Commits on Sep 18, 2015
  1. Fix recursive reference for RELEASE

    Building 0.9 with GNU Make 4.0 fails with the following error:
    
    Makefile:4: *** Recursive variable 'RELEASE' references itself (eventually).  Stop.
    
    Change RELEASE to simply-expanded.
    
    Signed-off-by: Linn Crosetto <linn@hpe.com>
    lcrosetto committed with vathpela Sep 17, 2015
Commits on Jul 28, 2015
  1. Specify the gnu89 standard

    According to the gcc5 porting guideline (*), gcc5 defaults to
    -std=gnu11 instead of -std=gnu89. Append -std=gnu89 to CFLAGS
    to avoid the potential problems.
    
    (*) https://gcc.gnu.org/gcc-5/porting_to.html
    
    Based on the patch from Cristian Rodriguez <crrodriguez@opensuse.org>
    
    Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
    lcp committed with vathpela Jul 13, 2015
  2. Openssl: Add EFIAPI for ERR_add_error_vdata

    Without declaring EFIAPI for ERR_add_error_vdata, shim would crash
    while verifying the loaded image.
    
    Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
    lcp committed with vathpela Jul 15, 2015
  3. Update openssl to 1.0.2d

    Also update Cryptlib to edk2 r17731
    
    Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
    lcp committed with vathpela Jul 13, 2015
Commits on Jun 30, 2015
  1. Typo on aarch64 :/

    Signed-off-by: Peter Jones <pjones@redhat.com>
    vathpela committed Jun 30, 2015
  2. 0.9

    Signed-off-by: Peter Jones <pjones@redhat.com>
    vathpela committed Jun 19, 2015
  3. Improve our debuginfo path print

    Signed-off-by: Peter Jones <pjones@redhat.com>
    vathpela committed Jun 30, 2015
  4. Make sure our build-id notes wind up at a reasonable place.

    Signed-off-by: Peter Jones <pjones@redhat.com>
    vathpela committed Jun 29, 2015
Commits on Jun 29, 2015
  1. Only be verbose the first time secure_mode() is called.

    It's annoying to find out we're not in SB mode over and over.  Really it
    is.
    
    Signed-off-by: Peter Jones <pjones@redhat.com>
    vathpela committed Jun 21, 2015
  2. Add a conditional point for a debugger to attach.

    Signed-off-by: Peter Jones <pjones@redhat.com>
    vathpela committed Jun 20, 2015
  3. More incorrect unsigned vs signed fixups from yours truly.

    Woops.
    
    Signed-off-by: Peter Jones <pjones@redhat.com>
    vathpela committed Jun 19, 2015
  4. Don't print anything or delay when start_image() succeeds.

    Signed-off-by: Peter Jones <pjones@redhat.com>
    vathpela committed Jun 19, 2015
Commits on Jun 16, 2015
  1. MokManager: Nerf SHA-1 again for actual hashes and signatures.

    Nobody should be deploying SHA-1.  No hardware deploys it, and the rate
    of change on https://en.wikipedia.org/wiki/SHA-1#Attacks is wildly
    uninspiring.
    
    Signed-off-by: Peter Jones <pjones@redhat.com>
    vathpela committed Jun 16, 2015
  2. MokManager: fix comparison between signed and unsigned integer

    Patch from Johannes Segitz <jsegitz@suse.com>
    lcp committed with vathpela Oct 28, 2014
  3. MokManager: Discard the list contains an invalid signature

    Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
    lcp committed with vathpela Apr 10, 2014
  4. MokManager: Support SHA224, SHA384, and SHA512

    Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
    lcp committed with vathpela Apr 10, 2014
  5. MokManager: Add more key list safe checks

    Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
    lcp committed with vathpela Apr 10, 2014
  6. MokManager: fix the return value and type

    There are some functions that the return value and the type
    didn't match.
    
    Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
    lcp committed with vathpela Apr 9, 2014
  7. MokManager: Support SHA1 hash in MOK

    Add SHA1 hash support and amend the code to make it easier to support
    other SHA digests.
    lcp committed with vathpela Apr 3, 2014
  8. MokManager: fix the hash list counting in delete

    match_hash() requests the number of keys in a list and it was
    mistakenly replaced with the size of the Mok node. This would
    make MokManager remove the whole Mok node instead of one
    hash.
    
    Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
    lcp committed with vathpela Feb 17, 2014
  9. MokManager: calculate the variable size correctly

    MokSize of the hash signature list includes the owner GUID,
    so we should not add the 16-byte compensation.
    
    Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
    lcp committed with vathpela Feb 13, 2014
  10. Make shim to check MokXAuth for MOKX reset

    Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
    lcp committed with vathpela Feb 11, 2014
  11. Verify the EFI images with MOK blacklist

    Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
    lcp committed with vathpela Nov 4, 2013
  12. Copy the MOK blacklist to a RT variable

    Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
    lcp committed with vathpela Oct 28, 2013
  13. MokManager: Write the hash list properly

    also return to the previous entry in the list
    
    Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
    lcp committed with vathpela Oct 25, 2013
  14. MokManager: Match all hashes in the list

    Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
    lcp committed with vathpela Oct 25, 2013
  15. MokManager: delete the hash properly

    Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
    lcp committed with vathpela Oct 25, 2013
  16. MokManager: show the hash list properly

    Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
    lcp committed with vathpela Oct 24, 2013
  17. Support MOK blacklist

    The new blacklist, MokListX, stores the keys and hashes that are
    banned.
    
    Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
    lcp committed with vathpela Oct 24, 2013
  18. Fix console_print_box*() parameters.

    When we made lib build with the correct CFLAGS, it inherited
    -Werror=sign-compare, and I fixed up some parameters on
    console_print_box() and console_print_box_at() to avoid sign comparison
    errors.
    
    The fixups were *completely wrong*, as some behavior relies on negative
    values.  So this fixes them in a completely different way, by casting
    appropriately to signed types where we're doing comparisons.
    
    Signed-off-by: Peter Jones <pjones@redhat.com>
    vathpela committed Jun 11, 2015
Commits on Jun 11, 2015
  1. Ensure that apps launched by shim get correct BS->Exit() behavior

    Right now applications run by shim get our wrapper for Exit(), but it
    doesn't do as much cleanup as it should - shim itself also exits, but
    currently is not doing all the cleanup it should be doing.
    
    This changes it so all of shim's cleanup is also performed.
    
    Based on a patch and lots of review from Gary Lin.
    
    Signed-off-by: Peter Jones <pjones@redhat.com>
    vathpela committed Jun 5, 2015
  2. Don't leave in_protocol==1 when shim_verify() isn't enforcing.

    Right now if shim_verify() sees secure_mode()==0, it exits with
    EFI_SUCCESS, but accidentally leaves in_protocol=1.  This means any
    other call will have suppressed error/warning messages.
    
    That's wrong, so don't do it.
    
    Signed-off-by: Peter Jones <pjones@redhat.com>
    vathpela committed Jun 11, 2015
Commits on Jun 4, 2015
  1. Only run MokManager if asked or a security violation occurs.

    Don't run MokManager on any random error from start_image(second_stage);
    only try it if it /is/ the second stage, or if start_image gave us
    EFI_SECURITY_VIOLATION.
    
    Signed-off-by: Peter Jones <pjones@redhat.com>
    vathpela committed Jun 4, 2015
Commits on May 12, 2015
  1. Make the build failed with objcopy < 2.24

    The wildcard support was introduced in objcopy since binutils 2.24.
    However, objcopy < 2.24 never issues any warning message with the
    wildcard and a faulty binary will be generated. This commit makes
    the build failed as a notification for the usage of binutils < 2.24.
    
    Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
    lcp committed with vathpela Dec 12, 2014
  2. Update Cryptlib and openssl

    Update Cryptlib to r16559 and openssl to 0.9.8zf
    
    Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
    lcp committed with vathpela Mar 31, 2015