Accepting request 224988 from home:gary_lin:branches:devel:openSUSE:Factory

- Add shim-mokmanager-delete-bs-var-right.patch to delete the BS+NV
  variables the right way
- Update shim-opensuse-cert-prompt.patch to delete openSUSE_Verify
  correctly

OBS-URL: https://build.opensuse.org/request/show/224988
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=66

shim-mokmanager-delete-bs-var-right.patch

@@ -0,0 +1,69 @@
+From 3c545d630917d76d91a8491f8759927f512e56f2 Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin <glin@suse.com>
+Date: Fri, 7 Mar 2014 16:56:14 +0800
+Subject: [PATCH] MokManager: delete the BS+NV variables the right way
+
+LibDeleteVariable assumes that the variable is RT+NV and it
+won't work on a BS+NV variable.
+
+Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
+---
+ MokManager.c | 28 +++++++++++++++++++++++++---
+ 1 file changed, 25 insertions(+), 3 deletions(-)
+
+diff --git a/MokManager.c b/MokManager.c
+index f5ed379..4ea28ef 100644
+--- a/MokManager.c
++++ b/MokManager.c
+@@ -1112,7 +1112,16 @@ static INTN mok_sb_prompt (void *MokSB, UINTN MokSBSize) {
+ 			return -1;
+ 		}
+ 	} else {
+-		LibDeleteVariable(L"MokSBState", &shim_lock_guid);
++		efi_status = uefi_call_wrapper(RT->SetVariable,
++					       5, L"MokSBState",
++					       &shim_lock_guid,
++					       EFI_VARIABLE_NON_VOLATILE |
++					       EFI_VARIABLE_BOOTSERVICE_ACCESS,
++					       0, NULL);
++		if (efi_status != EFI_SUCCESS) {
++			console_notify(L"Failed to delete Secure Boot state");
++			return -1;
++		}
+ 	}
+ 
+ 	console_notify(L"The system must now be rebooted");
+@@ -1224,7 +1233,16 @@ static INTN mok_db_prompt (void *MokDB, UINTN MokDBSize) {
+ 			return -1;
+ 		}
+ 	} else {
+-		LibDeleteVariable(L"MokDBState", &shim_lock_guid);
++		efi_status = uefi_call_wrapper(RT->SetVariable, 5,
++					       L"MokDBState",
++					       &shim_lock_guid,
++					       EFI_VARIABLE_NON_VOLATILE |
++					       EFI_VARIABLE_BOOTSERVICE_ACCESS,
++					       0, NULL);
++		if (efi_status != EFI_SUCCESS) {
++			console_notify(L"Failed to delete DB state");
++			return -1;
++		}
+ 	}
+ 
+ 	console_notify(L"The system must now be rebooted");
+@@ -1261,7 +1279,11 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) {
+ 		if (console_yes_no((CHAR16 *[]){L"Clear MOK password?", NULL}) == 0)
+ 			return 0;
+ 
+-		LibDeleteVariable(L"MokPWStore", &shim_lock_guid);
++		uefi_call_wrapper(RT->SetVariable, 5, L"MokPWStore",
++				  &shim_lock_guid,
++				  EFI_VARIABLE_NON_VOLATILE
++				  | EFI_VARIABLE_BOOTSERVICE_ACCESS,
++				  0, NULL);
+ 		LibDeleteVariable(L"MokPW", &shim_lock_guid);
+ 		console_notify(L"The system must now be rebooted");
+ 		uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm, EFI_SUCCESS, 0,
+-- 
+1.8.4.5
+

shim-opensuse-cert-prompt.patch

@@ -1,7 +1,7 @@
 From 2082ad15e0b3413845a1ddc10c2953dcd95beb83 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Tue, 18 Feb 2014 17:29:19 +0800
-Subject: [PATCH 1/2] Show the build-in certificate prompt
+Subject: [PATCH 1/3] Show the build-in certificate prompt
 
 This is an openSUSE-only patch.
 
@@ -191,7 +191,7 @@ index 0b20191..a483ce3 100644
 From 57b6062bc614d5638e66f8c5ac62106b812c6d1a Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Thu, 20 Feb 2014 16:57:08 +0800
-Subject: [PATCH 2/2] Support revoking the openSUSE cert
+Subject: [PATCH 2/3] Support revoking the openSUSE cert
 
 This is an openSUSE-only patch.
 
@@ -356,3 +356,35 @@ index a483ce3..3b00e6c 100644
 -- 
 1.8.4.5
 
+
+From 8d1fc876a8117bdfa2d1e8975725e03660eadc7c Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin <glin@suse.com>
+Date: Fri, 7 Mar 2014 16:17:20 +0800
+Subject: [PATCH 3/3] Delete openSUSE_Verify the right way
+
+This is an openSUSE-only patch.
+
+LibDeleteVariable only works on the runtime variables.
+---
+ MokManager.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/MokManager.c b/MokManager.c
+index a03eea4..d4f107d 100644
+--- a/MokManager.c
++++ b/MokManager.c
+@@ -1584,7 +1584,10 @@ static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) {
+ 	if (status != EFI_SUCCESS)
+ 		return -1;
+ 
+-	status = LibDeleteVariable(L"openSUSE_Verify", &shim_lock_guid);
++	status = uefi_call_wrapper(RT->SetVariable, 5,
++				   L"openSUSE_Verify", &shim_lock_guid,
++				   EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,
++				   0, NULL);
+ 	if (status != EFI_SUCCESS) {
+ 		console_error(L"Failed to delete openSUSE_Verify", status);
+ 		return -1;
+-- 
+1.8.4.5
+

shim.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Fri Mar  7 09:09:12 UTC 2014 - glin@suse.com
+
+- Add shim-mokmanager-delete-bs-var-right.patch to delete the BS+NV
+  variables the right way
+- Update shim-opensuse-cert-prompt.patch to delete openSUSE_Verify
+  correctly
+
 -------------------------------------------------------------------
 Thu Mar  6 07:37:57 UTC 2014 - glin@suse.com
 

shim.spec

@@ -64,6 +64,8 @@ Patch10:        shim-bnc863205-mokmanager-fix-hash-delete.patch
 Patch11:        shim-fallback-avoid-duplicate-bootorder.patch
 # PATCH-FIX-UPSTREAM shim-allow-fallback-use-system-loadimage.patch -- Handle the shim protocol properly to keep only one protocol entity
 Patch12:        shim-allow-fallback-use-system-loadimage.patch
+# PATCH-FIX-UPSTREAM shim-mokmanager-delete-bs-var-right.patch -- Delete BootService non-volatile variables the right way
+Patch13:        shim-mokmanager-delete-bs-var-right.patch
 # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
 Patch100:       shim-opensuse-cert-prompt.patch
 BuildRequires:  gnu-efi >= 3.0t
@@ -100,6 +102,7 @@ Authors:
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
+%patch13 -p1
 %patch100 -p1
 
 %build