packages/shim
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Backport patch from upstream

Browse Source 
(cherry picked from commit 65d0919c62bdfa8a40ba21cf33d80413f92f25a6)
This commit is contained in:
yixiangzhike 2024-03-25 18:38:45 +08:00 committed by openeuler-sync-bot
parent b72af9b104
commit 2622ef5277
2 changed files with 53 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
backport-Always-clear-SbatLevel-when-Secure-Boot-is-disabled.patch Normal file
View File

@ -0,0 +1,48 @@
From b078ef274887a4cc0da64fd6668800d1e24a2871 Mon Sep 17 00:00:00 2001
From: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
Date: Tue, 16 May 2023 14:31:13 -0700
Subject: [PATCH] Always clear SbatLevel when Secure Boot is disabled
Unless an explict sbat policy is specified, always delete SbatLevel
when secure boot is disabled.
Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
---
sbat.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/sbat.c b/sbat.c
index a08c5b2..42a3346 100644
--- a/sbat.c
+++ b/sbat.c
@@ -423,7 +423,12 @@ set_sbat_uefi_variable(void)
&attributes);
if (EFI_ERROR(efi_status)) {
dprint("Default sbat policy: previous\n");
- sbat_var = sbat_var_previous;
+ if (secure_mode()) {
+ sbat_var = sbat_var_previous;
+ } else {
+ reset_sbat = true;
+ sbat_var = SBAT_VAR_ORIGINAL;
+ }
} else {
switch (*sbat_policy) {
case SBAT_POLICY_LATEST:
@@ -449,7 +454,12 @@ set_sbat_uefi_variable(void)
default:
console_error(L"SBAT policy state %llu is invalid",
EFI_INVALID_PARAMETER);
- sbat_var = sbat_var_previous;
+ if (secure_mode()) {
+ sbat_var = sbat_var_previous;
+ } else {
+ reset_sbat = true;
+ sbat_var = SBAT_VAR_ORIGINAL;
+ }
clear_sbat_policy();
break;
}
--
2.33.0

6
shim.spec
View File

@ -25,7 +25,7 @@
Name: shim
Version: 15.7
Release: 7
Release: 8
Summary: First-stage UEFI bootloader
ExclusiveArch: x86_64 aarch64
License: BSD
@ -50,6 +50,7 @@ Patch12:backport-CVE-2023-3446.patch
Patch13:backport-CVE-2023-0465.patch
Patch14:backport-CVE-2023-2650.patch
Patch15:backport-CVE-2024-0727.patch
Patch16:backport-Always-clear-SbatLevel-when-Secure-Boot-is-disabled.patch
# Feature for shim SMx support
Patch9000:Feature-shim-openssl-add-ec-support.patch
@ -186,6 +187,9 @@ make test
/usr/src/debug/%{name}-%{version}-%{release}/*
%changelog
* Mon Mar 25 2024 yixiangzhike <yixiangzhike007@163.com> - 15.7-8
- backport patch from upstream
* Wed Feb 28 2024 jinlun <jinlun@huawei.com> - 15.7-7
- add signature for secureboot