(mirror of https://github.com/vyos/efi-boot-shim.git) https://git.amelek.net/vyos/efi-boot-shim.git/atom?h=14 2017-12-19T21:52:01+00:00 2017-12-19T21:52:01+00:00 Peter Jones pjones@redhat.com 2017-12-19T21:49:43+00:00 urn:sha1:02e2fc61bd2fb7f0045f15db105de7b8ace3029f Signed-off-by: Peter Jones <pjones@redhat.com> 2017-12-19T21:52:01+00:00 Peter Jones pjones@redhat.com 2017-11-03T16:21:37+00:00 urn:sha1:0f5032818980f3151ad684f9d5a88188f2489a61 Signed-off-by: Peter Jones <pjones@redhat.com> 2017-12-19T21:52:01+00:00 Peter Jones pjones@redhat.com 2017-11-02T22:05:12+00:00 urn:sha1:97a3f6cf94365141b98363d29a88865f6876e5a6 Signed-off-by: Peter Jones <pjones@redhat.com> 2017-12-19T21:36:55+00:00 Peter Jones pjones@redhat.com 2017-11-02T22:12:17+00:00 urn:sha1:b9e81483bb96b1fb471a981dff625807eb0a58ca Signed-off-by: Peter Jones <pjones@redhat.com> 2017-09-29T15:10:49+00:00 Peter Jones pjones@redhat.com 2017-08-31T19:21:26+00:00 urn:sha1:5e827007b3d95c4ce999422462248f5e7d3f270f shim 13: - OpenSSL reverted to 1.0.2k to make the cert chaining of existing deployments stay working - Better PCR usage for TPM - TPM documentation in README.tpm - More configurable build via make variables: ENABLE_SHIM_CERT ENABLE_SHIM_HASH ENABLE_SBSIGN LIBDIR EFIDIR VENDOR_CERT_FILE VENDOR_DB_FILE - Better MoK documentation in MokVars.txt - Better debuginfo generation - Lots of minor bug fixes. Signed-off-by: Peter Jones <pjones@redhat.com> 2017-09-29T15:10:32+00:00 Mathieu Trudel-Lapierre mathieu.trudel-lapierre@canonical.com 2017-09-29T15:05:05+00:00 urn:sha1:cc08ed0e280f8ba3a26fbd9469e64704aaef75af Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com> 2017-09-29T15:10:32+00:00 Peter Jones pjones@redhat.com 2017-09-29T15:01:10+00:00 urn:sha1:dca65ca25417c16f89024d4d2a3619a0967139c4 If you build with ENABLE_SHIM_CERT=1, the include chain right now winds up meaning shim_cert is defined in a header that gets included in netboot.c as well, which never uses it: In file included from shim.h:125:0, from netboot.c:36: shim_cert.h:1:14: error: ‘shim_cert’ defined but not used [-Werror=unused-variable] static UINT8 shim_cert[] = { ^~~~~~~~~ cc1: all warnings being treated as errors So make that okay by adding __attribute__((__unused__)) to the variable decl. Signed-off-by: Peter Jones <pjones@redhat.com> 2017-09-29T15:10:32+00:00 Peter Jones pjones@redhat.com 2017-09-29T15:03:52+00:00 urn:sha1:d8f4773408b5ba2a3dabccdfa36f68ac337eb155 2017-09-26T15:16:45+00:00 Peter Jones pjones@redhat.com 2017-09-26T14:52:46+00:00 urn:sha1:23ce039c434d164a3848c829b237899cc17c1d21 Cyphermox discovered that when you run this: ( printf "\xff\x00\xfe\x00" ; echo "shimx64.efi,foo,,This is the boot entry for foo" ) | sed -z 's/./&\x00/g' on some debian machines, printf(1) doesn't interpret the \x.. characters, and that results in this being the encoded text: 00000000 5c 78 66 66 5c 78 66 65 73 00 68 00 69 00 6d 00 |\xff\xfes.h.i.m.| 00000010 78 00 36 00 34 00 2e 00 65 00 66 00 69 00 2c 00 |x.6.4...e.f.i.,.| 00000020 66 00 6f 00 6f 00 2c 00 2c 00 54 00 68 00 69 00 |f.o.o.,.,.T.h.i.| which... yeah, that's wrong. So instead, use iconv instead of printf+sed to encode it in UCS-2. Unfortunately, that means we don't get endian markers, because for some reason iconv(1) doesn't have any way to say it should include them. But that's okay; fallback already handles not having them and just assumes the second byte being \x00 means UCS-2LE. Signed-off-by: Peter Jones <pjones@redhat.com> 2017-09-19T18:58:51+00:00 Peter Jones pjones@redhat.com 2017-09-19T18:55:47+00:00 urn:sha1:49e9775e07cf4b29d7323e2892246e83b7451efc Commit 1e71734992 inadvertantly switched ARM's LDFLAGS+=--defsym=EFI_SUBSYSTEM=$(SUBSYSTEM) to be before LDFLAGS is set, and so it got clobbered away. Signed-off-by: Peter Jones <pjones@redhat.com>