authorChristian Breunig <christian@breunig.cc>2025-07-06 21:59:18 +0200
committerChristian Breunig <christian@breunig.cc>2025-07-06 21:59:18 +0200
commit02acad285c74015e8120ade2b41d51b39ae66b63 (patch)
tree980533ac963ac23bc9e090e3e4212bdb9e225a05 /errlog.c
parent1c1d50da810e6c49e804a74719c2675b88b033a6 (diff)
parent18d98bfb34be583a5fe2987542e4b15e0db9cb61 (diff)
Merge tag '16.0' into vyos/current
shim-16.0 What's Changed * Validate that a supplied vendor cert is not in PEM format by @steve-mcintyre in https://github.com/rhboot/shim/pull/646 * sbat: Add grub.peimage,2 to latest (CVE-2024-2312) by @julian-klode in https://github.com/rhboot/shim/pull/651 * sbat: Also bump latest for grub,4 (and to todays date) by @julian-klode in https://github.com/rhboot/shim/pull/653 * undo change that limits certificate files to a single file by @jsetje in https://github.com/rhboot/shim/pull/659 * shim: don't set second_stage to the empty string by @jjd27 in https://github.com/rhboot/shim/pull/640 * Fix SBAT.md for today's consensus about numbers by @aronowski in https://github.com/rhboot/shim/pull/672 * Update Code of Conduct contact address by @aronowski in https://github.com/rhboot/shim/pull/683 * make-certs: Handle missing OpenSSL installation by @aronowski in https://github.com/rhboot/shim/pull/595 * Update MokVars.txt by @mikebeaton in https://github.com/rhboot/shim/pull/598 * export DEFINES for sub makefile by @bryteise in https://github.com/rhboot/shim/pull/600 * Drop unused EFI_IMAGE_SECURITY_DATABASE_GUID definition by @vittyvk in https://github.com/rhboot/shim/pull/609 * Null-terminate 'arguments' in fallback by @vittyvk in https://github.com/rhboot/shim/pull/611 * Fix "Verifiying" typo in error message by @chrisbainbridge in https://github.com/rhboot/shim/pull/706 * Update Fedora CI targets by @vathpela in https://github.com/rhboot/shim/pull/708 * Force gcc to produce DWARF4 so that gdb can use it by @mikebeaton in https://github.com/rhboot/shim/pull/607 * Minor housekeeping 2024121700 by @vathpela in https://github.com/rhboot/shim/pull/709 * Discard load-options that start with WINDOWS by @Metabolix in https://github.com/rhboot/shim/pull/621 * Fix the issue that the gBS->LoadImage pointer was empty. 
by @15058718379 in https://github.com/rhboot/shim/pull/703 * shim: Allow data after the end of device path node in load options by @dbnicholson in https://github.com/rhboot/shim/pull/694 * Handle network file not found like disks by @dbnicholson in https://github.com/rhboot/shim/pull/695 * Update gnu-efi submodule for EFI_HTTP_ERROR by @vathpela in https://github.com/rhboot/shim/pull/674 * Increase EFI file alignment by @lumag in https://github.com/rhboot/shim/pull/673 * avoid EFIv2 runtime services on Apple x86 machines by @eduardacatrinei in https://github.com/rhboot/shim/pull/690 * Improve shortcut performance when comparing two boolean expressions by @dennis-tseng99 in https://github.com/rhboot/shim/pull/667 * Provide better error message when MokManager is not found by @rmetrich in https://github.com/rhboot/shim/pull/663 * tpm: Boot with a warning if the event log is full by @kukrimate in https://github.com/rhboot/shim/pull/657 * MokManager: remove redundant logical constraints by @xypron in https://github.com/rhboot/shim/pull/409 * Test import_mok_state() when MokListRT would be bigger than available size by @vathpela in https://github.com/rhboot/shim/pull/417 * test-mok-mirror: minor bug fix by @vathpela in https://github.com/rhboot/shim/pull/715 * Fix file system browser hang when enrolling MOK from disk by @miczyg1 in https://github.com/rhboot/shim/pull/622 * Ignore a minor clang-tidy nit by @vathpela in https://github.com/rhboot/shim/pull/716 * Allow fallback to default loader when encountering errors on network boot by @nathan-omeara in https://github.com/rhboot/shim/pull/666 * test.mk: don't use a temporary random.bin by @vathpela in https://github.com/rhboot/shim/pull/718 * pe: Enhance debug report for update_mem_attrs by @jongwu in https://github.com/rhboot/shim/pull/594 * Multiple certificate handling improvements by @rosslagerwall in https://github.com/rhboot/shim/pull/644 * Generate SbatLevel Metadata from SbatLevel_Variable.txt by @jsetje in 
https://github.com/rhboot/shim/pull/711 * Apply EKU check with compile option by @dennis-tseng99 in https://github.com/rhboot/shim/pull/664 * Add configuration option to boot an alternative 2nd stage by @esnowberg in https://github.com/rhboot/shim/pull/608 * Loader protocol (with Device Path resolution support) by @kukrimate in https://github.com/rhboot/shim/pull/656 * netboot cleanup for additional files by @jsetje in https://github.com/rhboot/shim/pull/686 * Document how revocations can be delivered by @jsetje in https://github.com/rhboot/shim/pull/722 * post-process-pe: add tests to validate NX compliance by @vathpela in https://github.com/rhboot/shim/pull/705 * regression: CopyMem() in ad8692e copies out of bounds by @jsetje in https://github.com/rhboot/shim/pull/725 * Save the debug and error logs in mok-variables by @vathpela in https://github.com/rhboot/shim/pull/726 * Add features for the Host Security ID program by @vathpela in https://github.com/rhboot/shim/pull/660 * Mirror some more efi variables to mok-variables by @vathpela in https://github.com/rhboot/shim/pull/723 * This adds DXE Services measurements to HSI and uses them for NX by @vathpela in https://github.com/rhboot/shim/pull/724 * Add shim's current NX_COMPAT status to HSIStatus by @vathpela in https://github.com/rhboot/shim/pull/727 * README.tpm: reflect that vendor_db is in fact logged as "vendor_db" by @jsetje in https://github.com/rhboot/shim/pull/728 * Reject HTTP message with duplicate Content-Length header fields by @dennis-tseng99 in https://github.com/rhboot/shim/pull/637 * Disable log saving by @vathpela in https://github.com/rhboot/shim/pull/729 * fallback: don't add new boot order entries backwards by @vathpela in https://github.com/rhboot/shim/pull/730 * Misc fixes... 
by @vathpela in https://github.com/rhboot/shim/pull/735 * README.tpm: Update MokList entry to MokListRT by @trungams in https://github.com/rhboot/shim/pull/732 * SBAT Level update for February 2025 GRUB CVEs by @jsetje in https://github.com/rhboot/shim/pull/736 New Contributors * @jjd27 made their first contribution in https://github.com/rhboot/shim/pull/640 * @mikebeaton made their first contribution in https://github.com/rhboot/shim/pull/598 * @bryteise made their first contribution in https://github.com/rhboot/shim/pull/600 * @vittyvk made their first contribution in https://github.com/rhboot/shim/pull/609 * @chrisbainbridge made their first contribution in https://github.com/rhboot/shim/pull/706 * @Metabolix made their first contribution in https://github.com/rhboot/shim/pull/621 * @15058718379 made their first contribution in https://github.com/rhboot/shim/pull/703 * @dbnicholson made their first contribution in https://github.com/rhboot/shim/pull/694 * @lumag made their first contribution in https://github.com/rhboot/shim/pull/673 * @eduardacatrinei made their first contribution in https://github.com/rhboot/shim/pull/690 * @kukrimate made their first contribution in https://github.com/rhboot/shim/pull/657 * @miczyg1 made their first contribution in https://github.com/rhboot/shim/pull/622 * @nathan-omeara made their first contribution in https://github.com/rhboot/shim/pull/666 * @jongwu made their first contribution in https://github.com/rhboot/shim/pull/594 * @rosslagerwall made their first contribution in https://github.com/rhboot/shim/pull/644 * @trungams made their first contribution in https://github.com/rhboot/shim/pull/732 **Full Changelog**: https://github.com/rhboot/shim/compare/15.8...16.0 * tag '16.0': (451 commits) Update version to 16.0 SBAT Level update for February 2025 GRUB CVEs README.tpm: Update MokList entry to MokListRT Make 'make fanalyzer' work again. 
simple_dir_filter(): test our 'next' pointer shim_load_image(): initialize the buffer fully mirror_mok_db(): Free our mok variable name correctly mirror_one_mok_variable(): fix a memory leak on TPM log error. mirror_mok_db(): get rid of an unused variable+allocation generate_sbat_var_defs: Ensure revlistentry->revocations is initialized. generate_sbat_var_defs: Fix memory leak on realloc failure and fd leak. generate_sbat_var_defs: run clang-format on readfile() SetSecureVariable(): free Cert on failure Update version to 16.0~rc1 make-archive: some minor housekeeping makefiles: Make GITTAG swizzle tildes to dashes fallback: don't add new boot order entries backwards Disable log saving for now. Some save_logs() improvements. reject message with different values in multiple Content-Length header field ...
Diffstat (limited to 'errlog.c')
-rw-r--r--errlog.c181
1 files changed, 181 insertions, 0 deletions
diff --git a/errlog.c b/errlog.c
index 3c5e0af8..b43a4bc2 100644
--- a/errlog.c
+++ b/errlog.c
@@ -99,4 +99,185 @@ ClearErrors(VOID)
errs = NULL;
}
+static size_t
+format_error_log(UINT8 *dest, size_t dest_sz)
+{
+ size_t err_log_sz = 0;
+ size_t pos = 0;
+
+ for (UINTN i = 0; i < nerrs; i++)
+ err_log_sz += StrSize(errs[i]);
+
+ if (!dest || dest_sz < err_log_sz)
+ return err_log_sz;
+
+ ZeroMem(dest, err_log_sz);
+ for (UINTN i = 0; i < nerrs; i++) {
+ UINTN sz = StrSize(errs[i]);
+ CopyMem(&dest[pos], errs[i], sz);
+ pos += sz;
+ }
+
+ return err_log_sz;
+}
+
+static UINT8 *debug_log = NULL;
+static size_t debug_log_sz = 0;
+static size_t debug_log_alloc = 0;
+
+UINTN EFIAPI
+log_debug_print(const CHAR16 *fmt, ...)
+{
+ ms_va_list args;
+ CHAR16 *buf;
+ size_t buf_sz;
+ UINTN ret = 0;
+
+ ms_va_start(args, fmt);
+ buf = VPoolPrint(fmt, args);
+ if (!buf)
+ return 0;
+ ms_va_end(args);
+
+ ret = StrLen(buf);
+ buf_sz = StrSize(buf);
+ if (debug_log_sz + buf_sz > debug_log_alloc) {
+ size_t new_alloc_sz = debug_log_alloc;
+ CHAR16 *new_debug_log;
+
+ new_alloc_sz += buf_sz;
+ new_alloc_sz = ALIGN_UP(new_alloc_sz, EFI_PAGE_SIZE);
+
+ new_debug_log = ReallocatePool(debug_log, debug_log_alloc, new_alloc_sz);
+ if (!new_debug_log)
+ return 0;
+ debug_log = (UINT8 *)new_debug_log;
+ debug_log_alloc = new_alloc_sz;
+ }
+
+ CopyMem(&debug_log[debug_log_sz], buf, buf_sz);
+ debug_log_sz += buf_sz;
+ FreePool(buf);
+ return ret;
+}
+
+static size_t
+format_debug_log(UINT8 *dest, size_t dest_sz)
+{
+ if (!dest || dest_sz < debug_log_sz)
+ return debug_log_sz;
+
+ ZeroMem(dest, debug_log_sz);
+ CopyMem(dest, debug_log, debug_log_sz);
+ return debug_log_sz;
+}
+
+void
+replace_config_table(EFI_CONFIGURATION_TABLE *CT, EFI_PHYSICAL_ADDRESS new_table, UINTN new_table_pages)
+{
+ EFI_GUID bogus_guid = { 0x29f2f0db, 0xd025, 0x4aa6, { 0x99, 0x58, 0xa0, 0x21, 0x8b, 0x1d, 0xec, 0x0e }};
+ EFI_STATUS efi_status;
+
+ if (CT) {
+ CopyMem(&CT->VendorGuid, &bogus_guid, sizeof(bogus_guid));
+ if (CT->VendorTable &&
+ CT->VendorTable == (void *)(uintptr_t)mok_config_table) {
+ BS->FreePages(mok_config_table, mok_config_table_pages);
+ CT->VendorTable = NULL;
+ }
+ }
+
+ efi_status = BS->InstallConfigurationTable(&MOK_VARIABLE_STORE,
+ (void *)(uintptr_t)new_table);
+ if (EFI_ERROR(efi_status)) {
+ console_print(L"Could not re-install MoK configuration table: %r\n", efi_status);
+ } else {
+ mok_config_table = new_table;
+ mok_config_table_pages = new_table_pages;
+ }
+}
+
+void
+save_logs(void)
+{
+ struct mok_variable_config_entry *cfg_table = NULL;
+ struct mok_variable_config_entry *new_table = NULL;
+ struct mok_variable_config_entry *entry = NULL;
+ EFI_PHYSICAL_ADDRESS physaddr = 0;
+ UINTN new_table_pages = 0;
+ size_t new_table_sz;
+ UINTN pos = 0;
+ EFI_STATUS efi_status;
+ size_t errlog_sz, dbglog_sz;
+
+ errlog_sz = format_error_log(NULL, 0);
+ dbglog_sz = format_debug_log(NULL, 0);
+
+ if (errlog_sz == 0 && dbglog_sz == 0) {
+ console_print(L"No console or debug log?!?!?\n");
+ return;
+ }
+
+ for (UINTN i = 0; i < ST->NumberOfTableEntries; i++) {
+ EFI_CONFIGURATION_TABLE *CT;
+ CT = &ST->ConfigurationTable[i];
+
+ if (CompareGuid(&MOK_VARIABLE_STORE, &CT->VendorGuid) == 0) {
+ cfg_table = CT->VendorTable;
+ break;
+ }
+ CT = NULL;
+ }
+
+ entry = cfg_table;
+ while (entry && entry->name[0] != 0) {
+ size_t entry_sz;
+ entry = (struct mok_variable_config_entry *)((uintptr_t)cfg_table + pos);
+
+ if (entry->name[0] != 0) {
+ entry_sz = sizeof(*entry);
+ entry_sz += entry->data_size;
+ pos += entry_sz;
+ }
+ }
+
+ new_table_sz = pos +
+ (errlog_sz ? sizeof(*entry) + errlog_sz : 0) +
+ (dbglog_sz ? sizeof(*entry) + dbglog_sz : 0) +
+ sizeof(*entry);
+ new_table = NULL;
+ new_table_pages = ALIGN_UP(new_table_sz + 4*EFI_PAGE_SIZE, EFI_PAGE_SIZE) / EFI_PAGE_SIZE;
+ efi_status = BS->AllocatePages(AllocateAnyPages, EfiRuntimeServicesData, new_table_pages, &physaddr);
+ if (EFI_ERROR(efi_status)) {
+ perror(L"Couldn't allocate %llu pages\n", new_table_pages);
+ return;
+ }
+ new_table = (void *)(uintptr_t)physaddr;
+ if (!new_table)
+ return;
+ ZeroMem(new_table, new_table_pages * EFI_PAGE_SIZE);
+ CopyMem(new_table, cfg_table, pos);
+
+ entry = (struct mok_variable_config_entry *)((uintptr_t)new_table + pos);
+ if (errlog_sz) {
+ strcpy(entry->name, "shim-err.txt");
+ entry->data_size = errlog_sz;
+ format_error_log(&entry->data[0], errlog_sz);
+
+ pos += sizeof(*entry) + errlog_sz;
+ entry = (struct mok_variable_config_entry *)((uintptr_t)new_table + pos);
+ }
+ if (dbglog_sz) {
+ strcpy(entry->name, "shim-dbg.txt");
+ entry->data_size = dbglog_sz;
+ format_debug_log(&entry->data[0], dbglog_sz);
+
+ pos += sizeof(*entry) + dbglog_sz;
+
+ entry = (struct mok_variable_config_entry *)((uintptr_t)new_table + pos);
+ }
+
+ replace_config_table((EFI_CONFIGURATION_TABLE *)cfg_table, physaddr, new_table_pages);
+}
+
// vim:fenc=utf-8:tw=75
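Review bot: `replace_config_table((EFI_CONFIGURATION_TABLE *)cfg_table, physaddr, new_table_pages);` at the end of save_logs() passes the wrong object: `cfg_table` was assigned `CT->VendorTable` in the lookup loop (the variable-store data, a `struct mok_variable_config_entry *`), while the actual `EFI_CONFIGURATION_TABLE` entry `CT` is loop-local and discarded, so the cast only silences the type mismatch. Inside replace_config_table() the CopyMem into `CT->VendorGuid` then writes the bogus GUID over the start of the old variable store instead of the system table entry, and the `CT->VendorTable == mok_config_table` comparison reads an unrelated offset of that data, so the FreePages() branch presumably never fires and the previous allocation is never freed. Hoist the entry pointer to function scope — `EFI_CONFIGURATION_TABLE *CT = NULL;` next to the other locals, dropping the loop-local declaration — and call `replace_config_table(CT, physaddr, new_table_pages);`. Separately, log_debug_print() returns without releasing `buf` when ReallocatePool() fails and skips `ms_va_end(args)` on the `!buf` path; adding `FreePool(buf);` before that `return 0;` and moving `ms_va_end(args);` ahead of the NULL check fixes both. The merge message says log saving is currently disabled, which limits the exposure, but the code is now in the tree as written.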