Accepting request 561561 from home:gary_lin:branches:devel:openSUSE:Factory

- Update to 14
- Adjust make commands in spec
- Drop upstreamed fixes
- Add patches to avoid build failure
- Update SUSE/openSUSE specific patches

OBS-URL: https://build.opensuse.org/request/show/561561
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=135
Gary Ching-Pang Lin 2018-01-04 08:44:05 +00:00 committed by Git OBS Bridge
parent d06322a5c5
commit 232d61ad7e
17 changed files with 399 additions and 180083 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d9364983ef91ab09dc231c8d979b413cfa36d4744830ba59f5d3e52b616048b0
size 994898

shim-14.tar.bz2 Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:11584881af2cb990a5a782747558ebd3a182b766f2747bd0c0955cbf4786285e
size 1023267


@ -1,304 +0,0 @@
From 5b7f867367131e758548f9b537b765611ce3d874 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 31 Jul 2017 11:07:06 -0400
Subject: [PATCH 1/2] fallback: Minor whitespace cleanup
Signed-off-by: Peter Jones <pjones@redhat.com>
(cherry picked from commit 87c8f07e98995c7a2bd040e9d7b7c35b15ff05e4)
---
fallback.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/fallback.c b/fallback.c
index 0a7058b..9ec40b8 100644
--- a/fallback.c
+++ b/fallback.c
@@ -114,7 +114,7 @@ EFI_STATUS
make_full_path(CHAR16 *dirname, CHAR16 *filename, CHAR16 **out, UINT64 *outlen)
{
UINT64 len;
-
+
len = StrLen(L"\\EFI\\") + StrLen(dirname)
+ StrLen(L"\\") + StrLen(filename)
+ 2;
@@ -358,12 +358,12 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 *
rc = make_full_path(dirname, filename, &fullpath, &pathlen);
if (EFI_ERROR(rc))
return rc;
-
+
EFI_DEVICE_PATH *dph = NULL;
EFI_DEVICE_PATH *file = NULL;
EFI_DEVICE_PATH *full_device_path = NULL;
EFI_DEVICE_PATH *dp = NULL;
-
+
dph = DevicePathFromHandle(this_image->DeviceHandle);
if (!dph) {
rc = EFI_OUT_OF_RESOURCES;
--
2.14.1
From 74608d8f3dded28addbc09046c626f1a02251f3d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 31 Jul 2017 12:51:46 -0400
Subject: [PATCH 2/2] Make fallback debug printing be dynamic at runtime.
Signed-off-by: Peter Jones <pjones@redhat.com>
(cherry picked from commit c0f7d130746e82613b88cdaa9929fe37aff54c57)
---
fallback.c | 133 +++++++++++++++++++++++++++++++++++++++++++------------------
1 file changed, 94 insertions(+), 39 deletions(-)
diff --git a/fallback.c b/fallback.c
index 9ec40b8..5602a88 100644
--- a/fallback.c
+++ b/fallback.c
@@ -15,6 +15,57 @@
EFI_LOADED_IMAGE *this_image = NULL;
+EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} };
+
+int
+get_fallback_verbose(void)
+{
+ EFI_GUID guid = SHIM_LOCK_GUID;
+ UINT8 *data = NULL;
+ UINTN dataSize = 0;
+ EFI_STATUS efi_status;
+ unsigned int i;
+ static int state = -1;
+
+ if (state != -1)
+ return state;
+
+ efi_status = get_variable(L"FALLBACK_VERBOSE",
+ &data, &dataSize, guid);
+ if (EFI_ERROR(efi_status)) {
+ state = 0;
+ return state;
+ }
+
+ for (i = 0; i < dataSize; i++) {
+ if (data[i]) {
+ state = 1;
+ return state;
+ }
+ }
+
+ state = 0;
+ return state;
+}
+
+#define VerbosePrintUnprefixed(fmt, ...) \
+ ({ \
+ UINTN ret_ = 0; \
+ if (get_fallback_verbose()) \
+ ret_ = Print((fmt), ##__VA_ARGS__); \
+ ret_; \
+ })
+
+#define VerbosePrint(fmt, ...) \
+ ({ UINTN line_ = __LINE__; \
+ UINTN ret_ = 0; \
+ if (get_fallback_verbose()) { \
+ Print(L"%a:%d: ", __func__, line_); \
+ ret_ = Print((fmt), ##__VA_ARGS__); \
+ } \
+ ret_; \
+ })
+
static EFI_STATUS
FindSubDevicePath(EFI_DEVICE_PATH *In, UINT8 Type, UINT8 SubType,
EFI_DEVICE_PATH **Out)
@@ -23,9 +74,18 @@ FindSubDevicePath(EFI_DEVICE_PATH *In, UINT8 Type, UINT8 SubType,
if (!In || !Out)
return EFI_INVALID_PARAMETER;
+ CHAR16 *dps = DevicePathToStr(In);
+ VerbosePrint(L"input device path: \"%s\"\n", dps);
+ FreePool(dps);
+
for (dp = In; !IsDevicePathEnd(dp); dp = NextDevicePathNode(dp)) {
if (DevicePathType(dp) == Type &&
DevicePathSubType(dp) == SubType) {
+ dps = DevicePathToStr(dp);
+ VerbosePrint(L"sub-path (%hhd,%hhd): \"%s\"\n",
+ Type, SubType, dps);
+ FreePool(dps);
+
*Out = DuplicateDevicePath(dp);
if (!*Out)
return EFI_OUT_OF_RESOURCES;
@@ -327,13 +387,11 @@ update_boot_order(void)
return EFI_OUT_OF_RESOURCES;
CopyMem(newbootorder, bootorder, size);
-#ifdef DEBUG_FALLBACK
- Print(L"nbootorder: %d\nBootOrder: ", size / sizeof (CHAR16));
+ VerbosePrint(L"nbootorder: %d\nBootOrder: ", size / sizeof (CHAR16));
UINTN j;
for (j = 0 ; j < size / sizeof (CHAR16); j++)
- Print(L"%04x ", newbootorder[j]);
+ VerbosePrintUnprefixed(L"%04x ", newbootorder[j]);
Print(L"\n");
-#endif
rc = uefi_call_wrapper(RT->GetVariable, 5, L"BootOrder", &global,
NULL, &len, NULL);
if (rc == EFI_BUFFER_TOO_SMALL)
@@ -363,6 +421,7 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 *
EFI_DEVICE_PATH *file = NULL;
EFI_DEVICE_PATH *full_device_path = NULL;
EFI_DEVICE_PATH *dp = NULL;
+ CHAR16 *dps;
dph = DevicePathFromHandle(this_image->DeviceHandle);
if (!dph) {
@@ -381,6 +440,9 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 *
rc = EFI_OUT_OF_RESOURCES;
goto err;
}
+ dps = DevicePathToStr(full_device_path);
+ VerbosePrint(L"file DP: %s\n", dps);
+ FreePool(dps);
rc = FindSubDevicePath(full_device_path,
MEDIA_DEVICE_PATH, MEDIA_HARDDRIVE_DP, &dp);
@@ -393,22 +455,24 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 *
}
}
-#ifdef DEBUG_FALLBACK
{
- UINTN s = DevicePathSize(dp);
- UINTN i;
- UINT8 *dpv = (void *)dp;
- for (i = 0; i < s; i++) {
- if (i > 0 && i % 16 == 0)
- Print(L"\n");
- Print(L"%02x ", dpv[i]);
- }
- Print(L"\n");
+ UINTN s = DevicePathSize(dp);
+ UINTN i;
+ UINT8 *dpv = (void *)dp;
+ for (i = 0; i < s; i++) {
+ if (i % 16 == 0) {
+ if (i > 0)
+ VerbosePrintUnprefixed(L"\n");
+ VerbosePrint(L"");
+ }
+ VerbosePrintUnprefixed(L"%02x ", dpv[i]);
+ }
+ VerbosePrintUnprefixed(L"\n");
- CHAR16 *dps = DevicePathToStr(dp);
- Print(L"device path: \"%s\"\n", dps);
+ CHAR16 *dps = DevicePathToStr(dp);
+ VerbosePrint(L"device path: \"%s\"\n", dps);
+ FreePool(dps);
}
-#endif
UINT16 option;
rc = find_boot_option(dp, full_device_path, fullpath, label, arguments, &option);
@@ -443,35 +507,27 @@ err:
EFI_STATUS
populate_stanza(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 *csv)
{
-#ifdef DEBUG_FALLBACK
- Print(L"CSV data: \"%s\"\n", csv);
-#endif
CHAR16 *file = csv;
+ VerbosePrint(L"CSV data: \"%s\"\n", csv);
UINTN comma0 = StrCSpn(csv, L",");
if (comma0 == 0)
return EFI_INVALID_PARAMETER;
file[comma0] = L'\0';
-#ifdef DEBUG_FALLBACK
- Print(L"filename: \"%s\"\n", file);
-#endif
+ VerbosePrint(L"filename: \"%s\"\n", file);
CHAR16 *label = csv + comma0 + 1;
UINTN comma1 = StrCSpn(label, L",");
if (comma1 == 0)
return EFI_INVALID_PARAMETER;
label[comma1] = L'\0';
-#ifdef DEBUG_FALLBACK
- Print(L"label: \"%s\"\n", label);
-#endif
+ VerbosePrint(L"label: \"%s\"\n", label);
CHAR16 *arguments = csv + comma0 +1 + comma1 +1;
UINTN comma2 = StrCSpn(arguments, L",");
arguments[comma2] = L'\0';
/* This one is optional, so don't check if comma2 is 0 */
-#ifdef DEBUG_FALLBACK
- Print(L"arguments: \"%s\"\n", arguments);
-#endif
+ VerbosePrint(L"arguments: \"%s\"\n", arguments);
add_to_boot_list(fh, dirname, file, label, arguments);
@@ -489,9 +545,7 @@ try_boot_csv(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename)
if (EFI_ERROR(rc))
return rc;
-#ifdef DEBUG_FALLBACK
- Print(L"Found file \"%s\"\n", fullpath);
-#endif
+ VerbosePrint(L"Found file \"%s\"\n", fullpath);
CHAR16 *buffer;
UINT64 bs;
@@ -503,9 +557,7 @@ try_boot_csv(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename)
}
FreePool(fullpath);
-#ifdef DEBUG_FALLBACK
- Print(L"File looks like:\n%s\n", buffer);
-#endif
+ VerbosePrint(L"File looks like:\n%s\n", buffer);
CHAR16 *start = buffer;
/* The file may or may not start with the Unicode byte order marker.
@@ -735,9 +787,7 @@ find_boot_options(EFI_HANDLE device)
buffer = NULL;
continue;
}
-#ifdef DEBUG_FALLBACK
- Print(L"Found directory named \"%s\"\n", fi->FileName);
-#endif
+ VerbosePrint(L"Found directory named \"%s\"\n", fi->FileName);
EFI_FILE_HANDLE fh3;
rc = uefi_call_wrapper(fh->Open, 5, fh2, &fh3, fi->FileName,
@@ -810,7 +860,6 @@ try_start_first_option(EFI_HANDLE parent_image_handle)
return rc;
}
-EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} };
extern EFI_STATUS
efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *systab);
@@ -870,6 +919,12 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *systab)
try_start_first_option(image);
Print(L"Reset System\n");
+
+ if (get_fallback_verbose()) {
+ Print(L"Verbose enabled, sleeping for half a second\n");
+ uefi_call_wrapper(BS->Stall, 1, 500000);
+ }
+
uefi_call_wrapper(RT->ResetSystem, 4, EfiResetCold,
EFI_SUCCESS, 0, NULL);
--
2.14.1


@ -1,4 +1,4 @@
From 927d98bacff515fdbac1ba13c6ca655385f3d6a7 Mon Sep 17 00:00:00 2001
From ffd90c3957fe8621e660d663b38b2eef8559c84a Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Tue, 22 Aug 2017 12:43:36 +0800
Subject: [PATCH] Make the names of EFI binaries arch-independent
@ -10,49 +10,15 @@ the script with the same names.
Signed-off-by: Gary Lin <glin@suse.com>
---
Makefile | 9 ---------
fallback.c | 2 +-
shim.c | 6 +++---
3 files changed, 4 insertions(+), 13 deletions(-)
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Makefile b/Makefile
index 6ece282..d518615 100644
--- a/Makefile
+++ b/Makefile
@@ -51,9 +51,6 @@ ifeq ($(ARCH),x86_64)
-DNO_BUILTIN_VA_FUNCS \
-DMDE_CPU_X64 "-DEFI_ARCH=L\"x64\"" -DPAGE_SIZE=4096 \
"-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/x64-$(VERSION)$(RELEASE)/\""
- MMNAME = mmx64
- FBNAME = fbx64
- SHIMNAME= shimx64
EFI_PATH:=/usr/lib64/gnuefi
LIB_PATH:=/usr/lib64
@@ -63,18 +60,12 @@ ifeq ($(ARCH),ia32)
-maccumulate-outgoing-args -m32 \
-DMDE_CPU_IA32 "-DEFI_ARCH=L\"ia32\"" -DPAGE_SIZE=4096 \
"-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/ia32-$(VERSION)$(RELEASE)/\""
- MMNAME = mmia32
- FBNAME = fbia32
- SHIMNAME= shimia32
EFI_PATH:=/usr/lib/gnuefi
LIB_PATH:=/usr/lib
endif
ifeq ($(ARCH),aarch64)
CFLAGS += -DMDE_CPU_AARCH64 "-DEFI_ARCH=L\"aa64\"" -DPAGE_SIZE=4096 \
"-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/aa64-$(VERSION)$(RELEASE)/\""
- MMNAME = mmaa64
- FBNAME = fbaa64
- SHIMNAME= shimaa64
EFI_PATH:=/usr/lib64/gnuefi
LIB_PATH:=/usr/lib64
endif
diff --git a/fallback.c b/fallback.c
index 5e4a396..c80652a 100644
index 46894af..886e052 100644
--- a/fallback.c
+++ b/fallback.c
@@ -835,7 +835,7 @@ debug_hook(void)
@@ -977,7 +977,7 @@ debug_hook(void)
x = 1;
Print(L"add-symbol-file "DEBUGDIR
@ -62,12 +28,12 @@ index 5e4a396..c80652a 100644
}
diff --git a/shim.c b/shim.c
index f8a1e67..48c8797 100644
index aec9f8f..7b34868 100644
--- a/shim.c
+++ b/shim.c
@@ -56,8 +56,8 @@
#include <openssl/x509.h>
#include <openssl/x509v3.h>
@@ -50,8 +50,8 @@
#include <Library/BaseCryptLib.h>
-#define FALLBACK L"\\fb" EFI_ARCH L".efi"
-#define MOK_MANAGER L"\\mm" EFI_ARCH L".efi"
@ -76,7 +42,7 @@ index f8a1e67..48c8797 100644
#define OID_EKU_MODSIGN "1.3.6.1.4.1.2312.16.1.2"
@@ -2671,7 +2671,7 @@ debug_hook(void)
@@ -2852,7 +2852,7 @@ debug_hook(void)
}
Print(L"add-symbol-file "DEBUGDIR
@ -86,5 +52,5 @@ index f8a1e67..48c8797 100644
Print(L"Pausing for debugger attachment.\n");
--
2.14.0
2.15.1



@ -1,23 +1,26 @@
From a2b1ceac7093798d770cf50c8a2a78f7051c7be9 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Wed, 15 Jul 2015 18:15:40 +0800
Subject: [PATCH] Change the debug file path
From 4e83fe57c5a8f1ba32a264f7a936e0e3a9aafedc Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 4 Jan 2018 12:28:37 +0800
Subject: [PATCH] Use our own debug path
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
Signed-off-by: Gary Lin <glin@suse.com>
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: shim-12/Makefile
===================================================================
--- shim-12.orig/Makefile
+++ shim-12/Makefile
@@ -50,7 +50,7 @@ ifeq ($(ARCH),x86_64)
-DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \
-DNO_BUILTIN_VA_FUNCS \
-DMDE_CPU_X64 "-DEFI_ARCH=L\"x64\"" -DPAGE_SIZE=4096 \
- "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/x64-$(VERSION)$(RELEASE)/\""
+ "-DDEBUGDIR=L\"/usr/lib/debug/usr/lib64/efi/shim.debug\""
EFI_PATH:=/usr/lib64/gnuefi
LIB_PATH:=/usr/lib64
diff --git a/Makefile b/Makefile
index f4b7adb..55f6126 100644
--- a/Makefile
+++ b/Makefile
@@ -122,7 +122,7 @@ SHIMHASHNAME = $(SHIMSTEM).hash
BOOTEFINAME ?= BOOT$(ARCH_SUFFIX_UPPER).EFI
BOOTCSVNAME ?= BOOT$(ARCH_SUFFIX_UPPER).CSV
-CFLAGS += "-DEFI_ARCH=L\"$(ARCH_SUFFIX)\"" "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/$(ARCH_SUFFIX)-$(VERSION)$(DASHRELEASE)/\""
+CFLAGS += "-DEFI_ARCH=L\"$(ARCH_SUFFIX)\"" "-DDEBUGDIR=L\"/usr/lib/debug/usr/lib64/efi/shim.debug\""
ifneq ($(origin VENDOR_CERT_FILE), undefined)
CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
--
2.15.1
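Review bot: The replacement DEBUGDIR on the `+CFLAGS` line hardcodes `/usr/lib/debug/usr/lib64/efi/shim.debug` for every architecture, whereas the line it replaces derived the path from `$(ARCH_SUFFIX)` and the shim-12 form of this patch only touched the `ifeq ($(ARCH),x86_64)` block. The upstream Makefile shown earlier in this commit sets `LIB_PATH:=/usr/lib` for ia32, so an ia32 build would advertise a debug file under lib64 that does not match the package's library directory. This only affects the `add-symbol-file` hint printed by debug_hook, so it is harmless if the spec builds x86_64 alone; otherwise consider deriving it from the library path, e.g. `"-DDEBUGDIR=L\"/usr/lib/debug$(LIB_PATH)/efi/shim.debug\""`, assuming LIB_PATH is already defined at this point of the shim-14 Makefile.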


@ -1,198 +0,0 @@
From 38744a099187401f2f5e382c2ce8869e1e9b22a0 Mon Sep 17 00:00:00 2001
From: Lans Zhang <jia.zhang@windriver.com>
Date: Fri, 11 Aug 2017 13:42:20 +0800
Subject: [PATCH] fallback: work around the issue of boot option creation with
AMI BIOS
AMI BIOS (e.g, Intel NUC5i3MYHE) may automatically hide and patch BootXXXX
variables with ami_masked_device_path_guid.
Initially, the normal boot option created by fallback looks like this:
00000000 01 00 00 00 5e 00 42 00 6f 00 6f 00 74 00 6c 00 |....^.B.o.o.t.l.|
00000010 6f 00 61 00 64 00 65 00 72 00 20 00 54 00 65 00 |o.a.d.e.r. .T.e.|
00000020 73 00 74 00 20 00 28 00 36 00 34 00 2d 00 62 00 |s.t. .(.6.4.-.b.|
00000030 69 00 74 00 29 00 00 00 04 01 2a 00 01 00 00 00 |i.t.).....*.....|
00000040 00 08 00 00 00 00 00 00 00 00 08 00 00 00 00 00 |................|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 01 01 04 04 30 00 5c 00 45 00 46 00 49 00 5c 00 |....0.\.E.F.I.\.|
00000070 42 00 4f 00 4f 00 54 00 5c 00 74 00 65 00 73 00 |B.O.O.T.\.t.e.s.|
00000080 74 00 78 00 36 00 34 00 2e 00 65 00 66 00 69 00 |t.x.6.4...e.f.i.|
00000090 00 00 7f ff 04 00 |......|
00000096
after reboot, fallback has to create a new one due to the previous boot
option is hidden and masked by AMI BIOS:
00000000 09 00 00 00 76 00 42 00 6f 00 6f 00 74 00 6c 00 |....v.B.o.o.t.l.|
00000010 6f 00 61 00 64 00 65 00 72 00 20 00 54 00 65 00 |o.a.d.e.r. .T.e.|
00000020 73 00 74 00 20 00 28 00 36 00 34 00 2d 00 62 00 |s.t. .(.6.4.-.b.|
00000030 69 00 74 00 29 00 00 00 01 04 14 00 e7 75 e2 99 |i.t.)........u..|
00000040 a0 75 37 4b a2 e6 c5 38 5e 6c 00 cb 7f ff 04 00 |.u7K...8^l......|
00000050 04 01 2a 00 01 00 00 00 00 08 00 00 00 00 00 00 |..*.............|
00000060 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000070 00 00 00 00 00 00 00 00 01 01 04 04 30 00 5c 00 |............0.\.|
00000080 45 00 46 00 49 00 5c 00 42 00 4f 00 4f 00 54 00 |E.F.I.\.B.O.O.T.|
00000090 5c 00 74 00 65 00 73 00 74 00 78 00 36 00 34 00 |\.t.e.s.t.x.6.4.|
000000a0 2e 00 65 00 66 00 69 00 00 00 7f ff 04 00 |..e.f.i.......|
000000ae
And after several reboot, fallback will have to create more boot options
because AMI BIOS corrupts the previous ones.
We can get the valid device path if just skipping the masked device path and
its next end path.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
(cherry picked from commit 0cc030c2f2fba53b74fb09466a07b8e6297a52d3)
---
fallback.c | 114 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 109 insertions(+), 5 deletions(-)
diff --git a/fallback.c b/fallback.c
index 5602a88..8c0369f 100644
--- a/fallback.c
+++ b/fallback.c
@@ -286,6 +286,105 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp,
return EFI_OUT_OF_RESOURCES;
}
+/*
+ * AMI BIOS (e.g, Intel NUC5i3MYHE) may automatically hide and patch BootXXXX
+ * variables with ami_masked_device_path_guid. We can get the valid device path
+ * if just skipping it and its next end path.
+ */
+
+static EFI_GUID ami_masked_device_path_guid = {
+ 0x99e275e7, 0x75a0, 0x4b37,
+ { 0xa2, 0xe6, 0xc5, 0x38, 0x5e, 0x6c, 0x0, 0xcb }
+};
+
+static unsigned int
+calc_masked_boot_option_size(unsigned int size)
+{
+ return size + sizeof(EFI_DEVICE_PATH) +
+ sizeof(ami_masked_device_path_guid) + sizeof(EFI_DEVICE_PATH);
+}
+
+static int
+check_masked_boot_option(CHAR8 *candidate, unsigned int candidate_size,
+ CHAR8 *data, unsigned int data_size)
+{
+ /*
+ * The patched BootXXXX variables contain a hardware device path and
+ * an end path, preceding the real device path.
+ */
+ if (calc_masked_boot_option_size(data_size) != candidate_size)
+ return 1;
+
+ CHAR8 *cursor = candidate;
+
+ /* Check whether the BootXXXX is patched */
+ cursor += sizeof(UINT32) + sizeof(UINT16);
+ cursor += StrSize((CHAR16 *)cursor);
+
+ unsigned int min_valid_size = cursor - candidate + sizeof(EFI_DEVICE_PATH);
+
+ if (candidate_size <= min_valid_size)
+ return 1;
+
+ EFI_DEVICE_PATH *dp = (EFI_DEVICE_PATH *)cursor;
+ unsigned int node_size = DevicePathNodeLength(dp) - sizeof(EFI_DEVICE_PATH);
+
+ min_valid_size += node_size;
+ if (candidate_size <= min_valid_size ||
+ DevicePathType(dp) != HARDWARE_DEVICE_PATH ||
+ DevicePathSubType(dp) != HW_VENDOR_DP ||
+ node_size != sizeof(ami_masked_device_path_guid) ||
+ CompareGuid((EFI_GUID *)(cursor + sizeof(EFI_DEVICE_PATH)),
+ &ami_masked_device_path_guid))
+ return 1;
+
+ /* Check whether the patched guid is followed by an end path */
+ min_valid_size += sizeof(EFI_DEVICE_PATH);
+ if (candidate_size <= min_valid_size)
+ return 1;
+
+ dp = NextDevicePathNode(dp);
+ if (!IsDevicePathEnd(dp))
+ return 1;
+
+ /*
+ * OK. We may really get a masked BootXXXX variable. The next
+ * step is to test whether it is hidden.
+ */
+ UINT32 attrs = *(UINT32 *)candidate;
+#ifndef LOAD_OPTION_HIDDEN
+# define LOAD_OPTION_HIDDEN 0x00000008
+#endif
+ if (!(attrs & LOAD_OPTION_HIDDEN))
+ return 1;
+
+ attrs &= ~LOAD_OPTION_HIDDEN;
+
+ /* Compare the field Attributes */
+ if (attrs != *(UINT32 *)data)
+ return 1;
+
+ /* Compare the field FilePathListLength */
+ data += sizeof(UINT32);
+ candidate += sizeof(UINT32);
+ if (calc_masked_boot_option_size(*(UINT16 *)data) !=
+ *(UINT16 *)candidate)
+ return 1;
+
+ /* Compare the field Description */
+ data += sizeof(UINT16);
+ candidate += sizeof(UINT16);
+ if (CompareMem(candidate, data, cursor - candidate))
+ return 1;
+
+ /* Compare the filed FilePathList */
+ cursor = (CHAR8 *)NextDevicePathNode(dp);
+ data += sizeof(UINT16);
+ data += StrSize((CHAR16 *)data);
+
+ return CompareMem(cursor, data, candidate_size - min_valid_size);
+}
+
EFI_STATUS
find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp,
CHAR16 *filename, CHAR16 *label, CHAR16 *arguments,
@@ -315,7 +414,8 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp,
EFI_GUID global = EFI_GLOBAL_VARIABLE;
EFI_STATUS rc;
- CHAR8 *candidate = AllocateZeroPool(size);
+ UINTN max_candidate_size = calc_masked_boot_option_size(size);
+ CHAR8 *candidate = AllocateZeroPool(max_candidate_size);
if (!candidate) {
FreePool(data);
return EFI_OUT_OF_RESOURCES;
@@ -327,17 +427,21 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp,
varname[6] = hexmap[(bootorder[i] & 0x00f0) >> 4];
varname[7] = hexmap[(bootorder[i] & 0x000f) >> 0];
- UINTN candidate_size = size;
+ UINTN candidate_size = max_candidate_size;
rc = uefi_call_wrapper(RT->GetVariable, 5, varname, &global,
NULL, &candidate_size, candidate);
if (EFI_ERROR(rc))
continue;
- if (candidate_size != size)
+ if (candidate_size != size) {
+ if (check_masked_boot_option(candidate, candidate_size,
+ data, size))
+ continue;
+ } else if (CompareMem(candidate, data, size))
continue;
- if (CompareMem(candidate, data, size))
- continue;
+ VerbosePrint(L"Found boot entry \"%s\" with label \"%s\" "
+ L"for file \"%s\"\n", varname, label, filename);
/* at this point, we have duplicate data. */
if (!first_new_option) {
--
2.14.1


@ -1,35 +0,0 @@
From 971c5225bea11b4193e4e69a939410030b420ed1 Mon Sep 17 00:00:00 2001
From: Lans Zhang <jia.zhang@windriver.com>
Date: Wed, 9 Aug 2017 16:10:14 +0800
Subject: [PATCH] fallback: fix double free of dp
If the boot option recorded in csv is not in a media device path, the
corresponding full device path will be referred for creating the boot
variable.
However, the current code logic always frees the full device path
(full_device_path) and the media device path (dp) separately. In order
to resolve this issue, always check whether dp equals to full_device_path
before freeing dp.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
---
fallback.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fallback.c b/fallback.c
index c80652a..0a7058b 100644
--- a/fallback.c
+++ b/fallback.c
@@ -433,7 +433,7 @@ err:
FreePool(file);
if (full_device_path)
FreePool(full_device_path);
- if (dp)
+ if (dp && dp != full_device_path)
FreePool(dp);
if (fullpath)
FreePool(fullpath);
--
2.14.0


@ -1,32 +0,0 @@
From 1a83299ac5caca13be7ba69507f7623c99d9eef6 Mon Sep 17 00:00:00 2001
From: Lans Zhang <jia.zhang@windriver.com>
Date: Fri, 30 Jun 2017 15:50:24 +0800
Subject: [PATCH] httpboot: fix OVMF crash
This is a typical typo. The free operation should be done if uri
was allocated.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
---
httpboot.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/httpboot.c b/httpboot.c
index f8fbc73..e4657c1 100644
--- a/httpboot.c
+++ b/httpboot.c
@@ -110,8 +110,10 @@ find_httpboot (EFI_HANDLE device)
URI_DEVICE_PATH *UriNode;
UINTN uri_size;
- if (!uri)
+ if (uri) {
FreePool(uri);
+ uri = NULL;
+ }
devpath = DevicePathFromHandle(device);
if (!devpath) {
--
2.14.0


@ -1,40 +0,0 @@
From a120ddd83d02f302c72baa1974691a1f677829f3 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 8 Aug 2017 17:48:59 -0400
Subject: [PATCH] Fix openssl compile flags for x86_64
Signed-off-by: Peter Jones <pjones@redhat.com>
---
Cryptlib/Makefile | 2 +-
Cryptlib/OpenSSL/Makefile | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile
index 77a5bd4..e99f009 100644
--- a/Cryptlib/Makefile
+++ b/Cryptlib/Makefile
@@ -8,7 +8,7 @@ CFLAGS = -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-
ifeq ($(ARCH),x86_64)
CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \
-DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI -DNO_BUILTIN_VA_FUNCS \
- -DMDE_CPU_IA64
+ -DMDE_CPU_X64
endif
ifeq ($(ARCH),ia32)
CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -m32 \
diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile
index 829fa5c..e54105b 100644
--- a/Cryptlib/OpenSSL/Makefile
+++ b/Cryptlib/OpenSSL/Makefile
@@ -8,7 +8,7 @@ CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-st
ifeq ($(ARCH),x86_64)
CFLAGS += -mno-mmx -mno-sse -mno-red-zone -maccumulate-outgoing-args \
-DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \
- -UNO_BUILTIN_VA_FUNCS -DMDE_CPU_IA64
+ -UNO_BUILTIN_VA_FUNCS -DMDE_CPU_X64
endif
ifeq ($(ARCH),ia32)
CFLAGS += -mno-mmx -mno-sse -mno-red-zone -maccumulate-outgoing-args \
--
2.14.0


@ -0,0 +1,28 @@
From c6ecc2923b8072e9cb24806b1c1b92f63016fd63 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 4 Jan 2018 14:31:51 +0800
Subject: [PATCH] httpboot: include console.h
in_protocol is declared in console.h, so httpboot.c has to include the
header.
Signed-off-by: Gary Lin <glin@suse.com>
---
httpboot.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/httpboot.c b/httpboot.c
index 058704f..b753405 100644
--- a/httpboot.c
+++ b/httpboot.c
@@ -34,6 +34,7 @@
#include <efi.h>
#include <efilib.h>
#include "str.h"
+#include "console.h"
#include "Http.h"
#include "Ip4Config2.h"
#include "Ip6Config.h"
--
2.15.1



@ -1,13 +1,30 @@
Index: shim-12/Makefile
===================================================================
--- shim-12.orig/Makefile
+++ shim-12/Makefile
@@ -117,7 +117,7 @@ shim_cert.h: shim.cer
From 087123b6eb8e8067c500cb7a411085c0ebe66e94 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 4 Jan 2018 12:22:43 +0800
Subject: [PATCH] Only use the OS name in version
Since we build shim binary with open build service, it's difficult to
fix the linux kernel version of the build bot, so we just use "uname -o"
instead of "uname -a".
Signed-off-by: Gary Lin <glin@suse.com>
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index e756aa5..f4b7adb 100644
--- a/Makefile
+++ b/Makefile
@@ -177,7 +177,7 @@ shim_cert.h: shim.cer
version.c : version.c.in
version.c : $(TOPDIR)/version.c.in
sed -e "s,@@VERSION@@,$(VERSION)," \
- -e "s,@@UNAME@@,$(shell uname -a)," \
+ -e "s,@@UNAME@@,$(shell uname -o)," \
-e "s,@@COMMIT@@,$(COMMITID)," \
< version.c.in > version.c
< $< > $@
--
2.15.1


@ -1,7 +1,7 @@
From ccd53ba8892ce8955611c9dc519454ddd4b2a62f Mon Sep 17 00:00:00 2001
From 7472a6ee1f01466df1a1de65de669ed0c20b12c4 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 18 Feb 2014 17:29:19 +0800
Subject: [PATCH 1/4] Show the build-in certificate prompt
Subject: [PATCH 1/3] Show the build-in certificate prompt
This is an openSUSE-only patch.
@ -21,10 +21,10 @@ The state will store in use_openSUSE_cert, a volatile RT variable.
1 file changed, 75 insertions(+), 2 deletions(-)
diff --git a/shim.c b/shim.c
index f8a1e67..b1fe60f 100644
index 7b34868..be250b6 100644
--- a/shim.c
+++ b/shim.c
@@ -99,6 +99,7 @@ UINT8 *vendor_dbx;
@@ -93,6 +93,7 @@ UINT8 *vendor_dbx;
*/
verification_method_t verification_method;
int loader_is_participating;
@ -32,16 +32,16 @@ index f8a1e67..b1fe60f 100644
#define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
@@ -1016,7 +1017,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
if (status == EFI_SUCCESS)
return status;
@@ -1096,7 +1097,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
LogError(L"check_whitelist(): %r\n", status);
}
- if (cert) {
+ if (cert && use_builtin_cert) {
#if defined(ENABLE_SHIM_CERT)
/*
* Check against the shim build key
*/
@@ -1941,7 +1942,7 @@ EFI_STATUS mirror_mok_list()
@@ -2080,7 +2081,7 @@ EFI_STATUS mirror_mok_list()
if (efi_status != EFI_SUCCESS)
DataSize = 0;
@ -50,7 +50,7 @@ index f8a1e67..b1fe60f 100644
FullDataSize = DataSize
+ sizeof (*CertList)
+ sizeof (EFI_GUID)
@@ -2648,6 +2649,75 @@ shim_fini(void)
@@ -2829,6 +2830,75 @@ shim_fini(void)
setup_console(0);
}
@ -126,7 +126,7 @@ index f8a1e67..b1fe60f 100644
extern EFI_STATUS
efi_main(EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab);
@@ -2750,6 +2820,9 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
@@ -2933,6 +3003,9 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
*/
check_mok_sb();
@ -137,13 +137,13 @@ index f8a1e67..b1fe60f 100644
if (EFI_ERROR(efi_status)) {
Print(L"Something has gone seriously wrong: %r\n", efi_status);
--
2.13.1
2.15.1
From 04cef138d17143fb1b5e9e52b593991f783536e8 Mon Sep 17 00:00:00 2001
From 3e3cf4589edf350c8c33d0f5069c6868c2810b80 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 20 Feb 2014 16:57:08 +0800
Subject: [PATCH 2/4] Support revoking the openSUSE cert
Subject: [PATCH 2/3] Support revoking the openSUSE cert
This is an openSUSE-only patch.
@ -156,11 +156,11 @@ will show up with an additional option to clear openSUSE_Verify
2 files changed, 60 insertions(+), 3 deletions(-)
diff --git a/MokManager.c b/MokManager.c
index e0ba789..81ae8aa 100644
index 55af321..678a9d9 100644
--- a/MokManager.c
+++ b/MokManager.c
@@ -1812,6 +1812,33 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) {
return -1;
@@ -1806,6 +1806,33 @@ mokpw_done:
return EFI_SUCCESS;
}
+static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) {
@ -193,7 +193,7 @@ index e0ba789..81ae8aa 100644
static BOOLEAN verify_certificate(UINT8 *cert, UINTN size)
{
X509 *X509Cert;
@@ -2164,6 +2191,7 @@ typedef enum {
@@ -2162,6 +2189,7 @@ typedef enum {
MOK_CHANGE_SB,
MOK_SET_PW,
MOK_CHANGE_DB,
@ -201,7 +201,7 @@ index e0ba789..81ae8aa 100644
MOK_KEY_ENROLL,
MOK_HASH_ENROLL
} mok_menu_item;
@@ -2175,7 +2203,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
@@ -2182,7 +2210,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
void *MokPW, UINTN MokPWSize,
void *MokDB, UINTN MokDBSize,
void *MokXNew, UINTN MokXNewSize,
@ -211,40 +211,40 @@ index e0ba789..81ae8aa 100644
{
CHAR16 **menu_strings;
mok_menu_item *menu_item;
@@ -2249,6 +2278,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
if (MokDB)
menucount++;
@@ -2262,6 +2291,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
if (MokDB)
menucount++;
+ if (ClearVerify)
+ menucount++;
+ if (ClearVerify)
+ menucount++;
+
menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (menucount + 1));
menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (menucount + 1));
if (!menu_strings)
@@ -2318,6 +2350,12 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
if (!menu_strings)
@@ -2334,6 +2366,12 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
i++;
}
+ if (ClearVerify) {
+ menu_strings[i] = L"Revoke openSUSE certificate";
+ menu_item[i] = MOK_CLEAR_VERIFY;
+ i++;
+ }
+
menu_strings[i] = L"Enroll key from disk";
menu_item[i] = MOK_KEY_ENROLL;
i++;
}
+ if (ClearVerify) {
+ menu_strings[i] = L"Revoke openSUSE certificate";
+ menu_item[i] = MOK_CLEAR_VERIFY;
+ i++;
+ }
+
menu_strings[i] = L"Enroll key from disk";
menu_item[i] = MOK_KEY_ENROLL;
i++;
@@ -2368,6 +2406,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
case MOK_CHANGE_DB:
mok_db_prompt(MokDB, MokDBSize);
@@ -2394,6 +2432,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
if (efi_status == EFI_SUCCESS)
MokDB = NULL;
break;
+ case MOK_CLEAR_VERIFY:
+ mok_clear_verify_prompt(ClearVerify, ClearVerifySize);
+ break;
case MOK_KEY_ENROLL:
mok_key_enroll();
efi_status = mok_key_enroll();
break;
@@ -2393,6 +2434,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
@@ -2424,6 +2465,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
UINTN MokNewSize = 0, MokDelSize = 0, MokSBSize = 0, MokPWSize = 0;
UINTN MokDBSize = 0, MokXNewSize = 0, MokXDelSize = 0;
@ -252,7 +252,7 @@ index e0ba789..81ae8aa 100644
void *MokNew = NULL;
void *MokDel = NULL;
void *MokSB = NULL;
@@ -2400,6 +2442,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
@@ -2431,6 +2473,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
void *MokDB = NULL;
void *MokXNew = NULL;
void *MokXDel = NULL;
@ -260,7 +260,7 @@ index e0ba789..81ae8aa 100644
EFI_STATUS status;
status = get_variable(L"MokNew", (UINT8 **)&MokNew, &MokNewSize,
@@ -2472,9 +2515,20 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
@@ -2503,9 +2546,20 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
console_error(L"Could not retrieve MokXDel", status);
}
@ -282,7 +282,7 @@ index e0ba789..81ae8aa 100644
if (MokNew)
FreePool (MokNew);
@@ -2497,6 +2551,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
@@ -2528,6 +2582,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
if (MokXDel)
FreePool (MokXDel);
@ -293,10 +293,10 @@ index e0ba789..81ae8aa 100644
LibDeleteVariable(L"MokDelAuth", &shim_lock_guid);
LibDeleteVariable(L"MokXAuth", &shim_lock_guid);
diff --git a/shim.c b/shim.c
index b1fe60f..909c4b7 100644
index be250b6..d461edd 100644
--- a/shim.c
+++ b/shim.c
@@ -2092,7 +2092,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
@@ -2233,7 +2233,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
check_var(L"MokPW") || check_var(L"MokAuth") ||
check_var(L"MokDel") || check_var(L"MokDB") ||
check_var(L"MokXNew") || check_var(L"MokXDel") ||
@ -306,13 +306,13 @@ index b1fe60f..909c4b7 100644
if (efi_status != EFI_SUCCESS) {
--
2.13.1
2.15.1
From c7d47d6050bac84d99651278a7e1a3defddaed86 Mon Sep 17 00:00:00 2001
From b5348293dd95c6627f8fde0344650e006acc181b Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Fri, 7 Mar 2014 16:17:20 +0800
Subject: [PATCH 3/4] Delete openSUSE_Verify the right way
Subject: [PATCH 3/3] Delete openSUSE_Verify the right way
This is an openSUSE-only patch.
@ -322,10 +322,10 @@ LibDeleteVariable only works on the runtime variables.
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/MokManager.c b/MokManager.c
index 81ae8aa..d839355 100644
index 678a9d9..c3f8f45 100644
--- a/MokManager.c
+++ b/MokManager.c
@@ -1826,7 +1826,10 @@ static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) {
@@ -1820,7 +1820,10 @@ static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) {
if (status != EFI_SUCCESS)
return -1;
@ -338,37 +338,5 @@ index 81ae8aa..d839355 100644
console_error(L"Failed to delete openSUSE_Verify", status);
return -1;
--
2.13.1
From 29a7dd0330a75dce47131c4165c06d0b425e2159 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon, 19 Oct 2015 16:36:14 +0800
Subject: [PATCH 4/4] Don't pass NULL to set MokListRT
This is an openSUSE-only patch.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
shim.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/shim.c b/shim.c
index 909c4b7..1804f1c 100644
--- a/shim.c
+++ b/shim.c
@@ -1979,6 +1979,11 @@ EFI_STATUS mirror_mok_list()
FullData = Data;
}
+ if (FullDataSize == 0) {
+ /* openSUSE_Verify isn't set and no other MOK exists. */
+ return EFI_SUCCESS;
+ }
+
efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokListRT",
&shim_lock_guid,
EFI_VARIABLE_BOOTSERVICE_ACCESS
--
2.13.1
2.15.1

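--- /dev/null
+++ b/shim-remove-cryptpem.patch
@@ -0,0 +1,223 @@
+From 063d4aa37d271ce5c30a9c7a1746af421d40ca17 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Thu, 4 Jan 2018 14:54:34 +0800
+Subject: [PATCH] Cryptlib: replace CryptPem with CryptPemNull
+We don't need the functions in CryptPem.c.
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+Cryptlib/Makefile | 2 +-
+Cryptlib/Pem/CryptPem.c | 135 --------------------------------------------
+Cryptlib/Pem/CryptPemNull.c | 44 +++++++++++++++
+3 files changed, 45 insertions(+), 136 deletions(-)
+delete mode 100644 Cryptlib/Pem/CryptPem.c
+create mode 100644 Cryptlib/Pem/CryptPemNull.c
+diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile
+index bf9d0dc..a025ac5 100644
+--- a/Cryptlib/Makefile
++++ b/Cryptlib/Makefile
+@@ -40,7 +40,7 @@ OBJS = Hash/CryptMd4Null.o \
+Pk/CryptTs.o \
+Pk/CryptX509.o \
+Pk/CryptAuthenticode.o \
+- Pem/CryptPem.o \
++ Pem/CryptPemNull.o \
+SysCall/CrtWrapper.o \
+SysCall/TimerWrapper.o \
+SysCall/BaseMemAllocation.o \
+diff --git a/Cryptlib/Pem/CryptPem.c b/Cryptlib/Pem/CryptPem.c
+deleted file mode 100644
+index 51e648b..0000000
+--- a/Cryptlib/Pem/CryptPem.c
++++ /dev/null
+@@ -1,135 +0,0 @@
+-/** @file
+- PEM (Privacy Enhanced Mail) Format Handler Wrapper Implementation over OpenSSL.
+-
+-Copyright (c) 2010 - 2013, Intel Corporation. All rights reserved.<BR>
+-This program and the accompanying materials
+-are licensed and made available under the terms and conditions of the BSD License
+-which accompanies this distribution. The full text of the license may be found at
+-http://opensource.org/licenses/bsd-license.php
+-
+-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+-
+-**/
+-
+-#include "InternalCryptLib.h"
+-#include <openssl/pem.h>
+-
+-/**
+- Callback function for password phrase conversion used for retrieving the encrypted PEM.
+-
+- @param[out] Buf Pointer to the buffer to write the passphrase to.
+- @param[in] Size Maximum length of the passphrase (i.e. the size of Buf).
+- @param[in] Flag A flag which is set to 0 when reading and 1 when writing.
+- @param[in] Key Key data to be passed to the callback routine.
+-
+- @retval The number of characters in the passphrase or 0 if an error occurred.
+-
+-**/
+-INTN
+-PasswordCallback (
+- OUT CHAR8 *Buf,
+- IN INTN Size,
+- IN INTN Flag,
+- IN VOID *Key
+- )
+-{
+- INTN KeyLength;
+-
+- ZeroMem ((VOID *) Buf, (UINTN) Size);
+- if (Key != NULL) {
+- //
+- // Duplicate key phrase directly.
+- //
+- KeyLength = (INTN) AsciiStrLen ((CHAR8 *)Key);
+- KeyLength = (KeyLength > Size ) ? Size : KeyLength;
+- CopyMem (Buf, Key, (UINTN) KeyLength);
+- return KeyLength;
+- } else {
+- return 0;
+- }
+-}
+-
+-/**
+- Retrieve the RSA Private Key from the password-protected PEM key data.
+-
+- @param[in] PemData Pointer to the PEM-encoded key data to be retrieved.
+- @param[in] PemSize Size of the PEM key data in bytes.
+- @param[in] Password NULL-terminated passphrase used for encrypted PEM key data.
+- @param[out] RsaContext Pointer to new-generated RSA context which contain the retrieved
+- RSA private key component. Use RsaFree() function to free the
+- resource.
+-
+- If PemData is NULL, then return FALSE.
+- If RsaContext is NULL, then return FALSE.
+-
+- @retval TRUE RSA Private Key was retrieved successfully.
+- @retval FALSE Invalid PEM key data or incorrect password.
+-
+-**/
+-BOOLEAN
+-EFIAPI
+-RsaGetPrivateKeyFromPem (
+- IN CONST UINT8 *PemData,
+- IN UINTN PemSize,
+- IN CONST CHAR8 *Password,
+- OUT VOID **RsaContext
+- )
+-{
+- BOOLEAN Status;
+- BIO *PemBio;
+-
+- //
+- // Check input parameters.
+- //
+- if (PemData == NULL || RsaContext == NULL || PemSize > INT_MAX) {
+- return FALSE;
+- }
+-
+- //
+- // Add possible block-cipher descriptor for PEM data decryption.
+- // NOTE: Only support most popular ciphers (3DES, AES) for the encrypted PEM.
+- //
+- if (EVP_add_cipher (EVP_des_ede3_cbc ()) == 0) {
+- return FALSE;
+- }
+- if (EVP_add_cipher (EVP_aes_128_cbc ()) == 0) {
+- return FALSE;
+- }
+- if (EVP_add_cipher (EVP_aes_192_cbc ()) == 0) {
+- return FALSE;
+- }
+- if (EVP_add_cipher (EVP_aes_256_cbc ()) == 0) {
+- return FALSE;
+- }
+-
+- Status = FALSE;
+-
+- //
+- // Read encrypted PEM Data.
+- //
+- PemBio = BIO_new (BIO_s_mem ());
+- if (PemBio == NULL) {
+- goto _Exit;
+- }
+-
+- if (BIO_write (PemBio, PemData, (int) PemSize) <= 0) {
+- goto _Exit;
+- }
+-
+- //
+- // Retrieve RSA Private Key from encrypted PEM data.
+- //
+- *RsaContext = PEM_read_bio_RSAPrivateKey (PemBio, NULL, (pem_password_cb *) &PasswordCallback, (void *) Password);
+- if (*RsaContext != NULL) {
+- Status = TRUE;
+- }
+-
+-_Exit:
+- //
+- // Release Resources.
+- //
+- BIO_free (PemBio);
+-
+- return Status;
+-}
+diff --git a/Cryptlib/Pem/CryptPemNull.c b/Cryptlib/Pem/CryptPemNull.c
+new file mode 100644
+index 0000000..8c9e4f0
+--- /dev/null
++++ b/Cryptlib/Pem/CryptPemNull.c
+@@ -0,0 +1,44 @@
++/** @file
++ PEM (Privacy Enhanced Mail) Format Handler Wrapper Implementation which does
++ not provide real capabilities.
++
++Copyright (c) 2012, Intel Corporation. All rights reserved.<BR>
++This program and the accompanying materials
++are licensed and made available under the terms and conditions of the BSD License
++which accompanies this distribution. The full text of the license may be found at
++http://opensource.org/licenses/bsd-license.php
++
++THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
++WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
++
++**/
++
++#include "InternalCryptLib.h"
++
++/**
++ Retrieve the RSA Private Key from the password-protected PEM key data.
++
++ Return FALSE to indicate this interface is not supported.
++
++ @param[in] PemData Pointer to the PEM-encoded key data to be retrieved.
++ @param[in] PemSize Size of the PEM key data in bytes.
++ @param[in] Password NULL-terminated passphrase used for encrypted PEM key data.
++ @param[out] RsaContext Pointer to new-generated RSA context which contain the retrieved
++ RSA private key component. Use RsaFree() function to free the
++ resource.
++
++ @retval FALSE This interface is not supported.
++
++**/
++BOOLEAN
++EFIAPI
++RsaGetPrivateKeyFromPem (
++ IN CONST UINT8 *PemData,
++ IN UINTN PemSize,
++ IN CONST CHAR8 *Password,
++ OUT VOID **RsaContext
++ )
++{
++ ASSERT (FALSE);
++ return FALSE;
++}
+--
+2.15.1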
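Review bot: The patch description says only "We don't need the functions in CryptPem.c." without saying why; a one-line reason (no caller of RsaGetPrivateKeyFromPem in shim, or dropping the openssl/pem.h dependency and the EVP_add_cipher registrations it pulled in) would make the next rebase onto a new shim release easier to judge. The replacement CryptPemNull.c keeps the exported RsaGetPrivateKeyFromPem symbol with the body `ASSERT (FALSE); return FALSE;`, so a caller that does appear later trips the assertion where ASSERT is active and otherwise just gets FALSE; how ASSERT expands in InternalCryptLib.h is not visible here, so confirm that is the intended failure mode for a boot-time component. It is also worth noting in the description that removing the PEM private-key parser and its cipher setup shrinks the code linked into the loader, since that is the practical benefit of preferring the Null variant.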


@ -1,3 +1,26 @@
-------------------------------------------------------------------
Thu Jan 4 08:17:44 UTC 2018 - glin@suse.com
- Update to 14
- Adjust make commands in spec
- Drop upstreamed fixes
+ shim-add-fallback-verbose-print.patch
+ shim-back-to-openssl-1.0.2e.patch
+ shim-fallback-workaround-masked-ami-variables.patch
+ shim-fix-fallback-double-free.patch
+ shim-fix-httpboot-crash.patch
+ shim-fix-openssl-flags.patch
+ shim-more-tpm-measurement.patch
- Add shim-httpboot-include-console.h.patch to include console.h
in httpboot.c to avoid build failure
- Add shim-remove-cryptpem.patch to replace functions in CryptPem.c
with the null function
- Update SUSE/openSUSE specific patches
+ shim-only-os-name.patch
+ shim-arch-independent-names.patch
+ shim-change-debug-file-path.patch
+ shim-opensuse-cert-prompt.patch
-------------------------------------------------------------------
Fri Dec 29 18:41:12 UTC 2017 - ngompa13@gmail.com


@ -1,7 +1,7 @@
#
# spec file for package shim
#
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -21,7 +21,7 @@
%undefine _build_create_debug
Name: shim
Version: 12
Version: 14
Release: 0
Summary: UEFI shim loader
License: BSD-2-Clause
@ -48,20 +48,10 @@ Source99: SIGNATURE_UPDATE.txt
Patch1: shim-only-os-name.patch
# PATCH-FIX-SUSE shim-arch-independent-names.patch glin@suse.com -- Use the Arch-independent names
Patch2: shim-arch-independent-names.patch
# PATCH-FIX-UPSTREAM shim-fix-httpboot-crash.patch glin@suse.com -- Fix HTTPBoot crash
Patch3: shim-fix-httpboot-crash.patch
# PATCH-FIX-UPSTREAM shim-fix-openssl-flags.patch glin@suse.com -- Fix the openssl compiler flags
Patch4: shim-fix-openssl-flags.patch
# PATCH-FIX-UPSTREAM shim-fix-fallback-double-free.patch glin@suse.com -- Fix double free in fallback.c
Patch5: shim-fix-fallback-double-free.patch
# PATCH-FIX-UPSTREAM shim-add-fallback-verbose-print.patch glin@suse.com -- Print debug messages dynamically
Patch6: shim-add-fallback-verbose-print.patch
# PATCH-FIX-UPSTREAM shim-fallback-workaround-masked-ami-variables.patch glin@suse.com -- Work around the masked AMI variables
Patch7: shim-fallback-workaround-masked-ami-variables.patch
# PATCH-FIX-UPSTREAM shim-more-tpm-measurement.patch glin@suse.com -- Measure more components for TPM
Patch8: shim-more-tpm-measurement.patch
# PATCH-FIX-UPSTREAM shim-back-to-openssl-1.0.2e.patch bsc#1054712 glin@suse.com -- Revert openssl back to 1.0.2e due to the rejection of some legit certificates
Patch9: shim-back-to-openssl-1.0.2e.patch
# PATCH-FIX-UPSTREAM shim-httpboot-include-console.h.patch glin@suse.com -- Include console.h in httpboot.c
Patch3: shim-httpboot-include-console.h.patch
# PATCH-FIX-UPSTREAM shim-remove-cryptpem.patch glin@suse.com -- Replace the functions in CryptPem.c with the null function
Patch4: shim-remove-cryptpem.patch
# PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch glin@suse.com -- Change the default debug file path
Patch50: shim-change-debug-file-path.patch
# PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
@ -110,11 +100,6 @@ The source code of UEFI shim loader
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch50 -p1
%if 0%{?is_opensuse} == 1
%patch100 -p1
@ -122,7 +107,10 @@ The source code of UEFI shim loader
%build
# first, build MokManager and fallback as they don't depend on a
# specific certificate
make EFI_PATH=/usr/lib64 RELEASE=0 MokManager.efi fallback.efi 2> /dev/null
make EFI_PATH=/usr/lib64 RELEASE=0 \
MMSTEM=MokManager FBSTEM=fallback \
MokManager.efi.debug fallback.efi.debug \
MokManager.efi fallback.efi
# now build variants of shim that embed different certificates
default=''
@ -177,7 +165,10 @@ for suffix in "${suffixes[@]}"; do
cp $cert2 shim.crt
fi
# make sure cast warnings don't trigger post build check
make EFI_PATH=/usr/lib64 RELEASE=0 VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 shim.efi
make EFI_PATH=/usr/lib64 RELEASE=0 SHIMSTEM=shim \
VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \
DEFAULT_LOADER="grub.efi" \
shim.efi.debug shim.efi
#
# assert correct certificate embedded
grep -q "$verify" shim.efi