| Age | Commit message (Collapse) | Author |
|---|
|
When building in minimal chroot on build workers, like in Debian (where
make clean is called at the beginning of the build process), git will
not be available. Skip the git clean.
Signed-off-by: Luca Boccassi <bluca@debian.org>
Upstream-commit-id: be352762a01
|
|
The architecture is aarch64, not arch64.
Fixes: 750584c20775 ("Make 64-on-32 maybe work on x86_64.")
Signed-off-by: dann frazier <dann.frazier@canonical.com>
Upstream-commit-id: e9f67aaa75a
|
|
The current code is incorrectly failing to load the fbaa64.efi image found
in Arm servers even though the UEFI shell code is able to properly load
and execute the same image.
The problem is due to the presence of a section header that has zero size
and address and marked "discardable" in the fbaa64.efi image.
Although there is already a check further down in the code to look for
the discardable bit and skip further verification checks if set, we never
get to that point due to the "end < base" check at the start of the loop.
Here is a dump of the fbaa64.efi image as compiled on an Arm machine
from the latest code in this repo:
% # First I used hexedit to change header byte from 'AA' to '86'
% # so that objdump was able to correctly parse the file:
% objdump -x -m aarch64 fbaa64.efi
fbaa64.efi: file format pei-x86-64
fbaa64.efi
architecture: i386:x86-64, flags 0x00000103:
HAS_RELOC, EXEC_P, D_PAGED
start address 0x0000000000000148
Characteristics 0x20e
executable
line numbers stripped
symbols stripped
debugging information removed
Time/Date Wed Dec 31 16:00:00 1969
Magic 020b (PE32+)
MajorLinkerVersion 2
MinorLinkerVersion 20
SizeOfCode 000b15d0
SizeOfInitializedData 00000000
SizeOfUninitializedData 00000000
AddressOfEntryPoint 0000000000000148
BaseOfCode 0000000000000148
ImageBase 0000000000000000
SectionAlignment 0000000000000020
FileAlignment 0000000000000008
MajorOSystemVersion 0
MinorOSystemVersion 0
MajorImageVersion 0
MinorImageVersion 0
MajorSubsystemVersion 0
MinorSubsystemVersion 0
Win32Version 00000000
SizeOfImage 000b1718
SizeOfHeaders 00000148
CheckSum 00000000
Subsystem 0000000a (EFI application)
DllCharacteristics 00000000
SizeOfStackReserve 0000000000000000
SizeOfStackCommit 0000000000000000
SizeOfHeapReserve 0000000000000000
SizeOfHeapCommit 0000000000000000
LoaderFlags 00000000
NumberOfRvaAndSizes 00000006
The Data Directory
Entry 0 0000000000000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 0000000000000000 00000000 Import Directory [parts of .idata]
Entry 2 0000000000000000 00000000 Resource Directory [.rsrc]
Entry 3 0000000000000000 00000000 Exception Directory [.pdata]
Entry 4 0000000000000000 00000000 Security Directory
Entry 5 0000000000000000 00000000 Base Relocation Directory [.reloc]
Entry 6 0000000000000000 00000000 Debug Directory
Entry 7 0000000000000000 00000000 Description Directory
Entry 8 0000000000000000 00000000 Special Directory
Entry 9 0000000000000000 00000000 Thread Storage Directory [.tls]
Entry a 0000000000000000 00000000 Load Configuration Directory
Entry b 0000000000000000 00000000 Bound Import Directory
Entry c 0000000000000000 00000000 Import Address Table Directory
Entry d 0000000000000000 00000000 Delay Import Directory
Entry e 0000000000000000 00000000 CLR Runtime Header
Entry f 0000000000000000 00000000 Reserved
Sections:
Idx Name Size VMA LMA File off Algn
0 .reloc 00000000 0000000000000000 0000000000000000 00000000 2**0
ALLOC, LOAD, READONLY, DATA
1 .text 000b15d0 0000000000000148 0000000000000148 00000148 2**4
CONTENTS, ALLOC, LOAD, CODE
SYMBOL TABLE:
no symbols
Signed-off-by: Maran Wilson <maran.wilson@oracle.com>
Reviewed-by: Aaron Young <aaron.young@oracle.com>
Reviewed-by: Jack Schwartz <jack.schwartz@oracle.com>
Upstream-commit-id: 6df7a8f5609
|
|
When shim is invoked from a relative path (e.g: from the UEFI shell), the
Loaded Image handle LoadOptions can be set to the binary relative path.
But the is_our_path() function only checks if LoadOptions is set to the
absolute path of shim to ignore it. So if a relative path is there, shim
would set itself as the secondary loader and invoke itself in a loop.
To prevent that, use the path in LoadOptions to calculate the absolute
path and compare it with the one in the Loader Image handle FilePath.
Resolves: bz#1622485
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Maran Wilson maran.wilson@oracle.com
Tested-by: Maran Wilson maran.wilson@oracle.com
Upstream-commit-id: e563bc3dcd1
|
|
The generate_path_from_image_path() doesn't properly handle the case when
shim is invoked using a relative path (e.g: from the EFI shell). In that
function, always the last component is stripped from absolute file path
to calculate the dirname, and this is concatenated with the image path.
But if the path is a relative one, the function will wrongly concatenate
the dirname with the relative image path, i.e:
Shell> FS0:
FS0:\> cd EFI
FS0:\EFI\> BOOT\BOOTX64.EFI
Failed to open \EFI\BOOT\BOOT\BOOTX64.EFI - Not found
Failed to load image \EFI\BOOT\BOOT\BOOTX64.EFI: Not found
start_image() returned Not found
Calculate the image path basename and concatenate that with the dirname.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Maran Wilson maran.wilson@oracle.com
Tested-by: Maran Wilson maran.wilson@oracle.com
Upstream-commit-id: a625fa5096c
|
|
In Ubuntu 14.04, the following code in old Makefile:
mkdir -p Cryptlib/{Hash,Hmac,Cipher,Rand,Pk,Pem,SysCall}
will create a directory named "{Hash,Hmac,Cipher,Rand,Pk,Pem,SysCall}".
Signed-off-by: Ming Tan <ming.tan@intel.com>
Upstream-commit-id: 39b83455d68
|
|
This didn't seem to get documented anywhere, and this is as good a place as any.
Upstream-commit-id: 4fab7281a8c
|
|
Knowing the value of the reloc directory size is helpful for debugging,
cf. issue #131 [1],
[1]: https://github.com/rhboot/shim/issues/131
Signed-off-by: Paul Menzel <pmenzel@molgen.mpg.de>
Upstream-commit-id: dd3230d07f3
|
|
When writing MokList with EFI_VARIABLE_APPEND_WRITE, some HP laptops
may just return EFI_SUCCESS without writing the content into the flash,
so we have no way to detect if MokList is updated or not. Now we always
read MokList first and write it back with the new content.
https://github.com/rhboot/shim/issues/105
Signed-off-by: Gary Lin <glin@suse.com>
Upstream-commit-id: f442c8424b4
|
|
Signed-off-by: Gary Lin <glin@suse.com>
Upstream-commit-id: a98c20bbdbb
|
|
Signed-off-by: Gary Lin <glin@suse.com>
Upstream-commit-id: 0fd3c7e8518
|
|
The gateway is not mandatory.
Signed-off-by: Gary Lin <glin@suse.com>
Upstream-commit-id: 69089e9c678
|
|
We previously only print the return status and it may not be clear
enough in some situations. Print the IP address and the gateway to help
the user to identify the possible errors.
Signed-off-by: Gary Lin <glin@suse.com>
Upstream-commit-id: 3abe94516c7
|
|
httpboot_fetch_buffer() should return EFI_NOT_FOUND to reflect the error
status when get_nic_handle() returns NULL.
Signed-off-by: Gary Lin <glin@suse.com>
Upstream-commit-id: 2be5c7dc4b0
|
|
This timeout can have the values [-1,0..0x7fff]; where -1 means "no timeout",
with MokManager going directly to the menu, and is capped to 0x7fff to avoid
unecessary long timeouts. The default remains 10, which will be used whenever
the MokTimeout variable isn't set.
Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
Upstream-commit-id: 93708c11083
|
|
'gcc -print-file-name=include' and 'gcc -print-libgcc-file-name' both
need -m32 when we're building 32-on-64 on some distros, so ensure that
gets propogated correctly.
Signed-off-by: Peter Jones <pjones@redhat.com>
Upstream-commit-id: 104d6e54ac7
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
Upstream-commit-id: dad59f8c0f36
|
|
|
|
|
|
We may end up with duplicates, let's not include hashes twice in the
shim binary blacklist
|
|
|
|
Fix some issues reported by lintian
See merge request efi-team/shim!5
|
|
Fixes: lintian: out-of-date-standards-version
See-also: https://lintian.debian.org/tags/out-of-date-standards-version.html
|
|
Fixes: lintian: upstream-metadata-file-is-missing
See-also: https://lintian.debian.org/tags/upstream-metadata-file-is-missing.html
|
|
Fixes: lintian: uses-debhelper-compat-file
See-also: https://lintian.debian.org/tags/uses-debhelper-compat-file.html
|
|
Fixes: lintian: package-uses-old-debhelper-compat-version
See-also: https://lintian.debian.org/tags/package-uses-old-debhelper-compat-version.html
|
|
Fixes: lintian: tab-in-license-text
See-also: https://lintian.debian.org/tags/tab-in-license-text.html
|
|
Fixes: lintian: insecure-copyright-format-uri
See-also: https://lintian.debian.org/tags/insecure-copyright-format-uri.html
|
|
Fixes: lintian: file-contains-trailing-whitespace
See-also: https://lintian.debian.org/tags/file-contains-trailing-whitespace.html
|
|
Change the version dependency on shim-unsigned to be >= and not =.
This will allow for installation to still work in the window while we
wait for the template package to do its second trip through the
archive. Closes: #955356
|
|
|
|
|
|
|
|
Pull upstream commit aaa09b35e73c4a35fc119d225e5241199d7cf5aa to fix
an FTBFS.
|
|
for the dbx list, as recommended by Peter Jones. No actual changes
needed in our list of hashes at this point - they work out the same
either way.
|
|
|
|
Not needed now.
|
|
so they'll get an empty dbs list rather than breaking the build
|
|
It wouldn't hurt to keep a record of them.
|
|
While it maybe convenient for a developer to be able to do a build
w/o any dbx hashes, it prevents the $(DBX_LIST) target from having
a proper dependency on the $(DBX_HASHES) file. If a developer were
to add a new hash in a built tree, make would not detect that on
a subsequent build and would not update the $(DBX_LIST) file.
Continue to support a NULL $(DBX_LIST) build by touching the
$(DBX_LIST) file in case no efisiglist commands ran. Developers
can now create an empty $(DBX_HASHES) file to get that.
|
|
|
|
Without this we would silently ignore an efisiglist command error.
|
|
|
|
Changes:
crash fixes
generate dbx file at runtime
|
|
signed arm64 grub binaries that allow use of the devicetree command,
as found in
grub-efi-arm64-signed_1+2.02+dfsg1+16_arm64.deb
grub-efi-arm64-signed_1+2.02+dfsg1+17_arm64.deb
|
|
|
|
This allow us to block executing binaries with specific
checksums. Generate the dbx list at runtime from a simple list of
sha256 hashes, so we can update this easily. If we need to also
blacklist a cert later, we'll need to update this code to add that
option too.
Add a build-dep on pesign to get the needed efisiglist program.
|
|
To get better control of reproducibility during the lifetime of
Buster
|
|
|
|
Cherry-picked fix from upstream MR at
https://github.com/rhboot/shim/pull/174/commits/3a9e237b1baddf0d3192755406befb3e9fa5ca80
From: https://github.com/openssl/openssl/commit/f13615c5b828aeb8e3d9bf2545c803633d1c684f
Apply an upstream patch from OpenSSL to tolerate a NULL sn. This
avoids a NULL pointer reference in shim.c:verify_eku(). This was
discovered because it causes a crash on ARM where, unlike x86, it does
not necessarily have memory mapped at 0x0.
Fixes: 6c180c6004ac ("shim: verify Extended Key Usage flags")
Signed-off-by: dann frazier <dann.frazier@canonical.com>
|
