diff --git a/.gitignore b/.gitignore
index 6af0766..3a4f2b3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/shim-15.tar.bz2
+SOURCES/shim-15.8.tar.bz2r
diff --git a/.shim-unsigned-aarch64.metadata b/.shim-unsigned-aarch64.metadata
index 5677fcd..89e9ccb 100644
--- a/.shim-unsigned-aarch64.metadata
+++ b/.shim-unsigned-aarch64.metadata
@@ -1 +1 @@
-2dc6308584187bf3ee88bf9b119938c72c5a5088 SOURCES/shim-15.tar.bz2
+cdec924ca437a4509dcb178396996ddf92c11183 SOURCES/shim-15.8.tar.bz2
diff --git a/SOURCES/0001-Make-sure-that-MOK-variables-always-get-mirrored.patch b/SOURCES/0001-Make-sure-that-MOK-variables-always-get-mirrored.patch
deleted file mode 100644
index 0779498..0000000
--- a/SOURCES/0001-Make-sure-that-MOK-variables-always-get-mirrored.patch
+++ /dev/null
@@ -1,60 +0,0 @@ -From 9ab0d796bdc9cefdaa3b0df7434845d26c43d894 Mon Sep 17 00:00:00 2001 -From: Patrick Uiterwijk -Date: Mon, 5 Nov 2018 14:51:16 +0100 -Subject: [PATCH 1/3] Make sure that MOK variables always get mirrored - -Without this, if a Mok variable doesn't exist in Boot Services, it will also -not be copied to Runtime, even if we have data to be added to it (vendor cert). -This patch makes sure that if we have extra data to append, we still mirror -the variable. - -Signed-off-by: Patrick Uiterwijk ---- - mok.c | 20 ++++++++++++++++---- - 1 file changed, 16 insertions(+), 4 deletions(-) - -diff --git a/mok.c b/mok.c -index 38675211e0e..00dd1ad3034 100644 ---- a/mok.c -+++ b/mok.c -@@ -223,11 +223,26 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) - UINT32 attrs = 0; - BOOLEAN delete = FALSE, present, addend; - -+ addend = (v->addend_source && v->addend_size && -+ *v->addend_source && *v->addend_size) -+ ? TRUE : FALSE; -+ - efi_status = get_variable_attr(v->name, - &v->data, &v->data_size, - *v->guid, &attrs); -- if (efi_status == EFI_NOT_FOUND) -+ if (efi_status == EFI_NOT_FOUND) { -+ if (v->rtname && addend) { -+ efi_status = mirror_one_mok_variable(v); -+ if (EFI_ERROR(efi_status) && -+ ret != EFI_SECURITY_VIOLATION) -+ ret = efi_status; -+ } -+ /* -+ * after possibly adding, we can continue, no -+ * further checks to be done. -+ */ - continue; -+ } - if (EFI_ERROR(efi_status)) { - perror(L"Could not verify %s: %r\n", v->name, - efi_status); -@@ -272,9 +287,6 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) - } - - present = (v->data && v->data_size) ? TRUE : FALSE; -- addend = (v->addend_source && v->addend_size && -- *v->addend_source && *v->addend_size) -- ? TRUE : FALSE; - - if (v->flags & MOK_VARIABLE_MEASURE && present) { - /* --- -2.20.1 - diff --git a/SOURCES/0002-mok-fix-the-mirroring-of-RT-variables.patch b/SOURCES/0002-mok-fix-the-mirroring-of-RT-variables.patch deleted file mode 100644 index fc2adbc..0000000 
--- a/SOURCES/0002-mok-fix-the-mirroring-of-RT-variables.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 4b27ae034ba9885960e72f77b3f687a9b7fea824 Mon Sep 17 00:00:00 2001 -From: Gary Lin -Date: Wed, 21 Nov 2018 12:47:43 +0800 -Subject: [PATCH 2/3] mok: fix the mirroring of RT variables - -When there is no key in MokList, import_mok_state() just skipped MokList -even though it should always mirror the vendor cert. Besides, the faulty -check of 'present' and 'addend' invalidates the mirroring of MokListXRT, -MokSBStateRT, and MokIgnoreDB. - -https://github.com/rhboot/shim/issues/154 - -Signed-off-by: Gary Lin ---- - mok.c | 11 ++++------- - 1 file changed, 4 insertions(+), 7 deletions(-) - -diff --git a/mok.c b/mok.c -index 00dd1ad3034..41925abbb49 100644 ---- a/mok.c -+++ b/mok.c -@@ -231,12 +231,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) - &v->data, &v->data_size, - *v->guid, &attrs); - if (efi_status == EFI_NOT_FOUND) { -- if (v->rtname && addend) { -- efi_status = mirror_one_mok_variable(v); -- if (EFI_ERROR(efi_status) && -- ret != EFI_SECURITY_VIOLATION) -- ret = efi_status; -- } -+ if (addend) -+ goto mirror_addend; - /* - * after possibly adding, we can continue, no - * further checks to be done. -@@ -316,7 +312,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) - } - } - -- if (v->rtname && present && addend) { -+mirror_addend: -+ if (v->rtname && (present || addend)) { - if (v->flags & MOK_MIRROR_DELETE_FIRST) - LibDeleteVariable(v->rtname, v->guid); - --- -2.20.1 - diff --git a/SOURCES/0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch b/SOURCES/0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch deleted file mode 100644 index caded4e..0000000 --- a/SOURCES/0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch +++ /dev/null 
@@ -1,109 +0,0 @@ -From 29c11483101b460869a5e0dba1f425073862127d Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 31 Jan 2019 13:45:30 -0500 -Subject: [PATCH 3/3] mok: consolidate mirroring code in a helper instead of - using goto - -There's no reason to complicate the logic with a goto here, instead just -pull the logic we're jumping to out to a helper function. - -Signed-off-by: Peter Jones ---- - mok.c | 41 ++++++++++++++++++++++++++++------------- - shim.h | 2 ++ - 2 files changed, 30 insertions(+), 13 deletions(-) - -diff --git a/mok.c b/mok.c -index 41925abbb49..2f495e6cf25 100644 ---- a/mok.c -+++ b/mok.c -@@ -130,7 +130,8 @@ struct mok_state_variable mok_state_variables[] = { - { NULL, } - }; - --static EFI_STATUS mirror_one_mok_variable(struct mok_state_variable *v) -+static EFI_STATUS nonnull(1) -+mirror_one_mok_variable(struct mok_state_variable *v) - { - EFI_STATUS efi_status = EFI_SUCCESS; - void *FullData = NULL; -@@ -196,6 +197,29 @@ static EFI_STATUS mirror_one_mok_variable(struct mok_state_variable *v) - return efi_status; - } - -+/* -+ * Mirror a variable if it has an rtname, and preserve any -+ * EFI_SECURITY_VIOLATION status at the same time. -+ */ -+static EFI_STATUS nonnull(1) -+maybe_mirror_one_mok_variable(struct mok_state_variable *v, EFI_STATUS ret) -+{ -+ EFI_STATUS efi_status; -+ if (v->rtname) { -+ if (v->flags & MOK_MIRROR_DELETE_FIRST) -+ LibDeleteVariable(v->rtname, v->guid); -+ -+ efi_status = mirror_one_mok_variable(v); -+ if (EFI_ERROR(efi_status)) { -+ if (ret != EFI_SECURITY_VIOLATION) -+ ret = efi_status; -+ perror(L"Could not create %s: %r\n", v->rtname, -+ efi_status); -+ } -+ } -+ return ret; -+} -+ - /* - * Verify our non-volatile MoK state. This checks the variables above - * accessable and have valid attributes. 
If they don't, it removes -@@ -232,7 +256,7 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) - *v->guid, &attrs); - if (efi_status == EFI_NOT_FOUND) { - if (addend) -- goto mirror_addend; -+ ret = maybe_mirror_one_mok_variable(v, ret); - /* - * after possibly adding, we can continue, no - * further checks to be done. -@@ -312,16 +336,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) - } - } - --mirror_addend: -- if (v->rtname && (present || addend)) { -- if (v->flags & MOK_MIRROR_DELETE_FIRST) -- LibDeleteVariable(v->rtname, v->guid); -- -- efi_status = mirror_one_mok_variable(v); -- if (EFI_ERROR(efi_status) && -- ret != EFI_SECURITY_VIOLATION) -- ret = efi_status; -- } -+ if (present) -+ ret = maybe_mirror_one_mok_variable(v, ret); - } - - /* -@@ -340,4 +356,4 @@ mirror_addend: - return ret; - } - --// vim:fenc=utf-8:tw=75 -+// vim:fenc=utf-8:tw=75:noet -diff --git a/shim.h b/shim.h -index 2b359d821e3..c26d5f06538 100644 ---- a/shim.h -+++ b/shim.h -@@ -30,6 +30,8 @@ - - #include - -+#define nonnull(...) __attribute__((__nonnull__(__VA_ARGS__))) -+ - #define min(a, b) ({(a) < (b) ? (a) : (b);}) - - #ifdef __x86_64__ --- -2.20.1 - diff --git a/SOURCES/0004-Make-VLogError-behave-as-expected.patch b/SOURCES/0004-Make-VLogError-behave-as-expected.patch deleted file mode 100644 index 2e5ca64..0000000 --- a/SOURCES/0004-Make-VLogError-behave-as-expected.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From 0bff94b170116737e6e0838c35c0ac376542a5c0 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 12 Feb 2019 18:04:49 -0500 -Subject: [PATCH 4/4] Make VLogError() behave as expected. - -Signed-off-by: Peter Jones ---- - errlog.c | 15 +++------------ - 1 file changed, 3 insertions(+), 12 deletions(-) - -diff --git a/errlog.c b/errlog.c -index 18be4822d53..eebb266d396 100644 ---- a/errlog.c -+++ b/errlog.c -@@ -14,29 +14,20 @@ EFI_STATUS - VLogError(const char *file, int line, const char *func, CHAR16 *fmt, va_list args) - { - va_list args2; -- UINTN size = 0, size2; - CHAR16 **newerrs; - -- size = SPrint(NULL, 0, L"%a:%d %a() ", file, line, func); -- va_copy(args2, args); -- size2 = VSPrint(NULL, 0, fmt, args2); -- va_end(args2); -- - newerrs = ReallocatePool(errs, (nerrs + 1) * sizeof(*errs), - (nerrs + 3) * sizeof(*errs)); - if (!newerrs) - return EFI_OUT_OF_RESOURCES; - -- newerrs[nerrs] = AllocatePool(size*2+2); -+ newerrs[nerrs] = PoolPrint(L"%a:%d %a() ", file, line, func); - if (!newerrs[nerrs]) - return EFI_OUT_OF_RESOURCES; -- newerrs[nerrs+1] = AllocatePool(size2*2+2); -+ va_copy(args2, args); -+ newerrs[nerrs+1] = VPoolPrint(fmt, args2); - if (!newerrs[nerrs+1]) - return EFI_OUT_OF_RESOURCES; -- -- SPrint(newerrs[nerrs], size*2+2, L"%a:%d %a() ", file, line, func); -- va_copy(args2, args); -- VSPrint(newerrs[nerrs+1], size2*2+2, fmt, args2); - va_end(args2); - - nerrs += 2; --- -2.20.1 - diff --git a/SOURCES/0005-Make-EFI-variable-copying-fatal-only-on-secureboot-e.patch b/SOURCES/0005-Make-EFI-variable-copying-fatal-only-on-secureboot-e.patch deleted file mode 100644 index bbd6525..0000000 --- a/SOURCES/0005-Make-EFI-variable-copying-fatal-only-on-secureboot-e.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From 741c61abba7d5c74166f8d0c1b9ee8001ebcd186 Mon Sep 17 00:00:00 2001 -From: Patrick Uiterwijk -Date: Thu, 6 Dec 2018 10:08:45 +0100 -Subject: [PATCH] Make EFI variable copying fatal only on secureboot enabled - systems - -I have come across systems that are unwilling to reserve enough memory for -a MokListRT big enough for big certificates. -This seems to be the case with firmware implementations that do not support -secureboot, which is probably the reason they went with much lower variable -storage. - -This patch set makes sure we can still boot on those systems, by only -making the copy action fatal if the system has secure boot enabled, or if -the error was anything other than EFI_INVALID_PARAMETER. - -Signed-off-by: Patrick Uiterwijk ---- - shim.c | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - -diff --git a/shim.c b/shim.c -index 7d25ad6fe70..aee4727fe67 100644 ---- a/shim.c -+++ b/shim.c -@@ -2639,7 +2639,17 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab) - * boot-services-only state variables are what we think they are. - */ - efi_status = import_mok_state(image_handle); -- if (EFI_ERROR(efi_status)) { -+ if (!secure_mode() && efi_status == EFI_INVALID_PARAMETER) { -+ /* -+ * Make copy failures fatal only if secure_mode is enabled, or -+ * the error was anything else than EFI_INVALID_PARAMETER. -+ * There are non-secureboot firmware implementations that don't -+ * reserve enough EFI variable memory to fit the variable. -+ */ -+ console_print(L"Importing MOK states has failed: %s: %r\n", -+ msgs[msg], efi_status); -+ console_print(L"Continuing boot since secure mode is disabled"); -+ } else if (EFI_ERROR(efi_status)) { - die: - console_print(L"Something has gone seriously wrong: %s: %r\n", - msgs[msg], efi_status); --- -2.21.0 - 
diff --git a/SOURCES/0006-Make-some-things-dprint-instead-of-console_print.patch b/SOURCES/0006-Make-some-things-dprint-instead-of-console_print.patch deleted file mode 100644 index 6fc67a0..0000000 --- a/SOURCES/0006-Make-some-things-dprint-instead-of-console_print.patch +++ /dev/null @@ -1,28 +0,0 @@ -From dad59f8c0f3620f68379a29c3e6badd22681ddc5 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 10 Apr 2018 12:36:34 -0400 -Subject: [PATCH] Make some things dprint() instead of console_print() - -Signed-off-by: Peter Jones ---- - shim.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/shim.c b/shim.c -index 00155346c12..ff0817009cd 100644 ---- a/shim.c -+++ b/shim.c -@@ -2087,8 +2087,8 @@ static int is_our_path(EFI_LOADED_IMAGE *li, CHAR16 *path, UINTN len) - if (!dppath) - return 0; - -- console_print(L"dppath: %s\n", dppath); -- console_print(L"path: %s\n", path); -+ dprint(L"dppath: %s\n", dppath); -+ dprint(L"path: %s\n", path); - if (StrnCaseCmp(dppath, path, len)) - ret = 0; - --- -2.21.0 - diff --git a/SOURCES/0007-shim-Properly-generate-absolute-paths-from-relative-.patch b/SOURCES/0007-shim-Properly-generate-absolute-paths-from-relative-.patch deleted file mode 100644 index b7a4824..0000000 --- a/SOURCES/0007-shim-Properly-generate-absolute-paths-from-relative-.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From a625fa5096ccdf87036379a5cb237bd43516d605 Mon Sep 17 00:00:00 2001 -From: Javier Martinez Canillas -Date: Fri, 7 Sep 2018 14:11:02 +0200 -Subject: [PATCH] shim: Properly generate absolute paths from relative - image paths - -The generate_path_from_image_path() doesn't properly handle the case when -shim is invoked using a relative path (e.g: from the EFI shell). In that -function, always the last component is stripped from absolute file path -to calculate the dirname, and this is concatenated with the image path. - -But if the path is a relative one, the function will wrongly concatenate -the dirname with the relative image path, i.e: - - Shell> FS0: - FS0:\> cd EFI - FS0:\EFI\> BOOT\BOOTX64.EFI - Failed to open \EFI\BOOT\BOOT\BOOTX64.EFI - Not found - Failed to load image \EFI\BOOT\BOOT\BOOTX64.EFI: Not found - start_image() returned Not found - -Calculate the image path basename and concatenate that with the dirname. - -Signed-off-by: Javier Martinez Canillas -Reviewed-by: Maran Wilson maran.wilson@oracle.com -Tested-by: Maran Wilson maran.wilson@oracle.com ---- - shim.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/shim.c b/shim.c -index f29f39214f5..32d2772b279 100644 ---- a/shim.c -+++ b/shim.c -@@ -1640,9 +1640,11 @@ static EFI_STATUS generate_path_from_image_path(EFI_LOADED_IMAGE *li, - bootpath[j] = '\0'; - } - -- while (*ImagePath == '\\') -- ImagePath++; -+ for (i = 0, last = 0; i < StrLen(ImagePath); i++) -+ if (ImagePath[i] == '\\') -+ last = i + 1; - -+ ImagePath = ImagePath + last; - *PathName = AllocatePool(StrSize(bootpath) + StrSize(ImagePath)); - - if (!*PathName) { --- -2.21.0 - diff --git a/SOURCES/0008-shim-Prevent-shim-to-set-itself-as-a-second-stage-lo.patch b/SOURCES/0008-shim-Prevent-shim-to-set-itself-as-a-second-stage-lo.patch deleted file mode 100644 index 4830fd8..0000000 --- a/SOURCES/0008-shim-Prevent-shim-to-set-itself-as-a-second-stage-lo.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -From e563bc3dcd17d91861d3b363ed19d30228f409e1 Mon Sep 17 00:00:00 2001 -From: Javier Martinez Canillas -Date: Fri, 7 Sep 2018 15:10:51 +0200 -Subject: [PATCH] shim: Prevent shim to set itself as a second stage loader - -When shim is invoked from a relative path (e.g: from the UEFI shell), the -Loaded Image handle LoadOptions can be set to the binary relative path. - -But the is_our_path() function only checks if LoadOptions is set to the -absolute path of shim to ignore it. So if a relative path is there, shim -would set itself as the secondary loader and invoke itself in a loop. - -To prevent that, use the path in LoadOptions to calculate the absolute -path and compare it with the one in the Loader Image handle FilePath. - -Resolves: bz#1622485 - -Signed-off-by: Javier Martinez Canillas -Reviewed-by: Maran Wilson maran.wilson@oracle.com -Tested-by: Maran Wilson maran.wilson@oracle.com ---- - shim.c | 17 ++++++++++++++--- - 1 file changed, 14 insertions(+), 3 deletions(-) - -diff --git a/shim.c b/shim.c -index 32d2772b279..8abc0c267cf 100644 ---- a/shim.c -+++ b/shim.c -@@ -2116,21 +2116,32 @@ get_load_option_optional_data(UINT8 *data, UINTN data_size, - return EFI_SUCCESS; - } - --static int is_our_path(EFI_LOADED_IMAGE *li, CHAR16 *path, UINTN len) -+static int is_our_path(EFI_LOADED_IMAGE *li, CHAR16 *path) - { - CHAR16 *dppath = NULL; -+ CHAR16 *PathName = NULL; -+ EFI_STATUS efi_status; - int ret = 1; - - dppath = DevicePathToStr(li->FilePath); - if (!dppath) - return 0; - -+ efi_status = generate_path_from_image_path(li, path, &PathName); -+ if (EFI_ERROR(efi_status)) { -+ perror(L"Unable to generate path %s: %r\n", path, -+ efi_status); -+ goto done; -+ } -+ - dprint(L"dppath: %s\n", dppath); - dprint(L"path: %s\n", path); -- if (StrnCaseCmp(dppath, path, len)) -+ if (StrnCaseCmp(dppath, PathName, strlen(dppath))) - ret = 0; - -+done: - FreePool(dppath); -+ FreePool(PathName); - return ret; - } - -@@ -2319,7 +2330,7 @@ EFI_STATUS 
set_second_stage (EFI_HANDLE image_handle) - - * which is just cruel... So yeah, just don't use it. - */ -- if (strings == 1 && is_our_path(li, start, loader_len)) -+ if (strings == 1 && is_our_path(li, start)) - return EFI_SUCCESS; - - /* --- -2.21.0 - diff --git a/SOURCES/0009-Fix-a-use-of-strlen-instead-of-Strlen.patch b/SOURCES/0009-Fix-a-use-of-strlen-instead-of-Strlen.patch deleted file mode 100644 index dc9d880..0000000 --- a/SOURCES/0009-Fix-a-use-of-strlen-instead-of-Strlen.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 1870bae796022f8bbf60465352eac329ff1d6ffd Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 5 Sep 2019 10:36:23 -0400 -Subject: [PATCH] Fix a use of strlen() instead of Strlen() - -Resolves: rhbz#1817882 - -Signed-off-by: Peter Jones ---- - src/shim.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/shim.c b/shim.c -index 3f131f48572..38f1346da7f 100644 ---- a/shim.c -+++ b/shim.c -@@ -2053,7 +2053,7 @@ static int is_our_path(EFI_LOADED_IMAGE *li, CHAR16 *path) - - dprint(L"dppath: %s\n", dppath); - dprint(L"path: %s\n", path); -- if (StrnCaseCmp(dppath, PathName, strlen(dppath))) -+ if (StrnCaseCmp(dppath, PathName, StrLen(dppath))) - ret = 0; - - done: --- -2.25.1 - diff --git a/SOURCES/0010-translate_slashes-don-t-write-to-string-literals.patch b/SOURCES/0010-translate_slashes-don-t-write-to-string-literals.patch deleted file mode 100644 index edb03aa..0000000 --- a/SOURCES/0010-translate_slashes-don-t-write-to-string-literals.patch +++ /dev/null 
@@ -1,139 +0,0 @@ -From 9813e8bc8b3295f343809fac43298a73a93ffc97 Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek -Date: Tue, 28 Jan 2020 23:33:46 +0100 -Subject: [PATCH] translate_slashes(): don't write to string literals - -Currently, all three invocations of the translate_slashes() function may -lead to writes to the string literal that is #defined with the -DEFAULT_LOADER_CHAR macro. According to ISO C99 6.4.5p6, this is undefined -behavior ("If the program attempts to modify such an array, the behavior -is undefined"). - -This bug crashes shim on e.g. the 64-bit ArmVirtQemu platform ("Data -abort: Permission fault"), where the platform firmware maps the .text -section (which contains the string literal) read-only. - -Modify translate_slashes() so that it copies and translates characters -from an input array of "char" to an output array of "CHAR8". - -While at it, fix another bug. Before this patch, if translate_slashes() -ever encountered a double backslash (translating it to a single forward -slash), then the output would end up shorter than the input. However, the -output was not NUL-terminated in-place, therefore the original string -length (and according trailing garbage) would be preserved. After this -patch, the NUL-termination on contraction is automatic, as the output -array's contents are indeterminate when entering the function, and so we -must NUL-terminate it anyway. 
- -Fixes: 8e9124227d18475d3bc634c33518963fc8db7c98 -Fixes: e62b69a5b0b87c6df7a4fc23906134945309e927 -Fixes: 3d79bcb2651b9eae809b975b3e03e2f96c067072 -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1795654 -Signed-off-by: Laszlo Ersek ---- - include/str.h | 14 ++++++++------ - httpboot.c | 4 ++-- - netboot.c | 16 +++++++++++----- - 3 files changed, 21 insertions(+), 13 deletions(-) - -diff --git a/include/str.h b/include/str.h -index 9a748366bd1..f73c6212cd9 100644 ---- a/include/str.h -+++ b/include/str.h -@@ -45,21 +45,23 @@ strcata(CHAR8 *dest, const CHAR8 *src) - static inline - __attribute__((unused)) - CHAR8 * --translate_slashes(char *str) -+translate_slashes(CHAR8 *out, const char *str) - { - int i; - int j; -- if (str == NULL) -- return (CHAR8 *)str; -+ if (str == NULL || out == NULL) -+ return NULL; - - for (i = 0, j = 0; str[i] != '\0'; i++, j++) { - if (str[i] == '\\') { -- str[j] = '/'; -+ out[j] = '/'; - if (str[i+1] == '\\') - i++; -- } -+ } else -+ out[j] = str[i]; - } -- return (CHAR8 *)str; -+ out[j] = '\0'; -+ return out; - } - - #endif /* SHIM_STR_H */ -diff --git a/httpboot.c b/httpboot.c -index 3622e85867c..2d27e8ed993 100644 ---- a/httpboot.c -+++ b/httpboot.c -@@ -743,14 +743,14 @@ httpboot_fetch_buffer (EFI_HANDLE image, VOID **buffer, UINT64 *buf_size) - { - EFI_STATUS efi_status; - EFI_HANDLE nic; -- CHAR8 *next_loader = NULL; -+ CHAR8 next_loader[sizeof DEFAULT_LOADER_CHAR]; - CHAR8 *next_uri = NULL; - CHAR8 *hostname = NULL; - - if (!uri) - return EFI_NOT_READY; - -- next_loader = translate_slashes(DEFAULT_LOADER_CHAR); -+ translate_slashes(next_loader, DEFAULT_LOADER_CHAR); - - /* Create the URI for the next loader based on the original URI */ - efi_status = generate_next_uri(uri, next_loader, &next_uri); -diff --git a/netboot.c b/netboot.c -index 583fe4bee71..6d293bca9dd 100644 ---- a/netboot.c -+++ b/netboot.c -@@ -189,7 +189,9 @@ static BOOLEAN extract_tftp_info(CHAR8 *url) - CHAR8 *start, *end; - CHAR8 ip6str[40]; - CHAR8 
ip6inv[16]; -- CHAR8 *template = (CHAR8 *)translate_slashes(DEFAULT_LOADER_CHAR); -+ CHAR8 template[sizeof DEFAULT_LOADER_CHAR]; -+ -+ translate_slashes(template, DEFAULT_LOADER_CHAR); - - // to check against str2ip6() errors - memset(ip6inv, 0, sizeof(ip6inv)); -@@ -254,10 +256,14 @@ static EFI_STATUS parseDhcp6() - - static EFI_STATUS parseDhcp4() - { -- CHAR8 *template = (CHAR8 *)translate_slashes(DEFAULT_LOADER_CHAR); -- INTN template_len = strlen(template) + 1; -+ CHAR8 template[sizeof DEFAULT_LOADER_CHAR]; -+ INTN template_len; -+ UINTN template_ofs = 0; - EFI_PXE_BASE_CODE_DHCPV4_PACKET* pkt_v4 = (EFI_PXE_BASE_CODE_DHCPV4_PACKET *)&pxe->Mode->DhcpAck.Dhcpv4; - -+ translate_slashes(template, DEFAULT_LOADER_CHAR); -+ template_len = strlen(template) + 1; -+ - if(pxe->Mode->ProxyOfferReceived) { - /* - * Proxy should not have precedence. Check if DhcpAck -@@ -288,8 +294,8 @@ static EFI_STATUS parseDhcp4() - full_path[dir_len-1] = '\0'; - } - if (dir_len == 0 && dir[0] != '/' && template[0] == '/') -- template++; -- strcata(full_path, template); -+ template_ofs++; -+ strcata(full_path, template + template_ofs); - memcpy(&tftp_addr.v4, pkt_v4->BootpSiAddr, 4); - - return EFI_SUCCESS; --- -2.26.2 - diff --git a/SOURCES/0011-RHEL-9-disable-Wpointer-sign-for-now.patch b/SOURCES/0011-RHEL-9-disable-Wpointer-sign-for-now.patch deleted file mode 100644 index e16a0b0..0000000 --- a/SOURCES/0011-RHEL-9-disable-Wpointer-sign-for-now.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From 7e7fa748c8651ca3d9fdd55f0ad891c816949ff5 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Fri, 6 Aug 2021 16:43:37 -0400 -Subject: [PATCH] RHEL-9: disable -Wpointer-sign for now - -Signed-off-by: Peter Jones ---- - Make.defaults | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/Make.defaults b/Make.defaults -index e11ab5a7f2c..9b28720d186 100644 ---- a/Make.defaults -+++ b/Make.defaults -@@ -42,6 +42,7 @@ EFI_LDS = $(TOPDIR)/elf_$(ARCH)_efi.lds - CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ - -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \ - -Werror=sign-compare -ffreestanding -std=gnu89 \ -+ -Wno-pointer-sign -Wno-address-of-packed-member \ - -I$(shell $(CC) -print-file-name=include) \ - "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \ - "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \ --- -2.31.1 - diff --git a/SOURCES/almalinux-sb-cert-1.der b/SOURCES/almalinux-sb-cert-1.der new file mode 100644 index 0000000..6a4e99b Binary files /dev/null and b/SOURCES/almalinux-sb-cert-1.der differ diff --git a/SOURCES/almalinux-sb-cert-2.der b/SOURCES/almalinux-sb-cert-2.der new file mode 100644 index 0000000..fad6c2c Binary files /dev/null and b/SOURCES/almalinux-sb-cert-2.der differ diff --git a/SOURCES/almalinux-sb-cert-3.der b/SOURCES/almalinux-sb-cert-3.der new file mode 100644 index 0000000..d086cd5 Binary files /dev/null and b/SOURCES/almalinux-sb-cert-3.der differ diff --git a/SOURCES/clsecureboot001.cer b/SOURCES/clsecureboot001.cer deleted file mode 100644 index ca9ce5d..0000000 Binary files a/SOURCES/clsecureboot001.cer and /dev/null differ diff --git a/SOURCES/sbat.almalinux.csv b/SOURCES/sbat.almalinux.csv new file mode 100644 index 0000000..f2496f1 --- /dev/null +++ b/SOURCES/sbat.almalinux.csv @@ -0,0 +1 @@ +shim.almalinux,3,AlmaLinux,shim,15.8,security@almalinux.org 
diff --git a/SOURCES/shim-15.8.tar.bz2 b/SOURCES/shim-15.8.tar.bz2
new file mode 100644
index 0000000..4e1f3ad
Binary files /dev/null and b/SOURCES/shim-15.8.tar.bz2 differ
diff --git a/SOURCES/shim.patches b/SOURCES/shim.patches
new file mode 100644
index 0000000..e69de29
diff --git a/SPECS/shim-unsigned-aarch64.spec b/SPECS/shim-unsigned-aarch64.spec
index a1f31f1..169b14f 100644
--- a/SPECS/shim-unsigned-aarch64.spec
+++ b/SPECS/shim-unsigned-aarch64.spec
@@ -15,38 +15,35 @@ %global shimdir %{shimversiondir}/%{efiarch} Name: shim-unsigned-aarch64 -Version: 15 -Release: 6%{?dist}.alma +Version: 15.8 +Release: 2.el9.alma.1 Summary: First-stage UEFI bootloader ExclusiveArch: aarch64 License: BSD URL: https://github.com/rhboot/shim Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2 -Source1: clsecureboot001.cer # currently here's what's in our dbx: # nothing. Source2: dbx.esl +Source3: sbat.almalinux.csv +Source4: shim.patches Source100: shim-find-debuginfo.sh -Patch0001: 0001-Make-sure-that-MOK-variables-always-get-mirrored.patch -Patch0002: 0002-mok-fix-the-mirroring-of-RT-variables.patch -Patch0003: 0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch -Patch0004: 0004-Make-VLogError-behave-as-expected.patch -Patch0005: 0005-Make-EFI-variable-copying-fatal-only-on-secureboot-e.patch -Patch0006: 0006-Make-some-things-dprint-instead-of-console_print.patch -Patch0007: 0007-shim-Properly-generate-absolute-paths-from-relative-.patch -Patch0008: 0008-shim-Prevent-shim-to-set-itself-as-a-second-stage-lo.patch -Patch0009: 0009-Fix-a-use-of-strlen-instead-of-Strlen.patch -Patch0010: 0010-translate_slashes-don-t-write-to-string-literals.patch -Patch0011: 0011-RHEL-9-disable-Wpointer-sign-for-now.patch +Source101: almalinux-sb-cert-1.der +Source102: almalinux-sb-cert-2.der +Source103: almalinux-sb-cert-3.der + +%include %{SOURCE4} BuildRequires: gcc make BuildRequires: elfutils-libelf-devel BuildRequires: git openssl-devel openssl BuildRequires: pesign >= %{pesign_vre} -BuildRequires: gnu-efi >= %{gnuefi_vre} -BuildRequires: gnu-efi-devel >= %{gnuefi_vre} +BuildRequires: dos2unix findutils +BuildRequires: efitools +BuildRequires: gcc-toolset-12-binutils +BuildRequires: gcc-toolset-12-gcc # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not # compatible with SysV (there's no red zone under UEFI) and there isn't a 
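Review bot: `Source101`–`Source103` add three DER certificates that the %build section later converts into `vendor_db.esl`, yet nothing in the preamble says which key each file holds or how to check it. Because these files become the vendor trust anchors of the boot chain, I would add a comment above them such as `# Source101-103: AlmaLinux Secure Boot certificates embedded as vendor_db; SHA-256 fingerprints: <FINGERPRINT-1>, <FINGERPRINT-2>, <FINGERPRINT-3>` so a reviewer can compare the binaries against a published value. The same applies to `%include %{SOURCE4}`: the included `shim.patches` is empty in this commit, and a short comment saying that it is the intended place for future `Patch:` lines would explain why it exists. The preamble continues outside this hunk.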
@@ -85,37 +82,61 @@ BuildArch: noarch %debug_desc %prep -%autosetup -S git -n shim-%{version} +%autosetup -S git_am -n shim-%{version} +%if 0%{?rhel} == 8 || 0%{?rhel} == 9 +source scl_source enable gcc-toolset-12 || : +%endif git config --unset user.email git config --unset user.name mkdir build-%{efiarch} +cp %{SOURCE3} data/ %build -COMMITID=$(cat commit) -MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} " +# Prepare vendor_db.esl file +openssl x509 -inform DER -in %{SOURCE101} -out 01.pem +openssl x509 -inform DER -in %{SOURCE102} -out 02.pem +openssl x509 -inform DER -in %{SOURCE103} -out 03.pem +cert-to-efi-sig-list -g 9DD8A2AC-0977-4AEF-99A0-E794FD2A31FE 01.pem 01.esl +cert-to-efi-sig-list -g 33D81FE3-5EC0-44F8-AB02-C9DA554F63D8 02.pem 02.esl +cert-to-efi-sig-list -g 50413300-1AC7-49DA-B755-BB0D93E634B6 03.pem 03.esl +cat 01.esl 02.esl 03.esl > vendor_db.esl + +%if 0%{?rhel} == 8 || 0%{?rhel} == 9 +source scl_source enable gcc-toolset-12 || : +%endif + +COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6 +MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} " MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " -MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true " +MAKEFLAGS+="ENABLE_SHIM_HASH=true " +MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 " MAKEFLAGS+="%{_smp_mflags}" -if [ -f "%{SOURCE1}" ]; then - MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" +if [ -s vendor_db.esl ]; then + MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=../vendor_db.esl" fi -if [ -f "%{SOURCE2}" ]; then +if [ -s "%{SOURCE2}" ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}" fi cd build-%{efiarch} -make ${MAKEFLAGS} DEFAULT_LOADER='\\\\grub%{efiarch}.efi' all +make ${MAKEFLAGS} \ + DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \ + all cd .. %install -COMMITID=$(cat commit) -MAKEFLAGS="TOPDIR=.. 
-f ../Makefile COMMITID=${COMMITID} " +%if 0%{?rhel} == 8 || 0%{?rhel} == 9 +source scl_source enable gcc-toolset-12 || : +%endif +COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6 +MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} " MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true " -if [ -f "%{SOURCE1}" ]; then - MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" +MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 " +if [ -s vendor_db.esl ]; then + MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=../vendor_db.esl" fi -if [ -f "%{SOURCE2}" ]; then +if [ -s "%{SOURCE2}" ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}" fi 
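Review bot: %build and %install no longer pass the same MAKEFLAGS: the new %build line is `MAKEFLAGS+="ENABLE_SHIM_HASH=true "` while %install still sets `ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true`. If the install target re-evaluates its prerequisites under the different option set (the Makefile is not visible here), the binary that is installed and presumably signed later may not be the one %build produced, so both sections should use the identical line, ideally from one shared definition together with the duplicated `COMMIT_ID`. Separately, `source scl_source enable gcc-toolset-12 || :` hides a failure to enable the toolset, and the `[ -s vendor_db.esl ]` test lets the build continue without a vendor DB; for a Secure Boot component both conditions should stop the build, e.g. `[ -s vendor_db.esl ] || exit 1`. The three owner GUIDs passed to `cert-to-efi-sig-list` also deserve a one-line comment stating where they come from.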
@@ -131,52 +152,84 @@ cd .. %dir %{shimrootdir} %dir %{shimversiondir} %dir %{shimdir} +%{shimdir}/*.CSV %{shimdir}/*.efi %{shimdir}/*.hash + %files debuginfo -f build-%{efiarch}/debugfiles.list %files debugsource -f build-%{efiarch}/debugsource.list %changelog -* Thu May 18 2022 Eduard Abdullin - 15-6.alma +* Fri May 10 2024 Eduard Abdullin - 15.8-2.el9.alma.1 - Use AlmaLinux cert +- Use gcc-toolset-12 -* Tue May 26 2020 Javier Martinez Canillas - 15-6 -- Fix a shim crash when attempting to netboot - Resolves: rhbz#1840036 +* Wed Feb 07 2024 Peter Jones - 15.8-2.el9 +- Rebuild to fix the commit ident and MAKEFLAGS + Resolves: RHEL-11259 -* Mon May 04 2020 Javier Martinez Canillas - 15-5 -- Fix firmware update bug in aarch64 caused by shim ignoring arguments - Resolves: rhbz#1817882 +* Tue Dec 05 2023 Peter Jones - 15.8-1.el9 +- Update to shim-15.8 for CVE-2023-40547 + Resolves: RHEL-11259 -* Fri Jun 07 2019 Javier Martinez Canillas - 15-4 -- Add a gating.yaml file so the package can be properly gated - Related: rhbz#1682749 +* Wed Jun 01 2022 Peter Jones - 15.6-1.el9 +- Update to shim-15.6 + Resolves: CVE-2022-28737 + +* Thu Sep 17 2020 Peter Jones - 15-9.el9 +- Fix an incorrect allocation size. + Related: rhbz#1877253 + +* Thu Jul 30 2020 Peter Jones - 15-8 +- Fix a load-address-dependent forever loop. + Resolves: rhbz#1861977 + Related: CVE-2020-10713 + Related: CVE-2020-14308 + Related: CVE-2020-14309 + Related: CVE-2020-14310 + Related: CVE-2020-14311 + Related: CVE-2020-15705 + Related: CVE-2020-15706 + Related: CVE-2020-15707 + +* Sat Jul 25 2020 Peter Jones - 15-7 +- Implement Lenny's workaround + Related: CVE-2020-10713 + Related: CVE-2020-14308 + Related: CVE-2020-14309 + Related: CVE-2020-14310 + Related: CVE-2020-14311 + +* Fri Jul 24 2020 Peter Jones - 15-5 +- Once more with the MokListRT config table patch added. 
+ Related: CVE-2020-10713 + Related: CVE-2020-14308 + Related: CVE-2020-14309 + Related: CVE-2020-14310 + Related: CVE-2020-14311 + +* Thu Jul 23 2020 Peter Jones - 15-4 +- Rebuild for bug fixes and new signing keys + Related: CVE-2020-10713 + Related: CVE-2020-14308 + Related: CVE-2020-14309 + Related: CVE-2020-14310 + Related: CVE-2020-14311 * Wed Jun 05 2019 Javier Martinez Canillas - 15-3 - Make EFI variable copying fatal only on secureboot enabled systems - Resolves: rhbz#1704854 + Resolves: rhbz#1715878 - Fix booting shim from an EFI shell using a relative path - Resolves: rhbz#1717063 + Resolves: rhbz#1717064 * Tue Feb 12 2019 Peter Jones - 15-2 - Fix MoK mirroring issue which breaks kdump without intervention Related: rhbz#1668966 -* Thu Apr 05 2018 Peter Jones - 15-1 +* Fri Jul 20 2018 Peter Jones - 15-1 - Update to shim 15 -- better checking for bad linker output -- flicker-free console if there's no error output -- improved http boot support -- better protocol re-installation -- dhcp proxy support -- tpm measurement even when verification is disabled -- REQUIRE_TPM build flag -- more reproducable builds -- measurement of everything verified through shim_verify() -- coverity and scan-build checker make targets -- misc cleanups * Tue Sep 19 2017 Peter Jones - 13-3 - Actually update to the *real* 13 final. 
@@ -185,17 +238,7 @@ cd .. * Thu Aug 31 2017 Peter Jones - 13-2 - Actually update to 13 final. -* Mon Aug 21 2017 Peter Jones - 13-0.1 -- Update to shim-13 test release. - -* Thu Aug 03 2017 Fedora Release Engineering - 0.9-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - -* Thu Jul 27 2017 Fedora Release Engineering - 0.9-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Sat Feb 11 2017 Fedora Release Engineering - 0.9-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Thu May 12 2016 Peter Jones - - 0.9-1 -- Initial split up of -aarch64 +* Fri Aug 18 2017 Peter Jones - 13-1 +- Make a new shim-unsigned-x64 package like the shim-unsigned-aarch64 one. +- This will (eventually) supersede what's in the "shim" package so we can + make "shim" hold the signed one, which will confuse fewer people.