shim (15.4-7~deb10u1) buster; urgency=high
* Tweak how we call grub-install; don't abort on error. Not ideal
behaviour either, but don't break upgrades. Copy the behaviour
from the grub packages here. Bug #990966
-- Steve McIntyre <93sam@debian.org> Mon, 12 Jul 2021 08:59:53 +0100
shim (15.4-6~deb10u1) buster; urgency=high
* Add arm64 patch to tweak section layout and stop crashing
problems. Upstream issue #371. Closes: #990082, #990190
* In insecure mode, don't abort if we can't create the MokListXRT
variable. Upstream issue #372. Closes: #989962, #990158
-- Steve McIntyre <93sam@debian.org> Wed, 23 Jun 2021 19:08:54 +0100
shim (15.4-5~deb10u1) buster; urgency=medium
* Add defensive code around calls to db_get. Don't fail if they
return errors.
-- Steve McIntyre <93sam@debian.org> Sat, 08 May 2021 00:14:00 +0100
shim (15.4-4~deb10u1) unstable; urgency=medium
* Fix up those maintainer scripts - if we're not running on an EFI
system then exit cleanly.
-- Steve McIntyre <93sam@debian.org> Mon, 03 May 2021 21:31:33 +0100
shim (15.4-3~deb10u1) buster; urgency=medium
* Add maintainer scripts to the template packages to manage
installing and removing fbXXX.efi and mmXXX.efi when we
install/remove the shim-helpers-$arch-signed packages.
Closes: #966845
-- Steve McIntyre <93sam@debian.org> Mon, 03 May 2021 21:31:33 +0100
shim (15.4-2~deb10u1) buster; urgency=medium
* Add two further patches from upstream:
+ fix import_one_mok_state() after split
+ Don't call QueryVariableInfo() on EFI 1.10 machines (e.g. older
Intel Mac machines)
-- Steve McIntyre <93sam@debian.org> Wed, 21 Apr 2021 01:06:27 +0100
shim (15.4-1~deb10u1) buster; urgency=medium
* New upstream release fixing more bugs: SBAT and arm64 support
* Print sha256 checksums of the EFI binaries when the build is done
* Add two patches from upstream:
+ fix i386 binary relocations
+ allocate MOK config table as BootServicesData
-- Steve McIntyre <93sam@debian.org> Wed, 31 Mar 2021 19:56:02 +0100
shim (15.3-1~deb10u3) buster; urgency=medium
* Only include the upstream version in the Debian SBAT metadata, so
we don't break reproducibility on every minor packaging change.
-- Steve McIntyre <93sam@debian.org> Wed, 24 Mar 2021 13:31:51 +0000
shim (15.3-1~deb10u2) buster; urgency=medium
* Add missing build-dep on xxd for build-time unit tests
-- Steve McIntyre <93sam@debian.org> Wed, 24 Mar 2021 02:26:22 +0000
shim (15.3-1~deb10u1) buster; urgency=medium
* Rebuild the new upstream version for buster
* Switch to gcc-8 for building
* Switch to much-newer release with many fixes
+ Particularly pulling in SBAT changes for better revocation support
+ Remove all our old patches, no longer needed:
- avoid_null_vsprint.patch
- check_null_sn_ln.patch
- fixup_git.patch
- uname.patch
- use_compare_mem_gcc9.patch
+ Now includes a vendor copy of gnu-efi with quite a few extra
fixes needed.
+ Update copyright file to cover these changes
* Add dbx entries for all our existing grub binaries
+ They're insecure, let's break the chainloading hole.
* Add Debian SBAT data
+ Add a Debian SBAT template, and rules to use it
+ Adds a build-dep on dos2unix
-- Steve McIntyre <93sam@debian.org> Wed, 24 Mar 2021 01:09:20 +0000
shim (15+1533136590.3beb971-10) unstable; urgency=medium
[ Debian Janitor ]
* Trim trailing whitespace.
* Use secure copyright file specification URI.
* debian/copyright: use spaces rather than tabs to start continuation
lines.
* Bump debhelper from old 11 to 12.
* Set debhelper-compat version in Build-Depends.
* Set upstream metadata fields: Bug-Database, Bug-Submit.
* Update standards version to 4.4.1, no changes needed.
[ Steve McIntyre ]
* Trivial changes to generating the inbuilt dbx if we're using it.
* Upload to pick up rotated Debian signing keys
-- Steve McIntyre <93sam@debian.org> Fri, 24 Jul 2020 01:22:46 +0100
shim (15+1533136590.3beb971-9) unstable; urgency=medium
[ Steve McIntyre ]
* In the -helpers-ARCH-signed packages, change the version
dependency on shim-unsigned to be >= and not =. This will allow
for installation to still work in the window while we wait for the
template package to do its second trip through the
archive. Closes: #955356
-- Steve McIntyre <93sam@debian.org> Fri, 24 Jul 2020 00:57:16 +0100
shim (15+1533136590.3beb971-8) unstable; urgency=medium
[ Steve McIntyre ]
* Use --padding when calling pesign to generate hashes for the dbx
list, as recommended by Peter Jones. No actual changes needed in
our list of hashes at this point - they work out the same either
way.
* Switch to using gcc-9 for builds, tweaking a patch from upstream
to fix a FTBFS. Closes: #925816
* Update debhelper compat level to 11 for shim and the
signing-template
-- Steve McIntyre <93sam@debian.org> Tue, 24 Mar 2020 16:51:10 +0000
shim (15+1533136590.3beb971-7) unstable; urgency=medium
[ Ansgar Burchardt ]
* debian/control: Update Vcs-* fields
[ Steve McIntyre ]
* Backport needed crash fixes:
+ VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls
+ Fix OBJ_create() to tolerate a NULL sn and ln
* Build using gcc-7 to get better control of reproducibility during the
lifetime of Buster.
* Build in a dbx list to blacklist binaries that we know to not be
secure. Build-depend on a new (bug-fixed) version of pesign to
generate that list at build time, using a list of known bad hashes.
* Initial list of known bad hashes is just my personal test binary.
-- Steve McIntyre <93sam@debian.org> Wed, 08 May 2019 02:05:01 +0100
shim (15+1533136590.3beb971-6) unstable; urgency=medium
[ Steve McIntyre ]
* Add Provides: and Breaks: to shim-helpers-$arch-signed to fix
clashes with the old shim-signed package for fbx64.efi.signed and
mmx64.efi.signed. Closes: #924619
[ Helmut Grohne ]
* Fix FTCBFS: Set CROSS_COMPILE. (Closes: #922152)
-- Steve McIntyre <93sam@debian.org> Sat, 23 Mar 2019 18:19:13 +0000
shim (15+1533136590.3beb971-5) unstable; urgency=medium
[ Ansgar Burchardt ]
* Correct maintainer address in signing template
[ Steve McIntyre ]
* Remove Rules-Requires-Root in the signing template. We manually install
things owned by root. There might be better ways to do this, but this
will do for now.
-- Steve McIntyre <93sam@debian.org> Tue, 12 Mar 2019 01:38:19 +0000
shim (15+1533136590.3beb971-4) unstable; urgency=medium
[ Steve McIntyre ]
* No-change sourceful upload to get rebuilds (and hence build logs) from
the buildds. Hoping to get this version signed by Microsoft, so let's
make our setup as clean as possible.
-- Steve McIntyre <93sam@debian.org> Sat, 09 Mar 2019 22:24:23 +0000
shim (15+1533136590.3beb971-3) unstable; urgency=medium
[ Philipp Hahn ]
* debian/rules: fixing permissions no longer required
* debian/rules: Disable ephemeral key on Debian.
* Rename binary package to 'shim-unsigned'
* Add template for signing {mm,fb}$ARCH.efi. (Closes: #922228)
[ Luca Boccassi ]
* Override lintian error about template rules file.
* Include /usr/share/dpkg/architecture.mk instead of shelling out.
* Add uname.patch to avoid embedding the kernel architecture in the
binary and to use a fixed string instead.
[ Steve McIntyre ]
* Change maintenance address to be the EFI team
* Add me and vorlon to the Uploaders list
* Rename the helper binary packages to shim-helpers-$arch.
* Update the signing-template JSON metadata to match new practice:
+ Move all the data under a new top-level "packages" key
+ Add an empty "trusted_certs" key - the helper binaries do not do any
further verification with an embedded key.
-- Steve McIntyre <93sam@debian.org> Fri, 08 Mar 2019 21:59:43 +0000
shim (15+1533136590.3beb971-2) unstable; urgency=medium
* Update debian/watch.
* Update VCS to point to salsa.
* Fix debian/rules syntax for arm64 build.
* Enable build for i386.
* Ensure DEB_HOST_ARCH is set even if not present in the environment.
* Update Standards-Version.
* Update debian/copyright (drop reference to file no longer in source)
-- Steve Langasek <vorlon@debian.org> Mon, 11 Feb 2019 05:18:18 +0000
shim (15+1533136590.3beb971-1) unstable; urgency=medium
* New upstream release.
- debian/patches/second-stage-path: dropped; the default loader path now
includes an arch suffix.
- debian/patches/sbsigntool-no-pesign: dropped; no longer needed.
* Drop remaining patches that were not being applied.
* Sync packaging from Ubuntu:
- debian/copyright: Update upstream source location.
- debian/control: add a Build-Depends on libelf-dev.
- Enable arm64 build.
- debian/patches/fixup_git.patch: don't run git in clean; we're not
really in a git tree.
- debian/rules, debian/shim.install: use the upstream install target as
intended, and move files to the target directory using dh_install.
- define RELEASE and COMMIT_ID for the snapshot.
- Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
- Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
options: set MAKELEVEL.
- Define an EFI_ARCH variable, and use that for paths to shim. This
makes it possible to build a shim for other architectures than amd64.
- Set EFIDIR=$distro for dh_auto_install; that will let files be installed
in the "right" final directories, and makes boot.csv for us.
- Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
at compile-time for MokManager and fallback.
- Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
and MokManager.
-- Steve Langasek <vorlon@debian.org> Sat, 09 Feb 2019 07:23:19 +0000
shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium
[ Steve Langasek ]
* Initial Debian upload. Closes: #820052.
* Update Standards-Version.
* Embed the newly-minted Debian CA certificate.
* Vendorize debian/rules so that the same package can be used in both
Debian and Ubuntu without modification.
* Fix debian/copyright to match the spec (last match wins, not first)
* Fix shim.efi to not be executable.
* Add watchfile.
* Support parallel builds, because eh why not
* Update Vcs-Bzr.
* Resync with Ubuntu, including patch to fix debian/copyright.
[ Julien Cristau ]
* Add some missing copyright holders in d/copyright, update
Upstream-Contact. Thanks to Helen Koike for the help.
-- Julien Cristau <jcristau@debian.org> Sat, 15 Oct 2016 15:17:34 +0200
shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium
[ Helen Koike ]
* debian/copyright: add OpenSSL license
[ Mathieu Trudel-Lapierre ]
* New upstream release.
* debian/copyright: patches should be BSD, like the rest of the upstream
code.
* debian/patches/unused-variable: dropped; applied upstream.
* debian/patches/binutils-version-matching: dropped, fixed upstream.
* debian/shim.install: built EFI binaries were renamed; update our install
file to properly pick up shim (shim$arch), MokManager (mm$arch), and
fallback (fb$arch).
-- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Wed, 21 Sep 2016 20:29:44 -0400
shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium
* New upstream release.
- Better handle LoadOptions. (LP: #1581299)
- Measure state and second stage in TPM.
- Mirror MokSBState in runtime as MokSBStateRT.
- Fix failure to build with GCC 5. (LP: #1429978)
- Various bug fixes and other improvements.
* Refreshed patches.
- Remaining patches:
+ second-stage-path
+ sbsigntool-not-pesign
* debian/patches/unused-variable: remove unused variable size.
* debian/patches/binutils-version-matching: revert d9a4c912 to correctly
match objcopy's version on Ubuntu.
* debian/copyright: update copyright for patches.
-- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 26 Jul 2016 16:48:32 -0400
shim (0.8-0ubuntu2) wily; urgency=medium
* No-change rebuild against gnu-efi 3.0v-5ubuntu1.
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 12 May 2015 17:48:30 +0000
shim (0.8-0ubuntu1) wily; urgency=medium
* New upstream release.
- Clarify meaning of insecure_mode. (LP: #1384973)
* debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,
debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included
in the upstream release.
* debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path:
refreshed.
-- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com> Mon, 11 May 2015 19:50:49 -0400
shim (0.7-0ubuntu4) utopic; urgency=medium
* SECURITY UPDATE: heap overflow and out-of-bounds read access when
parsing DHCPv6 information
- debian/patches/CVE-2014-3675.patch: apply proper bounds checking
when parsing data provided in DHCPv6 packets.
- CVE-2014-3675
- CVE-2014-3676
* SECURITY UPDATE: memory corruption when processing user-provided key
lists
- debian/patches/CVE-2014-3677.patch: detect malformed machine owner
key (MOK) lists and ignore them, avoiding possible memory corruption.
- CVE-2014-3677
-- Steve Langasek <steve.langasek@ubuntu.com> Wed, 08 Oct 2014 06:40:40 +0000
shim (0.7-0ubuntu2) utopic; urgency=medium
* Restore debian/patches/prototypes, which still is needed on shim 0.7
but only detected on the buildds.
* Update debian/patches/prototypes with some new declarations needed for
openssl 0.9.8za update.
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 16:20:08 -0700
shim (0.7-0ubuntu1) utopic; urgency=medium
* New upstream release.
- fix spurious error message when fallback.efi is not present, as will
always be the case for removable media. LP: #1297069.
- drop most patches, included upstream.
* debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick
openssl 0.9.8za in via upstream.
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 05:40:41 +0000
shim (0.4-0ubuntu5) utopic; urgency=low
* Install fallback.efi.signed as well, to lay the groundwork for fallback
handling (wanted when we have to move a drive between machines, or when
the firmware loses its marbles^W nvram).
-- Steve Langasek <steve.langasek@ubuntu.com> Mon, 04 Aug 2014 12:11:13 +0200
shim (0.4-0ubuntu4) saucy; urgency=low
* debian/patches/fix-tftp-prototype: pass the right arguments to
EFI_PXE_BASE_CODE_TFTP_READ_FILE.
* debian/patches/build-with-Werror: Build with -Werror to catch future
prototype mismatches.
* debian/patches/fix-compiler-warnings: Fix remaining compiler
warnings in netboot.c.
* debian/patches/tftp-proper-nul-termination: fix nul termination
errors in filenames passed to tftp.
* debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to
the netboot code.
-- Steve Langasek <steve.langasek@ubuntu.com> Mon, 23 Sep 2013 00:30:00 -0700
shim (0.4-0ubuntu3) saucy; urgency=low
[ Steve Langasek ]
* Install MokManager.efi.signed in the package.
* debian/patches/no-output-by-default.patch: Don't print any
informational messages. Closes LP: #1074302.
[ Stéphane Graber ]
* debian/patches/no-print-on-unsigned: Don't print an error message when
validating an unsigned binary as that tends to hang Lenovo machines.
(LP: #1087501)
-- Stéphane Graber <stgraber@ubuntu.com> Thu, 08 Aug 2013 17:12:12 +0200
shim (0.4-0ubuntu2) saucy; urgency=low
* Add missing build-dependency on openssl.
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 20:30:43 +0000
shim (0.4-0ubuntu1) saucy; urgency=low
* New upstream release.
* Drop debian/patches/shim-before-loadimage; upstream has changed this to
not call loadimage at all.
* debian/patches/sbsigntool-not-pesign: Sign MokManager with
sbsigntool instead of pesign.
* Add a versioned build-dependency on gnu-efi.
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 12:53:24 -0700
shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low
* debian/patches/shim-before-loadimage: Use direct verification first
before LoadImage. Addresses an issue where Lenovo's SecureBoot
implementation pops an error message on any verification failure - avoid
calling LoadImage at all unless we have to.
-- Steve Langasek <steve.langasek@ubuntu.com> Wed, 10 Oct 2012 15:28:40 -0700
shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low
* debian/patches/second-stage-path: Chainload grubx64.efi, not
grub.efi.
-- Steve Langasek <steve.langasek@ubuntu.com> Fri, 05 Oct 2012 11:20:58 -0700
shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low
* debian/patches/prototypes: Include missing prototypes, and disable
use of BIO_new_file.
* Only build the package for amd64; we're not signing an i386 shim at this
stage so there's no point in building it.
-- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 17:47:04 +0000
shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low
* Initial release.
* Include the Canonical Secure Boot master CA.
-- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 00:01:06 -0700