diff --git a/shim-bsc1185261-relax-import_mok_state-check.patch b/shim-bsc1185261-relax-import_mok_state-check.patch
new file mode 100644
index 0000000..dc983ff
--- /dev/null
+++ b/shim-bsc1185261-relax-import_mok_state-check.patch
@@ -0,0 +1,57 @@
+From 3e33205b9c957624df7e30a2e5e2847f23d37989 Mon Sep 17 00:00:00 2001
+From: Gary Lin
+Date: Tue, 11 May 2021 10:41:43 +0800
+Subject: [PATCH] Relax the check for import_mok_state()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+An openSUSE user reported(*) that shim 15.4 failed to boot the system
+with the following message:
+
+ "Could not create MokListXRT: Out of Resources"
+
+In the beginning, I thought it's caused by the growing size of
+vendor-dbx. However, we found the following messages after set
+SHIM_VERBOSE:
+
+ max_var_sz:8000 remaining_sz:85EC max_storage_sz:9000
+ SetVariable(“MokListXRT”, ... varsz=0x1404) = Out of Resources
+
+Even though the firmware claimed the remaining storage size is 0x85EC,
+it still rejected MokListXRT with size 0x1404. It seems that the return
+values from QueryVariableInfo() are not reliable. Since this firmware
+didn't really support Secure Boot, the variable mirroring is not so
+critical, so we can just accept the failure of import_mok_state() and
+continue boot.
+
+(*) https://bugzilla.suse.com/show_bug.cgi?id=1185261
+
+Signed-off-by: Gary Lin
+---
+ shim.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/shim.c b/shim.c
+index c5cfbb83..d38ae2f0 100644
+--- a/shim.c
++++ b/shim.c
+@@ -1973,10 +1973,13 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
+ * boot-services-only state variables are what we think they are.
+ */
+ efi_status = import_mok_state(image_handle);
+- if (!secure_mode() && efi_status == EFI_INVALID_PARAMETER) {
++ if (!secure_mode() &&
++ (efi_status == EFI_INVALID_PARAMETER ||
++ efi_status == EFI_OUT_OF_RESOURCES)) {
+ /*
+ * Make copy failures fatal only if secure_mode is enabled, or
+- * the error was anything else than EFI_INVALID_PARAMETER.
++ * the error was anything else than EFI_INVALID_PARAMETER or
++ * EFI_OUT_OF_RESOURCES.
+ * There are non-secureboot firmware implementations that don't
+ * reserve enough EFI variable memory to fit the variable.
+ */
+--
+2.31.1
+
diff --git a/shim-install b/shim-install
index 66dc984..cfe6d31 100644
--- a/shim-install
+++ b/shim-install
@@ -221,15 +221,6 @@ do
 esac
 done
 
-# bsc#1185464
-# The Azure firmware doesn't respect the boot option created by either
-# efibootmgr or fallback.efi so we have to skip the installation of
-# fallback.efi to avoid the endless reset loop.
-if is_azure; then
- no_nvram=yes
- removable=yes
-fi
-
 if test -n "$efidir"; then
 efi_fs=`"$grub_probe" --target=fs "${efidir}"`
 if test "x$efi_fs" = xfat; then :; else
@@ -441,3 +432,22 @@ if test "$no_nvram" = no && test -n "$bootloader_id"; then
 fi
 fi
 
+# bsc#1185464 bsc#1185961
+# The Azure firmware sometimes doesn't respect the boot option created by
+# either efibootmgr or fallback.efi so we have to remove fallback.efi to
+# avoid the endless reset loop.
+if is_azure; then
+ # Skip the workaround if we don't own \EFI\Boot or the removable
+ # option is used
+ if test "$update_boot" = "yes" && test "$removable" = "no"; then
+ # Remove fallback.efi which could cause the reset loop in Azure
+ rm -f "${efibootdir}/fallback.efi"
+ # Remove the older grub binary and config
+ rm -f "${efibootdir}/grub.efi"
+ rm -f "${efibootdir}/grub.cfg"
+ # Install new grub binary and config file to \EFI\Boot as
+ # the "removable" option
+ cp "${efidir}/grub.cfg" "${efibootdir}/grub.cfg"
+ cp "${efidir}/grub.efi" "${efibootdir}/grub.efi"
+ fi
+fi
diff --git a/shim.changes b/shim.changes
index 5207f86..3eeaed5 100644
--- a/shim.changes
+++ b/shim.changes
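Review bot: In the second shim-install hunk (`@@ -441,3 +432,22 @@`) the Azure branch deletes fallback.efi, grub.efi and grub.cfg from `${efibootdir}` before the two `cp` calls that are supposed to repopulate it, and neither `cp` result is checked, so a missing or unreadable `${efidir}/grub.efi` leaves \EFI\Boot with no loader at all and the reset loop this block is meant to avoid turns into an unbootable VM. Unless the script runs under `set -e` (not visible in this hunk) the failure is silent. Copy first and only remove fallback.efi once both copies succeeded; the `rm -f` of grub.efi and grub.cfg is redundant because `cp` overwrites them. Since the first hunk drops the `no_nvram=yes`/`removable=yes` assignments, this branch now depends on `$update_boot` and `$removable` being initialised earlier in the script, which the hunk does not show; the exit status in the failure path should follow whatever convention the rest of shim-install uses.
```shell
if is_azure; then
    # Skip the workaround if we don't own \EFI\Boot or the removable
    # option is used
    if test "$update_boot" = "yes" && test "$removable" = "no"; then
        # Populate \EFI\Boot first: if either copy fails, keep
        # fallback.efi so the directory still holds a working loader.
        if cp "${efidir}/grub.cfg" "${efibootdir}/grub.cfg" &&
           cp "${efidir}/grub.efi" "${efibootdir}/grub.efi"; then
            # Remove fallback.efi which could cause the reset loop in Azure
            rm -f "${efibootdir}/fallback.efi"
        else
            echo "shim-install: failed to copy grub.efi/grub.cfg to ${efibootdir}; keeping fallback.efi" >&2
            exit 1
        fi
    fi
fi
```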
@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Wed May 19 01:07:43 UTC 2021 - Gary Ching-Pang Lin
+
+- shim-install: instead of assuming "removable" for Azure, remove
+ fallback.efi from \EFI\Boot and copy grub.efi/cfg to \EFI\Boot
+ to make \EFI\Boot bootable and keep the boot option created by
+ efibootmgr (bsc#1185464, bsc#1185961)
+
+-------------------------------------------------------------------
+Tue May 11 02:57:14 UTC 2021 - Gary Ching-Pang Lin
+
+- Add shim-bsc1185261-relax-import_mok_state-check.patch to relax
+ the check for import_mok_state() when Secure Boot is off.
+ (bsc#1185261)
+
 -------------------------------------------------------------------
 Fri May 7 08:33:49 UTC 2021 - Gary Ching-Pang Lin
 
diff --git a/shim.spec b/shim.spec
index 263e73b..7f720a6 100644
--- a/shim.spec
+++ b/shim.spec
@@ -81,6 +81,8 @@ Patch6: shim-bsc1184454-allocate-mok-config-table-BS.patch
 Patch7: shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch
 # PATCH-FIX-UPSTREAM shim-bsc1185621-relax-max-var-sz-check.patch bsc#1185621 glin@suse.com -- Relax the maximum variable size check for u-boot
 Patch8: shim-bsc1185621-relax-max-var-sz-check.patch
+# PATCH-FIX-UPSTREAM shim-bsc1185261-relax-import_mok_state_check.patch bsc#1185261 glin@suse.com -- Relax the check for import_mok_state() when Secure Boot is off
+Patch9: shim-bsc1185261-relax-import_mok_state-check.patch
 BuildRequires: dos2unix
 BuildRequires: mozilla-nss-tools
 BuildRequires: openssl >= 0.9.8
@@ -127,6 +129,7 @@ The source code of UEFI shim loader
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 
 %build
 # generate the vendor SBAT metadata
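Review bot: The `# PATCH-FIX-UPSTREAM` comment added in the first shim.spec hunk names `shim-bsc1185261-relax-import_mok_state_check.patch` (underscore before `check`), while the `Patch9:` line below it and the file added by this commit are `shim-bsc1185261-relax-import_mok_state-check.patch`; the comment should read `# PATCH-FIX-UPSTREAM shim-bsc1185261-relax-import_mok_state-check.patch bsc#1185261 glin@suse.com -- Relax the check for import_mok_state() when Secure Boot is off`. The tag also declares the fix as upstream, but the patch header in this commit only carries a local commit line and no upstream reference; if the change has landed upstream, recording that commit in the patch header or in this comment would let the next rebase drop the patch safely.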