| Age | Commit message (Collapse) | Author |
|---|
|
|
|
We don't need the functions in CryptPem.c.
Signed-off-by: Gary Lin <glin@suse.com>
|
|
in_protocol is declared in console.h, so httpboot.c has to include the
header.
Signed-off-by: Gary Lin <glin@suse.com>
|
|
We should get out of the loop once the uri node is not the last node in
the device path.
Signed-off-by: Gary Lin <glin@suse.com>
|
|
Originally, we check if the last 2 nodes in the device path are
IPv4()/Uri() or IPv6()/Uri() to determine whether httpboot is used or
not. However, since UEFI 2.7, the DNS node will be inserted between the
IP node and the URI node if the server provides the DNS server address.
This commit changes the matching rule to search IP node and URI node
and ignore any node between those two nodes.
Signed-off-by: Gary Lin <glin@suse.com>
|
|
Make sure if we chainload things, a chainloaded bootloader will be able to use
the latest systab replacements and protocols. They need to match for things
to validate correctly.
Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
|
|
|
|
of the structure of our binary, partly because abort() is thought to be an external symbol, which causes some relocalisations to appear.
|
|
|
|
Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
|
|
Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
|
|
Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
|
|
|
|
|
|
with Debian dir e38346a2eec5376ccf228af4ba0e2d170f07448f
|
|
with Debian dir e38346a2eec5376ccf228af4ba0e2d170f07448f
|
|
|
|
shim 13:
- OpenSSL reverted to 1.0.2k to make the cert chaining of existing deployments stay working
- Better PCR usage for TPM
- TPM documentation in README.tpm
- More configurable build via make variables:
ENABLE_SHIM_CERT
ENABLE_SHIM_HASH
ENABLE_SBSIGN
LIBDIR
EFIDIR
VENDOR_CERT_FILE
VENDOR_DB_FILE
- Better MoK documentation in MokVars.txt
- Better debuginfo generation
- Lots of minor bug fixes.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
|
|
If you build with ENABLE_SHIM_CERT=1, the include chain right now winds
up meaning shim_cert is defined in a header that gets included in
netboot.c as well, which never uses it:
In file included from shim.h:125:0,
from netboot.c:36:
shim_cert.h:1:14: error: ‘shim_cert’ defined but not used [-Werror=unused-variable]
static UINT8 shim_cert[] = {
^~~~~~~~~
cc1: all warnings being treated as errors
So make that okay by adding __attribute__((__unused__)) to the variable
decl.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
|
|
|
|
'upstream/13_git1506531982.23ce039'
with Debian dir bc85d2ed9d59b8c9e8d4bf33603c75c11feec4f8
|
|
|
|
|
|
shim will now build and ship BOOT.CSV by itself.
|
|
|
|
|
|
Cyphermox discovered that when you run this:
( printf "\xff\x00\xfe\x00" ; echo "shimx64.efi,foo,,This is the boot entry for foo" ) | sed -z 's/./&\x00/g'
on some debian machines, printf(1) doesn't interpret the \x.. characters,
and that results in this being the encoded text:
00000000 5c 78 66 66 5c 78 66 65 73 00 68 00 69 00 6d 00 |\xff\xfes.h.i.m.|
00000010 78 00 36 00 34 00 2e 00 65 00 66 00 69 00 2c 00 |x.6.4...e.f.i.,.|
00000020 66 00 6f 00 6f 00 2c 00 2c 00 54 00 68 00 69 00 |f.o.o.,.,.T.h.i.|
which... yeah, that's wrong. So instead, use iconv instead of
printf+sed to encode it in UCS-2. Unfortunately, that means we don't
get endian markers, because for some reason iconv(1) doesn't have any way
to say it should include them. But that's okay; fallback already
handles not having them and just assumes the second byte being \x00
means UCS-2LE.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Commit 1e71734992 inadvertantly switched ARM's
LDFLAGS+=--defsym=EFI_SUBSYSTEM=$(SUBSYSTEM) to be before LDFLAGS is set,
and so it got clobbered away.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
|
|
'upstream/13_git1505328971.0780644a'
with Debian dir 8d0dcc2dc48e0c1bf2e174c33432be6f73754e7a
|
|
shim_cert.h is required by other pieces (such as netboot.o, cert.o) and
might not be built by the time these targets are reached. In that case the
build would fail as it can't find a required header.
Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
|
|
It should not be left around after clean since it's a generated file.
Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
|
|
|
|
|
|
'upstream/13_git1505328970.9c1c35c5'
with Debian dir 676fec75f526e6b8072deb5302628d27abfc7449
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
I'm still having some trouble with the offsetof() definition, so just
nerf it to what stddef.h would say anyway.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
I think this works around most of them.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Disable DES completely since it's already old and insecure.
This makes MokManager not support the DES based password hash but
probably no one is using it.
Signed-off-by: Gary Lin <glin@suse.com>
|
