Accepting request 882314 from home:gary_lin:branches:devel:openSUSE:Factory
Update to 15.4 (bsc#1182057) OBS-URL: https://build.opensuse.org/request/show/882314 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=176
This commit is contained in:
parent
bbfcbff67b
commit
1354ba095a
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:df76c9b68cf6e6d9c024059b5335701441c366cdcced2ae21e115f3901cb8333
|
||||
size 1260580
|
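--- /dev/null
+++ b/shim-15.4.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8344473dd10569588b8238a4656b8fab226714eea9f5363f8c410aa8a5090297
+size 1260475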
@ -1,346 +0,0 @@
|
||||
From 08a0ce01dbe9945287f37a9b139b25f46c53f878 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
|
||||
Date: Fri, 26 Mar 2021 21:19:14 -0700
|
||||
Subject: [PATCH 1/3] Move the check for the SBAT variable properties to its
|
||||
own function.
|
||||
|
||||
This moves the check for the SBAT variable's attributes and contents
|
||||
into its own function, so that test cases can be written against it.
|
||||
|
||||
Signed-off-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
|
||||
---
|
||||
include/sbat.h | 1 +
|
||||
sbat.c | 13 +++++++++----
|
||||
2 files changed, 10 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/include/sbat.h b/include/sbat.h
|
||||
index 5db82379..656bf8d7 100644
|
||||
--- a/include/sbat.h
|
||||
+++ b/include/sbat.h
|
||||
@@ -51,6 +51,7 @@ extern list_t sbat_var;
|
||||
EFI_STATUS parse_sbat_var(list_t *entries);
|
||||
void cleanup_sbat_var(list_t *entries);
|
||||
EFI_STATUS set_sbat_uefi_variable(void);
|
||||
+bool preserve_sbat_uefi_variable(UINT8 *sbat, UINTN sbatsize, UINT32 attributes);
|
||||
|
||||
struct sbat_section_entry {
|
||||
const CHAR8 *component_name;
|
||||
diff --git a/sbat.c b/sbat.c
|
||||
index 89c08417..7bd0e4ec 100644
|
||||
--- a/sbat.c
|
||||
+++ b/sbat.c
|
||||
@@ -304,6 +304,14 @@ check_sbat_var_attributes(UINT32 attributes)
|
||||
#endif
|
||||
}
|
||||
|
||||
+bool
|
||||
+preserve_sbat_uefi_variable(UINT8 *sbat, UINTN sbatsize, UINT32 attributes)
|
||||
+{
|
||||
+ return check_sbat_var_attributes(attributes) &&
|
||||
+ sbatsize >= strlen(SBAT_VAR_SIG "1") &&
|
||||
+ strncmp((const char *)sbat, SBAT_VAR_SIG, strlen(SBAT_VAR_SIG));
|
||||
+}
|
||||
+
|
||||
EFI_STATUS
|
||||
set_sbat_uefi_variable(void)
|
||||
{
|
||||
@@ -323,10 +331,7 @@ set_sbat_uefi_variable(void)
|
||||
*/
|
||||
if (EFI_ERROR(efi_status)) {
|
||||
dprint(L"SBAT read failed %r\n", efi_status);
|
||||
- } else if (check_sbat_var_attributes(attributes) &&
|
||||
- sbatsize >= strlen(SBAT_VAR_SIG "1") &&
|
||||
- strncmp((const char *)sbat, SBAT_VAR_SIG,
|
||||
- strlen(SBAT_VAR_SIG))) {
|
||||
+ } else if (preserve_sbat_uefi_variable(sbat, sbatsize, attributes)) {
|
||||
dprint("SBAT variable is %d bytes, attributes are 0x%08x\n",
|
||||
sbatsize, attributes);
|
||||
FreePool(sbat);
|
||||
--
|
||||
2.29.2
|
||||
|
||||
|
||||
From ca034e15aa15aa43c78ff6203feec8423b814047 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
|
||||
Date: Fri, 26 Mar 2021 21:19:14 -0700
|
||||
Subject: [PATCH 2/3] Fix SBAT variable content validation.
|
||||
|
||||
Currently, the check for the contents of the SBAT variable has an
|
||||
inverted strncmp() test, causing it to delete the variable
|
||||
inappropriately.
|
||||
|
||||
This patch fixes that check, preventing shim from always stepping on the
|
||||
sbat variable, and adds test cases to validate the correct logic.
|
||||
|
||||
Signed-off-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
|
||||
---
|
||||
sbat.c | 2 +-
|
||||
test-sbat.c | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
2 files changed, 58 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/sbat.c b/sbat.c
|
||||
index 7bd0e4ec..4d6ddd22 100644
|
||||
--- a/sbat.c
|
||||
+++ b/sbat.c
|
||||
@@ -309,7 +309,7 @@ preserve_sbat_uefi_variable(UINT8 *sbat, UINTN sbatsize, UINT32 attributes)
|
||||
{
|
||||
return check_sbat_var_attributes(attributes) &&
|
||||
sbatsize >= strlen(SBAT_VAR_SIG "1") &&
|
||||
- strncmp((const char *)sbat, SBAT_VAR_SIG, strlen(SBAT_VAR_SIG));
|
||||
+ !strncmp((const char *)sbat, SBAT_VAR_SIG, strlen(SBAT_VAR_SIG));
|
||||
}
|
||||
|
||||
EFI_STATUS
|
||||
diff --git a/test-sbat.c b/test-sbat.c
|
||||
index 780e5cbe..8b94ecf0 100644
|
||||
--- a/test-sbat.c
|
||||
+++ b/test-sbat.c
|
||||
@@ -952,6 +952,58 @@ test_parse_and_verify(void)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+int
|
||||
+test_preserve_sbat_uefi_variable_good(void)
|
||||
+{
|
||||
+ char sbat[] = "sbat,1,\ncomponent,2,\n";
|
||||
+ size_t sbat_size = sizeof(sbat);
|
||||
+ UINT32 attributes = SBAT_VAR_ATTRS;
|
||||
+
|
||||
+ if (preserve_sbat_uefi_variable(sbat, sbat_size, attributes))
|
||||
+ return 0;
|
||||
+ else
|
||||
+ return -1;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+test_preserve_sbat_uefi_variable_bad_sig(void)
|
||||
+{
|
||||
+ char sbat[] = "bad_sig,1,\ncomponent,2,\n";
|
||||
+ size_t sbat_size = sizeof(sbat);
|
||||
+ UINT32 attributes = SBAT_VAR_ATTRS;
|
||||
+
|
||||
+ if (preserve_sbat_uefi_variable(sbat, sbat_size, attributes))
|
||||
+ return -1;
|
||||
+ else
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+test_preserve_sbat_uefi_variable_bad_attr(void)
|
||||
+{
|
||||
+ char sbat[] = "sbat,1,\ncomponent,2,\n";
|
||||
+ size_t sbat_size = sizeof(sbat);
|
||||
+ UINT32 attributes = 0;
|
||||
+
|
||||
+ if (preserve_sbat_uefi_variable(sbat, sbat_size, attributes))
|
||||
+ return -1;
|
||||
+ else
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+int
|
||||
+test_preserve_sbat_uefi_variable_bad_short(void)
|
||||
+{
|
||||
+ char sbat[] = "sba";
|
||||
+ size_t sbat_size = sizeof(sbat);
|
||||
+ UINT32 attributes = SBAT_VAR_ATTRS;
|
||||
+
|
||||
+ if (preserve_sbat_uefi_variable(sbat, sbat_size, attributes))
|
||||
+ return -1;
|
||||
+ else
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
int
|
||||
main(void)
|
||||
{
|
||||
@@ -989,6 +1041,11 @@ main(void)
|
||||
#endif
|
||||
test(test_parse_and_verify);
|
||||
|
||||
+ test(test_preserve_sbat_uefi_variable_good);
|
||||
+ test(test_preserve_sbat_uefi_variable_bad_sig);
|
||||
+ test(test_preserve_sbat_uefi_variable_bad_attr);
|
||||
+ test(test_preserve_sbat_uefi_variable_bad_short);
|
||||
+
|
||||
return 0;
|
||||
}
|
||||
|
||||
--
|
||||
2.29.2
|
||||
|
||||
|
||||
From 27da4170f0fb30acde91a37e0256dfcfe76ea69e Mon Sep 17 00:00:00 2001
|
||||
From: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
|
||||
Date: Sat, 27 Mar 2021 11:09:52 -0700
|
||||
Subject: [PATCH 3/3] Change SBAT variable name to SbatLevel
|
||||
|
||||
Because a few shim builds were signed that did not properly initialize
|
||||
the SBAT variable, and in doing so deleted valid SBAT variables, we need
|
||||
to use a different name.
|
||||
|
||||
This changes the name from "SBAT" to "SbatLevel".
|
||||
|
||||
Signed-off-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
|
||||
---
|
||||
include/sbat.h | 16 ++++++++--------
|
||||
sbat.c | 26 ++++++++++++++------------
|
||||
shim.c | 12 ++++++------
|
||||
3 files changed, 28 insertions(+), 26 deletions(-)
|
||||
|
||||
diff --git a/include/sbat.h b/include/sbat.h
|
||||
index 656bf8d7..8551b74a 100644
|
||||
--- a/include/sbat.h
|
||||
+++ b/include/sbat.h
|
||||
@@ -20,16 +20,16 @@
|
||||
(UEFI_VAR_NV_BS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)
|
||||
|
||||
#if defined(ENABLE_SHIM_DEVEL)
|
||||
-#define SBAT_VAR_NAME L"SBAT_DEVEL"
|
||||
-#define SBAT_VAR_NAME8 "SBAT_DEVEL"
|
||||
-#define SBAT_RT_VAR_NAME L"SbatRT_DEVEL"
|
||||
-#define SBAT_RT_VAR_NAME8 "SbatRT_DEVEL"
|
||||
+#define SBAT_VAR_NAME L"SbatLevel_DEVEL"
|
||||
+#define SBAT_VAR_NAME8 "SbatLevel_DEVEL"
|
||||
+#define SBAT_RT_VAR_NAME L"SbatLevelRT_DEVEL"
|
||||
+#define SBAT_RT_VAR_NAME8 "SbatLevelRT_DEVEL"
|
||||
#define SBAT_VAR_ATTRS UEFI_VAR_NV_BS_RT
|
||||
#else
|
||||
-#define SBAT_VAR_NAME L"SBAT"
|
||||
-#define SBAT_VAR_NAME8 "SBAT"
|
||||
-#define SBAT_RT_VAR_NAME L"SbatRT"
|
||||
-#define SBAT_RT_VAR_NAME8 "SbatRT"
|
||||
+#define SBAT_VAR_NAME L"SbatLevel"
|
||||
+#define SBAT_VAR_NAME8 "SbatLevel"
|
||||
+#define SBAT_RT_VAR_NAME L"SbatLevelRT"
|
||||
+#define SBAT_RT_VAR_NAME8 "SbatLevelRT"
|
||||
#define SBAT_VAR_ATTRS UEFI_VAR_NV_BS
|
||||
#endif
|
||||
|
||||
diff --git a/sbat.c b/sbat.c
|
||||
index 4d6ddd22..5821475b 100644
|
||||
--- a/sbat.c
|
||||
+++ b/sbat.c
|
||||
@@ -120,8 +120,8 @@ verify_single_entry(struct sbat_section_entry *entry, struct sbat_var_entry *sba
|
||||
sbat_var_gen = atoi((const char *)sbat_var_entry->component_generation);
|
||||
|
||||
if (sbat_gen < sbat_var_gen) {
|
||||
- dprint(L"component %a, generation %d, was revoked by SBAT variable",
|
||||
- entry->component_name, sbat_gen);
|
||||
+ dprint(L"component %a, generation %d, was revoked by %s variable",
|
||||
+ entry->component_name, sbat_gen, SBAT_VAR_NAME);
|
||||
LogError(L"image did not pass SBAT verification\n");
|
||||
return EFI_SECURITY_VIOLATION;
|
||||
}
|
||||
@@ -157,7 +157,7 @@ verify_sbat_helper(list_t *local_sbat_var, size_t n, struct sbat_section_entry *
|
||||
struct sbat_var_entry *sbat_var_entry;
|
||||
|
||||
if (list_empty(local_sbat_var)) {
|
||||
- dprint(L"SBAT variable not present\n");
|
||||
+ dprint(L"%s variable not present\n", SBAT_VAR_NAME);
|
||||
return EFI_SUCCESS;
|
||||
}
|
||||
|
||||
@@ -324,16 +324,16 @@ set_sbat_uefi_variable(void)
|
||||
efi_status = get_variable_attr(SBAT_VAR_NAME, &sbat, &sbatsize,
|
||||
SHIM_LOCK_GUID, &attributes);
|
||||
/*
|
||||
- * Always set the SBAT UEFI variable if it fails to read.
|
||||
+ * Always set the SbatLevel UEFI variable if it fails to read.
|
||||
*
|
||||
- * Don't try to set the SBAT UEFI variable if attributes match and
|
||||
- * the signature matches.
|
||||
+ * Don't try to set the SbatLevel UEFI variable if attributes match
|
||||
+ * and the signature matches.
|
||||
*/
|
||||
if (EFI_ERROR(efi_status)) {
|
||||
dprint(L"SBAT read failed %r\n", efi_status);
|
||||
} else if (preserve_sbat_uefi_variable(sbat, sbatsize, attributes)) {
|
||||
- dprint("SBAT variable is %d bytes, attributes are 0x%08x\n",
|
||||
- sbatsize, attributes);
|
||||
+ dprint(L"%s variable is %d bytes, attributes are 0x%08x\n",
|
||||
+ SBAT_VAR_NAME, sbatsize, attributes);
|
||||
FreePool(sbat);
|
||||
return EFI_SUCCESS;
|
||||
} else {
|
||||
@@ -346,7 +346,8 @@ set_sbat_uefi_variable(void)
|
||||
efi_status = set_variable(SBAT_VAR_NAME, SHIM_LOCK_GUID,
|
||||
attributes, 0, "");
|
||||
if (EFI_ERROR(efi_status)) {
|
||||
- dprint(L"SBAT variable delete failed %r\n", efi_status);
|
||||
+ dprint(L"%s variable delete failed %r\n", SBAT_VAR_NAME,
|
||||
+ efi_status);
|
||||
return efi_status;
|
||||
}
|
||||
}
|
||||
@@ -355,7 +356,8 @@ set_sbat_uefi_variable(void)
|
||||
efi_status = set_variable(SBAT_VAR_NAME, SHIM_LOCK_GUID, SBAT_VAR_ATTRS,
|
||||
sizeof(SBAT_VAR)-1, SBAT_VAR);
|
||||
if (EFI_ERROR(efi_status)) {
|
||||
- dprint(L"SBAT variable writing failed %r\n", efi_status);
|
||||
+ dprint(L"%s variable writing failed %r\n", SBAT_VAR_NAME,
|
||||
+ efi_status);
|
||||
return efi_status;
|
||||
}
|
||||
|
||||
@@ -363,7 +365,7 @@ set_sbat_uefi_variable(void)
|
||||
efi_status = get_variable(SBAT_VAR_NAME, &sbat, &sbatsize,
|
||||
SHIM_LOCK_GUID);
|
||||
if (EFI_ERROR(efi_status)) {
|
||||
- dprint(L"SBAT read failed %r\n", efi_status);
|
||||
+ dprint(L"%s read failed %r\n", SBAT_VAR_NAME, efi_status);
|
||||
return efi_status;
|
||||
}
|
||||
|
||||
@@ -373,7 +375,7 @@ set_sbat_uefi_variable(void)
|
||||
strlen(SBAT_VAR));
|
||||
efi_status = EFI_INVALID_PARAMETER;
|
||||
} else {
|
||||
- dprint(L"SBAT variable initialization succeeded\n");
|
||||
+ dprint(L"%s variable initialization succeeded\n", SBAT_VAR_NAME);
|
||||
}
|
||||
|
||||
FreePool(sbat);
|
||||
diff --git a/shim.c b/shim.c
|
||||
index 117c8f42..5bed2446 100644
|
||||
--- a/shim.c
|
||||
+++ b/shim.c
|
||||
@@ -1895,7 +1895,7 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
|
||||
L"shim_init() failed",
|
||||
L"import of SBAT data failed",
|
||||
L"SBAT self-check failed",
|
||||
- L"SBAT UEFI variable setting failed",
|
||||
+ SBAT_VAR_NAME L" UEFI variable setting failed",
|
||||
NULL
|
||||
};
|
||||
enum {
|
||||
@@ -1935,12 +1935,12 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
|
||||
|
||||
efi_status = set_sbat_uefi_variable();
|
||||
if (EFI_ERROR(efi_status) && secure_mode()) {
|
||||
- perror(L"SBAT variable initialization failed\n");
|
||||
+ perror(L"%s variable initialization failed\n", SBAT_VAR_NAME);
|
||||
msg = SET_SBAT;
|
||||
goto die;
|
||||
} else if (EFI_ERROR(efi_status)) {
|
||||
- dprint(L"SBAT variable initialization failed: %r\n",
|
||||
- efi_status);
|
||||
+ dprint(L"%s variable initialization failed: %r\n",
|
||||
+ SBAT_VAR_NAME, efi_status);
|
||||
}
|
||||
|
||||
if (secure_mode()) {
|
||||
@@ -1950,8 +1950,8 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
|
||||
INIT_LIST_HEAD(&sbat_var);
|
||||
efi_status = parse_sbat_var(&sbat_var);
|
||||
if (EFI_ERROR(efi_status)) {
|
||||
- perror(L"Parsing SBAT variable failed: %r\n",
|
||||
- efi_status);
|
||||
+ perror(L"Parsing %s variable failed: %r\n",
|
||||
+ SBAT_VAR_NAME, efi_status);
|
||||
msg = IMPORT_SBAT;
|
||||
goto die;
|
||||
}
|
||||
--
|
||||
2.29.2
|
||||
|
11
shim.changes
11
shim.changes
@ -1,3 +1,14 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Mar 31 08:40:49 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
|
||||
|
||||
- Update to 15.4 (bsc#1182057)
|
||||
+ Rename the SBAT variable and fix the self-check of SBAT
|
||||
+ sbat: add more dprint()
|
||||
+ arm/aa64: Swizzle some sections to make old sbsign happier
|
||||
+ arm/aa64 targets: put .rel* and .dyn* in .rodata
|
||||
- Drop upstreamed patch:
|
||||
+ shim-bsc1182057-sbat-variable-enhancement.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Mar 29 07:18:20 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
|
||||
|
||||
|
@ -36,7 +36,7 @@
|
||||
%endif
|
||||
|
||||
Name: shim
|
||||
Version: 15.3
|
||||
Version: 15.4
|
||||
Release: 0
|
||||
Summary: UEFI shim loader
|
||||
License: BSD-2-Clause
|
||||
@ -71,8 +71,6 @@ Patch2: shim-change-debug-file-path.patch
|
||||
Patch3: shim-bsc1177315-verify-eku-codesign.patch
|
||||
# PATCH-FIX-UPSTREAM shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch bsc#1177789 glin@suse.com -- Fix the NULL pointer dereference in AuthenticodeVerify()
|
||||
Patch4: shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch
|
||||
# PATCH-FIX-UPSTREAM shim-bsc1182057-sbat-variable-enhancement.patch bsc#1182057 glin@suse.com -- SBAT variable name changing and enhancement
|
||||
Patch5: shim-bsc1182057-sbat-variable-enhancement.patch
|
||||
BuildRequires: dos2unix
|
||||
BuildRequires: mozilla-nss-tools
|
||||
BuildRequires: openssl >= 0.9.8
|
||||
@ -116,7 +114,6 @@ The source code of UEFI shim loader
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
|
||||
%build
|
||||
# generate the vendor SBAT metadata
|
||||
|