From 112f409e327c0a441d58ae0544e7637157be7a6c Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 02 2019 17:17:01 +0000 Subject: import shim-signed-15-2.el7 --- diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..1d56686 --- /dev/null +++ b/.gitignore @@ -0,0 +1,4 @@ +SOURCES/mokutil-0.3.0.tar.gz +SOURCES/shimaa64.efi +SOURCES/shimia32.efi +SOURCES/shimx64.efi diff --git a/.shim-signed.metadata b/.shim-signed.metadata new file mode 100644 index 0000000..7300029 --- /dev/null +++ b/.shim-signed.metadata @@ -0,0 +1,4 @@ +8686e2ab33689a7f71268db3c8dc0a51ba291d93 SOURCES/mokutil-0.3.0.tar.gz +5d388f1f7cbb6c00fc5029f3e9ecef931953c6af SOURCES/shimaa64.efi +ef1dd5153ae097116a870b6b3571aa1f2f99bfe7 SOURCES/shimia32.efi +23b7889abdb236c8cd871733ba2ea7f91d543b99 SOURCES/shimx64.efi diff --git a/SOURCES/0001-Fix-the-potential-buffer-overflow.patch b/SOURCES/0001-Fix-the-potential-buffer-overflow.patch new file mode 100644 index 0000000..f752a3f --- /dev/null +++ b/SOURCES/0001-Fix-the-potential-buffer-overflow.patch @@ -0,0 +1,36 @@ +From 1313fa02a5b2bfe61ee6702696600fc148ec2d6e Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Tue, 4 Nov 2014 15:50:03 +0800 +Subject: [PATCH 01/10] Fix the potential buffer overflow + +Signed-off-by: Gary Ching-Pang Lin +--- + src/mokutil.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index 5b34f22fd98..93fb6fabcab 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -1743,7 +1743,7 @@ set_toggle (const char * VarName, uint32_t state) + MokToggleVar tvar; + char *password = NULL; + unsigned int pw_len; +- efi_char16_t efichar_pass[SB_PASSWORD_MAX]; ++ efi_char16_t efichar_pass[SB_PASSWORD_MAX+1]; + int ret = -1; + + printf ("password length: %d~%d\n", SB_PASSWORD_MIN, SB_PASSWORD_MAX); +@@ -1757,8 +1757,7 @@ set_toggle (const char * VarName, uint32_t state) + efichar_from_char (efichar_pass, password, + SB_PASSWORD_MAX * sizeof(efi_char16_t)); + +- memcpy(tvar.password, efichar_pass, +- SB_PASSWORD_MAX * sizeof(efi_char16_t)); ++ memcpy(tvar.password, efichar_pass, sizeof(tvar.password)); + + tvar.mok_toggle_state = state; + +-- +2.17.1 + diff --git a/SOURCES/0002-Fix-the-32bit-signedness-comparison.patch b/SOURCES/0002-Fix-the-32bit-signedness-comparison.patch new file mode 100644 index 0000000..33ca700 --- /dev/null +++ b/SOURCES/0002-Fix-the-32bit-signedness-comparison.patch @@ -0,0 +1,34 @@ +From cdb4b6f3bfd6ada6558ddfb889e27150f0841b28 Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Mon, 24 Nov 2014 11:38:54 +0800 +Subject: [PATCH 02/10] Fix the 32bit signedness comparison + +--- + src/mokutil.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index 93fb6fabcab..a7e83f71f0b 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -1284,7 +1284,7 @@ issue_mok_request (char **files, uint32_t total, MokRequest req, + + /* Mok */ + read_size = read (fd, ptr, sizes[i]); +- if (read_size < 0 || read_size != sizes[i]) { ++ if (read_size < 0 || read_size != (int64_t)sizes[i]) { + fprintf (stderr, "Failed to read %s\n", files[i]); + goto error; + } +@@ -1645,7 +1645,7 @@ export_moks () + goto error; + } + +- while (offset < list[i].mok_size) { ++ while (offset < (int64_t)list[i].mok_size) { + write_size = write (fd, list[i].mok + offset, + list[i].mok_size - offset); + if (write_size < 0) { +-- +2.17.1 + diff --git a/SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch b/SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch new file mode 100644 index 0000000..a9fe4e9 --- /dev/null +++ b/SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch @@ -0,0 +1,43 @@ +From 9eb111a7f7b897ba4ae19a68708e010a5c384260 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Fri, 19 Jun 2015 16:53:36 -0400 +Subject: [PATCH 03/10] Build with -fshort-wchar so toggle passwords work + right. + +This source tree uses: + +typedef wchar_t efi_char16_t; + +to define UEFI's UCS-2 character type. On many platforms, wchar_t is +32-bits by default. As a result, efichar_from_char winds up writing +4-byte characters instead of 2-byte characters. In the case where we +hash the password in mokutil, this works fine, because the same datatype +is used, and the values are the same. But for our feature toggles, +where we store the raw data and shim is interpretting the character +array, every other character winds up being L'\0', and verification +fails. + +So always build with -fshort-wchar to ensure we get 2-byte character +storage. + +Signed-off-by: Peter Jones +--- + configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index fe28fb92241..69d412ac633 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -37,7 +37,7 @@ else + default_strict=no + fi + +-WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11" ++WARNINGFLAGS_C="$WARNINGFLAGS_C -std=gnu11 -fshort-wchar" + + AC_ARG_ENABLE(strict, AS_HELP_STRING([--enable-strict],[Enable strict compilation options]), enable_strict=$enableval, + enable_strict=$default_strict) +-- +2.17.1 + diff --git a/SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch b/SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch new file mode 100644 index 0000000..f45fd42 --- /dev/null +++ b/SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch @@ -0,0 +1,32 @@ +From ecc8fb0d92f0f453414a98172df22e23fb5893f5 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 16 Jun 2015 17:06:30 -0400 +Subject: [PATCH 04/10] Don't allow sha1 on the mokutil command line. + +Related: rhbz#1115843 + +Signed-off-by: Peter Jones +--- + src/mokutil.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/mokutil.c b/src/mokutil.c +index a7e83f71f0b..1fb34f9d3aa 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -1351,10 +1351,12 @@ identify_hash_type (const char *hash_str, efi_guid_t *type) + } + + switch (len) { ++#if 0 + case SHA_DIGEST_LENGTH*2: + *type = efi_guid_sha1; + hash_size = SHA_DIGEST_LENGTH; + break; ++#endif + case SHA224_DIGEST_LENGTH*2: + *type = efi_guid_sha224; + hash_size = SHA224_DIGEST_LENGTH; +-- +2.17.1 + diff --git a/SOURCES/0005-Make-all-efi_guid_t-const.patch b/SOURCES/0005-Make-all-efi_guid_t-const.patch new file mode 100644 index 0000000..b041fc4 --- /dev/null +++ b/SOURCES/0005-Make-all-efi_guid_t-const.patch @@ -0,0 +1,87 @@ +From eba569a8e6c33f07042758cbfa1706d7339464e1 Mon Sep 17 00:00:00 2001 +From: Gary Lin +Date: Wed, 13 Jan 2016 16:05:21 +0800 +Subject: [PATCH 05/10] Make all efi_guid_t const + +All UEFI GUIDs defined in efivar are const. Declare all of them const +to make gcc happy. + +Signed-off-by: Gary Lin +--- + src/mokutil.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index 1fb34f9d3aa..d2c52b4caaf 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -200,7 +200,7 @@ efichar_from_char (efi_char16_t *dest, const char *src, size_t dest_len) + } + + static uint32_t +-efi_hash_size (efi_guid_t *hash_type) ++efi_hash_size (const efi_guid_t *hash_type) + { + if (efi_guid_cmp (hash_type, &efi_guid_sha1) == 0) { + return SHA_DIGEST_LENGTH; +@@ -218,7 +218,7 @@ efi_hash_size (efi_guid_t *hash_type) + } + + static uint32_t +-signature_size (efi_guid_t *hash_type) ++signature_size (const efi_guid_t *hash_type) + { + uint32_t hash_size; + +@@ -439,7 +439,7 @@ list_keys (uint8_t *data, size_t data_size) + + /* match the hash in the hash array and return the index if matched */ + static int +-match_hash_array (efi_guid_t *hash_type, const void *hash, ++match_hash_array (const efi_guid_t *hash_type, const void *hash, + const void *hash_array, const uint32_t array_size) + { + uint32_t hash_size, hash_count; +@@ -469,8 +469,8 @@ match_hash_array (efi_guid_t *hash_type, const void *hash, + } + + static int +-delete_data_from_list (efi_guid_t *var_guid, const char *var_name, +- efi_guid_t *type, void *data, uint32_t data_size) ++delete_data_from_list (const efi_guid_t *var_guid, const char *var_name, ++ const efi_guid_t *type, void *data, uint32_t data_size) + { + uint8_t *var_data = NULL; + size_t var_data_size = 0; +@@ -1006,8 +1006,8 @@ is_valid_cert (void *cert, uint32_t cert_size) + } + + static int +-is_duplicate (efi_guid_t *type, const void *data, const uint32_t data_size, +- efi_guid_t *vendor, const char *db_name) ++is_duplicate (const efi_guid_t *type, const void *data, const uint32_t data_size, ++ const efi_guid_t *vendor, const char *db_name) + { + uint8_t *var_data; + size_t var_data_size; +@@ -1059,7 +1059,7 @@ done: + } + + static int +-is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size, ++is_valid_request (const efi_guid_t *type, void *mok, uint32_t mok_size, + MokRequest req) + { + switch (req) { +@@ -1096,7 +1096,7 @@ is_valid_request (efi_guid_t *type, void *mok, uint32_t mok_size, + } + + static int +-in_pending_request (efi_guid_t *type, void *data, uint32_t data_size, ++in_pending_request (const efi_guid_t *type, void *data, uint32_t data_size, + MokRequest req) + { + uint8_t *authvar_data; +-- +2.17.1 + diff --git a/SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch b/SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch new file mode 100644 index 0000000..af8b621 --- /dev/null +++ b/SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch @@ -0,0 +1,37 @@ +From 951daed3f98e9a3de2bc36cd82525cdbf7595e3e Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 14 Jun 2016 10:19:43 -0400 +Subject: [PATCH 06/10] mokutil: be explicit about file modes in all cases. + +Signed-off-by: Peter Jones +--- + src/mokutil.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index d2c52b4caaf..d554f6cca21 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -574,7 +574,8 @@ delete_data_from_list (const efi_guid_t *var_guid, const char *var_name, + | EFI_VARIABLE_BOOTSERVICE_ACCESS + | EFI_VARIABLE_RUNTIME_ACCESS; + ret = efi_set_variable (*var_guid, var_name, +- var_data, total, attributes); ++ var_data, total, attributes, ++ S_IRUSR | S_IWUSR); + if (ret < 0) { + fprintf (stderr, "Failed to write variable \"%s\": %m\n", + var_name); +@@ -938,7 +939,8 @@ update_request (void *new_list, int list_len, MokRequest req, + data_size = list_len; + + if (efi_set_variable (efi_guid_shim, req_name, +- data, data_size, attributes) < 0) { ++ data, data_size, attributes, ++ S_IRUSR | S_IWUSR) < 0) { + switch (req) { + case ENROLL_MOK: + fprintf (stderr, "Failed to enroll new keys\n"); +-- +2.17.1 + diff --git a/SOURCES/0007-Add-bash-completion-file.patch b/SOURCES/0007-Add-bash-completion-file.patch new file mode 100644 index 0000000..29720ad --- /dev/null +++ b/SOURCES/0007-Add-bash-completion-file.patch @@ -0,0 +1,98 @@ +From a797a566127f7469d744b2748f98d1fa5ea8d8f9 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 14 Jun 2016 10:20:14 -0400 +Subject: [PATCH 07/10] Add bash completion file. + +Signed-off-by: Peter Jones +--- + configure.ac | 17 +++++++++++++++++ + Makefile.am | 5 +++++ + data/mokutil | 37 +++++++++++++++++++++++++++++++++++++ + 3 files changed, 59 insertions(+) + create mode 100755 data/mokutil + +diff --git a/configure.ac b/configure.ac +index 69d412ac633..7b52a063df0 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -86,6 +86,23 @@ AC_CHECK_FUNCS([memset]) + PKG_CHECK_MODULES(OPENSSL, [openssl >= 0.9.8]) + PKG_CHECK_MODULES(EFIVAR, [efivar >= 0.12]) + ++AC_ARG_WITH([bash-completion-dir], ++ AS_HELP_STRING([--with-bash-completion-dir[=PATH]], ++ [Install the bash auto-completion script in this directory. @<:@default=yes@:>@]), ++ [], ++ [with_bash_completion_dir=yes]) ++ ++if test "x$with_bash_completion_dir" = "xyes"; then ++ PKG_CHECK_MODULES([BASH_COMPLETION], [bash-completion >= 2.0], ++ [BASH_COMPLETION_DIR="`pkg-config --variable=completionsdir bash-completion`"], ++ [BASH_COMPLETION_DIR="$datadir/bash-completion/completions"]) ++else ++ BASH_COMPLETION_DIR="$with_bash_completion_dir" ++fi ++ ++AC_SUBST([BASH_COMPLETION_DIR]) ++AM_CONDITIONAL([ENABLE_BASH_COMPLETION],[test "x$with_bash_completion_dir" != "xno"]) ++ + AC_CONFIG_FILES([Makefile + src/Makefile + man/Makefile]) +diff --git a/Makefile.am b/Makefile.am +index 9f0d4192515..c17cc4a86d8 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -1 +1,6 @@ + SUBDIRS = src man ++ ++if ENABLE_BASH_COMPLETION ++ bashcompletiondir = $(BASH_COMPLETION_DIR) ++ dist_bashcompletion_DATA = data/mokutil ++endif +diff --git a/data/mokutil b/data/mokutil +new file mode 100755 +index 00000000000..800b039e7f4 +--- /dev/null ++++ b/data/mokutil +@@ -0,0 +1,37 @@ ++#!/bin/bash ++ ++_mokutil() ++{ ++ local cur=${COMP_WORDS[COMP_CWORD]} ++ ++ if [[ "$cur" == -* ]]; then ++ #COMPREPLY=( $( compgen -W "--help --list-enrolled --list-new --list-delete --import --delete --revoke-import --revoke-delete --export --password --clear-password --disable-validation --enable-validation --sb-state --test-key --reset --generate-hash --hash-file --root-pw --simple-hash" -- $cur ) ) ++ COMPREPLY=( $( compgen -W '$( _parse_help "$1" --long-help ) -h -l -N -D -i -d -x -p -c -t -f -g -P -s -X' -- "$cur" ) ) ++ [[ $COMPREPLY == *= ]] && compopt -o nospace ++ return 0 ++ fi ++ ++ case "${COMP_WORDS[COMP_CWORD-1]}" in ++ --import|-i|--delete|-d|--test-key|-t|--hash-file|-f) ++ _filedir ++ return 0 ++ ;; ++ --import-hash|--delete-hash) ++ COMPREPLY=( $( compgen -W "" ) ) ++ return 0 ++ ;; ++ --set-verbosity) ++ COMPREPLY=( $( compgen -W "true false") ) ++ return 0 ++ ;; ++ --generate-hash|-g) ++ COMPREPLY=( $( compgen -o nospace -P= -W "") ) ++ return 0 ++ ;; ++ *) ++ return 0 ++ ;; ++ esac ++} ++ ++complete -F _mokutil mokutil +-- +2.17.1 + diff --git a/SOURCES/0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch b/SOURCES/0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch new file mode 100644 index 0000000..5642502 --- /dev/null +++ b/SOURCES/0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch @@ -0,0 +1,27 @@ +From b5f004ddbd8ef1f9f1d664d41d5dcc4272621080 Mon Sep 17 00:00:00 2001 +From: Tyler Hicks +Date: Mon, 20 Jun 2016 11:18:17 -0500 +Subject: [PATCH 08/10] Fix typo in error message when the system lacks Secure + Boot support + +Signed-off-by: Tyler Hicks +--- + src/mokutil.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index d554f6cca21..27f1292f3a9 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -2297,7 +2297,7 @@ main (int argc, char *argv[]) + rc = efi_get_variable (efi_guid_global, "SecureBoot", + &data, &data_size, &attributes); + if (rc < 0) { +- fprintf(stderr, "This system does't support Secure Boot\n"); ++ fprintf(stderr, "This system doesn't support Secure Boot\n"); + ret = -1; + goto out; + } +-- +2.17.1 + diff --git a/SOURCES/0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch b/SOURCES/0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch new file mode 100644 index 0000000..0bed1d9 --- /dev/null +++ b/SOURCES/0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch @@ -0,0 +1,27 @@ +From 2fa167f3905ebee27221fc2b1db4b79e215d8ca0 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 3 Apr 2017 16:33:38 -0400 +Subject: [PATCH 09/10] list_keys_in_var(): check errno correctly, not ret + twice. + +Signed-off-by: Peter Jones +--- + src/mokutil.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index 27f1292f3a9..0be9e8491fd 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -602,7 +602,7 @@ list_keys_in_var (const char *var_name, const efi_guid_t guid) + + ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes); + if (ret < 0) { +- if (ret == ENOENT) { ++ if (errno == ENOENT) { + printf ("%s is empty\n", var_name); + return 0; + } +-- +2.17.1 + diff --git a/SOURCES/0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch b/SOURCES/0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch new file mode 100644 index 0000000..2d57007 --- /dev/null +++ b/SOURCES/0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch @@ -0,0 +1,101 @@ +From 57f7c776dca0322fab107460cac71ac4b6e79b9a Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 15 May 2018 11:20:15 -0400 +Subject: [PATCH 10/10] generate_hash() / generate_pw_hash(): don't use + strlen() for strncpy bounds + +New gcc rightly comlplains when we do the following: + +strncpy (dest, src, strlen(src)); + +For two reasons: +a) it doesn't copy the NUL byte +b) it's otherwise the same thing strcpy() would have done + +This patch replaces that with stpncpy (just because it's slightly easier +to use) and the real bounds for the destination. + +Signed-off-by: Peter Jones +--- + src/mokutil.c | 33 ++++++++++++++++++++++----------- + 1 file changed, 22 insertions(+), 11 deletions(-) + +diff --git a/src/mokutil.c b/src/mokutil.c +index 0be9e8491fd..b5080107600 100644 +--- a/src/mokutil.c ++++ b/src/mokutil.c +@@ -764,9 +764,10 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len) + { + pw_crypt_t new_crypt; + char settings[SETTINGS_LEN]; ++ char *next; + char *crypt_string; + const char *prefix; +- int hash_len, prefix_len; ++ int hash_len, settings_len = sizeof (settings) - 2; + + if (!password || !pw_crypt || password[pw_len] != '\0') + return -1; +@@ -774,15 +775,19 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len) + prefix = get_crypt_prefix (pw_crypt->method); + if (!prefix) + return -1; +- prefix_len = strlen(prefix); + + pw_crypt->salt_size = get_salt_size (pw_crypt->method); + generate_salt ((char *)pw_crypt->salt, pw_crypt->salt_size); + +- strncpy (settings, prefix, prefix_len); +- strncpy (settings + prefix_len, (const char *)pw_crypt->salt, +- pw_crypt->salt_size); +- settings[pw_crypt->salt_size + prefix_len] = '\0'; ++ memset (settings, 0, sizeof (settings)); ++ next = stpncpy (settings, prefix, settings_len); ++ if (pw_crypt->salt_size > settings_len - (next - settings)) { ++ errno = EOVERFLOW; ++ return -1; ++ } ++ next = stpncpy (next, (const char *)pw_crypt->salt, ++ pw_crypt->salt_size); ++ *next = '\0'; + + crypt_string = crypt (password, settings); + if (!crypt_string) +@@ -1929,10 +1934,11 @@ static int + generate_pw_hash (const char *input_pw) + { + char settings[SETTINGS_LEN]; ++ char *next; + char *password = NULL; + char *crypt_string; + const char *prefix; +- int prefix_len; ++ int settings_len = sizeof (settings) - 2; + unsigned int pw_len, salt_size; + + if (input_pw) { +@@ -1958,12 +1964,17 @@ generate_pw_hash (const char *input_pw) + prefix = get_crypt_prefix (DEFAULT_CRYPT_METHOD); + if (!prefix) + return -1; +- prefix_len = strlen(prefix); + +- strncpy (settings, prefix, prefix_len); ++ memset (settings, 0, sizeof (settings)); ++ next = stpncpy (settings, prefix, settings_len); + salt_size = get_salt_size (DEFAULT_CRYPT_METHOD); +- generate_salt ((settings + prefix_len), salt_size); +- settings[DEFAULT_SALT_SIZE + prefix_len] = '\0'; ++ if (salt_size > settings_len - (next - settings)) { ++ errno = EOVERFLOW; ++ return -1; ++ } ++ generate_salt (next, salt_size); ++ next += salt_size; ++ *next = '\0'; + + crypt_string = crypt (password, settings); + free (password); +-- +2.17.1 + diff --git a/SOURCES/BOOTAA64.CSV b/SOURCES/BOOTAA64.CSV new file mode 100644 index 0000000..2dad06e Binary files /dev/null and b/SOURCES/BOOTAA64.CSV differ diff --git a/SOURCES/BOOTIA32.CSV b/SOURCES/BOOTIA32.CSV new file mode 100644 index 0000000..4e658b2 Binary files /dev/null and b/SOURCES/BOOTIA32.CSV differ diff --git a/SOURCES/BOOTX64.CSV b/SOURCES/BOOTX64.CSV new file mode 100644 index 0000000..7692a93 Binary files /dev/null and b/SOURCES/BOOTX64.CSV differ diff --git a/SOURCES/secureboot.cer b/SOURCES/secureboot.cer new file mode 100644 index 0000000..4ff8b79 Binary files /dev/null and b/SOURCES/secureboot.cer differ diff --git a/SOURCES/securebootca.cer b/SOURCES/securebootca.cer new file mode 100644 index 0000000..b235400 Binary files /dev/null and b/SOURCES/securebootca.cer differ diff --git a/SPECS/shim-signed.spec b/SPECS/shim-signed.spec new file mode 100644 index 0000000..91b911e --- /dev/null +++ b/SPECS/shim-signed.spec @@ -0,0 +1,448 @@ +Name: shim-signed +Version: 15 +Release: 2%{?dist}%{?buildid} +Summary: First-stage UEFI bootloader +%define unsigned_release 5%{?dist} + +License: BSD +URL: https://github.com/rhboot/shim/ +# incorporate mokutil for packaging simplicity +%global mokutil_version 0.3.0 +Source0: https://github.com/lcp/mokutil/archive/mokutil-%{mokutil_version}.tar.gz +Source1: secureboot.cer +Source2: securebootca.cer +Source10: shimx64.efi +Source11: shimia32.efi +Source12: shimaa64.efi +Source20: BOOTX64.CSV +Source21: BOOTIA32.CSV +Source22: BOOTAA64.CSV + +Patch0001: 0001-Fix-the-potential-buffer-overflow.patch +Patch0002: 0002-Fix-the-32bit-signedness-comparison.patch +Patch0003: 0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch +Patch0004: 0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch +Patch0005: 0005-Make-all-efi_guid_t-const.patch +Patch0006: 0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch +Patch0007: 0007-Add-bash-completion-file.patch +Patch0008: 0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch +Patch0009: 0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch +Patch0010: 0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch + +%ifarch x86_64 +%global efiarch X64 +%global efiarchlc x64 +%global shimsrc %{SOURCE10} +%global bootsrc %{SOURCE20} + +%global shimsrcia32 %{SOURCE11} +%global bootsrcia32 %{SOURCE21} +%define unsigned_dir_ia32 %{_datadir}/shim/ia32-%{version}-%{unsigned_release}/ +%endif +%ifarch aarch64 +%global efiarch AA64 +%global efiarchlc aa64 +%global shimsrc %{SOURCE12} +%global bootsrc %{SOURCE22} +%endif +%define unsigned_dir %{_datadir}/shim/%{efiarchlc}-%{version}-%{unsigned_release}/ + +BuildRequires: git +BuildRequires: openssl-devel openssl +BuildRequires: pesign >= 0.106-5%{dist} +BuildRequires: efivar-devel +BuildRequires: shim-unsigned-%{efiarchlc} = %{version}-%{unsigned_release} +%ifarch x86_64 +BuildRequires: shim-unsigned-ia32 = %{version}-%{unsigned_release} +%endif + +# for mokutil's configure +BuildRequires: autoconf automake + +# Shim is only required on platforms implementing the UEFI secure boot +# protocol. The only one of those we currently wish to support is 64-bit x86. +# Adding further platforms will require adding appropriate relocation code. +ExclusiveArch: x86_64 aarch64 + +%define debug_package \ +%ifnarch noarch\ +%global __debug_package 1\ +%package -n mokutil-debuginfo\ +Summary: Debug information for package %{name}\ +Group: Development/Debug\ +AutoReqProv: 0\ +%description -n mokutil-debuginfo\ +This package provides debug information for package %{name}.\ +Debug information is useful when developing applications that use this\ +package or when debugging this package.\ +%files -n mokutil-debuginfo -f debugfiles.list\ +%defattr(-,root,root,-)\ +%endif\ +%{nil} + +# Figure out the right file path to use +%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/')) + +%define ca_signed_arches x86_64 +%define rh_signed_arches x86_64 aarch64 + +%description +Initial UEFI bootloader that handles chaining to a trusted full bootloader +under secure boot environments. This package contains the version signed by +the UEFI signing service. + +%package -n shim-%{efiarchlc} +Summary: First-stage UEFI bootloader +Requires: mokutil = %{version}-%{release} +Provides: shim = %{version}-%{release} +Obsoletes: shim <= 12 +# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not +# compatible with SysV (there's no red zone under UEFI) and there isn't a +# POSIX-style C library. +# BuildRequires: OpenSSL +Provides: bundled(openssl) = 0.9.8zb + +%description -n shim-%{efiarchlc} +Initial UEFI bootloader that handles chaining to a trusted full bootloader +under secure boot environments. This package contains the version signed by +the UEFI signing service. + +%ifarch x86_64 +%package -n shim-ia32 +Summary: First-stage UEFI bootloader +Requires: mokutil = %{version}-%{release} +# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not +# compatible with SysV (there's no red zone under UEFI) and there isn't a +# POSIX-style C library. +# BuildRequires: OpenSSL +Provides: bundled(openssl) = 0.9.8zb + +%description -n shim-ia32 +Initial UEFI bootloader that handles chaining to a trusted full bootloader +under secure boot environments. This package contains the version signed by +the UEFI signing service. +%endif + +%package -n mokutil +Summary: Utilities for managing Secure Boot/MoK keys. + +%description -n mokutil +Utilities for managing the "Machine's Own Keys" list. + +%prep +%setup -T -q -a 0 -n shim-signed-%{version} -c +git init +git config user.email "example@example.com" +git config user.name "rpmbuild -bp" +git add . +git commit -a -q -m "%{version} baseline." +cd mokutil-%{mokutil_version} +git am --ignore-whitespace --directory=mokutil-%{mokutil_version} %{patches} shim%{efiarchlc}.hash +if ! cmp shim%{efiarchlc}.hash %{unsigned_dir}shim%{efiarchlc}.hash ; then + echo Invalid signature\! > /dev/stderr + echo saved hash is $(cat %{unsigned_dir}shim%{efiarchlc}.hash) > /dev/stderr + echo shim%{efiarchlc}.efi hash is $(cat shim%{efiarchlc}.hash) > /dev/stderr + exit 1 +fi +cp %{shimsrc} shim%{efiarchlc}.efi +%ifarch x86_64 +pesign -i %{shimsrcia32} -h -P > shimia32.hash +if ! cmp shimia32.hash %{unsigned_dir_ia32}shimia32.hash ; then + echo Invalid signature\! > /dev/stderr + echo saved hash is $(cat %{unsigned_dir_ia32}shimia32.hash) > /dev/stderr + echo shimia32.efi hash is $(cat shimia32.hash) > /dev/stderr + exit 1 +fi +cp %{shimsrcia32} shimia32.efi +%endif +%endif +%ifarch %{rh_signed_arches} +%pesign -s -i %{unsigned_dir}shim%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301 -o shim%{efiarchlc}-%{efidir}.efi +%ifarch x86_64 +%pesign -s -i %{unsigned_dir_ia32}shimia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301 -o shimia32-%{efidir}.efi +%endif +%endif +%ifarch %{rh_signed_arches} +%ifnarch %{ca_signed_arches} +cp shim%{efiarchlc}-%{efidir}.efi shim%{efiarchlc}.efi +%endif +%endif + +%pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301 +%pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301 + +%ifarch x86_64 +%pesign -s -i %{unsigned_dir_ia32}mmia32.efi -o mmia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301 +%pesign -s -i %{unsigned_dir_ia32}fbia32.efi -o fbia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301 +%endif + +cd mokutil-%{mokutil_version} +./autogen.sh +%configure +make %{?_smp_mflags} + +%install +rm -rf $RPM_BUILD_ROOT +install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/ +install -m 0700 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi +install -m 0700 shim%{efiarchlc}-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi +install -m 0700 mm%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi +install -m 0700 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV + +install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/ +install -m 0700 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOT%{efiarch}.EFI +install -m 0700 fb%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fb%{efiarchlc}.efi + +%ifarch aarch64 +# In case old boot entries aren't updated +install -m 0700 %{shimsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi +%endif + +%ifarch x86_64 +# In case old boot entries aren't updated +install -m 0700 shimx64.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi +install -m 0700 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV + +install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi +install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi +install -m 0700 shimia32-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi +install -m 0700 mmia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mmia32.efi +install -m 0700 %{bootsrcia32} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOTIA32.CSV + +install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOTIA32.EFI +install -m 0700 fbia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fbia32.efi +%endif + +cd mokutil-%{mokutil_version} +make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install + +%files -n shim-%{efiarchlc} +%defattr(0700,root,root,-) +%verify(not mtime) /boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi +%verify(not mtime) /boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi +%verify(not mtime) /boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi +%verify(not mtime) /boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV +%verify(not mtime) /boot/efi/EFI/BOOT/BOOT%{efiarch}.EFI +%verify(not mtime) /boot/efi/EFI/BOOT/fb%{efiarchlc}.efi +%verify(not mtime) /boot/efi/EFI/%{efidir}/shim.efi + +%ifarch x86_64 +%verify(not mtime) /boot/efi/EFI/%{efidir}/BOOT.CSV + +%files -n shim-ia32 +%defattr(0700,root,root,-) +%verify(not mtime) /boot/efi/EFI/%{efidir}/shimia32.efi +%verify(not mtime) /boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi +%verify(not mtime) /boot/efi/EFI/%{efidir}/mmia32.efi +%verify(not mtime) /boot/efi/EFI/%{efidir}/BOOTIA32.CSV +%verify(not mtime) /boot/efi/EFI/BOOT/BOOTIA32.EFI +%verify(not mtime) /boot/efi/EFI/BOOT/fbia32.efi +%endif + +%files -n mokutil +%{!?_licensedir:%global license %%doc} +%license mokutil-%{mokutil_version}/COPYING +%doc mokutil-%{mokutil_version}/README +%{_bindir}/mokutil +%{_mandir}/man1/* +%{_datadir}/bash-completion/completions/mokutil + +%changelog +* Thu Mar 21 2019 Peter Jones - 15-2 +- Fix MoK mirroring issue which breaks kdump without intervention + Related: rhbz#1649270 + +* Fri Jul 20 2018 Peter Jones - 15-1 +- Update to shim version 15 + Resolves: rhbz#1589962 + +* Wed Jul 11 2018 Peter Jones - 12-3 +- Fix broken file owner/modes + Resolves: rhbz#1595677 + +* Sat Jun 23 2018 Peter Jones - 12-2 +- Fix /boot/efi/... permissions to match the filesystem's requirements + Related: rhbz#1512749 +- Minor .spec cleanups + Related: rhbz#1512749 + +* Mon May 01 2017 Peter Jones - 12-1 +- Update to 12-1 to work around a signtool.exe bug + Resolves: rhbz#1445393 + +* Mon Apr 24 2017 Peter Jones - 11-4 +- Another shot at better obsoletes. + Related: rhbz#1310764 + +* Mon Apr 24 2017 Peter Jones - 11-3 +- Fix Obsoletes + Related: rhbz#1310764 + +* Thu Apr 13 2017 Peter Jones - 11-2 +- Make sure Aarch64 still has shim.efi as well + Related: rhbz#1310766 + +* Wed Apr 12 2017 Peter Jones - 11-1 +- Rebuild with signed shim + Related: rhbz#1310766 + +* Mon Apr 03 2017 Peter Jones - 11-0.1 +- Update to 11-0.1 to match shim-11-1 + Related: rhbz#1310766 +- Fix regression in PE loader + Related: rhbz#1310766 +- Fix case where BDS invokes us wrong and we exec shim again as a result + Related: rhbz#1310766 + +* Mon Mar 27 2017 Peter Jones - 10-0.1 +- Support ia32 + Resolves: rhbz#1310766 +- Handle various different load option implementation differences +- TPM 1 and TPM 2 support. +- Update to OpenSSL 1.0.2k + +* Mon Jul 20 2015 Peter Jones - 0.9-2 +- Apparently I'm *never* going to learn to build this in the right target + the first time through. + Related: rhbz#1100048 + +* Mon Jun 29 2015 Peter Jones - 0.9-0.1 +- Bump version for 0.9 + Also use mokutil-0.3.0 + Related: rhbz#1100048 + +* Tue Jun 23 2015 Peter Jones - 0.7-14.1 +- Fix mokutil_version usage. + Related: rhbz#1100048 + +* Mon Jun 22 2015 Peter Jones - 0.7-14 +- Pull in aarch64 build so they can compose that tree. + (-14 to match -unsigned) + Related: rhbz#1100048 + +* Wed Feb 25 2015 Peter Jones - 0.7-12 +- Fix some minor build bugs on Aarch64 + Related: rhbz#1190191 + +* Tue Feb 24 2015 Peter Jones - 0.7-11 +- Fix section loading on Aarch64 + Related: rhbz#1190191 + +* Wed Dec 17 2014 Peter Jones - 0.7-10 +- Rebuild for Aarch64 to get \EFI\BOOT\BOOTAA64.EFI named right. + (I managed to fix the inputs but not the outputs in -9.) + Related: rhbz#1100048 + +* Wed Dec 17 2014 Peter Jones - 0.7-9 +- Rebuild for Aarch64 to get \EFI\BOOT\BOOTAA64.EFI named right. + Related: rhbz#1100048 + +* Tue Oct 21 2014 Peter Jones - 0.7-8 +- Build for aarch64 as well + Related: rhbz#1100048 +- out-of-bounds memory read flaw in DHCPv6 packet processing + Resolves: CVE-2014-3675 +- heap-based buffer overflow flaw in IPv6 address parsing + Resolves: CVE-2014-3676 +- memory corruption flaw when processing Machine Owner Keys (MOKs) + Resolves: CVE-2014-3677 + +* Tue Sep 23 2014 Peter Jones - 0.7-7 +- Make sure we use the right keys on Aarch64. + (It's only a demo at this stage.) + Related: rhbz#1100048 + +* Tue Sep 23 2014 Peter Jones - 0.7-6 +- Add ARM Aarch64. + Related: rhbz#1100048 + +* Thu Feb 27 2014 Peter Jones - 0.7-5.2 +- Get the right signatures on shim-redhat.efi + Related: rhbz#1064449 + +* Thu Feb 27 2014 Peter Jones - 0.7-5.1 +- Update for signed shim for RHEL 7 + Resolves: rhbz#1064449 + +* Thu Nov 21 2013 Peter Jones - 0.7-5 +- Fix shim-unsigned deps. + Related: rhbz#1032583 + +* Thu Nov 21 2013 Peter Jones - 0.7-4 +- Make dhcp4 work better. + Related: rhbz#1032583 + +* Thu Nov 14 2013 Peter Jones - 0.7-3 +- Make lockdown include UEFI and other KEK/DB entries. + Related: rhbz#1030492 + +* Fri Nov 08 2013 Peter Jones - 0.7-2 +- Handle SetupMode better in lockdown as well + Related: rhbz#996863 + +* Wed Nov 06 2013 Peter Jones - 0.7-1 +- Don't treat SetupMode variable's presence as meaning we're in SetupMode. + Related: rhbz#996863 + +* Wed Nov 06 2013 Peter Jones - 0.6-3 +- Use the correct CA and signer certificates. + Related: rhbz#996863 + +* Thu Oct 31 2013 Peter Jones - 0.6-1 +- Update to 0.6-1 + Resolves: rhbz#1008379 + +* Wed Aug 07 2013 Peter Jones - 0.4-3.2 +- Depend on newer pesign. + Related: rhbz#989442 + +* Tue Aug 06 2013 Peter Jones - 0.4-3.1 +- Rebuild with newer pesign + Related: rhbz#989442 + +* Tue Aug 06 2013 Peter Jones - 0.4-3 +- Update for RHEL signing with early test keys. + Related: rhbz#989442 + +* Thu Jun 20 2013 Peter Jones - 0.4-1 +- Provide a fallback for uninitialized Boot#### and BootOrder + Resolves: rhbz#963359 +- Move all signing from shim-unsigned to here +- properly compare our generated hash from shim-unsigned with the hash of + the signed binary (as opposed to doing it manually) + +* Fri May 31 2013 Peter Jones - 0.2-4.4 +- Re-sign to get alignments that match the new specification. + Resolves: rhbz#963361 + +* Thu Feb 14 2013 Fedora Release Engineering - 0.2-4.3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Wed Jan 02 2013 Peter Jones - 0.2-3.3 +- Add obsoletes and provides for earlier shim-signed packages, to cover + the package update cases where previous versions were installed. + Related: rhbz#888026 + +* Mon Dec 17 2012 Peter Jones - 0.2-3.2 +- Make the shim-unsigned dep be on the subpackage. + +* Sun Dec 16 2012 Peter Jones - 0.2-3.1 +- Rebuild to provide "shim" package directly instead of just as a Provides: + +* Sat Dec 15 2012 Peter Jones - 0.2-3 +- Also provide shim-fedora.efi, signed only by the fedora signer. +- Fix the fedora signature on the result to actually be correct. +- Update for shim-unsigned 0.2-3 + +* Mon Dec 03 2012 Peter Jones - 0.2-2 +- Initial build