From d6b79f1fb691611cb9f42997f65575735c24eb83e07bdc0d637d486fd4808b15 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin
Date: Tue, 3 Jun 2014 02:49:47 +0000
Subject: [PATCH] Accepting request 236110 from home:gary_lin:branches:devel:openSUSE:Factory
- remove the unused variables
- check the encoding of the keys (bnc#872503)
- fetch the netboot image from the same device (bnc#877003)
- Refresh shim-opensuse-cert-prompt.patch
OBS-URL: https://build.opensuse.org/request/show/236110
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=76
---
 shim-bnc872503-check-key-encoding.patch | 140 +++++++++++++++++
 ...bnc877003-fetch-from-the-same-device.patch | 144 ++++++++++++++++++
 shim-opensuse-cert-prompt.patch | 50 +++---
 shim-remove-unused-variables.patch | 63 ++++++++
 shim.changes | 11 ++
 shim.spec | 9 ++
 6 files changed, 392 insertions(+), 25 deletions(-)
 create mode 100644 shim-bnc872503-check-key-encoding.patch
 create mode 100644 shim-bnc877003-fetch-from-the-same-device.patch
 create mode 100644 shim-remove-unused-variables.patch
diff --git a/shim-bnc872503-check-key-encoding.patch b/shim-bnc872503-check-key-encoding.patch
new file mode 100644
index 0000000..9983a33
--- /dev/null
+++ b/shim-bnc872503-check-key-encoding.patch
@@ -0,0 +1,140 @@
+From a7246827074c6c17fa15c696ad48ff1ff1a2b4d2 Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin
+Date: Tue, 27 May 2014 17:42:00 +0800
+Subject: [PATCH] Check the first 4 bytes of the certificate
+
+A non-DER encoding x509 certificate may be mistakenly enrolled into
+db or MokList. This commit checks the first 4 bytes of the certificate
+to ensure that it's DER encoding.
+
+This commit also removes the iteration of the x509 signature list.
+Per UEFI SPEC, each x509 signature list contains only one x509 certificate.
+Besides, the size of certificate is incorrect. The size of the header must
+be substracted from the signature size.
+
+Signed-off-by: Gary Ching-Pang Lin
+---
+ MokManager.c | 23 +++++++++++++++++++++--
+ shim.c | 45 +++++++++++++++++++++++++++++++--------------
+ 2 files changed, 52 insertions(+), 16 deletions(-)
+
+diff --git a/MokManager.c b/MokManager.c
+index 3da61f4..c9fbbac 100644
+--- a/MokManager.c
++++ b/MokManager.c
+@@ -1306,11 +1306,30 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) {
+ return -1;
+ }
+
+-static BOOLEAN verify_certificate(void *cert, UINTN size)
++static BOOLEAN verify_certificate(UINT8 *cert, UINTN size)
+ {
+ X509 *X509Cert;
+- if (!cert || size == 0)
++ UINTN length;
++ if (!cert || size < 0)
++ return FALSE;
++
++ /*
++ * A DER encoding x509 certificate starts with SEQUENCE(0x30),
++ * the number of length bytes, and the number of value bytes.
++ * The size of a x509 certificate is usually between 127 bytes
++ * and 64KB. For convenience, assume the number of value bytes
++ * is 2, i.e. the second byte is 0x82.
++ */
++ if (cert[0] != 0x30 || cert[1] != 0x82) {
++ console_notify(L"Not a DER encoding X509 certificate");
+ return FALSE;
++ }
++
++ length = (cert[2]<<8 | cert[3]);
++ if (length != (size - 4)) {
++ console_notify(L"Invalid X509 certificate: Inconsistent size");
++ return FALSE;
++ }
+
+ if (!(X509ConstructCertificate(cert, size, (UINT8 **) &X509Cert)) ||
+ X509Cert == NULL) {
+diff --git a/shim.c b/shim.c
+index 48a6f2f..e674079 100644
+--- a/shim.c
++++ b/shim.c
+@@ -226,44 +226,61 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context,
+ return EFI_SUCCESS;
+ }
+
++static BOOLEAN verify_x509(UINT8 *Cert, UINTN CertSize)
++{
++ UINTN length;
++
++ if (!Cert || CertSize < 4)
++ return FALSE;
++
++ /*
++ * A DER encoding x509 certificate starts with SEQUENCE(0x30),
++ * the number of length bytes, and the number of value bytes.
++ * The size of a x509 certificate is usually between 127 bytes
++ * and 64KB. For convenience, assume the number of value bytes
++ * is 2, i.e. the second byte is 0x82.
++ */
++ if (Cert[0] != 0x30 || Cert[1] != 0x82)
++ return FALSE;
++
++ length = Cert[2]<<8 | Cert[3];
++ if (length != (CertSize - 4))
++ return FALSE;
++
++ return TRUE;
++}
++
+ static CHECK_STATUS check_db_cert_in_ram(EFI_SIGNATURE_LIST *CertList,
+ UINTN dbsize,
+ WIN_CERTIFICATE_EFI_PKCS *data,
+ UINT8 *hash)
+ {
+ EFI_SIGNATURE_DATA *Cert;
+- UINTN CertCount, Index;
++ UINTN CertSize;
+ BOOLEAN IsFound = FALSE;
+ EFI_GUID CertType = X509_GUID;
+
+ while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
+ if (CompareGuid (&CertList->SignatureType, &CertType) == 0) {
+- CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
+ Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
+- for (Index = 0; Index < CertCount; Index++) {
++ CertSize = CertList->SignatureSize - sizeof(EFI_GUID);
++ if (verify_x509(Cert->SignatureData, CertSize)) {
+ IsFound = AuthenticodeVerify (data->CertData,
+ data->Hdr.dwLength - sizeof(data->Hdr),
+ Cert->SignatureData,
+- CertList->SignatureSize,
++ CertSize,
+ hash, SHA256_DIGEST_SIZE);
+ if (IsFound)
+- break;
+-
+- Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize);
++ return DATA_FOUND;
++ } else if (verbose) {
++ console_notify(L"Not a DER encoding x.509 Certificate");
+ }
+-
+ }
+
+- if (IsFound)
+- break;
+-
+ dbsize -= CertList->SignatureListSize;
+ CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);
+ }
+
+- if (IsFound)
+- return DATA_FOUND;
+-
+ return DATA_NOT_FOUND;
+ }
+
+-- 
+1.8.4.5
+
diff --git a/shim-bnc877003-fetch-from-the-same-device.patch b/shim-bnc877003-fetch-from-the-same-device.patch
new file mode 100644
index 0000000..0457fb1
--- /dev/null
+++ b/shim-bnc877003-fetch-from-the-same-device.patch
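Review bot: In the MokManager.c part of this added patch, `if (!cert || size < 0)` can never reject on size because `size` is a `UINTN`, and the old `size == 0` guard is removed, so a buffer shorter than four bytes still reaches the reads of `cert[0]` through `cert[3]`. The shim.c helper `verify_x509` in the same patch uses the correct bound, so the MokManager.c check should read `if (!cert || size < 4)`. In `check_db_cert_in_ram`, `CertList->SignatureSize - sizeof(EFI_GUID)` wraps when a malformed list carries a SignatureSize smaller than the GUID, and the wrapped value passes the `CertSize < 4` test; skipping the list when `CertList->SignatureSize <= sizeof(EFI_GUID)` before computing `CertSize` would keep the header reads inside the entry. Removing the per-list loop also means any further certificates packed into one X509 signature list are no longer checked, which deserves a comment at that spot if it is intended. The body of `verify_certificate` continues outside the inner hunk.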
@@ -0,0 +1,144 @@
+From cd92dd17fa990856d7d94f1fbb9cf08a4640915f Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin
+Date: Tue, 27 May 2014 14:12:32 +0800
+Subject: [PATCH] Fetch the netboot image from the same device
+
+The previous strategy is to locate the first available PXE_BASE_CODE
+protocol and to fetch the second stage image from it, and this may
+cause shim to fetch the wrong second stage image, i.e. grub.efi.
+
+Consider the machine with the following boot order:
+1. PXE Boot
+2. Hard Drive
+
+Assume that the EFI image, e.g. bootx64.efi, in the PXE server is
+broken, then "PXE Boot" will fail and fallback to "Hard Drive". While
+shim.efi in "Hard Drive" is loaded, it will find the PXE protocol is
+available and fetch grub.efi from the PXE server, not grub.efi in the
+disk.
+
+This commit checks the DeviceHandle from Loaded Image. If the device
+supports PXE, then shim fetches grub.efi with the PXE protocol. Otherwise,
+shim loads grub.efi from the disk.
+
+Signed-off-by: Gary Ching-Pang Lin
+---
+ netboot.c | 77 +++++++++++++--------------------------------------------------
+ shim.c | 2 +-
+ 2 files changed, 17 insertions(+), 62 deletions(-)
+
+diff --git a/netboot.c b/netboot.c
+index 07e2773..5ef53f7 100644
+--- a/netboot.c
++++ b/netboot.c
+@@ -85,78 +85,33 @@ translate_slashes(char *str)
+ * Returns TRUE if we identify a protocol that is enabled and Providing us with
+ * the needed information to fetch a grubx64.efi image
+ */
+-BOOLEAN findNetboot(EFI_HANDLE image_handle)
++BOOLEAN findNetboot(EFI_HANDLE device)
+ {
+- UINTN bs = sizeof(EFI_HANDLE);
+- EFI_GUID pxe_base_code_protocol = EFI_PXE_BASE_CODE_PROTOCOL;
+- EFI_HANDLE *hbuf;
+- BOOLEAN rc = FALSE;
+- void *buffer = AllocatePool(bs);
+- UINTN errcnt = 0;
+- UINTN i;
+ EFI_STATUS status;
+
+- if (!buffer)
++ status = uefi_call_wrapper(BS->HandleProtocol, 3, device,
++ &PxeBaseCodeProtocol, (VOID **)&pxe);
++ if (status != EFI_SUCCESS) {
++ pxe = NULL;
+ return FALSE;
+-
+-try_again:
+- status = uefi_call_wrapper(BS->LocateHandle,5, ByProtocol,
+- &pxe_base_code_protocol, NULL, &bs,
+- buffer);
+-
+- if (status == EFI_BUFFER_TOO_SMALL) {
+- errcnt++;
+- FreePool(buffer);
+- if (errcnt > 1)
+- return FALSE;
+- buffer = AllocatePool(bs);
+- if (!buffer)
+- return FALSE;
+- goto try_again;
+ }
+
+- if (status == EFI_NOT_FOUND) {
+- FreePool(buffer);
++ if (!pxe || !pxe->Mode) {
++ pxe = NULL;
+ return FALSE;
+ }
+
+- /*
+- * We have a list of pxe supporting protocols, lets see if any are
+- * active
+- */
+- hbuf = buffer;
+- pxe = NULL;
+- for (i=0; i < (bs / sizeof(EFI_HANDLE)); i++) {
+- status = uefi_call_wrapper(BS->OpenProtocol, 6, hbuf[i],
+- &pxe_base_code_protocol,
+- (void **)&pxe, image_handle, NULL,
+- EFI_OPEN_PROTOCOL_GET_PROTOCOL);
+-
+- if (status != EFI_SUCCESS) {
+- pxe = NULL;
+- continue;
+- }
+-
+- if (!pxe || !pxe->Mode) {
+- pxe = NULL;
+- continue;
+- }
+-
+- if (pxe->Mode->Started && pxe->Mode->DhcpAckReceived) {
+- /*
+- * We've located a pxe protocol handle thats been
+- * started and has received an ACK, meaning its
+- * something we'll be able to get tftp server info
+- * out of
+- */
+- rc = TRUE;
+- break;
+- }
+-
++ if (!pxe->Mode->Started || !pxe->Mode->DhcpAckReceived) {
++ pxe = NULL;
++ return FALSE;
+ }
+
+- FreePool(buffer);
+- return rc;
++ /*
++ * We've located a pxe protocol handle thats been started and has
++ * received an ACK, meaning its something we'll be able to get
++ * tftp server info out of
++ */
++ return TRUE;
+ }
+
+ static CHAR8 *get_v6_bootfile_url(EFI_PXE_BASE_CODE_DHCPV6_PACKET *pkt)
+diff --git a/shim.c b/shim.c
+index 48a6f2f..d8699f9 100644
+--- a/shim.c
++++ b/shim.c
+@@ -1373,7 +1373,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath)
+ goto done;
+ }
+
+- if (findNetboot(image_handle)) {
++ if (findNetboot(li->DeviceHandle)) {
+ efi_status = parseNetbootinfo(image_handle);
+ if (efi_status != EFI_SUCCESS) {
+ Print(L"Netboot parsing failed: %r\n", efi_status);
+-- 
+1.8.4.5 + diff --git a/shim-opensuse-cert-prompt.patch b/shim-opensuse-cert-prompt.patch index a7bba19..e48c1c4 100644 --- a/shim-opensuse-cert-prompt.patch +++ b/shim-opensuse-cert-prompt.patch @@ -1,4 +1,4 @@ -From 2082ad15e0b3413845a1ddc10c2953dcd95beb83 Mon Sep 17 00:00:00 2001 +From b13d18d4069032ccf6c885774e9eada6a1d80ddd Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Tue, 18 Feb 2014 17:29:19 +0800 Subject: [PATCH 1/3] Show the build-in certificate prompt @@ -21,7 +21,7 @@ The state will store in use_openSUSE_cert, a volatile RT variable. 1 file changed, 97 insertions(+), 19 deletions(-) diff --git a/shim.c b/shim.c -index 0b20191..a483ce3 100644 +index 3921028..1335d61 100644 --- a/shim.c +++ b/shim.c @@ -82,6 +82,7 @@ UINT8 *vendor_dbx; @@ -32,7 +32,7 @@ index 0b20191..a483ce3 100644 #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }} -@@ -752,7 +753,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, +@@ -769,7 +770,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, if (status == EFI_SUCCESS) return status; @@ -41,7 +41,7 @@ index 0b20191..a483ce3 100644 /* * Check against the shim build key */ -@@ -1418,11 +1419,14 @@ EFI_STATUS mirror_mok_list() +@@ -1430,11 +1431,14 @@ EFI_STATUS mirror_mok_list() if (efi_status != EFI_SUCCESS) DataSize = 0; @@ -61,7 +61,7 @@ index 0b20191..a483ce3 100644 FullData = AllocatePool(FullDataSize); if (!FullData) { Print(L"Failed to allocate space for MokListRT\n"); -@@ -1434,21 +1438,24 @@ EFI_STATUS mirror_mok_list() +@@ -1446,21 +1450,24 @@ EFI_STATUS mirror_mok_list() CopyMem(p, Data, DataSize); p += DataSize; } @@ -99,7 +99,7 @@ index 0b20191..a483ce3 100644 efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokListRT", &shim_lock_guid, -@@ -1767,6 +1774,75 @@ uninstall_shim_protocols(void) +@@ -1779,6 +1786,75 @@ uninstall_shim_protocols(void) &shim_lock_guid, &shim_lock_interface); } 
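Review bot: The comment kept above `findNetboot` in the netboot.c part of the fetch-from-the-same-device patch still says the function returns TRUE "if we identify a protocol that is enabled", which described the old search over every PXE handle rather than the new single-handle check. The rewritten body only queries the `device` handle it is given and leaves `pxe`, which is declared outside the function, set on success and NULL on every failure path. I would reword the comment to say so, for example `/* Returns TRUE if the device the image was loaded from has a started PXE base code protocol with a DHCP ACK; sets pxe on success, NULL otherwise */`, so a later caller does not pass an image handle again.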
@@ -175,7 +175,7 @@ index 0b20191..a483ce3 100644 EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) { EFI_STATUS efi_status; -@@ -1819,6 +1895,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) +@@ -1831,6 +1907,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) */ hook_system_services(systab); loader_is_participating = 0; @@ -188,7 +188,7 @@ index 0b20191..a483ce3 100644 1.8.4.5 -From 57b6062bc614d5638e66f8c5ac62106b812c6d1a Mon Sep 17 00:00:00 2001 +From 6a53209ece97f3e1ca34b73473b5bc57284bd669 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 20 Feb 2014 16:57:08 +0800 Subject: [PATCH 2/3] Support revoking the openSUSE cert @@ -204,10 +204,10 @@ will show up with an additional option to clear openSUSE_Verify 2 files changed, 60 insertions(+), 3 deletions(-) diff --git a/MokManager.c b/MokManager.c -index 71a3137..a03eea4 100644 +index dbfb67a..c6589e9 100644 --- a/MokManager.c +++ b/MokManager.c -@@ -1570,6 +1570,33 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) { +@@ -1701,6 +1701,33 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) { return -1; } @@ -238,10 +238,10 @@ index 71a3137..a03eea4 100644 + return -1; +} + - static BOOLEAN verify_certificate(void *cert, UINTN size) + static BOOLEAN verify_certificate(UINT8 *cert, UINTN size) { X509 *X509Cert; -@@ -1903,6 +1930,7 @@ typedef enum { +@@ -2053,6 +2080,7 @@ typedef enum { MOK_CHANGE_SB, MOK_SET_PW, MOK_CHANGE_DB, @@ -249,7 +249,7 @@ index 71a3137..a03eea4 100644 MOK_KEY_ENROLL, MOK_HASH_ENROLL } mok_menu_item; -@@ -1914,7 +1942,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, +@@ -2064,7 +2092,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, void *MokPW, UINTN MokPWSize, void *MokDB, UINTN MokDBSize, void *MokXNew, UINTN MokXNewSize, 
@@ -259,7 +259,7 @@ index 71a3137..a03eea4 100644 { CHAR16 **menu_strings; mok_menu_item *menu_item; -@@ -1988,6 +2017,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, +@@ -2138,6 +2167,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, if (MokDB) menucount++; @@ -269,7 +269,7 @@ index 71a3137..a03eea4 100644 menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (menucount + 1)); if (!menu_strings) -@@ -2057,6 +2089,12 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, +@@ -2207,6 +2239,12 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, i++; } @@ -282,7 +282,7 @@ index 71a3137..a03eea4 100644 menu_strings[i] = L"Enroll key from disk"; menu_item[i] = MOK_KEY_ENROLL; i++; -@@ -2107,6 +2145,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, +@@ -2257,6 +2295,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, case MOK_CHANGE_DB: mok_db_prompt(MokDB, MokDBSize); break; @@ -292,7 +292,7 @@ index 71a3137..a03eea4 100644 case MOK_KEY_ENROLL: mok_key_enroll(); break; -@@ -2132,6 +2173,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) +@@ -2282,6 +2323,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; UINTN MokNewSize = 0, MokDelSize = 0, MokSBSize = 0, MokPWSize = 0; UINTN MokDBSize = 0, MokXNewSize = 0, MokXDelSize = 0; @@ -300,7 +300,7 @@ index 71a3137..a03eea4 100644 void *MokNew = NULL; void *MokDel = NULL; void *MokSB = NULL; -@@ -2139,6 +2181,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) +@@ -2289,6 +2331,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) void *MokDB = NULL; void *MokXNew = NULL; void *MokXDel = NULL; 
@@ -308,7 +308,7 @@ index 71a3137..a03eea4 100644 EFI_STATUS status; status = get_variable(L"MokNew", (UINT8 **)&MokNew, &MokNewSize, -@@ -2211,9 +2254,20 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) +@@ -2361,9 +2404,20 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) console_error(L"Could not retrieve MokXDel", status); } @@ -330,7 +330,7 @@ index 71a3137..a03eea4 100644 if (MokNew) FreePool (MokNew); -@@ -2236,6 +2290,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) +@@ -2386,6 +2440,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) if (MokXDel) FreePool (MokXDel); @@ -341,10 +341,10 @@ index 71a3137..a03eea4 100644 LibDeleteVariable(L"MokDelAuth", &shim_lock_guid); LibDeleteVariable(L"MokXAuth", &shim_lock_guid); diff --git a/shim.c b/shim.c -index a483ce3..3b00e6c 100644 +index 1335d61..3c7cbe8 100644 --- a/shim.c +++ b/shim.c -@@ -1529,7 +1529,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle) +@@ -1541,7 +1541,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle) check_var(L"MokPW") || check_var(L"MokAuth") || check_var(L"MokDel") || check_var(L"MokDB") || check_var(L"MokXNew") || check_var(L"MokXDel") || @@ -357,7 +357,7 @@ index a483ce3..3b00e6c 100644 1.8.4.5 -From 8d1fc876a8117bdfa2d1e8975725e03660eadc7c Mon Sep 17 00:00:00 2001 +From 437fb0feb6fd0dd321bd4e4cdbbf0095bda5f715 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Fri, 7 Mar 2014 16:17:20 +0800 Subject: [PATCH 3/3] Delete openSUSE_Verify the right way @@ -370,10 +370,10 @@ LibDeleteVariable only works on the runtime variables. 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/MokManager.c b/MokManager.c -index a03eea4..d4f107d 100644 +index c6589e9..a08385a 100644 --- a/MokManager.c 
+++ b/MokManager.c -@@ -1584,7 +1584,10 @@ static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) { +@@ -1715,7 +1715,10 @@ static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) { if (status != EFI_SUCCESS) return -1; diff --git a/shim-remove-unused-variables.patch b/shim-remove-unused-variables.patch new file mode 100644 index 0000000..77db23c --- /dev/null +++ b/shim-remove-unused-variables.patch 
@@ -0,0 +1,63 @@
+From c5d0105fb66be43c0f5f96778e750e9cf7a2cdce Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin
+Date: Mon, 26 May 2014 16:49:10 +0800
+Subject: [PATCH] Remove grubpath in generate_path()
+
+The variable is not used anymore.
+
+Signed-off-by: Gary Ching-Pang Lin
+---
+ shim.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/shim.c b/shim.c
+index 0b20191..7966cbd 100644
+--- a/shim.c
++++ b/shim.c
+@@ -1060,16 +1060,14 @@ should_use_fallback(EFI_HANDLE image_handle)
+ * of the executable
+ */
+ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, CHAR16 *ImagePath,
+- EFI_DEVICE_PATH **grubpath, CHAR16 **PathName)
++ CHAR16 **PathName)
+ {
+ EFI_DEVICE_PATH *devpath;
+- EFI_HANDLE device;
+ int i, j, last = -1;
+ unsigned int pathlen = 0;
+ EFI_STATUS efi_status = EFI_SUCCESS;
+ CHAR16 *bootpath;
+
+- device = li->DeviceHandle;
+ devpath = li->FilePath;
+
+ bootpath = DevicePathToStr(devpath);
+@@ -1122,8 +1120,6 @@ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, CHAR16 *ImagePath,
+ StrCat(*PathName, bootpath);
+ StrCat(*PathName, ImagePath);
+
+- *grubpath = FileDevicePath(device, *PathName);
+-
+ error:
+ FreePool(bootpath);
+
+@@ -1286,7 +1282,6 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath)
+ EFI_GUID loaded_image_protocol = LOADED_IMAGE_PROTOCOL;
+ EFI_STATUS efi_status;
+ EFI_LOADED_IMAGE *li, li_bak;
+- EFI_DEVICE_PATH *path;
+ CHAR16 *PathName = NULL;
+ void *sourcebuffer = NULL;
+ UINT64 sourcesize = 0;
+@@ -1308,7 +1303,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath)
+ /*
+ * Build a new path from the existing one plus the executable name
+ */
+- efi_status = generate_path(li, ImagePath, &path, &PathName);
++ efi_status = generate_path(li, ImagePath, &PathName);
+
+ if (efi_status != EFI_SUCCESS) {
+ Print(L"Unable to generate path %s: %r\n", ImagePath, efi_status);
+-- 
+1.8.4.5
+
diff --git a/shim.changes b/shim.changes
index 73cc914..29afcc1 100644
--- a/shim.changes
+++ b/shim.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Wed May 28 04:13:33 UTC 2014 - glin@suse.com
+
+- Add shim-remove-unused-variables.patch to remove the unused
+ variables
+- Add shim-bnc872503-check-key-encoding.patch to check the encoding
+ of the keys (bnc#872503)
+- Add shim-bnc877003-fetch-from-the-same-device.patch to fetch the
+ netboot image from the same device (bnc#877003)
+- Refresh shim-opensuse-cert-prompt.patch
+
 -------------------------------------------------------------------
 Wed May 14 09:39:02 UTC 2014 - glin@suse.com
diff --git a/shim.spec b/shim.spec
index a4a9650..8af920c 100644
--- a/shim.spec
+++ b/shim.spec
@@ -70,6 +70,12 @@ Patch13: shim-mokmanager-delete-bs-var-right.patch
 Patch14: shim-fix-uninitialized-variable.patch
 # PATCH-FIX-UPSTREAM shim-mokmanager-support-sha-family.patch glin@suse.com -- Support SHA hashes in MOK
 Patch15: shim-mokmanager-support-sha-family.patch
+# PATCH-FIX-UPSTREAM shim-remove-unused-variables.patch glin@suse.com -- Remove unused variables
+Patch16: shim-remove-unused-variables.patch
+# PATCH-FIX-UPSTREAM shim-bnc872503-check-key-encoding.patch bnc#872503 glin@suse.com -- Check the key encoding before using it
+Patch17: shim-bnc872503-check-key-encoding.patch
+# PATCH-FIX-UPSTREAM shim-bnc877003-fetch-from-the-same-device.patch bnc#877003 glin@suse.com -- Fetch the netboot image from the same device
+Patch18: shim-bnc877003-fetch-from-the-same-device.patch
 # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
 Patch100: shim-opensuse-cert-prompt.patch
 BuildRequires: gnu-efi >= 3.0t
@@ -109,6 +115,9 @@ Authors:
 %patch13 -p1
 %patch14 -p1
 %patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
 %patch100 -p1
 %build