{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":3996476,"defaultBranch":"main","name":"shim","ownerLogin":"rhboot","currentUserCanPush":false,"isFork":false,"isEmpty":false,"createdAt":"2012-04-11T18:00:40.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/29258823?v=4","public":true,"private":false,"isOrgOwned":true},"refInfo":{"name":"","listCacheKey":"v0:1706717487.0","currentOid":""},"activityList":{"items":[{"before":"63edf92f8ae11b884bc7d24aecb8229cbc4ae014","after":"3e1394e8e6fd0071a69196230f991612a960c154","ref":"refs/heads/main","pushedAt":"2024-04-09T19:03:34.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"vathpela","name":"Peter Jones","path":"/vathpela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/1063106?s=80&v=4"},"commit":{"message":"sbat: Also bump latest for grub,4 (and to todays date)\n\nBack in January we decided to bump the SBAT level for the shim\nCVE without bumping the grub level for the previous NTFS issues\n- CVE-2023-4692 CVE-2023-4693 - as not every vendor was signing\nthe ntfs module.\n\nCatch up on this revocation to ensure it doesn't get lost. Doing\nso also allows us to remove the grub.debian,4 revocation as this\nhappened before grub,4 and hence is obsolete.\n\nAlso bump the date of the sbat variable to today's. 
Don't copy\nthe April 5 one to a previous selection, as it wasn't shipped\nto anyone.\n\nSigned-off-by: Julian Andres Klode ","shortMessageHtmlLink":"sbat: Also bump latest for grub,4 (and to todays date)"}},{"before":"126a07ebc30bbd203b6966465b058da741b2654b","after":"63edf92f8ae11b884bc7d24aecb8229cbc4ae014","ref":"refs/heads/main","pushedAt":"2024-04-09T16:40:44.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"vathpela","name":"Peter Jones","path":"/vathpela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/1063106?s=80&v=4"},"commit":{"message":"sbat: Add grub.peimage,2 to latest (CVE-2024-2312)\n\nAdd the previous latest level to the switch for automatic.\n\nSigned-off-by: Julian Andres Klode ","shortMessageHtmlLink":"sbat: Add grub.peimage,2 to latest (CVE-2024-2312)"}},{"before":"5914984a1ffeab841f482c791426d7ca9935a5e6","after":"126a07ebc30bbd203b6966465b058da741b2654b","ref":"refs/heads/main","pushedAt":"2024-03-19T20:43:06.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"steve-mcintyre","name":"Steve McIntyre","path":"/steve-mcintyre","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/48764113?s=80&v=4"},"commit":{"message":"Validate that a supplied vendor cert is not in PEM format\n\nIf we see \"BEGIN\", it's likely a PEM certificate and won't work. 
Fail\nthe build early and say so.\n\nFixes #645\n\nSigned-off-by: Steve McIntyre ","shortMessageHtmlLink":"Validate that a supplied vendor cert is not in PEM format"}},{"before":"66e6579dbf921152f647a0c16da1d3b2f40861ca","after":"5914984a1ffeab841f482c791426d7ca9935a5e6","ref":"refs/heads/main","pushedAt":"2024-01-23T18:59:06.000Z","pushType":"push","commitsCount":28,"pusher":{"login":"vathpela","name":"Peter Jones","path":"/vathpela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/1063106?s=80&v=4"},"commit":{"message":"Bump version to 15.8\n\nWhat's changed\n* Various CVE fixes:\n CVE-2023-40546 mok: fix LogError() invocation\n CVE-2023-40547 - avoid incorrectly trusting HTTP headers\n CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system\n CVE-2023-40549 Authenticode: verify that the signature header is in bounds.\n CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()\n CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries\n* Add make infrastructure to set the NX_COMPAT flag by @vathpela in https://github.com/rhboot/shim/pull/530\n* Make sbat_var.S parse right with buggy gcc/binutils by @vathpela in https://github.com/rhboot/shim/pull/535\n* Drop invalid calls to CRYPTO_set_mem_functions by @nicholasbishop in https://github.com/rhboot/shim/pull/537\n* pe: Align section size up to page size for mem attrs by @nicholasbishop in https://github.com/rhboot/shim/pull/539\n* test-sbat: Fix exit code by @vathpela in https://github.com/rhboot/shim/pull/540\n* pe: Add IS_PAGE_ALIGNED macro by @nicholasbishop in https://github.com/rhboot/shim/pull/541\n* CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper by @nicholasbishop in https://github.com/rhboot/shim/pull/546\n* Don't loop forever in load_certs() with buggy firmware by @rmetrich in https://github.com/rhboot/shim/pull/547\n* Block Debian grub binaries with SBAT < 4 by @steve-mcintyre in https://github.com/rhboot/shim/pull/550\n* Shim unable to 
locate grubx64 in PXE boot mode when grubx64 is stored in a different file path by @Alberto-Perez-Guevara in https://github.com/rhboot/shim/pull/551\n* Further improve load_certs() for non-compliant drivers/firmwares by @pbatard in https://github.com/rhboot/shim/pull/560\n* pe: only process RelocDir->Size of reloc section by @mikebeaton in https://github.com/rhboot/shim/pull/562\n* Rename 'msecs' to 'usecs' to avoid potential confusion by @aronowski in https://github.com/rhboot/shim/pull/563\n* Optionally allow to keep shim protocol installed by @bluca in https://github.com/rhboot/shim/pull/565\n* SBAT-related documents formatting and spelling by @aronowski in https://github.com/rhboot/shim/pull/566\n* Add SbatLevel_Variable.txt to document the various revocations by @jsetje in https://github.com/rhboot/shim/pull/569\n* Add a security contact email address in README.md by @vathpela in https://github.com/rhboot/shim/pull/572\n* Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL by @vathpela in https://github.com/rhboot/shim/pull/576\n* mok: fix LogError() invocation by @vathpela in https://github.com/rhboot/shim/pull/577\n* Minor housekeeping by @vathpela in https://github.com/rhboot/shim/pull/578\n* Test ImageAddress() by @vathpela in https://github.com/rhboot/shim/pull/579\n* FreePages() is used to return memory allocated by AllocatePages() by @dennis-tseng99 in https://github.com/rhboot/shim/pull/580\n* Size should minus 1 when calculating 'RelocBaseEnd' by @jsetje in https://github.com/rhboot/shim/pull/581\n* Verify signature before verifying sbat levels by @jsetje in https://github.com/rhboot/shim/pull/583\n* Add libFuzzer support for csv.c and sbat.c by @vathpela in https://github.com/rhboot/shim/pull/584\n* mok: Avoid underflow in maximum variable size calculation by @alpernebbi in https://github.com/rhboot/shim/pull/587\n* Housekeeping by @vathpela in https://github.com/rhboot/shim/pull/605\n\nSigned-off-by: Peter Jones ","shortMessageHtmlLink":"Bump 
version to 15.8"}},{"before":"7ba7440c49d32f911fb9e1c213307947a777085d","after":"66e6579dbf921152f647a0c16da1d3b2f40861ca","ref":"refs/heads/main","pushedAt":"2023-10-19T09:28:44.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"steve-mcintyre","name":"Steve McIntyre","path":"/steve-mcintyre","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/48764113?s=80&v=4"},"commit":{"message":"CVE-2023-40546 mok: fix LogError() invocation\n\nOn some ARM platform, jlinton noticed that when we fail to set a\nvariable (because it isn't supported at all, presumably), our error\nmessage has an extra argument that doesn't match the format string.\n\nThis patch removes the extra argument.\n\nResolves: CVE-2023-40546\nSigned-off-by: Peter Jones ","shortMessageHtmlLink":"CVE-2023-40546 mok: fix LogError() invocation"}},{"before":"dbbe3c84bd0e7683d4b81c1794a112a6853b80ee","after":"7ba7440c49d32f911fb9e1c213307947a777085d","ref":"refs/heads/main","pushedAt":"2023-08-25T18:14:45.000Z","pushType":"pr_merge","commitsCount":2,"pusher":{"login":"vathpela","name":"Peter Jones","path":"/vathpela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/1063106?s=80&v=4"},"commit":{"message":"compile_commands.json: remove stuff clang doesn't like\n\nThis is a \"creature comfort\" change to make it so gcc-specific options\ndon't make it into compile_commands.json.\n\nSigned-off-by: Peter Jones ","shortMessageHtmlLink":"compile_commands.json: remove stuff clang doesn't like"}},{"before":"1e985a3a238100ca5f4bda3e269a9eaec9bda74b","after":"dbbe3c84bd0e7683d4b81c1794a112a6853b80ee","ref":"refs/heads/main","pushedAt":"2023-07-19T20:13:45.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"vathpela","name":"Peter Jones","path":"/vathpela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/1063106?s=80&v=4"},"commit":{"message":"mok: Avoid underflow in maximum variable size calculation\n\nThe code that mirrors MOK database to EFI variables gets the 
remaining\nvariable storage size from the firmware and subtracts the size needed\nfor any overhead to see if there is enough space to create a new entry.\n\nHowever these calculations are on unsigned integer types, they can\nunderflow and result in huge values when the firmware is about to run\nout of usable variable space. Explicitly check against this.\n\nSigned-off-by: Alper Nebi Yasak ","shortMessageHtmlLink":"mok: Avoid underflow in maximum variable size calculation"}},{"before":"62e4b4462525c11460a4b3e3f9562a383a346091","after":"1e985a3a238100ca5f4bda3e269a9eaec9bda74b","ref":"refs/heads/main","pushedAt":"2023-07-19T20:09:17.000Z","pushType":"force_push","commitsCount":0,"pusher":{"login":"vathpela","name":"Peter Jones","path":"/vathpela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/1063106?s=80&v=4"},"commit":{"message":"Correctly free memory allocated in handle_image()\n\nCurrently pe's handle_image() function has two related issues, which are\na memory leak in most error paths and an incorrect FreePool() call in\nsome error paths.\n\nThis patch adds the correct FreePages() calls to most error paths, and\nswitches the FreePool() call to match them.\n\n[commit message re-written to be more informative by pjones]\n\nSigned-off-by: Dennis Tseng ","shortMessageHtmlLink":"Correctly free memory allocated in handle_image()"}},{"before":"e24681211ce8a71583b5233084bd1290c3c7e872","after":"62e4b4462525c11460a4b3e3f9562a383a346091","ref":"refs/heads/main","pushedAt":"2023-07-14T20:41:22.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"jsetje","name":"Jan Setje-Eilers","path":"/jsetje","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/73182357?s=80&v=4"},"commit":{"message":"Size should minus 1 when calculating 'RelocBaseEnd'\n\nSigned-off-by: Dennis Tseng ","shortMessageHtmlLink":"Size should minus 1 when calculating 
'RelocBaseEnd'"}},{"before":"61e989446849205d3e9eef2544f6d9bd87142933","after":"e24681211ce8a71583b5233084bd1290c3c7e872","ref":"refs/heads/main","pushedAt":"2023-06-29T18:35:50.000Z","pushType":"pr_merge","commitsCount":3,"pusher":{"login":"vathpela","name":"Peter Jones","path":"/vathpela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/1063106?s=80&v=4"},"commit":{"message":"Add libFuzzer support to the .sbat parser.\n\nshim takes several forms of input from several sources that are not\nnecessarily trustworthy. As such, we need to take measures to validate\nthat we don't have unacceptable results from bad inputs. One such\nmeasure is \"fuzzing\" the inputs which parse untrusted data by running\nthem with randomized or partially randomized input.\n\nThis change adds such testing using clang's \"libFuzzer\" to our parser\nfor \".sbat\" sections. I've run it for about half an hour and so far it\nfound one memory leak, but no other errors.\n\nSigned-off-by: Peter Jones ","shortMessageHtmlLink":"Add libFuzzer support to the .sbat parser."}},{"before":"569270d8603d68308ad8bf8ef4cad4b09101d35e","after":"61e989446849205d3e9eef2544f6d9bd87142933","ref":"refs/heads/main","pushedAt":"2023-06-27T18:58:25.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"vathpela","name":"Peter Jones","path":"/vathpela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/1063106?s=80&v=4"},"commit":{"message":"Verify signature before verifying sbat levels\n\nVerifying the validity of a file's signature can protect from\nan attacker creating a file that exploits a potential issue\nin the sbat validation. 
If the signature is not checked first,\nan attacker can just create a file with a valid .sbat section\nand can still attack the signature validation.\n\nSigned-off-by: Jan Setje-Eilers ","shortMessageHtmlLink":"Verify signature before verifying sbat levels"}},{"before":"f132655f458035aa2ed6b9e3a5ae4c04b13c9311","after":"569270d8603d68308ad8bf8ef4cad4b09101d35e","ref":"refs/heads/main","pushedAt":"2023-06-23T21:13:13.000Z","pushType":"pr_merge","commitsCount":3,"pusher":{"login":"jsetje","name":"Jan Setje-Eilers","path":"/jsetje","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/73182357?s=80&v=4"},"commit":{"message":"Test (and fix) ImageAddress()\n\nThis adds a test case for our address sanitation checking function\nImageAddress(). In doing so it addresses two issues:\n\n- previously we allowed the address after the last byte of the image to\n be computed (may need to revert this or fix some callers, we'll see...)\n- bespoke overflow checking and using + directly instead of using\n __builtin_add_overflow()\n\nSigned-off-by: Peter Jones ","shortMessageHtmlLink":"Test (and fix) ImageAddress()"}},{"before":"243f12589dbb5e9549d0e08760a03f3a41cd82a2","after":"f132655f458035aa2ed6b9e3a5ae4c04b13c9311","ref":"refs/heads/main","pushedAt":"2023-06-23T21:12:58.000Z","pushType":"pr_merge","commitsCount":3,"pusher":{"login":"jsetje","name":"Jan Setje-Eilers","path":"/jsetje","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/73182357?s=80&v=4"},"commit":{"message":"test: Make our fake dprintf be a statement.\n\nIn a few places we put dprintf() at places where the compiler will get\nconfused if it isn't a block or a statement.\n\nObviously, it should be a statement, so this makes it one.\n\nSigned-off-by: Peter Jones ","shortMessageHtmlLink":"test: Make our fake dprintf be a 
statement."}},{"before":"05eae929c52f418fbd4e4fd8f27e332e64868d03","after":"243f12589dbb5e9549d0e08760a03f3a41cd82a2","ref":"refs/heads/main","pushedAt":"2023-06-21T19:04:38.329Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"vathpela","name":"Peter Jones","path":"/vathpela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/1063106?s=80&v=4"},"commit":{"message":"Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL\n\nCryptlib and OpenSSL both currently throw warnings with some compilers\nusing -Wunused-but-set-variable:\n\n clang -std=gnu11 -ggdb -ffreestanding -fmacro-prefix-map=/home/pjones/devel/github.com/shim/main/= -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc -m64 -mno-mmx -mno-sse -mno-red-zone -Os -Wall -Wextra -Wno-missing-field-initializers -Wno-unused-parameter -Werror -I/home/pjones/devel/github.com/shim/main/Cryptlib -I/home/pjones/devel/github.com/shim/main/Cryptlib/Include -I/home/pjones/devel/github.com/shim/main/gnu-efi/inc -I/home/pjones/devel/github.com/shim/main/gnu-efi/inc/x86_64 -I/home/pjones/devel/github.com/shim/main/gnu-efi/inc/protocol -isystem /home/pjones/devel/github.com/shim/main/include/system -isystem /usr/lib64/clang/16/include -DMDE_CPU_X64 -c -o Pk/CryptX509.o Pk/CryptX509.c\nPk/CryptX509.c:94:19: error: variable 'Index' set but not used [-Werror,-Wunused-but-set-variable]\n UINTN Index;\n ^\n clang -std=gnu11 -ggdb -ffreestanding -fmacro-prefix-map=/home/pjones/devel/github.com/shim/main/= -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc -m64 -mno-mmx -mno-sse -mno-red-zone -Os -Wall -Wextra -Wno-missing-field-initializers -Wno-empty-body -Wno-implicit-fallthrough -Wno-unused-parameter -Werror -I/home/pjones/devel/github.com/shim/main/Cryptlib/OpenSSL -I/home/pjones/devel/github.com/shim/main/Cryptlib -I/home/pjones/devel/github.com/shim/main/Cryptlib/OpenSSL/Include/ -I/home/pjones/devel/github.com/shim/main/Cryptlib/OpenSSL/crypto 
-I/home/pjones/devel/github.com/shim/main/Cryptlib/Include -I/home/pjones/devel/github.com/shim/main/gnu-efi/inc -I/home/pjones/devel/github.com/shim/main/gnu-efi/inc/x86_64 -I/home/pjones/devel/github.com/shim/main/gnu-efi/inc/protocol -I/home/pjones/devel/github.com/shim/main/Cryptlib/OpenSSL/crypto/asn1 -I/home/pjones/devel/github.com/shim/main/Cryptlib/OpenSSL/crypto/evp -I/home/pjones/devel/github.com/shim/main/Cryptlib/OpenSSL/crypto/modes -I/home/pjones/devel/github.com/shim/main/Cryptlib/OpenSSL/crypto/include -isystem /home/pjones/devel/github.com/shim/main/include/system -isystem /usr/lib64/clang/16/include -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC -DMDE_CPU_X64 -c -o crypto/asn1/t_x509.o crypto/asn1/t_x509.c\ncrypto/asn1/t_x509.c:504:18: error: variable 'l' set but not used [-Werror,-Wunused-but-set-variable]\n int ret = 0, l, i;\n ^\n\nSince we normally build with -Werror, these cause builds to fail in\nthese cases. 
While the bad code should be addressed, it appears\ngenerally safe, so we should solve it upstream.\n\nThis patch adds -Wno-unused-but-set-variable to the Cryptlib Makefile,\nand removes the conditionalization on gcc in the OpenSSL Makefile, as\nclang now has this argument, and since we don't support building with\nclang for the final build, it's useful to have clang-based tools\nworking.\n\nSigned-off-by: Peter Jones ","shortMessageHtmlLink":"Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL"}},{"before":"908c388c922c6369cace0b76660198becee2284e","after":"05eae929c52f418fbd4e4fd8f27e332e64868d03","ref":"refs/heads/main","pushedAt":"2023-06-21T19:03:58.198Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"vathpela","name":"Peter Jones","path":"/vathpela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/1063106?s=80&v=4"},"commit":{"message":"Add SbatLevel_Variable.txt to document the various revocations\n\nThis serves to document the SbatLevel Boot Services variable so that\nother boot services code, such as bootmgr can update the revocation\nlevel.\n\nSigned-off-by: Jan Setje-Eilers ","shortMessageHtmlLink":"Add SbatLevel_Variable.txt to document the various revocations"}},{"before":"a8b0b600ddcf02605da8582b4eac1932a3bb13fa","after":"908c388c922c6369cace0b76660198becee2284e","ref":"refs/heads/main","pushedAt":"2023-06-21T18:46:09.927Z","pushType":"push","commitsCount":3,"pusher":{"login":"vathpela","name":"Peter Jones","path":"/vathpela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/1063106?s=80&v=4"},"commit":{"message":"Change type of fallback_verbose_wait from int to unsigned long\n\nThe variable fallback_verbose_wait from now on is of the type unsigned\nlong to match the type of the argument usleep() accepts.\n\nSigned-off-by: Kamil Aronowski ","shortMessageHtmlLink":"Change type of fallback_verbose_wait from int to unsigned 
long"}},{"before":"0bfc3978f4a6a10e4427fdab222b0e50c3c7283c","after":"a8b0b600ddcf02605da8582b4eac1932a3bb13fa","ref":"refs/heads/main","pushedAt":"2023-06-21T17:50:04.077Z","pushType":"push","commitsCount":1,"pusher":{"login":"vathpela","name":"Peter Jones","path":"/vathpela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/1063106?s=80&v=4"},"commit":{"message":"pe: only process RelocDir->Size of reloc section\n\nPreviously processing full padding-aligned Section->Misc.VirtualSize\nrelied on padding reloc entries being inserted by GenFw, which is\nnot required by spec.\n\nThis changes it to only process the amount referenced by Size, rather\nthan VirtualSize which may be bigger than the data present.\n\nSigned-off-by: Mike Beaton ","shortMessageHtmlLink":"pe: only process RelocDir->Size of reloc section"}},{"before":"0640e136842200eb5873e9b2b02b159e15940591","after":"0bfc3978f4a6a10e4427fdab222b0e50c3c7283c","ref":"refs/heads/main","pushedAt":"2023-06-21T17:44:46.058Z","pushType":"push","commitsCount":1,"pusher":{"login":"vathpela","name":"Peter Jones","path":"/vathpela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/1063106?s=80&v=4"},"commit":{"message":"Work around malformed path delimiters in file paths from DHCP\n\nshim uses path delimiters to determine the file path for the second\nstage. 
Currently only / (slash) is detected, but some DHCP\nimplementations supply \\ (backslash) as the path specifier.\n\nThis patch changes it to accept either delimiter.\n\nFixes issue #524.\n\nSigned-off-by: Alberto Perez ","shortMessageHtmlLink":"Work around malformed path delimiters in file paths from DHCP"}},{"before":"0601f44760fb10550422090cc2761065047f56ab","after":"0640e136842200eb5873e9b2b02b159e15940591","ref":"refs/heads/main","pushedAt":"2023-06-06T20:33:54.586Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"vathpela","name":"Peter Jones","path":"/vathpela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/1063106?s=80&v=4"},"commit":{"message":"Add a security contact email address in README.md\n\nSigned-off-by: Peter Jones ","shortMessageHtmlLink":"Add a security contact email address in README.md"}},{"before":"cf59f3452d478455c5f3d83790b37a372d2837ea","after":"0601f44760fb10550422090cc2761065047f56ab","ref":"refs/heads/main","pushedAt":"2023-05-02T20:05:59.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"vathpela","name":"Peter Jones","path":"/vathpela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/1063106?s=80&v=4"},"commit":{"message":"SBAT-related documents formatting and spelling\n\nA rendering error which caused the `_key.EFI` text to be\nrendered as `_key.EFI` has been fixed. The text was being rendered incorrectly by GitHub since the part was being treated as an HTML tag and therefore ignored.\n\nTwo misspellings have been fixed\n\nTables have been reformatted to be more readable as plaintext. 
Rendering remains the same.\n\nSigned-off-by: Kamil Aronowski ","shortMessageHtmlLink":"SBAT-related documents formatting and spelling"}},{"before":"cca3933f48e3a52863322f358c2e8cb8ea80bd57","after":"cf59f3452d478455c5f3d83790b37a372d2837ea","ref":"refs/heads/main","pushedAt":"2023-05-02T18:16:06.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"vathpela","name":"Peter Jones","path":"/vathpela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/1063106?s=80&v=4"},"commit":{"message":"Further improve load_certs() for non-compliant drivers/firmwares\n\nFollowing the discovery of more problematic firmwares and drivers\naffected by the issue f23883ccf78f1f605a272f9e5700f47e5494a71d is\ndesigned to address (e.g. https://github.com/rhboot/shim/issues/558),\nthis patch further improves the code so that, instead of simply bailing\nout, we progressively increase the buffer sizes, until either success\nor a maximum size limit is reached.\n\nIn most cases, this workaround should be enough to ensure completion\nof the directory read and thus provide full shim functionality (while\nstill warning the user about the non-compliance of their environment).\n\nSigned-off-by: Pete Batard ","shortMessageHtmlLink":"Further improve load_certs() for non-compliant drivers/firmwares"}},{"before":"aae3df086a22aa1727889199f730b9d5dc9de78c","after":"cca3933f48e3a52863322f358c2e8cb8ea80bd57","ref":"refs/heads/main","pushedAt":"2023-05-02T18:09:52.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"vathpela","name":"Peter Jones","path":"/vathpela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/1063106?s=80&v=4"},"commit":{"message":"Block Debian grub binaries with SBAT < 4\n\n(See https://bugs.debian.org/1024617)\n\nOne of the Debian builds of grub bumped the SBAT to 3, but didn't\ninclude the patches needed. 
Add \"grub.debian,4\" to block those\nbinaries.\n\nSigned-off-by: Steve McIntyre ","shortMessageHtmlLink":"Block Debian grub binaries with SBAT < 4"}},{"before":"102a658e176b9e0779ba67618ef72eb69021e00a","after":"aae3df086a22aa1727889199f730b9d5dc9de78c","ref":"refs/heads/main","pushedAt":"2023-05-02T18:08:57.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"vathpela","name":"Peter Jones","path":"/vathpela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/1063106?s=80&v=4"},"commit":{"message":"test-sbat: Fix exit code\n\nFix the `main` function in `test-sbat.c` to return the `status` variable\nlike the other `test-*.c` files.\n\nSigned-off-by: Nicholas Bishop ","shortMessageHtmlLink":"test-sbat: Fix exit code"}},{"before":"1f38cb30a5e1dcea97b8d48915515b866ec13c32","after":"102a658e176b9e0779ba67618ef72eb69021e00a","ref":"refs/heads/main","pushedAt":"2023-05-02T18:08:18.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"vathpela","name":"Peter Jones","path":"/vathpela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/1063106?s=80&v=4"},"commit":{"message":"Drop invalid calls to `CRYPTO_set_mem_functions`\n\nThese calls did not check the return value. If they had, it would have\nshown that the calls were failing due to passing `NULL` for the\n`realloc` function pointer. 
That causes an early return, so the calls\nweren't actually doing anything.\n\nThe `malloc`/`realloc`/`free` functions defined in\nCryptlib/SysCall/BaseMemAllocation.c are what actually get used, so just\ndrop the explicit call to `CRYPTO_set_mem_functions`.\n\nSigned-off-by: Nicholas Bishop ","shortMessageHtmlLink":"Drop invalid calls to CRYPTO_set_mem_functions"}},{"before":"f23883ccf78f1f605a272f9e5700f47e5494a71d","after":"1f38cb30a5e1dcea97b8d48915515b866ec13c32","ref":"refs/heads/main","pushedAt":"2023-05-02T17:53:08.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"vathpela","name":"Peter Jones","path":"/vathpela","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/1063106?s=80&v=4"},"commit":{"message":"Optionally allow to keep shim protocol installed\n\nIf the ShimRetainProtocol variable is set, avoid uninstalling our\nprotocol.\nFor example, this allows sd-stub in a UKI to use the shim protocol to\nvalidate PE binaries, even if it is executed by a second stage, before\nthe kernel is loaded.\nEnsure that the variable is volatile and for BootServices access.\nAlso delete it on startup, so that we can be sure it was really set by\na second stage.\n\nExample use case in sd-boot/sd-stub:\n\nhttps://github.com/systemd/systemd/pull/27358\n\nSigned-off-by: Luca Boccassi ","shortMessageHtmlLink":"Optionally allow to keep shim protocol installed"}}],"hasNextPage":false,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"djE6ks8AAAAELFYmEgA","startCursor":null,"endCursor":null}},"title":"Activity · rhboot/shim"}