diff --git a/Feature-add-tpcm-support-with-ipmi-channel.patch b/Feature-add-tpcm-support-with-ipmi-channel.patch
index fb58bd490befdca67d8d6d67737037903265ce51..ad92e5c2682ea95b59aa6a49a6c8bedfc41ce19d 100644
--- a/Feature-add-tpcm-support-with-ipmi-channel.patch
+++ b/Feature-add-tpcm-support-with-ipmi-channel.patch
@@ -185,7 +185,7 @@ index 0000000..a086620
 + CHAR16 *description)
 +{
 + UINT32 filename_len = StrLen(description) * 2 + 1;
-+ UINT32 stage_base = bm_stage_base++;
++ UINT32 stage_base = bm_stage_base;
 + UINT8 filename[FIRMWARE_NAME_SIZE] = {0};
 +
 + if (filename_len > FIRMWARE_NAME_SIZE) {
diff --git a/backport-Align-section-size-up-to-page-size-for-mem-attrs.patch b/backport-Align-section-size-up-to-page-size-for-mem-attrs.patch
new file mode 100644
index 0000000000000000000000000000000000000000..458cf16855301fb9903f708a9cd76921915b12ff
--- /dev/null
+++ b/backport-Align-section-size-up-to-page-size-for-mem-attrs.patch
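Review bot: Dropping the post-increment leaves `bm_stage_base` untouched by this function, so every call now computes the same `stage_base` unless some code outside the hunk advances the counter; nothing visible shows where that now happens, and the enclosing function starts and ends outside the hunk. If the caller is meant to own the counter, a one-line comment at the declaration would stop the increment from being reintroduced: `/* bm_stage_base is advanced by the caller, not here */`. Separately, `filename_len = StrLen(description) * 2 + 1` reserves one byte for the terminator of a CHAR16 string, which is one short if `filename` receives the wide string and twice too much if it receives a narrow conversion; a comment stating which encoding `filename` holds would make the `FIRMWARE_NAME_SIZE` check auditable.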
@@ -0,0 +1,33 @@
+From c7b305152802c8db688605654f75e1195def9fd6 Mon Sep 17 00:00:00 2001
+From: Nicholas Bishop
+Date: Mon, 19 Dec 2022 18:56:13 -0500
+Subject: [PATCH] pe: Align section size up to page size for mem attrs
+
+Setting memory attributes is generally done at page granularity, and
+this is enforced by checks in `get_mem_attrs` and
+`update_mem_attrs`. But unlike the section address, the section size
+isn't necessarily aligned to 4KiB. Round up the section size to fix
+this.
+
+Signed-off-by: Nicholas Bishop
+---
+ pe.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/pe.c b/pe.c
+index 9a3679e16..5ad0914ba 100644
+--- a/pe.c
++++ b/pe.c
+@@ -1372,7 +1372,11 @@ handle_image (void *data, unsigned int datasize,
+ + Section->Misc.VirtualSize - 1);
+
+ addr = (uintptr_t)base;
+- length = (uintptr_t)end - (uintptr_t)base + 1;
++ // Align the length up to PAGE_SIZE. This is required because
++ // platforms generally set memory attributes at page
++ // granularity, but the section length (unlike the section
++ // address) is not required to be aligned.
++ length = ALIGN_VALUE((uintptr_t)end - (uintptr_t)base + 1, PAGE_SIZE);
+
+ if (Section->Characteristics & EFI_IMAGE_SCN_MEM_WRITE) {
+ set_attrs |= MEM_ATTR_W;
diff --git a/backport-Always-clear-SbatLevel-when-Secure-Boot-is-disabled.patch b/backport-Always-clear-SbatLevel-when-Secure-Boot-is-disabled.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d410893b7c2cd4668a6726206a69f3669bb3bece
--- /dev/null
+++ b/backport-Always-clear-SbatLevel-when-Secure-Boot-is-disabled.patch
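Review bot: This backport carries only the upstream `From`/`Signed-off-by` header; unlike `backport-shim-don-t-set-second_stage-to-the-empty-string.patch` it has no `Reference:` and `Conflict:` trailers, so a reader cannot tell whether `c7b30515` applied to 15.7 unchanged or was adapted. The same gap exists in `backport-Always-clear-SbatLevel-when-Secure-Boot-is-disabled.patch` and `backport-Fix-the-issue-that-the-gBS-LoadImage-pointer-was-emp.patch`. Following the format the second_stage backport uses, add `Reference:https://github.com/rhboot/shim/commit/c7b305152802c8db688605654f75e1195def9fd6` and `Conflict:NA` (or a description of what was changed) above the sign-off. The rounding itself depends on `ALIGN_VALUE` and `PAGE_SIZE` existing in the 15.7 `pe.c`, which the hunk does not show, so the build is the only check that the backport is complete.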
@@ -0,0 +1,48 @@
+From b078ef274887a4cc0da64fd6668800d1e24a2871 Mon Sep 17 00:00:00 2001
+From: Jan Setje-Eilers
+Date: Tue, 16 May 2023 14:31:13 -0700
+Subject: [PATCH] Always clear SbatLevel when Secure Boot is disabled
+
+Unless an explict sbat policy is specified, always delete SbatLevel
+when secure boot is disabled.
+
+Signed-off-by: Jan Setje-Eilers
+---
+ sbat.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/sbat.c b/sbat.c
+index a08c5b2..42a3346 100644
+--- a/sbat.c
++++ b/sbat.c
+@@ -423,7 +423,12 @@ set_sbat_uefi_variable(void)
+ &attributes);
+ if (EFI_ERROR(efi_status)) {
+ dprint("Default sbat policy: previous\n");
+- sbat_var = sbat_var_previous;
++ if (secure_mode()) {
++ sbat_var = sbat_var_previous;
++ } else {
++ reset_sbat = true;
++ sbat_var = SBAT_VAR_ORIGINAL;
++ }
+ } else {
+ switch (*sbat_policy) {
+ case SBAT_POLICY_LATEST:
+@@ -449,7 +454,12 @@ set_sbat_uefi_variable(void)
+ default:
+ console_error(L"SBAT policy state %llu is invalid",
+ EFI_INVALID_PARAMETER);
+- sbat_var = sbat_var_previous;
++ if (secure_mode()) {
++ sbat_var = sbat_var_previous;
++ } else {
++ reset_sbat = true;
++ sbat_var = SBAT_VAR_ORIGINAL;
++ }
+ clear_sbat_policy();
+ break;
+ }
+--
+2.33.0
+
diff --git a/backport-Fix-the-issue-that-the-gBS-LoadImage-pointer-was-emp.patch b/backport-Fix-the-issue-that-the-gBS-LoadImage-pointer-was-emp.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2e61043bb55394834ca8e0478f44c046803efde5
--- /dev/null
+++ b/backport-Fix-the-issue-that-the-gBS-LoadImage-pointer-was-emp.patch
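Review bot: The six-line fallback `if (secure_mode()) { sbat_var = sbat_var_previous; } else { reset_sbat = true; sbat_var = SBAT_VAR_ORIGINAL; }` is pasted verbatim into both the `EFI_ERROR(efi_status)` branch and the `default:` case of the policy switch; a small static helper such as `set_default_sbat_var(void)` would keep the two in step the next time the default policy changes. The change is security-relevant: with Secure Boot off the stored SbatLevel is reset to `SBAT_VAR_ORIGINAL`, so the revocation level is presumably only raised again on a later Secure Boot run — that is upstream `b078ef27`'s intent, but the spec changelog entries that read `backport patch from upstream` do not name it, and a one-line mention would help anyone auditing the package's SBAT handling. `reset_sbat` and `SBAT_VAR_ORIGINAL` are assumed to already exist in the 15.7 `sbat.c`; the hunk does not show them.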
@@ -0,0 +1,39 @@
+From 712097206702f26e96be3f7ba79eb52d00e1f658 Mon Sep 17 00:00:00 2001
+From: jinlun <869793317@qq.com>
+Date: Sat, 2 Nov 2024 17:21:22 +0800
+Subject: [PATCH] Fix the issue that the gBS->LoadImage pointer was empty.
+
+The interface shouldn't be replaced at the shim_fini
+ stage When the vendor certificate doesn't exist.
+
+Signed-off-by: jinlun <869793317@qq.com>
+Signed-off-by: xuce
+---
+ shim.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/shim.c b/shim.c
+index 547b052..aa74610 100644
+--- a/shim.c
++++ b/shim.c
+@@ -1651,11 +1651,12 @@ shim_fini(void)
+ uninstall_shim_protocols();
+
+ if (secure_mode()) {
+-
+- /*
+- * Remove our hooks from system services.
+- */
+- unhook_system_services();
++ if (vendor_authorized_size || vendor_deauthorized_size) {
++ /*
++ * Remove our hooks from system services.
++ */
++ unhook_system_services();
++ }
+ }
+
+ unhook_exit();
+--
+2.33.0
+
diff --git a/backport-shim-don-t-set-second_stage-to-the-empty-string.patch b/backport-shim-don-t-set-second_stage-to-the-empty-string.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4bc6805c1f139903172e86949df76a5be9127ca9
--- /dev/null
+++ b/backport-shim-don-t-set-second_stage-to-the-empty-string.patch
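Review bot: `shim_fini` now re-derives the condition under which the hooks were installed (`vendor_authorized_size || vendor_deauthorized_size`) instead of recording whether `hook_system_services` actually ran; if the install-side condition ever diverges from this copy, a hook either stays in the boot-services table after shim exits (a pointer into unloaded code, the same class of fault this patch fixes in the other direction) or is removed when it was never set. A flag set at the install site and tested here, e.g. `if (system_services_hooked) unhook_system_services();`, would tie the two together and needs no second copy of the policy. The install site is not in the hunk, so this is inferred from the commit message, and the enclosing function starts outside the hunk.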
@@ -0,0 +1,54 @@
+From 0287c6b14c77eeb3e3c61996330850d43d937a2b Mon Sep 17 00:00:00 2001
+From: Jonathan Davies
+Date: Thu, 22 Feb 2024 16:24:01 +0000
+Subject: [PATCH] shim: don't set second_stage to the empty string
+
+When LoadOptions is either L" " or L"shim.efi ", parse_load_options sets
+second_stage to the empty string. This is unlikely to be what is intended, and
+typically leads to a non-obvious failure mode.
+
+The failure happens because parse_load_options's call to split_load_options
+(after eating shim's own filename, if present) returns the empty string. Since
+init_grub typically passes second_stage to start_image, this causes read_image
+to concatenate the empty string onto the directory name. This means PathName
+refers to the directory, not the path to a pe image. Then load_image
+successfully opens a handle on the directory and reads "data" from it. It only
+eventually fails when handle_image calls read_header which finds that this data
+isn't in fact a pe header, reporting "Invalid image".
+
+This scenario has been seen when shim is loaded via rEFInd 0.11.5, which sets
+LoadOptions to the name of the shim program followed by a space character.
+
+Instead, modify parse_load_options to leave second_stage set to its default
+value rather than the empty string.
+
+Reference:https://github.com/rhboot/shim/commit/0287c6b14c77eeb3e3c61996330850d43d937a2b
+Conflict:NA
+
+Signed-off-by: Jonathan Davies
+---
+ load-options.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/load-options.c b/load-options.c
+index a8c6e1a..8b92e37 100644
+--- a/load-options.c
++++ b/load-options.c
+@@ -447,10 +447,12 @@ parse_load_options(EFI_LOADED_IMAGE *li)
+
+ /*
+ * Set up the name of the alternative loader and the LoadOptions for
+- * the loader
++ * the loader if it's not the empty string.
+ */
+ if (loader_str) {
+- second_stage = loader_str;
++ if (*loader_str) {
++ second_stage = loader_str;
++ }
+ load_options = remaining;
+ load_options_size = remaining_size;
+ }
+--
+2.33.0
+
diff --git a/shim.spec b/shim.spec
index 3211151aae9f53de5fc1463872853b672b4a1b32..97dedce8fddcc71d5e0eee8b7e682d08357e7a4f 100644
--- a/shim.spec
+++ b/shim.spec
@@ -25,7 +25,7 @@ Name: shim
 Version: 15.7
-Release: 7
+Release: 16
 Summary: First-stage UEFI bootloader
 ExclusiveArch: x86_64 aarch64
 License: BSD
@@ -34,6 +34,8 @@ Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{v
 Source1: BOOTAA64.CSV
 Source2: BOOTX64.CSV
 Source3: openEuler_ca.der
+Source4: shimaa64-cfca.efi
+Source5: shimx64-cfca.efi
 Patch1:backport-CVE-2023-40546.patch
 Patch2:backport-CVE-2023-40551-pe-relocate-Fix-bounds-check-for-MZ-b.patch
@@ -50,6 +52,10 @@ Patch12:backport-CVE-2023-3446.patch
 Patch13:backport-CVE-2023-0465.patch
 Patch14:backport-CVE-2023-2650.patch
 Patch15:backport-CVE-2024-0727.patch
+Patch16:backport-Always-clear-SbatLevel-when-Secure-Boot-is-disabled.patch
+Patch17:backport-Align-section-size-up-to-page-size-for-mem-attrs.patch
+Patch18:backport-shim-don-t-set-second_stage-to-the-empty-string.patch
+Patch19:backport-Fix-the-issue-that-the-gBS-LoadImage-pointer-was-emp.patch
 # Feature for shim SMx support
 Patch9000:Feature-shim-openssl-add-ec-support.patch
@@ -62,10 +68,6 @@ Patch9005:Feature-add-tpcm-support-with-ipmi-channel.patch
 BuildRequires: elfutils-libelf-devel openssl-devel openssl git pesign gnu-efi gnu-efi-devel gcc vim-common efivar-devel
-%if 0%{?openEuler_sign_rsa}
-BuildRequires: sign-openEuler
-%endif
-
 %ifarch aarch64
 BuildRequires: binutils >= 2.37-7
 %endif
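Review bot: `Source4`/`Source5` bring in prebuilt `shimaa64-cfca.efi` and `shimx64-cfca.efi` that are later installed as-is and shipped by the new `signed` subpackage, so nothing in the build relates them to the source tree this spec patches (15.7 plus Patch1–Patch19); a stale or substituted binary would go unnoticed. A comment next to the two Source lines recording the build and digest they came from, e.g. `# Prebuilt CFCA-signed shim; built from <RELEASE> at <COMMIT>, sha256 <DIGEST>` (placeholders), would let a reviewer check them against the patched sources. The `15.7-13` changelog entry (`add CFCA sign shim`) gives no such provenance.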
@@ -78,6 +80,14 @@ Obsoletes: shim-%{efi_arch} < %{version}-%{release}
 Initial UEFI bootloader that handles chaining to a trusted full \
 bootloader under secure boot environments.
+%package signed
+Summary: signed shim
+Requires: %{name} = %{version}-%{release}
+AutoReqProv: 0
+
+%description signed
+signed shim
+
 %package debuginfo
 Summary: Debug information for shim-unsigned
 Requires: %{name}-debugsource = %{version}-%{release}
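Review bot: `%description signed` says only `signed shim`, which does not tell an administrator that the subpackage contains a prebuilt, externally signed `BOOTxx64_CFCA.EFI` rather than a signed build of this package's own `.efi` files; the description should state that, and name the signing authority, so the two are not confused at deployment time. `AutoReqProv: 0` is also unexplained — a short comment such as `# prebuilt EFI binary: no ELF dependencies to scan` would record why automatic dependency generation is switched off.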
@@ -123,10 +133,12 @@ cd ..
 %if 0%{?openEuler_sign_rsa}
 echo "start sign"
-
-/opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode %{_builddir}/shim-%{version}/build-%{efi_arch}/shim%{efi_arch}.efi
-/opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode %{_builddir}/shim-%{version}/build-%{efi_arch}/fb%{efi_arch}.efi
-/opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode %{_builddir}/shim-%{version}/build-%{efi_arch}/mm%{efi_arch}.efi
+sh /usr/lib/rpm/brp-ebs-sign --efi %{_builddir}/shim-%{version}/build-%{efi_arch}/shim%{efi_arch}.efi || [ $? -eq 2 ] && echo "failed to sign, skip signgture"
+sh /usr/lib/rpm/brp-ebs-sign --efi %{_builddir}/shim-%{version}/build-%{efi_arch}/fb%{efi_arch}.efi || [ $? -eq 2 ] && echo "failed to sign, skip signgture"
+sh /usr/lib/rpm/brp-ebs-sign --efi %{_builddir}/shim-%{version}/build-%{efi_arch}/mm%{efi_arch}.efi || [ $? -eq 2 ] && echo "failed to sign, skip signgture"
+mv %{_builddir}/shim-%{version}/build-%{efi_arch}/shim%{efi_arch}.efi.sig %{_builddir}/shim-%{version}/build-%{efi_arch}/shim%{efi_arch}.efi ||:
+mv %{_builddir}/shim-%{version}/build-%{efi_arch}/fb%{efi_arch}.efi.sig %{_builddir}/shim-%{version}/build-%{efi_arch}/fb%{efi_arch}.efi ||:
+mv %{_builddir}/shim-%{version}/build-%{efi_arch}/mm%{efi_arch}.efi.sig %{_builddir}/shim-%{version}/build-%{efi_arch}/mm%{efi_arch}.efi ||:
 %endif
 %install
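Review bot: `sh … --efi FILE || [ $? -eq 2 ] && echo "failed to sign, skip signgture"` parses as `(sh … || [ $? -eq 2 ]) && echo …`, so the "failed to sign" message is printed after every successful signing too, and the only thing that separates exit status 2 from other failures is that the latter leave the list false, which aborts the section under the `-e` shell rpmbuild uses for build scripts — the intended outcome, but reached by accident and without a message. Grouping the fallback states the intent and fixes the typo: `sh /usr/lib/rpm/brp-ebs-sign --efi FILE || { [ $? -eq 2 ] && echo "failed to sign, skip signature"; }` on each of the three lines. The following `mv … ||:` lines then silently package the unsigned binary whenever no `.sig` was produced; for a first-stage Secure Boot loader that should at least be visible in the build log, e.g. `|| echo "no signature for shim%{efi_arch}.efi, packaging unsigned"` in place of `||:`.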
@@ -150,9 +162,16 @@ install -m 0700 *.efi ${RPM_BUILD_ROOT}/%{shimefivendor}
 install -m 0700 *.hash ${RPM_BUILD_ROOT}/%{shimefivendor}
 %ifarch aarch64
 install -m 0700 %{SOURCE1} ${RPM_BUILD_ROOT}/%{shimefivendor}
+install -m 0700 %{SOURCE4} ${RPM_BUILD_ROOT}/%{shimBOOT}/BOOTAA64_CFCA.EFI
 %endif
 %ifarch x86_64
 install -m 0700 %{SOURCE2} ${RPM_BUILD_ROOT}/%{shimefivendor}
+install -m 0700 %{SOURCE5} ${RPM_BUILD_ROOT}/%{shimBOOT}/BOOTX64_CFCA.EFI
+%endif
+%if "%{_vendor}" != "openEuler"
+ iconv -f UTF-16LE -t UTF-8 ${RPM_BUILD_ROOT}/%{shimefivendor}/%{bootcsv} > /tmp/%{bootcsv}.tmp
+ sed -i -e 's/openeuler/%{_vendor}/g' -e 's/openEuler/%{_vendor}/g' /tmp/%{bootcsv}.tmp
+ iconv -f UTF-8 -t UTF-16LE /tmp/%{bootcsv}.tmp > ${RPM_BUILD_ROOT}/%{shimefivendor}/%{bootcsv}
 %endif
 # install the debug symbols
@@ -175,6 +194,14 @@ make test
 %{shimefivendor}/*.efi
 %{shimefivendor}/*.hash
+%files signed
+%ifarch aarch64
+%{shimBOOT}/BOOTAA64_CFCA.EFI
+%endif
+%ifarch x86_64
+%{shimBOOT}/BOOTX64_CFCA.EFI
+%endif
+
 %files debuginfo
 %defattr(-,root,root,-)
 /usr/lib/debug/*
@@ -186,6 +213,34 @@ make test
 /usr/src/debug/%{name}-%{version}-%{release}/*
 %changelog
+* Mon Jan 20 2025 xuce -15.7-16
+- fix the issue that the gBS->LoadImage pointer was empty.
+
+* Tue Oct 29 2024 yanglongkang -15.7-15
+- Correct the signature code.
+
+* Tue Oct 22 2024 fuanan -15.7-14
+- backport patch from upstream
+
+* Wed May 29 2024 jinlun -15.7-13
+- add CFCA sign shim
+
+* Fri May 17 2024 wangcheng - 15.7-12
+- Align section size up to page size for mem attrs
+
+* Wed May 8 2024 lijuzhang - 15.7-11
+- replace vendor for BOOTX64.CSV or BOOTAA64.CSV
+
+* Tue May 7 2024 jinlun - 15.7-10
+- Fix the TPCM feature issue, and ignore signing failures
+ due to insufficient permissions.
+
+* Mon Apr 1 2024 jinlun - 15.7-9
+- Interface for replacing the EFI signature
+
+* Mon Mar 25 2024 yixiangzhike - 15.7-8
+- backport patch from upstream
+
 * Wed Feb 28 2024 jinlun - 15.7-7
 - add signature for secureboot
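Review bot: The `%{_vendor}` rewrite of the boot CSV goes through the fixed path `/tmp/%{bootcsv}.tmp`: on a shared builder that is a predictable, world-writable location where a pre-existing file or symlink is followed by the `>` redirection and by `sed -i`, the file is never removed, and two builds running at once overwrite each other's copy before the second `iconv` reads it back. Use a per-build location instead — `%{_builddir}/%{bootcsv}.tmp` or `tmp=$(mktemp)` — and remove it after the final `iconv`. This is the only hunk in the spec that writes outside `${RPM_BUILD_ROOT}` and `%{_builddir}`; the `%files signed` and changelog hunks below need no change.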
diff --git a/shimaa64-cfca.efi b/shimaa64-cfca.efi
new file mode 100644
index 0000000000000000000000000000000000000000..36a468df34b8c7fc25e92eebf738ea5cb1342757
Binary files /dev/null and b/shimaa64-cfca.efi differ
diff --git a/shimx64-cfca.efi b/shimx64-cfca.efi
new file mode 100644
index 0000000000000000000000000000000000000000..772d43a172ddb2012ac027fdbf66368cc3a5d68a
Binary files /dev/null and b/shimx64-cfca.efi differ