diff --git a/backport-shim-don-t-set-second_stage-to-the-empty-string.patch b/backport-shim-don-t-set-second_stage-to-the-empty-string.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4bc6805c1f139903172e86949df76a5be9127ca9
--- /dev/null
+++ b/backport-shim-don-t-set-second_stage-to-the-empty-string.patch
@@ -0,0 +1,54 @@
+From 0287c6b14c77eeb3e3c61996330850d43d937a2b Mon Sep 17 00:00:00 2001
+From: Jonathan Davies
+Date: Thu, 22 Feb 2024 16:24:01 +0000
+Subject: [PATCH] shim: don't set second_stage to the empty string
+
+When LoadOptions is either L" " or L"shim.efi ", parse_load_options sets
+second_stage to the empty string. This is unlikely to be what is intended, and
+typically leads to a non-obvious failure mode.
+
+The failure happens because parse_load_options's call to split_load_options
+(after eating shim's own filename, if present) returns the empty string. Since
+init_grub typically passes second_stage to start_image, this causes read_image
+to concatenate the empty string onto the directory name. This means PathName
+refers to the directory, not the path to a pe image. Then load_image
+successfully opens a handle on the directory and reads "data" from it. It only
+eventually fails when handle_image calls read_header which finds that this data
+isn't in fact a pe header, reporting "Invalid image".
+
+This scenario has been seen when shim is loaded via rEFInd 0.11.5, which sets
+LoadOptions to the name of the shim program followed by a space character.
+
+Instead, modify parse_load_options to leave second_stage set to its default
+value rather than the empty string.
+
+Reference:https://github.com/rhboot/shim/commit/0287c6b14c77eeb3e3c61996330850d43d937a2b
+Conflict:NA
+
+Signed-off-by: Jonathan Davies
+---
+ load-options.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/load-options.c b/load-options.c
+index a8c6e1a..8b92e37 100644
+--- a/load-options.c
++++ b/load-options.c
+@@ -447,10 +447,12 @@ parse_load_options(EFI_LOADED_IMAGE *li)
+ 
+ /*
+ * Set up the name of the alternative loader and the LoadOptions for
+- * the loader
++ * the loader if it's not the empty string.
+ */ + if (loader_str) { +- second_stage = loader_str; ++ if (*loader_str) { ++ second_stage = loader_str; ++ } + load_options = remaining; + load_options_size = remaining_size; + } +-- +2.33.0 + diff --git a/shim.spec b/shim.spec index bff032d7cc9275e371b5a4e8c8e6066911507ede..08a7d12d577297357fbe35aca0a26d11391a45dc 100644 --- a/shim.spec +++ b/shim.spec @@ -25,7 +25,7 @@ Name: shim Version: 15.7 -Release: 12 +Release: 14 Summary: First-stage UEFI bootloader ExclusiveArch: x86_64 aarch64 License: BSD @@ -34,6 +34,8 @@ Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{v Source1: BOOTAA64.CSV Source2: BOOTX64.CSV Source3: openEuler_ca.der +Source4: shimaa64-cfca.efi +Source5: shimx64-cfca.efi Patch1:backport-CVE-2023-40546.patch Patch2:backport-CVE-2023-40551-pe-relocate-Fix-bounds-check-for-MZ-b.patch @@ -52,6 +54,7 @@ Patch14:backport-CVE-2023-2650.patch Patch15:backport-CVE-2024-0727.patch Patch16:backport-Always-clear-SbatLevel-when-Secure-Boot-is-disabled.patch Patch17:backport-Align-section-size-up-to-page-size-for-mem-attrs.patch +Patch18:backport-shim-don-t-set-second_stage-to-the-empty-string.patch # Feature for shim SMx support Patch9000:Feature-shim-openssl-add-ec-support.patch @@ -76,6 +79,14 @@ Obsoletes: shim-%{efi_arch} < %{version}-%{release} Initial UEFI bootloader that handles chaining to a trusted full \ bootloader under secure boot environments. +%package signed +Summary: signed shim +Requires: %{name} = %{version}-%{release} +AutoReqProv: 0 + +%description signed +signed shim + %package debuginfo Summary: Debug information for shim-unsigned Requires: %{name}-debugsource = %{version}-%{release} 
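Review bot: Source4 and Source5 bring in prebuilt, externally signed shim images (shimaa64-cfca.efi, shimx64-cfca.efi) that the spec neither documents nor verifies: nothing records which shim source and patch level they were built from or which certificate signed them, and the same change adds Patch18, which alters load-options.c in the unsigned build, so the `signed` subpackage (tied to 15.7-14 by its Requires) may ship a different shim than the one this release builds. I would add a provenance comment beside the new sources, e.g. `# Source4/Source5: CFCA-signed shim images, built from <source release/commit>; not rebuilt by this spec`, and a `%prep` or `%check` step that compares each image against a recorded sha256 so that a substituted binary fails the build rather than being packaged silently. The same concern covers the install and `%files signed` hunks that follow (-150 and -180). `%files signed` also omits the `%defattr(-,root,root,-)` line that `%files debuginfo` carries; adding it keeps ownership handling consistent across the subpackages.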
@@ -150,9 +161,11 @@ install -m 0700 *.efi ${RPM_BUILD_ROOT}/%{shimefivendor} install -m 0700 *.hash ${RPM_BUILD_ROOT}/%{shimefivendor} %ifarch aarch64 install -m 0700 %{SOURCE1} ${RPM_BUILD_ROOT}/%{shimefivendor} +install -m 0700 %{SOURCE4} ${RPM_BUILD_ROOT}/%{shimBOOT}/BOOTAA64_CFCA.EFI %endif %ifarch x86_64 install -m 0700 %{SOURCE2} ${RPM_BUILD_ROOT}/%{shimefivendor} +install -m 0700 %{SOURCE5} ${RPM_BUILD_ROOT}/%{shimBOOT}/BOOTX64_CFCA.EFI %endif %if "%{_vendor}" != "openEuler" iconv -f UTF-16LE -t UTF-8 ${RPM_BUILD_ROOT}/%{shimefivendor}/%{bootcsv} > /tmp/%{bootcsv}.tmp @@ -180,6 +193,14 @@ make test %{shimefivendor}/*.efi %{shimefivendor}/*.hash +%files signed +%ifarch aarch64 +%{shimBOOT}/BOOTAA64_CFCA.EFI +%endif +%ifarch x86_64 +%{shimBOOT}/BOOTX64_CFCA.EFI +%endif + %files debuginfo %defattr(-,root,root,-) /usr/lib/debug/* @@ -191,6 +212,12 @@ make test /usr/src/debug/%{name}-%{version}-%{release}/* %changelog +* Tue Oct 22 2024 fuanan -15.7-14 +- backport patch from upstream + +* Wed May 29 2024 jinlun -15.7-13 +- add CFCA sign shim + * Fri May 17 2024 wangcheng - 15.7-12 - Align section size up to page size for mem attrs diff --git a/shimaa64-cfca.efi b/shimaa64-cfca.efi new file mode 100644 index 0000000000000000000000000000000000000000..36a468df34b8c7fc25e92eebf738ea5cb1342757 Binary files /dev/null and b/shimaa64-cfca.efi differ diff --git a/shimx64-cfca.efi b/shimx64-cfca.efi new file mode 100644 index 0000000000000000000000000000000000000000..772d43a172ddb2012ac027fdbf66368cc3a5d68a Binary files /dev/null and b/shimx64-cfca.efi differ