efi-boot-shim.git - (mirror of https://github.com/vyos/efi-boot-shim.git)

Age	Commit message (Collapse)	Author
2024-05-03	New upstream version 15.8	Steve McIntyre

2022-04-27	New upstream version 15.5upstream/15.5	Steve McIntyre

2021-03-23	New upstream version 15.3upstream/15.3	Steve McIntyre

2018-07-24	New upstream version 15+1531942534.dd3230dupstream/15+1531942534.dd3230d	Mathieu Trudel-Lapierre

2017-09-13	New upstream version 13~git1505328970.9c1c35c5upstream/13_git1505328970.9c1c35c5	Mathieu Trudel-Lapierre

2016-07-26	Import upstream version 0.9+1465500757.14a5905	Mathieu Trudel-Lapierre

2014-08-27	Don't name something exit().	Peter Jones
	On aarch64 due to some terrifying include chain we wind up with Cryptlib's definition of exit here. I'm not a glutton for punishment, so I'm just changing the name so it's not coliding. Signed-off-by: Peter Jones <pjones@redhat.com>
2014-08-12	unhook_system_services: bail on systab == NULL	Ard Biesheuvel
	Prevent unhook_system_services() from dereferencing a NULL systab, which may occur if hook_system_services() has never been called. Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2014-02-14	Allow fallback to use the system's LoadImage/StartImage .	Peter Jones
	Track use of the system's LoadImage(), and when the next StartImage() call is for an image the system verified, allow that to count as participating, since it has been verified by the system's db. Signed-off-by: Peter Jones <pjones@redhat.com>
2013-11-19	Clarify meaning of insecure_mode	Matthew Garrett
	insecure_mode was intended to indicate that the user had explicity disabled checks with mokutil, which means it wasn't the opposite of secure_mode(). Change the names to clarify this and don't show the insecure mode message unless the user has explicitly enabled that mode. Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
2013-10-04	Unhook system services as we exit.	Peter Jones
	If we never find a valid thing to boot, we need to undo the weird things we've done. Signed-off-by: Peter Jones <pjones@redhat.com>
2013-10-01	Harden shim against non-participating bootloaders.	Peter Jones
	It works like this: during startup of shim, we hook into the system's ExitBootServices() and StartImage(). If the system's StartImage() is called, we automatically unhook, because we're chainloading to something the system can verify. When shim's verify is called, we record what kind of certificate the image was verified against. If the call /succeeds/, we remove our hooks. If ExitBootServices() is called, we check how the bootloader verified whatever it is loading. If it was verified by its hash, we unhook everything and call the system's EBS(). If it was verified by certificate, we check if it has called shim_verify(). If it has, we unhook everything and call the system's EBS() If the bootloader has not verified anything, and is itself verified by a certificate, we display a security violation warning and halt the machine.