Accepting request 891231 from devel:openSUSE:Factory

- shim-install: always assume "removable" for Azure to avoid the endless reset loop (bsc#1185464) - relax the maximum variable size check for u-boot (bsc#1185621) - handle ignore_db and user_insecure_mode correctly (bsc#1185441) OBS-URL: https://build.opensuse.org/request/show/891231 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shim?expand=0&rev=95
2021-05-08 20:07:23 +00:00 · 2021-05-08 20:07:23 +00:00 · 9d260d7357
commit 9d260d7357
parent 191992cbed d24e6a73df
5 changed files with 149 additions and 0 deletions
--- a/shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch
+++ b/shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch
@ -0,0 +1,41 @@
+From 822d07ad4f07ef66fe447a130e1027c88d02a394 Mon Sep 17 00:00:00 2001
+From: Adam Williamson <awilliam@redhat.com>
+Date: Thu, 8 Apr 2021 22:39:02 -0700
+Subject: [PATCH] Fix handling of ignore_db and user_insecure_mode
+
+In 65be350308783a8ef537246c8ad0545b4e6ad069, import_mok_state() is split
+up into a function that manages the whole mok state, and one that
+handles the state machine for an individual state variable.
+Unfortunately, the code that initializes the global ignore_db and
+user_insecure_mode was copied from import_mok_state() into the new
+import_one_mok_state() function, and thus re-initializes that state each
+time it processes a MoK state variable, before even assessing if that
+variable is set.  As a result, we never honor either flag, and the
+machine owner cannot disable trusting the system firmware's db/dbx
+databases or disable validation altogether.
+
+This patch removes the extra re-initialization, allowing those variables
+to be set properly.
+
+Signed-off-by: Adam Williamson <awilliam@redhat.com>
+---
+ mok.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index 5ad9072b..9e37d6ab 100644
+--- a/mok.c
+++ b/mok.c
+@@ -888,9 +888,6 @@ EFI_STATUS import_one_mok_state(struct mok_state_variable *v,
+ 	EFI_STATUS ret = EFI_SUCCESS;
+ 	EFI_STATUS efi_status;
+ 
+-	user_insecure_mode = 0;
+-	ignore_db = 0;
+-
+ 	UINT32 attrs = 0;
+ 	BOOLEAN delete = FALSE;
+ 
+-- 
+2.31.1
+
--- a/shim-bsc1185621-relax-max-var-sz-check.patch
+++ b/shim-bsc1185621-relax-max-var-sz-check.patch
@ -0,0 +1,38 @@
+commit 690ec2419a8c2c4246450e447629adc85f9a6f40
+Author: Gary Lin <glin@suse.com>
+Date:   Wed May 5 11:25:07 2021 +0800
+
+    mok: relax the maximum variable size check
+    
+    Some UEFI environment such as u-boot doesn't implement
+    QueryVariableInfo(), so we couldn't rely on the function to estimate the
+    available space for RT variables. All we can do is to call SetVariable()
+    directly and check the return value of SetVariable().
+    
+    Signed-off-by: Gary Lin <glin@suse.com>
+
+diff --git a/mok.c b/mok.c
+index 5ad9072b..1f9820e7 100644
+--- a/mok.c
+++ b/mok.c
+@@ -351,13 +351,18 @@ mirror_mok_db(CHAR16 *name, CHAR8 *name8, EFI_GUID *guid, UINT32 attrs,
+ 	SIZE_T max_var_sz;
+ 
+ 	efi_status = get_max_var_sz(attrs, &max_var_sz);
+-	if (EFI_ERROR(efi_status)) {
+	if (EFI_ERROR(efi_status) && efi_status != EFI_UNSUPPORTED) {
+ 		LogError(L"Could not get maximum variable size: %r",
+ 			 efi_status);
+ 		return efi_status;
+ 	}
+ 
+-	if (FullDataSize <= max_var_sz) {
+	/* Some UEFI environment such as u-boot doesn't implement
+	 * QueryVariableInfo() and we will only get EFI_UNSUPPORTED when
+	 * querying the available space. In this case, we just mirror
+	 * the variable directly. */
+	if (FullDataSize <= max_var_sz || efi_status == EFI_UNSUPPORTED) {
+		efi_status = EFI_SUCCESS;
+ 		if (only_first)
+ 			efi_status = SetVariable(name, guid, attrs,
+ 						 FullDataSize, FullData);
--- a/45
+++ b/45
@ -77,6 +77,42 @@ case "$bootloader_id" in
    *) ca_string="";;
 esac

+is_azure () {
+    local bios_vendor;
+    local product_name;
+    local sys_vendor;
+
+    local sysfs_dmi_id="/sys/class/dmi/id"
+
+    if test -e "${sysfs_dmi_id}/bios_vendor"; then
+        bios_vendor=$(cat "${sysfs_dmi_id}/bios_vendor")
+    fi
+    if test -e "${sysfs_dmi_id}/product_name"; then
+        product_name=$(cat "${sysfs_dmi_id}/product_name")
+    fi
+    if test -e "${sysfs_dmi_id}/sys_vendor"; then
+        sys_vendor=$(cat "${sysfs_dmi_id}/sys_vendor")
+    fi
+
+    if test "x${bios_vendor}" != "xMicrosoft Corporation"; then
+	# return false
+        return 1
+    fi
+
+    if test "x${product_name}" != "xVirtual Machine"; then
+	# return false
+        return 1
+    fi
+
+    if test "x${sys_vendor}" != "xMicrosoft Corporation"; then
+	# return false
+        return 1
+    fi
+
+    # return true
+    return 0
+}
+
 usage () {
    echo "Usage: $self [OPTION] [INSTALL_DEVICE]"
    echo
@ -185,6 +221,15 @@ do
    esac
 done

+# bsc#1185464
+# The Azure firmware doesn't respect the boot option created by either
+# efibootmgr or fallback.efi so we have to skip the installation of
+# fallback.efi to avoid the endless reset loop.
+if is_azure; then
+    no_nvram=yes
+    removable=yes
+fi
+
 if test -n "$efidir"; then
    efi_fs=`"$grub_probe" --target=fs "${efidir}"`
    if test "x$efi_fs" = xfat; then :; else
--- a/shim.changes
+++ b/shim.changes
@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Fri May  7 08:33:49 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
+
+- shim-install: always assume "removable" for Azure to avoid the
+  endless reset loop (bsc#1185464)
+
+-------------------------------------------------------------------
+Thu May  6 03:18:32 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Add shim-bsc1185621-relax-max-var-sz-check.patch to relax the
+  maximum variable size check for u-boot (bsc#1185621)
+
+-------------------------------------------------------------------
+Mon May  3 03:46:27 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Add shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch
+  to handle ignore_db and user_insecure_mode correctly
+  (bsc#1185441)
+
 -------------------------------------------------------------------
 Wed Apr 28 09:28:30 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>

--- a/shim.spec
+++ b/shim.spec
@ -77,6 +77,10 @@ Patch4:         shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch
 Patch5:         remove_build_id.patch
 # PATCH-FIX-UPSTREAM shim-bsc1184454-allocate-mok-config-table-BS.patch bsc#1184454 glin@suse.com -- Allocate MOK config table as BootServicesData to avoid the error message from linux kernel
 Patch6:         shim-bsc1184454-allocate-mok-config-table-BS.patch
+# PATCH-FIX-UPSTREAM shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch bsc#1184454 glin@suse.com -- Handle ignore_db and user_insecure_mode correctly
+Patch7:         shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch
+# PATCH-FIX-UPSTREAM shim-bsc1185621-relax-max-var-sz-check.patch bsc#1185621 glin@suse.com -- Relax the maximum variable size check for u-boot
+Patch8:         shim-bsc1185621-relax-max-var-sz-check.patch
 BuildRequires:  dos2unix
 BuildRequires:  mozilla-nss-tools
 BuildRequires:  openssl >= 0.9.8
@ -121,6 +125,8 @@ The source code of UEFI shim loader
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
+%patch8 -p1

 %build
 # generate the vendor SBAT metadata