Accepting request 882314 from home:gary_lin:branches:devel:openSUSE:Factory

Update to 15.4 (bsc#1182057)

OBS-URL: https://build.opensuse.org/request/show/882314
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=176

shim-15.3.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:df76c9b68cf6e6d9c024059b5335701441c366cdcced2ae21e115f3901cb8333
-size 1260580

shim-15.4.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8344473dd10569588b8238a4656b8fab226714eea9f5363f8c410aa8a5090297
+size 1260475

shim-bsc1182057-sbat-variable-enhancement.patch

@@ -1,346 +0,0 @@
-From 08a0ce01dbe9945287f37a9b139b25f46c53f878 Mon Sep 17 00:00:00 2001
-From: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
-Date: Fri, 26 Mar 2021 21:19:14 -0700
-Subject: [PATCH 1/3] Move the check for the SBAT variable properties to its
- own function.
-
-This moves the check for the SBAT variable's attributes and contents
-into its own function, so that test cases can be written against it.
-
-Signed-off-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
----
- include/sbat.h |  1 +
- sbat.c         | 13 +++++++++----
- 2 files changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/include/sbat.h b/include/sbat.h
-index 5db82379..656bf8d7 100644
---- a/include/sbat.h
-+++ b/include/sbat.h
-@@ -51,6 +51,7 @@ extern list_t sbat_var;
- EFI_STATUS parse_sbat_var(list_t *entries);
- void cleanup_sbat_var(list_t *entries);
- EFI_STATUS set_sbat_uefi_variable(void);
-+bool preserve_sbat_uefi_variable(UINT8 *sbat, UINTN sbatsize, UINT32 attributes);
- 
- struct sbat_section_entry {
- 	const CHAR8 *component_name;
-diff --git a/sbat.c b/sbat.c
-index 89c08417..7bd0e4ec 100644
---- a/sbat.c
-+++ b/sbat.c
-@@ -304,6 +304,14 @@ check_sbat_var_attributes(UINT32 attributes)
- #endif
- }
- 
-+bool
-+preserve_sbat_uefi_variable(UINT8 *sbat, UINTN sbatsize, UINT32 attributes)
-+{
-+	return check_sbat_var_attributes(attributes) &&
-+	       sbatsize >= strlen(SBAT_VAR_SIG "1") &&
-+	       strncmp((const char *)sbat, SBAT_VAR_SIG, strlen(SBAT_VAR_SIG));
-+}
-+
- EFI_STATUS
- set_sbat_uefi_variable(void)
- {
-@@ -323,10 +331,7 @@ set_sbat_uefi_variable(void)
- 	 */
- 	if (EFI_ERROR(efi_status)) {
- 		dprint(L"SBAT read failed %r\n", efi_status);
--	} else if (check_sbat_var_attributes(attributes) &&
--		   sbatsize >= strlen(SBAT_VAR_SIG "1") &&
--		   strncmp((const char *)sbat, SBAT_VAR_SIG,
--	                   strlen(SBAT_VAR_SIG))) {
-+	} else if (preserve_sbat_uefi_variable(sbat, sbatsize, attributes)) {
- 		dprint("SBAT variable is %d bytes, attributes are 0x%08x\n",
- 		       sbatsize, attributes);
- 		FreePool(sbat);
--- 
-2.29.2
-
-
-From ca034e15aa15aa43c78ff6203feec8423b814047 Mon Sep 17 00:00:00 2001
-From: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
-Date: Fri, 26 Mar 2021 21:19:14 -0700
-Subject: [PATCH 2/3] Fix SBAT variable content validation.
-
-Currently, the check for the contents of the SBAT variable has an
-inverted strncmp() test, causing it to delete the variable
-inappropriately.
-
-This patch fixes that check, preventing shim from always stepping on the
-sbat variable, and adds test cases to validate the correct logic.
-
-Signed-off-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
----
- sbat.c      |  2 +-
- test-sbat.c | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 58 insertions(+), 1 deletion(-)
-
-diff --git a/sbat.c b/sbat.c
-index 7bd0e4ec..4d6ddd22 100644
---- a/sbat.c
-+++ b/sbat.c
-@@ -309,7 +309,7 @@ preserve_sbat_uefi_variable(UINT8 *sbat, UINTN sbatsize, UINT32 attributes)
- {
- 	return check_sbat_var_attributes(attributes) &&
- 	       sbatsize >= strlen(SBAT_VAR_SIG "1") &&
--	       strncmp((const char *)sbat, SBAT_VAR_SIG, strlen(SBAT_VAR_SIG));
-+	       !strncmp((const char *)sbat, SBAT_VAR_SIG, strlen(SBAT_VAR_SIG));
- }
- 
- EFI_STATUS
-diff --git a/test-sbat.c b/test-sbat.c
-index 780e5cbe..8b94ecf0 100644
---- a/test-sbat.c
-+++ b/test-sbat.c
-@@ -952,6 +952,58 @@ test_parse_and_verify(void)
- 	return 0;
- }
- 
-+int
-+test_preserve_sbat_uefi_variable_good(void)
-+{
-+	char sbat[] = "sbat,1,\ncomponent,2,\n";
-+	size_t sbat_size = sizeof(sbat);
-+	UINT32 attributes = SBAT_VAR_ATTRS;
-+
-+	if (preserve_sbat_uefi_variable(sbat, sbat_size, attributes))
-+		return 0;
-+	else
-+		return -1;
-+}
-+
-+int
-+test_preserve_sbat_uefi_variable_bad_sig(void)
-+{
-+	char sbat[] = "bad_sig,1,\ncomponent,2,\n";
-+	size_t sbat_size = sizeof(sbat);
-+	UINT32 attributes = SBAT_VAR_ATTRS;
-+
-+	if (preserve_sbat_uefi_variable(sbat, sbat_size, attributes))
-+		return -1;
-+	else
-+		return 0;
-+}
-+
-+int
-+test_preserve_sbat_uefi_variable_bad_attr(void)
-+{
-+	char sbat[] = "sbat,1,\ncomponent,2,\n";
-+	size_t sbat_size = sizeof(sbat);
-+	UINT32 attributes = 0;
-+
-+	if (preserve_sbat_uefi_variable(sbat, sbat_size, attributes))
-+		return -1;
-+	else
-+		return 0;
-+}
-+
-+int
-+test_preserve_sbat_uefi_variable_bad_short(void)
-+{
-+	char sbat[] = "sba";
-+	size_t sbat_size = sizeof(sbat);
-+	UINT32 attributes = SBAT_VAR_ATTRS;
-+
-+	if (preserve_sbat_uefi_variable(sbat, sbat_size, attributes))
-+		return -1;
-+	else
-+		return 0;
-+}
-+
- int
- main(void)
- {
-@@ -989,6 +1041,11 @@ main(void)
- #endif
- 	test(test_parse_and_verify);
- 
-+	test(test_preserve_sbat_uefi_variable_good);
-+	test(test_preserve_sbat_uefi_variable_bad_sig);
-+	test(test_preserve_sbat_uefi_variable_bad_attr);
-+	test(test_preserve_sbat_uefi_variable_bad_short);
-+
- 	return 0;
- }
- 
--- 
-2.29.2
-
-
-From 27da4170f0fb30acde91a37e0256dfcfe76ea69e Mon Sep 17 00:00:00 2001
-From: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
-Date: Sat, 27 Mar 2021 11:09:52 -0700
-Subject: [PATCH 3/3] Change SBAT variable name to SbatLevel
-
-Because a few shim builds were signed that did not properly initialize
-the SBAT variable, and in doing so deleted valid SBAT variables, we need
-to use a different name.
-
-This changes the name from "SBAT" to "SbatLevel".
-
-Signed-off-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
----
- include/sbat.h | 16 ++++++++--------
- sbat.c         | 26 ++++++++++++++------------
- shim.c         | 12 ++++++------
- 3 files changed, 28 insertions(+), 26 deletions(-)
-
-diff --git a/include/sbat.h b/include/sbat.h
-index 656bf8d7..8551b74a 100644
---- a/include/sbat.h
-+++ b/include/sbat.h
-@@ -20,16 +20,16 @@
- 	(UEFI_VAR_NV_BS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)
- 
- #if defined(ENABLE_SHIM_DEVEL)
--#define SBAT_VAR_NAME L"SBAT_DEVEL"
--#define SBAT_VAR_NAME8 "SBAT_DEVEL"
--#define SBAT_RT_VAR_NAME L"SbatRT_DEVEL"
--#define SBAT_RT_VAR_NAME8 "SbatRT_DEVEL"
-+#define SBAT_VAR_NAME L"SbatLevel_DEVEL"
-+#define SBAT_VAR_NAME8 "SbatLevel_DEVEL"
-+#define SBAT_RT_VAR_NAME L"SbatLevelRT_DEVEL"
-+#define SBAT_RT_VAR_NAME8 "SbatLevelRT_DEVEL"
- #define SBAT_VAR_ATTRS UEFI_VAR_NV_BS_RT
- #else
--#define SBAT_VAR_NAME L"SBAT"
--#define SBAT_VAR_NAME8 "SBAT"
--#define SBAT_RT_VAR_NAME L"SbatRT"
--#define SBAT_RT_VAR_NAME8 "SbatRT"
-+#define SBAT_VAR_NAME L"SbatLevel"
-+#define SBAT_VAR_NAME8 "SbatLevel"
-+#define SBAT_RT_VAR_NAME L"SbatLevelRT"
-+#define SBAT_RT_VAR_NAME8 "SbatLevelRT"
- #define SBAT_VAR_ATTRS UEFI_VAR_NV_BS
- #endif
- 
-diff --git a/sbat.c b/sbat.c
-index 4d6ddd22..5821475b 100644
---- a/sbat.c
-+++ b/sbat.c
-@@ -120,8 +120,8 @@ verify_single_entry(struct sbat_section_entry *entry, struct sbat_var_entry *sba
- 		sbat_var_gen = atoi((const char *)sbat_var_entry->component_generation);
- 
- 		if (sbat_gen < sbat_var_gen) {
--			dprint(L"component %a, generation %d, was revoked by SBAT variable",
--			       entry->component_name, sbat_gen);
-+			dprint(L"component %a, generation %d, was revoked by %s variable",
-+			       entry->component_name, sbat_gen, SBAT_VAR_NAME);
- 			LogError(L"image did not pass SBAT verification\n");
- 			return EFI_SECURITY_VIOLATION;
- 		}
-@@ -157,7 +157,7 @@ verify_sbat_helper(list_t *local_sbat_var, size_t n, struct sbat_section_entry *
- 	struct sbat_var_entry *sbat_var_entry;
- 
- 	if (list_empty(local_sbat_var)) {
--		dprint(L"SBAT variable not present\n");
-+		dprint(L"%s variable not present\n", SBAT_VAR_NAME);
- 		return EFI_SUCCESS;
- 	}
- 
-@@ -324,16 +324,16 @@ set_sbat_uefi_variable(void)
- 	efi_status = get_variable_attr(SBAT_VAR_NAME, &sbat, &sbatsize,
- 				       SHIM_LOCK_GUID, &attributes);
- 	/*
--	 * Always set the SBAT UEFI variable if it fails to read.
-+	 * Always set the SbatLevel UEFI variable if it fails to read.
- 	 *
--	 * Don't try to set the SBAT UEFI variable if attributes match and
--	 * the signature matches.
-+	 * Don't try to set the SbatLevel UEFI variable if attributes match
-+	 * and the signature matches.
- 	 */
- 	if (EFI_ERROR(efi_status)) {
- 		dprint(L"SBAT read failed %r\n", efi_status);
- 	} else if (preserve_sbat_uefi_variable(sbat, sbatsize, attributes)) {
--		dprint("SBAT variable is %d bytes, attributes are 0x%08x\n",
--		       sbatsize, attributes);
-+		dprint(L"%s variable is %d bytes, attributes are 0x%08x\n",
-+		       SBAT_VAR_NAME, sbatsize, attributes);
- 		FreePool(sbat);
- 		return EFI_SUCCESS;
- 	} else {
-@@ -346,7 +346,8 @@ set_sbat_uefi_variable(void)
- 		efi_status = set_variable(SBAT_VAR_NAME, SHIM_LOCK_GUID,
- 		                          attributes, 0, "");
- 		if (EFI_ERROR(efi_status)) {
--			dprint(L"SBAT variable delete failed %r\n", efi_status);
-+			dprint(L"%s variable delete failed %r\n", SBAT_VAR_NAME,
-+					efi_status);
- 			return efi_status;
- 		}
- 	}
-@@ -355,7 +356,8 @@ set_sbat_uefi_variable(void)
- 	efi_status = set_variable(SBAT_VAR_NAME, SHIM_LOCK_GUID, SBAT_VAR_ATTRS,
- 	                          sizeof(SBAT_VAR)-1, SBAT_VAR);
- 	if (EFI_ERROR(efi_status)) {
--		dprint(L"SBAT variable writing failed %r\n", efi_status);
-+		dprint(L"%s variable writing failed %r\n", SBAT_VAR_NAME,
-+				efi_status);
- 		return efi_status;
- 	}
- 
-@@ -363,7 +365,7 @@ set_sbat_uefi_variable(void)
- 	efi_status = get_variable(SBAT_VAR_NAME, &sbat, &sbatsize,
- 				  SHIM_LOCK_GUID);
- 	if (EFI_ERROR(efi_status)) {
--		dprint(L"SBAT read failed %r\n", efi_status);
-+		dprint(L"%s read failed %r\n", SBAT_VAR_NAME, efi_status);
- 		return efi_status;
- 	}
- 
-@@ -373,7 +375,7 @@ set_sbat_uefi_variable(void)
- 		       strlen(SBAT_VAR));
- 		efi_status = EFI_INVALID_PARAMETER;
- 	} else {
--		dprint(L"SBAT variable initialization succeeded\n");
-+		dprint(L"%s variable initialization succeeded\n", SBAT_VAR_NAME);
- 	}
- 
- 	FreePool(sbat);
-diff --git a/shim.c b/shim.c
-index 117c8f42..5bed2446 100644
---- a/shim.c
-+++ b/shim.c
-@@ -1895,7 +1895,7 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
- 		L"shim_init() failed",
- 		L"import of SBAT data failed",
- 		L"SBAT self-check failed",
--		L"SBAT UEFI variable setting failed",
-+		SBAT_VAR_NAME L" UEFI variable setting failed",
- 		NULL
- 	};
- 	enum {
-@@ -1935,12 +1935,12 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
- 
- 	efi_status = set_sbat_uefi_variable();
- 	if (EFI_ERROR(efi_status) && secure_mode()) {
--		perror(L"SBAT variable initialization failed\n");
-+		perror(L"%s variable initialization failed\n", SBAT_VAR_NAME);
- 		msg = SET_SBAT;
- 		goto die;
- 	} else if (EFI_ERROR(efi_status)) {
--		dprint(L"SBAT variable initialization failed: %r\n",
--		       efi_status);
-+		dprint(L"%s variable initialization failed: %r\n",
-+		       SBAT_VAR_NAME, efi_status);
- 	}
- 
- 	if (secure_mode()) {
-@@ -1950,8 +1950,8 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
- 		INIT_LIST_HEAD(&sbat_var);
- 		efi_status = parse_sbat_var(&sbat_var);
- 		if (EFI_ERROR(efi_status)) {
--			perror(L"Parsing SBAT variable failed: %r\n",
--				efi_status);
-+			perror(L"Parsing %s variable failed: %r\n",
-+				SBAT_VAR_NAME, efi_status);
- 			msg = IMPORT_SBAT;
- 			goto die;
- 		}
--- 
-2.29.2
-

shim.changes

@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Wed Mar 31 08:40:49 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Update to 15.4 (bsc#1182057)
+  + Rename the SBAT variable and fix the self-check of SBAT
+  + sbat: add more dprint()
+  + arm/aa64: Swizzle some sections to make old sbsign happier
+  + arm/aa64 targets: put .rel* and .dyn* in .rodata
+- Drop upstreamed patch:
+  + shim-bsc1182057-sbat-variable-enhancement.patch
+
 -------------------------------------------------------------------
 Mon Mar 29 07:18:20 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
 

shim.spec

@@ -36,7 +36,7 @@
 %endif
 
 Name:           shim
-Version:        15.3
+Version:        15.4
 Release:        0
 Summary:        UEFI shim loader
 License:        BSD-2-Clause
@@ -71,8 +71,6 @@ Patch2:         shim-change-debug-file-path.patch
 Patch3:         shim-bsc1177315-verify-eku-codesign.patch
 # PATCH-FIX-UPSTREAM shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch bsc#1177789 glin@suse.com -- Fix the NULL pointer dereference in AuthenticodeVerify()
 Patch4:         shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch
-# PATCH-FIX-UPSTREAM shim-bsc1182057-sbat-variable-enhancement.patch bsc#1182057 glin@suse.com -- SBAT variable name changing and enhancement
-Patch5:         shim-bsc1182057-sbat-variable-enhancement.patch
 BuildRequires:  dos2unix
 BuildRequires:  mozilla-nss-tools
 BuildRequires:  openssl >= 0.9.8
@@ -116,7 +114,6 @@ The source code of UEFI shim loader
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
-%patch5 -p1
 
 %build
 # generate the vendor SBAT metadata