Accepting request 660489 from devel:openSUSE:Factory

- Update to 15+git47 (bsc#1120026, FATE#325971)

OBS-URL: https://build.opensuse.org/request/show/660489
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shim?expand=0&rev=71
Dominique Leuenberger 2018-12-26 23:22:16 +00:00 committed by Git OBS Bridge
commit a844fc1dc8
16 changed files with 560 additions and 961 deletions


@ -1,37 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIGdDCCBFygAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgTEgMB4GA1UEAwwXb3Bl
blNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJl
bWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEW
EmJ1aWxkQG9wZW5zdXNlLm9yZzAeFw0xMzAxMjgxNDUzMzBaFw0zNDEyMjQxNDUz
MzBaMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UE
BhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJv
amVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMIICIjANBgkq
hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuqmSgrdlO0B96sOK5mJj1k4OetzmP6l8
YKdy+HdzN/3bS97vfqIIqb0YCgzmJROSLsXv6WQReuAtKbftgla6R/dOvKU/CxCN
z0uCbzuM+gN5Q7pSWifnm81QNDowFpxZlJBFvIP92zh5yWNEGqVzMN0jDjOFxLfh
O1sx6W8YBOYzScWrlTKysH6uK79gWenwvh3nmkx+68PV08azmizG6As4IAPDqtd/
w92iLTzjLVGp32wFDhLuDleojjvJgnOGngKa8oRcLlvfh07wKO0urjt8/3HKxcUf
RmbSyaLdfP8lOt/mFPpfN4kev9wjqdbIhLIZs6iKbu+hR40QfAR46V8vnPoeIYeM
ibsl1mvr0U7O6w7kTQuzW7JmJkCYf7n4HoPBgxTzgjKlsBGY0I+dTvZXozsKuTKx
ir/w6WWcdkIWoXJh00Nb9eWqFQr0exG0hwa1o0ESXjv7aJHwg39B6m8MZVppdpmg
i0G8pOKtHQZ6OR87YeSUHJ400ocIfYMOAybuB/5rHfC58BvCcjaZwHKTkHlyx28i
EXgFyzGMqbWlgmI5RJ8UzaM6rTaieIRSsyGbYrDa89BFMhGmY8xMIeeT8191bLbH
CpX7CMW9npoEqslHL67FMI3LXC5fgYKoPwUnj/TlT0gkjVobEXmXZB6sCDQ6BFTg
4dpPIFEjnxsCAwEAAaOB9DCB8TAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSZ
DSa38E3ZzmTn0Y79aHtKXeKGpTCBrgYDVR0jBIGmMIGjgBSZDSa38E3ZzmTn0Y79
aHtKXeKGpaGBh6SBhDCBgTEgMB4GA1UEAwwXb3BlblNVU0UgU2VjdXJlIEJvb3Qg
Q0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoMEG9w
ZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNlLm9y
Z4IBATAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAFsmHlxiAGKu
Qyx1qb6l7bEWgXAePQfVaaCEH4Mn+oq80kJ67S7s6We8e5QJOgYznk5mDk+PTUC/
phkP3aJRqZAf5UDrQkOHobpk7FFBxZKjZfULPls3H9+Hichw/XJ2/xJwG+Ja6pgD
dNO2UaKOjZHCiyZ4ehO7syle/EgQALVwKH4cVq6zIh4xUH4r9WvfdR5vkhhTgM/0
nzzoBnFRnCUpcsLPj10246wVuLQcliZBeKjiV4xqrMe6cXX8crHvZqqJPZ2jMTGD
eVIpVES12ZpMT7SbQbcDR1XgjqrL3U9vfcabdqLU60000ALvnDFNN0Sm7xhB+d3c
sDIyJMwSfIb9jWApsB/En5uRCM++ruqjyFiqTCORo9gzaocw6gut6WYs2TOrZ2NO
Tq4JNAFfCL/z0p8jdz1dJZmqpgFAlltKNNDWV6KlBPUAdxDEbIiuGoYweB+Zxed3
BKdlrKGcH0ewPmzt4vVLCl2yFoODxjVtndXieDt/BWIYltMjqYU1qrrOdISHdeAG
A24L/uxiU4Ej2bKKWNYtvrGMNLMUWBTx5afHMQnK9MD8Z6cpjccNaR0Pe9ZCBRGI
xyUitlfnU604q1GfYdymiq4mUvSEgy3vbbsVBvcAKElN+hWpAeZbiWc/KcBWKMtp
4aQ0yoLWDFkQNGU0rGazsu3hpOWta6mL
-----END CERTIFICATE-----


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:11584881af2cb990a5a782747558ebd3a182b766f2747bd0c0955cbf4786285e
size 1023267

3
shim-15+git47.tar.bz2 Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:4e5d2d07df89384185dbbbe5b0cb4402829c858f615a1400d2264e3ecf78abc6
size 1002928


@ -0,0 +1,62 @@
From e6ce8788f4a622da1ba5421a5eb11df163a56727 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Wed, 21 Nov 2018 12:47:43 +0800
Subject: [PATCH] MOK: Fix the missing vendor cert in MokListRT
When there is no key in MokList, import_mok_state() just skipped MokList
even though it should always mirror the vendor cert.
https://github.com/rhboot/shim/issues/154
Signed-off-by: Gary Lin <glin@suse.com>
---
mok.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/mok.c b/mok.c
index 3867521..0bcab32 100644
--- a/mok.c
+++ b/mok.c
@@ -223,11 +223,18 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
UINT32 attrs = 0;
BOOLEAN delete = FALSE, present, addend;
+ addend = (v->addend_source && v->addend_size &&
+ *v->addend_source && *v->addend_size)
+ ? TRUE : FALSE;
+
efi_status = get_variable_attr(v->name,
&v->data, &v->data_size,
*v->guid, &attrs);
- if (efi_status == EFI_NOT_FOUND)
+ if (efi_status == EFI_NOT_FOUND) {
+ if (addend)
+ goto mirror_addend;
continue;
+ }
if (EFI_ERROR(efi_status)) {
perror(L"Could not verify %s: %r\n", v->name,
efi_status);
@@ -272,9 +279,6 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
}
present = (v->data && v->data_size) ? TRUE : FALSE;
- addend = (v->addend_source && v->addend_size &&
- *v->addend_source && *v->addend_size)
- ? TRUE : FALSE;
if (v->flags & MOK_VARIABLE_MEASURE && present) {
/*
@@ -304,7 +308,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
}
}
- if (v->rtname && present && addend) {
+mirror_addend:
+ if (v->rtname && (present || addend)) {
if (v->flags & MOK_MIRROR_DELETE_FIRST)
LibDeleteVariable(v->rtname, v->guid);
--
2.19.2
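Review bot: `present` is read uninitialised at the new `mirror_addend:` label when the `EFI_NOT_FOUND` branch jumps there, because the `goto` skips the later `present = (v->data && v->data_size) ? TRUE : FALSE;` assignment and the declaration `BOOLEAN delete = FALSE, present, addend;` gives it no initial value. The condition `(present || addend)` still evaluates true on that path since `addend` is TRUE, but the read is indeterminate and a compiler may warn about it; declaring `present = FALSE` would fix it. A comment at the label such as `/* reached with no MOK variable present: mirror only the vendor cert addend */` would also make the skipped attribute and measurement steps an explicit decision. The body of import_mok_state() extends beyond the hunks shown, so whether the mirroring code tolerates the `v->data` / `v->data_size` state left by the failed get_variable_attr() call should be confirmed there.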


@ -1,4 +1,4 @@
From ffd90c3957fe8621e660d663b38b2eef8559c84a Mon Sep 17 00:00:00 2001
From b0fc750ab3af4883a7124229398a758837a4e7ce Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Tue, 22 Aug 2017 12:43:36 +0800
Subject: [PATCH] Make the names of EFI binaries arch-independent
@ -11,46 +11,51 @@ the script with the same names.
Signed-off-by: Gary Lin <glin@suse.com>
---
fallback.c | 2 +-
shim.c | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
shim.c | 2 +-
shim.h | 4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/fallback.c b/fallback.c
index 46894af..886e052 100644
index c3f5583..01f2ae4 100644
--- a/fallback.c
+++ b/fallback.c
@@ -977,7 +977,7 @@ debug_hook(void)
@@ -999,7 +999,7 @@ debug_hook(void)
x = 1;
Print(L"add-symbol-file "DEBUGDIR
- L"fb" EFI_ARCH L".efi.debug %p -s .data %p\n", &_etext,
+ L"fallback.efi.debug %p -s .data %p\n", &_etext,
&_edata);
console_print(L"add-symbol-file "DEBUGDIR
- L"fb" EFI_ARCH L".efi.debug %p -s .data %p\n",
+ L"fallback.efi.debug %p -s .data %p\n",
&_etext, &_edata);
}
diff --git a/shim.c b/shim.c
index aec9f8f..7b34868 100644
index fcc11eb..248c946 100644
--- a/shim.c
+++ b/shim.c
@@ -50,8 +50,8 @@
@@ -2554,7 +2554,7 @@ debug_hook(void)
FreePool(data);
#include <Library/BaseCryptLib.h>
console_print(L"add-symbol-file "DEBUGDIR
- L"shim" EFI_ARCH L".efi.debug 0x%08x -s .data 0x%08x\n",
+ L"shim.efi.debug 0x%08x -s .data 0x%08x\n",
&_text, &_data);
console_print(L"Pausing for debugger attachment.\n");
diff --git a/shim.h b/shim.h
index 2b359d8..d9c60f5 100644
--- a/shim.h
+++ b/shim.h
@@ -92,8 +92,8 @@
#endif
#endif
-#define FALLBACK L"\\fb" EFI_ARCH L".efi"
-#define MOK_MANAGER L"\\mm" EFI_ARCH L".efi"
+#define FALLBACK L"\\fallback.efi"
+#define MOK_MANAGER L"\\MokManager.efi"
#define OID_EKU_MODSIGN "1.3.6.1.4.1.2312.16.1.2"
@@ -2852,7 +2852,7 @@ debug_hook(void)
}
Print(L"add-symbol-file "DEBUGDIR
- L"shim" EFI_ARCH L".efi.debug 0x%08x -s .data 0x%08x\n", &_text,
+ L"shim.efi.debug 0x%08x -s .data 0x%08x\n", &_text,
&_data);
Print(L"Pausing for debugger attachment.\n");
#include "include/configtable.h"
#include "include/console.h"
--
2.15.1
2.19.2


@ -1,219 +0,0 @@
From c232e8577b0608664fd4ce7a6b24b8ed7d2fc7a4 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 27 Sep 2017 14:17:20 -0400
Subject: [PATCH] MokManager: handle mok parameter allocations better.
Covscan daftly claims:
288. var_compare_op: Comparing MokSB to null implies that MokSB might be null.
2330 if (MokSB) {
2331 menu_strings[i] = L"Change Secure Boot state";
2332 menu_item[i] = MOK_CHANGE_SB;
2333 i++;
2334 }
2335
...
2358 choice = console_select(perform_mok_mgmt, menu_strings, 0);
2359 if (choice < 0)
2360 goto out;
...
2362 switch (menu_item[choice]) {
...
2395 case MOK_CHANGE_SB:
CID 182841 (#1 of 1): Dereference after null check
(FORWARD_NULL)293. var_deref_model: Passing null pointer MokSB to
mok_sb_prompt, which dereferences it. [show details]
2396 efi_status = mok_sb_prompt(MokSB, MokSBSize);
Which is, of course, entirely false, beause for menu_item[choice] to be
MOK_CHANGE_SB, MokSB must be !NULL. And then:
252. Condition efi_status == 0, taking true branch.
2397 if (efi_status == EFI_SUCCESS)
2398 MokSB = NULL;
This guarantees it won't be in the list the next time through the loop.
This adds tests for NULLness before mok_sb_prompt(), just to make it
more clear to covscan what's going on.
Also do the same thing for all of:
MOK_CHANGE_SB
MOK_SET_PW
MOK_CHANGE_DB
MOK_ENROLL_MOKX
MOK_DELETE_MOKX
I also Lindent-ed everything I had to touch.
Three other minor errors are also fixed:
1) the loop in enter_mok_menu() leaked the menu allocations each time
through the loop
2) mok_sb_prompt(), mok_pw_prompt(), and mok_db_prompt() all call
FreePool() on their respective variables (MokSB, etc), and
check_mok_request() also calls FreePool() on these. This sounds
horrible, but it turns out it's not an issue, because they only free
them in their EFI_SUCCESS paths, and enter_mok_menu() resets the
system if any of the mok_XX_prompt() calls actually returned
EFI_SUCCESS, so we never get back to check_mok_request() for it to do
its FreePool() calls.
3) the loop in enter_mok_menu() winds up introducing a double free in
the call to free_menu(), but we also can't hit this bug, because all
the exit paths from the loop are "goto out" (or return error) rather
than actually exiting on the loop conditional.
Signed-off-by: Peter Jones <pjones@redhat.com>
(cherry picked from commit a32651360552559ee6a8978b5bcdc6e7dcc72b8c)
Gary Lin: Fixed the conflict against shim 14.
---
MokManager.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++--------------
1 file changed, 46 insertions(+), 14 deletions(-)
diff --git a/MokManager.c b/MokManager.c
index 55af321..42bf72d 100644
--- a/MokManager.c
+++ b/MokManager.c
@@ -1060,9 +1060,6 @@ static EFI_STATUS mok_enrollment_prompt (void *MokNew, UINTN MokNewSize, int aut
}
}
- if (MokNew)
- FreePool (MokNew);
-
return EFI_SUCCESS;
}
@@ -1609,9 +1606,6 @@ static EFI_STATUS mok_sb_prompt (void *MokSB, UINTN MokSBSize) {
}
}
- if (MokSB)
- FreePool(MokSB);
-
return EFI_SUCCESS;
}
@@ -1729,9 +1723,6 @@ static EFI_STATUS mok_db_prompt (void *MokDB, UINTN MokDBSize) {
}
}
- if (MokDB)
- FreePool(MokDB);
-
return EFI_SUCCESS;
}
@@ -1800,9 +1791,6 @@ static EFI_STATUS mok_pw_prompt (void *MokPW, UINTN MokPWSize) {
mokpw_done:
LibDeleteVariable(L"MokPW", &shim_lock_guid);
- if (MokPW)
- FreePool(MokPW);
-
return EFI_SUCCESS;
}
@@ -2184,8 +2172,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
void *MokXNew, UINTN MokXNewSize,
void *MokXDel, UINTN MokXDelSize)
{
- CHAR16 **menu_strings;
- mok_menu_item *menu_item;
+ CHAR16 **menu_strings = NULL;
+ mok_menu_item *menu_item = NULL;
int choice = 0;
int mok_changed = 0;
EFI_STATUS efi_status;
@@ -2357,11 +2345,23 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
efi_status = mok_reset_prompt(FALSE);
break;
case MOK_ENROLL_MOK:
+ if (!MokNew) {
+ Print(L"MokManager: internal error: %s",
+ L"MokNew was !NULL but is now NULL\n");
+ ret = EFI_ABORTED;
+ goto out;
+ }
efi_status = mok_enrollment_prompt(MokNew, MokNewSize, TRUE, FALSE);
if (efi_status == EFI_SUCCESS)
MokNew = NULL;
break;
case MOK_DELETE_MOK:
+ if (!MokDel) {
+ Print(L"MokManager: internal error: %s",
+ L"MokDel was !NULL but is now NULL\n");
+ ret = EFI_ABORTED;
+ goto out;
+ }
efi_status = mok_deletion_prompt(MokDel, MokDelSize, FALSE);
if (efi_status == EFI_SUCCESS)
MokDel = NULL;
@@ -2370,26 +2370,56 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
efi_status = mok_reset_prompt(TRUE);
break;
case MOK_ENROLL_MOKX:
+ if (!MokXNew) {
+ Print(L"MokManager: internal error: %s",
+ L"MokXNew was !NULL but is now NULL\n");
+ ret = EFI_ABORTED;
+ goto out;
+ }
efi_status = mok_enrollment_prompt(MokXNew, MokXNewSize, TRUE, TRUE);
if (efi_status == EFI_SUCCESS)
MokXNew = NULL;
break;
case MOK_DELETE_MOKX:
+ if (!MokXDel) {
+ Print(L"MokManager: internal error: %s",
+ L"MokXDel was !NULL but is now NULL\n");
+ ret = EFI_ABORTED;
+ goto out;
+ }
efi_status = mok_deletion_prompt(MokXDel, MokXDelSize, TRUE);
if (efi_status == EFI_SUCCESS)
MokXDel = NULL;
break;
case MOK_CHANGE_SB:
+ if (!MokSB) {
+ Print(L"MokManager: internal error: %s",
+ L"MokSB was !NULL but is now NULL\n");
+ ret = EFI_ABORTED;
+ goto out;
+ }
efi_status = mok_sb_prompt(MokSB, MokSBSize);
if (efi_status == EFI_SUCCESS)
MokSB = NULL;
break;
case MOK_SET_PW:
+ if (!MokPW) {
+ Print(L"MokManager: internal error: %s",
+ L"MokPW was !NULL but is now NULL\n");
+ ret = EFI_ABORTED;
+ goto out;
+ }
efi_status = mok_pw_prompt(MokPW, MokPWSize);
if (efi_status == EFI_SUCCESS)
MokPW = NULL;
break;
case MOK_CHANGE_DB:
+ if (!MokDB) {
+ Print(L"MokManager: internal error: %s",
+ L"MokDB was !NULL but is now NULL\n");
+ ret = EFI_ABORTED;
+ goto out;
+ }
efi_status = mok_db_prompt(MokDB, MokDBSize);
if (efi_status == EFI_SUCCESS)
MokDB = NULL;
@@ -2406,6 +2436,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
mok_changed = 1;
free_menu(menu_item, menu_strings);
+ menu_item = NULL;
+ menu_strings = NULL;
}
out:
--
2.16.2


@ -1,7 +1,234 @@
From 22269728415432718e7757842086785d7daf0cc3 Mon Sep 17 00:00:00 2001
From 407763d37cae353609b3f3ef78ff127745860357 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Mon, 28 May 2018 10:57:06 +0800
Subject: [PATCH] fallback: show a countdown menu before reset
Date: Wed, 23 May 2018 16:58:31 +0800
Subject: [PATCH 1/2] console: Move the countdown function to console.c
Move the countdown function from MokManager to console.c to make the
function public
Also make console_save_and_set_mode() and console_restore_mode() public
Signed-off-by: Gary Lin <glin@suse.com>
---
MokManager.c | 71 ++++---------------------------------------
include/console.h | 6 ++++
lib/console.c | 76 +++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 88 insertions(+), 65 deletions(-)
diff --git a/MokManager.c b/MokManager.c
index 2e55c50..1ab8e5e 100644
--- a/MokManager.c
+++ b/MokManager.c
@@ -733,30 +733,6 @@ done:
return efi_status;
}
-static void console_save_and_set_mode(SIMPLE_TEXT_OUTPUT_MODE * SavedMode)
-{
- SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut;
-
- if (!SavedMode) {
- console_print(L"Invalid parameter: SavedMode\n");
- return;
- }
-
- CopyMem(SavedMode, co->Mode, sizeof(SIMPLE_TEXT_OUTPUT_MODE));
- co->EnableCursor(co, FALSE);
- co->SetAttribute(co, EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE);
-}
-
-static void console_restore_mode(SIMPLE_TEXT_OUTPUT_MODE * SavedMode)
-{
- SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut;
-
- co->EnableCursor(co, SavedMode->CursorVisible);
- co->SetCursorPosition(co, SavedMode->CursorColumn,
- SavedMode->CursorRow);
- co->SetAttribute(co, SavedMode->Attribute);
-}
-
static INTN reset_system()
{
gRT->ResetSystem(EfiResetWarm, EFI_SUCCESS, 0, NULL);
@@ -2032,18 +2008,13 @@ static BOOLEAN verify_pw(BOOLEAN * protected)
static int draw_countdown()
{
- SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut;
- SIMPLE_INPUT_INTERFACE *ci = ST->ConIn;
- SIMPLE_TEXT_OUTPUT_MODE SavedMode;
- EFI_INPUT_KEY key;
- EFI_STATUS efi_status;
- UINTN cols, rows;
- CHAR16 *title[2];
CHAR16 *message = L"Press any key to perform MOK management";
+ CHAR16 *title;
+ EFI_STATUS efi_status;
void *MokTimeout = NULL;
MokTimeoutvar *var;
UINTN MokTimeoutSize = 0;
- int timeout, wait = 10000000;
+ int timeout;
efi_status = get_variable(L"MokTimeout", (UINT8 **) &MokTimeout,
&MokTimeoutSize, SHIM_LOCK_GUID);
@@ -2059,41 +2030,11 @@ static int draw_countdown()
if (timeout < 0)
return timeout;
- console_save_and_set_mode(&SavedMode);
-
- title[0] = PoolPrint(L"%s UEFI key management", SHIM_VENDOR);
- title[1] = NULL;
-
- console_print_box_at(title, -1, 0, 0, -1, -1, 1, 1);
-
- co->QueryMode(co, co->Mode->Mode, &cols, &rows);
-
- console_print_at((cols - StrLen(message)) / 2, rows / 2, message);
- while (1) {
- if (timeout > 1)
- console_print_at(2, rows - 3,
- L"Booting in %d seconds ",
- timeout);
- else if (timeout)
- console_print_at(2, rows - 3,
- L"Booting in %d second ",
- timeout);
+ title = PoolPrint(L"%s UEFI key management", SHIM_VENDOR);
- efi_status = WaitForSingleEvent(ci->WaitForKey, wait);
- if (efi_status != EFI_TIMEOUT) {
- /* Clear the key in the queue */
- ci->ReadKeyStroke(ci, &key);
- break;
- }
+ timeout = console_countdown(title, message, timeout);
- timeout--;
- if (!timeout)
- break;
- }
-
- FreePool(title[0]);
-
- console_restore_mode(&SavedMode);
+ FreePool(title);
return timeout;
}
diff --git a/include/console.h b/include/console.h
index deb4fa3..bd75eb5 100644
--- a/include/console.h
+++ b/include/console.h
@@ -33,6 +33,12 @@ console_alertbox(CHAR16 **title);
void
console_notify(CHAR16 *string);
void
+console_save_and_set_mode(SIMPLE_TEXT_OUTPUT_MODE * SavedMode);
+void
+console_restore_mode(SIMPLE_TEXT_OUTPUT_MODE * SavedMode);
+int
+console_countdown(CHAR16* title, const CHAR16* message, int timeout);
+void
console_reset(void);
#define NOSEL 0x7fffffff
diff --git a/lib/console.c b/lib/console.c
index 3aee41c..2d421af 100644
--- a/lib/console.c
+++ b/lib/console.c
@@ -409,6 +409,82 @@ console_notify(CHAR16 *string)
console_alertbox(str_arr);
}
+void
+console_save_and_set_mode(SIMPLE_TEXT_OUTPUT_MODE * SavedMode)
+{
+ SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut;
+
+ if (!SavedMode) {
+ console_print(L"Invalid parameter: SavedMode\n");
+ return;
+ }
+
+ CopyMem(SavedMode, co->Mode, sizeof(SIMPLE_TEXT_OUTPUT_MODE));
+ co->EnableCursor(co, FALSE);
+ co->SetAttribute(co, EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE);
+}
+
+void
+console_restore_mode(SIMPLE_TEXT_OUTPUT_MODE * SavedMode)
+{
+ SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut;
+
+ co->EnableCursor(co, SavedMode->CursorVisible);
+ co->SetCursorPosition(co, SavedMode->CursorColumn,
+ SavedMode->CursorRow);
+ co->SetAttribute(co, SavedMode->Attribute);
+}
+
+int
+console_countdown(CHAR16* title, const CHAR16* message,
+ int timeout)
+{
+ SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut;
+ SIMPLE_INPUT_INTERFACE *ci = ST->ConIn;
+ SIMPLE_TEXT_OUTPUT_MODE SavedMode;
+ EFI_INPUT_KEY key;
+ EFI_STATUS efi_status;
+ UINTN cols, rows;
+ CHAR16 *titles[2];
+ int wait = 10000000;
+
+ console_save_and_set_mode(&SavedMode);
+
+ titles[0] = title;
+ titles[1] = NULL;
+
+ console_print_box_at(titles, -1, 0, 0, -1, -1, 1, 1);
+
+ co->QueryMode(co, co->Mode->Mode, &cols, &rows);
+
+ console_print_at((cols - StrLen(message)) / 2, rows / 2, message);
+ while (1) {
+ if (timeout > 1)
+ console_print_at(2, rows - 3,
+ L"Booting in %d seconds ",
+ timeout);
+ else if (timeout)
+ console_print_at(2, rows - 3,
+ L"Booting in %d second ",
+ timeout);
+
+ efi_status = WaitForSingleEvent(ci->WaitForKey, wait);
+ if (efi_status != EFI_TIMEOUT) {
+ /* Clear the key in the queue */
+ ci->ReadKeyStroke(ci, &key);
+ break;
+ }
+
+ timeout--;
+ if (!timeout)
+ break;
+ }
+
+ console_restore_mode(&SavedMode);
+
+ return timeout;
+}
+
#define ARRAY_SIZE(a) (sizeof (a) / sizeof ((a)[0]))
/* Copy of gnu-efi-3.0 with the added secure boot strings */
--
2.19.2
From 9544a6dc75343059184d9dfb0cfdc4eda880afd0 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Wed, 23 May 2018 18:13:05 +0800
Subject: [PATCH 2/2] fallback: show a countdown menu before reset
Some machines with the faulty firmware may keep booting the default boot
path instead of the boot option we create. To avoid the infinite reset
@ -13,42 +240,38 @@ option afterward without asking. The user can revert the behavior by
removing the variable.
https://github.com/rhboot/shim/issues/128
https://bugzilla.opensuse.org/show_bug.cgi?id=1092000
Signed-off-by: Gary Lin <glin@suse.com>
---
fallback.c | 144 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 144 insertions(+)
fallback.c | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 81 insertions(+)
diff --git a/fallback.c b/fallback.c
index 886e052..1f3eb78 100644
index 01f2ae4..33f104f 100644
--- a/fallback.c
+++ b/fallback.c
@@ -13,6 +13,9 @@
#include "ucs2.h"
#include "variables.h"
#include "tpm.h"
+#include "console.h"
+
+#define NO_REBOOT L"FB_NO_REBOOT"
@@ -12,6 +12,8 @@
#include "shim.h"
+#define NO_REBOOT L"FB_NO_REBOOT"
+
EFI_LOADED_IMAGE *this_image = NULL;
@@ -953,6 +956,127 @@ try_start_first_option(EFI_HANDLE parent_image_handle)
return rc;
int
@@ -973,6 +975,65 @@ try_start_first_option(EFI_HANDLE parent_image_handle)
return efi_status;
}
+static UINT32
+get_fallback_no_reboot(void)
+{
+ EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
+ EFI_STATUS efi_status;
+ UINT32 no_reboot;
+ UINTN size = sizeof(UINT32);
+
+ efi_status = uefi_call_wrapper(RT->GetVariable, 5,
+ NO_REBOOT, &shim_lock_guid,
+ NULL, &size, &no_reboot);
+ efi_status = gRT->GetVariable(NO_REBOOT, &SHIM_LOCK_GUID,
+ NULL, &size, &no_reboot);
+ if (!EFI_ERROR(efi_status)) {
+ return no_reboot;
+ }
@ -58,84 +281,24 @@ index 886e052..1f3eb78 100644
+static EFI_STATUS
+set_fallback_no_reboot(void)
+{
+ EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
+ EFI_STATUS efi_status;
+ UINT32 no_reboot = 1;
+ efi_status = uefi_call_wrapper(RT->SetVariable, 5,
+ NO_REBOOT, &shim_lock_guid,
+ EFI_VARIABLE_NON_VOLATILE
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_RUNTIME_ACCESS,
+ sizeof(UINT32), &no_reboot);
+ efi_status = gRT->SetVariable(NO_REBOOT, &SHIM_LOCK_GUID,
+ EFI_VARIABLE_NON_VOLATILE
+ | EFI_VARIABLE_BOOTSERVICE_ACCESS
+ | EFI_VARIABLE_RUNTIME_ACCESS,
+ sizeof(UINT32), &no_reboot);
+ return efi_status;
+}
+
+static void console_save_and_set_mode (SIMPLE_TEXT_OUTPUT_MODE *SavedMode)
+{
+ if (!SavedMode) {
+ Print(L"Invalid parameter: SavedMode\n");
+ return;
+ }
+
+ CopyMem(SavedMode, ST->ConOut->Mode, sizeof(SIMPLE_TEXT_OUTPUT_MODE));
+ uefi_call_wrapper(ST->ConOut->EnableCursor, 2, ST->ConOut, FALSE);
+ uefi_call_wrapper(ST->ConOut->SetAttribute, 2, ST->ConOut,
+ EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE);
+}
+
+static void console_restore_mode (SIMPLE_TEXT_OUTPUT_MODE *SavedMode)
+{
+ uefi_call_wrapper(ST->ConOut->EnableCursor, 2, ST->ConOut,
+ SavedMode->CursorVisible);
+ uefi_call_wrapper(ST->ConOut->SetCursorPosition, 3, ST->ConOut,
+ SavedMode->CursorColumn, SavedMode->CursorRow);
+ uefi_call_wrapper(ST->ConOut->SetAttribute, 2, ST->ConOut,
+ SavedMode->Attribute);
+}
+
+static int
+draw_countdown(void)
+{
+ SIMPLE_TEXT_OUTPUT_MODE SavedMode;
+ EFI_INPUT_KEY key;
+ EFI_STATUS status;
+ UINTN cols, rows;
+ CHAR16 *title[2];
+ CHAR16 *title = L"Boot Option Restoration";
+ CHAR16 *message = L"Press any key to stop system reset";
+ int timeout = 5, wait = 10000000;
+ int timeout;
+
+ console_save_and_set_mode (&SavedMode);
+
+ title[0] = L"Boot Option Restoration";
+ title[1] = NULL;
+
+ console_print_box_at(title, -1, 0, 0, -1, -1, 1, 1);
+
+ uefi_call_wrapper(ST->ConOut->QueryMode, 4, ST->ConOut,
+ ST->ConOut->Mode->Mode, &cols, &rows);
+
+ PrintAt((cols - StrLen(message))/2, rows/2, message);
+ while (1) {
+ if (timeout > 1)
+ PrintAt(2, rows - 3, L"Booting in %d seconds ", timeout);
+ else if (timeout)
+ PrintAt(2, rows - 3, L"Booting in %d second ", timeout);
+
+ status = WaitForSingleEvent(ST->ConIn->WaitForKey, wait);
+
+ if (status != EFI_TIMEOUT) {
+ /* Clear the key in the queue */
+ uefi_call_wrapper(ST->ConIn->ReadKeyStroke, 2,
+ ST->ConIn, &key);
+ break;
+ }
+
+ timeout--;
+ if (!timeout)
+ break;
+ }
+
+ console_restore_mode(&SavedMode);
+ timeout = console_countdown(title, message, 5);
+
+ return timeout;
+}
@ -162,7 +325,7 @@ index 886e052..1f3eb78 100644
extern EFI_STATUS
efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *systab);
@@ -1014,6 +1138,26 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *systab)
@@ -1039,6 +1100,26 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *systab)
VerbosePrint(L"tpm not present, starting the first image\n");
try_start_first_option(image);
} else {
@ -179,8 +342,8 @@ index 886e052..1f3eb78 100644
+ if (choice == 0) {
+ goto reset;
+ } else if (choice == 2) {
+ rc = set_fallback_no_reboot();
+ if (EFI_ERROR(rc))
+ efi_status = set_fallback_no_reboot();
+ if (EFI_ERROR(efi_status))
+ goto reset;
+ }
+ VerbosePrint(L"tpm present, starting the first image\n");
@ -190,5 +353,5 @@ index 886e052..1f3eb78 100644
}
--
2.16.3
2.19.2
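Review bot: `get_fallback_no_reboot()` in the second patch returns `no_reboot` after a successful `GetVariable` without checking the returned `size`, and `UINT32 no_reboot;` has no initial value, so a stored variable shorter than four bytes would leave part of the result indeterminate. `set_fallback_no_reboot()` creates `FB_NO_REBOOT` with `EFI_VARIABLE_RUNTIME_ACCESS`, so privileged code in the running OS can presumably rewrite it and its size should not be assumed; `UINT32 no_reboot = 0;` together with `if (!EFI_ERROR(efi_status) && size == sizeof(UINT32))` would cover it. The rest of the function is cut off by the next hunk header, so its fallback return value is not visible here. Separately, now that `console_countdown()` is public in lib/console.c, a header comment stating that `timeout` must be positive would help, since the loop only exits on `!timeout` after decrementing and a caller passing 0 would not hit that exit.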


@ -1,18 +1,18 @@
From 4e83fe57c5a8f1ba32a264f7a936e0e3a9aafedc Mon Sep 17 00:00:00 2001
From e766e3943fa8513c1afe01e69e8aa6ec14067028 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 4 Jan 2018 12:28:37 +0800
Subject: [PATCH] Use our own debug path
Signed-off-by: Gary Lin <glin@suse.com>
---
Makefile | 2 +-
Make.defaults | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index f4b7adb..55f6126 100644
--- a/Makefile
+++ b/Makefile
@@ -122,7 +122,7 @@ SHIMHASHNAME = $(SHIMSTEM).hash
diff --git a/Make.defaults b/Make.defaults
index bbfc1d7..1cec0e1 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -119,7 +119,7 @@ SHIMHASHNAME = $(SHIMSTEM).hash
BOOTEFINAME ?= BOOT$(ARCH_SUFFIX_UPPER).EFI
BOOTCSVNAME ?= BOOT$(ARCH_SUFFIX_UPPER).CSV
@ -22,5 +22,5 @@ index f4b7adb..55f6126 100644
ifneq ($(origin VENDOR_CERT_FILE), undefined)
CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
--
2.15.1
2.19.2


@ -0,0 +1,47 @@
From 64492acf8b1d72cea0c3e203887bfe26fb840f1d Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 13 Dec 2018 17:19:36 +0800
Subject: [PATCH] Add the license change statement for errlog.c and mok.c
---
errlog.c | 6 ++++++
mok.c | 6 ++++++
2 files changed, 12 insertions(+)
diff --git a/errlog.c b/errlog.c
index 18be482..4a1fffb 100644
--- a/errlog.c
+++ b/errlog.c
@@ -3,6 +3,12 @@
* Copyright 2017 Peter Jones <pjones@redhat.com>
*
* Distributed under terms of the GPLv3 license.
+ *
+ * As Peter stated in issues#155:
+ * "I'll publicly state here that as the author of those files, you can
+ * treat them as dual-licensed with the GPLv3 text that accidentally
+ * made it in and the BSD license they should have borne."
+ * Ref: https://github.com/rhboot/shim/issues/155#issuecomment-443738252
*/
#include "shim.h"
diff --git a/mok.c b/mok.c
index 3867521..903b3b4 100644
--- a/mok.c
+++ b/mok.c
@@ -3,6 +3,12 @@
* Copyright 2017 Peter Jones <pjones@redhat.com>
*
* Distributed under terms of the GPLv3 license.
+ *
+ * As Peter stated in issues#155:
+ * "I'll publicly state here that as the author of those files, you can
+ * treat them as dual-licensed with the GPLv3 text that accidentally
+ * made it in and the BSD license they should have borne."
+ * Ref: https://github.com/rhboot/shim/issues/155#issuecomment-443738252
*/
#include "shim.h"
--
2.19.2


@ -1,155 +0,0 @@
From 9fcc5c93c4cad02927ecb318bafe2335f1026df3 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Fri, 27 Oct 2017 11:36:40 +0800
Subject: [PATCH 1/2] httpboot: Amend the device path matching rule
Originally, we check if the last 2 nodes in the device path are
IPv4()/Uri() or IPv6()/Uri() to determine whether httpboot is used or
not. However, since UEFI 2.7, the DNS node will be inserted between the
IP node and the URI node if the server provides the DNS server address.
This commit changes the matching rule to search IP node and URI node
and ignore any node between those two nodes.
Signed-off-by: Gary Lin <glin@suse.com>
---
httpboot.c | 67 ++++++++++++++++++++++++++++++++++++--------------------------
1 file changed, 39 insertions(+), 28 deletions(-)
diff --git a/httpboot.c b/httpboot.c
index e4657c1..ccff5aa 100644
--- a/httpboot.c
+++ b/httpboot.c
@@ -105,10 +105,11 @@ find_httpboot (EFI_HANDLE device)
{
EFI_DEVICE_PATH *unpacked;
EFI_DEVICE_PATH *Node;
- EFI_DEVICE_PATH *NextNode;
MAC_ADDR_DEVICE_PATH *MacNode;
URI_DEVICE_PATH *UriNode;
UINTN uri_size;
+ BOOLEAN ip_found = FALSE;
+ BOOLEAN ret = FALSE;
if (uri) {
FreePool(uri);
@@ -128,50 +129,60 @@ find_httpboot (EFI_HANDLE device)
}
Node = unpacked;
- /* Traverse the device path to find IPv4()/Uri() or IPv6()/Uri() */
+ /* Traverse the device path to find IPv4()/.../Uri() or
+ * IPv6()/.../Uri() */
while (!IsDevicePathEnd(Node)) {
/* Save the MAC node so we can match the net card later */
if (DevicePathType(Node) == MESSAGING_DEVICE_PATH &&
DevicePathSubType(Node) == MSG_MAC_ADDR_DP) {
MacNode = (MAC_ADDR_DEVICE_PATH *)Node;
- CopyMem(&mac_addr, &MacNode->MacAddress, sizeof(EFI_MAC_ADDRESS));
- }
-
- if (DevicePathType(Node) == MESSAGING_DEVICE_PATH &&
- (DevicePathSubType(Node) == MSG_IPv4_DP ||
- DevicePathSubType(Node) == MSG_IPv6_DP)) {
- /* Save the IP node so we can set up the connection later */
+ CopyMem(&mac_addr, &MacNode->MacAddress,
+ sizeof(EFI_MAC_ADDRESS));
+ } else if (DevicePathType(Node) == MESSAGING_DEVICE_PATH &&
+ (DevicePathSubType(Node) == MSG_IPv4_DP ||
+ DevicePathSubType(Node) == MSG_IPv6_DP)) {
+ /* Save the IP node so we can set up the connection */
+ /* later */
if (DevicePathSubType(Node) == MSG_IPv6_DP) {
- CopyMem(&ip6_node, Node, sizeof(IPv6_DEVICE_PATH));
+ CopyMem(&ip6_node, Node,
+ sizeof(IPv6_DEVICE_PATH));
is_ip6 = TRUE;
} else {
- CopyMem(&ip4_node, Node, sizeof(IPv4_DEVICE_PATH));
+ CopyMem(&ip4_node, Node,
+ sizeof(IPv4_DEVICE_PATH));
is_ip6 = FALSE;
}
- Node = NextDevicePathNode(Node);
+ ip_found = TRUE;
+ } else if (ip_found == TRUE &&
+ (DevicePathType(Node) == MESSAGING_DEVICE_PATH &&
+ DevicePathSubType(Node) == MSG_URI_DP)) {
+ EFI_DEVICE_PATH *NextNode;
+
+ /* Check if the URI node is the last node since the */
+ /* RAMDISK node could be appended, and we don't need */
+ /* to download the second stage loader in that case. */
NextNode = NextDevicePathNode(Node);
- if (DevicePathType(Node) == MESSAGING_DEVICE_PATH &&
- DevicePathSubType(Node) == MSG_URI_DP &&
- IsDevicePathEnd(NextNode)) {
- /* Save the current URI */
- UriNode = (URI_DEVICE_PATH *)Node;
- uri_size = strlena(UriNode->Uri);
- uri = AllocatePool(uri_size + 1);
- if (!uri) {
- perror(L"Failed to allocate uri\n");
- return FALSE;
- }
- CopyMem(uri, UriNode->Uri, uri_size + 1);
- FreePool(unpacked);
- return TRUE;
+ if (!IsDevicePathEnd(NextNode))
+ continue;
+
+ /* Save the current URI */
+ UriNode = (URI_DEVICE_PATH *)Node;
+ uri_size = strlena(UriNode->Uri);
+ uri = AllocatePool(uri_size + 1);
+ if (!uri) {
+ perror(L"Failed to allocate uri\n");
+ goto out;
}
+ CopyMem(uri, UriNode->Uri, uri_size + 1);
+ ret = TRUE;
+ goto out;
}
Node = NextDevicePathNode(Node);
}
-
+out:
FreePool(unpacked);
- return FALSE;
+ return ret;
}
static EFI_STATUS
--
2.15.1
From 2da4f7a9c97f7fed1cbacc37af8895cf1f90150f Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Fri, 5 Jan 2018 16:51:39 +0800
Subject: [PATCH 2/2] httpboot: fix the infinite loop
We should get out of the loop once the uri node is not the last node in
the device path.
Signed-off-by: Gary Lin <glin@suse.com>
---
httpboot.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/httpboot.c b/httpboot.c
index ccff5aa..d865dca 100644
--- a/httpboot.c
+++ b/httpboot.c
@@ -164,7 +164,7 @@ find_httpboot (EFI_HANDLE device)
/* to download the second stage loader in that case. */
NextNode = NextDevicePathNode(Node);
if (!IsDevicePathEnd(NextNode))
- continue;
+ goto out;
/* Save the current URI */
UriNode = (URI_DEVICE_PATH *)Node;
--
2.15.1


@ -1,28 +0,0 @@
From c6ecc2923b8072e9cb24806b1c1b92f63016fd63 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 4 Jan 2018 14:31:51 +0800
Subject: [PATCH] httpboot: include console.h
in_protocol is declared in console.h, so httpboot.c has to include the
header.
Signed-off-by: Gary Lin <glin@suse.com>
---
httpboot.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/httpboot.c b/httpboot.c
index 058704f..b753405 100644
--- a/httpboot.c
+++ b/httpboot.c
@@ -34,6 +34,7 @@
#include <efi.h>
#include <efilib.h>
#include "str.h"
+#include "console.h"
#include "Http.h"
#include "Ip4Config2.h"
#include "Ip6Config.h"
--
2.15.1


@ -1,30 +0,0 @@
From 087123b6eb8e8067c500cb7a411085c0ebe66e94 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 4 Jan 2018 12:22:43 +0800
Subject: [PATCH] Only use the OS name in version
Since we build shim binary with open build service, it's difficult to
fix the linux kernel version of the build bot, so we just use "uname -o"
instead of "uname -a".
Signed-off-by: Gary Lin <glin@suse.com>
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index e756aa5..f4b7adb 100644
--- a/Makefile
+++ b/Makefile
@@ -177,7 +177,7 @@ shim_cert.h: shim.cer
version.c : $(TOPDIR)/version.c.in
sed -e "s,@@VERSION@@,$(VERSION)," \
- -e "s,@@UNAME@@,$(shell uname -a)," \
+ -e "s,@@UNAME@@,$(shell uname -o)," \
-e "s,@@COMMIT@@,$(COMMITID)," \
< $< > $@
--
2.15.1


@ -1,4 +1,4 @@
From aab03ce2522a3610ecfd5e2f9e896a1ccdd5a94a Mon Sep 17 00:00:00 2001
From 49355a83722494099caeb23b46637b2c94a6ab9e Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 18 Feb 2014 17:29:19 +0800
Subject: [PATCH 1/3] Show the build-in certificate prompt
@ -17,14 +17,30 @@ again after reboot.
The state will store in use_openSUSE_cert, a volatile RT variable.
---
shim.c | 77 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 75 insertions(+), 2 deletions(-)
mok.c | 3 ++-
shim.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
shim.h | 1 +
3 files changed, 71 insertions(+), 2 deletions(-)
diff --git a/mok.c b/mok.c
index 00dd1ad..1645d24 100644
--- a/mok.c
+++ b/mok.c
@@ -139,7 +139,8 @@ static EFI_STATUS mirror_one_mok_variable(struct mok_state_variable *v)
if ((v->flags & MOK_MIRROR_KEYDB) &&
v->addend_source && *v->addend_source &&
- v->addend_size && *v->addend_size) {
+ v->addend_size && *v->addend_size &&
+ use_builtin_cert) {
EFI_SIGNATURE_LIST *CertList = NULL;
EFI_SIGNATURE_DATA *CertData = NULL;
FullDataSize = v->data_size
diff --git a/shim.c b/shim.c
index 7b34868..be250b6 100644
index 248c946..d52f46f 100644
--- a/shim.c
+++ b/shim.c
@@ -93,6 +93,7 @@ UINT8 *vendor_dbx;
@@ -83,6 +83,7 @@ UINT8 *vendor_dbx;
*/
verification_method_t verification_method;
int loader_is_participating;
@ -32,8 +48,8 @@ index 7b34868..be250b6 100644
#define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
@@ -1096,7 +1097,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
LogError(L"check_whitelist(): %r\n", status);
@@ -1066,7 +1067,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
return efi_status;
}
- if (cert) {
@ -41,17 +57,8 @@ index 7b34868..be250b6 100644
#if defined(ENABLE_SHIM_CERT)
/*
* Check against the shim build key
@@ -2080,7 +2081,7 @@ EFI_STATUS mirror_mok_list()
if (efi_status != EFI_SUCCESS)
DataSize = 0;
- if (vendor_cert_size) {
+ if (vendor_cert_size && use_builtin_cert) {
FullDataSize = DataSize
+ sizeof (*CertList)
+ sizeof (EFI_GUID)
@@ -2829,6 +2830,75 @@ shim_fini(void)
setup_console(0);
@@ -2529,6 +2530,69 @@ shim_fini(void)
console_fini();
}
+#define VENDOR_VERIFY L"openSUSE_Verify"
@ -59,7 +66,6 @@ index 7b34868..be250b6 100644
+/* Show the built-in certificate prompt if necessary */
+static int builtin_cert_prompt(void)
+{
+ EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
+ EFI_STATUS status;
+ UINT32 attributes;
+ UINTN len = sizeof(UINT8);
@ -70,15 +76,14 @@ index 7b34868..be250b6 100644
+ if (vendor_cert_size == 0)
+ return 0;
+
+ status = uefi_call_wrapper(RT->GetVariable, 5, VENDOR_VERIFY,
+ &shim_lock_guid, &attributes,
+ &len, &data);
+ status = gRT->GetVariable(VENDOR_VERIFY, &SHIM_LOCK_GUID,
+ &attributes, &len, (void *)&data);
+ if (status != EFI_SUCCESS ||
+ (attributes & EFI_VARIABLE_RUNTIME_ACCESS)) {
+ int choice;
+
+ if (status != EFI_NOT_FOUND)
+ LibDeleteVariable(VENDOR_VERIFY, &shim_lock_guid);
+ LibDeleteVariable(VENDOR_VERIFY, &SHIM_LOCK_GUID);
+
+ CHAR16 *str[] = {L"Trust openSUSE Certificate",
+ L"",
@ -92,12 +97,10 @@ index 7b34868..be250b6 100644
+ }
+
+ data = 1;
+ status = uefi_call_wrapper(RT->SetVariable, 5,
+ VENDOR_VERIFY,
+ &shim_lock_guid,
+ EFI_VARIABLE_NON_VOLATILE |
+ EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ sizeof(UINT8), &data);
+ status = gRT->SetVariable(VENDOR_VERIFY, &SHIM_LOCK_GUID,
+ EFI_VARIABLE_NON_VOLATILE |
+ EFI_VARIABLE_BOOTSERVICE_ACCESS,
+ sizeof(UINT8), &data);
+ if (status != EFI_SUCCESS) {
+ console_error(L"Failed to set openSUSE_Verify", status);
+ return -1;
@ -109,12 +112,10 @@ index 7b34868..be250b6 100644
+
+done:
+ /* Setup a runtime variable to show the current state */
+ status = uefi_call_wrapper(RT->SetVariable, 5,
+ L"use_openSUSE_cert",
+ &shim_lock_guid,
+ EFI_VARIABLE_BOOTSERVICE_ACCESS |
+ EFI_VARIABLE_RUNTIME_ACCESS,
+ sizeof(UINT8), &data);
+ status = gRT->SetVariable(L"use_openSUSE_cert", &SHIM_LOCK_GUID,
+ EFI_VARIABLE_BOOTSERVICE_ACCESS |
+ EFI_VARIABLE_RUNTIME_ACCESS,
+ sizeof(UINT8), &data);
+ if (status != EFI_SUCCESS) {
+ console_error(L"Failed to set use_openSUSE_cert", status);
+ return -1;
@ -126,21 +127,33 @@ index 7b34868..be250b6 100644
extern EFI_STATUS
efi_main(EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab);
@@ -2933,6 +3003,9 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
@@ -2623,6 +2687,9 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
*/
check_mok_sb();
debug_hook();
+ if (secure_mode() && (builtin_cert_prompt() != 0))
+ return EFI_ABORTED;
+
efi_status = shim_init();
if (EFI_ERROR(efi_status)) {
Print(L"Something has gone seriously wrong: %r\n", efi_status);
/*
* Before we do anything else, validate our non-volatile,
* boot-services-only state variables are what we think they are.
diff --git a/shim.h b/shim.h
index d9c60f5..ab384d4 100644
--- a/shim.h
+++ b/shim.h
@@ -174,6 +174,7 @@ extern UINT8 *vendor_dbx;
extern UINT8 user_insecure_mode;
extern UINT8 ignore_db;
extern UINT8 in_protocol;
+extern BOOLEAN use_builtin_cert;
#define perror_(file, line, func, fmt, ...) ({ \
UINTN __perror_ret = 0; \
--
2.16.2
2.19.2
From d377f58aadd8c5579a922ef3c237d3ed25bb6d00 Mon Sep 17 00:00:00 2001
From 18b6390f3193ebccad44cf1448ce54be512cd066 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 20 Feb 2014 16:57:08 +0800
Subject: [PATCH 2/3] Support revoking the openSUSE cert
@ -151,20 +164,19 @@ To revoke the openSUSE cert, create ClearVerify, a NV RT variable,
and store the password hash in the variable, and then MokManager
will show up with an additional option to clear openSUSE_Verify
---
MokManager.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
shim.c | 2 +-
2 files changed, 60 insertions(+), 3 deletions(-)
MokManager.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++--
mok.c | 2 +-
2 files changed, 59 insertions(+), 3 deletions(-)
diff --git a/MokManager.c b/MokManager.c
index 42bf72d..7a2b5fe 100644
index 1ab8e5e..fbb7d22 100644
--- a/MokManager.c
+++ b/MokManager.c
@@ -1794,6 +1794,33 @@ mokpw_done:
@@ -1715,6 +1715,31 @@ mokpw_done:
return EFI_SUCCESS;
}
+static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) {
+ EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
+ EFI_STATUS status;
+
+ if (console_yes_no((CHAR16 *[]){L"Do you want to revoke openSUSE certificate?", NULL}) != 1)
@ -177,23 +189,22 @@ index 42bf72d..7a2b5fe 100644
+ if (status != EFI_SUCCESS)
+ return -1;
+
+ status = LibDeleteVariable(L"openSUSE_Verify", &shim_lock_guid);
+ status = LibDeleteVariable(L"openSUSE_Verify", &SHIM_LOCK_GUID);
+ if (status != EFI_SUCCESS) {
+ console_error(L"Failed to delete openSUSE_Verify", status);
+ return -1;
+ }
+
+ console_notify(L"The system must now be rebooted");
+ uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm,
+ EFI_SUCCESS, 0, NULL);
+ gRT->ResetSystem(EfiResetWarm, EFI_SUCCESS, 0, NULL);
+ console_notify(L"Failed to reboot");
+ return -1;
+}
+
static BOOLEAN verify_certificate(UINT8 *cert, UINTN size)
static BOOLEAN verify_certificate(UINT8 * cert, UINTN size)
{
X509 *X509Cert;
@@ -2150,6 +2177,7 @@ typedef enum {
@@ -2050,6 +2075,7 @@ typedef enum {
MOK_CHANGE_SB,
MOK_SET_PW,
MOK_CHANGE_DB,
@ -201,7 +212,7 @@ index 42bf72d..7a2b5fe 100644
MOK_KEY_ENROLL,
MOK_HASH_ENROLL
} mok_menu_item;
@@ -2170,7 +2198,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
@@ -2070,7 +2096,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
void *MokPW, UINTN MokPWSize,
void *MokDB, UINTN MokDBSize,
void *MokXNew, UINTN MokXNewSize,
@ -211,17 +222,20 @@ index 42bf72d..7a2b5fe 100644
{
CHAR16 **menu_strings = NULL;
mok_menu_item *menu_item = NULL;
@@ -2250,6 +2279,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
@@ -2146,8 +2173,12 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
if (MokDB)
menucount++;
+ if (ClearVerify)
+ menucount++;
+
menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (menucount + 1));
menu_strings = AllocateZeroPool(sizeof(CHAR16 *) *
(menucount + 1));
+
if (!menu_strings)
@@ -2322,6 +2354,12 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
return EFI_OUT_OF_RESOURCES;
@@ -2217,6 +2248,12 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
i++;
}
@ -234,8 +248,8 @@ index 42bf72d..7a2b5fe 100644
menu_strings[i] = L"Enroll key from disk";
menu_item[i] = MOK_KEY_ENROLL;
i++;
@@ -2424,6 +2462,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
if (efi_status == EFI_SUCCESS)
@@ -2321,6 +2358,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
if (!EFI_ERROR(efi_status))
MokDB = NULL;
break;
+ case MOK_CLEAR_VERIFY:
@ -244,34 +258,34 @@ index 42bf72d..7a2b5fe 100644
case MOK_KEY_ENROLL:
efi_status = mok_key_enroll();
break;
@@ -2456,6 +2497,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
@@ -2352,6 +2392,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
{
UINTN MokNewSize = 0, MokDelSize = 0, MokSBSize = 0, MokPWSize = 0;
UINTN MokDBSize = 0, MokXNewSize = 0, MokXDelSize = 0;
+ UINTN ClearVerifySize = 0;
void *MokNew = NULL;
void *MokDel = NULL;
void *MokSB = NULL;
@@ -2463,6 +2505,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
@@ -2359,6 +2400,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
void *MokDB = NULL;
void *MokXNew = NULL;
void *MokXDel = NULL;
+ void *ClearVerify = NULL;
EFI_STATUS status;
EFI_STATUS efi_status;
status = get_variable(L"MokNew", (UINT8 **)&MokNew, &MokNewSize,
@@ -2535,9 +2578,20 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
console_error(L"Could not retrieve MokXDel", status);
efi_status = get_variable(L"MokNew", (UINT8 **) & MokNew, &MokNewSize,
@@ -2431,9 +2473,20 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
console_error(L"Could not retrieve MokXDel", efi_status);
}
+ status = get_variable(L"ClearVerify", (UINT8 **)&ClearVerify, &ClearVerifySize,
+ shim_lock_guid);
+ if (status == EFI_SUCCESS) {
+ if (LibDeleteVariable(L"ClearVerify", &shim_lock_guid) != EFI_SUCCESS) {
+ efi_status = get_variable(L"ClearVerify", (UINT8 **)&ClearVerify,
+ &ClearVerifySize, SHIM_LOCK_GUID);
+ if (!EFI_ERROR(efi_status)) {
+ efi_status = LibDeleteVariable(L"ClearVerify", &SHIM_LOCK_GUID);
+ if (EFI_ERROR(efi_status))
+ console_notify(L"Failed to delete ClearVerify");
+ }
+ } else if (EFI_ERROR(status) && status != EFI_NOT_FOUND) {
+ console_error(L"Could not retrieve ClearVerify", status);
+ } else if (EFI_ERROR(efi_status) && efi_status != EFI_NOT_FOUND) {
+ console_error(L"Could not retrieve ClearVerify", efi_status);
+ }
+
enter_mok_menu(image_handle, MokNew, MokNewSize, MokDel, MokDelSize,
@ -281,22 +295,22 @@ index 42bf72d..7a2b5fe 100644
+ ClearVerify, ClearVerifySize);
if (MokNew)
FreePool (MokNew);
@@ -2560,6 +2614,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
FreePool(MokNew);
@@ -2456,6 +2509,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
if (MokXDel)
FreePool (MokXDel);
FreePool(MokXDel);
+ if (ClearVerify)
+ FreePool (ClearVerify);
+
LibDeleteVariable(L"MokAuth", &shim_lock_guid);
LibDeleteVariable(L"MokDelAuth", &shim_lock_guid);
LibDeleteVariable(L"MokXAuth", &shim_lock_guid);
diff --git a/shim.c b/shim.c
index be250b6..d461edd 100644
--- a/shim.c
+++ b/shim.c
@@ -2233,7 +2233,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
LibDeleteVariable(L"MokAuth", &SHIM_LOCK_GUID);
LibDeleteVariable(L"MokDelAuth", &SHIM_LOCK_GUID);
LibDeleteVariable(L"MokXAuth", &SHIM_LOCK_GUID);
diff --git a/mok.c b/mok.c
index 1645d24..45110cd 100644
--- a/mok.c
+++ b/mok.c
@@ -37,7 +37,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
check_var(L"MokPW") || check_var(L"MokAuth") ||
check_var(L"MokDel") || check_var(L"MokDB") ||
check_var(L"MokXNew") || check_var(L"MokXDel") ||
@ -304,12 +318,12 @@ index be250b6..d461edd 100644
+ check_var(L"MokXAuth") || check_var(L"ClearVerify")) {
efi_status = start_image(image_handle, MOK_MANAGER);
if (efi_status != EFI_SUCCESS) {
if (EFI_ERROR(efi_status)) {
--
2.16.2
2.19.2
From 5a60e36a5c2bad616bc842d7ffaa6acc1493650f Mon Sep 17 00:00:00 2001
From f16f00e47824722651e2e4f2b327dfbe4fb6367d Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Fri, 7 Mar 2014 16:17:20 +0800
Subject: [PATCH 3/3] Delete openSUSE_Verify the right way
@ -322,21 +336,21 @@ LibDeleteVariable only works on the runtime variables.
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/MokManager.c b/MokManager.c
index 7a2b5fe..feae113 100644
index fbb7d22..22336d4 100644
--- a/MokManager.c
+++ b/MokManager.c
@@ -1808,7 +1808,10 @@ static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) {
@@ -1728,7 +1728,10 @@ static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) {
if (status != EFI_SUCCESS)
return -1;
- status = LibDeleteVariable(L"openSUSE_Verify", &shim_lock_guid);
+ status = uefi_call_wrapper(RT->SetVariable, 5,
+ L"openSUSE_Verify", &shim_lock_guid,
+ EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,
+ 0, NULL);
- status = LibDeleteVariable(L"openSUSE_Verify", &SHIM_LOCK_GUID);
+ status = gRT->SetVariable(L"openSUSE_Verify", &SHIM_LOCK_GUID,
+ EFI_VARIABLE_BOOTSERVICE_ACCESS |
+ EFI_VARIABLE_NON_VOLATILE,
+ 0, NULL);
if (status != EFI_SUCCESS) {
console_error(L"Failed to delete openSUSE_Verify", status);
return -1;
--
2.16.2
2.19.2
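Review bot: In the refreshed mok.c hunk, `use_builtin_cert` is added to the condition that guards the whole addend branch of `mirror_one_mok_variable()`, so it applies to every variable that has `MOK_MIRROR_KEYDB` and an addend, not only to the one carrying the built-in certificate. If a revocation-type variable also uses an addend (shim.h declares `vendor_dbx` alongside the new flag, which suggests it might), answering "no" at the prompt would also stop that vendor data from being mirrored to the runtime copy; this is worth confirming against the `mok_state_variable` table, which is not visible here. If so, I would narrow the test to the certificate entry, something like `(v->addend_source != &vendor_cert || use_builtin_cert)` assuming the certificate pointer is named `vendor_cert`, and add `/* use_builtin_cert only governs the built-in certificate, never the vendor dbx */` above it. The function body continues outside the hunk.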


@ -1,223 +0,0 @@
From 063d4aa37d271ce5c30a9c7a1746af421d40ca17 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 4 Jan 2018 14:54:34 +0800
Subject: [PATCH] Cryptlib: replace CryptPem with CryptPemNull
We don't need the functions in CryptPem.c.
Signed-off-by: Gary Lin <glin@suse.com>
---
Cryptlib/Makefile | 2 +-
Cryptlib/Pem/CryptPem.c | 135 --------------------------------------------
Cryptlib/Pem/CryptPemNull.c | 44 +++++++++++++++
3 files changed, 45 insertions(+), 136 deletions(-)
delete mode 100644 Cryptlib/Pem/CryptPem.c
create mode 100644 Cryptlib/Pem/CryptPemNull.c
diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile
index bf9d0dc..a025ac5 100644
--- a/Cryptlib/Makefile
+++ b/Cryptlib/Makefile
@@ -40,7 +40,7 @@ OBJS = Hash/CryptMd4Null.o \
Pk/CryptTs.o \
Pk/CryptX509.o \
Pk/CryptAuthenticode.o \
- Pem/CryptPem.o \
+ Pem/CryptPemNull.o \
SysCall/CrtWrapper.o \
SysCall/TimerWrapper.o \
SysCall/BaseMemAllocation.o \
diff --git a/Cryptlib/Pem/CryptPem.c b/Cryptlib/Pem/CryptPem.c
deleted file mode 100644
index 51e648b..0000000
--- a/Cryptlib/Pem/CryptPem.c
+++ /dev/null
@@ -1,135 +0,0 @@
-/** @file
- PEM (Privacy Enhanced Mail) Format Handler Wrapper Implementation over OpenSSL.
-
-Copyright (c) 2010 - 2013, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include "InternalCryptLib.h"
-#include <openssl/pem.h>
-
-/**
- Callback function for password phrase conversion used for retrieving the encrypted PEM.
-
- @param[out] Buf Pointer to the buffer to write the passphrase to.
- @param[in] Size Maximum length of the passphrase (i.e. the size of Buf).
- @param[in] Flag A flag which is set to 0 when reading and 1 when writing.
- @param[in] Key Key data to be passed to the callback routine.
-
- @retval The number of characters in the passphrase or 0 if an error occurred.
-
-**/
-INTN
-PasswordCallback (
- OUT CHAR8 *Buf,
- IN INTN Size,
- IN INTN Flag,
- IN VOID *Key
- )
-{
- INTN KeyLength;
-
- ZeroMem ((VOID *) Buf, (UINTN) Size);
- if (Key != NULL) {
- //
- // Duplicate key phrase directly.
- //
- KeyLength = (INTN) AsciiStrLen ((CHAR8 *)Key);
- KeyLength = (KeyLength > Size ) ? Size : KeyLength;
- CopyMem (Buf, Key, (UINTN) KeyLength);
- return KeyLength;
- } else {
- return 0;
- }
-}
-
-/**
- Retrieve the RSA Private Key from the password-protected PEM key data.
-
- @param[in] PemData Pointer to the PEM-encoded key data to be retrieved.
- @param[in] PemSize Size of the PEM key data in bytes.
- @param[in] Password NULL-terminated passphrase used for encrypted PEM key data.
- @param[out] RsaContext Pointer to new-generated RSA context which contain the retrieved
- RSA private key component. Use RsaFree() function to free the
- resource.
-
- If PemData is NULL, then return FALSE.
- If RsaContext is NULL, then return FALSE.
-
- @retval TRUE RSA Private Key was retrieved successfully.
- @retval FALSE Invalid PEM key data or incorrect password.
-
-**/
-BOOLEAN
-EFIAPI
-RsaGetPrivateKeyFromPem (
- IN CONST UINT8 *PemData,
- IN UINTN PemSize,
- IN CONST CHAR8 *Password,
- OUT VOID **RsaContext
- )
-{
- BOOLEAN Status;
- BIO *PemBio;
-
- //
- // Check input parameters.
- //
- if (PemData == NULL || RsaContext == NULL || PemSize > INT_MAX) {
- return FALSE;
- }
-
- //
- // Add possible block-cipher descriptor for PEM data decryption.
- // NOTE: Only support most popular ciphers (3DES, AES) for the encrypted PEM.
- //
- if (EVP_add_cipher (EVP_des_ede3_cbc ()) == 0) {
- return FALSE;
- }
- if (EVP_add_cipher (EVP_aes_128_cbc ()) == 0) {
- return FALSE;
- }
- if (EVP_add_cipher (EVP_aes_192_cbc ()) == 0) {
- return FALSE;
- }
- if (EVP_add_cipher (EVP_aes_256_cbc ()) == 0) {
- return FALSE;
- }
-
- Status = FALSE;
-
- //
- // Read encrypted PEM Data.
- //
- PemBio = BIO_new (BIO_s_mem ());
- if (PemBio == NULL) {
- goto _Exit;
- }
-
- if (BIO_write (PemBio, PemData, (int) PemSize) <= 0) {
- goto _Exit;
- }
-
- //
- // Retrieve RSA Private Key from encrypted PEM data.
- //
- *RsaContext = PEM_read_bio_RSAPrivateKey (PemBio, NULL, (pem_password_cb *) &PasswordCallback, (void *) Password);
- if (*RsaContext != NULL) {
- Status = TRUE;
- }
-
-_Exit:
- //
- // Release Resources.
- //
- BIO_free (PemBio);
-
- return Status;
-}
diff --git a/Cryptlib/Pem/CryptPemNull.c b/Cryptlib/Pem/CryptPemNull.c
new file mode 100644
index 0000000..8c9e4f0
--- /dev/null
+++ b/Cryptlib/Pem/CryptPemNull.c
@@ -0,0 +1,44 @@
+/** @file
+ PEM (Privacy Enhanced Mail) Format Handler Wrapper Implementation which does
+ not provide real capabilities.
+
+Copyright (c) 2012, Intel Corporation. All rights reserved.<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Retrieve the RSA Private Key from the password-protected PEM key data.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] PemData Pointer to the PEM-encoded key data to be retrieved.
+ @param[in] PemSize Size of the PEM key data in bytes.
+ @param[in] Password NULL-terminated passphrase used for encrypted PEM key data.
+ @param[out] RsaContext Pointer to new-generated RSA context which contain the retrieved
+ RSA private key component. Use RsaFree() function to free the
+ resource.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+RsaGetPrivateKeyFromPem (
+ IN CONST UINT8 *PemData,
+ IN UINTN PemSize,
+ IN CONST CHAR8 *Password,
+ OUT VOID **RsaContext
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
--
2.15.1


@ -1,3 +1,26 @@
-------------------------------------------------------------------
Thu Dec 20 04:13:00 UTC 2018 - Gary Ching-Pang Lin <glin@suse.com>
- Update to 15+git47 (bsc#1120026, FATE#325971)
+ git commit: b3e4d1f7555aabbf5d54de5ea7cd7e839e7bd83d
- Retire the old openSUSE 4096 bit certificate
+ Those programs are already out of maintenance.
- Add shim-always-mirror-mok-variables.patch to mirror MOK
variables correctly
- Add shim-correct-license-in-headers.patch to correct the license
declaration
- Refresh patches:
+ shim-arch-independent-names.patch
+ shim-change-debug-file-path.patch
+ shim-bsc1092000-fallback-menu.patch
+ shim-opensuse-cert-prompt.patch
- Drop upstreamed patches:
+ shim-bsc1088585-handle-mok-allocations-better.patch
+ shim-httpboot-amend-device-path.patch
+ shim-httpboot-include-console.h.patch
+ shim-only-os-name.patch
+ shim-remove-cryptpem.patch
-------------------------------------------------------------------
Wed Dec 5 10:28:00 UTC 2018 - Gary Ching-Pang Lin <glin@suse.com>


@ -21,13 +21,13 @@
%undefine _build_create_debug
Name: shim
Version: 14
Version: 15+git47
Release: 0
Summary: UEFI shim loader
License: BSD-2-Clause
Group: System/Boot
Url: https://github.com/rhboot/shim
Source: https://github.com/rhboot/shim/releases/download/%{version}/%{name}-%{version}.tar.bz2
Source: %{name}-%{version}.tar.bz2
# run "extract_signature.sh shim.efi" where shim.efi is the binary
# with the signature from the UEFI signing service.
# Note: For signature requesting, check SIGNATURE_UPDATE.txt
@ -39,29 +39,21 @@ Source5: extract_signature.sh
Source6: attach_signature.sh
Source7: show_hash.sh
Source8: show_signatures.sh
Source9: openSUSE-UEFI-CA-Certificate-4096.crt
Source10: timestamp.pl
Source11: strip_signature.sh
Source12: signature-sles.x86_64.asc
Source13: signature-opensuse.aarch64.asc
Source14: signature-sles.aarch64.asc
Source9: timestamp.pl
Source10: strip_signature.sh
Source11: signature-sles.x86_64.asc
Source12: signature-opensuse.aarch64.asc
Source13: signature-sles.aarch64.asc
Source99: SIGNATURE_UPDATE.txt
# PATCH-FIX-SUSE shim-only-os-name.patch glin@suse.com -- Only include the OS name in version.c
Patch1: shim-only-os-name.patch
# PATCH-FIX-SUSE shim-arch-independent-names.patch glin@suse.com -- Use the Arch-independent names
Patch2: shim-arch-independent-names.patch
# PATCH-FIX-UPSTREAM shim-httpboot-include-console.h.patch glin@suse.com -- Include console.h in httpboot.c
Patch3: shim-httpboot-include-console.h.patch
# PATCH-FIX-UPSTREAM shim-remove-cryptpem.patch glin@suse.com -- Replace the functions in CryptPem.c with the null function
Patch4: shim-remove-cryptpem.patch
# PATCH-FIX-UPSTREAM shim-httpboot-amend-device-path.patch bsc#1065370 glin@suse.com -- Amend the device path matching rule for httpboot
Patch5: shim-httpboot-amend-device-path.patch
# PATCH-FIX-UPSTREAM shim-bsc1088585-handle-mok-allocations-better.patch bsc#1088585 glin@suse.com -- Handle the mok parameter allocations better
Patch6: shim-bsc1088585-handle-mok-allocations-better.patch
# PATCH-FIX-UPSTREAM shim-bsc1092000-fallback-menu.patch bsc#1092000 glin@suse.com -- Show a menu before reset
Patch7: shim-bsc1092000-fallback-menu.patch
Patch1: shim-arch-independent-names.patch
# PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch glin@suse.com -- Change the default debug file path
Patch50: shim-change-debug-file-path.patch
Patch2: shim-change-debug-file-path.patch
# PATCH-FIX-UPSTREAM shim-bsc1092000-fallback-menu.patch bsc#1092000 glin@suse.com -- Show a menu before reset
Patch3: shim-bsc1092000-fallback-menu.patch
# PATCH-FIX-UPSTREAM shim-always-mirror-mok-variables.patch glin@suse.com -- Mirror MOK variables correctly
Patch4: shim-always-mirror-mok-variables.patch
Patch5: shim-correct-license-in-headers.patch
# PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
Patch100: shim-opensuse-cert-prompt.patch
BuildRequires: gnu-efi >= 3.0.3
@ -108,9 +100,6 @@ The source code of UEFI shim loader
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch50 -p1
%if 0%{?is_opensuse} == 1
%patch100 -p1
%endif
@ -145,27 +134,24 @@ fi
for suffix in "${suffixes[@]}"; do
if test "$suffix" = "opensuse"; then
cert=%{SOURCE2}
cert2=%{SOURCE9}
verify='openSUSE Secure Boot CA1'
%ifarch x86_64
signature=%{SOURCE1}
%else
# AArch64 signature
signature=%{SOURCE13}
signature=%{SOURCE12}
%endif
elif test "$suffix" = "sles"; then
cert=%{SOURCE4}
cert2=''
verify='SUSE Linux Enterprise Secure Boot CA1'
%ifarch x86_64
signature=%{SOURCE12}
signature=%{SOURCE11}
%else
# AArch64 signature
signature=%{SOURCE14}
signature=%{SOURCE13}
%endif
elif test "$suffix" = "devel"; then
cert=%{_sourcedir}/_projectcert.crt
cert2=''
verify=`openssl x509 -in "$cert" -noout -email`
signature=''
test -e "$cert" || continue
@ -175,16 +161,6 @@ for suffix in "${suffixes[@]}"; do
fi
openssl x509 -in $cert -outform DER -out shim-$suffix.der
rm -f shim_cert.h shim.cer shim.crt
if [ -z "$cert2" ]; then
# create empty local cert file, we don't need a local key pair as we
# sign the mokmanager with our vendor key
touch shim.crt
touch shim.cer
else
cp $cert2 shim.crt
fi
# make sure cast warnings don't trigger post build check
make EFI_PATH=/usr/lib64 RELEASE=0 SHIMSTEM=shim \
VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \
DEFAULT_LOADER="\\\\\\\\grub.efi" \
@ -193,7 +169,7 @@ for suffix in "${suffixes[@]}"; do
# assert correct certificate embedded
grep -q "$verify" shim.efi
# make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
chmod 755 %{SOURCE10}
chmod 755 %{SOURCE9}
# alternative: verify signature
#sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi
if test -n "$signature"; then
@ -201,7 +177,7 @@ for suffix in "${suffixes[@]}"; do
cp shim.efi shim.efi.bak
# pe header contains timestamp and checksum. we need to
# restore that
%{SOURCE10} --set-from-file "$signature" shim.efi
%{SOURCE9} --set-from-file "$signature" shim.efi
pesign -h -P -i shim.efi > hash2
cat hash1 hash2
if ! cmp -s hash1 hash2; then
@ -220,9 +196,10 @@ for suffix in "${suffixes[@]}"; do
mv shim.efi shim-$suffix.efi
fi
mv shim.efi.debug shim-$suffix.debug
rm -f shim.cer shim.crt
# make sure cert.o gets rebuilt
rm -f cert.o
# remove the build cert if exists
rm -f shim_cert.h shim.cer shim.crt
# make sure all object files gets rebuilt
rm -f *.o
done
ln -s shim-${suffixes[0]}.efi shim.efi