Accepting request 883796 from home:gary_lin:branches:devel:openSUSE:Factory

- avoid the error message during linux system boot (bsc#1184454) - prevent the build id being added to the binary. That can cause issues with the signature OBS-URL: https://build.opensuse.org/request/show/883796 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=177
2021-04-08 09:16:46 +00:00 · 2021-04-08 09:16:46 +00:00 · 0f47283b84
commit 0f47283b84
parent 1354ba095a
4 changed files with 84 additions and 0 deletions
--- a/remove_build_id.patch
+++ b/remove_build_id.patch
@ -0,0 +1,27 @@
+Index: shim/shim-15.4/gnu-efi/Make.defaults
+===================================================================
+--- shim-15.4.orgi/gnu-efi/Make.defaults
+++ shim-15.4/gnu-efi/Make.defaults
+@@ -205,8 +205,7 @@ ARFLAGS := rDv
+ endif
+ 
+ ASFLAGS += $(ARCH3264)
+-LDFLAGS	+= -nostdlib --warn-common --no-undefined --fatal-warnings \
+-	   --build-id=sha1
+LDFLAGS	+= -nostdlib --warn-common --no-undefined --fatal-warnings
+ 
+ ifneq ($(ARCH),arm)
+ export LIBGCC=$(shell $(CC) $(CFLAGS) $(ARCH3264) -print-libgcc-file-name)
+Index: shim/shim-15.4/Make.defaults
+===================================================================
+--- shim-15.4.orig/Make.defaults
+++ shim-15.4/Make.defaults
+@@ -184,7 +184,7 @@ ifneq ($(origin VENDOR_DBX_FILE), undefi
+ DEFINES		+= -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\"
+ endif
+ 
+-LDFLAGS		= --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(LOCAL_EFI_PATH) -L$(LIBDIR) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) --build-id=sha1 $(ARCH_LDFLAGS) --no-undefined
+LDFLAGS		= --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(LOCAL_EFI_PATH) -L$(LIBDIR) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) $(ARCH_LDFLAGS) --no-undefined
+ 
+ ifneq ($(DEBUG),)
+ export DEBUG
--- a/shim-bsc1184454-allocate-mok-config-table-BS.patch
+++ b/shim-bsc1184454-allocate-mok-config-table-BS.patch
@ -0,0 +1,39 @@
+From 33ca95024aa7e33218da5882d30b3ec690a11046 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Thu, 8 Apr 2021 16:23:03 +0800
+Subject: [PATCH] mok: allocate MOK config table as BootServicesData
+
+Linux kernel is picky when reserving the memory for x86 and it only
+expects BootServicesData:
+
+https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/platform/efi/quirks.c?h=v5.11#n254
+
+Otherwise, the following error would show during system boot:
+
+Apr 07 12:31:56.743925 localhost kernel: efi: Failed to lookup EFI memory descriptor for 0x000000003dcf8000
+
+Although BootServicesData would be reclaimed after ExitBootService(),
+linux kernel reserves MOK config table when it detects the existence of
+the table, so it's fine to allocate the table as BootServicesData.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ mok.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mok.c b/mok.c
+index 5ad9072b..fc1ee04d 100644
+--- a/mok.c
+++ b/mok.c
+@@ -1002,7 +1002,7 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ 		npages = ALIGN_VALUE(config_sz, PAGE_SIZE) >> EFI_PAGE_SHIFT;
+ 		config_table = NULL;
+ 		efi_status = gBS->AllocatePages(AllocateAnyPages,
+-						EfiRuntimeServicesData,
+						EfiBootServicesData,
+ 						npages,
+ 						(EFI_PHYSICAL_ADDRESS *)&config_table);
+ 		if (EFI_ERROR(efi_status) || !config_table) {
+-- 
+2.29.2
+
--- a/shim.changes
+++ b/shim.changes
@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Thu Apr  8 08:44:27 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Add shim-bsc1184454-allocate-mok-config-table-BS.patch to avoid
+  the error message during linux system boot (bsc#1184454)
+
+-------------------------------------------------------------------
+Wed Apr  7 12:25:02 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Add remove_build_id.patch to prevent the build id being added to 
+  the binary. That can cause issues with the signature
+
 -------------------------------------------------------------------
 Wed Mar 31 08:40:49 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>

--- a/shim.spec
+++ b/shim.spec
@ -71,6 +71,10 @@ Patch2:         shim-change-debug-file-path.patch
 Patch3:         shim-bsc1177315-verify-eku-codesign.patch
 # PATCH-FIX-UPSTREAM shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch bsc#1177789 glin@suse.com -- Fix the NULL pointer dereference in AuthenticodeVerify()
 Patch4:         shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch
+# PATCH-FIX-SUSE remove_build_id.patch -- Remove the build ID to make the binary reproducible when building with AArch64 container
+Patch5:         remove_build_id.patch
+# PATCH-FIX-UPSTREAM shim-bsc1184454-allocate-mok-config-table-BS.patch bsc#1184454 glin@suse.com -- Allocate MOK config table as BootServicesData to avoid the error message from linux kernel
+Patch6:         shim-bsc1184454-allocate-mok-config-table-BS.patch
 BuildRequires:  dos2unix
 BuildRequires:  mozilla-nss-tools
 BuildRequires:  openssl >= 0.9.8
@ -114,6 +118,8 @@ The source code of UEFI shim loader
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
+%patch6 -p1

 %build
 # generate the vendor SBAT metadata