEFAULT_LOADER 993a345 Try to load revocations.efi even if directory read fails 1770a03 gitmodules: use shim-15.8 for gnu-efi branch 5914984 (HEAD -> main, tag: latest-release, tag: 15.8, origin/main, origin/HEAD) Bump version to 15.8
* Wed Jan 24 2024 Ludwig Nussel - Generate dbx during build so we don\'t include binary files in sources
* Thu Oct 05 2023 Ludwig Nussel - Don\'t require grub so shim can still be used with systemd-boot
* Wed Sep 20 2023 Michael Chang - Update shim-install to fix boot failure of ext4 root file system on RAID10 (bsc#1205855) 226c94ca5cfca Use hint in looking for root if possible
* Tue Sep 19 2023 Gary Ching-Pang Lin - Adopt the macros from fde-tpm-helper-macros to update the signature in the sealed key after a bootloader upgrade
* Mon May 15 2023 Gary Ching-Pang Lin - Update shim-install to amend full disk encryption support b540061e041b Adopt TPM 2.0 Key File for grub2 TPM 2.0 protector f2e8143ce831 Use the long name to specify the grub2 key protector 72830120e5ea cryptodisk: support TPM authorized policies 49e7a0d307f3 Do not use tpm_record_pcrs unless the command is in command.lst
* Thu Apr 13 2023 Joey Lee - Sometimes SLE shim signature be Microsoft updated before openSUSE shim signature. When submit request on IBS for updating SLE shim, the submitreq project be generated, but it always be blocked by checking the signature of openSUSE shim. It doesn\'t make sense checking openSUSE shim signature when building SLE shim on SLE platform, and vice versa. So the following change adds the logic to compare suffix (sles, opensuse) with distro_id (sle, opensuse). When and only when hash mismatch and distro_id match with suffix, stop building. [#] compare suffix (sles, opensuse) with distro_id (sle, opensuse) [#] when hash mismatch and distro_id match with suffix, stop building
* Thu Apr 13 2023 Joey Lee - Upgrade shim-install for bsc#1210382 After closing Leap-gap project since Leap 15.3, openSUSE Leap direct uses shim from SLE. So the ca_string is \'SUSE Linux Enterprise Secure Boot CA1\', not \'openSUSE Secure Boot CA1\'. It causes that the update_boot=no, so all files in /boot/efi/EFI/boot are not updated. The 86b73d1 patch added the logic that using ID field in os-release for checking Leap distro and set ca_string to \'SUSE Linux Enterprise Secure Boot CA1\'. Then /boot/efi/EFI/boot/
* can also be updated.- https://github.com/SUSE/shim-resources (git log --oneline) 86b73d1 Fix that bootx64.efi is not updated on Leap f2e8143 Use the long name to specify the grub2 key protector 7283012 cryptodisk: support TPM authorized policies 49e7a0d Do not use tpm_record_pcrs unless the command is in command.lst 26c6bd5 Have grub take a snapshot of \"relevant\" TPM PCRs 5c2c3ad Handle different cases of controlling cryptomount volumes during first stage boot a5c5734 Introduce --no-grub-install option
* Mon Apr 10 2023 Joey Lee - Removed POST_PROCESS_PE_FLAGS=-N from the build command in shim.spec to enable the NX compatibility flag when using post-process-pe after discussed with grub2 experts in mail. It\'s useful for further development and testing. (bsc#1205588)
* Mon Mar 27 2023 Joey Lee - Updated shim signature after shim 15.7 of SLE be signed back: signature-sles.x86_64.asc, signature-sles.aarch64.asc (bsc#1198458, CVE-2022-28737)
* Thu Jan 12 2023 Joey Lee - Removed shim-bsc1198101-opensuse-cert-prompt.patch (bsc#1198101) - Detail discussion is in bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1198101 - The shim community review and challenge this prompt. No other distro shows prompt (Have checked Fedora 37, CentOS 9 and Ubuntu 22.10). Currently, it blocked the review process of openSUSE shim. - Other distros lock-down kernel when secure boot is enabled. Some of them used different key for signing kernel binary with In-tree kernel module. And their build service does not provide signed Out-off-tree module.
* Fri Dec 09 2022 Joey Lee - Modified shim-install, add the following Olaf Kirch\'s patches to support full disk encryption: (jsc#PED-922) a5c57340740c Introduce --no-grub-install option 5c2c3addc51f Handle different cases of controlling cryptomount volumes during first stage boot 26c6bd5df7ae Have grub take a snapshot of \"relevant\" TPM PCRs
* Wed Nov 23 2022 Joey Lee - Add POST_PROCESS_PE_FLAGS=-N to the build command in shim.spec to disable the NX compatibility flag when using post-process-pe because grub2 is not ready. (bsc#1205588) - Kernel can boot with the NX compatibility flag since 82e0d6d76a2a7 be merged to v5.19. On the other hand, upstream is working on improve compressed kernel stage for NX: [PATCH v3 00/24] x86_64: Improvements at compressed kernel stage https://www.spinics.net/lists/kernel/msg4599636.html
* Fri Nov 18 2022 Joey Lee - Add shim-Enable-the-NX-compatibility-flag-by-default.patch to enable the NX compatibility flag by default. (jsc#PED-127)
* Fri Nov 18 2022 Joey Lee - Drop upstreamed patch: - shim-Enable-TDX-measurement-to-RTMR-register.patch - Enable TDX measurement to RTMR register (jsc#PED-1273) - 4fd484e4c2 15.7
* Thu Nov 17 2022 Joey Lee - Update to 15.7 (bsc#1198458)(jsc#PED-127) - Patches (git log --oneline --reverse 15.6..15.7) 0eb07e1 Make SBAT variable payload introspectable 092c2b2 Reference MokListRT instead of MokList 8b59b69 Add a link to the test plan in the readme. 4fd484e Enable TDX measurement to RTMR register 14d6339 Discard load-options that start with a NUL 5c537b3 shim: Flush the memory region from i-cache before execution 2d4ebb5 load_cert_file: Fix stack issue ea4911c load_cert_file: Use EFI RT memory function 0cf43ac Add -malign-double to IA32 compiler flags 17f0233 pe: Fix image section entry-point validation 5169769 make-archive: Build reproducible tarball aa1b289 mok: remove MokListTrusted from PCR 7 53509ea CryptoPkg/BaseCryptLib: fix NULL dereference 616c566 More coverity modeling ea0d0a5 Update shim\'s .sbat to sbat,3 dd8be98 Bump grub\'s sbat requirement to grub,3 1149161 (HEAD -> main, tag: 15.7, origin/main, origin/HEAD) Update version to 15.7 - 15.7 release note https://github.com/rhboot/shim/releases Make SBAT variable payload introspectable by AATTchrisccoulson in #483 Reference MokListRT instead of MokList by AATTesnowberg in #488 Add a link to the test plan in the readme. by AATTvathpela in #494 [V3] Enable TDX measurement to RTMR register by AATTkenplusplus in #485 Discard load-options that start with a NUL by AATTfrozencemetery in #505 load_cert_file bugs by AATTesnowberg in #523 Add -malign-double to IA32 compiler flags by AATTnicholasbishop in #516 pe: Fix image section entry-point validation by AATTiokomin in #518 make-archive: Build reproducible tarball by AATTjulian-klode in #527 mok: remove MokListTrusted from PCR 7 by AATTbaloo in #519 - Drop upstreamed patch: - shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch - Cryptlib/CryptAuthenticode: fix NULL pointer dereference in AuthenticodeVerify() - 53509eaf22 15.7 - shim-jscPED-127-upgrade-shim-in-SLE15-SP5.patch - For backporting the following patches between 15.6 with aa1b289a1a (jsc#PED-127) - The following patches are merged to 15.7 aa1b289a1a mok: remove MokListTrusted from PCR 7 0cf43ac6d7 Add -malign-double to IA32 compiler flags ea4911c2f3 load_cert_file: Use EFI RT memory function 2d4ebb5a79 load_cert_file: Fix stack issue 5c537b3d0c shim: Flush the memory region from i-cache before execution 14d6339829 Discard load-options that start with a NUL 092c2b2bbe Reference MokListRT instead of MokList 0eb07e11b2 Make SBAT variable payload introspectable
* Thu Nov 17 2022 Joey Lee - Update shim.changes, added missed shim 15.6-rc1 and 15.6 changelog to the item in Update to 15.6. (bsc#1198458)
* Tue Nov 15 2022 Joey Lee - Add shim-jscPED-127-upgrade-shim-in-SLE15-SP5.patch for backporting the following patches between 15.6 with aa1b289a1a (jsc#PED-127): aa1b289a1a16774afc3143b8948d97261f0872d0 mok: remove MokListTrusted from PCR 7 0cf43ac6d78c6f47f8b91210639ac1aa63665f0b Add -malign-double to IA32 compiler flags ea4911c2f3ce8f8f703a1476febac86bb16b00fd load_cert_file: Use EFI RT memory function 2d4ebb5a798aafd3b06d2c3cb9c9840c1caa41ef load_cert_file: Fix stack issue 5c537b3d0cf8c393dad2e61d49aade68f3af1401 shim: Flush the memory region from i-cache before execution 14d63398298c8de23036a4cf61594108b7345863 Discard load-options that start with a NUL 092c2b2bbed950727e41cf450b61c794881c33e7 Reference MokListRT instead of MokList 0eb07e11b20680200d3ce9c5bc59299121a75388 Make SBAT variable payload introspectable
* Tue Nov 15 2022 Joey Lee - Add shim-Enable-TDX-measurement-to-RTMR-register.patch to support enhance shim measurement to TD RTMR. (jsc#PED-1273)
* Tue Nov 15 2022 Joey Lee - For pushing openSUSE:Factory/shim to SLE15-SP5, sync the shim.spec and shim.changes: (jsc#PED-127) - Add some change log from SLE shim.changes to Factory shim.changes Those messages are added \"(sync shim.changes from SLE)\" tag. - Add the following changes to shim.spec - only apply Patch100, the shim-bsc1198101-opensuse-cert-prompt.patch on openSUSE. - Enable the AArch64 signature check for SLE: [#] AArch64 signature signature=%{SOURCE13}
* Thu Sep 29 2022 Michael Chang - shim-install: ensure grub.cfg created is not overwritten after installing grub related files
* Mon Sep 12 2022 Kilian Hanich - Add logic to shim.spec to only set sbat policy when efivarfs is writeable. (bsc#1201066)
* Fri Aug 05 2022 Joey Lee - Add logic to shim.spec for detecting --set-sbat-policy option before using mokutil to set sbat policy. (bsc#1202120)
* Fri Jul 29 2022 Joey Lee - Change the URL in SBAT section to mail:securityAATTsuse.de. (bsc#1193282)
* Mon Jul 25 2022 Joey Lee - Revoked the change in shim.spec for \"use common SBAT values (boo#1193282)\" - we need to build openSUSE Tumbleweed\'s shim on Leap 15.4 because Factory is unstable for building out a stable shim binary for signing. (bsc#1198458) - But the rpm-config-suse package in Leap 15.4 is direct copied from SLE 15.4 because closing-the-leap-gap. So sbat_distro_
* variables are SLE version, not for openSUSE. (bsc#1198458)
* Tue Jun 28 2022 Joey Lee - Update to 15.6 (bsc#1198458) - shim-15.6.tar.bz2 is downloaded from bsc#1198458#c76 which is from upstream grub2.cve_2021_3695.ms keybase channel. - For building 15.6~rc1 aarch64 image (d6eb9c6 Modernize aarch64), objcopy needs to support efi-app-aarch64 target. So we need the following patches in bintuils: - binutils-AArch64-Add-support-for-AArch64-EFI-efi-aarch64.patch b69c9d41e8 AArch64: Add support for AArch64 EFI (efi-
*-aarch64). - binutils-Re-AArch64-Add-support-for-AArch64-EFI-efi-aarch64.patch 32384aa396 Re: AArch64: Add support for AArch64 EFI (efi-
*-aarch64) - binutils-Re-Add-support-for-AArch64-EFI-efi-aarch64.patch d91c67e873 Re: Add support for AArch64 EFI (efi-
*-aarch64) - Patches (git log --oneline --reverse 15.5~..77144e5a4) 448f096 MokManager: removed Locate graphic output protocol fail error message (bsc#1193315, bsc#1198458) a2da05f shim: implement SBAT verification for the shim_lock protocol bda03b8 post-process-pe: Fix a missing return code check af18810 CI: don\'t cancel testing when one fails ba580f9 CI: remove EOL Fedoras from github actions bfeb4b3 Remove aarch64 build tests before f35 38cc646 CI: Add f36 and centos9 CI build tests. b5185cb post-process-pe: Fix format string warnings on 32-bit platforms 31094e5 tests: also look for system headers in multi-arch directories 4df989a mock-variables.c: fix gcc warning 6aac595 test-str.c: fix gcc warnings with FORTIFY_SOURCE enabled 2670c6a Allow MokListTrusted to be enabled by default 5c44aaf Add code of conduct d6eb9c6 Modernize aarch64 9af50c1 Use ASCII as fallback if Unicode Box Drawing characters fail de87985 make: don\'t treat cert.S specially 803dc5c shim: use SHIM_DEVEL_VERBOSE when built in devel mode 6402f1f SBAT matching: Break out of the inner sbat loop if we find the entry. bb4b60e Add verify_image acfd48f Abstract out image reading 35d7378 Load additional certs from a signed binary 8ce2832 post-process-pe: there is no \'s\' argument. 465663e Add some missing PE image flag definitions 226fee2 PE Loader: support and require NX df96f48 Add MokPolicy variable and MOK_POLICY_REQUIRE_NX b104fc4 post-process-pe: set EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT f81a7cc SBAT revocation management abe41ab make: unbreak scan-build again for gnu-efi 610a1ac sbat.h: minor reformatting for legibility f28833f peimage.h: make our signature macros force the type 5d789ca Always initialize data/datasize before calling read_image() a50d364 sbat policy: make our policy change actions symbolic 5868789 load_certs: trust dir->Read() slightly less. a78673b mok.c: fix a trivial dead assignment 759f061 Fix preserve_sbat_uefi_variable() logic aa61fdf Give the Coverity scanner some more GCC blinders... 0214cd9 load_cert_file(): don\'t defererence NULL 1eca363 mok import: handle OOM case 75449bc sbat: Make nth_sbat_field() honor the size limit c0bcd04 shim-15.6~rc1 77144e5 SBAT Policy latest should be a one-shot - 15.5 release note https://github.com/rhboot/shim/releases Broken ia32 relocs and an unimportant submodule change. by AATTvathpela in #357 mok: allocate MOK config table as BootServicesData by AATTlcp in #361 Don\'t call QueryVariableInfo() on EFI 1.10 machines by AATTvathpela in #364 Relax the check for import_mok_state() by AATTlcp in #372 SBAT.md: trivial changes by AATThallyn in #389 shim: another attempt to fix load options handling by AATTchrisccoulson in #379 Add tests for our load options parsing. by AATTvathpela in #390 arm/aa64: fix the size of .rela
* sections by AATTlcp in #383 mok: fix potential buffer overrun in import_mok_state by AATTjyong2 in #365 mok: relax the maximum variable size check by AATTlcp in #369 Don\'t unhook ExitBootServices when EBS protection is disabled by AATTsforshee in #378 fallback: find_boot_option() needs to return the index for the boot entry in optnum by AATTjsetje in #396 httpboot: Ignore case when checking HTTP headers by AATTfrozencemetery in #403 Fallback allocation errors by AATTvathpela in #402 shim: avoid BOOTx64.EFI in message on other architectures by AATTxypron in #406 str: remove duplicate parameter check by AATTxypron in #408 fallback: add compile option FALLBACK_NONINTERACTIVE by AATTxnox in #359 Test mok mirror by AATTvathpela in #394 Modify sbat.md to help with readability. by AATTeshiman in #398 csv: detect end of csv file correctly by AATTxypron in #404 Specify that the .sbat section is ASCII not UTF-8 by AATTdaxtens in #413 tests: add \"include-fixed\" GCC directory to include directories by AATTdiabonas in #415 pe: simplify generate_hash() by AATTxypron in #411 Don\'t make shim abort when TPM log event fails (RHBZ #2002265) by AATTrmetrich in #414 Fallback to default loader if parsed one does not exist by AATTjulian-klode in #393 fallback: Fix for BootOrder crash when index returned by find_boot_option() is not in current BootOrder list by AATTrmetrich in #422 Better console checks by AATTvathpela in #416 docs: update SBAT UEFI variable name by AATTnicholasbishop in #421 Don\'t parse load options if invoked from removable media path by AATTjulian-klode in #399 fallback: fix fallback not passing arguments of the first boot option by AATTmartinezjavier in #433 shim: Don\'t stop forever at \"Secure Boot not enabled\" notification by AATTrmetrich in #438 Shim 15.5 coverity by AATTvathpela in #439 Allocate mokvar table in runtime memory. by AATTvathpela in #447 Remove post-process-pe on \'make clean\' by AATTvathpela in #448 pe: missing perror argument by AATTxypron in #443 - 15.6-rc1 release note https://github.com/rhboot/shim/releases MokManager: removed Locate graphic output protocol fail error message by AATTjoeyli in #441 shim: implement SBAT verification for the shim_lock protocol by AATTchrisccoulson in #456 post-process-pe: Fix a missing return code check by AATTvathpela in #462 Update github actions matrix to be more useful by AATTfrozencemetery in #469 Add f36 and centos9 CI builds by AATTvathpela in #470 post-process-pe: Fix format string warnings on 32-bit platforms by AATTsteve-mcintyre in #464 tests: also look for system headers in multi-arch directories by AATTsteve-mcintyre in #466 tests: fix gcc warnings by AATTakodanev in #463 Allow MokListTrusted to be enabled by default by AATTesnowberg in #455 Add code of conduct by AATTfrozencemetery in #427 Re-add ARM AArch64 support by AATTvathpela in #468 Use ASCII as fallback if Unicode Box Drawing characters fail by AATTvathpela in #428 make: don\'t treat cert.S specially by AATTvathpela in #475 shim: use SHIM_DEVEL_VERBOSE when built in devel mode by AATTvathpela in #474 Break out of the inner sbat loop if we find the entry. by AATTvathpela in #476 Support loading additional certificates by AATTesnowberg in #446 Add support for NX (W^X) mitigations. by AATTvathpela in #459 Misc fixups from scan-build. by AATTvathpela in #477 Fix preserve_sbat_uefi_variable() logic by AATTjsetje in #478 - 15.6 release note https://github.com/rhboot/shim/releases MokManager: removed Locate graphic output protocol fail error message by AATTjoeyli in #441 shim: implement SBAT verification for the shim_lock protocol by AATTchrisccoulson in #456 post-process-pe: Fix a missing return code check by AATTvathpela in #462 Update github actions matrix to be more useful by AATTfrozencemetery in #469 Add f36 and centos9 CI builds by AATTvathpela in #470 post-process-pe: Fix format string warnings on 32-bit platforms by AATTsteve-mcintyre in #464 tests: also look for system headers in multi-arch directories by AATTsteve-mcintyre in #466 tests: fix gcc warnings by AATTakodanev in #463 Allow MokListTrusted to be enabled by default by AATTesnowberg in #455 Add code of conduct by AATTfrozencemetery in #427 Re-add ARM AArch64 support by AATTvathpela in #468 Use ASCII as fallback if Unicode Box Drawing characters fail by AATTvathpela in #428 make: don\'t treat cert.S specially by AATTvathpela in #475 shim: use SHIM_DEVEL_VERBOSE when built in devel mode by AATTvathpela in #474 Break out of the inner sbat loop if we find the entry. by AATTvathpela in #476 Support loading additional certificates by AATTesnowberg in #446 Add support for NX (W^X) mitigations. by AATTvathpela in #459 Misc fixups from scan-build. by AATTvathpela in #477 Fix preserve_sbat_uefi_variable() logic by AATTjsetje in #478 SBAT Policy latest should be a one-shot by AATTjsetje in #481 pe: Fix a buffer overflow when SizeOfRawData > VirtualSize by AATTchriscoulson pe: Perform image verification earlier when loading grub by AATTchriscoulson Update advertised sbat generation number for shim by AATTjsetje Update SBAT generation requirements for 05/24/22 by AATTjsetje Also avoid CVE-2022-28737 in verify_image() by AATTvathpela - Drop upstreamed patch: - shim-bsc1184454-allocate-mok-config-table-BS.patch - Allocate MOK config table as BootServicesData to avoid the error message from linux kernel - 4068fd42c8 15.5-rc1~70 - shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch - Handle ignore_db and user_insecure_mode correctly - 822d07ad4f07 15.5-rc1~73 - shim-bsc1185621-relax-max-var-sz-check.patch - Relax the maximum variable size check for u-boot - 3f327f546c219634b2 15.5-rc1~49 - shim-bsc1185261-relax-import_mok_state-check.patch - Relax the check for import_mok_state() when Secure Boot is off - 9f973e4e95b113 15.5-rc1~67 - shim-bsc1185232-relax-loadoptions-length-check.patch - Relax the check for the LoadOptions length - ada7ff69bd8a95 15.5-rc1~52 - shim-fix-aa64-relsz.patch - Fix the size of rela
* sections for AArch64 - 34e3ef205c5d65 15.5-rc1~51 - shim-bsc1187260-fix-efi-1.10-machines.patch - Don\'t call QueryVariableInfo() on EFI 1.10 machines - 493bd940e5 15.5-rc1~69 - shim-bsc1185232-fix-config-table-copying.patch - Avoid buffer overflow when copying the MOK config table - 7501b6bb44 15.5-rc1~50 - shim-bsc1187696-avoid-deleting-rt-variables.patch - Avoid deleting the mirrored RT variables - b1fead0f7c9 15.5-rc1~37 - Add \"rm -f
*.o\" after building MokManager/fallback in shim.spec to make sure all object files gets rebuilt - reference: https://github.com/rhboot/shim/pull/461- The following fix-CVE-2022-28737-v6 patches against bsc#1198458 are included in shim-15.6.tar.bz2 - shim-bsc1198458-pe-Fix-a-buffer-overflow-when-SizeOfRawData-VirtualS.patch pe: Fix a buffer overflow when SizeOfRawData VirtualSize - shim-bsc1198458-pe-Perform-image-verification-earlier-when-loading-g.patch pe: Perform image verification earlier when loading grub - shim-bsc1198458-Update-advertised-sbat-generation-number-for-shim.patch Update advertised sbat generation number for shim - shim-bsc1198458-Update-SBAT-generation-requirements-for-05-24-22.patch Update SBAT generation requirements for 05/24/22 - shim-bsc1198458-Also-avoid-CVE-2022-28737-in-verify_image.patch Also avoid CVE-2022-28737 in verify_image() - 0006-shim-15.6-rc2.patch - 0007-sbat-add-the-parsed-SBAT-variable-entries-to-the-deb.patch sbat: add the parsed SBAT variable entries to the debug log - 0008-bump-version-to-shim-15.6.patch- Add mokutil command to post script for setting sbat policy to latest mode when the SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23 is not created. (bsc#1198458)- Add shim-bsc1198101-opensuse-cert-prompt.patch back to openSUSE shim to show the prompt to ask whether the user trusts openSUSE certificate or not (bsc#1198101)- Updated vendor dbx binary and script (bsc#1198458) - Updated dbx-cert.tar.xz and vendor-dbx-sles.bin for adding SLES-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list. - Updated dbx-cert.tar.xz and vendor-dbx-opensuse.bin for adding openSUSE-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list. - Updated vendor-dbx.bin for adding SLES-UEFI-SIGN-Certificate-2021-05.crt and openSUSE-UEFI-SIGN-Certificate-2021-05.crt for testing environment. - Updated generate-vendor-dbx.sh script for generating a vendor-dbx.bin file which includes all .der for testing environment.
* Tue Apr 12 2022 Ludwig Nussel - use common SBAT values (boo#1193282)
* Thu Jul 15 2021 Johannes Segitz - Update the SLE signatures (sync shim.changes from SLE)
* Thu Jul 01 2021 Gary Ching-Pang Lin - Add shim-bsc1187696-avoid-deleting-rt-variables.patch to avoid deleting the mirrored RT variables (bsc#1187696)
* Mon Jun 21 2021 Gary Ching-Pang Lin (sync shim.changes from SLE)- Split the keys in vendor-dbx.bin to vendor-dbx-sles and vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce the size of MokListXRT (bsc#1185261) + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz- Add shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch to handle ignore_db and user_insecure_mode correctly (bsc#1185441, bsc#1187071)- Add shim-bsc1185621-relax-max-var-sz-check.patch to relax the maximum variable size check for u-boot (bsc#1185621) + Also drop AArch64 suse-signed shim since we merged this patch- Add shim-bsc1185261-relax-import_mok_state-check.patch to relax the check for import_mok_state() when Secure Boot is off. (bsc#1185261)- Add shim-bsc1185232-relax-loadoptions-length-check.patch to ignore the odd LoadOptions length (bsc#1185232)- shim-install: reset def_shim_efi to \"shim.efi\" if the given file doesn\'t exist- Add shim-fix-aa64-relsz.patch to fix the size of rela sections for AArch64 Fix: https://github.com/rhboot/shim/issues/371- Add shim-disable-export-vendor-dbx.patch to disable exporting vendor-dbx to MokListXRT since writing a large RT variable could crash some machines (bsc#1185261)- Add shim-bsc1187260-fix-efi-1.10-machines.patch to avoid the potential crash when calling QueryVariableInfo in EFI 1.10 machines (bsc#1187260)- Add shim-bsc1185232-fix-config-table-copying.patch to avoid buffer overflow when copying data to the MOK config table (bsc#1185232)
* Mon Jun 21 2021 Gary Ching-Pang Lin - Add shim-bsc1185232-fix-config-table-copying.patch to avoid buffer overflow when copying data to the MOK config table (bsc#1185232)
* Mon Jun 21 2021 Gary Ching-Pang Lin - Add shim-disable-export-vendor-dbx.patch to disable exporting vendor-dbx to MokListXRT since writing a large RT variable could crash some machines (bsc#1185261)- Add shim-bsc1187260-fix-efi-1.10-machines.patch to avoid the potential crash when calling QueryVariableInfo in EFI 1.10 machines (bsc#1187260)
* Thu Jun 17 2021 Gary Ching-Pang Lin - Add shim-fix-aa64-relsz.patch to fix the size of rela sections for AArch64 Fix: https://github.com/rhboot/shim/issues/371
* Fri Jun 04 2021 Gary Ching-Pang Lin - Add shim-bsc1185232-relax-loadoptions-length-check.patch to ignore the odd LoadOptions length (bsc#1185232)
* Fri Jun 04 2021 Gary Ching-Pang Lin - shim-install: reset def_shim_efi to \"shim.efi\" if the given file doesn\'t exist
* Wed May 19 2021 Gary Ching-Pang Lin - shim-install: instead of assuming \"removable\" for Azure, remove fallback.efi from \\EFI\\Boot and copy grub.efi/cfg to \\EFI\\Boot to make \\EFI\\Boot bootable and keep the boot option created by efibootmgr (bsc#1185464, bsc#1185961)
* Tue May 11 2021 Gary Ching-Pang Lin - Add shim-bsc1185261-relax-import_mok_state-check.patch to relax the check for import_mok_state() when Secure Boot is off. (bsc#1185261)
* Fri May 07 2021 Gary Ching-Pang Lin - shim-install: always assume \"removable\" for Azure to avoid the endless reset loop (bsc#1185464)
* Thu May 06 2021 Gary Ching-Pang Lin - Include suse-signed shim for AArch64 (bsc#1185621) (sync shim.changes from SLE)
* Thu May 06 2021 Gary Ching-Pang Lin - Add shim-bsc1185621-relax-max-var-sz-check.patch to relax the maximum variable size check for u-boot (bsc#1185621)
* Mon May 03 2021 Gary Ching-Pang Lin - Add shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch to handle ignore_db and user_insecure_mode correctly (bsc#1185441, bsc#1187071)
* Wed Apr 28 2021 Gary Ching-Pang Lin - Split the keys in vendor-dbx.bin to vendor-dbx-sles and vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce the size of MokListXRT (bsc#1185261) + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz
* Thu Apr 22 2021 Gary Ching-Pang Lin - Enable the AArch64 signature check for SLE (sync shim.changes from SLE)
* Wed Apr 21 2021 Johannes Segitz - Update the SLE signatures (sync shim.changes from SLE)
* Thu Apr 08 2021 Gary Ching-Pang Lin - Add shim-bsc1184454-allocate-mok-config-table-BS.patch to avoid the error message during linux system boot (bsc#1184454)
* Wed Apr 07 2021 Johannes Segitz - Add remove_build_id.patch to prevent the build id being added to the binary. That can cause issues with the signature
* Wed Mar 31 2021 Gary Ching-Pang Lin - Update to 15.4 (bsc#1182057) + Rename the SBAT variable and fix the self-check of SBAT + sbat: add more dprint() + arm/aa64: Swizzle some sections to make old sbsign happier + arm/aa64 targets: put .rel
* and .dyn
* in .rodata- Drop upstreamed patch: + shim-bsc1182057-sbat-variable-enhancement.patch
* Mon Mar 29 2021 Gary Ching-Pang Lin - Add shim-bsc1182057-sbat-variable-enhancement.patch to change the SBAT variable name and enhance the handling of SBAT (bsc#1182057)
* Wed Mar 24 2021 Gary Ching-Pang Lin - Update to 15.3 for SBAT support (bsc#1182057) + Drop gnu-efi from BuildRequires since upstream pull it into the tar ball.- Generate vender-specific SBAT metadata + Add dos2unix to BuildRequires since Makefile requires it for vendor SBAT- Update dbx-cert.tar.xz and vendor-dbx.bin to block the following sign keys: + SLES-UEFI-SIGN-Certificate-2020-07.crt + openSUSE-UEFI-SIGN-Certificate-2020-07.crt- Refresh patches + shim-arch-independent-names.patch + shim-change-debug-file-path.patch + shim-bsc1177315-verify-eku-codesign.patch - Unified with shim-bsc1177315-fix-buffer-use-after-free.patch- Drop upstreamed fixes + shim-correct-license-in-headers.patch + shim-always-mirror-mok-variables.patch + shim-bsc1175509-more-tpm-fixes.patch + shim-bsc1173411-only-check-efi-var-on-sb.patch + shim-fix-verify-eku.patch + gcc9-fix-warnings.patch + shim-fix-gnu-efi-3.0.11.patch + shim-bsc1177404-fix-a-use-of-strlen.patch + shim-do-not-write-string-literals.patch + shim-VLogError-Avoid-Null-pointer-dereferences.patch + shim-bsc1092000-fallback-menu.patch + shim-bsc1175509-tpm2-fixes.patch + shim-bsc1174512-correct-license-in-headers.patch + shim-bsc1182776-fix-crash-at-exit.patch- Drop shim-opensuse-cert-prompt.patch + All newly released openSUSE kernels enable kernel lockdown and signature verification, so there is no need to add the prompt anymore.
* Thu Mar 11 2021 Gary Ching-Pang Lin - Refresh shim-bsc1182776-fix-crash-at-exit.patch to do the cleanup also when Secure Boot is disabled (bsc#1183213, bsc#1182776)- Merged linker-version.pl into timestamp.pl and add the linker version to signature files accordingly
* Mon Mar 08 2021 Gary Ching-Pang Lin - Add shim-bsc1182776-fix-crash-at-exit.patch to fix the potential crash at Exit() (bsc#1182776)
* Fri Jan 22 2021 Gary Ching-Pang Lin - Update the SLE signature- Exclude some patches from x86_64 to avoid breaking the signature- Add shim-correct-license-in-headers.patch back for x86_64 to match the SLE signature- Add linker-version.pl to modify the EFI/PE header to match the SLE signature
  
ICM