commit aa4732497d2ac2a009c2aa8a0384af322d33eeea Author: CentOS Sources Date: Tue May 17 06:16:54 2022 -0400 import shim-unsigned-aarch64-15-6.el9 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..6af0766 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/shim-15.tar.bz2 diff --git a/.shim-unsigned-aarch64.metadata b/.shim-unsigned-aarch64.metadata new file mode 100644 index 0000000..5677fcd --- /dev/null +++ b/.shim-unsigned-aarch64.metadata @@ -0,0 +1 @@ +2dc6308584187bf3ee88bf9b119938c72c5a5088 SOURCES/shim-15.tar.bz2 diff --git a/SOURCES/0001-Make-sure-that-MOK-variables-always-get-mirrored.patch b/SOURCES/0001-Make-sure-that-MOK-variables-always-get-mirrored.patch new file mode 100644 index 0000000..0779498 --- /dev/null +++ b/SOURCES/0001-Make-sure-that-MOK-variables-always-get-mirrored.patch @@ -0,0 +1,60 @@ +From 9ab0d796bdc9cefdaa3b0df7434845d26c43d894 Mon Sep 17 00:00:00 2001 +From: Patrick Uiterwijk +Date: Mon, 5 Nov 2018 14:51:16 +0100 +Subject: [PATCH 1/3] Make sure that MOK variables always get mirrored + +Without this, if a Mok variable doesn't exist in Boot Services, it will also +not be copied to Runtime, even if we have data to be added to it (vendor cert). +This patch makes sure that if we have extra data to append, we still mirror +the variable. + +Signed-off-by: Patrick Uiterwijk +--- + mok.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +diff --git a/mok.c b/mok.c +index 38675211e0e..00dd1ad3034 100644 +--- a/mok.c ++++ b/mok.c +@@ -223,11 +223,26 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) + UINT32 attrs = 0; + BOOLEAN delete = FALSE, present, addend; + ++ addend = (v->addend_source && v->addend_size && ++ *v->addend_source && *v->addend_size) ++ ? TRUE : FALSE; ++ + efi_status = get_variable_attr(v->name, + &v->data, &v->data_size, + *v->guid, &attrs); +- if (efi_status == EFI_NOT_FOUND) ++ if (efi_status == EFI_NOT_FOUND) { ++ if (v->rtname && addend) { ++ efi_status = mirror_one_mok_variable(v); ++ if (EFI_ERROR(efi_status) && ++ ret != EFI_SECURITY_VIOLATION) ++ ret = efi_status; ++ } ++ /* ++ * after possibly adding, we can continue, no ++ * further checks to be done. ++ */ + continue; ++ } + if (EFI_ERROR(efi_status)) { + perror(L"Could not verify %s: %r\n", v->name, + efi_status); +@@ -272,9 +287,6 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) + } + + present = (v->data && v->data_size) ? TRUE : FALSE; +- addend = (v->addend_source && v->addend_size && +- *v->addend_source && *v->addend_size) +- ? TRUE : FALSE; + + if (v->flags & MOK_VARIABLE_MEASURE && present) { + /* +-- +2.20.1 + diff --git a/SOURCES/0002-mok-fix-the-mirroring-of-RT-variables.patch b/SOURCES/0002-mok-fix-the-mirroring-of-RT-variables.patch new file mode 100644 index 0000000..fc2adbc --- /dev/null +++ b/SOURCES/0002-mok-fix-the-mirroring-of-RT-variables.patch @@ -0,0 +1,49 @@ +From 4b27ae034ba9885960e72f77b3f687a9b7fea824 Mon Sep 17 00:00:00 2001 +From: Gary Lin +Date: Wed, 21 Nov 2018 12:47:43 +0800 +Subject: [PATCH 2/3] mok: fix the mirroring of RT variables + +When there is no key in MokList, import_mok_state() just skipped MokList +even though it should always mirror the vendor cert. Besides, the faulty +check of 'present' and 'addend' invalidates the mirroring of MokListXRT, +MokSBStateRT, and MokIgnoreDB. + +https://github.com/rhboot/shim/issues/154 + +Signed-off-by: Gary Lin +--- + mok.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/mok.c b/mok.c +index 00dd1ad3034..41925abbb49 100644 +--- a/mok.c ++++ b/mok.c +@@ -231,12 +231,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) + &v->data, &v->data_size, + *v->guid, &attrs); + if (efi_status == EFI_NOT_FOUND) { +- if (v->rtname && addend) { +- efi_status = mirror_one_mok_variable(v); +- if (EFI_ERROR(efi_status) && +- ret != EFI_SECURITY_VIOLATION) +- ret = efi_status; +- } ++ if (addend) ++ goto mirror_addend; + /* + * after possibly adding, we can continue, no + * further checks to be done. +@@ -316,7 +312,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) + } + } + +- if (v->rtname && present && addend) { ++mirror_addend: ++ if (v->rtname && (present || addend)) { + if (v->flags & MOK_MIRROR_DELETE_FIRST) + LibDeleteVariable(v->rtname, v->guid); + +-- +2.20.1 + diff --git a/SOURCES/0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch b/SOURCES/0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch new file mode 100644 index 0000000..caded4e --- /dev/null +++ b/SOURCES/0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch @@ -0,0 +1,109 @@ +From 29c11483101b460869a5e0dba1f425073862127d Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Thu, 31 Jan 2019 13:45:30 -0500 +Subject: [PATCH 3/3] mok: consolidate mirroring code in a helper instead of + using goto + +There's no reason to complicate the logic with a goto here, instead just +pull the logic we're jumping to out to a helper function. + +Signed-off-by: Peter Jones +--- + mok.c | 41 ++++++++++++++++++++++++++++------------- + shim.h | 2 ++ + 2 files changed, 30 insertions(+), 13 deletions(-) + +diff --git a/mok.c b/mok.c +index 41925abbb49..2f495e6cf25 100644 +--- a/mok.c ++++ b/mok.c +@@ -130,7 +130,8 @@ struct mok_state_variable mok_state_variables[] = { + { NULL, } + }; + +-static EFI_STATUS mirror_one_mok_variable(struct mok_state_variable *v) ++static EFI_STATUS nonnull(1) ++mirror_one_mok_variable(struct mok_state_variable *v) + { + EFI_STATUS efi_status = EFI_SUCCESS; + void *FullData = NULL; +@@ -196,6 +197,29 @@ static EFI_STATUS mirror_one_mok_variable(struct mok_state_variable *v) + return efi_status; + } + ++/* ++ * Mirror a variable if it has an rtname, and preserve any ++ * EFI_SECURITY_VIOLATION status at the same time. ++ */ ++static EFI_STATUS nonnull(1) ++maybe_mirror_one_mok_variable(struct mok_state_variable *v, EFI_STATUS ret) ++{ ++ EFI_STATUS efi_status; ++ if (v->rtname) { ++ if (v->flags & MOK_MIRROR_DELETE_FIRST) ++ LibDeleteVariable(v->rtname, v->guid); ++ ++ efi_status = mirror_one_mok_variable(v); ++ if (EFI_ERROR(efi_status)) { ++ if (ret != EFI_SECURITY_VIOLATION) ++ ret = efi_status; ++ perror(L"Could not create %s: %r\n", v->rtname, ++ efi_status); ++ } ++ } ++ return ret; ++} ++ + /* + * Verify our non-volatile MoK state. This checks the variables above + * accessable and have valid attributes. If they don't, it removes +@@ -232,7 +256,7 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) + *v->guid, &attrs); + if (efi_status == EFI_NOT_FOUND) { + if (addend) +- goto mirror_addend; ++ ret = maybe_mirror_one_mok_variable(v, ret); + /* + * after possibly adding, we can continue, no + * further checks to be done. +@@ -312,16 +336,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) + } + } + +-mirror_addend: +- if (v->rtname && (present || addend)) { +- if (v->flags & MOK_MIRROR_DELETE_FIRST) +- LibDeleteVariable(v->rtname, v->guid); +- +- efi_status = mirror_one_mok_variable(v); +- if (EFI_ERROR(efi_status) && +- ret != EFI_SECURITY_VIOLATION) +- ret = efi_status; +- } ++ if (present) ++ ret = maybe_mirror_one_mok_variable(v, ret); + } + + /* +@@ -340,4 +356,4 @@ mirror_addend: + return ret; + } + +-// vim:fenc=utf-8:tw=75 ++// vim:fenc=utf-8:tw=75:noet +diff --git a/shim.h b/shim.h +index 2b359d821e3..c26d5f06538 100644 +--- a/shim.h ++++ b/shim.h +@@ -30,6 +30,8 @@ + + #include + ++#define nonnull(...) __attribute__((__nonnull__(__VA_ARGS__))) ++ + #define min(a, b) ({(a) < (b) ? (a) : (b);}) + + #ifdef __x86_64__ +-- +2.20.1 + diff --git a/SOURCES/0004-Make-VLogError-behave-as-expected.patch b/SOURCES/0004-Make-VLogError-behave-as-expected.patch new file mode 100644 index 0000000..2e5ca64 --- /dev/null +++ b/SOURCES/0004-Make-VLogError-behave-as-expected.patch @@ -0,0 +1,50 @@ +From 0bff94b170116737e6e0838c35c0ac376542a5c0 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 12 Feb 2019 18:04:49 -0500 +Subject: [PATCH 4/4] Make VLogError() behave as expected. + +Signed-off-by: Peter Jones +--- + errlog.c | 15 +++------------ + 1 file changed, 3 insertions(+), 12 deletions(-) + +diff --git a/errlog.c b/errlog.c +index 18be4822d53..eebb266d396 100644 +--- a/errlog.c ++++ b/errlog.c +@@ -14,29 +14,20 @@ EFI_STATUS + VLogError(const char *file, int line, const char *func, CHAR16 *fmt, va_list args) + { + va_list args2; +- UINTN size = 0, size2; + CHAR16 **newerrs; + +- size = SPrint(NULL, 0, L"%a:%d %a() ", file, line, func); +- va_copy(args2, args); +- size2 = VSPrint(NULL, 0, fmt, args2); +- va_end(args2); +- + newerrs = ReallocatePool(errs, (nerrs + 1) * sizeof(*errs), + (nerrs + 3) * sizeof(*errs)); + if (!newerrs) + return EFI_OUT_OF_RESOURCES; + +- newerrs[nerrs] = AllocatePool(size*2+2); ++ newerrs[nerrs] = PoolPrint(L"%a:%d %a() ", file, line, func); + if (!newerrs[nerrs]) + return EFI_OUT_OF_RESOURCES; +- newerrs[nerrs+1] = AllocatePool(size2*2+2); ++ va_copy(args2, args); ++ newerrs[nerrs+1] = VPoolPrint(fmt, args2); + if (!newerrs[nerrs+1]) + return EFI_OUT_OF_RESOURCES; +- +- SPrint(newerrs[nerrs], size*2+2, L"%a:%d %a() ", file, line, func); +- va_copy(args2, args); +- VSPrint(newerrs[nerrs+1], size2*2+2, fmt, args2); + va_end(args2); + + nerrs += 2; +-- +2.20.1 + diff --git a/SOURCES/0005-Make-EFI-variable-copying-fatal-only-on-secureboot-e.patch b/SOURCES/0005-Make-EFI-variable-copying-fatal-only-on-secureboot-e.patch new file mode 100644 index 0000000..bbd6525 --- /dev/null +++ b/SOURCES/0005-Make-EFI-variable-copying-fatal-only-on-secureboot-e.patch @@ -0,0 +1,47 @@ +From 741c61abba7d5c74166f8d0c1b9ee8001ebcd186 Mon Sep 17 00:00:00 2001 +From: Patrick Uiterwijk +Date: Thu, 6 Dec 2018 10:08:45 +0100 +Subject: [PATCH] Make EFI variable copying fatal only on secureboot enabled + systems + +I have come across systems that are unwilling to reserve enough memory for +a MokListRT big enough for big certificates. +This seems to be the case with firmware implementations that do not support +secureboot, which is probably the reason they went with much lower variable +storage. + +This patch set makes sure we can still boot on those systems, by only +making the copy action fatal if the system has secure boot enabled, or if +the error was anything other than EFI_INVALID_PARAMETER. + +Signed-off-by: Patrick Uiterwijk +--- + shim.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/shim.c b/shim.c +index 7d25ad6fe70..aee4727fe67 100644 +--- a/shim.c ++++ b/shim.c +@@ -2639,7 +2639,17 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab) + * boot-services-only state variables are what we think they are. + */ + efi_status = import_mok_state(image_handle); +- if (EFI_ERROR(efi_status)) { ++ if (!secure_mode() && efi_status == EFI_INVALID_PARAMETER) { ++ /* ++ * Make copy failures fatal only if secure_mode is enabled, or ++ * the error was anything else than EFI_INVALID_PARAMETER. ++ * There are non-secureboot firmware implementations that don't ++ * reserve enough EFI variable memory to fit the variable. ++ */ ++ console_print(L"Importing MOK states has failed: %s: %r\n", ++ msgs[msg], efi_status); ++ console_print(L"Continuing boot since secure mode is disabled"); ++ } else if (EFI_ERROR(efi_status)) { + die: + console_print(L"Something has gone seriously wrong: %s: %r\n", + msgs[msg], efi_status); +-- +2.21.0 + diff --git a/SOURCES/0006-Make-some-things-dprint-instead-of-console_print.patch b/SOURCES/0006-Make-some-things-dprint-instead-of-console_print.patch new file mode 100644 index 0000000..6fc67a0 --- /dev/null +++ b/SOURCES/0006-Make-some-things-dprint-instead-of-console_print.patch @@ -0,0 +1,28 @@ +From dad59f8c0f3620f68379a29c3e6badd22681ddc5 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 10 Apr 2018 12:36:34 -0400 +Subject: [PATCH] Make some things dprint() instead of console_print() + +Signed-off-by: Peter Jones +--- + shim.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/shim.c b/shim.c +index 00155346c12..ff0817009cd 100644 +--- a/shim.c ++++ b/shim.c +@@ -2087,8 +2087,8 @@ static int is_our_path(EFI_LOADED_IMAGE *li, CHAR16 *path, UINTN len) + if (!dppath) + return 0; + +- console_print(L"dppath: %s\n", dppath); +- console_print(L"path: %s\n", path); ++ dprint(L"dppath: %s\n", dppath); ++ dprint(L"path: %s\n", path); + if (StrnCaseCmp(dppath, path, len)) + ret = 0; + +-- +2.21.0 + diff --git a/SOURCES/0007-shim-Properly-generate-absolute-paths-from-relative-.patch b/SOURCES/0007-shim-Properly-generate-absolute-paths-from-relative-.patch new file mode 100644 index 0000000..b7a4824 --- /dev/null +++ b/SOURCES/0007-shim-Properly-generate-absolute-paths-from-relative-.patch @@ -0,0 +1,51 @@ +From a625fa5096ccdf87036379a5cb237bd43516d605 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Fri, 7 Sep 2018 14:11:02 +0200 +Subject: [PATCH] shim: Properly generate absolute paths from relative + image paths + +The generate_path_from_image_path() doesn't properly handle the case when +shim is invoked using a relative path (e.g: from the EFI shell). In that +function, always the last component is stripped from absolute file path +to calculate the dirname, and this is concatenated with the image path. + +But if the path is a relative one, the function will wrongly concatenate +the dirname with the relative image path, i.e: + + Shell> FS0: + FS0:\> cd EFI + FS0:\EFI\> BOOT\BOOTX64.EFI + Failed to open \EFI\BOOT\BOOT\BOOTX64.EFI - Not found + Failed to load image \EFI\BOOT\BOOT\BOOTX64.EFI: Not found + start_image() returned Not found + +Calculate the image path basename and concatenate that with the dirname. + +Signed-off-by: Javier Martinez Canillas +Reviewed-by: Maran Wilson maran.wilson@oracle.com +Tested-by: Maran Wilson maran.wilson@oracle.com +--- + shim.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/shim.c b/shim.c +index f29f39214f5..32d2772b279 100644 +--- a/shim.c ++++ b/shim.c +@@ -1640,9 +1640,11 @@ static EFI_STATUS generate_path_from_image_path(EFI_LOADED_IMAGE *li, + bootpath[j] = '\0'; + } + +- while (*ImagePath == '\\') +- ImagePath++; ++ for (i = 0, last = 0; i < StrLen(ImagePath); i++) ++ if (ImagePath[i] == '\\') ++ last = i + 1; + ++ ImagePath = ImagePath + last; + *PathName = AllocatePool(StrSize(bootpath) + StrSize(ImagePath)); + + if (!*PathName) { +-- +2.21.0 + diff --git a/SOURCES/0008-shim-Prevent-shim-to-set-itself-as-a-second-stage-lo.patch b/SOURCES/0008-shim-Prevent-shim-to-set-itself-as-a-second-stage-lo.patch new file mode 100644 index 0000000..4830fd8 --- /dev/null +++ b/SOURCES/0008-shim-Prevent-shim-to-set-itself-as-a-second-stage-lo.patch @@ -0,0 +1,75 @@ +From e563bc3dcd17d91861d3b363ed19d30228f409e1 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Fri, 7 Sep 2018 15:10:51 +0200 +Subject: [PATCH] shim: Prevent shim to set itself as a second stage loader + +When shim is invoked from a relative path (e.g: from the UEFI shell), the +Loaded Image handle LoadOptions can be set to the binary relative path. + +But the is_our_path() function only checks if LoadOptions is set to the +absolute path of shim to ignore it. So if a relative path is there, shim +would set itself as the secondary loader and invoke itself in a loop. + +To prevent that, use the path in LoadOptions to calculate the absolute +path and compare it with the one in the Loader Image handle FilePath. + +Resolves: bz#1622485 + +Signed-off-by: Javier Martinez Canillas +Reviewed-by: Maran Wilson maran.wilson@oracle.com +Tested-by: Maran Wilson maran.wilson@oracle.com +--- + shim.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/shim.c b/shim.c +index 32d2772b279..8abc0c267cf 100644 +--- a/shim.c ++++ b/shim.c +@@ -2116,21 +2116,32 @@ get_load_option_optional_data(UINT8 *data, UINTN data_size, + return EFI_SUCCESS; + } + +-static int is_our_path(EFI_LOADED_IMAGE *li, CHAR16 *path, UINTN len) ++static int is_our_path(EFI_LOADED_IMAGE *li, CHAR16 *path) + { + CHAR16 *dppath = NULL; ++ CHAR16 *PathName = NULL; ++ EFI_STATUS efi_status; + int ret = 1; + + dppath = DevicePathToStr(li->FilePath); + if (!dppath) + return 0; + ++ efi_status = generate_path_from_image_path(li, path, &PathName); ++ if (EFI_ERROR(efi_status)) { ++ perror(L"Unable to generate path %s: %r\n", path, ++ efi_status); ++ goto done; ++ } ++ + dprint(L"dppath: %s\n", dppath); + dprint(L"path: %s\n", path); +- if (StrnCaseCmp(dppath, path, len)) ++ if (StrnCaseCmp(dppath, PathName, strlen(dppath))) + ret = 0; + ++done: + FreePool(dppath); ++ FreePool(PathName); + return ret; + } + +@@ -2319,7 +2330,7 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle) + + * which is just cruel... So yeah, just don't use it. + */ +- if (strings == 1 && is_our_path(li, start, loader_len)) ++ if (strings == 1 && is_our_path(li, start)) + return EFI_SUCCESS; + + /* +-- +2.21.0 + diff --git a/SOURCES/0009-Fix-a-use-of-strlen-instead-of-Strlen.patch b/SOURCES/0009-Fix-a-use-of-strlen-instead-of-Strlen.patch new file mode 100644 index 0000000..dc9d880 --- /dev/null +++ b/SOURCES/0009-Fix-a-use-of-strlen-instead-of-Strlen.patch @@ -0,0 +1,28 @@ +From 1870bae796022f8bbf60465352eac329ff1d6ffd Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Thu, 5 Sep 2019 10:36:23 -0400 +Subject: [PATCH] Fix a use of strlen() instead of Strlen() + +Resolves: rhbz#1817882 + +Signed-off-by: Peter Jones +--- + src/shim.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/shim.c b/shim.c +index 3f131f48572..38f1346da7f 100644 +--- a/shim.c ++++ b/shim.c +@@ -2053,7 +2053,7 @@ static int is_our_path(EFI_LOADED_IMAGE *li, CHAR16 *path) + + dprint(L"dppath: %s\n", dppath); + dprint(L"path: %s\n", path); +- if (StrnCaseCmp(dppath, PathName, strlen(dppath))) ++ if (StrnCaseCmp(dppath, PathName, StrLen(dppath))) + ret = 0; + + done: +-- +2.25.1 + diff --git a/SOURCES/0010-translate_slashes-don-t-write-to-string-literals.patch b/SOURCES/0010-translate_slashes-don-t-write-to-string-literals.patch new file mode 100644 index 0000000..edb03aa --- /dev/null +++ b/SOURCES/0010-translate_slashes-don-t-write-to-string-literals.patch @@ -0,0 +1,139 @@ +From 9813e8bc8b3295f343809fac43298a73a93ffc97 Mon Sep 17 00:00:00 2001 +From: Laszlo Ersek +Date: Tue, 28 Jan 2020 23:33:46 +0100 +Subject: [PATCH] translate_slashes(): don't write to string literals + +Currently, all three invocations of the translate_slashes() function may +lead to writes to the string literal that is #defined with the +DEFAULT_LOADER_CHAR macro. According to ISO C99 6.4.5p6, this is undefined +behavior ("If the program attempts to modify such an array, the behavior +is undefined"). + +This bug crashes shim on e.g. the 64-bit ArmVirtQemu platform ("Data +abort: Permission fault"), where the platform firmware maps the .text +section (which contains the string literal) read-only. + +Modify translate_slashes() so that it copies and translates characters +from an input array of "char" to an output array of "CHAR8". + +While at it, fix another bug. Before this patch, if translate_slashes() +ever encountered a double backslash (translating it to a single forward +slash), then the output would end up shorter than the input. However, the +output was not NUL-terminated in-place, therefore the original string +length (and according trailing garbage) would be preserved. After this +patch, the NUL-termination on contraction is automatic, as the output +array's contents are indeterminate when entering the function, and so we +must NUL-terminate it anyway. + +Fixes: 8e9124227d18475d3bc634c33518963fc8db7c98 +Fixes: e62b69a5b0b87c6df7a4fc23906134945309e927 +Fixes: 3d79bcb2651b9eae809b975b3e03e2f96c067072 +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1795654 +Signed-off-by: Laszlo Ersek +--- + include/str.h | 14 ++++++++------ + httpboot.c | 4 ++-- + netboot.c | 16 +++++++++++----- + 3 files changed, 21 insertions(+), 13 deletions(-) + +diff --git a/include/str.h b/include/str.h +index 9a748366bd1..f73c6212cd9 100644 +--- a/include/str.h ++++ b/include/str.h +@@ -45,21 +45,23 @@ strcata(CHAR8 *dest, const CHAR8 *src) + static inline + __attribute__((unused)) + CHAR8 * +-translate_slashes(char *str) ++translate_slashes(CHAR8 *out, const char *str) + { + int i; + int j; +- if (str == NULL) +- return (CHAR8 *)str; ++ if (str == NULL || out == NULL) ++ return NULL; + + for (i = 0, j = 0; str[i] != '\0'; i++, j++) { + if (str[i] == '\\') { +- str[j] = '/'; ++ out[j] = '/'; + if (str[i+1] == '\\') + i++; +- } ++ } else ++ out[j] = str[i]; + } +- return (CHAR8 *)str; ++ out[j] = '\0'; ++ return out; + } + + #endif /* SHIM_STR_H */ +diff --git a/httpboot.c b/httpboot.c +index 3622e85867c..2d27e8ed993 100644 +--- a/httpboot.c ++++ b/httpboot.c +@@ -743,14 +743,14 @@ httpboot_fetch_buffer (EFI_HANDLE image, VOID **buffer, UINT64 *buf_size) + { + EFI_STATUS efi_status; + EFI_HANDLE nic; +- CHAR8 *next_loader = NULL; ++ CHAR8 next_loader[sizeof DEFAULT_LOADER_CHAR]; + CHAR8 *next_uri = NULL; + CHAR8 *hostname = NULL; + + if (!uri) + return EFI_NOT_READY; + +- next_loader = translate_slashes(DEFAULT_LOADER_CHAR); ++ translate_slashes(next_loader, DEFAULT_LOADER_CHAR); + + /* Create the URI for the next loader based on the original URI */ + efi_status = generate_next_uri(uri, next_loader, &next_uri); +diff --git a/netboot.c b/netboot.c +index 583fe4bee71..6d293bca9dd 100644 +--- a/netboot.c ++++ b/netboot.c +@@ -189,7 +189,9 @@ static BOOLEAN extract_tftp_info(CHAR8 *url) + CHAR8 *start, *end; + CHAR8 ip6str[40]; + CHAR8 ip6inv[16]; +- CHAR8 *template = (CHAR8 *)translate_slashes(DEFAULT_LOADER_CHAR); ++ CHAR8 template[sizeof DEFAULT_LOADER_CHAR]; ++ ++ translate_slashes(template, DEFAULT_LOADER_CHAR); + + // to check against str2ip6() errors + memset(ip6inv, 0, sizeof(ip6inv)); +@@ -254,10 +256,14 @@ static EFI_STATUS parseDhcp6() + + static EFI_STATUS parseDhcp4() + { +- CHAR8 *template = (CHAR8 *)translate_slashes(DEFAULT_LOADER_CHAR); +- INTN template_len = strlen(template) + 1; ++ CHAR8 template[sizeof DEFAULT_LOADER_CHAR]; ++ INTN template_len; ++ UINTN template_ofs = 0; + EFI_PXE_BASE_CODE_DHCPV4_PACKET* pkt_v4 = (EFI_PXE_BASE_CODE_DHCPV4_PACKET *)&pxe->Mode->DhcpAck.Dhcpv4; + ++ translate_slashes(template, DEFAULT_LOADER_CHAR); ++ template_len = strlen(template) + 1; ++ + if(pxe->Mode->ProxyOfferReceived) { + /* + * Proxy should not have precedence. Check if DhcpAck +@@ -288,8 +294,8 @@ static EFI_STATUS parseDhcp4() + full_path[dir_len-1] = '\0'; + } + if (dir_len == 0 && dir[0] != '/' && template[0] == '/') +- template++; +- strcata(full_path, template); ++ template_ofs++; ++ strcata(full_path, template + template_ofs); + memcpy(&tftp_addr.v4, pkt_v4->BootpSiAddr, 4); + + return EFI_SUCCESS; +-- +2.26.2 + diff --git a/SOURCES/0011-RHEL-9-disable-Wpointer-sign-for-now.patch b/SOURCES/0011-RHEL-9-disable-Wpointer-sign-for-now.patch new file mode 100644 index 0000000..e16a0b0 --- /dev/null +++ b/SOURCES/0011-RHEL-9-disable-Wpointer-sign-for-now.patch @@ -0,0 +1,25 @@ +From 7e7fa748c8651ca3d9fdd55f0ad891c816949ff5 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Fri, 6 Aug 2021 16:43:37 -0400 +Subject: [PATCH] RHEL-9: disable -Wpointer-sign for now + +Signed-off-by: Peter Jones +--- + Make.defaults | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/Make.defaults b/Make.defaults +index e11ab5a7f2c..9b28720d186 100644 +--- a/Make.defaults ++++ b/Make.defaults +@@ -42,6 +42,7 @@ EFI_LDS = $(TOPDIR)/elf_$(ARCH)_efi.lds + CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ + -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \ + -Werror=sign-compare -ffreestanding -std=gnu89 \ ++ -Wno-pointer-sign -Wno-address-of-packed-member \ + -I$(shell $(CC) -print-file-name=include) \ + "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \ + "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \ +-- +2.31.1 + diff --git a/SOURCES/dbx.esl b/SOURCES/dbx.esl new file mode 100644 index 0000000..e69de29 diff --git a/SOURCES/securebootca.cer b/SOURCES/securebootca.cer new file mode 100644 index 0000000..b235400 Binary files /dev/null and b/SOURCES/securebootca.cer differ diff --git a/SOURCES/shim-find-debuginfo.sh b/SOURCES/shim-find-debuginfo.sh new file mode 100755 index 0000000..7e882ff --- /dev/null +++ b/SOURCES/shim-find-debuginfo.sh @@ -0,0 +1,90 @@ +#!/bin/bash +# +# shim-find-debuginfo.sh +# Copyright (C) 2017 Peter Jones +# +# Distributed under terms of the GPLv3 license. +# +set -e +set -u + +mainarch=$1 && shift +if [ $# == 1 ]; then + altarch=$1 && shift +fi +if ! [ -v RPM_BUILD_ROOT ]; then + echo "RPM_BUILD_ROOT must be set" 1>&2 + exit 1 +fi + +findsource() +{ + ( + cd ${RPM_BUILD_ROOT} + find usr/src/debug/ -type d | sed "s,^,%dir /," + find usr/src/debug/ -type f | sed "s,^,/," + ) +} + +finddebug() +{ + arch=$1 && shift + declare -a dirs=() + declare -a files=() + declare -a excludes=() + + pushd ${RPM_BUILD_ROOT} >/dev/null 2>&1 + for x in $(find usr/lib/debug/ -type f -iname *.efi.debug); do + if ! [ -e "${x}" ]; then + break + fi + if [[ ${x} =~ ${arch}\.efi\.debug$ ]]; then + files[${#files[@]}]=${x} + else + excludes[${#excludes[@]}]=${x} + fi + done + for x in usr/lib/debug/.build-id/*/*.debug ; do + if ! [ -e "${x}" ]; then + break + fi + link=$(readlink "${x}") + if [[ ${link} =~ ${arch}\.efi\.debug$ ]]; then + files[${#files[@]}]=${x} + files[${#files[@]}]=${x%%.debug} + else + excludes[${#excludes[@]}]=${x} + excludes[${#excludes[@]}]=${x%%.debug} + fi + done + for x in ${files[@]} ; do + declare name=$(dirname /${x}) + while [ "${name}" != "/" ]; do + case "${name}" in + "/usr/lib/debug"|"/usr/lib"|"/usr") + ;; + *) + dirs[${#dirs[@]}]=${name} + ;; + esac + name=$(dirname ${name}) + done + done + + popd >/dev/null 2>&1 + for x in ${dirs[@]} ; do + echo "%dir ${x}" + done | sort | uniq + for x in ${files[@]} ; do + echo "/${x}" + done | sort | uniq + for x in ${excludes[@]} ; do + echo "%exclude /${x}" + done +} + +findsource > build-${mainarch}/debugsource.list +finddebug ${mainarch} > build-${mainarch}/debugfiles.list +if [ -v altarch ]; then + finddebug ${altarch} > build-${altarch}/debugfiles.list +fi diff --git a/SPECS/shim-unsigned-aarch64.spec b/SPECS/shim-unsigned-aarch64.spec new file mode 100644 index 0000000..acf7f40 --- /dev/null +++ b/SPECS/shim-unsigned-aarch64.spec @@ -0,0 +1,198 @@ +%global pesign_vre 0.106-1 +%global gnuefi_vre 1:3.0.5-6 +%global openssl_vre 1.0.2j + +%global debug_package %{nil} +%global __debug_package 1 +%global _binaries_in_noarch_packages_terminate_build 0 +%global __debug_install_post %{SOURCE100} aa64 +%undefine _debuginfo_subpackages + +%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/')) +%global shimrootdir %{_datadir}/shim/ +%global shimversiondir %{shimrootdir}/%{version}-%{release} +%global efiarch aa64 +%global shimdir %{shimversiondir}/%{efiarch} + +Name: shim-unsigned-aarch64 +Version: 15 +Release: 6%{?dist} +Summary: First-stage UEFI bootloader +ExclusiveArch: aarch64 +License: BSD +URL: https://github.com/rhboot/shim +Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2 +Source1: securebootca.cer +# currently here's what's in our dbx: +# nothing. +Source2: dbx.esl + +Source100: shim-find-debuginfo.sh + +Patch0001: 0001-Make-sure-that-MOK-variables-always-get-mirrored.patch +Patch0002: 0002-mok-fix-the-mirroring-of-RT-variables.patch +Patch0003: 0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch +Patch0004: 0004-Make-VLogError-behave-as-expected.patch +Patch0005: 0005-Make-EFI-variable-copying-fatal-only-on-secureboot-e.patch +Patch0006: 0006-Make-some-things-dprint-instead-of-console_print.patch +Patch0007: 0007-shim-Properly-generate-absolute-paths-from-relative-.patch +Patch0008: 0008-shim-Prevent-shim-to-set-itself-as-a-second-stage-lo.patch +Patch0009: 0009-Fix-a-use-of-strlen-instead-of-Strlen.patch +Patch0010: 0010-translate_slashes-don-t-write-to-string-literals.patch +Patch0011: 0011-RHEL-9-disable-Wpointer-sign-for-now.patch + +BuildRequires: gcc make +BuildRequires: elfutils-libelf-devel +BuildRequires: git openssl-devel openssl +BuildRequires: pesign >= %{pesign_vre} +BuildRequires: gnu-efi >= %{gnuefi_vre} +BuildRequires: gnu-efi-devel >= %{gnuefi_vre} + +# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not +# compatible with SysV (there's no red zone under UEFI) and there isn't a +# POSIX-style C library. +# BuildRequires: OpenSSL +Provides: bundled(openssl) = %{openssl_vre} + +%global desc \ +Initial UEFI bootloader that handles chaining to a trusted full \ +bootloader under secure boot environments. +%global debug_desc \ +This package provides debug information for package %{expand:%%{name}} \ +Debug information is useful when developing applications that \ +use this package or when debugging this package. + +%description +%desc + +%package debuginfo +Summary: Debug information for shim-unsigned-aarch64 +Requires: %{name}-debugsource = %{version}-%{release} +Group: Development/Debug +AutoReqProv: 0 +BuildArch: noarch + +%description debuginfo +%debug_desc + +%package debugsource +Summary: Debug Source for shim-unsigned +Group: Development/Debug +AutoReqProv: 0 +BuildArch: noarch + +%description debugsource +%debug_desc + +%prep +%autosetup -S git -n shim-%{version} +git config --unset user.email +git config --unset user.name +mkdir build-%{efiarch} + +%build +COMMITID=$(cat commit) +MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} " +MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " +MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true " +MAKEFLAGS+="%{_smp_mflags}" +if [ -f "%{SOURCE1}" ]; then + MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" +fi +if [ -f "%{SOURCE2}" ]; then + MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}" +fi + +cd build-%{efiarch} +make ${MAKEFLAGS} DEFAULT_LOADER='\\\\grub%{efiarch}.efi' all +cd .. + +%install +COMMITID=$(cat commit) +MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} " +MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " +MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true " +if [ -f "%{SOURCE1}" ]; then + MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" +fi +if [ -f "%{SOURCE2}" ]; then + MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}" +fi + +cd build-%{efiarch} +make ${MAKEFLAGS} \ + DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \ + DESTDIR=${RPM_BUILD_ROOT} \ + install-as-data install-debuginfo install-debugsource +cd .. + +%files +%license COPYRIGHT +%dir %{shimrootdir} +%dir %{shimversiondir} +%dir %{shimdir} +%{shimdir}/*.efi +%{shimdir}/*.hash + +%files debuginfo -f build-%{efiarch}/debugfiles.list + +%files debugsource -f build-%{efiarch}/debugsource.list + +%changelog +* Tue May 26 2020 Javier Martinez Canillas - 15-6 +- Fix a shim crash when attempting to netboot + Resolves: rhbz#1840036 + +* Mon May 04 2020 Javier Martinez Canillas - 15-5 +- Fix firmware update bug in aarch64 caused by shim ignoring arguments + Resolves: rhbz#1817882 + +* Fri Jun 07 2019 Javier Martinez Canillas - 15-4 +- Add a gating.yaml file so the package can be properly gated + Related: rhbz#1682749 + +* Wed Jun 05 2019 Javier Martinez Canillas - 15-3 +- Make EFI variable copying fatal only on secureboot enabled systems + Resolves: rhbz#1704854 +- Fix booting shim from an EFI shell using a relative path + Resolves: rhbz#1717063 + +* Tue Feb 12 2019 Peter Jones - 15-2 +- Fix MoK mirroring issue which breaks kdump without intervention + Related: rhbz#1668966 + +* Thu Apr 05 2018 Peter Jones - 15-1 +- Update to shim 15 +- better checking for bad linker output +- flicker-free console if there's no error output +- improved http boot support +- better protocol re-installation +- dhcp proxy support +- tpm measurement even when verification is disabled +- REQUIRE_TPM build flag +- more reproducable builds +- measurement of everything verified through shim_verify() +- coverity and scan-build checker make targets +- misc cleanups + +* Tue Sep 19 2017 Peter Jones - 13-3 +- Actually update to the *real* 13 final. + Related: rhbz#1489604 + +* Thu Aug 31 2017 Peter Jones - 13-2 +- Actually update to 13 final. + +* Mon Aug 21 2017 Peter Jones - 13-0.1 +- Update to shim-13 test release. + +* Thu Aug 03 2017 Fedora Release Engineering - 0.9-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 0.9-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sat Feb 11 2017 Fedora Release Engineering - 0.9-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu May 12 2016 Peter Jones - - 0.9-1 +- Initial split up of -aarch64