diff --git a/SOURCES/0001-Add-vendor-esl.patch b/SOURCES/0001-Add-vendor-esl.patch
deleted file mode 100644
index c7de89d..0000000
--- a/SOURCES/0001-Add-vendor-esl.patch
+++ /dev/null
@@ -1,318 +0,0 @@
-From ad8b20e8e2cd71418a536a8068f8e37222bd3855 Mon Sep 17 00:00:00 2001
-From: Patrick Uiterwijk
-Date: Sat, 21 Jul 2018 04:12:57 +0200
-Subject: [PATCH] Implement vendor EFI Signature List (ESL)
-
-Signed-off-by: Patrick Uiterwijk
----
- Make.defaults | 3 ++
- cert.S | 30 +++++++++++++++
- mok.c | 100 +++++++++++++++++++++++++++++---------------------
- shim.c | 25 +++++++++++++
- shim.h | 2 +
- 5 files changed, 119 insertions(+), 41 deletions(-)
-
-diff --git a/Make.defaults b/Make.defaults
-index bbfc1d7f..d8b4ba25 100644
---- a/Make.defaults
-+++ b/Make.defaults
-@@ -124,6 +124,9 @@ CFLAGS += "-DEFI_ARCH=L\"$(ARCH_SUFFIX)\"" "-DDEBUGDIR=L\"/usr/lib/debug/usr/sha
- ifneq ($(origin VENDOR_CERT_FILE), undefined)
- CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
- endif
-+ifneq ($(origin VENDOR_ESL_FILE), undefined)
-+ CFLAGS += -DVENDOR_ESL_FILE=\"$(VENDOR_ESL_FILE)\"
-+endif
- ifneq ($(origin VENDOR_DBX_FILE), undefined)
- CFLAGS += -DVENDOR_DBX_FILE=\"$(VENDOR_DBX_FILE)\"
- endif
-diff --git a/cert.S b/cert.S
-index cfc4525b..7ad782ab 100644
---- a/cert.S
-+++ b/cert.S
-@@ -8,12 +8,18 @@ cert_table:
- #else
- .long 0
- #endif
-+#if defined(VENDOR_ESL_FILE)
-+ .long vendor_esl_priv_end - vendor_esl_priv
-+#else
-+ .long 0
-+#endif
- #if defined(VENDOR_DBX_FILE)
- .long vendor_dbx_priv_end - vendor_dbx_priv
- #else
- .long 0
- #endif
- .long vendor_cert_priv - cert_table
-+ .long vendor_esl_priv - cert_table
- .long vendor_dbx_priv - cert_table
- #if defined(VENDOR_CERT_FILE)
- .data
-@@ -39,6 +45,30 @@ vendor_cert_priv:
- .section .vendor_cert, "a", %progbits
- vendor_cert_priv_end:
- #endif
-+#if defined(VENDOR_ESL_FILE)
-+ .data
-+ .align 1
-+ .type vendor_esl_priv, %object
-+ .size vendor_esl_priv, vendor_esl_priv_end-vendor_esl_priv
-+ .section .vendor_cert, "a", %progbits
-+vendor_esl_priv:
-+.incbin VENDOR_ESL_FILE
-+vendor_esl_priv_end:
-+#else
-+ .bss
-+ .type vendor_esl_priv, %object
-+ .size vendor_esl_priv, 1
-+ .section .vendor_cert, "a", %progbits
-+vendor_esl_priv:
-+ .zero 1
-+
-+ .data
-+ .align 4
-+ .type vendor_esl_size_priv, %object
-+ .size vendor_esl_size_priv, 4
-+ .section .vendor_cert, "a", %progbits
-+vendor_esl_priv_end:
-+#endif
- #if defined(VENDOR_DBX_FILE)
- .data
- .align 1
-diff --git a/mok.c b/mok.c
-index 38675211..7734806b 100644
---- a/mok.c
-+++ b/mok.c
-@@ -62,12 +62,6 @@ struct mok_state_variable {
- EFI_GUID *guid;
- UINT8 *data;
- UINTN data_size;
-- /*
-- * These two are indirect pointers just to make initialization
-- * saner...
-- */
-- UINT8 **addend_source;
-- UINT32 *addend_size;
- UINT32 yes_attr;
- UINT32 no_attr;
- UINT32 flags;
-@@ -75,10 +69,11 @@ struct mok_state_variable {
- UINT8 *state;
- };
-
--#define MOK_MIRROR_KEYDB 0x01
--#define MOK_MIRROR_DELETE_FIRST 0x02
--#define MOK_VARIABLE_MEASURE 0x04
--#define MOK_VARIABLE_LOG 0x08
-+#define MOK_MIRROR_KEYDB 0x01
-+#define MOK_MIRROR_DELETE_FIRST 0x02
-+#define MOK_VARIABLE_MEASURE 0x04
-+#define MOK_VARIABLE_LOG 0x08
-+#define MOK_VARIABLE_APPEND_CERT 0x10
-
- struct mok_state_variable mok_state_variables[] = {
- {.name = L"MokList",
-@@ -88,10 +83,9 @@ struct mok_state_variable mok_state_variables[] = {
- .yes_attr = EFI_VARIABLE_BOOTSERVICE_ACCESS |
- EFI_VARIABLE_NON_VOLATILE,
- .no_attr = EFI_VARIABLE_RUNTIME_ACCESS,
-- .addend_source = &vendor_cert,
-- .addend_size = &vendor_cert_size,
- .flags = MOK_MIRROR_KEYDB |
-- MOK_VARIABLE_LOG,
-+ MOK_VARIABLE_LOG |
-+ MOK_VARIABLE_APPEND_CERT,
- .pcr = 14,
- },
- {.name = L"MokListX",
-@@ -138,40 +132,54 @@ static EFI_STATUS mirror_one_mok_variable(struct mok_state_variable *v)
- uint8_t *p = NULL;
-
- if ((v->flags & MOK_MIRROR_KEYDB) &&
-- v->addend_source && *v->addend_source &&
-- v->addend_size && *v->addend_size) {
-- EFI_SIGNATURE_LIST *CertList = NULL;
-- EFI_SIGNATURE_DATA *CertData = NULL;
-- FullDataSize = v->data_size
-- + sizeof (*CertList)
-- + sizeof (EFI_GUID)
-- + *v->addend_size;
-+ (v->flags & MOK_VARIABLE_APPEND_CERT)) {
-+ FullDataSize = v->data_size;
-+
-+ if (vendor_esl_size) {
-+ FullDataSize += vendor_esl_size;
-+ }
-+ if (vendor_cert_size) {
-+ FullDataSize += sizeof (EFI_SIGNATURE_LIST)
-+ + sizeof (EFI_GUID)
-+ + vendor_cert_size;
-+ }
-+
- FullData = AllocatePool(FullDataSize);
- if (!FullData) {
- perror(L"Failed to allocate space for MokListRT\n");
- return EFI_OUT_OF_RESOURCES;
- }
- p = FullData;
--
- if (!EFI_ERROR(efi_status) && v->data_size > 0) {
- CopyMem(p, v->data, v->data_size);
- p += v->data_size;
- }
-- CertList = (EFI_SIGNATURE_LIST *)p;
-- p += sizeof (*CertList);
-- CertData = (EFI_SIGNATURE_DATA *)p;
-- p += sizeof (EFI_GUID);
--
-- CertList->SignatureType = EFI_CERT_TYPE_X509_GUID;
-- CertList->SignatureListSize = *v->addend_size
-- + sizeof (*CertList)
-- + sizeof (*CertData)
-- -1;
-- CertList->SignatureHeaderSize = 0;
-- CertList->SignatureSize = *v->addend_size + sizeof (EFI_GUID);
--
-- CertData->SignatureOwner = SHIM_LOCK_GUID;
-- CopyMem(p, *v->addend_source, *v->addend_size);
-+
-+ if (vendor_esl_size) {
-+ CopyMem(p, vendor_esl, vendor_esl_size);
-+ p += vendor_esl_size;
-+ }
-+
-+ if (vendor_cert_size) {
-+ EFI_SIGNATURE_LIST *CertList = NULL;
-+ EFI_SIGNATURE_DATA *CertData = NULL;
-+
-+ CertList = (EFI_SIGNATURE_LIST *)p;
-+ p += sizeof (*CertList);
-+ CertData = (EFI_SIGNATURE_DATA *)p;
-+ p += sizeof (EFI_GUID);
-+
-+ CertList->SignatureType = EFI_CERT_TYPE_X509_GUID;
-+ CertList->SignatureListSize = vendor_cert_size
-+ + sizeof (*CertList)
-+ + sizeof (*CertData)
-+ -1;
-+ CertList->SignatureHeaderSize = 0;
-+ CertList->SignatureSize = vendor_cert_size + sizeof (EFI_GUID);
-+
-+ CertData->SignatureOwner = SHIM_LOCK_GUID;
-+ CopyMem(p, vendor_cert, vendor_cert_size);
-+ }
-
- if (v->data && v->data_size)
- FreePool(v->data);
-@@ -223,11 +231,24 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
- UINT32 attrs = 0;
- BOOLEAN delete = FALSE, present, addend;
-
-+ addend = (v->flags & MOK_VARIABLE_APPEND_CERT) != 0;
-+
- efi_status = get_variable_attr(v->name,
- &v->data, &v->data_size,
- *v->guid, &attrs);
-- if (efi_status == EFI_NOT_FOUND)
-+ if (efi_status == EFI_NOT_FOUND) {
-+ if (v->rtname && addend) {
-+ efi_status = mirror_one_mok_variable(v);
-+ if (EFI_ERROR(efi_status) &&
-+ ret != EFI_SECURITY_VIOLATION)
-+ ret = efi_status;
-+ }
-+ /*
-+ * after possibly adding, we can continue, no
-+ * further checks to be done.
-+ */
- continue;
-+ }
- if (EFI_ERROR(efi_status)) {
- perror(L"Could not verify %s: %r\n", v->name,
- efi_status);
-@@ -272,9 +293,6 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
- }
-
- present = (v->data && v->data_size) ? TRUE : FALSE;
-- addend = (v->addend_source && v->addend_size &&
-- *v->addend_source && *v->addend_size)
-- ? TRUE : FALSE;
-
- if (v->flags & MOK_VARIABLE_MEASURE && present) {
- /*
-diff --git a/shim.c b/shim.c
-index 05fc6500..64b79da5 100644
---- a/shim.c
-+++ b/shim.c
-@@ -66,14 +66,18 @@ static UINT32 load_options_size;
- */
- extern struct {
- UINT32 vendor_cert_size;
-+ UINT32 vendor_esl_size;
- UINT32 vendor_dbx_size;
- UINT32 vendor_cert_offset;
-+ UINT32 vendor_esl_offset;
- UINT32 vendor_dbx_offset;
- } cert_table;
-
- UINT32 vendor_cert_size;
-+UINT32 vendor_esl_size;
- UINT32 vendor_dbx_size;
- UINT8 *vendor_cert;
-+UINT8 *vendor_esl;
- UINT8 *vendor_dbx;
-
- /*
-@@ -1065,6 +1069,25 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
- }
- #endif /* defined(ENABLE_SHIM_CERT) */
-
-+ /*
-+ * Check against a built-in EFI Signature List (ESL)
-+ */
-+ if (vendor_esl_size &&
-+ check_db_cert_in_ram((EFI_SIGNATURE_LIST*)vendor_esl,
-+ vendor_esl_size,
-+ cert,
-+ sha256hash,
-+ L"Shim",
-+ SHIM_LOCK_GUID) == DATA_FOUND) {
-+ update_verification_method(VERIFIED_BY_CERT);
-+ // tpm_measurement is done by check_db_cert_in_ram
-+ efi_status = EFI_SUCCESS;
-+ drain_openssl_errors();
-+ return efi_status;
-+ } else {
-+ LogError(L"check_db_cert_in_ram(vendor_esl) failed\n");
-+ }
-+
- /*
- * And finally, check against shim's built-in key
- */
-@@ -2541,8 +2564,10 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
- verification_method = VERIFIED_BY_NOTHING;
-
- vendor_cert_size = cert_table.vendor_cert_size;
-+ vendor_esl_size = cert_table.vendor_esl_size;
- vendor_dbx_size = cert_table.vendor_dbx_size;
- vendor_cert = (UINT8 *)&cert_table + cert_table.vendor_cert_offset;
-+ vendor_esl = (UINT8 *)&cert_table + cert_table.vendor_esl_offset;
- vendor_dbx = (UINT8 *)&cert_table + cert_table.vendor_dbx_offset;
- CHAR16 *msgs[] = {
- L"import_mok_state() failed\n",
-diff --git a/shim.h b/shim.h
-index 2b359d82..2e411040 100644
---- a/shim.h
-+++ b/shim.h
-@@ -167,8 +167,10 @@ extern EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath);
- extern EFI_STATUS import_mok_state(EFI_HANDLE image_handle);
-
- extern UINT32 vendor_cert_size;
-+extern UINT32 vendor_esl_size;
- extern UINT32 vendor_dbx_size;
- extern UINT8 *vendor_cert;
-+extern UINT8 *vendor_esl;
- extern UINT8 *vendor_dbx;
-
- extern UINT8 user_insecure_mode;
diff --git a/SOURCES/0001-Make-sure-that-MOK-variables-always-get-mirrored.patch b/SOURCES/0001-Make-sure-that-MOK-variables-always-get-mirrored.patch
new file mode 100644
index 0000000..0779498
--- /dev/null
+++ b/SOURCES/0001-Make-sure-that-MOK-variables-always-get-mirrored.patch
@@ -0,0 +1,60 @@
+From 9ab0d796bdc9cefdaa3b0df7434845d26c43d894 Mon Sep 17 00:00:00 2001
+From: Patrick Uiterwijk
+Date: Mon, 5 Nov 2018 14:51:16 +0100
+Subject: [PATCH 1/3] Make sure that MOK variables always get mirrored
+
+Without this, if a Mok variable doesn't exist in Boot Services, it will also
+not be copied to Runtime, even if we have data to be added to it (vendor cert).
+This patch makes sure that if we have extra data to append, we still mirror
+the variable.
+
+Signed-off-by: Patrick Uiterwijk
+---
+ mok.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index 38675211e0e..00dd1ad3034 100644
+--- a/mok.c
++++ b/mok.c
+@@ -223,11 +223,26 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ UINT32 attrs = 0;
+ BOOLEAN delete = FALSE, present, addend;
+
++ addend = (v->addend_source && v->addend_size &&
++ *v->addend_source && *v->addend_size)
++ ? TRUE : FALSE;
++
+ efi_status = get_variable_attr(v->name,
+ &v->data, &v->data_size,
+ *v->guid, &attrs);
+- if (efi_status == EFI_NOT_FOUND)
++ if (efi_status == EFI_NOT_FOUND) {
++ if (v->rtname && addend) {
++ efi_status = mirror_one_mok_variable(v);
++ if (EFI_ERROR(efi_status) &&
++ ret != EFI_SECURITY_VIOLATION)
++ ret = efi_status;
++ }
++ /*
++ * after possibly adding, we can continue, no
++ * further checks to be done.
++ */
+ continue;
++ }
+ if (EFI_ERROR(efi_status)) {
+ perror(L"Could not verify %s: %r\n", v->name,
+ efi_status);
+@@ -272,9 +287,6 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ }
+
+ present = (v->data && v->data_size) ? TRUE : FALSE;
+- addend = (v->addend_source && v->addend_size &&
+- *v->addend_source && *v->addend_size)
+- ? TRUE : FALSE;
+
+ if (v->flags & MOK_VARIABLE_MEASURE && present) {
+ /*
+--
+2.20.1
+
diff --git a/SOURCES/0002-MokListRT-Fatal.patch b/SOURCES/0002-MokListRT-Fatal.patch
deleted file mode 100644
index 6590ae9..0000000
--- a/SOURCES/0002-MokListRT-Fatal.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 9a2dd0a945720634b9f3608c3b3dfb99fafd4465 Mon Sep 17 00:00:00 2001
-From: Patrick Uiterwijk
-Date: Thu, 6 Dec 2018 10:08:45 +0100
-Subject: [PATCH] Make EFI variable copying fatal only on secureboot enabled
- systems
-
-I have come across systems that are unwilling to reserve enough memory for
-a MokListRT big enough for big certificates.
-This seems to be the case with firmware implementations that do not support
-secureboot, which is probably the reason they went with much lower variable
-storage.
-
-This patch set makes sure we can still boot on those systems, by only
-making the copy action fatal if the system has secure boot enabled, or if
-the error was anything other than EFI_INVALID_PARAMETER.
-
-Signed-off-by: Patrick Uiterwijk
----
- shim.c | 14 +++++++++++---
- 1 file changed, 11 insertions(+), 3 deletions(-)
-
-diff --git a/shim.c b/shim.c
-index fcc11eb3..89ef0036 100644
---- a/shim.c
-+++ b/shim.c
-@@ -2632,9 +2632,17 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
- die:
- console_print(L"Something has gone seriously wrong: %s: %r\n",
- msgs[msg], efi_status);
-- msleep(5000000);
-- gRT->ResetSystem(EfiResetShutdown, EFI_SECURITY_VIOLATION,
-- 0, NULL);
-+ /*
-+ * Make copy failures fatal only if secure_mode is enabled, or
-+ * the error was anything else than EFI_INVALID_PARAMETER.
-+ * There are non-secureboot firmware implementations that don't
-+ * reserve enough EFI variable memory to fit the variable.
-+ */
-+ if (secure_mode() || efi_status != EFI_INVALID_PARAMETER) {
-+ msleep(5000000);
-+ gRT->ResetSystem(EfiResetShutdown, EFI_SECURITY_VIOLATION,
-+ 0, NULL);
-+ }
- }
-
- efi_status = shim_init();
diff --git a/SOURCES/0002-mok-fix-the-mirroring-of-RT-variables.patch b/SOURCES/0002-mok-fix-the-mirroring-of-RT-variables.patch
new file mode 100644
index 0000000..fc2adbc
--- /dev/null
+++ b/SOURCES/0002-mok-fix-the-mirroring-of-RT-variables.patch
@@ -0,0 +1,49 @@
+From 4b27ae034ba9885960e72f77b3f687a9b7fea824 Mon Sep 17 00:00:00 2001
+From: Gary Lin
+Date: Wed, 21 Nov 2018 12:47:43 +0800
+Subject: [PATCH 2/3] mok: fix the mirroring of RT variables
+
+When there is no key in MokList, import_mok_state() just skipped MokList
+even though it should always mirror the vendor cert. Besides, the faulty
+check of 'present' and 'addend' invalidates the mirroring of MokListXRT,
+MokSBStateRT, and MokIgnoreDB.
+
+https://github.com/rhboot/shim/issues/154
+
+Signed-off-by: Gary Lin
+---
+ mok.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index 00dd1ad3034..41925abbb49 100644
+--- a/mok.c
++++ b/mok.c
+@@ -231,12 +231,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ &v->data, &v->data_size,
+ *v->guid, &attrs);
+ if (efi_status == EFI_NOT_FOUND) {
+- if (v->rtname && addend) {
+- efi_status = mirror_one_mok_variable(v);
+- if (EFI_ERROR(efi_status) &&
+- ret != EFI_SECURITY_VIOLATION)
+- ret = efi_status;
+- }
++ if (addend)
++ goto mirror_addend;
+ /*
+ * after possibly adding, we can continue, no
+ * further checks to be done.
+@@ -316,7 +312,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ }
+ }
+
+- if (v->rtname && present && addend) {
++mirror_addend:
++ if (v->rtname && (present || addend)) {
+ if (v->flags & MOK_MIRROR_DELETE_FIRST)
+ LibDeleteVariable(v->rtname, v->guid);
+
+--
+2.20.1
+
diff --git a/SOURCES/0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch b/SOURCES/0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch
new file mode 100644
index 0000000..caded4e
--- /dev/null
+++ b/SOURCES/0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch
@@ -0,0 +1,109 @@
+From 29c11483101b460869a5e0dba1f425073862127d Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Thu, 31 Jan 2019 13:45:30 -0500
+Subject: [PATCH 3/3] mok: consolidate mirroring code in a helper instead of
+ using goto
+
+There's no reason to complicate the logic with a goto here, instead just
+pull the logic we're jumping to out to a helper function.
+
+Signed-off-by: Peter Jones
+---
+ mok.c | 41 ++++++++++++++++++++++++++++-------------
+ shim.h | 2 ++
+ 2 files changed, 30 insertions(+), 13 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index 41925abbb49..2f495e6cf25 100644
+--- a/mok.c
++++ b/mok.c
+@@ -130,7 +130,8 @@ struct mok_state_variable mok_state_variables[] = {
+ { NULL, }
+ };
+
+-static EFI_STATUS mirror_one_mok_variable(struct mok_state_variable *v)
++static EFI_STATUS nonnull(1)
++mirror_one_mok_variable(struct mok_state_variable *v)
+ {
+ EFI_STATUS efi_status = EFI_SUCCESS;
+ void *FullData = NULL;
+@@ -196,6 +197,29 @@ static EFI_STATUS mirror_one_mok_variable(struct mok_state_variable *v)
+ return efi_status;
+ }
+
++/*
++ * Mirror a variable if it has an rtname, and preserve any
++ * EFI_SECURITY_VIOLATION status at the same time.
++ */
++static EFI_STATUS nonnull(1)
++maybe_mirror_one_mok_variable(struct mok_state_variable *v, EFI_STATUS ret)
++{
++ EFI_STATUS efi_status;
++ if (v->rtname) {
++ if (v->flags & MOK_MIRROR_DELETE_FIRST)
++ LibDeleteVariable(v->rtname, v->guid);
++
++ efi_status = mirror_one_mok_variable(v);
++ if (EFI_ERROR(efi_status)) {
++ if (ret != EFI_SECURITY_VIOLATION)
++ ret = efi_status;
++ perror(L"Could not create %s: %r\n", v->rtname,
++ efi_status);
++ }
++ }
++ return ret;
++}
++
+ /*
+ * Verify our non-volatile MoK state. This checks the variables above
+ * accessable and have valid attributes. If they don't, it removes
+@@ -232,7 +256,7 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ *v->guid, &attrs);
+ if (efi_status == EFI_NOT_FOUND) {
+ if (addend)
+- goto mirror_addend;
++ ret = maybe_mirror_one_mok_variable(v, ret);
+ /*
+ * after possibly adding, we can continue, no
+ * further checks to be done.
+@@ -312,16 +336,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ }
+ }
+
+-mirror_addend:
+- if (v->rtname && (present || addend)) {
+- if (v->flags & MOK_MIRROR_DELETE_FIRST)
+- LibDeleteVariable(v->rtname, v->guid);
+-
+- efi_status = mirror_one_mok_variable(v);
+- if (EFI_ERROR(efi_status) &&
+- ret != EFI_SECURITY_VIOLATION)
+- ret = efi_status;
+- }
++ if (present)
++ ret = maybe_mirror_one_mok_variable(v, ret);
+ }
+
+ /*
+@@ -340,4 +356,4 @@ mirror_addend:
+ return ret;
+ }
+
+-// vim:fenc=utf-8:tw=75
++// vim:fenc=utf-8:tw=75:noet
+diff --git a/shim.h b/shim.h
+index 2b359d821e3..c26d5f06538 100644
+--- a/shim.h
++++ b/shim.h
+@@ -30,6 +30,8 @@
+
+ #include
+
++#define nonnull(...) __attribute__((__nonnull__(__VA_ARGS__)))
++
+ #define min(a, b) ({(a) < (b) ? (a) : (b);})
+
+ #ifdef __x86_64__
+--
+2.20.1
+
diff --git a/SOURCES/0004-Make-VLogError-behave-as-expected.patch b/SOURCES/0004-Make-VLogError-behave-as-expected.patch
new file mode 100644
index 0000000..2e5ca64
--- /dev/null
+++ b/SOURCES/0004-Make-VLogError-behave-as-expected.patch
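Review bot: In import_mok_state() in mok.c (patch 0003), the end-of-loop call is now guarded by `if (present)` alone, while the block it replaces ran for `v->rtname && (present || addend)`, so this is not a pure refactor. As far as the visible lines show, a variable that is found in Boot Services but ends up with no data (the function declares a `delete` flag whose handling lies outside the hunk) would no longer have the vendor certificate mirrored into its runtime copy. If that narrowing is not intended, keep `if (present || addend)` in front of `ret = maybe_mirror_one_mok_variable(v, ret);`. The helper's comment could also say that `ret` is returned unchanged when `v->rtname` is NULL.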
@@ -0,0 +1,50 @@
+From 0bff94b170116737e6e0838c35c0ac376542a5c0 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Tue, 12 Feb 2019 18:04:49 -0500
+Subject: [PATCH 4/4] Make VLogError() behave as expected.
+
+Signed-off-by: Peter Jones
+---
+ errlog.c | 15 +++------------
+ 1 file changed, 3 insertions(+), 12 deletions(-)
+
+diff --git a/errlog.c b/errlog.c
+index 18be4822d53..eebb266d396 100644
+--- a/errlog.c
++++ b/errlog.c
+@@ -14,29 +14,20 @@ EFI_STATUS
+ VLogError(const char *file, int line, const char *func, CHAR16 *fmt, va_list args)
+ {
+ va_list args2;
+- UINTN size = 0, size2;
+ CHAR16 **newerrs;
+
+- size = SPrint(NULL, 0, L"%a:%d %a() ", file, line, func);
+- va_copy(args2, args);
+- size2 = VSPrint(NULL, 0, fmt, args2);
+- va_end(args2);
+-
+ newerrs = ReallocatePool(errs, (nerrs + 1) * sizeof(*errs),
+ (nerrs + 3) * sizeof(*errs));
+ if (!newerrs)
+ return EFI_OUT_OF_RESOURCES;
+
+- newerrs[nerrs] = AllocatePool(size*2+2);
++ newerrs[nerrs] = PoolPrint(L"%a:%d %a() ", file, line, func);
+ if (!newerrs[nerrs])
+ return EFI_OUT_OF_RESOURCES;
+- newerrs[nerrs+1] = AllocatePool(size2*2+2);
++ va_copy(args2, args);
++ newerrs[nerrs+1] = VPoolPrint(fmt, args2);
+ if (!newerrs[nerrs+1])
+ return EFI_OUT_OF_RESOURCES;
+-
+- SPrint(newerrs[nerrs], size*2+2, L"%a:%d %a() ", file, line, func);
+- va_copy(args2, args);
+- VSPrint(newerrs[nerrs+1], size2*2+2, fmt, args2);
+ va_end(args2);
+
+ nerrs += 2;
+--
+2.20.1
+
diff --git a/SOURCES/0005-Once-again-try-even-harder-to-get-binaries-without-t.patch b/SOURCES/0005-Once-again-try-even-harder-to-get-binaries-without-t.patch
new file mode 100644
index 0000000..8e3c47a
--- /dev/null
+++ b/SOURCES/0005-Once-again-try-even-harder-to-get-binaries-without-t.patch
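Review bot: In VLogError() in errlog.c (patch 0004), the early `return EFI_OUT_OF_RESOURCES;` after `VPoolPrint()` skips `va_end(args2)` and leaks the prefix string already stored in `newerrs[nerrs]`. Calling `va_end(args2);` directly after `newerrs[nerrs+1] = VPoolPrint(fmt, args2);` and adding `FreePool(newerrs[nerrs]);` before that return would close both. Separately, both early returns run after `ReallocatePool(errs, …)` has succeeded; if `errs` is only reassigned further down (outside this hunk) and the old buffer has been released, the global is left pointing at freed memory on these paths, so it is worth confirming whether `errs = newerrs;` should follow the NULL check immediately. The function body continues past the end of the hunk.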
@@ -0,0 +1,97 @@
+From fea3f2ec1936cfb9ed0b3ee62d9d23698097b814 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Fri, 15 Mar 2019 09:52:02 -0400
+Subject: [PATCH] Once again, try even harder to get binaries without
+ timestamps in them.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+$ objdump -x /builddir/build/BUILDROOT/shim-*/usr/share/shim/*/shimx64.efi | grep 'Time/Date'
+Time/Date Thu Jan 1 00:00:08 1970
+$ _
+
+"What is despair? I have known it—hear my song. Despair is when you’re
+debugging a kernel driver and you look at a memory dump and you see that
+a pointer has a value of 7."
+ - http://scholar.harvard.edu/files/mickens/files/thenightwatch.pdf
+
+objcopy only knows about -D for some targets.
+ld only believes in --no-insert-timestamp in some versions.
+dd takes off and nukes the site from orbit.
+
+It's the only way to be sure.
+
+Signed-off-by: Peter Jones
+---
+ Make.defaults | 4 ++++
+ Makefile | 6 ++++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/Make.defaults b/Make.defaults
+index e11ab5a7f2c..4c26c1adf1f 100644
+--- a/Make.defaults
++++ b/Make.defaults
+@@ -72,6 +72,7 @@ ifeq ($(ARCH),x86_64)
+ ARCH_SUFFIX ?= x64
+ ARCH_SUFFIX_UPPER ?= X64
+ ARCH_LDFLAGS ?=
++ TIMESTAMP_LOCATION := 136
+ endif
+ ifeq ($(ARCH),ia32)
+ CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \
+@@ -81,6 +82,7 @@ ifeq ($(ARCH),ia32)
+ ARCH_SUFFIX ?= ia32
+ ARCH_SUFFIX_UPPER ?= IA32
+ ARCH_LDFLAGS ?=
++ TIMESTAMP_LOCATION := 136
+ endif
+ ifeq ($(ARCH),aarch64)
+ CFLAGS += -DMDE_CPU_AARCH64 -DPAGE_SIZE=4096 -mstrict-align
+@@ -90,6 +92,7 @@ ifeq ($(ARCH),aarch64)
+ FORMAT := -O binary
+ SUBSYSTEM := 0xa
+ ARCH_LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
++ TIMESTAMP_LOCATION := 72
+ endif
+ ifeq ($(ARCH),arm)
+ CFLAGS += -DMDE_CPU_ARM -DPAGE_SIZE=4096 -mstrict-align
+@@ -99,6 +102,7 @@ ifeq ($(ARCH),arm)
+ FORMAT := -O binary
+ SUBSYSTEM := 0xa
+ ARCH_LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
++ TIMESTAMP_LOCATION := 72
+ endif
+
+ FORMAT ?= --target efi-app-$(ARCH)
+diff --git a/Makefile b/Makefile
+index 115e7f08c0f..a012c9f0d16 100644
+--- a/Makefile
++++ b/Makefile
+@@ -189,11 +189,13 @@ endif
+ ifneq ($(OBJCOPY_GTE224),1)
+ $(error objcopy >= 2.24 is required)
+ endif
+- $(OBJCOPY) -j .text -j .sdata -j .data -j .data.ident \
++ $(OBJCOPY) -D -j .text -j .sdata -j .data -j .data.ident \
+ -j .dynamic -j .dynsym -j .rel* \
+ -j .rela* -j .reloc -j .eh_frame \
+ -j .vendor_cert \
+ $(FORMAT) $^ $@
++ # I am tired of wasting my time fighting binutils timestamp code.
++ dd conv=notrunc bs=1 count=4 seek=$(TIMESTAMP_LOCATION) if=/dev/zero of=$@
+
+ ifneq ($(origin ENABLE_SHIM_HASH),undefined)
+ %.hash : %.efi
+@@ -204,7 +206,7 @@ endif
+ ifneq ($(OBJCOPY_GTE224),1)
+ $(error objcopy >= 2.24 is required)
+ endif
+- $(OBJCOPY) -j .text -j .sdata -j .data \
++ $(OBJCOPY) -D -j .text -j .sdata -j .data \
+ -j .dynamic -j .dynsym -j .rel* \
+ -j .rela* -j .reloc -j .eh_frame \
+ -j .debug_info -j .debug_abbrev -j .debug_aranges \
+--
+2.20.1
+
diff --git a/SOURCES/centos.esl b/SOURCES/centos.esl
deleted file mode 100644
index c0815a7..0000000
Binary files a/SOURCES/centos.esl and /dev/null differ
diff --git a/SPECS/shim.spec b/SPECS/shim.spec
index d43865d..c42bf48 100644
--- a/SPECS/shim.spec
+++ b/SPECS/shim.spec
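Review bot: The `dd conv=notrunc bs=1 count=4 seek=$(TIMESTAMP_LOCATION)` step added to the Makefile rule in patch 0005 overwrites four bytes of the finished .efi image at a hard-coded offset (136 or 72, set per ARCH in Make.defaults), and nothing checks that the PE/COFF timestamp field is actually there. If a toolchain or linker-script change moves the PE header, the build would silently zero unrelated bytes of the bootloader. Consider deriving the offset from the image itself (the PE header offset is stored at 0x3c and the COFF timestamp sits 8 bytes after that header starts), or failing the build when `objdump -x` still reports a non-zero Time/Date afterwards. A comment beside each `TIMESTAMP_LOCATION :=` explaining how the value was obtained would help reviewers, and an ARCH outside the four `ifeq` blocks leaves the variable empty so `seek=` becomes malformed.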
@@ -1,20 +1,22 @@ Name: shim Version: 15 -Release: 2%{?dist} +Release: 5%{?dist} Summary: First-stage UEFI bootloader License: BSD URL: http://www.codon.org.uk/~mjg59/shim/ Source0: https://github.com/mjg59/shim/releases/download/%{version}/shim-%{version}.tar.bz2 -#Source1: centos.crt +Source1: securebootca.cer # currently here's what's in our dbx: # nothing. #Source2: dbx-x64.esl #Source3: dbx-aa64.esl Source4: shim-find-debuginfo.sh -Source5: centos.esl -Patch0: 0001-Add-vendor-esl.patch -Patch1: 0002-MokListRT-Fatal.patch +Patch0001: 0001-Make-sure-that-MOK-variables-always-get-mirrored.patch +Patch0002: 0002-mok-fix-the-mirroring-of-RT-variables.patch +Patch0003: 0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch +Patch0004: 0004-Make-VLogError-behave-as-expected.patch +Patch0005: 0005-Once-again-try-even-harder-to-get-binaries-without-t.patch BuildRequires: git openssl-devel openssl BuildRequires: pesign >= 0.106-1 @@ -122,8 +124,8 @@ git config --unset user.name %endif %build -COMMITID=$(cat %{name}-%{version}-%{efiarch}/commit) -MAKEFLAGS="RELEASE=%{release} ENABLE_HTTPBOOT=true COMMITID=${COMMITID}" +COMMIT_ID=$(cat %{name}-%{version}-%{efiarch}/commit) +MAKEFLAGS="RELEASE=%{release} ENABLE_HTTPBOOT=true COMMIT_ID=${COMMIT_ID}" %ifarch aarch64 if [ -f "%{SOURCE1}" ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" @@ -131,10 +133,6 @@ fi if [ -f "%{SOURCE3}" ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE3}" fi -if [ -f "%{SOURCE5}" ]; then - MAKEFLAGS="$MAKEFLAGS VENDOR_ESL_FILE=%{SOURCE5}" -fi - %else if [ -f "%{SOURCE1}" ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" 
@@ -142,17 +140,13 @@ fi if [ -f "%{SOURCE2}" ]; then MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}" fi -if [ -f "%{SOURCE5}" ]; then - MAKEFLAGS="$MAKEFLAGS VENDOR_ESL_FILE=%{SOURCE5}" -fi - %endif cd %{name}-%{version}-%{efiarch} make 'DEFAULT_LOADER=\\\\grub%{efiarch}.efi' ${MAKEFLAGS} shim%{efiarch}.efi mm%{efiarch}.efi fb%{efiarch}.efi %ifarch x86_64 cd ../%{name}-%{version}-ia32 -setarch linux32 -B make 'DEFAULT_LOADER=\\\\grubia32.efi' ARCH=ia32 ${MAKEFLAGS} shimia32.efi mmia32.efi fbia32.efi +setarch linux32 make 'DEFAULT_LOADER=\\\\grubia32.efi' ARCH=ia32 ${MAKEFLAGS} shimia32.efi mmia32.efi fbia32.efi cd ../%{name}-%{version}-%{efiarch} %endif @@ -229,12 +223,23 @@ cd ../%{name}-%{version}-%{efiarch} %endif %changelog -* Thu Dec 06 2018 Fabian Arrotin - 15-2.el7.centos -- 0002-MokListRT-Fatal.patch (https://github.com/rhboot/shim/pull/157) (#15522) - -* Tue Oct 30 2018 Fabian Arrotin - 15-1.el7.centos -- Added 0001-Add-vendor-esl.patch (Patrick Uiterwijk) -- Rebuilt with combined centos.esl (so new and previous crt) +* Mon Mar 18 2019 Peter Jones - 15-5 +- Fix a couple more things that are breaking reproducability, and thus + breaking external review. + Related: rhbz#1649270 + +* Fri Mar 15 2019 Peter Jones - 15-4 +- Fight with binutils to try to get a binary without timestamps in it. + Again, but without breaking aarch64 this time. + Related: rhbz#1649270 + +* Fri Mar 15 2019 Peter Jones - 15-3 +- Fight with binutils to try to get a binary without timestamps in it. Again. + Related: rhbz#1649270 + +* Tue Feb 12 2019 Peter Jones - 15-2 +- Fix MoK mirroring issue which breaks kdump without intervention + Related: rhbz#1649270 * Mon Jun 18 2018 Peter Jones - 15-1 - Update to shim 15