Change logs for shim-signed source package in Focal

  • shim-signed (1.41) focal; urgency=medium
    
      * Update to the signed 15+1552672080.a4a1fbe-0ubuntu1 binary from Microsoft.
    
     -- Steve Langasek <email address hidden>  Wed, 05 Feb 2020 13:04:08 -0800
  • shim-signed (1.40.9) focal; urgency=medium
    
      [ dann frazier ]
      * Fix arm64 issues due to hardcoding "x64" as the EFI architecture.
        (LP: #2004208)
      * is-not-revoked: Support vmlinux.gz files as used on arm64.
        (LP: #2004201)
    
     -- Julian Andres Klode <email address hidden>  Tue, 31 Jan 2023 12:57:37 +0100
  • shim-signed (1.40.8) focal; urgency=medium
    
      * New upstream version 15.7 (LP: #1996503)
        - SBAT level: shim,3
        - SBAT policy bumped to grub,2 in previous and grub,3 in latest:
          SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
      * SECURITY FIX: Buffer overflow when loading crafted EFI images.
          - CVE-2022-28737
      * debian/control: Depend on new grub versions (1.191 on lunar+, 1.187.2 elsewhere)
      * Break fwupd-signed signed with old keys
      * Check for revoked fb,mm binaries in build, grubs, fwupd in autopkgtest
      * Install both previous and latest shim as alternatives. On secure boot
        systems, if the current kernel or any newer one is revoked, the previous
        shim will continue to be used until current kernel and all newer ones
        are signed with a non-revoked key.
    
     -- Julian Andres Klode <email address hidden>  Thu, 26 Jan 2023 13:03:25 +0100
  • shim-signed (1.40.7) focal; urgency=medium
    
      * Update to shim 15.4-0ubuntu9
        - Fix booting installer media on some machines (LP: #1937115)
          + Always fallback to the default loader (PR #393)
          + Dump load options parsed (PR #393)
          + Disable load option parsing on removable media path (PR #399)
        - trivial: Fix a minor overflow in the mok importing code (PR #365)
        - Fix fall back loader to find the correct boot entry, avoiding potential
          corruption of firmware (PR #396).
    
     -- Julian Andres Klode <email address hidden>  Fri, 13 Aug 2021 18:07:24 +0200
  • shim-signed (1.40.6) focal; urgency=medium
    
      * Update to shim 15.4-0ubuntu7:
        - Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
        - Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
        - Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
        - mok: relax the maximum variable size check (LP: #1934780) (PR #369)
      * download-signed: Fetch signed artefacts from versioned URL instead
        of current/ symlink to work around caching (LP: #1936640)
    
     -- Julian Andres Klode <email address hidden>  Fri, 16 Jul 2021 13:33:00 +0200
  • shim-signed (1.40.5) focal; urgency=medium
    
      * New upstream release 15.4.  LP: #1921134
      * Synchronize packaging with 1.48, summary
        - Update packaging to pull fb and mm from shim-signed package as in
          later releases, dropping the runtime dependency on shim.
        - Add download-signed script from linux-signed package
        - Include reworked Makefile from devel to better assert the integrity of
          the executables.
        - Dual-signed shim
        - Set XB-Important: yes and Protected: yes on shim-signed package
          so that it cannot be removed by accident (LP: #1898729)
      * Update to shim 15.4-0ubuntu5:
        - Stop appending vendor dbx to MokListXRT during MokListX mirroring. This
          is causing systems to run out of EFI storage space, or just hang up
          when trying to write it (LP: #1924605) (LP: #1928434)
        - Further relax the check for variable mirroring on non-secureboot systems
          avoiding boot failures on out of space conditions (pull request #372)
        - Don't unhook ExitBootServices() when EBS protection is disabled
          (LP: #1931136) (pull request #378)
    
     -- Julian Andres Klode <email address hidden>  Fri, 25 Jun 2021 18:35:51 +0200
  • shim-signed (1.40.4) focal; urgency=medium
    
      * Update to the signed 15+1552672080.a4a1fbe-0ubuntu2 binary from Microsoft.
        (LP: #1862171)
    
     -- Julian Andres Klode <email address hidden>  Fri, 07 Aug 2020 13:42:41 +0200
  • shim-signed (1.40.3) focal; urgency=medium
    
      * Depend on the correct version of grub-signed (LP: #1871895)
    
     -- Julian Andres Klode <email address hidden>  Thu, 09 Apr 2020 20:48:31 +0200
  • shim-signed (1.40.2) focal; urgency=medium
    
      * Install grub to multiple ESPs (LP: #1871821)
    
     -- Julian Andres Klode <email address hidden>  Thu, 09 Apr 2020 13:05:53 +0200
  • shim-signed (1.40.1) focal; urgency=medium
    
      * Pass --timeout -1 to mokutil in a separate mokutil run (LP: #1869187),
        thanks to Aleksander Miera for the patch.
    
     -- Julian Andres Klode <email address hidden>  Thu, 09 Apr 2020 09:57:51 +0200
  • shim-signed (1.40) focal; urgency=medium
    
      * Pass --timeout -1 to mokutil so that users don't end up with broken
        systems by missing MokManager on reboot after install.  LP: #1856422.
      * Add a versioned dependency on the mokutil that introduces --timeout.
    
     -- Steve Langasek <email address hidden>  Sat, 14 Dec 2019 20:26:42 -0800
  • shim-signed (1.39) disco; urgency=medium
    
      * debian/source_shim-signed.py: Correct EFI architecture name for arm64.
      * Parameterize code to remove hardcoded x86-isms.
      * Add arm64 support.
    
     -- dann frazier <email address hidden>  Wed, 14 Nov 2018 11:13:42 -0700