From 63a3d1b717737ca07ae7a749b132f1ab5d377f2b8e6266f16ff3061bc87d1f1d Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 13 Feb 2014 01:57:08 +0000 Subject: [PATCH] Accepting request 221745 from home:gary_lin:branches:devel:openSUSE:Factory - Update shim-mokx-support.patch to support the resetting of MOK blacklist - Fix the variable checking in get_variable_attr - Improve the boot entry pathes and avoid generating the boot entries that are already there - Update SUSE certificate - Update scritps to remove the creation of the temporary nss database - Remove the kernel version of the build server - Match the the prefix of the project name properly by escaping the percent sign. OBS-URL: https://build.opensuse.org/request/show/221745 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=57 --- SLES-UEFI-CA-Certificate.crt | 52 ++- attach_signature.sh | 11 +- extract_signature.sh | 13 +- shim-fallback-improve-entries-creation.patch | 365 +++++++++++++++++++ shim-get-variable-check.patch | 27 ++ shim-mokx-support.patch | 101 +++-- shim-only-os-name.patch | 13 + shim.changes | 19 + shim.spec | 19 +- show_hash.sh | 11 +- show_signatures.sh | 11 +- strip_signature.sh | 11 +- 12 files changed, 534 insertions(+), 119 deletions(-) create mode 100644 shim-fallback-improve-entries-creation.patch create mode 100644 shim-get-variable-check.patch create mode 100644 shim-only-os-name.patch diff --git a/SLES-UEFI-CA-Certificate.crt b/SLES-UEFI-CA-Certificate.crt index 56f3fce..480fa09 100644 --- a/SLES-UEFI-CA-Certificate.crt +++ b/SLES-UEFI-CA-Certificate.crt 
@@ -1,39 +1,29 @@ -----BEGIN CERTIFICATE----- -MIIG5TCCBM2gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT +MIIE5TCCA82gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT RSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTES MBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3Rz IEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxk -QHN1c2UuZGUwHhcNMTMwMTIyMTQyMDA4WhcNMzQxMjE4MTQyMDA4WjCBpjEtMCsG +QHN1c2UuZGUwHhcNMTMwNDE4MTQzMzQxWhcNMzUwMzE0MTQzMzQxWjCBpjEtMCsG A1UEAwwkU1VTRSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYD VQQGEwJERTESMBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4 IFByb2R1Y3RzIEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0B -CQEWDWJ1aWxkQHN1c2UuZGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC -AQCrLYL1Uq02iIgro6x6PFESFDtUKU7xO/bJanI7+AQAroowFuLBI67BBSmoq3hR -QnH3OtQusGV8y+wvjaaunppvWMfjViZ88zssj5fKXrDr5U6BB566DJgHreWaEs2d -FD13XpKRr3Nk9zdjAJu5YsR7hI1NMXsnj1X8w71OY9HLjv+Kq9917PJwZQjOGnAJ -BQTi0ogHuLiwDqMKgg5rrYD4cJDPzoLEmEXnwHDIOSiWdD0bCzhN6GQDKldIxQ2O -d/mjUgzB+dWslIb+bUKaoJgDtyPV20W74t7Y2uwoaEVr9QkPoM3tOPttf4qsWo8B -J1TgeoF01ZeKcvSyvOXCKbfAN9sqURK2ZUTNThqZ//VPQmJP6fByrMJsbvTOSsQt -HI+fFPrg1DC2KT8SzuGtWDRscHZ7MofvUKEQolVgkGwp8u68t/RAAwDpUdqIajzi -yfp9qSDD+9uMeyiLa4rrAr2ATGohNBa0qha95slgvSepXbYKuHG5b4fWMsG7z4Uc -dqE2vK8cQma1nsAeQBaq2/89294TOHEzKyspesfCBCnKQ3q+l9xelYRdvapj1CH/ -cfUZf2/6X3VHN1P88RfRrPubswmrcOCEBT41upa2WKRDJ1GS6YhL6LJnrZSTjfe+ -KsfNVS1D+KqSKiK0hfk6YK6O88mMGeAKQs3Ap8WthBLf0QIDAQABo4IBGjCCARYw -DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUPU1Az5OFOQJLHPxaEt7f6LF+dV8w -gdMGA1UdIwSByzCByIAUPU1Az5OFOQJLHPxaEt7f6LF+dV+hgaykgakwgaYxLTAr -BgNVBAMMJFNVU0UgTGludXggRW50ZXJwcmlzZSBTZWN1cmUgQm9vdCBDQTELMAkG -A1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UECgwYU1VTRSBMaW51 -eCBQcm9kdWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFtMRwwGgYJKoZIhvcN -AQkBFg1idWlsZEBzdXNlLmRlggEBMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0B -AQsFAAOCAgEANtdMT47CjQtuERYa5jfygIO5F+urB4fl8pYcQQ/hTPE0KtAnAtrS 
-1strtMrVQ1t7Wu3fVbWYA6MZMXXkcwyyNbaWfj6roaSC6G5ZqCJ69oSyzaCbyaTI -eOgzIIiVGOAj7tiM6T88Xp9qx4Xa3F6UQHF6xfwBT3nNKerGKOG01p7mBfBewwO5 -Hxp7OAZmennUxV1uuT5/AsArxw9lMlawXhIAS7tRYHW+32D4tjHPDycldOw1hBjt -z5JdehBiTmxhJ6onl0HSpsX84IMSbkeFIxLfxIF0TNas1pGnSGmh8FcV+ck9js3P -yamJcNkgCstIwo3QZ2D5YdtQjOusyEuGjCIpDIQx36OMzeOo0SayOdzb2dSmcrHv -4DIkXDUELyIzu79A2R2KR7OQaGL6HGAVy6+yXHHygTbbUrb6ck2+aOG8913ChABc -ZAiSFFRKVZzzj7FeIxZNA8GBUbhd20eQB2fUXDypeAnTG6P3dtTs84xNb1qGm3VC -OAKjkWYQijLWmAOs9Q4NM/AXOeDTgXxA7iX7kWHRNeDbACirp7zM2ZOIP5ObIS6z -yMqcG9DecSVbXiH3MJDTBoB1idQTTyreqpM/l6N8xNNVjEiLJGMEM1SeYq6S1lFV -a+GcdOaLYkh7ya3I42l/tDOqH2OLIf7FEtocnc1xU6jTz8au1tZxec8= +CQEWDWJ1aWxkQHN1c2UuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQDN/avXKoT4gcM2NVA1LMfsBPH01sxgS8gTs3SbvfbEP2M+ZlHyfj9ufHZ7cZ1p +ISoVm6ql5VbIeZgSNc17Y4y4Nynud1C8t2SP/iZK5YMYHGxdtIfv1zPE+Bo/KZqE +WgHg2YFtMXdiKfXBZRTfSh37t0pGO/OQi6K4JioKw55UtQNggePZWDXtsAviT2vv +abqLR9+kxdrQ0iWqhWM+LwXbTGkCpg41s8KucLD/JYAxxw05dKPApFDNnz+Ft2L7 +e5JtyB4S0u4PlvQBMNHt4hDs0rK4oeHFLbOxHvjF+nloneWhkg9eT0VCfpAYVYz+ +whMxuCHerDCdmeFrRGEMQz11AgMBAAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/ +MB0GA1UdDgQWBBTsqw1CxFbPdwQ2uXOZOGKWXocmLzCB0wYDVR0jBIHLMIHIgBTs +qw1CxFbPdwQ2uXOZOGKWXocmL6GBrKSBqTCBpjEtMCsGA1UEAwwkU1VTRSBMaW51 +eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTESMBAGA1UE +BwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3RzIEdtYkgx +EzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxkQHN1c2Uu +ZGWCAQEwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQASviyFhVqU +Wc1JUQgXwdljJynTnp0/FQOZJBSe7XdBGPmy91+3ITqrXgyqo/218KISiQl53Qlw +pq+cIiGRAia1D7p7wbg7wsg+Trt0zZFXes30wfYq5pjfWadEBAgNCffkBz10TSjL +jQrVwW5N+yUJMoq+r843TzV56Huy6LBOVhI5yTz7X7i2rSJYfyQWM8oeHLj8Yl5M +rOB9gyTumxB4mOLmSqwKzJiUB0ppGPohdLUSSEKDdo6KSH/GjR7M7uBicwnzwJD3 +SVfT9nx9HKF2nXZlHvs5ViQQru3qP1tc6i0eXEnPTYW2+zkZcN0e5iHyozEZHsO0 +rvc1p6G0YWtO -----END CERTIFICATE----- diff --git a/attach_signature.sh b/attach_signature.sh index 9492186..689a7e4 100644 --- a/attach_signature.sh 
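Review bot: The replacement certificate is markedly shorter than the one it supersedes (its PEM body starts `MIIE5TCC` instead of `MIIG5TCC`, and the public-key prefix changes from `A4ICDwAwggIKAoIC` to `A4IBDwAwggEKAoIB`), which looks like a move from a 4096-bit to a 2048-bit RSA key; confirm the key length is intended, because this CA is embedded in shim as the vendor certificate and anchors every kernel and bootloader signature shim accepts. The subject is unchanged, so the two certificates can only be told apart by key and validity period, yet neither the commit message nor the shim.changes entry records a fingerprint for the new one. I would add a line such as `SHA-256 fingerprint: <fingerprint-placeholder>` to the shim.changes entry so the embedded CA can be checked out of band. Whether signatures issued under the old CA still verify after this swap depends on the signing infrastructure and is not visible here.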
+++ b/attach_signature.sh @@ -11,13 +11,4 @@ fi outfile="${infile%.efi}-signed.efi" -nssdir=`mktemp -d` -cleanup() -{ - rm -r "$nssdir" -} -trap cleanup EXIT -echo > "$nssdir/pw" -certutil -f "$nssdir/pw" -d "$nssdir" -N - -pesign -n "$nssdir" -m "$sig" -i "$infile" -o "$outfile" +pesign -m "$sig" -i "$infile" -o "$outfile" diff --git a/extract_signature.sh b/extract_signature.sh index e92e8a6..0a989e5 100644 --- a/extract_signature.sh +++ b/extract_signature.sh @@ -9,16 +9,7 @@ if [ -z "$infile" -o ! -e "$infile" ]; then exit 1 fi -nssdir=`mktemp -d` -cleanup() -{ - rm -r "$nssdir" -} -trap cleanup EXIT -echo > "$nssdir/pw" -certutil -f "$nssdir/pw" -d "$nssdir" -N - # wtf? -(pesign -n "$nssdir" -h -P -i "$infile"; +(pesign -h -P -i "$infile"; perl $(dirname $0)/timestamp.pl "$infile"; -pesign -n "$nssdir" -a -f -e /dev/stdout -i "$infile")|cat +pesign -a -f -e /dev/stdout -i "$infile")|cat diff --git a/shim-fallback-improve-entries-creation.patch b/shim-fallback-improve-entries-creation.patch new file mode 100644 index 0000000..efe5c52 --- /dev/null +++ b/shim-fallback-improve-entries-creation.patch 
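Review bot: Dropping `-n "$nssdir"` from the pesign call on the last line of this hunk makes the script depend on pesign's default certificate database instead of a throwaway one; pesign presumably still initializes NSS from that default directory even for `-m`, so on a host where it is missing or unreadable the script now fails where it used to work. The same change is made in extract_signature.sh, show_hash.sh, show_signatures.sh and strip_signature.sh. The pesign exit status is not checked and no `set -e` is visible in the hunk, so a failed attach leaves no `$outfile` yet the script still exits 0. I would write `pesign -m "$sig" -i "$infile" -o "$outfile" || exit 1` here and the equivalent in strip_signature.sh, with a short comment `# uses pesign's default NSS database (no -n)` above it. The start of the script lies outside the hunk.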
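Review bot: Both pesign calls re-added in this hunk run inside a subshell whose output is piped through `cat`, so the pipeline status is always cat's and a pesign failure (for example from the default NSS database now used without `-n`) is invisible to callers. The surviving `# wtf?` comment says the reason for `|cat` is unknown; if it only exists to merge the three outputs, the parentheses already do that and the pipe can be dropped so the subshell's status propagates. If it has to stay, replace the comment with one that states the consequence, e.g. `# hash, timestamp and signature concatenated on stdout; pesign failures are masked by the pipe`, and check each command, e.g. `(pesign -h -P -i "$infile" || exit 1;` for the first line.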
@@ -0,0 +1,365 @@ +From 9ba08c4e8e7cf9b001497a0752652e0ece0b2b84 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Fri, 31 Jan 2014 10:30:24 -0500 +Subject: [PATCH 1/2] For HD() device paths, use just the media node and later. + +UEFI 2.x section 3.1.2 provides for "short-form device path", where the +first element specified is a "hard drive media device path", so that you +can move a disk around on different buses without invalidating your +device path. Fallback has not been using this option, though in most +cases efibootmgr has. + +Note that we still keep the full device path, because LoadImage() +isn't necessarily the layer where HD() works - one some systems BDS is +responsible for resolving the full path and passes that to LoadImage() +instead. So we have to do LoadImage() with the full path. +--- + fallback.c | 103 ++++++++++++++++++++++++++++++++++++++++++++++--------------- + 1 file changed, 78 insertions(+), 25 deletions(-) + +diff --git a/fallback.c b/fallback.c +index 82ddbf2..7f4201e 100644 +--- a/fallback.c ++++ b/fallback.c +@@ -15,6 +15,27 @@ + EFI_LOADED_IMAGE *this_image = NULL; + + static EFI_STATUS ++FindSubDevicePath(EFI_DEVICE_PATH *In, UINT8 Type, UINT8 SubType, ++ EFI_DEVICE_PATH **Out) ++{ ++ EFI_DEVICE_PATH *dp = In; ++ if (!In || !Out) ++ return EFI_INVALID_PARAMETER; ++ ++ for (dp = In; !IsDevicePathEnd(dp); dp = NextDevicePathNode(dp)) { ++ if (DevicePathType(dp) == Type && ++ DevicePathSubType(dp) == SubType) { ++ *Out = DuplicateDevicePath(dp); ++ if (!*Out) ++ return EFI_OUT_OF_RESOURCES; ++ return EFI_SUCCESS; ++ } ++ } ++ *Out = NULL; ++ return EFI_NOT_FOUND; ++} ++ ++static EFI_STATUS + get_file_size(EFI_FILE_HANDLE fh, UINT64 *retsize) + { + EFI_STATUS rc; +@@ -93,7 +114,9 @@ make_full_path(CHAR16 *dirname, CHAR16 *filename, CHAR16 **out, UINT64 *outlen) + { + UINT64 len; + +- len = StrLen(dirname) + StrLen(filename) + StrLen(L"\\EFI\\\\") + 2; ++ len = StrLen(L"\\EFI\\") + StrLen(dirname) ++ + StrLen(L"\\") + StrLen(filename) 
++ + 2; + + CHAR16 *fullpath = AllocateZeroPool(len*sizeof(CHAR16)); + if (!fullpath) { +@@ -119,7 +142,8 @@ VOID *first_new_option_args = NULL; + UINTN first_new_option_size = 0; + + EFI_STATUS +-add_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label, CHAR16 *arguments) ++add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp, ++ CHAR16 *filename, CHAR16 *label, CHAR16 *arguments) + { + static int i = 0; + CHAR16 varname[] = L"Boot0000"; +@@ -136,24 +160,31 @@ add_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label, CHAR16 *ar + void *var = LibGetVariable(varname, &global); + if (!var) { + int size = sizeof(UINT32) + sizeof (UINT16) + +- StrLen(label)*2 + 2 + DevicePathSize(dp) + +- StrLen(arguments) * 2 + 2; ++ StrLen(label)*2 + 2 + DevicePathSize(hddp) + ++ StrLen(arguments) * 2; + + CHAR8 *data = AllocateZeroPool(size); + CHAR8 *cursor = data; + *(UINT32 *)cursor = LOAD_OPTION_ACTIVE; + cursor += sizeof (UINT32); +- *(UINT16 *)cursor = DevicePathSize(dp); ++ *(UINT16 *)cursor = DevicePathSize(hddp); + cursor += sizeof (UINT16); + StrCpy((CHAR16 *)cursor, label); + cursor += StrLen(label)*2 + 2; +- CopyMem(cursor, dp, DevicePathSize(dp)); +- cursor += DevicePathSize(dp); ++ CopyMem(cursor, hddp, DevicePathSize(hddp)); ++ cursor += DevicePathSize(hddp); + StrCpy((CHAR16 *)cursor, arguments); + + Print(L"Creating boot entry \"%s\" with label \"%s\" " + L"for file \"%s\"\n", + varname, label, filename); ++ ++ if (!first_new_option) { ++ first_new_option = DuplicateDevicePath(fulldp); ++ first_new_option_args = arguments; ++ first_new_option_size = StrLen(arguments) * sizeof (CHAR16); ++ } ++ + rc = uefi_call_wrapper(RT->SetVariable, 5, varname, + &global, EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS | +@@ -254,7 +285,10 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 * + if (EFI_ERROR(rc)) + return rc; + +- EFI_DEVICE_PATH *dph = NULL, *dpf = NULL, *dp = NULL; ++ EFI_DEVICE_PATH 
*dph = NULL; ++ EFI_DEVICE_PATH *file = NULL; ++ EFI_DEVICE_PATH *full_device_path = NULL; ++ EFI_DEVICE_PATH *dp = NULL; + + dph = DevicePathFromHandle(this_image->DeviceHandle); + if (!dph) { +@@ -262,19 +296,31 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 * + goto err; + } + +- dpf = FileDevicePath(fh, fullpath); +- if (!dpf) { ++ file = FileDevicePath(fh, fullpath); ++ if (!file) { + rc = EFI_OUT_OF_RESOURCES; + goto err; + } + +- dp = AppendDevicePath(dph, dpf); +- if (!dp) { ++ full_device_path = AppendDevicePath(dph, file); ++ if (!full_device_path) { + rc = EFI_OUT_OF_RESOURCES; + goto err; + } + ++ rc = FindSubDevicePath(full_device_path, ++ MEDIA_DEVICE_PATH, MEDIA_HARDDRIVE_DP, &dp); ++ if (EFI_ERROR(rc)) { ++ if (rc == EFI_NOT_FOUND) { ++ dp = full_device_path; ++ } else { ++ rc = EFI_OUT_OF_RESOURCES; ++ goto err; ++ } ++ } ++ + #ifdef DEBUG_FALLBACK ++ { + UINTN s = DevicePathSize(dp); + int i; + UINT8 *dpv = (void *)dp; +@@ -287,20 +333,16 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 * + + CHAR16 *dps = DevicePathToStr(dp); + Print(L"device path: \"%s\"\n", dps); +-#endif +- if (!first_new_option) { +- CHAR16 *dps = DevicePathToStr(dp); +- Print(L"device path: \"%s\"\n", dps); +- first_new_option = DuplicateDevicePath(dp); +- first_new_option_args = arguments; +- first_new_option_size = StrLen(arguments) * sizeof (CHAR16); + } ++#endif + +- add_boot_option(dp, fullpath, label, arguments); ++ add_boot_option(dp, full_device_path, fullpath, label, arguments); + + err: +- if (dpf) +- FreePool(dpf); ++ if (file) ++ FreePool(file); ++ if (full_device_path) ++ FreePool(full_device_path); + if (dp) + FreePool(dp); + if (fullpath) +@@ -622,8 +664,19 @@ try_start_first_option(EFI_HANDLE parent_image_handle) + first_new_option, NULL, 0, + &image_handle); + if (EFI_ERROR(rc)) { +- Print(L"LoadImage failed: %d\n", rc); +- uefi_call_wrapper(BS->Stall, 1, 2000000); ++ CHAR16 *dps = 
DevicePathToStr(first_new_option); ++ UINTN s = DevicePathSize(first_new_option); ++ int i; ++ UINT8 *dpv = (void *)first_new_option; ++ Print(L"LoadImage failed: %d\nDevice path: \"%s\"\n", rc, dps); ++ for (i = 0; i < s; i++) { ++ if (i > 0 && i % 16 == 0) ++ Print(L"\n"); ++ Print(L"%02x ", dpv[i]); ++ } ++ Print(L"\n"); ++ ++ uefi_call_wrapper(BS->Stall, 1, 500000000); + return rc; + } + +@@ -637,7 +690,7 @@ try_start_first_option(EFI_HANDLE parent_image_handle) + rc = uefi_call_wrapper(BS->StartImage, 3, image_handle, NULL, NULL); + if (EFI_ERROR(rc)) { + Print(L"StartImage failed: %d\n", rc); +- uefi_call_wrapper(BS->Stall, 1, 2000000); ++ uefi_call_wrapper(BS->Stall, 1, 500000000); + } + return rc; + } +-- +1.8.4.5 + + +From 23ed6291df5dd34789829607a97b3605b739a629 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Fri, 31 Jan 2014 10:31:10 -0500 +Subject: [PATCH 2/2] Attempt to re-use existing entries when possible. + +Some firmwares seem to ignore our boot entries and put their fallback +entries back on top. Right now that results in a lot of boot entries +for our stuff, a la https://bugzilla.redhat.com/show_bug.cgi?id=995834 . + +Instead of that happening, if we simply find existing entries that match +the entry we would create and move them to the top of the boot order, +the machine will continue to operate in failure mode (which we can't +avoid), but at least we won't create thousands of extra entries. 
+ +Signed-off-by: Peter Jones +--- + fallback.c | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 98 insertions(+), 1 deletion(-) + +diff --git a/fallback.c b/fallback.c +index 7f4201e..044e4ba 100644 +--- a/fallback.c ++++ b/fallback.c +@@ -226,6 +226,85 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp, + } + + EFI_STATUS ++find_boot_option(EFI_DEVICE_PATH *dp, CHAR16 *filename, CHAR16 *label, ++ CHAR16 *arguments, UINT16 *optnum) ++{ ++ int size = sizeof(UINT32) + sizeof (UINT16) + ++ StrLen(label)*2 + 2 + DevicePathSize(dp) + ++ StrLen(arguments) * 2 + 2; ++ ++ CHAR8 *data = AllocateZeroPool(size); ++ if (!data) ++ return EFI_OUT_OF_RESOURCES; ++ CHAR8 *cursor = data; ++ *(UINT32 *)cursor = LOAD_OPTION_ACTIVE; ++ cursor += sizeof (UINT32); ++ *(UINT16 *)cursor = DevicePathSize(dp); ++ cursor += sizeof (UINT16); ++ StrCpy((CHAR16 *)cursor, label); ++ cursor += StrLen(label)*2 + 2; ++ CopyMem(cursor, dp, DevicePathSize(dp)); ++ cursor += DevicePathSize(dp); ++ StrCpy((CHAR16 *)cursor, arguments); ++ ++ int i = 0; ++ CHAR16 varname[] = L"Boot0000"; ++ CHAR16 hexmap[] = L"0123456789ABCDEF"; ++ EFI_GUID global = EFI_GLOBAL_VARIABLE; ++ EFI_STATUS rc; ++ ++ CHAR8 *candidate = AllocateZeroPool(size); ++ if (!candidate) { ++ FreePool(data); ++ return EFI_OUT_OF_RESOURCES; ++ } ++ ++ for(i = 0; i < nbootorder && i < 0x10000; i++) { ++ varname[4] = hexmap[(bootorder[i] & 0xf000) >> 12]; ++ varname[5] = hexmap[(bootorder[i] & 0x0f00) >> 8]; ++ varname[6] = hexmap[(bootorder[i] & 0x00f0) >> 4]; ++ varname[7] = hexmap[(bootorder[i] & 0x000f) >> 0]; ++ ++ UINTN candidate_size = size; ++ rc = uefi_call_wrapper(RT->GetVariable, 5, varname, &global, ++ NULL, &candidate_size, candidate); ++ if (EFI_ERROR(rc)) ++ continue; ++ ++ if (candidate_size != size) ++ continue; ++ ++ if (CompareMem(candidate, data, size)) ++ continue; ++ ++ /* at this point, we have duplicate data. 
*/ ++ *optnum = i; ++ FreePool(candidate); ++ FreePool(data); ++ return EFI_SUCCESS; ++ } ++ FreePool(candidate); ++ FreePool(data); ++ return EFI_NOT_FOUND; ++} ++ ++EFI_STATUS ++set_boot_order(void) ++{ ++ CHAR16 *oldbootorder; ++ UINTN size; ++ EFI_GUID global = EFI_GLOBAL_VARIABLE; ++ ++ oldbootorder = LibGetVariableAndSize(L"BootOrder", &global, &size); ++ if (oldbootorder) { ++ nbootorder = size / sizeof (CHAR16); ++ bootorder = oldbootorder; ++ } ++ return EFI_SUCCESS; ++ ++} ++ ++EFI_STATUS + update_boot_order(void) + { + CHAR16 *oldbootorder; +@@ -336,7 +415,23 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 * + } + #endif + +- add_boot_option(dp, full_device_path, fullpath, label, arguments); ++ UINT16 option; ++ rc = find_boot_option(dp, fullpath, label, arguments, &option); ++ if (EFI_ERROR(rc)) { ++ add_boot_option(dp, full_device_path, fullpath, label, arguments); ++ } else if (option != 0) { ++ CHAR16 *newbootorder; ++ newbootorder = AllocateZeroPool(sizeof (CHAR16) * nbootorder); ++ if (!newbootorder) ++ return EFI_OUT_OF_RESOURCES; ++ ++ newbootorder[0] = bootorder[option]; ++ CopyMem(newbootorder + 1, bootorder, sizeof (CHAR16) * option); ++ CopyMem(newbootorder + option + 1, bootorder + option + 1, ++ sizeof (CHAR16) * (nbootorder - option - 1)); ++ FreePool(bootorder); ++ bootorder = newbootorder; ++ } + + err: + if (file) +@@ -710,6 +805,8 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *systab) + + Print(L"System BootOrder not found. Initializing defaults.\n"); + ++ set_boot_order(); ++ + rc = find_boot_options(this_image->DeviceHandle); + if (EFI_ERROR(rc)) { + Print(L"Error: could not find boot options: %d\n", rc); +-- +1.8.4.5 + diff --git a/shim-get-variable-check.patch b/shim-get-variable-check.patch new file mode 100644 index 0000000..53801e6 --- /dev/null +++ b/shim-get-variable-check.patch 
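Review bot: The two patches in this file size the load-option buffer differently: patch 1 changes add_boot_option to `StrLen(arguments) * 2` while patch 2's new find_boot_option uses `StrLen(arguments) * 2 + 2`, so, assuming SetVariable is later called with that size, an entry shim itself created would always fail the `candidate_size != size` test and the duplicate-avoidance this patch adds would not apply to shim's own entries. Since `StrCpy((CHAR16 *)cursor, arguments)` copies the terminating NUL, the shorter allocation in add_boot_option also looks two bytes short; restoring `StrLen(arguments) * 2 + 2;` there would address both, but as this is upstream code the fix belongs in a follow-up patch rather than an edit of this one. In add_to_boot_list, the new `if (!newbootorder) return EFI_OUT_OF_RESOURCES;` returns past the `err:` label and so skips freeing file, full_device_path, dp and fullpath; `rc = EFI_OUT_OF_RESOURCES; goto err;` would match the surrounding error handling. Both functions extend beyond the lines quoted in this patch.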
@@ -0,0 +1,27 @@ +From 293f28d1fe3921c5348c60948b4dedcef5042d5b Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Fri, 15 Nov 2013 10:55:37 -0500 +Subject: [PATCH] Error check the right thing in get_variable_attr() when + allocating. + +Signed-off-by: Peter Jones +--- + lib/variables.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/variables.c b/lib/variables.c +index 81bd34d..3a9735e 100644 +--- a/lib/variables.c ++++ b/lib/variables.c +@@ -224,7 +224,7 @@ get_variable_attr(CHAR16 *var, UINT8 **data, UINTN *len, EFI_GUID owner, + return efi_status; + + *data = AllocateZeroPool(*len); +- if (!data) ++ if (!*data) + return EFI_OUT_OF_RESOURCES; + + efi_status = uefi_call_wrapper(RT->GetVariable, 5, var, &owner, +-- +1.8.4.5 + diff --git a/shim-mokx-support.patch b/shim-mokx-support.patch index f19a7f4..608b47b 100644 --- a/shim-mokx-support.patch +++ b/shim-mokx-support.patch @@ -1,10 +1,12 @@ -From 8614cf8c164049e77d702eb234d608d5342e975b Mon Sep 17 00:00:00 2001 +From 58b8e54ef60d488886a9f0d0877b7187eb200d07 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 24 Oct 2013 17:02:08 +0800 -Subject: [PATCH 1/9] Support MOK blacklist +Subject: [PATCH 01/10] Support MOK blacklist The new blacklist, MokListX, stores the keys and hashes that are banned. + +Signed-off-by: Gary Ching-Pang Lin --- MokManager.c | 241 +++++++++++++++++++++++++++++++++++++++++++++++++---------- shim.c | 3 +- @@ -510,7 +512,7 @@ index f5ed379..b9b42b6 100644 return EFI_SUCCESS; } diff --git a/shim.c b/shim.c -index 9ae1936..c133bb2 100644 +index cf93d65..2c23a2f 100644 --- a/shim.c +++ b/shim.c @@ -1510,7 +1510,8 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle) @@ -524,14 +526,15 @@ index 9ae1936..c133bb2 100644 if (efi_status != EFI_SUCCESS) { -- -1.8.1.4 +1.8.4.5 -From f36f4093bb72344242949b16b83905cefb93d3cd Mon Sep 17 00:00:00 2001 +From d2980a5cbee887223405a24be44ffd5bb439e3f1 Mon Sep 17 00:00:00 2001 
From: Gary Ching-Pang Lin Date: Thu, 24 Oct 2013 17:32:31 +0800 -Subject: [PATCH 2/9] MokManager: show the hash list properly +Subject: [PATCH 02/10] MokManager: show the hash list properly +Signed-off-by: Gary Ching-Pang Lin --- MokManager.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 71 insertions(+), 11 deletions(-) @@ -675,14 +678,15 @@ index b9b42b6..5575a94 100644 for (i=0; menu_strings[i] != NULL; i++) -- -1.8.1.4 +1.8.4.5 -From f1073a9bc757008d44b5b86cb5002a3654faf2d2 Mon Sep 17 00:00:00 2001 +From 9c4b5d58385c64056adb5386c097219665f2f50d Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Fri, 25 Oct 2013 16:54:25 +0800 -Subject: [PATCH 3/9] MokManager: delete the hash properly +Subject: [PATCH 03/10] MokManager: delete the hash properly +Signed-off-by: Gary Ching-Pang Lin --- MokManager.c | 124 ++++++++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 114 insertions(+), 10 deletions(-) @@ -840,14 +844,15 @@ index 5575a94..23bdeef 100644 } -- -1.8.1.4 +1.8.4.5 -From b5cb83a92620b0b41857f3e3a292d1577eb3a3a5 Mon Sep 17 00:00:00 2001 +From 54ce2f9605990c00f9cafae7cab22a1c885828c1 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Fri, 25 Oct 2013 17:05:10 +0800 -Subject: [PATCH 4/9] MokManager: Match all hashes in the list +Subject: [PATCH 04/10] MokManager: Match all hashes in the list +Signed-off-by: Gary Ching-Pang Lin --- MokManager.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) @@ -908,15 +913,17 @@ index 23bdeef..5b40e19 100644 } } -- -1.8.1.4 +1.8.4.5 -From 70a4e12d2e6ba37541d0b78ec3c8ed5e8da9a941 Mon Sep 17 00:00:00 2001 +From 4c1912c8521cca4d320a1417abff6f7954809a20 Mon Sep 17 00:00:00 2001 
From: Gary Ching-Pang Lin Date: Fri, 25 Oct 2013 18:30:48 +0800 -Subject: [PATCH 5/9] MokManager: Write the hash list properly +Subject: [PATCH 05/10] MokManager: Write the hash list properly also return to the previous entry in the list + +Signed-off-by: Gary Ching-Pang Lin --- MokManager.c | 30 +++++++++++++++++++----------- 1 file changed, 19 insertions(+), 11 deletions(-) @@ -991,20 +998,21 @@ index 5b40e19..e79a8e0 100644 efi_status = uefi_call_wrapper(RT->SetVariable, 5, db_name, -- -1.8.1.4 +1.8.4.5 -From 225e5fca2f7cf63e365b77243d6e43b1eb9860c8 Mon Sep 17 00:00:00 2001 +From 8b96a93bda39617efbe51f24d1dc606ad8835d26 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Mon, 28 Oct 2013 15:08:40 +0800 -Subject: [PATCH 6/9] Copy the MOK blacklist to a RT variable +Subject: [PATCH 06/10] Copy the MOK blacklist to a RT variable +Signed-off-by: Gary Ching-Pang Lin --- shim.c | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/shim.c b/shim.c -index c133bb2..a0383a8 100644 +index 2c23a2f..ccb3071 100644 --- a/shim.c +++ b/shim.c @@ -1480,6 +1480,33 @@ EFI_STATUS mirror_mok_list() @@ -1041,7 +1049,7 @@ index c133bb2..a0383a8 100644 * Check if a variable exists */ static BOOLEAN check_var(CHAR16 *varname) -@@ -1795,6 +1822,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) +@@ -1799,6 +1826,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) */ efi_status = mirror_mok_list(); @@ -1051,20 +1059,21 @@ index c133bb2..a0383a8 100644 * Create the runtime MokIgnoreDB variable so the kernel can make * use of it -- -1.8.1.4 +1.8.4.5 -From f9db55b719281ce491780ecd4ec269c5286a7251 Mon Sep 17 00:00:00 2001 +From 044d04dbed3ef3f2f3004a770e3751eabc052c2c Mon Sep 17 00:00:00 2001 
From: Gary Ching-Pang Lin Date: Mon, 28 Oct 2013 16:36:34 +0800 -Subject: [PATCH 7/9] No newline for console_notify +Subject: [PATCH 07/10] No newline for console_notify +Signed-off-by: Gary Ching-Pang Lin --- shim.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shim.c b/shim.c -index a0383a8..a2e0862 100644 +index ccb3071..e30a464 100644 --- a/shim.c +++ b/shim.c @@ -470,7 +470,7 @@ static BOOLEAN secure_mode (void) @@ -1086,13 +1095,13 @@ index a0383a8..a2e0862 100644 } -- -1.8.1.4 +1.8.4.5 -From 0bf2da5c7d9442f3249fc977b3fbffab924a374c Mon Sep 17 00:00:00 2001 +From 0e97d1576fcc1924f0f17b7f31baf1dd74a7f83e Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Mon, 4 Nov 2013 14:45:33 +0800 -Subject: [PATCH 8/9] Verify the EFI images with MOK blacklist +Subject: [PATCH 08/10] Verify the EFI images with MOK blacklist Signed-off-by: Gary Ching-Pang Lin --- @@ -1100,7 +1109,7 @@ Signed-off-by: Gary Ching-Pang Lin 1 file changed, 9 insertions(+) diff --git a/shim.c b/shim.c -index a2e0862..5f5e9a6 100644 +index e30a464..efd3d85 100644 --- a/shim.c +++ b/shim.c @@ -365,6 +365,7 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert, @@ -1127,13 +1136,13 @@ index a2e0862..5f5e9a6 100644 return EFI_SUCCESS; } -- -1.8.1.4 +1.8.4.5 -From 20ced27d1785bceaf814c07ca0d5686506a119ad Mon Sep 17 00:00:00 2001 +From a166edaa42ef96eaf5b000d0e4ad71779b745d68 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Mon, 4 Nov 2013 17:51:55 +0800 -Subject: [PATCH 9/9] Exclude ca.crt while signing EFI images +Subject: [PATCH 09/10] Exclude ca.crt while signing EFI images If ca.crt was added into the certificate database, ca.crt would be the first certificate in the signature. Because shim couldn't verify ca.crt with the 
@@ -1158,5 +1167,33 @@ index e65d28d..5e3fa9e 100644 certutil -d certdb/ -A -i shim.crt -n shim -t u -- -1.8.1.4 +1.8.4.5 + + +From cce37bfa5298e8e9c12d3509c78592f711699c4f Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Tue, 11 Feb 2014 14:11:15 +0800 +Subject: [PATCH 10/10] Make shim to check MokXAuth for MOKX reset + +Signed-off-by: Gary Ching-Pang Lin +--- + shim.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/shim.c b/shim.c +index efd3d85..7093c45 100644 +--- a/shim.c ++++ b/shim.c +@@ -1547,7 +1547,8 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle) + if (check_var(L"MokNew") || check_var(L"MokSB") || + check_var(L"MokPW") || check_var(L"MokAuth") || + check_var(L"MokDel") || check_var(L"MokDB") || +- check_var(L"MokXNew") || check_var(L"MokXDel")) { ++ check_var(L"MokXNew") || check_var(L"MokXDel") || ++ check_var(L"MokXAuth")) { + efi_status = start_image(image_handle, MOK_MANAGER); + + if (efi_status != EFI_SUCCESS) { +-- +1.8.4.5 diff --git a/shim-only-os-name.patch b/shim-only-os-name.patch new file mode 100644 index 0000000..076b7d6 --- /dev/null +++ b/shim-only-os-name.patch @@ -0,0 +1,13 @@ +diff --git a/Makefile b/Makefile +index 91e6bcd..6ed5ba7 100644 +--- a/Makefile ++++ b/Makefile +@@ -63,7 +63,7 @@ shim_cert.h: shim.cer + + version.c : version.c.in + sed -e "s,@@VERSION@@,$(VERSION)," \ +- -e "s,@@UNAME@@,$(shell uname -a)," \ ++ -e "s,@@UNAME@@,$(shell uname -o)," \ + -e "s,@@COMMIT@@,$(shell if [ -d .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo commit id not available; fi)," \ + < version.c.in > version.c + diff --git a/shim.changes b/shim.changes index 465b298..efbdc8c 100644 --- a/shim.changes +++ b/shim.changes 
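Review bot: Patch 10/10 makes check_mok_request hand control to MokManager whenever a `MokXAuth` variable merely exists, the same existence-only test already used for `MokAuth`; the authorization itself (checking the variable's contents against the requested MokListX reset and clearing it afterwards) is therefore assumed to live in MokManager, which is not part of this hunk, so confirm MokXAuth gets the same validation as MokAuth and a stray or leftover variable cannot by itself cause a blacklist reset. A one-line comment above the condition, `/* MokXAuth: pending MokListX reset; contents are verified by MokManager */`, would record that contract for the next reader. The remaining changes in this file only renumber the series, refresh commit ids and add Signed-off-by lines. check_mok_request continues outside the hunk.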
@@ -1,3 +1,22 @@ +------------------------------------------------------------------- +Tue Feb 11 06:30:02 UTC 2014 - glin@suse.com + +- Update shim-mokx-support.patch to support the resetting of MOK + blacklist +- Add shim-get-variable-check.patch to fix the variable checking + in get_variable_attr +- Add shim-improve-fallback-entries-creation.patch to improve the + boot entry pathes and avoid generating the boot entries that + are already there +- Update SUSE certificate +- Update attach_signature.sh, show_hash.sh, strip_signature.sh, + extract_signature.sh and show_signatures.sh to remove the + creation of the temporary nss database +- Add shim-only-os-name.patch: remove the kernel version of the + build server +- Match the the prefix of the project name properly by escaping the + percent sign. + ------------------------------------------------------------------- Wed Jan 22 13:45:44 UTC 2014 - lnussel@suse.de diff --git a/shim.spec b/shim.spec index cdc712e..d21f129 100644 --- a/shim.spec +++ b/shim.spec @@ -38,6 +38,7 @@ Source7: show_hash.sh Source8: show_signatures.sh Source9: openSUSE-UEFI-CA-Certificate-4096.crt Source10: timestamp.pl +Source11: strip_signature.sh # PATCH-FIX-UPSTREAM shim-fix-verify-mok.patch glin@suse.com -- Fix the error handling in verify_mok() Patch1: shim-fix-verify-mok.patch # PATCH-FIX-UPSTREAM shim-improve-error-messages.patch glin@suse.com -- Improve the error messages 
@@ -50,6 +51,12 @@ Patch4: shim-fix-dhcpv4-path-generation.patch Patch5: shim-mokx-support.patch # PATCH-FIX-UPSTREAM shim-mokmanager-handle-keystroke-error.patch glin@suse.com -- Handle the error status from ReadKeyStroke to avoid the unexpected keys Patch6: shim-mokmanager-handle-keystroke-error.patch +# PATCH-FIX-SUSE shim-only-os-name.patch glin@suse.com -- Only include the OS name in version.c +Patch7: shim-only-os-name.patch +# PATCH-FIX-UPSTREAM shim-get-variable-check.patch glin@suse.com -- Fix the variable checking in get_variable_attr +Patch8: shim-get-variable-check.patch +# PATCH-FIX-UPSTREAM shim-fallback-improve--entries-creation.patch glin@suse.com -- Improve the boot entry pathes and avoid generating the boot entries that are already there +Patch9: shim-fallback-improve-entries-creation.patch BuildRequires: gnu-efi >= 3.0t BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 @@ -78,6 +85,9 @@ Authors: %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 %build # first, build MokManager and fallback as they don't depend on a @@ -133,7 +143,7 @@ for suffix in "${suffixes[@]}"; do # make sure cast warnings don't trigger post build check make EFI_PATH=/usr/lib64 VENDOR_CERT_FILE=shim-$suffix.der shim.efi 2>/dev/null # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx - chmod 755 %{SOURCE6} %{SOURCE7} %{SOURCE10} + chmod 755 %{SOURCE10} # alternative: verify signature #sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi head -1 %{SOURCE1} > hash1 
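Review bot: The PATCH-FIX-UPSTREAM comment for Patch9 names `shim-fallback-improve--entries-creation.patch` (double hyphen) while the Patch9 line and the added file are `shim-fallback-improve-entries-creation.patch`, and the shim.changes entry calls it `shim-improve-fallback-entries-creation.patch`; three spellings for one file will mislead anyone grepping for it. The comment should read `# PATCH-FIX-UPSTREAM shim-fallback-improve-entries-creation.patch glin@suse.com -- Improve the boot entry paths and avoid generating boot entries that already exist`, which also fixes `pathes`. The same misspelling and the wrong file name in shim.changes should be corrected in the same way.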
@@ -141,21 +151,20 @@ for suffix in "${suffixes[@]}"; do # pe header contains timestamp and checksum. we need to # restore that %{SOURCE10} --set-from-file %{SOURCE1} shim.efi - %{SOURCE7} shim.efi > hash2 + pesign -h -P -i shim.efi > hash2 cat hash1 hash2 if ! cmp -s hash1 hash2; then echo "ERROR: binary changed, need to request new signature!" # don't fail in devel projects prj="%{_project}" - if [ "${prj%%:*}" = "openSUSE" -o "${prj%%:*}" = "SUSE" ]; then + if [ "${prj%%%:*}" = "openSUSE" -o "${prj%%%:*}" = "SUSE" ]; then false fi mv shim.efi.bak shim-$suffix.efi rm shim.efi else # attach signature - %{SOURCE6} %{SOURCE1} shim.efi - mv shim-signed.efi shim-$suffix.efi + pesign -m %{SOURCE1} -i shim.efi -o shim-$suffix.efi rm -f shim.efi fi rm -f shim.cer shim.crt diff --git a/show_hash.sh b/show_hash.sh index 82c4944..a485768 100644 --- a/show_hash.sh +++ b/show_hash.sh @@ -9,13 +9,4 @@ if [ -z "$infile" -o ! -e "$infile" ]; then exit 1 fi -nssdir=`mktemp -d` -cleanup() -{ - rm -r "$nssdir" -} -trap cleanup EXIT -echo > "$nssdir/pw" -certutil -f "$nssdir/pw" -d "$nssdir" -N - -pesign -n "$nssdir" -h -P -i "$infile" +pesign -h -P -i "$infile" diff --git a/show_signatures.sh b/show_signatures.sh index d9bdb6e..ab9acdb 100644 --- a/show_signatures.sh +++ b/show_signatures.sh @@ -9,13 +9,4 @@ if [ -z "$infile" -o ! -e "$infile" ]; then exit 1 fi -nssdir=`mktemp -d` -cleanup() -{ - rm -r "$nssdir" -} -trap cleanup EXIT -echo > "$nssdir/pw" -certutil -f "$nssdir/pw" -d "$nssdir" -N - -pesign -n "$nssdir" -S -i "$infile" +pesign -S -i "$infile" diff --git a/strip_signature.sh b/strip_signature.sh index f22cabf..ccda812 100644 --- a/strip_signature.sh +++ b/strip_signature.sh @@ -10,13 +10,4 @@ fi outfile="${infile%.efi}-unsigned.efi" -nssdir=`mktemp -d` -cleanup() -{ - rm -r "$nssdir" -} -trap cleanup EXIT -echo > "$nssdir/pw" -certutil -f "$nssdir/pw" -d "$nssdir" -N - -pesign -n "$nssdir" -r -i "$infile" -o "$outfile" +pesign -r -i "$infile" -o "$outfile"
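Review bot: The `${prj%%%:*}` fix is correct but opaque: rpm collapses `%%` to `%` before the shell sees `${prj%%:*}`, and nothing on the line says so, so the next reader is likely to "fix" it back; add `# %% is rpm's escape for a literal %; the shell sees ${prj%%:*}` above the `if`. The `[ a -o b ]` form is deprecated and can misparse; `if [ "${prj%%%:*}" = "openSUSE" ] || [ "${prj%%%:*}" = "SUSE" ]; then` is unambiguous. The two new direct pesign calls replace the helper scripts, so their failure handling now rests entirely on the %build shell aborting on a non-zero status; if it does not, an empty hash2 from a failed `pesign -h -P` would be reported as "binary changed" rather than as a tooling error. The for loop enclosing this hunk starts outside it.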