Compare commits

...

No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

9 changed files with 960 additions and 600 deletions

19
.fwupd.metadata Normal file
View File

@ -0,0 +1,19 @@
b2620c36bd23ca699567fd4e4add039ee4375247 SOURCES/DBXUpdate-20100307-x64.cab
dfdb1d0d42c1563ca63bd45c7e2ddc48cbfc5023 SOURCES/DBXUpdate-20140413-x64.cab
a5f73c606abb93bf61625e4628d27a2cd460f162 SOURCES/DBXUpdate-20160809-x64.cab
b5b2dc87daca1d3f8081a323290432c141aa405d SOURCES/DBXUpdate-20200729-aa64.cab
3fb407561768a3a2f5fb49d7738b5e0650e70810 SOURCES/DBXUpdate-20200729-ia32.cab
89db93c9d9d20f81791a262e817b99d8882c8bb0 SOURCES/DBXUpdate-20200729-x64.cab
cd2bbe591438fe893b4042dc03d30659c1e31756 SOURCES/DBXUpdate-20210429-x64.cab
d3ae610f5b6e602feded54eae8d67ddb7c60e64f SOURCES/DBXUpdate-20220812-aa64.cab
0ac8508ef7a86959e6ab03deec256b19df29677f SOURCES/DBXUpdate-20220812-ia32.cab
60f9aa664cb7588e33ce56d621dafa9b5a71e072 SOURCES/DBXUpdate-20220812-x64.cab
46a42362cd34c0d103cf534ca431508d24715e51 SOURCES/DBXUpdate-20230509-aa64.cab
23d9544ef0f9b39a76d258f6d4a4a54d8f7592b2 SOURCES/DBXUpdate-20230509-ia32.cab
bc6a604b29918d67d5fef745ad4375ca3d43d05e SOURCES/DBXUpdate-20230509-x64.cab
a8c8f0cc046ecff12e425484bc5ec1eb7fe49e90 SOURCES/fwupd-1.9.13.tar.xz
147b36f75fca288fd01d9ed4150866344d57df27 SOURCES/fwupd-efi-1.4.tar.xz
4a07b56e28741884b86da6ac91f8f9929541a1e4 SOURCES/redhatsecureboot301.cer
33e260486f5c12e47b72b90dfb779ca892f56c45 SOURCES/redhatsecureboot503.cer
cf9230e69000076727e5b784ec871d22716dc5da SOURCES/redhatsecurebootca3.cer
e6f506462069aa17d2e8610503635c20f3a995c3 SOURCES/redhatsecurebootca5.cer

17
.gitignore vendored
View File

@ -4,7 +4,16 @@ SOURCES/DBXUpdate-20160809-x64.cab
SOURCES/DBXUpdate-20200729-aa64.cab
SOURCES/DBXUpdate-20200729-ia32.cab
SOURCES/DBXUpdate-20200729-x64.cab
SOURCES/almalinuxsecurebootca0.cer
SOURCES/fwupd-1.7.8.tar.xz
SOURCES/fwupd-efi-1.3.tar.xz
SOURCES/libjcat-0.1.9.tar.xz
SOURCES/DBXUpdate-20210429-x64.cab
SOURCES/DBXUpdate-20220812-aa64.cab
SOURCES/DBXUpdate-20220812-ia32.cab
SOURCES/DBXUpdate-20220812-x64.cab
SOURCES/DBXUpdate-20230509-aa64.cab
SOURCES/DBXUpdate-20230509-ia32.cab
SOURCES/DBXUpdate-20230509-x64.cab
SOURCES/fwupd-1.9.13.tar.xz
SOURCES/fwupd-efi-1.4.tar.xz
SOURCES/redhatsecureboot301.cer
SOURCES/redhatsecureboot503.cer
SOURCES/redhatsecurebootca3.cer
SOURCES/redhatsecurebootca5.cer

View File

@ -0,0 +1,47 @@
From 6fc21ec8364babc2edc57d6a39ee44c1e72cc6b2 Mon Sep 17 00:00:00 2001
From: Richard Hughes <richard@hughsie.com>
Date: Sun, 18 Feb 2024 10:23:03 +0000
Subject: [PATCH] Correctly migrate from v2 to database schema v10
Artificially bump the schema version to v11 to ensure the migration is done.
diff --git a/src/fu-history.c b/src/fu-history.c
index 21a4fd3e8..3be03c3a7 100644
--- a/src/fu-history.c
+++ b/src/fu-history.c
@@ -21,7 +21,20 @@
#include "fu-history.h"
#include "fu-security-attr-common.h"
-#define FU_HISTORY_CURRENT_SCHEMA_VERSION 10
+/*
+ * v1 legacy schema
+ * v2 initial schema
+ * v3 add checksum_device to history
+ * v4 add protocol to history
+ * v5 create table approved_firmware
+ * v6 create table blocked_firmware
+ * v7 create table hsi_history
+ * v8 add release_id to history
+ * v9 add appstream_id to history
+ * v10 add version_format to history
+ * v11 no changes, bumped due to bungled migration to v10
+ */
+#define FU_HISTORY_CURRENT_SCHEMA_VERSION 11
static void
fu_history_finalize(GObject *object);
@@ -466,11 +479,12 @@ fu_history_create_or_migrate(FuHistory *self, guint schema_ver, GError **error)
case 8:
if (!fu_history_migrate_database_v8(self, error))
return FALSE;
- break;
/* fall through */
case 9:
+ case 10:
if (!fu_history_migrate_database_v9(self, error))
return FALSE;
+ /* no longer fall through */
break;
default:
/* this is probably okay, but return an error if we ever delete

View File

@ -1,29 +0,0 @@
From 1fc24adecbb62b3cd77ef965c5daf1b72f6c7aa8 Mon Sep 17 00:00:00 2001
From: Richard Hughes <richard@hughsie.com>
Date: Tue, 22 Aug 2023 10:05:27 +0100
Subject: [PATCH] Use /usr/libexec/platform-python for RHEL
---
meson.build | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/meson.build b/meson.build
index bb406d616..ac90c8ee6 100644
--- a/meson.build
+++ b/meson.build
@@ -261,11 +261,7 @@ if libgcab.type_name() == 'pkgconfig' and cc.has_function('gcab_file_set_bytes',
endif
bashcomp = dependency('bash-completion', required: false)
-if host_machine.system() != 'freebsd'
- python3 = find_program('python3')
-else
- python3 = find_program('python3.8', 'python3', 'python3.9')
-endif
+python3 = find_program('/usr/libexec/platform-python')
if get_option('gnutls')
gnutls = dependency('gnutls', version : '>= 3.6.0')
--
2.41.0

View File

@ -0,0 +1,91 @@
From cfd61f6958a46d5e9687f87caf04c94680382a9f Mon Sep 17 00:00:00 2001
From: Nicolas Frayer <nfrayer@redhat.com>
Date: Wed, 1 Feb 2023 12:13:45 +0100
Subject: [PATCH] generate_binary: Add NX COMPAT flag manually when genpeimg
missing
When genpeimg or python3-pefile is missing, add the NX COMPAT flag
manually by setting bit8 of the DllCharacteristics in the optional
header, clear the TimeDateStamp and update the checksum.
---
efi/generate_binary.py | 50 ++++++++++++++++++++++++++++++++++++++++--
1 file changed, 48 insertions(+), 2 deletions(-)
diff --git a/efi/generate_binary.py b/efi/generate_binary.py
index 7b802e7..10ab0b3 100755
--- a/efi/generate_binary.py
+++ b/efi/generate_binary.py
@@ -10,6 +10,13 @@
import subprocess
import sys
import argparse
+import os
+import struct
+
+COFF_HDR_OFFSET = 0x80
+OPTIONALHDR_CHECKSUM = COFF_HDR_OFFSET + 0x58
+OPTIONALHDR_DLLCHARACTERISTICS = COFF_HDR_OFFSET + 0x5E
+PEHEADER_TIMEDATASTAMP = COFF_HDR_OFFSET + 0x8
def _run_objcopy(args):
@@ -66,6 +73,27 @@ def _run_genpeimg(args):
sys.exit(1)
+def generate_checksum(data):
+ checksum_offset: int = OPTIONALHDR_CHECKSUM
+ checksum: int = 0
+ remainder: int = len(data) % 4
+ data_len: int = len(data) + ((4 - remainder) * (remainder != 0))
+ for i in range(int(data_len / 4)):
+ if i == int(checksum_offset / 4):
+ continue
+ if i + 1 == (int(data_len / 4)) and remainder:
+ dword = struct.unpack("I", data[i * 4 :] + (b"\0" * (4 - remainder)))[0]
+ else:
+ dword = struct.unpack("I", data[i * 4 : i * 4 + 4])[0]
+ checksum += dword
+ if checksum >= 2**32:
+ checksum = (checksum & 0xFFFFFFFF) + (checksum >> 32)
+ checksum = (checksum & 0xFFFF) + (checksum >> 16)
+ checksum = checksum + (checksum >> 16)
+ checksum = checksum & 0xFFFF
+ return checksum + len(data)
+
+
def _add_nx_pefile(args):
# unnecessary if we have genpeimg
if args.genpeimg:
@@ -73,8 +101,26 @@ def _add_nx_pefile(args):
try:
import pefile
except ImportError:
- print("Unable to add NX support to binaries without genpeimg or python3-pefile")
- sys.exit(1)
+ print("Adding NX support manually to the binary")
+ with open(args.outfile, "r+b") as fh:
+ buf = bytearray(fh.read(os.path.getsize(args.outfile)))
+ fh.seek(0)
+ DllCharacteristics = struct.unpack_from(
+ "<H", buf, OPTIONALHDR_DLLCHARACTERISTICS
+ )[0]
+ DllCharacteristics |= 0x100
+ struct.pack_into(
+ "<H", buf, OPTIONALHDR_DLLCHARACTERISTICS, DllCharacteristics
+ )
+
+ # set the timestamp to 0
+ struct.pack_into("<I", buf, PEHEADER_TIMEDATASTAMP, 0x0)
+
+ # as we have set the NX COMPAT bit, regenerate the checksum
+ struct.pack_into("<I", buf, OPTIONALHDR_CHECKSUM, generate_checksum(buf))
+ fh.write(buf)
+
+ return
pe = pefile.PE(args.outfile)
pe.OPTIONAL_HEADER.DllCharacteristics |= pefile.DLL_CHARACTERISTICS[
--
2.39.1

View File

@ -1,28 +0,0 @@
From 442f7f9200fbf6ec509dd0ee40eae2e37b2fb73e Mon Sep 17 00:00:00 2001
From: Richard Hughes <richard@hughsie.com>
Date: Tue, 20 Sep 2022 08:06:12 +0100
Subject: [PATCH 1/3] redfish: Set the permissions of redfish.conf at install
time
Although typically we set the password using fu_plugin_set_secure_config_value()
or something like Ansible or Puppet -- the user could just edit the file with
vim and we still want the permissions set correctly.
---
plugins/redfish/meson.build | 1 +
1 file changed, 1 insertion(+)
diff --git a/plugins/redfish/meson.build b/plugins/redfish/meson.build
index 34ba4b7f6..7b19574de 100644
--- a/plugins/redfish/meson.build
+++ b/plugins/redfish/meson.build
@@ -48,6 +48,7 @@ shared_module('fu_plugin_redfish',
install_data(['redfish.conf'],
install_dir: join_paths(sysconfdir, 'fwupd'),
+ install_mode: 'rw-r-----',
)
if get_option('tests')
--
2.39.1

View File

@ -1,47 +0,0 @@
From 4f39b747a6d860e32a3000451dd2635366c81776 Mon Sep 17 00:00:00 2001
From: Richard Hughes <richard@hughsie.com>
Date: Tue, 20 Sep 2022 09:13:52 +0100
Subject: [PATCH 2/3] redfish: Only create users using IPMI when we know it's
going to work
Make the IPMI auto-account feature allow-listed on specific vendors as some IPMI
implementations are not specification compliant and do entirely the wrong thing.
---
plugins/redfish/fu-plugin-redfish.c | 8 ++++++++
plugins/redfish/redfish.quirk | 2 +-
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/plugins/redfish/fu-plugin-redfish.c b/plugins/redfish/fu-plugin-redfish.c
index deb0fe742..3972d4b4b 100644
--- a/plugins/redfish/fu-plugin-redfish.c
+++ b/plugins/redfish/fu-plugin-redfish.c
@@ -422,6 +422,14 @@ fu_plugin_redfish_startup(FuPlugin *plugin, GError **error)
#ifdef HAVE_LINUX_IPMI_H
/* we got neither a type 42 entry or config value, lets try IPMI */
if (fu_redfish_backend_get_username(data->backend) == NULL) {
+ if (!fu_context_has_hwid_flag(fu_plugin_get_context(plugin), "ipmi-create-user")) {
+ g_set_error_literal(error,
+ FWUPD_ERROR,
+ FWUPD_ERROR_NOT_SUPPORTED,
+ "no username and password specified, "
+ "and no vendor quirk for 'ipmi-create-user'");
+ return FALSE;
+ }
if (!fu_plugin_get_config_value_boolean(plugin, "IpmiDisableCreateUser")) {
g_debug("attempting to create user using IPMI");
if (!fu_redfish_plugin_ipmi_create_user(plugin, error))
diff --git a/plugins/redfish/redfish.quirk b/plugins/redfish/redfish.quirk
index b12439926..5e9722fda 100644
--- a/plugins/redfish/redfish.quirk
+++ b/plugins/redfish/redfish.quirk
@@ -1,6 +1,6 @@
# Lenovo ThinkSystem
[42f00735-c9ab-5374-bd63-a5deee5881e0]
-Flags = wildcard-targets,reset-required
+Flags = wildcard-targets,reset-required,ipmi-create-user
[REDFISH\VENDOR_Lenovo&ID_BMC-Backup]
ParentGuid = REDFISH\VENDOR_Lenovo&ID_BMC-Primary
--
2.39.1

View File

@ -1,141 +0,0 @@
From 41575afd93ca0e68bced78ca43a4488f124906a1 Mon Sep 17 00:00:00 2001
From: Richard Hughes <richard@hughsie.com>
Date: Wed, 21 Sep 2022 14:56:10 +0100
Subject: [PATCH 3/3] Never save the Redfish passwords to a file readable by
users
When the redfish plugin automatically creates an OPERATOR user account on the
BMC we save the autogenerated password to /etc/fwupd/redfish.conf, ensuring it
is chmod'ed to 0660 before writing the file with g_key_file_save_to_file().
Under the covers, g_key_file_save_to_file() calls g_file_set_contents() with
the keyfile string data.
I was under the impression that G_FILE_CREATE_REPLACE_DESTINATION was being
used to copy permissions, but alas not.
GLib instead calls g_file_set_contents_full() with the mode hardcoded to 0666,
which undoes the previous chmod().
Use g_file_set_contents_full() with the correct mode for newer GLib versions,
and provide a fallback with the same semantics for older versions.
---
contrib/fwupd.spec.in | 3 ++
libfwupdplugin/fu-plugin.c | 65 +++++++++++++++++++++++++++++------
libfwupdplugin/fu-self-test.c | 57 ++++++++++++++++++++++++++++++
3 files changed, 114 insertions(+), 11 deletions(-)
diff --git a/contrib/fwupd.spec.in b/contrib/fwupd.spec.in
index a50e30a9c..0854fcf4f 100644
--- a/contrib/fwupd.spec.in
+++ b/contrib/fwupd.spec.in
@@ -313,6 +313,9 @@ for fn in /etc/fwupd/remotes.d/*.conf; do
fi
done
+# ensure this is private
+chmod 0660 /etc/fwupd/redfish.conf
+
%preun
%systemd_preun fwupd.service
diff --git a/libfwupdplugin/fu-plugin.c b/libfwupdplugin/fu-plugin.c
index 18042a028..04951de85 100644
--- a/libfwupdplugin/fu-plugin.c
+++ b/libfwupdplugin/fu-plugin.c
@@ -9,6 +9,7 @@
#include "config.h"
#include <errno.h>
+#include <fcntl.h>
#include <fwupd.h>
#include <glib/gstdio.h>
#include <gmodule.h>
@@ -2256,6 +2257,46 @@ fu_plugin_set_config_value(FuPlugin *self, const gchar *key, const gchar *value,
return g_key_file_save_to_file(keyfile, conf_path, error);
}
+#if !GLIB_CHECK_VERSION(2, 66, 0)
+
+#define G_FILE_SET_CONTENTS_CONSISTENT 0
+typedef guint GFileSetContentsFlags;
+static gboolean
+g_file_set_contents_full(const gchar *filename,
+ const gchar *contents,
+ gssize length,
+ GFileSetContentsFlags flags,
+ int mode,
+ GError **error)
+{
+ gint fd;
+ gssize wrote;
+
+ if (length < 0)
+ length = strlen(contents);
+ fd = g_open(filename, O_CREAT, mode);
+ if (fd <= 0) {
+ g_set_error(error,
+ G_IO_ERROR,
+ G_IO_ERROR_FAILED,
+ "could not open %s file",
+ filename);
+ return FALSE;
+ }
+ wrote = write(fd, contents, length);
+ if (wrote != length) {
+ g_set_error(error,
+ G_IO_ERROR,
+ G_IO_ERROR_FAILED,
+ "did not write %s file",
+ filename);
+ g_close(fd, NULL);
+ return FALSE;
+ }
+ return g_close(fd, error);
+}
+#endif
+
/**
* fu_plugin_set_secure_config_value:
* @self: a #FuPlugin
@@ -2277,7 +2318,8 @@ fu_plugin_set_secure_config_value(FuPlugin *self,
GError **error)
{
g_autofree gchar *conf_path = fu_plugin_get_config_filename(self);
- gint ret;
+ g_autofree gchar *data = NULL;
+ g_autoptr(GKeyFile) keyfile = g_key_file_new();
g_return_val_if_fail(FU_IS_PLUGIN(self), FALSE);
g_return_val_if_fail(error == NULL || *error == NULL, FALSE);
@@ -2286,17 +2328,18 @@ fu_plugin_set_secure_config_value(FuPlugin *self,
g_set_error(error, FWUPD_ERROR, FWUPD_ERROR_NOT_FOUND, "%s is missing", conf_path);
return FALSE;
}
- ret = g_chmod(conf_path, 0660);
- if (ret == -1) {
- g_set_error(error,
- FWUPD_ERROR,
- FWUPD_ERROR_INTERNAL,
- "failed to set permissions on %s",
- conf_path);
+ if (!g_key_file_load_from_file(keyfile, conf_path, G_KEY_FILE_KEEP_COMMENTS, error))
return FALSE;
- }
-
- return fu_plugin_set_config_value(self, key, value, error);
+ g_key_file_set_string(keyfile, fu_plugin_get_name(self), key, value);
+ data = g_key_file_to_data(keyfile, NULL, error);
+ if (data == NULL)
+ return FALSE;
+ return g_file_set_contents_full(conf_path,
+ data,
+ -1,
+ G_FILE_SET_CONTENTS_CONSISTENT,
+ 0660,
+ error);
}
/**
--
2.39.1

File diff suppressed because it is too large Load Diff