| Age | Commit message (Collapse) | Author |
|---|
|
Signed-off-by: Gary Lin <glin@suse.com>
Upstream-commit-id: 0fd3c7e8518
|
|
The gateway is not mandatory.
Signed-off-by: Gary Lin <glin@suse.com>
Upstream-commit-id: 69089e9c678
|
|
We previously only print the return status and it may not be clear
enough in some situations. Print the IP address and the gateway to help
the user to identify the possible errors.
Signed-off-by: Gary Lin <glin@suse.com>
Upstream-commit-id: 3abe94516c7
|
|
httpboot_fetch_buffer() should return EFI_NOT_FOUND to reflect the error
status when get_nic_handle() returns NULL.
Signed-off-by: Gary Lin <glin@suse.com>
Upstream-commit-id: 2be5c7dc4b0
|
|
This timeout can have the values [-1,0..0x7fff]; where -1 means "no timeout",
with MokManager going directly to the menu, and is capped to 0x7fff to avoid
unecessary long timeouts. The default remains 10, which will be used whenever
the MokTimeout variable isn't set.
Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
Upstream-commit-id: 93708c11083
|
|
'gcc -print-file-name=include' and 'gcc -print-libgcc-file-name' both
need -m32 when we're building 32-on-64 on some distros, so ensure that
gets propogated correctly.
Signed-off-by: Peter Jones <pjones@redhat.com>
Upstream-commit-id: 104d6e54ac7
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
Upstream-commit-id: dad59f8c0f36
|
|
|
|
|
|
We may end up with duplicates, let's not include hashes twice in the
shim binary blacklist
|
|
|
|
Fix some issues reported by lintian
See merge request efi-team/shim!5
|
|
Fixes: lintian: out-of-date-standards-version
See-also: https://lintian.debian.org/tags/out-of-date-standards-version.html
|
|
Fixes: lintian: upstream-metadata-file-is-missing
See-also: https://lintian.debian.org/tags/upstream-metadata-file-is-missing.html
|
|
Fixes: lintian: uses-debhelper-compat-file
See-also: https://lintian.debian.org/tags/uses-debhelper-compat-file.html
|
|
Fixes: lintian: package-uses-old-debhelper-compat-version
See-also: https://lintian.debian.org/tags/package-uses-old-debhelper-compat-version.html
|
|
Fixes: lintian: tab-in-license-text
See-also: https://lintian.debian.org/tags/tab-in-license-text.html
|
|
Fixes: lintian: insecure-copyright-format-uri
See-also: https://lintian.debian.org/tags/insecure-copyright-format-uri.html
|
|
Fixes: lintian: file-contains-trailing-whitespace
See-also: https://lintian.debian.org/tags/file-contains-trailing-whitespace.html
|
|
Change the version dependency on shim-unsigned to be >= and not =.
This will allow for installation to still work in the window while we
wait for the template package to do its second trip through the
archive. Closes: #955356
|
|
|
|
|
|
|
|
Pull upstream commit aaa09b35e73c4a35fc119d225e5241199d7cf5aa to fix
an FTBFS.
|
|
for the dbx list, as recommended by Peter Jones. No actual changes
needed in our list of hashes at this point - they work out the same
either way.
|
|
|
|
Not needed now.
|
|
so they'll get an empty dbs list rather than breaking the build
|
|
It wouldn't hurt to keep a record of them.
|
|
While it maybe convenient for a developer to be able to do a build
w/o any dbx hashes, it prevents the $(DBX_LIST) target from having
a proper dependency on the $(DBX_HASHES) file. If a developer were
to add a new hash in a built tree, make would not detect that on
a subsequent build and would not update the $(DBX_LIST) file.
Continue to support a NULL $(DBX_LIST) build by touching the
$(DBX_LIST) file in case no efisiglist commands ran. Developers
can now create an empty $(DBX_HASHES) file to get that.
|
|
|
|
Without this we would silently ignore an efisiglist command error.
|
|
|
|
Changes:
crash fixes
generate dbx file at runtime
|
|
signed arm64 grub binaries that allow use of the devicetree command,
as found in
grub-efi-arm64-signed_1+2.02+dfsg1+16_arm64.deb
grub-efi-arm64-signed_1+2.02+dfsg1+17_arm64.deb
|
|
|
|
This allow us to block executing binaries with specific
checksums. Generate the dbx list at runtime from a simple list of
sha256 hashes, so we can update this easily. If we need to also
blacklist a cert later, we'll need to update this code to add that
option too.
Add a build-dep on pesign to get the needed efisiglist program.
|
|
To get better control of reproducibility during the lifetime of
Buster
|
|
|
|
Cherry-picked fix from upstream MR at
https://github.com/rhboot/shim/pull/174/commits/3a9e237b1baddf0d3192755406befb3e9fa5ca80
From: https://github.com/openssl/openssl/commit/f13615c5b828aeb8e3d9bf2545c803633d1c684f
Apply an upstream patch from OpenSSL to tolerate a NULL sn. This
avoids a NULL pointer reference in shim.c:verify_eku(). This was
discovered because it causes a crash on ARM where, unlike x86, it does
not necessarily have memory mapped at 0x0.
Fixes: 6c180c6004ac ("shim: verify Extended Key Usage flags")
Signed-off-by: dann frazier <dann.frazier@canonical.com>
|
|
Backport of upstream fix:
VLogError() calculates the size of format strings by using calls to
SPrint and VSPrint with a StrSize of 0 and NULL for an output
buffer. Unfortunately, this is an incorrect usage of (V)Sprint. A
StrSize of "0" is special-cased to mean "there is no limit". So, we
end up writing our string to address 0x0. This was discovered because
it causes a crash on ARM where, unlike x86, it does not necessarily
have memory mapped at 0x0.
Avoid the (V)Sprint calls altogether by using (V)PoolPrint, which
handles the size calculation and allocation for us.
Signed-off-by: Peter Jones <pjones@redhat.com>
Fixes: 25f6fd08cd26 ("try to show errors more usefully.")
[dannf: commit message ]
Signed-off-by: dann frazier <dann.frazier@canonical.com>
|
|
debian/control: Update Vcs-* fields
See merge request efi-team/shim!4
|
|
|
|
|
|
|
|
to fix clashes with the old shim-signed package for fbx64.efi.signed
and mmx64.efi.signed. Closes: #924619
|
|
|
|
We manually install things owned by root. There might be better ways
to do this, but this will do for now.
|
|
|
|
Correct maintainer address in signing template
See merge request efi-team/shim!3
|
