rpms/edk2
6
0
Fork 0
Code Issues Pull Requests Releases Activity

* Mon Feb 13 2023 Miroslav Rezanina <mrezanin@redhat.com> - 20221207gitfff6d81270b5-6

Browse Source 
- edk2-update-build-script-rhel-only.patch [bz#2168046]
- edk2-update-build-config-rhel-only.patch [bz#2168046]
- edk2-add-release-date-to-builds-rh-only.patch [bz#2168046]
- edk2-openssl-update.patch [bz#2164534 bz#2164550 bz#2164565 bz#2164583]
- edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch [bz#2164534 bz#2164550 bz#2164565 bz#2164583]
- Resolves: bz#2168046
  ([SVVP] job 'Check SMBIOS Table Specific Requirements' failed on win2022)
- Resolves: bz#2164534
  (CVE-2023-0286 edk2: openssl: X.400 address type confusion in X.509 GeneralName [rhel-9])
- Resolves: bz#2164550
  (CVE-2022-4304 edk2: openssl: timing attack in RSA Decryption implementation [rhel-9])
- Resolves: bz#2164565
  (CVE-2023-0215 edk2: openssl: use-after-free following BIO_new_NDEF [rhel-9])
- Resolves: bz#2164583
  (CVE-2022-4450 edk2: openssl: double free after calling PEM_read_bio_ex [rhel-9])
This commit is contained in:
Miroslav Rezanina 2023-02-13 02:40:34 -05:00
parent 410d8c40be
commit 61318a0867
6 changed files with 165 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -8,3 +8,4 @@
/openssl-rhel-bdd048e929dcfcf2f046d74e812e0e3d5fc58504.tar.xz
/openssl-rhel-a75722161d20fd632f8875585d3aa066ec5fea93.tar.xz
/openssl-rhel-740e53ace8f6771c205bf84780e26bcd7a3275df.tar.xz
/openssl-rhel-d00c3c5b8a9d6d3ea3dabfcafdf36afd61ba8bcc.tar.xz

107
edk2-build.py
View File

@ -9,6 +9,7 @@ import configparser
rebase_prefix = ""
version_override = None
release_date = None
def check_rebase():
""" detect 'git rebase -x edk2-build.py master' testbuilds """
@ -25,7 +26,7 @@ def check_rebase():
head = f.read().strip().split('/')
rebase_prefix = f'[ {int(msgnum/2)} / {int(end/2)} - {head[-1]} ] '
if msgnum != end:
if msgnum != end and not version_override:
# fixed version speeds up builds
version_override = "test-build-patch-series"
@ -51,13 +52,8 @@ def get_version(cfg):
return version
if os.path.exists(coredir + '/.git'):
cmdline = [ 'git', 'describe', '--tags', '--abbrev=8', '--match=edk2-stable*' ]
result = subprocess.run(cmdline, capture_output = True, cwd = coredir)
result = subprocess.run(cmdline, stdout = subprocess.PIPE, cwd = coredir)
version = result.stdout.decode().strip()
#cmdline = [ 'git', 'branch', '--show-current']
#result = subprocess.run(cmdline, capture_output = True, cwd = coredir)
#branch = result.stdout.decode().strip()
#if branch != "master":
# version += f' ({branch})'
print('')
print(f'### version [git]: {version}')
return version
@ -72,7 +68,12 @@ def pcd_version(cfg):
return []
return [ '--pcd', pcd_string('PcdFirmwareVersionString', version) ]
def build_message(line):
def pcd_release_date(cfg):
if release_date is None:
return []
return [ '--pcd', pcd_string('PcdFirmwareReleaseDateString', release_date) ]
def build_message(line, line2 = None):
if os.environ.get('TERM') in [ 'xterm', 'xterm-256color' ]:
# setxterm title
start = '\x1b]2;'
@ -82,11 +83,32 @@ def build_message(line):
print('')
print('###')
print(f'### {rebase_prefix}{line}')
if line2:
print(f'### {line2}')
print('###')
def build_run(cmdline, name):
def build_run(cmdline, name, section, silent = False):
print(cmdline)
result = subprocess.run(cmdline)
if silent:
print('### building in silent mode ...', flush = True)
result = subprocess.run(cmdline,
stdout = subprocess.PIPE,
stderr = subprocess.STDOUT)
logfile = f'{section}.log'
print(f'### writing log to {logfile} ...')
with open(logfile, 'wb') as f:
f.write(result.stdout)
if result.returncode:
print('### BUILD FAILURE')
print('### output')
print(result.stdout.decode())
print(f'### exit code: {result.returncode}')
else:
print('### OK')
else:
result = subprocess.run(cmdline)
if result.returncode:
print(f'ERROR: {cmdline[0]} exited with {result.returncode} while building {name}')
sys.exit(result.returncode)
@ -101,9 +123,10 @@ def build_copy(plat, tgt, dstdir, copy):
dstfile = os.path.basename(srcfile)
print(f'# copy: {srcdir} / {srcfile} => {dstdir} / {dstfile}')
os.makedirs(dstdir, exist_ok = True)
shutil.copy(srcdir + '/' + srcfile,
dstdir + '/' + dstfile)
src = srcdir + '/' + srcfile
dst = dstdir + '/' + dstfile
os.makedirs(os.path.dirname(dst), exist_ok = True)
shutil.copy(src, dst)
def pad_file(dstdir, pad):
args = pad.split()
@ -119,7 +142,7 @@ def pad_file(dstdir, pad):
print(f'# padding: {dstdir} / {name} => {size}')
subprocess.run(cmdline)
def build_one(cfg, build, jobs = None):
def build_one(cfg, build, jobs = None, silent = False):
cmdline = [ 'build' ]
cmdline += [ '-t', 'GCC5' ]
cmdline += [ '-p', cfg[build]['conf'] ]
@ -127,6 +150,7 @@ def build_one(cfg, build, jobs = None):
if (cfg[build]['conf'].startswith('OvmfPkg/') or
cfg[build]['conf'].startswith('ArmVirtPkg/')):
cmdline += pcd_version(cfg)
cmdline += pcd_release_date(cfg)
if jobs:
cmdline += [ '-n', jobs ]
@ -136,15 +160,26 @@ def build_one(cfg, build, jobs = None):
for name in cfg[build]['opts'].split():
section = 'opts.' + name
for opt in cfg[section]:
cmdline += [ '-D', opt.upper() + '=' + cfg[section][opt] ]
cmdline += [ '-D', opt + '=' + cfg[section][opt] ]
if 'pcds' in cfg[build]:
for name in cfg[build]['pcds'].split():
section = 'pcds.' + name
for pcd in cfg[section]:
cmdline += [ '--pcd', pcd + '=' + cfg[section][pcd] ]
if 'tgts' in cfg[build]:
tgts = cfg[build]['tgts'].split()
else:
tgts = [ 'DEBUG' ]
for tgt in tgts:
build_message(f'building: {cfg[build]["conf"]} ({cfg[build]["arch"]}, {tgt})')
desc = None
if 'desc' in cfg[build]:
desc = cfg[build]['desc']
build_message(f'building: {cfg[build]["conf"]} ({cfg[build]["arch"]}, {tgt})',
f'description: {desc}')
build_run(cmdline + [ '-b', tgt ],
cfg[build]['conf'])
cfg[build]['conf'],
build + '.' + tgt,
silent)
if 'plat' in cfg[build]:
# copy files
@ -162,11 +197,11 @@ def build_one(cfg, build, jobs = None):
pad_file(cfg[build]['dest'],
cfg[build][pad])
def build_basetools():
def build_basetools(silent = False):
build_message(f'building: BaseTools')
basedir = os.environ['EDK_TOOLS_PATH']
cmdline = [ 'make', '-C', basedir ]
build_run(cmdline, 'BaseTools')
build_run(cmdline, 'BaseTools', 'build.basetools', silent)
def binary_exists(name):
for dir in os.environ['PATH'].split(':'):
@ -184,12 +219,12 @@ def prepare_env(cfg):
'BaseTools/BinWrappers/PosixLike'
]
coredir = get_coredir(cfg)
if coredir != workspace:
packages.append(coredir)
if cfg.has_option('global', 'pkgs'):
for pkgdir in cfg['global']['pkgs'].split():
packages.append(os.path.abspath(pkgdir))
coredir = get_coredir(cfg)
if coredir != workspace:
packages.append(coredir)
# add basetools to path
for dir in dirs:
@ -203,8 +238,9 @@ def prepare_env(cfg):
# run edksetup if needed
toolsdef = coredir + '/Conf/tools_def.txt';
if not os.path.exists(toolsdef):
build_message('running edksetup')
cmdline = [ 'sh', 'edksetup.sh' ]
os.makedirs(os.path.dirname(toolsdef), exist_ok = True)
build_message('running BaseTools/BuildEnv')
cmdline = [ 'sh', 'BaseTools/BuildEnv' ]
subprocess.run(cmdline, cwd = coredir)
# set variables
@ -214,15 +250,19 @@ def prepare_env(cfg):
os.environ['EDK_TOOLS_PATH'] = coredir + '/BaseTools'
os.environ['CONF_PATH'] = coredir + '/Conf'
os.environ['PYTHON_COMMAND'] = '/usr/bin/python3'
os.environ['PYTHONHASHSEED'] = '1'
# for cross builds
if binary_exists('arm-linux-gnu-gcc'):
os.environ['GCC5_ARM_PREFIX'] = 'arm-linux-gnu-'
if binary_exists('aarch64-linux-gnu-gcc'):
os.environ['GCC5_AARCH64_PREFIX'] = 'aarch64-linux-gnu-'
if binary_exists('riscv64-linux-gnu-gcc'):
os.environ['GCC5_RISCV64_PREFIX'] = 'riscv64-linux-gnu-'
if binary_exists('x86_64-linux-gnu-gcc'):
os.environ['GCC5_IA32_PREFIX'] = 'x86_64-linux-gnu-'
os.environ['GCC5_X64_PREFIX'] = 'x86_64-linux-gnu-'
os.environ['GCC5_BIN'] = 'x86_64-linux-gnu-'
def build_list(cfg):
for build in cfg.sections():
@ -238,14 +278,22 @@ def main():
parser = optparse.OptionParser()
parser.add_option('-c', '--config', dest = 'configfile',
type = 'string', default = '.edk2.builds')
parser.add_option('-C', '--directory', dest = 'directory', type = 'string')
parser.add_option('-j', '--jobs', dest = 'jobs', type = 'string')
parser.add_option('-m', '--match', dest = 'match', type = 'string')
parser.add_option('-l', '--list', dest = 'list', action = 'store_true')
parser.add_option('-l', '--list', dest = 'list', action = 'store_true', default = False)
parser.add_option('--silent', dest = 'silent', action = 'store_true', default = False)
parser.add_option('--core', dest = 'core', type = 'string')
parser.add_option('--pkg', '--package', dest = 'pkgs', type = 'string', action = 'append')
parser.add_option('--version-override', dest = 'version_override', type = 'string')
parser.add_option('--release-date', dest = 'release_date', type = 'string')
(options, args) = parser.parse_args()
if options.directory:
os.chdir(options.directory)
cfg = configparser.ConfigParser()
cfg.optionxform = str
cfg.read(options.configfile)
if options.list:
@ -256,21 +304,26 @@ def main():
cfg.add_section('global')
if options.core:
cfg.set('global', 'core', options.core)
if options.pkgs:
cfg.set('global', 'pkgs', ' '.join(options.pkgs))
global version_override
global release_date
check_rebase()
if options.version_override:
version_override = options.version_override
if options.release_date:
release_date = options.release_date
prepare_env(cfg)
build_basetools()
build_basetools(options.silent)
for build in cfg.sections():
if not build.startswith('build.'):
continue
if options.match and options.match not in build:
print(f'# skipping "{build}" (not matching "{options.match}")')
continue
build_one(cfg, build, options.jobs)
build_one(cfg, build, options.jobs, options.silent)
if __name__ == '__main__':
sys.exit(main())

20
edk2-build.rhel-9
View File

@ -8,6 +8,7 @@ NETWORK_ALLOW_HTTP_CONNECTIONS = TRUE
TPM2_ENABLE = TRUE
TPM2_CONFIG_ENABLE = TRUE
TPM1_ENABLE = FALSE
CAVIUM_ERRATUM_27456 = TRUE
[opts.ovmf.4m]
FD_SIZE_4MB = TRUE
@ -34,7 +35,8 @@ DEBUG_PRINT_ERROR_LEVEL = 0x80000000
desc = ovmf build (64-bit, 4MB)
conf = OvmfPkg/OvmfPkgX64.dsc
arch = X64
opts = ovmf.common ovmf.4m
opts = ovmf.common
ovmf.4m
plat = OvmfX64
dest = RHEL-9/ovmf
cpy1 = FV/OVMF_CODE.fd OVMF_CODE.fd
@ -45,7 +47,9 @@ cpy3 = X64/Shell.efi
desc = ovmf build (32/64-bit, 4MB, q35 only, needs smm, secure boot)
conf = OvmfPkg/OvmfPkgIa32X64.dsc
arch = IA32 X64
opts = ovmf.common ovmf.4m ovmf.sb.smm
opts = ovmf.common
ovmf.4m
ovmf.sb.smm
plat = Ovmf3264
dest = RHEL-9/ovmf
cpy1 = FV/OVMF_CODE.fd OVMF_CODE.secboot.fd
@ -59,7 +63,8 @@ cpy2 = X64/EnrollDefaultKeys.efi
desc = ovmf build for AmdSev (4MB)
conf = OvmfPkg/AmdSev/AmdSevX64.dsc
arch = X64
opts = ovmf.common ovmf.4m
opts = ovmf.common
ovmf.4m
plat = AmdSev
dest = RHEL-9/ovmf
cpy1 = FV/OVMF.fd OVMF.amdsev.fd
@ -68,7 +73,8 @@ cpy1 = FV/OVMF.fd OVMF.amdsev.fd
desc = ovmf build for IntelTdx (4MB)
conf = OvmfPkg/IntelTdx/IntelTdxX64.dsc
arch = X64
opts = ovmf.common ovmf.4m
opts = ovmf.common
ovmf.4m
plat = IntelTdx
dest = RHEL-9/ovmf
cpy1 = FV/OVMF.fd OVMF.inteltdx.fd
@ -81,7 +87,8 @@ cpy1 = FV/OVMF.fd OVMF.inteltdx.fd
desc = ArmVirt build for qemu, 64-bit (arm v8), verbose
conf = ArmVirtPkg/ArmVirtQemu.dsc
arch = AARCH64
opts = ovmf.common armvirt.verbose
opts = ovmf.common
armvirt.verbose
plat = ArmVirtQemu-AARCH64
dest = RHEL-9/aarch64
cpy1 = FV/QEMU_EFI.fd
@ -95,7 +102,8 @@ pad4 = vars-template-pflash.raw 64m
desc = ArmVirt build for qemu, 64-bit (arm v8), silent
conf = ArmVirtPkg/ArmVirtQemu.dsc
arch = AARCH64
opts = ovmf.common armvirt.silent
opts = ovmf.common
armvirt.silent
plat = ArmVirtQemu-AARCH64
dest = RHEL-9/aarch64
cpy1 = FV/QEMU_EFI.fd QEMU_EFI.silent.fd

42
edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch Normal file
View File

@ -0,0 +1,42 @@
From dca1a100d14056865c7360d80a2a1d1ae4b0de96 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 10 Feb 2023 10:49:44 +0100
Subject: [PATCH 5/5] rh openssl: add crypto/bn/rsa_sup_mul.c to file list
RH-Author: Gerd Hoffmann <kraxel@redhat.com>
RH-MergeRequest: 27: openssl update
RH-Bugzilla: 2164534 2164550 2164565 2164583
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Commit: [2/2] a097fc031b54208e9c8974173784e4c306dbf7a0 (kraxel/centos-edk2)
---
CryptoPkg/Library/OpensslLib/OpensslLib.inf | 1 +
CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf | 1 +
2 files changed, 2 insertions(+)
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index e446b51e66..7e78255467 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -576,6 +576,7 @@
$(OPENSSL_PATH)/ssl/statem/statem_local.h
# Autogenerated files list ends here
# RHEL8-specific OpenSSL file list starts here
+ $(OPENSSL_PATH)/crypto/bn/rsa_sup_mul.c
$(OPENSSL_PATH)/crypto/evp/kdf_lib.c
$(OPENSSL_PATH)/crypto/evp/pkey_kdf.c
$(OPENSSL_PATH)/crypto/kdf/kbkdf.c
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index c207dc8f4c..1c551cb099 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -526,6 +526,7 @@
$(OPENSSL_PATH)/crypto/x509v3/v3_admis.h
# Autogenerated files list ends here
# RHEL8-specific OpenSSL file list starts here
+ $(OPENSSL_PATH)/crypto/bn/rsa_sup_mul.c
$(OPENSSL_PATH)/crypto/evp/kdf_lib.c
$(OPENSSL_PATH)/crypto/evp/pkey_kdf.c
$(OPENSSL_PATH)/crypto/kdf/kbkdf.c
--
2.31.1

31
edk2.spec
View File

@ -16,7 +16,7 @@ ExclusiveArch: x86_64 aarch64
Name: edk2
Version: %{GITDATE}git%{GITCOMMIT}
Release: 5%{?dist}
Release: 6%{?dist}
Summary: UEFI firmware for 64-bit virtual machines
License: BSD-2-Clause-Patent and OpenSSL and MIT
URL: http://www.tianocore.org
@ -27,7 +27,7 @@ URL: http://www.tianocore.org
# | xz -9ev >/tmp/edk2-$COMMIT.tar.xz
Source0:edk2-%{GITCOMMIT}.tar.xz
Source1: ovmf-whitepaper-c770f8c.txt
Source2: openssl-rhel-740e53ace8f6771c205bf84780e26bcd7a3275df.tar.xz
Source2: openssl-rhel-d00c3c5b8a9d6d3ea3dabfcafdf36afd61ba8bcc.tar.xz
# json description files
Source10: 50-edk2-aarch64.json
@ -79,6 +79,11 @@ Patch35: edk2-MdePkg-Remove-Itanium-leftover-data-structure-RH-onl.patch
Patch36: edk2-ArmVirt-don-t-use-unaligned-CopyMem-on-NOR-flash.patch
# For bz#2157656 - [edk2] [aarch64] Unable to initialize EFI firmware when using edk2-aarch64-20221207gitfff6d81270b5-1.el9 in some hardwares
Patch37: edk2-Revert-ArmVirtPkg-ArmVirtQemu-enable-initial-ID-map-.patch
# For bz#2164534 - CVE-2023-0286 edk2: openssl: X.400 address type confusion in X.509 GeneralName [rhel-9]
# For bz#2164550 - CVE-2022-4304 edk2: openssl: timing attack in RSA Decryption implementation [rhel-9]
# For bz#2164565 - CVE-2023-0215 edk2: openssl: use-after-free following BIO_new_NDEF [rhel-9]
# For bz#2164583 - CVE-2022-4450 edk2: openssl: double free after calling PEM_read_bio_ex [rhel-9]
Patch38: edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch
# python3-devel and libuuid-devel are required for building tools.
@ -225,11 +230,12 @@ build_iso() {
export EXTRA_OPTFLAGS="%{optflags}"
export EXTRA_LDFLAGS="%{__global_ldflags}"
export RELEASE_DATE="$(echo %{GITDATE} | sed -e 's|\(....\)\(..\)\(..\)|\2/\3/\1|')"
touch OvmfPkg/AmdSev/Grub/grub.efi # dummy
%if %{build_ovmf}
./edk2-build.py --config edk2-build.rhel-9 -m ovmf
./edk2-build.py --config edk2-build.rhel-9 -m ovmf --release-date "$RELEASE_DATE"
build_iso RHEL-9/ovmf
virt-fw-vars --input RHEL-9/ovmf/OVMF_VARS.fd \
--output RHEL-9/ovmf/OVMF_VARS.secboot.fd \
@ -237,7 +243,7 @@ virt-fw-vars --input RHEL-9/ovmf/OVMF_VARS.fd \
%endif
%if %{build_aarch64}
./edk2-build.py --config edk2-build.rhel-9 -m armvirt
./edk2-build.py --config edk2-build.rhel-9 -m armvirt --release-date "$RELEASE_DATE"
%endif
%install
@ -383,6 +389,23 @@ install -m 0644 \
%changelog
* Mon Feb 13 2023 Miroslav Rezanina <mrezanin@redhat.com> - 20221207gitfff6d81270b5-6
- edk2-update-build-script-rhel-only.patch [bz#2168046]
- edk2-update-build-config-rhel-only.patch [bz#2168046]
- edk2-add-release-date-to-builds-rh-only.patch [bz#2168046]
- edk2-openssl-update.patch [bz#2164534 bz#2164550 bz#2164565 bz#2164583]
- edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch [bz#2164534 bz#2164550 bz#2164565 bz#2164583]
- Resolves: bz#2168046
([SVVP] job 'Check SMBIOS Table Specific Requirements' failed on win2022)
- Resolves: bz#2164534
(CVE-2023-0286 edk2: openssl: X.400 address type confusion in X.509 GeneralName [rhel-9])
- Resolves: bz#2164550
(CVE-2022-4304 edk2: openssl: timing attack in RSA Decryption implementation [rhel-9])
- Resolves: bz#2164565
(CVE-2023-0215 edk2: openssl: use-after-free following BIO_new_NDEF [rhel-9])
- Resolves: bz#2164583
(CVE-2022-4450 edk2: openssl: double free after calling PEM_read_bio_ex [rhel-9])
* Mon Feb 06 2023 Miroslav Rezanina <mrezanin@redhat.com> - 20221207gitfff6d81270b5-5
- edk2-Revert-ArmVirtPkg-ArmVirtQemu-enable-initial-ID-map-.patch [bz#2157656]
- Resolves: bz#2157656

2
sources
View File

@ -1,2 +1,2 @@
SHA512 (edk2-fff6d81270b5.tar.xz) = 3b215ae200c6be355aa937ef933cc636867416a24e159a83852d7972b7b70f712df3773c429ed5ac5cc6e300fd6f733d6a5bc1b54a06fc0bc3f98ea14d7cb068
SHA512 (openssl-rhel-740e53ace8f6771c205bf84780e26bcd7a3275df.tar.xz) = 8260c5faa963d0fc35ff9b17cacbbe7f7c1251f5b9243d63814313c230f6e0141b92e7a65d5adf5199795779261f738c26b9e93bfc007e96ee207b9a7ec6bea3
SHA512 (openssl-rhel-d00c3c5b8a9d6d3ea3dabfcafdf36afd61ba8bcc.tar.xz) = 6842e767f767fe79edcb9ba8e32ce2956e8b56f0b265f79a5b4dbd4bba51b63d9733841badee7f2ffdcca803baf82b3e9e132fd465c22027539dcfd02608e99a