Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2022-11-22 16:09:23 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.1597 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim" Tue Nov 22 16:09:23 2022 rev:108 rq:1037006 version:15.7 Changes: -------- --- /work/SRC/openSUSE:Factory/shim/shim.changes 2022-11-19 18:08:42.706231922 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new.1597/shim.changes 2022-11-22 16:09:24.841795668 +0100 @@ -1,0 +2,6 @@ +Fri Nov 18 04:52:49 UTC 2022 - Joey Lee <j...@suse.com> + +- Add shim-Enable-the-NX-compatibility-flag-by-default.patch to + enable the NX compatibility flag by default. (jsc#PED-127) + +------------------------------------------------------------------- New: ---- shim-Enable-the-NX-compatibility-flag-by-default.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shim.spec ++++++ --- /var/tmp/diff_new_pack.UZiYEX/_old 2022-11-22 16:09:25.749800282 +0100 +++ /var/tmp/diff_new_pack.UZiYEX/_new 2022-11-22 16:09:25.757800323 +0100 @@ -75,6 +75,8 @@ Patch4: remove_build_id.patch # PATCH-FIX-SUSE shim-disable-export-vendor-dbx.patch bsc#1185261 g...@suse.com -- Disable exporting vendor-dbx to MokListXRT Patch5: shim-disable-export-vendor-dbx.patch +# PATCH-FIX-UPSTREAM shim-Enable-the-NX-compatibility-flag-by-default.patch j...@suse.com -- Enable the NX compatibility flag by default +Patch6: shim-Enable-the-NX-compatibility-flag-by-default.patch # PATCH-FIX-OPENSUSE shim-bsc1198101-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not Patch100: shim-bsc1198101-opensuse-cert-prompt.patch BuildRequires: dos2unix @@ -121,6 +123,7 @@ %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 %if 0%{?is_opensuse} == 1 || 0%{?sle_version} == 0 %patch100 -p1 %endif ++++++ shim-Enable-the-NX-compatibility-flag-by-default.patch ++++++ >From a53b9f7ceec1dfa1487f4d675573449c5b2a16fb Mon Sep 17 00:00:00 2001 
From: Peter Jones <pjo...@redhat.com> Date: Thu, 17 Nov 2022 12:31:31 -0500 Subject: [PATCH] Enable the NX compatibility flag by default. Currently by default, when we build shim we do not set the PE NX-compatibility DLL Characteristic flag. This signifies to the firmware that shim (including the components it loads) is not prepared for several related firmware changes: - non-executable stack - non-executable pages from AllocatePages()/AllocatePool()/etc. - non-writable 0 page (not strictly related but some firmware will be transitioning at the same time) - the need to use the UEFI 2.10 Memory Attribute Protocol to set page permissions. This patch changes that default to be enabled by default. Distributors of shim will need to ensure that either their builds disable this bit (using "post-process-pe -N"), or that the bootloaders and kernels you support loading are all compliant with this change. A new make variable, POST_PROCESS_PE_FLAGS, has been added to simplify doing so. Signed-off-by: Peter Jones <pjo...@redhat.com> --- BUILDING | 3 +++ Make.defaults | 2 ++ Makefile | 2 +- post-process-pe.c | 2 +- 4 files changed, 7 insertions(+), 2 deletions(-) diff --git a/BUILDING b/BUILDING index 3b2e85d3..17cd98d3 100644 --- a/BUILDING +++ b/BUILDING @@ -78,6 +78,9 @@ Variables you could set to customize the build: - OSLABEL This is the label that will be put in BOOT$(EFI_ARCH).CSV for your OS. By default this is the same value as EFIDIR . +- POST_PROCESS_PE_FLAGS + This allows you to add flags to the invocation of "post-process-pe", for + example to disable the NX compatibility flag. Vendor SBAT data: It will sometimes be requested by reviewers that a build includes extra diff --git a/Make.defaults b/Make.defaults index c46164a3..9af89f4e 100644 --- a/Make.defaults +++ b/Make.defaults 
@@ -139,6 +139,8 @@ CFLAGS = $(FEATUREFLAGS) \ $(INCLUDES) \ $(DEFINES) +POST_PROCESS_PE_FLAGS = + ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined) DEFINES += -DOVERRIDE_SECURITY_POLICY endif diff --git a/Makefile b/Makefile index a9202f46..f0f53f8f 100644 --- a/Makefile +++ b/Makefile @@ -255,7 +255,7 @@ endif -j .rela* -j .dyn -j .reloc -j .eh_frame \ -j .vendor_cert -j .sbat -j .sbatlevel \ $(FORMAT) $< $@ - ./post-process-pe -vv $@ + ./post-process-pe -vv $(POST_PROCESS_PE_FLAGS) $@ ifneq ($(origin ENABLE_SHIM_HASH),undefined) %.hash : %.efi diff --git a/post-process-pe.c b/post-process-pe.c index de8f4a38..f39fdddf 100644 --- a/post-process-pe.c +++ b/post-process-pe.c @@ -42,7 +42,7 @@ static int verbosity; 0; \ }) -static bool set_nx_compat = false; +static bool set_nx_compat = true; typedef uint8_t UINT8; typedef uint16_t UINT16;
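Review bot: the `Patch6:` line in shim.spec pulls in the change that flips the NX-compatibility default, but the spec passes no POST_PROCESS_PE_FLAGS, so the packaged shim will carry the NX-compatible DLL characteristic; the commit message says a distributor must either build with `post-process-pe -N` or verify that every bootloader and kernel the shim loads tolerates non-executable stack and pool/page allocations, and neither the spec nor the shim.changes entry records which of the two was done. Suggest the changes entry state that the bootloader and kernel images loaded by this shim were checked for compliance, or else pass `POST_PROCESS_PE_FLAGS=-N` to make until that check has been made.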
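Review bot: the new POST_PROCESS_PE_FLAGS paragraph in BUILDING describes the variable only by example ("to disable the NX compatibility flag") without naming the flag, while the commit message identifies it as `post-process-pe -N`; spell it out, e.g. `POST_PROCESS_PE_FLAGS=-N`, and say that the default as of this change is to set the NX bit, so a reader knows which direction the override goes.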
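Review bot: `POST_PROCESS_PE_FLAGS =` in Make.defaults is an unconditional assignment, so a value exported in the build environment is discarded and only a command-line `make POST_PROCESS_PE_FLAGS=-N` takes effect; consider `POST_PROCESS_PE_FLAGS ?=` instead, which matches the file's existing habit of honouring externally supplied settings (the adjacent `ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)` check), so a distributor can disable the bit from the environment consistently.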
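Review bot: changing `set_nx_compat` from `false` to `true` in post-process-pe.c inverts the meaning of every build that passes no explicit option, and the hunk touches only the default, not the option parsing or usage text for `-N`; check that the tool's help output now describes `-N` as clearing the NX-compatibility bit, and consider having the `-vv` verbose path log the final DllCharacteristics value so the state of the bit is visible in build logs rather than only inferable from the default.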