Auto sync2gitlab import of shim-unsigned-aarch64-15-4.el8.src.rpm
This commit is contained in:
parent
d89ae62006
commit
e687d0d4f0
3
.gitignore
vendored
Normal file
3
.gitignore
vendored
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
/dbx.esl
|
||||||
|
/securebootca.cer
|
||||||
|
/shim-15.tar.bz2
|
60
0001-Make-sure-that-MOK-variables-always-get-mirrored.patch
Normal file
60
0001-Make-sure-that-MOK-variables-always-get-mirrored.patch
Normal file
@ -0,0 +1,60 @@
|
|||||||
|
From 9ab0d796bdc9cefdaa3b0df7434845d26c43d894 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Patrick Uiterwijk <patrick@puiterwijk.org>
|
||||||
|
Date: Mon, 5 Nov 2018 14:51:16 +0100
|
||||||
|
Subject: [PATCH 1/3] Make sure that MOK variables always get mirrored
|
||||||
|
|
||||||
|
Without this, if a Mok variable doesn't exist in Boot Services, it will also
|
||||||
|
not be copied to Runtime, even if we have data to be added to it (vendor cert).
|
||||||
|
This patch makes sure that if we have extra data to append, we still mirror
|
||||||
|
the variable.
|
||||||
|
|
||||||
|
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
|
||||||
|
---
|
||||||
|
mok.c | 20 ++++++++++++++++----
|
||||||
|
1 file changed, 16 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/mok.c b/mok.c
|
||||||
|
index 38675211e0e..00dd1ad3034 100644
|
||||||
|
--- a/mok.c
|
||||||
|
+++ b/mok.c
|
||||||
|
@@ -223,11 +223,26 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
|
||||||
|
UINT32 attrs = 0;
|
||||||
|
BOOLEAN delete = FALSE, present, addend;
|
||||||
|
|
||||||
|
+ addend = (v->addend_source && v->addend_size &&
|
||||||
|
+ *v->addend_source && *v->addend_size)
|
||||||
|
+ ? TRUE : FALSE;
|
||||||
|
+
|
||||||
|
efi_status = get_variable_attr(v->name,
|
||||||
|
&v->data, &v->data_size,
|
||||||
|
*v->guid, &attrs);
|
||||||
|
- if (efi_status == EFI_NOT_FOUND)
|
||||||
|
+ if (efi_status == EFI_NOT_FOUND) {
|
||||||
|
+ if (v->rtname && addend) {
|
||||||
|
+ efi_status = mirror_one_mok_variable(v);
|
||||||
|
+ if (EFI_ERROR(efi_status) &&
|
||||||
|
+ ret != EFI_SECURITY_VIOLATION)
|
||||||
|
+ ret = efi_status;
|
||||||
|
+ }
|
||||||
|
+ /*
|
||||||
|
+ * after possibly adding, we can continue, no
|
||||||
|
+ * further checks to be done.
|
||||||
|
+ */
|
||||||
|
continue;
|
||||||
|
+ }
|
||||||
|
if (EFI_ERROR(efi_status)) {
|
||||||
|
perror(L"Could not verify %s: %r\n", v->name,
|
||||||
|
efi_status);
|
||||||
|
@@ -272,9 +287,6 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
|
||||||
|
}
|
||||||
|
|
||||||
|
present = (v->data && v->data_size) ? TRUE : FALSE;
|
||||||
|
- addend = (v->addend_source && v->addend_size &&
|
||||||
|
- *v->addend_source && *v->addend_size)
|
||||||
|
- ? TRUE : FALSE;
|
||||||
|
|
||||||
|
if (v->flags & MOK_VARIABLE_MEASURE && present) {
|
||||||
|
/*
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
49
0002-mok-fix-the-mirroring-of-RT-variables.patch
Normal file
49
0002-mok-fix-the-mirroring-of-RT-variables.patch
Normal file
@ -0,0 +1,49 @@
|
|||||||
|
From 4b27ae034ba9885960e72f77b3f687a9b7fea824 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gary Lin <glin@suse.com>
|
||||||
|
Date: Wed, 21 Nov 2018 12:47:43 +0800
|
||||||
|
Subject: [PATCH 2/3] mok: fix the mirroring of RT variables
|
||||||
|
|
||||||
|
When there is no key in MokList, import_mok_state() just skipped MokList
|
||||||
|
even though it should always mirror the vendor cert. Besides, the faulty
|
||||||
|
check of 'present' and 'addend' invalidates the mirroring of MokListXRT,
|
||||||
|
MokSBStateRT, and MokIgnoreDB.
|
||||||
|
|
||||||
|
https://github.com/rhboot/shim/issues/154
|
||||||
|
|
||||||
|
Signed-off-by: Gary Lin <glin@suse.com>
|
||||||
|
---
|
||||||
|
mok.c | 11 ++++-------
|
||||||
|
1 file changed, 4 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/mok.c b/mok.c
|
||||||
|
index 00dd1ad3034..41925abbb49 100644
|
||||||
|
--- a/mok.c
|
||||||
|
+++ b/mok.c
|
||||||
|
@@ -231,12 +231,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
|
||||||
|
&v->data, &v->data_size,
|
||||||
|
*v->guid, &attrs);
|
||||||
|
if (efi_status == EFI_NOT_FOUND) {
|
||||||
|
- if (v->rtname && addend) {
|
||||||
|
- efi_status = mirror_one_mok_variable(v);
|
||||||
|
- if (EFI_ERROR(efi_status) &&
|
||||||
|
- ret != EFI_SECURITY_VIOLATION)
|
||||||
|
- ret = efi_status;
|
||||||
|
- }
|
||||||
|
+ if (addend)
|
||||||
|
+ goto mirror_addend;
|
||||||
|
/*
|
||||||
|
* after possibly adding, we can continue, no
|
||||||
|
* further checks to be done.
|
||||||
|
@@ -316,7 +312,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (v->rtname && present && addend) {
|
||||||
|
+mirror_addend:
|
||||||
|
+ if (v->rtname && (present || addend)) {
|
||||||
|
if (v->flags & MOK_MIRROR_DELETE_FIRST)
|
||||||
|
LibDeleteVariable(v->rtname, v->guid);
|
||||||
|
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
109
0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch
Normal file
109
0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch
Normal file
@ -0,0 +1,109 @@
|
|||||||
|
From 29c11483101b460869a5e0dba1f425073862127d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Thu, 31 Jan 2019 13:45:30 -0500
|
||||||
|
Subject: [PATCH 3/3] mok: consolidate mirroring code in a helper instead of
|
||||||
|
using goto
|
||||||
|
|
||||||
|
There's no reason to complicate the logic with a goto here, instead just
|
||||||
|
pull the logic we're jumping to out to a helper function.
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
mok.c | 41 ++++++++++++++++++++++++++++-------------
|
||||||
|
shim.h | 2 ++
|
||||||
|
2 files changed, 30 insertions(+), 13 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/mok.c b/mok.c
|
||||||
|
index 41925abbb49..2f495e6cf25 100644
|
||||||
|
--- a/mok.c
|
||||||
|
+++ b/mok.c
|
||||||
|
@@ -130,7 +130,8 @@ struct mok_state_variable mok_state_variables[] = {
|
||||||
|
{ NULL, }
|
||||||
|
};
|
||||||
|
|
||||||
|
-static EFI_STATUS mirror_one_mok_variable(struct mok_state_variable *v)
|
||||||
|
+static EFI_STATUS nonnull(1)
|
||||||
|
+mirror_one_mok_variable(struct mok_state_variable *v)
|
||||||
|
{
|
||||||
|
EFI_STATUS efi_status = EFI_SUCCESS;
|
||||||
|
void *FullData = NULL;
|
||||||
|
@@ -196,6 +197,29 @@ static EFI_STATUS mirror_one_mok_variable(struct mok_state_variable *v)
|
||||||
|
return efi_status;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * Mirror a variable if it has an rtname, and preserve any
|
||||||
|
+ * EFI_SECURITY_VIOLATION status at the same time.
|
||||||
|
+ */
|
||||||
|
+static EFI_STATUS nonnull(1)
|
||||||
|
+maybe_mirror_one_mok_variable(struct mok_state_variable *v, EFI_STATUS ret)
|
||||||
|
+{
|
||||||
|
+ EFI_STATUS efi_status;
|
||||||
|
+ if (v->rtname) {
|
||||||
|
+ if (v->flags & MOK_MIRROR_DELETE_FIRST)
|
||||||
|
+ LibDeleteVariable(v->rtname, v->guid);
|
||||||
|
+
|
||||||
|
+ efi_status = mirror_one_mok_variable(v);
|
||||||
|
+ if (EFI_ERROR(efi_status)) {
|
||||||
|
+ if (ret != EFI_SECURITY_VIOLATION)
|
||||||
|
+ ret = efi_status;
|
||||||
|
+ perror(L"Could not create %s: %r\n", v->rtname,
|
||||||
|
+ efi_status);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* Verify our non-volatile MoK state. This checks the variables above
|
||||||
|
* accessable and have valid attributes. If they don't, it removes
|
||||||
|
@@ -232,7 +256,7 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
|
||||||
|
*v->guid, &attrs);
|
||||||
|
if (efi_status == EFI_NOT_FOUND) {
|
||||||
|
if (addend)
|
||||||
|
- goto mirror_addend;
|
||||||
|
+ ret = maybe_mirror_one_mok_variable(v, ret);
|
||||||
|
/*
|
||||||
|
* after possibly adding, we can continue, no
|
||||||
|
* further checks to be done.
|
||||||
|
@@ -312,16 +336,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
-mirror_addend:
|
||||||
|
- if (v->rtname && (present || addend)) {
|
||||||
|
- if (v->flags & MOK_MIRROR_DELETE_FIRST)
|
||||||
|
- LibDeleteVariable(v->rtname, v->guid);
|
||||||
|
-
|
||||||
|
- efi_status = mirror_one_mok_variable(v);
|
||||||
|
- if (EFI_ERROR(efi_status) &&
|
||||||
|
- ret != EFI_SECURITY_VIOLATION)
|
||||||
|
- ret = efi_status;
|
||||||
|
- }
|
||||||
|
+ if (present)
|
||||||
|
+ ret = maybe_mirror_one_mok_variable(v, ret);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
@@ -340,4 +356,4 @@ mirror_addend:
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
-// vim:fenc=utf-8:tw=75
|
||||||
|
+// vim:fenc=utf-8:tw=75:noet
|
||||||
|
diff --git a/shim.h b/shim.h
|
||||||
|
index 2b359d821e3..c26d5f06538 100644
|
||||||
|
--- a/shim.h
|
||||||
|
+++ b/shim.h
|
||||||
|
@@ -30,6 +30,8 @@
|
||||||
|
|
||||||
|
#include <stddef.h>
|
||||||
|
|
||||||
|
+#define nonnull(...) __attribute__((__nonnull__(__VA_ARGS__)))
|
||||||
|
+
|
||||||
|
#define min(a, b) ({(a) < (b) ? (a) : (b);})
|
||||||
|
|
||||||
|
#ifdef __x86_64__
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
50
0004-Make-VLogError-behave-as-expected.patch
Normal file
50
0004-Make-VLogError-behave-as-expected.patch
Normal file
@ -0,0 +1,50 @@
|
|||||||
|
From 0bff94b170116737e6e0838c35c0ac376542a5c0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Tue, 12 Feb 2019 18:04:49 -0500
|
||||||
|
Subject: [PATCH 4/4] Make VLogError() behave as expected.
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
errlog.c | 15 +++------------
|
||||||
|
1 file changed, 3 insertions(+), 12 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/errlog.c b/errlog.c
|
||||||
|
index 18be4822d53..eebb266d396 100644
|
||||||
|
--- a/errlog.c
|
||||||
|
+++ b/errlog.c
|
||||||
|
@@ -14,29 +14,20 @@ EFI_STATUS
|
||||||
|
VLogError(const char *file, int line, const char *func, CHAR16 *fmt, va_list args)
|
||||||
|
{
|
||||||
|
va_list args2;
|
||||||
|
- UINTN size = 0, size2;
|
||||||
|
CHAR16 **newerrs;
|
||||||
|
|
||||||
|
- size = SPrint(NULL, 0, L"%a:%d %a() ", file, line, func);
|
||||||
|
- va_copy(args2, args);
|
||||||
|
- size2 = VSPrint(NULL, 0, fmt, args2);
|
||||||
|
- va_end(args2);
|
||||||
|
-
|
||||||
|
newerrs = ReallocatePool(errs, (nerrs + 1) * sizeof(*errs),
|
||||||
|
(nerrs + 3) * sizeof(*errs));
|
||||||
|
if (!newerrs)
|
||||||
|
return EFI_OUT_OF_RESOURCES;
|
||||||
|
|
||||||
|
- newerrs[nerrs] = AllocatePool(size*2+2);
|
||||||
|
+ newerrs[nerrs] = PoolPrint(L"%a:%d %a() ", file, line, func);
|
||||||
|
if (!newerrs[nerrs])
|
||||||
|
return EFI_OUT_OF_RESOURCES;
|
||||||
|
- newerrs[nerrs+1] = AllocatePool(size2*2+2);
|
||||||
|
+ va_copy(args2, args);
|
||||||
|
+ newerrs[nerrs+1] = VPoolPrint(fmt, args2);
|
||||||
|
if (!newerrs[nerrs+1])
|
||||||
|
return EFI_OUT_OF_RESOURCES;
|
||||||
|
-
|
||||||
|
- SPrint(newerrs[nerrs], size*2+2, L"%a:%d %a() ", file, line, func);
|
||||||
|
- va_copy(args2, args);
|
||||||
|
- VSPrint(newerrs[nerrs+1], size2*2+2, fmt, args2);
|
||||||
|
va_end(args2);
|
||||||
|
|
||||||
|
nerrs += 2;
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
@ -0,0 +1,47 @@
|
|||||||
|
From 741c61abba7d5c74166f8d0c1b9ee8001ebcd186 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Patrick Uiterwijk <patrick@puiterwijk.org>
|
||||||
|
Date: Thu, 6 Dec 2018 10:08:45 +0100
|
||||||
|
Subject: [PATCH] Make EFI variable copying fatal only on secureboot enabled
|
||||||
|
systems
|
||||||
|
|
||||||
|
I have come across systems that are unwilling to reserve enough memory for
|
||||||
|
a MokListRT big enough for big certificates.
|
||||||
|
This seems to be the case with firmware implementations that do not support
|
||||||
|
secureboot, which is probably the reason they went with much lower variable
|
||||||
|
storage.
|
||||||
|
|
||||||
|
This patch set makes sure we can still boot on those systems, by only
|
||||||
|
making the copy action fatal if the system has secure boot enabled, or if
|
||||||
|
the error was anything other than EFI_INVALID_PARAMETER.
|
||||||
|
|
||||||
|
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
|
||||||
|
---
|
||||||
|
shim.c | 12 +++++++++++-
|
||||||
|
1 file changed, 11 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/shim.c b/shim.c
|
||||||
|
index 7d25ad6fe70..aee4727fe67 100644
|
||||||
|
--- a/shim.c
|
||||||
|
+++ b/shim.c
|
||||||
|
@@ -2639,7 +2639,17 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
|
||||||
|
* boot-services-only state variables are what we think they are.
|
||||||
|
*/
|
||||||
|
efi_status = import_mok_state(image_handle);
|
||||||
|
- if (EFI_ERROR(efi_status)) {
|
||||||
|
+ if (!secure_mode() && efi_status == EFI_INVALID_PARAMETER) {
|
||||||
|
+ /*
|
||||||
|
+ * Make copy failures fatal only if secure_mode is enabled, or
|
||||||
|
+ * the error was anything else than EFI_INVALID_PARAMETER.
|
||||||
|
+ * There are non-secureboot firmware implementations that don't
|
||||||
|
+ * reserve enough EFI variable memory to fit the variable.
|
||||||
|
+ */
|
||||||
|
+ console_print(L"Importing MOK states has failed: %s: %r\n",
|
||||||
|
+ msgs[msg], efi_status);
|
||||||
|
+ console_print(L"Continuing boot since secure mode is disabled");
|
||||||
|
+ } else if (EFI_ERROR(efi_status)) {
|
||||||
|
die:
|
||||||
|
console_print(L"Something has gone seriously wrong: %s: %r\n",
|
||||||
|
msgs[msg], efi_status);
|
||||||
|
--
|
||||||
|
2.21.0
|
||||||
|
|
28
0006-Make-some-things-dprint-instead-of-console_print.patch
Normal file
28
0006-Make-some-things-dprint-instead-of-console_print.patch
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
From dad59f8c0f3620f68379a29c3e6badd22681ddc5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Tue, 10 Apr 2018 12:36:34 -0400
|
||||||
|
Subject: [PATCH] Make some things dprint() instead of console_print()
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
---
|
||||||
|
shim.c | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/shim.c b/shim.c
|
||||||
|
index 00155346c12..ff0817009cd 100644
|
||||||
|
--- a/shim.c
|
||||||
|
+++ b/shim.c
|
||||||
|
@@ -2087,8 +2087,8 @@ static int is_our_path(EFI_LOADED_IMAGE *li, CHAR16 *path, UINTN len)
|
||||||
|
if (!dppath)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
- console_print(L"dppath: %s\n", dppath);
|
||||||
|
- console_print(L"path: %s\n", path);
|
||||||
|
+ dprint(L"dppath: %s\n", dppath);
|
||||||
|
+ dprint(L"path: %s\n", path);
|
||||||
|
if (StrnCaseCmp(dppath, path, len))
|
||||||
|
ret = 0;
|
||||||
|
|
||||||
|
--
|
||||||
|
2.21.0
|
||||||
|
|
@ -0,0 +1,51 @@
|
|||||||
|
From a625fa5096ccdf87036379a5cb237bd43516d605 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Javier Martinez Canillas <javierm@redhat.com>
|
||||||
|
Date: Fri, 7 Sep 2018 14:11:02 +0200
|
||||||
|
Subject: [PATCH] shim: Properly generate absolute paths from relative
|
||||||
|
image paths
|
||||||
|
|
||||||
|
The generate_path_from_image_path() doesn't properly handle the case when
|
||||||
|
shim is invoked using a relative path (e.g: from the EFI shell). In that
|
||||||
|
function, always the last component is stripped from absolute file path
|
||||||
|
to calculate the dirname, and this is concatenated with the image path.
|
||||||
|
|
||||||
|
But if the path is a relative one, the function will wrongly concatenate
|
||||||
|
the dirname with the relative image path, i.e:
|
||||||
|
|
||||||
|
Shell> FS0:
|
||||||
|
FS0:\> cd EFI
|
||||||
|
FS0:\EFI\> BOOT\BOOTX64.EFI
|
||||||
|
Failed to open \EFI\BOOT\BOOT\BOOTX64.EFI - Not found
|
||||||
|
Failed to load image \EFI\BOOT\BOOT\BOOTX64.EFI: Not found
|
||||||
|
start_image() returned Not found
|
||||||
|
|
||||||
|
Calculate the image path basename and concatenate that with the dirname.
|
||||||
|
|
||||||
|
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
||||||
|
Reviewed-by: Maran Wilson maran.wilson@oracle.com
|
||||||
|
Tested-by: Maran Wilson maran.wilson@oracle.com
|
||||||
|
---
|
||||||
|
shim.c | 6 ++++--
|
||||||
|
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/shim.c b/shim.c
|
||||||
|
index f29f39214f5..32d2772b279 100644
|
||||||
|
--- a/shim.c
|
||||||
|
+++ b/shim.c
|
||||||
|
@@ -1640,9 +1640,11 @@ static EFI_STATUS generate_path_from_image_path(EFI_LOADED_IMAGE *li,
|
||||||
|
bootpath[j] = '\0';
|
||||||
|
}
|
||||||
|
|
||||||
|
- while (*ImagePath == '\\')
|
||||||
|
- ImagePath++;
|
||||||
|
+ for (i = 0, last = 0; i < StrLen(ImagePath); i++)
|
||||||
|
+ if (ImagePath[i] == '\\')
|
||||||
|
+ last = i + 1;
|
||||||
|
|
||||||
|
+ ImagePath = ImagePath + last;
|
||||||
|
*PathName = AllocatePool(StrSize(bootpath) + StrSize(ImagePath));
|
||||||
|
|
||||||
|
if (!*PathName) {
|
||||||
|
--
|
||||||
|
2.21.0
|
||||||
|
|
@ -0,0 +1,75 @@
|
|||||||
|
From e563bc3dcd17d91861d3b363ed19d30228f409e1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Javier Martinez Canillas <javierm@redhat.com>
|
||||||
|
Date: Fri, 7 Sep 2018 15:10:51 +0200
|
||||||
|
Subject: [PATCH] shim: Prevent shim to set itself as a second stage loader
|
||||||
|
|
||||||
|
When shim is invoked from a relative path (e.g: from the UEFI shell), the
|
||||||
|
Loaded Image handle LoadOptions can be set to the binary relative path.
|
||||||
|
|
||||||
|
But the is_our_path() function only checks if LoadOptions is set to the
|
||||||
|
absolute path of shim to ignore it. So if a relative path is there, shim
|
||||||
|
would set itself as the secondary loader and invoke itself in a loop.
|
||||||
|
|
||||||
|
To prevent that, use the path in LoadOptions to calculate the absolute
|
||||||
|
path and compare it with the one in the Loader Image handle FilePath.
|
||||||
|
|
||||||
|
Resolves: bz#1622485
|
||||||
|
|
||||||
|
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
||||||
|
Reviewed-by: Maran Wilson maran.wilson@oracle.com
|
||||||
|
Tested-by: Maran Wilson maran.wilson@oracle.com
|
||||||
|
---
|
||||||
|
shim.c | 17 ++++++++++++++---
|
||||||
|
1 file changed, 14 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/shim.c b/shim.c
|
||||||
|
index 32d2772b279..8abc0c267cf 100644
|
||||||
|
--- a/shim.c
|
||||||
|
+++ b/shim.c
|
||||||
|
@@ -2116,21 +2116,32 @@ get_load_option_optional_data(UINT8 *data, UINTN data_size,
|
||||||
|
return EFI_SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static int is_our_path(EFI_LOADED_IMAGE *li, CHAR16 *path, UINTN len)
|
||||||
|
+static int is_our_path(EFI_LOADED_IMAGE *li, CHAR16 *path)
|
||||||
|
{
|
||||||
|
CHAR16 *dppath = NULL;
|
||||||
|
+ CHAR16 *PathName = NULL;
|
||||||
|
+ EFI_STATUS efi_status;
|
||||||
|
int ret = 1;
|
||||||
|
|
||||||
|
dppath = DevicePathToStr(li->FilePath);
|
||||||
|
if (!dppath)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
+ efi_status = generate_path_from_image_path(li, path, &PathName);
|
||||||
|
+ if (EFI_ERROR(efi_status)) {
|
||||||
|
+ perror(L"Unable to generate path %s: %r\n", path,
|
||||||
|
+ efi_status);
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
dprint(L"dppath: %s\n", dppath);
|
||||||
|
dprint(L"path: %s\n", path);
|
||||||
|
- if (StrnCaseCmp(dppath, path, len))
|
||||||
|
+ if (StrnCaseCmp(dppath, PathName, strlen(dppath)))
|
||||||
|
ret = 0;
|
||||||
|
|
||||||
|
+done:
|
||||||
|
FreePool(dppath);
|
||||||
|
+ FreePool(PathName);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -2319,7 +2330,7 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle)
|
||||||
|
|
||||||
|
* which is just cruel... So yeah, just don't use it.
|
||||||
|
*/
|
||||||
|
- if (strings == 1 && is_our_path(li, start, loader_len))
|
||||||
|
+ if (strings == 1 && is_our_path(li, start))
|
||||||
|
return EFI_SUCCESS;
|
||||||
|
|
||||||
|
/*
|
||||||
|
--
|
||||||
|
2.21.0
|
||||||
|
|
90
shim-find-debuginfo.sh
Executable file
90
shim-find-debuginfo.sh
Executable file
@ -0,0 +1,90 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# shim-find-debuginfo.sh
|
||||||
|
# Copyright (C) 2017 Peter Jones <Peter Jones@random>
|
||||||
|
#
|
||||||
|
# Distributed under terms of the GPLv3 license.
|
||||||
|
#
|
||||||
|
set -e
|
||||||
|
set -u
|
||||||
|
|
||||||
|
mainarch=$1 && shift
|
||||||
|
if [ $# == 1 ]; then
|
||||||
|
altarch=$1 && shift
|
||||||
|
fi
|
||||||
|
if ! [ -v RPM_BUILD_ROOT ]; then
|
||||||
|
echo "RPM_BUILD_ROOT must be set" 1>&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
findsource()
|
||||||
|
{
|
||||||
|
(
|
||||||
|
cd ${RPM_BUILD_ROOT}
|
||||||
|
find usr/src/debug/ -type d | sed "s,^,%dir /,"
|
||||||
|
find usr/src/debug/ -type f | sed "s,^,/,"
|
||||||
|
)
|
||||||
|
}
|
||||||
|
|
||||||
|
finddebug()
|
||||||
|
{
|
||||||
|
arch=$1 && shift
|
||||||
|
declare -a dirs=()
|
||||||
|
declare -a files=()
|
||||||
|
declare -a excludes=()
|
||||||
|
|
||||||
|
pushd ${RPM_BUILD_ROOT} >/dev/null 2>&1
|
||||||
|
for x in $(find usr/lib/debug/ -type f -iname *.efi.debug); do
|
||||||
|
if ! [ -e "${x}" ]; then
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
if [[ ${x} =~ ${arch}\.efi\.debug$ ]]; then
|
||||||
|
files[${#files[@]}]=${x}
|
||||||
|
else
|
||||||
|
excludes[${#excludes[@]}]=${x}
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
for x in usr/lib/debug/.build-id/*/*.debug ; do
|
||||||
|
if ! [ -e "${x}" ]; then
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
link=$(readlink "${x}")
|
||||||
|
if [[ ${link} =~ ${arch}\.efi\.debug$ ]]; then
|
||||||
|
files[${#files[@]}]=${x}
|
||||||
|
files[${#files[@]}]=${x%%.debug}
|
||||||
|
else
|
||||||
|
excludes[${#excludes[@]}]=${x}
|
||||||
|
excludes[${#excludes[@]}]=${x%%.debug}
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
for x in ${files[@]} ; do
|
||||||
|
declare name=$(dirname /${x})
|
||||||
|
while [ "${name}" != "/" ]; do
|
||||||
|
case "${name}" in
|
||||||
|
"/usr/lib/debug"|"/usr/lib"|"/usr")
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
dirs[${#dirs[@]}]=${name}
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
name=$(dirname ${name})
|
||||||
|
done
|
||||||
|
done
|
||||||
|
|
||||||
|
popd >/dev/null 2>&1
|
||||||
|
for x in ${dirs[@]} ; do
|
||||||
|
echo "%dir ${x}"
|
||||||
|
done | sort | uniq
|
||||||
|
for x in ${files[@]} ; do
|
||||||
|
echo "/${x}"
|
||||||
|
done | sort | uniq
|
||||||
|
for x in ${excludes[@]} ; do
|
||||||
|
echo "%exclude /${x}"
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
findsource > build-${mainarch}/debugsource.list
|
||||||
|
finddebug ${mainarch} > build-${mainarch}/debugfiles.list
|
||||||
|
if [ -v altarch ]; then
|
||||||
|
finddebug ${altarch} > build-${altarch}/debugfiles.list
|
||||||
|
fi
|
175
shim-unsigned-aarch64.spec
Normal file
175
shim-unsigned-aarch64.spec
Normal file
@ -0,0 +1,175 @@
|
|||||||
|
%global pesign_vre 0.106-1
|
||||||
|
%global gnuefi_vre 1:3.0.5-6
|
||||||
|
%global openssl_vre 1.0.2j
|
||||||
|
|
||||||
|
%global debug_package %{nil}
|
||||||
|
%global __debug_package 1
|
||||||
|
%global _binaries_in_noarch_packages_terminate_build 0
|
||||||
|
%global __debug_install_post %{SOURCE100} aa64
|
||||||
|
%undefine _debuginfo_subpackages
|
||||||
|
|
||||||
|
%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
|
||||||
|
%global shimrootdir %{_datadir}/shim/
|
||||||
|
%global shimversiondir %{shimrootdir}/%{version}-%{release}
|
||||||
|
%global efiarch aa64
|
||||||
|
%global shimdir %{shimversiondir}/%{efiarch}
|
||||||
|
|
||||||
|
Name: shim-unsigned-aarch64
|
||||||
|
Version: 15
|
||||||
|
Release: 4%{?dist}
|
||||||
|
Summary: First-stage UEFI bootloader
|
||||||
|
ExclusiveArch: aarch64
|
||||||
|
License: BSD
|
||||||
|
URL: https://github.com/rhboot/shim
|
||||||
|
Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
|
||||||
|
Source1: securebootca.cer
|
||||||
|
# currently here's what's in our dbx:
|
||||||
|
# nothing.
|
||||||
|
Source2: dbx.esl
|
||||||
|
|
||||||
|
Source100: shim-find-debuginfo.sh
|
||||||
|
|
||||||
|
Patch0001: 0001-Make-sure-that-MOK-variables-always-get-mirrored.patch
|
||||||
|
Patch0002: 0002-mok-fix-the-mirroring-of-RT-variables.patch
|
||||||
|
Patch0003: 0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch
|
||||||
|
Patch0004: 0004-Make-VLogError-behave-as-expected.patch
|
||||||
|
Patch0005: 0005-Make-EFI-variable-copying-fatal-only-on-secureboot-e.patch
|
||||||
|
Patch0006: 0006-Make-some-things-dprint-instead-of-console_print.patch
|
||||||
|
Patch0007: 0007-shim-Properly-generate-absolute-paths-from-relative-.patch
|
||||||
|
Patch0008: 0008-shim-Prevent-shim-to-set-itself-as-a-second-stage-lo.patch
|
||||||
|
|
||||||
|
BuildRequires: elfutils-libelf-devel
|
||||||
|
BuildRequires: git openssl-devel openssl
|
||||||
|
BuildRequires: pesign >= %{pesign_vre}
|
||||||
|
BuildRequires: gnu-efi >= %{gnuefi_vre}
|
||||||
|
BuildRequires: gnu-efi-devel >= %{gnuefi_vre}
|
||||||
|
|
||||||
|
# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
|
||||||
|
# compatible with SysV (there's no red zone under UEFI) and there isn't a
|
||||||
|
# POSIX-style C library.
|
||||||
|
# BuildRequires: OpenSSL
|
||||||
|
Provides: bundled(openssl) = %{openssl_vre}
|
||||||
|
|
||||||
|
%global desc \
|
||||||
|
Initial UEFI bootloader that handles chaining to a trusted full \
|
||||||
|
bootloader under secure boot environments.
|
||||||
|
%global debug_desc \
|
||||||
|
This package provides debug information for package %{expand:%%{name}} \
|
||||||
|
Debug information is useful when developing applications that \
|
||||||
|
use this package or when debugging this package.
|
||||||
|
|
||||||
|
%description
|
||||||
|
%desc
|
||||||
|
|
||||||
|
%package debuginfo
|
||||||
|
Summary: Debug information for shim-unsigned-aarch64
|
||||||
|
Requires: %{name}-debugsource = %{version}-%{release}
|
||||||
|
Group: Development/Debug
|
||||||
|
AutoReqProv: 0
|
||||||
|
BuildArch: noarch
|
||||||
|
|
||||||
|
%description debuginfo
|
||||||
|
%debug_desc
|
||||||
|
|
||||||
|
%package debugsource
|
||||||
|
Summary: Debug Source for shim-unsigned
|
||||||
|
Group: Development/Debug
|
||||||
|
AutoReqProv: 0
|
||||||
|
BuildArch: noarch
|
||||||
|
|
||||||
|
%description debugsource
|
||||||
|
%debug_desc
|
||||||
|
|
||||||
|
%prep
|
||||||
|
%autosetup -S git -n shim-%{version}
|
||||||
|
git config --unset user.email
|
||||||
|
git config --unset user.name
|
||||||
|
mkdir build-%{efiarch}
|
||||||
|
|
||||||
|
%build
|
||||||
|
COMMITID=$(cat commit)
|
||||||
|
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
|
||||||
|
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
|
||||||
|
MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
|
||||||
|
MAKEFLAGS+="%{_smp_mflags}"
|
||||||
|
if [ -f "%{SOURCE1}" ]; then
|
||||||
|
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
|
||||||
|
fi
|
||||||
|
if [ -f "%{SOURCE2}" ]; then
|
||||||
|
MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
cd build-%{efiarch}
|
||||||
|
make ${MAKEFLAGS} DEFAULT_LOADER='\\\\grub%{efiarch}.efi' all
|
||||||
|
cd ..
|
||||||
|
|
||||||
|
%install
|
||||||
|
COMMITID=$(cat commit)
|
||||||
|
MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
|
||||||
|
MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
|
||||||
|
MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
|
||||||
|
if [ -f "%{SOURCE1}" ]; then
|
||||||
|
MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
|
||||||
|
fi
|
||||||
|
if [ -f "%{SOURCE2}" ]; then
|
||||||
|
MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
cd build-%{efiarch}
|
||||||
|
make ${MAKEFLAGS} \
|
||||||
|
DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \
|
||||||
|
DESTDIR=${RPM_BUILD_ROOT} \
|
||||||
|
install-as-data install-debuginfo install-debugsource
|
||||||
|
cd ..
|
||||||
|
|
||||||
|
%files
|
||||||
|
%license COPYRIGHT
|
||||||
|
%dir %{shimrootdir}
|
||||||
|
%dir %{shimversiondir}
|
||||||
|
%dir %{shimdir}
|
||||||
|
%{shimdir}/*.efi
|
||||||
|
%{shimdir}/*.hash
|
||||||
|
|
||||||
|
%files debuginfo -f build-%{efiarch}/debugfiles.list
|
||||||
|
|
||||||
|
%files debugsource -f build-%{efiarch}/debugsource.list
|
||||||
|
|
||||||
|
%changelog
|
||||||
|
* Fri Jun 07 2019 Javier Martinez Canillas <javierm@redhat.com> 15-4
|
||||||
|
- Add a gating.yaml file so the package can be properly gated
|
||||||
|
Related: rhbz#1682749
|
||||||
|
|
||||||
|
* Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-3
|
||||||
|
- Make EFI variable copying fatal only on secureboot enabled systems
|
||||||
|
Resolves: rhbz#1704854
|
||||||
|
- Fix booting shim from an EFI shell using a relative path
|
||||||
|
Resolves: rhbz#1717063
|
||||||
|
|
||||||
|
* Tue Feb 12 2019 Peter Jones <pjones@redhat.com> - 15-2
|
||||||
|
- Fix MoK mirroring issue which breaks kdump without intervention
|
||||||
|
Related: rhbz#1668966
|
||||||
|
|
||||||
|
* Fri Jul 20 2018 Peter Jones <pjones@redhat.com> - 15-1
|
||||||
|
- Update to shim 15
|
||||||
|
|
||||||
|
* Tue Sep 19 2017 Peter Jones <pjones@redhat.com> - 13-3
|
||||||
|
- Actually update to the *real* 13 final.
|
||||||
|
Related: rhbz#1489604
|
||||||
|
|
||||||
|
* Thu Aug 31 2017 Peter Jones <pjones@redhat.com> - 13-2
|
||||||
|
- Actually update to 13 final.
|
||||||
|
|
||||||
|
* Mon Aug 21 2017 Peter Jones <pjones@redhat.com> - 13-0.1
|
||||||
|
- Update to shim-13 test release.
|
||||||
|
|
||||||
|
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-4
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-3
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
||||||
|
|
||||||
|
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9-2
|
||||||
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
||||||
|
|
||||||
|
* Thu May 12 2016 Peter Jones <pjones@redhat.com> - - 0.9-1
|
||||||
|
- Initial split up of -aarch64
|
3
sources
Normal file
3
sources
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
SHA512 (dbx.esl) = cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
|
||||||
|
SHA512 (securebootca.cer) = 8ad5a2a1fc85bfdf1be4eea2e93a5ce7a535ed4800126fd8b9daa796bb4d387d8268e88da5cf9f383f079f4fe80cbae11910f1c28ea0ed97524e3b409085b838
|
||||||
|
SHA512 (shim-15.tar.bz2) = f7dfac774d644111431ca56da76b5575b891b0abad970b318edaede11a0d83c869728bc39cb6af3689bdb203c6826545caf8ddd3d14228831027e334963cf957
|
Loading…
Reference in New Issue
Block a user