commit shim for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2024-07-02 18:15:29 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.18349 (New) Package is "shim" Tue Jul 2 18:15:29 2024 rev:121 rq:1184771 version:15.8 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2024-04-02 16:38:41.216993558 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.18349/shim.changes 2024-07-02 18:15:30.681358825 +0200 @@ -1,0 +2,13 @@ +Tue Jun 25 04:12:39 UTC 2024 - Dennis Tseng + +- Update asc files of shim-15.8 after being signed back from + Microsoft, including: + signature-opensuse.x86_64.asc, + signature-opensuse.aarch64.asc, + signature-sles.x86_64.asc, + signature-sles.aarch64.asc. + +- Enable aarch64 signature comparison which was disabled temporarily + before. Now, we got a real one. So it is enabled again. + +--- Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.25LOH1/_old 2024-07-02 18:15:31.665394834 +0200 +++ /var/tmp/diff_new_pack.25LOH1/_new 2024-07-02 18:15:31.669394980 +0200 @@ -192,7 +192,8 @@ # AArch64 signature # Disable AArch64 signature attachment temporarily # until we get a real one. - #signature=%{SOURCE12} +# Now, we got a real one. So enable it again. + signature=%{SOURCE12} %endif elif test "$suffix" = "sles"; then cert=%{SOURCE4} ++ signature-opensuse.aarch64.asc ++ --- /var/tmp/diff_new_pack.25LOH1/_old 2024-07-02 18:15:31.881402738 +0200 +++ /var/tmp/diff_new_pack.25LOH1/_new 2024-07-02 18:15:31.885402885 +0200 
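Review bot: The comment block above `signature=%{SOURCE12}` now contradicts itself, because the old `# Disable AArch64 signature attachment temporarily` / `# until we get a real one.` lines are kept and `# Now, we got a real one. So enable it again.` is appended beneath them. Replace the three lines with a single current statement such as `# AArch64: attach the Microsoft-signed signature from %{SOURCE12}`, so the next reader does not have to reconstruct the history from stale text. The new signature-opensuse.aarch64.asc carries a `hash:` line for the binary Microsoft signed; if the signature comparison the changelog says is re-enabled does not already fail the build when the rebuilt shim.efi differs from that hash, it should, since an Authenticode signature over a non-matching image is rejected by Secure Boot verification and the failure would otherwise surface only at boot.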
@@ -1,189 +1,211 @@ -hash: 96275dfd6282a522b011177ee049296952ac794832091f937fbbf92869028629 -# 2069-04-10 06:07:54 -timestamp: babababa -linker: 2002 -checksum: ef25 +hash: 15854cd77be6b61bb6d22b4d448fe9b2d5d06dfa67d8161b6497e10af5b1bfb3 +# 1970-01-01 00:00:00 +timestamp: 0 +linker: 2902 +checksum: e2b1 -BEGIN AUTHENTICODE SIGNATURE- -MIIhwQYJKoZIhvcNAQcCoIIhsjCCIa4CAQExDzANBglghkgBZQMEAgEFADBcBgor +MIIl/AYJKoZIhvcNAQcCoIIl7TCCJekCAQExDzANBglghkgBZQMEAgEFADBcBgor BgEEAYI3AgEEoE4wTDAXBgorBgEEAYI3AgEPMAkDAQCgBKICgAAwMTANBglghkgB -ZQMEAgEFAAQglidd/WKCpSKwERd+4EkpaVKseUgyCR+Tf7v5KGkChimgggs8MIIF -JDCCBAygAwIBAgITMwAAABjnMIN/Ryp7WwABGDANBgkqhkiG9w0BAQsFADCB +ZQMEAgEFAAQgFYVM13vmthu20itNRI/pstXQbfpn2BYbZJfhCvWxv7OgggszMIIF +GzCCBAOgAwIBAgITMwAAAF4N6/Cb7d174QABXjANBgkqhkiG9w0BAQsFADCB gTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMi -TWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTAeFw0xNTEwMjgyMDQz -MzdaFw0xNzAxMjgyMDQzMzdaMIGVMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz +TWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTAeFw0yMzEwMTkxOTUz +MjNaFw0yNDEwMTYxOTUzMjNaMIGGMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv -cnBvcmF0aW9uMQ0wCwYDVQQLEwRNT1BSMTAwLgYDVQQDEydNaWNyb3NvZnQgV2lu -ZG93cyBVRUZJIERyaXZlciBQdWJsaXNoZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB -DwAwggEKAoIBAQCxZkprRvykOB1+X8MMpDVlB36RVafGyaZ8Dsl5/8U92WKQvqdx -T7SsnmbDv9TNSndVGzFvH5p4dn1Q/52kuDMpwpjGUqTWrx1+jrZOYrb02uTL/+QZ -H/nxW96fPJqKIEnqe16lLp2WCjT6J7AzckF67KEW6voOzXITZLP8t3OCqNWIWXy3 -ABLiZllI3O+VAwmRlosEmPYcD2qM3KxhPNvT+GZ2gb+FrLKvuRNxpHK0iZBxnrSg -SnTlSfqzOAf9LWP6f4ajn04tdPOCRh3xuPM/bHJlCS40hBH2hYAV40s1vKTL8/Uf -lTVdaBrq6f6NZAc4RFWnQgc/32xiYIcQ6AmjAgMBAAGjggF9MIIBeTAfBgNVHSUE -GDAWBggrBgEFBQcDAwYKKwYBBAGCN1ACATAdBgNVHQ4EFgQUI3JhxfMYweN5Brdl -fggzjB4hb1owUQYDVR0RBEowSKRGMEQxDTALBgNVBAsTBE1PUFIxMzAxBgNVBAUT -KjMxNjE5K2UyOTg0YTM1LWNmNGYtNDEwZC04ZWMzLTcxOTYxNWJmOGMxYjAfBgNV 
-HSMEGDAWgBQTrb9DCb2CcJyM1U8xbtUimIob1DBTBgNVHR8ETDBKMEigRqBEhkJo -dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNDb3JVRUZDQTIw -MTFfMjAxMS0wNi0yNy5jcmwwYAYIKwYBBQUHAQEEVDBSMFAGCCsGAQUFBzAChkRo -dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvclVFRkNB -MjAxMV8yMDExLTA2LTI3LmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUA -A4IBAQBxu75jhm/XBbQkp7pR8jykioQZc4KXLTqPQ1l/Z5KO1yY6oKImgbidhR3b -ZV+cz5MqktoNxsf0Pt7WVxbuZe0nOe8UC7ldmH3NwbfukTSr0CNw4Sw+unFmLxDo -g3BhCstsmP/yfDizuCkzPXVCjoBK3tCbNIZxfUEYjwSJAsFpeHvPEJlse2beTfpb -ghe9sCMUOT2yiKjf+1tbY6FNeB6/DvpaxkBYX99jcLy1KHD5LWcoIjEREhFybILA -mhoagQQ7upVbQLvJHAMyctmHUh432Kod0PpUUTwSrMChSAgB0t+l5DinGgowpoSj -kjMiS55xRj22uZpnBzckogBCW0LGMIIGEDCCA/igAwIBAgIKYQjTxAAABDAN -BgkqhkiG9w0BAQsFADCBkTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0 -b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3Jh -dGlvbjE7MDkGA1UEAxMyTWljcm9zb2Z0IENvcnBvcmF0aW9uIFRoaXJkIFBhcnR5 -IE1hcmtldHBsYWNlIFJvb3QwHhcNMTEwNjI3MjEyMjQ1WhcNMjYwNjI3MjEz
commit shim for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2024-04-02 16:38:25 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.1905 (New) Package is "shim" Tue Apr 2 16:38:25 2024 rev:120 rq:1164003 version:15.8 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2024-03-06 23:03:27.222968378 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new.1905/shim.changes 2024-04-02 16:38:41.216993558 +0200 @@ -1,0 +2,7 @@ +Tue Apr 2 03:09:15 UTC 2024 - Gary Ching-Pang Lin + +- Introduce %shim_use_fde_tpm_helper macro so that the project + can include the fde-tpm-helper-macros for the build targets + other than Tumbleweed + +--- Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.tj23i1/_old 2024-04-02 16:38:42.057024513 +0200 +++ /var/tmp/diff_new_pack.tj23i1/_new 2024-04-02 16:38:42.057024513 +0200 @@ -35,6 +35,10 @@ %endif %endif +%if 0%{?suse_version} >= 1600 +%define shim_use_fde_tpm_helper 1 +%endif + Name: shim Version:15.8 Release:0 @@ -89,7 +93,7 @@ BuildRequires: openssl >= 0.9.8 BuildRequires: pesign BuildRequires: pesign-obs-integration -%if 0%{?suse_version} >= 1600 +%if 0%{?shim_use_fde_tpm_helper:1} BuildRequires: fde-tpm-helper-rpm-macros %endif %if 0%{?suse_version} > 1320
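Review bot: `%if 0%{?shim_use_fde_tpm_helper:1}` tests only whether the macro is defined, so a project configuration that sets `%shim_use_fde_tpm_helper 0` to opt out still expands to `01` and pulls in fde-tpm-helper-rpm-macros. Use a value test, `%if 0%{?shim_use_fde_tpm_helper}`, which is false for both undefined and 0. Likewise `%define shim_use_fde_tpm_helper 1` under `suse_version >= 1600` unconditionally overrides any project-level setting; `%{!?shim_use_fde_tpm_helper:%define shim_use_fde_tpm_helper 1}` would let the project definition win, which appears to be the intent stated in the changelog.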
commit shim for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2024-03-06 23:03:16 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.1770 (New) Package is "shim" Wed Mar 6 23:03:16 2024 rev:119 rq:1155012 version:15.8 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2024-02-18 20:23:23.682498178 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new.1770/shim.changes 2024-03-06 23:03:27.222968378 +0100 @@ -1,0 +2,6 @@ +Mon Feb 26 13:09:29 UTC 2024 - Dominique Leuenberger + +- Use %autosetup macro. Allows to eliminate the usage of deprecated + PatchN. + +--- Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.BeMp6M/_old 2024-03-06 23:03:29.019033492 +0100 +++ /var/tmp/diff_new_pack.BeMp6M/_new 2024-03-06 23:03:29.023033638 +0100 @@ -129,12 +129,7 @@ The source code of UEFI shim loader %prep -%setup -q -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 +%autosetup -p1 %build # generate the vendor SBAT metadata
commit shim for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2024-02-01 18:04:12 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.1815 (New) Package is "shim" Thu Feb 1 18:04:12 2024 rev:115 rq:1143192 version:15.8 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2023-10-10 20:52:30.165123807 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.1815/shim.changes 2024-02-01 18:04:18.908808714 +0100 
@@ -1,0 +2,81 @@ +Sun Jan 28 09:32:32 UTC 2024 - Dennis Tseng + +-- Update to version 15.8 +- Various CVE fixes are already merged into this version +mok: fix LogError() invocation (bsc#1215099,CVE-2023-40546) +avoid incorrectly trusting HTTP headers (bsc#1215098,CVE-2023-40547) +Fix integer overflow on SBAT section size on 32-bit system (bsc#1215100,CVE-2023-40548) +Authenticode: verify that the signature header is in bounds (bsc#1215101,CVE-2023-40549) +pe: Fix an out-of-bound read in verify_buffer_sbat() (bsc#1215102,CVE-2023-40550) +pe-relocate: Fix bounds check for MZ binaries (bsc#1215103,CVE-2023-40551) +- remove shim-Enable-the-NX-compatibility-flag-by-default.patch +The codes in this patch are already existing in shim-15.8 +The NX flag is disable which is same as the default value of shim-15.8, +hence, not need to enable it by this patch now. +- Patches (git log --oneline --reverse 15.7..15.8) +657b248 Make sbat_var.S parse right with buggy gcc/binutils +7c76425 Enable the NX compatibility flag by default. 
+89972ae CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper +c7b3051 pe: Align section size up to page size for mem attrs +e4f40ae pe: Add IS_PAGE_ALIGNED macro +f23883c Don't loop forever in load_certs() with buggy firmware +1f38cb3 Optionally allow to keep shim protocol installed +102a658 Drop invalid calls to `CRYPTO_set_mem_functions` +aae3df0 test-sbat: Fix exit code +cca3933 Block Debian grub binaries with SBAT < 4 +cf59f34 Further improve load_certs() for non-compliant drivers/firmwares +0601f44 SBAT-related documents formatting and spelling +0640e13 Add a security contact email address in README.md +0bfc397 Work around malformed path delimiters in file paths from DHCP +a8b0b60 pe: only process RelocDir->Size of reloc section +f7a4338 Skip testing msleep() +549d346 Rename 'msecs' to 'usecs' to avoid potential confusion +908c388 Change type of fallback_verbose_wait from int to unsigned long +05eae92 Add SbatLevel_Variable.txt to document the various revocations +243f125 Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL +89d25a1 Add a make rule for compile_commands.json +118ff87 Add gnu-stack notes +f132655 test: Make our fake dprintf be a statement. +be00279 Remove CentOS 7 test builds. +9964960 Split pe.c up even more. +569270d Test (and fix) ImageAddress() +61e9894 Verify signature before verifying sbat levels +1578b55 Add libFuzzer support for csv.c +a0673e3 Fix a 1-byte memory leak in .sbat parsing. +e246812 Add libFuzzer support to the .sbat parser. +fd43eda Work around ImageAddress() usage mistake +1e985a3 Correctly free memory allocated in handle_image() +dbbe3c8 mok: Avoid underflow in maximum variable size calculation +04111d4 Make some of the static analysis tools a little easier to run +7ba7440 compile_commands.json: remove stuff clang doesn't like +66e6579 CVE-2023-40546 mok: fix LogError() invocation +f271826 Add primitives for overflow-checked arithmetic operations. 
+8372147 pe-relocate: Add a fuzzer for read_header() +5a5147d CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries +e912071 pe-relocate: make read_header() use checked arithmetic operations. +93ce255 CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat() +e7f5fdf pe-relocate: Ensure nothing else implements CVE-2023-40550 +afdc503 CVE-2023-40549 Authenticode: verify that the signature header is in bounds. +96dccc2 CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system +dae82f6 Further mitigations against CVE-2023-40546 as a class +ea0f9df Allow SbatLevel data from external binary +b078ef2 Always clear SbatLevel when Secure Boot is disabled +7dfb687 BS Variables for bootmgr revocations +a967c0e shim should not self revoke +577cedd Print message when refusing to apply SbatLev
commit shim for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2023-10-10 20:52:13 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.28202 (New) Package is "shim" Tue Oct 10 20:52:13 2023 rev:114 rq:1116629 version:15.7 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2023-05-26 20:15:15.336184744 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.28202/shim.changes 2023-10-10 20:52:30.165123807 +0200 @@ -1,0 +2,18 @@ +Thu Oct 5 13:19:48 UTC 2023 - Ludwig Nussel + +- Don't require grub so shim can still be used with systemd-boot + +--- +Wed Sep 20 04:33:59 UTC 2023 - Michael Chang + +- Update shim-install to fix boot failure of ext4 root file system + on RAID10 (bsc#1205855) + 226c94ca5cfca Use hint in looking for root if possible + +--- +Tue Sep 19 08:36:17 UTC 2023 - Gary Ching-Pang Lin + +- Adopt the macros from fde-tpm-helper-macros to update the + signature in the sealed key after a bootloader upgrade + +--- Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.2B6odh/_old 2023-10-10 20:52:33.481243978 +0200 +++ /var/tmp/diff_new_pack.2B6odh/_new 2023-10-10 20:52:33.485244123 +0200 @@ -83,6 +83,7 @@ BuildRequires: pesign BuildRequires: pesign-obs-integration %if 0%{?suse_version} > 1320 +BuildRequires: fde-tpm-helper-rpm-macros BuildRequires: update-bootloader-rpm-macros %endif %if 0%{?update_bootloader_requires:1} @@ -90,9 +91,13 @@ %else Requires: perl-Bootloader %endif +%if 0%{?fde_tpm_update_requires:1} +%fde_tpm_update_requires +%endif BuildRoot: %{_tmppath}/%{name}-%{version}-build -# For shim-install script -Requires: grub2-%{grubplatform} +# For shim-install script grub is needed but we also want to use +# shim for systemd-boot where shim-install is not actually used. +# Requires: grub2-%{grubplatform} Requires: mokutil ExclusiveArch: x86_64 aarch64 
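Review bot: Turning `Requires: grub2-%{grubplatform}` into a commented-out line leaves the shipped shim-install script, which the retained comment itself says needs grub, with no packaging relationship at all, so installing shim alone on a grub2 system can yield a non-functional shim-install. `Recommends: grub2-%{grubplatform}` expresses the systemd-boot exception without dead code: grub2 is still pulled in by default but can be excluded or removed where shim-install is not used. If a hard dependency is deliberately dropped, the comment should at least say that shim-install callers are expected to depend on grub2 themselves.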
@@ -286,6 +291,10 @@ %{?buildroot:%__rm -rf "%{buildroot}"} %post +%if 0%{?fde_tpm_update_post:1} +%fde_tpm_update_post shim +%endif + %if 0%{?update_bootloader_check_type_reinit_post:1} %update_bootloader_check_type_reinit_post grub2-efi %else @@ -316,6 +325,7 @@ %if %{defined update_bootloader_posttrans} %posttrans %{?update_bootloader_posttrans} +%{?fde_tpm_update_posttrans} %endif %files ++ shim-install ++ --- /var/tmp/diff_new_pack.2B6odh/_old 2023-10-10 20:52:33.593248037 +0200 +++ /var/tmp/diff_new_pack.2B6odh/_new 2023-10-10 20:52:33.597248182 +0200 @@ -419,8 +419,19 @@ done fi +hints="`"${grub_probe}" --target=hints_string "${grub_cfg_dirname}" 2> /dev/null`" + +if [ "x$hints" != x ]; then + echo "if [ x\$feature_platform_search_hint = xy ]; then" + echo " search --no-floppy --fs-uuid --set=root ${hints} ${cfg_fs_uuid}" + echo "else" + echo " search --no-floppy --fs-uuid --set=root ${cfg_fs_uuid}" + echo "fi" +else + echo "search --no-floppy --fs-uuid --set=root ${cfg_fs_uuid}" +fi + cat <
commit shim for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2023-05-26 20:15:09 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.1533 (New) Package is "shim" Fri May 26 20:15:09 2023 rev:113 rq:1089032 version:15.7 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2023-04-11 13:50:58.379295938 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.1533/shim.changes 2023-05-26 20:15:15.336184744 +0200 @@ -1,0 +2,9 @@ +Mon May 15 03:28:47 UTC 2023 - Gary Ching-Pang Lin + +- Update shim-install to amend full disk encryption support +b540061e041b Adopt TPM 2.0 Key File for grub2 TPM 2.0 protector +f2e8143ce831 Use the long name to specify the grub2 key protector +72830120e5ea cryptodisk: support TPM authorized policies +49e7a0d307f3 Do not use tpm_record_pcrs unless the command is in command.lst + +--- Other differences: -- ++ shim-install ++ --- /var/tmp/diff_new_pack.zujSGz/_old 2023-05-26 20:15:15.968188511 +0200 +++ /var/tmp/diff_new_pack.zujSGz/_new 2023-05-26 20:15:15.972188535 +0200 @@ -370,20 +370,23 @@ return fi - tpm_pcr_bank="${GRUB_TPM2_PCR_BANK:-sha256}" - tpm_pcr_list="${GRUB_TPM2_PCR_LIST:-0,2,4,7,9}" tpm_sealed_key="${GRUB_TPM2_SEALED_KEY}" declare -g TPM_PCR_SNAPSHOT_TAKEN if [ -z "$TPM_PCR_SNAPSHOT_TAKEN" ]; then TPM_PCR_SNAPSHOT_TAKEN=1 -echo "tpm_record_pcrs 0-9" + +# Check if tpm_record_pcrs is available and set the command to +# grub.cfg. +if grep -q "tpm_record_pcrs" ${datadir}/grub2/${arch}-efi/command.lst ; then + echo "tpm_record_pcrs 0-9" +fi fi cat <
commit shim for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2023-04-11 13:50:40 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.19717 (New) Package is "shim" Tue Apr 11 13:50:40 2023 rev:112 rq:1078224 version:15.7 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2023-01-14 00:02:21.645411393 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new.19717/shim.changes 2023-04-11 13:50:58.379295938 +0200 @@ -1,0 +2,14 @@ +Mon Apr 10 05:04:33 UTC 2023 - Joey Lee + +- Removed POST_PROCESS_PE_FLAGS=-N from the build command in shim.spec to + enable the NX compatibility flag when using post-process-pe after + discussed with grub2 experts in mail. It's useful for further development + and testing. (bsc#1205588) + +--- +Mon Mar 27 09:26:02 UTC 2023 - Joey Lee + +- Updated shim signature after shim 15.7 of SLE be signed back: + signature-sles.x86_64.asc, signature-sles.aarch64.asc (bsc#1198458) + +--- Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.WeqhQM/_old 2023-04-11 13:50:59.083300017 +0200 +++ /var/tmp/diff_new_pack.WeqhQM/_new 2023-04-11 13:50:59.087300040 +0200 @@ -204,7 +204,6 @@ VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \ DEFAULT_LOADER="grub.efi" \ VENDOR_DBX_FILE=$vendor_dbx \ - POST_PROCESS_PE_FLAGS=-N \ shim.efi.debug shim.efi # # assert correct certificate embedded ++ signature-sles.aarch64.asc ++ --- /var/tmp/diff_new_pack.WeqhQM/_old 2023-04-11 13:50:59.223300828 +0200 +++ /var/tmp/diff_new_pack.WeqhQM/_new 2023-04-11 13:50:59.227300851 +0200 
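Review bot: Removing `POST_PROCESS_PE_FLAGS=-N \` turns the PE NX-compatibility flag back on without any comment in the spec recording that the flag asserts NX readiness for everything shim loads, not just shim itself (non-executable stack and pool pages, Memory Attribute Protocol, as described in the shim-Enable-the-NX-compatibility-flag-by-default.patch header carried by this package). Add a comment above the make invocation, e.g. `# NX-compat flag enabled (no POST_PROCESS_PE_FLAGS=-N): grub2 and the kernel must run with non-executable pages (bsc#1205588)`, so a later firmware that enforces NX or a grub2 regression can be traced to this decision. The changelog's justification, a mail discussion with grub2 experts, is not reproducible; a reference to the grub2 commit or bug that made grub2 NX-ready would make the change auditable.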
@@ -1,190 +1,208 @@ -hash: f31fd461c5e99510403fc97c1da2d8a9cbe270597d32badf8fd66b77495f8d94 -# 2069-04-10 06:07:54 -timestamp: babababa -linker: 2002 -checksum: 61c9 +hash: 04478d49dfa6c5f8442ec919568e1eda59de99cc1b5192f18028084409bbebe5 +# 1970-01-01 00:00:00 +timestamp: 0 +linker: 2702 +checksum: dfaa -BEGIN AUTHENTICODE SIGNATURE- -MIIh9AYJKoZIhvcNAQcCoIIh5TCCIeECAQExDzANBglghkgBZQMEAgEFADBcBgor +MIIlYgYJKoZIhvcNAQcCoIIlUzCCJU8CAQExDzANBglghkgBZQMEAgEFADBcBgor BgEEAYI3AgEEoE4wTDAXBgorBgEEAYI3AgEPMAkDAQCgBKICgAAwMTANBglghkgB -ZQMEAgEFAAQg8x/UYcXplRBAP8l8HaLYqcvicFl9Mrrfj9Zrd0lfjZSgggs8MIIF -JDCCBAygAwIBAgITMwpmQvP0n7c3lgABCjANBgkqhkiG9w0BAQsFADCB +ZQMEAgEFAAQgBEeNSd+mxfhELskZVo4e2lnemcwbUZLxgCgIRAm76+WgggswMIIF +GDCCBACgAwIBAgITMwAAAFRJgAequ/NAsgABVDANBgkqhkiG9w0BAQsFADCB gTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMi -TWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTAeFw0xMzA5MjQxNzU0 -MDNaFw0xNDEyMjQxNzU0MDNaMIGVMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz +TWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTAeFw0yMzAyMTYyMDE5 +NTdaFw0yNDAxMzEyMDE5NTdaMIGGMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv -cnBvcmF0aW9uMQ0wCwYDVQQLEwRNT1BSMTAwLgYDVQQDEydNaWNyb3NvZnQgV2lu -ZG93cyBVRUZJIERyaXZlciBQdWJsaXNoZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB -DwAwggEKAoIBAQCc2PZRP3t6i2DCLSAuWrFHZKfyD98yckc9yxqqqJACgekdZi4s -ZEN1vYcVfiUhW4hFpdH3kcPah7wf+uqgyQa1hb/9AzDH63JYfaHLWA+Jx0leY0cG -CsIFviaUHrCEgxhkeXdrGfHroDcWArv2yBBvj+zvePVE9/VpDoBK+2nAFxz0oG23 -BzE5duVpHIZn96fNyoDKYvCf649VqjM+O5/b5jlDylkMWAIVTvWqE0r/7YnC1Vcc -cgJDQk8IaIWSepRsjrvvf8C8uG3ZSxVjQeuPz7ETAryJIWvYdz240MzVAJD7SazH -SbVJm1LPHfS2FEpx3uUNOuo3IJrrxqeals8FAgMBAAGjggF9MIIBeTAfBgNVHSUE -GDAWBggrBgEFBQcDAwYKKwYBBAGCN1ACATAdBgNVHQ4EFgQU6t49RpSALGo0XSnP -ixuEhp5y0NEwUQYDVR0RBEowSKRGMEQxDTALBgNVBAsTBE1PUFIxMzAxBgNVBAUT -KjMxNjE5KzAxMjU1ZjQ2LTc0ZjUtNGZjNC1iYzcxLWU0ZGE5NzM2YmVlZTAfBgNV 
-HSMEGDAWgBQTrb9DCb2CcJyM1U8xbtUimIob1DBTBgNVHR8ETDBKMEigRqBEhkJo -dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNDb3JVRUZDQTIw -MTFfMjAxMS0wNi0yNy5jcmwwYAYIKwYBBQUHAQEEVDBSMFAGCCsGAQUFBzAChkRo -dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvclVFRkNB -MjAxMV8yMDExLTA2LTI3LmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUA -A4IBAQAqJ9a9LzTGipmJ7IVkSf5JNK1cBhXsWBlmQ5kFNzeoa+RskUuUeM45NTS3 -We7F628BW3BrhT8dK+Uf6YB7F46qng+VWNal2RPFjHSSy60QartzlUJoAaQvNjhC -5gv3LQRmaIZdtdjOLJAclnMETQWrt0wXGsGYwPk3a7kYXsdSO7U+bSwRRkL/v74g -78bCVxwgBhWctw/yxCjpl/bOg79XrZpHxH3szpgwz4YaFWRxxiYAoCYLROKeqObj -PEB8BG83vkpG3K84wBiyT5ab63FtjnbOvD0dGRNO1vIWzC41eEi0mYGW69cya8o+ -Ot4bqI6YYSpWmkah9FhW9OLfoCpdMIIGEDCCA/igAwIBAgIKYQjTxAAABDAN -BgkqhkiG9w0BAQsFADCBkTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0 -b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3Jh -dGlvbjE7MDkGA1UEAxMyTWljcm9zb2Z0
commit shim for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2023-01-14 00:02:14 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.32243 (New) Package is "shim" Sat Jan 14 00:02:14 2023 rev:111 rq:1057935 version:15.7 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2022-12-10 21:17:50.185559326 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new.32243/shim.changes 2023-01-14 00:02:21.645411393 +0100 @@ -1,0 +2,14 @@ +Thu Jan 12 07:00:19 UTC 2023 - Joey Lee + +- Removed shim-bsc1198101-opensuse-cert-prompt.patch (bsc#1198101) + - Detail discussion is in bugzilla: + https://bugzilla.suse.com/show_bug.cgi?id=1198101 + - The shim community review and challenge this prompt. No other + distro shows prompt (Have checked Fedora 37, CentOS 9 and Ubuntu 22.10). + Currently, it blocked the review process of openSUSE shim. + - Other distros lock-down kernel when secure boot is enabled. Some of + them used different key for signing kernel binary with In-tree kernel + module. And their build service does not provide signed Out-off-tree + module. + +--- Old: shim-bsc1198101-opensuse-cert-prompt.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.tS2rJR/_old 2023-01-14 00:02:22.949418989 +0100 +++ /var/tmp/diff_new_pack.tS2rJR/_new 2023-01-14 00:02:22.957419036 +0100 @@ -77,8 +77,6 @@ Patch5: shim-disable-export-vendor-dbx.patch # PATCH-FIX-UPSTREAM shim-Enable-the-NX-compatibility-flag-by-default.patch j...@suse.com -- Enable the NX compatibility flag by default Patch6: shim-Enable-the-NX-compatibility-flag-by-default.patch -# PATCH-FIX-OPENSUSE shim-bsc1198101-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not -Patch100: shim-bsc1198101-opensuse-cert-prompt.patch BuildRequires: dos2unix BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 
@@ -124,9 +122,6 @@ %patch4 -p1 %patch5 -p1 %patch6 -p1 -%if 0%{?is_opensuse} == 1 || 0%{?sle_version} == 0 -%patch100 -p1 -%endif %build # generate the vendor SBAT metadata
commit shim for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2022-12-10 21:17:34 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.1835 (New) Package is "shim" Sat Dec 10 21:17:34 2022 rev:110 rq:1041832 version:15.7 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2022-11-24 12:22:09.908891828 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new.1835/shim.changes 2022-12-10 21:17:50.185559326 +0100 @@ -1,0 +2,9 @@ +Fri Dec 9 08:38:14 UTC 2022 - Joey Lee + +- Modified shim-install, add the following Olaf Kirch's patches to support + full disk encryption: (jsc#PED-922) +a5c57340740c Introduce --no-grub-install option +5c2c3addc51f Handle different cases of controlling cryptomount volumes during first stage boot +26c6bd5df7ae Have grub take a snapshot of "relevant" TPM PCRs + +--- Other differences: -- ++ shim-install ++ --- /var/tmp/diff_new_pack.cerdcY/_old 2022-12-10 21:17:50.901563513 +0100 +++ /var/tmp/diff_new_pack.cerdcY/_new 2022-12-10 21:17:50.905563536 +0100 @@ -17,6 +17,7 @@ efibootmgr="/usr/sbin/efibootmgr" grub_probe="/usr/sbin/grub2-probe" grub_mkrelpath="/usr/bin/grub2-mkrelpath" +no_grub_install=no grub_install="/usr/sbin/grub2-install" grub_install_target= self="`basename $0`" @@ -127,6 +128,7 @@ echo "--config-file=FILE use FILE as config file, default is $grub_cfg." echo "--clean remove all installed files and configs." echo "--suse-enable-tpm install grub.efi with TPM support." +echo "--no-grub-install Do not run grub2-install." echo echo "INSTALL_DEVICE must be system device filename." } @@ -206,6 +208,9 @@ --clean) clean=yes ;; +--no-grub-install) + no_grub_install=yes ;; + -*) echo "Unrecognized option \`$option'" 1>&2 usage 
@@ -352,6 +357,39 @@ fi +prepare_cryptodisk () { + uuid="$1" + + if [ "x$GRUB_CRYPTODISK_PASSWORD" != x ]; then +echo "cryptomount -u $uuid -p \"$GRUB_CRYPTODISK_PASSWORD\"" +return + fi + + if [ "x$GRUB_TPM2_SEALED_KEY" = x ]; then +echo "cryptomount -u $uuid" +return + fi + + tpm_pcr_bank="${GRUB_TPM2_PCR_BANK:-sha256}" + tpm_pcr_list="${GRUB_TPM2_PCR_LIST:-0,2,4,7,9}" + tpm_sealed_key="${GRUB_TPM2_SEALED_KEY}" + + declare -g TPM_PCR_SNAPSHOT_TAKEN + + if [ -z "$TPM_PCR_SNAPSHOT_TAKEN" ]; then +TPM_PCR_SNAPSHOT_TAKEN=1 +echo "tpm_record_pcrs 0-9" + fi + + cat < "${efidir}/grub.cfg"
commit shim for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2022-11-24 12:22:07 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.1597 (New) Package is "shim" Thu Nov 24 12:22:07 2022 rev:109 rq:1037458 version:15.7 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2022-11-22 16:09:24.841795668 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new.1597/shim.changes 2022-11-24 12:22:09.908891828 +0100 @@ -1,0 +2,12 @@ +Wed Nov 23 07:28:57 UTC 2022 - Joey Lee + +- Add POST_PROCESS_PE_FLAGS=-N to the build command in shim.spec to + disable the NX compatibility flag when using post-process-pe because + grub2 is not ready. (bsc#1205588) +- Kernel can boot with the NX compatibility flag since 82e0d6d76a2a7 + be merged to v5.19. On the other hand, upstream is working on + improve compressed kernel stage for NX: +[PATCH v3 00/24] x86_64: Improvements at compressed kernel stage +https://www.spinics.net/lists/kernel/msg4599636.html + +--- Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.FQePnN/_old 2022-11-24 12:22:10.608896275 +0100 +++ /var/tmp/diff_new_pack.FQePnN/_new 2022-11-24 12:22:10.612896301 +0100 @@ -209,6 +209,7 @@ VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \ DEFAULT_LOADER="grub.efi" \ VENDOR_DBX_FILE=$vendor_dbx \ + POST_PROCESS_PE_FLAGS=-N \ shim.efi.debug shim.efi # # assert correct certificate embedded
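Review bot: The added `POST_PROCESS_PE_FLAGS=-N \` line carries no comment in the spec, so the reason for clearing the NX-compatibility flag lives only in the changelog. Put it next to the flag, e.g. `# -N clears the PE NX-compat flag: grub2 cannot yet run with non-executable stack/pool pages (bsc#1205588)`, and state that it must be dropped once grub2 is ready, since shipping shim without the flag keeps firmware from enforcing NX on the whole boot chain. A reviewer reading the make invocation later should not need the changelog to know this is a temporary downgrade.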
commit shim for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2022-11-22 16:09:23 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.1597 (New) Package is "shim" Tue Nov 22 16:09:23 2022 rev:108 rq:1037006 version:15.7 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2022-11-19 18:08:42.706231922 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new.1597/shim.changes 2022-11-22 16:09:24.841795668 +0100 @@ -1,0 +2,6 @@ +Fri Nov 18 04:52:49 UTC 2022 - Joey Lee + +- Add shim-Enable-the-NX-compatibility-flag-by-default.patch to + enable the NX compatibility flag by default. (jsc#PED-127) + +--- New: shim-Enable-the-NX-compatibility-flag-by-default.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.UZiYEX/_old 2022-11-22 16:09:25.749800282 +0100 +++ /var/tmp/diff_new_pack.UZiYEX/_new 2022-11-22 16:09:25.757800323 +0100 @@ -75,6 +75,8 @@ Patch4: remove_build_id.patch # PATCH-FIX-SUSE shim-disable-export-vendor-dbx.patch bsc#1185261 g...@suse.com -- Disable exporting vendor-dbx to MokListXRT Patch5: shim-disable-export-vendor-dbx.patch +# PATCH-FIX-UPSTREAM shim-Enable-the-NX-compatibility-flag-by-default.patch j...@suse.com -- Enable the NX compatibility flag by default +Patch6: shim-Enable-the-NX-compatibility-flag-by-default.patch # PATCH-FIX-OPENSUSE shim-bsc1198101-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not Patch100: shim-bsc1198101-opensuse-cert-prompt.patch BuildRequires: dos2unix @@ -121,6 +123,7 @@ %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 %if 0%{?is_opensuse} == 1 || 0%{?sle_version} == 0 %patch100 -p1 %endif ++ shim-Enable-the-NX-compatibility-flag-by-default.patch ++ >From a53b9f7ceec1dfa1487f4d675573449c5b2a16fb Mon Sep 17 00:00:00 2001 
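Review bot: The new `# PATCH-FIX-UPSTREAM shim-Enable-the-NX-compatibility-flag-by-default.patch ... -- Enable the NX compatibility flag by default` tag does not cite the upstream commit, although the patch header carries it (`a53b9f7ceec1dfa1487f4d675573449c5b2a16fb`). Append it to the tag, `-- Enable the NX compatibility flag by default (upstream a53b9f7ceec1)`, so the patch can be dropped mechanically when a release containing it is packaged. Note also that with this patch applied the NX flag is set on the built shim.efi unless `POST_PROCESS_PE_FLAGS=-N` is passed, which this spec change does not do; that changes what the firmware may enforce on every bootloader and kernel shim loads and deserves an explicit sentence in the changelog entry.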
From: Peter Jones Date: Thu, 17 Nov 2022 12:31:31 -0500 Subject: [PATCH] Enable the NX compatibility flag by default. Currently by default, when we build shim we do not set the PE NX-compatibility DLL Characteristic flag. This signifies to the firmware that shim (including the components it loads) is not prepared for several related firmware changes: - non-executable stack - non-executable pages from AllocatePages()/AllocatePool()/etc. - non-writable 0 page (not strictly related but some firmware will be transitioning at the same time) - the need to use the UEFI 2.10 Memory Attribute Protocol to set page permissions. This patch changes that default to be enabled by default. Distributors of shim will need to ensure that either their builds disable this bit (using "post-process-pe -N"), or that the bootloaders and kernels you support loading are all compliant with this change. A new make variable, POST_PROCESS_PE_FLAGS, has been added to simplify doing so. Signed-off-by: Peter Jones --- BUILDING | 3 +++ Make.defaults | 2 ++ Makefile | 2 +- post-process-pe.c | 2 +- 4 files changed, 7 insertions(+), 2 deletions(-) diff --git a/BUILDING b/BUILDING index 3b2e85d3..17cd98d3 100644 --- a/BUILDING +++ b/BUILDING @@ -78,6 +78,9 @@ Variables you could set to customize the build: - OSLABEL This is the label that will be put in BOOT$(EFI_ARCH).CSV for your OS. By default this is the same value as EFIDIR . +- POST_PROCESS_PE_FLAGS + This allows you to add flags to the invocation of "post-process-pe", for + example to disable the NX compatibility flag. Vendor SBAT data: It will sometimes be requested by reviewers that a build includes extra diff --git a/Make.defaults b/Make.defaults index c46164a3..9af89f4e 100644 --- a/Make.defaults +++ b/Make.defaults @@ -139,6 +139,8 @@ CFLAGS = $(FEATUREFLAGS) \ $(INCLUDES) \ $(DEFINES) +POST_PROCESS_PE_FLAGS = + ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined) DEFINES += -DOVERRIDE_SECURITY_POLICY endif 
diff --git a/Makefile b/Makefile index a9202f46..f0f53f8f 100644 --- a/Makefile +++ b/Makefile @@ -255,7 +255,7 @@ endif -j .rela* -j .dyn -j .reloc -j .eh_frame \ -j .vendor_cert -j .sbat -j .sbatlevel \ $(FORMAT) $< $@ - ./post-process-pe -vv $@ + ./post-process-pe -vv $(POST_PROCESS_PE_FLAGS) $@ ifneq ($(origin ENABLE_SHIM_HASH),undefined) %.hash : %.efi diff --git a/post-process-pe.c b/post-process-pe.c index de8f4a38..f39fdddf 100644 --- a/post-process-pe.c +++ b/post-process-pe.c @@ -42,7 +42,7 @@ static int verbosity; 0;
commit shim for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2022-11-19 18:08:40 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.1597 (New) Package is "shim" Sat Nov 19 18:08:40 2022 rev:107 rq:1036529 version:15.7 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2022-11-16 15:42:26.435618660 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new.1597/shim.changes 2022-11-19 18:08:42.706231922 +0100 
@@ -1,0 +2,63 @@ +Fri Nov 18 03:17:46 UTC 2022 - Joey Lee + +- Drop upstreamed patch: +- shim-Enable-TDX-measurement-to-RTMR-register.patch +- Enable TDX measurement to RTMR register (jsc#PED-1273) + - 4fd484e4c215.7 + +--- +Thu Nov 17 05:17:34 UTC 2022 - Joey Lee + +- Update to 15.7 (bsc#1198458)(jsc#PED-127) +- Patches (git log --oneline --reverse 15.6..15.7) + 0eb07e1 Make SBAT variable payload introspectable + 092c2b2 Reference MokListRT instead of MokList + 8b59b69 Add a link to the test plan in the readme. + 4fd484e Enable TDX measurement to RTMR register + 14d6339 Discard load-options that start with a NUL + 5c537b3 shim: Flush the memory region from i-cache before execution + 2d4ebb5 load_cert_file: Fix stack issue + ea4911c load_cert_file: Use EFI RT memory function + 0cf43ac Add -malign-double to IA32 compiler flags + 17f0233 pe: Fix image section entry-point validation + 5169769 make-archive: Build reproducible tarball + aa1b289 mok: remove MokListTrusted from PCR 7 + 53509ea CryptoPkg/BaseCryptLib: fix NULL dereference + 616c566 More coverity modeling + ea0d0a5 Update shim's .sbat to sbat,3 + dd8be98 Bump grub's sbat requirement to grub,3 + 1149161 (HEAD -> main, tag: 15.7, origin/main, origin/HEAD) Update version to 15.7 +- 15.7 release note https://github.com/rhboot/shim/releases + Make SBAT variable payload introspectable by @chrisccoulson in #483 + Reference MokListRT instead of MokList by @esnowberg in #488 + Add a link to the test plan in the readme. 
by @vathpela in #494 + [V3] Enable TDX measurement to RTMR register by @kenplusplus in #485 + Discard load-options that start with a NUL by @frozencemetery in #505 + load_cert_file bugs by @esnowberg in #523 + Add -malign-double to IA32 compiler flags by @nicholasbishop in #516 + pe: Fix image section entry-point validation by @iokomin in #518 + make-archive: Build reproducible tarball by @julian-klode in #527 + mok: remove MokListTrusted from PCR 7 by @baloo in #519 +- Drop upstreamed patch: + - shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch + - Cryptlib/CryptAuthenticode: fix NULL pointer dereference in AuthenticodeVerify() + - 53509eaf2215.7 + - shim-jscPED-127-upgrade-shim-in-SLE15-SP5.patch + - For backporting the following patches between 15.6 with aa1b289a1a (jsc#PED-127) + - The following patches are merged to 15.7 + aa1b289a1a mok: remove MokListTrusted from PCR 7 + 0cf43ac6d7 Add -malign-double to IA32 compiler flags + ea4911c2f3 load_cert_file: Use EFI RT memory function + 2d4ebb5a79 load_cert_file: Fix stack issue + 5c537b3d0c shim: Flush the memory region from i-cache before execution + 14d6339829 Discard load-options that start with a NUL + 092c2b2bbe Reference MokListRT instead of MokList + 0eb07e11b2 Make SBAT variable payload introspectable + +--- +Thu Nov 17 05:08:49 UTC 2022 - Joey Lee + +- Update shim.changes, added missed shim 15.6-rc1 and 15.6 changelog to + the item in Update to 15.6. (bsc#1198458) + +--- 
@@ -159,0 +223,46 @@ +- 15.6-rc1 release note https://github.com/rhboot/shim/releases + MokManager: removed Locate graphic output protocol fail error message by @joeyli in #441 + shim: implement SBAT verification for the shim_lock protocol by @chrisccoulson in #456 + post-process-pe: Fix a missing return code check by @vathpela in #462 + Update github actions matrix to be more useful by @frozencemetery in #469 + Add f36 and centos9 CI builds by @vathpela in #470 + post-process-pe: Fix format string warnings on 32-bit platforms by @steve-mcintyre in #464 + tests: also look for system headers in multi-arch directories by @steve-mcintyre in #466 + tests: fix gcc warnings by @akodanev in #463 + Al
commit shim for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2022-11-16 15:42:21 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.1597 (New) Package is "shim" Wed Nov 16 15:42:21 2022 rev:106 rq:1035800 version:15.6 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2022-10-03 13:44:30.845316706 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.1597/shim.changes 2022-11-16 15:42:26.435618660 +0100 
@@ -1,0 +2,34 @@ +Tue Nov 15 08:06:24 UTC 2022 - Joey Lee + +- Add shim-jscPED-127-upgrade-shim-in-SLE15-SP5.patch for backporting the following + patches between 15.6 with aa1b289a1a (jsc#PED-127): +aa1b289a1a16774afc3143b8948d97261f0872d0 mok: remove MokListTrusted from PCR 7 +0cf43ac6d78c6f47f8b91210639ac1aa63665f0b Add -malign-double to IA32 compiler flags +ea4911c2f3ce8f8f703a1476febac86bb16b00fd load_cert_file: Use EFI RT memory function +2d4ebb5a798aafd3b06d2c3cb9c9840c1caa41ef load_cert_file: Fix stack issue +5c537b3d0cf8c393dad2e61d49aade68f3af1401 shim: Flush the memory region from i-cache before execution +14d63398298c8de23036a4cf61594108b7345863 Discard load-options that start with a NUL +092c2b2bbed950727e41cf450b61c794881c33e7 Reference MokListRT instead of MokList +0eb07e11b20680200d3ce9c5bc59299121a75388 Make SBAT variable payload introspectable + +--- +Tue Nov 15 08:06:05 UTC 2022 - Joey Lee + +- Add shim-Enable-TDX-measurement-to-RTMR-register.patch to support + enhance shim measurement to TD RTMR. (jsc#PED-1273) + +--- +Tue Nov 15 07:53:59 UTC 2022 - Joey Lee + +- For pushing openSUSE:Factory/shim to SLE15-SP5, sync the shim.spec + and shim.changes: (jsc#PED-127) +- Add some change log from SLE shim.changes to Factory shim.changes + Those messages are added "(sync shim.changes from SLE)" tag. +- Add the following changes to shim.spec + - only apply Patch100, the shim-bsc1198101-opensuse-cert-prompt.patch + on openSUSE. + - Enable the AArch64 signature check for SLE: + # AArch64 signature + signature=%{SOURCE13} + +--- @@ -195,0 +230,5 @@ +Thu Jul 15 08:13:26 UTC 2021 - Johannes Segitz + +- Update the SLE signatures (sync shim.changes from SLE) + +--- 
@@ -203,0 +243,34 @@ +(sync shim.changes from SLE) +- Split the keys in vendor-dbx.bin to vendor-dbx-sles and + vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce + the size of MokListXRT (bsc#1185261) + + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz +- Add shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch + to handle ignore_db and user_insecure_mode correctly + (bsc#1185441, bsc#1187071) +- Add shim-bsc1185621-relax-max-var-sz-check.patch to relax the + maximum variable size check for u-boot (bsc#1185621) + + Also drop AArch64 suse-signed shim since we merged this patch +- Add shim-bsc1185261-relax-import_mok_state-check.patch to relax + the check for import_mok_state() when Secure Boot is off. + (bsc#1185261) +- Add shim-bsc1185232-relax-loadoptions-length-check.patch to + ignore the odd LoadOptions length (bsc#1185232) +- shim-install: reset def_shim_efi to "shim.efi" if the given + file doesn't exist +- Add shim-fix-aa64-relsz.patch to fix the size of rela sections + for AArch64 + Fix: https://github.com/rhboot/shim/issues/371 +- Add shim-disable-export-vendor-dbx.patch to disable exporting + vendor-dbx to MokListXRT since writing a large RT variable + could crash some machines (bsc#1185261) +- Add shim-bsc1187260-fix-efi-1.10-machines.patch to avoid the + potential crash when calling QueryVariableInfo in EFI 1.10 + machines (bsc#1187260) +- Add shim-bsc1185232-fix-config-table-copying.patch to avoid + buffer overflow when copying data to the MOK config table + (bsc#1185232) + +--- +Mon Jun 21 08:51:37 UTC 2021 - Gary Ching-Pang Lin + @@ -258,0 +332,6 @@ +Thu May 6 06:45:39 UTC 2021 - Gary Ching-Pang Lin + +- Include suse-signed shim for AArch64 (bsc#1185621) + (sync shim.changes from SLE) + +--- @@ -277,0 +357,10 @@ + +--- +Thu Apr 22 03:26:48 UTC 2021 - Gary Ching-Pang Lin + +- Enable the AArch64 signature check for SLE (sync shim.changes from SLE) + +--- +Wed Apr 21 05:44
commit shim for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2022-10-03 13:44:20 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.2275 (New) Package is "shim" Mon Oct 3 13:44:20 2022 rev:105 rq:1007166 version:15.6 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2022-09-17 20:10:06.861117813 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.2275/shim.changes 2022-10-03 13:44:30.845316706 +0200 @@ -1,0 +2,6 @@ +Thu Sep 29 02:42:35 UTC 2022 - Michael Chang + +- shim-install: ensure grub.cfg created is not overwritten after + installing grub related files + +--- Other differences: -- ++ shim-install ++ --- /var/tmp/diff_new_pack.f47vFd/_old 2022-10-03 13:44:31.597318360 +0200 +++ /var/tmp/diff_new_pack.f47vFd/_new 2022-10-03 13:44:31.601318369 +0200 @@ -386,13 +386,15 @@ } -make_grubcfg > "${efidir}/grub.cfg" # bnc#889765 GRUB shows broken letters at boot # invoke grub_install to initialize /boot/grub2 directory with files needed by grub.cfg # bsc#1118363 shim-install didn't specify the target for grub2-install # set the target explicitly for some special cases ${grub_install} --target=${grub_install_target} --no-nvram +# Making sure grub.cfg not overwritten by grub-install above +make_grubcfg > "${efidir}/grub.cfg" + if test "$no_nvram" = no && test -n "$bootloader_id"; then modprobe -q efivars 2>/dev/null || true
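Review bot: The `${grub_install} --target=${grub_install_target} --no-nvram` line directly above the moved `make_grubcfg` has no exit-status check, so if grub2-install fails the script still writes grub.cfg and apparently goes on to the NVRAM boot-entry step below. Unless the script runs under `set -e` (not visible in this hunk), guard it: `${grub_install} --target=${grub_install_target} --no-nvram || exit 1`. The new comment would also be clearer if it said why the order changed: `# grub2-install regenerates ${efidir}/grub.cfg, so ours must be written afterwards`. The hunk's final context line may be cut off at the end of this mail.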
commit shim for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2022-09-17 20:10:05 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.2083 (New) Package is "shim" Sat Sep 17 20:10:05 2022 rev:104 rq:1004027 version:15.6 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2022-08-05 19:50:56.657446872 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.2083/shim.changes 2022-09-17 20:10:06.861117813 +0200 @@ -1,0 +2,6 @@ +Mon Sep 12 12:30:54 UTC 2022 - Kilian Hanich + +- Add logic to shim.spec to only set sbat policy when efivarfs is writeable. + (bsc#1201066) + +--- Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.OqeMTj/_old 2022-09-17 20:10:07.573119867 +0200 +++ /var/tmp/diff_new_pack.OqeMTj/_new 2022-09-17 20:10:07.577119878 +0200 @@ -306,9 +306,13 @@ return $rc } # run mokutil for setting sbat policy to latest mode -SBAT_POLICY=/sys/firmware/efi/efivars/SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23 +EFIVARFS=/sys/firmware/efi/efivars +SBAT_POLICY="$EFIVARFS/SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23" if is_efi; then -if [ ! -f "$SBAT_POLICY" ] && mokutil -h | grep -q "set-sbat-policy"; then +if [ -w $EFIVARFS ] && \ + [ ! -f "$SBAT_POLICY" ] && \ + mokutil -h | grep -q "set-sbat-policy"; \ +then # Only apply CA check on the kernel package certs (bsc#1173115) mokutil --set-sbat-policy latest fi
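Review bot: `[ -w $EFIVARFS ] && \` leaves the variable unquoted while the neighbouring `[ ! -f "$SBAT_POLICY" ]` quotes its operand; quote both for consistency, `[ -w "$EFIVARFS" ] && \`. The `-w` test also fails when the efivars directory is absent altogether, not only when it is mounted read-only, and in both cases the scriptlet skips setting SbatPolicy without a word. A short `else echo "SbatPolicy not set: $EFIVARFS not writable" >&2` branch would make that visible in the install log so an operator can tell why the policy was never applied.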
commit shim for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2022-08-05 19:50:25 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.1521 (New) Package is "shim" Fri Aug 5 19:50:25 2022 rev:103 rq:993204 version:15.6 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2022-07-31 23:01:04.847715594 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.1521/shim.changes 2022-08-05 19:50:56.657446872 +0200 @@ -1,0 +2,6 @@ +Fri Aug 5 05:25:16 UTC 2022 - Joey Lee + +- Add logic to shim.spec for detecting --set-sbat-policy option before + using mokutil to set sbat policy. (bsc#1202120) + +--- Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.9b1OOX/_old 2022-08-05 19:50:57.353448670 +0200 +++ /var/tmp/diff_new_pack.9b1OOX/_new 2022-08-05 19:50:57.357448679 +0200 @@ -308,7 +308,8 @@ # run mokutil for setting sbat policy to latest mode SBAT_POLICY=/sys/firmware/efi/efivars/SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23 if is_efi; then -if [ ! -f "$SBAT_POLICY" ]; then +if [ ! -f "$SBAT_POLICY" ] && mokutil -h | grep -q "set-sbat-policy"; then +# Only apply CA check on the kernel package certs (bsc#1173115) mokutil --set-sbat-policy latest fi fi
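Review bot: The comment added above `mokutil --set-sbat-policy latest`, `# Only apply CA check on the kernel package certs (bsc#1173115)`, does not describe that line; it reads as copied from an unrelated scriptlet, and the bug number is not the one this change references. Replace it with a comment that explains the guard, e.g. `# Set SbatPolicy to "latest" once: only if the variable is absent and this mokutil supports --set-sbat-policy (bsc#1202120)`. The `mokutil -h | grep -q "set-sbat-policy"` probe depends on help text rather than an exit status, which is acceptable as a capability check but should be named as such in that comment.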
commit shim for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2022-07-31 23:00:49 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.1533 (New) Package is "shim" Sun Jul 31 23:00:49 2022 rev:102 rq:991619 version:15.6 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2022-07-18 18:32:53.977668924 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.1533/shim.changes 2022-07-31 23:01:04.847715594 +0200 @@ -1,0 +2,15 @@ +Fri Jul 29 02:36:36 UTC 2022 - Joey Lee + +- Change the URL in SBAT section to mail:secur...@suse.de. (bsc#1193282) + +--- +Mon Jul 25 12:44:24 UTC 2022 - Joey Lee + +- Revoked the change in shim.spec for "use common SBAT values (boo#1193282)" + - we need to build openSUSE Tumbleweed's shim on Leap 15.4 because Factory +is unstable for building out a stable shim binary for signing. (bsc#1198458) + - But the rpm-config-suse package in Leap 15.4 is direct copied from SLE 15.4 +because closing-the-leap-gap. So sbat_distro_* variables are SLE version, +not for openSUSE. (bsc#1198458) + +--- Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.GxjqO3/_old 2022-07-31 23:01:05.563717675 +0200 +++ /var/tmp/diff_new_pack.GxjqO3/_new 2022-07-31 23:01:05.567717686 +0200 @@ -35,13 +35,6 @@ %endif %endif -%if %{defined sbat_distro} -# SBAT metadata -%define sbat_generation 1 -%else -%{error please define sbat_distro, sbat_distro_summary and sbat_distro_url} -%endif - Name: shim Version:15.6 Release:0 
@@ -134,10 +127,17 @@ %patch100 -p1 %build -%if 0%{?sbat_generation} # generate the vendor SBAT metadata -echo "shim.%{sbat_distro},%{sbat_generation},%{sbat_distro_summary},%{name},%{version},%{sbat_distro_url}" > data/sbat.vendor.csv +%if 0%{?is_opensuse} == 1 || 0%{?sle_version} == 0 +distro_id="opensuse" +distro_name="The openSUSE project" +%else +distro_id="sle" +distro_name="SUSE Linux Enterprise" %endif +distro_sbat=1 +sbat="shim.${distro_id},${distro_sbat},${distro_name},%{name},%{version},mail:secur...@suse.de" +echo "${sbat}" > data/sbat.vendor.csv # first, build MokManager and fallback as they don't depend on a # specific certificate
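Review bot: `distro_sbat=1` is the SBAT generation number that firmware-side revocation compares against, yet nothing in the hunk says when it has to be bumped, so a later edit of this block has no cue. Add a comment above it: `# SBAT generation of the SUSE shim; bump it when earlier SUSE shim builds must be revoked`. The address in the CSV line appears mangled by the mail archive (`mail:secur...@suse.de`) and should be verified against the actual spec before relying on this log.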
commit shim for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2022-07-18 18:32:49 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.1523 (New) Package is "shim" Mon Jul 18 18:32:49 2022 rev:101 rq:989068 version:15.6 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2022-06-29 16:00:23.488538457 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.1523/shim.changes 2022-07-18 18:32:53.977668924 +0200 @@ -157,0 +158,5 @@ +Tue Apr 12 06:35:16 UTC 2022 - Ludwig Nussel + +- use common SBAT values (boo#1193282) + +--- Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.DSnmIW/_old 2022-07-18 18:32:54.861670181 +0200 +++ /var/tmp/diff_new_pack.DSnmIW/_new 2022-07-18 18:32:54.865670186 +0200 @@ -35,6 +35,13 @@ %endif %endif +%if %{defined sbat_distro} +# SBAT metadata +%define sbat_generation 1 +%else +%{error please define sbat_distro, sbat_distro_summary and sbat_distro_url} +%endif + Name: shim Version:15.6 Release:0 @@ -127,17 +134,10 @@ %patch100 -p1 %build +%if 0%{?sbat_generation} # generate the vendor SBAT metadata -%if 0%{?is_opensuse} == 1 || 0%{?sle_version} == 0 -distro_id="opensuse" -distro_name="The openSUSE project" -%else -distro_id="sle" -distro_name="SUSE Linux Enterprise" +echo "shim.%{sbat_distro},%{sbat_generation},%{sbat_distro_summary},%{name},%{version},%{sbat_distro_url}" > data/sbat.vendor.csv %endif -distro_sbat=1 -sbat="shim.${distro_id},${distro_sbat},${distro_name},%{name},%{version},mail:security-t...@suse.de" -echo "${sbat}" > data/sbat.vendor.csv # first, build MokManager and fallback as they don't depend on a # specific certificate
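Review bot: The new `%{error please define sbat_distro, sbat_distro_summary and sbat_distro_url}` spells the builtin with a space, whereas rpm documents the form `%{error:message}`; this branch is only reached when `sbat_distro` is undefined, so it was probably never exercised on builders where rpm-config-suse defines it, and the colon-less spelling should be confirmed before it is relied on as a guard. The `%if %{defined sbat_distro}` test also checks only one of the three macros the message names, while the echo in the %build hunk further down interpolates `sbat_distro_summary` and `sbat_distro_url` too, so an undefined one would silently yield an empty CSV field. Consider `%if %{defined sbat_distro} && %{defined sbat_distro_summary} && %{defined sbat_distro_url}`.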
commit shim for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2022-06-29 16:00:19 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.1548 (New) Package is "shim" Wed Jun 29 16:00:19 2022 rev:100 rq:985419 version:15.6 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2021-07-04 22:09:59.417578323 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.1548/shim.changes 2022-06-29 16:00:23.488538457 +0200 
@@ -1,0 +2,156 @@ +Tue Jun 28 04:03:45 UTC 2022 - Joey Lee + +- Update to 15.6 (bsc#1198458) +- shim-15.6.tar.bz2 is downloaded from bsc#1198458#c76 + which is from upstream grub2.cve_2021_3695.ms keybase channel. +- For building 15.6~rc1 aarch64 image (d6eb9c6 Modernize aarch64), objcopy needs to + support efi-app-aarch64 target. So we need the following patches in bintuils: +- binutils-AArch64-Add-support-for-AArch64-EFI-efi-aarch64.patch +b69c9d41e8 AArch64: Add support for AArch64 EFI (efi-*-aarch64). +- binutils-Re-AArch64-Add-support-for-AArch64-EFI-efi-aarch64.patch +32384aa396 Re: AArch64: Add support for AArch64 EFI (efi-*-aarch64) +- binutils-Re-Add-support-for-AArch64-EFI-efi-aarch64.patch +d91c67e873 Re: Add support for AArch64 EFI (efi-*-aarch64) +- Patches (git log --oneline --reverse 15.5~..77144e5a4) +448f096 MokManager: removed Locate graphic output protocol fail error message (bsc#1193315, bsc#1198458) +a2da05f shim: implement SBAT verification for the shim_lock protocol +bda03b8 post-process-pe: Fix a missing return code check +af18810 CI: don't cancel testing when one fails +ba580f9 CI: remove EOL Fedoras from github actions +bfeb4b3 Remove aarch64 build tests before f35 +38cc646 CI: Add f36 and centos9 CI build tests. +b5185cb post-process-pe: Fix format string warnings on 32-bit platforms +31094e5 tests: also look for system headers in multi-arch directories +4df989a mock-variables.c: fix gcc warning +6aac595 test-str.c: fix gcc warnings with FORTIFY_SOURCE enabled +2670c6a Allow MokListTrusted to be enabled by default +5c44aaf Add code of conduct +d6eb9c6 Modernize aarch64 +9af50c1 Use ASCII as fallback if Unicode Box Drawing characters fail +de87985 make: don't treat cert.S specially +803dc5c shim: use SHIM_DEVEL_VERBOSE when built in devel mode +6402f1f SBAT matching: Break out of the inner sbat loop if we find the entry. 
+bb4b60e Add verify_image +acfd48f Abstract out image reading +35d7378 Load additional certs from a signed binary +8ce2832 post-process-pe: there is no 's' argument. +465663e Add some missing PE image flag definitions +226fee2 PE Loader: support and require NX +df96f48 Add MokPolicy variable and MOK_POLICY_REQUIRE_NX +b104fc4 post-process-pe: set EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT +f81a7cc SBAT revocation management +abe41ab make: unbreak scan-build again for gnu-efi +610a1ac sbat.h: minor reformatting for legibility +f28833f peimage.h: make our signature macros force the type +5d789ca Always initialize data/datasize before calling read_image() +a50d364 sbat policy: make our policy change actions symbolic +5868789 load_certs: trust dir->Read() slightly less. +a78673b mok.c: fix a trivial dead assignment +759f061 Fix preserve_sbat_uefi_variable() logic +aa61fdf Give the Coverity scanner some more GCC blinders... +0214cd9 load_cert_file(): don't defererence NULL +1eca363 mok import: handle OOM case +75449bc sbat: Make nth_sbat_field() honor the size limit +c0bcd04 shim-15.6~rc1 +77144e5 SBAT Policy latest should be a one-shot +- 15.5 release note https://github.com/rhboot/shim/releases + Broken ia32 relocs and an unimportant submodule change. by @vathpela in #357 + mok: allocate MOK config table as BootServicesData by @lcp in #361 + Don't call QueryVariableInfo() on EFI 1.10 machines by @vathpela in #364 + Relax the check for import_mok_state() by @lcp in #372 + SBAT.md: trivial changes by @hallyn in #389 + shim: another attempt to fix load options handling by @chrisccoulson in #379 + Add tests for our load options parsing. by @vathpela in #390 + arm/aa64: fix the size of .rela* sections by @lcp in #383 + mok: fix potential buffer overrun in import_mok_state by @jyong2 in #365 + mok: relax the maximum variable size check by @lcp in #369 + Don't unhook ExitBootServices when EBS protec
commit shim for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2021-07-04 22:09:58 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.2625 (New) Package is "shim" Sun Jul 4 22:09:58 2021 rev:99 rq:903340 version:15.4 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2021-06-25 15:00:51.492116465 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.2625/shim.changes 2021-07-04 22:09:59.417578323 +0200 @@ -1,0 +2,6 @@ +Thu Jul 1 04:07:03 UTC 2021 - Gary Ching-Pang Lin + +- Add shim-bsc1187696-avoid-deleting-rt-variables.patch to avoid + deleting the mirrored RT variables (bsc#1187696) + +--- New: shim-bsc1187696-avoid-deleting-rt-variables.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.2EWFDC/_old 2021-07-04 22:10:00.157572600 +0200 +++ /var/tmp/diff_new_pack.2EWFDC/_new 2021-07-04 22:10:00.161572569 +0200 @@ -93,6 +93,8 @@ Patch13:shim-bsc1187260-fix-efi-1.10-machines.patch # PATCH-FIX-UPSTREAM shim-bsc1185232-fix-config-table-copying.patch bsc#1185232 g...@suse.com -- Avoid buffer overflow when copying the MOK config table Patch14:shim-bsc1185232-fix-config-table-copying.patch +# PATCH-FIX-UPSTREAM shim-bsc1187696-avoid-deleting-rt-variables.patch bsc#1187696 g...@suse.com -- Avoid deleting the mirrored RT variables +Patch15:shim-bsc1187696-avoid-deleting-rt-variables.patch BuildRequires: dos2unix BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 @@ -145,6 +147,7 @@ %patch12 -p1 %patch13 -p1 %patch14 -p1 +%patch15 -p1 %build # generate the vendor SBAT metadata ++ shim-bsc1187696-avoid-deleting-rt-variables.patch ++ >From 14f6e10b8272ce34d3c373e000c583e5345b526b Mon Sep 17 00:00:00 2001 
From: Gary Lin Date: Wed, 30 Jun 2021 16:34:51 +0800 Subject: [PATCH] mok: delete the existing RT variables only when only_first=TRUE For the firmware without the variable writing issues, MOK variables are mirrored when only_first=TRUE. However, LibDeleteVariable() was called in maybe_mirror_one_mok_variable() when only_first=FALSE, and this could delete MOK variables that were just mirrored in the first round. This bug was hidden since LibDeleteVariable() deletes BS+RT+NV variables while we mirror MOK variables as BS+RT, and the firmware refused to delete the mirrored MOK variable due to mismatching attributes. However, some firmwares, such as VMWare, didn't enforce the attribute check and just deleted the variables with matched name and GUID. In such system, MokListRT was always removed before it reached OS. Fixes: https://github.com/rhboot/shim/issues/386 Signed-off-by: Gary Lin --- mok.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mok.c b/mok.c index beac0ff6..5ea39d54 100644 --- a/mok.c +++ b/mok.c @@ -863,7 +863,7 @@ maybe_mirror_one_mok_variable(struct mok_state_variable *v, BOOLEAN present = FALSE; if (v->rtname) { - if (!only_first && (v->flags & MOK_MIRROR_DELETE_FIRST)) { + if (only_first && (v->flags & MOK_MIRROR_DELETE_FIRST)) { dprint(L"deleting \"%s\"\n", v->rtname); efi_status = LibDeleteVariable(v->rtname, v->guid); dprint(L"LibDeleteVariable(\"%s\",...) => %r\n", v->rtname, efi_status); -- 2.31.1
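Review bot: The flipped condition `if (only_first && (v->flags & MOK_MIRROR_DELETE_FIRST)) {` now encodes an ordering contract with the second mirroring pass, and nothing at the site says so; a reader sees only the flag name. Add a why-comment above it, e.g. `/* Purge the stale RT copy only in the first pass; the second pass must not delete what the first pass just mirrored (rhboot/shim#386). */`. The `LibDeleteVariable` result is only traced through `dprint`, which is reasonable because a missing variable on first boot is expected, but that expectation deserves a word in the same comment. maybe_mirror_one_mok_variable continues beyond the hunk.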
commit shim for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2021-06-25 15:00:33 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.2625 (New) Package is "shim" Fri Jun 25 15:00:33 2021 rev:98 rq:901237 version:15.4 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2021-06-15 16:37:12.693680451 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.2625/shim.changes 2021-06-25 15:00:51.492116465 +0200 @@ -1,0 +2,24 @@ +Mon Jun 21 08:51:37 UTC 2021 - Gary Ching-Pang Lin + +- Add shim-bsc1185232-fix-config-table-copying.patch to avoid + buffer overflow when copying data to the MOK config table + (bsc#1185232) + +--- +Mon Jun 21 01:58:00 UTC 2021 - Gary Ching-Pang Lin + +- Add shim-disable-export-vendor-dbx.patch to disable exporting + vendor-dbx to MokListXRT since writing a large RT variable + could crash some machines (bsc#1185261) +- Add shim-bsc1187260-fix-efi-1.10-machines.patch to avoid the + potential crash when calling QueryVariableInfo in EFI 1.10 + machines (bsc#1187260) + +--- +Thu Jun 17 03:03:37 UTC 2021 - Gary Ching-Pang Lin + +- Add shim-fix-aa64-relsz.patch to fix the size of rela sections + for AArch64 + Fix: https://github.com/rhboot/shim/issues/371 + +--- New: shim-bsc1185232-fix-config-table-copying.patch shim-bsc1187260-fix-efi-1.10-machines.patch shim-disable-export-vendor-dbx.patch shim-fix-aa64-relsz.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.23NATu/_old 2021-06-25 15:00:52.612117831 +0200 +++ /var/tmp/diff_new_pack.23NATu/_new 2021-06-25 15:00:52.612117831 +0200 
@@ -85,6 +85,14 @@ Patch9: shim-bsc1185261-relax-import_mok_state-check.patch # PATCH-FIX-UPSTREAM shim-bsc1185232-relax-loadoptions-length-check.patch bsc#1185232 g...@suse.com -- Relax the check for the LoadOptions length Patch10:shim-bsc1185232-relax-loadoptions-length-check.patch +# PATCH-FIX-UPSTREAM shim-fix-aa64-relsz.patch g...@suse.com -- Fix the size of rela* sections for AArch64 +Patch11:shim-fix-aa64-relsz.patch +# PATCH-FIX-SUSE shim-disable-export-vendor-dbx.patch bsc#1185261 g...@suse.com -- Disable exporting vendor-dbx to MokListXRT +Patch12:shim-disable-export-vendor-dbx.patch +# PATCH-FIX-UPSTREAM shim-bsc1187260-fix-efi-1.10-machines.patch bsc#1187260 g...@suse.com -- Don't call QueryVariableInfo() on EFI 1.10 machines +Patch13:shim-bsc1187260-fix-efi-1.10-machines.patch +# PATCH-FIX-UPSTREAM shim-bsc1185232-fix-config-table-copying.patch bsc#1185232 g...@suse.com -- Avoid buffer overflow when copying the MOK config table +Patch14:shim-bsc1185232-fix-config-table-copying.patch BuildRequires: dos2unix BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 @@ -133,6 +141,10 @@ %patch8 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 %build # generate the vendor SBAT metadata ++ shim-bsc1185232-fix-config-table-copying.patch ++ >From 42c6148c7ebd026862ab96405e78191ff8ebf298 Mon Sep 17 00:00:00 2001 From: Gary Lin Date: Mon, 21 Jun 2021 16:38:02 +0800 Subject: [PATCH] mok: skip the empty variables when copying the data to MOK config table When calculating the size of the MOK config table, we skip the empty variables. However, when copying the data, we copied the zeroed config templates for those empty variables, and this could cause crash since we may write more data than the allocated pages. This commit skips the empty variables when copying the data so that the size of copied data matches config_sz. Signed-off-by: Gary Lin --- mok.c | 18 ++ 1 file changed, 10 insertions(+), 8 deletions(-) 
diff --git a/mok.c b/mok.c index beac0ff6..add21223 100644 --- a/mok.c +++ b/mok.c @@ -1028,16 +1028,18 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) for (i = 0; p && mok_state_variables[i].name != NULL; i++) { struct mok_state_variable *v = &mok_state_variables[i]; - ZeroMem(&config_template, sizeof(config_template)); - strncpy(config_template.name, (CHAR8 *)v->rtname8, 255); - config_template.name[255] = '\0'; + if (v->data && v->data_size) { + ZeroMem(&config_template, sizeof(config_template)); + strncpy(config_template.name, (CHAR8 *)v->rtname8, 255); + config_template.name[255] = '\0';
commit shim for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2021-06-15 16:37:00 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.32437 (New) Package is "shim" Tue Jun 15 16:37:00 2021 rev:97 rq:99 version:15.4 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2021-06-02 22:10:28.152127832 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.32437/shim.changes 2021-06-15 16:37:12.693680451 +0200 @@ -1,0 +2,12 @@ +Fri Jun 4 09:22:51 UTC 2021 - Gary Ching-Pang Lin + +- Add shim-bsc1185232-relax-loadoptions-length-check.patch to + ignore the odd LoadOptions length (bsc#1185232) + +--- +Fri Jun 4 07:02:03 UTC 2021 - Gary Ching-Pang Lin + +- shim-install: reset def_shim_efi to "shim.efi" if the given + file doesn't exist + +--- @@ -33 +45 @@ - (bsc#1185441) + (bsc#1185441, bsc#1187071) New: shim-bsc1185232-relax-loadoptions-length-check.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.HwiD8w/_old 2021-06-15 16:37:13.401681676 +0200 +++ /var/tmp/diff_new_pack.HwiD8w/_new 2021-06-15 16:37:13.405681684 +0200 @@ -83,6 +83,8 @@ Patch8: shim-bsc1185621-relax-max-var-sz-check.patch # PATCH-FIX-UPSTREAM shim-bsc1185261-relax-import_mok_state_check.patch bsc#1185261 g...@suse.com -- Relax the check for import_mok_state() when Secure Boot is off Patch9: shim-bsc1185261-relax-import_mok_state-check.patch +# PATCH-FIX-UPSTREAM shim-bsc1185232-relax-loadoptions-length-check.patch bsc#1185232 g...@suse.com -- Relax the check for the LoadOptions length +Patch10:shim-bsc1185232-relax-loadoptions-length-check.patch BuildRequires: dos2unix BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 @@ -130,6 +132,7 @@ %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 %build # generate the vendor SBAT metadata ++ shim-bsc1185232-relax-loadoptions-length-check.patch ++ >From 795c62cb023886d39f1ee15977dc3194e01da57f Mon Sep 17 00:00:00 2001 
From: Gary Lin Date: Fri, 4 Jun 2021 17:02:31 +0800 Subject: [PATCH] shim: don't fail on the odd LoadOptions length Some firmware feeds the LoadOptions with an odd length when booting from an USB device(*). We should only skip this kind of LoadOptions, not fail it, or the user won't be able to boot the system from USB or CD-ROM. (*) https://bugzilla.suse.com/show_bug.cgi?id=1185232#c62 Signed-off-by: Gary Lin --- shim.c | 11 +-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/shim.c b/shim.c index c5cfbb83..dd563cf6 100644 --- a/shim.c +++ b/shim.c @@ -1411,9 +1411,16 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle) return efi_status; } - /* Sanity check since we make several assumptions about the length */ + /* Sanity check since we make several assumptions about the length +* Some firmware feeds the following load option when booting from +* an USB device: +* +*0x46 0x4a 0x00 |FJ.| +* +* The string is meaningless for shim and so just ignore it. +* */ if (li->LoadOptionsSize % 2 != 0) - return EFI_INVALID_PARAMETER; + return EFI_SUCCESS; /* So, load options are a giant pain in the ass. If we're invoked * from the EFI shell, we get something like this: -- 2.31.1 ++ shim-install ++ --- /var/tmp/diff_new_pack.HwiD8w/_old 2021-06-15 16:37:13.509681864 +0200 +++ /var/tmp/diff_new_pack.HwiD8w/_new 2021-06-15 16:37:13.509681864 +0200 @@ -28,7 +28,7 @@ [ ! -r /usr/etc/default/shim ] || . /usr/etc/default/shim [ ! -r /etc/default/shim ] || . /etc/default/shim -if [ -z "$def_shim_efi" ] ; then +if [ -z "$def_shim_efi" -o ! -e ${source_dir}/${def_shim_efi} ] ; then def_shim_efi="shim.efi" fi
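Review bot: Returning `EFI_SUCCESS` on an odd `li->LoadOptionsSize` now drops the load options silently, so a boot that unexpectedly lands on the default second stage leaves no trace of why. Keep the relaxed behaviour but make it visible in verbose builds with a `dprint(L"LoadOptions size is odd, ignoring them\n");` immediately before the `return EFI_SUCCESS;`. The new comment block also ends with a `* */` line, which is an odd way to close it; a plain `*/` matches the surrounding comments. set_second_stage continues beyond the hunk.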
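Review bot: In `if [ -z "$def_shim_efi" -o ! -e ${source_dir}/${def_shim_efi} ] ; then`, the path operand is unquoted, so a value containing whitespace breaks the test, and `-o` is obsolescent in POSIX `test` with ambiguous parsing when an operand looks like an operator. Write it as two tests: `if [ -z "$def_shim_efi" ] || [ ! -e "${source_dir}/${def_shim_efi}" ]; then`. Since `def_shim_efi` comes from the sourced `/etc/default/shim`, the fallback also deserves a one-line comment stating that a configured name is ignored when that file does not exist under `source_dir`. The hunk's trailing context line may be cut at the end of this mail.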
commit shim for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2021-06-02 22:10:23 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.1898 (New) Package is "shim" Wed Jun 2 22:10:23 2021 rev:96 rq:895435 version:15.4 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2021-05-08 22:07:24.353745628 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.1898/shim.changes 2021-06-02 22:10:28.152127832 +0200 @@ -1,0 +2,15 @@ +Wed May 19 01:07:43 UTC 2021 - Gary Ching-Pang Lin + +- shim-install: instead of assuming "removable" for Azure, remove + fallback.efi from \EFI\Boot and copy grub.efi/cfg to \EFI\Boot + to make \EFI\Boot bootable and keep the boot option created by + efibootmgr (bsc#1185464, bsc#1185961) + +--- +Tue May 11 02:57:14 UTC 2021 - Gary Ching-Pang Lin + +- Add shim-bsc1185261-relax-import_mok_state-check.patch to relax + the check for import_mok_state() when Secure Boot is off. + (bsc#1185261) + +--- New: shim-bsc1185261-relax-import_mok_state-check.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.QbU0Hm/_old 2021-06-02 22:10:29.016127762 +0200 +++ /var/tmp/diff_new_pack.QbU0Hm/_new 2021-06-02 22:10:29.020127761 +0200 @@ -81,6 +81,8 @@ Patch7: shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch # PATCH-FIX-UPSTREAM shim-bsc1185621-relax-max-var-sz-check.patch bsc#1185621 g...@suse.com -- Relax the maximum variable size check for u-boot Patch8: shim-bsc1185621-relax-max-var-sz-check.patch +# PATCH-FIX-UPSTREAM shim-bsc1185261-relax-import_mok_state_check.patch bsc#1185261 g...@suse.com -- Relax the check for import_mok_state() when Secure Boot is off +Patch9: shim-bsc1185261-relax-import_mok_state-check.patch BuildRequires: dos2unix BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 
@@ -127,6 +129,7 @@ %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 %build # generate the vendor SBAT metadata ++ shim-bsc1185261-relax-import_mok_state-check.patch ++ >From 3e33205b9c957624df7e30a2e5e2847f23d37989 Mon Sep 17 00:00:00 2001 From: Gary Lin Date: Tue, 11 May 2021 10:41:43 +0800 Subject: [PATCH] Relax the check for import_mok_state() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit An openSUSE user reported(*) that shim 15.4 failed to boot the system with the following message: "Could not create MokListXRT: Out of Resources" In the beginning, I thought it's caused by the growing size of vendor-dbx. However, we found the following messages after set SHIM_VERBOSE: max_var_sz:8000 remaining_sz:85EC max_storage_sz:9000 SetVariable(???MokListXRT???, ... varsz=0x1404) = Out of Resources Even though the firmware claimed the remaining storage size is 0x85EC, it still rejected MokListXRT with size 0x1404. It seems that the return values from QueryVariableInfo() are not reliable. Since this firmware didn't really support Secure Boot, the variable mirroring is not so critical, so we can just accept the failure of import_mok_state() and continue boot. (*) https://bugzilla.suse.com/show_bug.cgi?id=1185261 Signed-off-by: Gary Lin --- shim.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/shim.c b/shim.c index c5cfbb83..d38ae2f0 100644 --- a/shim.c +++ b/shim.c 
@@ -1973,10 +1973,13 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab) * boot-services-only state variables are what we think they are. */ efi_status = import_mok_state(image_handle); - if (!secure_mode() && efi_status == EFI_INVALID_PARAMETER) { + if (!secure_mode() && + (efi_status == EFI_INVALID_PARAMETER || +efi_status == EFI_OUT_OF_RESOURCES)) { /* * Make copy failures fatal only if secure_mode is enabled, or -* the error was anything else than EFI_INVALID_PARAMETER. +* the error was anything else than EFI_INVALID_PARAMETER or +* EFI_OUT_OF_RESOURCES. * There are non-secureboot firmware implementations that don't * reserve enough EFI variable memory to fit the variable. */ -- 2.31.1 ++ shim-install ++ --- /var/tmp/diff_new_pack.QbU0Hm/_old 2021-06-02 22:10:29.120127753 +0200 +++ /var/tmp/diff_new_pack.QbU0Hm/_new 2021-06-02 22:10:29.120127753 +0200 @@ -221,15 +221,6 @@ esac done -# bsc#1185464 -# The A
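Review bot: The widened condition explains the policy (tolerate the copy failure only outside secure mode) but not why EFI_OUT_OF_RESOURCES is now on the list, and that rationale lives only in the patch e-mail. Since `!secure_mode()` is evaluated first, the relaxation can never apply under Secure Boot, which is the property worth stating next to the code; suggest extending the new comment line to `* EFI_OUT_OF_RESOURCES (bsc#1185261: QueryVariableInfo() reported free space that SetVariable() then refused).`. The body of the if block, where the failure is actually downgraded to non-fatal, continues outside the hunk.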
commit shim for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2021-05-08 22:07:23 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.2988 (New) Package is "shim" Sat May 8 22:07:23 2021 rev:95 rq:891231 version:15.4 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2021-05-02 18:35:40.793059319 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.2988/shim.changes 2021-05-08 22:07:24.353745628 +0200 @@ -1,0 +2,19 @@ +Fri May 7 08:33:49 UTC 2021 - Gary Ching-Pang Lin + +- shim-install: always assume "removable" for Azure to avoid the + endless reset loop (bsc#1185464) + +--- +Thu May 6 03:18:32 UTC 2021 - Gary Ching-Pang Lin + +- Add shim-bsc1185621-relax-max-var-sz-check.patch to relax the + maximum variable size check for u-boot (bsc#1185621) + +--- +Mon May 3 03:46:27 UTC 2021 - Gary Ching-Pang Lin + +- Add shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch + to handle ignore_db and user_insecure_mode correctly + (bsc#1185441) + +--- New: shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch shim-bsc1185621-relax-max-var-sz-check.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.Om96XS/_old 2021-05-08 22:07:25.001742823 +0200 +++ /var/tmp/diff_new_pack.Om96XS/_new 2021-05-08 22:07:25.005742805 +0200 
@@ -77,6 +77,10 @@ Patch5: remove_build_id.patch # PATCH-FIX-UPSTREAM shim-bsc1184454-allocate-mok-config-table-BS.patch bsc#1184454 g...@suse.com -- Allocate MOK config table as BootServicesData to avoid the error message from linux kernel Patch6: shim-bsc1184454-allocate-mok-config-table-BS.patch +# PATCH-FIX-UPSTREAM shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch bsc#1184454 g...@suse.com -- Handle ignore_db and user_insecure_mode correctly +Patch7: shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch +# PATCH-FIX-UPSTREAM shim-bsc1185621-relax-max-var-sz-check.patch bsc#1185621 g...@suse.com -- Relax the maximum variable size check for u-boot +Patch8: shim-bsc1185621-relax-max-var-sz-check.patch BuildRequires: dos2unix BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 @@ -121,6 +125,8 @@ %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 +%patch8 -p1 %build # generate the vendor SBAT metadata ++ shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch ++ >From 822d07ad4f07ef66fe447a130e1027c88d02a394 Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Thu, 8 Apr 2021 22:39:02 -0700 Subject: [PATCH] Fix handling of ignore_db and user_insecure_mode In 65be350308783a8ef537246c8ad0545b4e6ad069, import_mok_state() is split up into a function that manages the whole mok state, and one that handles the state machine for an individual state variable. Unfortunately, the code that initializes the global ignore_db and user_insecure_mode was copied from import_mok_state() into the new import_one_mok_state() function, and thus re-initializes that state each time it processes a MoK state variable, before even assessing if that variable is set. As a result, we never honor either flag, and the machine owner cannot disable trusting the system firmware's db/dbx databases or disable validation altogether. This patch removes the extra re-initialization, allowing those variables to be set properly. 
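Review bot: The comment added for Patch7 cites `bsc#1184454`, but the patch it describes is `shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch` and the changelog entry in this request attributes it to bsc#1185441; bsc#1184454 is the bug on the Patch6 line just above, so this reads as a copy-paste slip. Change it to `# PATCH-FIX-UPSTREAM shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch bsc#1185441 g...@suse.com -- Handle ignore_db and user_insecure_mode correctly`. The Patch8 comment in the same hunk is consistent with its file name and bug number.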
Signed-off-by: Adam Williamson --- mok.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/mok.c b/mok.c index 5ad9072b..9e37d6ab 100644 --- a/mok.c +++ b/mok.c @@ -888,9 +888,6 @@ EFI_STATUS import_one_mok_state(struct mok_state_variable *v, EFI_STATUS ret = EFI_SUCCESS; EFI_STATUS efi_status; - user_insecure_mode = 0; - ignore_db = 0; - UINT32 attrs = 0; BOOLEAN delete = FALSE; -- 2.31.1 ++ shim-bsc1185621-relax-max-var-sz-check.patch ++ commit 690ec2419a8c2c4246450e447629adc85f9a6f40 Author: Gary Lin Date: Wed May 5 11:25:07 2021 +0800 mok: relax the maximum variable size check Some UEFI environment such as u-boot doesn't implement QueryVariableInfo(), so we couldn't rely on the function to estimate the available space for RT variables. All we can do is to call SetVariable() directly and check the return value of SetVariable(). Signed-off-by: Gary Lin diff --git a/mok.c b/mok.c index 5ad9072b..1f9820e7 100644 --- a/mok.c +++ b/mok.c
commit shim for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2021-05-02 18:35:23 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.1947 (New) Package is "shim" Sun May 2 18:35:23 2021 rev:94 rq:888995 version:15.4 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2021-04-10 15:26:29.766316259 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.1947/shim.changes 2021-05-02 18:35:40.793059319 +0200 @@ -1,0 +2,8 @@ +Wed Apr 28 09:28:30 UTC 2021 - Gary Ching-Pang Lin + +- Split the keys in vendor-dbx.bin to vendor-dbx-sles and + vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce + the size of MokListXRT (bsc#1185261) + + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz + +--- New: vendor-dbx-opensuse.bin vendor-dbx-sles.bin Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.ytlyp9/_old 2021-05-02 18:35:41.493056336 +0200 +++ /var/tmp/diff_new_pack.ytlyp9/_new 2021-05-02 18:35:41.497056319 +0200 @@ -60,8 +60,10 @@ Source12: signature-opensuse.aarch64.asc Source13: signature-sles.aarch64.asc Source50: dbx-cert.tar.xz -# vendor-dbx.bin is generated by generate-vendor-dbx.sh in dbx-cert.tar.xz +# vendor-dbx*.bin are generated by generate-vendor-dbx.sh in dbx-cert.tar.xz Source51: vendor-dbx.bin +Source52: vendor-dbx-sles.bin +Source53: vendor-dbx-opensuse.bin Source99: SIGNATURE_UPDATE.txt # PATCH-FIX-SUSE shim-arch-independent-names.patch g...@suse.com -- Use the Arch-independent names Patch1: shim-arch-independent-names.patch @@ -111,7 +113,6 @@ %description -n shim-debugsource The source code of UEFI shim loader - %prep %setup -q %patch1 -p1 @@ -165,6 +166,7 @@ if test "$suffix" = "opensuse"; then cert=%{SOURCE2} verify='openSUSE Secure Boot CA1' + vendor_dbx=%{SOURCE53} %ifarch x86_64 signature=%{SOURCE1} %else 
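Review bot: The reworded comment `# vendor-dbx*.bin are generated by generate-vendor-dbx.sh in dbx-cert.tar.xz` is no longer true for Source51: the generate-vendor-dbx.sh diff in this same request only iterates `FLAVORS="openSUSE SLES"` and writes vendor-dbx-opensuse.bin and vendor-dbx-sles.bin, so vendor-dbx.bin, which the devel flavor still passes as VENDOR_DBX_FILE, now has no generator. A revocation list that silently stops being regenerated is a list that stops revoking, so the decision should be explicit; either keep a combined output in the script or state it in the spec, e.g. `# vendor-dbx-{sles,opensuse}.bin are generated by generate-vendor-dbx.sh in dbx-cert.tar.xz; vendor-dbx.bin (devel builds only) is the older combined list and is not regenerated`.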
@@ -176,6 +178,7 @@ elif test "$suffix" = "sles"; then cert=%{SOURCE4} verify='SUSE Linux Enterprise Secure Boot CA1' + vendor_dbx=%{SOURCE52} %ifarch x86_64 signature=%{SOURCE11} %else @@ -187,6 +190,7 @@ elif test "$suffix" = "devel"; then cert=%{_sourcedir}/_projectcert.crt verify=`openssl x509 -in "$cert" -noout -email` + vendor_dbx=%{SOURCE51} signature='' test -e "$cert" || continue else @@ -198,7 +202,7 @@ make RELEASE=0 SHIMSTEM=shim \ VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \ DEFAULT_LOADER="grub.efi" \ - VENDOR_DBX_FILE=%{SOURCE51} \ + VENDOR_DBX_FILE=$vendor_dbx \ shim.efi.debug shim.efi # # assert correct certificate embedded ++ dbx-cert.tar.xz ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dbx-cert/generate-vendor-dbx.sh new/dbx-cert/generate-vendor-dbx.sh --- old/dbx-cert/generate-vendor-dbx.sh 2020-07-10 09:18:35.508195647 +0200 +++ new/dbx-cert/generate-vendor-dbx.sh 2021-04-28 11:21:35.387363178 +0200 @@ -3,16 +3,20 @@ # This script goes through all .crt files in this directory and stores # them in EFI signature database format. -OUTPUT=vendor-dbx.bin +FLAVORS="openSUSE SLES" -mkdir tmp +for flavor in ${FLAVORS}; do + OUTPUT=vendor-dbx-$(echo ${flavor} | tr '[:upper:]' '[:lower:]').bin -for cert in *.crt -do - BASENAME=`basename $cert .crt` - openssl x509 -in $cert -outform der -out tmp/${BASENAME}.der - efisiglist -a -c tmp/${BASENAME}.der -o tmp/${BASENAME}.bin -done + mkdir tmp + + for cert in ${flavor}-*.crt + do + BASENAME=`basename $cert .crt` + openssl x509 -in $cert -outform der -out tmp/${BASENAME}.der + efisiglist -a -c tmp/${BASENAME}.der -o tmp/${BASENAME}.bin + done -cat tmp/*bin > $OUTPUT -rm -rf tmp + cat tmp/*bin > $OUTPUT + rm -rf tmp +done
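Review bot: The new loop `for cert in ${flavor}-*.crt` does not fail closed: when no certificate matches, the shell passes the literal pattern to openssl, nothing checks its exit status, and `cat tmp/*bin > $OUTPUT` then writes an empty or partial vendor-dbx for that flavor, a blocklist that blocks nothing while the build carries on. Add `set -e` near the top of the script (outside the hunk) and guard the glob as the first statement of the loop, `[ -e "$cert" ] || { echo "no ${flavor}-*.crt found" >&2; exit 1; }`. The unquoted `$cert` and `$OUTPUT` and the `mkdir tmp` with no cleanup on failure are pre-existing habits carried into the rewritten lines; quoting them costs nothing.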
commit shim for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2021-04-10 15:26:12 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.2401 (New) Package is "shim" Sat Apr 10 15:26:12 2021 rev:93 rq:883801 version:15.4 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2021-03-15 10:53:43.801109986 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new.2401/shim.changes 2021-04-10 15:26:29.766316259 +0200 
@@ -1,0 +2,68 @@ +Thu Apr 8 08:44:27 UTC 2021 - Gary Ching-Pang Lin + +- Add shim-bsc1184454-allocate-mok-config-table-BS.patch to avoid + the error message during linux system boot (bsc#1184454) + +--- +Wed Apr 7 12:25:02 UTC 2021 - Johannes Segitz + +- Add remove_build_id.patch to prevent the build id being added to + the binary. That can cause issues with the signature + +--- +Wed Mar 31 08:40:49 UTC 2021 - Gary Ching-Pang Lin + +- Update to 15.4 (bsc#1182057) + + Rename the SBAT variable and fix the self-check of SBAT + + sbat: add more dprint() + + arm/aa64: Swizzle some sections to make old sbsign happier + + arm/aa64 targets: put .rel* and .dyn* in .rodata +- Drop upstreamed patch: + + shim-bsc1182057-sbat-variable-enhancement.patch + +--- +Mon Mar 29 07:18:20 UTC 2021 - Gary Ching-Pang Lin + +- Add shim-bsc1182057-sbat-variable-enhancement.patch to change + the SBAT variable name and enhance the handling of SBAT + (bsc#1182057) + +--- +Wed Mar 24 01:29:17 UTC 2021 - Gary Ching-Pang Lin + +- Update to 15.3 for SBAT support (bsc#1182057) + + Drop gnu-efi from BuildRequires since upstream pull it into the +tar ball. 
+- Generate vender-specific SBAT metadata + + Add dos2unix to BuildRequires since Makefile requires it for +vendor SBAT +- Update dbx-cert.tar.xz and vendor-dbx.bin to block the following + sign keys: + + SLES-UEFI-SIGN-Certificate-2020-07.crt + + openSUSE-UEFI-SIGN-Certificate-2020-07.crt +- Refresh patches + + shim-arch-independent-names.patch + + shim-change-debug-file-path.patch + + shim-bsc1177315-verify-eku-codesign.patch +- Unified with shim-bsc1177315-fix-buffer-use-after-free.patch +- Drop upstreamed fixes + + shim-correct-license-in-headers.patch + + shim-always-mirror-mok-variables.patch + + shim-bsc1175509-more-tpm-fixes.patch + + shim-bsc1173411-only-check-efi-var-on-sb.patch + + shim-fix-verify-eku.patch + + gcc9-fix-warnings.patch + + shim-fix-gnu-efi-3.0.11.patch + + shim-bsc1177404-fix-a-use-of-strlen.patch + + shim-do-not-write-string-literals.patch + + shim-VLogError-Avoid-Null-pointer-dereferences.patch + + shim-bsc1092000-fallback-menu.patch + + shim-bsc1175509-tpm2-fixes.patch + + shim-bsc1174512-correct-license-in-headers.patch + + shim-bsc1182776-fix-crash-at-exit.patch +- Drop shim-opensuse-cert-prompt.patch + + All newly released openSUSE kernels enable kernel lockdown +and signature verification, so there is no need to add the +prompt anymore. 
+ +--- Old: gcc9-fix-warnings.patch shim-15+git47.tar.bz2 shim-VLogError-Avoid-Null-pointer-dereferences.patch shim-always-mirror-mok-variables.patch shim-bsc1092000-fallback-menu.patch shim-bsc1173411-only-check-efi-var-on-sb.patch shim-bsc1174512-correct-license-in-headers.patch shim-bsc1175509-more-tpm-fixes.patch shim-bsc1175509-tpm2-fixes.patch shim-bsc1177315-fix-buffer-use-after-free.patch shim-bsc1177404-fix-a-use-of-strlen.patch shim-bsc1182776-fix-crash-at-exit.patch shim-correct-license-in-headers.patch shim-do-not-write-string-literals.patch shim-fix-gnu-efi-3.0.11.patch shim-fix-verify-eku.patch shim-opensuse-cert-prompt.patch New: remove_build_id.patch shim-15.4.tar.bz2 shim-bsc1184454-allocate-mok-config-table-BS.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.wLskZp/_old 2021-04-10 15:26:30.466317083 +0200 +++ /var/tmp/diff_new_pack.wLskZp/_new 2021-04-10 15:26:30.470317088 +0200 @@ -36,7 +36,7 @@ %endif Name: shim -Version:15+git47 +Version:15.4 Release:0 Summary:UEFI shim loader License:BSD-2-Clause @@ -67,43 +67,15 @@ Patch1: shim-arch-independent-names.patch # PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch g...@suse.com -- Change the default debug file path Patch2: shim-change-debug-file-pat
commit shim for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2021-03-15 10:53:37 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.2401 (New) Package is "shim" Mon Mar 15 10:53:37 2021 rev:92 rq:878251 version:15+git47 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2021-03-10 08:52:02.978566589 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new.2401/shim.changes 2021-03-15 10:53:43.801109986 +0100 @@ -1,0 +2,8 @@ +Thu Mar 11 03:15:03 UTC 2021 - Gary Ching-Pang Lin + +- Refresh shim-bsc1182776-fix-crash-at-exit.patch to do the cleanup + also when Secure Boot is disabled (bsc#1183213, bsc#1182776) +- Merged linker-version.pl into timestamp.pl and add the linker + version to signature files accordingly + +--- Old: linker-version.pl Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.2yL7CV/_old 2021-03-15 10:53:44.709111380 +0100 +++ /var/tmp/diff_new_pack.2yL7CV/_new 2021-03-15 10:53:44.709111380 +0100 @@ -59,7 +59,6 @@ Source11: signature-sles.x86_64.asc Source12: signature-opensuse.aarch64.asc Source13: signature-sles.aarch64.asc -Source14: linker-version.pl Source50: dbx-cert.tar.xz # vendor-dbx.bin is generated by generate-vendor-dbx.sh in dbx-cert.tar.xz Source51: vendor-dbx.bin 
@@ -246,14 +245,6 @@ # alternative: verify signature #sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi if test -n "$signature"; then -%ifarch x86_64 -# Modify MajorLinkerVersion and MinorLinkerVersion in the - # EFI/PE header to match the one for the SLE signature. -if test "$suffix" = "sles"; then -chmod 755 %{SOURCE14} -%{SOURCE14} shim.efi -fi -%endif head -1 "$signature" > hash1 cp shim.efi shim.efi.bak # pe header contains timestamp and checksum. we need to ++ shim-bsc1182776-fix-crash-at-exit.patch ++ --- /var/tmp/diff_new_pack.2yL7CV/_old 2021-03-15 10:53:44.805111527 +0100 +++ /var/tmp/diff_new_pack.2yL7CV/_new 2021-03-15 10:53:44.809111532 +0100 
@@ -1,7 +1,58 @@ -From 74d26654d55a4f32e58b76757efca50ceedefef4 Mon Sep 17 00:00:00 2001 +From 83b82c611d7d3b864f5f46764645f4eed096 Mon Sep 17 00:00:00 2001 +From: Stuart Hayes +Date: Fri, 8 Feb 2019 15:48:20 -0500 +Subject: [PATCH 1/2] Hook exit when shim_lock protocol installed + +A recent commit moved where the shim_lock protocol is loaded and +unloaded, but did not move where exit was hooked and unhooked. Exit +needs to be hooked when the protocol is installed, so that the protocol +will be uninstalled on exit. Otherwise, the system can crash if, for +example, shim loads grub, the user exits grub, shim is run again, which +installs a second instance of the protocol, and then grub tries to use +the shim_lock protocol that was installed by the first instance of shim. + +Signed-off-by: Stuart Hayes +Upstream-commit-id: 06c92591e94 +(cherry picked from commit b5e10f70c7a495dc1788e3604803ee633f1e5f76) +--- + shim.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/shim.c b/shim.c +index 6ce30a06..e9ab8f1a 100644 +--- a/shim.c b/shim.c +@@ -2517,9 +2517,9 @@ shim_init(void) + loader_is_participating = 0; + } + +- hook_exit(systab); + } + ++ hook_exit(systab); + return install_shim_protocols(); + } + +@@ -2537,9 +2537,10 @@ shim_fini(void) +* Remove our hooks from system services. +*/ + unhook_system_services(); +- unhook_exit(); + } + ++ unhook_exit(); ++ + /* +* Free the space allocated for the alternative 2nd stage loader +*/ +-- +2.29.2 + + +From 13eeece966bf2e5b2d1c1cca0c8b47bbded0f98e Mon Sep 17 00:00:00 2001 From: Gary Lin Date: Fri, 5 Mar 2021 15:00:29 +0800 -Subject: [PATCH] Restore loaded image of shim at Exit() +Subject: [PATCH 2/2] Restore loaded image of shim at Exit() When grub2 invoked Exit() in AArch64 AAVMF, the VM crashed with the following messsages: @@ -24,17 +75,18 @@ do_exit(). 
Signed-off-by: Gary Lin +(cherry picked from commit 74d26654d55a4f32e58b76757efca50ceedefef4) --- replacements.c | 2 ++ shim.c | 41 - shim.h | 1 + 3 files changed, 27 insertions(+), 17 deletions(-) -Index: shim-15+git47/replacements.c -=== shim-15+git47.orig/replacements.c -+++ shim-15+git47/repla
commit shim for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2021-03-10 08:50:40 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.2378 (New) Package is "shim" Wed Mar 10 08:50:40 2021 rev:91 rq:877920 version:15+git47 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2021-01-27 18:56:54.424310121 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new.2378/shim.changes 2021-03-10 08:52:02.978566589 +0100 @@ -1,0 +2,6 @@ +Mon Mar 8 03:13:13 UTC 2021 - Gary Ching-Pang Lin + +- Add shim-bsc1182776-fix-crash-at-exit.patch to fix the potential + crash at Exit() (bsc#1182776) + +--- New: shim-bsc1182776-fix-crash-at-exit.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.tVYUQ2/_old 2021-03-10 08:52:03.794567431 +0100 +++ /var/tmp/diff_new_pack.tVYUQ2/_new 2021-03-10 08:52:03.798567435 +0100 @@ -100,6 +100,8 @@ Patch16:shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch # PATCH-FIX-SUSE shim-bsc1177315-fix-buffer-use-after-free.patch bsc#1177315 g...@suse.com -- Fix buffer use-after-free at the end of the EKU verification Patch17:shim-bsc1177315-fix-buffer-use-after-free.patch +# PATCH-FIX-UPSTREAM shim-bsc1182776-fix-crash-at-exit.patch bsc#1182776 g...@suse.com -- Fix the potential crash at Exit() +Patch18:shim-bsc1182776-fix-crash-at-exit.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not Patch100: shim-opensuse-cert-prompt.patch BuildRequires: gnu-efi >= 3.0.3 @@ -163,6 +165,7 @@ %patch15 -p1 %patch16 -p1 %patch17 -p1 +%patch18 -p1 %endif %if 0%{?is_opensuse} == 1 %patch100 -p1 ++ shim-bsc1182776-fix-crash-at-exit.patch ++ >From 74d26654d55a4f32e58b76757efca50ceedefef4 Mon Sep 17 00:00:00 2001 
From: Gary Lin Date: Fri, 5 Mar 2021 15:00:29 +0800 Subject: [PATCH] Restore loaded image of shim at Exit() When grub2 invoked Exit() in AArch64 AAVMF, the VM crashed with the following messsages: Unloading driver at 0x000B7D7B000 Synchronous Exception at 0xBF5D5E68 AllocatePool: failed to allocate 800 bytes Synchronous Exception at 0xBF5D5E68 The similar error also showed when I modified MokManager to call gBS->Exit() at the end of efi_main(). However, if MokManager just returned, the error never showed. One significant difference is whether the loaded image was restored or not, and the firmware seems to need the original ImageBase pointer to do clean-up. To avoid the potential crash, this commit adds restore_loaded_image() so that we can restore the loaded image both in start_image() and do_exit(). Signed-off-by: Gary Lin --- replacements.c | 2 ++ shim.c | 41 - shim.h | 1 + 3 files changed, 27 insertions(+), 17 deletions(-) Index: shim-15+git47/replacements.c === --- shim-15+git47.orig/replacements.c +++ shim-15+git47/replacements.c @@ -159,6 +159,8 @@ do_exit(EFI_HANDLE ImageHandle, EFI_STAT shim_fini(); + restore_loaded_image(); + efi_status = gBS->Exit(ImageHandle, ExitStatus, ExitDataSize, ExitData); if (EFI_ERROR(efi_status)) { Index: shim-15+git47/shim.c === --- shim-15+git47.orig/shim.c +++ shim-15+git47/shim.c @@ -58,6 +58,8 @@ static EFI_SYSTEM_TABLE *systab; static EFI_HANDLE global_image_handle; +static EFI_LOADED_IMAGE *shim_li; +static EFI_LOADED_IMAGE shim_li_bak; static CHAR16 *second_stage; static void *load_options; 
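Review bot: `restore_loaded_image()` is now called unconditionally from do_exit(), and the definition added later in this patch (`if (shim_li->FilePath) ...`) dereferences the new `static EFI_LOADED_IMAGE *shim_li` with no NULL check; that static starts out NULL and is presumably assigned only in start_image(), so an Exit() reached before a second stage was loaded would fault at exactly the point this patch is meant to make safe. Guard the call, `if (shim_li) restore_loaded_image();`, or have the function return early when shim_li is NULL. Where shim_li is assigned is outside the hunks shown here, so the reachability of that path is inferred rather than confirmed.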
@@ -1861,13 +1863,24 @@ static EFI_STATUS shim_read_header(void return efi_status; } +VOID +restore_loaded_image(VOID) +{ + if (shim_li->FilePath) + FreePool(shim_li->FilePath); + + /* +* Restore our original loaded image values +*/ + CopyMem(shim_li, &shim_li_bak, sizeof(shim_li_bak)); +} + /* * Load and run an EFI executable */ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) { EFI_STATUS efi_status; - EFI_LOADED_IMAGE *li, li_bak; EFI_IMAGE_ENTRY_POINT entry_point; EFI_PHYSICAL_ADDRESS alloc_address; UINTN alloc_pages; @@ -1882,7 +1895,7 @@ EFI_STATUS start_image(EFI_HANDLE image_ * binary in order to find our path */ efi_status = gBS->HandleProtocol(image_handle, &EFI_LOADED_IMAGE_GUID, -
commit shim for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2021-01-27 18:56:50 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.28504 (New) Package is "shim" Wed Jan 27 18:56:50 2021 rev:90 rq:865544 version:15+git47 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2020-11-05 21:55:22.516122752 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new.28504/shim.changes 2021-01-27 18:56:54.424310121 +0100 @@ -1,0 +2,10 @@ +Fri Jan 22 03:29:56 UTC 2021 - Gary Ching-Pang Lin + +- Update the SLE signature +- Exclude some patches from x86_64 to avoid breaking the signature +- Add shim-correct-license-in-headers.patch back for x86_64 to + match the SLE signature +- Add linker-version.pl to modify the EFI/PE header to match the + SLE signature + +--- New: linker-version.pl shim-correct-license-in-headers.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.uTvaNg/_old 2021-01-27 18:56:56.040312621 +0100 +++ /var/tmp/diff_new_pack.uTvaNg/_new 2021-01-27 18:56:56.040312621 +0100 @@ -1,7 +1,7 @@ # # spec file for package shim # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -59,6 +59,7 @@ Source11: signature-sles.x86_64.asc Source12: signature-opensuse.aarch64.asc Source13: signature-sles.aarch64.asc +Source14: linker-version.pl Source50: dbx-cert.tar.xz # vendor-dbx.bin is generated by generate-vendor-dbx.sh in dbx-cert.tar.xz Source51: vendor-dbx.bin 
@@ -73,6 +74,8 @@ Patch4: shim-always-mirror-mok-variables.patch # PATCH-FIX-UPSTREAM shim-bsc1174512-correct-license-in-headers.patch g...@suse.com -- Fix the license header in errlog.c and mok.c Patch5: shim-bsc1174512-correct-license-in-headers.patch +# PATCH-FIX-SUSE shim-correct-license-in-headers.patch g...@suse.com -- Another fix for the license header in errlog.c and mok.c +Patch51:shim-correct-license-in-headers.patch # PATCH-FIX-UPSTREAM gcc9-fix-warnings.patch mli...@suse.cz -- MokManager: Use CompareMem on MokListNode.Type instead of CompareGuid Patch6: gcc9-fix-warnings.patch # PATCH-FIX-OPENSUSE shim-fix-gnu-efi-3.0.11.patch g...@suse.com -- Fix the build error caused by the typo fix in gnu-efi 3.0.11 @@ -142,10 +145,15 @@ %patch2 -p1 %patch3 -p1 %patch4 -p1 +%ifarch x86_64 +%patch51 -p1 +%else %patch5 -p1 +%endif %patch6 -p1 %patch7 -p1 %patch8 -p1 +%ifarch aarch64 %patch9 -p1 %patch10 -p1 %patch11 -p1 @@ -155,6 +163,7 @@ %patch15 -p1 %patch16 -p1 %patch17 -p1 +%endif %if 0%{?is_opensuse} == 1 %patch100 -p1 %endif 
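Review bot: Wrapping `%patch9` through `%patch17` in `%ifarch aarch64` (the matching `%endif` lands in the second hunk) drops those nine patches from the x86_64 build, and the only stated reason is keeping the binary identical to the SLE signature. Several of the excluded patches are defect fixes: in the 2021-03-10 revision on this page Patch16 is `shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch` and Patch17 is `shim-bsc1177315-fix-buffer-use-after-free.patch`, so, assuming the numbering matches here, the signed x86_64 shim ships without fixes the aarch64 one has. That trade-off should be visible in the spec rather than implied by an `%ifarch`, e.g. `# x86_64 must stay byte-identical to the binary covered by the SLE signature; patches 9-17 are applied on aarch64 only until the next signing round` above the `%ifarch aarch64`, with a tracking reference so the next signed build picks them up.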
@@ -234,6 +243,14 @@ # alternative: verify signature #sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi if test -n "$signature"; then +%ifarch x86_64 +# Modify MajorLinkerVersion and MinorLinkerVersion in the + # EFI/PE header to match the one for the SLE signature. +if test "$suffix" = "sles"; then +chmod 755 %{SOURCE14} +%{SOURCE14} shim.efi +fi +%endif head -1 "$signature" > hash1 cp shim.efi shim.efi.bak # pe header contains timestamp and checksum. we need to ++ linker-version.pl ++ #!/usr/bin/perl -w # # Modify the linker version in the EFI/PE header # # NOTE: only use this script when the signature doesn't match after # a binutils upgrade # use strict; # The target version of binutils: 2.32 my $major_linker_version = 2; my $minor_linker_version = 32; my ($file) = @ARGV; die "$file: $!\n" unless open(my $fh, '+<', $file); # Set MajorLinkerVersion at 0x9a die "seek $file: $!\n" unless seek($fh, 0x9a, 0); die "write $file: $!\n" unless print $fh pack('C', $major_linker_version); # Set MinorLinkerVersion at 0x9b die "seek $file: $!\n" unless seek($fh, 0x9b, 0); die "write $file: $!\n" unless print $fh pack('C', $minor_linker_version); close($fh); ++ shim-correct-license-in-headers.patch ++ >From 64492acf8b1d72cea0c3e203887bfe26fb840f1d Mon Sep 17 00:00:00 2001 From: Gary Lin Date: Thu, 13 Dec 2018 17:19:36 +0800 Subject: [PATCH] Add the license change statement for errlog.c and mok.c --- errlog.c | 6 ++ mok.c| 6 ++ 2 files changed, 12 insertions(+) diff --git a/errlog.c b/errlog.c index 18be482..4a1fffb 100644 --- a/errlog.c +++ b/errlog.c @@ -3,6 +3,12 @@ * Copyright 2017 Peter Jones * * Distributed under terms of the GPLv3 l
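Review bot: The new block runs `%{SOURCE14}` to patch shim.efi in place before the signature hash is taken, but the script it invokes (linker-version.pl, listed after this hunk) writes MajorLinkerVersion and MinorLinkerVersion at the fixed offsets 0x9a and 0x9b instead of locating the optional header through e_lfanew at 0x3c, and it never checks the result of `close($fh)`, so a short write or a changed header layout would corrupt two header bytes silently and only surface later as a signature mismatch. Invoke it without depending on the file mode, `perl %{SOURCE14} shim.efi`, and in the script replace the bare close with `close($fh) or die "close $file: $!\n";` and derive the offset from e_lfanew. The `chmod 755` on a source file is harmless but unnecessary once the interpreter is named explicitly.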