)]}' { "log": [ { "commit": "9cfca9fe7aa7a8e29b92fe33ce8433e212c9a8ba", "tree": "04b8e181961fe86a5aa125422eebb171436f9bd1", "parents": [ "75d8405eca50bc62da4d6115f09f9a42969092e1" ], "author": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Sun Mar 19 17:07:59 2023 -0400" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Sun Mar 19 17:07:59 2023 -0400" }, "message": "Version 0.9.5\n\nAndreas Schwab (1):\n sbsigntool: add support for RISC-V 64-bit PE/COFF images\n\nDaniel Axtens (1):\n sbvarsign: do not include PKCS#7 attributes\n\nJames Bottomley (1):\n Add support for openssl-3\n\nJeremi Piotrowski (1):\n Fix openssl-3.0 issue involving ASN1 xxx_it\n\ndann frazier (1):\n sbkeysync: Don\u0027t ignore errors from insert_new_keys()\n\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "75d8405eca50bc62da4d6115f09f9a42969092e1", "tree": "5f3b920c25203abaee6b8b8a29a20abc577a6390", "parents": [ "d6e4bff8f1ec1118282bea9413d74a94388108ac" ], "author": { "name": "Jeremi Piotrowski", "email": "jeremi.piotrowski@gmail.com", "time": "Mon Sep 27 17:27:27 2021 +0200" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Mon Jun 13 18:12:08 2022 -0400" }, "message": "Fix openssl-3.0 issue involving ASN1 xxx_it\n\nUse ASN1_ITEM_rptr() instead of taking the address of IDC_PEID_it.\n\nopenssl-3.0 changed the type of TYPE_it from `const ASN1_ITEM TYPE_it` to\n`const ASN1_ITEM *TYPE_it(void)`. This was previously hidden behind\nOPENSSL_EXPORT_VAR_AS_FUNCTION but in 3.0 only the function version is\navailable. This change should have been transparent to the application, but\nonly if the `ASN1_ITEM_rptr()` macro is used.\n\nThis change passes `make check` with both openssl 1.1 and 3.0.\n\nSigned-off-by: Jeremi Piotrowski \u003cjpiotrowski@microsoft.com\u003e\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "d6e4bff8f1ec1118282bea9413d74a94388108ac", "tree": "1a07bea2f7a805f569dd37cad93a549f53f095d2", "parents": [ "25af2eb5e39b5d54703d4489182a6b9d0af58b76" ], "author": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Mon Jun 13 16:32:45 2022 -0400" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Mon Jun 13 18:12:08 2022 -0400" }, "message": "Add support for openssl-3\n\nWe\u0027re currently using a raft of APIs which trigger deprecation\nwarnings, so add OPENSSL_API_COMPAT to the command line for openssl-3\nto cause them not to break the build.\n\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "25af2eb5e39b5d54703d4489182a6b9d0af58b76", "tree": "af7aa17ffc248061321975bbaac59fb3cd37e184", "parents": [ "4b8fc118774a3dfce41cd21fea3e7cda6bbd0a47" ], "author": { "name": "Andreas Schwab", "email": "schwab@suse.de", "time": "Fri Jun 04 14:36:17 2021 +0200" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Fri Mar 04 16:43:24 2022 -0500" }, "message": "sbsigntool: add support for RISC-V 64-bit PE/COFF images\n\nSigned-off-by: Andreas Schwab \u003cschwab@suse.de\u003e\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "4b8fc118774a3dfce41cd21fea3e7cda6bbd0a47", "tree": "4d70da5756fbc2568e97230e016c6b1985768611", "parents": [ "f12484869c9590682ac3253d583bf59b890bb826" ], "author": { "name": "Daniel Axtens", "email": "dja@axtens.net", "time": "Mon Feb 21 11:22:47 2022 +1100" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Mon Feb 21 07:45:56 2022 -0500" }, "message": "sbvarsign: do not include PKCS#7 attributes\n\nThe UEFI spec (8.2.2 Using the EFI_VARIABLE_AUTHENTICATION_2\ndescriptor) includes the following information about constructing\nthe PKCS#7 message for the authentication descriptor under\npoint 4(g):\n\n SignedData.signerInfos shall be constructed as:\n ...\n - SignerInfo.authenticatedAttributes shall not be present.\n\nsbvarsign does not currently honour this, and generates a PKCS#7\nmessage containing authenticated attributes. This is a snippet from\nOpenSSL\u0027s printout of a message I reconstructed from an auth file:\n\n signedAttrs:\n object: contentType (1.2.840.113549.1.9.3)\n set:\n OBJECT:pkcs7-data (1.2.840.113549.1.7.1)\n\n object: signingTime (1.2.840.113549.1.9.5)\n set:\n UTCTIME:Mar 2 11:20:21 2021 GMT\n\n object: messageDigest (1.2.840.113549.1.9.4)\n set:\n OCTET STRING:\n 0000 - 99 58 87 86 82 82 b6 4b-c4 6a e4 e5 6b .X.....K.j..k\n 000d - 51 39 ac c3 b8 21 24 30-0c 28 e6 e3 aa Q9...!$0.(...\n 001a - 5c 33 c1 80 3f d1 \\3..?.\n\nTell OpenSSL to stop adding attributes.\n\nThis also brings sbvarsign in to line with sign-efi-sig-list.\n\nSigned-off-by: Daniel Axtens \u003cdja@axtens.net\u003e\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "f12484869c9590682ac3253d583bf59b890bb826", "tree": "6273f2b255f23b9711930498ae1e261edeb5caa6", "parents": [ "d52f7bbb73401aab8a1d59e8d0d686ad9641035e" ], "author": { "name": "dann frazier", "email": "dann.frazier@canonical.com", "time": "Wed Aug 12 15:27:08 2020 -0600" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Tue Aug 18 12:06:39 2020 -0700" }, "message": "sbkeysync: Don\u0027t ignore errors from insert_new_keys()\n\nIf insert_new_keys() fails, say due to a full variable store, we currently\nstill exit(0). This can make it difficult to know something is wrong.\nFor example, Debian and Ubuntu implement a secureboot-db systemd service\nto update the DB and DBX, which calls:\n\n ExecStart\u003d/usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose\n\nBut although this seemed to succeed on my system, looking at the logs shows\na different story:\n\nInserting key update /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin into dbx\nError writing key update: Invalid argument\nError syncing keystore file /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin\n\nSigned-off-by: dann frazier \u003cdann.frazier@canonical.com\u003e\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "d52f7bbb73401aab8a1d59e8d0d686ad9641035e", "tree": "caf0a5636bd019624b57fd3f6a596e0ed475ebe4", "parents": [ "e17dc20591236d21f086f16294ed691544cb6fc2" ], "author": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Thu Jun 11 16:32:13 2020 -0700" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Thu Jun 11 16:32:13 2020 -0700" }, "message": "Version 0.9.4\n\nAKASHI Takahiro (1):\n sbsign: allow for adding intermediate certificates\n\nJames Bottomley (8):\n sbverify: fix verification with intermediate certificates\n Tests: Add intermediate certificate tests to the sign-verify cases\n Fix some openssl 1.1.0 deprecated functions\n sbvarsign: remove unused global variable\n sbverify: refer to unused function\n Fix errors on 32 bit\n Enable -Werror for builds\n docs: add man page for sbkeysync\n\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "e17dc20591236d21f086f16294ed691544cb6fc2", "tree": "4dbec25cb409b1846a399bdd0aaffc2a79ff0e87", "parents": [ "ff96a590466a1881d2203988fcc39b51af11c519" ], "author": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Sat Jun 06 15:21:11 2020 -0700" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Sat Jun 06 17:22:39 2020 -0700" }, "message": "docs: add man page for sbkeysync\n\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "ff96a590466a1881d2203988fcc39b51af11c519", "tree": "24eca4a815ff538bb2cfb2c89ede14a15d75d1ea", "parents": [ "e3f7d2754147e76302d6b4e7f52f09bb9a2fed47" ], "author": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Sat Jun 06 15:08:01 2020 -0700" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Sat Jun 06 17:22:39 2020 -0700" }, "message": "Enable -Werror for builds\n\nNow that all the build warnings are eliminated, make sure they don\u0027t\ncome back\n\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "e3f7d2754147e76302d6b4e7f52f09bb9a2fed47", "tree": "f2a778b92227d304f8f8f2b71ad4ac97a37223bc", "parents": [ "5aeb513916c7b1d37304e28571ad3daeda9e3cb0" ], "author": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Sat Jun 06 15:34:02 2020 -0700" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Sat Jun 06 17:22:39 2020 -0700" }, "message": "Fix errors on 32 bit\n\nprint format and signed conversion due to big hex types\n\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "5aeb513916c7b1d37304e28571ad3daeda9e3cb0", "tree": "6cf70d5b129d22f12e5e087b01e8a078a05a0035", "parents": [ "6b7d5ccb288509512ff1e36357685262e6d4645c" ], "author": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Sat Jun 06 14:50:51 2020 -0700" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Sat Jun 06 14:50:51 2020 -0700" }, "message": "sbverify: refer to unused function\n\nThe function print_certificate_store_certs() is currently commented\nout leading to an unused function warning. Make verbose a level and\ncall this function for levels \u003e 1 (meaning you have to specify -v -v\nto see it).\n\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "6b7d5ccb288509512ff1e36357685262e6d4645c", "tree": "6ec37a718b7f01f23593bf71f86aa6674faf6e4d", "parents": [ "311d6c2b9c1129114834f4df9b12a195a66dc4bc" ], "author": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Sat Jun 06 14:50:33 2020 -0700" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Sat Jun 06 14:50:33 2020 -0700" }, "message": "sbvarsign: remove unused global variable\n\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "311d6c2b9c1129114834f4df9b12a195a66dc4bc", "tree": "8bc3a421b546b9427092cc7f1313a24c49b0ed02", "parents": [ "6c2b07fa1c5a2cffffd76a0a0703d2de93cfad06" ], "author": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Sat Jun 06 14:44:54 2020 -0700" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Sat Jun 06 14:44:54 2020 -0700" }, "message": "Fix some openssl 1.1.0 deprecated functions\n\nreplace OPENSSL_config with OPENSSL_init_crypto and ASN1_STRING_data\nwith ASN1_STRING_get0_data\n\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "6c2b07fa1c5a2cffffd76a0a0703d2de93cfad06", "tree": "65126dbc345005f0bffa4bb919f8f3abbd6ae83a", "parents": [ "df27a417b92ebdcf4161fd115fc61a204ff7c202" ], "author": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Fri Jun 05 18:34:55 2020 -0700" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Fri Jun 05 18:34:55 2020 -0700" }, "message": "Tests: Add intermediate certificate tests to the sign-verify cases\n\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "df27a417b92ebdcf4161fd115fc61a204ff7c202", "tree": "85790e763d7d4478542fc84ee415b9d815a729e7", "parents": [ "7d6210e4b1fd5ed16a671a07aaa14a98a9f7c33c" ], "author": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Fri Jun 05 18:29:07 2020 -0700" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Fri Jun 05 18:33:41 2020 -0700" }, "message": "sbverify: fix verification with intermediate certificates\n\nsbverify is currently failing if an intermediate certificate is added\non signing but the binary is verified with the singing certificate.\nIt fails with X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.\n\nThis is happening because the x509_STORE only contains the signing\ncertificate but the pkcs7 bundle in the binary contains the issuer\ncertificate as well. Fix this by unconditionally approving any\nlocally missing certificates on verify.\n\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "7d6210e4b1fd5ed16a671a07aaa14a98a9f7c33c", "tree": "be0db81e7b8fd993f89d7f8beb5b07be91497f3b", "parents": [ "fe88da5f66241d959b7aeca7502d401ad88df410" ], "author": { "name": "AKASHI Takahiro", "email": "takahiro.akashi@linaro.org", "time": "Thu Jun 04 16:50:22 2020 +0900" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Fri Jun 05 14:07:44 2020 -0700" }, "message": "sbsign: allow for adding intermediate certificates\n\nSignedData can have multiple certificates, but the current\nimplementation of sbsign only allows a single one (as a signer).\nWith this patch, \"-addcert\" options will be available on command line to\nspecify a file in which any number of intermediate certificates in PEM\nformat can be concatenated.\n\n $ sign --key \u003ckey\u003e --cert \u003ccert\u003e --addcert \u003cmorecerts\u003e [...] image_file\n\nBackground:\nI\u0027m working on implementing UEFI secure boot on U-Boot and want\nto test my code against PE images with intermediate certificates\nin certificate chain.\nAs far as I know, the only tool that supports it in signing is\nMicrosoft\u0027s signtool.exe. So I\u0027d like to have some corresponding\ntool on linux.\n\nSigned-off-by: AKASHI Takahiro \u003ctakahiro.akashi@linaro.org\u003e\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "fe88da5f66241d959b7aeca7502d401ad88df410", "tree": "713f6069f6550f3b15f1aa33be7110c1cf5e4c96", "parents": [ "ea4e6db5d984ac3bb5988abb6dc63213afb4cff0" ], "author": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Thu Jan 09 09:33:38 2020 -0800" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Thu Jan 09 09:33:38 2020 -0800" }, "message": "Version 0.9.3\n\nJames Bottomley (1):\n README: update git location and add mailing list information\n\nLaszlo Ersek (1):\n sbvarsign: fix \"EFI_VARIABLE_AUTHENTICATION_2.TimeStamp.Year\" assignment\n\nSteve McIntyre (1):\n Fix PE/COFF checksum calculation\n\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "ea4e6db5d984ac3bb5988abb6dc63213afb4cff0", "tree": "136dbbbc70cfc6a70e0aea7461936c916c5efd62", "parents": [ "2ed8eebcc52eaeb60dd24addaed90e5f9a1419e5" ], "author": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Thu Jan 09 09:29:39 2020 -0800" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Thu Jan 09 09:29:39 2020 -0800" }, "message": "README: update git location and add mailing list information\n\nNow that a Mailing list is set up, update the README to point to it\nand mention the new maintained git location for this fork.\n\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "2ed8eebcc52eaeb60dd24addaed90e5f9a1419e5", "tree": "a23bab28cbf66f152da6adc3667cbf5da8629d60", "parents": [ "0dc3d4b5210dae158651d058f7ac68a9f178ae84" ], "author": { "name": "Laszlo Ersek", "email": "lersek@redhat.com", "time": "Thu Jan 09 18:13:02 2020 +0100" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Thu Jan 09 09:21:25 2020 -0800" }, "message": "sbvarsign: fix \"EFI_VARIABLE_AUTHENTICATION_2.TimeStamp.Year\" assignment\n\nAccording to UEFI-2.8, section 8.3 \"Time Services\" / GetTime(), the\n\"EFI_TIME.Year\" field must be in the range [1900, 9999] (both bounds\ninclusive). It is not stated or even implied that \"EFI_TIME.Year\" would\nnot be an absolute year number.\n\nAccording to POSIX, the \"tm_year\" field of \"struct tm\" is defined as\n\"Years since 1900\". In other words, \"tm_year\" is relative to 1900.\n\nIn set_timestamp(), time() and gmtime() are suitable for populating\n\"EFI_VARIABLE_AUTHENTICATION_2.TimeStamp\", as the UEFI spec specifically\nrequires a stamp expressed in the GMT (UTC) zone. But we still need to\noffset \"tm-\u003etm_year\" by 1900 for filling in \"timestamp-\u003eYear\". So let\u0027s do\nthat now.\n\nWhile this issue does not seem to affect upstream edk2, SetVariable()\ncalls with payloads containing an invalid\n\"EFI_VARIABLE_AUTHENTICATION_2.TimeStamp.Year\" value do seem to be\nrejected at least on some Dell Inspiron machines (using a UEFI\nimplementation from AMI).\n\nReported-by: Eugene Khoruzhenko \u003cekhoruzhenko@absolute.com\u003e\nReported-by: Paulo Henrique Lacerda de Amorim \u003cphlamorim@riseup.net\u003e\nRef: https://edk2.groups.io/g/devel/message/49402\nFixes: 953b00481f3957fc756a6dc7d10c570da32a08bc\nSigned-off-by: Laszlo Ersek \u003clersek@redhat.com\u003e\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "0dc3d4b5210dae158651d058f7ac68a9f178ae84", "tree": "5075f0d837932a6a247d7b4a3cb4ac231e6b611a", "parents": [ "216dbd3331a7e14ff79cc4dd68c29896f1152ae4" ], "author": { "name": "Steve McIntyre", "email": "93sam@debian.org", "time": "Fri Apr 19 23:14:46 2019 +0100" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Sat Jul 27 15:20:49 2019 -0700" }, "message": "Fix PE/COFF checksum calculation\n\nOnly count the cert_table header once when performing the calculation\nand counting buffer sizes.\n\nThe problem entered because of a mismerge of multiple signature\nsupport and \"be1f3d8 Update the PE checksum field using the\nsomewhat-underdocumented algorithm, so that we match the Microsoft\nimplementation in our signature generation.\". Originally\nimage-\u003ecert_table held the full certificate table including the\nMicrosoft _WINH_CERTIFICATE header and image-\u003esigbuf pointed to the\npkcs11 signature inside, so the two had to be checksummed separately.\nAfter multiple signature support, image-\u003esigbuf points to the full\ncertificate table because we now need the headers to decide where one\nsignature ends and the next begins, so the correct checksum only needs\nto sum over the entire image-\u003esigbuf.\n\nSigned-off-by: Steve McIntyre \u003c93sam@debian.org\u003e\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "216dbd3331a7e14ff79cc4dd68c29896f1152ae4", "tree": "6082c136b8d2c3de2f2b867aab64f673ebc1951d", "parents": [ "98d3ce77b4960785c5180277989542bfb90a9666" ], "author": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Wed Jan 09 16:09:37 2019 -0800" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Wed Jan 09 16:09:37 2019 -0800" }, "message": "Version 0.9.2\n\nFix fedora build\nFix variable signing for current tianocore\nFix image processing not to invalidate existing signatures\n\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "98d3ce77b4960785c5180277989542bfb90a9666", "tree": "f770423ab3ac034d77d9293b9e908d2b1e5218db", "parents": [ "73a13fb7e3264d8d9be7c7aa713016ce810ebe71" ], "author": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Wed Jan 09 16:04:01 2019 -0800" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Wed Jan 09 16:04:01 2019 -0800" }, "message": "src/image.c: remove alignment of regions\n\nThe old code forced region size to be aligned to the PECOFF file\nalignment parameter, which is correct according to the spec. However,\nthe major UEFI platforms do not align up when checking the signature,\nso if the PECOFF binary being signed already contains a signature,\nrealigning the sections will make the existing signature invalid. Fix\nthis by relaxing the rule about aligning up (also eliminates\ncomplaints about some pecoff sections being misaligned).\n\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "73a13fb7e3264d8d9be7c7aa713016ce810ebe71", "tree": "7d0af724a6a217c32e0b33c94db334a1d430fca2", "parents": [ "704d2c2506d532f277f089b6b9c10ebb6458c8aa" ], "author": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Wed Jan 09 15:52:34 2019 -0800" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Wed Jan 09 15:52:34 2019 -0800" }, "message": "sbvarsign: use SignedData instead of PKCS7 for authenticated updates\n\nThe EFI standard is ambiguous about which one to use for variable\nupdates (it is definite about using PKCS7 for signed binaries). Until\nrecently, the reference platform, tianocore, accepted both. However\nafter patch\n\ncommit c035e37335ae43229d7e68de74a65f2c01ebc0af\nAuthor: Zhang Lubo \u003clubo.zhang@intel.com\u003e\nDate: Thu Jan 5 14:58:05 2017 +0800\n\n SecurityPkg: enhance secure boot Config Dxe \u0026 Time Based AuthVariable.\n\nThe acceptance of PKCS7 got broken. This breakage seems to be\npropagating to the UEFI ecosystem, so update the variable signing\ntools to emit the SignedData type (which all previous EFI\nimplementations accepted).\n\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "704d2c2506d532f277f089b6b9c10ebb6458c8aa", "tree": "bfa0e2a611b0fed9b4d2c27ca6d018450f1505a5", "parents": [ "a631793f2d02ef219b5348eab0ac2ae604ed1269" ], "author": { "name": "Guy Lunardi", "email": "guy@linux.com", "time": "Tue Feb 20 14:42:15 2018 -0500" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Tue Feb 20 15:36:19 2018 -0500" }, "message": "Fix Fedora Build\n\nOf course, Fedora puts gnu-efi in yet another different, non-standard place\n\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "a631793f2d02ef219b5348eab0ac2ae604ed1269", "tree": "7c5ae400ee52819a4eb756ffeec4be2889981e7b", "parents": [ "efc424c8eea2c398e4371320b4d7266898675ac8" ], "author": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Sat Oct 28 14:23:16 2017 +0100" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Sat Oct 28 14:23:16 2017 +0100" }, "message": "Version 0.9.1\n\nAdd support for engine based keys\n\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "efc424c8eea2c398e4371320b4d7266898675ac8", "tree": "dd0cdb0e5fa8a42db9eef26c3d62176a48ba7c94", "parents": [ "62c9352519e1a21d2e6423a2e39354cb05d56c44" ], "author": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Sat Oct 28 14:21:24 2017 +0100" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Sat Oct 28 14:21:24 2017 +0100" }, "message": "sbsign, sbvarsign: support engine based private keys\n\nAdd the ability to specify an engine to read the keyfile. For safety,\nwe don\u0027t do the full dynamic engine support, but only use engines\nconfigured for use by the platform.\n\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "62c9352519e1a21d2e6423a2e39354cb05d56c44", "tree": "5dbccc07a3546f4f4233d6c1813997ea5c603fad", "parents": [ "8e184454fd4d59d39c860dfad100cba82af5ea33" ], "author": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Thu Oct 19 11:17:23 2017 -0700" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Thu Oct 19 11:18:29 2017 -0700" }, "message": "Version 0.9\n\nThis version builds correctly on openssl 1.1 and also includes\nfunctional autotests for every architecture.\n\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "8e184454fd4d59d39c860dfad100cba82af5ea33", "tree": "ecb0bb90cd5f71e815d7ce3834394091a88d5827", "parents": [ "f065bb5705d0d7eddb4c412758fd7ab8dc4d59f4" ], "author": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Thu Oct 19 11:09:41 2017 -0700" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Thu Oct 19 11:09:41 2017 -0700" }, "message": "Fix Debian 8 and Leap_42.1 builds\n\nOlder versions of openssl 1.0.0 don\u0027t have X509_STORE_CTX_get0_store\nso define that as well.\n\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "f065bb5705d0d7eddb4c412758fd7ab8dc4d59f4", "tree": "da9e17356ef8adc74b58ae372d07782189a9d01b", "parents": [ "cbbafe244baee231f1726d86af634b6680f9629e" ], "author": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Thu Oct 19 09:20:42 2017 -0700" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Thu Oct 19 10:45:58 2017 -0700" }, "message": "tests: Fix up to work on arbitrary architectures\n\nThe current test infrastructure is tied to x86/amd64. This means the\ntests always fail on a non-x86 architecture (like aarch64). Fix this\nby generating the efi binary directly from C code and removing the\narchitectural restrictions in the Makefile.am. One of the\nconsequences of this is that we no longer test ia32 on x86_64, but the\ndifficulty of detecting which architectures can support 32 bit\nvariants and generating them correctly from EFI c code is too great.\n\nWe also need to exclude tests involving objdump from aarch64 since its\nbfd still doesn\u0027t have an efi_app_aarch64 target.\n\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "cbbafe244baee231f1726d86af634b6680f9629e", "tree": "e755471e91c8d104e23e06f51cfccc2b3e1016e9", "parents": [ "bc6ff99d36337b4ccb3551dd8bbc4e38a193fd7d" ], "author": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Wed Oct 18 18:17:29 2017 -0700" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Thu Oct 19 10:45:58 2017 -0700" }, "message": "tests/detach-remove.sh: fix for i386 pecoff size problems\n\npecoff for i386 can be too short, so it gets padded for an accurate\nsignature. Make sure the size comparison takes this into account to\navoid spurious failures.\n\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "bc6ff99d36337b4ccb3551dd8bbc4e38a193fd7d", "tree": "a982caf12eae3764d2e4f0de12f7353ff68e25b3", "parents": [ "5b79ed2179c333949385ef959f01d4a7abbc351b" ], "author": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Wed Oct 18 17:20:56 2017 -0700" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Thu Oct 19 10:45:58 2017 -0700" }, "message": "tests: fix up the generation of the test pecoff binary for gcc-7.2\n\nnewer versions of gcc have contained an efi target for a while so use\nit instead of hacking a linker script.\n\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "5b79ed2179c333949385ef959f01d4a7abbc351b", "tree": "9695384e7bcfd5eeced20314ad5911edbffe0817", "parents": [ "79d0c44afbc7da0adefe1250a17a49e6eb90c9bd" ], "author": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Wed Oct 18 17:01:21 2017 -0700" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Thu Oct 19 10:45:58 2017 -0700" }, "message": "tests: fix signature resign/reattach test problems\n\nThe original tests to warn about overwriting signatures have never\nworked after the multiple signature code was added (because we add a\nnew signature instead of overwriting the old one) update the tests to\ncheck instead for the signature addition.\n\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "79d0c44afbc7da0adefe1250a17a49e6eb90c9bd", "tree": "a674a7efd455dc46bf3190c30f1792d12fe2a3db", "parents": [ "73a261f238296df5552097442ee88979f5f70016" ], "author": { "name": "Ben Hutchings", "email": "ben@decadent.org.uk", "time": "Sun Jun 26 22:04:29 2016 +0200" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Thu Oct 19 10:45:58 2017 -0700" }, "message": "Update OpenSSL API usage to support OpenSSL 1.1\n\nMost structure definitions in OpenSSL are now opaque and we must call\nthe appropriate accessor functions to get information from them.\nNot all the accessors are available in older versions, so define the\nmissing accessors as macros.\n\nThe X509_retrieve_match() function is no longer usable, as we cannot\ninitialise an X509_OBJECT ourselves. Instead, iterate over the\ncertificate store and use X509_OBJECT_get_type and X509_cmp to\ncompare certificates.\n" }, { "commit": "73a261f238296df5552097442ee88979f5f70016", "tree": "be46e956eab6a6dd64709aa747132dd7736ba954", "parents": [ "e9626fefa176d79620dbf24982c60509fa3f3da2" ], "author": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Wed Oct 18 16:48:01 2017 -0700" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Thu Oct 19 10:45:57 2017 -0700" }, "message": "make check: fix test environment problem\n\nautotest is very finicky. The environment can\u0027t be set up in\nSH_LOG_COMPILER, but have to be done in AM_TESTS_ENVIRONMENT instead,\nso fix this.\n\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "e9626fefa176d79620dbf24982c60509fa3f3da2", "tree": "51cd64b3464bfa586b1e9084567ad1020dbc806e", "parents": [ "df8303a4e37e42cce36d8ef7d4ea4d75b1080e28" ], "author": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Wed Nov 16 10:27:54 2016 -0500" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Thu Oct 19 10:45:41 2017 -0700" }, "message": "Add OPENSSL_config(NULL) to each binary to load openssl.cnf\n\nIn the current framework for using engine based keys, the engine has\nto be loaded and initialised as part of the default engines. The only\nway this can happen for the TPM engine is if it is named in a config\nsecion, so all the tools must read and act on the config file to be\nable to use TPM based keys.\n\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "df8303a4e37e42cce36d8ef7d4ea4d75b1080e28", "tree": "81a96b3cf44ba8b28d916c31e24392e31b806aae", "parents": [ "5f7f8f3ded1d3e601bb5c630959808c35f8c39e6" ], "author": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Sun Feb 14 12:04:45 2016 -0800" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Sun Feb 14 12:04:45 2016 -0800" }, "message": "Version: 0.8\n\nThis version works correctly on arm 32 and 64.\n\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "5f7f8f3ded1d3e601bb5c630959808c35f8c39e6", "tree": "69d05ffa45c5a96407b0414ab2cd52da12763397", "parents": [ "3b4e9bb901e40ce5d737dfc5b44b4529421d8f8a" ], "author": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Fri Feb 12 15:54:31 2016 -0800" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Fri Feb 12 15:54:31 2016 -0800" }, "message": "sbkeysync: don\u0027t include efi.h\n\nIt causes the ARM build to crash (because of directives) and it\u0027s\nunnecessary in this file.\n\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "3b4e9bb901e40ce5d737dfc5b44b4529421d8f8a", "tree": "38575ff12a5676ce217df6816b7f03c6ecb21859", "parents": [ "f37c1858fc83ce1f4cef28f47cd356226b93fa0f" ], "author": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Fri Feb 12 15:46:44 2016 -0800" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Fri Feb 12 15:46:44 2016 -0800" }, "message": "configure: build on arm\n\narm has a variety of uname -m forms, all beginning with arm, so use\nthis to determine the EFI architecture\n\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "f37c1858fc83ce1f4cef28f47cd356226b93fa0f", "tree": "cf9a31065bb2bb06c0641dfce8546ac139b5bf12", "parents": [ "1c9dfe73640542e1eefc8d69389cea73c0dc5ce3" ], "author": { "name": "Mathieu Trudel-Lapierre", "email": "mathieu.trudel-lapierre@canonical.com", "time": "Wed Jan 27 12:18:28 2016 -0800" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Wed Jan 27 12:18:28 2016 -0800" }, "message": "sbverify: Clear out content for the signature we\u0027re building\n\nOpenSSL 1.0.2e now actively checks for both data and contents being present\nfor a certificate. Clear out contents so that we have only data, and run a\nchance of actually verifying the signature.\n\nBug-Ubuntu: https://launchpad.net/bugs/1526959\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "1c9dfe73640542e1eefc8d69389cea73c0dc5ce3", "tree": "b213bf37328aa77dbc1eef413a06c9f17a086226", "parents": [ "2c2f71313e5717e9858fcbcfbe102a1964b6e385" ], "author": { "name": "Linn Crosetto", "email": "linn@hpe.com", "time": "Tue Oct 27 15:31:12 2015 -0600" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Wed Jan 27 11:53:53 2016 -0800" }, "message": "Handle odd buffer lengths in checksum\n\nBuffers of odd length can be passed to the checksum, for example signatures.\ncsum_bytes uses a uint16_t so change the function to prevent overflowing the\nbuffer, while taking the extra byte into account if the length is odd.\n\nSigned-off-by: Linn Crosetto \u003clinn@hpe.com\u003e\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "2c2f71313e5717e9858fcbcfbe102a1964b6e385", "tree": "ce3550b81f7369e8db990ff1648c9b05b563b920", "parents": [ "ca6ad33055c67e1bfcae34e36c64d50ba7ff9320" ], "author": { "name": "Steve Langasek", "email": "steve.langasek@canonical.com", "time": "Wed Jul 15 08:48:25 2015 -0700" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Wed Jan 27 11:53:18 2016 -0800" }, "message": "Support openssl 1.0.2b and above\n\nNewer versions of openssl return a different error with alternate\ncertificate chains; update for compatibility.\n\nSigned-off-by: Marc Deslauriers \u003cmarc.deslauriers@canonical.com\u003e\nBug-Ubuntu: https://bugs.launchpad.net/bugs/1474541\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "ca6ad33055c67e1bfcae34e36c64d50ba7ff9320", "tree": "29639fd43eb52c42364ac79108a4d3e5b2f3bc42", "parents": [ "84d8361642350c11c47d1c884420b89403df4ba8" ], "author": { "name": "Ard Biesheuvel", "email": "ard.biesheuvel@linaro.org", "time": "Wed Jan 27 13:17:19 2016 +0100" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Wed Jan 27 11:50:19 2016 -0800" }, "message": "sbsigntool: add support for ARM and Aarch64 PE/COFF images\n\nNote that for the ARM case, we are using IMAGE_FILE_MACHINE_THUMB (0x1c2)\nrather than IMAGE_FILE_MACHINE_ARM (0x1c0), as the latter refers to\nan older calling convention that is incompatible with Tianocore UEFI.\n\nSigned-off-by: Ard Biesheuvel \u003card.biesheuvel@linaro.org\u003e\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "84d8361642350c11c47d1c884420b89403df4ba8", "tree": "59edca191d4c98ebbd4002751c30d108d4897d39", "parents": [ "38ebdc8a6624522a1dd22dc77e10793e356473a3" ], "author": { "name": "Ard Biesheuvel", "email": "ard.biesheuvel@linaro.org", "time": "Wed Jan 27 13:17:18 2016 +0100" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Wed Jan 27 11:49:30 2016 -0800" }, "message": "sbsigntool: fix handling of zero sized sections\n\nThe loop that iterates over the PE/COFF sections correctly skips zero\nsized sections, but still increments the loop index \u0027i\u0027. This results in\nsubsequent iterations poking into unallocated memory.\n\nSigned-off-by: Ard Biesheuvel \u003card.biesheuvel@linaro.org\u003e\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "38ebdc8a6624522a1dd22dc77e10793e356473a3", "tree": "f5825a2612f795d8c80426d01269ea94df5d0301", "parents": [ "a03f9d4d7c3f871773ec9dee500c932b132c05e7" ], "author": { "name": "Ard Biesheuvel", "email": "ard.biesheuvel@linaro.org", "time": "Wed Jan 27 11:47:28 2016 -0800" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Wed Jan 27 11:48:09 2016 -0800" }, "message": "sbsigntool: remove doubly defined IMAGE_FILE_MACHINE_AMD64\n\nSigned-off-by: Ard Biesheuvel \u003card.biesheuvel@linaro.org\u003e\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "a03f9d4d7c3f871773ec9dee500c932b132c05e7", "tree": "0a7024f4e509a1dde06f1fbeec60aa00d63b7685", "parents": [ "be1f3d8350c6d86fa5fd36bd22c94bf86e106dbb" ], "author": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Wed Jan 27 11:42:53 2016 -0800" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Wed Jan 27 11:42:53 2016 -0800" }, "message": "sbverify: add extra expiry errors to ignore\n\nOriginal patch from: Steve Langasek \u003csteve.langasek@canonical.com\u003e\n\nThe ubuntu version of the signature expiry patch ignores serveral more errors,\nso add them.\n\nBug-Ubuntu: https://bugs.launchpad.net/bugs/1234649.\n\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "be1f3d8350c6d86fa5fd36bd22c94bf86e106dbb", "tree": "2090a6cdeee22f53d577b8f3c1389f98900af656", "parents": [ "706bec1a957f2fcce3781e326e6e0b2be41a9b86" ], "author": { "name": "Steve Langasek", "email": "steve.langasek@canonical.com", "time": "Wed Jan 27 11:06:02 2016 -0800" }, "committer": { "name": "James Bottomley", "email": "James.Bottomley@HansenPartnership.com", "time": "Wed Jan 27 11:38:00 2016 -0800" }, "message": "Update the PE checksum field using the somewhat-underdocumented\nalgorithm, so that we match the Microsoft implementation in our\nsignature generation.\n\n[jejb: add endian to autogen.sh and fix for multi-sign]\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\nSigned-off-by: James Bottomley \u003cJames.Bottomley@HansenPartnership.com\u003e\n" }, { "commit": "706bec1a957f2fcce3781e326e6e0b2be41a9b86", "tree": "67e377137062a48833a2c07c8c71aa0bfa9645f0", "parents": [ "ed53774c2f6b39ab63b312891ba7e98492f4d7e3" ], "author": { "name": "James Bottomley", "email": "JBottomley@Parallels.com", "time": "Tue Jan 06 08:00:28 2015 -0800" }, "committer": { "name": "James Bottomley", "email": "JBottomley@Parallels.com", "time": "Tue Jan 06 12:45:03 2015 -0800" }, "message": "OBS add correcting definition of EFI_ARCH\n\nSigned-off-by: James Bottomley \u003cJBottomley@Parallels.com\u003e\n" }, { "commit": "ed53774c2f6b39ab63b312891ba7e98492f4d7e3", "tree": "af006875a390e89905b014287be33e000b7c7599", "parents": [ "f6115a8045275a0dc138f9088ba018441146e81d" ], "author": { "name": "James Bottomley", "email": "JBottomley@Parallels.com", "time": "Fri Dec 19 16:44:54 2014 -0800" }, "committer": { "name": "James Bottomley", "email": "JBottomley@Parallels.com", "time": "Fri Dec 19 16:44:54 2014 -0800" }, "message": "Version 0.7\n\nChange responsible person to James Bottomley\n\nSigned-off-by: James Bottomley \u003cJBottomley@Parallels.com\u003e\n" }, { "commit": "f6115a8045275a0dc138f9088ba018441146e81d", "tree": "39333a363cb38883bc8ccb496c4d7b76ea7b6553", "parents": [ "6b493361c28756e6e0167a972d06ab49ce24640f" ], "author": { "name": "James Bottomley", "email": "JBottomley@Parallels.com", "time": "Fri Dec 19 16:10:34 2014 -0800" }, "committer": { "name": "James Bottomley", "email": "JBottomley@Parallels.com", "time": "Fri Dec 19 16:42:37 2014 -0800" }, "message": "sbsign, sbattach, sbverify: add multiple signature support\n\nsbsign will sign an already signed binary (adding a signature at the end)\nsbverify has a new mode --list, for listing all the signatures and sbattach\ntakes a --signum argument for --remove or --detach.\n\nSigned-off-by: James Bottomley \u003cJBottomley@Parallels.com\u003e\n" }, { "commit": "6b493361c28756e6e0167a972d06ab49ce24640f", "tree": "a5be9e5e86f6f5f71ebe3d58122f2a843251fa1b", "parents": [ "35e2e074e362b949aa9c6ac1619312b8e2642080" ], "author": { "name": "James Bottomley", "email": "JBottomley@Parallels.com", "time": "Fri Dec 19 11:37:30 2014 -0800" }, "committer": { "name": "James Bottomley", "email": "JBottomley@Parallels.com", "time": "Fri Dec 19 16:42:37 2014 -0800" }, "message": "sbverify: fix verification\n\nno leaf is OK as is expired cert.\n\nSigned-off-by: James Bottomley \u003cJBottomley@Parallels.com\u003e\n" }, { "commit": "35e2e074e362b949aa9c6ac1619312b8e2642080", "tree": "c6caf1ba9c1109ade1264bec62e508536457c916", "parents": [ "592ec2188f7b9cf003fe7cb0835e93559f19156f" ], "author": { "name": "James Bottomley", "email": "JBottomley@Parallels.com", "time": "Fri Dec 19 10:59:05 2014 -0800" }, "committer": { "name": "James Bottomley", "email": "JBottomley@Parallels.com", "time": "Fri Dec 19 16:42:37 2014 -0800" }, "message": "Clear ssl errors after loading everyting\n\nThis prevents a FIPS failure message if no FIPS module is loaded.\n\nPlus add -v as short form for --verbose in sbverify\n\nSigned-off-by: James Bottomley \u003cJBottomley@Parallels.com\u003e\n" }, { "commit": "592ec2188f7b9cf003fe7cb0835e93559f19156f", "tree": "a482ebd1ce85131f7778c6849c7033cb30d20d33", "parents": [ "b963c5cb381527bca6d45593779f1f628cd8e7cc" ], "author": { "name": "James Bottomley", "email": "JBottomley@Parallels.com", "time": "Mon Sep 30 19:25:37 2013 -0700" }, "committer": { "name": "James Bottomley", "email": "JBottomley@Parallels.com", "time": "Fri Dec 19 16:42:37 2014 -0800" }, "message": "Fix for multi-sign\n\nThe new Tianocore multi-sign code fails now for images signed with\nsbsigntools. The reason is that we don\u0027t actually align the signature table,\nwe just slap it straight after the binary data. Unfortunately, the new\nmulti-signature code checks that our alignment offsets are correct and fails\nthe signature for this reason. Fix by adding junk to the end of the image to\nalign the signature section.\n\nSigned-off-by: James Bottomley \u003cJBottomley@Parallels.com\u003e\n" }, { "commit": "b963c5cb381527bca6d45593779f1f628cd8e7cc", "tree": "00271cd827d2aa043599ecd61675d2ae9434a86a", "parents": [ "951ee95a301674c046f55330cd7460e1314deff2" ], "author": { "name": "James Bottomley", "email": "JBottomley@Parallels.com", "time": "Thu Apr 11 21:12:17 2013 -0700" }, "committer": { "name": "James Bottomley", "email": "JBottomley@Parallels.com", "time": "Fri Dec 19 16:42:37 2014 -0800" }, "message": "image.c: clear image variable\n\nNot zeroing the image after talloc occasionally leads to a segfault because\nthe programme thinks it has a signature when in reality it just has a junk\npointer and segfaults.\n\nSigned-off-by: James Bottomley \u003cJBottomley@Parallels.com\u003e\n" }, { "commit": "951ee95a301674c046f55330cd7460e1314deff2", "tree": "130b244ce9c31471dccddae14b8719c66fd5f341", "parents": [ "a7577f56b3c3c6e314576809cc9ce1bde94ae727" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Tue Nov 13 20:22:57 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Wed Nov 14 16:37:08 2012 +0800" }, "message": "sbkeysync: add corrected efivars magic\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "a7577f56b3c3c6e314576809cc9ce1bde94ae727", "tree": "ce3498a690e693565f457f35800edc80f97c2941", "parents": [ "050f003ce78fee00ef9f52342047e33061686108" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Thu Oct 11 20:32:32 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Thu Oct 11 20:32:32 2012 +0800" }, "message": "Version 0.6\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "050f003ce78fee00ef9f52342047e33061686108", "tree": "7c4465cadbb4440a4b0e9138d925266625a7006a", "parents": [ "c98692a71faaf10816b544a9c50c6deef6b5174e" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Wed Oct 10 15:57:35 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Thu Oct 11 20:31:04 2012 +0800" }, "message": "sbverify: explicitly trust all certificates given in --cert arguments\n\nIn line with the verification process in firmware, update our verify\ncallback to explicitly trust all certificates that we load to our cert\nstore.\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "c98692a71faaf10816b544a9c50c6deef6b5174e", "tree": "2038c41e659f52792e703075300c55e161b03dd1", "parents": [ "cd51a269115419a956ad2e94ed93373ed24ef63d" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Wed Oct 10 15:56:58 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Wed Oct 10 15:56:58 2012 +0800" }, "message": "sbverify: Add --verbose option\n\nAdd an option to print the certificate \u0026 signature info while verifying\na signed image.\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "cd51a269115419a956ad2e94ed93373ed24ef63d", "tree": "86219ed9b05926e28541bb043d30d95b4b3ba9b0", "parents": [ "ab63e31bb8ba8ef4b51b8698cc5e89466e003989" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Wed Oct 10 09:00:55 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Wed Oct 10 09:00:55 2012 +0800" }, "message": "Version 0.5\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "ab63e31bb8ba8ef4b51b8698cc5e89466e003989", "tree": "aa6039268fb56642a99c47d3974dac0ac14f958a", "parents": [ "6bfa9f3349ff017e19ad9c5dca23cd33ca9cfcf6" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Mon Oct 08 12:07:43 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Mon Oct 08 12:07:43 2012 +0800" }, "message": "sbkeysync: change default efivarfs mountpoint to /sys/.../efivars/\n\nProposed changes to the kernel will establish /sys/firmware/efi/efivars\nas the canonical mountpoint for the efivars filesystem.\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "6bfa9f3349ff017e19ad9c5dca23cd33ca9cfcf6", "tree": "53d38e797b3172d8b8437bb2771bd647f50b565e", "parents": [ "de78e0cde96220cc30ae560c437801f8fa59beaa" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Tue Oct 02 17:12:02 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Tue Oct 02 17:12:02 2012 +0800" }, "message": "Version 0.4\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "de78e0cde96220cc30ae560c437801f8fa59beaa", "tree": "e8a2989e2a37b1caf015e25d46bf2e5586bc7cf5", "parents": [ "142ba5c1b3e73eb4140c972af20d1aa1ca9cbe04" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Tue Oct 02 11:44:39 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Tue Oct 02 11:44:39 2012 +0800" }, "message": "image: improve handling of unaligned section tables\n\nRather than overrunning the heap, explicitly allocate the pad area for\ncases where we\u0027ve aligned-up the section table sizes.\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "142ba5c1b3e73eb4140c972af20d1aa1ca9cbe04", "tree": "c6996fc9322a960cd1a403789c95e37b135139d3", "parents": [ "63cfc10ce0af23ad5a79e7e6921419f0b6cfb5a6" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Tue Oct 02 11:22:37 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Tue Oct 02 11:22:37 2012 +0800" }, "message": "image: use data_size in cert table header\n\nSince we write the certificate table starting at data_size (not size),\nuse this value when generating the cert table header.\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "63cfc10ce0af23ad5a79e7e6921419f0b6cfb5a6", "tree": "01d2aa4d6663753871472aab4f7274a84992e4cb", "parents": [ "274d4df0ff78aee34759c69b88d53a732ed6f263" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Sep 28 15:45:42 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Sep 28 15:45:42 2012 +0800" }, "message": "image: improve section table parsing\n\nOnly add the endjunk region when we need to add data, and warn when\nwe\u0027ve got too much.\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "274d4df0ff78aee34759c69b88d53a732ed6f263", "tree": "22fa5ba01e250069be52b73a56b44bb155acb4dd", "parents": [ "cf747fcca39ffdb870423a4c97e1abb11fbc7774" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Sep 28 09:56:48 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Sep 28 09:56:48 2012 +0800" }, "message": "image: Allow variable sized data directories\n\nThe PE/COFF spec allows variable-sized data directories, which reduce\nthe size of the optional header. While GNU ld always produces\nmaximum-sized headers, the kernel\u0027s EFI_STUB code generates a smaller\nheader size, which causes the image parsing code to abort.\n\nThis change allows variable-sized optional headers, but checks for at\nleast enough of an optional header to contain a CERT_TABLE data\ndirectory entry.\n\nWe also rename struct image\u0027s aouthdr to opthdr, as it contains more\nthan just the a.out fields.\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "cf747fcca39ffdb870423a4c97e1abb11fbc7774", "tree": "027bde04c818a887679994db3063582fa57d57cc", "parents": [ "c933b5e8fd39e85ace978cbd1f3072bcd9598e26" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Wed Sep 05 11:17:08 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Wed Sep 05 11:19:05 2012 +0800" }, "message": "sbvarsign: fix incorrect pointer in add_auth_descriptor\n\nBrown paper bag time: we want to hash the variable data, not the stack.\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "c933b5e8fd39e85ace978cbd1f3072bcd9598e26", "tree": "8a9366da69d699cdf46342fbf5497d21fa00c2cc", "parents": [ "15354eaa4e955ce5b96498b7fa397b505cf1ff33" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Wed Sep 05 11:16:42 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Wed Sep 05 11:16:42 2012 +0800" }, "message": "sbvarsign: auth descriptor hash does not cover the \\0 in the varname\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "15354eaa4e955ce5b96498b7fa397b505cf1ff33", "tree": "6a564001db9960cd5844a4a78c2f466508d225c4", "parents": [ "41c8bb9ea2b2cee52fd3de412b02bc9b7a302ae4" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 23:03:49 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 23:03:49 2012 +0800" }, "message": "sbkeysync: fix siglist iteration\n\nWe were updating siglist before incrementing i, and so aborting the\nsiglist iteration earlier than necessary.\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "41c8bb9ea2b2cee52fd3de412b02bc9b7a302ae4", "tree": "6e4e5661e7cbd3a7e9abeec2942551e394f765b0", "parents": [ "03e6a4e2b3897d9635dc63a5abc10a2bb45dd13c" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 20:57:00 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 20:57:00 2012 +0800" }, "message": "sbvarsign: Improve default GUID choice\n\nFor db and dbx, we want EFI_IMAGE_SECURITY_DATABASE.\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "03e6a4e2b3897d9635dc63a5abc10a2bb45dd13c", "tree": "1b6eaee948870e69730e95cafda18df4edf198f8", "parents": [ "74153741c4d3a6f45ddfa683ff39724ce9fc1a0b" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 18:01:37 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 20:04:14 2012 +0800" }, "message": "skkeysync: Add PK-handing code\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "74153741c4d3a6f45ddfa683ff39724ce9fc1a0b", "tree": "c80b5a20c6abf21c9b844db1ea79090361c69998", "parents": [ "b4773c902aeff4e09c652f90cd93875bc9d66132" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 13:08:57 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 20:04:13 2012 +0800" }, "message": "sbkeysync: Refactor signature database data structures\n\nRather than having three sets of (firmware, filesystem) key databases,\nrefactor into two sets of (kdk, db, dbx) databases. This allows us to\nadd the PK later.\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "b4773c902aeff4e09c652f90cd93875bc9d66132", "tree": "81bb4e3bbec9e6a42f6244e42af9c430065166e2", "parents": [ "41c741fe13967c74604e21087f3d55d344f409f2" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Thu Aug 23 21:33:53 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 20:03:56 2012 +0800" }, "message": "sbkeysync: fix invalid free in keystore_read_entry\n\nWe want to free path, not ke. We can also unify the error path.\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "41c741fe13967c74604e21087f3d55d344f409f2", "tree": "a870a281c1f085c83903c99a8652b80bc1c9bca9", "parents": [ "16c09d22a61b0ea5e7ee4c4e5e57231a3ca701bc" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Thu Aug 23 18:52:48 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 20:03:54 2012 +0800" }, "message": "sbkeysync: Improve error handling in read_firmware_key_database\n\nWe should free filename, and buf on error.\n\nAlso, check for the length of the file\u0027s data; we may be passed empty\nfiles, and end up with a negative len.\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "16c09d22a61b0ea5e7ee4c4e5e57231a3ca701bc", "tree": "b53ad57c3e10099d3eeee26de9388e3f28c8bb94", "parents": [ "ae1523673ef1b04e004f5e210061af3a4cf24b98" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Thu Aug 23 17:41:49 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 20:03:32 2012 +0800" }, "message": "sbkeysync: insert new keys\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "ae1523673ef1b04e004f5e210061af3a4cf24b98", "tree": "fbedc4ba4bb41441ddceb2509e6585f48c37bbed", "parents": [ "37d838a43d496da9a6bb8d97e088f6cce842e3c2" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Thu Aug 23 14:14:45 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 20:03:32 2012 +0800" }, "message": "sbkeysync: print keystore before key databases\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "37d838a43d496da9a6bb8d97e088f6cce842e3c2", "tree": "603e4f985b0325176fa1b9c4589c05d3839b930f", "parents": [ "60586e122f48c2282e84a34f6f6e78f4c1f55bc9" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Thu Aug 23 14:13:38 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 20:03:32 2012 +0800" }, "message": "sbkeysync: Find keys missing from firmware key databases\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "60586e122f48c2282e84a34f6f6e78f4c1f55bc9", "tree": "7e7fae0ad0863a86e291ddf4bf53b8e7bc0c2a7c", "parents": [ "ae3344f5eb21069c6e0ace949d1989ec597c776f" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Thu Aug 23 11:29:47 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 20:03:32 2012 +0800" }, "message": "sbkeysync: Rename struct keystore_entry-\u003elist to keystore_list\n\nWe want to collect keystore entries on a separate list, so rename the\n\u0027list\u0027 member to something more specific.\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "ae3344f5eb21069c6e0ace949d1989ec597c776f", "tree": "2a87e12163f78f0756b694933359aac6b4625860", "parents": [ "7dc407e311a037297fdb6323f8cb375a0c4640cc" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Wed Aug 22 18:15:57 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 20:03:32 2012 +0800" }, "message": "sbkeysync: Generate and print key descriptions\n\n.. rather than printing the raw IDs.\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "7dc407e311a037297fdb6323f8cb375a0c4640cc", "tree": "a5f7a63f73c1f262f8539691f5ae0a8f461d65c3", "parents": [ "bd9de8eadd109865a703fa21938efd922b61e6ac" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Wed Aug 22 17:53:58 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 20:03:32 2012 +0800" }, "message": "sbkeysync: add comment to sigdb_iterate\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "bd9de8eadd109865a703fa21938efd922b61e6ac", "tree": "8c3bd4f9df7b49086a949d19b9982116df474ada", "parents": [ "22450d8c40027f144c1c2f98b4f7b061c529f613" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Wed Aug 22 17:51:10 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 20:03:32 2012 +0800" }, "message": "sbkeysync: Change key_id to key_parse\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "22450d8c40027f144c1c2f98b4f7b061c529f613", "tree": "ac5d82da9cb1e0637fc8c2d7b101ce5c24a62214", "parents": [ "54e1fbed3009c1e749c077b6ce839db496e7cbce" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Wed Aug 22 17:23:29 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 20:03:32 2012 +0800" }, "message": "sbkeysync: Print filesystem key databases\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "54e1fbed3009c1e749c077b6ce839db496e7cbce", "tree": "0c6ca3f8d990f2efda7a8c9fb7c9b5bd52f1cc67", "parents": [ "5527ef2db4c841dc96bd36da5971e666346d9825" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Tue Aug 21 18:26:33 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 20:03:32 2012 +0800" }, "message": "sbkeysync: read keystore into kdb-\u003efilesystem_keys\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "5527ef2db4c841dc96bd36da5971e666346d9825", "tree": "6576207a00972389e43560450dfba4abea57ffa4", "parents": [ "1bdfb9acb8be085ddc2ce28b63c7b5b2e7c05e33" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Tue Aug 21 15:39:43 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 20:03:29 2012 +0800" }, "message": "sbkeysync: Unify key_database\n\nUse key_database as a generic container for both firmware \u0026 filesystem\nkeys.\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "1bdfb9acb8be085ddc2ce28b63c7b5b2e7c05e33", "tree": "d48d2a5e8539b3b46657dd00086ae924173a8064", "parents": [ "bdeb14370d9a4882214fd535ac2bed4f6db3898f" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Tue Aug 21 15:15:11 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 20:02:15 2012 +0800" }, "message": "sbkeysync: Add key_database-\u003efilesystem_keys\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "bdeb14370d9a4882214fd535ac2bed4f6db3898f", "tree": "4c7eff06a209cb9e82885e2145e64dd87f3211b6", "parents": [ "98911a7f4c3d0708018911b2b468785c06447771" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Tue Aug 21 15:11:38 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 20:02:15 2012 +0800" }, "message": "sbkeysync: keystore -\u003e fs_keystore\n\nTo make it clear that these are key files.\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "98911a7f4c3d0708018911b2b468785c06447771", "tree": "ed3059d858fe2bebbf84f1442ffa2aa7a69866da", "parents": [ "1a431a5a2d15bec05fdc8bb1b72349bd1005fbed" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Tue Aug 21 13:56:41 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 20:02:15 2012 +0800" }, "message": "sbkeysync: pass data buffer (instead of EFI_SIGNATURE_DATA) to key_id\n\nWe want to call key_id on file buffers too, which don\u0027t have the\nEFI_SIGNATURE_DATA encapsulation.\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "1a431a5a2d15bec05fdc8bb1b72349bd1005fbed", "tree": "3f10faae07d7b1d8d9b068f568d8053c12624b96", "parents": [ "add8d00f31dcb48bc40499eedc86fc4d5c040d84" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Tue Aug 21 12:10:25 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 20:02:15 2012 +0800" }, "message": "sbkeysync: add keystore_entry-\u003eroot\n\nHelps to show where the keys are loaded from.\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "add8d00f31dcb48bc40499eedc86fc4d5c040d84", "tree": "2d580044c5eefd30d3c3fe237c42fff3f626724b", "parents": [ "a151ffdb9d085122e0e9a18e44f79f8587478346" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Tue Aug 21 11:59:42 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 20:02:15 2012 +0800" }, "message": "sbkeysync: Add --keystore and --no-default-keystores options\n\nAdd a couple of options to configure the location we read keys from\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "a151ffdb9d085122e0e9a18e44f79f8587478346", "tree": "3729176ad760586e1db4093e2b8f6e4251e639cb", "parents": [ "d5ce9e3f366d7ff30d458a6625706220bcb589a1" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Tue Aug 21 11:32:29 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 20:02:15 2012 +0800" }, "message": "sbkeysync: Add --verbose option and conditionally print debug output\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "d5ce9e3f366d7ff30d458a6625706220bcb589a1", "tree": "651d158a084f153df24661f536e4ebad2b74faad", "parents": [ "2f82c545c2289371dc45eb7ffd0469770c1c2bc8" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Mon Aug 20 17:19:33 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 20:01:31 2012 +0800" }, "message": "sbkeysync: Add keystore parsing functions\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "2f82c545c2289371dc45eb7ffd0469770c1c2bc8", "tree": "c0f22ed77d1470cf0afda70e812ad105a7c8194f", "parents": [ "5757f278122f7a10dd9fedc3bf11f831ae271829" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Mon Aug 20 16:04:53 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 20:01:31 2012 +0800" }, "message": "sbkeysync: Add --efivars-dir option to specific different locations for var files\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "5757f278122f7a10dd9fedc3bf11f831ae271829", "tree": "2625af15062243b5cbd4fdf4bbbef964a05e58a2", "parents": [ "c03ca4f73faf9fdaa783a34ea785b334c8436361" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Mon Aug 20 15:51:47 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 20:01:30 2012 +0800" }, "message": "sbkeysync: Add X509 key parsing\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "c03ca4f73faf9fdaa783a34ea785b334c8436361", "tree": "7c4b36de555136066df8996838bf3b3946c95479", "parents": [ "72ec025d795e55a65a90fe666b0d1971efa5108e" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Mon Aug 20 15:51:04 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 20:01:30 2012 +0800" }, "message": "sbkeysync: Add key ID data to print_key_database()\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "72ec025d795e55a65a90fe666b0d1971efa5108e", "tree": "d45de48d1dcfbf8696ea1c6c39a123d925c10eb4", "parents": [ "f8024a6a3bbcab8e7b0f2f84cda41daff4a97eb3" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Mon Aug 20 14:47:50 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 20:00:52 2012 +0800" }, "message": "sbkeysync: read \u0026 print signature databases\n\nAdd some initial code to parse the EFI signature databases.\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "f8024a6a3bbcab8e7b0f2f84cda41daff4a97eb3", "tree": "63b21b931b3b69602d49bf80c5f7cfabc667cf36", "parents": [ "f9eed9cc42dee01ac16a4dd968607f0ac84667c6" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Mon Aug 20 14:47:02 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 20:00:15 2012 +0800" }, "message": "Move EFI_CERT types to efivars.h\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "f9eed9cc42dee01ac16a4dd968607f0ac84667c6", "tree": "7fca8bd71206bb01a9e6d1cca21e16bd3407386b", "parents": [ "07328d85c319ca83c16f26a2bbdb70ebc9cb3455" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 19:58:21 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Fri Aug 24 19:58:21 2012 +0800" }, "message": "fileio: Add fileio_read_file_noerror()\n\nWe may want to read files which can be absent. In this case, we don\u0027t\nwant to print an error.\n\nThis change adds fileio_read_file_noerror(), which suppresses error\noutput.\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "07328d85c319ca83c16f26a2bbdb70ebc9cb3455", "tree": "0ba703a2bb7ddd934abff6da27dbe5d3db61eb5f", "parents": [ "88625a586cf0e89284bdcdc89ee0152de0b81c8b" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Thu Aug 23 19:35:32 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Thu Aug 23 19:39:32 2012 +0800" }, "message": "sbvarsign: Start with a default set of variable attributes\n\nWe\u0027re almost always going to want the attributes set to\nNON_VOLATILE | BOOTSERVICE_ACCESS | RUNTIME_ACCES | APPEND_WRITE,\nand TIME_BASED_AUTHENTICATED_WRITE is required. So, provide this\nas the default if no --attrs argument is specified.\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "88625a586cf0e89284bdcdc89ee0152de0b81c8b", "tree": "922bcc9860bffa8fe2b08b390589c8d71aa41c37", "parents": [ "a7228c83072e6d819deeeca331da4942f2a6ad96" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Thu Aug 23 19:07:52 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Thu Aug 23 19:11:34 2012 +0800" }, "message": "efivars: Move EFI_VARIABLE_* attributes to efivars.h\n\nRather than making these private to sbvarsign, move the EFI_VARIABLE\nattribute defintions to efivars.h\n\nSince some of these are defined by gnu-efi, we need to protect the\ndefinitions with an #ifdef.\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "a7228c83072e6d819deeeca331da4942f2a6ad96", "tree": "fa42e395f91f54d7742d93fbbb09beaadbc11fef", "parents": [ "fd553e841af7661a4837a0dce4f580edb86e797f" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Wed Aug 22 18:15:00 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Wed Aug 22 18:16:49 2012 +0800" }, "message": "sbsiglist: fix signature size check\n\nRather than checking the size with the EFI_SIGNATURE_DATA header, just\ncheck the data len.\n\nAlso, fix the definition for the SHA256 size.\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "fd553e841af7661a4837a0dce4f580edb86e797f", "tree": "ef7f262509e3cd5b3cd91ac0d108b4b503ec521e", "parents": [ "feddcb4f4fc94a3bfd1858f1c5d37062fc9c1f3a" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Wed Aug 22 16:50:04 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Wed Aug 22 16:53:49 2012 +0800" }, "message": "sbvarsign: WIN_CERTIFICATE.dwLength should include the header size\n\nDespite what the Authenticode spec says (\"dwLength is set to the length\nof bCertificate\"), the MS var sign tool and EDK2 sources include the\nheader in the dwLength size.\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" }, { "commit": "feddcb4f4fc94a3bfd1858f1c5d37062fc9c1f3a", "tree": "887f5a10b123e621679a16c66f008e987aaaa7c2", "parents": [ "030d5ef321e7a4884a9f59580fed4d293267d495" ], "author": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Wed Aug 22 14:57:00 2012 +0800" }, "committer": { "name": "Jeremy Kerr", "email": "jeremy.kerr@canonical.com", "time": "Wed Aug 22 14:58:13 2012 +0800" }, "message": "sbvarsign: Fix invalid sizeof() for zeroing timestamp data\n\nSigned-off-by: Jeremy Kerr \u003cjeremy.kerr@canonical.com\u003e\n" } ], "next": "030d5ef321e7a4884a9f59580fed4d293267d495" }