Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2017-09-04 12:18:25 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim" Mon Sep 4 12:18:25 2017 rev:62 rq:519293 version:12 Changes: -------- --- /work/SRC/openSUSE:Factory/shim/shim.changes 2017-08-28 16:16:20.537747923 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2017-09-04 12:18:26.598335869 +0200 @@ -1,0 +2,9 @@ +Tue Aug 29 08:44:25 UTC 2017 - [email protected] + +- Add shim-add-fallback-verbose-print.patch to print the debug + messages in fallback.efi dynamically +- Refresh shim-fallback-workaround-masked-ami-variables.patch +- Add shim-more-tpm-measurement.patch to measure more components + and support TPM better + +------------------------------------------------------------------- New: ---- shim-add-fallback-verbose-print.patch shim-more-tpm-measurement.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shim.spec ++++++ --- /var/tmp/diff_new_pack.fnPROW/_old 2017-09-04 12:18:27.894153702 +0200 +++ /var/tmp/diff_new_pack.fnPROW/_new 2017-09-04 12:18:27.906152015 +0200 
@@ -53,8 +53,12 @@ Patch4: shim-fix-openssl-flags.patch # PATCH-FIX-UPSTREAM shim-fix-fallback-double-free.patch [email protected] -- Fix double free in fallback.c Patch5: shim-fix-fallback-double-free.patch +# PATCH-FIX-UPSTREAM shim-add-fallback-verbose-print.patch [email protected] -- Print debug messages dynamically +Patch6: shim-add-fallback-verbose-print.patch # PATCH-FIX-UPSTREAM shim-fallback-workaround-masked-ami-variables.patch [email protected] -- Work around the masked AMI variables -Patch6: shim-fallback-workaround-masked-ami-variables.patch +Patch7: shim-fallback-workaround-masked-ami-variables.patch +# PATCH-FIX-UPSTREAM shim-more-tpm-measurement.patch [email protected] -- Measure more components for TPM +Patch8: shim-more-tpm-measurement.patch # PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch [email protected] -- Change the default debug file path Patch50: shim-change-debug-file-path.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch [email protected] -- Show the prompt to ask whether the user trusts openSUSE certificate or not @@ -108,6 +112,8 @@ %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 +%patch8 -p1 %patch50 -p1 %if 0%{?is_opensuse} == 1 %patch100 -p1 ++++++ shim-add-fallback-verbose-print.patch ++++++ >From 5b7f867367131e758548f9b537b765611ce3d874 Mon Sep 17 00:00:00 2001 From: Peter Jones <[email protected]> Date: Mon, 31 Jul 2017 11:07:06 -0400 Subject: [PATCH 1/2] fallback: Minor whitespace cleanup Signed-off-by: Peter Jones <[email protected]> (cherry picked from commit 87c8f07e98995c7a2bd040e9d7b7c35b15ff05e4) --- fallback.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fallback.c b/fallback.c index 0a7058b..9ec40b8 100644 --- a/fallback.c +++ b/fallback.c @@ -114,7 +114,7 @@ EFI_STATUS make_full_path(CHAR16 *dirname, CHAR16 *filename, CHAR16 **out, UINT64 *outlen) { UINT64 len; - + len = StrLen(L"\\EFI\\") + StrLen(dirname) + StrLen(L"\\") + StrLen(filename) + 2; 
@@ -358,12 +358,12 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 * rc = make_full_path(dirname, filename, &fullpath, &pathlen); if (EFI_ERROR(rc)) return rc; - + EFI_DEVICE_PATH *dph = NULL; EFI_DEVICE_PATH *file = NULL; EFI_DEVICE_PATH *full_device_path = NULL; EFI_DEVICE_PATH *dp = NULL; - + dph = DevicePathFromHandle(this_image->DeviceHandle); if (!dph) { rc = EFI_OUT_OF_RESOURCES; -- 2.14.1 >From 74608d8f3dded28addbc09046c626f1a02251f3d Mon Sep 17 00:00:00 2001 From: Peter Jones <[email protected]> Date: Mon, 31 Jul 2017 12:51:46 -0400 Subject: [PATCH 2/2] Make fallback debug printing be dynamic at runtime. Signed-off-by: Peter Jones <[email protected]> (cherry picked from commit c0f7d130746e82613b88cdaa9929fe37aff54c57) --- fallback.c | 133 +++++++++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 94 insertions(+), 39 deletions(-) diff --git a/fallback.c b/fallback.c index 9ec40b8..5602a88 100644 --- a/fallback.c +++ b/fallback.c 
@@ -15,6 +15,57 @@ EFI_LOADED_IMAGE *this_image = NULL; +EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }; + +int +get_fallback_verbose(void) +{ + EFI_GUID guid = SHIM_LOCK_GUID; + UINT8 *data = NULL; + UINTN dataSize = 0; + EFI_STATUS efi_status; + unsigned int i; + static int state = -1; + + if (state != -1) + return state; + + efi_status = get_variable(L"FALLBACK_VERBOSE", + &data, &dataSize, guid); + if (EFI_ERROR(efi_status)) { + state = 0; + return state; + } + + for (i = 0; i < dataSize; i++) { + if (data[i]) { + state = 1; + return state; + } + } + + state = 0; + return state; +} + +#define VerbosePrintUnprefixed(fmt, ...) \ + ({ \ + UINTN ret_ = 0; \ + if (get_fallback_verbose()) \ + ret_ = Print((fmt), ##__VA_ARGS__); \ + ret_; \ + }) + +#define VerbosePrint(fmt, ...) \ + ({ UINTN line_ = __LINE__; \ + UINTN ret_ = 0; \ + if (get_fallback_verbose()) { \ + Print(L"%a:%d: ", __func__, line_); \ + ret_ = Print((fmt), ##__VA_ARGS__); \ + } \ + ret_; \ + }) + static EFI_STATUS FindSubDevicePath(EFI_DEVICE_PATH *In, UINT8 Type, UINT8 SubType, EFI_DEVICE_PATH **Out) @@ -23,9 +74,18 @@ FindSubDevicePath(EFI_DEVICE_PATH *In, UINT8 Type, UINT8 SubType, if (!In || !Out) return EFI_INVALID_PARAMETER; + CHAR16 *dps = DevicePathToStr(In); + VerbosePrint(L"input device path: \"%s\"\n", dps); + FreePool(dps); + for (dp = In; !IsDevicePathEnd(dp); dp = NextDevicePathNode(dp)) { if (DevicePathType(dp) == Type && DevicePathSubType(dp) == SubType) { + dps = DevicePathToStr(dp); + VerbosePrint(L"sub-path (%hhd,%hhd): \"%s\"\n", + Type, SubType, dps); + FreePool(dps); + *Out = DuplicateDevicePath(dp); if (!*Out) return EFI_OUT_OF_RESOURCES; 
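Review bot: In `get_fallback_verbose()` the buffer handed back through `&data` is never released once `get_variable()` succeeds; assuming it is a pool allocation, as the out-pointer signature suggests, it leaks (once per boot, since `state` is cached). Set `state = 0;` before the loop, use `state = 1; break;` inside it, and call `FreePool(data);` ahead of a single `return state;`. Nothing in the hunk restricts who may set `FALLBACK_VERBOSE` or checks its attributes, so the function should say so, e.g. `/* FALLBACK_VERBOSE is not authenticated: it may only control console output, never a verification or measurement decision */`.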
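Review bot: The added `DevicePathToStr(In)` / `FreePool(dps)` pair in `FindSubDevicePath()` runs on every call, whether or not verbose output is enabled, and the result goes to `%s` and `FreePool()` without a NULL check. If the conversion can fail under memory pressure, the non-verbose boot path now carries a failure mode it did not have before. Guarding the conversion with `if (get_fallback_verbose())` and skipping the print when `dps` is NULL avoids that. The same unconditional pattern is added in `add_to_boot_list()` (the hunks at -381 and -393). FindSubDevicePath's body starts and ends outside the hunk.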
@@ -327,13 +387,11 @@ update_boot_order(void) return EFI_OUT_OF_RESOURCES; CopyMem(newbootorder, bootorder, size); -#ifdef DEBUG_FALLBACK - Print(L"nbootorder: %d\nBootOrder: ", size / sizeof (CHAR16)); + VerbosePrint(L"nbootorder: %d\nBootOrder: ", size / sizeof (CHAR16)); UINTN j; for (j = 0 ; j < size / sizeof (CHAR16); j++) - Print(L"%04x ", newbootorder[j]); + VerbosePrintUnprefixed(L"%04x ", newbootorder[j]); Print(L"\n"); -#endif rc = uefi_call_wrapper(RT->GetVariable, 5, L"BootOrder", &global, NULL, &len, NULL); if (rc == EFI_BUFFER_TOO_SMALL) @@ -363,6 +421,7 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 * EFI_DEVICE_PATH *file = NULL; EFI_DEVICE_PATH *full_device_path = NULL; EFI_DEVICE_PATH *dp = NULL; + CHAR16 *dps; dph = DevicePathFromHandle(this_image->DeviceHandle); if (!dph) { @@ -381,6 +440,9 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 * rc = EFI_OUT_OF_RESOURCES; goto err; } + dps = DevicePathToStr(full_device_path); + VerbosePrint(L"file DP: %s\n", dps); + FreePool(dps); rc = FindSubDevicePath(full_device_path, MEDIA_DEVICE_PATH, MEDIA_HARDDRIVE_DP, &dp); 
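Review bot: The trailing `Print(L"\n");` in `update_boot_order()` stayed a plain `Print` when the `#ifdef DEBUG_FALLBACK` guard around it was removed, so a bare newline is now written to the console on every run, even with verbose output off. It should read `VerbosePrintUnprefixed(L"\n");`, matching the loop directly above it. update_boot_order's body starts and ends outside the hunk.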
@@ -393,22 +455,24 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 * } } -#ifdef DEBUG_FALLBACK { - UINTN s = DevicePathSize(dp); - UINTN i; - UINT8 *dpv = (void *)dp; - for (i = 0; i < s; i++) { - if (i > 0 && i % 16 == 0) - Print(L"\n"); - Print(L"%02x ", dpv[i]); - } - Print(L"\n"); + UINTN s = DevicePathSize(dp); + UINTN i; + UINT8 *dpv = (void *)dp; + for (i = 0; i < s; i++) { + if (i % 16 == 0) { + if (i > 0) + VerbosePrintUnprefixed(L"\n"); + VerbosePrint(L""); + } + VerbosePrintUnprefixed(L"%02x ", dpv[i]); + } + VerbosePrintUnprefixed(L"\n"); - CHAR16 *dps = DevicePathToStr(dp); - Print(L"device path: \"%s\"\n", dps); + CHAR16 *dps = DevicePathToStr(dp); + VerbosePrint(L"device path: \"%s\"\n", dps); + FreePool(dps); } -#endif UINT16 option; rc = find_boot_option(dp, full_device_path, fullpath, label, arguments, &option); @@ -443,35 +507,27 @@ err: EFI_STATUS populate_stanza(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 *csv) { -#ifdef DEBUG_FALLBACK - Print(L"CSV data: \"%s\"\n", csv); -#endif CHAR16 *file = csv; + VerbosePrint(L"CSV data: \"%s\"\n", csv); UINTN comma0 = StrCSpn(csv, L","); if (comma0 == 0) return EFI_INVALID_PARAMETER; file[comma0] = L'\0'; -#ifdef DEBUG_FALLBACK - Print(L"filename: \"%s\"\n", file); -#endif + VerbosePrint(L"filename: \"%s\"\n", file); CHAR16 *label = csv + comma0 + 1; UINTN comma1 = StrCSpn(label, L","); if (comma1 == 0) return EFI_INVALID_PARAMETER; label[comma1] = L'\0'; -#ifdef DEBUG_FALLBACK - Print(L"label: \"%s\"\n", label); -#endif + VerbosePrint(L"label: \"%s\"\n", label); CHAR16 *arguments = csv + comma0 +1 + comma1 +1; UINTN comma2 = StrCSpn(arguments, L","); arguments[comma2] = L'\0'; /* This one is optional, so don't check if comma2 is 0 */ -#ifdef DEBUG_FALLBACK - Print(L"arguments: \"%s\"\n", arguments); -#endif + VerbosePrint(L"arguments: \"%s\"\n", arguments); add_to_boot_list(fh, dirname, file, label, arguments); 
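Review bot: The `VerbosePrint` calls added to `populate_stanza()` print `label` and `arguments` with `%s`, but the context lines around them never confirm that a comma was found before stepping past it. If `StrCSpn` returns the distance to the terminator when no comma is present (its usual meaning, not shown here), `csv + comma0 + 1` and `csv + comma0 + 1 + comma1 + 1` point past the end of the line, and both the print and `add_to_boot_list()` then read from there. The CSV text appears to come from a file on the boot partition, so check the delimiter before overwriting it, e.g. `if (file[comma0] != L',') return EFI_INVALID_PARAMETER;`, and treat a missing second comma as empty arguments rather than advancing. The unchecked arithmetic predates this commit; what is new is that the prints read through it at runtime.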
@@ -489,9 +545,7 @@ try_boot_csv(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename) if (EFI_ERROR(rc)) return rc; -#ifdef DEBUG_FALLBACK - Print(L"Found file \"%s\"\n", fullpath); -#endif + VerbosePrint(L"Found file \"%s\"\n", fullpath); CHAR16 *buffer; UINT64 bs; @@ -503,9 +557,7 @@ try_boot_csv(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename) } FreePool(fullpath); -#ifdef DEBUG_FALLBACK - Print(L"File looks like:\n%s\n", buffer); -#endif + VerbosePrint(L"File looks like:\n%s\n", buffer); CHAR16 *start = buffer; /* The file may or may not start with the Unicode byte order marker. @@ -735,9 +787,7 @@ find_boot_options(EFI_HANDLE device) buffer = NULL; continue; } -#ifdef DEBUG_FALLBACK - Print(L"Found directory named \"%s\"\n", fi->FileName); -#endif + VerbosePrint(L"Found directory named \"%s\"\n", fi->FileName); EFI_FILE_HANDLE fh3; rc = uefi_call_wrapper(fh->Open, 5, fh2, &fh3, fi->FileName, @@ -810,7 +860,6 @@ try_start_first_option(EFI_HANDLE parent_image_handle) return rc; } -EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }; extern EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *systab); @@ -870,6 +919,12 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *systab) try_start_first_option(image); Print(L"Reset System\n"); + + if (get_fallback_verbose()) { + Print(L"Verbose enabled, sleeping for half a second\n"); + uefi_call_wrapper(BS->Stall, 1, 500000); + } + uefi_call_wrapper(RT->ResetSystem, 4, EfiResetCold, EFI_SUCCESS, 0, NULL); -- 2.14.1 ++++++ shim-fallback-workaround-masked-ami-variables.patch ++++++ --- /var/tmp/diff_new_pack.fnPROW/_old 2017-09-04 12:18:28.258102537 +0200 +++ /var/tmp/diff_new_pack.fnPROW/_new 2017-09-04 12:18:28.258102537 +0200 @@ -1,8 +1,8 @@ -From 40eef4450fd4d5ec9ea666a02c276bbe073300d3 Mon Sep 17 00:00:00 2001 +From 38744a099187401f2f5e382c2ce8869e1e9b22a0 Mon Sep 17 00:00:00 2001 
From: Lans Zhang <[email protected]> Date: Fri, 11 Aug 2017 13:42:20 +0800 -Subject: [PATCH 1/2] fallback: work around the issue of boot option creation - with AMI BIOS +Subject: [PATCH] fallback: work around the issue of boot option creation with + AMI BIOS AMI BIOS (e.g, Intel NUC5i3MYHE) may automatically hide and patch BootXXXX variables with ami_masked_device_path_guid. @@ -42,15 +42,16 @@ its next end path. Signed-off-by: Lans Zhang <[email protected]> +(cherry picked from commit 0cc030c2f2fba53b74fb09466a07b8e6297a52d3) --- fallback.c | 114 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 109 insertions(+), 5 deletions(-) diff --git a/fallback.c b/fallback.c -index 0a7058b..7b58018 100644 +index 5602a88..8c0369f 100644 --- a/fallback.c +++ b/fallback.c -@@ -226,6 +226,105 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp, +@@ -286,6 +286,105 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp, return EFI_OUT_OF_RESOURCES; } @@ -156,7 +157,7 @@ EFI_STATUS find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp, CHAR16 *filename, CHAR16 *label, CHAR16 *arguments, -@@ -255,7 +354,8 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp, +@@ -315,7 +414,8 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp, EFI_GUID global = EFI_GLOBAL_VARIABLE; EFI_STATUS rc; @@ -166,7 +167,7 @@ if (!candidate) { FreePool(data); return EFI_OUT_OF_RESOURCES; -@@ -267,17 +367,21 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp, +@@ -327,17 +427,21 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp, varname[6] = hexmap[(bootorder[i] & 0x00f0) >> 4]; varname[7] = hexmap[(bootorder[i] & 0x000f) >> 0]; 
@@ -193,35 +194,5 @@ /* at this point, we have duplicate data. */ if (!first_new_option) { -- -2.14.0 - - -From 5efee65f1cb7a04ea9434eedfc0d8a49b0305c83 Mon Sep 17 00:00:00 2001 -From: Gary Lin <[email protected]> -Date: Wed, 23 Aug 2017 18:26:00 +0800 -Subject: [PATCH 2/2] fallback: Remove VerbosePrint() - -It's not available in shim 12. - -Signed-off-by: Gary Lin <[email protected]> ---- - fallback.c | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/fallback.c b/fallback.c -index 7b58018..701a1c4 100644 ---- a/fallback.c -+++ b/fallback.c -@@ -380,9 +380,6 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp, - } else if (CompareMem(candidate, data, size)) - continue; - -- VerbosePrint(L"Found boot entry \"%s\" with label \"%s\" " -- L"for file \"%s\"\n", varname, label, filename); -- - /* at this point, we have duplicate data. */ - if (!first_new_option) { - first_new_option = DuplicateDevicePath(fulldp); --- -2.14.0 +2.14.1 ++++++ shim-more-tpm-measurement.patch ++++++ ++++ 1263 lines (skipped)
