summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2015-06-04Only run MokManager if asked or a security violation occurs.Peter Jones
Don't run MokManager on any random error from start_image(second_stage); only try it if it /is/ the second stage, or if start_image gave us EFI_SECURITY_VIOLATION. Signed-off-by: Peter Jones <pjones@redhat.com>
2015-05-12More GCC 5 fixes: stdarg.h and other include tweaks, cherry-pick fromMathieu Trudel-Lapierre
d51739a4.
2015-05-12Fix build with GCC 5, forcing -std=gnu89 to not rely on stdint.hMathieu Trudel-Lapierre
required by efibind.h, and not found with -nostdinc. (LP: #1429978)
2015-05-12Make the build failed with objcopy < 2.24Gary Ching-Pang Lin
The wildcard support was introduced in objcopy since binutils 2.24. However, objcopy < 2.24 never issues any warning message with the wildcard and a faulty binary will be generated. This commit makes the build failed as a notification for the usage of binutils < 2.24. Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
2015-05-12Update Cryptlib and opensslGary Ching-Pang Lin
Update Cryptlib to r16559 and openssl to 0.9.8zf Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
2015-05-12releasing package shim version 0.8-0ubuntu2Steve Langasek
2015-05-11* New upstream release.Mathieu Trudel-Lapierre
- Clarify meaning of insecure_mode. (LP: #1384973) * debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch, debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included in the upstream release. * debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path: refreshed.
2015-05-10Reapplying all patchesMathieu Trudel-Lapierre
2015-05-07Add bug tag for insecure_mode semantics changes in 0.8.Mathieu Trudel-Lapierre
2015-05-06debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path:Mathieu Trudel-Lapierre
refreshed.
2015-05-06debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,Mathieu Trudel-Lapierre
debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included in the upstream release.
2015-05-06New upstream release.Mathieu Trudel-Lapierre
2015-05-06Import upstream version 0.8Mathieu Trudel-Lapierre
2015-05-06Unapplying patches to prevent spurious conflicts.Mathieu Trudel-Lapierre
2015-05-05Merge upstream git branch for release 0.7Steve Langasek
2015-05-05Fix the version number; this was uploaded for some reason as -0ubuntu4, not ↵Steve Langasek
-0ubuntu3.
2015-04-15Explicitly request sysv-style ELF hash sectionsMatthew Garrett
We depend on there being a .hash section in the binary, and that's not the case on distributions that default to building with gnu-style ELF hashes. Explicitly request sysv-style hashes in order to avoid building broken binaries. Signed-off-by: Matthew Garrett <mjg59@coreos.com>
2015-04-13gcc 5.0 changes some include bits, so copy what arm does on x86.Peter Jones
Basically they messed around with stdarg some and now we need to do it the other way. Signed-off-by: Peter Jones <pjones@redhat.com>
2015-04-13Make lib/ use the right CFLAGS.Peter Jones
Signed-off-by: Peter Jones <pjones@redhat.com>
2015-04-13Make lib/ build right with the cflags it should be using...Peter Jones
... but isn't. Signed-off-by: Peter Jones <pjones@redhat.com>
2015-04-13Fix length of allocated buffer for boot option comparison.Laszlo Ersek
The following commit: commit 4aac8a1179e160397d7ef8f1e3232cfb4f3373d6 Author: Gary Ching-Pang Lin <glin@suse.com> Date: Thu Mar 6 10:57:02 2014 +0800 [fallback] Fix the data size for boot option comparison corrected the data size used for comparison, but also reduced the allocation so it doesn't include the trailing UTF16LE '\0\0' at the end of the string, with the result that the trailer of the buffer containing the string is overwritten, which OVMF detects as memory corruption. Increase the size of the storage buffer in a few places to correct this problem. Signed-off-by: Richard W.M. Jones <rjones@redhat.com> Cc: Laszlo Ersek <lersek@redhat.com> Cc: Gary Ching-Pang Lin <glin@suse.com>
2015-04-13fallback: Fix comparison between signed and unsigned in debugging code.Richard W.M. Jones
fallback.c: In function ‘update_boot_order’: fallback.c:334:17: error: comparison between signed and unsigned integer expressions [-Werror=sign-compare] for (j = 0 ; j < size / sizeof (CHAR16); j++) ^ fallback.c: In function ‘add_to_boot_list’: fallback.c:402:16: error: comparison between signed and unsigned integer expressions [-Werror=sign-compare] for (i = 0; i < s; i++) { ^ Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
2015-04-13Don't install our protocols if we're not in secure mode.Peter Jones
System services haven't been hooked if we're not in secure mode, so do_exit() will never be called. In this case shim never gets control once grub exits, which means if booting fails and the firmware tries another boot option, it'll attempt to talk to the shim protocol we installed. This is wrong, because it is allowed to have been cleared from ram at this time, since the task it's under has exited. So just don't install the protocols when we're not enforcing. This version also has a message and a 2-second stall after calling start_image(), so that we can tell if we are on the expected return path of our execution flow.
2015-04-13Align the sections we're loading, and check for validity /after/ discarding.Peter Jones
Turns out a) the codegen on aarch64 generates code that has real alignment needs, and b) if we check the length of discardable sections before discarding them, we error for no reason. So do the error checking in the right order, and always enforce some alignment because we know we have to. Signed-off-by: Peter Jones <pjones@redhat.com>
2014-12-11Add nostdinc to the CFLAGS for libGary Ching-Pang Lin
We don't need the headers from the standard include path. Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
2014-10-13Bump version to 0.8Peter Jones
2014-10-08releasing package shim version 0.7-0ubuntu3Steve Langasek
2014-10-08* SECURITY UPDATE: heap overflow and out-of-bounds read access whenSteve Langasek
parsing DHCPv6 information - debian/patches/CVE-2014-3675.patch: apply proper bounds checking when parsing data provided in DHCPv6 packets. - CVE-2014-3675 - CVE-2014-3676 * SECURITY UPDATE: memory corruption when processing user-provided key lists - debian/patches/CVE-2014-3677.patch: detect malformed machine owner key (MOK) lists and ignore them, avoiding possible memory corruption. - CVE-2014-3677
2014-10-07releasing package shim version 0.7-0ubuntu2Steve Langasek
2014-10-07Update debian/patches/prototypes with some new declarations needed forSteve Langasek
openssl 0.9.8za update.
2014-10-07Restore debian/patches/prototypes, which still is needed on shim 0.7Steve Langasek
but only detected on the buildds.
2014-10-07releasing package shim version 0.7-0ubuntu1Steve Langasek
2014-10-07debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pickSteve Langasek
openssl 0.9.8za in via upstream.
2014-10-07Drop prototypes patch, apparently not needed upstreamSteve Langasek
2014-10-07drop most patches, included upstream.Steve Langasek
2014-10-06Merge upstream version 0.7Steve Langasek
2014-10-06Import upstream version 0.7Steve Langasek
2014-10-02Correctly reject bad tftp addresses earlier, rather than later.Peter Jones
This check is for end == NULL but was meant to be *end == '\0'. Without this change, we'll pass a plausibly bad address (i.e. one with no ']' at the end) to Mtftp(... READ_FILE ...), which should fail correctly, but our error messaging will be inconsistent. Signed-off-by: Peter Jones <pjones@redhat.com>
2014-10-02Use -Werror=sign-compare .Peter Jones
I'm going to have to fix any errors that have this anyway, so may as well do it here properly. Signed-off-by: Peter Jones <pjones@redhat.com>
2014-10-02Make another integer compare be signed/unsigned safe as well.Peter Jones
Signed-off-by: Peter Jones <pjones@redhat.com>
2014-10-02OOB access when parsing MOK List/Certificates on MOK enrollmentSebastian Krahmer
2014-10-02shim buffer overflow on ipv6 option parsingSebastian Krahmer
2014-10-02Another testplan error.Peter Jones
Signed-off-by: Peter Jones <pjones@redhat.com>
2014-10-02Cryptlib: remove the unused filesGary Ching-Pang Lin
I mistakenly added CryptPkcs7VerifyNull.c which may make Pkcs7Verify always return FALSE. Besides CryptPkcs7VerifyNull.c, there are some functions we would never use. This commit removes those files to avoid any potential trouble. Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
2014-10-02Don't verify images with the empty build keyGary Ching-Pang Lin
We replaced the build key with an empty file while compiling shim for our distro. Skip the verification with the empty build key since this makes no sense. Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
2014-10-02Fix some minor testplan errors.Peter Jones
Signed-off-by: Peter Jones <pjones@redhat.com>
2014-10-02Don't append an empty cert list to MokListRT if vendor_cert_size is 0.Peter Jones
Signed-off-by: Peter Jones <pjones@redhat.com>
2014-09-30Actually find the relocations correctly and process them that way.Peter Jones
Find the relocations based on the *file* address in the old binary, because it's only the same as the virtual address some of the time. Also perform some extra validation before processing it, and don't bail out in /error/ if both ReloceBase and RelocEnd are null - that condition is fine. Signed-off-by: Peter Jones <pjones@redhat.com>
2014-09-30Revert header changesPeter Jones
Revert "Do the same for ia32..." and "Generate a sane PE header on shim, fallback, and MokManager." This reverts commit 6744a7ef8eca44948565c3d1244ec931ed3f6fee. and commit 0e7ba5947eb38b79de2051ecf3b95055e620475c. These are premature and I can do this without such drastic measures. Signed-off-by: Peter Jones <pjones@redhat.com>
2014-09-21Make list_keys() index variables all be signed.Peter Jones
We build with -Werror=signed-compare in fedora/rhel rpms, and this showed up. Signed-off-by: Peter Jones <pjones@redhat.com>
generated by cgit v1.2.3 (git 2.39.1) at 2025-09-02 18:49:17 +0000