pool/shim
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 883796 from home:gary_lin:branches:devel:openSUSE:Factory

Browse Source 
- avoid the error message during linux system boot (bsc#1184454)
- prevent the build id being added to the binary. That can cause issues with the signature

OBS-URL: https://build.opensuse.org/request/show/883796
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=177
This commit is contained in:
Gary Ching-Pang Lin 2021-04-08 09:16:46 +00:00 committed by Git OBS Bridge
parent 1354ba095a
commit 0f47283b84
4 changed files with 84 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
remove_build_id.patch Normal file
View File

@ -0,0 +1,27 @@
Index: shim/shim-15.4/gnu-efi/Make.defaults
===================================================================
--- shim-15.4.orgi/gnu-efi/Make.defaults
+++ shim-15.4/gnu-efi/Make.defaults
@@ -205,8 +205,7 @@ ARFLAGS := rDv
endif
ASFLAGS += $(ARCH3264)
-LDFLAGS += -nostdlib --warn-common --no-undefined --fatal-warnings \
- --build-id=sha1
+LDFLAGS += -nostdlib --warn-common --no-undefined --fatal-warnings
ifneq ($(ARCH),arm)
export LIBGCC=$(shell $(CC) $(CFLAGS) $(ARCH3264) -print-libgcc-file-name)
Index: shim/shim-15.4/Make.defaults
===================================================================
--- shim-15.4.orig/Make.defaults
+++ shim-15.4/Make.defaults
@@ -184,7 +184,7 @@ ifneq ($(origin VENDOR_DBX_FILE), undefi
DEFINES += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\"
endif
-LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(LOCAL_EFI_PATH) -L$(LIBDIR) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) --build-id=sha1 $(ARCH_LDFLAGS) --no-undefined
+LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(LOCAL_EFI_PATH) -L$(LIBDIR) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) $(ARCH_LDFLAGS) --no-undefined
ifneq ($(DEBUG),)
export DEBUG

39
shim-bsc1184454-allocate-mok-config-table-BS.patch Normal file
View File

@ -0,0 +1,39 @@
From 33ca95024aa7e33218da5882d30b3ec690a11046 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 8 Apr 2021 16:23:03 +0800
Subject: [PATCH] mok: allocate MOK config table as BootServicesData
Linux kernel is picky when reserving the memory for x86 and it only
expects BootServicesData:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/platform/efi/quirks.c?h=v5.11#n254
Otherwise, the following error would show during system boot:
Apr 07 12:31:56.743925 localhost kernel: efi: Failed to lookup EFI memory descriptor for 0x000000003dcf8000
Although BootServicesData would be reclaimed after ExitBootService(),
linux kernel reserves MOK config table when it detects the existence of
the table, so it's fine to allocate the table as BootServicesData.
Signed-off-by: Gary Lin <glin@suse.com>
---
mok.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mok.c b/mok.c
index 5ad9072b..fc1ee04d 100644
--- a/mok.c
+++ b/mok.c
@@ -1002,7 +1002,7 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
npages = ALIGN_VALUE(config_sz, PAGE_SIZE) >> EFI_PAGE_SHIFT;
config_table = NULL;
efi_status = gBS->AllocatePages(AllocateAnyPages,
- EfiRuntimeServicesData,
+ EfiBootServicesData,
npages,
(EFI_PHYSICAL_ADDRESS *)&config_table);
if (EFI_ERROR(efi_status) || !config_table) {
--
2.29.2

12
shim.changes
View File

@ -1,3 +1,15 @@
-------------------------------------------------------------------
Thu Apr 8 08:44:27 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
- Add shim-bsc1184454-allocate-mok-config-table-BS.patch to avoid
the error message during linux system boot (bsc#1184454)
-------------------------------------------------------------------
Wed Apr 7 12:25:02 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Add remove_build_id.patch to prevent the build id being added to
the binary. That can cause issues with the signature
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Mar 31 08:40:49 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com> Wed Mar 31 08:40:49 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>

6
shim.spec
View File

@ -71,6 +71,10 @@ Patch2: shim-change-debug-file-path.patch
Patch3: shim-bsc1177315-verify-eku-codesign.patch Patch3: shim-bsc1177315-verify-eku-codesign.patch
# PATCH-FIX-UPSTREAM shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch bsc#1177789 glin@suse.com -- Fix the NULL pointer dereference in AuthenticodeVerify() # PATCH-FIX-UPSTREAM shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch bsc#1177789 glin@suse.com -- Fix the NULL pointer dereference in AuthenticodeVerify()
Patch4: shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch Patch4: shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch
# PATCH-FIX-SUSE remove_build_id.patch -- Remove the build ID to make the binary reproducible when building with AArch64 container
Patch5: remove_build_id.patch
# PATCH-FIX-UPSTREAM shim-bsc1184454-allocate-mok-config-table-BS.patch bsc#1184454 glin@suse.com -- Allocate MOK config table as BootServicesData to avoid the error message from linux kernel
Patch6: shim-bsc1184454-allocate-mok-config-table-BS.patch
BuildRequires: dos2unix BuildRequires: dos2unix
BuildRequires: mozilla-nss-tools BuildRequires: mozilla-nss-tools
BuildRequires: openssl >= 0.9.8 BuildRequires: openssl >= 0.9.8
@ -114,6 +118,8 @@ The source code of UEFI shim loader
%patch2 -p1 %patch2 -p1
%patch3 -p1 %patch3 -p1
%patch4 -p1 %patch4 -p1
%patch5 -p1
%patch6 -p1
%build %build
# generate the vendor SBAT metadata # generate the vendor SBAT metadata