On 20 June 2015 at 03:42, Laszlo Ersek <ler...@redhat.com> wrote:
> Hi,
>
> On 06/14/15 18:54, Long, Qin wrote:
>> [NOTE]
>> Just one day after 1.0.2b release, one new upgrade (1.0.2c) was released
>> to resolve ABI compatibility problems. This patch has to be updated to
>> catch this latest release.
>> No actual changes between this 1.0.2c-patch and the last 1.0.2b-patch series.
>> ================================================================
>> OpenSSL 1.0.2b was just released on 11-Jun-2015. This patch is updated to
>> catch this latest release.
>> The changes between 1.0.2a-patch and 1.0.2b-patch are few:
>>   > One memory allocation bug was already fixed in 1.0.2b codes (x509_vpm.c)
>>     Then remove the fix codes from EDKII-openssl-1.0.2b.patch
>>   > Add a few missed boundary checks in CryptX509.c
>> ================================================================
>> Update the EDKII crypto provider from openssl 0.9.8zf to 1.0.2b.
>> The OpenSSL Project announced that the support for version 0.9.8 will cease
>> on 31st December 2015. This patch updates the EDKII openssl support to the
>> latest 1.0.2 branch.
>>
>> Long, Qin (3):
>>   CryptoPkg: Update openssl patch file from 0.9.8zf to 1.0.2c
>>   CryptoPkg: Update OpensslLib module files for openssl-1.0.2c support
>>   CryptoPkg: Wrapper files updates to support openssl-1.0.2c
>>
>>  CryptoPkg/Include/OpenSslSupport.h                 |   8 +-
>>  CryptoPkg/Include/memory.h                         |  16 +
>>  .../Library/BaseCryptLib/Pk/CryptAuthenticode.c    |   6 +-
>>  CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c |  10 +-
>>  .../Library/BaseCryptLib/Pk/CryptPkcs7Verify.c     |  11 +-
>>  CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c        |  12 +-
>>  CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c      |  18 +-
>>  .../Library/OpensslLib/EDKII_openssl-0.9.8zf.patch | 279 ----------
>>  .../Library/OpensslLib/EDKII_openssl-1.0.2c.patch  | 346 ++++++++++++
>>  CryptoPkg/Library/OpensslLib/Install.cmd           | 146 ++---
>>  CryptoPkg/Library/OpensslLib/Install.sh            | 146 ++---
>>  CryptoPkg/Library/OpensslLib/OpensslLib.inf        | 620 ++++++++++++++-------
>>  CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt       |  46 +-
>>  13 files changed, 1013 insertions(+), 651 deletions(-)
>>  create mode 100644 CryptoPkg/Include/memory.h
>>  delete mode 100644 CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8zf.patch
>>  create mode 100644 CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch
>>
>
> Sorry that I'm late to the party, but this update seems to have broken
> Secure Boot under OVMF. I started out with a fresh varstore, enrolled
> the Microsoft keys manually, using the SecureBootConfigDxe forms, and
> then tried to boot Fedora 20. "Booting fedora shim" appears at the end
> of the debug log, and the VM spins into an infinite loop.
>
> I confirmed that with 0.9.8zf things work.
>

I wonder what is going on here. My AArch64 boot tests work fine with
these patches applied, but they don't use shim. (They do use GRUB as
an intermediate loader calling LoadImage() to boot a signed kernel).

Are there any plans or patches yet to move shim to a more recent
OpenSSL version? It shouldn't be affecting things like this, but it
would allow a quick check if someone has patches already.

-- 
Ard.

------------------------------------------------------------------------------
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/edk2-devel