From 61318a0867be57059ade436d7042180a30a42897 Mon Sep 17 00:00:00 2001
From: Miroslav Rezanina
Date: Mon, 13 Feb 2023 02:40:34 -0500
Subject: [PATCH] * Mon Feb 13 2023 Miroslav Rezanina - 20221207gitfff6d81270b5-6

- edk2-update-build-script-rhel-only.patch [bz#2168046] - edk2-update-build-config-rhel-only.patch [bz#2168046] - edk2-add-release-date-to-builds-rh-only.patch [bz#2168046] - edk2-openssl-update.patch [bz#2164534 bz#2164550 bz#2164565 bz#2164583] - edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch [bz#2164534 bz#2164550 bz#2164565 bz#2164583] - Resolves: bz#2168046 ([SVVP] job 'Check SMBIOS Table Specific Requirements' failed on win2022) - Resolves: bz#2164534 (CVE-2023-0286 edk2: openssl: X.400 address type confusion in X.509 GeneralName [rhel-9]) - Resolves: bz#2164550 (CVE-2022-4304 edk2: openssl: timing attack in RSA Decryption implementation [rhel-9]) - Resolves: bz#2164565 (CVE-2023-0215 edk2: openssl: use-after-free following BIO_new_NDEF [rhel-9]) - Resolves: bz#2164583 (CVE-2022-4450 edk2: openssl: double free after calling PEM_read_bio_ex [rhel-9])
---
 .gitignore | 1 +
 edk2-build.py | 107 +++++++++++++-----
 edk2-build.rhel-9 | 20 +++-
 ...crypto-bn-rsa_sup_mul.c-to-file-list.patch | 42 +++++++
 edk2.spec | 31 ++++-
 sources | 2 +-
 6 files changed, 165 insertions(+), 38 deletions(-)
 create mode 100644 edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch
diff --git a/.gitignore b/.gitignore
index 360472e..caedbe6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,3 +8,4 @@
 /openssl-rhel-bdd048e929dcfcf2f046d74e812e0e3d5fc58504.tar.xz
 /openssl-rhel-a75722161d20fd632f8875585d3aa066ec5fea93.tar.xz
 /openssl-rhel-740e53ace8f6771c205bf84780e26bcd7a3275df.tar.xz
+/openssl-rhel-d00c3c5b8a9d6d3ea3dabfcafdf36afd61ba8bcc.tar.xz
diff --git a/edk2-build.py b/edk2-build.py
index 3b3e590..27da748 100755
--- a/edk2-build.py
+++ b/edk2-build.py
@@ -9,6 +9,7 @@ import configparser rebase_prefix = "" version_override = None +release_date = None def check_rebase(): """ detect 'git rebase -x edk2-build.py master' testbuilds """
@@ -25,7 +26,7 @@ def check_rebase(): head = f.read().strip().split('/') rebase_prefix = f'[ {int(msgnum/2)} / {int(end/2)} - {head[-1]} ] ' - if msgnum != end: + if msgnum != end and not version_override: # fixed version speeds up builds version_override = "test-build-patch-series"
@@ -51,13 +52,8 @@ def get_version(cfg): return version if os.path.exists(coredir + '/.git'): cmdline = [ 'git', 'describe', '--tags', '--abbrev=8', '--match=edk2-stable*' ] - result = subprocess.run(cmdline, capture_output = True, cwd = coredir) + result = subprocess.run(cmdline, stdout = subprocess.PIPE, cwd = coredir) version = result.stdout.decode().strip() - #cmdline = [ 'git', 'branch', '--show-current'] - #result = subprocess.run(cmdline, capture_output = True, cwd = coredir) - #branch = result.stdout.decode().strip() - #if branch != "master": - # version += f' ({branch})' print('') print(f'### version [git]: {version}') return version
@@ -72,7 +68,12 @@ def pcd_version(cfg): return [] return [ '--pcd', pcd_string('PcdFirmwareVersionString', version) ] -def build_message(line): +def pcd_release_date(cfg): + if release_date is None: + return [] + return [ '--pcd', pcd_string('PcdFirmwareReleaseDateString', release_date) ] + +def build_message(line, line2 = None): if os.environ.get('TERM') in [ 'xterm', 'xterm-256color' ]: # setxterm title start = '\x1b]2;'
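Review bot: The `and not version_override` added to the check_rebase condition is dead in the call order main() uses: check_rebase() is called before `--version-override` is copied into the global (second main() hunk further down), so version_override is still None at that point and the option value then overwrites the test-build string anyway. Either move the assignment ahead of the call, `if options.version_override: version_override = options.version_override` followed by `check_rebase()`, or drop the condition and leave the current precedence explicit. The new pcd_release_date(cfg) also passes release_date into PcdFirmwareReleaseDateString with no format check; the SMBIOS BIOS release date string is defined as mm/dd/yyyy, so a comment at the function, `# value must be mm/dd/yyyy (SMBIOS Type 0 BIOS Release Date)`, or a check at the --release-date option would prevent a silently wrong table. The cfg parameter of pcd_release_date is unused but mirrors pcd_version's signature, which is fine. check_rebase and get_version both start outside the hunks.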
@@ -82,11 +83,32 @@ def build_message(line): print('') print('###') print(f'### {rebase_prefix}{line}') + if line2: + print(f'### {line2}') print('###') -def build_run(cmdline, name): +def build_run(cmdline, name, section, silent = False): print(cmdline) - result = subprocess.run(cmdline) + if silent: + print('### building in silent mode ...', flush = True) + result = subprocess.run(cmdline, + stdout = subprocess.PIPE, + stderr = subprocess.STDOUT) + + logfile = f'{section}.log' + print(f'### writing log to {logfile} ...') + with open(logfile, 'wb') as f: + f.write(result.stdout) + + if result.returncode: + print('### BUILD FAILURE') + print('### output') + print(result.stdout.decode()) + print(f'### exit code: {result.returncode}') + else: + print('### OK') + else: + result = subprocess.run(cmdline) if result.returncode: print(f'ERROR: {cmdline[0]} exited with {result.returncode} while building {name}') sys.exit(result.returncode)
@@ -101,9 +123,10 @@ def build_copy(plat, tgt, dstdir, copy): dstfile = os.path.basename(srcfile) print(f'# copy: {srcdir} / {srcfile} => {dstdir} / {dstfile}') - os.makedirs(dstdir, exist_ok = True) - shutil.copy(srcdir + '/' + srcfile, - dstdir + '/' + dstfile) + src = srcdir + '/' + srcfile + dst = dstdir + '/' + dstfile + os.makedirs(os.path.dirname(dst), exist_ok = True) + shutil.copy(src, dst) def pad_file(dstdir, pad): args = pad.split()
@@ -119,7 +142,7 @@ def pad_file(dstdir, pad): print(f'# padding: {dstdir} / {name} => {size}') subprocess.run(cmdline) -def build_one(cfg, build, jobs = None): +def build_one(cfg, build, jobs = None, silent = False): cmdline = [ 'build' ] cmdline += [ '-t', 'GCC5' ] cmdline += [ '-p', cfg[build]['conf'] ]
@@ -127,6 +150,7 @@ def build_one(cfg, build, jobs = None): if (cfg[build]['conf'].startswith('OvmfPkg/') or cfg[build]['conf'].startswith('ArmVirtPkg/')): cmdline += pcd_version(cfg) + cmdline += pcd_release_date(cfg) if jobs: cmdline += [ '-n', jobs ]
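Review bot: `print(result.stdout.decode())` in build_run's new silent branch raises UnicodeDecodeError if the captured build output contains bytes that are not valid UTF-8, turning the clean `sys.exit(result.returncode)` path into a traceback at the worst moment; `print(result.stdout.decode(errors = 'replace'))` keeps the failure report intact. The log file name `f'{section}.log'` is a bare relative path built from the config section name, so it lands in whatever the working directory is when the build runs (main() may have changed it with the new `-C` option) and would follow any path separators present in a section name; `# log written relative to cwd, named after the config section` above the open() makes that visible. Holding the whole build output in memory through stdout=PIPE is fine for these builds but deserves a one-line remark. build_message's body starts before the hunk.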
@@ -136,15 +160,26 @@ def build_one(cfg, build, jobs = None): for name in cfg[build]['opts'].split(): section = 'opts.' + name for opt in cfg[section]: - cmdline += [ '-D', opt.upper() + '=' + cfg[section][opt] ] + cmdline += [ '-D', opt + '=' + cfg[section][opt] ] + if 'pcds' in cfg[build]: + for name in cfg[build]['pcds'].split(): + section = 'pcds.' + name + for pcd in cfg[section]: + cmdline += [ '--pcd', pcd + '=' + cfg[section][pcd] ] if 'tgts' in cfg[build]: tgts = cfg[build]['tgts'].split() else: tgts = [ 'DEBUG' ] for tgt in tgts: - build_message(f'building: {cfg[build]["conf"]} ({cfg[build]["arch"]}, {tgt})') + desc = None + if 'desc' in cfg[build]: + desc = cfg[build]['desc'] + build_message(f'building: {cfg[build]["conf"]} ({cfg[build]["arch"]}, {tgt})', + f'description: {desc}') build_run(cmdline + [ '-b', tgt ], - cfg[build]['conf']) + cfg[build]['conf'], + build + '.' + tgt, + silent) if 'plat' in cfg[build]: # copy files
@@ -162,11 +197,11 @@ def build_one(cfg, build, jobs = None): pad_file(cfg[build]['dest'], cfg[build][pad]) -def build_basetools(): +def build_basetools(silent = False): build_message(f'building: BaseTools') basedir = os.environ['EDK_TOOLS_PATH'] cmdline = [ 'make', '-C', basedir ] - build_run(cmdline, 'BaseTools') + build_run(cmdline, 'BaseTools', 'build.basetools', silent) def binary_exists(name): for dir in os.environ['PATH'].split(':'):
@@ -184,12 +219,12 @@ def prepare_env(cfg): 'BaseTools/BinWrappers/PosixLike' ] - coredir = get_coredir(cfg) - if coredir != workspace: - packages.append(coredir) if cfg.has_option('global', 'pkgs'): for pkgdir in cfg['global']['pkgs'].split(): packages.append(os.path.abspath(pkgdir)) + coredir = get_coredir(cfg) + if coredir != workspace: + packages.append(coredir) # add basetools to path for dir in dirs:
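Review bot: `build_message(..., f'description: {desc}')` always hands over a non-empty second line, so a build section without a `desc` key prints `### description: None`; passing `f'description: {desc}' if desc else None` lets build_message's `if line2:` guard do its job. Dropping `.upper()` from the `-D` name ties the generated macro names to the parser's optionxform: with the `cfg.optionxform = str` set in main() the config file's case is preserved, but build_one called with a default ConfigParser would now emit lower-cased defines, so `# option names are passed verbatim; relies on cfg.optionxform = str` at the `-D` line is worth having. The same dependency applies to the new `--pcd` loop, where a lower-cased PCD name would not match. build_one starts before the hunk and continues after it.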
@@ -203,8 +238,9 @@ def prepare_env(cfg): # run edksetup if needed toolsdef = coredir + '/Conf/tools_def.txt'; if not os.path.exists(toolsdef): - build_message('running edksetup') - cmdline = [ 'sh', 'edksetup.sh' ] + os.makedirs(os.path.dirname(toolsdef), exist_ok = True) + build_message('running BaseTools/BuildEnv') + cmdline = [ 'sh', 'BaseTools/BuildEnv' ] subprocess.run(cmdline, cwd = coredir) # set variables
@@ -214,15 +250,19 @@ def prepare_env(cfg): os.environ['EDK_TOOLS_PATH'] = coredir + '/BaseTools' os.environ['CONF_PATH'] = coredir + '/Conf' os.environ['PYTHON_COMMAND'] = '/usr/bin/python3' + os.environ['PYTHONHASHSEED'] = '1' # for cross builds if binary_exists('arm-linux-gnu-gcc'): os.environ['GCC5_ARM_PREFIX'] = 'arm-linux-gnu-' if binary_exists('aarch64-linux-gnu-gcc'): os.environ['GCC5_AARCH64_PREFIX'] = 'aarch64-linux-gnu-' + if binary_exists('riscv64-linux-gnu-gcc'): + os.environ['GCC5_RISCV64_PREFIX'] = 'riscv64-linux-gnu-' if binary_exists('x86_64-linux-gnu-gcc'): os.environ['GCC5_IA32_PREFIX'] = 'x86_64-linux-gnu-' os.environ['GCC5_X64_PREFIX'] = 'x86_64-linux-gnu-' + os.environ['GCC5_BIN'] = 'x86_64-linux-gnu-' def build_list(cfg): for build in cfg.sections():
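Review bot: The exit status of `subprocess.run(cmdline, cwd = coredir)` is still ignored, and because the new `os.makedirs(os.path.dirname(toolsdef), exist_ok = True)` now creates Conf/ before BuildEnv runs, a failing BuildEnv leaves an empty Conf directory and the script carries on into `build`, which then fails later with a less obvious error; `subprocess.run(cmdline, cwd = coredir, check = True)` reports the failure where it happens. The tools_def.txt existence test remains the only gate, so the next run would retry, but the first failure should not pass silently. prepare_env starts before the hunk and continues after it.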
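Review bot: `os.environ['PYTHONHASHSEED'] = '1'` is added with no comment; it pins hash randomization for the BaseTools Python processes, presumably to make set/dict iteration order and therefore the build output reproducible, and without a note a reader will take it for a workaround. Suggest `# fixed hash seed: keeps BaseTools' python output reproducible across runs` above it. `GCC5_BIN` is set to the same x86_64 prefix as the IA32/X64 prefixes; if tools_def derives those from GCC5_BIN this is intentional, and naming the consuming tools_def entry in a comment would save the next reader the lookup. prepare_env continues past the hunk.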
@@ -238,14 +278,22 @@ def main(): parser = optparse.OptionParser() parser.add_option('-c', '--config', dest = 'configfile', type = 'string', default = '.edk2.builds') + parser.add_option('-C', '--directory', dest = 'directory', type = 'string') parser.add_option('-j', '--jobs', dest = 'jobs', type = 'string') parser.add_option('-m', '--match', dest = 'match', type = 'string') - parser.add_option('-l', '--list', dest = 'list', action = 'store_true') + parser.add_option('-l', '--list', dest = 'list', action = 'store_true', default = False) + parser.add_option('--silent', dest = 'silent', action = 'store_true', default = False) parser.add_option('--core', dest = 'core', type = 'string') + parser.add_option('--pkg', '--package', dest = 'pkgs', type = 'string', action = 'append') parser.add_option('--version-override', dest = 'version_override', type = 'string') + parser.add_option('--release-date', dest = 'release_date', type = 'string') (options, args) = parser.parse_args() + if options.directory: + os.chdir(options.directory) + cfg = configparser.ConfigParser() + cfg.optionxform = str cfg.read(options.configfile) if options.list:
@@ -256,21 +304,26 @@ def main(): cfg.add_section('global') if options.core: cfg.set('global', 'core', options.core) + if options.pkgs: + cfg.set('global', 'pkgs', ' '.join(options.pkgs)) global version_override + global release_date check_rebase() if options.version_override: version_override = options.version_override + if options.release_date: + release_date = options.release_date prepare_env(cfg) - build_basetools() + build_basetools(options.silent) for build in cfg.sections(): if not build.startswith('build.'): continue if options.match and options.match not in build: print(f'# skipping "{build}" (not matching "{options.match}")') continue - build_one(cfg, build, options.jobs) + build_one(cfg, build, options.jobs, options.silent) if __name__ == '__main__': sys.exit(main())
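Review bot: `os.chdir(options.directory)` runs before `cfg.read(options.configfile)`, so with the new `-C` option a relative `--config` path is resolved inside the target directory, and configparser's read() silently returns an empty list when the file is missing, leaving a config with no build sections and a run that builds nothing; `if not cfg.read(options.configfile): parser.error(f'cannot read {options.configfile}')` catches both a typo and the path-resolution surprise. `cfg.optionxform = str` is what makes the case-preserving `-D` and `--pcd` lines in build_one correct and deserves `# keep option case: names become -D/--pcd macro names` next to it. In the second hunk, `cfg.set('global', 'pkgs', ' '.join(options.pkgs))` replaces a `pkgs` value from the config file instead of extending it; if that precedence is intended, state it in the option's help string, otherwise merge the two lists. main() starts before the first hunk.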
diff --git a/edk2-build.rhel-9 b/edk2-build.rhel-9
index ef7df91..e79ab52 100644
--- a/edk2-build.rhel-9
+++ b/edk2-build.rhel-9
@@ -8,6 +8,7 @@ NETWORK_ALLOW_HTTP_CONNECTIONS = TRUE TPM2_ENABLE = TRUE TPM2_CONFIG_ENABLE = TRUE TPM1_ENABLE = FALSE +CAVIUM_ERRATUM_27456 = TRUE [opts.ovmf.4m] FD_SIZE_4MB = TRUE
@@ -34,7 +35,8 @@ DEBUG_PRINT_ERROR_LEVEL = 0x80000000 desc = ovmf build (64-bit, 4MB) conf = OvmfPkg/OvmfPkgX64.dsc arch = X64 -opts = ovmf.common ovmf.4m +opts = ovmf.common + ovmf.4m plat = OvmfX64 dest = RHEL-9/ovmf cpy1 = FV/OVMF_CODE.fd OVMF_CODE.fd
@@ -45,7 +47,9 @@ cpy3 = X64/Shell.efi desc = ovmf build (32/64-bit, 4MB, q35 only, needs smm, secure boot) conf = OvmfPkg/OvmfPkgIa32X64.dsc arch = IA32 X64 -opts = ovmf.common ovmf.4m ovmf.sb.smm +opts = ovmf.common + ovmf.4m + ovmf.sb.smm plat = Ovmf3264 dest = RHEL-9/ovmf cpy1 = FV/OVMF_CODE.fd OVMF_CODE.secboot.fd
@@ -59,7 +63,8 @@ cpy2 = X64/EnrollDefaultKeys.efi desc = ovmf build for AmdSev (4MB) conf = OvmfPkg/AmdSev/AmdSevX64.dsc arch = X64 -opts = ovmf.common ovmf.4m +opts = ovmf.common + ovmf.4m plat = AmdSev dest = RHEL-9/ovmf cpy1 = FV/OVMF.fd OVMF.amdsev.fd
@@ -68,7 +73,8 @@ cpy1 = FV/OVMF.fd OVMF.amdsev.fd desc = ovmf build for IntelTdx (4MB) conf = OvmfPkg/IntelTdx/IntelTdxX64.dsc arch = X64 -opts = ovmf.common ovmf.4m +opts = ovmf.common + ovmf.4m plat = IntelTdx dest = RHEL-9/ovmf cpy1 = FV/OVMF.fd OVMF.inteltdx.fd
@@ -81,7 +87,8 @@ cpy1 = FV/OVMF.fd OVMF.inteltdx.fd desc = ArmVirt build for qemu, 64-bit (arm v8), verbose conf = ArmVirtPkg/ArmVirtQemu.dsc arch = AARCH64 -opts = ovmf.common armvirt.verbose +opts = ovmf.common + armvirt.verbose plat = ArmVirtQemu-AARCH64 dest = RHEL-9/aarch64 cpy1 = FV/QEMU_EFI.fd
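Review bot: `CAVIUM_ERRATUM_27456 = TRUE` is added next to the TPM defines, which from the surrounding lines appears to be the shared ovmf.common option set (the section header is outside the hunk); that macro is only consumed by the ArmVirt platforms, so every x86 OVMF build will also receive `-D CAVIUM_ERRATUM_27456=TRUE`, which the build tool ignores but which misleads anyone reading the common list. Moving it to the armvirt-specific sections, or adding `# ArmVirt only; OvmfPkg ignores this define` beside it, keeps the common section honest. The later hunks only split `opts` across continuation lines, which build_one's `.split()` handles unchanged.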
@@ -95,7 +102,8 @@ pad4 = vars-template-pflash.raw 64m desc = ArmVirt build for qemu, 64-bit (arm v8), silent conf = ArmVirtPkg/ArmVirtQemu.dsc arch = AARCH64 -opts = ovmf.common armvirt.silent +opts = ovmf.common + armvirt.silent plat = ArmVirtQemu-AARCH64 dest = RHEL-9/aarch64 cpy1 = FV/QEMU_EFI.fd QEMU_EFI.silent.fd
diff --git a/edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch b/edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch
new file mode 100644
index 0000000..dc7e0f6
--- /dev/null
+++ b/edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch
@@ -0,0 +1,42 @@
+From dca1a100d14056865c7360d80a2a1d1ae4b0de96 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Fri, 10 Feb 2023 10:49:44 +0100
+Subject: [PATCH 5/5] rh openssl: add crypto/bn/rsa_sup_mul.c to file list
+
+RH-Author: Gerd Hoffmann
+RH-MergeRequest: 27: openssl update
+RH-Bugzilla: 2164534 2164550 2164565 2164583
+RH-Acked-by: Miroslav Rezanina
+RH-Commit: [2/2] a097fc031b54208e9c8974173784e4c306dbf7a0 (kraxel/centos-edk2)
+---
+ CryptoPkg/Library/OpensslLib/OpensslLib.inf | 1 +
+ CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+index e446b51e66..7e78255467 100644
+--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
++++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+@@ -576,6 +576,7 @@
+ $(OPENSSL_PATH)/ssl/statem/statem_local.h
+ # Autogenerated files list ends here
+ # RHEL8-specific OpenSSL file list starts here
++ $(OPENSSL_PATH)/crypto/bn/rsa_sup_mul.c
+ $(OPENSSL_PATH)/crypto/evp/kdf_lib.c
+ $(OPENSSL_PATH)/crypto/evp/pkey_kdf.c
+ $(OPENSSL_PATH)/crypto/kdf/kbkdf.c
+diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+index c207dc8f4c..1c551cb099 100644
+--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
++++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+@@ -526,6 +526,7 @@
+ $(OPENSSL_PATH)/crypto/x509v3/v3_admis.h
+ # Autogenerated files list ends here
+ # RHEL8-specific OpenSSL file list starts here
++ $(OPENSSL_PATH)/crypto/bn/rsa_sup_mul.c
+ $(OPENSSL_PATH)/crypto/evp/kdf_lib.c
+ $(OPENSSL_PATH)/crypto/evp/pkey_kdf.c
+ $(OPENSSL_PATH)/crypto/kdf/kbkdf.c
+--
+2.31.1
+
diff --git a/edk2.spec b/edk2.spec
index 304d435..b8dd571 100644
--- a/edk2.spec
+++ b/edk2.spec
@@ -16,7 +16,7 @@ ExclusiveArch: x86_64 aarch64 Name: edk2 Version: %{GITDATE}git%{GITCOMMIT} -Release: 5%{?dist} +Release: 6%{?dist} Summary: UEFI firmware for 64-bit virtual machines License: BSD-2-Clause-Patent and OpenSSL and MIT URL: http://www.tianocore.org
@@ -27,7 +27,7 @@ URL: http://www.tianocore.org # | xz -9ev >/tmp/edk2-$COMMIT.tar.xz Source0:edk2-%{GITCOMMIT}.tar.xz Source1: ovmf-whitepaper-c770f8c.txt -Source2: openssl-rhel-740e53ace8f6771c205bf84780e26bcd7a3275df.tar.xz +Source2: openssl-rhel-d00c3c5b8a9d6d3ea3dabfcafdf36afd61ba8bcc.tar.xz # json description files Source10: 50-edk2-aarch64.json
@@ -79,6 +79,11 @@ Patch35: edk2-MdePkg-Remove-Itanium-leftover-data-structure-RH-onl.patch Patch36: edk2-ArmVirt-don-t-use-unaligned-CopyMem-on-NOR-flash.patch # For bz#2157656 - [edk2] [aarch64] Unable to initialize EFI firmware when using edk2-aarch64-20221207gitfff6d81270b5-1.el9 in some hardwares Patch37: edk2-Revert-ArmVirtPkg-ArmVirtQemu-enable-initial-ID-map-.patch +# For bz#2164534 - CVE-2023-0286 edk2: openssl: X.400 address type confusion in X.509 GeneralName [rhel-9] +# For bz#2164550 - CVE-2022-4304 edk2: openssl: timing attack in RSA Decryption implementation [rhel-9] +# For bz#2164565 - CVE-2023-0215 edk2: openssl: use-after-free following BIO_new_NDEF [rhel-9] +# For bz#2164583 - CVE-2022-4450 edk2: openssl: double free after calling PEM_read_bio_ex [rhel-9] +Patch38: edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch # python3-devel and libuuid-devel are required for building tools.
@@ -225,11 +230,12 @@ build_iso() { export EXTRA_OPTFLAGS="%{optflags}" export EXTRA_LDFLAGS="%{__global_ldflags}" +export RELEASE_DATE="$(echo %{GITDATE} | sed -e 's|\(....\)\(..\)\(..\)|\2/\3/\1|')" touch OvmfPkg/AmdSev/Grub/grub.efi # dummy %if %{build_ovmf} -./edk2-build.py --config edk2-build.rhel-9 -m ovmf +./edk2-build.py --config edk2-build.rhel-9 -m ovmf --release-date "$RELEASE_DATE" build_iso RHEL-9/ovmf virt-fw-vars --input RHEL-9/ovmf/OVMF_VARS.fd \ --output RHEL-9/ovmf/OVMF_VARS.secboot.fd \
@@ -237,7 +243,7 @@ virt-fw-vars --input RHEL-9/ovmf/OVMF_VARS.fd \ %endif %if %{build_aarch64} -./edk2-build.py --config edk2-build.rhel-9 -m armvirt +./edk2-build.py --config edk2-build.rhel-9 -m armvirt --release-date "$RELEASE_DATE" %endif %install
@@ -383,6 +389,23 @@ install -m 0644 \ %changelog +* Mon Feb 13 2023 Miroslav Rezanina - 20221207gitfff6d81270b5-6 +- edk2-update-build-script-rhel-only.patch [bz#2168046] +- edk2-update-build-config-rhel-only.patch [bz#2168046] +- edk2-add-release-date-to-builds-rh-only.patch [bz#2168046] +- edk2-openssl-update.patch [bz#2164534 bz#2164550 bz#2164565 bz#2164583] +- edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch [bz#2164534 bz#2164550 bz#2164565 bz#2164583] +- Resolves: bz#2168046 + ([SVVP] job 'Check SMBIOS Table Specific Requirements' failed on win2022) +- Resolves: bz#2164534 + (CVE-2023-0286 edk2: openssl: X.400 address type confusion in X.509 GeneralName [rhel-9]) +- Resolves: bz#2164550 + (CVE-2022-4304 edk2: openssl: timing attack in RSA Decryption implementation [rhel-9]) +- Resolves: bz#2164565 + (CVE-2023-0215 edk2: openssl: use-after-free following BIO_new_NDEF [rhel-9]) +- Resolves: bz#2164583 + (CVE-2022-4450 edk2: openssl: double free after calling PEM_read_bio_ex [rhel-9]) + * Mon Feb 06 2023 Miroslav Rezanina - 20221207gitfff6d81270b5-5 - edk2-Revert-ArmVirtPkg-ArmVirtQemu-enable-initial-ID-map-.patch [bz#2157656] - Resolves: bz#2157656
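Review bot: The sed in `export RELEASE_DATE=...` matches any three groups of 4/2/2 characters, so if %{GITDATE} is ever not an 8-digit YYYYMMDD string the rewrite either passes it through unchanged or reorders arbitrary characters, and that value then reaches `--release-date` and the firmware's SMBIOS release date unverified. `export RELEASE_DATE="$(date -u -d '%{GITDATE}' +%%m/%%d/%%Y)"` fails the build on a malformed date instead, and a comment such as `# SMBIOS Type 0 BIOS release date: mm/dd/yyyy` explains the field order. The same exported value feeds both edk2-build.py invocations, so the check only needs to happen once here.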
diff --git a/sources b/sources
index 8feaf0c..e72430c 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 SHA512 (edk2-fff6d81270b5.tar.xz) = 3b215ae200c6be355aa937ef933cc636867416a24e159a83852d7972b7b70f712df3773c429ed5ac5cc6e300fd6f733d6a5bc1b54a06fc0bc3f98ea14d7cb068
-SHA512 (openssl-rhel-740e53ace8f6771c205bf84780e26bcd7a3275df.tar.xz) = 8260c5faa963d0fc35ff9b17cacbbe7f7c1251f5b9243d63814313c230f6e0141b92e7a65d5adf5199795779261f738c26b9e93bfc007e96ee207b9a7ec6bea3
+SHA512 (openssl-rhel-d00c3c5b8a9d6d3ea3dabfcafdf36afd61ba8bcc.tar.xz) = 6842e767f767fe79edcb9ba8e32ce2956e8b56f0b265f79a5b4dbd4bba51b63d9733841badee7f2ffdcca803baf82b3e9e132fd465c22027539dcfd02608e99a