Tags: rhboot/shim

15.8

This tag was signed with the committer’s verified signature (vathpela Peter Jones).
shim 15.8:

What's changed
* Various CVE fixes:
  - CVE-2023-40546 mok: fix LogError() invocation
  - CVE-2023-40547 - avoid incorrectly trusting HTTP headers
  - CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
  - CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
  - CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
  - CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
* Add make infrastructure to set the NX_COMPAT flag by @vathpela in rhboot#530
* Make sbat_var.S parse right with buggy gcc/binutils by @vathpela in rhboot#535
* Drop invalid calls to CRYPTO_set_mem_functions by @nicholasbishop in rhboot#537
* pe: Align section size up to page size for mem attrs by @nicholasbishop in rhboot#539
* test-sbat: Fix exit code by @vathpela in rhboot#540
* pe: Add IS_PAGE_ALIGNED macro by @nicholasbishop in rhboot#541
* CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper by @nicholasbishop in rhboot#546
* Don't loop forever in load_certs() with buggy firmware by @rmetrich in rhboot#547
* Block Debian grub binaries with SBAT < 4 by @steve-mcintyre in rhboot#550
* Shim unable to locate grubx64 in PXE boot mode when grubx64 is stored in a different file path by @Alberto-Perez-Guevara in rhboot#551
* Further improve load_certs() for non-compliant drivers/firmwares by @pbatard in rhboot#560
* pe: only process RelocDir->Size of reloc section by @mikebeaton in rhboot#562
* Rename 'msecs' to 'usecs' to avoid potential confusion by @aronowski in rhboot#563
* Optionally allow to keep shim protocol installed by @bluca in rhboot#565
* SBAT-related documents formatting and spelling by @aronowski in rhboot#566
* Add SbatLevel_Variable.txt to document the various revocations by @jsetje in rhboot#569
* Add a security contact email address in README.md by @vathpela in rhboot#572
* Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL by @vathpela in rhboot#576
* mok: fix LogError() invocation by @vathpela in rhboot#577
* Minor housekeeping by @vathpela in rhboot#578
* Test ImageAddress() by @vathpela in rhboot#579
* FreePages() is used to return memory allocated by AllocatePages() by @dennis-tseng99 in rhboot#580
* Size should minus 1 when calculating 'RelocBaseEnd' by @jsetje in rhboot#581
* Verify signature before verifying sbat levels by @jsetje in rhboot#583
* Add libFuzzer support for csv.c and sbat.c by @vathpela in rhboot#584
* mok: Avoid underflow in maximum variable size calculation by @alpernebbi in rhboot#587
* Housekeeping by @vathpela in rhboot#605

Signed-off-by: Peter Jones <pjones@redhat.com>

latest-release

This tag was signed with the committer’s verified signature (vathpela Peter Jones).
shim 15.8: (same tag message as the 15.8 tag above)

15.8-rc1

This tag was signed with the committer’s verified signature (vathpela Peter Jones).
shim-15.8-rc1

Alberto Perez (1):
      Work around malformed path delimiters in file paths from DHCP

Alper Nebi Yasak (1):
      mok: Avoid underflow in maximum variable size calculation

Dennis Tseng (2):
      Work around ImageAddress() usage mistake
      Correctly free memory allocated in handle_image()

Jan Setje-Eilers (7):
      Add SbatLevel_Variable.txt to document the various revocations
      Verify signature before verifying sbat levels
      Allow SbatLevel data from external binary
      Always clear SbatLevel when Secure Boot is disabled
      BS Variables for bootmgr revocations
      shim should not self revoke
      Print message when refusing to apply SbatLevel

Kamil Aronowski (4):
      SBAT-related documents formatting and spelling
      Skip testing msleep()
      Rename 'msecs' to 'usecs' to avoid potential confusion
      Change type of fallback_verbose_wait from int to unsigned long

Long Qin (1):
      CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper

Luca Boccassi (1):
      Optionally allow to keep shim protocol installed

Mike Beaton (1):
      pe: only process RelocDir->Size of reloc section

Nicholas Bishop (4):
      pe: Align section size up to page size for mem attrs
      pe: Add IS_PAGE_ALIGNED macro
      Drop invalid calls to `CRYPTO_set_mem_functions`
      test-sbat: Fix exit code

Pete Batard (1):
      Further improve load_certs() for non-compliant drivers/firmwares

Peter Jones (28):
      Make sbat_var.S parse right with buggy gcc/binutils
      Enable the NX compatibility flag by default.
      Add a security contact email address in README.md
      Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL
      Add a make rule for compile_commands.json
      Add gnu-stack notes
      test: Make our fake dprintf be a statement.
      Remove CentOS 7 test builds.
      Split pe.c up even more.
      Test (and fix) ImageAddress()
      Add libFuzzer support for csv.c
      Fix a 1-byte memory leak in .sbat parsing.
      Add libFuzzer support to the .sbat parser.
      Make some of the static analysis tools a little easier to run
      compile_commands.json: remove stuff clang doesn't like
      CVE-2023-40546 mok: fix LogError() invocation
      Add primitives for overflow-checked arithmetic operations.
      pe-relocate: Add a fuzzer for read_header()
      CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
      pe-relocate: make read_header() use checked arithmetic operations.
      CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
      pe-relocate: Ensure nothing else implements CVE-2023-40550
      CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
      CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
      Further mitigations against CVE-2023-40546 as a class
      sbat revocations: check the full section name
      CVE-2023-40547 - avoid incorrectly trusting HTTP headers
      Print errors when setting/clearing memory attrs

Renaud Métrich (1):
      Don't loop forever in load_certs() with buggy firmware

Steve McIntyre (1):
      Block Debian grub binaries with SBAT < 4

15.7

This tag was signed with the committer’s verified signature (frozencemetery Robbie Harwood).
shim 15.7

What's Changed
* Make SBAT variable payload introspectable by @chrisccoulson in rhboot#483
* Reference MokListRT instead of MokList by @esnowberg in rhboot#488
* Add a link to the test plan in the readme. by @vathpela in rhboot#494
* [V3] Enable TDX measurement to RTMR register by @kenplusplus in rhboot#485
* Discard load-options that start with a NUL by @frozencemetery in rhboot#505
* load_cert_file bugs by @esnowberg in rhboot#523
* Add -malign-double to IA32 compiler flags by @nicholasbishop in rhboot#516
* pe: Fix image section entry-point validation by @iokomin in rhboot#518
* make-archive: Build reproducible tarball by @julian-klode in rhboot#527
* mok: remove MokListTrusted from PCR 7 by @baloo in rhboot#519
* Shim 15.7 version update by @vathpela in rhboot#528

New Contributors
* @kenplusplus made their first contribution in rhboot#485
* @iokomin made their first contribution in rhboot#518
* @baloo made their first contribution in rhboot#519

**Full Changelog**: rhboot/shim@15.6...15.7

15.6

This tag was signed with the committer’s verified signature (vathpela Peter Jones).
shim-15.6

What's Changed
* MokManager: removed Locate graphic output protocol fail error message by @joeyli in rhboot#441
* shim: implement SBAT verification for the shim_lock protocol by @chrisccoulson in rhboot#456
* post-process-pe: Fix a missing return code check by @vathpela in rhboot#462
* Update github actions matrix to be more useful by @frozencemetery in rhboot#469
* Add f36 and centos9 CI builds by @vathpela in rhboot#470
* post-process-pe: Fix format string warnings on 32-bit platforms by @steve-mcintyre in rhboot#464
* tests: also look for system headers in multi-arch directories by @steve-mcintyre in rhboot#466
* tests: fix gcc warnings by @akodanev in rhboot#463
* Allow MokListTrusted to be enabled by default by @esnowberg in rhboot#455
* Add code of conduct by @frozencemetery in rhboot#427
* Re-add ARM AArch64 support by @vathpela in rhboot#468
* Use ASCII as fallback if Unicode Box Drawing characters fail by @vathpela in rhboot#428
* make: don't treat cert.S specially by @vathpela in rhboot#475
* shim: use SHIM_DEVEL_VERBOSE when built in devel mode by @vathpela in rhboot#474
* Break out of the inner sbat loop if we find the entry. by @vathpela in rhboot#476
* Support loading additional certificates by @esnowberg in rhboot#446
* Add support for NX (W^X) mitigations. by @vathpela in rhboot#459
* Misc fixups from scan-build. by @vathpela in rhboot#477
* Fix preserve_sbat_uefi_variable() logic by @jsetje in rhboot#478
* SBAT Policy latest should be a one-shot by @jsetje in rhboot#481
* pe: Fix a buffer overflow when SizeOfRawData > VirtualSize by @chriscoulson
* pe: Perform image verification earlier when loading grub by @chriscoulson
* Update advertised sbat generation number for shim by @jsetje
* Update SBAT generation requirements for 05/24/22 by @jsetje
* Also avoid CVE-2022-28737 in verify_image() by @vathpela

New Contributors
* @joeyli made their first contribution in rhboot#441
* @akodanev made their first contribution in rhboot#463
* @esnowberg made their first contribution in rhboot#455

**Full Changelog**: rhboot/shim@15.5...15.6

15.6-rc2

This tag was signed with the committer’s verified signature (vathpela Peter Jones).
shim-15.6~rc2

What's Changed
* SBAT Policy latest should be a one-shot by @jsetje in rhboot#481
* pe: Fix a buffer overflow when SizeOfRawData > VirtualSize by @chriscoulson
* pe: Perform image verification earlier when loading grub by @chriscoulson
* Update advertised sbat generation number for shim by @jsetje
* Update SBAT generation requirements for 05/24/22 by @jsetje
* Also avoid CVE-2022-28737 in verify_image() by @vathpela

**Full Changelog**: https://github.com/rhboot/shim/compare/15.6-rc1..15.6-rc2

15.6-rc1

This tag was signed with the committer’s verified signature (vathpela Peter Jones).
shim-15.6~rc1

What's Changed
* MokManager: removed Locate graphic output protocol fail error message by @joeyli in rhboot#441
* shim: implement SBAT verification for the shim_lock protocol by @chrisccoulson in rhboot#456
* post-process-pe: Fix a missing return code check by @vathpela in rhboot#462
* Update github actions matrix to be more useful by @frozencemetery in rhboot#469
* Add f36 and centos9 CI builds by @vathpela in rhboot#470
* post-process-pe: Fix format string warnings on 32-bit platforms by @steve-mcintyre in rhboot#464
* tests: also look for system headers in multi-arch directories by @steve-mcintyre in rhboot#466
* tests: fix gcc warnings by @akodanev in rhboot#463
* Allow MokListTrusted to be enabled by default by @esnowberg in rhboot#455
* Add code of conduct by @frozencemetery in rhboot#427
* Re-add ARM AArch64 support by @vathpela in rhboot#468
* Use ASCII as fallback if Unicode Box Drawing characters fail by @vathpela in rhboot#428
* make: don't treat cert.S specially by @vathpela in rhboot#475
* shim: use SHIM_DEVEL_VERBOSE when built in devel mode by @vathpela in rhboot#474
* Break out of the inner sbat loop if we find the entry. by @vathpela in rhboot#476
* Support loading additional certificates by @esnowberg in rhboot#446
* Add support for NX (W^X) mitigations. by @vathpela in rhboot#459
* Misc fixups from scan-build. by @vathpela in rhboot#477
* Fix preserve_sbat_uefi_variable() logic by @jsetje in rhboot#478

New Contributors
* @joeyli made their first contribution in rhboot#441
* @akodanev made their first contribution in rhboot#463
* @esnowberg made their first contribution in rhboot#455

**Full Changelog**: rhboot/shim@15.5...15.6-rc1

15.5

This tag was signed with the committer’s verified signature (frozencemetery Robbie Harwood).
shim 15.5

Much thanks to those who tested this release.

Changes from -rc2:

- Make Mok config table be runtime services memory
- Remove post-process-pe on 'make clean'
- pe: missing perror argument

**Incremental changelog**: rhboot/shim@15.5-rc2...15.5

From 15.4, the following people contributed code:

- Peter Jones (46)
- Heinrich Schuchardt (7)
- Gary Lin (6)
- Renaud Métrich (4)
- Julian Andres Klode (4)
- Serge Hallyn (2)
- Robbie Harwood (2)
- Nicholas Bishop (2)
- João Paulo Rechi Vita (2)
- Seth Forshee (1)
- Jonathan Yong (1)
- Jonas Witschel (1)
- Javier Martinez Canillas (1)
- Jan Setje-Eilers (1)
- Esther Shimanovich (1)
- Eric Snowberg (1)
- Dimitri John Ledkov (1)
- Daniel Axtens (1)
- Chris Coulson (1)
- Adam Williamson (1)

**Full changelog**: rhboot/shim@15.4...15.5

15.5-rc2

This tag was signed with the committer’s verified signature (vathpela Peter Jones).
shim 15.5 release candidate 2

What's Changed

* docs: update SBAT UEFI variable name by @nicholasbishop in rhboot#421
* Don't parse load options if invoked from removable media path by @julian-klode in rhboot#399
* fallback: fix fallback not passing arguments of the first boot option by @martinezjavier in rhboot#433
* shim: Don't stop forever at "Secure Boot not enabled" notification by @rmetrich in rhboot#438
* Shim 15.5 coverity by @vathpela in rhboot#439

New Contributors

* @hallyn made their first contribution in rhboot#389
* @jyong2 made their first contribution in rhboot#365
* @sforshee made their first contribution in rhboot#378
* @frozencemetery made their first contribution in rhboot#403
* @xypron made their first contribution in rhboot#406
* @eshiman made their first contribution in rhboot#398
* @daxtens made their first contribution in rhboot#413
* @rmetrich made their first contribution in rhboot#414
* @julian-klode made their first contribution in rhboot#393

**Full Changelog**: rhboot/shim@15.5-rc1...15.5-rc2

15.5-rc1

This tag was signed with the committer’s verified signature (vathpela Peter Jones).
shim 15.5 release candidate 1

What's Changed

* Broken ia32 relocs and an unimportant submodule change. by @vathpela in rhboot#357
* mok: allocate MOK config table as BootServicesData by @lcp in rhboot#361
* Don't call QueryVariableInfo() on EFI 1.10 machines by @vathpela in rhboot#364
* Relax the check for import_mok_state() by @lcp in rhboot#372
* SBAT.md: trivial changes by @hallyn in rhboot#389
* shim: another attempt to fix load options handling by @chrisccoulson in rhboot#379
* Add tests for our load options parsing. by @vathpela in rhboot#390
* arm/aa64: fix the size of .rela* sections by @lcp in rhboot#383
* mok: fix potential buffer overrun in import_mok_state by @jyong2 in rhboot#365
* mok: relax the maximum variable size check by @lcp in rhboot#369
* Don't unhook ExitBootServices when EBS protection is disabled by @sforshee in rhboot#378
* fallback: find_boot_option() needs to return the index for the boot entry in optnum by @jsetje in rhboot#396
* httpboot: Ignore case when checking HTTP headers by @frozencemetery in rhboot#403
* Fallback allocation errors by @vathpela in rhboot#402
* shim: avoid BOOTx64.EFI in message on other architectures by @xypron in rhboot#406
* str: remove duplicate parameter check by @xypron in rhboot#408
* fallback: add compile option FALLBACK_NONINTERACTIVE by @xnox in rhboot#359
* Test mok mirror by @vathpela in rhboot#394
* Modify sbat.md to help with readability. by @eshiman in rhboot#398
* csv: detect end of csv file correctly by @xypron in rhboot#404
* Specify that the .sbat section is ASCII not UTF-8 by @daxtens in rhboot#413
* tests: add "include-fixed" GCC directory to include directories by @diabonas in rhboot#415
* pe: simplify generate_hash() by @xypron in rhboot#411
* Don't make shim abort when TPM log event fails (RHBZ #2002265) by @rmetrich in rhboot#414
* Fallback to default loader if parsed one does not exist by @julian-klode in rhboot#393
* fallback: Fix for BootOrder crash when index returned by find_boot_option() is not in current BootOrder list by @rmetrich in rhboot#422
* Better console checks by @vathpela in rhboot#416
* docs: update SBAT UEFI variable name by @nicholasbishop in rhboot#421

New Contributors

* @hallyn made their first contribution in rhboot#389
* @jyong2 made their first contribution in rhboot#365
* @sforshee made their first contribution in rhboot#378
* @frozencemetery made their first contribution in rhboot#403
* @xypron made their first contribution in rhboot#406
* @eshiman made their first contribution in rhboot#398
* @daxtens made their first contribution in rhboot#413
* @rmetrich made their first contribution in rhboot#414

**Full Changelog**: rhboot/shim@15.4...15.5-rc1