8 Commits

Author SHA1 Message Date
Fabian Grünbichler
b82f91d3ec fix CVE-2023-48733: disable EFI shell in SB mode
since the shell allows circumvention of Secure Boot restrictions, for example
via raw memory access or execution of scripts on the ESP.

see Links in the patch for details.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
(cherry picked from commit 334229c409)
2024-02-15 14:36:17 +01:00
Fabian Grünbichler
ad29794b22 cherry-pick patches for PXE CVEs
CVE-2023-45229-CVE-2023-45237, taken from upstream announcement/issue at
https://bugzilla.tianocore.org/show_bug.cgi?id=4518

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
(cherry-picked from commit fee1be4819)
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
2024-01-22 12:45:42 +01:00
Fiona Ebner
c252b4e501 add patch to work around older guest kernel bug
by limiting the phys-bits to 46 instead of 47. On Ubuntu 18.04 with
kernel 4.15, using 47 leads to a strange issue where initialization of
VirtIO devices would fail.

Reported in the community forum:
https://forum.proxmox.com/threads/127410/

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
2023-06-06 16:05:21 +02:00
Thomas Lamprecht
7728bf381b fix #4696: Revert "ArmVirtPkg: make EFI_LOADER_DATA non-executable"
> Continue to allow bootloaders to execute memory allocated as
> EFI_LOADER_DATA until GRUB fixes are more generally available.
> (Closes: #1025656)

-- a0be41b75c

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2023-05-24 10:56:07 +02:00
Thomas Lamprecht
5b38a120b6 debian: add patch to enforce the basic x86-64 march
this is mostly done to secure against a future change of the default
march that may come from the x86-64-v* microarchitecture level [0]
concept that is currently being developed and by some more bleeding
edge distros even already adopted.

[0]: https://en.wikipedia.org/wiki/X86-64#Microarchitecture_levels

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2023-03-07 09:38:47 +01:00
Thomas Lamprecht
7e8a639bcf drop superfluous resolution patch
commit 862ea6e836 ("OvmfPkg: change qemu default resolution to
1280x800") made our patch that changed it to 1024x768 obsolete.

Note that QEMU is planning to change their default from 1024x768 to
1280x800 in QEMU 7.0, so that's where that new value is coming from.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2022-03-01 15:20:17 +01:00
Thomas Lamprecht
e2ab583755 change default resolution to 1024x768
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-11-15 16:46:46 +01:00
Thomas Lamprecht
a65627a818 debian: update build and packaging from Debian upstream
Among other things, this now ships OVMF code/vars with secureboot and
MS keys enrolled, allowing Win11 final to get installed and secure
boot support in general.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2021-10-05 14:11:09 +02:00