-
1402e2fc61 · ·
shim 14 - Important bug fix release The shim EFI binary cannot have sections whose offset is not a multiple of the file header offset, or else signtool.exe will generate an incorrect signature that cannot be verified. Currently we generate a PLT section that is incorrectly aligned, due to an error in rebasing OpenSSL to fix a different issue. This version rectifies that error, as well as adding --no-undefined to the final link, so that any such missing symbol will cause a build error. This doesn't necessarily solve the file offset problem in all cases, but it does solve it in all the cases we've actually seen so far.
-
latest-release02e2fc61 · ·
shim 14 - Important bug fix release The shim EFI binary cannot have sections whose offset is not a multiple of the file header offset, or else signtool.exe will generate an incorrect signature that cannot be verified. Currently we generate a PLT section that is incorrectly aligned, due to an error in rebasing OpenSSL to fix a different issue. This version rectifies that error, as well as adding --no-undefined to the final link, so that any such missing symbol will cause a build error. This doesn't necessarily solve the file offset problem in all cases, but it does solve it in all the cases we've actually seen so far.
-
135e827007 · ·
shim 13: - OpenSSL reverted to 1.0.2k to make the cert chaining of existing deployments stay working - Better PCR usage for TPM - TPM documentation in README.tpm - More configurable build via make variables: ENABLE_SHIM_CERT ENABLE_SHIM_HASH ENABLE_SBSIGN LIBDIR EFIDIR VENDOR_CERT_FILE VENDOR_DB_FILE - Better MoK documentation in MokVars.txt - Better debuginfo generation - Lots of minor bug fixes.
-
-
-
-
-
-
-
0.9c340e8ce · ·
shim 0.9 ======== Gary Ching-Pang Lin (19): Add nostdinc to the CFLAGS for lib Update Cryptlib and openssl Make the build failed with objcopy < 2.24 Support MOK blacklist MokManager: show the hash list properly MokManager: delete the hash properly MokManager: Match all hashes in the list MokManager: Write the hash list properly Copy the MOK blacklist to a RT variable Verify the EFI images with MOK blacklist Make shim to check MokXAuth for MOKX reset MokManager: calculate the variable size correctly MokManager: fix the hash list counting in delete MokManager: Support SHA1 hash in MOK MokManager: fix the return value and type MokManager: Add more key list safe checks MokManager: Support SHA224, SHA384, and SHA512 MokManager: Discard the list contains an invalid signature MokManager: fix comparison between signed and unsigned integer Laszlo Ersek (1): Fix length of allocated buffer for boot option comparison. Matthew Garrett (1): Explicitly request sysv-style ELF hash sections Peter Jones (17): Align the sections we're loading, and check for validity /after/ discarding. Don't install our protocols if we're not in secure mode. Make lib/ build right with the cflags it should be using... Make lib/ use the right CFLAGS. gcc 5.0 changes some include bits, so copy what arm does on x86. Only run MokManager if asked or a security violation occurs. Don't leave in_protocol==1 when shim_verify() isn't enforcing. Ensure that apps launched by shim get correct BS->Exit() behavior Fix console_print_box*() parameters. MokManager: Nerf SHA-1 again for actual hashes and signatures. Don't print anything or delay when start_image() succeeds. More incorrect unsigned vs signed fixups from yours truly. Add a conditional point for a debugger to attach. Only be verbose the first time secure_mode() is called. Make sure our build-id notes wind up at a reasonable place. Improve our debuginfo path print 0.9 Richard W.M. Jones (1): fallback: Fix comparison between signed and unsigned in debugging code. -
-
-
-
-