File shim.changes of Package shim

-------------------------------------------------------------------
Wed Oct  1 07:12:38 UTC 2014 - jsegitz@suse.com

- Update signature-sles.asc: shim signed by UEFI signing service

-------------------------------------------------------------------
Mon Sep 29 17:02:43 UTC 2014 - jsegitz@suse.com

- Fixed buffer overflow and OOB access in shim trusted code path
  (bnc#889332, CVE-2014-3675, CVE-2014-3676, CVE-2014-3677)
  * added bug-889332_shim-mok-oob.patch, bug-889332_shim-overflow.patch

-------------------------------------------------------------------
Mon Aug  4 07:53:22 UTC 2014 - mchang@suse.com

- shim-install: fix GRUB shows broken letters at boot by calling
  grub2-install to initialize /boot/grub2 directory with files 
  needed by grub.cfg (bnc#889765) 

-------------------------------------------------------------------
Tue Jun 10 07:36:01 UTC 2014 - glin@suse.com

- Update signature-sles.asc: shim signed by UEFI signing service,
  based on code from "Wed May 28 04:13:33 UTC 2014"

-------------------------------------------------------------------
Wed May 28 04:13:33 UTC 2014 - glin@suse.com

- Add shim-remove-unused-variables.patch to remove the unused
  variables
- Add shim-bnc872503-check-key-encoding.patch to check the encoding
  of the keys (bnc#872503)
- Add shim-bnc877003-fetch-from-the-same-device.patch to fetch the
  netboot image from the same device (bnc#877003)

-------------------------------------------------------------------
Wed May 14 09:39:02 UTC 2014 - glin@suse.com

- Use --reinit instead of --refresh in %post to update the files
  in /boot

-------------------------------------------------------------------
Thu May  8 08:38:48 UTC 2014 - glin@suse.com

- Update signature-sles.asc: shim signed by UEFI signing service,
  based on code from "Thu Apr 10 08:26:15 UTC 2014".

-------------------------------------------------------------------
Tue Apr 29 07:43:50 UTC 2014 - mchang@suse.com

- shim-install: fix boot partition and rollback support kluge
  (bnc#875385) 

-------------------------------------------------------------------
Thu Apr 10 08:26:15 UTC 2014 - glin@suse.com

- Add shim-allow-fallback-use-system-loadimage.patch to handle the
  shim protocol properly to keep only one protocol entity
  (bnc#868342)
- Add shim-mokmanager-support-sha-family.patch to support SHA
  family

-------------------------------------------------------------------
Mon Mar 31 11:57:13 UTC 2014 - mchang@suse.com

- snapper rollback support (fate#317062)
  - refresh shim-install

-------------------------------------------------------------------
Thu Mar 13 02:32:15 UTC 2014 - glin@suse.com

- Insert the right signature (bnc#867974)

-------------------------------------------------------------------
Wed Mar 12 08:46:18 UTC 2014 - glin@suse.com

- Merge Michael's fix for shim-install: fix the $prefix to use
  grub2-mkrelpath for paths on btrfs subvolume (bnc#866690).

-------------------------------------------------------------------
Mon Mar 10 07:56:44 UTC 2014 - glin@suse.com

- Add shim-fix-uninitialized-variable.patch to fix the use of
  uninitialzed variables in lib

-------------------------------------------------------------------
Fri Mar  7 09:09:12 UTC 2014 - glin@suse.com

- Add shim-mokmanager-delete-bs-var-right.patch to delete the BS+NV
  variables the right way

-------------------------------------------------------------------
Thu Mar  6 07:43:31 UTC 2014 - glin@suse.com

- Add shim-fallback-avoid-duplicate-bootorder.patch to fix the
  duplicate entries in BootOrder

-------------------------------------------------------------------
Tue Mar  4 04:19:05 UTC 2014 - glin@suse.com

- FATE#315002: Update shim-install to install shim.efi as the EFI
  default bootloader when none exists in \EFI\boot.

-------------------------------------------------------------------
Thu Feb 27 09:46:49 UTC 2014 - fcrozat@suse.com

- Update signature-sles.asc: shim signed by UEFI signing service,
  based on code from "Fri Feb 21 02:36:49 UTC 2014".

-------------------------------------------------------------------
Fri Feb 21 02:36:49 UTC 2014 - glin@suse.com

- always clean up generated files that embed certificates
  (shim_cert.h shim.cer shim.crt) to make sure next build loop
  rebuilds them properly
- allow package to carry multiple signatures
- check correct certificate is embedded

-------------------------------------------------------------------
Mon Feb 17 09:58:56 UTC 2014 - glin@suse.com

- Add shim-bnc863205-mokmanager-fix-hash-delete.patch to fix the
  hash deletion operation to avoid ruining the whole list
  (bnc#863205)

-------------------------------------------------------------------
Tue Feb 11 06:24:05 UTC 2014 - glin@suse.com


- Update shim-mokx-support.patch to enable the resetting of MOK
  blacklist
- Add shim-get-variable-check.patch to fix the variable checking
  in get_variable_attr
- Add shim-improve-fallback-entries-creation.patch to improve the
  boot entry pathes and avoid generating the boot entries that
  are already there
- Restore attach_signature.sh, show_hash.sh, and strip_signature.sh
  since those scripts could be useful to generate the EFI image for
  the UEFI signing service
- Match the the prefix of the project name properly by escaping the
  percent sign.

-------------------------------------------------------------------
Fri Jan 24 02:35:43 UTC 2014 - glin@suse.com

- Update SUSE certificate
- Drop attach_signature.sh and show_hash.sh since pesign now can
  proceed the commands without a nss database
- Drop unused script strip_signature.sh
- Update extract_signature.sh and show_signatures.sh to remove the
  creation of the temporary nss database
- Add shim-only-os-name.patch: remove the kernel version of the
  build server
- Enable signature assertion also in SUSE: hierarchy

-------------------------------------------------------------------
Fri Dec  6 06:44:43 UTC 2013 - glin@suse.com

- Add shim-mokmanager-handle-keystroke-error.patch to handle the
  error status from ReadKeyStroke to avoid unexpected keys

-------------------------------------------------------------------
Thu Dec  5 02:05:13 UTC 2013 - glin@suse.com

- Update to 0.7
- Add upstream patches:
  + shim-fix-verify-mok.patch
  + shim-improve-error-messages.patch
  + shim-correct-user_insecure-usage.patch
  + shim-fix-dhcpv4-path-generation.patch
- Add shim-mokx-support.patch to support the MOK blacklist
  (Fate#316531)
- Drop upstreamed patches
  + shim-fix-pointer-casting.patch
  + shim-merge-lf-loader-code.patch
  + shim-fix-simple-file-selector.patch
  + shim-mokmanager-support-crypt-hash-method.patch
  + shim-bnc804631-fix-broken-bootpath.patch
  + shim-bnc798043-no-doulbe-separators.patch
  + shim-bnc807760-change-pxe-2nd-loader-name.patch
  + shim-bnc808106-correct-certcount.patch
  + shim-mokmanager-ui-revamp.patch
  + shim-netboot-fixes.patch
  + shim-mokmanager-disable-gfx-console.patch
- Drop shim-suse-build.patch: it's not necessary anymore
- Drop shim-bnc841426-silence-shim-protocols.patch: shim is not
  verbose by default

-------------------------------------------------------------------
Thu Oct 31 09:11:18 UTC 2013 - fcrozat@suse.com

- Update microsoft.asc: shim signed by UEFI signing service, based
  on code from "Tue Oct  1 04:29:29 UTC 2013".

-------------------------------------------------------------------
Tue Oct  1 04:29:29 UTC 2013 - glin@suse.com

- Add shim-netboot-fixes.patch to include upstream netboot fixes
- Add shim-mokmanager-disable-gfx-console.patch to disable the
  graphics console to avoid system hang on some machines
- Add shim-bnc841426-silence-shim-protocols.patch to silence the
  shim protocols (bnc#841426)

-------------------------------------------------------------------
Wed Sep 25 07:17:54 UTC 2013 - glin@suse.com

- Create boot.csv in ESP for fallback.efi to restore the boot entry

-------------------------------------------------------------------
Tue Sep 17 10:53:50 CEST 2013 - fcrozat@suse.com

- Update microsoft.asc: shim signed by UEFI signing service, based
  on code from "Fri Sep  6 13:57:36 UTC 2013".
- Improve extract_signature.sh to work on current path.

-------------------------------------------------------------------
Fri Sep  6 13:57:36 UTC 2013 - lnussel@suse.de

- set timestamp of PE file to time of the binary the signature was
  made for.
- make sure cert.o get's rebuilt for each target

-------------------------------------------------------------------
Fri Sep  6 11:48:14 CEST 2013 - fcrozat@suse.com

- Update microsoft.asc: shim signed by UEFI signing service, based
  on code from "Wed Aug 28 15:54:38 UTC 2013"

-------------------------------------------------------------------
Wed Aug 28 15:54:38 UTC 2013 - lnussel@suse.de

- always build a shim that embeds the distro's certificate (e.g.
  shim-opensuse.efi). If the package is built in the devel project
  additionally shim-devel.efi is created. That allows us to either
  load grub2/kernel signed by the distro or signed by the devel
  project, depending on use case. Also shim-$distro.efi from the
  devel project can be used to request additional signatures.

-------------------------------------------------------------------
Wed Aug 28 07:16:51 UTC 2013 - lnussel@suse.de

- also include old openSUSE 4096 bit certificate to be able to still
  boot kernels signed with that key.
- add show_signatures script

-------------------------------------------------------------------
Tue Aug 27 06:41:03 UTC 2013 - lnussel@suse.de

- replace the 4096 bit openSUSE UEFI CA certificate with new a
  standard compliant 2048 bit one.

-------------------------------------------------------------------
Tue Aug 20 11:48:25 UTC 2013 - lnussel@suse.de

- fix shell syntax error

-------------------------------------------------------------------
Wed Aug  7 15:51:36 UTC 2013 - lnussel@suse.de

- don't include binary in the sources. Instead package the raw
  signature and attach it during build (bnc#813448).

-------------------------------------------------------------------
Tue Jul 30 07:36:28 UTC 2013 - glin@suse.com

- Update shim-mokmanager-ui-revamp.patch to include fixes for
  MokManager
  + reboot the system after clearing MOK password
  + fetch more info from X509 name
  + check the suffix of the key file

-------------------------------------------------------------------
Tue Jul 23 03:55:05 UTC 2013 - glin@suse.com

- Update to 0.4
- Rebase patches
  + shim-suse-build.patch
  + shim-mokmanager-support-crypt-hash-method.patch
  + shim-bnc804631-fix-broken-bootpath.patch
  + shim-bnc798043-no-doulbe-separators.patch
  + shim-bnc807760-change-pxe-2nd-loader-name.patch
  + shim-bnc808106-correct-certcount.patch 
  + shim-mokmanager-ui-revamp.patch
- Add patches
  + shim-merge-lf-loader-code.patch: merge the Linux Foundation
    loader UI code
  + shim-fix-pointer-casting.patch: fix a casting issue and the
    size of an empty vendor cert
  + shim-fix-simple-file-selector.patch: fix the buffer allocation
    in the simple file selector
- Remove upstreamed patches
  + shim-support-mok-delete.patch
  + shim-reboot-after-changes.patch
  + shim-clear-queued-key.patch
  + shim-local-key-sign-mokmanager.patch
  + shim-get-2nd-stage-loader.patch
  + shim-fix-loadoptions.patch
- Remove unused patch: shim-mokmanager-new-pw-hash.patch and
  shim-keep-unsigned-mokmanager.patch
- Install the vendor certificate to /etc/uefi/certs

-------------------------------------------------------------------
Wed May  8 06:40:12 UTC 2013 - glin@suse.com

- Add shim-mokmanager-ui-revamp.patch to update the MokManager UI

-------------------------------------------------------------------
Wed Apr  3 03:54:22 UTC 2013 - glin@suse.com

- Call update-bootloader in %post to update *.efi in \efi\opensuse
  (bnc#813079) 

-------------------------------------------------------------------
Fri Mar  8 06:53:47 UTC 2013 - glin@suse.com

- Add shim-bnc807760-change-pxe-2nd-loader-name.patch to change the
  PXE 2nd stage loader name (bnc#807760)
- Add shim-bnc808106-correct-certcount.patch to correct the
  certificate count of the signature list (bnc#808106)

-------------------------------------------------------------------
Fri Mar  1 10:07:55 UTC 2013 - glin@suse.com

- Add shim-bnc798043-no-doulbe-separators.patch to remove double
  seperators from the bootpath (bnc#798043#c4)

-------------------------------------------------------------------
Thu Feb 28 08:57:48 UTC 2013 - lnussel@suse.de

- sign shim also with openSUSE certificate

-------------------------------------------------------------------
Wed Feb 27 15:52:53 CET 2013 - mls@suse.de

- identify project, export certificate as DER file
- don't create an unused extra keypair

-------------------------------------------------------------------
Thu Feb 21 10:08:12 UTC 2013 - glin@suse.com

- Add shim-bnc804631-fix-broken-bootpath.patch to fix the broken
  bootpath generated in generate_path(). (bnc#804631)

-------------------------------------------------------------------
Mon Feb 11 12:15:25 UTC 2013 - fcrozat@suse.com

- Update with shim signed by UEFI signing service, based on code
  from "Thu Feb  7 06:56:19 UTC 2013".

-------------------------------------------------------------------
Thu Feb  7 13:54:06 UTC 2013 - lnussel@suse.de

- prepare for having a signed shim from the UEFI signing service

-------------------------------------------------------------------
Thu Feb  7 06:56:19 UTC 2013 - glin@suse.com

- Sign shim-opensuse.efi and MokManager.efi with the openSUSE cert
- Add shim-keep-unsigned-mokmanager.patch to keep the unsigned
  MokManager and sign it later.

-------------------------------------------------------------------
Wed Feb  6 06:35:45 UTC 2013 - mchang@suse.com

- Add shim-install utility
- Add Recommends to grub2-efi 

-------------------------------------------------------------------
Wed Jan 30 09:00:31 UTC 2013 - glin@suse.com

- Add shim-mokmanager-support-crypt-hash-method.patch to support
  password hash from /etc/shadow (FATE#314506)

-------------------------------------------------------------------
Tue Jan 29 03:20:48 UTC 2013 - glin@suse.com

- Embed openSUSE-UEFI-CA-Certificate.crt in shim
- Rename shim-unsigned.efi to shim-opensuse.efi.

-------------------------------------------------------------------
Fri Jan 18 10:06:13 UTC 2013 - glin@suse.com

- Update shim-mokmanager-new-pw-hash.patch to extend the password
  hash format
- Rename shim.efi as shim-unsigned.efi

-------------------------------------------------------------------
Wed Jan 16 08:01:55 UTC 2013 - glin@suse.com

- Merge patches for FATE#314506
  + Add shim-support-mok-delete.patch to add support for deleting
    specific keys
  + Add shim-mokmanager-new-pw-hash.patch to support the new
    password hash.
- Drop shim-correct-mok-size.patch which is included in
  shim-support-mok-delete.patch
- Merge shim-remove-debug-code.patch and
  shim-local-sign-mokmanager.patch into
  shim-local-key-sign-mokmanager.patch
- Install COPYRIGHT

-------------------------------------------------------------------
Tue Jan 15 03:17:53 UTC 2013 - glin@suse.com

- Add shim-fix-loadoptions.patch to adopt the UEFI shell style
  LoadOptions (bnc#798043)
- Drop shim-check-pk-kek.patch since upstream rejected the patch
  due to violation of SPEC.
- Install EFI binaries to /usr/lib64/efi

-------------------------------------------------------------------
Wed Dec 26 07:05:02 UTC 2012 - glin@suse.com

- Update shim-reboot-after-changes.patch to avoid rebooting the
  system after enrolling keys/hashes from the file system
- Add shim-correct-mok-size.patch to correct the size of MOK
- Add shim-clear-queued-key.patch to clear the queued key and show
  the menu properly

-------------------------------------------------------------------
Wed Dec 12 15:16:18 UTC 2012 - fcrozat@suse.com

- Remove shim-rpmlintrc, it wasn't fixing the error, hide error
  stdout to prevent post build check to get triggered by cast
  warnings in openSSL code
- Add shim-remove-debug-code.patch: remove debug code

-------------------------------------------------------------------
Wed Dec 12 04:01:52 UTC 2012 - glin@suse.com

- Add shim-rpmlintrc to filter 64bit portability errors

-------------------------------------------------------------------
Tue Dec 11 07:36:32 UTC 2012 - glin@suse.com

- Add shim-local-sign-mokmanager.patch to create a local certicate
  to sign MokManager
- Add shim-get-2nd-stage-loader.patch to get the second stage
  loader path from the load options
- Add shim-check-pk-kek.patch to verify EFI images with PK and KEK
- Add shim-reboot-after-changes.patch to reboot the system after
  enrolling or erasing keys
- Install the EFI images to /usr/lib64/shim instead of the EFI
  partition
- Update the mail address of the author

-------------------------------------------------------------------
Fri Nov  2 08:19:37 UTC 2012 - glin@suse.com

- Add new package shim 0.2 (FATE#314484)
  + It's in fact git 2fd180a92 since there is no tag for 0.2

openSUSE Build Service is sponsored by