Accepting request 236110 from home:gary_lin:branches:devel:openSUSE:Factory

- remove the unused variables
- check the encoding of the keys (bnc#872503)
- fetch the netboot image from the same device (bnc#877003)
- Refresh shim-opensuse-cert-prompt.patch

OBS-URL: https://build.opensuse.org/request/show/236110
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=76
Gary Ching-Pang Lin 2014-06-03 02:49:47 +00:00 committed by Git OBS Bridge
parent e0970dfd6a
commit d6b79f1fb6
6 changed files with 392 additions and 25 deletions


@ -0,0 +1,140 @@
From a7246827074c6c17fa15c696ad48ff1ff1a2b4d2 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 27 May 2014 17:42:00 +0800
Subject: [PATCH] Check the first 4 bytes of the certificate
A non-DER encoding x509 certificate may be mistakenly enrolled into
db or MokList. This commit checks the first 4 bytes of the certificate
to ensure that it's DER encoding.
This commit also removes the iteration of the x509 signature list.
Per UEFI SPEC, each x509 signature list contains only one x509 certificate.
Besides, the size of certificate is incorrect. The size of the header must
be substracted from the signature size.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
MokManager.c | 23 +++++++++++++++++++++--
shim.c | 45 +++++++++++++++++++++++++++++++--------------
2 files changed, 52 insertions(+), 16 deletions(-)
diff --git a/MokManager.c b/MokManager.c
index 3da61f4..c9fbbac 100644
--- a/MokManager.c
+++ b/MokManager.c
@@ -1306,11 +1306,30 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) {
return -1;
}
-static BOOLEAN verify_certificate(void *cert, UINTN size)
+static BOOLEAN verify_certificate(UINT8 *cert, UINTN size)
{
X509 *X509Cert;
- if (!cert || size == 0)
+ UINTN length;
+ if (!cert || size < 0)
+ return FALSE;
+
+ /*
+ * A DER encoding x509 certificate starts with SEQUENCE(0x30),
+ * the number of length bytes, and the number of value bytes.
+ * The size of a x509 certificate is usually between 127 bytes
+ * and 64KB. For convenience, assume the number of value bytes
+ * is 2, i.e. the second byte is 0x82.
+ */
+ if (cert[0] != 0x30 || cert[1] != 0x82) {
+ console_notify(L"Not a DER encoding X509 certificate");
return FALSE;
+ }
+
+ length = (cert[2]<<8 | cert[3]);
+ if (length != (size - 4)) {
+ console_notify(L"Invalid X509 certificate: Inconsistent size");
+ return FALSE;
+ }
if (!(X509ConstructCertificate(cert, size, (UINT8 **) &X509Cert)) ||
X509Cert == NULL) {
diff --git a/shim.c b/shim.c
index 48a6f2f..e674079 100644
--- a/shim.c
+++ b/shim.c
@@ -226,44 +226,61 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context,
return EFI_SUCCESS;
}
+static BOOLEAN verify_x509(UINT8 *Cert, UINTN CertSize)
+{
+ UINTN length;
+
+ if (!Cert || CertSize < 4)
+ return FALSE;
+
+ /*
+ * A DER encoding x509 certificate starts with SEQUENCE(0x30),
+ * the number of length bytes, and the number of value bytes.
+ * The size of a x509 certificate is usually between 127 bytes
+ * and 64KB. For convenience, assume the number of value bytes
+ * is 2, i.e. the second byte is 0x82.
+ */
+ if (Cert[0] != 0x30 || Cert[1] != 0x82)
+ return FALSE;
+
+ length = Cert[2]<<8 | Cert[3];
+ if (length != (CertSize - 4))
+ return FALSE;
+
+ return TRUE;
+}
+
static CHECK_STATUS check_db_cert_in_ram(EFI_SIGNATURE_LIST *CertList,
UINTN dbsize,
WIN_CERTIFICATE_EFI_PKCS *data,
UINT8 *hash)
{
EFI_SIGNATURE_DATA *Cert;
- UINTN CertCount, Index;
+ UINTN CertSize;
BOOLEAN IsFound = FALSE;
EFI_GUID CertType = X509_GUID;
while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) {
if (CompareGuid (&CertList->SignatureType, &CertType) == 0) {
- CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize);
- for (Index = 0; Index < CertCount; Index++) {
+ CertSize = CertList->SignatureSize - sizeof(EFI_GUID);
+ if (verify_x509(Cert->SignatureData, CertSize)) {
IsFound = AuthenticodeVerify (data->CertData,
data->Hdr.dwLength - sizeof(data->Hdr),
Cert->SignatureData,
- CertList->SignatureSize,
+ CertSize,
hash, SHA256_DIGEST_SIZE);
if (IsFound)
- break;
-
- Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) Cert + CertList->SignatureSize);
+ return DATA_FOUND;
+ } else if (verbose) {
+ console_notify(L"Not a DER encoding x.509 Certificate");
}
-
}
- if (IsFound)
- break;
-
dbsize -= CertList->SignatureListSize;
CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + CertList->SignatureListSize);
}
- if (IsFound)
- return DATA_FOUND;
-
return DATA_NOT_FOUND;
}
--
1.8.4.5
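Review bot: In the MokManager.c hunk the guard `if (!cert || size < 0)` can never reject on size, because `size` is a `UINTN` and therefore unsigned; the old `size == 0` test is gone, so `cert[0]` through `cert[3]` are read even when fewer than four bytes were supplied. The guard should match the new `verify_x509()` in shim.c: `if (!cert || size < 4)`. In `check_db_cert_in_ram()`, `CertSize = CertList->SignatureSize - sizeof(EFI_GUID)` wraps when a malformed signature list has a `SignatureSize` smaller than the GUID, so it is worth checking `CertList->SignatureSize > sizeof(EFI_GUID)` before the subtraction and skipping the list otherwise. The body of `verify_certificate()` continues past the end of its hunk.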


@ -0,0 +1,144 @@
From cd92dd17fa990856d7d94f1fbb9cf08a4640915f Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 27 May 2014 14:12:32 +0800
Subject: [PATCH] Fetch the netboot image from the same device
The previous strategy is to locate the first available PXE_BASE_CODE
protocol and to fetch the second stage image from it, and this may
cause shim to fetch the wrong second stage image, i.e. grub.efi.
Consider the machine with the following boot order:
1. PXE Boot
2. Hard Drive
Assume that the EFI image, e.g. bootx64.efi, in the PXE server is
broken, then "PXE Boot" will fail and fallback to "Hard Drive". While
shim.efi in "Hard Drive" is loaded, it will find the PXE protocol is
available and fetch grub.efi from the PXE server, not grub.efi in the
disk.
This commit checks the DeviceHandle from Loaded Image. If the device
supports PXE, then shim fetches grub.efi with the PXE protocol. Otherwise,
shim loads grub.efi from the disk.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
netboot.c | 77 +++++++++++++--------------------------------------------------
shim.c | 2 +-
2 files changed, 17 insertions(+), 62 deletions(-)
diff --git a/netboot.c b/netboot.c
index 07e2773..5ef53f7 100644
--- a/netboot.c
+++ b/netboot.c
@@ -85,78 +85,33 @@ translate_slashes(char *str)
* Returns TRUE if we identify a protocol that is enabled and Providing us with
* the needed information to fetch a grubx64.efi image
*/
-BOOLEAN findNetboot(EFI_HANDLE image_handle)
+BOOLEAN findNetboot(EFI_HANDLE device)
{
- UINTN bs = sizeof(EFI_HANDLE);
- EFI_GUID pxe_base_code_protocol = EFI_PXE_BASE_CODE_PROTOCOL;
- EFI_HANDLE *hbuf;
- BOOLEAN rc = FALSE;
- void *buffer = AllocatePool(bs);
- UINTN errcnt = 0;
- UINTN i;
EFI_STATUS status;
- if (!buffer)
+ status = uefi_call_wrapper(BS->HandleProtocol, 3, device,
+ &PxeBaseCodeProtocol, (VOID **)&pxe);
+ if (status != EFI_SUCCESS) {
+ pxe = NULL;
return FALSE;
-
-try_again:
- status = uefi_call_wrapper(BS->LocateHandle,5, ByProtocol,
- &pxe_base_code_protocol, NULL, &bs,
- buffer);
-
- if (status == EFI_BUFFER_TOO_SMALL) {
- errcnt++;
- FreePool(buffer);
- if (errcnt > 1)
- return FALSE;
- buffer = AllocatePool(bs);
- if (!buffer)
- return FALSE;
- goto try_again;
}
- if (status == EFI_NOT_FOUND) {
- FreePool(buffer);
+ if (!pxe || !pxe->Mode) {
+ pxe = NULL;
return FALSE;
}
- /*
- * We have a list of pxe supporting protocols, lets see if any are
- * active
- */
- hbuf = buffer;
- pxe = NULL;
- for (i=0; i < (bs / sizeof(EFI_HANDLE)); i++) {
- status = uefi_call_wrapper(BS->OpenProtocol, 6, hbuf[i],
- &pxe_base_code_protocol,
- (void **)&pxe, image_handle, NULL,
- EFI_OPEN_PROTOCOL_GET_PROTOCOL);
-
- if (status != EFI_SUCCESS) {
- pxe = NULL;
- continue;
- }
-
- if (!pxe || !pxe->Mode) {
- pxe = NULL;
- continue;
- }
-
- if (pxe->Mode->Started && pxe->Mode->DhcpAckReceived) {
- /*
- * We've located a pxe protocol handle thats been
- * started and has received an ACK, meaning its
- * something we'll be able to get tftp server info
- * out of
- */
- rc = TRUE;
- break;
- }
-
+ if (!pxe->Mode->Started || !pxe->Mode->DhcpAckReceived) {
+ pxe = NULL;
+ return FALSE;
}
- FreePool(buffer);
- return rc;
+ /*
+ * We've located a pxe protocol handle thats been started and has
+ * received an ACK, meaning its something we'll be able to get
+ * tftp server info out of
+ */
+ return TRUE;
}
static CHAR8 *get_v6_bootfile_url(EFI_PXE_BASE_CODE_DHCPV6_PACKET *pkt)
diff --git a/shim.c b/shim.c
index 48a6f2f..d8699f9 100644
--- a/shim.c
+++ b/shim.c
@@ -1373,7 +1373,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath)
goto done;
}
- if (findNetboot(image_handle)) {
+ if (findNetboot(li->DeviceHandle)) {
efi_status = parseNetbootinfo(image_handle);
if (efi_status != EFI_SUCCESS) {
Print(L"Netboot parsing failed: %r\n", efi_status);
--
1.8.4.5
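Review bot: The comment block above `findNetboot()` still describes identifying any enabled PXE protocol, but the new body only queries the handle passed in as `device` and leaves its result in `pxe`, which is not declared in the function and is presumably file-scope. I would update the header to something like `Returns TRUE if the given device handle exposes a PXE base code protocol that is started and has received a DHCP ACK; pxe is set on success and NULL otherwise.` The trailing comment `We've located a pxe protocol handle` could likewise say that the device the image was loaded from supports PXE. This is worth documenting because `start_image()` now relies on this result to decide whether the second stage comes from the network or from the disk.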


@ -1,4 +1,4 @@
From 2082ad15e0b3413845a1ddc10c2953dcd95beb83 Mon Sep 17 00:00:00 2001 From b13d18d4069032ccf6c885774e9eada6a1d80ddd Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com> From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 18 Feb 2014 17:29:19 +0800 Date: Tue, 18 Feb 2014 17:29:19 +0800
Subject: [PATCH 1/3] Show the build-in certificate prompt Subject: [PATCH 1/3] Show the build-in certificate prompt
@ -21,7 +21,7 @@ The state will store in use_openSUSE_cert, a volatile RT variable.
1 file changed, 97 insertions(+), 19 deletions(-) 1 file changed, 97 insertions(+), 19 deletions(-)
diff --git a/shim.c b/shim.c diff --git a/shim.c b/shim.c
index 0b20191..a483ce3 100644 index 3921028..1335d61 100644
--- a/shim.c --- a/shim.c
+++ b/shim.c +++ b/shim.c
@@ -82,6 +82,7 @@ UINT8 *vendor_dbx; @@ -82,6 +82,7 @@ UINT8 *vendor_dbx;
@ -32,7 +32,7 @@ index 0b20191..a483ce3 100644
#define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }} #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
@@ -752,7 +753,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, @@ -769,7 +770,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
if (status == EFI_SUCCESS) if (status == EFI_SUCCESS)
return status; return status;
@ -41,7 +41,7 @@ index 0b20191..a483ce3 100644
/* /*
* Check against the shim build key * Check against the shim build key
*/ */
@@ -1418,11 +1419,14 @@ EFI_STATUS mirror_mok_list() @@ -1430,11 +1431,14 @@ EFI_STATUS mirror_mok_list()
if (efi_status != EFI_SUCCESS) if (efi_status != EFI_SUCCESS)
DataSize = 0; DataSize = 0;
@ -61,7 +61,7 @@ index 0b20191..a483ce3 100644
FullData = AllocatePool(FullDataSize); FullData = AllocatePool(FullDataSize);
if (!FullData) { if (!FullData) {
Print(L"Failed to allocate space for MokListRT\n"); Print(L"Failed to allocate space for MokListRT\n");
@@ -1434,21 +1438,24 @@ EFI_STATUS mirror_mok_list() @@ -1446,21 +1450,24 @@ EFI_STATUS mirror_mok_list()
CopyMem(p, Data, DataSize); CopyMem(p, Data, DataSize);
p += DataSize; p += DataSize;
} }
@ -99,7 +99,7 @@ index 0b20191..a483ce3 100644
efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokListRT", efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokListRT",
&shim_lock_guid, &shim_lock_guid,
@@ -1767,6 +1774,75 @@ uninstall_shim_protocols(void) @@ -1779,6 +1786,75 @@ uninstall_shim_protocols(void)
&shim_lock_guid, &shim_lock_interface); &shim_lock_guid, &shim_lock_interface);
} }
@ -175,7 +175,7 @@ index 0b20191..a483ce3 100644
EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
{ {
EFI_STATUS efi_status; EFI_STATUS efi_status;
@@ -1819,6 +1895,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) @@ -1831,6 +1907,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
*/ */
hook_system_services(systab); hook_system_services(systab);
loader_is_participating = 0; loader_is_participating = 0;
@ -188,7 +188,7 @@ index 0b20191..a483ce3 100644
1.8.4.5 1.8.4.5
From 57b6062bc614d5638e66f8c5ac62106b812c6d1a Mon Sep 17 00:00:00 2001 From 6a53209ece97f3e1ca34b73473b5bc57284bd669 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com> From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 20 Feb 2014 16:57:08 +0800 Date: Thu, 20 Feb 2014 16:57:08 +0800
Subject: [PATCH 2/3] Support revoking the openSUSE cert Subject: [PATCH 2/3] Support revoking the openSUSE cert
@ -204,10 +204,10 @@ will show up with an additional option to clear openSUSE_Verify
2 files changed, 60 insertions(+), 3 deletions(-) 2 files changed, 60 insertions(+), 3 deletions(-)
diff --git a/MokManager.c b/MokManager.c diff --git a/MokManager.c b/MokManager.c
index 71a3137..a03eea4 100644 index dbfb67a..c6589e9 100644
--- a/MokManager.c --- a/MokManager.c
+++ b/MokManager.c +++ b/MokManager.c
@@ -1570,6 +1570,33 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) { @@ -1701,6 +1701,33 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) {
return -1; return -1;
} }
@ -238,10 +238,10 @@ index 71a3137..a03eea4 100644
+ return -1; + return -1;
+} +}
+ +
static BOOLEAN verify_certificate(void *cert, UINTN size) static BOOLEAN verify_certificate(UINT8 *cert, UINTN size)
{ {
X509 *X509Cert; X509 *X509Cert;
@@ -1903,6 +1930,7 @@ typedef enum { @@ -2053,6 +2080,7 @@ typedef enum {
MOK_CHANGE_SB, MOK_CHANGE_SB,
MOK_SET_PW, MOK_SET_PW,
MOK_CHANGE_DB, MOK_CHANGE_DB,
@ -249,7 +249,7 @@ index 71a3137..a03eea4 100644
MOK_KEY_ENROLL, MOK_KEY_ENROLL,
MOK_HASH_ENROLL MOK_HASH_ENROLL
} mok_menu_item; } mok_menu_item;
@@ -1914,7 +1942,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, @@ -2064,7 +2092,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
void *MokPW, UINTN MokPWSize, void *MokPW, UINTN MokPWSize,
void *MokDB, UINTN MokDBSize, void *MokDB, UINTN MokDBSize,
void *MokXNew, UINTN MokXNewSize, void *MokXNew, UINTN MokXNewSize,
@ -259,7 +259,7 @@ index 71a3137..a03eea4 100644
{ {
CHAR16 **menu_strings; CHAR16 **menu_strings;
mok_menu_item *menu_item; mok_menu_item *menu_item;
@@ -1988,6 +2017,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, @@ -2138,6 +2167,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
if (MokDB) if (MokDB)
menucount++; menucount++;
@ -269,7 +269,7 @@ index 71a3137..a03eea4 100644
menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (menucount + 1)); menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (menucount + 1));
if (!menu_strings) if (!menu_strings)
@@ -2057,6 +2089,12 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, @@ -2207,6 +2239,12 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
i++; i++;
} }
@ -282,7 +282,7 @@ index 71a3137..a03eea4 100644
menu_strings[i] = L"Enroll key from disk"; menu_strings[i] = L"Enroll key from disk";
menu_item[i] = MOK_KEY_ENROLL; menu_item[i] = MOK_KEY_ENROLL;
i++; i++;
@@ -2107,6 +2145,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, @@ -2257,6 +2295,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
case MOK_CHANGE_DB: case MOK_CHANGE_DB:
mok_db_prompt(MokDB, MokDBSize); mok_db_prompt(MokDB, MokDBSize);
break; break;
@ -292,7 +292,7 @@ index 71a3137..a03eea4 100644
case MOK_KEY_ENROLL: case MOK_KEY_ENROLL:
mok_key_enroll(); mok_key_enroll();
break; break;
@@ -2132,6 +2173,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) @@ -2282,6 +2323,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
UINTN MokNewSize = 0, MokDelSize = 0, MokSBSize = 0, MokPWSize = 0; UINTN MokNewSize = 0, MokDelSize = 0, MokSBSize = 0, MokPWSize = 0;
UINTN MokDBSize = 0, MokXNewSize = 0, MokXDelSize = 0; UINTN MokDBSize = 0, MokXNewSize = 0, MokXDelSize = 0;
@ -300,7 +300,7 @@ index 71a3137..a03eea4 100644
void *MokNew = NULL; void *MokNew = NULL;
void *MokDel = NULL; void *MokDel = NULL;
void *MokSB = NULL; void *MokSB = NULL;
@@ -2139,6 +2181,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) @@ -2289,6 +2331,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
void *MokDB = NULL; void *MokDB = NULL;
void *MokXNew = NULL; void *MokXNew = NULL;
void *MokXDel = NULL; void *MokXDel = NULL;
@ -308,7 +308,7 @@ index 71a3137..a03eea4 100644
EFI_STATUS status; EFI_STATUS status;
status = get_variable(L"MokNew", (UINT8 **)&MokNew, &MokNewSize, status = get_variable(L"MokNew", (UINT8 **)&MokNew, &MokNewSize,
@@ -2211,9 +2254,20 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) @@ -2361,9 +2404,20 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
console_error(L"Could not retrieve MokXDel", status); console_error(L"Could not retrieve MokXDel", status);
} }
@ -330,7 +330,7 @@ index 71a3137..a03eea4 100644
if (MokNew) if (MokNew)
FreePool (MokNew); FreePool (MokNew);
@@ -2236,6 +2290,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) @@ -2386,6 +2440,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
if (MokXDel) if (MokXDel)
FreePool (MokXDel); FreePool (MokXDel);
@ -341,10 +341,10 @@ index 71a3137..a03eea4 100644
LibDeleteVariable(L"MokDelAuth", &shim_lock_guid); LibDeleteVariable(L"MokDelAuth", &shim_lock_guid);
LibDeleteVariable(L"MokXAuth", &shim_lock_guid); LibDeleteVariable(L"MokXAuth", &shim_lock_guid);
diff --git a/shim.c b/shim.c diff --git a/shim.c b/shim.c
index a483ce3..3b00e6c 100644 index 1335d61..3c7cbe8 100644
--- a/shim.c --- a/shim.c
+++ b/shim.c +++ b/shim.c
@@ -1529,7 +1529,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle) @@ -1541,7 +1541,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
check_var(L"MokPW") || check_var(L"MokAuth") || check_var(L"MokPW") || check_var(L"MokAuth") ||
check_var(L"MokDel") || check_var(L"MokDB") || check_var(L"MokDel") || check_var(L"MokDB") ||
check_var(L"MokXNew") || check_var(L"MokXDel") || check_var(L"MokXNew") || check_var(L"MokXDel") ||
@ -357,7 +357,7 @@ index a483ce3..3b00e6c 100644
1.8.4.5 1.8.4.5
From 8d1fc876a8117bdfa2d1e8975725e03660eadc7c Mon Sep 17 00:00:00 2001 From 437fb0feb6fd0dd321bd4e4cdbbf0095bda5f715 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com> From: Gary Ching-Pang Lin <glin@suse.com>
Date: Fri, 7 Mar 2014 16:17:20 +0800 Date: Fri, 7 Mar 2014 16:17:20 +0800
Subject: [PATCH 3/3] Delete openSUSE_Verify the right way Subject: [PATCH 3/3] Delete openSUSE_Verify the right way
@ -370,10 +370,10 @@ LibDeleteVariable only works on the runtime variables.
1 file changed, 4 insertions(+), 1 deletion(-) 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/MokManager.c b/MokManager.c diff --git a/MokManager.c b/MokManager.c
index a03eea4..d4f107d 100644 index c6589e9..a08385a 100644
--- a/MokManager.c --- a/MokManager.c
+++ b/MokManager.c +++ b/MokManager.c
@@ -1584,7 +1584,10 @@ static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) { @@ -1715,7 +1715,10 @@ static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) {
if (status != EFI_SUCCESS) if (status != EFI_SUCCESS)
return -1; return -1;


@ -0,0 +1,63 @@
From c5d0105fb66be43c0f5f96778e750e9cf7a2cdce Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon, 26 May 2014 16:49:10 +0800
Subject: [PATCH] Remove grubpath in generate_path()
The variable is not used anymore.
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
shim.c | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/shim.c b/shim.c
index 0b20191..7966cbd 100644
--- a/shim.c
+++ b/shim.c
@@ -1060,16 +1060,14 @@ should_use_fallback(EFI_HANDLE image_handle)
* of the executable
*/
static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, CHAR16 *ImagePath,
- EFI_DEVICE_PATH **grubpath, CHAR16 **PathName)
+ CHAR16 **PathName)
{
EFI_DEVICE_PATH *devpath;
- EFI_HANDLE device;
int i, j, last = -1;
unsigned int pathlen = 0;
EFI_STATUS efi_status = EFI_SUCCESS;
CHAR16 *bootpath;
- device = li->DeviceHandle;
devpath = li->FilePath;
bootpath = DevicePathToStr(devpath);
@@ -1122,8 +1120,6 @@ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, CHAR16 *ImagePath,
StrCat(*PathName, bootpath);
StrCat(*PathName, ImagePath);
- *grubpath = FileDevicePath(device, *PathName);
-
error:
FreePool(bootpath);
@@ -1286,7 +1282,6 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath)
EFI_GUID loaded_image_protocol = LOADED_IMAGE_PROTOCOL;
EFI_STATUS efi_status;
EFI_LOADED_IMAGE *li, li_bak;
- EFI_DEVICE_PATH *path;
CHAR16 *PathName = NULL;
void *sourcebuffer = NULL;
UINT64 sourcesize = 0;
@@ -1308,7 +1303,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath)
/*
* Build a new path from the existing one plus the executable name
*/
- efi_status = generate_path(li, ImagePath, &path, &PathName);
+ efi_status = generate_path(li, ImagePath, &PathName);
if (efi_status != EFI_SUCCESS) {
Print(L"Unable to generate path %s: %r\n", ImagePath, efi_status);
--
1.8.4.5


@ -1,3 +1,14 @@
-------------------------------------------------------------------
Wed May 28 04:13:33 UTC 2014 - glin@suse.com
- Add shim-remove-unused-variables.patch to remove the unused
variables
- Add shim-bnc872503-check-key-encoding.patch to check the encoding
of the keys (bnc#872503)
- Add shim-bnc877003-fetch-from-the-same-device.patch to fetch the
netboot image from the same device (bnc#877003)
- Refresh shim-opensuse-cert-prompt.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Wed May 14 09:39:02 UTC 2014 - glin@suse.com Wed May 14 09:39:02 UTC 2014 - glin@suse.com


@ -70,6 +70,12 @@ Patch13: shim-mokmanager-delete-bs-var-right.patch
Patch14: shim-fix-uninitialized-variable.patch Patch14: shim-fix-uninitialized-variable.patch
# PATCH-FIX-UPSTREAM shim-mokmanager-support-sha-family.patch glin@suse.com -- Support SHA hashes in MOK # PATCH-FIX-UPSTREAM shim-mokmanager-support-sha-family.patch glin@suse.com -- Support SHA hashes in MOK
Patch15: shim-mokmanager-support-sha-family.patch Patch15: shim-mokmanager-support-sha-family.patch
# PATCH-FIX-UPSTREAM shim-remove-unused-variables.patch glin@suse.com -- Remove unused variables
Patch16: shim-remove-unused-variables.patch
# PATCH-FIX-UPSTREAM shim-bnc872503-check-key-encoding.patch bnc#872503 glin@suse.com -- Check the key encoding before using it
Patch17: shim-bnc872503-check-key-encoding.patch
# PATCH-FIX-UPSTREAM shim-bnc877003-fetch-from-the-same-device.patch bnc#877003 glin@suse.com -- Fetch the netboot image from the same device
Patch18: shim-bnc877003-fetch-from-the-same-device.patch
# PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
Patch100: shim-opensuse-cert-prompt.patch Patch100: shim-opensuse-cert-prompt.patch
BuildRequires: gnu-efi >= 3.0t BuildRequires: gnu-efi >= 3.0t
@ -109,6 +115,9 @@ Authors:
%patch13 -p1 %patch13 -p1
%patch14 -p1 %patch14 -p1
%patch15 -p1 %patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch100 -p1 %patch100 -p1
%build %build