From f94c2e5bcf86e46599ddef09e44a703612c7d1887e94b233bb5178b9ee20d6e4 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 6 May 2021 03:35:27 +0000 Subject: [PATCH] Accepting request 890839 from home:gary_lin:branches:devel:openSUSE:Factory - Add shim-bsc1185621-relax-max-var-sz-check.patch to relax the maximum variable size check for u-boot (bsc#1185621) - Add shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch to handle ignore_db and user_insecure_mode correctly (bsc#1185441) OBS-URL: https://build.opensuse.org/request/show/890839 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=179 --- ...-of-ignore_db-and-user_insecure_mode.patch | 41 +++++++++++++++++++ shim-bsc1185621-relax-max-var-sz-check.patch | 38 +++++++++++++++++ shim.changes | 13 ++++++ shim.spec | 6 +++ 4 files changed, 98 insertions(+) create mode 100644 shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch create mode 100644 shim-bsc1185621-relax-max-var-sz-check.patch diff --git a/shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch b/shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch new file mode 100644 index 0000000..55c4e73 --- /dev/null +++ b/shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch @@ -0,0 +1,41 @@ +From 822d07ad4f07ef66fe447a130e1027c88d02a394 Mon Sep 17 00:00:00 2001 +From: Adam Williamson +Date: Thu, 8 Apr 2021 22:39:02 -0700 +Subject: [PATCH] Fix handling of ignore_db and user_insecure_mode + +In 65be350308783a8ef537246c8ad0545b4e6ad069, import_mok_state() is split +up into a function that manages the whole mok state, and one that +handles the state machine for an individual state variable. +Unfortunately, the code that initializes the global ignore_db and +user_insecure_mode was copied from import_mok_state() into the new +import_one_mok_state() function, and thus re-initializes that state each +time it processes a MoK state variable, before even assessing if that +variable is set. As a result, we never honor either flag, and the +machine owner cannot disable trusting the system firmware's db/dbx +databases or disable validation altogether. + +This patch removes the extra re-initialization, allowing those variables +to be set properly. + +Signed-off-by: Adam Williamson +--- + mok.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/mok.c b/mok.c +index 5ad9072b..9e37d6ab 100644 +--- a/mok.c ++++ b/mok.c +@@ -888,9 +888,6 @@ EFI_STATUS import_one_mok_state(struct mok_state_variable *v, + EFI_STATUS ret = EFI_SUCCESS; + EFI_STATUS efi_status; + +- user_insecure_mode = 0; +- ignore_db = 0; +- + UINT32 attrs = 0; + BOOLEAN delete = FALSE; + +-- +2.31.1 + diff --git a/shim-bsc1185621-relax-max-var-sz-check.patch b/shim-bsc1185621-relax-max-var-sz-check.patch new file mode 100644 index 0000000..2b3ad9f --- /dev/null +++ b/shim-bsc1185621-relax-max-var-sz-check.patch @@ -0,0 +1,38 @@ +commit 690ec2419a8c2c4246450e447629adc85f9a6f40 +Author: Gary Lin +Date: Wed May 5 11:25:07 2021 +0800 + + mok: relax the maximum variable size check + + Some UEFI environment such as u-boot doesn't implement + QueryVariableInfo(), so we couldn't rely on the function to estimate the + available space for RT variables. All we can do is to call SetVariable() + directly and check the return value of SetVariable(). + + Signed-off-by: Gary Lin + +diff --git a/mok.c b/mok.c +index 5ad9072b..1f9820e7 100644 +--- a/mok.c ++++ b/mok.c +@@ -351,13 +351,18 @@ mirror_mok_db(CHAR16 *name, CHAR8 *name8, EFI_GUID *guid, UINT32 attrs, + SIZE_T max_var_sz; + + efi_status = get_max_var_sz(attrs, &max_var_sz); +- if (EFI_ERROR(efi_status)) { ++ if (EFI_ERROR(efi_status) && efi_status != EFI_UNSUPPORTED) { + LogError(L"Could not get maximum variable size: %r", + efi_status); + return efi_status; + } + +- if (FullDataSize <= max_var_sz) { ++ /* Some UEFI environment such as u-boot doesn't implement ++ * QueryVariableInfo() and we will only get EFI_UNSUPPORTED when ++ * querying the available space. In this case, we just mirror ++ * the variable directly. */ ++ if (FullDataSize <= max_var_sz || efi_status == EFI_UNSUPPORTED) { ++ efi_status = EFI_SUCCESS; + if (only_first) + efi_status = SetVariable(name, guid, attrs, + FullDataSize, FullData); diff --git a/shim.changes b/shim.changes index c95cbac..00c7598 100644 --- a/shim.changes +++ b/shim.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Thu May 6 03:18:32 UTC 2021 - Gary Ching-Pang Lin + +- Add shim-bsc1185621-relax-max-var-sz-check.patch to relax the + maximum variable size check for u-boot (bsc#1185621) + +------------------------------------------------------------------- +Mon May 3 03:46:27 UTC 2021 - Gary Ching-Pang Lin + +- Add shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch + to handle ignore_db and user_insecure_mode correctly + (bsc#1185441) + ------------------------------------------------------------------- Wed Apr 28 09:28:30 UTC 2021 - Gary Ching-Pang Lin diff --git a/shim.spec b/shim.spec index 2b87cbe..263e73b 100644 --- a/shim.spec +++ b/shim.spec @@ -77,6 +77,10 @@ Patch4: shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch Patch5: remove_build_id.patch # PATCH-FIX-UPSTREAM shim-bsc1184454-allocate-mok-config-table-BS.patch bsc#1184454 glin@suse.com -- Allocate MOK config table as BootServicesData to avoid the error message from linux kernel Patch6: shim-bsc1184454-allocate-mok-config-table-BS.patch +# PATCH-FIX-UPSTREAM shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch bsc#1184454 glin@suse.com -- Handle ignore_db and user_insecure_mode correctly +Patch7: shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch +# PATCH-FIX-UPSTREAM shim-bsc1185621-relax-max-var-sz-check.patch bsc#1185621 glin@suse.com -- Relax the maximum variable size check for u-boot +Patch8: shim-bsc1185621-relax-max-var-sz-check.patch BuildRequires: dos2unix BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 @@ -121,6 +125,8 @@ The source code of UEFI shim loader %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 +%patch8 -p1 %build # generate the vendor SBAT metadata