| Age | Commit message (Collapse) | Author |
|
|
|
|
|
If SecureBoot is enabled, check that our shim binary is signed by at
least one of the certificates enrolled in firmware.
|
|
|
|
from multiple signed shims.
* Move the verification logic out into a new helper script
verify_combine_sigs - see comments there for how it works.
* Rename the existing shim binaries and CA cert to match
* Include some extra certs and binaries for testing with
|
|
If we have DKMS modules installed:
+ Check to see if a DKMS MOK key has been created and enrolled;
+ Check that all the DKMS modules are signed with that key;
If successful, don't tell users to disable Secure Boot.
Closes: #1108278.
Add dependencies on openssl and kmod for shim-signed-common,
needed for implementing these check.
|
|
|
|
else the dpkg-query doesn't work.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
|
|
using substvars to make things more automatic in future.
|
|
|
|
Update build-dep on shim-unsigned to use 15.8-1.
Update SBAT to revoke grub binaries with sbat < 4.
Stop building for i386.
|
|
Closes: #1042964, #1041449, #932358
|
|
|
|
|
|
We now have arm64 signed shims again \o/
Closes: #1008942, #992073
Pulls multiple other bugfixes in for the signed version:
Make sbat_var.S parse right with buggy gcc/binutils
Enable NX support at build time, as required by policy for signing
new shim binaries.
Update build-dep on shim-unsigned to use 15.7-1
Block Debian grub binaries with sbat < 4 (see #1024617)
|
|
|
|
Pulls multiple bugfixes in for the signed version:
* Add arm64 patch to tweak section layout and stop crashing
problems. Upstream issue #371. (#990082, #990190)
* In insecure mode, don't abort if we can't create the MokListXRT
variable. Upstream issue #372. (#989962, #990158)
Update build-dep on shim-unsigned to use 15.4-6~deb10u1
|
|
|
|
|
|
Closes: #988047, #988056
|
|
|
|
And various other minor packaging tweaks
Add a different description at package build time to warn users that
shim-signed on arm64 is *not* actually signed. Add a doc link to the
wiki for more details.
Comment out a lintian override for arm64
|
|
Pick up the version of shim we're using properly.
|
|
* Build against new signed binaries corresponding to
15+1533136590.3beb971-7
* Update Build-Depends and Depends to match. Closes: #928107
|
|
For update-secureboot-policy etc. Closes: #929673
|
|
Separate this from the actual signed shim binaries so that we can
sensibly support co-installability using Multi-Arch. Closes: #928486
|
|
That *does* match the source we've used, we're only using -5 due to
toolchain changes elsewhere. dak rejected us when using -5. Ick :-(
|
|
No changes needed...
|
|
|
|
|
|
To fix a bug in the PE/COFF checksum that otherwise breaks the build
|
|
* We're now building for 3 arches
* Depend on the right grub-efi-$arch-bin package Gfor each arch
* Depend on the right shim-helpers-$arch-signed package for each
arch
* Remove the old Replaces: and Breaks:, as we don't clash with files
from the shim binary package any more.
|
|
* Specific version of shim-unsigned to avoid the binary changes
caused by toolchain updates between -5 and -6
* We now don't care about the version of sbsigntool, hopefully!
|
|
Add me and Steve Langasek as uploaders
|
|
* Add Breaks: shim (<= 0.9+1474479173.6c180c6-1), Closes: #924100
* +nmu2 fixed the installability problem caused by waiting for
|
|
shim-signed (1.28+nmu2) unstable; urgency=medium
* Non-maintainer upload.
* Copy the helper binaries from the shim binary so that we no longer
need to depend on it. See #922179 for more details. Add a Replaces:
shim and to allow us to over-write binaries there.
* Explicitly uploading in a chroot with older binaries installed for
shim and sbsigntool, and update Build-Depends to point to those
speficic versions. This package will *not* function with other
versions installed.
|
|
shim-signed (1.28) unstable; urgency=medium
* Initial Debian upload, based on Ubuntu package.
|