
shim-15.8-slfo.1.3.1 RPM for x86_64

From openSUSE Leap 16.0 for x86_64

Name: shim
Version: 15.8
Release: slfo.1.3.1
Group: System/Boot
Size: 1929087
Distribution: SUSE Linux Framework One
Vendor: SUSE LLC <https://www.suse.com/>
Build date: Thu Sep 19 08:27:27 2024
Build host: reproducible
Source RPM: shim-15.8-slfo.1.3.1.src.rpm
Packager: https://www.suse.com/
Url: https://github.com/rhboot/shim
Summary: UEFI shim loader

shim is a trivial EFI application that, when run, attempts to open and
execute another application.

Provides

Requires

License

BSD-2-Clause

Changelog

* Thu Sep 19 2024 glin@suse.com
  - Update shim-install to limit the scope of the 'removable'
    SL-Micro to the image booting with TPM2 unsealing (bsc#1210382)
    * 769e41d Limit the removable option to encrypted SL-Micro
* Mon Sep 16 2024 glin@suse.com
  - Update shim-install to use the 'removable' way for SL-Micro
    (bsc#1230316)
    * 433cc4e Always use the removable way for SL-Micro
* Sun May 19 2024 dennis.tseng@suse.com
  - Update to version 15.8
    - Various CVE fixes are already merged into this version
      mok: fix LogError() invocation (bsc#1215099,CVE-2023-40546)
      avoid incorrectly trusting HTTP headers (bsc#1215098,CVE-2023-40547)
      Fix integer overflow on SBAT section size on 32-bit system (bsc#1215100,CVE-2023-40548)
      Authenticode: verify that the signature header is in bounds (bsc#1215101,CVE-2023-40549)
      pe: Fix an out-of-bound read in verify_buffer_sbat() (bsc#1215102,CVE-2023-40550)
      pe-relocate: Fix bounds check for MZ binaries (bsc#1215103,CVE-2023-40551)
    - remove shim-Enable-the-NX-compatibility-flag-by-default.patch
      The code in this patch already exists in shim-15.8.
      The NX flag is disabled, which is the same as the default value of shim-15.8;
      hence, there is no need to enable it by this patch now.
    - Patches (git log --oneline --reverse 15.7..15.8)
      657b248 Make sbat_var.S parse right with buggy gcc/binutils
      7c76425 Enable the NX compatibility flag by default.
      89972ae CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper
      c7b3051 pe: Align section size up to page size for mem attrs
      e4f40ae pe: Add IS_PAGE_ALIGNED macro
      f23883c Don't loop forever in load_certs() with buggy firmware
      1f38cb3 Optionally allow to keep shim protocol installed
      102a658 Drop invalid calls to `CRYPTO_set_mem_functions`
      aae3df0 test-sbat: Fix exit code
      cca3933 Block Debian grub binaries with SBAT < 4
      cf59f34 Further improve load_certs() for non-compliant drivers/firmwares
      0601f44 SBAT-related documents formatting and spelling
      0640e13 Add a security contact email address in README.md
      0bfc397 Work around malformed path delimiters in file paths from DHCP
      a8b0b60 pe: only process RelocDir->Size of reloc section
      f7a4338 Skip testing msleep()
      549d346 Rename 'msecs' to 'usecs' to avoid potential confusion
      908c388 Change type of fallback_verbose_wait from int to unsigned long
      05eae92 Add SbatLevel_Variable.txt to document the various revocations
      243f125 Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL
      89d25a1 Add a make rule for compile_commands.json
      118ff87 Add gnu-stack notes
      f132655 test: Make our fake dprintf be a statement.
      be00279 Remove CentOS 7 test builds.
      9964960 Split pe.c up even more.
      569270d Test (and fix) ImageAddress()
      61e9894 Verify signature before verifying sbat levels
      1578b55 Add libFuzzer support for csv.c
      a0673e3 Fix a 1-byte memory leak in .sbat parsing.
      e246812 Add libFuzzer support to the .sbat parser.
      fd43eda Work around ImageAddress() usage mistake
      1e985a3 Correctly free memory allocated in handle_image()
      dbbe3c8 mok: Avoid underflow in maximum variable size calculation
      04111d4 Make some of the static analysis tools a little easier to run
      7ba7440 compile_commands.json: remove stuff clang doesn't like
      66e6579 CVE-2023-40546 mok: fix LogError() invocation
      f271826 Add primitives for overflow-checked arithmetic operations.
      8372147 pe-relocate: Add a fuzzer for read_header()
      5a5147d CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
      e912071 pe-relocate: make read_header() use checked arithmetic operations.
      93ce255 CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
      e7f5fdf pe-relocate: Ensure nothing else implements CVE-2023-40550
      afdc503 CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
      96dccc2 CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
      dae82f6 Further mitigations against CVE-2023-40546 as a class
      ea0f9df Allow SbatLevel data from external binary
      b078ef2 Always clear SbatLevel when Secure Boot is disabled
      7dfb687 BS Variables for bootmgr revocations
      a967c0e shim should not self revoke
      577cedd Print message when refusing to apply SbatLevel
      e801b0d sbat revocations: check the full section name
      0226b56 CVE-2023-40547 - avoid incorrectly trusting HTTP headers
      6f0c8d2 Print errors when setting/clearing memory attrs
      57c0eed Updated Revocations for January 2024 CVEs
      49c6d95 Fix some minor ia32 build issues.
      be8ff7c post-process-pe: Don't set the NX_COMPAT flag by default after all.
      13abd9f pe-relocate: Avoid __builtin_add_overflow() on GCC < 5
      c46c975 Suppress "Failed to open <..>\revocations.efi" when file does not exist
      30a4f37 Rename "previous" revocations to "automatic"
      6f395c2 Build time selectable automatic SBATLevel revocations
      a23e2f0 netboot read_image() should not hardcode DEFAULT_LOADER
      993a345 Try to load revocations.efi even if directory read fails
      1770a03 gitmodules: use shim-15.8 for gnu-efi branch
      5914984 (HEAD -> main, tag: latest-release, tag: 15.8, origin/main, origin/HEAD) Bump version to 15.8
* Thu Mar 14 2024 glin@suse.com
  - Update shim-install to set the SRK algorithm for the grub2
    TPM2 key protector (bsc#1213945)
    92d0f4305df73  Set the SRK algorithm for the TPM2 protector
  - Add the missing BuildRequires: update-bootloader-rpm-macros
    for the update_bootloader_* macros in %post and %posttrans
* Wed Sep 20 2023 glin@suse.com
  - Update shim-install to fix boot failure of ext4 root file system
    on RAID10 (bsc#1205855)
    226c94ca5cfca  Use hint in looking for root if possible
  - Adopt the macros from fde-tpm-helper-macros to update the
    signature in the sealed key after a bootloader upgrade
* Thu Jul 13 2023 glin@suse.com
  - Upgrade shim-install to support TPM 2.0 Key File
    b540061 Adopt TPM 2.0 Key File for grub2 TPM 2.0 protector
* Tue Jul 11 2023 meissner@suse.com
  - remove compat efi dir and binaries
* Mon Jun 12 2023 meissner@suse.com
  - Update shim to 15.7-150300.4.16.1 from SLE15-SP3
    - include aarch64 shims.
    - do not require shim-susesigned, was a workaround on 15-sp2.
  - quieten factory-auto bot as we are not building from source:
    - shim-arch-independent-names.patch removed
    - shim-change-debug-file-path.patch removed
* Wed Apr 26 2023 dennis.tseng@suse.com
  - Update shim to 15.7-150300.4.11.1 from SLE15-SP3
    + Version: 15.7, "Thu Mar 17 2023"
    + Update the SLE signatures
    + Include the fixes for bsc#1205588, bsc#1202120, bsc#1201066,
      (bsc#1198458, CVE-2022-28737), bsc#1198101, bsc#1193315, bsc#1193282
* Thu Apr 13 2023 jlee@suse.com
  - Upgrade shim-install for bsc#1210382
    After closing Leap-gap project since Leap 15.3, openSUSE Leap directly
    uses shim from SLE. So the ca_string is 'SUSE Linux Enterprise Secure Boot
    CA1', not 'openSUSE Secure Boot CA1'. It causes that the update_boot=no,
    so all files in /boot/efi/EFI/boot are not updated.
    The 86b73d1 patch added the logic that using ID field in os-release for
    checking Leap distro and set ca_string to 'SUSE Linux Enterprise Secure
    Boot CA1'. Then /boot/efi/EFI/boot/* can also be updated.
  - https://github.com/SUSE/shim-resources (git log --oneline)
      86b73d1 Fix that bootx64.efi is not updated on Leap
      f2e8143 Use the long name to specify the grub2 key protector
      7283012 cryptodisk: support TPM authorized policies
      49e7a0d Do not use tpm_record_pcrs unless the command is in command.lst
      26c6bd5 Have grub take a snapshot of "relevant" TPM PCRs
      5c2c3ad Handle different cases of controlling cryptomount volumes during first stage boot
      a5c5734 Introduce --no-grub-install option
* Tue Aug 17 2021 meissner@suse.com
  - restore the shim-susesigned installation via buildrequires here.
* Thu Jul 22 2021 jlee@suse.com
  - Update shim to 15.4-4.7.1 from SLE15-SP3
    + Version: 15.4, "Thu Jul 15 2021"
    + Update the SLE signatures
    + Include the fixes for bsc#1187696, bsc#1185261, bsc#1185441,
      bsc#1187071, bsc#1185621, bsc#1185261, bsc#1185232, bsc#1185261,
      bsc#1187260, bsc#1185232.
  - Remove shim-install because the shim-install is updated in SLE
    15.4 RPM.
* Wed May 26 2021 glin@suse.com
  - shim-install: remove the unexpected residual "removable" label
    for Azure (bsc#1185464, bsc#1185961)
* Wed May 19 2021 glin@suse.com
  - shim-install: instead of assuming "removable" for Azure, remove
    fallback.efi from \EFI\Boot and copy grub.efi/cfg to \EFI\Boot
    to make \EFI\Boot bootable and keep the boot option created by
    efibootmgr (bsc#1185464, bsc#1185961)
* Fri May 07 2021 glin@suse.com
  - shim-install: always assume "removable" for Azure to avoid the
    endless reset loop (bsc#1185464)
* Tue Apr 27 2021 glin@suse.com
  - Also package the debuginfo and debugsource
  - Drop COPYRIGHT file since it's already in the shim rpm package
* Tue Apr 27 2021 glin@suse.com
  - Update to the unified shim binary from SLE15-SP3 for SBAT support
    (bsc#1182057)
    + Version: 15.4, "Thu Apr 22 03:26:48 UTC 2021"
    + Merged EKU codesign check (bsc#1177315)
  - Drop merged patches
    + shim-arch-independent-names.patch
    + shim-change-debug-file-path.patch
    + shim-bsc1092000-fallback-menu.patch
    + shim-always-mirror-mok-variables.patch
    + shim-correct-license-in-headers.patch
    + gcc9-fix-warnings.patch
    + shim-fix-gnu-efi-3.0.11.patch
    + shim-bsc1173411-only-check-efi-var-on-sb.patch
  - Drop shim-opensuse-cert-prompt.patch since the openSUSE kernel
    enabled lockdown.
* Fri Oct 16 2020 glin@suse.com
  - Include suse-signed shim (bsc#1177315)
  - shim-install: Support changing default shim efi binary in
    /usr/etc/default/shim and /etc/default/shim (bsc#1177315)
* Mon Aug 24 2020 glin@suse.com
  - shim-install: install MokManager to \EFI\boot to process the
    pending MOK request (bsc#1175626, bsc#1175656)
* Thu Aug 06 2020 glin@suse.com
  - Amend the check of %shim_enforce_ms_signature
* Fri Jul 31 2020 jsegitz@suse.com
  - Updated SUSE signature
* Wed Jul 22 2020 glin@suse.com
  - Update the path to grub-tpm.efi in shim-install (bsc#1174320)
* Fri Jul 10 2020 glin@suse.com
  - Use vendor-dbx to block old SUSE/openSUSE signkeys (bsc#1168994)
    + Add dbx-cert.tar.xz which contains the certificates to block
      and a script, generate-vendor-dbx.sh, to generate
      vendor-dbx.bin
    + Add vendor-dbx.bin as the vendor dbx to block unwanted keys
  - Drop shim-opensuse-signed.efi
    + We don't need it anymore
* Fri Jul 10 2020 glin@suse.com
  - Add shim-bsc1173411-only-check-efi-var-on-sb.patch to only check
    EFI variable copying when Secure Boot is enabled (bsc#1173411)
* Tue Mar 31 2020 glin@suse.com
  - Use the full path of efibootmgr to avoid errors when invoking
    shim-install from packagekitd (bsc#1168104)
* Mon Mar 30 2020 glin@suse.com
  - Use "suse_version" instead of "sle_version" to avoid
    shim_lib64_share_compat being set in Tumbleweed forever.
* Mon Mar 16 2020 glin@suse.com
  - Add shim-fix-gnu-efi-3.0.11.patch to fix the build error caused
    by the upgrade of gnu-efi
* Wed Nov 27 2019 mchang@suse.com
  - shim-install: add a check whether btrfs is used as root file system to
    enable relative path lookup for file. (bsc#1153953)
* Fri Aug 16 2019 glin@suse.com
  - Fix a typo in shim-install (bsc#1145802)
* Fri Apr 19 2019 mliska@suse.cz
  - Add gcc9-fix-warnings.patch (bsc#1121268).
* Mon Apr 15 2019 glin@suse.com
  - Add shim-opensuse-signed.efi, the openSUSE shim-15+git47 binary
    (bsc#1113225)
* Fri Apr 12 2019 glin@suse.com
  - Disable AArch64 build (FATE#325971)
    + AArch64 machines don't use UEFI CA, at least for now.
* Thu Apr 11 2019 jsegitz@suse.com
  - Updated shim signature: signature-sles.x86_64.asc (bsc#1120026)
* Thu Feb 14 2019 rw@suse.com
  - Fix conditions for '/usr/share/efi'-move  (FATE#326960)
* Mon Jan 28 2019 glin@suse.com
  - Amend shim.spec to remove $RPM_BUILD_ROOT
* Thu Jan 17 2019 rw@suse.com
  - Move 'efi'-executables to '/usr/share/efi'  (FATE#326960)
    (preparing the move to 'noarch' for this package)
* Mon Jan 14 2019 glin@suse.com
  - Update shim-install to handle the partitioned MD devices
    (bsc#1119762, bsc#1119763)
* Thu Dec 20 2018 glin@suse.com
  - Update to 15+git47 (bsc#1120026, FATE#325971)
    + git commit: b3e4d1f7555aabbf5d54de5ea7cd7e839e7bd83d
  - Retire the old openSUSE 4096 bit certificate
    + Those programs are already out of maintenance.
  - Add shim-always-mirror-mok-variables.patch to mirror MOK
    variables correctly
  - Add shim-correct-license-in-headers.patch to correct the license
    declaration
  - Refresh patches:
    + shim-arch-independent-names.patch
    + shim-change-debug-file-path.patch
    + shim-bsc1092000-fallback-menu.patch
    + shim-opensuse-cert-prompt.patch
  - Drop upstreamed patches:
    + shim-bsc1088585-handle-mok-allocations-better.patch
    + shim-httpboot-amend-device-path.patch
    + shim-httpboot-include-console.h.patch
    + shim-only-os-name.patch
    + shim-remove-cryptpem.patch
* Wed Dec 05 2018 glin@suse.com
  - Update shim-install to specify the target for grub2-install and
    change the boot efi file name according to the architecture
    (bsc#1118363, FATE#325971)
* Tue Aug 21 2018 glin@suse.com
  - Enable AArch64 build (FATE#325971)
    + Also add the aarch64 signature files and rename the x86_64
      signature files
* Tue May 29 2018 glin@suse.com
  - Add shim-bsc1092000-fallback-menu.patch to show a menu before
    system reset (bsc#1092000)
* Tue Apr 10 2018 glin@suse.com
  - Add shim-bsc1088585-handle-mok-allocations-better.patch to avoid
    double-freeing after enrolling a key from the disk (bsc#1088585)
    + Also refresh shim-opensuse-cert-prompt.patch due to the change
      in MokManager.c
* Tue Apr 03 2018 glin@suse.com
  - Install the certificates with a shim suffix to avoid conflicting
    with other packages (bsc#1087847)
* Fri Mar 23 2018 glin@suse.com
  - Add the missing leading backslash to the DEFAULT_LOADER
    (bsc#1086589)
* Fri Jan 05 2018 glin@suse.com
  - Add shim-httpboot-amend-device-path.patch to amend the device
    path matching rule for httpboot (bsc#1065370)
* Thu Jan 04 2018 glin@suse.com
  - Update to 14 (bsc#1054712)
  - Adjust make commands in spec
  - Drop upstreamed fixes
    + shim-add-fallback-verbose-print.patch
    + shim-back-to-openssl-1.0.2e.patch
    + shim-fallback-workaround-masked-ami-variables.patch
    + shim-fix-fallback-double-free.patch
    + shim-fix-httpboot-crash.patch
    + shim-fix-openssl-flags.patch
    + shim-more-tpm-measurement.patch
  - Add shim-httpboot-include-console.h.patch to include console.h
    in httpboot.c to avoid build failure
  - Add shim-remove-cryptpem.patch to replace functions in CryptPem.c
    with the null function
  - Update SUSE/openSUSE specific patches
    + shim-only-os-name.patch
    + shim-arch-independent-names.patch
    + shim-change-debug-file-path.patch
    + shim-opensuse-cert-prompt.patch
* Fri Dec 29 2017 ngompa13@gmail.com
  - Fix debuginfo + debugsource subpackage generation for RPM 4.14
  - Set the RPM groups correctly for debug{info,source} subpackages
  - Drop deprecated and out of date Authors information in description
* Wed Sep 13 2017 glin@suse.com
  - Add shim-back-to-openssl-1.0.2e.patch to avoid rejecting some
    legit certificates (bsc#1054712)
  - Add the stderr mask back while compiling MokManager.efi since the
    warnings in Cryptlib is back after reverting the openssl commits.
* Tue Aug 29 2017 glin@suse.com
  - Add shim-add-fallback-verbose-print.patch to print the debug
    messages in fallback.efi dynamically
  - Refresh shim-fallback-workaround-masked-ami-variables.patch
  - Add shim-more-tpm-measurement.patch to measure more components
    and support TPM better
* Wed Aug 23 2017 glin@suse.com
  - Add upstream fixes
    + shim-fix-httpboot-crash.patch
    + shim-fix-openssl-flags.patch
    + shim-fix-fallback-double-free.patch
    + shim-fallback-workaround-masked-ami-variables.patch
  - Remove the stderr mask while compiling MokManager.efi since the
    warnings in Cryptlib were fixed.
* Tue Aug 22 2017 glin@suse.com
  - Add shim-arch-independent-names.patch to use the Arch-independent
    names. (bsc#1054712)
  - Refresh shim-change-debug-file-path.patch
  - Disable shim-opensuse-cert-prompt.patch automatically in SLE
  - Disable AArch64 until we have a real user and aarch64 signature
* Fri Jul 14 2017 bwiedemann@suse.com
  - Make build reproducible by avoiding race between find and cp
* Thu Jun 22 2017 glin@suse.com
  - Update to 12
  - Rename the result EFI images due to the upstream name change
    + shimx64 -> shim
    + mmx64 -> MokManager
    + fbx64 -> fallback
  - Refresh patches:
    + shim-only-os-name.patch
    + shim-change-debug-file-path.patch
    + shim-opensuse-cert-prompt.patch
  - Drop upstreamed patches:
    + shim-httpboot-support.patch
    + shim-bsc973496-mokmanager-no-append-write.patch
    + shim-bsc991885-fix-sig-length.patch
    + shim-update-openssl-1.0.2g.patch
    + shim-update-openssl-1.0.2h.patch
* Tue May 23 2017 glin@suse.com
  - Add the build flag to enable HTTPBoot
* Wed Mar 22 2017 mchang@suse.com
  - shim-install: add option --suse-enable-tpm (fate#315831)
* Fri Jan 13 2017 mchang@suse.com
  - Support %posttrans with macros provided by update-bootloader-rpm-macros
    package (bsc#997317)
* Fri Nov 18 2016 glin@suse.com
  - Add SIGNATURE_UPDATE.txt to state the steps to update
    signature-*.asc
  - Update the comment of strip_signature.sh
* Wed Sep 21 2016 mchang@suse.com
  - shim-install :
    * add option --no-nvram (bsc#999818)
    * improve removable media and fallback mode handling
* Fri Aug 19 2016 mchang@suse.com
  - shim-install : fix regression of password prompt (bsc#993764)
* Fri Aug 05 2016 glin@suse.com
  - Add shim-bsc991885-fix-sig-length.patch to fix the signature
    length passed to Authenticode (bsc#991885)
* Wed Aug 03 2016 glin@suse.com
  - Update shim-bsc973496-mokmanager-no-append-write.patch to try
    append write first
* Tue Aug 02 2016 glin@suse.com
  - Add shim-update-openssl-1.0.2h.patch to update openssl to 1.0.2h
  - Bump the requirement of gnu-efi due to the HTTPBoot support
* Mon Aug 01 2016 glin@suse.com
  - Add shim-httpboot-support.patch to support HTTPBoot
  - Add shim-update-openssl-1.0.2g.patch to update openssl to 1.0.2g
    and Cryptlib to 5e2318dd37a51948aaf845c7d920b11f47cdcfe6
  - Drop patches since they are merged into
    shim-update-openssl-1.0.2g.patch
    + shim-update-openssl-1.0.2d.patch
    + shim-gcc5.patch
    + shim-bsc950569-fix-cryptlib-va-functions.patch
    + shim-fix-aarch64.patch
  - Refresh shim-change-debug-file-path.patch
  - Add shim-bsc973496-mokmanager-no-append-write.patch to work
    around the firmware that doesn't support APPEND_WRITE (bsc#973496)
  - shim-install : remove '\n' from the help message (bsc#991188)
  - shim-install : print a message if there is no valid EFI partition
    (bsc#991187)
* Mon May 09 2016 rw@suse.com
  - shim-install : support simple MD RAID1 target devices (FATE#314829)
* Wed May 04 2016 agraf@suse.com
  - Add shim-fix-aarch64.patch to fix compilation on AArch64 (bsc#978438)
* Wed Mar 09 2016 mchang@suse.com
  - shim-install : fix typing ESC can escape to parent config which is
    in command mode and cannot return back (bsc#966701)
  - shim-install : fix no which command for JeOS (bsc#968264)
* Thu Dec 03 2015 jsegitz@novell.com
  - acquired updated signature from Microsoft
* Mon Nov 09 2015 glin@suse.com
  - Add shim-bsc950569-fix-cryptlib-va-functions.patch to fix the
    definition of va functions to avoid the potential crash
    (bsc#950569)
  - Update shim-opensuse-cert-prompt.patch to avoid setting NULL to
    MokListRT (bsc#950801)
  - Drop shim-fix-mokmanager-sections.patch as we are using the
    newer binutils now
  - Refresh shim-change-debug-file-path.patch
* Thu Oct 08 2015 jsegitz@novell.com
  - acquired updated signature from Microsoft
* Tue Sep 15 2015 mchang@suse.com
  - shim-install : set default GRUB_DISTRIBUTOR from /etc/os-release
    if it is empty or not set by user (bsc#942519)
* Thu Jul 16 2015 glin@suse.com
  - Add shim-update-openssl-1.0.2d.patch to update openssl to 1.0.2d
  - Refresh shim-gcc5.patch and add it back since we really need it
  - Add shim-change-debug-file-path.patch to change the debug file
    path in shim.efi
    + also add the debuginfo and debugsource subpackages
  - Drop shim-fix-gnu-efi-30w.patch which is not necessary anymore
* Mon Jul 06 2015 glin@suse.com
  - Update to 0.9
  - Refresh patches
    + shim-fix-gnu-efi-30w.patch
    + shim-fix-mokmanager-sections.patch
    + shim-opensuse-cert-prompt.patch
  - Drop upstreamed patches
    + shim-bsc920515-fix-fallback-buffer-length.patch
    + shim-mokx-support.patch
    + shim-update-cryptlib.patch
  - Drop shim-bsc919675-uninstall-shim-protocols.patch since
    upstream fixed the bug in another way.
  - Drop shim-gcc5.patch which was fixed in another way
* Wed Apr 08 2015 glin@suse.com
  - Fix tags in the spec file
* Tue Apr 07 2015 glin@suse.com
  - Add shim-update-cryptlib.patch to update Cryptlib to r16559 and
    openssl to 0.9.8zf
  - Add shim-bsc919675-uninstall-shim-protocols.patch to uninstall
    the shim protocols at Exit (bsc#919675)
  - Add shim-bsc920515-fix-fallback-buffer-length.patch to adjust
    the buffer size for the boot options (bsc#920515)
  - Refresh shim-opensuse-cert-prompt.patch
* Thu Apr 02 2015 crrodriguez@opensuse.org
  - shim-gcc5.patch: shim needs -std=gnu89 to build with GCC5
* Tue Feb 17 2015 mchang@suse.com
  - shim-install : fix cryptodisk installation (boo#917427)
* Tue Nov 11 2014 glin@suse.com
  - Add shim-fix-mokmanager-sections.patch to fix the objcopy
    parameters for the EFI files
* Tue Oct 28 2014 glin@suse.com
  - Update to 0.8
  - Add shim-fix-gnu-efi-30w.patch to adapt the change in
    gnu-efi-3.0w
  - Merge shim-signed-unsigned-compares.patch,
    shim-mokmanager-support-sha-family.patch and
    shim-bnc863205-mokmanager-fix-hash-delete.patch into
    shim-mokx-support.patch
  - Refresh shim-opensuse-cert-prompt.patch
  - Drop upstreamed patches: shim-update-openssl-0.9.8zb.patch,
    bug-889332_shim-overflow.patch, and bug-889332_shim-mok-oob.patch
  - Enable aarch64
* Mon Oct 13 2014 jsegitz@novell.com
  - Fixed buffer overflow and OOB access in shim trusted code path
    (bnc#889332, CVE-2014-3675, CVE-2014-3676, CVE-2014-3677)
    * added bug-889332_shim-mok-oob.patch, bug-889332_shim-overflow.patch
  - Added new certificate by Microsoft
* Wed Sep 03 2014 lnussel@suse.de
  - re-introduce build failure if shim_enforce_ms_signature is defined. That way
    a project like openSUSE:Factory can decide whether or not shim needs a valid
    MS signature.
* Tue Aug 19 2014 glin@suse.com
  - Add shim-update-openssl-0.9.8zb.patch to update openssl to
    0.9.8zb
* Tue Aug 12 2014 jsegitz@suse.com
  - updated shim to new version (OpenSSL 0.9.8za) and requested a new
    certificate from Microsoft. Removed
    * shim-allow-fallback-use-system-loadimage.patch
    * shim-bnc872503-check-key-encoding.patch
    * shim-bnc877003-fetch-from-the-same-device.patch
    * shim-correct-user_insecure-usage.patch
    * shim-fallback-avoid-duplicate-bootorder.patch
    * shim-fallback-improve-entries-creation.patch
    * shim-fix-dhcpv4-path-generation.patch
    * shim-fix-uninitialized-variable.patch
    * shim-fix-verify-mok.patch
    * shim-get-variable-check.patch
    * shim-improve-error-messages.patch
    * shim-mokmanager-delete-bs-var-right.patch
    * shim-mokmanager-handle-keystroke-error.patch
    * shim-remove-unused-variables.patch
    since they're included in upstream and rebased the remaining ones.
    Added shim-signed-unsigned-compares.patch to fix some compiler
    warnings
* Tue Aug 12 2014 glin@suse.com
  - Keep shim-devel.efi for the devel project
* Fri Aug 08 2014 lnussel@suse.de
  - don't fail the build if the UEFI signing service signature can't
    be attached anymore. This way shim can still pass through staging
    projects. We will verify the correct signature for release builds
    using openQA instead.
* Mon Aug 04 2014 mchang@suse.com
  - shim-install: fix GRUB shows broken letters at boot by calling
    grub2-install to initialize /boot/grub2 directory with files
    needed by grub.cfg (bnc#889765)
* Wed May 28 2014 glin@suse.com
  - Add shim-remove-unused-variables.patch to remove the unused
    variables
  - Add shim-bnc872503-check-key-encoding.patch to check the encoding
    of the keys (bnc#872503)
  - Add shim-bnc877003-fetch-from-the-same-device.patch to fetch the
    netboot image from the same device (bnc#877003)
  - Refresh shim-opensuse-cert-prompt.patch
* Wed May 14 2014 glin@suse.com
  - Use --reinit instead of --refresh in %post to update the files
    in /boot
* Tue Apr 29 2014 mchang@suse.com
  - shim-install: fix boot partition and rollback support kluge
    (bnc#875385)
* Thu Apr 10 2014 glin@suse.com
  - Replace shim-mokmanager-support-sha1.patch with
    shim-mokmanager-support-sha-family.patch to support the SHA
    family
* Mon Apr 07 2014 glin@suse.com
  - Add shim-mokmanager-support-sha1.patch to support SHA1 hashes in
    MOK
* Mon Mar 31 2014 mchang@suse.com
  - snapper rollback support (fate#317062)
    - refresh shim-install
* Thu Mar 13 2014 glin@suse.com
  - Insert the right signature (bnc#867974)
* Mon Mar 10 2014 glin@suse.com
  - Add shim-fix-uninitialized-variable.patch to fix the use of
    uninitialized variables in lib
* Fri Mar 07 2014 glin@suse.com
  - Add shim-mokmanager-delete-bs-var-right.patch to delete the BS+NV
    variables the right way
  - Update shim-opensuse-cert-prompt.patch to delete openSUSE_Verify
    correctly
* Thu Mar 06 2014 glin@suse.com
  - Add shim-fallback-avoid-duplicate-bootorder.patch to fix the
    duplicate entries in BootOrder
  - Add shim-allow-fallback-use-system-loadimage.patch to handle the
    shim protocol properly to keep only one protocol entity
  - Refresh shim-opensuse-cert-prompt.patch
* Thu Mar 06 2014 mchang@suse.com
  - shim-install: fix the $prefix to use grub2-mkrelpath for paths
    on btrfs subvolume (bnc#866690).
* Tue Mar 04 2014 glin@suse.com
  - FATE#315002: Update shim-install to install shim.efi as the EFI
    default bootloader when none exists in \EFI\boot.
* Thu Feb 27 2014 fcrozat@suse.com
  - Update signature-sles.asc: shim signed by UEFI signing service,
    based on code from "Thu Feb 20 11:57:01 UTC 2014"
* Fri Feb 21 2014 glin@suse.com
  - Add shim-opensuse-cert-prompt.patch to show the prompt to ask
    whether the user trusts the openSUSE certificate or not
* Thu Feb 20 2014 lnussel@suse.de
  - allow package to carry multiple signatures
  - check correct certificate is embedded
* Thu Feb 20 2014 lnussel@suse.de
  - always clean up generated files that embed certificates
    (shim_cert.h shim.cer shim.crt) to make sure next build loop
    rebuilds them properly
* Mon Feb 17 2014 glin@suse.com
  - Add shim-bnc863205-mokmanager-fix-hash-delete.patch to fix the
    hash deletion operation to avoid ruining the whole list
    (bnc#863205)
* Tue Feb 11 2014 glin@suse.com
  - Update shim-mokx-support.patch to support the resetting of MOK
    blacklist
  - Add shim-get-variable-check.patch to fix the variable checking
    in get_variable_attr
  - Add shim-fallback-improve-entries-creation.patch to improve the
    boot entry paths and avoid generating the boot entries that
    are already there
  - Update SUSE certificate
  - Update attach_signature.sh, show_hash.sh, strip_signature.sh,
    extract_signature.sh and show_signatures.sh to remove the
    creation of the temporary nss database
  - Add shim-only-os-name.patch: remove the kernel version of the
    build server
  - Match the prefix of the project name properly by escaping the
    percent sign.
* Wed Jan 22 2014 lnussel@suse.de
  - enable signature assertion also in SUSE: hierarchy
* Fri Dec 06 2013 glin@suse.com
  - Add shim-mokmanager-handle-keystroke-error.patch to handle the
    error status from ReadKeyStroke to avoid unexpected keys
* Thu Dec 05 2013 glin@suse.com
  - Update to 0.7
  - Add upstream patches:
    + shim-fix-verify-mok.patch
    + shim-improve-error-messages.patch
    + shim-correct-user_insecure-usage.patch
    + shim-fix-dhcpv4-path-generation.patch
  - Add shim-mokx-support.patch to support the MOK blacklist
    (Fate#316531)
  - Drop upstreamed patches
    + shim-fix-pointer-casting.patch
    + shim-merge-lf-loader-code.patch
    + shim-fix-simple-file-selector.patch
    + shim-mokmanager-support-crypt-hash-method.patch
    + shim-bnc804631-fix-broken-bootpath.patch
    + shim-bnc798043-no-doulbe-separators.patch
    + shim-bnc807760-change-pxe-2nd-loader-name.patch
    + shim-bnc808106-correct-certcount.patch
    + shim-mokmanager-ui-revamp.patch
    + shim-netboot-fixes.patch
    + shim-mokmanager-disable-gfx-console.patch
  - Drop shim-suse-build.patch: it's not necessary anymore
  - Drop shim-bnc841426-silence-shim-protocols.patch: shim is not
    verbose by default
* Thu Oct 31 2013 fcrozat@suse.com
  - Update microsoft.asc: shim signed by UEFI signing service, based
    on code from "Tue Oct  1 04:29:29 UTC 2013".
* Tue Oct 01 2013 glin@suse.com
  - Add shim-netboot-fixes.patch to include upstream netboot fixes
  - Add shim-mokmanager-disable-gfx-console.patch to disable the
    graphics console to avoid system hang on some machines
  - Add shim-bnc841426-silence-shim-protocols.patch to silence the
    shim protocols (bnc#841426)
* Wed Sep 25 2013 glin@suse.com
  - Create boot.csv in ESP for fallback.efi to restore the boot entry
* Tue Sep 17 2013 fcrozat@suse.com
  - Update microsoft.asc: shim signed by UEFI signing service, based
    on code from "Fri Sep  6 13:57:36 UTC 2013".
  - Improve extract_signature.sh to work on current path.
* Fri Sep 06 2013 lnussel@suse.de
  - set timestamp of PE file to time of the binary the signature was
    made for.
  - make sure cert.o gets rebuilt for each target
* Fri Sep 06 2013 fcrozat@suse.com
  - Update microsoft.asc: shim signed by UEFI signing service, based
    on code from "Wed Aug 28 15:54:38 UTC 2013"
* Wed Aug 28 2013 lnussel@suse.de
  - always build a shim that embeds the distro's certificate (e.g.
    shim-opensuse.efi). If the package is built in the devel project
    additionally shim-devel.efi is created. That allows us to either
    load grub2/kernel signed by the distro or signed by the devel
    project, depending on use case. Also shim-$distro.efi from the
    devel project can be used to request additional signatures.
* Wed Aug 28 2013 lnussel@suse.de
  - also include old openSUSE 4096 bit certificate to be able to still
    boot kernels signed with that key.
  - add show_signatures script
* Tue Aug 27 2013 lnussel@suse.de
  - replace the 4096 bit openSUSE UEFI CA certificate with a new
    standard compliant 2048 bit one.
* Tue Aug 20 2013 lnussel@suse.de
  - fix shell syntax error
* Wed Aug 07 2013 lnussel@suse.de
  - don't include binary in the sources. Instead package the raw
    signature and attach it during build (bnc#813448).
* Tue Jul 30 2013 glin@suse.com
  - Update shim-mokmanager-ui-revamp.patch to include fixes for
    MokManager
    + reboot the system after clearing MOK password
    + fetch more info from X509 name
    + check the suffix of the key file
* Tue Jul 23 2013 glin@suse.com
  - Update to 0.4
  - Rebase patches
    + shim-suse-build.patch
    + shim-mokmanager-support-crypt-hash-method.patch
    + shim-bnc804631-fix-broken-bootpath.patch
    + shim-bnc798043-no-doulbe-separators.patch
    + shim-bnc807760-change-pxe-2nd-loader-name.patch
    + shim-bnc808106-correct-certcount.patch
    + shim-mokmanager-ui-revamp.patch
  - Add patches
    + shim-merge-lf-loader-code.patch: merge the Linux Foundation
      loader UI code
    + shim-fix-pointer-casting.patch: fix a casting issue and the
      size of an empty vendor cert
    + shim-fix-simple-file-selector.patch: fix the buffer allocation
      in the simple file selector
  - Remove upstreamed patches
    + shim-support-mok-delete.patch
    + shim-reboot-after-changes.patch
    + shim-clear-queued-key.patch
    + shim-local-key-sign-mokmanager.patch
    + shim-get-2nd-stage-loader.patch
    + shim-fix-loadoptions.patch
  - Remove unused patch: shim-mokmanager-new-pw-hash.patch and
    shim-keep-unsigned-mokmanager.patch
  - Install the vendor certificate to /etc/uefi/certs
* Wed May 08 2013 glin@suse.com
  - Add shim-mokmanager-ui-revamp.patch to update the MokManager UI
* Wed Apr 03 2013 glin@suse.com
  - Call update-bootloader in %post to update *.efi in \efi\opensuse
    (bnc#813079)
* Fri Mar 08 2013 glin@suse.com
  - Add shim-bnc807760-change-pxe-2nd-loader-name.patch to change the
    PXE 2nd stage loader name (bnc#807760)
  - Add shim-bnc808106-correct-certcount.patch to correct the
    certificate count of the signature list (bnc#808106)
* Fri Mar 01 2013 glin@suse.com
  - Add shim-bnc798043-no-doulbe-separators.patch to remove double
    separators from the bootpath (bnc#798043#c4)
* Thu Feb 28 2013 lnussel@suse.de
  - sign shim also with openSUSE certificate
* Wed Feb 27 2013 mls@suse.de
  - identify project, export certificate as DER file
  - don't create an unused extra keypair
* Thu Feb 21 2013 glin@suse.com
  - Add shim-bnc804631-fix-broken-bootpath.patch to fix the broken
    bootpath generated in generate_path(). (bnc#804631)
* Mon Feb 11 2013 fcrozat@suse.com
  - Update with shim signed by UEFI signing service, based on code
    from "Thu Feb  7 06:56:19 UTC 2013".
* Thu Feb 07 2013 lnussel@suse.de
  - prepare for having a signed shim from the UEFI signing service
* Thu Feb 07 2013 glin@suse.com
  - Sign shim-opensuse.efi and MokManager.efi with the openSUSE cert
  - Add shim-keep-unsigned-mokmanager.patch to keep the unsigned
    MokManager and sign it later.
* Wed Feb 06 2013 mchang@suse.com
  - Add shim-install utility
  - Add Recommends to grub2-efi
* Wed Jan 30 2013 glin@suse.com
  - Add shim-mokmanager-support-crypt-hash-method.patch to support
    password hash from /etc/shadow (FATE#314506)
* Tue Jan 29 2013 glin@suse.com
  - Embed openSUSE-UEFI-CA-Certificate.crt in shim
  - Rename shim-unsigned.efi to shim-opensuse.efi.
* Fri Jan 18 2013 glin@suse.com
  - Update shim-mokmanager-new-pw-hash.patch to extend the password
    hash format
  - Rename shim.efi as shim-unsigned.efi
* Wed Jan 16 2013 glin@suse.com
  - Merge patches for FATE#314506
    + Add shim-support-mok-delete.patch to add support for deleting
      specific keys
    + Add shim-mokmanager-new-pw-hash.patch to support the new
      password hash.
  - Drop shim-correct-mok-size.patch which is included in
    shim-support-mok-delete.patch
  - Merge shim-remove-debug-code.patch and
    shim-local-sign-mokmanager.patch into
    shim-local-key-sign-mokmanager.patch
  - Install COPYRIGHT
* Tue Jan 15 2013 glin@suse.com
  - Add shim-fix-loadoptions.patch to adopt the UEFI shell style
    LoadOptions (bnc#798043)
  - Drop shim-check-pk-kek.patch since upstream rejected the patch
    due to violation of SPEC.
  - Install EFI binaries to /usr/lib64/efi
* Wed Dec 26 2012 glin@suse.com
  - Update shim-reboot-after-changes.patch to avoid rebooting the
    system after enrolling keys/hashes from the file system
  - Add shim-correct-mok-size.patch to correct the size of MOK
  - Add shim-clear-queued-key.patch to clear the queued key and show
    the menu properly
* Wed Dec 12 2012 fcrozat@suse.com
  - Remove shim-rpmlintrc, it wasn't fixing the error, hide error
    stdout to prevent post build check to get triggered by cast
    warnings in openSSL code
  - Add shim-remove-debug-code.patch: remove debug code
* Wed Dec 12 2012 glin@suse.com
  - Add shim-rpmlintrc to filter 64bit portability errors
* Tue Dec 11 2012 glin@suse.com
  - Add shim-local-sign-mokmanager.patch to create a local certificate
    to sign MokManager
  - Add shim-get-2nd-stage-loader.patch to get the second stage
    loader path from the load options
  - Add shim-check-pk-kek.patch to verify EFI images with PK and KEK
  - Add shim-reboot-after-changes.patch to reboot the system after
    enrolling or erasing keys
  - Install the EFI images to /usr/lib64/shim instead of the EFI
    partition
  - Update the mail address of the author
* Fri Nov 02 2012 glin@suse.com
  - Add new package shim 0.2 (FATE#314484)
    + It's in fact git 2fd180a92 since there is no tag for 0.2

Files

/etc/uefi
/etc/uefi/certs
/etc/uefi/certs/BCA4E38E-shim.crt
/usr/sbin/shim-install
/usr/share/doc/packages/shim
/usr/share/doc/packages/shim/COPYRIGHT
/usr/share/efi
/usr/share/efi/x86_64
/usr/share/efi/x86_64/MokManager.efi
/usr/share/efi/x86_64/fallback.efi
/usr/share/efi/x86_64/shim-sles.der
/usr/share/efi/x86_64/shim-sles.efi
/usr/share/efi/x86_64/shim.efi


Generated by rpm2html 1.8.1

Fabrice Bellet, Sun Oct 27 00:10:13 2024