efi-boot-shim.git - (mirror of https://github.com/vyos/efi-boot-shim.git)

Age	Commit message (Collapse)	Author
2023-06-23	Split pe.c up even more.	Peter Jones
	This moves the parts of pe.c that don't depend on Cryptlib into pe-relocate.c, so we can write test cases for them without having to make a second openssl build without EFI support. Signed-off-by: Peter Jones <pjones@redhat.com>
2022-05-17	Add verify_image	Eric Snowberg
	In the future we will want to examine binaries without wanting to execute them. Create verify_image based off existing handle_image code. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
2022-04-05	shim: implement SBAT verification for the shim_lock protocol	Chris Coulson
	This implements SBAT verification via the shim_lock protocol by moving verification inside the existing verify_buffer() function that is shared by both shim_verify() and handle_image(). The .sbat section is optional for code verified via the shim_lock protocol, unlike for code that is verified and executed directly by shim. For executables that don't have a .sbat section, verification is skipped when using the protocol. A vendor can enforce SBAT verification for code verified via the shim_lock protocol by revoking all pre-SBAT binaries via a dbx update or by using vendor_dbx and then only signing binaries that have a .sbat section from that point. Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
2021-09-10	pe: simplify generate_hash()	Heinrich Schuchardt
	Copying the value of datasize_in to two further variables and then using all three randomly in the code makes it hard to read. datasize_in is never changed in generate_hash() so we can do with this parameter alone. Rename it to datasize. Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2021-02-19	sbat: make shim to parse it's own .sbat section on init	Javier Martinez Canillas
	This is needed for shim to verify itself when booting, to make sure that shim binaries can't be executed anymore after been revoked by SBAT. Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
2021-02-13	Move a bunch of PE-related stuff out of shim.c	Peter Jones
	Signed-off-by: Peter Jones <pjones@redhat.com>
2021-01-29	Renaming PeImage.h to pe.h wasn't actually a good idea.	Peter Jones
	I renamed PeImage.h to pe.h when I de-capitalized them, but this turns out to be a bad idea because we already have a pe.h on the SBAT branch. Woops. This moves it to peimage.h Signed-off-by: Peter Jones <pjones@redhat.com>
2021-01-29	Always use lower case for our local include file names.	Peter Jones
	clang-format doesn't allow you to specify an include sort order, and just assumes asciibetical is a pretty good order, which doesn't work as well as you would hope. This makes them all lower case so they don't need to be re-sorted. I also went through and checked that we're using quoted local includes at all the appropriate places. Signed-off-by: Peter Jones <pjones@redhat.com>