diff --git a/shim-mokmanager-delete-bs-var-right.patch b/shim-mokmanager-delete-bs-var-right.patch
new file mode 100644
index 0000000..3e244c0
--- /dev/null
+++ b/shim-mokmanager-delete-bs-var-right.patch
@@ -0,0 +1,69 @@
+From 3c545d630917d76d91a8491f8759927f512e56f2 Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin
+Date: Fri, 7 Mar 2014 16:56:14 +0800
+Subject: [PATCH] MokManager: delete the BS+NV variables the right way
+
+LibDeleteVariable assumes that the variable is RT+NV and it
+won't work on a BS+NV variable.
+
+Signed-off-by: Gary Ching-Pang Lin
+---
+ MokManager.c | 28 +++++++++++++++++++++++++---
+ 1 file changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/MokManager.c b/MokManager.c
+index f5ed379..4ea28ef 100644
+--- a/MokManager.c
++++ b/MokManager.c
+@@ -1112,7 +1112,16 @@ static INTN mok_sb_prompt (void *MokSB, UINTN MokSBSize) {
+ return -1;
+ }
+ } else {
+- LibDeleteVariable(L"MokSBState", &shim_lock_guid);
++ efi_status = uefi_call_wrapper(RT->SetVariable,
++ 5, L"MokSBState",
++ &shim_lock_guid,
++ EFI_VARIABLE_NON_VOLATILE |
++ EFI_VARIABLE_BOOTSERVICE_ACCESS,
++ 0, NULL);
++ if (efi_status != EFI_SUCCESS) {
++ console_notify(L"Failed to delete Secure Boot state");
++ return -1;
++ }
+ }
+
+ console_notify(L"The system must now be rebooted");
+@@ -1224,7 +1233,16 @@ static INTN mok_db_prompt (void *MokDB, UINTN MokDBSize) {
+ return -1;
+ }
+ } else {
+- LibDeleteVariable(L"MokDBState", &shim_lock_guid);
++ efi_status = uefi_call_wrapper(RT->SetVariable, 5,
++ L"MokDBState",
++ &shim_lock_guid,
++ EFI_VARIABLE_NON_VOLATILE |
++ EFI_VARIABLE_BOOTSERVICE_ACCESS,
++ 0, NULL);
++ if (efi_status != EFI_SUCCESS) {
++ console_notify(L"Failed to delete DB state");
++ return -1;
++ }
+ }
+
+ console_notify(L"The system must now be rebooted");
+@@ -1261,7 +1279,11 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) {
+ if (console_yes_no((CHAR16 *[]){L"Clear MOK password?", NULL}) == 0)
+ return 0;
+
+- LibDeleteVariable(L"MokPWStore", &shim_lock_guid);
++ uefi_call_wrapper(RT->SetVariable, 5, L"MokPWStore",
++ &shim_lock_guid,
++ EFI_VARIABLE_NON_VOLATILE
++ | EFI_VARIABLE_BOOTSERVICE_ACCESS,
++ 0, NULL);
+ LibDeleteVariable(L"MokPW", &shim_lock_guid);
+ console_notify(L"The system must now be rebooted");
+ uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm, EFI_SUCCESS, 0,
+-- 
+1.8.4.5
+
diff --git a/shim-opensuse-cert-prompt.patch b/shim-opensuse-cert-prompt.patch
index dcaae27..a7bba19 100644
--- a/shim-opensuse-cert-prompt.patch
+++ b/shim-opensuse-cert-prompt.patch
@@ -1,7 +1,7 @@
 From 2082ad15e0b3413845a1ddc10c2953dcd95beb83 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin
 Date: Tue, 18 Feb 2014 17:29:19 +0800
-Subject: [PATCH 1/2] Show the build-in certificate prompt
+Subject: [PATCH 1/3] Show the build-in certificate prompt
 This is an openSUSE-only patch.
@@ -191,7 +191,7 @@ index 0b20191..a483ce3 100644
 From 57b6062bc614d5638e66f8c5ac62106b812c6d1a Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin
 Date: Thu, 20 Feb 2014 16:57:08 +0800
-Subject: [PATCH 2/2] Support revoking the openSUSE cert
+Subject: [PATCH 2/3] Support revoking the openSUSE cert
 This is an openSUSE-only patch.
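Review bot: The new `SetVariable` call that deletes `MokPWStore` in the `mok_pw_prompt` hunk of shim-mokmanager-delete-bs-var-right.patch discards its return status, whereas the `mok_sb_prompt` and `mok_db_prompt` hunks in the same patch both assign `efi_status` and return -1 on failure. If that delete fails, the user is still shown "The system must now be rebooted" and the stored MOK password presumably stays in place. Capture the status and bail out the same way, e.g. `if (efi_status != EFI_SUCCESS) { console_notify(L"Failed to delete MOK password"); return -1; }` (assuming an `EFI_STATUS` local is in scope; the function body starts and ends outside the hunk). It is also worth confirming whether `EFI_NOT_FOUND` for an already-absent variable should count as a failure in the SB/DB hunks, since the old `LibDeleteVariable` result was ignored there.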
@@ -356,3 +356,35 @@ index a483ce3..3b00e6c 100644
 -- 
 1.8.4.5
+
+From 8d1fc876a8117bdfa2d1e8975725e03660eadc7c Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin
+Date: Fri, 7 Mar 2014 16:17:20 +0800
+Subject: [PATCH 3/3] Delete openSUSE_Verify the right way
+
+This is an openSUSE-only patch.
+
+LibDeleteVariable only works on the runtime variables.
+---
+ MokManager.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/MokManager.c b/MokManager.c
+index a03eea4..d4f107d 100644
+--- a/MokManager.c
++++ b/MokManager.c
+@@ -1584,7 +1584,10 @@ static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) {
+ if (status != EFI_SUCCESS)
+ return -1;
+
+- status = LibDeleteVariable(L"openSUSE_Verify", &shim_lock_guid);
++ status = uefi_call_wrapper(RT->SetVariable, 5,
++ L"openSUSE_Verify", &shim_lock_guid,
++ EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,
++ 0, NULL);
+ if (status != EFI_SUCCESS) {
+ console_error(L"Failed to delete openSUSE_Verify", status);
+ return -1;
+-- 
+1.8.4.5
+
diff --git a/shim.changes b/shim.changes
index f95df7f..a0253f3 100644
--- a/shim.changes
+++ b/shim.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Fri Mar 7 09:09:12 UTC 2014 - glin@suse.com
+
+- Add shim-mokmanager-delete-bs-var-right.patch to delete the BS+NV
+ variables the right way
+- Update shim-opensuse-cert-prompt.patch to delete openSUSE_Verify
+ correctly
+
 -------------------------------------------------------------------
 Thu Mar 6 07:37:57 UTC 2014 - glin@suse.com
diff --git a/shim.spec b/shim.spec
index 04b9cde..985050b 100644
--- a/shim.spec
+++ b/shim.spec
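Review bot: The replacement call in the `mok_clear_verify_prompt` hunk (the new PATCH 3/3 appended to shim-opensuse-cert-prompt.patch) has no comment saying why `LibDeleteVariable` is avoided, so a later cleanup could easily switch it back. A one-line comment above the call would record the reason given in the patch description, e.g. `/* openSUSE_Verify is BS+NV; LibDeleteVariable only works on runtime variables, so delete it with a zero-size SetVariable */`. The attribute flags are also written in the opposite order from the three calls in shim-mokmanager-delete-bs-var-right.patch; one consistent order, or a small shared helper, would make the four deletions easier to audit together. The function body starts and ends outside the hunk.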
@@ -64,6 +64,8 @@ Patch10: shim-bnc863205-mokmanager-fix-hash-delete.patch
 Patch11: shim-fallback-avoid-duplicate-bootorder.patch
 # PATCH-FIX-UPSTREAM shim-allow-fallback-use-system-loadimage.patch -- Handle the shim protocol properly to keep only one protocol entity
 Patch12: shim-allow-fallback-use-system-loadimage.patch
+# PATCH-FIX-UPSTREAM shim-mokmanager-delete-bs-var-right.patch -- Delete BootService non-volatile variables the right way
+Patch13: shim-mokmanager-delete-bs-var-right.patch
 # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
 Patch100: shim-opensuse-cert-prompt.patch
 BuildRequires: gnu-efi >= 3.0t
@@ -100,6 +102,7 @@ Authors:
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
+%patch13 -p1
 %patch100 -p1
 %build