Change logs for shim-signed source package in Bionic

  • shim-signed (1.37~18.04.13) bionic; urgency=medium
    
      [ dann frazier ]
      * Fix arm64 issues due to hardcoding "x64" as the EFI architecture.
        (LP: #2004208)
      * is-not-revoked: Support vmlinux.gz files as used on arm64.
        (LP: #2004201)
    
     -- Julian Andres Klode <email address hidden>  Tue, 31 Jan 2023 12:57:37 +0100
  • shim-signed (1.37~18.04.12) bionic; urgency=medium
    
      * New upstream version 15.7 (LP: #1996503)
        - SBAT level: shim,3
        - SBAT policy bumped to grub,2 in previous and grub,3 in latest:
          SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
      * SECURITY FIX: Buffer overflow when loading crafted EFI images.
          - CVE-2022-28737
      * debian/control: Depend on new grub versions (1.191 on lunar+, 1.187.2 elsewhere)
      * Break fwupd-signed signed with old keys
      * Check for revoked fb,mm binaries in build, grubs, fwupd in autopkgtest
      * Install both previous and latest shim as alternatives. On secure boot
        systems, if the current kernel or any newer one is revoked, the previous
        shim will continue to be used until current kernel and all newer ones
        are signed with a non-revoked key.
    
     -- Julian Andres Klode <email address hidden>  Thu, 26 Jan 2023 13:03:25 +0100
  • shim-signed (1.37~18.04.11) bionic; urgency=medium
    
      * Update to shim 15.4-0ubuntu9
        - Fix booting installer media on some machines (LP: #1937115)
          + Always fallback to the default loader (PR #393)
          + Dump load options parsed (PR #393)
          + Disable load option parsing on removable media path (PR #399)
        - trivial: Fix a minor overflow in the mok importing code (PR #365)
        - Fix fall back loader to find the correct boot entry, avoiding potential
          corruption of firmware (PR #396).
    
     -- Julian Andres Klode <email address hidden>  Tue, 07 Sep 2021 12:03:11 +0200
  • shim-signed (1.37~18.04.10) bionic; urgency=medium
    
      * Remove unnecessary efitools dependency that prevented build on arm64
    
     -- Julian Andres Klode <email address hidden>  Mon, 19 Jul 2021 17:01:19 +0200
  • shim-signed (1.37~18.04.9) bionic; urgency=medium
    
      * New upstream release 15.4.  LP: #1921134
      * Synchronize packaging with 1.50, summary
        - Update packaging to pull fb and mm from shim-signed package as in
          later releases, dropping the runtime dependency on shim.
        - Add download-signed script from linux-signed package
        - Include reworked Makefile from devel to better assert the integrity of
          the executables.
        - Dual-signed shim
        - Set XB-Important: yes on shim-signed package so that it cannot be
          removed by accident (LP: #1898729)
        - download-signed: Fetch signed artefacts from versioned URL instead
          of current/ symlink to work around caching (LP: #1936640)
      * Update to shim 15.4-0ubuntu5:
        - Stop appending vendor dbx to MokListXRT during MokListX mirroring. This
          is causing systems to run out of EFI storage space, or just hang up
          when trying to write it (LP: #1924605) (LP: #1928434)
        - Further relax the check for variable mirroring on non-secureboot systems
          avoiding boot failures on out of space conditions (pull request #372)
        - Don't unhook ExitBootServices() when EBS protection is disabled
          (LP: #1931136) (pull request #378)
      * Update to shim 15.4-0ubuntu7:
        - Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
        - Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
        - Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
        - mok: relax the maximum variable size check (LP: #1934780) (PR #369)
    
     -- Julian Andres Klode <email address hidden>  Fri, 16 Jul 2021 14:04:10 +0200
  • shim-signed (1.37~18.04.8) bionic; urgency=medium
    
      * Followup fix to actually include the updated shimx64.efi (LP: #1862171),
        as the previous upload accidentally only contained an updated shimaa64.efi
    
     -- Julian Andres Klode <email address hidden>  Thu, 27 Aug 2020 13:32:46 +0200
  • shim-signed (1.37~18.04.7) bionic; urgency=medium
    
      * Build shim-signed:arm64 (LP: #1890813)
      * Update to the signed 15+1552672080.a4a1fbe-0ubuntu2 binary from Microsoft.
        (LP: #1862171)
    
     -- Julian Andres Klode <email address hidden>  Fri, 07 Aug 2020 13:57:23 +0200
  • shim-signed (1.37~18.04.6) bionic; urgency=medium
    
      * Pass --timeout -1 to mokutil in a separate mokutil run (LP: #1869187)
        thanks to Aleksander Miera for the patch.
    
     -- Matthieu Clemenceau <email address hidden>  Fri, 10 Jul 2020 14:27:41 -0500
  • shim-signed (1.37~18.04.5) bionic; urgency=medium
    
      * Fix versioned dependency on mokutil so that it matches the version in
        bionic-updates.  LP: #1862632.
    
     -- Steve Langasek <email address hidden>  Mon, 10 Feb 2020 09:50:46 -0800
  • shim-signed (1.37~18.04.4) bionic; urgency=medium
    
      * Pass --timeout -1 to mokutil so that users don't end up with broken
        systems by missing MokManager on reboot after install.  LP: #1856422.
      * Add a versioned dependency on the mokutil that introduces --timeout.
    
     -- Steve Langasek <email address hidden>  Sat, 14 Dec 2019 20:33:19 -0800
  • shim-signed (1.37~18.04.3) bionic; urgency=medium
    
      * Don't fail non-interactive upgrade of nvidia module and module removals
        (LP: #1726803)
    
     -- Balint Reczey <email address hidden>  Thu, 25 Oct 2018 20:55:38 +0200
  • shim-signed (1.37~18.04.2) bionic; urgency=medium
    
      * debian/control: add Breaks: grub-efi-amd64-signed (<< 1.93.7), as the new
        version of shim exercises a bug in relocation code for chainload that was
        fixed in that upload of grub, affecting Windows 7, Windows 10, and some
        netboot scenarios where chainloading is required. (LP: #1792575)
    
    shim-signed (1.37) cosmic; urgency=medium
    
      * Update to the signed 15+1533136590.3beb971-0ubuntu1 binary from Microsoft.
      * debian/real-po: replace debian/po to make sure things are translatable
        via Launchpad.
    
     -- Mathieu Trudel-Lapierre <email address hidden>  Fri, 28 Sep 2018 11:02:56 -0400
  • shim-signed (1.37~18.04.1) bionic; urgency=medium
    
      * Backport shim-signed 1.37 to Ubuntu 18.04. (LP: #1790724)
    
     -- Mathieu Trudel-Lapierre <email address hidden>  Tue, 04 Sep 2018 17:02:59 -0400
  • shim-signed (1.34.9.2) bionic; urgency=medium
    
      * debian/shim-signed.postinst: use --auto-nvram with grub-install in case
        we're installing on a NVRAM-unavailable platform. (LP: #1778848)
      * debian/control: bump the dependency for grub2-common to make sure
        grub-install supports --auto-nvram. (LP: #1778848)
      * debian/control: switch the grub-efi-amd64-bin dependency to
        grub-efi-amd64-signed. (LP: #1778848)
    
     -- Łukasz 'sil2100' Zemczak <email address hidden>  Wed, 27 Jun 2018 10:14:24 +0200
  • shim-signed (1.34.9.1) bionic; urgency=medium
    
      * update-secureboot-policy: fix quoting for key/again password handling to
        mokutil. (LP: #1770579)
      * update-secureboot-policy: don't allow backtracking at the "main" question
        for whether to enroll a new MOK. (LP: #1767091)
    
     -- Mathieu Trudel-Lapierre <email address hidden>  Mon, 11 Jun 2018 15:23:28 -0400
  • shim-signed (1.34.9) bionic; urgency=medium
    
      * debian/shim-signed.postinst: check for MOK existence rather than ignoring
        failures in the trigger. (LP: #1766627)
    
     -- Mathieu Trudel-Lapierre <email address hidden>  Tue, 24 Apr 2018 13:24:24 -0400
  • shim-signed (1.34.8) bionic; urgency=medium
    
      * debian/shim-signed.postinst: shim-signed's trigger to enroll a new MOK
        should not fail the upgrade if there was no MOK to enroll. (LP: #1766627)
    
     -- Mathieu Trudel-Lapierre <email address hidden>  Tue, 24 Apr 2018 12:31:25 -0400
  • shim-signed (1.34.7) bionic; urgency=medium
    
      * debian/shim-signed.postinst: it's not guaranteed that all linux-image
        packages currently installed have dkms modules built for them.
        Gracefully handle any failures in the path for signing existing dkms
        modules on upgrade due to absent modules.  LP: #1766391.
      * Add a dependency on sbsigntool for kmodsign, which we use directly.
    
     -- Steve Langasek <email address hidden>  Mon, 23 Apr 2018 21:47:50 -0700
  • shim-signed (1.34.6) bionic; urgency=medium
    
      * debian/shim-signed.postinst: bump lower version for batch-signing module
        to 1.34.6, to make sure everything is properly signed if people got one
        of the previous shim-signed packages.
    
     -- Mathieu Trudel-Lapierre <email address hidden>  Mon, 23 Apr 2018 19:52:19 -0400
  • shim-signed (1.34.5) bionic; urgency=medium
    
      * Don't try to save new dkms list if we're still dealing with password
        validation for enrollment. (LP: #1766312)
      * Specify kernel version when installing/uninstalling modules while doing
        batch signing on upgrade.
      * Do a better job at finding kernel modules from DKMS if they are in sub-
        directories.
      * Don't prompt if DKMS is installed but there are no DKMS-built modules
        installed. (LP: #1766261)
    
     -- Mathieu Trudel-Lapierre <email address hidden>  Mon, 23 Apr 2018 15:29:44 -0400
  • shim-signed (1.34.4) bionic; urgency=medium
    
      * Handle the case that there are no kernel modules available for a given
        dkms package.  This probably indicates there is a problem with the dkms
        module's installation, but that should not cause this package's
        installation to fail.  LP: #1765954.
    
     -- Steve Langasek <email address hidden>  Sat, 21 Apr 2018 10:13:41 -0700
  • shim-signed (1.34.3) bionic; urgency=medium
    
      * Only take the first 31 bytes of the hostname.  LP: #1765905.
    
     -- Steve Langasek <email address hidden>  Sat, 21 Apr 2018 01:14:12 -0700
  • shim-signed (1.34.2) bionic; urgency=medium
    
      * Handle the case of multiple .kos per dkms module and .kos whose name
        does not match the dkms package name.  LP: #1765647.
    
     -- Steve Langasek <email address hidden>  Sat, 21 Apr 2018 01:01:56 -0700
  • shim-signed (1.34.1) bionic; urgency=medium
    
      * update-secureboot-policy: don't skip creating a MOK if Secure Boot is not
        enabled in firmware, but do guard against prompting users on a system that
        doesn't have efivars mounted or where SB is disabled. (LP: #1765515)
    
     -- Mathieu Trudel-Lapierre <email address hidden>  Thu, 19 Apr 2018 17:56:50 -0400
  • shim-signed (1.34) bionic; urgency=medium
    
      * update-secureboot-policy: (LP: #1748983)
        - Factor out validate_password() and clear_passwords() for reuse.
        - Add --new-key option to generate a self-signed MOK.
        - Add --enroll-key option to allow enrolling a new MOK in shim.
        - Drop --enable and --disable options; users should call mokutil directly
          instead.
      * debian/shim-signed.postinst:
        - When triggered, explicitly try to enroll the available MOK.
      * debian/shim-signed.install, openssl.cnf: Install some default configuration
        for creating our self-signed key.
      * debian/shim-signed.dirs: make sure we have a directory where to put a MOK.
      * debian/templates: update templates for update-secureboot-policy changes.
      * debian/control: add versioned Breaks: for dkms.
    
     -- Mathieu Trudel-Lapierre <email address hidden>  Wed, 18 Apr 2018 22:35:46 -0400
  • shim-signed (1.33.1) bionic; urgency=medium
    
      * Update to the signed 13-0ubuntu2 binary from Microsoft. (LP: #1708245)
      * Stop generating and installing BOOT.CSV, shim will do that by itself now.
      * Add Vcs-* fields.
    
     -- Mathieu Trudel-Lapierre <email address hidden>  Thu, 21 Dec 2017 14:33:37 -0500
  • shim-signed (1.32) artful; urgency=medium
    
      * Handle cleanup of /var/lib/shim-signed on package purge.
    
     -- Steve Langasek <email address hidden>  Fri, 23 Jun 2017 22:30:42 -0700