lp://staging/shim

Created by Mathieu Trudel-Lapierre and last modified
Get this branch:
bzr branch lp://staging/shim

Branch information

Owner:
Mathieu Trudel-Lapierre
Project:
shim
Status:
Development

Import details

Import Status: Suspended

This branch is an import of the HEAD branch of the Git repository at https://github.com/rhinstaller/shim.git.

Last successful import was .

Recent revisions

630. By Peter Jones

Undo part of our old openssl version rollback.

When OpenSSL 1.1.0e didn't work so well, we added a macro for abort() to
pacify the build. Now that we've got 1.1.0e in again, that macro
messes up building SysCall/CrtWrapper.c. This patch gets rid of the
macro.

Signed-off-by: Peter Jones <email address hidden>

629. By Peter Jones

Add fallback boot loop detection to TODO

Signed-off-by: Peter Jones <email address hidden>

628. By Gary Lin <email address hidden>

shim: Show the warning for the CA check result

After verifying the image, a warning will show if the less strict CA
check is used.

Signed-off-by: Gary Lin <email address hidden>

627. By Gary Lin <email address hidden>

Cryptlib: Amend update.sh for the CA check workaround

Also add the workaround patch so we won't lose it for the future update.

Signed-off-by: Gary Lin <email address hidden>

626. By Gary Lin <email address hidden>

Cryptlib: Apply the less strict CA check

Since openssl < 1.1.0 didn't check the x509 v3 extension strictly, a CA
certificate without the CA flag in the basic constraints or KeyCertSign
in the key usage was still loaded to verify EFI images.

We relax the check for now. In the future, the workaround should be
removed.

Signed-off-by: Gary Lin <email address hidden>

625. By Gary Lin <email address hidden>

Cryptlib: replace CryptPem with the Null version

CryptPem only provides one function: RsaGetPrivateKeyFromPem(). Since we
don't need to retrieve any private key, it's safe to disable the
function.

Signed-off-by: Gary Lin <email address hidden>

624. By Gary Lin <email address hidden>

MokManager: Update to new openssl API

X509_get_notBefore -> X509_getm_notBefore
X509_get_notAfter -> X509_getm_notAfter

Signed-off-by: Gary Lin <email address hidden>

623. By Gary Lin <email address hidden>

shim: Update shim.c for the changes from openssl 1.1.0e

- Remove the obsolete OBJ_cleanup()

- Update ossl_malloc() and ossl_free() due to the change of definition
  of CRYPTO_set_mem_functions()

- Include stdarg.h earlier to avoid redefining VA_LIST

Signed-off-by: Gary Lin <email address hidden>

622. By Gary Lin <email address hidden>

Cryptlib/OpenSSL: update to openssl 1.1.0e

- Delete the old openssl files and use the script to copy the new files

- Add "-DNO_SYSLOG" to CFLAGS and add crypto/include to the include path

Signed-off-by: Gary Lin <email address hidden>

621. By Gary Lin <email address hidden>

Cryptlib/OpenSSL: Update the script to copy the new openssl files

- Update update.sh to copy the openssl 1.1.0 source files

- Refresh the supplemental patch to reflect the change

- Add a patch for pk7_smime.c (*)

* aaf8049c3995dd2c0c42087a601c262545f36b9c
  Fix a missing OpenSSL error message point

Signed-off-by: Gary Lin <email address hidden>

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)