Age | Commit message | Author
2019-02-15 | Add shim-$arch-signed-template support | Philipp Hahn
for getting the MOK-manager and fall-back binary to be signed by Debian's signing service instead of using an ephemeral key.
Closes: #922228
2019-02-15 | Rename to shim-unsigned | Philipp Hahn
as all EFI binaries are now unsigned. They are useless to any normal user as
- shim is useless without being signed by an external UEFI CA.
- mm and fb won't be loaded by shim as they are now no longer linked to corresponding shim by the ephemeral key any longer.
2019-02-15 | Disable ephemeral key on Debian | Philipp Hahn
shim creates an ephemeral key, which gets embedded into shim and is used to sign the corresponding mok-manager (mm*.efi) and fall-back-manager (fb*.efi). This makes the build unreproducible. For Debian we will get those two binaries signed by our Debian-UEFI-CA, which is the primary (and only) key embedded in shim.
2019-02-15 | debian/rules: fixing permissions no longer required | Philipp Hahn
as Makefiles used "install -m 0644" by now.
2019-02-11 | releasing package shim version 15+1533136590.3beb971-2 [debian/15+1533136590.3beb971-2] | Steve Langasek
2019-02-10 | Update debian/copyright (drop reference to file no longer in source) | Steve Langasek
2019-02-10 | Update Standards-Version. | Steve Langasek
2019-02-10 | Ensure DEB_HOST_ARCH is set even if not present in the environment. | Steve Langasek
2019-02-10 | Enable build for i386. | Steve Langasek
2019-02-10 | Fix debian/rules syntax for arm64 build. | Steve Langasek
2019-02-10 | Update VCS to point to salsa. | Steve Langasek
2019-02-10 | Update debian/watch. | Steve Langasek
2019-02-09 | * New upstream release. [debian/15+1533136590.3beb971-1] | Steve Langasek
  - debian/patches/second-stage-path: dropped; the default loader path now includes an arch suffix.
  - debian/patches/sbsigntool-no-pesign: dropped; no longer needed.
* Drop remaining patches that were not being applied.
* Sync packaging from Ubuntu:
  - debian/copyright: Update upstream source location.
  - debian/control: add a Build-Depends on libelf-dev.
  - Enable arm64 build.
  - debian/patches/fixup_git.patch: don't run git in clean; we're not really in a git tree.
  - debian/rules, debian/shim.install: use the upstream install target as intended, and move files to the target directory using dh_install.
  - define RELEASE and COMMIT_ID for the snapshot.
  - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
  - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream options: set MAKELEVEL.
  - Define an EFI_ARCH variable, and use that for paths to shim. This makes it possible to build a shim for other architectures than amd64.
  - Set EFIDIR=$distro for dh_auto_install; that will let files be installed in the "right" final directories, and makes boot.csv for us.
  - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built at compile-time for MokManager and fallback.
  - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback and MokManager.
2019-02-09 | null merge of the Ubuntu git history | Steve Langasek
2018-08-22 | releasing package shim version 15+1533136590.3beb971-0ubuntu1 [debian/15+1533136590.3beb971-0ubuntu1] | Mathieu Trudel-Lapierre
2018-08-22 | Make sure we pass the right COMMIT_ID to build | Mathieu Trudel-Lapierre
2018-08-21 | Update to new snapshot | Mathieu Trudel-Lapierre
2018-08-21 | New upstream version 15+1533136590.3beb971 [upstream/15+1533136590.3beb971] | Mathieu Trudel-Lapierre
2018-08-21 | Update upstream source from tag 'upstream/15+1533136590.3beb971' | Mathieu Trudel-Lapierre
Update to upstream version '15+1533136590.3beb971' with Debian dir 26714b7953c3d4b1f6aa8b95e9e1e026d455a008
2018-08-14 | releasing package shim version 15+1531942534.dd3230d-0ubuntu1 [debian/15+1531942534.dd3230d-0ubuntu1] | Mathieu Trudel-Lapierre
2018-07-24 | debian/patches/fixup_git.patch: don't run git in clean; we're not really in a git tree. | Mathieu Trudel-Lapierre
2018-07-24 | * debian/rules: | Mathieu Trudel-Lapierre
  - define RELEASE and COMMIT_ID for the snapshot.
  - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
2018-07-24 | debian/patches/abort_abort_abort.patch: dropped patch, included upstream. | Mathieu Trudel-Lapierre
2018-07-24 | New upstream snapshot. | Mathieu Trudel-Lapierre
2018-07-24 | New upstream version 15+1531942534.dd3230d [upstream/15+1531942534.dd3230d] | Mathieu Trudel-Lapierre
2018-07-24 | Update upstream source from tag 'upstream/15+1531942534.dd3230d' | Mathieu Trudel-Lapierre
Update to upstream version '15+1531942534.dd3230d' with Debian dir 8b167be00338c76b0ddc9164059ce6090c274641
2018-04-24 | Enable arm64 build. | dann frazier
2018-04-23 | Fix Vcs link. | Steve Langasek
2018-04-05 | Bump version to 15 [Version_15] [15] | Peter Jones
2018-04-05 | Audit get_variable() calls for correct FreePool() use. | Peter Jones
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-04-05 | Fix get_variable() usage in setup_verbosity() | Peter Jones
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-04-05 | Make setup_console(-1) do GetMode() and call it from setup_verbosity() | Peter Jones
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-04-05 | Make handle_image() use console_print() not console_notify() on success | Peter Jones
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-04-05 | Fix lib/ rebuild-on-change dependencies in the Makefile | Peter Jones
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-04-05 | Get rid of dprinta(), it's useless | Peter Jones
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-04-04 | tpm_log_event_raw(): be more careful about EFI_NOT_FOUND | Peter Jones
Don't return EFI_NOT_FOUND from tpm_log_event*() unless we're in REQUIRE_TPM mode.
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-04-04 | Make the 'something has gone seriously wrong' message less ambiguous | Peter Jones
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-04-04 | read_header(): fix the case where signatures have been removed. | Peter Jones
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-04-04 | Add another TODO for shim-16 | Peter Jones
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-03-23 | Add some TODO items for shim-16 | Peter Jones
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-03-23 | .travis.yml: update travis to get newer gnu-efi. | Peter Jones
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-03-23 | Revert "Allow shim to handle multiple trusted certificates" | Peter Jones
This was merged before it was really ready - verify_trusted_cert needs to check each certificate against vendor_dbx, "dbx", and "MokListX", or else it can enable a blacklisted certificate accidentally.
This reverts commit 8721bbe6fb1bfdfbc8bd16e05673929e4cbbdedc.
2018-03-20 | Revert "MokManager: stop using StrnCat" | Peter Jones
This reverts commit 6aa5a62515d62139a2d3b34626fac8910e864a3d.
Everything Hans said was correct. But StrnCat() is in gnu-efi 3.0.8, and using just StrCpy() here confuses coverity. I'd rather have a CI page that's not completely full of chaff, but a little bit of redundancy in the code.
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-03-19 | Fix i386 pointer type error. | Peter Jones
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-03-15 | Avoid a minor scan-build complaint. | Peter Jones
scan-build doesn't like it when we assign return values but don't use them.
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-03-15 | Work around clang bugs for scan-build. | Peter Jones
I don't think the x86 binaries clang builds will actually work unless they just infer -maccumulate-outgoing-args from __attribute__((__ms_abi__), but it's nice to have the analyzer working.
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-03-14 | travis: Fix a typo | Peter Jones
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-03-14 | Fix the working directory we start in. | Peter Jones
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-03-14 | Add some configs for CI using github+travis+docker | Peter Jones
Signed-off-by: Peter Jones <pjones@redhat.com>
2018-03-14 | Allow shim to handle multiple trusted certificates | Michael Brown
Allow shim to perform verification against a list of trusted certificates by simply concatenating the DER files.
Signed-off-by: Michael Brown <mbrown@fensystems.co.uk>