Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2021-06-02 22:10:23 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.1898 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim" Wed Jun 2 22:10:23 2021 rev:96 rq:895435 version:15.4 Changes: -------- --- /work/SRC/openSUSE:Factory/shim/shim.changes 2021-05-08 22:07:24.353745628 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.1898/shim.changes 2021-06-02 22:10:28.152127832 +0200 @@ -1,0 +2,15 @@ +Wed May 19 01:07:43 UTC 2021 - Gary Ching-Pang Lin <g...@suse.com> + +- shim-install: instead of assuming "removable" for Azure, remove + fallback.efi from \EFI\Boot and copy grub.efi/cfg to \EFI\Boot + to make \EFI\Boot bootable and keep the boot option created by + efibootmgr (bsc#1185464, bsc#1185961) + +------------------------------------------------------------------- +Tue May 11 02:57:14 UTC 2021 - Gary Ching-Pang Lin <g...@suse.com> + +- Add shim-bsc1185261-relax-import_mok_state-check.patch to relax + the check for import_mok_state() when Secure Boot is off. + (bsc#1185261) + +------------------------------------------------------------------- New: ---- shim-bsc1185261-relax-import_mok_state-check.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shim.spec ++++++ --- /var/tmp/diff_new_pack.QbU0Hm/_old 2021-06-02 22:10:29.016127762 +0200 +++ /var/tmp/diff_new_pack.QbU0Hm/_new 2021-06-02 22:10:29.020127761 +0200 @@ -81,6 +81,8 @@ Patch7: shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch # PATCH-FIX-UPSTREAM shim-bsc1185621-relax-max-var-sz-check.patch bsc#1185621 g...@suse.com -- Relax the maximum variable size check for u-boot Patch8: shim-bsc1185621-relax-max-var-sz-check.patch +# PATCH-FIX-UPSTREAM shim-bsc1185261-relax-import_mok_state_check.patch bsc#1185261 g...@suse.com -- Relax the check for import_mok_state() when Secure Boot is off +Patch9: shim-bsc1185261-relax-import_mok_state-check.patch BuildRequires: dos2unix BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 @@ -127,6 +129,7 @@ %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 %build # generate the vendor SBAT metadata ++++++ shim-bsc1185261-relax-import_mok_state-check.patch ++++++ >From 3e33205b9c957624df7e30a2e5e2847f23d37989 Mon Sep 17 00:00:00 2001 From: Gary Lin <g...@suse.com> Date: Tue, 11 May 2021 10:41:43 +0800 Subject: [PATCH] Relax the check for import_mok_state() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit An openSUSE user reported(*) that shim 15.4 failed to boot the system with the following message: "Could not create MokListXRT: Out of Resources" In the beginning, I thought it's caused by the growing size of vendor-dbx. However, we found the following messages after set SHIM_VERBOSE: max_var_sz:8000 remaining_sz:85EC max_storage_sz:9000 SetVariable(???MokListXRT???, ... varsz=0x1404) = Out of Resources Even though the firmware claimed the remaining storage size is 0x85EC, it still rejected MokListXRT with size 0x1404. It seems that the return values from QueryVariableInfo() are not reliable. Since this firmware didn't really support Secure Boot, the variable mirroring is not so critical, so we can just accept the failure of import_mok_state() and continue boot. (*) https://bugzilla.suse.com/show_bug.cgi?id=1185261 Signed-off-by: Gary Lin <g...@suse.com> --- shim.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/shim.c b/shim.c index c5cfbb83..d38ae2f0 100644 --- a/shim.c +++ b/shim.c @@ -1973,10 +1973,13 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab) * boot-services-only state variables are what we think they are. */ efi_status = import_mok_state(image_handle); - if (!secure_mode() && efi_status == EFI_INVALID_PARAMETER) { + if (!secure_mode() && + (efi_status == EFI_INVALID_PARAMETER || + efi_status == EFI_OUT_OF_RESOURCES)) { /* * Make copy failures fatal only if secure_mode is enabled, or - * the error was anything else than EFI_INVALID_PARAMETER. + * the error was anything else than EFI_INVALID_PARAMETER or + * EFI_OUT_OF_RESOURCES. * There are non-secureboot firmware implementations that don't * reserve enough EFI variable memory to fit the variable. */ -- 2.31.1 ++++++ shim-install ++++++ --- /var/tmp/diff_new_pack.QbU0Hm/_old 2021-06-02 22:10:29.120127753 +0200 +++ /var/tmp/diff_new_pack.QbU0Hm/_new 2021-06-02 22:10:29.120127753 +0200 @@ -221,15 +221,6 @@ esac done -# bsc#1185464 -# The Azure firmware doesn't respect the boot option created by either -# efibootmgr or fallback.efi so we have to skip the installation of -# fallback.efi to avoid the endless reset loop. -if is_azure; then - no_nvram=yes - removable=yes -fi - if test -n "$efidir"; then efi_fs=`"$grub_probe" --target=fs "${efidir}"` if test "x$efi_fs" = xfat; then :; else @@ -441,3 +432,22 @@ fi fi +# bsc#1185464 bsc#1185961 +# The Azure firmware sometimes doesn't respect the boot option created by +# either efibootmgr or fallback.efi so we have to remove fallback.efi to +# avoid the endless reset loop. +if is_azure; then + # Skip the workaround if we don't own \EFI\Boot or the removable + # option is used + if test "$update_boot" = "yes" && test "$removable" = "no"; then + # Remove fallback.efi which could cause the reset loop in Azure + rm -f "${efibootdir}/fallback.efi" + # Remove the older grub binary and config + rm -f "${efibootdir}/grub.efi" + rm -f "${efibootdir}/grub.cfg" + # Install new grub binary and config file to \EFI\Boot as + # the "removable" option + cp "${efidir}/grub.cfg" "${efibootdir}/grub.cfg" + cp "${efidir}/grub.efi" "${efibootdir}/grub.efi" + fi +fi
