In some cases the -Werror / -Wfoo / -Wno-foo / -Wno-error=foo bits
aren't propagating in a way that clang is happy with, so we get errors
about unused variables and the like in Cryptlib and OpenSSL.
We're never going to fix those nits in this tree, so this patch tries
even harder to make the compiler ignore them, or at least not end the
build with a benign error.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
This make target doesn't actually use any of the objects built by the
compiler, so there's no concern about using an untested compiler or
anything like that.
It doesn't really need the warnings to show either, and they're
obnoxious, so this commit takes them out for that build target.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Right now when doing test builds with clang, we wind up getting an error
from two different definitions of CLANG_PREREQ() in the headers.
It might be that we can just rip one of these out, but for now I'm just
making one of them conditional.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
cf https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2014231
Signed-off-by: Mike Beaton <mjsbeaton@gmail.com>
|
|
This updates CI targets for Fedora distros to newer releases. It also
disables IA32 builds on f40 and f41. Something is broken in the include
files for the ia32-on-x64 buildroot, and I don't think anyone is
actually doing ia32-on-x64 builds in the wild anyway. At the same time,
ia32 is pretty much dead to begin with. This takes the test out.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
"make update" with newer distros is giving us:
    fatal: detected dubious ownership in repository at '/__w/shim/shim'
    To add an exception for this directory, call:
        git config --global --add safe.directory /__w/shim/shim
So that's exactly what I'm trying.
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
Signed-off-by: Chris Bainbridge <chris.bainbridge@gmail.com>
|
|
In case a CSV entry contains a boot argument (e.g. an image to load for shim),
it must be null-terminated. While populate_stanza() makes sure 'arguments'
ends with '\0', add_boot_option() doesn't account for it in 'size'
calculations. E.g. for the following CSV entry:
    shimx64.efi,6.6.0-0.rc0.20230904git708283abf896.6.fc40.x86_64,\EFI\Linux\5f93b3c9cf1c488a99786fb8e99fb840-6.6.0-0.rc0.20230904git708283abf896.6.fc40.x86_64.efi,Comment
the resulting variable after 'fallback' looks like:
    # hexdump /sys/firmware/efi/efivars/Boot0004-8be4df61-93ca-11d2-aa0d-00e098032b8c | tail -3
    0000180 0038 0036 005f 0036 0034 002e 0065 0066
    0000190 0069
    0000192
Add trailing '\0' to 'size' calculations in add_boot_option() when
'arguments' is not empty. The resulting variable looks like:
    # hexdump /sys/firmware/efi/efivars/Boot0004-8be4df61-93ca-11d2-aa0d-00e098032b8c | tail -3
    0000180 0038 0036 005f 0036 0034 002e 0065 0066
    0000190 0069 0000
    0000194
and the specified image is loaded by shim without issues.
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
|
The code actually uses EFI_SECURE_BOOT_DB_GUID which is defined in
include/guid.h, drop the unused EFI_IMAGE_SECURITY_DATABASE_GUID define
from shim.c
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
|
|
Signed-off-by: William Douglas <william.douglas@intel.com>
|
|
- Update documented mirrored variable attributes from RT to BS,RT
- Add missing MokSBStateRT
- Clarify that MokIgnoreDB is a mirror of MokDBState
- Add missing attributes for MokPWStore
Signed-off-by: Mike Beaton <mjsbeaton@gmail.com>
|
|
If there is no OpenSSL installation on the system where the
`make-certs` script is run, no error message will be shown; instead
the script will fail silently and no certificates will be generated.
This change introduces a simple check for whether the `openssl` binary
is present and informs the user if it's missing, shortening debugging time
from minutes to mere seconds.
A bashism has been used so a pretty message gets printed without moving
the check to a section before `set -e`.
Signed-off-by: Kamil Aronowski <kamil.aronowski@yahoo.com>
|
|
Signed-off-by: Kamil Aronowski <kamil.aronowski@yahoo.com>
|
|
Signed-off-by: Kamil Aronowski <kamil.aronowski@yahoo.com>
|
|
As per https://github.com/rhboot/shim/issues/634, the current consensus
seems to be for generation numbers to only ever go up and not get reset.
This has been clarified and an example related to this behavior has been
described.
Signed-off-by: Kamil Aronowski <kamil.aronowski@yahoo.com>
|
|
When LoadOptions is either L" " or L"shim.efi ", parse_load_options sets
second_stage to the empty string. This is unlikely to be what is intended, and
typically leads to a non-obvious failure mode.
The failure happens because parse_load_options's call to split_load_options
(after eating shim's own filename, if present) returns the empty string. Since
init_grub typically passes second_stage to start_image, this causes read_image
to concatenate the empty string onto the directory name. This means PathName
refers to the directory, not the path to a pe image. Then load_image
successfully opens a handle on the directory and reads "data" from it. It only
eventually fails when handle_image calls read_header which finds that this data
isn't in fact a pe header, reporting "Invalid image".
This scenario has been seen when shim is loaded via rEFInd 0.11.5, which sets
LoadOptions to the name of the shim program followed by a space character.
Instead, modify parse_load_options to leave second_stage set to its default
value rather than the empty string.
Signed-off-by: Jonathan Davies <jonathan.davies@nutanix.com>
|
|
In the ea0f9df "Allow SbatLevel data from external binary" patch,
the code that tries to load any certificate file that starts with
shim_certificate was changed to only accept shim_certificate.efi,
which defeats the entire point of reading through the directory.
This change reverts that.
Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
|
|
Closes: #1069054
|
|
Force shim to use the latest revocations by default to block some
older grub / peimage issues. This is:
"shim,4\ngrub,4\ngrub.peimage,2\n"
This should work with the current released grub builds in all of
buster, bullseye, bookworm and trixie/unstable. Let's not leave known
security holes in the wild.
|
|
0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
|
|
Add a new simple script to do this: check_nx
|
|
Debian kernels are no longer signed for i386, it's time to stop
supporting i386 SB.
|
|
Apply multi-arch hints. + shim-unsigned: Add Multi-Arch: same.
See merge request efi-team/shim!15
|
|
Changes-By: apply-multiarch-hints
|
|
Tests
See merge request efi-team/shim!14
|
|
Back in January we decided to bump the SBAT level for the shim
CVE without bumping the grub level for the previous NTFS issues
- CVE-2023-4692 CVE-2023-4693 - as not every vendor was signing
the ntfs module.
Catch up on this revocation to ensure it doesn't get lost. Doing
so also allows us to remove the grub.debian,4 revocation as this
happened before grub,4 and hence is obsolete.
Also bump the date of the sbat variable to today's. Don't copy
the April 5 one to a previous selection, as it wasn't shipped
to anyone.
Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>
|
|
Add the previous latest level to the switch for automatic.
Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>
|
|
If we see "BEGIN", it's likely a PEM certificate and won't work. Fail
the build early and say so.
Fixes #645
Signed-off-by: Steve McIntyre <steve@einval.com>
|
|
What's changed
* Various CVE fixes:
  CVE-2023-40546 mok: fix LogError() invocation
  CVE-2023-40547 - avoid incorrectly trusting HTTP headers
  CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
  CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
  CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
  CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
* Add make infrastructure to set the NX_COMPAT flag by @vathpela in https://github.com/rhboot/shim/pull/530
* Make sbat_var.S parse right with buggy gcc/binutils by @vathpela in https://github.com/rhboot/shim/pull/535
* Drop invalid calls to CRYPTO_set_mem_functions by @nicholasbishop in https://github.com/rhboot/shim/pull/537
* pe: Align section size up to page size for mem attrs by @nicholasbishop in https://github.com/rhboot/shim/pull/539
* test-sbat: Fix exit code by @vathpela in https://github.com/rhboot/shim/pull/540
* pe: Add IS_PAGE_ALIGNED macro by @nicholasbishop in https://github.com/rhboot/shim/pull/541
* CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper by @nicholasbishop in https://github.com/rhboot/shim/pull/546
* Don't loop forever in load_certs() with buggy firmware by @rmetrich in https://github.com/rhboot/shim/pull/547
* Block Debian grub binaries with SBAT < 4 by @steve-mcintyre in https://github.com/rhboot/shim/pull/550
* Shim unable to locate grubx64 in PXE boot mode when grubx64 is stored in a different file path by @Alberto-Perez-Guevara in https://github.com/rhboot/shim/pull/551
* Further improve load_certs() for non-compliant drivers/firmwares by @pbatard in https://github.com/rhboot/shim/pull/560
* pe: only process RelocDir->Size of reloc section by @mikebeaton in https://github.com/rhboot/shim/pull/562
* Rename 'msecs' to 'usecs' to avoid potential confusion by @aronowski in https://github.com/rhboot/shim/pull/563
* Optionally allow to keep shim protocol installed by @bluca in https://github.com/rhboot/shim/pull/565
* SBAT-related documents formatting and spelling by @aronowski in https://github.com/rhboot/shim/pull/566
* Add SbatLevel_Variable.txt to document the various revocations by @jsetje in https://github.com/rhboot/shim/pull/569
* Add a security contact email address in README.md by @vathpela in https://github.com/rhboot/shim/pull/572
* Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL by @vathpela in https://github.com/rhboot/shim/pull/576
* mok: fix LogError() invocation by @vathpela in https://github.com/rhboot/shim/pull/577
* Minor housekeeping by @vathpela in https://github.com/rhboot/shim/pull/578
* Test ImageAddress() by @vathpela in https://github.com/rhboot/shim/pull/579
* FreePages() is used to return memory allocated by AllocatePages() by @dennis-tseng99 in https://github.com/rhboot/shim/pull/580
* Size should minus 1 when calculating 'RelocBaseEnd' by @jsetje in https://github.com/rhboot/shim/pull/581
* Verify signature before verifying sbat levels by @jsetje in https://github.com/rhboot/shim/pull/583
* Add libFuzzer support for csv.c and sbat.c by @vathpela in https://github.com/rhboot/shim/pull/584
* mok: Avoid underflow in maximum variable size calculation by @alpernebbi in https://github.com/rhboot/shim/pull/587
* Housekeeping by @vathpela in https://github.com/rhboot/shim/pull/605
Signed-off-by: Peter Jones <pjones@redhat.com>
|