Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2014-11-12 00:21:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim" Changes: -------- --- /work/SRC/openSUSE:Factory/shim/shim.changes 2014-10-14 07:10:25.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2014-11-12 00:21:07.000000000 +0100 @@ -1,0 +2,21 @@ +Tue Nov 11 04:26:00 UTC 2014 - [email protected] + +- Add shim-fix-mokmanager-sections.patch to fix the objcopy + parameters for the EFI files + +------------------------------------------------------------------- +Tue Oct 28 04:00:51 UTC 2014 - [email protected] + +- Update to 0.8 +- Add shim-fix-gnu-efi-30w.patch to adapt the change in + gnu-efi-3.0w +- Merge shim-signed-unsigned-compares.patch, + shim-mokmanager-support-sha-family.patch and + shim-bnc863205-mokmanager-fix-hash-delete.patch into + shim-mokx-support.patch +- Refresh shim-opensuse-cert-prompt.patch +- Drop upstreamed patches: shim-update-openssl-0.9.8zb.patch, + bug-889332_shim-overflow.patch, and bug-889332_shim-mok-oob.patch +- Enable aarch64 + +------------------------------------------------------------------- Old: ---- bug-889332_shim-mok-oob.patch bug-889332_shim-overflow.patch shim-0.7.318.81ee561d.tar.bz2 shim-bnc863205-mokmanager-fix-hash-delete.patch shim-mokmanager-support-sha-family.patch shim-signed-unsigned-compares.patch shim-update-openssl-0.9.8zb.patch New: ---- shim-0.8.tar.bz2 shim-fix-gnu-efi-30w.patch shim-fix-mokmanager-sections.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shim.spec ++++++ --- /var/tmp/diff_new_pack.VNSw7k/_old 2014-11-12 00:21:09.000000000 +0100 +++ /var/tmp/diff_new_pack.VNSw7k/_new 2014-11-12 00:21:09.000000000 +0100 
@@ -17,13 +17,9 @@ # needssslcertforbuild -%define commit 81ee561dde0213bc487aa1b701799f6d2faeaf31 -%define shortcommit 81ee561d Name: shim -# to ensure newer versions of the git export are always higher numbers the output of -# git rev-list master|wc -l is added before the git commit hash -Version: 0.7.318.%{shortcommit} +Version: 0.8 Release: 0 Summary: UEFI shim loader License: BSD-2-Clause 
@@ -44,22 +40,14 @@ Source10: timestamp.pl Source11: strip_signature.sh Source12: signature-sles.asc -# PATCH-FIX-UPSTREAM shim-mokx-support.patch [email protected] -- Support MOK blacklist +# REBASE PATCH-FIX-UPSTREAM shim-mokx-support.patch [email protected] -- Support MOK blacklist Patch1: shim-mokx-support.patch # PATCH-FIX-SUSE shim-only-os-name.patch [email protected] -- Only include the OS name in version.c Patch2: shim-only-os-name.patch -# PATCH-FIX-UPSTREAM shim-bnc863205-mokmanager-fix-hash-delete.patch bnc#863205 [email protected] -- Fix the hash deletion operation to avoid ruining the whole list -Patch3: shim-bnc863205-mokmanager-fix-hash-delete.patch -# PATCH-FIX-UPSTREAM shim-mokmanager-support-sha-family.patch [email protected] -- Support SHA hashes in MOK -Patch4: shim-mokmanager-support-sha-family.patch -# PATCH-FIX-OPENSUSE shim-signed-unsigned-compares.patch [email protected] -- Fixed some signed - unsigned comparisons -Patch5: shim-signed-unsigned-compares.patch -# PATCH-FIX-UPSTREAM shim-update-openssl-0.9.8zb.patch [email protected] -- Update openssl to 0.9.8zb -Patch6: shim-update-openssl-0.9.8zb.patch -# PATCH-FIX-UPSTREAM bug-889332_shim-overflow.patch [email protected] -- patch for overflow issue. -Patch7: bug-889332_shim-overflow.patch -# PATCH-FIX-UPSTREAM bug-889332_shim-mok-oob.patch [email protected] -- patch for MOK OOB access. -Patch8: bug-889332_shim-mok-oob.patch +# PATCH-FIX-UPSTREAM shim-fix-gnu-efi-30w.patch [email protected] -- Adapt the change in gnu-efi 3.0w +Patch3: shim-fix-gnu-efi-30w.patch +# PATCH-FIX-UPSTREAM shim-fix-mokmanager-sections.patch [email protected] -- Fix the objcopy parameters for the EFI files +Patch4: shim-fix-mokmanager-sections.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch [email protected] -- Show the prompt to ask whether the user trusts openSUSE certificate or not Patch100: shim-opensuse-cert-prompt.patch BuildRequires: gnu-efi >= 3.0t 
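Review bot: `BuildRequires: gnu-efi >= 3.0t` at the end of this hunk is left unchanged, although the new Patch3, shim-fix-gnu-efi-30w.patch, is described as adapting to a change in gnu-efi 3.0w. Whether the patched sources still build against 3.0t through 3.0v is not visible here; if they do not, the floor should move with the patch: `BuildRequires:  gnu-efi >= 3.0w`. Separately, the hunk drops bug-889332_shim-overflow.patch and bug-889332_shim-mok-oob.patch as upstreamed, but the 0.8 tarball diff is skipped on this page. It is worth confirming that both fixes are present in the 0.8 sources before relying on the removal.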
@@ -71,7 +59,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build # For shim-install script Requires: grub2-efi -ExclusiveArch: x86_64 +ExclusiveArch: x86_64 aarch64 %description shim is a trivial EFI application that, when run, attempts to open and @@ -89,10 +77,6 @@ %patch2 -p1 %patch3 -p1 %patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 %patch100 -p1 %build ++++++ shim-0.7.318.81ee561d.tar.bz2 -> shim-0.8.tar.bz2 ++++++ ++++ 4417 lines of diff (skipped) ++++++ shim-fix-gnu-efi-30w.patch ++++++ >From d4e4bf4e1e03eb5685474d240929d3e3b50581f8 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <[email protected]> Date: Thu, 25 Sep 2014 18:12:42 +0800 Subject: [PATCH] Adapt the change in gnu-efi-3.0w --- Cryptlib/Include/OpenSslSupport.h | 13 +++++++------ Cryptlib/Makefile | 1 + Cryptlib/OpenSSL/Makefile | 3 +++ Makefile | 2 ++ 4 files changed, 13 insertions(+), 6 deletions(-) diff --git a/Cryptlib/Include/OpenSslSupport.h b/Cryptlib/Include/OpenSslSupport.h index 9e56ced..6b3bfbd 100644 --- a/Cryptlib/Include/OpenSslSupport.h +++ b/Cryptlib/Include/OpenSslSupport.h @@ -16,12 +16,6 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #define __OPEN_SSL_SUPPORT_H__ #include <efi.h> -#include <efilib.h> -#include <Base.h> -#include <Library/BaseLib.h> -#include <Library/BaseMemoryLib.h> -#include <Library/MemoryAllocationLib.h> -#include <Library/DebugLib.h> #define CONST const @@ -63,6 +57,13 @@ typedef __builtin_va_list VA_LIST; #define va_end(Marker) ((void)0) #endif +#include <efilib.h> +#include <Base.h> +#include <Library/BaseLib.h> +#include <Library/BaseMemoryLib.h> +#include <Library/MemoryAllocationLib.h> +#include <Library/DebugLib.h> + // // #defines from EFI Application Toolkit required to buiild Open SSL // diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile index 9719a27..dbd79fb 100644 --- a/Cryptlib/Makefile +++ b/Cryptlib/Makefile 
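Review bot: The include order in OpenSslSupport.h now matters, but nothing in the header says so. `<efilib.h>` and the `Library/*.h` headers were moved below the `VA_LIST`/`va_end` block, presumably so that gnu-efi sees those definitions first once `GNU_EFI_USE_EXTERNAL_STDARG` is set. A comment above the relocated includes, for example `/* Must follow the VA_LIST/va_* definitions above: built with GNU_EFI_USE_EXTERNAL_STDARG */`, would stop a later cleanup from sorting them back to the top. The reason is inferred from the patch subject and the flag name, so the wording should be checked against gnu-efi 3.0w.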
@@ -3,6 +3,7 @@ EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLU CFLAGS = -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \ -Wall $(EFI_INCLUDES) +CFLAGS += -DGNU_EFI_USE_EXTERNAL_STDARG ifeq ($(ARCH),x86_64) CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \ diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile index 7990b3c..967e55e 100644 --- a/Cryptlib/OpenSSL/Makefile +++ b/Cryptlib/OpenSSL/Makefile @@ -18,6 +18,9 @@ endif ifeq ($(ARCH),arm) CFLAGS += -O2 -DTHIRTY_TWO_BIT -ffreestanding -I$(shell $(CC) -print-file-name=include) endif + +CFLAGS += -DGNU_EFI_USE_EXTERNAL_STDARG + LDFLAGS = -nostdlib -znocombreloc TARGET = libopenssl.a diff --git a/Makefile b/Makefile index 332a29b..52fd5b3 100644 --- a/Makefile +++ b/Makefile @@ -26,6 +26,8 @@ CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \ $(EFI_INCLUDES) +CFLAGS += -DGNU_EFI_USE_EXTERNAL_STDARG + ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined) CFLAGS += -DOVERRIDE_SECURITY_POLICY endif -- 1.8.4.5 ++++++ shim-fix-mokmanager-sections.patch ++++++ >From 61f1bfea2250c38b6c381a3876b41acf007f4289 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <[email protected]> Date: Mon, 10 Nov 2014 17:19:58 +0800 Subject: [PATCH 1/2] Fix objcopy parameters to include .rel and .rela The objcopy parameters -j .rel* and -j .rela* looked like that the two sections would be in the EFI binary, but it's actually not, and this caused MokManager.efi crash. Remove the asterisks to fix MokManager.efi. Signed-off-by: Gary Ching-Pang Lin <[email protected]> --- Makefile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index 332a29b..39160c5 100644 --- a/Makefile +++ b/Makefile 
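Review bot: `CFLAGS += -DGNU_EFI_USE_EXTERNAL_STDARG` is added without explanation here in Cryptlib/Makefile, and again in the Cryptlib/OpenSSL/Makefile and top-level Makefile hunks that follow. All three copies have to stay in agreement with the include reordering in OpenSslSupport.h. A one-line comment at each site, such as `# gnu-efi >= 3.0w: stdarg definitions are supplied by the including code, see OpenSslSupport.h`, would record why the flag exists. That meaning is inferred from the flag name and should be confirmed. lib/Makefile, which the later -nostdinc patch touches, does not get the define, and it is not visible here whether that is intended.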
@@ -133,13 +133,13 @@ FORMAT ?= --target efi-app-$(ARCH) %.efi: %.so $(OBJCOPY) -j .text -j .sdata -j .data \ - -j .dynamic -j .dynsym -j .rel* \ - -j .rela* -j .reloc -j .eh_frame \ + -j .dynamic -j .dynsym -j .rel \ + -j .rela -j .reloc -j .eh_frame \ -j .vendor_cert \ $(FORMAT) $^ $@ $(OBJCOPY) -j .text -j .sdata -j .data \ - -j .dynamic -j .dynsym -j .rel* \ - -j .rela* -j .reloc -j .eh_frame \ + -j .dynamic -j .dynsym -j .rel \ + -j .rela -j .reloc -j .eh_frame \ -j .debug_info -j .debug_abbrev -j .debug_aranges \ -j .debug_line -j .debug_str -j .debug_ranges \ $(FORMAT) $^ [email protected] -- 1.8.4.5 >From a0d319c24c064b3275f4dc91cf141336fb7449fa Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <[email protected]> Date: Mon, 10 Nov 2014 17:31:15 +0800 Subject: [PATCH 2/2] Add nostdinc to the CFLAGS for lib We don't need the headers from the standard include path. Signed-off-by: Gary Ching-Pang Lin <[email protected]> --- lib/Makefile | 2 +- lib/console.c | 4 ++-- lib/guid.c | 1 - 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/lib/Makefile b/lib/Makefile index ebd21a1..3c5101e 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -4,7 +4,7 @@ LIBFILES = simple_file.o guid.o console.o execute.o configtable.o shell.o variab EFI_INCLUDES = -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -I../include -CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ +CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -nostdinc\ -fshort-wchar -Wall -DBUILD_EFI -fno-builtin -Werror \ $(EFI_INCLUDES) diff --git a/lib/console.c b/lib/console.c index 83ee679..fd8cc5c 100644 --- a/lib/console.c +++ b/lib/console.c @@ -4,8 +4,8 @@ * * see COPYING file */ -#include <efi/efi.h> -#include <efi/efilib.h> +#include <efi.h> +#include <efilib.h> #include <console.h> #include <variables.h> diff --git a/lib/guid.c b/lib/guid.c index 56ec952..c97a7ca 100644 --- a/lib/guid.c +++ b/lib/guid.c 
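Review bot: The two objcopy invocations in the `%.efi: %.so` rule carry the same hand-edited section list twice, so a future edit to one can silently miss the other. The common part could live in one variable used by both, `COMMON_SECTIONS = -j .text -j .sdata -j .data -j .dynamic -j .dynsym -j .rel -j .rela -j .reloc -j .eh_frame`. The commit message attributes a MokManager.efi crash to relocation sections missing from the output, and these are Secure Boot loaders that get signed after this step. It would therefore help to fail the build when the produced .efi has no relocation section, rather than finding out at boot. The exact names `.rel` and `.rela` only match if the linker script emits sections with precisely those names, which is not visible in this hunk.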
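Review bot: In the lib/Makefile hunk, `-nostdinc\` has no space before the line continuation. Make joins the continued line with a space, so the flag still parses, but it reads as if it were glued to `-fshort-wchar`; `-fpic -nostdinc \` would be clearer. Note that -nostdinc also removes the compiler's own header directory, which the arm branch of Cryptlib/OpenSSL/Makefile re-adds with `-I$(shell $(CC) -print-file-name=include)`. Whether any source under lib/ needs that directory is not visible here.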
@@ -5,7 +5,6 @@ */ #include <guid.h> -#include <stdio.h> #ifndef BUILD_EFI /* EFI has %g for this, so it's only needed in platform c */ -- 1.8.4.5 ++++++ shim-mokx-support.patch ++++++ ++++ 2016 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/shim/shim-mokx-support.patch ++++ and /work/SRC/openSUSE:Factory/.shim.new/shim-mokx-support.patch ++++++ shim-opensuse-cert-prompt.patch ++++++ --- /var/tmp/diff_new_pack.VNSw7k/_old 2014-11-12 00:21:10.000000000 +0100 +++ /var/tmp/diff_new_pack.VNSw7k/_new 2014-11-12 00:21:10.000000000 +0100 @@ -1,4 +1,4 @@ -From b13d18d4069032ccf6c885774e9eada6a1d80ddd Mon Sep 17 00:00:00 2001 +From e3b81e524747199fb7da29e5988cff79db1658a3 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <[email protected]> Date: Tue, 18 Feb 2014 17:29:19 +0800 Subject: [PATCH 1/3] Show the build-in certificate prompt @@ -17,13 +17,13 @@ The state will store in use_openSUSE_cert, a volatile RT variable. --- - shim.c | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++----------- - 1 file changed, 97 insertions(+), 19 deletions(-) + shim.c | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 74 insertions(+), 2 deletions(-) -Index: shim-0.7/shim.c -=================================================================== ---- shim-0.7.orig/shim.c -+++ shim-0.7/shim.c +diff --git a/shim.c b/shim.c +index d46494a..c14a54d 100644 +--- a/shim.c ++++ b/shim.c @@ -90,6 +90,7 @@ UINT8 *vendor_dbx; */ verification_method_t verification_method; @@ -32,7 +32,7 @@ #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }} -@@ -817,7 +818,7 @@ static EFI_STATUS verify_buffer (char *d +@@ -954,7 +955,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, if (status == EFI_SUCCESS) return status; 
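Review bot: Removing `#include <stdio.h>` from lib/guid.c outright also removes it from the `#ifndef BUILD_EFI` block that follows. The comment there says the block is "only needed in platform c", and if that code uses stdio functions, a non-EFI build of guid.c loses their declarations. The block's body is outside this hunk, so this is unconfirmed. Moving the include inside the guard, directly after `#ifndef BUILD_EFI`, would keep it out of the -nostdinc EFI build while preserving the hosted one.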
@@ -41,75 +41,16 @@ /* * Check against the shim build key */ -@@ -1523,11 +1524,14 @@ EFI_STATUS mirror_mok_list() +@@ -1708,7 +1709,7 @@ EFI_STATUS mirror_mok_list() if (efi_status != EFI_SUCCESS) DataSize = 0; -- FullDataSize = DataSize -- + sizeof (*CertList) -- + sizeof (EFI_GUID) -- + vendor_cert_size -- ; -+ FullDataSize = DataSize; -+ if (use_builtin_cert) { -+ FullDataSize += sizeof (*CertList) + -+ sizeof (EFI_GUID) + -+ vendor_cert_size; -+ } else if (DataSize == 0) { -+ return EFI_SUCCESS; -+ } - FullData = AllocatePool(FullDataSize); - if (!FullData) { - perror(L"Failed to allocate space for MokListRT\n"); -@@ -1539,21 +1543,24 @@ EFI_STATUS mirror_mok_list() - CopyMem(p, Data, DataSize); - p += DataSize; - } -- CertList = (EFI_SIGNATURE_LIST *)p; -- p += sizeof (*CertList); -- CertData = (EFI_SIGNATURE_DATA *)p; -- p += sizeof (EFI_GUID); -- -- CertList->SignatureType = EFI_CERT_X509_GUID; -- CertList->SignatureListSize = vendor_cert_size -- + sizeof (*CertList) -- + sizeof (*CertData) -- -1; -- CertList->SignatureHeaderSize = 0; -- CertList->SignatureSize = vendor_cert_size + sizeof (EFI_GUID); - -- CertData->SignatureOwner = SHIM_LOCK_GUID; -- CopyMem(p, vendor_cert, vendor_cert_size); -+ if (use_builtin_cert) { -+ CertList = (EFI_SIGNATURE_LIST *)p; -+ p += sizeof (*CertList); -+ CertData = (EFI_SIGNATURE_DATA *)p; -+ p += sizeof (EFI_GUID); -+ -+ CertList->SignatureType = EFI_CERT_X509_GUID; -+ CertList->SignatureListSize = vendor_cert_size -+ + sizeof (*CertList) -+ + sizeof (*CertData) -+ -1; -+ CertList->SignatureHeaderSize = 0; -+ CertList->SignatureSize = vendor_cert_size + sizeof (EFI_GUID); -+ -+ CertData->SignatureOwner = SHIM_LOCK_GUID; -+ CopyMem(p, vendor_cert, vendor_cert_size); -+ } - - efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokListRT", - &shim_lock_guid, -@@ -1600,7 +1607,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE - check_var(L"MokPW") || check_var(L"MokAuth") || - check_var(L"MokDel") || check_var(L"MokDB") || - 
check_var(L"MokXNew") || check_var(L"MokXDel") || -- check_var(L"MokXAuth")) { -+ check_var(L"MokXAuth") || check_var(L"ClearVerify")) { - efi_status = start_image(image_handle, MOK_MANAGER); - - if (efi_status != EFI_SUCCESS) { -@@ -1840,6 +1847,75 @@ uninstall_shim_protocols(void) +- if (vendor_cert_size) { ++ if (vendor_cert_size && use_builtin_cert) { + FullDataSize = DataSize + + sizeof (*CertList) + + sizeof (EFI_GUID) +@@ -2057,6 +2058,75 @@ uninstall_shim_protocols(void) &shim_lock_guid, &shim_lock_interface); } @@ -185,7 +126,7 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) { EFI_STATUS efi_status; -@@ -1895,6 +1971,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_ha +@@ -2112,6 +2182,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) */ hook_system_services(systab); loader_is_participating = 0; @@ -194,11 +135,30 @@ } } -Index: shim-0.7/MokManager.c -=================================================================== ---- shim-0.7.orig/MokManager.c -+++ shim-0.7/MokManager.c -@@ -1701,6 +1701,36 @@ static INTN mok_pw_prompt (void *MokPW, +-- +1.8.4.5 + + +From 7b87b12059a9f26125f135ae649757346d26d6f8 Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin <[email protected]> +Date: Thu, 20 Feb 2014 16:57:08 +0800 +Subject: [PATCH 2/3] Support revoking the openSUSE cert + +This is an openSUSE-only patch. + +To revoke the openSUSE cert, create ClearVerify, a NV RT variable, +and store the password hash in the variable, and then MokManager +will show up with an additional option to clear openSUSE_Verify +--- + MokManager.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- + shim.c | 2 +- + 2 files changed, 60 insertions(+), 3 deletions(-) + +diff --git a/MokManager.c b/MokManager.c +index 442ab8f..7277968 100644 +--- a/MokManager.c ++++ b/MokManager.c +@@ -1731,6 +1731,33 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) { return -1; } 
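Review bot: The refreshed mirror_mok_list() hunk shows `use_builtin_cert` gating only the `FullDataSize` computation. The code that fills in the `EFI_SIGNATURE_LIST` header and copies `vendor_cert` lies outside the visible lines, so it should be confirmed that it sits under the same `if (vendor_cert_size && use_builtin_cert)` branch. If any of it ran after the user declined the built-in certificate, the copy would write past a buffer sized for `DataSize` alone, and the certificate would still be mirrored into MokListRT. A short comment on the condition, e.g. `/* mirror the built-in cert into MokListRT only if the user accepted it */`, would record the intent.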
@@ -216,10 +176,7 @@ + if (status != EFI_SUCCESS) + return -1; + -+ status = uefi_call_wrapper(RT->SetVariable, 5, -+ L"openSUSE_Verify", &shim_lock_guid, -+ EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE, -+ 0, NULL); ++ status = LibDeleteVariable(L"openSUSE_Verify", &shim_lock_guid); + if (status != EFI_SUCCESS) { + console_error(L"Failed to delete openSUSE_Verify", status); + return -1; @@ -235,7 +192,7 @@ static BOOLEAN verify_certificate(UINT8 *cert, UINTN size) { X509 *X509Cert; -@@ -2053,6 +2083,7 @@ typedef enum { +@@ -2083,6 +2110,7 @@ typedef enum { MOK_CHANGE_SB, MOK_SET_PW, MOK_CHANGE_DB, @@ -243,7 +200,7 @@ MOK_KEY_ENROLL, MOK_HASH_ENROLL } mok_menu_item; -@@ -2064,7 +2095,8 @@ static EFI_STATUS enter_mok_menu(EFI_HAN +@@ -2094,7 +2122,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, void *MokPW, UINTN MokPWSize, void *MokDB, UINTN MokDBSize, void *MokXNew, UINTN MokXNewSize, @@ -253,7 +210,7 @@ { CHAR16 **menu_strings; mok_menu_item *menu_item; -@@ -2138,6 +2170,9 @@ static EFI_STATUS enter_mok_menu(EFI_HAN +@@ -2168,6 +2197,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, if (MokDB) menucount++; @@ -263,7 +220,7 @@ menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (menucount + 1)); if (!menu_strings) -@@ -2207,6 +2242,12 @@ static EFI_STATUS enter_mok_menu(EFI_HAN +@@ -2237,6 +2269,12 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, i++; } @@ -276,7 +233,7 @@ menu_strings[i] = L"Enroll key from disk"; menu_item[i] = MOK_KEY_ENROLL; i++; -@@ -2257,6 +2298,9 @@ static EFI_STATUS enter_mok_menu(EFI_HAN +@@ -2287,6 +2325,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, case MOK_CHANGE_DB: mok_db_prompt(MokDB, MokDBSize); break; 
@@ -286,7 +243,7 @@ case MOK_KEY_ENROLL: mok_key_enroll(); break; -@@ -2282,6 +2326,7 @@ static EFI_STATUS check_mok_request(EFI_ +@@ -2312,6 +2353,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; UINTN MokNewSize = 0, MokDelSize = 0, MokSBSize = 0, MokPWSize = 0; UINTN MokDBSize = 0, MokXNewSize = 0, MokXDelSize = 0; @@ -294,7 +251,7 @@ void *MokNew = NULL; void *MokDel = NULL; void *MokSB = NULL; -@@ -2289,6 +2334,7 @@ static EFI_STATUS check_mok_request(EFI_ +@@ -2319,6 +2361,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) void *MokDB = NULL; void *MokXNew = NULL; void *MokXDel = NULL; @@ -302,7 +259,7 @@ EFI_STATUS status; status = get_variable(L"MokNew", (UINT8 **)&MokNew, &MokNewSize, -@@ -2361,9 +2407,20 @@ static EFI_STATUS check_mok_request(EFI_ +@@ -2391,9 +2434,20 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) console_error(L"Could not retrieve MokXDel", status); } @@ -324,7 +281,7 @@ if (MokNew) FreePool (MokNew); -@@ -2386,6 +2443,9 @@ static EFI_STATUS check_mok_request(EFI_ +@@ -2416,6 +2470,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) if (MokXDel) FreePool (MokXDel); 
@@ -334,3 +291,51 @@ LibDeleteVariable(L"MokAuth", &shim_lock_guid); LibDeleteVariable(L"MokDelAuth", &shim_lock_guid); LibDeleteVariable(L"MokXAuth", &shim_lock_guid); +diff --git a/shim.c b/shim.c +index c14a54d..1287eed 100644 +--- a/shim.c ++++ b/shim.c +@@ -1818,7 +1818,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle) + check_var(L"MokPW") || check_var(L"MokAuth") || + check_var(L"MokDel") || check_var(L"MokDB") || + check_var(L"MokXNew") || check_var(L"MokXDel") || +- check_var(L"MokXAuth")) { ++ check_var(L"MokXAuth") || check_var(L"ClearVerify")) { + efi_status = start_image(image_handle, MOK_MANAGER); + + if (efi_status != EFI_SUCCESS) { +-- +1.8.4.5 + + +From c7340fe9219777622fe58b6596f53a4cad739e9f Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin <[email protected]> +Date: Fri, 7 Mar 2014 16:17:20 +0800 +Subject: [PATCH 3/3] Delete openSUSE_Verify the right way + +This is an openSUSE-only patch. + +LibDeleteVariable only works on the runtime variables. +--- + MokManager.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/MokManager.c b/MokManager.c +index 7277968..b5d2454 100644 +--- a/MokManager.c ++++ b/MokManager.c +@@ -1745,7 +1745,10 @@ static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) { + if (status != EFI_SUCCESS) + return -1; + +- status = LibDeleteVariable(L"openSUSE_Verify", &shim_lock_guid); ++ status = uefi_call_wrapper(RT->SetVariable, 5, ++ L"openSUSE_Verify", &shim_lock_guid, ++ EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE, ++ 0, NULL); + if (status != EFI_SUCCESS) { + console_error(L"Failed to delete openSUSE_Verify", status); + return -1; +-- +1.8.4.5 + -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
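Review bot: The delete-by-SetVariable call restored in PATCH 3/3 passes `EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE` with a zero size and carries no comment. The place where openSUSE_Verify is created is outside this hunk, and firmware may reject a delete whose attributes differ from those used at creation, so the two sites need to stay in step. A comment such as `/* openSUSE_Verify is a BS+NV variable: delete it by writing zero bytes with the same attributes */` would record that. The series also introduces `LibDeleteVariable(L"openSUSE_Verify", ...)` in 2/3 only to replace it in 3/3. Going by the 3/3 message that call does not remove this variable, so folding 3/3 into 2/3 would avoid an intermediate state where the revocation prompt cannot clear it.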
