From 32f6f1f55a210a2d704d081ca0ef2ec046ec9260c2305bb7c7b19e2d7a21ca3d Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin
Date: Mon, 21 Jun 2021 02:58:46 +0000
Subject: [PATCH] Accepting request 901053 from home:gary_lin:branches:devel:openSUSE:Factory
- Add shim-disable-export-vendor-dbx.patch to disable exporting vendor-dbx to MokListXRT since writing a large RT variable could crash some machines (bsc#1185261)
- Add shim-bsc1187260-fix-efi-1.10-machines.patch to avoid the potential crash when calling QueryVariableInfo in EFI 1.10 machines (bsc#1187260)
- Add shim-fix-aa64-relsz.patch to fix the size of rela sections for AArch64 Fix: https://github.com/rhboot/shim/issues/371
OBS-URL: https://build.opensuse.org/request/show/901053
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=184
---
 shim-bsc1187260-fix-efi-1.10-machines.patch | 62 +++++++++
 shim-disable-export-vendor-dbx.patch | 36 ++++++
 shim-fix-aa64-relsz.patch | 132 ++++++++++++++++++++
 shim.changes | 17 +++
 shim.spec | 9 ++
 5 files changed, 256 insertions(+)
 create mode 100644 shim-bsc1187260-fix-efi-1.10-machines.patch
 create mode 100644 shim-disable-export-vendor-dbx.patch
 create mode 100644 shim-fix-aa64-relsz.patch
diff --git a/shim-bsc1187260-fix-efi-1.10-machines.patch b/shim-bsc1187260-fix-efi-1.10-machines.patch
new file mode 100644
index 0000000..c6f4d8c
--- /dev/null
+++ b/shim-bsc1187260-fix-efi-1.10-machines.patch
@@ -0,0 +1,62 @@
+From 493bd940e5c6e28e673034687de7adef9529efff Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Sat, 10 Apr 2021 16:05:23 -0400
+Subject: [PATCH] Don't call QueryVariableInfo() on EFI 1.10 machines
+
+The EFI 1.10 spec (and presumably earlier revisions as well) didn't have
+RT->QueryVariableInfo(), and on Chris Murphy's MacBookPro8,2 , that
+memory appears to be initialized randomly.
+
+This patch changes it to not call RT->QueryVariableInfo() if the
+EFI_RUNTIME_SERVICES table's major revision is less than two, and
+assumes our maximum variable size is 1024 in that case.
+
+Signed-off-by: Peter Jones
+---
+ mok.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index 9b8fc2bc..beac0ff6 100644
+--- a/mok.c
++++ b/mok.c
+@@ -261,6 +261,9 @@ static const uint8_t null_sha256[32] = { 0, };
+
+ typedef UINTN SIZE_T;
+
++#define EFI_MAJOR_VERSION(tablep) ((UINT16)((((tablep)->Hdr.Revision) >> 16) & 0xfffful))
++#define EFI_MINOR_VERSION(tablep) ((UINT16)(((tablep)->Hdr.Revision) & 0xfffful))
++
+ static EFI_STATUS
+ get_max_var_sz(UINT32 attrs, SIZE_T *max_var_szp)
+ {
+@@ -270,11 +273,21 @@ get_max_var_sz(UINT32 attrs, SIZE_T *max_var_szp)
+ uint64_t max_var_sz = 0;
+
+ *max_var_szp = 0;
+- efi_status = gRT->QueryVariableInfo(attrs, &max_storage_sz,
+- &remaining_sz, &max_var_sz);
+- if (EFI_ERROR(efi_status)) {
+- perror(L"Could not get variable storage info: %r\n", efi_status);
+- return efi_status;
++ if (EFI_MAJOR_VERSION(gRT) < 2) {
++ dprint(L"EFI %d.%d; no RT->QueryVariableInfo(). Using 1024!\n",
++ EFI_MAJOR_VERSION(gRT), EFI_MINOR_VERSION(gRT));
++ max_var_sz = remaining_sz = max_storage_sz = 1024;
++ efi_status = EFI_SUCCESS;
++ } else {
++ dprint(L"calling RT->QueryVariableInfo() at 0x%lx\n",
++ gRT->QueryVariableInfo);
++ efi_status = gRT->QueryVariableInfo(attrs, &max_storage_sz,
++ &remaining_sz, &max_var_sz);
++ if (EFI_ERROR(efi_status)) {
++ perror(L"Could not get variable storage info: %r\n",
++ efi_status);
++ return efi_status;
++ }
+ }
+
+ /*
+--
+2.31.1
+
diff --git a/shim-disable-export-vendor-dbx.patch b/shim-disable-export-vendor-dbx.patch
new file mode 100644
index 0000000..defe242
--- /dev/null
+++ b/shim-disable-export-vendor-dbx.patch
@@ -0,0 +1,36 @@
+From 41da21f1f9d4af213f9f235a864772b99ce85fc7 Mon Sep 17 00:00:00 2001
+From: Gary Lin
+Date: Fri, 18 Jun 2021 17:54:46 +0800
+Subject: [PATCH] Disable exporting vendor-dbx to MokListXRT
+
+As the vendor-dbx grows, it caused some problems when writing such
+a large variable. Some firmwares lie the avaiable space(*1) , and
+some even crash(*2) for no good reason after the writing of
+MokListXRT. Both shim and kernel don't rely on MokListXRT to block
+anything, so we just stop exporting vendor-dbx to MokListXRT to
+avoid the potential hassles.
+
+(*1) https://bugzilla.suse.com/show_bug.cgi?id=1185261
+(*2) https://github.com/rhboot/shim/pull/369#issuecomment-855275115
+
+Signed-off-by: Gary Lin
+---
+ mok.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index beac0ff6..a687a92b 100644
+--- a/mok.c
++++ b/mok.c
+@@ -194,8 +194,6 @@ struct mok_state_variable mok_state_variables[] = {
+ EFI_VARIABLE_NON_VOLATILE,
+ .no_attr = EFI_VARIABLE_RUNTIME_ACCESS,
+ .categorize_addend = categorize_deauthorized,
+- .addend = &vendor_deauthorized,
+- .addend_size = &vendor_deauthorized_size,
+ .flags = MOK_MIRROR_KEYDB |
+ MOK_MIRROR_DELETE_FIRST |
+ MOK_VARIABLE_LOG,
+--
+2.31.1
+
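Review bot: The new debug line in the `else` branch of `get_max_var_sz()` passes the function pointer `gRT->QueryVariableInfo` for a `%lx` conversion, so on 32-bit builds the argument is narrower than what the format presumably reads and the logged address is unreliable. Casting it explicitly, `(UINT64)(UINTN)gRT->QueryVariableInfo`, keeps the argument width fixed on every target. The fallback size 1024 also appears as a bare literal in both the message and the assignment; a named constant with a one-line comment saying it is an assumed limit for pre-2.0 runtime tables would stop the two drifting apart. The function body continues past the end of the inner hunk.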
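Review bot: Removing `.addend = &vendor_deauthorized` and `.addend_size = &vendor_deauthorized_size` means the revocations built into shim are no longer mirrored to the OS through MokListXRT, and the description's statement that neither shim nor the kernel relies on that variable to block anything should be checked against the kernels shipped with this package. Kernels that load MokListXRT into their blacklist keyring would, if I read the change correctly, stop seeing the vendor dbx entries when verifying modules or kexec images. The entry keeps `.categorize_addend = categorize_deauthorized` with no addend, so a comment at that spot would help a later rebase, for example `/* vendor dbx deliberately not mirrored: large RT variable writes crash some firmware (bsc#1185261) */`. The initializer starts and ends outside the inner hunk.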
diff --git a/shim-fix-aa64-relsz.patch b/shim-fix-aa64-relsz.patch
new file mode 100644
index 0000000..0d9c416
--- /dev/null
+++ b/shim-fix-aa64-relsz.patch
@@ -0,0 +1,132 @@
+From 9828f65f3e9de29da7bc70cb71069cc1d7ca1b4a Mon Sep 17 00:00:00 2001
+From: Gary Lin
+Date: Wed, 16 Jun 2021 16:13:32 +0800
+Subject: [PATCH] arm/aa64: fix the size of .rela* sections
+
+The previous commit(*) merged .rel* and .dyn* into .rodata, and this
+made ld to generate the wrong size for .rela* sections that covered
+other unrelated sections. When the EFI image was loaded, _relocate()
+went through the unexpected data and may cause unexpected crash.
+This commit moves .rel* and .dyn* out of .rodata in the ld script but
+also moves the related variables, such as _evrodata, _rodata_size,
+and _rodata_vsize, to the end of the new .dyn section, so that the
+crafted pe-coff section header for .rodata still covers our new
+.rela and .dyn sections.
+
+(*) 212ba30544f ("arm/aa64 targets: put .rel* and .dyn* in .rodata")
+
+Fix issue: https://github.com/rhboot/shim/issues/371
+
+Signed-off-by: Gary Lin
+---
+ Makefile | 4 ++--
+ elf_aarch64_efi.lds | 24 ++++++++++++++++--------
+ elf_arm_efi.lds | 24 ++++++++++++++++--------
+ 3 files changed, 34 insertions(+), 18 deletions(-)
+
+Index: shim-15.4/Makefile
+===================================================================
+--- shim-15.4.orig/Makefile
++++ shim-15.4/Makefile
+@@ -243,7 +243,7 @@ ifneq ($(OBJCOPY_GTE224),1)
+ endif
+ $(OBJCOPY) -D -j .text -j .sdata -j .data -j .data.ident \
+ -j .dynamic -j .rodata -j .rel* \
+- -j .rela* -j .reloc -j .eh_frame \
++ -j .rela* -j .dyn -j .reloc -j .eh_frame \
+ -j .vendor_cert -j .sbat \
+ $(FORMAT) $< $@
+ # I am tired of wasting my time fighting binutils timestamp code.
+@@ -260,7 +260,7 @@ ifneq ($(OBJCOPY_GTE224),1)
+ endif
+ $(OBJCOPY) -D -j .text -j .sdata -j .data \
+ -j .dynamic -j .rodata -j .rel* \
+- -j .rela* -j .reloc -j .eh_frame -j .sbat \
++ -j .rela* -j .dyn -j .reloc -j .eh_frame -j .sbat \
+ -j .debug_info -j .debug_abbrev -j .debug_aranges \
+ -j .debug_line -j .debug_str -j .debug_ranges \
+ -j .note.gnu.build-id \
+Index: shim-15.4/elf_aarch64_efi.lds
+===================================================================
+--- shim-15.4.orig/elf_aarch64_efi.lds
++++ shim-15.4/elf_aarch64_efi.lds
+@@ -70,21 +70,29 @@ SECTIONS
+ .rodata :
+ {
+ _rodata = .;
+- *(.rela.dyn)
+- *(.rela.plt)
+- *(.rela.got)
+- *(.rela.data)
+- *(.rela.data*)
+-
+ *(.rodata*)
+ *(.srodata)
+- *(.dynsym)
+- *(.dynstr)
+ . = ALIGN(16);
+ *(.note.gnu.build-id)
+ . = ALIGN(4096);
+ *(.vendor_cert)
+ *(.data.ident)
++ . = ALIGN(4096);
++ }
++ . = ALIGN(4096);
++ .rela :
++ {
++ *(.rela.dyn)
++ *(.rela.plt)
++ *(.rela.got)
++ *(.rela.data)
++ *(.rela.data*)
++ }
++ . = ALIGN(4096);
++ .dyn :
++ {
++ *(.dynsym)
++ *(.dynstr)
+ _evrodata = .;
+ . = ALIGN(4096);
+ }
+Index: shim-15.4/elf_arm_efi.lds
+===================================================================
+--- shim-15.4.orig/elf_arm_efi.lds
++++ shim-15.4/elf_arm_efi.lds
+@@ -70,21 +70,29 @@ SECTIONS
+ .rodata :
+ {
+ _rodata = .;
+- *(.rel.dyn)
+- *(.rel.plt)
+- *(.rel.got)
+- *(.rel.data)
+- *(.rel.data*)
+-
+ *(.rodata*)
+ *(.srodata)
+- *(.dynsym)
+- *(.dynstr)
+ . = ALIGN(16);
+ *(.note.gnu.build-id)
+ . = ALIGN(4096);
+ *(.vendor_cert)
+ *(.data.ident)
++ . = ALIGN(4096);
++ }
++ . = ALIGN(4096);
++ .rela :
++ {
++ *(.rela.dyn)
++ *(.rela.plt)
++ *(.rela.got)
++ *(.rela.data)
++ *(.rela.data*)
++ }
++ . = ALIGN(4096);
++ .dyn :
++ {
++ *(.dynsym)
++ *(.dynstr)
+ _evrodata = .;
+ . = ALIGN(4096);
+ }
diff --git a/shim.changes b/shim.changes
index 16c05aa..155bd72 100644
--- a/shim.changes
+++ b/shim.changes
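Review bot: In the elf_arm_efi.lds part, the new `.rela` output section collects `*(.rela.dyn)` through `*(.rela.data*)`, but the lines removed from `.rodata` in that same file were `*(.rel.dyn)` through `*(.rel.data*)`, so the block looks copied from elf_aarch64_efi.lds without adjusting the names. If the 32-bit ARM objects still produce `.rel.*` input sections, nothing in the script places them any more and the linker will lay them out as orphan sections, which is the kind of unintended relocation-section layout this patch is meant to remove. I would keep the old input patterns inside the new section, as below. The SECTIONS block starts and ends outside the inner hunk.

```ld
  .rela :
  {
    /* 32-bit ARM: same input patterns the script had before the move */
    *(.rel.dyn)
    *(.rel.plt)
    *(.rel.got)
    *(.rel.data)
    *(.rel.data*)
  }
```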
@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Mon Jun 21 01:58:00 UTC 2021 - Gary Ching-Pang Lin
+
+- Add shim-disable-export-vendor-dbx.patch to disable exporting
+ vendor-dbx to MokListXRT since writing a large RT variable
+ could crash some machines (bsc#1185261)
+- Add shim-bsc1187260-fix-efi-1.10-machines.patch to avoid the
+ potential crash when calling QueryVariableInfo in EFI 1.10
+ machines (bsc#1187260)
+
+-------------------------------------------------------------------
+Thu Jun 17 03:03:37 UTC 2021 - Gary Ching-Pang Lin
+
+- Add shim-fix-aa64-relsz.patch to fix the size of rela sections
+ for AArch64
+ Fix: https://github.com/rhboot/shim/issues/371
+
 -------------------------------------------------------------------
 Fri Jun 4 09:22:51 UTC 2021 - Gary Ching-Pang Lin
diff --git a/shim.spec b/shim.spec
index 8fbcd9c..a74182a 100644
--- a/shim.spec
+++ b/shim.spec
@@ -85,6 +85,12 @@ Patch8: shim-bsc1185621-relax-max-var-sz-check.patch
 Patch9: shim-bsc1185261-relax-import_mok_state-check.patch
 # PATCH-FIX-UPSTREAM shim-bsc1185232-relax-loadoptions-length-check.patch bsc#1185232 glin@suse.com -- Relax the check for the LoadOptions length
 Patch10: shim-bsc1185232-relax-loadoptions-length-check.patch
+# PATCH-FIX-UPSTREAM shim-fix-aa64-relsz.patch glin@suse.com -- Fix the size of rela* sections for AArch64
+Patch11: shim-fix-aa64-relsz.patch
+# PATCH-FIX-SUSE shim-disable-export-vendor-dbx.patch bsc#1185261 glin@suse.com -- Disable exporting vendor-dbx to MokListXRT
+Patch12: shim-disable-export-vendor-dbx.patch
+# PATCH-FIX-UPSTREAM shim-bsc1187260-fix-efi-1.10-machines.patch bsc#1187260 glin@suse.com -- Don't call QueryVariableInfo() on EFI 1.10 machines
+Patch13: shim-bsc1187260-fix-efi-1.10-machines.patch
 BuildRequires: dos2unix
 BuildRequires: mozilla-nss-tools
 BuildRequires: openssl >= 0.9.8
@@ -133,6 +139,9 @@ The source code of UEFI shim loader
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
 %build
 # generate the vendor SBAT metadata