efi-boot-shim.git, branch Release_3.0.0

Don't close file twice in should_use_fallback error path

2016-07-18T19:28:12+00:00

When fallback.efi is not present, the should_use_fallback error path attempts to close a file that has already been closed, resulting in a hang. This issue only affects certain systems. This is a regression from version 0.8 and was introduced by commit 4794822. Signed-off-by: Benjamin Antin

makefile: Fix detecting objcopy version

2016-06-30T20:31:43+00:00

Signed-off-by: Carlo Caione

shim: Fix unused variable error

2016-06-30T20:25:21+00:00

Signed-off-by: Carlo Caione

Sign MokManager with sbsigntool instead of pesign

2016-06-30T19:43:11+00:00

Ubuntu infrastructure uses sbsigntool for all other EFI signing, so we use the same thing for signing MokManager with our ephemeral key. This also avoids an additional build dependency on libnss3-tools.

Chainload grubx64.efi, not grub.efi

2016-06-30T19:42:21+00:00

We qualify the second stage bootloader image with the architecture name, so we're forwards-compatible with any future 32-bit implementations. (Non-SB grub doesn't conflict, since the image will be named bootia32.efi anyway, not grub.efi.)

shim: make the PE loader less overzealous on rejections

2016-06-09T19:32:37+00:00

Work around binutils version string weirdness.

2016-05-18T14:33:38+00:00

Nick Clifton wrote to me and explained: Subject: SHIM - objcopy version check broken by RHEL 7.3 binutils Hi Peter, We (the tools group) have run across a small problem with the shim package for RHEL 7.3, whilst testing out a new version of the binutils. It complains that it needs a version of objcopy that is >= 2.23, despite the fact that the version is actually 2.25.1. I tracked the problem down to an extraneous space at the end of the version string being produced by objcopy: "GNU objcopy version 2.25.1-8.el7 " The Makefile in the shim package uses this rule to test the version of objcopy: OBJCOPY_GTE224 = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.* //g' | cut -f1-2 -d.` \>= 2.24) But, because of that extra space, the sed expression clips the entire line and so the test fails. The extra space is there because normally the version number would be followed by a date. For example: "GNU objcopy version 2.23.52.0.1-56.el7 20130226" So in this case the sed will extract the date, not the version number, but the test will still pass. I could fix the binutils to remove the space, although it would be a bit messy and it would not fix the problem when a date is appended to the version number. Instead, I would like to propose a small patch to the shim Makefile. If you change the line to: OBJCOPY_GTE224 = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.version //g' | cut -f1-2 -d.` \>= 2.24) then the test will work as intended, with or without an extra space at the end of the version and with or without a date appended. Would it be possible to have this change added to the shim package ? Cheers Signed-off-by: Peter Jones

Measure state and second stage into TPM

2016-05-11T15:11:05+00:00

Add support for measuring the MOK database and secure boot state into a TPM, and do the same for the second stage loader. This avoids a hole in TPM measurement between the firmware and the second stage loader.

shim: dealing with only one string on loadoption

2016-05-11T15:10:17+00:00

The second stage set is not working after commit 3322257e611e2000f79726d295bb4845bbe449e7 for those which load option only have one string. Signed-off-by: Ivan Hu

shim: mirror MokSBState in runtime so the kernel can make use of it.

2016-03-22T15:14:31+00:00

Signed-off-by: Mathieu Trudel-Lapierre