(mirror of https://github.com/vyos/efi-boot-shim.git) https://git.amelek.net/vyos/efi-boot-shim.git/atom?h=master 2021-03-23T23:34:12+00:00 2021-03-23T23:34:12+00:00 Steve McIntyre steve@einval.com 2021-03-15T21:39:49+00:00 urn:sha1:e6b19d2db7be7f9535cc06ecb8493e1336c7b78d Update a couple of top-level changes, copy in gnu-efi information from the gnu-efi package 2020-04-01T06:39:14+00:00 Debian Janitor janitor@jelmer.uk 2020-04-01T06:39:14+00:00 urn:sha1:e1df2a1d8734ec256e5be3513c023dd75a791725 Fixes: lintian: tab-in-license-text See-also: https://lintian.debian.org/tags/tab-in-license-text.html 2020-04-01T06:38:44+00:00 Debian Janitor janitor@jelmer.uk 2020-04-01T06:38:44+00:00 urn:sha1:1a8bb34c7ee4789f47f1f7bb4dc904ae127230c6 Fixes: lintian: insecure-copyright-format-uri See-also: https://lintian.debian.org/tags/insecure-copyright-format-uri.html 2019-02-11T05:16:09+00:00 Steve Langasek steve.langasek@canonical.com 2019-02-11T05:16:09+00:00 urn:sha1:47660e6730236617dfc1a264db2d98f35692f7c1 2019-02-10T05:32:44+00:00 Steve Langasek steve.langasek@canonical.com 2019-02-10T05:28:06+00:00 urn:sha1:ab4c731c1dd379acd3e95971af57401fb0a650a1 - debian/patches/second-stage-path: dropped; the default loader path now includes an arch suffix. - debian/patches/sbsigntool-no-pesign: dropped; no longer needed. * Drop remaining patches that were not being applied. * Sync packaging from Ubuntu: - debian/copyright: Update upstream source location. - debian/control: add a Build-Depends on libelf-dev. - Enable arm64 build. - debian/patches/fixup_git.patch: don't run git in clean; we're not really in a git tree. - debian/rules, debian/shim.install: use the upstream install target as intended, and move files to the target directory using dh_install. - define RELEASE and COMMIT_ID for the snapshot. - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature. - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream options: set MAKELEVEL. - Define an EFI_ARCH variable, and use that for paths to shim. This makes it possible to build a shim for other architectures than amd64. - Set EFIDIR=$distro for dh_auto_install; that will let files be installed in the "right" final directories, and makes boot.csv for us. - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built at compile-time for MokManager and fallback. - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback and MokManager. 2017-08-04T16:10:50+00:00 Julien Cristau jcristau@debian.org 2016-10-15T13:17:34+00:00 urn:sha1:c117735c205dea04b1a0dbaaa6dfdb0b11250ea7 shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium [ Steve Langasek ] * Initial Debian upload. Closes: #820052. * Update Standards-Version. * Embed the newly-minted Debian CA certificate. * Vendorize debian/rules so that the same package can be used in both Debian and Ubuntu without modification. * Fix debian/copyright to match the spec (last match wins, not first) * Fix shim.efi to not be executable. * Add watchfile. * Support parallel builds, because eh why not * Update Vcs-Bzr. * Resync with Ubuntu, including patch to fix debian/copyright. [ Julien Cristau ] * Add some missing copyright holders in d/copyright, update Upstream-Contact. Thanks to Helen Koike for the help. shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium [ Helen Koike ] * debian/copyright: add OpenSSL license [ Mathieu Trudel-Lapierre ] * New upstream release. * debian/copyright: patches should be BSD, like the rest of the upstream code. * debian/patches/unused-variable: dropped; applied upstream. * debian/patches/binutils-version-matching: dropped, fixed upstream. * debian/shim.install: built EFI binaries were renamed; update our install file to properly pick up shim (shim$arch), MokManager (mm$arch), and fallback (fb$arch). shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium * New upstream release. - Better handle LoadOptions. (LP: #1581299) - Measure state and second stage in TPM. - Mirror MokSBState in runtime as MokSBStateRT. - Fix failure to build with GCC 5. (LP: #1429978) - Various bug fixes and other improvements. * Refreshed patches. - Remaining patches: + second-stage-path + sbsigntool-not-pesign * debian/patches/unused-variable: remove unused variable size. * debian/patches/binutils-version-matching: revert d9a4c912 to correctly match objcopy's version on Ubuntu. * debian/copyright: update copyright for patches. shim (0.8-0ubuntu2) wily; urgency=medium * No-change rebuild against gnu-efi 3.0v-5ubuntu1. shim (0.8-0ubuntu1) wily; urgency=medium * New upstream release. - Clarify meaning of insecure_mode. (LP: #1384973) * debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch, debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included in the upstream release. * debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path: refreshed. shim (0.7-0ubuntu4) utopic; urgency=medium * SECURITY UPDATE: heap overflow and out-of-bounds read access when parsing DHCPv6 information - debian/patches/CVE-2014-3675.patch: apply proper bounds checking when parsing data provided in DHCPv6 packets. - CVE-2014-3675 - CVE-2014-3676 * SECURITY UPDATE: memory corruption when processing user-provided key lists - debian/patches/CVE-2014-3677.patch: detect malformed machine owner key (MOK) lists and ignore them, avoiding possible memory corruption. - CVE-2014-3677 shim (0.7-0ubuntu2) utopic; urgency=medium * Restore debian/patches/prototypes, which still is needed on shim 0.7 but only detected on the buildds. * Update debian/patches/prototypes with some new declarations needed for openssl 0.9.8za update. shim (0.7-0ubuntu1) utopic; urgency=medium * New upstream release. - fix spurious error message when fallback.efi is not present, as will always be the case for removable media. LP: #1297069. - drop most patches, included upstream. * debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick openssl 0.9.8za in via upstream. shim (0.4-0ubuntu5) utopic; urgency=low * Install fallback.efi.signed as well, to lay the groundwork for fallback handling (wanted when we have to move a drive between machines, or when the firmware loses its marbles^W nvram). shim (0.4-0ubuntu4) saucy; urgency=low * debian/patches/fix-tftp-prototype: pass the right arguments to EFI_PXE_BASE_CODE_TFTP_READ_FILE. * debian/patches/build-with-Werror: Build with -Werror to catch future prototype mismatches. * debian/patches/fix-compiler-warnings: Fix remaining compiler warnings in netboot.c. * debian/patches/tftp-proper-nul-termination: fix nul termination errors in filenames passed to tftp. * debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to the netboot code. shim (0.4-0ubuntu3) saucy; urgency=low [ Steve Langasek ] * Install MokManager.efi.signed in the package. * debian/patches/no-output-by-default.patch: Don't print any informational messages. Closes LP: #1074302. [ Stéphane Graber ] * debian/patches/no-print-on-unsigned: Don't print an error message when validating an unsigned binary as that tends to hang Lenovo machines. (LP: #1087501) shim (0.4-0ubuntu2) saucy; urgency=low * Add missing build-dependency on openssl. shim (0.4-0ubuntu1) saucy; urgency=low * New upstream release. * Drop debian/patches/shim-before-loadimage; upstream has changed this to not call loadimage at all. * debian/patches/sbsigntool-not-pesign: Sign MokManager with sbsigntool instead of pesign. * Add a versioned build-dependency on gnu-efi. shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low * debian/patches/shim-before-loadimage: Use direct verification first before LoadImage. Addresses an issue where Lenovo's SecureBoot implementation pops an error message on any verification failure - avoid calling LoadImage at all unless we have to. shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low * debian/patches/second-stage-path: Chainload grubx64.efi, not grub.efi. shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low * debian/patches/prototypes: Include missing prototypes, and disable use of BIO_new_file. * Only build the package for amd64; we're not signing an i386 shim at this stage so there's no point in building it. shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low * Initial release. * Include the Canonical Secure Boot master CA. 2016-10-15T13:30:50+00:00 Julien Cristau julien@betterave.cristau.org 2016-10-15T13:30:50+00:00 urn:sha1:19d90b863ddf93b00677b87cdf0ec05e55bf8447 2016-10-13T07:07:31+00:00 Julien Cristau julien@betterave.cristau.org 2016-10-13T07:07:31+00:00 urn:sha1:ce5a310ea0ec72638afb710d6672523e9ff4ce54 2016-10-01T21:18:49+00:00 Steve Langasek steve.langasek@canonical.com 2016-10-01T21:18:49+00:00 urn:sha1:b65e78ec015a308c1798e602c94502327cc90cd9 2016-10-01T20:11:17+00:00 Steve Langasek steve.langasek@canonical.com 2016-10-01T20:11:17+00:00 urn:sha1:21ebe03556d7030055644f46efd3c165396a7a75 * Update Standards-Version. * Embed the newly-minted Debian CA certificate. * Vendorize debian/rules so that the same package can be used in both Debian and Ubuntu without modification. * Fix debian/copyright to match the spec (last match wins, not first) * Fix shim.efi to not be executable. * Add watchfile. * Support parallel builds, because eh why not * Update Vcs-Bzr.