(mirror of https://github.com/vyos/efi-boot-shim.git) https://git.amelek.net/vyos/efi-boot-shim.git/atom?h=15.7 2022-11-16T21:35:47+00:00 2022-11-16T21:35:47+00:00 Peter Jones pjones@redhat.com 2022-11-16T18:28:18+00:00 urn:sha1:11491619f4336fef41c3519877ba242161763580 Signed-off-by: Peter Jones <pjones@redhat.com> 2022-11-16T21:35:47+00:00 Peter Jones pjones@redhat.com 2022-11-16T18:25:11+00:00 urn:sha1:dd8be98cf0fceddd9f156d2917565b18d38c4830 Due to the issues addressed in the 2022-11-15 batch of grub CVEs[0], we need to bump the sbat version from grub. This patch changes it from 2 to 3. [0] https://lists.gnu.org/archive/html/grub-devel/2022-11/msg00059.html Signed-off-by: Peter Jones <pjones@redhat.com> 2022-11-16T21:35:47+00:00 Peter Jones pjones@redhat.com 2022-11-15T21:36:09+00:00 urn:sha1:ea0d0a5be4323d4e403f97610a581bf34f044f4e Though we don't need to bump SBAT_LEVEL for this, we've decided to change the level to 3 here in case 53509eaf2253e23bfb552e9386fd0877abe592b4 turns out to be worse than we think it is, so we can fix that easily later. Signed-off-by: Peter Jones <pjones@redhat.com> 2022-11-16T21:35:47+00:00 Peter Jones pjones@redhat.com 2022-11-15T21:23:10+00:00 urn:sha1:616c566b3a47762c6cea71eb26db083e3eb66624 This adds a few more UEFI functions to our coverity model, so we see a few less false positives during scanning. It also fixes an error in our model for OpenSSL's OBJ_dup(). Signed-off-by: Peter Jones <pjones@redhat.com> 2022-11-15T18:07:29+00:00 Jian J Wang jian.j.wang@intel.com 2019-04-25T15:42:16+00:00 urn:sha1:53509eaf2253e23bfb552e9386fd0877abe592b4 AuthenticodeVerify() calls OpenSSLs d2i_PKCS7() API to parse asn encoded signed authenticode pkcs#7 data. when this successfully returns, a type check is done by calling PKCS7_type_is_signed() and then Pkcs7->d.sign->contents->type is used. It is possible to construct an asn1 blob that successfully decodes and have d2i_PKCS7() return a valid pointer and have PKCS7_type_is_signed() also return success but have Pkcs7->d.sign be a NULL pointer. Looking at how PKCS7_verify() [inside of OpenSSL] implements checking for pkcs7 structs it does the following: - call PKCS7_type_is_signed() - call PKCS7_get_detached() Looking into how PKCS7_get_detatched() is implemented, it checks to see if p7->d.sign is NULL or if p7->d.sign->contents->d.ptr is NULL. As such, the fix is to do the same as OpenSSL after calling d2i_PKCS7(). - Add call to PKS7_get_detached() to existing error handling Cc: Chao Zhang <chao.b.zhang@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Signed-off-by: Jian J Wang <jian.j.wang@intel.com> Cherry-picked-from: https://github.com/tianocore/edk2/commit/26442d11e620a9e81c019a24a4ff38441c64ba10 2022-11-14T19:32:42+00:00 Arthur Gautier arthur.gautier@arista.com 2022-10-21T20:20:45+00:00 urn:sha1:aa1b289a1a16774afc3143b8948d97261f0872d0 MokListTrusted was added by mistake to PCR 7 in 4e513405. The value of MokListTrusted does not alter the behavior of secure boot so, as per https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf#page=36 (section 3.3.4 PCR usage) so it should not be factored in the value of PCR 7. See: https://github.com/rhboot/shim/pull/423 https://github.com/rhboot/shim/commit/4e513405b4f1641710115780d19dcec130c5208f Fixes https://github.com/rhboot/shim/issues/484 Fixes https://github.com/rhboot/shim/issues/492 Signed-off-by: Arthur Gautier <arthur.gautier@arista.com> 2022-11-14T19:26:03+00:00 Julian Andres Klode julian.klode@canonical.com 2022-11-14T11:16:29+00:00 urn:sha1:5169769e0f84dd227592cb73da97dacd61ae40b9 Remove timestamps, user names, etc. from the tarball so that it can be built reproducibly by multiple people, on different machines. The outer bzip2 layer might still be different, no reproducible bzip2 known. Signed-off-by: Julian Andres Klode <julian.klode@canonical.com> 2022-11-14T19:13:24+00:00 Ilya Okomin ilya.okomin@oracle.com 2022-10-07T20:52:08+00:00 urn:sha1:17f02339ed1be9e90738603fe3c95ae7dc300061 Seen mokmanager image load failure '2 sections contain entry point' for shim built on Oracle Linux 9 aarch64. found_entry_point counter in handle_image() uses SizeOfRawData to calculate section boundary. PE spec defines VirtualSize for the total size of the section when loaded into memory. SizeOfRawData is the size of the section (for object files) or the size of the initialized data on disk. Fix this issue by updating section in-memory size limit to VirtualSize. Resolves: #517 Signed-off-by: Ilya Okomin <ilya.okomin@oracle.com> 2022-11-14T19:04:12+00:00 Nicholas Bishop nicholasbishop@google.com 2022-10-06T20:08:56+00:00 urn:sha1:0cf43ac6d78c6f47f8b91210639ac1aa63665f0b This changes the alignment of UINT64 data to 8 bytes on IA32, which matches EDK2's understanding of alignment. In particular this change affects the offset where shim writes `EFI_LOADED_IMAGE.ImageSize`. Fixes https://github.com/rhboot/shim/issues/515 Signed-off-by: Nicholas Bishop <nicholasbishop@google.com> 2022-11-08T17:46:46+00:00 Eric Snowberg eric.snowberg@oracle.com 2022-11-02T16:45:23+00:00 urn:sha1:ea4911c2f3ce8f8f703a1476febac86bb16b00fd Use the EFI RT memory function CopyMem instead of memcpy in load_cert_file. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>