Hello community,
here is the log from the commit of package shim for openSUSE:Factory checked in at 2018-01-07 17:21:55
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shim (Old)
and /work/SRC/openSUSE:Factory/.shim.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim"
Sun Jan 7 17:21:55 2018 rev:64 rq:561806 version:14
Changes:
--------
--- /work/SRC/openSUSE:Factory/shim/shim.changes 2017-09-18 19:52:44.285691772 +0200
+++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2018-01-07 17:22:06.363214408 +0100
@@ -1,0 +2,36 @@
+Fri Jan 5 08:41:42 UTC 2018 - glin@suse.com
+
+- Add shim-httpboot-amend-device-path.patch to amend the device
+ path matching rule for httpboot (bsc#1065370)
+
+-------------------------------------------------------------------
+Thu Jan 4 08:17:44 UTC 2018 - glin@suse.com
+
+- Update to 14 (bsc#1054712)
+- Adjust make commands in spec
+- Drop upstreamed fixes
+ + shim-add-fallback-verbose-print.patch
+ + shim-back-to-openssl-1.0.2e.patch
+ + shim-fallback-workaround-masked-ami-variables.patch
+ + shim-fix-fallback-double-free.patch
+ + shim-fix-httpboot-crash.patch
+ + shim-fix-openssl-flags.patch
+ + shim-more-tpm-measurement.patch
+- Add shim-httpboot-include-console.h.patch to include console.h
+ in httpboot.c to avoid build failure
+- Add shim-remove-cryptpem.patch to replace functions in CryptPem.c
+ with the null function
+- Update SUSE/openSUSE specific patches
+ + shim-only-os-name.patch
+ + shim-arch-independent-names.patch
+ + shim-change-debug-file-path.patch
+ + shim-opensuse-cert-prompt.patch
+
+-------------------------------------------------------------------
+Fri Dec 29 18:41:12 UTC 2017 - ngompa13@gmail.com
+
+- Fix debuginfo + debugsource subpackage generation for RPM 4.14
+- Set the RPM groups correctly for debug{info,source} subpackages
+- Drop deprecated and out of date Authors information in description
+
+-------------------------------------------------------------------
Old:
----
shim-12.tar.bz2
shim-add-fallback-verbose-print.patch
shim-back-to-openssl-1.0.2e.patch
shim-fallback-workaround-masked-ami-variables.patch
shim-fix-fallback-double-free.patch
shim-fix-httpboot-crash.patch
shim-fix-openssl-flags.patch
shim-more-tpm-measurement.patch
New:
----
shim-14.tar.bz2
shim-httpboot-amend-device-path.patch
shim-httpboot-include-console.h.patch
shim-remove-cryptpem.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ shim.spec ++++++
--- /var/tmp/diff_new_pack.pHYk2N/_old 2018-01-07 17:22:07.779148039 +0100
+++ /var/tmp/diff_new_pack.pHYk2N/_new 2018-01-07 17:22:07.783147852 +0100
@@ -1,7 +1,7 @@
#
# spec file for package shim
#
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,10 +17,11 @@
# needssslcertforbuild
+%undefine _debuginfo_subpackages
%undefine _build_create_debug
Name: shim
-Version: 12
+Version: 14
Release: 0
Summary: UEFI shim loader
License: BSD-2-Clause
@@ -47,20 +48,12 @@
Patch1: shim-only-os-name.patch
# PATCH-FIX-SUSE shim-arch-independent-names.patch glin@suse.com -- Use the Arch-independent names
Patch2: shim-arch-independent-names.patch
-# PATCH-FIX-UPSTREAM shim-fix-httpboot-crash.patch glin@suse.com -- Fix HTTPBoot crash
-Patch3: shim-fix-httpboot-crash.patch
-# PATCH-FIX-UPSTREAM shim-fix-openssl-flags.patch glin@suse.com -- Fix the openssl compiler flags
-Patch4: shim-fix-openssl-flags.patch
-# PATCH-FIX-UPSTREAM shim-fix-fallback-double-free.patch glin@suse.com -- Fix double free in fallback.c
-Patch5: shim-fix-fallback-double-free.patch
-# PATCH-FIX-UPSTREAM shim-add-fallback-verbose-print.patch glin@suse.com -- Print debug messages dynamically
-Patch6: shim-add-fallback-verbose-print.patch
-# PATCH-FIX-UPSTREAM shim-fallback-workaround-masked-ami-variables.patch glin@suse.com -- Work around the masked AMI variables
-Patch7: shim-fallback-workaround-masked-ami-variables.patch
-# PATCH-FIX-UPSTREAM shim-more-tpm-measurement.patch glin@suse.com -- Measure more components for TPM
-Patch8: shim-more-tpm-measurement.patch
-# PATCH-FIX-UPSTREAM shim-back-to-openssl-1.0.2e.patch bsc#1054712 glin@suse.com -- Revert openssl back to 1.0.2e due to the rejection of some legit certificates
-Patch9: shim-back-to-openssl-1.0.2e.patch
+# PATCH-FIX-UPSTREAM shim-httpboot-include-console.h.patch glin@suse.com -- Include console.h in httpboot.c
+Patch3: shim-httpboot-include-console.h.patch
+# PATCH-FIX-UPSTREAM shim-remove-cryptpem.patch glin@suse.com -- Replace the functions in CryptPem.c with the null function
+Patch4: shim-remove-cryptpem.patch
+# PATCH-FIX-UPSTREAM shim-httpboot-amend-device-path.patch bsc#1065370 glin@suse.com -- Amend the device path matching rule for httpboot
+Patch5: shim-httpboot-amend-device-path.patch
# PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch glin@suse.com -- Change the default debug file path
Patch50: shim-change-debug-file-path.patch
# PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
@@ -90,21 +83,18 @@
%package -n shim-debuginfo
Summary: UEFI shim loader - debug symbols
-Group: System/Boot
+Group: Development/Debug
%description -n shim-debuginfo
The debug symbols of UEFI shim loader
%package -n shim-debugsource
Summary: UEFI shim loader - debug source
-Group: System/Boot
+Group: Development/Debug
%description -n shim-debugsource
The source code of UEFI shim loader
-Authors:
---------
- Matthew Garrett
%prep
%setup -q
@@ -113,10 +103,6 @@
%patch3 -p1
%patch4 -p1
%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
%patch50 -p1
%if 0%{?is_opensuse} == 1
%patch100 -p1
@@ -124,7 +110,10 @@
%build
# first, build MokManager and fallback as they don't depend on a
# specific certificate
-make EFI_PATH=/usr/lib64 RELEASE=0 MokManager.efi fallback.efi 2> /dev/null
+make EFI_PATH=/usr/lib64 RELEASE=0 \
+ MMSTEM=MokManager FBSTEM=fallback \
+ MokManager.efi.debug fallback.efi.debug \
+ MokManager.efi fallback.efi
# now build variants of shim that embed different certificates
default=''
@@ -179,7 +168,10 @@
cp $cert2 shim.crt
fi
# make sure cast warnings don't trigger post build check
- make EFI_PATH=/usr/lib64 RELEASE=0 VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 shim.efi
+ make EFI_PATH=/usr/lib64 RELEASE=0 SHIMSTEM=shim \
+ VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \
+ DEFAULT_LOADER="grub.efi" \
+ shim.efi.debug shim.efi
#
# assert correct certificate embedded
grep -q "$verify" shim.efi
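Review bot: `DEFAULT_LOADER="grub.efi"` is passed as a bare file name, while the arch-independent-names patch refreshed in this same commit shows shim's own loader defaults carrying a leading `\\` separator (the removed `#define FALLBACK L"\\fb" EFI_ARCH L".efi"`); whether the shim 14 Makefile adds the separator or the `L"..."` quoting when it turns this into a C define is outside this view, so verify the resulting macro names the path shim expects relative to its own directory on the ESP. The comment `# make sure cast warnings don't trigger post build check` above the rewritten make line appears not to describe anything the new invocation does, so it could be dropped or reworded to say what the `.debug` targets are for.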
++++++ shim-12.tar.bz2 -> shim-14.tar.bz2 ++++++
++++ 172208 lines of diff (skipped)
++++++ shim-arch-independent-names.patch ++++++
--- /var/tmp/diff_new_pack.pHYk2N/_old 2018-01-07 17:22:08.675106043 +0100
+++ /var/tmp/diff_new_pack.pHYk2N/_new 2018-01-07 17:22:08.679105856 +0100
@@ -1,4 +1,4 @@
-From 927d98bacff515fdbac1ba13c6ca655385f3d6a7 Mon Sep 17 00:00:00 2001
+From ffd90c3957fe8621e660d663b38b2eef8559c84a Mon Sep 17 00:00:00 2001
From: Gary Lin
Date: Tue, 22 Aug 2017 12:43:36 +0800
Subject: [PATCH] Make the names of EFI binaries arch-independent
@@ -10,49 +10,15 @@
Signed-off-by: Gary Lin
---
- Makefile | 9 ---------
fallback.c | 2 +-
shim.c | 6 +++---
- 3 files changed, 4 insertions(+), 13 deletions(-)
+ 2 files changed, 4 insertions(+), 4 deletions(-)
-diff --git a/Makefile b/Makefile
-index 6ece282..d518615 100644
---- a/Makefile
-+++ b/Makefile
-@@ -51,9 +51,6 @@ ifeq ($(ARCH),x86_64)
- -DNO_BUILTIN_VA_FUNCS \
- -DMDE_CPU_X64 "-DEFI_ARCH=L\"x64\"" -DPAGE_SIZE=4096 \
- "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/x64-$(VERSION)$(RELEASE)/\""
-- MMNAME = mmx64
-- FBNAME = fbx64
-- SHIMNAME= shimx64
- EFI_PATH:=/usr/lib64/gnuefi
- LIB_PATH:=/usr/lib64
-
-@@ -63,18 +60,12 @@ ifeq ($(ARCH),ia32)
- -maccumulate-outgoing-args -m32 \
- -DMDE_CPU_IA32 "-DEFI_ARCH=L\"ia32\"" -DPAGE_SIZE=4096 \
- "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/ia32-$(VERSION)$(RELEASE)/\""
-- MMNAME = mmia32
-- FBNAME = fbia32
-- SHIMNAME= shimia32
- EFI_PATH:=/usr/lib/gnuefi
- LIB_PATH:=/usr/lib
- endif
- ifeq ($(ARCH),aarch64)
- CFLAGS += -DMDE_CPU_AARCH64 "-DEFI_ARCH=L\"aa64\"" -DPAGE_SIZE=4096 \
- "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/aa64-$(VERSION)$(RELEASE)/\""
-- MMNAME = mmaa64
-- FBNAME = fbaa64
-- SHIMNAME= shimaa64
- EFI_PATH:=/usr/lib64/gnuefi
- LIB_PATH:=/usr/lib64
- endif
diff --git a/fallback.c b/fallback.c
-index 5e4a396..c80652a 100644
+index 46894af..886e052 100644
--- a/fallback.c
+++ b/fallback.c
-@@ -835,7 +835,7 @@ debug_hook(void)
+@@ -977,7 +977,7 @@ debug_hook(void)
x = 1;
Print(L"add-symbol-file "DEBUGDIR
@@ -62,12 +28,12 @@
}
diff --git a/shim.c b/shim.c
-index f8a1e67..48c8797 100644
+index aec9f8f..7b34868 100644
--- a/shim.c
+++ b/shim.c
-@@ -56,8 +56,8 @@
- #include
- #include
+@@ -50,8 +50,8 @@
+
+ #include
-#define FALLBACK L"\\fb" EFI_ARCH L".efi"
-#define MOK_MANAGER L"\\mm" EFI_ARCH L".efi"
@@ -76,7 +42,7 @@
#define OID_EKU_MODSIGN "1.3.6.1.4.1.2312.16.1.2"
-@@ -2671,7 +2671,7 @@ debug_hook(void)
+@@ -2852,7 +2852,7 @@ debug_hook(void)
}
Print(L"add-symbol-file "DEBUGDIR
@@ -86,5 +52,5 @@
Print(L"Pausing for debugger attachment.\n");
--
-2.14.0
+2.15.1
++++++ shim-change-debug-file-path.patch ++++++
--- /var/tmp/diff_new_pack.pHYk2N/_old 2018-01-07 17:22:08.687105481 +0100
+++ /var/tmp/diff_new_pack.pHYk2N/_new 2018-01-07 17:22:08.691105293 +0100
@@ -1,23 +1,26 @@
-From a2b1ceac7093798d770cf50c8a2a78f7051c7be9 Mon Sep 17 00:00:00 2001
-From: Gary Ching-Pang Lin
-Date: Wed, 15 Jul 2015 18:15:40 +0800
-Subject: [PATCH] Change the debug file path
+From 4e83fe57c5a8f1ba32a264f7a936e0e3a9aafedc Mon Sep 17 00:00:00 2001
+From: Gary Lin
+Date: Thu, 4 Jan 2018 12:28:37 +0800
+Subject: [PATCH] Use our own debug path
-Signed-off-by: Gary Ching-Pang Lin
+Signed-off-by: Gary Lin
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
-Index: shim-12/Makefile
-===================================================================
---- shim-12.orig/Makefile
-+++ shim-12/Makefile
-@@ -50,7 +50,7 @@ ifeq ($(ARCH),x86_64)
- -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \
- -DNO_BUILTIN_VA_FUNCS \
- -DMDE_CPU_X64 "-DEFI_ARCH=L\"x64\"" -DPAGE_SIZE=4096 \
-- "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/x64-$(VERSION)$(RELEASE)/\""
-+ "-DDEBUGDIR=L\"/usr/lib/debug/usr/lib64/efi/shim.debug\""
- EFI_PATH:=/usr/lib64/gnuefi
- LIB_PATH:=/usr/lib64
+diff --git a/Makefile b/Makefile
+index f4b7adb..55f6126 100644
+--- a/Makefile
++++ b/Makefile
+@@ -122,7 +122,7 @@ SHIMHASHNAME = $(SHIMSTEM).hash
+ BOOTEFINAME ?= BOOT$(ARCH_SUFFIX_UPPER).EFI
+ BOOTCSVNAME ?= BOOT$(ARCH_SUFFIX_UPPER).CSV
+-CFLAGS += "-DEFI_ARCH=L\"$(ARCH_SUFFIX)\"" "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/$(ARCH_SUFFIX)-$(VERSION)$(DASHRELEASE)/\""
++CFLAGS += "-DEFI_ARCH=L\"$(ARCH_SUFFIX)\"" "-DDEBUGDIR=L\"/usr/lib/debug/usr/lib64/efi/shim.debug\""
+
+ ifneq ($(origin VENDOR_CERT_FILE), undefined)
+ CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
+--
+2.15.1
+
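Review bot: The new DEBUGDIR string `/usr/lib/debug/usr/lib64/efi/shim.debug` now sits on the architecture-independent `CFLAGS +=` line, whereas the old version of this patch changed only the x86_64 block, so on ia32 or aarch64 builds the debug_hook hint would point at a lib64 path that does not match those targets. The upstream line being replaced derives the directory from `$(ARCH_SUFFIX)`; if this package is built for more than x86_64 (the spec's arch restriction is outside this view), deriving the lib directory from the Makefile's per-arch library path would keep the hint correct everywhere.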
++++++ shim-httpboot-amend-device-path.patch ++++++
From 9fcc5c93c4cad02927ecb318bafe2335f1026df3 Mon Sep 17 00:00:00 2001
From: Gary Lin
Date: Fri, 27 Oct 2017 11:36:40 +0800
Subject: [PATCH 1/2] httpboot: Amend the device path matching rule
Originally, we check if the last 2 nodes in the device path are
IPv4()/Uri() or IPv6()/Uri() to determine whether httpboot is used or
not. However, since UEFI 2.7, the DNS node will be inserted between the
IP node and the URI node if the server provides the DNS server address.
This commit changes the matching rule to search IP node and URI node
and ignore any node between those two nodes.
Signed-off-by: Gary Lin
---
httpboot.c | 67 ++++++++++++++++++++++++++++++++++++--------------------------
1 file changed, 39 insertions(+), 28 deletions(-)
diff --git a/httpboot.c b/httpboot.c
index e4657c1..ccff5aa 100644
--- a/httpboot.c
+++ b/httpboot.c
@@ -105,10 +105,11 @@ find_httpboot (EFI_HANDLE device)
{
EFI_DEVICE_PATH *unpacked;
EFI_DEVICE_PATH *Node;
- EFI_DEVICE_PATH *NextNode;
MAC_ADDR_DEVICE_PATH *MacNode;
URI_DEVICE_PATH *UriNode;
UINTN uri_size;
+ BOOLEAN ip_found = FALSE;
+ BOOLEAN ret = FALSE;
if (uri) {
FreePool(uri);
@@ -128,50 +129,60 @@ find_httpboot (EFI_HANDLE device)
}
Node = unpacked;
- /* Traverse the device path to find IPv4()/Uri() or IPv6()/Uri() */
+ /* Traverse the device path to find IPv4()/.../Uri() or
+ * IPv6()/.../Uri() */
while (!IsDevicePathEnd(Node)) {
/* Save the MAC node so we can match the net card later */
if (DevicePathType(Node) == MESSAGING_DEVICE_PATH &&
DevicePathSubType(Node) == MSG_MAC_ADDR_DP) {
MacNode = (MAC_ADDR_DEVICE_PATH *)Node;
- CopyMem(&mac_addr, &MacNode->MacAddress, sizeof(EFI_MAC_ADDRESS));
- }
-
- if (DevicePathType(Node) == MESSAGING_DEVICE_PATH &&
- (DevicePathSubType(Node) == MSG_IPv4_DP ||
- DevicePathSubType(Node) == MSG_IPv6_DP)) {
- /* Save the IP node so we can set up the connection later */
+ CopyMem(&mac_addr, &MacNode->MacAddress,
+ sizeof(EFI_MAC_ADDRESS));
+ } else if (DevicePathType(Node) == MESSAGING_DEVICE_PATH &&
+ (DevicePathSubType(Node) == MSG_IPv4_DP ||
+ DevicePathSubType(Node) == MSG_IPv6_DP)) {
+ /* Save the IP node so we can set up the connection */
+ /* later */
if (DevicePathSubType(Node) == MSG_IPv6_DP) {
- CopyMem(&ip6_node, Node, sizeof(IPv6_DEVICE_PATH));
+ CopyMem(&ip6_node, Node,
+ sizeof(IPv6_DEVICE_PATH));
is_ip6 = TRUE;
} else {
- CopyMem(&ip4_node, Node, sizeof(IPv4_DEVICE_PATH));
+ CopyMem(&ip4_node, Node,
+ sizeof(IPv4_DEVICE_PATH));
is_ip6 = FALSE;
}
- Node = NextDevicePathNode(Node);
+ ip_found = TRUE;
+ } else if (ip_found == TRUE &&
+ (DevicePathType(Node) == MESSAGING_DEVICE_PATH &&
+ DevicePathSubType(Node) == MSG_URI_DP)) {
+ EFI_DEVICE_PATH *NextNode;
+
+ /* Check if the URI node is the last node since the */
+ /* RAMDISK node could be appended, and we don't need */
+ /* to download the second stage loader in that case. */
NextNode = NextDevicePathNode(Node);
- if (DevicePathType(Node) == MESSAGING_DEVICE_PATH &&
- DevicePathSubType(Node) == MSG_URI_DP &&
- IsDevicePathEnd(NextNode)) {
- /* Save the current URI */
- UriNode = (URI_DEVICE_PATH *)Node;
- uri_size = strlena(UriNode->Uri);
- uri = AllocatePool(uri_size + 1);
- if (!uri) {
- perror(L"Failed to allocate uri\n");
- return FALSE;
- }
- CopyMem(uri, UriNode->Uri, uri_size + 1);
- FreePool(unpacked);
- return TRUE;
+ if (!IsDevicePathEnd(NextNode))
+ continue;
+
+ /* Save the current URI */
+ UriNode = (URI_DEVICE_PATH *)Node;
+ uri_size = strlena(UriNode->Uri);
+ uri = AllocatePool(uri_size + 1);
+ if (!uri) {
+ perror(L"Failed to allocate uri\n");
+ goto out;
}
+ CopyMem(uri, UriNode->Uri, uri_size + 1);
+ ret = TRUE;
+ goto out;
}
Node = NextDevicePathNode(Node);
}
-
+out:
FreePool(unpacked);
- return FALSE;
+ return ret;
}
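Review bot: The new IP-node and URI-node branches copy and scan firmware-supplied device-path nodes without checking each node's own length: `CopyMem(&ip6_node, Node, sizeof(IPv6_DEVICE_PATH))` and its IPv4 twin read a full struct from a node whose `DevicePathNodeLength(Node)` may be smaller, and `uri_size = strlena(UriNode->Uri)` assumes a NUL terminator inside the node although the URI presumably arrives with the network boot configuration rather than from shim itself. Guarding the copies with a node-length comparison and bounding the URI scan by `DevicePathNodeLength(Node) - sizeof(EFI_DEVICE_PATH)` keeps a malformed path from over-reading the unpacked buffer; the sketch below assumes `uri` is a `CHAR8 *`, as the `strlena()` call implies. While there, `ip_found == TRUE` reads more naturally as `ip_found`. The `continue` that skips the `Node = NextDevicePathNode(Node)` advance is fixed by the second patch in this file, so it is not re-raised here. find_httpboot begins in the previous hunk; `uri`, `mac_addr`, `ip4_node`, `ip6_node` and `is_ip6` are declared outside both.
```c
		} else if (DevicePathType(Node) == MESSAGING_DEVICE_PATH &&
			   (DevicePathSubType(Node) == MSG_IPv4_DP ||
			    DevicePathSubType(Node) == MSG_IPv6_DP)) {
			/* Refuse a node shorter than the struct we copy out of it */
			if (DevicePathSubType(Node) == MSG_IPv6_DP) {
				if (DevicePathNodeLength(Node) < sizeof(IPv6_DEVICE_PATH))
					goto out;
				CopyMem(&ip6_node, Node, sizeof(IPv6_DEVICE_PATH));
				is_ip6 = TRUE;
			} else {
				if (DevicePathNodeLength(Node) < sizeof(IPv4_DEVICE_PATH))
					goto out;
				CopyMem(&ip4_node, Node, sizeof(IPv4_DEVICE_PATH));
				is_ip6 = FALSE;
			}
			ip_found = TRUE;
		} else if (ip_found &&
			   (DevicePathType(Node) == MESSAGING_DEVICE_PATH &&
			    DevicePathSubType(Node) == MSG_URI_DP)) {
			/* … unchanged: last-node check via NextNode … */
			/* Bound the scan by the node length instead of trusting
			 * a NUL terminator inside the node */
			UriNode = (URI_DEVICE_PATH *)Node;
			for (uri_size = 0;
			     uri_size + sizeof(EFI_DEVICE_PATH) < DevicePathNodeLength(Node);
			     uri_size++)
				if (UriNode->Uri[uri_size] == '\0')
					break;
			uri = AllocatePool(uri_size + 1);
			if (!uri) {
				perror(L"Failed to allocate uri\n");
				goto out;
			}
			CopyMem(uri, UriNode->Uri, uri_size);
			uri[uri_size] = '\0';
			ret = TRUE;
			goto out;
```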
static EFI_STATUS
--
2.15.1
From 2da4f7a9c97f7fed1cbacc37af8895cf1f90150f Mon Sep 17 00:00:00 2001
From: Gary Lin
Date: Fri, 5 Jan 2018 16:51:39 +0800
Subject: [PATCH 2/2] httpboot: fix the infinite loop
We should get out of the loop once the uri node is not the last node in
the device path.
Signed-off-by: Gary Lin
---
httpboot.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/httpboot.c b/httpboot.c
index ccff5aa..d865dca 100644
--- a/httpboot.c
+++ b/httpboot.c
@@ -164,7 +164,7 @@ find_httpboot (EFI_HANDLE device)
/* to download the second stage loader in that case. */
NextNode = NextDevicePathNode(Node);
if (!IsDevicePathEnd(NextNode))
- continue;
+ goto out;
/* Save the current URI */
UriNode = (URI_DEVICE_PATH *)Node;
--
2.15.1
++++++ shim-httpboot-include-console.h.patch ++++++
From c6ecc2923b8072e9cb24806b1c1b92f63016fd63 Mon Sep 17 00:00:00 2001
From: Gary Lin
Date: Thu, 4 Jan 2018 14:31:51 +0800
Subject: [PATCH] httpboot: include console.h
in_protocol is declared in console.h, so httpboot.c has to include the
header.
Signed-off-by: Gary Lin
---
httpboot.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/httpboot.c b/httpboot.c
index 058704f..b753405 100644
--- a/httpboot.c
+++ b/httpboot.c
@@ -34,6 +34,7 @@
#include
#include
#include "str.h"
+#include "console.h"
#include "Http.h"
#include "Ip4Config2.h"
#include "Ip6Config.h"
--
2.15.1
++++++ shim-only-os-name.patch ++++++
--- /var/tmp/diff_new_pack.pHYk2N/_old 2018-01-07 17:22:08.723103794 +0100
+++ /var/tmp/diff_new_pack.pHYk2N/_new 2018-01-07 17:22:08.727103606 +0100
@@ -1,13 +1,30 @@
-Index: shim-12/Makefile
-===================================================================
---- shim-12.orig/Makefile
-+++ shim-12/Makefile
-@@ -117,7 +117,7 @@ shim_cert.h: shim.cer
+From 087123b6eb8e8067c500cb7a411085c0ebe66e94 Mon Sep 17 00:00:00 2001
+From: Gary Lin
+Date: Thu, 4 Jan 2018 12:22:43 +0800
+Subject: [PATCH] Only use the OS name in version
+
+Since we build shim binary with open build service, it's difficult to
+fix the linux kernel version of the build bot, so we just use "uname -o"
+instead of "uname -a".
+
+Signed-off-by: Gary Lin
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index e756aa5..f4b7adb 100644
+--- a/Makefile
++++ b/Makefile
+@@ -177,7 +177,7 @@ shim_cert.h: shim.cer
- version.c : version.c.in
+ version.c : $(TOPDIR)/version.c.in
sed -e "s,@@VERSION@@,$(VERSION)," \
- -e "s,@@UNAME@@,$(shell uname -a)," \
+ -e "s,@@UNAME@@,$(shell uname -o)," \
-e "s,@@COMMIT@@,$(COMMITID)," \
- < version.c.in > version.c
+ < $< > $@
+--
+2.15.1
+
++++++ shim-opensuse-cert-prompt.patch ++++++
--- /var/tmp/diff_new_pack.pHYk2N/_old 2018-01-07 17:22:08.739103044 +0100
+++ /var/tmp/diff_new_pack.pHYk2N/_new 2018-01-07 17:22:08.739103044 +0100
@@ -1,7 +1,7 @@
-From ccd53ba8892ce8955611c9dc519454ddd4b2a62f Mon Sep 17 00:00:00 2001
+From 7472a6ee1f01466df1a1de65de669ed0c20b12c4 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin
Date: Tue, 18 Feb 2014 17:29:19 +0800
-Subject: [PATCH 1/4] Show the build-in certificate prompt
+Subject: [PATCH 1/3] Show the build-in certificate prompt
This is an openSUSE-only patch.
@@ -21,10 +21,10 @@
1 file changed, 75 insertions(+), 2 deletions(-)
diff --git a/shim.c b/shim.c
-index f8a1e67..b1fe60f 100644
+index 7b34868..be250b6 100644
--- a/shim.c
+++ b/shim.c
-@@ -99,6 +99,7 @@ UINT8 *vendor_dbx;
+@@ -93,6 +93,7 @@ UINT8 *vendor_dbx;
*/
verification_method_t verification_method;
int loader_is_participating;
@@ -32,16 +32,16 @@
#define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
-@@ -1016,7 +1017,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
- if (status == EFI_SUCCESS)
- return status;
+@@ -1096,7 +1097,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
+ LogError(L"check_whitelist(): %r\n", status);
+ }
- if (cert) {
+ if (cert && use_builtin_cert) {
+ #if defined(ENABLE_SHIM_CERT)
/*
* Check against the shim build key
- */
-@@ -1941,7 +1942,7 @@ EFI_STATUS mirror_mok_list()
+@@ -2080,7 +2081,7 @@ EFI_STATUS mirror_mok_list()
if (efi_status != EFI_SUCCESS)
DataSize = 0;
@@ -50,7 +50,7 @@
FullDataSize = DataSize
+ sizeof (*CertList)
+ sizeof (EFI_GUID)
-@@ -2648,6 +2649,75 @@ shim_fini(void)
+@@ -2829,6 +2830,75 @@ shim_fini(void)
setup_console(0);
}
@@ -126,7 +126,7 @@
extern EFI_STATUS
efi_main(EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab);
-@@ -2750,6 +2820,9 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
+@@ -2933,6 +3003,9 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
*/
check_mok_sb();
@@ -137,13 +137,13 @@
if (EFI_ERROR(efi_status)) {
Print(L"Something has gone seriously wrong: %r\n", efi_status);
--
-2.13.1
+2.15.1
-From 04cef138d17143fb1b5e9e52b593991f783536e8 Mon Sep 17 00:00:00 2001
+From 3e3cf4589edf350c8c33d0f5069c6868c2810b80 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin
Date: Thu, 20 Feb 2014 16:57:08 +0800
-Subject: [PATCH 2/4] Support revoking the openSUSE cert
+Subject: [PATCH 2/3] Support revoking the openSUSE cert
This is an openSUSE-only patch.
@@ -156,11 +156,11 @@
2 files changed, 60 insertions(+), 3 deletions(-)
diff --git a/MokManager.c b/MokManager.c
-index e0ba789..81ae8aa 100644
+index 55af321..678a9d9 100644
--- a/MokManager.c
+++ b/MokManager.c
-@@ -1812,6 +1812,33 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) {
- return -1;
+@@ -1806,6 +1806,33 @@ mokpw_done:
+ return EFI_SUCCESS;
}
+static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) {
@@ -193,7 +193,7 @@
static BOOLEAN verify_certificate(UINT8 *cert, UINTN size)
{
X509 *X509Cert;
-@@ -2164,6 +2191,7 @@ typedef enum {
+@@ -2162,6 +2189,7 @@ typedef enum {
MOK_CHANGE_SB,
MOK_SET_PW,
MOK_CHANGE_DB,
@@ -201,7 +201,7 @@
MOK_KEY_ENROLL,
MOK_HASH_ENROLL
} mok_menu_item;
-@@ -2175,7 +2203,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
+@@ -2182,7 +2210,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
void *MokPW, UINTN MokPWSize,
void *MokDB, UINTN MokDBSize,
void *MokXNew, UINTN MokXNewSize,
@@ -211,40 +211,40 @@
{
CHAR16 **menu_strings;
mok_menu_item *menu_item;
-@@ -2249,6 +2278,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
- if (MokDB)
- menucount++;
-
-+ if (ClearVerify)
-+ menucount++;
+@@ -2262,6 +2291,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
+ if (MokDB)
+ menucount++;
+
++ if (ClearVerify)
++ menucount++;
++
+ menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (menucount + 1));
+
+ if (!menu_strings)
+@@ -2334,6 +2366,12 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
+ i++;
+ }
+
++ if (ClearVerify) {
++ menu_strings[i] = L"Revoke openSUSE certificate";
++ menu_item[i] = MOK_CLEAR_VERIFY;
++ i++;
++ }
+
- menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (menucount + 1));
-
- if (!menu_strings)
-@@ -2318,6 +2350,12 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
+ menu_strings[i] = L"Enroll key from disk";
+ menu_item[i] = MOK_KEY_ENROLL;
i++;
- }
-
-+ if (ClearVerify) {
-+ menu_strings[i] = L"Revoke openSUSE certificate";
-+ menu_item[i] = MOK_CLEAR_VERIFY;
-+ i++;
-+ }
-+
- menu_strings[i] = L"Enroll key from disk";
- menu_item[i] = MOK_KEY_ENROLL;
- i++;
-@@ -2368,6 +2406,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
- case MOK_CHANGE_DB:
- mok_db_prompt(MokDB, MokDBSize);
+@@ -2394,6 +2432,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
+ if (efi_status == EFI_SUCCESS)
+ MokDB = NULL;
break;
+ case MOK_CLEAR_VERIFY:
+ mok_clear_verify_prompt(ClearVerify, ClearVerifySize);
+ break;
case MOK_KEY_ENROLL:
- mok_key_enroll();
+ efi_status = mok_key_enroll();
break;
-@@ -2393,6 +2434,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
+@@ -2424,6 +2465,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
UINTN MokNewSize = 0, MokDelSize = 0, MokSBSize = 0, MokPWSize = 0;
UINTN MokDBSize = 0, MokXNewSize = 0, MokXDelSize = 0;
@@ -252,7 +252,7 @@
void *MokNew = NULL;
void *MokDel = NULL;
void *MokSB = NULL;
-@@ -2400,6 +2442,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
+@@ -2431,6 +2473,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
void *MokDB = NULL;
void *MokXNew = NULL;
void *MokXDel = NULL;
@@ -260,7 +260,7 @@
EFI_STATUS status;
status = get_variable(L"MokNew", (UINT8 **)&MokNew, &MokNewSize,
-@@ -2472,9 +2515,20 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
+@@ -2503,9 +2546,20 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
console_error(L"Could not retrieve MokXDel", status);
}
@@ -282,7 +282,7 @@
if (MokNew)
FreePool (MokNew);
-@@ -2497,6 +2551,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
+@@ -2528,6 +2582,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
if (MokXDel)
FreePool (MokXDel);
@@ -293,10 +293,10 @@
LibDeleteVariable(L"MokDelAuth", &shim_lock_guid);
LibDeleteVariable(L"MokXAuth", &shim_lock_guid);
diff --git a/shim.c b/shim.c
-index b1fe60f..909c4b7 100644
+index be250b6..d461edd 100644
--- a/shim.c
+++ b/shim.c
-@@ -2092,7 +2092,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
+@@ -2233,7 +2233,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
check_var(L"MokPW") || check_var(L"MokAuth") ||
check_var(L"MokDel") || check_var(L"MokDB") ||
check_var(L"MokXNew") || check_var(L"MokXDel") ||
@@ -306,13 +306,13 @@
if (efi_status != EFI_SUCCESS) {
--
-2.13.1
+2.15.1
-From c7d47d6050bac84d99651278a7e1a3defddaed86 Mon Sep 17 00:00:00 2001
+From b5348293dd95c6627f8fde0344650e006acc181b Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin
Date: Fri, 7 Mar 2014 16:17:20 +0800
-Subject: [PATCH 3/4] Delete openSUSE_Verify the right way
+Subject: [PATCH 3/3] Delete openSUSE_Verify the right way
This is an openSUSE-only patch.
@@ -322,10 +322,10 @@
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/MokManager.c b/MokManager.c
-index 81ae8aa..d839355 100644
+index 678a9d9..c3f8f45 100644
--- a/MokManager.c
+++ b/MokManager.c
-@@ -1826,7 +1826,10 @@ static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) {
+@@ -1820,7 +1820,10 @@ static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) {
if (status != EFI_SUCCESS)
return -1;
@@ -338,37 +338,5 @@
console_error(L"Failed to delete openSUSE_Verify", status);
return -1;
--
-2.13.1
-
-
-From 29a7dd0330a75dce47131c4165c06d0b425e2159 Mon Sep 17 00:00:00 2001
-From: Gary Ching-Pang Lin
-Date: Mon, 19 Oct 2015 16:36:14 +0800
-Subject: [PATCH 4/4] Don't pass NULL to set MokListRT
-
-This is an openSUSE-only patch.
-
-Signed-off-by: Gary Ching-Pang Lin
----
- shim.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/shim.c b/shim.c
-index 909c4b7..1804f1c 100644
---- a/shim.c
-+++ b/shim.c
-@@ -1979,6 +1979,11 @@ EFI_STATUS mirror_mok_list()
- FullData = Data;
- }
-
-+ if (FullDataSize == 0) {
-+ /* openSUSE_Verify isn't set and no other MOK exists. */
-+ return EFI_SUCCESS;
-+ }
-+
- efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokListRT",
- &shim_lock_guid,
- EFI_VARIABLE_BOOTSERVICE_ACCESS
---
-2.13.1
+2.15.1
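Review bot: The fourth patch of this series, `Don't pass NULL to set MokListRT` (the `FullDataSize == 0` early return in mirror_mok_list), is dropped by this refresh, but neither the patch file nor the shim.changes entry says why, while the other removed patches are explicitly listed under "Drop upstreamed fixes". If shim 14's mirror_mok_list already handles an empty list, a one-line note such as `shim-opensuse-cert-prompt.patch: drop the MokListRT empty-list guard (fixed upstream)` in shim.changes would keep the history traceable; if it does not, the guard is lost silently and the series title renumbering to `[PATCH x/3]` hides that.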
++++++ shim-remove-cryptpem.patch ++++++
From 063d4aa37d271ce5c30a9c7a1746af421d40ca17 Mon Sep 17 00:00:00 2001
From: Gary Lin
Date: Thu, 4 Jan 2018 14:54:34 +0800
Subject: [PATCH] Cryptlib: replace CryptPem with CryptPemNull
We don't need the functions in CryptPem.c.
Signed-off-by: Gary Lin
---
Cryptlib/Makefile | 2 +-
Cryptlib/Pem/CryptPem.c | 135 --------------------------------------------
Cryptlib/Pem/CryptPemNull.c | 44 +++++++++++++++
3 files changed, 45 insertions(+), 136 deletions(-)
delete mode 100644 Cryptlib/Pem/CryptPem.c
create mode 100644 Cryptlib/Pem/CryptPemNull.c
diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile
index bf9d0dc..a025ac5 100644
--- a/Cryptlib/Makefile
+++ b/Cryptlib/Makefile
@@ -40,7 +40,7 @@ OBJS = Hash/CryptMd4Null.o \
Pk/CryptTs.o \
Pk/CryptX509.o \
Pk/CryptAuthenticode.o \
- Pem/CryptPem.o \
+ Pem/CryptPemNull.o \
SysCall/CrtWrapper.o \
SysCall/TimerWrapper.o \
SysCall/BaseMemAllocation.o \
diff --git a/Cryptlib/Pem/CryptPem.c b/Cryptlib/Pem/CryptPem.c
deleted file mode 100644
index 51e648b..0000000
--- a/Cryptlib/Pem/CryptPem.c
+++ /dev/null
@@ -1,135 +0,0 @@
-/** @file
- PEM (Privacy Enhanced Mail) Format Handler Wrapper Implementation over OpenSSL.
-
-Copyright (c) 2010 - 2013, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials
-are licensed and made available under the terms and conditions of the BSD License
-which accompanies this distribution. The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php
-
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
-
-**/
-
-#include "InternalCryptLib.h"
-#include
-
-/**
- Callback function for password phrase conversion used for retrieving the encrypted PEM.
-
- @param[out] Buf Pointer to the buffer to write the passphrase to.
- @param[in] Size Maximum length of the passphrase (i.e. the size of Buf).
- @param[in] Flag A flag which is set to 0 when reading and 1 when writing.
- @param[in] Key Key data to be passed to the callback routine.
-
- @retval The number of characters in the passphrase or 0 if an error occurred.
-
-**/
-INTN
-PasswordCallback (
- OUT CHAR8 *Buf,
- IN INTN Size,
- IN INTN Flag,
- IN VOID *Key
- )
-{
- INTN KeyLength;
-
- ZeroMem ((VOID *) Buf, (UINTN) Size);
- if (Key != NULL) {
- //
- // Duplicate key phrase directly.
- //
- KeyLength = (INTN) AsciiStrLen ((CHAR8 *)Key);
- KeyLength = (KeyLength > Size ) ? Size : KeyLength;
- CopyMem (Buf, Key, (UINTN) KeyLength);
- return KeyLength;
- } else {
- return 0;
- }
-}
-
-/**
- Retrieve the RSA Private Key from the password-protected PEM key data.
-
- @param[in] PemData Pointer to the PEM-encoded key data to be retrieved.
- @param[in] PemSize Size of the PEM key data in bytes.
- @param[in] Password NULL-terminated passphrase used for encrypted PEM key data.
- @param[out] RsaContext Pointer to new-generated RSA context which contain the retrieved
- RSA private key component. Use RsaFree() function to free the
- resource.
-
- If PemData is NULL, then return FALSE.
- If RsaContext is NULL, then return FALSE.
-
- @retval TRUE RSA Private Key was retrieved successfully.
- @retval FALSE Invalid PEM key data or incorrect password.
-
-**/
-BOOLEAN
-EFIAPI
-RsaGetPrivateKeyFromPem (
- IN CONST UINT8 *PemData,
- IN UINTN PemSize,
- IN CONST CHAR8 *Password,
- OUT VOID **RsaContext
- )
-{
- BOOLEAN Status;
- BIO *PemBio;
-
- //
- // Check input parameters.
- //
- if (PemData == NULL || RsaContext == NULL || PemSize > INT_MAX) {
- return FALSE;
- }
-
- //
- // Add possible block-cipher descriptor for PEM data decryption.
- // NOTE: Only support most popular ciphers (3DES, AES) for the encrypted PEM.
- //
- if (EVP_add_cipher (EVP_des_ede3_cbc ()) == 0) {
- return FALSE;
- }
- if (EVP_add_cipher (EVP_aes_128_cbc ()) == 0) {
- return FALSE;
- }
- if (EVP_add_cipher (EVP_aes_192_cbc ()) == 0) {
- return FALSE;
- }
- if (EVP_add_cipher (EVP_aes_256_cbc ()) == 0) {
- return FALSE;
- }
-
- Status = FALSE;
-
- //
- // Read encrypted PEM Data.
- //
- PemBio = BIO_new (BIO_s_mem ());
- if (PemBio == NULL) {
- goto _Exit;
- }
-
- if (BIO_write (PemBio, PemData, (int) PemSize) <= 0) {
- goto _Exit;
- }
-
- //
- // Retrieve RSA Private Key from encrypted PEM data.
- //
- *RsaContext = PEM_read_bio_RSAPrivateKey (PemBio, NULL, (pem_password_cb *) &PasswordCallback, (void *) Password);
- if (*RsaContext != NULL) {
- Status = TRUE;
- }
-
-_Exit:
- //
- // Release Resources.
- //
- BIO_free (PemBio);
-
- return Status;
-}
diff --git a/Cryptlib/Pem/CryptPemNull.c b/Cryptlib/Pem/CryptPemNull.c
new file mode 100644
index 0000000..8c9e4f0
--- /dev/null
+++ b/Cryptlib/Pem/CryptPemNull.c
@@ -0,0 +1,44 @@
+/** @file
+ PEM (Privacy Enhanced Mail) Format Handler Wrapper Implementation which does
+ not provide real capabilities.
+
+Copyright (c) 2012, Intel Corporation. All rights reserved.<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include "InternalCryptLib.h"
+
+/**
+ Retrieve the RSA Private Key from the password-protected PEM key data.
+
+ Return FALSE to indicate this interface is not supported.
+
+ @param[in] PemData Pointer to the PEM-encoded key data to be retrieved.
+ @param[in] PemSize Size of the PEM key data in bytes.
+ @param[in] Password NULL-terminated passphrase used for encrypted PEM key data.
+ @param[out] RsaContext Pointer to new-generated RSA context which contain the retrieved
+ RSA private key component. Use RsaFree() function to free the
+ resource.
+
+ @retval FALSE This interface is not supported.
+
+**/
+BOOLEAN
+EFIAPI
+RsaGetPrivateKeyFromPem (
+ IN CONST UINT8 *PemData,
+ IN UINTN PemSize,
+ IN CONST CHAR8 *Password,
+ OUT VOID **RsaContext
+ )
+{
+ ASSERT (FALSE);
+ return FALSE;
+}
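Review bot: The stub keeps the `RsaGetPrivateKeyFromPem` symbol so the Cryptlib link list change is sufficient, but the non-static `PasswordCallback` from the deleted CryptPem.c has no counterpart, so any other object still referencing it would fail at link time; presumably nothing does, but a build of all shim variants should confirm it. The commit message's `We don't need the functions in CryptPem.c.` would be more useful if it named what is being removed: the deleted file registers ciphers via `EVP_add_cipher` and parses private keys with `PEM_read_bio_RSAPrivateKey`, and neither path is reachable from the boot-time binary after this change, which is a reduction in linked OpenSSL surface worth recording. A short comment above the stub stating that shim never loads a PEM private key (if that is the case) would also spare the next reader from wondering whether the `ASSERT (FALSE)` can fire at boot.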
--
2.15.1