From 182fd24b7c2b9c258c820be218a948a9ab78d7d5d1dfe0d46aec221878c601fe Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin
Date: Thu, 1 Jul 2021 06:13:57 +0000
Subject: [PATCH] Accepting request 903339 from home:gary_lin:branches:devel:openSUSE:Factory

avoid deleting the mirrored RT variables (bsc#1187696)

OBS-URL: https://build.opensuse.org/request/show/903339
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=186
---
 ...c1187696-avoid-deleting-rt-variables.patch | 41 +++++++++++++++++++
 shim.changes | 6 +++
 shim.spec | 3 ++
 3 files changed, 50 insertions(+)
 create mode 100644 shim-bsc1187696-avoid-deleting-rt-variables.patch

diff --git a/shim-bsc1187696-avoid-deleting-rt-variables.patch b/shim-bsc1187696-avoid-deleting-rt-variables.patch
new file mode 100644
index 0000000..eef657b
--- /dev/null
+++ b/shim-bsc1187696-avoid-deleting-rt-variables.patch
@@ -0,0 +1,41 @@
+From 14f6e10b8272ce34d3c373e000c583e5345b526b Mon Sep 17 00:00:00 2001
+From: Gary Lin
+Date: Wed, 30 Jun 2021 16:34:51 +0800
+Subject: [PATCH] mok: delete the existing RT variables only when
+ only_first=TRUE
+
+For the firmware without the variable writing issues, MOK variables are
+mirrored when only_first=TRUE. However, LibDeleteVariable() was called
+in maybe_mirror_one_mok_variable() when only_first=FALSE, and this
+could delete MOK variables that were just mirrored in the first round.
+
+This bug was hidden since LibDeleteVariable() deletes BS+RT+NV variables
+while we mirror MOK variables as BS+RT, and the firmware refused to
+delete the mirrored MOK variable due to mismatching attributes. However,
+some firmwares, such as VMWare, didn't enforce the attribute check and
+just deleted the variables with matched name and GUID. In such system,
+MokListRT was always removed before it reached OS.
+
+Fixes: https://github.com/rhboot/shim/issues/386
+
+Signed-off-by: Gary Lin
+---
+ mok.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mok.c b/mok.c
+index beac0ff6..5ea39d54 100644
+--- a/mok.c
++++ b/mok.c
+@@ -863,7 +863,7 @@ maybe_mirror_one_mok_variable(struct mok_state_variable *v,
+ BOOLEAN present = FALSE;
+ 
+ if (v->rtname) {
+- if (!only_first && (v->flags & MOK_MIRROR_DELETE_FIRST)) {
++ if (only_first && (v->flags & MOK_MIRROR_DELETE_FIRST)) {
+ dprint(L"deleting \"%s\"\n", v->rtname);
+ efi_status = LibDeleteVariable(v->rtname, v->guid);
+ dprint(L"LibDeleteVariable(\"%s\",...) => %r\n", v->rtname, efi_status);
+-- 
+2.31.1
+
diff --git a/shim.changes b/shim.changes
index 7dba4ee..2f090d7 100644
--- a/shim.changes
+++ b/shim.changes
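Review bot: The corrected test `if (only_first && (v->flags & MOK_MIRROR_DELETE_FIRST))` still carries no comment saying why the delete belongs to the first pass only, which is how the inverted form survived unnoticed until a lax firmware exposed it; a one-line comment would stop someone "fixing" it back, e.g. `/* Drop the stale RT copy only on the first mirroring pass; the second pass runs after the variables were mirrored and must not remove them. */`. The patch description also states that LibDeleteVariable() requests BS+RT+NV while the mirrored variables are BS+RT, so on firmware that enforces attributes the delete presumably fails and that status is only dprint'd here — if tolerating any failure (not just EFI_NOT_FOUND) is intended, a short note at the dprint line saying so would help the next reader. maybe_mirror_one_mok_variable() starts and ends outside the hunk, so whether the mirroring write that follows depends on this delete having succeeded cannot be judged from what is shown.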
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Jul 1 04:07:03 UTC 2021 - Gary Ching-Pang Lin
+
+- Add shim-bsc1187696-avoid-deleting-rt-variables.patch to avoid
+ deleting the mirrored RT variables (bsc#1187696)
+
 -------------------------------------------------------------------
 Mon Jun 21 08:51:37 UTC 2021 - Gary Ching-Pang Lin
 
diff --git a/shim.spec b/shim.spec
index 475784b..f289b61 100644
--- a/shim.spec
+++ b/shim.spec
@@ -93,6 +93,8 @@ Patch12: shim-disable-export-vendor-dbx.patch
 Patch13: shim-bsc1187260-fix-efi-1.10-machines.patch
 # PATCH-FIX-UPSTREAM shim-bsc1185232-fix-config-table-copying.patch bsc#1185232 glin@suse.com -- Avoid buffer overflow when copying the MOK config table
 Patch14: shim-bsc1185232-fix-config-table-copying.patch
+# PATCH-FIX-UPSTREAM shim-bsc1187696-avoid-deleting-rt-variables.patch bsc#1187696 glin@suse.com -- Avoid deleting the mirrored RT variables
+Patch15: shim-bsc1187696-avoid-deleting-rt-variables.patch
 BuildRequires: dos2unix
 BuildRequires: mozilla-nss-tools
 BuildRequires: openssl >= 0.9.8
@@ -145,6 +147,7 @@ The source code of UEFI shim loader
 %patch12 -p1
 %patch13 -p1
 %patch14 -p1
+%patch15 -p1
 
 %build
 # generate the vendor SBAT metadata