openSUSE Commits
May 2015
- 1 participants
- 1756 discussions
Hello community,
here is the log from the commit of package chromium for openSUSE:13.1:Update checked in at 2015-05-29 16:34:17
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.1:Update/chromium (Old)
and /work/SRC/openSUSE:13.1:Update/.chromium.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "chromium"
Changes:
--------
New Changes file:
NO CHANGES FILE!!!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ _link ++++++
--- /var/tmp/diff_new_pack.pJeWyo/_old 2015-05-29 16:34:26.000000000 +0200
+++ /var/tmp/diff_new_pack.pJeWyo/_new 2015-05-29 16:34:26.000000000 +0200
@@ -1 +1 @@
-<link package='chromium.3749' cicount='copy' />
+<link package='chromium.3793' cicount='copy' />
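Review bot: The link target moves from chromium.3749 to chromium.3793 while the commit reports "NO CHANGES FILE!!!", so this log alone does not say which fixes the update carries. Referencing the changelog of chromium.3793 or the maintenance request in the commit text would let the update be audited from the list archive.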
Hello community,
here is the log from the commit of package gnu_parallel for openSUSE:13.2:Update checked in at 2015-05-29 16:33:59
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.2:Update/gnu_parallel (Old)
and /work/SRC/openSUSE:13.2:Update/.gnu_parallel.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnu_parallel"
Changes:
--------
New Changes file:
NO CHANGES FILE!!!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ _link ++++++
--- /var/tmp/diff_new_pack.fzOmWU/_old 2015-05-29 16:34:00.000000000 +0200
+++ /var/tmp/diff_new_pack.fzOmWU/_new 2015-05-29 16:34:00.000000000 +0200
@@ -1 +1 @@
-<link package='gnu_parallel.3740' cicount='copy' />
+<link package='gnu_parallel.3792' cicount='copy' />
Hello community,
here is the log from the commit of package gnu_parallel for openSUSE:13.1:Update checked in at 2015-05-29 16:33:56
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.1:Update/gnu_parallel (Old)
and /work/SRC/openSUSE:13.1:Update/.gnu_parallel.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnu_parallel"
Changes:
--------
New Changes file:
NO CHANGES FILE!!!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ _link ++++++
--- /var/tmp/diff_new_pack.obIAA2/_old 2015-05-29 16:33:57.000000000 +0200
+++ /var/tmp/diff_new_pack.obIAA2/_new 2015-05-29 16:33:57.000000000 +0200
@@ -1 +1 @@
-<link package='gnu_parallel.3740' cicount='copy' />
+<link package='gnu_parallel.3792' cicount='copy' />
Hello community,
here is the log from the commit of package ovmf for openSUSE:Factory:NonFree checked in at 2015-05-29 11:45:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory:NonFree/ovmf (Old)
and /work/SRC/openSUSE:Factory:NonFree/.ovmf.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ovmf"
Changes:
--------
New Changes file:
--- /dev/null 2015-05-15 19:41:08.266053825 +0200
+++ /work/SRC/openSUSE:Factory:NonFree/.ovmf.new/ovmf.changes 2015-05-29 11:45:56.000000000 +0200
@@ -0,0 +1,581 @@
+-------------------------------------------------------------------
+Thu May 14 06:59:14 UTC 2015 - glin(a)suse.com
+
+- Update to R17446
+ + OvmfPkg: AcpiS3SaveDxe: fix protocol usage hint in the INF file
+ + OvmfPkg: extract some bits and port offsets common to Q35 and
+ I440FX
+ + MdeModulePkg: Add ESRT management module.
+ + MdeModulePkg: Add ESRT management protocol definition
+ + MdePkg: Add Microsoft UX capsule GUID & layout
+ + SecurityPkg: Update SecureBootConfigDxe to support ARM image
+ + SecurityPkg Variable: Make PK & SecureBootMode consistent
+ + MdeModulePkg DxeCore: Add read only memory support
+ + OvmfPkg: QemuBootOrderLib: parse OFW device path nodes of PCI
+ bridges
+ + MdePkg: Add UEFI 2.5 SD (Secure Digital) Device Path Definitions
+ + Hash2 driver to [Components.IA32, Components.X64, Components.IPF]
+ section
+ + ArmVirtualizationPkg: Enable secure boot for ArmVirtualizationQemu
+ + ArmPlatformPkg: enable use of authenticated variables in
+ NorFlashDxe
+- Refresh patch
+ + ovmf-0002-ArmPlatformPkg-Bds-generate-ESP-Image-boot-option-if.patch
+- Enable Secure Boot for AArch64
+- Remove the workaround for SLE11
+
+-------------------------------------------------------------------
+Thu May 7 10:13:13 UTC 2015 - glin(a)suse.com
+
+- Although ovmf-gdb-symbols.patch has been included for a while,
+ it's not mentioned in changelog and legal-auto script is not
+ happy with it.
+
+-------------------------------------------------------------------
+Thu May 7 06:58:50 UTC 2015 - glin(a)suse.com
+
+- Update to R17351
+ + BaseTools: Fix build fail issue
+ + MdeModluePkg: Enable refresh opcode to refresh the entire form
+ + BaseTool: Add refresh form opcode in vfrcompiler
+ + MdeModulePkg: Add BootManagerMenuApp
+ + MdeModulePkg: Add BdsDxe driver and PlatformBootManagerNull
+ library
+ + MdeModulePkg: Add UefiBootManagerLib
+ + MdePkg: Update the UEFI version to reflect new revision
+ + OvmfPkg: Use the new PCDs defined in MdePkg and MdeModulePkg
+ + MdePkg: Add UEFI2.5 bluetooth protocol/devicepath definition
+ + Add UEFI2.5 HASH protocol implementation
+ + MdeModulePkg: Add UEFI2.5 and PI1.4 PersistentMemory feature
+ + MdePkg: Add ESRT Interface Definitions
+ + Various fixes for Shell
+- Drop ovmf-sle-11-gcc47.patch
+ + The NASM version in SLE11 is too old to build the newer ovmf
+- Rename the ARM patches to make the legal-auto script happy
+ + ovmf-0001-ArmPlatformPkg-ArmVirtualizationPkg-enable-DEBUG_VER.patch
+ + ovmf-0002-ArmPlatformPkg-Bds-generate-ESP-Image-boot-option-if.patch
+ + ovmf-0003-ArmPlatformPkg-Bds-check-for-other-defaults-too-if-u.patch
+ + ovmf-0004-ArmPlatformPkg-ArmVirtualizationPkg-auto-detect-boot.patch
+ + ovmf-0005-ArmPlatformPkg-Bds-initialize-ConIn-ConOut-ErrOut-be.patch
+ + ovmf-0006-ArmPlatformPkg-Bds-let-FindCandidate-search-all-file.patch
+ + ovmf-0007-ArmPlatformPkg-Bds-FindCandidateOnHandle-log-full-de.patch
+ + ovmf-0008-ArmPlatformPkg-Bds-fall-back-to-Boot-Menu-when-no-de.patch
+ + ovmf-0009-ArmPlatformPkg-Bds-always-connect-drivers-before-loo.patch
+ + ovmf-0010-avoid-potentially-uninitialized-variable.diff
+
+-------------------------------------------------------------------
+Thu Apr 23 03:33:36 UTC 2015 - glin(a)suse.com
+
+- Update ovmf-embed-default-keys.patch to embed the default dbx.
+ Also add the dbx list from the UEFI website and enable it in the
+ MS flavor. A script, strip_authinfo.pl, was added to strip the
+ AuthInfo headers from dbxupdate.bin since those are not necessary
+ in dbx.
+
+-------------------------------------------------------------------
+Mon Apr 20 03:43:56 UTC 2015 - glin(a)suse.com
+
+- Update to R17187
+ + Save initial TSVal from TCP connection initiation packets
+ + BaseTools/Ecc: Add ECC (EFI Code Checker) Binary into BaseTools
+ bin directory
+ + MdePkg: Add ESRT Interface Definitions
+ + OvmfPkg: XenConsoleSerialPortLib: deal with output overflow
+ + OvmfPkg: Q35: Use correct ACPI PM control register:bit
+ + PXE driver bug fix
+ + A failed PXEv6 after a success PXEv4 will cause ASSERT
+ + MdePkg: BaseSynchronizationLib: fix Increment/Decrement retvals
+ for ARM
+ + Updated Memory Error Record Per UEFI Specification 2.4a
+ + MdeModulePkg BootScriptExecutorDxe: Use ImageContext.ImageSize
+ to allocate memory for PE image to handle the case PE file
+ alignment is not same as PE section alignment.
+ + Fix GCC hang issue: Point should use directly assignment
+ instead of IP4_COPY_ADDRESS.
+ + SecurityPkg Variable: Update code in ProcessVariable ()
+- Update openssl to 0.9.8zf
+
+-------------------------------------------------------------------
+Tue Mar 17 03:10:34 UTC 2015 - glin(a)suse.com
+
+- Update to R17055
+ + OvmfPkg: include XHCI driver
+ + ArmVirtualizationPkg/ArmVirtualizationQemu: include XHCI driver
+ + ArmVirtualizationPkg: build UEFI shell from source
+ + SecurityPkg Variable: Allow the delete operation of common auth
+ variable at user physical presence
+ + Set network boot option to the default last priority
+ + MdeModulePkg: improve scalability of memory pools
+ + MdeModulePkg: use correct granularity when allocating pool
+ pages
+
+-------------------------------------------------------------------
+Fri Mar 6 03:22:51 UTC 2015 - glin(a)suse.com
+
+- Update to R17007
+ + ArmVirtualizationPkg: PlatformIntelBdsLib: lack of QEMU kernel
+ is no error
+ + Improve Xen support in Ovmf
+ + ArmVirtualizationPkg: PlatformIntelBdsLib: display TianoCore
+ logo
+ + ArmVirtualizationPkg/ArmVirtualizationQemu: add USB keyboard
+ input
+ + ArmVirtualizationPkg/ArmVirtualizationQemu: add VGA console
+ output
+ + ArmVirtualizationPkg/ArmVirtualizationQemu: enable PCI support
+ + OvmfPkg/QemuVideoDxe: enable ARM builds
+ + Improve ACPI support in Ovmf
+ + OvmfPkg/PlatformBdsLib: Signal ReadyToBoot before booting QEMU
+ kernel
+ + ArmPkg/ArmLib.h: Add CPU Affinity definitions
+ + OvmfPkg/SMBIOS: Provide default Type 0 (BIOS Information)
+ structure
+ + NetworkPkg: Code refine to avoid NULL pointer dereferenced
+ + DHCP6 bug fix
+ + BaseTools/GenFw: Set the PE/COFF attribute BaseOfData with the
+ address of the first '.data' section
+ + OvmfPkg: Update PlatformBaseDebugLibIoPort library
+ + Various fixes for shell
+- Update ARM patches
+
+-------------------------------------------------------------------
+Fri Feb 6 10:47:54 UTC 2015 - lnussel(a)suse.de
+
+- update to R16775
+- add RH patches for ARM
+
+-------------------------------------------------------------------
+Tue Jan 6 07:51:52 UTC 2015 - glin(a)suse.com
+
+- Update to R16580
+ + MdeModulePkg Variable: Implement VarCheck PROTOCOL and follow
+ UEFI spec to check UEFI defined variables
+ + ArmVirtualizationPkg: Intel BDS: load EFI-stubbed Linux kernel
+ from fw_cfg
+ + ArmVirtualizationPkg: identify "new shell" as builtin shell
+ for Intel BDS
+ + ArmVirtualizationPkg: PlatformIntelBdsLib: adhere to QEMU's
+ boot order
+ + OvmfPkg: QemuBootOrderLib: OFW-to-UEFI translation for
+ virtio-mmio
+ + OvmfPkg: QemuBootOrderLib: widen ParseUnitAddressHexList() to
+ UINT64
+ + ArmVirtualizationPkg: VirtFdtDxe: use dedicated
+ VIRTIO_MMIO_TRANSPORT_GUID
+ + OvmfPkg: introduce VIRTIO_MMIO_TRANSPORT_GUID
+ + OvmfPkg: QemuBootOrderLib: featurize PCI-like device path
+ translation
+ + OvmfPkg: extract QemuBootOrderLib
+ + ArmVirtualizationPkg: PlatformIntelBdsLib: add basic policy
+ + ArmVirtualizationPkg: clone PlatformIntelBdsLib from
+ ArmPlatformPkg
+ + ArmVirtualizationPkg: introduce QemuFwCfgLib instance for DXE
+ drivers
+ + ArmVirtualizationPkg: VirtFdtDxe: forward FwCfg addresses from
+ DTB to PCDs
+ + MdeModulePkg/FvSimpleFileSystem:Fix a potential NULL
+ dereference issue
+ + Correct the Hash Calculation for Revoked X.509 Certificate to
+ align with RFC3280 and UEFI 2.4 Spec
+ + MdeModulePkg/FvSimpleFileSystem: Add a new module to provide
+ access to executable files in FVs
+ + OvmfPkg: enable IPv6 support
+ + Fix a bug that the gateway is not necessary in a simple PXE
+ network
+ + ArmPkg/BdsLib: Update the size of the Device Tree before
+ booting Linux
+ + ArmPkg/BdsLib: Rework TFTP boot
+ + MdePkg: UefiScsiLib: do not encode LUN in CDB for SCSI commands
+ + Correct the alignment calculation of PE/COFF attribute
+ certificate entry
+ + OvmfPkg: CsmSupportLib: depend on OvmfPkg.dec explicitly
+ + OvmfPkg: AcpiPlatformDxe: make dependency on PCI enumeration
+ explicit
+ + MdePkg/MdeModulePkg: Implement the missing
+ SetMemorySpaceCapabilities function
+ + Various fixes for shell
+- Set the flag to enable IPv6 support
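Review bot: The Apr 23 entry names only the MS flavor as getting the embedded default dbx and does not say whether the other key flavors are built without a revocation list, or why; a short rationale there would help anyone auditing the Secure Boot images. "Update openssl to 0.9.8zf" in the Apr 20 entry also carries no bug or advisory reference for the bundled-library bump, and "MdeModluePkg" in the R17351 entry should read MdeModulePkg.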
++++ 384 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:Factory:NonFree/.ovmf.new/ovmf.changes
New:
----
MicCorKEKCA2011_2011-06-24.crt
MicCorUEFCA2011_2011-06-27.crt
README
SLES-UEFI-CA-Certificate-2048.crt
SLES-UEFI-SIGN-Certificate-2048.crt
_service
dbxupdate.zip
gdb_uefi.py.in
openSUSE-UEFI-CA-Certificate-2048.crt
openSUSE-UEFI-CA-Certificate-4096.crt
openSUSE-UEFI-SIGN-Certificate-2048.crt
openSUSE-UEFI-SIGN-Certificate-4096.crt
openssl-0.9.8zf.tar.gz
openssl-0.9.8zf.tar.gz.asc
openssl.keyring
ovmf-0.1+svn17446.tar.xz
ovmf-0001-ArmPlatformPkg-ArmVirtualizationPkg-enable-DEBUG_VER.patch
ovmf-0002-ArmPlatformPkg-Bds-generate-ESP-Image-boot-option-if.patch
ovmf-0003-ArmPlatformPkg-Bds-check-for-other-defaults-too-if-u.patch
ovmf-0004-ArmPlatformPkg-ArmVirtualizationPkg-auto-detect-boot.patch
ovmf-0005-ArmPlatformPkg-Bds-initialize-ConIn-ConOut-ErrOut-be.patch
ovmf-0006-ArmPlatformPkg-Bds-let-FindCandidate-search-all-file.patch
ovmf-0007-ArmPlatformPkg-Bds-FindCandidateOnHandle-log-full-de.patch
ovmf-0008-ArmPlatformPkg-Bds-fall-back-to-Boot-Menu-when-no-de.patch
ovmf-0009-ArmPlatformPkg-Bds-always-connect-drivers-before-loo.patch
ovmf-0010-avoid-potentially-uninitialized-variable.diff
ovmf-embed-default-keys.patch
ovmf-gdb-symbols.patch
ovmf-rpmlintrc
ovmf.changes
ovmf.spec
strip_authinfo.pl
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ ovmf.spec ++++++
#
# spec file for package ovmf
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# needssslcertforbuild
%undefine _build_create_debug
Name: ovmf
Url: http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=EDK2
Summary: Open Virtual Machine Firmware
License: BSD-2-Clause
Group: System/Emulators/PC
Version: 0.1+svn17446
Release: 0
Source0: %{name}-%{version}.tar.xz
Source1: https://www.openssl.org/source/openssl-0.9.8zf.tar.gz
Source111: https://www.openssl.org/source/openssl-0.9.8zf.tar.gz.asc
Source112: openssl.keyring
Source2: README
Source3: SLES-UEFI-CA-Certificate-2048.crt
Source4: SLES-UEFI-SIGN-Certificate-2048.crt
Source5: MicCorKEKCA2011_2011-06-24.crt
Source6: MicCorUEFCA2011_2011-06-27.crt
Source7: openSUSE-UEFI-CA-Certificate-2048.crt
Source8: openSUSE-UEFI-SIGN-Certificate-2048.crt
Source9: openSUSE-UEFI-CA-Certificate-4096.crt
Source10: openSUSE-UEFI-SIGN-Certificate-4096.crt
Source11: http://www.uefi.org/sites/default/files/resources/dbxupdate.zip
Source12: strip_authinfo.pl
Source100: %{name}-rpmlintrc
Source101: gdb_uefi.py.in
Patch2: %{name}-embed-default-keys.patch
Patch3: %{name}-gdb-symbols.patch
# PATCH-FIX-OPENSUSE 0001-ArmPlatformPkg-ArmVirtualizationPkg-enable-DEBUG_VER.patch bnc#123456 you@foo -- descr
Patch4: %{name}-0001-ArmPlatformPkg-ArmVirtualizationPkg-enable-DEBUG_VER.patch
# PATCH-FIX-OPENSUSE 0002-ArmPlatformPkg-Bds-generate-ESP-Image-boot-option-if.patch bnc#123456 you@foo -- descr
Patch5: %{name}-0002-ArmPlatformPkg-Bds-generate-ESP-Image-boot-option-if.patch
# PATCH-FIX-OPENSUSE 0003-ArmPlatformPkg-Bds-check-for-other-defaults-too-if-u.patch bnc#123456 you@foo -- descr
Patch6: %{name}-0003-ArmPlatformPkg-Bds-check-for-other-defaults-too-if-u.patch
# PATCH-FIX-OPENSUSE 0004-ArmPlatformPkg-ArmVirtualizationPkg-auto-detect-boot.patch bnc#123456 you@foo -- descr
Patch7: %{name}-0004-ArmPlatformPkg-ArmVirtualizationPkg-auto-detect-boot.patch
# PATCH-FIX-OPENSUSE 0005-ArmPlatformPkg-Bds-initialize-ConIn-ConOut-ErrOut-be.patch bnc#123456 you@foo -- descr
Patch8: %{name}-0005-ArmPlatformPkg-Bds-initialize-ConIn-ConOut-ErrOut-be.patch
# PATCH-FIX-OPENSUSE 0006-ArmPlatformPkg-Bds-let-FindCandidate-search-all-file.patch bnc#123456 you@foo -- descr
Patch9: %{name}-0006-ArmPlatformPkg-Bds-let-FindCandidate-search-all-file.patch
# PATCH-FIX-OPENSUSE 0007-ArmPlatformPkg-Bds-FindCandidateOnHandle-log-full-de.patch bnc#123456 you@foo -- descr
Patch10: %{name}-0007-ArmPlatformPkg-Bds-FindCandidateOnHandle-log-full-de.patch
# PATCH-FIX-OPENSUSE 0008-ArmPlatformPkg-Bds-fall-back-to-Boot-Menu-when-no-de.patch bnc#123456 you@foo -- descr
Patch11: %{name}-0008-ArmPlatformPkg-Bds-fall-back-to-Boot-Menu-when-no-de.patch
# PATCH-FIX-OPENSUSE 0009-ArmPlatformPkg-Bds-always-connect-drivers-before-loo.patch bnc#123456 you@foo -- descr
Patch12: %{name}-0009-ArmPlatformPkg-Bds-always-connect-drivers-before-loo.patch
# PATCH-FIX-OPENSUSE 0010-avoid-potentially-uninitialized-variable.diff bnc#123456 you@foo -- descr
Patch13: %{name}-0010-avoid-potentially-uninitialized-variable.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: libuuid-devel
BuildRequires: fdupes
BuildRequires: gcc
BuildRequires: gcc-c++
BuildRequires: python
%ifnarch aarch64 %arm
BuildRequires: iasl
BuildRequires: nasm
%endif
%ifarch x86_64
BuildRequires: openssl
BuildRequires: unzip
%if 0%{?suse_version}
BuildRequires: vim-base
%else
BuildRequires: vim-common
%endif
%endif
ExclusiveArch: %ix86 x86_64 aarch64 %arm
%description
The Open Virtual Machine Firmware (OVMF) project aims to support
firmware for Virtual Machines using the edk2 code base.
%ifarch %ix86
%package -n qemu-ovmf-ia32
Summary: Open Virtual Machine Firmware - QEMU rom images (IA32)
Group: System/Emulators/PC
BuildArch: noarch
Requires: qemu
%description -n qemu-ovmf-ia32
The Open Virtual Machine Firmware (OVMF) project aims to support
firmware for Virtual Machines using the edk2 code base.
This package contains UEFI rom images for exercising UEFI secure
boot in a qemu environment (IA32)
%endif
%ifarch x86_64
%package -n qemu-ovmf-x86_64
Summary: Open Virtual Machine Firmware - QEMU rom images (x86_64)
Group: System/Emulators/PC
BuildArch: noarch
Requires: qemu
%description -n qemu-ovmf-x86_64
The Open Virtual Machine Firmware (OVMF) project aims to support
firmware for Virtual Machines using the edk2 code base.
This package contains UEFI rom images for exercising UEFI secure
boot in a qemu environment (x86_64)
%package -n qemu-ovmf-x86_64-debug
Summary: Open Virtual Machine Firmware - debug symbols (x86_64)
Group: System/Emulators/PC
Requires: qemu
%description -n qemu-ovmf-x86_64-debug
The Open Virtual Machine Firmware (OVMF) project aims to support
firmware for Virtual Machines using the edk2 code base.
This package contains the debug symbols for UEFI rom images (x86_64)
%endif
%ifarch aarch64
%package -n qemu-uefi-aarch64
Summary: UEFI QEMU rom image (AArch64)
Group: System/Emulators/PC
BuildArch: noarch
%description -n qemu-uefi-aarch64
This package contains the UEFI rom image (AArch64) for QEMU cortex-a57
virt board.
%endif
%ifarch %arm
%package -n qemu-uefi-aarch32
Summary: UEFI QEMU rom image (AArch32)
Group: System/Emulators/PC
BuildArch: noarch
%description -n qemu-uefi-aarch32
This package contains the UEFI rom image (AArch32) for QEMU cortex-a15
virt board.
%endif
%prep
%setup -q -n %{name}-%{version}
%setup -T -D -n %{name}-%{version}/CryptoPkg/Library/OpensslLib -a 1
%setup -T -D -n %{name}-%{version}
%ifarch x86_64
%patch2 -p1
%endif
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
# Intel has special patches for openssl
pushd CryptoPkg/Library/OpensslLib/openssl-0.9.8zf
patch -p0 -i ../EDKII_openssl-0.9.8zf.patch
cd ..
./Install.sh
popd
%build
OVMF_FLAGS="-D FD_SIZE_2MB -D SECURE_BOOT_ENABLE -D NETWORK_IP6_ENABLE"
TOOL_CHAIN_TAG=GCC$(gcc -dumpversion|sed 's/\([0-9]\)\.\([0-9]\).*/\1\2/')
%ifarch %ix86
BUILD_OPTIONS="$OVMF_FLAGS -a IA32 -p OvmfPkg/OvmfPkgIa32.dsc -b DEBUG -t $TOOL_CHAIN_TAG"
make -C BaseTools
%else
%ifarch x86_64
BUILD_OPTIONS="$OVMF_FLAGS -a X64 -p OvmfPkg/OvmfPkgX64.dsc -b DEBUG -t $TOOL_CHAIN_TAG"
make -C BaseTools
%else
%ifarch aarch64
BUILD_OPTIONS="-D SECURE_BOOT_ENABLE -a AARCH64 -p ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc -b RELEASE -t $TOOL_CHAIN_TAG"
ARCH=AARCH64 make -C BaseTools
%else
%ifarch %arm
BUILD_OPTIONS="-a ARM -p ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc -b RELEASE -t $TOOL_CHAIN_TAG"
ARCH=ARM make -C BaseTools
%else
echo "ERROR: unsupported architecture"
false
%endif #arm
%endif #aarch64
%endif #x86_64
%endif #ix86
. ./edksetup.sh
# Build the UEFI image
build $BUILD_OPTIONS
%ifarch %ix86
cp Build/OvmfIa32/DEBUG_*/FV/OVMF.fd ovmf-ia32.bin
cp Build/OvmfIa32/DEBUG_*/FV/OVMF_CODE.fd ovmf-ia32-code.bin
cp Build/OvmfIa32/DEBUG_*/FV/OVMF_VARS.fd ovmf-ia32-vars.bin
%else
%ifarch x86_64
collect_debug_files()
{
target="$1"
out_dir="debug/$target"
abs_path="`pwd`/$out_dir/"
source_path="`pwd`"
gdb_src_path="/usr/src/debug/ovmf-x86_64"
# copy the debug symbols
mkdir -p $out_dir
pushd Build/OvmfX64/DEBUG_GCC4*/X64/
find . -mindepth 2 -type f -name "*.debug" -exec cp --parents -a {} $abs_path \;
cp --parents -a DebugPkg/GdbSyms/GdbSyms/DEBUG/GdbSyms.dll $abs_path
build_path=`pwd`
popd
# Change the path in the python gdb script
sed "s:__BUILD_PATH__:$build_path:;s:__SOURCE_PATH__:$source_path:;s:__GDB_SRC_PATH__:$gdb_src_path:;s/__FLAVOR__/$target/" \
%{SOURCE101} > gdb_uefi-$target.py
}
cp Build/OvmfX64/DEBUG_*/FV/OVMF.fd ovmf-x86_64.bin
cp Build/OvmfX64/DEBUG_*/FV/OVMF_CODE.fd ovmf-x86_64-code.bin
cp Build/OvmfX64/DEBUG_*/FV/OVMF_VARS.fd ovmf-x86_64-vars.bin
# Collect the debug files
collect_debug_files ovmf-x86_64
# Collect the source
mkdir -p source/ovmf-x86_64
# TODO get the source list from debug files
src_list=`find Build/OvmfX64/DEBUG_GCC4*/X64/ -mindepth 1 -maxdepth 1 -type d -exec basename {} \;`
find $src_list \( -name "*.c" -o -name "*.h" \) -type f -exec cp --parents -a {} source/ovmf-x86_64 \;
build_with_keys()
{
suffix="$1"
xxd -i Default_PK > SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_PK.h
xxd -i Default_KEK > SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_KEK.h
xxd -i Default_DB > SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DB.h
if [ -e Default_DBX ]; then
xxd -i Default_DBX > SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DBX.h
fi
build $BUILD_OPTIONS
cp Build/OvmfX64/DEBUG_*/FV/OVMF.fd ovmf-x86_64-$suffix.bin
cp Build/OvmfX64/DEBUG_*/FV/OVMF_CODE.fd ovmf-x86_64-$suffix-code.bin
cp Build/OvmfX64/DEBUG_*/FV/OVMF_VARS.fd ovmf-x86_64-$suffix-vars.bin
collect_debug_files ovmf-x86_64-$suffix
}
# OVMF with SUSE keys
openssl x509 -in %{SOURCE3} -outform DER > Default_PK
openssl x509 -in %{SOURCE3} -outform DER > Default_KEK
openssl x509 -in %{SOURCE4} -outform DER > Default_DB
build_with_keys suse
#unpack the UEFI revocation list
unzip %{SOURCE11}
# OVMF with MS keys
cat %{SOURCE5} > Default_PK
cat %{SOURCE5} > Default_KEK
cat %{SOURCE6} > Default_DB
chmod 755 %{SOURCE12}
%{SOURCE12} dbxupdate.bin Default_DBX
build_with_keys ms
rm -f Default_DBX
# OVMF with openSUSE keys
openssl x509 -in %{SOURCE7} -outform DER > Default_PK
openssl x509 -in %{SOURCE7} -outform DER > Default_KEK
openssl x509 -in %{SOURCE8} -outform DER > Default_DB
build_with_keys opensuse
# OVMF with openSUSE keys (4096 bit CA)
openssl x509 -in %{SOURCE9} -outform DER > Default_PK
openssl x509 -in %{SOURCE9} -outform DER > Default_KEK
openssl x509 -in %{SOURCE10} -outform DER > Default_DB
build_with_keys opensuse-4096
if [ -e %{_sourcedir}/_projectcert.crt ]; then
prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash)
opensusesubject=$(openssl x509 -in %{SOURCE7} -noout -subject_hash)
slessubject=$(openssl x509 -in %{SOURCE3} -noout -subject_hash)
if [ "$prjissuer" != "$opensusesubject" -a "$prjissuer" != "$slessubject" ]; then
openssl x509 -in %{_sourcedir}/_projectcert.crt -outform DER > Default_PK
openssl x509 -in %{_sourcedir}/_projectcert.crt -outform DER > Default_KEK
openssl x509 -in %{_sourcedir}/_projectcert.crt -outform DER > Default_DB
build_with_keys devel
fi
fi
%else
%ifarch aarch64
cp Build/ArmVirtualizationQemu-AARCH64/RELEASE_GCC*/FV/QEMU_EFI.fd qemu-uefi-aarch64.bin
%else
%ifarch %arm
cp Build/ArmVirtualizationQemu-ARM/RELEASE_GCC*/FV/QEMU_EFI.fd qemu-uefi-aarch32.bin
%endif #arm
%endif #aarch64
%endif #x86_64
%endif #ix86
%install
rm -rf %{buildroot}
cp %{SOURCE2} README
tr -d '\r' < FatBinPkg/License.txt > License-fat-driver.txt
%ifarch %ix86
tr -d '\r' < OvmfPkg/License.txt > License.txt
install -m 0644 -D ovmf-ia32.bin %{buildroot}/%{_datadir}/qemu/ovmf-ia32.bin
install -m 0644 -D ovmf-ia32-code.bin %{buildroot}/%{_datadir}/qemu/ovmf-ia32-code.bin
install -m 0644 -D ovmf-ia32-vars.bin %{buildroot}/%{_datadir}/qemu/ovmf-ia32-vars.bin
%else
%ifarch x86_64
tr -d '\r' < OvmfPkg/License.txt > License.txt
install -m 0644 -D ovmf-x86_64.bin %{buildroot}/%{_datadir}/qemu/ovmf-x86_64.bin
install -m 0644 ovmf-x86_64-*.bin %{buildroot}/%{_datadir}/qemu/
# Install debug symbols, gdb-uefi.py
install -d %{buildroot}/%{_datadir}/ovmf-x86_64/
install -m 0644 gdb_uefi-*.py %{buildroot}/%{_datadir}/ovmf-x86_64/
mkdir -p %{buildroot}/usr/lib/debug
mv debug/ovmf-x86_64* %{buildroot}/usr/lib/debug
%fdupes %{buildroot}/usr/lib/debug/ovmf-x86_64*
mkdir -p %{buildroot}/usr/src/debug
mv source/ovmf-x86_64* %{buildroot}/usr/src/debug
%fdupes -s %{buildroot}/usr/src/debug/ovmf-x86_64
%else
%ifarch aarch64
tr -d '\r' < ArmPlatformPkg/License.txt > License.txt
install -m 0644 -D qemu-uefi-aarch64.bin %{buildroot}/%{_datadir}/qemu/qemu-uefi-aarch64.bin
%else
%ifarch %arm
tr -d '\r' < ArmPlatformPkg/License.txt > License.txt
install -m 0644 -D qemu-uefi-aarch32.bin %{buildroot}/%{_datadir}/qemu/qemu-uefi-aarch32.bin
%endif #arm
%endif #aarch64
%endif #x86_64
%endif #ix86
%files
%defattr(-,root,root,-)
%doc README
%ifarch %ix86
%files -n qemu-ovmf-ia32
%defattr(-,root,root,-)
%doc License.txt License-fat-driver.txt
%dir %{_datadir}/qemu/
%{_datadir}/qemu/ovmf-ia32*.bin
%endif
%ifarch x86_64
%files -n qemu-ovmf-x86_64
%defattr(-,root,root,-)
%doc License.txt License-fat-driver.txt
%dir %{_datadir}/qemu/
%{_datadir}/qemu/ovmf-x86_64*.bin
%files -n qemu-ovmf-x86_64-debug
%defattr(-,root,root,-)
%{_datadir}/ovmf-x86_64/
%dir /usr/lib/debug/
/usr/lib/debug/ovmf-x86_64*
%dir /usr/src/debug/
/usr/src/debug/ovmf-x86_64*
%endif
%ifarch aarch64
%files -n qemu-uefi-aarch64
%defattr(-,root,root,-)
%doc License.txt License-fat-driver.txt
%dir %{_datadir}/qemu/
%{_datadir}/qemu/qemu-uefi-aarch64.bin
%endif
%ifarch %arm
%files -n qemu-uefi-aarch32
%defattr(-,root,root,-)
%doc License.txt License-fat-driver.txt
%dir %{_datadir}/qemu/
%{_datadir}/qemu/qemu-uefi-aarch32.bin
%endif
%changelog
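Review bot: Source11 fetches dbxupdate.zip from a plain http:// URL, and %build runs strip_authinfo.pl on dbxupdate.bin to drop the AuthInfo header before embedding the result as Default_DBX, so nothing in the spec checks that the revocation list is the one that was published. The openssl tarball has a detached signature and keyring (Source111, Source112) but the dbx has no counterpart; suggest pinning a checksum for the zip or verifying the AuthInfo signature before stripping it. Separately, every PATCH-FIX-OPENSUSE comment still carries the template text "bnc#123456 you@foo -- descr"; fill in the real reference and description or drop the tags.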
++++++ README ++++++
Running the OVMF image in qemu
==============================
There are two flavors of the OVMF efi images: the 64 bit and 32 bit one.
For the 64 bit image, use the following command:
qemu-system-x86_64 -bios /usr/share/qemu/ovmf-x86_64.bin
For 32 bit:
qemu-system-i386 -bios /usr/share/qemu/ovmf-ia32.bin
The rom will boot up to an EFI shell. If you add standard things like a USB
drive, you can also run efi executables.
To enrol the platform and key exchange keys, exit the efi shell, select
'Device Manager' then 'Secure Boot Configuration' and change the secure boot
mode from "Standard Mode" to "Custom Mode". This will cause an extra "Custom
Secure Boot Options" menu to appear from which you can enrol the Platform and
Key Exchange keys (these need to be present on external media, like a USB
key).
Note that enroling the KEK will require you to specify a GUID. The GUID is
used only to identify the keys later (it's essentially the globally unique
label for the key). If you only enrol one KEK, you can ignore this and it
will end up with a GUID of all zeros.
Flash Mode
----------
For version >= r14840, OVMF supports the qemu flash mode. The non-volatile
variables were originally stored in NvVars, a file in the ESP. With the flash
mode support, all changes will be saved in the firmware file directly.
Here is the example to use OVMF in the flash mode:
qemu-system-x86_64 -pflash ovmf-x86_64.bin
Please make sure the firmware is writable before using the flash mode, or all
your changes won't be saved.
Starting from r15670, two extra firmware files are provided for the flash mode:
ovmf-*-code.bin and ovmf-*-vars.bin, and all non-volatile variables will be
stored in ovmf-*-vars.bin. Example:
qemu-system-x86_64 -pflash ovmf-x86_64-code.bin -pflash ovmf-x86_64-vars.bin
It would be easier to manage the NV variables with the separated vars firmware.
Image with preloaded keys
-------------------------
Besides the generic OVMF images, there are images preloaded with different
vendor keys.
ovmf-x86_64-ms.bin
- PK: Microsoft Corporation KEK CA 2011
- KEK: Microsoft Corporation KEK CA 2011
- db: Microsoft Corporation UEFI CA 2011
ovmf-x86_64-opensuse.bin
- PK: openSUSE Secure Boot CA
- KEK: openSUSE Secure Boot CA
- db: openSUSE Secure Boot Signkey
ovmf-x86_64-suse.bin
- PK: SUSE Linux Enterprise Secure Boot CA
- KEK: SUSE Linux Enterprise Secure Boot CA
- db: SUSE Linux Enterprise Secure Boot Signkey
Note that the preloaded key images are all 64 bit because openSUSE/SLE and
Windows only support Secure Boot in 64 bit mode.
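Review bot: The list of preloaded-key images stops at ms, opensuse and suse, but the spec's %build also calls build_with_keys opensuse-4096 and, when a _projectcert.crt is present, build_with_keys devel, and the ms image additionally embeds a dbx. Add entries for ovmf-x86_64-opensuse-4096.bin and the devel image, and mention the dbx under the ms image, so users can tell which trust anchors each file ships with.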
Creating Platform and Key Exchange keys
=======================================
A note about terminology. In UEFI terms, "key" means certificate (not the
openssl key). UEFI keys are required to be based on RSA 2048 bit keys.
The Platform key and Key Exchange Keys should be the equivalent of CA root
certificates (i.e. a self signed certificate). Note that in current tianocore
OVMF, the input certificates, if taken from external media, *must* be in a
file with a .cer extension and in DER format.
The platform key is the key which controls updates to the Key Exchange Key
database. The Key Exchange Key controls updates to the signature databases.
Note that if the Key Exchange Key is an X509 key, any key which has the KEK as
its root signature can also be used to validate an efi binary without need for
any entries in the signatures database.
Create Platform Key (PK)
------------------------
    openssl req -new -x509 -newkey rsa:2048 -keyout PK.key -out PK.crt -days <length>
Note that the Key is PK.crt (PK.key is the private key you use to sign other
certificates).
Now convert to DER format:
    openssl x509 -in PK.crt -out PK.cer -outform DER
The file PK.cer can be placed on a USB key for enrolling as the platform key.
Create Key Exchange Key (KEK)
-----------------------------
This is done exactly as the Platform key above, except call the file KEK.cer
instead.
Note, for experimentation purposes, there's no reason the KEK and the PK can't
be the same certificate.
Creating derived keys from the KEK
----------------------------------
This process can be used to create subordinate keys which can be used to sign
efi binaries (since their roots can be traced back to the KEK).
    openssl req -new -newkey rsa:2048 -keyout new.key -out new.csr -days <length>
Now sign the certificate request with the KEK:
    openssl x509 -req -in new.csr -CA KEK.crt -CAkey KEK.key -set_serial 1 -out new.crt
Note that since the new key doesn't have to be enrolled in the platform
because its root of trust can be traced back to the KEK, there's no need to
create a DER form of the key (the sbsign utilities used to sign efi binaries
take the key.crt file which is in PEM form).
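The three steps above run end to end, followed by checks of the properties this
section relies on (DER encoding of the .cer files, 2048-bit RSA, self-signed
PK/KEK, signing certificate chaining to the KEK). This is an added example, not
part of the package README; the function names, certificate subjects, 365-day
lifetime, minimal config file and unencrypted (-nodes) keys are assumptions
made so the script runs unattended.

```shell
#!/bin/sh
# Added example: non-interactive PK / KEK / derived-key creation plus checks.
# Subjects, lifetime and file layout are constructed for the demonstration.

# make_uefi_keys DIR: create PK, KEK and one KEK-signed signing certificate.
make_uefi_keys() {
    dir=$1
    mkdir -p "$dir" || return 1
    # Minimal config so the run does not depend on a system-wide openssl.cnf.
    cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = constructed placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    for name in PK KEK; do
        # -nodes leaves the private key unencrypted: acceptable for a lab VM
        # only; protect or passphrase-encrypt real keys.
        openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 \
            -config "$dir/openssl.cnf" -subj "/CN=Example $name constructed" \
            -keyout "$dir/$name.key" -out "$dir/$name.crt" -days 365 \
            2>/dev/null || return 1
        # OVMF wants DER input in a file with a .cer extension.
        openssl x509 -in "$dir/$name.crt" -out "$dir/$name.cer" \
            -outform DER || return 1
    done
    # Derived key: certificate request, then signed by the KEK.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/openssl.cnf" -subj "/CN=Example signer constructed" \
        -keyout "$dir/new.key" -out "$dir/new.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/new.csr" -CA "$dir/KEK.crt" \
        -CAkey "$dir/KEK.key" -set_serial 1 -days 365 -sha256 \
        -out "$dir/new.crt" 2>/dev/null || return 1
    chmod 600 "$dir"/*.key
}

# is_der_cert FILE: succeeds only if FILE is a DER certificate, not PEM text.
is_der_cert() {
    if grep -q -- '-----BEGIN' "$1"; then
        return 1
    fi
    openssl x509 -inform DER -in "$1" -noout 2>/dev/null
}

# rsa_bits FILE: print the public key size of a PEM certificate.
rsa_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# is_self_signed FILE: subject equals issuer and the signature verifies
# against the certificate's own key.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$issr" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# chains_to CA LEAF: succeeds if LEAF verifies with CA as the only trust root.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run: the keys stay in a private temporary directory.
workdir=$(mktemp -d)
if make_uefi_keys "$workdir"; then
    for f in PK KEK; do
        is_der_cert "$workdir/$f.cer" && echo "$f.cer: DER, ready for enrolment"
        is_self_signed "$workdir/$f.crt" && echo "$f.crt: self-signed"
        echo "$f.crt: RSA $(rsa_bits "$workdir/$f.crt") bit"
    done
    chains_to "$workdir/KEK.crt" "$workdir/new.crt" &&
        echo "new.crt: chains to KEK"
    echo "files written to $workdir"
else
    echo "key generation failed (is openssl installed?)" >&2
fi
```

Only PK.cer and KEK.cer need to go onto the external media; the .key files
should stay on the machine that does the signing.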
Running the UEFI ARM image in qemu
==================================
There are two flavors of the UEFI ARM images: AArch32 and AArch64.
For the AArch64 image, use the following command:
    qemu-system-aarch64 -m 1024 -M virt -cpu cortex-a57 -bios /usr/share/qemu/qemu-uefi-aarch64.bin -serial stdio
For AArch32:
    qemu-system-arm -m 1024 -M virt -cpu cortex-a15 -bios /usr/share/qemu/qemu-uefi-aarch32.bin -serial stdio
++++++ SLES-UEFI-CA-Certificate-2048.crt ++++++
++++++ SLES-UEFI-SIGN-Certificate-2048.crt ++++++
++++++ _service ++++++
<services>
<service name="tar_scm" mode="disabled">
<param name="filename">ovmf</param>
<param name="versionformat">0.1+svn%r</param>
<param name="url">https://svn.code.sf.net/p/edk2/code/trunk/edk2</param>
<param name="scm">svn</param>
</service>
<service name="recompress" mode="disabled">
<param name="compression">xz</param>
<param name="file">*.tar</param>
</service>
<service name="set_version" mode="disabled"/>
</services>
++++++ gdb_uefi.py.in ++++++
"""
Allows loading TianoCore symbols into a GDB session attached to EFI
Firmware.
This is how it works: build GdbSyms - it's a dummy binary that
contains the relevant symbols needed to find and load image symbols.
$ gdb
(gdb) target remote ....
(gdb) source Scripts/gdb_uefi.py
(gdb) reload-uefi -o /path/to/GdbSyms.dll
The -o option should be used if you're debugging EFI, where the PE
images were converted from MACH-O or ELF binaries.
"""
import array
import getopt
import binascii
import re
import gdb

__license__ = "BSD"
__version__ = "1.0.0"
__maintainer__ = "Andrei Warkentin"
__email__ = "andrey.warkentin(a)gmail.com"
__status__ = "Works"

# FOR RPM PACKAGE replace the strings in the spec file
build_path="__BUILD_PATH__"
source_path="__SOURCE_PATH__"
gdb_src_path="__GDB_SRC_PATH__"
flavor="__FLAVOR__"

class ReloadUefi (gdb.Command):
    """Reload UEFI symbols"""

    #
    # Various constants.
    #
    EINVAL = 0xffffffff
    CV_NB10 = 0x3031424E
    CV_RSDS = 0x53445352
    CV_MTOC = 0x434F544D
    DOS_MAGIC = 0x5A4D
    PE32PLUS_MAGIC = 0x20b
    EST_SIGNATURE = 0x5453595320494249L
    DEBUG_GUID = [0x49152E77, 0x1ADA, 0x4764,
                  [0xB7,0xA2,0x7A,0xFE,
                   0xFE,0xD9,0x5E, 0x8B]]
    DEBUG_IS_UPDATING = 0x1

    #
    # If the images were built as ELF/MACH-O and then converted to PE,
    # then the base address needs to be offset by PE headers.
    #
    offset_by_headers = False

    def __init__ (self):
        super (ReloadUefi, self).__init__ ("reload-uefi", gdb.COMMAND_OBSCURE)

    #
    # Returns gdb.Type for a type.
    #
    def type (self, typename):
        return gdb.lookup_type (typename)

    #
    # Returns gdb.Type for a pointer to a type.
    #
    def ptype (self, typename):
        return gdb.lookup_type (typename).pointer ()

    #
    # Computes CRC32 on an array of data.
    #
    def crc32 (self, data):
        return binascii.crc32 (data) & 0xFFFFFFFF

    #
    # Sets a field in a struct to a value, i.e.
    # value->field_name = data.
    #
    # Newer Py bindings to Gdb provide access to the inferior
    # memory, but not all, so have to do it this awkward way.
    #
    def set_field (self, value, field_name, data):
        gdb.execute ("set *(%s *) 0x%x = 0x%x" % \
            (str (value[field_name].type), \
             long (value[field_name].address), \
             data))

    #
    # Returns data backing a gdb.Value as an array.
    # Same comment as above regarding newer Py bindings...
    #
    def value_data (self, value, bytes=0):
        value_address = gdb.Value (value.address)
        array_t = self.ptype ('UINT8')
        value_array = value_address.cast (array_t)
        if bytes == 0:
            bytes = value.type.sizeof
        data = array.array ('B')
        for i in range (0, bytes):
            data.append (value_array[i])
        return data

    #
    # Locates the EFI_SYSTEM_TABLE as per UEFI spec 17.4.
    # Returns base address or -1.
    #
    def search_est (self):
        address = 0
        estp_t = self.ptype ('EFI_SYSTEM_TABLE_POINTER')
        while True:
            estp = gdb.Value(address).cast(estp_t)
            if estp['Signature'] == self.EST_SIGNATURE:
                oldcrc = long (estp['Crc32'])
                self.set_field (estp, 'Crc32', 0)
                newcrc = self.crc32 (self.value_data (estp.dereference (), 0))
                self.set_field (estp, 'Crc32', long (oldcrc))
                if newcrc == oldcrc:
                    return estp['EfiSystemTableBase']
            address = address + 4*1024*1024
            if long (address) == 0:
                return gdb.Value(self.EINVAL)

    #
    # Searches for a vendor-specific configuration table (in EST),
    # given a vendor-specific table GUID. GUID is a list like -
    # [32-bit, 16-bit, 16-bit, [8 bytes]]
    #
    def search_config (self, cfg_table, count, guid):
        index = 0
        while index != count:
            cfg_entry = cfg_table[index]['VendorGuid']
            if cfg_entry['Data1'] == guid[0] and \
               cfg_entry['Data2'] == guid[1] and \
               cfg_entry['Data3'] == guid[2] and \
               self.value_data (cfg_entry['Data4']).tolist () == guid[3]:
                return cfg_table[index]['VendorTable']
            index = index + 1
        return gdb.Value(self.EINVAL)

    #
    # Returns a UTF16 string corresponding to a (CHAR16 *) value in EFI.
    #
    def parse_utf16 (self, value):
        index = 0
        data = array.array ('H')
        while value[index] != 0:
            data.append (value[index])
            index = index + 1
        return data.tostring ().decode ('utf-16')

    #
    # Returns offset of a field within structure. Useful
    # for getting container of a structure.
    #
    def offsetof (self, typename, field):
        t = gdb.Value (0).cast (self.ptype (typename))
        return long (t[field].address)

    #
    # Returns sizeof of a type.
    #
    def sizeof (self, typename):
        return self.type (typename).sizeof

    #
    # Returns the EFI_IMAGE_NT_HEADERS32 pointer, given
    # an ImageBase address as a gdb.Value.
    #
    def pe_headers (self, imagebase):
        dosh_t = self.ptype ('EFI_IMAGE_DOS_HEADER')
        head_t = self.ptype ('EFI_IMAGE_OPTIONAL_HEADER_UNION')
        dosh = imagebase.cast(dosh_t)
        h_addr = imagebase
        if dosh['e_magic'] == self.DOS_MAGIC:
            h_addr = h_addr + dosh['e_lfanew']
        return gdb.Value(h_addr).cast (head_t)

    #
    # Returns True if pe_headers refer to a PE32+ image.
    #
    def pe_is_64 (self, pe_headers):
        if pe_headers['Pe32']['OptionalHeader']['Magic'] == self.PE32PLUS_MAGIC:
            return True
        return False

    #
    # Returns the PE (not so) optional header.
    #
    def pe_optional (self, pe):
        if self.pe_is_64 (pe):
            return pe['Pe32Plus']['OptionalHeader']
        else:
            return pe['Pe32']['OptionalHeader']

    #
    # Returns the symbol file name for a PE image.
    #
    def pe_parse_debug (self, pe):
        opt = self.pe_optional (pe)
        debug_dir_entry = opt['DataDirectory'][6]
        dep = debug_dir_entry['VirtualAddress'] + opt['ImageBase']
        dep = dep.cast (self.ptype ('EFI_IMAGE_DEBUG_DIRECTORY_ENTRY'))
        cvp = dep.dereference ()['RVA'] + opt['ImageBase']
        cvv = cvp.cast(self.ptype ('UINT32')).dereference ()
        if cvv == self.CV_NB10:
            return cvp + self.sizeof('EFI_IMAGE_DEBUG_CODEVIEW_NB10_ENTRY')
        elif cvv == self.CV_RSDS:
            return cvp + self.sizeof('EFI_IMAGE_DEBUG_CODEVIEW_RSDS_ENTRY')
        elif cvv == self.CV_MTOC:
            return cvp + self.sizeof('EFI_IMAGE_DEBUG_CODEVIEW_MTOC_ENTRY')
        return gdb.Value(self.EINVAL)

    #
    # Parses an EFI_LOADED_IMAGE_PROTOCOL, figuring out the symbol file name.
    # This file name is then appended to list of loaded symbols.
    #
    # TBD: Support TE images.
    #
    def parse_image (self, image, syms):
        base = image['ImageBase']
        pe = self.pe_headers (base)
        opt = self.pe_optional (pe)
        sym_name = self.pe_parse_debug (pe)
        # For ELF and Mach-O-derived images...
        if self.offset_by_headers:
            base = base + opt['SizeOfHeaders']
        if sym_name != self.EINVAL:
            sym_name = sym_name.cast (self.ptype('CHAR8')).string ()
            # Ignore the driver from qemu
            if re.search (r"\.efidrv$", sym_name):
                return
            # FOR RPM PACKAGE substitute the build path
            sym_name = re.sub(r"^"+re.escape(build_path), "/usr/lib/debug/"+flavor, sym_name)
            sym_name = re.sub(r"\.dll$", ".debug", sym_name)
            syms.append ("add-symbol-file %s 0x%x" % \
                         (sym_name,
                          long (base)))

    #
    # Parses table EFI_DEBUG_IMAGE_INFO structures, builds
    # a list of add-symbol-file commands, and reloads debugger
    # symbols.
    #
    def parse_edii (self, edii, count):
        index = 0
        syms = []
        while index != count:
            entry = edii[index]
            if entry['ImageInfoType'].dereference () == 1:
                entry = entry['NormalImage']
                self.parse_image(entry['LoadedImageProtocolInstance'], syms)
            else:
                print "Skipping unknown EFI_DEBUG_IMAGE_INFO (Type 0x%x)" % \
                      entry['ImageInfoType'].dereference ()
            index = index + 1
        gdb.execute ("symbol-file")
        print "Loading new symbols..."
        for sym in syms:
            print sym
            gdb.execute (sym)

    #
    # Parses EFI_DEBUG_IMAGE_INFO_TABLE_HEADER, in order to load
    # image symbols.
    #
    def parse_dh (self, dh):
        dh_t = self.ptype ('EFI_DEBUG_IMAGE_INFO_TABLE_HEADER')
        dh = dh.cast (dh_t)
        print "DebugImageInfoTable @ 0x%x, 0x%x entries" \
              % (long (dh['EfiDebugImageInfoTable']), dh['TableSize'])
        if dh['UpdateStatus'] & self.DEBUG_IS_UPDATING:
            print "EfiDebugImageInfoTable update in progress, retry later"
            return
        self.parse_edii (dh['EfiDebugImageInfoTable'], dh['TableSize'])

    #
    # Parses EFI_SYSTEM_TABLE, in order to load image symbols.
    #
    def parse_est (self, est):
        est_t = self.ptype ('EFI_SYSTEM_TABLE')
        est = est.cast (est_t)
        print "Connected to %s (Rev. 0x%x)" % \
              (self.parse_utf16 (est['FirmwareVendor']), \
               long (est['FirmwareRevision']))
        print "ConfigurationTable @ 0x%x, 0x%x entries" \
              % (long (est['ConfigurationTable']), est['NumberOfTableEntries'])
        dh = self.search_config(est['ConfigurationTable'],
                                est['NumberOfTableEntries'],
                                self.DEBUG_GUID)
        if dh == self.EINVAL:
            print "No EFI_DEBUG_IMAGE_INFO_TABLE_HEADER"
            return
        self.parse_dh (dh)

    #
    # Usage information.
    #
    def usage (self):
        print "Usage: reload-uefi [-o] /path/to/GdbSyms.dll"

    #
    # Handler for reload-uefi.
    #
    def invoke (self, arg, from_tty):
        args = arg.split(' ')
        try:
            opts, args = getopt.getopt(args, "o", ["offset-by-headers"])
        except getopt.GetoptError, err:
            self.usage ()
            return
        for opt, arg in opts:
            if opt == "-o":
                self.offset_by_headers = True
        if len(args) < 1:
            self.usage ()
            return
        # FOR RPM PACKAGE substitute the path of the source code
        gdb.execute ("set substitute-path "+source_path+" "+gdb_src_path)
        gdb.execute ("symbol-file")
        gdb.execute ("symbol-file %s" % args[0])
        est = self.search_est ()
        if est == self.EINVAL:
            print "No EFI_SYSTEM_TABLE..."
            return
        print "EFI_SYSTEM_TABLE @ 0x%x" % est
        self.parse_est (est)

ReloadUefi ()
++++++ openSUSE-UEFI-CA-Certificate-2048.crt ++++++
++++++ openSUSE-UEFI-CA-Certificate-4096.crt ++++++
++++++ openSUSE-UEFI-SIGN-Certificate-2048.crt ++++++
++++++ openSUSE-UEFI-SIGN-Certificate-4096.crt ++++++
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=openSUSE Secure Boot CA, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build(a)opensuse.org
Validity
Not Before: Jan 28 15:10:28 2013 GMT
Not After : Dec 7 15:10:28 2022 GMT
Subject: CN=openSUSE Secure Boot Signkey, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build(a)opensuse.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
03:32:FA:9C:BF:0D:88:BF:21:92:4B:0D:E8:2A:09:A5:4D:5D:EF:C8
X509v3 Authority Key Identifier:
keyid:99:0D:26:B7:F0:4D:D9:CE:64:E7:D1:8E:FD:68:7B:4A:5D:E2:86:A5
DirName:/CN=openSUSE Secure Boot CA/C=DE/L=Nuremberg/O=openSUSE Project/emailAddress=build(a)opensuse.org
serial:01
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
Code Signing
Signature Algorithm: sha256WithRSAEncryption
++++++ ovmf-0001-ArmPlatformPkg-ArmVirtualizationPkg-enable-DEBUG_VER.patch ++++++
>From b687cd5e037fe2710ffdc9b5dea1ce6134eededb Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek(a)redhat.com>
Date: Sun, 21 Sep 2014 23:12:09 +0200
Subject: [PATCH 1/9] ArmPlatformPkg/ArmVirtualizationPkg: enable DEBUG_VERBOSE
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek(a)redhat.com>
---
ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc | 1 +
1 file changed, 1 insertion(+)
diff --git a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc
index 0f064af..ce27b4d 100644
--- a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc
+++ b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc
@@ -91,6 +91,7 @@
gArmVirtualizationTokenSpaceGuid.PcdKludgeMapPciMmioAsCached|TRUE
[PcdsFixedAtBuild.common]
+ gEfiMdePkgTokenSpaceGuid.PcdDebugPrintErrorLevel|0x8040004F
gArmPlatformTokenSpaceGuid.PcdFirmwareVendor|"QEMU"
gArmPlatformTokenSpaceGuid.PcdCoreCount|1
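Review bot: the added PcdDebugPrintErrorLevel line is placed unconditionally in [PcdsFixedAtBuild.common], so the 0x8040004F mask, which includes the DEBUG_VERBOSE bit 0x00400000, is hard-coded for this platform with no condition on the build type and no reason given in the commit message. Consider making it conditional on a debug build, and add a comment above the line naming the bits the mask enables so the next reader does not have to decode it.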
--
1.8.3.1
++++++ ovmf-0002-ArmPlatformPkg-Bds-generate-ESP-Image-boot-option-if.patch ++++++
>From 6624a09b1ad2fac52024c403eec75076c3ff0652 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek(a)redhat.com>
Date: Wed, 27 Nov 2013 01:07:05 +0100
Subject: [PATCH 2/9] ArmPlatformPkg/Bds: generate ESP Image boot option if
user pref is unset
This hack is probably not upstreamable, but it should ease development:
If "PcdDefaultBootDevicePath" is set to the empty string in the platform
DSC file, then this patch will try to boot the file called "Image" from
the ESP. This should make the UEFI binary independent of the ESP's
characteristics (UUID of GPT partition, size, etc) and require disk image
files only to provide a file called "Image" in the ESP.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek(a)redhat.com>
---
ArmPlatformPkg/Bds/Bds.c | 66 +++++++++++++++++++++++++++++----------------
ArmPlatformPkg/Bds/Bds.inf | 1
2 files changed, 44 insertions(+), 23 deletions(-)
--- a/ArmPlatformPkg/Bds/Bds.c
+++ b/ArmPlatformPkg/Bds/Bds.c
@@ -20,6 +20,7 @@
#include <Protocol/Bds.h>
#include <Guid/EventGroup.h>
+#include <Guid/Gpt.h>
#define EFI_SET_TIMER_TO_SECOND 10000000
@@ -238,34 +239,53 @@ DefineDefaultBootEntries (
Status = gRT->GetVariable (L"BootOrder", &gEfiGlobalVariableGuid, NULL, &Size, NULL);
if (Status == EFI_NOT_FOUND) {
if ((PcdGetPtr(PcdDefaultBootDevicePath) == NULL) || (StrLen ((CHAR16*)PcdGetPtr(PcdDefaultBootDevicePath)) == 0)) {
- return EFI_UNSUPPORTED;
- }
+ UINTN NrHandles;
+ EFI_HANDLE *Handles;
- Status = gBS->LocateProtocol (&gEfiDevicePathFromTextProtocolGuid, NULL, (VOID **)&EfiDevicePathFromTextProtocol);
- if (EFI_ERROR(Status)) {
- // You must provide an implementation of DevicePathFromTextProtocol in your firmware (eg: DevicePathDxe)
- DEBUG((EFI_D_ERROR,"Error: Bds requires DevicePathFromTextProtocol\n"));
- return Status;
- }
- BootDevicePath = EfiDevicePathFromTextProtocol->ConvertTextToDevicePath ((CHAR16*)PcdGetPtr(PcdDefaultBootDevicePath));
+ BdsConnectAllDrivers();
+ Status = gBS->LocateHandleBuffer (ByProtocol,
+ &gEfiPartTypeSystemPartGuid, NULL /* SearchKey */,
+ &NrHandles, &Handles);
+ if (!EFI_ERROR (Status)) {
+ ASSERT (NrHandles > 0);
+ BootDevicePath = FileDevicePath (Handles[0], L"Image");
+ if (BootDevicePath == NULL) {
+ Status = EFI_OUT_OF_RESOURCES;
+ }
+ FreePool (Handles);
+ }
+ if (EFI_ERROR (Status)) {
+ DEBUG ((EFI_D_ERROR, "failed to auto-create default boot option: %r\n",
+ Status));
+ return Status;
+ }
+ } else {
+ Status = gBS->LocateProtocol (&gEfiDevicePathFromTextProtocolGuid, NULL, (VOID **)&EfiDevicePathFromTextProtocol);
+ if (EFI_ERROR(Status)) {
+ // You must provide an implementation of DevicePathFromTextProtocol in your firmware (eg: DevicePathDxe)
+ DEBUG((EFI_D_ERROR,"Error: Bds requires DevicePathFromTextProtocol\n"));
+ return Status;
+ }
+ BootDevicePath = EfiDevicePathFromTextProtocol->ConvertTextToDevicePath ((CHAR16*)PcdGetPtr(PcdDefaultBootDevicePath));
- DEBUG_CODE_BEGIN();
- // We convert back to the text representation of the device Path to see if the initial text is correct
- EFI_DEVICE_PATH_TO_TEXT_PROTOCOL* DevicePathToTextProtocol;
- CHAR16* DevicePathTxt;
+ DEBUG_CODE_BEGIN();
+ // We convert back to the text representation of the device Path to see if the initial text is correct
+ EFI_DEVICE_PATH_TO_TEXT_PROTOCOL* DevicePathToTextProtocol;
+ CHAR16* DevicePathTxt;
- Status = gBS->LocateProtocol(&gEfiDevicePathToTextProtocolGuid, NULL, (VOID **)&DevicePathToTextProtocol);
- ASSERT_EFI_ERROR(Status);
- DevicePathTxt = DevicePathToTextProtocol->ConvertDevicePathToText (BootDevicePath, TRUE, TRUE);
+ Status = gBS->LocateProtocol(&gEfiDevicePathToTextProtocolGuid, NULL, (VOID **)&DevicePathToTextProtocol);
+ ASSERT_EFI_ERROR(Status);
+ DevicePathTxt = DevicePathToTextProtocol->ConvertDevicePathToText (BootDevicePath, TRUE, TRUE);
- if (StrCmp ((CHAR16*)PcdGetPtr (PcdDefaultBootDevicePath), DevicePathTxt) != 0) {
- DEBUG ((EFI_D_ERROR, "Device Path given: '%s' Device Path expected: '%s'\n",
- (CHAR16*)PcdGetPtr (PcdDefaultBootDevicePath), DevicePathTxt));
- ASSERT_EFI_ERROR (EFI_INVALID_PARAMETER);
- }
+ if (StrCmp ((CHAR16*)PcdGetPtr (PcdDefaultBootDevicePath), DevicePathTxt) != 0) {
+ DEBUG ((EFI_D_ERROR, "Device Path given: '%s' Device Path expected: '%s'\n",
+ (CHAR16*)PcdGetPtr (PcdDefaultBootDevicePath), DevicePathTxt));
+ ASSERT_EFI_ERROR (EFI_INVALID_PARAMETER);
+ }
- FreePool (DevicePathTxt);
- DEBUG_CODE_END();
+ FreePool (DevicePathTxt);
+ DEBUG_CODE_END();
+ }
// Create the entry is the Default values are correct
if (BootDevicePath != NULL) {
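Review bot: in the new empty-PcdDefaultBootDevicePath branch only Handles[0] is used, and the path is built with FileDevicePath (Handles[0], L"Image") without checking that the file exists. ASSERT (NrHandles > 0) adds nothing once LocateHandleBuffer has returned success, and with more than one ESP attached the boot target depends on handle enumeration order. Suggest iterating over the handles and opening the file before creating the boot option, and documenting in the function header that an empty PCD now means auto-detect rather than EFI_UNSUPPORTED.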
--- a/ArmPlatformPkg/Bds/Bds.inf
+++ b/ArmPlatformPkg/Bds/Bds.inf
@@ -53,6 +53,7 @@
gEfiEndOfDxeEventGroupGuid
gEfiFileSystemInfoGuid
gArmGlobalVariableGuid
+ gEfiPartTypeSystemPartGuid
[Protocols]
gEfiBdsArchProtocolGuid
++++++ ovmf-0003-ArmPlatformPkg-Bds-check-for-other-defaults-too-if-u.patch ++++++
>From 449888b252138a33cc94bce099262ee52b55b69e Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek(a)redhat.com>
Date: Fri, 13 Dec 2013 22:02:37 +0100
Subject: [PATCH 3/9] ArmPlatformPkg/Bds: check for other defaults too if user
pref is unset
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek(a)redhat.com>
---
ArmPlatformPkg/Bds/Bds.c | 63 +++++++++++++++++++++++++++++++++++++++++++---
ArmPlatformPkg/Bds/Bds.inf | 1 +
2 files changed, 60 insertions(+), 4 deletions(-)
diff --git a/ArmPlatformPkg/Bds/Bds.c b/ArmPlatformPkg/Bds/Bds.c
index 276a7c0..b376433 100644
--- a/ArmPlatformPkg/Bds/Bds.c
+++ b/ArmPlatformPkg/Bds/Bds.c
@@ -18,6 +18,7 @@
#include <Library/PerformanceLib.h>
#include <Protocol/Bds.h>
+#include <Protocol/SimpleFileSystem.h>
#include <Guid/EventGroup.h>
#include <Guid/Gpt.h>
@@ -211,6 +212,63 @@ InitializeConsole (
return EFI_SUCCESS;
}
+STATIC
+EFI_STATUS
+FindCandidate (
+ IN EFI_HANDLE Handle,
+ OUT EFI_DEVICE_PATH **Candidate
+ )
+{
+ EFI_STATUS Status;
+ EFI_SIMPLE_FILE_SYSTEM_PROTOCOL *FileSystem;
+ EFI_FILE_PROTOCOL *RootDir;
+ CONST CHAR16 *CONST *FileName;
+ CONST CHAR16 *CONST Candidates[] = {
+ EFI_REMOVABLE_MEDIA_FILE_NAME,
+ L"\\Image",
+ L"\\EFI\\redhat\\grubaa64.efi",
+ L"\\EFI\\fedora\\grubaa64.efi",
+ NULL
+ };
+
+ Status = gBS->HandleProtocol (Handle, &gEfiSimpleFileSystemProtocolGuid,
+ (VOID **) &FileSystem);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+ Status = FileSystem->OpenVolume (FileSystem, &RootDir);
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+
+ for (FileName = Candidates; *FileName != NULL; ++FileName) {
+ EFI_FILE_PROTOCOL *File;
+
+ Status = RootDir->Open (RootDir, &File, (CHAR16 *) *FileName,
+ EFI_FILE_MODE_READ, 0);
+ if (!EFI_ERROR (Status)) {
+ File->Close (File);
+ break;
+ }
+ }
+ if (*FileName == NULL) {
+ Status = EFI_NOT_FOUND;
+ goto CloseRoot;
+ }
+
+ *Candidate = FileDevicePath (Handle, *FileName);
+ if (*Candidate == NULL) {
+ Status = EFI_OUT_OF_RESOURCES;
+ goto CloseRoot;
+ }
+
+ DEBUG ((EFI_D_INFO, "%a: found \"%s\"\n", __FUNCTION__, *FileName));
+
+CloseRoot:
+ RootDir->Close (RootDir);
+ return Status;
+}
+
EFI_STATUS
DefineDefaultBootEntries (
VOID
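Review bot: the Candidates[] table in FindCandidate() carries no comment on its precedence. The first file that opens wins, so a root-level \Image is chosen ahead of the loaders under \EFI\redhat and \EFI\fedora, and the list hard-codes two vendor directories. Please document the intended order (or move the list to a PCD), and drop the (CHAR16 *) cast on *FileName in the RootDir->Open call, which discards the CONST qualifier. The commit message also has no body explaining why these four names were chosen.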
@@ -248,10 +306,7 @@ DefineDefaultBootEntries (
&NrHandles, &Handles);
if (!EFI_ERROR (Status)) {
ASSERT (NrHandles > 0);
- BootDevicePath = FileDevicePath (Handles[0], L"Image");
- if (BootDevicePath == NULL) {
- Status = EFI_OUT_OF_RESOURCES;
- }
+ Status = FindCandidate (Handles[0], &BootDevicePath);
FreePool (Handles);
}
if (EFI_ERROR (Status)) {
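Review bot: the caller still passes only Handles[0] to FindCandidate(), so when the first ESP holds none of the candidate files the remaining handles are never probed and the result is EFI_NOT_FOUND. The ASSERT (NrHandles > 0) kept above the changed line is also redundant after a successful LocateHandleBuffer. Suggest looping over Handles until FindCandidate() succeeds.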
diff --git a/ArmPlatformPkg/Bds/Bds.inf b/ArmPlatformPkg/Bds/Bds.inf
index 78df86f..2d23f13 100644
--- a/ArmPlatformPkg/Bds/Bds.inf
+++ b/ArmPlatformPkg/Bds/Bds.inf
@@ -66,6 +66,7 @@
gEfiFirmwareVolumeBlock2ProtocolGuid
gEfiDhcp4ServiceBindingProtocolGuid
gEfiMtftp4ServiceBindingProtocolGuid
+ gEfiSimpleFileSystemProtocolGuid
[Pcd]
gArmPlatformTokenSpaceGuid.PcdFirmwareVendor
--
1.8.3.1
++++++ ovmf-0004-ArmPlatformPkg-ArmVirtualizationPkg-auto-detect-boot.patch ++++++
>From f17f9128d2c6d838cf913bdfc37edd4a0a6d9bb3 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek(a)redhat.com>
Date: Sun, 21 Sep 2014 23:16:14 +0200
Subject: [PATCH 4/9] ArmPlatformPkg/ArmVirtualizationPkg: auto-detect boot
path
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek(a)redhat.com>
---
ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc
index ce27b4d..068c732 100644
--- a/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc
+++ b/ArmPlatformPkg/ArmVirtualizationPkg/ArmVirtualizationQemu.dsc
@@ -123,9 +123,9 @@
#
# ARM OS Loader
#
- gArmPlatformTokenSpaceGuid.PcdDefaultBootDescription|L"Linux (EFI stub) on virtio31:hd0:part0"
- gArmPlatformTokenSpaceGuid.PcdDefaultBootDevicePath|L"VenHw(837DCA9E-E874-4D82-B29A-23FE0E23D1E2,003E000A00000000)/HD(1,MBR,0x00000000,0x3F,0x19FC0)/Image"
- gArmPlatformTokenSpaceGuid.PcdDefaultBootArgument|"root=/dev/vda2 console=ttyAMA0 earlycon uefi_debug"
+ gArmPlatformTokenSpaceGuid.PcdDefaultBootDescription|L"Linux from first ESP"
+ gArmPlatformTokenSpaceGuid.PcdDefaultBootDevicePath|L""
+ gArmPlatformTokenSpaceGuid.PcdDefaultBootArgument|""
gArmPlatformTokenSpaceGuid.PcdDefaultBootType|0
#
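Review bot: setting PcdDefaultBootDevicePath to L"" is what switches Bds to auto-detection, but nothing in the DSC says so. A comment above these three PCDs would stop someone from "fixing" the empty string later. Also, PcdDefaultBootArgument|"" drops the previous root= and console=ttyAMA0 arguments, so an EFI-stub kernel picked up as Image now starts with an empty command line. The commit message has no body, so please state there whether that is intended.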
--
1.8.3.1
++++++ ovmf-0005-ArmPlatformPkg-Bds-initialize-ConIn-ConOut-ErrOut-be.patch ++++++
>From e1b259925c0c4be3d26042b8e298ccb4b4ab9071 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek(a)redhat.com>
Date: Fri, 17 Oct 2014 01:06:38 +0200
Subject: [PATCH 5/9] ArmPlatformPkg/Bds: initialize ConIn/ConOut/ErrOut before
connecting terminals
In the following call tree:
BdsEntry()
DefineDefaultBootEntries()
BdsConnectAllDrivers()
InitializeConsole()
set ConIn/ConOut/ErrOut
BdsConnectAllDrivers() connects SerialDxe -> TerminalDxe -> ConPlatformDxe
-> ConSplitterDxe before InitializeConsole has a chance to set ConIn /
ConOut / ErrOut. This causes ConPlatformDxe, at very first boot, to filter
out TerminalDxe's STI and STO from the set that ConSplitterDxe
multiplexes, leaving the system without a terminal console.
Reorder InitializeConsole() with DefineDefaultBootEntries(), so that the
variables be always set when DefineDefaultBootEntries() calls
BdsConnectAllDrivers().
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek(a)redhat.com>
---
ArmPlatformPkg/Bds/Bds.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/ArmPlatformPkg/Bds/Bds.c b/ArmPlatformPkg/Bds/Bds.c
index b376433..a0ca7c4 100644
--- a/ArmPlatformPkg/Bds/Bds.c
+++ b/ArmPlatformPkg/Bds/Bds.c
@@ -616,9 +616,6 @@ BdsEntry (
0, NULL);
}
- // If Boot Order does not exist then create a default entry
- DefineDefaultBootEntries ();
-
// Now we need to setup the EFI System Table with information about the console devices.
InitializeConsole ();
@@ -629,6 +626,9 @@ BdsEntry (
Status = gBS->CalculateCrc32 ((VOID*)gST, gST->Hdr.HeaderSize, &gST->Hdr.CRC32);
ASSERT_EFI_ERROR (Status);
+ // If Boot Order does not exist then create a default entry
+ DefineDefaultBootEntries ();
+
// Timer before initiating the default boot selection
StartDefaultBootOnTimeout ();
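Review bot: the ordering constraint behind this move lives only in the commit message. The comment on the moved lines still reads "If Boot Order does not exist then create a default entry". Extend it to say that DefineDefaultBootEntries() may call BdsConnectAllDrivers() and therefore must run after InitializeConsole() has set ConIn/ConOut/ErrOut, so that a later reorder does not bring back the missing terminal console. The return status of DefineDefaultBootEntries () is also still discarded.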
--
1.8.3.1
++++++ ovmf-0006-ArmPlatformPkg-Bds-let-FindCandidate-search-all-file.patch ++++++
>From 6b23210afb7379b6db21a9e398cb11f23f4e04cf Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek(a)redhat.com>
Date: Thu, 13 Nov 2014 15:18:41 +0100
Subject: [PATCH 6/9] ArmPlatformPkg/Bds: let FindCandidate() search all
filesystems
Thus far FindCandidate() has looked only at the EFI System Partition that
was found first. Let's scan all handles with the ESP protocol instead, and
if we still can't find a boot option candidate, go through all FAT
filesystems as well. (The latter set will probably include the former set,
but that's no problem.)
This is motivated by the fact that PartitionDxe doesn't install the ESP
protocol for ElTorito (ie. CD-ROM) boot images, therefore FindCandidate()
was unable to find any candidates on CD-ROMs.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek(a)redhat.com>
---
ArmPlatformPkg/Bds/Bds.c | 51 ++++++++++++++++++++++++++++++++++++------------
1 file changed, 39 insertions(+), 12 deletions(-)
diff --git a/ArmPlatformPkg/Bds/Bds.c b/ArmPlatformPkg/Bds/Bds.c
index a0ca7c4..6f70483 100644
--- a/ArmPlatformPkg/Bds/Bds.c
+++ b/ArmPlatformPkg/Bds/Bds.c
@@ -214,7 +214,7 @@ InitializeConsole (
STATIC
EFI_STATUS
-FindCandidate (
+FindCandidateOnHandle (
IN EFI_HANDLE Handle,
OUT EFI_DEVICE_PATH **Candidate
)
@@ -269,6 +269,43 @@ CloseRoot:
return Status;
}
+
+STATIC
+EFI_STATUS
+FindCandidate (
+ OUT EFI_DEVICE_PATH **Candidate
+ )
+{
+ EFI_STATUS Status;
+ EFI_GUID * CONST *FilterGuid;
+ STATIC EFI_GUID * CONST FilterGuids[] = { &gEfiPartTypeSystemPartGuid,
+ &gEfiSimpleFileSystemProtocolGuid, NULL };
+
+ Status = EFI_NOT_FOUND;
+ FilterGuid = FilterGuids;
+ while (EFI_ERROR (Status) && *FilterGuid != NULL) {
+ UINTN NrHandles;
+ EFI_HANDLE *Handles;
+
+ Status = gBS->LocateHandleBuffer (ByProtocol, *FilterGuid,
+ NULL /* SearchKey */, &NrHandles, &Handles);
+ if (!EFI_ERROR (Status)) {
+ UINTN Idx;
+
+ Status = EFI_NOT_FOUND;
+ Idx = 0;
+ while (EFI_ERROR (Status) && Idx < NrHandles) {
+ Status = FindCandidateOnHandle (Handles[Idx], Candidate);
+ ++Idx;
+ }
+ FreePool (Handles);
+ }
+ ++FilterGuid;
+ }
+ return Status;
+}
+
+
EFI_STATUS
DefineDefaultBootEntries (
VOID
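Review bot: the new FindCandidate () has no header comment, and its contract is not obvious from the body. State that *Candidate is only meaningful on success, who frees it, and that ESP handles are tried before plain FAT filesystems. When LocateHandleBuffer () fails for the last GUID, its error code is what the caller sees, so the result is not always EFI_NOT_FOUND; document that or normalise it. The two index-driven while loops would read more easily as for loops with a break, and the second added blank line before DefineDefaultBootEntries can go.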
@@ -297,18 +334,8 @@ DefineDefaultBootEntries (
Status = gRT->GetVariable (L"BootOrder", &gEfiGlobalVariableGuid, NULL, &Size, NULL);
if (Status == EFI_NOT_FOUND) {
if ((PcdGetPtr(PcdDefaultBootDevicePath) == NULL) || (StrLen ((CHAR16*)PcdGetPtr(PcdDefaultBootDevicePath)) == 0)) {
- UINTN NrHandles;
- EFI_HANDLE *Handles;
-
BdsConnectAllDrivers();
- Status = gBS->LocateHandleBuffer (ByProtocol,
- &gEfiPartTypeSystemPartGuid, NULL /* SearchKey */,
- &NrHandles, &Handles);
- if (!EFI_ERROR (Status)) {
- ASSERT (NrHandles > 0);
- Status = FindCandidate (Handles[0], &BootDevicePath);
- FreePool (Handles);
- }
+ Status = FindCandidate (&BootDevicePath);
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "failed to auto-create default boot option: %r\n",
Status));
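Review bot: nothing in this hunk gives BootDevicePath a value when FindCandidate () fails; the error branch only logs. Initialise it to NULL at its declaration, or make sure nothing after the DEBUG () call reads it on the failure path. Dropping the ASSERT (NrHandles > 0) is fine now that the handle loop lives in FindCandidate ().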
--
1.8.3.1
++++++ ovmf-0007-ArmPlatformPkg-Bds-FindCandidateOnHandle-log-full-de.patch ++++++
>From 20938b307851edd71ec3ba16ae1d221e22686f76 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek(a)redhat.com>
Date: Thu, 13 Nov 2014 15:18:42 +0100
Subject: [PATCH 7/9] ArmPlatformPkg/Bds: FindCandidateOnHandle(): log full
device path
Since we scan several handles / devices now, log the full device path when
we find the candidate.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek(a)redhat.com>
---
ArmPlatformPkg/Bds/Bds.c | 10 +++++++++-
ArmPlatformPkg/Bds/Bds.inf | 1 +
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/ArmPlatformPkg/Bds/Bds.c b/ArmPlatformPkg/Bds/Bds.c
index 6f70483..545cc24 100644
--- a/ArmPlatformPkg/Bds/Bds.c
+++ b/ArmPlatformPkg/Bds/Bds.c
@@ -16,6 +16,7 @@
#include <Library/PcdLib.h>
#include <Library/PerformanceLib.h>
+#include <Library/DevicePathLib.h>
#include <Protocol/Bds.h>
#include <Protocol/SimpleFileSystem.h>
@@ -230,6 +231,7 @@ FindCandidateOnHandle (
L"\\EFI\\fedora\\grubaa64.efi",
NULL
};
+ CHAR16 *DevicePathString;
Status = gBS->HandleProtocol (Handle, &gEfiSimpleFileSystemProtocolGuid,
(VOID **) &FileSystem);
@@ -262,7 +264,13 @@ FindCandidateOnHandle (
goto CloseRoot;
}
- DEBUG ((EFI_D_INFO, "%a: found \"%s\"\n", __FUNCTION__, *FileName));
+ DevicePathString = ConvertDevicePathToText (*Candidate,
+ FALSE /* DisplayOnly */, FALSE /* AllowShortcuts */);
+ DEBUG ((EFI_D_INFO, "%a: found \"%s\"\n", __FUNCTION__,
+ DevicePathString == NULL ? *FileName : DevicePathString));
+ if (DevicePathString != NULL) {
+ FreePool (DevicePathString);
+ }
CloseRoot:
RootDir->Close (RootDir);
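Review bot: ConvertDevicePathToText () and the matching FreePool () run unconditionally, but their only consumer is the DEBUG () message, so builds where DEBUG () compiles to nothing still pay for the allocation. Wrap the conversion, the DEBUG () call and the free in DEBUG_CODE_BEGIN () / DEBUG_CODE_END (). The NULL fallback to *FileName is a good touch and should stay.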
diff --git a/ArmPlatformPkg/Bds/Bds.inf b/ArmPlatformPkg/Bds/Bds.inf
index 2d23f13..6f6e31c 100644
--- a/ArmPlatformPkg/Bds/Bds.inf
+++ b/ArmPlatformPkg/Bds/Bds.inf
@@ -48,6 +48,7 @@
PrintLib
BaseLib
NetLib
+ DevicePathLib
[Guids]
gEfiEndOfDxeEventGroupGuid
--
1.8.3.1
++++++ ovmf-0008-ArmPlatformPkg-Bds-fall-back-to-Boot-Menu-when-no-de.patch ++++++
>From 93e312a3ac46bbc97b89974bd1b4ea3bc0ae4382 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek(a)redhat.com>
Date: Fri, 21 Nov 2014 02:52:56 +0100
Subject: [PATCH 8/9] ArmPlatformPkg/Bds: fall back to Boot Menu when no
default option was found
The StartDefaultBootOnTimeout() function assumes that its predecessor
DefineDefaultBootEntries() sets up at least one default boot option,
unconditionally (even if that boot option can't actually be booted later).
With our FindCandidate() logic in place, this is no longer guaranteed. If
FindCandidate() fails, then StartDefaultBootOnTimeout() may dereference
the uninitialized BootOrder pointer.
Prevent this by checking the return value of
GetGlobalEnvironmentVariable(L"BootOrder"). And, if it's not found, don't
even start the countdown, just go straight to the boot menu.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek(a)redhat.com>
---
ArmPlatformPkg/Bds/Bds.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/ArmPlatformPkg/Bds/Bds.c b/ArmPlatformPkg/Bds/Bds.c
index 545cc24..31bcee0 100644
--- a/ArmPlatformPkg/Bds/Bds.c
+++ b/ArmPlatformPkg/Bds/Bds.c
@@ -475,6 +475,15 @@ StartDefaultBootOnTimeout (
EFI_STATUS Status;
EFI_INPUT_KEY Key;
+ Status = GetGlobalEnvironmentVariable (L"BootOrder", NULL, &BootOrderSize,
+ (VOID**)&BootOrder);
+ if (EFI_ERROR (Status)) {
+ //
+ // proceed to Boot Menu immediately
+ //
+ return Status;
+ }
+
Size = sizeof(UINT16);
Timeout = (UINT16)PcdGet16 (PcdPlatformBootTimeOut);
Status = GetGlobalEnvironmentVariable (L"Timeout", &Timeout, &Size, (VOID**)&TimeoutPtr);
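Review bot: the early `return Status;` hands the GetGlobalEnvironmentVariable () error to the caller, while the exit at the end of the function returns EFI_SUCCESS. Document in the function header that an error return means "no BootOrder, go to the boot menu", so callers do not treat it as fatal. BootOrderSize also comes straight from the variable store; a zero or odd size deserves a check before the `BootOrderSize / sizeof (UINT16)` loop uses it.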
@@ -511,9 +520,6 @@ StartDefaultBootOnTimeout (
// In case of Timeout we start the default boot selection
if (Timeout == 0) {
- // Get the Boot Option Order from the environment variable (a default value should have been created)
- GetGlobalEnvironmentVariable (L"BootOrder", NULL, &BootOrderSize, (VOID**)&BootOrder);
-
for (Index = 0; Index < BootOrderSize / sizeof (UINT16); Index++) {
UnicodeSPrint (BootVariableName, 9 * sizeof(CHAR16), L"Boot%04X", BootOrder[Index]);
Status = BdsStartBootOption (BootVariableName);
@@ -523,9 +529,10 @@ StartDefaultBootOnTimeout (
}
// In case of success, we should not return from this call.
}
- FreePool (BootOrder);
}
}
+
+ FreePool (BootOrder);
return EFI_SUCCESS;
}
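Review bot: BootOrder is now allocated at the top of the function and released only by this FreePool (), so any return between the two leaks it. The visible hunks show just the two exits; if the function has others, route them through a single exit label that frees BootOrder.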
--
1.8.3.1
++++++ ovmf-0009-ArmPlatformPkg-Bds-always-connect-drivers-before-loo.patch ++++++
>From c1a637498f7d0992004af328f3bf81731dcfe92e Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek(a)redhat.com>
Date: Fri, 21 Nov 2014 03:40:53 +0100
Subject: [PATCH 9/9] ArmPlatformPkg/Bds: always connect drivers before looking
at boot options
A long standing issue in ARM BDS has been that it can attempt to load a
preexistent, absolute devpath option without first connecting the
necessary drivers and devices, fail, and drop to the boot menu.
Connect drivers and devices unconditionally, before we look at anything
boot option related.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Laszlo Ersek <lersek(a)redhat.com>
---
ArmPlatformPkg/Bds/Bds.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ArmPlatformPkg/Bds/Bds.c b/ArmPlatformPkg/Bds/Bds.c
index 31bcee0..771bf11 100644
--- a/ArmPlatformPkg/Bds/Bds.c
+++ b/ArmPlatformPkg/Bds/Bds.c
@@ -342,7 +342,6 @@ DefineDefaultBootEntries (
Status = gRT->GetVariable (L"BootOrder", &gEfiGlobalVariableGuid, NULL, &Size, NULL);
if (Status == EFI_NOT_FOUND) {
if ((PcdGetPtr(PcdDefaultBootDevicePath) == NULL) || (StrLen ((CHAR16*)PcdGetPtr(PcdDefaultBootDevicePath)) == 0)) {
- BdsConnectAllDrivers();
Status = FindCandidate (&BootDevicePath);
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "failed to auto-create default boot option: %r\n",
@@ -668,6 +667,8 @@ BdsEntry (
Status = gBS->CalculateCrc32 ((VOID*)gST, gST->Hdr.HeaderSize, &gST->Hdr.CRC32);
ASSERT_EFI_ERROR (Status);
+ BdsConnectAllDrivers();
+
// If Boot Order does not exist then create a default entry
DefineDefaultBootEntries ();
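Review bot: BdsConnectAllDrivers () is now called on every boot and its result is ignored. If it returns a status, check or at least log it, and mention in the commit message that boots with a valid BootOrder now pay the full connect cost too, since that is a behaviour change beyond the bug being fixed.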
--
1.8.3.1
++++++ ovmf-0010-avoid-potentially-uninitialized-variable.diff ++++++
>From 6b3d00f41e511c9e626ab6269c929d0f4f585cf5 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel <ludwig.nussel(a)suse.de>
Date: Fri, 6 Feb 2015 10:34:30 +0100
Subject: [PATCH 10/10] avoid potentially uninitialized variable
---
ArmPlatformPkg/Bds/Bds.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ArmPlatformPkg/Bds/Bds.c b/ArmPlatformPkg/Bds/Bds.c
index 771bf11..6fa0dd0 100644
--- a/ArmPlatformPkg/Bds/Bds.c
+++ b/ArmPlatformPkg/Bds/Bds.c
@@ -323,7 +323,7 @@ DefineDefaultBootEntries (
UINTN Size;
EFI_STATUS Status;
EFI_DEVICE_PATH_FROM_TEXT_PROTOCOL* EfiDevicePathFromTextProtocol;
- EFI_DEVICE_PATH* BootDevicePath;
+ EFI_DEVICE_PATH* BootDevicePath = NULL;
UINT8* OptionalData;
UINTN OptionalDataSize;
ARM_BDS_LOADER_ARGUMENTS* BootArguments;
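Review bot: the commit message does not say which path leaves BootDevicePath unset. Initialising it to NULL quiets the compiler, but add a line to the message or a comment naming that path, and check that the code consuming BootDevicePath tolerates NULL, so an uninitialized read is not traded for a NULL dereference.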
--
2.2.2
++++++ ovmf-embed-default-keys.patch ++++++
>From 718b2183d898df8ca9becb2e5945cdb53c4fd310 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin(a)suse.com>
Date: Fri, 10 May 2013 10:27:51 +0800
Subject: [PATCH 1/2] Add a stub to allow keys to be embedded at build time
Signed-off-by: Gary Ching-Pang Lin <glin(a)suse.com>
---
.../VariableAuthenticated/RuntimeDxe/AuthService.c | 173 +++++++++++++++++++++
.../VariableAuthenticated/RuntimeDxe/Default_DB.h | 2 +
.../VariableAuthenticated/RuntimeDxe/Default_KEK.h | 2 +
.../VariableAuthenticated/RuntimeDxe/Default_PK.h | 2 +
.../RuntimeDxe/VariableRuntimeDxe.inf | 3 +
5 files changed, 182 insertions(+)
create mode 100644 SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DB.h
create mode 100644 SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_KEK.h
create mode 100644 SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_PK.h
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
index 1e9e190..03c8e26 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
@@ -32,6 +32,9 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include "Variable.h"
#include "AuthService.h"
+#include "Default_PK.h"
+#include "Default_KEK.h"
+#include "Default_DB.h"
///
/// Global database array for scratch
@@ -145,6 +148,11 @@ AutenticatedVariableServiceInitialize (
UINT8 SecureBootEnable;
UINT8 CustomMode;
UINT32 ListSize;
+ EFI_SIGNATURE_LIST *SigCert;
+ EFI_SIGNATURE_DATA *SigCertData;
+ UINTN SigSize;
+ EFI_GUID *SignatureGUID;
+ UINT32 Attr;
//
// Initialize hash context.
@@ -155,6 +163,171 @@ AutenticatedVariableServiceInitialize (
return EFI_OUT_OF_RESOURCES;
}
+ //****
+ // Create signature list for PK KEK DB
+ Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS |
+ EFI_VARIABLE_BOOTSERVICE_ACCESS |
+ EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS;
+
+ // PK
+ if (Default_PK == NULL)
+ goto SKIP_KEYS;
+
+ SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID));
+ if (SignatureGUID == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_PK_len;
+ Data = AllocateZeroPool (SigSize);
+ if (Data == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ SigCert = (EFI_SIGNATURE_LIST*) Data;
+ SigCert->SignatureListSize = (UINT32) SigSize;
+ SigCert->SignatureHeaderSize = 0;
+ SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_PK_len);
+ CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);
+
+ SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST));
+ CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
+ CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_PK, Default_PK_len);
+
+ Status = FindVariable (
+ EFI_PLATFORM_KEY_NAME,
+ &gEfiGlobalVariableGuid,
+ &Variable,
+ &mVariableModuleGlobal->VariableGlobal,
+ FALSE
+ );
+ if (Variable.CurrPtr == NULL) {
+ Status = UpdateVariable (
+ EFI_PLATFORM_KEY_NAME,
+ &gEfiGlobalVariableGuid,
+ Data,
+ SigSize,
+ Attr,
+ 0,
+ 0,
+ &Variable,
+ NULL
+ );
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+ }
+
+ FreePool(SignatureGUID);
+ FreePool(Data);
+
+ // KEK
+ if (Default_KEK == NULL)
+ goto SKIP_KEYS;
+
+ SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID));
+ if (SignatureGUID == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_KEK_len;
+ Data = AllocateZeroPool (SigSize);
+ if (Data == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ SigCert = (EFI_SIGNATURE_LIST*) Data;
+ SigCert->SignatureListSize = (UINT32) SigSize;
+ SigCert->SignatureHeaderSize = 0;
+ SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_KEK_len);
+ CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);
+
+ SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST));
+ CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
+ CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_KEK, Default_KEK_len);
+
+ Status = FindVariable (
+ EFI_KEY_EXCHANGE_KEY_NAME,
+ &gEfiGlobalVariableGuid,
+ &Variable,
+ &mVariableModuleGlobal->VariableGlobal,
+ FALSE
+ );
+ if (Variable.CurrPtr == NULL) {
+ Status = UpdateVariable (
+ EFI_KEY_EXCHANGE_KEY_NAME,
+ &gEfiGlobalVariableGuid,
+ Data,
+ SigSize,
+ Attr,
+ 0,
+ 0,
+ &Variable,
+ NULL
+ );
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+ }
+
+ FreePool(SignatureGUID);
+ FreePool(Data);
+
+ // DB
+ if (Default_DB == NULL)
+ goto SKIP_KEYS;
+
+ SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID));
+ if (SignatureGUID == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len;
+ Data = AllocateZeroPool (SigSize);
+ if (Data == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ SigCert = (EFI_SIGNATURE_LIST*) Data;
+ SigCert->SignatureListSize = (UINT32) SigSize;
+ SigCert->SignatureHeaderSize = 0;
+ SigCert->SignatureSize = (UINT32) (sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len);
+ CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);
+
+ SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST));
+ CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
+ CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_DB, Default_DB_len);
+
+ Status = FindVariable (
+ EFI_IMAGE_SECURITY_DATABASE,
+ &gEfiImageSecurityDatabaseGuid,
+ &Variable,
+ &mVariableModuleGlobal->VariableGlobal,
+ FALSE
+ );
+ if (Variable.CurrPtr == NULL) {
+ Status = UpdateVariable (
+ EFI_IMAGE_SECURITY_DATABASE,
+ &gEfiImageSecurityDatabaseGuid,
+ Data,
+ SigSize,
+ Attr,
+ 0,
+ 0,
+ &Variable,
+ NULL
+ );
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+ }
+
+ FreePool(SignatureGUID);
+ FreePool(Data);
+
+SKIP_KEYS:
+ //****
+
//
// Reserve runtime buffer for public key database. The size excludes variable header and name size.
//
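Review bot: the error returns in the PK, KEK and DB blocks leak. When AllocateZeroPool (SigSize) fails, SignatureGUID is not freed, and when UpdateVariable () fails, neither SignatureGUID nor Data is freed before `return Status;`. SignatureGUID is only ever an all-zero GUID fed to CopyGuid (), so a zeroed local EFI_GUID removes one allocation and one failure path per block. The three blocks differ only in variable name, vendor GUID and key buffer; a helper taking those as parameters would remove about 100 duplicated lines. Also document the goto chain: a NULL Default_PK skips KEK and DB as well, and the FindVariable () status is never examined, only Variable.CurrPtr.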
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DB.h b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DB.h
new file mode 100644
index 0000000..4d13894
--- /dev/null
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DB.h
@@ -0,0 +1,2 @@
+unsigned char *Default_DB = NULL;
+unsigned int Default_DB_len = 0;
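Review bot: Default_DB and Default_DB_len are defined, not just declared, in a header and without static, so a second translation unit including this file would produce duplicate symbols. Mark them STATIC or move the definitions into a .c file, and use the edk2 types (UINT8 *, UINT32) instead of unsigned char * and unsigned int. The same applies to Default_KEK.h and Default_PK.h.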
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_KEK.h b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_KEK.h
new file mode 100644
index 0000000..80883de
--- /dev/null
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_KEK.h
@@ -0,0 +1,2 @@
+unsigned char *Default_KEK = NULL;
+unsigned int Default_KEK_len = 0;
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_PK.h b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_PK.h
new file mode 100644
index 0000000..23b90e4
--- /dev/null
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_PK.h
@@ -0,0 +1,2 @@
+unsigned char *Default_PK = NULL;
+unsigned int Default_PK_len = 0;
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
index cbf7da0..e4ec2e0 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
@@ -45,6 +45,9 @@
AuthService.h
Measurement.c
VarCheck.c
+ Default_PK.h
+ Default_KEK.h
+ Default_DB.h
[Packages]
MdePkg/MdePkg.dec
--
2.1.4
>From cc0bdc4ec72c751f0a6f3925ab5ffd6ada6cd8a8 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin(a)suse.com>
Date: Wed, 22 Apr 2015 16:20:54 +0800
Subject: [PATCH 2/2] Add a stub to set the default dbx
Signed-off-by: Gary Ching-Pang Lin <glin(a)suse.com>
---
.../VariableAuthenticated/RuntimeDxe/AuthService.c | 29 ++++++++++++++++++++++
.../VariableAuthenticated/RuntimeDxe/Default_DBX.h | 2 ++
.../RuntimeDxe/VariableRuntimeDxe.inf | 1 +
3 files changed, 32 insertions(+)
create mode 100644 SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DBX.h
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
index 03c8e26..56bfda4 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c
@@ -35,6 +35,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include "Default_PK.h"
#include "Default_KEK.h"
#include "Default_DB.h"
+#include "Default_DBX.h"
///
/// Global database array for scratch
@@ -325,6 +326,34 @@ AutenticatedVariableServiceInitialize (
FreePool(SignatureGUID);
FreePool(Data);
+ // DBX
+ if (Default_DBX == NULL)
+ goto SKIP_KEYS;
+
+ Status = FindVariable (
+ EFI_IMAGE_SECURITY_DATABASE1,
+ &gEfiImageSecurityDatabaseGuid,
+ &Variable,
+ &mVariableModuleGlobal->VariableGlobal,
+ FALSE
+ );
+ if (Variable.CurrPtr == NULL) {
+ Status = UpdateVariable (
+ EFI_IMAGE_SECURITY_DATABASE1,
+ &gEfiImageSecurityDatabaseGuid,
+ Default_DBX,
+ Default_DBX_len,
+ Attr,
+ 0,
+ 0,
+ &Variable,
+ NULL
+ );
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+ }
+
SKIP_KEYS:
//****
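Review bot: Default_DBX is written verbatim with Default_DBX_len, unlike PK, KEK and DB, which are wrapped in an EFI_SIGNATURE_LIST first. Nothing checks that the blob is a well-formed signature list or that the length is non-zero. Add a sanity check on the length and the SignatureListSize fields before calling UpdateVariable (), and state the expected format in Default_DBX.h. Because this block sits after the earlier `goto SKIP_KEYS` tests, the dbx is only installed when PK, KEK and DB are all embedded; if a revocation list should apply on its own, it must not depend on them.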
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DBX.h b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DBX.h
new file mode 100644
index 0000000..5fd3cdc
--- /dev/null
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Default_DBX.h
@@ -0,0 +1,2 @@
+unsigned char *Default_DBX = NULL;
+unsigned int Default_DBX_len = 0;
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
index e4ec2e0..b390d0b 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf
@@ -48,6 +48,7 @@
Default_PK.h
Default_KEK.h
Default_DB.h
+ Default_DBX.h
[Packages]
MdePkg/MdePkg.dec
--
2.1.4
++++++ ovmf-gdb-symbols.patch ++++++
diff --git a/DebugPkg/DebugPkg.dec b/DebugPkg/DebugPkg.dec
new file mode 100644
index 0000000..e12401d
--- /dev/null
+++ b/DebugPkg/DebugPkg.dec
@@ -0,0 +1,34 @@
+## @file
+# Debug package - various useful stuff for debugging.
+#
+# Copyright (c) 2006 - 2011, Andrei Warkentin <andreiw(a)motorola.com>
+#
+# This program and the accompanying materials
+# are licensed and made available under the terms and conditions of the BSD License
+# which accompanies this distribution. The full text of the license may be found at
+# http://opensource.org/licenses/bsd-license.php
+#
+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+#
+##
+
+[Defines]
+ DEC_VERSION = 0x00010005
+ PACKAGE_NAME = DebugPkg
+ PACKAGE_GUID = 2d234f34-50e5-4b9d-b8e3-5562334d87e5
+ PACKAGE_VERSION = 0.1
+
+[Includes]
+ Include
+
+[Guids]
+
+[Protocols]
+
+[PcdsFixedAtBuild]
+
+[PcdsDynamic]
+
+[LibraryClasses]
+
diff --git a/DebugPkg/GdbSyms/GdbSyms.c b/DebugPkg/GdbSyms/GdbSyms.c
new file mode 100644
index 0000000..2551dfa
--- /dev/null
+++ b/DebugPkg/GdbSyms/GdbSyms.c
@@ -0,0 +1,70 @@
+/** @file
+
+ Bare-minimum GDB symbols needed for reloading symbols.
+
+ This is not a "driver" and should not be placed in a FD.
+
+ Copyright (c) 2011, Andrei Warkentin <andreiw(a)motorola.com>
+
+ This program and the accompanying materials
+ are licensed and made available under the terms and conditions of the BSD License
+ which accompanies this distribution. The full text of the license may be found at
+ http://opensource.org/licenses/bsd-license.php
+ THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include "PiDxe.h"
+
+#include <Library/UefiLib.h>
+#include <Library/UefiDriverEntryPoint.h>
+#include <Library/BaseLib.h>
+#include <Library/UefiRuntimeLib.h>
+#include <Library/DebugLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/DevicePathLib.h>
+#include <Library/PcdLib.h>
+#include <Guid/DebugImageInfoTable.h>
+
+/**
+ Main entry point.
+
+ @param[in] ImageHandle The firmware allocated handle for the EFI image.
+ @param[in] SystemTable A pointer to the EFI System Table.
+
+ @retval EFI_SUCCESS Successfully initialized.
+
+**/
+EFI_STATUS
+EFIAPI
+Initialize (
+ IN EFI_HANDLE ImageHandle,
+ IN EFI_SYSTEM_TABLE *SystemTable
+ )
+{
+ EFI_SYSTEM_TABLE_POINTER ESTP;
+ EFI_DEBUG_IMAGE_INFO_TABLE_HEADER EDIITH;
+ EFI_IMAGE_DOS_HEADER EIDH;
+ EFI_IMAGE_OPTIONAL_HEADER_UNION EIOHU;
+ EFI_IMAGE_DEBUG_DIRECTORY_ENTRY EIDDE;
+ EFI_IMAGE_DEBUG_CODEVIEW_NB10_ENTRY EIDCNE;
+ EFI_IMAGE_DEBUG_CODEVIEW_RSDS_ENTRY EIDCRE;
+ EFI_IMAGE_DEBUG_CODEVIEW_MTOC_ENTRY EIDCME;
+ UINTN Dummy =
+ (UINTN) &ESTP |
+ (UINTN) &EDIITH |
+ (UINTN) &EIDH |
+ (UINTN) &EIOHU |
+ (UINTN) &EIDDE |
+ (UINTN) &EIDCNE |
+ (UINTN) &EIDCRE |
+ (UINTN) &EIDCME |
+ 1
+ ;
+ return !!Dummy & EFI_SUCCESS;
+}
+
+
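Review bot: the body of Initialize () needs a comment. As I read it, the eight locals exist only to pull their type definitions into the debug info, and OR-ing their addresses into Dummy keeps the compiler from discarding them; `return !!Dummy & EFI_SUCCESS;` then always evaluates to EFI_SUCCESS. Say so in the code, and prefer a plain `return EFI_SUCCESS;` after a use of Dummy that the compiler cannot drop.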
diff --git a/DebugPkg/GdbSyms/GdbSyms.inf b/DebugPkg/GdbSyms/GdbSyms.inf
new file mode 100644
index 0000000..afb7887
--- /dev/null
+++ b/DebugPkg/GdbSyms/GdbSyms.inf
@@ -0,0 +1,57 @@
+## @file
+#
+# Bare-minimum GDB symbols needed for reloading symbols.
+#
+# This is not a "driver" and should not be placed in a FD.
+#
+# Copyright (c) 2011, Andrei Warkentin <andreiw(a)motorola.com>
+#
+# This program and the accompanying materials
+# are licensed and made available under the terms and conditions of the BSD License
+# which accompanies this distribution. The full text of the license may be found at
+# http://opensource.org/licenses/bsd-license.php
+# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = GdbSyms
+ FILE_GUID = 22abcb60-fb40-42ac-b01f-3ab1fad9aad8
+ MODULE_TYPE = DXE_DRIVER
+ VERSION_STRING = 1.0
+ ENTRY_POINT = Initialize
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64 IPF EBC ARM
+#
+
+[Sources]
+ GdbSyms.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+
+[LibraryClasses]
+ BaseLib
+ BaseMemoryLib
+ DebugLib
+ DxeServicesTableLib
+ HobLib
+ MemoryAllocationLib
+ PcdLib
+ UefiBootServicesTableLib
+ UefiDriverEntryPoint
+ UefiLib
+
+[Guids]
+
+[Protocols]
+
+[Depex]
+ TRUE
+
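Review bot: [LibraryClasses] does not match what GdbSyms.c includes. DxeServicesTableLib and HobLib are listed but no header for them is included, while the source includes Library/DevicePathLib.h and Library/UefiRuntimeLib.h without a matching entry. Since the module only needs type definitions, trim both lists to the minimum it actually uses.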
diff --git a/DebugPkg/Scripts/gdb_uefi.py b/DebugPkg/Scripts/gdb_uefi.py
new file mode 100644
index 0000000..3db87a4
--- /dev/null
+++ b/DebugPkg/Scripts/gdb_uefi.py
@@ -0,0 +1,350 @@
+"""
+Allows loading TianoCore symbols into a GDB session attached to EFI
+Firmware.
+
+This is how it works: build GdbSyms - it's a dummy binary that
+contains the relevant symbols needed to find and load image symbols.
+
+$ gdb
+(gdb) taget remote ....
+(gdb) source Scripts/gdb_uefi.py
+(gdb) reload-uefi -o /path/to/GdbSyms.dll
+
+The -o option should be used if you've debugging EFI, where the PE
+images were converted from MACH-O or ELF binaries.
+
+"""
+
+import array
+import getopt
+import binascii
+import re
+
+__license__ = "BSD"
+__version = "1.0.0"
+__maintainer__ = "Andrei Warkentin"
+__email__ = "andrey.warkentin(a)gmail.com"
+__status__ = "Works"
+
+class ReloadUefi (gdb.Command):
+ """Reload UEFI symbols"""
+
+ #
+ # Various constants.
+ #
+
+ EINVAL = 0xffffffff
+ CV_NB10 = 0x3031424E
+ CV_RSDS = 0x53445352
+ CV_MTOC = 0x434F544D
+ DOS_MAGIC = 0x5A4D
+ PE32PLUS_MAGIC = 0x20b
+ EST_SIGNATURE = 0x5453595320494249L
+ DEBUG_GUID = [0x49152E77, 0x1ADA, 0x4764,
+ [0xB7,0xA2,0x7A,0xFE,
+ 0xFE,0xD9,0x5E, 0x8B]]
+ DEBUG_IS_UPDATING = 0x1
+
+ #
+ # If the images were built as ELF/MACH-O and then converted to PE,
+ # then the base address needs to be offset by PE headers.
+ #
+
+ offset_by_headers = False
+
+ def __init__ (self):
+ super (ReloadUefi, self).__init__ ("reload-uefi", gdb.COMMAND_OBSCURE)
+
+ #
+ # Returns gdb.Type for a type.
+ #
+
+ def type (self, typename):
+ return gdb.lookup_type (typename)
+
+ #
+ # Returns gdb.Type for a pointer to a type.
+ #
+
+ def ptype (self, typename):
+ return gdb.lookup_type (typename).pointer ()
+
+ #
+ # Computes CRC32 on an array of data.
+ #
+
+ def crc32 (self, data):
+ return binascii.crc32 (data) & 0xFFFFFFFF
+
+ #
+ # Sets a field in a struct to a value, i.e.
+ # value->field_name = data.
+ #
+ # Newer Py bindings to Gdb provide access to the inferior
+ # memory, but not all, so have to do it this awkward way.
+ #
+
+ def set_field (self, value, field_name, data):
+ gdb.execute ("set *(%s *) 0x%x = 0x%x" % \
+ (str (value[field_name].type), \
+ long (value[field_name].address), \
+ data))
+
+ #
+ # Returns data backing a gdb.Value as an array.
+ # Same comment as above regarding newer Py bindings...
+ #
+
+ def value_data (self, value, bytes=0):
+ value_address = gdb.Value (value.address)
+ array_t = self.ptype ('UINT8')
+ value_array = value_address.cast (array_t)
+ if bytes == 0:
+ bytes = value.type.sizeof
+ data = array.array ('B')
+ for i in range (0, bytes):
+ data.append (value_array[i])
+ return data
+
+ #
+ # Locates the EFI_SYSTEM_TABLE as per UEFI spec 17.4.
+ # Returns base address or -1.
+ #
+
+ def search_est (self):
+ address = 0
+ estp_t = self.ptype ('EFI_SYSTEM_TABLE_POINTER')
+ while True:
+ estp = gdb.Value(address).cast(estp_t)
+ if estp['Signature'] == self.EST_SIGNATURE:
+ oldcrc = long (estp['Crc32'])
+ self.set_field (estp, 'Crc32', 0)
+ newcrc = self.crc32 (self.value_data (estp.dereference (), 0))
+ self.set_field (estp, 'Crc32', long (oldcrc))
+ if newcrc == oldcrc:
+ return estp['EfiSystemTableBase']
+
+ address = address + 4*1024*1024
+ if long (address) == 0:
+ return gdb.Value(self.EINVAL)
+
+ #
+ # Searches for a vendor-specific configuration table (in EST),
+ # given a vendor-specific table GUID. GUID is a list like -
+ # [32-bit, 16-bit, 16-bit, [8 bytes]]
+ #
+
+ def search_config (self, cfg_table, count, guid):
+ index = 0
+ while index != count:
+ cfg_entry = cfg_table[index]['VendorGuid']
+ if cfg_entry['Data1'] == guid[0] and \
+ cfg_entry['Data2'] == guid[1] and \
+ cfg_entry['Data3'] == guid[2] and \
+ self.value_data (cfg_entry['Data4']).tolist () == guid[3]:
+ return cfg_table[index]['VendorTable']
+ index = index + 1
+ return gdb.Value(self.EINVAL)
+
+ #
+ # Returns a UTF16 string corresponding to a (CHAR16 *) value in EFI.
+ #
+
+ def parse_utf16 (self, value):
+ index = 0
+ data = array.array ('H')
+ while value[index] != 0:
+ data.append (value[index])
+ index = index + 1
+ return data.tostring ().decode ('utf-16')
+
+ #
+ # Returns offset of a field within structure. Useful
+ # for getting container of a structure.
+ #
+
+ def offsetof (self, typename, field):
+ t = gdb.Value (0).cast (self.ptype (typename))
+ return long (t[field].address)
+
+ #
+ # Returns sizeof of a type.
+ #
+
+ def sizeof (self, typename):
+ return self.type (typename).sizeof
+
+ #
+ # Returns the EFI_IMAGE_NT_HEADERS32 pointer, given
+ # an ImageBase address as a gdb.Value.
+ #
+
+ def pe_headers (self, imagebase):
+ dosh_t = self.ptype ('EFI_IMAGE_DOS_HEADER')
+ head_t = self.ptype ('EFI_IMAGE_OPTIONAL_HEADER_UNION')
+ dosh = imagebase.cast(dosh_t)
+ h_addr = imagebase
+ if dosh['e_magic'] == self.DOS_MAGIC:
+ h_addr = h_addr + dosh['e_lfanew']
+ return gdb.Value(h_addr).cast (head_t)
+
+ #
+ # Returns True if pe_headers refer to a PE32+ image.
+ #
+
+ def pe_is_64 (self, pe_headers):
+ if pe_headers['Pe32']['OptionalHeader']['Magic'] == self.PE32PLUS_MAGIC:
+ return True
+ return False
+
+ #
+ # Returns the PE (not so) optional header.
+ #
+
+ def pe_optional (self, pe):
+ if self.pe_is_64 (pe):
+ return pe['Pe32Plus']['OptionalHeader']
+ else:
+ return pe['Pe32']['OptionalHeader']
+
+ #
+ # Returns the symbol file name for a PE image.
+ #
+
+ def pe_parse_debug (self, pe):
+ opt = self.pe_optional (pe)
+ debug_dir_entry = opt['DataDirectory'][6]
+ dep = debug_dir_entry['VirtualAddress'] + opt['ImageBase']
+ dep = dep.cast (self.ptype ('EFI_IMAGE_DEBUG_DIRECTORY_ENTRY'))
+ cvp = dep.dereference ()['RVA'] + opt['ImageBase']
+ cvv = cvp.cast(self.ptype ('UINT32')).dereference ()
+ if cvv == self.CV_NB10:
+ return cvp + self.sizeof('EFI_IMAGE_DEBUG_CODEVIEW_NB10_ENTRY')
+ elif cvv == self.CV_RSDS:
+ return cvp + self.sizeof('EFI_IMAGE_DEBUG_CODEVIEW_RSDS_ENTRY')
+ elif cvv == self.CV_MTOC:
+ return cvp + self.sizeof('EFI_IMAGE_DEBUG_CODEVIEW_MTOC_ENTRY')
+ return gdb.Value(self.EINVAL)
+
+ #
+ # Parses an EFI_LOADED_IMAGE_PROTOCOL, figuring out the symbol file name.
+ # This file name is then appended to list of loaded symbols.
+ #
+ # TBD: Support TE images.
+ #
+
+ def parse_image (self, image, syms):
+ base = image['ImageBase']
+ pe = self.pe_headers (base)
+ opt = self.pe_optional (pe)
+ sym_name = self.pe_parse_debug (pe)
+
+ # For ELF and Mach-O-derived images...
+ if self.offset_by_headers:
+ base = base + opt['SizeOfHeaders']
+ if sym_name != self.EINVAL:
+ sym_name = sym_name.cast (self.ptype('CHAR8')).string ()
+ sym_name = re.sub(r"\.dll$", ".debug", sym_name)
+ syms.append ("add-symbol-file %s 0x%x" % \
+ (sym_name,
+ long (base)))
+
+ #
+ # Parses table EFI_DEBUG_IMAGE_INFO structures, builds
+ # a list of add-symbol-file commands, and reloads debugger
+ # symbols.
+ #
+
+ def parse_edii (self, edii, count):
+ index = 0
+ syms = []
+ while index != count:
+ entry = edii[index]
+ if entry['ImageInfoType'].dereference () == 1:
+ entry = entry['NormalImage']
+ self.parse_image(entry['LoadedImageProtocolInstance'], syms)
+ else:
+ print "Skipping unknown EFI_DEBUG_IMAGE_INFO (Type 0x%x)" % \
+ entry['ImageInfoType'].dereference ()
+ index = index + 1
+ gdb.execute ("symbol-file")
+ print "Loading new symbols..."
+ for sym in syms:
+ print sym
+ gdb.execute (sym)
+
+ #
+ # Parses EFI_DEBUG_IMAGE_INFO_TABLE_HEADER, in order to load
+ # image symbols.
+ #
+
+ def parse_dh (self, dh):
+ dh_t = self.ptype ('EFI_DEBUG_IMAGE_INFO_TABLE_HEADER')
+ dh = dh.cast (dh_t)
+ print "DebugImageInfoTable @ 0x%x, 0x%x entries" \
+ % (long (dh['EfiDebugImageInfoTable']), dh['TableSize'])
+ if dh['UpdateStatus'] & self.DEBUG_IS_UPDATING:
+ print "EfiDebugImageInfoTable update in progress, retry later"
+ return
+ self.parse_edii (dh['EfiDebugImageInfoTable'], dh['TableSize'])
+
+ #
+ # Parses EFI_SYSTEM_TABLE, in order to load image symbols.
+ #
+
+ def parse_est (self, est):
+ est_t = self.ptype ('EFI_SYSTEM_TABLE')
+ est = est.cast (est_t)
+ print "Connected to %s (Rev. 0x%x)" % \
+ (self.parse_utf16 (est['FirmwareVendor']), \
+ long (est['FirmwareRevision']))
+ print "ConfigurationTable @ 0x%x, 0x%x entries" \
+ % (long (est['ConfigurationTable']), est['NumberOfTableEntries'])
+
+ dh = self.search_config(est['ConfigurationTable'],
+ est['NumberOfTableEntries'],
+ self.DEBUG_GUID)
+ if dh == self.EINVAL:
+ print "No EFI_DEBUG_IMAGE_INFO_TABLE_HEADER"
+ return
+ self.parse_dh (dh)
+
+ #
+ # Usage information.
+ #
+
+ def usage (self):
+ print "Usage: reload-uefi [-o] /path/to/GdbSyms.dll"
+
+ #
+ # Handler for reload-uefi.
+ #
+
+ def invoke (self, arg, from_tty):
+ args = arg.split(' ')
+ try:
+ opts, args = getopt.getopt(args, "o", ["offset-by-headers"])
+ except getopt.GetoptError, err:
+ self.usage ()
+ return
+ for opt, arg in opts:
+ if opt == "-o":
+ self.offset_by_headers = True
+
+ if len(args) < 1:
+ self.usage ()
+ return
+
+ gdb.execute ("symbol-file")
+ gdb.execute ("symbol-file %s" % args[0])
+ est = self.search_est ()
+ if est == self.EINVAL:
+ print "No EFI_SYSTEM_TABLE..."
+ return
+
+ print "EFI_SYSTEM_TABLE @ 0x%x" % est
+ self.parse_est (est)
+
+ReloadUefi ()
+
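Review bot: in invoke, self.offset_by_headers is only ever set to True when -o is given and is not cleared in these lines, so unless it is reset elsewhere a later reload-uefi without -o in the same gdb session keeps offsetting by headers; assign it from the parsed options on every call. The same handler splits the argument on single spaces and interpolates args[0] into "symbol-file %s" unquoted, so a GdbSyms.dll path containing a space fails, and the caught GetoptError is discarded where printing err would tell the user which option was rejected.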
+
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index 66459c2..320ffe8 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -567,3 +567,4 @@
!endif
OvmfPkg/PlatformDxe/Platform.inf
+ DebugPkg/GdbSyms/GdbSyms.inf
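Review bot: DebugPkg/GdbSyms/GdbSyms.inf is added after the !endif with no condition of its own, so as far as this hunk shows the debug-symbol helper is built into every X64 image rather than only debug builds; consider wrapping it in an !if on a debug build define.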
++++++ ovmf-rpmlintrc ++++++
addFilter("unstripped-binary-or-object /usr/lib/debug/*")
addFilter("statically-linked-binary /usr/lib/debug/*")
addFilter("executable-stack /usr/lib/debug/*")
++++++ strip_authinfo.pl ++++++
#!/usr/bin/perl
use strict;
use FileHandle;
if ($#ARGV != 1) {
print "Usage: stripe_authinfo <variable with AuthInfo> <stripped binary>\n";
exit;
}
my $file_in = $ARGV[0];
my $file_out = $ARGV[1];
sub read_file($)
{
my ($file) = @_;
my $contents;
my $len;
open(FD, "<$file") || die $file;
binmode FD;
my @st = stat(FD);
die $file if (!@st);
$len = read(FD, $contents, $st[7]) || die $file;
close(FD) || die $file;
die "$file: Wanted length ", $st[7], ", got ", $len, "\n"
if ($len != $st[7]);
return $contents;
}
my $authvar = read_file($file_in);
my $authvar_len = length($authvar);
# Skip the first 16 bytes (EFI_TIME) and check the following 8 bytes
#
# WIN_CERTIFICATE (8 bytes)
# UINT32 dwLength
# UINT16 wRevision 0x0200
# UINT16 wCertificateType 0x0EF0 to 0x0EFF
my($dwLength, $wRevision, $wCertificateType) = unpack("VSS", substr($authvar, 16, 8));
# check the contents
die "invalid certificate length" if ($dwLength > $authvar_len);
die "invalid Revision" if ($wRevision != 0x200);
die "invalid certificate type"
if ($wCertificateType != 0x0EF0 && $wCertificateType != 0x0EF1 && $wCertificateType != 0x0002);
my $skip = $dwLength + 16;
open(FD, ">$file_out") || die $file_out;
binmode FD;
print FD substr($authvar, $skip, $authvar_len - $skip);
close FD || die $file_out;
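Review bot: the length check $dwLength > $authvar_len ignores the 16-byte EFI_TIME prefix the certificate sits behind, so a dwLength between $authvar_len - 16 and $authvar_len passes and $skip then points past the end of the buffer; compare $dwLength + 16 against $authvar_len, and reject inputs shorter than 24 bytes before the unpack. The template "VSS" mixes little-endian V with native-endian S, where "Vvv" would read the two UINT16 fields the same way on any host. Also, close FD || die $file_out binds as close(FD || die ...), so a failed close on the output file goes unreported; write close(FD) || die as read_file does.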
Hello community,
here is the log from the commit of package krb5 for openSUSE:Factory checked in at 2015-05-29 11:44:23
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/krb5 (Old)
and /work/SRC/openSUSE:Factory/.krb5.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "krb5"
Changes:
--------
--- /work/SRC/openSUSE:Factory/krb5/krb5-mini.changes 2015-02-22 17:23:32.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5-mini.changes 2015-05-29 11:44:24.000000000 +0200
@@ -1,0 +2,59 @@
+Thu May 28 08:01:00 UTC 2015 - dimstar(a)opensuse.org
+
+- Drop libverto and libverto-libev Requires from the -server
+ package: those package names don't exist and the shared libs
+ are pulled in automatically.
+
+-------------------------------------------------------------------
+Wed May 27 10:59:13 UTC 2015 - dimstar(a)opensuse.org
+
+- Unconditionally buildrequire libverto-devel: krb5-mini also
+ depends on it.
+
+-------------------------------------------------------------------
+Fri May 22 09:27:11 UTC 2015 - meissner(a)suse.com
+
+- pre_checkin.sh aligned changes between krb5/krb5-mini
+- added krb5.keyring
+
+-------------------------------------------------------------------
+Tue May 12 07:48:18 UTC 2015 - michael(a)stroeder.com
+
+- update to krb5 1.13.2
+
+- DES transition
+==============
+
+The Data Encryption Standard (DES) is widely recognized as weak. The
+krb5-1.7 release contains measures to encourage sites to migrate away
+- From using single-DES cryptosystems. Among these is a configuration
+variable that enables "weak" enctypes, which defaults to "false"
+beginning with krb5-1.8.
+
+
+Major changes in 1.13.2 (2015-05-08)
+====================================
+
+This is a bug fix release.
+
+* Fix a minor vulnerability in krb5_read_message, which is primarily
+ used in the BSD-derived kcmd suite of applications. [CVE-2014-5355]
+
+* Fix a bypass of requires_preauth in KDCs that have PKINIT enabled.
+ [CVE-2015-2694]
+
+* Fix some issues with the LDAP KDC database back end.
+
+* Fix an iteration-related memory leak in the DB2 KDC database back
+ end.
+
+* Fix issues with some less-used kadm5.acl functionality.
+
+* Improve documentation.
+
+-------------------------------------------------------------------
+Thu Apr 23 14:13:03 UTC 2015 - hguo(a)suse.com
+
+- Use externally built libverto
+
+-------------------------------------------------------------------
@@ -16,0 +76 @@
+
@@ -18 +78 @@
-Tue Jan 6 07:20:54 UTC 2015 - mlin(a)suse.com
+Tue Jan 6 07:12:29 UTC 2015 - mlin(a)suse.com
@@ -52,0 +113,12 @@
+-------------------------------------------------------------------
+Thu Sep 25 12:48:32 UTC 2014 - ddiss(a)suse.com
+
+- Work around replay cache creation race; (bnc#898439).
+ krb5-1.13-work-around-replay-cache-creation-race.patch
+
+-------------------------------------------------------------------
+Tue Sep 23 13:25:33 UTC 2014 - varkoly(a)suse.com
+
+- bnc#897874 CVE-2014-5351: krb5: current keys returned when randomizing the keys for a service principal
+- added patches:
+ * bnc#897874-CVE-2014-5351.diff
--- /work/SRC/openSUSE:Factory/krb5/krb5.changes 2015-02-22 17:23:32.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.krb5.new/krb5.changes 2015-05-29 11:44:24.000000000 +0200
@@ -1,0 +2,59 @@
+Thu May 28 08:01:00 UTC 2015 - dimstar(a)opensuse.org
+
+- Drop libverto and libverto-libev Requires from the -server
+ package: those package names don't exist and the shared libs
+ are pulled in automatically.
+
+-------------------------------------------------------------------
+Wed May 27 10:59:13 UTC 2015 - dimstar(a)opensuse.org
+
+- Unconditionally buildrequire libverto-devel: krb5-mini also
+ depends on it.
+
+-------------------------------------------------------------------
+Fri May 22 09:27:11 UTC 2015 - meissner(a)suse.com
+
+- pre_checkin.sh aligned changes between krb5/krb5-mini
+- added krb5.keyring
+
+-------------------------------------------------------------------
+Tue May 12 07:48:18 UTC 2015 - michael(a)stroeder.com
+
+- update to krb5 1.13.2
+
+- DES transition
+==============
+
+The Data Encryption Standard (DES) is widely recognized as weak. The
+krb5-1.7 release contains measures to encourage sites to migrate away
+- From using single-DES cryptosystems. Among these is a configuration
+variable that enables "weak" enctypes, which defaults to "false"
+beginning with krb5-1.8.
+
+
+Major changes in 1.13.2 (2015-05-08)
+====================================
+
+This is a bug fix release.
+
+* Fix a minor vulnerability in krb5_read_message, which is primarily
+ used in the BSD-derived kcmd suite of applications. [CVE-2014-5355]
+
+* Fix a bypass of requires_preauth in KDCs that have PKINIT enabled.
+ [CVE-2015-2694]
+
+* Fix some issues with the LDAP KDC database back end.
+
+* Fix an iteration-related memory leak in the DB2 KDC database back
+ end.
+
+* Fix issues with some less-used kadm5.acl functionality.
+
+* Improve documentation.
+
+-------------------------------------------------------------------
+Thu Apr 23 14:13:03 UTC 2015 - hguo(a)suse.com
+
+- Use externally built libverto
+
+-------------------------------------------------------------------
Old:
----
krb5-1.13.1.tar.gz
New:
----
krb5-1.13.2.tar.gz
krb5-1.13.2.tar.gz.asc
krb5.keyring
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ krb5-mini.spec ++++++
--- /var/tmp/diff_new_pack.txOWLJ/_old 2015-05-29 11:44:26.000000000 +0200
+++ /var/tmp/diff_new_pack.txOWLJ/_new 2015-05-29 11:44:26.000000000 +0200
@@ -1,7 +1,7 @@
#
# spec file for package krb5-mini
#
-# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
%define build_mini 1
-%define srcRoot krb5-1.13.1
+%define srcRoot krb5-1.13.2
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@@ -30,12 +30,13 @@
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
-Version: 1.13.1
+Version: 1.13.2
Release: 0
Summary: MIT Kerberos5 Implementation--Libraries
License: MIT
Group: Productivity/Networking/Security
Obsoletes: krb5-plugin-preauth-pkinit-nss
+BuildRequires: libverto-devel
%if ! 0%{?build_mini}
BuildRequires: doxygen
BuildRequires: libopenssl-devel
@@ -64,7 +65,10 @@
Conflicts: krb5-plugin-preauth-pkinit
Conflicts: krb5-plugin-preauth-otp
%endif
+# both tar.gz and .tar.gz.asc extracted from the http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
Source: krb5-%{version}.tar.gz
+Source42: krb5-%version.tar.gz.asc
+Source43: krb5.keyring
Source1: vendor-files.tar.bz2
Source2: baselibs.conf
Source5: krb5-rpmlintrc
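Review bot: Source42 and Source43 add the detached signature and keyring, but nothing in the visible hunks of this spec verifies krb5-%{version}.tar.gz against them, so the check depends entirely on tooling outside the spec; either add an explicit verification step in %prep or state in the comment which service performs it. The download location in the comment is plain http://, which leaves the signature as the only integrity check on the tarball, and Source42 writes %version where the neighbouring Source line uses %{version}.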
@@ -163,6 +167,7 @@
PreReq: %{name} = %{version}
Requires: keyutils-devel
Requires: libcom_err-devel
+Requires: libverto-devel
# bug437293
%ifarch ppc64
Obsoletes: krb5-devel-64bit
@@ -231,7 +236,8 @@
%endif
--with-selinux \
--with-system-et \
- --with-system-ss
+ --with-system-ss \
+ --with-system-verto
%{__make} %{?_smp_mflags}
%if ! 0%{?build_mini}
cd doc
@@ -451,7 +457,6 @@
%{_libdir}/libkdb5.so
%{_libdir}/libkrb5.so
%{_libdir}/libkrb5support.so
-%{_libdir}/libverto.so
%{_libdir}/libkrad.so
%{_libdir}/pkgconfig/gssrpc.pc
%{_libdir}/pkgconfig/kadm-client.pc
@@ -511,7 +516,6 @@
%{_libdir}/libkdb5.so.*
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
-%{_libdir}/libverto.so.*
%{_libdir}/libkrad.so.*
%{_libdir}/krb5/plugins/kdb/*
%{_libdir}/krb5/plugins/tls/*
@@ -585,7 +589,6 @@
%{_libdir}/libkdb5.so.*
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
-%{_libdir}/libverto.so.*
%{_libdir}/libkrad.so.*
%files server
++++++ krb5.spec ++++++
--- /var/tmp/diff_new_pack.txOWLJ/_old 2015-05-29 11:44:26.000000000 +0200
+++ /var/tmp/diff_new_pack.txOWLJ/_new 2015-05-29 11:44:26.000000000 +0200
@@ -1,7 +1,7 @@
#
# spec file for package krb5
#
-# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
%define build_mini 0
-%define srcRoot krb5-1.13.1
+%define srcRoot krb5-1.13.2
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@@ -30,12 +30,13 @@
BuildRequires: libcom_err-devel
BuildRequires: libselinux-devel
BuildRequires: ncurses-devel
-Version: 1.13.1
+Version: 1.13.2
Release: 0
Summary: MIT Kerberos5 Implementation--Libraries
License: MIT
Group: Productivity/Networking/Security
Obsoletes: krb5-plugin-preauth-pkinit-nss
+BuildRequires: libverto-devel
%if ! 0%{?build_mini}
BuildRequires: doxygen
BuildRequires: libopenssl-devel
@@ -64,7 +65,10 @@
Conflicts: krb5-plugin-preauth-pkinit
Conflicts: krb5-plugin-preauth-otp
%endif
+# both tar.gz and .tar.gz.asc extracted from the http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
Source: krb5-%{version}.tar.gz
+Source42: krb5-%version.tar.gz.asc
+Source43: krb5.keyring
Source1: vendor-files.tar.bz2
Source2: baselibs.conf
Source5: krb5-rpmlintrc
@@ -163,6 +167,7 @@
PreReq: %{name} = %{version}
Requires: keyutils-devel
Requires: libcom_err-devel
+Requires: libverto-devel
# bug437293
%ifarch ppc64
Obsoletes: krb5-devel-64bit
@@ -231,7 +236,8 @@
%endif
--with-selinux \
--with-system-et \
- --with-system-ss
+ --with-system-ss \
+ --with-system-verto
%{__make} %{?_smp_mflags}
%if ! 0%{?build_mini}
cd doc
@@ -451,7 +457,6 @@
%{_libdir}/libkdb5.so
%{_libdir}/libkrb5.so
%{_libdir}/libkrb5support.so
-%{_libdir}/libverto.so
%{_libdir}/libkrad.so
%{_libdir}/pkgconfig/gssrpc.pc
%{_libdir}/pkgconfig/kadm-client.pc
@@ -511,7 +516,6 @@
%{_libdir}/libkdb5.so.*
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
-%{_libdir}/libverto.so.*
%{_libdir}/libkrad.so.*
%{_libdir}/krb5/plugins/kdb/*
%{_libdir}/krb5/plugins/tls/*
@@ -585,7 +589,6 @@
%{_libdir}/libkdb5.so.*
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
-%{_libdir}/libverto.so.*
%{_libdir}/libkrad.so.*
%files server
++++++ krb5-1.13.1.tar.gz -> krb5-1.13.2.tar.gz ++++++
/work/SRC/openSUSE:Factory/krb5/krb5-1.13.1.tar.gz /work/SRC/openSUSE:Factory/.krb5.new/krb5-1.13.2.tar.gz differ: char 5, line 1
Hello community,
here is the log from the commit of package calibre for openSUSE:Factory checked in at 2015-05-29 10:47:37
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/calibre (Old)
and /work/SRC/openSUSE:Factory/.calibre.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "calibre"
Changes:
--------
--- /work/SRC/openSUSE:Factory/calibre/calibre.changes 2015-05-02 16:15:31.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.calibre.new/calibre.changes 2015-05-29 10:47:40.000000000 +0200
@@ -1,0 +2,38 @@
+Thu May 28 22:15:52 UTC 2015 - cornelis(a)solcon.nl
+
+- Update to version 2.28.0:
+ * New Features:
+ - Conversion of all ebook formats to Microsoft Word (DOCX)
+ files.
+ - Add keyboard shortcuts (Ctrl+Right, Ctrl+Left) to switch
+ between virtual library tabs.
+ - When sending email using GMX pause for five minutes between
+ books, to prevent GMX from blocking the account. The delay
+ can be configured via Preferences->Tweaks.
+ * Bug Fixes:
+ - Open With: Fix application icons in XDG_DATA_HOME on linux
+ not being found and fix unhandled error when choosing
+ non-executable files as applications.
+ - AZW3 Output: Remove duplicate anchors to workaround some
+ Kindle renderers using the last occurrence of an anchor as
+ the target instead of the first.
+ - Fix language definition on body tag being ignored during
+ conversion.
+ - Edit book: When importing multiple files into the book,
+ import them in the order sorted by their filenames instead
+ of in random order.
+ - E-book viewer: Fix print to pdf not working on some windows
+ systems with non-ascii usernames and non-utf-8 system
+ locales. Also make the print to pdf dialog a little easier
+ to use.
+ - Edit Book: Fix TOC editor window not remembering its last
+ used size
+ * Improved news sources:
+ - Field and Stream
+ - Linux Magazine
+ - Brand Eins
+ - Courrier International
+ - Wired Magazine
+ - The Onion
+
+-------------------------------------------------------------------
Old:
----
calibre-2.27.0.tar.xz
New:
----
calibre-2.28.0.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ calibre.spec ++++++
--- /var/tmp/diff_new_pack.ryHptB/_old 2015-05-29 10:47:41.000000000 +0200
+++ /var/tmp/diff_new_pack.ryHptB/_new 2015-05-29 10:47:41.000000000 +0200
@@ -20,7 +20,7 @@
License: GPL-3.0
Group: Productivity/Other
Name: calibre
-Version: 2.27.0
+Version: 2.28.0
Release: 0
Url: http://calibre-ebook.com
Source0: http://download.calibre-ebook.com/%{version}/calibre-%{version}.tar.xz
++++++ calibre-2.27.0.tar.xz -> calibre-2.28.0.tar.xz ++++++
/work/SRC/openSUSE:Factory/calibre/calibre-2.27.0.tar.xz /work/SRC/openSUSE:Factory/.calibre.new/calibre-2.28.0.tar.xz differ: char 27, line 1
Hello community,
here is the log from the commit of package pam_passwdqc for openSUSE:Factory checked in at 2015-05-29 10:47:21
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pam_passwdqc (Old)
and /work/SRC/openSUSE:Factory/.pam_passwdqc.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pam_passwdqc"
Changes:
--------
--- /work/SRC/openSUSE:Factory/pam_passwdqc/pam_passwdqc.changes 2012-03-07 13:43:54.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.pam_passwdqc.new/pam_passwdqc.changes 2015-05-29 10:47:22.000000000 +0200
@@ -1,0 +2,26 @@
+Sun Mar 8 23:28:24 UTC 2015 - p.drouand(a)gmail.com
+
+- Update to version 1.3.0
+ * Detection of common character sequences has been improved. This has
+ reduced the number of passing passwords for RockYou top 100k from
+ 35 to 18, and for RockYou top 1M from 2333 to 2273 (all of these are
+ with passwdqc's default policy). I also tested on lists of cracked and
+ not cracked passwords and reviewed the results manually to ensure
+ there's no significant increase in false positives.
+ * Generation of random passphrases with non-default settings has been
+ improved: case toggling has been made optional, possible use of trailing
+ single characters has been added, words are now separated with dashes
+ when different separator characters are not in use, and the range of
+ possible bit sizes of generated passphrases has been expanded (now it is
+ 24 to 85 bits for the programs, and 24 to 136 bits for the API).
+ The code has been made more robust: possible NULL pointer returns from
+ crypt(3) are handled correctly, all pre-initialized arrays and structs
+ are declared as "const", greater use of cpp macros for integer constants
+ and some source code comments were added (mostly in passwdqc_random.c).
+ * Darwin (Mac OS X) support has been added to the Makefile
+ * pwqcheck.php, a PHP wrapper function around the pwqcheck program, has
+ been added.
+- Use download Url as source
+- Remove redundant %clean section
+
+-------------------------------------------------------------------
Old:
----
passwdqc-1.2.2.tar.gz
New:
----
passwdqc-1.3.0.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ pam_passwdqc.spec ++++++
--- /var/tmp/diff_new_pack.LlyEiv/_old 2015-05-29 10:47:22.000000000 +0200
+++ /var/tmp/diff_new_pack.LlyEiv/_new 2015-05-29 10:47:22.000000000 +0200
@@ -1,7 +1,7 @@
#
# spec file for package pam_passwdqc
#
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -22,12 +22,12 @@
Requires: pam
Recommends: passwdqc
Provides: pam-modules:/%_lib/security/pam_passwdqc.so
-Version: 1.2.2
+Version: 1.3.0
Release: 0
Summary: Simple Password Strength Checking Module
License: BSD-3-Clause
Group: System/Libraries
-Source0: passwdqc-%{version}.tar.gz
+Source0: www.openwall.com/passwdqc/passwdqc-%{version}.tar.gz
Source1: baselibs.conf
Source50: dlopen.sh
BuildRoot: %{_tmppath}/%{name}-%{version}-build
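Review bot: the new Source0 value www.openwall.com/passwdqc/passwdqc-%{version}.tar.gz has no scheme, so it is not the download URL the changelog entry describes ("Use download Url as source") and cannot be fetched or compared against upstream automatically; prefix it with http:// or https://.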
@@ -102,9 +102,6 @@
%postun -n libpasswdqc0 -p /sbin/ldconfig
-%clean
-rm -rf $RPM_BUILD_ROOT
-
%files
%defattr(-,root,root,755)
%attr(755,root,root) /%{_lib}/security/pam_*.so
++++++ passwdqc-1.2.2.tar.gz -> passwdqc-1.3.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/passwdqc-1.2.2/INSTALL new/passwdqc-1.3.0/INSTALL
--- old/passwdqc-1.2.2/INSTALL 2010-06-23 00:41:31.000000000 +0200
+++ new/passwdqc-1.3.0/INSTALL 2013-04-24 04:02:54.000000000 +0200
@@ -26,8 +26,8 @@
Alternatively, on a Red Hat'ish Linux system and under an account
configured to build RPM packages (perhaps with ~/.rpmmacros specifying
the proper pathnames for %_topdir, %_tmppath, and %buildroot), you may
-build RPM packages by running "rpmbuild -tb passwdqc-1.2.2.tar.gz", then
-install the two binary subpackages with "rpm -Uvh passwdqc*-1.2.2*.rpm".
+build RPM packages by running "rpmbuild -tb passwdqc-1.3.0.tar.gz", then
+install the two binary subpackages with "rpm -Uvh passwdqc*-1.3.0*.rpm".
This works due to the RPM spec file included in the tarball.
Please refer to README and PLATFORMS for information on configuring your
@@ -37,4 +37,4 @@
Please refer to the pwqcheck(1) and pwqgen(1) manual pages for
information on using the command-line programs.
-$Owl: Owl/packages/passwdqc/passwdqc/INSTALL,v 1.5 2010/06/22 22:41:31 solar Exp $
+$Owl: Owl/packages/passwdqc/passwdqc/INSTALL,v 1.8 2013/04/24 02:02:54 solar Exp $
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/passwdqc-1.2.2/LICENSE new/passwdqc-1.3.0/LICENSE
--- old/passwdqc-1.2.2/LICENSE 2009-10-21 21:38:39.000000000 +0200
+++ new/passwdqc-1.3.0/LICENSE 2013-04-24 04:01:43.000000000 +0200
@@ -1,9 +1,9 @@
Two manual pages (pam_passwdqc.8 and passwdqc.conf.5) are under the
3-clause BSD-style license as specified within the files themselves.
-concat.c, wordset_4k.c, wordset_4k.h, and pam_macros.h are in the public
-domain, but at your option they may also be used under this package's
-license below.
+concat.c, wordset_4k.c, wordset_4k.h, pam_macros.h, and pwqcheck.php
+are in the public domain, but at your option they may also be used under
+this package's license below.
The rest of the files in this package fall under the following terms
(heavily cut-down "BSD license"):
@@ -23,4 +23,4 @@
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
-$Owl: Owl/packages/passwdqc/passwdqc/LICENSE,v 1.7 2009/10/21 19:38:39 solar Exp $
+$Owl: Owl/packages/passwdqc/passwdqc/LICENSE,v 1.8 2013/04/24 02:01:43 solar Exp $
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/passwdqc-1.2.2/Makefile new/passwdqc-1.3.0/Makefile
--- old/passwdqc-1.2.2/Makefile 2010-06-23 00:36:03.000000000 +0200
+++ new/passwdqc-1.3.0/Makefile 2012-08-19 00:24:09.000000000 +0200
@@ -7,6 +7,8 @@
TITLE = pam_passwdqc
SHARED_LIB = libpasswdqc.so.0
DEVEL_LIB = libpasswdqc.so
+SHARED_LIB_DARWIN = libpasswdqc.0.dylib
+DEVEL_LIB_DARWIN = libpasswdqc.dylib
MAP_LIB = libpasswdqc.map
PAM_SO_SUFFIX =
SHARED_PAM = $(TITLE).so$(PAM_SO_SUFFIX)
@@ -28,6 +30,7 @@
DEVEL_LIBDIR = /usr/lib
SECUREDIR = /lib/security
SECUREDIR_SUN = /usr/lib/security
+SECUREDIR_DARWIN = /usr/lib/pam
INCLUDEDIR = /usr/include
MANDIR = /usr/share/man
DESTDIR =
@@ -66,6 +69,7 @@
LDLIBS_pam_LINUX = -lpam -lcrypt
LDLIBS_pam_SUN = -lpam -lcrypt
LDLIBS_pam_HP = -lpam -lsec
+LDLIBS_pam_DARWIN = -lpam -lSystem
# Uncomment this to use cc instead of gcc
#CC = cc
@@ -110,6 +114,12 @@
LDFLAGS_pam="$(LDFLAGS_pam_HP)" \
LDLIBS_pam="$(LDLIBS_pam_HP)" \
$@_wrapped;; \
+ Darwin) $(MAKE) \
+ SHARED_LIB="$(SHARED_LIB_DARWIN)" \
+ DEVEL_LIB="$(DEVEL_LIB_DARWIN)" \
+ SECUREDIR="$(SECUREDIR_DARWIN)" \
+ LDLIBS_pam="$(LDLIBS_pam_DARWIN)" \
+ $@_wrapped;; \
*) $(MAKE) $@_wrapped;; \
esac
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/passwdqc-1.2.2/README new/passwdqc-1.3.0/README
--- old/passwdqc-1.2.2/README 2010-03-13 22:29:15.000000000 +0100
+++ new/passwdqc-1.3.0/README 2013-04-23 16:14:07.000000000 +0200
@@ -97,7 +97,7 @@
random=N[,only] [random=47]
-The size of randomly-generated passphrases in bits (26 to 81), or 0 to
+The size of randomly-generated passphrases in bits (24 to 85), or 0 to
disable this feature. Any passphrase that contains the offered
randomly-generated string will be allowed regardless of other possible
restrictions.
@@ -152,4 +152,4 @@
--
Solar Designer <solar at openwall.com>
-$Owl: Owl/packages/passwdqc/passwdqc/README,v 1.15 2010/03/13 21:29:15 solar Exp $
+$Owl: Owl/packages/passwdqc/passwdqc/README,v 1.16 2013/04/23 14:14:07 solar Exp $
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/passwdqc-1.2.2/pam_passwdqc.c new/passwdqc-1.3.0/pam_passwdqc.c
--- old/passwdqc-1.2.2/pam_passwdqc.c 2010-06-22 21:39:27.000000000 +0200
+++ new/passwdqc-1.3.0/pam_passwdqc.c 2012-08-19 00:24:09.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000-2003,2005 by Solar Designer. See LICENSE.
+ * Copyright (c) 2000-2003,2005,2012 by Solar Designer. See LICENSE.
*/
#ifdef __FreeBSD__
@@ -186,32 +186,39 @@
static int check_pass(struct passwd *pw, const char *pass)
{
-#ifdef HAVE_SHADOW
- struct spwd *spw;
const char *hash;
int retval;
+#ifdef HAVE_SHADOW
#ifdef __hpux
if (iscomsec()) {
#else
if (!strcmp(pw->pw_passwd, "x")) {
#endif
- spw = getspnam(pw->pw_name);
+ struct spwd *spw = getspnam(pw->pw_name);
endspent();
if (!spw)
return -1;
+ hash = NULL;
+ if (strlen(spw->sp_pwdp) >= 13) {
#ifdef __hpux
- hash = bigcrypt(pass, spw->sp_pwdp);
+ hash = bigcrypt(pass, spw->sp_pwdp);
#else
- hash = crypt(pass, spw->sp_pwdp);
+ hash = crypt(pass, spw->sp_pwdp);
#endif
- retval = strcmp(hash, spw->sp_pwdp) ? -1 : 0;
+ }
+ retval = (hash && !strcmp(hash, spw->sp_pwdp)) ? 0 : -1;
memset(spw->sp_pwdp, 0, strlen(spw->sp_pwdp));
return retval;
}
#endif
- return strcmp(crypt(pass, pw->pw_passwd), pw->pw_passwd) ? -1 : 0;
+ hash = NULL;
+ if (strlen(pw->pw_passwd) >= 13)
+ hash = crypt(pass, pw->pw_passwd);
+ retval = (hash && !strcmp(hash, pw->pw_passwd)) ? 0 : -1;
+ memset(pw->pw_passwd, 0, strlen(pw->pw_passwd));
+ return retval;
}
static int am_root(pam_handle_t *pamh)
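Review bot: the bare 13 in both new strlen(...) >= 13 guards needs a comment or a named constant; it is the length of a traditional DES crypt(3) hash, and the guard is what keeps shorter placeholder entries from being handed to crypt() as a salt. The non-shadow path now also zeroes pw->pw_passwd inside check_pass, which deserves a line in the function comment, since any caller that reads pw->pw_passwd after the call will find it empty.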
@@ -299,6 +306,10 @@
pw->pw_name = (char *)user;
pw->pw_gecos = "";
} else {
+/* As currently implemented, we don't avoid timing leaks for valid vs. not
+ * usernames and hashes. Normally, the username would have already been
+ * checked and determined valid, and the check_oldauthtok option is only needed
+ * on systems that happen to have similar timing leaks all over the place. */
pw = getpwnam(user);
endpwent();
if (!pw)
@@ -479,7 +490,7 @@
#ifdef PAM_MODULE_ENTRY
PAM_MODULE_ENTRY("pam_passwdqc");
#elif defined(PAM_STATIC)
-struct pam_module _pam_passwdqc_modstruct = {
+const struct pam_module _pam_passwdqc_modstruct = {
"pam_passwdqc",
NULL,
NULL,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/passwdqc-1.2.2/passwdqc.conf.5 new/passwdqc-1.3.0/passwdqc.conf.5
--- old/passwdqc-1.2.2/passwdqc.conf.5 2010-03-13 22:29:15.000000000 +0100
+++ new/passwdqc-1.3.0/passwdqc.conf.5 2013-04-23 16:14:07.000000000 +0200
@@ -35,7 +35,7 @@
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: src/lib/libpam/modules/pam_passwdqc/pam_passwdqc.8,v 1.4 2002/05/30 14:49:57 ru Exp $
-.\" $Owl: Owl/packages/passwdqc/passwdqc/passwdqc.conf.5,v 1.10 2010/03/13 21:29:15 solar Exp $
+.\" $Owl: Owl/packages/passwdqc/passwdqc/passwdqc.conf.5,v 1.11 2013/04/23 14:14:07 solar Exp $
.\"
.Dd March 13, 2010
.Dt PASSWDQC.CONF 5
@@ -177,7 +177,7 @@
.Sm on
.Xc
.Pq default: Cm random Ns = Ns 47
-The size of randomly-generated passphrases in bits (26 to 81),
+The size of randomly-generated passphrases in bits (24 to 85),
or 0 to disable this feature.
Any passphrase that contains the offered randomly-generated string will be
allowed regardless of other possible restrictions.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/passwdqc-1.2.2/passwdqc.h new/passwdqc-1.3.0/passwdqc.h
--- old/passwdqc-1.2.2/passwdqc.h 2010-06-18 22:06:01.000000000 +0200
+++ new/passwdqc-1.3.0/passwdqc.h 2013-04-24 03:45:10.000000000 +0200
@@ -49,6 +49,6 @@
#define F_USE_FIRST_PASS 0x00000100
#define F_USE_AUTHTOK 0x00000200
-#define PASSWDQC_VERSION "1.2.2"
+#define PASSWDQC_VERSION "1.3.0"
#endif /* PASSWDQC_H__ */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/passwdqc-1.2.2/passwdqc.spec new/passwdqc-1.3.0/passwdqc.spec
--- old/passwdqc-1.2.2/passwdqc.spec 2010-06-23 01:10:33.000000000 +0200
+++ new/passwdqc-1.3.0/passwdqc.spec 2013-04-24 04:02:54.000000000 +0200
@@ -1,8 +1,8 @@
-# $Owl: Owl/packages/passwdqc/passwdqc/passwdqc.spec,v 1.58 2010/06/22 23:10:33 solar Exp $
+# $Owl: Owl/packages/passwdqc/passwdqc/passwdqc.spec,v 1.63 2013/04/24 02:02:54 solar Exp $
Summary: A password/passphrase strength checking and policy enforcement toolset.
Name: passwdqc
-Version: 1.2.2
+Version: 1.3.0
Release: owl1
License: BSD-compatible
Group: System Environment/Base
@@ -60,7 +60,7 @@
%files
%defattr(-,root,root)
-%doc LICENSE README
+%doc LICENSE README pwqcheck.php
%config(noreplace) /etc/passwdqc.conf
/%_lib/lib*.so*
%_bindir/*
@@ -73,6 +73,35 @@
%_libdir/lib*.so
%changelog
+* Wed Apr 24 2013 Solar Designer <solar-at-owl.openwall.com> 1.3.0-owl1
+- When checking is_simple() after discounting a common character sequence,
+apply the (negative) bias even for the passphrase length check. Previously,
+we were not doing this because passphrases are normally built from words, and
+the same code was being used for the check for dictionary words.
+- Expanded the list of common character sequences. Along with the change
+above, this reduces the number of passing passwords for RockYou top 100k from
+35 to 18, and for RockYou top 1M from 2333 to 2273 (all of these are with
+passwdqc's default policy).
+- Moved the common character sequences check to be made after the dictionary
+words check, to avoid introducing more cases of misreporting.
+- Added pwqcheck.php, a PHP wrapper function around the pwqcheck program.
+
+* Tue Apr 23 2013 Solar Designer <solar-at-owl.openwall.com> 1.2.4-owl1
+- In randomly generated passphrases: toggle case of the first character of each
+word only if we wouldn't achieve sufficient entropy otherwise, use a trailing
+separator if we achieve sufficient entropy even with the final word omitted
+(in fact, we now enable the use of different separators in more cases for this
+reason), use dashes rather than spaces to separate words when different
+separator characters are not in use.
+- Expanded the allowed size of randomly-generated passphrases in bits (now it's
+24 to 85 in the tools, and 24 to 136 in the passwdqc_random() interface).
+
+* Wed Aug 15 2012 Solar Designer <solar-at-owl.openwall.com> 1.2.3-owl1
+- Handle possible NULL returns from crypt().
+- Declared all pre-initialized arrays and structs as const.
+- Added Darwin (Mac OS X) support to the Makefile, loosely based on a patch by
+Ronald Ip (thanks!)
+
* Tue Jun 22 2010 Solar Designer <solar-at-owl.openwall.com> 1.2.2-owl1
- Introduced the GNU'ish "uninstall" make target name (a synonym for "remove").
- Makefile updates to make the "install" and "uninstall" targets with their
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/passwdqc-1.2.2/passwdqc_check.c new/passwdqc-1.3.0/passwdqc_check.c
--- old/passwdqc-1.2.2/passwdqc_check.c 2010-03-27 20:13:15.000000000 +0100
+++ new/passwdqc-1.3.0/passwdqc_check.c 2013-04-24 03:16:03.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000-2002,2010 by Solar Designer. See LICENSE.
+ * Copyright (c) 2000-2002,2010,2013 by Solar Designer. See LICENSE.
*/
#include <stdio.h>
@@ -66,14 +66,15 @@
* contain enough different characters for its class, or doesn't contain
* enough words for a passphrase.
*
- * The bias may be positive or negative. It is added to the length,
- * except that a negative bias is not considered in the passphrase
- * length check because a passphrase is expected to contain words.
- * The bias does not apply to the number of different characters; the
- * actual number is used in all checks.
+ * The biases are added to the length, and they may be positive or negative.
+ * The passphrase length check uses passphrase_bias instead of bias so that
+ * zero may be passed for this parameter when the (other) bias is non-zero
+ * because of a dictionary word, which is perfectly normal for a passphrase.
+ * The biases do not affect the number of different characters, character
+ * classes, and word count.
*/
static int is_simple(const passwdqc_params_qc_t *params, const char *newpass,
- int bias)
+ int bias, int passphrase_bias)
{
int length, classes, words, chars;
int digits, lowers, uppers, others, unknowns;
@@ -155,7 +156,7 @@
if (!params->passphrase_words ||
words < params->passphrase_words)
continue;
- if (length + (bias > 0 ? bias : 0) >= params->min[2] &&
+ if (length + passphrase_bias >= params->min[2] &&
chars >= expected_different(27, params->min[2]) - 1)
return 0;
continue;
@@ -291,7 +292,7 @@
}
/* add credit for match_length - 1 chars */
bias = params->match_length - 1;
- if (is_simple(params, scratch, bias)) {
+ if (is_simple(params, scratch, bias, bias)) {
clean(scratch);
return 1;
}
@@ -319,7 +320,8 @@
bias += (int)params->match_length - j;
/* bias <= -1 */
if (bias < worst_bias) {
- if (is_simple(params, original, bias))
+ if (is_simple(params, original, bias,
+ (mode & 0xff) == 1 ? 0 : bias))
return 1;
worst_bias = bias;
}
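Review bot: `(mode & 0xff) == 1 ? 0 : bias` relies on an unexplained mask and literal. Elsewhere in this file mode is built as `is_reversed | 1` for the word list and `is_reversed | 2` for sequences, so named constants for those two values and for the mask would make it obvious that only word-list matches get a zero passphrase bias.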
@@ -342,23 +344,34 @@
/*
* Common sequences of characters.
- * We don't need to list any of the characters in reverse order because the
+ * We don't need to list any of the entire strings in reverse order because the
* code checks the new password in both "unified" and "unified and reversed"
- * form against these strings (unifying them first indeed). We also don't
- * have to include common repeats of characters (e.g., "777", "!!!", "1000")
- * because these are often taken care of by the requirement on the number of
- * different characters.
+ * form against these strings (unifying them first indeed). We also don't have
+ * to include common repeats of characters (e.g., "777", "!!!", "1000") because
+ * these are often taken care of by the requirement on the number of different
+ * characters.
*/
-const char *seq[] = {
+const char * const seq[] = {
"0123456789",
"`1234567890-=",
"~!@#$%^&*()_+",
"abcdefghijklmnopqrstuvwxyz",
+ "a1b2c3d4e5f6g7h8i9j0",
+ "1a2b3c4d5e6f7g8h9i0j",
+ "abc123",
"qwertyuiop[]\\asdfghjkl;'zxcvbnm,./",
"qwertyuiop{}|asdfghjkl:\"zxcvbnm<>?",
"qwertyuiopasdfghjklzxcvbnm",
"1qaz2wsx3edc4rfv5tgb6yhn7ujm8ik,9ol.0p;/-['=]\\",
- "qazwsxedcrfvtgbyhnujmikolp"
+ "!qaz@wsx#edc$rfv%tgb^yhn&ujm*ik<(ol>)p:?_{\"+}|",
+ "qazwsxedcrfvtgbyhnujmikolp",
+ "1q2w3e4r5t6y7u8i9o0p-[=]",
+ "q1w2e3r4t5y6u7i8o9p0[-]=\\",
+ "1qaz1qaz",
+ "1qaz!qaz", /* can't unify '1' and '!' - see comment in unify() */
+ "1qazzaq1",
+ "zaq!1qaz",
+ "zaq!2wsx"
};
/*
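Review bot: `const char * const seq[]` is still declared without `static`, so a very generic symbol name stays externally visible from the library. The only use shown in this patch is the loop in is_word_based() in the same file; if nothing outside passwdqc_check.c references it, add `static` while the declaration is being touched anyway.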
@@ -376,7 +389,7 @@
static const char *is_word_based(const passwdqc_params_qc_t *params,
const char *needle, const char *original, int is_reversed)
{
- char word[7];
+ char word[WORDSET_4K_LENGTH_MAX + 1];
char *unified;
unsigned int i;
int length;
@@ -385,22 +398,10 @@
if (!params->match_length) /* disabled */
return NULL;
- mode = is_reversed | 2;
- for (i = 0; i < sizeof(seq) / sizeof(seq[0]); i++) {
- unified = unify(NULL, seq[i]);
- if (!unified)
- return REASON_ERROR;
- if (is_based(params, unified, needle, original, mode)) {
- free(unified);
- return REASON_SEQ;
- }
- free(unified);
- }
-
mode = is_reversed | 1;
- word[6] = '\0';
+ word[WORDSET_4K_LENGTH_MAX] = '\0';
for (i = 0; i < 0x1000; i++) {
- memcpy(word, _passwdqc_wordset_4k[i], 6);
+ memcpy(word, _passwdqc_wordset_4k[i], WORDSET_4K_LENGTH_MAX);
length = strlen(word);
if (length < params->match_length)
continue;
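Review bot: removing the seq[] loop from ahead of the word-list loop (it is re-added after it further down) changes which check reports first when a password matches both, and nothing in the code says the new order is deliberate. A short comment at the `mode = is_reversed | 1;` line explaining why the word list is now checked first would help.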
@@ -413,6 +414,17 @@
}
mode = is_reversed | 2;
+ for (i = 0; i < sizeof(seq) / sizeof(seq[0]); i++) {
+ unified = unify(NULL, seq[i]);
+ if (!unified)
+ return REASON_ERROR;
+ if (is_based(params, unified, needle, original, mode)) {
+ free(unified);
+ return REASON_SEQ;
+ }
+ free(unified);
+ }
+
if (params->match_length <= 4)
for (i = 1900; i <= 2039; i++) {
sprintf(word, "%u", i);
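Review bot: `sprintf(word, "%u", i)` writes into `word`, whose size is now `WORDSET_4K_LENGTH_MAX + 1` instead of a literal. The four-digit years fit with the macro at 6, but that dependency is implicit; `snprintf(word, sizeof(word), "%u", i)` would keep this write bounded if the macro is ever changed.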
@@ -466,7 +478,7 @@
}
}
- if (is_simple(params, newpass, 0)) {
+ if (is_simple(params, newpass, 0, 0)) {
reason = REASON_SIMPLE;
if (length < params->min[1] && params->min[1] <= params->max)
reason = REASON_SIMPLESHORT;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/passwdqc-1.2.2/passwdqc_parse.c new/passwdqc-1.3.0/passwdqc_parse.c
--- old/passwdqc-1.2.2/passwdqc_parse.c 2010-03-13 22:23:08.000000000 +0100
+++ new/passwdqc-1.3.0/passwdqc_parse.c 2013-04-23 15:52:53.000000000 +0200
@@ -78,7 +78,7 @@
e += 5;
params->qc.min[4] = INT_MAX;
}
- if (*e || (v && v < 26) || v > 81)
+ if (*e || (v && v < 24) || v > 85)
goto parse_error;
params->qc.random_bits = v;
} else if ((p = skip_prefix(option, "enforce="))) {
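Review bot: the bounds `v < 24` and `v > 85` are bare literals that have to stay in step with pwqgen.1 and with the generator, where the lower limit is now derived as BITS_MIN in passwdqc_random.c. The upper bound here (85) also differs from BITS_MAX there (136 according to its comment) without explanation. Consider a shared header constant, or at least a comment stating where 85 comes from.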
@@ -152,7 +152,7 @@
return 0;
}
-static passwdqc_params_t defaults = {
+static const passwdqc_params_t defaults = {
{
{INT_MAX, 24, 11, 8, 7}, /* min */
40, /* max */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/passwdqc-1.2.2/passwdqc_random.c new/passwdqc-1.3.0/passwdqc_random.c
--- old/passwdqc-1.2.2/passwdqc_random.c 2010-03-13 22:04:51.000000000 +0100
+++ new/passwdqc-1.3.0/passwdqc_random.c 2013-04-23 16:00:38.000000000 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000-2002,2005,2008,2010 by Solar Designer. See LICENSE.
+ * Copyright (c) 2000-2002,2005,2008,2010,2013 by Solar Designer. See LICENSE.
*/
#include <stdio.h>
@@ -25,6 +25,37 @@
*/
#define SEPARATORS "-_!$&*+=23456789"
+/*
+ * Number of bits encoded per separator character.
+ */
+#define SEPARATOR_BITS 4
+
+/*
+ * Number of bits encoded per word. We use 4096 words, which gives 12 bits,
+ * and we toggle the case of the first character, which gives one bit more.
+ */
+#define WORD_BITS 13
+
+/*
+ * Number of bits encoded per separator and word.
+ */
+#define SWORD_BITS \
+ (SEPARATOR_BITS + WORD_BITS)
+
+/*
+ * Maximum number of words to use.
+ */
+#define WORDS_MAX 8
+
+/*
+ * Minimum and maximum number of bits to encode. With the settings above,
+ * these are 24 and 136, respectively.
+ */
+#define BITS_MIN \
+ (2 * (WORD_BITS - 1))
+#define BITS_MAX \
+ (WORDS_MAX * SWORD_BITS)
+
static int read_loop(int fd, unsigned char *buffer, int count)
{
int offset, block;
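Review bot: `SEPARATOR_BITS 4` is only correct while SEPARATORS holds exactly 16 characters, and nothing ties the two definitions together. A compile-time check that `sizeof(SEPARATORS) - 1 == 1 << SEPARATOR_BITS`, or at least a comment on the SEPARATORS define, would keep a later edit of the string from silently skewing the entropy accounting or over-indexing `SEPARATORS[i]`.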
@@ -52,62 +83,131 @@
{
char output[0x100], *retval;
int bits;
- int use_separators, count, i;
- unsigned int length, extra;
- char *start, *end;
+ int word_count, trailing_separator, use_separators, toggle_case;
+ int i;
+ unsigned int max_length, length, extra;
+ const char *start, *end;
int fd;
unsigned char bytes[3];
bits = params->random_bits;
- if (bits < 26 || bits > 132)
+ if (bits < BITS_MIN || bits > BITS_MAX)
return NULL;
- count = 1 + (bits + (16 - 13)) / 17;
- use_separators = ((bits + 12) / 13 != count);
+/*
+ * Calculate the number of words to use. The first word is always present
+ * (hence the "1 +" and the "- WORD_BITS"). Each one of the following words,
+ * if any, is prefixed by a separator character, so we use SWORD_BITS when
+ * calculating how many additional words to use. We divide "bits - WORD_BITS"
+ * by SWORD_BITS with rounding up (hence the addition of "SWORD_BITS - 1").
+ */
+ word_count = 1 + (bits + (SWORD_BITS - 1 - WORD_BITS)) / SWORD_BITS;
+
+/*
+ * Special case: would we still encode enough bits if we omit the final word,
+ * but keep the would-be-trailing separator?
+ */
+ trailing_separator = (SWORD_BITS * (word_count - 1) >= bits);
+ word_count -= trailing_separator;
+
+/*
+ * To determine whether we need to use different separator characters or maybe
+ * not, calculate the number of words we'd need to use if we don't use
+ * different separators. We calculate it by dividing "bits" by WORD_BITS with
+ * rounding up (hence the addition of "WORD_BITS - 1"). The resulting number
+ * is either the same as or greater than word_count. Use different separators
+ * only if their use, in the word_count calculation above, has helped reduce
+ * word_count.
+ */
+ use_separators = ((bits + (WORD_BITS - 1)) / WORD_BITS != word_count);
+ trailing_separator &= use_separators;
+
+/*
+ * Toggle case of the first character of each word only if we wouldn't achieve
+ * sufficient entropy otherwise.
+ */
+ toggle_case = (bits >
+ ((WORD_BITS - 1) * word_count) +
+ (use_separators ?
+ (SEPARATOR_BITS * (word_count - !trailing_separator)) : 0));
- length = count * 7 - 1;
- if (length >= sizeof(output) || (int)length > params->max)
+/*
+ * Calculate and check the maximum possible length of a "passphrase" we may
+ * generate for a given word_count. We add 1 to WORDSET_4K_LENGTH_MAX to
+ * account for separators (whether different or not). When there's no
+ * trailing separator, we subtract 1. The check against sizeof(output) uses
+ * ">=" to account for NUL termination.
+ */
+ max_length = word_count * (WORDSET_4K_LENGTH_MAX + 1) -
+ !trailing_separator;
+ if (max_length >= sizeof(output) || (int)max_length > params->max)
return NULL;
if ((fd = open("/dev/urandom", O_RDONLY)) < 0)
return NULL;
+ retval = NULL;
length = 0;
do {
- if (read_loop(fd, bytes, sizeof(bytes)) != sizeof(bytes)) {
- close(fd);
- return NULL;
- }
+ if (read_loop(fd, bytes, sizeof(bytes)) != sizeof(bytes))
+ goto out;
+/*
+ * Append a word. Treating bytes as little-endian, we use bits 0 to 11 for the
+ * word index, and bit 13 for toggling the case of the first character. Bits
+ * 12, 14, and 15 are left unused. Bits 16 to 23 are left for the separator.
+ */
i = (((int)bytes[1] & 0x0f) << 8) | (int)bytes[0];
start = _passwdqc_wordset_4k[i];
- end = memchr(start, '\0', 6);
+ end = memchr(start, '\0', WORDSET_4K_LENGTH_MAX);
if (!end)
- end = start + 6;
+ end = start + WORDSET_4K_LENGTH_MAX;
extra = end - start;
- if (length + extra >= sizeof(output) - 1) {
- close(fd);
- return NULL;
- }
+/* The ">=" leaves room for either one more separator or NUL */
+ if (length + extra >= sizeof(output))
+ goto out;
memcpy(&output[length], start, extra);
- output[length] ^= bytes[1] & 0x20; /* toggle case if bit set */
+ if (toggle_case) {
+/* Toggle case if bit set (we assume ASCII) */
+ output[length] ^= bytes[1] & 0x20;
+ bits--;
+ }
length += extra;
- bits -= 13;
+ bits -= WORD_BITS - 1;
+
+ if (bits <= 0)
+ break;
- if (use_separators && bits > 4) {
+/*
+ * Append a separator character. We use bits 16 to 19. Bits 20 to 23 are left
+ * unused.
+ *
+ * Special case: we may happen to leave a trailing separator if it provides
+ * enough bits on its own. With WORD_BITS 13 and SEPARATOR_BITS 4, this
+ * happens e.g. for bits values from 31 to 34, 48 to 51, 65 to 68.
+ */
+ if (use_separators) {
i = bytes[2] & 0x0f;
output[length++] = SEPARATORS[i];
- bits -= 4;
- } else if (bits > 0)
- output[length++] = ' ';
+ bits -= SEPARATOR_BITS;
+ } else
+ output[length++] = SEPARATORS[0];
} while (bits > 0);
+/*
+ * Since we may have added a separator after the check in the loop above, we
+ * must check again now.
+ */
+ if (length < sizeof(output)) {
+ output[length] = '\0';
+ retval = strdup(output);
+ }
+
+out:
memset(bytes, 0, sizeof(bytes));
+ memset(output, 0, length);
close(fd);
- output[length] = '\0';
- retval = strdup(output);
- memset(output, 0, length);
return retval;
}
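Review bot: at `out:`, the wipes `memset(bytes, 0, sizeof(bytes))` and `memset(output, 0, length)` are ordinary stores to locals that are never read again, so an optimizing compiler is free to drop them. Now that every exit path shares this label, it would be worth switching to a wipe routine the compiler cannot elide. Also worth a line in the documentation: when random separators are not used, the joiner changes from ' ' to `SEPARATORS[0]`, which alters the visible format of generated passphrases.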
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/passwdqc-1.2.2/pwqcheck.php new/passwdqc-1.3.0/pwqcheck.php
--- old/passwdqc-1.2.2/pwqcheck.php 1970-01-01 01:00:00.000000000 +0100
+++ new/passwdqc-1.3.0/pwqcheck.php 2013-04-24 03:57:26.000000000 +0200
@@ -0,0 +1,84 @@
+<?php
+
+/*
+ * Copyright (c) 2010 by Solar Designer
+ * See LICENSE
+ *
+ * This file was originally written as part of demos for the "How to manage a
+ * PHP application's users and passwords" article submitted to "the Month of
+ * PHP Security" (which was May 2010):
+ *
+ * http://www.openwall.com/articles/PHP-Users-Passwords#enforcing-password-pol…
+ *
+ * The pwqcheck() function is a wrapper around the pwqcheck(1) program from
+ * the passwdqc package:
+ *
+ * http://www.openwall.com/passwdqc/
+ *
+ * Returns 'OK' if the new password/passphrase passes the requirements.
+ * Otherwise returns a message explaining one of the reasons why the
+ * password/passphrase is rejected.
+ *
+ * $newpass and $oldpass are the new and current/old passwords/passphrases,
+ * respectively. Only $newpass is required.
+ *
+ * $user is the username.
+ *
+ * $aux may be the user's full name, e-mail address, and/or other textual
+ * info specific to the user (multiple items may be separated with spaces).
+ *
+ * $args are additional arguments to pass to pwqcheck(1), to override the
+ * default password policy.
+ */
+function pwqcheck($newpass, $oldpass = '', $user = '', $aux = '', $args = '')
+{
+// pwqcheck(1) itself returns the same message on internal error
+ $retval = 'Bad passphrase (check failed)';
+
+ $descriptorspec = array(
+ 0 => array('pipe', 'r'),
+ 1 => array('pipe', 'w'));
+// Leave stderr (fd 2) pointing to where it is, likely to error_log
+
+// Replace characters that would violate the protocol
+ $newpass = strtr($newpass, "\n", '.');
+ $oldpass = strtr($oldpass, "\n", '.');
+ $user = strtr($user, "\n:", '..');
+
+// Trigger a "too short" rather than "is the same" message in this special case
+ if (!$newpass && !$oldpass)
+ $oldpass = '.';
+
+ if ($args)
+ $args = ' ' . $args;
+ if (!$user)
+ $args = ' -2' . $args; // passwdqc 1.2.0+
+
+ $command = 'exec '; // No need to keep the shell process around on Unix
+ $command .= 'pwqcheck' . $args;
+ if (!($process = @proc_open($command, $descriptorspec, $pipes)))
+ return $retval;
+
+ $err = 0;
+ fwrite($pipes[0], "$newpass\n$oldpass\n") || $err = 1;
+ if ($user)
+ fwrite($pipes[0], "$user::::$aux:/:\n") || $err = 1;
+ fclose($pipes[0]) || $err = 1;
+ ($output = stream_get_contents($pipes[1])) || $err = 1;
+ fclose($pipes[1]);
+
+ $status = proc_close($process);
+
+// There must be a linefeed character at the end. Remove it.
+ if (substr($output, -1) === "\n")
+ $output = substr($output, 0, -1);
+ else
+ $err = 1;
+
+ if ($err === 0 && ($status === 0 || $output !== 'OK'))
+ $retval = $output;
+
+ return $retval;
+}
+
+?>
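Review bot: `$aux` is written into the passwd-style line `"$user::::$aux:/:\n"` without the `strtr()` filtering that `$user` gets, so a newline or ':' in a full name or e-mail address would break the record that pwqcheck reads. Filter it the same way, e.g. `strtr($aux, "\n:", '..')`. In addition, `$args` is appended unescaped to the command string given to proc_open(); the doc comment should state that it must never carry user-supplied data.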
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/passwdqc-1.2.2/pwqgen.1 new/passwdqc-1.3.0/pwqgen.1
--- old/passwdqc-1.2.2/pwqgen.1 2010-03-13 22:29:15.000000000 +0100
+++ new/passwdqc-1.3.0/pwqgen.1 2013-04-23 16:14:07.000000000 +0200
@@ -16,7 +16,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Owl: Owl/packages/passwdqc/passwdqc/pwqgen.1,v 1.10 2010/03/13 21:29:15 solar Exp $
+.\" $Owl: Owl/packages/passwdqc/passwdqc/pwqgen.1,v 1.11 2013/04/23 14:14:07 solar Exp $
.\"
.Dd March 13, 2010
.Dt PWQGEN 1
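Review bot: the `.Dd March 13, 2010` line is left as unchanged context although the $Owl revision line moves to 2013/04/23 and the documented range changes in the next hunk. Please update the document date so the rendered page reflects this revision.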
@@ -37,7 +37,7 @@
.Bl -tag -width indent
.It Cm random Ns = Ns Ar N
.Pq default: Cm random Ns = Ns 47
-The size of randomly-generated passphrase in bits (26 to 81).
+The size of randomly-generated passphrase in bits (24 to 85).
.It Cm config Ns = Ns Ar FILE
Load config
.Ar FILE
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/passwdqc-1.2.2/wordset_4k.c new/passwdqc-1.3.0/wordset_4k.c
--- old/passwdqc-1.2.2/wordset_4k.c 2010-03-27 20:42:54.000000000 +0100
+++ new/passwdqc-1.3.0/wordset_4k.c 2013-04-23 14:22:39.000000000 +0200
@@ -57,7 +57,7 @@
#include "wordset_4k.h"
-char _passwdqc_wordset_4k[0x1000][6] = {
+const char _passwdqc_wordset_4k[0x1000][WORDSET_4K_LENGTH_MAX] = {
"Adam",
"Afghan",
"Alaska",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/passwdqc-1.2.2/wordset_4k.h new/passwdqc-1.3.0/wordset_4k.h
--- old/passwdqc-1.2.2/wordset_4k.h 2009-10-10 00:46:30.000000000 +0200
+++ new/passwdqc-1.3.0/wordset_4k.h 2013-04-23 14:22:21.000000000 +0200
@@ -6,6 +6,8 @@
#ifndef WORDSET_4K_H__
#define WORDSET_4K_H__
-extern char _passwdqc_wordset_4k[0x1000][6];
+#define WORDSET_4K_LENGTH_MAX 6
+
+extern const char _passwdqc_wordset_4k[0x1000][WORDSET_4K_LENGTH_MAX];
#endif /* WORDSET_4K_H__ */
Hello community,
here is the log from the commit of package mono-basic for openSUSE:Factory checked in at 2015-05-29 10:47:04
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mono-basic (Old)
and /work/SRC/openSUSE:Factory/.mono-basic.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mono-basic"
Changes:
--------
--- /work/SRC/openSUSE:Factory/mono-basic/mono-basic.changes 2015-05-10 10:53:42.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.mono-basic.new/mono-basic.changes 2015-05-29 10:47:05.000000000 +0200
@@ -1,0 +2,5 @@
+Thu May 28 19:00:00 UTC 2015 - fwdsbs.to.11df(a)xoxy.net
+
+- update version 4.0.1
+
+-------------------------------------------------------------------
Old:
----
mono-basic-4.0.tar.bz2
New:
----
mono-basic-4.0.1.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ mono-basic.spec ++++++
--- /var/tmp/diff_new_pack.Z3YGpA/_old 2015-05-29 10:47:06.000000000 +0200
+++ /var/tmp/diff_new_pack.Z3YGpA/_new 2015-05-29 10:47:06.000000000 +0200
@@ -17,7 +17,7 @@
Name: mono-basic
-Version: 4.0
+Version: 4.0.1
Release: 0
Summary: Mono's Visual Basic Compiler and Runtime
License: LGPL-2.1
++++++ mono-basic-4.0.tar.bz2 -> mono-basic-4.0.1.tar.bz2 ++++++
Files old/mono-basic-4.0/class/lib/bootstrap/Microsoft.VisualBasic.dll and new/mono-basic-4.0.1/class/lib/bootstrap/Microsoft.VisualBasic.dll differ
Files old/mono-basic-4.0/class/lib/bootstrap/Microsoft.VisualBasic.dll.mdb and new/mono-basic-4.0.1/class/lib/bootstrap/Microsoft.VisualBasic.dll.mdb differ
Files old/mono-basic-4.0/class/lib/bootstrap/Mono.Cecil.VB.Mdb.dll.mdb and new/mono-basic-4.0.1/class/lib/bootstrap/Mono.Cecil.VB.Mdb.dll.mdb differ
Files old/mono-basic-4.0/class/lib/bootstrap/Mono.Cecil.VB.Pdb.dll.mdb and new/mono-basic-4.0.1/class/lib/bootstrap/Mono.Cecil.VB.Pdb.dll.mdb differ
Files old/mono-basic-4.0/class/lib/bootstrap/Mono.Cecil.VB.dll.mdb and new/mono-basic-4.0.1/class/lib/bootstrap/Mono.Cecil.VB.dll.mdb differ
Files old/mono-basic-4.0/class/lib/bootstrap/vbnc.exe and new/mono-basic-4.0.1/class/lib/bootstrap/vbnc.exe differ
Files old/mono-basic-4.0/class/lib/bootstrap/vbnc.exe.mdb and new/mono-basic-4.0.1/class/lib/bootstrap/vbnc.exe.mdb differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mono-basic-4.0/configure new/mono-basic-4.0.1/configure
--- old/mono-basic-4.0/configure 2015-04-27 20:36:26.000000000 +0200
+++ new/mono-basic-4.0.1/configure 2015-05-06 16:56:39.000000000 +0200
@@ -1,6 +1,6 @@
#!/bin/sh
-VERSION=4.0
+VERSION=4.0.1
prefix=/usr/local
configured_profiles="net_4_5"
moonlight_sdk_location=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mono-basic-4.0/vbruntime/Microsoft.VisualBasic/AssemblyInfo.vb new/mono-basic-4.0.1/vbruntime/Microsoft.VisualBasic/AssemblyInfo.vb
--- old/mono-basic-4.0/vbruntime/Microsoft.VisualBasic/AssemblyInfo.vb 2014-09-04 15:56:58.000000000 +0200
+++ new/mono-basic-4.0.1/vbruntime/Microsoft.VisualBasic/AssemblyInfo.vb 2015-05-06 16:47:29.000000000 +0200
@@ -66,16 +66,16 @@
<Assembly: AssemblyDefaultAlias("Microsoft.VisualBasic.dll")>
#Else
#If NET_VER >= 4.5 Then
-<Assembly: AssemblyVersion("11.0.0.0")>
+<Assembly: AssemblyVersion("10.0.0.0")>
<Assembly: ComVisible(True)>
'<Assembly: Guid("aa353322-85a4-4601-a6b7-e3b724e9350c")>
<Assembly: CLSCompliant(True)>
<Assembly: Debuggable(DebuggableAttribute.DebuggingModes.Default Or DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints)>
<Assembly: CompilationRelaxations(CompilationRelaxations.NoStringInterning)>
<Assembly: RuntimeCompatibility(WrapNonExceptionThrows:=True)>
-<Assembly: SatelliteContractVersion("11.0.0.0")>
-<Assembly: AssemblyInformationalVersion("11.0.30319.17020")>
-<Assembly: AssemblyFileVersion("11.0.30319.17020")>
+<Assembly: SatelliteContractVersion("10.0.0.0")>
+<Assembly: AssemblyInformationalVersion("10.0.30319.17020")>
+<Assembly: AssemblyFileVersion("10.0.30319.17020")>
<Assembly: AssemblyDefaultAlias("Microsoft.VisualBasic.dll")>
#ElseIf NET_VER >= 4.0 Then
<Assembly: AssemblyVersion("10.0.0.0")>
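Review bot: under `#If NET_VER >= 4.5` the AssemblyVersion, SatelliteContractVersion, AssemblyInformationalVersion and AssemblyFileVersion all go from 11.x back to 10.x, which makes AssemblyVersion identical to the `#ElseIf NET_VER >= 4.0` branch directly below. The changelog entry only says "update version 4.0.1"; a comment here or a changelog line explaining the downgrade is needed, since an assembly version change affects binding for anything built against 11.0.0.0.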
Hello community,
here is the log from the commit of package qtractor for openSUSE:Factory checked in at 2015-05-29 10:46:47
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/qtractor (Old)
and /work/SRC/openSUSE:Factory/.qtractor.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "qtractor"
Changes:
--------
--- /work/SRC/openSUSE:Factory/qtractor/qtractor.changes 2015-04-13 20:31:35.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.qtractor.new/qtractor.changes 2015-05-29 10:46:48.000000000 +0200
@@ -1,0 +2,26 @@
+Thu May 28 16:28:45 UTC 2015 - ecsos(a)opensuse.org
+
+- update to 0.6.7
+ * MIDI clip editor (aka. piano-roll) position, size, and view
+ /event type criteria are now persistent, across session and
+ user preferences application state.
+ * Generic plugin form widget position is now also preserved
+ across open/save session cycles.
+ * MIDI clip editor resilience is about to get an improvement,
+ fe. it doesn't close on stopping record/overdub anymore.
+ * Introducing (JACK) Timebase master setting as an option to
+ Transport mode (cf. View/Options.../General/Transport
+ /Timebase).
+ * LV2 plug-in MIDI/Event support now slanted for deprecation.
+ * Spanish (es) translation added, by avid Reyes Pucheta.
+ * It's live: audio track export (cf. Track/Export Tracks/ Audio.)
+ has been deeply refactored to finally include MIDI t
+ rack/instrument plugins rendering (aka. freeze) on selected
+ audio output buses on mix-down. (EXPERIMENTAL)
+ * MIDI file player now does (N)RPN 14-bit controller events.
+ * Track properties dialog output bus switch fix/optimization;
+ also fixed multiple DSSI instance reference count on close.
+ * Fixed for some strict tests for Qt4 vs. Qt5 configure builds.
+ * German (de) translation update (by Guido Scholz, thanks).
+
+-------------------------------------------------------------------
Old:
----
qtractor-0.6.6.tar.gz
New:
----
qtractor-0.6.7.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ qtractor.spec ++++++
--- /var/tmp/diff_new_pack.wydrCl/_old 2015-05-29 10:46:49.000000000 +0200
+++ /var/tmp/diff_new_pack.wydrCl/_new 2015-05-29 10:46:49.000000000 +0200
@@ -17,7 +17,7 @@
Name: qtractor
-Version: 0.6.6
+Version: 0.6.7
Release: 0
Summary: An Audio/MIDI multi-track sequencer
License: GPL-2.0+
++++++ qtractor-0.6.6.tar.gz -> qtractor-0.6.7.tar.gz ++++++
++++ 78766 lines of diff (skipped)
Hello community,
here is the log from the commit of package perl-Sys-Virt for openSUSE:Factory checked in at 2015-05-29 10:46:31
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/perl-Sys-Virt (Old)
and /work/SRC/openSUSE:Factory/.perl-Sys-Virt.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "perl-Sys-Virt"
Changes:
--------
--- /work/SRC/openSUSE:Factory/perl-Sys-Virt/perl-Sys-Virt.changes 2015-04-22 01:18:58.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.perl-Sys-Virt.new/perl-Sys-Virt.changes 2015-05-29 10:46:32.000000000 +0200
@@ -1,0 +2,6 @@
+Thu May 21 11:31:26 MDT 2015 - jfehlig(a)suse.com
+
+- Update to 1.2.15
+ - Add all new APIs and constants in libvirt 1.2.15
+
+-------------------------------------------------------------------
Old:
----
Sys-Virt-1.2.14.tar.gz
New:
----
Sys-Virt-1.2.15.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ perl-Sys-Virt.spec ++++++
--- /var/tmp/diff_new_pack.DwhIil/_old 2015-05-29 10:46:32.000000000 +0200
+++ /var/tmp/diff_new_pack.DwhIil/_new 2015-05-29 10:46:32.000000000 +0200
@@ -17,7 +17,7 @@
Name: perl-Sys-Virt
-Version: 1.2.14
+Version: 1.2.15
Release: 0
%define cpan_name Sys-Virt
Summary: Represent and manage a libvirt hypervisor connection
++++++ Sys-Virt-1.2.14.tar.gz -> Sys-Virt-1.2.15.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Sys-Virt-1.2.14/Changes new/Sys-Virt-1.2.15/Changes
--- old/Sys-Virt-1.2.14/Changes 2015-04-09 18:35:58.000000000 +0200
+++ new/Sys-Virt-1.2.15/Changes 2015-05-05 17:33:07.000000000 +0200
@@ -1,5 +1,13 @@
Revision history for perl module Sys::Virt
+1.2.15 2015-05-05
+
+ - Add support for VIR_DOMAIN_EVENT_ID_DEVICE_ADDED
+ event callback & constants.
+ - Add JOB_DOWNTIME_NET constant
+ - Add JOB_TIME_ELAPSED_NET constant
+ - Add virDomainAddIOThread and virDomainDelIOThread API bindings
+
1.2.14 2015-04-09
- Add VIR_CONNECT_BASELINE_CPU_MIGRATABLE constant
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Sys-Virt-1.2.14/HACKING new/Sys-Virt-1.2.15/HACKING
--- old/Sys-Virt-1.2.14/HACKING 2015-04-09 18:35:58.000000000 +0200
+++ new/Sys-Virt-1.2.15/HACKING 2015-05-05 17:33:07.000000000 +0200
@@ -1,10 +1,197 @@
Hacking on libvirt perl
=======================
-After each libvirt release:
+The libvirt Perl release versions are tied directly to the libvirt C
+library release versions. ie Sys::Virt 1.2.10 will require libvirt
+version 1.2.10 or newer in order to build. We do not aim to support
+conditional compilation against versions of libvirt that are older
+than the version of Sys::Virt.
- - Look at src/libvirt_public.syms and find any
- new APIs introduced
- - Look at include/libvirt/virterror.h and find
- any new VIR_FROM_XXX and VIR_ERR_XXX constants
- - Look for any new constants in libvirt.h.in
\ No newline at end of file
+
+General changes for new APIs
+----------------------------
+
+Additions to the libvirt C API will require changes to a minimum
+of two parts of the Sys::Virt codebase.
+
+ - Virt.xs - this provides the C glue code to access the libvirt C
+ library APIs and constants from the Perl interpretor. As a general
+ rule, every new function and header file constant/enum requires an
+ addition to this file. The exceptions are functions that are only
+ provided for the benefit of language bindings and not intended for
+ use by application code. For example the reference counting APIs
+ don't need exposing to Perl applications
+
+ - lib/ - this directory contains the pure Perl part of the binding.
+ There are separate files for each core libvirt object type
+
+ - lib/Sys/Virt.pm - mapping for virConnectPtr
+ - lib/Sys/Virt/Domain.pm - mapping for virDomainPtr
+ - lib/Sys/Virt/Error.pm - mapping for virErrorPtr
+ - lib/Sys/Virt/Event.pm - mapping for virEventPtr
+ - lib/Sys/Virt/Interface.pm - mapping for virInterfacePtr
+ - lib/Sys/Virt/Network.pm - mapping for virNetworkPtr
+ - lib/Sys/Virt/NodeDevice.pm - mapping for virNodeDevicePtr
+ - lib/Sys/Virt/NWFilter.pm - mapping for virNWFilterPtr
+ - lib/Sys/Virt/Secret.pm - mapping for virSecretPtr
+ - lib/Sys/Virt/StoragePool.pm - mapping for virStoragePoolPtr
+ - lib/Sys/Virt/StorageVol.pm - mapping for virStorageVolPtr
+ - lib/Sys/Virt/Stream.pm - mapping for virStreamPtr
+
+ There is rarely a need to write Perl code in the .pm modules, as
+ the mapping in the Virt.xs file is usually sufficient. As such
+ the primary purpose of the .pm modules is to hold the POD inline
+ documentation. Every function and constants is required to have
+ full API documentation provided
+
+There are a number of unit tests available in the t/ directory which
+assist in creation of new APIs.
+
+ - t/010-pod-coverage.t - ensures that every Perl method and constant
+ has POD documentation present
+ - t/030-api-coverage.t - ensures that every C library method/constant
+ in the libvirt-api.xml file has corresponding code in the Virt.xs.
+ Certain functions can be blacklisted in t/030-api-coverage.t as not
+ needed mapping to Perl. This only runs if TEST_MAINTAINER=1 is set.
+ - t/*.t - the other files mostly do functional testing against the
+ test:///default API - if the new function has support in the test
+ driver, then suitable additions should be made
+
+If use of the API is not obvious, it is often worth providing a small
+example program in the examples/ directory. These examples are also
+useful when adding APIs to ensure that they are operating correctly,
+if it wasn't possible to unit test them with test:///default.
+
+Every addition / change to the API must be documented in the Changes
+file.
+
+
+New API addition workflow
+-------------------------
+
+When the libvirt C library is changed, the following workflow is an
+effective way to update the Perl binding.
+
+ - Build the libvirt C library
+
+ # cd $HOME/src/libvirt
+ # ./autogen.sh --system
+ # make
+
+ - Configure & build the Sys::Virt module to build against the just
+ built libvirt library
+
+ # cd $HOME/src/libvirt-perl
+ # ../libvirt/run perl Makefile.PL
+ # ../libvirt/run make
+
+ - Run the test suite to identify which new functions/constants need
+ handling
+
+ # ../libvirt/run make test TEST_MAINTAINER=1
+
+ - For each missing item reported in the test suite...
+
+ - Edit Virt.xs to add the C binding
+ - Edit lib/*.pm to add the POD documentation (and occassionally Perl glue code)
+ - Edit Changes to document the addition
+ - Run the test suite (without maintainer mode) to verify POD docs
+ # ../libvirt/run make test
+ - Optionally add to one of the t/*.t test cases
+ - Optionally add demo to examples/
+ - Commit the changes to GIT
+
+
+Understanding Virt.xs glue layer
+--------------------------------
+
+The Perl XS glue (Virt.xs) is a pretty bizarre language, that mostly
+looks like C but is actually run through a Perl specific preprocessor
+to turn it into real C code. Learning and understanding XS code well
+is a really difficult task, but fortunately such knowledge is rarely
+required in order to add new APIs to the Perl Sys::Virt code.
+
+When adding constants just look for the REGISTER_CONSTANT() macro
+at the end of Virt.xs. Make sure that the constant is registered against
+the correct Sys::Virt::XXXX object namespace - look for the adjacent
+'gv_stashpv' calls to see which namespace is currently in effect.
+
+When adding methods, you must again make sure they are put in the
+correct object namespace. For methods, look for the statements
+that look like:
+
+ MODULE = Sys::Virt::NWFilter PACKAGE = Sys::Virt::NWFilter
+
+these indicate the start of a namespace for the object in question.
+When implementing the binding for a method, if not already familiar
+with XS code, the best technique is to just do cut+paste programming.
+Find an existing libvirt API call that has the same kind of API
+signature as the new API. Then just copy the XS code for that method
+and tweak the parameter names as needed.
+
+Async event callbacks have a little bit of special handling too. The
+callbacks are all implemented as static methods at the very top of
+the Virt.XS file. Look for method names like _domain_event_pmsuspend_callback
+and just copy the code for an existing callback method that has a similar
+set of parameters to the new callback.
+
+Once the callback is implemented look for the domain_event_register_any()
+or network_event_register_any() methods and extend the switch() statement
+so that it maps the event ID constant to your new callback.
+
+
+Making new releases
+-------------------
+
+The Sys::Virt releases are hosted on the Perl project CPAN infrastructure
+rather than libvirt.org
+
+ 1. Build the new release of libvirt as an RPM and install it on the
+ local machine.
+
+ 2. Set the release date in the Changes file and commit the change
+
+ 3. Tag the release with a GPG signed tag using vX.Y.Z syntax for
+ the tag name
+
+ git tag -s -m 'Release 1.2.14' v1.2.14
+
+ 4. Clone the repository or run 'git clean -x -f -d' to ensure a
+ 100% pristine state
+
+ 5. Run autobuild.sh to test the full test suite and generate local
+ RPMs. This results in Sys-Virt-1.2.14.tar.gz file being created
+
+ 6. Take the src.rpm file that was just generated by autobuild.sh
+ and run a scratch build against Fedora rawhide
+
+ # cd $HOME/src/fedora/perl-Sys-Virt
+ # fedpkg scratch-build --srpm /path/to/src/rpm/file
+
+ 7. Push the Changes commit and tag to GIT master
+
+ # git push
+ # git push origin v1.2.14
+
+If there is a failure at any step then this must be corrected
+as follows
+
+ a. Delete the signed release tag
+
+ git tag -d v1.2.14
+
+ b. Fix whatever the problem was and update the Changes file
+ if appropriate
+
+ c. Go to release process step 3 again.
+
+
+Assuming the release has now been made, the Sys-Virt-1.2.14.tar.gz
+file should be uploaded to CPAN using https://pause.cpan.org form.
+The upload is currently done by Daniel Berrange (username DANBERR).
+
+Now open the tree for the next release version by editing the files
+lib/Sys/Virt.pm, README, Makefile.PL to update the version number
+listed. Also edit Changes to add a placeholder entry for the new
+release number. Run 'make test' to ensure Changes file is syntax
+valid.
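Review bot: recovery step a ('git tag -d v1.2.14') removes only the local tag, which covers a failure in steps 3 to 6 but not one during step 7, where 'git push origin v1.2.14' may already have published the signed tag. Say that the recovery path applies only before the tag is pushed, or describe what to do once it is public. The examples also hardcode 1.2.14 in a file that ships with 1.2.15, so X.Y.Z placeholders would age better. The first paragraph refers to "Virt.XS" while the file touched in this diff is Virt.xs.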
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Sys-Virt-1.2.14/META.yml new/Sys-Virt-1.2.15/META.yml
--- old/Sys-Virt-1.2.14/META.yml 2015-04-09 18:36:10.000000000 +0200
+++ new/Sys-Virt-1.2.15/META.yml 2015-05-05 17:33:24.000000000 +0200
@@ -1,7 +1,7 @@
--- #YAML:1.0
name: Sys-Virt
abstract: Extension for the libvirt library
-version: 1.2.14
+version: 1.2.15
author:
- Daniel P. Berrange <dan(a)berrange.com>
license: perl
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Sys-Virt-1.2.14/MYMETA.json new/Sys-Virt-1.2.15/MYMETA.json
--- old/Sys-Virt-1.2.14/MYMETA.json 2015-04-09 18:36:02.000000000 +0200
+++ new/Sys-Virt-1.2.15/MYMETA.json 2015-05-05 17:33:17.000000000 +0200
@@ -42,5 +42,5 @@
}
},
"release_status" : "stable",
- "version" : "v1.2.14"
+ "version" : "v1.2.15"
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Sys-Virt-1.2.14/MYMETA.yml new/Sys-Virt-1.2.15/MYMETA.yml
--- old/Sys-Virt-1.2.14/MYMETA.yml 2015-04-09 18:36:02.000000000 +0200
+++ new/Sys-Virt-1.2.15/MYMETA.yml 2015-05-05 17:33:17.000000000 +0200
@@ -24,4 +24,4 @@
Test::Pod::Coverage: '0'
Time::HiRes: '0'
XML::XPath: '0'
-version: v1.2.14
+version: v1.2.15
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Sys-Virt-1.2.14/Makefile.PL new/Sys-Virt-1.2.15/Makefile.PL
--- old/Sys-Virt-1.2.14/Makefile.PL 2015-04-09 18:35:58.000000000 +0200
+++ new/Sys-Virt-1.2.15/Makefile.PL 2015-05-05 17:33:07.000000000 +0200
@@ -3,7 +3,7 @@
# See lib/ExtUtils/MakeMaker.pm for details of how to influence
# the contents of the Makefile that is written.
-my $libvirtver = "1.2.14";
+my $libvirtver = "1.2.15";
my $stat = system "pkg-config --atleast-version=$libvirtver libvirt";
die "cannot run pkg-config to check libvirt version" if $stat == -1;
die "libvirt >= $libvirtver is required\n" unless $stat == 0;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Sys-Virt-1.2.14/README new/Sys-Virt-1.2.15/README
--- old/Sys-Virt-1.2.14/README 2015-04-09 18:35:58.000000000 +0200
+++ new/Sys-Virt-1.2.15/README 2015-05-05 17:33:07.000000000 +0200
@@ -7,6 +7,6 @@
The only pre-requisite for this module is libvirt itself. For
installation instructions, consult the INSTALL file.
-The current minimum required version of libvirt is 1.2.14
+The current minimum required version of libvirt is 1.2.15
-- End
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Sys-Virt-1.2.14/Virt.xs new/Sys-Virt-1.2.15/Virt.xs
--- old/Sys-Virt-1.2.14/Virt.xs 2015-04-09 18:35:58.000000000 +0200
+++ new/Sys-Virt-1.2.15/Virt.xs 2015-05-05 17:33:07.000000000 +0200
@@ -858,6 +858,44 @@
static int
+_domain_event_device_added_callback(virConnectPtr con,
+ virDomainPtr dom,
+ const char *devAlias,
+ void *opaque)
+{
+ AV *data = opaque;
+ SV **self;
+ SV **cb;
+ SV *domref;
+ dSP;
+
+ self = av_fetch(data, 0, 0);
+ cb = av_fetch(data, 1, 0);
+
+ SvREFCNT_inc(*self);
+
+ ENTER;
+ SAVETMPS;
+
+ PUSHMARK(SP);
+ XPUSHs(*self);
+ domref = sv_newmortal();
+ sv_setref_pv(domref, "Sys::Virt::Domain", (void*)dom);
+ virDomainRef(dom);
+ XPUSHs(domref);
+ XPUSHs(sv_2mortal(newSVpv(devAlias, 0)));
+ PUTBACK;
+
+ call_sv(*cb, G_DISCARD);
+
+ FREETMPS;
+ LEAVE;
+
+ return 0;
+}
+
+
+static int
_domain_event_device_removed_callback(virConnectPtr con,
virDomainPtr dom,
const char *devAlias,
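Review bot: in _domain_event_device_added_callback, SvREFCNT_inc(*self) has no matching SvREFCNT_dec(*self) in the lines shown, and XPUSHs(*self) does not mortalize the value, so each delivered event appears to leave one extra reference on the connection object. Add the decrement after LEAVE, or drop the increment if the AV in opaque already keeps the object alive for the duration of the call. The results of both av_fetch(data, 0, 0) and av_fetch(data, 1, 0) are also dereferenced without a NULL check, and a short or malformed array would crash inside the event loop rather than raise a Perl error.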
@@ -2942,12 +2980,15 @@
case VIR_DOMAIN_EVENT_ID_BALLOON_CHANGE:
callback = VIR_DOMAIN_EVENT_CALLBACK(_domain_event_balloonchange_callback);
break;
+ case VIR_DOMAIN_EVENT_ID_DEVICE_ADDED:
+ callback = VIR_DOMAIN_EVENT_CALLBACK(_domain_event_device_added_callback);
+ break;
case VIR_DOMAIN_EVENT_ID_DEVICE_REMOVED:
callback = VIR_DOMAIN_EVENT_CALLBACK(_domain_event_device_removed_callback);
break;
case VIR_DOMAIN_EVENT_ID_TUNABLE:
- callback = VIR_DOMAIN_EVENT_CALLBACK(_domain_event_tunable_callback);
- break;
+ callback = VIR_DOMAIN_EVENT_CALLBACK(_domain_event_tunable_callback);
+ break;
case VIR_DOMAIN_EVENT_ID_AGENT_LIFECYCLE:
callback = VIR_DOMAIN_EVENT_CALLBACK(_domain_event_agent_lifecycle_callback);
break;
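Review bot: the two VIR_DOMAIN_EVENT_ID_TUNABLE lines are removed and re-added with identical text, so that part of the hunk is a whitespace-only change mixed into the functional addition of the VIR_DOMAIN_EVENT_ID_DEVICE_ADDED case. Keeping indentation fixes in a separate change makes the new case easier to audit and keeps blame output for the TUNABLE case meaningful.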
@@ -5059,6 +5100,26 @@
_croak_error();
+void
+add_iothread(dom, iothread_id, flags=0)
+ virDomainPtr dom;
+ unsigned int iothread_id;
+ unsigned int flags;
+ PPCODE:
+ if (virDomainAddIOThread(dom, iothread_id, flags) < 0)
+ _croak_error();
+
+
+void
+del_iothread(dom, iothread_id, flags=0)
+ virDomainPtr dom;
+ unsigned int iothread_id;
+ unsigned int flags;
+ PPCODE:
+ if (virDomainDelIOThread(dom, iothread_id, flags) < 0)
+ _croak_error();
+
+
int
num_of_snapshots(dom, flags=0)
virDomainPtr dom;
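Review bot: add_iothread and del_iothread declare iothread_id as unsigned int, so a negative or otherwise out-of-range value passed from Perl is converted silently before it reaches virDomainAddIOThread or virDomainDelIOThread, and the caller only sees whatever error libvirt reports for the converted number. Either document in the POD that the ID must be a positive integer or validate it in the binding before the call. Both functions push nothing on the stack, so CODE would serve as well as PPCODE here if the file's convention allows it.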
@@ -7519,6 +7580,7 @@
REGISTER_CONSTANT_STR(VIR_DOMAIN_JOB_DISK_TOTAL, JOB_DISK_TOTAL);
REGISTER_CONSTANT_STR(VIR_DOMAIN_JOB_DISK_BPS, JOB_DISK_BPS);
REGISTER_CONSTANT_STR(VIR_DOMAIN_JOB_DOWNTIME, JOB_DOWNTIME);
+ REGISTER_CONSTANT_STR(VIR_DOMAIN_JOB_DOWNTIME_NET, JOB_DOWNTIME_NET);
REGISTER_CONSTANT_STR(VIR_DOMAIN_JOB_MEMORY_CONSTANT, JOB_MEMORY_CONSTANT);
REGISTER_CONSTANT_STR(VIR_DOMAIN_JOB_MEMORY_NORMAL, JOB_MEMORY_NORMAL);
REGISTER_CONSTANT_STR(VIR_DOMAIN_JOB_MEMORY_NORMAL_BYTES, JOB_MEMORY_NORMAL_BYTES);
@@ -7528,6 +7590,7 @@
REGISTER_CONSTANT_STR(VIR_DOMAIN_JOB_MEMORY_BPS, JOB_MEMORY_BPS);
REGISTER_CONSTANT_STR(VIR_DOMAIN_JOB_SETUP_TIME, JOB_SETUP_TIME);
REGISTER_CONSTANT_STR(VIR_DOMAIN_JOB_TIME_ELAPSED, JOB_TIME_ELAPSED);
+ REGISTER_CONSTANT_STR(VIR_DOMAIN_JOB_TIME_ELAPSED_NET, JOB_TIME_ELAPSED_NET);
REGISTER_CONSTANT_STR(VIR_DOMAIN_JOB_TIME_REMAINING, JOB_TIME_REMAINING);
REGISTER_CONSTANT(VIR_DOMAIN_BLOCK_JOB_TYPE_UNKNOWN, BLOCK_JOB_TYPE_UNKNOWN);
@@ -7563,6 +7626,7 @@
REGISTER_CONSTANT(VIR_DOMAIN_EVENT_ID_PMWAKEUP, EVENT_ID_PMWAKEUP);
REGISTER_CONSTANT(VIR_DOMAIN_EVENT_ID_TRAY_CHANGE, EVENT_ID_TRAY_CHANGE);
REGISTER_CONSTANT(VIR_DOMAIN_EVENT_ID_BALLOON_CHANGE, EVENT_ID_BALLOON_CHANGE);
+ REGISTER_CONSTANT(VIR_DOMAIN_EVENT_ID_DEVICE_ADDED, EVENT_ID_DEVICE_ADDED);
REGISTER_CONSTANT(VIR_DOMAIN_EVENT_ID_DEVICE_REMOVED, EVENT_ID_DEVICE_REMOVED);
REGISTER_CONSTANT(VIR_DOMAIN_EVENT_ID_TUNABLE, EVENT_ID_TUNABLE);
REGISTER_CONSTANT(VIR_DOMAIN_EVENT_ID_AGENT_LIFECYCLE, EVENT_ID_AGENT_LIFECYCLE);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Sys-Virt-1.2.14/lib/Sys/Virt/Domain.pm new/Sys-Virt-1.2.15/lib/Sys/Virt/Domain.pm
--- old/Sys-Virt-1.2.14/lib/Sys/Virt/Domain.pm 2015-04-09 18:35:58.000000000 +0200
+++ new/Sys-Virt-1.2.15/lib/Sys/Virt/Domain.pm 2015-05-05 17:33:07.000000000 +0200
@@ -1237,6 +1237,18 @@
given by C<$mask>. The C<$mask> is a string representing a bitmask
against physical CPUs, 8 cpus per character.
+=item $dom->add_iothread($iothread, $flags=0)
+
+Add a new IOThread by the C<$iothread> value to the guest domain.
+The C<$flags> parameter accepts one or more the CONFIG OPTION constants
+documented later, and defaults to 0 if omitted.
+
+=item $dom->del_iothread($iothread, $flags=0)
+
+Delete an existing IOThread by the C<$iothread> value from the guest domain.
+The C<$flags> parameter accepts one or more the CONFIG OPTION constants
+documented later, and defaults to 0 if omitted.
+
=item my @stats = $dom->get_cpu_stats($startCpu, $numCpus, $flags=0)
Requests the guests host physical CPU usage statistics, starting
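Review bot: the POD for add_iothread and del_iothread reads "accepts one or more the CONFIG OPTION constants", which is missing "of", and "by the C<$iothread> value" does not say that the argument is the numeric IOThread ID. Spell out that $iothread is the ID of the thread to add or remove, and mention that the call dies on failure, since the XS side calls _croak_error() when libvirt returns an error.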
@@ -1334,6 +1346,12 @@
The elapsed time in milliseconds
+=item Sys::Virt::Domain::JOB_TIME_ELAPSED_NET
+
+Time in miliseconds since the beginning of the migration job NOT
+including the time required to transfer control flow from the
+source host to the destination host.
+
=item Sys::Virt::Domain::JOB_TIME_REMAINING
The expected remaining time in milliseconds. Only set if the
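Review bot: the new JOB_TIME_ELAPSED_NET entry spells "miliseconds" while the neighbouring entries use "milliseconds". Fix the spelling so that a text search of the POD finds every time-valued field.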
@@ -1423,6 +1441,12 @@
The number of milliseconds of downtime expected during
migration switchover.
+=item Sys::Virt::Domain::JOB_DOWNTIME_NET
+
+Real measured downtime (ms) NOT including the time required to
+transfer control flow from the source host to the destination
+host.
+
=item Sys::Virt::Domain::JOB_SETUP_TIME
The number of milliseconds of time doing setup of the job
@@ -2791,6 +2815,10 @@
Balloon target changes
+=item Sys::Virt::Domain::EVENT_ID_DEVICE_ADDED
+
+Asynchronous guest device addition
+
=item Sys::Virt::Domain::EVENT_ID_DEVICE_REMOVED
Asynchronous guest device removal
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Sys-Virt-1.2.14/lib/Sys/Virt.pm new/Sys-Virt-1.2.15/lib/Sys/Virt.pm
--- old/Sys-Virt-1.2.14/lib/Sys/Virt.pm 2015-04-09 18:35:58.000000000 +0200
+++ new/Sys-Virt-1.2.15/lib/Sys/Virt.pm 2015-05-05 17:33:07.000000000 +0200
@@ -78,7 +78,7 @@
use Sys::Virt::DomainSnapshot;
use Sys::Virt::Stream;
-our $VERSION = '1.2.14';
+our $VERSION = '1.2.15';
require XSLoader;
XSLoader::load('Sys::Virt', $VERSION);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Sys-Virt-1.2.14/perl-Sys-Virt.spec new/Sys-Virt-1.2.15/perl-Sys-Virt.spec
--- old/Sys-Virt-1.2.14/perl-Sys-Virt.spec 2015-04-09 18:36:10.000000000 +0200
+++ new/Sys-Virt-1.2.15/perl-Sys-Virt.spec 2015-05-05 17:33:24.000000000 +0200
@@ -1,7 +1,7 @@
# Automatically generated by perl-Sys-Virt.spec.PL
Name: perl-Sys-Virt
-Version: 1.2.14
+Version: 1.2.15
Release: 1%{?dist}%{?extra_release}
Summary: Represent and manage a libvirt hypervisor connection
License: GPLv2+ or Artistic
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Sys-Virt-1.2.14/t/030-api-coverage.t new/Sys-Virt-1.2.15/t/030-api-coverage.t
--- old/Sys-Virt-1.2.14/t/030-api-coverage.t 2015-04-09 18:35:58.000000000 +0200
+++ new/Sys-Virt-1.2.15/t/030-api-coverage.t 2015-05-05 17:33:07.000000000 +0200
@@ -87,6 +87,7 @@
virConnectDomainEventPMWakeupCallback
virConnectDomainEventTrayChangeCallback
virConnectDomainEventBalloonChangeCallback
+virConnectDomainEventDeviceAddedCallback
virConnectDomainEventDeviceRemovedCallback
virConnectDomainEventTunableCallback
virConnectDomainEventAgentLifecycleCallback