shim (15.4-7~deb10u1) buster; urgency=high * Tweak how we call grub-install; don't abort on error. Not ideal behaviour either, but don't break upgrades. Copy the behaviour from the grub packages here. Bug #990966 -- Steve McIntyre <93sam@debian.org> Mon, 12 Jul 2021 08:59:53 +0100 shim (15.4-6~deb10u1) buster; urgency=high * Add arm64 patch to tweak section layout and stop crashing problems. Upstream issue #371. Closes: #990082, #990190 * In insecure mode, don't abort if we can't create the MokListXRT variable. Upstream issue #372. Closes: #989962, #990158 -- Steve McIntyre <93sam@debian.org> Wed, 23 Jun 2021 19:08:54 +0100 shim (15.4-5~deb10u1) buster; urgency=medium * Add defensive code around calls to db_get. Don't fail if they return errors. -- Steve McIntyre <93sam@debian.org> Sat, 08 May 2021 00:14:00 +0100 shim (15.4-4~deb10u1) unstable; urgency=medium * Fix up those maintainer scripts - if we're not running on an EFI system then exit cleanly. -- Steve McIntyre <93sam@debian.org> Mon, 03 May 2021 21:31:33 +0100 shim (15.4-3~deb10u1) buster; urgency=medium * Add maintainer scripts to the template packages to manage installing and removing fbXXX.efi and mmXXX.efi when we install/remove the shim-helpers-$arch-signed packages. Closes: #966845 -- Steve McIntyre <93sam@debian.org> Mon, 03 May 2021 21:31:33 +0100 shim (15.4-2~deb10u1) buster; urgency=medium * Add two further patches from upstream: + fix import_one_mok_state() after split + Don't call QueryVariableInfo() on EFI 1.10 machines (e.g. older Intel Mac machines) -- Steve McIntyre <93sam@debian.org> Wed, 21 Apr 2021 01:06:27 +0100 shim (15.4-1~deb10u1) buster; urgency=medium * New upstream release fixing more bugs: SBAT and arm64 support * Print sha256 checksums of the EFI binaries when the build is done * Add two patches from upstream: + fix i386 binary relocations + allocate MOK config table as BootServicesData -- Steve McIntyre <93sam@debian.org> Wed, 31 Mar 2021 19:56:02 +0100 shim (15.3-1~deb10u3) buster; urgency=medium * Only include the upstream version in the Debian SBAT metadata, so we don't break reproducibility on every minor packaging change. -- Steve McIntyre <93sam@debian.org> Wed, 24 Mar 2021 13:31:51 +0000 shim (15.3-1~deb10u2) buster; urgency=medium * Add missing build-dep on xxd for build-time unit tests -- Steve McIntyre <93sam@debian.org> Wed, 24 Mar 2021 02:26:22 +0000 shim (15.3-1~deb10u1) buster; urgency=medium * Rebuild the new upstream version for buster * Switch to gcc-8 for building * Switch to much-newer release with many fixes + Particularly pulling in SBAT changes for better revocation support + Remove all our old patches, no longer needed: - avoid_null_vsprint.patch - check_null_sn_ln.patch - fixup_git.patch - uname.patch - use_compare_mem_gcc9.patch + Now includes a vendor copy of gnu-efi with quite a few extra fixes needed. + Update copyright file to cover these changes * Add dbx entries for all our existing grub binaries + They're insecure, let's break the chainloading hole. * Add Debian SBAT data + Add a Debian SBAT template, and rules to use it + Adds a build-dep on dos2unix -- Steve McIntyre <93sam@debian.org> Wed, 24 Mar 2021 01:09:20 +0000 shim (15+1533136590.3beb971-10) unstable; urgency=medium [ Debian Janitor ] * Trim trailing whitespace. * Use secure copyright file specification URI. * debian/copyright: use spaces rather than tabs to start continuation lines. * Bump debhelper from old 11 to 12. * Set debhelper-compat version in Build-Depends. * Set upstream metadata fields: Bug-Database, Bug-Submit. * Update standards version to 4.4.1, no changes needed. [ Steve McIntyre ] * Trivial changes to generating the inbuilt dbx if we're using it. * Upload to pick up rotated Debian signing keys -- Steve McIntyre <93sam@debian.org> Fri, 24 Jul 2020 01:22:46 +0100 shim (15+1533136590.3beb971-9) unstable; urgency=medium [ Steve McIntyre ] * In the -helpers-ARCH-signed packages, change the version dependency on shim-unsigned to be >= and not =. This will allow for installation to still work in the window while we wait for the template package to do its second trip through the archive. Closes: #955356 -- Steve McIntyre <93sam@debian.org> Fri, 24 Jul 2020 00:57:16 +0100 shim (15+1533136590.3beb971-8) unstable; urgency=medium [ Steve McIntyre ] * Use --padding when calling pesign to generate hashes for the dbx list, as recommended by Peter Jones. No actual changes needed in our list of hashes at this point - they work out the same either way. * Switch to using gcc-9 for builds, tweaking a patch from upstream to fix a FTBFS. Closes: #925816 * Update debhelper compat level to 11 for shim and the signing-template -- Steve McIntyre <93sam@debian.org> Tue, 24 Mar 2020 16:51:10 +0000 shim (15+1533136590.3beb971-7) unstable; urgency=medium [ Ansgar Burchardt ] * debian/control: Update Vcs-* fields [ Steve McIntyre ] * Backport needed crash fixes: + VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls + Fix OBJ_create() to tolerate a NULL sn and ln * Build using gcc-7 to get better control of reproducibility during the lifetime of Buster. * Build in a dbx list to blacklist binaries that we know to not be secure. Build-depend on a new (bug-fixed) version of pesign to generate that list at build time, using a list of known bad hashes. * Initial list of known bad hashes is just my personal test binary. -- Steve McIntyre <93sam@debian.org> Wed, 08 May 2019 02:05:01 +0100 shim (15+1533136590.3beb971-6) unstable; urgency=medium [ Steve McIntyre ] * Add Provides: and Breaks: to shim-helpers-$arch-signed to fix clashes with the old shim-signed package for fbx64.efi.signed and mmx64.efi.signed. Closes: #924619 [ Helmut Grohne ] * Fix FTCBFS: Set CROSS_COMPILE. (Closes: #922152) -- Steve McIntyre <93sam@debian.org> Sat, 23 Mar 2019 18:19:13 +0000 shim (15+1533136590.3beb971-5) unstable; urgency=medium [ Ansgar Burchardt ] * Correct maintainer address in signing template [ Steve McIntyre ] * Remove Rules-Requires-Root in the signing template. We manually install things owned by root. There might be better ways to do this, but this will do for now. -- Steve McIntyre <93sam@debian.org> Tue, 12 Mar 2019 01:38:19 +0000 shim (15+1533136590.3beb971-4) unstable; urgency=medium [ Steve McIntyre ] * No-change sourceful upload to get rebuilds (and hence build logs) from the buildds. Hoping to get this version signed by Microsoft, so let's make our setup as clean as possible. -- Steve McIntyre <93sam@debian.org> Sat, 09 Mar 2019 22:24:23 +0000 shim (15+1533136590.3beb971-3) unstable; urgency=medium [ Philipp Hahn ] * debian/rules: fixing permissions no longer required * debian/rules: Disable ephemeral key on Debian. * Rename binary package to 'shim-unsigned' * Add template for signing {mm,fb}$ARCH.efi. (Closes: #922228) [ Luca Boccassi ] * Override lintian error about template rules file. * Include /usr/share/dpkg/architecture.mk instead of shelling out. * Add uname.patch to avoid embedding the kernel architecture in the binary and to use a fixed string instead. [ Steve McIntyre ] * Change maintenance address to be the EFI team * Add me and vorlon to the Uploaders list * Rename the helper binary packages to shim-helpers-$arch. * Update the signing-template JSON metadata to match new practice: + Move all the data under a new top-level "packages" key + Add an empty "trusted_certs" key - the helper binaries do not do any further verification with an embedded key. -- Steve McIntyre <93sam@debian.org> Fri, 08 Mar 2019 21:59:43 +0000 shim (15+1533136590.3beb971-2) unstable; urgency=medium * Update debian/watch. * Update VCS to point to salsa. * Fix debian/rules syntax for arm64 build. * Enable build for i386. * Ensure DEB_HOST_ARCH is set even if not present in the environment. * Update Standards-Version. * Update debian/copyright (drop reference to file no longer in source) -- Steve Langasek Mon, 11 Feb 2019 05:18:18 +0000 shim (15+1533136590.3beb971-1) unstable; urgency=medium * New upstream release. - debian/patches/second-stage-path: dropped; the default loader path now includes an arch suffix. - debian/patches/sbsigntool-no-pesign: dropped; no longer needed. * Drop remaining patches that were not being applied. * Sync packaging from Ubuntu: - debian/copyright: Update upstream source location. - debian/control: add a Build-Depends on libelf-dev. - Enable arm64 build. - debian/patches/fixup_git.patch: don't run git in clean; we're not really in a git tree. - debian/rules, debian/shim.install: use the upstream install target as intended, and move files to the target directory using dh_install. - define RELEASE and COMMIT_ID for the snapshot. - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature. - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream options: set MAKELEVEL. - Define an EFI_ARCH variable, and use that for paths to shim. This makes it possible to build a shim for other architectures than amd64. - Set EFIDIR=$distro for dh_auto_install; that will let files be installed in the "right" final directories, and makes boot.csv for us. - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built at compile-time for MokManager and fallback. - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback and MokManager. -- Steve Langasek Sat, 09 Feb 2019 07:23:19 +0000 shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium [ Steve Langasek ] * Initial Debian upload. Closes: #820052. * Update Standards-Version. * Embed the newly-minted Debian CA certificate. * Vendorize debian/rules so that the same package can be used in both Debian and Ubuntu without modification. * Fix debian/copyright to match the spec (last match wins, not first) * Fix shim.efi to not be executable. * Add watchfile. * Support parallel builds, because eh why not * Update Vcs-Bzr. * Resync with Ubuntu, including patch to fix debian/copyright. [ Julien Cristau ] * Add some missing copyright holders in d/copyright, update Upstream-Contact. Thanks to Helen Koike for the help. -- Julien Cristau Sat, 15 Oct 2016 15:17:34 +0200 shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium [ Helen Koike ] * debian/copyright: add OpenSSL license [ Mathieu Trudel-Lapierre ] * New upstream release. * debian/copyright: patches should be BSD, like the rest of the upstream code. * debian/patches/unused-variable: dropped; applied upstream. * debian/patches/binutils-version-matching: dropped, fixed upstream. * debian/shim.install: built EFI binaries were renamed; update our install file to properly pick up shim (shim$arch), MokManager (mm$arch), and fallback (fb$arch). -- Mathieu Trudel-Lapierre Wed, 21 Sep 2016 20:29:44 -0400 shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium * New upstream release. - Better handle LoadOptions. (LP: #1581299) - Measure state and second stage in TPM. - Mirror MokSBState in runtime as MokSBStateRT. - Fix failure to build with GCC 5. (LP: #1429978) - Various bug fixes and other improvements. * Refreshed patches. - Remaining patches: + second-stage-path + sbsigntool-not-pesign * debian/patches/unused-variable: remove unused variable size. * debian/patches/binutils-version-matching: revert d9a4c912 to correctly match objcopy's version on Ubuntu. * debian/copyright: update copyright for patches. -- Mathieu Trudel-Lapierre Tue, 26 Jul 2016 16:48:32 -0400 shim (0.8-0ubuntu2) wily; urgency=medium * No-change rebuild against gnu-efi 3.0v-5ubuntu1. -- Steve Langasek Tue, 12 May 2015 17:48:30 +0000 shim (0.8-0ubuntu1) wily; urgency=medium * New upstream release. - Clarify meaning of insecure_mode. (LP: #1384973) * debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch, debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included in the upstream release. * debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path: refreshed. -- Mathieu Trudel-Lapierre Mon, 11 May 2015 19:50:49 -0400 shim (0.7-0ubuntu4) utopic; urgency=medium * SECURITY UPDATE: heap overflow and out-of-bounds read access when parsing DHCPv6 information - debian/patches/CVE-2014-3675.patch: apply proper bounds checking when parsing data provided in DHCPv6 packets. - CVE-2014-3675 - CVE-2014-3676 * SECURITY UPDATE: memory corruption when processing user-provided key lists - debian/patches/CVE-2014-3677.patch: detect malformed machine owner key (MOK) lists and ignore them, avoiding possible memory corruption. - CVE-2014-3677 -- Steve Langasek Wed, 08 Oct 2014 06:40:40 +0000 shim (0.7-0ubuntu2) utopic; urgency=medium * Restore debian/patches/prototypes, which still is needed on shim 0.7 but only detected on the buildds. * Update debian/patches/prototypes with some new declarations needed for openssl 0.9.8za update. -- Steve Langasek Tue, 07 Oct 2014 16:20:08 -0700 shim (0.7-0ubuntu1) utopic; urgency=medium * New upstream release. - fix spurious error message when fallback.efi is not present, as will always be the case for removable media. LP: #1297069. - drop most patches, included upstream. * debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick openssl 0.9.8za in via upstream. -- Steve Langasek Tue, 07 Oct 2014 05:40:41 +0000 shim (0.4-0ubuntu5) utopic; urgency=low * Install fallback.efi.signed as well, to lay the groundwork for fallback handling (wanted when we have to move a drive between machines, or when the firmware loses its marbles^W nvram). -- Steve Langasek Mon, 04 Aug 2014 12:11:13 +0200 shim (0.4-0ubuntu4) saucy; urgency=low * debian/patches/fix-tftp-prototype: pass the right arguments to EFI_PXE_BASE_CODE_TFTP_READ_FILE. * debian/patches/build-with-Werror: Build with -Werror to catch future prototype mismatches. * debian/patches/fix-compiler-warnings: Fix remaining compiler warnings in netboot.c. * debian/patches/tftp-proper-nul-termination: fix nul termination errors in filenames passed to tftp. * debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to the netboot code. -- Steve Langasek Mon, 23 Sep 2013 00:30:00 -0700 shim (0.4-0ubuntu3) saucy; urgency=low [ Steve Langasek ] * Install MokManager.efi.signed in the package. * debian/patches/no-output-by-default.patch: Don't print any informational messages. Closes LP: #1074302. [ Stéphane Graber ] * debian/patches/no-print-on-unsigned: Don't print an error message when validating an unsigned binary as that tends to hang Lenovo machines. (LP: #1087501) -- Stéphane Graber Thu, 08 Aug 2013 17:12:12 +0200 shim (0.4-0ubuntu2) saucy; urgency=low * Add missing build-dependency on openssl. -- Steve Langasek Tue, 02 Jul 2013 20:30:43 +0000 shim (0.4-0ubuntu1) saucy; urgency=low * New upstream release. * Drop debian/patches/shim-before-loadimage; upstream has changed this to not call loadimage at all. * debian/patches/sbsigntool-not-pesign: Sign MokManager with sbsigntool instead of pesign. * Add a versioned build-dependency on gnu-efi. -- Steve Langasek Tue, 02 Jul 2013 12:53:24 -0700 shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low * debian/patches/shim-before-loadimage: Use direct verification first before LoadImage. Addresses an issue where Lenovo's SecureBoot implementation pops an error message on any verification failure - avoid calling LoadImage at all unless we have to. -- Steve Langasek Wed, 10 Oct 2012 15:28:40 -0700 shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low * debian/patches/second-stage-path: Chainload grubx64.efi, not grub.efi. -- Steve Langasek Fri, 05 Oct 2012 11:20:58 -0700 shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low * debian/patches/prototypes: Include missing prototypes, and disable use of BIO_new_file. * Only build the package for amd64; we're not signing an i386 shim at this stage so there's no point in building it. -- Steve Langasek Thu, 04 Oct 2012 17:47:04 +0000 shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low * Initial release. * Include the Canonical Secure Boot master CA. -- Steve Langasek Thu, 04 Oct 2012 00:01:06 -0700