diff --git a/SOURCES/0005-MokListRT-Fatal.patch b/SOURCES/0005-MokListRT-Fatal.patch
new file mode 100644
index 0000000..a8daf99
--- /dev/null
+++ b/SOURCES/0005-MokListRT-Fatal.patch
@@ -0,0 +1,47 @@
+From 9a2dd0a945720634b9f3608c3b3dfb99fafd4465 Mon Sep 17 00:00:00 2001
+From: Patrick Uiterwijk
+Date: Thu, 6 Dec 2018 10:08:45 +0100
+Subject: [PATCH] Make EFI variable copying fatal only on secureboot enabled
+ systems
+
+I have come across systems that are unwilling to reserve enough memory for
+a MokListRT big enough for big certificates.
+This seems to be the case with firmware implementations that do not support
+secureboot, which is probably the reason they went with much lower variable
+storage.
+
+This patch set makes sure we can still boot on those systems, by only
+making the copy action fatal if the system has secure boot enabled, or if
+the error was anything other than EFI_INVALID_PARAMETER.
+
+Signed-off-by: Patrick Uiterwijk
+---
+ shim.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/shim.c b/shim.c
+index fcc11eb3..89ef0036 100644
+--- a/shim.c
++++ b/shim.c
+@@ -2632,9 +2632,17 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
+ die:
+ console_print(L"Something has gone seriously wrong: %s: %r\n",
+ msgs[msg], efi_status);
+- msleep(5000000);
+- gRT->ResetSystem(EfiResetShutdown, EFI_SECURITY_VIOLATION,
+- 0, NULL);
++ /*
++ * Make copy failures fatal only if secure_mode is enabled, or
++ * the error was anything else than EFI_INVALID_PARAMETER.
++ * There are non-secureboot firmware implementations that don't
++ * reserve enough EFI variable memory to fit the variable.
++ */
++ if (secure_mode() || efi_status != EFI_INVALID_PARAMETER) {
++ msleep(5000000);
++ gRT->ResetSystem(EfiResetShutdown, EFI_SECURITY_VIOLATION,
++ 0, NULL);
++ }
+ }
+
+ efi_status = shim_init();
+
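Review bot: The new guard in the `die:` block tests only `efi_status`, not which step failed, so every path that reaches `die` with EFI_INVALID_PARAMETER while `secure_mode()` is false now falls through to `efi_status = shim_init();` instead of halting. The indexed `msgs[msg]` suggests more than one call site jumps to this label; if a failure of `shim_init()` itself is one of them (not visible in this hunk), control would re-enter `shim_init()` and could loop. Tie the relaxation to the MokListRT copy failure by also checking `msg`, e.g. `if (secure_mode() || msg != <COPY_STEP_INDEX> || efi_status != EFI_INVALID_PARAMETER) {`, where the placeholder stands for whichever index denotes the copy step. A console line on the non-fatal path saying that boot continues without the mirrored variable would keep the degraded state visible. The body of efi_main starts and ends outside the hunk.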
diff --git a/SOURCES/centossecureboot001.der b/SOURCES/centossecureboot001.der new file mode 100644 index 0000000..e8216b1 Binary files /dev/null and b/SOURCES/centossecureboot001.der differ diff --git a/SPECS/shim-unsigned-x64.spec b/SPECS/shim-unsigned-x64.spec index a5e0483..0261a47 100644 --- a/SPECS/shim-unsigned-x64.spec +++ b/SPECS/shim-unsigned-x64.spec @@ -24,7 +24,7 @@ ExclusiveArch: x86_64 License: BSD URL: https://github.com/rhboot/shim Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2 -Source1: securebootca.cer +Source1: centossecureboot001.der # currently here's what's in our dbx: # nothing. Source2: dbx.esl @@ -35,6 +35,7 @@ Patch0001: 0001-Make-sure-that-MOK-variables-always-get-mirrored.patch Patch0002: 0002-mok-fix-the-mirroring-of-RT-variables.patch Patch0003: 0003-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch Patch0004: 0004-Make-VLogError-behave-as-expected.patch +Patch0005: 0005-MokListRT-Fatal.patch BuildRequires: elfutils-libelf-devel BuildRequires: git openssl-devel openssl @@ -120,7 +121,7 @@ make ${MAKEFLAGS} DEFAULT_LOADER='\\\\grub%{efiarch}.efi' all cd .. cd build-%{efialtarch} -setarch linux32 -B make ${MAKEFLAGS} ARCH=%{efialtarch} DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' all +setarch linux32 make ${MAKEFLAGS} ARCH=%{efialtarch} DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' all cd .. %install @@ -172,6 +173,10 @@ cd .. %files debugsource -f build-%{efiarch}/debugsource.list %changelog +* Tue May 7 2019 Fabian Arrotin - 15-2.centos +- Rolled in CentOS CA for secureboot +- Added 0005-MokListRT-Fatal.patch to avoid crashing legacy uefi/non SB machines + * Tue Feb 12 2019 Peter Jones - 15-2 - Fix MoK mirroring issue which breaks kdump without intervention Related: rhbz#1668966
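Review bot: `Source1` now points at `centossecureboot001.der`, which this commit adds as an opaque binary, so the certificate cannot be identified from the diff. Going by the changelog entry, it is presumably the CA that gets built into shim as a trust anchor. Record its identity beside the tag, e.g. `# Source1: SHA-256 fingerprint <FINGERPRINT_PLACEHOLDER>, subject <SUBJECT_PLACEHOLDER>`, so that a later replacement of the file shows up as a reviewable text change. The build would ideally verify that fingerprint before the certificate is embedded.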
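Review bot: Dropping `-B` from the `setarch linux32` line of the %{efialtarch} build is not covered by the new changelog entry, which lists only the CA and the added patch. `-B` limits the address space to 32 bits, so removing it changes the conditions under which the alternate-arch binary is built. Add a changelog line or a comment above the command, e.g. `# setarch -B dropped: <REASON_PLACEHOLDER>`, so the build change is traceable.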