diff --git a/SOURCES/0001-Make-sure-that-MOK-variables-always-get-mirrored.patch b/SOURCES/0001-Make-sure-that-MOK-variables-always-get-mirrored.patch
new file mode 100644
index 0000000..0779498
--- /dev/null
+++ b/SOURCES/0001-Make-sure-that-MOK-variables-always-get-mirrored.patch
@@ -0,0 +1,60 @@
+From 9ab0d796bdc9cefdaa3b0df7434845d26c43d894 Mon Sep 17 00:00:00 2001
+From: Patrick Uiterwijk
+Date: Mon, 5 Nov 2018 14:51:16 +0100
+Subject: [PATCH 1/3] Make sure that MOK variables always get mirrored
+
+Without this, if a Mok variable doesn't exist in Boot Services, it will also
+not be copied to Runtime, even if we have data to be added to it (vendor cert).
+This patch makes sure that if we have extra data to append, we still mirror
+the variable.
+
+Signed-off-by: Patrick Uiterwijk
+---
+ mok.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index 38675211e0e..00dd1ad3034 100644
+--- a/mok.c
++++ b/mok.c
+@@ -223,11 +223,26 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ UINT32 attrs = 0;
+ BOOLEAN delete = FALSE, present, addend;
+
++ addend = (v->addend_source && v->addend_size &&
++ *v->addend_source && *v->addend_size)
++ ? TRUE : FALSE;
++
+ efi_status = get_variable_attr(v->name,
+ &v->data, &v->data_size,
+ *v->guid, &attrs);
+- if (efi_status == EFI_NOT_FOUND)
++ if (efi_status == EFI_NOT_FOUND) {
++ if (v->rtname && addend) {
++ efi_status = mirror_one_mok_variable(v);
++ if (EFI_ERROR(efi_status) &&
++ ret != EFI_SECURITY_VIOLATION)
++ ret = efi_status;
++ }
++ /*
++ * after possibly adding, we can continue, no
++ * further checks to be done.
++ */
+ continue;
++ }
+ if (EFI_ERROR(efi_status)) {
+ perror(L"Could not verify %s: %r\n", v->name,
+ efi_status);
+@@ -272,9 +287,6 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ }
+
+ present = (v->data && v->data_size) ? TRUE : FALSE;
+- addend = (v->addend_source && v->addend_size &&
+- *v->addend_source && *v->addend_size)
+- ? TRUE : FALSE;
+
+ if (v->flags & MOK_VARIABLE_MEASURE && present) {
+ /*
+--
+2.20.1
+
diff --git a/SOURCES/0002-mok-fix-the-mirroring-of-RT-variables.patch b/SOURCES/0002-mok-fix-the-mirroring-of-RT-variables.patch
new file mode 100644
index 0000000..fc2adbc
--- /dev/null
+++ b/SOURCES/0002-mok-fix-the-mirroring-of-RT-variables.patch
@@ -0,0 +1,49 @@
+From 4b27ae034ba9885960e72f77b3f687a9b7fea824 Mon Sep 17 00:00:00 2001
+From: Gary Lin
+Date: Wed, 21 Nov 2018 12:47:43 +0800
+Subject: [PATCH 2/3] mok: fix the mirroring of RT variables
+
+When there is no key in MokList, import_mok_state() just skipped MokList
+even though it should always mirror the vendor cert. Besides, the faulty
+check of 'present' and 'addend' invalidates the mirroring of MokListXRT,
+MokSBStateRT, and MokIgnoreDB.
+
+https://github.com/rhboot/shim/issues/154
+
+Signed-off-by: Gary Lin
+---
+ mok.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index 00dd1ad3034..41925abbb49 100644
+--- a/mok.c
++++ b/mok.c
+@@ -231,12 +231,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ &v->data, &v->data_size,
+ *v->guid, &attrs);
+ if (efi_status == EFI_NOT_FOUND) {
+- if (v->rtname && addend) {
+- efi_status = mirror_one_mok_variable(v);
+- if (EFI_ERROR(efi_status) &&
+- ret != EFI_SECURITY_VIOLATION)
+- ret = efi_status;
+- }
++ if (addend)
++ goto mirror_addend;
+ /*
+ * after possibly adding, we can continue, no
+ * further checks to be done.
+@@ -316,7 +312,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ }
+ }
+
+- if (v->rtname && present && addend) {
++mirror_addend:
++ if (v->rtname && (present || addend)) {
+ if (v->flags & MOK_MIRROR_DELETE_FIRST)
+ LibDeleteVariable(v->rtname, v->guid);
+
+--
+2.20.1
+
diff --git a/SOURCES/0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch b/SOURCES/0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch
new file mode 100644
index 0000000..caded4e
--- /dev/null
+++ b/SOURCES/0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch
@@ -0,0 +1,109 @@
+From 29c11483101b460869a5e0dba1f425073862127d Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Thu, 31 Jan 2019 13:45:30 -0500
+Subject: [PATCH 3/3] mok: consolidate mirroring code in a helper instead of
+ using goto
+
+There's no reason to complicate the logic with a goto here, instead just
+pull the logic we're jumping to out to a helper function.
+
+Signed-off-by: Peter Jones
+---
+ mok.c | 41 ++++++++++++++++++++++++++++-------------
+ shim.h | 2 ++
+ 2 files changed, 30 insertions(+), 13 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index 41925abbb49..2f495e6cf25 100644
+--- a/mok.c
++++ b/mok.c
+@@ -130,7 +130,8 @@ struct mok_state_variable mok_state_variables[] = {
+ { NULL, }
+ };
+
+-static EFI_STATUS mirror_one_mok_variable(struct mok_state_variable *v)
++static EFI_STATUS nonnull(1)
++mirror_one_mok_variable(struct mok_state_variable *v)
+ {
+ EFI_STATUS efi_status = EFI_SUCCESS;
+ void *FullData = NULL;
+@@ -196,6 +197,29 @@ static EFI_STATUS mirror_one_mok_variable(struct mok_state_variable *v)
+ return efi_status;
+ }
+
++/*
++ * Mirror a variable if it has an rtname, and preserve any
++ * EFI_SECURITY_VIOLATION status at the same time.
++ */
++static EFI_STATUS nonnull(1)
++maybe_mirror_one_mok_variable(struct mok_state_variable *v, EFI_STATUS ret)
++{
++ EFI_STATUS efi_status;
++ if (v->rtname) {
++ if (v->flags & MOK_MIRROR_DELETE_FIRST)
++ LibDeleteVariable(v->rtname, v->guid);
++
++ efi_status = mirror_one_mok_variable(v);
++ if (EFI_ERROR(efi_status)) {
++ if (ret != EFI_SECURITY_VIOLATION)
++ ret = efi_status;
++ perror(L"Could not create %s: %r\n", v->rtname,
++ efi_status);
++ }
++ }
++ return ret;
++}
++
+ /*
+ * Verify our non-volatile MoK state. This checks the variables above
+ * accessable and have valid attributes.
If they don't, it removes
+@@ -232,7 +256,7 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ *v->guid, &attrs);
+ if (efi_status == EFI_NOT_FOUND) {
+ if (addend)
+- goto mirror_addend;
++ ret = maybe_mirror_one_mok_variable(v, ret);
+ /*
+ * after possibly adding, we can continue, no
+ * further checks to be done.
+@@ -312,16 +336,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
+ }
+ }
+
+-mirror_addend:
+- if (v->rtname && (present || addend)) {
+- if (v->flags & MOK_MIRROR_DELETE_FIRST)
+- LibDeleteVariable(v->rtname, v->guid);
+-
+- efi_status = mirror_one_mok_variable(v);
+- if (EFI_ERROR(efi_status) &&
+- ret != EFI_SECURITY_VIOLATION)
+- ret = efi_status;
+- }
++ if (present)
++ ret = maybe_mirror_one_mok_variable(v, ret);
+ }
+
+ /*
+@@ -340,4 +356,4 @@ mirror_addend:
+ return ret;
+ }
+
+-// vim:fenc=utf-8:tw=75
++// vim:fenc=utf-8:tw=75:noet
+diff --git a/shim.h b/shim.h
+index 2b359d821e3..c26d5f06538 100644
+--- a/shim.h
++++ b/shim.h
+@@ -30,6 +30,8 @@
+
+ #include
+
++#define nonnull(...) __attribute__((__nonnull__(__VA_ARGS__)))
++
+ #define min(a, b) ({(a) < (b) ? (a) : (b);})
+
+ #ifdef __x86_64__
+--
+2.20.1
+
diff --git a/SOURCES/0004-Make-VLogError-behave-as-expected.patch b/SOURCES/0004-Make-VLogError-behave-as-expected.patch
new file mode 100644
index 0000000..2e5ca64
--- /dev/null
+++ b/SOURCES/0004-Make-VLogError-behave-as-expected.patch
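Review bot: The call site at the end of the import_mok_state() loop in patch 3/3 narrows the mirroring condition from `v->rtname && (present || addend)` to `if (present)`, which the commit message, describing a plain goto-to-helper refactor, does not mention. The EFI_NOT_FOUND branch still mirrors the addend-only case, but a variable that get_variable_attr() finds and that ends up with no data would no longer have its addend (the vendor cert, per patch 1/3) copied to the runtime variable. Whether that state is reachable depends on the attribute checks between the two inner hunks, which are not shown. If the 2/3 behaviour is intended, the line should read `if (present || addend)`; otherwise a comment such as `/* addend-only variables are handled in the EFI_NOT_FOUND branch above */` would record that the narrowing is deliberate.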
@@ -0,0 +1,50 @@ +From 0bff94b170116737e6e0838c35c0ac376542a5c0 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 12 Feb 2019 18:04:49 -0500 +Subject: [PATCH 4/4] Make VLogError() behave as expected. + +Signed-off-by: Peter Jones +--- + errlog.c | 15 +++------------ + 1 file changed, 3 insertions(+), 12 deletions(-) + +diff --git a/errlog.c b/errlog.c +index 18be4822d53..eebb266d396 100644 +--- a/errlog.c ++++ b/errlog.c +@@ -14,29 +14,20 @@ EFI_STATUS + VLogError(const char *file, int line, const char *func, CHAR16 *fmt, va_list args) + { + va_list args2; +- UINTN size = 0, size2; + CHAR16 **newerrs; + +- size = SPrint(NULL, 0, L"%a:%d %a() ", file, line, func); +- va_copy(args2, args); +- size2 = VSPrint(NULL, 0, fmt, args2); +- va_end(args2); +- + newerrs = ReallocatePool(errs, (nerrs + 1) * sizeof(*errs), + (nerrs + 3) * sizeof(*errs)); + if (!newerrs) + return EFI_OUT_OF_RESOURCES; + +- newerrs[nerrs] = AllocatePool(size*2+2); ++ newerrs[nerrs] = PoolPrint(L"%a:%d %a() ", file, line, func); + if (!newerrs[nerrs]) + return EFI_OUT_OF_RESOURCES; +- newerrs[nerrs+1] = AllocatePool(size2*2+2); ++ va_copy(args2, args); ++ newerrs[nerrs+1] = VPoolPrint(fmt, args2); + if (!newerrs[nerrs+1]) + return EFI_OUT_OF_RESOURCES; +- +- SPrint(newerrs[nerrs], size*2+2, L"%a:%d %a() ", file, line, func); +- va_copy(args2, args); +- VSPrint(newerrs[nerrs+1], size2*2+2, fmt, args2); + va_end(args2); + + nerrs += 2; +-- +2.20.1 + diff --git a/SPECS/shim-unsigned-x64.spec b/SPECS/shim-unsigned-x64.spec index d7da0bb..a5e0483 100644 --- a/SPECS/shim-unsigned-x64.spec +++ b/SPECS/shim-unsigned-x64.spec @@ -18,7 +18,7 @@ Name: shim-unsigned-%{efiarch} Version: 15 -Release: 1%{?dist} +Release: 2%{?dist} Summary: First-stage UEFI bootloader ExclusiveArch: x86_64 License: BSD 
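Review bot: `args2` never reaches `va_end()` when `VPoolPrint()` returns NULL in the errlog.c patch, because the early `return EFI_OUT_OF_RESOURCES` now sits between `va_copy(args2, args)` and `va_end(args2)`; in the old code both returns came before the copy. Move `va_end(args2);` to directly after `newerrs[nerrs+1] = VPoolPrint(fmt, args2);`, ahead of the NULL check. The same path also leaves the prefix string stored in `newerrs[nerrs]` allocated, so a `FreePool(newerrs[nerrs]);` before that return would avoid the leak. Both early returns happen after `ReallocatePool()` has succeeded, and the rest of VLogError() lies outside the hunk, so it is worth confirming that `errs` is not left pointing at the old pool on those paths.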
@@ -31,6 +31,11 @@ Source2: dbx.esl Source100: shim-find-debuginfo.sh +Patch0001: 0001-Make-sure-that-MOK-variables-always-get-mirrored.patch +Patch0002: 0002-mok-fix-the-mirroring-of-RT-variables.patch +Patch0003: 0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch +Patch0004: 0004-Make-VLogError-behave-as-expected.patch + BuildRequires: elfutils-libelf-devel BuildRequires: git openssl-devel openssl BuildRequires: pesign >= %{pesign_vre} @@ -167,6 +172,10 @@ cd .. %files debugsource -f build-%{efiarch}/debugsource.list %changelog +* Tue Feb 12 2019 Peter Jones - 15-2 +- Fix MoK mirroring issue which breaks kdump without intervention + Related: rhbz#1668966 + * Fri Jul 20 2018 Peter Jones - 15-1 - Update to shim 15