Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2013-01-17 10:43:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim", Maintainer is "[email protected]" Changes: -------- New Changes file: --- /dev/null 2013-01-09 19:40:42.352580873 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2013-01-17 10:43:07.000000000 +0100 
@@ -0,0 +1,66 @@ +------------------------------------------------------------------- +Wed Jan 16 08:01:55 UTC 2013 - [email protected] + +- Merge patches for FATE#314506 + + Add shim-support-mok-delete.patch to add support for deleting + specific keys + + Add shim-mokmanager-new-pw-hash.patch to support the new + password hash. +- Drop shim-correct-mok-size.patch which is included in + shim-support-mok-delete.patch +- Merge shim-remove-debug-code.patch and + shim-local-sign-mokmanager.patch into + shim-local-key-sign-mokmanager.patch +- Install COPYRIGHT + +------------------------------------------------------------------- +Tue Jan 15 03:17:53 UTC 2013 - [email protected] + +- Add shim-fix-loadoptions.patch to adopt the UEFI shell style + LoadOptions (bnc#798043) +- Drop shim-check-pk-kek.patch since upstream rejected the patch + due to violation of SPEC. +- Install EFI binaries to /usr/lib64/efi + +------------------------------------------------------------------- +Wed Dec 26 07:05:02 UTC 2012 - [email protected] + +- Update shim-reboot-after-changes.patch to avoid rebooting the + system after enrolling keys/hashes from the file system +- Add shim-correct-mok-size.patch to correct the size of MOK +- Add shim-clear-queued-key.patch to clear the queued key and show + the menu properly + +------------------------------------------------------------------- +Wed Dec 12 15:16:18 UTC 2012 - [email protected] + +- Remove shim-rpmlintrc, it wasn't fixing the error, hide error + stdout to prevent post build check to get triggered by cast + warnings in openSSL code +- Add shim-remove-debug-code.patch: remove debug code + +------------------------------------------------------------------- +Wed Dec 12 04:01:52 UTC 2012 - [email protected] + +- Add shim-rpmlintrc to filter 64bit portability errors + +------------------------------------------------------------------- +Tue Dec 11 07:36:32 UTC 2012 - [email protected] + +- Add shim-local-sign-mokmanager.patch to create a 
local certicate + to sign MokManager +- Add shim-get-2nd-stage-loader.patch to get the second stage + loader path from the load options +- Add shim-check-pk-kek.patch to verify EFI images with PK and KEK +- Add shim-reboot-after-changes.patch to reboot the system after + enrolling or erasing keys +- Install the EFI images to /usr/lib64/shim instead of the EFI + partition +- Update the mail address of the author + +------------------------------------------------------------------- +Fri Nov 2 08:19:37 UTC 2012 - [email protected] + +- Add new package shim 0.2 (FATE#314484) + + It's in fact git 2fd180a92 since there is no tag for 0.2 + New: ---- shim-0.2.tar.bz2 shim-clear-queued-key.patch shim-fix-loadoptions.patch shim-get-2nd-stage-loader.patch shim-local-key-sign-mokmanager.patch shim-mokmanager-new-pw-hash.patch shim-reboot-after-changes.patch shim-support-mok-delete.patch shim-suse-build.patch shim.changes shim.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shim.spec ++++++ # # spec file for package shim # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. 
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: shim Version: 0.2 Release: 0 Summary: UEFI shim loader License: BSD-2-Clause Group: System/Boot Url: https://github.com/mjg59/shim Source: %{name}-%{version}.tar.bz2 # PATCH-FIX-SUSE shim-suse-build.patch [email protected] -- Adjust Makefile for the build service Patch0: shim-suse-build.patch # PATCH-FIX-UPSTREAM shim-local-key-sign-mokmanager.patch [email protected] -- Sign MokManager.efi with the local generated certificate Patch1: shim-local-key-sign-mokmanager.patch # PATCH-FEATURE-UPSTREAM shim-get-2nd-stage-loader.patch [email protected] -- Get the second stage loader path from the load options Patch2: shim-get-2nd-stage-loader.patch # PATCH-FIX-UPSTREAM shim-reboot-after-changes.patch [email protected] -- Reboot the system after enrolling or erasing keys Patch3: shim-reboot-after-changes.patch # PATCH-FIX-UPSTREAM shim-clear-queued-key.patch [email protected] -- Clear the queued key to show the menu properly Patch5: shim-clear-queued-key.patch # PATCH-FIX-UPSTREAM shim-fix-loadoptions.patch bnc#798043 [email protected] -- Adopt the UEFI shell style LoadOptions Patch6: shim-fix-loadoptions.patch # PATCH-FIX-UPSTREAM shim-support-mok-delete.patch [email protected] -- Support for deleting specific keys Patch7: shim-support-mok-delete.patch # PATCH-FIX-UPSTREAM shim-mokmanager-new-pw-hash.patch [email protected] -- Support the new password hash Patch8: shim-mokmanager-new-pw-hash.patch BuildRequires: gnu-efi >= 3.0q BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 BuildRequires: pesign BuildRoot: %{_tmppath}/%{name}-%{version}-build ExclusiveArch: x86_64 %description shim is a trivial EFI application that, when run, attempts to open and execute another application. 
Authors: -------- Matthew Garrett <[email protected]> %prep %setup -q %patch0 -p1 %patch1 -p1 %patch2 -p1 %patch3 -p1 %patch5 -p1 %patch6 -p1 %patch7 -p1 %patch8 -p1 %build chmod +x "make-certs" # make sure cast warnings don't trigger post build check make 2>/dev/null # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx %install install -d %{buildroot}/%{_libdir}/efi install -m 444 shim.efi %{buildroot}/%{_libdir}/efi install -m 444 MokManager.efi.signed %{buildroot}/%{_libdir}/efi/MokManager.efi %clean %{?buildroot:%__rm -rf "%{buildroot}"} %files %defattr(-,root,root) %doc COPYRIGHT %dir %{_libdir}/efi %{_libdir}/efi/shim.efi %{_libdir}/efi/MokManager.efi %changelog ++++++ shim-clear-queued-key.patch ++++++ >From daa6a7519caa23ef69b9a879bc70789a0669b3e3 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <[email protected]> Date: Wed, 26 Dec 2012 11:44:46 +0800 Subject: [PATCH] Make sure the menu shows when the callback fails Since Pause() doesn't clear the key from the input queue, the next ReadKeyStroke reads the queued key instead of the new one. If the user presses "Enter", MokManager exits directly without showing the menu again. --- MokManager.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/MokManager.c b/MokManager.c index bfcbfd6..97588cb 100644 --- a/MokManager.c +++ b/MokManager.c 
@@ -1241,6 +1241,9 @@ static void run_menu (CHAR16 *header, UINTN lines, struct menu_item *items, if (ret < 0) { Print(L"Press a key to continue\n"); Pause(); + /* Clear the key in the queue */ + uefi_call_wrapper(ST->ConIn->ReadKeyStroke, 2, + ST->ConIn, &key); } draw_menu (header, lines, items, count); pos = 0; -- 1.7.10.4 ++++++ shim-fix-loadoptions.patch ++++++ commit f23f6b726bd12b28befd5a064c47a8a249d80a59 Author: Gary Ching-Pang Lin <[email protected]> Date: Mon Jan 14 16:53:19 2013 +0800 Adopt the UEFI shell style LoadOptions The previous commit, 14d4b8e, caused shim failed to parse the name of the 2nd stage loader in UEFI shell. Amend parsing of the name the 2nd stage loader to be compatible with UEFI shell. To create an boot entry for elilo.efi: # efibootmgr -c -L "shim elilo" -l "efi\\shim.efi" -u "shim.efi elilo.efi" diff --git a/shim.c b/shim.c index dcf1c51..37a5898 100644 --- a/shim.c +++ b/shim.c @@ -1330,6 +1330,8 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle) EFI_LOADED_IMAGE *li; CHAR16 *start = NULL, *c; int i, remaining_size = 0; + CHAR16 *loader_str = NULL; + int loader_len = 0; second_stage = DEFAULT_LOADER; load_options = NULL; @@ -1351,6 +1353,11 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle) return EFI_BAD_BUFFER_SIZE; } + /* + * UEFI shell copies the whole line of the command into LoadOptions. + * We ignore the string before the first L' ', i.e. the name of this + * program. + */ for (i = 0; i < li->LoadOptionsSize; i += 2) { c = (CHAR16 *)(li->LoadOptions + i); if (*c == L' ') { 
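Review bot: The status returned by the added ReadKeyStroke call is discarded and the `key` it writes to is declared outside the hunk, so the comment is the only thing telling a reader why a read whose result is never used sits here; make it say so: `/* Pause() leaves the pressed key in the input queue; drain it so the next ReadKeyStroke in the menu loop waits for a fresh key */`. If the firmware reports EFI_NOT_READY because nothing is queued the discard is harmless, which the comment could also state. run_menu starts and ends outside the hunk.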
@@ -1360,9 +1367,30 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle) break; } } + if (!start || remaining_size <= 0) + return EFI_SUCCESS; - second_stage = (CHAR16 *)li->LoadOptions; - if (start && remaining_size > 0) { + for (i = 0; start[i] != '\0'; i++) { + if (start[i] == L' ' || start[i] == L'\0') + break; + loader_len++; + } + + /* + * Setup the name of the alternative loader and the LoadOptions for + * the loader + */ + if (loader_len > 0) { + loader_str = AllocatePool((loader_len + 1) * sizeof(CHAR16)); + if (!loader_str) { + Print(L"Failed to allocate loader string\n"); + return EFI_OUT_OF_RESOURCES; + } + for (i = 0; i < loader_len; i++) + loader_str[i] = start[i]; + loader_str[loader_len] = L'\0'; + + second_stage = loader_str; load_options = start; load_options_size = remaining_size; } @@ -1439,5 +1467,11 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) uefi_call_wrapper(BS->UninstallProtocolInterface, 3, handle, &shim_lock_guid, &shim_lock_interface); + /* + * Free the space allocated for the alternative 2nd stage loader + */ + if (load_options_size > 0) + FreePool(second_stage); + return efi_status; } ++++++ shim-get-2nd-stage-loader.patch ++++++ commit 940425a8bce6bf1b556dc48189884b4a82d8d420 Author: Gary Ching-Pang Lin <[email protected]> Date: Thu Dec 6 17:47:26 2012 +0800 Get the second stage loader from the Load Options This commit replaces the 2nd stage loader path with the first argument in the Load Options and moves the rest arguments (if any) to the Load Options for the 2nd stage loader. For example, to make shim to load elilo.efi, just create a new boot entry with efibootmgr: # efibootmgr -c -L "shim elilo" -l "efi\\shim.efi" -u "elilo.efi" diff --git a/shim.c b/shim.c index c3aae9e..44301dd 100644 --- a/shim.c +++ b/shim.c 
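Review bot: In the new scan loop `if (start[i] == L' ' || start[i] == L'\0')` the second test can never be true, because the loop condition `start[i] != '\0'` already stops at the terminator, and the two tests also mix a narrow `'\0'` with the wide `L'\0'` used everywhere else; `for (i = 0; start[i] != L'\0' && start[i] != L' '; i++) loader_len++;` says the same in one line. The loop is only bounded because an earlier check in set_second_stage (visible in shim-get-2nd-stage-loader.patch below, not in this hunk) rejects a LoadOptions buffer whose last CHAR16 is not NUL; since LoadOptions comes from the boot entry rather than from shim, a one-line comment above the loop naming that guarantee would help the next reader. set_second_stage starts before this hunk.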
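Review bot: `if (load_options_size > 0) FreePool(second_stage);` frees the loader name through a proxy condition: it is only safe because the single branch in set_second_stage that sets load_options_size is also the one that stores the AllocatePool()ed loader_str in second_stage, while every other path leaves second_stage pointing at the DEFAULT_LOADER literal. That invariant lives in another function and nothing here states it; either record it, `/* second_stage was allocated by set_second_stage exactly when load_options_size > 0; otherwise it is the DEFAULT_LOADER literal */`, or keep a file-scope pointer to the allocation and free that instead. The rest of efi_main, including any early return that would skip this free, is outside the hunk.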
@@ -42,12 +42,16 @@ #include "netboot.h" #include "shim_cert.h" -#define SECOND_STAGE L"\\grub.efi" +#define DEFAULT_LOADER L"\\grub.efi" #define MOK_MANAGER L"\\MokManager.efi" static EFI_SYSTEM_TABLE *systab; static EFI_STATUS (EFIAPI *entry_point) (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *system_table); +static CHAR16 *second_stage; +static void *load_options; +static UINT32 load_options_size; + /* * The vendor certificate used for validating the second stage loader */ @@ -881,6 +885,10 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, li->ImageBase = buffer; li->ImageSize = context.ImageSize; + /* Pass the load options to the second stage loader */ + li->LoadOptions = load_options; + li->LoadOptionsSize = load_options_size; + if (!entry_point) { Print(L"Invalid entry point\n"); FreePool(buffer); @@ -1192,7 +1200,7 @@ EFI_STATUS init_grub(EFI_HANDLE image_handle) { EFI_STATUS efi_status; - efi_status = start_image(image_handle, SECOND_STAGE); + efi_status = start_image(image_handle, second_stage); if (efi_status != EFI_SUCCESS) efi_status = start_image(image_handle, MOK_MANAGER); 
@@ -1312,6 +1320,55 @@ static EFI_STATUS check_mok_sb (void) return status; } +/* + * Check the load options to specify the second stage loader + */ +EFI_STATUS set_second_stage (EFI_HANDLE image_handle) +{ + EFI_STATUS status; + EFI_LOADED_IMAGE *li; + CHAR16 *start = NULL, *c; + int i, remaining_size = 0; + + second_stage = DEFAULT_LOADER; + load_options = NULL; + load_options_size = 0; + + status = uefi_call_wrapper(BS->HandleProtocol, 3, image_handle, + &LoadedImageProtocol, (void **) &li); + if (status != EFI_SUCCESS) { + Print (L"Failed to get load options\n"); + return status; + } + + /* Expect a CHAR16 string with at least one CHAR16 */ + if (li->LoadOptionsSize < 4 || li->LoadOptionsSize % 2 != 0) { + return EFI_BAD_BUFFER_SIZE; + } + c = (CHAR16 *)(li->LoadOptions + (li->LoadOptionsSize - 2)); + if (*c != L'\0') { + return EFI_BAD_BUFFER_SIZE; + } + + for (i = 0; i < li->LoadOptionsSize; i += 2) { + c = (CHAR16 *)(li->LoadOptions + i); + if (*c == L' ') { + *c = L'\0'; + start = c + 1; + remaining_size = li->LoadOptionsSize - i - 2; + break; + } + } + + second_stage = (CHAR16 *)li->LoadOptions; + if (start && remaining_size > 0) { + load_options = start; + load_options_size = remaining_size; + } + + return EFI_SUCCESS; +} + EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; @@ -1334,6 +1391,9 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) */ InitializeLib(image_handle, systab); + /* Set the second stage loader */ + set_second_stage (image_handle); + /* * Check whether the user has configured the system to run in * insecure mode ++++++ shim-local-key-sign-mokmanager.patch ++++++ ++++ 722 lines (skipped) ++++++ shim-mokmanager-new-pw-hash.patch ++++++ >From 6e816e3e0f8b2013c1bccd67ec27db10ccaabc67 Mon Sep 17 00:00:00 2001 
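Review bot: set_second_stage is given external linkage while the neighbouring check_mok_sb is static, and the EFI_STATUS it returns is dropped at the new call in efi_main in the next hunk; because second_stage, load_options and load_options_size receive their defaults before any early return, ignoring the status is sound, but nothing says so. Suggest `static EFI_STATUS set_second_stage (EFI_HANDLE image_handle)` and, at the call site, `/* status ignored: the defaults were assigned before any early return */`. Two smaller points: `li->LoadOptions + i` and `li->LoadOptions + (li->LoadOptionsSize - 2)` do arithmetic on a VOID * (gnu-efi declares EFI_LOADED_IMAGE's LoadOptions that way), which only compiles as a GCC extension, and `*c = L'\0'` writes into the firmware-owned LoadOptions buffer of this image, which deserves a comment since that buffer came from the boot entry. Whether start_image verifies the image named by second_stage is not visible here, and it is what makes a path taken from an OS-writable boot entry safe to act on; a sentence in the function comment pointing at that check would help.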
From: Gary Ching-Pang Lin <[email protected]> Date: Tue, 15 Jan 2013 18:01:41 +0800 Subject: [PATCH 2/2] Support new password hash Old password hash: sha256sum(key_list + password) New password hash: salt + sha256sum(salt + password) --- MokManager.c | 91 ++++++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 67 insertions(+), 24 deletions(-) diff --git a/MokManager.c b/MokManager.c index 97588cb..be2a764 100644 --- a/MokManager.c +++ b/MokManager.c @@ -19,6 +19,9 @@ #define CERT_STRING L"Select an X509 certificate to enroll:\n\n" #define HASH_STRING L"Select a file to trust:\n\n" +#define SALT_LEN 16 +#define AUTH_LEN (SALT_LEN + SHA256_DIGEST_SIZE) + struct menu_item { CHAR16 *text; INTN (* callback)(void *data, void *data2, void *data3); @@ -648,23 +651,30 @@ static EFI_STATUS store_keys (void *MokNew, UINTN MokNewSize, int authenticate) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; - UINT8 auth[SHA256_DIGEST_SIZE]; - UINTN auth_size; + UINT8 data[AUTH_LEN], *auth, *salt; + UINTN auth_size = AUTH_LEN; UINT32 attributes; if (authenticate) { - auth_size = SHA256_DIGEST_SIZE; efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokAuth", &shim_lock_guid, - &attributes, &auth_size, auth); + &attributes, &auth_size, data); - if (efi_status != EFI_SUCCESS || auth_size != SHA256_DIGEST_SIZE) { + if (efi_status != EFI_SUCCESS || + (auth_size != SHA256_DIGEST_SIZE && auth_size != AUTH_LEN)) { Print(L"Failed to get MokAuth %d\n", efi_status); return efi_status; } - efi_status = match_password(MokNew, MokNewSize, auth, NULL); + if (auth_size == AUTH_LEN) { + salt = data; + auth = data + SALT_LEN; + efi_status = match_password(salt, SALT_LEN, auth, NULL); + } else { + auth = data; + efi_status = match_password(MokNew, MokNewSize, auth, NULL); + } if (efi_status != EFI_SUCCESS) return EFI_ACCESS_DENIED; } 
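Review bot: The format dispatch added here, `if (auth_size == AUTH_LEN) { salt = data; auth = data + SALT_LEN; ... } else { ... }`, is repeated almost verbatim in delete_keys, mok_pw_prompt and verify_pw in the following hunks, and the delete_keys copy picked up a stray `;;` on its `UINT8 data[AUTH_LEN], *auth, *salt;;` line. A single static helper taking the blob and its size would keep the two accepted layouts (legacy bare digest versus salt followed by the salted digest, as the commit message describes) in one place, which matters for a routine that gates key enrolment; the argument order of match_password below is inferred from the calls in this hunk. The helper's comment should also say that the unsalted layout is kept only for blobs written by older tooling, so a later cleanup knows it can go. store_keys continues outside the hunk.
```c
/*
 * Check a password against a MokAuth-style blob.  Two layouts are accepted:
 *   SHA256_DIGEST_SIZE bytes: legacy unsalted digest over legacy_data + password
 *   AUTH_LEN bytes:           SALT_LEN bytes of salt, then SHA-256(salt + password)
 * blob_size must already have been validated to be one of the two.
 */
static EFI_STATUS match_auth_blob (UINT8 *blob, UINTN blob_size,
				   void *legacy_data, UINTN legacy_size,
				   CHAR16 *prompt)
{
	if (blob_size == AUTH_LEN)
		return match_password(blob, SALT_LEN, blob + SALT_LEN, prompt);

	/* legacy layout: kept only for blobs written by older tooling */
	return match_password(legacy_data, legacy_size, blob, prompt);
}

/* … in store_keys, replacing the if/else on auth_size … */
	efi_status = match_auth_blob(data, auth_size, MokNew, MokNewSize, NULL);
```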
@@ -842,8 +852,8 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; - UINT8 auth[SHA256_DIGEST_SIZE]; - UINTN auth_size = SHA256_DIGEST_SIZE; + UINT8 data[AUTH_LEN], *auth, *salt;; + UINTN auth_size = AUTH_LEN; UINT32 attributes; void *MokListData = NULL; UINTN MokListDataSize = 0; @@ -853,14 +863,22 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize) efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokDelAuth", &shim_lock_guid, - &attributes, &auth_size, auth); + &attributes, &auth_size, data); - if (efi_status != EFI_SUCCESS || auth_size != SHA256_DIGEST_SIZE) { + if (efi_status != EFI_SUCCESS || + (auth_size != SHA256_DIGEST_SIZE && auth_size != AUTH_LEN)) { Print(L"Failed to get MokDelAuth %d\n", efi_status); return efi_status; } - efi_status = match_password(MokDel, MokDelSize, auth, NULL); + if (auth_size == AUTH_LEN) { + salt = data; + auth = data + SALT_LEN; + efi_status = match_password(salt, SALT_LEN, auth, NULL); + } else { + auth = data; + efi_status = match_password(MokDel, MokDelSize, auth, NULL); + } if (efi_status != EFI_SUCCESS) return EFI_ACCESS_DENIED; 
@@ -1052,20 +1070,29 @@ static INTN mok_pw_prompt (void *MokPW, void *data2, void *data3) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; UINTN MokPWSize = (UINTN)data2; - UINT8 hash[SHA256_DIGEST_SIZE]; + UINT8 hash[AUTH_LEN], *auth, *salt; + UINT8 clear = 0; UINT32 length; CHAR16 line[1]; - if (MokPWSize != SHA256_DIGEST_SIZE) { + if (MokPWSize != SHA256_DIGEST_SIZE && MokPWSize != AUTH_LEN) { Print(L"Invalid MokPW variable contents\n"); return -1; } uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut); - SetMem(hash, SHA256_DIGEST_SIZE, 0); + SetMem(hash, AUTH_LEN, 0); + + if (MokPWSize == AUTH_LEN) { + if (CompareMem(MokPW, hash, AUTH_LEN) == 0) + clear = 1; + } else { + if (CompareMem(MokPW, hash, SHA256_DIGEST_SIZE) == 0) + clear = 1; + } - if (CompareMem(MokPW, hash, SHA256_DIGEST_SIZE) == 0) { + if (clear) { Print(L"Clear MOK password? (y/n): "); do { @@ -1080,7 +1107,14 @@ static INTN mok_pw_prompt (void *MokPW, void *data2, void *data3) { return 0; } - efi_status = match_password(NULL, 0, MokPW, L"Confirm MOK passphrase: "); + if (MokPWSize == AUTH_LEN) { + salt = MokPW; + auth = MokPW + SALT_LEN; + efi_status = match_password(salt, SALT_LEN, auth, L"Confirm MOK passphrase: "); + } else { + efi_status = match_password(NULL, 0, MokPW, L"Confirm MOK passphrase: "); + } + if (efi_status != EFI_SUCCESS) { Print(L"Password limit reached\n"); return -1; @@ -1691,8 +1725,8 @@ static BOOLEAN verify_pw(void) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; - UINT8 pwhash[SHA256_DIGEST_SIZE]; - UINTN size = SHA256_DIGEST_SIZE; + UINT8 pwhash[AUTH_LEN], *auth, *salt; + UINTN size = AUTH_LEN; UINT32 attributes; efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokPWStore", 
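Review bot: The two new branches that detect an all-zero MokPW do the same comparison with a different length, and `hash` has just been zeroed for the full AUTH_LEN, so a single `if (CompareMem(MokPW, hash, MokPWSize) == 0) clear = 1;` covers both sizes the check above admits and the `clear` flag can go. `auth = MokPW + SALT_LEN` also does arithmetic on the `void *` parameter, which only compiles as a GCC extension; `auth = (UINT8 *)MokPW + SALT_LEN;` avoids it. The zero-filled buffer is still named `hash`, which now misleads since it never holds a digest; `zeros` would read better. mok_pw_prompt starts outside the hunk and its tail is in the next one.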
@@ -1704,7 +1738,8 @@ static BOOLEAN verify_pw(void) * known value, so there's no safety advantage in failing to validate * purely because of a failure to read the variable */ - if (efi_status != EFI_SUCCESS) + if (efi_status != EFI_SUCCESS || + (size != SHA256_DIGEST_SIZE && size != AUTH_LEN)) return TRUE; if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) @@ -1712,7 +1747,13 @@ static BOOLEAN verify_pw(void) uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut); - efi_status = match_password(NULL, 0, pwhash, L"Enter MOK password: "); + if (size == AUTH_LEN) { + salt = pwhash; + auth = pwhash + SALT_LEN; + efi_status = match_password(salt, SALT_LEN, auth, L"Enter MOK password: "); + } else { + efi_status = match_password(NULL, 0, pwhash, L"Enter MOK password: "); + } if (efi_status != EFI_SUCCESS) { Print(L"Password limit reached\n"); return FALSE; @@ -1733,8 +1774,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, UINTN menucount = 3, i = 0; EFI_STATUS efi_status; EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; - UINT8 auth[SHA256_DIGEST_SIZE]; - UINTN auth_size = SHA256_DIGEST_SIZE; + UINT8 auth[AUTH_LEN]; + UINTN auth_size = AUTH_LEN; UINT32 attributes; if (verify_pw() == FALSE) @@ -1744,14 +1785,16 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, &shim_lock_guid, &attributes, &auth_size, auth); - if ((efi_status == EFI_SUCCESS) && (auth_size == SHA256_DIGEST_SIZE)) + if ((efi_status == EFI_SUCCESS) && + (auth_size == SHA256_DIGEST_SIZE || auth_size == AUTH_LEN)) MokAuth = 1; efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokDelAuth", &shim_lock_guid, &attributes, &auth_size, auth); - if ((efi_status == EFI_SUCCESS) && (auth_size == SHA256_DIGEST_SIZE)) + if ((efi_status == EFI_SUCCESS) && + (auth_size == SHA256_DIGEST_SIZE || auth_size == AUTH_LEN)) MokDelAuth = 1; if (MokNew || MokAuth) -- 1.7.10.4 ++++++ shim-reboot-after-changes.patch ++++++ >From 10f0f58b03b3bcc56797744f25be15b226b51a50 Mon Sep 17 00:00:00 2001 
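Review bot: The condition now returns TRUE, which enter_mok_menu below appears to treat as a passed password check, not only when MokPWStore cannot be read but also when its size is neither SHA256_DIGEST_SIZE nor AUTH_LEN, while the comment directly above (partly outside the hunk) only argues the read-failure case. Extend it so the policy is explicit: `* The same applies to a MokPWStore of a size we do not recognise: it cannot be checked, so it is treated like an unreadable one.`. The rationale holds only as long as the variable stays boot-services-only, which the EFI_VARIABLE_RUNTIME_ACCESS check just below is presumably there to guarantee. verify_pw starts outside the hunk.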
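Review bot: `auth_size` is passed by address to both GetVariable calls but set to AUTH_LEN only once, at its declaration in the previous hunk; GetVariable stores the returned size into it on success, so after a legacy SHA256_DIGEST_SIZE-byte MokAuth the second call asks for MokDelAuth with a 32-byte buffer, a 48-byte MokDelAuth then fails with EFI_BUFFER_TOO_SMALL, MokDelAuth stays 0 and the pending deletion request is silently ignored. This could not happen before the change because both variables had one fixed size. Reinitialise before the second read: `auth_size = AUTH_LEN;` immediately above `efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokDelAuth",`. enter_mok_menu continues outside the hunk.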
From: Gary Ching-Pang Lin <[email protected]> Date: Mon, 10 Dec 2012 17:54:05 +0800 Subject: [PATCH 1/2] Clear the screen before erasing keys --- MokManager.c | 1 + 1 file changed, 1 insertion(+) diff --git a/MokManager.c b/MokManager.c index 5802d27..c6f84d8 100644 --- a/MokManager.c +++ b/MokManager.c @@ -675,6 +675,7 @@ static INTN mok_deletion_prompt (void *MokNew, void *data2, void *data3) { UINT32 length; EFI_STATUS efi_status; + uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut); Print(L"Erase all stored keys? (y/N): "); get_line (&length, line, 1, 1); -- 1.7.10.4 >From 510dafda53cd56210d7ff634b1c630d3645150f0 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <[email protected]> Date: Mon, 10 Dec 2012 18:24:45 +0800 Subject: [PATCH 2/2] Reboot the system after enrolling/erasing keys --- MokManager.c | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/MokManager.c b/MokManager.c index c6f84d8..7d6650e 100644 --- a/MokManager.c +++ b/MokManager.c @@ -637,6 +637,7 @@ static EFI_STATUS store_keys (void *MokNew, UINTN MokNewSize, int authenticate) } static UINTN mok_enrollment_prompt (void *MokNew, UINTN MokNewSize, int auth) { + EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; CHAR16 line[1]; UINT32 length; EFI_STATUS efi_status; @@ -657,6 +658,19 @@ static UINTN mok_enrollment_prompt (void *MokNew, UINTN MokNewSize, int auth) { Print(L"Failed to enroll keys\n"); return -1; } + + if (auth) { + LibDeleteVariable(L"MokNew", &shim_lock_guid); + LibDeleteVariable(L"MokAuth", &shim_lock_guid); + + Print(L"\nPress a key to reboot system\n"); + Pause(); + uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm, + EFI_SUCCESS, 0, NULL); + Print(L"Failed to reboot\n"); + return -1; + } + return 0; } } while (line[0] != 'N' && line[0] != 'n'); 
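Review bot: The delete-variables/prompt/ResetSystem sequence added inside `if (auth)` here is repeated line for line in mok_deletion_prompt in the hunk after next, and both copies discard the status of the two LibDeleteVariable calls, so a failure to remove MokAuth would go unnoticed until the next boot. A static helper keeps the sequence in one place and gives the status checks a single home; both callers become `reboot_after_change(); return -1;`. Whether a leftover MokNew/MokAuth on the next boot merely re-prompts or has other effects is not visible here. mok_enrollment_prompt starts outside the hunk.
```c
/*
 * Remove the pending request variables and warm-reset the system.
 * Only returns if the reset itself fails; the caller then reports
 * an error to the menu.
 */
static void reboot_after_change (void)
{
	EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
	EFI_STATUS efi_status;

	efi_status = LibDeleteVariable(L"MokNew", &shim_lock_guid);
	if (efi_status != EFI_SUCCESS)
		Print(L"Failed to delete MokNew %d\n", efi_status);
	efi_status = LibDeleteVariable(L"MokAuth", &shim_lock_guid);
	if (efi_status != EFI_SUCCESS)
		Print(L"Failed to delete MokAuth %d\n", efi_status);

	Print(L"\nPress a key to reboot system\n");
	Pause();
	uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm,
			  EFI_SUCCESS, 0, NULL);
	Print(L"Failed to reboot\n");
}

/* … in mok_enrollment_prompt, inside if (auth), and likewise in mok_deletion_prompt … */
		reboot_after_change();
		return -1;
```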
@@ -671,6 +685,7 @@ static INTN mok_enrollment_prompt_callback (void *MokNew, void *data2, } static INTN mok_deletion_prompt (void *MokNew, void *data2, void *data3) { + EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; CHAR16 line[1]; UINT32 length; EFI_STATUS efi_status; @@ -687,6 +702,16 @@ static INTN mok_deletion_prompt (void *MokNew, void *data2, void *data3) { Print(L"Failed to erase keys\n"); return -1; } + + LibDeleteVariable(L"MokNew", &shim_lock_guid); + LibDeleteVariable(L"MokAuth", &shim_lock_guid); + + Print(L"\nPress a key to reboot system\n"); + Pause(); + uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm, + EFI_SUCCESS, 0, NULL); + Print(L"Failed to reboot\n"); + return -1; } return 0; -- 1.7.10.4 ++++++ shim-support-mok-delete.patch ++++++ ++++ 763 lines (skipped) ++++++ shim-suse-build.patch ++++++ Index: shim-0.2/Makefile =================================================================== --- shim-0.2.orig/Makefile +++ shim-0.2/Makefile @@ -6,7 +6,7 @@ LIB_PATH = /usr/lib64 EFI_INCLUDE = /usr/include/efi EFI_INCLUDES = -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -EFI_PATH = /usr/lib64/gnuefi +EFI_PATH = /usr/lib64 LIB_GCC = $(shell $(CC) -print-libgcc-file-name) EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC) -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
