pool/shim
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 258747 from home:gary_lin:branches:devel:openSUSE:Factory

Browse Source 
- Update to 0.8
- adapt the change in gnu-efi-3.0w
- Enable aarch64

OBS-URL: https://build.opensuse.org/request/show/258747
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=90
This commit is contained in:
Gary Ching-Pang Lin 2014-10-29 08:02:58 +00:00 committed by Git OBS Bridge
parent 0876ada789
commit 7b2b297a5c
13 changed files with 1617 additions and 5483 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
bug-889332_shim-mok-oob.patch
View File

@ -1,69 +0,0 @@
Index: shim-0.7.318.81ee561d/MokManager.c
===================================================================
--- shim-0.7.318.81ee561d.orig/MokManager.c
+++ shim-0.7.318.81ee561d/MokManager.c
@@ -163,8 +163,18 @@ static UINT32 count_keys(void *Data, UIN
EFI_SIGNATURE_LIST *CertList = Data;
UINTN dbsize = DataSize;
UINT32 MokNum = 0;
+ void *end = Data + DataSize;
while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
+
+ /* Use ptr arithmetics to ensure bounded access. Do not allow 0
+ * SignatureListSize that will cause endless loop.
+ */
+ if ((void *)(CertList + 1) > end || CertList->SignatureListSize == 0) {
+ console_notify(L"Invalid MOK detected! Ignoring MOK List.");
+ return 0;
+ }
+
if (CertList->SignatureListSize == 0 ||
CertList->SignatureListSize <= CertList->SignatureSize) {
console_errorbox(L"Corrupted signature list");
@@ -192,6 +202,7 @@ static MokListNode *build_mok_list(UINT3
EFI_GUID CertType = X509_GUID;
UINTN dbsize = DataSize;
UINTN count = 0;
+ void *end = Data + DataSize;
list = AllocatePool(sizeof(MokListNode) * num);
@@ -201,12 +212,24 @@ static MokListNode *build_mok_list(UINT3
}
while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
+ /* CertList out of bounds? */
+ if ((void *)(CertList + 1) > end || CertList->SignatureListSize == 0) {
+ FreePool(list);
+ return NULL;
+ }
+
/* Omit the signature check here since we already did it
in count_keys() */
Cert = (EFI_SIGNATURE_DATA *) (((UINT8 *) CertList) +
sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
+ /* Cert out of bounds? */
+ if ((void *)(Cert + 1) > end || CertList->SignatureSize <= sizeof(EFI_GUID)) {
+ FreePool(list);
+ return NULL;
+ }
+
list[count].Type = CertList->SignatureType;
if (CompareGuid (&CertList->SignatureType, &CertType) == 0) {
list[count].MokSize = CertList->SignatureSize -
@@ -218,6 +241,12 @@ static MokListNode *build_mok_list(UINT3
list[count].Mok = (void *)Cert;
}
+ /* MOK out of bounds? */
+ if (list[count].MokSize > end - (void *)list[count].Mok) {
+ FreePool(list);
+ return NULL;
+ }
+
count++;
dbsize -= CertList->SignatureListSize;
CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList +

161
bug-889332_shim-overflow.patch
View File

@ -1,161 +0,0 @@
diff --git a/netboot.c b/netboot.c
index 5ef53f7..f01a9bc 100644
--- a/netboot.c
+++ b/netboot.c
@@ -116,29 +116,34 @@ BOOLEAN findNetboot(EFI_HANDLE device)
static CHAR8 *get_v6_bootfile_url(EFI_PXE_BASE_CODE_DHCPV6_PACKET *pkt)
{
- void *optr;
- EFI_DHCP6_PACKET_OPTION *option;
- CHAR8 *url;
- UINT32 urllen;
+ void *optr = NULL, *end = NULL;
+ EFI_DHCP6_PACKET_OPTION *option = NULL;
+ CHAR8 *url = NULL;
+ UINT32 urllen = 0;
optr = pkt->DhcpOptions;
+ end = optr + sizeof(pkt->DhcpOptions);
- for(;;) {
+ for (;;) {
option = (EFI_DHCP6_PACKET_OPTION *)optr;
if (ntohs(option->OpCode) == 0)
- return NULL;
+ break;
if (ntohs(option->OpCode) == 59) {
/* This is the bootfile url option */
urllen = ntohs(option->Length);
- url = AllocateZeroPool(urllen+1);
+ if ((void *)(option->Data + urllen) > end)
+ break;
+ url = AllocateZeroPool(urllen + 1);
if (!url)
- return NULL;
+ break;
memcpy(url, option->Data, urllen);
return url;
}
optr += 4 + ntohs(option->Length);
+ if (optr + sizeof(EFI_DHCP6_PACKET_OPTION) > end)
+ break;
}
return NULL;
@@ -164,45 +169,60 @@ static CHAR16 str2ns(CHAR8 *str)
static CHAR8 *str2ip6(CHAR8 *str)
{
- UINT8 i, j, p;
- size_t len;
- CHAR8 *a, *b, t;
- static UINT16 ip[8];
+ UINT8 i = 0, j = 0, p = 0;
+ size_t len = 0, dotcount = 0;
+ enum { MAX_IP6_DOTS = 7 };
+ CHAR8 *a = NULL, *b = NULL, t = 0;
+ static UINT16 ip[8];
- for(i=0; i < 8; i++) {
- ip[i] = 0;
- }
- len = strlen(str);
- a = b = str;
- for(i=p=0; i < len; i++, b++) {
- if (*b != ':')
- continue;
- *b = '\0';
- ip[p++] = str2ns(a);
- *b = ':';
- a = b + 1;
- if ( *(b+1) == ':' )
- break;
- }
- a = b = (str + len);
- for(j=len, p=7; j > i; j--, a--) {
- if (*a != ':')
- continue;
- t = *b;
- *b = '\0';
- ip[p--] = str2ns(a+1);
- *b = t;
- b = a;
- }
- return (CHAR8 *)ip;
+ memset(ip, 0, sizeof(ip));
+
+ /* Count amount of ':' to prevent overflows.
+ * max. count = 7. Returns an invalid ip6 that
+ * can be checked against
+ */
+ for (a = str; *a != 0; ++a) {
+ if (*a == ':')
+ ++dotcount;
+ }
+ if (dotcount > MAX_IP6_DOTS)
+ return (CHAR8 *)ip;
+
+ len = strlen(str);
+ a = b = str;
+ for (i = p = 0; i < len; i++, b++) {
+ if (*b != ':')
+ continue;
+ *b = '\0';
+ ip[p++] = str2ns(a);
+ *b = ':';
+ a = b + 1;
+ if (b[1] == ':' )
+ break;
+ }
+ a = b = (str + len);
+ for (j = len, p = 7; j > i; j--, a--) {
+ if (*a != ':')
+ continue;
+ t = *b;
+ *b = '\0';
+ ip[p--] = str2ns(a+1);
+ *b = t;
+ b = a;
+ }
+ return (CHAR8 *)ip;
}
static BOOLEAN extract_tftp_info(CHAR8 *url)
{
CHAR8 *start, *end;
CHAR8 ip6str[40];
+ CHAR8 ip6inv[16];
CHAR8 *template = (CHAR8 *)translate_slashes(DEFAULT_LOADER_CHAR);
+ // to check against str2ip6() errors
+ memset(ip6inv, 0, sizeof(ip6inv));
+
if (strncmp((UINT8 *)url, (UINT8 *)"tftp://", 7)) {
Print(L"URLS MUST START WITH tftp://\n");
return FALSE;
@@ -217,7 +237,7 @@ static BOOLEAN extract_tftp_info(CHAR8 *url)
end = start;
while ((*end != '\0') && (*end != ']')) {
end++;
- if (end - start > 39) {
+ if (end - start >= (int)sizeof(ip6str)) {
Print(L"TFTP URL includes malformed IPv6 address\n");
return FALSE;
}
@@ -226,10 +246,12 @@ static BOOLEAN extract_tftp_info(CHAR8 *url)
Print(L"TFTP SERVER MUST BE ENCLOSED IN [..]\n");
return FALSE;
}
- memset(ip6str, 0, 40);
+ memset(ip6str, 0, sizeof(ip6str));
memcpy(ip6str, start, end - start);
end++;
memcpy(&tftp_addr.v6, str2ip6(ip6str), 16);
+ if (memcmp(&tftp_addr.v6, ip6inv, sizeof(ip6inv)) == 0)
+ return FALSE;
full_path = AllocateZeroPool(strlen(end)+strlen(template)+1);
if (!full_path)
return FALSE;

3
shim-0.7.318.81ee561d.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:161cdfa33c1221b9d86241d7b9803240c91d939251a5d6b5c8d8626b8d93cf7f
size 1012687

3
shim-0.8.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:4cea304dc6f6e5c429f602c42a4dda7b9c64f448a346bae78fb2c6c19c0cd0b3
size 991166

60
shim-bnc863205-mokmanager-fix-hash-delete.patch
View File

@ -1,60 +0,0 @@
From 23cdee7b62fc62cd988d74b2180014595da9e4c5 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 13 Feb 2014 15:05:45 +0800
Subject: [PATCH 1/2] MokManager: calculate the variable size correctly
MokSize of the hash signature list includes the owner GUID,
so we should not add the 16bytes compensation.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
MokManager.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
Index: shim-0.7/MokManager.c
===================================================================
--- shim-0.7.orig/MokManager.c
+++ shim-0.7/MokManager.c
@@ -940,7 +940,9 @@ static EFI_STATUS write_back_mok_list (M
if (list[i].Mok == NULL)
continue;
- DataSize += sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID);
+ DataSize += sizeof(EFI_SIGNATURE_LIST);
+ if (CompareGuid(&(list[i].Type), &CertType) == 0)
+ DataSize += sizeof(EFI_GUID);
DataSize += list[i].MokSize;
}
@@ -1046,6 +1048,7 @@ static void delete_hash_in_list (UINT8 *
{
EFI_GUID HashType = EFI_CERT_SHA256_GUID;
UINT32 sig_size;
+ UINT32 list_num;
int i, del_ind;
void *start, *end;
UINT32 remain;
@@ -1057,8 +1060,10 @@ static void delete_hash_in_list (UINT8 *
(mok[i].MokSize < sig_size))
continue;
+ list_num = mok[i].MokSize / sig_size;
+
del_ind = match_hash(hash, hash_size, 0, mok[i].Mok,
- mok[i].MokSize);
+ list_num);
while (del_ind >= 0) {
/* Remove the hash */
if (sig_size == mok[i].MokSize) {
@@ -1073,9 +1078,10 @@ static void delete_hash_in_list (UINT8 *
mem_move(start, end, remain);
mok[i].MokSize -= sig_size;
+ list_num--;
del_ind = match_hash(hash, hash_size, del_ind,
- mok[i].Mok, mok[i].MokSize);
+ mok[i].Mok, list_num);
}
}
}

85
shim-fix-gnu-efi-30w.patch Normal file
View File

@ -0,0 +1,85 @@
From d4e4bf4e1e03eb5685474d240929d3e3b50581f8 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 25 Sep 2014 18:12:42 +0800
Subject: [PATCH] Adapt the change in gnu-efi-3.0w
---
Cryptlib/Include/OpenSslSupport.h | 13 +++++++------
Cryptlib/Makefile | 1 +
Cryptlib/OpenSSL/Makefile | 3 +++
Makefile | 2 ++
4 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/Cryptlib/Include/OpenSslSupport.h b/Cryptlib/Include/OpenSslSupport.h
index 9e56ced..6b3bfbd 100644
--- a/Cryptlib/Include/OpenSslSupport.h
+++ b/Cryptlib/Include/OpenSslSupport.h
@@ -16,12 +16,6 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#define __OPEN_SSL_SUPPORT_H__
#include <efi.h>
-#include <efilib.h>
-#include <Base.h>
-#include <Library/BaseLib.h>
-#include <Library/BaseMemoryLib.h>
-#include <Library/MemoryAllocationLib.h>
-#include <Library/DebugLib.h>
#define CONST const
@@ -63,6 +57,13 @@ typedef __builtin_va_list VA_LIST;
#define va_end(Marker) ((void)0)
#endif
+#include <efilib.h>
+#include <Base.h>
+#include <Library/BaseLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/DebugLib.h>
+
//
// #defines from EFI Application Toolkit required to buiild Open SSL
//
diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile
index 9719a27..dbd79fb 100644
--- a/Cryptlib/Makefile
+++ b/Cryptlib/Makefile
@@ -3,6 +3,7 @@ EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLU
CFLAGS = -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
-Wall $(EFI_INCLUDES)
+CFLAGS += -DGNU_EFI_USE_EXTERNAL_STDARG
ifeq ($(ARCH),x86_64)
CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \
diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile
index 7990b3c..967e55e 100644
--- a/Cryptlib/OpenSSL/Makefile
+++ b/Cryptlib/OpenSSL/Makefile
@@ -18,6 +18,9 @@ endif
ifeq ($(ARCH),arm)
CFLAGS += -O2 -DTHIRTY_TWO_BIT -ffreestanding -I$(shell $(CC) -print-file-name=include)
endif
+
+CFLAGS += -DGNU_EFI_USE_EXTERNAL_STDARG
+
LDFLAGS = -nostdlib -znocombreloc
TARGET = libopenssl.a
diff --git a/Makefile b/Makefile
index 332a29b..52fd5b3 100644
--- a/Makefile
+++ b/Makefile
@@ -26,6 +26,8 @@ CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
"-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
$(EFI_INCLUDES)
+CFLAGS += -DGNU_EFI_USE_EXTERNAL_STDARG
+
ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
CFLAGS += -DOVERRIDE_SECURITY_POLICY
endif
--
1.8.4.5

449
shim-mokmanager-support-sha-family.patch
View File

@ -1,449 +0,0 @@
From f110c89b169505156741ee4ce4b0952e899ed0d8 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 3 Apr 2014 18:26:37 +0800
Subject: [PATCH 1/5] MokManager: Support SHA1 hash in MOK
Add SHA1 hash support and amend the code to make it easier to support
other SHA digests.
---
MokManager.c | 121 ++++++++++++++++++++++++++++++++++++-----------------------
1 file changed, 75 insertions(+), 46 deletions(-)
Index: shim-0.7/MokManager.c
===================================================================
--- shim-0.7.orig/MokManager.c
+++ shim-0.7/MokManager.c
@@ -25,6 +25,9 @@
#define EFI_VARIABLE_APPEND_WRITE 0x00000040
EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} };
+EFI_GUID EFI_CERT_SHA224_GUID = { 0xb6e5233, 0xa65c, 0x44c9, {0x94, 0x7, 0xd9, 0xab, 0x83, 0xbf, 0xc8, 0xbd} };
+EFI_GUID EFI_CERT_SHA384_GUID = { 0xff3e5307, 0x9fd0, 0x48c9, {0x85, 0xf1, 0x8a, 0xd5, 0x6c, 0x70, 0x1e, 0x1} };
+EFI_GUID EFI_CERT_SHA512_GUID = { 0x93e0fae, 0xa6c4, 0x4f50, {0x9f, 0x1b, 0xd4, 0x1e, 0x2b, 0x89, 0xc1, 0x9a} };
#define CERT_STRING L"Select an X509 certificate to enroll:\n\n"
#define HASH_STRING L"Select a file to trust:\n\n"
@@ -93,31 +96,84 @@ done:
return status;
}
+static BOOLEAN is_sha_hash (EFI_GUID Type)
+{
+ EFI_GUID Sha1 = EFI_CERT_SHA1_GUID;
+ EFI_GUID Sha224 = EFI_CERT_SHA224_GUID;
+ EFI_GUID Sha256 = EFI_CERT_SHA256_GUID;
+ EFI_GUID Sha384 = EFI_CERT_SHA384_GUID;
+ EFI_GUID Sha512 = EFI_CERT_SHA512_GUID;
+
+ if (CompareGuid(&Type, &Sha1) == 0)
+ return TRUE;
+ else if (CompareGuid(&Type, &Sha224) == 0)
+ return TRUE;
+ else if (CompareGuid(&Type, &Sha256) == 0)
+ return TRUE;
+ else if (CompareGuid(&Type, &Sha384) == 0)
+ return TRUE;
+ else if (CompareGuid(&Type, &Sha512) == 0)
+ return TRUE;
+
+ return FALSE;
+}
+
+static UINT32 sha_size (EFI_GUID Type)
+{
+ EFI_GUID Sha1 = EFI_CERT_SHA1_GUID;
+ EFI_GUID Sha224 = EFI_CERT_SHA224_GUID;
+ EFI_GUID Sha256 = EFI_CERT_SHA256_GUID;
+ EFI_GUID Sha384 = EFI_CERT_SHA384_GUID;
+ EFI_GUID Sha512 = EFI_CERT_SHA512_GUID;
+
+ if (CompareGuid(&Type, &Sha1) == 0)
+ return SHA1_DIGEST_SIZE;
+ else if (CompareGuid(&Type, &Sha224) == 0)
+ return SHA224_DIGEST_LENGTH;
+ else if (CompareGuid(&Type, &Sha256) == 0)
+ return SHA256_DIGEST_SIZE;
+ else if (CompareGuid(&Type, &Sha384) == 0)
+ return SHA384_DIGEST_LENGTH;
+ else if (CompareGuid(&Type, &Sha512) == 0)
+ return SHA512_DIGEST_LENGTH;
+
+ return 0;
+}
+
+static BOOLEAN is_valid_siglist (EFI_GUID Type, UINT32 SigSize)
+{
+ EFI_GUID CertType = X509_GUID;
+ UINT32 hash_sig_size;
+
+ if (CompareGuid (&Type, &CertType) == 0 && SigSize != 0)
+ return TRUE;
+
+ if (!is_sha_hash (Type))
+ return FALSE;
+
+ hash_sig_size = sha_size (Type) + sizeof(EFI_GUID);
+ if (SigSize != hash_sig_size)
+ return FALSE;
+
+ return TRUE;
+}
+
static UINT32 count_keys(void *Data, UINTN DataSize)
{
EFI_SIGNATURE_LIST *CertList = Data;
- EFI_GUID CertType = X509_GUID;
- EFI_GUID HashType = EFI_CERT_SHA256_GUID;
UINTN dbsize = DataSize;
UINT32 MokNum = 0;
while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
- if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) &&
- (CompareGuid (&CertList->SignatureType, &HashType) != 0)) {
- console_notify(L"Doesn't look like a key or hash");
- dbsize -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList +
- CertList->SignatureListSize);
- continue;
+ if (CertList->SignatureListSize == 0 ||
+ CertList->SignatureListSize <= CertList->SignatureSize) {
+ console_errorbox(L"Corrupted signature list");
+ return 0;
}
- if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) &&
- (CertList->SignatureSize != 48)) {
- console_notify(L"Doesn't look like a valid hash");
- dbsize -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList +
- CertList->SignatureListSize);
- continue;
+ if (!is_valid_siglist(CertList->SignatureType, CertList->SignatureSize)) {
+ console_errorbox(L"Invalid signature list found");
+ return 0;
}
MokNum++;
@@ -134,7 +190,6 @@ static MokListNode *build_mok_list(UINT3
EFI_SIGNATURE_LIST *CertList = Data;
EFI_SIGNATURE_DATA *Cert;
EFI_GUID CertType = X509_GUID;
- EFI_GUID HashType = EFI_CERT_SHA256_GUID;
UINTN dbsize = DataSize;
UINTN count = 0;
@@ -146,21 +201,8 @@ static MokListNode *build_mok_list(UINT3
}
while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
- if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) &&
- (CompareGuid (&CertList->SignatureType, &HashType) != 0)) {
- dbsize -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST *)((UINT8 *) CertList +
- CertList->SignatureListSize);
- continue;
- }
-
- if ((CompareGuid (&CertList->SignatureType, &HashType) == 0) &&
- (CertList->SignatureSize != 48)) {
- dbsize -= CertList->SignatureListSize;
- CertList = (EFI_SIGNATURE_LIST *)((UINT8 *) CertList +
- CertList->SignatureListSize);
- continue;
- }
+ /* Omit the signature check here since we already did it
+ in count_keys() */
Cert = (EFI_SIGNATURE_DATA *) (((UINT8 *) CertList) +
sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
@@ -380,22 +422,46 @@ static void show_x509_info (X509 *X509Ce
FreePool(text);
}
-static void show_sha256_digest (UINT8 *hash)
+static void show_sha_digest (EFI_GUID Type, UINT8 *hash)
{
+ EFI_GUID Sha1 = EFI_CERT_SHA1_GUID;
+ EFI_GUID Sha224 = EFI_CERT_SHA224_GUID;
+ EFI_GUID Sha256 = EFI_CERT_SHA256_GUID;
+ EFI_GUID Sha384 = EFI_CERT_SHA384_GUID;
+ EFI_GUID Sha512 = EFI_CERT_SHA512_GUID;
CHAR16 *text[5];
POOL_PRINT hash_string1;
POOL_PRINT hash_string2;
int i;
+ int length;
+
+ if (CompareGuid(&Type, &Sha1) == 0) {
+ length = SHA1_DIGEST_SIZE;
+ text[0] = L"SHA1 hash";
+ } else if (CompareGuid(&Type, &Sha224) == 0) {
+ length = SHA224_DIGEST_LENGTH;
+ text[0] = L"SHA224 hash";
+ } else if (CompareGuid(&Type, &Sha256) == 0) {
+ length = SHA256_DIGEST_SIZE;
+ text[0] = L"SHA256 hash";
+ } else if (CompareGuid(&Type, &Sha384) == 0) {
+ length = SHA384_DIGEST_LENGTH;
+ text[0] = L"SHA384 hash";
+ } else if (CompareGuid(&Type, &Sha512) == 0) {
+ length = SHA512_DIGEST_LENGTH;
+ text[0] = L"SHA512 hash";
+ } else {
+ return;
+ }
ZeroMem(&hash_string1, sizeof(hash_string1));
ZeroMem(&hash_string2, sizeof(hash_string2));
- text[0] = L"SHA256 hash";
text[1] = L"";
- for (i=0; i<16; i++)
+ for (i=0; i<length/2; i++)
CatPrint(&hash_string1, L"%02x ", hash[i]);
- for (i=16; i<32; i++)
+ for (i=length/2; i<length; i++)
CatPrint(&hash_string2, L"%02x ", hash[i]);
text[2] = hash_string1.str;
@@ -411,7 +477,7 @@ static void show_sha256_digest (UINT8 *h
FreePool(hash_string2.str);
}
-static void show_efi_hash (void *Mok, UINTN MokSize)
+static void show_efi_hash (EFI_GUID Type, void *Mok, UINTN MokSize)
{
UINTN sig_size;
UINTN hash_num;
@@ -420,7 +486,7 @@ static void show_efi_hash (void *Mok, UI
int key_num = 0;
int i;
- sig_size = SHA256_DIGEST_SIZE + sizeof(EFI_GUID);
+ sig_size = sha_size(Type) + sizeof(EFI_GUID);
if ((MokSize % sig_size) != 0) {
console_errorbox(L"Corrupted Hash List");
return;
@@ -429,7 +495,7 @@ static void show_efi_hash (void *Mok, UI
if (hash_num == 1) {
hash = (UINT8 *)Mok + sizeof(EFI_GUID);
- show_sha256_digest(hash);
+ show_sha_digest(Type, hash);
return;
}
@@ -452,7 +518,7 @@ static void show_efi_hash (void *Mok, UI
break;
hash = (UINT8 *)Mok + sig_size*key_num + sizeof(EFI_GUID);
- show_sha256_digest(hash);
+ show_sha_digest(Type, hash);
}
for (i=0; menu_strings[i] != NULL; i++)
@@ -467,7 +533,6 @@ static void show_mok_info (EFI_GUID Type
UINT8 hash[SHA1_DIGEST_SIZE];
X509 *X509Cert;
EFI_GUID CertType = X509_GUID;
- EFI_GUID HashType = EFI_CERT_SHA256_GUID;
if (!Mok || MokSize == 0)
return;
@@ -488,8 +553,8 @@ static void show_mok_info (EFI_GUID Type
console_notify(L"Not a valid X509 certificate");
return;
}
- } else if (CompareGuid (&Type, &HashType) == 0) {
- show_efi_hash(Mok, MokSize);
+ } else if (is_sha_hash(Type)) {
+ show_efi_hash(Type, Mok, MokSize);
}
}
@@ -504,15 +569,18 @@ static EFI_STATUS list_keys (void *KeyLi
if (KeyListSize < (sizeof(EFI_SIGNATURE_LIST) +
sizeof(EFI_SIGNATURE_DATA))) {
console_notify(L"No MOK keys found");
- return 0;
+ return EFI_NOT_FOUND;
}
MokNum = count_keys(KeyList, KeyListSize);
+ if (MokNum == 0) {
+ console_errorbox(L"Invalid key list");
+ return EFI_ABORTED;
+ }
keys = build_mok_list(MokNum, KeyList, KeyListSize);
-
if (!keys) {
- console_notify(L"Failed to construct key list");
- return 0;
+ console_errorbox(L"Failed to construct key list");
+ return EFI_ABORTED;
}
menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (MokNum + 2));
@@ -837,7 +905,7 @@ static EFI_STATUS store_keys (void *MokN
return EFI_SUCCESS;
}
-static UINTN mok_enrollment_prompt (void *MokNew, UINTN MokNewSize, int auth,
+static INTN mok_enrollment_prompt (void *MokNew, UINTN MokNewSize, int auth,
BOOLEAN MokX)
{
EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
@@ -974,7 +1042,7 @@ static EFI_STATUS write_back_mok_list (M
} else {
CertList->SignatureListSize = list[i].MokSize +
sizeof(EFI_SIGNATURE_LIST);
- CertList->SignatureSize = SHA256_DIGEST_SIZE + sizeof(EFI_GUID);
+ CertList->SignatureSize = sha_size(list[i].Type) + sizeof(EFI_GUID);
CopyMem(CertData, list[i].Mok, list[i].MokSize);
}
@@ -1043,10 +1111,9 @@ static void mem_move (void *dest, void *
d[i] = s[i];
}
-static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size,
+static void delete_hash_in_list (EFI_GUID Type, UINT8 *hash, UINT32 hash_size,
MokListNode *mok, INTN mok_num)
{
- EFI_GUID HashType = EFI_CERT_SHA256_GUID;
UINT32 sig_size;
UINT32 list_num;
int i, del_ind;
@@ -1056,7 +1123,7 @@ static void delete_hash_in_list (UINT8 *
sig_size = hash_size + sizeof(EFI_GUID);
for (i = 0; i < mok_num; i++) {
- if ((CompareGuid(&(mok[i].Type), &HashType) != 0) ||
+ if ((CompareGuid(&(mok[i].Type), &Type) != 0) ||
(mok[i].MokSize < sig_size))
continue;
@@ -1086,7 +1153,7 @@ static void delete_hash_in_list (UINT8 *
}
}
-static void delete_hash_list (void *hash_list, UINT32 list_size,
+static void delete_hash_list (EFI_GUID Type, void *hash_list, UINT32 list_size,
MokListNode *mok, INTN mok_num)
{
UINT32 hash_size;
@@ -1095,7 +1162,7 @@ static void delete_hash_list (void *hash
UINT8 *hash;
int i;
- hash_size = SHA256_DIGEST_SIZE;
+ hash_size = sha_size (Type);
sig_size = hash_size + sizeof(EFI_GUID);
if (list_size < sig_size)
return;
@@ -1105,7 +1172,7 @@ static void delete_hash_list (void *hash
hash = hash_list + sizeof(EFI_GUID);
for (i = 0; i < hash_num; i++) {
- delete_hash_in_list (hash, hash_size, mok, mok_num);
+ delete_hash_in_list (Type, hash, hash_size, mok, mok_num);
hash += sig_size;
}
}
@@ -1114,7 +1181,6 @@ static EFI_STATUS delete_keys (void *Mok
{
EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
EFI_GUID CertType = X509_GUID;
- EFI_GUID HashType = EFI_CERT_SHA256_GUID;
EFI_STATUS efi_status;
CHAR16 *db_name;
CHAR16 *auth_name;
@@ -1161,7 +1227,13 @@ static EFI_STATUS delete_keys (void *Mok
efi_status = get_variable_attr (db_name, &MokListData, &MokListDataSize,
shim_lock_guid, &attributes);
- if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) {
+ if (efi_status != EFI_SUCCESS) {
+ if (MokX)
+ console_errorbox(L"Failed to retrieve MokListX");
+ else
+ console_errorbox(L"Failed to retrieve MokList");
+ return EFI_ABORTED;
+ } else if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) {
if (MokX) {
err_str1 = L"MokListX is compromised!";
err_str2 = L"Erase all keys in MokListX!";
@@ -1170,7 +1242,11 @@ static EFI_STATUS delete_keys (void *Mok
err_str2 = L"Erase all keys in MokList!";
}
console_alertbox((CHAR16 *[]){err_str1, err_str2, NULL});
- LibDeleteVariable(db_name, &shim_lock_guid);
+ uefi_call_wrapper(RT->SetVariable, 5, db_name,
+ &shim_lock_guid,
+ EFI_VARIABLE_NON_VOLATILE |
+ EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ 0, NULL);
return EFI_ACCESS_DENIED;
}
@@ -1180,23 +1256,56 @@ static EFI_STATUS delete_keys (void *Mok
/* Construct lists */
mok_num = count_keys(MokListData, MokListDataSize);
+ if (mok_num == 0) {
+ if (MokX) {
+ err_str1 = L"Failed to construct the key list of MokListX";
+ err_str2 = L"Reset MokListX!";
+ } else {
+ err_str1 = L"Failed to construct the key list of MokList";
+ err_str2 = L"Reset MokList!";
+ }
+ console_alertbox((CHAR16 *[]){err_str1, err_str2, NULL});
+ uefi_call_wrapper(RT->SetVariable, 5, db_name,
+ &shim_lock_guid,
+ EFI_VARIABLE_NON_VOLATILE |
+ EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ 0, NULL);
+ efi_status = EFI_ABORTED;
+ goto error;
+ }
mok = build_mok_list(mok_num, MokListData, MokListDataSize);
+ if (!mok) {
+ console_errorbox(L"Failed to construct key list");
+ efi_status = EFI_ABORTED;
+ goto error;
+ }
del_num = count_keys(MokDel, MokDelSize);
+ if (del_num == 0) {
+ console_errorbox(L"Invalid key delete list");
+ efi_status = EFI_ABORTED;
+ goto error;
+ }
del_key = build_mok_list(del_num, MokDel, MokDelSize);
+ if (!del_key) {
+ console_errorbox(L"Failed to construct key list");
+ efi_status = EFI_ABORTED;
+ goto error;
+ }
/* Search and destroy */
for (i = 0; i < del_num; i++) {
if (CompareGuid(&(del_key[i].Type), &CertType) == 0) {
delete_cert(del_key[i].Mok, del_key[i].MokSize,
mok, mok_num);
- } else if (CompareGuid(&(del_key[i].Type), &HashType) == 0) {
- delete_hash_list(del_key[i].Mok, del_key[i].MokSize,
- mok, mok_num);
+ } else if (is_sha_hash(del_key[i].Type)) {
+ delete_hash_list(del_key[i].Type, del_key[i].Mok,
+ del_key[i].MokSize, mok, mok_num);
}
}
efi_status = write_back_mok_list(mok, mok_num, MokX);
+error:
if (MokListData)
FreePool(MokListData);
if (mok)

1751
shim-mokx-support.patch
View File

File diff suppressed because it is too large Load Diff

191
shim-opensuse-cert-prompt.patch
View File

@ -1,4 +1,4 @@
From b13d18d4069032ccf6c885774e9eada6a1d80ddd Mon Sep 17 00:00:00 2001
From e3b81e524747199fb7da29e5988cff79db1658a3 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 18 Feb 2014 17:29:19 +0800
Subject: [PATCH 1/3] Show the build-in certificate prompt
@ -17,13 +17,13 @@ again after reboot.
The state will store in use_openSUSE_cert, a volatile RT variable.
---
shim.c | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-----------
1 file changed, 97 insertions(+), 19 deletions(-)
shim.c | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 74 insertions(+), 2 deletions(-)
Index: shim-0.7/shim.c
===================================================================
--- shim-0.7.orig/shim.c
+++ shim-0.7/shim.c
diff --git a/shim.c b/shim.c
index d46494a..c14a54d 100644
--- a/shim.c
+++ b/shim.c
@@ -90,6 +90,7 @@ UINT8 *vendor_dbx;
*/
verification_method_t verification_method;
@ -32,7 +32,7 @@ Index: shim-0.7/shim.c
#define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
@@ -817,7 +818,7 @@ static EFI_STATUS verify_buffer (char *d
@@ -954,7 +955,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
if (status == EFI_SUCCESS)
return status;
@ -41,75 +41,16 @@ Index: shim-0.7/shim.c
/*
* Check against the shim build key
*/
@@ -1523,11 +1524,14 @@ EFI_STATUS mirror_mok_list()
@@ -1708,7 +1709,7 @@ EFI_STATUS mirror_mok_list()
if (efi_status != EFI_SUCCESS)
DataSize = 0;
- FullDataSize = DataSize
- + sizeof (*CertList)
- + sizeof (EFI_GUID)
- + vendor_cert_size
- ;
+ FullDataSize = DataSize;
+ if (use_builtin_cert) {
+ FullDataSize += sizeof (*CertList) +
+ sizeof (EFI_GUID) +
+ vendor_cert_size;
+ } else if (DataSize == 0) {
+ return EFI_SUCCESS;
+ }
FullData = AllocatePool(FullDataSize);
if (!FullData) {
perror(L"Failed to allocate space for MokListRT\n");
@@ -1539,21 +1543,24 @@ EFI_STATUS mirror_mok_list()
CopyMem(p, Data, DataSize);
p += DataSize;
}
- CertList = (EFI_SIGNATURE_LIST *)p;
- p += sizeof (*CertList);
- CertData = (EFI_SIGNATURE_DATA *)p;
- p += sizeof (EFI_GUID);
-
- CertList->SignatureType = EFI_CERT_X509_GUID;
- CertList->SignatureListSize = vendor_cert_size
- + sizeof (*CertList)
- + sizeof (*CertData)
- -1;
- CertList->SignatureHeaderSize = 0;
- CertList->SignatureSize = vendor_cert_size + sizeof (EFI_GUID);
- CertData->SignatureOwner = SHIM_LOCK_GUID;
- CopyMem(p, vendor_cert, vendor_cert_size);
+ if (use_builtin_cert) {
+ CertList = (EFI_SIGNATURE_LIST *)p;
+ p += sizeof (*CertList);
+ CertData = (EFI_SIGNATURE_DATA *)p;
+ p += sizeof (EFI_GUID);
+
+ CertList->SignatureType = EFI_CERT_X509_GUID;
+ CertList->SignatureListSize = vendor_cert_size
+ + sizeof (*CertList)
+ + sizeof (*CertData)
+ -1;
+ CertList->SignatureHeaderSize = 0;
+ CertList->SignatureSize = vendor_cert_size + sizeof (EFI_GUID);
+
+ CertData->SignatureOwner = SHIM_LOCK_GUID;
+ CopyMem(p, vendor_cert, vendor_cert_size);
+ }
efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokListRT",
&shim_lock_guid,
@@ -1600,7 +1607,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE
check_var(L"MokPW") || check_var(L"MokAuth") ||
check_var(L"MokDel") || check_var(L"MokDB") ||
check_var(L"MokXNew") || check_var(L"MokXDel") ||
- check_var(L"MokXAuth")) {
+ check_var(L"MokXAuth") || check_var(L"ClearVerify")) {
efi_status = start_image(image_handle, MOK_MANAGER);
if (efi_status != EFI_SUCCESS) {
@@ -1840,6 +1847,75 @@ uninstall_shim_protocols(void)
- if (vendor_cert_size) {
+ if (vendor_cert_size && use_builtin_cert) {
FullDataSize = DataSize
+ sizeof (*CertList)
+ sizeof (EFI_GUID)
@@ -2057,6 +2058,75 @@ uninstall_shim_protocols(void)
&shim_lock_guid, &shim_lock_interface);
}
@ -185,7 +126,7 @@ Index: shim-0.7/shim.c
EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
{
EFI_STATUS efi_status;
@@ -1895,6 +1971,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_ha
@@ -2112,6 +2182,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
*/
hook_system_services(systab);
loader_is_participating = 0;
@ -194,11 +135,30 @@ Index: shim-0.7/shim.c
}
}
Index: shim-0.7/MokManager.c
===================================================================
--- shim-0.7.orig/MokManager.c
+++ shim-0.7/MokManager.c
@@ -1701,6 +1701,36 @@ static INTN mok_pw_prompt (void *MokPW,
--
1.8.4.5
From 7b87b12059a9f26125f135ae649757346d26d6f8 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 20 Feb 2014 16:57:08 +0800
Subject: [PATCH 2/3] Support revoking the openSUSE cert
This is an openSUSE-only patch.
To revoke the openSUSE cert, create ClearVerify, a NV RT variable,
and store the password hash in the variable, and then MokManager
will show up with an additional option to clear openSUSE_Verify
---
MokManager.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
shim.c | 2 +-
2 files changed, 60 insertions(+), 3 deletions(-)
diff --git a/MokManager.c b/MokManager.c
index 442ab8f..7277968 100644
--- a/MokManager.c
+++ b/MokManager.c
@@ -1731,6 +1731,33 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) {
return -1;
}
@ -216,10 +176,7 @@ Index: shim-0.7/MokManager.c
+ if (status != EFI_SUCCESS)
+ return -1;
+
+ status = uefi_call_wrapper(RT->SetVariable, 5,
+ L"openSUSE_Verify", &shim_lock_guid,
+ EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,
+ 0, NULL);
+ status = LibDeleteVariable(L"openSUSE_Verify", &shim_lock_guid);
+ if (status != EFI_SUCCESS) {
+ console_error(L"Failed to delete openSUSE_Verify", status);
+ return -1;
@ -235,7 +192,7 @@ Index: shim-0.7/MokManager.c
static BOOLEAN verify_certificate(UINT8 *cert, UINTN size)
{
X509 *X509Cert;
@@ -2053,6 +2083,7 @@ typedef enum {
@@ -2083,6 +2110,7 @@ typedef enum {
MOK_CHANGE_SB,
MOK_SET_PW,
MOK_CHANGE_DB,
@ -243,7 +200,7 @@ Index: shim-0.7/MokManager.c
MOK_KEY_ENROLL,
MOK_HASH_ENROLL
} mok_menu_item;
@@ -2064,7 +2095,8 @@ static EFI_STATUS enter_mok_menu(EFI_HAN
@@ -2094,7 +2122,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
void *MokPW, UINTN MokPWSize,
void *MokDB, UINTN MokDBSize,
void *MokXNew, UINTN MokXNewSize,
@ -253,7 +210,7 @@ Index: shim-0.7/MokManager.c
{
CHAR16 **menu_strings;
mok_menu_item *menu_item;
@@ -2138,6 +2170,9 @@ static EFI_STATUS enter_mok_menu(EFI_HAN
@@ -2168,6 +2197,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
if (MokDB)
menucount++;
@ -263,7 +220,7 @@ Index: shim-0.7/MokManager.c
menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (menucount + 1));
if (!menu_strings)
@@ -2207,6 +2242,12 @@ static EFI_STATUS enter_mok_menu(EFI_HAN
@@ -2237,6 +2269,12 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
i++;
}
@ -276,7 +233,7 @@ Index: shim-0.7/MokManager.c
menu_strings[i] = L"Enroll key from disk";
menu_item[i] = MOK_KEY_ENROLL;
i++;
@@ -2257,6 +2298,9 @@ static EFI_STATUS enter_mok_menu(EFI_HAN
@@ -2287,6 +2325,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
case MOK_CHANGE_DB:
mok_db_prompt(MokDB, MokDBSize);
break;
@ -286,7 +243,7 @@ Index: shim-0.7/MokManager.c
case MOK_KEY_ENROLL:
mok_key_enroll();
break;
@@ -2282,6 +2326,7 @@ static EFI_STATUS check_mok_request(EFI_
@@ -2312,6 +2353,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
UINTN MokNewSize = 0, MokDelSize = 0, MokSBSize = 0, MokPWSize = 0;
UINTN MokDBSize = 0, MokXNewSize = 0, MokXDelSize = 0;
@ -294,7 +251,7 @@ Index: shim-0.7/MokManager.c
void *MokNew = NULL;
void *MokDel = NULL;
void *MokSB = NULL;
@@ -2289,6 +2334,7 @@ static EFI_STATUS check_mok_request(EFI_
@@ -2319,6 +2361,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
void *MokDB = NULL;
void *MokXNew = NULL;
void *MokXDel = NULL;
@ -302,7 +259,7 @@ Index: shim-0.7/MokManager.c
EFI_STATUS status;
status = get_variable(L"MokNew", (UINT8 **)&MokNew, &MokNewSize,
@@ -2361,9 +2407,20 @@ static EFI_STATUS check_mok_request(EFI_
@@ -2391,9 +2434,20 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
console_error(L"Could not retrieve MokXDel", status);
}
@ -324,7 +281,7 @@ Index: shim-0.7/MokManager.c
if (MokNew)
FreePool (MokNew);
@@ -2386,6 +2443,9 @@ static EFI_STATUS check_mok_request(EFI_
@@ -2416,6 +2470,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
if (MokXDel)
FreePool (MokXDel);
@ -334,3 +291,51 @@ Index: shim-0.7/MokManager.c
LibDeleteVariable(L"MokAuth", &shim_lock_guid);
LibDeleteVariable(L"MokDelAuth", &shim_lock_guid);
LibDeleteVariable(L"MokXAuth", &shim_lock_guid);
diff --git a/shim.c b/shim.c
index c14a54d..1287eed 100644
--- a/shim.c
+++ b/shim.c
@@ -1818,7 +1818,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
check_var(L"MokPW") || check_var(L"MokAuth") ||
check_var(L"MokDel") || check_var(L"MokDB") ||
check_var(L"MokXNew") || check_var(L"MokXDel") ||
- check_var(L"MokXAuth")) {
+ check_var(L"MokXAuth") || check_var(L"ClearVerify")) {
efi_status = start_image(image_handle, MOK_MANAGER);
if (efi_status != EFI_SUCCESS) {
--
1.8.4.5
From c7340fe9219777622fe58b6596f53a4cad739e9f Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Fri, 7 Mar 2014 16:17:20 +0800
Subject: [PATCH 3/3] Delete openSUSE_Verify the right way
This is an openSUSE-only patch.
LibDeleteVariable only works on the runtime variables.
---
MokManager.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/MokManager.c b/MokManager.c
index 7277968..b5d2454 100644
--- a/MokManager.c
+++ b/MokManager.c
@@ -1745,7 +1745,10 @@ static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) {
if (status != EFI_SUCCESS)
return -1;
- status = LibDeleteVariable(L"openSUSE_Verify", &shim_lock_guid);
+ status = uefi_call_wrapper(RT->SetVariable, 5,
+ L"openSUSE_Verify", &shim_lock_guid,
+ EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,
+ 0, NULL);
if (status != EFI_SUCCESS) {
console_error(L"Failed to delete openSUSE_Verify", status);
return -1;
--
1.8.4.5

51
shim-signed-unsigned-compares.patch
View File

@ -1,51 +0,0 @@
Index: shim-0.7/MokManager.c
===================================================================
--- shim-0.7.orig/MokManager.c
+++ shim-0.7/MokManager.c
@@ -483,8 +483,8 @@ static void show_efi_hash (EFI_GUID Type
UINTN hash_num;
UINT8 *hash;
CHAR16 **menu_strings;
- int key_num = 0;
- int i;
+ UINTN key_num = 0;
+ UINTN i;
sig_size = sha_size(Type) + sizeof(EFI_GUID);
if ((MokSize % sig_size) != 0) {
@@ -562,7 +562,7 @@ static EFI_STATUS list_keys (void *KeyLi
{
UINT32 MokNum = 0;
MokListNode *keys = NULL;
- int key_num = 0;
+ UINT32 key_num = 0;
CHAR16 **menu_strings;
unsigned int i;
@@ -1088,7 +1088,7 @@ static int match_hash (UINT8 *hash, UINT
void *hash_list, UINT32 list_num)
{
UINT8 *ptr;
- int i;
+ UINTN i;
ptr = hash_list + sizeof(EFI_GUID);
for (i = start; i < list_num; i++) {
@@ -1103,7 +1103,7 @@ static int match_hash (UINT8 *hash, UINT
static void mem_move (void *dest, void *src, UINTN size)
{
UINT8 *d, *s;
- int i;
+ UINTN i;
d = (UINT8 *)dest;
s = (UINT8 *)src;
@@ -1160,7 +1160,7 @@ static void delete_hash_list (EFI_GUID T
UINT32 hash_num;
UINT32 sig_size;
UINT8 *hash;
- int i;
+ UINT32 i;
hash_size = sha_size (Type);
sig_size = hash_size + sizeof(EFI_GUID);

4231
shim-update-openssl-0.9.8zb.patch
View File

File diff suppressed because it is too large Load Diff

15
shim.changes
View File

@ -1,3 +1,18 @@
-------------------------------------------------------------------
Tue Oct 28 04:00:51 UTC 2014 - glin@suse.com
- Update to 0.8
- Add shim-fix-gnu-efi-30w.patch to adapt the change in
gnu-efi-3.0w
- Merge shim-signed-unsigned-compares.patch,
shim-mokmanager-support-sha-family.patch and
shim-bnc863205-mokmanager-fix-hash-delete.patch into
shim-mokx-support.patch
- Refresh shim-opensuse-cert-prompt.patch
- Drop upstreamed patches: shim-update-openssl-0.9.8zb.patch,
bug-889332_shim-overflow.patch, and bug-889332_shim-mok-oob.patch
- Enable aarch64
-------------------------------------------------------------------
Mon Oct 13 13:09:14 UTC 2014 - jsegitz@novell.com

29
shim.spec
View File

@ -17,13 +17,9 @@
# needssslcertforbuild
%define commit 81ee561dde0213bc487aa1b701799f6d2faeaf31
%define shortcommit 81ee561d
Name: shim
# to ensure newer versions of the git export are always higher numbers the output of
# git rev-list master|wc -l is added before the git commit hash
Version: 0.7.318.%{shortcommit}
Version: 0.8
Release: 0
Summary: UEFI shim loader
License: BSD-2-Clause
@ -44,22 +40,12 @@ Source9: openSUSE-UEFI-CA-Certificate-4096.crt
Source10: timestamp.pl
Source11: strip_signature.sh
Source12: signature-sles.asc
# PATCH-FIX-UPSTREAM shim-mokx-support.patch glin@suse.com -- Support MOK blacklist
# REBASE PATCH-FIX-UPSTREAM shim-mokx-support.patch glin@suse.com -- Support MOK blacklist
Patch1: shim-mokx-support.patch
# PATCH-FIX-SUSE shim-only-os-name.patch glin@suse.com -- Only include the OS name in version.c
Patch2: shim-only-os-name.patch
# PATCH-FIX-UPSTREAM shim-bnc863205-mokmanager-fix-hash-delete.patch bnc#863205 glin@suse.com -- Fix the hash deletion operation to avoid ruining the whole list
Patch3: shim-bnc863205-mokmanager-fix-hash-delete.patch
# PATCH-FIX-UPSTREAM shim-mokmanager-support-sha-family.patch glin@suse.com -- Support SHA hashes in MOK
Patch4: shim-mokmanager-support-sha-family.patch
# PATCH-FIX-OPENSUSE shim-signed-unsigned-compares.patch jsegitz@suse.com -- Fixed some signed - unsigned comparisons
Patch5: shim-signed-unsigned-compares.patch
# PATCH-FIX-UPSTREAM shim-update-openssl-0.9.8zb.patch glin@suse.com -- Update openssl to 0.9.8zb
Patch6: shim-update-openssl-0.9.8zb.patch
# PATCH-FIX-UPSTREAM bug-889332_shim-overflow.patch krahmer@suse.com -- patch for overflow issue.
Patch7: bug-889332_shim-overflow.patch
# PATCH-FIX-UPSTREAM bug-889332_shim-mok-oob.patch krahmer@suse.com -- patch for MOK OOB access.
Patch8: bug-889332_shim-mok-oob.patch
# PATCH-FIX-UPSTREAM shim-fix-gnu-efi-30w.patch glin@suse.com -- Adapt the change in gnu-efi 3.0w
Patch3: shim-fix-gnu-efi-30w.patch
# PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
Patch100: shim-opensuse-cert-prompt.patch
BuildRequires: gnu-efi >= 3.0t
@ -71,7 +57,7 @@ Requires: perl-Bootloader
BuildRoot: %{_tmppath}/%{name}-%{version}-build
# For shim-install script
Requires: grub2-efi
ExclusiveArch: x86_64
ExclusiveArch: x86_64 aarch64
%description
shim is a trivial EFI application that, when run, attempts to open and
@ -88,11 +74,6 @@ Authors:
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch100 -p1
%build