<feed xmlns='http://www.w3.org/2005/Atom'>
<title>efi-boot-shim.git/cert.S, branch rolling</title>
<subtitle> (mirror of https://github.com/vyos/efi-boot-shim.git)
</subtitle>
<id>https://git.amelek.net/vyos/efi-boot-shim.git/atom?h=rolling</id>
<link rel='self' href='https://git.amelek.net/vyos/efi-boot-shim.git/atom?h=rolling'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/'/>
<updated>2024-05-03T13:36:51+00:00</updated>
<entry>
<title>New upstream version 15.8</title>
<updated>2024-05-03T13:36:51+00:00</updated>
<author>
<name>Steve McIntyre</name>
<email>steve@einval.com</email>
</author>
<published>2024-02-17T17:35:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=f898e219b4b06cf2bb7af18b5cc7a00754d3d274'/>
<id>urn:sha1:f898e219b4b06cf2bb7af18b5cc7a00754d3d274</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Fix up a bunch of our license statements and add SPDX most places</title>
<updated>2021-02-16T08:12:48+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2020-12-11T20:54:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=aedb8470bd673385139ac3189ecd9edf4794af16'/>
<id>urn:sha1:aedb8470bd673385139ac3189ecd9edf4794af16</id>
<content type='text'>
The license statements in our source files were getting to be a giant
mess, and mostly they all just say the same thing.  I've switched most
of it to SPDX labels, but left copyright statements in place (where they
were not obviously incorrect copy-paste jobs that I did...).

If there's some change here you don't think is valid, let me know and
we can fix it up together.

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
<entry>
<title>Add support for vendor_db built-in shim authorized list.</title>
<updated>2020-07-24T02:22:04+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2020-07-23T16:36:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=dd3a5d71252a1f94e37f1a4c8841d253630b305a'/>
<id>urn:sha1:dd3a5d71252a1f94e37f1a4c8841d253630b305a</id>
<content type='text'>
Potential new signing strategies ( for example signing grub, fwupdate
and vmlinuz with separate certificates ) require shim to support a
vendor provided bundle of trusted certificates and hashes, which allows
shim to trust EFI binaries matching either certificate by signature or
hash in the vendor_db.  Functionality is similar to vendor_dbx.

This also improves the mirroring quite a bit.
Upstream: pr#206
</content>
</entry>
<entry>
<title>Make cert.S not impossible to read.</title>
<updated>2020-07-24T00:53:24+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2020-07-23T04:08:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=7d542805ba5c48185128a2351bb315a5648fe3d7'/>
<id>urn:sha1:7d542805ba5c48185128a2351bb315a5648fe3d7</id>
<content type='text'>
Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
Upstream: pr#206
</content>
</entry>
<entry>
<title>Add support for 32-bit ARM</title>
<updated>2014-08-12T14:54:05+00:00</updated>
<author>
<name>Ard Biesheuvel</name>
<email>ard.biesheuvel@linaro.org</email>
</author>
<published>2014-08-12T13:33:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=fa525bc4632e04346fae82a98ce23b31c6cfc86d'/>
<id>urn:sha1:fa525bc4632e04346fae82a98ce23b31c6cfc86d</id>
<content type='text'>
This adds support for building the shim for a 32-bit ARM UEFI environment.

Signed-off-by: Ard Biesheuvel &lt;ard.biesheuvel@linaro.org&gt;
</content>
</entry>
<entry>
<title>Make vendor_cert/vendor_dbx actually replaceable by an external tool.</title>
<updated>2013-10-01T18:03:16+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2013-09-09T18:43:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=02388bcd58e73effdc828e8df9bbf5553c594835'/>
<id>urn:sha1:02388bcd58e73effdc828e8df9bbf5553c594835</id>
<content type='text'>
This moves them both to be computed at runtime from a pointer+offset
rather than just a pointer, so that their real address can be entirely
derived from the section they're in.

This means you can replace the whole .vendor_cert section with a new one
with certs that don't have the same size.
</content>
</entry>
<entry>
<title>Fix some pointer casting issues.</title>
<updated>2013-06-11T18:59:48+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2013-06-11T18:58:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=23002e8e5c03800845afae8aaa7e42770c3e5d17'/>
<id>urn:sha1:23002e8e5c03800845afae8aaa7e42770c3e5d17</id>
<content type='text'>
This also fixes the size of an empty vendor_cert or dbx_cert.

Signed-off-by: Peter Jones &lt;shim-owner@fedoraproject.org&gt;
</content>
</entry>
<entry>
<title>Make .vendor_cert get the right flags set.</title>
<updated>2013-06-10T21:36:23+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2013-06-10T21:27:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=030d4748cbaa9952a06e0430c7313a3e3da8f0e3'/>
<id>urn:sha1:030d4748cbaa9952a06e0430c7313a3e3da8f0e3</id>
<content type='text'>
Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
<entry>
<title>Move embedded certificates to their own section.</title>
<updated>2013-06-10T21:35:33+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2013-03-20T17:18:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=4541fce44f88d335b9a72e1cc07687e4198e4847'/>
<id>urn:sha1:4541fce44f88d335b9a72e1cc07687e4198e4847</id>
<content type='text'>
With this change, the embedded certificate and dbx lists (vendor_cert,
vendor_cert_size, vendor_dbx, and vendor_dbx_size) wind up being in a
section named .vendor_cert, and so will look something like:
------
fenchurch:~/devel/github.com/shim$ objdump -h shim.efi

shim.efi:     file format pei-x86-64

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .eh_frame     000174a8  0000000000005000  0000000000005000  00000400  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  1 .text         000aa7e1  000000000001d000  000000000001d000  00017a00  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  2 .reloc        0000000a  00000000000c8000  00000000000c8000  000c2200  2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  3 .data         00031228  00000000000c9000  00000000000c9000  000c2400  2**5
                  CONTENTS, ALLOC, LOAD, DATA
  4 .vendor_cert  00000375  00000000000fb000  00000000000fb000  000f3800  2**0
                  CONTENTS, READONLY
  5 .dynamic      000000f0  00000000000fc000  00000000000fc000  000f3c00  2**3
                  CONTENTS, ALLOC, LOAD, DATA
  6 .rela         0002afa8  00000000000fd000  00000000000fd000  000f3e00  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  7 .dynsym       0000f1f8  0000000000128000  0000000000128000  0011ee00  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
------

This simplifies a security audit, because it means that different
versions of shim with substantially the same code with different keys
will be more easily comperable, and therefore logic differences may be
more easily identified.

This also means that if there's a trusted build you want to use, you can
remove the certificates, implant new ones, and have it signed, and the
code sections won't change.

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
<entry>
<title>vendor_cert_size's size in the binary should be 4, not -4.</title>
<updated>2013-06-10T21:35:33+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2013-03-20T17:16:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=829fd24f18a72f5d3b15b54293cb78c4aecd1971'/>
<id>urn:sha1:829fd24f18a72f5d3b15b54293cb78c4aecd1971</id>
<content type='text'>
The thing about subtraction is that the minuend needs to be before the
subtrahend in the text.

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
</feed>
