Hello community,
here is the log from the commit of package shim for openSUSE:13.1 checked in at 2013-10-25 13:50:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.1/shim (Old)
and /work/SRC/openSUSE:13.1/.shim.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim"
Changes:
--------
--- /work/SRC/openSUSE:13.1/shim/shim.changes 2013-10-02 13:33:59.000000000 +0200
+++ /work/SRC/openSUSE:13.1/.shim.new/shim.changes 2013-10-25 13:50:02.000000000 +0200
@@ -2,132 +1,0 @@
-Tue Oct 1 04:29:29 UTC 2013 - glin@suse.com
-
-- Add shim-netboot-fixes.patch to include upstream netboot fixes
-- Add shim-mokmanager-disable-gfx-console.patch to disable the
- graphics console to avoid system hang on some machines
-- Add shim-bnc841426-silence-shim-protocols.patch to silence the
- shim protocols (bnc#841426)
-
--------------------------------------------------------------------
-Wed Sep 25 07:17:54 UTC 2013 - glin@suse.com
-
-- Create boot.csv in ESP for fallback.efi to restore the boot entry
-
--------------------------------------------------------------------
-Tue Sep 17 10:53:50 CEST 2013 - fcrozat@suse.com
-
-- Update microsoft.asc: shim signed by UEFI signing service, based
- on code from "Fri Sep 6 13:57:36 UTC 2013".
-- Improve extract_signature.sh to work on current path.
-
--------------------------------------------------------------------
-Fri Sep 6 13:57:36 UTC 2013 - lnussel@suse.de
-
-- set timestamp of PE file to time of the binary the signature was
- made for.
-- make sure cert.o get's rebuilt for each target
-
--------------------------------------------------------------------
-Fri Sep 6 11:48:14 CEST 2013 - fcrozat@suse.com
-
-- Update microsoft.asc: shim signed by UEFI signing service, based
- on code from "Wed Aug 28 15:54:38 UTC 2013"
-
--------------------------------------------------------------------
-Wed Aug 28 15:54:38 UTC 2013 - lnussel@suse.de
-
-- always build a shim that embeds the distro's certificate (e.g.
- shim-opensuse.efi). If the package is built in the devel project
- additionally shim-devel.efi is created. That allows us to either
- load grub2/kernel signed by the distro or signed by the devel
- project, depending on use case. Also shim-$distro.efi from the
- devel project can be used to request additional signatures.
-
--------------------------------------------------------------------
-Wed Aug 28 07:16:51 UTC 2013 - lnussel@suse.de
-
-- also include old openSUSE 4096 bit certificate to be able to still
- boot kernels signed with that key.
-- add show_signatures script
-
--------------------------------------------------------------------
-Tue Aug 27 06:41:03 UTC 2013 - lnussel@suse.de
-
-- replace the 4096 bit openSUSE UEFI CA certificate with new a
- standard compliant 2048 bit one.
-
--------------------------------------------------------------------
-Tue Aug 20 11:48:25 UTC 2013 - lnussel@suse.de
-
-- fix shell syntax error
-
--------------------------------------------------------------------
-Wed Aug 7 15:51:36 UTC 2013 - lnussel@suse.de
-
-- don't include binary in the sources. Instead package the raw
- signature and attach it during build (bnc#813448).
-
--------------------------------------------------------------------
-Tue Jul 30 07:36:28 UTC 2013 - glin@suse.com
-
-- Update shim-mokmanager-ui-revamp.patch to include fixes for
- MokManager
- + reboot the system after clearing MOK password
- + fetch more info from X509 name
- + check the suffix of the key file
-
--------------------------------------------------------------------
-Tue Jul 23 03:55:05 UTC 2013 - glin@suse.com
-
-- Update to 0.4
-- Rebase patches
- + shim-suse-build.patch
- + shim-mokmanager-support-crypt-hash-method.patch
- + shim-bnc804631-fix-broken-bootpath.patch
- + shim-bnc798043-no-doulbe-separators.patch
- + shim-bnc807760-change-pxe-2nd-loader-name.patch
- + shim-bnc808106-correct-certcount.patch
- + shim-mokmanager-ui-revamp.patch
-- Add patches
- + shim-merge-lf-loader-code.patch: merge the Linux Foundation
- loader UI code
- + shim-fix-pointer-casting.patch: fix a casting issue and the
- size of an empty vendor cert
- + shim-fix-simple-file-selector.patch: fix the buffer allocation
- in the simple file selector
-- Remove upstreamed patches
- + shim-support-mok-delete.patch
- + shim-reboot-after-changes.patch
- + shim-clear-queued-key.patch
- + shim-local-key-sign-mokmanager.patch
- + shim-get-2nd-stage-loader.patch
- + shim-fix-loadoptions.patch
-- Remove unused patch: shim-mokmanager-new-pw-hash.patch and
- shim-keep-unsigned-mokmanager.patch
-- Install the vendor certificate to /etc/uefi/certs
-
--------------------------------------------------------------------
-Wed May 8 06:40:12 UTC 2013 - glin@suse.com
-
-- Add shim-mokmanager-ui-revamp.patch to update the MokManager UI
-
--------------------------------------------------------------------
-Wed Apr 3 03:54:22 UTC 2013 - glin@suse.com
-
-- Call update-bootloader in %post to update *.efi in \efi\opensuse
- (bnc#813079)
-
--------------------------------------------------------------------
-Fri Mar 8 06:53:47 UTC 2013 - glin@suse.com
-
-- Add shim-bnc807760-change-pxe-2nd-loader-name.patch to change the
- PXE 2nd stage loader name (bnc#807760)
-- Add shim-bnc808106-correct-certcount.patch to correct the
- certificate count of the signature list (bnc#808106)
-
--------------------------------------------------------------------
-Fri Mar 1 10:07:55 UTC 2013 - glin@suse.com
-
-- Add shim-bnc798043-no-doulbe-separators.patch to remove double
- seperators from the bootpath (bnc#798043#c4)
-
--------------------------------------------------------------------
Old:
----
attach_signature.sh
extract_signature.sh
microsoft.asc
openSUSE-UEFI-CA-Certificate-4096.crt
shim-0.4.tar.bz2
shim-bnc798043-no-doulbe-separators.patch
shim-bnc807760-change-pxe-2nd-loader-name.patch
shim-bnc808106-correct-certcount.patch
shim-bnc841426-silence-shim-protocols.patch
shim-fix-pointer-casting.patch
shim-fix-simple-file-selector.patch
shim-merge-lf-loader-code.patch
shim-mokmanager-disable-gfx-console.patch
shim-mokmanager-ui-revamp.patch
shim-netboot-fixes.patch
show_hash.sh
show_signatures.sh
strip_signature.sh
timestamp.pl
New:
----
shim-0.2.tar.bz2
shim-clear-queued-key.patch
shim-fix-loadoptions.patch
shim-get-2nd-stage-loader.patch
shim-keep-unsigned-mokmanager.patch
shim-local-key-sign-mokmanager.patch
shim-mokmanager-new-pw-hash.patch
shim-reboot-after-changes.patch
shim-signed.efi
shim-support-mok-delete.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ shim.spec ++++++
--- /var/tmp/diff_new_pack.yanFTi/_old 2013-10-25 13:50:02.000000000 +0200
+++ /var/tmp/diff_new_pack.yanFTi/_new 2013-10-25 13:50:02.000000000 +0200
@@ -19,57 +19,47 @@
# needssslcertforbuild
Name: shim
-Version: 0.4
+Version: 0.2
Release: 0
Summary: UEFI shim loader
License: BSD-2-Clause
Group: System/Boot
Url: https://github.com/mjg59/shim
Source: %{name}-%{version}.tar.bz2
-# run "extract_signature.sh shim.efi" where shim.efi is the binary
-# with the signature from the UEFI signing service.
-Source1: microsoft.asc
+# this binary has been signed by UEFI signing service
+# FIXME: evaluate whether using signature only and attaching that
+# to the built binary also works
+Source1: shim-signed.efi
Source2: openSUSE-UEFI-CA-Certificate.crt
Source3: shim-install
Source4: SLES-UEFI-CA-Certificate.crt
-Source5: extract_signature.sh
-Source6: attach_signature.sh
-Source7: show_hash.sh
-Source8: show_signatures.sh
-Source9: openSUSE-UEFI-CA-Certificate-4096.crt
-Source10: timestamp.pl
# PATCH-FIX-SUSE shim-suse-build.patch glin@suse.com -- Adjust Makefile for the build service
Patch0: shim-suse-build.patch
-# PATCH-FIX-UPSTREAM shim-fix-pointer-casting.patch glin@suse.com -- Fix a casting issue and the size of an empty vendor_cert or dbx_cert.
-Patch1: shim-fix-pointer-casting.patch
-# PATCH-FIX-UPSTREAM shim-merge-lf-loader-code.patch glin@suse.com -- Merge the Linux Foundation loader UI code
-Patch2: shim-merge-lf-loader-code.patch
-# PATCH-FIX-UPSTREAM shim-fix-simple-file-selector.patch glin@suse.com -- Fix the buffer allocation in the simple file selector
-Patch3: shim-fix-simple-file-selector.patch
+# PATCH-FIX-UPSTREAM shim-local-key-sign-mokmanager.patch glin@suse.com -- Sign MokManager.efi with the local generated certificate
+Patch1: shim-local-key-sign-mokmanager.patch
+# PATCH-FEATURE-UPSTREAM shim-get-2nd-stage-loader.patch glin@suse.com -- Get the second stage loader path from the load options
+Patch2: shim-get-2nd-stage-loader.patch
+# PATCH-FIX-UPSTREAM shim-reboot-after-changes.patch glin@suse.com -- Reboot the system after enrolling or erasing keys
+Patch3: shim-reboot-after-changes.patch
+# PATCH-FIX-UPSTREAM shim-clear-queued-key.patch glin@suse.com -- Clear the queued key to show the menu properly
+Patch5: shim-clear-queued-key.patch
+# PATCH-FIX-UPSTREAM shim-fix-loadoptions.patch bnc#798043 glin@suse.com -- Adopt the UEFI shell style LoadOptions
+Patch6: shim-fix-loadoptions.patch
+# PATCH-FIX-UPSTREAM shim-support-mok-delete.patch glin@suse.com -- Support for deleting specific keys
+Patch7: shim-support-mok-delete.patch
+# PATCH-FIX-UPSTREAM shim-mokmanager-new-pw-hash.patch glin@suse.com -- Support the new password hash
+Patch8: shim-mokmanager-new-pw-hash.patch
# PATCH-FIX-UPSTREAM shim-mokmanager-support-crypt-hash-method.patch glin@suse.com -- Support the password hashes from /etc/shadow
-Patch4: shim-mokmanager-support-crypt-hash-method.patch
+Patch9: shim-mokmanager-support-crypt-hash-method.patch
+# PATCH-FIX-OPENSUSE shim-keep-unsigned-mokmanager.patch glin@suse.com -- Keep MokManager.efi and sign it with the openSUSE key later
+Patch10: shim-keep-unsigned-mokmanager.patch
# PATCH-FIX-UPSTREAM shim-bnc804631-fix-broken-bootpath.patch bnc#804631 glin@suse.com -- Fix the broken bootpath generated in generate_path()
-Patch5: shim-bnc804631-fix-broken-bootpath.patch
-# PATCH-FIX-UPSTREAM shim-bnc798043-no-doulbe-separators.patch bnc#798043 glin@suse.com -- Remove all double-separators from the bootpath
-Patch6: shim-bnc798043-no-doulbe-separators.patch
-# PATCH-FIX-UPSTREAM shim-bnc807760-change-pxe-2nd-loader-name.patch bnc#807760 glin@suse.com -- Change the PXE 2nd stage loader to match the filename we are using
-Patch7: shim-bnc807760-change-pxe-2nd-loader-name.patch
-# PATCH-FIX-UPSTREAM shim-bnc808106-correct-certcount.patch bnc#808106 glin@suse.com -- Correct the certifcate count of the signature list
-Patch8: shim-bnc808106-correct-certcount.patch
-# PATCH-FIX-UPSTREAM shim-mokmanager-ui-revamp.patch glin@suse.com -- Revamp the MokManager UI
-Patch9: shim-mokmanager-ui-revamp.patch
-# PATCH-FIX-UPSTREAM shim-netboot-fixes.patch glin@suse.com -- Upstream netboot fixes
-Patch10: shim-netboot-fixes.patch
-# PATCH-FIX-UPSTREAM shim-mokmanager-disable-gfx-console.patch glin@suse.com -- Disable graphics console to avoid system hang on some machines
-Patch11: shim-mokmanager-disable-gfx-console.patch
-# PATCH-FIX-UPSTREAM shim-bnc841426-silence-shim-protocols.patch bnc#841426 glin@suse.com -- Silence the shim protocols to avoid system hang
-Patch12: shim-bnc841426-silence-shim-protocols.patch
-BuildRequires: gnu-efi >= 3.0t
+Patch11: shim-bnc804631-fix-broken-bootpath.patch
+BuildRequires: gnu-efi >= 3.0q
BuildRequires: mozilla-nss-tools
BuildRequires: openssl >= 0.9.8
BuildRequires: pesign
BuildRequires: pesign-obs-integration
-Requires: perl-Bootloader
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Recommends: grub2-efi
ExclusiveArch: x86_64
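Review bot: Source1 on L201 is a prebuilt binary whose origin the spec does not record; the comment on L198-L200 says only that the UEFI signing service signed it, and the install section later in this diff copies it into the package unchanged. Nothing in the build therefore ties the shipped shim.efi to a known source tree or detects a swapped file. Extend the comment with the provenance and digest, e.g. `# built from upstream commit <COMMIT-PLACEHOLDER>, sha256 <DIGEST-PLACEHOLDER>`, and check it in %prep with `echo "<DIGEST-PLACEHOLDER>  %{SOURCE1}" | sha256sum -c -` so a binary that does not match fails the build. The FIXME on L199-L200 already names the alternative, keeping only the detached signature and attaching it to a reproducible build, which would restore that link.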
@@ -90,7 +80,6 @@
%patch1 -p1
%patch2 -p1
%patch3 -p1
-%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
@@ -98,118 +87,58 @@
%patch9 -p1
%patch10 -p1
%patch11 -p1
-%patch12 -p1
%build
chmod +x "make-certs"
-# first, build MokManager and fallback as they don't depend on a
-# specific certificate
-make MokManager.efi fallback.efi 2>/dev/null
-
-# now build variants of shim that embed different certificates
-default=''
-suffixes=(opensuse sles)
-# check whether the project cert is a known one. If it is we build
-# just one shim that embeds this specific cert. If it's a devel
-# project we build all variants to simplify testing.
if test -e %{_sourcedir}/_projectcert.crt ; then
prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash)
prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash)
opensusesubject=$(openssl x509 -in %{SOURCE2} -noout -subject_hash)
slessubject=$(openssl x509 -in %{SOURCE4} -noout -subject_hash)
if test "$prjissuer" = "$opensusesubject" ; then
- suffixes=(opensuse)
- elif test "$prjissuer" = "$slessubject" ; then
- suffixes=(sles)
- elif test "$prjsubject" = "$prjissuer" ; then
- suffixes=(devel opensuse sles)
- fi
-fi
-
-for suffix in "${suffixes[@]}"; do
- if test "$suffix" = "opensuse"; then
+ suffix=opensuse
cert=%{SOURCE2}
- cert2=%{SOURCE9}
- elif test "$suffix" = "sles"; then
- cert=%{SOURCE4}
- cert2=''
- elif test "$suffix" = "devel"; then
- cert=%{_sourcedir}/_projectcert.crt
- cert2=''
- test -e "$cert" || continue
- else
- echo "invalid suffix"
- false
- fi
-
- openssl x509 -in $cert -outform DER -out shim-$suffix.der
- if [ -z "$cert2" ]; then
- # create empty local cert file, we don't need a local key pair as we
- # sign the mokmanager with our vendor key
- touch shim.crt
- touch shim.cer
- else
- cp $cert2 shim.crt
- rm -f shim.cer
fi
- # make sure cast warnings don't trigger post build check
- make VENDOR_CERT_FILE=shim-$suffix.der shim.efi 2>/dev/null
- # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
- chmod 755 %{SOURCE6} %{SOURCE7} %{SOURCE10}
- # alternative: verify signature
- #sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi
- head -1 %{SOURCE1} > hash1
- cp shim.efi shim.efi.bak
- # pe header contains timestamp and checksum. we need to
- # restore that
- %{SOURCE10} --set-from-file %{SOURCE1} shim.efi
- %{SOURCE7} shim.efi > hash2
- cat hash1 hash2
- if ! cmp -s hash1 hash2; then
- echo "ERROR: binary changed, need to request new signature!"
- # don't fail in devel projects
- prj="%{_project}"
- if [ "${prj%%:*}" = "openSUSE" ]; then
- false
+ if test "$prjissuer" = "$slessubject" ; then
+ suffix=sles
+ cert=%{SOURCE4}
fi
- mv shim.efi.bak shim-$suffix.efi
- rm shim.efi
- else
- # attach signature
- %{SOURCE6} %{SOURCE1} shim.efi
- mv shim-signed.efi shim-$suffix.efi
- rm -f shim.efi
+ if test "$prjsubject" = "$prjissuer" ; then
+ suffix=local
+ cert=%{_sourcedir}/_projectcert.crt
fi
- rm -f shim.cer shim.crt
- # make sure cert.o gets rebuilt
- rm -f cert.o
-done
+fi
+if test -z "$suffix" ; then
+ echo "cannot identify project, assuming openSUSE signing"
+ suffix=opensuse
+ cert=%{SOURCE2}
+fi
-ln -s shim-${suffixes[0]}.efi shim.efi
+openssl x509 -in $cert -outform DER -out shim-$suffix.der
+# create empty local cert file, we don't need a local key pair as we
+# sign the mokmanager with our vendor key
+touch shim.crt
+touch shim.cer
+# make sure cast warnings don't trigger post build check
+make VENDOR_CERT_FILE=shim-$suffix.der shim.efi MokManager.efi 2>/dev/null
+# make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
+mv shim.efi shim-$suffix.efi
%install
-export BRP_PESIGN_FILES='%{_libdir}/efi/shim*.efi %{_libdir}/efi/MokManager.efi %{_libdir}/efi/fallback.efi'
+export BRP_PESIGN_FILES='%{_libdir}/efi/shim*.efi %{_libdir}/efi/MokManager.efi'
install -d %{buildroot}/%{_libdir}/efi
-cp -a shim*.efi %{buildroot}/%{_libdir}/efi
+install -m 444 shim-*.efi %{buildroot}/%{_libdir}/efi
install -m 444 shim-*.der %{buildroot}/%{_libdir}/efi
-install -m 644 MokManager.efi %{buildroot}/%{_libdir}/efi/MokManager.efi
-install -m 644 fallback.efi %{buildroot}/%{_libdir}/efi/fallback.efi
+# FIXME: install signed shim here
+install -m 444 %{SOURCE1} %{buildroot}/%{_libdir}/efi/shim.efi
+install -m 444 MokManager.efi %{buildroot}/%{_libdir}/efi/MokManager.efi
install -d %{buildroot}/%{_sbindir}
install -m 755 %{SOURCE3} %{buildroot}/%{_sbindir}/
-# install SUSE certificate
-install -d %{buildroot}/%{_sysconfdir}/uefi/certs/
-for file in shim-*.der; do
- fpr=$(openssl x509 -sha1 -fingerprint -inform DER -noout -in $file | cut -c 18- | cut -d ":" -f 1,2,3,4 | sed 's/://g')
- install -m 644 $file %{buildroot}/%{_sysconfdir}/uefi/certs/$fpr.crt
-done
%clean
%{?buildroot:%__rm -rf "%{buildroot}"}
-%post
-/sbin/update-bootloader --refresh || true
-
%files
%defattr(-,root,root)
%doc COPYRIGHT
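Review bot: The `BRP_PESIGN_FILES` pattern `%{_libdir}/efi/shim*.efi` on L387 also matches the externally signed binary installed as `shim.efi` on L395, so the post-build signing step presumably runs over the UEFI-CA-signed file as well; whether pesign-obs-integration appends a second signature or rewrites the existing one is not visible here, but either way the shipped bytes no longer equal the file that was submitted for signing. Limit the pattern to the locally built variants: `export BRP_PESIGN_FILES='%{_libdir}/efi/shim-*.efi %{_libdir}/efi/MokManager.efi'`. The `if test -z "$suffix"` fallback on L370 only works if `suffix` is unset when %build starts, so initialise it explicitly (`suffix=''`) before the `if test -e` on L290. The `2>/dev/null` on the make line at L382 discards every compiler diagnostic for a Secure Boot component, not just the cast warnings the comment mentions; `make ... 2>make.err || { cat make.err; exit 1; }` keeps the build log useful when it fails.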
@@ -218,10 +147,6 @@
%{_libdir}/efi/shim-*.efi
%{_libdir}/efi/shim-*.der
%{_libdir}/efi/MokManager.efi
-%{_libdir}/efi/fallback.efi
%{_sbindir}/shim-install
-%dir %{_sysconfdir}/uefi/
-%dir %{_sysconfdir}/uefi/certs/
-%{_sysconfdir}/uefi/certs/*.crt
%changelog
++++++ openSUSE-UEFI-CA-Certificate.crt ++++++
--- /var/tmp/diff_new_pack.yanFTi/_old 2013-10-25 13:50:02.000000000 +0200
+++ /var/tmp/diff_new_pack.yanFTi/_new 2013-10-25 13:50:02.000000000 +0200
@@ -1,26 +1,37 @@
-----BEGIN CERTIFICATE-----
-MIIEdDCCA1ygAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgTEgMB4GA1UEAwwXb3Bl
+MIIGdDCCBFygAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgTEgMB4GA1UEAwwXb3Bl
blNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJl
bWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEW
-EmJ1aWxkQG9wZW5zdXNlLm9yZzAeFw0xMzA4MjYxNjEyMDdaFw0zNTA3MjIxNjEy
-MDdaMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UE
+EmJ1aWxkQG9wZW5zdXNlLm9yZzAeFw0xMzAxMjgxNDUzMzBaFw0zNDEyMjQxNDUz
+MzBaMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UE
BhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJv
-amVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMIIBIjANBgkq
-hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3t9hknqk/oPRfTtoDrGn8E6Sk/xHPnAt
-Tojcmp76M7Sm2w4jwQ2owdVlBIQE/zpIGE85MuTKTvkEnp8PzSBdYaunANil/yt/
-vuhHwy9bAsi73o4a6UbThu//iJmQ6xCJuIs/PqgHxlV6btNf/IM8PRbtJsUTc5Kx
-cB4ilcgAbCV2RvGi2dCwmGgPpy2xDWeJypRK6hLFkVV2f2x6LvkYiZ/49CRD1TVq
-ywAOLu1L4l0J2BuXcJmeWm+mgaidqVh2fWlxgtO6OpZDm/DaFcZO6cgVuenLx+Rx
-zuoQG2vEKnABqVK0F94AUs995P0PTQMYspAo1G/Erla8NmBJRotrCwIDAQABo4H0
-MIHxMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGhCYA3iLExHfpW+I9/qlRPl
-lxdiMIGuBgNVHSMEgaYwgaOAFGhCYA3iLExHfpW+I9/qlRPllxdioYGHpIGEMIGB
-MSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMCREUx
-EjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJvamVjdDEh
-MB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnggEBMA4GA1UdDwEB/wQE
-AwIBhjANBgkqhkiG9w0BAQsFAAOCAQEAiqOJwo7Z+YIL8zPO6RkXF6NlgM0zrgZR
-Vim2OId79J38KI6q4FMSDjpgxwbYOmF2O3cI9JSkjHxHOpnYhJsXzCBiLuJ25MY2
-DSbpLlM1Cvs6NZNFw5OCwQvzCOlXH1k3qdBsafto6n87r9P3WSeO1MeWc/QMCvc+
-5K9sjMd6bwl59EEf428R+z5ssaB75JK3yvky9d7DsHN947OCXc3sYdz+DD7Gteds
-LV2Sc//tqmqpm2aeXjptcLAxwM7fLyEQaAyH83egMzEKDxX27jKIxZpTcc0NGqEo
-idC/9lasSzs2BisBxevl3HKDPZSsKIMT+8FdJ5wT9jJf9h9Ktz5Tig==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-----END CERTIFICATE-----
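Review bot: This hunk replaces the certificate the spec embeds as shim's vendor certificate (Source2, converted to DER and passed as VENDOR_CERT_FILE in %build), yet neither the commit nor shim.changes says which CA is now embedded or why; beyond db and MOK entries, the vendor certificate is what shim trusts for the distribution-signed second stage, so a grub2 or kernel signed only under the certificate being removed will be refused once this package is installed. Please record the subject and fingerprint of the new certificate and the reason for the swap in shim.changes. Part of this hunk is missing from the view, so the complete new certificate could not be checked.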
++++++ shim-0.4.tar.bz2 -> shim-0.2.tar.bz2 ++++++
++++ 2835 lines of diff (skipped)
++++++ shim-bnc804631-fix-broken-bootpath.patch ++++++
--- /var/tmp/diff_new_pack.yanFTi/_old 2013-10-25 13:50:03.000000000 +0200
+++ /var/tmp/diff_new_pack.yanFTi/_new 2013-10-25 13:50:03.000000000 +0200
@@ -1,4 +1,4 @@
-From bfffac234fabdf8110e8e8c53557d57d61320098 Mon Sep 17 00:00:00 2001
+From 6b70850baa958b196ec332cf0224ffa9d5a81f5f Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin
From daa6a7519caa23ef69b9a879bc70789a0669b3e3 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin
Date: Wed, 26 Dec 2012 11:44:46 +0800 Subject: [PATCH] Make sure the menu shows when the callback fails
Since Pause() doesn't clear the key from the input queue, the next
ReadKeyStroke reads the queued key instead of the new one. If the
user presses "Enter", MokManager exits directly without showing
the menu again.
---
MokManager.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/MokManager.c b/MokManager.c
index bfcbfd6..97588cb 100644
--- a/MokManager.c
+++ b/MokManager.c
@@ -1241,6 +1241,9 @@ static void run_menu (CHAR16 *header, UINTN lines, struct menu_item *items,
if (ret < 0) {
Print(L"Press a key to continue\n");
Pause();
+ /* Clear the key in the queue */
+ uefi_call_wrapper(ST->ConIn->ReadKeyStroke, 2,
+ ST->ConIn, &key);
}
draw_menu (header, lines, items, count);
pos = 0;
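Review bot: The return status of the added ReadKeyStroke call on L482-L483 is discarded, which is acceptable for a drain but should be stated, since EFI_NOT_READY is the expected outcome when Pause() has already consumed the key; replace the comment on L481 with `/* Drain the key Pause() left queued; EFI_NOT_READY here is harmless */`. The call also relies on a `key` local that is not declared in the hunk, so it depends on run_menu's existing variable; run_menu starts and ends outside the hunk.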
--
1.7.10.4
++++++ shim-fix-loadoptions.patch ++++++
commit f23f6b726bd12b28befd5a064c47a8a249d80a59
Author: Gary Ching-Pang Lin
From 6e816e3e0f8b2013c1bccd67ec27db10ccaabc67 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin
Date: Tue, 15 Jan 2013 18:01:41 +0800 Subject: [PATCH 1/2] Support new password hash
Old password hash: sha256sum(key_list + password) New password hash: salt + sha256sum(salt + password) --- MokManager.c | 91 ++++++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 67 insertions(+), 24 deletions(-) diff --git a/MokManager.c b/MokManager.c index 97588cb..be2a764 100644 --- a/MokManager.c +++ b/MokManager.c @@ -19,6 +19,9 @@ #define CERT_STRING L"Select an X509 certificate to enroll:\n\n" #define HASH_STRING L"Select a file to trust:\n\n" +#define SALT_LEN 16 +#define AUTH_LEN (SALT_LEN + SHA256_DIGEST_SIZE) + struct menu_item { CHAR16 *text; INTN (* callback)(void *data, void *data2, void *data3); @@ -648,23 +651,30 @@ static EFI_STATUS store_keys (void *MokNew, UINTN MokNewSize, int authenticate) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; - UINT8 auth[SHA256_DIGEST_SIZE]; - UINTN auth_size; + UINT8 data[AUTH_LEN], *auth, *salt; + UINTN auth_size = AUTH_LEN; UINT32 attributes; if (authenticate) { - auth_size = SHA256_DIGEST_SIZE; efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokAuth", &shim_lock_guid, - &attributes, &auth_size, auth); + &attributes, &auth_size, data); - if (efi_status != EFI_SUCCESS || auth_size != SHA256_DIGEST_SIZE) { + if (efi_status != EFI_SUCCESS || + (auth_size != SHA256_DIGEST_SIZE && auth_size != AUTH_LEN)) { Print(L"Failed to get MokAuth %d\n", efi_status); return efi_status; } - efi_status = match_password(MokNew, MokNewSize, auth, NULL); + if (auth_size == AUTH_LEN) { + salt = data; + auth = data + SALT_LEN; + efi_status = match_password(salt, SALT_LEN, auth, NULL); + } else { + auth = data; + efi_status = match_password(MokNew, MokNewSize, auth, NULL); + } if (efi_status != EFI_SUCCESS) return EFI_ACCESS_DENIED; } 
@@ -842,8 +852,8 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; - UINT8 auth[SHA256_DIGEST_SIZE]; - UINTN auth_size = SHA256_DIGEST_SIZE; + UINT8 data[AUTH_LEN], *auth, *salt;; + UINTN auth_size = AUTH_LEN; UINT32 attributes; void *MokListData = NULL; UINTN MokListDataSize = 0; @@ -853,14 +863,22 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize) efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokDelAuth", &shim_lock_guid, - &attributes, &auth_size, auth); + &attributes, &auth_size, data); - if (efi_status != EFI_SUCCESS || auth_size != SHA256_DIGEST_SIZE) { + if (efi_status != EFI_SUCCESS || + (auth_size != SHA256_DIGEST_SIZE && auth_size != AUTH_LEN)) { Print(L"Failed to get MokDelAuth %d\n", efi_status); return efi_status; } - efi_status = match_password(MokDel, MokDelSize, auth, NULL); + if (auth_size == AUTH_LEN) { + salt = data; + auth = data + SALT_LEN; + efi_status = match_password(salt, SALT_LEN, auth, NULL); + } else { + auth = data; + efi_status = match_password(MokDel, MokDelSize, auth, NULL); + } if (efi_status != EFI_SUCCESS) return EFI_ACCESS_DENIED; 
@@ -1052,20 +1070,29 @@ static INTN mok_pw_prompt (void *MokPW, void *data2, void *data3) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; UINTN MokPWSize = (UINTN)data2; - UINT8 hash[SHA256_DIGEST_SIZE]; + UINT8 hash[AUTH_LEN], *auth, *salt; + UINT8 clear = 0; UINT32 length; CHAR16 line[1]; - if (MokPWSize != SHA256_DIGEST_SIZE) { + if (MokPWSize != SHA256_DIGEST_SIZE && MokPWSize != AUTH_LEN) { Print(L"Invalid MokPW variable contents\n"); return -1; } uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut); - SetMem(hash, SHA256_DIGEST_SIZE, 0); + SetMem(hash, AUTH_LEN, 0); + + if (MokPWSize == AUTH_LEN) { + if (CompareMem(MokPW, hash, AUTH_LEN) == 0) + clear = 1; + } else { + if (CompareMem(MokPW, hash, SHA256_DIGEST_SIZE) == 0) + clear = 1; + } - if (CompareMem(MokPW, hash, SHA256_DIGEST_SIZE) == 0) { + if (clear) { Print(L"Clear MOK password? (y/n): "); do { @@ -1080,7 +1107,14 @@ static INTN mok_pw_prompt (void *MokPW, void *data2, void *data3) { return 0; } - efi_status = match_password(NULL, 0, MokPW, L"Confirm MOK passphrase: "); + if (MokPWSize == AUTH_LEN) { + salt = MokPW; + auth = MokPW + SALT_LEN; + efi_status = match_password(salt, SALT_LEN, auth, L"Confirm MOK passphrase: "); + } else { + efi_status = match_password(NULL, 0, MokPW, L"Confirm MOK passphrase: "); + } + if (efi_status != EFI_SUCCESS) { Print(L"Password limit reached\n"); return -1; @@ -1691,8 +1725,8 @@ static BOOLEAN verify_pw(void) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; - UINT8 pwhash[SHA256_DIGEST_SIZE]; - UINTN size = SHA256_DIGEST_SIZE; + UINT8 pwhash[AUTH_LEN], *auth, *salt; + UINTN size = AUTH_LEN; UINT32 attributes; efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokPWStore", 
@@ -1704,7 +1738,8 @@ static BOOLEAN verify_pw(void) * known value, so there's no safety advantage in failing to validate * purely because of a failure to read the variable */ - if (efi_status != EFI_SUCCESS) + if (efi_status != EFI_SUCCESS || + (size != SHA256_DIGEST_SIZE && size != AUTH_LEN)) return TRUE; if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) @@ -1712,7 +1747,13 @@ static BOOLEAN verify_pw(void) uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut); - efi_status = match_password(NULL, 0, pwhash, L"Enter MOK password: "); + if (size == AUTH_LEN) { + salt = pwhash; + auth = pwhash + SALT_LEN; + efi_status = match_password(salt, SALT_LEN, auth, L"Enter MOK password: "); + } else { + efi_status = match_password(NULL, 0, pwhash, L"Enter MOK password: "); + } if (efi_status != EFI_SUCCESS) { Print(L"Password limit reached\n"); return FALSE; @@ -1733,8 +1774,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, UINTN menucount = 3, i = 0; EFI_STATUS efi_status; EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; - UINT8 auth[SHA256_DIGEST_SIZE]; - UINTN auth_size = SHA256_DIGEST_SIZE; + UINT8 auth[AUTH_LEN]; + UINTN auth_size = AUTH_LEN; UINT32 attributes; if (verify_pw() == FALSE) @@ -1744,14 +1785,16 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, &shim_lock_guid, &attributes, &auth_size, auth); - if ((efi_status == EFI_SUCCESS) && (auth_size == SHA256_DIGEST_SIZE)) + if ((efi_status == EFI_SUCCESS) && + (auth_size == SHA256_DIGEST_SIZE || auth_size == AUTH_LEN)) MokAuth = 1; efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokDelAuth", &shim_lock_guid, &attributes, &auth_size, auth); - if ((efi_status == EFI_SUCCESS) && (auth_size == SHA256_DIGEST_SIZE)) + if ((efi_status == EFI_SUCCESS) && + (auth_size == SHA256_DIGEST_SIZE || auth_size == AUTH_LEN)) MokDelAuth = 1; if (MokNew || MokAuth) -- 1.7.10.4
From cf448e938a54ee3006f0fca214b83e0a40499ea5 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin
Date: Fri, 18 Jan 2013 15:51:02 +0800 Subject: [PATCH 2/2] Extend the password hash format
Several new fields were added to support hash from /etc/shadow. Affected variables: MokAuth, MokDelAuth, MokPW, MokPWStore [Hash Method][Interation Count][Salt Size][Salt][hash] Besides, the password is converted to a 8-bit char array before hashing with salt. --- MokManager.c | 145 +++++++++++++++++++++++++++++++++----------------------- PasswordHash.h | 23 +++++++++ 2 files changed, 110 insertions(+), 58 deletions(-) create mode 100644 PasswordHash.h diff --git a/MokManager.c b/MokManager.c index be2a764..9c8f32f 100644 --- a/MokManager.c +++ b/MokManager.c @@ -5,6 +5,7 @@ #include "shim.h" #include "signature.h" #include "PeImage.h" +#include "PasswordHash.h" #define PASSWORD_MAX 16 #define PASSWORD_MIN 8 @@ -19,9 +20,6 @@ #define CERT_STRING L"Select an X509 certificate to enroll:\n\n" #define HASH_STRING L"Select a file to trust:\n\n" -#define SALT_LEN 16 -#define AUTH_LEN (SALT_LEN + SHA256_DIGEST_SIZE) - struct menu_item { CHAR16 *text; INTN (* callback)(void *data, void *data2, void *data3); @@ -553,8 +551,8 @@ static UINT8 get_line (UINT32 *length, CHAR16 *line, UINT32 line_max, UINT8 show return 1; } -static EFI_STATUS compute_pw_hash (void *MokNew, UINTN MokNewSize, CHAR16 *password, - UINT32 pw_length, UINT8 *hash) +static EFI_STATUS compute_pw_hash (void *Data, UINTN DataSize, UINT8 *password, + UINT32 pw_length, UINT8 *hash) { EFI_STATUS status; unsigned int ctxsize; @@ -574,15 +572,15 @@ static EFI_STATUS compute_pw_hash (void *MokNew, UINTN MokNewSize, CHAR16 *passw goto done; } - if (MokNew && MokNewSize) { - if (!(Sha256Update(ctx, MokNew, MokNewSize))) { + if (Data && DataSize) { + if (!(Sha256Update(ctx, Data, DataSize))) { Print(L"Unable to generate hash\n"); status = EFI_OUT_OF_RESOURCES; goto done; } } - if (!(Sha256Update(ctx, password, pw_length * sizeof(CHAR16)))) { + if (!(Sha256Update(ctx, password, pw_length))) { Print(L"Unable to generate hash\n"); status = EFI_OUT_OF_RESOURCES; goto done; 
@@ -599,15 +597,34 @@ done: return status; } -static EFI_STATUS match_password (void *Data, UINTN DataSize, - UINT8 auth[SHA256_DIGEST_SIZE], - CHAR16 *prompt) +static EFI_STATUS match_password (PASSWORD_HASH *pw_hash, + void *Data, UINTN DataSize, + UINT8 *auth, CHAR16 *prompt) { EFI_STATUS efi_status; UINT8 hash[SHA256_DIGEST_SIZE]; + UINT8 *auth_hash; + UINT32 auth_size; CHAR16 password[PASSWORD_MAX]; UINT32 pw_length; UINT8 fail_count = 0; + int i; + + if (pw_hash) { + /* + * Only support sha256 now and ignore iter_count + */ + if(pw_hash->method != SHA256_BASED) + return EFI_INVALID_PARAMETER; + auth_hash = pw_hash->hash; + /* FIXME assign auth_size according to pw_hash->method */ + auth_size = SHA256_DIGEST_SIZE; + } else if (auth) { + auth_hash = auth; + auth_size = SHA256_DIGEST_SIZE; + } else { + return EFI_INVALID_PARAMETER; + } while (fail_count < 3) { if (prompt) { @@ -623,16 +640,31 @@ static EFI_STATUS match_password (void *Data, UINTN DataSize, continue; } - efi_status = compute_pw_hash(Data, DataSize, password, - pw_length, hash); - + /* + * Compute password hash + */ + if (pw_hash) { + char pw_ascii[PASSWORD_MAX]; + for (i = 0; i < pw_length; i++) + pw_ascii[i] = (char)password[i]; + + /* FIXME calculate a proper salt_size */ + efi_status = compute_pw_hash(pw_hash->salt, (pw_hash->salt_size)/8, + (UINT8 *)pw_ascii, pw_length, hash); + } else { + /* + * For backward compatibility + */ + efi_status = compute_pw_hash(Data, DataSize, (UINT8 *)password, + pw_length * sizeof(CHAR16), hash); + } if (efi_status != EFI_SUCCESS) { Print(L"Unable to generate password hash\n"); fail_count++; continue; } - if (CompareMem(auth, hash, SHA256_DIGEST_SIZE) != 0) { + if (CompareMem(auth_hash, hash, auth_size) != 0) { Print(L"Password doesn't match\n"); fail_count++; continue; 
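Review bot: In match_password's new pw_hash branch (second hunk on this line), `(pw_hash->salt_size)/8` is taken straight from the UEFI variable's contents and used as the length Sha256Update reads from `pw_hash->salt`, with only a FIXME noting it is unvalidated; a value larger than the salt field makes the hash read past the `auth[PASSWORD_HASH_SIZE]` buffer the callers keep on the stack. Bound it before use, e.g. `if (pw_hash->salt_size / 8 > sizeof(pw_hash->salt)) return EFI_INVALID_PARAMETER;`, assuming `salt` is a fixed-size array in PasswordHash.h, which is not shown here. The `pw_ascii[i] = (char)password[i]` narrowing also maps every code point with the same low byte onto one hash, so distinct non-ASCII passphrases compare equal; either reject characters above 0x7F at entry or document the restriction at the prompt. match_password's end lies outside the hunk.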
@@ -651,29 +683,28 @@ static EFI_STATUS store_keys (void *MokNew, UINTN MokNewSize, int authenticate) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; - UINT8 data[AUTH_LEN], *auth, *salt; - UINTN auth_size = AUTH_LEN; + UINT8 auth[PASSWORD_HASH_SIZE]; + UINTN auth_size = PASSWORD_HASH_SIZE; UINT32 attributes; if (authenticate) { efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokAuth", &shim_lock_guid, - &attributes, &auth_size, data); - + &attributes, &auth_size, auth); if (efi_status != EFI_SUCCESS || - (auth_size != SHA256_DIGEST_SIZE && auth_size != AUTH_LEN)) { + (auth_size != SHA256_DIGEST_SIZE && + auth_size != PASSWORD_HASH_SIZE)) { Print(L"Failed to get MokAuth %d\n", efi_status); return efi_status; } - if (auth_size == AUTH_LEN) { - salt = data; - auth = data + SALT_LEN; - efi_status = match_password(salt, SALT_LEN, auth, NULL); + if (auth_size == PASSWORD_HASH_SIZE) { + efi_status = match_password((PASSWORD_HASH *)auth, + NULL, 0, NULL, NULL); } else { - auth = data; - efi_status = match_password(MokNew, MokNewSize, auth, NULL); + efi_status = match_password(NULL, MokNew, MokNewSize, + auth, NULL); } if (efi_status != EFI_SUCCESS) return EFI_ACCESS_DENIED; @@ -852,8 +883,8 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; - UINT8 data[AUTH_LEN], *auth, *salt;; - UINTN auth_size = AUTH_LEN; + UINT8 auth[PASSWORD_HASH_SIZE]; + UINTN auth_size = PASSWORD_HASH_SIZE; UINT32 attributes; void *MokListData = NULL; UINTN MokListDataSize = 0; 
@@ -863,21 +894,19 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize) efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokDelAuth", &shim_lock_guid, - &attributes, &auth_size, data); + &attributes, &auth_size, auth); if (efi_status != EFI_SUCCESS || - (auth_size != SHA256_DIGEST_SIZE && auth_size != AUTH_LEN)) { + (auth_size != SHA256_DIGEST_SIZE && auth_size != PASSWORD_HASH_SIZE)) { Print(L"Failed to get MokDelAuth %d\n", efi_status); return efi_status; } - if (auth_size == AUTH_LEN) { - salt = data; - auth = data + SALT_LEN; - efi_status = match_password(salt, SALT_LEN, auth, NULL); + if (auth_size == PASSWORD_HASH_SIZE) { + efi_status = match_password((PASSWORD_HASH *)auth, NULL, 0, + NULL, NULL); } else { - auth = data; - efi_status = match_password(MokDel, MokDelSize, auth, NULL); + efi_status = match_password(NULL, MokDel, MokDelSize, auth, NULL); } if (efi_status != EFI_SUCCESS) return EFI_ACCESS_DENIED; @@ -1070,22 +1099,22 @@ static INTN mok_pw_prompt (void *MokPW, void *data2, void *data3) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; UINTN MokPWSize = (UINTN)data2; - UINT8 hash[AUTH_LEN], *auth, *salt; + UINT8 hash[PASSWORD_HASH_SIZE]; UINT8 clear = 0; UINT32 length; CHAR16 line[1]; - if (MokPWSize != SHA256_DIGEST_SIZE && MokPWSize != AUTH_LEN) { + if (MokPWSize != SHA256_DIGEST_SIZE && MokPWSize != PASSWORD_HASH_SIZE) { Print(L"Invalid MokPW variable contents\n"); return -1; } uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut); - SetMem(hash, AUTH_LEN, 0); + SetMem(hash, PASSWORD_HASH_SIZE, 0); - if (MokPWSize == AUTH_LEN) { - if (CompareMem(MokPW, hash, AUTH_LEN) == 0) + if (MokPWSize == PASSWORD_HASH_SIZE) { + if (CompareMem(MokPW, hash, PASSWORD_HASH_SIZE) == 0) clear = 1; } else { if (CompareMem(MokPW, hash, SHA256_DIGEST_SIZE) == 0) 
@@ -1107,12 +1136,12 @@ static INTN mok_pw_prompt (void *MokPW, void *data2, void *data3) { return 0; } - if (MokPWSize == AUTH_LEN) { - salt = MokPW; - auth = MokPW + SALT_LEN; - efi_status = match_password(salt, SALT_LEN, auth, L"Confirm MOK passphrase: "); + if (MokPWSize == PASSWORD_HASH_SIZE) { + efi_status = match_password((PASSWORD_HASH *)MokPW, NULL, 0, + NULL, L"Confirm MOK passphrase: "); } else { - efi_status = match_password(NULL, 0, MokPW, L"Confirm MOK passphrase: "); + efi_status = match_password(NULL, NULL, 0, MokPW, + L"Confirm MOK passphrase: "); } if (efi_status != EFI_SUCCESS) { @@ -1725,8 +1754,8 @@ static BOOLEAN verify_pw(void) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; - UINT8 pwhash[AUTH_LEN], *auth, *salt; - UINTN size = AUTH_LEN; + UINT8 pwhash[PASSWORD_HASH_SIZE]; + UINTN size = PASSWORD_HASH_SIZE; UINT32 attributes; efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokPWStore", @@ -1739,7 +1768,7 @@ static BOOLEAN verify_pw(void) * purely because of a failure to read the variable */ if (efi_status != EFI_SUCCESS || - (size != SHA256_DIGEST_SIZE && size != AUTH_LEN)) + (size != SHA256_DIGEST_SIZE && size != PASSWORD_HASH_SIZE)) return TRUE; if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) @@ -1747,12 +1776,12 @@ static BOOLEAN verify_pw(void) uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut); - if (size == AUTH_LEN) { - salt = pwhash; - auth = pwhash + SALT_LEN; - efi_status = match_password(salt, SALT_LEN, auth, L"Enter MOK password: "); + if (size == PASSWORD_HASH_SIZE) { + efi_status = match_password((PASSWORD_HASH *)pwhash, NULL, 0, + NULL, L"Enter MOK password: "); } else { - efi_status = match_password(NULL, 0, pwhash, L"Enter MOK password: "); + efi_status = match_password(NULL, NULL, 0, pwhash, + L"Enter MOK password: "); } if (efi_status != EFI_SUCCESS) { Print(L"Password limit reached\n"); 
@@ -1774,8 +1803,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, UINTN menucount = 3, i = 0; EFI_STATUS efi_status; EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; - UINT8 auth[AUTH_LEN]; - UINTN auth_size = AUTH_LEN; + UINT8 auth[PASSWORD_HASH_SIZE]; + UINTN auth_size = PASSWORD_HASH_SIZE; UINT32 attributes; if (verify_pw() == FALSE) @@ -1786,7 +1815,7 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, &attributes, &auth_size, auth); if ((efi_status == EFI_SUCCESS) && - (auth_size == SHA256_DIGEST_SIZE || auth_size == AUTH_LEN)) + (auth_size == SHA256_DIGEST_SIZE || auth_size == PASSWORD_HASH_SIZE)) MokAuth = 1; efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokDelAuth", @@ -1794,7 +1823,7 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, &attributes, &auth_size, auth); if ((efi_status == EFI_SUCCESS) && - (auth_size == SHA256_DIGEST_SIZE || auth_size == AUTH_LEN)) + (auth_size == SHA256_DIGEST_SIZE || auth_size == PASSWORD_HASH_SIZE)) MokDelAuth = 1; if (MokNew || MokAuth) diff --git a/PasswordHash.h b/PasswordHash.h new file mode 100644 index 0000000..70ee441 --- /dev/null +++ b/PasswordHash.h @@ -0,0 +1,23 @@ +#ifndef __PASSWORD_HASH_H__ +#define __PASSWORD_HASH_H__ + +#define PASSWORD_HASH_SIZE 88 + +enum HashMethod { + Tranditional_DES = 0, + Extend_BSDI_DES, + MD5_BASED, + SHA256_BASED, + SHA512_BASED, + BLOWFISH_BASED +}; + +typedef struct { + UINT16 method; + UINT32 iter_count; + UINT16 salt_size; + UINT8 salt[16]; + UINT8 hash[64]; +} __attribute__ ((packed)) PASSWORD_HASH; + +#endif /* __PASSWORD_HASH_H__ */ -- 1.7.10.4 ++++++ shim-mokmanager-support-crypt-hash-method.patch ++++++ ++++ 719 lines (skipped) ++++ between /work/SRC/openSUSE:13.1/shim/shim-mokmanager-support-crypt-hash-method.patch ++++ and /work/SRC/openSUSE:13.1/.shim.new/shim-mokmanager-support-crypt-hash-method.patch ++++++ shim-reboot-after-changes.patch ++++++
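Review bot: In the new PasswordHash.h, `__PASSWORD_HASH_H__` is a reserved identifier (leading double underscore); `PASSWORD_HASH_H` avoids that. The header gives no unit for `salt_size` while MokManager.c divides it by 8 before use, which suggests bits — a comment such as `/* salt length in bits; must not exceed sizeof(salt) * 8 */` (confirm against whatever writes the variable) would settle it, and `hash[64]` should say which methods it is sized for, since the consumer currently accepts only `SHA256_BASED`. `PASSWORD_HASH_SIZE 88` is correct only because the struct is packed and its fields sum to 88; pinning that with `_Static_assert(sizeof(PASSWORD_HASH) == PASSWORD_HASH_SIZE, "PASSWORD_HASH layout changed");`, if the build's C mode permits it, protects the `(PASSWORD_HASH *)` casts in MokManager.c. `Tranditional_DES` is presumably a typo for `Traditional_DES`.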
From 10f0f58b03b3bcc56797744f25be15b226b51a50 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin
Date: Mon, 10 Dec 2012 17:54:05 +0800 Subject: [PATCH 1/2] Clear the screen before erasing keys
--- MokManager.c | 1 + 1 file changed, 1 insertion(+) diff --git a/MokManager.c b/MokManager.c index 5802d27..c6f84d8 100644 --- a/MokManager.c +++ b/MokManager.c @@ -675,6 +675,7 @@ static INTN mok_deletion_prompt (void *MokNew, void *data2, void *data3) { UINT32 length; EFI_STATUS efi_status; + uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut); Print(L"Erase all stored keys? (y/N): "); get_line (&length, line, 1, 1); -- 1.7.10.4
From 510dafda53cd56210d7ff634b1c630d3645150f0 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin
Date: Mon, 10 Dec 2012 18:24:45 +0800 Subject: [PATCH 2/2] Reboot the system after enrolling/erasing keys
--- MokManager.c | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/MokManager.c b/MokManager.c index c6f84d8..7d6650e 100644 --- a/MokManager.c +++ b/MokManager.c @@ -637,6 +637,7 @@ static EFI_STATUS store_keys (void *MokNew, UINTN MokNewSize, int authenticate) } static UINTN mok_enrollment_prompt (void *MokNew, UINTN MokNewSize, int auth) { + EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; CHAR16 line[1]; UINT32 length; EFI_STATUS efi_status; @@ -657,6 +658,19 @@ static UINTN mok_enrollment_prompt (void *MokNew, UINTN MokNewSize, int auth) { Print(L"Failed to enroll keys\n"); return -1; } + + if (auth) { + LibDeleteVariable(L"MokNew", &shim_lock_guid); + LibDeleteVariable(L"MokAuth", &shim_lock_guid); + + Print(L"\nPress a key to reboot system\n"); + Pause(); + uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm, + EFI_SUCCESS, 0, NULL); + Print(L"Failed to reboot\n"); + return -1; + } + return 0; } } while (line[0] != 'N' && line[0] != 'n'); @@ -671,6 +685,7 @@ static INTN mok_enrollment_prompt_callback (void *MokNew, void *data2, } static INTN mok_deletion_prompt (void *MokNew, void *data2, void *data3) { + EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; CHAR16 line[1]; UINT32 length; EFI_STATUS efi_status; @@ -687,6 +702,16 @@ static INTN mok_deletion_prompt (void *MokNew, void *data2, void *data3) { Print(L"Failed to erase keys\n"); return -1; } + + LibDeleteVariable(L"MokNew", &shim_lock_guid); + LibDeleteVariable(L"MokAuth", &shim_lock_guid); + + Print(L"\nPress a key to reboot system\n"); + Pause(); + uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm, + EFI_SUCCESS, 0, NULL); + Print(L"Failed to reboot\n"); + return -1; } return 0; -- 1.7.10.4 ++++++ shim-support-mok-delete.patch ++++++ ++++ 763 lines (skipped) ++++++ shim-suse-build.patch ++++++ --- /var/tmp/diff_new_pack.yanFTi/_old 2013-10-25 13:50:03.000000000 +0200 +++ /var/tmp/diff_new_pack.yanFTi/_new 2013-10-25 13:50:03.000000000 +0200 
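Review bot: The variable-deletion-and-reboot sequence added inside `if (auth)` in mok_enrollment_prompt is repeated line for line in mok_deletion_prompt in the following hunk (`@@ -687`); a small static helper keeps the two paths identical if another variable ever needs clearing before the reset. LibDeleteVariable's status is discarded in both places; with a helper there is one spot to log or act on a failed deletion, should a stale `MokAuth` surviving the reboot matter. Both callers would still `return -1` after the helper, as they do now when ResetSystem returns. Each enclosing function extends beyond its hunk.
```c
/* Remove the pending request and its auth token, then reboot.
 * Returns only if ResetSystem comes back. */
static void reboot_after_mok_change(EFI_GUID *shim_lock_guid)
{
	LibDeleteVariable(L"MokNew", shim_lock_guid);
	LibDeleteVariable(L"MokAuth", shim_lock_guid);

	Print(L"\nPress a key to reboot system\n");
	Pause();
	uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm,
			  EFI_SUCCESS, 0, NULL);
	Print(L"Failed to reboot\n");
}

	/* … in mok_enrollment_prompt, unchanged: store_keys call and its error return … */
	if (auth) {
		reboot_after_mok_change(&shim_lock_guid);
		return -1;
	}
```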
@@ -1,13 +1,11 @@ ---- - Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/Makefile -+++ b/Makefile +Index: shim-0.2/Makefile +=================================================================== +--- shim-0.2.orig/Makefile ++++ shim-0.2/Makefile @@ -6,7 +6,7 @@ LIB_PATH = /usr/lib64 EFI_INCLUDE = /usr/include/efi - EFI_INCLUDES = -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol + EFI_INCLUDES = -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -EFI_PATH = /usr/lib64/gnuefi +EFI_PATH = /usr/lib64 -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org