pool/shim
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 985419 from devel:openSUSE:Factory

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/985419
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shim?expand=0&rev=100
This commit is contained in:
Dominique Leuenberger 2022-06-29 14:00:19 +00:00 committed by Git OBS Bridge
commit 8b17f8e390
15 changed files with 491 additions and 538 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
dbx-cert.tar.xz
View File

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c872989a35b85ff4a284871d95bae930f6372a31f3353e72890775bf151e5ff2
size 7052
oid sha256:ce6458fd78dfe56700ddfc82b6e72de3823735c449400c06379234eaa12e8f85
size 8416

3
shim-15.4.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:8344473dd10569588b8238a4656b8fab226714eea9f5363f8c410aa8a5090297
size 1260475

3
shim-15.6.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:eab91644a3efe91a666399f5d8eb3eed0e04d04f79d4b6c0b278ef7747a239a5
size 1343748

39
shim-bsc1184454-allocate-mok-config-table-BS.patch
View File

@ -1,39 +0,0 @@
From 33ca95024aa7e33218da5882d30b3ec690a11046 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 8 Apr 2021 16:23:03 +0800
Subject: [PATCH] mok: allocate MOK config table as BootServicesData
Linux kernel is picky when reserving the memory for x86 and it only
expects BootServicesData:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/platform/efi/quirks.c?h=v5.11#n254
Otherwise, the following error would show during system boot:
Apr 07 12:31:56.743925 localhost kernel: efi: Failed to lookup EFI memory descriptor for 0x000000003dcf8000
Although BootServicesData would be reclaimed after ExitBootService(),
linux kernel reserves MOK config table when it detects the existence of
the table, so it's fine to allocate the table as BootServicesData.
Signed-off-by: Gary Lin <glin@suse.com>
---
mok.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mok.c b/mok.c
index 5ad9072b..fc1ee04d 100644
--- a/mok.c
+++ b/mok.c
@@ -1002,7 +1002,7 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
npages = ALIGN_VALUE(config_sz, PAGE_SIZE) >> EFI_PAGE_SHIFT;
config_table = NULL;
efi_status = gBS->AllocatePages(AllocateAnyPages,
- EfiRuntimeServicesData,
+ EfiBootServicesData,
npages,
(EFI_PHYSICAL_ADDRESS *)&config_table);
if (EFI_ERROR(efi_status) || !config_table) {
--
2.29.2

52
shim-bsc1185232-fix-config-table-copying.patch
View File

@ -1,52 +0,0 @@
From 42c6148c7ebd026862ab96405e78191ff8ebf298 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Mon, 21 Jun 2021 16:38:02 +0800
Subject: [PATCH] mok: skip the empty variables when copying the data to MOK
config table
When calculating the size of the MOK config table, we skip the empty
variables. However, when copying the data, we copied the zeroed config
templates for those empty variables, and this could cause crash since we
may write more data than the allocated pages. This commit skips the
empty variables when copying the data so that the size of copied data
matches config_sz.
Signed-off-by: Gary Lin <glin@suse.com>
---
mok.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/mok.c b/mok.c
index beac0ff6..add21223 100644
--- a/mok.c
+++ b/mok.c
@@ -1028,16 +1028,18 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
for (i = 0; p && mok_state_variables[i].name != NULL; i++) {
struct mok_state_variable *v = &mok_state_variables[i];
- ZeroMem(&config_template, sizeof(config_template));
- strncpy(config_template.name, (CHAR8 *)v->rtname8, 255);
- config_template.name[255] = '\0';
+ if (v->data && v->data_size) {
+ ZeroMem(&config_template, sizeof(config_template));
+ strncpy(config_template.name, (CHAR8 *)v->rtname8, 255);
+ config_template.name[255] = '\0';
- config_template.data_size = v->data_size;
+ config_template.data_size = v->data_size;
- CopyMem(p, &config_template, sizeof(config_template));
- p += sizeof(config_template);
- CopyMem(p, v->data, v->data_size);
- p += v->data_size;
+ CopyMem(p, &config_template, sizeof(config_template));
+ p += sizeof(config_template);
+ CopyMem(p, v->data, v->data_size);
+ p += v->data_size;
+ }
}
if (p) {
ZeroMem(&config_template, sizeof(config_template));
--
2.31.1

42
shim-bsc1185232-relax-loadoptions-length-check.patch
View File

@ -1,42 +0,0 @@
From 795c62cb023886d39f1ee15977dc3194e01da57f Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Fri, 4 Jun 2021 17:02:31 +0800
Subject: [PATCH] shim: don't fail on the odd LoadOptions length
Some firmware feeds the LoadOptions with an odd length when booting from
an USB device(*). We should only skip this kind of LoadOptions, not fail
it, or the user won't be able to boot the system from USB or CD-ROM.
(*) https://bugzilla.suse.com/show_bug.cgi?id=1185232#c62
Signed-off-by: Gary Lin <glin@suse.com>
---
shim.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/shim.c b/shim.c
index c5cfbb83..dd563cf6 100644
--- a/shim.c
+++ b/shim.c
@@ -1411,9 +1411,16 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle)
return efi_status;
}
- /* Sanity check since we make several assumptions about the length */
+ /* Sanity check since we make several assumptions about the length
+ * Some firmware feeds the following load option when booting from
+ * an USB device:
+ *
+ * 0x46 0x4a 0x00 |FJ.|
+ *
+ * The string is meaningless for shim and so just ignore it.
+ * */
if (li->LoadOptionsSize % 2 != 0)
- return EFI_INVALID_PARAMETER;
+ return EFI_SUCCESS;
/* So, load options are a giant pain in the ass. If we're invoked
* from the EFI shell, we get something like this:
--
2.31.1

57
shim-bsc1185261-relax-import_mok_state-check.patch
View File

@ -1,57 +0,0 @@
From 3e33205b9c957624df7e30a2e5e2847f23d37989 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Tue, 11 May 2021 10:41:43 +0800
Subject: [PATCH] Relax the check for import_mok_state()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
An openSUSE user reported(*) that shim 15.4 failed to boot the system
with the following message:
"Could not create MokListXRT: Out of Resources"
In the beginning, I thought it's caused by the growing size of
vendor-dbx. However, we found the following messages after set
SHIM_VERBOSE:
max_var_sz:8000 remaining_sz:85EC max_storage_sz:9000
SetVariable(“MokListXRT”, ... varsz=0x1404) = Out of Resources
Even though the firmware claimed the remaining storage size is 0x85EC,
it still rejected MokListXRT with size 0x1404. It seems that the return
values from QueryVariableInfo() are not reliable. Since this firmware
didn't really support Secure Boot, the variable mirroring is not so
critical, so we can just accept the failure of import_mok_state() and
continue boot.
(*) https://bugzilla.suse.com/show_bug.cgi?id=1185261
Signed-off-by: Gary Lin <glin@suse.com>
---
shim.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/shim.c b/shim.c
index c5cfbb83..d38ae2f0 100644
--- a/shim.c
+++ b/shim.c
@@ -1973,10 +1973,13 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
* boot-services-only state variables are what we think they are.
*/
efi_status = import_mok_state(image_handle);
- if (!secure_mode() && efi_status == EFI_INVALID_PARAMETER) {
+ if (!secure_mode() &&
+ (efi_status == EFI_INVALID_PARAMETER ||
+ efi_status == EFI_OUT_OF_RESOURCES)) {
/*
* Make copy failures fatal only if secure_mode is enabled, or
- * the error was anything else than EFI_INVALID_PARAMETER.
+ * the error was anything else than EFI_INVALID_PARAMETER or
+ * EFI_OUT_OF_RESOURCES.
* There are non-secureboot firmware implementations that don't
* reserve enough EFI variable memory to fit the variable.
*/
--
2.31.1

41
shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch
View File

@ -1,41 +0,0 @@
From 822d07ad4f07ef66fe447a130e1027c88d02a394 Mon Sep 17 00:00:00 2001
From: Adam Williamson <awilliam@redhat.com>
Date: Thu, 8 Apr 2021 22:39:02 -0700
Subject: [PATCH] Fix handling of ignore_db and user_insecure_mode
In 65be350308783a8ef537246c8ad0545b4e6ad069, import_mok_state() is split
up into a function that manages the whole mok state, and one that
handles the state machine for an individual state variable.
Unfortunately, the code that initializes the global ignore_db and
user_insecure_mode was copied from import_mok_state() into the new
import_one_mok_state() function, and thus re-initializes that state each
time it processes a MoK state variable, before even assessing if that
variable is set. As a result, we never honor either flag, and the
machine owner cannot disable trusting the system firmware's db/dbx
databases or disable validation altogether.
This patch removes the extra re-initialization, allowing those variables
to be set properly.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
---
mok.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/mok.c b/mok.c
index 5ad9072b..9e37d6ab 100644
--- a/mok.c
+++ b/mok.c
@@ -888,9 +888,6 @@ EFI_STATUS import_one_mok_state(struct mok_state_variable *v,
EFI_STATUS ret = EFI_SUCCESS;
EFI_STATUS efi_status;
- user_insecure_mode = 0;
- ignore_db = 0;
-
UINT32 attrs = 0;
BOOLEAN delete = FALSE;
--
2.31.1

38
shim-bsc1185621-relax-max-var-sz-check.patch
View File

@ -1,38 +0,0 @@
commit 690ec2419a8c2c4246450e447629adc85f9a6f40
Author: Gary Lin <glin@suse.com>
Date: Wed May 5 11:25:07 2021 +0800
mok: relax the maximum variable size check
Some UEFI environment such as u-boot doesn't implement
QueryVariableInfo(), so we couldn't rely on the function to estimate the
available space for RT variables. All we can do is to call SetVariable()
directly and check the return value of SetVariable().
Signed-off-by: Gary Lin <glin@suse.com>
diff --git a/mok.c b/mok.c
index 5ad9072b..1f9820e7 100644
--- a/mok.c
+++ b/mok.c
@@ -351,13 +351,18 @@ mirror_mok_db(CHAR16 *name, CHAR8 *name8, EFI_GUID *guid, UINT32 attrs,
SIZE_T max_var_sz;
efi_status = get_max_var_sz(attrs, &max_var_sz);
- if (EFI_ERROR(efi_status)) {
+ if (EFI_ERROR(efi_status) && efi_status != EFI_UNSUPPORTED) {
LogError(L"Could not get maximum variable size: %r",
efi_status);
return efi_status;
}
- if (FullDataSize <= max_var_sz) {
+ /* Some UEFI environment such as u-boot doesn't implement
+ * QueryVariableInfo() and we will only get EFI_UNSUPPORTED when
+ * querying the available space. In this case, we just mirror
+ * the variable directly. */
+ if (FullDataSize <= max_var_sz || efi_status == EFI_UNSUPPORTED) {
+ efi_status = EFI_SUCCESS;
if (only_first)
efi_status = SetVariable(name, guid, attrs,
FullDataSize, FullData);

62
shim-bsc1187260-fix-efi-1.10-machines.patch
View File

@ -1,62 +0,0 @@
From 493bd940e5c6e28e673034687de7adef9529efff Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Sat, 10 Apr 2021 16:05:23 -0400
Subject: [PATCH] Don't call QueryVariableInfo() on EFI 1.10 machines
The EFI 1.10 spec (and presumably earlier revisions as well) didn't have
RT->QueryVariableInfo(), and on Chris Murphy's MacBookPro8,2 , that
memory appears to be initialized randomly.
This patch changes it to not call RT->QueryVariableInfo() if the
EFI_RUNTIME_SERVICES table's major revision is less than two, and
assumes our maximum variable size is 1024 in that case.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
mok.c | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/mok.c b/mok.c
index 9b8fc2bc..beac0ff6 100644
--- a/mok.c
+++ b/mok.c
@@ -261,6 +261,9 @@ static const uint8_t null_sha256[32] = { 0, };
typedef UINTN SIZE_T;
+#define EFI_MAJOR_VERSION(tablep) ((UINT16)((((tablep)->Hdr.Revision) >> 16) & 0xfffful))
+#define EFI_MINOR_VERSION(tablep) ((UINT16)(((tablep)->Hdr.Revision) & 0xfffful))
+
static EFI_STATUS
get_max_var_sz(UINT32 attrs, SIZE_T *max_var_szp)
{
@@ -270,11 +273,21 @@ get_max_var_sz(UINT32 attrs, SIZE_T *max_var_szp)
uint64_t max_var_sz = 0;
*max_var_szp = 0;
- efi_status = gRT->QueryVariableInfo(attrs, &max_storage_sz,
- &remaining_sz, &max_var_sz);
- if (EFI_ERROR(efi_status)) {
- perror(L"Could not get variable storage info: %r\n", efi_status);
- return efi_status;
+ if (EFI_MAJOR_VERSION(gRT) < 2) {
+ dprint(L"EFI %d.%d; no RT->QueryVariableInfo(). Using 1024!\n",
+ EFI_MAJOR_VERSION(gRT), EFI_MINOR_VERSION(gRT));
+ max_var_sz = remaining_sz = max_storage_sz = 1024;
+ efi_status = EFI_SUCCESS;
+ } else {
+ dprint(L"calling RT->QueryVariableInfo() at 0x%lx\n",
+ gRT->QueryVariableInfo);
+ efi_status = gRT->QueryVariableInfo(attrs, &max_storage_sz,
+ &remaining_sz, &max_var_sz);
+ if (EFI_ERROR(efi_status)) {
+ perror(L"Could not get variable storage info: %r\n",
+ efi_status);
+ return efi_status;
+ }
}
/*
--
2.31.1

41
shim-bsc1187696-avoid-deleting-rt-variables.patch
View File

@ -1,41 +0,0 @@
From 14f6e10b8272ce34d3c373e000c583e5345b526b Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Wed, 30 Jun 2021 16:34:51 +0800
Subject: [PATCH] mok: delete the existing RT variables only when
only_first=TRUE
For the firmware without the variable writing issues, MOK variables are
mirrored when only_first=TRUE. However, LibDeleteVariable() was called
in maybe_mirror_one_mok_variable() when only_first=FALSE, and this
could delete MOK variables that were just mirrored in the first round.
This bug was hidden since LibDeleteVariable() deletes BS+RT+NV variables
while we mirror MOK variables as BS+RT, and the firmware refused to
delete the mirrored MOK variable due to mismatching attributes. However,
some firmwares, such as VMWare, didn't enforce the attribute check and
just deleted the variables with matched name and GUID. In such system,
MokListRT was always removed before it reached OS.
Fixes: https://github.com/rhboot/shim/issues/386
Signed-off-by: Gary Lin <glin@suse.com>
---
mok.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mok.c b/mok.c
index beac0ff6..5ea39d54 100644
--- a/mok.c
+++ b/mok.c
@@ -863,7 +863,7 @@ maybe_mirror_one_mok_variable(struct mok_state_variable *v,
BOOLEAN present = FALSE;
if (v->rtname) {
- if (!only_first && (v->flags & MOK_MIRROR_DELETE_FIRST)) {
+ if (only_first && (v->flags & MOK_MIRROR_DELETE_FIRST)) {
dprint(L"deleting \"%s\"\n", v->rtname);
efi_status = LibDeleteVariable(v->rtname, v->guid);
dprint(L"LibDeleteVariable(\"%s\",...) => %r\n", v->rtname, efi_status);
--
2.31.1

306
shim-bsc1198101-opensuse-cert-prompt.patch Normal file
View File

@ -0,0 +1,306 @@
From 49355a83722494099caeb23b46637b2c94a6ab9e Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 18 Feb 2014 17:29:19 +0800
Subject: [PATCH 1/3] Show the build-in certificate prompt
This is an openSUSE-only patch.
Pop up a window to ask if the user is willing to trust the built-in
openSUSE certificate.
If yes, set openSUSE_Verify, a BootService variable, to 1, and shim
won't bother the user afterward.
If no, continue the booting process without using the built-in
certificate to verify the EFI images, and the window will show up
again after reboot.
The state will store in use_openSUSE_cert, a volatile RT variable.
---
mok.c | 3 ++-
shim.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
shim.h | 1 +
3 files changed, 71 insertions(+), 2 deletions(-)
Index: shim-15.6~rc1+77144e5a/mok.c
===================================================================
--- shim-15.6~rc1+77144e5a.orig/mok.c
+++ shim-15.6~rc1+77144e5a/mok.c
@@ -46,7 +46,8 @@ static EFI_STATUS check_mok_request(EFI_
check_var(L"MokPW") || check_var(L"MokAuth") ||
check_var(L"MokDel") || check_var(L"MokDB") ||
check_var(L"MokXNew") || check_var(L"MokXDel") ||
- check_var(L"MokXAuth") || check_var(L"MokListTrustedNew")) {
+ check_var(L"MokXAuth") || check_var(L"MokListTrustedNew") ||
+ check_var(L"ClearVerify")) {
efi_status = start_image(image_handle, MOK_MANAGER);
if (EFI_ERROR(efi_status)) {
@@ -62,7 +63,8 @@ static vendor_addend_category_t
categorize_authorized(struct mok_state_variable *v)
{
if (!(v->addend && v->addend_size &&
- *v->addend && *v->addend_size)) {
+ *v->addend && *v->addend_size &&
+ use_builtin_cert)) {
return VENDOR_ADDEND_NONE;
}
Index: shim-15.6~rc1+77144e5a/shim.c
===================================================================
--- shim-15.6~rc1+77144e5a.orig/shim.c
+++ shim-15.6~rc1+77144e5a/shim.c
@@ -496,6 +496,8 @@ verify_one_signature(WIN_CERTIFICATE_EFI
}
efi_status = EFI_NOT_FOUND;
+ if (!use_builtin_cert)
+ return efi_status;
#if defined(ENABLE_SHIM_CERT)
/*
* Check against the shim build key
@@ -1572,6 +1574,69 @@ shim_fini(void)
console_fini();
}
+#define VENDOR_VERIFY L"openSUSE_Verify"
+
+/* Show the built-in certificate prompt if necessary */
+static int builtin_cert_prompt(void)
+{
+ EFI_STATUS status;
+ UINT32 attributes;
+ UINTN len = sizeof(UINT8);
+ UINT8 data;
+
+ use_builtin_cert = FALSE;
+
+ if (vendor_cert_size == 0)
+ return 0;
+
+ status = gRT->GetVariable(VENDOR_VERIFY, &SHIM_LOCK_GUID,
+ &attributes, &len, (void *)&data);
+ if (status != EFI_SUCCESS ||
+ (attributes & EFI_VARIABLE_RUNTIME_ACCESS)) {
+ int choice;
+
+ if (status != EFI_NOT_FOUND)
+ LibDeleteVariable(VENDOR_VERIFY, &SHIM_LOCK_GUID);
+
+ CHAR16 *str[] = {L"Trust openSUSE Certificate",
+ L"",
+ L"Do you agree to use the built-in openSUSE certificate",
+ L"to verify boot loaders and kernels?",
+ NULL};
+ choice = console_yes_no(str);
+ if (choice != 1) {
+ data = 0;
+ goto done;
+ }
+
+ data = 1;
+ status = gRT->SetVariable(VENDOR_VERIFY, &SHIM_LOCK_GUID,
+ EFI_VARIABLE_NON_VOLATILE |
+ EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ sizeof(UINT8), &data);
+ if (status != EFI_SUCCESS) {
+ console_error(L"Failed to set openSUSE_Verify", status);
+ return -1;
+ }
+ }
+
+ use_builtin_cert = TRUE;
+ data = 1;
+
+done:
+ /* Setup a runtime variable to show the current state */
+ status = gRT->SetVariable(L"use_openSUSE_cert", &SHIM_LOCK_GUID,
+ EFI_VARIABLE_BOOTSERVICE_ACCESS |
+ EFI_VARIABLE_RUNTIME_ACCESS,
+ sizeof(UINT8), &data);
+ if (status != EFI_SUCCESS) {
+ console_error(L"Failed to set use_openSUSE_cert", status);
+ return -1;
+ }
+
+ return 0;
+}
+
extern EFI_STATUS
efi_main(EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab);
@@ -1712,6 +1777,9 @@ efi_main (EFI_HANDLE passed_image_handle
*/
debug_hook();
+ if (secure_mode() && (builtin_cert_prompt() != 0))
+ return EFI_ABORTED;
+
efi_status = set_sbat_uefi_variable();
if (EFI_ERROR(efi_status) && secure_mode()) {
perror(L"%s variable initialization failed\n", SBAT_VAR_NAME);
Index: shim-15.6~rc1+77144e5a/MokManager.c
===================================================================
--- shim-15.6~rc1+77144e5a.orig/MokManager.c
+++ shim-15.6~rc1+77144e5a/MokManager.c
@@ -1864,6 +1864,36 @@ mokpw_done:
return EFI_SUCCESS;
}
+static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) {
+ EFI_STATUS status;
+
+ if (console_yes_no((CHAR16 *[]){L"Do you want to revoke openSUSE certificate?", NULL}) != 1)
+ return 0;
+
+ if (ClearVerifySize == PASSWORD_CRYPT_SIZE) {
+ status = match_password((PASSWORD_CRYPT *)ClearVerify, NULL, 0,
+ NULL, NULL);
+ } else {
+ status = EFI_INVALID_PARAMETER;
+ }
+ if (status != EFI_SUCCESS)
+ return -1;
+
+ status = gRT->SetVariable(L"openSUSE_Verify", &SHIM_LOCK_GUID,
+ EFI_VARIABLE_BOOTSERVICE_ACCESS |
+ EFI_VARIABLE_NON_VOLATILE,
+ 0, NULL);
+ if (status != EFI_SUCCESS) {
+ console_error(L"Failed to delete openSUSE_Verify", status);
+ return -1;
+ }
+
+ console_notify(L"The system must now be rebooted");
+ gRT->ResetSystem(EfiResetWarm, EFI_SUCCESS, 0, NULL);
+ console_notify(L"Failed to reboot");
+ return -1;
+}
+
static BOOLEAN verify_certificate(UINT8 * cert, UINTN size)
{
X509 *X509Cert;
@@ -2195,6 +2225,7 @@ typedef enum {
MOK_CHANGE_SB,
MOK_SET_PW,
MOK_CHANGE_DB,
+ MOK_CLEAR_VERIFY,
MOK_KEY_ENROLL,
MOK_HASH_ENROLL,
MOK_CHANGE_TML
@@ -2217,7 +2248,9 @@ static EFI_STATUS enter_mok_menu(EFI_HAN
void *MokDB, UINTN MokDBSize,
void *MokXNew, UINTN MokXNewSize,
void *MokXDel, UINTN MokXDelSize,
- void *MokTML, UINTN MokTMLSize)
+ void *MokTML, UINTN MokTMLSize,
+ void *ClearVerify, UINTN ClearVerifySize)
+
{
CHAR16 **menu_strings = NULL;
mok_menu_item *menu_item = NULL;
@@ -2296,6 +2329,9 @@ static EFI_STATUS enter_mok_menu(EFI_HAN
if (MokTML)
menucount++;
+ if (ClearVerify)
+ menucount++;
+
menu_strings = AllocateZeroPool(sizeof(CHAR16 *) *
(menucount + 1));
if (!menu_strings)
@@ -2373,6 +2409,12 @@ static EFI_STATUS enter_mok_menu(EFI_HAN
i++;
}
+ if (ClearVerify) {
+ menu_strings[i] = L"Revoke openSUSE certificate";
+ menu_item[i] = MOK_CLEAR_VERIFY;
+ i++;
+ }
+
menu_strings[i] = L"Enroll key from disk";
menu_item[i] = MOK_KEY_ENROLL;
i++;
@@ -2477,6 +2519,9 @@ static EFI_STATUS enter_mok_menu(EFI_HAN
if (!EFI_ERROR(efi_status))
MokDB = NULL;
break;
+ case MOK_CLEAR_VERIFY:
+ mok_clear_verify_prompt(ClearVerify, ClearVerifySize);
+ break;
case MOK_KEY_ENROLL:
efi_status = mok_key_enroll();
break;
@@ -2519,6 +2564,7 @@ static EFI_STATUS check_mok_request(EFI_
{
UINTN MokNewSize = 0, MokDelSize = 0, MokSBSize = 0, MokPWSize = 0;
UINTN MokDBSize = 0, MokXNewSize = 0, MokXDelSize = 0, MokTMLSize = 0;
+ UINTN ClearVerifySize = 0;
void *MokNew = NULL;
void *MokDel = NULL;
void *MokSB = NULL;
@@ -2527,6 +2573,7 @@ static EFI_STATUS check_mok_request(EFI_
void *MokXNew = NULL;
void *MokXDel = NULL;
void *MokTML = NULL;
+ void *ClearVerify = NULL;
EFI_STATUS efi_status;
efi_status = get_variable(L"MokNew", (UINT8 **) & MokNew, &MokNewSize,
@@ -2611,9 +2658,20 @@ static EFI_STATUS check_mok_request(EFI_
console_error(L"Could not retrieve MokXDel", efi_status);
}
+ efi_status = get_variable(L"ClearVerify", (UINT8 **)&ClearVerify,
+ &ClearVerifySize, SHIM_LOCK_GUID);
+ if (!EFI_ERROR(efi_status)) {
+ efi_status = LibDeleteVariable(L"ClearVerify", &SHIM_LOCK_GUID);
+ if (EFI_ERROR(efi_status))
+ console_notify(L"Failed to delete ClearVerify");
+ } else if (EFI_ERROR(efi_status) && efi_status != EFI_NOT_FOUND) {
+ console_error(L"Could not retrieve ClearVerify", efi_status);
+ }
+
enter_mok_menu(image_handle, MokNew, MokNewSize, MokDel, MokDelSize,
MokSB, MokSBSize, MokPW, MokPWSize, MokDB, MokDBSize,
- MokXNew, MokXNewSize, MokXDel, MokXDelSize, MokTML, MokTMLSize);
+ MokXNew, MokXNewSize, MokXDel, MokXDelSize, MokTML, MokTMLSize,
+ ClearVerify, ClearVerifySize);
if (MokNew)
FreePool(MokNew);
@@ -2639,6 +2697,9 @@ static EFI_STATUS check_mok_request(EFI_
if (MokTML)
FreePool(MokTML);
+ if (ClearVerify)
+ FreePool (ClearVerify);
+
LibDeleteVariable(L"MokAuth", &SHIM_LOCK_GUID);
LibDeleteVariable(L"MokDelAuth", &SHIM_LOCK_GUID);
LibDeleteVariable(L"MokXAuth", &SHIM_LOCK_GUID);
Index: shim-15.6~rc1+77144e5a/globals.c
===================================================================
--- shim-15.6~rc1+77144e5a.orig/globals.c
+++ shim-15.6~rc1+77144e5a/globals.c
@@ -25,6 +25,7 @@ UINT8 *build_cert;
*/
verification_method_t verification_method;
int loader_is_participating;
+BOOLEAN use_builtin_cert;
UINT8 user_insecure_mode;
UINT8 ignore_db;
Index: shim-15.6~rc1+77144e5a/shim.h
===================================================================
--- shim-15.6~rc1+77144e5a.orig/shim.h
+++ shim-15.6~rc1+77144e5a/shim.h
@@ -268,6 +268,7 @@ extern UINT8 mok_policy;
extern UINT8 in_protocol;
extern void *load_options;
extern UINT32 load_options_size;
+extern BOOLEAN use_builtin_cert;
BOOLEAN secure_mode (void);

132
shim-fix-aa64-relsz.patch
View File

@ -1,132 +0,0 @@
From 9828f65f3e9de29da7bc70cb71069cc1d7ca1b4a Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Wed, 16 Jun 2021 16:13:32 +0800
Subject: [PATCH] arm/aa64: fix the size of .rela* sections
The previous commit(*) merged .rel* and .dyn* into .rodata, and this
made ld to generate the wrong size for .rela* sections that covered
other unrelated sections. When the EFI image was loaded, _relocate()
went through the unexpected data and may cause unexpected crash.
This commit moves .rel* and .dyn* out of .rodata in the ld script but
also moves the related variables, such as _evrodata, _rodata_size,
and _rodata_vsize, to the end of the new .dyn section, so that the
crafted pe-coff section header for .rodata still covers our new
.rela and .dyn sections.
(*) 212ba30544f ("arm/aa64 targets: put .rel* and .dyn* in .rodata")
Fix issue: https://github.com/rhboot/shim/issues/371
Signed-off-by: Gary Lin <glin@suse.com>
---
Makefile | 4 ++--
elf_aarch64_efi.lds | 24 ++++++++++++++++--------
elf_arm_efi.lds | 24 ++++++++++++++++--------
3 files changed, 34 insertions(+), 18 deletions(-)
Index: shim-15.4/Makefile
===================================================================
--- shim-15.4.orig/Makefile
+++ shim-15.4/Makefile
@@ -243,7 +243,7 @@ ifneq ($(OBJCOPY_GTE224),1)
endif
$(OBJCOPY) -D -j .text -j .sdata -j .data -j .data.ident \
-j .dynamic -j .rodata -j .rel* \
- -j .rela* -j .reloc -j .eh_frame \
+ -j .rela* -j .dyn -j .reloc -j .eh_frame \
-j .vendor_cert -j .sbat \
$(FORMAT) $< $@
# I am tired of wasting my time fighting binutils timestamp code.
@@ -260,7 +260,7 @@ ifneq ($(OBJCOPY_GTE224),1)
endif
$(OBJCOPY) -D -j .text -j .sdata -j .data \
-j .dynamic -j .rodata -j .rel* \
- -j .rela* -j .reloc -j .eh_frame -j .sbat \
+ -j .rela* -j .dyn -j .reloc -j .eh_frame -j .sbat \
-j .debug_info -j .debug_abbrev -j .debug_aranges \
-j .debug_line -j .debug_str -j .debug_ranges \
-j .note.gnu.build-id \
Index: shim-15.4/elf_aarch64_efi.lds
===================================================================
--- shim-15.4.orig/elf_aarch64_efi.lds
+++ shim-15.4/elf_aarch64_efi.lds
@@ -70,21 +70,29 @@ SECTIONS
.rodata :
{
_rodata = .;
- *(.rela.dyn)
- *(.rela.plt)
- *(.rela.got)
- *(.rela.data)
- *(.rela.data*)
-
*(.rodata*)
*(.srodata)
- *(.dynsym)
- *(.dynstr)
. = ALIGN(16);
*(.note.gnu.build-id)
. = ALIGN(4096);
*(.vendor_cert)
*(.data.ident)
+ . = ALIGN(4096);
+ }
+ . = ALIGN(4096);
+ .rela :
+ {
+ *(.rela.dyn)
+ *(.rela.plt)
+ *(.rela.got)
+ *(.rela.data)
+ *(.rela.data*)
+ }
+ . = ALIGN(4096);
+ .dyn :
+ {
+ *(.dynsym)
+ *(.dynstr)
_evrodata = .;
. = ALIGN(4096);
}
Index: shim-15.4/elf_arm_efi.lds
===================================================================
--- shim-15.4.orig/elf_arm_efi.lds
+++ shim-15.4/elf_arm_efi.lds
@@ -70,21 +70,29 @@ SECTIONS
.rodata :
{
_rodata = .;
- *(.rel.dyn)
- *(.rel.plt)
- *(.rel.got)
- *(.rel.data)
- *(.rel.data*)
-
*(.rodata*)
*(.srodata)
- *(.dynsym)
- *(.dynstr)
. = ALIGN(16);
*(.note.gnu.build-id)
. = ALIGN(4096);
*(.vendor_cert)
*(.data.ident)
+ . = ALIGN(4096);
+ }
+ . = ALIGN(4096);
+ .rela :
+ {
+ *(.rela.dyn)
+ *(.rela.plt)
+ *(.rela.got)
+ *(.rela.data)
+ *(.rela.data*)
+ }
+ . = ALIGN(4096);
+ .dyn :
+ {
+ *(.dynsym)
+ *(.dynstr)
_evrodata = .;
. = ALIGN(4096);
}

156
shim.changes
View File

@ -1,3 +1,159 @@
-------------------------------------------------------------------
Tue Jun 28 04:03:45 UTC 2022 - Joey Lee <jlee@suse.com>
- Update to 15.6 (bsc#1198458)
- shim-15.6.tar.bz2 is downloaded from bsc#1198458#c76
which is from upstream grub2.cve_2021_3695.ms keybase channel.
- For building 15.6~rc1 aarch64 image (d6eb9c6 Modernize aarch64), objcopy needs to
support efi-app-aarch64 target. So we need the following patches in bintuils:
- binutils-AArch64-Add-support-for-AArch64-EFI-efi-aarch64.patch
b69c9d41e8 AArch64: Add support for AArch64 EFI (efi-*-aarch64).
- binutils-Re-AArch64-Add-support-for-AArch64-EFI-efi-aarch64.patch
32384aa396 Re: AArch64: Add support for AArch64 EFI (efi-*-aarch64)
- binutils-Re-Add-support-for-AArch64-EFI-efi-aarch64.patch
d91c67e873 Re: Add support for AArch64 EFI (efi-*-aarch64)
- Patches (git log --oneline --reverse 15.5~..77144e5a4)
448f096 MokManager: removed Locate graphic output protocol fail error message (bsc#1193315, bsc#1198458)
a2da05f shim: implement SBAT verification for the shim_lock protocol
bda03b8 post-process-pe: Fix a missing return code check
af18810 CI: don't cancel testing when one fails
ba580f9 CI: remove EOL Fedoras from github actions
bfeb4b3 Remove aarch64 build tests before f35
38cc646 CI: Add f36 and centos9 CI build tests.
b5185cb post-process-pe: Fix format string warnings on 32-bit platforms
31094e5 tests: also look for system headers in multi-arch directories
4df989a mock-variables.c: fix gcc warning
6aac595 test-str.c: fix gcc warnings with FORTIFY_SOURCE enabled
2670c6a Allow MokListTrusted to be enabled by default
5c44aaf Add code of conduct
d6eb9c6 Modernize aarch64
9af50c1 Use ASCII as fallback if Unicode Box Drawing characters fail
de87985 make: don't treat cert.S specially
803dc5c shim: use SHIM_DEVEL_VERBOSE when built in devel mode
6402f1f SBAT matching: Break out of the inner sbat loop if we find the entry.
bb4b60e Add verify_image
acfd48f Abstract out image reading
35d7378 Load additional certs from a signed binary
8ce2832 post-process-pe: there is no 's' argument.
465663e Add some missing PE image flag definitions
226fee2 PE Loader: support and require NX
df96f48 Add MokPolicy variable and MOK_POLICY_REQUIRE_NX
b104fc4 post-process-pe: set EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT
f81a7cc SBAT revocation management
abe41ab make: unbreak scan-build again for gnu-efi
610a1ac sbat.h: minor reformatting for legibility
f28833f peimage.h: make our signature macros force the type
5d789ca Always initialize data/datasize before calling read_image()
a50d364 sbat policy: make our policy change actions symbolic
5868789 load_certs: trust dir->Read() slightly less.
a78673b mok.c: fix a trivial dead assignment
759f061 Fix preserve_sbat_uefi_variable() logic
aa61fdf Give the Coverity scanner some more GCC blinders...
0214cd9 load_cert_file(): don't defererence NULL
1eca363 mok import: handle OOM case
75449bc sbat: Make nth_sbat_field() honor the size limit
c0bcd04 shim-15.6~rc1
77144e5 SBAT Policy latest should be a one-shot
- 15.5 release note https://github.com/rhboot/shim/releases
Broken ia32 relocs and an unimportant submodule change. by @vathpela in #357
mok: allocate MOK config table as BootServicesData by @lcp in #361
Don't call QueryVariableInfo() on EFI 1.10 machines by @vathpela in #364
Relax the check for import_mok_state() by @lcp in #372
SBAT.md: trivial changes by @hallyn in #389
shim: another attempt to fix load options handling by @chrisccoulson in #379
Add tests for our load options parsing. by @vathpela in #390
arm/aa64: fix the size of .rela* sections by @lcp in #383
mok: fix potential buffer overrun in import_mok_state by @jyong2 in #365
mok: relax the maximum variable size check by @lcp in #369
Don't unhook ExitBootServices when EBS protection is disabled by @sforshee in #378
fallback: find_boot_option() needs to return the index for the boot entry in optnum by @jsetje in #396
httpboot: Ignore case when checking HTTP headers by @frozencemetery in #403
Fallback allocation errors by @vathpela in #402
shim: avoid BOOTx64.EFI in message on other architectures by @xypron in #406
str: remove duplicate parameter check by @xypron in #408
fallback: add compile option FALLBACK_NONINTERACTIVE by @xnox in #359
Test mok mirror by @vathpela in #394
Modify sbat.md to help with readability. by @eshiman in #398
csv: detect end of csv file correctly by @xypron in #404
Specify that the .sbat section is ASCII not UTF-8 by @daxtens in #413
tests: add "include-fixed" GCC directory to include directories by @diabonas in #415
pe: simplify generate_hash() by @xypron in #411
Don't make shim abort when TPM log event fails (RHBZ #2002265) by @rmetrich in #414
Fallback to default loader if parsed one does not exist by @julian-klode in #393
fallback: Fix for BootOrder crash when index returned by find_boot_option() is not in current BootOrder list by @rmetrich in #422
Better console checks by @vathpela in #416
docs: update SBAT UEFI variable name by @nicholasbishop in #421
Don't parse load options if invoked from removable media path by @julian-klode in #399
fallback: fix fallback not passing arguments of the first boot option by @martinezjavier in #433
shim: Don't stop forever at "Secure Boot not enabled" notification by @rmetrich in #438
Shim 15.5 coverity by @vathpela in #439
Allocate mokvar table in runtime memory. by @vathpela in #447
Remove post-process-pe on 'make clean' by @vathpela in #448
pe: missing perror argument by @xypron in #443
- Drop upstreamed patch:
- shim-bsc1184454-allocate-mok-config-table-BS.patch
- Allocate MOK config table as BootServicesData to avoid the error message
from linux kernel
- 4068fd42c8 15.5-rc1~70
- shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch
- Handle ignore_db and user_insecure_mode correctly
- 822d07ad4f07 15.5-rc1~73
- shim-bsc1185621-relax-max-var-sz-check.patch
- Relax the maximum variable size check for u-boot
- 3f327f546c219634b2 15.5-rc1~49
- shim-bsc1185261-relax-import_mok_state-check.patch
- Relax the check for import_mok_state() when Secure Boot is off
- 9f973e4e95b113 15.5-rc1~67
- shim-bsc1185232-relax-loadoptions-length-check.patch
- Relax the check for the LoadOptions length
- ada7ff69bd8a95 15.5-rc1~52
- shim-fix-aa64-relsz.patch
- Fix the size of rela* sections for AArch64
- 34e3ef205c5d65 15.5-rc1~51
- shim-bsc1187260-fix-efi-1.10-machines.patch
- Don't call QueryVariableInfo() on EFI 1.10 machines
- 493bd940e5 15.5-rc1~69
- shim-bsc1185232-fix-config-table-copying.patch
- Avoid buffer overflow when copying the MOK config table
- 7501b6bb44 15.5-rc1~50
- shim-bsc1187696-avoid-deleting-rt-variables.patch
- Avoid deleting the mirrored RT variables
- b1fead0f7c9 15.5-rc1~37
- Add "rm -f *.o" after building MokManager/fallback in shim.spec
to make sure all object files gets rebuilt
- reference: https://github.com/rhboot/shim/pull/461
- The following fix-CVE-2022-28737-v6 patches against bsc#1198458 are included
in shim-15.6.tar.bz2
- shim-bsc1198458-pe-Fix-a-buffer-overflow-when-SizeOfRawData-VirtualS.patch
pe: Fix a buffer overflow when SizeOfRawData VirtualSize
- shim-bsc1198458-pe-Perform-image-verification-earlier-when-loading-g.patch
pe: Perform image verification earlier when loading grub
- shim-bsc1198458-Update-advertised-sbat-generation-number-for-shim.patch
Update advertised sbat generation number for shim
- shim-bsc1198458-Update-SBAT-generation-requirements-for-05-24-22.patch
Update SBAT generation requirements for 05/24/22
- shim-bsc1198458-Also-avoid-CVE-2022-28737-in-verify_image.patch
Also avoid CVE-2022-28737 in verify_image()
- 0006-shim-15.6-rc2.patch
- 0007-sbat-add-the-parsed-SBAT-variable-entries-to-the-deb.patch
sbat: add the parsed SBAT variable entries to the debug log
- 0008-bump-version-to-shim-15.6.patch
- Add mokutil command to post script for setting sbat policy to latest mode
when the SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23 is not created.
(bsc#1198458)
- Add shim-bsc1198101-opensuse-cert-prompt.patch back to openSUSE shim to
show the prompt to ask whether the user trusts openSUSE certificate or not
(bsc#1198101)
- Updated vendor dbx binary and script (bsc#1198458)
- Updated dbx-cert.tar.xz and vendor-dbx-sles.bin for adding
SLES-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list.
- Updated dbx-cert.tar.xz and vendor-dbx-opensuse.bin for adding
openSUSE-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list.
- Updated vendor-dbx.bin for adding SLES-UEFI-SIGN-Certificate-2021-05.crt
and openSUSE-UEFI-SIGN-Certificate-2021-05.crt for testing environment.
- Updated generate-vendor-dbx.sh script for generating a vendor-dbx.bin
file which includes all .der for testing environment.
-------------------------------------------------------------------
Thu Jul 1 04:07:03 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>

53
shim.spec
View File

@ -36,7 +36,7 @@
%endif
Name: shim
Version: 15.4
Version: 15.6
Release: 0
Summary: UEFI shim loader
License: BSD-2-Clause
@ -75,26 +75,10 @@ Patch3: shim-bsc1177315-verify-eku-codesign.patch
Patch4: shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch
# PATCH-FIX-SUSE remove_build_id.patch -- Remove the build ID to make the binary reproducible when building with AArch64 container
Patch5: remove_build_id.patch
# PATCH-FIX-UPSTREAM shim-bsc1184454-allocate-mok-config-table-BS.patch bsc#1184454 glin@suse.com -- Allocate MOK config table as BootServicesData to avoid the error message from linux kernel
Patch6: shim-bsc1184454-allocate-mok-config-table-BS.patch
# PATCH-FIX-UPSTREAM shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch bsc#1184454 glin@suse.com -- Handle ignore_db and user_insecure_mode correctly
Patch7: shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch
# PATCH-FIX-UPSTREAM shim-bsc1185621-relax-max-var-sz-check.patch bsc#1185621 glin@suse.com -- Relax the maximum variable size check for u-boot
Patch8: shim-bsc1185621-relax-max-var-sz-check.patch
# PATCH-FIX-UPSTREAM shim-bsc1185261-relax-import_mok_state_check.patch bsc#1185261 glin@suse.com -- Relax the check for import_mok_state() when Secure Boot is off
Patch9: shim-bsc1185261-relax-import_mok_state-check.patch
# PATCH-FIX-UPSTREAM shim-bsc1185232-relax-loadoptions-length-check.patch bsc#1185232 glin@suse.com -- Relax the check for the LoadOptions length
Patch10: shim-bsc1185232-relax-loadoptions-length-check.patch
# PATCH-FIX-UPSTREAM shim-fix-aa64-relsz.patch glin@suse.com -- Fix the size of rela* sections for AArch64
Patch11: shim-fix-aa64-relsz.patch
# PATCH-FIX-SUSE shim-disable-export-vendor-dbx.patch bsc#1185261 glin@suse.com -- Disable exporting vendor-dbx to MokListXRT
Patch12: shim-disable-export-vendor-dbx.patch
# PATCH-FIX-UPSTREAM shim-bsc1187260-fix-efi-1.10-machines.patch bsc#1187260 glin@suse.com -- Don't call QueryVariableInfo() on EFI 1.10 machines
Patch13: shim-bsc1187260-fix-efi-1.10-machines.patch
# PATCH-FIX-UPSTREAM shim-bsc1185232-fix-config-table-copying.patch bsc#1185232 glin@suse.com -- Avoid buffer overflow when copying the MOK config table
Patch14: shim-bsc1185232-fix-config-table-copying.patch
# PATCH-FIX-UPSTREAM shim-bsc1187696-avoid-deleting-rt-variables.patch bsc#1187696 glin@suse.com -- Avoid deleting the mirrored RT variables
Patch15: shim-bsc1187696-avoid-deleting-rt-variables.patch
Patch6: shim-disable-export-vendor-dbx.patch
# PATCH-FIX-OPENSUSE shim-bsc1198101-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
Patch100: shim-bsc1198101-opensuse-cert-prompt.patch
BuildRequires: dos2unix
BuildRequires: mozilla-nss-tools
BuildRequires: openssl >= 0.9.8
@ -111,6 +95,7 @@ Requires: perl-Bootloader
BuildRoot: %{_tmppath}/%{name}-%{version}-build
# For shim-install script
Requires: grub2-%{grubplatform}
Requires: mokutil
ExclusiveArch: x86_64 aarch64
%description
@ -139,15 +124,7 @@ The source code of UEFI shim loader
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch100 -p1
%build
# generate the vendor SBAT metadata
@ -168,6 +145,8 @@ make RELEASE=0 \
MMSTEM=MokManager FBSTEM=fallback \
MokManager.efi.debug fallback.efi.debug \
MokManager.efi fallback.efi
# make sure all object files gets rebuilt
rm -f *.o
# now build variants of shim that embed different certificates
default=''
@ -318,6 +297,22 @@ cp -r source/* %{buildroot}/usr/src/debug/%{name}-%{version}
/sbin/update-bootloader --reinit || true
%endif
# copy from kernel-scriptlets/cert-script
is_efi () {
local msg rc=0
# The below statement fails if mokutil isn't installed or UEFI is unsupported.
# It doesn't fail if UEFI is available but secure boot is off.
msg="$(mokutil --sb-state 2>&1)" || rc=$?
return $rc
}
# run mokutil for setting sbat policy to latest mode
SBAT_POLICY=/sys/firmware/efi/efivars/SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23
if is_efi; then
if [ ! -f "$SBAT_POLICY" ]; then
mokutil --set-sbat-policy latest
fi
fi
%if %{defined update_bootloader_posttrans}
%posttrans
%{?update_bootloader_posttrans}