(mirror of https://github.com/vyos/efi-boot-shim.git) https://git.amelek.net/vyos/efi-boot-shim.git/atom?h=Release_3.0.0 2014-08-12T14:54:05+00:00 2014-08-12T14:54:05+00:00 Ard Biesheuvel ard.biesheuvel@linaro.org 2014-08-12T13:33:22+00:00 urn:sha1:fa525bc4632e04346fae82a98ce23b31c6cfc86d This adds support for building the shim for a 32-bit ARM UEFI environment. Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> 2013-10-01T18:03:16+00:00 Peter Jones pjones@redhat.com 2013-09-09T18:43:04+00:00 urn:sha1:02388bcd58e73effdc828e8df9bbf5553c594835 This moves them both to be computed at runtime from a pointer+offset rather than just a pointer, so that their real address can be entirely derived from the section they're in. This means you can replace the whole .vendor_cert section with a new one with certs that don't have the same size. 2013-06-11T18:59:48+00:00 Peter Jones pjones@redhat.com 2013-06-11T18:58:25+00:00 urn:sha1:23002e8e5c03800845afae8aaa7e42770c3e5d17 This also fixes the size of an empty vendor_cert or dbx_cert. Signed-off-by: Peter Jones <shim-owner@fedoraproject.org> 2013-06-10T21:36:23+00:00 Peter Jones pjones@redhat.com 2013-06-10T21:27:48+00:00 urn:sha1:030d4748cbaa9952a06e0430c7313a3e3da8f0e3 Signed-off-by: Peter Jones <pjones@redhat.com> 2013-06-10T21:35:33+00:00 Peter Jones pjones@redhat.com 2013-03-20T17:18:34+00:00 urn:sha1:4541fce44f88d335b9a72e1cc07687e4198e4847 With this change, the embedded certificate and dbx lists (vendor_cert, vendor_cert_size, vendor_dbx, and vendor_dbx_size) wind up being in a section named .vendor_cert, and so will look something like: ------ fenchurch:~/devel/github.com/shim$ objdump -h shim.efi shim.efi: file format pei-x86-64 Sections: Idx Name Size VMA LMA File off Algn 0 .eh_frame 000174a8 0000000000005000 0000000000005000 00000400 2**3 CONTENTS, ALLOC, LOAD, READONLY, DATA 1 .text 000aa7e1 000000000001d000 000000000001d000 00017a00 2**4 CONTENTS, ALLOC, LOAD, READONLY, CODE 2 .reloc 0000000a 00000000000c8000 00000000000c8000 000c2200 2**0 CONTENTS, ALLOC, LOAD, READONLY, DATA 3 .data 00031228 00000000000c9000 00000000000c9000 000c2400 2**5 CONTENTS, ALLOC, LOAD, DATA 4 .vendor_cert 00000375 00000000000fb000 00000000000fb000 000f3800 2**0 CONTENTS, READONLY 5 .dynamic 000000f0 00000000000fc000 00000000000fc000 000f3c00 2**3 CONTENTS, ALLOC, LOAD, DATA 6 .rela 0002afa8 00000000000fd000 00000000000fd000 000f3e00 2**3 CONTENTS, ALLOC, LOAD, READONLY, DATA 7 .dynsym 0000f1f8 0000000000128000 0000000000128000 0011ee00 2**3 CONTENTS, ALLOC, LOAD, READONLY, DATA ------ This simplifies a security audit, because it means that different versions of shim with substantially the same code with different keys will be more easily comperable, and therefore logic differences may be more easily identified. This also means that if there's a trusted build you want to use, you can remove the certificates, implant new ones, and have it signed, and the code sections won't change. Signed-off-by: Peter Jones <pjones@redhat.com> 2013-06-10T21:35:33+00:00 Peter Jones pjones@redhat.com 2013-03-20T17:16:08+00:00 urn:sha1:829fd24f18a72f5d3b15b54293cb78c4aecd1971 The thing about subtraction is that the minuend needs to be before the subtrahend in the text. Signed-off-by: Peter Jones <pjones@redhat.com> 2012-09-06T20:43:30+00:00 Peter Jones pjones@redhat.com 2012-09-06T20:32:41+00:00 urn:sha1:bcd0a4e8df98f26b726fa9a18ad37b4bca16a285 2012-09-06T16:13:44+00:00 Peter Jones pjones@redhat.com 2012-08-13T21:06:46+00:00 urn:sha1:178b5681b89cbaf59b69ba341e4cabb061bf8281 This allows you to specify the vendor_cert as a file on the command line during build.