shim-16.0

What's Changed
* Validate that a supplied vendor cert is not in PEM format by @steve-mcintyre in rhboot#646
* sbat: Add grub.peimage,2 to latest (CVE-2024-2312) by @julian-klode in rhboot#651
* sbat: Also bump latest for grub,4 (and to todays date) by @julian-klode in rhboot#653
* undo change that limits certificate files to a single file by @jsetje in rhboot#659
* shim: don't set second_stage to the empty string by @jjd27 in rhboot#640
* Fix SBAT.md for today's consensus about numbers by @aronowski in rhboot#672
* Update Code of Conduct contact address by @aronowski in rhboot#683
* make-certs: Handle missing OpenSSL installation by @aronowski in rhboot#595
* Update MokVars.txt by @mikebeaton in rhboot#598
* export DEFINES for sub makefile by @bryteise in rhboot#600
* Drop unused EFI_IMAGE_SECURITY_DATABASE_GUID definition by @vittyvk in rhboot#609
* Null-terminate 'arguments' in fallback by @vittyvk in rhboot#611
* Fix "Verifiying" typo in error message by @chrisbainbridge in rhboot#706
* Update Fedora CI targets by @vathpela in rhboot#708
* Force gcc to produce DWARF4 so that gdb can use it by @mikebeaton in rhboot#607
* Minor housekeeping 2024121700 by @vathpela in rhboot#709
* Discard load-options that start with WINDOWS by @Metabolix in rhboot#621
* Fix the issue that the gBS->LoadImage pointer was empty. by @15058718379 in rhboot#703
* shim: Allow data after the end of device path node in load options by @dbnicholson in rhboot#694
* Handle network file not found like disks by @dbnicholson in rhboot#695
* Update gnu-efi submodule for EFI_HTTP_ERROR by @vathpela in rhboot#674
* Increase EFI file alignment by @lumag in rhboot#673
* avoid EFIv2 runtime services on Apple x86 machines by @eduardacatrinei in rhboot#690
* Improve shortcut performance when comparing two boolean expressions by @dennis-tseng99 in rhboot#667
* Provide better error message when MokManager is not found by @rmetrich in rhboot#663
* tpm: Boot with a warning if the event log is full by @kukrimate in rhboot#657
* MokManager: remove redundant logical constraints by @xypron in rhboot#409
* Test import_mok_state() when MokListRT would be bigger than available size by @vathpela in rhboot#417
* test-mok-mirror: minor bug fix by @vathpela in rhboot#715
* Fix file system browser hang when enrolling MOK from disk by @miczyg1 in rhboot#622
* Ignore a minor clang-tidy nit by @vathpela in rhboot#716
* Allow fallback to default loader when encountering errors on network boot by @nathan-omeara in rhboot#666
* test.mk: don't use a temporary random.bin by @vathpela in rhboot#718
* pe: Enhance debug report for update_mem_attrs by @jongwu in rhboot#594
* Multiple certificate handling improvements by @rosslagerwall in rhboot#644
* Generate SbatLevel Metadata from SbatLevel_Variable.txt by @jsetje in rhboot#711
* Apply EKU check with compile option by @dennis-tseng99 in rhboot#664
* Add configuration option to boot an alternative 2nd stage by @esnowberg in rhboot#608
* Loader protocol (with Device Path resolution support) by @kukrimate in rhboot#656
* netboot cleanup for additional files by @jsetje in rhboot#686
* Document how revocations can be delivered by @jsetje in rhboot#722
* post-process-pe: add tests to validate NX compliance by @vathpela in rhboot#705
* regression: CopyMem() in ad8692e copies out of bounds by @jsetje in rhboot#725
* Save the debug and error logs in mok-variables by @vathpela in rhboot#726
* Add features for the Host Security ID program by @vathpela in rhboot#660
* Mirror some more efi variables to mok-variables by @vathpela in rhboot#723
* This adds DXE Services measurements to HSI and uses them for NX by @vathpela in rhboot#724
* Add shim's current NX_COMPAT status to HSIStatus by @vathpela in rhboot#727
* README.tpm: reflect that vendor_db is in fact logged as "vendor_db" by @jsetje in rhboot#728
* Reject HTTP message with duplicate Content-Length header fields by @dennis-tseng99 in rhboot#637
* Disable log saving by @vathpela in rhboot#729
* fallback: don't add new boot order entries backwards by @vathpela in rhboot#730
* Misc fixes... by @vathpela in rhboot#735
* README.tpm: Update MokList entry to MokListRT by @trungams in rhboot#732
* SBAT Level update for February 2025 GRUB CVEs by @jsetje in rhboot#736

New Contributors
* @jjd27 made their first contribution in rhboot#640
* @mikebeaton made their first contribution in rhboot#598
* @bryteise made their first contribution in rhboot#600
* @vittyvk made their first contribution in rhboot#609
* @chrisbainbridge made their first contribution in rhboot#706
* @Metabolix made their first contribution in rhboot#621
* @15058718379 made their first contribution in rhboot#703
* @dbnicholson made their first contribution in rhboot#694
* @lumag made their first contribution in rhboot#673
* @eduardacatrinei made their first contribution in rhboot#690
* @kukrimate made their first contribution in rhboot#657
* @miczyg1 made their first contribution in rhboot#622
* @nathan-omeara made their first contribution in rhboot#666
* @jongwu made their first contribution in rhboot#594
* @rosslagerwall made their first contribution in rhboot#644
* @trungams made their first contribution in rhboot#732

**Full Changelog**: rhboot/shim@15.8...16.0

shim-16.0~rc1

* Validate that a supplied vendor cert is not in PEM format by @steve-mcintyre in rhboot#646
* sbat: Add grub.peimage,2 to latest (CVE-2024-2312) by @julian-klode in rhboot#651
* sbat: Also bump latest for grub,4 (and to todays date) by @julian-klode in rhboot#653
* undo change that limits certificate files to a single file by @jsetje in rhboot#659
* shim: don't set second_stage to the empty string by @jjd27 in rhboot#640
* Fix SBAT.md for today's consensus about numbers by @aronowski in rhboot#672
* Update Code of Conduct contact address by @aronowski in rhboot#683
* make-certs: Handle missing OpenSSL installation by @aronowski in rhboot#595
* Update MokVars.txt by @mikebeaton in rhboot#598
* export DEFINES for sub makefile by @bryteise in rhboot#600
* Drop unused EFI_IMAGE_SECURITY_DATABASE_GUID definition by @vittyvk in rhboot#609
* Null-terminate 'arguments' in fallback by @vittyvk in rhboot#611
* Fix "Verifiying" typo in error message by @chrisbainbridge in rhboot#706
* Update Fedora CI targets by @vathpela in rhboot#708
* Force gcc to produce DWARF4 so that gdb can use it by @mikebeaton in rhboot#607
* Minor housekeeping 2024121700 by @vathpela in rhboot#709
* Discard load-options that start with WINDOWS by @Metabolix in rhboot#621
* Fix the issue that the gBS->LoadImage pointer was empty. by @15058718379 in rhboot#703
* shim: Allow data after the end of device path node in load options by @dbnicholson in rhboot#694
* Handle network file not found like disks by @dbnicholson in rhboot#695
* Update gnu-efi submodule for EFI_HTTP_ERROR by @vathpela in rhboot#674
* Increase EFI file alignment by @lumag in rhboot#673
* avoid EFIv2 runtime services on Apple x86 machines by @eduardacatrinei in rhboot#690
* Improve shortcut performance when comparing two boolean expressions by @dennis-tseng99 in rhboot#667
* Provide better error message when MokManager is not found by @rmetrich in rhboot#663
* tpm: Boot with a warning if the event log is full by @kukrimate in rhboot#657
* MokManager: remove redundant logical constraints by @xypron in rhboot#409
* Test import_mok_state() when MokListRT would be bigger than available size by @vathpela in rhboot#417
* test-mok-mirror: minor bug fix by @vathpela in rhboot#715
* Fix file system browser hang when enrolling MOK from disk by @miczyg1 in rhboot#622
* Ignore a minor clang-tidy nit by @vathpela in rhboot#716
* Allow fallback to default loader when encountering errors on network boot by @nathan-omeara in rhboot#666
* test.mk: don't use a temporary random.bin by @vathpela in rhboot#718
* pe: Enhance debug report for update_mem_attrs by @jongwu in rhboot#594
* Multiple certificate handling improvements by @rosslagerwall in rhboot#644
* Generate SbatLevel Metadata from SbatLevel_Variable.txt by @jsetje in rhboot#711
* Apply EKU check with compile option by @dennis-tseng99 in rhboot#664
* Add configuration option to boot an alternative 2nd stage by @esnowberg in rhboot#608
* Loader protocol (with Device Path resolution support) by @kukrimate in rhboot#656
* netboot cleanup for additional files by @jsetje in rhboot#686
* Document how revocations can be delivered by @jsetje in rhboot#722
* post-process-pe: add tests to validate NX compliance by @vathpela in rhboot#705
* regression: CopyMem() in ad8692e copies out of bounds by @jsetje in rhboot#725
* Save the debug and error logs in mok-variables by @vathpela in rhboot#726
* Add features for the Host Security ID program by @vathpela in rhboot#660
* Mirror some more efi variables to mok-variables by @vathpela in rhboot#723
* This adds DXE Services measurements to HSI and uses them for NX by @vathpela in rhboot#724
* Add shim's current NX_COMPAT status to HSIStatus by @vathpela in rhboot#727
* README.tpm: reflect that vendor_db is in fact logged as "vendor_db" by @jsetje in rhboot#728
* Reject HTTP message with duplicate Content-Length header fields by @dennis-tseng99 in rhboot#637
* Disable log saving by @vathpela in rhboot#729
* fallback: don't add new boot order entries backwards by @vathpela in rhboot#730

* @jjd27 made their first contribution in rhboot#640
* @mikebeaton made their first contribution in rhboot#598
* @bryteise made their first contribution in rhboot#600
* @vittyvk made their first contribution in rhboot#609
* @chrisbainbridge made their first contribution in rhboot#706
* @Metabolix made their first contribution in rhboot#621
* @15058718379 made their first contribution in rhboot#703
* @dbnicholson made their first contribution in rhboot#694
* @lumag made their first contribution in rhboot#673
* @eduardacatrinei made their first contribution in rhboot#690
* @kukrimate made their first contribution in rhboot#657
* @miczyg1 made their first contribution in rhboot#622
* @nathan-omeara made their first contribution in rhboot#666
* @jongwu made their first contribution in rhboot#594
* @rosslagerwall made their first contribution in rhboot#644

**Full Changelog**: rhboot/shim@15.8...16.0-rc1

shim 15.8:

What's changed
* Various CVE fixes:
CVE-2023-40546 mok: fix LogError() invocation
CVE-2023-40547 - avoid incorrectly trusting HTTP headers
CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
* Add make infrastructure to set the NX_COMPAT flag by @vathpela in rhboot#530
* Make sbat_var.S parse right with buggy gcc/binutils by @vathpela in rhboot#535
* Drop invalid calls to CRYPTO_set_mem_functions by @nicholasbishop in rhboot#537
* pe: Align section size up to page size for mem attrs by @nicholasbishop in rhboot#539
* test-sbat: Fix exit code by @vathpela in rhboot#540
* pe: Add IS_PAGE_ALIGNED macro by @nicholasbishop in rhboot#541
* CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper by @nicholasbishop in rhboot#546
* Don't loop forever in load_certs() with buggy firmware by @rmetrich in rhboot#547
* Block Debian grub binaries with SBAT < 4 by @steve-mcintyre in rhboot#550
* Shim unable to locate grubx64 in PXE boot mode when grubx64 is stored in a different file path by @Alberto-Perez-Guevara in rhboot#551
* Further improve load_certs() for non-compliant drivers/firmwares by @pbatard in rhboot#560
* pe: only process RelocDir->Size of reloc section by @mikebeaton in rhboot#562
* Rename 'msecs' to 'usecs' to avoid potential confusion by @aronowski in rhboot#563
* Optionally allow to keep shim protocol installed by @bluca in rhboot#565
* SBAT-related documents formatting and spelling by @aronowski in rhboot#566
* Add SbatLevel_Variable.txt to document the various revocations by @jsetje in rhboot#569
* Add a security contact email address in README.md by @vathpela in rhboot#572
* Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL by @vathpela in rhboot#576
* mok: fix LogError() invocation by @vathpela in rhboot#577
* Minor housekeeping by @vathpela in rhboot#578
* Test ImageAddress() by @vathpela in rhboot#579
* FreePages() is used to return memory allocated by AllocatePages() by @dennis-tseng99 in rhboot#580
* Size should minus 1 when calculating 'RelocBaseEnd' by @jsetje in rhboot#581
* Verify signature before verifying sbat levels by @jsetje in rhboot#583
* Add libFuzzer support for csv.c and sbat.c by @vathpela in rhboot#584
* mok: Avoid underflow in maximum variable size calculation by @alpernebbi in rhboot#587
* Housekeeping by @vathpela in rhboot#605

Signed-off-by: Peter Jones <pjones@redhat.com>

shim 15.8:

What's changed
* Various CVE fixes:
CVE-2023-40546 mok: fix LogError() invocation
CVE-2023-40547 - avoid incorrectly trusting HTTP headers
CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
* Add make infrastructure to set the NX_COMPAT flag by @vathpela in rhboot#530
* Make sbat_var.S parse right with buggy gcc/binutils by @vathpela in rhboot#535
* Drop invalid calls to CRYPTO_set_mem_functions by @nicholasbishop in rhboot#537
* pe: Align section size up to page size for mem attrs by @nicholasbishop in rhboot#539
* test-sbat: Fix exit code by @vathpela in rhboot#540
* pe: Add IS_PAGE_ALIGNED macro by @nicholasbishop in rhboot#541
* CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper by @nicholasbishop in rhboot#546
* Don't loop forever in load_certs() with buggy firmware by @rmetrich in rhboot#547
* Block Debian grub binaries with SBAT < 4 by @steve-mcintyre in rhboot#550
* Shim unable to locate grubx64 in PXE boot mode when grubx64 is stored in a different file path by @Alberto-Perez-Guevara in rhboot#551
* Further improve load_certs() for non-compliant drivers/firmwares by @pbatard in rhboot#560
* pe: only process RelocDir->Size of reloc section by @mikebeaton in rhboot#562
* Rename 'msecs' to 'usecs' to avoid potential confusion by @aronowski in rhboot#563
* Optionally allow to keep shim protocol installed by @bluca in rhboot#565
* SBAT-related documents formatting and spelling by @aronowski in rhboot#566
* Add SbatLevel_Variable.txt to document the various revocations by @jsetje in rhboot#569
* Add a security contact email address in README.md by @vathpela in rhboot#572
* Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL by @vathpela in rhboot#576
* mok: fix LogError() invocation by @vathpela in rhboot#577
* Minor housekeeping by @vathpela in rhboot#578
* Test ImageAddress() by @vathpela in rhboot#579
* FreePages() is used to return memory allocated by AllocatePages() by @dennis-tseng99 in rhboot#580
* Size should minus 1 when calculating 'RelocBaseEnd' by @jsetje in rhboot#581
* Verify signature before verifying sbat levels by @jsetje in rhboot#583
* Add libFuzzer support for csv.c and sbat.c by @vathpela in rhboot#584
* mok: Avoid underflow in maximum variable size calculation by @alpernebbi in rhboot#587
* Housekeeping by @vathpela in rhboot#605

Signed-off-by: Peter Jones <pjones@redhat.com>

shim-15.8-rc1

Alberto Perez (1):
      Work around malformed path delimiters in file paths from DHCP

Alper Nebi Yasak (1):
      mok: Avoid underflow in maximum variable size calculation

Dennis Tseng (2):
      Work around ImageAddress() usage mistake
      Correctly free memory allocated in handle_image()

Jan Setje-Eilers (7):
      Add SbatLevel_Variable.txt to document the various revocations
      Verify signature before verifying sbat levels
      Allow SbatLevel data from external binary
      Always clear SbatLevel when Secure Boot is disabled
      BS Variables for bootmgr revocations
      shim should not self revoke
      Print message when refusing to apply SbatLevel

Kamil Aronowski (4):
      SBAT-related documents formatting and spelling
      Skip testing msleep()
      Rename 'msecs' to 'usecs' to avoid potential confusion
      Change type of fallback_verbose_wait from int to unsigned long

Long Qin (1):
      CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper

Luca Boccassi (1):
      Optionally allow to keep shim protocol installed

Mike Beaton (1):
      pe: only process RelocDir->Size of reloc section

Nicholas Bishop (4):
      pe: Align section size up to page size for mem attrs
      pe: Add IS_PAGE_ALIGNED macro
      Drop invalid calls to `CRYPTO_set_mem_functions`
      test-sbat: Fix exit code

Pete Batard (1):
      Further improve load_certs() for non-compliant drivers/firmwares

Peter Jones (28):
      Make sbat_var.S parse right with buggy gcc/binutils
      Enable the NX compatibility flag by default.
      Add a security contact email address in README.md
      Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL
      Add a make rule for compile_commands.json
      Add gnu-stack notes
      test: Make our fake dprintf be a statement.
      Remove CentOS 7 test builds.
      Split pe.c up even more.
      Test (and fix) ImageAddress()
      Add libFuzzer support for csv.c
      Fix a 1-byte memory leak in .sbat parsing.
      Add libFuzzer support to the .sbat parser.
      Make some of the static analysis tools a little easier to run
      compile_commands.json: remove stuff clang doesn't like
      CVE-2023-40546 mok: fix LogError() invocation
      Add primitives for overflow-checked arithmetic operations.
      pe-relocate: Add a fuzzer for read_header()
      CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
      pe-relocate: make read_header() use checked arithmetic operations.
      CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
      pe-relocate: Ensure nothing else implements CVE-2023-40550
      CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
      CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
      Further mitigations against CVE-2023-40546 as a class
      sbat revocations: check the full section name
      CVE-2023-40547 - avoid incorrectly trusting HTTP headers
      Print errors when setting/clearing memory attrs

Renaud Métrich (1):
      Don't loop forever in load_certs() with buggy firmware

Steve McIntyre (1):
      Block Debian grub binaries with SBAT < 4

shim 15.7

What's Changed
* Make SBAT variable payload introspectable by @chrisccoulson in rhboot#483
* Reference MokListRT instead of MokList by @esnowberg in rhboot#488
* Add a link to the test plan in the readme. by @vathpela in rhboot#494
* [V3] Enable TDX measurement to RTMR register by @kenplusplus in rhboot#485
* Discard load-options that start with a NUL by @frozencemetery in rhboot#505
* load_cert_file bugs by @esnowberg in rhboot#523
* Add -malign-double to IA32 compiler flags by @nicholasbishop in rhboot#516
* pe: Fix image section entry-point validation by @iokomin in rhboot#518
* make-archive: Build reproducible tarball by @julian-klode in rhboot#527
* mok: remove MokListTrusted from PCR 7 by @baloo in rhboot#519
* Shim 15.7 version update by @vathpela in rhboot#528

New Contributors
* @kenplusplus made their first contribution in rhboot#485
* @iokomin made their first contribution in rhboot#518
* @baloo made their first contribution in rhboot#519

**Full Changelog**: rhboot/shim@15.6...15.7

shim-15.6

- What's Changed
* MokManager: removed Locate graphic output protocol fail error message by @joeyli in rhboot#441
* shim: implement SBAT verification for the shim_lock protocol by @chrisccoulson in rhboot#456
* post-process-pe: Fix a missing return code check by @vathpela in rhboot#462
* Update github actions matrix to be more useful by @frozencemetery in rhboot#469
* Add f36 and centos9 CI builds by @vathpela in rhboot#470
* post-process-pe: Fix format string warnings on 32-bit platforms by @steve-mcintyre in rhboot#464
* tests: also look for system headers in multi-arch directories by @steve-mcintyre in rhboot#466
* tests: fix gcc warnings by @akodanev in rhboot#463
* Allow MokListTrusted to be enabled by default by @esnowberg in rhboot#455
* Add code of conduct by @frozencemetery in rhboot#427
* Re-add ARM AArch64 support by @vathpela in rhboot#468
* Use ASCII as fallback if Unicode Box Drawing characters fail by @vathpela in rhboot#428
* make: don't treat cert.S specially by @vathpela in rhboot#475
* shim: use SHIM_DEVEL_VERBOSE when built in devel mode by @vathpela in rhboot#474
* Break out of the inner sbat loop if we find the entry. by @vathpela in rhboot#476
* Support loading additional certificates by @esnowberg in rhboot#446
* Add support for NX (W^X) mitigations. by @vathpela in rhboot#459
* Misc fixups from scan-build. by @vathpela in rhboot#477
* Fix preserve_sbat_uefi_variable() logic by @jsetje in rhboot#478
* SBAT Policy latest should be a one-shot by @jsetje in rhboot#481
* pe: Fix a buffer overflow when SizeOfRawData > VirtualSize by @chriscoulson
* pe: Perform image verification earlier when loading grub by @chriscoulson
* Update advertised sbat generation number for shim by @jsetje
* Update SBAT generation requirements for 05/24/22 by @jsetje
* Also avoid CVE-2022-28737 in verify_image() by @vathpela

- New Contributors
* @joeyli made their first contribution in rhboot#441
* @akodanev made their first contribution in rhboot#463
* @esnowberg made their first contribution in rhboot#455

- Full Changelog**: rhboot/shim@15.5...15.6

shim-15.6~rc2

- What's Changed
* SBAT Policy latest should be a one-shot by @jsetje in rhboot#481
* pe: Fix a buffer overflow when SizeOfRawData > VirtualSize by @chriscoulson
* pe: Perform image verification earlier when loading grub by @chriscoulson
* Update advertised sbat generation number for shim by @jsetje
* Update SBAT generation requirements for 05/24/22 by @jsetje
* Also avoid CVE-2022-28737 in verify_image() by @vathpela

- Full Changelog**: https://github.com/rhboot/shim/compare/15.6-rc1..15.6-rc2

shim-15.6~rc1

- What's Changed
* MokManager: removed Locate graphic output protocol fail error message by @joeyli in rhboot#441
* shim: implement SBAT verification for the shim_lock protocol by @chrisccoulson in rhboot#456
* post-process-pe: Fix a missing return code check by @vathpela in rhboot#462
* Update github actions matrix to be more useful by @frozencemetery in rhboot#469
* Add f36 and centos9 CI builds by @vathpela in rhboot#470
* post-process-pe: Fix format string warnings on 32-bit platforms by @steve-mcintyre in rhboot#464
* tests: also look for system headers in multi-arch directories by @steve-mcintyre in rhboot#466
* tests: fix gcc warnings by @akodanev in rhboot#463
* Allow MokListTrusted to be enabled by default by @esnowberg in rhboot#455
* Add code of conduct by @frozencemetery in rhboot#427
* Re-add ARM AArch64 support by @vathpela in rhboot#468
* Use ASCII as fallback if Unicode Box Drawing characters fail by @vathpela in rhboot#428
* make: don't treat cert.S specially by @vathpela in rhboot#475
* shim: use SHIM_DEVEL_VERBOSE when built in devel mode by @vathpela in rhboot#474
* Break out of the inner sbat loop if we find the entry. by @vathpela in rhboot#476
* Support loading additional certificates by @esnowberg in rhboot#446
* Add support for NX (W^X) mitigations. by @vathpela in rhboot#459
* Misc fixups from scan-build. by @vathpela in rhboot#477
* Fix preserve_sbat_uefi_variable() logic by @jsetje in rhboot#478

- New Contributors
* @joeyli made their first contribution in rhboot#441
* @akodanev made their first contribution in rhboot#463
* @esnowberg made their first contribution in rhboot#455

- Full Changelog**: rhboot/shim@15.5...15.6-rc1

shim 15.5

Much thanks to those who tested this release.

Changes from -rc2:

- Make Mok config table be runtime services memory
- Remove post-process-pe on 'make clean'
- pe: missing perror argument

**Incremental changelog**:
rhboot/shim@15.5-rc2...15.5

From 15.4, the following people contributed code:

- Peter Jones (46)
- Heinrich Schuchardt (7)
- Gary Lin (6)
- Renaud Métrich (4)
- Julian Andres Klode (4)
- Serge Hallyn (2)
- Robbie Harwood (2)
- Nicholas Bishop (2)
- João Paulo Rechi Vita (2)
- Seth Forshee (1)
- Jonathan Yong (1)
- Jonas Witschel (1)
- Javier Martinez Canillas (1)
- Jan Setje-Eilers (1)
- Esther Shimanovich (1)
- Eric Snowberg (1)
- Dimitri John Ledkov (1)
- Daniel Axtens (1)
- Chris Coulson (1)
- Adam Williamson (1)

**Full changelog**:
rhboot/shim@15.4...15.5