Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in at 2022-06-29 16:00:19
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and /work/SRC/openSUSE:Factory/.shim.new.1548 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim" Wed Jun 29 16:00:19 2022 rev:100 rq:985419 version:15.6 Changes: -------- --- /work/SRC/openSUSE:Factory/shim/shim.changes 2021-07-04 22:09:59.417578323 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.1548/shim.changes 2022-06-29 16:00:23.488538457 +0200 
@@ -1,0 +2,156 @@ +Tue Jun 28 04:03:45 UTC 2022 - Joey Lee <j...@suse.com> + +- Update to 15.6 (bsc#1198458) + - shim-15.6.tar.bz2 is downloaded from bsc#1198458#c76 + which is from upstream grub2.cve_2021_3695.ms keybase channel. + - For building 15.6~rc1 aarch64 image (d6eb9c6 Modernize aarch64), objcopy needs to + support efi-app-aarch64 target. So we need the following patches in bintuils: + - binutils-AArch64-Add-support-for-AArch64-EFI-efi-aarch64.patch + b69c9d41e8 AArch64: Add support for AArch64 EFI (efi-*-aarch64). + - binutils-Re-AArch64-Add-support-for-AArch64-EFI-efi-aarch64.patch + 32384aa396 Re: AArch64: Add support for AArch64 EFI (efi-*-aarch64) + - binutils-Re-Add-support-for-AArch64-EFI-efi-aarch64.patch + d91c67e873 Re: Add support for AArch64 EFI (efi-*-aarch64) + - Patches (git log --oneline --reverse 15.5~..77144e5a4) + 448f096 MokManager: removed Locate graphic output protocol fail error message (bsc#1193315, bsc#1198458) + a2da05f shim: implement SBAT verification for the shim_lock protocol + bda03b8 post-process-pe: Fix a missing return code check + af18810 CI: don't cancel testing when one fails + ba580f9 CI: remove EOL Fedoras from github actions + bfeb4b3 Remove aarch64 build tests before f35 + 38cc646 CI: Add f36 and centos9 CI build tests. + b5185cb post-process-pe: Fix format string warnings on 32-bit platforms + 31094e5 tests: also look for system headers in multi-arch directories + 4df989a mock-variables.c: fix gcc warning + 6aac595 test-str.c: fix gcc warnings with FORTIFY_SOURCE enabled + 2670c6a Allow MokListTrusted to be enabled by default + 5c44aaf Add code of conduct + d6eb9c6 Modernize aarch64 + 9af50c1 Use ASCII as fallback if Unicode Box Drawing characters fail + de87985 make: don't treat cert.S specially + 803dc5c shim: use SHIM_DEVEL_VERBOSE when built in devel mode + 6402f1f SBAT matching: Break out of the inner sbat loop if we find the entry. 
+ bb4b60e Add verify_image + acfd48f Abstract out image reading + 35d7378 Load additional certs from a signed binary + 8ce2832 post-process-pe: there is no 's' argument. + 465663e Add some missing PE image flag definitions + 226fee2 PE Loader: support and require NX + df96f48 Add MokPolicy variable and MOK_POLICY_REQUIRE_NX + b104fc4 post-process-pe: set EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT + f81a7cc SBAT revocation management + abe41ab make: unbreak scan-build again for gnu-efi + 610a1ac sbat.h: minor reformatting for legibility + f28833f peimage.h: make our signature macros force the type + 5d789ca Always initialize data/datasize before calling read_image() + a50d364 sbat policy: make our policy change actions symbolic + 5868789 load_certs: trust dir->Read() slightly less. + a78673b mok.c: fix a trivial dead assignment + 759f061 Fix preserve_sbat_uefi_variable() logic + aa61fdf Give the Coverity scanner some more GCC blinders... + 0214cd9 load_cert_file(): don't defererence NULL + 1eca363 mok import: handle OOM case + 75449bc sbat: Make nth_sbat_field() honor the size limit + c0bcd04 shim-15.6~rc1 + 77144e5 SBAT Policy latest should be a one-shot + - 15.5 release note https://github.com/rhboot/shim/releases + Broken ia32 relocs and an unimportant submodule change. by @vathpela in #357 + mok: allocate MOK config table as BootServicesData by @lcp in #361 + Don't call QueryVariableInfo() on EFI 1.10 machines by @vathpela in #364 + Relax the check for import_mok_state() by @lcp in #372 + SBAT.md: trivial changes by @hallyn in #389 + shim: another attempt to fix load options handling by @chrisccoulson in #379 + Add tests for our load options parsing. 
by @vathpela in #390 + arm/aa64: fix the size of .rela* sections by @lcp in #383 + mok: fix potential buffer overrun in import_mok_state by @jyong2 in #365 + mok: relax the maximum variable size check by @lcp in #369 + Don't unhook ExitBootServices when EBS protection is disabled by @sforshee in #378 + fallback: find_boot_option() needs to return the index for the boot entry in optnum by @jsetje in #396 + httpboot: Ignore case when checking HTTP headers by @frozencemetery in #403 + Fallback allocation errors by @vathpela in #402 + shim: avoid BOOTx64.EFI in message on other architectures by @xypron in #406 + str: remove duplicate parameter check by @xypron in #408 + fallback: add compile option FALLBACK_NONINTERACTIVE by @xnox in #359 + Test mok mirror by @vathpela in #394 + Modify sbat.md to help with readability. by @eshiman in #398 + csv: detect end of csv file correctly by @xypron in #404 + Specify that the .sbat section is ASCII not UTF-8 by @daxtens in #413 + tests: add "include-fixed" GCC directory to include directories by @diabonas in #415 + pe: simplify generate_hash() by @xypron in #411 + Don't make shim abort when TPM log event fails (RHBZ #2002265) by @rmetrich in #414 + Fallback to default loader if parsed one does not exist by @julian-klode in #393 + fallback: Fix for BootOrder crash when index returned by find_boot_option() is not in current BootOrder list by @rmetrich in #422 + Better console checks by @vathpela in #416 + docs: update SBAT UEFI variable name by @nicholasbishop in #421 + Don't parse load options if invoked from removable media path by @julian-klode in #399 + fallback: fix fallback not passing arguments of the first boot option by @martinezjavier in #433 + shim: Don't stop forever at "Secure Boot not enabled" notification by @rmetrich in #438 + Shim 15.5 coverity by @vathpela in #439 + Allocate mokvar table in runtime memory. 
by @vathpela in #447 + Remove post-process-pe on 'make clean' by @vathpela in #448 + pe: missing perror argument by @xypron in #443 + - Drop upstreamed patch: + - shim-bsc1184454-allocate-mok-config-table-BS.patch + - Allocate MOK config table as BootServicesData to avoid the error message + from linux kernel + - 4068fd42c8 15.5-rc1~70 + - shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch + - Handle ignore_db and user_insecure_mode correctly + - 822d07ad4f07 15.5-rc1~73 + - shim-bsc1185621-relax-max-var-sz-check.patch + - Relax the maximum variable size check for u-boot + - 3f327f546c219634b2 15.5-rc1~49 + - shim-bsc1185261-relax-import_mok_state-check.patch + - Relax the check for import_mok_state() when Secure Boot is off + - 9f973e4e95b113 15.5-rc1~67 + - shim-bsc1185232-relax-loadoptions-length-check.patch + - Relax the check for the LoadOptions length + - ada7ff69bd8a95 15.5-rc1~52 + - shim-fix-aa64-relsz.patch + - Fix the size of rela* sections for AArch64 + - 34e3ef205c5d65 15.5-rc1~51 + - shim-bsc1187260-fix-efi-1.10-machines.patch + - Don't call QueryVariableInfo() on EFI 1.10 machines + - 493bd940e5 15.5-rc1~69 + - shim-bsc1185232-fix-config-table-copying.patch + - Avoid buffer overflow when copying the MOK config table + - 7501b6bb44 15.5-rc1~50 + - shim-bsc1187696-avoid-deleting-rt-variables.patch + - Avoid deleting the mirrored RT variables + - b1fead0f7c9 15.5-rc1~37 + - Add "rm -f *.o" after building MokManager/fallback in shim.spec + to make sure all object files gets rebuilt + - reference: https://github.com/rhboot/shim/pull/461 +- The following fix-CVE-2022-28737-v6 patches against bsc#1198458 are included + in shim-15.6.tar.bz2 + - shim-bsc1198458-pe-Fix-a-buffer-overflow-when-SizeOfRawData-VirtualS.patch + pe: Fix a buffer overflow when SizeOfRawData VirtualSize + - shim-bsc1198458-pe-Perform-image-verification-earlier-when-loading-g.patch + pe: Perform image verification earlier when loading grub + - 
shim-bsc1198458-Update-advertised-sbat-generation-number-for-shim.patch + Update advertised sbat generation number for shim + - shim-bsc1198458-Update-SBAT-generation-requirements-for-05-24-22.patch + Update SBAT generation requirements for 05/24/22 + - shim-bsc1198458-Also-avoid-CVE-2022-28737-in-verify_image.patch + Also avoid CVE-2022-28737 in verify_image() + - 0006-shim-15.6-rc2.patch + - 0007-sbat-add-the-parsed-SBAT-variable-entries-to-the-deb.patch + sbat: add the parsed SBAT variable entries to the debug log + - 0008-bump-version-to-shim-15.6.patch +- Add mokutil command to post script for setting sbat policy to latest mode + when the SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23 is not created. + (bsc#1198458) +- Add shim-bsc1198101-opensuse-cert-prompt.patch back to openSUSE shim to + show the prompt to ask whether the user trusts openSUSE certificate or not + (bsc#1198101) +- Updated vendor dbx binary and script (bsc#1198458) + - Updated dbx-cert.tar.xz and vendor-dbx-sles.bin for adding + SLES-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list. + - Updated dbx-cert.tar.xz and vendor-dbx-opensuse.bin for adding + openSUSE-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list. + - Updated vendor-dbx.bin for adding SLES-UEFI-SIGN-Certificate-2021-05.crt + and openSUSE-UEFI-SIGN-Certificate-2021-05.crt for testing environment. + - Updated generate-vendor-dbx.sh script for generating a vendor-dbx.bin + file which includes all .der for testing environment. 
+ +------------------------------------------------------------------- Old: ---- shim-15.4.tar.bz2 shim-bsc1184454-allocate-mok-config-table-BS.patch shim-bsc1185232-fix-config-table-copying.patch shim-bsc1185232-relax-loadoptions-length-check.patch shim-bsc1185261-relax-import_mok_state-check.patch shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch shim-bsc1185621-relax-max-var-sz-check.patch shim-bsc1187260-fix-efi-1.10-machines.patch shim-bsc1187696-avoid-deleting-rt-variables.patch shim-fix-aa64-relsz.patch New: ---- shim-15.6.tar.bz2 shim-bsc1198101-opensuse-cert-prompt.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shim.spec ++++++ --- /var/tmp/diff_new_pack.gM1sgh/_old 2022-06-29 16:00:24.356539765 +0200 +++ /var/tmp/diff_new_pack.gM1sgh/_new 2022-06-29 16:00:24.360539770 +0200 @@ -36,7 +36,7 @@ %endif Name: shim -Version: 15.4 +Version: 15.6 Release: 0 Summary: UEFI shim loader License: BSD-2-Clause 
@@ -75,26 +75,10 @@ Patch4: shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch # PATCH-FIX-SUSE remove_build_id.patch -- Remove the build ID to make the binary reproducible when building with AArch64 container Patch5: remove_build_id.patch -# PATCH-FIX-UPSTREAM shim-bsc1184454-allocate-mok-config-table-BS.patch bsc#1184454 g...@suse.com -- Allocate MOK config table as BootServicesData to avoid the error message from linux kernel -Patch6: shim-bsc1184454-allocate-mok-config-table-BS.patch -# PATCH-FIX-UPSTREAM shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch bsc#1184454 g...@suse.com -- Handle ignore_db and user_insecure_mode correctly -Patch7: shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch -# PATCH-FIX-UPSTREAM shim-bsc1185621-relax-max-var-sz-check.patch bsc#1185621 g...@suse.com -- Relax the maximum variable size check for u-boot -Patch8: shim-bsc1185621-relax-max-var-sz-check.patch -# PATCH-FIX-UPSTREAM shim-bsc1185261-relax-import_mok_state_check.patch bsc#1185261 g...@suse.com -- Relax the check for import_mok_state() when Secure Boot is off -Patch9: shim-bsc1185261-relax-import_mok_state-check.patch -# PATCH-FIX-UPSTREAM shim-bsc1185232-relax-loadoptions-length-check.patch bsc#1185232 g...@suse.com -- Relax the check for the LoadOptions length -Patch10: shim-bsc1185232-relax-loadoptions-length-check.patch -# PATCH-FIX-UPSTREAM shim-fix-aa64-relsz.patch g...@suse.com -- Fix the size of rela* sections for AArch64 -Patch11: shim-fix-aa64-relsz.patch # PATCH-FIX-SUSE shim-disable-export-vendor-dbx.patch bsc#1185261 g...@suse.com -- Disable exporting vendor-dbx to MokListXRT -Patch12: shim-disable-export-vendor-dbx.patch -# PATCH-FIX-UPSTREAM shim-bsc1187260-fix-efi-1.10-machines.patch bsc#1187260 g...@suse.com -- Don't call QueryVariableInfo() on EFI 1.10 machines -Patch13: shim-bsc1187260-fix-efi-1.10-machines.patch -# PATCH-FIX-UPSTREAM shim-bsc1185232-fix-config-table-copying.patch bsc#1185232 
g...@suse.com -- Avoid buffer overflow when copying the MOK config table -Patch14: shim-bsc1185232-fix-config-table-copying.patch -# PATCH-FIX-UPSTREAM shim-bsc1187696-avoid-deleting-rt-variables.patch bsc#1187696 g...@suse.com -- Avoid deleting the mirrored RT variables -Patch15: shim-bsc1187696-avoid-deleting-rt-variables.patch +Patch6: shim-disable-export-vendor-dbx.patch +# PATCH-FIX-OPENSUSE shim-bsc1198101-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not +Patch100: shim-bsc1198101-opensuse-cert-prompt.patch BuildRequires: dos2unix BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 @@ -111,6 +95,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build # For shim-install script Requires: grub2-%{grubplatform} +Requires: mokutil ExclusiveArch: x86_64 aarch64 %description @@ -139,15 +124,7 @@ %patch4 -p1 %patch5 -p1 %patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 +%patch100 -p1 %build # generate the vendor SBAT metadata @@ -168,6 +145,8 @@ MMSTEM=MokManager FBSTEM=fallback \ MokManager.efi.debug fallback.efi.debug \ MokManager.efi fallback.efi +# make sure all object files gets rebuilt +rm -f *.o # now build variants of shim that embed different certificates default='' 
@@ -318,6 +297,22 @@ /sbin/update-bootloader --reinit || true %endif +# copy from kernel-scriptlets/cert-script +is_efi () { + local msg rc=0 +# The below statement fails if mokutil isn't installed or UEFI is unsupported. +# It doesn't fail if UEFI is available but secure boot is off. + msg="$(mokutil --sb-state 2>&1)" || rc=$? + return $rc +} +# run mokutil for setting sbat policy to latest mode +SBAT_POLICY=/sys/firmware/efi/efivars/SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23 +if is_efi; then + if [ ! -f "$SBAT_POLICY" ]; then + mokutil --set-sbat-policy latest + fi +fi + %if %{defined update_bootloader_posttrans} %posttrans %{?update_bootloader_posttrans} ++++++ dbx-cert.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dbx-cert/SLES-UEFI-SIGN-Certificate-2021-05.crt new/dbx-cert/SLES-UEFI-SIGN-Certificate-2021-05.crt --- old/dbx-cert/SLES-UEFI-SIGN-Certificate-2021-05.crt 1970-01-01 01:00:00.000000000 +0100 +++ new/dbx-cert/SLES-UEFI-SIGN-Certificate-2021-05.crt 2022-06-13 12:46:59.973538914 +0200 
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIFBDCCA+ygAwIBAgIJAO2HhbeP/BJ+MA0GCSqGSIb3DQEBCwUAMIGmMS0wKwYD +VQQDDCRTVVNFIExpbnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNV +BAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0UgTGludXgg +UHJvZHVjdHMgR21iSDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqGSIb3DQEJ +ARYNYnVpbGRAc3VzZS5kZTAeFw0yMTAzMDgxMDE1MDhaFw0zMDEyMzExMDE1MDha +MIGrMTIwMAYDVQQDDClTVVNFIExpbnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3Qg +U2lnbmtleTELMAkGA1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UE +CgwYU1VTRSBMaW51eCBQcm9kdWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFt +MRwwGgYJKoZIhvcNAQkBFg1idWlsZEBzdXNlLmRlMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAtvApQ4qgxDibOpYufFyQG3HDsQvwjPfrQHdYqkcKDZvz +hKFJSpAu4gulkuKnOeMO1+ecpOC9f0G6mbIwYCsM/GKBCUKRQZPOB5eSeGU+NJaI +XV6IimhfYi3MXmheVrP64Xd6pvcn/iplk2IPLbbdjIeiSImg1xtfnrcaWa+tzOMu +MAQfF4wUlVnFF4Pnh0goS2sv2Lj3fVQ4XV7d8bsB9gwdWSQQMwbSb5SXoiLZOIrZ +iI/n6DD5UL8Yap+2f5sBXA1MtonX91MSUu68Vh7l/9UXEntkx5byOdRAKxndIpnP +QQazhXtQoFskPtVzKs+8jIemDOosn7cTkBgOEP49iQIDAQABo4IBLDCCASgwDAYD +VR0TAQH/BAIwADAdBgNVHQ4EFgQUWiQESdKf0NinoYfm/A4muV0aqHswgdMGA1Ud +IwSByzCByIAU7KsNQsRWz3cENrlzmThill6HJi+hgaykgakwgaYxLTArBgNVBAMM +JFNVU0UgTGludXggRW50ZXJwcmlzZSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMC +REUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UECgwYU1VTRSBMaW51eCBQcm9k +dWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFtMRwwGgYJKoZIhvcNAQkBFg1i +dWlsZEBzdXNlLmRlggEBMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEF +BQcDAzANBgkqhkiG9w0BAQsFAAOCAQEAqFI4lVQf3heh0TWrZwc0ej30p1EhVJms +NxCy/mtn6IDkRzmzAe9F/Tx5B6Kytjtj2WvU2mOhjDW61Tdvk2UBqlapTbT0X2oF +Co4ww8gm2uDyY3nCEM0jdPj8XnA+T+raxwcw6NosK3J6g+bEWjkX0lWryl1jgxuA +q3zup4t2rl792z+nAUAmCSrsYeQQxnKIeCvZCYMGgixSoYrv2SxD8hTFC8XW606v +ITVb9fxaYF1cCjCLjhkQpnegViT0mV5QcPW/IIjqKla1N9sH26buFwcJIHXQRB4h +1boVtIqiQZOe4BjGRTvRILGOa/WXn8UhQvMc39bCr1SxMRvpCV7zKw== +-----END CERTIFICATE----- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dbx-cert/generate-vendor-dbx.sh 
new/dbx-cert/generate-vendor-dbx.sh --- old/dbx-cert/generate-vendor-dbx.sh 2021-04-28 11:21:35.387363178 +0200 +++ new/dbx-cert/generate-vendor-dbx.sh 2022-06-13 12:48:21.295875076 +0200 @@ -20,3 +20,15 @@ cat tmp/*bin > $OUTPUT rm -rf tmp done + +# generate a vendor dbx file includes all .der for testing environment +OUTPUT=vendor-dbx.bin +mkdir tmp +for cert in *.crt +do + BASENAME=`basename $cert .crt` + openssl x509 -in $cert -outform der -out tmp/${BASENAME}.der + efisiglist -a -c tmp/${BASENAME}.der -o tmp/${BASENAME}.bin +done +cat tmp/*bin > $OUTPUT +rm -rf tmp diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dbx-cert/openSUSE-UEFI-SIGN-Certificate-2021-05.crt new/dbx-cert/openSUSE-UEFI-SIGN-Certificate-2021-05.crt --- old/dbx-cert/openSUSE-UEFI-SIGN-Certificate-2021-05.crt 1970-01-01 01:00:00.000000000 +0100 +++ new/dbx-cert/openSUSE-UEFI-SIGN-Certificate-2021-05.crt 2022-06-13 12:47:11.769877788 +0200 
@@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIElTCCA32gAwIBAgIJAPq+2L9Aml5kMA0GCSqGSIb3DQEBCwUAMIGBMSAwHgYD +VQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMCREUxEjAQBgNV +BAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJvamVjdDEhMB8GCSqG +SIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMB4XDTIxMDMwMjEzMDE1NFoXDTMx +MDEwOTEzMDE1NFowgYYxJTAjBgNVBAMMHG9wZW5TVVNFIFNlY3VyZSBCb290IFNp +Z25rZXkxCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoM +EG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNl +Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPLI9AESuA0aqXLg +RwX7lU1td6HhC3Oj+kwKJJvF/kwA+1viW/1cC4vS9muigFHe3b4CPwZ9WRxb5Wyi +3nxP1fjYwFmygBnqWvzMTxGZBFuhcQQpSPDbjWOEiFspVZbvkBF7t0cu1EcpKaHl ++pPqVdWrh11mk7bSjnYGAZ0BFHQ3bnhCuH1+p4PIMLAFZIRQ9suW9t5caOoHK6pi +fisOYy+WR3a/2AFTCZIdZIueVpvPHhGgjEDoE0wnoAg5lKDn+SAUS7JiWy/hdT2U +c/OjH1onXi99kTWDOMwQA+g2d7JAPtLuepcKpiUbFaR+7KJYWhkfit6WYz40sC6Q +PMAHIj8CAwEAAaOCAQcwggEDMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFJ3fQ9nx +oCcnP1LGwHdZCO4BZxMlMIGuBgNVHSMEgaYwgaOAFGhCYA3iLExHfpW+I9/qlRPl +lxdioYGHpIGEMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTEL +MAkGA1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNV +U0UgUHJvamVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnggEB +MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0B +AQsFAAOCAQEAnjK7rL3T/Fu443EQSB3cV2V84pQcOcQf3dCSx8VT14ZTgkp1RGM4 +qr4V8foA7Fyr9UE+x2zEMzcVy2eZ2aihO/qaQ/JGZi8cp1pjq0nNMUQjgXF0YGyn +Qanjb/48V5eOF9Z1h/wQ0HISTdkwsvGUS0leHT3LjXWNRL9QBp1Qi5A5IE5t8vpX +OxAvHNTsKsx6x2p8R3yVLX7rY84xvBJCqHDY9tYDQ2VbVX7CEw5x9FffobYpY/s1 +lCV/fhOThm/q/p9Pr3hydxKP4PoxxwBtII/p0zJTMWEEfOsK/zAS3v8Ltlz83gTk +WX+2oXpj/WRFsYWIEXTPwEm4MwYWxw5rMw== +-----END CERTIFICATE----- ++++++ shim-15.4.tar.bz2 -> shim-15.6.tar.bz2 ++++++ ++++ 12646 lines of diff (skipped) ++++++ shim-bsc1198101-opensuse-cert-prompt.patch ++++++ >From 49355a83722494099caeb23b46637b2c94a6ab9e Mon Sep 17 00:00:00 2001 
From: Gary Ching-Pang Lin <g...@suse.com> Date: Tue, 18 Feb 2014 17:29:19 +0800 Subject: [PATCH 1/3] Show the build-in certificate prompt This is an openSUSE-only patch. Pop up a window to ask if the user is willing to trust the built-in openSUSE certificate. If yes, set openSUSE_Verify, a BootService variable, to 1, and shim won't bother the user afterward. If no, continue the booting process without using the built-in certificate to verify the EFI images, and the window will show up again after reboot. The state will store in use_openSUSE_cert, a volatile RT variable. --- mok.c | 3 ++- shim.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++- shim.h | 1 + 3 files changed, 71 insertions(+), 2 deletions(-) Index: shim-15.6~rc1+77144e5a/mok.c =================================================================== --- shim-15.6~rc1+77144e5a.orig/mok.c +++ shim-15.6~rc1+77144e5a/mok.c @@ -46,7 +46,8 @@ static EFI_STATUS check_mok_request(EFI_ check_var(L"MokPW") || check_var(L"MokAuth") || check_var(L"MokDel") || check_var(L"MokDB") || check_var(L"MokXNew") || check_var(L"MokXDel") || - check_var(L"MokXAuth") || check_var(L"MokListTrustedNew")) { + check_var(L"MokXAuth") || check_var(L"MokListTrustedNew") || + check_var(L"ClearVerify")) { efi_status = start_image(image_handle, MOK_MANAGER); if (EFI_ERROR(efi_status)) { @@ -62,7 +63,8 @@ static vendor_addend_category_t categorize_authorized(struct mok_state_variable *v) { if (!(v->addend && v->addend_size && - *v->addend && *v->addend_size)) { + *v->addend && *v->addend_size && + use_builtin_cert)) { return VENDOR_ADDEND_NONE; } Index: shim-15.6~rc1+77144e5a/shim.c =================================================================== --- shim-15.6~rc1+77144e5a.orig/shim.c +++ shim-15.6~rc1+77144e5a/shim.c @@ -496,6 +496,8 @@ verify_one_signature(WIN_CERTIFICATE_EFI } efi_status = EFI_NOT_FOUND; + if (!use_builtin_cert) + return efi_status; #if defined(ENABLE_SHIM_CERT) /* * Check against the shim build key 
@@ -1572,6 +1574,69 @@ shim_fini(void) console_fini(); } +#define VENDOR_VERIFY L"openSUSE_Verify" + +/* Show the built-in certificate prompt if necessary */ +static int builtin_cert_prompt(void) +{ + EFI_STATUS status; + UINT32 attributes; + UINTN len = sizeof(UINT8); + UINT8 data; + + use_builtin_cert = FALSE; + + if (vendor_cert_size == 0) + return 0; + + status = gRT->GetVariable(VENDOR_VERIFY, &SHIM_LOCK_GUID, + &attributes, &len, (void *)&data); + if (status != EFI_SUCCESS || + (attributes & EFI_VARIABLE_RUNTIME_ACCESS)) { + int choice; + + if (status != EFI_NOT_FOUND) + LibDeleteVariable(VENDOR_VERIFY, &SHIM_LOCK_GUID); + + CHAR16 *str[] = {L"Trust openSUSE Certificate", + L"", + L"Do you agree to use the built-in openSUSE certificate", + L"to verify boot loaders and kernels?", + NULL}; + choice = console_yes_no(str); + if (choice != 1) { + data = 0; + goto done; + } + + data = 1; + status = gRT->SetVariable(VENDOR_VERIFY, &SHIM_LOCK_GUID, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS, + sizeof(UINT8), &data); + if (status != EFI_SUCCESS) { + console_error(L"Failed to set openSUSE_Verify", status); + return -1; + } + } + + use_builtin_cert = TRUE; + data = 1; + +done: + /* Setup a runtime variable to show the current state */ + status = gRT->SetVariable(L"use_openSUSE_cert", &SHIM_LOCK_GUID, + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS, + sizeof(UINT8), &data); + if (status != EFI_SUCCESS) { + console_error(L"Failed to set use_openSUSE_cert", status); + return -1; + } + + return 0; +} + extern EFI_STATUS efi_main(EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab); 
@@ -1712,6 +1777,9 @@ efi_main (EFI_HANDLE passed_image_handle */ debug_hook(); + if (secure_mode() && (builtin_cert_prompt() != 0)) + return EFI_ABORTED; + efi_status = set_sbat_uefi_variable(); if (EFI_ERROR(efi_status) && secure_mode()) { perror(L"%s variable initialization failed\n", SBAT_VAR_NAME); Index: shim-15.6~rc1+77144e5a/MokManager.c =================================================================== --- shim-15.6~rc1+77144e5a.orig/MokManager.c +++ shim-15.6~rc1+77144e5a/MokManager.c @@ -1864,6 +1864,36 @@ mokpw_done: return EFI_SUCCESS; } +static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) { + EFI_STATUS status; + + if (console_yes_no((CHAR16 *[]){L"Do you want to revoke openSUSE certificate?", NULL}) != 1) + return 0; + + if (ClearVerifySize == PASSWORD_CRYPT_SIZE) { + status = match_password((PASSWORD_CRYPT *)ClearVerify, NULL, 0, + NULL, NULL); + } else { + status = EFI_INVALID_PARAMETER; + } + if (status != EFI_SUCCESS) + return -1; + + status = gRT->SetVariable(L"openSUSE_Verify", &SHIM_LOCK_GUID, + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_NON_VOLATILE, + 0, NULL); + if (status != EFI_SUCCESS) { + console_error(L"Failed to delete openSUSE_Verify", status); + return -1; + } + + console_notify(L"The system must now be rebooted"); + gRT->ResetSystem(EfiResetWarm, EFI_SUCCESS, 0, NULL); + console_notify(L"Failed to reboot"); + return -1; +} + static BOOLEAN verify_certificate(UINT8 * cert, UINTN size) { X509 *X509Cert; @@ -2195,6 +2225,7 @@ typedef enum { MOK_CHANGE_SB, MOK_SET_PW, MOK_CHANGE_DB, + MOK_CLEAR_VERIFY, MOK_KEY_ENROLL, MOK_HASH_ENROLL, MOK_CHANGE_TML @@ -2217,7 +2248,9 @@ static EFI_STATUS enter_mok_menu(EFI_HAN void *MokDB, UINTN MokDBSize, void *MokXNew, UINTN MokXNewSize, void *MokXDel, UINTN MokXDelSize, - void *MokTML, UINTN MokTMLSize) + void *MokTML, UINTN MokTMLSize, + void *ClearVerify, UINTN ClearVerifySize) + { CHAR16 **menu_strings = NULL; mok_menu_item *menu_item = NULL; 
@@ -2296,6 +2329,9 @@ static EFI_STATUS enter_mok_menu(EFI_HAN if (MokTML) menucount++; + if (ClearVerify) + menucount++; + menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (menucount + 1)); if (!menu_strings) @@ -2373,6 +2409,12 @@ static EFI_STATUS enter_mok_menu(EFI_HAN i++; } + if (ClearVerify) { + menu_strings[i] = L"Revoke openSUSE certificate"; + menu_item[i] = MOK_CLEAR_VERIFY; + i++; + } + menu_strings[i] = L"Enroll key from disk"; menu_item[i] = MOK_KEY_ENROLL; i++; @@ -2477,6 +2519,9 @@ static EFI_STATUS enter_mok_menu(EFI_HAN if (!EFI_ERROR(efi_status)) MokDB = NULL; break; + case MOK_CLEAR_VERIFY: + mok_clear_verify_prompt(ClearVerify, ClearVerifySize); + break; case MOK_KEY_ENROLL: efi_status = mok_key_enroll(); break; @@ -2519,6 +2564,7 @@ static EFI_STATUS check_mok_request(EFI_ { UINTN MokNewSize = 0, MokDelSize = 0, MokSBSize = 0, MokPWSize = 0; UINTN MokDBSize = 0, MokXNewSize = 0, MokXDelSize = 0, MokTMLSize = 0; + UINTN ClearVerifySize = 0; void *MokNew = NULL; void *MokDel = NULL; void *MokSB = NULL; @@ -2527,6 +2573,7 @@ static EFI_STATUS check_mok_request(EFI_ void *MokXNew = NULL; void *MokXDel = NULL; void *MokTML = NULL; + void *ClearVerify = NULL; EFI_STATUS efi_status; efi_status = get_variable(L"MokNew", (UINT8 **) & MokNew, &MokNewSize, 
@@ -2611,9 +2658,20 @@ static EFI_STATUS check_mok_request(EFI_ console_error(L"Could not retrieve MokXDel", efi_status); } + efi_status = get_variable(L"ClearVerify", (UINT8 **)&ClearVerify, + &ClearVerifySize, SHIM_LOCK_GUID); + if (!EFI_ERROR(efi_status)) { + efi_status = LibDeleteVariable(L"ClearVerify", &SHIM_LOCK_GUID); + if (EFI_ERROR(efi_status)) + console_notify(L"Failed to delete ClearVerify"); + } else if (EFI_ERROR(efi_status) && efi_status != EFI_NOT_FOUND) { + console_error(L"Could not retrieve ClearVerify", efi_status); + } + enter_mok_menu(image_handle, MokNew, MokNewSize, MokDel, MokDelSize, MokSB, MokSBSize, MokPW, MokPWSize, MokDB, MokDBSize, - MokXNew, MokXNewSize, MokXDel, MokXDelSize, MokTML, MokTMLSize); + MokXNew, MokXNewSize, MokXDel, MokXDelSize, MokTML, MokTMLSize, + ClearVerify, ClearVerifySize); if (MokNew) FreePool(MokNew); @@ -2639,6 +2697,9 @@ static EFI_STATUS check_mok_request(EFI_ if (MokTML) FreePool(MokTML); + if (ClearVerify) + FreePool (ClearVerify); + LibDeleteVariable(L"MokAuth", &SHIM_LOCK_GUID); LibDeleteVariable(L"MokDelAuth", &SHIM_LOCK_GUID); LibDeleteVariable(L"MokXAuth", &SHIM_LOCK_GUID); Index: shim-15.6~rc1+77144e5a/globals.c =================================================================== --- shim-15.6~rc1+77144e5a.orig/globals.c +++ shim-15.6~rc1+77144e5a/globals.c @@ -25,6 +25,7 @@ UINT8 *build_cert; */ verification_method_t verification_method; int loader_is_participating; +BOOLEAN use_builtin_cert; UINT8 user_insecure_mode; UINT8 ignore_db; Index: shim-15.6~rc1+77144e5a/shim.h =================================================================== --- shim-15.6~rc1+77144e5a.orig/shim.h +++ shim-15.6~rc1+77144e5a/shim.h @@ -268,6 +268,7 @@ extern UINT8 mok_policy; extern UINT8 in_protocol; extern void *load_options; extern UINT32 load_options_size; +extern BOOLEAN use_builtin_cert; BOOLEAN secure_mode (void);
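
Review bot: In the shim.spec %post hunk, the exit status of `mokutil --set-sbat-policy latest` is not handled, while the `/sbin/update-bootloader --reinit || true` line directly above it is explicitly guarded. Either guard it the same way or print a warning on failure, so that a system whose firmware rejects the request does not turn a package update into a scriptlet error. In `is_efi`, `msg` is assigned and never read; redirecting the output of `mokutil --sb-state` to /dev/null would say the same thing with one variable less.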
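
Review bot: The loop added to dbx-cert/generate-vendor-dbx.sh does not check the result of `openssl x509` or `efisiglist`, so a certificate that fails to convert is simply missing from vendor-dbx.bin and the script still ends with `cat tmp/*bin > $OUTPUT`. For a revocation list that is the wrong failure mode: stop on the first error (`|| exit 1` on both commands), quote `$cert` and `${BASENAME}`, and handle a leftover tmp directory, since `mkdir tmp` fails if an earlier run was interrupted before `rm -rf tmp`.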
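
Review bot: In the shim.c hunk for verify_one_signature(), the early `if (!use_builtin_cert) return efi_status;` sits before the `#if defined(ENABLE_SHIM_CERT)` block, so declining the openSUSE certificate also skips the check against the shim build key, not only the vendor certificate. If that is intended, say so in a comment at the return; if only the vendor certificate should be gated, move the test down to the vendor certificate check.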
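
Review bot: builtin_cert_prompt() in shim.c never looks at the value it reads from openSUSE_Verify: once GetVariable() succeeds and the attributes lack EFI_VARIABLE_RUNTIME_ACCESS, the code falls through to `use_builtin_cert = TRUE; data = 1;` whatever `data` and `len` contain. Check `len == sizeof(UINT8) && data == 1` before trusting the variable and treat any other content like the not-found case, so that the stored value and the decision cannot disagree. A short comment explaining why a variable carrying the runtime-access attribute is deleted and the prompt shown again would also help the next reader.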
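
Review bot: In the MokManager.c hunk for enter_mok_menu(), `case MOK_CLEAR_VERIFY:` discards the return value of mok_clear_verify_prompt(), whereas the neighbouring cases assign `efi_status` and clear their request pointer on success (`MokDB = NULL`). A failed password match returns -1 with no message and the menu entry stays available; propagate the result, report the failure with console_error() or console_notify(), and decide explicitly whether ClearVerify should be cleared after an attempt. Minor style points in the same file: the blank line added between the parameter list and `{` of enter_mok_menu(), `FreePool (ClearVerify)` with a space unlike the other FreePool() calls, and the redundant `EFI_ERROR(efi_status) &&` in the `else if` of check_mok_request().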
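
Review bot: The header of shim-bsc1198101-opensuse-cert-prompt.patch still carries a diffstat of "mok.c | 3 ++-, shim.c | 69 +, shim.h | 1 +, 3 files changed", but the body has Index sections for mok.c, shim.c, MokManager.c, globals.c and shim.h. Regenerate the diffstat, and mention in the description the ClearVerify request and the "Revoke openSUSE certificate" menu entry that the MokManager.c part adds, since the current text only describes the trust prompt.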