(mirror of https://github.com/vyos/efi-boot-shim.git) https://git.amelek.net/vyos/efi-boot-shim.git/atom?h=vyos%2Fcurrent 2025-03-14T15:05:05+00:00 2025-03-14T15:05:05+00:00 Peter Jones pjones@redhat.com 2025-03-12T20:28:14+00:00 urn:sha1:db1f1dac7e7f49b985d1c338c667c34424cb8d54 It breaks every time somehow. Signed-off-by: Peter Jones <pjones@redhat.com> 2025-02-26T14:39:46+00:00 Peter Jones pjones@redhat.com 2025-02-25T19:33:50+00:00 urn:sha1:9c423e09cd9a0196888253b16fe7022deadc20fc In d972515e608e ("Save the debug and error logs in mok-variables") had a few deficiencies: 1) the size of the result table isn't correctly computed when either errlog or dbglog is 0 sized (much more likely for the former), 2) when we save the error log we leak the allocation for the previous mok variables, and 3) original mok variables were allocated with AllocatePages(), but the new ones were allocated with AllocateZeroPool(). The former guarantees page alignment, which we want here. This fixes all three of these. Signed-off-by: Peter Jones <pjones@redhat.com> 2025-02-26T00:40:54+00:00 Peter Jones pjones@redhat.com 2025-02-25T14:00:20+00:00 urn:sha1:c5c5287b8a0da20b711601921dc34a9cfa2e39db Signed-off-by: Peter Jones <pjones@redhat.com> 2025-02-26T00:40:54+00:00 Peter Jones pjones@redhat.com 2025-02-21T00:20:47+00:00 urn:sha1:89e615081af5fbafefeae5b09def3a003e467838 hughsie asked me to also make it observable at runtime whether the shim binary that was used to boot was set as NX_COMPAT or not. This adds that into the HSIStatus data as "shim-has-nx-compat-set". Signed-off-by: Peter Jones <pjones@redhat.com> 2025-02-26T00:40:54+00:00 Peter Jones pjones@redhat.com 2025-02-25T16:44:11+00:00 urn:sha1:3bce11831343ba6e67740f23ab3a6c6f09bc0bca When we're parsing the PE header of shim itself from the Loaded Image object, the signatures aren't present, but the Certificate Table entry in the Data Directory has not been cleared, so it'll fail verification. We know when we're doing that, so this patch makes that test optional. Signed-off-by: Peter Jones <pjones@redhat.com> 2025-02-26T00:40:54+00:00 Peter Jones pjones@redhat.com 2025-02-25T15:41:41+00:00 urn:sha1:1baf1efb37e2728104765477b12b70aeef3090af This changes all the HSI bitfield operations to print a string showing the change instead of just hex values. Signed-off-by: Peter Jones <pjones@redhat.com> 2025-02-26T00:40:54+00:00 Peter Jones pjones@redhat.com 2025-02-24T17:00:33+00:00 urn:sha1:c868d54def8cebd151964fdeaa8257932b8cfc39 Signed-off-by: Peter Jones <pjones@redhat.com> 2025-02-24T20:58:16+00:00 Peter Jones pjones@redhat.com 2025-02-20T19:44:10+00:00 urn:sha1:9269e9b0aa15ae9832f7eba6c5eeef0c5e1f4edb This adds three more entries to our HSI data: has-dxe-services-table: technically only tells us if UEFI's LocateProtocol will give us a DXE services table, but practically also tells us if the machine is implementing DXE in any way. has-get-memory-space-descriptor: tells us if DXE->GetMemorySpaceDescriptor is populated has-set-memory-space-descriptor: tells us if DXE->SetMemorySpaceDescriptor is populated Signed-off-by: Peter Jones <pjones@redhat.com> 2025-02-24T20:58:16+00:00 Peter Jones pjones@redhat.com 2024-06-27T19:19:38+00:00 urn:sha1:c41b1f066b9f279b70d933095f277eddbd7c6433 This adds DXE implementations of get_mem_attrs() and update_mem_attrs() for machines that implement DXE but don't yet have the EFI_MEMORY_ATTRIBUTE_PROTOCOL. Signed-off-by: Peter Jones <pjones@redhat.com> 2025-02-24T20:26:20+00:00 Peter Jones pjones@redhat.com 2025-02-18T20:10:22+00:00 urn:sha1:b216543d691050d6cdd37c3500571cf67882f1bc Previously the mok mirror state flags were only used in the mok mirroring code. But there are other consumers of that data, namely our variable test cases, and it's useful for them to be able to check the flags. Signed-off-by: Peter Jones <pjones@redhat.com>