diff --git a/dbx-cert.tar.xz b/dbx-cert.tar.xz
index 3c8171f..b7d90f8 100644
--- a/dbx-cert.tar.xz
+++ b/dbx-cert.tar.xz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:c872989a35b85ff4a284871d95bae930f6372a31f3353e72890775bf151e5ff2
-size 7052
+oid sha256:ce6458fd78dfe56700ddfc82b6e72de3823735c449400c06379234eaa12e8f85
+size 8416
diff --git a/shim-15.4.tar.bz2 b/shim-15.4.tar.bz2
deleted file mode 100644
index c2d5860..0000000
--- a/shim-15.4.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8344473dd10569588b8238a4656b8fab226714eea9f5363f8c410aa8a5090297
-size 1260475
diff --git a/shim-15.6.tar.bz2 b/shim-15.6.tar.bz2
new file mode 100644
index 0000000..67dfd30
--- /dev/null
+++ b/shim-15.6.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:eab91644a3efe91a666399f5d8eb3eed0e04d04f79d4b6c0b278ef7747a239a5
+size 1343748
diff --git a/shim-bsc1184454-allocate-mok-config-table-BS.patch b/shim-bsc1184454-allocate-mok-config-table-BS.patch
deleted file mode 100644
index 1a92979..0000000
--- a/shim-bsc1184454-allocate-mok-config-table-BS.patch
+++ /dev/null
@@ -1,39 +0,0 @@ -From 33ca95024aa7e33218da5882d30b3ec690a11046 Mon Sep 17 00:00:00 2001 -From: Gary Lin -Date: Thu, 8 Apr 2021 16:23:03 +0800 -Subject: [PATCH] mok: allocate MOK config table as BootServicesData - -Linux kernel is picky when reserving the memory for x86 and it only -expects BootServicesData: - -https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/platform/efi/quirks.c?h=v5.11#n254 - -Otherwise, the following error would show during system boot: - -Apr 07 12:31:56.743925 localhost kernel: efi: Failed to lookup EFI memory descriptor for 0x000000003dcf8000 - -Although BootServicesData would be reclaimed after ExitBootService(), -linux kernel reserves MOK config table when it detects the existence of -the table, so it's fine to allocate the table as BootServicesData. - -Signed-off-by: Gary Lin ---- - mok.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/mok.c b/mok.c -index 5ad9072b..fc1ee04d 100644 ---- a/mok.c -+++ b/mok.c -@@ -1002,7 +1002,7 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) - npages = ALIGN_VALUE(config_sz, PAGE_SIZE) >> EFI_PAGE_SHIFT; - config_table = NULL; - efi_status = gBS->AllocatePages(AllocateAnyPages, -- EfiRuntimeServicesData, -+ EfiBootServicesData, - npages, - (EFI_PHYSICAL_ADDRESS *)&config_table); - if (EFI_ERROR(efi_status) || !config_table) { --- -2.29.2 - diff --git a/shim-bsc1185232-fix-config-table-copying.patch b/shim-bsc1185232-fix-config-table-copying.patch deleted file mode 100644 index 1da126c..0000000 --- a/shim-bsc1185232-fix-config-table-copying.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From 42c6148c7ebd026862ab96405e78191ff8ebf298 Mon Sep 17 00:00:00 2001 -From: Gary Lin -Date: Mon, 21 Jun 2021 16:38:02 +0800 -Subject: [PATCH] mok: skip the empty variables when copying the data to MOK - config table - -When calculating the size of the MOK config table, we skip the empty -variables. However, when copying the data, we copied the zeroed config -templates for those empty variables, and this could cause crash since we -may write more data than the allocated pages. This commit skips the -empty variables when copying the data so that the size of copied data -matches config_sz. - -Signed-off-by: Gary Lin ---- - mok.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - -diff --git a/mok.c b/mok.c -index beac0ff6..add21223 100644 ---- a/mok.c -+++ b/mok.c -@@ -1028,16 +1028,18 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) - for (i = 0; p && mok_state_variables[i].name != NULL; i++) { - struct mok_state_variable *v = &mok_state_variables[i]; - -- ZeroMem(&config_template, sizeof(config_template)); -- strncpy(config_template.name, (CHAR8 *)v->rtname8, 255); -- config_template.name[255] = '\0'; -+ if (v->data && v->data_size) { -+ ZeroMem(&config_template, sizeof(config_template)); -+ strncpy(config_template.name, (CHAR8 *)v->rtname8, 255); -+ config_template.name[255] = '\0'; - -- config_template.data_size = v->data_size; -+ config_template.data_size = v->data_size; - -- CopyMem(p, &config_template, sizeof(config_template)); -- p += sizeof(config_template); -- CopyMem(p, v->data, v->data_size); -- p += v->data_size; -+ CopyMem(p, &config_template, sizeof(config_template)); -+ p += sizeof(config_template); -+ CopyMem(p, v->data, v->data_size); -+ p += v->data_size; -+ } - } - if (p) { - ZeroMem(&config_template, sizeof(config_template)); --- -2.31.1 - 
diff --git a/shim-bsc1185232-relax-loadoptions-length-check.patch b/shim-bsc1185232-relax-loadoptions-length-check.patch deleted file mode 100644 index fa4bb6f..0000000 --- a/shim-bsc1185232-relax-loadoptions-length-check.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 795c62cb023886d39f1ee15977dc3194e01da57f Mon Sep 17 00:00:00 2001 -From: Gary Lin -Date: Fri, 4 Jun 2021 17:02:31 +0800 -Subject: [PATCH] shim: don't fail on the odd LoadOptions length - -Some firmware feeds the LoadOptions with an odd length when booting from -an USB device(*). We should only skip this kind of LoadOptions, not fail -it, or the user won't be able to boot the system from USB or CD-ROM. - -(*) https://bugzilla.suse.com/show_bug.cgi?id=1185232#c62 - -Signed-off-by: Gary Lin ---- - shim.c | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - -diff --git a/shim.c b/shim.c -index c5cfbb83..dd563cf6 100644 ---- a/shim.c -+++ b/shim.c -@@ -1411,9 +1411,16 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle) - return efi_status; - } - -- /* Sanity check since we make several assumptions about the length */ -+ /* Sanity check since we make several assumptions about the length -+ * Some firmware feeds the following load option when booting from -+ * an USB device: -+ * -+ * 0x46 0x4a 0x00 |FJ.| -+ * -+ * The string is meaningless for shim and so just ignore it. -+ * */ - if (li->LoadOptionsSize % 2 != 0) -- return EFI_INVALID_PARAMETER; -+ return EFI_SUCCESS; - - /* So, load options are a giant pain in the ass. If we're invoked - * from the EFI shell, we get something like this: --- -2.31.1 - diff --git a/shim-bsc1185261-relax-import_mok_state-check.patch b/shim-bsc1185261-relax-import_mok_state-check.patch deleted file mode 100644 index dc983ff..0000000 --- a/shim-bsc1185261-relax-import_mok_state-check.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From 3e33205b9c957624df7e30a2e5e2847f23d37989 Mon Sep 17 00:00:00 2001 -From: Gary Lin -Date: Tue, 11 May 2021 10:41:43 +0800 -Subject: [PATCH] Relax the check for import_mok_state() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -An openSUSE user reported(*) that shim 15.4 failed to boot the system -with the following message: - - "Could not create MokListXRT: Out of Resources" - -In the beginning, I thought it's caused by the growing size of -vendor-dbx. However, we found the following messages after set -SHIM_VERBOSE: - - max_var_sz:8000 remaining_sz:85EC max_storage_sz:9000 - SetVariable(“MokListXRT”, ... varsz=0x1404) = Out of Resources - -Even though the firmware claimed the remaining storage size is 0x85EC, -it still rejected MokListXRT with size 0x1404. It seems that the return -values from QueryVariableInfo() are not reliable. Since this firmware -didn't really support Secure Boot, the variable mirroring is not so -critical, so we can just accept the failure of import_mok_state() and -continue boot. - -(*) https://bugzilla.suse.com/show_bug.cgi?id=1185261 - -Signed-off-by: Gary Lin ---- - shim.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/shim.c b/shim.c -index c5cfbb83..d38ae2f0 100644 ---- a/shim.c -+++ b/shim.c -@@ -1973,10 +1973,13 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab) - * boot-services-only state variables are what we think they are. - */ - efi_status = import_mok_state(image_handle); -- if (!secure_mode() && efi_status == EFI_INVALID_PARAMETER) { -+ if (!secure_mode() && -+ (efi_status == EFI_INVALID_PARAMETER || -+ efi_status == EFI_OUT_OF_RESOURCES)) { - /* - * Make copy failures fatal only if secure_mode is enabled, or -- * the error was anything else than EFI_INVALID_PARAMETER. -+ * the error was anything else than EFI_INVALID_PARAMETER or -+ * EFI_OUT_OF_RESOURCES. 
- * There are non-secureboot firmware implementations that don't - * reserve enough EFI variable memory to fit the variable. - */ --- -2.31.1 - diff --git a/shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch b/shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch deleted file mode 100644 index 55c4e73..0000000 --- a/shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 822d07ad4f07ef66fe447a130e1027c88d02a394 Mon Sep 17 00:00:00 2001 -From: Adam Williamson -Date: Thu, 8 Apr 2021 22:39:02 -0700 -Subject: [PATCH] Fix handling of ignore_db and user_insecure_mode - -In 65be350308783a8ef537246c8ad0545b4e6ad069, import_mok_state() is split -up into a function that manages the whole mok state, and one that -handles the state machine for an individual state variable. -Unfortunately, the code that initializes the global ignore_db and -user_insecure_mode was copied from import_mok_state() into the new -import_one_mok_state() function, and thus re-initializes that state each -time it processes a MoK state variable, before even assessing if that -variable is set. As a result, we never honor either flag, and the -machine owner cannot disable trusting the system firmware's db/dbx -databases or disable validation altogether. - -This patch removes the extra re-initialization, allowing those variables -to be set properly. - -Signed-off-by: Adam Williamson ---- - mok.c | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/mok.c b/mok.c -index 5ad9072b..9e37d6ab 100644 ---- a/mok.c -+++ b/mok.c -@@ -888,9 +888,6 @@ EFI_STATUS import_one_mok_state(struct mok_state_variable *v, - EFI_STATUS ret = EFI_SUCCESS; - EFI_STATUS efi_status; - -- user_insecure_mode = 0; -- ignore_db = 0; -- - UINT32 attrs = 0; - BOOLEAN delete = FALSE; - --- -2.31.1 - diff --git a/shim-bsc1185621-relax-max-var-sz-check.patch b/shim-bsc1185621-relax-max-var-sz-check.patch deleted file mode 100644 index 2b3ad9f..0000000 
--- a/shim-bsc1185621-relax-max-var-sz-check.patch +++ /dev/null @@ -1,38 +0,0 @@ -commit 690ec2419a8c2c4246450e447629adc85f9a6f40 -Author: Gary Lin -Date: Wed May 5 11:25:07 2021 +0800 - - mok: relax the maximum variable size check - - Some UEFI environment such as u-boot doesn't implement - QueryVariableInfo(), so we couldn't rely on the function to estimate the - available space for RT variables. All we can do is to call SetVariable() - directly and check the return value of SetVariable(). - - Signed-off-by: Gary Lin - -diff --git a/mok.c b/mok.c -index 5ad9072b..1f9820e7 100644 ---- a/mok.c -+++ b/mok.c -@@ -351,13 +351,18 @@ mirror_mok_db(CHAR16 *name, CHAR8 *name8, EFI_GUID *guid, UINT32 attrs, - SIZE_T max_var_sz; - - efi_status = get_max_var_sz(attrs, &max_var_sz); -- if (EFI_ERROR(efi_status)) { -+ if (EFI_ERROR(efi_status) && efi_status != EFI_UNSUPPORTED) { - LogError(L"Could not get maximum variable size: %r", - efi_status); - return efi_status; - } - -- if (FullDataSize <= max_var_sz) { -+ /* Some UEFI environment such as u-boot doesn't implement -+ * QueryVariableInfo() and we will only get EFI_UNSUPPORTED when -+ * querying the available space. In this case, we just mirror -+ * the variable directly. */ -+ if (FullDataSize <= max_var_sz || efi_status == EFI_UNSUPPORTED) { -+ efi_status = EFI_SUCCESS; - if (only_first) - efi_status = SetVariable(name, guid, attrs, - FullDataSize, FullData); diff --git a/shim-bsc1187260-fix-efi-1.10-machines.patch b/shim-bsc1187260-fix-efi-1.10-machines.patch deleted file mode 100644 index c6f4d8c..0000000 --- a/shim-bsc1187260-fix-efi-1.10-machines.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From 493bd940e5c6e28e673034687de7adef9529efff Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Sat, 10 Apr 2021 16:05:23 -0400 -Subject: [PATCH] Don't call QueryVariableInfo() on EFI 1.10 machines - -The EFI 1.10 spec (and presumably earlier revisions as well) didn't have -RT->QueryVariableInfo(), and on Chris Murphy's MacBookPro8,2 , that -memory appears to be initialized randomly. - -This patch changes it to not call RT->QueryVariableInfo() if the -EFI_RUNTIME_SERVICES table's major revision is less than two, and -assumes our maximum variable size is 1024 in that case. - -Signed-off-by: Peter Jones ---- - mok.c | 23 ++++++++++++++++++----- - 1 file changed, 18 insertions(+), 5 deletions(-) - -diff --git a/mok.c b/mok.c -index 9b8fc2bc..beac0ff6 100644 ---- a/mok.c -+++ b/mok.c -@@ -261,6 +261,9 @@ static const uint8_t null_sha256[32] = { 0, }; - - typedef UINTN SIZE_T; - -+#define EFI_MAJOR_VERSION(tablep) ((UINT16)((((tablep)->Hdr.Revision) >> 16) & 0xfffful)) -+#define EFI_MINOR_VERSION(tablep) ((UINT16)(((tablep)->Hdr.Revision) & 0xfffful)) -+ - static EFI_STATUS - get_max_var_sz(UINT32 attrs, SIZE_T *max_var_szp) - { -@@ -270,11 +273,21 @@ get_max_var_sz(UINT32 attrs, SIZE_T *max_var_szp) - uint64_t max_var_sz = 0; - - *max_var_szp = 0; -- efi_status = gRT->QueryVariableInfo(attrs, &max_storage_sz, -- &remaining_sz, &max_var_sz); -- if (EFI_ERROR(efi_status)) { -- perror(L"Could not get variable storage info: %r\n", efi_status); -- return efi_status; -+ if (EFI_MAJOR_VERSION(gRT) < 2) { -+ dprint(L"EFI %d.%d; no RT->QueryVariableInfo(). 
Using 1024!\n", -+ EFI_MAJOR_VERSION(gRT), EFI_MINOR_VERSION(gRT)); -+ max_var_sz = remaining_sz = max_storage_sz = 1024; -+ efi_status = EFI_SUCCESS; -+ } else { -+ dprint(L"calling RT->QueryVariableInfo() at 0x%lx\n", -+ gRT->QueryVariableInfo); -+ efi_status = gRT->QueryVariableInfo(attrs, &max_storage_sz, -+ &remaining_sz, &max_var_sz); -+ if (EFI_ERROR(efi_status)) { -+ perror(L"Could not get variable storage info: %r\n", -+ efi_status); -+ return efi_status; -+ } - } - - /* --- -2.31.1 - diff --git a/shim-bsc1187696-avoid-deleting-rt-variables.patch b/shim-bsc1187696-avoid-deleting-rt-variables.patch deleted file mode 100644 index eef657b..0000000 --- a/shim-bsc1187696-avoid-deleting-rt-variables.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From 14f6e10b8272ce34d3c373e000c583e5345b526b Mon Sep 17 00:00:00 2001 -From: Gary Lin -Date: Wed, 30 Jun 2021 16:34:51 +0800 -Subject: [PATCH] mok: delete the existing RT variables only when - only_first=TRUE - -For the firmware without the variable writing issues, MOK variables are -mirrored when only_first=TRUE. However, LibDeleteVariable() was called -in maybe_mirror_one_mok_variable() when only_first=FALSE, and this -could delete MOK variables that were just mirrored in the first round. - -This bug was hidden since LibDeleteVariable() deletes BS+RT+NV variables -while we mirror MOK variables as BS+RT, and the firmware refused to -delete the mirrored MOK variable due to mismatching attributes. However, -some firmwares, such as VMWare, didn't enforce the attribute check and -just deleted the variables with matched name and GUID. In such system, -MokListRT was always removed before it reached OS. - -Fixes: https://github.com/rhboot/shim/issues/386 - -Signed-off-by: Gary Lin ---- - mok.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/mok.c b/mok.c -index beac0ff6..5ea39d54 100644 ---- a/mok.c -+++ b/mok.c -@@ -863,7 +863,7 @@ maybe_mirror_one_mok_variable(struct mok_state_variable *v, - BOOLEAN present = FALSE; - - if (v->rtname) { -- if (!only_first && (v->flags & MOK_MIRROR_DELETE_FIRST)) { -+ if (only_first && (v->flags & MOK_MIRROR_DELETE_FIRST)) { - dprint(L"deleting \"%s\"\n", v->rtname); - efi_status = LibDeleteVariable(v->rtname, v->guid); - dprint(L"LibDeleteVariable(\"%s\",...) => %r\n", v->rtname, efi_status); --- -2.31.1 - diff --git a/shim-bsc1198101-opensuse-cert-prompt.patch b/shim-bsc1198101-opensuse-cert-prompt.patch new file mode 100644 index 0000000..87389a3 --- /dev/null +++ b/shim-bsc1198101-opensuse-cert-prompt.patch 
@@ -0,0 +1,306 @@ +From 49355a83722494099caeb23b46637b2c94a6ab9e Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Tue, 18 Feb 2014 17:29:19 +0800 +Subject: [PATCH 1/3] Show the build-in certificate prompt + +This is an openSUSE-only patch. + +Pop up a window to ask if the user is willing to trust the built-in +openSUSE certificate. + +If yes, set openSUSE_Verify, a BootService variable, to 1, and shim +won't bother the user afterward. + +If no, continue the booting process without using the built-in +certificate to verify the EFI images, and the window will show up +again after reboot. + +The state will store in use_openSUSE_cert, a volatile RT variable. +--- + mok.c | 3 ++- + shim.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++- + shim.h | 1 + + 3 files changed, 71 insertions(+), 2 deletions(-) + +Index: shim-15.6~rc1+77144e5a/mok.c +=================================================================== +--- shim-15.6~rc1+77144e5a.orig/mok.c ++++ shim-15.6~rc1+77144e5a/mok.c +@@ -46,7 +46,8 @@ static EFI_STATUS check_mok_request(EFI_ + check_var(L"MokPW") || check_var(L"MokAuth") || + check_var(L"MokDel") || check_var(L"MokDB") || + check_var(L"MokXNew") || check_var(L"MokXDel") || +- check_var(L"MokXAuth") || check_var(L"MokListTrustedNew")) { ++ check_var(L"MokXAuth") || check_var(L"MokListTrustedNew") || ++ check_var(L"ClearVerify")) { + efi_status = start_image(image_handle, MOK_MANAGER); + + if (EFI_ERROR(efi_status)) { +@@ -62,7 +63,8 @@ static vendor_addend_category_t + categorize_authorized(struct mok_state_variable *v) + { + if (!(v->addend && v->addend_size && +- *v->addend && *v->addend_size)) { ++ *v->addend && *v->addend_size && ++ use_builtin_cert)) { + return VENDOR_ADDEND_NONE; + } + +Index: shim-15.6~rc1+77144e5a/shim.c +=================================================================== +--- shim-15.6~rc1+77144e5a.orig/shim.c ++++ shim-15.6~rc1+77144e5a/shim.c +@@ -496,6 +496,8 @@ verify_one_signature(WIN_CERTIFICATE_EFI + 
} + + efi_status = EFI_NOT_FOUND; ++ if (!use_builtin_cert) ++ return efi_status; + #if defined(ENABLE_SHIM_CERT) + /* + * Check against the shim build key +@@ -1572,6 +1574,69 @@ shim_fini(void) + console_fini(); + } + ++#define VENDOR_VERIFY L"openSUSE_Verify" ++ ++/* Show the built-in certificate prompt if necessary */ ++static int builtin_cert_prompt(void) ++{ ++ EFI_STATUS status; ++ UINT32 attributes; ++ UINTN len = sizeof(UINT8); ++ UINT8 data; ++ ++ use_builtin_cert = FALSE; ++ ++ if (vendor_cert_size == 0) ++ return 0; ++ ++ status = gRT->GetVariable(VENDOR_VERIFY, &SHIM_LOCK_GUID, ++ &attributes, &len, (void *)&data); ++ if (status != EFI_SUCCESS || ++ (attributes & EFI_VARIABLE_RUNTIME_ACCESS)) { ++ int choice; ++ ++ if (status != EFI_NOT_FOUND) ++ LibDeleteVariable(VENDOR_VERIFY, &SHIM_LOCK_GUID); ++ ++ CHAR16 *str[] = {L"Trust openSUSE Certificate", ++ L"", ++ L"Do you agree to use the built-in openSUSE certificate", ++ L"to verify boot loaders and kernels?", ++ NULL}; ++ choice = console_yes_no(str); ++ if (choice != 1) { ++ data = 0; ++ goto done; ++ } ++ ++ data = 1; ++ status = gRT->SetVariable(VENDOR_VERIFY, &SHIM_LOCK_GUID, ++ EFI_VARIABLE_NON_VOLATILE | ++ EFI_VARIABLE_BOOTSERVICE_ACCESS, ++ sizeof(UINT8), &data); ++ if (status != EFI_SUCCESS) { ++ console_error(L"Failed to set openSUSE_Verify", status); ++ return -1; ++ } ++ } ++ ++ use_builtin_cert = TRUE; ++ data = 1; ++ ++done: ++ /* Setup a runtime variable to show the current state */ ++ status = gRT->SetVariable(L"use_openSUSE_cert", &SHIM_LOCK_GUID, ++ EFI_VARIABLE_BOOTSERVICE_ACCESS | ++ EFI_VARIABLE_RUNTIME_ACCESS, ++ sizeof(UINT8), &data); ++ if (status != EFI_SUCCESS) { ++ console_error(L"Failed to set use_openSUSE_cert", status); ++ return -1; ++ } ++ ++ return 0; ++} ++ + extern EFI_STATUS + efi_main(EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab); + +@@ -1712,6 +1777,9 @@ efi_main (EFI_HANDLE passed_image_handle + */ + debug_hook(); + ++ if (secure_mode() && 
(builtin_cert_prompt() != 0)) ++ return EFI_ABORTED; ++ + efi_status = set_sbat_uefi_variable(); + if (EFI_ERROR(efi_status) && secure_mode()) { + perror(L"%s variable initialization failed\n", SBAT_VAR_NAME); +Index: shim-15.6~rc1+77144e5a/MokManager.c +=================================================================== +--- shim-15.6~rc1+77144e5a.orig/MokManager.c ++++ shim-15.6~rc1+77144e5a/MokManager.c +@@ -1864,6 +1864,36 @@ mokpw_done: + return EFI_SUCCESS; + } + ++static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) { ++ EFI_STATUS status; ++ ++ if (console_yes_no((CHAR16 *[]){L"Do you want to revoke openSUSE certificate?", NULL}) != 1) ++ return 0; ++ ++ if (ClearVerifySize == PASSWORD_CRYPT_SIZE) { ++ status = match_password((PASSWORD_CRYPT *)ClearVerify, NULL, 0, ++ NULL, NULL); ++ } else { ++ status = EFI_INVALID_PARAMETER; ++ } ++ if (status != EFI_SUCCESS) ++ return -1; ++ ++ status = gRT->SetVariable(L"openSUSE_Verify", &SHIM_LOCK_GUID, ++ EFI_VARIABLE_BOOTSERVICE_ACCESS | ++ EFI_VARIABLE_NON_VOLATILE, ++ 0, NULL); ++ if (status != EFI_SUCCESS) { ++ console_error(L"Failed to delete openSUSE_Verify", status); ++ return -1; ++ } ++ ++ console_notify(L"The system must now be rebooted"); ++ gRT->ResetSystem(EfiResetWarm, EFI_SUCCESS, 0, NULL); ++ console_notify(L"Failed to reboot"); ++ return -1; ++} ++ + static BOOLEAN verify_certificate(UINT8 * cert, UINTN size) + { + X509 *X509Cert; +@@ -2195,6 +2225,7 @@ typedef enum { + MOK_CHANGE_SB, + MOK_SET_PW, + MOK_CHANGE_DB, ++ MOK_CLEAR_VERIFY, + MOK_KEY_ENROLL, + MOK_HASH_ENROLL, + MOK_CHANGE_TML +@@ -2217,7 +2248,9 @@ static EFI_STATUS enter_mok_menu(EFI_HAN + void *MokDB, UINTN MokDBSize, + void *MokXNew, UINTN MokXNewSize, + void *MokXDel, UINTN MokXDelSize, +- void *MokTML, UINTN MokTMLSize) ++ void *MokTML, UINTN MokTMLSize, ++ void *ClearVerify, UINTN ClearVerifySize) ++ + { + CHAR16 **menu_strings = NULL; + mok_menu_item *menu_item = NULL; +@@ -2296,6 +2329,9 @@ static 
EFI_STATUS enter_mok_menu(EFI_HAN + if (MokTML) + menucount++; + ++ if (ClearVerify) ++ menucount++; ++ + menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * + (menucount + 1)); + if (!menu_strings) +@@ -2373,6 +2409,12 @@ static EFI_STATUS enter_mok_menu(EFI_HAN + i++; + } + ++ if (ClearVerify) { ++ menu_strings[i] = L"Revoke openSUSE certificate"; ++ menu_item[i] = MOK_CLEAR_VERIFY; ++ i++; ++ } ++ + menu_strings[i] = L"Enroll key from disk"; + menu_item[i] = MOK_KEY_ENROLL; + i++; +@@ -2477,6 +2519,9 @@ static EFI_STATUS enter_mok_menu(EFI_HAN + if (!EFI_ERROR(efi_status)) + MokDB = NULL; + break; ++ case MOK_CLEAR_VERIFY: ++ mok_clear_verify_prompt(ClearVerify, ClearVerifySize); ++ break; + case MOK_KEY_ENROLL: + efi_status = mok_key_enroll(); + break; +@@ -2519,6 +2564,7 @@ static EFI_STATUS check_mok_request(EFI_ + { + UINTN MokNewSize = 0, MokDelSize = 0, MokSBSize = 0, MokPWSize = 0; + UINTN MokDBSize = 0, MokXNewSize = 0, MokXDelSize = 0, MokTMLSize = 0; ++ UINTN ClearVerifySize = 0; + void *MokNew = NULL; + void *MokDel = NULL; + void *MokSB = NULL; +@@ -2527,6 +2573,7 @@ static EFI_STATUS check_mok_request(EFI_ + void *MokXNew = NULL; + void *MokXDel = NULL; + void *MokTML = NULL; ++ void *ClearVerify = NULL; + EFI_STATUS efi_status; + + efi_status = get_variable(L"MokNew", (UINT8 **) & MokNew, &MokNewSize, +@@ -2611,9 +2658,20 @@ static EFI_STATUS check_mok_request(EFI_ + console_error(L"Could not retrieve MokXDel", efi_status); + } + ++ efi_status = get_variable(L"ClearVerify", (UINT8 **)&ClearVerify, ++ &ClearVerifySize, SHIM_LOCK_GUID); ++ if (!EFI_ERROR(efi_status)) { ++ efi_status = LibDeleteVariable(L"ClearVerify", &SHIM_LOCK_GUID); ++ if (EFI_ERROR(efi_status)) ++ console_notify(L"Failed to delete ClearVerify"); ++ } else if (EFI_ERROR(efi_status) && efi_status != EFI_NOT_FOUND) { ++ console_error(L"Could not retrieve ClearVerify", efi_status); ++ } ++ + enter_mok_menu(image_handle, MokNew, MokNewSize, MokDel, MokDelSize, + MokSB, MokSBSize, 
MokPW, MokPWSize, MokDB, MokDBSize, +- MokXNew, MokXNewSize, MokXDel, MokXDelSize, MokTML, MokTMLSize); ++ MokXNew, MokXNewSize, MokXDel, MokXDelSize, MokTML, MokTMLSize, ++ ClearVerify, ClearVerifySize); + + if (MokNew) + FreePool(MokNew); +@@ -2639,6 +2697,9 @@ static EFI_STATUS check_mok_request(EFI_ + if (MokTML) + FreePool(MokTML); + ++ if (ClearVerify) ++ FreePool (ClearVerify); ++ + LibDeleteVariable(L"MokAuth", &SHIM_LOCK_GUID); + LibDeleteVariable(L"MokDelAuth", &SHIM_LOCK_GUID); + LibDeleteVariable(L"MokXAuth", &SHIM_LOCK_GUID); +Index: shim-15.6~rc1+77144e5a/globals.c +=================================================================== +--- shim-15.6~rc1+77144e5a.orig/globals.c ++++ shim-15.6~rc1+77144e5a/globals.c +@@ -25,6 +25,7 @@ UINT8 *build_cert; + */ + verification_method_t verification_method; + int loader_is_participating; ++BOOLEAN use_builtin_cert; + + UINT8 user_insecure_mode; + UINT8 ignore_db; +Index: shim-15.6~rc1+77144e5a/shim.h +=================================================================== +--- shim-15.6~rc1+77144e5a.orig/shim.h ++++ shim-15.6~rc1+77144e5a/shim.h +@@ -268,6 +268,7 @@ extern UINT8 mok_policy; + extern UINT8 in_protocol; + extern void *load_options; + extern UINT32 load_options_size; ++extern BOOLEAN use_builtin_cert; + + BOOLEAN secure_mode (void); + diff --git a/shim-fix-aa64-relsz.patch b/shim-fix-aa64-relsz.patch deleted file mode 100644 index 0d9c416..0000000 --- a/shim-fix-aa64-relsz.patch +++ /dev/null 
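Review bot: The early return added to verify_one_signature() in the nested shim.c hunk sits before the `#if defined(ENABLE_SHIM_CERT)` block, so declining the prompt appears to skip the shim build-key check as well as the vendor certificate, while the patch description only speaks of the openSUSE certificate; if only the vendor cert is meant to be gated, the guard `if (!use_builtin_cert) return efi_status;` belongs after the matching `#endif`, otherwise a comment stating that both keys are skipped would help. In builtin_cert_prompt(), a successful GetVariable() of openSUSE_Verify is taken as consent without inspecting the byte read into `data`, so any BS-only value, including 0, enables the cert; checking `data == 1` before setting use_builtin_cert would make the stored state meaningful. The return value of LibDeleteVariable() on a stale RT-accessible variable is also discarded, so a failed delete is only caught indirectly by the later SetVariable(). The remainder of verify_one_signature() lies outside the context quoted in the nested patch.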
@@ -1,132 +0,0 @@ -From 9828f65f3e9de29da7bc70cb71069cc1d7ca1b4a Mon Sep 17 00:00:00 2001 -From: Gary Lin -Date: Wed, 16 Jun 2021 16:13:32 +0800 -Subject: [PATCH] arm/aa64: fix the size of .rela* sections - -The previous commit(*) merged .rel* and .dyn* into .rodata, and this -made ld to generate the wrong size for .rela* sections that covered -other unrelated sections. When the EFI image was loaded, _relocate() -went through the unexpected data and may cause unexpected crash. -This commit moves .rel* and .dyn* out of .rodata in the ld script but -also moves the related variables, such as _evrodata, _rodata_size, -and _rodata_vsize, to the end of the new .dyn section, so that the -crafted pe-coff section header for .rodata still covers our new -.rela and .dyn sections. - -(*) 212ba30544f ("arm/aa64 targets: put .rel* and .dyn* in .rodata") - -Fix issue: https://github.com/rhboot/shim/issues/371 - -Signed-off-by: Gary Lin ---- - Makefile | 4 ++-- - elf_aarch64_efi.lds | 24 ++++++++++++++++-------- - elf_arm_efi.lds | 24 ++++++++++++++++-------- - 3 files changed, 34 insertions(+), 18 deletions(-) - -Index: shim-15.4/Makefile -=================================================================== ---- shim-15.4.orig/Makefile -+++ shim-15.4/Makefile -@@ -243,7 +243,7 @@ ifneq ($(OBJCOPY_GTE224),1) - endif - $(OBJCOPY) -D -j .text -j .sdata -j .data -j .data.ident \ - -j .dynamic -j .rodata -j .rel* \ -- -j .rela* -j .reloc -j .eh_frame \ -+ -j .rela* -j .dyn -j .reloc -j .eh_frame \ - -j .vendor_cert -j .sbat \ - $(FORMAT) $< $@ - # I am tired of wasting my time fighting binutils timestamp code. 
-@@ -260,7 +260,7 @@ ifneq ($(OBJCOPY_GTE224),1) - endif - $(OBJCOPY) -D -j .text -j .sdata -j .data \ - -j .dynamic -j .rodata -j .rel* \ -- -j .rela* -j .reloc -j .eh_frame -j .sbat \ -+ -j .rela* -j .dyn -j .reloc -j .eh_frame -j .sbat \ - -j .debug_info -j .debug_abbrev -j .debug_aranges \ - -j .debug_line -j .debug_str -j .debug_ranges \ - -j .note.gnu.build-id \ -Index: shim-15.4/elf_aarch64_efi.lds -=================================================================== ---- shim-15.4.orig/elf_aarch64_efi.lds -+++ shim-15.4/elf_aarch64_efi.lds -@@ -70,21 +70,29 @@ SECTIONS - .rodata : - { - _rodata = .; -- *(.rela.dyn) -- *(.rela.plt) -- *(.rela.got) -- *(.rela.data) -- *(.rela.data*) -- - *(.rodata*) - *(.srodata) -- *(.dynsym) -- *(.dynstr) - . = ALIGN(16); - *(.note.gnu.build-id) - . = ALIGN(4096); - *(.vendor_cert) - *(.data.ident) -+ . = ALIGN(4096); -+ } -+ . = ALIGN(4096); -+ .rela : -+ { -+ *(.rela.dyn) -+ *(.rela.plt) -+ *(.rela.got) -+ *(.rela.data) -+ *(.rela.data*) -+ } -+ . = ALIGN(4096); -+ .dyn : -+ { -+ *(.dynsym) -+ *(.dynstr) - _evrodata = .; - . = ALIGN(4096); - } -Index: shim-15.4/elf_arm_efi.lds -=================================================================== ---- shim-15.4.orig/elf_arm_efi.lds -+++ shim-15.4/elf_arm_efi.lds -@@ -70,21 +70,29 @@ SECTIONS - .rodata : - { - _rodata = .; -- *(.rel.dyn) -- *(.rel.plt) -- *(.rel.got) -- *(.rel.data) -- *(.rel.data*) -- - *(.rodata*) - *(.srodata) -- *(.dynsym) -- *(.dynstr) - . = ALIGN(16); - *(.note.gnu.build-id) - . = ALIGN(4096); - *(.vendor_cert) - *(.data.ident) -+ . = ALIGN(4096); -+ } -+ . = ALIGN(4096); -+ .rela : -+ { -+ *(.rela.dyn) -+ *(.rela.plt) -+ *(.rela.got) -+ *(.rela.data) -+ *(.rela.data*) -+ } -+ . = ALIGN(4096); -+ .dyn : -+ { -+ *(.dynsym) -+ *(.dynstr) - _evrodata = .; - . = ALIGN(4096); - } diff --git a/shim.changes b/shim.changes index 2f090d7..8f99f04 100644 --- a/shim.changes +++ b/shim.changes 
@@ -1,3 +1,159 @@
+-------------------------------------------------------------------
+Tue Jun 28 04:03:45 UTC 2022 - Joey Lee
+
+- Update to 15.6 (bsc#1198458)
+ - shim-15.6.tar.bz2 is downloaded from bsc#1198458#c76
+ which is from upstream grub2.cve_2021_3695.ms keybase channel.
+ - For building 15.6~rc1 aarch64 image (d6eb9c6 Modernize aarch64), objcopy needs to
+ support efi-app-aarch64 target. So we need the following patches in bintuils:
+ - binutils-AArch64-Add-support-for-AArch64-EFI-efi-aarch64.patch
+ b69c9d41e8 AArch64: Add support for AArch64 EFI (efi-*-aarch64).
+ - binutils-Re-AArch64-Add-support-for-AArch64-EFI-efi-aarch64.patch
+ 32384aa396 Re: AArch64: Add support for AArch64 EFI (efi-*-aarch64)
+ - binutils-Re-Add-support-for-AArch64-EFI-efi-aarch64.patch
+ d91c67e873 Re: Add support for AArch64 EFI (efi-*-aarch64)
+ - Patches (git log --oneline --reverse 15.5~..77144e5a4)
+ 448f096 MokManager: removed Locate graphic output protocol fail error message (bsc#1193315, bsc#1198458)
+ a2da05f shim: implement SBAT verification for the shim_lock protocol
+ bda03b8 post-process-pe: Fix a missing return code check
+ af18810 CI: don't cancel testing when one fails
+ ba580f9 CI: remove EOL Fedoras from github actions
+ bfeb4b3 Remove aarch64 build tests before f35
+ 38cc646 CI: Add f36 and centos9 CI build tests.
+ b5185cb post-process-pe: Fix format string warnings on 32-bit platforms
+ 31094e5 tests: also look for system headers in multi-arch directories
+ 4df989a mock-variables.c: fix gcc warning
+ 6aac595 test-str.c: fix gcc warnings with FORTIFY_SOURCE enabled
+ 2670c6a Allow MokListTrusted to be enabled by default
+ 5c44aaf Add code of conduct
+ d6eb9c6 Modernize aarch64
+ 9af50c1 Use ASCII as fallback if Unicode Box Drawing characters fail
+ de87985 make: don't treat cert.S specially
+ 803dc5c shim: use SHIM_DEVEL_VERBOSE when built in devel mode
+ 6402f1f SBAT matching: Break out of the inner sbat loop if we find the entry.
+ bb4b60e Add verify_image
+ acfd48f Abstract out image reading
+ 35d7378 Load additional certs from a signed binary
+ 8ce2832 post-process-pe: there is no 's' argument.
+ 465663e Add some missing PE image flag definitions
+ 226fee2 PE Loader: support and require NX
+ df96f48 Add MokPolicy variable and MOK_POLICY_REQUIRE_NX
+ b104fc4 post-process-pe: set EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT
+ f81a7cc SBAT revocation management
+ abe41ab make: unbreak scan-build again for gnu-efi
+ 610a1ac sbat.h: minor reformatting for legibility
+ f28833f peimage.h: make our signature macros force the type
+ 5d789ca Always initialize data/datasize before calling read_image()
+ a50d364 sbat policy: make our policy change actions symbolic
+ 5868789 load_certs: trust dir->Read() slightly less.
+ a78673b mok.c: fix a trivial dead assignment
+ 759f061 Fix preserve_sbat_uefi_variable() logic
+ aa61fdf Give the Coverity scanner some more GCC blinders...
+ 0214cd9 load_cert_file(): don't defererence NULL
+ 1eca363 mok import: handle OOM case
+ 75449bc sbat: Make nth_sbat_field() honor the size limit
+ c0bcd04 shim-15.6~rc1
+ 77144e5 SBAT Policy latest should be a one-shot
+ - 15.5 release note https://github.com/rhboot/shim/releases
+ Broken ia32 relocs and an unimportant submodule change. by @vathpela in #357
+ mok: allocate MOK config table as BootServicesData by @lcp in #361
+ Don't call QueryVariableInfo() on EFI 1.10 machines by @vathpela in #364
+ Relax the check for import_mok_state() by @lcp in #372
+ SBAT.md: trivial changes by @hallyn in #389
+ shim: another attempt to fix load options handling by @chrisccoulson in #379
+ Add tests for our load options parsing.
by @vathpela in #390
+ arm/aa64: fix the size of .rela* sections by @lcp in #383
+ mok: fix potential buffer overrun in import_mok_state by @jyong2 in #365
+ mok: relax the maximum variable size check by @lcp in #369
+ Don't unhook ExitBootServices when EBS protection is disabled by @sforshee in #378
+ fallback: find_boot_option() needs to return the index for the boot entry in optnum by @jsetje in #396
+ httpboot: Ignore case when checking HTTP headers by @frozencemetery in #403
+ Fallback allocation errors by @vathpela in #402
+ shim: avoid BOOTx64.EFI in message on other architectures by @xypron in #406
+ str: remove duplicate parameter check by @xypron in #408
+ fallback: add compile option FALLBACK_NONINTERACTIVE by @xnox in #359
+ Test mok mirror by @vathpela in #394
+ Modify sbat.md to help with readability. by @eshiman in #398
+ csv: detect end of csv file correctly by @xypron in #404
+ Specify that the .sbat section is ASCII not UTF-8 by @daxtens in #413
+ tests: add "include-fixed" GCC directory to include directories by @diabonas in #415
+ pe: simplify generate_hash() by @xypron in #411
+ Don't make shim abort when TPM log event fails (RHBZ #2002265) by @rmetrich in #414
+ Fallback to default loader if parsed one does not exist by @julian-klode in #393
+ fallback: Fix for BootOrder crash when index returned by find_boot_option() is not in current BootOrder list by @rmetrich in #422
+ Better console checks by @vathpela in #416
+ docs: update SBAT UEFI variable name by @nicholasbishop in #421
+ Don't parse load options if invoked from removable media path by @julian-klode in #399
+ fallback: fix fallback not passing arguments of the first boot option by @martinezjavier in #433
+ shim: Don't stop forever at "Secure Boot not enabled" notification by @rmetrich in #438
+ Shim 15.5 coverity by @vathpela in #439
+ Allocate mokvar table in runtime memory.
by @vathpela in #447
+ Remove post-process-pe on 'make clean' by @vathpela in #448
+ pe: missing perror argument by @xypron in #443
+ - Drop upstreamed patch:
+ - shim-bsc1184454-allocate-mok-config-table-BS.patch
+ - Allocate MOK config table as BootServicesData to avoid the error message
+ from linux kernel
+ - 4068fd42c8 15.5-rc1~70
+ - shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch
+ - Handle ignore_db and user_insecure_mode correctly
+ - 822d07ad4f07 15.5-rc1~73
+ - shim-bsc1185621-relax-max-var-sz-check.patch
+ - Relax the maximum variable size check for u-boot
+ - 3f327f546c219634b2 15.5-rc1~49
+ - shim-bsc1185261-relax-import_mok_state-check.patch
+ - Relax the check for import_mok_state() when Secure Boot is off
+ - 9f973e4e95b113 15.5-rc1~67
+ - shim-bsc1185232-relax-loadoptions-length-check.patch
+ - Relax the check for the LoadOptions length
+ - ada7ff69bd8a95 15.5-rc1~52
+ - shim-fix-aa64-relsz.patch
+ - Fix the size of rela* sections for AArch64
+ - 34e3ef205c5d65 15.5-rc1~51
+ - shim-bsc1187260-fix-efi-1.10-machines.patch
+ - Don't call QueryVariableInfo() on EFI 1.10 machines
+ - 493bd940e5 15.5-rc1~69
+ - shim-bsc1185232-fix-config-table-copying.patch
+ - Avoid buffer overflow when copying the MOK config table
+ - 7501b6bb44 15.5-rc1~50
+ - shim-bsc1187696-avoid-deleting-rt-variables.patch
+ - Avoid deleting the mirrored RT variables
+ - b1fead0f7c9 15.5-rc1~37
+ - Add "rm -f *.o" after building MokManager/fallback in shim.spec
+ to make sure all object files gets rebuilt
+ - reference: https://github.com/rhboot/shim/pull/461
+- The following fix-CVE-2022-28737-v6 patches against bsc#1198458 are included
+ in shim-15.6.tar.bz2
+ - shim-bsc1198458-pe-Fix-a-buffer-overflow-when-SizeOfRawData-VirtualS.patch
+ pe: Fix a buffer overflow when SizeOfRawData VirtualSize
+ - shim-bsc1198458-pe-Perform-image-verification-earlier-when-loading-g.patch
+ pe: Perform image verification earlier when loading grub
+ -
shim-bsc1198458-Update-advertised-sbat-generation-number-for-shim.patch
+ Update advertised sbat generation number for shim
+ - shim-bsc1198458-Update-SBAT-generation-requirements-for-05-24-22.patch
+ Update SBAT generation requirements for 05/24/22
+ - shim-bsc1198458-Also-avoid-CVE-2022-28737-in-verify_image.patch
+ Also avoid CVE-2022-28737 in verify_image()
+ - 0006-shim-15.6-rc2.patch
+ - 0007-sbat-add-the-parsed-SBAT-variable-entries-to-the-deb.patch
+ sbat: add the parsed SBAT variable entries to the debug log
+ - 0008-bump-version-to-shim-15.6.patch
+- Add mokutil command to post script for setting sbat policy to latest mode
+ when the SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23 is not created.
+ (bsc#1198458)
+- Add shim-bsc1198101-opensuse-cert-prompt.patch back to openSUSE shim to
+ show the prompt to ask whether the user trusts openSUSE certificate or not
+ (bsc#1198101)
+- Updated vendor dbx binary and script (bsc#1198458)
+ - Updated dbx-cert.tar.xz and vendor-dbx-sles.bin for adding
+ SLES-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list.
+ - Updated dbx-cert.tar.xz and vendor-dbx-opensuse.bin for adding
+ openSUSE-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list.
+ - Updated vendor-dbx.bin for adding SLES-UEFI-SIGN-Certificate-2021-05.crt
+ and openSUSE-UEFI-SIGN-Certificate-2021-05.crt for testing environment.
+ - Updated generate-vendor-dbx.sh script for generating a vendor-dbx.bin
+ file which includes all .der for testing environment.
+ -------------------------------------------------------------------
 Thu Jul 1 04:07:03 UTC 2021 - Gary Ching-Pang Lin
diff --git a/shim.spec b/shim.spec
index f289b61..9d33f3d 100644
--- a/shim.spec
+++ b/shim.spec
@@ -36,7 +36,7 @@
 %endif
 Name: shim
-Version: 15.4
+Version: 15.6
 Release: 0
 Summary: UEFI shim loader
 License: BSD-2-Clause
@@ -75,26 +75,10 @@ Patch3: shim-bsc1177315-verify-eku-codesign.patch
 Patch4: shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch
 # PATCH-FIX-SUSE remove_build_id.patch -- Remove the build ID to make the binary reproducible when building with AArch64 container
 Patch5: remove_build_id.patch
-# PATCH-FIX-UPSTREAM shim-bsc1184454-allocate-mok-config-table-BS.patch bsc#1184454 glin@suse.com -- Allocate MOK config table as BootServicesData to avoid the error message from linux kernel
-Patch6: shim-bsc1184454-allocate-mok-config-table-BS.patch
-# PATCH-FIX-UPSTREAM shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch bsc#1184454 glin@suse.com -- Handle ignore_db and user_insecure_mode correctly
-Patch7: shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch
-# PATCH-FIX-UPSTREAM shim-bsc1185621-relax-max-var-sz-check.patch bsc#1185621 glin@suse.com -- Relax the maximum variable size check for u-boot
-Patch8: shim-bsc1185621-relax-max-var-sz-check.patch
-# PATCH-FIX-UPSTREAM shim-bsc1185261-relax-import_mok_state_check.patch bsc#1185261 glin@suse.com -- Relax the check for import_mok_state() when Secure Boot is off
-Patch9: shim-bsc1185261-relax-import_mok_state-check.patch
-# PATCH-FIX-UPSTREAM shim-bsc1185232-relax-loadoptions-length-check.patch bsc#1185232 glin@suse.com -- Relax the check for the LoadOptions length
-Patch10: shim-bsc1185232-relax-loadoptions-length-check.patch
-# PATCH-FIX-UPSTREAM shim-fix-aa64-relsz.patch glin@suse.com -- Fix the size of rela* sections for AArch64
-Patch11: shim-fix-aa64-relsz.patch
 # PATCH-FIX-SUSE shim-disable-export-vendor-dbx.patch bsc#1185261 glin@suse.com -- Disable exporting vendor-dbx to MokListXRT
-Patch12: shim-disable-export-vendor-dbx.patch
-# PATCH-FIX-UPSTREAM shim-bsc1187260-fix-efi-1.10-machines.patch bsc#1187260 glin@suse.com -- Don't call QueryVariableInfo() on EFI 1.10 machines
-Patch13: shim-bsc1187260-fix-efi-1.10-machines.patch
-# PATCH-FIX-UPSTREAM
shim-bsc1185232-fix-config-table-copying.patch bsc#1185232 glin@suse.com -- Avoid buffer overflow when copying the MOK config table
-Patch14: shim-bsc1185232-fix-config-table-copying.patch
-# PATCH-FIX-UPSTREAM shim-bsc1187696-avoid-deleting-rt-variables.patch bsc#1187696 glin@suse.com -- Avoid deleting the mirrored RT variables
-Patch15: shim-bsc1187696-avoid-deleting-rt-variables.patch
+Patch6: shim-disable-export-vendor-dbx.patch
+# PATCH-FIX-OPENSUSE shim-bsc1198101-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
+Patch100: shim-bsc1198101-opensuse-cert-prompt.patch
 BuildRequires: dos2unix
 BuildRequires: mozilla-nss-tools
 BuildRequires: openssl >= 0.9.8
@@ -111,6 +95,7 @@ Requires: perl-Bootloader
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 # For shim-install script
 Requires: grub2-%{grubplatform}
+Requires: mokutil
 ExclusiveArch: x86_64 aarch64
 %description
@@ -139,15 +124,7 @@ The source code of UEFI shim loader
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
-%patch15 -p1
+%patch100 -p1
 %build
 # generate the vendor SBAT metadata
@@ -168,6 +145,8 @@ make RELEASE=0 \
 MMSTEM=MokManager FBSTEM=fallback \
 MokManager.efi.debug fallback.efi.debug \
 MokManager.efi fallback.efi
+# make sure all object files gets rebuilt
+rm -f *.o
 # now build variants of shim that embed different certificates
 default=''
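Review bot: The comment on the new `rm -f *.o` line should read `# make sure all object files get rebuilt`, and it would help to state why: the MokManager/fallback build just above and the per-certificate shim builds that follow apparently share object files in the source directory, so stale ones would otherwise be reused (inferred from the surrounding comments and the changelog entry; confirm against the Makefile). `rm -f *.o` only clears objects in the top-level directory; whether objects also land in subdirectories cannot be verified from this hunk, so a dedicated clean target would be the more robust choice if they do.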
@@ -318,6 +297,22 @@ cp -r source/* %{buildroot}/usr/src/debug/%{name}-%{version}
 /sbin/update-bootloader --reinit || true
 %endif
+# copy from kernel-scriptlets/cert-script
+is_efi () {
+ local msg rc=0
+# The below statement fails if mokutil isn't installed or UEFI is unsupported.
+# It doesn't fail if UEFI is available but secure boot is off.
+ msg="$(mokutil --sb-state 2>&1)" || rc=$?
+ return $rc
+}
+# run mokutil for setting sbat policy to latest mode
+SBAT_POLICY=/sys/firmware/efi/efivars/SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23
+if is_efi; then
+ if [ ! -f "$SBAT_POLICY" ]; then
+ mokutil --set-sbat-policy latest
+ fi
+fi
+
 %if %{defined update_bootloader_posttrans}
 %posttrans %{?update_bootloader_posttrans}
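Review bot: `mokutil --set-sbat-policy latest` is the last command in the nested `if`, so when it fails its non-zero status becomes the scriptlet's exit status, unlike `/sbin/update-bootloader --reinit || true` two lines above, which deliberately swallows failure; `mokutil --set-sbat-policy latest || true` (or an explicit warning on failure) keeps a firmware-side error from turning into a failed package scriptlet. In `is_efi`, `msg` is assigned but never read, so `mokutil --sb-state >/dev/null 2>&1 || rc=$?` expresses the probe-only intent without the unused local. A comment above `SBAT_POLICY=` explaining why the policy is only set when the efivar does not yet exist (presumably to avoid overriding a policy an administrator already chose — worth confirming) would help whoever revisits this, since the changelog only says the variable is set "when ... not created".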