import fwupd-1.4.2-4.el8

CentOS Sources 2020-11-03 06:44:56 -05:00 committed by Andrew Lukoshko
parent 1554303a7f
commit 0cc62e157a
10 changed files with 332 additions and 395 deletions


@ -1 +1,2 @@
9777016b6b861676e3e88153f7b310e4d985871a SOURCES/fwupd-1.1.4.tar.xz
c152547682cb354b69e4e1a89b53369dd42f3e53 SOURCES/fwupd-1.4.2.tar.xz
6991b6879b438a4672e97c534d10737bc54e6f39 SOURCES/libjcat-0.1.2.tar.xz

3
.gitignore vendored

@ -1 +1,2 @@
SOURCES/fwupd-1.1.4.tar.xz
SOURCES/fwupd-1.4.2.tar.xz
SOURCES/libjcat-0.1.2.tar.xz


@ -1,28 +0,0 @@
From d4a65700c5ed9544b6445213bd5f8a0dbc2cd1e5 Mon Sep 17 00:00:00 2001
From: Richard Hughes <richard@hughsie.com>
Date: Fri, 29 Nov 2019 14:00:39 +0000
Subject: [PATCH] Disable wacomhid by default as probing the device stops the
tablet working
This is fixed properly in fwupd >= 1.2.2 but add this workaround here for
stable distros that cannot rebase to a newer branch.
---
data/daemon.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/data/daemon.conf b/data/daemon.conf
index 51ab19f4..03965d88 100644
--- a/data/daemon.conf
+++ b/data/daemon.conf
@@ -6,7 +6,7 @@ BlacklistDevices=
# Allow blacklisting specific plugins
# Uses semicolons as delimiter
-BlacklistPlugins=test
+BlacklistPlugins=test;wacomhid
# Maximum archive size that can be loaded in Mb, with 0 for the default
ArchiveSizeMax=0
--
2.23.0


@ -0,0 +1,26 @@
diff --git a/data/remotes.d/lvfs.conf b/data/remotes.d/lvfs.conf
index 1249ef74..f533bf52 100644
--- a/data/remotes.d/lvfs.conf
+++ b/data/remotes.d/lvfs.conf
@@ -1,7 +1,7 @@
[fwupd Remote]
# this remote provides metadata and firmware marked as 'stable' from the LVFS
-Enabled=true
+Enabled=false
Title=Linux Vendor Firmware Service
MetadataURI=https://cdn.fwupd.org/downloads/firmware.xml.gz
ReportURI=https://fwupd.org/lvfs/firmware/report
diff --git a/libfwupd/fwupd-self-test.c b/libfwupd/fwupd-self-test.c
index 679360b0..59660360 100644
--- a/libfwupd/fwupd-self-test.c
+++ b/libfwupd/fwupd-self-test.c
@@ -182,7 +182,7 @@ fwupd_remote_download_func (void)
g_assert_cmpint (fwupd_remote_get_kind (remote), ==, FWUPD_REMOTE_KIND_DOWNLOAD);
g_assert_cmpint (fwupd_remote_get_keyring_kind (remote), ==, FWUPD_KEYRING_KIND_JCAT);
g_assert_cmpint (fwupd_remote_get_priority (remote), ==, 0);
- g_assert (fwupd_remote_get_enabled (remote));
+// g_assert (fwupd_remote_get_enabled (remote));
g_assert (fwupd_remote_get_metadata_uri (remote) != NULL);
g_assert (fwupd_remote_get_metadata_uri_sig (remote) != NULL);
g_assert_cmpstr (fwupd_remote_get_title (remote), ==, "Linux Vendor Firmware Service");
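Review bot: The self-test hunk disables `g_assert (fwupd_remote_get_enabled (remote));` with a `//` comment instead of asserting the new expected state, so the test no longer pins whether the LVFS remote is on or off. If the test loads the patched `lvfs.conf` (inferred; the start of `fwupd_remote_download_func` is outside the hunk), `g_assert_false (fwupd_remote_get_enabled (remote));` would make a later rebase that silently re-enables the remote fail the build. This patch file is also a bare diff with no subject or description, unlike the other patches on this page. A short header saying why the distribution ships the remote disabled, and that stable firmware updates from the LVFS then need an explicit opt-in, would help whoever audits the package.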


@ -1,220 +0,0 @@
commit 58f79c3d235290c4cecccc1d55cbcc2da8e988a6
Author: Richard Hughes <richard@hughsie.com>
Date: Thu Aug 1 09:45:25 2019 +0100
Relax the certificate time checks in the self tests for the legacy certificate
One test verifies a firmware with a signature from the old LVFS which was
hosted on secure-lvfs.rhcloud.com and used the original PKCS-7 key. This key
had a two year validity (expiring today, ohh the naivety...) rather than the
newer fwupd.org key which expires in the year 2058.
For this specific test only, disable the certificate time checks to fix CI.
Fixes https://github.com/hughsie/fwupd/issues/1264
diff --git a/src/fu-engine.c b/src/fu-engine.c
index ac102cfa..1a57b0af 100644
--- a/src/fu-engine.c
+++ b/src/fu-engine.c
@@ -1908,7 +1908,8 @@ fu_engine_get_existing_keyring_result (FuEngine *self,
blob_sig = fu_common_get_contents_bytes (fwupd_remote_get_filename_cache_sig (remote), error);
if (blob_sig == NULL)
return NULL;
- return fu_keyring_verify_data (kr, blob, blob_sig, error);
+ return fu_keyring_verify_data (kr, blob, blob_sig,
+ FU_KEYRING_VERIFY_FLAG_NONE, error);
}
/**
@@ -1991,7 +1992,9 @@ fu_engine_update_metadata (FuEngine *self, const gchar *remote_id,
pki_dir = g_build_filename (sysconfdir, "pki", "fwupd-metadata", NULL);
if (!fu_keyring_add_public_keys (kr, pki_dir, error))
return FALSE;
- kr_result = fu_keyring_verify_data (kr, bytes_raw, bytes_sig, error);
+ kr_result = fu_keyring_verify_data (kr, bytes_raw, bytes_sig,
+ FU_KEYRING_VERIFY_FLAG_NONE,
+ error);
if (kr_result == NULL)
return FALSE;
diff --git a/src/fu-keyring-gpg.c b/src/fu-keyring-gpg.c
index af0bfbe0..a51ab7a4 100644
--- a/src/fu-keyring-gpg.c
+++ b/src/fu-keyring-gpg.c
@@ -231,6 +231,7 @@ static FuKeyringResult *
fu_keyring_gpg_verify_data (FuKeyring *keyring,
GBytes *blob,
GBytes *blob_signature,
+ FuKeyringVerifyFlags flags,
GError **error)
{
FuKeyringGpg *self = FU_KEYRING_GPG (keyring);
diff --git a/src/fu-keyring-pkcs7.c b/src/fu-keyring-pkcs7.c
index d48dc5d0..dc310d37 100644
--- a/src/fu-keyring-pkcs7.c
+++ b/src/fu-keyring-pkcs7.c
@@ -182,6 +182,7 @@ static FuKeyringResult *
fu_keyring_pkcs7_verify_data (FuKeyring *keyring,
GBytes *blob,
GBytes *blob_signature,
+ FuKeyringVerifyFlags flags,
GError **error)
{
FuKeyringPkcs7 *self = FU_KEYRING_PKCS7 (keyring);
@@ -231,6 +232,14 @@ fu_keyring_pkcs7_verify_data (FuKeyring *keyring,
for (gint i = 0; i < count; i++) {
gnutls_pkcs7_signature_info_st info;
gint64 signing_time = 0;
+ gnutls_certificate_verify_flags verify_flags = 0;
+
+ /* use with care */
+ if (flags & FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS) {
+ g_debug ("WARNING: disabling time checks");
+ verify_flags |= GNUTLS_VERIFY_DISABLE_TIME_CHECKS;
+ verify_flags |= GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS;
+ }
/* verify the data against the detached signature */
rc = gnutls_pkcs7_verify (pkcs7, self->tl,
@@ -238,7 +247,7 @@ fu_keyring_pkcs7_verify_data (FuKeyring *keyring,
0, /* vdata_size */
i, /* index */
&datum, /* data */
- 0); /* flags */
+ verify_flags);
if (rc < 0) {
g_set_error (error,
FWUPD_ERROR,
diff --git a/src/fu-keyring-utils.c b/src/fu-keyring-utils.c
index 0c5a7f04..465b4a02 100644
--- a/src/fu-keyring-utils.c
+++ b/src/fu-keyring-utils.c
@@ -167,7 +167,9 @@ fu_keyring_get_release_trust_flags (AsRelease *release,
fu_keyring_get_name (kr));
return FALSE;
}
- kr_result = fu_keyring_verify_data (kr, blob_payload, blob_signature, &error_local);
+ kr_result = fu_keyring_verify_data (kr, blob_payload, blob_signature,
+ FU_KEYRING_VERIFY_FLAG_NONE,
+ &error_local);
if (kr_result == NULL) {
g_warning ("untrusted as failed to verify from %s keyring: %s",
fu_keyring_get_name (kr),
diff --git a/src/fu-keyring.c b/src/fu-keyring.c
index d8a88e8c..9b582563 100644
--- a/src/fu-keyring.c
+++ b/src/fu-keyring.c
@@ -40,13 +40,14 @@ FuKeyringResult *
fu_keyring_verify_data (FuKeyring *keyring,
GBytes *blob,
GBytes *blob_signature,
+ FuKeyringVerifyFlags flags,
GError **error)
{
FuKeyringClass *klass = FU_KEYRING_GET_CLASS (keyring);
g_return_val_if_fail (FU_IS_KEYRING (keyring), NULL);
g_return_val_if_fail (blob != NULL, NULL);
g_return_val_if_fail (blob_signature != NULL, NULL);
- return klass->verify_data (keyring, blob, blob_signature, error);
+ return klass->verify_data (keyring, blob, blob_signature, flags, error);
}
const gchar *
diff --git a/src/fu-keyring.h b/src/fu-keyring.h
index 6e03694c..f097305d 100644
--- a/src/fu-keyring.h
+++ b/src/fu-keyring.h
@@ -17,6 +17,20 @@ G_BEGIN_DECLS
#define FU_TYPE_KEYRING (fu_keyring_get_type ())
G_DECLARE_DERIVABLE_TYPE (FuKeyring, fu_keyring, FU, KEYRING, GObject)
+/**
+ * FuKeyringVerifyFlags:
+ * @FU_KEYRING_VERIFY_FLAG_NONE: No flags set
+ * @FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS: Disable checking of validity periods
+ *
+ * The flags to use when interacting with a keyring
+ **/
+typedef enum {
+ FU_KEYRING_VERIFY_FLAG_NONE = 0,
+ FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS = 1 << 2,
+ /*< private >*/
+ FU_KEYRING_VERIFY_FLAG_LAST
+} FuKeyringVerifyFlags;
+
struct _FuKeyringClass
{
GObjectClass parent_class;
@@ -28,6 +42,7 @@ struct _FuKeyringClass
FuKeyringResult *(*verify_data) (FuKeyring *keyring,
GBytes *payload,
GBytes *payload_signature,
+ FuKeyringVerifyFlags flags,
GError **error);
};
@@ -39,6 +54,7 @@ gboolean fu_keyring_add_public_keys (FuKeyring *keyring,
FuKeyringResult *fu_keyring_verify_data (FuKeyring *keyring,
GBytes *blob,
GBytes *blob_signature,
+ FuKeyringVerifyFlags flags,
GError **error);
const gchar *fu_keyring_get_name (FuKeyring *self);
void fu_keyring_set_name (FuKeyring *self,
diff --git a/src/fu-self-test.c b/src/fu-self-test.c
index 4f359614..98fac714 100644
--- a/src/fu-self-test.c
+++ b/src/fu-self-test.c
@@ -1947,7 +1947,9 @@ fu_keyring_gpg_func (void)
g_assert_no_error (error);
g_assert_nonnull (blob_pass);
blob_sig = g_bytes_new_static (sig_gpgme, strlen (sig_gpgme));
- result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig, &error);
+ result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig,
+ FU_KEYRING_VERIFY_FLAG_NONE,
+ &error);
g_assert_no_error (error);
g_assert_nonnull (result_pass);
g_assert_cmpint (fu_keyring_result_get_timestamp (result_pass), == , 1438072952);
@@ -1960,7 +1962,8 @@ fu_keyring_gpg_func (void)
blob_fail = fu_common_get_contents_bytes (fw_fail, &error);
g_assert_no_error (error);
g_assert_nonnull (blob_fail);
- result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig, &error);
+ result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig,
+ FU_KEYRING_VERIFY_FLAG_NONE, &error);
g_assert_error (error, FWUPD_ERROR, FWUPD_ERROR_SIGNATURE_INVALID);
g_assert_null (result_fail);
g_clear_error (&error);
@@ -2010,7 +2013,9 @@ fu_keyring_pkcs7_func (void)
blob_sig = fu_common_get_contents_bytes (sig_fn, &error);
g_assert_no_error (error);
g_assert_nonnull (blob_sig);
- result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig, &error);
+ result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig,
+ FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS,
+ &error);
g_assert_no_error (error);
g_assert_nonnull (result_pass);
g_assert_cmpint (fu_keyring_result_get_timestamp (result_pass), >= , 1502871248);
@@ -2022,7 +2027,8 @@ fu_keyring_pkcs7_func (void)
blob_sig2 = fu_common_get_contents_bytes (sig_fn2, &error);
g_assert_no_error (error);
g_assert_nonnull (blob_sig2);
- result_fail = fu_keyring_verify_data (keyring, blob_pass, blob_sig2, &error);
+ result_fail = fu_keyring_verify_data (keyring, blob_pass, blob_sig2,
+ FU_KEYRING_VERIFY_FLAG_NONE, &error);
g_assert_error (error, FWUPD_ERROR, FWUPD_ERROR_SIGNATURE_INVALID);
g_assert_null (result_fail);
g_clear_error (&error);
@@ -2033,7 +2039,8 @@ fu_keyring_pkcs7_func (void)
blob_fail = fu_common_get_contents_bytes (fw_fail, &error);
g_assert_no_error (error);
g_assert_nonnull (blob_fail);
- result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig, &error);
+ result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig,
+ FU_KEYRING_VERIFY_FLAG_NONE, &error);
g_assert_error (error, FWUPD_ERROR, FWUPD_ERROR_SIGNATURE_INVALID);
g_assert_null (result_fail);
g_clear_error (&error);


@ -0,0 +1,114 @@
From 839b89f45a38b2373bf5836337a33f450aaab72e Mon Sep 17 00:00:00 2001
From: Richard Hughes <richard@hughsie.com>
Date: Thu, 28 May 2020 10:41:23 +0100
Subject: [PATCH] Validate that gpgme_op_verify_result() returned at least one
signature
If a detached signature is actually a PGP message, gpgme_op_verify() returns
the rather perplexing GPG_ERR_NO_ERROR, and then gpgme_op_verify_result()
builds an empty list.
Explicitly check for no signatures present to avoid returning a JcatResult with
no timestamp and an empty authority.
Many thanks to Justin Steven <justin@justinsteven.com> for the discovery and
coordinated disclosure of this issue. Fixes CVE-2020-10759
---
libjcat/jcat-gpg-engine.c | 7 +++++
libjcat/jcat-self-test.c | 55 +++++++++++++++++++++++++++++++++++++++
2 files changed, 62 insertions(+)
diff --git libjcat/jcat-gpg-engine.c libjcat/jcat-gpg-engine.c
index 0812a62..bd44dba 100644
--- libjcat/jcat-gpg-engine.c
+++ libjcat/jcat-gpg-engine.c
@@ -267,6 +267,13 @@ jcat_gpg_engine_pubkey_verify (JcatEngine *engine,
"no result record from libgpgme");
return NULL;
}
+ if (result->signatures == NULL) {
+ g_set_error_literal (error,
+ G_IO_ERROR,
+ G_IO_ERROR_FAILED,
+ "no signatures from libgpgme");
+ return NULL;
+ }
/* look at each signature */
for (s = result->signatures; s != NULL ; s = s->next ) {
diff --git libjcat/jcat-self-test.c libjcat/jcat-self-test.c
index d79a3a9..fd4295e 100644
--- libjcat/jcat-self-test.c
+++ libjcat/jcat-self-test.c
@@ -393,6 +393,60 @@ jcat_gpg_engine_func (void)
#endif
}
+static void
+jcat_gpg_engine_msg_func (void)
+{
+#ifdef ENABLE_GPG
+ g_autofree gchar *fn = NULL;
+ g_autofree gchar *pki_dir = NULL;
+ g_autoptr(GBytes) data = NULL;
+ g_autoptr(GBytes) data_sig = NULL;
+ g_autoptr(GError) error = NULL;
+ g_autoptr(JcatContext) context = jcat_context_new ();
+ g_autoptr(JcatEngine) engine = NULL;
+ g_autoptr(JcatResult) result = NULL;
+ const gchar *sig =
+ "-----BEGIN PGP MESSAGE-----\n"
+ "owGbwMvMwMEovmZX76/pfOKMp0WSGOLOX3/ikZqTk6+jUJ5flJOiyNXJaMzCwMjB\n"
+ "ICumyCJmt5VRUil28/1+z1cwbaxMID0MXJwCMJG4RxwMLUYXDkUad34I3vrT8+X2\n"
+ "m+ZyHyMWnTiQYaQb/eLJGqbiAJc5Jr4a/PPqHNi7auwzGsKsljebabjtnJRzpDr0\n"
+ "YvwrnmmWLJUnTzjM3MH5Kn+RzqXkywsYdk9yD2OUdLy736CiemFMdcuF02lOZvPU\n"
+ "HaTKl76wW62QH8Lr8yGMQ1Xgc6nC2ZwUhvctky7NOZtc1T477uBTL81p31ZmaIUJ\n"
+ "paS8uWZl8UzX5sFsqQi37G1TbDc8Cm+oU/yRkFj2pLBzw367ncsa4n7EqEWu1yrN\n"
+ "yD39LUeErePdqfKCG+xhL6WkWt5ZJ/6//XnjouXhl5Z4tWspT49MtNp5d3aDQ43c\n"
+ "mnbresn6A7KMZgdOiwIA\n"
+ "=a9ui\n"
+ "-----END PGP MESSAGE-----\n";
+
+ /* set up context */
+ jcat_context_set_keyring_path (context, "/tmp/libjcat-self-test/var");
+ pki_dir = g_test_build_filename (G_TEST_DIST, "pki", NULL);
+ jcat_context_add_public_keys (context, pki_dir);
+
+ /* get engine */
+ engine = jcat_context_get_engine (context, JCAT_BLOB_KIND_GPG, &error);
+ g_assert_no_error (error);
+ g_assert_nonnull (engine);
+ g_assert_cmpint (jcat_engine_get_kind (engine), ==, JCAT_BLOB_KIND_GPG);
+ g_assert_cmpint (jcat_engine_get_verify_kind (engine), ==, JCAT_ENGINE_VERIFY_KIND_SIGNATURE);
+
+ /* verify with GnuPG, which should fail as the signature is not a
+ * detached signature at all, but gnupg stabs us in the back by returning
+ * success from gpgme_op_verify() with an empty list of signatures */
+ fn = g_test_build_filename (G_TEST_DIST, "colorhug", "firmware.bin", NULL);
+ data = jcat_get_contents_bytes (fn, &error);
+ g_assert_no_error (error);
+ g_assert_nonnull (data);
+ data_sig = g_bytes_new_static (sig, strlen (sig));
+ result = jcat_engine_pubkey_verify (engine, data, data_sig,
+ JCAT_VERIFY_FLAG_NONE, &error);
+ g_assert_error (error, G_IO_ERROR, G_IO_ERROR_FAILED);
+ g_assert_null (result);
+#else
+ g_test_skip ("no GnuPG support enabled");
+#endif
+}
+
static void
jcat_pkcs7_engine_func (void)
{
@@ -753,6 +807,7 @@ main (int argc, char **argv)
g_test_add_func ("/jcat/engine{sha1}", jcat_sha1_engine_func);
g_test_add_func ("/jcat/engine{sha256}", jcat_sha256_engine_func);
g_test_add_func ("/jcat/engine{gpg}", jcat_gpg_engine_func);
+ g_test_add_func ("/jcat/engine{gpg-msg}", jcat_gpg_engine_msg_func);
g_test_add_func ("/jcat/engine{pkcs7}", jcat_pkcs7_engine_func);
g_test_add_func ("/jcat/engine{pkcs7-self-signed}", jcat_pkcs7_engine_self_signed_func);
g_test_add_func ("/jcat/context{verify-blob}", jcat_context_verify_blob_func);
--
2.26.2
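Review bot: The regression test `jcat_gpg_engine_msg_func` added for CVE-2020-10759 may never run in this package, because the spec section on this page passes `-Dlibjcat:tests=false` to meson; if that holds, nothing in the RPM build proves the `result->signatures == NULL` guard is present after the patch is applied with `-p0`. Either enable the libjcat tests for the build or note in the spec where the fix is verified. Separately, the test sets the keyring path to the fixed `/tmp/libjcat-self-test/var`; on a shared build host a per-run directory (for example one from `g_dir_make_tmp ()`) avoids reusing a directory another local user could have created. The body of `jcat_gpg_engine_pubkey_verify` continues outside the hunk, so whether the loop checks each listed signature's status cannot be confirmed from here.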


@ -0,0 +1,32 @@
From d7a1eb17bef650f13e7f96430f99294c36a40806 Mon Sep 17 00:00:00 2001
From: Vincent Huang <vincent.huang@tw.synaptics.com>
Date: Tue, 19 May 2020 13:09:28 +0800
Subject: [PATCH] synaptics-prometheus: Force the minor version from 0x02 to
0x01 to make sure the devices can be updated back to 0x01.
---
plugins/synaptics-prometheus/fu-synaprom-device.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git plugins/synaptics-prometheus/fu-synaprom-device.c plugins/synaptics-prometheus/fu-synaprom-device.c
index 5a19203c..299ebde2 100644
--- a/plugins/synaptics-prometheus/fu-synaprom-device.c
+++ b/plugins/synaptics-prometheus/fu-synaprom-device.c
@@ -142,6 +142,14 @@ fu_synaprom_device_set_version (FuSynapromDevice *self,
{
g_autofree gchar *str = NULL;
+ /* We decide to skip 10.02.xxxxxx firmware, so we force the minor version from 0x02
+ ** to 0x01 to make the devices with 0x02 minor version firmware allow to be updated
+ ** back to minor version 0x01. */
+ if (vmajor == 0x0a && vminor == 0x02) {
+ g_debug ("quirking vminor from %02x to 01", vminor);
+ vminor = 0x01;
+ }
+
/* set display version */
str = g_strdup_printf ("%02u.%02u.%u", vmajor, vminor, buildnum);
fu_device_set_version (FU_DEVICE (self), str);
--
2.26.2
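Review bot: This backport appears not to be applied at all: the `%prep` shown in the spec on this page uses `%setup -q` and then calls only `%patch2` and `%patch3`, so `Patch1` would need its own `%patch1 -p1` line (hedged, since the spec section may not be shown in full). In the hunk itself, the quirk in `fu_synaprom_device_set_version` makes the reported version differ from what the device actually runs, which matters to anyone using fwupd output as a firmware inventory; the comment should say so, e.g. `/* reported minor is deliberately 0x01 for devices running 10.02 firmware; the real minor is not exposed */`. The `g_debug` prints `vminor` with `%02x` while the display string below uses `%02u`; using one format for both keeps the log and the version string comparable. The function's signature is only partly visible in the hunk.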


@ -1,29 +0,0 @@
From 48cea11bd5d3d8c7f7423ad9807b1e537bc051c8 Mon Sep 17 00:00:00 2001
From: Richard Hughes <richard@hughsie.com>
Date: Thu, 8 Nov 2018 20:05:12 +0000
Subject: [PATCH] trivial: Relax the timing requirements on the FuDevice poll
test
If the poll source is scheduled just at the right time, we might only get 8x
'10ms ticks' in a 100ms window. This fixes an occasional build failure on
slower hardware and in CI.
---
src/fu-self-test.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/fu-self-test.c b/src/fu-self-test.c
index 3c774b55..edc0088d 100644
--- a/src/fu-self-test.c
+++ b/src/fu-self-test.c
@@ -2806,7 +2806,7 @@ fu_device_poll_func (void)
fu_test_loop_run_with_timeout (100);
fu_test_loop_quit ();
cnt = fu_device_get_metadata_integer (device, "cnt");
- g_assert_cmpint (cnt, >=, 9);
+ g_assert_cmpint (cnt, >=, 8);
/* disable the poll */
fu_device_set_poll_interval (device, 0);
--
2.19.1


@ -1,74 +0,0 @@
From 3cd6171c44ef217acef059c871efc726eb9df062 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 28 Mar 2019 16:20:22 +0800
Subject: [PATCH] uefi: add a new option to specify the os name
fu_uefi_get_esp_path_for_os() generates the path to the OS directory
based on "ID" in /etc/os-release, and it may not work for some distros.
Take openSUSE as an example, the "ID" for openSUSE Leap is
"opensuse-leap" and that for openSUSE Tumbleweed is "opensuse-tumbleweed".
However, both of them use the same OS directory in the ESP, i.e.
"/EFI/opensuse".
This commit adds a new build option, efi_os_dir, to allow the packager to
specify the name of OS directory at build time instead of the runtime
detection.
Signed-off-by: Gary Lin <glin@suse.com>
---
meson_options.txt | 1 +
plugins/uefi/fu-uefi-common.c | 4 ++++
plugins/uefi/meson.build | 5 +++++
3 files changed, 10 insertions(+)
diff --git a/meson_options.txt b/meson_options.txt
index 23ef8cdb..c1767205 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -24,3 +24,4 @@ option('efi-ld', type : 'string', value : 'ld', description : 'the linker to use
option('efi-libdir', type : 'string', description : 'path to the EFI lib directory')
option('efi-ldsdir', type : 'string', description : 'path to the EFI lds directory')
option('efi-includedir', type : 'string', value : '/usr/include/efi', description : 'path to the EFI header directory')
+option('efi_os_dir', type: 'string', description : 'the name of OS directory in ESP')
diff --git a/plugins/uefi/fu-uefi-common.c b/plugins/uefi/fu-uefi-common.c
index 2e3268aa..4d9d03d7 100644
--- a/plugins/uefi/fu-uefi-common.c
+++ b/plugins/uefi/fu-uefi-common.c
@@ -246,6 +246,7 @@ gchar *
fu_uefi_get_esp_path_for_os (const gchar *esp_path)
{
const gchar *os_release_id = NULL;
+#ifndef EFI_OS_DIR
g_autoptr(GError) error_local = NULL;
g_autoptr(GHashTable) os_release = fwupd_get_os_release (&error_local);
if (os_release != NULL) {
@@ -255,6 +256,9 @@ fu_uefi_get_esp_path_for_os (const gchar *esp_path)
}
if (os_release_id == NULL)
os_release_id = "unknown";
+#else
+ os_release_id = EFI_OS_DIR;
+#endif
return g_build_filename (esp_path, "EFI", os_release_id, NULL);
}
diff --git a/plugins/uefi/meson.build b/plugins/uefi/meson.build
index 140418a8..21d4b6c8 100644
--- a/plugins/uefi/meson.build
+++ b/plugins/uefi/meson.build
@@ -3,6 +3,11 @@ subdir('efi')
cargs = ['-DG_LOG_DOMAIN="FuPluginUefi"']
cargs += '-DEFI_APP_LOCATION_BUILD="' + app.full_path() + '"'
+efi_os_dir = get_option('efi_os_dir')
+if efi_os_dir != ''
+ cargs += '-DEFI_OS_DIR="' + efi_os_dir + '"'
+endif
+
shared_module('fu_plugin_uefi',
sources : [
'fu-plugin-uefi.c',
--
2.24.1


@ -1,9 +1,10 @@
%global glib2_version 2.45.8
%global libappstream_version 0.7.4
%global libxmlb_version 0.1.3
%global libgusb_version 0.2.11
%global libsoup_version 2.51.92
%global systemd_version 231
%global json_glib_version 1.1.1
%global __meson_wrap_mode default
%global enable_tests 1
%global enable_dummy 1
@ -23,13 +24,19 @@
%global have_dell 1
%endif
# only available recently
%if 0%{?fedora} >= 30 || 0%{?rhel} >= 8
%global have_modem_manager 1
%endif
Summary: Firmware update daemon
Name: fwupd
Version: 1.1.4
Release: 7%{?dist}
Version: 1.4.2
Release: 4%{?dist}
License: LGPLv2+
URL: https://github.com/hughsie/fwupd
URL: https://github.com/fwupd/fwupd
Source0: http://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz
Source1: http://people.freedesktop.org/~hughsient/releases/libjcat-0.1.2.tar.xz
# these are numbered high just to keep them wildly away from colliding with
# the real package sources, in order to reduce churn.
@ -38,16 +45,14 @@ Source301: redhatsecureboot301.cer
Source500: redhatsecurebootca5.cer
Source503: redhatsecureboot503.cer
# backport from upstream
Patch0: 0001-trivial-Relax-the-timing-requirements-on-the-FuDevic.patch
Patch1: 0001-Relax-the-certificate-time-checks-in-the-self-tests-.patch
Patch2: 0001-Disable-wacomhid-by-default-as-probing-the-device-st.patch
Patch3: 0001-uefi-add-a-new-option-to-specify-the-os-name.patch
Patch1: 0001-synaptics-prometheus-Force-the-minor-version-from-0x.patch
Patch2: 0001-Do-not-use-the-LVFS.patch
Patch3: 0001-Validate-that-gpgme_op_verify_result-returned-at-lea.patch
BuildRequires: efi-srpm-macros
BuildRequires: gettext
BuildRequires: glib2-devel >= %{glib2_version}
BuildRequires: libappstream-glib-devel >= %{libappstream_version}
BuildRequires: libxmlb-devel >= %{libxmlb_version}
BuildRequires: libgcab1-devel
BuildRequires: libgudev1-devel
BuildRequires: libgusb-devel >= %{libgusb_version}
@ -65,7 +70,6 @@ BuildRequires: valgrind-devel
%endif
BuildRequires: elfutils-libelf-devel
BuildRequires: gtk-doc
BuildRequires: libuuid-devel
BuildRequires: gnutls-devel
BuildRequires: gnutls-utils
BuildRequires: meson
@ -74,9 +78,15 @@ BuildRequires: json-glib-devel >= %{json_glib_version}
BuildRequires: vala
BuildRequires: python3-devel
BuildRequires: bash-completion
BuildRequires: git-core
%if 0%{?have_flashrom}
BuildRequires: flashrom-devel >= 1.2-2
%endif
# until rh-signing-tools is fixed
BuildRequires: nss-tools
%if 0%{?have_modem_manager}
BuildRequires: ModemManager-glib-devel >= 1.10.0
BuildRequires: libqmi-devel >= 1.22.0
%endif
%if 0%{?have_redfish}
BuildRequires: efivar-devel >= 33
@ -104,15 +114,17 @@ Requires(preun): systemd
Requires(postun): systemd
Requires: glib2%{?_isa} >= %{glib2_version}
Requires: libappstream-glib%{?_isa} >= %{libappstream_version}
Requires: libxmlb%{?_isa} >= %{libxmlb_version}
Requires: libgusb%{?_isa} >= %{libgusb_version}
Requires: libsoup%{?_isa} >= %{libsoup_version}
Requires: bubblewrap
Requires: shared-mime-info
Obsoletes: fwupd-sign < 0.1.6
Obsoletes: libebitdo < 0.7.5-3
Obsoletes: libdfu < 1.0.0
Obsoletes: fwupd-labels < 1.1.0-1
Obsoletes: fwupdate
%description
fwupd is a daemon to allow session software to update device firmware.
@ -128,24 +140,33 @@ Files for development with %{name}.
%package tests
Summary: Data files for installed tests
BuildArch: noarch
Recommends: python3
%description tests
Data files for installed tests.
%prep
%autosetup -p1
%setup -q
%patch2 -p1 -b .lvfs-disabled
mkdir -p subprojects/libjcat
tar xfvs %{SOURCE1} -C subprojects/libjcat --strip-components=1
# apply patch to subproject
cd subprojects/libjcat
%patch3 -p0 -b .gpgme-parsing
cd -
sed -ri '1s=^#!/usr/bin/(env )?python3=#!%{__python3}=' \
libfwupd/generate-version-script.py \
data/installed-tests/hardware.py \
po/test-deps \
contrib/ci/*.py \
contrib/firmware_packager/*.py \
contrib/*.py \
contrib/standalone-installer/assets/*.py \
contrib/standalone-installer/*.py \
data/device-tests/*.py \
libfwupdplugin/*.py \
plugins/dfu/contrib/*.py \
po/make-images \
contrib/ci/generate_debian.py \
contrib/ci/generate_docker.py \
contrib/firmware-packager/firmware-packager \
plugins/dfu/contrib/parse-avrdude-conf.py
po/test-deps
%build
@ -155,6 +176,10 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
%meson \
-Dgtkdoc=true \
-Defi_os_dir=%{efi_vendor} \
-Dplugin_tpm=false \
-Dlibjcat:gtkdoc=false \
-Dlibjcat:introspection=false \
-Dlibjcat:tests=false \
%if 0%{?enable_tests}
-Dtests=true \
%else
@ -164,6 +189,11 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
-Dplugin_dummy=true \
%else
-Dplugin_dummy=false \
%endif
%if 0%{?have_flashrom}
-Dplugin_flashrom=true \
%else
-Dplugin_flashrom=false \
%endif
-Dplugin_thunderbolt=true \
%if 0%{?have_redfish}
@ -184,6 +214,11 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
%else
-Dplugin_dell=false \
-Dplugin_synaptics=false \
%endif
%if 0%{?have_modem_manager}
-Dplugin_modem_manager=true \
%else
-Dplugin_modem_manager=false \
%endif
-Dman=true
@ -213,77 +248,112 @@ rm -fv %{fwup_efi_fn}.tmp
mkdir -p --mode=0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/fwupd/gnupg
# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1757948
mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/fwupd
%find_lang %{name}
%post
/sbin/ldconfig
%systemd_post fwupd.service
%preun
%systemd_preun fwupd.service
%postun
/sbin/ldconfig
%systemd_postun_with_restart fwupd.service
%systemd_postun_with_restart pesign.service
%files -f %{name}.lang
%doc README.md AUTHORS NEWS
%doc README.md AUTHORS
%license COPYING
%config(noreplace)%{_sysconfdir}/fwupd/ata.conf
%config(noreplace)%{_sysconfdir}/fwupd/daemon.conf
%config(noreplace)%{_sysconfdir}/fwupd/upower.conf
%if 0%{?have_uefi}
%config(noreplace)%{_sysconfdir}/fwupd/uefi.conf
%endif
%if 0%{?have_redfish}
%config(noreplace)%{_sysconfdir}/fwupd/redfish.conf
%endif
%config(noreplace)%{_sysconfdir}/fwupd/thunderbolt.conf
%dir %{_libexecdir}/fwupd
%{_libexecdir}/fwupd/fwupd
%{_libexecdir}/fwupd/fwupdtool
%{_libexecdir}/fwupd/fwupdoffline
%if 0%{?have_uefi}
%{_libexecdir}/fwupd/efi/*.efi
%{_libexecdir}/fwupd/efi/*.efi.signed
%{_libexecdir}/fwupd/fwupdate
%{_bindir}/fwupdate
%endif
%{_bindir}/dfu-tool
%{_bindir}/fwupdmgr
%{_bindir}/fwupdtool
%{_bindir}/fwupdagent
%{_bindir}/jcat-tool
%dir %{_sysconfdir}/fwupd
%dir %{_sysconfdir}/fwupd/remotes.d
%config(noreplace)%{_sysconfdir}/fwupd/remotes.d/fwupd.conf
%if 0%{?have_dell}
%config(noreplace)%{_sysconfdir}/fwupd/remotes.d/dell-esrt.conf
%endif
%config(noreplace)%{_sysconfdir}/fwupd/remotes.d/lvfs.conf
%config(noreplace)%{_sysconfdir}/fwupd/remotes.d/lvfs-testing.conf
%config(noreplace)%{_sysconfdir}/fwupd/remotes.d/vendor.conf
%config(noreplace)%{_sysconfdir}/fwupd/remotes.d/vendor-directory.conf
%config(noreplace)%{_sysconfdir}/pki/fwupd
%{_sysconfdir}/pki/fwupd-metadata
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.fwupd.conf
%{_datadir}/dbus-1/system.d/org.freedesktop.fwupd.conf
%{_datadir}/bash-completion/completions/fwupdmgr
%{_datadir}/bash-completion/completions/fwupdtool
%{_datadir}/bash-completion/completions/fwupdagent
%{_datadir}/fish/vendor_completions.d/fwupdmgr.fish
%{_datadir}/fwupd/metainfo/org.freedesktop.fwupd*.metainfo.xml
%{_datadir}/fwupd/remotes.d/fwupd/metadata.xml
%if 0%{?have_dell}
%{_datadir}/fwupd/remotes.d/dell-esrt/metadata.xml
%endif
%{_datadir}/fwupd/remotes.d/vendor/firmware/README.md
%{_datadir}/dbus-1/interfaces/org.freedesktop.fwupd.xml
%{_datadir}/polkit-1/actions/org.freedesktop.fwupd.policy
%{_datadir}/polkit-1/rules.d/org.freedesktop.fwupd.rules
%{_datadir}/dbus-1/system-services/org.freedesktop.fwupd.service
%{_datadir}/man/man1/fwupdtool.1.gz
%{_datadir}/man/man1/fwupdagent.1.gz
%{_datadir}/man/man1/dfu-tool.1.gz
%{_datadir}/man/man1/fwupdmgr.1.gz
%if 0%{?have_uefi}
%{_datadir}/man/man1/fwupdate.1.gz
%endif
%{_datadir}/man/man1/jcat-tool.1*
%{_datadir}/metainfo/org.freedesktop.fwupd.metainfo.xml
%{_datadir}/fwupd/firmware-packager
%{_datadir}/icons/hicolor/scalable/apps/org.freedesktop.fwupd.svg
%{_datadir}/fwupd/firmware_packager.py
%{_datadir}/fwupd/simple_client.py
%{_datadir}/fwupd/add_capsule_header.py
%{_datadir}/fwupd/install_dell_bios_exe.py
%{_unitdir}/fwupd-offline-update.service
%{_unitdir}/fwupd.service
%{_unitdir}/fwupd-refresh.service
%{_unitdir}/fwupd-refresh.timer
%{_presetdir}/fwupd-refresh.preset
%{_unitdir}/system-update.target.wants/
%dir %{_localstatedir}/lib/fwupd
%dir %{_localstatedir}/cache/fwupd
%dir %{_datadir}/fwupd/quirks.d
%{_datadir}/fwupd/quirks.d/*.quirk
%{_localstatedir}/lib/fwupd/builder/README.md
%{_libdir}/libfwupd*.so.*
%{_libdir}/libjcat.so.*
%{_libdir}/girepository-1.0/Fwupd-2.0.typelib
%{_libdir}/girepository-1.0/FwupdPlugin-1.0.typelib
/usr/lib/udev/rules.d/*.rules
/usr/lib/systemd/system-shutdown/fwupd.shutdown
%dir %{_libdir}/fwupd-plugins-3
%{_libdir}/fwupd-plugins-3/libfu_plugin_altos.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_amt.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_ata.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_ccgx.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_colorhug.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_coreboot.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_csr.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_cpu.so
%if 0%{?have_dell}
%{_libdir}/fwupd-plugins-3/libfu_plugin_dell.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_dell_esrt.so
@ -291,33 +361,53 @@ mkdir -p --mode=0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/fwupd/gnupg
%{_libdir}/fwupd-plugins-3/libfu_plugin_dell_dock.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_dfu.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_ebitdo.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_emmc.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_ep963x.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_fastboot.so
%if 0%{?have_flashrom}
%{_libdir}/fwupd-plugins-3/libfu_plugin_flashrom.so
%endif
%{_libdir}/fwupd-plugins-3/libfu_plugin_fresco_pd.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_jabra.so
%if 0%{?have_modem_manager}
%{_libdir}/fwupd-plugins-3/libfu_plugin_modem_manager.so
%endif
%{_libdir}/fwupd-plugins-3/libfu_plugin_nitrokey.so
%if 0%{?have_uefi}
%{_libdir}/fwupd-plugins-3/libfu_plugin_nvme.so
%endif
%{_libdir}/fwupd-plugins-3/libfu_plugin_optionrom.so
%if 0%{?have_redfish}
%{_libdir}/fwupd-plugins-3/libfu_plugin_redfish.so
%endif
%{_libdir}/fwupd-plugins-3/libfu_plugin_rts54hid.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_rts54hub.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_solokey.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_steelseries.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_superio.so
%if 0%{?have_dell}
%{_libdir}/fwupd-plugins-3/libfu_plugin_synapticsmst.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_synaptics_mst.so
%endif
%{_libdir}/fwupd-plugins-3/libfu_plugin_synaptics_cxaudio.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_synaptics_prometheus.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_synaptics_rmi.so
%if 0%{?enable_dummy}
%{_libdir}/fwupd-plugins-3/libfu_plugin_test.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_invalid.so
%endif
%{_libdir}/fwupd-plugins-3/libfu_plugin_thelio_io.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_thunderbolt.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_thunderbolt_power.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_udev.so
%if 0%{?have_uefi}
%{_libdir}/fwupd-plugins-3/libfu_plugin_uefi.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_uefi_recovery.so
%endif
%{_libdir}/fwupd-plugins-3/libfu_plugin_unifying.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_logind.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_logitech_hidpp.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_upower.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_wacomhid.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_vli.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_wacom_raw.so
%{_libdir}/fwupd-plugins-3/libfu_plugin_wacom_usb.so
%ghost %{_localstatedir}/lib/fwupd/gnupg
%if 0%{?have_uefi}
%{_datadir}/locale/*/LC_IMAGES/fwupd*
@ -325,26 +415,50 @@ mkdir -p --mode=0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/fwupd/gnupg
%files devel
%{_datadir}/gir-1.0/Fwupd-2.0.gir
%{_datadir}/gtk-doc/html/libfwupd
%{_datadir}/gir-1.0/FwupdPlugin-1.0.gir
%{_datadir}/gtk-doc/html/fwupd
%{_datadir}/vala/vapi
%{_includedir}/fwupd-1
%{_includedir}/libjcat-1
%{_libdir}/libfwupd*.so
%{_libdir}/libjcat.so
%{_libdir}/pkgconfig/fwupd.pc
%{_libdir}/pkgconfig/fwupdplugin.pc
%{_libdir}/pkgconfig/jcat.pc
%files tests
%if 0%{?enable_tests}
%dir %{_datadir}/installed-tests/fwupd
%{_datadir}/installed-tests/fwupd/firmware-example.xml.gz
%{_datadir}/installed-tests/fwupd/firmware-example.xml.gz.asc
%{_datadir}/installed-tests/fwupd/fwupd-tests.xml
%{_datadir}/installed-tests/fwupd/*.test
%{_datadir}/installed-tests/fwupd/*.cab
%{_datadir}/installed-tests/fwupd/*.sh
%{_datadir}/installed-tests/fwupd/*.py*
%dir %{_sysconfdir}/fwupd/remotes.d
%config(noreplace)%{_sysconfdir}/fwupd/remotes.d/fwupd-tests.conf
%endif
%changelog
* Mon Jul 27 2020 Peter Jones <pjones@redhat.com> - 1.1.4-7
* Fri Jul 24 2020 Peter Jones <pjones@redhat.com> - 1.4.2-4
- Add signing with redhatsecureboot503 cert
Related: CVE-2020-10713
* Thu Jul 23 2020 Richard Hughes <richard@hughsie.com> 1.4.2-3
- Obsolete the now-dead fwupdate package to prevent file conflicts
- Resolves: #1859202
* Fri Jun 05 2020 Richard Hughes <richard@hughsie.com> 1.4.2-2
- Security fix for CVE-2020-10759
- Resolves: #1844324
* Mon May 18 2020 Richard Hughes <richard@hughsie.com> 1.4.2-1
- New upstream release
- Backport a patch to fix the synaptics fingerprint reader update.
- Resolves: #1775277
* Mon Apr 27 2020 Richard Hughes <richard@hughsie.com> 1.4.1-1
- New upstream release
- Resolves: #1775277
* Wed Feb 19 2020 Richard Hughes <richard@hughsie.com> 1.1.4-6
- Rebuild to get the EFI executable signed with the Red Hat key
- Resolves: #1713033