Bug 2372885 - shim-16.1 is available
Summary: shim-16.1 is available
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: shim
Version: rawhide
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Peter Jones
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-06-15 09:30 UTC by Xose Vazquez Perez
Modified: 2025-11-04 20:16 UTC
CC List: 4 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2025-11-04 20:16:47 UTC
Type: ---
Embargoed:


Description Xose Vazquez Perez 2025-06-15 09:30:26 UTC
Upstream release that is considered latest: 16.0 (Mar 4 2025)
Current version/release in rawhide: 15.8 (Sep 25 2023)

16.0 Changelog:
- SBAT Level update for February 2026 GRUB CVEs
- README.tpm: Update MokList entry to MokListRT
- Make 'make fanalyzer' work again.
- simple_dir_filter(): test our 'next' pointer
- shim_load_image(): initialize the buffer fully
- mirror_mok_db(): Free our mok variable name correctly
- mirror_one_mok_variable(): fix a memory leak on TPM log error.
- mirror_mok_db(): get rid of an unused variable+allocation
- generate_sbat_var_defs: Ensure revlistentry->revocations is initialized.
- generate_sbat_var_defs: Fix memory leak on realloc failure and fd leak.
- generate_sbat_var_defs: run clang-format on readfile()
- SetSecureVariable(): free Cert on failure
- make-archive: some minor housekeeping
- makefiles: Make GITTAG swizzle tildes to dashes
- fallback: don't add new boot order entries backwards
- Disable log saving for now.
- Some save_logs() improvements.
- reject message with different values in multiple Content-Length header field
- README.tpm: reflect that vendor_db is in fact logged as "vendor_db"
- peimage: add a bunch of comments to read_header()
- peimage.h: minor whitespace fixes
- Add shim's current NX_COMPAT status to HSIStatus
- pe: read_header(): allow skipping SecDir content validation
- HSI: Add decode_hsi_bits() for easier reading of the debug log
- hexdump: give a different debug log for size==0
- Add DXE Services information to HSI
- Add support for DXE memory attribute updates.
- gnu-efi: add some DXE services.
- Mirror some more efi variables to mok-variables
- Move mok state variable data flag definitions to the header.
- test-mock-variables: improve some debug prints
- mock-variables: fix debugging printf format specifier oopsie
- shim: add HSIStatus feature
- Move memory attribute support to its own file.
- Make test-mok-error failures *slightly* more clear.
- mok variables: add a format callback
- mok: add MOK_VARIABLE_CONFIG_ONLY
- get_mem_attrs(): ensure an error code is set on failure
- Silence minor nit in load-options parsing debug output
- Save the debug and error logs in mok-variables
- Move error logging decls out of shim.h
- compiler.h: minor ALIGN_... fixes
- regression: out of bounds read in CopyMem() in ad8692e
- post-process-pe: add tests to validate NX compliance
- Document how revocations can be delivered
- netboot can try to load shim_certificate_[0..9].efi
- Allow independent SkuSi and SBAT revocation updates
- netboot: process revocations.efi as revocations not shim_certificate
- Suppress file open failures for some netboot cases
- loader-proto: Respect optional DevicePath parameter to load_image()
- Don't print full screen error dialog from handle_image() when called in_protocol
- loader-proto: Mark load_image()'s handle_image() call as "in_protocol"
- loader-proto: Add support for loading files from disk to LoadImage()
- Add EFI_LOAD_FILE2_PROTOCOL to gnu-efi
- Implement the rest of the loader protocol functions
- Move some stuff around
- Implement shim image load protocol
- Add configuration option to boot an alternative 2nd stage
- Create utils file
- Add docs for ENABLE_CODESIGN_EKU
- Optionally enabling codesign EKU check in compiling time.
- Implement the CodeSign EKU check to fulfill the requirements of NIAP OS_PP.
- SbatLevel_Variable.txt: clarify where and how revocation data is tracked
- Generate and use generated_sbat_var_defs.h
- Add generate_sbat_var_defs utility program
- Update SbatLevel_Variable.txt with peimage CVE-2024-2312 revocation
- Load concatenated EFI_SIGNATURE_LISTs from shim_certificate.efi
- Fix leak in error path
- pe: Enhance debug report for update_mem_attrs
- test.mk: don't use a temporary random.bin
- Fall back to default loader when encountering errors on network boot
- Ignore a minor clang-tidy nit
- simple_file: Use second variable to create filesystem entries
- simple_file: Allow to form a volume name from DevicePath
- lib/simple_file.c: Allocate zeroed pool for SimpleFS entries
- test-mok-mirror: minor bug fix
- test-mok-mirror: add a test case where MokListRT won't fit.
- test-mok-mirror: refactor the validation of test_mok_mirror_0
- tests: make it possible to use different limits for variable space
- Make mock_set_variable() correctly account for resource usage.
- MokManager: remove redundant logical constraints
- tpm: Boot with a warning if the event log is full
- Provide better error message when MokManager is not found
- Move is_removable_media_path() to a shared location.
- Fix bad reference to PathName in image loading
- Improve shortcut performance when comparing two boolean expressions
- avoid EFIv2 runtime services on Apple x86 machines
- Increase EFI file alignment
- Update gnu-efi submodule for EFI_HTTP_ERROR
- httpboot: Convert HTTP status codes to EFI status codes
- netboot: Convert TFTP error codes to EFI status codes
- Backport EFI_HTTP_ERROR status code
- shim: Allow data after the end of device path node in load options
- Fix the issue that the gBS->LoadImage pointer was empty.
- Discard load-options that start with WINDOWS
- Add building compile_commands.json to CI
- Suppress some warnings even harder in Cryptlib and OpenSSL.
- Makefile: don't warn about clang when building compile_commands.json
- includes: work around CLANG_PREREQ() double-definition
- Force gcc to produce DWARF4 so that gdb can use it
- Update fedora CI targets
- CI: work around ownership issue on github
- CI: use checkout@v4
- Fix "Verifiying" typo in error message
- Null-terminate 'arguments' in fallback
- Drop unused EFI_IMAGE_SECURITY_DATABASE_GUID definition
- export DEFINES for sub makefile
- Update MokVars.txt
 - Update documented mirrored variable attributes from RT to BS,RT
 - Add missing MokSBStateRT
 - Clarify that MokIgnoreDB is a mirror of MokDBState
 - Add missing attributes for MokPWStore
- make-certs: Handle missing OpenSSL installation
- Update Code of Conduct contact address
- Realize the suggestions as part of PR #672
- Fix SBAT.md for today's consensus about numbers
- shim: don't set second_stage to the empty string
- undo change that limits certificate files to a single file
- sbat: Also bump latest for grub,4 (and to today's date)
- sbat: Add grub.peimage,2 to latest (CVE-2024-2312)
- Validate that a supplied vendor cert is not in PEM format

Comment 1 Marta Lewandowska 2025-06-17 10:39:57 UTC
Hi,
We are going to release a new version of shim soon. Not long after shim 16.0 was released, some problems were found around sd-stub and loading UKIs. Right now there is at least one issue still open that needs to be resolved.
shim 16.1 should be ready soon, and it will make its way into Fedora once it has been signed.

thanks!

Comment 2 Xose Vazquez Perez 2025-08-14 08:11:57 UTC
Upstream release that is considered latest: 16.1 (Aug 13 2025)
Current version/release in rawhide: 15.8 (Sep 25 2023)

16.1 Changelog:
- mkosi: disable repository key check on Fedora
- gitignore: add more mkosi dirs and vscode dir
- loader-protocol: Fix memory leaks
- loader-protocol: Handle UnloadImage after StartImage properly
- fix http boot
- ci: update mkosi commit
- mkosi: remove spurious slashes from script
- doc: add howto for running mkosi locally
- _do_sha256_sum(): Fix missing error check.
- format_variable_info(): fix wrong size test.
- add SbatLevel entry 2025051000 for PSA-2025-00012-1
- Fixes for 'make TOPDIR=... clean'
- build: Avoid passing *FLAGS to sub-make
- Add a "VariableInfo" variable to mok-variables.
- get_max_var_sz(): add more debugging for apple platforms
- Update to the shim-16.1 branch of gnu-efi to get AsciiSPrint()
- This is an organizational patch to move some things around in mok.c
- shim: change automatically enable MOK_POLICY_REQUIRE_NX
- mkosi workflow: fix the branch name for main.
- ci: add mkosi configuration and CI
- README: mention new loader protocol and interaction with UKIs
- Generate Authenticode for the entire PE file
- loader-protocol: NULL output variable in load_image on failure
- loader-protocol: add workaround for EDK2 2025.02 page fault on FreePages
- loader-protocol: handle sub-section loading for UKIs
- Cache sections of a loaded image and sub-images from them.
- handle_image(): make verification conditional
- Move a bunch of stuff from shim.c to verify.c
- Prepare to move things from shim.c to verify.c
- Loader Proto: make freeing of bprop.buffer conditional.
- IPv6: Add more check to avoid multiple double colon and illegal char
- Realloc() needs one more byte for sprintf()
- SbatLevel_Variable.txt: minor typo fix.
- Update CI to use ubuntu-24.04 instead of ubuntu-20.04
- mock-variables: remove unused variable
- test-mock-variables: make our filter list entries safer.
- str2ip6(): parsing of "uncompressed" ipv6 addresses
- shim_start_image(): fix guid/handle pairing when uninstalling protocols

Comment 3 Xose Vazquez Perez 2025-10-30 23:11:54 UTC
Manually updating to shim-x64-16.1-4.x86_64.rpm in f43, I get the following error:
>>> Scriptlet output:
>>> cp: cannot create hard link '/boot/efi/EFI/fedora/./shimx64.efi' to '/boot/efi/EFI/fedora/./shim.efi': Operation not permitted

I guess it's because /boot/efi/ is vfat, and hard links are unsupported on it.

Thanks.
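The failure above comes from a scriptlet that tries to create shim.efi as a hard link, which vfat (the usual EFI System Partition filesystem) cannot do. The following is an added example, not the shim package's own scriptlet, of an install step that attempts the link and falls back to a plain copy when the filesystem refuses it, then verifies the two files are identical. All paths are placeholders; the demo uses a scratch directory standing in for /boot/efi/EFI/fedora.

```shell
#!/bin/sh
# Added example: create a "shim.efi" alias for "shimx64.efi" on an ESP.
# vfat has no hard links, so `ln` fails with "Operation not permitted" there;
# fall back to a byte-for-byte copy instead. Paths are placeholders, not taken
# from the shim package.
set -u

# Report the filesystem type holding "$1" (GNU stat; informational only,
# the link/copy decision is made by actually trying ln).
fs_type_of() {
    stat -f -c %T "$(dirname "$1")" 2>/dev/null || echo unknown
}

# Create $2 as a hard link to $1, or as a copy when linking is refused.
# Prints "link" or "copy" so the caller can tell which path was taken.
link_or_copy() {
    src=$1; dst=$2
    [ -f "$src" ] || { echo "missing source: $src" >&2; return 1; }
    rm -f -- "$dst"
    if ln -- "$src" "$dst" 2>/dev/null; then
        echo link
    else
        # vfat (EPERM) and cross-device (EXDEV) targets land here.
        # Plain cp, not cp -p: preserving mode/ownership also fails on vfat
        # and would turn a successful copy into a non-zero exit.
        cp -- "$src" "$dst" || return 1
        echo copy
    fi
}

# Verify the alias matches the original by content (cmp), not by link count
# or mtime: on vfat the link count is always 1 and mtime resolution is 2 s.
same_content() {
    cmp -s -- "$1" "$2"
}

# Demo on a constructed scratch directory standing in for the ESP.
demo_esp=$(mktemp -d)
printf 'fake shim payload\n' > "$demo_esp/shimx64.efi"
how=$(link_or_copy "$demo_esp/shimx64.efi" "$demo_esp/shim.efi")
echo "shim.efi created via $how on $(fs_type_of "$demo_esp/shim.efi")"
same_content "$demo_esp/shimx64.efi" "$demo_esp/shim.efi" && echo "content verified"
rm -rf -- "$demo_esp"
```

On a real ESP the function prints "copy"; on ext4 or xfs it prints "link". Either way the cmp check is what confirms the boot loader alias is the same binary that was signed, which matters more than how the second name was created.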

Comment 4 Xose Vazquez Perez 2025-11-04 20:16:47 UTC
(In reply to Xose Vazquez Perez from comment #3)

> Manually updating to shim-x64-16.1-4.x86_64.rpm in f43, I get the following
> error:
> >>> Scriptlet output:
> >>> cp: cannot create hard link '/boot/efi/EFI/fedora/./shimx64.efi' to '/boot/efi/EFI/fedora/./shim.efi': Operation not permitted
> 
> I guess it's because /boot/efi/ is vfat, and hard links are unsupported on
> it.
> 
> Thanks.

It was fixed with shim-x64-16.1-5.x86_64.rpm:
https://koji.fedoraproject.org/koji/buildinfo?buildID=2854807

Thank you.