From 6e9b3032319f1fcdb56057e452c60adfa67a7f3a05017f593a5c3d1a8a0280df Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Tue, 29 Aug 2017 09:16:30 +0000 Subject: [PATCH] Accepting request 519292 from home:gary_lin:branches:devel:openSUSE:Factory - Print the debug messages in fallback.efi dynamically - Refresh shim-fallback-workaround-masked-ami-variables.patch - Measure more components and support TPM better OBS-URL: https://build.opensuse.org/request/show/519292 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=132 --- shim-add-fallback-verbose-print.patch | 304 ++++ ...back-workaround-masked-ami-variables.patch | 47 +- shim-more-tpm-measurement.patch | 1263 +++++++++++++++++ shim.changes | 9 + shim.spec | 8 +- 5 files changed, 1592 insertions(+), 39 deletions(-) create mode 100644 shim-add-fallback-verbose-print.patch create mode 100644 shim-more-tpm-measurement.patch diff --git a/shim-add-fallback-verbose-print.patch b/shim-add-fallback-verbose-print.patch new file mode 100644 index 0000000..bbc678f --- /dev/null +++ b/shim-add-fallback-verbose-print.patch @@ -0,0 +1,304 @@ +From 5b7f867367131e758548f9b537b765611ce3d874 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 31 Jul 2017 11:07:06 -0400 +Subject: [PATCH 1/2] fallback: Minor whitespace cleanup + +Signed-off-by: Peter Jones +(cherry picked from commit 87c8f07e98995c7a2bd040e9d7b7c35b15ff05e4) +--- + fallback.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/fallback.c b/fallback.c +index 0a7058b..9ec40b8 100644 +--- a/fallback.c ++++ b/fallback.c +@@ -114,7 +114,7 @@ EFI_STATUS + make_full_path(CHAR16 *dirname, CHAR16 *filename, CHAR16 **out, UINT64 *outlen) + { + UINT64 len; +- ++ + len = StrLen(L"\\EFI\\") + StrLen(dirname) + + StrLen(L"\\") + StrLen(filename) + + 2; +@@ -358,12 +358,12 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 * + rc = make_full_path(dirname, filename, &fullpath, &pathlen); + if (EFI_ERROR(rc)) + return rc; +- ++ + EFI_DEVICE_PATH *dph = NULL; + EFI_DEVICE_PATH *file = NULL; + EFI_DEVICE_PATH *full_device_path = NULL; + EFI_DEVICE_PATH *dp = NULL; +- ++ + dph = DevicePathFromHandle(this_image->DeviceHandle); + if (!dph) { + rc = EFI_OUT_OF_RESOURCES; +-- +2.14.1 + + +From 74608d8f3dded28addbc09046c626f1a02251f3d Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 31 Jul 2017 12:51:46 -0400 +Subject: [PATCH 2/2] Make fallback debug printing be dynamic at runtime. + +Signed-off-by: Peter Jones +(cherry picked from commit c0f7d130746e82613b88cdaa9929fe37aff54c57) +--- + fallback.c | 133 +++++++++++++++++++++++++++++++++++++++++++------------------ + 1 file changed, 94 insertions(+), 39 deletions(-) + +diff --git a/fallback.c b/fallback.c +index 9ec40b8..5602a88 100644 +--- a/fallback.c ++++ b/fallback.c +@@ -15,6 +15,57 @@ + + EFI_LOADED_IMAGE *this_image = NULL; + ++EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }; ++ ++int ++get_fallback_verbose(void) ++{ ++ EFI_GUID guid = SHIM_LOCK_GUID; ++ UINT8 *data = NULL; ++ UINTN dataSize = 0; ++ EFI_STATUS efi_status; ++ unsigned int i; ++ static int state = -1; ++ ++ if (state != -1) ++ return state; ++ ++ efi_status = get_variable(L"FALLBACK_VERBOSE", ++ &data, &dataSize, guid); ++ if (EFI_ERROR(efi_status)) { ++ state = 0; ++ return state; ++ } ++ ++ for (i = 0; i < dataSize; i++) { ++ if (data[i]) { ++ state = 1; ++ return state; ++ } ++ } ++ ++ state = 0; ++ return state; ++} ++ ++#define VerbosePrintUnprefixed(fmt, ...) \ ++ ({ \ ++ UINTN ret_ = 0; \ ++ if (get_fallback_verbose()) \ ++ ret_ = Print((fmt), ##__VA_ARGS__); \ ++ ret_; \ ++ }) ++ ++#define VerbosePrint(fmt, ...) \ ++ ({ UINTN line_ = __LINE__; \ ++ UINTN ret_ = 0; \ ++ if (get_fallback_verbose()) { \ ++ Print(L"%a:%d: ", __func__, line_); \ ++ ret_ = Print((fmt), ##__VA_ARGS__); \ ++ } \ ++ ret_; \ ++ }) ++ + static EFI_STATUS + FindSubDevicePath(EFI_DEVICE_PATH *In, UINT8 Type, UINT8 SubType, + EFI_DEVICE_PATH **Out) +@@ -23,9 +74,18 @@ FindSubDevicePath(EFI_DEVICE_PATH *In, UINT8 Type, UINT8 SubType, + if (!In || !Out) + return EFI_INVALID_PARAMETER; + ++ CHAR16 *dps = DevicePathToStr(In); ++ VerbosePrint(L"input device path: \"%s\"\n", dps); ++ FreePool(dps); ++ + for (dp = In; !IsDevicePathEnd(dp); dp = NextDevicePathNode(dp)) { + if (DevicePathType(dp) == Type && + DevicePathSubType(dp) == SubType) { ++ dps = DevicePathToStr(dp); ++ VerbosePrint(L"sub-path (%hhd,%hhd): \"%s\"\n", ++ Type, SubType, dps); ++ FreePool(dps); ++ + *Out = DuplicateDevicePath(dp); + if (!*Out) + return EFI_OUT_OF_RESOURCES; +@@ -327,13 +387,11 @@ update_boot_order(void) + return EFI_OUT_OF_RESOURCES; + CopyMem(newbootorder, bootorder, size); + +-#ifdef DEBUG_FALLBACK +- Print(L"nbootorder: %d\nBootOrder: ", size / sizeof (CHAR16)); ++ VerbosePrint(L"nbootorder: %d\nBootOrder: ", size / sizeof (CHAR16)); + UINTN j; + for (j = 0 ; j < size / sizeof (CHAR16); j++) +- Print(L"%04x ", newbootorder[j]); ++ VerbosePrintUnprefixed(L"%04x ", newbootorder[j]); + Print(L"\n"); +-#endif + rc = uefi_call_wrapper(RT->GetVariable, 5, L"BootOrder", &global, + NULL, &len, NULL); + if (rc == EFI_BUFFER_TOO_SMALL) +@@ -363,6 +421,7 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 * + EFI_DEVICE_PATH *file = NULL; + EFI_DEVICE_PATH *full_device_path = NULL; + EFI_DEVICE_PATH *dp = NULL; ++ CHAR16 *dps; + + dph = DevicePathFromHandle(this_image->DeviceHandle); + if (!dph) { +@@ -381,6 +440,9 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 * + rc = EFI_OUT_OF_RESOURCES; + goto err; + } ++ dps = DevicePathToStr(full_device_path); ++ VerbosePrint(L"file DP: %s\n", dps); ++ FreePool(dps); + + rc = FindSubDevicePath(full_device_path, + MEDIA_DEVICE_PATH, MEDIA_HARDDRIVE_DP, &dp); +@@ -393,22 +455,24 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 * + } + } + +-#ifdef DEBUG_FALLBACK + { +- UINTN s = DevicePathSize(dp); +- UINTN i; +- UINT8 *dpv = (void *)dp; +- for (i = 0; i < s; i++) { +- if (i > 0 && i % 16 == 0) +- Print(L"\n"); +- Print(L"%02x ", dpv[i]); +- } +- Print(L"\n"); ++ UINTN s = DevicePathSize(dp); ++ UINTN i; ++ UINT8 *dpv = (void *)dp; ++ for (i = 0; i < s; i++) { ++ if (i % 16 == 0) { ++ if (i > 0) ++ VerbosePrintUnprefixed(L"\n"); ++ VerbosePrint(L""); ++ } ++ VerbosePrintUnprefixed(L"%02x ", dpv[i]); ++ } ++ VerbosePrintUnprefixed(L"\n"); + +- CHAR16 *dps = DevicePathToStr(dp); +- Print(L"device path: \"%s\"\n", dps); ++ CHAR16 *dps = DevicePathToStr(dp); ++ VerbosePrint(L"device path: \"%s\"\n", dps); ++ FreePool(dps); + } +-#endif + + UINT16 option; + rc = find_boot_option(dp, full_device_path, fullpath, label, arguments, &option); +@@ -443,35 +507,27 @@ err: + EFI_STATUS + populate_stanza(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 *csv) + { +-#ifdef DEBUG_FALLBACK +- Print(L"CSV data: \"%s\"\n", csv); +-#endif + CHAR16 *file = csv; ++ VerbosePrint(L"CSV data: \"%s\"\n", csv); + + UINTN comma0 = StrCSpn(csv, L","); + if (comma0 == 0) + return EFI_INVALID_PARAMETER; + file[comma0] = L'\0'; +-#ifdef DEBUG_FALLBACK +- Print(L"filename: \"%s\"\n", file); +-#endif ++ VerbosePrint(L"filename: \"%s\"\n", file); + + CHAR16 *label = csv + comma0 + 1; + UINTN comma1 = StrCSpn(label, L","); + if (comma1 == 0) + return EFI_INVALID_PARAMETER; + label[comma1] = L'\0'; +-#ifdef DEBUG_FALLBACK +- Print(L"label: \"%s\"\n", label); +-#endif ++ VerbosePrint(L"label: \"%s\"\n", label); + + CHAR16 *arguments = csv + comma0 +1 + comma1 +1; + UINTN comma2 = StrCSpn(arguments, L","); + arguments[comma2] = L'\0'; + /* This one is optional, so don't check if comma2 is 0 */ +-#ifdef DEBUG_FALLBACK +- Print(L"arguments: \"%s\"\n", arguments); +-#endif ++ VerbosePrint(L"arguments: \"%s\"\n", arguments); + + add_to_boot_list(fh, dirname, file, label, arguments); + +@@ -489,9 +545,7 @@ try_boot_csv(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename) + if (EFI_ERROR(rc)) + return rc; + +-#ifdef DEBUG_FALLBACK +- Print(L"Found file \"%s\"\n", fullpath); +-#endif ++ VerbosePrint(L"Found file \"%s\"\n", fullpath); + + CHAR16 *buffer; + UINT64 bs; +@@ -503,9 +557,7 @@ try_boot_csv(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename) + } + FreePool(fullpath); + +-#ifdef DEBUG_FALLBACK +- Print(L"File looks like:\n%s\n", buffer); +-#endif ++ VerbosePrint(L"File looks like:\n%s\n", buffer); + + CHAR16 *start = buffer; + /* The file may or may not start with the Unicode byte order marker. +@@ -735,9 +787,7 @@ find_boot_options(EFI_HANDLE device) + buffer = NULL; + continue; + } +-#ifdef DEBUG_FALLBACK +- Print(L"Found directory named \"%s\"\n", fi->FileName); +-#endif ++ VerbosePrint(L"Found directory named \"%s\"\n", fi->FileName); + + EFI_FILE_HANDLE fh3; + rc = uefi_call_wrapper(fh->Open, 5, fh2, &fh3, fi->FileName, +@@ -810,7 +860,6 @@ try_start_first_option(EFI_HANDLE parent_image_handle) + return rc; + } + +-EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }; + extern EFI_STATUS + efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *systab); + +@@ -870,6 +919,12 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *systab) + try_start_first_option(image); + + Print(L"Reset System\n"); ++ ++ if (get_fallback_verbose()) { ++ Print(L"Verbose enabled, sleeping for half a second\n"); ++ uefi_call_wrapper(BS->Stall, 1, 500000); ++ } ++ + uefi_call_wrapper(RT->ResetSystem, 4, EfiResetCold, + EFI_SUCCESS, 0, NULL); + +-- +2.14.1 + diff --git a/shim-fallback-workaround-masked-ami-variables.patch b/shim-fallback-workaround-masked-ami-variables.patch index e91e0cb..57e04c3 100644 --- a/shim-fallback-workaround-masked-ami-variables.patch +++ b/shim-fallback-workaround-masked-ami-variables.patch @@ -1,8 +1,8 @@ -From 40eef4450fd4d5ec9ea666a02c276bbe073300d3 Mon Sep 17 00:00:00 2001 +From 38744a099187401f2f5e382c2ce8869e1e9b22a0 Mon Sep 17 00:00:00 2001 From: Lans Zhang Date: Fri, 11 Aug 2017 13:42:20 +0800 -Subject: [PATCH 1/2] fallback: work around the issue of boot option creation - with AMI BIOS +Subject: [PATCH] fallback: work around the issue of boot option creation with + AMI BIOS AMI BIOS (e.g, Intel NUC5i3MYHE) may automatically hide and patch BootXXXX variables with ami_masked_device_path_guid. @@ -42,15 +42,16 @@ We can get the valid device path if just skipping the masked device path and its next end path. Signed-off-by: Lans Zhang +(cherry picked from commit 0cc030c2f2fba53b74fb09466a07b8e6297a52d3) --- fallback.c | 114 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 109 insertions(+), 5 deletions(-) diff --git a/fallback.c b/fallback.c -index 0a7058b..7b58018 100644 +index 5602a88..8c0369f 100644 --- a/fallback.c +++ b/fallback.c -@@ -226,6 +226,105 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp, +@@ -286,6 +286,105 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp, return EFI_OUT_OF_RESOURCES; } @@ -156,7 +157,7 @@ index 0a7058b..7b58018 100644 EFI_STATUS find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp, CHAR16 *filename, CHAR16 *label, CHAR16 *arguments, -@@ -255,7 +354,8 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp, +@@ -315,7 +414,8 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp, EFI_GUID global = EFI_GLOBAL_VARIABLE; EFI_STATUS rc; @@ -166,7 +167,7 @@ index 0a7058b..7b58018 100644 if (!candidate) { FreePool(data); return EFI_OUT_OF_RESOURCES; -@@ -267,17 +367,21 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp, +@@ -327,17 +427,21 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp, varname[6] = hexmap[(bootorder[i] & 0x00f0) >> 4]; varname[7] = hexmap[(bootorder[i] & 0x000f) >> 0]; @@ -193,35 +194,5 @@ index 0a7058b..7b58018 100644 /* at this point, we have duplicate data. */ if (!first_new_option) { -- -2.14.0 - - -From 5efee65f1cb7a04ea9434eedfc0d8a49b0305c83 Mon Sep 17 00:00:00 2001 -From: Gary Lin -Date: Wed, 23 Aug 2017 18:26:00 +0800 -Subject: [PATCH 2/2] fallback: Remove VerbosePrint() - -It's not available in shim 12. - -Signed-off-by: Gary Lin ---- - fallback.c | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/fallback.c b/fallback.c -index 7b58018..701a1c4 100644 ---- a/fallback.c -+++ b/fallback.c -@@ -380,9 +380,6 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp, - } else if (CompareMem(candidate, data, size)) - continue; - -- VerbosePrint(L"Found boot entry \"%s\" with label \"%s\" " -- L"for file \"%s\"\n", varname, label, filename); -- - /* at this point, we have duplicate data. */ - if (!first_new_option) { - first_new_option = DuplicateDevicePath(fulldp); --- -2.14.0 +2.14.1 diff --git a/shim-more-tpm-measurement.patch b/shim-more-tpm-measurement.patch new file mode 100644 index 0000000..81351a8 --- /dev/null +++ b/shim-more-tpm-measurement.patch @@ -0,0 +1,1263 @@ +From 0ed82edaf88e51b2e4da26104202d681bb78f948 Mon Sep 17 00:00:00 2001 +From: Lans Zhang +Date: Wed, 21 Sep 2016 11:17:29 +0800 +Subject: [PATCH 1/9] update verification_method if the loaded image is signed + by shim/vendor cert + +Signed-off-by: Lans Zhang +(cherry picked from commit 6d4498fb3b66621992ef61f163befd1c8374781b) +--- + shim.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/shim.c b/shim.c +index 48c8797..7081be2 100644 +--- a/shim.c ++++ b/shim.c +@@ -1025,6 +1025,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, + cert->Hdr.dwLength - sizeof(cert->Hdr), + shim_cert, sizeof(shim_cert), sha256hash, + SHA256_DIGEST_SIZE)) { ++ update_verification_method(VERIFIED_BY_CERT); + status = EFI_SUCCESS; + return status; + } +@@ -1037,6 +1038,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, + cert->Hdr.dwLength - sizeof(cert->Hdr), + vendor_cert, vendor_cert_size, + sha256hash, SHA256_DIGEST_SIZE)) { ++ update_verification_method(VERIFIED_BY_CERT); + status = EFI_SUCCESS; + return status; + } +-- +2.14.1 + + +From 36719046eba3e92ec91887391648d551412f47db Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Thu, 15 Jun 2017 15:16:04 +0200 +Subject: [PATCH 2/9] shim/tpm: Remove magic numbers + +When measuring data into the TPM and generating events logs, the event +type is set to EV_IPL (0xd), and for TPM1.2 the algorithm will always +be set to SHA-1 (0x4). + +So, add some macro-defined constants for these instead of having them +as magic numbers to make the code more readable. + +Signed-off-by: Javier Martinez Canillas +(cherry picked from commit 9c40fb7c0570430e28c8e5bc34223d6e3a59a929) +--- + tpm.c | 9 ++++----- + tpm.h | 3 +++ + 2 files changed, 7 insertions(+), 5 deletions(-) + +diff --git a/tpm.c b/tpm.c +index 88920bb..99486b1 100644 +--- a/tpm.c ++++ b/tpm.c +@@ -110,7 +110,7 @@ EFI_STATUS tpm_log_event(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 pcr, + event->Header.HeaderSize = sizeof(EFI_TCG2_EVENT_HEADER); + event->Header.HeaderVersion = 1; + event->Header.PCRIndex = pcr; +- event->Header.EventType = 0x0d; ++ event->Header.EventType = EV_IPL; + event->Size = sizeof(*event) - sizeof(event->Event) + strlen(description) + 1; + memcpy(event->Event, description, strlen(description) + 1); + status = uefi_call_wrapper(tpm2->hash_log_extend_event, 5, tpm2, +@@ -119,7 +119,7 @@ EFI_STATUS tpm_log_event(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 pcr, + return status; + } else { + TCG_PCR_EVENT *event; +- UINT32 algorithm, eventnum = 0; ++ UINT32 eventnum = 0; + EFI_PHYSICAL_ADDRESS lastevent; + + status = LibLocateProtocol(&tpm_guid, (VOID **)&tpm); +@@ -138,11 +138,10 @@ EFI_STATUS tpm_log_event(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 pcr, + } + + event->PCRIndex = pcr; +- event->EventType = 0x0d; ++ event->EventType = EV_IPL; + event->EventSize = strlen(description) + 1; +- algorithm = 0x00000004; + status = uefi_call_wrapper(tpm->log_extend_event, 7, tpm, buf, +- (UINT64)size, algorithm, event, ++ (UINT64)size, TPM_ALG_SHA, event, + &eventnum, &lastevent); + FreePool(event); + return status; +diff --git a/tpm.h b/tpm.h +index 7c83644..27cb418 100644 +--- a/tpm.h ++++ b/tpm.h +@@ -1,6 +1,9 @@ + #define EFI_TPM_GUID {0xf541796d, 0xa62e, 0x4954, {0xa7, 0x75, 0x95, 0x84, 0xf6, 0x1b, 0x9c, 0xdd }}; + #define EFI_TPM2_GUID {0x607f766c, 0x7455, 0x42be, {0x93, 0x0b, 0xe4, 0xd7, 0x6d, 0xb2, 0x72, 0x0f }}; + ++#define TPM_ALG_SHA 0x00000004 ++#define EV_IPL 0x0000000d ++ + EFI_STATUS tpm_log_event(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 pcr, + const CHAR8 *description); + +-- +2.14.1 + + +From 69f0b00e0fba6a08455e0e2f72726b73ad0c2cc6 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Thu, 15 Jun 2017 15:16:05 +0200 +Subject: [PATCH 3/9] shim/tpm: Take out GetCapability() call from + tpm2_present() logic + +The EFI_TCG2_PROTOCOL.GetCapability() function is used to learn if a TPM2 +chip is present. But the protocol capability information is also needed +for other reasons, for example to determine what event log formats are +supported by the firmware. + +Take out the GetCapability() call from the tpm2_present() logic and reduce +that function to just checking if a TPM2 chip is available or not, so the +capabilities can later be used to determine the supported TPM log formats. + +Signed-off-by: Javier Martinez Canillas +(cherry picked from commit 0baa915056b6dc3dbea51c045e1e3ef8a0d86a08) +--- + tpm.c | 44 +++++++++++++++++++++++++++++++------------- + 1 file changed, 31 insertions(+), 13 deletions(-) + +diff --git a/tpm.c b/tpm.c +index 99486b1..2ca5845 100644 +--- a/tpm.c ++++ b/tpm.c +@@ -35,29 +35,41 @@ static BOOLEAN tpm_present(efi_tpm_protocol_t *tpm) + return TRUE; + } + +-static BOOLEAN tpm2_present(efi_tpm2_protocol_t *tpm) ++static EFI_STATUS tpm2_get_caps(efi_tpm2_protocol_t *tpm, ++ EFI_TCG2_BOOT_SERVICE_CAPABILITY *caps, ++ BOOLEAN *old_caps) + { + EFI_STATUS status; +- EFI_TCG2_BOOT_SERVICE_CAPABILITY caps; +- TREE_BOOT_SERVICE_CAPABILITY *caps_1_0; + +- caps.Size = (UINT8)sizeof(caps); ++ caps->Size = (UINT8)sizeof(*caps); + +- status = uefi_call_wrapper(tpm->get_capability, 2, tpm, &caps); ++ status = uefi_call_wrapper(tpm->get_capability, 2, tpm, caps); + + if (status != EFI_SUCCESS) +- return FALSE; ++ return status; ++ ++ if (caps->StructureVersion.Major == 1 && ++ caps->StructureVersion.Minor == 0) ++ *old_caps = TRUE; + +- if (caps.StructureVersion.Major == 1 && +- caps.StructureVersion.Minor == 0) { +- caps_1_0 = (TREE_BOOT_SERVICE_CAPABILITY *)∩︀ ++ return EFI_SUCCESS; ++} ++ ++static BOOLEAN tpm2_present(efi_tpm2_protocol_t *tpm, ++ EFI_TCG2_BOOT_SERVICE_CAPABILITY *caps, ++ BOOLEAN old_caps) ++{ ++ TREE_BOOT_SERVICE_CAPABILITY *caps_1_0; ++ ++ if (old_caps) { ++ caps_1_0 = (TREE_BOOT_SERVICE_CAPABILITY *)caps; + if (caps_1_0->TrEEPresentFlag) + return TRUE; +- } else { +- if (caps.TPMPresentFlag) +- return TRUE; + } + ++ if (caps->TPMPresentFlag) ++ return TRUE; ++ + return FALSE; + } + +@@ -90,9 +102,15 @@ EFI_STATUS tpm_log_event(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 pcr, + status = LibLocateProtocol(&tpm2_guid, (VOID **)&tpm2); + /* TPM 2.0 */ + if (status == EFI_SUCCESS) { ++ BOOLEAN old_caps; + EFI_TCG2_EVENT *event; ++ EFI_TCG2_BOOT_SERVICE_CAPABILITY caps; ++ ++ status = tpm2_get_caps(tpm2, &caps, &old_caps); ++ if (status != EFI_SUCCESS) ++ return EFI_SUCCESS; + +- if (!tpm2_present(tpm2)) ++ if (!tpm2_present(tpm2, &caps, old_caps)) + return EFI_SUCCESS; + + status = trigger_tcg2_final_events_table(tpm2); +-- +2.14.1 + + +From 947f9d7e70cc899997a1cfe89ee08152c6f921be Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Thu, 15 Jun 2017 15:16:06 +0200 +Subject: [PATCH 4/9] shim/tpm: Avoid passing an usupported event log format to + GetEventLogs() + +The TCG EFI Protocol Specification for family "2.0" mentions that not all +TPM2 chips may support the EFI_TCG2_EVENT_LOG_FORMAT_TCG_2 (crypto agile) +log format. So instead of always use this log format, the GetCapability() +function should be used to determine which format is supported by the TPM. + +For example, the Intel PTT firmware based TPM found in Lenovo Thinkapd X1 +Carbon (4th gen), only supports SHA-1 (EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2) +log format. So a call to GetEventLog() using the crypto agile format was +returning EFI_INVALID_PARAMETER, making tpm_log_event() function to fail. + +This was preventing shim to correctly measure the second stage bootloader: + +$ tpm2_listpcrs -L 0x04:9 + +Bank/Algorithm: TPM_ALG_SHA1(0x0004) +PCR_09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + +After passing a supported log format to GetEventLog(), it succeeds and so +shim is able to call the HashLogExtendEvent() EFI function correctly: + +$ tpm2_listpcrs -L 0x04:9 + +Bank/Algorithm: TPM_ALG_SHA1(0x0004) +PCR_09: 07 5a 7e d3 75 64 ad 91 1a 34 17 17 c2 34 10 2b 58 5b de b7 + +Signed-off-by: Javier Martinez Canillas +(cherry picked from commit 55c65546e46a78edbe41e88cb4ccbd2522e09625) +--- + tpm.c | 30 +++++++++++++++++++++++++----- + tpm.h | 3 ++- + 2 files changed, 27 insertions(+), 6 deletions(-) + +diff --git a/tpm.c b/tpm.c +index 2ca5845..b2f9c46 100644 +--- a/tpm.c ++++ b/tpm.c +@@ -73,6 +73,17 @@ static BOOLEAN tpm2_present(efi_tpm2_protocol_t *tpm, + return FALSE; + } + ++static inline EFI_TCG2_EVENT_LOG_BITMAP ++tpm2_get_supported_logs(efi_tpm2_protocol_t *tpm, ++ EFI_TCG2_BOOT_SERVICE_CAPABILITY *caps, ++ BOOLEAN old_caps) ++{ ++ if (old_caps) ++ return ((TREE_BOOT_SERVICE_CAPABILITY *)caps)->SupportedEventLogs; ++ ++ return caps->SupportedEventLogs; ++} ++ + /* + * According to TCG EFI Protocol Specification for TPM 2.0 family, + * all events generated after the invocation of EFI_TCG2_GET_EVENT_LOG +@@ -81,15 +92,21 @@ static BOOLEAN tpm2_present(efi_tpm2_protocol_t *tpm, + * internal switch through calling get_event_log() in order to allow + * to retrieve the logs from OS runtime. + */ +-static EFI_STATUS trigger_tcg2_final_events_table(efi_tpm2_protocol_t *tpm2) ++static EFI_STATUS trigger_tcg2_final_events_table(efi_tpm2_protocol_t *tpm2, ++ EFI_TCG2_EVENT_LOG_BITMAP supported_logs) + { ++ EFI_TCG2_EVENT_LOG_FORMAT log_fmt; + EFI_PHYSICAL_ADDRESS start; + EFI_PHYSICAL_ADDRESS end; + BOOLEAN truncated; + +- return uefi_call_wrapper(tpm2->get_event_log, 5, tpm2, +- EFI_TCG2_EVENT_LOG_FORMAT_TCG_2, &start, +- &end, &truncated); ++ if (supported_logs & EFI_TCG2_EVENT_LOG_FORMAT_TCG_2) ++ log_fmt = EFI_TCG2_EVENT_LOG_FORMAT_TCG_2; ++ else ++ log_fmt = EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2; ++ ++ return uefi_call_wrapper(tpm2->get_event_log, 5, tpm2, log_fmt, ++ &start, &end, &truncated); + } + + EFI_STATUS tpm_log_event(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 pcr, +@@ -105,6 +122,7 @@ EFI_STATUS tpm_log_event(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 pcr, + BOOLEAN old_caps; + EFI_TCG2_EVENT *event; + EFI_TCG2_BOOT_SERVICE_CAPABILITY caps; ++ EFI_TCG2_EVENT_LOG_BITMAP supported_logs; + + status = tpm2_get_caps(tpm2, &caps, &old_caps); + if (status != EFI_SUCCESS) +@@ -113,7 +131,9 @@ EFI_STATUS tpm_log_event(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 pcr, + if (!tpm2_present(tpm2, &caps, old_caps)) + return EFI_SUCCESS; + +- status = trigger_tcg2_final_events_table(tpm2); ++ supported_logs = tpm2_get_supported_logs(tpm2, &caps, old_caps); ++ ++ status = trigger_tcg2_final_events_table(tpm2, supported_logs); + if (EFI_ERROR(status)) { + perror(L"Unable to trigger tcg2 final events table: %r\n", status); + return status; +diff --git a/tpm.h b/tpm.h +index 27cb418..cc1bbed 100644 +--- a/tpm.h ++++ b/tpm.h +@@ -122,7 +122,8 @@ typedef struct tdEFI_TCG2_EVENT { + uint8_t Event[1]; + } __attribute__ ((packed)) EFI_TCG2_EVENT; + +-#define EFI_TCG2_EVENT_LOG_FORMAT_TCG_2 0x00000002 ++#define EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2 0x00000001 ++#define EFI_TCG2_EVENT_LOG_FORMAT_TCG_2 0x00000002 + + struct efi_tpm2_protocol + { +-- +2.14.1 + + +From 7518101bcca0213afe1ca94fbedb76a06d644d1d Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 20 Jun 2017 16:41:44 -0400 +Subject: [PATCH 5/9] tpm2_present(): remove unused tpm2 protocol argument. + +Signed-off-by: Peter Jones +(cherry picked from commit 919c17a45fe722dcc2b9bdaba538c738f97f88cd) +--- + tpm.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/tpm.c b/tpm.c +index b2f9c46..c37cc48 100644 +--- a/tpm.c ++++ b/tpm.c +@@ -55,8 +55,7 @@ static EFI_STATUS tpm2_get_caps(efi_tpm2_protocol_t *tpm, + return EFI_SUCCESS; + } + +-static BOOLEAN tpm2_present(efi_tpm2_protocol_t *tpm, +- EFI_TCG2_BOOT_SERVICE_CAPABILITY *caps, ++static BOOLEAN tpm2_present(EFI_TCG2_BOOT_SERVICE_CAPABILITY *caps, + BOOLEAN old_caps) + { + TREE_BOOT_SERVICE_CAPABILITY *caps_1_0; +@@ -128,7 +127,7 @@ EFI_STATUS tpm_log_event(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 pcr, + if (status != EFI_SUCCESS) + return EFI_SUCCESS; + +- if (!tpm2_present(tpm2, &caps, old_caps)) ++ if (!tpm2_present(&caps, old_caps)) + return EFI_SUCCESS; + + supported_logs = tpm2_get_supported_logs(tpm2, &caps, old_caps); +-- +2.14.1 + + +From 4d722aae64e74192c16682caa204c90013cc42c0 Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Mon, 22 May 2017 15:36:48 -0700 +Subject: [PATCH 6/9] Extend PCR 7 + +It's desirable to be able to use PCR 7 for all TPM policy on Secure Boot +systems, but right now Shim doesn't record any information about its +configuration or the signature used to launch the second stage loader. Add +support for that. + +(cherry picked from commit 8af7c4cacaf753f38f2564b26b962a7a2942d664) +--- + shim.c | 41 +++++++++++++++----- + tpm.c | 136 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----- + tpm.h | 16 ++++++++ + 3 files changed, 174 insertions(+), 19 deletions(-) + +diff --git a/shim.c b/shim.c +index 7081be2..f621af9 100644 +--- a/shim.c ++++ b/shim.c +@@ -428,7 +428,8 @@ static BOOLEAN verify_eku(UINT8 *Cert, UINTN CertSize) + static CHECK_STATUS check_db_cert_in_ram(EFI_SIGNATURE_LIST *CertList, + UINTN dbsize, + WIN_CERTIFICATE_EFI_PKCS *data, +- UINT8 *hash) ++ UINT8 *hash, CHAR16 *dbname, ++ EFI_GUID guid) + { + EFI_SIGNATURE_DATA *Cert; + UINTN CertSize; +@@ -446,8 +447,10 @@ static CHECK_STATUS check_db_cert_in_ram(EFI_SIGNATURE_LIST *CertList, + Cert->SignatureData, + CertSize, + hash, SHA256_DIGEST_SIZE); +- if (IsFound) ++ if (IsFound) { ++ tpm_measure_variable(dbname, guid, CertSize, Cert->SignatureData); + return DATA_FOUND; ++ } + } + } else if (verbose) { + console_notify(L"Not a DER encoding x.509 Certificate"); +@@ -477,7 +480,7 @@ static CHECK_STATUS check_db_cert(CHAR16 *dbname, EFI_GUID guid, + + CertList = (EFI_SIGNATURE_LIST *)db; + +- rc = check_db_cert_in_ram(CertList, dbsize, data, hash); ++ rc = check_db_cert_in_ram(CertList, dbsize, data, hash, dbname, guid); + + FreePool(db); + +@@ -489,7 +492,8 @@ static CHECK_STATUS check_db_cert(CHAR16 *dbname, EFI_GUID guid, + */ + static CHECK_STATUS check_db_hash_in_ram(EFI_SIGNATURE_LIST *CertList, + UINTN dbsize, UINT8 *data, +- int SignatureSize, EFI_GUID CertType) ++ int SignatureSize, EFI_GUID CertType, ++ CHAR16 *dbname, EFI_GUID guid) + { + EFI_SIGNATURE_DATA *Cert; + UINTN CertCount, Index; +@@ -505,6 +509,7 @@ static CHECK_STATUS check_db_hash_in_ram(EFI_SIGNATURE_LIST *CertList, + // Find the signature in database. + // + IsFound = TRUE; ++ tpm_measure_variable(dbname, guid, SignatureSize, data); + break; + } + +@@ -545,7 +550,8 @@ static CHECK_STATUS check_db_hash(CHAR16 *dbname, EFI_GUID guid, UINT8 *data, + CertList = (EFI_SIGNATURE_LIST *)db; + + CHECK_STATUS rc = check_db_hash_in_ram(CertList, dbsize, data, +- SignatureSize, CertType); ++ SignatureSize, CertType, ++ dbname, guid); + FreePool(db); + return rc; + +@@ -563,15 +569,18 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert, + EFI_SIGNATURE_LIST *dbx = (EFI_SIGNATURE_LIST *)vendor_dbx; + + if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha256hash, +- SHA256_DIGEST_SIZE, EFI_CERT_SHA256_GUID) == ++ SHA256_DIGEST_SIZE, EFI_CERT_SHA256_GUID, ++ L"dbx", secure_var) == + DATA_FOUND) + return EFI_SECURITY_VIOLATION; + if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha1hash, +- SHA1_DIGEST_SIZE, EFI_CERT_SHA1_GUID) == ++ SHA1_DIGEST_SIZE, EFI_CERT_SHA1_GUID, ++ L"dbx", secure_var) == + DATA_FOUND) + return EFI_SECURITY_VIOLATION; + if (cert && check_db_cert_in_ram(dbx, vendor_dbx_size, cert, +- sha256hash) == DATA_FOUND) ++ sha256hash, L"dbx", ++ secure_var) == DATA_FOUND) + return EFI_SECURITY_VIOLATION; + + if (check_db_hash(L"dbx", secure_var, sha256hash, SHA256_DIGEST_SIZE, +@@ -960,6 +969,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, + EFI_STATUS status = EFI_SECURITY_VIOLATION; + WIN_CERTIFICATE_EFI_PKCS *cert = NULL; + unsigned int size = datasize; ++ EFI_GUID shim_var = SHIM_LOCK_GUID; + + if (context->SecDir->Size != 0) { + if (context->SecDir->Size >= size) { +@@ -1026,6 +1036,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, + shim_cert, sizeof(shim_cert), sha256hash, + SHA256_DIGEST_SIZE)) { + update_verification_method(VERIFIED_BY_CERT); ++ tpm_measure_variable(L"Shim", shim_var, sizeof(shim_cert), shim_cert); + status = EFI_SUCCESS; + return status; + } +@@ -1039,6 +1050,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, + vendor_cert, vendor_cert_size, + sha256hash, SHA256_DIGEST_SIZE)) { + update_verification_method(VERIFIED_BY_CERT); ++ tpm_measure_variable(L"Shim", shim_var, vendor_cert_size, vendor_cert); + status = EFI_SUCCESS; + return status; + } +@@ -1888,7 +1900,11 @@ EFI_STATUS init_grub(EFI_HANDLE image_handle) + } + + /* +- * Measure some of the MOK variables into the TPM ++ * Measure some of the MOK variables into the TPM. We measure the entirety ++ * of MokList into PCR 14, and also measure the raw MokSBState there. PCR 7 ++ * will be extended with MokSBState in the Microsoft format, and we'll ++ * measure any matching hashes or certificates later on in order to behave ++ * consistently with the PCR 7 spec. + */ + EFI_STATUS measure_mok() + { +@@ -1915,9 +1931,14 @@ EFI_STATUS measure_mok() + if (efi_status != EFI_SUCCESS) + return efi_status; + ++ efi_status = tpm_measure_variable(L"MokSBState", shim_lock_guid, ++ DataSize, Data); ++ if (efi_status != EFI_SUCCESS) ++ goto out; ++ + efi_status = tpm_log_event((EFI_PHYSICAL_ADDRESS)(UINTN)Data, + DataSize, 14, (CHAR8 *)"MokSBState"); +- ++out: + FreePool(Data); + + return efi_status; +diff --git a/tpm.c b/tpm.c +index c37cc48..6e3933c 100644 +--- a/tpm.c ++++ b/tpm.c +@@ -14,6 +14,16 @@ extern UINT8 in_protocol; + }) + + ++typedef struct { ++ CHAR16 *VariableName; ++ EFI_GUID *VendorGuid; ++ VOID *Data; ++ UINTN Size; ++} VARIABLE_RECORD; ++ ++UINTN measuredcount = 0; ++VARIABLE_RECORD *measureddata = NULL; ++ + EFI_GUID tpm_guid = EFI_TPM_GUID; + EFI_GUID tpm2_guid = EFI_TPM2_GUID; + +@@ -108,8 +118,9 @@ static EFI_STATUS trigger_tcg2_final_events_table(efi_tpm2_protocol_t *tpm2, + &start, &end, &truncated); + } + +-EFI_STATUS tpm_log_event(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 pcr, +- const CHAR8 *description) ++static EFI_STATUS tpm_log_event_raw(EFI_PHYSICAL_ADDRESS buf, UINTN size, ++ UINT8 pcr, const CHAR8 *log, UINTN logsize, ++ UINT32 type) + { + EFI_STATUS status; + efi_tpm_protocol_t *tpm; +@@ -138,7 +149,7 @@ EFI_STATUS tpm_log_event(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 pcr, + return status; + } + +- event = AllocatePool(sizeof(*event) + strlen(description) + 1); ++ event = AllocatePool(sizeof(*event) + logsize); + if (!event) { + perror(L"Unable to allocate event structure\n"); + return EFI_OUT_OF_RESOURCES; +@@ -147,9 +158,9 @@ EFI_STATUS tpm_log_event(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 pcr, + event->Header.HeaderSize = sizeof(EFI_TCG2_EVENT_HEADER); + event->Header.HeaderVersion = 1; + event->Header.PCRIndex = pcr; +- event->Header.EventType = EV_IPL; +- event->Size = sizeof(*event) - sizeof(event->Event) + strlen(description) + 1; +- memcpy(event->Event, description, strlen(description) + 1); ++ event->Header.EventType = type; ++ event->Size = sizeof(*event) - sizeof(event->Event) + logsize + 1; ++ CopyMem(event->Event, (VOID *)log, logsize); + status = uefi_call_wrapper(tpm2->hash_log_extend_event, 5, tpm2, + 0, buf, (UINT64) size, event); + FreePool(event); +@@ -167,7 +178,7 @@ EFI_STATUS tpm_log_event(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 pcr, + if (!tpm_present(tpm)) + return EFI_SUCCESS; + +- event = AllocatePool(sizeof(*event) + strlen(description) + 1); ++ event = AllocatePool(sizeof(*event) + logsize); + + if (!event) { + perror(L"Unable to allocate event structure\n"); +@@ -175,8 +186,9 @@ EFI_STATUS tpm_log_event(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 pcr, + } + + event->PCRIndex = pcr; +- event->EventType = EV_IPL; +- event->EventSize = strlen(description) + 1; ++ event->EventType = type; ++ event->EventSize = logsize; ++ CopyMem(event->Event, (VOID *)log, logsize); + status = uefi_call_wrapper(tpm->log_extend_event, 7, tpm, buf, + (UINT64)size, TPM_ALG_SHA, event, + &eventnum, &lastevent); +@@ -186,3 +198,109 @@ EFI_STATUS tpm_log_event(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 pcr, + + return EFI_SUCCESS; + } ++EFI_STATUS tpm_log_event(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 pcr, ++ const CHAR8 *description) ++{ ++ return tpm_log_event_raw(buf, size, pcr, description, ++ strlen(description) + 1, 0xd); ++} ++ ++typedef struct { ++ EFI_GUID VariableName; ++ UINT64 UnicodeNameLength; ++ UINT64 VariableDataLength; ++ CHAR16 UnicodeName[1]; ++ INT8 VariableData[1]; ++} EFI_VARIABLE_DATA_TREE; ++ ++static BOOLEAN tpm_data_measured(CHAR16 *VarName, EFI_GUID VendorGuid, UINTN VarSize, VOID *VarData) ++{ ++ UINTN i; ++ ++ for (i=0; iUnicodeName) - ++ sizeof (VarLog->VariableData)); ++ ++ VarLog = (EFI_VARIABLE_DATA_TREE *) AllocateZeroPool (VarLogSize); ++ if (VarLog == NULL) { ++ return EFI_OUT_OF_RESOURCES; ++ } ++ ++ CopyMem (&VarLog->VariableName, &VendorGuid, ++ sizeof(VarLog->VariableName)); ++ VarLog->UnicodeNameLength = VarNameLength; ++ VarLog->VariableDataLength = VarSize; ++ CopyMem (VarLog->UnicodeName, VarName, ++ VarNameLength * sizeof (*VarName)); ++ CopyMem ((CHAR16 *)VarLog->UnicodeName + VarNameLength, VarData, ++ VarSize); ++ ++ Status = tpm_log_event_raw((EFI_PHYSICAL_ADDRESS)VarLog, VarLogSize, 7, ++ (CHAR8 *)VarLog, VarLogSize, ++ EV_EFI_VARIABLE_AUTHORITY); ++ ++ FreePool(VarLog); ++ ++ if (Status != EFI_SUCCESS) ++ return Status; ++ ++ return tpm_record_data_measurement(VarName, VendorGuid, VarSize, ++ VarData); ++} +diff --git a/tpm.h b/tpm.h +index cc1bbed..3769a1d 100644 +--- a/tpm.h ++++ b/tpm.h +@@ -7,6 +7,8 @@ + EFI_STATUS tpm_log_event(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 pcr, + const CHAR8 *description); + ++EFI_STATUS tpm_measure_variable(CHAR16 *dbname, EFI_GUID guid, UINTN size, void *data); ++ + typedef struct { + uint8_t Major; + uint8_t Minor; +@@ -154,3 +156,17 @@ struct efi_tpm2_protocol + }; + + typedef struct efi_tpm2_protocol efi_tpm2_protocol_t; ++ ++typedef UINT32 TCG_EVENTTYPE; ++ ++#define EV_EFI_EVENT_BASE ((TCG_EVENTTYPE) 0x80000000) ++#define EV_EFI_VARIABLE_DRIVER_CONFIG (EV_EFI_EVENT_BASE + 1) ++#define EV_EFI_VARIABLE_BOOT (EV_EFI_EVENT_BASE + 2) ++#define EV_EFI_BOOT_SERVICES_APPLICATION (EV_EFI_EVENT_BASE + 3) ++#define EV_EFI_BOOT_SERVICES_DRIVER (EV_EFI_EVENT_BASE + 4) ++#define EV_EFI_RUNTIME_SERVICES_DRIVER (EV_EFI_EVENT_BASE + 5) ++#define EV_EFI_GPT_EVENT (EV_EFI_EVENT_BASE + 6) ++#define EV_EFI_ACTION (EV_EFI_EVENT_BASE + 7) ++#define EV_EFI_PLATFORM_FIRMWARE_BLOB (EV_EFI_EVENT_BASE + 8) ++#define EV_EFI_HANDOFF_TABLES (EV_EFI_EVENT_BASE + 9) ++#define EV_EFI_VARIABLE_AUTHORITY (EV_EFI_EVENT_BASE + 0xE0) +-- +2.14.1 + + +From 6572858b0c39cd8ba32e7e0d3f6791ccbe4d69c7 Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Wed, 12 Jul 2017 15:29:24 -0700 +Subject: [PATCH 7/9] Measure stage 2 according to spec + +We're currently measuring the raw second stage loader into PCR 9, but +we're closer to spec if we measure the semi-parsed PE into PCR 4. The +hash that's logged is the same as the hash used for the Authenticode +validation, so refactor shim.c a little to separate out the hash +generation. + +(cherry picked from commit 22f2737535ca09faf48762df89b61e81b8d4a2f8) +--- + shim.c | 30 +++++++++++++++++++++--------- + tpm.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++-------- + tpm.h | 15 +++++++++++++++ + 3 files changed, 83 insertions(+), 17 deletions(-) + +diff --git a/shim.c b/shim.c +index f621af9..8feed6d 100644 +--- a/shim.c ++++ b/shim.c +@@ -962,10 +962,9 @@ static EFI_STATUS verify_mok (void) { + * Check that the signature is valid and matches the binary + */ + static EFI_STATUS verify_buffer (char *data, int datasize, +- PE_COFF_LOADER_IMAGE_CONTEXT *context) ++ PE_COFF_LOADER_IMAGE_CONTEXT *context, ++ UINT8 *sha256hash, UINT8 *sha1hash) + { +- UINT8 sha256hash[SHA256_DIGEST_SIZE]; +- UINT8 sha1hash[SHA1_DIGEST_SIZE]; + EFI_STATUS status = EFI_SECURITY_VIOLATION; + WIN_CERTIFICATE_EFI_PKCS *cert = NULL; + unsigned int size = datasize; +@@ -1206,6 +1205,8 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, + unsigned int alignment, alloc_size; + EFI_PHYSICAL_ADDRESS alloc_address; + int found_entry_point = 0; ++ UINT8 sha1hash[SHA1_DIGEST_SIZE]; ++ UINT8 sha256hash[SHA256_DIGEST_SIZE]; + + /* + * The binary header contains relevant context and section pointers +@@ -1219,8 +1220,17 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, + /* + * We only need to verify the binary if we're in secure mode + */ ++ efi_status = generate_hash(data, datasize, &context, sha256hash, ++ sha1hash); ++ if (efi_status != EFI_SUCCESS) ++ return efi_status; ++ ++ /* Measure the binary into the TPM */ ++ tpm_log_pe((EFI_PHYSICAL_ADDRESS)(UINTN)data, datasize, sha1hash, 4); ++ + if (secure_mode ()) { +- efi_status = verify_buffer(data, datasize, &context); ++ efi_status = verify_buffer(data, datasize, &context, ++ sha256hash, sha1hash); + + if (EFI_ERROR(efi_status)) { + console_error(L"Verification failed", efi_status); +@@ -1711,6 +1721,8 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size) + { + EFI_STATUS status = EFI_SUCCESS; + PE_COFF_LOADER_IMAGE_CONTEXT context; ++ UINT8 sha1hash[SHA1_DIGEST_SIZE]; ++ UINT8 sha256hash[SHA256_DIGEST_SIZE]; + + loader_is_participating = 1; + in_protocol = 1; +@@ -1722,7 +1734,11 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size) + if (status != EFI_SUCCESS) + goto done; + +- status = verify_buffer(buffer, size, &context); ++ status = generate_hash(buffer, size, &context, sha256hash, sha1hash); ++ if (status != EFI_SUCCESS) ++ goto done; ++ ++ status = verify_buffer(buffer, size, &context, sha256hash, sha1hash); + done: + in_protocol = 0; + return status; +@@ -1826,10 +1842,6 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) + } + } + +- /* Measure the binary into the TPM */ +- tpm_log_event((EFI_PHYSICAL_ADDRESS)(UINTN)data, datasize, +- 9, (CHAR8 *)"Second stage bootloader"); +- + /* + * We need to modify the loaded image protocol entry before running + * the new binary, so back it up +diff --git a/tpm.c b/tpm.c +index 6e3933c..af6b126 100644 +--- a/tpm.c ++++ b/tpm.c +@@ -120,7 +120,7 @@ static EFI_STATUS trigger_tcg2_final_events_table(efi_tpm2_protocol_t *tpm2, + + static EFI_STATUS tpm_log_event_raw(EFI_PHYSICAL_ADDRESS buf, UINTN size, + UINT8 pcr, const CHAR8 *log, UINTN logsize, +- UINT32 type) ++ UINT32 type, CHAR8 *hash) + { + EFI_STATUS status; + efi_tpm_protocol_t *tpm; +@@ -161,8 +161,18 @@ static EFI_STATUS tpm_log_event_raw(EFI_PHYSICAL_ADDRESS buf, UINTN size, + event->Header.EventType = type; + event->Size = sizeof(*event) - sizeof(event->Event) + logsize + 1; + CopyMem(event->Event, (VOID *)log, logsize); +- status = uefi_call_wrapper(tpm2->hash_log_extend_event, 5, tpm2, +- 0, buf, (UINT64) size, event); ++ if (hash) { ++ /* TPM 2 systems will generate the appropriate hash ++ themselves if we pass PE_COFF_IMAGE ++ */ ++ status = uefi_call_wrapper(tpm2->hash_log_extend_event, ++ 5, tpm2, PE_COFF_IMAGE, buf, ++ (UINT64) size, event); ++ } else { ++ status = uefi_call_wrapper(tpm2->hash_log_extend_event, ++ 5, tpm2, 0, buf, ++ (UINT64) size, event); ++ } + FreePool(event); + return status; + } else { +@@ -189,9 +199,21 @@ static EFI_STATUS tpm_log_event_raw(EFI_PHYSICAL_ADDRESS buf, UINTN size, + event->EventType = type; + event->EventSize = logsize; + CopyMem(event->Event, (VOID *)log, logsize); +- status = uefi_call_wrapper(tpm->log_extend_event, 7, tpm, buf, +- (UINT64)size, TPM_ALG_SHA, event, +- &eventnum, &lastevent); ++ if (hash) { ++ /* TPM 1.2 devices require us to pass the Authenticode ++ hash rather than allowing the firmware to attempt ++ to calculate it */ ++ CopyMem(event->digest, hash, sizeof(event->digest)); ++ status = uefi_call_wrapper(tpm->log_extend_event, 7, ++ tpm, 0, 0, TPM_ALG_SHA, ++ event, &eventnum, ++ &lastevent); ++ } else { ++ status = uefi_call_wrapper(tpm->log_extend_event, 7, ++ tpm, buf, (UINT64)size, ++ TPM_ALG_SHA, event, ++ &eventnum, &lastevent); ++ } + FreePool(event); + return status; + } +@@ -202,7 +224,24 @@ EFI_STATUS tpm_log_event(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 pcr, + const CHAR8 *description) + { + return tpm_log_event_raw(buf, size, pcr, description, +- strlen(description) + 1, 0xd); ++ strlen(description) + 1, 0xd, NULL); ++} ++ ++EFI_STATUS tpm_log_pe(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 *sha1hash, ++ UINT8 pcr) ++{ ++ EFI_IMAGE_LOAD_EVENT ImageLoad; ++ ++ // All of this is informational and forces us to do more parsing before ++ // we can generate it, so let's just leave it out for now ++ ImageLoad.ImageLocationInMemory = 0; ++ ImageLoad.ImageLengthInMemory = 0; ++ ImageLoad.ImageLinkTimeAddress = 0; ++ ImageLoad.LengthOfDevicePath = 0; ++ ++ return tpm_log_event_raw(buf, size, pcr, (CHAR8 *)&ImageLoad, ++ sizeof(ImageLoad), ++ EV_EFI_BOOT_SERVICES_APPLICATION, sha1hash); + } + + typedef struct { +@@ -294,7 +333,7 @@ EFI_STATUS tpm_measure_variable(CHAR16 *VarName, EFI_GUID VendorGuid, UINTN VarS + + Status = tpm_log_event_raw((EFI_PHYSICAL_ADDRESS)VarLog, VarLogSize, 7, + (CHAR8 *)VarLog, VarLogSize, +- EV_EFI_VARIABLE_AUTHORITY); ++ EV_EFI_VARIABLE_AUTHORITY, NULL); + + FreePool(VarLog); + +diff --git a/tpm.h b/tpm.h +index 3769a1d..e3c2b92 100644 +--- a/tpm.h ++++ b/tpm.h +@@ -1,3 +1,5 @@ ++#include ++ + #define EFI_TPM_GUID {0xf541796d, 0xa62e, 0x4954, {0xa7, 0x75, 0x95, 0x84, 0xf6, 0x1b, 0x9c, 0xdd }}; + #define EFI_TPM2_GUID {0x607f766c, 0x7455, 0x42be, {0x93, 0x0b, 0xe4, 0xd7, 0x6d, 0xb2, 0x72, 0x0f }}; + +@@ -7,6 +9,9 @@ + EFI_STATUS tpm_log_event(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 pcr, + const CHAR8 *description); + ++EFI_STATUS tpm_log_pe(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 *sha1hash, ++ UINT8 pcr); ++ + EFI_STATUS tpm_measure_variable(CHAR16 *dbname, EFI_GUID guid, UINTN size, void *data); + + typedef struct { +@@ -33,6 +38,14 @@ typedef struct _TCG_PCR_EVENT { + uint8_t Event[1]; + } TCG_PCR_EVENT; + ++typedef struct _EFI_IMAGE_LOAD_EVENT { ++ EFI_PHYSICAL_ADDRESS ImageLocationInMemory; ++ UINTN ImageLengthInMemory; ++ UINTN ImageLinkTimeAddress; ++ UINTN LengthOfDevicePath; ++ EFI_DEVICE_PATH DevicePath[1]; ++} EFI_IMAGE_LOAD_EVENT; ++ + struct efi_tpm_protocol + { + EFI_STATUS (EFIAPI *status_check) (struct efi_tpm_protocol *this, +@@ -170,3 +183,5 @@ typedef UINT32 TCG_EVENTTYPE; + #define EV_EFI_PLATFORM_FIRMWARE_BLOB (EV_EFI_EVENT_BASE + 8) + #define EV_EFI_HANDOFF_TABLES (EV_EFI_EVENT_BASE + 9) + #define EV_EFI_VARIABLE_AUTHORITY (EV_EFI_EVENT_BASE + 0xE0) ++ ++#define PE_COFF_IMAGE 0x0000000000000010 +-- +2.14.1 + + +From c40cc115a60da33ce2291149471bfd740981bc37 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 1 Aug 2017 11:19:33 -0400 +Subject: [PATCH 8/9] Always measure all of MokSBState, MokList, and MokListX + +Even if errors occurred, always try to measure all of our Mok entries. +This way we won't fail on e.g. MokList not being set. + +Signed-off-by: Peter Jones +(cherry picked from commit bdc5d3ec9ca5e0f270dc583c86ef8916ee70ac39) +--- + shim.c | 56 +++++++++++++++++++++++++++++++++++++------------------- + 1 file changed, 37 insertions(+), 19 deletions(-) + +diff --git a/shim.c b/shim.c +index 8feed6d..32aa521 100644 +--- a/shim.c ++++ b/shim.c +@@ -1921,37 +1921,55 @@ EFI_STATUS init_grub(EFI_HANDLE image_handle) + EFI_STATUS measure_mok() + { + EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; +- EFI_STATUS efi_status; ++ EFI_STATUS efi_status, ret = EFI_SUCCESS; + UINT8 *Data = NULL; + UINTN DataSize = 0; + + efi_status = get_variable(L"MokList", &Data, &DataSize, shim_lock_guid); +- if (efi_status != EFI_SUCCESS) +- return efi_status; ++ if (!EFI_ERROR(efi_status)) { ++ efi_status = tpm_log_event((EFI_PHYSICAL_ADDRESS)(UINTN)Data, ++ DataSize, 14, (CHAR8 *)"MokList"); ++ FreePool(Data); + +- efi_status = tpm_log_event((EFI_PHYSICAL_ADDRESS)(UINTN)Data, +- DataSize, 14, (CHAR8 *)"MokList"); ++ if (EFI_ERROR(efi_status)) ++ ret = efi_status; + +- FreePool(Data); ++ } else { ++ ret = efi_status; ++ } + +- if (efi_status != EFI_SUCCESS) +- return efi_status; ++ efi_status = get_variable(L"MokListX", &Data, &DataSize, shim_lock_guid); ++ if (!EFI_ERROR(efi_status)) { ++ efi_status = tpm_log_event((EFI_PHYSICAL_ADDRESS)(UINTN)Data, ++ DataSize, 14, (CHAR8 *)"MokListX"); ++ FreePool(Data); ++ ++ if (EFI_ERROR(efi_status) && !EFI_ERROR(ret)) ++ ret = efi_status; ++ ++ } else if (!EFI_ERROR(ret)) { ++ ret = efi_status; ++ } + + efi_status = get_variable(L"MokSBState", &Data, &DataSize, + shim_lock_guid); ++ if (!EFI_ERROR(efi_status)) { ++ efi_status = tpm_measure_variable(L"MokSBState", ++ shim_lock_guid, ++ DataSize, Data); ++ if (!EFI_ERROR(efi_status)) { ++ efi_status = tpm_log_event((EFI_PHYSICAL_ADDRESS) ++ (UINTN)Data, DataSize, 14, ++ (CHAR8 *)"MokSBState"); ++ } + +- if (efi_status != EFI_SUCCESS) +- return efi_status; +- +- efi_status = tpm_measure_variable(L"MokSBState", shim_lock_guid, +- DataSize, Data); +- if (efi_status != EFI_SUCCESS) +- goto out; ++ FreePool(Data); + +- efi_status = tpm_log_event((EFI_PHYSICAL_ADDRESS)(UINTN)Data, +- DataSize, 14, (CHAR8 *)"MokSBState"); +-out: +- FreePool(Data); ++ if (EFI_ERROR(efi_status) && !EFI_ERROR(ret)) ++ ret = efi_status; ++ } else if (!EFI_ERROR(ret)) { ++ ret = efi_status; ++ } + + return efi_status; + } +-- +2.14.1 + + +From de680d100d94d613be32168fcefa0f47868ba07c Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 31 Jul 2017 13:10:41 -0400 +Subject: [PATCH 9/9] Make fallback aware of tpm measurements, and reboot if + tpm is used. + +Since booting the entry with fallback in the stack of things that got +measured will result in all the wrong PCR values, in the cases where TPM +is present and enabled, use ->Reset() instead of loading the Boot#### +variable and executing its target. + +Signed-off-by: Peter Jones +(cherry picked from commit 431b8a2e75a71a0b1f47d47d3f045b1e3efbce53) +--- + Makefile | 2 +- + fallback.c | 9 +++++++- + tpm.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++----------- + tpm.h | 1 + + 4 files changed, 68 insertions(+), 14 deletions(-) + +diff --git a/Makefile b/Makefile +index d518615..05e8f46 100644 +--- a/Makefile ++++ b/Makefile +@@ -85,7 +85,7 @@ KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim + SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h tpm.c tpm.h version.c version.h + MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o + MOK_SOURCES = MokManager.c shim.h include/console.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h +-FALLBACK_OBJS = fallback.o ++FALLBACK_OBJS = fallback.o tpm.o + FALLBACK_SRCS = fallback.c + + ifneq ($(origin ENABLE_HTTPBOOT), undefined) +diff --git a/fallback.c b/fallback.c +index 8c0369f..55ce79f 100644 +--- a/fallback.c ++++ b/fallback.c +@@ -12,6 +12,7 @@ + + #include "ucs2.h" + #include "variables.h" ++#include "tpm.h" + + EFI_LOADED_IMAGE *this_image = NULL; + +@@ -1020,7 +1021,13 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *systab) + return rc; + } + +- try_start_first_option(image); ++ rc = fallback_should_prefer_reset(); ++ if (EFI_ERROR(rc)) { ++ VerbosePrint(L"tpm not present, starting the first image\n"); ++ try_start_first_option(image); ++ } else { ++ VerbosePrint(L"tpm present, resetting system\n"); ++ } + + Print(L"Reset System\n"); + +diff --git a/tpm.c b/tpm.c +index af6b126..0a36e1c 100644 +--- a/tpm.c ++++ b/tpm.c +@@ -118,28 +118,60 @@ static EFI_STATUS trigger_tcg2_final_events_table(efi_tpm2_protocol_t *tpm2, + &start, &end, &truncated); + } + +-static EFI_STATUS tpm_log_event_raw(EFI_PHYSICAL_ADDRESS buf, UINTN size, +- UINT8 pcr, const CHAR8 *log, UINTN logsize, +- UINT32 type, CHAR8 *hash) ++static EFI_STATUS tpm_locate_protocol(efi_tpm_protocol_t **tpm, ++ efi_tpm2_protocol_t **tpm2, ++ BOOLEAN *old_caps_p, ++ EFI_TCG2_BOOT_SERVICE_CAPABILITY *capsp) + { + EFI_STATUS status; +- efi_tpm_protocol_t *tpm; +- efi_tpm2_protocol_t *tpm2; + +- status = LibLocateProtocol(&tpm2_guid, (VOID **)&tpm2); ++ *tpm = NULL; ++ *tpm2 = NULL; ++ status = LibLocateProtocol(&tpm2_guid, (VOID **)tpm2); + /* TPM 2.0 */ + if (status == EFI_SUCCESS) { + BOOLEAN old_caps; +- EFI_TCG2_EVENT *event; + EFI_TCG2_BOOT_SERVICE_CAPABILITY caps; +- EFI_TCG2_EVENT_LOG_BITMAP supported_logs; + +- status = tpm2_get_caps(tpm2, &caps, &old_caps); +- if (status != EFI_SUCCESS) ++ status = tpm2_get_caps(*tpm2, &caps, &old_caps); ++ if (EFI_ERROR(status)) ++ return status; ++ ++ if (tpm2_present(&caps, old_caps)) { ++ if (old_caps_p) ++ *old_caps_p = old_caps; ++ if (capsp) ++ memcpy(capsp, &caps, sizeof(caps)); + return EFI_SUCCESS; ++ } ++ } else { ++ status = LibLocateProtocol(&tpm_guid, (VOID **)tpm); ++ if (EFI_ERROR(status)) ++ return status; + +- if (!tpm2_present(&caps, old_caps)) ++ if (tpm_present(*tpm)) + return EFI_SUCCESS; ++ } ++ ++ return EFI_NOT_FOUND; ++} ++ ++static EFI_STATUS tpm_log_event_raw(EFI_PHYSICAL_ADDRESS buf, UINTN size, ++ UINT8 pcr, const CHAR8 *log, UINTN logsize, ++ UINT32 type, CHAR8 *hash) ++{ ++ EFI_STATUS status; ++ efi_tpm_protocol_t *tpm; ++ efi_tpm2_protocol_t *tpm2; ++ BOOLEAN old_caps; ++ EFI_TCG2_BOOT_SERVICE_CAPABILITY caps; ++ ++ status = tpm_locate_protocol(&tpm, &tpm2, &old_caps, &caps); ++ if (EFI_ERROR(status)) { ++ return status; ++ } else if (tpm2) { ++ EFI_TCG2_EVENT *event; ++ EFI_TCG2_EVENT_LOG_BITMAP supported_logs; + + supported_logs = tpm2_get_supported_logs(tpm2, &caps, old_caps); + +@@ -175,7 +207,7 @@ static EFI_STATUS tpm_log_event_raw(EFI_PHYSICAL_ADDRESS buf, UINTN size, + } + FreePool(event); + return status; +- } else { ++ } else if (tpm) { + TCG_PCR_EVENT *event; + UINT32 eventnum = 0; + EFI_PHYSICAL_ADDRESS lastevent; +@@ -220,6 +252,7 @@ static EFI_STATUS tpm_log_event_raw(EFI_PHYSICAL_ADDRESS buf, UINTN size, + + return EFI_SUCCESS; + } ++ + EFI_STATUS tpm_log_event(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 pcr, + const CHAR8 *description) + { +@@ -343,3 +376,16 @@ EFI_STATUS tpm_measure_variable(CHAR16 *VarName, EFI_GUID VendorGuid, UINTN VarS + return tpm_record_data_measurement(VarName, VendorGuid, VarSize, + VarData); + } ++ ++EFI_STATUS ++fallback_should_prefer_reset(void) ++{ ++ EFI_STATUS status; ++ efi_tpm_protocol_t *tpm; ++ efi_tpm2_protocol_t *tpm2; ++ ++ status = tpm_locate_protocol(&tpm, &tpm2, NULL, NULL); ++ if (EFI_ERROR(status)) ++ return EFI_NOT_FOUND; ++ return EFI_SUCCESS; ++} +diff --git a/tpm.h b/tpm.h +index e3c2b92..d11b545 100644 +--- a/tpm.h ++++ b/tpm.h +@@ -8,6 +8,7 @@ + + EFI_STATUS tpm_log_event(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 pcr, + const CHAR8 *description); ++EFI_STATUS fallback_should_prefer_reset(void); + + EFI_STATUS tpm_log_pe(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 *sha1hash, + UINT8 pcr); +-- +2.14.1 + diff --git a/shim.changes b/shim.changes index de3e011..461ee70 100644 --- a/shim.changes +++ b/shim.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Tue Aug 29 08:44:25 UTC 2017 - glin@suse.com + +- Add shim-add-fallback-verbose-print.patch to print the debug + messages in fallback.efi dynamically +- Refresh shim-fallback-workaround-masked-ami-variables.patch +- Add shim-more-tpm-measurement.patch to measure more components + and support TPM better + ------------------------------------------------------------------- Wed Aug 23 10:28:44 UTC 2017 - glin@suse.com diff --git a/shim.spec b/shim.spec index 8223594..8a68f78 100644 --- a/shim.spec +++ b/shim.spec @@ -53,8 +53,12 @@ Patch3: shim-fix-httpboot-crash.patch Patch4: shim-fix-openssl-flags.patch # PATCH-FIX-UPSTREAM shim-fix-fallback-double-free.patch glin@suse.com -- Fix double free in fallback.c Patch5: shim-fix-fallback-double-free.patch +# PATCH-FIX-UPSTREAM shim-add-fallback-verbose-print.patch glin@suse.com -- Print debug messages dynamically +Patch6: shim-add-fallback-verbose-print.patch # PATCH-FIX-UPSTREAM shim-fallback-workaround-masked-ami-variables.patch glin@suse.com -- Work around the masked AMI variables -Patch6: shim-fallback-workaround-masked-ami-variables.patch +Patch7: shim-fallback-workaround-masked-ami-variables.patch +# PATCH-FIX-UPSTREAM shim-more-tpm-measurement.patch glin@suse.com -- Measure more components for TPM +Patch8: shim-more-tpm-measurement.patch # PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch glin@suse.com -- Change the default debug file path Patch50: shim-change-debug-file-path.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not @@ -108,6 +112,8 @@ Authors: %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 +%patch8 -p1 %patch50 -p1 %if 0%{?is_opensuse} == 1 %patch100 -p1