Accepting request 315550 from home:gary_lin:branches:devel:openSUSE:Factory

- Update to 0.9
- Refresh patches
  + shim-fix-gnu-efi-30w.patch
  + shim-fix-mokmanager-sections.patch
  + shim-opensuse-cert-prompt.patch
- Drop upstreamed patches
  + shim-bsc920515-fix-fallback-buffer-length.patch
  + shim-mokx-support.patch
  + shim-update-cryptlib.patch
- Drop shim-bsc919675-uninstall-shim-protocols.patch since
  upstream fixed the bug in another way.
- Drop shim-gcc5.patch which was fixed in another way

OBS-URL: https://build.opensuse.org/request/show/315550
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=99

shim-0.8.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:4cea304dc6f6e5c429f602c42a4dda7b9c64f448a346bae78fb2c6c19c0cd0b3
-size 991166

shim-0.9.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f524af773af0c8bfce132c9cf1d43c501b479abf2d12fe26d9f419a3d9688ab5
+size 997797

shim-bsc919675-uninstall-shim-protocols.patch

@@ -1,145 +0,0 @@
-From 4f8bf8c570dadf8044e7f3f260c55e3e22630998 Mon Sep 17 00:00:00 2001
-From: Gary Ching-Pang Lin <glin@suse.com>
-Date: Tue, 3 Mar 2015 16:53:11 +0800
-Subject: [PATCH] Uninstall shim protocols at Exit()
-
-Shim uninstalls its own protocol at the end of the program. However,
-if the loaded binary, e.g. grub2, calls Exit(), the uninstall function
-would never be called, i.e. the shim protocol handle existed even if
-shim was gone. This already caused crashes on the dell machines with
-the following steps:
-
-1. boot to grub2 and press 'C' for the grub2 shell
-2. type "exit" to quit the shell
-3. boot to grub2 again and boot an OS
-
-While grub2 uses the shim protocol to verify the OS image, it may get
-the old dead shim handle and crash the system.
-
-This commit adds uninstall_shim_protocols() to the hooked exit function
-and always hook Exit to clean up the protocol handle.
-
-Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
----
- replacements.c | 35 ++++++++++++++++++++++++++++-------
- replacements.h |  1 +
- shim.c         |  5 ++++-
- 3 files changed, 33 insertions(+), 8 deletions(-)
-
-diff --git a/replacements.c b/replacements.c
-index f7623d9..4d96e57 100644
---- a/replacements.c
-+++ b/replacements.c
-@@ -74,6 +74,10 @@ unhook_system_services(void)
- 		return;
- 
- 	systab->BootServices->Exit = system_exit;
-+
-+	if (hook_exit_only)
-+		return;
-+
- 	systab->BootServices->LoadImage = system_load_image;
- 	systab->BootServices->StartImage = system_start_image;
- 	systab->BootServices->ExitBootServices = system_exit_boot_services;
-@@ -167,10 +171,24 @@ do_exit(EFI_HANDLE ImageHandle, EFI_STATUS ExitStatus,
- {
- 	EFI_STATUS status;
- 	unhook_system_services();
-+	uninstall_shim_protocols();
- 
- 	status = systab->BootServices->Exit(ImageHandle, ExitStatus, ExitDataSize, ExitData);
--	if (EFI_ERROR(status))
-+	if (EFI_ERROR(status)) {
-+		EFI_STATUS status2 = install_shim_protocols();
-+
-+		if (EFI_ERROR(status2)) {
-+			Print(L"Something has gone seriously wrong: %r\n",
-+				status2);
-+			Print(L"shim cannot continue, sorry.\n");
-+			systab->BootServices->Stall(5000000);
-+			systab->RuntimeServices->ResetSystem(
-+				EfiResetShutdown,
-+				EFI_SECURITY_VIOLATION, 0, NULL);
-+		}
-+
- 		hook_system_services(systab);
-+	}
- 	return status;
- }
- 
-@@ -182,6 +200,15 @@ hook_system_services(EFI_SYSTEM_TABLE *local_systab)
- 
- 	/* We need to hook various calls to make this work... */
- 
-+	/* we need to hook Exit() so that we can allow users to quit the
-+	 * bootloader and still e.g. start a new one or run an internal
-+	 * shell. */
-+	system_exit = systab->BootServices->Exit;
-+	systab->BootServices->Exit = do_exit;
-+
-+	if (hook_exit_only)
-+		return;
-+
- 	/* We need LoadImage() hooked so that fallback.c can load shim
- 	 * without having to fake LoadImage as well.  This allows it
- 	 * to call the system LoadImage(), and have us track the output
-@@ -201,10 +228,4 @@ hook_system_services(EFI_SYSTEM_TABLE *local_systab)
- 	 * and b) we can unwrap when we're done. */
- 	system_exit_boot_services = systab->BootServices->ExitBootServices;
- 	systab->BootServices->ExitBootServices = exit_boot_services;
--
--	/* we need to hook Exit() so that we can allow users to quit the
--	 * bootloader and still e.g. start a new one or run an internal
--	 * shell. */
--	system_exit = systab->BootServices->Exit;
--	systab->BootServices->Exit = do_exit;
- }
-diff --git a/replacements.h b/replacements.h
-index bd09424..928144d 100644
---- a/replacements.h
-+++ b/replacements.h
-@@ -37,6 +37,7 @@ typedef enum {
- 
- extern verification_method_t verification_method;
- extern int loader_is_participating;
-+extern int hook_exit_only;
- 
- extern void hook_system_services(EFI_SYSTEM_TABLE *local_systab);
- extern void unhook_system_services(void);
-diff --git a/shim.c b/shim.c
-index d46494a..6fbe427 100644
---- a/shim.c
-+++ b/shim.c
-@@ -90,6 +90,7 @@ UINT8 *vendor_dbx;
-  */
- verification_method_t verification_method;
- int loader_is_participating;
-+int exit_only;
- 
- #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
- 
-@@ -2100,6 +2101,7 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
- 	/*
- 	 * Tell the user that we're in insecure mode if necessary
- 	 */
-+	hook_exit_only = 1;
- 	if (user_insecure_mode) {
- 		Print(L"Booting in insecure mode\n");
- 		uefi_call_wrapper(BS->Stall, 1, 2000000);
-@@ -2110,11 +2112,12 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
- 			 * that anything it boots has performed some
- 			 * validation of the next image.
- 			 */
--			hook_system_services(systab);
-+			hook_exit_only = 0;
- 			loader_is_participating = 0;
- 		}
- 	}
- 
-+	hook_system_services(systab);
- 	efi_status = install_shim_protocols();
- 	if (EFI_ERROR(efi_status))
- 		return efi_status;
--- 
-2.1.4
-

shim-bsc920515-fix-fallback-buffer-length.patch

@@ -1,54 +0,0 @@
-From 8bfaa280dc0fcc67e636f33f5c056d6f08b22ef5 Mon Sep 17 00:00:00 2001
-From: Laszlo Ersek <lersek@redhat.com>
-Date: Wed, 25 Feb 2015 18:45:41 +0000
-Subject: [PATCH] Fix length of allocated buffer for boot option comparison.
-
-The following commit:
-
-  commit 4aac8a1179e160397d7ef8f1e3232cfb4f3373d6
-  Author: Gary Ching-Pang Lin <glin@suse.com>
-  Date:   Thu Mar 6 10:57:02 2014 +0800
-
-    [fallback] Fix the data size for boot option comparison
-
-corrected the data size used for comparison, but also reduced the
-allocation so it doesn't include the trailing UTF16LE '\0\0' at the
-end of the string, with the result that the trailer of the buffer
-containing the string is overwritten, which OVMF detects as memory
-corruption.
-
-Increase the size of the storage buffer in a few places to correct
-this problem.
-
-Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
-Cc: Laszlo Ersek <lersek@redhat.com>
-Cc: Gary Ching-Pang Lin <glin@suse.com>
----
- fallback.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/fallback.c b/fallback.c
-index d10fb62..0c1a413 100644
---- a/fallback.c
-+++ b/fallback.c
-@@ -163,7 +163,7 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp,
- 				StrLen(label)*2 + 2 + DevicePathSize(hddp) +
- 				StrLen(arguments) * 2;
- 
--			CHAR8 *data = AllocateZeroPool(size);
-+			CHAR8 *data = AllocateZeroPool(size + 2);
- 			CHAR8 *cursor = data;
- 			*(UINT32 *)cursor = LOAD_OPTION_ACTIVE;
- 			cursor += sizeof (UINT32);
-@@ -234,7 +234,7 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp,
- 		StrLen(label)*2 + 2 + DevicePathSize(dp) +
- 		StrLen(arguments) * 2;
- 
--	CHAR8 *data = AllocateZeroPool(size);
-+	CHAR8 *data = AllocateZeroPool(size + 2);
- 	if (!data)
- 		return EFI_OUT_OF_RESOURCES;
- 	CHAR8 *cursor = data;
--- 
-2.1.4
-

shim-fix-gnu-efi-30w.patch

@@ -1,4 +1,4 @@
-From d4e4bf4e1e03eb5685474d240929d3e3b50581f8 Mon Sep 17 00:00:00 2001
+From 7bfd197ba085e84db662decd9efc8ecf8a435ec2 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Thu, 25 Sep 2014 18:12:42 +0800
 Subject: [PATCH] Adapt the change in gnu-efi-3.0w
@@ -11,7 +11,7 @@ Subject: [PATCH] Adapt the change in gnu-efi-3.0w
  4 files changed, 13 insertions(+), 6 deletions(-)
 
 diff --git a/Cryptlib/Include/OpenSslSupport.h b/Cryptlib/Include/OpenSslSupport.h
-index 9e56ced..6b3bfbd 100644
+index b77838d..8a53eb7 100644
 --- a/Cryptlib/Include/OpenSslSupport.h
 +++ b/Cryptlib/Include/OpenSslSupport.h
 @@ -16,12 +16,6 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
@@ -42,24 +42,24 @@ index 9e56ced..6b3bfbd 100644
  // #defines from EFI Application Toolkit required to buiild Open SSL
  //
 diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile
-index 9719a27..dbd79fb 100644
+index 1769e67..e4f9eb5 100644
 --- a/Cryptlib/Makefile
 +++ b/Cryptlib/Makefile
-@@ -3,6 +3,7 @@ EFI_INCLUDES	= -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLU
- 
+@@ -4,6 +4,7 @@ EFI_INCLUDES	= -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLU
  CFLAGS		= -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
- 		  -Wall $(EFI_INCLUDES)
+ 		  -Wall $(EFI_INCLUDES) \
+ 		  -ffreestanding -I$(shell $(CC) -print-file-name=include)
 +CFLAGS          += -DGNU_EFI_USE_EXTERNAL_STDARG
  
  ifeq ($(ARCH),x86_64)
  	CFLAGS	+= -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \
 diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile
-index 7990b3c..967e55e 100644
+index 7bedb94..1f2c6d5 100644
 --- a/Cryptlib/OpenSSL/Makefile
 +++ b/Cryptlib/OpenSSL/Makefile
-@@ -18,6 +18,9 @@ endif
+@@ -19,6 +19,9 @@ endif
  ifeq ($(ARCH),arm)
- 	CFLAGS	+= -O2 -DTHIRTY_TWO_BIT -ffreestanding -I$(shell $(CC) -print-file-name=include)
+ 	CFLAGS	+= -O2 -DTHIRTY_TWO_BIT
  endif
 +
 +CFLAGS          += -DGNU_EFI_USE_EXTERNAL_STDARG
@@ -68,10 +68,10 @@ index 7990b3c..967e55e 100644
  
  TARGET		= libopenssl.a
 diff --git a/Makefile b/Makefile
-index 332a29b..52fd5b3 100644
+index 83cf374..9cfebc7 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -26,6 +26,8 @@ CFLAGS		= -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
+@@ -28,6 +28,8 @@ CFLAGS		= -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
  		  "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
  		  $(EFI_INCLUDES)
  
@@ -81,5 +81,5 @@ index 332a29b..52fd5b3 100644
  	CFLAGS	+= -DOVERRIDE_SECURITY_POLICY
  endif
 -- 
-1.8.4.5
+2.1.4
 

shim-fix-mokmanager-sections.patch

@@ -1,26 +1,38 @@
-From 61f1bfea2250c38b6c381a3876b41acf007f4289 Mon Sep 17 00:00:00 2001
+From fa7e46558ebdafeb7b5f4a3b843f309a678d4365 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Mon, 10 Nov 2014 17:19:58 +0800
-Subject: [PATCH 1/2] Fix objcopy parameters to include .rel and .rela
+Subject: [PATCH] Fix objcopy parameters to include .rel and .rela
 
-The objcopy parameters -j .rel* and -j .rela* looked like that the
-two sections would be in the EFI binary, but it's actually not, and
-this caused MokManager.efi crash.
+This is a quick hack for the old objcopy.
 
-Remove the asterisks to fix MokManager.efi.
+The asterisks support in objcopy was added in 2.24. For the distro
+with the older objcopy, some sections would be ignored and this could
+crash the program.
 
 Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
 ---
- Makefile | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
+ Makefile | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
 
 diff --git a/Makefile b/Makefile
-index 332a29b..39160c5 100644
+index 412496b..a791bcc 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -133,13 +133,13 @@ FORMAT		?= --target efi-app-$(ARCH)
+@@ -9,7 +9,6 @@ LD		= $(CROSS_COMPILE)ld
+ OBJCOPY		= $(CROSS_COMPILE)objcopy
+ 
+ ARCH		= $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,)
+-OBJCOPY_GTE224  = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.* //g' | cut -f1-2 -d.` \>= 2.24)
+ 
+ SUBDIRS		= Cryptlib lib
+ 
+@@ -142,17 +141,14 @@ endif
+ FORMAT		?= --target efi-app-$(ARCH)
  
  %.efi: %.so
+-ifneq ($(OBJCOPY_GTE224),1)
+-	$(error objcopy >= 2.24 is required)
+-endif
  	$(OBJCOPY) -j .text -j .sdata -j .data \
 -		-j .dynamic -j .dynsym  -j .rel* \
 -		-j .rela* -j .reloc -j .eh_frame \
@@ -35,65 +47,7 @@ index 332a29b..39160c5 100644
 +		-j .rela -j .reloc -j .eh_frame \
  		-j .debug_info -j .debug_abbrev -j .debug_aranges \
  		-j .debug_line -j .debug_str -j .debug_ranges \
- 		$(FORMAT) $^ $@.debug
+ 		-j .note.gnu.build-id \
 -- 
-1.8.4.5
-
-
-From a0d319c24c064b3275f4dc91cf141336fb7449fa Mon Sep 17 00:00:00 2001
-From: Gary Ching-Pang Lin <glin@suse.com>
-Date: Mon, 10 Nov 2014 17:31:15 +0800
-Subject: [PATCH 2/2] Add nostdinc to the CFLAGS for lib
-
-We don't need the headers from the standard include path.
-
-Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
----
- lib/Makefile  | 2 +-
- lib/console.c | 4 ++--
- lib/guid.c    | 1 -
- 3 files changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/lib/Makefile b/lib/Makefile
-index ebd21a1..3c5101e 100644
---- a/lib/Makefile
-+++ b/lib/Makefile
-@@ -4,7 +4,7 @@ LIBFILES = simple_file.o guid.o console.o execute.o configtable.o shell.o variab
- 
- EFI_INCLUDES    = -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -I../include
- 
--CFLAGS          = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
-+CFLAGS          = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -nostdinc\
- 		  -fshort-wchar -Wall -DBUILD_EFI -fno-builtin -Werror \
- 		  $(EFI_INCLUDES)
- 
-diff --git a/lib/console.c b/lib/console.c
-index 83ee679..fd8cc5c 100644
---- a/lib/console.c
-+++ b/lib/console.c
-@@ -4,8 +4,8 @@
-  *
-  * see COPYING file
-  */
--#include <efi/efi.h>
--#include <efi/efilib.h>
-+#include <efi.h>
-+#include <efilib.h>
- 
- #include <console.h>
- #include <variables.h>
-diff --git a/lib/guid.c b/lib/guid.c
-index 56ec952..c97a7ca 100644
---- a/lib/guid.c
-+++ b/lib/guid.c
-@@ -5,7 +5,6 @@
-  */
- 
- #include <guid.h>
--#include <stdio.h>
- 
- #ifndef BUILD_EFI
- /* EFI has %g for this, so it's only needed in platform c */
--- 
-1.8.4.5
+2.1.4
 

shim-gcc5.patch

@@ -1,44 +0,0 @@
---- shim-0.8.orig/Makefile
-+++ shim-0.8/Makefile
-@@ -21,7 +21,7 @@ EFI_LDS		= elf_$(ARCH)_efi.lds
- DEFAULT_LOADER	:= \\\\grub.efi
- CFLAGS		= -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
- 		  -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
--		  -Werror=sign-compare \
-+		  -Werror=sign-compare -std=gnu89 \
- 		  "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
- 		  "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
- 		  $(EFI_INCLUDES)
---- shim-0.8.orig/Cryptlib/Makefile
-+++ shim-0.8/Cryptlib/Makefile
-@@ -2,7 +2,7 @@
- EFI_INCLUDES	= -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
- 
- CFLAGS		= -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
--		  -Wall $(EFI_INCLUDES)
-+		  -Wall $(EFI_INCLUDES) -std=gnu89
- CFLAGS          += -DGNU_EFI_USE_EXTERNAL_STDARG
- 
- ifeq ($(ARCH),x86_64)
---- shim-0.8.orig/Cryptlib/OpenSSL/Makefile
-+++ shim-0.8/Cryptlib/OpenSSL/Makefile
-@@ -2,7 +2,7 @@
- EFI_INCLUDES	= -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
- 
- CFLAGS		= -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \
--		  -Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC
-+		  -Wall -std=gnu89 $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC
- 
- ifeq ($(ARCH),x86_64)
- 	CFLAGS	+= -mno-mmx -mno-sse -mno-red-zone -maccumulate-outgoing-args \
---- shim-0.8.orig/lib/Makefile
-+++ shim-0.8/lib/Makefile
-@@ -5,7 +5,7 @@ LIBFILES = simple_file.o guid.o console.
- EFI_INCLUDES    = -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -I../include
- 
- CFLAGS          = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -nostdinc\
--		  -fshort-wchar -Wall -DBUILD_EFI -fno-builtin -Werror \
-+		  -fshort-wchar -Wall -DBUILD_EFI -fno-builtin -Werror -std=gnu89 \
- 		  $(EFI_INCLUDES)
- 
- ifeq ($(ARCH),x86_64)

shim-opensuse-cert-prompt.patch

@@ -1,4 +1,4 @@
-From eeeb5117c7d30eef6ec8a09f884d6e6872e41638 Mon Sep 17 00:00:00 2001
+From 83b991190b82da422cff4e357e045ff993ecaa9d Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Tue, 18 Feb 2014 17:29:19 +0800
 Subject: [PATCH 1/3] Show the build-in certificate prompt
@@ -17,22 +17,22 @@ again after reboot.
 
 The state will store in use_openSUSE_cert, a volatile RT variable.
 ---
- shim.c | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
- 1 file changed, 74 insertions(+), 2 deletions(-)
+ shim.c | 77 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 75 insertions(+), 2 deletions(-)
 
 diff --git a/shim.c b/shim.c
-index 6fbe427..112a141 100644
+index 4c6bdc5..4e8ed3a 100644
 --- a/shim.c
 +++ b/shim.c
 @@ -91,6 +91,7 @@ UINT8 *vendor_dbx;
+  */
  verification_method_t verification_method;
  int loader_is_participating;
- int exit_only;
 +BOOLEAN use_builtin_cert;
  
  #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
  
-@@ -955,7 +956,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
+@@ -959,7 +960,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
  	if (status == EFI_SUCCESS)
  		return status;
  
@@ -41,7 +41,7 @@ index 6fbe427..112a141 100644
  		/*
  		 * Check against the shim build key
  		 */
-@@ -1709,7 +1710,7 @@ EFI_STATUS mirror_mok_list()
+@@ -1730,7 +1731,7 @@ EFI_STATUS mirror_mok_list()
  	if (efi_status != EFI_SUCCESS)
  		DataSize = 0;
  
@@ -50,8 +50,8 @@ index 6fbe427..112a141 100644
  		FullDataSize = DataSize
  			     + sizeof (*CertList)
  			     + sizeof (EFI_GUID)
-@@ -2058,6 +2059,75 @@ uninstall_shim_protocols(void)
- 			  &shim_lock_guid, &shim_lock_interface);
+@@ -2140,6 +2141,75 @@ shim_fini(void)
+ 	setup_console(0);
  }
  
 +#define VENDOR_VERIFY L"openSUSE_Verify"
@@ -123,23 +123,24 @@ index 6fbe427..112a141 100644
 +	return 0;
 +}
 +
- EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
- {
- 	EFI_STATUS efi_status;
-@@ -2114,6 +2184,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
- 			 */
- 			hook_exit_only = 0;
- 			loader_is_participating = 0;
-+			if (builtin_cert_prompt() != 0)
-+				return EFI_ABORTED;
- 		}
- 	}
+ extern EFI_STATUS
+ efi_main(EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab);
  
+@@ -2228,6 +2298,9 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
+ 	 */
+ 	check_mok_sb();
+ 
++	if (secure_mode() && (builtin_cert_prompt() != 0))
++		return EFI_ABORTED;
++
+ 	efi_status = shim_init();
+ 	if (EFI_ERROR(efi_status)) {
+ 		Print(L"Something has gone seriously wrong: %r\n", efi_status);
 -- 
 2.1.4
 
 
-From 869b4633b647c00d13bdf9c2ad554e5d5b8b9670 Mon Sep 17 00:00:00 2001
+From bde21fc34f6c1293a4233e704d9890a14f4bff19 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Thu, 20 Feb 2014 16:57:08 +0800
 Subject: [PATCH 2/3] Support revoking the openSUSE cert
@@ -155,10 +156,10 @@ will show up with an additional option to clear openSUSE_Verify
  2 files changed, 60 insertions(+), 3 deletions(-)
 
 diff --git a/MokManager.c b/MokManager.c
-index 442ab8f..7277968 100644
+index ee6dffb..68d4099 100644
 --- a/MokManager.c
 +++ b/MokManager.c
-@@ -1731,6 +1731,33 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) {
+@@ -1729,6 +1729,33 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) {
  	return -1;
  }
  
@@ -192,7 +193,7 @@ index 442ab8f..7277968 100644
  static BOOLEAN verify_certificate(UINT8 *cert, UINTN size)
  {
  	X509 *X509Cert;
-@@ -2083,6 +2110,7 @@ typedef enum {
+@@ -2081,6 +2108,7 @@ typedef enum {
  	MOK_CHANGE_SB,
  	MOK_SET_PW,
  	MOK_CHANGE_DB,
@@ -200,7 +201,7 @@ index 442ab8f..7277968 100644
  	MOK_KEY_ENROLL,
  	MOK_HASH_ENROLL
  } mok_menu_item;
-@@ -2094,7 +2122,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
+@@ -2092,7 +2120,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
  				 void *MokPW, UINTN MokPWSize,
  				 void *MokDB, UINTN MokDBSize,
  				 void *MokXNew, UINTN MokXNewSize,
@@ -210,7 +211,7 @@ index 442ab8f..7277968 100644
  {
  	CHAR16 **menu_strings;
  	mok_menu_item *menu_item;
-@@ -2168,6 +2197,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
+@@ -2166,6 +2195,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
  	if (MokDB)
  		menucount++;
  
@@ -220,7 +221,7 @@ index 442ab8f..7277968 100644
  	menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (menucount + 1));
  
  	if (!menu_strings)
-@@ -2237,6 +2269,12 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
+@@ -2235,6 +2267,12 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
  		i++;
  	}
  
@@ -233,7 +234,7 @@ index 442ab8f..7277968 100644
  	menu_strings[i] = L"Enroll key from disk";
  	menu_item[i] = MOK_KEY_ENROLL;
  	i++;
-@@ -2287,6 +2325,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
+@@ -2285,6 +2323,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
  		case MOK_CHANGE_DB:
  			mok_db_prompt(MokDB, MokDBSize);
  			break;
@@ -243,7 +244,7 @@ index 442ab8f..7277968 100644
  		case MOK_KEY_ENROLL:
  			mok_key_enroll();
  			break;
-@@ -2312,6 +2353,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
+@@ -2310,6 +2351,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
  	EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
  	UINTN MokNewSize = 0, MokDelSize = 0, MokSBSize = 0, MokPWSize = 0;
  	UINTN MokDBSize = 0, MokXNewSize = 0, MokXDelSize = 0;
@@ -251,7 +252,7 @@ index 442ab8f..7277968 100644
  	void *MokNew = NULL;
  	void *MokDel = NULL;
  	void *MokSB = NULL;
-@@ -2319,6 +2361,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
+@@ -2317,6 +2359,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
  	void *MokDB = NULL;
  	void *MokXNew = NULL;
  	void *MokXDel = NULL;
@@ -259,7 +260,7 @@ index 442ab8f..7277968 100644
  	EFI_STATUS status;
  
  	status = get_variable(L"MokNew", (UINT8 **)&MokNew, &MokNewSize,
-@@ -2391,9 +2434,20 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
+@@ -2389,9 +2432,20 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
  		console_error(L"Could not retrieve MokXDel", status);
  	}
  
@@ -281,7 +282,7 @@ index 442ab8f..7277968 100644
  
  	if (MokNew)
  		FreePool (MokNew);
-@@ -2416,6 +2470,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
+@@ -2414,6 +2468,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
  	if (MokXDel)
  		FreePool (MokXDel);
  
@@ -292,10 +293,10 @@ index 442ab8f..7277968 100644
  	LibDeleteVariable(L"MokDelAuth", &shim_lock_guid);
  	LibDeleteVariable(L"MokXAuth", &shim_lock_guid);
 diff --git a/shim.c b/shim.c
-index 112a141..9ffac1f 100644
+index 4e8ed3a..8848e6a 100644
 --- a/shim.c
 +++ b/shim.c
-@@ -1819,7 +1819,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
+@@ -1840,7 +1840,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
  	    check_var(L"MokPW") || check_var(L"MokAuth") ||
  	    check_var(L"MokDel") || check_var(L"MokDB") ||
  	    check_var(L"MokXNew") || check_var(L"MokXDel") ||
@@ -308,7 +309,7 @@ index 112a141..9ffac1f 100644
 2.1.4
 
 
-From 8d8ccfdebdd01601548d662ad8a43371d307e2f1 Mon Sep 17 00:00:00 2001
+From 3d22ec8e64253ec7edc4133d6122539f006c792e Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Fri, 7 Mar 2014 16:17:20 +0800
 Subject: [PATCH 3/3] Delete openSUSE_Verify the right way
@@ -321,10 +322,10 @@ LibDeleteVariable only works on the runtime variables.
  1 file changed, 4 insertions(+), 1 deletion(-)
 
 diff --git a/MokManager.c b/MokManager.c
-index 7277968..b5d2454 100644
+index 68d4099..c7f2b65 100644
 --- a/MokManager.c
 +++ b/MokManager.c
-@@ -1745,7 +1745,10 @@ static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) {
+@@ -1743,7 +1743,10 @@ static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) {
  	if (status != EFI_SUCCESS)
  		return -1;
  

shim.changes

@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Mon Jul  6 09:06:02 UTC 2015 - glin@suse.com
+
+- Update to 0.9
+- Refresh patches
+  + shim-fix-gnu-efi-30w.patch
+  + shim-fix-mokmanager-sections.patch
+  + shim-opensuse-cert-prompt.patch
+- Drop upstreamed patches
+  + shim-bsc920515-fix-fallback-buffer-length.patch
+  + shim-mokx-support.patch
+  + shim-update-cryptlib.patch
+- Drop shim-bsc919675-uninstall-shim-protocols.patch since
+  upstream fixed the bug in another way.
+- Drop shim-gcc5.patch which was fixed in another way
+
 -------------------------------------------------------------------
 Wed Apr  8 07:10:39 UTC 2015 - glin@suse.com
 

shim.spec

@@ -19,7 +19,7 @@
 # needssslcertforbuild
 
 Name:           shim
-Version:        0.8
+Version:        0.9
 Release:        0
 Summary:        UEFI shim loader
 License:        BSD-2-Clause
@@ -40,23 +40,14 @@ Source9:        openSUSE-UEFI-CA-Certificate-4096.crt
 Source10:       timestamp.pl
 Source11:       strip_signature.sh
 Source12:       signature-sles.asc
-# PATCH-FIX-UPSTREAM shim-mokx-support.patch glin@suse.com -- Support MOK blacklist
-Patch1:         shim-mokx-support.patch
 # PATCH-FIX-SUSE shim-only-os-name.patch glin@suse.com -- Only include the OS name in version.c
-Patch2:         shim-only-os-name.patch
+Patch1:         shim-only-os-name.patch
 # PATCH-FIX-UPSTREAM shim-fix-gnu-efi-30w.patch glin@suse.com -- Adapt the change in gnu-efi 3.0w
-Patch3:         shim-fix-gnu-efi-30w.patch
+Patch2:         shim-fix-gnu-efi-30w.patch
 # PATCH-FIX-UPSTREAM shim-fix-mokmanager-sections.patch glin@suse.com -- Fix the objcopy parameters for the EFI files
-Patch4:         shim-fix-mokmanager-sections.patch
-# PATCH-FIX-UPSTREAM shim-bsc919675-uninstall-shim-protocols.patch bsc#919675 glin@suse.com -- Uinstall the shim protocols at Exit
-Patch5:         shim-bsc919675-uninstall-shim-protocols.patch
-# PATCH-FIX-UPSTREAM shim-bsc920515-fix-fallback-buffer-length.patch bsc#920515 glin@suse.com -- Fix the buffer size for the boot options
-Patch6:         shim-bsc920515-fix-fallback-buffer-length.patch
-# PATCH-FIX-UPSTREAM shim-update-cryptlib.patch glin@suse.com -- Update Cryptlib and openssl
-Patch7:         shim-update-cryptlib.patch
+Patch3:         shim-fix-mokmanager-sections.patch
 # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
 Patch100:       shim-opensuse-cert-prompt.patch
-Patch101:       shim-gcc5.patch
 BuildRequires:  gnu-efi >= 3.0t
 BuildRequires:  mozilla-nss-tools
 BuildRequires:  openssl >= 0.9.8
@@ -83,16 +74,11 @@ Authors:
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
 %patch100 -p1
-%patch101 -p1
 %build
 # first, build MokManager and fallback as they don't depend on a
 # specific certificate
-make EFI_PATH=/usr/lib64 MokManager.efi fallback.efi 2>/dev/null
+make EFI_PATH=/usr/lib64 RELEASE=0 MokManager.efi fallback.efi 2>/dev/null
 
 # now build variants of shim that embed different certificates
 default=''
@@ -147,7 +133,7 @@ for suffix in "${suffixes[@]}"; do
 	    cp $cert2 shim.crt
     fi
     # make sure cast warnings don't trigger post build check
-    make EFI_PATH=/usr/lib64 VENDOR_CERT_FILE=shim-$suffix.der shim.efi 2>/dev/null
+    make EFI_PATH=/usr/lib64 RELEASE=0 VENDOR_CERT_FILE=shim-$suffix.der shim.efi 2>/dev/null
     #
     # assert correct certificate embedded
     grep -q "$verify" shim.efi