Accepting request 519292 from home:gary_lin:branches:devel:openSUSE:Factory

- Print the debug messages in fallback.efi dynamically
- Refresh shim-fallback-workaround-masked-ami-variables.patch
- Measure more components and support TPM better

OBS-URL: https://build.opensuse.org/request/show/519292
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=132

shim-add-fallback-verbose-print.patch

@@ -0,0 +1,304 @@
+From 5b7f867367131e758548f9b537b765611ce3d874 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 31 Jul 2017 11:07:06 -0400
+Subject: [PATCH 1/2] fallback: Minor whitespace cleanup
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+(cherry picked from commit 87c8f07e98995c7a2bd040e9d7b7c35b15ff05e4)
+---
+ fallback.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fallback.c b/fallback.c
+index 0a7058b..9ec40b8 100644
+--- a/fallback.c
++++ b/fallback.c
+@@ -114,7 +114,7 @@ EFI_STATUS
+ make_full_path(CHAR16 *dirname, CHAR16 *filename, CHAR16 **out, UINT64 *outlen)
+ {
+ 	UINT64 len;
+-	
++
+ 	len = StrLen(L"\\EFI\\") + StrLen(dirname)
+ 	    + StrLen(L"\\") + StrLen(filename)
+ 	    + 2;
+@@ -358,12 +358,12 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 *
+ 	rc = make_full_path(dirname, filename, &fullpath, &pathlen);
+ 	if (EFI_ERROR(rc))
+ 		return rc;
+-	
++
+ 	EFI_DEVICE_PATH *dph = NULL;
+ 	EFI_DEVICE_PATH *file = NULL;
+ 	EFI_DEVICE_PATH *full_device_path = NULL;
+ 	EFI_DEVICE_PATH *dp = NULL;
+-	
++
+ 	dph = DevicePathFromHandle(this_image->DeviceHandle);
+ 	if (!dph) {
+ 		rc = EFI_OUT_OF_RESOURCES;
+-- 
+2.14.1
+
+
+From 74608d8f3dded28addbc09046c626f1a02251f3d Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 31 Jul 2017 12:51:46 -0400
+Subject: [PATCH 2/2] Make fallback debug printing be dynamic at runtime.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+(cherry picked from commit c0f7d130746e82613b88cdaa9929fe37aff54c57)
+---
+ fallback.c | 133 +++++++++++++++++++++++++++++++++++++++++++------------------
+ 1 file changed, 94 insertions(+), 39 deletions(-)
+
+diff --git a/fallback.c b/fallback.c
+index 9ec40b8..5602a88 100644
+--- a/fallback.c
++++ b/fallback.c
+@@ -15,6 +15,57 @@
+ 
+ EFI_LOADED_IMAGE *this_image = NULL;
+ 
++EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} };
++
++int
++get_fallback_verbose(void)
++{
++	EFI_GUID guid = SHIM_LOCK_GUID;
++	UINT8 *data = NULL;
++	UINTN dataSize = 0;
++	EFI_STATUS efi_status;
++	unsigned int i;
++	static int state = -1;
++
++	if (state != -1)
++		return state;
++
++	efi_status = get_variable(L"FALLBACK_VERBOSE",
++				  &data, &dataSize, guid);
++	if (EFI_ERROR(efi_status)) {
++		state = 0;
++		return state;
++	}
++
++	for (i = 0; i < dataSize; i++) {
++		if (data[i]) {
++			state = 1;
++			return state;
++		}
++	}
++
++	state = 0;
++	return state;
++}
++
++#define VerbosePrintUnprefixed(fmt, ...)				\
++	({								\
++		UINTN ret_ = 0;						\
++		if (get_fallback_verbose())				\
++			ret_ = Print((fmt), ##__VA_ARGS__);		\
++		ret_;							\
++	})
++
++#define VerbosePrint(fmt, ...)						\
++	({	UINTN line_ = __LINE__;					\
++		UINTN ret_ = 0;						\
++		if (get_fallback_verbose()) {				\
++			Print(L"%a:%d: ", __func__, line_);		\
++			ret_ = Print((fmt), ##__VA_ARGS__);		\
++		}							\
++		ret_;							\
++	})
++
+ static EFI_STATUS
+ FindSubDevicePath(EFI_DEVICE_PATH *In, UINT8 Type, UINT8 SubType,
+ 		  EFI_DEVICE_PATH **Out)
+@@ -23,9 +74,18 @@ FindSubDevicePath(EFI_DEVICE_PATH *In, UINT8 Type, UINT8 SubType,
+ 	if (!In || !Out)
+ 		return EFI_INVALID_PARAMETER;
+ 
++	CHAR16 *dps = DevicePathToStr(In);
++	VerbosePrint(L"input device path: \"%s\"\n", dps);
++	FreePool(dps);
++
+ 	for (dp = In; !IsDevicePathEnd(dp); dp = NextDevicePathNode(dp)) {
+ 		if (DevicePathType(dp) == Type &&
+ 				DevicePathSubType(dp) == SubType) {
++			dps = DevicePathToStr(dp);
++			VerbosePrint(L"sub-path (%hhd,%hhd): \"%s\"\n",
++				     Type, SubType, dps);
++			FreePool(dps);
++
+ 			*Out = DuplicateDevicePath(dp);
+ 			if (!*Out)
+ 				return EFI_OUT_OF_RESOURCES;
+@@ -327,13 +387,11 @@ update_boot_order(void)
+ 		return EFI_OUT_OF_RESOURCES;
+ 	CopyMem(newbootorder, bootorder, size);
+ 
+-#ifdef DEBUG_FALLBACK
+-	Print(L"nbootorder: %d\nBootOrder: ", size / sizeof (CHAR16));
++	VerbosePrint(L"nbootorder: %d\nBootOrder: ", size / sizeof (CHAR16));
+ 	UINTN j;
+ 	for (j = 0 ; j < size / sizeof (CHAR16); j++)
+-		Print(L"%04x ", newbootorder[j]);
++		VerbosePrintUnprefixed(L"%04x ", newbootorder[j]);
+ 	Print(L"\n");
+-#endif
+ 	rc = uefi_call_wrapper(RT->GetVariable, 5, L"BootOrder", &global,
+ 			       NULL, &len, NULL);
+ 	if (rc == EFI_BUFFER_TOO_SMALL)
+@@ -363,6 +421,7 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 *
+ 	EFI_DEVICE_PATH *file = NULL;
+ 	EFI_DEVICE_PATH *full_device_path = NULL;
+ 	EFI_DEVICE_PATH *dp = NULL;
++	CHAR16 *dps;
+ 
+ 	dph = DevicePathFromHandle(this_image->DeviceHandle);
+ 	if (!dph) {
+@@ -381,6 +440,9 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 *
+ 		rc = EFI_OUT_OF_RESOURCES;
+ 		goto err;
+ 	}
++	dps = DevicePathToStr(full_device_path);
++	VerbosePrint(L"file DP: %s\n", dps);
++	FreePool(dps);
+ 
+ 	rc = FindSubDevicePath(full_device_path,
+ 				MEDIA_DEVICE_PATH, MEDIA_HARDDRIVE_DP, &dp);
+@@ -393,22 +455,24 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 *
+ 		}
+ 	}
+ 
+-#ifdef DEBUG_FALLBACK
+ 	{
+-	UINTN s = DevicePathSize(dp);
+-	UINTN i;
+-	UINT8 *dpv = (void *)dp;
+-	for (i = 0; i < s; i++) {
+-		if (i > 0 && i % 16 == 0)
+-			Print(L"\n");
+-		Print(L"%02x ", dpv[i]);
+-	}
+-	Print(L"\n");
++		UINTN s = DevicePathSize(dp);
++		UINTN i;
++		UINT8 *dpv = (void *)dp;
++		for (i = 0; i < s; i++) {
++			if (i % 16 == 0) {
++				if (i > 0)
++					VerbosePrintUnprefixed(L"\n");
++				VerbosePrint(L"");
++			}
++			VerbosePrintUnprefixed(L"%02x ", dpv[i]);
++		}
++		VerbosePrintUnprefixed(L"\n");
+ 
+-	CHAR16 *dps = DevicePathToStr(dp);
+-	Print(L"device path: \"%s\"\n", dps);
++		CHAR16 *dps = DevicePathToStr(dp);
++		VerbosePrint(L"device path: \"%s\"\n", dps);
++		FreePool(dps);
+ 	}
+-#endif
+ 
+ 	UINT16 option;
+ 	rc = find_boot_option(dp, full_device_path, fullpath, label, arguments, &option);
+@@ -443,35 +507,27 @@ err:
+ EFI_STATUS
+ populate_stanza(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 *csv)
+ {
+-#ifdef DEBUG_FALLBACK
+-	Print(L"CSV data: \"%s\"\n", csv);
+-#endif
+ 	CHAR16 *file = csv;
++	VerbosePrint(L"CSV data: \"%s\"\n", csv);
+ 
+ 	UINTN comma0 = StrCSpn(csv, L",");
+ 	if (comma0 == 0)
+ 		return EFI_INVALID_PARAMETER;
+ 	file[comma0] = L'\0';
+-#ifdef DEBUG_FALLBACK
+-	Print(L"filename: \"%s\"\n", file);
+-#endif
++	VerbosePrint(L"filename: \"%s\"\n", file);
+ 
+ 	CHAR16 *label = csv + comma0 + 1;
+ 	UINTN comma1 = StrCSpn(label, L",");
+ 	if (comma1 == 0)
+ 		return EFI_INVALID_PARAMETER;
+ 	label[comma1] = L'\0';
+-#ifdef DEBUG_FALLBACK
+-	Print(L"label: \"%s\"\n", label);
+-#endif
++	VerbosePrint(L"label: \"%s\"\n", label);
+ 
+ 	CHAR16 *arguments = csv + comma0 +1 + comma1 +1;
+ 	UINTN comma2 = StrCSpn(arguments, L",");
+ 	arguments[comma2] = L'\0';
+ 	/* This one is optional, so don't check if comma2 is 0 */
+-#ifdef DEBUG_FALLBACK
+-	Print(L"arguments: \"%s\"\n", arguments);
+-#endif
++	VerbosePrint(L"arguments: \"%s\"\n", arguments);
+ 
+ 	add_to_boot_list(fh, dirname, file, label, arguments);
+ 
+@@ -489,9 +545,7 @@ try_boot_csv(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename)
+ 	if (EFI_ERROR(rc))
+ 		return rc;
+ 
+-#ifdef DEBUG_FALLBACK
+-	Print(L"Found file \"%s\"\n", fullpath);
+-#endif
++	VerbosePrint(L"Found file \"%s\"\n", fullpath);
+ 
+ 	CHAR16 *buffer;
+ 	UINT64 bs;
+@@ -503,9 +557,7 @@ try_boot_csv(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename)
+ 	}
+ 	FreePool(fullpath);
+ 
+-#ifdef DEBUG_FALLBACK
+-	Print(L"File looks like:\n%s\n", buffer);
+-#endif
++	VerbosePrint(L"File looks like:\n%s\n", buffer);
+ 
+ 	CHAR16 *start = buffer;
+ 	/* The file may or may not start with the Unicode byte order marker.
+@@ -735,9 +787,7 @@ find_boot_options(EFI_HANDLE device)
+ 			buffer = NULL;
+ 			continue;
+ 		}
+-#ifdef DEBUG_FALLBACK
+-		Print(L"Found directory named \"%s\"\n", fi->FileName);
+-#endif
++		VerbosePrint(L"Found directory named \"%s\"\n", fi->FileName);
+ 
+ 		EFI_FILE_HANDLE fh3;
+ 		rc = uefi_call_wrapper(fh->Open, 5, fh2, &fh3, fi->FileName,
+@@ -810,7 +860,6 @@ try_start_first_option(EFI_HANDLE parent_image_handle)
+ 	return rc;
+ }
+ 
+-EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} };
+ extern EFI_STATUS
+ efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *systab);
+ 
+@@ -870,6 +919,12 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *systab)
+ 	try_start_first_option(image);
+ 
+ 	Print(L"Reset System\n");
++
++	if (get_fallback_verbose()) {
++		Print(L"Verbose enabled, sleeping for half a second\n");
++		uefi_call_wrapper(BS->Stall, 1, 500000);
++	}
++
+ 	uefi_call_wrapper(RT->ResetSystem, 4, EfiResetCold,
+ 			  EFI_SUCCESS, 0, NULL);
+ 
+-- 
+2.14.1
+

shim-fallback-workaround-masked-ami-variables.patch

@@ -1,8 +1,8 @@
-From 40eef4450fd4d5ec9ea666a02c276bbe073300d3 Mon Sep 17 00:00:00 2001
+From 38744a099187401f2f5e382c2ce8869e1e9b22a0 Mon Sep 17 00:00:00 2001
 From: Lans Zhang <jia.zhang@windriver.com>
 Date: Fri, 11 Aug 2017 13:42:20 +0800
-Subject: [PATCH 1/2] fallback: work around the issue of boot option creation
- with AMI BIOS
+Subject: [PATCH] fallback: work around the issue of boot option creation with
+ AMI BIOS
 
 AMI BIOS (e.g, Intel NUC5i3MYHE) may automatically hide and patch BootXXXX
 variables with ami_masked_device_path_guid.
@@ -42,15 +42,16 @@ We can get the valid device path if just skipping the masked device path and
 its next end path.
 
 Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
+(cherry picked from commit 0cc030c2f2fba53b74fb09466a07b8e6297a52d3)
 ---
  fallback.c | 114 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---
  1 file changed, 109 insertions(+), 5 deletions(-)
 
 diff --git a/fallback.c b/fallback.c
-index 0a7058b..7b58018 100644
+index 5602a88..8c0369f 100644
 --- a/fallback.c
 +++ b/fallback.c
-@@ -226,6 +226,105 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp,
+@@ -286,6 +286,105 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp,
  	return EFI_OUT_OF_RESOURCES;
  }
  
@@ -156,7 +157,7 @@ index 0a7058b..7b58018 100644
  EFI_STATUS
  find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp,
                   CHAR16 *filename, CHAR16 *label, CHAR16 *arguments,
-@@ -255,7 +354,8 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp,
+@@ -315,7 +414,8 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp,
  	EFI_GUID global = EFI_GLOBAL_VARIABLE;
  	EFI_STATUS rc;
  
@@ -166,7 +167,7 @@ index 0a7058b..7b58018 100644
  	if (!candidate) {
  		FreePool(data);
  		return EFI_OUT_OF_RESOURCES;
-@@ -267,17 +367,21 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp,
+@@ -327,17 +427,21 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp,
  		varname[6] = hexmap[(bootorder[i] & 0x00f0) >> 4];
  		varname[7] = hexmap[(bootorder[i] & 0x000f) >> 0];
  
@@ -193,35 +194,5 @@ index 0a7058b..7b58018 100644
  		/* at this point, we have duplicate data. */
  		if (!first_new_option) {
 -- 
-2.14.0
-
-
-From 5efee65f1cb7a04ea9434eedfc0d8a49b0305c83 Mon Sep 17 00:00:00 2001
-From: Gary Lin <glin@suse.com>
-Date: Wed, 23 Aug 2017 18:26:00 +0800
-Subject: [PATCH 2/2] fallback: Remove VerbosePrint()
-
-It's not available in shim 12.
-
-Signed-off-by: Gary Lin <glin@suse.com>
----
- fallback.c | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff --git a/fallback.c b/fallback.c
-index 7b58018..701a1c4 100644
---- a/fallback.c
-+++ b/fallback.c
-@@ -380,9 +380,6 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp,
- 		} else if (CompareMem(candidate, data, size))
- 			continue;
- 
--		VerbosePrint(L"Found boot entry \"%s\" with label \"%s\" "
--			     L"for file \"%s\"\n", varname, label, filename);
--
- 		/* at this point, we have duplicate data. */
- 		if (!first_new_option) {
- 			first_new_option = DuplicateDevicePath(fulldp);
--- 
-2.14.0
+2.14.1
 

shim.changes

@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Tue Aug 29 08:44:25 UTC 2017 - glin@suse.com
+
+- Add shim-add-fallback-verbose-print.patch to print the debug
+  messages in fallback.efi dynamically
+- Refresh shim-fallback-workaround-masked-ami-variables.patch
+- Add shim-more-tpm-measurement.patch to measure more components
+  and support TPM better
+
 -------------------------------------------------------------------
 Wed Aug 23 10:28:44 UTC 2017 - glin@suse.com
 

shim.spec

@@ -53,8 +53,12 @@ Patch3:         shim-fix-httpboot-crash.patch
 Patch4:         shim-fix-openssl-flags.patch
 # PATCH-FIX-UPSTREAM shim-fix-fallback-double-free.patch glin@suse.com -- Fix double free in fallback.c
 Patch5:         shim-fix-fallback-double-free.patch
+# PATCH-FIX-UPSTREAM shim-add-fallback-verbose-print.patch glin@suse.com -- Print debug messages dynamically
+Patch6:         shim-add-fallback-verbose-print.patch
 # PATCH-FIX-UPSTREAM shim-fallback-workaround-masked-ami-variables.patch glin@suse.com -- Work around the masked AMI variables
-Patch6:         shim-fallback-workaround-masked-ami-variables.patch
+Patch7:         shim-fallback-workaround-masked-ami-variables.patch
+# PATCH-FIX-UPSTREAM shim-more-tpm-measurement.patch glin@suse.com -- Measure more components for TPM
+Patch8:         shim-more-tpm-measurement.patch
 # PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch glin@suse.com -- Change the default debug file path
 Patch50:        shim-change-debug-file-path.patch
 # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
@@ -108,6 +112,8 @@ Authors:
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
+%patch8 -p1
 %patch50 -p1
 %if 0%{?is_opensuse} == 1
 %patch100 -p1