pool/shim
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 343340 from home:gary_lin:branches:devel:openSUSE:Factory

Browse Source 
- Add shim-bsc950569-fix-cryptlib-va-functions.patch to fix the
  definition of va functions to avoid the potential crash
  (bsc#950569)
- Update shim-opensuse-cert-prompt.patch to avoid setting NULL to
  MokListRT (bsc#950801)
- Drop shim-fix-mokmanager-sections.patch as we are using the
  newer binutils now
- Refresh shim-change-debug-file-path.patch

OBS-URL: https://build.opensuse.org/request/show/343340
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=106
This commit is contained in:
Gary Ching-Pang Lin 2015-11-10 09:59:11 +00:00 committed by Git OBS Bridge
parent 395a47885d
commit 0bf24d30d2
6 changed files with 343 additions and 72 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

283
shim-bsc950569-fix-cryptlib-va-functions.patch Normal file
View File

@ -0,0 +1,283 @@
From b74c635bfd5d131f2848ce2cd2ffc838dc616ee8 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 27 Oct 2015 12:00:13 +0800
Subject: [PATCH] Cryptlib: Define the va functions for EFIAPI
It turned out that my previous crash fix(*) was wrong.
We actually always used the gcc built-in va functions instead of
the "real" va functions for EFIAPI, and we are just lucky that
ERR_add_error_data didn't crash before.
This commit copies the va functions from MdePkg/Include/Base.h
in edk2 and introdues NO_BUILTIN_VA_FUNCS for x86_64, so that all
the x86_64 build will adopt the new va functions. For safety,
I also added EFIAPI to all the functions which use va_* to avoid
the potential trouble.
(*) a7f4b26cc35204165bd04e75c34e8e7aa2a87ecc
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
Cryptlib/Include/OpenSslSupport.h | 75 +++++++++++++++++++++++++++++++++++
Cryptlib/Include/openssl/bio.h | 8 ++++
Cryptlib/Include/openssl/err.h | 4 --
Cryptlib/Makefile | 2 +-
Cryptlib/OpenSSL/Makefile | 3 +-
Cryptlib/OpenSSL/crypto/bio/b_print.c | 8 ++++
Cryptlib/OpenSSL/crypto/cryptlib.c | 4 ++
Cryptlib/OpenSSL/crypto/cryptlib.h | 4 ++
Cryptlib/OpenSSL/crypto/err/err.c | 4 --
Makefile | 1 +
10 files changed, 103 insertions(+), 10 deletions(-)
diff --git a/Cryptlib/Include/OpenSslSupport.h b/Cryptlib/Include/OpenSslSupport.h
index e5e1adc..004c3e8 100644
--- a/Cryptlib/Include/OpenSslSupport.h
+++ b/Cryptlib/Include/OpenSslSupport.h
@@ -47,6 +47,9 @@ typedef VOID *FILE;
#define va_arg VA_ARG
#define va_start VA_START
#define va_end VA_END
+
+# if !defined(NO_BUILTIN_VA_FUNCS)
+
typedef __builtin_va_list VA_LIST;
#define VA_START(Marker, Parameter) __builtin_va_start (Marker, Parameter)
@@ -57,6 +60,78 @@ typedef __builtin_va_list VA_LIST;
#define VA_COPY(Dest, Start) __builtin_va_copy (Dest, Start)
+# else
+
+#define _INT_SIZE_OF(n) ((sizeof (n) + sizeof (UINTN) - 1) &~(sizeof (UINTN) - 1))
+///
+/// Variable used to traverse the list of arguments. This type can vary by
+/// implementation and could be an array or structure.
+///
+typedef CHAR8 *VA_LIST;
+
+/**
+ Retrieves a pointer to the beginning of a variable argument list, based on
+ the name of the parameter that immediately precedes the variable argument list.
+
+ This function initializes Marker to point to the beginning of the variable
+ argument list that immediately follows Parameter. The method for computing the
+ pointer to the next argument in the argument list is CPU-specific following the
+ EFIAPI ABI.
+
+ @param Marker The VA_LIST used to traverse the list of arguments.
+ @param Parameter The name of the parameter that immediately precedes
+ the variable argument list.
+
+ @return A pointer to the beginning of a variable argument list.
+
+**/
+#define VA_START(Marker, Parameter) (Marker = (VA_LIST) ((UINTN) & (Parameter) + _INT_SIZE_OF (Parameter)))
+
+/**
+ Returns an argument of a specified type from a variable argument list and updates
+ the pointer to the variable argument list to point to the next argument.
+
+ This function returns an argument of the type specified by TYPE from the beginning
+ of the variable argument list specified by Marker. Marker is then updated to point
+ to the next argument in the variable argument list. The method for computing the
+ pointer to the next argument in the argument list is CPU-specific following the EFIAPI ABI.
+
+ @param Marker VA_LIST used to traverse the list of arguments.
+ @param TYPE The type of argument to retrieve from the beginning
+ of the variable argument list.
+
+ @return An argument of the type specified by TYPE.
+
+**/
+#define VA_ARG(Marker, TYPE) (*(TYPE *) ((Marker += _INT_SIZE_OF (TYPE)) - _INT_SIZE_OF (TYPE)))
+
+/**
+ Terminates the use of a variable argument list.
+
+ This function initializes Marker so it can no longer be used with VA_ARG().
+ After this macro is used, the only way to access the variable argument list is
+ by using VA_START() again.
+
+ @param Marker VA_LIST used to traverse the list of arguments.
+
+**/
+#define VA_END(Marker) (Marker = (VA_LIST) 0)
+
+/**
+ Initializes a VA_LIST as a copy of an existing VA_LIST.
+
+ This macro initializes Dest as a copy of Start, as if the VA_START macro had been applied to Dest
+ followed by the same sequence of uses of the VA_ARG macro as had previously been used to reach
+ the present state of Start.
+
+ @param Dest VA_LIST used to traverse the list of arguments.
+ @param Start VA_LIST used to traverse the list of arguments.
+
+**/
+#define VA_COPY(Dest, Start) ((void)((Dest) = (Start)))
+
+# endif
+
#else // __CC_ARM
#define va_start(Marker, Parameter) __va_start(Marker, Parameter)
#define va_arg(Marker, TYPE) __va_arg(Marker, TYPE)
diff --git a/Cryptlib/Include/openssl/bio.h b/Cryptlib/Include/openssl/bio.h
index 561ae2f..69bd48c 100644
--- a/Cryptlib/Include/openssl/bio.h
+++ b/Cryptlib/Include/openssl/bio.h
@@ -787,11 +787,19 @@ void BIO_copy_next_retry(BIO *b);
# else
# define __bio_h__attr__(x)
# endif
+# if defined(OPENSSL_SYS_UEFI)
+int EFIAPI BIO_printf(BIO *bio, const char *format, ...)
+# else
int BIO_printf(BIO *bio, const char *format, ...)
+# endif
__bio_h__attr__((__format__(__printf__, 2, 3)));
int BIO_vprintf(BIO *bio, const char *format, va_list args)
__bio_h__attr__((__format__(__printf__, 2, 0)));
+# if defined(OPENSSL_SYS_UEFI)
+int EFIAPI BIO_snprintf(char *buf, size_t n, const char *format, ...)
+# else
int BIO_snprintf(char *buf, size_t n, const char *format, ...)
+# endif
__bio_h__attr__((__format__(__printf__, 3, 4)));
int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args)
__bio_h__attr__((__format__(__printf__, 3, 0)));
diff --git a/Cryptlib/Include/openssl/err.h b/Cryptlib/Include/openssl/err.h
index da589f8..bbfdb95 100644
--- a/Cryptlib/Include/openssl/err.h
+++ b/Cryptlib/Include/openssl/err.h
@@ -352,11 +352,7 @@ void EFIAPI ERR_add_error_data(int num, ...);
void ERR_add_error_data(int num, ...);
#endif
-#if defined(OPENSSL_SYS_UEFI)
-void EFIAPI ERR_add_error_vdata(int num, va_list args);
-#else
void ERR_add_error_vdata(int num, va_list args);
-#endif
void ERR_load_strings(int lib, ERR_STRING_DATA str[]);
void ERR_unload_strings(int lib, ERR_STRING_DATA str[]);
void ERR_load_ERR_strings(void);
diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile
index 9a92304..c9cf379 100644
--- a/Cryptlib/Makefile
+++ b/Cryptlib/Makefile
@@ -7,7 +7,7 @@ CFLAGS = -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-
ifeq ($(ARCH),x86_64)
CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \
- -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI
+ -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI -DNO_BUILTIN_VA_FUNCS
endif
ifeq ($(ARCH),ia32)
CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -m32
diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile
index ab6e7dd..f8055fd 100644
--- a/Cryptlib/OpenSSL/Makefile
+++ b/Cryptlib/OpenSSL/Makefile
@@ -7,7 +7,8 @@ CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-st
ifeq ($(ARCH),x86_64)
CFLAGS += -mno-mmx -mno-sse -mno-red-zone -maccumulate-outgoing-args \
- -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI -DSIXTY_FOUR_BIT_LONG
+ -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI -DSIXTY_FOUR_BIT_LONG \
+ -DNO_BUILTIN_VA_FUNCS
endif
ifeq ($(ARCH),ia32)
CFLAGS += -mno-mmx -mno-sse -mno-red-zone -maccumulate-outgoing-args \
diff --git a/Cryptlib/OpenSSL/crypto/bio/b_print.c b/Cryptlib/OpenSSL/crypto/bio/b_print.c
index 9091d56..4695827 100644
--- a/Cryptlib/OpenSSL/crypto/bio/b_print.c
+++ b/Cryptlib/OpenSSL/crypto/bio/b_print.c
@@ -751,7 +751,11 @@ doapr_outch(char **sbuffer,
/***************************************************************************/
+#if defined(OPENSSL_SYS_UEFI)
+int EFIAPI BIO_printf(BIO *bio, const char *format, ...)
+#else
int BIO_printf(BIO *bio, const char *format, ...)
+#endif
{
va_list args;
int ret;
@@ -795,7 +799,11 @@ int BIO_vprintf(BIO *bio, const char *format, va_list args)
* closely related to BIO_printf, and we need *some* name prefix ... (XXX the
* function should be renamed, but to what?)
*/
+#if defined(OPENSSL_SYS_UEFI)
+int EFIAPI BIO_snprintf(char *buf, size_t n, const char *format, ...)
+#else
int BIO_snprintf(char *buf, size_t n, const char *format, ...)
+#endif
{
va_list args;
int ret;
diff --git a/Cryptlib/OpenSSL/crypto/cryptlib.c b/Cryptlib/OpenSSL/crypto/cryptlib.c
index ca0e3cc..0a59342 100644
--- a/Cryptlib/OpenSSL/crypto/cryptlib.c
+++ b/Cryptlib/OpenSSL/crypto/cryptlib.c
@@ -962,7 +962,11 @@ void OPENSSL_showfatal(const char *fmta, ...)
MessageBox(NULL, buf, _T("OpenSSL: FATAL"), MB_OK | MB_ICONSTOP);
}
#else
+# if defined(OPENSSL_SYS_UEFI)
+void EFIAPI OPENSSL_showfatal(const char *fmta, ...)
+# else
void OPENSSL_showfatal(const char *fmta, ...)
+# endif
{
va_list ap;
diff --git a/Cryptlib/OpenSSL/crypto/cryptlib.h b/Cryptlib/OpenSSL/crypto/cryptlib.h
index fba180a..7ca4c99 100644
--- a/Cryptlib/OpenSSL/crypto/cryptlib.h
+++ b/Cryptlib/OpenSSL/crypto/cryptlib.h
@@ -100,7 +100,11 @@ extern "C" {
void OPENSSL_cpuid_setup(void);
extern unsigned int OPENSSL_ia32cap_P[];
+# if defined(OPENSSL_SYS_UEFI)
+void EFIAPI OPENSSL_showfatal(const char *fmta, ...);
+# else
void OPENSSL_showfatal(const char *fmta, ...);
+# endif
void *OPENSSL_stderr(void);
extern int OPENSSL_NONPIC_relocated;
diff --git a/Cryptlib/OpenSSL/crypto/err/err.c b/Cryptlib/OpenSSL/crypto/err/err.c
index 108b83a..f98cce6 100644
--- a/Cryptlib/OpenSSL/crypto/err/err.c
+++ b/Cryptlib/OpenSSL/crypto/err/err.c
@@ -1085,11 +1085,7 @@ void ERR_add_error_data(int num, ...)
va_end(args);
}
-#if defined(OPENSSL_SYS_UEFI)
-void EFIAPI ERR_add_error_vdata(int num, va_list args)
-#else
void ERR_add_error_vdata(int num, va_list args)
-#endif
{
int i, n, s;
char *str, *p, *a;
diff --git a/Makefile b/Makefile
index 2449fe4..b36e2a3 100644
--- a/Makefile
+++ b/Makefile
@@ -42,6 +42,7 @@ ifeq ($(ARCH),x86_64)
CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
-maccumulate-outgoing-args \
-DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \
+ -DNO_BUILTIN_VA_FUNCS \
"-DEFI_ARCH=L\"x64\"" \
"-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/x64-$(VERSION)$(RELEASE)/\""
endif
--
2.6.2

15
shim-change-debug-file-path.patch
View File

@ -8,19 +8,16 @@ Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 48e2a7d..081c9a8 100644
--- a/Makefile
+++ b/Makefile
@@ -43,7 +43,7 @@ ifeq ($(ARCH),x86_64)
-maccumulate-outgoing-args \
Index: shim-0.9/Makefile
===================================================================
--- shim-0.9.orig/Makefile
+++ shim-0.9/Makefile
@@ -44,7 +44,7 @@ ifeq ($(ARCH),x86_64)
-DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \
-DNO_BUILTIN_VA_FUNCS \
"-DEFI_ARCH=L\"x64\"" \
- "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/x64-$(VERSION)$(RELEASE)/\""
+ "-DDEBUGDIR=L\"/usr/lib/debug/usr/lib64/efi/shim.debug\""
endif
ifeq ($(ARCH),ia32)
CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
--
2.1.4

53
shim-fix-mokmanager-sections.patch
View File

@ -1,53 +0,0 @@
From fa7e46558ebdafeb7b5f4a3b843f309a678d4365 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon, 10 Nov 2014 17:19:58 +0800
Subject: [PATCH] Fix objcopy parameters to include .rel and .rela
This is a quick hack for the old objcopy.
The asterisks support in objcopy was added in 2.24. For the distro
with the older objcopy, some sections would be ignored and this could
crash the program.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
Makefile | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/Makefile b/Makefile
index 412496b..a791bcc 100644
--- a/Makefile
+++ b/Makefile
@@ -9,7 +9,6 @@ LD = $(CROSS_COMPILE)ld
OBJCOPY = $(CROSS_COMPILE)objcopy
ARCH = $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,)
-OBJCOPY_GTE224 = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.* //g' | cut -f1-2 -d.` \>= 2.24)
SUBDIRS = Cryptlib lib
@@ -142,17 +141,14 @@ endif
FORMAT ?= --target efi-app-$(ARCH)
%.efi: %.so
-ifneq ($(OBJCOPY_GTE224),1)
- $(error objcopy >= 2.24 is required)
-endif
$(OBJCOPY) -j .text -j .sdata -j .data \
- -j .dynamic -j .dynsym -j .rel* \
- -j .rela* -j .reloc -j .eh_frame \
+ -j .dynamic -j .dynsym -j .rel \
+ -j .rela -j .reloc -j .eh_frame \
-j .vendor_cert \
$(FORMAT) $^ $@
$(OBJCOPY) -j .text -j .sdata -j .data \
- -j .dynamic -j .dynsym -j .rel* \
- -j .rela* -j .reloc -j .eh_frame \
+ -j .dynamic -j .dynsym -j .rel \
+ -j .rela -j .reloc -j .eh_frame \
-j .debug_info -j .debug_abbrev -j .debug_aranges \
-j .debug_line -j .debug_str -j .debug_ranges \
-j .note.gnu.build-id \
--
2.1.4

44
shim-opensuse-cert-prompt.patch
View File

@ -1,7 +1,7 @@
From 83b991190b82da422cff4e357e045ff993ecaa9d Mon Sep 17 00:00:00 2001
From 6718680400c48e463aac6ceef2a3238f2a0e1d57 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 18 Feb 2014 17:29:19 +0800
Subject: [PATCH 1/3] Show the build-in certificate prompt
Subject: [PATCH 1/4] Show the build-in certificate prompt
This is an openSUSE-only patch.
@ -140,10 +140,10 @@ index 4c6bdc5..4e8ed3a 100644
2.1.4
From bde21fc34f6c1293a4233e704d9890a14f4bff19 Mon Sep 17 00:00:00 2001
From 60e38ea2418c8e77a5e85cb833de7a3967be1343 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 20 Feb 2014 16:57:08 +0800
Subject: [PATCH 2/3] Support revoking the openSUSE cert
Subject: [PATCH 2/4] Support revoking the openSUSE cert
This is an openSUSE-only patch.
@ -309,10 +309,10 @@ index 4e8ed3a..8848e6a 100644
2.1.4
From 3d22ec8e64253ec7edc4133d6122539f006c792e Mon Sep 17 00:00:00 2001
From fd62fb657674e9cb63f2bd814c6c8c50acf2c6aa Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Fri, 7 Mar 2014 16:17:20 +0800
Subject: [PATCH 3/3] Delete openSUSE_Verify the right way
Subject: [PATCH 3/4] Delete openSUSE_Verify the right way
This is an openSUSE-only patch.
@ -340,3 +340,35 @@ index 68d4099..c7f2b65 100644
--
2.1.4
From 2014c6b629a4c5543d0531f59303dbd7bcdd4051 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon, 19 Oct 2015 16:36:14 +0800
Subject: [PATCH 4/4] Don't pass NULL to set MokListRT
This is an openSUSE-only patch.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
shim.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/shim.c b/shim.c
index 8848e6a..7a21bb2 100644
--- a/shim.c
+++ b/shim.c
@@ -1768,6 +1768,11 @@ EFI_STATUS mirror_mok_list()
FullData = Data;
}
+ if (FullDataSize == 0) {
+ /* openSUSE_Verify isn't set and no other MOK exists. */
+ return EFI_SUCCESS;
+ }
+
efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokListRT",
&shim_lock_guid,
EFI_VARIABLE_BOOTSERVICE_ACCESS
--
2.1.4

12
shim.changes
View File

@ -1,3 +1,15 @@
-------------------------------------------------------------------
Mon Nov 9 08:22:43 UTC 2015 - glin@suse.com
- Add shim-bsc950569-fix-cryptlib-va-functions.patch to fix the
definition of va functions to avoid the potential crash
(bsc#950569)
- Update shim-opensuse-cert-prompt.patch to avoid setting NULL to
MokListRT (bsc#950801)
- Drop shim-fix-mokmanager-sections.patch as we are using the
newer binutils now
- Refresh shim-change-debug-file-path.patch
-------------------------------------------------------------------
Thu Oct 8 06:49:43 UTC 2015 - jsegitz@novell.com

8
shim.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package shim
#
# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -44,12 +44,12 @@ Source11: strip_signature.sh
Source12: signature-sles.asc
# PATCH-FIX-SUSE shim-only-os-name.patch glin@suse.com -- Only include the OS name in version.c
Patch1: shim-only-os-name.patch
# PATCH-FIX-UPSTREAM shim-fix-mokmanager-sections.patch glin@suse.com -- Fix the objcopy parameters for the EFI files
Patch3: shim-fix-mokmanager-sections.patch
# PATCH-FIX-UPSTREAM shim-update-openssl-1.0.2d.patch glin@suse.com -- Update openssl to 1.0.2d
Patch4: shim-update-openssl-1.0.2d.patch
# PATCH-FIX-UPSTREAM shim-gcc5.patch glin@suse.com -- Specify the gnu89 standard
Patch5: shim-gcc5.patch
# PATCH-FIX-UPSTREAM shim-bsc950569-fix-cryptlib-va-functions.patch bsc#950569 glin@suse.com -- Fix the definition of the va functions to avoid the potential crash
Patch6: shim-bsc950569-fix-cryptlib-va-functions.patch
# PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch glin@suse.com -- Change the default debug file path
Patch50: shim-change-debug-file-path.patch
# PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
@ -90,9 +90,9 @@ Authors:
%prep
%setup -q
%patch1 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch50 -p1
%patch100 -p1
%build