mirror of
https://git.proxmox.com/git/efi-boot-shim
synced 2025-06-07 04:22:12 +00:00

shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium

  [ Steve Langasek ]
  * Initial Debian upload. Closes: #820052.
  * Update Standards-Version.
  * Embed the newly-minted Debian CA certificate.
  * Vendorize debian/rules so that the same package can be used in both
    Debian and Ubuntu without modification.
  * Fix debian/copyright to match the spec (last match wins, not first).
  * Fix shim.efi to not be executable.
  * Add watchfile.
  * Support parallel builds, because eh why not.
  * Update Vcs-Bzr.
  * Resync with Ubuntu, including patch to fix debian/copyright.

  [ Julien Cristau ]
  * Add some missing copyright holders in d/copyright, update
    Upstream-Contact. Thanks to Helen Koike for the help.

shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium

  [ Helen Koike ]
  * debian/copyright: add OpenSSL license.

  [ Mathieu Trudel-Lapierre ]
  * New upstream release.
  * debian/copyright: patches should be BSD, like the rest of the upstream
    code.
  * debian/patches/unused-variable: dropped; applied upstream.
  * debian/patches/binutils-version-matching: dropped, fixed upstream.
  * debian/shim.install: built EFI binaries were renamed; update our install
    file to properly pick up shim (shim$arch), MokManager (mm$arch), and
    fallback (fb$arch).

shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium

  * New upstream release.
    - Better handle LoadOptions. (LP: #1581299)
    - Measure state and second stage in TPM.
    - Mirror MokSBState in runtime as MokSBStateRT.
    - Fix failure to build with GCC 5. (LP: #1429978)
    - Various bug fixes and other improvements.
  * Refreshed patches.
    - Remaining patches:
      + second-stage-path
      + sbsigntool-not-pesign
  * debian/patches/unused-variable: remove unused variable size.
  * debian/patches/binutils-version-matching: revert d9a4c912 to correctly
    match objcopy's version on Ubuntu.
  * debian/copyright: update copyright for patches.

shim (0.8-0ubuntu2) wily; urgency=medium

  * No-change rebuild against gnu-efi 3.0v-5ubuntu1.

shim (0.8-0ubuntu1) wily; urgency=medium

  * New upstream release.
    - Clarify meaning of insecure_mode. (LP: #1384973)
  * debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,
    debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included
    in the upstream release.
  * debian/patches/sbsigntool-not-pesign, debian/patches/second-stage-path:
    refreshed.

shim (0.7-0ubuntu4) utopic; urgency=medium

  * SECURITY UPDATE: heap overflow and out-of-bounds read access when
    parsing DHCPv6 information
    - debian/patches/CVE-2014-3675.patch: apply proper bounds checking
      when parsing data provided in DHCPv6 packets.
    - CVE-2014-3675
    - CVE-2014-3676
  * SECURITY UPDATE: memory corruption when processing user-provided key
    lists
    - debian/patches/CVE-2014-3677.patch: detect malformed machine owner
      key (MOK) lists and ignore them, avoiding possible memory corruption.
    - CVE-2014-3677

shim (0.7-0ubuntu2) utopic; urgency=medium

  * Restore debian/patches/prototypes, which is still needed on shim 0.7
    but only detected on the buildds.
  * Update debian/patches/prototypes with some new declarations needed for
    the openssl 0.9.8za update.

shim (0.7-0ubuntu1) utopic; urgency=medium

  * New upstream release.
    - Fix spurious error message when fallback.efi is not present, as will
      always be the case for removable media. LP: #1297069.
    - Drop most patches, included upstream.
  * debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick
    openssl 0.9.8za in via upstream.

shim (0.4-0ubuntu5) utopic; urgency=low

  * Install fallback.efi.signed as well, to lay the groundwork for fallback
    handling (wanted when we have to move a drive between machines, or when
    the firmware loses its marbles^W nvram).

shim (0.4-0ubuntu4) saucy; urgency=low

  * debian/patches/fix-tftp-prototype: pass the right arguments to
    EFI_PXE_BASE_CODE_TFTP_READ_FILE.
  * debian/patches/build-with-Werror: Build with -Werror to catch future
    prototype mismatches.
  * debian/patches/fix-compiler-warnings: Fix remaining compiler
    warnings in netboot.c.
  * debian/patches/tftp-proper-nul-termination: fix NUL termination
    errors in filenames passed to tftp.
  * debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to
    the netboot code.

shim (0.4-0ubuntu3) saucy; urgency=low

  [ Steve Langasek ]
  * Install MokManager.efi.signed in the package.
  * debian/patches/no-output-by-default.patch: Don't print any
    informational messages. Closes LP: #1074302.

  [ Stéphane Graber ]
  * debian/patches/no-print-on-unsigned: Don't print an error message when
    validating an unsigned binary as that tends to hang Lenovo machines.
    (LP: #1087501)

shim (0.4-0ubuntu2) saucy; urgency=low

  * Add missing build-dependency on openssl.

shim (0.4-0ubuntu1) saucy; urgency=low

  * New upstream release.
  * Drop debian/patches/shim-before-loadimage; upstream has changed this to
    not call loadimage at all.
  * debian/patches/sbsigntool-not-pesign: Sign MokManager with
    sbsigntool instead of pesign.
  * Add a versioned build-dependency on gnu-efi.

shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low

  * debian/patches/shim-before-loadimage: Use direct verification first
    before LoadImage. Addresses an issue where Lenovo's SecureBoot
    implementation pops an error message on any verification failure - avoid
    calling LoadImage at all unless we have to.

shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low

  * debian/patches/second-stage-path: Chainload grubx64.efi, not
    grub.efi.

shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low

  * debian/patches/prototypes: Include missing prototypes, and disable
    use of BIO_new_file.
  * Only build the package for amd64; we're not signing an i386 shim at this
    stage so there's no point in building it.

shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low

  * Initial release.
  * Include the Canonical Secure Boot master CA.
From d51739a416400ad348d8a1c7e3886abce11fff1b Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 7 Apr 2015 11:59:25 -0400
Subject: [PATCH] gcc 5.0 changes some include bits, so copy what arm does on
x86.

Basically they messed around with stdarg some and now we need to do it
the other way.

Signed-off-by: Peter Jones <pjones@redhat.com>
---
Cryptlib/Include/OpenSslSupport.h | 4 +++-
Cryptlib/Makefile | 3 ++-
Cryptlib/OpenSSL/Makefile | 5 +++--
Makefile | 17 ++++++-----------
MokManager.c | 1 +
5 files changed, 15 insertions(+), 15 deletions(-)

Index: b/Cryptlib/Include/OpenSslSupport.h
===================================================================
--- a/Cryptlib/Include/OpenSslSupport.h
+++ b/Cryptlib/Include/OpenSslSupport.h
@@ -34,7 +34,7 @@ typedef VOID *FILE;
//
// Map all va_xxxx elements to VA_xxx defined in MdePkg/Include/Base.h
//
-#if !defined(__CC_ARM) // if va_list is not already defined
+#if !defined(__CC_ARM) || defined(_STDARG_H) // if va_list is not already defined
/*
* These are now unconditionally #defined by GNU_EFI's efistdarg.h,
* so we should #undef them here before providing a new definition.
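Review bot: the trailing comment on the changed `#if` is now stale. The condition also fires when `_STDARG_H` is defined, i.e. when the compiler's own stdarg.h has already been included, so "if va_list is not already defined" no longer describes what is being tested; reword it along the lines of `// unless __CC_ARM provides va_list, or the compiler's stdarg.h was included first`. Also note that `_STDARG_H` is the include guard of GCC's stdarg.h (clang's header uses `__STDARG_H`), so this branch only does its job under GCC; a comment saying so would save the next person a confused bisect.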
@@ -94,7 +94,9 @@ typedef __builtin_va_list VA_LIST;
portably, hence it is provided by a Standard C header file.
For pre-Standard C compilers, here is a version that usually works
(but watch out!): */
+#ifndef offsetof
#define offsetof(type, member) ( (int) & ((type*)0) -> member )
+#endif

//
// Basic types from EFI Application Toolkit required to buiild Open SSL
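Review bot: the fallback `offsetof` that the new `#ifndef offsetof` guard protects casts a pointer to `int` (`( (int) & ((type*)0) -> member )`), which GCC reports as a pointer-to-int cast of different size on 64-bit targets and which is undefined behaviour on paper; since this patch already assumes GCC (it keys on `_STDARG_H`), prefer `#define offsetof(type, member) __builtin_offsetof(type, member)` inside the same guard. The guard itself is the right fix, because the compiler's stddef.h can now be seen before this header. Unrelated to the change, the context line below it still spells "buiild".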
Index: b/Cryptlib/Makefile
===================================================================
--- a/Cryptlib/Makefile
+++ b/Cryptlib/Makefile
@@ -2,7 +2,8 @@
EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol

CFLAGS = -std=gnu89 -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
- -Wall $(EFI_INCLUDES)
+ -Wall $(EFI_INCLUDES) \
+ -ffreestanding -I$(shell $(CC) -print-file-name=include)

ifeq ($(ARCH),x86_64)
CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \
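Review bot: `-I$(shell $(CC) -print-file-name=include)` is added to a recursively expanded `CFLAGS =` assignment, so the shell command is re-run every time CFLAGS is expanded, once per object compiled. Capture it once with a simply expanded variable, e.g. `GCC_INCLUDE := $(shell $(CC) -print-file-name=include)` near the top of the file and `-I$(GCC_INCLUDE)` here; the same fragment is added verbatim to Cryptlib/OpenSSL/Makefile and the top-level Makefile in this patch, so one shared definition would also keep the three copies from drifting apart.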
Index: b/Cryptlib/OpenSSL/Makefile
===================================================================
--- a/Cryptlib/OpenSSL/Makefile
+++ b/Cryptlib/OpenSSL/Makefile
@@ -2,6 +2,7 @@
EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol

CFLAGS = -std=gnu89 -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \
+ -ffreestanding -I$(shell $(CC) -print-file-name=include) \
-Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC

ifeq ($(ARCH),x86_64)
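Review bot: this CFLAGS line already carries `-nostdinc`, and the new line then adds the compiler's own include directory back explicitly, so only the freestanding headers shipped with the compiler (stdarg.h, stddef.h and friends) become visible, not the host libc; that is the intent, but it reads as a contradiction. A one-line comment above the assignment stating that only the compiler-provided freestanding headers are wanted would stop a later cleanup from removing either flag.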
@@ -13,10 +14,10 @@ ifeq ($(ARCH),ia32)
-m32 -DTHIRTY_TWO_BIT
endif
ifeq ($(ARCH),aarch64)
- CFLAGS += -O2 -DSIXTY_FOUR_BIT_LONG -ffreestanding -I$(shell $(CC) -print-file-name=include)
+ CFLAGS += -O2 -DSIXTY_FOUR_BIT_LONG
endif
ifeq ($(ARCH),arm)
- CFLAGS += -O2 -DTHIRTY_TWO_BIT -ffreestanding -I$(shell $(CC) -print-file-name=include)
+ CFLAGS += -O2 -DTHIRTY_TWO_BIT
endif
LDFLAGS = -nostdlib -znocombreloc

Index: b/Makefile
===================================================================
--- a/Makefile
+++ b/Makefile
@@ -21,7 +21,8 @@ EFI_LDS = elf_$(ARCH)_efi.lds
DEFAULT_LOADER := \\\\grubx64.efi
CFLAGS = -std=gnu89 -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
-fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
- -Werror=sign-compare \
+ -Werror=sign-compare -ffreestanding \
+ -I$(shell $(CC) -print-file-name=include) \
"-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
"-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
$(EFI_INCLUDES)
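Review bot: `-ffreestanding` is added next to the existing `-fno-builtin` on the line above it; in GCC `-ffreestanding` already implies `-fno-builtin`, so the explicit flag is now redundant and could be dropped in the same change. Unlike the two Cryptlib Makefiles, this CFLAGS has no `-nostdinc` of its own: x86_64 and ia32 get it from their per-arch blocks further down, while aarch64 and arm (whose blocks this patch deletes) never did, so on those targets the compiler's include directory is searched in addition to the host system headers rather than instead of them. That is the pre-patch behaviour too, but it is worth a sentence in the commit message.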
@@ -31,19 +32,13 @@ ifneq ($(origin OVERRIDE_SECURITY_POLICY
endif

ifeq ($(ARCH),x86_64)
- CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \
+ CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
+ -maccumulate-outgoing-args \
-DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI
endif
ifeq ($(ARCH),ia32)
- CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -m32
-endif
-
-ifeq ($(ARCH),aarch64)
- CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include)
-endif
-
-ifeq ($(ARCH),arm)
- CFLAGS += -ffreestanding -I$(shell $(CC) -print-file-name=include)
+ CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
+ -maccumulate-outgoing-args -m32
endif

ifneq ($(origin VENDOR_CERT_FILE), undefined)
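Review bot: the rewrap of the x86_64 and ia32 `CFLAGS +=` lines is cosmetic and unrelated to the stdarg fix, but it makes the diff read as if the whole ia32/aarch64/arm region were deleted and a new ia32 block added, which hides the one substantive change here (the aarch64 and arm blocks go away because their flags moved into the common CFLAGS). Split the whitespace-only rewrap into its own commit. Checking the lines shown, the ia32 block still carries `-mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -m32` after the rewrap, so nothing is lost.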
Index: b/MokManager.c
===================================================================
--- a/MokManager.c
+++ b/MokManager.c
@@ -1,5 +1,6 @@
#include <efi.h>
#include <efilib.h>
+#include <stdarg.h>
#include <Library/BaseCryptLib.h>
#include <openssl/x509.h>
#include "shim.h"
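Review bot: the new `#include <stdarg.h>` only works because it precedes `<Library/BaseCryptLib.h>`: the `defined(_STDARG_H)` test this patch adds to Cryptlib/Include/OpenSslSupport.h depends on the compiler's stdarg.h having been seen first. Put a short comment on the include saying the order matters, otherwise an include-sorting pass will silently reintroduce the GCC 5 build failure. Any other translation unit that pulls in BaseCryptLib.h needs the same ordering, so consider doing the include inside OpenSslSupport.h itself rather than in each consumer.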