Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2021-05-08 22:07:23 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.2988 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim" Sat May 8 22:07:23 2021 rev:95 rq:891231 version:15.4 Changes: -------- --- /work/SRC/openSUSE:Factory/shim/shim.changes 2021-05-02 18:35:40.793059319 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.2988/shim.changes 2021-05-08 22:07:24.353745628 +0200 @@ -1,0 +2,19 @@ +Fri May 7 08:33:49 UTC 2021 - Gary Ching-Pang Lin <g...@suse.com> + +- shim-install: always assume "removable" for Azure to avoid the + endless reset loop (bsc#1185464) + +------------------------------------------------------------------- +Thu May 6 03:18:32 UTC 2021 - Gary Ching-Pang Lin <g...@suse.com> + +- Add shim-bsc1185621-relax-max-var-sz-check.patch to relax the + maximum variable size check for u-boot (bsc#1185621) + +------------------------------------------------------------------- +Mon May 3 03:46:27 UTC 2021 - Gary Ching-Pang Lin <g...@suse.com> + +- Add shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch + to handle ignore_db and user_insecure_mode correctly + (bsc#1185441) + +------------------------------------------------------------------- New: ---- shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch shim-bsc1185621-relax-max-var-sz-check.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shim.spec ++++++ --- /var/tmp/diff_new_pack.Om96XS/_old 2021-05-08 22:07:25.001742823 +0200 +++ /var/tmp/diff_new_pack.Om96XS/_new 2021-05-08 22:07:25.005742805 +0200 
@@ -77,6 +77,10 @@ Patch5: remove_build_id.patch # PATCH-FIX-UPSTREAM shim-bsc1184454-allocate-mok-config-table-BS.patch bsc#1184454 g...@suse.com -- Allocate MOK config table as BootServicesData to avoid the error message from linux kernel Patch6: shim-bsc1184454-allocate-mok-config-table-BS.patch +# PATCH-FIX-UPSTREAM shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch bsc#1184454 g...@suse.com -- Handle ignore_db and user_insecure_mode correctly +Patch7: shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch +# PATCH-FIX-UPSTREAM shim-bsc1185621-relax-max-var-sz-check.patch bsc#1185621 g...@suse.com -- Relax the maximum variable size check for u-boot +Patch8: shim-bsc1185621-relax-max-var-sz-check.patch BuildRequires: dos2unix BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 @@ -121,6 +125,8 @@ %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 +%patch8 -p1 %build # generate the vendor SBAT metadata ++++++ shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch ++++++ >From 822d07ad4f07ef66fe447a130e1027c88d02a394 Mon Sep 17 00:00:00 2001 
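Review bot: The PATCH-FIX-UPSTREAM tag added for Patch7 cites `bsc#1184454`, which is the bug number of the Patch6 line right above it, while the patch file name and the changelog entry both give bsc#1185441; the line should read `# PATCH-FIX-UPSTREAM shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch bsc#1185441 g...@suse.com -- Handle ignore_db and user_insecure_mode correctly`. The Patch8 tag is consistent with its file name. These tags are what reviewers and tooling use to trace a carried patch back to its bug, so a copy-paste of the wrong number is worth fixing before it is propagated.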
From: Adam Williamson <awill...@redhat.com> Date: Thu, 8 Apr 2021 22:39:02 -0700 Subject: [PATCH] Fix handling of ignore_db and user_insecure_mode In 65be350308783a8ef537246c8ad0545b4e6ad069, import_mok_state() is split up into a function that manages the whole mok state, and one that handles the state machine for an individual state variable. Unfortunately, the code that initializes the global ignore_db and user_insecure_mode was copied from import_mok_state() into the new import_one_mok_state() function, and thus re-initializes that state each time it processes a MoK state variable, before even assessing if that variable is set. As a result, we never honor either flag, and the machine owner cannot disable trusting the system firmware's db/dbx databases or disable validation altogether. This patch removes the extra re-initialization, allowing those variables to be set properly. Signed-off-by: Adam Williamson <awill...@redhat.com> --- mok.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/mok.c b/mok.c index 5ad9072b..9e37d6ab 100644 --- a/mok.c +++ b/mok.c @@ -888,9 +888,6 @@ EFI_STATUS import_one_mok_state(struct mok_state_variable *v, EFI_STATUS ret = EFI_SUCCESS; EFI_STATUS efi_status; - user_insecure_mode = 0; - ignore_db = 0; - UINT32 attrs = 0; BOOLEAN delete = FALSE; -- 2.31.1 ++++++ shim-bsc1185621-relax-max-var-sz-check.patch ++++++ commit 690ec2419a8c2c4246450e447629adc85f9a6f40 Author: Gary Lin <g...@suse.com> Date: Wed May 5 11:25:07 2021 +0800 mok: relax the maximum variable size check Some UEFI environment such as u-boot doesn't implement QueryVariableInfo(), so we couldn't rely on the function to estimate the available space for RT variables. All we can do is to call SetVariable() directly and check the return value of SetVariable(). Signed-off-by: Gary Lin <g...@suse.com> diff --git a/mok.c b/mok.c index 5ad9072b..1f9820e7 100644 --- a/mok.c +++ b/mok.c 
@@ -351,13 +351,18 @@ mirror_mok_db(CHAR16 *name, CHAR8 *name8, EFI_GUID *guid, UINT32 attrs, SIZE_T max_var_sz; efi_status = get_max_var_sz(attrs, &max_var_sz); - if (EFI_ERROR(efi_status)) { + if (EFI_ERROR(efi_status) && efi_status != EFI_UNSUPPORTED) { LogError(L"Could not get maximum variable size: %r", efi_status); return efi_status; } - if (FullDataSize <= max_var_sz) { + /* Some UEFI environment such as u-boot doesn't implement + * QueryVariableInfo() and we will only get EFI_UNSUPPORTED when + * querying the available space. In this case, we just mirror + * the variable directly. */ + if (FullDataSize <= max_var_sz || efi_status == EFI_UNSUPPORTED) { + efi_status = EFI_SUCCESS; if (only_first) efi_status = SetVariable(name, guid, attrs, FullDataSize, FullData); ++++++ shim-install ++++++ --- /var/tmp/diff_new_pack.Om96XS/_old 2021-05-08 22:07:25.117742320 +0200 +++ /var/tmp/diff_new_pack.Om96XS/_new 2021-05-08 22:07:25.117742320 +0200 @@ -77,6 +77,42 @@ *) ca_string="";; esac +is_azure () { + local bios_vendor; + local product_name; + local sys_vendor; + + local sysfs_dmi_id="/sys/class/dmi/id" + + if test -e "${sysfs_dmi_id}/bios_vendor"; then + bios_vendor=$(cat "${sysfs_dmi_id}/bios_vendor") + fi + if test -e "${sysfs_dmi_id}/product_name"; then + product_name=$(cat "${sysfs_dmi_id}/product_name") + fi + if test -e "${sysfs_dmi_id}/sys_vendor"; then + sys_vendor=$(cat "${sysfs_dmi_id}/sys_vendor") + fi + + if test "x${bios_vendor}" != "xMicrosoft Corporation"; then + # return false + return 1 + fi + + if test "x${product_name}" != "xVirtual Machine"; then + # return false + return 1 + fi + + if test "x${sys_vendor}" != "xMicrosoft Corporation"; then + # return false + return 1 + fi + + # return true + return 0 +} + usage () { echo "Usage: $self [OPTION] [INSTALL_DEVICE]" echo 
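Review bot: `max_var_sz` is read in the new condition even on the EFI_UNSUPPORTED path, where get_max_var_sz() has failed and (its body is outside the hunk) may not have assigned it, so `FullDataSize <= max_var_sz` can compare an indeterminate value before the `||` reaches the status check. Either initialise the declaration, `SIZE_T max_var_sz = 0;`, or test the status first, `if (efi_status == EFI_UNSUPPORTED || FullDataSize <= max_var_sz) {`, so the size is only compared when it was actually obtained. It is also worth a comment in the hunk that on the unsupported path the size guard no longer bounds the write and an oversized mirror is caught only by SetVariable()'s return value, since the reader of efi_status after this point, including the `!only_first` branch, lies outside the hunk. mirror_mok_db's body continues past the hunk.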
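Review bot: The `test -e` guards in is_azure() only check existence, so an entry under /sys/class/dmi/id that exists but is not readable makes `cat` print an error to stderr even though the function still correctly ends up returning 1; `test -r "${sysfs_dmi_id}/bios_vendor"` (and likewise for product_name and sys_vendor) expresses the intent without changing the outcome. The trailing semicolons on the three `local` declarations are harmless but inconsistent with the `local sysfs_dmi_id=...` line a few lines below. The three identical `!=` blocks could be folded into one `||` test that returns 1, which would make the all-three-must-match rule visible at a glance.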
@@ -185,6 +221,15 @@ esac done +# bsc#1185464 +# The Azure firmware doesn't respect the boot option created by either +# efibootmgr or fallback.efi so we have to skip the installation of +# fallback.efi to avoid the endless reset loop. +if is_azure; then + no_nvram=yes + removable=yes +fi + if test -n "$efidir"; then efi_fs=`"$grub_probe" --target=fs "${efidir}"` if test "x$efi_fs" = xfat; then :; else
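Review bot: The Azure override forces `no_nvram=yes` and `removable=yes` silently after option parsing, so an administrator who never asked for a removable-media install gets one with no indication on the console and no way to opt out. Since the decision rests on DMI strings reported by the platform firmware, announcing it would make the behaviour diagnosable, e.g. `echo "Azure VM detected: installing as removable media, skipping NVRAM boot entry (bsc#1185464)" >&2` inside the `if`. Whether an explicit opt-out switch is wanted depends on the option parsing above the hunk, which is outside it; `no_nvram` and `removable` are consumed later in the script, also outside the hunk.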