efi-boot-shim.git, branch 0.7

Bump version to 0.7.

2013-11-06T19:07:05+00:00

Do not use 0.6; on some machines it misunderstands the SetupMode variable. Signed-off-by: Peter Jones

Fix check logic for SetupMode variable.

2013-11-06T18:59:02+00:00

After going back and inspecting this further, the logic for "SetupMode" being present at all was incorrect. Also initialize our state earlier so it's sure to always be set. Signed-off-by: Peter Jones

Make tag its own make target, and make it sign tags.

2013-10-31T15:16:32+00:00

Signed-off-by: Peter Jones

Bump version to 0.6

2013-10-31T15:12:24+00:00

Signed-off-by: Peter Jones

Don't free GetVariable() return data without checking the status code.

2013-10-30T20:36:01+00:00

This breaks every machine from before Secure Boot was a thing. Signed-off-by: Peter Jones

We should be checking both mok and the system's SB settings

2013-10-28T14:41:03+00:00

When we call hook_system_services(), we're currently only checking mok's setting. We should use secure_mode() instead so it'll check both. Signed-off-by: Peter Jones

Revert "additional bounds-checking on section sizes"

2013-10-23T14:50:36+00:00

This reverts commit 21e40f0174814b3d91836e38c7cf95c8f2f1f3a4. In principle I like the idea of what's going on here, but generate_hash() really does need to have the expected result.

Don't reject all binaries without a certificate database.

2013-10-22T17:40:08+00:00

If a binary isn't signed, but its hash is enrolled in db, it won't have a certificate database. So in those cases, don't check it against certificate databases in db/dbx/etc, but we don't need to reject it outright. Signed-off-by: Peter Jones

additional bounds-checking on section sizes

2013-10-22T15:23:51+00:00

This adds additional bounds-checking on the section sizes. Also adds -Wsign-compare to the Makefile and replaces some signed variables with unsigned counteparts for robustness. Signed-off-by: Kees Cook

Bump version to 0.5

2013-10-04T21:04:21+00:00

Signed-off-by: Peter Jones