On Mon, Jun 22, 2015 at 04:45:24PM +0000, Long, Qin wrote:
> Laszlo, thanks for updates.
> 
> I did one quick validation based on the shared zip file.  The signature 
> verification succeeded.
> This may just mean the new updates (openssl-1.0.2c) should work well on 
> Authenticode verification. 
> 
> And it is just one static test based on Cryptest utility in CryptoPkg, since 
> I have no full test environment now: 
>   1. I stripped-off the p7 signature from the signed shim.efi file;
>   2. Use the certificate "Microsoft Corporation UEFI CA 2011" as trusted 
> anchor;
>   3. Replace some static data in AuthenticodeVerify.c with these shim data 
> (the Hash value was also stripped from the P7 data);
> The test result is passed. 
> 
> So it looks like the basic image verification should be OK. We may need extra efforts 
> on root-cause. Will do more booting validations on my workstation later. :-)
> 
> Peter, any suggestion against this? 

I've got some features in an upcoming shim release to make debugging a
lot easier.  Until then, basically you need to know the address shim was
loaded at and the offset of .text, and then use shim.efi.debug as the
symbol file in gdb with add-symbol-file .

I can look into this, but right now I'm very deep in deadline time for
RHEL 7.2, so it's going to be hard to find time in the *immediate*
future.  If somebody else can figure those out and get a traceback
out of it, that'd be helpful.

Hard to see how shim wedging can be the result of changing the openssl
version in tiano, though - we don't directly call any of that code.

> 
> 
> Best Regards & Thanks,
> LONG, Qin
> 
> -----Original Message-----
> From: Laszlo Ersek [mailto:ler...@redhat.com] 
> Sent: Monday, June 22, 2015 9:33 PM
> To: Long, Qin
> Cc: edk2-devel@lists.sourceforge.net; Peter Jones
> Subject: Re: [edk2] [patch 0/3] *** Update OpenSSL support to 1.0.2c release 
> ***
> 
> Hi,
> 
> On 06/20/15 18:59, Long, Qin wrote:
> > Ersek,
> > 
> > I already checked some local Authenticode signature and Cryptest 
> > utility, and Ard also helped to validate something; it looks like the new 
> > update works well.
> > 
> > Could you share the signed shim binary with me? (I have no copy in my local 
> > environment now). Then I can check if there are any issues. Thanks.
> 
> I have no evidence either way if the root cause is in edk2, or shim, or grub; 
> the only symptom I'm witnessing is that the combination of the updated 
> CryptoPkg / OpenSSL version and Fedora's UEFI binaries leads to an infinite 
> loop "somewhere" after such a binary is booted.
> 
> The easiest way to reproduce it is by downloading
> 
> https://download.fedoraproject.org/pub/fedora/linux/releases/22/Workstation/x86_64/iso/Fedora-Live-Workstation-x86_64-22-3.iso
> 
> and booting it.
> 
> The UEFI binary you're most probably interested in is from the following 
> Fedora package:
> 
> shim-signed-0.8-8
> http://koji.fedoraproject.org/koji/buildinfo?buildID=612245
> 
> I thought that maybe you'd prefer a ZIP file, so I repacked it for you:
> 
> http://people.redhat.com/~lersek/for_qin_long/shim-0.8-8.x86_64.zip
> 
> Thanks!
> Laszlo
> 
> > Best Regards & Thanks,
> > LONG, Qin
> > 
> > -----Original Message-----
> > From: Ard Biesheuvel [mailto:ard.biesheu...@linaro.org]
> > Sent: Saturday, June 20, 2015 9:01 PM
> > To: Laszlo Ersek
> > Cc: edk2-devel@lists.sourceforge.net
> > Subject: Re: [edk2] [patch 0/3] *** Update OpenSSL support to 1.0.2c 
> > release ***
> > 
> > On 20 June 2015 at 03:42, Laszlo Ersek <ler...@redhat.com> wrote:
> >> Hi,
> >>
> >> On 06/14/15 18:54, Long, Qin wrote:
> >>> [NOTE]
> >>> Just one day after 1.0.2b release, one new upgrade (1.0.2c) was 
> >>> released to resolve ABI compatibility problems. This patch has to be 
> >>> updated to catch this latest release.
> >>> No actual changes between this 1.0.2c-patch and the last 1.0.2b-patch 
> >>> series.
> >>> ================================================================
> >>> OpenSSL 1.0.2b was just released at 11-Jun-2015. This patch is 
> >>> updated to catch this latest release.
> >>> The changes between 1.0.2a-patch and 1.0.2b-patch are few:
> >>>   > One memory allocation bug was already fixed in 1.0.2b codes 
> >>> (x509_vpm.c)
> >>>     Then remove the fix codes from EDKII-openssl-1.0.2b.patch
> >>>   > Add a few missed boundary checks in CryptX509.c 
> >>> ================================================================
> >>> Update the EDKII crypto provider from openssl 0.9.8zf to 1.0.2b.
> >>> The OpenSSL Project announced that the support for version 0.9.8 
> >>> will cease on 31st December 2015. This patch updates the EDKII 
> >>> openssl support to the latest 1.0.2 branch.
> >>>
> >>> Long, Qin (3):
> >>>   CryptoPkg: Update openssl patch file from 0.9.8zf to 1.0.2c
> >>>   CryptoPkg: Update OpensslLib module files for openssl-1.0.2c support
> >>>   CryptoPkg: Wrapper files updates to support openssl-1.0.2c
> >>>
> >>>  CryptoPkg/Include/OpenSslSupport.h                 |   8 +-
> >>>  CryptoPkg/Include/memory.h                         |  16 +
> >>>  .../Library/BaseCryptLib/Pk/CryptAuthenticode.c    |   6 +-
> >>>  CryptoPkg/Library/BaseCryptLib/Pk/CryptPkcs7Sign.c |  10 +-
> >>>  .../Library/BaseCryptLib/Pk/CryptPkcs7Verify.c     |  11 +-
> >>>  CryptoPkg/Library/BaseCryptLib/Pk/CryptTs.c        |  12 +-
> >>>  CryptoPkg/Library/BaseCryptLib/Pk/CryptX509.c      |  18 +-
> >>>  .../Library/OpensslLib/EDKII_openssl-0.9.8zf.patch | 279 ----------
> >>>  .../Library/OpensslLib/EDKII_openssl-1.0.2c.patch  | 346 ++++++++++++
> >>>  CryptoPkg/Library/OpensslLib/Install.cmd           | 146 ++---
> >>>  CryptoPkg/Library/OpensslLib/Install.sh            | 146 ++---
> >>>  CryptoPkg/Library/OpensslLib/OpensslLib.inf        | 620 ++++++++++++++-------
> >>>  CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt       |  46 +-
> >>>  13 files changed, 1013 insertions(+), 651 deletions(-)
> >>>  create mode 100644 CryptoPkg/Include/memory.h
> >>>  delete mode 100644 CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8zf.patch
> >>>  create mode 100644 CryptoPkg/Library/OpensslLib/EDKII_openssl-1.0.2c.patch
> >>>
> >>
> >> Sorry that I'm late to the party, but this update seems to have broken 
> >> Secure Boot under OVMF. I started out with a fresh varstore, enrolled 
> >> the Microsoft keys manually, using the SecureBootConfigDxe forms, and 
> >> then tried to boot Fedora 20. "Booting fedora shim" appears at the end 
> >> of the debug log, and the VM spins into an infinite loop.
> >>
> >> I confirmed that with 0.9.8zf things work.
> >>
> > 
> > I wonder what is going on here. My AArch64 boot tests work fine with these 
> > patches applied, but they don't use shim. (They do use GRUB as an 
> > intermediate loader calling LoadImage() to boot a signed kernel).
> > 
> > Are there any plans or patches yet to move shim to a more recent OpenSSL 
> > version? It shouldn't be affecting things like this, but it would allow a 
> > quick check if someone has patches already.
> > 
> > --
> > Ard.
> > 
> > ------------------------------------------------------------------------------
> > _______________________________________________
> > edk2-devel mailing list
> > edk2-devel@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/edk2-devel
> > 
> 

-- 
        Peter
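Two steps in this thread need the same piece of PE/COFF header parsing: Qin's test strips the PKCS#7 (Authenticode) signature off the signed shim.efi before feeding the image to Cryptest, and Peter's debugging recipe needs the load address plus the offset of .text so that shim.efi.debug can be attached in gdb with add-symbol-file. The script below is an added example written for this page; it is not code from the thread, from shim or from EDK II. It parses the COFF header, the optional header's Certificate Table directory entry and the section table, and it runs against a small PE32+ image that it constructs itself (a placeholder stands in for the real PKCS#7 DER). The load address 0x7E5A0000 in the usage is a placeholder, not a value from the thread.

```python
"""Inspect a UEFI PE/COFF image: find the .text RVA (for gdb add-symbol-file)
and the Authenticode certificate table (to strip the PKCS#7 signature).
Added example, not code from the thread, shim or EDK II.  Offsets follow the
PE/COFF specification; the sample image below is constructed, not a real shim.efi."""
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def build_sample_pe():
    """Constructed minimal PE32+ image: one .text section plus a trailing
    WIN_CERTIFICATE that holds a placeholder where the PKCS#7 DER would be."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)      # e_lfanew lives at 0x3C
    pkcs7 = b"constructed PKCS#7 placeholder"                    # stands in for the DER blob
    cert_off, dw_length = 0x400, 8 + len(pkcs7)
    cert_size = (dw_length + 7) & ~7                             # table size is 8-byte aligned
    opt = bytearray(240)                                         # PE32+ optional header, 16 dirs
    struct.pack_into("<H", opt, 0, 0x20B)                        # Magic: PE32+
    struct.pack_into("<I", opt, 16, 0x1000)                      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 108, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_off, cert_size)  # dir[4]: Certificate Table
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)                   # code | execute | read
    headers = dos + b"PE\0\0" + coff + bytes(opt) + text
    image = headers.ljust(0x200, b"\0") + b"\xCC" * 0x200        # .text raw data at 0x200
    win_cert = struct.pack("<IHH", dw_length, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
    return image + win_cert.ljust(cert_size, b"\0")


def parse_pe(data):
    """Return machine, section table and Certificate Table entry of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = {0x10B: 96, 0x20B: 112}.get(magic)                  # data directories: PE32 / PE32+
    if dd_off is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, opt + dd_off - 4)[0]
    cert_dir = opt + dd_off + 4 * 8                              # IMAGE_DIRECTORY_ENTRY_SECURITY
    cert = None
    if ndirs > 4:
        off, size = struct.unpack_from("<II", data, cert_dir)
        if size:
            cert = (off, size)                                   # a file offset, not an RVA
    sections = {}
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections[name.rstrip(b"\0").decode()] = {
            "va": va, "vsize": vsize, "raw": rawptr, "rawsize": rawsize}
    return {"machine": machine, "sections": sections, "cert": cert, "cert_dir": cert_dir}


def gdb_symbol_command(data, load_base, debug_file="shim.efi.debug"):
    """The gdb line Peter describes: symbols from shim.efi.debug placed at
    (address the image was loaded at) + (RVA of .text)."""
    text_va = parse_pe(data)["sections"][".text"]["va"]
    return "add-symbol-file %s 0x%x" % (debug_file, load_base + text_va)


def strip_authenticode(data):
    """Split a signed image into (unsigned image, PKCS#7 DER): the stripping step
    of Qin's test.  Assumes the certificate table is the last thing in the file."""
    info = parse_pe(data)
    if info["cert"] is None:
        return bytes(data), None
    off, size = info["cert"]
    if off + size != len(data):
        raise ValueError("certificate table is not at the end of the file")
    dw_length, _revision, ctype = struct.unpack_from("<IHH", data, off)
    if ctype != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError("unexpected WIN_CERTIFICATE type 0x%x" % ctype)
    pkcs7 = bytes(data[off + 8:off + dw_length])                 # bCertificate, minus padding
    stripped = bytearray(data[:off])
    struct.pack_into("<II", stripped, info["cert_dir"], 0, 0)   # clear the directory entry too
    return bytes(stripped), pkcs7


if __name__ == "__main__":
    image = build_sample_pe()
    print(gdb_symbol_command(image, 0x7E5A0000))                 # 0x7E5A0000: placeholder load address
    unsigned, signature = strip_authenticode(image)
    print(len(image), len(unsigned), signature)
```

The Authenticode hash already excludes the CheckSum field, the Certificate Table directory entry and the table itself, so clearing the directory entry while removing the table leaves an image whose hash is what the verifier computes over the signed file. On a real shim.efi the load address must come from the firmware (for example the image load message in the OVMF debug log); the script only supplies the .text RVA to add to it.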
