shim-16.0

What's Changed

• Validate that a supplied vendor cert is not in PEM format by @steve-mcintyre in #646
• sbat: Add grub.peimage,2 to latest (CVE-2024-2312) by @julian-klode in #651
• sbat: Also bump latest for grub,4 (and to todays date) by @julian-klode in #653
• undo change that limits certificate files to a single file by @jsetje in #659
• shim: don't set second_stage to the empty string by @jjd27 in #640
• Fix SBAT.md for today's consensus about numbers by @aronowski in #672
• Update Code of Conduct contact address by @aronowski in #683
• make-certs: Handle missing OpenSSL installation by @aronowski in #595
• Update MokVars.txt by @mikebeaton in #598
• export DEFINES for sub makefile by @bryteise in #600
• Drop unused EFI_IMAGE_SECURITY_DATABASE_GUID definition by @vittyvk in #609
• Null-terminate 'arguments' in fallback by @vittyvk in #611
• Fix "Verifiying" typo in error message by @chrisbainbridge in #706
• Update Fedora CI targets by @vathpela in #708
• Force gcc to produce DWARF4 so that gdb can use it by @mikebeaton in #607
• Minor housekeeping 2024121700 by @vathpela in #709
• Discard load-options that start with WINDOWS by @Metabolix in #621
• Fix the issue that the gBS->LoadImage pointer was empty. by @15058718379 in #703
• shim: Allow data after the end of device path node in load options by @dbnicholson in #694
• Handle network file not found like disks by @dbnicholson in #695
• Update gnu-efi submodule for EFI_HTTP_ERROR by @vathpela in #674
• Increase EFI file alignment by @lumag in #673
• avoid EFIv2 runtime services on Apple x86 machines by @eduardacatrinei in #690
• Improve shortcut performance when comparing two boolean expressions by @dennis-tseng99 in #667
• Provide better error message when MokManager is not found by @rmetrich in #663
• tpm: Boot with a warning if the event log is full by @kukrimate in #657
• MokManager: remove redundant logical constraints by @xypron in #409
• Test import_mok_state() when MokListRT would be bigger than available size by @vathpela in #417
• test-mok-mirror: minor bug fix by @vathpela in #715
• Fix file system browser hang when enrolling MOK from disk by @miczyg1 in #622
• Ignore a minor clang-tidy nit by @vathpela in #716
• Allow fallback to default loader when encountering errors on network boot by @nathan-omeara in #666
• test.mk: don't use a temporary random.bin by @vathpela in #718
• pe: Enhance debug report for update_mem_attrs by @jongwu in #594
• Multiple certificate handling improvements by @rosslagerwall in #644
• Generate SbatLevel Metadata from SbatLevel_Variable.txt by @jsetje in #711
• Apply EKU check with compile option by @dennis-tseng99 in #664
• Add configuration option to boot an alternative 2nd stage by @esnowberg in #608
• Loader protocol (with Device Path resolution support) by @kukrimate in #656
• netboot cleanup for additional files by @jsetje in #686
• Document how revocations can be delivered by @jsetje in #722
• post-process-pe: add tests to validate NX compliance by @vathpela in #705
• regression: CopyMem() in ad8692e copies out of bounds by @jsetje in #725
• Save the debug and error logs in mok-variables by @vathpela in #726
• Add features for the Host Security ID program by @vathpela in #660
• Mirror some more efi variables to mok-variables by @vathpela in #723
• This adds DXE Services measurements to HSI and uses them for NX by @vathpela in #724
• Add shim's current NX_COMPAT status to HSIStatus by @vathpela in #727
• README.tpm: reflect that vendor_db is in fact logged as "vendor_db" by @jsetje in #728
• Reject HTTP message with duplicate Content-Length header fields by @dennis-tseng99 in #637
• Disable log saving by @vathpela in #729
• fallback: don't add new boot order entries backwards by @vathpela in #730
• Misc fixes... by @vathpela in #735
• README.tpm: Update MokList entry to MokListRT by @trungams in #732
• SBAT Level update for February 2025 GRUB CVEs by @jsetje in #736

New Contributors

• @jjd27 made their first contribution in #640
• @mikebeaton made their first contribution in #598
• @bryteise made their first contribution in #600
• @vittyvk made their first contribution in #609
• @chrisbainbridge made their first contribution in #706
• @Metabolix made their first contribution in #621
• @15058718379 made their first contribution in #703
• @dbnicholson made their first contribution in #694
• @lumag made their first contribution in #673
• @eduardacatrinei made their first contribution in #690
• @kukrimate made their first contribution in #657
• @miczyg1 made their first contribution in #622
• @nathan-omeara made their first contribution in #666
• @jongwu made their first contribution in #594
• @rosslagerwall made their first contribution in #644
• @trungams made their first contribution in #732

Full Changelog: 15.8...16.0

shim-16.0-rc1

What's Changed

• Validate that a supplied vendor cert is not in PEM format by @steve-mcintyre in #646
• sbat: Add grub.peimage,2 to latest (CVE-2024-2312) by @julian-klode in #651
• sbat: Also bump latest for grub,4 (and to todays date) by @julian-klode in #653
• undo change that limits certificate files to a single file by @jsetje in #659
• shim: don't set second_stage to the empty string by @jjd27 in #640
• Fix SBAT.md for today's consensus about numbers by @aronowski in #672
• Update Code of Conduct contact address by @aronowski in #683
• make-certs: Handle missing OpenSSL installation by @aronowski in #595
• Update MokVars.txt by @mikebeaton in #598
• export DEFINES for sub makefile by @bryteise in #600
• Drop unused EFI_IMAGE_SECURITY_DATABASE_GUID definition by @vittyvk in #609
• Null-terminate 'arguments' in fallback by @vittyvk in #611
• Fix "Verifiying" typo in error message by @chrisbainbridge in #706
• Update Fedora CI targets by @vathpela in #708
• Force gcc to produce DWARF4 so that gdb can use it by @mikebeaton in #607
• Minor housekeeping 2024121700 by @vathpela in #709
• Discard load-options that start with WINDOWS by @Metabolix in #621
• Fix the issue that the gBS->LoadImage pointer was empty. by @15058718379 in #703
• shim: Allow data after the end of device path node in load options by @dbnicholson in #694
• Handle network file not found like disks by @dbnicholson in #695
• Update gnu-efi submodule for EFI_HTTP_ERROR by @vathpela in #674
• Increase EFI file alignment by @lumag in #673
• avoid EFIv2 runtime services on Apple x86 machines by @eduardacatrinei in #690
• Improve shortcut performance when comparing two boolean expressions by @dennis-tseng99 in #667
• Provide better error message when MokManager is not found by @rmetrich in #663
• tpm: Boot with a warning if the event log is full by @kukrimate in #657
• MokManager: remove redundant logical constraints by @xypron in #409
• Test import_mok_state() when MokListRT would be bigger than available size by @vathpela in #417
• test-mok-mirror: minor bug fix by @vathpela in #715
• Fix file system browser hang when enrolling MOK from disk by @miczyg1 in #622
• Ignore a minor clang-tidy nit by @vathpela in #716
• Allow fallback to default loader when encountering errors on network boot by @nathan-omeara in #666
• test.mk: don't use a temporary random.bin by @vathpela in #718
• pe: Enhance debug report for update_mem_attrs by @jongwu in #594
• Multiple certificate handling improvements by @rosslagerwall in #644
• Generate SbatLevel Metadata from SbatLevel_Variable.txt by @jsetje in #711
• Apply EKU check with compile option by @dennis-tseng99 in #664
• Add configuration option to boot an alternative 2nd stage by @esnowberg in #608
• Loader protocol (with Device Path resolution support) by @kukrimate in #656
• netboot cleanup for additional files by @jsetje in #686
• Document how revocations can be delivered by @jsetje in #722
• post-process-pe: add tests to validate NX compliance by @vathpela in #705
• regression: CopyMem() in ad8692e copies out of bounds by @jsetje in #725
• Save the debug and error logs in mok-variables by @vathpela in #726
• Add features for the Host Security ID program by @vathpela in #660
• Mirror some more efi variables to mok-variables by @vathpela in #723
• This adds DXE Services measurements to HSI and uses them for NX by @vathpela in #724
• Add shim's current NX_COMPAT status to HSIStatus by @vathpela in #727
• README.tpm: reflect that vendor_db is in fact logged as "vendor_db" by @jsetje in #728
• Reject HTTP message with duplicate Content-Length header fields by @dennis-tseng99 in #637
• Disable log saving by @vathpela in #729
• fallback: don't add new boot order entries backwards by @vathpela in #730

New Contributors

• @jjd27 made their first contribution in #640
• @mikebeaton made their first contribution in #598
• @bryteise made their first contribution in #600
• @vittyvk made their first contribution in #609
• @chrisbainbridge made their first contribution in #706
• @Metabolix made their first contribution in #621
• @15058718379 made their first contribution in #703
• @dbnicholson made their first contribution in #694
• @lumag made their first contribution in #673
• @eduardacatrinei made their first contribution in #690
• @kukrimate made their first contribution in #657
• @miczyg1 made their first contribution in #622
• @nathan-omeara made their first contribution in #666
• @jongwu made their first contribution in #594
• @rosslagerwall made their first contribution in #644

Full Changelog: 15.8...16.0-rc1

shim 15.8

What's New

* Various CVE fixes:
  CVE-2023-40546 mok: fix LogError() invocation
  CVE-2023-40547 - avoid incorrectly trusting HTTP headers
  CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
  CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
  CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
  CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries

What's Changed

• Make sbat_var.S parse right with buggy gcc/binutils by @vathpela in #535
• Enable the NX compatibility flag by default. by @vathpela in #530
• CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper by @nicholasbishop in #546
• pe: Align section size up to page size for mem attrs by @nicholasbishop in #539
• Don't loop forever in load_certs() with buggy firmware by @rmetrich in #547
• Optionally allow to keep shim protocol installed by @bluca in #565
• Drop invalid calls to CRYPTO_set_mem_functions by @nicholasbishop in #537
• test-sbat: Fix exit code by @nicholasbishop in #540
• Block Debian grub binaries with SBAT < 4 by @steve-mcintyre in #550
• SBAT-related documents formatting and spelling by @aronowski in #566
• Add a security contact email address in README.md by @vathpela in #572
• Add SbatLevel_Variable.txt to document the various revocations by @jsetje in #569
• Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL by @vathpela in #576
• Minor housekeeping by @vathpela in #578
• Test ImageAddress() by @vathpela in #579
• Verify signature before verifying sbat levels by @jsetje in #583
• Add libFuzzer support for csv.c and sbat.c by @vathpela in #584
• mok: Avoid underflow in maximum variable size calculation by @alpernebbi in #587
• Housekeeping by @vathpela in #605
• mok: fix LogError() invocation by @vathpela in #577

New Contributors

• @bluca made their first contribution in #565
• @aronowski made their first contribution in #566
• @alpernebbi made their first contribution in #587

Full Changelog: 15.7...15.8

shim 15.7

What's Changed

• Make SBAT variable payload introspectable by @chrisccoulson in #483
• Reference MokListRT instead of MokList by @esnowberg in #488
• Add a link to the test plan in the readme. by @vathpela in #494
• [V3] Enable TDX measurement to RTMR register by @kenplusplus in #485
• Discard load-options that start with a NUL by @frozencemetery in #505
• load_cert_file bugs by @esnowberg in #523
• Add -malign-double to IA32 compiler flags by @nicholasbishop in #516
• pe: Fix image section entry-point validation by @iokomin in #518
• make-archive: Build reproducible tarball by @julian-klode in #527
• mok: remove MokListTrusted from PCR 7 by @baloo in #519

New Contributors

• @kenplusplus made their first contribution in #485
• @iokomin made their first contribution in #518
• @baloo made their first contribution in #519

Full Changelog: 15.6...15.7

shim-15.6

• What's Changed

• MokManager: removed Locate graphic output protocol fail error message by @joeyli in #441
• shim: implement SBAT verification for the shim_lock protocol by @chrisccoulson in #456
• post-process-pe: Fix a missing return code check by @vathpela in #462
• Update github actions matrix to be more useful by @frozencemetery in #469
• Add f36 and centos9 CI builds by @vathpela in #470
• post-process-pe: Fix format string warnings on 32-bit platforms by @steve-mcintyre in #464
• tests: also look for system headers in multi-arch directories by @steve-mcintyre in #466
• tests: fix gcc warnings by @akodanev in #463
• Allow MokListTrusted to be enabled by default by @esnowberg in #455
• Add code of conduct by @frozencemetery in #427
• Re-add ARM AArch64 support by @vathpela in #468
• Use ASCII as fallback if Unicode Box Drawing characters fail by @vathpela in #428
• make: don't treat cert.S specially by @vathpela in #475
• shim: use SHIM_DEVEL_VERBOSE when built in devel mode by @vathpela in #474
• Break out of the inner sbat loop if we find the entry. by @vathpela in #476
• Support loading additional certificates by @esnowberg in #446
• Add support for NX (W^X) mitigations. by @vathpela in #459
• Misc fixups from scan-build. by @vathpela in #477
• Fix preserve_sbat_uefi_variable() logic by @jsetje in #478
• SBAT Policy latest should be a one-shot by @jsetje in #481
• pe: Fix a buffer overflow when SizeOfRawData > VirtualSize by @chriscoulson
• pe: Perform image verification earlier when loading grub by @chriscoulson
• Update advertised sbat generation number for shim by @jsetje
• Update SBAT generation requirements for 05/24/22 by @jsetje
• Also avoid CVE-2022-28737 in verify_image() by @vathpela

• New Contributors

• @joeyli made their first contribution in #441
• @akodanev made their first contribution in #463
• @esnowberg made their first contribution in #455

• Full Changelog**: 15.5...15.6

shim 15.6 rc1

What's Changed

• MokManager: removed Locate graphic output protocol fail error message by @joeyli in #441
• shim: implement SBAT verification for the shim_lock protocol by @chrisccoulson in #456
• post-process-pe: Fix a missing return code check by @vathpela in #462
• Update github actions matrix to be more useful by @frozencemetery in #469
• Add f36 and centos9 CI builds by @vathpela in #470
• post-process-pe: Fix format string warnings on 32-bit platforms by @steve-mcintyre in #464
• tests: also look for system headers in multi-arch directories by @steve-mcintyre in #466
• tests: fix gcc warnings by @akodanev in #463
• Allow MokListTrusted to be enabled by default by @esnowberg in #455
• Add code of conduct by @frozencemetery in #427
• Re-add ARM AArch64 support by @vathpela in #468
• Use ASCII as fallback if Unicode Box Drawing characters fail by @vathpela in #428
• make: don't treat cert.S specially by @vathpela in #475
• shim: use SHIM_DEVEL_VERBOSE when built in devel mode by @vathpela in #474
• Break out of the inner sbat loop if we find the entry. by @vathpela in #476
• Support loading additional certificates by @esnowberg in #446
• Add support for NX (W^X) mitigations. by @vathpela in #459
• Misc fixups from scan-build. by @vathpela in #477
• Fix preserve_sbat_uefi_variable() logic by @jsetje in #478

New Contributors

• @joeyli made their first contribution in #441
• @akodanev made their first contribution in #463
• @esnowberg made their first contribution in #455

Full Changelog: 15.5...15.6-rc1

15.5

What's Changed

• Broken ia32 relocs and an unimportant submodule change. by @vathpela in #357
• mok: allocate MOK config table as BootServicesData by @lcp in #361
• Don't call QueryVariableInfo() on EFI 1.10 machines by @vathpela in #364
• Relax the check for import_mok_state() by @lcp in #372
• SBAT.md: trivial changes by @hallyn in #389
• shim: another attempt to fix load options handling by @chrisccoulson in #379
• Add tests for our load options parsing. by @vathpela in #390
• arm/aa64: fix the size of .rela* sections by @lcp in #383
• mok: fix potential buffer overrun in import_mok_state by @jyong2 in #365
• mok: relax the maximum variable size check by @lcp in #369
• Don't unhook ExitBootServices when EBS protection is disabled by @sforshee in #378
• fallback: find_boot_option() needs to return the index for the boot entry in optnum by @jsetje in #396
• httpboot: Ignore case when checking HTTP headers by @frozencemetery in #403
• Fallback allocation errors by @vathpela in #402
• shim: avoid BOOTx64.EFI in message on other architectures by @xypron in #406
• str: remove duplicate parameter check by @xypron in #408
• fallback: add compile option FALLBACK_NONINTERACTIVE by @xnox in #359
• Test mok mirror by @vathpela in #394
• Modify sbat.md to help with readability. by @eshiman in #398
• csv: detect end of csv file correctly by @xypron in #404
• Specify that the .sbat section is ASCII not UTF-8 by @daxtens in #413
• tests: add "include-fixed" GCC directory to include directories by @diabonas in #415
• pe: simplify generate_hash() by @xypron in #411
• Don't make shim abort when TPM log event fails (RHBZ #2002265) by @rmetrich in #414
• Fallback to default loader if parsed one does not exist by @julian-klode in #393
• fallback: Fix for BootOrder crash when index returned by find_boot_option() is not in current BootOrder list by @rmetrich in #422
• Better console checks by @vathpela in #416
• docs: update SBAT UEFI variable name by @nicholasbishop in #421
• Don't parse load options if invoked from removable media path by @julian-klode in #399
• fallback: fix fallback not passing arguments of the first boot option by @martinezjavier in #433
• shim: Don't stop forever at "Secure Boot not enabled" notification by @rmetrich in #438
• Shim 15.5 coverity by @vathpela in #439
• Allocate mokvar table in runtime memory. by @vathpela in #447
• Remove post-process-pe on 'make clean' by @vathpela in #448
• pe: missing perror argument by @xypron in #443

New Contributors

• @hallyn made their first contribution in #389
• @jyong2 made their first contribution in #365
• @sforshee made their first contribution in #378
• @frozencemetery made their first contribution in #403
• @xypron made their first contribution in #406
• @eshiman made their first contribution in #398
• @daxtens made their first contribution in #413
• @rmetrich made their first contribution in #414
• @julian-klode made their first contribution in #393

Full Changelog: 15.4...15.5

shim 15.5 release candidate 2

What's Changed

• Don't parse load options if invoked from removable media path by @julian-klode in #399
• fallback: fix fallback not passing arguments of the first boot option by @martinezjavier in #433
• shim: Don't stop forever at "Secure Boot not enabled" notification by @rmetrich in #438
• Shim 15.5 coverity by @vathpela in #439

Full Changelog: 15.5-rc1...15.5-rc2

shim 15.5 release candidate 1

What's Changed

• Broken ia32 relocs and an unimportant submodule change. by @vathpela in #357
• mok: allocate MOK config table as BootServicesData by @lcp in #361
• Don't call QueryVariableInfo() on EFI 1.10 machines by @vathpela in #364
• Relax the check for import_mok_state() by @lcp in #372
• SBAT.md: trivial changes by @hallyn in #389
• shim: another attempt to fix load options handling by @chrisccoulson in #379
• Add tests for our load options parsing. by @vathpela in #390
• arm/aa64: fix the size of .rela* sections by @lcp in #383
• mok: fix potential buffer overrun in import_mok_state by @jyong2 in #365
• mok: relax the maximum variable size check by @lcp in #369
• Don't unhook ExitBootServices when EBS protection is disabled by @sforshee in #378
• fallback: find_boot_option() needs to return the index for the boot entry in optnum by @jsetje in #396
• httpboot: Ignore case when checking HTTP headers by @frozencemetery in #403
• Fallback allocation errors by @vathpela in #402
• shim: avoid BOOTx64.EFI in message on other architectures by @xypron in #406
• str: remove duplicate parameter check by @xypron in #408
• fallback: add compile option FALLBACK_NONINTERACTIVE by @xnox in #359
• Test mok mirror by @vathpela in #394
• Modify sbat.md to help with readability. by @eshiman in #398
• csv: detect end of csv file correctly by @xypron in #404
• Specify that the .sbat section is ASCII not UTF-8 by @daxtens in #413
• tests: add "include-fixed" GCC directory to include directories by @diabonas in #415
• pe: simplify generate_hash() by @xypron in #411
• Don't make shim abort when TPM log event fails (RHBZ #2002265) by @rmetrich in #414
• Fallback to default loader if parsed one does not exist by @julian-klode in #393
• fallback: Fix for BootOrder crash when index returned by find_boot_option() is not in current BootOrder list by @rmetrich in #422
• Better console checks by @vathpela in #416
• docs: update SBAT UEFI variable name by @nicholasbishop in #421

New Contributors

• @hallyn made their first contribution in #389
• @jyong2 made their first contribution in #365
• @sforshee made their first contribution in #378
• @frozencemetery made their first contribution in #403
• @xypron made their first contribution in #406
• @eshiman made their first contribution in #398
• @daxtens made their first contribution in #413
• @rmetrich made their first contribution in #414

Full Changelog: 15.4...15.5-rc1

As usual, please use the tarball attached below.

shim-15.4

This is a critical bugfix release. Don't use 15.3, as the SBAT self-check is
broken.

As usual, please use the shim-15.4.tar.bz2 tarball, rather than the other two archives github automatically produces.

Many thanks to all who helped out, including but not limited to these
contributions:

Chris Co (1):
      Makefile: sort vendor sbats to remove duplicates

Jan Setje-Eilers (3):
      Move the check for the SBAT variable properties to its own function.
      Fix SBAT variable content validation.
      Change SBAT variable name to SbatLevel

Peter Jones (13):
      CI: don't use 'make -s'; it's more trouble than help.
      arm/aa64: Swizzle some sections to make old sbsign happier.
      Make building outside of the top directory work.
      make: make 'make install-as-data' install BOOT*.CSV
      make: Fix search paths for vendor sbat.*.csv files
      test_parse_sbat_section_too_many_elem(): free section entries
      parse_sbat_var_data()/cleanup_sbat_var(): fix free logic
      test_verify_sbat_null_sbat_section(): call cleanup_sbat_var()
      Fix openssl's 'make clean'
      sbat: add more dprint()
      arm/aa64 targets: put .rel* and .dyn* in .rodata
      Fix an off-by-one on the sbat self-check.
      Update version to 15.4