Hello community,
here is the log from the commit of package ovmf for openSUSE:Factory checked in at 2018-12-11 15:41:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ovmf (Old)
and /work/SRC/openSUSE:Factory/.ovmf.new.19453 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ovmf"
Tue Dec 11 15:41:53 2018 rev:29 rq:655463 version:2018+git1542164568.85588389222a
Changes:
--------
--- /work/SRC/openSUSE:Factory/ovmf/ovmf.changes 2018-11-18 23:24:34.958033759 +0100
+++ /work/SRC/openSUSE:Factory/.ovmf.new.19453/ovmf.changes 2018-12-11 15:41:58.966591929 +0100
@@ -1,0 +2,9 @@
+Mon Dec 3 08:05:38 UTC 2018 - Gary Ching-Pang Lin
+
+- Update ovmf-embed-default-keys.patch and add owner-guid-zero.h to
+ set the default owner of PK/KEK/db/dbx and make the
+ auto-enrollment only happen at the very first boot. (bsc#1117998)
+- Change the group of qemu-ovmf-x86_64-debug to Development/Sources
+ since there is no Development/Debug anymore
+
+-------------------------------------------------------------------
New:
----
owner-guid-zero.h
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ ovmf.spec ++++++
--- /var/tmp/diff_new_pack.M6iKkb/_old 2018-12-11 15:42:01.258589420 +0100
+++ /var/tmp/diff_new_pack.M6iKkb/_new 2018-12-11 15:42:01.258589420 +0100
@@ -42,6 +42,7 @@
Source11: http://www.uefi.org/sites/default/files/resources/dbxupdate.zip
Source12: strip_authinfo.pl
Source13: MicWinProPCA2011_2011-10-19.crt
+Source14: owner-guid-zero.h
Source100: %{name}-rpmlintrc
Source101: gdb_uefi.py.in
Patch2: %{name}-embed-default-keys.patch
@@ -114,7 +115,7 @@
%package -n qemu-ovmf-x86_64-debug
Summary: Open Virtual Machine Firmware - debug symbols (x86_64)
-Group: Development/Debug
+Group: Development/Sources
Requires: qemu
%description -n qemu-ovmf-x86_64-debug
@@ -270,6 +271,7 @@
xxd -i Default_DB > SecurityPkg/Library/AuthVariableLib/Default_DB.h
xxd -i Default_DB_EX > SecurityPkg/Library/AuthVariableLib/Default_DB_EX.h
xxd -i Default_DBX > SecurityPkg/Library/AuthVariableLib/Default_DBX.h
+ cat Default_Owner > SecurityPkg/Library/AuthVariableLib/Default_Owner.h
for suffix in $suffix_base $suffix_base-4m; do
if [ "$suffix" = "$suffix_base-4m" ]; then
@@ -290,6 +292,7 @@
openssl x509 -in %{SOURCE3} -outform DER > Default_DB
truncate -s 0 Default_DB_EX
truncate -s 0 Default_DBX
+cat %{SOURCE14} > Default_Owner
build_with_keys suse
#unpack the UEFI revocation list
@@ -302,6 +305,8 @@
cat %{SOURCE13} > Default_DB_EX
chmod 755 %{SOURCE12}
%{SOURCE12} dbxupdate.bin Default_DBX
+echo "EFI_GUID DefaultOwnerGUID = {0x77fa9abd, 0x0359, 0x4d32, {0xbd, 0x60, 0x28, 0xf4, 0xe7, 0x8f, 0x78, 0x4b}};" > \
+Default_Owner
build_with_keys ms
# OVMF with openSUSE keys
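Review bot: The Microsoft-keys build writes the owner GUID with an inline `echo … > \` continuation, while the suse, opensuse, opensuse-4096 and devel branches in the neighbouring hunks take it from `%{SOURCE14}`; shipping the second GUID as its own Source header (say an `owner-guid-ms.h` next to `owner-guid-zero.h`) and using `cat` here as well would keep the five branches uniform and the literal out of the spec. The value 77fa9abd-0359-4d32-bd60-28f4e78f784b appears to be the Microsoft signature-owner GUID; a one-line comment such as `# SignatureOwner GUID for the Microsoft certificates` would say so for the next maintainer. Note that `build_with_keys` copies `Default_Owner` verbatim into `Default_Owner.h` (hunk at @@ -270), so unlike the xxd-generated headers a malformed or empty `Default_Owner` only surfaces later as a compile error in AuthVariableLib.c.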
@@ -310,6 +315,7 @@
openssl x509 -in %{SOURCE8} -outform DER > Default_DB
truncate -s 0 Default_DB_EX
truncate -s 0 Default_DBX
+cat %{SOURCE14} > Default_Owner
build_with_keys opensuse
# OVMF with openSUSE keys (4096 bit CA)
@@ -318,6 +324,7 @@
openssl x509 -in %{SOURCE10} -outform DER > Default_DB
truncate -s 0 Default_DB_EX
truncate -s 0 Default_DBX
+cat %{SOURCE14} > Default_Owner
build_with_keys opensuse-4096
if [ -e %{_sourcedir}/_projectcert.crt ]; then
@@ -330,6 +337,7 @@
openssl x509 -in %{_sourcedir}/_projectcert.crt -outform DER > Default_DB
truncate -s 0 Default_DB_EX
truncate -s 0 Default_DBX
+ cat %{SOURCE14} > Default_Owner
build_with_keys devel
fi
fi
++++++ ovmf-embed-default-keys.patch ++++++
--- /var/tmp/diff_new_pack.M6iKkb/_old 2018-12-11 15:42:01.354589316 +0100
+++ /var/tmp/diff_new_pack.M6iKkb/_new 2018-12-11 15:42:01.358589310 +0100
@@ -1,16 +1,16 @@
-From 933284f94b8bffb7d3d81152e0b5f49c46a9f787 Mon Sep 17 00:00:00 2001
+From 9263239b037b71f81b14ac86746dafd582527b98 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin
Date: Fri, 10 May 2013 10:27:51 +0800
-Subject: [PATCH 1/3] Add a stub to allow keys to be embedded at build time
+Subject: [PATCH 1/5] Add a stub to allow keys to be embedded at build time
Signed-off-by: Gary Ching-Pang Lin
---
- .../Library/AuthVariableLib/AuthVariableLib.c | 180 +++++++++++++++++++++
- .../Library/AuthVariableLib/AuthVariableLib.inf | 4 +
- SecurityPkg/Library/AuthVariableLib/Default_DB.h | 2 +
- SecurityPkg/Library/AuthVariableLib/Default_DBX.h | 2 +
- SecurityPkg/Library/AuthVariableLib/Default_KEK.h | 2 +
- SecurityPkg/Library/AuthVariableLib/Default_PK.h | 2 +
+ .../Library/AuthVariableLib/AuthVariableLib.c | 180 ++++++++++++++++++
+ .../AuthVariableLib/AuthVariableLib.inf | 4 +
+ .../Library/AuthVariableLib/Default_DB.h | 2 +
+ .../Library/AuthVariableLib/Default_DBX.h | 2 +
+ .../Library/AuthVariableLib/Default_KEK.h | 2 +
+ .../Library/AuthVariableLib/Default_PK.h | 2 +
6 files changed, 192 insertions(+)
create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_DB.h
create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_DBX.h
@@ -18,7 +18,7 @@
create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_PK.h
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
-index 00917eb374..a7a46fc648 100644
+index 00917eb37436..a7a46fc648ea 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
@@ -23,6 +23,10 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
@@ -223,7 +223,7 @@
// Reserve runtime buffer for certificate database. The size excludes variable header and name size.
// Use EFI_CERT_DB_VOLATILE_NAME size since it is longer.
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
-index 572ba4e120..1a46019a5f 100644
+index 572ba4e120d2..1a46019a5f42 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
@@ -33,6 +33,10 @@ [Sources]
@@ -239,7 +239,7 @@
MdePkg/MdePkg.dec
diff --git a/SecurityPkg/Library/AuthVariableLib/Default_DB.h b/SecurityPkg/Library/AuthVariableLib/Default_DB.h
new file mode 100644
-index 0000000000..4d13894216
+index 000000000000..4d138942164e
--- /dev/null
+++ b/SecurityPkg/Library/AuthVariableLib/Default_DB.h
@@ -0,0 +1,2 @@
@@ -247,7 +247,7 @@
+unsigned int Default_DB_len = 0;
diff --git a/SecurityPkg/Library/AuthVariableLib/Default_DBX.h b/SecurityPkg/Library/AuthVariableLib/Default_DBX.h
new file mode 100644
-index 0000000000..5fd3cdc0f4
+index 000000000000..5fd3cdc0f43d
--- /dev/null
+++ b/SecurityPkg/Library/AuthVariableLib/Default_DBX.h
@@ -0,0 +1,2 @@
@@ -255,7 +255,7 @@
+unsigned int Default_DBX_len = 0;
diff --git a/SecurityPkg/Library/AuthVariableLib/Default_KEK.h b/SecurityPkg/Library/AuthVariableLib/Default_KEK.h
new file mode 100644
-index 0000000000..80883de1ae
+index 000000000000..80883de1aeeb
--- /dev/null
+++ b/SecurityPkg/Library/AuthVariableLib/Default_KEK.h
@@ -0,0 +1,2 @@
@@ -263,30 +263,30 @@
+unsigned int Default_KEK_len = 0;
diff --git a/SecurityPkg/Library/AuthVariableLib/Default_PK.h b/SecurityPkg/Library/AuthVariableLib/Default_PK.h
new file mode 100644
-index 0000000000..23b90e45f0
+index 000000000000..23b90e45f07d
--- /dev/null
+++ b/SecurityPkg/Library/AuthVariableLib/Default_PK.h
@@ -0,0 +1,2 @@
+unsigned char *Default_PK = NULL;
+unsigned int Default_PK_len = 0;
--
-2.15.0
+2.19.1
-From 72d09098734d00696e0db13d9b84bb01a0c89c76 Mon Sep 17 00:00:00 2001
+From a76f3966a97f51acfb83839aa3349f7af9966466 Mon Sep 17 00:00:00 2001
From: Gary Lin
Date: Tue, 15 Dec 2015 16:54:54 +0800
-Subject: [PATCH 2/3] Add DB_EX to include one more DB cert
+Subject: [PATCH 2/5] Add DB_EX to include one more DB cert
Signed-off-by: Gary Lin
---
- .../Library/AuthVariableLib/AuthVariableLib.c | 27 ++++++++++++++++++----
- .../Library/AuthVariableLib/Default_DB_EX.h | 2 ++
+ .../Library/AuthVariableLib/AuthVariableLib.c | 27 ++++++++++++++++---
+ .../Library/AuthVariableLib/Default_DB_EX.h | 2 ++
2 files changed, 25 insertions(+), 4 deletions(-)
create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_DB_EX.h
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
-index a7a46fc648..114f3d84c6 100644
+index a7a46fc648ea..114f3d84c68f 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
@@ -26,6 +26,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
@@ -353,20 +353,20 @@
FreePool(SignatureGUID);
diff --git a/SecurityPkg/Library/AuthVariableLib/Default_DB_EX.h b/SecurityPkg/Library/AuthVariableLib/Default_DB_EX.h
new file mode 100644
-index 0000000000..001f125065
+index 000000000000..001f12506530
--- /dev/null
+++ b/SecurityPkg/Library/AuthVariableLib/Default_DB_EX.h
@@ -0,0 +1,2 @@
+unsigned char *Default_DB_EX = NULL;
+unsigned int Default_DB_EX_len = 0;
--
-2.15.0
+2.19.1
-From 5db901016015df0955085003387f52655ed9b964 Mon Sep 17 00:00:00 2001
+From ce3429b55bc96e80e194075f0fafc5163382e422 Mon Sep 17 00:00:00 2001
From: Gary Lin
Date: Mon, 28 Aug 2017 16:18:00 +0800
-Subject: [PATCH 3/3] Check the length of the certificate instead of the
+Subject: [PATCH 3/5] Check the length of the certificate instead of the
pointer
Since "xxd -i" may produce a valid pointer for an empty file, it's safer
@@ -374,11 +374,11 @@
Signed-off-by: Gary Lin
---
- SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c | 12 ++++++------
+ .../Library/AuthVariableLib/AuthVariableLib.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
-index 114f3d84c6..641823216a 100644
+index 114f3d84c68f..641823216a39 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
@@ -164,7 +164,7 @@ AuthVariableLibInitialize (
@@ -436,5 +436,188 @@
Status = AuthServiceInternalFindVariable (
--
-2.15.0
+2.19.1
+
+
+From b64d3f5128cfbee3648d04a39820584d5798700b Mon Sep 17 00:00:00 2001
+From: Gary Lin
+Date: Fri, 30 Nov 2018 15:31:51 +0800
+Subject: [PATCH 4/5] Add the DefaultOwnerGUID
+
+Ref: https://bugzilla.suse.com/show_bug.cgi?id=1117998
+
+A new header file is added to set the default GUID for the signature
+owner.
+
+Signed-off-by: Gary Lin
+---
+ .../Library/AuthVariableLib/AuthVariableLib.c | 28 ++++---------------
+ .../Library/AuthVariableLib/Default_Owner.h | 1 +
+ 2 files changed, 6 insertions(+), 23 deletions(-)
+ create mode 100644 SecurityPkg/Library/AuthVariableLib/Default_Owner.h
+
+diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
+index 641823216a39..fc9bbd2ad392 100644
+--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
++++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
+@@ -28,6 +28,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+ #include "Default_DB.h"
+ #include "Default_DB_EX.h"
+ #include "Default_DBX.h"
++#include "Default_Owner.h"
+
+ ///
+ /// Global database array for scratch
+@@ -139,7 +140,6 @@ AuthVariableLibInitialize (
+ EFI_SIGNATURE_LIST *SigCert;
+ EFI_SIGNATURE_DATA *SigCertData;
+ UINTN SigSize;
+- EFI_GUID *SignatureGUID;
+ UINT32 Attr;
+
+ if ((AuthVarLibContextIn == NULL) || (AuthVarLibContextOut == NULL)) {
+@@ -174,11 +174,6 @@ AuthVariableLibInitialize (
+ &DataSize
+ );
+ if (Status == EFI_NOT_FOUND) {
+- SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID));
+- if (SignatureGUID == NULL) {
+- return EFI_OUT_OF_RESOURCES;
+- }
+-
+ SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_PK_len;
+ Data = AllocateZeroPool (SigSize);
+ if (Data == NULL) {
+@@ -192,7 +187,7 @@ AuthVariableLibInitialize (
+ CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);
+
+ SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST));
+- CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
++ CopyGuid (&SigCertData->SignatureOwner, &DefaultOwnerGUID);
+ CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_PK, Default_PK_len);
+
+ Status = AuthServiceInternalUpdateVariable (
+@@ -202,7 +197,6 @@ AuthVariableLibInitialize (
+ SigSize,
+ Attr
+ );
+- FreePool(SignatureGUID);
+ FreePool(Data);
+
+ if (EFI_ERROR (Status)) {
+@@ -221,11 +215,6 @@ AuthVariableLibInitialize (
+ &DataSize
+ );
+ if (Status == EFI_NOT_FOUND) {
+- SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID));
+- if (SignatureGUID == NULL) {
+- return EFI_OUT_OF_RESOURCES;
+- }
+-
+ SigSize = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_KEK_len;
+ Data = AllocateZeroPool (SigSize);
+ if (Data == NULL) {
+@@ -239,7 +228,7 @@ AuthVariableLibInitialize (
+ CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);
+
+ SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST));
+- CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
++ CopyGuid (&SigCertData->SignatureOwner, &DefaultOwnerGUID);
+ CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_KEK, Default_KEK_len);
+
+ Status = AuthServiceInternalUpdateVariable (
+@@ -249,7 +238,6 @@ AuthVariableLibInitialize (
+ SigSize,
+ Attr
+ );
+- FreePool(SignatureGUID);
+ FreePool(Data);
+
+ if (EFI_ERROR (Status)) {
+@@ -271,11 +259,6 @@ AuthVariableLibInitialize (
+ UINTN SigSize_1 = 0;
+ UINTN SigSize_2 = 0;
+
+- SignatureGUID = (EFI_GUID *) AllocateZeroPool (sizeof (EFI_GUID));
+- if (SignatureGUID == NULL) {
+- return EFI_OUT_OF_RESOURCES;
+- }
+-
+ SigSize_1 = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_len;
+ if (Default_DB_EX_len != 0) {
+ SigSize_2 = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1 + Default_DB_EX_len;
+@@ -292,7 +275,7 @@ AuthVariableLibInitialize (
+ CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);
+
+ SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST));
+- CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
++ CopyGuid (&SigCertData->SignatureOwner, &DefaultOwnerGUID);
+ CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_DB, Default_DB_len);
+
+ if (Default_DB_EX_len != 0) {
+@@ -303,7 +286,7 @@ AuthVariableLibInitialize (
+ CopyGuid (&SigCert->SignatureType, &gEfiCertX509Guid);
+
+ SigCertData = (EFI_SIGNATURE_DATA*) ((UINT8* ) SigCert + sizeof (EFI_SIGNATURE_LIST));
+- CopyGuid (&SigCertData->SignatureOwner, SignatureGUID);
++ CopyGuid (&SigCertData->SignatureOwner, &DefaultOwnerGUID);
+ CopyMem ((UINT8* ) (SigCertData->SignatureData), Default_DB_EX, Default_DB_EX_len);
+ }
+
+@@ -314,7 +297,6 @@ AuthVariableLibInitialize (
+ SigSize_1 + SigSize_2,
+ Attr
+ );
+- FreePool(SignatureGUID);
+ FreePool(Data);
+
+ if (EFI_ERROR (Status)) {
+diff --git a/SecurityPkg/Library/AuthVariableLib/Default_Owner.h b/SecurityPkg/Library/AuthVariableLib/Default_Owner.h
+new file mode 100644
+index 000000000000..6230ed7d9605
+--- /dev/null
++++ b/SecurityPkg/Library/AuthVariableLib/Default_Owner.h
+@@ -0,0 +1 @@
++EFI_GUID DefaultOwnerGUID = {0x00000000, 0x0000, 0x0000, {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}};
+--
+2.19.1
+
+
+From 47d96fd043c2c4b2fc21864ec669f4542a4cfc30 Mon Sep 17 00:00:00 2001
+From: Gary Lin
+Date: Mon, 3 Dec 2018 16:02:27 +0800
+Subject: [PATCH 5/5] Check VendorKeysNv before creating PK/KEK/db
+
+Ref: https://bugzilla.suse.com/show_bug.cgi?id=1117998
+
+We only need to create PK/KEK/db for the very first time.
+
+Signed-off-by: Gary Lin
+---
+ SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
+index fc9bbd2ad392..cea1dc7bfba5 100644
+--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
++++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
+@@ -158,6 +158,16 @@ AuthVariableLibInitialize (
+ }
+
+ //****
++ // Check VendorKeysNv and create PK/KEK/DB only for the "first boot"
++ Status = AuthServiceInternalFindVariable (
++ EFI_VENDOR_KEYS_NV_VARIABLE_NAME,
++ &gEfiVendorKeysNvGuid,
++ (VOID **) &Data,
++ &DataSize
++ );
++ if (Status != EFI_NOT_FOUND)
++ goto SKIP_KEYS;
++
+ // Create signature list for PK KEK DB
+ Attr = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS |
+ EFI_VARIABLE_BOOTSERVICE_ACCESS |
+--
+2.19.1
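Review bot: In PATCH 5/5 the guard `if (Status != EFI_NOT_FOUND) goto SKIP_KEYS;` treats every status other than EFI_NOT_FOUND — including a failed lookup such as EFI_DEVICE_ERROR — as "keys already enrolled", so a variable-store error on the very first boot would leave the firmware without PK/KEK/db and therefore out of Secure Boot user mode. If the intent is "skip only when VendorKeysNv exists", `if (!EFI_ERROR (Status)) goto SKIP_KEYS;` states that, with other errors either returned explicitly or left to fall through to the per-variable `Status == EFI_NOT_FOUND` checks that already protect an existing PK/KEK/db. The `SKIP_KEYS` label is not introduced by this hunk and presumably comes from an earlier patch of the series; that it exists and still sits after the db creation should be confirmed. The comment at `// Check VendorKeysNv and create PK/KEK/DB only for the "first boot"` would be more useful if it also gave the reason, e.g. `// Once VendorKeysNv exists the user may have replaced or cleared the keys; re-enrolling the built-in ones would silently undo that`. The enclosing function AuthVariableLibInitialize starts and ends outside the hunk.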
++++++ owner-guid-zero.h ++++++
EFI_GUID DefaultOwnerGUID = {0x00000000, 0x0000, 0x0000, {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}};