Accepting request 903340 from devel:openSUSE:Factory

OBS-URL: https://build.opensuse.org/request/show/903340
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shim?expand=0&rev=99

shim-bsc1187696-avoid-deleting-rt-variables.patch

@@ -0,0 +1,41 @@
+From 14f6e10b8272ce34d3c373e000c583e5345b526b Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Wed, 30 Jun 2021 16:34:51 +0800
+Subject: [PATCH] mok: delete the existing RT variables only when
+ only_first=TRUE
+
+For the firmware without the variable writing issues, MOK variables are
+mirrored when only_first=TRUE. However, LibDeleteVariable() was called
+in maybe_mirror_one_mok_variable() when only_first=FALSE, and this
+could delete MOK variables that were just mirrored in the first round.
+
+This bug was hidden since LibDeleteVariable() deletes BS+RT+NV variables
+while we mirror MOK variables as BS+RT, and the firmware refused to
+delete the mirrored MOK variable due to mismatching attributes. However,
+some firmwares, such as VMWare, didn't enforce the attribute check and
+just deleted the variables with matched name and GUID. In such system,
+MokListRT was always removed before it reached OS.
+
+Fixes: https://github.com/rhboot/shim/issues/386
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ mok.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mok.c b/mok.c
+index beac0ff6..5ea39d54 100644
+--- a/mok.c
++++ b/mok.c
+@@ -863,7 +863,7 @@ maybe_mirror_one_mok_variable(struct mok_state_variable *v,
+ 	BOOLEAN present = FALSE;
+ 
+ 	if (v->rtname) {
+-		if (!only_first && (v->flags & MOK_MIRROR_DELETE_FIRST)) {
++		if (only_first && (v->flags & MOK_MIRROR_DELETE_FIRST)) {
+ 			dprint(L"deleting \"%s\"\n", v->rtname);
+ 			efi_status = LibDeleteVariable(v->rtname, v->guid);
+ 			dprint(L"LibDeleteVariable(\"%s\",...) => %r\n", v->rtname, efi_status);
+-- 
+2.31.1
+

shim.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Jul  1 04:07:03 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Add shim-bsc1187696-avoid-deleting-rt-variables.patch to avoid
+  deleting the mirrored RT variables (bsc#1187696)
+
 -------------------------------------------------------------------
 Mon Jun 21 08:51:37 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
 

shim.spec

@@ -93,6 +93,8 @@ Patch12:        shim-disable-export-vendor-dbx.patch
 Patch13:        shim-bsc1187260-fix-efi-1.10-machines.patch
 # PATCH-FIX-UPSTREAM shim-bsc1185232-fix-config-table-copying.patch bsc#1185232 glin@suse.com -- Avoid buffer overflow when copying the MOK config table
 Patch14:        shim-bsc1185232-fix-config-table-copying.patch
+# PATCH-FIX-UPSTREAM shim-bsc1187696-avoid-deleting-rt-variables.patch bsc#1187696 glin@suse.com -- Avoid deleting the mirrored RT variables
+Patch15:        shim-bsc1187696-avoid-deleting-rt-variables.patch
 BuildRequires:  dos2unix
 BuildRequires:  mozilla-nss-tools
 BuildRequires:  openssl >= 0.9.8
@@ -145,6 +147,7 @@ The source code of UEFI shim loader
 %patch12 -p1
 %patch13 -p1
 %patch14 -p1
+%patch15 -p1
 
 %build
 # generate the vendor SBAT metadata