Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2018-12-27 00:22:16 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim" Thu Dec 27 00:22:16 2018 rev:71 rq:660489 version:15+git47 Changes: -------- --- /work/SRC/openSUSE:Factory/shim/shim.changes 2018-12-11 15:42:05.746584508 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new.28833/shim.changes 2018-12-27 00:22:17.864010614 +0100 @@ -1,0 +2,23 @@ +Thu Dec 20 04:13:00 UTC 2018 - Gary Ching-Pang Lin <[email protected]> + +- Update to 15+git47 (bsc#1120026, FATE#325971) + + git commit: b3e4d1f7555aabbf5d54de5ea7cd7e839e7bd83d +- Retire the old openSUSE 4096 bit certificate + + Those programs are already out of maintenance. +- Add shim-always-mirror-mok-variables.patch to mirror MOK + variables correctly +- Add shim-correct-license-in-headers.patch to correct the license + declaration +- Refresh patches: + + shim-arch-independent-names.patch + + shim-change-debug-file-path.patch + + shim-bsc1092000-fallback-menu.patch + + shim-opensuse-cert-prompt.patch +- Drop upstreamed patches: + + shim-bsc1088585-handle-mok-allocations-better.patch + + shim-httpboot-amend-device-path.patch + + shim-httpboot-include-console.h.patch + + shim-only-os-name.patch + + shim-remove-cryptpem.patch + +------------------------------------------------------------------- Old: ---- openSUSE-UEFI-CA-Certificate-4096.crt shim-14.tar.bz2 shim-bsc1088585-handle-mok-allocations-better.patch shim-httpboot-amend-device-path.patch shim-httpboot-include-console.h.patch shim-only-os-name.patch shim-remove-cryptpem.patch New: ---- shim-15+git47.tar.bz2 shim-always-mirror-mok-variables.patch shim-correct-license-in-headers.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shim.spec ++++++ --- /var/tmp/diff_new_pack.xhi2B1/_old 2018-12-27 00:22:18.508010090 +0100 +++ /var/tmp/diff_new_pack.xhi2B1/_new 2018-12-27 00:22:18.508010090 +0100 
@@ -21,13 +21,13 @@ %undefine _build_create_debug Name: shim -Version: 14 +Version: 15+git47 Release: 0 Summary: UEFI shim loader License: BSD-2-Clause Group: System/Boot Url: https://github.com/rhboot/shim -Source: https://github.com/rhboot/shim/releases/download/%{version}/%{name}-%{version}.tar.bz2 +Source: %{name}-%{version}.tar.bz2 # run "extract_signature.sh shim.efi" where shim.efi is the binary # with the signature from the UEFI signing service. # Note: For signature requesting, check SIGNATURE_UPDATE.txt 
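Review bot: The new `Source:` line drops the upstream release URL and keeps only a bare tarball name, so the spec no longer records where `shim-15+git47.tar.bz2` comes from or how to regenerate it; the changelog names the snapshot commit b3e4d1f7555aabbf5d54de5ea7cd7e839e7bd83d but the spec does not. Keep that provenance next to the build recipe with a comment above the line, e.g. `# git snapshot of https://github.com/rhboot/shim at commit b3e4d1f7555aabbf5d54de5ea7cd7e839e7bd83d`. A note on how the snapshot was produced (or a source service that does it) would make the tarball reproducible for a later reviewer.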
@@ -39,29 +39,21 @@ Source6: attach_signature.sh Source7: show_hash.sh Source8: show_signatures.sh -Source9: openSUSE-UEFI-CA-Certificate-4096.crt -Source10: timestamp.pl -Source11: strip_signature.sh -Source12: signature-sles.x86_64.asc -Source13: signature-opensuse.aarch64.asc -Source14: signature-sles.aarch64.asc +Source9: timestamp.pl +Source10: strip_signature.sh +Source11: signature-sles.x86_64.asc +Source12: signature-opensuse.aarch64.asc +Source13: signature-sles.aarch64.asc Source99: SIGNATURE_UPDATE.txt -# PATCH-FIX-SUSE shim-only-os-name.patch [email protected] -- Only include the OS name in version.c -Patch1: shim-only-os-name.patch # PATCH-FIX-SUSE shim-arch-independent-names.patch [email protected] -- Use the Arch-independent names -Patch2: shim-arch-independent-names.patch -# PATCH-FIX-UPSTREAM shim-httpboot-include-console.h.patch [email protected] -- Include console.h in httpboot.c -Patch3: shim-httpboot-include-console.h.patch -# PATCH-FIX-UPSTREAM shim-remove-cryptpem.patch [email protected] -- Replace the functions in CryptPem.c with the null function -Patch4: shim-remove-cryptpem.patch -# PATCH-FIX-UPSTREAM shim-httpboot-amend-device-path.patch bsc#1065370 [email protected] -- Amend the device path matching rule for httpboot -Patch5: shim-httpboot-amend-device-path.patch -# PATCH-FIX-UPSTREAM shim-bsc1088585-handle-mok-allocations-better.patch bsc#1088585 [email protected] -- Handle the mok parameter allocations better -Patch6: shim-bsc1088585-handle-mok-allocations-better.patch -# PATCH-FIX-UPSTREAM shim-bsc1092000-fallback-menu.patch bsc#1092000 [email protected] -- Show a menu before reset -Patch7: shim-bsc1092000-fallback-menu.patch +Patch1: shim-arch-independent-names.patch # PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch [email protected] -- Change the default debug file path -Patch50: shim-change-debug-file-path.patch +Patch2: shim-change-debug-file-path.patch +# PATCH-FIX-UPSTREAM shim-bsc1092000-fallback-menu.patch bsc#1092000 
[email protected] -- Show a menu before reset +Patch3: shim-bsc1092000-fallback-menu.patch +# PATCH-FIX-UPSTREAM shim-always-mirror-mok-variables.patch [email protected] -- Mirror MOK variables correctly +Patch4: shim-always-mirror-mok-variables.patch +Patch5: shim-correct-license-in-headers.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch [email protected] -- Show the prompt to ask whether the user trusts openSUSE certificate or not Patch100: shim-opensuse-cert-prompt.patch BuildRequires: gnu-efi >= 3.0.3 @@ -108,9 +100,6 @@ %patch3 -p1 %patch4 -p1 %patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch50 -p1 %if 0%{?is_opensuse} == 1 %patch100 -p1 %endif @@ -145,27 +134,24 @@ for suffix in "${suffixes[@]}"; do if test "$suffix" = "opensuse"; then cert=%{SOURCE2} - cert2=%{SOURCE9} verify='openSUSE Secure Boot CA1' %ifarch x86_64 signature=%{SOURCE1} %else # AArch64 signature - signature=%{SOURCE13} + signature=%{SOURCE12} %endif elif test "$suffix" = "sles"; then cert=%{SOURCE4} - cert2='' verify='SUSE Linux Enterprise Secure Boot CA1' %ifarch x86_64 - signature=%{SOURCE12} + signature=%{SOURCE11} %else # AArch64 signature - signature=%{SOURCE14} + signature=%{SOURCE13} %endif elif test "$suffix" = "devel"; then cert=%{_sourcedir}/_projectcert.crt - cert2='' verify=`openssl x509 -in "$cert" -noout -email` signature='' test -e "$cert" || continue @@ -175,16 +161,6 @@ fi openssl x509 -in $cert -outform DER -out shim-$suffix.der - rm -f shim_cert.h shim.cer shim.crt - if [ -z "$cert2" ]; then - # create empty local cert file, we don't need a local key pair as we - # sign the mokmanager with our vendor key - touch shim.crt - touch shim.cer - else - cp $cert2 shim.crt - fi - # make sure cast warnings don't trigger post build check make EFI_PATH=/usr/lib64 RELEASE=0 SHIMSTEM=shim \ VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \ DEFAULT_LOADER="\\\\\\\\grub.efi" \ 
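Review bot: `Patch5: shim-correct-license-in-headers.patch` is the only entry in the patch list without the `# PATCH-FIX-...` tag line that every other `PatchN:` carries, so the new patch loses the one-line origin and rationale the file documents for the rest. Add the tag in the same form above it, e.g. `# PATCH-FIX-UPSTREAM shim-correct-license-in-headers.patch -- Add the license change statement for errlog.c and mok.c`, choosing the tag that matches whether the change has been submitted upstream.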
@@ -193,7 +169,7 @@ # assert correct certificate embedded grep -q "$verify" shim.efi # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx - chmod 755 %{SOURCE10} + chmod 755 %{SOURCE9} # alternative: verify signature #sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi if test -n "$signature"; then @@ -201,7 +177,7 @@ cp shim.efi shim.efi.bak # pe header contains timestamp and checksum. we need to # restore that - %{SOURCE10} --set-from-file "$signature" shim.efi + %{SOURCE9} --set-from-file "$signature" shim.efi pesign -h -P -i shim.efi > hash2 cat hash1 hash2 if ! cmp -s hash1 hash2; then @@ -220,9 +196,10 @@ mv shim.efi shim-$suffix.efi fi mv shim.efi.debug shim-$suffix.debug - rm -f shim.cer shim.crt - # make sure cert.o gets rebuilt - rm -f cert.o + # remove the build cert if exists + rm -f shim_cert.h shim.cer shim.crt + # make sure all object files gets rebuilt + rm -f *.o done ln -s shim-${suffixes[0]}.efi shim.efi ++++++ shim-always-mirror-mok-variables.patch ++++++ >From e6ce8788f4a622da1ba5421a5eb11df163a56727 Mon Sep 17 00:00:00 2001 From: Gary Lin <[email protected]> Date: Wed, 21 Nov 2018 12:47:43 +0800 Subject: [PATCH] MOK: Fix the missing vendor cert in MokListRT When there is no key in MokList, import_mok_state() just skipped MokList even though it should always mirror the vendor cert. https://github.com/rhboot/shim/issues/154 Signed-off-by: Gary Lin <[email protected]> --- mok.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/mok.c b/mok.c index 3867521..0bcab32 100644 --- a/mok.c +++ b/mok.c 
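Review bot: In the last hunk the new comment `# make sure all object files gets rebuilt` overstates what `rm -f *.o` does: the glob only matches the top level of the build tree, so objects in subdirectories (for example whatever `lib/console.c`, touched elsewhere in this submission, compiles to) survive between the opensuse/sles/devel iterations. If only the cert-dependent top-level objects need rebuilding, say so, e.g. `# make sure the top-level objects, including cert.o, get rebuilt`; if everything must be rebuilt, `make clean` or `find . -name '*.o' -delete` is the honest equivalent.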
@@ -223,11 +223,18 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) UINT32 attrs = 0; BOOLEAN delete = FALSE, present, addend; + addend = (v->addend_source && v->addend_size && + *v->addend_source && *v->addend_size) + ? TRUE : FALSE; + efi_status = get_variable_attr(v->name, &v->data, &v->data_size, *v->guid, &attrs); - if (efi_status == EFI_NOT_FOUND) + if (efi_status == EFI_NOT_FOUND) { + if (addend) + goto mirror_addend; continue; + } if (EFI_ERROR(efi_status)) { perror(L"Could not verify %s: %r\n", v->name, efi_status); @@ -272,9 +279,6 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) } present = (v->data && v->data_size) ? TRUE : FALSE; - addend = (v->addend_source && v->addend_size && - *v->addend_source && *v->addend_size) - ? TRUE : FALSE; if (v->flags & MOK_VARIABLE_MEASURE && present) { /* @@ -304,7 +308,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) } } - if (v->rtname && present && addend) { +mirror_addend: + if (v->rtname && (present || addend)) { if (v->flags & MOK_MIRROR_DELETE_FIRST) LibDeleteVariable(v->rtname, v->guid); -- 2.19.2 ++++++ shim-arch-independent-names.patch ++++++ --- /var/tmp/diff_new_pack.xhi2B1/_old 2018-12-27 00:22:18.584010028 +0100 +++ /var/tmp/diff_new_pack.xhi2B1/_new 2018-12-27 00:22:18.584010028 +0100 @@ -1,4 +1,4 @@ -From ffd90c3957fe8621e660d663b38b2eef8559c84a Mon Sep 17 00:00:00 2001 +From b0fc750ab3af4883a7124229398a758837a4e7ce Mon Sep 17 00:00:00 2001 From: Gary Lin <[email protected]> Date: Tue, 22 Aug 2017 12:43:36 +0800 Subject: [PATCH] Make the names of EFI binaries arch-independent @@ -11,46 +11,51 @@ Signed-off-by: Gary Lin <[email protected]> --- fallback.c | 2 +- - shim.c | 6 +++--- - 2 files changed, 4 insertions(+), 4 deletions(-) + shim.c | 2 +- + shim.h | 4 ++-- + 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/fallback.c b/fallback.c -index 46894af..886e052 100644 +index c3f5583..01f2ae4 100644 --- a/fallback.c 
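Review bot: On the new `goto mirror_addend` path `present` is read before it is ever assigned: it is declared `BOOLEAN delete = FALSE, present, addend;` and only set by `present = (v->data && v->data_size) ? TRUE : FALSE;`, which the jump skips, so `(present || addend)` at the label in the third hunk evaluates an indeterminate value (undefined behaviour even though `addend` is TRUE there and the outcome happens not to depend on it). Initialise it in the declaration, `BOOLEAN delete = FALSE, present = FALSE, addend;`. The same path also relies on `v->data` and `v->data_size` being left empty by `get_variable_attr()` on EFI_NOT_FOUND, which deserves a comment at the label, e.g. `/* reached with v->data == NULL when the variable is absent; only the addend is mirrored */` — confirm against get_variable_attr(). import_mok_state() begins and ends outside these hunks.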
+++ b/fallback.c -@@ -977,7 +977,7 @@ debug_hook(void) +@@ -999,7 +999,7 @@ debug_hook(void) x = 1; - Print(L"add-symbol-file "DEBUGDIR -- L"fb" EFI_ARCH L".efi.debug %p -s .data %p\n", &_etext, -+ L"fallback.efi.debug %p -s .data %p\n", &_etext, - &_edata); + console_print(L"add-symbol-file "DEBUGDIR +- L"fb" EFI_ARCH L".efi.debug %p -s .data %p\n", ++ L"fallback.efi.debug %p -s .data %p\n", + &_etext, &_edata); } diff --git a/shim.c b/shim.c -index aec9f8f..7b34868 100644 +index fcc11eb..248c946 100644 --- a/shim.c +++ b/shim.c -@@ -50,8 +50,8 @@ +@@ -2554,7 +2554,7 @@ debug_hook(void) + FreePool(data); - #include <Library/BaseCryptLib.h> + console_print(L"add-symbol-file "DEBUGDIR +- L"shim" EFI_ARCH L".efi.debug 0x%08x -s .data 0x%08x\n", ++ L"shim.efi.debug 0x%08x -s .data 0x%08x\n", + &_text, &_data); + + console_print(L"Pausing for debugger attachment.\n"); +diff --git a/shim.h b/shim.h +index 2b359d8..d9c60f5 100644 +--- a/shim.h ++++ b/shim.h +@@ -92,8 +92,8 @@ + #endif + #endif -#define FALLBACK L"\\fb" EFI_ARCH L".efi" -#define MOK_MANAGER L"\\mm" EFI_ARCH L".efi" +#define FALLBACK L"\\fallback.efi" +#define MOK_MANAGER L"\\MokManager.efi" - #define OID_EKU_MODSIGN "1.3.6.1.4.1.2312.16.1.2" - -@@ -2852,7 +2852,7 @@ debug_hook(void) - } - - Print(L"add-symbol-file "DEBUGDIR -- L"shim" EFI_ARCH L".efi.debug 0x%08x -s .data 0x%08x\n", &_text, -+ L"shim.efi.debug 0x%08x -s .data 0x%08x\n", &_text, - &_data); - - Print(L"Pausing for debugger attachment.\n"); + #include "include/configtable.h" + #include "include/console.h" -- -2.15.1 +2.19.2 ++++++ shim-bsc1092000-fallback-menu.patch ++++++ --- /var/tmp/diff_new_pack.xhi2B1/_old 2018-12-27 00:22:18.592010022 +0100 +++ /var/tmp/diff_new_pack.xhi2B1/_new 2018-12-27 00:22:18.596010018 +0100 @@ -1,7 +1,234 @@ -From 22269728415432718e7757842086785d7daf0cc3 Mon Sep 17 00:00:00 2001 +From 407763d37cae353609b3f3ef78ff127745860357 Mon Sep 17 00:00:00 2001 
From: Gary Lin <[email protected]> -Date: Mon, 28 May 2018 10:57:06 +0800 -Subject: [PATCH] fallback: show a countdown menu before reset +Date: Wed, 23 May 2018 16:58:31 +0800 +Subject: [PATCH 1/2] console: Move the countdown function to console.c + +Move the countdown function from MokManager to console.c to make the +function public + +Also make console_save_and_set_mode() and console_restore_mode() public + +Signed-off-by: Gary Lin <[email protected]> +--- + MokManager.c | 71 ++++--------------------------------------- + include/console.h | 6 ++++ + lib/console.c | 76 +++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 88 insertions(+), 65 deletions(-) + +diff --git a/MokManager.c b/MokManager.c +index 2e55c50..1ab8e5e 100644 +--- a/MokManager.c ++++ b/MokManager.c +@@ -733,30 +733,6 @@ done: + return efi_status; + } + +-static void console_save_and_set_mode(SIMPLE_TEXT_OUTPUT_MODE * SavedMode) +-{ +- SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut; +- +- if (!SavedMode) { +- console_print(L"Invalid parameter: SavedMode\n"); +- return; +- } +- +- CopyMem(SavedMode, co->Mode, sizeof(SIMPLE_TEXT_OUTPUT_MODE)); +- co->EnableCursor(co, FALSE); +- co->SetAttribute(co, EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE); +-} +- +-static void console_restore_mode(SIMPLE_TEXT_OUTPUT_MODE * SavedMode) +-{ +- SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut; +- +- co->EnableCursor(co, SavedMode->CursorVisible); +- co->SetCursorPosition(co, SavedMode->CursorColumn, +- SavedMode->CursorRow); +- co->SetAttribute(co, SavedMode->Attribute); +-} +- + static INTN reset_system() + { + gRT->ResetSystem(EfiResetWarm, EFI_SUCCESS, 0, NULL); +@@ -2032,18 +2008,13 @@ static BOOLEAN verify_pw(BOOLEAN * protected) + + static int draw_countdown() + { +- SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut; +- SIMPLE_INPUT_INTERFACE *ci = ST->ConIn; +- SIMPLE_TEXT_OUTPUT_MODE SavedMode; +- EFI_INPUT_KEY key; +- EFI_STATUS efi_status; +- UINTN cols, rows; +- CHAR16 *title[2]; + CHAR16 *message = 
L"Press any key to perform MOK management"; ++ CHAR16 *title; ++ EFI_STATUS efi_status; + void *MokTimeout = NULL; + MokTimeoutvar *var; + UINTN MokTimeoutSize = 0; +- int timeout, wait = 10000000; ++ int timeout; + + efi_status = get_variable(L"MokTimeout", (UINT8 **) &MokTimeout, + &MokTimeoutSize, SHIM_LOCK_GUID); +@@ -2059,41 +2030,11 @@ static int draw_countdown() + if (timeout < 0) + return timeout; + +- console_save_and_set_mode(&SavedMode); +- +- title[0] = PoolPrint(L"%s UEFI key management", SHIM_VENDOR); +- title[1] = NULL; +- +- console_print_box_at(title, -1, 0, 0, -1, -1, 1, 1); +- +- co->QueryMode(co, co->Mode->Mode, &cols, &rows); +- +- console_print_at((cols - StrLen(message)) / 2, rows / 2, message); +- while (1) { +- if (timeout > 1) +- console_print_at(2, rows - 3, +- L"Booting in %d seconds ", +- timeout); +- else if (timeout) +- console_print_at(2, rows - 3, +- L"Booting in %d second ", +- timeout); ++ title = PoolPrint(L"%s UEFI key management", SHIM_VENDOR); + +- efi_status = WaitForSingleEvent(ci->WaitForKey, wait); +- if (efi_status != EFI_TIMEOUT) { +- /* Clear the key in the queue */ +- ci->ReadKeyStroke(ci, &key); +- break; +- } ++ timeout = console_countdown(title, message, timeout); + +- timeout--; +- if (!timeout) +- break; +- } +- +- FreePool(title[0]); +- +- console_restore_mode(&SavedMode); ++ FreePool(title); + + return timeout; + } +diff --git a/include/console.h b/include/console.h +index deb4fa3..bd75eb5 100644 +--- a/include/console.h ++++ b/include/console.h +@@ -33,6 +33,12 @@ console_alertbox(CHAR16 **title); + void + console_notify(CHAR16 *string); + void ++console_save_and_set_mode(SIMPLE_TEXT_OUTPUT_MODE * SavedMode); ++void ++console_restore_mode(SIMPLE_TEXT_OUTPUT_MODE * SavedMode); ++int ++console_countdown(CHAR16* title, const CHAR16* message, int timeout); ++void + console_reset(void); + #define NOSEL 0x7fffffff + +diff --git a/lib/console.c b/lib/console.c +index 3aee41c..2d421af 100644 +--- a/lib/console.c ++++ 
b/lib/console.c +@@ -409,6 +409,82 @@ console_notify(CHAR16 *string) + console_alertbox(str_arr); + } + ++void ++console_save_and_set_mode(SIMPLE_TEXT_OUTPUT_MODE * SavedMode) ++{ ++ SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut; ++ ++ if (!SavedMode) { ++ console_print(L"Invalid parameter: SavedMode\n"); ++ return; ++ } ++ ++ CopyMem(SavedMode, co->Mode, sizeof(SIMPLE_TEXT_OUTPUT_MODE)); ++ co->EnableCursor(co, FALSE); ++ co->SetAttribute(co, EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE); ++} ++ ++void ++console_restore_mode(SIMPLE_TEXT_OUTPUT_MODE * SavedMode) ++{ ++ SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut; ++ ++ co->EnableCursor(co, SavedMode->CursorVisible); ++ co->SetCursorPosition(co, SavedMode->CursorColumn, ++ SavedMode->CursorRow); ++ co->SetAttribute(co, SavedMode->Attribute); ++} ++ ++int ++console_countdown(CHAR16* title, const CHAR16* message, ++ int timeout) ++{ ++ SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut; ++ SIMPLE_INPUT_INTERFACE *ci = ST->ConIn; ++ SIMPLE_TEXT_OUTPUT_MODE SavedMode; ++ EFI_INPUT_KEY key; ++ EFI_STATUS efi_status; ++ UINTN cols, rows; ++ CHAR16 *titles[2]; ++ int wait = 10000000; ++ ++ console_save_and_set_mode(&SavedMode); ++ ++ titles[0] = title; ++ titles[1] = NULL; ++ ++ console_print_box_at(titles, -1, 0, 0, -1, -1, 1, 1); ++ ++ co->QueryMode(co, co->Mode->Mode, &cols, &rows); ++ ++ console_print_at((cols - StrLen(message)) / 2, rows / 2, message); ++ while (1) { ++ if (timeout > 1) ++ console_print_at(2, rows - 3, ++ L"Booting in %d seconds ", ++ timeout); ++ else if (timeout) ++ console_print_at(2, rows - 3, ++ L"Booting in %d second ", ++ timeout); ++ ++ efi_status = WaitForSingleEvent(ci->WaitForKey, wait); ++ if (efi_status != EFI_TIMEOUT) { ++ /* Clear the key in the queue */ ++ ci->ReadKeyStroke(ci, &key); ++ break; ++ } ++ ++ timeout--; ++ if (!timeout) ++ break; ++ } ++ ++ console_restore_mode(&SavedMode); ++ ++ return timeout; ++} ++ + #define ARRAY_SIZE(a) (sizeof (a) / sizeof ((a)[0])) + + /* Copy of gnu-efi-3.0 
with the added secure boot strings */ +-- +2.19.2 + + +From 9544a6dc75343059184d9dfb0cfdc4eda880afd0 Mon Sep 17 00:00:00 2001 +From: Gary Lin <[email protected]> +Date: Wed, 23 May 2018 18:13:05 +0800 +Subject: [PATCH 2/2] fallback: show a countdown menu before reset Some machines with the faulty firmware may keep booting the default boot path instead of the boot option we create. To avoid the infinite reset @@ -13,42 +240,38 @@ removing the variable. https://github.com/rhboot/shim/issues/128 -https://bugzilla.opensuse.org/show_bug.cgi?id=1092000 Signed-off-by: Gary Lin <[email protected]> --- - fallback.c | 144 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 144 insertions(+) + fallback.c | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 81 insertions(+) diff --git a/fallback.c b/fallback.c -index 886e052..1f3eb78 100644 +index 01f2ae4..33f104f 100644 --- a/fallback.c +++ b/fallback.c -@@ -13,6 +13,9 @@ - #include "ucs2.h" - #include "variables.h" - #include "tpm.h" -+#include "console.h" -+ -+#define NO_REBOOT L"FB_NO_REBOOT" +@@ -12,6 +12,8 @@ + #include "shim.h" + ++#define NO_REBOOT L"FB_NO_REBOOT" ++ EFI_LOADED_IMAGE *this_image = NULL; -@@ -953,6 +956,127 @@ try_start_first_option(EFI_HANDLE parent_image_handle) - return rc; + int +@@ -973,6 +975,65 @@ try_start_first_option(EFI_HANDLE parent_image_handle) + return efi_status; } +static UINT32 +get_fallback_no_reboot(void) +{ -+ EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; + EFI_STATUS efi_status; + UINT32 no_reboot; + UINTN size = sizeof(UINT32); + -+ efi_status = uefi_call_wrapper(RT->GetVariable, 5, -+ NO_REBOOT, &shim_lock_guid, -+ NULL, &size, &no_reboot); ++ efi_status = gRT->GetVariable(NO_REBOOT, &SHIM_LOCK_GUID, ++ NULL, &size, &no_reboot); + if (!EFI_ERROR(efi_status)) { + return no_reboot; + } 
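Review bot: `console_countdown()` in the new lib/console.c has no guard for `timeout <= 0`: with 0 the loop prints nothing, waits once, decrements to -1 and then never satisfies `if (!timeout)`, so it prints `Booting in -1 second` and keeps counting down until a key arrives. The MokManager caller filters negative values first (`if (timeout < 0) return timeout;`) and fallback passes 5, but the function is now exported through include/console.h, so an early `if (timeout <= 0) return timeout;` or a documented precondition on the prototype would make it safe for other callers. `int wait = 10000000;` also deserves a comment saying it is the WaitForSingleEvent timeout, presumably in 100 ns units, i.e. one second — confirm against the gnu-efi prototype.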
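Review bot: `get_fallback_no_reboot()` returns `no_reboot` after a successful `gRT->GetVariable()` without checking that `size` still equals `sizeof(UINT32)`, and `no_reboot` is not initialised. `FB_NO_REBOOT` is created with EFI_VARIABLE_RUNTIME_ACCESS in the following hunk, so the variable can be rewritten from the running OS with a shorter payload, in which case GetVariable succeeds and the unwritten bytes of `no_reboot` are indeterminate. Initialise it (`UINT32 no_reboot = 0;`) and only trust the value when `!EFI_ERROR(efi_status) && size == sizeof(no_reboot)`. The function's tail, including the fallthrough return, lies outside this hunk.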
@@ -58,84 +281,24 @@ +static EFI_STATUS +set_fallback_no_reboot(void) +{ -+ EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; + EFI_STATUS efi_status; + UINT32 no_reboot = 1; -+ efi_status = uefi_call_wrapper(RT->SetVariable, 5, -+ NO_REBOOT, &shim_lock_guid, -+ EFI_VARIABLE_NON_VOLATILE -+ | EFI_VARIABLE_BOOTSERVICE_ACCESS -+ | EFI_VARIABLE_RUNTIME_ACCESS, -+ sizeof(UINT32), &no_reboot); ++ efi_status = gRT->SetVariable(NO_REBOOT, &SHIM_LOCK_GUID, ++ EFI_VARIABLE_NON_VOLATILE ++ | EFI_VARIABLE_BOOTSERVICE_ACCESS ++ | EFI_VARIABLE_RUNTIME_ACCESS, ++ sizeof(UINT32), &no_reboot); + return efi_status; +} + -+static void console_save_and_set_mode (SIMPLE_TEXT_OUTPUT_MODE *SavedMode) -+{ -+ if (!SavedMode) { -+ Print(L"Invalid parameter: SavedMode\n"); -+ return; -+ } -+ -+ CopyMem(SavedMode, ST->ConOut->Mode, sizeof(SIMPLE_TEXT_OUTPUT_MODE)); -+ uefi_call_wrapper(ST->ConOut->EnableCursor, 2, ST->ConOut, FALSE); -+ uefi_call_wrapper(ST->ConOut->SetAttribute, 2, ST->ConOut, -+ EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE); -+} -+ -+static void console_restore_mode (SIMPLE_TEXT_OUTPUT_MODE *SavedMode) -+{ -+ uefi_call_wrapper(ST->ConOut->EnableCursor, 2, ST->ConOut, -+ SavedMode->CursorVisible); -+ uefi_call_wrapper(ST->ConOut->SetCursorPosition, 3, ST->ConOut, -+ SavedMode->CursorColumn, SavedMode->CursorRow); -+ uefi_call_wrapper(ST->ConOut->SetAttribute, 2, ST->ConOut, -+ SavedMode->Attribute); -+} -+ +static int +draw_countdown(void) +{ -+ SIMPLE_TEXT_OUTPUT_MODE SavedMode; -+ EFI_INPUT_KEY key; -+ EFI_STATUS status; -+ UINTN cols, rows; -+ CHAR16 *title[2]; ++ CHAR16 *title = L"Boot Option Restoration"; + CHAR16 *message = L"Press any key to stop system reset"; -+ int timeout = 5, wait = 10000000; -+ -+ console_save_and_set_mode (&SavedMode); ++ int timeout; + -+ title[0] = L"Boot Option Restoration"; -+ title[1] = NULL; -+ -+ console_print_box_at(title, -1, 0, 0, -1, -1, 1, 1); -+ -+ uefi_call_wrapper(ST->ConOut->QueryMode, 4, ST->ConOut, -+ ST->ConOut->Mode->Mode, &cols, &rows); -+ 
-+ PrintAt((cols - StrLen(message))/2, rows/2, message); -+ while (1) { -+ if (timeout > 1) -+ PrintAt(2, rows - 3, L"Booting in %d seconds ", timeout); -+ else if (timeout) -+ PrintAt(2, rows - 3, L"Booting in %d second ", timeout); -+ -+ status = WaitForSingleEvent(ST->ConIn->WaitForKey, wait); -+ -+ if (status != EFI_TIMEOUT) { -+ /* Clear the key in the queue */ -+ uefi_call_wrapper(ST->ConIn->ReadKeyStroke, 2, -+ ST->ConIn, &key); -+ break; -+ } -+ -+ timeout--; -+ if (!timeout) -+ break; -+ } -+ -+ console_restore_mode(&SavedMode); ++ timeout = console_countdown(title, message, 5); + + return timeout; +} @@ -162,7 +325,7 @@ extern EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *systab); -@@ -1014,6 +1138,26 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *systab) +@@ -1039,6 +1100,26 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *systab) VerbosePrint(L"tpm not present, starting the first image\n"); try_start_first_option(image); } else { @@ -179,8 +342,8 @@ + if (choice == 0) { + goto reset; + } else if (choice == 2) { -+ rc = set_fallback_no_reboot(); -+ if (EFI_ERROR(rc)) ++ efi_status = set_fallback_no_reboot(); ++ if (EFI_ERROR(efi_status)) + goto reset; + } + VerbosePrint(L"tpm present, starting the first image\n"); @@ -190,5 +353,5 @@ } -- -2.16.3 +2.19.2 ++++++ shim-change-debug-file-path.patch ++++++ --- /var/tmp/diff_new_pack.xhi2B1/_old 2018-12-27 00:22:18.608010008 +0100 +++ /var/tmp/diff_new_pack.xhi2B1/_new 2018-12-27 00:22:18.608010008 +0100 @@ -1,18 +1,18 @@ -From 4e83fe57c5a8f1ba32a264f7a936e0e3a9aafedc Mon Sep 17 00:00:00 2001 +From e766e3943fa8513c1afe01e69e8aa6ec14067028 Mon Sep 17 00:00:00 2001 From: Gary Lin <[email protected]> Date: Thu, 4 Jan 2018 12:28:37 +0800 Subject: [PATCH] Use our own debug path 
Signed-off-by: Gary Lin <[email protected]> --- - Makefile | 2 +- + Make.defaults | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/Makefile b/Makefile -index f4b7adb..55f6126 100644 ---- a/Makefile -+++ b/Makefile -@@ -122,7 +122,7 @@ SHIMHASHNAME = $(SHIMSTEM).hash +diff --git a/Make.defaults b/Make.defaults +index bbfc1d7..1cec0e1 100644 +--- a/Make.defaults ++++ b/Make.defaults +@@ -119,7 +119,7 @@ SHIMHASHNAME = $(SHIMSTEM).hash BOOTEFINAME ?= BOOT$(ARCH_SUFFIX_UPPER).EFI BOOTCSVNAME ?= BOOT$(ARCH_SUFFIX_UPPER).CSV @@ -22,5 +22,5 @@ ifneq ($(origin VENDOR_CERT_FILE), undefined) CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\" -- -2.15.1 +2.19.2 ++++++ shim-correct-license-in-headers.patch ++++++ >From 64492acf8b1d72cea0c3e203887bfe26fb840f1d Mon Sep 17 00:00:00 2001 From: Gary Lin <[email protected]> Date: Thu, 13 Dec 2018 17:19:36 +0800 Subject: [PATCH] Add the license change statement for errlog.c and mok.c --- errlog.c | 6 ++++++ mok.c | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/errlog.c b/errlog.c index 18be482..4a1fffb 100644 --- a/errlog.c +++ b/errlog.c @@ -3,6 +3,12 @@ * Copyright 2017 Peter Jones <[email protected]> * * Distributed under terms of the GPLv3 license. + * + * As Peter stated in issues#155: + * "I'll publicly state here that as the author of those files, you can + * treat them as dual-licensed with the GPLv3 text that accidentally + * made it in and the BSD license they should have borne." + * Ref: https://github.com/rhboot/shim/issues/155#issuecomment-443738252 */ #include "shim.h" diff --git a/mok.c b/mok.c index 3867521..903b3b4 100644 --- a/mok.c +++ b/mok.c 
@@ -3,6 +3,12 @@ * Copyright 2017 Peter Jones <[email protected]> * * Distributed under terms of the GPLv3 license. + * + * As Peter stated in issues#155: + * "I'll publicly state here that as the author of those files, you can + * treat them as dual-licensed with the GPLv3 text that accidentally + * made it in and the BSD license they should have borne." + * Ref: https://github.com/rhboot/shim/issues/155#issuecomment-443738252 */ #include "shim.h" -- 2.19.2 ++++++ shim-opensuse-cert-prompt.patch ++++++ --- /var/tmp/diff_new_pack.xhi2B1/_old 2018-12-27 00:22:18.628009992 +0100 +++ /var/tmp/diff_new_pack.xhi2B1/_new 2018-12-27 00:22:18.628009992 +0100 @@ -1,4 +1,4 @@ -From aab03ce2522a3610ecfd5e2f9e896a1ccdd5a94a Mon Sep 17 00:00:00 2001 +From 49355a83722494099caeb23b46637b2c94a6ab9e Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <[email protected]> Date: Tue, 18 Feb 2014 17:29:19 +0800 Subject: [PATCH 1/3] Show the build-in certificate prompt @@ -17,14 +17,30 @@ The state will store in use_openSUSE_cert, a volatile RT variable. --- - shim.c | 77 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- - 1 file changed, 75 insertions(+), 2 deletions(-) - + mok.c | 3 ++- + shim.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++- + shim.h | 1 + + 3 files changed, 71 insertions(+), 2 deletions(-) + +diff --git a/mok.c b/mok.c +index 00dd1ad..1645d24 100644 +--- a/mok.c ++++ b/mok.c +@@ -139,7 +139,8 @@ static EFI_STATUS mirror_one_mok_variable(struct mok_state_variable *v) + + if ((v->flags & MOK_MIRROR_KEYDB) && + v->addend_source && *v->addend_source && +- v->addend_size && *v->addend_size) { ++ v->addend_size && *v->addend_size && ++ use_builtin_cert) { + EFI_SIGNATURE_LIST *CertList = NULL; + EFI_SIGNATURE_DATA *CertData = NULL; + FullDataSize = v->data_size diff --git a/shim.c b/shim.c -index 7b34868..be250b6 100644 +index 248c946..d52f46f 100644 --- a/shim.c 
+++ b/shim.c -@@ -93,6 +93,7 @@ UINT8 *vendor_dbx; +@@ -83,6 +83,7 @@ UINT8 *vendor_dbx; */ verification_method_t verification_method; int loader_is_participating; @@ -32,8 +48,8 @@ #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }} -@@ -1096,7 +1097,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, - LogError(L"check_whitelist(): %r\n", status); +@@ -1066,7 +1067,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, + return efi_status; } - if (cert) { @@ -41,17 +57,8 @@ #if defined(ENABLE_SHIM_CERT) /* * Check against the shim build key -@@ -2080,7 +2081,7 @@ EFI_STATUS mirror_mok_list() - if (efi_status != EFI_SUCCESS) - DataSize = 0; - -- if (vendor_cert_size) { -+ if (vendor_cert_size && use_builtin_cert) { - FullDataSize = DataSize - + sizeof (*CertList) - + sizeof (EFI_GUID) -@@ -2829,6 +2830,75 @@ shim_fini(void) - setup_console(0); +@@ -2529,6 +2530,69 @@ shim_fini(void) + console_fini(); } +#define VENDOR_VERIFY L"openSUSE_Verify" @@ -59,7 +66,6 @@ +/* Show the built-in certificate prompt if necessary */ +static int builtin_cert_prompt(void) +{ -+ EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; + EFI_STATUS status; + UINT32 attributes; + UINTN len = sizeof(UINT8); @@ -70,15 +76,14 @@ + if (vendor_cert_size == 0) + return 0; + -+ status = uefi_call_wrapper(RT->GetVariable, 5, VENDOR_VERIFY, -+ &shim_lock_guid, &attributes, -+ &len, &data); ++ status = gRT->GetVariable(VENDOR_VERIFY, &SHIM_LOCK_GUID, ++ &attributes, &len, (void *)&data); + if (status != EFI_SUCCESS || + (attributes & EFI_VARIABLE_RUNTIME_ACCESS)) { + int choice; + + if (status != EFI_NOT_FOUND) -+ LibDeleteVariable(VENDOR_VERIFY, &shim_lock_guid); ++ LibDeleteVariable(VENDOR_VERIFY, &SHIM_LOCK_GUID); + + CHAR16 *str[] = {L"Trust openSUSE Certificate", + L"", 
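Review bot: The mok.c change gates the vendor cert on `use_builtin_cert` inside `mirror_one_mok_variable()`, while `shim-always-mirror-mok-variables.patch` in the same submission makes `import_mok_state()` jump to the mirror step whenever `addend` is TRUE, i.e. whenever a vendor cert is compiled in, regardless of `use_builtin_cert`. When MokList is absent and the user has declined the certificate the mirror step therefore runs with neither MOK data nor the cert; what `mirror_one_mok_variable()` does then (skip, or create an empty MokListRT) is not visible here and is worth stating in a comment on the new condition, e.g. `/* declined vendor cert: mirror only the MokList contents, if any */`. Both functions begin and end outside this hunk.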
@@ -92,12 +97,10 @@ + } + + data = 1; -+ status = uefi_call_wrapper(RT->SetVariable, 5, -+ VENDOR_VERIFY, -+ &shim_lock_guid, -+ EFI_VARIABLE_NON_VOLATILE | -+ EFI_VARIABLE_BOOTSERVICE_ACCESS, -+ sizeof(UINT8), &data); ++ status = gRT->SetVariable(VENDOR_VERIFY, &SHIM_LOCK_GUID, ++ EFI_VARIABLE_NON_VOLATILE | ++ EFI_VARIABLE_BOOTSERVICE_ACCESS, ++ sizeof(UINT8), &data); + if (status != EFI_SUCCESS) { + console_error(L"Failed to set openSUSE_Verify", status); + return -1; @@ -109,12 +112,10 @@ + +done: + /* Setup a runtime variable to show the current state */ -+ status = uefi_call_wrapper(RT->SetVariable, 5, -+ L"use_openSUSE_cert", -+ &shim_lock_guid, -+ EFI_VARIABLE_BOOTSERVICE_ACCESS | -+ EFI_VARIABLE_RUNTIME_ACCESS, -+ sizeof(UINT8), &data); ++ status = gRT->SetVariable(L"use_openSUSE_cert", &SHIM_LOCK_GUID, ++ EFI_VARIABLE_BOOTSERVICE_ACCESS | ++ EFI_VARIABLE_RUNTIME_ACCESS, ++ sizeof(UINT8), &data); + if (status != EFI_SUCCESS) { + console_error(L"Failed to set use_openSUSE_cert", status); + return -1; 
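Review bot: The test `(attributes & EFI_VARIABLE_RUNTIME_ACCESS)` in `builtin_cert_prompt()` encodes a trust decision the code does not explain: shim writes `openSUSE_Verify` with NON_VOLATILE|BOOTSERVICE_ACCESS only (visible in the next hunk), so a copy that carries RUNTIME_ACCESS cannot be shim's own and is deleted and re-asked. Put that rationale on the condition, e.g. `/* shim creates openSUSE_Verify without RUNTIME_ACCESS; a runtime-accessible copy was not written by us, so discard it and prompt again */`. It is also worth noting next to it that `attributes` is only meaningful when GetVariable succeeded — the short-circuit on `status != EFI_SUCCESS` keeps that correct, but a reader has to work it out. builtin_cert_prompt() continues outside this hunk.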
@@ -126,21 +127,33 @@ extern EFI_STATUS efi_main(EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab); -@@ -2933,6 +3003,9 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab) +@@ -2623,6 +2687,9 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab) */ - check_mok_sb(); + debug_hook(); + if (secure_mode() && (builtin_cert_prompt() != 0)) + return EFI_ABORTED; + - efi_status = shim_init(); - if (EFI_ERROR(efi_status)) { - Print(L"Something has gone seriously wrong: %r\n", efi_status); + /* + * Before we do anything else, validate our non-volatile, + * boot-services-only state variables are what we think they are. +diff --git a/shim.h b/shim.h +index d9c60f5..ab384d4 100644 +--- a/shim.h ++++ b/shim.h +@@ -174,6 +174,7 @@ extern UINT8 *vendor_dbx; + extern UINT8 user_insecure_mode; + extern UINT8 ignore_db; + extern UINT8 in_protocol; ++extern BOOLEAN use_builtin_cert; + + #define perror_(file, line, func, fmt, ...) ({ \ + UINTN __perror_ret = 0; \ -- -2.16.2 +2.19.2 -From d377f58aadd8c5579a922ef3c237d3ed25bb6d00 Mon Sep 17 00:00:00 2001 +From 18b6390f3193ebccad44cf1448ce54be512cd066 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <[email protected]> Date: Thu, 20 Feb 2014 16:57:08 +0800 Subject: [PATCH 2/3] Support revoking the openSUSE cert @@ -151,20 +164,19 @@ and store the password hash in the variable, and then MokManager will show up with an additional option to clear openSUSE_Verify --- - MokManager.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- - shim.c | 2 +- - 2 files changed, 60 insertions(+), 3 deletions(-) + MokManager.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++-- + mok.c | 2 +- + 2 files changed, 59 insertions(+), 3 deletions(-) diff --git a/MokManager.c b/MokManager.c -index 42bf72d..7a2b5fe 100644 +index 1ab8e5e..fbb7d22 100644 --- a/MokManager.c 
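Review bot: The rebased call `if (secure_mode() && (builtin_cert_prompt() != 0))` now sits directly after `debug_hook();` and ahead of the block commented "Before we do anything else, validate our non-volatile, boot-services-only state variables", whereas the old placement was after `check_mok_sb();`. If `secure_mode()` takes part of its answer from those MOK state variables, as the old ordering suggests, the prompt is now evaluated before that state is imported and may appear even when validation was disabled through MokManager. Please confirm the ordering against the 15+git47 efi_main and, if that is the case, move the call below the state-variable validation so shim's own state is checked before any user decision is stored.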
+++ b/MokManager.c -@@ -1794,6 +1794,33 @@ mokpw_done: +@@ -1715,6 +1715,31 @@ mokpw_done: return EFI_SUCCESS; } +static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) { -+ EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; + EFI_STATUS status; + + if (console_yes_no((CHAR16 *[]){L"Do you want to revoke openSUSE certificate?", NULL}) != 1) @@ -177,23 +189,22 @@ + if (status != EFI_SUCCESS) + return -1; + -+ status = LibDeleteVariable(L"openSUSE_Verify", &shim_lock_guid); ++ status = LibDeleteVariable(L"openSUSE_Verify", &SHIM_LOCK_GUID); + if (status != EFI_SUCCESS) { + console_error(L"Failed to delete openSUSE_Verify", status); + return -1; + } + + console_notify(L"The system must now be rebooted"); -+ uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm, -+ EFI_SUCCESS, 0, NULL); ++ gRT->ResetSystem(EfiResetWarm, EFI_SUCCESS, 0, NULL); + console_notify(L"Failed to reboot"); + return -1; +} + - static BOOLEAN verify_certificate(UINT8 *cert, UINTN size) + static BOOLEAN verify_certificate(UINT8 * cert, UINTN size) { X509 *X509Cert; -@@ -2150,6 +2177,7 @@ typedef enum { +@@ -2050,6 +2075,7 @@ typedef enum { MOK_CHANGE_SB, MOK_SET_PW, MOK_CHANGE_DB, @@ -201,7 +212,7 @@ MOK_KEY_ENROLL, MOK_HASH_ENROLL } mok_menu_item; -@@ -2170,7 +2198,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, +@@ -2070,7 +2096,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, void *MokPW, UINTN MokPWSize, void *MokDB, UINTN MokDBSize, void *MokXNew, UINTN MokXNewSize, 
@@ -211,17 +222,20 @@ { CHAR16 **menu_strings = NULL; mok_menu_item *menu_item = NULL; -@@ -2250,6 +2279,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, +@@ -2146,8 +2173,12 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, if (MokDB) menucount++; + if (ClearVerify) + menucount++; + - menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (menucount + 1)); - + menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * + (menucount + 1)); ++ if (!menu_strings) -@@ -2322,6 +2354,12 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, + return EFI_OUT_OF_RESOURCES; + +@@ -2217,6 +2248,12 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, i++; } @@ -234,8 +248,8 @@ menu_strings[i] = L"Enroll key from disk"; menu_item[i] = MOK_KEY_ENROLL; i++; -@@ -2424,6 +2462,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, - if (efi_status == EFI_SUCCESS) +@@ -2321,6 +2358,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, + if (!EFI_ERROR(efi_status)) MokDB = NULL; break; + case MOK_CLEAR_VERIFY: 
@@ -244,34 +258,34 @@ case MOK_KEY_ENROLL: efi_status = mok_key_enroll(); break; -@@ -2456,6 +2497,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) - EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; +@@ -2352,6 +2392,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) + { UINTN MokNewSize = 0, MokDelSize = 0, MokSBSize = 0, MokPWSize = 0; UINTN MokDBSize = 0, MokXNewSize = 0, MokXDelSize = 0; + UINTN ClearVerifySize = 0; void *MokNew = NULL; void *MokDel = NULL; void *MokSB = NULL; -@@ -2463,6 +2505,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) +@@ -2359,6 +2400,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) void *MokDB = NULL; void *MokXNew = NULL; void *MokXDel = NULL; + void *ClearVerify = NULL; - EFI_STATUS status; + EFI_STATUS efi_status; - status = get_variable(L"MokNew", (UINT8 **)&MokNew, &MokNewSize, -@@ -2535,9 +2578,20 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) - console_error(L"Could not retrieve MokXDel", status); + efi_status = get_variable(L"MokNew", (UINT8 **) & MokNew, &MokNewSize, +@@ -2431,9 +2473,20 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) + console_error(L"Could not retrieve MokXDel", efi_status); } -+ status = get_variable(L"ClearVerify", (UINT8 **)&ClearVerify, &ClearVerifySize, -+ shim_lock_guid); -+ if (status == EFI_SUCCESS) { -+ if (LibDeleteVariable(L"ClearVerify", &shim_lock_guid) != EFI_SUCCESS) { ++ efi_status = get_variable(L"ClearVerify", (UINT8 **)&ClearVerify, ++ &ClearVerifySize, SHIM_LOCK_GUID); ++ if (!EFI_ERROR(efi_status)) { ++ efi_status = LibDeleteVariable(L"ClearVerify", &SHIM_LOCK_GUID); ++ if (EFI_ERROR(efi_status)) + console_notify(L"Failed to delete ClearVerify"); -+ } -+ } else if (EFI_ERROR(status) && status != EFI_NOT_FOUND) { -+ console_error(L"Could not retrieve ClearVerify", status); ++ } else if (EFI_ERROR(efi_status) && efi_status != EFI_NOT_FOUND) { ++ console_error(L"Could not retrieve ClearVerify", 
efi_status); + } + enter_mok_menu(image_handle, MokNew, MokNewSize, MokDel, MokDelSize, @@ -281,22 +295,22 @@ + ClearVerify, ClearVerifySize); if (MokNew) - FreePool (MokNew); -@@ -2560,6 +2614,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) + FreePool(MokNew); +@@ -2456,6 +2509,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) if (MokXDel) - FreePool (MokXDel); + FreePool(MokXDel); + if (ClearVerify) + FreePool (ClearVerify); + - LibDeleteVariable(L"MokAuth", &shim_lock_guid); - LibDeleteVariable(L"MokDelAuth", &shim_lock_guid); - LibDeleteVariable(L"MokXAuth", &shim_lock_guid); -diff --git a/shim.c b/shim.c -index be250b6..d461edd 100644 ---- a/shim.c -+++ b/shim.c -@@ -2233,7 +2233,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle) + LibDeleteVariable(L"MokAuth", &SHIM_LOCK_GUID); + LibDeleteVariable(L"MokDelAuth", &SHIM_LOCK_GUID); + LibDeleteVariable(L"MokXAuth", &SHIM_LOCK_GUID); +diff --git a/mok.c b/mok.c +index 1645d24..45110cd 100644 +--- a/mok.c ++++ b/mok.c +@@ -37,7 +37,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) check_var(L"MokPW") || check_var(L"MokAuth") || check_var(L"MokDel") || check_var(L"MokDB") || check_var(L"MokXNew") || check_var(L"MokXDel") || @@ -304,12 +318,12 @@ + check_var(L"MokXAuth") || check_var(L"ClearVerify")) { efi_status = start_image(image_handle, MOK_MANAGER); - if (efi_status != EFI_SUCCESS) { + if (EFI_ERROR(efi_status)) { -- -2.16.2 +2.19.2 -From 5a60e36a5c2bad616bc842d7ffaa6acc1493650f Mon Sep 17 00:00:00 2001 +From f16f00e47824722651e2e4f2b327dfbe4fb6367d Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <[email protected]> Date: Fri, 7 Mar 2014 16:17:20 +0800 Subject: [PATCH 3/3] Delete openSUSE_Verify the right way @@ -322,21 +336,21 @@ 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/MokManager.c b/MokManager.c -index 7a2b5fe..feae113 100644 +index fbb7d22..22336d4 100644 --- a/MokManager.c 
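Review bot: The added cleanup `FreePool (ClearVerify);` keeps the old `FreePool (x)` spacing while the refreshed context lines around it were changed to `FreePool(MokNew);` and `FreePool(MokXDel);`, so the patch reintroduces the style the upstream reformat removed. Change it to `FreePool(ClearVerify);` to match the surrounding code.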
+++ b/MokManager.c -@@ -1808,7 +1808,10 @@ static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) { +@@ -1728,7 +1728,10 @@ static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) { if (status != EFI_SUCCESS) return -1; -- status = LibDeleteVariable(L"openSUSE_Verify", &shim_lock_guid); -+ status = uefi_call_wrapper(RT->SetVariable, 5, -+ L"openSUSE_Verify", &shim_lock_guid, -+ EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE, -+ 0, NULL); +- status = LibDeleteVariable(L"openSUSE_Verify", &SHIM_LOCK_GUID); ++ status = gRT->SetVariable(L"openSUSE_Verify", &SHIM_LOCK_GUID, ++ EFI_VARIABLE_BOOTSERVICE_ACCESS | ++ EFI_VARIABLE_NON_VOLATILE, ++ 0, NULL); if (status != EFI_SUCCESS) { console_error(L"Failed to delete openSUSE_Verify", status); return -1; -- -2.16.2 +2.19.2
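Review bot: With the deletion now done through `gRT->SetVariable(L"openSUSE_Verify", &SHIM_LOCK_GUID, EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE, 0, NULL)`, the check `if (status != EFI_SUCCESS)` still reports "Failed to delete openSUSE_Verify" and returns -1 without rebooting when the variable does not exist, which a zero-size write reports as EFI_NOT_FOUND. If `openSUSE_Verify` can be absent at this point, a revoke request made when the certificate was never trusted ends in an error after the caller has already consumed `ClearVerify`; consider `if (status != EFI_SUCCESS && status != EFI_NOT_FOUND) {` so an absent variable counts as already revoked. The size-0 write with matching attributes is the right way to remove a boot-services-only non-volatile variable, so the attribute change itself looks correct. mok_clear_verify_prompt() starts outside this hunk.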
