efi-boot-shim.git, branch 15.5-rc2

Minor coverity fixes

2021-12-10T22:08:21+00:00

- one missing free - one minor deadcode issue - two unchecked allocations - one debug hexdump of a variable we just freed Signed-off-by: Peter Jones

stdarg: use sysv varargs when we build with coverity

2021-12-10T22:08:21+00:00

cov-analysis-linux64-2020.09 is a lot more successful than the older versions at building, but it still has some... issues. Among them, it is of the belief that this: void foo(char *fmt, ...) { __builtin_va_list ap; __builtin_ms_va_start(ap, fmt); /* <- here */ ... } is an uninitialized use of "ap". This patch adds defined(__COVERITY__) to the list of criteria for using sysv va lists, which it has no such confusion about. Signed-off-by: Peter Jones

shim: Don't stop forever at "Secure Boot not enabled" notification

2021-12-10T19:59:22+00:00

Requesting a keystroke when Secure Boot is not enabled and verbosity is enabled is really annoying. Signed-off-by: Renaud Métrich

fallback: fix fallback not passing arguments of the first boot option

2021-12-10T19:56:54+00:00

The buffer used to read the data in the CSV is declared as a stack variable in the try_boot_csv() function, but a pointer to the arguments field of the first boot option is stored in the global first_new_option_args variable. Later, when is used set the arguments to boot the first entry, the variable points to memory that no longer exists. This leads to booting an entry with garbage as arguments instead of the correct value. Reported-by: Alexander Larsson Signed-off-by: Javier Martinez Canillas

Introduce a new MOK variable called MokListTrustedRT

2021-11-03T15:30:28+00:00

Introduce a new MOK variable called MokListTrustedRT. It allows an end-user to decide if they want to trust MOKList keys within the soon to be booted Linux kernel. This variable does not change any functionality within shim itself. When Linux boots, if MokListTrustedRT is set and EFI_VARIABLE_NON_VOLATILE is not set, keys in MokListRT are loaded into the .machine keyring instead of the .platform keyring. Signed-off-by: Eric Snowberg

Fix a component version in SBAT.example.md

2021-11-03T15:28:38+00:00

In the bug2 section, the first Debian `.sbat` has a `grub,1` component. But at this point in the story, `grub,1` has been revoked by the update in the bug1 section. Updated it to `grub,2` so that it passes that check. Signed-off-by: Nicholas Bishop

Bump the version number to 15.5~rc1

2021-11-03T15:28:38+00:00

Signed-off-by: Peter Jones

shim: Don't parse load options if invoked from removable media path

2021-10-12T14:50:44+00:00

We see various reports of boot failures because the generated boot entries contain garbage/tagging that we do not expect, and that we then parse as a second stage boot loader.

Extract is_removable_media_path() out of should_use_fallback()

2021-10-12T14:50:44+00:00

Simple refactoring that extracts the path checking on the given loaded image. This will be useful to check if we were booted via removable media path in other places.

docs: update SBAT UEFI variable name

2021-10-12T14:41:14+00:00

The name of the SBAT UEFI variable changed from "SBAT" to "SbatLevel" in 27da4170f0fb30acde91a37e0256dfcfe76ea69e. Update the documentation to match. Signed-off-by: Nicholas Bishop