-------------------------------------------------------------------
Sun May 19 15:08:27 UTC 2024 - Dennis Tseng <dennis.tseng@suse.com>

- Update to version 15.8
- Various CVE fixes are already merged into this version
  mok: fix LogError() invocation (bsc#1215099,CVE-2023-40546)
  avoid incorrectly trusting HTTP headers (bsc#1215098,CVE-2023-40547)
  Fix integer overflow on SBAT section size on 32-bit system (bsc#1215100,CVE-2023-40548)
  Authenticode: verify that the signature header is in bounds (bsc#1215101,CVE-2023-40549)
  pe: Fix an out-of-bound read in verify_buffer_sbat() (bsc#1215102,CVE-2023-40550)
  pe-relocate: Fix bounds check for MZ binaries (bsc#1215103,CVE-2023-40551)
- remove shim-Enable-the-NX-compatibility-flag-by-default.patch
  The code in this patch already exists in shim-15.8
  The NX flag is disabled, which is the same as the default value of shim-15.8;
  hence, there is no need to enable it by this patch now.
- Patches (git log --oneline --reverse 15.7..15.8)
  657b248 Make sbat_var.S parse right with buggy gcc/binutils
  7c76425 Enable the NX compatibility flag by default.
  89972ae CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper
  c7b3051 pe: Align section size up to page size for mem attrs
  e4f40ae pe: Add IS_PAGE_ALIGNED macro
  f23883c Don't loop forever in load_certs() with buggy firmware
  1f38cb3 Optionally allow to keep shim protocol installed
  102a658 Drop invalid calls to `CRYPTO_set_mem_functions`
  aae3df0 test-sbat: Fix exit code
  cca3933 Block Debian grub binaries with SBAT < 4
  cf59f34 Further improve load_certs() for non-compliant drivers/firmwares
  0601f44 SBAT-related documents formatting and spelling
  0640e13 Add a security contact email address in README.md
  0bfc397 Work around malformed path delimiters in file paths from DHCP
  a8b0b60 pe: only process RelocDir->Size of reloc section
  f7a4338 Skip testing msleep()
  549d346 Rename 'msecs' to 'usecs' to avoid potential confusion
  908c388 Change type of fallback_verbose_wait from int to unsigned long
  05eae92 Add SbatLevel_Variable.txt to document the various revocations
  243f125 Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL
  89d25a1 Add a make rule for compile_commands.json
  118ff87 Add gnu-stack notes
  f132655 test: Make our fake dprintf be a statement.
  be00279 Remove CentOS 7 test builds.
  9964960 Split pe.c up even more.
  569270d Test (and fix) ImageAddress()
  61e9894 Verify signature before verifying sbat levels
  1578b55 Add libFuzzer support for csv.c
  a0673e3 Fix a 1-byte memory leak in .sbat parsing.
  e246812 Add libFuzzer support to the .sbat parser.
  fd43eda Work around ImageAddress() usage mistake
  1e985a3 Correctly free memory allocated in handle_image()
  dbbe3c8 mok: Avoid underflow in maximum variable size calculation
  04111d4 Make some of the static analysis tools a little easier to run
  7ba7440 compile_commands.json: remove stuff clang doesn't like
  66e6579 CVE-2023-40546 mok: fix LogError() invocation
  f271826 Add primitives for overflow-checked arithmetic operations.
  8372147 pe-relocate: Add a fuzzer for read_header()
  5a5147d CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
  e912071 pe-relocate: make read_header() use checked arithmetic operations.
  93ce255 CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
  e7f5fdf pe-relocate: Ensure nothing else implements CVE-2023-40550
  afdc503 CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
  96dccc2 CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
  dae82f6 Further mitigations against CVE-2023-40546 as a class
  ea0f9df Allow SbatLevel data from external binary
  b078ef2 Always clear SbatLevel when Secure Boot is disabled
  7dfb687 BS Variables for bootmgr revocations
  a967c0e shim should not self revoke
  577cedd Print message when refusing to apply SbatLevel
  e801b0d sbat revocations: check the full section name
  0226b56 CVE-2023-40547 - avoid incorrectly trusting HTTP headers
  6f0c8d2 Print errors when setting/clearing memory attrs
  57c0eed Updated Revocations for January 2024 CVEs
  49c6d95 Fix some minor ia32 build issues.
  be8ff7c post-process-pe: Don't set the NX_COMPAT flag by default after all.
  13abd9f pe-relocate: Avoid __builtin_add_overflow() on GCC < 5
  c46c975 Suppress "Failed to open <..>\revocations.efi" when file does not exist
  30a4f37 Rename "previous" revocations to "automatic"
  6f395c2 Build time selectable automatic SBATLevel revocations
  a23e2f0 netboot read_image() should not hardcode DEFAULT_LOADER
  993a345 Try to load revocations.efi even if directory read fails
  1770a03 gitmodules: use shim-15.8 for gnu-efi branch
  5914984 (HEAD -> main, tag: latest-release, tag: 15.8, origin/main, origin/HEAD) Bump version to 15.8

-------------------------------------------------------------------
Thu Mar 14 06:05:12 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>

- Update shim-install to set the SRK algorithm for the grub2
  TPM2 key protector (bsc#1213945)
  92d0f4305df73 Set the SRK algorithm for the TPM2 protector
- Add the missing BuildRequires: update-bootloader-rpm-macros
  for the update_bootloader_* macros in %post and %posttrans

-------------------------------------------------------------------
Wed Sep 20 09:00:36 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>

- Update shim-install to fix boot failure of ext4 root file system
  on RAID10 (bsc#1205855)
  226c94ca5cfca Use hint in looking for root if possible
- Adopt the macros from fde-tpm-helper-macros to update the
  signature in the sealed key after a bootloader upgrade

-------------------------------------------------------------------
Thu Jul 13 07:20:50 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>

- Upgrade shim-install to support TPM 2.0 Key File
  b540061 Adopt TPM 2.0 Key File for grub2 TPM 2.0 protector

-------------------------------------------------------------------
Tue Jul 11 14:02:16 UTC 2023 - Marcus Meissner <meissner@suse.com>

- remove compat efi dir and binaries

-------------------------------------------------------------------
Mon Jun 12 11:12:36 UTC 2023 - Marcus Meissner <meissner@suse.com>

- Update shim to 15.7-150300.4.16.1 from SLE15-SP3
- include aarch64 shims.
- do not require shim-susesigned, was a workaround on 15-sp2.

- quieten factory-auto bot as we are not building from source:
  - shim-arch-independent-names.patch removed
  - shim-change-debug-file-path.patch removed

-------------------------------------------------------------------
Wed Apr 26 07:09:48 UTC 2023 - Dennis Tseng <dennis.tseng@suse.com>

- Update shim to 15.7-150300.4.11.1 from SLE15-SP3
  + Version: 15.7, "Thu Mar 17 2023"
  + Update the SLE signatures
  + Include the fixes for bsc#1205588, bsc#1202120, bsc#1201066,
    (bsc#1198458, CVE-2022-28737), bsc#1198101, bsc#1193315, bsc#1193282

-------------------------------------------------------------------
Thu Apr 13 05:28:10 UTC 2023 - Joey Lee <jlee@suse.com>

- Upgrade shim-install for bsc#1210382
  After closing Leap-gap project since Leap 15.3, openSUSE Leap directly
  uses shim from SLE. So the ca_string is 'SUSE Linux Enterprise Secure Boot
  CA1', not 'openSUSE Secure Boot CA1'. It causes that the update_boot=no,
  so all files in /boot/efi/EFI/boot are not updated.

  The 86b73d1 patch added the logic that using ID field in os-release for
  checking Leap distro and set ca_string to 'SUSE Linux Enterprise Secure
  Boot CA1'. Then /boot/efi/EFI/boot/* can also be updated.
- https://github.com/SUSE/shim-resources (git log --oneline)
  86b73d1 Fix that bootx64.efi is not updated on Leap
  f2e8143 Use the long name to specify the grub2 key protector
  7283012 cryptodisk: support TPM authorized policies
  49e7a0d Do not use tpm_record_pcrs unless the command is in command.lst
  26c6bd5 Have grub take a snapshot of "relevant" TPM PCRs
  5c2c3ad Handle different cases of controlling cryptomount volumes during first stage boot
  a5c5734 Introduce --no-grub-install option

-------------------------------------------------------------------
Tue Aug 17 09:29:05 UTC 2021 - Marcus Meissner <meissner@suse.com>

- restore the shim-susesigned installation via buildrequires here.

-------------------------------------------------------------------
Thu Jul 22 06:47:20 UTC 2021 - jlee@suse.com

- Update shim to 15.4-4.7.1 from SLE15-SP3
  + Version: 15.4, "Thu Jul 15 2021"
  + Update the SLE signatures
  + Include the fixes for bsc#1187696, bsc#1185261, bsc#1185441,
    bsc#1187071, bsc#1185621, bsc#1185261, bsc#1185232, bsc#1185261,
    bsc#1187260, bsc#1185232.
- Remove shim-install because the shim-install is updated in SLE
  15.4 RPM.

-------------------------------------------------------------------
Wed May 26 11:50:43 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>

- shim-install: remove the unexpected residual "removable" label
  for Azure (bsc#1185464, bsc#1185961)

-------------------------------------------------------------------
Wed May 19 01:31:02 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>

- shim-install: instead of assuming "removable" for Azure, remove
  fallback.efi from \EFI\Boot and copy grub.efi/cfg to \EFI\Boot
  to make \EFI\Boot bootable and keep the boot option created by
  efibootmgr (bsc#1185464, bsc#1185961)

-------------------------------------------------------------------
Fri May 7 08:46:32 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>

- shim-install: always assume "removable" for Azure to avoid the
  endless reset loop (bsc#1185464)

-------------------------------------------------------------------
Tue Apr 27 08:58:26 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>

- Also package the debuginfo and debugsource
- Drop COPYRIGHT file since it's already in the shim rpm package

-------------------------------------------------------------------
Tue Apr 27 01:33:36 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>

- Update to the unified shim binary from SLE15-SP3 for SBAT support
  (bsc#1182057)
  + Version: 15.4, "Thu Apr 22 03:26:48 UTC 2021"
  + Merged EKU codesign check (bsc#1177315)
- Drop merged patches
  + shim-arch-independent-names.patch
  + shim-change-debug-file-path.patch
  + shim-bsc1092000-fallback-menu.patch
  + shim-always-mirror-mok-variables.patch
  + shim-correct-license-in-headers.patch
  + gcc9-fix-warnings.patch
  + shim-fix-gnu-efi-3.0.11.patch
  + shim-bsc1173411-only-check-efi-var-on-sb.patch
- Drop shim-opensuse-cert-prompt.patch since the openSUSE kernel
  enabled lockdown.

-------------------------------------------------------------------
Fri Oct 16 02:00:45 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>

- Include suse-signed shim (bsc#1177315)
- shim-install: Support changing default shim efi binary in
  /usr/etc/default/shim and /etc/default/shim (bsc#1177315)

-------------------------------------------------------------------
Mon Aug 24 09:12:18 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>

- shim-install: install MokManager to \EFI\boot to process the
  pending MOK request (bsc#1175626, bsc#1175656)

-------------------------------------------------------------------
Thu Aug 6 09:43:19 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>

- Amend the check of %shim_enforce_ms_signature

-------------------------------------------------------------------
Fri Jul 31 08:05:05 UTC 2020 - Johannes Segitz <jsegitz@suse.com>

- Updated SUSE signature

-------------------------------------------------------------------
Wed Jul 22 09:23:02 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>

- Update the path to grub-tpm.efi in shim-install (bsc#1174320)

-------------------------------------------------------------------
Fri Jul 10 07:21:27 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>

- Use vendor-dbx to block old SUSE/openSUSE signkeys (bsc#1168994)
  + Add dbx-cert.tar.xz which contains the certificates to block
    and a script, generate-vendor-dbx.sh, to generate
    vendor-dbx.bin
  + Add vendor-dbx.bin as the vendor dbx to block unwanted keys
- Drop shim-opensuse-signed.efi
  + We don't need it anymore

-------------------------------------------------------------------
Fri Jul 10 06:28:44 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>

- Add shim-bsc1173411-only-check-efi-var-on-sb.patch to only check
  EFI variable copying when Secure Boot is enabled (bsc#1173411)

-------------------------------------------------------------------
Tue Mar 31 08:38:56 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>

- Use the full path of efibootmgr to avoid errors when invoking
  shim-install from packagekitd (bsc#1168104)

-------------------------------------------------------------------
Mon Mar 30 06:20:47 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>

- Use "suse_version" instead of "sle_version" to avoid
  shim_lib64_share_compat being set in Tumbleweed forever.

-------------------------------------------------------------------
Mon Mar 16 09:42:34 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>

- Add shim-fix-gnu-efi-3.0.11.patch to fix the build error caused
  by the upgrade of gnu-efi

-------------------------------------------------------------------
Wed Nov 27 06:23:11 UTC 2019 - Michael Chang <mchang@suse.com>

- shim-install: add check for btrfs is used as root file system to enable
  relative path lookup for file. (bsc#1153953)

-------------------------------------------------------------------
Fri Aug 16 04:07:30 UTC 2019 - Gary Ching-Pang Lin <glin@suse.com>

- Fix a typo in shim-install (bsc#1145802)

-------------------------------------------------------------------
Fri Apr 19 10:32:11 UTC 2019 - Martin Liška <mliska@suse.cz>

- Add gcc9-fix-warnings.patch (bsc#1121268).

-------------------------------------------------------------------
Mon Apr 15 09:24:07 UTC 2019 - Gary Ching-Pang Lin <glin@suse.com>

- Add shim-opensuse-signed.efi, the openSUSE shim-15+git47 binary
  (bsc#1113225)

-------------------------------------------------------------------
Fri Apr 12 08:50:49 UTC 2019 - Gary Ching-Pang Lin <glin@suse.com>

- Disable AArch64 build (FATE#325971)
  + AArch64 machines don't use UEFI CA, at least for now.

-------------------------------------------------------------------
Thu Apr 11 15:52:47 UTC 2019 - jsegitz@suse.com

- Updated shim signature: signature-sles.x86_64.asc (bsc#1120026)

-------------------------------------------------------------------
Thu Feb 14 17:03:00 UTC 2019 - rw@suse.com

- Fix conditions for '/usr/share/efi'-move (FATE#326960)

-------------------------------------------------------------------
Mon Jan 28 03:18:53 UTC 2019 - Gary Ching-Pang Lin <glin@suse.com>

- Amend shim.spec to remove $RPM_BUILD_ROOT

-------------------------------------------------------------------
Thu Jan 17 17:12:14 UTC 2019 - rw@suse.com

- Move 'efi'-executables to '/usr/share/efi' (FATE#326960)
  (preparing the move to 'noarch' for this package)

-------------------------------------------------------------------
Mon Jan 14 09:48:59 UTC 2019 - Gary Ching-Pang Lin <glin@suse.com>

- Update shim-install to handle the partitioned MD devices
  (bsc#1119762, bsc#1119763)

-------------------------------------------------------------------
Thu Dec 20 04:13:00 UTC 2018 - Gary Ching-Pang Lin <glin@suse.com>

- Update to 15+git47 (bsc#1120026, FATE#325971)
  + git commit: b3e4d1f7555aabbf5d54de5ea7cd7e839e7bd83d
- Retire the old openSUSE 4096 bit certificate
  + Those programs are already out of maintenance.
- Add shim-always-mirror-mok-variables.patch to mirror MOK
  variables correctly
- Add shim-correct-license-in-headers.patch to correct the license
  declaration
- Refresh patches:
  + shim-arch-independent-names.patch
  + shim-change-debug-file-path.patch
  + shim-bsc1092000-fallback-menu.patch
  + shim-opensuse-cert-prompt.patch
- Drop upstreamed patches:
  + shim-bsc1088585-handle-mok-allocations-better.patch
  + shim-httpboot-amend-device-path.patch
  + shim-httpboot-include-console.h.patch
  + shim-only-os-name.patch
  + shim-remove-cryptpem.patch

-------------------------------------------------------------------
Wed Dec 5 10:28:00 UTC 2018 - Gary Ching-Pang Lin <glin@suse.com>

- Update shim-install to specify the target for grub2-install and
  change the boot efi file name according to the architecture
  (bsc#1118363, FATE#325971)

-------------------------------------------------------------------
Tue Aug 21 07:36:36 UTC 2018 - glin@suse.com

- Enable AArch64 build (FATE#325971)
  + Also add the aarch64 signature files and rename the x86_64
    signature files

-------------------------------------------------------------------
Tue May 29 06:41:59 UTC 2018 - glin@suse.com

- Add shim-bsc1092000-fallback-menu.patch to show a menu before
  system reset (bsc#1092000)

-------------------------------------------------------------------
Tue Apr 10 03:45:39 UTC 2018 - glin@suse.com

- Add shim-bsc1088585-handle-mok-allocations-better.patch to avoid
  double-freeing after enrolling a key from the disk (bsc#1088585)
  + Also refresh shim-opensuse-cert-prompt.patch due to the change
    in MokManager.c

-------------------------------------------------------------------
Tue Apr 3 08:37:55 UTC 2018 - glin@suse.com

- Install the certificates with a shim suffix to avoid conflicting
  with other packages (bsc#1087847)

-------------------------------------------------------------------
Fri Mar 23 04:47:35 UTC 2018 - glin@suse.com

- Add the missing leading backslash to the DEFAULT_LOADER
  (bsc#1086589)

-------------------------------------------------------------------
Fri Jan 5 08:41:42 UTC 2018 - glin@suse.com

- Add shim-httpboot-amend-device-path.patch to amend the device
  path matching rule for httpboot (bsc#1065370)

-------------------------------------------------------------------
Thu Jan 4 08:17:44 UTC 2018 - glin@suse.com

- Update to 14 (bsc#1054712)
- Adjust make commands in spec
- Drop upstreamed fixes
  + shim-add-fallback-verbose-print.patch
  + shim-back-to-openssl-1.0.2e.patch
  + shim-fallback-workaround-masked-ami-variables.patch
  + shim-fix-fallback-double-free.patch
  + shim-fix-httpboot-crash.patch
  + shim-fix-openssl-flags.patch
  + shim-more-tpm-measurement.patch
- Add shim-httpboot-include-console.h.patch to include console.h
  in httpboot.c to avoid build failure
- Add shim-remove-cryptpem.patch to replace functions in CryptPem.c
  with the null function
- Update SUSE/openSUSE specific patches
  + shim-only-os-name.patch
  + shim-arch-independent-names.patch
  + shim-change-debug-file-path.patch
  + shim-opensuse-cert-prompt.patch

-------------------------------------------------------------------
Fri Dec 29 18:41:12 UTC 2017 - ngompa13@gmail.com

- Fix debuginfo + debugsource subpackage generation for RPM 4.14
- Set the RPM groups correctly for debug{info,source} subpackages
- Drop deprecated and out of date Authors information in description

-------------------------------------------------------------------
Wed Sep 13 04:13:21 UTC 2017 - glin@suse.com

- Add shim-back-to-openssl-1.0.2e.patch to avoid rejecting some
  legit certificates (bsc#1054712)
- Add the stderr mask back while compiling MokManager.efi since the
  warnings in Cryptlib are back after reverting the openssl commits.

-------------------------------------------------------------------
Tue Aug 29 08:44:25 UTC 2017 - glin@suse.com

- Add shim-add-fallback-verbose-print.patch to print the debug
  messages in fallback.efi dynamically
- Refresh shim-fallback-workaround-masked-ami-variables.patch
- Add shim-more-tpm-measurement.patch to measure more components
  and support TPM better

-------------------------------------------------------------------
Wed Aug 23 10:28:44 UTC 2017 - glin@suse.com

- Add upstream fixes
  + shim-fix-httpboot-crash.patch
  + shim-fix-openssl-flags.patch
  + shim-fix-fallback-double-free.patch
  + shim-fallback-workaround-masked-ami-variables.patch
- Remove the stderr mask while compiling MokManager.efi since the
  warnings in Cryptlib were fixed.

-------------------------------------------------------------------
Tue Aug 22 04:51:08 UTC 2017 - glin@suse.com

- Add shim-arch-independent-names.patch to use the Arch-independent
  names. (bsc#1054712)
- Refresh shim-change-debug-file-path.patch
- Disable shim-opensuse-cert-prompt.patch automatically in SLE
- Disable AArch64 until we have a real user and aarch64 signature

-------------------------------------------------------------------
Fri Jul 14 16:40:52 UTC 2017 - bwiedemann@suse.com

- Make build reproducible by avoiding race between find and cp

-------------------------------------------------------------------
Thu Jun 22 03:26:00 UTC 2017 - glin@suse.com

- Update to 12
- Rename the result EFI images due to the upstream name change
  + shimx64 -> shim
  + mmx64 -> MokManager
  + fbx64 -> fallback
- Refresh patches:
  + shim-only-os-name.patch
  + shim-change-debug-file-path.patch
  + shim-opensuse-cert-prompt.patch
- Drop upstreamed patches:
  + shim-httpboot-support.patch
  + shim-bsc973496-mokmanager-no-append-write.patch
  + shim-bsc991885-fix-sig-length.patch
  + shim-update-openssl-1.0.2g.patch
  + shim-update-openssl-1.0.2h.patch

-------------------------------------------------------------------
Tue May 23 03:44:48 UTC 2017 - glin@suse.com

- Add the build flag to enable HTTPBoot

-------------------------------------------------------------------
Wed Mar 22 10:54:41 UTC 2017 - mchang@suse.com

- shim-install: add option --suse-enable-tpm (fate#315831)

-------------------------------------------------------------------
Fri Jan 13 09:21:49 UTC 2017 - mchang@suse.com

- Support %posttrans with macros provided by update-bootloader-rpm-macros
  package (bsc#997317)

-------------------------------------------------------------------
Fri Nov 18 09:23:01 UTC 2016 - glin@suse.com

- Add SIGNATURE_UPDATE.txt to state the steps to update
  signature-*.asc
- Update the comment of strip_signature.sh

-------------------------------------------------------------------
Wed Sep 21 09:55:40 UTC 2016 - mchang@suse.com

- shim-install :
  * add option --no-nvram (bsc#999818)
  * improve removable media and fallback mode handling

-------------------------------------------------------------------
Fri Aug 19 06:46:59 UTC 2016 - mchang@suse.com

- shim-install : fix regression of password prompt (bsc#993764)

-------------------------------------------------------------------
Fri Aug 5 02:53:54 UTC 2016 - glin@suse.com

- Add shim-bsc991885-fix-sig-length.patch to fix the signature
  length passed to Authenticode (bsc#991885)

-------------------------------------------------------------------
Wed Aug 3 09:10:25 UTC 2016 - glin@suse.com

- Update shim-bsc973496-mokmanager-no-append-write.patch to try
  append write first

-------------------------------------------------------------------
Tue Aug 2 02:59:46 UTC 2016 - glin@suse.com

- Add shim-update-openssl-1.0.2h.patch to update openssl to 1.0.2h
- Bump the requirement of gnu-efi due to the HTTPBoot support

-------------------------------------------------------------------
Mon Aug 1 09:01:59 UTC 2016 - glin@suse.com

- Add shim-httpboot-support.patch to support HTTPBoot
- Add shim-update-openssl-1.0.2g.patch to update openssl to 1.0.2g
  and Cryptlib to 5e2318dd37a51948aaf845c7d920b11f47cdcfe6
- Drop patches since they are merged into
  shim-update-openssl-1.0.2g.patch
  + shim-update-openssl-1.0.2d.patch
  + shim-gcc5.patch
  + shim-bsc950569-fix-cryptlib-va-functions.patch
  + shim-fix-aarch64.patch
- Refresh shim-change-debug-file-path.patch
- Add shim-bsc973496-mokmanager-no-append-write.patch to work
  around the firmware that doesn't support APPEND_WRITE (bsc973496)
- shim-install : remove '\n' from the help message (bsc#991188)
- shim-install : print a message if there is no valid EFI partition
  (bsc#991187)

-------------------------------------------------------------------
Mon May 9 11:20:56 UTC 2016 - rw@suse.com

- shim-install : support simple MD RAID1 target devices (FATE#314829)

-------------------------------------------------------------------
Wed May 4 10:40:52 UTC 2016 - agraf@suse.com

- Add shim-fix-aarch64.patch to fix compilation on AArch64 (bsc#978438)

-------------------------------------------------------------------
Wed Mar 9 07:15:52 UTC 2016 - mchang@suse.com

- shim-install : fix typing ESC can escape to parent config which is
  in command mode and cannot return back (bsc#966701)
- shim-install : fix no which command for JeOS (bsc#968264)

-------------------------------------------------------------------
Thu Dec 3 10:26:14 UTC 2015 - jsegitz@novell.com

- acquired updated signature from Microsoft

-------------------------------------------------------------------
Mon Nov 9 08:22:43 UTC 2015 - glin@suse.com

- Add shim-bsc950569-fix-cryptlib-va-functions.patch to fix the
  definition of va functions to avoid the potential crash
  (bsc#950569)
- Update shim-opensuse-cert-prompt.patch to avoid setting NULL to
  MokListRT (bsc#950801)
- Drop shim-fix-mokmanager-sections.patch as we are using the
  newer binutils now
- Refresh shim-change-debug-file-path.patch

-------------------------------------------------------------------
Thu Oct 8 06:49:43 UTC 2015 - jsegitz@novell.com

- acquired updated signature from Microsoft

-------------------------------------------------------------------
Tue Sep 15 05:03:10 UTC 2015 - mchang@suse.com

- shim-install : set default GRUB_DISTRIBUTOR from /etc/os-release
  if it is empty or not set by user (bsc#942519)

-------------------------------------------------------------------
Thu Jul 16 06:49:01 UTC 2015 - glin@suse.com

- Add shim-update-openssl-1.0.2d.patch to update openssl to 1.0.2d
- Refresh shim-gcc5.patch and add it back since we really need it
- Add shim-change-debug-file-path.patch to change the debug file
  path in shim.efi
  + also add the debuginfo and debugsource subpackages
- Drop shim-fix-gnu-efi-30w.patch which is not necessary anymore

-------------------------------------------------------------------
Mon Jul 6 09:06:02 UTC 2015 - glin@suse.com

- Update to 0.9
- Refresh patches
  + shim-fix-gnu-efi-30w.patch
  + shim-fix-mokmanager-sections.patch
  + shim-opensuse-cert-prompt.patch
- Drop upstreamed patches
  + shim-bsc920515-fix-fallback-buffer-length.patch
  + shim-mokx-support.patch
  + shim-update-cryptlib.patch
- Drop shim-bsc919675-uninstall-shim-protocols.patch since
  upstream fixed the bug in another way.
- Drop shim-gcc5.patch which was fixed in another way

-------------------------------------------------------------------
Wed Apr 8 07:10:39 UTC 2015 - glin@suse.com

- Fix tags in the spec file

-------------------------------------------------------------------
Tue Apr 7 07:42:06 UTC 2015 - glin@suse.com

- Add shim-update-cryptlib.patch to update Cryptlib to r16559 and
  openssl to 0.9.8zf
- Add shim-bsc919675-uninstall-shim-protocols.patch to uninstall
  the shim protocols at Exit (bsc#919675)
- Add shim-bsc920515-fix-fallback-buffer-length.patch to adjust
  the buffer size for the boot options (bsc#920515)
- Refresh shim-opensuse-cert-prompt.patch

-------------------------------------------------------------------
Thu Apr 2 16:31:28 UTC 2015 - crrodriguez@opensuse.org

- shim-gcc5.patch: shim needs -std=gnu89 to build with GCC5

-------------------------------------------------------------------
Tue Feb 17 06:02:34 UTC 2015 - mchang@suse.com

- shim-install : fix cryptodisk installation (boo#917427)

-------------------------------------------------------------------
Tue Nov 11 04:26:00 UTC 2014 - glin@suse.com

- Add shim-fix-mokmanager-sections.patch to fix the objcopy
  parameters for the EFI files

-------------------------------------------------------------------
Tue Oct 28 04:00:51 UTC 2014 - glin@suse.com

- Update to 0.8
- Add shim-fix-gnu-efi-30w.patch to adapt the change in
  gnu-efi-3.0w
- Merge shim-signed-unsigned-compares.patch,
  shim-mokmanager-support-sha-family.patch and
  shim-bnc863205-mokmanager-fix-hash-delete.patch into
  shim-mokx-support.patch
- Refresh shim-opensuse-cert-prompt.patch
- Drop upstreamed patches: shim-update-openssl-0.9.8zb.patch,
  bug-889332_shim-overflow.patch, and bug-889332_shim-mok-oob.patch
- Enable aarch64

-------------------------------------------------------------------
Mon Oct 13 13:09:14 UTC 2014 - jsegitz@novell.com

- Fixed buffer overflow and OOB access in shim trusted code path
  (bnc#889332, CVE-2014-3675, CVE-2014-3676, CVE-2014-3677)
  * added bug-889332_shim-mok-oob.patch, bug-889332_shim-overflow.patch
- Added new certificate by Microsoft

-------------------------------------------------------------------
Wed Sep 3 12:32:25 UTC 2014 - lnussel@suse.de

- re-introduce build failure if shim_enforce_ms_signature is defined. That way
  a project like openSUSE:Factory can decide whether or not shim needs a valid
  MS signature.

-------------------------------------------------------------------
Tue Aug 19 04:38:36 UTC 2014 - glin@suse.com

- Add shim-update-openssl-0.9.8zb.patch to update openssl to
  0.9.8zb

-------------------------------------------------------------------
Tue Aug 12 14:19:36 UTC 2014 - jsegitz@suse.com

- updated shim to new version (OpenSSL 0.9.8za) and requested a new
  certificate from Microsoft. Removed
  * shim-allow-fallback-use-system-loadimage.patch
  * shim-bnc872503-check-key-encoding.patch
  * shim-bnc877003-fetch-from-the-same-device.patch
  * shim-correct-user_insecure-usage.patch
  * shim-fallback-avoid-duplicate-bootorder.patch
  * shim-fallback-improve-entries-creation.patch
  * shim-fix-dhcpv4-path-generation.patch
  * shim-fix-uninitialized-variable.patch
  * shim-fix-verify-mok.patch
  * shim-get-variable-check.patch
  * shim-improve-error-messages.patch
  * shim-mokmanager-delete-bs-var-right.patch
  * shim-mokmanager-handle-keystroke-error.patch
  * shim-remove-unused-variables.patch
  since they're included in upstream and rebased the remaining ones.
  Added shim-signed-unsigned-compares.patch to fix some compiler
  warnings

-------------------------------------------------------------------
Tue Aug 12 09:18:42 UTC 2014 - glin@suse.com

- Keep shim-devel.efi for the devel project

-------------------------------------------------------------------
Fri Aug 8 11:18:36 UTC 2014 - lnussel@suse.de

- don't fail the build if the UEFI signing service signature can't
  be attached anymore. This way shim can still pass through staging
  projects. We will verify the correct signature for release builds
  using openQA instead.

-------------------------------------------------------------------
Mon Aug 4 07:53:22 UTC 2014 - mchang@suse.com

- shim-install: fix GRUB shows broken letters at boot by calling
  grub2-install to initialize /boot/grub2 directory with files
  needed by grub.cfg (bnc#889765)

-------------------------------------------------------------------
Wed May 28 04:13:33 UTC 2014 - glin@suse.com

- Add shim-remove-unused-variables.patch to remove the unused
  variables
- Add shim-bnc872503-check-key-encoding.patch to check the encoding
  of the keys (bnc#872503)
- Add shim-bnc877003-fetch-from-the-same-device.patch to fetch the
  netboot image from the same device (bnc#877003)
- Refresh shim-opensuse-cert-prompt.patch

-------------------------------------------------------------------
Wed May 14 09:39:02 UTC 2014 - glin@suse.com

- Use --reinit instead of --refresh in %post to update the files
  in /boot

-------------------------------------------------------------------
Tue Apr 29 07:38:11 UTC 2014 - mchang@suse.com

- shim-install: fix boot partition and rollback support kluge
  (bnc#875385)

-------------------------------------------------------------------
Thu Apr 10 08:20:20 UTC 2014 - glin@suse.com

- Replace shim-mokmanager-support-sha1.patch with
  shim-mokmanager-support-sha-family.patch to support the SHA
  family

-------------------------------------------------------------------
Mon Apr 7 09:32:21 UTC 2014 - glin@suse.com

- Add shim-mokmanager-support-sha1.patch to support SHA1 hashes in
  MOK

-------------------------------------------------------------------
Mon Mar 31 11:57:13 UTC 2014 - mchang@suse.com

- snapper rollback support (fate#317062)
- refresh shim-install

-------------------------------------------------------------------
Thu Mar 13 02:32:15 UTC 2014 - glin@suse.com

- Insert the right signature (bnc#867974)

-------------------------------------------------------------------
Mon Mar 10 07:56:44 UTC 2014 - glin@suse.com

- Add shim-fix-uninitialized-variable.patch to fix the use of
  uninitialized variables in lib

-------------------------------------------------------------------
Fri Mar 7 09:09:12 UTC 2014 - glin@suse.com

- Add shim-mokmanager-delete-bs-var-right.patch to delete the BS+NV
  variables the right way
- Update shim-opensuse-cert-prompt.patch to delete openSUSE_Verify
  correctly

-------------------------------------------------------------------
Thu Mar 6 07:37:57 UTC 2014 - glin@suse.com

- Add shim-fallback-avoid-duplicate-bootorder.patch to fix the
  duplicate entries in BootOrder
- Add shim-allow-fallback-use-system-loadimage.patch to handle the
  shim protocol properly to keep only one protocol entity
- Refresh shim-opensuse-cert-prompt.patch

-------------------------------------------------------------------
Thu Mar 6 03:53:49 UTC 2014 - mchang@suse.com

- shim-install: fix the $prefix to use grub2-mkrelpath for paths
  on btrfs subvolume (bnc#866690).

-------------------------------------------------------------------
Tue Mar 4 04:19:05 UTC 2014 - glin@suse.com

- FATE#315002: Update shim-install to install shim.efi as the EFI
  default bootloader when none exists in \EFI\boot.

-------------------------------------------------------------------
Thu Feb 27 09:46:49 UTC 2014 - fcrozat@suse.com

- Update signature-sles.asc: shim signed by UEFI signing service,
  based on code from "Thu Feb 20 11:57:01 UTC 2014"

-------------------------------------------------------------------
Fri Feb 21 08:45:46 UTC 2014 - glin@suse.com

- Add shim-opensuse-cert-prompt.patch to show the prompt to ask
  whether the user trusts the openSUSE certificate or not

-------------------------------------------------------------------
Thu Feb 20 11:57:01 UTC 2014 - lnussel@suse.de

- allow package to carry multiple signatures
- check correct certificate is embedded

-------------------------------------------------------------------
Thu Feb 20 10:06:47 UTC 2014 - lnussel@suse.de

- always clean up generated files that embed certificates
  (shim_cert.h shim.cer shim.crt) to make sure next build loop
  rebuilds them properly

-------------------------------------------------------------------
Mon Feb 17 09:58:56 UTC 2014 - glin@suse.com

- Add shim-bnc863205-mokmanager-fix-hash-delete.patch to fix the
  hash deletion operation to avoid ruining the whole list
  (bnc#863205)

-------------------------------------------------------------------
Tue Feb 11 06:30:02 UTC 2014 - glin@suse.com

- Update shim-mokx-support.patch to support the resetting of MOK
  blacklist
- Add shim-get-variable-check.patch to fix the variable checking
  in get_variable_attr
- Add shim-fallback-improve-entries-creation.patch to improve the
  boot entry paths and avoid generating the boot entries that
  are already there
- Update SUSE certificate
- Update attach_signature.sh, show_hash.sh, strip_signature.sh,
  extract_signature.sh and show_signatures.sh to remove the
  creation of the temporary nss database
- Add shim-only-os-name.patch: remove the kernel version of the
  build server
- Match the prefix of the project name properly by escaping the
  percent sign.

-------------------------------------------------------------------
Wed Jan 22 13:45:44 UTC 2014 - lnussel@suse.de

- enable signature assertion also in SUSE: hierarchy

-------------------------------------------------------------------
Fri Dec 6 06:44:43 UTC 2013 - glin@suse.com

- Add shim-mokmanager-handle-keystroke-error.patch to handle the
  error status from ReadKeyStroke to avoid unexpected keys

-------------------------------------------------------------------
Thu Dec 5 02:05:13 UTC 2013 - glin@suse.com

- Update to 0.7
- Add upstream patches:
  + shim-fix-verify-mok.patch
  + shim-improve-error-messages.patch
  + shim-correct-user_insecure-usage.patch
  + shim-fix-dhcpv4-path-generation.patch
- Add shim-mokx-support.patch to support the MOK blacklist
  (Fate#316531)
- Drop upstreamed patches
  + shim-fix-pointer-casting.patch
  + shim-merge-lf-loader-code.patch
  + shim-fix-simple-file-selector.patch
  + shim-mokmanager-support-crypt-hash-method.patch
  + shim-bnc804631-fix-broken-bootpath.patch
  + shim-bnc798043-no-doulbe-separators.patch
  + shim-bnc807760-change-pxe-2nd-loader-name.patch
  + shim-bnc808106-correct-certcount.patch
  + shim-mokmanager-ui-revamp.patch
  + shim-netboot-fixes.patch
  + shim-mokmanager-disable-gfx-console.patch
- Drop shim-suse-build.patch: it's not necessary anymore
- Drop shim-bnc841426-silence-shim-protocols.patch: shim is not
  verbose by default

-------------------------------------------------------------------
Thu Oct 31 09:11:18 UTC 2013 - fcrozat@suse.com

- Update microsoft.asc: shim signed by UEFI signing service, based
  on code from "Tue Oct 1 04:29:29 UTC 2013".

-------------------------------------------------------------------
Tue Oct 1 04:29:29 UTC 2013 - glin@suse.com

- Add shim-netboot-fixes.patch to include upstream netboot fixes
- Add shim-mokmanager-disable-gfx-console.patch to disable the
  graphics console to avoid system hang on some machines
- Add shim-bnc841426-silence-shim-protocols.patch to silence the
  shim protocols (bnc#841426)

-------------------------------------------------------------------
Wed Sep 25 07:17:54 UTC 2013 - glin@suse.com

- Create boot.csv in ESP for fallback.efi to restore the boot entry

-------------------------------------------------------------------
Tue Sep 17 10:53:50 CEST 2013 - fcrozat@suse.com

- Update microsoft.asc: shim signed by UEFI signing service, based
  on code from "Fri Sep 6 13:57:36 UTC 2013".
- Improve extract_signature.sh to work on current path.

-------------------------------------------------------------------
Fri Sep 6 13:57:36 UTC 2013 - lnussel@suse.de

- set timestamp of PE file to time of the binary the signature was
  made for.
- make sure cert.o gets rebuilt for each target

-------------------------------------------------------------------
Fri Sep 6 11:48:14 CEST 2013 - fcrozat@suse.com

- Update microsoft.asc: shim signed by UEFI signing service, based
  on code from "Wed Aug 28 15:54:38 UTC 2013"

-------------------------------------------------------------------
Wed Aug 28 15:54:38 UTC 2013 - lnussel@suse.de

- always build a shim that embeds the distro's certificate (e.g.
  shim-opensuse.efi). If the package is built in the devel project
  additionally shim-devel.efi is created. That allows us to either
  load grub2/kernel signed by the distro or signed by the devel
  project, depending on use case. Also shim-$distro.efi from the
  devel project can be used to request additional signatures.

-------------------------------------------------------------------
Wed Aug 28 07:16:51 UTC 2013 - lnussel@suse.de

- also include old openSUSE 4096 bit certificate to be able to still
  boot kernels signed with that key.
- add show_signatures script

-------------------------------------------------------------------
Tue Aug 27 06:41:03 UTC 2013 - lnussel@suse.de

- replace the 4096 bit openSUSE UEFI CA certificate with a new
  standard compliant 2048 bit one.

-------------------------------------------------------------------
Tue Aug 20 11:48:25 UTC 2013 - lnussel@suse.de

- fix shell syntax error

-------------------------------------------------------------------
Wed Aug 7 15:51:36 UTC 2013 - lnussel@suse.de

- don't include binary in the sources. Instead package the raw
  signature and attach it during build (bnc#813448).

-------------------------------------------------------------------
Tue Jul 30 07:36:28 UTC 2013 - glin@suse.com

- Update shim-mokmanager-ui-revamp.patch to include fixes for
  MokManager
  + reboot the system after clearing MOK password
  + fetch more info from X509 name
  + check the suffix of the key file

-------------------------------------------------------------------
Tue Jul 23 03:55:05 UTC 2013 - glin@suse.com

- Update to 0.4
- Rebase patches
  + shim-suse-build.patch
  + shim-mokmanager-support-crypt-hash-method.patch
  + shim-bnc804631-fix-broken-bootpath.patch
  + shim-bnc798043-no-doulbe-separators.patch
  + shim-bnc807760-change-pxe-2nd-loader-name.patch
  + shim-bnc808106-correct-certcount.patch
  + shim-mokmanager-ui-revamp.patch
- Add patches
  + shim-merge-lf-loader-code.patch: merge the Linux Foundation
    loader UI code
  + shim-fix-pointer-casting.patch: fix a casting issue and the
    size of an empty vendor cert
  + shim-fix-simple-file-selector.patch: fix the buffer allocation
    in the simple file selector
- Remove upstreamed patches
  + shim-support-mok-delete.patch
  + shim-reboot-after-changes.patch
  + shim-clear-queued-key.patch
  + shim-local-key-sign-mokmanager.patch
  + shim-get-2nd-stage-loader.patch
  + shim-fix-loadoptions.patch
- Remove unused patch: shim-mokmanager-new-pw-hash.patch and
  shim-keep-unsigned-mokmanager.patch
- Install the vendor certificate to /etc/uefi/certs

-------------------------------------------------------------------
Wed May 8 06:40:12 UTC 2013 - glin@suse.com

- Add shim-mokmanager-ui-revamp.patch to update the MokManager UI

-------------------------------------------------------------------
Wed Apr 3 03:54:22 UTC 2013 - glin@suse.com

- Call update-bootloader in %post to update *.efi in \efi\opensuse
  (bnc#813079)

-------------------------------------------------------------------
Fri Mar 8 06:53:47 UTC 2013 - glin@suse.com

- Add shim-bnc807760-change-pxe-2nd-loader-name.patch to change the
  PXE 2nd stage loader name (bnc#807760)
- Add shim-bnc808106-correct-certcount.patch to correct the
  certificate count of the signature list (bnc#808106)

-------------------------------------------------------------------
Fri Mar 1 10:07:55 UTC 2013 - glin@suse.com

- Add shim-bnc798043-no-doulbe-separators.patch to remove double
  separators from the bootpath (bnc#798043#c4)

-------------------------------------------------------------------
Thu Feb 28 08:57:48 UTC 2013 - lnussel@suse.de

- sign shim also with openSUSE certificate

-------------------------------------------------------------------
Wed Feb 27 15:52:53 CET 2013 - mls@suse.de

- identify project, export certificate as DER file
- don't create an unused extra keypair

-------------------------------------------------------------------
Thu Feb 21 10:08:12 UTC 2013 - glin@suse.com

- Add shim-bnc804631-fix-broken-bootpath.patch to fix the broken
  bootpath generated in generate_path(). (bnc#804631)

-------------------------------------------------------------------
Mon Feb 11 12:15:25 UTC 2013 - fcrozat@suse.com

- Update with shim signed by UEFI signing service, based on code
  from "Thu Feb 7 06:56:19 UTC 2013".

-------------------------------------------------------------------
Thu Feb 7 13:54:06 UTC 2013 - lnussel@suse.de

- prepare for having a signed shim from the UEFI signing service

-------------------------------------------------------------------
Thu Feb 7 06:56:19 UTC 2013 - glin@suse.com

- Sign shim-opensuse.efi and MokManager.efi with the openSUSE cert
- Add shim-keep-unsigned-mokmanager.patch to keep the unsigned
  MokManager and sign it later.

-------------------------------------------------------------------
Wed Feb 6 06:35:45 UTC 2013 - mchang@suse.com

- Add shim-install utility
- Add Recommends to grub2-efi

-------------------------------------------------------------------
Wed Jan 30 09:00:31 UTC 2013 - glin@suse.com

- Add shim-mokmanager-support-crypt-hash-method.patch to support
  password hash from /etc/shadow (FATE#314506)

-------------------------------------------------------------------
Tue Jan 29 03:20:48 UTC 2013 - glin@suse.com

- Embed openSUSE-UEFI-CA-Certificate.crt in shim
- Rename shim-unsigned.efi to shim-opensuse.efi.

-------------------------------------------------------------------
Fri Jan 18 10:06:13 UTC 2013 - glin@suse.com

- Update shim-mokmanager-new-pw-hash.patch to extend the password
  hash format
- Rename shim.efi as shim-unsigned.efi

-------------------------------------------------------------------
Wed Jan 16 08:01:55 UTC 2013 - glin@suse.com

- Merge patches for FATE#314506
  + Add shim-support-mok-delete.patch to add support for deleting
    specific keys
  + Add shim-mokmanager-new-pw-hash.patch to support the new
    password hash.
- Drop shim-correct-mok-size.patch which is included in
  shim-support-mok-delete.patch
- Merge shim-remove-debug-code.patch and
  shim-local-sign-mokmanager.patch into
  shim-local-key-sign-mokmanager.patch
- Install COPYRIGHT

-------------------------------------------------------------------
Tue Jan 15 03:17:53 UTC 2013 - glin@suse.com

- Add shim-fix-loadoptions.patch to adopt the UEFI shell style
  LoadOptions (bnc#798043)
- Drop shim-check-pk-kek.patch since upstream rejected the patch
  due to violation of SPEC.
- Install EFI binaries to /usr/lib64/efi

-------------------------------------------------------------------
Wed Dec 26 07:05:02 UTC 2012 - glin@suse.com

- Update shim-reboot-after-changes.patch to avoid rebooting the
  system after enrolling keys/hashes from the file system
- Add shim-correct-mok-size.patch to correct the size of MOK
- Add shim-clear-queued-key.patch to clear the queued key and show
  the menu properly

-------------------------------------------------------------------
Wed Dec 12 15:16:18 UTC 2012 - fcrozat@suse.com

- Remove shim-rpmlintrc, it wasn't fixing the error, hide error
  stdout to prevent post build check to get triggered by cast
  warnings in openSSL code
- Add shim-remove-debug-code.patch: remove debug code

-------------------------------------------------------------------
Wed Dec 12 04:01:52 UTC 2012 - glin@suse.com

- Add shim-rpmlintrc to filter 64bit portability errors

-------------------------------------------------------------------
Tue Dec 11 07:36:32 UTC 2012 - glin@suse.com

- Add shim-local-sign-mokmanager.patch to create a local certificate
  to sign MokManager
- Add shim-get-2nd-stage-loader.patch to get the second stage
  loader path from the load options
- Add shim-check-pk-kek.patch to verify EFI images with PK and KEK
- Add shim-reboot-after-changes.patch to reboot the system after
  enrolling or erasing keys
- Install the EFI images to /usr/lib64/shim instead of the EFI
  partition
- Update the mail address of the author

-------------------------------------------------------------------
Fri Nov 2 08:19:37 UTC 2012 - glin@suse.com

- Add new package shim 0.2 (FATE#314484)
  + It's in fact git 2fd180a92 since there is no tag for 0.2