From 60ee4da5808b1a3adc0d0abc7cec96e56cd43613 Mon Sep 17 00:00:00 2001
From: Cole Robinson
Date: Sep 15 2020 23:28:56 +0000
Subject: Re-enable HTTPS support, with edk2 fix included (bz 1820836)
Signed-off-by: Cole Robinson
---
diff --git a/0001-build-customize-configuration.patch b/0001-build-customize-configuration.patch
index 045561a..9763ba0 100644
--- a/0001-build-customize-configuration.patch
+++ b/0001-build-customize-configuration.patch
@@ -1,6 +1,8 @@
 diff -rupN ipxe-20190125-git36a4c85f/src/config/local/general.h ipxe-20190125-git36a4c85f.new/src/config/local/general.h
 --- ipxe-20190125-git36a4c85f/src/config/local/general.h 1970-01-01 01:00:00.000000000 +0100
 +++ ipxe-20190125-git36a4c85f.new/src/config/local/general.h 2019-02-01 16:40:42.725293033 +0000
-@@ -0,0 +1,2 @@
+@@ -0,0 +1,4 @@
 +/* Enable IPv6. */
 +#define NET_PROTO_IPV6
++/* Enable HTTPS */
++#define DOWNLOAD_PROTO_HTTPS
diff --git a/0003-efi-Raise-TPL-during-driver-entry-point.patch b/0003-efi-Raise-TPL-during-driver-entry-point.patch
new file mode 100644
index 0000000..84c8b5d
--- /dev/null
+++ b/0003-efi-Raise-TPL-during-driver-entry-point.patch
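Review bot: The new `DOWNLOAD_PROTO_HTTPS` line in the config/local/general.h hunk turns on TLS for every ROM built from this package, but the comment `/* Enable HTTPS */` does not say which certificates those ROMs will accept. As far as I know, an iPXE build made without an explicit `TRUST=` argument falls back to the project's own root CA and fetches cross-signed certificates at boot time; whether the spec passes `TRUST=` is not visible in this diff. I would expand the comment to something like `/* Enable HTTPS; trust anchor is iPXE's built-in default unless the build passes TRUST= */` so the next packager knows where server authentication is decided.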
@@ -0,0 +1,63 @@
+From 82a962066fb5a41b6dc50476f8676b559ac1edcc Mon Sep 17 00:00:00 2001
+From: Michael Brown
+Date: Tue, 30 Jun 2020 16:32:59 +0100
+Subject: [PATCH] [efi] Raise TPL during driver entry point
+
+As per commit c89a446 ("[efi] Run at TPL_CALLBACK to protect against
+UEFI timers") we expect to run at TPL_CALLBACK almost all of the time.
+Various code paths rely on this assumption. Code paths that need to
+temporarily lower the TPL (e.g. for entropy gathering) will restore it
+to TPL_CALLBACK.
+
+The entropy gathering code will be run during DRBG initialisation,
+which happens during the call to startup(). In the case of iPXE
+compiled as an EFI application this code will run within the scope of
+efi_snp_claim() and so will execute at TPL_CALLBACK as expected.
+
+In the case of iPXE compiled as an EFI driver the code will
+incorrectly run at TPL_APPLICATION since there is nothing within the
+EFI driver entry point that raises (and restores) the TPL. The net
+effect is that a build that includes the entropy-gathering code
+(e.g. a build with HTTPS enabled) will return from the driver entry
+point at TPL_CALLBACK, which causes a system lockup.
+
+Fix by raising and restoring the TPL within the EFI driver entry
+point.
+
+Debugged-by: Ignat Korchagin
+Signed-off-by: Michael Brown
+(cherry picked from commit 2ae5d4338661b65c63eb5cb1a96e5b803fe7d620)
+---
+ src/interface/efi/efidrvprefix.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/interface/efi/efidrvprefix.c b/src/interface/efi/efidrvprefix.c
+index 4fbb19ff..a8ef6673 100644
+--- a/src/interface/efi/efidrvprefix.c
++++ b/src/interface/efi/efidrvprefix.c
+@@ -34,16 +34,25 @@ FILE_LICENCE ( GPL2_OR_LATER );
+ */
+ EFI_STATUS EFIAPI _efidrv_start ( EFI_HANDLE image_handle,
+ EFI_SYSTEM_TABLE *systab ) {
++ EFI_BOOT_SERVICES *bs;
++ EFI_TPL saved_tpl;
+ EFI_STATUS efirc;
+
+ /* Initialise EFI environment */
+ if ( ( efirc = efi_init ( image_handle, systab ) ) != 0 )
+ return efirc;
+
++ /* Raise TPL */
++ bs = efi_systab->BootServices;
++ saved_tpl = bs->RaiseTPL ( TPL_CALLBACK );
++
+ /* Initialise iPXE environment */
+ initialise();
+ startup();
+
++ /* Restore TPL */
++ bs->RestoreTPL ( saved_tpl );
++
+ return 0;
+ }
+
diff --git a/ipxe.spec b/ipxe.spec
index 20e2604..6455c0f 100644
--- a/ipxe.spec
+++ b/ipxe.spec
@@ -3,6 +3,12 @@
 %global efi_ia32 1
 %endif
 
+# With the addition of HTTPS support, we need to drop
+# efi_ia32 so qemu roms still stay in the expected size
+# range. If no one complains we can drop the efi_ia32
+# infrastructure in 2021 IMO
+%global efi_ia32 0
+
 # PCI IDs (vendor,product) of the ROMS we want for QEMU
 #
 # pcnet32: 0x1022 0x2000
@@ -59,6 +65,7 @@ Source0: %{name}-%{version}-git%{hash}.tar.xz
 # Sent upstream: http://lists.ipxe.org/pipermail/ipxe-devel/2015-November/004494.html
 Patch0001: 0001-build-customize-configuration.patch
 Patch0002: 0002-Use-spec-compliant-timeouts.patch
+Patch0003: 0003-efi-Raise-TPL-during-driver-entry-point.patch
 
 %ifarch %{buildarches}
 BuildRequires: perl-interpreter
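Review bot: In the `_efidrv_start` hunk of 0003-efi-Raise-TPL-during-driver-entry-point.patch, the comments `/* Raise TPL */` and `/* Restore TPL */` only restate the calls; the reason the entry point must already be at TPL_CALLBACK exists only in the commit message. A comment such as `/* Raise TPL: startup() may gather entropy, which restores to TPL_CALLBACK */` would keep that invariant next to the code it protects. The early `return efirc` sits before the RaiseTPL call, so the raise and restore are balanced on both exit paths visible here; the doc comment above the function begins outside the hunk. Because the patch is a cherry-pick of an upstream commit, the wording change is better proposed upstream than carried as a local delta.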