Hello community, here is the log from the commit of package ovmf for openSUSE:Factory checked in at 2018-12-11 15:41:53 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ovmf (Old) and /work/SRC/openSUSE:Factory/.ovmf.new.19453 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ovmf" Tue Dec 11 15:41:53 2018 rev:29 rq:655463 version:2018+git1542164568.85588389222a Changes: -------- --- /work/SRC/openSUSE:Factory/ovmf/ovmf.changes 2018-11-18 23:24:34.958033759 +0100 +++ /work/SRC/openSUSE:Factory/.ovmf.new.19453/ovmf.changes 2018-12-11 15:41:58.966591929 +0100 @@ -1,0 +2,9 @@ +Mon Dec 3 08:05:38 UTC 2018 - Gary Ching-Pang Lin <g...@suse.com> + +- Update ovmf-embed-default-keys.patch and add owner-guid-zero.h to + set the default owner of PK/KEK/db/dbx and make the + auto-enrollment only happen at the very first boot. (bsc#1117998) +- Change the group of qemu-ovmf-x86_64-debug to Development/Sources + since there is no Development/Debug anymore + +------------------------------------------------------------------- New: ---- owner-guid-zero.h ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ovmf.spec ++++++ --- /var/tmp/diff_new_pack.M6iKkb/_old 2018-12-11 15:42:01.258589420 +0100 +++ /var/tmp/diff_new_pack.M6iKkb/_new 2018-12-11 15:42:01.258589420 +0100 @@ -42,6 +42,7 @@ Source11: http://www.uefi.org/sites/default/files/resources/dbxupdate.zip Source12: strip_authinfo.pl Source13: MicWinProPCA2011_2011-10-19.crt +Source14: owner-guid-zero.h Source100: %{name}-rpmlintrc Source101: gdb_uefi.py.in Patch2: %{name}-embed-default-keys.patch @@ -114,7 +115,7 @@ %package -n qemu-ovmf-x86_64-debug Summary: Open Virtual Machine Firmware - debug symbols (x86_64) -Group: Development/Debug +Group: Development/Sources Requires: qemu %description -n qemu-ovmf-x86_64-debug @@ -270,6 +271,7 @@ xxd -i Default_DB > SecurityPkg/Library/AuthVariableLib/Default_DB.h xxd -i Default_DB_EX > SecurityPkg/Library/AuthVariableLib/Default_DB_EX.h xxd -i Default_DBX > SecurityPkg/Library/AuthVariableLib/Default_DBX.h + cat Default_Owner > SecurityPkg/Library/AuthVariableLib/Default_Owner.h for suffix in $suffix_base $suffix_base-4m; do if [ "$suffix" = "$suffix_base-4m" ]; then @@ -290,6 +292,7 @@ openssl x509 -in %{SOURCE3} -outform DER > Default_DB truncate -s 0 Default_DB_EX truncate -s 0 Default_DBX +cat %{SOURCE14} > Default_Owner build_with_keys suse #unpack the UEFI revocation list @@ -302,6 +305,8 @@ cat %{SOURCE13} > Default_DB_EX chmod 755 %{SOURCE12} %{SOURCE12} dbxupdate.bin Default_DBX +echo "EFI_GUID DefaultOwnerGUID = {0x77fa9abd, 0x0359, 0x4d32, {0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}};" > \ +Default_Owner build_with_keys ms # OVMF with openSUSE keys @@ -310,6 +315,7 @@ openssl x509 -in %{SOURCE8} -outform DER > Default_DB truncate -s 0 Default_DB_EX truncate -s 0 Default_DBX +cat %{SOURCE14} > Default_Owner build_with_keys opensuse # OVMF with openSUSE keys (4096 bit CA) @@ -318,6 +324,7 @@ openssl x509 -in %{SOURCE10} -outform DER > Default_DB truncate -s 0 Default_DB_EX truncate -s 0 Default_DBX +cat %{SOURCE14} > Default_Owner build_with_keys opensuse-4096 if [ -e %{_sourcedir}/_projectcert.crt ]; then @@ -330,6 +337,7 @@ openssl x509 -in %{_sourcedir}/_projectcert.crt -outform DER > Default_DB truncate -s 0 Default_DB_EX truncate -s 0 Default_DBX + cat %{SOURCE14} > Default_Owner build_with_keys devel fi fi ++++++ ovmf-embed-default-keys.patch ++++++ --- /var/tmp/diff_new_pack.M6iKkb/_old 2018-12-11 15:42:01.354589316 +0100 +++ /var/tmp/diff_new_pack.M6iKkb/_new 2018-12-11 15:42:01.358589310 +0100 @@ -1,16 +1,16 @@ -From 933284f94b8bffb7d3d81152e0b5f49c46a9f787 Mon Sep 17 00:00:00 2001 +From 9263239b037b71f81b14ac86746dafd582527b98 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <g...@suse.com> Date: Fri, 10 May 2013 10:27:51 +0800 -Subject: [PATCH 1/3] Add a stub to allow keys to be embedded at build time +Subject: [PATCH 1/5] Add a stub to allow keys to be embedded at build time Signed-off-by: Gary Ching-Pang Lin <g...@suse.com> --- - .../Library/AuthVariableLib/AuthVariableLib.c | 180 +++++++++++++++++++++ - .../Library/AuthVariableLib/AuthVariableLib.inf | 4 + - SecurityPkg/Library/AuthVariableLib/Default_DB.h | 2 + - SecurityPkg/Library/AuthVariableLib/Default_DBX.h | 2 + - SecurityPkg/Library/AuthVariableLib/Default_KEK.h | 2 + - SecurityPkg/Library/AuthVariableLib/Default_PK.h | 2 + + .../Library/AuthVariableLib/AuthVariableLib.c | 180 ++++++++++++++++++ + .../AuthVariableLib/AuthVariableLib.inf | 4 + + .../Library/AuthVariableLib/Default_DB.h | 2 + + .../Library/AuthVariableLib/Default_DBX.h | 2 + + .../Library/AuthVariableLib/Default_KEK.h | 2 + + .../Library/AuthVariableLib/Default_PK.h | 2 + 6 files changed, 192 insertions(+) create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_DB.h create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_DBX.h @@ -18,7 +18,7 @@ create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_PK.h diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c -index 00917eb374..a7a46fc648 100644 +index 00917eb37436..a7a46fc648ea 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c @@ -23,6 +23,10 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. @@ -223,7 +223,7 @@ // Reserve runtime buffer for certificate database. The size excludes variable header and name size. // Use EFI_CERT_DB_VOLATILE_NAME size since it is longer. diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf -index 572ba4e120..1a46019a5f 100644 +index 572ba4e120d2..1a46019a5f42 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf @@ -33,6 +33,10 @@ [Sources] @@ -239,7 +239,7 @@ MdePkg/MdePkg.dec diff --git a/SecurityPkg/Library/AuthVariableLib/Default_DB.h b/SecurityPkg/Library/AuthVariableLib/Default_DB.h new file mode 100644 -index 0000000000..4d13894216 +index 000000000000..4d138942164e --- /dev/null +++ b/SecurityPkg/Library/AuthVariableLib/Default_DB.h @@ -0,0 +1,2 @@ @@ -247,7 +247,7 @@ +unsigned int Default_DB_len = 0; diff --git a/SecurityPkg/Library/AuthVariableLib/Default_DBX.h b/SecurityPkg/Library/AuthVariableLib/Default_DBX.h new file mode 100644 -index 0000000000..5fd3cdc0f4 +index 000000000000..5fd3cdc0f43d --- /dev/null +++ b/SecurityPkg/Library/AuthVariableLib/Default_DBX.h @@ -0,0 +1,2 @@ @@ -255,7 +255,7 @@ +unsigned int Default_DBX_len = 0; diff --git a/SecurityPkg/Library/AuthVariableLib/Default_KEK.h b/SecurityPkg/Library/AuthVariableLib/Default_KEK.h new file mode 100644 -index 0000000000..80883de1ae +index 000000000000..80883de1aeeb --- /dev/null +++ b/SecurityPkg/Library/AuthVariableLib/Default_KEK.h @@ -0,0 +1,2 @@ @@ -263,30 +263,30 @@ +unsigned int Default_KEK_len = 0; diff --git a/SecurityPkg/Library/AuthVariableLib/Default_PK.h b/SecurityPkg/Library/AuthVariableLib/Default_PK.h new file mode 100644 -index 0000000000..23b90e45f0 +index 000000000000..23b90e45f07d --- /dev/null +++ b/SecurityPkg/Library/AuthVariableLib/Default_PK.h @@ -0,0 +1,2 @@ +unsigned char *Default_PK = NULL; +unsigned int Default_PK_len = 0; -- -2.15.0 +2.19.1 -From 72d09098734d00696e0db13d9b84bb01a0c89c76 Mon Sep 17 00:00:00 2001 +From a76f3966a97f51acfb83839aa3349f7af9966466 Mon Sep 17 00:00:00 2001 From: Gary Lin <g...@suse.com> Date: Tue, 15 Dec 2015 16:54:54 +0800 -Subject: [PATCH 2/3] Add DB_EX to include one more DB cert +Subject: [PATCH 2/5] Add DB_EX to include one more DB cert Signed-off-by: Gary Lin <g...@suse.com> --- - .../Library/AuthVariableLib/AuthVariableLib.c | 27 ++++++++++++++++++---- - .../Library/AuthVariableLib/Default_DB_EX.h | 2 ++ + .../Library/AuthVariableLib/AuthVariableLib.c | 27 ++++++++++++++++--- + .../Library/AuthVariableLib/Default_DB_EX.h | 2 ++ 2 files changed, 25 insertions(+), 4 deletions(-) create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_DB_EX.h diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c -index a7a46fc648..114f3d84c6 100644 +index a7a46fc648ea..114f3d84c68f 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c @@ -26,6 +26,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. @@ -353,20 +353,20 @@ FreePool(SignatureGUID); diff --git a/SecurityPkg/Library/AuthVariableLib/Default_DB_EX.h b/SecurityPkg/Library/AuthVariableLib/Default_DB_EX.h new file mode 100644 -index 0000000000..001f125065 +index 000000000000..001f12506530 --- /dev/null +++ b/SecurityPkg/Library/AuthVariableLib/Default_DB_EX.h @@ -0,0 +1,2 @@ +unsigned char *Default_DB_EX = NULL; +unsigned int Default_DB_EX_len = 0; -- -2.15.0 +2.19.1 -From 5db901016015df0955085003387f52655ed9b964 Mon Sep 17 00:00:00 2001 +From ce3429b55bc96e80e194075f0fafc5163382e422 Mon Sep 17 00:00:00 2001 From: Gary Lin <g...@suse.com> Date: Mon, 28 Aug 2017 16:18:00 +0800 -Subject: [PATCH 3/3] Check the length of the certificate instead of the +Subject: [PATCH 3/5] Check the length of the certificate instead of the pointer Since "xxd -i" may produce a valid pointer for an empty file, it's safer @@ -374,11 +374,11 @@ Signed-off-by: Gary Lin <g...@suse.com> --- - SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c | 12 ++++++------ + .../Library/AuthVariableLib/AuthVariableLib.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c -index 114f3d84c6..641823216a 100644 +index 114f3d84c68f..641823216a39 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c @@ -164,7 +164,7 @@ AuthVariableLibInitialize ( @@ -436,5 +436,188 @@ Status = AuthServiceInternalFindVariable ( -- -2.15.0 +2.19.1 + + +From b64d3f5128cfbee3648d04a39820584d5798700b Mon Sep 17 00:00:00 2001 +From: Gary Lin <g...@suse.com> +Date: Fri, 30 Nov 2018 15:31:51 +0800 +Subject: [PATCH 4/5] Add the DefaultOwnerGUID + +Ref: https://bugzilla.suse.com/show_bug.cgi?id=1117998 + +A new header file is added to set the default GUID for the signature +owner. + +Signed-off-by: Gary Lin <g...@suse.com> +--- + .../Library/AuthVariableLib/AuthVariableLib.c | 28 ++++--------------- + .../Library/AuthVariableLib/Default_Owner.h | 1 + + 2 files changed, 6 insertions(+), 23 deletions(-) + create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_Owner.h + +diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c +index 641823216a39..fc9bbd2ad392 100644 +--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c ++++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c +@@ -28,6 +28,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + #include "Default_DB.h" + #include "Default_DB_EX.h" + #include "Default_DBX.h" ++#include "Default_Owner.h" + + /// + /// Global database array for scratch +@@ -139,7 +140,6 @@ AuthVariableLibInitialize ( + EFI_SIGNATURE_LIST *SigCert; + EFI_SIGNATURE_DATA *SigCertData; + UINTN SigSize; +- EFI_GUID *SignatureGUID; + UINT32 Attr; + + if ((AuthVarLibContextIn == NULL) || (AuthVarLibContextOut == NULL)) { +@@ -174,11 +174,6 @@ AuthVariableLibInitialize ( + &DataSize + ); + if (Status == EFI_NOT_FOUND) { +- SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID)); +- if (SignatureGUID == NULL) { +- return EFI_OUT_OF_RESOURCES; +- } +- + SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_PK_len; + Data = AllocateZeroPool (SigSize); + if (Data == NULL) { +@@ -192,7 +187,7 @@ AuthVariableLibInitialize ( + CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid); + + SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST)); +- CopyGuid (&SigCertData->SignatureOwner, SignatureGUID); ++ CopyGuid (&SigCertData->SignatureOwner, &DefaultOwnerGUID); + CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_PK, Default_PK_len); + + Status = AuthServiceInternalUpdateVariable ( +@@ -202,7 +197,6 @@ AuthVariableLibInitialize ( + SigSize, + Attr + ); +- FreePool(SignatureGUID); + FreePool(Data); + + if (EFI_ERROR (Status)) { +@@ -221,11 +215,6 @@ AuthVariableLibInitialize ( + &DataSize + ); + if (Status == EFI_NOT_FOUND) { +- SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID)); +- if (SignatureGUID == NULL) { +- return EFI_OUT_OF_RESOURCES; +- } +- + SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_KEK_len; + Data = AllocateZeroPool (SigSize); + if (Data == NULL) { +@@ -239,7 +228,7 @@ AuthVariableLibInitialize ( + CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid); + + SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST)); +- CopyGuid (&SigCertData->SignatureOwner, SignatureGUID); ++ CopyGuid (&SigCertData->SignatureOwner, &DefaultOwnerGUID); + CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_KEK, Default_KEK_len); + + Status = AuthServiceInternalUpdateVariable ( +@@ -249,7 +238,6 @@ AuthVariableLibInitialize ( + SigSize, + Attr + ); +- FreePool(SignatureGUID); + FreePool(Data); + + if (EFI_ERROR (Status)) { +@@ -271,11 +259,6 @@ AuthVariableLibInitialize ( + UINTN SigSize_1 = 0; + UINTN SigSize_2 = 0; + +- SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID)); +- if (SignatureGUID == NULL) { +- return EFI_OUT_OF_RESOURCES; +- } +- + SigSize_1 = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len; + if (Default_DB_EX_len != 0) { + SigSize_2 = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_EX_len; +@@ -292,7 +275,7 @@ AuthVariableLibInitialize ( + CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid); + + SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST)); +- CopyGuid (&SigCertData->SignatureOwner, SignatureGUID); ++ CopyGuid (&SigCertData->SignatureOwner, &DefaultOwnerGUID); + CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_DB, Default_DB_len); + + if (Default_DB_EX_len != 0) { +@@ -303,7 +286,7 @@ AuthVariableLibInitialize ( + CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid); + + SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST)); +- CopyGuid (&SigCertData->SignatureOwner, SignatureGUID); ++ CopyGuid (&SigCertData->SignatureOwner, &DefaultOwnerGUID); + CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_DB_EX, Default_DB_EX_len); + } + +@@ -314,7 +297,6 @@ AuthVariableLibInitialize ( + SigSize_1 + SigSize_2, + Attr + ); +- FreePool(SignatureGUID); + FreePool(Data); + + if (EFI_ERROR (Status)) { +diff --git a/SecurityPkg/Library/AuthVariableLib/Default_Owner.h b/SecurityPkg/Library/AuthVariableLib/Default_Owner.h +new file mode 100644 +index 000000000000..6230ed7d9605 +--- /dev/null ++++ b/SecurityPkg/Library/AuthVariableLib/Default_Owner.h +@@ -0,0 +1 @@ ++EFI_GUID DefaultOwnerGUID = {0x00000000, 0x0000, 0x0000, {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}}; +-- +2.19.1 + + +From 47d96fd043c2c4b2fc21864ec669f4542a4cfc30 Mon Sep 17 00:00:00 2001 +From: Gary Lin <g...@suse.com> +Date: Mon, 3 Dec 2018 16:02:27 +0800 +Subject: [PATCH 5/5] Check VendorKeysNv before creating PK/KEK/db + +Ref: https://bugzilla.suse.com/show_bug.cgi?id=1117998 + +We only need to create PK/KEK/db for the very first time. + +Signed-off-by: Gary Lin <g...@suse.com> +--- + SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c +index fc9bbd2ad392..cea1dc7bfba5 100644 +--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c ++++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c +@@ -158,6 +158,16 @@ AuthVariableLibInitialize ( + } + + //**** ++ // Check VendorKeysNv and create PK/KEK/DB only for the "first boot" ++ Status = AuthServiceInternalFindVariable ( ++ EFI_VENDOR_KEYS_NV_VARIABLE_NAME, ++ &gEfiVendorKeysNvGuid, ++ (VOID **) &Data, ++ &DataSize ++ ); ++ if (Status != EFI_NOT_FOUND) ++ goto SKIP_KEYS; ++ + // Create signature list for PK KEK DB + Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | + EFI_VARIABLE_BOOTSERVICE_ACCESS | +-- +2.19.1 ++++++ owner-guid-zero.h ++++++ EFI_GUID DefaultOwnerGUID = {0x00000000, 0x0000, 0x0000, {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}};