| author | Steve McIntyre <steve@einval.com> | 2022-04-27 22:50:33 +0100 |
|---|---|---|
| committer | Steve McIntyre <steve@einval.com> | 2022-04-27 22:57:39 +0100 |
| commit | 7c81b875e35c50fe1902457e28c97a3210ceb190 (patch) | |
| tree | 2c02b9c355c34aed66108d044d8dd4acd1b52977 | |
| parent | acb8d1ffbca46190a934a5b27185a95ba4451fda (diff) | |
Start packaging updates for the new 15.51 upstream release
Remove all our patches, all upstream now.
| -rw-r--r-- | debian/changelog | 13 | ||||
| -rw-r--r-- | debian/patches/Don-t-call-QueryVariableInfo-on-EFI-1.10-machines.patch | 62 | ||||
| -rw-r--r-- | debian/patches/MOK-BootServicesData.patch | 34 | ||||
| -rw-r--r-- | debian/patches/fix-broken-ia32-reloc.patch | 27 | ||||
| -rw-r--r-- | debian/patches/fix-import_one_mok_state.patch | 36 | ||||
| -rw-r--r-- | debian/patches/fix_arm64_rela_sections.patch | 132 | ||||
| -rw-r--r-- | debian/patches/relax_check_for_import_mok_state.patch | 53 | ||||
| -rw-r--r-- | debian/patches/series | 6 |
8 files changed, 13 insertions, 350 deletions
diff --git a/debian/changelog b/debian/changelog
index f000a887..3f03db3d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+shim (15.5-1) UNRELEASED; urgency=medium
+
+ * New upstream release fixing more bugs
+ + Remove all our old patches, all now upstream:
+ - Don-t-call-QueryVariableInfo-on-EFI-1.10-machines.patch
+ - MOK-BootServicesData.patch
+ - fix-broken-ia32-reloc.patch
+ - fix-import_one_mok_state.patch
+ - fix_arm64_rela_sections.patch
+ - relax_check_for_import_mok_state.patch
+
+ -- Steve McIntyre <93sam@debian.org> Wed, 27 Apr 2022 22:50:08 +0100
+
 shim (15.4-7) unstable; urgency=high
 
 * Tweak how we call grub-install; don't abort on error. Not ideal
diff --git a/debian/patches/Don-t-call-QueryVariableInfo-on-EFI-1.10-machines.patch b/debian/patches/Don-t-call-QueryVariableInfo-on-EFI-1.10-machines.patch
deleted file mode 100644
index 74ae9eb5..00000000
--- a/debian/patches/Don-t-call-QueryVariableInfo-on-EFI-1.10-machines.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 8b59591775a0412863aab9596ab87bdd493a9c1e Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Sat, 10 Apr 2021 16:05:23 -0400
-Subject: [PATCH] Don't call QueryVariableInfo() on EFI 1.10 machines
-
-The EFI 1.10 spec (and presumably earlier revisions as well) didn't have
-RT->QueryVariableInfo(), and on Chris Murphy's MacBookPro8,2 , that
-memory appears to be initialized randomly.
-
-This patch changes it to not call RT->QueryVariableInfo() if the
-EFI_RUNTIME_SERVICES table's major revision is less than two, and
-assumes our maximum variable size is 1024 in that case.
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- mok.c | 23 ++++++++++++++++++-----
- 1 file changed, 18 insertions(+), 5 deletions(-)
-
-diff --git a/mok.c b/mok.c
-index 9b8fc2bc..beac0ff6 100644
---- a/mok.c
-+++ b/mok.c
-@@ -261,6 +261,9 @@ static const uint8_t null_sha256[32] = { 0, };
- 
- typedef UINTN SIZE_T;
- 
-+#define EFI_MAJOR_VERSION(tablep) ((UINT16)((((tablep)->Hdr.Revision) >> 16) & 0xfffful))
-+#define EFI_MINOR_VERSION(tablep) ((UINT16)(((tablep)->Hdr.Revision) & 0xfffful))
-+
- static EFI_STATUS
- get_max_var_sz(UINT32 attrs, SIZE_T *max_var_szp)
- {
-@@ -270,11 +273,21 @@ get_max_var_sz(UINT32 attrs, SIZE_T *max_var_szp)
- uint64_t max_var_sz = 0;
- 
- *max_var_szp = 0;
-- efi_status = gRT->QueryVariableInfo(attrs, &max_storage_sz,
-- &remaining_sz, &max_var_sz);
-- if (EFI_ERROR(efi_status)) {
-- perror(L"Could not get variable storage info: %r\n", efi_status);
-- return efi_status;
-+ if (EFI_MAJOR_VERSION(gRT) < 2) {
-+ dprint(L"EFI %d.%d; no RT->QueryVariableInfo(). Using 1024!\n",
-+ EFI_MAJOR_VERSION(gRT), EFI_MINOR_VERSION(gRT));
-+ max_var_sz = remaining_sz = max_storage_sz = 1024;
-+ efi_status = EFI_SUCCESS;
-+ } else {
-+ dprint(L"calling RT->QueryVariableInfo() at 0x%lx\n",
-+ gRT->QueryVariableInfo);
-+ efi_status = gRT->QueryVariableInfo(attrs, &max_storage_sz,
-+ &remaining_sz, &max_var_sz);
-+ if (EFI_ERROR(efi_status)) {
-+ perror(L"Could not get variable storage info: %r\n",
-+ efi_status);
-+ return efi_status;
-+ }
- }
- 
- /*
---
-2.20.1
-
diff --git a/debian/patches/MOK-BootServicesData.patch b/debian/patches/MOK-BootServicesData.patch
deleted file mode 100644
index 948b89b9..00000000
--- a/debian/patches/MOK-BootServicesData.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-commit 4068fd42c891ea6ebdec056f461babc6e4048844
-Author: Gary Lin <glin@suse.com>
-Date: Thu Apr 8 16:23:03 2021 +0800
-
- mok: allocate MOK config table as BootServicesData
-
- Linux kernel is picky when reserving the memory for x86 and it only
- expects BootServicesData:
-
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/platform/efi/quirks.c?h=v5.11#n254
-
- Otherwise, the following error would show during system boot:
-
- Apr 07 12:31:56.743925 localhost kernel: efi: Failed to lookup EFI memory descriptor for 0x000000003dcf8000
-
- Although BootServicesData would be reclaimed after ExitBootService(),
- linux kernel reserves MOK config table when it detects the existence of
- the table, so it's fine to allocate the table as BootServicesData.
-
- Signed-off-by: Gary Lin <glin@suse.com>
-
-diff --git a/mok.c b/mok.c
-index 9e37d6ab..9b8fc2bc 100644
---- a/mok.c
-+++ b/mok.c
-@@ -999,7 +999,7 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
- npages = ALIGN_VALUE(config_sz, PAGE_SIZE) >> EFI_PAGE_SHIFT;
- config_table = NULL;
- efi_status = gBS->AllocatePages(AllocateAnyPages,
-- EfiRuntimeServicesData,
-+ EfiBootServicesData,
- npages,
- (EFI_PHYSICAL_ADDRESS *)&config_table);
- if (EFI_ERROR(efi_status) || !config_table) {
diff --git a/debian/patches/fix-broken-ia32-reloc.patch b/debian/patches/fix-broken-ia32-reloc.patch
deleted file mode 100644
index a1bd63de..00000000
--- a/debian/patches/fix-broken-ia32-reloc.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-commit 1bea91ba72165d97c3b453cf769cb4bc5c07207a
-Author: Peter Jones <pjones@redhat.com>
-Date: Wed Mar 31 14:54:52 2021 -0400
-
- Fix a broken file header on ia32
-
- Commit c6281c6a195edee61185 needs to have included a ". = ALIGN(4096)"
- directive before .reloc, but fails to do so.
-
- As a result, binutils, which does not care about the actual binary
- format's constraints in any way, does not enforce the section alignment,
- and it will not load.
-
- Signed-off-by: Peter Jones <pjones@redhat.com>
-
-diff --git a/elf_ia32_efi.lds b/elf_ia32_efi.lds
-index 742e0a47..497a3a15 100644
---- a/elf_ia32_efi.lds
-+++ b/elf_ia32_efi.lds
-@@ -15,6 +15,7 @@ SECTIONS
- *(.gnu.linkonce.t.*)
- _etext = .;
- }
-+ . = ALIGN(4096);
- .reloc :
- {
- *(.reloc)
diff --git a/debian/patches/fix-import_one_mok_state.patch b/debian/patches/fix-import_one_mok_state.patch
deleted file mode 100644
index 995a8640..00000000
--- a/debian/patches/fix-import_one_mok_state.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-commit 822d07ad4f07ef66fe447a130e1027c88d02a394
-Author: Adam Williamson <awilliam@redhat.com>
-Date: Thu Apr 8 22:39:02 2021 -0700
-
- Fix handling of ignore_db and user_insecure_mode
-
- In 65be350308783a8ef537246c8ad0545b4e6ad069, import_mok_state() is split
- up into a function that manages the whole mok state, and one that
- handles the state machine for an individual state variable.
- Unfortunately, the code that initializes the global ignore_db and
- user_insecure_mode was copied from import_mok_state() into the new
- import_one_mok_state() function, and thus re-initializes that state each
- time it processes a MoK state variable, before even assessing if that
- variable is set. As a result, we never honor either flag, and the
- machine owner cannot disable trusting the system firmware's db/dbx
- databases or disable validation altogether.
-
- This patch removes the extra re-initialization, allowing those variables
- to be set properly.
-
- Signed-off-by: Adam Williamson <awilliam@redhat.com>
-
-diff --git a/mok.c b/mok.c
-index 5ad9072b..9e37d6ab 100644
---- a/mok.c
-+++ b/mok.c
-@@ -888,9 +888,6 @@ EFI_STATUS import_one_mok_state(struct mok_state_variable *v,
- EFI_STATUS ret = EFI_SUCCESS;
- EFI_STATUS efi_status;
- 
-- user_insecure_mode = 0;
-- ignore_db = 0;
--
- UINT32 attrs = 0;
- BOOLEAN delete = FALSE;
- 
diff --git a/debian/patches/fix_arm64_rela_sections.patch b/debian/patches/fix_arm64_rela_sections.patch
deleted file mode 100644
index 523bd333..00000000
--- a/debian/patches/fix_arm64_rela_sections.patch
+++ /dev/null
@@ -1,132 +0,0 @@
-From 9828f65f3e9de29da7bc70cb71069cc1d7ca1b4a Mon Sep 17 00:00:00 2001
-From: Gary Lin <glin@suse.com>
-Date: Wed, 16 Jun 2021 16:13:32 +0800
-Subject: [PATCH] arm/aa64: fix the size of .rela* sections
-
-The previous commit(*) merged .rel* and .dyn* into .rodata, and this
-made ld to generate the wrong size for .rela* sections that covered
-other unrelated sections. When the EFI image was loaded, _relocate()
-went through the unexpected data and may cause unexpected crash.
-This commit moves .rel* and .dyn* out of .rodata in the ld script but
-also moves the related variables, such as _evrodata, _rodata_size,
-and _rodata_vsize, to the end of the new .dyn section, so that the
-crafted pe-coff section header for .rodata still covers our new
-.rela and .dyn sections.
-
-(*) 212ba30544f ("arm/aa64 targets: put .rel* and .dyn* in .rodata")
-
-Fix issue: https://github.com/rhboot/shim/issues/371
-
-Signed-off-by: Gary Lin <glin@suse.com>
----
- Makefile | 4 ++--
- elf_aarch64_efi.lds | 24 ++++++++++++++++--------
- elf_arm_efi.lds | 24 ++++++++++++++++--------
- 3 files changed, 34 insertions(+), 18 deletions(-)
-
-Index: shim.git/Makefile
-===================================================================
---- shim.git.orig/Makefile
-+++ shim.git/Makefile
-@@ -244,7 +244,7 @@ endif
- $(OBJCOPY) -D -j .text -j .sdata -j .data -j .data.ident \
- -j .dynamic -j .rodata -j .rel* \
- -j .rela* -j .reloc -j .eh_frame \
-- -j .vendor_cert -j .sbat \
-+ -j .vendor_cert -j .dyn -j .sbat \
- $(FORMAT) $< $@
- # I am tired of wasting my time fighting binutils timestamp code.
- dd conv=notrunc bs=1 count=4 seek=$(TIMESTAMP_LOCATION) if=/dev/zero of=$@
-@@ -260,7 +260,7 @@ ifneq ($(OBJCOPY_GTE224),1)
- endif
- $(OBJCOPY) -D -j .text -j .sdata -j .data \
- -j .dynamic -j .rodata -j .rel* \
-- -j .rela* -j .reloc -j .eh_frame -j .sbat \
-+ -j .rela* -j .dyn -j .reloc -j .eh_frame -j .sbat \
- -j .debug_info -j .debug_abbrev -j .debug_aranges \
- -j .debug_line -j .debug_str -j .debug_ranges \
- -j .note.gnu.build-id \
-Index: shim.git/elf_aarch64_efi.lds
-===================================================================
---- shim.git.orig/elf_aarch64_efi.lds
-+++ shim.git/elf_aarch64_efi.lds
-@@ -70,21 +70,29 @@ SECTIONS
- .rodata :
- {
- _rodata = .;
-- *(.rela.dyn)
-- *(.rela.plt)
-- *(.rela.got)
-- *(.rela.data)
-- *(.rela.data*)
--
- *(.rodata*)
- *(.srodata)
-- *(.dynsym)
-- *(.dynstr)
- . = ALIGN(16);
- *(.note.gnu.build-id)
- . = ALIGN(4096);
- *(.vendor_cert)
- *(.data.ident)
-+ . = ALIGN(4096);
-+ }
-+ . = ALIGN(4096);
-+ .rela :
-+ {
-+ *(.rela.dyn)
-+ *(.rela.plt)
-+ *(.rela.got)
-+ *(.rela.data)
-+ *(.rela.data*)
-+ }
-+ . = ALIGN(4096);
-+ .dyn :
-+ {
-+ *(.dynsym)
-+ *(.dynstr)
- _evrodata = .;
- . = ALIGN(4096);
- }
-Index: shim.git/elf_arm_efi.lds
-===================================================================
---- shim.git.orig/elf_arm_efi.lds
-+++ shim.git/elf_arm_efi.lds
-@@ -70,21 +70,29 @@ SECTIONS
- .rodata :
- {
- _rodata = .;
-- *(.rel.dyn)
-- *(.rel.plt)
-- *(.rel.got)
-- *(.rel.data)
-- *(.rel.data*)
--
- *(.rodata*)
- *(.srodata)
-- *(.dynsym)
-- *(.dynstr)
- . = ALIGN(16);
- *(.note.gnu.build-id)
- . = ALIGN(4096);
- *(.vendor_cert)
- *(.data.ident)
-+ . = ALIGN(4096);
-+ }
-+ . = ALIGN(4096);
-+ .rela :
-+ {
-+ *(.rela.dyn)
-+ *(.rela.plt)
-+ *(.rela.got)
-+ *(.rela.data)
-+ *(.rela.data*)
-+ }
-+ . = ALIGN(4096);
-+ .dyn :
-+ {
-+ *(.dynsym)
-+ *(.dynstr)
- _evrodata = .;
- . = ALIGN(4096);
- }
diff --git a/debian/patches/relax_check_for_import_mok_state.patch b/debian/patches/relax_check_for_import_mok_state.patch
deleted file mode 100644
index 09f00a1c..00000000
--- a/debian/patches/relax_check_for_import_mok_state.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From: Gary Lin <glin@suse.com>
-Date: Tue, 11 May 2021 10:41:43 +0800
-Subject: Relax the check for import_mok_state()
-MIME-Version: 1.0
-Content-Type: text/plain; charset="utf-8"
-Content-Transfer-Encoding: 8bit
-
-An openSUSE user reported(*) that shim 15.4 failed to boot the system
-with the following message:
-
- "Could not create MokListXRT: Out of Resources"
-
-In the beginning, I thought it's caused by the growing size of
-vendor-dbx. However, we found the following messages after set
-SHIM_VERBOSE:
-
- max_var_sz:8000 remaining_sz:85EC max_storage_sz:9000
- SetVariable(“MokListXRT”, ... varsz=0x1404) = Out of Resources
-
-Even though the firmware claimed the remaining storage size is 0x85EC
-and the maximum variable size is 0x8000, it still rejected MokListXRT
-with size 0x1404. It seems that the return values from QueryVariableInfo()
-are not reliable. Since this firmware didn't really support Secure Boot,
-the variable mirroring is not so critical, so we can just accept the
-failure of import_mok_state() and continue boot.
-
-(*) https://bugzilla.suse.com/show_bug.cgi?id=1185261
-
-Signed-off-by: Gary Lin <glin@suse.com>
----
- shim.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/shim.c b/shim.c
-index c5cfbb8..40e4894 100644
---- a/shim.c
-+++ b/shim.c
-@@ -1973,10 +1973,13 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
- * boot-services-only state variables are what we think they are.
- */
- efi_status = import_mok_state(image_handle);
-- if (!secure_mode() && efi_status == EFI_INVALID_PARAMETER) {
-+ if (!secure_mode() &&
-+ (efi_status == EFI_INVALID_PARAMETER ||
-+ efi_status == EFI_OUT_OF_RESOURCES)) {
- /*
- * Make copy failures fatal only if secure_mode is enabled, or
-- * the error was anything else than EFI_INVALID_PARAMETER.
-+ * the error was anything else than EFI_INVALID_PARAMETER or
-+ * EFI_OUT_OF_RESOURCES.
- * There are non-secureboot firmware implementations that don't
- * reserve enough EFI variable memory to fit the variable.
- */
diff --git a/debian/patches/series b/debian/patches/series
index dff99bc7..e69de29b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,6 +0,0 @@
-fix-import_one_mok_state.patch
-fix-broken-ia32-reloc.patch
-MOK-BootServicesData.patch
-Don-t-call-QueryVariableInfo-on-EFI-1.10-machines.patch
-relax_check_for_import_mok_state.patch
-fix_arm64_rela_sections.patch |
