12d61956b5
- always clean up generated files that embed certificates (shim_cert.h shim.cer shim.crt) to make sure next build loop rebuilds them properly OBS-URL: https://build.opensuse.org/request/show/223204 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=59
336 lines
12 KiB
Plaintext
336 lines
12 KiB
Plaintext
-------------------------------------------------------------------
|
|
Thu Feb 20 10:06:47 UTC 2014 - lnussel@suse.de
|
|
|
|
- always clean up generated files that embed certificates
|
|
(shim_cert.h shim.cer shim.crt) to make sure next build loop
|
|
rebuilds them properly
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Feb 17 09:58:56 UTC 2014 - glin@suse.com
|
|
|
|
- Add shim-bnc863205-mokmanager-fix-hash-delete.patch to fix the
|
|
hash deletion operation to avoid ruining the whole list
|
|
(bnc#863205)
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Feb 11 06:30:02 UTC 2014 - glin@suse.com
|
|
|
|
- Update shim-mokx-support.patch to support the resetting of MOK
|
|
blacklist
|
|
- Add shim-get-variable-check.patch to fix the variable checking
|
|
in get_variable_attr
|
|
- Add shim-improve-fallback-entries-creation.patch to improve the
|
|
boot entry pathes and avoid generating the boot entries that
|
|
are already there
|
|
- Update SUSE certificate
|
|
- Update attach_signature.sh, show_hash.sh, strip_signature.sh,
|
|
extract_signature.sh and show_signatures.sh to remove the
|
|
creation of the temporary nss database
|
|
- Add shim-only-os-name.patch: remove the kernel version of the
|
|
build server
|
|
- Match the the prefix of the project name properly by escaping the
|
|
percent sign.
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jan 22 13:45:44 UTC 2014 - lnussel@suse.de
|
|
|
|
- enable signature assertion also in SUSE: hierarchy
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Dec 6 06:44:43 UTC 2013 - glin@suse.com
|
|
|
|
- Add shim-mokmanager-handle-keystroke-error.patch to handle the
|
|
error status from ReadKeyStroke to avoid unexpected keys
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Dec 5 02:05:13 UTC 2013 - glin@suse.com
|
|
|
|
- Update to 0.7
|
|
- Add upstream patches:
|
|
+ shim-fix-verify-mok.patch
|
|
+ shim-improve-error-messages.patch
|
|
+ shim-correct-user_insecure-usage.patch
|
|
+ shim-fix-dhcpv4-path-generation.patch
|
|
- Add shim-mokx-support.patch to support the MOK blacklist
|
|
(Fate#316531)
|
|
- Drop upstreamed patches
|
|
+ shim-fix-pointer-casting.patch
|
|
+ shim-merge-lf-loader-code.patch
|
|
+ shim-fix-simple-file-selector.patch
|
|
+ shim-mokmanager-support-crypt-hash-method.patch
|
|
+ shim-bnc804631-fix-broken-bootpath.patch
|
|
+ shim-bnc798043-no-doulbe-separators.patch
|
|
+ shim-bnc807760-change-pxe-2nd-loader-name.patch
|
|
+ shim-bnc808106-correct-certcount.patch
|
|
+ shim-mokmanager-ui-revamp.patch
|
|
+ shim-netboot-fixes.patch
|
|
+ shim-mokmanager-disable-gfx-console.patch
|
|
- Drop shim-suse-build.patch: it's not necessary anymore
|
|
- Drop shim-bnc841426-silence-shim-protocols.patch: shim is not
|
|
verbose by default
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Oct 31 09:11:18 UTC 2013 - fcrozat@suse.com
|
|
|
|
- Update microsoft.asc: shim signed by UEFI signing service, based
|
|
on code from "Tue Oct 1 04:29:29 UTC 2013".
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Oct 1 04:29:29 UTC 2013 - glin@suse.com
|
|
|
|
- Add shim-netboot-fixes.patch to include upstream netboot fixes
|
|
- Add shim-mokmanager-disable-gfx-console.patch to disable the
|
|
graphics console to avoid system hang on some machines
|
|
- Add shim-bnc841426-silence-shim-protocols.patch to silence the
|
|
shim protocols (bnc#841426)
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Sep 25 07:17:54 UTC 2013 - glin@suse.com
|
|
|
|
- Create boot.csv in ESP for fallback.efi to restore the boot entry
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Sep 17 10:53:50 CEST 2013 - fcrozat@suse.com
|
|
|
|
- Update microsoft.asc: shim signed by UEFI signing service, based
|
|
on code from "Fri Sep 6 13:57:36 UTC 2013".
|
|
- Improve extract_signature.sh to work on current path.
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Sep 6 13:57:36 UTC 2013 - lnussel@suse.de
|
|
|
|
- set timestamp of PE file to time of the binary the signature was
|
|
made for.
|
|
- make sure cert.o get's rebuilt for each target
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Sep 6 11:48:14 CEST 2013 - fcrozat@suse.com
|
|
|
|
- Update microsoft.asc: shim signed by UEFI signing service, based
|
|
on code from "Wed Aug 28 15:54:38 UTC 2013"
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Aug 28 15:54:38 UTC 2013 - lnussel@suse.de
|
|
|
|
- always build a shim that embeds the distro's certificate (e.g.
|
|
shim-opensuse.efi). If the package is built in the devel project
|
|
additionally shim-devel.efi is created. That allows us to either
|
|
load grub2/kernel signed by the distro or signed by the devel
|
|
project, depending on use case. Also shim-$distro.efi from the
|
|
devel project can be used to request additional signatures.
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Aug 28 07:16:51 UTC 2013 - lnussel@suse.de
|
|
|
|
- also include old openSUSE 4096 bit certificate to be able to still
|
|
boot kernels signed with that key.
|
|
- add show_signatures script
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Aug 27 06:41:03 UTC 2013 - lnussel@suse.de
|
|
|
|
- replace the 4096 bit openSUSE UEFI CA certificate with new a
|
|
standard compliant 2048 bit one.
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Aug 20 11:48:25 UTC 2013 - lnussel@suse.de
|
|
|
|
- fix shell syntax error
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Aug 7 15:51:36 UTC 2013 - lnussel@suse.de
|
|
|
|
- don't include binary in the sources. Instead package the raw
|
|
signature and attach it during build (bnc#813448).
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Jul 30 07:36:28 UTC 2013 - glin@suse.com
|
|
|
|
- Update shim-mokmanager-ui-revamp.patch to include fixes for
|
|
MokManager
|
|
+ reboot the system after clearing MOK password
|
|
+ fetch more info from X509 name
|
|
+ check the suffix of the key file
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Jul 23 03:55:05 UTC 2013 - glin@suse.com
|
|
|
|
- Update to 0.4
|
|
- Rebase patches
|
|
+ shim-suse-build.patch
|
|
+ shim-mokmanager-support-crypt-hash-method.patch
|
|
+ shim-bnc804631-fix-broken-bootpath.patch
|
|
+ shim-bnc798043-no-doulbe-separators.patch
|
|
+ shim-bnc807760-change-pxe-2nd-loader-name.patch
|
|
+ shim-bnc808106-correct-certcount.patch
|
|
+ shim-mokmanager-ui-revamp.patch
|
|
- Add patches
|
|
+ shim-merge-lf-loader-code.patch: merge the Linux Foundation
|
|
loader UI code
|
|
+ shim-fix-pointer-casting.patch: fix a casting issue and the
|
|
size of an empty vendor cert
|
|
+ shim-fix-simple-file-selector.patch: fix the buffer allocation
|
|
in the simple file selector
|
|
- Remove upstreamed patches
|
|
+ shim-support-mok-delete.patch
|
|
+ shim-reboot-after-changes.patch
|
|
+ shim-clear-queued-key.patch
|
|
+ shim-local-key-sign-mokmanager.patch
|
|
+ shim-get-2nd-stage-loader.patch
|
|
+ shim-fix-loadoptions.patch
|
|
- Remove unused patch: shim-mokmanager-new-pw-hash.patch and
|
|
shim-keep-unsigned-mokmanager.patch
|
|
- Install the vendor certificate to /etc/uefi/certs
|
|
|
|
-------------------------------------------------------------------
|
|
Wed May 8 06:40:12 UTC 2013 - glin@suse.com
|
|
|
|
- Add shim-mokmanager-ui-revamp.patch to update the MokManager UI
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Apr 3 03:54:22 UTC 2013 - glin@suse.com
|
|
|
|
- Call update-bootloader in %post to update *.efi in \efi\opensuse
|
|
(bnc#813079)
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Mar 8 06:53:47 UTC 2013 - glin@suse.com
|
|
|
|
- Add shim-bnc807760-change-pxe-2nd-loader-name.patch to change the
|
|
PXE 2nd stage loader name (bnc#807760)
|
|
- Add shim-bnc808106-correct-certcount.patch to correct the
|
|
certificate count of the signature list (bnc#808106)
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Mar 1 10:07:55 UTC 2013 - glin@suse.com
|
|
|
|
- Add shim-bnc798043-no-doulbe-separators.patch to remove double
|
|
seperators from the bootpath (bnc#798043#c4)
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Feb 28 08:57:48 UTC 2013 - lnussel@suse.de
|
|
|
|
- sign shim also with openSUSE certificate
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Feb 27 15:52:53 CET 2013 - mls@suse.de
|
|
|
|
- identify project, export certificate as DER file
|
|
- don't create an unused extra keypair
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Feb 21 10:08:12 UTC 2013 - glin@suse.com
|
|
|
|
- Add shim-bnc804631-fix-broken-bootpath.patch to fix the broken
|
|
bootpath generated in generate_path(). (bnc#804631)
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Feb 11 12:15:25 UTC 2013 - fcrozat@suse.com
|
|
|
|
- Update with shim signed by UEFI signing service, based on code
|
|
from "Thu Feb 7 06:56:19 UTC 2013".
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Feb 7 13:54:06 UTC 2013 - lnussel@suse.de
|
|
|
|
- prepare for having a signed shim from the UEFI signing service
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Feb 7 06:56:19 UTC 2013 - glin@suse.com
|
|
|
|
- Sign shim-opensuse.efi and MokManager.efi with the openSUSE cert
|
|
- Add shim-keep-unsigned-mokmanager.patch to keep the unsigned
|
|
MokManager and sign it later.
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Feb 6 06:35:45 UTC 2013 - mchang@suse.com
|
|
|
|
- Add shim-install utility
|
|
- Add Recommends to grub2-efi
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jan 30 09:00:31 UTC 2013 - glin@suse.com
|
|
|
|
- Add shim-mokmanager-support-crypt-hash-method.patch to support
|
|
password hash from /etc/shadow (FATE#314506)
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Jan 29 03:20:48 UTC 2013 - glin@suse.com
|
|
|
|
- Embed openSUSE-UEFI-CA-Certificate.crt in shim
|
|
- Rename shim-unsigned.efi to shim-opensuse.efi.
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Jan 18 10:06:13 UTC 2013 - glin@suse.com
|
|
|
|
- Update shim-mokmanager-new-pw-hash.patch to extend the password
|
|
hash format
|
|
- Rename shim.efi as shim-unsigned.efi
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jan 16 08:01:55 UTC 2013 - glin@suse.com
|
|
|
|
- Merge patches for FATE#314506
|
|
+ Add shim-support-mok-delete.patch to add support for deleting
|
|
specific keys
|
|
+ Add shim-mokmanager-new-pw-hash.patch to support the new
|
|
password hash.
|
|
- Drop shim-correct-mok-size.patch which is included in
|
|
shim-support-mok-delete.patch
|
|
- Merge shim-remove-debug-code.patch and
|
|
shim-local-sign-mokmanager.patch into
|
|
shim-local-key-sign-mokmanager.patch
|
|
- Install COPYRIGHT
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Jan 15 03:17:53 UTC 2013 - glin@suse.com
|
|
|
|
- Add shim-fix-loadoptions.patch to adopt the UEFI shell style
|
|
LoadOptions (bnc#798043)
|
|
- Drop shim-check-pk-kek.patch since upstream rejected the patch
|
|
due to violation of SPEC.
|
|
- Install EFI binaries to /usr/lib64/efi
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Dec 26 07:05:02 UTC 2012 - glin@suse.com
|
|
|
|
- Update shim-reboot-after-changes.patch to avoid rebooting the
|
|
system after enrolling keys/hashes from the file system
|
|
- Add shim-correct-mok-size.patch to correct the size of MOK
|
|
- Add shim-clear-queued-key.patch to clear the queued key and show
|
|
the menu properly
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Dec 12 15:16:18 UTC 2012 - fcrozat@suse.com
|
|
|
|
- Remove shim-rpmlintrc, it wasn't fixing the error, hide error
|
|
stdout to prevent post build check to get triggered by cast
|
|
warnings in openSSL code
|
|
- Add shim-remove-debug-code.patch: remove debug code
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Dec 12 04:01:52 UTC 2012 - glin@suse.com
|
|
|
|
- Add shim-rpmlintrc to filter 64bit portability errors
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Dec 11 07:36:32 UTC 2012 - glin@suse.com
|
|
|
|
- Add shim-local-sign-mokmanager.patch to create a local certicate
|
|
to sign MokManager
|
|
- Add shim-get-2nd-stage-loader.patch to get the second stage
|
|
loader path from the load options
|
|
- Add shim-check-pk-kek.patch to verify EFI images with PK and KEK
|
|
- Add shim-reboot-after-changes.patch to reboot the system after
|
|
enrolling or erasing keys
|
|
- Install the EFI images to /usr/lib64/shim instead of the EFI
|
|
partition
|
|
- Update the mail address of the author
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Nov 2 08:19:37 UTC 2012 - glin@suse.com
|
|
|
|
- Add new package shim 0.2 (FATE#314484)
|
|
+ It's in fact git 2fd180a92 since there is no tag for 0.2
|
|
|