Ersek,

I already checked some local Authenticode signatures and the Cryptest utility, and 
Ard also helped to validate something; it looks like the new update works well. 

Could you share the signed shim binary with me? (I have no copy in my local 
environment now.) Then I can check if there are any issues. Thanks.


Best Regards & Thanks,
LONG, Qin

-----Original Message-----
From: Ard Biesheuvel [mailto:ard.biesheu...@linaro.org] 
Sent: Saturday, June 20, 2015 9:01 PM
To: Laszlo Ersek
Cc: edk2-devel@lists.sourceforge.net
Subject: Re: [edk2] [patch 0/3] *** Update OpenSSL support to 1.0.2c release ***

On 20 June 2015 at 03:42, Laszlo Ersek <ler...@redhat.com> wrote:
> Hi,
>
> On 06/14/15 18:54, Long, Qin wrote:
>> [NOTE]
>> Just one day after 1.0.2b release, one new upgrade (1.0.2c) was 
>> released to resolve ABI compatibility problems. This patch has to be 
>> updated to catch this latest release.
>> No actual changes between this 1.0.2c-patch and the last 1.0.2b-patch series.
>> ================================================================
>> OpenSSL 1.0.2b was just released on 11-Jun-2015. This patch is 
>> updated to catch this latest release.
>> The changes between 1.0.2a-patch and 1.0.2b-patch are few:
>>   > One memory allocation bug was already fixed in 1.0.2b code (x509_vpm.c)
>>     Then remove the fix code from EDKII-openssl-1.0.2b.patch
>>   > Add a few missed boundary checks in CryptX509.c
>> ================================================================
>> Update the EDKII crypto provider from openssl 0.9.8zf to 1.0.2b.
>> The OpenSSL Project announced that the support for version 0.9.8 will 
>> cease on 31st December 2015. This patch updates the EDKII openssl 
>> support to the latest 1.0.2 branch.
>>
>> Long, Qin (3):
>>   CryptoPkg: Update openssl patch file from 0.9.8zf to 1.0.2c
>>   CryptoPkg: Update OpensslLib module files for openssl-1.0.2c support
>>   CryptoPkg: Wrapper files updates to support openssl-1.0.2c
>>
>>  CryptoPkg/Include/OpenSslSupport.h                 |   8 +-
>>  CryptoPkg/Include/memory.h                         |  16 +
>>  .../Library/BaseCryptLib/Pk/CryptAuthenticode.c    |   6 +-
>>  CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c |  10 +-
>>  .../Library/BaseCryptLib/Pk/CryptPkcs7Verify.c     |  11 +-
>>  CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c        |  12 +-
>>  CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c      |  18 +-
>>  .../Library/OpensslLib/EDKII_openssl-0.9.8zf.patch | 279 ----------
>>  .../Library/OpensslLib/EDKII_openssl-1.0.2c.patch  | 346 ++++++++++++
>>  CryptoPkg/Library/OpensslLib/Install.cmd           | 146 ++---
>>  CryptoPkg/Library/OpensslLib/Install.sh            | 146 ++---
>>  CryptoPkg/Library/OpensslLib/OpensslLib.inf        | 620 ++++++++++++++-------
>>  CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt       |  46 +-
>>  13 files changed, 1013 insertions(+), 651 deletions(-)
>>  create mode 100644 CryptoPkg/Include/memory.h
>>  delete mode 100644 CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8zf.patch
>>  create mode 100644 CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch
>>
>
> Sorry that I'm late to the party, but this update seems to have broken 
> Secure Boot under OVMF. I started out with a fresh varstore, enrolled 
> the Microsoft keys manually, using the SecureBootConfigDxe forms, and 
> then tried to boot Fedora 20. "Booting fedora shim" appears at the end 
> of the debug log, and the VM spins into an infinite loop.
>
> I confirmed that with 0.9.8zf things work.
>

I wonder what is going on here. My AArch64 boot tests work fine with these 
patches applied, but they don't use shim. (They do use GRUB as an intermediate 
loader calling LoadImage() to boot a signed kernel).

Are there any plans or patches yet to move shim to a more recent OpenSSL 
version? It shouldn't be affecting things like this, but it would allow a quick 
check if someone has patches already.

--
Ard.

------------------------------------------------------------------------------
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/edk2-devel
