Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2020-07-13 09:04:41
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and      /work/SRC/openSUSE:Factory/.shim.new.3060 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "shim"

Mon Jul 13 09:04:41 2020 rev:81 rq:819891 version:15+git47

Changes:
--------
--- /work/SRC/openSUSE:Factory/shim/shim.changes        2020-04-04 
12:19:41.475637883 +0200
+++ /work/SRC/openSUSE:Factory/.shim.new.3060/shim.changes      2020-07-13 
09:04:55.784002540 +0200
@@ -1,0 +2,6 @@
+Fri Jul 10 06:28:44 UTC 2020 - Gary Ching-Pang Lin <[email protected]>
+
+- Add shim-bsc1173411-only-check-efi-var-on-sb.patch to only check
+  EFI variable copying when Secure Boot is enabled (bsc#1173411)
+
+-------------------------------------------------------------------
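
Review bot: The changelog wording "only check EFI variable copying when Secure Boot is enabled" does not match the shim.c change carried by the new patch. There, import_mok_state() is still called on every boot, and the only relaxation is that an EFI_INVALID_PARAMETER result is not fatal when secure_mode() is false. Suggest rewording to something like "only make EFI variable copy failure fatal when Secure Boot is enabled", so a reader of the changelog does not conclude the check is skipped on non-Secure-Boot systems.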

New:
----
  shim-bsc1173411-only-check-efi-var-on-sb.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ shim.spec ++++++
--- /var/tmp/diff_new_pack.52X9VG/_old  2020-07-13 09:04:56.472004269 +0200
+++ /var/tmp/diff_new_pack.52X9VG/_new  2020-07-13 09:04:56.472004269 +0200
@@ -75,6 +75,8 @@
 Patch6:         gcc9-fix-warnings.patch
 # PATCH-FIX-OPENSUSE shim-fix-gnu-efi-3.0.11.patch [email protected] -- Fix the 
build error caused by the typo fix in gnu-efi 3.0.11
 Patch7:         shim-fix-gnu-efi-3.0.11.patch
+# PATCH-FIX-UPSTREAM shim-bsc1173411-only-check-efi-var-on-sb.patch 
bsc#1173411 [email protected] -- Make EFI variable copying check only fatal on SB 
systems
+Patch8:         shim-bsc1173411-only-check-efi-var-on-sb.patch
 # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch [email protected] -- Show the 
prompt to ask whether the user trusts openSUSE certificate or not
 Patch100:       shim-opensuse-cert-prompt.patch
 BuildRequires:  gnu-efi >= 3.0.3
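
Review bot: The PATCH-FIX-UPSTREAM comment for Patch8 gives the bug number but no upstream reference, and its summary drops the EFI_INVALID_PARAMETER condition. Since the patch header identifies the commit as 741c61abba7d5c74166f8d0c1b9ee8001ebcd186, consider citing that hash in the comment so the patch can be dropped cleanly at the next version bump, and note that the relaxation applies only to that one error code.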
@@ -123,6 +125,7 @@
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
 %if 0%{?is_opensuse} == 1
 %patch100 -p1
 %endif



++++++ shim-bsc1173411-only-check-efi-var-on-sb.patch ++++++
>From 741c61abba7d5c74166f8d0c1b9ee8001ebcd186 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk <[email protected]>
Date: Thu, 6 Dec 2018 10:08:45 +0100
Subject: [PATCH] Make EFI variable copying fatal only on secureboot enabled
 systems

I have come across systems that are unwilling to reserve enough memory for
a MokListRT big enough for big certificates.
This seems to be the case with firmware implementations that do not support
secureboot, which is probably the reason they went with much lower variable
storage.

This patch set makes sure we can still boot on those systems, by only
making the copy action fatal if the system has secure boot enabled, or if
the error was anything other than EFI_INVALID_PARAMETER.

Signed-off-by: Patrick Uiterwijk <[email protected]>
---
 shim.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/shim.c b/shim.c
index 7d25ad6..aee4727 100644
--- a/shim.c
+++ b/shim.c
@@ -2639,7 +2639,17 @@ efi_main (EFI_HANDLE passed_image_handle, 
EFI_SYSTEM_TABLE *passed_systab)
         * boot-services-only state variables are what we think they are.
         */
        efi_status = import_mok_state(image_handle);
-       if (EFI_ERROR(efi_status)) {
+       if (!secure_mode() && efi_status == EFI_INVALID_PARAMETER) {
+               /*
+                * Make copy failures fatal only if secure_mode is enabled, or
+                * the error was anything else than EFI_INVALID_PARAMETER.
+                * There are non-secureboot firmware implementations that don't
+                * reserve enough EFI variable memory to fit the variable.
+                */
+               console_print(L"Importing MOK states has failed: %s: %r\n",
+                             msgs[msg], efi_status);
+               console_print(L"Continuing boot since secure mode is disabled");
+       } else if (EFI_ERROR(efi_status)) {
 die:
                console_print(L"Something has gone seriously wrong: %s: %r\n",
                              msgs[msg], efi_status);
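
Review bot: The second console_print() in the new branch, L"Continuing boot since secure mode is disabled", has no trailing \n, unlike the message just above it and the one under die:, so the next console output will run onto the same line; add the newline. Separately, the condition treats every EFI_INVALID_PARAMETER from import_mok_state() as the "not enough variable storage" case described in the comment. Any other cause of that status is also tolerated once secure_mode() is false, and boot continues without the MOK state having been mirrored. It is worth confirming that later code on this path does not assume the import succeeded.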
-- 
2.25.1


