proxmox-mirrors/efi-boot-shim
1
0
Fork 0
mirror of https://git.proxmox.com/git/efi-boot-shim synced 2025-08-14 03:16:02 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
236 Commits 1 Branch 3 Tags 11 MiB
8b0389dd27
Commit Graph

236 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Steve Langasek
8b0389dd27 Fix the version number; this was uploaded for some reason as -0ubuntu4, not -0ubuntu3. 2015-05-05 08:59:32 -07:00
Steve Langasek
e82e770609 releasing package shim version 0.7-0ubuntu3 2014-10-08 06:41:01 +00:00
Steve Langasek
3586772f0c * SECURITY UPDATE: heap overflow and out-of-bounds read access when 
parsing DHCPv6 information
  - debian/patches/CVE-2014-3675.patch: apply proper bounds checking
    when parsing data provided in DHCPv6 packets.
  - CVE-2014-3675
  - CVE-2014-3676
* SECURITY UPDATE: memory corruption when processing user-provided key
  lists
  - debian/patches/CVE-2014-3677.patch: detect malformed machine owner
    key (MOK) lists and ignore them, avoiding possible memory corruption.
  - CVE-2014-3677
 2014-10-08 06:40:28 +00:00
Steve Langasek
bc9b5d6386 releasing package shim version 0.7-0ubuntu2 2014-10-07 16:20:10 -07:00
Steve Langasek
4960f3580e Update debian/patches/prototypes with some new declarations needed for 
openssl 0.9.8za update.
 2014-10-07 16:20:02 -07:00
Steve Langasek
172647da18 Restore debian/patches/prototypes, which still is needed on shim 0.7 
but only detected on the buildds.
 2014-10-07 09:40:06 -07:00
Steve Langasek
db8383ad9f releasing package shim version 0.7-0ubuntu1 2014-10-07 05:40:45 +00:00
Steve Langasek
1e963007c0 debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick 
openssl 0.9.8za in via upstream.
 2014-10-07 05:35:11 +00:00
Steve Langasek
e34fca619d Drop prototypes patch, apparently not needed upstream 2014-10-07 00:30:44 +00:00
Steve Langasek
c61b06bc69 drop most patches, included upstream. 2014-10-07 00:30:39 +00:00
Steve Langasek
59945b252e Merge upstream version 0.7 2014-10-06 17:17:33 -07:00
Steve Langasek
72bb39c023 Import upstream version 0.7 2014-10-06 15:39:48 -07:00
Steve Langasek
5fc0e7f624 releasing package shim version 0.4-0ubuntu5 2014-08-04 12:11:22 +02:00
Steve Langasek
d53fb652ed Install fallback.efi.signed as well, to lay the groundwork for fallback 
handling (wanted when we have to move a drive between machines, or when
the firmware loses its marbles^W nvram).
 2013-09-26 18:45:36 -07:00
Steve Langasek
eb32f5bab0 releasing package shim version 0.4-0ubuntu4 2013-09-23 00:30:04 -07:00
Steve Langasek
84a3bbdf33 debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to 
the netboot code.
 2013-09-23 00:29:29 -07:00
Steve Langasek
0c74470db4 debian/patches/tftp-proper-nul-termination: fix nul termination 
errors in filenames passed to tftp.
 2013-09-20 17:05:30 -05:00
Steve Langasek
c43e3c7c0e Fix remaining compiler warnings in netboot.c. 2013-09-20 18:03:50 +00:00
Steve Langasek
990ce02ddd typo 2013-09-20 18:01:37 +00:00
Steve Langasek
5a187fadda Build with -Werror to catch future prototype mismatches. 2013-09-20 12:55:24 -05:00
Steve Langasek
4d21772d2a Commit missing .pc bits 2013-09-20 17:53:06 +00:00
Steve Langasek
50ab550ada debian/patches/fix-tftp-prototype: pass the right arguments to 
EFI_PXE_BASE_CODE_TFTP_READ_FILE.
 2013-09-20 11:23:28 -05:00
Stéphane Graber
4c13d15aab releasing version 0.4-0ubuntu3 2013-08-08 17:12:20 +02:00
Stéphane Graber
0929c5e5f5 Fix for LP: #1087501 2013-08-08 17:12:06 +02:00
Steve Langasek
44ecc6a350 debian/patches/no-output-by-default.patch: Don't print any 
informational messages.  Closes LP: #1074302.
 2013-07-03 22:48:01 +00:00
Steve Langasek
0c50644a00 Install MokManager.efi.signed in the package. 2013-07-03 12:02:10 -07:00
Steve Langasek
6657ac38fc releasing version 0.4-0ubuntu2 2013-07-02 20:30:47 +00:00
Steve Langasek
15d7c608de Add missing build-dependency on openssl. 2013-07-02 20:30:43 +00:00
Steve Langasek
63eea134e0 releasing version 0.4-0ubuntu1 2013-07-02 12:53:29 -07:00
Steve Langasek
84ac2e5551 Only one new upstream release, no need to say it twice ;) 2013-07-02 12:53:23 -07:00
Steve Langasek
e77adb281e Bump the versioned build-dep on gnu-efi to one that supports current shim 2013-07-02 15:31:11 +00:00
Steve Langasek
1b5fb6c04f Merge upstream release 0.4 2013-07-02 15:29:48 +00:00
Steve Langasek
bfab8d6791 Import upstream version 0.4 2013-07-02 15:24:04 +00:00
Peter Jones
d141608bf8 Bump version to 0.4 
Since I've finally merged in the "sections" branch, best to increment
the version number.

Signed-off-by: Peter Jones <pjones@redhat.com>
 2013-06-10 17:51:57 -04:00
Peter Jones
ff1409c37b Make DBX be included in build if the environment is set right. 
Signed-off-by: Peter Jones <pjones@redhat.com>
 2013-06-10 17:51:57 -04:00
Peter Jones
f80edcbe7d Make .vendor_cert get the right flags set. 
Signed-off-by: Peter Jones <pjones@redhat.com>
 2013-06-10 17:36:23 -04:00
Peter Jones
63bdfd8501 add a .gitignore 
Signed-off-by: Peter Jones <pjones@redhat.com>
 2013-06-10 17:36:22 -04:00
Peter Jones
c682b514bf Move embedded certificates to their own section. 
With this change, the embedded certificate and dbx lists (vendor_cert,
vendor_cert_size, vendor_dbx, and vendor_dbx_size) wind up being in a
section named .vendor_cert, and so will look something like:
------
fenchurch:~/devel/github.com/shim$ objdump -h shim.efi

shim.efi:     file format pei-x86-64

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .eh_frame     000174a8  0000000000005000  0000000000005000  00000400  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  1 .text         000aa7e1  000000000001d000  000000000001d000  00017a00  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  2 .reloc        0000000a  00000000000c8000  00000000000c8000  000c2200  2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  3 .data         00031228  00000000000c9000  00000000000c9000  000c2400  2**5
                  CONTENTS, ALLOC, LOAD, DATA
  4 .vendor_cert  00000375  00000000000fb000  00000000000fb000  000f3800  2**0
                  CONTENTS, READONLY
  5 .dynamic      000000f0  00000000000fc000  00000000000fc000  000f3c00  2**3
                  CONTENTS, ALLOC, LOAD, DATA
  6 .rela         0002afa8  00000000000fd000  00000000000fd000  000f3e00  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  7 .dynsym       0000f1f8  0000000000128000  0000000000128000  0011ee00  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
------

This simplifies a security audit, because it means that different
versions of shim with substantially the same code with different keys
will be more easily comperable, and therefore logic differences may be
more easily identified.

This also means that if there's a trusted build you want to use, you can
remove the certificates, implant new ones, and have it signed, and the
code sections won't change.

Signed-off-by: Peter Jones <pjones@redhat.com>
 2013-06-10 17:35:33 -04:00
Peter Jones
6b4255de12 vendor_cert_size's size in the binary should be 4, not -4. 
The thing about subtraction is that the minuend needs to be before the
subtrahend in the text.

Signed-off-by: Peter Jones <pjones@redhat.com>
 2013-06-10 17:35:33 -04:00
Peter Jones
1de10962e7 Remove FALLBACK_OBJS during clean as well. 
Signed-off-by: Peter Jones <pjones@redhat.com>
 2013-06-10 17:34:55 -04:00
Peter Jones
acf2e8ed1a Make sure all the Makefiles use the same arguments for mmx/sse/ms_abi. 
Signed-off-by: Peter Jones <pjones@redhat.com>
 2013-06-10 16:38:05 -04:00
Peter Jones
6cd79ef950 EFI_PXE_BASE_CODE_DHCPV6_PACKET is in gnu-efi-3.0t 2013-05-31 15:34:11 -04:00
Peter Jones
632503aa07 Don't use MMX and SSE registers, they aren't initialized. 
GCC 4.8.0 will try to use these by default, and you'll wind up looping
across the (uninitialized!) trap handler for uninitialized instructions.

Signed-off-by: Peter Jones <pjones@redhat.com>
 2013-05-31 15:34:11 -04:00
Peter Jones
8e7e92beb8 Bump version to 0.3 
Signed-off-by: Peter Jones <pjones@redhat.com>
 2013-05-16 11:03:32 -04:00
Peter Jones
aa55fcf149 Use MS ABI instead of terrible wrappers. 
This means that we now require gnu-efi 3.0s

Signed-off-by: Peter Jones <pjones@redhat.com>
 2013-05-16 10:21:15 -04:00
Peter Jones
5bb3e64ed8 Use the correct define on Open. 
The value here doesn't actually change any, but we should still use the
right name.

Signed-off-by: Peter Jones <pjones@redhat.com>
 2013-05-15 13:38:44 -04:00
Peter Jones
c9d11306e4 Add some error messages when things don't work. 
Signed-off-by: Peter Jones <pjones@redhat.com>
 2013-05-15 13:38:27 -04:00
Peter Jones
2e7fc28d92 Remove some unnecessary code. 
Signed-off-by: Peter Jones <pjones@redhat.com>
 2013-05-15 13:38:00 -04:00
Peter Jones
35b0b55b3e Fix some minor type errors. 
Signed-off-by: Peter Jones <pjones@redhat.com>
 2013-05-15 13:37:15 -04:00
Peter Jones
40cf2a423d Pass parameters correctly when booting. 
Signed-off-by: Peter Jones <pjones@redhat.com>
 2013-05-14 13:10:52 -04:00