Commit Graph

62 Commits

Author SHA256 Message Date
Stephan Kulow
0876ada789 Accepting request 255752 from home:jsegitz:branches:devel:openSUSE:Factory
- Fixed buffer overflow and OOB access in shim trusted code path
  (bnc#889332, CVE-2014-3675, CVE-2014-3676, CVE-2014-3677)
  * added bug-889332_shim-mok-oob.patch, bug-889332_shim-overflow.patch
- Added new certificate by Microsoft

OBS-URL: https://build.opensuse.org/request/show/255752
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=88
2014-10-13 13:58:14 +00:00
Stephan Kulow
2176e5a32f Accepting request 247405 from home:lnussel:branches:devel:openSUSE:Factory
- re-introduce build failure if shim_enforce_ms_signature is defined. That way
  a project like openSUSE:Factory can decide whether or not shim needs a valid
  MS signature.

OBS-URL: https://build.opensuse.org/request/show/247405
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=86
2014-09-03 13:40:07 +00:00
Gary Ching-Pang Lin
1f6a3cacb1 Accepting request 245146 from home:gary_lin:branches:devel:openSUSE:Factory
- update openssl to 0.9.8zb

OBS-URL: https://build.opensuse.org/request/show/245146
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=83
2014-08-19 06:06:07 +00:00
Gary Ching-Pang Lin
b8cbae7e99 Accepting request 244530 from home:jsegitz:UEFI:openSUSE:Factory
- updated shim to new version (OpenSSL 0.9.8za) and requested a new
  certificate from Microsoft. Removed
  * shim-allow-fallback-use-system-loadimage.patch
  * shim-bnc872503-check-key-encoding.patch
  * shim-bnc877003-fetch-from-the-same-device.patch
  * shim-correct-user_insecure-usage.patch
  * shim-fallback-avoid-duplicate-bootorder.patch
  * shim-fallback-improve-entries-creation.patch
  * shim-fix-dhcpv4-path-generation.patch
  * shim-fix-uninitialized-variable.patch
  * shim-fix-verify-mok.patch
  * shim-get-variable-check.patch
  * shim-improve-error-messages.patch
  * shim-mokmanager-delete-bs-var-right.patch
  * shim-mokmanager-handle-keystroke-error.patch
  * shim-remove-unused-variables.patch
  since they're included in upstream and rebased the remaining ones.
  Added shim-signed-unsigned-compares.patch to fix some compiler
  warnings

OBS-URL: https://build.opensuse.org/request/show/244530
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=81
2014-08-13 10:07:21 +00:00
Gary Ching-Pang Lin
23e59eef11 Accepting request 244297 from home:gary_lin:branches:devel:openSUSE:Factory
Keep shim-devel.efi for the devel project

OBS-URL: https://build.opensuse.org/request/show/244297
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=80
2014-08-12 09:40:50 +00:00
Stephan Kulow
08b33c6edf Accepting request 243992 from home:lnussel:branches:devel:openSUSE:Factory
fix typo in changes file that prevents the Factory submission

OBS-URL: https://build.opensuse.org/request/show/243992
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=79
2014-08-08 15:48:02 +00:00
Stephan Kulow
3bd935ea7f Accepting request 243951 from home:lnussel:branches:devel:openSUSE:Factory
- don't fail the build if the UEFI signing service signature can't
  be attached anymore. This way shim can still pass through staging
  projects. We will verify the correct signature for release builds
  using openQA instead.

OBS-URL: https://build.opensuse.org/request/show/243951
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=78
2014-08-08 13:19:04 +00:00
Gary Ching-Pang Lin
12d0642c1a Accepting request 243573 from home:michael-chang:branches:devel:openSUSE:Factory
- shim-install: fix GRUB shows broken letters at boot by calling
  grub2-install to initialize /boot/grub2 directory with files 
  needed by grub.cfg (bnc#889765)

OBS-URL: https://build.opensuse.org/request/show/243573
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=77
2014-08-04 09:46:50 +00:00
Gary Ching-Pang Lin
d6b79f1fb6 Accepting request 236110 from home:gary_lin:branches:devel:openSUSE:Factory
- remove the unused variables
- check the encoding of the keys (bnc#872503)
- fetch the netboot image from the same device (bnc#877003)
- Refresh shim-opensuse-cert-prompt.patch

OBS-URL: https://build.opensuse.org/request/show/236110
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=76
2014-06-03 02:49:47 +00:00
Gary Ching-Pang Lin
e0970dfd6a Accepting request 233853 from home:gary_lin:branches:devel:openSUSE:Factory
Use --reinit instead of --refresh in %post to update the files in /boot

OBS-URL: https://build.opensuse.org/request/show/233853
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=75
2014-05-14 10:01:52 +00:00
Gary Ching-Pang Lin
2562b2ffce Accepting request 231974 from home:michael-chang:branches:devel:openSUSE:Factory
- shim-install: fix boot partition and rollback support kluge
  (bnc#875385)

OBS-URL: https://build.opensuse.org/request/show/231974
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=74
2014-04-29 07:55:23 +00:00
Stephan Kulow
fa8f2b475d osc copypac from project:devel:openSUSE:Factory package:shim revision:71
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=73
2014-04-29 07:15:01 +00:00
OBS User buildservice-autocommit
b518987796 Updating link to change in openSUSE:Factory/shim revision 31.0
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=7a81e86df566f93dbe199635b458d416
2014-04-21 09:05:08 +00:00
Gary Ching-Pang Lin
e876d9efc6 Accepting request 229569 from home:gary_lin:branches:devel:openSUSE:Factory
Replace shim-mokmanager-support-sha1.patch with shim-mokmanager-support-sha-family.patch to support the SHA family

OBS-URL: https://build.opensuse.org/request/show/229569
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=71
2014-04-10 08:31:41 +00:00
Gary Ching-Pang Lin
e0fd4dbc38 Accepting request 229264 from home:gary_lin:branches:devel:openSUSE:Factory
Support SHA1 hashes in MOK

OBS-URL: https://build.opensuse.org/request/show/229264
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=70
2014-04-07 10:06:19 +00:00
Gary Ching-Pang Lin
062d82ccf6 Accepting request 228324 from home:michael-chang:branches:devel:openSUSE:Factory
- snapper rollback support (fate#317062)
  - refresh shim-install

OBS-URL: https://build.opensuse.org/request/show/228324
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=69
2014-03-31 13:30:21 +00:00
Gary Ching-Pang Lin
58137361ad Accepting request 225772 from home:gary_lin:branches:devel:openSUSE:Factory
Insert the right signature (bnc#867974)

OBS-URL: https://build.opensuse.org/request/show/225772
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=68
2014-03-13 03:25:28 +00:00
Gary Ching-Pang Lin
99fdefd1f8 Accepting request 225406 from home:gary_lin:branches:devel:openSUSE:Factory
Add shim-fix-uninitialized-variable.patch to fix the use of uninitialized variables in lib

OBS-URL: https://build.opensuse.org/request/show/225406
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=67
2014-03-10 09:28:44 +00:00
Gary Ching-Pang Lin
cb72e488f1 Accepting request 224988 from home:gary_lin:branches:devel:openSUSE:Factory
- Add shim-mokmanager-delete-bs-var-right.patch to delete the BS+NV
  variables the right way
- Update shim-opensuse-cert-prompt.patch to delete openSUSE_Verify
  correctly

OBS-URL: https://build.opensuse.org/request/show/224988
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=66
2014-03-07 09:40:50 +00:00
Gary Ching-Pang Lin
2d5468ae12 Accepting request 224833 from home:gary_lin:branches:devel:openSUSE:Factory
- Add shim-fallback-avoid-duplicate-bootorder.patch to fix the
  duplicate entries in BootOrder
- Add shim-allow-fallback-use-system-loadimage.patch to handle the
  shim protocol properly to keep only one protocol entity
- Refresh shim-opensuse-cert-prompt.patch

OBS-URL: https://build.opensuse.org/request/show/224833
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=65
2014-03-06 07:55:56 +00:00
Gary Ching-Pang Lin
466149ebe7 Accepting request 224828 from home:michael-chang:branches:devel:openSUSE:Factory
- shim-install: fix the $prefix to use grub2-mkrelpath for paths
  on btrfs subvolume (bnc#866690).

OBS-URL: https://build.opensuse.org/request/show/224828
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=64
2014-03-06 04:08:12 +00:00
Gary Ching-Pang Lin
898a347233 Accepting request 224565 from home:gary_lin:branches:devel:openSUSE:Factory
- Update signature-sles.asc: shim signed by UEFI signing service,
  based on code from "Thu Feb 20 11:57:01 UTC 2014"

OBS-URL: https://build.opensuse.org/request/show/224565
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=63
2014-03-04 06:40:16 +00:00
Gary Ching-Pang Lin
ac40989026 Accepting request 224563 from home:gary_lin:branches:devel:openSUSE:Factory
FATE#315002: Update shim-install to install shim.efi as the EFI default bootloader when none exists in \EFI\boot.

OBS-URL: https://build.opensuse.org/request/show/224563
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=62
2014-03-04 04:32:46 +00:00
Tomáš Chvátal
48acea1e89 Accepting request 223346 from home:gary_lin:branches:devel:openSUSE:Factory
Show the prompt to ask whether the user trusts the openSUSE certificate or not

OBS-URL: https://build.opensuse.org/request/show/223346
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=61
2014-02-28 10:04:44 +00:00
Gary Ching-Pang Lin
358e7af8a4 Accepting request 223224 from home:lnussel:branches:devel:openSUSE:Factory
- allow package to carry multiple signatures
- check correct certificate is embedded

OBS-URL: https://build.opensuse.org/request/show/223224
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=60
2014-02-21 02:21:37 +00:00
Gary Ching-Pang Lin
12d61956b5 Accepting request 223204 from home:lnussel:branches:devel:openSUSE:Factory
- always clean up generated files that embed certificates
  (shim_cert.h shim.cer shim.crt) to make sure next build loop
  rebuilds them properly

OBS-URL: https://build.opensuse.org/request/show/223204
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=59
2014-02-20 10:26:49 +00:00
Gary Ching-Pang Lin
18c5d7ff47 Accepting request 222658 from home:gary_lin:branches:devel:openSUSE:Factory
- Add shim-bnc863205-mokmanager-fix-hash-delete.patch to fix the
  hash deletion operation to avoid ruining the whole list
  (bnc#863205)

OBS-URL: https://build.opensuse.org/request/show/222658
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=58
2014-02-18 03:46:55 +00:00
Gary Ching-Pang Lin
63a3d1b717 Accepting request 221745 from home:gary_lin:branches:devel:openSUSE:Factory
- Update shim-mokx-support.patch to support the resetting of MOK blacklist
- Fix the variable checking in get_variable_attr
- Improve the boot entry paths and avoid generating the boot entries that are already there
- Update SUSE certificate
- Update scripts to remove the creation of the temporary nss database
- Remove the kernel version of the build server
- Match the prefix of the project name properly by escaping the percent sign.

OBS-URL: https://build.opensuse.org/request/show/221745
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=57
2014-02-13 01:57:08 +00:00
f46b6f113f Accepting request 214707 from home:lnussel:branches:devel:openSUSE:Factory
- enable signature assertion also in SUSE: hierarchy

OBS-URL: https://build.opensuse.org/request/show/214707
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=55
2014-01-29 10:49:44 +00:00
Gary Ching-Pang Lin
1e4680c8fe Accepting request 209582 from home:gary_lin:branches:devel:openSUSE:Factory
handle the error status from ReadKeyStroke to avoid unexpected keys

OBS-URL: https://build.opensuse.org/request/show/209582
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=53
2013-12-06 07:16:12 +00:00
Gary Ching-Pang Lin
1640d5b323 Accepting request 209456 from home:gary_lin:branches:devel:openSUSE:Factory
Update to 0.7, include upstream patches, and support MOK blacklist

OBS-URL: https://build.opensuse.org/request/show/209456
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=52
2013-12-05 02:46:29 +00:00
Gary Ching-Pang Lin
123cf8931f Accepting request 205333 from home:fcrozat:branches:devel:openSUSE:Factory
- Update microsoft.asc: shim signed by UEFI signing service, based
  on code from "Tue Oct  1 04:29:29 UTC 2013".

OBS-URL: https://build.opensuse.org/request/show/205333
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=50
2013-10-31 10:33:54 +00:00
Gary Ching-Pang Lin
fe27947fc0 Accepting request 201531 from home:gary_lin:branches:devel:openSUSE:Factory
- Add shim-netboot-fixes.patch to include upstream netboot fixes
- Add shim-mokmanager-disable-gfx-console.patch to disable the
  graphics console to avoid system hang on some machines
- Add shim-bnc841426-silence-shim-protocols.patch to silence the
  shim protocols (bnc#841426)

OBS-URL: https://build.opensuse.org/request/show/201531
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=48
2013-10-01 07:06:21 +00:00
Gary Ching-Pang Lin
abecbcfee6 Accepting request 200505 from home:gary_lin:branches:devel:openSUSE:Factory
Create boot.csv in ESP for fallback.efi to restore the boot entry

OBS-URL: https://build.opensuse.org/request/show/200505
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=46
2013-09-25 08:08:02 +00:00
7d754a1d6f Accepting request 199366 from home:fcrozat:branches:devel:openSUSE:Factory
- Update microsoft.asc: shim signed by UEFI signing service, based
  on code from "Fri Sep  6 13:57:36 UTC 2013".
- Improve extract_signature.sh to work on current path.

OBS-URL: https://build.opensuse.org/request/show/199366
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=44
2013-09-17 09:17:43 +00:00
Gary Ching-Pang Lin
23b0639b8c Accepting request 197604 from home:lnussel:branches:devel:openSUSE:Factory
- set timestamp of PE file to time of the binary the signature was
  made for.
- make sure cert.o gets rebuilt for each target

- Update microsoft.asc: shim signed by UEFI signing service, based
  on code from "Wed Aug 28 15:54:38 UTC 2013"

OBS-URL: https://build.opensuse.org/request/show/197604
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=42
2013-09-09 03:29:33 +00:00
Gary Ching-Pang Lin
3436d7ba57 Accepting request 196735 from home:lnussel:branches:devel:openSUSE:Factory
- always build a shim that embeds the distro's certificate (e.g.
  shim-opensuse.efi). If the package is built in the devel project
  additionally shim-devel.efi is created. That allows us to either
  load grub2/kernel signed by the distro or signed by the devel
  project, depending on use case. Also shim-$distro.efi from the
  devel project can be used to request additional signatures.

OBS-URL: https://build.opensuse.org/request/show/196735
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=40
2013-08-29 08:43:23 +00:00
Gary Ching-Pang Lin
f83d4083f6 Accepting request 196609 from home:lnussel:branches:devel:openSUSE:Factory
- also include old openSUSE 4096 bit certificate to be able to still
  boot kernels signed with that key.
- add show_signatures script

OBS-URL: https://build.opensuse.org/request/show/196609
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=38
2013-08-28 09:32:58 +00:00
Gary Ching-Pang Lin
e60c1a0266 Accepting request 196493 from home:lnussel:branches:devel:openSUSE:Factory
- replace the 4096 bit openSUSE UEFI CA certificate with a new
  standard compliant 2048 bit one.

OBS-URL: https://build.opensuse.org/request/show/196493
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=36
2013-08-27 07:45:39 +00:00
Gary Ching-Pang Lin
79c0b9a33d Accepting request 195685 from home:lnussel:branches:devel:openSUSE:Factory
- fix shell syntax error

OBS-URL: https://build.opensuse.org/request/show/195685
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=34
2013-08-22 01:54:02 +00:00
Gary Ching-Pang Lin
dd00d3c666 Accepting request 186534 from home:lnussel:branches:devel:openSUSE:Factory
- don't include binary in the sources. Instead package the raw
  signature and attach it during build (bnc#813448).

OBS-URL: https://build.opensuse.org/request/show/186534
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=32
2013-08-09 09:33:45 +00:00
Gary Ching-Pang Lin
125b3129ee Accepting request 185349 from home:gary_lin:branches:devel:openSUSE:Factory
- Update shim-mokmanager-ui-revamp.patch to include fixes for
  MokManager
  + reboot the system after clearing MOK password
  + fetch more info from X509 name
  + check the suffix of the key file

OBS-URL: https://build.opensuse.org/request/show/185349
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=30
2013-08-01 02:49:52 +00:00
Gary Ching-Pang Lin
16ab868efc Accepting request 184039 from home:gary_lin:branches:devel:openSUSE:Factory
- Update to 0.4
- Rebase patches
  + shim-suse-build.patch
  + shim-mokmanager-support-crypt-hash-method.patch
  + shim-bnc804631-fix-broken-bootpath.patch
  + shim-bnc798043-no-doulbe-separators.patch
  + shim-bnc807760-change-pxe-2nd-loader-name.patch
  + shim-bnc808106-correct-certcount.patch 
  + shim-mokmanager-ui-revamp.patch
- Add patches
  + shim-merge-lf-loader-code.patch: merge the Linux Foundation
    loader UI code
  + shim-fix-pointer-casting.patch: fix a casting issue and the
    size of an empty vendor cert
  + shim-fix-simple-file-selector.patch: fix the buffer allocation
    in the simple file selector
- Remove upstreamed patches
  + shim-support-mok-delete.patch
  + shim-reboot-after-changes.patch
  + shim-clear-queued-key.patch
  + shim-local-key-sign-mokmanager.patch
  + shim-get-2nd-stage-loader.patch
  + shim-fix-loadoptions.patch
- Remove unused patch: shim-mokmanager-new-pw-hash.patch and
  shim-keep-unsigned-mokmanager.patch
- Install the vendor certificate to /etc/uefi/certs

OBS-URL: https://build.opensuse.org/request/show/184039
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=28
2013-07-23 04:44:22 +00:00
Gary Ching-Pang Lin
e6e545b72a Accepting request 174778 from home:gary_lin:branches:devel:openSUSE:Factory
Revamp the MokManager UI

OBS-URL: https://build.opensuse.org/request/show/174778
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=26
2013-05-08 06:52:29 +00:00
Gary Ching-Pang Lin
2e7d74adf8 Accepting request 162327 from home:gary_lin:branches:devel:openSUSE:Factory
bnc#813079: Call update-bootloader in %post to update *.efi in \efi\opensuse

OBS-URL: https://build.opensuse.org/request/show/162327
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=24
2013-04-03 06:25:09 +00:00
Gary Ching-Pang Lin
6c21f45551 Accepting request 157970 from home:gary_lin:branches:devel:openSUSE:Factory
bnc#807760: change the PXE 2nd stage loader name
bnc#808106: certificate count of the signature list

OBS-URL: https://build.opensuse.org/request/show/157970
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=22
2013-03-08 08:06:19 +00:00
Gary Ching-Pang Lin
e356a6eeae Accepting request 157208 from home:gary_lin:branches:devel:openSUSE:Factory
(bnc#798043#c4) remove double separators from the bootpath

OBS-URL: https://build.opensuse.org/request/show/157208
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=20
2013-03-05 10:12:49 +00:00
Gary Ching-Pang Lin
d1f2afa617 Accepting request 156849 from home:lnussel:sbtest
- sign shim also with openSUSE certificate

OBS-URL: https://build.opensuse.org/request/show/156849
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=18
2013-03-01 03:32:55 +00:00
54f4730c79 add changes
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=17
2013-02-27 16:19:41 +00:00
e60042f553 fix
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=16
2013-02-27 15:47:35 +00:00