Accepting request 1057935 from devel:openSUSE:Factory
OBS-URL: https://build.opensuse.org/request/show/1057935 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shim?expand=0&rev=111
This commit is contained in:
commit
6708fb2b48
@ -1,306 +0,0 @@
|
|||||||
From 49355a83722494099caeb23b46637b2c94a6ab9e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Gary Ching-Pang Lin <glin@suse.com>
|
|
||||||
Date: Tue, 18 Feb 2014 17:29:19 +0800
|
|
||||||
Subject: [PATCH 1/3] Show the build-in certificate prompt
|
|
||||||
|
|
||||||
This is an openSUSE-only patch.
|
|
||||||
|
|
||||||
Pop up a window to ask if the user is willing to trust the built-in
|
|
||||||
openSUSE certificate.
|
|
||||||
|
|
||||||
If yes, set openSUSE_Verify, a BootService variable, to 1, and shim
|
|
||||||
won't bother the user afterward.
|
|
||||||
|
|
||||||
If no, continue the booting process without using the built-in
|
|
||||||
certificate to verify the EFI images, and the window will show up
|
|
||||||
again after reboot.
|
|
||||||
|
|
||||||
The state will store in use_openSUSE_cert, a volatile RT variable.
|
|
||||||
---
|
|
||||||
mok.c | 3 ++-
|
|
||||||
shim.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
|
|
||||||
shim.h | 1 +
|
|
||||||
3 files changed, 71 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
Index: shim-15.6/mok.c
|
|
||||||
===================================================================
|
|
||||||
--- shim-15.6.orig/mok.c
|
|
||||||
+++ shim-15.6/mok.c
|
|
||||||
@@ -46,7 +46,8 @@ static EFI_STATUS check_mok_request(EFI_
|
|
||||||
check_var(L"MokPW") || check_var(L"MokAuth") ||
|
|
||||||
check_var(L"MokDel") || check_var(L"MokDB") ||
|
|
||||||
check_var(L"MokXNew") || check_var(L"MokXDel") ||
|
|
||||||
- check_var(L"MokXAuth") || check_var(L"MokListTrustedNew")) {
|
|
||||||
+ check_var(L"MokXAuth") || check_var(L"MokListTrustedNew") ||
|
|
||||||
+ check_var(L"ClearVerify")) {
|
|
||||||
efi_status = start_image(image_handle, MOK_MANAGER);
|
|
||||||
|
|
||||||
if (EFI_ERROR(efi_status)) {
|
|
||||||
@@ -62,7 +63,8 @@ static vendor_addend_category_t
|
|
||||||
categorize_authorized(struct mok_state_variable *v)
|
|
||||||
{
|
|
||||||
if (!(v->addend && v->addend_size &&
|
|
||||||
- *v->addend && *v->addend_size)) {
|
|
||||||
+ *v->addend && *v->addend_size &&
|
|
||||||
+ use_builtin_cert)) {
|
|
||||||
return VENDOR_ADDEND_NONE;
|
|
||||||
}
|
|
||||||
|
|
||||||
Index: shim-15.6/shim.c
|
|
||||||
===================================================================
|
|
||||||
--- shim-15.6.orig/shim.c
|
|
||||||
+++ shim-15.6/shim.c
|
|
||||||
@@ -496,6 +496,8 @@ verify_one_signature(WIN_CERTIFICATE_EFI
|
|
||||||
}
|
|
||||||
|
|
||||||
efi_status = EFI_NOT_FOUND;
|
|
||||||
+ if (!use_builtin_cert)
|
|
||||||
+ return efi_status;
|
|
||||||
#if defined(ENABLE_SHIM_CERT)
|
|
||||||
/*
|
|
||||||
* Check against the shim build key
|
|
||||||
@@ -1568,6 +1570,69 @@ shim_fini(void)
|
|
||||||
console_fini();
|
|
||||||
}
|
|
||||||
|
|
||||||
+#define VENDOR_VERIFY L"openSUSE_Verify"
|
|
||||||
+
|
|
||||||
+/* Show the built-in certificate prompt if necessary */
|
|
||||||
+static int builtin_cert_prompt(void)
|
|
||||||
+{
|
|
||||||
+ EFI_STATUS status;
|
|
||||||
+ UINT32 attributes;
|
|
||||||
+ UINTN len = sizeof(UINT8);
|
|
||||||
+ UINT8 data;
|
|
||||||
+
|
|
||||||
+ use_builtin_cert = FALSE;
|
|
||||||
+
|
|
||||||
+ if (vendor_cert_size == 0)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ status = gRT->GetVariable(VENDOR_VERIFY, &SHIM_LOCK_GUID,
|
|
||||||
+ &attributes, &len, (void *)&data);
|
|
||||||
+ if (status != EFI_SUCCESS ||
|
|
||||||
+ (attributes & EFI_VARIABLE_RUNTIME_ACCESS)) {
|
|
||||||
+ int choice;
|
|
||||||
+
|
|
||||||
+ if (status != EFI_NOT_FOUND)
|
|
||||||
+ LibDeleteVariable(VENDOR_VERIFY, &SHIM_LOCK_GUID);
|
|
||||||
+
|
|
||||||
+ CHAR16 *str[] = {L"Trust openSUSE Certificate",
|
|
||||||
+ L"",
|
|
||||||
+ L"Do you agree to use the built-in openSUSE certificate",
|
|
||||||
+ L"to verify boot loaders and kernels?",
|
|
||||||
+ NULL};
|
|
||||||
+ choice = console_yes_no(str);
|
|
||||||
+ if (choice != 1) {
|
|
||||||
+ data = 0;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ data = 1;
|
|
||||||
+ status = gRT->SetVariable(VENDOR_VERIFY, &SHIM_LOCK_GUID,
|
|
||||||
+ EFI_VARIABLE_NON_VOLATILE |
|
|
||||||
+ EFI_VARIABLE_BOOTSERVICE_ACCESS,
|
|
||||||
+ sizeof(UINT8), &data);
|
|
||||||
+ if (status != EFI_SUCCESS) {
|
|
||||||
+ console_error(L"Failed to set openSUSE_Verify", status);
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ use_builtin_cert = TRUE;
|
|
||||||
+ data = 1;
|
|
||||||
+
|
|
||||||
+done:
|
|
||||||
+ /* Setup a runtime variable to show the current state */
|
|
||||||
+ status = gRT->SetVariable(L"use_openSUSE_cert", &SHIM_LOCK_GUID,
|
|
||||||
+ EFI_VARIABLE_BOOTSERVICE_ACCESS |
|
|
||||||
+ EFI_VARIABLE_RUNTIME_ACCESS,
|
|
||||||
+ sizeof(UINT8), &data);
|
|
||||||
+ if (status != EFI_SUCCESS) {
|
|
||||||
+ console_error(L"Failed to set use_openSUSE_cert", status);
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
extern EFI_STATUS
|
|
||||||
efi_main(EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab);
|
|
||||||
|
|
||||||
@@ -1708,6 +1773,9 @@ efi_main (EFI_HANDLE passed_image_handle
|
|
||||||
*/
|
|
||||||
debug_hook();
|
|
||||||
|
|
||||||
+ if (secure_mode() && (builtin_cert_prompt() != 0))
|
|
||||||
+ return EFI_ABORTED;
|
|
||||||
+
|
|
||||||
efi_status = set_sbat_uefi_variable();
|
|
||||||
if (EFI_ERROR(efi_status) && secure_mode()) {
|
|
||||||
perror(L"%s variable initialization failed\n", SBAT_VAR_NAME);
|
|
||||||
Index: shim-15.6/MokManager.c
|
|
||||||
===================================================================
|
|
||||||
--- shim-15.6.orig/MokManager.c
|
|
||||||
+++ shim-15.6/MokManager.c
|
|
||||||
@@ -1864,6 +1864,36 @@ mokpw_done:
|
|
||||||
return EFI_SUCCESS;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) {
|
|
||||||
+ EFI_STATUS status;
|
|
||||||
+
|
|
||||||
+ if (console_yes_no((CHAR16 *[]){L"Do you want to revoke openSUSE certificate?", NULL}) != 1)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ if (ClearVerifySize == PASSWORD_CRYPT_SIZE) {
|
|
||||||
+ status = match_password((PASSWORD_CRYPT *)ClearVerify, NULL, 0,
|
|
||||||
+ NULL, NULL);
|
|
||||||
+ } else {
|
|
||||||
+ status = EFI_INVALID_PARAMETER;
|
|
||||||
+ }
|
|
||||||
+ if (status != EFI_SUCCESS)
|
|
||||||
+ return -1;
|
|
||||||
+
|
|
||||||
+ status = gRT->SetVariable(L"openSUSE_Verify", &SHIM_LOCK_GUID,
|
|
||||||
+ EFI_VARIABLE_BOOTSERVICE_ACCESS |
|
|
||||||
+ EFI_VARIABLE_NON_VOLATILE,
|
|
||||||
+ 0, NULL);
|
|
||||||
+ if (status != EFI_SUCCESS) {
|
|
||||||
+ console_error(L"Failed to delete openSUSE_Verify", status);
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ console_notify(L"The system must now be rebooted");
|
|
||||||
+ gRT->ResetSystem(EfiResetWarm, EFI_SUCCESS, 0, NULL);
|
|
||||||
+ console_notify(L"Failed to reboot");
|
|
||||||
+ return -1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static BOOLEAN verify_certificate(UINT8 * cert, UINTN size)
|
|
||||||
{
|
|
||||||
X509 *X509Cert;
|
|
||||||
@@ -2195,6 +2225,7 @@ typedef enum {
|
|
||||||
MOK_CHANGE_SB,
|
|
||||||
MOK_SET_PW,
|
|
||||||
MOK_CHANGE_DB,
|
|
||||||
+ MOK_CLEAR_VERIFY,
|
|
||||||
MOK_KEY_ENROLL,
|
|
||||||
MOK_HASH_ENROLL,
|
|
||||||
MOK_CHANGE_TML
|
|
||||||
@@ -2217,7 +2248,9 @@ static EFI_STATUS enter_mok_menu(EFI_HAN
|
|
||||||
void *MokDB, UINTN MokDBSize,
|
|
||||||
void *MokXNew, UINTN MokXNewSize,
|
|
||||||
void *MokXDel, UINTN MokXDelSize,
|
|
||||||
- void *MokTML, UINTN MokTMLSize)
|
|
||||||
+ void *MokTML, UINTN MokTMLSize,
|
|
||||||
+ void *ClearVerify, UINTN ClearVerifySize)
|
|
||||||
+
|
|
||||||
{
|
|
||||||
CHAR16 **menu_strings = NULL;
|
|
||||||
mok_menu_item *menu_item = NULL;
|
|
||||||
@@ -2296,6 +2329,9 @@ static EFI_STATUS enter_mok_menu(EFI_HAN
|
|
||||||
if (MokTML)
|
|
||||||
menucount++;
|
|
||||||
|
|
||||||
+ if (ClearVerify)
|
|
||||||
+ menucount++;
|
|
||||||
+
|
|
||||||
menu_strings = AllocateZeroPool(sizeof(CHAR16 *) *
|
|
||||||
(menucount + 1));
|
|
||||||
if (!menu_strings)
|
|
||||||
@@ -2373,6 +2409,12 @@ static EFI_STATUS enter_mok_menu(EFI_HAN
|
|
||||||
i++;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (ClearVerify) {
|
|
||||||
+ menu_strings[i] = L"Revoke openSUSE certificate";
|
|
||||||
+ menu_item[i] = MOK_CLEAR_VERIFY;
|
|
||||||
+ i++;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
menu_strings[i] = L"Enroll key from disk";
|
|
||||||
menu_item[i] = MOK_KEY_ENROLL;
|
|
||||||
i++;
|
|
||||||
@@ -2477,6 +2519,9 @@ static EFI_STATUS enter_mok_menu(EFI_HAN
|
|
||||||
if (!EFI_ERROR(efi_status))
|
|
||||||
MokDB = NULL;
|
|
||||||
break;
|
|
||||||
+ case MOK_CLEAR_VERIFY:
|
|
||||||
+ mok_clear_verify_prompt(ClearVerify, ClearVerifySize);
|
|
||||||
+ break;
|
|
||||||
case MOK_KEY_ENROLL:
|
|
||||||
efi_status = mok_key_enroll();
|
|
||||||
break;
|
|
||||||
@@ -2519,6 +2564,7 @@ static EFI_STATUS check_mok_request(EFI_
|
|
||||||
{
|
|
||||||
UINTN MokNewSize = 0, MokDelSize = 0, MokSBSize = 0, MokPWSize = 0;
|
|
||||||
UINTN MokDBSize = 0, MokXNewSize = 0, MokXDelSize = 0, MokTMLSize = 0;
|
|
||||||
+ UINTN ClearVerifySize = 0;
|
|
||||||
void *MokNew = NULL;
|
|
||||||
void *MokDel = NULL;
|
|
||||||
void *MokSB = NULL;
|
|
||||||
@@ -2527,6 +2573,7 @@ static EFI_STATUS check_mok_request(EFI_
|
|
||||||
void *MokXNew = NULL;
|
|
||||||
void *MokXDel = NULL;
|
|
||||||
void *MokTML = NULL;
|
|
||||||
+ void *ClearVerify = NULL;
|
|
||||||
EFI_STATUS efi_status;
|
|
||||||
|
|
||||||
efi_status = get_variable(L"MokNew", (UINT8 **) & MokNew, &MokNewSize,
|
|
||||||
@@ -2611,9 +2658,20 @@ static EFI_STATUS check_mok_request(EFI_
|
|
||||||
console_error(L"Could not retrieve MokXDel", efi_status);
|
|
||||||
}
|
|
||||||
|
|
||||||
+ efi_status = get_variable(L"ClearVerify", (UINT8 **)&ClearVerify,
|
|
||||||
+ &ClearVerifySize, SHIM_LOCK_GUID);
|
|
||||||
+ if (!EFI_ERROR(efi_status)) {
|
|
||||||
+ efi_status = LibDeleteVariable(L"ClearVerify", &SHIM_LOCK_GUID);
|
|
||||||
+ if (EFI_ERROR(efi_status))
|
|
||||||
+ console_notify(L"Failed to delete ClearVerify");
|
|
||||||
+ } else if (EFI_ERROR(efi_status) && efi_status != EFI_NOT_FOUND) {
|
|
||||||
+ console_error(L"Could not retrieve ClearVerify", efi_status);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
enter_mok_menu(image_handle, MokNew, MokNewSize, MokDel, MokDelSize,
|
|
||||||
MokSB, MokSBSize, MokPW, MokPWSize, MokDB, MokDBSize,
|
|
||||||
- MokXNew, MokXNewSize, MokXDel, MokXDelSize, MokTML, MokTMLSize);
|
|
||||||
+ MokXNew, MokXNewSize, MokXDel, MokXDelSize, MokTML, MokTMLSize,
|
|
||||||
+ ClearVerify, ClearVerifySize);
|
|
||||||
|
|
||||||
if (MokNew)
|
|
||||||
FreePool(MokNew);
|
|
||||||
@@ -2639,6 +2697,9 @@ static EFI_STATUS check_mok_request(EFI_
|
|
||||||
if (MokTML)
|
|
||||||
FreePool(MokTML);
|
|
||||||
|
|
||||||
+ if (ClearVerify)
|
|
||||||
+ FreePool (ClearVerify);
|
|
||||||
+
|
|
||||||
LibDeleteVariable(L"MokAuth", &SHIM_LOCK_GUID);
|
|
||||||
LibDeleteVariable(L"MokDelAuth", &SHIM_LOCK_GUID);
|
|
||||||
LibDeleteVariable(L"MokXAuth", &SHIM_LOCK_GUID);
|
|
||||||
Index: shim-15.6/globals.c
|
|
||||||
===================================================================
|
|
||||||
--- shim-15.6.orig/globals.c
|
|
||||||
+++ shim-15.6/globals.c
|
|
||||||
@@ -25,6 +25,7 @@ UINT8 *build_cert;
|
|
||||||
*/
|
|
||||||
verification_method_t verification_method;
|
|
||||||
int loader_is_participating;
|
|
||||||
+BOOLEAN use_builtin_cert;
|
|
||||||
|
|
||||||
UINT8 user_insecure_mode;
|
|
||||||
UINT8 ignore_db;
|
|
||||||
Index: shim-15.6/shim.h
|
|
||||||
===================================================================
|
|
||||||
--- shim-15.6.orig/shim.h
|
|
||||||
+++ shim-15.6/shim.h
|
|
||||||
@@ -270,6 +270,7 @@ extern UINT8 mok_policy;
|
|
||||||
extern UINT8 in_protocol;
|
|
||||||
extern void *load_options;
|
|
||||||
extern UINT32 load_options_size;
|
|
||||||
+extern BOOLEAN use_builtin_cert;
|
|
||||||
|
|
||||||
BOOLEAN secure_mode (void);
|
|
||||||
|
|
14
shim.changes
14
shim.changes
@ -1,3 +1,17 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Jan 12 07:00:19 UTC 2023 - Joey Lee <jlee@suse.com>
|
||||||
|
|
||||||
|
- Removed shim-bsc1198101-opensuse-cert-prompt.patch (bsc#1198101)
|
||||||
|
- Detail discussion is in bugzilla:
|
||||||
|
https://bugzilla.suse.com/show_bug.cgi?id=1198101
|
||||||
|
- The shim community review and challenge this prompt. No other
|
||||||
|
distro shows prompt (Have checked Fedora 37, CentOS 9 and Ubuntu 22.10).
|
||||||
|
Currently, it blocked the review process of openSUSE shim.
|
||||||
|
- Other distros lock-down kernel when secure boot is enabled. Some of
|
||||||
|
them used different key for signing kernel binary with In-tree kernel
|
||||||
|
module. And their build service does not provide signed Out-off-tree
|
||||||
|
module.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Fri Dec 9 08:38:14 UTC 2022 - Joey Lee <jlee@suse.com>
|
Fri Dec 9 08:38:14 UTC 2022 - Joey Lee <jlee@suse.com>
|
||||||
|
|
||||||
|
@ -77,8 +77,6 @@ Patch4: remove_build_id.patch
|
|||||||
Patch5: shim-disable-export-vendor-dbx.patch
|
Patch5: shim-disable-export-vendor-dbx.patch
|
||||||
# PATCH-FIX-UPSTREAM shim-Enable-the-NX-compatibility-flag-by-default.patch jlee@suse.com -- Enable the NX compatibility flag by default
|
# PATCH-FIX-UPSTREAM shim-Enable-the-NX-compatibility-flag-by-default.patch jlee@suse.com -- Enable the NX compatibility flag by default
|
||||||
Patch6: shim-Enable-the-NX-compatibility-flag-by-default.patch
|
Patch6: shim-Enable-the-NX-compatibility-flag-by-default.patch
|
||||||
# PATCH-FIX-OPENSUSE shim-bsc1198101-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
|
|
||||||
Patch100: shim-bsc1198101-opensuse-cert-prompt.patch
|
|
||||||
BuildRequires: dos2unix
|
BuildRequires: dos2unix
|
||||||
BuildRequires: mozilla-nss-tools
|
BuildRequires: mozilla-nss-tools
|
||||||
BuildRequires: openssl >= 0.9.8
|
BuildRequires: openssl >= 0.9.8
|
||||||
@ -124,9 +122,6 @@ The source code of UEFI shim loader
|
|||||||
%patch4 -p1
|
%patch4 -p1
|
||||||
%patch5 -p1
|
%patch5 -p1
|
||||||
%patch6 -p1
|
%patch6 -p1
|
||||||
%if 0%{?is_opensuse} == 1 || 0%{?sle_version} == 0
|
|
||||||
%patch100 -p1
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# generate the vendor SBAT metadata
|
# generate the vendor SBAT metadata
|
||||||
|
Loading…
Reference in New Issue
Block a user