From ba65b5563e6d427de2a80cb53e744cacf6f29aeb Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Oct 04 2013 21:20:31 +0000 Subject: Update to 0.5 Signed-off-by: Peter Jones --- diff --git a/.gitignore b/.gitignore index b930343..6512969 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -/mokutil-*.tar.bz2 -/shim-*.tar.bz2 +/*.tar.gz +clog diff --git a/0001-Don-t-use-MMX-and-SSE-registers-they-aren-t-initiali.patch b/0001-Don-t-use-MMX-and-SSE-registers-they-aren-t-initiali.patch deleted file mode 100644 index a8f0ee5..0000000 --- a/0001-Don-t-use-MMX-and-SSE-registers-they-aren-t-initiali.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 2a1167083fc6fa313a202afe179dbae080f04b95 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Fri, 31 May 2013 15:22:37 -0400 -Subject: [PATCH] Don't use MMX and SSE registers, they aren't initialized. - -GCC 4.8.0 will try to use these by default, and you'll wind up looping -across the (uninitialized!) trap handler for uninitialized instructions. - -Signed-off-by: Peter Jones ---- - Cryptlib/Makefile | 2 +- - Cryptlib/OpenSSL/Makefile | 2 +- - Makefile | 4 ++-- - 3 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile -index 925db8d..f1add83 100644 ---- a/Cryptlib/Makefile -+++ b/Cryptlib/Makefile -@@ -10,7 +10,7 @@ LIB_GCC = $(shell $(CC) -print-libgcc-file-name) - EFI_LIBS = -lefi -lgnuefi $(LIB_GCC) - - CFLAGS = -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \ -- -Wall $(EFI_INCLUDES) -mno-red-zone -+ -Wall $(EFI_INCLUDES) -mno-red-zone -mno-sse -mno-mmx - ifeq ($(ARCH),x86_64) - CFLAGS += -DEFI_FUNCTION_WRAPPER - endif -diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile -index 7fde382..1bae841 100644 ---- a/Cryptlib/OpenSSL/Makefile -+++ b/Cryptlib/OpenSSL/Makefile -@@ -9,7 +9,7 @@ EFI_PATH = /usr/lib64/gnuefi - LIB_GCC = $(shell $(CC) -print-libgcc-file-name) - EFI_LIBS = -lefi -lgnuefi $(LIB_GCC) - --CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \ -+CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc -mno-mmx -mno-sse \ - -Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -DSIXTY_FOUR_BIT_LONG -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_SHA512 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC -mno-red-zone - ifeq ($(ARCH),x86_64) - CFLAGS += -DEFI_FUNCTION_WRAPPER -diff --git a/Makefile b/Makefile -index 287fbcf..c8f6ec8 100644 ---- a/Makefile -+++ b/Makefile -@@ -14,8 +14,8 @@ EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/ - EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o - EFI_LDS = $(EFI_PATH)/elf_$(ARCH)_efi.lds - --CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \ -- -Wall -mno-red-zone \ -+CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ -+ -fshort-wchar -Wall -mno-red-zone -mno-mmx -mno-sse \ - $(EFI_INCLUDES) - ifeq ($(ARCH),x86_64) - CFLAGS += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI --- -1.8.2.1 - diff --git a/0001-Don-t-use-shim_cert-for-verifying-MoK-fedora-will-do.patch b/0001-Don-t-use-shim_cert-for-verifying-MoK-fedora-will-do.patch deleted file mode 100644 index 1720b36..0000000 --- a/0001-Don-t-use-shim_cert-for-verifying-MoK-fedora-will-do.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 878dc1a6a76eab7d9fee897ecc978e55e3fc80ed Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Mon, 10 Jun 2013 18:08:50 -0400 -Subject: [PATCH] Don't use shim_cert for verifying MoK; fedora will do its own - signing. - -Signed-off-by: Peter Jones ---- - shim.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/shim.c b/shim.c -index 94b9710..4edd0b6 100644 ---- a/shim.c -+++ b/shim.c -@@ -702,6 +702,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, - return status; - } - -+#if 0 - /* - * Check against the shim build key - */ -@@ -713,6 +714,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, - Print(L"Binary is verified by the vendor certificate\n"); - return status; - } -+#endif - - - /* --- -1.8.2.1 - diff --git a/0001-EFI_PXE_BASE_CODE_DHCPV6_PACKET-is-in-gnu-efi-3.0t.patch b/0001-EFI_PXE_BASE_CODE_DHCPV6_PACKET-is-in-gnu-efi-3.0t.patch deleted file mode 100644 index f97f518..0000000 --- a/0001-EFI_PXE_BASE_CODE_DHCPV6_PACKET-is-in-gnu-efi-3.0t.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 5a82ef99c8ff146280cb4134d84ee242d3bdb98d Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 30 May 2013 17:23:19 -0400 -Subject: [PATCH] EFI_PXE_BASE_CODE_DHCPV6_PACKET is in gnu-efi-3.0t - ---- - netboot.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git b/netboot.c a/netboot.c -index c44aeac..90fb9cb 100644 ---- b/netboot.c -+++ a/netboot.c -@@ -56,6 +56,15 @@ static EFI_IP_ADDRESS tftp_addr; - static char *full_path; - - -+/* -+ * Not in the EFI header set yet, so I have to declare it here -+ */ -+typedef struct { -+ UINT32 MessageType:8; -+ UINT32 TransactionId:24; -+ UINT8 DhcpOptions[1024]; -+} EFI_PXE_BASE_CODE_DHCPV6_PACKET; -+ - typedef struct { - UINT16 OpCode; - UINT16 Length; --- -1.8.2.1 - diff --git a/0001-Fix-grub-path.patch b/0001-Fix-grub-path.patch deleted file mode 100644 index 01aac82..0000000 --- a/0001-Fix-grub-path.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 8f20d5f78a67675ac8920e0ba67581563b921465 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 14 May 2013 13:12:43 -0400 -Subject: [PATCH] Fix grub path - -Signed-off-by: Peter Jones ---- - shim.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/shim.c b/shim.c -index f2b8f1d..d28e0cd 100644 ---- a/shim.c -+++ b/shim.c -@@ -43,7 +43,7 @@ - #include "shim_cert.h" - #include "ucs2.h" - --#define DEFAULT_LOADER L"\\grub.efi" -+#define DEFAULT_LOADER L"\\grubx64.efi" - #define FALLBACK L"\\fallback.efi" - #define MOK_MANAGER L"\\MokManager.efi" - --- -1.8.2.1 - diff --git a/0001-Fix-some-pointer-casting-issues.patch b/0001-Fix-some-pointer-casting-issues.patch deleted file mode 100644 index 4a3b0a6..0000000 --- a/0001-Fix-some-pointer-casting-issues.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 75593536b4cf1ab5803a45240a90168bc4698573 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 11 Jun 2013 14:58:25 -0400 -Subject: [PATCH] Fix some pointer casting issues. - -This also fixes the size of an empty vendor_cert or dbx_cert. - -Signed-off-by: Peter Jones ---- - cert.S | 2 +- - shim.c | 9 +++++---- - 2 files changed, 6 insertions(+), 5 deletions(-) - -diff --git a/cert.S b/cert.S -index 2ed9b6d..66a05b8 100644 ---- a/cert.S -+++ b/cert.S -@@ -32,5 +32,5 @@ vendor_cert: - .size vendor_cert_size, 4 - .section .vendor_cert, "a", @progbits - vendor_cert_size: -- .long 1 -+ .long 0 - #endif -diff --git a/shim.c b/shim.c -index 8ffcad6..a573037 100644 ---- a/shim.c -+++ b/shim.c -@@ -59,7 +59,7 @@ static UINT32 load_options_size; - */ - extern UINT8 vendor_cert[]; - extern UINT32 vendor_cert_size; --extern EFI_SIGNATURE_LIST *vendor_dbx; -+extern UINT8 vendor_dbx[]; - extern UINT32 vendor_dbx_size; - - #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }} -@@ -359,16 +359,17 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert, - UINT8 *sha256hash, UINT8 *sha1hash) - { - EFI_GUID secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; -+ EFI_SIGNATURE_LIST *dbx = (EFI_SIGNATURE_LIST *)vendor_dbx; - -- if (check_db_hash_in_ram(vendor_dbx, vendor_dbx_size, sha256hash, -+ if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha256hash, - SHA256_DIGEST_SIZE, EfiHashSha256Guid) == - DATA_FOUND) - return EFI_ACCESS_DENIED; -- if (check_db_hash_in_ram(vendor_dbx, vendor_dbx_size, sha1hash, -+ if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha1hash, - SHA1_DIGEST_SIZE, EfiHashSha1Guid) == - DATA_FOUND) - return EFI_ACCESS_DENIED; -- if (check_db_cert_in_ram(vendor_dbx, vendor_dbx_size, cert, -+ if (check_db_cert_in_ram(dbx, vendor_dbx_size, cert, - sha256hash) == DATA_FOUND) - return EFI_ACCESS_DENIED; - --- -1.8.2.1 - diff --git a/mokutil-correct-moklistrt-size.patch b/mokutil-correct-moklistrt-size.patch deleted file mode 100644 index 2f3bcef..0000000 --- a/mokutil-correct-moklistrt-size.patch +++ /dev/null @@ -1,54 +0,0 @@ -From jwboyer@redhat.com Tue Dec 11 11:12:04 2012 -Return-Path: jwboyer@redhat.com -Received: from zmta04.collab.prod.int.phx2.redhat.com (LHLO - zmta04.collab.prod.int.phx2.redhat.com) (10.5.81.11) by - zmail14.collab.prod.int.phx2.redhat.com with LMTP; Tue, 11 Dec 2012 - 11:12:04 -0500 (EST) -Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) - by zmta04.collab.prod.int.phx2.redhat.com (Postfix) with ESMTP id 02F16D0D4D - for ; Tue, 11 Dec 2012 11:12:04 -0500 (EST) -Received: from hansolo.jdub.homelinux.org ([10.3.113.16]) - by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id qBBGC1N7022642 - (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); - Tue, 11 Dec 2012 11:12:03 -0500 -Date: Tue, 11 Dec 2012 11:12:01 -0500 -From: Josh Boyer -To: pjones@redhat.com -Cc: mjg59@srcf.ucam.org -Subject: [PATCH] Fix SignatureSize field when importing a new cert -Message-ID: <20121211161200.GA999@hansolo.jdub.homelinux.org> -MIME-Version: 1.0 -Content-Type: text/plain; charset=us-ascii -Content-Disposition: inline -User-Agent: Mutt/1.5.21 (2010-09-15) -X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12 -Status: RO -Content-Length: 842 -Lines: 25 - -The SignatureSize field should be the length of the certificate plus -16 per the UEFI spec. Remove the extraneous addition of -sizeof(EFI_SIGNATURE_DATA) from the calculation so that certs enrolled -in MokListRT are parsable. ---- - src/mokutil.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/mokutil-0.1.0/src/mokutil.c b/mokutil-0.1.0/src/mokutil.c -index ca46488..f94aee4 100644 ---- a/mokutil-0.1.0/src/mokutil.c -+++ b/mokutil-0.1.0/src/mokutil.c -@@ -485,8 +485,7 @@ import_moks (char **files, uint32_t total) - CertList->SignatureListSize = sizes[i] + - sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1; - CertList->SignatureHeaderSize = 0; -- CertList->SignatureSize = sizes[i] + -- sizeof(EFI_SIGNATURE_DATA) + 16; -+ CertList->SignatureSize = sizes[i] + 16; - CertData->SignatureOwner = SHIM_LOCK_GUID; - - fd = open (files[i], O_RDONLY); --- -1.8.0.1 - - diff --git a/shim.spec b/shim.spec index bb56c59..15657a6 100644 --- a/shim.spec +++ b/shim.spec @@ -1,5 +1,5 @@ Name: shim -Version: 0.4 +Version: 0.5 Release: 1%{?dist} Summary: First-stage UEFI bootloader @@ -9,8 +9,8 @@ Source0: https://github.com/mjg59/shim/archive/%{version}.tar.gz Source1: fedora-ca.cer # incorporate mokutil for packaging simplicity -%global mokutilver 0.1.0 -Source2: http://www.codon.org.uk/~mjg59/mokutil/mokutil-%{mokutilver}.tar.bz2 +%global mokutilver 0.2.0 +Source2: https://github.com/lcp/mokutil/archive/mokutil-%{mokutilver}.tar.bz2 # currently here's what's in our dbx: # grub2-efi-2.00-11.fc18.x86_64: @@ -22,24 +22,9 @@ Source2: http://www.codon.org.uk/~mjg59/mokutil/mokutil-%{mokutilver}.tar.bz2 # woops. Source3: dbx.esl -# this we'll always need, unless we phase in a rename of our grub binary. -Patch0: 0001-Fix-grub-path.patch - -# this we won't need in the next version of mokutil -Patch1: mokutil-correct-moklistrt-size.patch - -# this needs to be worked on upstream -Patch2: 0001-Don-t-use-shim_cert-for-verifying-MoK-fedora-will-do.patch - -# this will go away once a new gnu-efi actually works again -Patch3: 0001-EFI_PXE_BASE_CODE_DHCPV6_PACKET-is-in-gnu-efi-3.0t.patch - -# this will go away with shim 0.5 -Patch4: 0001-Fix-some-pointer-casting-issues.patch - BuildRequires: gnu-efi git openssl-devel openssl BuildRequires: pesign >= 0.106-1 -BuildRequires: gnu-efi = 3.0q +BuildRequires: gnu-efi = 3.0u, gnu-efi-devel = 3.0u # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not # compatible with SysV (there's no red zone under UEFI) and there isn't a @@ -78,7 +63,7 @@ Summary: Utilities for managing Secure Boot/MoK keys. Utilities for managing the "Machine's Own Keys" list. %prep -%setup -q -n shim-%{version} +%setup -q %setup -q -a 2 -D -T git init git config user.email "shim-owner@fedoraproject.org" @@ -92,7 +77,7 @@ MAKEFLAGS="" if [ -f "%{SOURCE1}" ]; then MAKEFLAGS="VENDOR_CERT_FILE=%{SOURCE1} VENDOR_DBX_FILE=%{SOURCE3}" fi -make ${MAKEFLAGS} shim.efi MokManager.efi fallback.efi +make 'DEFAULT_LOADER=\\\\grubx64.efi' ${MAKEFLAGS} shim.efi MokManager.efi fallback.efi cd mokutil-%{mokutilver} %configure make %{?_smp_mflags} @@ -125,6 +110,9 @@ install -m 0644 MokManager.efi.debug $RPM_BUILD_ROOT/usr/lib/debug/%{_datadir}/s /usr/share/man/man1/mokutil.1.gz %changelog +* Fri Oct 04 2013 Peter Jones - 0.5-1 +- Update to 0.5 + * Tue Jun 11 2013 Peter Jones - 0.4-1 - Update to 0.4 diff --git a/sources b/sources index 3e2751b..b155f4a 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -485218c423aef15de46d55d6de48c98b mokutil-0.1.0.tar.bz2 -8e7c5fe72ca0d911de9c1103a68eb455 shim-0.4.tar.bz2 +162dfa375a624ada5d8c9cbc44769c15 mokutil-0.2.0.tar.bz2 +ce460de9ddaf896e81dfa9e747190627 0.5.tar.gz