Accepting request 1251154 from Base:System

OBS-URL: https://build.opensuse.org/request/show/1251154 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pcr-oracle?expand=0&rev=18
2025-03-07 15:39:40 +00:00 · 2025-03-07 15:39:40 +00:00 · 34510ba1ec
commit 34510ba1ec
parent c3a080f6f8 41ba24edaf
4 changed files with 150 additions and 0 deletions
--- a/fix-bsc1230316-make-pcr4-hard-requirement.patch
+++ b/fix-bsc1230316-make-pcr4-hard-requirement.patch
@ -0,0 +1,34 @@
+From 55fe5c34cf41813fd91fff85281770da77913b68 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Fri, 7 Mar 2025 16:40:36 +0800
+Subject: [PATCH 2/2] Stop the SbatLevelRT prediction if .sbatlevel not
+ available
+
+The SbatLevelRT prediction relies on the PCR4 events to locate shim.efi,
+so PCR4 has to be a hard requirement.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ src/efi-variable.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/efi-variable.c b/src/efi-variable.c
+index b70f63b..f8527cc 100644
+--- a/src/efi-variable.c
+++ b/src/efi-variable.c
+@@ -291,9 +291,9 @@ efi_variable_authority_get_record(const tpm_parsed_event_t *parsed, const char *
+ 		db_name = "MokList";
+ 	} else
+ 	if (!strcmp(var_short_name, "SbatLevel")) {
+-		if (ctx->sbatlevel != NULL)
+-			return efi_sbatlevel_get_record(ctx->sbatlevel);
+-		return runtime_read_efi_variable(var_name);
+		if (ctx->sbatlevel == NULL)
+			fatal("No reference .sbatlevel section. Please add PCR4 into the PCR index list\n");
+		return efi_sbatlevel_get_record(ctx->sbatlevel);
+ 	} else {
+ 		/* Read as-is (this could be SbatLevel, or some other variable that's not
+ 		 * a signature db). */
+-- 
+2.43.0
+
--- a/fix-bsc1230316-predict-sbatlevelrt-sb-off.patch
+++ b/fix-bsc1230316-predict-sbatlevelrt-sb-off.patch
@ -0,0 +1,103 @@
+From 07e43365379ef5bd9fb53a45306af02025442b92 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Fri, 7 Mar 2025 14:09:34 +0800
+Subject: [PATCH 1/2] Fix SbatLevelRT prediction when Secure Boot is disabled
+
+Since shim 15.8, instead of using SBAT automatic as the default
+candidate, it always resets SbatLevel to SBAT_ORIGINAL. To make the
+prediction work for shim >= 15.8, the additinal check is added to adjust
+the SBAT candidate.
+
+Also fix POLICY_RESET for not setting sbat_reset to true and a few
+typos.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ src/efi-variable.c | 30 ++++++++++++++++++++++++++----
+ 1 file changed, 26 insertions(+), 4 deletions(-)
+
+diff --git a/src/efi-variable.c b/src/efi-variable.c
+index 9c56eec..b70f63b 100644
+--- a/src/efi-variable.c
+++ b/src/efi-variable.c
+@@ -100,6 +100,7 @@ __tpm_event_efi_variable_build_event(const tpm_parsed_event_t *parsed, const voi
+ #define POLICY_LATEST		1
+ #define POLICY_AUTOMATIC	2
+ #define POLICY_RESET		3
+#define POLICY_NOTREAD		255
+ 
+ #define SBAT_ORIGINAL "sbat,1,2021030218\n"
+ 
+@@ -169,6 +170,7 @@ efi_sbatlevel_get_record(buffer_t *sbatlevel)
+ 	buffer_t *result = NULL;
+ 	uint8_t secureboot;
+ 	uint8_t sbatpolicy;
+	uint32_t auto_date;
+ 	uint32_t current_date;
+ 	uint32_t candidate_date;
+ 	bool sbat_reset = false;
+@@ -178,6 +180,11 @@ efi_sbatlevel_get_record(buffer_t *sbatlevel)
+ 		return NULL;
+ 	}
+ 
+	if (!fetch_sbat_datestamp(sbat_automatic, strlen(sbat_automatic), &auto_date)) {
+		error("Unable to get datestamp of SBAT automatic\n");
+		return NULL;
+	}
+
+ 	buffer = runtime_read_efi_variable(SECUREBOOT_VARNAME);
+ 	if (buffer == NULL || !buffer_get_u8(buffer, &secureboot))
+ 		secureboot = 0;
+@@ -185,7 +192,7 @@ efi_sbatlevel_get_record(buffer_t *sbatlevel)
+ 
+ 	buffer = runtime_read_efi_variable(SBATPOLICY_VARNAME);
+ 	if (buffer == NULL || !buffer_get_u8(buffer, &sbatpolicy))
+-		sbatpolicy = POLICY_AUTOMATIC;
+		sbatpolicy = POLICY_NOTREAD;
+ 	buffer_free(buffer);
+ 
+ 	switch (sbatpolicy) {
+@@ -200,9 +207,24 @@ efi_sbatlevel_get_record(buffer_t *sbatlevel)
+ 			infomsg("SBAT cannot be reset when Secure Boot is enabled.\n");
+ 			sbat_candidate = sbat_automatic;
+ 		} else {
+			sbat_reset = true;
+ 			sbat_candidate = SBAT_ORIGINAL;
+ 		}
+ 		break;
+	case POLICY_NOTREAD:
+		if (secureboot == 1) {
+			sbat_candidate = sbat_automatic;
+		} else {
+			/* shim 15.8 always resets SbatLevel when Secure Boot is disabled.
+			 * The automatic datestamp of shim 15.8 is 2023012900. */
+			if (auto_date >= 2023012900) {
+				sbat_reset = true;
+				sbat_candidate = SBAT_ORIGINAL;
+			} else {
+				sbat_candidate = sbat_automatic;
+			}
+		}
+		break;
+ 	default:
+ 		error("Invalid SBAT policy\n");
+ 		return NULL;
+@@ -217,12 +239,12 @@ efi_sbatlevel_get_record(buffer_t *sbatlevel)
+ 
+ 	if (!fetch_sbat_datestamp(sbat_current, sbatlvlrt->size, &current_date)
+ 	 || !fetch_sbat_datestamp(sbat_candidate, strlen(sbat_candidate), &candidate_date)) {
+-		error("Unable to get SBAT timestamp\n");
+		error("Unable to get SBAT datestamp\n");
+ 		goto fail;
+ 	}
+ 
+-	debug("Current SBAT datestampe: %u\n", current_date);
+-	debug("Candidate SBAT datestampe: %u\n", candidate_date);
+	debug("Current SBAT datestamp: %u\n", current_date);
+	debug("Candidate SBAT datestamp: %u\n", candidate_date);
+ 
+ 	if (current_date >= candidate_date && sbat_reset == false) {
+ 		debug("Use current SbatLevel\n");
+-- 
+2.43.0
+
--- a/pcr-oracle.changes
+++ b/pcr-oracle.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Fri Mar  7 06:19:42 UTC 2025 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Add fix-bsc1230316-predict-sbatlevelrt-sb-off.patch to fix the
+  prediction of SbatLevelRT when Secure Boot is disabled
+  (bsc#1230316)
+- Add fix-bsc1230316-make-pcr4-hard-requirement.patch to make PCR4
+  a hard requirement for SbatLevelRT prediction (bsc#1230316)
+
 -------------------------------------------------------------------
 Wed Feb 26 07:31:47 UTC 2025 - Gary Ching-Pang Lin <glin@suse.com>

--- a/pcr-oracle.spec
+++ b/pcr-oracle.spec
@ -42,6 +42,10 @@ Patch5:         fix-testcase-empty-efi-variables.patch
 Patch6:         fix-event-reshash-for-cryptouuid.patch
 # PATCH-FIX-UPSTREAM fix-bsc1230316-predict-sbatlevelrt.patch gh#okirch/pcr-oracle!61
 Patch7:         fix-bsc1230316-predict-sbatlevelrt.patch
+# PATCH-FIX-UPSTREAM fix-bsc1230316-predict-sbatlevelrt-sb-off.patch gh#okirch/pcr-oracle!61
+Patch8:         fix-bsc1230316-predict-sbatlevelrt-sb-off.patch
+# PATCH-FIX-UPSTREAM fix-bsc1230316-make-pcr4-hard-requirement.patch gh#okirch/pcr-oracle!61
+Patch9:         fix-bsc1230316-make-pcr4-hard-requirement.patch
 BuildRequires:  libopenssl-devel >= 0.9.8
 BuildRequires:  tpm2-0-tss-devel >= 2.4.0
 Requires:       libtss2-tcti-device0