Commit Graph

290 Commits

Author SHA1 Message Date
Fabian Grünbichler
348ed14e27 bump version to 16.0-1+pmx1
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2025-03-28 10:27:31 +01:00
Fabian Grünbichler
7145b93a4e d/watch: skip repacking
to preserve upstream signature

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2025-03-28 10:27:31 +01:00
Fabian Grünbichler
71a5b86588 fix test segfaults
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2025-03-24 13:37:58 +01:00
Fabian Grünbichler
5ecfcdc1ef d/rules: set AUTOMATIC_DATE to current one
revoking Grub binaries for the 2025-02 batch of CVEs

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2025-03-24 10:37:00 +01:00
Fabian Grünbichler
c3ed184285 drop patches
these are all part of shim 16.0 and the current SBAT data is moved to
SbatLevel_Variable.txt and got updated for the last round of CVEs
already.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2025-03-24 10:20:41 +01:00
Fabian Grünbichler
944dceda74 add Proxmox gbp.conf
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2025-03-24 10:17:39 +01:00
Fabian Grünbichler
a67cdf30aa remove i386 template lintian overrides
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2025-03-24 10:14:57 +01:00
Fabian Grünbichler
9b01c19281 d/watch: mangle RC versions
else 16.0.rc1 gets sorted higher than the final 16.0 release tarball.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
(cherry picked from commit ccf52eb2256c3448d41c4c8bf45969491256570d)
2025-03-24 10:13:53 +01:00
Steve McIntyre
d5a8e76353 Also make the rules-requires-root changes in the templates
for our generated packages. Closes: #1092425

(cherry picked from commit 638db1de7fa7ea696d9a01b14ff9a636fa34b4db)

Conflicts:
	debian/signing-template/control.in

FG: adapt context
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2025-03-24 10:13:49 +01:00
Steve McIntyre
731a6d6295 Update changelog
(cherry picked from commit fa4728b6daf0674409b1e0d34a98fcbfb99db5f4)
2025-03-24 10:13:03 +01:00
Niels Thykier
ace6d61571 shim: Build without requiring root
Closes: #1089432
(cherry picked from commit 8d003968ca8776c067fc01628971911f0cbd3c52)
2025-03-24 10:11:39 +01:00
Mate Kukri
c93eb60bb5 Remove Ubuntu CA and dbx files from the repository
(cherry picked from commit 57b6c43301b1943197eef3d816639277869231d7)

Conflicts:
	debian/rules

FG: adapted to Proxmox d/rules
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2025-03-24 10:11:13 +01:00
Steve McIntyre
438cee907c Stop building shim for i386
Debian kernels are no longer signed for i386, it's time to stop
supporting i386 SB.

(cherry picked from commit a1e8635ac6e7e122e698c859628c5b5e41679dab)

Conflicts:
	debian/changelog

FG: dropped changelog part
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2025-03-24 10:10:14 +01:00
Fabian Grünbichler
711083b346 bump version to 15.8-1+pmx1
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2024-05-07 09:10:13 +02:00
Fabian Grünbichler
5fab91e34c dbx: generate our own UUID
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2024-05-07 09:10:13 +02:00
Fabian Grünbichler
437ba3a444 Release shimversion 15.8-1~deb12u1

Merge tag 'debian/15.8-1_deb12u1' into proxmox/bookworm

Release shimversion 15.8-1~deb12u1
2024-05-07 09:00:42 +02:00
Steve McIntyre
9047a8e8ec *Actually* release 15.8-1~deb12u1 for bookworm
2024-05-04 22:28:42 +01:00
Steve McIntyre
b6990a9d7d Clean up better after build. Closes: #1046268
2024-05-04 22:06:34 +01:00
Steve McIntyre
9b91206a20 Install a copy of the Debian CA certificate into /usr/share/shim.
Closes: #1069054
2024-05-04 22:05:56 +01:00
Steve McIntyre
91350387a8 Release 15.8-1~deb12u1 for bookworm
2024-05-04 14:21:09 +01:00
Steve McIntyre
00d057c5fd Update version for bookworm
2024-05-03 16:18:29 +01:00
Steve McIntyre
bd9f3bf331 Force usage of newest revocations at build time
Force shim to use the latest revocations by default to block some
older grub / peimage issues. This is:

"shim,4\ngrub,4\ngrub.peimage,2\n"

This should work with the current released grub builds in all of
buster, bullseye, bookworm and trixie/unstable. Let's not leave known
security holes in the wild.
2024-05-03 16:06:30 +01:00
Steve McIntyre
bb0763da91 Cherry-pick latest grub revocation patches from upstream shim
0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
2024-05-03 16:06:18 +01:00
Steve McIntyre
2c85966cf3 Log if the build is nx-compatible or not
Add a new simple script to do this: check_nx
2024-05-03 16:03:35 +01:00
Steve McIntyre
487a9b02c1 Switch to 15.8 upstream and drop patches
2024-05-03 16:02:10 +01:00
Steve McIntyre
3cf4042d82 Tweak the UUID handling to be clearer
2024-05-02 22:13:14 +01:00
Bastien Roucariès
d6a5a165a3 Add salsa-ci.yml
2024-05-02 14:05:24 +00:00
Bastien Roucariès
be3d8a28b3 Add changelog entry
2024-04-29 09:56:29 +00:00
Bastien Roucariès
4a964bbad9 Add verification of upstream release
2024-04-29 09:56:05 +00:00
Bastien Roucariès
afef7adbba Fix d/watch
2024-04-29 09:55:58 +00:00
Bastien Roucariès
192a0b206a Closes: #936009
2024-04-29 09:55:31 +00:00
Debian Janitor
13d3737c61 Apply multi-arch hints. + shim-unsigned: Add Multi-Arch: same.
Changes-By: apply-multiarch-hints
2024-04-29 09:54:28 +00:00
Bastien Roucariès
c62e4f08ea Add machine smm=on
2024-04-16 15:05:51 +00:00
Bastien Roucariès
e5d065c169 Fix test failure
2024-04-15 20:07:29 +00:00
Bastien Roucariès
9f6871197e Fix deprecation warnings
2024-04-15 14:59:47 +00:00
Bastien Roucariès
71205e8fc8 Use popen for lsb_release
2024-04-15 14:54:14 +00:00
Bastien Roucariès
560b61840b Fix depends
2024-04-15 14:35:45 +00:00
Bastien Roucariès
5c55ced253 Update changelog
2024-04-15 14:35:31 +00:00
Bastien Roucariès
586dedee72 Port to debian
2024-04-15 14:15:23 +00:00
Bastien Roucariès
79b95f1092 Add ubuntu test
2024-04-15 14:15:22 +00:00
Steve McIntyre
f4f4e39e16 generate_dbx_list: pick a fixed UUID
otherwise our build won't be reproducible, doh!
2024-01-20 23:15:22 +00:00
Steve McIntyre
7686debad8 Tweak building with pesign changes
We used to use efisiglist to generate the DBX list. Newer versions of
the pesign package don't include it any more, and the recommended
replacement tool is now efisecdb from efivar. Tweak the
generate_dbx_list script to work with both old and new. Let's make
backports easy...
2023-11-02 00:47:18 +00:00
Fabian Grünbichler
a70e861754 bump version to 15.7-1+pmx1
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2023-04-04 12:13:02 +02:00
Fabian Grünbichler
215865f3de d/control: update Maintainer
and Vcs-*

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2023-04-04 12:13:02 +02:00
Fabian Grünbichler
fab1728bf0 d/control: add empty version pinning package
that our meta package can depend on to ensure *our* shim package is installed,
even if Debian at some point ships a higher version.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2023-04-04 12:13:02 +02:00
Fabian Grünbichler
f5524b5a83 drop patch inapplicable for Proxmox
we never shipped a broken Grub with SBAT 3

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2023-04-04 12:13:02 +02:00
Fabian Grünbichler
82bb143633 add Proxmox Uefi Secure Boot CA certificate
for embedding in shim as trust anchor for signed EFI binaries. The
corresponding private key was generated on and is stored on a FIPS compliant
HSM.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2023-04-04 12:13:02 +02:00
Fabian Grünbichler
48e045aa1a add Proxmox file references to packaging
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2023-04-04 12:13:02 +02:00
Steve McIntyre
e02f5a2563 Release 15.7-1
2023-01-31 10:18:29 +00:00
Steve McIntyre
77729f4c4b Switch to using the upstream "enable NX" patch
2023-01-30 18:12:20 +00:00