since the shell allows circumvention of Secure Boot restrictions, for example
via raw memory access or execution of scripts on the ESP.
See Links in the patch for details.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
(cherry picked from commit 334229c409)
CVE-2023-45229-CVE-2023-45237, taken from upstream announcement/issue at
https://bugzilla.tianocore.org/show_bug.cgi?id=4518
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
(cherry picked from commit fee1be4819)
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
by limiting the phys-bits to 46 instead of 47. On Ubuntu 18.04 with
kernel 4.15, using 47 leads to a strange issue where initialization of
VirtIO devices would fail.
Reported in the community forum:
https://forum.proxmox.com/threads/127410/
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
> Continue to allow bootloaders to execute memory allocated as
> EFI_LOADER_DATA until GRUB fixes are more generally available.
> (Closes: #1025656)
-- a0be41b75c
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
this is mostly done to secure against a future change of the default
march that may come from the x86-64-v* microarchitecture level [0]
concept that is currently being developed and by some more bleeding
edge distros even already adopted.
[0]: https://en.wikipedia.org/wiki/X86-64#Microarchitecture_levels
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
commit 862ea6e836 ("OvmfPkg: change qemu default resolution to
1280x800") made our patch that changed it to 1024x768 obsolete.
Note that QEMU is planning to change their default from 1024x768 to
1280x800 in QEMU 7.0, so that's where that new value is coming from.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Among other things this now ships OVMF code/vars with secureboot and
MS keys enrolled, allowing Win11 final to get installed, and secure
boot support in general.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>