<feed xmlns='http://www.w3.org/2005/Atom'>
<title>efi-boot-shim.git, branch 15.8</title>
<subtitle> (mirror of https://github.com/vyos/efi-boot-shim.git)
</subtitle>
<id>https://git.amelek.net/vyos/efi-boot-shim.git/atom?h=15.8</id>
<link rel='self' href='https://git.amelek.net/vyos/efi-boot-shim.git/atom?h=15.8'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/'/>
<updated>2024-01-22T19:18:05+00:00</updated>
<entry>
<title>Bump version to 15.8</title>
<updated>2024-01-22T19:18:05+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2023-09-25T18:52:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=5914984a1ffeab841f482c791426d7ca9935a5e6'/>
<id>urn:sha1:5914984a1ffeab841f482c791426d7ca9935a5e6</id>
<content type='text'>
What's changed
* Various CVE fixes:
  CVE-2023-40546: mok: fix LogError() invocation
  CVE-2023-40547: avoid incorrectly trusting HTTP headers
  CVE-2023-40548: Fix integer overflow on SBAT section size on 32-bit system
  CVE-2023-40549: Authenticode: verify that the signature header is in bounds.
  CVE-2023-40550: pe: Fix an out-of-bound read in verify_buffer_sbat()
  CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
* Add make infrastructure to set the NX_COMPAT flag by @vathpela in https://github.com/rhboot/shim/pull/530
* Make sbat_var.S parse right with buggy gcc/binutils by @vathpela in https://github.com/rhboot/shim/pull/535
* Drop invalid calls to CRYPTO_set_mem_functions by @nicholasbishop in https://github.com/rhboot/shim/pull/537
* pe: Align section size up to page size for mem attrs by @nicholasbishop in https://github.com/rhboot/shim/pull/539
* test-sbat: Fix exit code by @vathpela in https://github.com/rhboot/shim/pull/540
* pe: Add IS_PAGE_ALIGNED macro by @nicholasbishop in https://github.com/rhboot/shim/pull/541
* CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper by @nicholasbishop in https://github.com/rhboot/shim/pull/546
* Don't loop forever in load_certs() with buggy firmware by @rmetrich in https://github.com/rhboot/shim/pull/547
* Block Debian grub binaries with SBAT &lt; 4 by @steve-mcintyre in https://github.com/rhboot/shim/pull/550
* Shim unable to locate grubx64 in PXE boot mode when grubx64 is stored in a different file path by @Alberto-Perez-Guevara in https://github.com/rhboot/shim/pull/551
* Further improve load_certs() for non-compliant drivers/firmwares by @pbatard in https://github.com/rhboot/shim/pull/560
* pe: only process RelocDir-&gt;Size of reloc section by @mikebeaton in https://github.com/rhboot/shim/pull/562
* Rename 'msecs' to 'usecs' to avoid potential confusion by @aronowski in https://github.com/rhboot/shim/pull/563
* Optionally allow to keep shim protocol installed by @bluca in https://github.com/rhboot/shim/pull/565
* SBAT-related documents formatting and spelling by @aronowski in https://github.com/rhboot/shim/pull/566
* Add SbatLevel_Variable.txt to document the various revocations by @jsetje in https://github.com/rhboot/shim/pull/569
* Add a security contact email address in README.md by @vathpela in https://github.com/rhboot/shim/pull/572
* Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL by @vathpela in https://github.com/rhboot/shim/pull/576
* mok: fix LogError() invocation by @vathpela in https://github.com/rhboot/shim/pull/577
* Minor housekeeping by @vathpela in https://github.com/rhboot/shim/pull/578
* Test ImageAddress() by @vathpela in https://github.com/rhboot/shim/pull/579
* FreePages() is used to return memory allocated by AllocatePages() by @dennis-tseng99 in https://github.com/rhboot/shim/pull/580
* Size should minus 1 when calculating 'RelocBaseEnd' by @jsetje in https://github.com/rhboot/shim/pull/581
* Verify signature before verifying sbat levels by @jsetje in https://github.com/rhboot/shim/pull/583
* Add libFuzzer support for csv.c and sbat.c by @vathpela in https://github.com/rhboot/shim/pull/584
* mok: Avoid underflow in maximum variable size calculation by @alpernebbi in https://github.com/rhboot/shim/pull/587
* Housekeeping by @vathpela in https://github.com/rhboot/shim/pull/605

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
<entry>
<title>gitmodules: use shim-15.8 for gnu-efi branch</title>
<updated>2024-01-22T19:17:20+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2023-12-07T22:11:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=1770a03423123b195b2e95ad4ce52ef30c907d43'/>
<id>urn:sha1:1770a03423123b195b2e95ad4ce52ef30c907d43</id>
<content type='text'>
Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
<entry>
<title>Try to load revocations.efi even if directory read fails</title>
<updated>2024-01-22T19:17:20+00:00</updated>
<author>
<name>Jan Setje-Eilers</name>
<email>jan.setjeeilers@oracle.com</email>
</author>
<published>2023-12-15T22:49:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=993a345dc3657d47f0e5e1c55cfddfd5f9866053'/>
<id>urn:sha1:993a345dc3657d47f0e5e1c55cfddfd5f9866053</id>
<content type='text'>
Network booting tends to expose things like a tftp server
as a filesystem that doesn't implement directory listing.
This will blindly try to ingest a revocations.efi file in
those cases, even if that may result in some console noise
when the file does not exist.

Signed-off-by: Jan Setje-Eilers &lt;Jan.SetjeEilers@oracle.com&gt;
</content>
</entry>
<entry>
<title>netboot read_image() should not hardcode DEFAULT_LOADER</title>
<updated>2024-01-22T19:17:20+00:00</updated>
<author>
<name>Jan Setje-Eilers</name>
<email>jan.setjeeilers@oracle.com</email>
</author>
<published>2023-12-16T05:31:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=a23e2f0de7a61b6e895a915676eba3a1fda2cd78'/>
<id>urn:sha1:a23e2f0de7a61b6e895a915676eba3a1fda2cd78</id>
<content type='text'>
The netboot path up until now hardcodes DEFAULT_LOADER as
the only possible filename to load. This is pretty limiting
and needs to be fixed.

Signed-off-by: Jan Setje-Eilers &lt;Jan.SetjeEilers@oracle.com&gt;
</content>
</entry>
<entry>
<title>Build time selectable automatic SBATLevel revocations</title>
<updated>2024-01-22T19:17:20+00:00</updated>
<author>
<name>Jan Setje-Eilers</name>
<email>jan.setjeeilers@oracle.com</email>
</author>
<published>2023-12-14T04:32:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=6f395c23466a2bc08a28bbc216d6665ade0b117d'/>
<id>urn:sha1:6f395c23466a2bc08a28bbc216d6665ade0b117d</id>
<content type='text'>
The ability to automatically apply SBATLevel revocations varies
from distro to distro. This allows distros that are able to
automatically apply SBATLevel revocations when shim is updated to
select a level by supplying SBAT_AUTOMATIC_DATE=&lt;datestamp&gt; on the
make command line. Currently the following options are available:

2021030218 no revocations - useful for distros that need to rely on
                            an externally delivered revocations.efi

2022052400 grub,2

2022111500 shim,2
           grub,3

2023012900 shim,2
           grub,3
           grub.debian,4

If no datestamp is specified the build will default to the
most recent, 2023012900.

Signed-off-by: Jan Setje-Eilers &lt;Jan.SetjeEilers@oracle.com&gt;
</content>
</entry>
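The SBAT_AUTOMATIC_DATE levels described in the commit above, as an added example that is not part of the shim project's code: a small Python model of how one of those SBATLevel payloads is applied to the .sbat CSV of a binary. It assumes the payload layout documented in shim's SBAT.md (a `sbat,1,DATESTAMP` header line followed by `component,minimum_generation` lines) and shim's rule that a binary is revoked when any listed component is present in it at a lower generation; the binary SBAT strings are constructed for the example, not taken from real images, and the function names are the example's own.

```python
# Added example, not shim's code: a Python model of how one SBATLevel
# revocation payload is applied to the .sbat CSV of a binary.
#
# Assumptions (from shim's SBAT.md; treat as such): each SBAT line is
#   component_name,component_generation[,vendor_name,vendor_package,...]
# and a revocation payload starts with a "sbat,1,DATESTAMP" header followed
# by "component,minimum_generation" lines. A binary is revoked when any
# listed component appears in it at a generation below the minimum.

# The four SBAT_AUTOMATIC_DATE payloads listed in the commit message above.
AUTOMATIC_LEVELS = {
    "2021030218": "sbat,1,2021030218\n",
    "2022052400": "sbat,1,2022052400\ngrub,2\n",
    "2022111500": "sbat,1,2022111500\nshim,2\ngrub,3\n",
    "2023012900": "sbat,1,2023012900\nshim,2\ngrub,3\ngrub.debian,4\n",
}

# Constructed .sbat contents for illustration; not copied from real images.
GRUB_DEBIAN_GEN4 = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
    "grub.debian,4,Debian,grub2,2.06-13,https://tracker.debian.org/pkg/grub2\n"
)
GRUB_DEBIAN_GEN3 = GRUB_DEBIAN_GEN4.replace("grub.debian,4", "grub.debian,3")
GRUB_UPSTREAM_GEN2 = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
)


def parse_sbat_csv(text):
    """Return [(component, generation), ...] from SBAT CSV text.

    Blank lines are skipped. Any line lacking a numeric generation field is
    rejected outright rather than guessed at.
    """
    entries = []
    for raw in text.split("\n"):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(",")
        if len(fields) >= 2 and fields[1].isdigit():
            entries.append((fields[0], int(fields[1])))
        else:
            raise ValueError("malformed SBAT line: %r" % line)
    return entries


def is_revoked(binary_sbat, level_payload):
    """Apply one revocation payload to a binary's SBAT data.

    Returns (revoked, reason). Components the payload does not name are
    unaffected, which is why a grub.debian,3 image passes the 2022111500
    level but fails 2023012900.
    """
    binary = parse_sbat_csv(binary_sbat)
    if not binary:
        # Assumed here to match shim, which refuses images without .sbat data.
        return True, "no SBAT data"
    for component, min_gen in parse_sbat_csv(level_payload):
        for name, gen in binary:
            if name == component and min_gen > gen:
                return True, "%s generation %d is below required %d" % (
                    component, gen, min_gen)
    return False, "ok"


def check_against_level(binary_sbat, datestamp):
    """Convenience wrapper keyed by the SBAT_AUTOMATIC_DATE value."""
    return is_revoked(binary_sbat, AUTOMATIC_LEVELS[datestamp])


if __name__ == "__main__":
    for label, sbat in (("grub.debian gen 4", GRUB_DEBIAN_GEN4),
                        ("grub.debian gen 3", GRUB_DEBIAN_GEN3),
                        ("upstream grub gen 2", GRUB_UPSTREAM_GEN2)):
        for date in sorted(AUTOMATIC_LEVELS):
            print(label, date, check_against_level(sbat, date))
```

Running the block prints, for each constructed image, which of the four dated levels would revoke it; the upstream grub generation 2 image is the one that turns from accepted to revoked between 2022052400 and 2022111500, and only the 2023012900 level touches the Debian-specific grub.debian entry.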
<entry>
<title>Rename "previous" revocations to "automatic"</title>
<updated>2024-01-22T19:17:20+00:00</updated>
<author>
<name>Jan Setje-Eilers</name>
<email>jan.setjeeilers@oracle.com</email>
</author>
<published>2023-12-14T01:59:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=30a4f3751a8da09ab0853f1a384b80096828cc34'/>
<id>urn:sha1:30a4f3751a8da09ab0853f1a384b80096828cc34</id>
<content type='text'>
When the term previous was introduced for revocations to be
automatically applied there was a hope that every time a new
revocation was built into shim, the previous revocation could
be applied automatically. Further experience has shown the
real world to be more complex than that. The automatic payload
will realistically contain a set of revocations governed by
both the cadence at which a distro's customer base updates
as well as the severity of the issue being revoked.

This is not a functional change.

Signed-off-by: Jan Setje-Eilers &lt;Jan.SetjeEilers@oracle.com&gt;
</content>
</entry>
<entry>
<title>Suppress "Failed to open &lt;..&gt;\revocations.efi" when file does not exist</title>
<updated>2024-01-22T19:17:20+00:00</updated>
<author>
<name>Jan Setje-Eilers</name>
<email>jan.setjeeilers@oracle.com</email>
</author>
<published>2023-12-06T23:43:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=c46c975591b99a4c7374b3f14bcd500f316d0b73'/>
<id>urn:sha1:c46c975591b99a4c7374b3f14bcd500f316d0b73</id>
<content type='text'>
Attempting to call loadimage on revocations.efi when it isn't present
results in error messages being printed to the console on at
least some firmware:

	Failed to open \EFI\distro\revocations.efi - Not Found
	Failed to load image ...: Not Found

Of course this is going to be the normal case on nearly all systems, at
least to begin with. Since we are about to loop through the directory
entries anyway, we can just make two passes, first looking for
revocations.efi and then looking for shim_certificate.efi. This will
still ensure that any revocations in revocations.efi are picked up
before shim_certificate.efi is loaded without resulting in any noise on
the console.

Signed-off-by: Jan Setje-Eilers &lt;Jan.SetjeEilers@oracle.com&gt;
</content>
</entry>
<entry>
<title>pe-relocate: Avoid __builtin_add_overflow() on GCC &lt; 5</title>
<updated>2024-01-22T19:17:20+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2023-12-06T22:07:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=13abd9f51b285db7eb46bf375cae623bf1153404'/>
<id>urn:sha1:13abd9f51b285db7eb46bf375cae623bf1153404</id>
<content type='text'>
GCC 4 doesn't have __builtin_add_overflow() and friends, so this results
in a compiler error.

On platforms using that version, do the arithmetic without it.

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
<entry>
<title>post-process-pe: Don't set the NX_COMPAT flag by default after all.</title>
<updated>2024-01-22T19:17:20+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2023-12-01T23:19:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=be8ff7c2680fed067cdd76df0afc43138c24cc0d'/>
<id>urn:sha1:be8ff7c2680fed067cdd76df0afc43138c24cc0d</id>
<content type='text'>
We thought we would fully support NX compatibility in the full stack for
this release, but all of the necessary components aren't *quite* ready
for this release.

This patch switches back the default that was changed in a53b9f7ceec1d,
but it leaves the build infrastructure in place.

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
<entry>
<title>Fix some minor ia32 build issues.</title>
<updated>2024-01-22T19:17:20+00:00</updated>
<author>
<name>Peter Jones</name>
<email>pjones@redhat.com</email>
</author>
<published>2023-09-25T20:49:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/efi-boot-shim.git/commit/?id=49c6d95bd5c4f57f004db1f25b57fe36ca1c7443'/>
<id>urn:sha1:49c6d95bd5c4f57f004db1f25b57fe36ca1c7443</id>
<content type='text'>
Several of our CVE fixes apparently were not well tested on 32-bit, and
needed some (uintptr_t) casts sprinkled about to build with
-Werror=pointer-to-int-cast.

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
</content>
</entry>
</feed>
