Releases: rhboot/shim
Releases · rhboot/shim
shim-16.0
What's Changed
- Validate that a supplied vendor cert is not in PEM format by @steve-mcintyre in #646
- sbat: Add grub.peimage,2 to latest (CVE-2024-2312) by @julian-klode in #651
- sbat: Also bump latest for grub,4 (and to todays date) by @julian-klode in #653
- undo change that limits certificate files to a single file by @jsetje in #659
- shim: don't set second_stage to the empty string by @jjd27 in #640
- Fix SBAT.md for today's consensus about numbers by @aronowski in #672
- Update Code of Conduct contact address by @aronowski in #683
- make-certs: Handle missing OpenSSL installation by @aronowski in #595
- Update MokVars.txt by @mikebeaton in #598
- export DEFINES for sub makefile by @bryteise in #600
- Drop unused EFI_IMAGE_SECURITY_DATABASE_GUID definition by @vittyvk in #609
- Null-terminate 'arguments' in fallback by @vittyvk in #611
- Fix "Verifiying" typo in error message by @chrisbainbridge in #706
- Update Fedora CI targets by @vathpela in #708
- Force gcc to produce DWARF4 so that gdb can use it by @mikebeaton in #607
- Minor housekeeping 2024121700 by @vathpela in #709
- Discard load-options that start with WINDOWS by @Metabolix in #621
- Fix the issue that the gBS->LoadImage pointer was empty. by @15058718379 in #703
- shim: Allow data after the end of device path node in load options by @dbnicholson in #694
- Handle network file not found like disks by @dbnicholson in #695
- Update gnu-efi submodule for EFI_HTTP_ERROR by @vathpela in #674
- Increase EFI file alignment by @lumag in #673
- avoid EFIv2 runtime services on Apple x86 machines by @eduardacatrinei in #690
- Improve shortcut performance when comparing two boolean expressions by @dennis-tseng99 in #667
- Provide better error message when MokManager is not found by @rmetrich in #663
- tpm: Boot with a warning if the event log is full by @kukrimate in #657
- MokManager: remove redundant logical constraints by @xypron in #409
- Test import_mok_state() when MokListRT would be bigger than available size by @vathpela in #417
- test-mok-mirror: minor bug fix by @vathpela in #715
- Fix file system browser hang when enrolling MOK from disk by @miczyg1 in #622
- Ignore a minor clang-tidy nit by @vathpela in #716
- Allow fallback to default loader when encountering errors on network boot by @nathan-omeara in #666
- test.mk: don't use a temporary random.bin by @vathpela in #718
- pe: Enhance debug report for update_mem_attrs by @jongwu in #594
- Multiple certificate handling improvements by @rosslagerwall in #644
- Generate SbatLevel Metadata from SbatLevel_Variable.txt by @jsetje in #711
- Apply EKU check with compile option by @dennis-tseng99 in #664
- Add configuration option to boot an alternative 2nd stage by @esnowberg in #608
- Loader protocol (with Device Path resolution support) by @kukrimate in #656
- netboot cleanup for additional files by @jsetje in #686
- Document how revocations can be delivered by @jsetje in #722
- post-process-pe: add tests to validate NX compliance by @vathpela in #705
- regression: CopyMem() in ad8692e copies out of bounds by @jsetje in #725
- Save the debug and error logs in mok-variables by @vathpela in #726
- Add features for the Host Security ID program by @vathpela in #660
- Mirror some more efi variables to mok-variables by @vathpela in #723
- This adds DXE Services measurements to HSI and uses them for NX by @vathpela in #724
- Add shim's current NX_COMPAT status to HSIStatus by @vathpela in #727
- README.tpm: reflect that vendor_db is in fact logged as "vendor_db" by @jsetje in #728
- Reject HTTP message with duplicate Content-Length header fields by @dennis-tseng99 in #637
- Disable log saving by @vathpela in #729
- fallback: don't add new boot order entries backwards by @vathpela in #730
- Misc fixes... by @vathpela in #735
- README.tpm: Update MokList entry to MokListRT by @trungams in #732
- SBAT Level update for February 2025 GRUB CVEs by @jsetje in #736
New Contributors
- @jjd27 made their first contribution in #640
- @mikebeaton made their first contribution in #598
- @bryteise made their first contribution in #600
- @vittyvk made their first contribution in #609
- @chrisbainbridge made their first contribution in #706
- @Metabolix made their first contribution in #621
- @15058718379 made their first contribution in #703
- @dbnicholson made their first contribution in #694
- @lumag made their first contribution in #673
- @eduardacatrinei made their first contribution in #690
- @kukrimate made their first contribution in #657
- @miczyg1 made their first contribution in #622
- @nathan-omeara made their first contribution in #666
- @jongwu made their first contribution in #594
- @rosslagerwall made their first contribution in #644
- @trungams made their first contribution in #732
Full Changelog: 15.8...16.0
shim-16.0-rc1
What's Changed
- Validate that a supplied vendor cert is not in PEM format by @steve-mcintyre in #646
- sbat: Add grub.peimage,2 to latest (CVE-2024-2312) by @julian-klode in #651
- sbat: Also bump latest for grub,4 (and to todays date) by @julian-klode in #653
- undo change that limits certificate files to a single file by @jsetje in #659
- shim: don't set second_stage to the empty string by @jjd27 in #640
- Fix SBAT.md for today's consensus about numbers by @aronowski in #672
- Update Code of Conduct contact address by @aronowski in #683
- make-certs: Handle missing OpenSSL installation by @aronowski in #595
- Update MokVars.txt by @mikebeaton in #598
- export DEFINES for sub makefile by @bryteise in #600
- Drop unused EFI_IMAGE_SECURITY_DATABASE_GUID definition by @vittyvk in #609
- Null-terminate 'arguments' in fallback by @vittyvk in #611
- Fix "Verifiying" typo in error message by @chrisbainbridge in #706
- Update Fedora CI targets by @vathpela in #708
- Force gcc to produce DWARF4 so that gdb can use it by @mikebeaton in #607
- Minor housekeeping 2024121700 by @vathpela in #709
- Discard load-options that start with WINDOWS by @Metabolix in #621
- Fix the issue that the gBS->LoadImage pointer was empty. by @15058718379 in #703
- shim: Allow data after the end of device path node in load options by @dbnicholson in #694
- Handle network file not found like disks by @dbnicholson in #695
- Update gnu-efi submodule for EFI_HTTP_ERROR by @vathpela in #674
- Increase EFI file alignment by @lumag in #673
- avoid EFIv2 runtime services on Apple x86 machines by @eduardacatrinei in #690
- Improve shortcut performance when comparing two boolean expressions by @dennis-tseng99 in #667
- Provide better error message when MokManager is not found by @rmetrich in #663
- tpm: Boot with a warning if the event log is full by @kukrimate in #657
- MokManager: remove redundant logical constraints by @xypron in #409
- Test import_mok_state() when MokListRT would be bigger than available size by @vathpela in #417
- test-mok-mirror: minor bug fix by @vathpela in #715
- Fix file system browser hang when enrolling MOK from disk by @miczyg1 in #622
- Ignore a minor clang-tidy nit by @vathpela in #716
- Allow fallback to default loader when encountering errors on network boot by @nathan-omeara in #666
- test.mk: don't use a temporary random.bin by @vathpela in #718
- pe: Enhance debug report for update_mem_attrs by @jongwu in #594
- Multiple certificate handling improvements by @rosslagerwall in #644
- Generate SbatLevel Metadata from SbatLevel_Variable.txt by @jsetje in #711
- Apply EKU check with compile option by @dennis-tseng99 in #664
- Add configuration option to boot an alternative 2nd stage by @esnowberg in #608
- Loader protocol (with Device Path resolution support) by @kukrimate in #656
- netboot cleanup for additional files by @jsetje in #686
- Document how revocations can be delivered by @jsetje in #722
- post-process-pe: add tests to validate NX compliance by @vathpela in #705
- regression: CopyMem() in ad8692e copies out of bounds by @jsetje in #725
- Save the debug and error logs in mok-variables by @vathpela in #726
- Add features for the Host Security ID program by @vathpela in #660
- Mirror some more efi variables to mok-variables by @vathpela in #723
- This adds DXE Services measurements to HSI and uses them for NX by @vathpela in #724
- Add shim's current NX_COMPAT status to HSIStatus by @vathpela in #727
- README.tpm: reflect that vendor_db is in fact logged as "vendor_db" by @jsetje in #728
- Reject HTTP message with duplicate Content-Length header fields by @dennis-tseng99 in #637
- Disable log saving by @vathpela in #729
- fallback: don't add new boot order entries backwards by @vathpela in #730
New Contributors
- @jjd27 made their first contribution in #640
- @mikebeaton made their first contribution in #598
- @bryteise made their first contribution in #600
- @vittyvk made their first contribution in #609
- @chrisbainbridge made their first contribution in #706
- @Metabolix made their first contribution in #621
- @15058718379 made their first contribution in #703
- @dbnicholson made their first contribution in #694
- @lumag made their first contribution in #673
- @eduardacatrinei made their first contribution in #690
- @kukrimate made their first contribution in #657
- @miczyg1 made their first contribution in #622
- @nathan-omeara made their first contribution in #666
- @jongwu made their first contribution in #594
- @rosslagerwall made their first contribution in #644
Full Changelog: 15.8...16.0-rc1
shim 15.8
What's New
* Various CVE fixes:
CVE-2023-40546 mok: fix LogError() invocation
CVE-2023-40547 - avoid incorrectly trusting HTTP headers
CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
What's Changed
- Make sbat_var.S parse right with buggy gcc/binutils by @vathpela in #535
- Enable the NX compatibility flag by default. by @vathpela in #530
- CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper by @nicholasbishop in #546
- pe: Align section size up to page size for mem attrs by @nicholasbishop in #539
- Don't loop forever in load_certs() with buggy firmware by @rmetrich in #547
- Optionally allow to keep shim protocol installed by @bluca in #565
- Drop invalid calls to
CRYPTO_set_mem_functions
by @nicholasbishop in #537 - test-sbat: Fix exit code by @nicholasbishop in #540
- Block Debian grub binaries with SBAT < 4 by @steve-mcintyre in #550
- SBAT-related documents formatting and spelling by @aronowski in #566
- Add a security contact email address in README.md by @vathpela in #572
- Add SbatLevel_Variable.txt to document the various revocations by @jsetje in #569
- Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL by @vathpela in #576
- Minor housekeeping by @vathpela in #578
- Test ImageAddress() by @vathpela in #579
- Verify signature before verifying sbat levels by @jsetje in #583
- Add libFuzzer support for csv.c and sbat.c by @vathpela in #584
- mok: Avoid underflow in maximum variable size calculation by @alpernebbi in #587
- Housekeeping by @vathpela in #605
- mok: fix LogError() invocation by @vathpela in #577
New Contributors
- @bluca made their first contribution in #565
- @aronowski made their first contribution in #566
- @alpernebbi made their first contribution in #587
Full Changelog: 15.7...15.8
shim 15.7
What's Changed
- Make SBAT variable payload introspectable by @chrisccoulson in #483
- Reference MokListRT instead of MokList by @esnowberg in #488
- Add a link to the test plan in the readme. by @vathpela in #494
- [V3] Enable TDX measurement to RTMR register by @kenplusplus in #485
- Discard load-options that start with a NUL by @frozencemetery in #505
- load_cert_file bugs by @esnowberg in #523
- Add -malign-double to IA32 compiler flags by @nicholasbishop in #516
- pe: Fix image section entry-point validation by @iokomin in #518
- make-archive: Build reproducible tarball by @julian-klode in #527
- mok: remove MokListTrusted from PCR 7 by @baloo in #519
New Contributors
- @kenplusplus made their first contribution in #485
- @iokomin made their first contribution in #518
- @baloo made their first contribution in #519
Full Changelog: 15.6...15.7
shim-15.6
- What's Changed
- MokManager: removed Locate graphic output protocol fail error message by @joeyli in #441
- shim: implement SBAT verification for the shim_lock protocol by @chrisccoulson in #456
- post-process-pe: Fix a missing return code check by @vathpela in #462
- Update github actions matrix to be more useful by @frozencemetery in #469
- Add f36 and centos9 CI builds by @vathpela in #470
- post-process-pe: Fix format string warnings on 32-bit platforms by @steve-mcintyre in #464
- tests: also look for system headers in multi-arch directories by @steve-mcintyre in #466
- tests: fix gcc warnings by @akodanev in #463
- Allow MokListTrusted to be enabled by default by @esnowberg in #455
- Add code of conduct by @frozencemetery in #427
- Re-add ARM AArch64 support by @vathpela in #468
- Use ASCII as fallback if Unicode Box Drawing characters fail by @vathpela in #428
- make: don't treat cert.S specially by @vathpela in #475
- shim: use SHIM_DEVEL_VERBOSE when built in devel mode by @vathpela in #474
- Break out of the inner sbat loop if we find the entry. by @vathpela in #476
- Support loading additional certificates by @esnowberg in #446
- Add support for NX (W^X) mitigations. by @vathpela in #459
- Misc fixups from scan-build. by @vathpela in #477
- Fix preserve_sbat_uefi_variable() logic by @jsetje in #478
- SBAT Policy latest should be a one-shot by @jsetje in #481
- pe: Fix a buffer overflow when SizeOfRawData > VirtualSize by @chriscoulson
- pe: Perform image verification earlier when loading grub by @chriscoulson
- Update advertised sbat generation number for shim by @jsetje
- Update SBAT generation requirements for 05/24/22 by @jsetje
- Also avoid CVE-2022-28737 in verify_image() by @vathpela
- New Contributors
- @joeyli made their first contribution in #441
- @akodanev made their first contribution in #463
- @esnowberg made their first contribution in #455
- Full Changelog**: 15.5...15.6
shim 15.6 rc1
What's Changed
- MokManager: removed Locate graphic output protocol fail error message by @joeyli in #441
- shim: implement SBAT verification for the shim_lock protocol by @chrisccoulson in #456
- post-process-pe: Fix a missing return code check by @vathpela in #462
- Update github actions matrix to be more useful by @frozencemetery in #469
- Add f36 and centos9 CI builds by @vathpela in #470
- post-process-pe: Fix format string warnings on 32-bit platforms by @steve-mcintyre in #464
- tests: also look for system headers in multi-arch directories by @steve-mcintyre in #466
- tests: fix gcc warnings by @akodanev in #463
- Allow MokListTrusted to be enabled by default by @esnowberg in #455
- Add code of conduct by @frozencemetery in #427
- Re-add ARM AArch64 support by @vathpela in #468
- Use ASCII as fallback if Unicode Box Drawing characters fail by @vathpela in #428
- make: don't treat cert.S specially by @vathpela in #475
- shim: use SHIM_DEVEL_VERBOSE when built in devel mode by @vathpela in #474
- Break out of the inner sbat loop if we find the entry. by @vathpela in #476
- Support loading additional certificates by @esnowberg in #446
- Add support for NX (W^X) mitigations. by @vathpela in #459
- Misc fixups from scan-build. by @vathpela in #477
- Fix preserve_sbat_uefi_variable() logic by @jsetje in #478
New Contributors
- @joeyli made their first contribution in #441
- @akodanev made their first contribution in #463
- @esnowberg made their first contribution in #455
Full Changelog: 15.5...15.6-rc1
15.5
What's Changed
- Broken ia32 relocs and an unimportant submodule change. by @vathpela in #357
- mok: allocate MOK config table as BootServicesData by @lcp in #361
- Don't call QueryVariableInfo() on EFI 1.10 machines by @vathpela in #364
- Relax the check for import_mok_state() by @lcp in #372
- SBAT.md: trivial changes by @hallyn in #389
- shim: another attempt to fix load options handling by @chrisccoulson in #379
- Add tests for our load options parsing. by @vathpela in #390
- arm/aa64: fix the size of .rela* sections by @lcp in #383
- mok: fix potential buffer overrun in import_mok_state by @jyong2 in #365
- mok: relax the maximum variable size check by @lcp in #369
- Don't unhook ExitBootServices when EBS protection is disabled by @sforshee in #378
- fallback: find_boot_option() needs to return the index for the boot entry in optnum by @jsetje in #396
- httpboot: Ignore case when checking HTTP headers by @frozencemetery in #403
- Fallback allocation errors by @vathpela in #402
- shim: avoid BOOTx64.EFI in message on other architectures by @xypron in #406
- str: remove duplicate parameter check by @xypron in #408
- fallback: add compile option FALLBACK_NONINTERACTIVE by @xnox in #359
- Test mok mirror by @vathpela in #394
- Modify sbat.md to help with readability. by @eshiman in #398
- csv: detect end of csv file correctly by @xypron in #404
- Specify that the .sbat section is ASCII not UTF-8 by @daxtens in #413
- tests: add "include-fixed" GCC directory to include directories by @diabonas in #415
- pe: simplify generate_hash() by @xypron in #411
- Don't make shim abort when TPM log event fails (RHBZ #2002265) by @rmetrich in #414
- Fallback to default loader if parsed one does not exist by @julian-klode in #393
- fallback: Fix for BootOrder crash when index returned by find_boot_option() is not in current BootOrder list by @rmetrich in #422
- Better console checks by @vathpela in #416
- docs: update SBAT UEFI variable name by @nicholasbishop in #421
- Don't parse load options if invoked from removable media path by @julian-klode in #399
- fallback: fix fallback not passing arguments of the first boot option by @martinezjavier in #433
- shim: Don't stop forever at "Secure Boot not enabled" notification by @rmetrich in #438
- Shim 15.5 coverity by @vathpela in #439
- Allocate mokvar table in runtime memory. by @vathpela in #447
- Remove post-process-pe on 'make clean' by @vathpela in #448
- pe: missing perror argument by @xypron in #443
New Contributors
- @hallyn made their first contribution in #389
- @jyong2 made their first contribution in #365
- @sforshee made their first contribution in #378
- @frozencemetery made their first contribution in #403
- @xypron made their first contribution in #406
- @eshiman made their first contribution in #398
- @daxtens made their first contribution in #413
- @rmetrich made their first contribution in #414
- @julian-klode made their first contribution in #393
Full Changelog: 15.4...15.5
shim 15.5 release candidate 2
What's Changed
- Don't parse load options if invoked from removable media path by @julian-klode in #399
- fallback: fix fallback not passing arguments of the first boot option by @martinezjavier in #433
- shim: Don't stop forever at "Secure Boot not enabled" notification by @rmetrich in #438
- Shim 15.5 coverity by @vathpela in #439
Full Changelog: 15.5-rc1...15.5-rc2
shim 15.5 release candidate 1
What's Changed
- Broken ia32 relocs and an unimportant submodule change. by @vathpela in #357
- mok: allocate MOK config table as BootServicesData by @lcp in #361
- Don't call QueryVariableInfo() on EFI 1.10 machines by @vathpela in #364
- Relax the check for import_mok_state() by @lcp in #372
- SBAT.md: trivial changes by @hallyn in #389
- shim: another attempt to fix load options handling by @chrisccoulson in #379
- Add tests for our load options parsing. by @vathpela in #390
- arm/aa64: fix the size of .rela* sections by @lcp in #383
- mok: fix potential buffer overrun in import_mok_state by @jyong2 in #365
- mok: relax the maximum variable size check by @lcp in #369
- Don't unhook ExitBootServices when EBS protection is disabled by @sforshee in #378
- fallback: find_boot_option() needs to return the index for the boot entry in optnum by @jsetje in #396
- httpboot: Ignore case when checking HTTP headers by @frozencemetery in #403
- Fallback allocation errors by @vathpela in #402
- shim: avoid BOOTx64.EFI in message on other architectures by @xypron in #406
- str: remove duplicate parameter check by @xypron in #408
- fallback: add compile option FALLBACK_NONINTERACTIVE by @xnox in #359
- Test mok mirror by @vathpela in #394
- Modify sbat.md to help with readability. by @eshiman in #398
- csv: detect end of csv file correctly by @xypron in #404
- Specify that the .sbat section is ASCII not UTF-8 by @daxtens in #413
- tests: add "include-fixed" GCC directory to include directories by @diabonas in #415
- pe: simplify generate_hash() by @xypron in #411
- Don't make shim abort when TPM log event fails (RHBZ #2002265) by @rmetrich in #414
- Fallback to default loader if parsed one does not exist by @julian-klode in #393
- fallback: Fix for BootOrder crash when index returned by find_boot_option() is not in current BootOrder list by @rmetrich in #422
- Better console checks by @vathpela in #416
- docs: update SBAT UEFI variable name by @nicholasbishop in #421
New Contributors
- @hallyn made their first contribution in #389
- @jyong2 made their first contribution in #365
- @sforshee made their first contribution in #378
- @frozencemetery made their first contribution in #403
- @xypron made their first contribution in #406
- @eshiman made their first contribution in #398
- @daxtens made their first contribution in #413
- @rmetrich made their first contribution in #414
Full Changelog: 15.4...15.5-rc1
As usual, please use the tarball attached below.
shim-15.4
This is a critical bugfix release. Don't use 15.3, as the SBAT self-check is
broken.
As usual, please use the shim-15.4.tar.bz2
tarball, rather than the other two archives github automatically produces.
Many thanks to all who helped out, including but not limited to these
contributions:
Chris Co (1):
Makefile: sort vendor sbats to remove duplicates
Jan Setje-Eilers (3):
Move the check for the SBAT variable properties to its own function.
Fix SBAT variable content validation.
Change SBAT variable name to SbatLevel
Peter Jones (13):
CI: don't use 'make -s'; it's more trouble than help.
arm/aa64: Swizzle some sections to make old sbsign happier.
Make building outside of the top directory work.
make: make 'make install-as-data' install BOOT*.CSV
make: Fix search paths for vendor sbat.*.csv files
test_parse_sbat_section_too_many_elem(): free section entries
parse_sbat_var_data()/cleanup_sbat_var(): fix free logic
test_verify_sbat_null_sbat_section(): call cleanup_sbat_var()
Fix openssl's 'make clean'
sbat: add more dprint()
arm/aa64 targets: put .rel* and .dyn* in .rodata
Fix an off-by-one on the sbat self-check.
Update version to 15.4