Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2021-05-08 22:07:23
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and      /work/SRC/openSUSE:Factory/.shim.new.2988 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "shim"

Sat May  8 22:07:23 2021 rev:95 rq:891231 version:15.4

Changes:
--------
--- /work/SRC/openSUSE:Factory/shim/shim.changes        2021-05-02 
18:35:40.793059319 +0200
+++ /work/SRC/openSUSE:Factory/.shim.new.2988/shim.changes      2021-05-08 
22:07:24.353745628 +0200
@@ -1,0 +2,19 @@
+Fri May  7 08:33:49 UTC 2021 - Gary Ching-Pang Lin <g...@suse.com>
+
+- shim-install: always assume "removable" for Azure to avoid the
+  endless reset loop (bsc#1185464)
+
+-------------------------------------------------------------------
+Thu May  6 03:18:32 UTC 2021 - Gary Ching-Pang Lin <g...@suse.com>
+
+- Add shim-bsc1185621-relax-max-var-sz-check.patch to relax the
+  maximum variable size check for u-boot (bsc#1185621)
+
+-------------------------------------------------------------------
+Mon May  3 03:46:27 UTC 2021 - Gary Ching-Pang Lin <g...@suse.com>
+
+- Add shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch
+  to handle ignore_db and user_insecure_mode correctly
+  (bsc#1185441)
+
+-------------------------------------------------------------------

New:
----
  shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch
  shim-bsc1185621-relax-max-var-sz-check.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ shim.spec ++++++
--- /var/tmp/diff_new_pack.Om96XS/_old  2021-05-08 22:07:25.001742823 +0200
+++ /var/tmp/diff_new_pack.Om96XS/_new  2021-05-08 22:07:25.005742805 +0200
@@ -77,6 +77,10 @@
 Patch5:         remove_build_id.patch
 # PATCH-FIX-UPSTREAM shim-bsc1184454-allocate-mok-config-table-BS.patch 
bsc#1184454 g...@suse.com -- Allocate MOK config table as BootServicesData to 
avoid the error message from linux kernel
 Patch6:         shim-bsc1184454-allocate-mok-config-table-BS.patch
+# PATCH-FIX-UPSTREAM 
shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch 
bsc#1184454 g...@suse.com -- Handle ignore_db and user_insecure_mode correctly
+Patch7:         
shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch
+# PATCH-FIX-UPSTREAM shim-bsc1185621-relax-max-var-sz-check.patch bsc#1185621 
g...@suse.com -- Relax the maximum variable size check for u-boot
+Patch8:         shim-bsc1185621-relax-max-var-sz-check.patch
 BuildRequires:  dos2unix
 BuildRequires:  mozilla-nss-tools
 BuildRequires:  openssl >= 0.9.8
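Review bot: the PATCH-FIX-UPSTREAM comment for Patch7 cites bsc#1184454, but the patch file name and the shim.changes entry tie this fix to bsc#1185441; the bug number looks copied from the Patch6 line directly above. Suggest `# PATCH-FIX-UPSTREAM shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch bsc#1185441 g...@suse.com -- Handle ignore_db and user_insecure_mode correctly` so that the spec comment and the changelog agree when someone searches the package by bug number.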
@@ -121,6 +125,8 @@
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
+%patch8 -p1
 
 %build
 # generate the vendor SBAT metadata



++++++ shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch ++++++
From 822d07ad4f07ef66fe447a130e1027c88d02a394 Mon Sep 17 00:00:00 2001
From: Adam Williamson <awill...@redhat.com>
Date: Thu, 8 Apr 2021 22:39:02 -0700
Subject: [PATCH] Fix handling of ignore_db and user_insecure_mode

In 65be350308783a8ef537246c8ad0545b4e6ad069, import_mok_state() is split
up into a function that manages the whole mok state, and one that
handles the state machine for an individual state variable.
Unfortunately, the code that initializes the global ignore_db and
user_insecure_mode was copied from import_mok_state() into the new
import_one_mok_state() function, and thus re-initializes that state each
time it processes a MoK state variable, before even assessing if that
variable is set.  As a result, we never honor either flag, and the
machine owner cannot disable trusting the system firmware's db/dbx
databases or disable validation altogether.

This patch removes the extra re-initialization, allowing those variables
to be set properly.

Signed-off-by: Adam Williamson <awill...@redhat.com>
---
 mok.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/mok.c b/mok.c
index 5ad9072b..9e37d6ab 100644
--- a/mok.c
+++ b/mok.c
@@ -888,9 +888,6 @@ EFI_STATUS import_one_mok_state(struct mok_state_variable 
*v,
        EFI_STATUS ret = EFI_SUCCESS;
        EFI_STATUS efi_status;
 
-       user_insecure_mode = 0;
-       ignore_db = 0;
-
        UINT32 attrs = 0;
        BOOLEAN delete = FALSE;
 
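Review bot: with the two assignments removed from import_one_mok_state(), nothing in this hunk initializes user_insecure_mode or ignore_db any more; the commit message says the code was copied from import_mok_state(), so the caller is expected to still zero both before it iterates over the state variables. That caller is not part of this diff, so it is worth confirming that the original initialization survived the split in 65be350308783a8ef537246c8ad0545b4e6ad069; otherwise the flags keep whatever value the globals held at load time instead of being derived from the current MoK state. A boot test with each flag set, checking that db/dbx trust and validation are actually disabled, would close the loop on the security-relevant behaviour the message describes.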
-- 
2.31.1

++++++ shim-bsc1185621-relax-max-var-sz-check.patch ++++++
commit 690ec2419a8c2c4246450e447629adc85f9a6f40
Author: Gary Lin <g...@suse.com>
Date:   Wed May 5 11:25:07 2021 +0800

    mok: relax the maximum variable size check
    
    Some UEFI environments such as u-boot don't implement
    QueryVariableInfo(), so we couldn't rely on the function to estimate the
    available space for RT variables. All we can do is to call SetVariable()
    directly and check the return value of SetVariable().
    
    Signed-off-by: Gary Lin <g...@suse.com>

diff --git a/mok.c b/mok.c
index 5ad9072b..1f9820e7 100644
--- a/mok.c
+++ b/mok.c
@@ -351,13 +351,18 @@ mirror_mok_db(CHAR16 *name, CHAR8 *name8, EFI_GUID *guid, 
UINT32 attrs,
        SIZE_T max_var_sz;
 
        efi_status = get_max_var_sz(attrs, &max_var_sz);
-       if (EFI_ERROR(efi_status)) {
+       if (EFI_ERROR(efi_status) && efi_status != EFI_UNSUPPORTED) {
                LogError(L"Could not get maximum variable size: %r",
                         efi_status);
                return efi_status;
        }
 
-       if (FullDataSize <= max_var_sz) {
+       /* Some UEFI environment such as u-boot doesn't implement
+        * QueryVariableInfo() and we will only get EFI_UNSUPPORTED when
+        * querying the available space. In this case, we just mirror
+        * the variable directly. */
+       if (FullDataSize <= max_var_sz || efi_status == EFI_UNSUPPORTED) {
+               efi_status = EFI_SUCCESS;
                if (only_first)
                        efi_status = SetVariable(name, guid, attrs,
                                                 FullDataSize, FullData);
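Review bot: the new condition evaluates `FullDataSize <= max_var_sz` before `efi_status == EFI_UNSUPPORTED`, and `SIZE_T max_var_sz;` at the top of the hunk has no initializer; unless get_max_var_sz() is guaranteed to write *max_var_sz even when it returns EFI_UNSUPPORTED, the comparison reads an indeterminate value (undefined behaviour in C, even though the `||` makes the outcome irrelevant in practice). Swapping the operands, `if (efi_status == EFI_UNSUPPORTED || FullDataSize <= max_var_sz)`, or declaring `SIZE_T max_var_sz = 0;` avoids the read. The `efi_status = EFI_SUCCESS;` reset deserves a one-line comment explaining that it clears the EFI_UNSUPPORTED value so it cannot leak into the return path; also note that the remainder of the hunk (the branch taken when only_first is false and the handling of a variable that really exceeds max_var_sz) is cut off in this mail, so that part could not be reviewed here.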
++++++ shim-install ++++++
--- /var/tmp/diff_new_pack.Om96XS/_old  2021-05-08 22:07:25.117742320 +0200
+++ /var/tmp/diff_new_pack.Om96XS/_new  2021-05-08 22:07:25.117742320 +0200
@@ -77,6 +77,42 @@
     *) ca_string="";;
 esac
 
+is_azure () {
+    local bios_vendor;
+    local product_name;
+    local sys_vendor;
+
+    local sysfs_dmi_id="/sys/class/dmi/id"
+
+    if test -e "${sysfs_dmi_id}/bios_vendor"; then
+        bios_vendor=$(cat "${sysfs_dmi_id}/bios_vendor")
+    fi
+    if test -e "${sysfs_dmi_id}/product_name"; then
+        product_name=$(cat "${sysfs_dmi_id}/product_name")
+    fi
+    if test -e "${sysfs_dmi_id}/sys_vendor"; then
+        sys_vendor=$(cat "${sysfs_dmi_id}/sys_vendor")
+    fi
+
+    if test "x${bios_vendor}" != "xMicrosoft Corporation"; then
+       # return false
+        return 1
+    fi
+
+    if test "x${product_name}" != "xVirtual Machine"; then
+       # return false
+        return 1
+    fi
+
+    if test "x${sys_vendor}" != "xMicrosoft Corporation"; then
+       # return false
+        return 1
+    fi
+
+    # return true
+    return 0
+}
+
 usage () {
     echo "Usage: $self [OPTION] [INSTALL_DEVICE]"
     echo
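Review bot: the three `# return false` comments are indented with seven spaces while the `return 1` lines below them use eight, and the `local bios_vendor;` declarations carry trailing semicolons that the rest of the script does not use; align the comments and drop the semicolons. A single comment above the checks stating that all three DMI strings (bios_vendor, product_name, sys_vendor) must match for the host to be treated as Azure would also say more than three identical `# return false` markers. Keep in mind that the detection is purely a heuristic on /sys/class/dmi/id values, so any other environment that reports the same strings will receive the same removable-media installation.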
@@ -185,6 +221,15 @@
     esac
 done
 
+# bsc#1185464
+# The Azure firmware doesn't respect the boot option created by either
+# efibootmgr or fallback.efi so we have to skip the installation of
+# fallback.efi to avoid the endless reset loop.
+if is_azure; then
+    no_nvram=yes
+    removable=yes
+fi
+
 if test -n "$efidir"; then
     efi_fs=`"$grub_probe" --target=fs "${efidir}"`
     if test "x$efi_fs" = xfat; then :; else
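Review bot: the is_azure branch overrides no_nvram and removable after option parsing with no output, so an administrator who requested a normal installation gets a different result (no NVRAM entry, no fallback.efi) without any indication why. An informational message before the two assignments, for example `echo "Azure VM detected, installing as removable and skipping the NVRAM entry (bsc#1185464)" >&2`, would make the behaviour visible in installation logs and make the bsc reference in the comment discoverable from the console rather than only from the source.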
