shim (15.7-0ubuntu1) kinetic; urgency=medium

  * New upstream version 15.7 (LP: #1996503), highlights:
    - Enable TDX measurements (LP: #1995852)
    - Flush the memory region from i-cache before execution (LP: #1987541)
    - Introspectable SBAT payload for TPM resealing efforts
    - Don't measure MokListTrusted to PCR7
    - SBAT level: shim,3
    - SBAT policy bumped to grub,2 in previous and grub,3 in latest:
      SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
      Note that shim requirement was not bumped as shim,2 shims are not
      commonly available yet.
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
    - CVE-2022-28737
  * Rebase patches, only ubuntu-no-addend-vendor-dbx.patch remains
  * Import 20221103 Canonical vendor dbx.
    This vendor dbx revokes all certificates that have been used
    so far.
    - CN = Canonical Ltd. Secure Boot Signing
    - CN = Canonical Ltd. Secure Boot Signing (2017)
    - CN = Canonical Ltd. Secure Boot Signing (ESM 2018)
    - CN = Canonical Ltd. Secure Boot Signing (2019)
    - CN = Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v1)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v2)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v3)
  * Build-Depend on libefivar-dev
  * debian/rules: Update COMMIT_ID

 -- Julian Andres Klode <email address hidden>  Fri, 18 Nov 2022 16:00:39 +0100
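
Added example (not part of the changelog or of shim's own code): a simplified model of the SBAT generation comparison, applied to the two policy strings quoted in the 15.7 entry above. The .sbat section contents and the function names are constructed for illustration.

```python
import csv
import io

# Policy strings exactly as quoted in the 15.7 changelog entry.
POLICY_LATEST = "shim,2\ngrub,3\n"
POLICY_PREVIOUS = "grub,2\n"

# Constructed .sbat section contents (vendor, version and URL fields are
# placeholders, not taken from any real binary).
SBAT_HEADER = "sbat,1,SBAT Version,sbat,1,https://example.invalid/sbat\n"
GRUB_GEN2 = (SBAT_HEADER
             + "grub,2,Example Upstream,grub,0.0,https://example.invalid/grub\n"
             + "grub.ubuntu,1,Example Vendor,grub2,0.0,https://example.invalid/\n")
SHIM_GEN3 = SBAT_HEADER + "shim,3,Example Upstream,shim,15.7,https://example.invalid/shim\n"
SHIM_GEN1 = SBAT_HEADER + "shim,1,Example Upstream,shim,0.0,https://example.invalid/shim\n"


def parse_levels(text):
    """Map component name -> generation from CSV lines.

    Only the first two columns are used, so this reads both a policy string
    ("component,generation") and a full .sbat section (six columns).
    """
    levels = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2:
            continue  # skip blank lines
        levels[row[0].strip()] = int(row[1])  # non-numeric generation raises
    return levels


def revoked_components(sbat_section, policy):
    """Return the components whose generation is below the policy minimum.

    Components the policy does not name are not restricted by it.
    """
    minimum = parse_levels(policy)
    present = parse_levels(sbat_section)
    return sorted(name for name, gen in present.items()
                  if name in minimum and gen < minimum[name])


if __name__ == "__main__":
    for label, section in (("grub,2", GRUB_GEN2), ("shim,3", SHIM_GEN3),
                           ("shim,1", SHIM_GEN1)):
        print(label,
              "latest:", revoked_components(section, POLICY_LATEST),
              "previous:", revoked_components(section, POLICY_PREVIOUS))
```

A grub,2 binary passes the previous policy but is rejected under latest, and a shim,1 binary is only rejected under latest because previous carries no shim entry.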
-
shim (15.4-0ubuntu9) hirsute; urgency=medium

  * Fix booting installer media on some machines (LP: #1937115)
    - Always fallback to the default loader (PR #393)
    - Dump load options parsed (PR #393)
    - Disable load option parsing on removable media path (PR #399)
  * trivial: Fix a minor overflow in the mok importing code (PR #365)
  * Fix fall back loader to find the correct boot entry, avoiding potential
    corruption of firmware (PR #396).

 -- Julian Andres Klode <email address hidden>  Fri, 06 Aug 2021 13:16:33 +0200
-
shim (15.4-0ubuntu7) hirsute; urgency=medium

  * Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
  * Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
  * Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
  * mok: relax the maximum variable size check (LP: #1934780) (PR #369)

 -- Julian Andres Klode <email address hidden>  Wed, 07 Jul 2021 10:57:35 +0200
-
shim (15.4-0ubuntu5) hirsute; urgency=medium

  * Rebuild in hirsute to get a more stable target to keep shim reproducible
    for a longer time.

shim (15.4-0ubuntu3) impish; urgency=medium

  [ Steve Langasek ]
  * Use -Zxz compression, for compatibility with dpkg in older releases.
    LP: #1925673

  [ Julian Andres Klode ]
  * Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
    is causing systems to run out of EFI storage space, or just hang up
    when trying to write it (LP: #1924605) (LP: #1928434)
  * Further relax the check for variable mirroring on non-secureboot systems
    avoiding boot failures on out of space conditions (pull request #372)

  [ Seth Forshee ]
  * Don't unhook ExitBootServices() when EBS protection is disabled (LP: #1931136)
    (pull request #378)

 -- Julian Andres Klode <email address hidden>  Wed, 16 Jun 2021 12:52:45 +0200
-
shim (15+1552672080.a4a1fbe-0ubuntu2) focal; urgency=medium

  * d/patches/fix-path-checks.patch: Cherry-pick upstream fix for regression
    in loading fwupd, or anything else specified as an argument (LP: #1864223)

 -- Julian Andres Klode <email address hidden>  Fri, 20 Mar 2020 16:19:14 +0100
-
shim (15+1552672080.a4a1fbe-0ubuntu1) eoan; urgency=medium

  * New upstream snapshot 15+1552672080.a4a1fbe.
  * debian/patches/VLogError-Avoid-NULL-pointer-dereferences-in-V-Sprin.patch,
    debian/patches/fixup_git.patch: drop patches included in upstream.
  * debian/patches/MokManager-avoid-unaligned.patch: Fix compilation with GCC9:
    avoid -Werror=address-of-packed-member errors in MokManager.
  * debian/patches/tpm-correctness-1.patch,
    debian/patches/tpm-correctness-2.patch: fix issues in TPM calls to ensure
    the measurements are consistent with what is entered in the TPM event log.
  * debian/patches/tpm-correctness-3.patch: Don't log duplicate identical
    TPM events.
  * debian/patches/MokManager-hidpi-support.patch: Do a little bit more to
    try to get a more usable screen resolution for MokManager when running on
    HiDPI screens; by trying to detect such cases and switching to mode 0.
  * debian/rules: update COMMIT_ID explicitly for this new snapshot.

 -- Mathieu Trudel-Lapierre <email address hidden>  Fri, 11 Oct 2019 16:32:32 -0400
-
shim (15+1533136590.3beb971-0ubuntu1) cosmic; urgency=medium

  [ Steve Langasek ]
  * Fix Vcs link.

  [ dann frazier ]
  * Enable arm64 build.

  [ Mathieu Trudel-Lapierre ]
  * New upstream snapshot.
  * debian/patches/abort_abort_abort.patch: dropped patch, included upstream.
  * debian/rules:
    - define RELEASE and COMMIT_ID for the snapshot.
    - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
  * debian/patches/fixup_git.patch: don't run git in clean; we're not really
    in a git tree.

 -- Mathieu Trudel-Lapierre <email address hidden>  Wed, 22 Aug 2018 10:52:10 -0400