| Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
| Name: shim-susesigned | Distribution: SUSE Linux Enterprise 15 |
| Version: 15.4 | Vendor: SUSE LLC <https://www.suse.com/> |
| Release: 3.3.1 | Build date: Tue Aug 10 13:30:30 2021 |
| Group: System/Boot | Build host: ibs-arm-5 |
| Size: 862037 | Source RPM: shim-susesigned-15.4-3.3.1.src.rpm |
| Packager: https://www.suse.com/ | |
| Url: https://github.com/rhboot/shim | |
| Summary: UEFI shim loader | |
shim is a trivial EFI application that, when run, attempts to open and execute another application.
BSD-2-Clause
* Mon Aug 09 2021 jlee@suse.com
- Sync with Microsoft signed shim to Thu Jul 15 08:13:26 UTC 2021.
* Thu Jul 01 2021 glin@suse.com
- Add shim-bsc1187696-avoid-deleting-rt-variables.patch to avoid
deleting the mirrored RT variables (bsc#1187696)
* Mon Jun 21 2021 glin@suse.com
- Add shim-bsc1185261-relax-import_mok_state-check.patch to relax
the check for import_mok_state() when Secure Boot is off.
(bsc#1185261)
- Add shim-bsc1185232-relax-loadoptions-length-check.patch to
ignore the odd LoadOptions length (bsc#1185232)
- shim-install: reset def_shim_efi to "shim.efi" if the given
file doesn't exist
- Add shim-fix-aa64-relsz.patch to fix the size of rela sections
for AArch64
Fix: https://github.com/rhboot/shim/issues/371
- Add shim-disable-export-vendor-dbx.patch to disable exporting
vendor-dbx to MokListXRT since writing a large RT variable
could crash some machines (bsc#1185261)
- Add shim-bsc1187260-fix-efi-1.10-machines.patch to avoid the
potential crash when calling QueryVariableInfo in EFI 1.10
machines (bsc#1187260)
- Add shim-bsc1185232-fix-config-table-copying.patch to avoid
buffer overflow when copying data to the MOK config table
(bsc#1185232)
* Thu May 20 2021 glin@suse.com
- shim-install: instead of assuming "removable" for Azure, remove
fallback.efi from \EFI\Boot and copy grub.efi/cfg to \EFI\Boot
to make \EFI\Boot bootable and keep the boot option created by
efibootmgr (bsc#1185464, bsc#1185961)
* Fri May 07 2021 glin@suse.com
- shim-install: always assume "removable" for Azure to avoid the
endless reset loop (bsc#1185464)
* Thu May 06 2021 glin@suse.com
- Branch shim-susesigned from the original shim to include the
additional fix for bsc#1185621
+ Only build AArch64 SLES shim and drop MokManager and fallback
+ Make it conflict with the original shim package
- Add shim-bsc1185621-relax-max-var-sz-check.patch to relax the
maximum variable size check for u-boot (bsc#1185621)
- Add shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch
to handle ignore_db and user_insecure_mode correctly
(bsc#1185441)
- Split the keys in vendor-dbx.bin to vendor-dbx-sles and
vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce
the size of MokListXRT (bsc#1185261)
+ Also update generate-vendor-dbx.sh in dbx-cert.tar.xz
* Thu Apr 22 2021 glin@suse.com
- Enable the AArch64 signature check for SLE
* Wed Apr 21 2021 jsegitz@suse.com
- Update the SLE signatures
* Thu Apr 08 2021 glin@suse.com
- Add shim-bsc1184454-allocate-mok-config-table-BS.patch to avoid
the error message during linux system boot (bsc#1184454)
* Wed Apr 07 2021 jsegitz@suse.com
- Add remove_build_id.patch to prevent the build id being added to
the binary. That can cause issues with the signature
* Wed Mar 31 2021 glin@suse.com
- Update to 15.4 (bsc#1182057)
+ Rename the SBAT variable and fix the self-check of SBAT
+ sbat: add more dprint()
+ arm/aa64: Swizzle some sections to make old sbsign happier
+ arm/aa64 targets: put .rel* and .dyn* in .rodata
- Drop upstreamed patch:
+ shim-bsc1182057-sbat-variable-enhancement.patch
* Mon Mar 29 2021 glin@suse.com
- Add shim-bsc1182057-sbat-variable-enhancement.patch to change
the SBAT variable name and enhance the handling of SBAT
(bsc#1182057)
* Wed Mar 24 2021 glin@suse.com
- Update to 15.3 for SBAT support (bsc#1182057)
+ Drop gnu-efi from BuildRequires since upstream pull it into the
tar ball.
- Generate vender-specific SBAT metadata
+ Add dos2unix to BuildRequires since Makefile requires it for
vendor SBAT
- Update dbx-cert.tar.xz and vendor-dbx.bin to block the following
sign keys:
+ SLES-UEFI-SIGN-Certificate-2020-07.crt
+ openSUSE-UEFI-SIGN-Certificate-2020-07.crt
- Refresh patches
+ shim-arch-independent-names.patch
+ shim-change-debug-file-path.patch
+ shim-bsc1177315-verify-eku-codesign.patch
- Unified with shim-bsc1177315-fix-buffer-use-after-free.patch
- Drop upstreamed fixes
+ shim-correct-license-in-headers.patch
+ shim-always-mirror-mok-variables.patch
+ shim-bsc1175509-more-tpm-fixes.patch
+ shim-bsc1173411-only-check-efi-var-on-sb.patch
+ shim-fix-verify-eku.patch
+ gcc9-fix-warnings.patch
+ shim-fix-gnu-efi-3.0.11.patch
+ shim-bsc1177404-fix-a-use-of-strlen.patch
+ shim-do-not-write-string-literals.patch
+ shim-VLogError-Avoid-Null-pointer-dereferences.patch
+ shim-bsc1092000-fallback-menu.patch
+ shim-bsc1175509-tpm2-fixes.patch
+ shim-bsc1174512-correct-license-in-headers.patch
+ shim-bsc1182776-fix-crash-at-exit.patch
- Drop shim-opensuse-cert-prompt.patch
+ All newly released openSUSE kernels enable kernel lockdown
and signature verification, so there is no need to add the
prompt anymore.
* Thu Mar 11 2021 glin@suse.com
- Refresh shim-bsc1182776-fix-crash-at-exit.patch to do the cleanup
also when Secure Boot is disabled (bsc#1183213, bsc#1182776)
- Merged linker-version.pl into timestamp.pl and add the linker
version to signature files accordingly
* Mon Mar 08 2021 glin@suse.com
- Add shim-bsc1182776-fix-crash-at-exit.patch to fix the potential
crash at Exit() (bsc#1182776)
* Fri Jan 22 2021 glin@suse.com
- Update the SLE signature
- Exclude some patches from x86_64 to avoid breaking the signature
- Add shim-correct-license-in-headers.patch back for x86_64 to
match the SLE signature
- Add linker-version.pl to modify the EFI/PE header to match the
SLE signature
* Wed Nov 04 2020 glin@suse.com
- Disable the signature attachment for AArch64 temporarily until
we get a real one.
* Mon Nov 02 2020 glin@suse.com
- Add shim-bsc1177315-verify-eku-codesign.patch to check CodeSign
in the signer's EKU (bsc#1177315)
- Add shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch
to fix NULL pointer dereference in AuthenticodeVerify()
(bsc#1177789, CVE-2019-14584)
- shim-install: Support changing default shim efi binary in
/usr/etc/default/shim and /etc/default/shim (bsc#1177315)
- Add shim-bsc1177315-fix-buffer-use-after-free.patch to fix buffer
use-after-free at the end of the EKU verification (bsc#1177315)
* Wed Oct 14 2020 glin@suse.com
- Add shim-bsc1177404-fix-a-use-of-strlen.patch to fix the length
of the option data string to launch the program correctly
(bsc#1177404)
- Add shim-bsc1175509-more-tpm-fixes.patch to fix the file path
in the tpm even log (bsc#1175509)
* Mon Sep 14 2020 glin@suse.com
- Add shim-VLogError-Avoid-Null-pointer-dereferences.patch to fix
VLogError crash in AArch64 (jsc#SLE-15824)
- Add shim-fix-verify-eku.patch to fix the potential crash at
verify_eku() (jsc#SLE-15824)
- Add shim-do-not-write-string-literals.patch to fix the potential
crash when accessing the DEFAULT_LOADER string (jsc#SLE-15824)
* Fri Sep 04 2020 guillaume.gardet@opensuse.org
- Enable build on aarch64
* Mon Aug 24 2020 glin@suse.com
- shim-install: install MokManager to \EFI\boot to process the
pending MOK request (bsc#1175626, bsc#1175656)
* Fri Aug 21 2020 glin@suse.com
- Add shim-bsc1175509-tpm2-fixes.patch to fix the TPM2 measurement
(bsc#1175509)
* Thu Aug 06 2020 glin@suse.com
- Amend the check of %shim_enforce_ms_signature
* Fri Jul 31 2020 jsegitz@suse.com
- Updated openSUSE signature
* Mon Jul 27 2020 glin@suse.com
- Replace shim-correct-license-in-headers.patch with the upstream
commit: shim-bsc1174512-correct-license-in-headers.patch
(bsc#1174512)
* Wed Jul 22 2020 glin@suse.com
- Update the path to grub-tpm.efi in shim-install (bsc#1174320)
* Fri Jul 10 2020 glin@suse.com
- Use vendor-dbx to block old SUSE/openSUSE signkeys (bsc#1168994)
+ Add dbx-cert.tar.xz which contains the certificates to block
and a script, generate-vendor-dbx.sh, to generate
vendor-dbx.bin
+ Add vendor-dbx.bin as the vendor dbx to block unwanted keys
- Drop shim-opensuse-signed.efi
+ We don't need it anymore
* Fri Jul 10 2020 glin@suse.com
- Add shim-bsc1173411-only-check-efi-var-on-sb.patch to only check
EFI variable copying when Secure Boot is enabled (bsc#1173411)
* Tue Mar 31 2020 glin@suse.com
- Use the full path of efibootmgr to avoid errors when invoking
shim-install from packagekitd (bsc#1168104)
* Mon Mar 30 2020 glin@suse.com
- Use "suse_version" instead of "sle_version" to avoid
shim_lib64_share_compat being set in Tumbleweed forever.
* Mon Mar 16 2020 glin@suse.com
- Add shim-fix-gnu-efi-3.0.11.patch to fix the build error caused
by the upgrade of gnu-efi
* Wed Nov 27 2019 mchang@suse.com
- shim-install: add check for btrfs is used as root file system to enable
relative path lookup for file. (bsc#1153953)
* Fri Aug 16 2019 glin@suse.com
- Fix a typo in shim-install (bsc#1145802)
* Fri Apr 19 2019 mliska@suse.cz
- Add gcc9-fix-warnings.patch (bsc#1121268).
* Mon Apr 15 2019 glin@suse.com
- Add shim-opensuse-signed.efi, the openSUSE shim-15+git47 binary
(bsc#1113225)
* Fri Apr 12 2019 glin@suse.com
- Disable AArch64 build (FATE#325971)
+ AArch64 machines don't use UEFI CA, at least for now.
* Thu Apr 11 2019 jsegitz@suse.com
- Updated shim signature: signature-sles.x86_64.asc (bsc#1120026)
* Thu Feb 14 2019 rw@suse.com
- Fix conditions for '/usr/share/efi'-move (FATE#326960)
* Mon Jan 28 2019 glin@suse.com
- Amend shim.spec to remove $RPM_BUILD_ROOT
* Thu Jan 17 2019 rw@suse.com
- Move 'efi'-executables to '/usr/share/efi' (FATE#326960)
(preparing the move to 'noarch' for this package)
* Mon Jan 14 2019 glin@suse.com
- Update shim-install to handle the partitioned MD devices
(bsc#1119762, bsc#1119763)
* Thu Dec 20 2018 glin@suse.com
- Update to 15+git47 (bsc#1120026, FATE#325971)
+ git commit: b3e4d1f7555aabbf5d54de5ea7cd7e839e7bd83d
- Retire the old openSUSE 4096 bit certificate
+ Those programs are already out of maintenance.
- Add shim-always-mirror-mok-variables.patch to mirror MOK
variables correctly
- Add shim-correct-license-in-headers.patch to correct the license
declaration
- Refresh patches:
+ shim-arch-independent-names.patch
+ shim-change-debug-file-path.patch
+ shim-bsc1092000-fallback-menu.patch
+ shim-opensuse-cert-prompt.patch
- Drop upstreamed patches:
+ shim-bsc1088585-handle-mok-allocations-better.patch
+ shim-httpboot-amend-device-path.patch
+ shim-httpboot-include-console.h.patch
+ shim-only-os-name.patch
+ shim-remove-cryptpem.patch
* Wed Dec 05 2018 glin@suse.com
- Update shim-install to specify the target for grub2-install and
change the boot efi file name according to the architecture
(bsc#1118363, FATE#325971)
* Tue Aug 21 2018 glin@suse.com
- Enable AArch64 build (FATE#325971)
+ Also add the aarch64 signature files and rename the x86_64
signature files
* Tue May 29 2018 glin@suse.com
- Add shim-bsc1092000-fallback-menu.patch to show a menu before
system reset ((bsc#1092000))
* Tue Apr 10 2018 glin@suse.com
- Add shim-bsc1088585-handle-mok-allocations-better.patch to avoid
double-freeing after enrolling a key from the disk (bsc#1088585)
+ Also refresh shim-opensuse-cert-prompt.patch due to the change
in MokManager.c
* Tue Apr 03 2018 glin@suse.com
- Install the certificates with a shim suffix to avoid conflicting
with other packages (bsc#1087847)
* Fri Mar 23 2018 glin@suse.com
- Add the missing leading backlash to the DEFAULT_LOADER
(bsc#1086589)
* Fri Jan 05 2018 glin@suse.com
- Add shim-httpboot-amend-device-path.patch to amend the device
path matching rule for httpboot (bsc#1065370)
* Thu Jan 04 2018 glin@suse.com
- Update to 14 (bsc#1054712)
- Adjust make commands in spec
- Drop upstreamed fixes
+ shim-add-fallback-verbose-print.patch
+ shim-back-to-openssl-1.0.2e.patch
+ shim-fallback-workaround-masked-ami-variables.patch
+ shim-fix-fallback-double-free.patch
+ shim-fix-httpboot-crash.patch
+ shim-fix-openssl-flags.patch
+ shim-more-tpm-measurement.patch
- Add shim-httpboot-include-console.h.patch to include console.h
in httpboot.c to avoid build failure
- Add shim-remove-cryptpem.patch to replace functions in CryptPem.c
with the null function
- Update SUSE/openSUSE specific patches
+ shim-only-os-name.patch
+ shim-arch-independent-names.patch
+ shim-change-debug-file-path.patch
+ shim-opensuse-cert-prompt.patch
* Fri Dec 29 2017 ngompa13@gmail.com
- Fix debuginfo + debugsource subpackage generation for RPM 4.14
- Set the RPM groups correctly for debug{info,source} subpackages
- Drop deprecated and out of date Authors information in description
* Wed Sep 13 2017 glin@suse.com
- Add shim-back-to-openssl-1.0.2e.patch to avoid rejecting some
legit certificates (bsc#1054712)
- Add the stderr mask back while compiling MokManager.efi since the
warnings in Cryptlib is back after reverting the openssl commits.
* Tue Aug 29 2017 glin@suse.com
- Add shim-add-fallback-verbose-print.patch to print the debug
messages in fallback.efi dynamically
- Refresh shim-fallback-workaround-masked-ami-variables.patch
- Add shim-more-tpm-measurement.patch to measure more components
and support TPM better
* Wed Aug 23 2017 glin@suse.com
- Add upstream fixes
+ shim-fix-httpboot-crash.patch
+ shim-fix-openssl-flags.patch
+ shim-fix-fallback-double-free.patch
+ shim-fallback-workaround-masked-ami-variables.patch
- Remove the stderr mask while compiling MokManager.efi since the
warnings in Cryptlib were fixed.
* Tue Aug 22 2017 glin@suse.com
- Add shim-arch-independent-names.patch to use the Arch-independent
names. (bsc#1054712)
- Refresh shim-change-debug-file-path.patch
- Disable shim-opensuse-cert-prompt.patch automatically in SLE
- Diable AArch64 until we have a real user and aarch64 signature
* Fri Jul 14 2017 bwiedemann@suse.com
- Make build reproducible by avoiding race between find and cp
* Thu Jun 22 2017 glin@suse.com
- Update to 12
- Rename the result EFI images due to the upstream name change
+ shimx64 -> shim
+ mmx64 -> MokManager
+ fbx64 -> fallback
- Refresh patches:
+ shim-only-os-name.patch
+ shim-change-debug-file-path.patch
+ shim-opensuse-cert-prompt.patch
- Drop upstreamed patches:
+ shim-httpboot-support.patch
+ shim-bsc973496-mokmanager-no-append-write.patch
+ shim-bsc991885-fix-sig-length.patch
+ shim-update-openssl-1.0.2g.patch
+ shim-update-openssl-1.0.2h.patch
* Tue May 23 2017 glin@suse.com
- Add the build flag to enable HTTPBoot
* Wed Mar 22 2017 mchang@suse.com
- shim-install: add option --suse-enable-tpm (fate#315831)
* Fri Jan 13 2017 mchang@suse.com
- Support %posttrans with marcos provided by update-bootloader-rpm-macros
package (bsc#997317)
* Fri Nov 18 2016 glin@suse.com
- Add SIGNATURE_UPDATE.txt to state the steps to update
signature-*.asc
- Update the comment of strip_signature.sh
* Wed Sep 21 2016 mchang@suse.com
- shim-install :
* add option --no-nvram (bsc#999818)
* improve removable media and fallback mode handling
* Fri Aug 19 2016 mchang@suse.com
- shim-install : fix regression of password prompt (bsc#993764)
* Fri Aug 05 2016 glin@suse.com
- Add shim-bsc991885-fix-sig-length.patch to fix the signature
length passed to Authenticode (bsc#991885)
* Wed Aug 03 2016 glin@suse.com
- Update shim-bsc973496-mokmanager-no-append-write.patch to try
append write first
* Tue Aug 02 2016 glin@suse.com
- Add shim-update-openssl-1.0.2h.patch to update openssl to 1.0.2h
- Bump the requirement of gnu-efi due to the HTTPBoot support
* Mon Aug 01 2016 glin@suse.com
- Add shim-httpboot-support.patch to support HTTPBoot
- Add shim-update-openssl-1.0.2g.patch to update openssl to 1.0.2g
and Cryptlib to 5e2318dd37a51948aaf845c7d920b11f47cdcfe6
- Drop patches since they are merged into
shim-update-openssl-1.0.2g.patch
+ shim-update-openssl-1.0.2d.patch
+ shim-gcc5.patch
+ shim-bsc950569-fix-cryptlib-va-functions.patch
+ shim-fix-aarch64.patch
- Refresh shim-change-debug-file-path.patch
- Add shim-bsc973496-mokmanager-no-append-write.patch to work
around the firmware that doesn't support APPEND_WRITE (bsc973496)
- shim-install : remove '\n' from the help message (bsc#991188)
- shim-install : print a message if there is no valid EFI partition
(bsc#991187)
* Mon May 09 2016 rw@suse.com
- shim-install : support simple MD RAID1 target devices (FATE#314829)
* Wed May 04 2016 agraf@suse.com
- Add shim-fix-aarch64.patch to fix compilation on AArch64 (bsc#978438)
* Wed Mar 09 2016 mchang@suse.com
- shim-install : fix typing ESC can escape to parent config which is
in command mode and cannot return back (bsc#966701)
- shim-install : fix no which command for JeOS (bsc#968264)
* Thu Dec 03 2015 jsegitz@novell.com
- acquired updated signature from Microsoft
* Mon Nov 09 2015 glin@suse.com
- Add shim-bsc950569-fix-cryptlib-va-functions.patch to fix the
definition of va functions to avoid the potential crash
(bsc#950569)
- Update shim-opensuse-cert-prompt.patch to avoid setting NULL to
MokListRT (bsc#950801)
- Drop shim-fix-mokmanager-sections.patch as we are using the
newer binutils now
- Refresh shim-change-debug-file-path.patch
* Thu Oct 08 2015 jsegitz@novell.com
- acquired updated signature from Microsoft
* Tue Sep 15 2015 mchang@suse.com
- shim-install : set default GRUB_DISTRIBUTOR from /etc/os-release
if it is empty or not set by user (bsc#942519)
* Thu Jul 16 2015 glin@suse.com
- Add shim-update-openssl-1.0.2d.patch to update openssl to 1.0.2d
- Refresh shim-gcc5.patch and add it back since we really need it
- Add shim-change-debug-file-path.patch to change the debug file
path in shim.efi
+ also add the debuginfo and debugsource subpackages
- Drop shim-fix-gnu-efi-30w.patch which is not necessary anymore
* Mon Jul 06 2015 glin@suse.com
- Update to 0.9
- Refresh patches
+ shim-fix-gnu-efi-30w.patch
+ shim-fix-mokmanager-sections.patch
+ shim-opensuse-cert-prompt.patch
- Drop upstreamed patches
+ shim-bsc920515-fix-fallback-buffer-length.patch
+ shim-mokx-support.patch
+ shim-update-cryptlib.patch
- Drop shim-bsc919675-uninstall-shim-protocols.patch since
upstream fixed the bug in another way.
- Drop shim-gcc5.patch which was fixed in another way
* Wed Apr 08 2015 glin@suse.com
- Fix tags in the spec file
* Tue Apr 07 2015 glin@suse.com
- Add shim-update-cryptlib.patch to update Cryptlib to r16559 and
openssl to 0.9.8zf
- Add shim-bsc919675-uninstall-shim-protocols.patch to uninstall
the shim protocols at Exit (bsc#919675)
- Add shim-bsc920515-fix-fallback-buffer-length.patch to adjust
the buffer size for the boot options (bsc#920515)
- Refresh shim-opensuse-cert-prompt.patch
* Thu Apr 02 2015 crrodriguez@opensuse.org
- shim-gcc5.patch: shim needs -std=gnu89 to build with GCC5
* Tue Feb 17 2015 mchang@suse.com
- shim-install : fix cryptodisk installation (boo#917427)
* Tue Nov 11 2014 glin@suse.com
- Add shim-fix-mokmanager-sections.patch to fix the objcopy
parameters for the EFI files
* Tue Oct 28 2014 glin@suse.com
- Update to 0.8
- Add shim-fix-gnu-efi-30w.patch to adapt the change in
gnu-efi-3.0w
- Merge shim-signed-unsigned-compares.patch,
shim-mokmanager-support-sha-family.patch and
shim-bnc863205-mokmanager-fix-hash-delete.patch into
shim-mokx-support.patch
- Refresh shim-opensuse-cert-prompt.patch
- Drop upstreamed patches: shim-update-openssl-0.9.8zb.patch,
bug-889332_shim-overflow.patch, and bug-889332_shim-mok-oob.patch
- Enable aarch64
* Mon Oct 13 2014 jsegitz@novell.com
- Fixed buffer overflow and OOB access in shim trusted code path
(bnc#889332, CVE-2014-3675, CVE-2014-3676, CVE-2014-3677)
* added bug-889332_shim-mok-oob.patch, bug-889332_shim-overflow.patch
- Added new certificate by Microsoft
/etc/uefi /etc/uefi/certs /etc/uefi/certs/BCA4E38E-shim.crt /usr/share/doc/packages/shim-susesigned /usr/share/doc/packages/shim-susesigned/COPYRIGHT /usr/share/efi /usr/share/efi/aarch64 /usr/share/efi/aarch64/shim-susesigned.der /usr/share/efi/aarch64/shim-susesigned.efi
Generated by rpm2html 1.8.1
Fabrice Bellet, Mon Mar 9 15:56:43 2026