Hello community,
here is the log from the commit of package shim for openSUSE:Factory checked in at 2014-11-12 00:21:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shim (Old)
and /work/SRC/openSUSE:Factory/.shim.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim"
Changes:
--------
--- /work/SRC/openSUSE:Factory/shim/shim.changes 2014-10-14 07:10:25.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2014-11-12 00:21:07.000000000 +0100
@@ -1,0 +2,21 @@
+Tue Nov 11 04:26:00 UTC 2014 - glin@suse.com
+
+- Add shim-fix-mokmanager-sections.patch to fix the objcopy
+ parameters for the EFI files
+
+-------------------------------------------------------------------
+Tue Oct 28 04:00:51 UTC 2014 - glin@suse.com
+
+- Update to 0.8
+- Add shim-fix-gnu-efi-30w.patch to adapt the change in
+ gnu-efi-3.0w
+- Merge shim-signed-unsigned-compares.patch,
+ shim-mokmanager-support-sha-family.patch and
+ shim-bnc863205-mokmanager-fix-hash-delete.patch into
+ shim-mokx-support.patch
+- Refresh shim-opensuse-cert-prompt.patch
+- Drop upstreamed patches: shim-update-openssl-0.9.8zb.patch,
+ bug-889332_shim-overflow.patch, and bug-889332_shim-mok-oob.patch
+- Enable aarch64
+
+-------------------------------------------------------------------
Old:
----
bug-889332_shim-mok-oob.patch
bug-889332_shim-overflow.patch
shim-0.7.318.81ee561d.tar.bz2
shim-bnc863205-mokmanager-fix-hash-delete.patch
shim-mokmanager-support-sha-family.patch
shim-signed-unsigned-compares.patch
shim-update-openssl-0.9.8zb.patch
New:
----
shim-0.8.tar.bz2
shim-fix-gnu-efi-30w.patch
shim-fix-mokmanager-sections.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ shim.spec ++++++
--- /var/tmp/diff_new_pack.VNSw7k/_old 2014-11-12 00:21:09.000000000 +0100
+++ /var/tmp/diff_new_pack.VNSw7k/_new 2014-11-12 00:21:09.000000000 +0100
@@ -17,13 +17,9 @@
# needssslcertforbuild
-%define commit 81ee561dde0213bc487aa1b701799f6d2faeaf31
-%define shortcommit 81ee561d
Name: shim
-# to ensure newer versions of the git export are always higher numbers the output of
-# git rev-list master|wc -l is added before the git commit hash
-Version: 0.7.318.%{shortcommit}
+Version: 0.8
Release: 0
Summary: UEFI shim loader
License: BSD-2-Clause
@@ -44,22 +40,14 @@
Source10: timestamp.pl
Source11: strip_signature.sh
Source12: signature-sles.asc
-# PATCH-FIX-UPSTREAM shim-mokx-support.patch glin@suse.com -- Support MOK blacklist
+# REBASE PATCH-FIX-UPSTREAM shim-mokx-support.patch glin@suse.com -- Support MOK blacklist
Patch1: shim-mokx-support.patch
# PATCH-FIX-SUSE shim-only-os-name.patch glin@suse.com -- Only include the OS name in version.c
Patch2: shim-only-os-name.patch
-# PATCH-FIX-UPSTREAM shim-bnc863205-mokmanager-fix-hash-delete.patch bnc#863205 glin@suse.com -- Fix the hash deletion operation to avoid ruining the whole list
-Patch3: shim-bnc863205-mokmanager-fix-hash-delete.patch
-# PATCH-FIX-UPSTREAM shim-mokmanager-support-sha-family.patch glin@suse.com -- Support SHA hashes in MOK
-Patch4: shim-mokmanager-support-sha-family.patch
-# PATCH-FIX-OPENSUSE shim-signed-unsigned-compares.patch jsegitz@suse.com -- Fixed some signed - unsigned comparisons
-Patch5: shim-signed-unsigned-compares.patch
-# PATCH-FIX-UPSTREAM shim-update-openssl-0.9.8zb.patch glin@suse.com -- Update openssl to 0.9.8zb
-Patch6: shim-update-openssl-0.9.8zb.patch
-# PATCH-FIX-UPSTREAM bug-889332_shim-overflow.patch krahmer@suse.com -- patch for overflow issue.
-Patch7: bug-889332_shim-overflow.patch
-# PATCH-FIX-UPSTREAM bug-889332_shim-mok-oob.patch krahmer@suse.com -- patch for MOK OOB access.
-Patch8: bug-889332_shim-mok-oob.patch
+# PATCH-FIX-UPSTREAM shim-fix-gnu-efi-30w.patch glin@suse.com -- Adapt the change in gnu-efi 3.0w
+Patch3: shim-fix-gnu-efi-30w.patch
+# PATCH-FIX-UPSTREAM shim-fix-mokmanager-sections.patch glin@suse.com -- Fix the objcopy parameters for the EFI files
+Patch4: shim-fix-mokmanager-sections.patch
# PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
Patch100: shim-opensuse-cert-prompt.patch
BuildRequires: gnu-efi >= 3.0t
@@ -71,7 +59,7 @@
BuildRoot: %{_tmppath}/%{name}-%{version}-build
# For shim-install script
Requires: grub2-efi
-ExclusiveArch: x86_64
+ExclusiveArch: x86_64 aarch64
%description
shim is a trivial EFI application that, when run, attempts to open and
@@ -89,10 +77,6 @@
%patch2 -p1
%patch3 -p1
%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
%patch100 -p1
%build
++++++ shim-0.7.318.81ee561d.tar.bz2 -> shim-0.8.tar.bz2 ++++++
++++ 4417 lines of diff (skipped)
++++++ shim-fix-gnu-efi-30w.patch ++++++
From d4e4bf4e1e03eb5685474d240929d3e3b50581f8 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin
Date: Thu, 25 Sep 2014 18:12:42 +0800
Subject: [PATCH] Adapt the change in gnu-efi-3.0w
---
Cryptlib/Include/OpenSslSupport.h | 13 +++++++------
Cryptlib/Makefile | 1 +
Cryptlib/OpenSSL/Makefile | 3 +++
Makefile | 2 ++
4 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/Cryptlib/Include/OpenSslSupport.h b/Cryptlib/Include/OpenSslSupport.h
index 9e56ced..6b3bfbd 100644
--- a/Cryptlib/Include/OpenSslSupport.h
+++ b/Cryptlib/Include/OpenSslSupport.h
@@ -16,12 +16,6 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#define __OPEN_SSL_SUPPORT_H__
#include
-#include
-#include
-#include
-#include
-#include
-#include
#define CONST const
@@ -63,6 +57,13 @@ typedef __builtin_va_list VA_LIST;
#define va_end(Marker) ((void)0)
#endif
+#include
+#include
+#include
+#include
+#include
+#include
+
//
// #defines from EFI Application Toolkit required to buiild Open SSL
//
diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile
index 9719a27..dbd79fb 100644
--- a/Cryptlib/Makefile
+++ b/Cryptlib/Makefile
@@ -3,6 +3,7 @@ EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLU
CFLAGS = -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
-Wall $(EFI_INCLUDES)
+CFLAGS += -DGNU_EFI_USE_EXTERNAL_STDARG
ifeq ($(ARCH),x86_64)
CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \
diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile
index 7990b3c..967e55e 100644
--- a/Cryptlib/OpenSSL/Makefile
+++ b/Cryptlib/OpenSSL/Makefile
@@ -18,6 +18,9 @@ endif
ifeq ($(ARCH),arm)
CFLAGS += -O2 -DTHIRTY_TWO_BIT -ffreestanding -I$(shell $(CC) -print-file-name=include)
endif
+
+CFLAGS += -DGNU_EFI_USE_EXTERNAL_STDARG
+
LDFLAGS = -nostdlib -znocombreloc
TARGET = libopenssl.a
diff --git a/Makefile b/Makefile
index 332a29b..52fd5b3 100644
--- a/Makefile
+++ b/Makefile
@@ -26,6 +26,8 @@ CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
"-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
$(EFI_INCLUDES)
+CFLAGS += -DGNU_EFI_USE_EXTERNAL_STDARG
+
ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
CFLAGS += -DOVERRIDE_SECURITY_POLICY
endif
--
1.8.4.5
++++++ shim-fix-mokmanager-sections.patch ++++++
From 61f1bfea2250c38b6c381a3876b41acf007f4289 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin
Date: Mon, 10 Nov 2014 17:19:58 +0800
Subject: [PATCH 1/2] Fix objcopy parameters to include .rel and .rela
The objcopy parameters -j .rel* and -j .rela* looked like that the
two sections would be in the EFI binary, but it's actually not, and
this caused MokManager.efi crash.
Remove the asterisks to fix MokManager.efi.
Signed-off-by: Gary Ching-Pang Lin
---
Makefile | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Makefile b/Makefile
index 332a29b..39160c5 100644
--- a/Makefile
+++ b/Makefile
@@ -133,13 +133,13 @@ FORMAT ?= --target efi-app-$(ARCH)
%.efi: %.so
$(OBJCOPY) -j .text -j .sdata -j .data \
- -j .dynamic -j .dynsym -j .rel* \
- -j .rela* -j .reloc -j .eh_frame \
+ -j .dynamic -j .dynsym -j .rel \
+ -j .rela -j .reloc -j .eh_frame \
-j .vendor_cert \
$(FORMAT) $^ $@
$(OBJCOPY) -j .text -j .sdata -j .data \
- -j .dynamic -j .dynsym -j .rel* \
- -j .rela* -j .reloc -j .eh_frame \
+ -j .dynamic -j .dynsym -j .rel \
+ -j .rela -j .reloc -j .eh_frame \
-j .debug_info -j .debug_abbrev -j .debug_aranges \
-j .debug_line -j .debug_str -j .debug_ranges \
$(FORMAT) $^ $@.debug
--
1.8.4.5
From a0d319c24c064b3275f4dc91cf141336fb7449fa Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin
Date: Mon, 10 Nov 2014 17:31:15 +0800
Subject: [PATCH 2/2] Add nostdinc to the CFLAGS for lib
We don't need the headers from the standard include path.
Signed-off-by: Gary Ching-Pang Lin
---
lib/Makefile | 2 +-
lib/console.c | 4 ++--
lib/guid.c | 1 -
3 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/lib/Makefile b/lib/Makefile
index ebd21a1..3c5101e 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -4,7 +4,7 @@ LIBFILES = simple_file.o guid.o console.o execute.o configtable.o shell.o variab
EFI_INCLUDES = -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -I../include
-CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
+CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -nostdinc\
-fshort-wchar -Wall -DBUILD_EFI -fno-builtin -Werror \
$(EFI_INCLUDES)
diff --git a/lib/console.c b/lib/console.c
index 83ee679..fd8cc5c 100644
--- a/lib/console.c
+++ b/lib/console.c
@@ -4,8 +4,8 @@
*
* see COPYING file
*/
-#include
-#include
+#include
+#include
#include
#include
diff --git a/lib/guid.c b/lib/guid.c
index 56ec952..c97a7ca 100644
--- a/lib/guid.c
+++ b/lib/guid.c
@@ -5,7 +5,6 @@
*/
#include
-#include
#ifndef BUILD_EFI
/* EFI has %g for this, so it's only needed in platform c */
--
1.8.4.5
++++++ shim-mokx-support.patch ++++++
++++ 2016 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/shim/shim-mokx-support.patch
++++ and /work/SRC/openSUSE:Factory/.shim.new/shim-mokx-support.patch
++++++ shim-opensuse-cert-prompt.patch ++++++
--- /var/tmp/diff_new_pack.VNSw7k/_old 2014-11-12 00:21:10.000000000 +0100
+++ /var/tmp/diff_new_pack.VNSw7k/_new 2014-11-12 00:21:10.000000000 +0100
@@ -1,4 +1,4 @@
-From b13d18d4069032ccf6c885774e9eada6a1d80ddd Mon Sep 17 00:00:00 2001
+From e3b81e524747199fb7da29e5988cff79db1658a3 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin
Date: Tue, 18 Feb 2014 17:29:19 +0800
Subject: [PATCH 1/3] Show the build-in certificate prompt
@@ -17,13 +17,13 @@
The state will store in use_openSUSE_cert, a volatile RT variable.
---
- shim.c | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-----------
- 1 file changed, 97 insertions(+), 19 deletions(-)
+ shim.c | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 74 insertions(+), 2 deletions(-)
-Index: shim-0.7/shim.c
-===================================================================
---- shim-0.7.orig/shim.c
-+++ shim-0.7/shim.c
+diff --git a/shim.c b/shim.c
+index d46494a..c14a54d 100644
+--- a/shim.c
++++ b/shim.c
@@ -90,6 +90,7 @@ UINT8 *vendor_dbx;
*/
verification_method_t verification_method;
@@ -32,7 +32,7 @@
#define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
-@@ -817,7 +818,7 @@ static EFI_STATUS verify_buffer (char *d
+@@ -954,7 +955,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
if (status == EFI_SUCCESS)
return status;
@@ -41,75 +41,16 @@
/*
* Check against the shim build key
*/
-@@ -1523,11 +1524,14 @@ EFI_STATUS mirror_mok_list()
+@@ -1708,7 +1709,7 @@ EFI_STATUS mirror_mok_list()
if (efi_status != EFI_SUCCESS)
DataSize = 0;
-- FullDataSize = DataSize
-- + sizeof (*CertList)
-- + sizeof (EFI_GUID)
-- + vendor_cert_size
-- ;
-+ FullDataSize = DataSize;
-+ if (use_builtin_cert) {
-+ FullDataSize += sizeof (*CertList) +
-+ sizeof (EFI_GUID) +
-+ vendor_cert_size;
-+ } else if (DataSize == 0) {
-+ return EFI_SUCCESS;
-+ }
- FullData = AllocatePool(FullDataSize);
- if (!FullData) {
- perror(L"Failed to allocate space for MokListRT\n");
-@@ -1539,21 +1543,24 @@ EFI_STATUS mirror_mok_list()
- CopyMem(p, Data, DataSize);
- p += DataSize;
- }
-- CertList = (EFI_SIGNATURE_LIST *)p;
-- p += sizeof (*CertList);
-- CertData = (EFI_SIGNATURE_DATA *)p;
-- p += sizeof (EFI_GUID);
--
-- CertList->SignatureType = EFI_CERT_X509_GUID;
-- CertList->SignatureListSize = vendor_cert_size
-- + sizeof (*CertList)
-- + sizeof (*CertData)
-- -1;
-- CertList->SignatureHeaderSize = 0;
-- CertList->SignatureSize = vendor_cert_size + sizeof (EFI_GUID);
-
-- CertData->SignatureOwner = SHIM_LOCK_GUID;
-- CopyMem(p, vendor_cert, vendor_cert_size);
-+ if (use_builtin_cert) {
-+ CertList = (EFI_SIGNATURE_LIST *)p;
-+ p += sizeof (*CertList);
-+ CertData = (EFI_SIGNATURE_DATA *)p;
-+ p += sizeof (EFI_GUID);
-+
-+ CertList->SignatureType = EFI_CERT_X509_GUID;
-+ CertList->SignatureListSize = vendor_cert_size
-+ + sizeof (*CertList)
-+ + sizeof (*CertData)
-+ -1;
-+ CertList->SignatureHeaderSize = 0;
-+ CertList->SignatureSize = vendor_cert_size + sizeof (EFI_GUID);
-+
-+ CertData->SignatureOwner = SHIM_LOCK_GUID;
-+ CopyMem(p, vendor_cert, vendor_cert_size);
-+ }
-
- efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokListRT",
- &shim_lock_guid,
-@@ -1600,7 +1607,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE
- check_var(L"MokPW") || check_var(L"MokAuth") ||
- check_var(L"MokDel") || check_var(L"MokDB") ||
- check_var(L"MokXNew") || check_var(L"MokXDel") ||
-- check_var(L"MokXAuth")) {
-+ check_var(L"MokXAuth") || check_var(L"ClearVerify")) {
- efi_status = start_image(image_handle, MOK_MANAGER);
-
- if (efi_status != EFI_SUCCESS) {
-@@ -1840,6 +1847,75 @@ uninstall_shim_protocols(void)
+- if (vendor_cert_size) {
++ if (vendor_cert_size && use_builtin_cert) {
+ FullDataSize = DataSize
+ + sizeof (*CertList)
+ + sizeof (EFI_GUID)
+@@ -2057,6 +2058,75 @@ uninstall_shim_protocols(void)
&shim_lock_guid, &shim_lock_interface);
}
@@ -185,7 +126,7 @@
EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
{
EFI_STATUS efi_status;
-@@ -1895,6 +1971,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_ha
+@@ -2112,6 +2182,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab)
*/
hook_system_services(systab);
loader_is_participating = 0;
@@ -194,11 +135,30 @@
}
}
-Index: shim-0.7/MokManager.c
-===================================================================
---- shim-0.7.orig/MokManager.c
-+++ shim-0.7/MokManager.c
-@@ -1701,6 +1701,36 @@ static INTN mok_pw_prompt (void *MokPW,
+--
+1.8.4.5
+
+
+From 7b87b12059a9f26125f135ae649757346d26d6f8 Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin
+Date: Thu, 20 Feb 2014 16:57:08 +0800
+Subject: [PATCH 2/3] Support revoking the openSUSE cert
+
+This is an openSUSE-only patch.
+
+To revoke the openSUSE cert, create ClearVerify, a NV RT variable,
+and store the password hash in the variable, and then MokManager
+will show up with an additional option to clear openSUSE_Verify
+---
+ MokManager.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
+ shim.c | 2 +-
+ 2 files changed, 60 insertions(+), 3 deletions(-)
+
+diff --git a/MokManager.c b/MokManager.c
+index 442ab8f..7277968 100644
+--- a/MokManager.c
++++ b/MokManager.c
+@@ -1731,6 +1731,33 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) {
return -1;
}
@@ -216,10 +176,7 @@
+ if (status != EFI_SUCCESS)
+ return -1;
+
-+ status = uefi_call_wrapper(RT->SetVariable, 5,
-+ L"openSUSE_Verify", &shim_lock_guid,
-+ EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,
-+ 0, NULL);
++ status = LibDeleteVariable(L"openSUSE_Verify", &shim_lock_guid);
+ if (status != EFI_SUCCESS) {
+ console_error(L"Failed to delete openSUSE_Verify", status);
+ return -1;
@@ -235,7 +192,7 @@
static BOOLEAN verify_certificate(UINT8 *cert, UINTN size)
{
X509 *X509Cert;
-@@ -2053,6 +2083,7 @@ typedef enum {
+@@ -2083,6 +2110,7 @@ typedef enum {
MOK_CHANGE_SB,
MOK_SET_PW,
MOK_CHANGE_DB,
@@ -243,7 +200,7 @@
MOK_KEY_ENROLL,
MOK_HASH_ENROLL
} mok_menu_item;
-@@ -2064,7 +2095,8 @@ static EFI_STATUS enter_mok_menu(EFI_HAN
+@@ -2094,7 +2122,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
void *MokPW, UINTN MokPWSize,
void *MokDB, UINTN MokDBSize,
void *MokXNew, UINTN MokXNewSize,
@@ -253,7 +210,7 @@
{
CHAR16 **menu_strings;
mok_menu_item *menu_item;
-@@ -2138,6 +2170,9 @@ static EFI_STATUS enter_mok_menu(EFI_HAN
+@@ -2168,6 +2197,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
if (MokDB)
menucount++;
@@ -263,7 +220,7 @@
menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (menucount + 1));
if (!menu_strings)
-@@ -2207,6 +2242,12 @@ static EFI_STATUS enter_mok_menu(EFI_HAN
+@@ -2237,6 +2269,12 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
i++;
}
@@ -276,7 +233,7 @@
menu_strings[i] = L"Enroll key from disk";
menu_item[i] = MOK_KEY_ENROLL;
i++;
-@@ -2257,6 +2298,9 @@ static EFI_STATUS enter_mok_menu(EFI_HAN
+@@ -2287,6 +2325,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
case MOK_CHANGE_DB:
mok_db_prompt(MokDB, MokDBSize);
break;
@@ -286,7 +243,7 @@
case MOK_KEY_ENROLL:
mok_key_enroll();
break;
-@@ -2282,6 +2326,7 @@ static EFI_STATUS check_mok_request(EFI_
+@@ -2312,6 +2353,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
UINTN MokNewSize = 0, MokDelSize = 0, MokSBSize = 0, MokPWSize = 0;
UINTN MokDBSize = 0, MokXNewSize = 0, MokXDelSize = 0;
@@ -294,7 +251,7 @@
void *MokNew = NULL;
void *MokDel = NULL;
void *MokSB = NULL;
-@@ -2289,6 +2334,7 @@ static EFI_STATUS check_mok_request(EFI_
+@@ -2319,6 +2361,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
void *MokDB = NULL;
void *MokXNew = NULL;
void *MokXDel = NULL;
@@ -302,7 +259,7 @@
EFI_STATUS status;
status = get_variable(L"MokNew", (UINT8 **)&MokNew, &MokNewSize,
-@@ -2361,9 +2407,20 @@ static EFI_STATUS check_mok_request(EFI_
+@@ -2391,9 +2434,20 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
console_error(L"Could not retrieve MokXDel", status);
}
@@ -324,7 +281,7 @@
if (MokNew)
FreePool (MokNew);
-@@ -2386,6 +2443,9 @@ static EFI_STATUS check_mok_request(EFI_
+@@ -2416,6 +2470,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
if (MokXDel)
FreePool (MokXDel);
@@ -334,3 +291,51 @@
LibDeleteVariable(L"MokAuth", &shim_lock_guid);
LibDeleteVariable(L"MokDelAuth", &shim_lock_guid);
LibDeleteVariable(L"MokXAuth", &shim_lock_guid);
+diff --git a/shim.c b/shim.c
+index c14a54d..1287eed 100644
+--- a/shim.c
++++ b/shim.c
+@@ -1818,7 +1818,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
+ check_var(L"MokPW") || check_var(L"MokAuth") ||
+ check_var(L"MokDel") || check_var(L"MokDB") ||
+ check_var(L"MokXNew") || check_var(L"MokXDel") ||
+- check_var(L"MokXAuth")) {
++ check_var(L"MokXAuth") || check_var(L"ClearVerify")) {
+ efi_status = start_image(image_handle, MOK_MANAGER);
+
+ if (efi_status != EFI_SUCCESS) {
+--
+1.8.4.5
+
+
+From c7340fe9219777622fe58b6596f53a4cad739e9f Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin
+Date: Fri, 7 Mar 2014 16:17:20 +0800
+Subject: [PATCH 3/3] Delete openSUSE_Verify the right way
+
+This is an openSUSE-only patch.
+
+LibDeleteVariable only works on the runtime variables.
+---
+ MokManager.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/MokManager.c b/MokManager.c
+index 7277968..b5d2454 100644
+--- a/MokManager.c
++++ b/MokManager.c
+@@ -1745,7 +1745,10 @@ static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) {
+ if (status != EFI_SUCCESS)
+ return -1;
+
+- status = LibDeleteVariable(L"openSUSE_Verify", &shim_lock_guid);
++ status = uefi_call_wrapper(RT->SetVariable, 5,
++ L"openSUSE_Verify", &shim_lock_guid,
++ EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE,
++ 0, NULL);
+ if (status != EFI_SUCCESS) {
+ console_error(L"Failed to delete openSUSE_Verify", status);
+ return -1;
+--
+1.8.4.5
+
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org