Hello community, here is the log from the commit of package ovmf for openSUSE:Factory checked in at 2016-08-03 11:36:51 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ovmf (Old) and /work/SRC/openSUSE:Factory/.ovmf.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ovmf" Changes: -------- --- /work/SRC/openSUSE:Factory/ovmf/ovmf.changes 2016-07-01 09:51:46.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.ovmf.new/ovmf.changes 2016-08-03 11:36:53.000000000 +0200 @@ -1,0 +2,9 @@ +Wed Jul 27 04:13:18 UTC 2016 - [email protected] + +- Update openssl to 1.0.2h (bsc#990612) + + Add the patch: ovmf-bsc990612-update-openssl-1.0.2h.patch + + Update the openssl tarball +- Add ovmf-bsc990773-remove-stale-boot-options.patch to remove the + stale boot options (bsc#990773) + +------------------------------------------------------------------- Old: ---- openssl-1.0.2g.tar.gz openssl-1.0.2g.tar.gz.asc New: ---- openssl-1.0.2h.tar.gz openssl-1.0.2h.tar.gz.asc ovmf-bsc990612-update-openssl-1.0.2h.patch ovmf-bsc990773-remove-stale-boot-options.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ovmf.spec ++++++ --- /var/tmp/diff_new_pack.HlhCzv/_old 2016-08-03 11:36:55.000000000 +0200 +++ /var/tmp/diff_new_pack.HlhCzv/_new 2016-08-03 11:36:55.000000000 +0200 @@ -19,7 +19,7 @@ # needssslcertforbuild %undefine _build_create_debug -%define openssl_version 1.0.2g +%define openssl_version 1.0.2h Name: ovmf Url: http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=EDK2 @@ -54,6 +54,15 @@ Patch7: %{name}-bsc980635-fix-http-crash.patch Patch8: %{name}-bsc982193-dont-restore-readonly-var.patch Patch9: %{name}-bsc982193-connect-xen-drivers.patch +# NOTE: edk2 retired NO_BUILTIN_VA_FUNCS right after the 1.0.2h patch, so the +# following commits may be necessary for the next openssl update: +# b2dc04a87fab89307240dc0f30b9a23bb5726c81 CryptoPkg: set new define to avoid MS ABI VA_LIST on GCC/X64 +# 48d5f9a551a93acb45f272dda879b0ab5a504e36 MdePkg: Enable new MS VA intrinsics for GNUC x86 64bits build +# 0676c285ba518ae81ca7f06278d4cc4958660864 EdkCompatibilityPkg: Enable new MS VA intrinsics for GNUC x86 64bits build +# 247093f45d94a3956cdd15c357fe7d6dca878df9 BaseTools/tools_def: enable Os optimization for GCC X64 builds +# 17ab1ec5accc866b77446f4e336e982bb5e1cc9f MdePkg CryptoPkg EdkCompatibilityPkg: retire NO_BUILTIN_VA_FUNCS define +Patch10: %{name}-bsc990612-update-openssl-1.0.2h.patch +Patch11: %{name}-bsc990773-remove-stale-boot-options.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: fdupes BuildRequires: gcc @@ -175,6 +184,8 @@ %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 +%patch11 -p1 # Intel has special patches for openssl pushd CryptoPkg/Library/OpensslLib/openssl-%{openssl_version} patch -p1 -i ../EDKII_openssl-%{openssl_version}.patch ++++++ ovmf-bsc990612-update-openssl-1.0.2h.patch ++++++ >From 535421d25307a1c212a5f514048229b8ab429d5d Mon Sep 17 00:00:00 2001 From: Qin Long <[email protected]> Date: Wed, 13 Jul 2016 13:27:11 +0800 Subject: [PATCH] CryptoPkg/OpensslLib: Upgrade OpenSSL version to 1.0.2h OpenSSL 1.0.2h was released with several severity fixes at 03-May-2016 (https://www.openssl.org/news/secadv/20160503.txt). Upgrade the supported OpenSSL version in CryptoPkg/OpensslLib to catch the latest release 1.0.2h. Cc: Ting Ye <[email protected]> Cc: David Woodhouse <[email protected]> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Qin Long <[email protected]> Reviewed-by: Ye Ting <[email protected]> Tested-by: Laszlo Ersek <[email protected]> --- CryptoPkg/CryptoPkg.dec | 2 +- ...ssl-1.0.2g.patch => EDKII_openssl-1.0.2h.patch} | 97 ++++++++++------------ CryptoPkg/Library/OpensslLib/Install.cmd | 2 +- CryptoPkg/Library/OpensslLib/Install.sh | 2 +- CryptoPkg/Library/OpensslLib/OpensslLib.inf | 2 +- CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt | 26 +++--- 6 files changed, 62 insertions(+), 69 deletions(-) rename CryptoPkg/Library/OpensslLib/{EDKII_openssl-1.0.2g.patch => EDKII_openssl-1.0.2h.patch} (95%) diff --git a/CryptoPkg/CryptoPkg.dec b/CryptoPkg/CryptoPkg.dec index e1cdb8e..c0885bb 100644 --- a/CryptoPkg/CryptoPkg.dec +++ b/CryptoPkg/CryptoPkg.dec @@ -24,7 +24,7 @@ [Defines] [Includes] Include - Library/OpensslLib/openssl-1.0.2g/include + Library/OpensslLib/openssl-1.0.2h/include [LibraryClasses] ## @libraryclass Provides basic library functions for cryptographic primitives. diff --git a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2g.patch b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2h.patch similarity index 95% rename from CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2g.patch rename to CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2h.patch index 25dbebc..559fc67 100644 --- a/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2g.patch +++ b/CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2h.patch @@ -254,7 +254,7 @@ index d5a5514..bede55c 100644 goto err; diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c -index 1d25687..e933ead 100644 +index 1d25687..ad641c3 100644 --- a/crypto/bn/bn_prime.c +++ b/crypto/bn/bn_prime.c @@ -131,7 +131,7 @@ @@ -277,7 +277,7 @@ index 1d25687..e933ead 100644 + mods = OPENSSL_malloc(sizeof(*mods) * NUMPRIMES); + if (mods == NULL) -+ goto err; ++ goto err; ctx = BN_CTX_new(); if (ctx == NULL) goto err; @@ -311,7 +311,7 @@ index 1d25687..e933ead 100644 again: diff --git a/crypto/conf/conf.h b/crypto/conf/conf.h -index 8d926d5..41cf38e 100644 +index 8d926d5..c29e97d 100644 --- a/crypto/conf/conf.h +++ b/crypto/conf/conf.h @@ -118,8 +118,10 @@ typedef void conf_finish_func (CONF_IMODULE *md); @@ -329,9 +329,9 @@ index 8d926d5..41cf38e 100644 long CONF_get_number(LHASH_OF(CONF_VALUE) *conf, const char *group, const char *name); void CONF_free(LHASH_OF(CONF_VALUE) *conf); -+#ifndef OPENSSL_NO_FP_API ++# ifndef OPENSSL_NO_FP_API int CONF_dump_fp(LHASH_OF(CONF_VALUE) *conf, FILE *out); -+#endif ++# endif int CONF_dump_bio(LHASH_OF(CONF_VALUE) *conf, BIO *out); void OPENSSL_config(const char *config_name); @@ -349,9 +349,9 @@ index 8d926d5..41cf38e 100644 char *NCONF_get_string(const CONF *conf, const char *group, const char *name); int NCONF_get_number_e(const CONF *conf, const char *group, const char *name, long *result); -+#ifndef OPENSSL_NO_FP_API ++# ifndef OPENSSL_NO_FP_API int NCONF_dump_fp(const CONF *conf, FILE *out); -+#endif ++# endif int NCONF_dump_bio(const CONF *conf, BIO *out); # if 0 /* The following function has no error @@ -359,10 +359,10 @@ index 8d926d5..41cf38e 100644 int CONF_modules_load(const CONF *cnf, const char *appname, unsigned long flags); -+#ifndef OPENSSL_NO_STDIO ++# ifndef OPENSSL_NO_STDIO int CONF_modules_load_file(const char *filename, const char *appname, unsigned long flags); -+#endif ++# endif void CONF_modules_unload(int all); void CONF_modules_finish(void); void CONF_modules_free(void); @@ -684,10 +684,10 @@ index a5bd901..6488879 100644 /* BEGIN ERROR CODES */ /* diff --git a/crypto/dh/dh_kdf.c b/crypto/dh/dh_kdf.c -index a882cb2..4eddb9a 100644 +index a882cb2..aace5fb 100644 --- a/crypto/dh/dh_kdf.c +++ b/crypto/dh/dh_kdf.c -@@ -51,13 +51,18 @@ +@@ -51,6 +51,9 @@ * ==================================================================== */ @@ -697,22 +697,21 @@ index a882cb2..4eddb9a 100644 #include <string.h> #include <openssl/dh.h> #include <openssl/evp.h> - #include <openssl/asn1.h> +@@ -58,6 +61,7 @@ #include <openssl/cms.h> -+ /* Key derivation from X9.42/RFC2631 */ +/* Uses CMS functions, hence the #ifdef wrapper. */ #define DH_KDF_MAX (1L << 30) -@@ -185,3 +190,4 @@ int DH_KDF_X9_42(unsigned char *out, size_t outlen, +@@ -185,3 +189,4 @@ int DH_KDF_X9_42(unsigned char *out, size_t outlen, EVP_MD_CTX_cleanup(&mctx); return rv; } +#endif diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c -index b58e3fa..c6288f6 100644 +index b58e3fa..926be98 100644 --- a/crypto/dh/dh_pmeth.c +++ b/crypto/dh/dh_pmeth.c @@ -207,7 +207,11 @@ static int pkey_dh_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) @@ -727,7 +726,7 @@ index b58e3fa..c6288f6 100644 return -2; dctx->kdf_type = p1; return 1; -@@ -448,7 +452,10 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key, +@@ -448,7 +452,9 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key, return ret; *keylen = ret; return 1; @@ -735,11 +734,10 @@ index b58e3fa..c6288f6 100644 + } +#ifndef OPENSSL_NO_CMS + else if (dctx->kdf_type == EVP_PKEY_DH_KDF_X9_42) { -+ unsigned char *Z = NULL; size_t Zlen = 0; if (!dctx->kdf_outlen || !dctx->kdf_oid) -@@ -479,7 +486,8 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key, +@@ -479,7 +485,8 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key, } return ret; } @@ -945,7 +943,7 @@ index 7a1c85d..7162c0f 100644 #undef BN_LLONG diff --git a/crypto/pem/pem.h b/crypto/pem/pem.h -index d3b23fc..87b0b6a 100644 +index d3b23fc..5df6ffd 100644 --- a/crypto/pem/pem.h +++ b/crypto/pem/pem.h @@ -324,6 +324,7 @@ int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \ @@ -980,17 +978,16 @@ index d3b23fc..87b0b6a 100644 int i2d_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc, char *kstr, int klen, pem_password_cb *cb, void *u); -@@ -510,7 +514,7 @@ EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, +@@ -510,6 +514,7 @@ EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, int PEM_write_PKCS8PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc, char *kstr, int klen, pem_password_cb *cd, void *u); -- +#endif + EVP_PKEY *PEM_read_bio_Parameters(BIO *bp, EVP_PKEY **x); int PEM_write_bio_Parameters(BIO *bp, EVP_PKEY *x); - diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c -index a29821a..5525efd 100644 +index fe881d6..e25cc68 100644 --- a/crypto/pem/pem_lib.c +++ b/crypto/pem/pem_lib.c @@ -84,7 +84,7 @@ int pem_check_suffix(const char *pem_str, const char *suffix); @@ -1003,38 +1000,35 @@ index a29821a..5525efd 100644 * We should not ever call the default callback routine from windows. */ diff --git a/crypto/pem/pem_pk8.c b/crypto/pem/pem_pk8.c -index 5747c73..fe465cc 100644 +index 5747c73..9edca4d 100644 --- a/crypto/pem/pem_pk8.c +++ b/crypto/pem/pem_pk8.c -@@ -69,10 +69,12 @@ +@@ -69,9 +69,11 @@ static int do_pk8pkey(BIO *bp, EVP_PKEY *x, int isder, int nid, const EVP_CIPHER *enc, char *kstr, int klen, pem_password_cb *cb, void *u); -+ +#ifndef OPENSSL_NO_FP_API static int do_pk8pkey_fp(FILE *bp, EVP_PKEY *x, int isder, int nid, const EVP_CIPHER *enc, char *kstr, int klen, pem_password_cb *cb, void *u); -- +#endif + /* * These functions write a private key in PKCS#8 format: it is a "drop in" - * replacement for PEM_write_bio_PrivateKey() and friends. As usual if 'enc' diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c -index dc9b484..0bc3d43 100644 +index dc9b484..e75c4b2 100644 --- a/crypto/pkcs7/pk7_smime.c +++ b/crypto/pkcs7/pk7_smime.c -@@ -64,6 +64,9 @@ +@@ -64,6 +64,8 @@ #include <openssl/x509.h> #include <openssl/x509v3.h> -+ +#define BUFFERSIZE 4096 + static int pkcs7_copy_existing_digest(PKCS7 *p7, PKCS7_SIGNER_INFO *si); PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, -@@ -254,7 +257,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, +@@ -254,7 +256,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, STACK_OF(PKCS7_SIGNER_INFO) *sinfos; PKCS7_SIGNER_INFO *si; X509_STORE_CTX cert_ctx; @@ -1043,7 +1037,7 @@ index dc9b484..0bc3d43 100644 int i, j = 0, k, ret = 0; BIO *p7bio = NULL; BIO *tmpin = NULL, *tmpout = NULL; -@@ -373,8 +376,12 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, +@@ -373,8 +375,12 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, tmpout = out; /* We now have to 'read' from p7bio to calculate digests etc. */ @@ -1057,7 +1051,7 @@ index dc9b484..0bc3d43 100644 if (i <= 0) break; if (tmpout) -@@ -405,6 +412,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, +@@ -405,6 +411,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, ret = 1; err: @@ -1065,7 +1059,7 @@ index dc9b484..0bc3d43 100644 if (tmpin == indata) { if (indata) BIO_pop(p7bio); -@@ -523,7 +531,7 @@ int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags) +@@ -523,7 +530,7 @@ int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags) { BIO *tmpmem; int ret, i; @@ -1074,7 +1068,7 @@ index dc9b484..0bc3d43 100644 if (!p7) { PKCS7err(PKCS7_F_PKCS7_DECRYPT, PKCS7_R_INVALID_NULL_POINTER); -@@ -567,24 +575,29 @@ int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags) +@@ -567,24 +574,30 @@ int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags) } BIO_free_all(bread); return ret; @@ -1116,6 +1110,7 @@ index dc9b484..0bc3d43 100644 - BIO_free_all(tmpmem); - return ret; } ++ +err: + OPENSSL_free(buf); + BIO_free_all(tmpmem); @@ -1222,20 +1217,19 @@ index 4e06218..ddead3d 100644 const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = { { diff --git a/crypto/srp/srp.h b/crypto/srp/srp.h -index 028892a..713fc54 100644 +index 028892a..4ed4bfe 100644 --- a/crypto/srp/srp.h +++ b/crypto/srp/srp.h -@@ -119,8 +119,9 @@ DECLARE_STACK_OF(SRP_gN) +@@ -119,7 +119,9 @@ DECLARE_STACK_OF(SRP_gN) SRP_VBASE *SRP_VBASE_new(char *seed_key); int SRP_VBASE_free(SRP_VBASE *vb); +#ifndef OPENSSL_NO_STDIO int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file); -- +#endif + /* This method ignores the configured seed and fails for an unknown user. */ SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username); - /* NOTE: unlike in SRP_VBASE_get_by_user, caller owns the returned pointer.*/ diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index 26ad3e0..6be4cf2 100644 --- a/crypto/srp/srp_vfy.c @@ -1950,7 +1944,7 @@ index f6b3ff2..1dcbe36 100755 SEED,- SHA,- diff --git a/ssl/d1_both.c b/ssl/d1_both.c -index d1fc716..d5f661a 100644 +index 5d26c94..ee3f49b 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -1053,7 +1053,7 @@ int dtls1_send_change_cipher_spec(SSL *s, int a, int b) @@ -2002,15 +1996,14 @@ index 35cc27c..a1f5335 100644 } else { ret->sid_ctx_length = os.length; diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c -index a73f866..d534c0a 100644 +index f48ebae..ac4f08c 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c -@@ -855,12 +855,13 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x) +@@ -857,12 +857,12 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x) return (add_client_CA(&(ctx->client_CA), x)); } +#ifndef OPENSSL_NO_STDIO -+ static int xname_cmp(const X509_NAME *const *a, const X509_NAME *const *b) { return (X509_NAME_cmp(*a, *b)); @@ -2020,7 +2013,7 @@ index a73f866..d534c0a 100644 /** * Load CA certs from a file into a ::STACK. Note that it is somewhat misnamed; * it doesn't really have anything to do with clients (except that a common use -@@ -928,7 +929,6 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) +@@ -930,7 +930,6 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) ERR_clear_error(); return (ret); } @@ -2028,7 +2021,7 @@ index a73f866..d534c0a 100644 /** * Add a file of certs to a stack. -@@ -1048,6 +1048,7 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, +@@ -1050,6 +1049,7 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, CRYPTO_w_unlock(CRYPTO_LOCK_READDIR); return ret; } @@ -2108,7 +2101,7 @@ index baa3b59..1ee3f02 100644 if ($? == 0) { diff --git a/util/libeay.num b/util/libeay.num -index e5b3c6e..8d4185c 100755 +index 2094ab3..992abb2 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -4370,7 +4370,7 @@ DH_compute_key_padded 4732 EXIST::FUNCTION:DH @@ -2121,7 +2114,7 @@ index e5b3c6e..8d4185c 100755 EVP_des_ede3_wrap 4737 EXIST::FUNCTION:DES RSA_OAEP_PARAMS_it 4738 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RSA diff --git a/util/mkdef.pl b/util/mkdef.pl -index c57c7f7..d4c3386 100755 +index b9b159a..9841498 100755 --- a/util/mkdef.pl +++ b/util/mkdef.pl @@ -97,6 +97,8 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF", @@ -2133,7 +2126,7 @@ index c57c7f7..d4c3386 100755 # RFC3779 "RFC3779", # TLS -@@ -142,7 +144,7 @@ my $no_md2; my $no_md4; my $no_md5; my $no_sha; my $no_ripemd; my $no_mdc2; +@@ -144,7 +146,7 @@ my $no_md2; my $no_md4; my $no_md5; my $no_sha; my $no_ripemd; my $no_mdc2; my $no_rsa; my $no_dsa; my $no_dh; my $no_hmac=0; my $no_aes; my $no_krb5; my $no_ec; my $no_ecdsa; my $no_ecdh; my $no_engine; my $no_hw; my $no_fp_api; my $no_static_engine=1; my $no_gmp; my $no_deprecated; @@ -2141,8 +2134,8 @@ index c57c7f7..d4c3386 100755 +my $no_sct; my $no_rfc3779; my $no_psk; my $no_tlsext; my $no_cms; my $no_capieng; my $no_jpake; my $no_srp; my $no_ssl2; my $no_ec2m; my $no_nistp_gcc; my $no_nextprotoneg; my $no_sctp; my $no_srtp; my $no_ssl_trace; - my $no_unit_test; my $no_ssl3_method; -@@ -233,6 +235,7 @@ foreach (@ARGV, split(/ /, $options)) + my $no_unit_test; my $no_ssl3_method; my $no_ssl2_method; +@@ -235,6 +237,7 @@ foreach (@ARGV, split(/ /, $options)) elsif (/^no-engine$/) { $no_engine=1; } elsif (/^no-hw$/) { $no_hw=1; } elsif (/^no-gmp$/) { $no_gmp=1; } @@ -2150,7 +2143,7 @@ index c57c7f7..d4c3386 100755 elsif (/^no-rfc3779$/) { $no_rfc3779=1; } elsif (/^no-tlsext$/) { $no_tlsext=1; } elsif (/^no-cms$/) { $no_cms=1; } -@@ -1206,6 +1209,7 @@ sub is_valid +@@ -1209,6 +1212,7 @@ sub is_valid if ($keyword eq "FP_API" && $no_fp_api) { return 0; } if ($keyword eq "STATIC_ENGINE" && $no_static_engine) { return 0; } if ($keyword eq "GMP" && $no_gmp) { return 0; } diff --git a/CryptoPkg/Library/OpensslLib/Install.cmd b/CryptoPkg/Library/OpensslLib/Install.cmd index 51e5414..83d04d7 100755 --- a/CryptoPkg/Library/OpensslLib/Install.cmd +++ b/CryptoPkg/Library/OpensslLib/Install.cmd @@ -1,4 +1,4 @@ -cd openssl-1.0.2g +cd openssl-1.0.2h copy ..\opensslconf.h crypto if not exist include\openssl mkdir include\openssl copy e_os2.h include\openssl diff --git a/CryptoPkg/Library/OpensslLib/Install.sh b/CryptoPkg/Library/OpensslLib/Install.sh index 06f1dcd..95963ff 100755 --- a/CryptoPkg/Library/OpensslLib/Install.sh +++ b/CryptoPkg/Library/OpensslLib/Install.sh @@ -1,6 +1,6 @@ #!/bin/sh -cd openssl-1.0.2g +cd openssl-1.0.2h cp ../opensslconf.h crypto mkdir -p include/openssl cp e_os2.h include/openssl diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf index 8757100..361d30e 100644 --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf @@ -20,7 +20,7 @@ [Defines] MODULE_TYPE = BASE VERSION_STRING = 1.0 LIBRARY_CLASS = OpensslLib - DEFINE OPENSSL_PATH = openssl-1.0.2g + DEFINE OPENSSL_PATH = openssl-1.0.2h DEFINE OPENSSL_FLAGS = -DL_ENDIAN -DOPENSSL_SMALL_FOOTPRINT -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE # diff --git a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt index 7db1451..f836736 100644 --- a/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt +++ b/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt @@ -17,36 +17,36 @@ cryptography. This patch will enable openssl building under UEFI environment. ================================================================================ OpenSSL-Version ================================================================================ - Current supported OpenSSL version for UEFI Crypto Library is 1.0.2g. - http://www.openssl.org/source/openssl-1.0.2g.tar.gz + Current supported OpenSSL version for UEFI Crypto Library is 1.0.2h. + http://www.openssl.org/source/openssl-1.0.2h.tar.gz ================================================================================ HOW to Install Openssl for UEFI Building ================================================================================ -1. Download OpenSSL 1.0.2g from official website: - http://www.openssl.org/source/openssl-1.0.2g.tar.gz +1. Download OpenSSL 1.0.2h from official website: + http://www.openssl.org/source/openssl-1.0.2h.tar.gz - NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2g.tar.tar. - When you do the download, rename the "openssl-1.0.2g.tar.tar" to - "openssl-1.0.2g.tar.gz" or rename the local downloaded file with ".tar.tar" + NOTE: Some web browsers may rename the downloaded TAR file to openssl-1.0.2h.tar.tar. + When you do the download, rename the "openssl-1.0.2h.tar.tar" to + "openssl-1.0.2h.tar.gz" or rename the local downloaded file with ".tar.tar" extension to ".tar.gz". -2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2g +2. Extract TAR into CryptoPkg/Library/OpenSslLib/openssl-1.0.2h NOTE: If you use WinZip to unpack the openssl source in Windows, please uncheck the WinZip smart CR/LF conversion option (WINZIP: Options --> Configuration --> Miscellaneous --> "TAR file smart CR/LF conversion"). -3. Apply this patch: EDKII_openssl-1.0.2g.patch, and make installation +3. Apply this patch: EDKII_openssl-1.0.2h.patch, and make installation For Windows Environment: ------------------------ 1) Make sure the patch utility has been installed in your machine. Install Cygwin or get the patch utility binary from http://gnuwin32.sourceforge.net/packages/patch.htm - 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2g - 3) patch -p1 -i ..\EDKII_openssl-1.0.2g.patch + 2) cd $(WORKSPACE)\CryptoPkg\Library\OpensslLib\openssl-1.0.2h + 3) patch -p1 -i ..\EDKII_openssl-1.0.2h.patch 4) cd .. 5) Install.cmd @@ -54,8 +54,8 @@ cryptography. This patch will enable openssl building under UEFI environment. ----------------------- 1) Make sure the patch utility has been installed in your machine. Patch utility is available from http://directory.fsf.org/project/patch/ - 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2g - 3) patch -p1 -i ../EDKII_openssl-1.0.2g.patch + 2) cd $(WORKSPACE)/CryptoPkg/Library/OpensslLib/openssl-1.0.2h + 3) patch -p1 -i ../EDKII_openssl-1.0.2h.patch 4) cd .. 5) ./Install.sh -- 2.9.2 ++++++ ovmf-bsc990773-remove-stale-boot-options.patch ++++++ >From 2eb358986052bd0104f6d16fbeb0a450658256fc Mon Sep 17 00:00:00 2001 From: Laszlo Ersek <[email protected]> Date: Fri, 8 Jul 2016 02:49:45 +0200 Subject: [PATCH] OvmfPkg/PlatformBootManagerLib: remove stale FvFile boot options Removes any boot options that point to binaries built into the firmware and have become stale due to any of the following: - DXEFV's base address or size changed (historical), - DXEFV's FvNameGuid changed, - the FILE_GUID of the pointed-to binary changed, - the referenced binary is no longer built into the firmware. For example, multiple such "EFI Internal Shell" boot options can coexist. They technically differ from each other, but may not describe any built-in shell binary exactly. Such options can accumulate in a varstore over time, and while they remain generally bootable (thanks to the efforts of BmGetFileBufferByFvFilePath()), they look bad. Filter out any stale options. This functionality is not added to QemuBootOrderLib, because it is independent from QEMU and fw_cfg. Cc: Ard Biesheuvel <[email protected]> Cc: Gary Lin <[email protected]> Cc: Jordan Justen <[email protected]> Cc: Ruiyu Ni <[email protected]> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Laszlo Ersek <[email protected]> Reviewed-by: Jordan Justen <[email protected]> --- .../Library/PlatformBootManagerLib/BdsPlatform.c | 130 +++++++++++++++++++++ .../PlatformBootManagerLib.inf | 1 + 2 files changed, 131 insertions(+) Index: ovmf-2015+git1462940744.321151f/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c =================================================================== --- ovmf-2015+git1462940744.321151f.orig/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c +++ ovmf-2015+git1462940744.321151f/OvmfPkg/Library/PlatformBootManagerLib/BdsPlatform.c @@ -15,6 +15,7 @@ #include "BdsPlatform.h" #include <Guid/XenInfo.h> #include <Guid/RootBridgesConnectedEventGroup.h> +#include <Protocol/FirmwareVolume2.h> // @@ -149,6 +150,134 @@ PlatformRegisterFvBootOption ( EfiBootManagerFreeLoadOptions (BootOptions, BootOptionCount); } +/** + Remove all MemoryMapped(...)/FvFile(...) and Fv(...)/FvFile(...) boot options + whose device paths do not resolve exactly to an FvFile in the system. + + This removes any boot options that point to binaries built into the firmware + and have become stale due to any of the following: + - DXEFV's base address or size changed (historical), + - DXEFV's FvNameGuid changed, + - the FILE_GUID of the pointed-to binary changed, + - the referenced binary is no longer built into the firmware. + + EfiBootManagerFindLoadOption() used in PlatformRegisterFvBootOption() only + avoids exact duplicates. +**/ +VOID +RemoveStaleFvFileOptions ( + VOID + ) +{ + EFI_BOOT_MANAGER_LOAD_OPTION *BootOptions; + UINTN BootOptionCount; + UINTN Index; + + BootOptions = EfiBootManagerGetLoadOptions (&BootOptionCount, + LoadOptionTypeBoot); + + for (Index = 0; Index < BootOptionCount; ++Index) { + EFI_DEVICE_PATH_PROTOCOL *Node1, *Node2, *SearchNode; + EFI_STATUS Status; + EFI_HANDLE FvHandle; + + // + // If the device path starts with neither MemoryMapped(...) nor Fv(...), + // then keep the boot option. + // + Node1 = BootOptions[Index].FilePath; + if (!(DevicePathType (Node1) == HARDWARE_DEVICE_PATH && + DevicePathSubType (Node1) == HW_MEMMAP_DP) && + !(DevicePathType (Node1) == MEDIA_DEVICE_PATH && + DevicePathSubType (Node1) == MEDIA_PIWG_FW_VOL_DP)) { + continue; + } + + // + // If the second device path node is not FvFile(...), then keep the boot + // option. + // + Node2 = NextDevicePathNode (Node1); + if (DevicePathType (Node2) != MEDIA_DEVICE_PATH || + DevicePathSubType (Node2) != MEDIA_PIWG_FW_FILE_DP) { + continue; + } + + // + // Locate the Firmware Volume2 protocol instance that is denoted by the + // boot option. If this lookup fails (i.e., the boot option references a + // firmware volume that doesn't exist), then we'll proceed to delete the + // boot option. + // + SearchNode = Node1; + Status = gBS->LocateDevicePath (&gEfiFirmwareVolume2ProtocolGuid, + &SearchNode, &FvHandle); + + if (!EFI_ERROR (Status)) { + // + // The firmware volume was found; now let's see if it contains the FvFile + // identified by GUID. + // + EFI_FIRMWARE_VOLUME2_PROTOCOL *FvProtocol; + MEDIA_FW_VOL_FILEPATH_DEVICE_PATH *FvFileNode; + UINTN BufferSize; + EFI_FV_FILETYPE FoundType; + EFI_FV_FILE_ATTRIBUTES FileAttributes; + UINT32 AuthenticationStatus; + + Status = gBS->HandleProtocol (FvHandle, &gEfiFirmwareVolume2ProtocolGuid, + (VOID **)&FvProtocol); + ASSERT_EFI_ERROR (Status); + + FvFileNode = (MEDIA_FW_VOL_FILEPATH_DEVICE_PATH *)Node2; + // + // Buffer==NULL means we request metadata only: BufferSize, FoundType, + // FileAttributes. + // + Status = FvProtocol->ReadFile ( + FvProtocol, + &FvFileNode->FvFileName, // NameGuid + NULL, // Buffer + &BufferSize, + &FoundType, + &FileAttributes, + &AuthenticationStatus + ); + if (!EFI_ERROR (Status)) { + // + // The FvFile was found. Keep the boot option. + // + continue; + } + } + + // + // Delete the boot option. + // + Status = EfiBootManagerDeleteLoadOptionVariable ( + BootOptions[Index].OptionNumber, LoadOptionTypeBoot); + DEBUG_CODE ( + CHAR16 *DevicePathString; + + DevicePathString = ConvertDevicePathToText(BootOptions[Index].FilePath, + FALSE, FALSE); + DEBUG (( + EFI_ERROR (Status) ? EFI_D_WARN : EFI_D_VERBOSE, + "%a: removing stale Boot#%04x %s: %r\n", + __FUNCTION__, + (UINT32)BootOptions[Index].OptionNumber, + DevicePathString == NULL ? L"<unavailable>" : DevicePathString, + Status + )); + if (DevicePathString != NULL) { + FreePool (DevicePathString); + } + ); + } + + EfiBootManagerFreeLoadOptions (BootOptions, BootOptionCount); +} + VOID PlatformRegisterOptionsAndKeys ( VOID @@ -1342,6 +1471,7 @@ Routine Description: PcdGetPtr (PcdShellFile), L"EFI Internal Shell", LOAD_OPTION_ACTIVE ); + RemoveStaleFvFileOptions (); SetBootOrderFromQemu (NULL); } Index: ovmf-2015+git1462940744.321151f/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf =================================================================== --- ovmf-2015+git1462940744.321151f.orig/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf +++ ovmf-2015+git1462940744.321151f/OvmfPkg/Library/PlatformBootManagerLib/PlatformBootManagerLib.inf @@ -77,6 +77,7 @@ gEfiDxeSmmReadyToLockProtocolGuid # PROTOCOL SOMETIMES_PRODUCED gEfiOEMBadgingProtocolGuid # PROTOCOL SOMETIMES_PRODUCED gEfiLoadedImageProtocolGuid # PROTOCOL SOMETIMES_PRODUCED + gEfiFirmwareVolume2ProtocolGuid # PROTOCOL SOMETIMES_CONSUMED [Guids] gEfiXenInfoGuid
