<feed xmlns='http://www.w3.org/2005/Atom'>
<title>efi-boot-shim.git/Make.defaults, branch vyos/current</title>
<subtitle> (mirror of https://github.com/vyos/efi-boot-shim.git)
</subtitle>
<id>https://git.amelek.net/vyos/efi-boot-shim.git/atom?h=vyos%2Fcurrent</id>
<link rel='self' href='https://git.amelek.net/vyos/efi-boot-shim.git/atom?h=vyos%2Fcurrent'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/'/>
<updated>2025-02-11T15:43:37+00:00</updated>
<entry>
<title>Implement the rest of the loader protocol functions</title>
<updated>2025-02-11T15:43:37+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2023-06-30T18:48:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=0322e10ecc0eb6a4acbea3f83f71b19a559aaec6'/>
<id>urn:sha1:0322e10ecc0eb6a4acbea3f83f71b19a559aaec6</id>
<content type='text'>
This adds an implementation of Exit() and UnloadImage(), removes the
whole "loader_is_participating" mechanism and its supporting code, and
removes DISABLE_EBS_PROTECTION.

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
<entry>
<title>Force gcc to produce DWARF4 so that gdb can use it</title>
<updated>2024-12-13T22:19:21+00:00</updated>
<author>
<name>Mike Beaton</name>
<email>mjsbeaton@gmail.com</email>
</author>
<published>2023-08-27T10:57:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=3cf0e099b4066d6615ffa7d11e5b62428dd1c4d5'/>
<id>urn:sha1:3cf0e099b4066d6615ffa7d11e5b62428dd1c4d5</id>
<content type='text'>
cf https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2014231

Signed-off-by: Mike Beaton &lt;mjsbeaton@gmail.com&gt;
</content>
</entry>
<entry>
<title>export DEFINES for sub makefile</title>
<updated>2024-11-12T22:11:15+00:00</updated>
<author>
<name>William Douglas</name>
<email>william.douglas@intel.com</email>
</author>
<published>2023-08-04T15:01:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=f6674fec6204da2fe082f86af3f07698ee7aa6da'/>
<id>urn:sha1:f6674fec6204da2fe082f86af3f07698ee7aa6da</id>
<content type='text'>
Signed-off-by: William Douglas &lt;william.douglas@intel.com&gt;
</content>
</entry>
<entry>
<title>Build time selectable automatic SBATLevel revocations</title>
<updated>2024-01-22T19:17:20+00:00</updated>
<author>
<name>Jan Setje-Eilers</name>
<email>jan.setjeeilers@oracle.com</email>
</author>
<published>2023-12-14T04:32:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=6f395c23466a2bc08a28bbc216d6665ade0b117d'/>
<id>urn:sha1:6f395c23466a2bc08a28bbc216d6665ade0b117d</id>
<content type='text'>
The ability to automatically apply SBATLevel revocations varies
from distro to distro. This allows distros that are able to
automatically apply SBATLevel revocations when shim is updated to
select a level by supplying SBAT_AUTOMATIC_DATE=&lt;datestamp&gt; on the
make command line. Currently the following options are available:

2021030218 no revocations - useful for distros that need to rely on
                            an externally delivered revocations.efi

2022052400 grub,2

2022111500 shim,2
           grub,3

2023012900 shim,2
           grub,3
           grub.debian,4

If no datestamp is specified the build will default to the
most recent 2023012900.

Signed-off-by: Jan Setje-Eilers &lt;Jan.SetjeEilers@oracle.com&gt;
</content>
</entry>
<entry>
<title>Enable the NX compatibility flag by default.</title>
<updated>2023-01-27T18:03:31+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2022-11-17T17:31:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=7c7642530fab73facaf3eac233cfbce29e10b0ef'/>
<id>urn:sha1:7c7642530fab73facaf3eac233cfbce29e10b0ef</id>
<content type='text'>
Currently by default, when we build shim we do not set the PE
NX-compatibility DLL Characteristic flag.  This signifies to the
firmware that shim (including the components it loads) is not prepared
for several related firmware changes:

- non-executable stack
- non-executable pages from AllocatePages()/AllocatePool()/etc.
- non-writable 0 page (not strictly related but some firmware will be
  transitioning at the same time)
- the need to use the UEFI 2.10 Memory Attribute Protocol to set page
  permissions.

This patch changes that default to be enabled by default.  Distributors
of shim will need to ensure that either their builds disable this bit
(using "post-process-pe -N"), or that the bootloaders and kernels you
support loading are all compliant with this change.  A new make
variable, POST_PROCESS_PE_FLAGS, has been added to simplify doing so.

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
<entry>
<title>Add -malign-double to IA32 compiler flags</title>
<updated>2022-11-14T19:04:12+00:00</updated>
<author>
<name>Nicholas Bishop</name>
<email>nicholasbishop@google.com</email>
</author>
<published>2022-10-06T20:08:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=0cf43ac6d78c6f47f8b91210639ac1aa63665f0b'/>
<id>urn:sha1:0cf43ac6d78c6f47f8b91210639ac1aa63665f0b</id>
<content type='text'>
This changes the alignment of UINT64 data to 8 bytes on IA32, which
matches EDK2's understanding of alignment. In particular this change
affects the offset where shim writes `EFI_LOADED_IMAGE.ImageSize`.

Fixes https://github.com/rhboot/shim/issues/515

Signed-off-by: Nicholas Bishop &lt;nicholasbishop@google.com&gt;
</content>
</entry>
<entry>
<title>Modernize aarch64</title>
<updated>2022-05-13T19:08:56+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2022-04-26T21:47:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=d6eb9c6cc7826cea02f31580ac0e56726ae80ad5'/>
<id>urn:sha1:d6eb9c6cc7826cea02f31580ac0e56726ae80ad5</id>
<content type='text'>
Now that we've got "objcopy --target efi-app-aarch64" and similar, we
don't have to go through heroic effort to try to make aarch64 builds
work.

This patch updates to a gnu-efi branch that has newer aarch64 crt0 code,
and makes efi_aarch64_efi.lds be nearly identical to efi_x86_64_efi.lds.

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
<entry>
<title>shim: Don't parse load options if invoked from removable media path</title>
<updated>2021-10-12T14:50:44+00:00</updated>
<author>
<name>Julian Andres Klode</name>
<email>julian.klode@canonical.com</email>
</author>
<published>2021-08-04T08:46:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=b43758465a553d289b9f92aa5892244f19c1a76d'/>
<id>urn:sha1:b43758465a553d289b9f92aa5892244f19c1a76d</id>
<content type='text'>
We see various reports of boot failures because the generated
boot entries contain garbage/tagging that we do not expect, and
that we then parse as a second stage boot loader.
</content>
</entry>
<entry>
<title>More minor improvements to support for COMPILER=clang</title>
<updated>2021-09-07T21:05:04+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2021-08-02T17:09:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=116a8310ab93d803fa51f9ba9f3d6d0cb691e2bf'/>
<id>urn:sha1:116a8310ab93d803fa51f9ba9f3d6d0cb691e2bf</id>
<content type='text'>
A couple of places snuck in where building with COMPILER=clang didn't
work right; this makes them work again.

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
<entry>
<title>Post-process our PE to be sure.</title>
<updated>2021-05-25T15:03:26+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2021-05-14T00:42:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=05875f3aed1c90fe071c66de05744ca2bcbc2b9e'/>
<id>urn:sha1:05875f3aed1c90fe071c66de05744ca2bcbc2b9e</id>
<content type='text'>
Some versions of binutils[0], including binutils-2.23.52.0.1-55.el7,
do not correctly initialize the data when computing the PE optional
header checksum.  Unfortunately, this means that any time you get a
build that reproduces correctly using the version of objcopy from those
versions, it's just a matter of luck.

This patch introduces a new utility program, post-process-pe, which does
some basic validation of the resulting binaries, and if necessary,
performs some minor repairs:

- sets the timestamp to 0
  - this was previously done with dd using constant offsets that aren't
    really safe.
- re-computes the checksum.

[0] I suspect, but have not yet fully verified, that this is
    accidentally fixed by the following upstream binutils commit:

    commit cf7a3c01d82abdf110ef85ab770e5997d8ac28ac
    Author: Alan Modra &lt;amodra@gmail.com&gt;
    Date:   Tue Dec 15 22:09:30 2020 +1030

      Lose some COFF/PE static vars, and peicode.h constify

      This patch tidies some COFF and PE code that unnecessarily used static
      variables to communicate between functions.

v2 - MAP_PRIVATE was totally wrong...

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
</feed>
