Releases: rhboot/shim

shim-16.0

18 Mar 22:23

Full Changelog: 15.8...16.0

shim-16.0-rc1

04 Mar 15:30
Pre-release

Full Changelog: 15.8...16.0-rc1

shim 15.8

23 Jan 19:01

What's New

* Various CVE fixes:
  * CVE-2023-40546: mok: fix LogError() invocation
  * CVE-2023-40547: avoid incorrectly trusting HTTP headers
  * CVE-2023-40548: Fix integer overflow on SBAT section size on 32-bit system
  * CVE-2023-40549: Authenticode: verify that the signature header is in bounds.
  * CVE-2023-40550: pe: Fix an out-of-bound read in verify_buffer_sbat()
  * CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries

Full Changelog: 15.7...15.8

shim 15.7

16 Nov 21:44
15.7

Full Changelog: 15.6...15.7

shim-15.6

07 Jun 18:35
15.6

shim 15.6 rc1

23 May 20:57
15.6-rc1
Pre-release

Full Changelog: 15.5...15.6-rc1

15.5

15 Feb 18:22
15.5

What's Changed

  • Broken ia32 relocs and an unimportant submodule change. by @vathpela in #357
  • mok: allocate MOK config table as BootServicesData by @lcp in #361
  • Don't call QueryVariableInfo() on EFI 1.10 machines by @vathpela in #364
  • Relax the check for import_mok_state() by @lcp in #372
  • SBAT.md: trivial changes by @hallyn in #389
  • shim: another attempt to fix load options handling by @chrisccoulson in #379
  • Add tests for our load options parsing. by @vathpela in #390
  • arm/aa64: fix the size of .rela* sections by @lcp in #383
  • mok: fix potential buffer overrun in import_mok_state by @jyong2 in #365
  • mok: relax the maximum variable size check by @lcp in #369
  • Don't unhook ExitBootServices when EBS protection is disabled by @sforshee in #378
  • fallback: find_boot_option() needs to return the index for the boot entry in optnum by @jsetje in #396
  • httpboot: Ignore case when checking HTTP headers by @frozencemetery in #403
  • Fallback allocation errors by @vathpela in #402
  • shim: avoid BOOTx64.EFI in message on other architectures by @xypron in #406
  • str: remove duplicate parameter check by @xypron in #408
  • fallback: add compile option FALLBACK_NONINTERACTIVE by @xnox in #359
  • Test mok mirror by @vathpela in #394
  • Modify sbat.md to help with readability. by @eshiman in #398
  • csv: detect end of csv file correctly by @xypron in #404
  • Specify that the .sbat section is ASCII not UTF-8 by @daxtens in #413
  • tests: add "include-fixed" GCC directory to include directories by @diabonas in #415
  • pe: simplify generate_hash() by @xypron in #411
  • Don't make shim abort when TPM log event fails (RHBZ #2002265) by @rmetrich in #414
  • Fallback to default loader if parsed one does not exist by @julian-klode in #393
  • fallback: Fix for BootOrder crash when index returned by find_boot_option() is not in current BootOrder list by @rmetrich in #422
  • Better console checks by @vathpela in #416
  • docs: update SBAT UEFI variable name by @nicholasbishop in #421
  • Don't parse load options if invoked from removable media path by @julian-klode in #399
  • fallback: fix fallback not passing arguments of the first boot option by @martinezjavier in #433
  • shim: Don't stop forever at "Secure Boot not enabled" notification by @rmetrich in #438
  • Shim 15.5 coverity by @vathpela in #439
  • Allocate mokvar table in runtime memory. by @vathpela in #447
  • Remove post-process-pe on 'make clean' by @vathpela in #448
  • pe: missing perror argument by @xypron in #443

Full Changelog: 15.4...15.5

shim 15.5 release candidate 2

10 Dec 22:23
15.5-rc2
Pre-release

What's Changed

  • Don't parse load options if invoked from removable media path by @julian-klode in #399
  • fallback: fix fallback not passing arguments of the first boot option by @martinezjavier in #433
  • shim: Don't stop forever at "Secure Boot not enabled" notification by @rmetrich in #438
  • Shim 15.5 coverity by @vathpela in #439

Full Changelog: 15.5-rc1...15.5-rc2

shim 15.5 release candidate 1

12 Oct 14:54
15.5-rc1
Pre-release

What's Changed

  • Broken ia32 relocs and an unimportant submodule change. by @vathpela in #357
  • mok: allocate MOK config table as BootServicesData by @lcp in #361
  • Don't call QueryVariableInfo() on EFI 1.10 machines by @vathpela in #364
  • Relax the check for import_mok_state() by @lcp in #372
  • SBAT.md: trivial changes by @hallyn in #389
  • shim: another attempt to fix load options handling by @chrisccoulson in #379
  • Add tests for our load options parsing. by @vathpela in #390
  • arm/aa64: fix the size of .rela* sections by @lcp in #383
  • mok: fix potential buffer overrun in import_mok_state by @jyong2 in #365
  • mok: relax the maximum variable size check by @lcp in #369
  • Don't unhook ExitBootServices when EBS protection is disabled by @sforshee in #378
  • fallback: find_boot_option() needs to return the index for the boot entry in optnum by @jsetje in #396
  • httpboot: Ignore case when checking HTTP headers by @frozencemetery in #403
  • Fallback allocation errors by @vathpela in #402
  • shim: avoid BOOTx64.EFI in message on other architectures by @xypron in #406
  • str: remove duplicate parameter check by @xypron in #408
  • fallback: add compile option FALLBACK_NONINTERACTIVE by @xnox in #359
  • Test mok mirror by @vathpela in #394
  • Modify sbat.md to help with readability. by @eshiman in #398
  • csv: detect end of csv file correctly by @xypron in #404
  • Specify that the .sbat section is ASCII not UTF-8 by @daxtens in #413
  • tests: add "include-fixed" GCC directory to include directories by @diabonas in #415
  • pe: simplify generate_hash() by @xypron in #411
  • Don't make shim abort when TPM log event fails (RHBZ #2002265) by @rmetrich in #414
  • Fallback to default loader if parsed one does not exist by @julian-klode in #393
  • fallback: Fix for BootOrder crash when index returned by find_boot_option() is not in current BootOrder list by @rmetrich in #422
  • Better console checks by @vathpela in #416
  • docs: update SBAT UEFI variable name by @nicholasbishop in #421

Full Changelog: 15.4...15.5-rc1

As usual, please use the tarball attached below.

shim-15.4

30 Mar 21:07
15.4

This is a critical bugfix release. Don't use 15.3, as the SBAT self-check is
broken.

As usual, please use the shim-15.4.tar.bz2 tarball, rather than the other two archives GitHub automatically produces.

Many thanks to all who helped out, including but not limited to these
contributions:

Chris Co (1):
      Makefile: sort vendor sbats to remove duplicates

Jan Setje-Eilers (3):
      Move the check for the SBAT variable properties to its own function.
      Fix SBAT variable content validation.
      Change SBAT variable name to SbatLevel

Peter Jones (13):
      CI: don't use 'make -s'; it's more trouble than help.
      arm/aa64: Swizzle some sections to make old sbsign happier.
      Make building outside of the top directory work.
      make: make 'make install-as-data' install BOOT*.CSV
      make: Fix search paths for vendor sbat.*.csv files
      test_parse_sbat_section_too_many_elem(): free section entries
      parse_sbat_var_data()/cleanup_sbat_var(): fix free logic
      test_verify_sbat_null_sbat_section(): call cleanup_sbat_var()
      Fix openssl's 'make clean'
      sbat: add more dprint()
      arm/aa64 targets: put .rel* and .dyn* in .rodata
      Fix an off-by-one on the sbat self-check.
      Update version to 15.4