rpms/shim
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Get rid of unused patches.

Browse Source 
Signed-off-by: Peter Jones <pjones@redhat.com>
This commit is contained in:
Peter Jones 2014-10-14 10:38:05 -04:00
parent 5fbba32ca2
commit d854b5dba9
9 changed files with 0 additions and 465 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
0001-Don-t-use-MMX-and-SSE-registers-they-aren-t-initiali.patch
View File

@ -1,59 +0,0 @@
From 2a1167083fc6fa313a202afe179dbae080f04b95 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 31 May 2013 15:22:37 -0400
Subject: [PATCH] Don't use MMX and SSE registers, they aren't initialized.
GCC 4.8.0 will try to use these by default, and you'll wind up looping
across the (uninitialized!) trap handler for uninitialized instructions.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
Cryptlib/Makefile | 2 +-
Cryptlib/OpenSSL/Makefile | 2 +-
Makefile | 4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile
index 925db8d..f1add83 100644
--- a/Cryptlib/Makefile
+++ b/Cryptlib/Makefile
@@ -10,7 +10,7 @@ LIB_GCC = $(shell $(CC) -print-libgcc-file-name)
EFI_LIBS = -lefi -lgnuefi $(LIB_GCC)
CFLAGS = -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
- -Wall $(EFI_INCLUDES) -mno-red-zone
+ -Wall $(EFI_INCLUDES) -mno-red-zone -mno-sse -mno-mmx
ifeq ($(ARCH),x86_64)
CFLAGS += -DEFI_FUNCTION_WRAPPER
endif
diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile
index 7fde382..1bae841 100644
--- a/Cryptlib/OpenSSL/Makefile
+++ b/Cryptlib/OpenSSL/Makefile
@@ -9,7 +9,7 @@ EFI_PATH = /usr/lib64/gnuefi
LIB_GCC = $(shell $(CC) -print-libgcc-file-name)
EFI_LIBS = -lefi -lgnuefi $(LIB_GCC)
-CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \
+CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc -mno-mmx -mno-sse \
-Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -DSIXTY_FOUR_BIT_LONG -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_SHA512 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC -mno-red-zone
ifeq ($(ARCH),x86_64)
CFLAGS += -DEFI_FUNCTION_WRAPPER
diff --git a/Makefile b/Makefile
index 287fbcf..c8f6ec8 100644
--- a/Makefile
+++ b/Makefile
@@ -14,8 +14,8 @@ EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/
EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
EFI_LDS = $(EFI_PATH)/elf_$(ARCH)_efi.lds
-CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
- -Wall -mno-red-zone \
+CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
+ -fshort-wchar -Wall -mno-red-zone -mno-mmx -mno-sse \
$(EFI_INCLUDES)
ifeq ($(ARCH),x86_64)
CFLAGS += -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI
--
1.8.2.1

34
0001-Don-t-use-shim_cert-for-verifying-MoK-fedora-will-do.patch
View File

@ -1,34 +0,0 @@
From 878dc1a6a76eab7d9fee897ecc978e55e3fc80ed Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 10 Jun 2013 18:08:50 -0400
Subject: [PATCH] Don't use shim_cert for verifying MoK; fedora will do its own
signing.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
shim.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/shim.c b/shim.c
index 94b9710..4edd0b6 100644
--- a/shim.c
+++ b/shim.c
@@ -702,6 +702,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
return status;
}
+#if 0
/*
* Check against the shim build key
*/
@@ -713,6 +714,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
Print(L"Binary is verified by the vendor certificate\n");
return status;
}
+#endif
/*
--
1.8.2.1

32
0001-EFI_PXE_BASE_CODE_DHCPV6_PACKET-is-in-gnu-efi-3.0t.patch
View File

@ -1,32 +0,0 @@
From 5a82ef99c8ff146280cb4134d84ee242d3bdb98d Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 30 May 2013 17:23:19 -0400
Subject: [PATCH] EFI_PXE_BASE_CODE_DHCPV6_PACKET is in gnu-efi-3.0t
---
netboot.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git b/netboot.c a/netboot.c
index c44aeac..90fb9cb 100644
--- b/netboot.c
+++ a/netboot.c
@@ -56,6 +56,15 @@ static EFI_IP_ADDRESS tftp_addr;
static char *full_path;
+/*
+ * Not in the EFI header set yet, so I have to declare it here
+ */
+typedef struct {
+ UINT32 MessageType:8;
+ UINT32 TransactionId:24;
+ UINT8 DhcpOptions[1024];
+} EFI_PXE_BASE_CODE_DHCPV6_PACKET;
+
typedef struct {
UINT16 OpCode;
UINT16 Length;
--
1.8.2.1

26
0001-Fix-grub-path.patch
View File

@ -1,26 +0,0 @@
From 8f20d5f78a67675ac8920e0ba67581563b921465 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 14 May 2013 13:12:43 -0400
Subject: [PATCH] Fix grub path
Signed-off-by: Peter Jones <shim-owner@fedoraproject.org>
---
shim.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shim.c b/shim.c
index f2b8f1d..d28e0cd 100644
--- a/shim.c
+++ b/shim.c
@@ -43,7 +43,7 @@
#include "shim_cert.h"
#include "ucs2.h"
-#define DEFAULT_LOADER L"\\grub.efi"
+#define DEFAULT_LOADER L"\\grubx64.efi"
#define FALLBACK L"\\fallback.efi"
#define MOK_MANAGER L"\\MokManager.efi"
--
1.8.2.1

61
0001-Fix-some-pointer-casting-issues.patch
View File

@ -1,61 +0,0 @@
From 75593536b4cf1ab5803a45240a90168bc4698573 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 11 Jun 2013 14:58:25 -0400
Subject: [PATCH] Fix some pointer casting issues.
This also fixes the size of an empty vendor_cert or dbx_cert.
Signed-off-by: Peter Jones <shim-owner@fedoraproject.org>
---
cert.S | 2 +-
shim.c | 9 +++++----
2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/cert.S b/cert.S
index 2ed9b6d..66a05b8 100644
--- a/cert.S
+++ b/cert.S
@@ -32,5 +32,5 @@ vendor_cert:
.size vendor_cert_size, 4
.section .vendor_cert, "a", @progbits
vendor_cert_size:
- .long 1
+ .long 0
#endif
diff --git a/shim.c b/shim.c
index 8ffcad6..a573037 100644
--- a/shim.c
+++ b/shim.c
@@ -59,7 +59,7 @@ static UINT32 load_options_size;
*/
extern UINT8 vendor_cert[];
extern UINT32 vendor_cert_size;
-extern EFI_SIGNATURE_LIST *vendor_dbx;
+extern UINT8 vendor_dbx[];
extern UINT32 vendor_dbx_size;
#define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
@@ -359,16 +359,17 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert,
UINT8 *sha256hash, UINT8 *sha1hash)
{
EFI_GUID secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
+ EFI_SIGNATURE_LIST *dbx = (EFI_SIGNATURE_LIST *)vendor_dbx;
- if (check_db_hash_in_ram(vendor_dbx, vendor_dbx_size, sha256hash,
+ if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha256hash,
SHA256_DIGEST_SIZE, EfiHashSha256Guid) ==
DATA_FOUND)
return EFI_ACCESS_DENIED;
- if (check_db_hash_in_ram(vendor_dbx, vendor_dbx_size, sha1hash,
+ if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha1hash,
SHA1_DIGEST_SIZE, EfiHashSha1Guid) ==
DATA_FOUND)
return EFI_ACCESS_DENIED;
- if (check_db_cert_in_ram(vendor_dbx, vendor_dbx_size, cert,
+ if (check_db_cert_in_ram(dbx, vendor_dbx_size, cert,
sha256hash) == DATA_FOUND)
return EFI_ACCESS_DENIED;
--
1.8.2.1

54
mokutil-correct-moklistrt-size.patch
View File

@ -1,54 +0,0 @@
From jwboyer@redhat.com Tue Dec 11 11:12:04 2012
Return-Path: jwboyer@redhat.com
Received: from zmta04.collab.prod.int.phx2.redhat.com (LHLO
zmta04.collab.prod.int.phx2.redhat.com) (10.5.81.11) by
zmail14.collab.prod.int.phx2.redhat.com with LMTP; Tue, 11 Dec 2012
11:12:04 -0500 (EST)
Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])
by zmta04.collab.prod.int.phx2.redhat.com (Postfix) with ESMTP id 02F16D0D4D
for <pjones@mail.corp.redhat.com>; Tue, 11 Dec 2012 11:12:04 -0500 (EST)
Received: from hansolo.jdub.homelinux.org ([10.3.113.16])
by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id qBBGC1N7022642
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO);
Tue, 11 Dec 2012 11:12:03 -0500
Date: Tue, 11 Dec 2012 11:12:01 -0500
From: Josh Boyer <jwboyer@redhat.com>
To: pjones@redhat.com
Cc: mjg59@srcf.ucam.org
Subject: [PATCH] Fix SignatureSize field when importing a new cert
Message-ID: <20121211161200.GA999@hansolo.jdub.homelinux.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12
Status: RO
Content-Length: 842
Lines: 25
The SignatureSize field should be the length of the certificate plus
16 per the UEFI spec. Remove the extraneous addition of
sizeof(EFI_SIGNATURE_DATA) from the calculation so that certs enrolled
in MokListRT are parsable.
---
src/mokutil.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/mokutil-0.1.0/src/mokutil.c b/mokutil-0.1.0/src/mokutil.c
index ca46488..f94aee4 100644
--- a/mokutil-0.1.0/src/mokutil.c
+++ b/mokutil-0.1.0/src/mokutil.c
@@ -485,8 +485,7 @@ import_moks (char **files, uint32_t total)
CertList->SignatureListSize = sizes[i] +
sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA) - 1;
CertList->SignatureHeaderSize = 0;
- CertList->SignatureSize = sizes[i] +
- sizeof(EFI_SIGNATURE_DATA) + 16;
+ CertList->SignatureSize = sizes[i] + 16;
CertData->SignatureOwner = SHIM_LOCK_GUID;
fd = open (files[i], O_RDONLY);
--
1.8.0.1

7
shim-fedora.diff
View File

File diff suppressed because one or more lines are too long

63
shim-image-size.patch
View File

@ -1,63 +0,0 @@
From d3a9d4e8404e0f402fb371066f0e405ed3cecc29 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Tue, 14 Aug 2012 06:50:00 -0400
Subject: [PATCH] Use the file size, not the image size field, for
verification.
---
shim.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/shim.c b/shim.c
index 2d9044d..6a3c054 100644
--- a/shim.c
+++ b/shim.c
@@ -555,7 +555,7 @@ done:
/*
* Read the binary header and grab appropriate information from it
*/
-static EFI_STATUS read_header(void *data,
+static EFI_STATUS read_header(void *data, unsigned int datasize,
PE_COFF_LOADER_IMAGE_CONTEXT *context)
{
EFI_IMAGE_DOS_HEADER *DosHdr = data;
@@ -590,7 +590,7 @@ static EFI_STATUS read_header(void *data,
context->FirstSection = (EFI_IMAGE_SECTION_HEADER *)((char *)PEHdr + PEHdr->Pe32.FileHeader.SizeOfOptionalHeader + sizeof(UINT32) + sizeof(EFI_IMAGE_FILE_HEADER));
context->SecDir = (EFI_IMAGE_DATA_DIRECTORY *) &PEHdr->Pe32Plus.OptionalHeader.DataDirectory[EFI_IMAGE_DIRECTORY_ENTRY_SECURITY];
- if (context->SecDir->VirtualAddress >= context->ImageSize) {
+ if (context->SecDir->VirtualAddress >= datasize) {
Print(L"Malformed security header\n");
return EFI_INVALID_PARAMETER;
}
@@ -606,7 +606,8 @@ static EFI_STATUS read_header(void *data,
/*
* Once the image has been loaded it needs to be validated and relocated
*/
-static EFI_STATUS handle_grub (void *data, int datasize, EFI_LOADED_IMAGE *li)
+static EFI_STATUS handle_grub (void *data, unsigned int datasize,
+ EFI_LOADED_IMAGE *li)
{
EFI_STATUS efi_status;
char *buffer;
@@ -615,7 +616,7 @@ static EFI_STATUS handle_grub (void *data, int datasize, EFI_LOADED_IMAGE *li)
char *base, *end;
PE_COFF_LOADER_IMAGE_CONTEXT context;
- efi_status = read_header(data, &context);
+ efi_status = read_header(data, datasize, &context);
if (efi_status != EFI_SUCCESS) {
Print(L"Failed to read header\n");
return efi_status;
@@ -843,7 +844,7 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size)
if (!secure_mode())
return EFI_SUCCESS;
- status = read_header(buffer, &context);
+ status = read_header(buffer, size, &context);
if (status != EFI_SUCCESS)
return status;
--
1.7.11.2

129
shim-vendor-cert-file.patch
View File

@ -1,129 +0,0 @@
From be817236507a104ec9b0e8be57daab0e2bab40ce Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 13 Aug 2012 17:06:46 -0400
Subject: [PATCH] Allow specification of vendor_cert through a build command
line option.
This allows you to specify the vendor_cert as a file on the command line
during build.
---
Makefile | 16 +++++++++++-----
cert.S | 32 ++++++++++++++++++++++++++++++++
cert.h | 1 -
shim.c | 6 +++---
4 files changed, 46 insertions(+), 9 deletions(-)
create mode 100644 cert.S
delete mode 100644 cert.h
diff --git a/Makefile b/Makefile
index 1e3a020..66b105f 100644
--- a/Makefile
+++ b/Makefile
@@ -14,24 +14,30 @@ EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/
EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o
EFI_LDS = $(EFI_PATH)/elf_$(ARCH)_efi.lds
-
CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
-Wall -mno-red-zone \
$(EFI_INCLUDES)
ifeq ($(ARCH),x86_64)
CFLAGS += -DEFI_FUNCTION_WRAPPER
endif
+ifneq ($(origin VENDOR_CERT_FILE), undefined)
+ CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\"
+endif
+
LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS)
-TARGET = shim.efi
-OBJS = shim.o shim.so
-SOURCES = shim.c shim.h signature.h PeImage.h cert.h
+TARGET = shim.efi
+OBJS = shim.o cert.o
+SOURCES = shim.c shim.h signature.h PeImage.h
all: $(TARGET)
shim.o: $(SOURCES)
-shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a
+cert.o : cert.S
+ $(CC) $(CFLAGS) -c -o $@ $<
+
+shim.so: $(OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a cert.o
$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS)
Cryptlib/libcryptlib.a:
diff --git a/cert.S b/cert.S
new file mode 100644
index 0000000..129bab5
--- /dev/null
+++ b/cert.S
@@ -0,0 +1,32 @@
+#if defined(VENDOR_CERT_FILE)
+ .globl vendor_cert
+ .data
+ .align 16
+ .type vendor_cert, @object
+ .size vendor_cert_size, vendor_cert_size-vendor_cert
+vendor_cert:
+.incbin VENDOR_CERT_FILE
+
+ .globl vendor_cert_size
+ .data
+ .align 16
+ .type vendor_cert_size, @object
+ .size vendor_cert_size, 4
+vendor_cert_size:
+ .long vendor_cert_size - vendor_cert
+#else
+ .globl vendor_cert
+ .bss
+ .type vendor_cert, @object
+ .size vendor_cert, 1
+vendor_cert:
+ .zero 1
+
+ .globl vendor_cert_size
+ .data
+ .align 4
+ .type vendor_cert_size, @object
+ .size vendor_cert_size, 4
+vendor_cert_size:
+ .long 1
+#endif
diff --git a/cert.h b/cert.h
deleted file mode 100644
index 380bc04..0000000
--- a/cert.h
+++ /dev/null
@@ -1 +0,0 @@
-static UINT8 vendor_cert[] = {0x00};
diff --git a/shim.c b/shim.c
index fc3dafc..2d9044d 100644
--- a/shim.c
+++ b/shim.c
@@ -48,8 +48,8 @@ static EFI_STATUS (EFIAPI *entry_point) (EFI_HANDLE image_handle, EFI_SYSTEM_TAB
/*
* The vendor certificate used for validating the second stage loader
*/
-
-#include "cert.h"
+extern UINT8 vendor_cert[];
+extern UINT32 vendor_cert_size;
#define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }}
@@ -535,7 +535,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize,
if (!AuthenticodeVerify(cert->CertData,
context->SecDir->Size - sizeof(cert->Hdr),
- vendor_cert, sizeof(vendor_cert), hash,
+ vendor_cert, vendor_cert_size, hash,
SHA256_DIGEST_SIZE)) {
Print(L"Invalid signature\n");
status = EFI_ACCESS_DENIED;
--
1.7.11.2