- Jul 24, 2020
-
-
Steve McIntyre authored
-
Steve McIntyre authored
We may end up with duplicates, let's not include hashes twice in the shim binary blacklist
-
Steve McIntyre authored
- Jun 12, 2020
-
-
Mario Limonciello authored
Fix some issues reported by lintian See merge request efi-team/shim!5
-
- Apr 01, 2020
-
-
Janitor authored
Fixes: lintian: out-of-date-standards-version See-also: https://lintian.debian.org/tags/out-of-date-standards-version.html
-
Janitor authored
Fixes: lintian: upstream-metadata-file-is-missing See-also: https://lintian.debian.org/tags/upstream-metadata-file-is-missing.html
-
Janitor authored
Fixes: lintian: uses-debhelper-compat-file See-also: https://lintian.debian.org/tags/uses-debhelper-compat-file.html
-
Janitor authored
Fixes: lintian: package-uses-old-debhelper-compat-version See-also: https://lintian.debian.org/tags/package-uses-old-debhelper-compat-version.html
-
Janitor authored
Fixes: lintian: tab-in-license-text See-also: https://lintian.debian.org/tags/tab-in-license-text.html
-
Janitor authored
Fixes: lintian: insecure-copyright-format-uri See-also: https://lintian.debian.org/tags/insecure-copyright-format-uri.html
-
Janitor authored
Fixes: lintian: file-contains-trailing-whitespace See-also: https://lintian.debian.org/tags/file-contains-trailing-whitespace.html
-
- Mar 30, 2020
-
-
Steve McIntyre authored
Change the version dependency on shim-unsigned to be >= and not =. This will allow for installation to still work in the window while we wait for the template package to do its second trip through the archive. Closes: #955356
-
Steve McIntyre authored
-
- Mar 24, 2020
-
-
Steve McIntyre authored
-
Steve McIntyre authored
Pull upstream commit aaa09b35e73c4a35fc119d225e5241199d7cf5aa to fix an FTBFS.
- May 08, 2019
-
-
Steve McIntyre authored
for the dbx list, as recommended by Peter Jones. No actual changes needed in our list of hashes at this point - they work out the same either way.
-
Steve McIntyre authored
Not needed now.
-
- May 07, 2019
-
-
Steve McIntyre authored
so they'll get an empty dbs list rather than breaking the build
-
- May 06, 2019
-
-
dann frazier authored
It wouldn't hurt to keep a record of them.
-
dann frazier authored
While it maybe convenient for a developer to be able to do a build w/o any dbx hashes, it prevents the $(DBX_LIST) target from having a proper dependency on the $(DBX_HASHES) file. If a developer were to add a new hash in a built tree, make would not detect that on a subsequent build and would not update the $(DBX_LIST) file. Continue to support a NULL $(DBX_LIST) build by touching the $(DBX_LIST) file in case no efisiglist commands ran. Developers can now create an empty $(DBX_HASHES) file to get that.
-
dann frazier authored
-
dann frazier authored
Without this we would silently ignore an efisiglist command error.
-
dann frazier authored
-
Steve McIntyre authored
Changes: crash fixes generate dbx file at runtime
-
Steve McIntyre authored
signed arm64 grub binaries that allow use of the devicetree command, as found in grub-efi-arm64-signed_1+2.02+dfsg1+16_arm64.deb grub-efi-arm64-signed_1+2.02+dfsg1+17_arm64.deb
-
Steve McIntyre authored
-
- May 04, 2019
-
-
Steve McIntyre authored
This allow us to block executing binaries with specific checksums. Generate the dbx list at runtime from a simple list of sha256 hashes, so we can update this easily. If we need to also blacklist a cert later, we'll need to update this code to add that option too. Add a build-dep on pesign to get the needed efisiglist program.
-
- May 03, 2019
-
-
Steve McIntyre authored
To get better control of reproducibility during the lifetime of Buster
-
Steve McIntyre authored
-
Steve McIntyre authored
Cherry-picked fix from upstream MR at https://github.com/rhboot/shim/pull/174/commits/3a9e237b1baddf0d3192755406befb3e9fa5ca80 From: https://github.com/openssl/openssl/commit/f13615c5b828aeb8e3d9bf2545c803633d1c684f Apply an upstream patch from OpenSSL to tolerate a NULL sn. This avoids a NULL pointer reference in shim.c:verify_eku(). This was discovered because it causes a crash on ARM where, unlike x86, it does not necessarily have memory mapped at 0x0. Fixes: 6c180c60 ("shim: verify Extended Key Usage flags") Signed-off-by: dann frazier <dann.frazier@canonical.com>
-
Steve McIntyre authored
Backport of upstream fix: VLogError() calculates the size of format strings by using calls to SPrint and VSPrint with a StrSize of 0 and NULL for an output buffer. Unfortunately, this is an incorrect usage of (V)Sprint. A StrSize of "0" is special-cased to mean "there is no limit". So, we end up writing our string to address 0x0. This was discovered because it causes a crash on ARM where, unlike x86, it does not necessarily have memory mapped at 0x0. Avoid the (V)Sprint calls altogether by using (V)PoolPrint, which handles the size calculation and allocation for us. Signed-off-by: Peter Jones <pjones@redhat.com> Fixes: 25f6fd08 ("try to show errors more usefully.") [dannf: commit message ] Signed-off-by: dann frazier <dann.frazier@canonical.com>
-
- Mar 25, 2019
-
-
Steve McIntyre authored
debian/control: Update Vcs-* fields See merge request efi-team/shim!4
-
Ansgar authored
-
- Mar 23, 2019
-
-
-
Steve McIntyre authored
to fix clashes with the old shim-signed package for fbx64.efi.signed and mmx64.efi.signed. Closes: #924619
- Mar 12, 2019