import shim-unsigned-x64-15-2.el8

This commit is contained in:
CentOS Sources 2020-01-21 10:31:36 -05:00 committed by Stepan Oksanichenko
parent 8a58a7b0a3
commit e6ff779411
5 changed files with 278 additions and 1 deletions

View File

@ -0,0 +1,60 @@
From 9ab0d796bdc9cefdaa3b0df7434845d26c43d894 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk <patrick@puiterwijk.org>
Date: Mon, 5 Nov 2018 14:51:16 +0100
Subject: [PATCH 1/3] Make sure that MOK variables always get mirrored
Without this, if a Mok variable doesn't exist in Boot Services, it will also
not be copied to Runtime, even if we have data to be added to it (vendor cert).
This patch makes sure that if we have extra data to append, we still mirror
the variable.
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
---
mok.c | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/mok.c b/mok.c
index 38675211e0e..00dd1ad3034 100644
--- a/mok.c
+++ b/mok.c
@@ -223,11 +223,26 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
UINT32 attrs = 0;
BOOLEAN delete = FALSE, present, addend;
+ addend = (v->addend_source && v->addend_size &&
+ *v->addend_source && *v->addend_size)
+ ? TRUE : FALSE;
+
efi_status = get_variable_attr(v->name,
&v->data, &v->data_size,
*v->guid, &attrs);
- if (efi_status == EFI_NOT_FOUND)
+ if (efi_status == EFI_NOT_FOUND) {
+ if (v->rtname && addend) {
+ efi_status = mirror_one_mok_variable(v);
+ if (EFI_ERROR(efi_status) &&
+ ret != EFI_SECURITY_VIOLATION)
+ ret = efi_status;
+ }
+ /*
+ * after possibly adding, we can continue, no
+ * further checks to be done.
+ */
continue;
+ }
if (EFI_ERROR(efi_status)) {
perror(L"Could not verify %s: %r\n", v->name,
efi_status);
@@ -272,9 +287,6 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
}
present = (v->data && v->data_size) ? TRUE : FALSE;
- addend = (v->addend_source && v->addend_size &&
- *v->addend_source && *v->addend_size)
- ? TRUE : FALSE;
if (v->flags & MOK_VARIABLE_MEASURE && present) {
/*
--
2.20.1

View File

@ -0,0 +1,49 @@
From 4b27ae034ba9885960e72f77b3f687a9b7fea824 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Wed, 21 Nov 2018 12:47:43 +0800
Subject: [PATCH 2/3] mok: fix the mirroring of RT variables
When there is no key in MokList, import_mok_state() just skipped MokList
even though it should always mirror the vendor cert. Besides, the faulty
check of 'present' and 'addend' invalidates the mirroring of MokListXRT,
MokSBStateRT, and MokIgnoreDB.
https://github.com/rhboot/shim/issues/154
Signed-off-by: Gary Lin <glin@suse.com>
---
mok.c | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/mok.c b/mok.c
index 00dd1ad3034..41925abbb49 100644
--- a/mok.c
+++ b/mok.c
@@ -231,12 +231,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
&v->data, &v->data_size,
*v->guid, &attrs);
if (efi_status == EFI_NOT_FOUND) {
- if (v->rtname && addend) {
- efi_status = mirror_one_mok_variable(v);
- if (EFI_ERROR(efi_status) &&
- ret != EFI_SECURITY_VIOLATION)
- ret = efi_status;
- }
+ if (addend)
+ goto mirror_addend;
/*
* after possibly adding, we can continue, no
* further checks to be done.
@@ -316,7 +312,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
}
}
- if (v->rtname && present && addend) {
+mirror_addend:
+ if (v->rtname && (present || addend)) {
if (v->flags & MOK_MIRROR_DELETE_FIRST)
LibDeleteVariable(v->rtname, v->guid);
--
2.20.1

View File

@ -0,0 +1,109 @@
From 29c11483101b460869a5e0dba1f425073862127d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 31 Jan 2019 13:45:30 -0500
Subject: [PATCH 3/3] mok: consolidate mirroring code in a helper instead of
using goto
There's no reason to complicate the logic with a goto here, instead just
pull the logic we're jumping to out to a helper function.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
mok.c | 41 ++++++++++++++++++++++++++++-------------
shim.h | 2 ++
2 files changed, 30 insertions(+), 13 deletions(-)
diff --git a/mok.c b/mok.c
index 41925abbb49..2f495e6cf25 100644
--- a/mok.c
+++ b/mok.c
@@ -130,7 +130,8 @@ struct mok_state_variable mok_state_variables[] = {
{ NULL, }
};
-static EFI_STATUS mirror_one_mok_variable(struct mok_state_variable *v)
+static EFI_STATUS nonnull(1)
+mirror_one_mok_variable(struct mok_state_variable *v)
{
EFI_STATUS efi_status = EFI_SUCCESS;
void *FullData = NULL;
@@ -196,6 +197,29 @@ static EFI_STATUS mirror_one_mok_variable(struct mok_state_variable *v)
return efi_status;
}
+/*
+ * Mirror a variable if it has an rtname, and preserve any
+ * EFI_SECURITY_VIOLATION status at the same time.
+ */
+static EFI_STATUS nonnull(1)
+maybe_mirror_one_mok_variable(struct mok_state_variable *v, EFI_STATUS ret)
+{
+ EFI_STATUS efi_status;
+ if (v->rtname) {
+ if (v->flags & MOK_MIRROR_DELETE_FIRST)
+ LibDeleteVariable(v->rtname, v->guid);
+
+ efi_status = mirror_one_mok_variable(v);
+ if (EFI_ERROR(efi_status)) {
+ if (ret != EFI_SECURITY_VIOLATION)
+ ret = efi_status;
+ perror(L"Could not create %s: %r\n", v->rtname,
+ efi_status);
+ }
+ }
+ return ret;
+}
+
/*
* Verify our non-volatile MoK state. This checks the variables above
* accessable and have valid attributes. If they don't, it removes
@@ -232,7 +256,7 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
*v->guid, &attrs);
if (efi_status == EFI_NOT_FOUND) {
if (addend)
- goto mirror_addend;
+ ret = maybe_mirror_one_mok_variable(v, ret);
/*
* after possibly adding, we can continue, no
* further checks to be done.
@@ -312,16 +336,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
}
}
-mirror_addend:
- if (v->rtname && (present || addend)) {
- if (v->flags & MOK_MIRROR_DELETE_FIRST)
- LibDeleteVariable(v->rtname, v->guid);
-
- efi_status = mirror_one_mok_variable(v);
- if (EFI_ERROR(efi_status) &&
- ret != EFI_SECURITY_VIOLATION)
- ret = efi_status;
- }
+ if (present)
+ ret = maybe_mirror_one_mok_variable(v, ret);
}
/*
@@ -340,4 +356,4 @@ mirror_addend:
return ret;
}
-// vim:fenc=utf-8:tw=75
+// vim:fenc=utf-8:tw=75:noet
diff --git a/shim.h b/shim.h
index 2b359d821e3..c26d5f06538 100644
--- a/shim.h
+++ b/shim.h
@@ -30,6 +30,8 @@
#include <stddef.h>
+#define nonnull(...) __attribute__((__nonnull__(__VA_ARGS__)))
+
#define min(a, b) ({(a) < (b) ? (a) : (b);})
#ifdef __x86_64__
--
2.20.1

View File

@ -0,0 +1,50 @@
From 0bff94b170116737e6e0838c35c0ac376542a5c0 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 12 Feb 2019 18:04:49 -0500
Subject: [PATCH 4/4] Make VLogError() behave as expected.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
errlog.c | 15 +++------------
1 file changed, 3 insertions(+), 12 deletions(-)
diff --git a/errlog.c b/errlog.c
index 18be4822d53..eebb266d396 100644
--- a/errlog.c
+++ b/errlog.c
@@ -14,29 +14,20 @@ EFI_STATUS
VLogError(const char *file, int line, const char *func, CHAR16 *fmt, va_list args)
{
va_list args2;
- UINTN size = 0, size2;
CHAR16 **newerrs;
- size = SPrint(NULL, 0, L"%a:%d %a() ", file, line, func);
- va_copy(args2, args);
- size2 = VSPrint(NULL, 0, fmt, args2);
- va_end(args2);
-
newerrs = ReallocatePool(errs, (nerrs + 1) * sizeof(*errs),
(nerrs + 3) * sizeof(*errs));
if (!newerrs)
return EFI_OUT_OF_RESOURCES;
- newerrs[nerrs] = AllocatePool(size*2+2);
+ newerrs[nerrs] = PoolPrint(L"%a:%d %a() ", file, line, func);
if (!newerrs[nerrs])
return EFI_OUT_OF_RESOURCES;
- newerrs[nerrs+1] = AllocatePool(size2*2+2);
+ va_copy(args2, args);
+ newerrs[nerrs+1] = VPoolPrint(fmt, args2);
if (!newerrs[nerrs+1])
return EFI_OUT_OF_RESOURCES;
-
- SPrint(newerrs[nerrs], size*2+2, L"%a:%d %a() ", file, line, func);
- va_copy(args2, args);
- VSPrint(newerrs[nerrs+1], size2*2+2, fmt, args2);
va_end(args2);
nerrs += 2;
--
2.20.1

View File

@ -18,7 +18,7 @@
Name: shim-unsigned-%{efiarch}
Version: 15
Release: 1%{?dist}
Release: 2%{?dist}
Summary: First-stage UEFI bootloader
ExclusiveArch: x86_64
License: BSD
@ -31,6 +31,11 @@ Source2: dbx.esl
Source100: shim-find-debuginfo.sh
Patch0001: 0001-Make-sure-that-MOK-variables-always-get-mirrored.patch
Patch0002: 0002-mok-fix-the-mirroring-of-RT-variables.patch
Patch0003: 0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch
Patch0004: 0004-Make-VLogError-behave-as-expected.patch
BuildRequires: elfutils-libelf-devel
BuildRequires: git openssl-devel openssl
BuildRequires: pesign >= %{pesign_vre}
@ -167,6 +172,10 @@ cd ..
%files debugsource -f build-%{efiarch}/debugsource.list
%changelog
* Tue Feb 12 2019 Peter Jones <pjones@redhat.com> - 15-2
- Fix MoK mirroring issue which breaks kdump without intervention
Related: rhbz#1668966
* Fri Jul 20 2018 Peter Jones <pjones@redhat.com> - 15-1
- Update to shim 15