Accepting request 894182 from home:gary_lin:branches:devel:openSUSE:Factory

- shim-install: instead of assuming "removable" for Azure, remove
  fallback.efi from \EFI\Boot and copy grub.efi/cfg to \EFI\Boot
  to make \EFI\Boot bootable and keep the boot option created by
  efibootmgr (bsc#1185464, bsc#1185961)

- Add shim-bsc1185261-relax-import_mok_state-check.patch to relax
  the check for import_mok_state() when Secure Boot is off.
  (bsc#1185261)

OBS-URL: https://build.opensuse.org/request/show/894182
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=181

shim-bsc1185261-relax-import_mok_state-check.patch

@@ -0,0 +1,57 @@
+From 3e33205b9c957624df7e30a2e5e2847f23d37989 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Tue, 11 May 2021 10:41:43 +0800
+Subject: [PATCH] Relax the check for import_mok_state()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+An openSUSE user reported(*) that shim 15.4 failed to boot the system
+with the following message:
+
+  "Could not create MokListXRT: Out of Resources"
+
+In the beginning, I thought it's caused by the growing size of
+vendor-dbx. However, we found the following messages after set
+SHIM_VERBOSE:
+
+  max_var_sz:8000 remaining_sz:85EC max_storage_sz:9000
+  SetVariable(“MokListXRT”, ... varsz=0x1404) = Out of Resources
+
+Even though the firmware claimed the remaining storage size is 0x85EC,
+it still rejected MokListXRT with size 0x1404. It seems that the return
+values from QueryVariableInfo() are not reliable. Since this firmware
+didn't really support Secure Boot, the variable mirroring is not so
+critical, so we can just accept the failure of import_mok_state() and
+continue boot.
+
+(*) https://bugzilla.suse.com/show_bug.cgi?id=1185261
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ shim.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/shim.c b/shim.c
+index c5cfbb83..d38ae2f0 100644
+--- a/shim.c
++++ b/shim.c
+@@ -1973,10 +1973,13 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
+ 	 * boot-services-only state variables are what we think they are.
+ 	 */
+ 	efi_status = import_mok_state(image_handle);
+-	if (!secure_mode() && efi_status == EFI_INVALID_PARAMETER) {
++	if (!secure_mode() && 
++	    (efi_status == EFI_INVALID_PARAMETER ||
++	     efi_status == EFI_OUT_OF_RESOURCES)) {
+ 		/*
+ 		 * Make copy failures fatal only if secure_mode is enabled, or
+-		 * the error was anything else than EFI_INVALID_PARAMETER.
++		 * the error was anything else than EFI_INVALID_PARAMETER or
++		 * EFI_OUT_OF_RESOURCES.
+ 		 * There are non-secureboot firmware implementations that don't
+ 		 * reserve enough EFI variable memory to fit the variable.
+ 		 */
+-- 
+2.31.1
+

shim-install

@@ -221,15 +221,6 @@ do
     esac
 done
 
-# bsc#1185464
-# The Azure firmware doesn't respect the boot option created by either
-# efibootmgr or fallback.efi so we have to skip the installation of
-# fallback.efi to avoid the endless reset loop.
-if is_azure; then
-    no_nvram=yes
-    removable=yes
-fi
-
 if test -n "$efidir"; then
     efi_fs=`"$grub_probe" --target=fs "${efidir}"`
     if test "x$efi_fs" = xfat; then :; else
@@ -441,3 +432,22 @@ if test "$no_nvram" = no && test -n "$bootloader_id"; then
     fi
 fi
 
+# bsc#1185464 bsc#1185961
+# The Azure firmware sometimes doesn't respect the boot option created by
+# either efibootmgr or fallback.efi so we have to remove fallback.efi to
+# avoid the endless reset loop.
+if is_azure; then
+    # Skip the workaround if we don't own \EFI\Boot or the removable
+    # option is used
+    if test "$update_boot" = "yes" && test "$removable" = "no"; then
+        # Remove fallback.efi which could cause the reset loop in Azure
+        rm -f "${efibootdir}/fallback.efi"
+        # Remove the older grub binary and config
+        rm -f "${efibootdir}/grub.efi"
+        rm -f "${efibootdir}/grub.cfg"
+        # Install new grub binary and config file to \EFI\Boot as
+        # the "removable" option
+        cp "${efidir}/grub.cfg" "${efibootdir}/grub.cfg"
+        cp "${efidir}/grub.efi" "${efibootdir}/grub.efi"
+    fi
+fi

shim.changes

@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Wed May 19 01:07:43 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
+
+- shim-install: instead of assuming "removable" for Azure, remove
+  fallback.efi from \EFI\Boot and copy grub.efi/cfg to \EFI\Boot
+  to make \EFI\Boot bootable and keep the boot option created by
+  efibootmgr (bsc#1185464, bsc#1185961)
+
+-------------------------------------------------------------------
+Tue May 11 02:57:14 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Add shim-bsc1185261-relax-import_mok_state-check.patch to relax
+  the check for import_mok_state() when Secure Boot is off.
+  (bsc#1185261)
+
 -------------------------------------------------------------------
 Fri May  7 08:33:49 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
 

shim.spec

@@ -81,6 +81,8 @@ Patch6:         shim-bsc1184454-allocate-mok-config-table-BS.patch
 Patch7:         shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch
 # PATCH-FIX-UPSTREAM shim-bsc1185621-relax-max-var-sz-check.patch bsc#1185621 glin@suse.com -- Relax the maximum variable size check for u-boot
 Patch8:         shim-bsc1185621-relax-max-var-sz-check.patch
+# PATCH-FIX-UPSTREAM shim-bsc1185261-relax-import_mok_state_check.patch bsc#1185261 glin@suse.com -- Relax the check for import_mok_state() when Secure Boot is off
+Patch9:         shim-bsc1185261-relax-import_mok_state-check.patch
 BuildRequires:  dos2unix
 BuildRequires:  mozilla-nss-tools
 BuildRequires:  openssl >= 0.9.8
@@ -127,6 +129,7 @@ The source code of UEFI shim loader
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 
 %build
 # generate the vendor SBAT metadata