Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2021-04-10 15:26:12 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.2401 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim" Sat Apr 10 15:26:12 2021 rev:93 rq:883801 version:15.4 Changes: -------- --- /work/SRC/openSUSE:Factory/shim/shim.changes 2021-03-15 10:53:43.801109986 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new.2401/shim.changes 2021-04-10 15:26:29.766316259 +0200 
@@ -1,0 +2,68 @@ +Thu Apr 8 08:44:27 UTC 2021 - Gary Ching-Pang Lin <g...@suse.com> + +- Add shim-bsc1184454-allocate-mok-config-table-BS.patch to avoid + the error message during linux system boot (bsc#1184454) + +------------------------------------------------------------------- +Wed Apr 7 12:25:02 UTC 2021 - Johannes Segitz <jseg...@suse.com> + +- Add remove_build_id.patch to prevent the build id being added to + the binary. That can cause issues with the signature + +------------------------------------------------------------------- +Wed Mar 31 08:40:49 UTC 2021 - Gary Ching-Pang Lin <g...@suse.com> + +- Update to 15.4 (bsc#1182057) + + Rename the SBAT variable and fix the self-check of SBAT + + sbat: add more dprint() + + arm/aa64: Swizzle some sections to make old sbsign happier + + arm/aa64 targets: put .rel* and .dyn* in .rodata +- Drop upstreamed patch: + + shim-bsc1182057-sbat-variable-enhancement.patch + +------------------------------------------------------------------- +Mon Mar 29 07:18:20 UTC 2021 - Gary Ching-Pang Lin <g...@suse.com> + +- Add shim-bsc1182057-sbat-variable-enhancement.patch to change + the SBAT variable name and enhance the handling of SBAT + (bsc#1182057) + +------------------------------------------------------------------- +Wed Mar 24 01:29:17 UTC 2021 - Gary Ching-Pang Lin <g...@suse.com> + +- Update to 15.3 for SBAT support (bsc#1182057) + + Drop gnu-efi from BuildRequires since upstream pull it into the + tar ball. 
+- Generate vender-specific SBAT metadata + + Add dos2unix to BuildRequires since Makefile requires it for + vendor SBAT +- Update dbx-cert.tar.xz and vendor-dbx.bin to block the following + sign keys: + + SLES-UEFI-SIGN-Certificate-2020-07.crt + + openSUSE-UEFI-SIGN-Certificate-2020-07.crt +- Refresh patches + + shim-arch-independent-names.patch + + shim-change-debug-file-path.patch + + shim-bsc1177315-verify-eku-codesign.patch + - Unified with shim-bsc1177315-fix-buffer-use-after-free.patch +- Drop upstreamed fixes + + shim-correct-license-in-headers.patch + + shim-always-mirror-mok-variables.patch + + shim-bsc1175509-more-tpm-fixes.patch + + shim-bsc1173411-only-check-efi-var-on-sb.patch + + shim-fix-verify-eku.patch + + gcc9-fix-warnings.patch + + shim-fix-gnu-efi-3.0.11.patch + + shim-bsc1177404-fix-a-use-of-strlen.patch + + shim-do-not-write-string-literals.patch + + shim-VLogError-Avoid-Null-pointer-dereferences.patch + + shim-bsc1092000-fallback-menu.patch + + shim-bsc1175509-tpm2-fixes.patch + + shim-bsc1174512-correct-license-in-headers.patch + + shim-bsc1182776-fix-crash-at-exit.patch +- Drop shim-opensuse-cert-prompt.patch + + All newly released openSUSE kernels enable kernel lockdown + and signature verification, so there is no need to add the + prompt anymore. 
+ +------------------------------------------------------------------- Old: ---- gcc9-fix-warnings.patch shim-15+git47.tar.bz2 shim-VLogError-Avoid-Null-pointer-dereferences.patch shim-always-mirror-mok-variables.patch shim-bsc1092000-fallback-menu.patch shim-bsc1173411-only-check-efi-var-on-sb.patch shim-bsc1174512-correct-license-in-headers.patch shim-bsc1175509-more-tpm-fixes.patch shim-bsc1175509-tpm2-fixes.patch shim-bsc1177315-fix-buffer-use-after-free.patch shim-bsc1177404-fix-a-use-of-strlen.patch shim-bsc1182776-fix-crash-at-exit.patch shim-correct-license-in-headers.patch shim-do-not-write-string-literals.patch shim-fix-gnu-efi-3.0.11.patch shim-fix-verify-eku.patch shim-opensuse-cert-prompt.patch New: ---- remove_build_id.patch shim-15.4.tar.bz2 shim-bsc1184454-allocate-mok-config-table-BS.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shim.spec ++++++ --- /var/tmp/diff_new_pack.wLskZp/_old 2021-04-10 15:26:30.466317083 +0200 +++ /var/tmp/diff_new_pack.wLskZp/_new 2021-04-10 15:26:30.470317088 +0200 @@ -36,7 +36,7 @@ %endif Name: shim -Version: 15+git47 +Version: 15.4 Release: 0 Summary: UEFI shim loader License: BSD-2-Clause 
@@ -67,43 +67,15 @@ Patch1: shim-arch-independent-names.patch # PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch g...@suse.com -- Change the default debug file path Patch2: shim-change-debug-file-path.patch -# PATCH-FIX-UPSTREAM shim-bsc1092000-fallback-menu.patch bsc#1092000 g...@suse.com -- Show a menu before reset -Patch3: shim-bsc1092000-fallback-menu.patch -# PATCH-FIX-UPSTREAM shim-always-mirror-mok-variables.patch g...@suse.com -- Mirror MOK variables correctly -Patch4: shim-always-mirror-mok-variables.patch -# PATCH-FIX-UPSTREAM shim-bsc1174512-correct-license-in-headers.patch g...@suse.com -- Fix the license header in errlog.c and mok.c -Patch5: shim-bsc1174512-correct-license-in-headers.patch -# PATCH-FIX-SUSE shim-correct-license-in-headers.patch g...@suse.com -- Another fix for the license header in errlog.c and mok.c -Patch51: shim-correct-license-in-headers.patch -# PATCH-FIX-UPSTREAM gcc9-fix-warnings.patch mli...@suse.cz -- MokManager: Use CompareMem on MokListNode.Type instead of CompareGuid -Patch6: gcc9-fix-warnings.patch -# PATCH-FIX-OPENSUSE shim-fix-gnu-efi-3.0.11.patch g...@suse.com -- Fix the build error caused by the typo fix in gnu-efi 3.0.11 -Patch7: shim-fix-gnu-efi-3.0.11.patch -# PATCH-FIX-UPSTREAM shim-bsc1173411-only-check-efi-var-on-sb.patch bsc#1173411 g...@suse.com -- Make EFI variable copying check only fatal on SB systems -Patch8: shim-bsc1173411-only-check-efi-var-on-sb.patch -# PATCH-FIX-UPSTREAM shim-bsc1175509-tpm2-fixes.patch bsc#1175509 g...@suse.com -- Upstream fixes for the TPM2 measurement -Patch9: shim-bsc1175509-tpm2-fixes.patch -# PATCH-FIX-UPSTREAM shim-VLogError-Avoid-Null-pointer-dereferences.patch g...@suse.com -- Fix VlogError crash in AArch64 -Patch10: shim-VLogError-Avoid-Null-pointer-dereferences.patch -# PATCH-FIX-UPSTREAM shim-fix-verify-eku.patch g...@suse.com -- Fix the potential crash at verify_eku() -Patch11: shim-fix-verify-eku.patch -# PATCH-FIX-UPSTREAM shim-do-not-write-string-literals.patch -- 
Fix the potential crash when accessing the DEFAULT_LOADER string -Patch12: shim-do-not-write-string-literals.patch -# PATCH-FIX-UPSTREAM shim-bsc1177404-fix-a-use-of-strlen.patch bsc#1177404 g...@suse.com -- Fix the length of the option data string to launch the program correctly -Patch13: shim-bsc1177404-fix-a-use-of-strlen.patch -# PATCH-FIX-UPSTREAM shim-bsc1175509-more-tpm-fixes.patch bsc#1175509 g...@suse.com -- Fix the file path in tpm event log -Patch14: shim-bsc1175509-more-tpm-fixes.patch # PATCH-FIX-SUSE shim-bsc1177315-verify-eku-codesign.patch bsc#1177315 g...@suse.com -- Verify CodeSign in the signer's EKU -Patch15: shim-bsc1177315-verify-eku-codesign.patch +Patch3: shim-bsc1177315-verify-eku-codesign.patch # PATCH-FIX-UPSTREAM shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch bsc#1177789 g...@suse.com -- Fix the NULL pointer dereference in AuthenticodeVerify() -Patch16: shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch -# PATCH-FIX-SUSE shim-bsc1177315-fix-buffer-use-after-free.patch bsc#1177315 g...@suse.com -- Fix buffer use-after-free at the end of the EKU verification -Patch17: shim-bsc1177315-fix-buffer-use-after-free.patch -# PATCH-FIX-UPSTREAM shim-bsc1182776-fix-crash-at-exit.patch bsc#1182776 g...@suse.com -- Fix the potential crash at Exit() -Patch18: shim-bsc1182776-fix-crash-at-exit.patch -# PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not -Patch100: shim-opensuse-cert-prompt.patch -BuildRequires: gnu-efi >= 3.0.3 +Patch4: shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch +# PATCH-FIX-SUSE remove_build_id.patch -- Remove the build ID to make the binary reproducible when building with AArch64 container +Patch5: remove_build_id.patch +# PATCH-FIX-UPSTREAM shim-bsc1184454-allocate-mok-config-table-BS.patch bsc#1184454 g...@suse.com -- Allocate MOK config table as BootServicesData to avoid the error message 
from linux kernel +Patch6: shim-bsc1184454-allocate-mok-config-table-BS.patch +BuildRequires: dos2unix BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 BuildRequires: pesign @@ -146,34 +118,25 @@ %patch2 -p1 %patch3 -p1 %patch4 -p1 -%ifarch x86_64 -%patch51 -p1 -%else %patch5 -p1 -%endif %patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%ifarch aarch64 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 -%patch16 -p1 -%patch17 -p1 -%patch18 -p1 -%endif -%if 0%{?is_opensuse} == 1 -%patch100 -p1 -%endif %build +# generate the vendor SBAT metadata +%if 0%{?is_opensuse} == 1 || 0%{?sle_version} == 0 +distro_id="opensuse" +distro_name="The openSUSE project" +%else +distro_id="sle" +distro_name="SUSE Linux Enterprise" +%endif +distro_sbat=1 +sbat="shim.${distro_id},${distro_sbat},${distro_name},%{name},%{version},mail:security-t...@suse.de" +echo "${sbat}" > data/sbat.vendor.csv + # first, build MokManager and fallback as they don't depend on a # specific certificate -make EFI_PATH=/usr/lib64 RELEASE=0 \ +make RELEASE=0 \ MMSTEM=MokManager FBSTEM=fallback \ MokManager.efi.debug fallback.efi.debug \ MokManager.efi fallback.efi @@ -232,7 +195,7 @@ fi openssl x509 -in $cert -outform DER -out shim-$suffix.der - make EFI_PATH=/usr/lib64 RELEASE=0 SHIMSTEM=shim \ + make RELEASE=0 SHIMSTEM=shim \ VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \ DEFAULT_LOADER="\\\\\\\\grub.efi" \ VENDOR_DBX_FILE=%{SOURCE51} \ ++++++ dbx-cert.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dbx-cert/SLES-UEFI-SIGN-Certificate-2020-07.crt new/dbx-cert/SLES-UEFI-SIGN-Certificate-2020-07.crt --- old/dbx-cert/SLES-UEFI-SIGN-Certificate-2020-07.crt 1970-01-01 01:00:00.000000000 +0100 +++ new/dbx-cert/SLES-UEFI-SIGN-Certificate-2020-07.crt 2021-02-23 08:45:49.060829628 +0100 
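Review bot: in the %build hunk of shim.spec, `distro_sbat=1` is the SBAT component generation written into data/sbat.vendor.csv and the one value in that block that has to change deliberately rather than follow %{version}; add a comment above it saying it must be raised when a fix lands after which earlier builds carrying the same entry should no longer be accepted, so the next maintainer does not treat it as a constant. In the patch-list hunk, the comment for remove_build_id.patch gives reproducibility in the AArch64 container as the reason while the changelog entry says the build id "can cause issues with the signature"; pick one rationale and use it in both places. Dropping `EFI_PATH=/usr/lib64` from both make invocations is consistent with removing the gnu-efi BuildRequires now that upstream ships gnu-efi in the tarball.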
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +-----END CERTIFICATE----- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dbx-cert/openSUSE-UEFI-SIGN-Certificate-2020-07.crt
new/dbx-cert/openSUSE-UEFI-SIGN-Certificate-2020-07.crt --- old/dbx-cert/openSUSE-UEFI-SIGN-Certificate-2020-07.crt 1970-01-01 01:00:00.000000000 +0100 +++ new/dbx-cert/openSUSE-UEFI-SIGN-Certificate-2020-07.crt 2021-02-23 08:47:11.017468066 +0100 
@@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +-----END CERTIFICATE----- ++++++ remove_build_id.patch ++++++ Index: shim/shim-15.4/gnu-efi/Make.defaults =================================================================== --- shim-15.4.orgi/gnu-efi/Make.defaults +++ shim-15.4/gnu-efi/Make.defaults
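Review bot: the two files added to dbx-cert are the 2020-07 SLES and openSUSE signing certificates the changelog says are now blocked, but vendor-dbx.bin shows up only as "Binary files ... differ", so nothing in the diff ties the binary to exactly these two .crt files. Record the command used to generate vendor-dbx.bin from dbx-cert in the changelog or in a spec comment so the two artifacts can be checked against each other on the next dbx update.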
@@ -205,8 +205,7 @@ ARFLAGS := rDv endif ASFLAGS += $(ARCH3264) -LDFLAGS += -nostdlib --warn-common --no-undefined --fatal-warnings \ - --build-id=sha1 +LDFLAGS += -nostdlib --warn-common --no-undefined --fatal-warnings ifneq ($(ARCH),arm) export LIBGCC=$(shell $(CC) $(CFLAGS) $(ARCH3264) -print-libgcc-file-name) Index: shim/shim-15.4/Make.defaults =================================================================== --- shim-15.4.orig/Make.defaults +++ shim-15.4/Make.defaults @@ -184,7 +184,7 @@ ifneq ($(origin VENDOR_DBX_FILE), undefi DEFINES += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\" endif -LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(LOCAL_EFI_PATH) -L$(LIBDIR) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) --build-id=sha1 $(ARCH_LDFLAGS) --no-undefined +LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(LOCAL_EFI_PATH) -L$(LIBDIR) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) $(ARCH_LDFLAGS) --no-undefined ifneq ($(DEBUG),) export DEBUG ++++++ shim-15+git47.tar.bz2 -> shim-15.4.tar.bz2 ++++++ ++++ 226326 lines of diff (skipped) ++++++ shim-arch-independent-names.patch ++++++ --- /var/tmp/diff_new_pack.wLskZp/_old 2021-04-10 15:26:31.518318320 +0200 +++ /var/tmp/diff_new_pack.wLskZp/_new 2021-04-10 15:26:31.518318320 +0200 @@ -1,4 +1,4 @@ -From b0fc750ab3af4883a7124229398a758837a4e7ce Mon Sep 17 00:00:00 2001 +From 71ca8f761fb5434ef65895345d96ccf063da7d66 Mon Sep 17 00:00:00 2001 From: Gary Lin <g...@suse.com> Date: Tue, 22 Aug 2017 12:43:36 +0800 Subject: [PATCH] Make the names of EFI binaries arch-independent @@ -16,10 +16,10 @@ 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/fallback.c b/fallback.c -index c3f5583..01f2ae4 100644 +index fc81c5e4..44b2d464 100644 --- a/fallback.c +++ b/fallback.c -@@ -999,7 +999,7 @@ debug_hook(void) +@@ -1058,7 +1058,7 @@ debug_hook(void) x = 1; console_print(L"add-symbol-file "DEBUGDIR @@ -29,10 +29,10 @@ } 
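Review bot: the first file header of remove_build_id.patch reads `--- shim-15.4.orgi/gnu-efi/Make.defaults` while the second hunk uses `shim-15.4.orig/Make.defaults`; with `%patch5 -p1` the prefix is stripped so the hunk still applies, but fix the typo for consistency. The patch also carries no description at all (it starts at `Index:`), unlike the other patches in the package, which have a From/Subject/message; add a header stating why `--build-id=sha1` is removed from both the gnu-efi and the shim LDFLAGS, because the spec comment (reproducibility in the AArch64 container) and the changelog (issues with the signature) currently give different reasons.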
diff --git a/shim.c b/shim.c -index fcc11eb..248c946 100644 +index 765c9254..6751a2bc 100644 --- a/shim.c +++ b/shim.c -@@ -2554,7 +2554,7 @@ debug_hook(void) +@@ -1811,7 +1811,7 @@ debug_hook(void) FreePool(data); console_print(L"add-symbol-file "DEBUGDIR @@ -42,11 +42,11 @@ console_print(L"Pausing for debugger attachment.\n"); diff --git a/shim.h b/shim.h -index 2b359d8..d9c60f5 100644 +index 0a6c8cfa..b9c3c4d8 100644 --- a/shim.h +++ b/shim.h -@@ -92,8 +92,8 @@ - #endif +@@ -105,8 +105,8 @@ + #define DEBUGSRC L"/usr/src/debug/shim-" VERSIONSTR "." EFI_ARCH #endif -#define FALLBACK L"\\fb" EFI_ARCH L".efi" @@ -54,8 +54,8 @@ +#define FALLBACK L"\\fallback.efi" +#define MOK_MANAGER L"\\MokManager.efi" - #include "include/configtable.h" - #include "include/console.h" + #if defined(VENDOR_DB_FILE) + # define vendor_authorized vendor_db -- -2.19.2 +2.29.2 ++++++ shim-bsc1177315-verify-eku-codesign.patch ++++++ --- /var/tmp/diff_new_pack.wLskZp/_old 2021-04-10 15:26:31.530318334 +0200 +++ /var/tmp/diff_new_pack.wLskZp/_new 2021-04-10 15:26:31.534318339 +0200 @@ -1,4 +1,4 @@ -From b27f96477647c0a055e97f1f9a9cffba354dad6f Mon Sep 17 00:00:00 2001 +From 6ff890bf0af9d37acc6ea8ad64f597060e8bb143 Mon Sep 17 00:00:00 2001 From: Gary Lin <g...@suse.com> Date: Wed, 14 Oct 2020 14:31:12 +0800 Subject: [PATCH] Enforce EKU CodeSign extension check @@ -8,22 +8,25 @@ This commit borrows VerifyEKUsInPkcs7Signature() from edk2 and enforces the CodeSign check in Pkcs7Verify(). ++ Also merged the buffer use-after-free fix (*) + +(*) https://bugzilla.tianocore.org/show_bug.cgi?id=2459 
Signed-off-by: Gary Lin <g...@suse.com> --- Cryptlib/InternalCryptLib.h | 32 ++ Cryptlib/Library/BaseCryptLib.h | 40 +++ Cryptlib/Makefile | 1 + - Cryptlib/Pk/CryptPkcs7Verify.c | 11 + - Cryptlib/Pk/CryptPkcs7VerifyEku.c | 520 ++++++++++++++++++++++++++++++ - 5 files changed, 604 insertions(+) + Cryptlib/Pk/CryptPkcs7Verify.c | 10 + + Cryptlib/Pk/CryptPkcs7VerifyEku.c | 516 ++++++++++++++++++++++++++++++ + 5 files changed, 599 insertions(+) create mode 100644 Cryptlib/Pk/CryptPkcs7VerifyEku.c diff --git a/Cryptlib/InternalCryptLib.h b/Cryptlib/InternalCryptLib.h -index 8cccf72..026793f 100644 +index e9a4c20..8c9a2a4 100644 --- a/Cryptlib/InternalCryptLib.h +++ b/Cryptlib/InternalCryptLib.h -@@ -33,4 +33,36 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. +@@ -30,5 +30,37 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #define OBJ_length(o) ((o)->length) #endif @@ -60,6 +63,7 @@ + ); + #endif + diff --git a/Cryptlib/Library/BaseCryptLib.h b/Cryptlib/Library/BaseCryptLib.h index 2df8bd2..ed482d3 100644 --- a/Cryptlib/Library/BaseCryptLib.h @@ -112,10 +116,10 @@ Extracts the attached content from a PKCS#7 signed data if existed. The input signed data could be wrapped in a ContentInfo structure. diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile -index 2aa5695..0147587 100644 +index 18a33b1..a1d8b02 100644 --- a/Cryptlib/Makefile +++ b/Cryptlib/Makefile -@@ -38,6 +38,7 @@ OBJS = Hash/CryptMd4Null.o \ +@@ -41,6 +41,7 @@ OBJS = Hash/CryptMd4Null.o \ Pk/CryptRsaExtNull.o \ Pk/CryptPkcs7SignNull.o \ Pk/CryptPkcs7Verify.o \ @@ -124,20 +128,19 @@ Pk/CryptTs.o \ Pk/CryptX509.o \ diff --git a/Cryptlib/Pk/CryptPkcs7Verify.c b/Cryptlib/Pk/CryptPkcs7Verify.c -index cbd9669..b3ef356 100644 +index 09895d8..da15be2 100644 --- a/Cryptlib/Pk/CryptPkcs7Verify.c 
+++ b/Cryptlib/Pk/CryptPkcs7Verify.c -@@ -30,6 +30,9 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. +@@ -29,6 +29,8 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + #include <openssl/pkcs7.h> UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 }; - +/* EKU CodeSign */ +CHAR8 mOidCodeSign[] = "1.3.6.1.5.5.7.3.3"; -+ - BOOLEAN ca_warning; - void -@@ -812,6 +815,8 @@ Pkcs7Verify ( + #if 1 + #if OPENSSL_VERSION_NUMBER < 0x10100000L +@@ -846,6 +848,8 @@ Pkcs7Verify ( CONST UINT8 *Temp; UINTN SignedDataSize; BOOLEAN Wrapped; @@ -146,7 +149,7 @@ // // Check input parameters. -@@ -825,6 +830,7 @@ Pkcs7Verify ( +@@ -859,6 +863,7 @@ Pkcs7Verify ( DataBio = NULL; Cert = NULL; CertStore = NULL; @@ -154,7 +157,7 @@ // // Register & Initialize necessary digest algorithms for PKCS#7 Handling -@@ -924,6 +930,11 @@ Pkcs7Verify ( +@@ -958,6 +963,11 @@ Pkcs7Verify ( // X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY); @@ -168,10 +171,10 @@ // diff --git a/Cryptlib/Pk/CryptPkcs7VerifyEku.c b/Cryptlib/Pk/CryptPkcs7VerifyEku.c new file mode 100644 -index 0000000..d086886 +index 0000000..2c172e2 --- /dev/null +++ b/Cryptlib/Pk/CryptPkcs7VerifyEku.c -@@ -0,0 +1,520 @@ +@@ -0,0 +1,516 @@ +/** @file + This module verifies that Enhanced Key Usages (EKU's) are present within + a PKCS7 signature blob using OpenSSL. @@ -681,10 +684,6 @@ + free (SignedData); + } + -+ if (SignerCert != NULL) { -+ X509_free (SignerCert); -+ } -+ + if (Pkcs7 != NULL) { + PKCS7_free (Pkcs7); + } @@ -693,5 +692,5 @@ +} + -- -2.28.0 +2.29.2 ++++++ shim-bsc1184454-allocate-mok-config-table-BS.patch ++++++ >From 33ca95024aa7e33218da5882d30b3ec690a11046 Mon Sep 17 00:00:00 2001 
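Review bot: the merged use-after-free fix in the refreshed shim-bsc1177315-verify-eku-codesign.patch is the removal of the `if (SignerCert != NULL) { X509_free (SignerCert); }` block in the cleanup path of CryptPkcs7VerifyEku.c, and the only explanation is the new "(*) https://bugzilla.tianocore.org/show_bug.cgi?id=2459" line in the commit message; put a one-line comment at that spot in the code saying SignerCert must not be freed there and citing that bug, otherwise a later refresh of this patch is likely to reintroduce the free.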
From: Gary Lin <g...@suse.com> Date: Thu, 8 Apr 2021 16:23:03 +0800 Subject: [PATCH] mok: allocate MOK config table as BootServicesData Linux kernel is picky when reserving the memory for x86 and it only expects BootServicesData: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/platform/efi/quirks.c?h=v5.11#n254 Otherwise, the following error would show during system boot: Apr 07 12:31:56.743925 localhost kernel: efi: Failed to lookup EFI memory descriptor for 0x000000003dcf8000 Although BootServicesData would be reclaimed after ExitBootService(), linux kernel reserves MOK config table when it detects the existence of the table, so it's fine to allocate the table as BootServicesData. Signed-off-by: Gary Lin <g...@suse.com> --- mok.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mok.c b/mok.c index 5ad9072b..fc1ee04d 100644 --- a/mok.c +++ b/mok.c @@ -1002,7 +1002,7 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) npages = ALIGN_VALUE(config_sz, PAGE_SIZE) >> EFI_PAGE_SHIFT; config_table = NULL; efi_status = gBS->AllocatePages(AllocateAnyPages, - EfiRuntimeServicesData, + EfiBootServicesData, npages, (EFI_PHYSICAL_ADDRESS *)&config_table); if (EFI_ERROR(efi_status) || !config_table) { -- 2.29.2 ++++++ shim-change-debug-file-path.patch ++++++ --- /var/tmp/diff_new_pack.wLskZp/_old 2021-04-10 15:26:31.562318372 +0200 +++ /var/tmp/diff_new_pack.wLskZp/_new 2021-04-10 15:26:31.562318372 +0200 @@ -1,4 +1,4 @@ -From e766e3943fa8513c1afe01e69e8aa6ec14067028 Mon Sep 17 00:00:00 2001 +From ac7e88b1f2219ec2b09c9596e6f7d5911e5f6ffd Mon Sep 17 00:00:00 2001 From: Gary Lin <g...@suse.com> Date: Thu, 4 Jan 2018 12:28:37 +0800 Subject: [PATCH] Use our own debug path @@ -6,21 +6,49 @@ Signed-off-by: Gary Lin <g...@suse.com> --- Make.defaults | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) + fallback.c | 2 +- + shim.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) 
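Review bot: the switch from EfiRuntimeServicesData to EfiBootServicesData in import_mok_state() is justified only in the commit message (the x86 kernel quirk in arch/x86/platform/efi/quirks.c expects BootServicesData); add a short comment at the AllocatePages call giving that reason, because a reader of mok.c would otherwise expect a table handed to the OS to need runtime memory. The message also notes that BootServicesData is reclaimed after ExitBootServices(), so the fix relies on the kernel detecting and reserving the MOK config table first; that dependency belongs in the same comment.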
diff --git a/Make.defaults b/Make.defaults -index bbfc1d7..1cec0e1 100644 +index bef3cb51..d88367e3 100644 --- a/Make.defaults +++ b/Make.defaults -@@ -119,7 +119,7 @@ SHIMHASHNAME = $(SHIMSTEM).hash - BOOTEFINAME ?= BOOT$(ARCH_SUFFIX_UPPER).EFI +@@ -167,7 +167,7 @@ BOOTEFINAME ?= BOOT$(ARCH_SUFFIX_UPPER).EFI BOOTCSVNAME ?= BOOT$(ARCH_SUFFIX_UPPER).CSV --CFLAGS += "-DEFI_ARCH=L\"$(ARCH_SUFFIX)\"" "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/$(ARCH_SUFFIX)-$(VERSION)$(DASHRELEASE)/\"" -+CFLAGS += "-DEFI_ARCH=L\"$(ARCH_SUFFIX)\"" "-DDEBUGDIR=L\"/usr/lib/debug/usr/lib64/efi/shim.debug\"" + DEFINES += -DEFI_ARCH='L"$(ARCH_SUFFIX)"' \ +- -DDEBUGDIR='L"/usr/lib/debug/usr/share/shim/$(ARCH_SUFFIX)-$(VERSION)$(DASHRELEASE)/"' ++ -DDEBUGDIR=L\"/usr/lib/debug/usr/share/efi/"$(ARCH)/"\" - ifneq ($(origin VENDOR_CERT_FILE), undefined) - CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\" + ifneq ($(origin VENDOR_DB_FILE), undefined) + DEFINES += -DVENDOR_DB_FILE=\"$(VENDOR_DB_FILE)\" +diff --git a/fallback.c b/fallback.c +index 44b2d464..8e0de901 100644 +--- a/fallback.c ++++ b/fallback.c +@@ -1058,7 +1058,7 @@ debug_hook(void) + + x = 1; + console_print(L"add-symbol-file "DEBUGDIR +- L"fallback.efi.debug %p -s .data %p\n", ++ L"fallback.debug %p -s .data %p\n", + &_etext, &_edata); + } + +diff --git a/shim.c b/shim.c +index 1d539855..f8d2ba5f 100644 +--- a/shim.c ++++ b/shim.c +@@ -1818,7 +1818,7 @@ debug_hook(void) + FreePool(data); + + console_print(L"add-symbol-file "DEBUGDIR +- L"shim.efi.debug 0x%08x -s .data 0x%08x\n", ++ L"shim.debug 0x%08x -s .data 0x%08x\n", + &_text, &_data); + + console_print(L"Pausing for debugger attachment.\n"); -- -2.19.2 +2.29.2 ++++++ vendor-dbx.bin ++++++ Binary files /var/tmp/diff_new_pack.wLskZp/_old and /var/tmp/diff_new_pack.wLskZp/_new differ
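Review bot: the refreshed DEBUGDIR define mixes quoting styles: `-DDEBUGDIR=L\"/usr/lib/debug/usr/share/efi/"$(ARCH)/"\"` relies on the shell stripping the inner double quotes around `$(ARCH)/`, whereas the removed line and the neighbouring `-DEFI_ARCH='L"$(ARCH_SUFFIX)"'` use the single-quoted form; `-DDEBUGDIR='L"/usr/lib/debug/usr/share/efi/$(ARCH)/"'` yields the same macro and matches the surrounding line. The spec comment for this patch still says only "Change the default debug file path", but the patch now also renames the symbol files from fallback.efi.debug and shim.efi.debug to fallback.debug and shim.debug in fallback.c and shim.c; update the comment so the rename is visible from the spec.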