match_hash() requests the number of keys in a list and it was
mistakenly replaced with the size of the Mok node. This would
made MokManager to remove the whole Mok node instead of one
hash.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
match_hash() requests the number of keys in a list and it was
mistakenly replaced with the size of the Mok node. This would
made MokManager to remove the whole Mok node instead of one
hash.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
MokSize of the hash signature list includes the owner GUID,
so we should not add the 16bytes compensation.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
MokSize of the hash signature list includes the owner GUID,
so we should not add the 16bytes compensation.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
When we made lib build with the correct CFLAGS, it inherited
-Werror=sign-compare, and I fixed up some parameters on
console_print_box() and console_print_box_at() to avoid sign comparison
errors.
The fixups were *completely wrong*, as some behavior relies on negative
values. So this fixes them in a completely different way, by casting
appropriately to signed types where we're doing comparisons.
Signed-off-by: Peter Jones <pjones@redhat.com>
When we made lib build with the correct CFLAGS, it inherited
-Werror=sign-compare, and I fixed up some parameters on
console_print_box() and console_print_box_at() to avoid sign comparison
errors.
The fixups were *completely wrong*, as some behavior relies on negative
values. So this fixes them in a completely different way, by casting
appropriately to signed types where we're doing comparisons.
Signed-off-by: Peter Jones <pjones@redhat.com>
Right now applications run by shim get our wrapper for Exit(), but it
doesn't do as much cleanup as it should - shim itself also exits, but
currently is not doing all the cleanup it should be doing.
This changes it so all of shim's cleanup is also performed.
Based on a patch and lots of review from Gary Lin.
Signed-off-by: Peter Jones <pjones@redhat.com>
Right now applications run by shim get our wrapper for Exit(), but it
doesn't do as much cleanup as it should - shim itself also exits, but
currently is not doing all the cleanup it should be doing.
This changes it so all of shim's cleanup is also performed.
Based on a patch and lots of review from Gary Lin.
Signed-off-by: Peter Jones <pjones@redhat.com>
Right now if shim_verify() sees secure_mode()==0, it exits with
EFI_SUCCESS, but accidentally leaves in_protocol=1. This means any
other call will have supressed error/warning messages.
That's wrong, so don't do it.
Signed-off-by: Peter Jones <pjones@redhat.com>
Right now if shim_verify() sees secure_mode()==0, it exits with
EFI_SUCCESS, but accidentally leaves in_protocol=1. This means any
other call will have supressed error/warning messages.
That's wrong, so don't do it.
Signed-off-by: Peter Jones <pjones@redhat.com>
Don't run MokManager on any random error from start_image(second_stage);
only try it if it /is/ the second stage, or if start_image gave us
EFI_SECURITY_VIOLATION.
Signed-off-by: Peter Jones <pjones@redhat.com>
Don't run MokManager on any random error from start_image(second_stage);
only try it if it /is/ the second stage, or if start_image gave us
EFI_SECURITY_VIOLATION.
Signed-off-by: Peter Jones <pjones@redhat.com>
The wildcard support was introduced in objcopy since binutils 2.24.
However, objcopy < 2.24 never issues any warning message with the
wildcard and a faulty binary will be generated. This commit makes
the build failed as a notification for the usage of binutils < 2.24.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
The wildcard support was introduced in objcopy since binutils 2.24.
However, objcopy < 2.24 never issues any warning message with the
wildcard and a faulty binary will be generated. This commit makes
the build failed as a notification for the usage of binutils < 2.24.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
- Clarify meaning of insecure_mode. (LP: #1384973)
* debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,
debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included
in the upstream release.
* debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path:
refreshed.
We depend on there being a .hash section in the binary, and that's not
the case on distributions that default to building with gnu-style ELF
hashes. Explicitly request sysv-style hashes in order to avoid building
broken binaries.
Signed-off-by: Matthew Garrett <mjg59@coreos.com>
We depend on there being a .hash section in the binary, and that's not
the case on distributions that default to building with gnu-style ELF
hashes. Explicitly request sysv-style hashes in order to avoid building
broken binaries.
Signed-off-by: Matthew Garrett <mjg59@coreos.com>
