efi-boot-shim.git - (mirror of https://github.com/vyos/efi-boot-shim.git)

Age	Commit message (Collapse)	Author
2021-03-24	Rebuild the new upstream version for busterdebian/15.3-1_deb10u1	Steve McIntyre

2021-03-23	Switch to using the 15.3 release from upstream	Steve McIntyre

2021-03-23	Fix up some of the options we're using at build time	Steve McIntyre
	Definitely don't want to be setting EFI_PATH, as that over-rides the vendored gnu-efi. Argh
2021-03-23	Improve how the dbx hashes are handled	Steve McIntyre
	Only include the hashes for the architecture we're building for - no point in adding bloat and delay here. Add a script "block_signed_deb" to scan a set of .deb files, extract the hashes for .efi binaries and list them in the format wanted for the dbx hashes file. Split out the code to use that file from the rules file into a separate helper.
2021-03-23	Tweak the gnu-efi tarball code	Steve McIntyre

2021-03-23	Add an extra rule to generate the extra gnu-efi tarball	Steve McIntyre
	Thanks to Dmitri John Ledkov for help
2021-03-23	Add Debian SBAT data to the shim build	Steve McIntyre
	Add a Debian SBAT template, and rules to use it Adds a build-dep on dos2unix
2021-02-21	Remove artifacts that upstream installs that we don't use	Steve McIntyre
	... to keep debhelper from complaining
2021-02-21	Switch to using gcc-10 rather than gcc-9. Closes: #978521	Steve McIntyre

2021-02-21	Switch to newer upstream "release" 15+1613861442.888f5b5	Steve McIntyre
	Many many updates, but caring mainly about SBAT support
2020-07-24	Use sort and uniq - minimise the size of the list here	Steve McIntyre
	We may end up with duplicates, let's not include hashes twice in the shim binary blacklist
2020-03-24	Update debhelper compat level to 11	Steve McIntyre

2020-03-24	Switch to using gcc-9 for builds. Closes: #925826	Steve McIntyre
	Pull upstream commit aaa09b35e73c4a35fc119d225e5241199d7cf5aa to fix an FTBFS.
2019-05-06	Output efisiglist commands to the build log	dann frazier
	It wouldn't hurt to keep a record of them.
2019-05-06	Require dbx hashes	dann frazier
	While it maybe convenient for a developer to be able to do a build w/o any dbx hashes, it prevents the $(DBX_LIST) target from having a proper dependency on the $(DBX_HASHES) file. If a developer were to add a new hash in a built tree, make would not detect that on a subsequent build and would not update the $(DBX_LIST) file. Continue to support a NULL $(DBX_LIST) build by touching the $(DBX_LIST) file in case no efisiglist commands ran. Developers can now create an empty $(DBX_HASHES) file to get that.
2019-05-06	Use $@ instead of referencing ${DBX_LIST} in multiple places	dann frazier

2019-05-06	'set -e' the code that generates the dbx list	dann frazier
	Without this we would silently ignore an efisiglist command error.
2019-05-06	Remove unnecessary exports	dann frazier

2019-05-04	Generate a vendor dbx file at build time	Steve McIntyre
	This allow us to block executing binaries with specific checksums. Generate the dbx list at runtime from a simple list of sha256 hashes, so we can update this easily. If we need to also blacklist a cert later, we'll need to update this code to add that option too. Add a build-dep on pesign to get the needed efisiglist program.
2019-05-03	Build using gcc-7	Steve McIntyre
	To get better control of reproducibility during the lifetime of Buster
2019-03-23	Fix FTCBFS: Set CROSS_COMPILE. (Closes: #922152)	Helmut Grohne

2019-02-15	Include /usr/share/dpkg/architecture.mk instead of shelling out.	Luca Boccassi

2019-02-15	Add shim-$arch-signed-template support	Philipp Hahn
	for getting the MOK-manager and fall-back binary to be signed by Debians singing service instead of using an ephemeral key. Closes: #922228
2019-02-15	Disable ephemeral key on Debian	Philipp Hahn
	shim creates an ephemeral key, which gets embedded into shim and is used to sign the corresponding mok-manager (mm.efi) and fall-back-manager (fb.efi). This makes the build unreproducible. For Debian we will get those two binaries signed by our Debian-UEFI-CA, which is the primary (and only) key embedded in shim.
2019-02-15	debian/rules: fixing permissions no longer required	Philipp Hahn
	as Makefiles used "install -m 0644" by now.
2019-02-10	Ensure DEB_HOST_ARCH is set even if not present in the environment.	Steve Langasek

2019-02-10	Enable build for i386.	Steve Langasek

2019-02-10	Fix debian/rules syntax for arm64 build.	Steve Langasek

2018-08-22	Make sure we pass the right COMMIT_ID to build	Mathieu Trudel-Lapierre

2018-07-24	* debian/rules:	Mathieu Trudel-Lapierre
	- define RELEASE and COMMIT_ID for the snapshot. - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
2018-04-24	Enable arm64 build.	dann frazier

2017-09-29	Don't need to clean after .signed files, upstream Makefile does it now.	Mathieu Trudel-Lapierre
	Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
2017-09-29	Don't need to set -Wno-error=unused-variable anymore	Mathieu Trudel-Lapierre
	Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
2017-09-27	Ignore unused-variable errors.	Mathieu Trudel-Lapierre

2017-08-31	debian/rules, debian/shim.install: make sure the 'make install' step does ↵	Mathieu Trudel-Lapierre
	what it's meant to do by upstream: we can easily make use of the end result to have the files we need.
2017-08-29	Set EFIDIR=ubuntu for dh_auto_install; that will let files be installed in ↵	Mathieu Trudel-Lapierre
	the "right" final directories, and makes boot.csv for us.
2017-08-29	Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream options: ↵	Mathieu Trudel-Lapierre
	set MAKELEVEL.
2017-08-29	debian/rules: clean up after *.signed files.	Mathieu Trudel-Lapierre

2017-08-29	Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback and ↵	Mathieu Trudel-Lapierre
	MokManager. Also drop debian/patches/sbsigntool-no-pesign: with this change from upstream it is no longer needed..
2017-08-29	Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built at ↵	Mathieu Trudel-Lapierre
	compile-time for MokManager and fallback.
2017-08-29	debian/patches/second-stage-path: dropped; the default loader path now ↵	Mathieu Trudel-Lapierre
	includes an arch suffix.
2017-08-07	Fix typo for DEFAULT_LOADER: missing a backslash, also needs quoting.	Mathieu Trudel-Lapierre

2017-08-07	Define an EFI_ARCH variable, and use that for paths to shim. This makes it ↵	Mathieu Trudel-Lapierre
	possible to build a shim for other architectures than amd64.
2017-08-07	Set DEFAULT_LOADER; this makes second-stage-path unnecessary.	Mathieu Trudel-Lapierre

2017-08-07	* debian/rules:	Mathieu Trudel-Lapierre
	- Update dh_auto_build/dh_auto_clean for new upstream options: set MAKELEVEL.
2016-10-01	fix path we're chmodding, for current upstream	Steve Langasek

2016-10-01	* Initial Debian upload. Closes: #820052.	Steve Langasek
	* Update Standards-Version. * Embed the newly-minted Debian CA certificate. * Vendorize debian/rules so that the same package can be used in both Debian and Ubuntu without modification. * Fix debian/copyright to match the spec (last match wins, not first) * Fix shim.efi to not be executable. * Add watchfile. * Support parallel builds, because eh why not * Update Vcs-Bzr.
2012-10-04	Use a clearer name for the VENDOR_CERT_FILE.	Steve Langasek

2012-10-04	Pull newer upstream snapshot, which fixes verification of the signature on ↵	Steve Langasek
	our signed GRUB efi
2012-10-03	Include the Canonical Secure Boot master CA (cert.der) and include as	Steve Langasek
	cert.h at build time.