Age | Commit message | Author
2020-07-23 | shim: Extend invalid reloc size warning message | Paul Menzel
Knowing the value of the reloc directory size is helpful for debugging, cf. issue #131 [1], [1]: https://github.com/rhboot/shim/issues/131 Signed-off-by: Paul Menzel <pmenzel@molgen.mpg.de> Upstream-commit-id: dd3230d07f3
2020-07-23 | MokManager: Stop using EFI_VARIABLE_APPEND_WRITE | Gary Lin
When writing MokList with EFI_VARIABLE_APPEND_WRITE, some HP laptops may just return EFI_SUCCESS without writing the content into the flash, so we have no way to detect if MokList is updated or not. Now we always read MokList first and write it back with the new content. https://github.com/rhboot/shim/issues/105 Signed-off-by: Gary Lin <glin@suse.com> Upstream-commit-id: f442c8424b4
2020-07-23 | Fix typo in debug path in shim.h | Gary Lin
Signed-off-by: Gary Lin <glin@suse.com> Upstream-commit-id: a98c20bbdbb
2020-07-23 | httpboot: show the error message for the ChildHandle | Gary Lin
Signed-off-by: Gary Lin <glin@suse.com> Upstream-commit-id: 0fd3c7e8518
2020-07-23 | httpboot: allow the IPv4 gateway to be empty | Gary Lin
The gateway is not mandatory. Signed-off-by: Gary Lin <glin@suse.com> Upstream-commit-id: 69089e9c678
2020-07-23 | httpboot: print more messages when it fails to set IP | Gary Lin
We previously only printed the return status and it may not be clear enough in some situations. Print the IP address and the gateway to help the user to identify the possible errors. Signed-off-by: Gary Lin <glin@suse.com> Upstream-commit-id: 3abe94516c7
2020-07-23 | httpboot: return EFI_NOT_FOUND when it fails to find the NIC handle | Gary Lin
httpboot_fetch_buffer() should return EFI_NOT_FOUND to reflect the error status when get_nic_handle() returns NULL. Signed-off-by: Gary Lin <glin@suse.com> Upstream-commit-id: 2be5c7dc4b0
2020-07-23 | Let MokManager follow a MokTimeout var for timeout length for the prompt | Mathieu Trudel-Lapierre
This timeout can have the values [-1,0..0x7fff]; where -1 means "no timeout", with MokManager going directly to the menu, and is capped to 0x7fff to avoid unnecessarily long timeouts. The default remains 10, which will be used whenever the MokTimeout variable isn't set. Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com> Upstream-commit-id: 93708c11083
2020-07-23 | Makefiles: ensure -m32 gets propagated to our gcc parameter queries | Peter Jones
'gcc -print-file-name=include' and 'gcc -print-libgcc-file-name' both need -m32 when we're building 32-on-64 on some distros, so ensure that gets propagated correctly. Signed-off-by: Peter Jones <pjones@redhat.com> Upstream-commit-id: 104d6e54ac7
2020-07-23 | Make some things dprint() instead of console_print() | Peter Jones
Signed-off-by: Peter Jones <pjones@redhat.com> Upstream-commit-id: dad59f8c0f36
2020-07-24 | Prepare 15+1533136590.3beb971-10 upload (debian/15+1533136590.3beb971-10) | Steve McIntyre
2020-07-24 | Minimal-change upload to pick up rotated Debian signing keys | Steve McIntyre
2020-07-24 | Use sort and uniq - minimise the size of the list here | Steve McIntyre
We may end up with duplicates, let's not include hashes twice in the shim binary blacklist
2020-07-24 | Typo fix | Steve McIntyre
2020-06-12 | Merge branch 'lintian-fixes' into 'master' | Mario Limonciello
Fix some issues reported by lintian. See merge request efi-team/shim!5
2020-04-01 | Update standards version to 4.4.1, no changes needed. | Debian Janitor
Fixes: lintian: out-of-date-standards-version See-also: https://lintian.debian.org/tags/out-of-date-standards-version.html
2020-04-01 | Set upstream metadata fields: Bug-Database, Bug-Submit. | Debian Janitor
Fixes: lintian: upstream-metadata-file-is-missing See-also: https://lintian.debian.org/tags/upstream-metadata-file-is-missing.html
2020-04-01 | Set debhelper-compat version in Build-Depends. | Debian Janitor
Fixes: lintian: uses-debhelper-compat-file See-also: https://lintian.debian.org/tags/uses-debhelper-compat-file.html
2020-04-01 | Bump debhelper from old 11 to 12. | Debian Janitor
Fixes: lintian: package-uses-old-debhelper-compat-version See-also: https://lintian.debian.org/tags/package-uses-old-debhelper-compat-version.html
2020-04-01 | debian/copyright: use spaces rather than tabs to start continuation lines. | Debian Janitor
Fixes: lintian: tab-in-license-text See-also: https://lintian.debian.org/tags/tab-in-license-text.html
2020-04-01 | Use secure copyright file specification URI. | Debian Janitor
Fixes: lintian: insecure-copyright-format-uri See-also: https://lintian.debian.org/tags/insecure-copyright-format-uri.html
2020-04-01 | Trim trailing whitespace. | Debian Janitor
Fixes: lintian: file-contains-trailing-whitespace See-also: https://lintian.debian.org/tags/file-contains-trailing-whitespace.html
2020-03-30 | Tweak the version dependency of the -helpers-ARCH-signed packages (debian/15+1533136590.3beb971-9) | Steve McIntyre
Change the version dependency on shim-unsigned to be >= and not =. This will allow for installation to still work in the window while we wait for the template package to do its second trip through the archive. Closes: #955356
2020-03-30 | Ignore debian/files | Steve McIntyre
2020-03-24 | Prepare Debian release 15+1533136590.3beb971-8 (debian/15+1533136590.3beb971-8) | Steve McIntyre
2020-03-24 | Update debhelper compat level to 11 | Steve McIntyre
2020-03-24 | Switch to using gcc-9 for builds. Closes: #925826 | Steve McIntyre
Pull upstream commit aaa09b35e73c4a35fc119d225e5241199d7cf5aa to fix an FTBFS.
2019-05-08 | Use --padding when calling pesign to generate hashes | Steve McIntyre
for the dbx list, as recommended by Peter Jones. No actual changes needed in our list of hashes at this point - they work out the same either way.
2019-05-08 | Prepare Debian release 15+1533136590.3beb971-7 (debian/15+1533136590.3beb971-7) | Steve McIntyre
2019-05-08 | Remove the hash for Sledge's test arm64 grub binary | Steve McIntyre
Not needed now.
2019-05-07 | Add an empty list of hashes for the Ubuntu build | Steve McIntyre
so they'll get an empty dbs list rather than breaking the build
2019-05-06 | Output efisiglist commands to the build log | dann frazier
It wouldn't hurt to keep a record of them.
2019-05-06 | Require dbx hashes | dann frazier
While it may be convenient for a developer to be able to do a build w/o any dbx hashes, it prevents the $(DBX_LIST) target from having a proper dependency on the $(DBX_HASHES) file. If a developer were to add a new hash in a built tree, make would not detect that on a subsequent build and would not update the $(DBX_LIST) file. Continue to support a NULL $(DBX_LIST) build by touching the $(DBX_LIST) file in case no efisiglist commands ran. Developers can now create an empty $(DBX_HASHES) file to get that.
2019-05-06 | Use $@ instead of referencing ${DBX_LIST} in multiple places | dann frazier
2019-05-06 | 'set -e' the code that generates the dbx list | dann frazier
Without this we would silently ignore an efisiglist command error.
2019-05-06 | Remove unnecessary exports | dann frazier
2019-05-06 | Merge branch 'hack' from 93sam | Steve McIntyre
Changes: crash fixes; generate dbx file at runtime
2019-05-06 | Add more hashes that we want to blacklist | Steve McIntyre
signed arm64 grub binaries that allow use of the devicetree command, as found in grub-efi-arm64-signed_1+2.02+dfsg1+16_arm64.deb grub-efi-arm64-signed_1+2.02+dfsg1+17_arm64.deb
2019-05-06 | Add initial file with test checksums for the dbx list | Steve McIntyre
2019-05-04 | Generate a vendor dbx file at build time | Steve McIntyre
This allows us to block executing binaries with specific checksums. Generate the dbx list at runtime from a simple list of sha256 hashes, so we can update this easily. If we need to also blacklist a cert later, we'll need to update this code to add that option too. Add a build-dep on pesign to get the needed efisiglist program.
2019-05-03 | Build using gcc-7 | Steve McIntyre
To get better control of reproducibility during the lifetime of Buster
2019-05-03 | Update VCS-* fields in debian/control | Steve McIntyre
2019-05-03 | Fix OBJ_create() to tolerate a NULL sn and ln | Steve McIntyre
Cherry-picked fix from upstream MR at https://github.com/rhboot/shim/pull/174/commits/3a9e237b1baddf0d3192755406befb3e9fa5ca80 From: https://github.com/openssl/openssl/commit/f13615c5b828aeb8e3d9bf2545c803633d1c684f Apply an upstream patch from OpenSSL to tolerate a NULL sn. This avoids a NULL pointer reference in shim.c:verify_eku(). This was discovered because it causes a crash on ARM where, unlike x86, it does not necessarily have memory mapped at 0x0. Fixes: 6c180c6004ac ("shim: verify Extended Key Usage flags") Signed-off-by: dann frazier <dann.frazier@canonical.com>
2019-05-03 | VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls | Steve McIntyre
Backport of upstream fix: VLogError() calculates the size of format strings by using calls to SPrint and VSPrint with a StrSize of 0 and NULL for an output buffer. Unfortunately, this is an incorrect usage of (V)Sprint. A StrSize of "0" is special-cased to mean "there is no limit". So, we end up writing our string to address 0x0. This was discovered because it causes a crash on ARM where, unlike x86, it does not necessarily have memory mapped at 0x0. Avoid the (V)Sprint calls altogether by using (V)PoolPrint, which handles the size calculation and allocation for us. Signed-off-by: Peter Jones <pjones@redhat.com> Fixes: 25f6fd08cd26 ("try to show errors more usefully.") [dannf: commit message ] Signed-off-by: dann frazier <dann.frazier@canonical.com>
2019-03-25 | Merge branch 'update-vcs-fields' into 'master' | Steve McIntyre
debian/control: Update Vcs-* fields See merge request efi-team/shim!4
2019-03-25 | debian/control: Update Vcs-* fields | Ansgar Burchardt
2019-03-23 | Prepare Debian release 15+1533136590.3beb971-6 (debian/15+1533136590.3beb971-6) | Steve McIntyre
2019-03-23 | Fix FTCBFS: Set CROSS_COMPILE. (Closes: #922152) | Helmut Grohne
2019-03-23 | Add Provides: and Breaks: to shim-helpers-$arch-signed | Steve McIntyre
to fix clashes with the old shim-signed package for fbx64.efi.signed and mmx64.efi.signed. Closes: #924619
2019-03-12 | Prepare Debian release 15+1533136590.3beb971-5 (debian/15+1533136590.3beb971-5) | Steve McIntyre