diff --git a/shim-bsc1173411-only-check-efi-var-on-sb.patch b/shim-bsc1173411-only-check-efi-var-on-sb.patch
new file mode 100644
index 0000000..3df34fd
--- /dev/null
+++ b/shim-bsc1173411-only-check-efi-var-on-sb.patch
@@ -0,0 +1,47 @@
+From 741c61abba7d5c74166f8d0c1b9ee8001ebcd186 Mon Sep 17 00:00:00 2001
+From: Patrick Uiterwijk
+Date: Thu, 6 Dec 2018 10:08:45 +0100
+Subject: [PATCH] Make EFI variable copying fatal only on secureboot enabled
+ systems
+
+I have come across systems that are unwilling to reserve enough memory for
+a MokListRT big enough for big certificates.
+This seems to be the case with firmware implementations that do not support
+secureboot, which is probably the reason they went with much lower variable
+storage.
+
+This patch set makes sure we can still boot on those systems, by only
+making the copy action fatal if the system has secure boot enabled, or if
+the error was anything other than EFI_INVALID_PARAMETER.
+
+Signed-off-by: Patrick Uiterwijk
+---
+ shim.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/shim.c b/shim.c
+index 7d25ad6..aee4727 100644
+--- a/shim.c
++++ b/shim.c
+@@ -2639,7 +2639,17 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
+ * boot-services-only state variables are what we think they are.
+ */
+ efi_status = import_mok_state(image_handle);
+- if (EFI_ERROR(efi_status)) {
++ if (!secure_mode() && efi_status == EFI_INVALID_PARAMETER) {
++ /*
++ * Make copy failures fatal only if secure_mode is enabled, or
++ * the error was anything else than EFI_INVALID_PARAMETER.
++ * There are non-secureboot firmware implementations that don't
++ * reserve enough EFI variable memory to fit the variable.
++ */
++ console_print(L"Importing MOK states has failed: %s: %r\n",
++ msgs[msg], efi_status);
++ console_print(L"Continuing boot since secure mode is disabled");
++ } else if (EFI_ERROR(efi_status)) {
+ die:
+ console_print(L"Something has gone seriously wrong: %s: %r\n",
+ msgs[msg], efi_status);
+--
+2.25.1
+
diff --git a/shim.changes b/shim.changes
index 577ed59..9dc0a26 100644
--- a/shim.changes
+++ b/shim.changes
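Review bot: The second console_print in the new branch, `console_print(L"Continuing boot since secure mode is disabled");`, has no trailing `\n`, so whatever shim prints next is appended to the same console line; the sibling message directly above ends in `\n` and this one should match: `console_print(L"Continuing boot since secure mode is disabled\n");`. The bypass itself is tightly scoped — it only applies when secure_mode() is false and the status is exactly EFI_INVALID_PARAMETER, so every other import failure still reaches the fatal `else if (EFI_ERROR(efi_status))` path — which is the right shape for a non-enforcing fallback. It would help operators if the message also said that the MOK runtime variables may be missing for the rest of the boot, since later consumers will not find them; which variables import_mok_state publishes is not visible in this hunk, so keep the wording generic. `msgs[msg]` is now read in the new branch rather than only at the `die:` label; whether `msg` already holds the import-state index at this point cannot be confirmed from the hunk and is worth checking. efi_main starts and ends outside this hunk.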
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Jul 10 06:28:44 UTC 2020 - Gary Ching-Pang Lin
+
+- Add shim-bsc1173411-only-check-efi-var-on-sb.patch to only check
+ EFI variable copying when Secure Boot is enabled (bsc#1173411)
+
 -------------------------------------------------------------------
 Tue Mar 31 08:38:56 UTC 2020 - Gary Ching-Pang Lin
 
diff --git a/shim.spec b/shim.spec
index 0f7d461..fb28acf 100644
--- a/shim.spec
+++ b/shim.spec
@@ -75,6 +75,8 @@ Patch5: shim-correct-license-in-headers.patch
 Patch6: gcc9-fix-warnings.patch
 # PATCH-FIX-OPENSUSE shim-fix-gnu-efi-3.0.11.patch glin@suse.com -- Fix the build error caused by the typo fix in gnu-efi 3.0.11
 Patch7: shim-fix-gnu-efi-3.0.11.patch
+# PATCH-FIX-UPSTREAM shim-bsc1173411-only-check-efi-var-on-sb.patch bsc#1173411 glin@suse.com -- Make EFI variable copying check only fatal on SB systems
+Patch8: shim-bsc1173411-only-check-efi-var-on-sb.patch
 # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
 Patch100: shim-opensuse-cert-prompt.patch
 BuildRequires: gnu-efi >= 3.0.3
@@ -123,6 +125,7 @@ The source code of UEFI shim loader
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
 %if 0%{?is_opensuse} == 1
 %patch100 -p1
 %endif