<feed xmlns='http://www.w3.org/2005/Atom'>
<title>efi-boot-shim.git/Make.defaults, branch 15.8</title>
<subtitle> (mirror of https://github.com/vyos/efi-boot-shim.git)
</subtitle>
<id>https://git.amelek.net/vyos/efi-boot-shim.git/atom?h=15.8</id>
<link rel='self' href='https://git.amelek.net/vyos/efi-boot-shim.git/atom?h=15.8'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/'/>
<updated>2024-01-22T19:17:20+00:00</updated>
<entry>
<title>Build time selectable automatic SBATLevel revocations</title>
<updated>2024-01-22T19:17:20+00:00</updated>
<author>
<name>Jan Setje-Eilers</name>
<email>jan.setjeeilers@oracle.com</email>
</author>
<published>2023-12-14T04:32:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=6f395c23466a2bc08a28bbc216d6665ade0b117d'/>
<id>urn:sha1:6f395c23466a2bc08a28bbc216d6665ade0b117d</id>
<content type='text'>
The ability to automatically apply SBATLevel revocations varies
from distro to distro. This allows distros that are able to
automatically apply SBATLevel revocations when shim is updated to
select a level by supplying SBAT_AUTOMATIC_DATE=&lt;datestamp&gt; on the
make command line. Currently the following options are available:

2021030218 no revocations - useful for distros that need to rely on
                            an externally delivered revocations.efi

2022052400 grub,2

2022111500 shim,2
           grub,3

2023012900 shim,2
           grub,3
           grub.debian,4

If no datestamp is specified the build will default to the
most recent 2023012900.

Signed-off-by: Jan Setje-Eilers &lt;Jan.SetjeEilers@oracle.com&gt;
</content>
</entry>
<entry>
<title>Enable the NX compatibility flag by default.</title>
<updated>2023-01-27T18:03:31+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2022-11-17T17:31:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=7c7642530fab73facaf3eac233cfbce29e10b0ef'/>
<id>urn:sha1:7c7642530fab73facaf3eac233cfbce29e10b0ef</id>
<content type='text'>
Currently by default, when we build shim we do not set the PE
NX-compatibility DLL Characteristic flag.  This signifies to the
firmware that shim (including the components it loads) is not prepared
for several related firmware changes:

- non-executable stack
- non-executable pages from AllocatePages()/AllocatePool()/etc.
- non-writable 0 page (not strictly related but some firmware will be
  transitioning at the same time)
- the need to use the UEFI 2.10 Memory Attribute Protocol to set page
  permissions.

This patch changes that default to be enabled by default.  Distributors
of shim will need to ensure that either their builds disable this bit
(using "post-process-pe -N"), or that the bootloaders and kernels you
support loading are all compliant with this change.  A new make
variable, POST_PROCESS_PE_FLAGS, has been added to simplify doing so.

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
<entry>
<title>Add -malign-double to IA32 compiler flags</title>
<updated>2022-11-14T19:04:12+00:00</updated>
<author>
<name>Nicholas Bishop</name>
<email>nicholasbishop@google.com</email>
</author>
<published>2022-10-06T20:08:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=0cf43ac6d78c6f47f8b91210639ac1aa63665f0b'/>
<id>urn:sha1:0cf43ac6d78c6f47f8b91210639ac1aa63665f0b</id>
<content type='text'>
This changes the alignment of UINT64 data to 8 bytes on IA32, which
matches EDK2's understanding of alignment. In particular this change
affects the offset where shim writes `EFI_LOADED_IMAGE.ImageSize`.

Fixes https://github.com/rhboot/shim/issues/515

Signed-off-by: Nicholas Bishop &lt;nicholasbishop@google.com&gt;
</content>
</entry>
<entry>
<title>Modernize aarch64</title>
<updated>2022-05-13T19:08:56+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2022-04-26T21:47:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=d6eb9c6cc7826cea02f31580ac0e56726ae80ad5'/>
<id>urn:sha1:d6eb9c6cc7826cea02f31580ac0e56726ae80ad5</id>
<content type='text'>
Now that we've got "objcopy --target efi-app-aarch64" and similar, we
don't have to go through heroic effort to try to make aarch64 builds
work.

This patch updates to a gnu-efi branch that has newer aarch64 crt0 code,
and makes efi_aarch64_efi.lds be nearly identical to efi_x86_64_efi.lds.

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
<entry>
<title>shim: Don't parse load options if invoked from removable media path</title>
<updated>2021-10-12T14:50:44+00:00</updated>
<author>
<name>Julian Andres Klode</name>
<email>julian.klode@canonical.com</email>
</author>
<published>2021-08-04T08:46:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=b43758465a553d289b9f92aa5892244f19c1a76d'/>
<id>urn:sha1:b43758465a553d289b9f92aa5892244f19c1a76d</id>
<content type='text'>
We see various reports of boot failures because the generated
boot entries contain garbage/tagging that we do not expect, and
that we then parse as a second stage boot loader.
</content>
</entry>
<entry>
<title>More minor improvements to support for COMPILER=clang</title>
<updated>2021-09-07T21:05:04+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2021-08-02T17:09:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=116a8310ab93d803fa51f9ba9f3d6d0cb691e2bf'/>
<id>urn:sha1:116a8310ab93d803fa51f9ba9f3d6d0cb691e2bf</id>
<content type='text'>
A couple of places snuck in where building with COMPILER=clang didn't
work right; this makes them work again.

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
<entry>
<title>Post-process our PE to be sure.</title>
<updated>2021-05-25T15:03:26+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2021-05-14T00:42:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=05875f3aed1c90fe071c66de05744ca2bcbc2b9e'/>
<id>urn:sha1:05875f3aed1c90fe071c66de05744ca2bcbc2b9e</id>
<content type='text'>
Some versions of binutils[0], including binutils-2.23.52.0.1-55.el7,
do not correctly initialize the data when computing the PE optional
header checksum.  Unfortunately, this means that any time you get a
build that reproduces correctly using the version of objcopy from those
versions, it's just a matter of luck.

This patch introduces a new utility program, post-process-pe, which does
some basic validation of the resulting binaries, and if necessary,
performs some minor repairs:

- sets the timestamp to 0
  - this was previously done with dd using constant offsets that aren't
    really safe.
- re-computes the checksum.

[0] I suspect, but have not yet fully verified, that this is
    accidentally fixed by the following upstream binutils commit:

    commit cf7a3c01d82abdf110ef85ab770e5997d8ac28ac
    Author: Alan Modra &lt;amodra@gmail.com&gt;
    Date:   Tue Dec 15 22:09:30 2020 +1030

      Lose some COFF/PE static vars, and peicode.h constify

      This patch tidies some COFF and PE code that unnecessarily used static
      variables to communicate between functions.

v2 - MAP_PRIVATE was totally wrong...

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
<entry>
<title>Make building outside of the top directory work.</title>
<updated>2021-03-25T18:36:53+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2021-03-24T21:51:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=8578b75f9c18fd267c8a0746192ab3f051561df2'/>
<id>urn:sha1:8578b75f9c18fd267c8a0746192ab3f051561df2</id>
<content type='text'>
This also makes the cross-build targets (and not the others) /use/ this
functionality, so we'll catch it if we break it again.

This fixes issue #340.

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
<entry>
<title>Fix cross-compilation from x86_64-&gt;i686</title>
<updated>2021-03-22T20:43:44+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2021-03-21T17:14:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=e03ce7ed85195107fce206c7390263ff9afeaece'/>
<id>urn:sha1:e03ce7ed85195107fce206c7390263ff9afeaece</id>
<content type='text'>
Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
<entry>
<title>build: load local build configuration from Make.local if present</title>
<updated>2021-03-16T17:23:17+00:00</updated>
<author>
<name>Paul Moore</name>
<email>pmoore2@cisco.com</email>
</author>
<published>2020-10-20T17:26:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=6fa1c8e6820421a5ca3c422cf8c7a7c6d7851460'/>
<id>urn:sha1:6fa1c8e6820421a5ca3c422cf8c7a7c6d7851460</id>
<content type='text'>
If the file Make.local exists, use it as a source of local build
configuration by including it in Make.defaults.

(cherry picked from commit 57e38a1ebf73 in the shim-15.2 branch)

Signed-off-by: Paul Moore &lt;pmoore2@cisco.com&gt;
</content>
</entry>
</feed>
