diff --git a/.fwupd.metadata b/.fwupd.metadata deleted file mode 100644 index 19c69f0..0000000 --- a/.fwupd.metadata +++ /dev/null @@ -1,9 +0,0 @@ -b2620c36bd23ca699567fd4e4add039ee4375247 SOURCES/DBXUpdate-20100307-x64.cab -dfdb1d0d42c1563ca63bd45c7e2ddc48cbfc5023 SOURCES/DBXUpdate-20140413-x64.cab -a5f73c606abb93bf61625e4628d27a2cd460f162 SOURCES/DBXUpdate-20160809-x64.cab -b5b2dc87daca1d3f8081a323290432c141aa405d SOURCES/DBXUpdate-20200729-aa64.cab -3fb407561768a3a2f5fb49d7738b5e0650e70810 SOURCES/DBXUpdate-20200729-ia32.cab -89db93c9d9d20f81791a262e817b99d8882c8bb0 SOURCES/DBXUpdate-20200729-x64.cab -59006fd556faeacc8185075c8fe7826249a2da32 SOURCES/fwupd-1.7.8.tar.xz -1a586c3634ef190e6128351ee60fd17d0e584f7c SOURCES/fwupd-efi-1.3.tar.xz -a62a28924d26cd49b6441170795a237ba33ec192 SOURCES/libjcat-0.1.9.tar.xz diff --git a/.gitignore b/.gitignore index 5b65834..00d15ca 100644 --- a/.gitignore +++ b/.gitignore @@ -4,6 +4,7 @@ SOURCES/DBXUpdate-20160809-x64.cab SOURCES/DBXUpdate-20200729-aa64.cab SOURCES/DBXUpdate-20200729-ia32.cab SOURCES/DBXUpdate-20200729-x64.cab +SOURCES/almalinuxsecurebootca0.cer SOURCES/fwupd-1.7.8.tar.xz SOURCES/fwupd-efi-1.3.tar.xz SOURCES/libjcat-0.1.9.tar.xz diff --git a/SOURCES/0001-Use-usr-libexec-platform-python-for-RHEL.patch b/SOURCES/0001-Use-usr-libexec-platform-python-for-RHEL.patch new file mode 100644 index 0000000..4bc0dc7 --- /dev/null +++ b/SOURCES/0001-Use-usr-libexec-platform-python-for-RHEL.patch @@ -0,0 +1,29 @@ +From 1fc24adecbb62b3cd77ef965c5daf1b72f6c7aa8 Mon Sep 17 00:00:00 2001 +From: Richard Hughes +Date: Tue, 22 Aug 2023 10:05:27 +0100 +Subject: [PATCH] Use /usr/libexec/platform-python for RHEL + +--- + meson.build | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/meson.build b/meson.build +index bb406d616..ac90c8ee6 100644 +--- a/meson.build ++++ b/meson.build +@@ -261,11 +261,7 @@ if libgcab.type_name() == 'pkgconfig' and cc.has_function('gcab_file_set_bytes', + endif + + bashcomp = dependency('bash-completion', required: false) +-if host_machine.system() != 'freebsd' +- python3 = find_program('python3') +-else +- python3 = find_program('python3.8', 'python3', 'python3.9') +-endif ++python3 = find_program('/usr/libexec/platform-python') + + if get_option('gnutls') + gnutls = dependency('gnutls', version : '>= 3.6.0') +-- +2.41.0 + diff --git a/SOURCES/0001-redfish-Set-the-permissions-of-redfish.conf-at-insta.patch b/SOURCES/0001-redfish-Set-the-permissions-of-redfish.conf-at-insta.patch new file mode 100644 index 0000000..b3f334e --- /dev/null +++ b/SOURCES/0001-redfish-Set-the-permissions-of-redfish.conf-at-insta.patch @@ -0,0 +1,28 @@ +From 442f7f9200fbf6ec509dd0ee40eae2e37b2fb73e Mon Sep 17 00:00:00 2001 +From: Richard Hughes +Date: Tue, 20 Sep 2022 08:06:12 +0100 +Subject: [PATCH 1/3] redfish: Set the permissions of redfish.conf at install + time + +Although typically we set the password using fu_plugin_set_secure_config_value() +or something like Ansible or Puppet -- the user could just edit the file with +vim and we still want the permissions set correctly. +--- + plugins/redfish/meson.build | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/plugins/redfish/meson.build b/plugins/redfish/meson.build +index 34ba4b7f6..7b19574de 100644 +--- a/plugins/redfish/meson.build ++++ b/plugins/redfish/meson.build +@@ -48,6 +48,7 @@ shared_module('fu_plugin_redfish', + + install_data(['redfish.conf'], + install_dir: join_paths(sysconfdir, 'fwupd'), ++ install_mode: 'rw-r-----', + ) + + if get_option('tests') +-- +2.39.1 + diff --git a/SOURCES/0002-redfish-Only-create-users-using-IPMI-when-we-know-it.patch b/SOURCES/0002-redfish-Only-create-users-using-IPMI-when-we-know-it.patch new file mode 100644 index 0000000..f7ec617 --- /dev/null +++ b/SOURCES/0002-redfish-Only-create-users-using-IPMI-when-we-know-it.patch @@ -0,0 +1,47 @@ +From 4f39b747a6d860e32a3000451dd2635366c81776 Mon Sep 17 00:00:00 2001 +From: Richard Hughes +Date: Tue, 20 Sep 2022 09:13:52 +0100 +Subject: [PATCH 2/3] redfish: Only create users using IPMI when we know it's + going to work + +Make the IPMI auto-account feature allow-listed on specific vendors as some IPMI +implementations are not specification compliant and do entirely the wrong thing. +--- + plugins/redfish/fu-plugin-redfish.c | 8 ++++++++ + plugins/redfish/redfish.quirk | 2 +- + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/plugins/redfish/fu-plugin-redfish.c b/plugins/redfish/fu-plugin-redfish.c +index deb0fe742..3972d4b4b 100644 +--- a/plugins/redfish/fu-plugin-redfish.c ++++ b/plugins/redfish/fu-plugin-redfish.c +@@ -422,6 +422,14 @@ fu_plugin_redfish_startup(FuPlugin *plugin, GError **error) + #ifdef HAVE_LINUX_IPMI_H + /* we got neither a type 42 entry or config value, lets try IPMI */ + if (fu_redfish_backend_get_username(data->backend) == NULL) { ++ if (!fu_context_has_hwid_flag(fu_plugin_get_context(plugin), "ipmi-create-user")) { ++ g_set_error_literal(error, ++ FWUPD_ERROR, ++ FWUPD_ERROR_NOT_SUPPORTED, ++ "no username and password specified, " ++ "and no vendor quirk for 'ipmi-create-user'"); ++ return FALSE; ++ } + if (!fu_plugin_get_config_value_boolean(plugin, "IpmiDisableCreateUser")) { + g_debug("attempting to create user using IPMI"); + if (!fu_redfish_plugin_ipmi_create_user(plugin, error)) +diff --git a/plugins/redfish/redfish.quirk b/plugins/redfish/redfish.quirk +index b12439926..5e9722fda 100644 +--- a/plugins/redfish/redfish.quirk ++++ b/plugins/redfish/redfish.quirk +@@ -1,6 +1,6 @@ + # Lenovo ThinkSystem + [42f00735-c9ab-5374-bd63-a5deee5881e0] +-Flags = wildcard-targets,reset-required ++Flags = wildcard-targets,reset-required,ipmi-create-user + + [REDFISH\VENDOR_Lenovo&ID_BMC-Backup] + ParentGuid = REDFISH\VENDOR_Lenovo&ID_BMC-Primary +-- +2.39.1 + diff --git a/SOURCES/0003-Never-save-the-Redfish-passwords-to-a-file-readable-.patch b/SOURCES/0003-Never-save-the-Redfish-passwords-to-a-file-readable-.patch new file mode 100644 index 0000000..f9e717d --- /dev/null +++ b/SOURCES/0003-Never-save-the-Redfish-passwords-to-a-file-readable-.patch @@ -0,0 +1,141 @@ +From 41575afd93ca0e68bced78ca43a4488f124906a1 Mon Sep 17 00:00:00 2001 +From: Richard Hughes +Date: Wed, 21 Sep 2022 14:56:10 +0100 +Subject: [PATCH 3/3] Never save the Redfish passwords to a file readable by + users + +When the redfish plugin automatically creates an OPERATOR user account on the +BMC we save the autogenerated password to /etc/fwupd/redfish.conf, ensuring it +is chmod'ed to 0660 before writing the file with g_key_file_save_to_file(). + +Under the covers, g_key_file_save_to_file() calls g_file_set_contents() with +the keyfile string data. +I was under the impression that G_FILE_CREATE_REPLACE_DESTINATION was being +used to copy permissions, but alas not. + +GLib instead calls g_file_set_contents_full() with the mode hardcoded to 0666, +which undoes the previous chmod(). + +Use g_file_set_contents_full() with the correct mode for newer GLib versions, +and provide a fallback with the same semantics for older versions. +--- + contrib/fwupd.spec.in | 3 ++ + libfwupdplugin/fu-plugin.c | 65 +++++++++++++++++++++++++++++------ + libfwupdplugin/fu-self-test.c | 57 ++++++++++++++++++++++++++++++ + 3 files changed, 114 insertions(+), 11 deletions(-) + +diff --git a/contrib/fwupd.spec.in b/contrib/fwupd.spec.in +index a50e30a9c..0854fcf4f 100644 +--- a/contrib/fwupd.spec.in ++++ b/contrib/fwupd.spec.in +@@ -313,6 +313,9 @@ for fn in /etc/fwupd/remotes.d/*.conf; do + fi + done + ++# ensure this is private ++chmod 0660 /etc/fwupd/redfish.conf ++ + %preun + %systemd_preun fwupd.service + +diff --git a/libfwupdplugin/fu-plugin.c b/libfwupdplugin/fu-plugin.c +index 18042a028..04951de85 100644 +--- a/libfwupdplugin/fu-plugin.c ++++ b/libfwupdplugin/fu-plugin.c +@@ -9,6 +9,7 @@ + #include "config.h" + + #include ++#include + #include + #include + #include +@@ -2256,6 +2257,46 @@ fu_plugin_set_config_value(FuPlugin *self, const gchar *key, const gchar *value, + return g_key_file_save_to_file(keyfile, conf_path, error); + } + ++#if !GLIB_CHECK_VERSION(2, 66, 0) ++ ++#define G_FILE_SET_CONTENTS_CONSISTENT 0 ++typedef guint GFileSetContentsFlags; ++static gboolean ++g_file_set_contents_full(const gchar *filename, ++ const gchar *contents, ++ gssize length, ++ GFileSetContentsFlags flags, ++ int mode, ++ GError **error) ++{ ++ gint fd; ++ gssize wrote; ++ ++ if (length < 0) ++ length = strlen(contents); ++ fd = g_open(filename, O_CREAT, mode); ++ if (fd <= 0) { ++ g_set_error(error, ++ G_IO_ERROR, ++ G_IO_ERROR_FAILED, ++ "could not open %s file", ++ filename); ++ return FALSE; ++ } ++ wrote = write(fd, contents, length); ++ if (wrote != length) { ++ g_set_error(error, ++ G_IO_ERROR, ++ G_IO_ERROR_FAILED, ++ "did not write %s file", ++ filename); ++ g_close(fd, NULL); ++ return FALSE; ++ } ++ return g_close(fd, error); ++} ++#endif ++ + /** + * fu_plugin_set_secure_config_value: + * @self: a #FuPlugin +@@ -2277,7 +2318,8 @@ fu_plugin_set_secure_config_value(FuPlugin *self, + GError **error) + { + g_autofree gchar *conf_path = fu_plugin_get_config_filename(self); +- gint ret; ++ g_autofree gchar *data = NULL; ++ g_autoptr(GKeyFile) keyfile = g_key_file_new(); + + g_return_val_if_fail(FU_IS_PLUGIN(self), FALSE); + g_return_val_if_fail(error == NULL || *error == NULL, FALSE); +@@ -2286,17 +2328,18 @@ fu_plugin_set_secure_config_value(FuPlugin *self, + g_set_error(error, FWUPD_ERROR, FWUPD_ERROR_NOT_FOUND, "%s is missing", conf_path); + return FALSE; + } +- ret = g_chmod(conf_path, 0660); +- if (ret == -1) { +- g_set_error(error, +- FWUPD_ERROR, +- FWUPD_ERROR_INTERNAL, +- "failed to set permissions on %s", +- conf_path); ++ if (!g_key_file_load_from_file(keyfile, conf_path, G_KEY_FILE_KEEP_COMMENTS, error)) + return FALSE; +- } +- +- return fu_plugin_set_config_value(self, key, value, error); ++ g_key_file_set_string(keyfile, fu_plugin_get_name(self), key, value); ++ data = g_key_file_to_data(keyfile, NULL, error); ++ if (data == NULL) ++ return FALSE; ++ return g_file_set_contents_full(conf_path, ++ data, ++ -1, ++ G_FILE_SET_CONTENTS_CONSISTENT, ++ 0660, ++ error); + } + + /** +-- +2.39.1 + diff --git a/SOURCES/redhatsecureboot301.cer b/SOURCES/redhatsecureboot301.cer deleted file mode 100644 index 4ff8b79..0000000 Binary files a/SOURCES/redhatsecureboot301.cer and /dev/null differ diff --git a/SOURCES/redhatsecureboot503.cer b/SOURCES/redhatsecureboot503.cer deleted file mode 100644 index 50e375c..0000000 Binary files a/SOURCES/redhatsecureboot503.cer and /dev/null differ diff --git a/SOURCES/redhatsecurebootca3.cer b/SOURCES/redhatsecurebootca3.cer deleted file mode 100644 index b235400..0000000 Binary files a/SOURCES/redhatsecurebootca3.cer and /dev/null differ diff --git a/SOURCES/redhatsecurebootca5.cer b/SOURCES/redhatsecurebootca5.cer deleted file mode 100644 index dfb0284..0000000 Binary files a/SOURCES/redhatsecurebootca5.cer and /dev/null differ diff --git a/SPECS/fwupd.spec b/SPECS/fwupd.spec index 15ce573..9549e0f 100644 --- a/SPECS/fwupd.spec +++ b/SPECS/fwupd.spec @@ -1,3 +1,7 @@ +%global efi_vendor almalinux +%global efidir almalinux +%global efi_esp_dir /boot/efi/EFI/%{efidir} + %global glib2_version 2.45.8 %global libxmlb_version 0.1.3 %global libgusb_version 0.2.11 @@ -40,7 +44,7 @@ Summary: Firmware update daemon Name: fwupd Version: 1.7.8 -Release: 1%{?dist} +Release: 2%{?dist}.alma License: LGPLv2+ URL: https://github.com/fwupd/fwupd Source0: http://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz @@ -56,10 +60,12 @@ Source15: http://people.redhat.com/rhughes/dbx/DBXUpdate-20200729-x64.cab # these are numbered high just to keep them wildly away from colliding with # the real package sources, in order to reduce churn. -Source300: redhatsecurebootca3.cer -Source301: redhatsecureboot301.cer -Source500: redhatsecurebootca5.cer -Source503: redhatsecureboot503.cer +Source300: almalinuxsecurebootca0.cer + +Patch1: 0001-redfish-Set-the-permissions-of-redfish.conf-at-insta.patch +Patch2: 0002-redfish-Only-create-users-using-IPMI-when-we-know-it.patch +Patch3: 0003-Never-save-the-Redfish-passwords-to-a-file-readable-.patch +Patch4: 0001-Use-usr-libexec-platform-python-for-RHEL.patch BuildRequires: efi-srpm-macros BuildRequires: gettext @@ -163,7 +169,7 @@ Requires: %{name}%{?_isa} = %{version}-%{release} Data files for installed tests. %prep -%setup -q +%autosetup -p1 mkdir -p subprojects/libjcat tar xfvs %{SOURCE1} -C subprojects/libjcat --strip-components=1 @@ -215,11 +221,11 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1 -Dplugin_uefi_capsule=true \ -Dplugin_uefi_pk=false \ %ifarch x86_64 - -Dfwupd-efi:efi_sbat_distro_id="rhel" \ - -Dfwupd-efi:efi_sbat_distro_summary="Red Hat Enterprise Linux" \ + -Dfwupd-efi:efi_sbat_distro_id="almalinux" \ + -Dfwupd-efi:efi_sbat_distro_summary="AlmaLinux" \ -Dfwupd-efi:efi_sbat_distro_pkgname="%{name}" \ -Dfwupd-efi:efi_sbat_distro_version="%{version}" \ - -Dfwupd-efi:efi_sbat_distro_url="mail:secalert@redhat.com" \ + -Dfwupd-efi:efi_sbat_distro_url="mail:security@almalinux.org" \ -Dfwupd-efi:efi-libdir="/usr/lib64" \ %endif -Dplugin_tpm=false \ @@ -267,9 +273,7 @@ install %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %ifarch x86_64 %global efiarch x64 %global fwup_efi_fn $RPM_BUILD_ROOT%{_libexecdir}/fwupd/efi/fwupd%{efiarch}.efi -%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.tmp -a %{SOURCE300} -c %{SOURCE301} -n redhatsecureboot301 -%pesign -s -i %{fwup_efi_fn}.tmp -o %{fwup_efi_fn}.signed -a %{SOURCE500} -c %{SOURCE503} -n redhatsecureboot503 -rm -fv %{fwup_efi_fn}.tmp +%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.signed -a %{SOURCE300} -c %{SOURCE301} -n clsecureboot001 %endif mkdir -p --mode=0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/fwupd/gnupg @@ -491,6 +495,9 @@ done %if 0%{?have_uefi} %{_datadir}/fwupd/uefi-capsule-ux.tar.xz %endif +%if 0%{?have_modem_manager} +%{_libdir}/fwupd-plugins-3/libfu_plugin_modem_manager.so +%endif %files devel %{_datadir}/gir-1.0/Fwupd-2.0.gir @@ -526,6 +533,12 @@ done %endif %changelog +* Wed Sep 27 2023 Eduard Abdullin - 1.7.8-2.alma +- Use AlmaLinux cert + +* Mon Feb 20 2023 Richard Hughes 1.7.8-2 +- Backport the Redfish security fixes which affect IDRAC. +- Resolves: rhbz#2170950 * Wed Jun 15 2022 Richard Hughes 1.7.8-1 - New upstream release - Resolves: rhbz#2095668 @@ -657,7 +670,7 @@ done * Wed Aug 29 2018 Richard Hughes 1.1.1-5 - Include the certificates for secure boot signing -* Tue Aug 23 2018 Richard Hughes 1.1.1-4 +* Thu Aug 23 2018 Richard Hughes 1.1.1-4 - Rebuild to get the EFI executable signed with the Red Hat key * Thu Aug 23 2018 Richard Hughes 1.1.1-3