Accepting request 819890 from home:gary_lin:branches:devel:openSUSE:Factory

only check EFI variable copying when Secure Boot is enabled (bsc#1173411)

OBS-URL: https://build.opensuse.org/request/show/819890
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=158

shim-bsc1173411-only-check-efi-var-on-sb.patch

@@ -0,0 +1,47 @@
+From 741c61abba7d5c74166f8d0c1b9ee8001ebcd186 Mon Sep 17 00:00:00 2001
+From: Patrick Uiterwijk <patrick@puiterwijk.org>
+Date: Thu, 6 Dec 2018 10:08:45 +0100
+Subject: [PATCH] Make EFI variable copying fatal only on secureboot enabled
+ systems
+
+I have come across systems that are unwilling to reserve enough memory for
+a MokListRT big enough for big certificates.
+This seems to be the case with firmware implementations that do not support
+secureboot, which is probably the reason they went with much lower variable
+storage.
+
+This patch set makes sure we can still boot on those systems, by only
+making the copy action fatal if the system has secure boot enabled, or if
+the error was anything other than EFI_INVALID_PARAMETER.
+
+Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
+---
+ shim.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/shim.c b/shim.c
+index 7d25ad6..aee4727 100644
+--- a/shim.c
++++ b/shim.c
+@@ -2639,7 +2639,17 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
+ 	 * boot-services-only state variables are what we think they are.
+ 	 */
+ 	efi_status = import_mok_state(image_handle);
+-	if (EFI_ERROR(efi_status)) {
++	if (!secure_mode() && efi_status == EFI_INVALID_PARAMETER) {
++		/*
++		 * Make copy failures fatal only if secure_mode is enabled, or
++		 * the error was anything else than EFI_INVALID_PARAMETER.
++		 * There are non-secureboot firmware implementations that don't
++		 * reserve enough EFI variable memory to fit the variable.
++		 */
++		console_print(L"Importing MOK states has failed: %s: %r\n",
++			      msgs[msg], efi_status);
++		console_print(L"Continuing boot since secure mode is disabled");
++	} else if (EFI_ERROR(efi_status)) {
+ die:
+ 		console_print(L"Something has gone seriously wrong: %s: %r\n",
+ 			      msgs[msg], efi_status);
+-- 
+2.25.1
+

shim.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Jul 10 06:28:44 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Add shim-bsc1173411-only-check-efi-var-on-sb.patch to only check
+  EFI variable copying when Secure Boot is enabled (bsc#1173411)
+
 -------------------------------------------------------------------
 Tue Mar 31 08:38:56 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>
 

shim.spec

@@ -75,6 +75,8 @@ Patch5:         shim-correct-license-in-headers.patch
 Patch6:         gcc9-fix-warnings.patch
 # PATCH-FIX-OPENSUSE shim-fix-gnu-efi-3.0.11.patch glin@suse.com -- Fix the build error caused by the typo fix in gnu-efi 3.0.11
 Patch7:         shim-fix-gnu-efi-3.0.11.patch
+# PATCH-FIX-UPSTREAM shim-bsc1173411-only-check-efi-var-on-sb.patch bsc#1173411 glin@suse.com -- Make EFI variable copying check only fatal on SB systems
+Patch8:         shim-bsc1173411-only-check-efi-var-on-sb.patch
 # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
 Patch100:       shim-opensuse-cert-prompt.patch
 BuildRequires:  gnu-efi >= 3.0.3
@@ -123,6 +125,7 @@ The source code of UEFI shim loader
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
 %if 0%{?is_opensuse} == 1
 %patch100 -p1
 %endif