Tags: rhboot/shim
shim-16.0

What's Changed
* Validate that a supplied vendor cert is not in PEM format by @steve-mcintyre in #646
* sbat: Add grub.peimage,2 to latest (CVE-2024-2312) by @julian-klode in #651
* sbat: Also bump latest for grub,4 (and to todays date) by @julian-klode in #653
* undo change that limits certificate files to a single file by @jsetje in #659
* shim: don't set second_stage to the empty string by @jjd27 in #640
* Fix SBAT.md for today's consensus about numbers by @aronowski in #672
* Update Code of Conduct contact address by @aronowski in #683
* make-certs: Handle missing OpenSSL installation by @aronowski in #595
* Update MokVars.txt by @mikebeaton in #598
* export DEFINES for sub makefile by @bryteise in #600
* Drop unused EFI_IMAGE_SECURITY_DATABASE_GUID definition by @vittyvk in #609
* Null-terminate 'arguments' in fallback by @vittyvk in #611
* Fix "Verifiying" typo in error message by @chrisbainbridge in #706
* Update Fedora CI targets by @vathpela in #708
* Force gcc to produce DWARF4 so that gdb can use it by @mikebeaton in #607
* Minor housekeeping 2024121700 by @vathpela in #709
* Discard load-options that start with WINDOWS by @Metabolix in #621
* Fix the issue that the gBS->LoadImage pointer was empty. by @15058718379 in #703
* shim: Allow data after the end of device path node in load options by @dbnicholson in #694
* Handle network file not found like disks by @dbnicholson in #695
* Update gnu-efi submodule for EFI_HTTP_ERROR by @vathpela in #674
* Increase EFI file alignment by @lumag in #673
* avoid EFIv2 runtime services on Apple x86 machines by @eduardacatrinei in #690
* Improve shortcut performance when comparing two boolean expressions by @dennis-tseng99 in #667
* Provide better error message when MokManager is not found by @rmetrich in #663
* tpm: Boot with a warning if the event log is full by @kukrimate in #657
* MokManager: remove redundant logical constraints by @xypron in #409
* Test import_mok_state() when MokListRT would be bigger than available size by @vathpela in #417
* test-mok-mirror: minor bug fix by @vathpela in #715
* Fix file system browser hang when enrolling MOK from disk by @miczyg1 in #622
* Ignore a minor clang-tidy nit by @vathpela in #716
* Allow fallback to default loader when encountering errors on network boot by @nathan-omeara in #666
* test.mk: don't use a temporary random.bin by @vathpela in #718
* pe: Enhance debug report for update_mem_attrs by @jongwu in #594
* Multiple certificate handling improvements by @rosslagerwall in #644
* Generate SbatLevel Metadata from SbatLevel_Variable.txt by @jsetje in #711
* Apply EKU check with compile option by @dennis-tseng99 in #664
* Add configuration option to boot an alternative 2nd stage by @esnowberg in #608
* Loader protocol (with Device Path resolution support) by @kukrimate in #656
* netboot cleanup for additional files by @jsetje in #686
* Document how revocations can be delivered by @jsetje in #722
* post-process-pe: add tests to validate NX compliance by @vathpela in #705
* regression: CopyMem() in ad8692e copies out of bounds by @jsetje in #725
* Save the debug and error logs in mok-variables by @vathpela in #726
* Add features for the Host Security ID program by @vathpela in #660
* Mirror some more efi variables to mok-variables by @vathpela in #723
* This adds DXE Services measurements to HSI and uses them for NX by @vathpela in #724
* Add shim's current NX_COMPAT status to HSIStatus by @vathpela in #727
* README.tpm: reflect that vendor_db is in fact logged as "vendor_db" by @jsetje in #728
* Reject HTTP message with duplicate Content-Length header fields by @dennis-tseng99 in #637
* Disable log saving by @vathpela in #729
* fallback: don't add new boot order entries backwards by @vathpela in #730
* Misc fixes... by @vathpela in #735
* README.tpm: Update MokList entry to MokListRT by @trungams in #732
* SBAT Level update for February 2025 GRUB CVEs by @jsetje in #736

New Contributors
* @jjd27 made their first contribution in #640
* @mikebeaton made their first contribution in #598
* @bryteise made their first contribution in #600
* @vittyvk made their first contribution in #609
* @chrisbainbridge made their first contribution in #706
* @Metabolix made their first contribution in #621
* @15058718379 made their first contribution in #703
* @dbnicholson made their first contribution in #694
* @lumag made their first contribution in #673
* @eduardacatrinei made their first contribution in #690
* @kukrimate made their first contribution in #657
* @miczyg1 made their first contribution in #622
* @nathan-omeara made their first contribution in #666
* @jongwu made their first contribution in #594
* @rosslagerwall made their first contribution in #644
* @trungams made their first contribution in #732

**Full Changelog**: 15.8...16.0

shim-16.0~rc1

* Validate that a supplied vendor cert is not in PEM format by @steve-mcintyre in #646
* sbat: Add grub.peimage,2 to latest (CVE-2024-2312) by @julian-klode in #651
* sbat: Also bump latest for grub,4 (and to todays date) by @julian-klode in #653
* undo change that limits certificate files to a single file by @jsetje in #659
* shim: don't set second_stage to the empty string by @jjd27 in #640
* Fix SBAT.md for today's consensus about numbers by @aronowski in #672
* Update Code of Conduct contact address by @aronowski in #683
* make-certs: Handle missing OpenSSL installation by @aronowski in #595
* Update MokVars.txt by @mikebeaton in #598
* export DEFINES for sub makefile by @bryteise in #600
* Drop unused EFI_IMAGE_SECURITY_DATABASE_GUID definition by @vittyvk in #609
* Null-terminate 'arguments' in fallback by @vittyvk in #611
* Fix "Verifiying" typo in error message by @chrisbainbridge in #706
* Update Fedora CI targets by @vathpela in #708
* Force gcc to produce DWARF4 so that gdb can use it by @mikebeaton in #607
* Minor housekeeping 2024121700 by @vathpela in #709
* Discard load-options that start with WINDOWS by @Metabolix in #621
* Fix the issue that the gBS->LoadImage pointer was empty. by @15058718379 in #703
* shim: Allow data after the end of device path node in load options by @dbnicholson in #694
* Handle network file not found like disks by @dbnicholson in #695
* Update gnu-efi submodule for EFI_HTTP_ERROR by @vathpela in #674
* Increase EFI file alignment by @lumag in #673
* avoid EFIv2 runtime services on Apple x86 machines by @eduardacatrinei in #690
* Improve shortcut performance when comparing two boolean expressions by @dennis-tseng99 in #667
* Provide better error message when MokManager is not found by @rmetrich in #663
* tpm: Boot with a warning if the event log is full by @kukrimate in #657
* MokManager: remove redundant logical constraints by @xypron in #409
* Test import_mok_state() when MokListRT would be bigger than available size by @vathpela in #417
* test-mok-mirror: minor bug fix by @vathpela in #715
* Fix file system browser hang when enrolling MOK from disk by @miczyg1 in #622
* Ignore a minor clang-tidy nit by @vathpela in #716
* Allow fallback to default loader when encountering errors on network boot by @nathan-omeara in #666
* test.mk: don't use a temporary random.bin by @vathpela in #718
* pe: Enhance debug report for update_mem_attrs by @jongwu in #594
* Multiple certificate handling improvements by @rosslagerwall in #644
* Generate SbatLevel Metadata from SbatLevel_Variable.txt by @jsetje in #711
* Apply EKU check with compile option by @dennis-tseng99 in #664
* Add configuration option to boot an alternative 2nd stage by @esnowberg in #608
* Loader protocol (with Device Path resolution support) by @kukrimate in #656
* netboot cleanup for additional files by @jsetje in #686
* Document how revocations can be delivered by @jsetje in #722
* post-process-pe: add tests to validate NX compliance by @vathpela in #705
* regression: CopyMem() in ad8692e copies out of bounds by @jsetje in #725
* Save the debug and error logs in mok-variables by @vathpela in #726
* Add features for the Host Security ID program by @vathpela in #660
* Mirror some more efi variables to mok-variables by @vathpela in #723
* This adds DXE Services measurements to HSI and uses them for NX by @vathpela in #724
* Add shim's current NX_COMPAT status to HSIStatus by @vathpela in #727
* README.tpm: reflect that vendor_db is in fact logged as "vendor_db" by @jsetje in #728
* Reject HTTP message with duplicate Content-Length header fields by @dennis-tseng99 in #637
* Disable log saving by @vathpela in #729
* fallback: don't add new boot order entries backwards by @vathpela in #730
* @jjd27 made their first contribution in #640
* @mikebeaton made their first contribution in #598
* @bryteise made their first contribution in #600
* @vittyvk made their first contribution in #609
* @chrisbainbridge made their first contribution in #706
* @Metabolix made their first contribution in #621
* @15058718379 made their first contribution in #703
* @dbnicholson made their first contribution in #694
* @lumag made their first contribution in #673
* @eduardacatrinei made their first contribution in #690
* @kukrimate made their first contribution in #657
* @miczyg1 made their first contribution in #622
* @nathan-omeara made their first contribution in #666
* @jongwu made their first contribution in #594
* @rosslagerwall made their first contribution in #644

**Full Changelog**: 15.8...16.0-rc1

shim 15.8: What's changed

* Various CVE fixes:
  CVE-2023-40546 mok: fix LogError() invocation
  CVE-2023-40547 - avoid incorrectly trusting HTTP headers
  CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
  CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
  CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
  CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
* Add make infrastructure to set the NX_COMPAT flag by @vathpela in #530
* Make sbat_var.S parse right with buggy gcc/binutils by @vathpela in #535
* Drop invalid calls to CRYPTO_set_mem_functions by @nicholasbishop in #537
* pe: Align section size up to page size for mem attrs by @nicholasbishop in #539
* test-sbat: Fix exit code by @vathpela in #540
* pe: Add IS_PAGE_ALIGNED macro by @nicholasbishop in #541
* CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper by @nicholasbishop in #546
* Don't loop forever in load_certs() with buggy firmware by @rmetrich in #547
* Block Debian grub binaries with SBAT < 4 by @steve-mcintyre in #550
* Shim unable to locate grubx64 in PXE boot mode when grubx64 is stored in a different file path by @Alberto-Perez-Guevara in #551
* Further improve load_certs() for non-compliant drivers/firmwares by @pbatard in #560
* pe: only process RelocDir->Size of reloc section by @mikebeaton in #562
* Rename 'msecs' to 'usecs' to avoid potential confusion by @aronowski in #563
* Optionally allow to keep shim protocol installed by @bluca in #565
* SBAT-related documents formatting and spelling by @aronowski in #566
* Add SbatLevel_Variable.txt to document the various revocations by @jsetje in #569
* Add a security contact email address in README.md by @vathpela in #572
* Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL by @vathpela in #576
* mok: fix LogError() invocation by @vathpela in #577
* Minor housekeeping by @vathpela in #578
* Test ImageAddress() by @vathpela in #579
* FreePages() is used to return memory allocated by AllocatePages() by @dennis-tseng99 in #580
* Size should minus 1 when calculating 'RelocBaseEnd' by @jsetje in #581
* Verify signature before verifying sbat levels by @jsetje in #583
* Add libFuzzer support for csv.c and sbat.c by @vathpela in #584
* mok: Avoid underflow in maximum variable size calculation by @alpernebbi in #587
* Housekeeping by @vathpela in #605

Signed-off-by: Peter Jones <pjones@redhat.com>

shim-15.8-rc1

Alberto Perez (1):
      Work around malformed path delimiters in file paths from DHCP

Alper Nebi Yasak (1):
      mok: Avoid underflow in maximum variable size calculation

Dennis Tseng (2):
      Work around ImageAddress() usage mistake
      Correctly free memory allocated in handle_image()

Jan Setje-Eilers (7):
      Add SbatLevel_Variable.txt to document the various revocations
      Verify signature before verifying sbat levels
      Allow SbatLevel data from external binary
      Always clear SbatLevel when Secure Boot is disabled
      BS Variables for bootmgr revocations
      shim should not self revoke
      Print message when refusing to apply SbatLevel

Kamil Aronowski (4):
      SBAT-related documents formatting and spelling
      Skip testing msleep()
      Rename 'msecs' to 'usecs' to avoid potential confusion
      Change type of fallback_verbose_wait from int to unsigned long

Long Qin (1):
      CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper

Luca Boccassi (1):
      Optionally allow to keep shim protocol installed

Mike Beaton (1):
      pe: only process RelocDir->Size of reloc section

Nicholas Bishop (4):
      pe: Align section size up to page size for mem attrs
      pe: Add IS_PAGE_ALIGNED macro
      Drop invalid calls to `CRYPTO_set_mem_functions`
      test-sbat: Fix exit code

Pete Batard (1):
      Further improve load_certs() for non-compliant drivers/firmwares

Peter Jones (28):
      Make sbat_var.S parse right with buggy gcc/binutils
      Enable the NX compatibility flag by default.
      Add a security contact email address in README.md
      Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL
      Add a make rule for compile_commands.json
      Add gnu-stack notes
      test: Make our fake dprintf be a statement.
      Remove CentOS 7 test builds.
      Split pe.c up even more.
      Test (and fix) ImageAddress()
      Add libFuzzer support for csv.c
      Fix a 1-byte memory leak in .sbat parsing.
      Add libFuzzer support to the .sbat parser.
      Make some of the static analysis tools a little easier to run
      compile_commands.json: remove stuff clang doesn't like
      CVE-2023-40546 mok: fix LogError() invocation
      Add primitives for overflow-checked arithmetic operations.
      pe-relocate: Add a fuzzer for read_header()
      CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
      pe-relocate: make read_header() use checked arithmetic operations.
      CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
      pe-relocate: Ensure nothing else implements CVE-2023-40550
      CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
      CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
      Further mitigations against CVE-2023-40546 as a class
      sbat revocations: check the full section name
      CVE-2023-40547 - avoid incorrectly trusting HTTP headers
      Print errors when setting/clearing memory attrs

Renaud Métrich (1):
      Don't loop forever in load_certs() with buggy firmware

Steve McIntyre (1):
      Block Debian grub binaries with SBAT < 4

shim 15.7

What's Changed
* Make SBAT variable payload introspectable by @chrisccoulson in #483
* Reference MokListRT instead of MokList by @esnowberg in #488
* Add a link to the test plan in the readme. by @vathpela in #494
* [V3] Enable TDX measurement to RTMR register by @kenplusplus in #485
* Discard load-options that start with a NUL by @frozencemetery in #505
* load_cert_file bugs by @esnowberg in #523
* Add -malign-double to IA32 compiler flags by @nicholasbishop in #516
* pe: Fix image section entry-point validation by @iokomin in #518
* make-archive: Build reproducible tarball by @julian-klode in #527
* mok: remove MokListTrusted from PCR 7 by @baloo in #519
* Shim 15.7 version update by @vathpela in #528

New Contributors
* @kenplusplus made their first contribution in #485
* @iokomin made their first contribution in #518
* @baloo made their first contribution in #519

**Full Changelog**: 15.6...15.7

shim-15.6

- What's Changed
  * MokManager: removed Locate graphic output protocol fail error message by @joeyli in #441
  * shim: implement SBAT verification for the shim_lock protocol by @chrisccoulson in #456
  * post-process-pe: Fix a missing return code check by @vathpela in #462
  * Update github actions matrix to be more useful by @frozencemetery in #469
  * Add f36 and centos9 CI builds by @vathpela in #470
  * post-process-pe: Fix format string warnings on 32-bit platforms by @steve-mcintyre in #464
  * tests: also look for system headers in multi-arch directories by @steve-mcintyre in #466
  * tests: fix gcc warnings by @akodanev in #463
  * Allow MokListTrusted to be enabled by default by @esnowberg in #455
  * Add code of conduct by @frozencemetery in #427
  * Re-add ARM AArch64 support by @vathpela in #468
  * Use ASCII as fallback if Unicode Box Drawing characters fail by @vathpela in #428
  * make: don't treat cert.S specially by @vathpela in #475
  * shim: use SHIM_DEVEL_VERBOSE when built in devel mode by @vathpela in #474
  * Break out of the inner sbat loop if we find the entry. by @vathpela in #476
  * Support loading additional certificates by @esnowberg in #446
  * Add support for NX (W^X) mitigations. by @vathpela in #459
  * Misc fixups from scan-build. by @vathpela in #477
  * Fix preserve_sbat_uefi_variable() logic by @jsetje in #478
  * SBAT Policy latest should be a one-shot by @jsetje in #481
  * pe: Fix a buffer overflow when SizeOfRawData > VirtualSize by @chriscoulson
  * pe: Perform image verification earlier when loading grub by @chriscoulson
  * Update advertised sbat generation number for shim by @jsetje
  * Update SBAT generation requirements for 05/24/22 by @jsetje
  * Also avoid CVE-2022-28737 in verify_image() by @vathpela
- New Contributors
  * @joeyli made their first contribution in #441
  * @akodanev made their first contribution in #463
  * @esnowberg made their first contribution in #455
- **Full Changelog**: 15.5...15.6

shim-15.6~rc2

- What's Changed
  * SBAT Policy latest should be a one-shot by @jsetje in #481
  * pe: Fix a buffer overflow when SizeOfRawData > VirtualSize by @chriscoulson
  * pe: Perform image verification earlier when loading grub by @chriscoulson
  * Update advertised sbat generation number for shim by @jsetje
  * Update SBAT generation requirements for 05/24/22 by @jsetje
  * Also avoid CVE-2022-28737 in verify_image() by @vathpela
- **Full Changelog**: https://github.com/rhboot/shim/compare/15.6-rc1..15.6-rc2

shim-15.6~rc1

- What's Changed
  * MokManager: removed Locate graphic output protocol fail error message by @joeyli in #441
  * shim: implement SBAT verification for the shim_lock protocol by @chrisccoulson in #456
  * post-process-pe: Fix a missing return code check by @vathpela in #462
  * Update github actions matrix to be more useful by @frozencemetery in #469
  * Add f36 and centos9 CI builds by @vathpela in #470
  * post-process-pe: Fix format string warnings on 32-bit platforms by @steve-mcintyre in #464
  * tests: also look for system headers in multi-arch directories by @steve-mcintyre in #466
  * tests: fix gcc warnings by @akodanev in #463
  * Allow MokListTrusted to be enabled by default by @esnowberg in #455
  * Add code of conduct by @frozencemetery in #427
  * Re-add ARM AArch64 support by @vathpela in #468
  * Use ASCII as fallback if Unicode Box Drawing characters fail by @vathpela in #428
  * make: don't treat cert.S specially by @vathpela in #475
  * shim: use SHIM_DEVEL_VERBOSE when built in devel mode by @vathpela in #474
  * Break out of the inner sbat loop if we find the entry. by @vathpela in #476
  * Support loading additional certificates by @esnowberg in #446
  * Add support for NX (W^X) mitigations. by @vathpela in #459
  * Misc fixups from scan-build. by @vathpela in #477
  * Fix preserve_sbat_uefi_variable() logic by @jsetje in #478
- New Contributors
  * @joeyli made their first contribution in #441
  * @akodanev made their first contribution in #463
  * @esnowberg made their first contribution in #455
- **Full Changelog**: 15.5...15.6-rc1

shim 15.5

Much thanks to those who tested this release.

Changes from -rc2:
- Make Mok config table be runtime services memory
- Remove post-process-pe on 'make clean'
- pe: missing perror argument

**Incremental changelog**: 15.5-rc2...15.5

From 15.4, the following people contributed code:
- Peter Jones (46)
- Heinrich Schuchardt (7)
- Gary Lin (6)
- Renaud Métrich (4)
- Julian Andres Klode (4)
- Serge Hallyn (2)
- Robbie Harwood (2)
- Nicholas Bishop (2)
- João Paulo Rechi Vita (2)
- Seth Forshee (1)
- Jonathan Yong (1)
- Jonas Witschel (1)
- Javier Martinez Canillas (1)
- Jan Setje-Eilers (1)
- Esther Shimanovich (1)
- Eric Snowberg (1)
- Dimitri John Ledkov (1)
- Daniel Axtens (1)
- Chris Coulson (1)
- Adam Williamson (1)

**Full changelog**: 15.4...15.5