15.8 · 5914984a

shim 15.8: What's changed

* Various CVE fixes:
  * CVE-2023-40546 mok: fix LogError() invocation
  * CVE-2023-40547 - avoid incorrectly trusting HTTP headers
  * CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
  * CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
  * CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
  * CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
* Add make infrastructure to set the NX_COMPAT flag by @vathpela in https://github.com/rhboot/shim/pull/530
* Make sbat_var.S parse right with buggy gcc/binutils by @vathpela in https://github.com/rhboot/shim/pull/535
* Drop invalid calls to CRYPTO_set_mem_functions by @nicholasbishop in https://github.com/rhboot/shim/pull/537
* pe: Align section size up to page size for mem attrs by @nicholasbishop in https://github.com/rhboot/shim/pull/539
* test-sbat: Fix exit code by @vathpela in https://github.com/rhboot/shim/pull/540
* pe: Add IS_PAGE_ALIGNED macro by @nicholasbishop in https://github.com/rhboot/shim/pull/541
* CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper by @nicholasbishop in https://github.com/rhboot/shim/pull/546
* Don't loop forever in load_certs() with buggy firmware by @rmetrich in https://github.com/rhboot/shim/pull/547
* Block Debian grub binaries with SBAT < 4 by @steve-mcintyre in https://github.com/rhboot/shim/pull/550
* Shim unable to locate grubx64 in PXE boot mode when grubx64 is stored in a different file path by @Alberto-Perez-Guevara in https://github.com/rhboot/shim/pull/551
* Further improve load_certs() for non-compliant drivers/firmwares by @pbatard in https://github.com/rhboot/shim/pull/560
* pe: only process RelocDir->Size of reloc section by @mikebeaton in https://github.com/rhboot/shim/pull/562
* Rename 'msecs' to 'usecs' to avoid potential confusion by @aronowski in https://github.com/rhboot/shim/pull/563
* Optionally allow to keep shim protocol installed by @bluca in https://github.com/rhboot/shim/pull/565
* SBAT-related documents formatting and spelling by @aronowski in https://github.com/rhboot/shim/pull/566
* Add SbatLevel_Variable.txt to document the various revocations by @jsetje in https://github.com/rhboot/shim/pull/569
* Add a security contact email address in README.md by @vathpela in https://github.com/rhboot/shim/pull/572
* Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL by @vathpela in https://github.com/rhboot/shim/pull/576
* mok: fix LogError() invocation by @vathpela in https://github.com/rhboot/shim/pull/577
* Minor housekeeping by @vathpela in https://github.com/rhboot/shim/pull/578
* Test ImageAddress() by @vathpela in https://github.com/rhboot/shim/pull/579
* FreePages() is used to return memory allocated by AllocatePages() by @dennis-tseng99 in https://github.com/rhboot/shim/pull/580
* Size should minus 1 when calculating 'RelocBaseEnd' by @jsetje in https://github.com/rhboot/shim/pull/581
* Verify signature before verifying sbat levels by @jsetje in https://github.com/rhboot/shim/pull/583
* Add libFuzzer support for csv.c and sbat.c by @vathpela in https://github.com/rhboot/shim/pull/584
* mok: Avoid underflow in maximum variable size calculation by @alpernebbi in https://github.com/rhboot/shim/pull/587
* Housekeeping by @vathpela in https://github.com/rhboot/shim/pull/605

Signed-off-by: Peter Jones <pjones@redhat.com>

15.7 · 11491619

shim 15.7

What's Changed

* Make SBAT variable payload introspectable by @chrisccoulson in https://github.com/rhboot/shim/pull/483
* Reference MokListRT instead of MokList by @esnowberg in https://github.com/rhboot/shim/pull/488
* Add a link to the test plan in the readme. by @vathpela in https://github.com/rhboot/shim/pull/494
* [V3] Enable TDX measurement to RTMR register by @kenplusplus in https://github.com/rhboot/shim/pull/485
* Discard load-options that start with a NUL by @frozencemetery in https://github.com/rhboot/shim/pull/505
* load_cert_file bugs by @esnowberg in https://github.com/rhboot/shim/pull/523
* Add -malign-double to IA32 compiler flags by @nicholasbishop in https://github.com/rhboot/shim/pull/516
* pe: Fix image section entry-point validation by @iokomin in https://github.com/rhboot/shim/pull/518
* make-archive: Build reproducible tarball by @julian-klode in https://github.com/rhboot/shim/pull/527
* mok: remove MokListTrusted from PCR 7 by @baloo in https://github.com/rhboot/shim/pull/519
* Shim 15.7 version update by @vathpela in https://github.com/rhboot/shim/pull/528

New Contributors

* @kenplusplus made their first contribution in https://github.com/rhboot/shim/pull/485
* @iokomin made their first contribution in https://github.com/rhboot/shim/pull/518
* @baloo made their first contribution in https://github.com/rhboot/shim/pull/519

**Full Changelog**: https://github.com/rhboot/shim/compare/15.6...15.7

15.6 · 505cdb67

shim-15.6

What's Changed

* MokManager: removed Locate graphic output protocol fail error message by @joeyli in https://github.com/rhboot/shim/pull/441
* shim: implement SBAT verification for the shim_lock protocol by @chrisccoulson in https://github.com/rhboot/shim/pull/456
* post-process-pe: Fix a missing return code check by @vathpela in https://github.com/rhboot/shim/pull/462
* Update github actions matrix to be more useful by @frozencemetery in https://github.com/rhboot/shim/pull/469
* Add f36 and centos9 CI builds by @vathpela in https://github.com/rhboot/shim/pull/470
* post-process-pe: Fix format string warnings on 32-bit platforms by @steve-mcintyre in https://github.com/rhboot/shim/pull/464
* tests: also look for system headers in multi-arch directories by @steve-mcintyre in https://github.com/rhboot/shim/pull/466
* tests: fix gcc warnings by @akodanev in https://github.com/rhboot/shim/pull/463
* Allow MokListTrusted to be enabled by default by @esnowberg in https://github.com/rhboot/shim/pull/455
* Add code of conduct by @frozencemetery in https://github.com/rhboot/shim/pull/427
* Re-add ARM AArch64 support by @vathpela in https://github.com/rhboot/shim/pull/468
* Use ASCII as fallback if Unicode Box Drawing characters fail by @vathpela in https://github.com/rhboot/shim/pull/428
* make: don't treat cert.S specially by @vathpela in https://github.com/rhboot/shim/pull/475
* shim: use SHIM_DEVEL_VERBOSE when built in devel mode by @vathpela in https://github.com/rhboot/shim/pull/474
* Break out of the inner sbat loop if we find the entry. by @vathpela in https://github.com/rhboot/shim/pull/476
* Support loading additional certificates by @esnowberg in https://github.com/rhboot/shim/pull/446
* Add support for NX (W^X) mitigations. by @vathpela in https://github.com/rhboot/shim/pull/459
* Misc fixups from scan-build. by @vathpela in https://github.com/rhboot/shim/pull/477
* Fix preserve_sbat_uefi_variable() logic by @jsetje in https://github.com/rhboot/shim/pull/478
* SBAT Policy latest should be a one-shot by @jsetje in https://github.com/rhboot/shim/pull/481
* pe: Fix a buffer overflow when SizeOfRawData > VirtualSize by @chriscoulson
* pe: Perform image verification earlier when loading grub by @chriscoulson
* Update advertised sbat generation number for shim by @jsetje
* Update SBAT generation requirements for 05/24/22 by @jsetje
* Also avoid CVE-2022-28737 in verify_image() by @vathpela

New Contributors

* @joeyli made their first contribution in https://github.com/rhboot/shim/pull/441
* @akodanev made their first contribution in https://github.com/rhboot/shim/pull/463
* @esnowberg made their first contribution in https://github.com/rhboot/shim/pull/455

**Full Changelog**: https://github.com/rhboot/shim/compare/15.5...15.6

15.6-rc2 · 8ee1e1c1

shim-15.6~rc2

What's Changed

* SBAT Policy latest should be a one-shot by @jsetje in https://github.com/rhboot/shim/pull/481
* pe: Fix a buffer overflow when SizeOfRawData > VirtualSize by @chriscoulson
* pe: Perform image verification earlier when loading grub by @chriscoulson
* Update advertised sbat generation number for shim by @jsetje
* Update SBAT generation requirements for 05/24/22 by @jsetje
* Also avoid CVE-2022-28737 in verify_image() by @vathpela

**Full Changelog**: https://github.com/rhboot/shim/compare/15.6-rc1..15.6-rc2

15.5 · f2c598bb

shim 15.5

Much thanks to those who tested this release.

Changes from -rc2:

- Make Mok config table be runtime services memory
- Remove post-process-pe on 'make clean'
- pe: missing perror argument

**Incremental changelog**: https://github.com/rhboot/shim/compare/15.5-rc2...15.5

From 15.4, the following people contributed code:

- Peter Jones (46)
- Heinrich Schuchardt (7)
- Gary Lin (6)
- Renaud Métrich (4)
- Julian Andres Klode (4)
- Serge Hallyn (2)
- Robbie Harwood (2)
- Nicholas Bishop (2)
- João Paulo Rechi Vita (2)
- Seth Forshee (1)
- Jonathan Yong (1)
- Jonas Witschel (1)
- Javier Martinez Canillas (1)
- Jan Setje-Eilers (1)
- Esther Shimanovich (1)
- Eric Snowberg (1)
- Dimitri John Ledkov (1)
- Daniel Axtens (1)
- Chris Coulson (1)
- Adam Williamson (1)

**Full changelog**: https://github.com/rhboot/shim/compare/15.4...15.5

15.5-rc2 · d0df9304

shim 15.5 release candidate 2

What's Changed

* docs: update SBAT UEFI variable name by @nicholasbishop in https://github.com/rhboot/shim/pull/421
* Don't parse load options if invoked from removable media path by @julian-klode in https://github.com/rhboot/shim/pull/399
* fallback: fix fallback not passing arguments of the first boot option by @martinezjavier in https://github.com/rhboot/shim/pull/433
* shim: Don't stop forever at "Secure Boot not enabled" notification by @rmetrich in https://github.com/rhboot/shim/pull/438
* Shim 15.5 coverity by @vathpela in https://github.com/rhboot/shim/pull/439

New Contributors

* @hallyn made their first contribution in https://github.com/rhboot/shim/pull/389
* @jyong2 made their first contribution in https://github.com/rhboot/shim/pull/365
* @sforshee made their first contribution in https://github.com/rhboot/shim/pull/378
* @frozencemetery made their first contribution in https://github.com/rhboot/shim/pull/403
* @xypron made their first contribution in https://github.com/rhboot/shim/pull/406
* @eshiman made their first contribution in https://github.com/rhboot/shim/pull/398
* @daxtens made their first contribution in https://github.com/rhboot/shim/pull/413
* @rmetrich made their first contribution in https://github.com/rhboot/shim/pull/414
* @julian-klode made their first contribution in https://github.com/rhboot/shim/pull/393

**Full Changelog**: https://github.com/rhboot/shim/compare/15.5-rc1...15.5-rc2