Accepting request 221745 from home:gary_lin:branches:devel:openSUSE:Factory

- Update shim-mokx-support.patch to support the resetting of MOK blacklist
- Fix the variable checking in get_variable_attr
- Improve the boot entry pathes and avoid generating the boot entries that are already there
- Update SUSE certificate
- Update scritps to remove the creation of the temporary nss database
- Remove the kernel version of the build server
- Match the the prefix of the project name properly by escaping the percent sign.

OBS-URL: https://build.opensuse.org/request/show/221745
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=57

SLES-UEFI-CA-Certificate.crt

@@ -1,39 +1,29 @@
 -----BEGIN CERTIFICATE-----
-MIIG5TCCBM2gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT
+MIIE5TCCA82gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT
 RSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTES
 MBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3Rz
 IEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxk
-QHN1c2UuZGUwHhcNMTMwMTIyMTQyMDA4WhcNMzQxMjE4MTQyMDA4WjCBpjEtMCsG
+QHN1c2UuZGUwHhcNMTMwNDE4MTQzMzQxWhcNMzUwMzE0MTQzMzQxWjCBpjEtMCsG
 A1UEAwwkU1VTRSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYD
 VQQGEwJERTESMBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4
 IFByb2R1Y3RzIEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0B
-CQEWDWJ1aWxkQHN1c2UuZGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
-AQCrLYL1Uq02iIgro6x6PFESFDtUKU7xO/bJanI7+AQAroowFuLBI67BBSmoq3hR
-QnH3OtQusGV8y+wvjaaunppvWMfjViZ88zssj5fKXrDr5U6BB566DJgHreWaEs2d
-FD13XpKRr3Nk9zdjAJu5YsR7hI1NMXsnj1X8w71OY9HLjv+Kq9917PJwZQjOGnAJ
-BQTi0ogHuLiwDqMKgg5rrYD4cJDPzoLEmEXnwHDIOSiWdD0bCzhN6GQDKldIxQ2O
-d/mjUgzB+dWslIb+bUKaoJgDtyPV20W74t7Y2uwoaEVr9QkPoM3tOPttf4qsWo8B
-J1TgeoF01ZeKcvSyvOXCKbfAN9sqURK2ZUTNThqZ//VPQmJP6fByrMJsbvTOSsQt
-HI+fFPrg1DC2KT8SzuGtWDRscHZ7MofvUKEQolVgkGwp8u68t/RAAwDpUdqIajzi
-yfp9qSDD+9uMeyiLa4rrAr2ATGohNBa0qha95slgvSepXbYKuHG5b4fWMsG7z4Uc
-dqE2vK8cQma1nsAeQBaq2/89294TOHEzKyspesfCBCnKQ3q+l9xelYRdvapj1CH/
-cfUZf2/6X3VHN1P88RfRrPubswmrcOCEBT41upa2WKRDJ1GS6YhL6LJnrZSTjfe+
-KsfNVS1D+KqSKiK0hfk6YK6O88mMGeAKQs3Ap8WthBLf0QIDAQABo4IBGjCCARYw
-DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUPU1Az5OFOQJLHPxaEt7f6LF+dV8w
-gdMGA1UdIwSByzCByIAUPU1Az5OFOQJLHPxaEt7f6LF+dV+hgaykgakwgaYxLTAr
-BgNVBAMMJFNVU0UgTGludXggRW50ZXJwcmlzZSBTZWN1cmUgQm9vdCBDQTELMAkG
-A1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UECgwYU1VTRSBMaW51
-eCBQcm9kdWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFtMRwwGgYJKoZIhvcN
-AQkBFg1idWlsZEBzdXNlLmRlggEBMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0B
-AQsFAAOCAgEANtdMT47CjQtuERYa5jfygIO5F+urB4fl8pYcQQ/hTPE0KtAnAtrS
-1strtMrVQ1t7Wu3fVbWYA6MZMXXkcwyyNbaWfj6roaSC6G5ZqCJ69oSyzaCbyaTI
-eOgzIIiVGOAj7tiM6T88Xp9qx4Xa3F6UQHF6xfwBT3nNKerGKOG01p7mBfBewwO5
-Hxp7OAZmennUxV1uuT5/AsArxw9lMlawXhIAS7tRYHW+32D4tjHPDycldOw1hBjt
-z5JdehBiTmxhJ6onl0HSpsX84IMSbkeFIxLfxIF0TNas1pGnSGmh8FcV+ck9js3P
-yamJcNkgCstIwo3QZ2D5YdtQjOusyEuGjCIpDIQx36OMzeOo0SayOdzb2dSmcrHv
-4DIkXDUELyIzu79A2R2KR7OQaGL6HGAVy6+yXHHygTbbUrb6ck2+aOG8913ChABc
-ZAiSFFRKVZzzj7FeIxZNA8GBUbhd20eQB2fUXDypeAnTG6P3dtTs84xNb1qGm3VC
-OAKjkWYQijLWmAOs9Q4NM/AXOeDTgXxA7iX7kWHRNeDbACirp7zM2ZOIP5ObIS6z
-yMqcG9DecSVbXiH3MJDTBoB1idQTTyreqpM/l6N8xNNVjEiLJGMEM1SeYq6S1lFV
-a+GcdOaLYkh7ya3I42l/tDOqH2OLIf7FEtocnc1xU6jTz8au1tZxec8=
+CQEWDWJ1aWxkQHN1c2UuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQDN/avXKoT4gcM2NVA1LMfsBPH01sxgS8gTs3SbvfbEP2M+ZlHyfj9ufHZ7cZ1p
+ISoVm6ql5VbIeZgSNc17Y4y4Nynud1C8t2SP/iZK5YMYHGxdtIfv1zPE+Bo/KZqE
+WgHg2YFtMXdiKfXBZRTfSh37t0pGO/OQi6K4JioKw55UtQNggePZWDXtsAviT2vv
+abqLR9+kxdrQ0iWqhWM+LwXbTGkCpg41s8KucLD/JYAxxw05dKPApFDNnz+Ft2L7
+e5JtyB4S0u4PlvQBMNHt4hDs0rK4oeHFLbOxHvjF+nloneWhkg9eT0VCfpAYVYz+
+whMxuCHerDCdmeFrRGEMQz11AgMBAAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/
+MB0GA1UdDgQWBBTsqw1CxFbPdwQ2uXOZOGKWXocmLzCB0wYDVR0jBIHLMIHIgBTs
+qw1CxFbPdwQ2uXOZOGKWXocmL6GBrKSBqTCBpjEtMCsGA1UEAwwkU1VTRSBMaW51
+eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTESMBAGA1UE
+BwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3RzIEdtYkgx
+EzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxkQHN1c2Uu
+ZGWCAQEwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQASviyFhVqU
+Wc1JUQgXwdljJynTnp0/FQOZJBSe7XdBGPmy91+3ITqrXgyqo/218KISiQl53Qlw
+pq+cIiGRAia1D7p7wbg7wsg+Trt0zZFXes30wfYq5pjfWadEBAgNCffkBz10TSjL
+jQrVwW5N+yUJMoq+r843TzV56Huy6LBOVhI5yTz7X7i2rSJYfyQWM8oeHLj8Yl5M
+rOB9gyTumxB4mOLmSqwKzJiUB0ppGPohdLUSSEKDdo6KSH/GjR7M7uBicwnzwJD3
+SVfT9nx9HKF2nXZlHvs5ViQQru3qP1tc6i0eXEnPTYW2+zkZcN0e5iHyozEZHsO0
+rvc1p6G0YWtO
 -----END CERTIFICATE-----

attach_signature.sh

@@ -11,13 +11,4 @@ fi
 
 outfile="${infile%.efi}-signed.efi"
 
-nssdir=`mktemp -d`
-cleanup()
-{
-	rm -r "$nssdir"
-}
-trap cleanup EXIT
-echo > "$nssdir/pw"
-certutil -f "$nssdir/pw" -d "$nssdir" -N
-
-pesign -n "$nssdir" -m "$sig" -i "$infile" -o "$outfile"
+pesign -m "$sig" -i "$infile" -o "$outfile"

extract_signature.sh

@@ -9,16 +9,7 @@ if [ -z "$infile" -o ! -e "$infile" ]; then
 	exit 1
 fi
 
-nssdir=`mktemp -d`
-cleanup()
-{
-	rm -r "$nssdir"
-}
-trap cleanup EXIT
-echo > "$nssdir/pw"
-certutil -f "$nssdir/pw" -d "$nssdir" -N
-
 # wtf?
-(pesign -n "$nssdir" -h -P -i "$infile";
+(pesign -h -P -i "$infile";
 perl $(dirname $0)/timestamp.pl "$infile";
-pesign -n "$nssdir" -a -f -e /dev/stdout -i "$infile")|cat
+pesign -a -f -e /dev/stdout -i "$infile")|cat

shim-fallback-improve-entries-creation.patch

@@ -0,0 +1,365 @@
+From 9ba08c4e8e7cf9b001497a0752652e0ece0b2b84 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 31 Jan 2014 10:30:24 -0500
+Subject: [PATCH 1/2] For HD() device paths, use just the media node and later.
+
+UEFI 2.x section 3.1.2 provides for "short-form device path", where the
+first element specified is a "hard drive media device path", so that you
+can move a disk around on different buses without invalidating your
+device path.  Fallback has not been using this option, though in most
+cases efibootmgr has.
+
+Note that we still keep the full device path, because LoadImage()
+isn't necessarily the layer where HD() works - one some systems BDS is
+responsible for resolving the full path and passes that to LoadImage()
+instead.  So we have to do LoadImage() with the full path.
+---
+ fallback.c | 103 ++++++++++++++++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 78 insertions(+), 25 deletions(-)
+
+diff --git a/fallback.c b/fallback.c
+index 82ddbf2..7f4201e 100644
+--- a/fallback.c
++++ b/fallback.c
+@@ -15,6 +15,27 @@
+ EFI_LOADED_IMAGE *this_image = NULL;
+ 
+ static EFI_STATUS
++FindSubDevicePath(EFI_DEVICE_PATH *In, UINT8 Type, UINT8 SubType,
++		  EFI_DEVICE_PATH **Out)
++{
++	EFI_DEVICE_PATH *dp = In;
++	if (!In || !Out)
++		return EFI_INVALID_PARAMETER;
++
++	for (dp = In; !IsDevicePathEnd(dp); dp = NextDevicePathNode(dp)) {
++		if (DevicePathType(dp) == Type &&
++				DevicePathSubType(dp) == SubType) {
++			*Out = DuplicateDevicePath(dp);
++			if (!*Out)
++				return EFI_OUT_OF_RESOURCES;
++			return EFI_SUCCESS;
++		}
++	}
++	*Out = NULL;
++	return EFI_NOT_FOUND;
++}
++
++static EFI_STATUS
+ get_file_size(EFI_FILE_HANDLE fh, UINT64 *retsize)
+ {
+ 	EFI_STATUS rc;
+@@ -93,7 +114,9 @@ make_full_path(CHAR16 *dirname, CHAR16 *filename, CHAR16 **out, UINT64 *outlen)
+ {
+ 	UINT64 len;
+ 	
+-	len = StrLen(dirname) + StrLen(filename) + StrLen(L"\\EFI\\\\") + 2;
++	len = StrLen(L"\\EFI\\") + StrLen(dirname)
++	    + StrLen(L"\\") + StrLen(filename)
++	    + 2;
+ 
+ 	CHAR16 *fullpath = AllocateZeroPool(len*sizeof(CHAR16));
+ 	if (!fullpath) {
+@@ -119,7 +142,8 @@ VOID *first_new_option_args = NULL;
+ UINTN first_new_option_size = 0;
+ 
+ EFI_STATUS
+-add_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label, CHAR16 *arguments)
++add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp,
++		CHAR16 *filename, CHAR16 *label, CHAR16 *arguments)
+ {
+ 	static int i = 0;
+ 	CHAR16 varname[] = L"Boot0000";
+@@ -136,24 +160,31 @@ add_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label, CHAR16 *ar
+ 		void *var = LibGetVariable(varname, &global);
+ 		if (!var) {
+ 			int size = sizeof(UINT32) + sizeof (UINT16) +
+-				StrLen(label)*2 + 2 + DevicePathSize(dp) +
+-				StrLen(arguments) * 2 + 2;
++				StrLen(label)*2 + 2 + DevicePathSize(hddp) +
++				StrLen(arguments) * 2;
+ 
+ 			CHAR8 *data = AllocateZeroPool(size);
+ 			CHAR8 *cursor = data;
+ 			*(UINT32 *)cursor = LOAD_OPTION_ACTIVE;
+ 			cursor += sizeof (UINT32);
+-			*(UINT16 *)cursor = DevicePathSize(dp);
++			*(UINT16 *)cursor = DevicePathSize(hddp);
+ 			cursor += sizeof (UINT16);
+ 			StrCpy((CHAR16 *)cursor, label);
+ 			cursor += StrLen(label)*2 + 2;
+-			CopyMem(cursor, dp, DevicePathSize(dp));
+-			cursor += DevicePathSize(dp);
++			CopyMem(cursor, hddp, DevicePathSize(hddp));
++			cursor += DevicePathSize(hddp);
+ 			StrCpy((CHAR16 *)cursor, arguments);
+ 
+ 			Print(L"Creating boot entry \"%s\" with label \"%s\" "
+ 					L"for file \"%s\"\n",
+ 				varname, label, filename);
++
++			if (!first_new_option) {
++				first_new_option = DuplicateDevicePath(fulldp);
++				first_new_option_args = arguments;
++				first_new_option_size = StrLen(arguments) * sizeof (CHAR16);
++			}
++
+ 			rc = uefi_call_wrapper(RT->SetVariable, 5, varname,
+ 				&global, EFI_VARIABLE_NON_VOLATILE |
+ 					 EFI_VARIABLE_BOOTSERVICE_ACCESS |
+@@ -254,7 +285,10 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 *
+ 	if (EFI_ERROR(rc))
+ 		return rc;
+ 	
+-	EFI_DEVICE_PATH *dph = NULL, *dpf = NULL, *dp = NULL;
++	EFI_DEVICE_PATH *dph = NULL;
++	EFI_DEVICE_PATH *file = NULL;
++	EFI_DEVICE_PATH *full_device_path = NULL;
++	EFI_DEVICE_PATH *dp = NULL;
+ 	
+ 	dph = DevicePathFromHandle(this_image->DeviceHandle);
+ 	if (!dph) {
+@@ -262,19 +296,31 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 *
+ 		goto err;
+ 	}
+ 
+-	dpf = FileDevicePath(fh, fullpath);
+-	if (!dpf) {
++	file = FileDevicePath(fh, fullpath);
++	if (!file) {
+ 		rc = EFI_OUT_OF_RESOURCES;
+ 		goto err;
+ 	}
+ 
+-	dp = AppendDevicePath(dph, dpf);
+-	if (!dp) {
++	full_device_path = AppendDevicePath(dph, file);
++	if (!full_device_path) {
+ 		rc = EFI_OUT_OF_RESOURCES;
+ 		goto err;
+ 	}
+ 
++	rc = FindSubDevicePath(full_device_path,
++				MEDIA_DEVICE_PATH, MEDIA_HARDDRIVE_DP, &dp);
++	if (EFI_ERROR(rc)) {
++		if (rc == EFI_NOT_FOUND) {
++			dp = full_device_path;
++		} else {
++			rc = EFI_OUT_OF_RESOURCES;
++			goto err;
++		}
++	}
++
+ #ifdef DEBUG_FALLBACK
++	{
+ 	UINTN s = DevicePathSize(dp);
+ 	int i;
+ 	UINT8 *dpv = (void *)dp;
+@@ -287,20 +333,16 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 *
+ 
+ 	CHAR16 *dps = DevicePathToStr(dp);
+ 	Print(L"device path: \"%s\"\n", dps);
+-#endif
+-	if (!first_new_option) {
+-		CHAR16 *dps = DevicePathToStr(dp);
+-		Print(L"device path: \"%s\"\n", dps);
+-		first_new_option = DuplicateDevicePath(dp);
+-		first_new_option_args = arguments;
+-		first_new_option_size = StrLen(arguments) * sizeof (CHAR16);
+ 	}
++#endif
+ 
+-	add_boot_option(dp, fullpath, label, arguments);
++	add_boot_option(dp, full_device_path, fullpath, label, arguments);
+ 
+ err:
+-	if (dpf)
+-		FreePool(dpf);
++	if (file)
++		FreePool(file);
++	if (full_device_path)
++		FreePool(full_device_path);
+ 	if (dp)
+ 		FreePool(dp);
+ 	if (fullpath)
+@@ -622,8 +664,19 @@ try_start_first_option(EFI_HANDLE parent_image_handle)
+ 			       first_new_option, NULL, 0,
+ 			       &image_handle);
+ 	if (EFI_ERROR(rc)) {
+-		Print(L"LoadImage failed: %d\n", rc);
+-		uefi_call_wrapper(BS->Stall, 1, 2000000);
++		CHAR16 *dps = DevicePathToStr(first_new_option);
++		UINTN s = DevicePathSize(first_new_option);
++		int i;
++		UINT8 *dpv = (void *)first_new_option;
++		Print(L"LoadImage failed: %d\nDevice path: \"%s\"\n", rc, dps);
++		for (i = 0; i < s; i++) {
++			if (i > 0 && i % 16 == 0)
++				Print(L"\n");
++			Print(L"%02x ", dpv[i]);
++		}
++		Print(L"\n");
++
++		uefi_call_wrapper(BS->Stall, 1, 500000000);
+ 		return rc;
+ 	}
+ 
+@@ -637,7 +690,7 @@ try_start_first_option(EFI_HANDLE parent_image_handle)
+ 	rc = uefi_call_wrapper(BS->StartImage, 3, image_handle, NULL, NULL);
+ 	if (EFI_ERROR(rc)) {
+ 		Print(L"StartImage failed: %d\n", rc);
+-		uefi_call_wrapper(BS->Stall, 1, 2000000);
++		uefi_call_wrapper(BS->Stall, 1, 500000000);
+ 	}
+ 	return rc;
+ }
+-- 
+1.8.4.5
+
+
+From 23ed6291df5dd34789829607a97b3605b739a629 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 31 Jan 2014 10:31:10 -0500
+Subject: [PATCH 2/2] Attempt to re-use existing entries when possible.
+
+Some firmwares seem to ignore our boot entries and put their fallback
+entries back on top.  Right now that results in a lot of boot entries
+for our stuff, a la https://bugzilla.redhat.com/show_bug.cgi?id=995834 .
+
+Instead of that happening, if we simply find existing entries that match
+the entry we would create and move them to the top of the boot order,
+the machine will continue to operate in failure mode (which we can't
+avoid), but at least we won't create thousands of extra entries.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ fallback.c | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 98 insertions(+), 1 deletion(-)
+
+diff --git a/fallback.c b/fallback.c
+index 7f4201e..044e4ba 100644
+--- a/fallback.c
++++ b/fallback.c
+@@ -226,6 +226,85 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp,
+ }
+ 
+ EFI_STATUS
++find_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label,
++		CHAR16 *arguments, UINT16 *optnum)
++{
++	int size = sizeof(UINT32) + sizeof (UINT16) +
++		StrLen(label)*2 + 2 + DevicePathSize(dp) +
++		StrLen(arguments) * 2 + 2;
++
++	CHAR8 *data = AllocateZeroPool(size);
++	if (!data)
++		return EFI_OUT_OF_RESOURCES;
++	CHAR8 *cursor = data;
++	*(UINT32 *)cursor = LOAD_OPTION_ACTIVE;
++	cursor += sizeof (UINT32);
++	*(UINT16 *)cursor = DevicePathSize(dp);
++	cursor += sizeof (UINT16);
++	StrCpy((CHAR16 *)cursor, label);
++	cursor += StrLen(label)*2 + 2;
++	CopyMem(cursor, dp, DevicePathSize(dp));
++	cursor += DevicePathSize(dp);
++	StrCpy((CHAR16 *)cursor, arguments);
++
++	int i = 0;
++	CHAR16 varname[] = L"Boot0000";
++	CHAR16 hexmap[] = L"0123456789ABCDEF";
++	EFI_GUID global = EFI_GLOBAL_VARIABLE;
++	EFI_STATUS rc;
++
++	CHAR8 *candidate = AllocateZeroPool(size);
++	if (!candidate) {
++		FreePool(data);
++		return EFI_OUT_OF_RESOURCES;
++	}
++
++	for(i = 0; i < nbootorder && i < 0x10000; i++) {
++		varname[4] = hexmap[(bootorder[i] & 0xf000) >> 12];
++		varname[5] = hexmap[(bootorder[i] & 0x0f00) >> 8];
++		varname[6] = hexmap[(bootorder[i] & 0x00f0) >> 4];
++		varname[7] = hexmap[(bootorder[i] & 0x000f) >> 0];
++
++		UINTN candidate_size = size;
++		rc = uefi_call_wrapper(RT->GetVariable, 5, varname, &global,
++					NULL, &candidate_size, candidate);
++		if (EFI_ERROR(rc))
++			continue;
++
++		if (candidate_size != size)
++			continue;
++
++		if (CompareMem(candidate, data, size))
++			continue;
++
++		/* at this point, we have duplicate data. */
++		*optnum = i;
++		FreePool(candidate);
++		FreePool(data);
++		return EFI_SUCCESS;
++	}
++	FreePool(candidate);
++	FreePool(data);
++	return EFI_NOT_FOUND;
++}
++
++EFI_STATUS
++set_boot_order(void)
++{
++	CHAR16 *oldbootorder;
++	UINTN size;
++	EFI_GUID global = EFI_GLOBAL_VARIABLE;
++
++	oldbootorder = LibGetVariableAndSize(L"BootOrder", &global, &size);
++	if (oldbootorder) {
++		nbootorder = size / sizeof (CHAR16);
++		bootorder = oldbootorder;
++	}
++	return EFI_SUCCESS;
++
++}
++
++EFI_STATUS
+ update_boot_order(void)
+ {
+ 	CHAR16 *oldbootorder;
+@@ -336,7 +415,23 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 *
+ 	}
+ #endif
+ 
+-	add_boot_option(dp, full_device_path, fullpath, label, arguments);
++	UINT16 option;
++	rc = find_boot_option(dp, fullpath, label, arguments, &option);
++	if (EFI_ERROR(rc)) {
++		add_boot_option(dp, full_device_path, fullpath, label, arguments);
++	} else if (option != 0) {
++		CHAR16 *newbootorder;
++		newbootorder = AllocateZeroPool(sizeof (CHAR16) * nbootorder);
++		if (!newbootorder)
++			return EFI_OUT_OF_RESOURCES;
++
++		newbootorder[0] = bootorder[option];
++		CopyMem(newbootorder + 1, bootorder, sizeof (CHAR16) * option);
++		CopyMem(newbootorder + option + 1, bootorder + option + 1,
++			sizeof (CHAR16) * (nbootorder - option - 1));
++		FreePool(bootorder);
++		bootorder = newbootorder;
++	}
+ 
+ err:
+ 	if (file)
+@@ -710,6 +805,8 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *systab)
+ 
+ 	Print(L"System BootOrder not found.  Initializing defaults.\n");
+ 
++	set_boot_order();
++
+ 	rc = find_boot_options(this_image->DeviceHandle);
+ 	if (EFI_ERROR(rc)) {
+ 		Print(L"Error: could not find boot options: %d\n", rc);
+-- 
+1.8.4.5
+

shim-get-variable-check.patch

@@ -0,0 +1,27 @@
+From 293f28d1fe3921c5348c60948b4dedcef5042d5b Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 15 Nov 2013 10:55:37 -0500
+Subject: [PATCH] Error check the right thing in get_variable_attr() when
+ allocating.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ lib/variables.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/variables.c b/lib/variables.c
+index 81bd34d..3a9735e 100644
+--- a/lib/variables.c
++++ b/lib/variables.c
+@@ -224,7 +224,7 @@ get_variable_attr(CHAR16 *var, UINT8 **data, UINTN *len, EFI_GUID owner,
+ 		return efi_status;
+ 
+ 	*data = AllocateZeroPool(*len);
+-	if (!data)
++	if (!*data)
+ 		return EFI_OUT_OF_RESOURCES;
+ 	
+ 	efi_status = uefi_call_wrapper(RT->GetVariable, 5, var, &owner,
+-- 
+1.8.4.5
+

shim-mokx-support.patch

@@ -1,10 +1,12 @@
-From 8614cf8c164049e77d702eb234d608d5342e975b Mon Sep 17 00:00:00 2001
+From 58b8e54ef60d488886a9f0d0877b7187eb200d07 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Thu, 24 Oct 2013 17:02:08 +0800
-Subject: [PATCH 1/9] Support MOK blacklist
+Subject: [PATCH 01/10] Support MOK blacklist
 
 The new blacklist, MokListX, stores the keys and hashes that are
 banned.
+
+Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
 ---
  MokManager.c | 241 +++++++++++++++++++++++++++++++++++++++++++++++++----------
  shim.c       |   3 +-
@@ -510,7 +512,7 @@ index f5ed379..b9b42b6 100644
  	return EFI_SUCCESS;
  }
 diff --git a/shim.c b/shim.c
-index 9ae1936..c133bb2 100644
+index cf93d65..2c23a2f 100644
 --- a/shim.c
 +++ b/shim.c
 @@ -1510,7 +1510,8 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
@@ -524,14 +526,15 @@ index 9ae1936..c133bb2 100644
  
  		if (efi_status != EFI_SUCCESS) {
 -- 
-1.8.1.4
+1.8.4.5
 
 
-From f36f4093bb72344242949b16b83905cefb93d3cd Mon Sep 17 00:00:00 2001
+From d2980a5cbee887223405a24be44ffd5bb439e3f1 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Thu, 24 Oct 2013 17:32:31 +0800
-Subject: [PATCH 2/9] MokManager: show the hash list properly
+Subject: [PATCH 02/10] MokManager: show the hash list properly
 
+Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
 ---
  MokManager.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++++--------
  1 file changed, 71 insertions(+), 11 deletions(-)
@@ -675,14 +678,15 @@ index b9b42b6..5575a94 100644
  
  	for (i=0; menu_strings[i] != NULL; i++)
 -- 
-1.8.1.4
+1.8.4.5
 
 
-From f1073a9bc757008d44b5b86cb5002a3654faf2d2 Mon Sep 17 00:00:00 2001
+From 9c4b5d58385c64056adb5386c097219665f2f50d Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Fri, 25 Oct 2013 16:54:25 +0800
-Subject: [PATCH 3/9] MokManager: delete the hash properly
+Subject: [PATCH 03/10] MokManager: delete the hash properly
 
+Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
 ---
  MokManager.c | 124 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-----
  1 file changed, 114 insertions(+), 10 deletions(-)
@@ -840,14 +844,15 @@ index 5575a94..23bdeef 100644
  	}
  
 -- 
-1.8.1.4
+1.8.4.5
 
 
-From b5cb83a92620b0b41857f3e3a292d1577eb3a3a5 Mon Sep 17 00:00:00 2001
+From 54ce2f9605990c00f9cafae7cab22a1c885828c1 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Fri, 25 Oct 2013 17:05:10 +0800
-Subject: [PATCH 4/9] MokManager: Match all hashes in the list
+Subject: [PATCH 04/10] MokManager: Match all hashes in the list
 
+Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
 ---
  MokManager.c | 24 ++++++++++++++----------
  1 file changed, 14 insertions(+), 10 deletions(-)
@@ -908,15 +913,17 @@ index 23bdeef..5b40e19 100644
  	}
  }
 -- 
-1.8.1.4
+1.8.4.5
 
 
-From 70a4e12d2e6ba37541d0b78ec3c8ed5e8da9a941 Mon Sep 17 00:00:00 2001
+From 4c1912c8521cca4d320a1417abff6f7954809a20 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Fri, 25 Oct 2013 18:30:48 +0800
-Subject: [PATCH 5/9] MokManager: Write the hash list properly
+Subject: [PATCH 05/10] MokManager: Write the hash list properly
 
 also return to the previous entry in the list
+
+Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
 ---
  MokManager.c | 30 +++++++++++++++++++-----------
  1 file changed, 19 insertions(+), 11 deletions(-)
@@ -991,20 +998,21 @@ index 5b40e19..e79a8e0 100644
  
  	efi_status = uefi_call_wrapper(RT->SetVariable, 5, db_name,
 -- 
-1.8.1.4
+1.8.4.5
 
 
-From 225e5fca2f7cf63e365b77243d6e43b1eb9860c8 Mon Sep 17 00:00:00 2001
+From 8b96a93bda39617efbe51f24d1dc606ad8835d26 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Mon, 28 Oct 2013 15:08:40 +0800
-Subject: [PATCH 6/9] Copy the MOK blacklist to a RT variable
+Subject: [PATCH 06/10] Copy the MOK blacklist to a RT variable
 
+Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
 ---
  shim.c | 29 +++++++++++++++++++++++++++++
  1 file changed, 29 insertions(+)
 
 diff --git a/shim.c b/shim.c
-index c133bb2..a0383a8 100644
+index 2c23a2f..ccb3071 100644
 --- a/shim.c
 +++ b/shim.c
 @@ -1480,6 +1480,33 @@ EFI_STATUS mirror_mok_list()
@@ -1041,7 +1049,7 @@ index c133bb2..a0383a8 100644
   * Check if a variable exists
   */
  static BOOLEAN check_var(CHAR16 *varname)
-@@ -1795,6 +1822,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
+@@ -1799,6 +1826,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
  	 */
  	efi_status = mirror_mok_list();
  
@@ -1051,20 +1059,21 @@ index c133bb2..a0383a8 100644
  	 * Create the runtime MokIgnoreDB variable so the kernel can make
  	 * use of it
 -- 
-1.8.1.4
+1.8.4.5
 
 
-From f9db55b719281ce491780ecd4ec269c5286a7251 Mon Sep 17 00:00:00 2001
+From 044d04dbed3ef3f2f3004a770e3751eabc052c2c Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Mon, 28 Oct 2013 16:36:34 +0800
-Subject: [PATCH 7/9] No newline for console_notify
+Subject: [PATCH 07/10] No newline for console_notify
 
+Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
 ---
  shim.c | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/shim.c b/shim.c
-index a0383a8..a2e0862 100644
+index ccb3071..e30a464 100644
 --- a/shim.c
 +++ b/shim.c
 @@ -470,7 +470,7 @@ static BOOLEAN secure_mode (void)
@@ -1086,13 +1095,13 @@ index a0383a8..a2e0862 100644
  	}
  
 -- 
-1.8.1.4
+1.8.4.5
 
 
-From 0bf2da5c7d9442f3249fc977b3fbffab924a374c Mon Sep 17 00:00:00 2001
+From 0e97d1576fcc1924f0f17b7f31baf1dd74a7f83e Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Mon, 4 Nov 2013 14:45:33 +0800
-Subject: [PATCH 8/9] Verify the EFI images with MOK blacklist
+Subject: [PATCH 08/10] Verify the EFI images with MOK blacklist
 
 Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
 ---
@@ -1100,7 +1109,7 @@ Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
  1 file changed, 9 insertions(+)
 
 diff --git a/shim.c b/shim.c
-index a2e0862..5f5e9a6 100644
+index e30a464..efd3d85 100644
 --- a/shim.c
 +++ b/shim.c
 @@ -365,6 +365,7 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
@@ -1127,13 +1136,13 @@ index a2e0862..5f5e9a6 100644
  	return EFI_SUCCESS;
  }
 -- 
-1.8.1.4
+1.8.4.5
 
 
-From 20ced27d1785bceaf814c07ca0d5686506a119ad Mon Sep 17 00:00:00 2001
+From a166edaa42ef96eaf5b000d0e4ad71779b745d68 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Mon, 4 Nov 2013 17:51:55 +0800
-Subject: [PATCH 9/9] Exclude ca.crt while signing EFI images
+Subject: [PATCH 09/10] Exclude ca.crt while signing EFI images
 
 If ca.crt was added into the certificate database, ca.crt would be the first
 certificate in the signature. Because shim couldn't verify ca.crt with the
@@ -1158,5 +1167,33 @@ index e65d28d..5e3fa9e 100644
  	certutil -d certdb/ -A -i shim.crt -n shim -t u
  
 -- 
-1.8.1.4
+1.8.4.5
+
+
+From cce37bfa5298e8e9c12d3509c78592f711699c4f Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin <glin@suse.com>
+Date: Tue, 11 Feb 2014 14:11:15 +0800
+Subject: [PATCH 10/10] Make shim to check MokXAuth for MOKX reset
+
+Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
+---
+ shim.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/shim.c b/shim.c
+index efd3d85..7093c45 100644
+--- a/shim.c
++++ b/shim.c
+@@ -1547,7 +1547,8 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
+ 	if (check_var(L"MokNew") || check_var(L"MokSB") ||
+ 	    check_var(L"MokPW") || check_var(L"MokAuth") ||
+ 	    check_var(L"MokDel") || check_var(L"MokDB") ||
+-	    check_var(L"MokXNew") || check_var(L"MokXDel")) {
++	    check_var(L"MokXNew") || check_var(L"MokXDel") ||
++	    check_var(L"MokXAuth")) {
+ 		efi_status = start_image(image_handle, MOK_MANAGER);
+ 
+ 		if (efi_status != EFI_SUCCESS) {
+-- 
+1.8.4.5
 

shim-only-os-name.patch

@@ -0,0 +1,13 @@
+diff --git a/Makefile b/Makefile
+index 91e6bcd..6ed5ba7 100644
+--- a/Makefile
++++ b/Makefile
+@@ -63,7 +63,7 @@ shim_cert.h: shim.cer
+ 
+ version.c : version.c.in
+ 	sed	-e "s,@@VERSION@@,$(VERSION)," \
+-		-e "s,@@UNAME@@,$(shell uname -a)," \
++		-e "s,@@UNAME@@,$(shell uname -o)," \
+ 		-e "s,@@COMMIT@@,$(shell if [ -d .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo commit id not available; fi)," \
+ 		< version.c.in > version.c
+ 

shim.changes

@@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Tue Feb 11 06:30:02 UTC 2014 - glin@suse.com
+
+- Update shim-mokx-support.patch to support the resetting of MOK
+  blacklist
+- Add shim-get-variable-check.patch to fix the variable checking
+  in get_variable_attr
+- Add shim-improve-fallback-entries-creation.patch to improve the
+  boot entry pathes and avoid generating the boot entries that
+  are already there
+- Update SUSE certificate
+- Update attach_signature.sh, show_hash.sh, strip_signature.sh,
+  extract_signature.sh and show_signatures.sh to remove the
+  creation of the temporary nss database
+- Add shim-only-os-name.patch: remove the kernel version of the
+  build server
+- Match the the prefix of the project name properly by escaping the 
+  percent sign.
+
 -------------------------------------------------------------------
 Wed Jan 22 13:45:44 UTC 2014 - lnussel@suse.de
 

shim.spec

@@ -38,6 +38,7 @@ Source7:        show_hash.sh
 Source8:        show_signatures.sh
 Source9:        openSUSE-UEFI-CA-Certificate-4096.crt
 Source10:       timestamp.pl
+Source11:       strip_signature.sh
 # PATCH-FIX-UPSTREAM shim-fix-verify-mok.patch glin@suse.com -- Fix the error handling in verify_mok()
 Patch1:         shim-fix-verify-mok.patch
 # PATCH-FIX-UPSTREAM shim-improve-error-messages.patch glin@suse.com -- Improve the error messages
@@ -50,6 +51,12 @@ Patch4:         shim-fix-dhcpv4-path-generation.patch
 Patch5:         shim-mokx-support.patch
 # PATCH-FIX-UPSTREAM shim-mokmanager-handle-keystroke-error.patch glin@suse.com -- Handle the error status from ReadKeyStroke to avoid the unexpected keys
 Patch6:         shim-mokmanager-handle-keystroke-error.patch
+# PATCH-FIX-SUSE shim-only-os-name.patch glin@suse.com -- Only include the OS name in version.c
+Patch7:         shim-only-os-name.patch
+# PATCH-FIX-UPSTREAM shim-get-variable-check.patch glin@suse.com -- Fix the variable checking in get_variable_attr 
+Patch8:         shim-get-variable-check.patch
+# PATCH-FIX-UPSTREAM shim-fallback-improve--entries-creation.patch glin@suse.com -- Improve the boot entry pathes and avoid generating the boot entries that are already there 
+Patch9:         shim-fallback-improve-entries-creation.patch
 BuildRequires:  gnu-efi >= 3.0t
 BuildRequires:  mozilla-nss-tools
 BuildRequires:  openssl >= 0.9.8
@@ -78,6 +85,9 @@ Authors:
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
 
 %build
 # first, build MokManager and fallback as they don't depend on a
@@ -133,7 +143,7 @@ for suffix in "${suffixes[@]}"; do
     # make sure cast warnings don't trigger post build check
     make EFI_PATH=/usr/lib64 VENDOR_CERT_FILE=shim-$suffix.der shim.efi 2>/dev/null
     # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
-    chmod 755 %{SOURCE6} %{SOURCE7} %{SOURCE10}
+    chmod 755 %{SOURCE10}
     # alternative: verify signature
     #sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi
     head -1 %{SOURCE1} > hash1
@@ -141,21 +151,20 @@ for suffix in "${suffixes[@]}"; do
     # pe header contains timestamp and checksum. we need to
     # restore that
     %{SOURCE10} --set-from-file %{SOURCE1} shim.efi
-    %{SOURCE7} shim.efi > hash2
+    pesign -h -P -i shim.efi > hash2
     cat hash1 hash2
     if ! cmp -s hash1 hash2; then
 	    echo "ERROR: binary changed, need to request new signature!"
 	    # don't fail in devel projects
 	    prj="%{_project}"
-	    if [ "${prj%%:*}" = "openSUSE" -o "${prj%%:*}" = "SUSE" ]; then
+	    if [ "${prj%%%:*}" = "openSUSE" -o "${prj%%%:*}" = "SUSE" ]; then
 		    false
 	    fi
 	    mv shim.efi.bak shim-$suffix.efi
 	    rm shim.efi
     else
 	    # attach signature
-	    %{SOURCE6} %{SOURCE1} shim.efi
-	    mv shim-signed.efi shim-$suffix.efi
+	    pesign -m %{SOURCE1} -i shim.efi -o shim-$suffix.efi
 	    rm -f shim.efi
     fi
     rm -f shim.cer shim.crt

show_hash.sh

@@ -9,13 +9,4 @@ if [ -z "$infile" -o ! -e "$infile" ]; then
 	exit 1
 fi
 
-nssdir=`mktemp -d`
-cleanup()
-{
-	rm -r "$nssdir"
-}
-trap cleanup EXIT
-echo > "$nssdir/pw"
-certutil -f "$nssdir/pw" -d "$nssdir" -N
-
-pesign -n "$nssdir" -h -P -i "$infile"
+pesign -h -P -i "$infile"

show_signatures.sh

@@ -9,13 +9,4 @@ if [ -z "$infile" -o ! -e "$infile" ]; then
 	exit 1
 fi
 
-nssdir=`mktemp -d`
-cleanup()
-{
-	rm -r "$nssdir"
-}
-trap cleanup EXIT
-echo > "$nssdir/pw"
-certutil -f "$nssdir/pw" -d "$nssdir" -N
-
-pesign -n "$nssdir" -S -i "$infile"
+pesign -S -i "$infile"

strip_signature.sh

@@ -10,13 +10,4 @@ fi
 
 outfile="${infile%.efi}-unsigned.efi"
 
-nssdir=`mktemp -d`
-cleanup()
-{
-	rm -r "$nssdir"
-}
-trap cleanup EXIT
-echo > "$nssdir/pw"
-certutil -f "$nssdir/pw" -d "$nssdir" -N
-
-pesign -n "$nssdir" -r -i "$infile" -o "$outfile"
+pesign -r -i "$infile" -o "$outfile"