Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in at 2016-08-17 11:59:46

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and      /work/SRC/openSUSE:Factory/.shim.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim" Changes: -------- --- /work/SRC/openSUSE:Factory/shim/shim.changes 2016-05-13 09:22:00.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2016-08-17 11:59:48.000000000 +0200 
@@ -1,0 +2,37 @@ +Fri Aug 5 02:53:54 UTC 2016 - [email protected] + +- Add shim-bsc991885-fix-sig-length.patch to fix the signature + length passed to Authenticode (bsc#991885) + +------------------------------------------------------------------- +Wed Aug 3 09:10:25 UTC 2016 - [email protected] + +- Update shim-bsc973496-mokmanager-no-append-write.patch to try + append write first + +------------------------------------------------------------------- +Tue Aug 2 02:59:46 UTC 2016 - [email protected] + +- Add shim-update-openssl-1.0.2h.patch to update openssl to 1.0.2h +- Bump the requirement of gnu-efi due to the HTTPBoot support + +------------------------------------------------------------------- +Mon Aug 1 09:01:59 UTC 2016 - [email protected] + +- Add shim-httpboot-support.patch to support HTTPBoot +- Add shim-update-openssl-1.0.2g.patch to update openssl to 1.0.2g + and Cryptlib to 5e2318dd37a51948aaf845c7d920b11f47cdcfe6 +- Drop patches since they are merged into + shim-update-openssl-1.0.2g.patch + + shim-update-openssl-1.0.2d.patch + + shim-gcc5.patch + + shim-bsc950569-fix-cryptlib-va-functions.patch + + shim-fix-aarch64.patch +- Refresh shim-change-debug-file-path.patch +- Add shim-bsc973496-mokmanager-no-append-write.patch to work + around the firmware that doesn't support APPEND_WRITE (bsc973496) +- shim-install : remove '\n' from the help message (bsc#991188) +- shim-install : print a message if there is no valid EFI partition + (bsc#991187) + +------------------------------------------------------------------- Old: ---- shim-bsc950569-fix-cryptlib-va-functions.patch shim-fix-aarch64.patch shim-gcc5.patch shim-update-openssl-1.0.2d.patch New: ---- shim-bsc973496-mokmanager-no-append-write.patch shim-bsc991885-fix-sig-length.patch shim-httpboot-support.patch shim-update-openssl-1.0.2g.patch shim-update-openssl-1.0.2h.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shim.spec 
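Review bot: the APPEND_WRITE entry in this changelog hunk cites its bug as "(bsc973496)" while every other entry in the same hunk uses the "bsc#NNNNNN" form ("(bsc#991885)", "(bsc#991188)", "(bsc#991187)"); write it as "(bsc#973496)" so the reference is parsed consistently with the rest of the file.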
++++++ --- /var/tmp/diff_new_pack.qZ1cTj/_old 2016-08-17 11:59:50.000000000 +0200 +++ /var/tmp/diff_new_pack.qZ1cTj/_new 2016-08-17 11:59:50.000000000 +0200 
@@ -44,18 +44,21 @@ Source12: signature-sles.asc # PATCH-FIX-SUSE shim-only-os-name.patch [email protected] -- Only include the OS name in version.c Patch1: shim-only-os-name.patch -# PATCH-FIX-UPSTREAM shim-update-openssl-1.0.2d.patch [email protected] -- Update openssl to 1.0.2d -Patch4: shim-update-openssl-1.0.2d.patch -# PATCH-FIX-UPSTREAM shim-gcc5.patch [email protected] -- Specify the gnu89 standard -Patch5: shim-gcc5.patch -# PATCH-FIX-UPSTREAM shim-bsc950569-fix-cryptlib-va-functions.patch bsc#950569 [email protected] -- Fix the definition of the va functions to avoid the potential crash -Patch6: shim-bsc950569-fix-cryptlib-va-functions.patch -Patch7: shim-fix-aarch64.patch +# PATCH-FIX-UPSTREAM FATE#320129 shim-httpboot-support.patch [email protected] -- Add HTTPBoot support +Patch2: shim-httpboot-support.patch +# PATCH-FIX-UPSTREAM shim-update-openssl-1.0.2g.patch [email protected] -- Update openssl to 1.0.2g +Patch3: shim-update-openssl-1.0.2g.patch +# PATCH-FIX-UPSTREAM bsc#973496 shim-bsc973496-mokmanager-no-append-write.patch [email protected] -- Work around the firmware that doesn't support APPEND_WRITE +Patch4: shim-bsc973496-mokmanager-no-append-write.patch +# PATCH-FIX-UPSTREAM shim-update-openssl-1.0.2h.patch [email protected] -- Update openssl to 1.0.2h +Patch5: shim-update-openssl-1.0.2h.patch +# PATCH-FIX-UPSTREAM bsc#991885 shim-bsc991885-fix-sig-length.patch [email protected] -- Fix the signature length passed to Authenticode +Patch6: shim-bsc991885-fix-sig-length.patch # PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch [email protected] -- Change the default debug file path Patch50: shim-change-debug-file-path.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch [email protected] -- Show the prompt to ask whether the user trusts openSUSE certificate or not Patch100: shim-opensuse-cert-prompt.patch -BuildRequires: gnu-efi >= 3.0t +BuildRequires: gnu-efi >= 3.0.3 BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 
BuildRequires: pesign @@ -91,10 +94,11 @@ %prep %setup -q %patch1 -p1 +%patch2 -p1 +%patch3 -p1 %patch4 -p1 %patch5 -p1 %patch6 -p1 -%patch7 -p1 %patch50 -p1 %patch100 -p1 %build ++++++ shim-bsc973496-mokmanager-no-append-write.patch ++++++ >From 3bd098ea88d36cdaa550cdd384f7a08d3586d7e5 Mon Sep 17 00:00:00 2001 From: Gary Lin <[email protected]> Date: Thu, 28 Jul 2016 15:11:14 +0800 Subject: [PATCH 1/2] MokManager: Remove the usage of APPEND_WRITE We got the bug report about the usage of APPEND_WRITE that may cause the failure when writing a variable in Lenovo machines. Although EFI_VARIABLE_APPEND_WRITE already exists in the UEFI spec for years, unfortunately, some vendors just ignore it and never implement the attribute. This commit removes the usage of EFI_VARIABLE_APPEND_WRITE to make MokManager work on those machines. https://github.com/rhinstaller/shim/issues/55 Signed-off-by: Gary Lin <[email protected]> --- MokManager.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 48 insertions(+), 8 deletions(-) diff --git a/MokManager.c b/MokManager.c index 2de6853..9ed7b4b 100644 --- a/MokManager.c +++ b/MokManager.c @@ -23,8 +23,6 @@ #define SHIM_VENDOR L"Shim" #endif -#define EFI_VARIABLE_APPEND_WRITE 0x00000040 - EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }; EFI_GUID EFI_CERT_SHA224_GUID = { 0xb6e5233, 0xa65c, 0x44c9, {0x94, 0x7, 0xd9, 0xab, 0x83, 0xbf, 0xc8, 0xbd} }; EFI_GUID EFI_CERT_SHA384_GUID = { 0xff3e5307, 0x9fd0, 0x48c9, {0x85, 0xf1, 0x8a, 0xd5, 0x6c, 0x70, 0x1e, 0x1} }; 
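Review bot: in the shim.spec hunk, the new PATCH-FIX-UPSTREAM comment lines for Patch2, Patch4 and Patch6 place the FATE#/bsc# reference before the patch file name, whereas the surrounding lines (Patch1, Patch50, Patch100, and the removed Patch6 line "shim-bsc950569-fix-cryptlib-va-functions.patch bsc#950569") place the file name first; pick one order. Reusing the numbers Patch4, Patch5 and Patch6 for patches unrelated to the ones they previously denoted is legal but makes a diff against the previous spec revision read as if existing patches had been swapped out; numbering the additions Patch7 onwards would keep the history readable.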
@@ -863,6 +861,53 @@ static EFI_STATUS match_password (PASSWORD_CRYPT *pw_crypt, return EFI_SUCCESS; } +static EFI_STATUS write_db (CHAR16 *db_name, void *MokNew, UINTN MokNewSize) +{ + EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; + EFI_STATUS status; + UINT32 attributes; + void *old_data = NULL; + void *new_data = NULL; + UINTN old_size; + UINTN new_size; + + status = get_variable_attr(db_name, (UINT8 **)&old_data, &old_size, + shim_lock_guid, &attributes); + if (EFI_ERROR(status) && status != EFI_NOT_FOUND) { + return status; + } + + /* Check if the old db is compromised or not */ + if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) { + FreePool(old_data); + old_data = NULL; + old_size = 0; + } + + new_size = old_size + MokNewSize; + new_data = AllocatePool(new_size); + if (new_data == NULL) { + status = EFI_OUT_OF_RESOURCES; + goto out; + } + + CopyMem(new_data, old_data, old_size); + CopyMem(new_data + old_size, MokNew, MokNewSize); + + status = uefi_call_wrapper(RT->SetVariable, 5, db_name, + &shim_lock_guid, + EFI_VARIABLE_NON_VOLATILE + | EFI_VARIABLE_BOOTSERVICE_ACCESS, + new_size, new_data); + +out: + if (old_size > 0) { + FreePool(old_data); + } + + return status; +} + static EFI_STATUS store_keys (void *MokNew, UINTN MokNewSize, int authenticate, BOOLEAN MokX) { @@ -917,12 +962,7 @@ static EFI_STATUS store_keys (void *MokNew, UINTN MokNewSize, int authenticate, 0, NULL); } else { /* Write new MOK */ - efi_status = uefi_call_wrapper(RT->SetVariable, 5, db_name, - &shim_lock_guid, - EFI_VARIABLE_NON_VOLATILE - | EFI_VARIABLE_BOOTSERVICE_ACCESS - | EFI_VARIABLE_APPEND_WRITE, - MokNewSize, MokNew); + efi_status = write_db(db_name, MokNew, MokNewSize); } if (efi_status != EFI_SUCCESS) { -- 2.9.2 >From 3c000e67cc9c5ddd84f5a34b77e6ee8df4fe3ae5 Mon Sep 17 00:00:00 2001 
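Review bot: in the write_db() hunk, `attributes` and `old_size` are left uninitialised and, unless get_variable_attr() guarantees to zero them on EFI_NOT_FOUND (which this hunk does not show), the not-found path reads both as indeterminate values: first in `if (attributes & EFI_VARIABLE_RUNTIME_ACCESS)` and then at the `out:` label in `if (old_size > 0) FreePool(old_data);`, where a garbage old_size would free a NULL pointer. Initialise them at declaration (`UINT32 attributes = 0;`, `UINTN old_size = 0;`) as the function already does for old_data and new_data. The comment "Check if the old db is compromised or not" should state the reason the existing contents are discarded rather than appended to: a MokList that carries EFI_VARIABLE_RUNTIME_ACCESS could have been rewritten from the running OS, so it is not trusted as a base. Also, `new_data + old_size` is arithmetic on a `void *`, which only compiles as a GCC extension; cast to `UINT8 *` as the get_variable_attr() call already does.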
From: Gary Lin <[email protected]> Date: Wed, 3 Aug 2016 16:53:51 +0800 Subject: [PATCH 2/2] MokManager: Try APPEND_WRITE first Try to append the MOK/MOKX list first and then fallback to the normal SetVariable if the firmware doesn't support EFI_VARIABLE_APPEND_WRITE. Signed-off-by: Gary Lin <[email protected]> --- MokManager.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/MokManager.c b/MokManager.c index 9ed7b4b..3933ee0 100644 --- a/MokManager.c +++ b/MokManager.c @@ -871,6 +871,16 @@ static EFI_STATUS write_db (CHAR16 *db_name, void *MokNew, UINTN MokNewSize) UINTN old_size; UINTN new_size; + status = uefi_call_wrapper(RT->SetVariable, 5, db_name, + &shim_lock_guid, + EFI_VARIABLE_NON_VOLATILE + | EFI_VARIABLE_BOOTSERVICE_ACCESS + | EFI_VARIABLE_APPEND_WRITE, + MokNewSize, MokNew); + if (status == EFI_SUCCESS || status != EFI_INVALID_PARAMETER) { + return status; + } + status = get_variable_attr(db_name, (UINT8 **)&old_data, &old_size, shim_lock_guid, &attributes); if (EFI_ERROR(status) && status != EFI_NOT_FOUND) { -- 2.9.2 ++++++ shim-bsc991885-fix-sig-length.patch ++++++ >From 6c12c7bf522d032922abb799cdf0d6f525de3c38 Mon Sep 17 00:00:00 2001 
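Review bot: in the new early-return of the "Try APPEND_WRITE first" hunk, `status == EFI_SUCCESS || status != EFI_INVALID_PARAMETER` reduces to `status != EFI_INVALID_PARAMETER`, since EFI_SUCCESS can never equal EFI_INVALID_PARAMETER; simplify the condition and add a comment explaining that EFI_INVALID_PARAMETER is the only status taken to mean "attribute not supported". As written, a firmware that rejects the append with any other error (EFI_UNSUPPORTED, EFI_WRITE_PROTECTED, EFI_OUT_OF_RESOURCES) propagates that error instead of taking the read-modify-write fallback the commit message promises; if that is intended, say so. It is also worth a comment that the RUNTIME_ACCESS check further down in write_db() stays reachable only because SetVariable() is expected to refuse, with EFI_INVALID_PARAMETER, an append whose attributes differ from those of the existing variable, so a runtime-writable list falls through to the fallback rather than being extended in place; confirm that assumption holds for the firmware this is being worked around.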
From: Sachin Agrawal <[email protected]> Date: Tue, 2 Aug 2016 16:46:31 -0700 Subject: [PATCH] Use authenticode signature length from WIN_CERTIFICATE structure. Authenticode Certificate length is available in Certificate Table (inside PE header) and also in signature header(WIN_CERTIFICATE) itself. Code in 'check_blacklist()' method uses length from signature header, whereas, AuthenticodeVerify() call inside 'verify_buffer()' method uses the length in signature header. This causes a security vulnerability issue : Good Scenario : Assume shim1.crt is used for signing grub.efi and shim1.crt is embedded inside shim.efi. Also, assume shim1.crt got compromised and therefore it was added in 'dbx' database. Now, when shim.efi will attempt to load grub.efi, it will fail loading with log message "Binary is blacklisted" because 'check_blacklist' call will detect the presence of 'shim1.crt' in 'dbx'. Vulnerable Scenario : Similar to above. Add 'shim1.crt' in dbx database. Also, tamper the earlier signed grub.efi file by placing 0x0000 in the WIN_CERTIFICATE.dwLength. (Open grub.efi/vmlinuz signed binary with hex editor. Go to 0x128 address and read out the address from 0x128 until 0x12B in little endian order from right to left. Jump to the address from 0x128 address area. First 8 bytes are the signature header area which consist of signature size (4 bytes), revision (2 bytes) and type (2 bytes). So tamper the first 4 bytes for signature size and save the binary. ) With this tampered grub.efi, shim.efi loads it successfully because 'check_blacklist()' call fails to detect the presence of shim1.crt in 'dbx' database. Signed-off-by: Sachin Agrawal <[email protected]> --- shim.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shim.c b/shim.c index ed01899..03a5604 100644 --- a/shim.c +++ b/shim.c 
@@ -966,7 +966,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, */ if (sizeof(shim_cert) && AuthenticodeVerify(cert->CertData, - context->SecDir->Size - sizeof(cert->Hdr), + cert->Hdr.dwLength - sizeof(cert->Hdr), shim_cert, sizeof(shim_cert), sha256hash, SHA256_DIGEST_SIZE)) { status = EFI_SUCCESS; @@ -977,7 +977,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, * And finally, check against shim's built-in key */ if (vendor_cert_size && AuthenticodeVerify(cert->CertData, - context->SecDir->Size - sizeof(cert->Hdr), + cert->Hdr.dwLength - sizeof(cert->Hdr), vendor_cert, vendor_cert_size, sha256hash, SHA256_DIGEST_SIZE)) { status = EFI_SUCCESS; -- 2.9.2 ++++++ shim-change-debug-file-path.patch ++++++ --- /var/tmp/diff_new_pack.qZ1cTj/_old 2016-08-17 11:59:50.000000000 +0200 +++ /var/tmp/diff_new_pack.qZ1cTj/_new 2016-08-17 11:59:50.000000000 +0200 @@ -12,9 +12,9 @@ =================================================================== --- shim-0.9.orig/Makefile +++ shim-0.9/Makefile -@@ -44,7 +44,7 @@ ifeq ($(ARCH),x86_64) - -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \ +@@ -45,7 +45,7 @@ ifeq ($(ARCH),x86_64) -DNO_BUILTIN_VA_FUNCS \ + -DMDE_CPU_X64 \ "-DEFI_ARCH=L\"x64\"" \ - "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/x64-$(VERSION)$(RELEASE)/\"" + "-DDEBUGDIR=L\"/usr/lib/debug/usr/lib64/efi/shim.debug\"" ++++++ shim-httpboot-support.patch ++++++ ++++ 2219 lines (skipped) ++++++ shim-install ++++++ --- /var/tmp/diff_new_pack.qZ1cTj/_old 2016-08-17 11:59:50.000000000 +0200 +++ /var/tmp/diff_new_pack.qZ1cTj/_new 2016-08-17 11:59:50.000000000 +0200 
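Review bot: both shim.c hunks replace `context->SecDir->Size - sizeof(cert->Hdr)` with `cert->Hdr.dwLength - sizeof(cert->Hdr)`, which makes verify_buffer() measure the signature the same way check_blacklist() does, but nothing in these hunks shows that cert->Hdr.dwLength has been validated before use: it must be at least sizeof(cert->Hdr) (otherwise the unsigned subtraction wraps to a huge length) and at most context->SecDir->Size (otherwise AuthenticodeVerify() reads past the certificate table). If that range check is not already performed where cert is derived from SecDir, add it there so a malformed header fails verification with EFI_SECURITY_VIOLATION instead of reaching the parser. The commit message also says verify_buffer() "uses the length in signature header", but the removed lines show it used the Certificate Table size; correcting that sentence would make the stated rationale match the diff.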
@@ -47,17 +47,17 @@ usage () { echo "Usage: $self [OPTION] [INSTALL_DEVICE]" echo - echo "Install Secure Boot Loaders on your drive.\n" + echo "Install Secure Boot Loaders on your drive." echo - echo "--directory=DIR use images from DIR.\n" - echo "--grub-probe=FILE use FILE as grub-probe.\n" - echo "--removable the installation device is removable.\n" - echo "--bootloader-id=ID the ID of bootloader.\n" - echo "--efi-directory=DIR use DIR as the EFI System Partition root.\n" - echo "--config-file=FILE use FILE as config file, default is $grub_cfg.\n" - echo "--clean remove all installed files and configs.\n" + echo "--directory=DIR use images from DIR." + echo "--grub-probe=FILE use FILE as grub-probe." + echo "--removable the installation device is removable." + echo "--bootloader-id=ID the ID of bootloader." + echo "--efi-directory=DIR use DIR as the EFI System Partition root." + echo "--config-file=FILE use FILE as config file, default is $grub_cfg." + echo "--clean remove all installed files and configs." echo - echo "INSTALL_DEVICE must be system device filename.\n" + echo "INSTALL_DEVICE must be system device filename." } argument () { @@ -192,6 +192,7 @@ efidir="$efidir/EFI/$efi_distributor" mkdir -p "$efidir" || exit 1 else + echo "No valid EFI partition" 1>&2 exit 1; fi ++++++ shim-update-openssl-1.0.2g.patch ++++++ ++++ 160198 lines (skipped) ++++++ shim-update-openssl-1.0.2h.patch ++++++ ++++ 834 lines (skipped)
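Review bot: the first shim-install hunk is the right fix: the usage text depended on `echo` expanding `\n`, which dash does and bash does not (without -e or xpg_echo), so bash users saw a literal backslash-n at the end of every line; removing the escapes makes the output shell-independent. In the second hunk the new message correctly goes to stderr before `exit 1`, but "No valid EFI partition" gives the user nothing to act on; naming the device or directory that was probed (the install device or the --efi-directory argument) would make the failure diagnosable.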
