import CS edk2-20220126gitbb1bba3d77-7.el8
This commit is contained in:
parent
2e1d5e2456
commit
df6c232fe4
@ -1,3 +1,2 @@
|
|||||||
fdcb04021414cdd5a7e286058ca36aca359d323d SOURCES/RedHatSecureBootPkKek1.pem
|
|
||||||
ae830c7278f985cb25e90f4687b46c8b22316bef SOURCES/edk2-bb1bba3d77.tar.xz
|
ae830c7278f985cb25e90f4687b46c8b22316bef SOURCES/edk2-bb1bba3d77.tar.xz
|
||||||
df2e14a45d968b590194d82736fcbfe2be10d1b0 SOURCES/openssl-rhel-d00c3c5b8a9d6d3ea3dabfcafdf36afd61ba8bcc.tar.xz
|
df2e14a45d968b590194d82736fcbfe2be10d1b0 SOURCES/openssl-rhel-d00c3c5b8a9d6d3ea3dabfcafdf36afd61ba8bcc.tar.xz
|
||||||
|
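--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,2 @@
-SOURCES/RedHatSecureBootPkKek1.pem
 SOURCES/edk2-bb1bba3d77.tar.xz
 SOURCES/openssl-rhel-d00c3c5b8a9d6d3ea3dabfcafdf36afd61ba8bcc.tar.xz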
22
SOURCES/RedHatSecureBootPkKek1.pem
Normal file
22
SOURCES/RedHatSecureBootPkKek1.pem
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDoDCCAoigAwIBAgIJAP71iOjzlsDxMA0GCSqGSIb3DQEBCwUAMFExKzApBgNV
|
||||||
|
BAMTIlJlZCBIYXQgU2VjdXJlIEJvb3QgKFBLL0tFSyBrZXkgMSkxIjAgBgkqhkiG
|
||||||
|
9w0BCQEWE3NlY2FsZXJ0QHJlZGhhdC5jb20wHhcNMTQxMDMxMTExNTM3WhcNMzcx
|
||||||
|
MDI1MTExNTM3WjBRMSswKQYDVQQDEyJSZWQgSGF0IFNlY3VyZSBCb290IChQSy9L
|
||||||
|
RUsga2V5IDEpMSIwIAYJKoZIhvcNAQkBFhNzZWNhbGVydEByZWRoYXQuY29tMIIB
|
||||||
|
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkB+Ee42865cmgm2Iq4rJjGhw
|
||||||
|
+d9LB7I3gwsCyGdoMJ7j8PCZSrhZV8ZB9jiL/mZMSek3N5IumAEeWxRQ5qiNJQ31
|
||||||
|
huarMMtAFuqNixaGcEM38s7Akd9xFI6ZDom2TG0kHozkL08l0LoG+MboGRh2cx2B
|
||||||
|
bajYBc86yHsoyDajFg0pjJmaaNyrwE2Nv1q7K6k5SwSXHPk2u8U6hgSur9SCe+Cr
|
||||||
|
3kkFaPz2rmgabJBNVxk8ZGYD9sdSm/eUz5NqoWjJqs+Za7yqXgjnORz3+A+6Bn7x
|
||||||
|
y+h23f4i2q06Xls06rPJ4E0EKX64YLkF77XZF1hWFmC5MDLwNkrD8nmNEkBw8wID
|
||||||
|
AQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVy
|
||||||
|
YXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUPOlg4/8ZoQp7o0L0jUIutNWccuww
|
||||||
|
HwYDVR0jBBgwFoAUPOlg4/8ZoQp7o0L0jUIutNWccuwwDQYJKoZIhvcNAQELBQAD
|
||||||
|
ggEBAFxNkoi0gl8drYsR7N8GpnqlK583VQyNbgUArbcMQYlpz9ZlBptReNKtx7+c
|
||||||
|
3AVzf+ceORO06rYwfUB1q5xDC9+wwhu/MOD0/sDbYiGY9sWv3jtPSQrmHvmGsD8N
|
||||||
|
1tRGN9tUdF7/EcJgxnBYxRxv7LLYbm/DvDOHOKTzRGScNDsolCZ4J58WF+g7aQol
|
||||||
|
qXM2fp43XOzoP9uR+RKzPc7n3RXDrowFIGGbld6br/qxXBzll+fDNBGF9YonJqRw
|
||||||
|
NuwM9oM9kPc28/nzFdSQYr5TtK/TSa/v9HPoe3bkRCo3uoGkmQw6MSRxoOTktxrL
|
||||||
|
R+SqIs/vdWGA40O3SFdzET14m2k=
|
||||||
|
-----END CERTIFICATE-----
|
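Review bot: This Secure Boot certificate is now tracked in git instead of being fetched from the lookaside cache — the same commit drops its SHA-1 entry from .edk2.metadata and its path from .gitignore — so its integrity now rests on repository history rather than on a recorded digest. The base64 appears to decode to a self-signed certificate (the subject and authority key identifier extensions carry the same value) with CN "Red Hat Secure Boot (PK/KEK key 1)" and a validity window of roughly 2014-10-31 to 2037-10-25; I have not confirmed any of this out of band. Before relying on a build from this tree, verify the in-tree file against Red Hat's published PK/KEK 1 certificate, e.g. `openssl x509 -in SOURCES/RedHatSecureBootPkKek1.pem -noout -subject -dates -fingerprint -sha256`, and consider recording the expected fingerprint in a comment next to wherever the spec consumes this file, since any later edit to these 22 lines silently changes the key the firmware presumably enrols.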
@ -0,0 +1,109 @@
|
|||||||
|
From bb0f29580825e60a5dc5c67e260dd20258eb71b0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jon Maloy <jmaloy@redhat.com>
|
||||||
|
Date: Wed, 29 Mar 2023 11:52:52 -0400
|
||||||
|
Subject: [PATCH] SecurityPkg/DxeImageVerificationLib: Check result of
|
||||||
|
GetEfiGlobalVariable2
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
RH-Author: Jon Maloy <jmaloy@redhat.com>
|
||||||
|
RH-MergeRequest: 22: SecurityPkg/DxeImageVerificationLib: Check result of GetEfiGlobalVariable2
|
||||||
|
RH-Bugzilla: 1861743
|
||||||
|
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||||
|
RH-Commit: [1/1] 70e1ae5e2c7c148fc23160acdd360c044df5f4ff
|
||||||
|
|
||||||
|
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1861743
|
||||||
|
Upstream: Merged
|
||||||
|
CVE: CVE-2019-14560
|
||||||
|
|
||||||
|
commit 494127613b36e870250649b02cd4ce5f1969d9bd
|
||||||
|
Author: Gerd Hoffmann <kraxel@redhat.com>
|
||||||
|
Date: Fri Mar 3 18:35:53 2023 +0800
|
||||||
|
|
||||||
|
SecurityPkg/DxeImageVerificationLib: Check result of GetEfiGlobalVariable2
|
||||||
|
|
||||||
|
Call gRT->GetVariable() directly to read the SecureBoot variable. It is
|
||||||
|
one byte in size so we can easily place it on the stack instead of
|
||||||
|
having GetEfiGlobalVariable2() allocate it for us, which avoids a few
|
||||||
|
possible error cases.
|
||||||
|
|
||||||
|
Skip secure boot checks if (and only if):
|
||||||
|
|
||||||
|
(a) the SecureBoot variable is not present (EFI_NOT_FOUND) according to
|
||||||
|
the return value, or
|
||||||
|
(b) the SecureBoot variable was read successfully and is set to
|
||||||
|
SECURE_BOOT_MODE_DISABLE.
|
||||||
|
|
||||||
|
Previously the code skipped the secure boot checks on *any*
|
||||||
|
gRT->GetVariable() error (GetEfiGlobalVariable2 sets the variable
|
||||||
|
value to NULL in that case) and also on memory allocation failures.
|
||||||
|
|
||||||
|
Fixes: CVE-2019-14560
|
||||||
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||||
|
Suggested-by: Marvin Häuser <mhaeuser@posteo.de>
|
||||||
|
Reviewed-by: Min Xu <min.m.xu@intel.com>
|
||||||
|
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
|
||||||
|
|
||||||
|
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
|
||||||
|
---
|
||||||
|
.../DxeImageVerificationLib.c | 18 ++++++++++++------
|
||||||
|
1 file changed, 12 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||||
|
index c48861cd64..1252927664 100644
|
||||||
|
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||||
|
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
|
||||||
|
@@ -1650,7 +1650,8 @@ DxeImageVerificationHandler (
|
||||||
|
EFI_IMAGE_EXECUTION_ACTION Action;
|
||||||
|
WIN_CERTIFICATE *WinCertificate;
|
||||||
|
UINT32 Policy;
|
||||||
|
- UINT8 *SecureBoot;
|
||||||
|
+ UINT8 SecureBoot;
|
||||||
|
+ UINTN SecureBootSize;
|
||||||
|
PE_COFF_LOADER_IMAGE_CONTEXT ImageContext;
|
||||||
|
UINT32 NumberOfRvaAndSizes;
|
||||||
|
WIN_CERTIFICATE_EFI_PKCS *PkcsCertData;
|
||||||
|
@@ -1665,6 +1666,8 @@ DxeImageVerificationHandler (
|
||||||
|
RETURN_STATUS PeCoffStatus;
|
||||||
|
EFI_STATUS HashStatus;
|
||||||
|
EFI_STATUS DbStatus;
|
||||||
|
+ EFI_STATUS VarStatus;
|
||||||
|
+ UINT32 VarAttr;
|
||||||
|
BOOLEAN IsFound;
|
||||||
|
|
||||||
|
SignatureList = NULL;
|
||||||
|
@@ -1720,22 +1723,25 @@ DxeImageVerificationHandler (
|
||||||
|
CpuDeadLoop ();
|
||||||
|
}
|
||||||
|
|
||||||
|
- GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID**)&SecureBoot, NULL);
|
||||||
|
+ SecureBootSize = sizeof (SecureBoot);
|
||||||
|
+ VarStatus = gRT->GetVariable (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid, &VarAttr, &SecureBootSize, &SecureBoot);
|
||||||
|
//
|
||||||
|
// Skip verification if SecureBoot variable doesn't exist.
|
||||||
|
//
|
||||||
|
- if (SecureBoot == NULL) {
|
||||||
|
+ if (VarStatus == EFI_NOT_FOUND) {
|
||||||
|
return EFI_SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
|
//
|
||||||
|
// Skip verification if SecureBoot is disabled but not AuditMode
|
||||||
|
//
|
||||||
|
- if (*SecureBoot == SECURE_BOOT_MODE_DISABLE) {
|
||||||
|
- FreePool (SecureBoot);
|
||||||
|
+ if ((VarStatus == EFI_SUCCESS) &&
|
||||||
|
+ (VarAttr == (EFI_VARIABLE_BOOTSERVICE_ACCESS |
|
||||||
|
+ EFI_VARIABLE_RUNTIME_ACCESS)) &&
|
||||||
|
+ (SecureBoot == SECURE_BOOT_MODE_DISABLE))
|
||||||
|
+ {
|
||||||
|
return EFI_SUCCESS;
|
||||||
|
}
|
||||||
|
- FreePool (SecureBoot);
|
||||||
|
|
||||||
|
//
|
||||||
|
// Read the Dos header.
|
||||||
|
--
|
||||||
|
2.39.1
|
||||||
|
|
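Review bot: The new attribute test `VarAttr == (EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS)` in the second `if` has no comment, and neither the commit message nor the retained "Skip verification if SecureBoot is disabled" comment says why an exact match is required, so a later maintainer could plausibly weaken it to a bitmask check. Suggest a comment directly above that `if`: `// Honour SecureBoot == DISABLE only when the variable carries exactly the BS+RT attributes; a variable stored with any other attribute set (e.g. one including EFI_VARIABLE_NON_VOLATILE) is not trusted and verification proceeds.` It would also help to state there that every status other than EFI_NOT_FOUND and EFI_SUCCESS — including EFI_BUFFER_TOO_SMALL when the variable is not exactly one byte — now falls through to full image verification, since that fail-closed behaviour is the substance of the CVE-2019-14560 fix and is currently only implicit in the control flow. DxeImageVerificationHandler begins and ends outside this hunk.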
@ -0,0 +1,49 @@
|
|||||||
|
From c32f4994552ea5835cf00ce06f2f7d88c71249e5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||||
|
Date: Tue, 28 Feb 2023 15:47:00 +0100
|
||||||
|
Subject: [PATCH] UefiCpuPkg/MpInitLib: fix apic mode for cpu hotplug
|
||||||
|
|
||||||
|
RH-Author: Miroslav Rezanina <mrezanin@redhat.com>
|
||||||
|
RH-MergeRequest: 29: UefiCpuPkg/MpInitLib: fix apic mode for cpu hotplug
|
||||||
|
RH-Bugzilla: 2150267
|
||||||
|
RH-Acked-by: Oliver Steffen <osteffen@redhat.com>
|
||||||
|
RH-Acked-by: Jon Maloy <jmaloy@redhat.com>
|
||||||
|
RH-Commit: [1/1] e7e332ac0e6edf207b1b9692f2e1aed4a1fe7c0c
|
||||||
|
|
||||||
|
In case the number of CPUs can in increase beyond 255
|
||||||
|
due to CPU hotplug choose x2apic mode.
|
||||||
|
|
||||||
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||||
|
---
|
||||||
|
UefiCpuPkg/Library/MpInitLib/MpLib.c | 8 +++++++-
|
||||||
|
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.c b/UefiCpuPkg/Library/MpInitLib/MpLib.c
|
||||||
|
index b9a06747ed..177d15ab5b 100644
|
||||||
|
--- a/UefiCpuPkg/Library/MpInitLib/MpLib.c
|
||||||
|
+++ b/UefiCpuPkg/Library/MpInitLib/MpLib.c
|
||||||
|
@@ -495,7 +495,9 @@ CollectProcessorCount (
|
||||||
|
//
|
||||||
|
// Enable x2APIC mode if
|
||||||
|
// 1. Number of CPU is greater than 255; or
|
||||||
|
- // 2. There are any logical processors reporting an Initial APIC ID of 255 or greater.
|
||||||
|
+ // 2. The platform exposed the exact *boot* CPU count to us in advance, and
|
||||||
|
+ // more than 255 logical processors are possible later, with hotplug; or
|
||||||
|
+ // 3. There are any logical processors reporting an Initial APIC ID of 255 or greater.
|
||||||
|
//
|
||||||
|
X2Apic = FALSE;
|
||||||
|
if (CpuMpData->CpuCount > 255) {
|
||||||
|
@@ -503,6 +505,10 @@ CollectProcessorCount (
|
||||||
|
// If there are more than 255 processor found, force to enable X2APIC
|
||||||
|
//
|
||||||
|
X2Apic = TRUE;
|
||||||
|
+ } else if ((PcdGet32 (PcdCpuBootLogicalProcessorNumber) > 0) &&
|
||||||
|
+ (PcdGet32 (PcdCpuMaxLogicalProcessorNumber) > 255))
|
||||||
|
+ {
|
||||||
|
+ X2Apic = TRUE;
|
||||||
|
} else {
|
||||||
|
CpuInfoInHob = (CPU_INFO_IN_HOB *) (UINTN) CpuMpData->CpuInfoInHob;
|
||||||
|
for (Index = 0; Index < CpuMpData->CpuCount; Index++) {
|
||||||
|
--
|
||||||
|
2.37.3
|
||||||
|
|
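Review bot: The new `else if` uses `PcdGet32 (PcdCpuBootLogicalProcessorNumber) > 0` as the "platform exposed the exact boot CPU count" signal described in the rewritten comment, but nothing in the hunk says that zero is the "not provided" sentinel, so the first half of the condition reads like an unrelated sanity check. Suggest making comment item 2 match the code, e.g. `// 2. PcdCpuBootLogicalProcessorNumber is non-zero (the platform told us the exact boot CPU count) and PcdCpuMaxLogicalProcessorNumber, the ceiling reachable via hotplug, exceeds 255; or`. Taking this branch also bypasses the Initial-APIC-ID scan in the `else` arm; that is fine because x2APIC is already forced, but a one-line comment saying so would save the next reader the question. CollectProcessorCount begins and ends outside this hunk.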
@ -18,6 +18,7 @@
|
|||||||
{
|
{
|
||||||
"architecture": "x86_64",
|
"architecture": "x86_64",
|
||||||
"machines": [
|
"machines": [
|
||||||
|
"pc-q35-rhel8.6.0",
|
||||||
"pc-q35-rhel8.5.0"
|
"pc-q35-rhel8.5.0"
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
@ -7,7 +7,7 @@ ExclusiveArch: x86_64 aarch64
|
|||||||
|
|
||||||
Name: edk2
|
Name: edk2
|
||||||
Version: %{GITDATE}git%{GITCOMMIT}
|
Version: %{GITDATE}git%{GITCOMMIT}
|
||||||
Release: 4%{?dist}
|
Release: 7%{?dist}
|
||||||
Summary: UEFI firmware for 64-bit virtual machines
|
Summary: UEFI firmware for 64-bit virtual machines
|
||||||
Group: Applications/Emulators
|
Group: Applications/Emulators
|
||||||
License: BSD-2-Clause-Patent and OpenSSL and MIT
|
License: BSD-2-Clause-Patent and OpenSSL and MIT
|
||||||
@ -56,6 +56,10 @@ Patch27: edk2-OvmfPkg-AmdSev-SecretPei-Mark-SEV-launch-secret-area.patch
|
|||||||
# For bz#2164558 - CVE-2023-0215 edk2: openssl: use-after-free following BIO_new_NDEF [rhel-8]
|
# For bz#2164558 - CVE-2023-0215 edk2: openssl: use-after-free following BIO_new_NDEF [rhel-8]
|
||||||
# For bz#2164581 - CVE-2022-4450 edk2: openssl: double free after calling PEM_read_bio_ex [rhel-8]
|
# For bz#2164581 - CVE-2022-4450 edk2: openssl: double free after calling PEM_read_bio_ex [rhel-8]
|
||||||
Patch28: edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch
|
Patch28: edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch
|
||||||
|
# For bz#1861743 - CVE-2019-14560 edk2: Function GetEfiGlobalVariable2() return value not checked in DxeImageVerificationHandler() [rhel-8]
|
||||||
|
Patch29: edk2-SecurityPkg-DxeImageVerificationLib-Check-result-of-.patch
|
||||||
|
# For bz#2150267 - ovmf must consider max cpu count not boot cpu count for apic mode [rhel-8]
|
||||||
|
Patch30: edk2-UefiCpuPkg-MpInitLib-fix-apic-mode-for-cpu-hotplug.patch
|
||||||
|
|
||||||
|
|
||||||
# python3-devel and libuuid-devel are required for building tools.
|
# python3-devel and libuuid-devel are required for building tools.
|
||||||
@ -500,6 +504,21 @@ true
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Nov 22 2023 Miroslav Rezanina <mrezanin@redhat.com> - 20220126gitbb1bba3d77-7
|
||||||
|
- edk2-add-8.6-machine-type-to-edk2-ovmf-cc.json.patch [RHEL-12626]
|
||||||
|
- Resolves: RHEL-12626
|
||||||
|
(Missing firmware descriptor with secureboot disabled in RHEL 8)
|
||||||
|
|
||||||
|
* Fri Aug 04 2023 Jon Maloy <jmaloy@redhat.com> - 20220126gitbb1bba3d77-6
|
||||||
|
- edk2-UefiCpuPkg-MpInitLib-fix-apic-mode-for-cpu-hotplug.patch [bz#2150267]
|
||||||
|
- Resolves: bz#2150267
|
||||||
|
(ovmf must consider max cpu count not boot cpu count for apic mode [rhel-8])
|
||||||
|
|
||||||
|
* Thu Apr 06 2023 Miroslav Rezanina <mrezanin@redhat.com> - 20220126gitbb1bba3d77-5
|
||||||
|
- edk2-SecurityPkg-DxeImageVerificationLib-Check-result-of-.patch [bz#1861743]
|
||||||
|
- Resolves: bz#1861743
|
||||||
|
(CVE-2019-14560 edk2: Function GetEfiGlobalVariable2() return value not checked in DxeImageVerificationHandler() [rhel-8])
|
||||||
|
|
||||||
* Wed Feb 15 2023 Jon Maloy <jmaloy@redhat.com> - 20220126gitbb1bba3d77-4
|
* Wed Feb 15 2023 Jon Maloy <jmaloy@redhat.com> - 20220126gitbb1bba3d77-4
|
||||||
- edk2-openssl-update.patch [bz#2164531 bz#2164543 bz#2164558 bz#2164581]
|
- edk2-openssl-update.patch [bz#2164531 bz#2164543 bz#2164558 bz#2164581]
|
||||||
- edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch [bz#2164531 bz#2164543 bz#2164558 bz#2164581]
|
- edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch [bz#2164531 bz#2164543 bz#2164558 bz#2164581]
|
||||||
|
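Review bot: The -7 changelog entry at the top of the %changelog hunk credits `edk2-add-8.6-machine-type-to-edk2-ovmf-cc.json.patch` for RHEL-12626, but the Patch list hunk in this commit adds only `Patch29:` and `Patch30:`, and the "pc-q35-rhel8.6.0" change appears elsewhere in this commit as a direct edit to the JSON file rather than as a patch. Unless a hunk not shown here adds it, the patch named in the changelog does not exist in the build; either add a `Patch31:` line with a `# For RHEL-12626 - ...` comment in the style of its neighbours, or reword the changelog line to say the descriptor was edited in place. The Patch29 comment correctly pairs CVE-2019-14560 with bz#1861743, matching the headers of the patch file added in this commit.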