packages/shim
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!157 【openEuler-22.03-LTS-Next】Backport patch from upstream

Browse Source 
From: @yixiangzhike 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
This commit is contained in:
openeuler-ci-bot 2024-03-26 03:04:49 +00:00 committed by Gitee
commit 8063b52667
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 53 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
backport-Always-clear-SbatLevel-when-Secure-Boot-is-disabled.patch Normal file
View File

@ -0,0 +1,48 @@
From b078ef274887a4cc0da64fd6668800d1e24a2871 Mon Sep 17 00:00:00 2001
From: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
Date: Tue, 16 May 2023 14:31:13 -0700
Subject: [PATCH] Always clear SbatLevel when Secure Boot is disabled
Unless an explict sbat policy is specified, always delete SbatLevel
when secure boot is disabled.
Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com>
---
sbat.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/sbat.c b/sbat.c
index f1d6e98..cdf4e93 100644
--- a/sbat.c
+++ b/sbat.c
@@ -412,7 +412,12 @@ set_sbat_uefi_variable(void)
&attributes);
if (EFI_ERROR(efi_status)) {
dprint("Default sbat policy: previous\n");
- sbat_var = SBAT_VAR_PREVIOUS;
+ if (secure_mode()) {
+ sbat_var = SBAT_VAR_PREVIOUS;
+ } else {
+ reset_sbat = true;
+ sbat_var = SBAT_VAR_ORIGINAL;
+ }
} else {
switch (*sbat_policy) {
case SBAT_POLICY_LATEST:
@@ -438,7 +443,12 @@ set_sbat_uefi_variable(void)
default:
console_error(L"SBAT policy state %llu is invalid",
EFI_INVALID_PARAMETER);
- sbat_var = SBAT_VAR_PREVIOUS;
+ if (secure_mode()) {
+ sbat_var = SBAT_VAR_PREVIOUS;
+ } else {
+ reset_sbat = true;
+ sbat_var = SBAT_VAR_ORIGINAL;
+ }
clear_sbat_policy();
break;
}
--
2.33.0

6
shim.spec
View File

@ -25,7 +25,7 @@
Name: shim
Version: 15.6
Release: 19
Release: 20
Summary: First-stage UEFI bootloader
ExclusiveArch: x86_64 aarch64
License: BSD
@ -86,6 +86,7 @@ Patch48:backport-CVE-2023-40549-Authenticode-verify-that-the-signatur.patch
Patch49: backport-CVE-2023-2650.patch
Patch50: backport-CVE-2023-0465.patch
Patch51: backport-CVE-2024-0727.patch
Patch52: backport-Always-clear-SbatLevel-when-Secure-Boot-is-disabled.patch
# Feature for shim SMx support
Patch9000:Feature-shim-openssl-add-ec-support.patch
@ -220,6 +221,9 @@ make test
/usr/src/debug/%{name}-%{version}-%{release}/*
%changelog
* Tue Mar 26 2024 yixiangzhike <yixiangzhike007@163.com> - 15.6-20
- backport patch from upstream
* Wed Feb 28 2024 zhengxiaoxiao <zhengxiaoxiao2@huawei.com> - 15.6-19
- fix CVE-2023-0465 CVE-2023-2650 CVE-2024-0727