shim (15.8-1+pmx1) bookworm; urgency=medium

  * Bump version for Proxmox build.

 -- Proxmox Support Team  Tue, 07 May 2024 09:08:22 +0200

shim (15.8-1~deb12u1) bookworm; urgency=medium

  [ Steve McIntyre ]
  * Cope with changes in pesign packaging.
  * New upstream release fixing more bugs
  * Remove all our previous patches, no longer needed:
    + Make-sbat_var.S-parse-right-with-buggy-gcc-binutils.patch (now
      upstream)
    + Enable-NX.patch (we don't want NX just yet until the whole boot
      stack is NX-capable)
    + block-grub-sbat3-debian.patch (not needed now upstream grub SBAT
      is 4)
  * Cherry-pick 2 new patches from upstream for grub revocations:
    + 0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
    + 0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
  * Log if the build is nx-compatible or not
  * Force shim to use the latest revocations by default to block some
    older grub / peimage issues. This is:
    "shim,4\ngrub,4\ngrub.peimage,2\n"
  * Install a copy of the Debian CA certificate into /usr/share/shim.
    Closes: #1069054
  * Clean up better after build. Closes: #1046268

  [ Bastien Roucariès ]
  * Port autopkgtest from ubuntu
  * Import MR-12: "shim-unsigned:amd64 cannot be installed alongside
    shim-unsigned:i386", thanks to adrian15 adrian15 (Closes: #936009).
  * Fix debian/watch and check signature

 -- Steve McIntyre <93sam@debian.org>  Sat, 04 May 2024 21:28:21 +0100

shim (15.7-1+pmx1) bookworm; urgency=medium

  * Bump version for Proxmox build.

 -- Proxmox Support Team  Mon, 20 Mar 2023 10:32:21 +0100

shim (15.7-1) unstable; urgency=medium

  * New upstream release fixing more bugs
  * Add further patches from upstream:
    + Make sbat_var.S parse right with buggy gcc/binutils
    + Enable NX support at build time, as required by policy for signing
      new shim binaries.
  * Switch to using gcc-12. Closes: #1022180
  * Update to Standards-Version 4.6.2 (no changes needed)
  * Block Debian grub binaries with sbat < 4 (see #1024617)

 -- Steve McIntyre <93sam@debian.org>  Mon, 30 Jan 2023 18:11:23 +0000

shim (15.6-1) unstable; urgency=medium

  * New upstream release fixing more bugs
    + Remove all our old patches, all now upstream:
      - fix-32b-format-strings.patch
      - fix-test-includes.patch

 -- Steve McIntyre <93sam@debian.org>  Thu, 21 Jul 2022 14:04:01 +0200

shim (15.5-1) UNRELEASED; urgency=medium

  * New upstream release fixing more bugs
    + Remove all our old patches, all now upstream:
      - Don-t-call-QueryVariableInfo-on-EFI-1.10-machines.patch
      - MOK-BootServicesData.patch
      - fix-broken-ia32-reloc.patch
      - fix-import_one_mok_state.patch
      - fix_arm64_rela_sections.patch
      - relax_check_for_import_mok_state.patch
  * Fix format strings for 32-bit builds
  * Tweak setup for dh_auto_test so the tests work
  * Add new build-dep on libefivar-dev for tests

 -- Steve McIntyre <93sam@debian.org>  Wed, 27 Apr 2022 22:50:08 +0100

shim (15.4-7) unstable; urgency=high

  * Tweak how we call grub-install; don't abort on error. Not ideal
    behaviour either, but don't break upgrades. Copy the behaviour from
    the grub packages here. Closes: #990966

 -- Steve McIntyre <93sam@debian.org>  Mon, 12 Jul 2021 08:53:54 +0100

shim (15.4-6) unstable; urgency=high

  * Add arm64 patch to tweak section layout and stop crashing problems.
    Upstream issue #371. Closes: #990082, #990190
  * In insecure mode, don't abort if we can't create the MokListXRT
    variable. Upstream issue #372. Closes: #989962, #990158

 -- Steve McIntyre <93sam@debian.org>  Wed, 23 Jun 2021 19:03:54 +0100

shim (15.4-5) unstable; urgency=medium

  * Add defensive code around calls to db_get. Don't fail if they return
    errors.

 -- Steve McIntyre <93sam@debian.org>  Thu, 06 May 2021 00:37:49 +0100

shim (15.4-4) unstable; urgency=medium

  * Fix up those maintainer scripts - if we're not running on an EFI
    system then exit cleanly.

 -- Steve McIntyre <93sam@debian.org>  Tue, 04 May 2021 17:53:21 +0100

shim (15.4-3) unstable; urgency=medium

  * Add maintainer scripts to the template packages to manage installing
    and removing fbXXX.efi and mmXXX.efi when we install/remove the
    shim-helpers-$arch-signed packages. Closes: #966845

 -- Steve McIntyre <93sam@debian.org>  Mon, 03 May 2021 20:48:49 +0100

shim (15.4-2) unstable; urgency=medium

  * Add two further patches from upstream:
    + fix import_one_mok_state() after split
    + Don't call QueryVariableInfo() on EFI 1.10 machines (e.g. older
      Intel Mac machines)

 -- Steve McIntyre <93sam@debian.org>  Wed, 21 Apr 2021 00:23:02 +0100

shim (15.4-1) unstable; urgency=medium

  * New upstream release fixing more bugs: SBAT and arm64 support
  * Print sha256 checksums of the EFI binaries when the build is done
  * Add two patches from upstream:
    + fix i386 binary relocations
    + allocate MOK config table as BootServicesData

 -- Steve McIntyre <93sam@debian.org>  Wed, 31 Mar 2021 18:25:00 +0100

shim (15.3-3) unstable; urgency=medium

  * Update the timestamp for the 15.3-2 upload.
  * Only include the upstream version in the Debian SBAT metadata, so we
    don't break reproducibility on every minor packaging change.

 -- Steve McIntyre <93sam@debian.org>  Wed, 24 Mar 2021 13:21:05 +0000

shim (15.3-2) unstable; urgency=medium

  * Add missing build-dep on xxd for build-time unit tests

 -- Steve McIntyre <93sam@debian.org>  Wed, 24 Mar 2021 02:21:53 +0000

shim (15.3-1) unstable; urgency=medium

  [ Steve McIntyre ]
  * Switch to much-newer release with many fixes
    + Particularly pulling in SBAT changes for better revocation support
    + Remove all our old patches, no longer needed:
      - avoid_null_vsprint.patch
      - check_null_sn_ln.patch
      - fixup_git.patch
      - uname.patch
      - use_compare_mem_gcc9.patch
    + Now includes a vendor copy of gnu-efi with quite a few extra fixes
      needed.
    + Update copyright file to cover these changes
  * Switch to using gcc-10 rather than gcc-9. Closes: #978521
  * Add dbx entries for all our existing grub binaries
    + They're insecure, let's break the chainloading hole.
  * Add Debian SBAT data
    + Add a Debian SBAT template, and rules to use it
    + Adds a build-dep on dos2unix

 -- Steve McIntyre <93sam@debian.org>  Tue, 23 Mar 2021 23:39:48 +0000

shim (15+1533136590.3beb971-10) unstable; urgency=medium

  [ Debian Janitor ]
  * Trim trailing whitespace.
  * Use secure copyright file specification URI.
  * debian/copyright: use spaces rather than tabs to start continuation
    lines.
  * Bump debhelper from old 11 to 12.
  * Set debhelper-compat version in Build-Depends.
  * Set upstream metadata fields: Bug-Database, Bug-Submit.
  * Update standards version to 4.4.1, no changes needed.

  [ Steve McIntyre ]
  * Trivial changes to generating the inbuilt dbx if we're using it.
  * Upload to pick up rotated Debian signing keys

 -- Steve McIntyre <93sam@debian.org>  Fri, 24 Jul 2020 01:22:46 +0100

shim (15+1533136590.3beb971-9) unstable; urgency=medium

  [ Steve McIntyre ]
  * In the -helpers-ARCH-signed packages, change the version dependency
    on shim-unsigned to be >= and not =. This will allow for
    installation to still work in the window while we wait for the
    template package to do its second trip through the archive.
    Closes: #955356

 -- Steve McIntyre <93sam@debian.org>  Mon, 30 Mar 2020 15:19:08 +0100

shim (15+1533136590.3beb971-8) unstable; urgency=medium

  [ Steve McIntyre ]
  * Use --padding when calling pesign to generate hashes for the dbx
    list, as recommended by Peter Jones. No actual changes needed in our
    list of hashes at this point - they work out the same either way.
  * Switch to using gcc-9 for builds, tweaking a patch from upstream to
    fix a FTBFS. Closes: #925816
  * Update debhelper compat level to 11 for shim and the
    signing-template

 -- Steve McIntyre <93sam@debian.org>  Tue, 24 Mar 2020 16:51:10 +0000

# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog shim-helpers-amd64-signed-template`.