import CS edk2-20220126gitbb1bba3d77-7.el8

This commit is contained in:
eabdullin 2024-01-15 08:05:28 +00:00
parent 2e1d5e2456
commit df6c232fe4
7 changed files with 201 additions and 3 deletions

View File

@ -1,3 +1,2 @@
fdcb04021414cdd5a7e286058ca36aca359d323d SOURCES/RedHatSecureBootPkKek1.pem
ae830c7278f985cb25e90f4687b46c8b22316bef SOURCES/edk2-bb1bba3d77.tar.xz ae830c7278f985cb25e90f4687b46c8b22316bef SOURCES/edk2-bb1bba3d77.tar.xz
df2e14a45d968b590194d82736fcbfe2be10d1b0 SOURCES/openssl-rhel-d00c3c5b8a9d6d3ea3dabfcafdf36afd61ba8bcc.tar.xz df2e14a45d968b590194d82736fcbfe2be10d1b0 SOURCES/openssl-rhel-d00c3c5b8a9d6d3ea3dabfcafdf36afd61ba8bcc.tar.xz

1
.gitignore vendored
View File

@ -1,3 +1,2 @@
SOURCES/RedHatSecureBootPkKek1.pem
SOURCES/edk2-bb1bba3d77.tar.xz SOURCES/edk2-bb1bba3d77.tar.xz
SOURCES/openssl-rhel-d00c3c5b8a9d6d3ea3dabfcafdf36afd61ba8bcc.tar.xz SOURCES/openssl-rhel-d00c3c5b8a9d6d3ea3dabfcafdf36afd61ba8bcc.tar.xz

View File

@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----
MIIDoDCCAoigAwIBAgIJAP71iOjzlsDxMA0GCSqGSIb3DQEBCwUAMFExKzApBgNV
BAMTIlJlZCBIYXQgU2VjdXJlIEJvb3QgKFBLL0tFSyBrZXkgMSkxIjAgBgkqhkiG
9w0BCQEWE3NlY2FsZXJ0QHJlZGhhdC5jb20wHhcNMTQxMDMxMTExNTM3WhcNMzcx
MDI1MTExNTM3WjBRMSswKQYDVQQDEyJSZWQgSGF0IFNlY3VyZSBCb290IChQSy9L
RUsga2V5IDEpMSIwIAYJKoZIhvcNAQkBFhNzZWNhbGVydEByZWRoYXQuY29tMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkB+Ee42865cmgm2Iq4rJjGhw
+d9LB7I3gwsCyGdoMJ7j8PCZSrhZV8ZB9jiL/mZMSek3N5IumAEeWxRQ5qiNJQ31
huarMMtAFuqNixaGcEM38s7Akd9xFI6ZDom2TG0kHozkL08l0LoG+MboGRh2cx2B
bajYBc86yHsoyDajFg0pjJmaaNyrwE2Nv1q7K6k5SwSXHPk2u8U6hgSur9SCe+Cr
3kkFaPz2rmgabJBNVxk8ZGYD9sdSm/eUz5NqoWjJqs+Za7yqXgjnORz3+A+6Bn7x
y+h23f4i2q06Xls06rPJ4E0EKX64YLkF77XZF1hWFmC5MDLwNkrD8nmNEkBw8wID
AQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVy
YXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUPOlg4/8ZoQp7o0L0jUIutNWccuww
HwYDVR0jBBgwFoAUPOlg4/8ZoQp7o0L0jUIutNWccuwwDQYJKoZIhvcNAQELBQAD
ggEBAFxNkoi0gl8drYsR7N8GpnqlK583VQyNbgUArbcMQYlpz9ZlBptReNKtx7+c
3AVzf+ceORO06rYwfUB1q5xDC9+wwhu/MOD0/sDbYiGY9sWv3jtPSQrmHvmGsD8N
1tRGN9tUdF7/EcJgxnBYxRxv7LLYbm/DvDOHOKTzRGScNDsolCZ4J58WF+g7aQol
qXM2fp43XOzoP9uR+RKzPc7n3RXDrowFIGGbld6br/qxXBzll+fDNBGF9YonJqRw
NuwM9oM9kPc28/nzFdSQYr5TtK/TSa/v9HPoe3bkRCo3uoGkmQw6MSRxoOTktxrL
R+SqIs/vdWGA40O3SFdzET14m2k=
-----END CERTIFICATE-----

View File

@ -0,0 +1,109 @@
From bb0f29580825e60a5dc5c67e260dd20258eb71b0 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 29 Mar 2023 11:52:52 -0400
Subject: [PATCH] SecurityPkg/DxeImageVerificationLib: Check result of
GetEfiGlobalVariable2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 22: SecurityPkg/DxeImageVerificationLib: Check result of GetEfiGlobalVariable2
RH-Bugzilla: 1861743
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
RH-Commit: [1/1] 70e1ae5e2c7c148fc23160acdd360c044df5f4ff
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1861743
Upstream: Merged
CVE: CVE-2019-14560
commit 494127613b36e870250649b02cd4ce5f1969d9bd
Author: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri Mar 3 18:35:53 2023 +0800
SecurityPkg/DxeImageVerificationLib: Check result of GetEfiGlobalVariable2
Call gRT->GetVariable() directly to read the SecureBoot variable. It is
one byte in size so we can easily place it on the stack instead of
having GetEfiGlobalVariable2() allocate it for us, which avoids a few
possible error cases.
Skip secure boot checks if (and only if):
(a) the SecureBoot variable is not present (EFI_NOT_FOUND) according to
the return value, or
(b) the SecureBoot variable was read successfully and is set to
SECURE_BOOT_MODE_DISABLE.
Previously the code skipped the secure boot checks on *any*
gRT->GetVariable() error (GetEfiGlobalVariable2 sets the variable
value to NULL in that case) and also on memory allocation failures.
Fixes: CVE-2019-14560
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Suggested-by: Marvin Häuser <mhaeuser@posteo.de>
Reviewed-by: Min Xu <min.m.xu@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
.../DxeImageVerificationLib.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
index c48861cd64..1252927664 100644
--- a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
+++ b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.c
@@ -1650,7 +1650,8 @@ DxeImageVerificationHandler (
EFI_IMAGE_EXECUTION_ACTION Action;
WIN_CERTIFICATE *WinCertificate;
UINT32 Policy;
- UINT8 *SecureBoot;
+ UINT8 SecureBoot;
+ UINTN SecureBootSize;
PE_COFF_LOADER_IMAGE_CONTEXT ImageContext;
UINT32 NumberOfRvaAndSizes;
WIN_CERTIFICATE_EFI_PKCS *PkcsCertData;
@@ -1665,6 +1666,8 @@ DxeImageVerificationHandler (
RETURN_STATUS PeCoffStatus;
EFI_STATUS HashStatus;
EFI_STATUS DbStatus;
+ EFI_STATUS VarStatus;
+ UINT32 VarAttr;
BOOLEAN IsFound;
SignatureList = NULL;
@@ -1720,22 +1723,25 @@ DxeImageVerificationHandler (
CpuDeadLoop ();
}
- GetEfiGlobalVariable2 (EFI_SECURE_BOOT_MODE_NAME, (VOID**)&SecureBoot, NULL);
+ SecureBootSize = sizeof (SecureBoot);
+ VarStatus = gRT->GetVariable (EFI_SECURE_BOOT_MODE_NAME, &gEfiGlobalVariableGuid, &VarAttr, &SecureBootSize, &SecureBoot);
//
// Skip verification if SecureBoot variable doesn't exist.
//
- if (SecureBoot == NULL) {
+ if (VarStatus == EFI_NOT_FOUND) {
return EFI_SUCCESS;
}
//
// Skip verification if SecureBoot is disabled but not AuditMode
//
- if (*SecureBoot == SECURE_BOOT_MODE_DISABLE) {
- FreePool (SecureBoot);
+ if ((VarStatus == EFI_SUCCESS) &&
+ (VarAttr == (EFI_VARIABLE_BOOTSERVICE_ACCESS |
+ EFI_VARIABLE_RUNTIME_ACCESS)) &&
+ (SecureBoot == SECURE_BOOT_MODE_DISABLE))
+ {
return EFI_SUCCESS;
}
- FreePool (SecureBoot);
//
// Read the Dos header.
--
2.39.1

View File

@ -0,0 +1,49 @@
From c32f4994552ea5835cf00ce06f2f7d88c71249e5 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 28 Feb 2023 15:47:00 +0100
Subject: [PATCH] UefiCpuPkg/MpInitLib: fix apic mode for cpu hotplug
RH-Author: Miroslav Rezanina <mrezanin@redhat.com>
RH-MergeRequest: 29: UefiCpuPkg/MpInitLib: fix apic mode for cpu hotplug
RH-Bugzilla: 2150267
RH-Acked-by: Oliver Steffen <osteffen@redhat.com>
RH-Acked-by: Jon Maloy <jmaloy@redhat.com>
RH-Commit: [1/1] e7e332ac0e6edf207b1b9692f2e1aed4a1fe7c0c
In case the number of CPUs can in increase beyond 255
due to CPU hotplug choose x2apic mode.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
UefiCpuPkg/Library/MpInitLib/MpLib.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/UefiCpuPkg/Library/MpInitLib/MpLib.c b/UefiCpuPkg/Library/MpInitLib/MpLib.c
index b9a06747ed..177d15ab5b 100644
--- a/UefiCpuPkg/Library/MpInitLib/MpLib.c
+++ b/UefiCpuPkg/Library/MpInitLib/MpLib.c
@@ -495,7 +495,9 @@ CollectProcessorCount (
//
// Enable x2APIC mode if
// 1. Number of CPU is greater than 255; or
- // 2. There are any logical processors reporting an Initial APIC ID of 255 or greater.
+ // 2. The platform exposed the exact *boot* CPU count to us in advance, and
+ // more than 255 logical processors are possible later, with hotplug; or
+ // 3. There are any logical processors reporting an Initial APIC ID of 255 or greater.
//
X2Apic = FALSE;
if (CpuMpData->CpuCount > 255) {
@@ -503,6 +505,10 @@ CollectProcessorCount (
// If there are more than 255 processor found, force to enable X2APIC
//
X2Apic = TRUE;
+ } else if ((PcdGet32 (PcdCpuBootLogicalProcessorNumber) > 0) &&
+ (PcdGet32 (PcdCpuMaxLogicalProcessorNumber) > 255))
+ {
+ X2Apic = TRUE;
} else {
CpuInfoInHob = (CPU_INFO_IN_HOB *) (UINTN) CpuMpData->CpuInfoInHob;
for (Index = 0; Index < CpuMpData->CpuCount; Index++) {
--
2.37.3

View File

@ -18,6 +18,7 @@
{ {
"architecture": "x86_64", "architecture": "x86_64",
"machines": [ "machines": [
"pc-q35-rhel8.6.0",
"pc-q35-rhel8.5.0" "pc-q35-rhel8.5.0"
] ]
} }

View File

@ -7,7 +7,7 @@ ExclusiveArch: x86_64 aarch64
Name: edk2 Name: edk2
Version: %{GITDATE}git%{GITCOMMIT} Version: %{GITDATE}git%{GITCOMMIT}
Release: 4%{?dist} Release: 7%{?dist}
Summary: UEFI firmware for 64-bit virtual machines Summary: UEFI firmware for 64-bit virtual machines
Group: Applications/Emulators Group: Applications/Emulators
License: BSD-2-Clause-Patent and OpenSSL and MIT License: BSD-2-Clause-Patent and OpenSSL and MIT
@ -56,6 +56,10 @@ Patch27: edk2-OvmfPkg-AmdSev-SecretPei-Mark-SEV-launch-secret-area.patch
# For bz#2164558 - CVE-2023-0215 edk2: openssl: use-after-free following BIO_new_NDEF [rhel-8] # For bz#2164558 - CVE-2023-0215 edk2: openssl: use-after-free following BIO_new_NDEF [rhel-8]
# For bz#2164581 - CVE-2022-4450 edk2: openssl: double free after calling PEM_read_bio_ex [rhel-8] # For bz#2164581 - CVE-2022-4450 edk2: openssl: double free after calling PEM_read_bio_ex [rhel-8]
Patch28: edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch Patch28: edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch
# For bz#1861743 - CVE-2019-14560 edk2: Function GetEfiGlobalVariable2() return value not checked in DxeImageVerificationHandler() [rhel-8]
Patch29: edk2-SecurityPkg-DxeImageVerificationLib-Check-result-of-.patch
# For bz#2150267 - ovmf must consider max cpu count not boot cpu count for apic mode [rhel-8]
Patch30: edk2-UefiCpuPkg-MpInitLib-fix-apic-mode-for-cpu-hotplug.patch
# python3-devel and libuuid-devel are required for building tools. # python3-devel and libuuid-devel are required for building tools.
@ -500,6 +504,21 @@ true
%endif %endif
%changelog %changelog
* Wed Nov 22 2023 Miroslav Rezanina <mrezanin@redhat.com> - 20220126gitbb1bba3d77-7
- edk2-add-8.6-machine-type-to-edk2-ovmf-cc.json.patch [RHEL-12626]
- Resolves: RHEL-12626
(Missing firmware descriptor with secureboot disabled in RHEL 8)
* Fri Aug 04 2023 Jon Maloy <jmaloy@redhat.com> - 20220126gitbb1bba3d77-6
- edk2-UefiCpuPkg-MpInitLib-fix-apic-mode-for-cpu-hotplug.patch [bz#2150267]
- Resolves: bz#2150267
(ovmf must consider max cpu count not boot cpu count for apic mode [rhel-8])
* Thu Apr 06 2023 Miroslav Rezanina <mrezanin@redhat.com> - 20220126gitbb1bba3d77-5
- edk2-SecurityPkg-DxeImageVerificationLib-Check-result-of-.patch [bz#1861743]
- Resolves: bz#1861743
(CVE-2019-14560 edk2: Function GetEfiGlobalVariable2() return value not checked in DxeImageVerificationHandler() [rhel-8])
* Wed Feb 15 2023 Jon Maloy <jmaloy@redhat.com> - 20220126gitbb1bba3d77-4 * Wed Feb 15 2023 Jon Maloy <jmaloy@redhat.com> - 20220126gitbb1bba3d77-4
- edk2-openssl-update.patch [bz#2164531 bz#2164543 bz#2164558 bz#2164581] - edk2-openssl-update.patch [bz#2164531 bz#2164543 bz#2164558 bz#2164581]
- edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch [bz#2164531 bz#2164543 bz#2164558 bz#2164581] - edk2-rh-openssl-add-crypto-bn-rsa_sup_mul.c-to-file-list.patch [bz#2164531 bz#2164543 bz#2164558 bz#2164581]