diff --git a/.github/workflows/check-license-map.yml b/.github/workflows/check-license-map.yml
index 3002b2a4498..654461de16e 100644
--- a/.github/workflows/check-license-map.yml
+++ b/.github/workflows/check-license-map.yml
@@ -24,7 +24,7 @@ jobs:
 - name: Run license map checking script
 run: |
- python3 ./SPECS/LICENSES-AND-NOTICES/data/license_map.py \
+ python3 ./toolkit/scripts/licenses/license_map.py \
 ./SPECS/LICENSES-AND-NOTICES/data/licenses.json \
 ./SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md \
 ./SPECS \
diff --git a/.github/workflows/check_entangled_specs.py b/.github/workflows/check_entangled_specs.py
index 6be7021a3f8..43fbbfc7558 100644
--- a/.github/workflows/check_entangled_specs.py
+++ b/.github/workflows/check_entangled_specs.py
@@ -9,14 +9,12 @@ version_release_matching_groups = [
 frozenset([
- "SPECS-SIGNED/kernel-signed-x64/kernel-signed-x64.spec",
- "SPECS-SIGNED/kernel-signed-aarch64/kernel-signed-aarch64.spec",
+ "SPECS-SIGNED/kernel-signed/kernel-signed.spec",
 "SPECS/kernel/kernel.spec",
 "SPECS/kernel-headers/kernel-headers.spec"
 ]),
 frozenset([
- "SPECS-SIGNED/grub2-efi-binary-signed-x64/grub2-efi-binary-signed-x64.spec",
- "SPECS-SIGNED/grub2-efi-binary-signed-aarch64/grub2-efi-binary-signed-aarch64.spec",
+ "SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec",
 "SPECS/grub2/grub2.spec"
 ]),
 frozenset([
diff --git a/.github/workflows/validate-cg-manifest.sh b/.github/workflows/validate-cg-manifest.sh
index d2bc968d133..968037e37b4 100755
--- a/.github/workflows/validate-cg-manifest.sh
+++ b/.github/workflows/validate-cg-manifest.sh
@@ -17,6 +17,7 @@ ignore_list=" \
 kf5 \
 mariner-repos \
 mariner-rpm-macros \
+ shim \
 moby-buildx \
 moby-containerd \
 python-markupsafe \
@@ -25,10 +26,11 @@ ignore_list=" \
 qt5-rpm-macros \
 runc \
 grub2-efi-binary-signed-aarch64 \
- grub2-efi-binary-signed-x64 \
+ grub2-efi-binary-signed-x86_64 \
 kernel-signed-aarch64 \
- kernel-signed-x64 \
- verity-read-only-root"
+ kernel-signed-x86_64 \
+ verity-read-only-root \
+ installkernel"
 rm -f bad_registrations.txt
 rm -rf ./cgmanifest_test_dir/
diff --git a/SPECS-SIGNED/grub2-efi-binary-signed-x64/grub2-efi-binary-signed-x64.spec b/SPECS-SIGNED/grub2-efi-binary-signed-x64/grub2-efi-binary-signed-x64.spec
deleted file mode 100644
index 3ab174161dc..00000000000
--- a/SPECS-SIGNED/grub2-efi-binary-signed-x64/grub2-efi-binary-signed-x64.spec
+++ /dev/null
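Review bot: The renamed entries `grub2-efi-binary-signed-x86_64` and `kernel-signed-x86_64` track the new package Names, but the specs themselves now live at `SPECS-SIGNED/kernel-signed/kernel-signed.spec` and `SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec`; if this ignore list is compared against spec basenames (the license map updated in this same commit is keyed that way and lists `grub2-efi-binary-signed`), neither the x86_64 nor the aarch64 entries will match anything any more and `kernel-signed` / `grub2-efi-binary-signed` are what need to be listed. The script body that does the comparison is outside the hunk, so confirm which name it uses before changing the list. Every addition here (`shim`, `installkernel`) also exempts a package from cgmanifest registration checking entirely, which is only appropriate for packages with no upstream source archive; a short comment above the list stating that admission criterion would help future reviewers judge new entries.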
@@ -1,54 +0,0 @@ -%global debug_package %{nil} -Summary: Signed GRand Unified Bootloader for x86_64 systems -Name: grub2-efi-binary-signed-x64 -Version: 2.06~rc1 -Release: 1%{?dist} -License: GPLv3+ -Vendor: Microsoft Corporation -Distribution: Mariner -URL: https://www.gnu.org/software/grub -# This package's "version" and "release" must reflect the unsigned version that -# was signed. -# An important consequence is that when making a change to this package, the -# unsigned version/release must be increased to keep the two versions consistent. -# Ideally though, this spec will not change much or at all, so the version will -# just track the unsigned package's version/release. -# -# To populate these sources: -# 1. Build the unsigned packages as normal -# 2. Sign the desired binary -# 3. Place the unsigned package and signed binary in this spec's folder -# 4. Build this spec -Source0: grub2-efi-unsigned-%{version}-%{release}.x86_64.rpm -Source1: grubx64.efi -Conflicts: grub2-efi-binary -ExclusiveArch: x86_64 - -%description -This package contains the GRUB EFI image signed for secure boot. The package is -specifically created for installing on x86_64 systems - -%prep - -%build - -%install -mkdir -p %{buildroot}/boot/efi/EFI/BOOT -cp %{SOURCE1} %{buildroot}/boot/efi/EFI/BOOT/grubx64.efi - -%files -/boot/efi/EFI/BOOT/grubx64.efi - -%changelog -* Wed Mar 10 2021 Chris Co - 2.06~rc1-1 -- Update to 2.06-rc1 -- Incorporate SBAT data - -* Wed Dec 23 2020 Pawel Winogrodzki - 2.02-26 -- Updating release to be aligned with the unsigned bits. - -* Tue Nov 03 2020 Pawel Winogrodzki - 2.02-25 -- Updating release to be aligned with the unsigned bits. - -* Thu Aug 13 2020 Chris Co 2.02-24 -- Original version for CBL-Mariner. 
diff --git a/SPECS-SIGNED/grub2-efi-binary-signed-aarch64/grub2-efi-binary-signed-aarch64.spec b/SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec
similarity index 51%
rename from SPECS-SIGNED/grub2-efi-binary-signed-aarch64/grub2-efi-binary-signed-aarch64.spec
rename to SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec
index 985750cd8c5..420c3fd02f6 100644
--- a/SPECS-SIGNED/grub2-efi-binary-signed-aarch64/grub2-efi-binary-signed-aarch64.spec
+++ b/SPECS-SIGNED/grub2-efi-binary-signed/grub2-efi-binary-signed.spec
@@ -1,8 +1,16 @@
 %global debug_package %{nil}
-Summary: Signed GRand Unified Bootloader for aarch64 systems
-Name: grub2-efi-binary-signed-aarch64
+%ifarch x86_64
+%global buildarch x86_64
+%global grubefiname grubx64.efi
+%endif
+%ifarch aarch64
+%global buildarch aarch64
+%global grubefiname grubaa64.efi
+%endif
+Summary: Signed GRand Unified Bootloader for %{buildarch} systems
+Name: grub2-efi-binary-signed-%{buildarch}
 Version: 2.06~rc1
-Release: 1%{?dist}
+Release: 4%{?dist}
 License: GPLv3+
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -19,14 +27,20 @@ URL: https://www.gnu.org/software/grub
 # 2. Sign the desired binary
 # 3. Place the unsigned package and signed binary in this spec's folder
 # 4. Build this spec
-Source0: grub2-efi-unsigned-%{version}-%{release}.aarch64.rpm
-Source1: grubaa64.efi
-Conflicts: grub2-efi-binary
-ExclusiveArch: aarch64
+Source0: grub2-efi-binary-%{version}-%{release}.%{buildarch}.rpm
+Source1: %{grubefiname}
 %description
 This package contains the GRUB EFI image signed for secure boot. The package is
-specifically created for installing on aarch64 systems
+specifically created for installing on %{buildarch} systems
+
+%package -n grub2-efi-binary
+Summary: GRand Unified Bootloader
+Group: Applications/System
+
+%description -n grub2-efi-binary
+This package contains the GRUB EFI image signed for secure boot. The package is
+specifically created for installing on %{buildarch} systems
 %prep
@@ -34,12 +48,22 @@ specifically created for installing on aarch64 systems
 %install
 mkdir -p %{buildroot}/boot/efi/EFI/BOOT
-cp %{SOURCE1} %{buildroot}/boot/efi/EFI/BOOT/grubaa64.efi
+cp %{SOURCE1} %{buildroot}/boot/efi/EFI/BOOT/%{grubefiname}
-%files
-/boot/efi/EFI/BOOT/grubaa64.efi
+%files -n grub2-efi-binary
+/boot/efi/EFI/BOOT/%{grubefiname}
 %changelog
+* Fri Apr 16 2021 Chris Co - 2.06~rc1-4
+- Commonize to one spec instead of having a spec per arch
+- Define a new grub2-efi-binary subpackage which contains the signed collateral
+
+* Fri Apr 02 2021 Rachel Menge - 2.06~rc1-3
+- Update release to be aligned with unsigned version
+
+* Fri Mar 26 2021 Chris Co - 2.06~rc1-2
+- Update release to be aligned with unsigned version
+
 * Wed Mar 10 2021 Chris Co - 2.06~rc1-1
 - Update to 2.06-rc1
 - Incorporate SBAT data
diff --git a/SPECS-SIGNED/kernel-signed-x64/kernel-signed-x64.spec b/SPECS-SIGNED/kernel-signed-x64/kernel-signed-x64.spec
deleted file mode 100644
index 74a33f49cfd..00000000000
--- a/SPECS-SIGNED/kernel-signed-x64/kernel-signed-x64.spec
+++ /dev/null
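Review bot: The removed `ExclusiveArch: aarch64` gets no replacement, yet `%{buildarch}` and `%{grubefiname}` are defined only inside the two `%ifarch` blocks, so on any other target the spec would expand an undefined macro into Name, Source0 and the install path instead of being skipped; add `ExclusiveArch: x86_64 aarch64`. Separately, the new `Source0: grub2-efi-binary-%{version}-%{release}.%{buildarch}.rpm` is never read — %prep and %build stay empty and %install copies `%{SOURCE1}` directly — so it only pins a version string in a file name and nothing ties the signed `%{grubefiname}` to that build. If sbsigntools is available in the build chroot, extracting Source0 and checking that the signed image with its signature stripped matches the unsigned one would close that gap; otherwise the header comment should say plainly that Source0 is a bookkeeping input that is not verified. Because `Conflicts: grub2-efi-binary` also goes away and this spec now emits a `grub2-efi-binary` subpackage, presumably with the same NEVRA as the one grub2.spec builds, rpm cannot tell the two apart and the publishing pipeline has to guarantee that only the signed one is shipped.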
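Review bot: `cp %{SOURCE1} %{buildroot}/boot/efi/EFI/BOOT/%{grubefiname}` installs whatever file sits in the spec folder as the Secure Boot bootloader without checking that it carries a signature at all, so an unsigned grubx64.efi or grubaa64.efi placed there by mistake would build cleanly and ship under the `grub2-efi-binary` name, failing only at boot on Secure Boot machines and going unnoticed on machines with it off. If sbsigntools or pesign are available in the build environment, gate the copy on a signature listing succeeding, e.g. `sbverify --list %{SOURCE1} >/dev/null` with the matching BuildRequires, so the build fails instead. If no such tool is available, a comment on the %install line stating that the signature on Source1 is trusted here rather than verified is the minimum a future maintainer needs.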
@@ -1,193 +0,0 @@ -%global debug_package %{nil} -%define uname_r %{version}-rolling-lts-mariner-%{release} -Summary: Signed Linux Kernel for x86_64 systems -Name: kernel-signed-x64 -Version: 5.10.21.1 -Release: 4%{?dist} -License: GPLv2 -Vendor: Microsoft Corporation -Distribution: Mariner -Group: System Environment/Kernel -URL: https://github.com/microsoft/CBL-Mariner-Linux-Kernel -# This package's "version" and "release" must reflect the unsigned version that -# was signed. -# An important consequence is that when making a change to this package, the -# unsigned version/release must be increased to keep the two versions consistent. -# Ideally though, this spec will not change much or at all, so the version will -# just track the unsigned package's version/release. -# -# To populate these sources: -# 1. Build the unsigned packages as normal -# 2. Sign the desired binary -# 3. Place the unsigned package and signed binary in this spec's folder -# 4. Build this spec -Source0: kernel-%{version}-%{release}.x86_64.rpm -Source1: vmlinuz-%{uname_r} -BuildRequires: cpio -Requires: filesystem -Requires: kmod -Requires(post): coreutils -Requires(postun): coreutils -Conflicts: kernel -ExclusiveArch: x86_64 - -%description -This package contains the Linux kernel package with kernel signed with the production key - -%prep - -%build -rpm2cpio %{SOURCE0} | cpio -idmv -cp %{SOURCE1} ./boot/vmlinuz-%{uname_r} - -%install -install -vdm 700 %{buildroot}/boot -install -vdm 755 %{buildroot}/lib/modules/%{uname_r} -mkdir -p %{buildroot}/%{_localstatedir}/lib/initramfs/kernel - -cp -rp ./boot/. %{buildroot}/boot -cp -rp ./lib/. %{buildroot}/lib -cp -rp ./var/. 
%{buildroot}/%{_localstatedir} - -%triggerin -- initramfs -mkdir -p %{_localstatedir}/lib/rpm-state/initramfs/pending -touch %{_localstatedir}/lib/rpm-state/initramfs/pending/%{uname_r} -echo "initrd generation of kernel %{uname_r} will be triggered later" >&2 - -%triggerun -- initramfs -rm -rf %{_localstatedir}/lib/rpm-state/initramfs/pending/%{uname_r} -rm -rf /boot/initrd.img-%{uname_r} -echo "initrd of kernel %{uname_r} removed" >&2 - -%postun -if [ ! -e /boot/mariner.cfg ] -then - ls /boot/linux-*.cfg 1> /dev/null 2>&1 - if [ $? -eq 0 ] - then - list=`ls -tu /boot/linux-*.cfg | head -n1` - test -n "$list" && ln -sf "$list" /boot/mariner.cfg - fi -fi - -%post -/sbin/depmod -a %{uname_r} -ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg - -%files -/boot/* -/boot/.vmlinuz-%{uname_r}.hmac -/lib/modules/%{uname_r}/* -/lib/modules/%{uname_r}/.vmlinuz.hmac -%config %{_localstatedir}/lib/initramfs/kernel/%{uname_r} - -%changelog -* Fri Mar 26 2021 Daniel Mihai - 5.10.21.1-4 -- Update to kernel release 5.10.21.1-4 - -* Thu Mar 18 2021 Chris Co - 5.10.21.1-3 -- Fix file copy - -* Wed Mar 17 2021 Nicolas Ontiveros - 5.10.21.1-2 -- Update to kernel release 5.10.21.1-2 - -* Thu Mar 11 2021 Chris Co - 5.10.21.1-1 -- Update source to 5.10.21.1 - -* Fri Mar 05 2021 Chris Co - 5.10.13.1-4 -- Update release number to match kernel spec -- Use uname_r macro instead of version-release for kernel version - -* Thu Mar 04 2021 Suresh Babu Chalamalasetty - 5.10.13.1-3 -- Update to kernel release 5.10.13.1-3 - -* Mon Feb 22 2021 Thomas Crain - 5.10.13.1-2 -- Update to kernel release 5.10.13.1-2 - -* Thu Feb 18 2021 Chris Co - 5.10.13.1-1 -- Update source to 5.10.13.1 - -* Tue Feb 16 2021 Nicolas Ontiveros - 5.4.91-5 -- Update to kernel release 5.4.91-5. - -* Tue Feb 09 2021 Nicolas Ontiveros - 5.4.91-4 -- Update to kernel release 5.4.91-4. 
- -* Thu Jan 28 2021 Nicolas Ontiveros - 5.4.91-3 -- Add hmac files for FIPS - -* Wed Jan 27 2021 Daniel McIlvaney - 5.4.91-2 -- Update release number to match kernel spec - -* Wed Jan 20 2021 Chris Co - 5.4.91-1 -- Update source to 5.4.91 - -* Tue Jan 12 2021 Rachel Menge - 5.4.83-4 -- Update release number to match kernel spec - -* Sat Jan 09 2021 Andrew Phelps - 5.4.83-3 -- Update to kernel release 5.4.83-3 - -* Mon Dec 28 2020 Nicolas Ontiveros - 5.4.83-2 -- Update to kernel release 5.4.83-2 - -* Tue Dec 15 2020 Henry Beberman - 5.4.83-1 -- Update source to 5.4.83 - -* Fri Dec 04 2020 Chris Co - 5.4.81-1 -- Update source to 5.4.81 - -* Wed Nov 25 2020 Chris Co - 5.4.72-5 -- Update release number to match kernel spec - -* Mon Nov 23 2020 Chris Co - 5.4.72-4 -- Update release number to match kernel spec - -* Mon Nov 16 2020 Suresh Babu Chalamalasetty - 5.4.72-3 -- Update release number - -* Tue Nov 10 2020 Suresh Babu Chalamalasetty - 5.4.72-2 -- Update release number - -* Mon Oct 26 2020 Chris Co - 5.4.72-1 -- Update source to 5.4.72 -- Lint spec - -* Fri Oct 16 2020 Suresh Babu Chalamalasetty - 5.4.51-11 -- Update release number - -* Fri Oct 02 2020 Chris Co - 5.4.51-10 -- Update release number to match kernel spec - -* Fri Oct 02 2020 Chris Co - 5.4.51-9 -- Update release number - -* Wed Sep 30 2020 Emre Girgin - 5.4.51-8 -- Update postun script to deal with removal in case of another installed kernel. 
- -* Fri Sep 25 2020 Suresh Babu Chalamalasetty - 5.4.51-7 -- Update release number - -* Wed Sep 23 2020 Daniel McIlvaney - 5.4.51-6 -- Update release number - -* Thu Sep 03 2020 Daniel McIlvaney - 5.4.51-5 -- Update release number - -* Thu Sep 03 2020 Chris Co - 5.4.51-4 -- Update release number - -* Thu Sep 03 2020 Chris Co - 5.4.51-3 -- Add missing requires - -* Tue Sep 01 2020 Chris Co - 5.4.51-2 -- Update release number - -* Wed Aug 19 2020 Chris Co - 5.4.51-1 -- Update source to 5.4.51 - -* Wed Aug 19 2020 Chris Co - 5.4.42-12 -- Update release number - -* Tue Aug 18 2020 Chris Co - 5.4.42-11 -- Original version for CBL-Mariner. diff --git a/SPECS-SIGNED/kernel-signed-aarch64/kernel-signed-aarch64.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec similarity index 55% rename from SPECS-SIGNED/kernel-signed-aarch64/kernel-signed-aarch64.spec rename to SPECS-SIGNED/kernel-signed/kernel-signed.spec index 429a1501b82..b33594be4b0 100644 --- a/SPECS-SIGNED/kernel-signed-aarch64/kernel-signed-aarch64.spec +++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec 
@@ -1,65 +1,110 @@
 %global debug_package %{nil}
-%define uname_r %{version}-rolling-lts-mariner-%{release}
-Summary: Signed Linux Kernel for aarch64 systems
-Name: kernel-signed-aarch64
-Version: 5.10.21.1
+%ifarch x86_64
+%global buildarch x86_64
+%endif
+%ifarch aarch64
+%global buildarch aarch64
+%endif
+%define uname_r %{version}-%{release}
+Summary: Signed Linux Kernel for %{buildarch} systems
+Name: kernel-signed-%{buildarch}
+Version: 5.10.28.1
 Release: 4%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
 Distribution: Mariner
 Group: System Environment/Kernel
 URL: https://github.com/microsoft/CBL-Mariner-Linux-Kernel
-# This package's "version" and "release" must reflect the unsigned version that
-# was signed.
-# An important consequence is that when making a change to this package, the
-# unsigned version/release must be increased to keep the two versions consistent.
-# Ideally though, this spec will not change much or at all, so the version will
-# just track the unsigned package's version/release.
+# This spec purpose is to take an input kernel rpm and input secure-boot-signed
+# kernel binary from the same build and generate a new "kernel" rpm with the
+# signed kernel binary + all of the other original kernel files, triggers,
+# scriptlets, requires, provides, etc.
 #
-# To populate these sources:
+# We need to ensure the kernel modules and kernel binary used are from the exact
+# same build because at build time the kernel modules are signed with an
+# ephemeral key that the kernel enrolls in its keyring. We enforce kernel
+# module signature checking when we enable security features like kernel
+# lockdown so our kernel can only load those specific kernel modules at runtime.
+#
+# Additionally, to complete the UEFI Secure Boot chain, we must PE-sign the
+# kernel binary. Ideally we would enable secure-boot signing tools like pesign
+# or sbsign to be callable from inside the rpmbuild environment, that way we can
+# secure-boot sign the kernel binary during the kernel's rpmbuild. It is best
+# practice to sign as soon as possible. However there are issues getting that
+# secure boot signing infrastructure in place today. Hence we sign the
+# resulting kernel binary and "repackage" the kernel RPM (something rpm itself
+# actively tries to make sure you never do...generally for good reasons).
+#
+# To achive this repackaging, this spec creates a new subpackage named
+# "kernel". To retain all of the initial kernel package behaviors, we make sure
+# the subpackage has the same requires, provides, triggers, post steps, and
+# files as the original kernel package.
+#
+# This specific repackaging implementation leaves room for us to enable the
+# more ideal secure-boot signing flow in the future without introducing any
+# sort of breaking change or new packaging. Users still install a "kernel"
+# package like they normally would.
+#
+# Maintenance Notes:
+# - This spec's "version" and "release" must reflect the unsigned version that
+# was signed. An important consequence is that when making a change to this
+# spec or the normal kernel spec, the other spec's version version/release must
+# be increased to keep the two versions consistent.
+#
+# - Make sure the kernel subpackage's Requires, Provides, triggers, post/postun
+# scriptlets, and files match the normal kernel spec's. The kernel subpackage
+# should contain the same content as the input kernel package but replace the
+# kernel binary with our signed kernel binary. Since all the requires, provides,
+# etc are the same, this new kernel package can be a direct replacement for the
+# normal kernel package and RPM will resolve packages with kernel dependencies
+# correctly.
+#
+# To populate the input sources:
 # 1. Build the unsigned packages as normal
 # 2. Sign the desired binary
 # 3. Place the unsigned package and signed binary in this spec's folder
 # 4. Build this spec
-Source0: kernel-%{version}-%{release}.aarch64.rpm
+Source0: kernel-%{version}-%{release}.%{buildarch}.rpm
 Source1: vmlinuz-%{uname_r}
 BuildRequires: cpio
+
+%description
+This package contains the Linux kernel package with kernel signed with the production key
+
+%package -n kernel
+Summary: Linux Kernel
+Group: System Environment/Kernel
 Requires: filesystem
 Requires: kmod
 Requires(post): coreutils
 Requires(postun): coreutils
-Conflicts: kernel
-ExclusiveArch: aarch64
-%description
-This package contains the Linux kernel package with kernel signed with the production key
+%description -n kernel
+The kernel package contains the signed Linux kernel.
 %prep
 %build
+# This spec's whole purpose is to inject the signed kernel binary
+# Do not do anything extra.
 rpm2cpio %{SOURCE0} | cpio -idmv
 cp %{SOURCE1} ./boot/vmlinuz-%{uname_r}
 %install
-install -vdm 700 %{buildroot}/boot
-install -vdm 755 %{buildroot}/lib/modules/%{uname_r}
-mkdir -p %{buildroot}/%{_localstatedir}/lib/initramfs/kernel
+# Don't use * wildcard. It does not copy over hidden files in the root folder...
+cp -rp ./. %{buildroot}/
-cp -rp ./boot/. %{buildroot}/boot
-cp -rp ./lib/. %{buildroot}/lib
-cp -rp ./var/. %{buildroot}/%{_localstatedir}
-
-%triggerin -- initramfs
+%triggerin -n kernel -- initramfs
 mkdir -p %{_localstatedir}/lib/rpm-state/initramfs/pending
 touch %{_localstatedir}/lib/rpm-state/initramfs/pending/%{uname_r}
 echo "initrd generation of kernel %{uname_r} will be triggered later" >&2
-%triggerun -- initramfs
+%triggerun -n kernel -- initramfs
 rm -rf %{_localstatedir}/lib/rpm-state/initramfs/pending/%{uname_r}
 rm -rf /boot/initrd.img-%{uname_r}
 echo "initrd of kernel %{uname_r} removed" >&2
-%postun
+%postun -n kernel
 if [ ! -e /boot/mariner.cfg ]
 then
 ls /boot/linux-*.cfg 1> /dev/null 2>&1
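Review bot: `cp %{SOURCE1} ./boot/vmlinuz-%{uname_r}` in %build swaps in the PE-signed image but leaves the FIPS integrity files from the unsigned RPM untouched, and `/boot/.vmlinuz-%{uname_r}.hmac` plus `/lib/modules/%{uname_r}/.vmlinuz.hmac` are still packaged as-is; if those were computed over the unsigned vmlinuz (the old changelog entry "Add hmac files for FIPS" suggests they come from kernel.spec), the shipped HMAC will not match the signed binary and a FIPS-mode kernel integrity check would fail. Regenerate both .hmac files right after the cp the same way kernel.spec produces them (sha512hmac over the new `./boot/vmlinuz-%{uname_r}`, with the corresponding BuildRequires), and guard the cp with `test -f ./boot/vmlinuz-%{uname_r}` so a uname_r/input-RPM mismatch fails at that line rather than leaving two images in the tree. The header's same-build requirement is otherwise unenforced — nothing compares the signed image with the unsigned one and `rpm2cpio` performs no signature check on Source0 — so that trust rests entirely on what is dropped into the spec folder, which is worth stating in the comment. The removed `ExclusiveArch: aarch64` also has no replacement while `%{buildarch}` is defined only under the two `%ifarch` blocks; `ExclusiveArch: x86_64 aarch64` keeps other targets from expanding an undefined macro into Name and Source0.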
@@ -70,18 +115,43 @@ then
 fi
 fi
-%post
+%post -n kernel
 /sbin/depmod -a %{uname_r}
 ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
-%files
-/boot/*
+%files -n kernel
+%defattr(-,root,root)
+%license COPYING
+/boot/System.map-%{uname_r}
+/boot/config-%{uname_r}
+/boot/vmlinuz-%{uname_r}
 /boot/.vmlinuz-%{uname_r}.hmac
+%config(noreplace) /boot/linux-%{uname_r}.cfg
+%config %{_localstatedir}/lib/initramfs/kernel/%{uname_r}
+%defattr(0644,root,root)
 /lib/modules/%{uname_r}/*
 /lib/modules/%{uname_r}/.vmlinuz.hmac
-%config %{_localstatedir}/lib/initramfs/kernel/%{uname_r}
+%exclude /lib/modules/%{uname_r}/build
+%exclude /lib/modules/%{uname_r}/kernel/drivers/gpu
+%exclude /lib/modules/%{uname_r}/kernel/sound
+%ifarch x86_64
+%exclude /lib/modules/%{uname_r}/kernel/arch/x86/oprofile/
+%endif
 %changelog
+* Thu Apr 22 2021 Chris Co - 5.10.28.1-4
+- Bump release number to match kernel release
+
+* Mon Apr 19 2021 Chris Co - 5.10.28.1-3
+- Define a new kernel subpackage
+
+* Thu Apr 15 2021 Rachel Menge - 5.10.28.1-2
+- Update to kernel release 5.10.28.1-2
+
+* Thu Apr 08 2021 Chris Co - 5.10.28.1-1
+- Update source to 5.10.28.1
+- Update uname_r define to match the new value derived from the source
+
 * Fri Mar 26 2021 Daniel Mihai - 5.10.21.1-4
 - Update to kernel release 5.10.21.1-4
diff --git a/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md b/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md
index 9d61aeb9d3d..5ca0b6216b6 100644
--- a/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md
+++ b/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md
@@ -2,9 +2,10 @@ The CBL-Mariner SPEC files originated from a variety of sources with varying lic
 | Origin | License | Specs |
 | --- | --- | --- |
-| Fedora | [Fedora MIT License Declaration](https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora_SPEC_Files) | at
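Review bot: `%license COPYING` uses a relative path, which rpm resolves against the build directory rather than the buildroot, and nothing in this spec places a COPYING file there — whatever license file the extracted RPM carries lands under its packaged path after `cp -rp ./. %{buildroot}/`; confirm this resolves in a clean build and, if it does not, point %license at the absolute in-buildroot path the input kernel package already ships. The new `%exclude` lines for `build`, `drivers/gpu`, `sound` and `arch/x86/oprofile/` presumably mirror the split-out subpackages in kernel.spec, and the header's maintenance note asks for the two file lists to stay in sync, so a one-line comment above them naming that source (`# Keep in sync with the %files list in SPECS/kernel/kernel.spec`) would make the next drift easier to catch. The enclosing %postun scriptlet begins outside this hunk.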
attr
autoconf213
babeltrace2
brotli
busybox
calamares
catch
chrony
conntrack-tools
cpprest
cryptsetup
dnf
dos2unix
ebtables
extra-cmake-modules
gnu-efi
hardening-check
heimdal
hyperv-daemons
ipmitool
ipv6calc
jemalloc
kde-settings
kexec-tools
kf5
kf5-kconfig
kf5-kcoreaddons
kf5-ki18n
kf5-kwidgetsaddons
kpmcore
libatasmart
libburn
libcgroup
libcomps
libdnf
libisoburn
libisofs
libkcapi
libpwquality
libxcrypt
mokutil
mozjs60
open-vm-tools
openssl
p11-kit
perl-JSON
pugixml
qt5-qtbase
qt5-qtdeclarative
qt5-qtsvg
qt5-qttools
qt5-rpm-macros
squashfs-tools
uclibc-ng
uuid
websocketpp
words
yaml-cpp
zipper | -| Microsoft | [Microsoft MIT License](/LICENSES-AND-NOTICES/LICENSE.md) | aspnetcore-runtime-3.1
auoms
azure-iot-sdk-c
azure-iotedge
azure-storage-cpp
blobfuse
bmon
bond
bpftrace
ccache
clamav
cloud-hypervisor
cloud-init-vmware-guestinfo
coredns-1.6.5
coredns-1.6.7
coredns-1.7.0
distroless-packages
dtc
espeak-ng
espeakup
flannel
fluent-bit
freefont
gflags
go-md2man
grpc
GSL
ivykis
jsonbuilder
kubernetes-1.17.13
kubernetes-1.17.16
kubernetes-1.18.10
kubernetes-1.18.14
kubernetes-1.19.6
kubernetes-1.19.7
libacvp
libconfini
libconfuse
libiothsm-std
libmaxminddb
libuv
libxml++
lttng-consume
mariner-release
mariner-repos
mariner-rpm-macros
mm-common
moby-buildx
moby-cli
moby-containerd
moby-engine
moby-runc
msgpack
nlohmann-json
nmap
ntopng
omi
pcaudiolib
pcre2
perl-Test-Warnings
perl-Text-Template
pigz
prebuilt-ca-certificates-base
qemu-kvm
rocksdb
rubygem-addressable
rubygem-async
rubygem-async-http
rubygem-async-io
rubygem-async-pool
rubygem-aws-eventstream
rubygem-aws-partitions
rubygem-aws-sdk-core
rubygem-aws-sdk-kms
rubygem-aws-sdk-s3
rubygem-aws-sdk-sqs
rubygem-aws-sigv4
rubygem-concurrent-ruby
rubygem-console
rubygem-cool.io
rubygem-digest-crc
rubygem-elasticsearch
rubygem-elasticsearch-api
rubygem-elasticsearch-transport
rubygem-excon
rubygem-faraday
rubygem-ffi
rubygem-fiber-local
rubygem-fluent-config-regexp-type
rubygem-fluent-logger
rubygem-fluent-plugin-elasticsearch
rubygem-fluent-plugin-kafka
rubygem-fluent-plugin-prometheus
rubygem-fluent-plugin-prometheus_pushgateway
rubygem-fluent-plugin-record-modifier
rubygem-fluent-plugin-rewrite-tag-filter
rubygem-fluent-plugin-s3
rubygem-fluent-plugin-systemd
rubygem-fluent-plugin-td
rubygem-fluent-plugin-webhdfs
rubygem-fluentd
rubygem-hirb
rubygem-http_parser.rb
rubygem-httpclient
rubygem-jmespath
rubygem-ltsv
rubygem-mini_portile2
rubygem-msgpack
rubygem-multi_json
rubygem-multipart-post
rubygem-nio4r
rubygem-nokogiri
rubygem-oj
rubygem-parallel
rubygem-prometheus-client
rubygem-protocol-hpack
rubygem-protocol-http
rubygem-protocol-http1
rubygem-protocol-http2
rubygem-public_suffix
rubygem-quantile
rubygem-rake
rubygem-rdkafka
rubygem-ruby-kafka
rubygem-ruby-progressbar
rubygem-ruby2_keywords
rubygem-rubyzip
rubygem-serverengine
rubygem-sigdump
rubygem-strptime
rubygem-systemd-journal
rubygem-td
rubygem-td-client
rubygem-td-logger
rubygem-timers
rubygem-tzinfo
rubygem-tzinfo-data
rubygem-webhdfs
rubygem-yajl-ruby
rubygem-zip-zip
shim-unsigned
shim-unsigned-aarch64
shim-unsigned-x64
span-lite
swupdate
tinyxml2
toml11
tracelogging
vala
verity-read-only-root
vnstat
zstd | -| Photon | [Photon License](LICENSE-PHOTON.md) and [Photon Notice](NOTICE.APACHE2).
Also see [LICENSE-EXCEPTIONS.PHOTON](LICENSE-EXCEPTIONS.PHOTON). | acl
alsa-lib
alsa-utils
ansible
ant
ant-contrib
apparmor
apr
apr-util
asciidoc
atftp
audit
autoconf
autoconf-archive
autofs
autogen
automake
babel
bash
bc
bcc
bind
binutils
bison
blktrace
boost
bridge-utils
btrfs-progs
bubblewrap
build-essential
bzip2
c-ares
ca-certificates
cairo
cdrkit
check
chkconfig
chrpath
cifs-utils
clang
cloud-init
cloud-utils-growpart
cmake
cni
core-packages
coreutils
cpio
cppunit
cracklib
crash
crash-gcore-command
createrepo_c
cri-tools
cronie
ctags
curl
cyrus-sasl
Cython
dbus
dbus-glib
dejagnu
device-mapper-multipath
dhcp
dialog
diffutils
dkms
dmidecode
dnsmasq
docbook-dtd-xml
docbook-style-xsl
dosfstools
dotnet-runtime-3.1
dotnet-sdk-3.1
dracut
dstat
e2fsprogs
ed
efibootmgr
efivar
elfutils
erlang
etcd-3.4.13
etcd-3.4.3
ethtool
expat
expect
fcgi
file
filesystem
findutils
finger
flex
fontconfig
fping
freetype
fuse
gawk
gc
gcc
gdb
gdbm
gettext
git
glib
glib-networking
glibc
glibmm24
gmp
gnome-common
gnupg2
gnuplot
gnutls
gobject-introspection
golang-1.15
gperf
gperftools
gpgme
gptfdisk
grep
groff
grub2
grub2-efi-binary-signed-aarch64
grub2-efi-binary-signed-x64
gtest
gtk-doc
guile
gzip
haproxy
harfbuzz
haveged
hdparm
http-parser
httpd
i2c-tools
iana-etc
icu
initramfs
initscripts
inotify-tools
intltool
iotop
iperf3
ipmitool
iproute
ipset
iptables
iputils
ipvsadm
ipxe
irqbalance
itstool
jansson
jna
jq
json-c
json-glib
kbd
keepalived
kernel
kernel-headers
kernel-hyperv
kernel-signed-aarch64
kernel-signed-x64
kexec-tools
keyutils
kmod
krb5
lapack
less
libaio
libarchive
libassuan
libatomic_ops
libcap
libcap-ng
libconfig
libdb
libdnet
libedit
libestr
libev
libevent
libfastjson
libffi
libgcrypt
libgpg-error
libgssglue
libgsystem
libgudev
libjpeg-turbo
libksba
liblogging
libmbim
libmnl
libmodulemd
libmpc
libmspack
libndp
libnetfilter_conntrack
libnetfilter_cthelper
libnetfilter_cttimeout
libnetfilter_queue
libnfnetlink
libnftnl
libnl3
libnsl2
libpcap
libpipeline
libpng
libpsl
libqmi
librelp
librepo
librsync
libseccomp
libselinux
libsepol
libserf
libsigc++20
libsolv
libsoup
libssh2
libtalloc
libtar
libtasn1
libtiff
libtirpc
libtool
libunistring
libunwind
libusb
libvirt
libwebp
libxml2
libxslt
libyaml
linux-firmware
lldb
lldpad
llvm
lm-sensors
lmdb
log4cpp
logrotate
lshw
lsof
lsscsi
ltrace
lttng-tools
lttng-ust
lua
lvm2
lz4
lzo
m2crypto
m4
make
man-db
man-pages
mariadb
maven
mc
mercurial
meson
mlocate
ModemManager
mpfr
msr-tools
mysql
nano
nasm
ncurses
ndctl
net-snmp
net-tools
nettle
newt
nfs-utils
nghttp2
nginx
ninja-build
nodejs-8.11.4
nodejs-9.11.2
npth
nspr
nss
nss-altfiles
ntp
numactl
numpy
nvme-cli
oniguruma
OpenIPMI
openjdk8
openjdk8_aarch64
openldap
openscap
openssh
openvswitch
ostree
pam
pango
parted
patch
pciutils
pcre
perl
perl-Canary-Stability
perl-CGI
perl-common-sense
perl-Crypt-SSLeay
perl-DBD-SQLite
perl-DBI
perl-DBIx-Simple
perl-Exporter-Tiny
perl-File-HomeDir
perl-File-Which
perl-IO-Socket-SSL
perl-JSON-Any
perl-JSON-XS
perl-libintl-perl
perl-List-MoreUtils
perl-Module-Build
perl-Module-Install
perl-Module-ScanDeps
perl-Net-SSLeay
perl-NetAddr-IP
perl-Object-Accessor
perl-Path-Class
perl-Try-Tiny
perl-Types-Serialiser
perl-WWW-Curl
perl-XML-Parser
perl-YAML
perl-YAML-Tiny
pgbouncer
pinentry
pixman
pkg-config
polkit
popt
postgresql
powershell
procps-ng
protobuf
protobuf-c
psmisc
pth
pyasn1-modules
pygobject3
pyOpenSSL
PyPAM
pyparsing
pytest
python-appdirs
python-asn1crypto
python-atomicwrites
python-attrs
python-backports-ssl_match_hostname
python-bcrypt
python-boto3
python-botocore
python-certifi
python-cffi
python-chardet
python-configobj
python-constantly
python-coverage
python-cryptography
python-daemon
python-dateutil
python-defusedxml
python-distro
python-docopt
python-docutils
python-ecdsa
python-enum34
python-futures
python-gevent
python-greenlet
python-hyperlink
python-hypothesis
python-idna
python-imagesize
python-incremental
python-iniparse
python-ipaddr
python-ipaddress
python-jinja2
python-jmespath
python-jsonpatch
python-jsonpointer
python-jsonschema
python-lockfile
python-lxml
python-m2r
python-mako
python-markupsafe
python-mistune
python-msgpack
python-netaddr
python-netifaces
python-ntplib
python-oauthlib
python-packaging
python-pam
python-pbr
python-pip
python-ply
python-prettytable
python-psutil
python-psycopg2
python-py
python-pyasn1
python-pycodestyle
python-pycparser
python-pycurl
python-pygments
python-pynacl
python-pyvmomi
python-requests
python-setuptools
python-setuptools_scm
python-simplejson
python-six
python-snowballstemmer
python-sphinx
python-sphinx-theme-alabaster
python-sqlalchemy
python-twisted
python-typing
python-urllib3
python-vcversioner
python-virtualenv
python-wcwidth
python-webob
python-websocket-client
python-werkzeug
python-zope-interface
python2
python3
pytz
PyYAML
rapidjson
readline
redis
rng-tools
rpcbind
rpcsvc-proto
rpm
rpm-ostree
rrdtool
rsync
rsyslog
ruby
rubygem-bundler
runc
rust
scons
sed
sg3_utils
shadow-utils
slang
snappy
socat
sqlite
sshpass
strace
strongswan
subversion
sudo
swig
syslinux
syslog-ng
sysstat
systemd
systemd-bootstrap
systemtap
tar
tboot
tcl
tcp_wrappers
tcpdump
tcsh
tdnf
telegraf
texinfo
tmux
tpm2-abrmd
tpm2-tools
tpm2-tss
traceroute
tree
trousers
tzdata
unbound
unixODBC
unzip
usbutils
userspace-rcu
utf8proc
util-linux
valgrind
vim
vsftpd
WALinuxAgent
wget
which
wpa_supplicant
xerces-c
xfsprogs
xinetd
xmlsec1
xmlto
xz
zchunk
zeromq
zip
zlib
zsh | +| Fedora | [Fedora MIT License Declaration](https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#License_of_Fedora_SPEC_Files) | at
attr
autoconf213
babeltrace2
bmake
brotli
busybox
calamares
catch
chrony
conntrack-tools
cpprest
cryptsetup
dnf
dos2unix
ebtables
extra-cmake-modules
gnu-efi
hardening-check
heimdal
hyperv-daemons
ipmitool
ipv6calc
jemalloc
kde-settings
kexec-tools
kf5
kf5-kconfig
kf5-kcoreaddons
kf5-ki18n
kf5-kwidgetsaddons
kpmcore
libatasmart
libburn
libcgroup
libcomps
libdnf
libisoburn
libisofs
libkcapi
libpwquality
libxcrypt
mokutil
mozjs60
open-vm-tools
openssl
p11-kit
perl-JSON
pugixml
qt5-qtbase
qt5-qtdeclarative
qt5-qtsvg
qt5-qttools
qt5-rpm-macros
squashfs-tools
uclibc-ng
uuid
websocketpp
words
yaml-cpp
zipper | +| Microsoft | [Microsoft MIT License](/LICENSES-AND-NOTICES/LICENSE.md) | aspnetcore-runtime-3.1
auoms
azure-iot-sdk-c
azure-iotedge
azure-storage-cpp
blobfuse
bmon
bond
bpftrace
ccache
clamav
cloud-hypervisor
cloud-init-vmware-guestinfo
coredns-1.6.7
coredns-1.7.0
distroless-packages
dtc
espeak-ng
espeakup
flannel
fluent-bit
freefont
gflags
go-md2man
grpc
GSL
installkernel
ivykis
jsonbuilder
kubernetes-1.18.14
kubernetes-1.18.17
kubernetes-1.19.7
kubernetes-1.19.9
kubernetes-1.20.2
kubernetes-1.20.5
libacvp
libconfini
libconfuse
libiothsm-std
libmaxminddb
libuv
libxml++
lttng-consume
mariner-release
mariner-repos
mariner-rpm-macros
mm-common
moby-buildx
moby-cli
moby-containerd
moby-engine
moby-runc
msgpack
nlohmann-json
nmap
ntopng
omi
pcaudiolib
pcre2
perl-Test-Warnings
perl-Text-Template
pigz
prebuilt-ca-certificates-base
qemu-kvm
rocksdb
rubygem-addressable
rubygem-async
rubygem-async-http
rubygem-async-io
rubygem-async-pool
rubygem-aws-eventstream
rubygem-aws-partitions
rubygem-aws-sdk-core
rubygem-aws-sdk-kms
rubygem-aws-sdk-s3
rubygem-aws-sdk-sqs
rubygem-aws-sigv4
rubygem-concurrent-ruby
rubygem-console
rubygem-cool.io
rubygem-digest-crc
rubygem-elasticsearch
rubygem-elasticsearch-api
rubygem-elasticsearch-transport
rubygem-excon
rubygem-faraday
rubygem-ffi
rubygem-fiber-local
rubygem-fluent-config-regexp-type
rubygem-fluent-logger
rubygem-fluent-plugin-elasticsearch
rubygem-fluent-plugin-kafka
rubygem-fluent-plugin-prometheus
rubygem-fluent-plugin-prometheus_pushgateway
rubygem-fluent-plugin-record-modifier
rubygem-fluent-plugin-rewrite-tag-filter
rubygem-fluent-plugin-s3
rubygem-fluent-plugin-systemd
rubygem-fluent-plugin-td
rubygem-fluent-plugin-webhdfs
rubygem-fluentd
rubygem-hirb
rubygem-http_parser.rb
rubygem-httpclient
rubygem-jmespath
rubygem-ltsv
rubygem-mini_portile2
rubygem-msgpack
rubygem-multi_json
rubygem-multipart-post
rubygem-nio4r
rubygem-nokogiri
rubygem-oj
rubygem-parallel
rubygem-prometheus-client
rubygem-protocol-hpack
rubygem-protocol-http
rubygem-protocol-http1
rubygem-protocol-http2
rubygem-public_suffix
rubygem-quantile
rubygem-rake
rubygem-rdkafka
rubygem-ruby-kafka
rubygem-ruby-progressbar
rubygem-ruby2_keywords
rubygem-rubyzip
rubygem-serverengine
rubygem-sigdump
rubygem-strptime
rubygem-systemd-journal
rubygem-td
rubygem-td-client
rubygem-td-logger
rubygem-timers
rubygem-tzinfo
rubygem-tzinfo-data
rubygem-webhdfs
rubygem-yajl-ruby
rubygem-zip-zip
shim
shim-unsigned
shim-unsigned-aarch64
shim-unsigned-x64
span-lite
swupdate
tinyxml2
toml11
tracelogging
vala
verity-read-only-root
vnstat
zstd | +| Photon | [Photon License](LICENSE-PHOTON.md) and [Photon Notice](NOTICE.APACHE2).
Also see [LICENSE-EXCEPTIONS.PHOTON](LICENSE-EXCEPTIONS.PHOTON). | acl
alsa-lib
alsa-utils
ansible
ant
ant-contrib
apparmor
apr
apr-util
asciidoc
atftp
audit
autoconf
autoconf-archive
autofs
autogen
automake
babel
bash
bc
bcc
bind
binutils
bison
blktrace
boost
bridge-utils
btrfs-progs
bubblewrap
build-essential
bzip2
c-ares
ca-certificates
cairo
cdrkit
check
chkconfig
chrpath
cifs-utils
clang
cloud-init
cloud-utils-growpart
cmake
cni
core-packages
coreutils
cpio
cppunit
cracklib
crash
crash-gcore-command
createrepo_c
cri-tools
cronie
ctags
curl
cyrus-sasl
Cython
dbus
dbus-glib
dejagnu
device-mapper-multipath
dhcp
dialog
diffutils
dkms
dmidecode
dnsmasq
docbook-dtd-xml
docbook-style-xsl
dosfstools
dotnet-runtime-3.1
dotnet-sdk-3.1
dracut
dstat
e2fsprogs
ed
efibootmgr
efivar
elfutils
erlang
etcd-3.4.13
etcd-3.4.3
ethtool
expat
expect
fcgi
file
filesystem
findutils
finger
flex
fontconfig
fping
freetype
fuse
gawk
gc
gcc
gdb
gdbm
gettext
git
glib
glib-networking
glibc
glibmm24
gmp
gnome-common
gnupg2
gnuplot
gnutls
gobject-introspection
golang-1.15
gperf
gperftools
gpgme
gptfdisk
grep
groff
grub2
grub2-efi-binary-signed
gtest
gtk-doc
guile
gzip
haproxy
harfbuzz
haveged
hdparm
http-parser
httpd
i2c-tools
iana-etc
icu
initramfs
initscripts
inotify-tools
intltool
iotop
iperf3
ipmitool
iproute
ipset
iptables
iputils
ipvsadm
ipxe
irqbalance
itstool
jansson
jna
jq
json-c
json-glib
kbd
keepalived
kernel
kernel-headers
kernel-hyperv
kernel-signed
kexec-tools
keyutils
kmod
krb5
lapack
less
libaio
libarchive
libassuan
libatomic_ops
libcap
libcap-ng
libconfig
libdb
libdnet
libedit
libestr
libev
libevent
libfastjson
libffi
libgcrypt
libgpg-error
libgssglue
libgsystem
libgudev
libjpeg-turbo
libksba
liblogging
libmbim
libmnl
libmodulemd
libmpc
libmspack
libndp
libnetfilter_conntrack
libnetfilter_cthelper
libnetfilter_cttimeout
libnetfilter_queue
libnfnetlink
libnftnl
libnl3
libnsl2
libpcap
libpipeline
libpng
libpsl
libqmi
librelp
librepo
librsync
libseccomp
libselinux
libsepol
libserf
libsigc++20
libsolv
libsoup
libssh2
libtalloc
libtar
libtasn1
libtiff
libtirpc
libtool
libunistring
libunwind
libusb
libvirt
libwebp
libxml2
libxslt
libyaml
linux-firmware
lldb
lldpad
llvm
lm-sensors
lmdb
log4cpp
logrotate
lshw
lsof
lsscsi
ltrace
lttng-tools
lttng-ust
lua
lvm2
lz4
lzo
m2crypto
m4
make
man-db
man-pages
mariadb
maven
mc
mercurial
meson
mlocate
ModemManager
mpfr
msr-tools
mysql
nano
nasm
ncurses
ndctl
net-snmp
net-tools
nettle
newt
nfs-utils
nghttp2
nginx
ninja-build
nodejs-8.11.4
nodejs-9.11.2
npth
nspr
nss
nss-altfiles
ntp
numactl
numpy
nvme-cli
oniguruma
OpenIPMI
openjdk8
openjdk8_aarch64
openldap
openscap
openssh
openvswitch
ostree
pam
pango
parted
patch
pciutils
pcre
perl
perl-Canary-Stability
perl-CGI
perl-common-sense
perl-Crypt-SSLeay
perl-DBD-SQLite
perl-DBI
perl-DBIx-Simple
perl-Exporter-Tiny
perl-File-HomeDir
perl-File-Which
perl-IO-Socket-SSL
perl-JSON-Any
perl-JSON-XS
perl-libintl-perl
perl-List-MoreUtils
perl-Module-Build
perl-Module-Install
perl-Module-ScanDeps
perl-Net-SSLeay
perl-NetAddr-IP
perl-Object-Accessor
perl-Path-Class
perl-Try-Tiny
perl-Types-Serialiser
perl-WWW-Curl
perl-XML-Parser
perl-YAML
perl-YAML-Tiny
pgbouncer
pinentry
pixman
pkg-config
polkit
popt
postgresql
powershell
procps-ng
protobuf
protobuf-c
psmisc
pth
pyasn1-modules
pygobject3
pyOpenSSL
PyPAM
pyparsing
pytest
python-appdirs
python-asn1crypto
python-atomicwrites
python-attrs
python-backports-ssl_match_hostname
python-bcrypt
python-boto3
python-botocore
python-certifi
python-cffi
python-chardet
python-configobj
python-constantly
python-coverage
python-cryptography
python-daemon
python-dateutil
python-defusedxml
python-distro
python-docopt
python-docutils
python-ecdsa
python-enum34
python-futures
python-gevent
python-greenlet
python-hyperlink
python-hypothesis
python-idna
python-imagesize
python-incremental
python-iniparse
python-ipaddr
python-ipaddress
python-jinja2
python-jmespath
python-jsonpatch
python-jsonpointer
python-jsonschema
python-lockfile
python-lxml
python-m2r
python-mako
python-markupsafe
python-mistune
python-msgpack
python-netaddr
python-netifaces
python-ntplib
python-oauthlib
python-packaging
python-pam
python-pbr
python-pip
python-ply
python-prettytable
python-psutil
python-psycopg2
python-py
python-pyasn1
python-pycodestyle
python-pycparser
python-pycurl
python-pygments
python-pynacl
python-pyvmomi
python-requests
python-setuptools
python-setuptools_scm
python-simplejson
python-six
python-snowballstemmer
python-sphinx
python-sphinx-theme-alabaster
python-sqlalchemy
python-twisted
python-typing
python-urllib3
python-vcversioner
python-virtualenv
python-wcwidth
python-webob
python-websocket-client
python-werkzeug
python-zope-interface
python2
python3
pytz
PyYAML
rapidjson
readline
redis
rng-tools
rpcbind
rpcsvc-proto
rpm
rpm-ostree
rrdtool
rsync
rsyslog
ruby
rubygem-bundler
runc
rust
scons
sed
sg3_utils
shadow-utils
slang
snappy
socat
sqlite
sshpass
strace
strongswan
subversion
sudo
swig
syslinux
syslog-ng
sysstat
systemd
systemd-bootstrap
systemtap
tar
tboot
tcl
tcp_wrappers
tcpdump
tcsh
tdnf
telegraf
texinfo
tmux
tpm2-abrmd
tpm2-tools
tpm2-tss
traceroute
tree
trousers
tzdata
unbound
unixODBC
unzip
usbutils
userspace-rcu
utf8proc
util-linux
valgrind
vim
vsftpd
WALinuxAgent
wget
which
wpa_supplicant
xerces-c
xfsprogs
xinetd
xmlsec1
xmlto
xz
zchunk
zeromq
zip
zlib
zsh | | OpenMamba | [Openmamba GPLv2 License](https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt) | bash-completion | -| TreasureData | [TreasureData ASL 2.0 License](http://www.apache.org/licenses/LICENSE-2.0) | td-agent | +| TreasureData | [ASL 2.0 License](http://www.apache.org/licenses/LICENSE-2.0) | td-agent | +| Nvidia | [ASL 2.0 License](http://www.apache.org/licenses/LICENSE-2.0) | nvidia-container-runtime | | Magnus Edenhill Open Source | [Magnus Edenhill Open Source BSD License](https://github.com/jemalloc/jemalloc/blob/dev/COPYING) | librdkafka | diff --git a/SPECS/LICENSES-AND-NOTICES/data/licenses.json b/SPECS/LICENSES-AND-NOTICES/data/licenses.json index 866917a4b43..651806dc983 100644 --- a/SPECS/LICENSES-AND-NOTICES/data/licenses.json +++ b/SPECS/LICENSES-AND-NOTICES/data/licenses.json @@ -14,6 +14,7 @@ "attr", "autoconf213", "babeltrace2", + "bmake", "brotli", "busybox", "calamares", @@ -89,7 +90,6 @@ "clamav", "cloud-hypervisor", "cloud-init-vmware-guestinfo", - "coredns-1.6.5", "coredns-1.6.7", "coredns-1.7.0", "distroless-packages", @@ -103,14 +103,15 @@ "go-md2man", "grpc", "GSL", + "installkernel", "ivykis", "jsonbuilder", - "kubernetes-1.17.13", - "kubernetes-1.17.16", - "kubernetes-1.18.10", "kubernetes-1.18.14", + "kubernetes-1.18.17", "kubernetes-1.19.7", - "kubernetes-1.19.6", + "kubernetes-1.19.9", + "kubernetes-1.20.2", + "kubernetes-1.20.5", "libacvp", "libconfini", "libconfuse", @@ -216,6 +217,7 @@ "rubygem-webhdfs", "rubygem-yajl-ruby", "rubygem-zip-zip", + "shim", "shim-unsigned", "shim-unsigned-aarch64", "shim-unsigned-x64", @@ -355,8 +357,7 @@ "grep", "groff", "grub2", - "grub2-efi-binary-signed-aarch64", - "grub2-efi-binary-signed-x64", + "grub2-efi-binary-signed", "gtest", "gtk-doc", "guile", @@ -395,8 +396,7 @@ "kernel", "kernel-headers", "kernel-hyperv", - "kernel-signed-aarch64", - "kernel-signed-x64", + "kernel-signed", "kexec-tools", "keyutils", "kmod", 
@@ -765,11 +765,18 @@ }, { "origin": "TreasureData", - "license": "[TreasureData ASL 2.0 License](http://www.apache.org/licenses/LICENSE-2.0)", + "license": "[ASL 2.0 License](http://www.apache.org/licenses/LICENSE-2.0)", "specs": [ "td-agent" ] }, + { + "origin": "Nvidia", + "license": "[ASL 2.0 License](http://www.apache.org/licenses/LICENSE-2.0)", + "specs": [ + "nvidia-container-runtime" + ] + }, { "origin": "Magnus Edenhill Open Source", "license": "[Magnus Edenhill Open Source BSD License](https://github.com/jemalloc/jemalloc/blob/dev/COPYING)", @@ -778,4 +785,4 @@ ] } ] -} \ No newline at end of file +} diff --git a/SPECS/at/at.spec b/SPECS/at/at.spec index d1f1c8a498c..4ef88364eb5 100644 --- a/SPECS/at/at.spec +++ b/SPECS/at/at.spec @@ -2,7 +2,7 @@ Summary: Job spooling tools Name: at Version: 3.1.23 -Release: 6%{?dist} +Release: 7%{?dist} # http://packages.debian.org/changelogs/pool/main/a/at/current/copyright # + install-sh is MIT license with changes under Public Domain License: GPLv3+ AND GPLv2+ AND ISC AND MIT AND Public Domain @@ -38,6 +38,7 @@ BuildRequires: flex-devel BuildRequires: gcc BuildRequires: libselinux-devel >= 1.27.9 BuildRequires: perl +BuildRequires: systemd Requires(post): systemd Requires(postun): systemd Requires(preun): systemd @@ -124,8 +125,8 @@ mkdir -p %{buildroot}%{_sysconfdir}/sysconfig install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/sysconfig/atd # install systemd initscript -mkdir -p %{buildroot}/%{_unitdir}/ -install -m 644 %{SOURCE5} %{buildroot}/%{_unitdir}/atd.service +mkdir -p %{buildroot}/lib/systemd/system/ +install -m 644 %{SOURCE5} %{buildroot}/lib/systemd/system/atd.service # remove unpackaged files from the buildroot rm -r %{buildroot}%{_prefix}/doc 
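Review bot: The new install lines hardcode `/lib/systemd/system/` in place of `%{_unitdir}`, while the same commit adds `BuildRequires: systemd`, which is exactly what makes `%{_unitdir}` resolve at build time; with the macro now available, the literal path is redundant and pins the package to one filesystem layout. If the original failure was `%{_unitdir}` expanding to nothing without the systemd build dependency, the BuildRequires alone fixes it and the two lines can stay `mkdir -p %{buildroot}%{_unitdir}` / `install -m 644 %{SOURCE5} %{buildroot}%{_unitdir}/atd.service` (also dropping the stray `/` before the macro). The `%files` entry changed to `/lib/systemd/system/atd.service` in the `@@ -174,9 +175,13 @@` hunk should follow the same choice so the packaged path and the installed path cannot drift apart.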
@@ -174,9 +175,13 @@ chown root:root %{_localstatedir}/spool/at/.SEQ %{_bindir}/atrm %{_bindir}/atq %attr(4755,root,root) %{_bindir}/at -%attr(0644,root,root) /%{_unitdir}/atd.service +%attr(0644,root,root) /lib/systemd/system/atd.service %changelog +* Mon Apr 19 2021 Nicolas Ontiveros - 3.1.23-7 +- Fix installation of atd.service +- Add systemd to BR + * Mon Nov 30 2020 Nicolas Ontiveros - 3.1.23-6 - Initial CBL-Mariner import from Fedora 33 (license: MIT). - Use flex-devel in BR diff --git a/SPECS/azure-iotedge/azure-iotedge.spec b/SPECS/azure-iotedge/azure-iotedge.spec index 9c92dca523c..089bb8c797f 100644 --- a/SPECS/azure-iotedge/azure-iotedge.spec +++ b/SPECS/azure-iotedge/azure-iotedge.spec @@ -1,7 +1,7 @@ Summary: Azure IoT Edge Security Daemon Name: azure-iotedge Version: 1.1.0 -Release: 3%{?dist} +Release: 4%{?dist} # A buildable azure-iotedge environments needs functioning submodules that do not work from the archive download # To recreate the tar.gz run the following @@ -166,6 +166,9 @@ echo "========================================================================== %doc %{_docdir}/iotedge-%{version}/trademark %changelog +* Mon Apr 26 2021 Thomas Crain - 1.1.0-4 +- Bump release to rebuild with rust 1.47.0-3 (security update) + * Tue Apr 20 2021 Thomas Crain - 1.1.0-3 - Bump release to rebuild with rust 1.47.0-2 (security update) diff --git a/SPECS/bmake/bmake.signatures.json b/SPECS/bmake/bmake.signatures.json new file mode 100644 index 00000000000..9c8812a9b3c --- /dev/null +++ b/SPECS/bmake/bmake.signatures.json @@ -0,0 +1,5 @@ +{ + "Signatures": { + "bmake-20201010.tar.gz": "6e1261b3b194d3a92770fc73772bff052c47eada98952a0b19c4e5b7f1fe5515" + } +} diff --git a/SPECS/bmake/bmake.spec b/SPECS/bmake/bmake.spec new file mode 100644 index 00000000000..aa19eff8822 --- /dev/null +++ b/SPECS/bmake/bmake.spec 
@@ -0,0 +1,214 @@ +Summary: The NetBSD make(1) tool +Name: bmake +Version: 20201010 +Release: 2%{?dist} +License: BSD +Vendor: Microsoft Corporation +Distribution: Mariner +URL: https://ftp.netbsd.org/pub/NetBSD/misc/sjg/ +Source0: %{url}/bmake-%{version}.tar.gz +Requires: mk-files + +BuildRequires: gcc +BuildRequires: sed +BuildRequires: util-linux + +%description +bmake, the NetBSD make tool, is a program designed to simplify the +maintenance of other programs. The input of bmake is a list of specifications +indicating the files upon which the targets (programs and other files) depend. +bmake then detects which targets are out of date based on their dependencies +and triggers the necessary commands to bring them up to date when that happens. + +bmake is similar to GNU make, even though the syntax for the advanced features +supported in Makefiles is very different. + +%package -n mk-files +Summary: Support files for bmake, the NetBSD make(1) tool +BuildArch: noarch + +%description -n mk-files +The mk-files package provides some bmake macros derived from the NetBSD +bsd.*.mk macros. These macros allow the creation of simple Makefiles to +build all kinds of targets, including, for example, C/C++ programs and/or +shared libraries. 
+ +%prep +%autosetup -n %{name} +sed -i.timestamp -e 's|cp_f=-f|cp_f=-pf|' mk/install-mk +sed -i.python -e '1 s|^#!/usr/bin/env python|#!/usr/bin/python3|' mk/meta2deps.py +sed -i.makefile '/ksh/d' unit-tests/Makefile +sed -i.makefile '/csh/d' unit-tests/Makefile + +%build +%configure --with-default-sys-path=%{_datadir}/mk +sh ./make-bootstrap.sh + +%install +export STRIP=/bin/true # Make sure binary is not stripped +./bmake -m mk install DESTDIR=%{buildroot} +mv %{buildroot}%{_mandir}/{cat,man}1 +chmod a-x %{buildroot}%{_datadir}/mk/mkopt.sh + +%files +%doc ChangeLog README +%license LICENSE +%{_bindir}/* +%{_mandir}/man1/* + +%files -n mk-files +%license LICENSE +%doc mk/README +%{_datadir}/mk + +%changelog +* Fri Apr 16 2021 Vincent Tam - 20201010-2 +- Disable tests for tcsh / ksh +- License verified +- Initial CBL-Mariner import from Fedora 33 (license: MIT). + +* Tue Oct 20 2020 Petr Menšík - 20201010-1 +- Update to 20201010 (#1876115) + +* Sat Aug 01 2020 Fedora Release Engineering - 20200710-3 +- Second attempt - Rebuilt for + https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Mon Jul 27 2020 Fedora Release Engineering - 20200710-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Thu Jul 16 2020 Petr Menšík - 20200710-1 +- Update to 20200710 + +* Thu Jul 09 2020 Petr Menšík - 20200704-1 +- Update to 20200704 (#1852609) +- Include license (#1845892) + +* Wed Jun 10 2020 Petr Menšík - 20200524-3 +- Make mk-files mandatory again + +* Wed Jun 10 2020 Petr Menšík - 20200524-2 +- Create mk-files subpackage from bmake sources + +* Mon May 25 2020 Petr Menšík - 20200524-1 +- Update to version 20200524 + +* Fri Feb 28 2020 Luis Bazan - 20200212-1 +- New upstream version + +* Tue Jan 28 2020 Fedora Release Engineering - 20180512-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Wed Jul 24 2019 Fedora Release Engineering - 20180512-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Thu 
Jan 31 2019 Fedora Release Engineering - 20180512-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Thu Jul 12 2018 Fedora Release Engineering - 20180512-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Tue May 29 2018 Luis Bazan - 20180512-1 +- New Upstream version + +* Wed Apr 25 2018 Luis Bazan - 20180222-1 +- New upstream version + +* Wed Feb 07 2018 Fedora Release Engineering - 20171207-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Fri Jan 26 2018 Luis Bazan - 20171207-1 +- New Upstream version + +* Wed Nov 22 2017 Luis Bazan - 20171118-1 +- new upstream version + +* Sun Nov 05 2017 Michel Alexandre Salim - 20171028-1 +- New upstream version + +* Wed Aug 02 2017 Fedora Release Engineering - 20150910-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 20150910-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Feb 10 2017 Fedora Release Engineering - 20150910-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Wed Feb 03 2016 Fedora Release Engineering - 20150910-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Sat Oct 03 2015 Luis Bazan - 20150910-1 +- new upstream version + +* Wed Jun 17 2015 Fedora Release Engineering - 20141111-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Mon Dec 15 2014 Luis Bazan - 20141111-1 +- New upstream version + +* Fri Aug 15 2014 Fedora Release Engineering - 20140620-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Wed Jul 2 2014 Luis Bazan - 20140620-1 +- new upstream version + +* Sat Jun 07 2014 Fedora Release Engineering - 20140214-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Tue Feb 18 2014 Luis Bazan - 20140214-1 +- new upstream version + +* Wed Jan 15 2014 Luis Bazan - 20140101-1 +- New Upstream 
version + +* Tue Oct 29 2013 Luis Bazan - 20131001-1 +- New Upstream version + +* Wed Aug 14 2013 Luis Bazan - 20130730-1 +- New Upstream Version + +* Sat Aug 03 2013 Fedora Release Engineering - 20130330-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Thu May 16 2013 Luis Bazan - 20130330-1 +- New Upstream Version + +* Wed Mar 06 2013 Luis Bazan - 20130123-1 +- New Upstream Version + +* Wed Feb 13 2013 Fedora Release Engineering - 20120831-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Wed Sep 05 2012 Luis Bazan - 20120831-1 +- New Upstream Version + +* Wed Jul 18 2012 Fedora Release Engineering - 20120604-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Wed Jun 06 2012 Luis Bazan 20120604-2 +- Changing destination of the sources + +* Tue Jun 05 2012 Luis Bazan 20120604-1 +- New Upstream Version 20120604-1. + +* Mon Feb 06 2012 Julio Merino 20111111-1 +- New upstream version. + +* Thu Jan 12 2012 Fedora Release Engineering - 20090222-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Mon Feb 07 2011 Fedora Release Engineering - 20090222-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Fri Jul 24 2009 Fedora Release Engineering - 20090222-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Wed Jul 15 2009 Stepan Kasal - 20090222-1 +- new upstream version + +* Mon Feb 23 2009 Fedora Release Engineering - 20080515-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Wed Jul 02 2008 Julio M. Merino Vidal - 20080515-1 +- Initial release for Fedora. diff --git a/SPECS/cairo/CVE-2018-19876.patch b/SPECS/cairo/CVE-2018-19876.patch deleted file mode 100644 index 5aeda204272..00000000000 --- a/SPECS/cairo/CVE-2018-19876.patch +++ /dev/null 
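Review bot: The two `sed -i.makefile '/ksh/d' unit-tests/Makefile` / `'/csh/d'` edits in `%prep` only touch the unit-test Makefile, but the spec has no `%check` section, so those tests never run and the edits (and the changelog line "Disable tests for tcsh / ksh") have no observable effect on the build. Either add a `%check` that runs the unit tests so the exclusions matter, or drop the two lines and the changelog entry; note also that the second `sed -i.makefile` overwrites the backup the first one created. Separately, the shebang rewrite to `#!/usr/bin/python3` on `mk/meta2deps.py` ships in the `mk-files` subpackage via `%{_datadir}/mk`, so rpm's dependency generator will presumably add a `/usr/bin/python3` requirement to a package that declares none — confirm that is intended and record it with a comment above that sed line.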
@@ -1,14 +0,0 @@ ---- a/src/cairo-ft-font.c -+++ b/src/cairo-ft-font.c -@@ -2393,7 +2393,11 @@ - done: - free (coords); - free (current_coords); -+#if HAVE_FT_DONE_MM_VAR -+ FT_Done_MM_Var (face->glyph->library, ft_mm_var); -+#else - free (ft_mm_var); -+#endif - } - } - diff --git a/SPECS/cairo/cairo.signatures.json b/SPECS/cairo/cairo.signatures.json index f4d5a288ace..396846550f4 100644 --- a/SPECS/cairo/cairo.signatures.json +++ b/SPECS/cairo/cairo.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "cairo-1.16.0.tar.xz": "5e7b29b3f113ef870d1e3ecf8adf21f923396401604bda16d44be45e66052331" + "cairo-1.17.4.tar.xz": "74b24c1ed436bbe87499179a3b27c43f4143b8676d8ad237a6fa787401959705" } } \ No newline at end of file diff --git a/SPECS/cairo/cairo.spec b/SPECS/cairo/cairo.spec index a406b24dbb4..3d897e80a15 100644 --- a/SPECS/cairo/cairo.spec +++ b/SPECS/cairo/cairo.spec @@ -1,25 +1,24 @@ Summary: A 2D graphics library. Name: cairo -Version: 1.16.0 -Release: 5%{?dist} -License: LGPLv2 or MPLv1.1 -URL: http://cairographics.org -Group: System Environment/Libraries +Version: 1.17.4 +Release: 1%{?dist} +License: LGPLv2 OR MPLv1.1 Vendor: Microsoft Corporation Distribution: Mariner -Source0: http://cairographics.org/releases/%{name}-%{version}.tar.xz -Patch0: CVE-2018-19876.patch -BuildRequires: pkg-config +Group: System Environment/Libraries +URL: https://cairographics.org +Source0: https://cairographics.org/snapshots/%{name}-%{version}.tar.xz +BuildRequires: fontconfig-devel +BuildRequires: freetype-devel +BuildRequires: glib-devel BuildRequires: libpng-devel BuildRequires: libxml2-devel BuildRequires: pixman-devel -BuildRequires: freetype-devel -BuildRequires: fontconfig-devel -BuildRequires: glib-devel -Requires: pixman +BuildRequires: pkg-config +Requires: expat Requires: glib Requires: libpng -Requires: expat +Requires: pixman %description Cairo is a 2D graphics library with support for multiple output devices. 
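Review bot: The switch of `Source0` to `https://cairographics.org/snapshots/` is undocumented: 1.17.4 carries an odd minor number, which in cairo's versioning marks a development snapshot rather than a stable release, and the changelog entry in the later hunk only says "Fix source URL". State the intent where it is visible, e.g. `# 1.17.x is a development snapshot series; taken for the CVE-2020-35492 fix` above `Source0`. The commit also deletes `Patch0: CVE-2018-19876.patch` without the changelog saying the upstream fix is included in 1.17.4; a line such as `- Drop CVE-2018-19876.patch, fix is included upstream` lets a later reader verify the CVE is still covered rather than assume it was lost in the upgrade.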
@@ -49,13 +48,10 @@ make %{?_smp_mflags} %install make DESTDIR=%{buildroot} install -find %{buildroot} -name '*.la' -delete - -%post -/sbin/ldconfig +find %{buildroot} -type f -name "*.la" -delete -print -%postun -/sbin/ldconfig +%post -p /sbin/ldconfig +%postun -p /sbin/ldconfig %files %defattr(-,root,root) @@ -73,23 +69,35 @@ find %{buildroot} -name '*.la' -delete %{_libdir}/pkgconfig/*.pc %changelog +* Fri Apr 02 2021 Nicolas Ontiveros - 1.17.4-1 +- Upgrade to version 1.17.4, which resolves CVE-2020-35492. +- Fix source URL + * Mon Oct 26 2020 Nicolas Ontiveros 1.16.0-5 - Fix CVE-2018-19876 + * Sat May 09 2020 Nick Samson 1.16.0-4 - Added %%license line automatically + * Mon Apr 20 2020 Nicolas Ontiveros 1.16.0-3 - Rename freetype2-devel to freetype-devel. - Remove sha1 macro. + * Tue Sep 03 2019 Mateusz Malisz 1.16.0-2 - Initial CBL-Mariner import from Photon (license: Apache2). + * Thu Mar 14 2019 Michelle Wang 1.16.0-1 - Upgrade cairo to 1.16.0 for CVE-2018-18064 - CVE-2018-18064 is for version up to (including) 1.15.14 + * Tue Sep 11 2018 Dheeraj Shetty 1.14.12-1 - Update to version 1.14.12 + * Tue Oct 10 2017 Dheeraj Shetty 1.14.8-3 - Fix CVE-2017-9814 + * Tue Jun 06 2017 Chang Lee 1.14.8-2 - Remove %check + * Wed Apr 05 2017 Dheeraj Shetty 1.14.8-1 - Initial version diff --git a/SPECS/chrony/chrony.spec b/SPECS/chrony/chrony.spec index 185485756d0..ce0a4ad1525 100644 --- a/SPECS/chrony/chrony.spec +++ b/SPECS/chrony/chrony.spec @@ -4,7 +4,7 @@ Name: chrony Version: 3.5.1 -Release: 3%{?dist} +Release: 4%{?dist} Summary: An NTP client/server Vendor: Microsoft Corporation Distribution: Mariner @@ -30,7 +30,7 @@ BuildRequires: gnupg2 BuildRequires: libcap-devel BuildRequires: libedit-devel BuildRequires: libseccomp-devel -BuildRequires: nettle-devel +BuildRequires: nettle-devel >= 3.7.2 BuildRequires: systemd %if %{with_check} 
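Review bot: Raising `BuildRequires: nettle-devel >= 3.7.2` constrains only the build root; the changelog in the next hunk describes this as a rebuild against the new nettle, yet nothing in the spec ties the installed `chrony` to nettle 3.7.2 at runtime, and rpm's automatic soname dependency carries no version. If the goal is that chrony never runs against the older library, add `Requires: nettle >= 3.7.2`; if the fix is entirely inside the shared object, a rebuild is presumably not needed at all, and a comment above the BuildRequires line saying why the floor was raised would help the next maintainer decide.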
@@ -201,6 +201,9 @@ systemctl start chronyd.service %dir %attr(-,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Tue Apr 13 2021 Rachel Menge - 3.5.1-4 +- Bump release to rebuild with new nettle (3.7.2) + * Fri Jan 15 2021 Andrew Phelps - 3.5.1-3 - Add build requirements needed for check tests diff --git a/SPECS/clamav/clamav.signatures.json b/SPECS/clamav/clamav.signatures.json index 63fbbd12831..fa746df36a6 100644 --- a/SPECS/clamav/clamav.signatures.json +++ b/SPECS/clamav/clamav.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "clamav-0.103.0.tar.gz": "32a9745277bfdda80e77ac9ca2f5990897418e9416880f3c31553ca673e80546" + "clamav-0.103.2.tar.gz": "d4b5d0ac666262e423a326fb54778caa7c69624d6c3f9542895feb8478271bd2" } } \ No newline at end of file diff --git a/SPECS/clamav/clamav.spec b/SPECS/clamav/clamav.spec index f393317db4b..cea38b8d071 100644 --- a/SPECS/clamav/clamav.spec +++ b/SPECS/clamav/clamav.spec 
@@ -1,26 +1,24 @@ %{!?python2_sitelib: %global python2_sitelib %(python2 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")} %{!?python3_sitelib: %global python3_sitelib %(python3 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")} - Summary: Open source antivirus engine Name: clamav -Version: 0.103.0 +Version: 0.103.2 Release: 1%{?dist} -License: ASL 2.0 and BSD and bzip2-1.0.4 and GPLv2 and LGPLv2+ and MIT and Public Domain and UnRar -Group: System Environment/Security +License: ASL 2.0 AND BSD AND bzip2-1.0.4 AND GPLv2 AND LGPLv2+ AND MIT AND Public Domain AND UnRar Vendor: Microsoft Corporation Distribution: Mariner +Group: System Environment/Security URL: https://www.clamav.net Source0: %{url}/downloads/production/%{name}-%{version}.tar.gz - -BuildRequires: libtool -BuildRequires: zlib-devel -# Workaround for coreutils missing requirement flex +# Workaround for coreutils missing requirement flex BuildRequires: flex-devel +BuildRequires: libtool +BuildRequires: openssl-devel # Required to produce systemd files BuildRequires: systemd-devel -BuildRequires: openssl-devel -Requires: zlib +BuildRequires: zlib-devel Requires: openssl +Requires: zlib %description ClamAV® is an open source (GPL) anti-virus engine used in a variety of situations @@ -42,11 +40,8 @@ make install DESTDIR=%{buildroot} %check make %{?_smp_mflags} check -%post -/sbin/ldconfig - -%postun -/sbin/ldconfig +%post -p /sbin/ldconfig +%postun -p /sbin/ldconfig %files %defattr(-,root,root) 
@@ -64,16 +59,21 @@ make %{?_smp_mflags} check %{_mandir}/man5/* %{_mandir}/man8/* - %changelog -* Tue Oct 27 2020 Pawel Winogrodzki 0.103.0-1 +* Tue Apr 20 2021 Thomas Crain - 0.103.2-1 +- Updating to 0.103.2 to fix CVE-2021-1252, CVE-2021-1404, CVE-2021-1405 + +* Tue Oct 27 2020 Pawel Winogrodzki - 0.103.0-1 - Updating to 0.103.0 to fix: CVE-2019-12625, CVE-2019-15961. -* Mon Oct 19 2020 Pawel Winogrodzki 0.101.2-3 + +* Mon Oct 19 2020 Pawel Winogrodzki - 0.101.2-3 - License verified. - Added %%license macro. - Switching to using the %%configure macro. - Extended package's summary and description. -* Wed Oct 02 2019 Mateusz Malisz 0.101.2-2 + +* Wed Oct 02 2019 Mateusz Malisz - 0.101.2-2 - Fix vendor and distribution. Add systemd files to the list. -* Thu Jul 25 2019 Chad Zawistowski 0.101.2-1 + +* Thu Jul 25 2019 Chad Zawistowski - 0.101.2-1 - Initial CBL-Mariner import from Azure. diff --git a/SPECS/cloud-hypervisor/cloud-hypervisor.spec b/SPECS/cloud-hypervisor/cloud-hypervisor.spec index 455677e0a55..dd100a3f5d5 100644 --- a/SPECS/cloud-hypervisor/cloud-hypervisor.spec +++ b/SPECS/cloud-hypervisor/cloud-hypervisor.spec @@ -1,7 +1,7 @@ Summary: A Rust-VMM based cloud hypervisor from Intel Name: cloud-hypervisor Version: 0.6.0 -Release: 6%{?dist} +Release: 7%{?dist} License: ASL 2.0 or BSD URL: https://github.com/cloud-hypervisor/cloud-hypervisor Group: Development/Tools @@ -50,6 +50,9 @@ install -D -m755 target/release/vhost_user_net %{buildroot}%{_libdir}/cloud-hype %exclude %{_libdir}/debug %changelog +* Mon Apr 26 2021 Thomas Crain - 0.6.0-7 +- Bump release to rebuild with rust 1.47.0-3 (security update) + * Tue Apr 20 2021 Thomas Crain - 0.6.0-6 - Bump release to rebuild with rust 1.47.0-2 (security update) diff --git a/SPECS/cloud-utils-growpart/cloud-utils-growpart.spec b/SPECS/cloud-utils-growpart/cloud-utils-growpart.spec index f4670964998..1c65b1e6c0e 100644 --- a/SPECS/cloud-utils-growpart/cloud-utils-growpart.spec 
+++ b/SPECS/cloud-utils-growpart/cloud-utils-growpart.spec @@ -1,15 +1,16 @@ Summary: Shell script to auto detect free size on disk and grow partition. Name: cloud-utils-growpart Version: 0.32 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv3 -Group: System Environment -Source0: https://launchpad.net/cloud-utils/trunk/%{version}/+download/cloud-utils-%{version}.tar.gz -URL: https://launchpad.net/cloud-utils Vendor: Microsoft Corporation Distribution: Mariner -Requires: gptfdisk +Group: System Environment +URL: https://launchpad.net/cloud-utils +Source0: https://launchpad.net/cloud-utils/trunk/%{version}/+download/cloud-utils-%{version}.tar.gz +Patch0: growpart-remove-flock-disk-locking.patch Requires: gawk +Requires: gptfdisk Requires: util-linux BuildArch: noarch @@ -20,8 +21,10 @@ This is generally used by cloud-init for disk space manangement on cloud images. %prep %setup -q -n cloud-utils-%{version} +%patch0 -p1 %build + %install mkdir -p $RPM_BUILD_ROOT/%{_bindir} mkdir -p $RPM_BUILD_ROOT/%{_mandir}/man1 
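Review bot: `Patch0: growpart-remove-flock-disk-locking.patch` is added without a comment, while the patch header (in the new file later in this commit) says it disables `lock_disk` and reintroduces the pre-0.32 udev race window during partition resizing; the spec is where a maintainer looks first, so the trade-off and the removal condition belong next to the `Patch0:` line, e.g. `# Disables flock disk locking: 'udevadm settle' hangs with kernel 5.10 + systemd-239 (see patch header). Reintroduces the udev race; drop once systemd-udevd is fixed.` The changelog entry "Add patch to handle unexpected timeout" in the `@@ -34,18 +37,27 @@` hunk should likewise say that disk locking is now disabled.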
@@ -34,18 +37,27 @@ cp man/growpart.* $RPM_BUILD_ROOT/%{_mandir}/man1/ %doc %{_mandir}/man1/growpart.* %changelog -* Sat Mar 13 2021 Henry Beberman 0.32-1 -- Update to version 0.32 for more robust parsing of kernel version in growpart -* Sat May 09 2020 Nick Samson 0.30-6 -- Added %%license line automatically -* Tue May 05 2020 Emre Girgin 0.30-5 -- Renaming cloud-utils to cloud-utils-growpart -* Tue Sep 03 2019 Mateusz Malisz 0.30-4 -- Initial CBL-Mariner import from Photon (license: Apache2). -- License verified. -* Mon Sep 18 2017 Alexey Makhalov 0.30-3 -- Requires util-linux or toybox -* Tue Apr 25 2017 Priyesh Padmavilasom 0.30-2 -- Fix arch -* Wed Mar 29 2017 Kumar Kaushik 0.30-1 -- Initial build. First version +* Tue Apr 27 2021 Chris Co - 0.32-2 +- Add patch to handle unexpected timeout + +* Sat Mar 13 2021 Henry Beberman - 0.32-1 +- Update to version 0.32 for more robust parsing of kernel version in growpart + +* Sat May 09 2020 Nick Samson - 0.30-6 +- Added %%license line automatically + +* Tue May 05 2020 Emre Girgin - 0.30-5 +- Renaming cloud-utils to cloud-utils-growpart + +* Tue Sep 03 2019 Mateusz Malisz - 0.30-4 +- Initial CBL-Mariner import from Photon (license: Apache2). +- License verified. + +* Mon Sep 18 2017 Alexey Makhalov - 0.30-3 +- Requires util-linux or toybox + +* Tue Apr 25 2017 Priyesh Padmavilasom - 0.30-2 +- Fix arch + +* Wed Mar 29 2017 Kumar Kaushik - 0.30-1 +- Initial build. First version diff --git a/SPECS/cloud-utils-growpart/growpart-remove-flock-disk-locking.patch b/SPECS/cloud-utils-growpart/growpart-remove-flock-disk-locking.patch new file mode 100644 index 00000000000..9f5a2129bad --- /dev/null +++ b/SPECS/cloud-utils-growpart/growpart-remove-flock-disk-locking.patch 
@@ -0,0 +1,60 @@ +From 1baf9aed12e35e7c032499081ea1c9887e65626a Mon Sep 17 00:00:00 2001 +From: Chris Co +Date: Wed, 28 Apr 2021 05:58:02 +0000 +Subject: [PATCH] growpart: remove flock disk locking + +Regression identified when using flock disk locking with 5.10 kernel and +systemd-239. During unlock_disk_and_settle(), udevadm settle will not +complete and eventually timeout after 2 minutes. When looking at the +systemd-udevd logs, the daemon crashes and produces the following stack +trace: + + Stack trace of thread 1531: + #0 0x00007fd73d9be405 recvmsg (libpthread.so.0) + #1 0x00007fd73dab33b8 udev_monitor_receive_device (libsystemd-shared-239.so) + #2 0x0000600347316201 on_uevent (systemd-udevd) + #3 0x0000600347316667 on_inotify (systemd-udevd) + #4 0x00007fd73dbad6d7 source_dispatch (libsystemd-shared-239.so) + #5 0x00007fd73dbaf4e5 sd_event_dispatch (libsystemd-shared-239.so) + #6 0x00007fd73dbaf678 sd_event_run (libsystemd-shared-239.so) + #7 0x00007fd73dbaf89f sd_event_loop (libsystemd-shared-239.so) + #8 0x00006003473132df run (systemd-udevd) + #9 0x00007fd73d80e133 __libc_start_main (libc.so.6) + #10 0x0000600347313efe _start (systemd-udevd) + +The failing behavior appears to be directly linked to the "exec FD" +actions. A quick way to replicate this issue in the repro environment: + exec 9<>$disk + exec 9>&- + udevadm settle + +This patch comments out the initial lock_disk() call, which makes +unlock_disk_and_settle() return early because ${FLOCK_DISK_FD} is not +set to a valid FD, avoiding the file descriptor actions that lead to +the failing behavior. + +Note that this change does re-introduce the possibility of udev race +conditions during the disk operations, effectively reverting this +behavior to pre-0.32 behavior. 
+ +Signed-off-by: Chris Co +--- + bin/growpart | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/bin/growpart b/bin/growpart +index 994b258..90fa016 100755 +--- a/bin/growpart ++++ b/bin/growpart +@@ -954,7 +954,7 @@ get_resizer "$format" "$resizer" || + fail "failed to get a resizer for format '$format'" + resizer=$_RET + +-lock_disk $DISK ++#lock_disk $DISK + debug 1 "resizing $PART on $DISK using $resizer" + "$resizer" + ret=$? +-- +2.17.1 + diff --git a/SPECS/coredns/coredns-1.6.5.signatures.json b/SPECS/coredns/coredns-1.6.5.signatures.json deleted file mode 100644 index 246d31b1abe..00000000000 --- a/SPECS/coredns/coredns-1.6.5.signatures.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "Signatures": { - "coredns-1.6.5-vendor.tar.gz": "6ca4667a47e4169e36589c17df875918f8fd8458528001efcaa2b454e29e8af3", - "coredns-1.6.5.tar.gz": "df2e61a857eb7735258fd230e096e254596f18a89b5504dc2ac687798403343a" - } -} \ No newline at end of file diff --git a/SPECS/coredns/coredns-1.6.5.spec b/SPECS/coredns/coredns-1.6.5.spec deleted file mode 100644 index fd0a83043fe..00000000000 --- a/SPECS/coredns/coredns-1.6.5.spec +++ /dev/null 
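Review bot: The only code change, `#lock_disk $DISK`, leaves no explanation in `bin/growpart` itself; the reasoning lives solely in the patch header, which nobody reading the installed script will see. A why-comment on the disabled line, e.g. `# lock_disk disabled: udevadm settle hangs (systemd-udevd crash) with 5.10 kernel + systemd-239; see growpart-remove-flock-disk-locking.patch`, keeps the trade-off visible where it is applied. Since `unlock_disk_and_settle()` still runs and, per the header, returns early only because `${FLOCK_DISK_FD}` is unset, that coupling is worth naming in the same comment so a later change to the unlock path does not silently bring the hang back.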
@@ -1,55 +0,0 @@ -%global debug_package %{nil} - -Summary: Fast and flexible DNS server -Name: coredns -Version: 1.6.5 -Release: 1%{?dist} -License: Apache License 2.0 -Vendor: Microsoft Corporation -Distribution: Mariner -Group: System Environment/Libraries -URL: https://github.com/coredns/coredns -#Source0: https://github.com/coredns/coredns/archive/v%%{version}.tar.gz -Source0: %{name}-%{version}.tar.gz -# Below is a manually created tarball, no download link. -# We're using pre-populated Go modules from this tarball, since network is disabled during build time. -# How to re-build this file: -# 1. wget https://github.com/coredns/coredns/archive/v%%{version}.tar.gz -O %%{name}-%%{version}.tar.gz -# 2. tar -xf %%{name}-%%{version}.tar.gz -# 3. cd %%{name}-%%{version} -# 4. go mod vendor -# 5. tar -cf %%{name}-%%{version}-vendor.tar.gz vendor -Source1: %{name}-%{version}-vendor.tar.gz -Patch0: makefile-buildoption-commitnb-%{version}.patch - -BuildRequires: golang >= 1.12 - -%description -CoreDNS is a fast and flexible DNS server. - -%prep -%autosetup -p1 - -%build -# create vendor folder from the vendor tarball and set vendor mode -tar -xf %{SOURCE1} --no-same-owner -export BUILDOPTS="-mod=vendor -v" -# set commit number that correspond to the github tag for that version -export GITCOMMIT="c2fd1b2" -make - -%install -install -m 755 -d %{buildroot}%{_bindir} -install -p -m 755 -t %{buildroot}%{_bindir} %{name} - -%clean -rm -rf %{buildroot}/* - -%files -%defattr(-,root,root) -%license LICENSE -%{_bindir}/%{name} - -%changelog -* Wed Jan 20 2021 Nicolas Guibourge - 1.6.5-1 -- Original version for CBL-Mariner. diff --git a/SPECS/coredns/makefile-buildoption-commitnb-1.6.5.patch b/SPECS/coredns/makefile-buildoption-commitnb-1.6.5.patch deleted file mode 100644 index 1c742b0fb2a..00000000000 --- a/SPECS/coredns/makefile-buildoption-commitnb-1.6.5.patch +++ /dev/null 
@@ -1,15 +0,0 @@
-diff -ru coredns-1.6.5-original/Makefile coredns-1.6.5/Makefile
---- coredns-1.6.5-original/Makefile 2019-11-05 05:46:54.000000000 -0800
-+++ coredns-1.6.5/Makefile 2021-01-25 10:26:44.337497154 -0800
-@@ -1,9 +1,9 @@
- # Makefile for building CoreDNS
--GITCOMMIT:=$(shell git describe --dirty --always)
-+GITCOMMIT?=$(shell git describe --dirty --always)
- BINARY:=coredns
- SYSTEM:=
- CHECKS:=check
--BUILDOPTS:=-v
-+BUILDOPTS?=-v
- GOPATH?=$(HOME)/go
- PRESUBMIT:=core coremain plugin test request
- MAKEPWD:=$(dir $(realpath $(firstword $(MAKEFILE_LIST))))
diff --git a/SPECS/curl/curl.signatures.json b/SPECS/curl/curl.signatures.json
index 7e6c0cf23d1..4aee9bcecdb 100644
--- a/SPECS/curl/curl.signatures.json
+++ b/SPECS/curl/curl.signatures.json
@@ -1,5 +1,5 @@
 {
 "Signatures": {
- "curl-7.74.0.tar.gz": "e56b3921eeb7a2951959c02db0912b5fcd5fdba5aca071da819e1accf338bbd7"
+ "curl-7.76.0.tar.gz": "3b4378156ba09e224008e81dcce854b7ce4d182b1f9cfb97fe5ed9e9c18c6bd3"
 }
 }
\ No newline at end of file
diff --git a/SPECS/curl/curl.spec b/SPECS/curl/curl.spec
index 0469c97024d..f502cec793a 100644
--- a/SPECS/curl/curl.spec
+++ b/SPECS/curl/curl.spec
@@ -1,6 +1,6 @@
 Summary: An URL retrieval utility and library
 Name: curl
-Version: 7.74.0
+Version: 7.76.0
 Release: 1%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
@@ -8,22 +8,19 @@ Distribution: Mariner Group: System Environment/NetworkingLibraries URL: https://curl.haxx.se Source0: https://curl.haxx.se/download/%{name}-%{version}.tar.gz - BuildRequires: krb5-devel BuildRequires: libssh2-devel BuildRequires: openssl-devel - +Requires: curl-libs = %{version}-%{release} +Requires: krb5 +Requires: libssh2 +Requires: openssl %if %{with_check} BuildRequires: python3 BuildRequires: shadow-utils BuildRequires: sudo %endif -Requires: curl-libs = %{version}-%{release} -Requires: krb5 -Requires: libssh2 -Requires: openssl - %description The cURL package contains an utility and a library used for transferring files with URL syntax to any of the following @@ -81,6 +78,7 @@ sudo -u test make %{?_smp_mflags} check %clean rm -rf %{buildroot}/* + %files %defattr(-,root,root) %license COPYING @@ -100,6 +98,9 @@ rm -rf %{buildroot}/* %{_libdir}/libcurl.so.* %changelog +* Wed Mar 31 2021 Nicolas Ontiveros - 7.76.0-1 +- Upgrade to version 7.76.0 to fix CVE-2021-22876 and CVE-2021-22890. + * Tue Dec 22 2020 Pawel Winogrodzki - 7.74.0-1 - Updating to 7.74.0 to fix CVE-2020-8169 and incorporate fixes for other CVEs as well. - Updating source URL to an HTTPS address. diff --git a/SPECS/dnsmasq/dnsmasq.signatures.json b/SPECS/dnsmasq/dnsmasq.signatures.json index 6e091e9a674..ff25cec4ddd 100644 --- a/SPECS/dnsmasq/dnsmasq.signatures.json +++ b/SPECS/dnsmasq/dnsmasq.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "dnsmasq-2.84.tar.xz": "603195c64b73137609b07e1024ae0b37f652b2f5fe467dce66985b3d1850050c" + "dnsmasq-2.85.tar.xz": "ad98d3803df687e5b938080f3d25c628fe41c878752d03fbc6199787fee312fa" } } \ No newline at end of file diff --git a/SPECS/dnsmasq/dnsmasq.spec b/SPECS/dnsmasq/dnsmasq.spec index bc4d5a7069a..982b1349983 100644 --- a/SPECS/dnsmasq/dnsmasq.spec +++ b/SPECS/dnsmasq/dnsmasq.spec 
@@ -1,6 +1,6 @@
 Summary: DNS proxy with integrated DHCP server
 Name: dnsmasq
-Version: 2.84
+Version: 2.85
 Release: 1%{?dist}
 License: GPLv2 or GPLv3
 Group: System Environment/Daemons
@@ -69,46 +69,67 @@ rm -rf %{buildroot} %config /usr/share/dnsmasq/trust-anchors.conf %changelog -* Thu Jan 28 2021 Henry Li 2.84-1 -- Upgrade to version 2.84 -- Fix CVE-2020-25683, CVE-2020-25686, CVE-2020-25687 -- Remove Patch CVE-2019-14834 -- Use autosetup -* Thu Jun 18 2020 Pawel Winogrodzki 2.79-11 -- Removing runtime dependency on a specific kernel package. -* Thu Jun 11 2020 Christopher Co - 2.79-10 -- Remove KERNEL_VERSION macro from BuildRequires -* Thu May 21 2020 Ruying Chen - 2.79-9 -- Fix CVE-2019-14834 -* Sat May 09 00:21:16 PST 2020 Nick Samson - 2.79-8 -- Added %%license line automatically -* Thu Apr 30 2020 Emre Girgin 2.79-7 -- Renaming linux-api-headers to kernel-headers -* Tue Apr 28 2020 Emre Girgin 2.79-6 -- Renaming linux to kernel -* Thu Apr 09 2020 Pawel Winogrodzki 2.79-5 -- Fixed "Source0" tag. -- Removed "%%define sha1". -* Mon Mar 23 2020 Christopher Co 2.79-4 -- Remove KERNEL_RELEASE macro from required packages -* Wed Jan 08 2020 Christopher Co 2.79-3 -- Fix missing SIOCGSTAMP ioctl definition due to linux 5.2 header refactor -- Verified License -* Tue Sep 03 2019 Mateusz Malisz 2.79-2 -- Initial CBL-Mariner import from Photon (license: Apache2). 
-* Mon Sep 10 2018 Ajay Kaher 2.79-1 -- Upgrading to version 2.79 -* Tue Feb 13 2018 Xiaolin Li 2.76-5 -- Fix CVE-2017-15107 -* Mon Nov 13 2017 Vinay Kulkarni 2.76-4 -- Always restart dnsmasq service on exit -* Wed Oct 11 2017 Alexey Makhalov 2.76-3 -- Fix CVE-2017-13704 -* Wed Sep 27 2017 Alexey Makhalov 2.76-2 -- Fix CVE-2017-14491..CVE-2017-14496 -* Sun Nov 27 2016 Vinay Kulkarni 2.76-1 -- Upgrade to 2.76 to address CVE-2015-8899 -* Tue May 24 2016 Priyesh Padmavilasom 2.75-2 -- GA - Bump release of all rpms -* Mon Apr 18 2016 Xiaolin Li 2.75-1 -- Initial version +* Fri Apr 23 2021 Thomas Crain - 2.85-1 +- Upgrade to version 2.85 to fix CVE-2021-3348 + +* Thu Jan 28 2021 Henry Li - 2.84-1 +- Upgrade to version 2.84 +- Fix CVE-2020-25683, CVE-2020-25686, CVE-2020-25687 +- Remove Patch CVE-2019-14834 +- Use autosetup + +* Thu Jun 18 2020 Pawel Winogrodzki - 2.79-11 +- Removing runtime dependency on a specific kernel package. + +* Thu Jun 11 2020 Christopher Co - 2.79-10 +- Remove KERNEL_VERSION macro from BuildRequires + +* Thu May 21 2020 Ruying Chen - 2.79-9 +- Fix CVE-2019-14834 + +* Sat May 09 2020 Nick Samson - 2.79-8 +- Added %%license line automatically + +* Thu Apr 30 2020 Emre Girgin - 2.79-7 +- Renaming linux-api-headers to kernel-headers + +* Tue Apr 28 2020 Emre Girgin - 2.79-6 +- Renaming linux to kernel + +* Thu Apr 09 2020 Pawel Winogrodzki - 2.79-5 +- Fixed "Source0" tag. +- Removed "%%define sha1". + +* Mon Mar 23 2020 Christopher Co - 2.79-4 +- Remove KERNEL_RELEASE macro from required packages + +* Wed Jan 08 2020 Christopher Co - 2.79-3 +- Fix missing SIOCGSTAMP ioctl definition due to linux 5.2 header refactor +- Verified License + +* Tue Sep 03 2019 Mateusz Malisz - 2.79-2 +- Initial CBL-Mariner import from Photon (license: Apache2). 
+ +* Mon Sep 10 2018 Ajay Kaher - 2.79-1 +- Upgrading to version 2.79 + +* Tue Feb 13 2018 Xiaolin Li - 2.76-5 +- Fix CVE-2017-15107 + +* Mon Nov 13 2017 Vinay Kulkarni - 2.76-4 +- Always restart dnsmasq service on exit + +* Wed Oct 11 2017 Alexey Makhalov - 2.76-3 +- Fix CVE-2017-13704 + +* Wed Sep 27 2017 Alexey Makhalov - 2.76-2 +- Fix CVE-2017-14491..CVE-2017-14496 + +* Sun Nov 27 2016 Vinay Kulkarni - 2.76-1 +- Upgrade to 2.76 to address CVE-2015-8899 + +* Tue May 24 2016 Priyesh Padmavilasom - 2.75-2 +- GA - Bump release of all rpms + +* Mon Apr 18 2016 Xiaolin Li - 2.75-1 +- Initial version diff --git a/SPECS/git/git.signatures.json b/SPECS/git/git.signatures.json index 5641a61a80b..bbdd7fb1c48 100644 --- a/SPECS/git/git.signatures.json +++ b/SPECS/git/git.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "git-2.23.3.tar.xz": "f0784f0e679b2b162e6b7b40388305e27e9e232ad29f73c1d4cb53ac7d295822" + "git-2.23.4.tar.xz": "d008bf4461f7cf92405a67851456496e5e5f6c495064c1058d2de6a390d8bb60" } } \ No newline at end of file diff --git a/SPECS/git/git.spec b/SPECS/git/git.spec index 5b7ca0c2506..7667ede1cfd 100644 --- a/SPECS/git/git.spec +++ b/SPECS/git/git.spec @@ -1,7 +1,7 @@ Summary: Fast distributed version control system Name: git -Version: 2.23.3 -Release: 2%{?dist} +Version: 2.23.4 +Release: 1%{?dist} License: GPLv2 URL: https://git-scm.com/ Group: System Environment/Programming @@ -87,6 +87,8 @@ rm -rf %{buildroot}/* %defattr(-,root,root) %changelog +* Wed Apr 07 2021 Suresh Babu Chalamalasetty 2.23.4-1 +- Update to version 2.23.4 for CVE-2021-21300 fix. * Mon Oct 19 2020 Andrew Phelps 2.23.3-2 - Fix check test * Thu May 21 2020 Suresh Babu Chalamalasetty 2.23.3-1 diff --git a/SPECS/glib-networking/glib-networking.spec b/SPECS/glib-networking/glib-networking.spec index be68b48d355..412a4c27054 100644 --- a/SPECS/glib-networking/glib-networking.spec +++ b/SPECS/glib-networking/glib-networking.spec 
@@ -1,7 +1,7 @@ Summary: Glib networking modules Name: glib-networking Version: 2.59.1 -Release: 6%{?dist} +Release: 7%{?dist} License: GPLv2+ with exceptions URL: https://gitlab.gnome.org/GNOME/glib-networking/ Group: System Environment/Development @@ -11,7 +11,7 @@ Source0: http://ftp.gnome.org/pub/GNOME/sources/glib-networking/2.59/%{na Patch0: CVE-2020-13645.patch -BuildRequires: nettle-devel +BuildRequires: nettle-devel >= 3.7.2 BuildRequires: autogen-libopts-devel BuildRequires: libtasn1-devel BuildRequires: gnutls-devel @@ -23,7 +23,7 @@ BuildRequires: glib-schemas BuildRequires: meson BuildRequires: gnome-common BuildRequires: ninja-build -Requires: nettle +Requires: nettle >= 3.7.2 Requires: gnutls Requires: libtasn1 Requires: openssl @@ -72,6 +72,8 @@ ninja test %defattr(-,root,root) %changelog +* Tue Apr 13 2021 Rachel Menge - 2.59.1-7 +- Bump release to rebuild with new nettle (3.7.2) * Tue Aug 18 2020 Henry Beberman - 2.59.1-6 - Backport patch for CVE-2020-13645 * Sat May 09 00:20:40 PST 2020 Nick Samson - 2.59.1-5 diff --git a/SPECS/glib/CVE-2021-28153.patch b/SPECS/glib/CVE-2021-28153.patch new file mode 100644 index 00000000000..a13030b75d9 --- /dev/null +++ b/SPECS/glib/CVE-2021-28153.patch 
@@ -0,0 +1,611 @@ +From 84d7b850d76a46ba4a0cfeea5b4ecaa3a42e9b9e Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Wed, 24 Feb 2021 17:33:38 +0000 +Subject: [PATCH 1/6] glocalfileoutputstream: Fix a typo in a comment + +Signed-off-by: Philip Withnall +(cherry picked from commit 78420a75aeb70569a8cd79fa0fea7b786b6f785f) +--- + gio/glocalfileoutputstream.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gio/glocalfileoutputstream.c b/gio/glocalfileoutputstream.c +index 57d2d5dfe..8a68be3de 100644 +--- a/gio/glocalfileoutputstream.c ++++ b/gio/glocalfileoutputstream.c +@@ -755,7 +755,7 @@ handle_overwrite_open (const char *filename, + mode = mode_from_flags_or_info (flags, reference_info); + + /* We only need read access to the original file if we are creating a backup. +- * We also add O_CREATE to avoid a race if the file was just removed */ ++ * We also add O_CREAT to avoid a race if the file was just removed */ + if (create_backup || readable) + open_flags = O_RDWR | O_CREAT | O_BINARY; + else +-- +GitLab + + +From 42020509ac9f0a13ced21871c7f5762f65bc142d Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Wed, 24 Feb 2021 17:34:32 +0000 +Subject: [PATCH 2/6] tests: Stop using g_test_bug_base() in file tests +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Since a following commit is going to add a new test which references +Gitlab, so it’s best to move the URI bases inside the test cases. + +Backported to GLib 2.58 by Simon McVittie. 
+ +Signed-off-by: Philip Withnall +(cherry-picked from commit 32d3d02a50e7dcec5f4cf7908e7ac88d575d8fc5) +[GLib 2.58.x did not allow g_test_bug() without g_test_bug_base(), +so use an empty string as the base] +Signed-off-by: Simon McVittie +--- + gio/tests/file.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/gio/tests/file.c b/gio/tests/file.c +index d2f147419..9c2af641f 100644 +--- a/gio/tests/file.c ++++ b/gio/tests/file.c +@@ -679,7 +679,7 @@ test_replace_cancel (void) + guint count; + GError *error = NULL; + +- g_test_bug ("629301"); ++ g_test_bug ("https://bugzilla.gnome.org/629301"); + + path = g_dir_make_tmp ("g_file_replace_cancel_XXXXXX", &error); + g_assert_no_error (error); +@@ -1167,7 +1167,7 @@ main (int argc, char *argv[]) + { + g_test_init (&argc, &argv, NULL); + +- g_test_bug_base ("http://bugzilla.gnome.org/"); ++ g_test_bug_base (""); + + g_test_add_func ("/file/basic", test_basic); + g_test_add_func ("/file/build-filename", test_build_filename); +-- +GitLab + + +From b38fca2149a086b64198dd5b8ffe12209c513ad0 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Wed, 10 Mar 2021 16:05:55 +0000 +Subject: [PATCH 3/6] glocalfileoutputstream: Factor out a flag check + +This clarifies the code a little. It introduces no functional changes. 
+ +Signed-off-by: Philip Withnall +(cherry picked from commit ce0eb088a68171eed3ac217cb92a72e36eb57d1b) +--- + gio/glocalfileoutputstream.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/gio/glocalfileoutputstream.c b/gio/glocalfileoutputstream.c +index 8a68be3de..8e0e793ff 100644 +--- a/gio/glocalfileoutputstream.c ++++ b/gio/glocalfileoutputstream.c +@@ -751,6 +751,7 @@ handle_overwrite_open (const char *filename, + int res; + int mode; + int errsv; ++ gboolean replace_destination_set = (flags & G_FILE_CREATE_REPLACE_DESTINATION); + + mode = mode_from_flags_or_info (flags, reference_info); + +@@ -858,7 +859,7 @@ handle_overwrite_open (const char *filename, + * to a backup file and rewrite the contents of the file. + */ + +- if ((flags & G_FILE_CREATE_REPLACE_DESTINATION) || ++ if (replace_destination_set || + (!(original_stat.st_nlink > 1) && !is_symlink)) + { + char *dirname, *tmp_filename; +@@ -877,7 +878,7 @@ handle_overwrite_open (const char *filename, + + /* try to keep permissions (unless replacing) */ + +- if ( ! (flags & G_FILE_CREATE_REPLACE_DESTINATION) && ++ if (!replace_destination_set && + ( + #ifdef HAVE_FCHOWN + fchown (tmpfd, original_stat.st_uid, original_stat.st_gid) == -1 || +@@ -1016,7 +1017,7 @@ handle_overwrite_open (const char *filename, + } + } + +- if (flags & G_FILE_CREATE_REPLACE_DESTINATION) ++ if (replace_destination_set) + { + g_close (fd, NULL); + +-- +GitLab + + +From 4e64a27f4f170860ddcf835ca6858bda09911a23 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Wed, 24 Feb 2021 17:36:07 +0000 +Subject: [PATCH 4/6] glocalfileoutputstream: Fix CREATE_REPLACE_DESTINATION + with symlinks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The `G_FILE_CREATE_REPLACE_DESTINATION` flag is equivalent to unlinking +the destination file and re-creating it from scratch. That did +previously work, but in the process the code would call `open(O_CREAT)` +on the file. 
If the file was a dangling symlink, this would create the +destination file (empty). That’s not an intended side-effect, and has +security implications if the symlink is controlled by a lower-privileged +process. + +Fix that by not opening the destination file if it’s a symlink, and +adjusting the rest of the code to cope with + - the fact that `fd == -1` is not an error iff `is_symlink` is true, + - and that `original_stat` will contain the `lstat()` results for the + symlink now, rather than the `stat()` results for its target (again, + iff `is_symlink` is true). + +This means that the target of the dangling symlink is no longer created, +which was the bug. The symlink itself continues to be replaced (as +before) with the new file — this is the intended behaviour of +`g_file_replace()`. + +The behaviour for non-symlink cases, or cases where the symlink was not +dangling, should be unchanged. + +Includes a unit test. + +Resolves CVE-2021-28153 (glib#2325). Backported to GLib 2.58 by +Simon McVittie. + +Signed-off-by: Philip Withnall +(cherry-picked from commit 317b3b587058a05dca95d56dac26568c5b098d33) +[Backport to 2.58.x: replace g_local_file_fstat with fstat] +[Backport to 2.58.x: replace g_local_file_lstat with lstat] +[Backport to 2.58.x: replace _g_stat_mode with direct access to st_mode] +[Backport to 2.58.x: don't call g_test_summary()] +Signed-off-by: Simon McVittie +--- + gio/glocalfileoutputstream.c | 49 +++++++++++----- + gio/tests/file.c | 107 +++++++++++++++++++++++++++++++++++ + 2 files changed, 142 insertions(+), 14 deletions(-) + +diff --git a/gio/glocalfileoutputstream.c b/gio/glocalfileoutputstream.c +index 8e0e793ff..2be51ae12 100644 +--- a/gio/glocalfileoutputstream.c ++++ b/gio/glocalfileoutputstream.c +@@ -779,16 +779,22 @@ handle_overwrite_open (const char *filename, + /* Could be a symlink, or it could be a regular ELOOP error, + * but then the next open will fail too. 
*/ + is_symlink = TRUE; +- fd = g_open (filename, open_flags, mode); ++ if (!replace_destination_set) ++ fd = g_open (filename, open_flags, mode); + } +-#else +- fd = g_open (filename, open_flags, mode); +- errsv = errno; ++#else /* if !O_NOFOLLOW */ + /* This is racy, but we do it as soon as possible to minimize the race */ + is_symlink = g_file_test (filename, G_FILE_TEST_IS_SYMLINK); ++ ++ if (!is_symlink || !replace_destination_set) ++ { ++ fd = g_open (filename, open_flags, mode); ++ errsv = errno; ++ } + #endif + +- if (fd == -1) ++ if (fd == -1 && ++ (!is_symlink || !replace_destination_set)) + { + char *display_name = g_filename_display_name (filename); + g_set_error (error, G_IO_ERROR, +@@ -802,7 +808,10 @@ handle_overwrite_open (const char *filename, + #ifdef G_OS_WIN32 + res = GLIB_PRIVATE_CALL (g_win32_fstat) (fd, &original_stat); + #else +- res = fstat (fd, &original_stat); ++ if (!is_symlink) ++ res = fstat (fd, &original_stat); ++ else ++ res = lstat (filename, &original_stat); + #endif + errsv = errno; + +@@ -821,16 +830,27 @@ handle_overwrite_open (const char *filename, + if (!S_ISREG (original_stat.st_mode)) + { + if (S_ISDIR (original_stat.st_mode)) +- g_set_error_literal (error, +- G_IO_ERROR, +- G_IO_ERROR_IS_DIRECTORY, +- _("Target file is a directory")); +- else +- g_set_error_literal (error, ++ { ++ g_set_error_literal (error, ++ G_IO_ERROR, ++ G_IO_ERROR_IS_DIRECTORY, ++ _("Target file is a directory")); ++ goto err_out; ++ } ++ else if (!is_symlink || ++#ifdef S_ISLNK ++ !S_ISLNK (original_stat.st_mode) ++#else ++ FALSE ++#endif ++ ) ++ { ++ g_set_error_literal (error, + G_IO_ERROR, + G_IO_ERROR_NOT_REGULAR_FILE, + _("Target file is not a regular file")); +- goto err_out; ++ goto err_out; ++ } + } + + if (etag != NULL) +@@ -911,7 +931,8 @@ handle_overwrite_open (const char *filename, + } + } + +- g_close (fd, NULL); ++ if (fd >= 0) ++ g_close (fd, NULL); + *temp_filename = tmp_filename; + return tmpfd; + } +diff --git a/gio/tests/file.c 
b/gio/tests/file.c +index 9c2af641f..1bdbe19b4 100644 +--- a/gio/tests/file.c ++++ b/gio/tests/file.c +@@ -787,6 +787,112 @@ test_replace_cancel (void) + g_object_unref (tmpdir); + } + ++static void ++test_replace_symlink (void) ++{ ++#ifdef G_OS_UNIX ++ gchar *tmpdir_path = NULL; ++ GFile *tmpdir = NULL, *source_file = NULL, *target_file = NULL; ++ GFileOutputStream *stream = NULL; ++ const gchar *new_contents = "this is a test message which should be written to source and not target"; ++ gsize n_written; ++ GFileEnumerator *enumerator = NULL; ++ GFileInfo *info = NULL; ++ gchar *contents = NULL; ++ gsize length = 0; ++ GError *local_error = NULL; ++ ++ g_test_bug ("https://gitlab.gnome.org/GNOME/glib/-/issues/2325"); ++ ++ /* Create a fresh, empty working directory. */ ++ tmpdir_path = g_dir_make_tmp ("g_file_replace_symlink_XXXXXX", &local_error); ++ g_assert_no_error (local_error); ++ tmpdir = g_file_new_for_path (tmpdir_path); ++ ++ g_test_message ("Using temporary directory %s", tmpdir_path); ++ g_free (tmpdir_path); ++ ++ /* Create symlink `source` which points to `target`. 
*/ ++ source_file = g_file_get_child (tmpdir, "source"); ++ target_file = g_file_get_child (tmpdir, "target"); ++ g_file_make_symbolic_link (source_file, "target", NULL, &local_error); ++ g_assert_no_error (local_error); ++ ++ /* Ensure that `target` doesn’t exist */ ++ g_assert_false (g_file_query_exists (target_file, NULL)); ++ ++ /* Replace the `source` symlink with a regular file using ++ * %G_FILE_CREATE_REPLACE_DESTINATION, which should replace it *without* ++ * following the symlink */ ++ stream = g_file_replace (source_file, NULL, FALSE /* no backup */, ++ G_FILE_CREATE_REPLACE_DESTINATION, NULL, &local_error); ++ g_assert_no_error (local_error); ++ ++ g_output_stream_write_all (G_OUTPUT_STREAM (stream), new_contents, strlen (new_contents), ++ &n_written, NULL, &local_error); ++ g_assert_no_error (local_error); ++ g_assert_cmpint (n_written, ==, strlen (new_contents)); ++ ++ g_output_stream_close (G_OUTPUT_STREAM (stream), NULL, &local_error); ++ g_assert_no_error (local_error); ++ ++ g_clear_object (&stream); ++ ++ /* At this point, there should still only be one file: `source`. It should ++ * now be a regular file. `target` should not exist. 
*/ ++ enumerator = g_file_enumerate_children (tmpdir, ++ G_FILE_ATTRIBUTE_STANDARD_NAME "," ++ G_FILE_ATTRIBUTE_STANDARD_TYPE, ++ G_FILE_QUERY_INFO_NOFOLLOW_SYMLINKS, NULL, &local_error); ++ g_assert_no_error (local_error); ++ ++ info = g_file_enumerator_next_file (enumerator, NULL, &local_error); ++ g_assert_no_error (local_error); ++ g_assert_nonnull (info); ++ ++ g_assert_cmpstr (g_file_info_get_name (info), ==, "source"); ++ g_assert_cmpint (g_file_info_get_file_type (info), ==, G_FILE_TYPE_REGULAR); ++ ++ g_clear_object (&info); ++ ++ info = g_file_enumerator_next_file (enumerator, NULL, &local_error); ++ g_assert_no_error (local_error); ++ g_assert_null (info); ++ ++ g_file_enumerator_close (enumerator, NULL, &local_error); ++ g_assert_no_error (local_error); ++ g_clear_object (&enumerator); ++ ++ /* Double-check that `target` doesn’t exist */ ++ g_assert_false (g_file_query_exists (target_file, NULL)); ++ ++ /* Check the content of `source`. */ ++ g_file_load_contents (source_file, ++ NULL, ++ &contents, ++ &length, ++ NULL, ++ &local_error); ++ g_assert_no_error (local_error); ++ g_assert_cmpstr (contents, ==, new_contents); ++ g_assert_cmpuint (length, ==, strlen (new_contents)); ++ g_free (contents); ++ ++ /* Tidy up. 
*/ ++ g_file_delete (source_file, NULL, &local_error); ++ g_assert_no_error (local_error); ++ ++ g_file_delete (tmpdir, NULL, &local_error); ++ g_assert_no_error (local_error); ++ ++ g_clear_object (&target_file); ++ g_clear_object (&source_file); ++ g_clear_object (&tmpdir); ++#else /* if !G_OS_UNIX */ ++ g_test_skip ("Symlink replacement tests can only be run on Unix") ++#endif ++} ++ + static void + on_file_deleted (GObject *object, + GAsyncResult *result, +@@ -1182,6 +1288,7 @@ main (int argc, char *argv[]) + g_test_add_data_func ("/file/async-create-delete/4096", GINT_TO_POINTER (4096), test_create_delete); + g_test_add_func ("/file/replace-load", test_replace_load); + g_test_add_func ("/file/replace-cancel", test_replace_cancel); ++ g_test_add_func ("/file/replace-symlink", test_replace_symlink); + g_test_add_func ("/file/async-delete", test_async_delete); + #ifdef G_OS_UNIX + g_test_add_func ("/file/copy-preserve-mode", test_copy_preserve_mode); +-- +GitLab + + +From 7bfe2dcebe59517e5d31c63b881c4227029a2fc4 Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Wed, 24 Feb 2021 17:42:24 +0000 +Subject: [PATCH 5/6] glocalfileoutputstream: Add a missing O_CLOEXEC flag to + replace() + +Signed-off-by: Philip Withnall +(cherry picked from commit 6c6439261bc7a8a0627519848a7222b3e1bd4ffe) +--- + gio/glocalfileoutputstream.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/gio/glocalfileoutputstream.c b/gio/glocalfileoutputstream.c +index 2be51ae12..fff2439b9 100644 +--- a/gio/glocalfileoutputstream.c ++++ b/gio/glocalfileoutputstream.c +@@ -56,6 +56,12 @@ + #define O_BINARY 0 + #endif + ++#ifndef O_CLOEXEC ++#define O_CLOEXEC 0 ++#else ++#define HAVE_O_CLOEXEC 1 ++#endif ++ + struct _GLocalFileOutputStreamPrivate { + char *tmp_filename; + char *original_filename; +@@ -1123,7 +1129,7 @@ _g_local_file_output_stream_replace (const char *filename, + sync_on_close = FALSE; + + /* If the file doesn't exist, create it */ +- 
open_flags = O_CREAT | O_EXCL | O_BINARY; ++ open_flags = O_CREAT | O_EXCL | O_BINARY | O_CLOEXEC; + if (readable) + open_flags |= O_RDWR; + else +@@ -1153,8 +1159,11 @@ _g_local_file_output_stream_replace (const char *filename, + set_error_from_open_errno (filename, error); + return NULL; + } +- +- ++#if !defined(HAVE_O_CLOEXEC) && defined(F_SETFD) ++ else ++ fcntl (fd, F_SETFD, FD_CLOEXEC); ++#endif ++ + stream = g_object_new (G_TYPE_LOCAL_FILE_OUTPUT_STREAM, NULL); + stream->priv->fd = fd; + stream->priv->sync_on_close = sync_on_close; +-- +GitLab + + +From af39d83fc71408bca50f2cb3739099f36139281b Mon Sep 17 00:00:00 2001 +From: Philip Withnall +Date: Tue, 16 Mar 2021 11:36:27 +0000 +Subject: [PATCH 6/6] glocalfileoutputstream: Tidy up error handling + +After the recent reworking of this code it was possible for `g_close()` +to be called on `fd == -1`, which is invalid. It would have reported an +error, were errors not ignored. So it was harmless, but still best to +fix. + +Simplify the error handling by combining both error labels and checking +the state of `fd` dynamically. 
+ +Coverity CID: #1450834 + +Signed-off-by: Philip Withnall +(cherry picked from commit c4b4fecaef5fa6eac63569513511ba6f8674548a) +--- + gio/glocalfileoutputstream.c | 33 +++++++++++++++++---------------- + 1 file changed, 17 insertions(+), 16 deletions(-) + +diff --git a/gio/glocalfileoutputstream.c b/gio/glocalfileoutputstream.c +index fff2439b9..8d7eadd95 100644 +--- a/gio/glocalfileoutputstream.c ++++ b/gio/glocalfileoutputstream.c +@@ -829,7 +829,7 @@ handle_overwrite_open (const char *filename, + _("Error when getting information for file “%s”: %s"), + display_name, g_strerror (errsv)); + g_free (display_name); +- goto err_out; ++ goto error; + } + + /* not a regular file */ +@@ -841,7 +841,7 @@ handle_overwrite_open (const char *filename, + G_IO_ERROR, + G_IO_ERROR_IS_DIRECTORY, + _("Target file is a directory")); +- goto err_out; ++ goto error; + } + else if (!is_symlink || + #ifdef S_ISLNK +@@ -855,7 +855,7 @@ handle_overwrite_open (const char *filename, + G_IO_ERROR, + G_IO_ERROR_NOT_REGULAR_FILE, + _("Target file is not a regular file")); +- goto err_out; ++ goto error; + } + } + +@@ -869,7 +869,7 @@ handle_overwrite_open (const char *filename, + G_IO_ERROR_WRONG_ETAG, + _("The file was externally modified")); + g_free (current_etag); +- goto err_out; ++ goto error; + } + g_free (current_etag); + } +@@ -962,7 +962,7 @@ handle_overwrite_open (const char *filename, + G_IO_ERROR_CANT_CREATE_BACKUP, + _("Backup file creation failed")); + g_free (backup_filename); +- goto err_out; ++ goto error; + } + + bfd = g_open (backup_filename, +@@ -976,7 +976,7 @@ handle_overwrite_open (const char *filename, + G_IO_ERROR_CANT_CREATE_BACKUP, + _("Backup file creation failed")); + g_free (backup_filename); +- goto err_out; ++ goto error; + } + + /* If needed, Try to set the group of the backup same as the +@@ -993,7 +993,7 @@ handle_overwrite_open (const char *filename, + g_unlink (backup_filename); + g_close (bfd, NULL); + g_free (backup_filename); +- goto err_out; ++ 
goto error; + } + + if ((original_stat.st_gid != tmp_statbuf.st_gid) && +@@ -1010,7 +1010,7 @@ handle_overwrite_open (const char *filename, + g_unlink (backup_filename); + g_close (bfd, NULL); + g_free (backup_filename); +- goto err_out; ++ goto error; + } + } + #endif +@@ -1025,7 +1025,7 @@ handle_overwrite_open (const char *filename, + g_close (bfd, NULL); + g_free (backup_filename); + +- goto err_out; ++ goto error; + } + + g_close (bfd, NULL); +@@ -1040,7 +1040,7 @@ handle_overwrite_open (const char *filename, + g_io_error_from_errno (errsv), + _("Error seeking in file: %s"), + g_strerror (errsv)); +- goto err_out; ++ goto error; + } + } + +@@ -1056,7 +1056,7 @@ handle_overwrite_open (const char *filename, + g_io_error_from_errno (errsv), + _("Error removing old file: %s"), + g_strerror (errsv)); +- goto err_out2; ++ goto error; + } + + if (readable) +@@ -1073,7 +1073,7 @@ handle_overwrite_open (const char *filename, + _("Error opening file “%s”: %s"), + display_name, g_strerror (errsv)); + g_free (display_name); +- goto err_out2; ++ goto error; + } + } + else +@@ -1091,15 +1091,16 @@ handle_overwrite_open (const char *filename, + g_io_error_from_errno (errsv), + _("Error truncating file: %s"), + g_strerror (errsv)); +- goto err_out; ++ goto error; + } + } + + return fd; + +- err_out: +- g_close (fd, NULL); +- err_out2: ++error: ++ if (fd >= 0) ++ g_close (fd, NULL); ++ + return -1; + } + +-- +GitLab diff --git a/SPECS/glib/glib.spec b/SPECS/glib/glib.spec index 9b6bc0249d4..45a49f503a2 100644 --- a/SPECS/glib/glib.spec +++ b/SPECS/glib/glib.spec @@ -1,7 +1,7 @@ Summary: Low-level libraries useful for providing data structure handling for C. Name: glib Version: 2.58.0 -Release: 8%{?dist} +Release: 9%{?dist} License: LGPLv2+ Vendor: Microsoft Corporation Distribution: Mariner 
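Review bot: In the `#else /* if !G_OS_UNIX */` branch of the new `test_replace_symlink` in gio/tests/file.c (PATCH 4/6), `g_test_skip ("Symlink replacement tests can only be run on Unix")` has no terminating semicolon, so the test program would not compile on a non-Unix target. That branch is never built for this Linux-only distribution, so it is harmless here, but it is a defect carried verbatim from the upstream backport and is a one-character fix: `g_test_skip ("Symlink replacement tests can only be run on Unix");`. If the patch is kept byte-identical to upstream on purpose, a short line in the spec changelog saying so would stop the next maintainer from re-reporting it.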
@@ -14,6 +14,7 @@ Patch2: CVE-2020-35457.patch # CVE-2021-27218 and CVE-2021-27219 are both solved by the patch for the first Patch3: CVE-2021-27218.patch Patch4: CVE-2021-27219.nopatch +Patch5: CVE-2021-28153.patch BuildRequires: cmake BuildRequires: libffi-devel BuildRequires: pcre-devel @@ -99,6 +100,9 @@ make DESTDIR=%{buildroot} install %{_datadir}/glib-2.0/schemas/* %changelog +* Mon Mar 29 2021 Nicolas Ontiveros - 2.58.0-9 +- Added patch for CVE-2021-28153 + * Mon Mar 01 2021 Thomas Crain - 2.58.0-8 - Added patch for CVE-2021-27218, CVE-2021-27219 diff --git a/SPECS/glibc/CVE-2020-27618.patch b/SPECS/glibc/CVE-2020-27618.patch new file mode 100644 index 00000000000..adabe4766a7 --- /dev/null +++ b/SPECS/glibc/CVE-2020-27618.patch 
@@ -0,0 +1,56 @@ +From 9a99c682144bdbd40792ebf822fe9264e0376fb5 Mon Sep 17 00:00:00 2001 +From: Arjun Shankar +Date: Wed, 4 Nov 2020 12:19:38 +0100 +Subject: [PATCH] iconv: Accept redundant shift sequences in IBM1364 [BZ + #26224] + +The IBM1364, IBM1371, IBM1388, IBM1390 and IBM1399 character sets +share converter logic (iconvdata/ibm1364.c) which would reject +redundant shift sequences when processing input in these character +sets. This led to a hang in the iconv program (CVE-2020-27618). + +This commit adjusts the converter to ignore redundant shift sequences +and adds test cases for iconv_prog hangs that would be triggered upon +their rejection. This brings the implementation in line with other +converters that also ignore redundant shift sequences (e.g. IBM930 +etc., fixed in commit 692de4b3960d). + +Reviewed-by: Carlos O'Donell +--- + iconvdata/ibm1364.c | 14 ++------------ + 1 file changed, 2 insertions(+), 12 deletions(-) + +diff --git a/iconvdata/ibm1364.c b/iconvdata/ibm1364.c +index 49e7267ab4..521f0825b7 100644 +--- a/iconvdata/ibm1364.c ++++ b/iconvdata/ibm1364.c +@@ -158,24 +158,14 @@ enum + \ + if (__builtin_expect (ch, 0) == SO) \ + { \ +- /* Shift OUT, change to DBCS converter. */ \ +- if (curcs == db) \ +- { \ +- result = __GCONV_ILLEGAL_INPUT; \ +- break; \ +- } \ ++ /* Shift OUT, change to DBCS converter (redundant escape okay). */ \ + curcs = db; \ + ++inptr; \ + continue; \ + } \ + if (__builtin_expect (ch, 0) == SI) \ + { \ +- /* Shift IN, change to SBCS converter. */ \ +- if (curcs == sb) \ +- { \ +- result = __GCONV_ILLEGAL_INPUT; \ +- break; \ +- } \ ++ /* Shift IN, change to SBCS converter (redundant escape okay). */ \ + curcs = sb; \ + ++inptr; \ + continue; \ +-- +2.27.0 + diff --git a/SPECS/glibc/glibc.spec b/SPECS/glibc/glibc.spec index 6d2200ee538..d7705831809 100644 --- a/SPECS/glibc/glibc.spec +++ b/SPECS/glibc/glibc.spec 
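Review bot: The patch header says the upstream commit "adds test cases for iconv_prog hangs", but the diffstat carried here lists only `iconvdata/ibm1364.c` (2 insertions, 12 deletions), so the tests were dropped in this backport and `%check` will not exercise the new redundant-shift handling. If the tests were omitted deliberately (for example because the 2.28 test harness lacks what they need), say so in the patch header or the spec changelog so a later reader does not assume coverage exists; otherwise consider carrying the upstream test additions alongside the converter change. The spec hunk registering this file as `Patch16` is in a separate file section.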
@@ -6,7 +6,7 @@ Summary: Main C library Name: glibc Version: 2.28 -Release: 17%{?dist} +Release: 18%{?dist} License: LGPLv2+ Vendor: Microsoft Corporation Distribution: Mariner @@ -37,6 +37,7 @@ Patch12: CVE-2019-7309.patch Patch13: CVE-2019-19126.patch Patch14: CVE-2019-25013.patch Patch15: CVE-2021-3326.patch +Patch16: CVE-2020-27618.patch Requires: filesystem Provides: rtld(GNU_HASH) Provides: /sbin/ldconfig @@ -308,6 +309,9 @@ grep "^FAIL: nptl/tst-eintr1" tests.sum >/dev/null && n=$((n+1)) ||: %defattr(-,root,root) %changelog +* Mon Mar 22 2021 Nick Samson - 2.28-18 +- Patch CVE-2020-27618 + * Tue Feb 09 2021 Thomas Crain - 2.28-17 - Patch CVE-2021-3326 diff --git a/SPECS/gnutls/gnutls.spec b/SPECS/gnutls/gnutls.spec index c220fdf39e2..c82e9cbc15f 100644 --- a/SPECS/gnutls/gnutls.spec +++ b/SPECS/gnutls/gnutls.spec @@ -1,7 +1,7 @@ Summary: The GnuTLS Transport Layer Security Library Name: gnutls Version: 3.6.14 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv3+ and LGPLv2+ URL: https://www.gnutls.org Source0: ftp://ftp.gnutls.org/gcrypt/gnutls/v3.6/%{name}-%{version}.tar.xz @@ -9,7 +9,7 @@ Group: System Environment/Libraries Vendor: Microsoft Corporation Distribution: Mariner -BuildRequires: nettle-devel +BuildRequires: nettle-devel >= 3.7.2 BuildRequires: autogen-libopts-devel BuildRequires: libtasn1-devel BuildRequires: openssl-devel @@ -20,7 +20,7 @@ BuildRequires: net-tools BuildRequires: which %endif -Requires: nettle +Requires: nettle >= 3.7.2 Requires: autogen-libopts Requires: libtasn1 Requires: openssl @@ -102,6 +102,8 @@ make %{?_smp_mflags} check %{_mandir}/man3/* %changelog +* Tue Apr 13 2021 Rachel Menge - 3.6.14-6 +- Bump release to rebuild with new nettle (3.7.2) * Mon Mar 22 2021 Mateusz Malisz 3.6.14-5 - Apply patch for CVE-2021-20231 and CVE-2021-20231 from upstream. * Tue Jan 26 2021 Andrew Phelps 3.6.14-4 diff --git a/SPECS/grpc/grpc.spec b/SPECS/grpc/grpc.spec index 6054a1a3e97..173953f7236 100644 --- a/SPECS/grpc/grpc.spec 
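Review bot: `Patch16: CVE-2020-27618.patch` is added to the patch list, but the hunks in glibc.spec jump from the Patch list at line 37 straight to the changelog at line 308 with no %prep change, so the patch is only applied if %prep already uses %autosetup (or an equivalent loop) rather than explicit %patchN lines. rpmbuild will not complain about a PatchN that is never applied, so please confirm from the build log or the applied-patch output that CVE-2020-27618.patch actually lands; if %prep is explicit, add `%patch16 -p1` after `%patch15`. The Release bump to 18 and the changelog entry are consistent with each other.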
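Review bot: The new changelog entry `* Tue Apr 13 2021 Rachel Menge - 3.6.14-6` is not followed by the blank line that separates every other entry in this changelog, and it does not say what the new nettle fixes; a rebuild-for-dependency entry should name the reason so the versioned `Requires: nettle >= 3.7.2` can be audited later, e.g. `- Bump release to rebuild against nettle 3.7.2 (security fix in nettle; see nettle changelog)`. The versioned `Requires:` itself is appropriate even though rpm generates soname dependencies automatically, because a soname-only dependency would be satisfied by any nettle with the same soname, including the pre-fix one. The adjacent 3.6.14-5 entry lists `CVE-2021-20231 and CVE-2021-20231`, the same ID twice, presumably a typo for a second CVE; worth correcting while this block is being touched.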
+++ b/SPECS/grpc/grpc.spec @@ -1,7 +1,7 @@ Summary: Open source remote procedure call (RPC) framework Name: grpc Version: 1.35.0 -Release: 2%{?dist} +Release: 3%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -18,6 +18,7 @@ Source0: %{name}-%{version}.tar.gz # sudo mv grpc grpc-%{version} # sudo tar -cvf grpc-%{version}.tar.gz grpc-%{version}/ BuildRequires: git +BuildRequires: c-ares-devel BuildRequires: cmake BuildRequires: gcc BuildRequires: zlib-devel @@ -25,6 +26,7 @@ BuildRequires: openssl-devel Requires: zlib Requires: openssl +Requires: c-ares %description gRPC is a modern, open source, high-performance remote procedure call (RPC) framework that can run anywhere. It enables client and server applications to communicate transparently, and simplifies the building of connected systems. @@ -56,7 +58,8 @@ cmake ../.. -DgRPC_INSTALL=ON \ -DCMAKE_BUILD_TYPE=Release \ -DCMAKE_INSTALL_PREFIX:PATH=%{_prefix} \ -DgRPC_ZLIB_PROVIDER:STRING='package' \ - -DgRPC_SSL_PROVIDER:STRING='package' + -DgRPC_SSL_PROVIDER:STRING='package' \ + -DgRPC_CARES_PROVIDER:STRING='package' %make_build %install @@ -88,6 +91,9 @@ find %{buildroot} -name '*.cmake' -delete %{_bindir}/grpc_*_plugin %changelog +* Wed Apr 28 2021 Nick Samson - 1.35.0-3 +- Switch to system package for c-ares dependency. + * Fri Mar 26 2021 Neha Agarwal - 1.35.0-2 - Switch to system provided packages for zlib and openssl. diff --git a/SPECS/grub2/0017-Pass-x-hex-hex-straight-through-unmolested.patch b/SPECS/grub2/0017-Pass-x-hex-hex-straight-through-unmolested.patch new file mode 100644 index 00000000000..b81abb54583 --- /dev/null +++ b/SPECS/grub2/0017-Pass-x-hex-hex-straight-through-unmolested.patch 
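Review bot: `Requires: c-ares` is unversioned while the gnutls change in this same commit pins `nettle >= 3.7.2`; if the goal of unbundling is to let c-ares security fixes reach gRPC through the distro package, rpm's automatic soname dependency already provides that, and the explicit `Requires:` line only adds value if a minimum version is intended, in which case it should carry one. The Source0 recipe in the comments above (`sudo mv grpc grpc-%{version}` / `sudo tar -cvf grpc-%{version}.tar.gz grpc-%{version}/`) suggests the tarball is a full checkout, so the bundled c-ares copy is presumably still shipped in the source even though `-DgRPC_CARES_PROVIDER:STRING='package'` stops building it; the cgmanifest/licensing checks should treat it as unused, or the tarball should be pruned. If gRPC's CMake exposes the same `*_PROVIDER` switch for its other bundled libraries, applying `'package'` there too would bring them under distro CVE tracking the same way zlib, openssl and now c-ares are.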
@@ -0,0 +1,173 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 1 Oct 2012 13:24:37 -0400 +Subject: [PATCH] Pass "\x[[:hex:]][[:hex:]]" straight through unmolested. + +Don't munge raw spaces when we're doing our cmdline escaping (#923374) + +Signed-off-by: Peter Jones +--- + grub-core/commands/wildcard.c | 16 +++++++++++++++- + grub-core/lib/cmdline.c | 25 +++++++++++++++++++++++-- + grub-core/script/execute.c | 43 +++++++++++++++++++++++++++++++++++++------ + 3 files changed, 75 insertions(+), 9 deletions(-) + +diff --git a/grub-core/commands/wildcard.c b/grub-core/commands/wildcard.c +index cc3290311f0..8f67a4be7f0 100644 +--- a/grub-core/commands/wildcard.c ++++ b/grub-core/commands/wildcard.c +@@ -488,6 +488,12 @@ check_file (const char *dir, const char *basename) + return ctx.found; + } + ++static int ++is_hex(char c) ++{ ++ return ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F')); ++} ++ + static void + unescape (char *out, const char *in, const char *end) + { +@@ -496,7 +502,15 @@ unescape (char *out, const char *in, const char *end) + + for (optr = out, iptr = in; iptr < end;) + { +- if (*iptr == '\\' && iptr + 1 < end) ++ if (*iptr == '\\' && iptr + 3 < end && iptr[1] == 'x' && is_hex(iptr[2]) && is_hex(iptr[3])) ++ { ++ *optr++ = *iptr++; ++ *optr++ = *iptr++; ++ *optr++ = *iptr++; ++ *optr++ = *iptr++; ++ continue; ++ } ++ else if (*iptr == '\\' && iptr + 1 < end) + { + *optr++ = iptr[1]; + iptr += 2; +diff --git a/grub-core/lib/cmdline.c b/grub-core/lib/cmdline.c +index ed0b149dca5..8e2294d8ff6 100644 +--- a/grub-core/lib/cmdline.c ++++ b/grub-core/lib/cmdline.c +@@ -20,6 +20,12 @@ + #include + #include + ++static int ++is_hex(char c) ++{ ++ return ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F')); ++} ++ + static unsigned int check_arg (char *c, int *has_space) + { + int space = 0; +@@ -27,7 +33,13 @@ static unsigned int check_arg (char *c, 
int *has_space) + + while (*c) + { +- if (*c == '\\' || *c == '\'' || *c == '"') ++ if (*c == '\\' && *(c+1) == 'x' && is_hex(*(c+2)) && is_hex(*(c+3))) ++ { ++ size += 4; ++ c += 4; ++ continue; ++ } ++ else if (*c == '\\' || *c == '\'' || *c == '"') + size++; + else if (*c == ' ') + space = 1; +@@ -86,7 +98,16 @@ grub_create_loader_cmdline (int argc, char *argv[], char *buf, + + while (*c) + { +- if (*c == '\\' || *c == '\'' || *c == '"') ++ if (*c == '\\' && *(c+1) == 'x' && ++ is_hex(*(c+2)) && is_hex(*(c+3))) ++ { ++ *buf++ = *c++; ++ *buf++ = *c++; ++ *buf++ = *c++; ++ *buf++ = *c++; ++ continue; ++ } ++ else if (*c == '\\' || *c == '\'' || *c == '"') + *buf++ = '\\'; + + *buf++ = *c; +diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c +index ad80399246a..0c6dd9c5201 100644 +--- a/grub-core/script/execute.c ++++ b/grub-core/script/execute.c +@@ -56,6 +56,12 @@ static struct grub_script_scope *scope = 0; + /* Wildcard translator for GRUB script. */ + struct grub_script_wildcard_translator *grub_wildcard_translator; + ++static int ++is_hex(char c) ++{ ++ return ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F')); ++} ++ + static char* + wildcard_escape (const char *s) + { +@@ -72,7 +78,15 @@ wildcard_escape (const char *s) + i = 0; + while ((ch = *s++)) + { +- if (ch == '*' || ch == '\\' || ch == '?') ++ if (ch == '\\' && s[0] == 'x' && is_hex(s[1]) && is_hex(s[2])) ++ { ++ p[i++] = ch; ++ p[i++] = *s++; ++ p[i++] = *s++; ++ p[i++] = *s++; ++ continue; ++ } ++ else if (ch == '*' || ch == '\\' || ch == '?') + p[i++] = '\\'; + p[i++] = ch; + } +@@ -96,7 +110,14 @@ wildcard_unescape (const char *s) + i = 0; + while ((ch = *s++)) + { +- if (ch == '\\') ++ if (ch == '\\' && s[0] == 'x' && is_hex(s[1]) && is_hex(s[2])) ++ { ++ p[i++] = '\\'; ++ p[i++] = *s++; ++ p[i++] = *s++; ++ p[i++] = *s++; ++ } ++ else if (ch == '\\') + p[i++] = *s++; + else + p[i++] = ch; +@@ -398,10 +419,20 @@ parse_string (const char *str, + switch 
(*ptr) + { + case '\\': +- escaped = !escaped; +- if (!escaped && put) +- *(put++) = '\\'; +- ptr++; ++ if (!escaped && put && *(ptr+1) == 'x' && is_hex(*(ptr+2)) && is_hex(*(ptr+3))) ++ { ++ *(put++) = *ptr++; ++ *(put++) = *ptr++; ++ *(put++) = *ptr++; ++ *(put++) = *ptr++; ++ } ++ else ++ { ++ escaped = !escaped; ++ if (!escaped && put) ++ *(put++) = '\\'; ++ ptr++; ++ } + break; + case '$': + if (escaped) diff --git a/SPECS/grub2/0037-Replace-a-lot-of-man-pages-with-slightly-nicer-ones.patch b/SPECS/grub2/0037-Replace-a-lot-of-man-pages-with-slightly-nicer-ones.patch new file mode 100644 index 00000000000..79399654283 --- /dev/null +++ b/SPECS/grub2/0037-Replace-a-lot-of-man-pages-with-slightly-nicer-ones.patch 
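Review bot: In the `parse_string` change the `\xHH` fast path is gated on `put` being non-NULL, so a caller that first runs parse_string with `put == NULL` to size a buffer and then runs it again to fill it takes different branches on the two passes: with `put == NULL` the backslash goes through the old `escaped = !escaped` path and is dropped (three bytes out of four), while the fill pass now emits all four bytes. Whether that can overrun the destination depends on how the caller computes the length, which is outside this hunk (parse_string and its callers are only partially shown), so please verify the sizing and writing passes agree for inputs containing `\xHH`; making the branch independent of `put`, i.e. testing only `!escaped && *(ptr+1) == 'x' && is_hex(*(ptr+2)) && is_hex(*(ptr+3))` and then doing `if (put) { copy four bytes } else ptr += 4;`, would keep both passes in step. The other sites look bounded: `unescape` checks `iptr + 3 < end` before reading four bytes, and `check_arg`, `grub_create_loader_cmdline`, `wildcard_escape` and `wildcard_unescape` stop at the first NUL through short-circuit evaluation. Minor: `is_hex` is now defined three times where one shared helper would do, and the `From 0000000000000000000000000000000000000000` header gives no upstream reference for this carried patch beyond the `#923374` bug number.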
@@ -0,0 +1,1959 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 4 Mar 2014 11:00:23 -0500 +Subject: [PATCH] Replace a lot of man pages with slightly nicer ones. + +Replace a bunch of machine generated ones with ones that look nicer. +--- + configure.ac | 23 ++++++ + conf/Makefile.extra-dist | 1 - + docs/Makefile.am | 2 - + docs/man/grub-bios-setup.h2m | 6 -- + docs/man/grub-editenv.h2m | 5 -- + docs/man/grub-emu.h2m | 6 -- + docs/man/grub-file.h2m | 2 - + docs/man/grub-fstest.h2m | 4 - + docs/man/grub-glue-efi.h2m | 4 - + docs/man/grub-install.h2m | 6 -- + docs/man/grub-kbdcomp.h2m | 10 --- + docs/man/grub-macbless.h2m | 4 - + docs/man/grub-macho2img.h2m | 4 - + docs/man/grub-menulst2cfg.h2m | 4 - + docs/man/grub-mkconfig.h2m | 4 - + docs/man/grub-mkfont.h2m | 4 - + docs/man/grub-mkimage.h2m | 6 -- + docs/man/grub-mklayout.h2m | 10 --- + docs/man/grub-mknetdir.h2m | 4 - + docs/man/grub-mkpasswd-pbkdf2.h2m | 4 - + docs/man/grub-mkrelpath.h2m | 4 - + docs/man/grub-mkrescue.h2m | 4 - + docs/man/grub-mkstandalone.h2m | 4 - + docs/man/grub-mount.h2m | 2 - + docs/man/grub-ofpathname.h2m | 4 - + docs/man/grub-pe2elf.h2m | 4 - + docs/man/grub-probe.h2m | 4 - + docs/man/grub-reboot.h2m | 5 -- + docs/man/grub-render-label.h2m | 3 - + docs/man/grub-script-check.h2m | 4 - + docs/man/grub-set-default.h2m | 5 -- + docs/man/grub-sparc64-setup.h2m | 6 -- + docs/man/grub-syslinux2cfg.h2m | 4 - + gentpl.py | 5 +- + util/grub-bios-setup.8 | 54 +++++++++++++ + util/grub-editenv.1 | 46 +++++++++++ + util/grub-file.1 | 165 ++++++++++++++++++++++++++++++++++++++ + util/grub-fstest.1 | 99 +++++++++++++++++++++++ + util/grub-glue-efi.1 | 31 +++++++ + util/grub-install.8 | 128 +++++++++++++++++++++++++++++ + util/grub-kbdcomp.1 | 19 +++++ + util/grub-macbless.1 | 22 +++++ + util/grub-menulst2cfg.1 | 12 +++ + util/grub-mkconfig.8 | 17 ++++ + util/grub-mkfont.1 | 87 ++++++++++++++++++++ + util/grub-mkimage.1 | 95 ++++++++++++++++++++++ 
+ util/grub-mklayout.1 | 27 +++++++ + util/grub-mknetdir.1 | 12 +++ + util/grub-mkpasswd-pbkdf2.1 | 27 +++++++ + util/grub-mkrelpath.1 | 12 +++ + util/grub-mkrescue.1 | 123 ++++++++++++++++++++++++++++ + util/grub-mkstandalone.1 | 100 +++++++++++++++++++++++ + util/grub-ofpathname.8 | 12 +++ + util/grub-probe.8 | 80 ++++++++++++++++++ + util/grub-reboot.8 | 21 +++++ + util/grub-render-label.1 | 51 ++++++++++++ + util/grub-script-check.1 | 21 +++++ + util/grub-set-default.8 | 21 +++++ + util/grub-sparc64-setup.8 | 12 +++ + 59 files changed, 1318 insertions(+), 147 deletions(-) + delete mode 100644 docs/man/grub-bios-setup.h2m + delete mode 100644 docs/man/grub-editenv.h2m + delete mode 100644 docs/man/grub-emu.h2m + delete mode 100644 docs/man/grub-file.h2m + delete mode 100644 docs/man/grub-fstest.h2m + delete mode 100644 docs/man/grub-glue-efi.h2m + delete mode 100644 docs/man/grub-install.h2m + delete mode 100644 docs/man/grub-kbdcomp.h2m + delete mode 100644 docs/man/grub-macbless.h2m + delete mode 100644 docs/man/grub-macho2img.h2m + delete mode 100644 docs/man/grub-menulst2cfg.h2m + delete mode 100644 docs/man/grub-mkconfig.h2m + delete mode 100644 docs/man/grub-mkfont.h2m + delete mode 100644 docs/man/grub-mkimage.h2m + delete mode 100644 docs/man/grub-mklayout.h2m + delete mode 100644 docs/man/grub-mknetdir.h2m + delete mode 100644 docs/man/grub-mkpasswd-pbkdf2.h2m + delete mode 100644 docs/man/grub-mkrelpath.h2m + delete mode 100644 docs/man/grub-mkrescue.h2m + delete mode 100644 docs/man/grub-mkstandalone.h2m + delete mode 100644 docs/man/grub-mount.h2m + delete mode 100644 docs/man/grub-ofpathname.h2m + delete mode 100644 docs/man/grub-pe2elf.h2m + delete mode 100644 docs/man/grub-probe.h2m + delete mode 100644 docs/man/grub-reboot.h2m + delete mode 100644 docs/man/grub-render-label.h2m + delete mode 100644 docs/man/grub-script-check.h2m + delete mode 100644 docs/man/grub-set-default.h2m + delete mode 100644 docs/man/grub-sparc64-setup.h2m + delete mode 
100644 docs/man/grub-syslinux2cfg.h2m + create mode 100644 util/grub-bios-setup.8 + create mode 100644 util/grub-editenv.1 + create mode 100644 util/grub-file.1 + create mode 100644 util/grub-fstest.1 + create mode 100644 util/grub-glue-efi.1 + create mode 100644 util/grub-install.8 + create mode 100644 util/grub-kbdcomp.1 + create mode 100644 util/grub-macbless.1 + create mode 100644 util/grub-menulst2cfg.1 + create mode 100644 util/grub-mkconfig.8 + create mode 100644 util/grub-mkfont.1 + create mode 100644 util/grub-mkimage.1 + create mode 100644 util/grub-mklayout.1 + create mode 100644 util/grub-mknetdir.1 + create mode 100644 util/grub-mkpasswd-pbkdf2.1 + create mode 100644 util/grub-mkrelpath.1 + create mode 100644 util/grub-mkrescue.1 + create mode 100644 util/grub-mkstandalone.1 + create mode 100644 util/grub-ofpathname.8 + create mode 100644 util/grub-probe.8 + create mode 100644 util/grub-reboot.8 + create mode 100644 util/grub-render-label.1 + create mode 100644 util/grub-script-check.1 + create mode 100644 util/grub-set-default.8 + create mode 100644 util/grub-sparc64-setup.8 + +diff --git a/configure.ac b/configure.ac +index c0103b30d4e..b8c4d52dfd1 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -77,6 +77,29 @@ grub_TRANSFORM([grub-set-default]) + grub_TRANSFORM([grub-sparc64-setup]) + grub_TRANSFORM([grub-render-label]) + grub_TRANSFORM([grub-file]) ++grub_TRANSFORM([grub-bios-setup.3]) ++grub_TRANSFORM([grub-editenv.1]) ++grub_TRANSFORM([grub-fstest.3]) ++grub_TRANSFORM([grub-glue-efi.3]) ++grub_TRANSFORM([grub-install.1]) ++grub_TRANSFORM([grub-kbdcomp.3]) ++grub_TRANSFORM([grub-menulst2cfg.1]) ++grub_TRANSFORM([grub-mkconfig.1]) ++grub_TRANSFORM([grub-mkfont.3]) ++grub_TRANSFORM([grub-mkimage.1]) ++grub_TRANSFORM([grub-mklayout.3]) ++grub_TRANSFORM([grub-mknetdir.3]) ++grub_TRANSFORM([grub-mkpasswd-pbkdf2.3]) ++grub_TRANSFORM([grub-mkrelpath.3]) ++grub_TRANSFORM([grub-mkrescue.1]) ++grub_TRANSFORM([grub-mkstandalone.3]) 
++grub_TRANSFORM([grub-ofpathname.3]) ++grub_TRANSFORM([grub-probe.3]) ++grub_TRANSFORM([grub-reboot.3]) ++grub_TRANSFORM([grub-render-label.3]) ++grub_TRANSFORM([grub-script-check.3]) ++grub_TRANSFORM([grub-set-default.1]) ++grub_TRANSFORM([grub-sparc64-setup.3]) + + # Optimization flag. Allow user to override. + if test "x$TARGET_CFLAGS" = x; then +diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist +index 8f1485d52a5..b909f2c073a 100644 +--- a/conf/Makefile.extra-dist ++++ b/conf/Makefile.extra-dist +@@ -11,7 +11,6 @@ EXTRA_DIST += unicode + EXTRA_DIST += util/import_gcry.py + EXTRA_DIST += util/import_unicode.py + +-EXTRA_DIST += docs/man + EXTRA_DIST += docs/autoiso.cfg + EXTRA_DIST += docs/grub.cfg + EXTRA_DIST += docs/osdetect.cfg +diff --git a/docs/Makefile.am b/docs/Makefile.am +index 93eb3962765..ab28f199694 100644 +--- a/docs/Makefile.am ++++ b/docs/Makefile.am +@@ -5,5 +5,3 @@ info_TEXINFOS = grub.texi grub-dev.texi + grub_TEXINFOS = fdl.texi + + EXTRA_DIST = font_char_metrics.png font_char_metrics.txt +- +- +diff --git a/docs/man/grub-bios-setup.h2m b/docs/man/grub-bios-setup.h2m +deleted file mode 100644 +index ac6ede36296..00000000000 +--- a/docs/man/grub-bios-setup.h2m ++++ /dev/null +@@ -1,6 +0,0 @@ +-[NAME] +-grub-bios-setup \- set up a device to boot using GRUB +-[SEE ALSO] +-.BR grub-install (8), +-.BR grub-mkimage (1), +-.BR grub-mkrescue (1) +diff --git a/docs/man/grub-editenv.h2m b/docs/man/grub-editenv.h2m +deleted file mode 100644 +index 3859d3d4c4f..00000000000 +--- a/docs/man/grub-editenv.h2m ++++ /dev/null +@@ -1,5 +0,0 @@ +-[NAME] +-grub-editenv \- edit GRUB environment block +-[SEE ALSO] +-.BR grub-reboot (8), +-.BR grub-set-default (8) +diff --git a/docs/man/grub-emu.h2m b/docs/man/grub-emu.h2m +deleted file mode 100644 +index ef1c000656a..00000000000 +--- a/docs/man/grub-emu.h2m ++++ /dev/null +@@ -1,6 +0,0 @@ +-[NAME] +-grub-emu \- GRUB emulator +-[SEE ALSO] +-If you are trying to install GRUB, then you should use +-.BR 
grub-install (8) +-rather than this program. +diff --git a/docs/man/grub-file.h2m b/docs/man/grub-file.h2m +deleted file mode 100644 +index e09bb4d3101..00000000000 +--- a/docs/man/grub-file.h2m ++++ /dev/null +@@ -1,2 +0,0 @@ +-[NAME] +-grub-file \- check file type +diff --git a/docs/man/grub-fstest.h2m b/docs/man/grub-fstest.h2m +deleted file mode 100644 +index 9676b159afd..00000000000 +--- a/docs/man/grub-fstest.h2m ++++ /dev/null +@@ -1,4 +0,0 @@ +-[NAME] +-grub-fstest \- debug tool for GRUB filesystem drivers +-[SEE ALSO] +-.BR grub-probe (8) +diff --git a/docs/man/grub-glue-efi.h2m b/docs/man/grub-glue-efi.h2m +deleted file mode 100644 +index c1c6ded49ff..00000000000 +--- a/docs/man/grub-glue-efi.h2m ++++ /dev/null +@@ -1,4 +0,0 @@ +-[NAME] +-grub-glue-efi \- generate a fat binary for EFI +-[DESCRIPTION] +-grub-glue-efi processes ia32 and amd64 EFI images and glues them according to Apple format. +diff --git a/docs/man/grub-install.h2m b/docs/man/grub-install.h2m +deleted file mode 100644 +index 8cbbc87a0f2..00000000000 +--- a/docs/man/grub-install.h2m ++++ /dev/null +@@ -1,6 +0,0 @@ +-[NAME] +-grub-install \- install GRUB to a device +-[SEE ALSO] +-.BR grub-mkconfig (8), +-.BR grub-mkimage (1), +-.BR grub-mkrescue (1) +diff --git a/docs/man/grub-kbdcomp.h2m b/docs/man/grub-kbdcomp.h2m +deleted file mode 100644 +index d81f9157e01..00000000000 +--- a/docs/man/grub-kbdcomp.h2m ++++ /dev/null +@@ -1,10 +0,0 @@ +-[NAME] +-grub-kbdcomp \- generate a GRUB keyboard layout file +-[DESCRIPTION] +-grub-kbdcomp processes a X keyboard layout description in +-.BR keymaps (5) +-format into a format that can be used by GRUB's +-.B keymap +-command. 
+-[SEE ALSO] +-.BR grub-mklayout (8) +diff --git a/docs/man/grub-macbless.h2m b/docs/man/grub-macbless.h2m +deleted file mode 100644 +index 0197c0087d7..00000000000 +--- a/docs/man/grub-macbless.h2m ++++ /dev/null +@@ -1,4 +0,0 @@ +-[NAME] +-grub-macbless \- bless a mac file/directory +-[SEE ALSO] +-.BR grub-install (1) +diff --git a/docs/man/grub-macho2img.h2m b/docs/man/grub-macho2img.h2m +deleted file mode 100644 +index d79aaeed8f9..00000000000 +--- a/docs/man/grub-macho2img.h2m ++++ /dev/null +@@ -1,4 +0,0 @@ +-[NAME] +-grub-macho2img \- convert Mach-O to raw image +-[SEE ALSO] +-.BR grub-mkimage (1) +diff --git a/docs/man/grub-menulst2cfg.h2m b/docs/man/grub-menulst2cfg.h2m +deleted file mode 100644 +index c2e0055ed7e..00000000000 +--- a/docs/man/grub-menulst2cfg.h2m ++++ /dev/null +@@ -1,4 +0,0 @@ +-[NAME] +-grub-menulst2cfg \- transform legacy menu.lst into grub.cfg +-[SEE ALSO] +-.BR grub-mkconfig (8) +diff --git a/docs/man/grub-mkconfig.h2m b/docs/man/grub-mkconfig.h2m +deleted file mode 100644 +index 9b42f813010..00000000000 +--- a/docs/man/grub-mkconfig.h2m ++++ /dev/null +@@ -1,4 +0,0 @@ +-[NAME] +-grub-mkconfig \- generate a GRUB configuration file +-[SEE ALSO] +-.BR grub-install (8) +diff --git a/docs/man/grub-mkfont.h2m b/docs/man/grub-mkfont.h2m +deleted file mode 100644 +index d46fe600eca..00000000000 +--- a/docs/man/grub-mkfont.h2m ++++ /dev/null +@@ -1,4 +0,0 @@ +-[NAME] +-grub-mkfont \- make GRUB font files +-[SEE ALSO] +-.BR grub-mkconfig (8) +diff --git a/docs/man/grub-mkimage.h2m b/docs/man/grub-mkimage.h2m +deleted file mode 100644 +index f0fbc2bb197..00000000000 +--- a/docs/man/grub-mkimage.h2m ++++ /dev/null +@@ -1,6 +0,0 @@ +-[NAME] +-grub-mkimage \- make a bootable image of GRUB +-[SEE ALSO] +-.BR grub-install (8), +-.BR grub-mkrescue (1), +-.BR grub-mknetdir (8) +diff --git a/docs/man/grub-mklayout.h2m b/docs/man/grub-mklayout.h2m +deleted file mode 100644 +index 1e43409c0ab..00000000000 +--- a/docs/man/grub-mklayout.h2m ++++ /dev/null 
+@@ -1,10 +0,0 @@ +-[NAME] +-grub-mklayout \- generate a GRUB keyboard layout file +-[DESCRIPTION] +-grub-mklayout processes a keyboard layout description in +-.BR keymaps (5) +-format into a format that can be used by GRUB's +-.B keymap +-command. +-[SEE ALSO] +-.BR grub-mkconfig (8) +diff --git a/docs/man/grub-mknetdir.h2m b/docs/man/grub-mknetdir.h2m +deleted file mode 100644 +index a2ef13ec111..00000000000 +--- a/docs/man/grub-mknetdir.h2m ++++ /dev/null +@@ -1,4 +0,0 @@ +-[NAME] +-grub-mknetdir \- prepare a GRUB netboot directory. +-[SEE ALSO] +-.BR grub-mkimage (1) +diff --git a/docs/man/grub-mkpasswd-pbkdf2.h2m b/docs/man/grub-mkpasswd-pbkdf2.h2m +deleted file mode 100644 +index 4d202f3da7e..00000000000 +--- a/docs/man/grub-mkpasswd-pbkdf2.h2m ++++ /dev/null +@@ -1,4 +0,0 @@ +-[NAME] +-grub-mkpasswd-pbkdf2 \- generate hashed password for GRUB +-[SEE ALSO] +-.BR grub-mkconfig (8) +diff --git a/docs/man/grub-mkrelpath.h2m b/docs/man/grub-mkrelpath.h2m +deleted file mode 100644 +index d01f3961e3f..00000000000 +--- a/docs/man/grub-mkrelpath.h2m ++++ /dev/null +@@ -1,4 +0,0 @@ +-[NAME] +-grub-mkrelpath \- make a system path relative to its root +-[SEE ALSO] +-.BR grub-probe (8) +diff --git a/docs/man/grub-mkrescue.h2m b/docs/man/grub-mkrescue.h2m +deleted file mode 100644 +index a427f02e3c6..00000000000 +--- a/docs/man/grub-mkrescue.h2m ++++ /dev/null +@@ -1,4 +0,0 @@ +-[NAME] +-grub-mkrescue \- make a GRUB rescue image +-[SEE ALSO] +-.BR grub-mkimage (1) +diff --git a/docs/man/grub-mkstandalone.h2m b/docs/man/grub-mkstandalone.h2m +deleted file mode 100644 +index c77313978ad..00000000000 +--- a/docs/man/grub-mkstandalone.h2m ++++ /dev/null +@@ -1,4 +0,0 @@ +-[NAME] +-grub-mkstandalone \- make a memdisk-based GRUB image +-[SEE ALSO] +-.BR grub-mkimage (1) +diff --git a/docs/man/grub-mount.h2m b/docs/man/grub-mount.h2m +deleted file mode 100644 +index 8d168982d72..00000000000 +--- a/docs/man/grub-mount.h2m ++++ /dev/null +@@ -1,2 +0,0 @@ +-[NAME] +-grub-mount \- 
export GRUB filesystem with FUSE
+diff --git a/docs/man/grub-ofpathname.h2m b/docs/man/grub-ofpathname.h2m
+deleted file mode 100644
+index 74b43eea039..00000000000
+--- a/docs/man/grub-ofpathname.h2m
++++ /dev/null
+@@ -1,4 +0,0 @@
+-[NAME]
+-grub-ofpathname \- find OpenBOOT path for a device
+-[SEE ALSO]
+-.BR grub-probe (8)
+diff --git a/docs/man/grub-pe2elf.h2m b/docs/man/grub-pe2elf.h2m
+deleted file mode 100644
+index 7ca29bd703c..00000000000
+--- a/docs/man/grub-pe2elf.h2m
++++ /dev/null
+@@ -1,4 +0,0 @@
+-[NAME]
+-grub-pe2elf \- convert PE image to ELF
+-[SEE ALSO]
+-.BR grub-mkimage (1)
+diff --git a/docs/man/grub-probe.h2m b/docs/man/grub-probe.h2m
+deleted file mode 100644
+index 6e1ffdcf937..00000000000
+--- a/docs/man/grub-probe.h2m
++++ /dev/null
+@@ -1,4 +0,0 @@
+-[NAME]
+-grub-probe \- probe device information for GRUB
+-[SEE ALSO]
+-.BR grub-fstest (1)
+diff --git a/docs/man/grub-reboot.h2m b/docs/man/grub-reboot.h2m
+deleted file mode 100644
+index e4acace65ce..00000000000
+--- a/docs/man/grub-reboot.h2m
++++ /dev/null
+@@ -1,5 +0,0 @@
+-[NAME]
+-grub-reboot \- set the default boot entry for GRUB, for the next boot only
+-[SEE ALSO]
+-.BR grub-set-default (8),
+-.BR grub-editenv (1)
+diff --git a/docs/man/grub-render-label.h2m b/docs/man/grub-render-label.h2m
+deleted file mode 100644
+index 50ae5247c05..00000000000
+--- a/docs/man/grub-render-label.h2m
++++ /dev/null
+@@ -1,3 +0,0 @@
+-[NAME]
+-grub-render-label \- generate a .disk_label for Apple Macs.
+- +diff --git a/docs/man/grub-script-check.h2m b/docs/man/grub-script-check.h2m +deleted file mode 100644 +index 3653682671a..00000000000 +--- a/docs/man/grub-script-check.h2m ++++ /dev/null +@@ -1,4 +0,0 @@ +-[NAME] +-grub-script-check \- check grub.cfg for syntax errors +-[SEE ALSO] +-.BR grub-mkconfig (8) +diff --git a/docs/man/grub-set-default.h2m b/docs/man/grub-set-default.h2m +deleted file mode 100644 +index 7945001c154..00000000000 +--- a/docs/man/grub-set-default.h2m ++++ /dev/null +@@ -1,5 +0,0 @@ +-[NAME] +-grub-set-default \- set the saved default boot entry for GRUB +-[SEE ALSO] +-.BR grub-reboot (8), +-.BR grub-editenv (1) +diff --git a/docs/man/grub-sparc64-setup.h2m b/docs/man/grub-sparc64-setup.h2m +deleted file mode 100644 +index 18f803a50db..00000000000 +--- a/docs/man/grub-sparc64-setup.h2m ++++ /dev/null +@@ -1,6 +0,0 @@ +-[NAME] +-grub-sparc64-setup \- set up a device to boot using GRUB +-[SEE ALSO] +-.BR grub-install (8), +-.BR grub-mkimage (1), +-.BR grub-mkrescue (1) +diff --git a/docs/man/grub-syslinux2cfg.h2m b/docs/man/grub-syslinux2cfg.h2m +deleted file mode 100644 +index ad25c8ab753..00000000000 +--- a/docs/man/grub-syslinux2cfg.h2m ++++ /dev/null +@@ -1,4 +0,0 @@ +-[NAME] +-grub-syslinux2cfg \- transform syslinux config into grub.cfg +-[SEE ALSO] +-.BR grub-menulst2cfg (8) +diff --git a/gentpl.py b/gentpl.py +index c86550d4f9e..2cba0bbbd6f 100644 +--- a/gentpl.py ++++ b/gentpl.py +@@ -805,10 +805,7 @@ def manpage(defn, adddeps): + + output("if COND_MAN_PAGES\n") + gvar_add("man_MANS", name + "." + mansection) +- rule(name + "." + mansection, name + " " + adddeps, """ +-chmod a+x """ + name + """ +-PATH=$(builddir):$$PATH pkgdatadir=$(builddir) $(HELP2MAN) --section=""" + mansection + """ -i $(top_srcdir)/docs/man/""" + name + """.h2m -o $@ """ + name + """ +-""") ++ rule(name + "." + mansection, name + " " + adddeps, "cat $(top_srcdir)/util/" + name + "." 
+ mansection + " | $(top_builddir)/config.status --file=$@:-") + gvar_add("CLEANFILES", name + "." + mansection) + output("endif\n") + +diff --git a/util/grub-bios-setup.8 b/util/grub-bios-setup.8 +new file mode 100644 +index 00000000000..56f582b3d75 +--- /dev/null ++++ b/util/grub-bios-setup.8 +@@ -0,0 +1,54 @@ ++.TH GRUB-BIOS-SETUP 3 "Wed Feb 26 2014" ++.SH NAME ++\fBgrub-bios-setup\fR \(em Set up images to boot from a device. ++ ++.SH SYNOPSIS ++\fBgrub-bios-setup\fR [-a | --allow-floppy] [-b | --boot-image=\fIFILE\fR] ++.RS 17 ++[-c | --core-image=\fIFILE\fR] [-d | --directory=\fIDIR\fR] ++.RE ++.RS 17 ++[-f | --force] [-m | --device-map=\fIFILE\fR] ++.RE ++.RS 17 ++[-s | --skip-fs-probe] [-v | --verbose] \fIDEVICE\fR ++ ++.SH DESCRIPTION ++You should not normally run this program directly. Use grub-install instead. ++ ++.SH OPTIONS ++.TP ++\fB--allow-floppy\fR ++Make the device also bootable as a floppy. This option is the default for ++/dev/fdX devices. Some BIOSes will not boot images created with this option. ++ ++.TP ++\fB--boot-image\fR=\fIFILE\fR ++Use FILE as the boot image. The default value is \fBboot.img\fR. ++ ++.TP ++\fB--core-image\fR=\fIFILE\fR ++Use FILE as ther core image. The default value is \fBcore.img\fR. ++ ++.TP ++\fB--directory\fR=\fIDIR\fR ++Use GRUB files in the directory DIR. The default value is \fB/boot/grub\fR. ++ ++.TP ++\fB--force\fR ++Install even if problems are detected. ++ ++.TP ++\fB--device-map\fR=\fIFILE\fR ++Use FILE as the device map. The default value is /boot/grub/device.map . ++ ++.TP ++\fB--skip-fs-probe\fR ++Do not probe DEVICE for filesystems. ++ ++.TP ++\fB--verbose\fR ++Print verbose messages. ++ ++.SH SEE ALSO ++.BR "info grub" +diff --git a/util/grub-editenv.1 b/util/grub-editenv.1 +new file mode 100644 +index 00000000000..d28ba03ba42 +--- /dev/null ++++ b/util/grub-editenv.1 +@@ -0,0 +1,46 @@ ++.TH GRUB-EDITENV 1 "Wed Feb 26 2014" ++.SH NAME ++\fBgrub-editenv\fR \(em Manage the GRUB environment block. 
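Review bot: The rewritten rule in gentpl.py reads `$(top_srcdir)/util/NAME.SECTION` but its prerequisite list is still `name + " " + adddeps`, so make never learns that the static page is an input and an edited page will not regenerate an already-built `NAME.SECTION`; the page should be listed, e.g. `rule(name + "." + mansection, "$(top_srcdir)/util/" + name + "." + mansection + " " + name + " " + adddeps, ...)` (or drop the binary from the list, since help2man no longer executes it). The pipe through `$(top_builddir)/config.status --file=$@:-` presumably performs @VAR@ substitution on the page text, so any literal `@word@` in the added pages would be expanded silently; a comment such as `# static pages are filtered through config.status for @VAR@ substitution` on the rule would make that intent visible. The `cat ... |` pipeline also reports only the exit status of config.status, so a missing or misnamed page yields an empty `$@` instead of a build failure. The body of manpage() begins before this hunk.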
++
++.SH SYNOPSIS
++\fBgrub-editenv\fR [-v | --verbose] [\fIFILE\fR]
++.RS 14
++
++
++.SH DESCRIPTION
++\fBgrub-editenv\fR is a command line tool to manage GRUB's stored environment.
++
++.SH OPTIONS
++.TP
++\fB--verbose\fR
++Print verbose messages.
++
++.TP
++\fBFILE\fR
++.RS 7
++File name to use for grub environment. Default is /boot/grub/grubenv .
++.RE
++
++.SH COMMANDS
++.TP
++\fBcreate\fR
++.RS 7
++Create a blank environment block file.
++.RE
++
++.TP
++\fBlist\fR
++.RS 7
++List the current variables.
++.RE
++
++.TP
++\fBset\fR [\fINAME\fR=\fIVALUE\fR ...]
++Set variables.
++
++.TP
++\fBunset [\fINAME\fR ...]
++Delete variables.
++
++.SH SEE ALSO
++.BR "info grub"
+diff --git a/util/grub-file.1 b/util/grub-file.1
+new file mode 100644
+index 00000000000..b29cb327889
+--- /dev/null
++++ b/util/grub-file.1
+@@ -0,0 +1,165 @@
++.TH GRUB-FILE 1 "Web Feb 26 2014"
++.SH NAME
++\fBgrub-file\fR \(em Check if FILE is of specified type.
++
++.SH SYNOPSIS
++\fBgrub-file\fR (--is-i386-xen-pae-domu | --is-x86_64-xen-domu |
++.RS 11
++--is-x86-xen-dom0 | --is-x86-multiboot |
++.RE
++.RS 11
++--is-x86-multiboot2 | --is-arm-linux | --is-arm64-linux |
++.RE
++.RS 11
++--is-ia64-linux | --is-mips-linux | --is-mipsel-linux |
++.RE
++.RS 11
++--is-sparc64-linux | --is-powerpc-linux | --is-x86-linux |
++.RE
++.RS 11
++--is-x86-linux32 | --is-x86-kfreebsd | --is-i386-kfreebsd |
++.RE
++.RS 11
++--is-x86_64-kfreebsd | --is-x86-knetbsd |
++.RE
++.RS 11
++--is-i386-knetbsd | --is-x86_64-knetbsd | --is-i386-efi |
++.RE
++.RS 11
++--is-x86_64-efi | --is-ia64-efi | --is-arm64-efi |
++.RE
++.RS 11
++--is-arm-efi | --is-hibernated-hiberfil | --is-x86_64-xnu |
++.RE
++.RS 11
++--is-i386-xnu | --is-xnu-hibr | --is-x86-bios-bootsector)
++.RE
++.RS 11
++\fIFILE\fR
++
++.SH DESCRIPTION
++\fBgrub-file\fR is used to check if \fIFILE\fR is of a specified type.
++
++.SH OPTIONS
++.TP
++--is-i386-xen-pae-domu
++Check if FILE can be booted as i386 PAE Xen unprivileged guest kernel
++
++.TP
++--is-x86_64-xen-domu
++Check if FILE can be booted as x86_64 Xen unprivileged guest kernel
++
++.TP
++--is-x86-xen-dom0
++Check if FILE can be used as Xen x86 privileged guest kernel
++
++.TP
++--is-x86-multiboot
++Check if FILE can be used as x86 multiboot kernel
++
++.TP
++--is-x86-multiboot2
++Check if FILE can be used as x86 multiboot2 kernel
++
++.TP
++--is-arm-linux
++Check if FILE is ARM Linux
++
++.TP
++--is-arm64-linux
++Check if FILE is ARM64 Linux
++
++.TP
++--is-ia64-linux
++Check if FILE is IA64 Linux
++
++.TP
++--is-mips-linux
++Check if FILE is MIPS Linux
++
++.TP
++--is-mipsel-linux
++Check if FILE is MIPSEL Linux
++
++.TP
++--is-sparc64-linux
++Check if FILE is SPARC64 Linux
++
++.TP
++--is-powerpc-linux
++Check if FILE is POWERPC Linux
++
++.TP
++--is-x86-linux
++Check if FILE is x86 Linux
++
++.TP
++--is-x86-linux32
++Check if FILE is x86 Linux supporting 32-bit protocol
++
++.TP
++--is-x86-kfreebsd
++Check if FILE is x86 kFreeBSD
++
++.TP
++--is-i386-kfreebsd
++Check if FILE is i386 kFreeBSD
++
++.TP
++--is-x86_64-kfreebsd
++Check if FILE is x86_64 kFreeBSD
++
++.TP
++--is-x86-knetbsd
++Check if FILE is x86 kNetBSD
++
++.TP
++--is-i386-knetbsd
++Check if FILE is i386 kNetBSD
++
++.TP
++--is-x86_64-knetbsd
++Check if FILE is x86_64 kNetBSD
++
++.TP
++--is-i386-efi
++Check if FILE is i386 EFI file
++
++.TP
++--is-x86_64-efi
++Check if FILE is x86_64 EFI file
++
++.TP
++--is-ia64-efi
++Check if FILE is IA64 EFI file
++
++.TP
++--is-arm64-efi
++Check if FILE is ARM64 EFI file
++
++.TP
++--is-arm-efi
++Check if FILE is ARM EFI file
++
++.TP
++--is-hibernated-hiberfil
++Check if FILE is hiberfil.sys in hibernated state
++
++.TP
++--is-x86_64-xnu
++Check if FILE is x86_64 XNU (Mac OS X kernel)
++
++.TP
++--is-i386-xnu
++Check if FILE is i386 XNU (Mac OS X kernel)
++
++.TP
++--is-xnu-hibr
++Check if FILE is XNU (Mac OS X 
kernel) hibernated image
++
++.TP
++--is-x86-bios-bootsector
++Check if FILE is BIOS bootsector
++
++.SH SEE ALSO
++.BR "info grub"
+diff --git a/util/grub-fstest.1 b/util/grub-fstest.1
+new file mode 100644
+index 00000000000..792fa78634c
+--- /dev/null
++++ b/util/grub-fstest.1
+@@ -0,0 +1,99 @@
++.TH GRUB-FSTEST 3 "Wed Feb 26 2014"
++.SH NAME
++\fBgrub-fstest\fR — Debug tool for GRUB's filesystem driver.
++
++.SH SYNOPSIS
++\fBgrub-fstest\fR [-c | --diskcount=\fINUM\fR] [-C | --crypto]
++.RS 13
++[-d | --debug=\fISTRING\fR] [-K | --zfs-key=\fIFILE\fR|\fIprompt\fR]
++.RE
++.RS 13
++[-n | --length=\fINUM\fR] [-r | --root=\fIDEVICE_NAME\fR]
++.RE
++.RS 13
++[-s | --skip=\fINUM\fR] [-u | --uncompress] [-v | --verbose]
++.RE
++.RS 13
++\fIIMAGE_PATH\fR
++
++.SH DESCRIPTION
++\fBgrub-fstest\fR is a tool for testing GRUB's filesystem drivers. You should not normally need to run this program.
++
++.SH OPTIONS
++.TP
++\fB--diskcount\fR=\fINUM\fR
++Specify the number of input files.
++
++.TP
++\fB--crypto\fR
++Mount cryptographic devices.
++
++.TP
++\fB--debug\fR=\fISTRING\fR
++Set debug environment variable.
++
++.TP
++\fB--zfs-key\fR=\fIFILE\fR|\fIprompt\fR
++Load ZFS cryptographic key.
++
++.TP
++\fB--length\fR=\fINUM\fR
++Handle NUM bytes in output file.
++
++.TP
++\fB--root\fR=\fIDEVICE_NAME\fR
++Set root device.
++
++.TP
++\fB--skip\fR=\fINUM\fR
++Skip NUM bytes from output file.
++
++.TP
++\fB--uncompress\fR
++Uncompress data.
++
++.TP
++\fB--verbose\fR
++Print verbose messages.
++
++.SH COMMANDS
++.TP
++\fBblocklist\fR \fIFILE\fR
++Display block list of \fIFILE\fR.
++
++.TP
++\fBcat\fR \fIFILE\fR
++Display \fIFILE\fR on standard output.
++
++.TP
++\fBcmp\fR \fIFILE\fR \fILOCAL\fR
++Compare \fIFILE\fR with local file \fILOCAL\fR.
++
++.TP
++\fBcp\fR \fIFILE\fR \fILOCAL\fR
++Copy \fIFILE\fR to local file \fILOCAL\fR.
++
++.TP
++\fBcrc\fR \fIFILE\fR
++Display the CRC-32 checksum of \fIFILE\fR.
++
++.TP
++\fBhex\fR \fIFILE\fR
++Display contents of \fIFILE\fR in hexidecimal.
++
++.TP
++\fBls\fR \fIPATH\fR
++List files at \fIPATH\fR.
++
++.TP
++\fBxnu_uuid\fR \fIDEVICE\fR
++Display the XNU UUID of \fIDEVICE\fR.
++
++.SH SEE ALSO
++.BR "info grub"
+diff --git a/util/grub-glue-efi.1 b/util/grub-glue-efi.1
+new file mode 100644
+index 00000000000..72bd555d577
+--- /dev/null
++++ b/util/grub-glue-efi.1
+@@ -0,0 +1,31 @@
++.TH GRUB-GLUE-EFI 3 "Wed Feb 26 2014"
++.SH NAME
++\fBgrub-glue-efi\fR \(em Create an Apple fat EFI binary.
++
++.SH SYNOPSIS
++\fBgrub-glue-efi\fR <-3 | --input32=\fIFILE\fR> <-6 | --input64=\fIFILE\fR>
++.RS 15
++<-o | --output=\fIFILE\fR> [-v | --verbose]
++
++.SH DESCRIPTION
++\fBgrub-glue-efi\fR creates an Apple fat EFI binary from two EFI binaries.
++
++.SH OPTIONS
++.TP
++\fB--input32\fR=\fIFILE\fR
++Read 32-bit binary from \fIFILE\fR.
++
++.TP
++\fB--input64\fR=\fIFILE\fR
++Read 64-bit binary from \fIFILE\fR.
++
++.TP
++\fB--output\fR=\fIFILE\fR
++Write resulting fat binary to \fIFILE\fR.
++
++.TP
++\fB--verbose\fR
++Print verbose messages.
++
++.SH SEE ALSO
++.BR "info grub"
+diff --git a/util/grub-install.8 b/util/grub-install.8
+new file mode 100644
+index 00000000000..1db89e94b3b
+--- /dev/null
++++ b/util/grub-install.8
+@@ -0,0 +1,128 @@
++.TH GRUB-INSTALL 1 "Wed Feb 26 2014"
++.SH NAME
++\fBgrub-install\fR \(em Install GRUB on a device.
++
++.SH SYNOPSIS
++\fBgrub-install\fR [--modules=\fIMODULES\fR] [--install-modules=\fIMODULES\fR]
++.RS 14
++[--themes=\fITHEMES\fR] [--fonts=\fIFONTS\fR] [--locales=\fILOCALES\fR]
++.RE
++.RS 14
++[--compress[=\fIno\fR,\fIxz\fR,\fIgz\fR,\fIlzo\fR]] [-d | --directory=\fIDIR\fR]
++.RE
++.RS 14
++[--grub-mkimage=\fIFILE\fR] [--boot-directory=\fIDIR\fR]
++.RE
++.RS 14
++[--target=\fITARGET\fR] [--grub-setup=\fIFILE\fR]
++.RE
++.RS 14
++[--grub-mkrelpath=\fIFILE\fR] [--grub-probe=\fIFILE\fR]
++.RE
++.RS 14
++[--allow-floppy] [--recheck] [--force] [--force-file-id]
++.RE
++.RS 14
++[--disk-module=\fIMODULE\fR] [--no-nvram] [--removable]
++.RE
++.RS 14
++[--bootloader-id=\fIID\fR] [--efi-directory=\fIDIR\fR] \fIINSTALL_DEVICE\fR
++
++.SH DESCRIPTION
++\fBgrub-install\fR installs GRUB onto a device. This includes copying GRUB images into the target directory (generally \fI/boot/grub\fR), and on some platforms may also include installing GRUB onto a boot sector.
++
++.SH OPTIONS
++.TP
++\fB--modules\fR=\fIMODULES\fR\!
++Pre-load modules specified by \fIMODULES\fR.
++
++.TP
++\fB--install-modules\fR=\fIMODULES\fR
++Install only \fIMODULES\fR and their dependencies. The default is to install all available modules.
++
++.TP
++\fB--themes\fR=\fITHEMES\fR
++Install \fITHEMES\fR. The default is to install the \fIstarfield\fR theme, if available.
++
++.TP
++\fB--fonts\fR=\fIFONTS\fR
++Install \fIFONTS\fR. The default is to install the \fIunicode\fR font.
++
++.TP
++\fB--locales\fR=\fILOCALES\fR
++Install only locales listed in \fILOCALES\fR. The default is to install all available locales.
++
++.TP
++\fB--compress\fR=\fIno\fR,\fIxz\fR,\fIgz\fR,\fIlzo\fR
++Compress GRUB files using the specified compression algorithm.
++
++.TP
++\fB--directory\fR=\fIDIR\fR
++Use images and modules in \fIDIR\fR.
++
++.TP
++\fB--grub-mkimage\fR=\fIFILE\fR
++Use \fIFILE\fR as \fBgrub-mkimage\fR. The default is \fI/usr/bin/grub-mkimage\fR.
++
++.TP
++\fB--boot-directory\fR=\fIDIR\fR
++Use \fIDIR\fR as the boot directory. The default is \fI/boot\fR. GRUB will put its files in a subdirectory of this directory named \fIgrub\fR.
++
++.TP
++\fB--target\fR=\fITARGET\fR
++Install GRUB for \fITARGET\fR platform. The default is the platform \fBgrub-install\fR is running on.
++
++.TP
++\fB--grub-setup\fR=\fIFILE\fR
++Use \fIFILE\fR as \fBgrub-setup\fR. The default is \fI/usr/bin/grub-setup\fR.
++
++.TP
++\fB--grub-mkrelpath\fR=\fIFILE\fR
++Use \fIFILE\fR as \fBgrub-mkrelpath\fR. The default is \fI/usr/bin/grub-mkrelpath\fR.
++
++.TP
++\fB--grub-probe\fR=\fIFILE\fR
++Use \fIFILE\fR as \fBgrub-probe\fR. The default is \fI/usr/bin/grub-mkrelpath\fR.
++
++.TP
++\fB--allow-floppy
++Make the device also bootable as a floppy. This option is the default for /dev/fdX devices. Some BIOSes will not boot images created with this option.
++
++.TP
++\fB--recheck
++Delete any existing device map and create a new one if necessary.
++
++.TP
++\fB--force
++Install even if problems are detected.
++
++.TP
++\fB--force-file-id
++Use identifier file even if UUID is available.
++
++.TP
++\fB--disk-module\fR=\fIMODULE\fR
++Use \fIMODULE\fR for disk access. This allows you to manually specify either \fIbiosdisk\fR or \fInative\fR disk access. This option is only available on the BIOS target platform.
++
++.TP
++\fB--no-nvram
++Do not update the \fIboot-device\fR NVRAM variable. This option is only available on IEEE1275 target platforms.
++
++.TP
++\fB--removable
++Treat the target device as if it is removeable. This option is only available on the EFI target platform.
++
++.TP
++\fB--bootloader-id\fR=\fIID\fR
++Use \fIID\fR as the bootloader ID. This option is only available on the EFI target platform.
++
++.TP
++\fB--efi-directory\fR=\fIDIR\fR
++Use \fIDIR\fR as the EFI System Partition root. This option is only available on the EFI target platform.
++
++.TP
++\fIINSTALL_DEVICE\fR
++Install GRUB to the block device \fIINSTALL_DEVICE\fR.
++
++.SH SEE ALSO
++.BR "info grub"
+diff --git a/util/grub-kbdcomp.1 b/util/grub-kbdcomp.1
+new file mode 100644
+index 00000000000..0bb969a5b43
+--- /dev/null
++++ b/util/grub-kbdcomp.1
+@@ -0,0 +1,19 @@
++.TH GRUB-KBDCOMP 3 "Wed Feb 26 2014"
++.SH NAME
++\fBgrub-kbdcomp\fR \(em Generate a GRUB keyboard layout file.
++
++.SH SYNOPSIS
++\fBgrub-kbdcomp\fR <-o | --output=\fIFILE\fR> \fICKBMAP_ARGUMENTS\fR
++
++.SH DESCRIPTION
++\fBgrub-kbdcomp\fR processes an X keyboard layout description in
++\fBkeymaps\fR(5) format into a format that can be used by GRUB's \fBkeymap\fR
++command.
++
++.SH OPTIONS
++.TP
++\fB--output\fR=\fIFILE\fR
++Write output to \fIFILE\fR.
++
++.SH SEE ALSO
++.BR "info grub"
+diff --git a/util/grub-macbless.1 b/util/grub-macbless.1
+new file mode 100644
+index 00000000000..41a96186f70
+--- /dev/null
++++ b/util/grub-macbless.1
+@@ -0,0 +1,22 @@
++.TH GRUB-MACBLESS 1 "Wed Feb 26 2014"
++.SH NAME
++\fBgrub-macbless\fR \(em Mac-style bless on HFS or HFS+
++
++.SH SYNOPSIS
++\fBgrub-macbless\fR [-v | --verbose] [-p | --ppc] \fIFILE\fR | [-x | --x86] \fIFILE\fR
++
++.SH OPTIONS
++.TP
++--x86
++Bless for x86 based Macs.
++
++.TP
++--ppc
++Bless for PPC based Macs.
++
++.TP
++--verbose
++Print verbose messages.
++
++.SH SEE ALSO
++.BR "info grub"
+diff --git a/util/grub-menulst2cfg.1 b/util/grub-menulst2cfg.1
+new file mode 100644
+index 00000000000..91e2ef87113
+--- /dev/null
++++ b/util/grub-menulst2cfg.1
+@@ -0,0 +1,12 @@
++.TH GRUB-MENULST2CFG 1 "Wed Feb 26 2014"
++.SH NAME
++\fBgrub-menulst2cfg\fR \(em Convert a configuration file from GRUB 0.xx to GRUB 2.xx format.
++
++.SH SYNOPSIS
++\fBgrub-menulst2cfg\fR [\fIINFILE\fR [\fIOUTFILE\fR]]
++
++.SH DESCRIPTION
++\fBgrub-menulst2cfg\fR converts a configuration file from GRUB 0.xx to the current format.
++
++.SH SEE ALSO
++.BR "info grub"
+diff --git a/util/grub-mkconfig.8 b/util/grub-mkconfig.8
+new file mode 100644
+index 00000000000..a2d1f577b9b
+--- /dev/null
++++ b/util/grub-mkconfig.8
+@@ -0,0 +1,17 @@
++.TH GRUB-MKCONFIG 1 "Wed Feb 26 2014"
++.SH NAME
++\fBgrub-mkconfig\fR \(em Generate a GRUB configuration file.
++
++.SH SYNOPSIS
++\fBgrub-mkconfig\fR [-o | --output=\fIFILE\fR]
++
++.SH DESCRIPTION
++\fBgrub-mkconfig\fR generates a configuration file for GRUB.
++
++.SH OPTIONS
++.TP
++\fB--output\fR=\fIFILE\fR
++Write generated output to \fIFILE\fR.
++
++.SH SEE ALSO
++.BR "info grub"
+diff --git a/util/grub-mkfont.1 b/util/grub-mkfont.1
+new file mode 100644
+index 00000000000..3494857987d
+--- /dev/null
++++ b/util/grub-mkfont.1
+@@ -0,0 +1,87 @@
++.TH GRUB-MKFONT 3 "Wed Feb 26 2014"
++.SH NAME
++\fBgrub-mkfont\fR \(em Convert common font file formats into the PF2 format.
++
++.SH SYNOPSIS
++\fBgrub-mkfont\fR [--ascii-bitmaps] [-a | --force-autohint]
++.RS 13
++[-b | --bold] [-c | --asce=\fINUM\fR] [-d | --desc=\fINUM\fR]
++.RE
++.RS 13
++[-i | --index=\fINUM\fR] [-n | --name=\fINAME\fR] [--no-bitmap]
++.RE
++.RS 13
++[--no-hinting] <-o | --output=\fIFILE\fR>
++.RE
++.RS 13
++[-r | --range=\fIFROM-TO\fR[\fI,FROM-TO\fR]] [-s | --size=\fISIZE\fR]
++.RE
++.RS 13
++[-v | --verbose] [--width-spec] \fIFONT_FILES\fR
++
++.SH DESCRIPTION
++\fBgrub-mkfont\fR converts font files from common formats into the PF2 format used by GRUB.
++
++.SH OPTIONS
++.TP
++--ascii-bitmaps
++Save only bitmaps for ASCII characters.
++
++.TP
++--force-autohint
++Force generation of automatic hinting.
++
++.TP
++--bold
++Convert font to bold.
++
++.TP
++--asce=\fINUM\fR
++Set font ascent to \fINUM\fR.
++
++.TP
++--desc=\fINUM\fR
++Set font descent to \fINUM\fR.
++
++.TP
++--index=\fINUM\fR
++Select face index \fINUM\fR.
++
++.TP
++--name=\fINAME\fR
++Set font family to \fINAME\fR.
++
++.TP
++--no-bitmap
++Ignore bitmap strikes when loading.
++
++.TP
++--no-hinting
++Disable hinting.
++
++.TP
++--output=\fIFILE\fR
++Save ouptut to \fIFILE\fR. This argument is required.
++
++.TP
++--range=\fIFROM-TO\fR\fI,FROM-TO\fR
++Set the font ranges to each pair of \fIFROM\fR,\fITO\fR.
++
++.TP
++--size=\fISIZE\fR
++Set font size to \fISIZE\fR.
++
++.TP
++--verbose
++Print verbose messages.
++
++.TP
++--width-spec
++Create a width summary file.
++
++.TP
++\fIFONT_FILES\fR
++The input files to be converted.
++
++.SH SEE ALSO
++.BR "info grub"
+diff --git a/util/grub-mkimage.1 b/util/grub-mkimage.1
+new file mode 100644
+index 00000000000..4dea4f54597
+--- /dev/null
++++ b/util/grub-mkimage.1
+@@ -0,0 +1,95 @@
++.TH GRUB-MKIMAGE 1 "Wed Feb 26 2014"
++.SH NAME
++\fBgrub-mkimage\fR \(em Make a bootable GRUB image.
++
++.SH SYNOPSIS
++\fBgrub-mkimage\fR [-c | --config=\fRFILE\fI] [-C | --compression=(\fIxz\fR,\fInone\fR,\fIauto\fR)]
++.RS 14
++[-d | --directory=\fRDIR\fR] [-k | --pubkey=\fIFILE\fR]
++.RE
++.RS 14
++[-m | --memdisk=\fIFILE\fR] [-n | --note] [-o | --output=\fIFILE\fR]
++.RE
++.RS 14
++[-O | --format=\fIFORMAT\fR] [-p | --prefix=\fIDIR\fR]
++.RE
++.RS 14
++[-v | --verbose] \fIMODULES\fR
++
++.SH DESCRIPTION
++\fBgrub-mkimage\fI builds a bootable image of GRUB.
++
++.SH OPTIONS
++.TP
++--config=\fIFILE\fR
++Embed \fIFILE\fR as the image's initial configuration file.
++
++.TP
++--compression=(\fIxz\fR,\fInone\fR,\fIauto\fR)
++Use one of \fIxz\fR, \fInone\fR, or \fIauto\fR as the compression method for the core image.
++
++.TP
++--directory=\fIDIR\fR
++Use images and modules from \fIDIR\fR. The default value is \fB/usr/lib/grub/\fR.
++
++.TP
++--pubkey=\fIFILE\fR
++Embed the public key \fIFILE\fR for signature checking.
++
++.TP
++--memdisk=\fIFILE\fR
++Embed the memdisk image \fIFILE\fR. If no \fB-p\fR option is also specified, this implies \fI-p (memdisk)/boot/grub\fR.
++
++.TP
++--note
++Add a CHRP \fINOTE\fR section. This option is only valid on IEEE1275 platforms.
++
++.TP
++--output=\fIFILE\fR
++Write the generated file to \fIFILE\fR. 
The default is to write to standard output.
++
++.TP
++--format=\fIFORMAT\fR
++Generate an image in the specified \fIFORMAT\fR. Valid values are:
++.RS
++.RS 4
++.P
++i386-coreboot,
++i386-multiboot,
++i386-pc,
++i386-pc-pxe,
++i386-efi,
++i386-ieee1275,
++i386-qemu,
++x86_64-efi,
++mipsel-yeeloong-flash,
++mipsel-fuloong2f-flash,
++mipself-loongson-elf,
++powerpc-ieee1275,
++sparc64-ieee1275-raw,
++sparc64-ieee1275-cdcore,
++sparc64-ieee1275-aout,
++ia64-efi,
++mips-arc,
++mipsel-arc,
++mipsel-qemu_mips-elf,
++mips-qemu_mips-flash,
++mipsel-qemu_mips-flash,
++mips-qemu_mips-elf
++.RE
++.RE
++
++.TP
++--prefix=\fIDIR\fR
++Set prefix directory. The default value is \fI/boot/grub\fR.
++
++.TP
++--verbose
++Print verbose messages.
++
++.TP
++\fIMODULES\fR
++Include \fIMODULES\fR.
++
++.SH SEE ALSO
++.BR "info grub"
+diff --git a/util/grub-mklayout.1 b/util/grub-mklayout.1
+new file mode 100644
+index 00000000000..d1bbc2ec515
+--- /dev/null
++++ b/util/grub-mklayout.1
+@@ -0,0 +1,27 @@
++.TH GRUB-MKLAYOUT 3 "Wed Feb 26 2014"
++.SH NAME
++\fBgrub-mklayout\fR \(em Generate a GRUB keyboard layout file.
++
++.SH SYNOPSIS
++\fBgrub-mklayout\fR [-i | --input=\fIFILE\fR] [-o | --output=\fIFILE\fR]
++.RS 15
++[-v | --verbose]
++
++.SH DESCRIPTION
++\fBgrub-mklayout\fR generates a GRUB keyboard layout description which corresponds with the Linux console layout description given as input.
++
++.SH OPTIONS
++.TP
++--input=\fIFILE\fR
++Use \fIFILE\fR as the input. The default value is the standard input device.
++
++.TP
++--output=\fIFILE\fR
++Use \fIFILE\fR as the output. The default value is the standard output device.
++
++.TP
++--verbose
++Print verbose messages.
++
++.SH SEE ALSO
++.BR "info grub"
+diff --git a/util/grub-mknetdir.1 b/util/grub-mknetdir.1
+new file mode 100644
+index 00000000000..fa7e8d4ef0d
+--- /dev/null
++++ b/util/grub-mknetdir.1
+@@ -0,0 +1,12 @@
++.TH GRUB-MKNETDIR 3 "Wed Feb 26 2014"
++.SH NAME
++\fBgrub-mknetdir\fR \(em Prepare a GRUB netboot directory.
++
++.SH SYNOPSIS
++\fBgrub-mknetdir\fR
++
++.SH DESCRIPTION
++\fBgrub-mknetdir\fR prepares a directory for GRUB to be netbooted from.
++
++.SH SEE ALSO
++.BR "info grub"
+diff --git a/util/grub-mkpasswd-pbkdf2.1 b/util/grub-mkpasswd-pbkdf2.1
+new file mode 100644
+index 00000000000..73c437c15d8
+--- /dev/null
++++ b/util/grub-mkpasswd-pbkdf2.1
+@@ -0,0 +1,27 @@
++.TH GRUB-MKPASSWD-PBKDF2 3 "Wed Feb 26 2014"
++.SH NAME
++\fBgrub-mkpasswd-pbkdf2\fR \(em Generate a PBKDF2 password hash.
++
++.SH SYNOPSIS
++\fBgrub-mkpasswd-pbkdf2\fR [-c | --iteration-count=\fINUM\fR] [-l | --buflen=\fINUM\fR]
++.RS 22
++[-s | --salt=\fINUM\fR]
++
++.SH DESCRIPTION
++\fBgrub-mkpasswd-pbkdf2\fR generates a PBKDF2 password string suitable for use in a GRUB configuration file.
++
++.SH OPTIONS
++.TP
++--iteration-count=\fINUM\fR
++Number of PBKDF2 iterations.
++
++.TP
++--buflen=\fINUM\fR
++Length of generated hash.
++
++.TP
++--salt=\fINUM\fR
++Length of salt to use.
++
++.SH SEE ALSO
++.BR "info grub"
+diff --git a/util/grub-mkrelpath.1 b/util/grub-mkrelpath.1
+new file mode 100644
+index 00000000000..85f1113621d
+--- /dev/null
++++ b/util/grub-mkrelpath.1
+@@ -0,0 +1,12 @@
++.TH GRUB-MKRELPATH 3 "Wed Feb 26 2014"
++.SH NAME
++\fBgrub-mkrelpath\fR \(em Generate a relative GRUB path given an OS path.
++
++.SH SYNOPSIS
++\fBgrub-mkrelpath\fR \fIFILE\fR
++
++.SH DESCRIPTION
++\fBgrub-mkrelpath\fR takes an OS filesystem path for \fIFILE\fR and returns a relative path suitable for use in a GRUB configuration file.
++
++.SH SEE ALSO
++.BR "info grub"
+diff --git a/util/grub-mkrescue.1 b/util/grub-mkrescue.1
+new file mode 100644
+index 00000000000..4ed9fc723fd
+--- /dev/null
++++ b/util/grub-mkrescue.1
+@@ -0,0 +1,123 @@
++.TH GRUB-MKRESCUE 3 "Wed Feb 26 2014"
++.SH NAME
++grub-mkrescue \(em Generate a GRUB rescue image using GNU Xorriso.
++
++.SH SYNOPSIS
++\fBgrub-mkrescue\fR [-o | --output=\fIFILE\fR] [--modules=\fIMODULES\fR]
++.RS 15
++[--install-modules=\fIMODULES\fR] [--themes=\fITHEMES\fR]
++.RE
++.RS 15
++[--fonts=\fIFONTS\fR] [--locales=\fILOCALES\fR]
++.RE
++.RS 15
++[--compress[=\fIno\fR,\fIxz\fR,\fIgz\fR,\fIlzo\fR]] [-d | --directory=\fIDIR\fR]
++.RE
++.RS 15
++[--grub-mkimage=\fIFILE\fR] [--rom-directory=\fIDIR\fR]
++.RE
++.RS 15
++[--xorriso=\fIFILE\fR] [--grub-glue-efi=\fIFILE\fR]
++.RE
++.RS 15
++[--grub-render-label=\fIFILE\fR] [--label-font=\fIFILE\fR]
++.RE
++.RS 15
++[--label-color=\fICOLOR\fR] [--label-bgcolor=\fIFILE\fR]
++.RE
++.RS 15
++[--product-name=\fISTRING\fR] [--product-version=\fISTRING\fR]
++.RE
++.RS 15
++[--sparc-boot] [--arcs-boot]
++
++.SH DESCRIPTION
++\fBgrub-mkrescue\fR can be used to generate a rescue image with the GRUB bootloader.
++
++.SH OPTIONS
++.TP
++\fB--output\fR=\fIFILE\fR
++Write the generated file to \fIFILE\fR. The default is to write to standard output.
++
++.TP
++\fB--modules\fR=\fIMODULES\fR
++Pre-load modules specified by \fIMODULES\fR.
++
++.TP
++\fB--install-modules\fR=\fIMODULES\fR
++Install only \fIMODULES\fR and their dependencies. The default is to install all available modules.
++
++.TP
++\fB--themes\fR=\fITHEMES\fR
++Install \fITHEMES\fR. The default is to install the \fIstarfield\fR theme, if available.
++
++.TP
++\fB--fonts\fR=\fIFONTS\fR
++Install \fIFONTS\fR. The default is to install the \fIunicode\fR font.
++
++.TP
++\fB--locales\fR=\fILOCALES\fR
++Install only locales listed in \fILOCALES\fR. The default is to install all available locales.
++
++.TP
++\fB--compress\fR[=\fIno\fR,\fIxz\fR,\fIgz\fR,\fIlzo\fR]
++Compress GRUB files using the specified compression algorithm.
++
++.TP
++\fB--directory\fR=\fIDIR\fR
++Use images and modules in \fIDIR\fR.
++
++.TP
++\fB--grub-mkimage\fR=\fIFILE\fR
++Use \fIFILE\fR as \fBgrub-mkimage\fR(1). The default is \fI/usr/bin/grub-mkimage\fR.
++
++.TP
++\fB--rom-directory\fR=\fIDIR\fR
++Save ROM images in \fIDIR\fR.
++
++.TP
++\fB--xorriso\fR=\fIFILE\fR
++Use \fIFILE\fR as \fBxorriso\fI.
++
++.TP
++\fB--grub-glue-efi\fR=\fIFILE\fR
++Use \fIFILE\fR as \fBgrub-glue-efi\fR(3).
++
++.TP
++\fB--grub-render-label\fR=\fIFILE\fR
++Use \fIFILE\fR as \fBgrub-render-label\fR(3).
++
++.TP
++\fB--label-font\fR=\fIFILE\fR
++Use \fIFILE\fR as the font file for generated labels.
++
++.TP
++\fB--label-color\fR=\fICOLOR\fR
++Use \fICOLOR\fI as the color for generated labels.
++
++.TP
++\fB--label-bgcolor\fR=\fICOLOR\fR
++Use \fICOLOR\fR as the background color for generated labels.
++
++.TP
++\fB--product-name\fR=\fISTRING\fR
++Use \fISTRING\fR as the product name in generated labels.
++
++.TP
++\fB--product-version\fR=\fISTRING\fR
++Use \fISTRING\fR as the product version in generated labels.
++
++.TP
++\fB--sparc-boot\fR
++Enable booting the SPARC platform. This disables HFS+, APM, ARCS, and "boot as disk image" on the \fIi386-pc\fR target platform.
++
++.TP
++\fB--arcs-boot\fR
++Enable ARCS booting. This is typically for big-endian MIPS machines, and disables HFS+, APM, sparc64, and "boot as disk image" on the \fIi386-pc\fR target platform.
++
++.TP
++\fB--\fR
++All options after a \fB--\fR will be passed directly to xorriso's command line when generating the image.
++
++.SH SEE ALSO
++.BR "info grub"
+diff --git a/util/grub-mkstandalone.1 b/util/grub-mkstandalone.1
+new file mode 100644
+index 00000000000..ba2d2bdf279
+--- /dev/null
++++ b/util/grub-mkstandalone.1
+@@ -0,0 +1,100 @@
++.TH GRUB-MKSTANDALONE 3 "Wed Feb 26 2014"
++.SH NAME
++\fBgrub-mkstandalone\fR \(em Generate a standalone image in the selected format.
++
++.SH SYNOPSIS
++\fBgrub-mkstandalone\fR [-o | --output=\fIFILE\fR] [-O | --format=\fIFORMAT\fR]
++.RS 19
++[-C | --compression=(\fIxz\fR|\fInone\fR|\fIauto\fR)]
++.RE
++.RS 19
++[--modules=\fIMODULES\fR] [--install-modules=\fIMODULES\fR]
++.RE
++.RS 19
++[--themes=\fITHEMES\fR] [--fonts=\fIFONTS\fR]
++.RE
++.RS 19
++[--locales=\fILOCALES\fR] [--compress[=\fIno\fR,\fIxz\fR,\fIgz\fR,\fIlzo\fR]]
++.RE
++.RS 19
++[-d | --directory=\fIDIR\fR] [--grub-mkimage=\fIFILE\fR]
++.RE
++.RS 19
++\fISOURCE...\fR
++
++.SH DESCRIPTION
++
++.SH OPTIONS
++.TP
++--output=\fIFILE\fR
++Write the generated file to \fIFILE\fR. The default is to write to standard output.
++
++.TP
++--format=\fIFORMAT\fR
++Generate an image in the specified \fIFORMAT\fR. Valid values are:
++.RS
++.RS 4
++.P
++i386-coreboot,
++i386-multiboot,
++i386-pc,
++i386-pc-pxe,
++i386-efi,
++i386-ieee1275,
++i386-qemu,
++x86_64-efi,
++mipsel-yeeloong-flash,
++mipsel-fuloong2f-flash,
++mipself-loongson-elf,
++powerpc-ieee1275,
++sparc64-ieee1275-raw,
++sparc64-ieee1275-cdcore,
++sparc64-ieee1275-aout,
++ia64-efi,
++mips-arc,
++mipsel-arc,
++mipsel-qemu_mips-elf,
++mips-qemu_mips-flash,
++mipsel-qemu_mips-flash,
++mips-qemu_mips-elf
++.RE
++.RE
++
++.TP
++--compression=(\fIxz\fR|\fInone\fR|\fIauto\fR)
++Use one of \fIxz\fR, \fInone\fR, or \fIauto\fR as the compression method for the core image.
++
++.TP
++--modules=\fIMODULES\fR
++Pre-load modules specified by \fIMODULES\fR.
++
++.TP
++--install-modules=\fIMODULES\fR
++Install only \fIMODULES\fR and their dependencies. The default is to install all available modules.
++
++.TP
++--themes=\fITHEMES\fR
++Install \fITHEMES\fR. The default is to install the \fIstarfield\fR theme, if available.
++
++.TP
++--fonts=\fIFONTS\fR
++Install \fIFONTS\fR. The default is to install the \fIunicode\fR font.
++
++.TP
++--locales=\fILOCALES\fR
++Install only locales listed in \fILOCALES\fR. The default is to install all available locales.
++
++.TP
++--compress[=\fIno\fR,\fIxz\fR,\fIgz\fR,\fIlzo\fR]
++Compress GRUB files using the specified compression algorithm.
++
++.TP
++--directory=\fIDIR\fR
++Use images and modules in \fIDIR\fR.
++
++.TP
++--grub-mkimage=\fIFILE\fR
++Use \fIFILE\fR as \fBgrub-mkimage\fR. The default is \fI/usr/bin/grub-mkimage\fR.
++
++.SH SEE ALSO
++.BR "info grub"
+diff --git a/util/grub-ofpathname.8 b/util/grub-ofpathname.8
+new file mode 100644
+index 00000000000..bf3743aeba1
+--- /dev/null
++++ b/util/grub-ofpathname.8
+@@ -0,0 +1,12 @@
++.TH GRUB-OFPATHNAME 3 "Wed Feb 26 2014"
++.SH NAME
++\fBgrub-ofpathname\fR \(em Generate an IEEE-1275 device path for a specified device.
++
++.SH SYNOPSIS
++\fBgrub-ofpathname\fR \fIDEVICE\fR
++
++.SH DESCRIPTION
++\fBgrub-ofpathname\fR generates an IEEE-1275 device path for the specified \fIDEVICE\fR.
++
++.SH SEE ALSO
++.BR "info grub"
+diff --git a/util/grub-probe.8 b/util/grub-probe.8
+new file mode 100644
+index 00000000000..04e26c832bb
+--- /dev/null
++++ b/util/grub-probe.8
+@@ -0,0 +1,80 @@
++.TH GRUB-PROBE 3 "Wed Feb 26 2014"
++.SH NAME
++\fBgrub-probe\fR \(em Probe device information for a given path.
++
++.SH SYNOPSIS
++\fBgrub-probe\fR \[-d | --device] [-m | --device-map=\fIFILE\fR]
++.RS 12
++[-t | --target=(fs|fs_uuid|fs_label|drive|device|partmap|
++.RE
++.RS 28
++abstraction|cryptodisk_uuid|
++.RE
++.RS 28
++msdos_parttype)]
++.RE
++.RS 12
++[-v | --verbose] (PATH|DEVICE)
++
++.SH DESCRIPTION
++\fBgrub-probe\fR probes a path or device for filesystem and related information.
++
++.SH OPTIONS
++.TP
++--device
++Final option represents a \fIDEVICE\fR, rather than a filesystem \fIPATH\fR.
++.TP
++--device-map=\fIFILE\fR
++Use \fIFILE\fR as the device map. The default value is \fI/boot/grub/device.map\fR.
++
++.TP
++--target=(fs|fs_uuid|fs_label|drive|device|partmap|msdos_parttype)
++Select among various output definitions. The default is \fIfs\fR.
++.RS
++.TP
++\fIfs\fR
++filesystem module
++
++.TP
++\fIfs_uuid\fR
++filesystem UUID
++
++.TP
++\fIfs_label\fR
++filesystem label
++
++.TP
++\fIdrive\fR
++GRUB drive name
++
++.TP
++\fIdevice\fR
++System device
++
++.TP
++\fIpartmap\fR
++partition map module
++
++.TP
++\fIabstraction\fR
++abstraction module
++
++.TP
++\fIcryptodisk_uuid\fR
++cryptographic container
++
++.TP
++\fImsdos_partmap\fR
++MS-DOS partition map
++.RE
++
++.TP
++--verbose
++Print verbose output.
++
++.TP
++(\fIPATH\fR|\fIDEVICE\fR)
++If --device is passed, a block \fIDEVICE\fR. Otherwise, the \fIPATH\fR of a file on the filesystem.
++
++.SH SEE ALSO
++.BR "info grub"
+diff --git a/util/grub-reboot.8 b/util/grub-reboot.8
+new file mode 100644
+index 00000000000..faa5e4eece2
+--- /dev/null
++++ b/util/grub-reboot.8
+@@ -0,0 +1,21 @@
++.TH GRUB-REBOOT 3 "Wed Feb 26 2014"
++.SH NAME
++\fBgrub-reboot\fR \(em Set the default boot menu entry for the next boot only.
++
++.SH SYNOPSIS
++\fBgrub-reboot\fR [--boot-directory=\fIDIR\fR] \fIMENU_ENTRY\fR
++
++.SH DESCRIPTION
++\fBgrub-reboot\fR sets the default boot menu entry for the next boot, but not further boots after that. This command only works for GRUB configuration files created with \fIGRUB_DEFAULT=saved\fR in \fI/etc/default/grub\fR.
++
++.SH OPTIONS
++.TP
++--boot-directory=\fIDIR\fR
++Find GRUB images under \fIDIR/grub\fR. The default value is \fI/boot\fR, resulting in grub images being search for at \fI/boot/grub\fR.
++
++.TP
++\fIMENU_ENTRY\fR
++A number, a menu item title or a menu item identifier.
++
++.SH SEE ALSO
++.BR "info grub"
+diff --git a/util/grub-render-label.1 b/util/grub-render-label.1
+new file mode 100644
+index 00000000000..4d51c8abf01
+--- /dev/null
++++ b/util/grub-render-label.1
+@@ -0,0 +1,51 @@
++.TH GRUB-RENDER-LABEL 3 "Wed Feb 26 2014"
++.SH NAME
++\fBgrub-render-label\fR \(em Render an Apple disk label.
++
++.SH SYNOPSIS
++\fBgrub-render-label\fR [-b | --bgcolor=\fICOLOR\fR] [-c | --color=\fICOLOR\fR]
++.RS 19
++[-f | --font=\fIFILE\fR] [-i | --input=\fIFILE\fR]
++.RE
++.RS 19
++[-o | --output=\fIFILE\fR] [-t | --text=\fISTRING\fR]
++.RE
++.RS 19
++[-v | --verbose]
++
++.SH DESCRIPTION
++\fBgrub-render-label\fR renders an Apple disk label (.disk_label) file.
++
++
++.SH OPTIONS
++.TP
++\fB--color\fR=\fICOLOR\fR
++Use \fICOLOR\fI as the color for generated labels.
++
++.TP
++\fB--bgcolor\fR=\fICOLOR\fR
++Use \fICOLOR\fR as the background color for generated labels.
++
++.TP
++\fB--font\fR=\fIFILE\fR
++Use \fIFILE\fR as the font file for generated labels.
++
++.TP
++--input=\fIFILE\fR
++Read input text from \fIFILE\fR.
++
++.TP
++--output=\fIFILE\fR
++Render output to \fIFILE\fR.
++
++.TP
++--text=\fISTRING\fR
++Use \fISTRING\fR as input text.
++
++.TP
++--verbose
++Print verbose output.
++
++
++.SH SEE ALSO
++.BR "info grub"
+diff --git a/util/grub-script-check.1 b/util/grub-script-check.1
+new file mode 100644
+index 00000000000..0f1f625b05d
+--- /dev/null
++++ b/util/grub-script-check.1
+@@ -0,0 +1,21 @@
++.TH GRUB-SCRIPT-CHECK 3 "Wed Feb 26 2014"
++.SH NAME
++\fBgrub-script-check\fR \(em Check GRUB configuration file for syntax errors.
++
++.SH SYNOPSIS
++\fBgrub-script-check\fR [-v | --verbose] \fIPATH\fR
++
++.SH DESCRIPTION
++\fBgrub-script-check\fR verifies that a specified GRUB configuration file does not contain syntax errors.
++
++.SH OPTIONS
++.TP
++--verbose
++Print verbose output.
++
++.TP
++\fIPATH\fR
++Path of the file to use as input.
++
++.SH SEE ALSO
++.BR "info grub"
+diff --git a/util/grub-set-default.8 b/util/grub-set-default.8
+new file mode 100644
+index 00000000000..a96265a1509
+--- /dev/null
++++ b/util/grub-set-default.8
+@@ -0,0 +1,21 @@
++.TH GRUB-SET-DEFAULT 1 "Wed Feb 26 2014"
++.SH NAME
++\fBgrub-set-default\fR \(em Set the default boot menu entry for GRUB.
++
++.SH SYNOPSIS
++\fBgrub-set-default\fR [--boot-directory=\fIDIR\fR] \fIMENU_ENTRY\fR
++
++.SH DESCRIPTION
++\fBgrub-set-default\fR sets the default boot menu entry for all subsequent boots. This command only works for GRUB configuration files created with \fIGRUB_DEFAULT=saved\fR in \fI/etc/default/grub\fR.
++
++.SH OPTIONS
++.TP
++--boot-directory=\fIDIR\fR
++Find GRUB images under \fIDIR/grub\fR. The default value is \fI/boot\fR, resulting in grub images being search for at \fI/boot/grub\fR.
++
++.TP
++\fIMENU_ENTRY\fR
++A number, a menu item title or a menu item identifier.
++
++.SH SEE ALSO
++.BR "info grub"
+diff --git a/util/grub-sparc64-setup.8 b/util/grub-sparc64-setup.8
+new file mode 100644
+index 00000000000..37ea2dd5eaa
+--- /dev/null
++++ b/util/grub-sparc64-setup.8
+@@ -0,0 +1,12 @@
++.TH GRUB-SPARC64-SETUP 3 "Wed Feb 26 2014"
++.SH NAME
++\fBgrub-sparc64-setup\fR \(em Set up a device to boot a sparc64 GRUB image.
++
++.SH SYNOPSIS
++\fBgrub-sparc64-setup\fR [OPTIONS].
++
++.SH DESCRIPTION
++You should not normally run this program directly. Use grub-install instead.
++
++.SH SEE ALSO
++.BR "info grub"
diff --git a/SPECS/grub2/0052-Make-our-info-pages-say-grub2-where-appropriate.patch b/SPECS/grub2/0052-Make-our-info-pages-say-grub2-where-appropriate.patch
new file mode 100644
index 00000000000..e09306741c2
--- /dev/null
+++ b/SPECS/grub2/0052-Make-our-info-pages-say-grub2-where-appropriate.patch
@@ -0,0 +1,1014 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Tue, 9 Jul 2019 12:59:58 +0200
+Subject: [PATCH] Make our info pages say "grub2" where appropriate.
+
+This needs to be hooked up to --program-transform=, but I haven't had
+time.
+
+Signed-off-by: Peter Jones
+---
+ docs/grub-dev.texi | 4 +-
+ docs/grub.texi | 323 ++++++++++++++++++++++++++++-------------------
+ 2 files changed, 172 insertions(+), 155 deletions(-)
+
+diff --git a/docs/grub-dev.texi b/docs/grub-dev.texi
+index a834b3a9c32..a55af53fd45 100644
+--- a/docs/grub-dev.texi
++++ b/docs/grub-dev.texi
+@@ -1,7 +1,7 @@
+ \input texinfo
+ @c -*-texinfo-*-
+ @c %**start of header
+-@setfilename grub-dev.info
++@setfilename grub2-dev.info
+ @include version-dev.texi
+ @settitle GNU GRUB Developers Manual @value{VERSION}
+ @c Unify all our little indices for now.
+@@ -32,7 +32,7 @@ Invariant Sections.
+ 
+ @dircategory Kernel
+ @direntry
+-* grub-dev: (grub-dev). The GRand Unified Bootloader Dev
++* grub2-dev: (grub2-dev). The GRand Unified Bootloader Dev
+ @end direntry
+ 
+ @setchapternewpage odd
+diff --git a/docs/grub.texi b/docs/grub.texi
+index eeb3118ebde..aa3a7de9d4f 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -1,7 +1,7 @@
+ \input texinfo
+ @c -*-texinfo-*-
+ @c %**start of header
+-@setfilename grub.info
++@setfilename grub2.info
+ @include version.texi
+ @settitle GNU GRUB Manual @value{VERSION}
+ @c Unify all our little indices for now.
+@@ -32,15 +32,15 @@ Invariant Sections.
+ 
+ @dircategory Kernel
+ @direntry
+-* GRUB: (grub). The GRand Unified Bootloader
+-* grub-install: (grub)Invoking grub-install. Install GRUB on your drive
+-* grub-mkconfig: (grub)Invoking grub-mkconfig. Generate GRUB configuration
+-* grub-mkpasswd-pbkdf2: (grub)Invoking grub-mkpasswd-pbkdf2.
+-* grub-mkrelpath: (grub)Invoking grub-mkrelpath.
+-* grub-mkrescue: (grub)Invoking grub-mkrescue. Make a GRUB rescue image
+-* grub-mount: (grub)Invoking grub-mount. Mount a file system using GRUB
+-* grub-probe: (grub)Invoking grub-probe. Probe device information
+-* grub-script-check: (grub)Invoking grub-script-check.
++* GRUB2: (grub2). The GRand Unified Bootloader
++* grub2-install: (grub2)Invoking grub2-install. Install GRUB on your drive
++* grub2-mkconfig: (grub2)Invoking grub2-mkconfig. Generate GRUB configuration
++* grub2-mkpasswd-pbkdf2: (grub2)Invoking grub2-mkpasswd-pbkdf2.
++* grub2-mkrelpath: (grub2)Invoking grub2-mkrelpath.
++* grub2-mkrescue: (grub2)Invoking grub2-mkrescue. Make a GRUB rescue image
++* grub2-mount: (grub2)Invoking grub2-mount. Mount a file system using GRUB
++* grub2-probe: (grub2)Invoking grub2-probe. Probe device information
++* grub2-script-check: (grub2)Invoking grub2-script-check.
+ @end direntry
+ 
+ @setchapternewpage odd
+@@ -103,15 +103,15 @@ This edition documents version @value{VERSION}.
+ * Platform-specific operations:: Platform-specific operations
+ * Supported kernels:: The list of supported kernels
+ * Troubleshooting:: Error messages produced by GRUB
+-* Invoking grub-install:: How to use the GRUB installer
+-* Invoking grub-mkconfig:: Generate a GRUB configuration file
+-* Invoking grub-mkpasswd-pbkdf2::
++* Invoking grub2-install:: How to use the GRUB installer
++* Invoking grub2-mkconfig:: Generate a GRUB configuration file
++* Invoking grub2-mkpasswd-pbkdf2::
+ Generate GRUB password hashes
+-* Invoking grub-mkrelpath:: Make system path relative to its root
+-* Invoking grub-mkrescue:: Make a GRUB rescue image
+-* Invoking grub-mount:: Mount a file system using GRUB
+-* Invoking grub-probe:: Probe device information for GRUB
+-* Invoking grub-script-check:: Check GRUB script file for syntax errors
++* Invoking grub2-mkrelpath:: Make system path relative to its root
++* Invoking grub2-mkrescue:: Make a GRUB rescue image
++* Invoking grub2-mount:: Mount a file system using GRUB
++* Invoking grub2-probe:: Probe device information for GRUB
++* Invoking grub2-script-check:: Check GRUB script file for syntax errors
+ * Obtaining and Building GRUB:: How to obtain and build GRUB
+ * Reporting bugs:: Where you should send a bug report
+ * Future:: Some future plans on GRUB
+@@ -230,7 +230,7 @@ surprising.
+ 
+ @item
+ @file{grub.cfg} is typically automatically generated by
+-@command{grub-mkconfig} (@pxref{Simple configuration}). This makes it
++@command{grub2-mkconfig} (@pxref{Simple configuration}). This makes it
+ easier to handle versioned kernel upgrades.
+ 
+ @item
+@@ -244,7 +244,7 @@ scripting language: variables, conditionals, and loops are available.
+ @item
+ A small amount of persistent storage is available across reboots, using the
+ @command{save_env} and @command{load_env} commands in GRUB and the
+-@command{grub-editenv} utility. This is not available in all configurations
++@command{grub2-editenv} utility. This is not available in all configurations
+ (@pxref{Environment block}).
+ 
+ @item
+@@ -549,7 +549,7 @@ On OS which have device nodes similar to Unix-like OS GRUB tools use the
+ OS name. E.g. for GNU/Linux:
+ 
+ @example
+-# @kbd{grub-install /dev/sda}
++# @kbd{grub2-install /dev/sda}
+ @end example
+ 
+ On AROS we use another syntax. For volumes:
+@@ -572,7 +572,7 @@ For disks we use syntax:
+ E.g.
+ 
+ @example
+-# @kbd{grub-install //:ata.device/0/0}
++# @kbd{grub2-install //:ata.device/0/0}
+ @end example
+ 
+ On Windows we use UNC path. For volumes it's typically
+@@ -599,7 +599,7 @@ For disks it's
+ E.g.
+ 
+ @example
+-# @kbd{grub-install \\?\PhysicalDrive0}
++# @kbd{grub2-install \\?\PhysicalDrive0}
+ @end example
+ 
+ Beware that you may need to further escape the backslashes depending on your
+@@ -609,7 +609,7 @@ When compiled with cygwin support then cygwin drive names are automatically
+ when needed. E.g.
+ 
+ @example
+-# @kbd{grub-install /dev/sda}
++# @kbd{grub2-install /dev/sda}
+ @end example
+ 
+ @node Installation
+@@ -622,7 +622,7 @@ from the source tarball, or as a package for your OS.
+ 
+ After you have done that, you need to install the boot loader on a
+ drive (floppy or hard disk) by using the utility
+-@command{grub-install} (@pxref{Invoking grub-install}) on a UNIX-like OS.
++@command{grub2-install} (@pxref{Invoking grub2-install}) on a UNIX-like OS.
+ 
+ GRUB comes with boot images, which are normally put in the directory
+ @file{/usr/lib/grub/-} (for BIOS-based machines
+@@ -633,22 +633,22 @@ loader needs to find them (usually @file{/boot}) will be called
+ the @dfn{boot directory}.
+ 
+ @menu
+-* Installing GRUB using grub-install::
++* Installing GRUB using grub2-install::
+ * Making a GRUB bootable CD-ROM::
+ * Device map::
+ * BIOS installation::
+ @end menu
+ 
+ 
+-@node Installing GRUB using grub-install
+-@section Installing GRUB using grub-install
++@node Installing GRUB using grub2-install
++@section Installing GRUB using grub2-install
+ 
+ For information on where GRUB should be installed on PC BIOS platforms,
+ @pxref{BIOS installation}.
+ 
+ In order to install GRUB under a UNIX-like OS (such
+-as @sc{gnu}), invoke the program @command{grub-install} (@pxref{Invoking
+-grub-install}) as the superuser (@dfn{root}).
++as @sc{gnu}), invoke the program @command{grub2-install} (@pxref{Invoking
++grub2-install}) as the superuser (@dfn{root}).
+ 
+ The usage is basically very simple. You only need to specify one
+ argument to the program, namely, where to install the boot loader. The
+@@ -657,13 +657,13 @@ For example, under Linux the following will install GRUB into the MBR
+ of the first IDE disk:
+ 
+ @example
+-# @kbd{grub-install /dev/sda}
++# @kbd{grub2-install /dev/sda}
+ @end example
+ 
+ Likewise, under GNU/Hurd, this has the same effect:
+ 
+ @example
+-# @kbd{grub-install /dev/hd0}
++# @kbd{grub2-install /dev/hd0}
+ @end example
+ 
+ But all the above examples assume that GRUB should put images under
+@@ -677,7 +677,7 @@ boot floppy with a filesystem. Here is an example:
+ # @kbd{mke2fs /dev/fd0}
+ # @kbd{mount -t ext2 /dev/fd0 /mnt}
+ # @kbd{mkdir /mnt/boot}
+-# @kbd{grub-install --boot-directory=/mnt/boot /dev/fd0}
++# @kbd{grub2-install --boot-directory=/mnt/boot /dev/fd0}
+ # @kbd{umount /mnt}
+ @end group
+ @end example
+@@ -689,30 +689,37 @@ floppy instead of exposing the USB drive as a hard disk (they call it
+ @example
+ # @kbd{losetup /dev/loop0 /dev/sdb1}
+ # @kbd{mount /dev/loop0 /mnt/usb}
+-# @kbd{grub-install --boot-directory=/mnt/usb/bugbios --force --allow-floppy /dev/loop0}
++# @kbd{grub2-install --boot-directory=/mnt/usb/bugbios --force --allow-floppy /dev/loop0}
+ @end example
+ 
+ This install doesn't conflict with standard install as long as they are in
+ separate directories.
+ 
++Note that @command{grub2-install} is actually just a shell script and the
++real task is done by other tools such as @command{grub2-mkimage}. Therefore,
++you may run those commands directly to install GRUB, without using
++@command{grub2-install}. Don't do that, however, unless you are very familiar
++with the internals of GRUB. Installing a boot loader on a running OS may be
++extremely dangerous.
++
+ On EFI systems for fixed disk install you have to mount EFI System Partition.
+ If you mount it at @file{/boot/efi} then you don't need any special arguments:
+ 
+ @example
+-# @kbd{grub-install}
++# @kbd{grub2-install}
+ @end example
+ 
+ Otherwise you need to specify where your EFI System partition is mounted:
+ 
+ @example
+-# @kbd{grub-install --efi-directory=/mnt/efi}
++# @kbd{grub2-install --efi-directory=/mnt/efi}
+ @end example
+ 
+ For removable installs you have to use @option{--removable} and specify both
+ @option{--boot-directory} and @option{--efi-directory}:
+ 
+ @example
+-# @kbd{grub-install --efi-directory=/mnt/usb --boot-directory=/mnt/usb/boot --removable}
++# @kbd{grub2-install --efi-directory=/mnt/usb --boot-directory=/mnt/usb/boot --removable}
+ @end example
+ 
+ @node Making a GRUB bootable CD-ROM
+@@ -732,10 +739,10 @@ usually also need to include a configuration file @file{grub.cfg} and some
+ other GRUB modules.
+ 
+ To make a simple generic GRUB rescue CD, you can use the
+-@command{grub-mkrescue} program (@pxref{Invoking grub-mkrescue}):
++@command{grub2-mkrescue} program (@pxref{Invoking grub2-mkrescue}):
+ 
+ @example
+-$ @kbd{grub-mkrescue -o grub.iso}
++$ @kbd{grub2-mkrescue -o grub.iso}
+ @end example
+ 
+ You will often need to include other files in your image. To do this, first
+@@ -758,7 +765,7 @@ directory @file{iso/}.
+ Finally, make the image:
+ 
+ @example
+-$ @kbd{grub-mkrescue -o grub.iso iso}
++$ @kbd{grub2-mkrescue -o grub.iso iso}
+ @end example
+ 
+ This produces a file named @file{grub.iso}, which then can be burned
+@@ -774,7 +781,7 @@ storage devices.
+ @node Device map
+ @section The map between BIOS drives and OS devices
+ 
+-If the device map file exists, the GRUB utilities (@command{grub-probe},
++If the device map file exists, the GRUB utilities (@command{grub2-probe},
+ etc.) read it to map BIOS drives to OS devices. This file consists of lines
+ like this:
+ 
+@@ -1254,23 +1261,23 @@ need to write the whole thing by hand.
+ @node Simple configuration
+ @section Simple configuration handling
+ 
+-The program @command{grub-mkconfig} (@pxref{Invoking grub-mkconfig})
++The program @command{grub2-mkconfig} (@pxref{Invoking grub2-mkconfig})
+ generates @file{grub.cfg} files suitable for most cases. It is suitable for
+ use when upgrading a distribution, and will discover available kernels and
+ attempt to generate menu entries for them.
+ 
+-@command{grub-mkconfig} does have some limitations. While adding extra
++@command{grub2-mkconfig} does have some limitations. While adding extra
+ custom menu entries to the end of the list can be done by editing
+-@file{/etc/grub.d/40_custom} or creating @file{/boot/grub/custom.cfg},
++@file{/etc/grub.d/40_custom} or creating @file{/boot/grub2/custom.cfg},
+ changing the order of menu entries or changing their titles may require
+ making complex changes to shell scripts stored in @file{/etc/grub.d/}. This
+ may be improved in the future. In the meantime, those who feel that it
+ would be easier to write @file{grub.cfg} directly are encouraged to do so
+ (@pxref{Booting}, and @ref{Shell-like scripting}), and to disable any system
+-provided by their distribution to automatically run @command{grub-mkconfig}.
++provided by their distribution to automatically run @command{grub2-mkconfig}.
+ 
+ The file @file{/etc/default/grub} controls the operation of
+-@command{grub-mkconfig}. It is sourced by a shell script, and so must be
++@command{grub2-mkconfig}. It is sourced by a shell script, and so must be
+ valid POSIX shell input; normally, it will just be a sequence of
+ @samp{KEY=value} lines, but if the value contains spaces or other special
+ characters then it must be quoted. For example:
+@@ -1308,7 +1315,7 @@ works it's not recommended since titles often contain unstable device names
+ and may be translated
+ 
+ If you set this to @samp{saved}, then the default menu entry will be that
+-saved by @samp{GRUB_SAVEDEFAULT} or @command{grub-set-default}. This relies on
++saved by @samp{GRUB_SAVEDEFAULT} or @command{grub2-set-default}. This relies on
+ the environment block, which may not be available in all situations
+ (@pxref{Environment block}).
+ 
+@@ -1319,7 +1326,7 @@ If this option is set to @samp{true}, then, when an entry is selected, save
+ it as a new default entry for use by future runs of GRUB. This is only
+ useful if @samp{GRUB_DEFAULT=saved}; it is a separate option because
+ @samp{GRUB_DEFAULT=saved} is useful without this option, in conjunction with
+-@command{grub-set-default}. Unset by default.
++@command{grub2-set-default}. Unset by default.
+ This option relies on the environment block, which may not be available in
+ all situations (@pxref{Environment block}).
+ 
+@@ -1449,7 +1456,7 @@ intel-uc.img intel-ucode.img amd-uc.img amd-ucode.img early_ucode.cpio microcode
+ @end example
+ 
+ @item GRUB_DISABLE_LINUX_UUID
+-Normally, @command{grub-mkconfig} will generate menu entries that use
++Normally, @command{grub2-mkconfig} will generate menu entries that use
+ universally-unique identifiers (UUIDs) to identify the root filesystem to
+ the Linux kernel, using a @samp{root=UUID=...} kernel parameter. This is
+ usually more reliable, but in some cases it may not be appropriate. To
+@@ -1471,7 +1478,7 @@ If this option is set to @samp{true}, disable the generation of recovery
+ mode menu entries.
+ 
+ @item GRUB_DISABLE_UUID
+-Normally, @command{grub-mkconfig} will generate menu entries that use
++Normally, @command{grub2-mkconfig} will generate menu entries that use
+ universally-unique identifiers (UUIDs) to identify various filesystems to
+ search for files. This is usually more reliable, but in some cases it may
+ not be appropriate. To disable this use of UUIDs, set this option to
+@@ -1482,12 +1489,12 @@ not be appropriate. To disable this use of UUIDs, set this option to
+ @item GRUB_VIDEO_BACKEND
+ If graphical video support is required, either because the @samp{gfxterm}
+ graphical terminal is in use or because @samp{GRUB_GFXPAYLOAD_LINUX} is set,
+-then @command{grub-mkconfig} will normally load all available GRUB video
++then @command{grub2-mkconfig} will normally load all available GRUB video
+ drivers and use the one most appropriate for your hardware. If you need to
+ override this for some reason, then you can set this option.
+ 
+-After @command{grub-install} has been run, the available video drivers are
+-listed in @file{/boot/grub/video.lst}.
++After @command{grub2-install} has been run, the available video drivers are
++listed in @file{/boot/grub2/video.lst}.
+ 
+ @item GRUB_GFXMODE
+ Set the resolution used on the @samp{gfxterm} graphical terminal. Note that
+@@ -1519,20 +1526,20 @@ boot sequence. If you have problems, set this option to @samp{text} and
+ GRUB will tell Linux to boot in normal text mode.
+ 
+ @item GRUB_DISABLE_OS_PROBER
+-The @command{grub-mkconfig} has a feature to use the external
++The @command{grub2-mkconfig} has a feature to use the external
+ @command{os-prober} program to discover other operating systems installed on
+ the same machine and generate appropriate menu entries for them. It is disabled
+ by default since automatic and silent execution of @command{os-prober}, and
+ creating boot entries based on that data, is a potential attack vector. Set
+ this option to @samp{false} to enable this feature in the
+-@command{grub-mkconfig} command.
++@command{grub2-mkconfig} command.
+ 
+ @item GRUB_OS_PROBER_SKIP_LIST
+ List of space-separated FS UUIDs of filesystems to be ignored from os-prober
+ output. For efi chainloaders it's @@
+ 
+ @item GRUB_DISABLE_SUBMENU
+-Normally, @command{grub-mkconfig} will generate top level menu entry for
++Normally, @command{grub2-mkconfig} will generate top level menu entry for
+ the kernel with highest version number and put all other found kernels
+ or alternative menu entries for recovery mode in submenu. For entries returned
+ by @command{os-prober} first entry will be put on top level and all others
+@@ -1540,11 +1547,11 @@ in submenu. If this option is set to @samp{true}, flat menu with all entries
+ on top level will be generated instead. Changing this option will require
+ changing existing values of @samp{GRUB_DEFAULT}, @samp{fallback} (@pxref{fallback})
+ and @samp{default} (@pxref{default}) environment variables as well as saved
+-default entry using @command{grub-set-default} and value used with
+-@command{grub-reboot}.
++default entry using @command{grub2-set-default} and value used with
++@command{grub2-reboot}.
+ 
+ @item GRUB_ENABLE_CRYPTODISK
+-If set to @samp{y}, @command{grub-mkconfig} and @command{grub-install} will
++If set to @samp{y}, @command{grub2-mkconfig} and @command{grub2-install} will
+ check for encrypted disks and generate additional commands needed to access
+ them during boot. Note that in this case unattended boot is not possible
+ because GRUB will wait for passphrase to unlock encrypted container.
+@@ -1603,7 +1610,7 @@ confusing @samp{GRUB_TIMEOUT_STYLE=countdown} or
+ 
+ @end table
+ 
+-For more detailed customisation of @command{grub-mkconfig}'s output, you may
++For more detailed customisation of @command{grub2-mkconfig}'s output, you may
+ edit the scripts in @file{/etc/grub.d} directly.
+ @file{/etc/grub.d/40_custom} is particularly useful for adding entire custom
+ menu entries; simply type the menu entries you want to add at the end of
+@@ -1864,7 +1871,7 @@ images as well.
+ 
+ Mount this partition on/mnt/boot and disable GRUB in all OSes and manually
+ install self-compiled latest GRUB with:
+ 
+-@code{grub-install --boot-directory=/mnt/boot /dev/sda}
++@code{grub2-install --boot-directory=/mnt/boot /dev/sda}
+ 
+ In all the OSes install GRUB tools but disable installing GRUB in bootsector,
+ so you'll have menu.lst and grub.cfg available for use. Also disable os-prober
+@@ -1874,20 +1881,20 @@ use by setting:
+ 
+ in /etc/default/grub
+ 
+-Then write a grub.cfg (/mnt/boot/grub/grub.cfg):
++Then write a grub.cfg (/mnt/boot/grub2/grub.cfg):
+ 
+ @example
+ 
+ menuentry "OS using grub2" @{
+ insmod xfs
+ search --set=root --label OS1 --hint hd0,msdos8
+- configfile /boot/grub/grub.cfg
++ configfile /boot/grub2/grub.cfg
+ @}
+ 
+ menuentry "OS using grub2-legacy" @{
+ insmod ext2
+ search --set=root --label OS2 --hint hd0,msdos6
+- legacy_configfile /boot/grub/menu.lst
++ legacy_configfile /boot/grub2/menu.lst
+ @}
+ 
+ menuentry "Windows XP" @{
+@@ -1950,15 +1957,15 @@ GRUB supports embedding a configuration file directly into the core image,
+ so that it is loaded before entering normal mode. This is useful, for
+ example, when it is not straightforward to find the real configuration file,
+ or when you need to debug problems with loading that file.
+-@command{grub-install} uses this feature when it is not using BIOS disk
++@command{grub2-install} uses this feature when it is not using BIOS disk
+ functions or when installing to a different disk from the one containing
+ @file{/boot/grub}, in which case it needs to use the @command{search}
+ command (@pxref{search}) to find @file{/boot/grub}.
+ 
+ To embed a configuration file, use the @option{-c} option to
+-@command{grub-mkimage}. The file is copied into the core image, so it may
++@command{grub2-mkimage}. The file is copied into the core image, so it may
+ reside anywhere on the file system, and may be removed after running
+-@command{grub-mkimage}.
++@command{grub2-mkimage}.
+ 
+ After the embedded configuration file (if any) is executed, GRUB will load
+ the @samp{normal} module (@pxref{normal}), which will then read the real
+@@ -1993,13 +2000,13 @@ included in the core image:
+ @example
+ @group
+ search.fs_label grub root
+-if [ -e /boot/grub/example/test1.cfg ]; then
++if [ -e /boot/grub2/example/test1.cfg ]; then
+ set prefix=($root)/boot/grub
+- configfile /boot/grub/example/test1.cfg
++ configfile /boot/grub2/example/test1.cfg
+ else
+- if [ -e /boot/grub/example/test2.cfg ]; then
++ if [ -e /boot/grub2/example/test2.cfg ]; then
+ set prefix=($root)/boot/grub
+- configfile /boot/grub/example/test2.cfg
++ configfile /boot/grub2/example/test2.cfg
+ else
+ echo "Could not find an example configuration file!"
+ fi
+@@ -2523,7 +2530,7 @@ grub-mknetdir --net-directory=/srv/tftp --subdir=/boot/grub -d /usr/lib/grub/i38
+ @end group
+ @end example
+ 
+-Then follow instructions printed out by grub-mknetdir on configuring your DHCP
++Then follow instructions printed out by grub2-mknetdir on configuring your DHCP
+ server.
+ 
+ The grub.cfg file is placed in the same directory as the path output by
+@@ -2717,7 +2724,7 @@ team are:
+ @end table
+ 
+ To take full advantage of this function, install GRUB into the MBR
+-(@pxref{Installing GRUB using grub-install}).
++(@pxref{Installing GRUB using grub2-install}).
+ 
+ If you have a laptop which has a similar feature and not in the above list
+ could you figure your address and contribute?
+@@ -2778,7 +2785,7 @@ bytes.
+ The sole function of @file{boot.img} is to read the first sector of the core
+ image from a local disk and jump to it. Because of the size restriction,
+ @file{boot.img} cannot understand any file system structure, so
+-@command{grub-install} hardcodes the location of the first sector of the
++@command{grub2-install} hardcodes the location of the first sector of the
+ core image into @file{boot.img} when installing GRUB.
+ 
+ @item diskboot.img
+@@ -2808,7 +2815,7 @@ images.
+ 
+ @item core.img
+ This is the core image of GRUB. It is built dynamically from the kernel
+-image and an arbitrary list of modules by the @command{grub-mkimage}
++image and an arbitrary list of modules by the @command{grub2-mkimage}
+ program. Usually, it contains enough modules to access @file{/boot/grub},
+ and loads everything else (including menu handling, the ability to load
+ target operating systems, and so on) from the file system at run-time. The
+@@ -2860,7 +2867,7 @@ GRUB 2 has no single Stage 2 image. Instead, it loads modules from
+ In GRUB 2, images for booting from CD-ROM drives are now constructed using
+ @file{cdboot.img} and @file{core.img}, making sure that the core image
+ contains the @samp{iso9660} module. It is usually best to use the
+-@command{grub-mkrescue} program for this.
++@command{grub2-mkrescue} program for this.
+ 
+ @item nbgrub
+ There is as yet no equivalent for @file{nbgrub} in GRUB 2; it was used by
+@@ -3016,8 +3023,8 @@ There are two ways to specify files, by @dfn{absolute file name} and by
+ 
+ An absolute file name resembles a Unix absolute file name, using
+ @samp{/} for the directory separator (not @samp{\} as in DOS). One
+-example is @samp{(hd0,1)/boot/grub/grub.cfg}. This means the file
+-@file{/boot/grub/grub.cfg} in the first partition of the first hard
++example is @samp{(hd0,1)/boot/grub2/grub.cfg}. This means the file
++@file{/boot/grub2/grub.cfg} in the first partition of the first hard
+ disk. If you omit the device name in an absolute file name, GRUB uses
+ GRUB's @dfn{root device} implicitly. So if you set the root device to,
+ say, @samp{(hd1,1)} by the command @samp{set root=(hd1,1)} (@pxref{set}),
+@@ -3025,8 +3032,8 @@ then @code{/boot/kernel} is the same as @code{(hd1,1)/boot/kernel}.
+ 
+ On ZFS filesystem the first path component must be
+ @var{volume}@samp{@@}[@var{snapshot}].
+-So @samp{/rootvol@@snap-129/boot/grub/grub.cfg} refers to file
+-@samp{/boot/grub/grub.cfg} in snapshot of volume @samp{rootvol} with name
++So @samp{/rootvol@@snap-129/boot/grub2/grub.cfg} refers to file
++@samp{/boot/grub2/grub.cfg} in snapshot of volume @samp{rootvol} with name
+ @samp{snap-129}. Trailing @samp{@@} after volume name is mandatory even if
+ snapshot name is omitted.
+ 
+@@ -3429,7 +3436,7 @@ The more recent release of Minix would then be identified as
+ @samp{other>minix>minix-3.4.0}.
+ 
+ This variable is often set by @samp{GRUB_DEFAULT} (@pxref{Simple
+-configuration}), @command{grub-set-default}, or @command{grub-reboot}.
++configuration}), @command{grub2-set-default}, or @command{grub2-reboot}.
+ 
+ 
+ @node fallback
+@@ -3519,7 +3526,7 @@ If this variable is set, it names the language code that the
+ example, French would be named as @samp{fr}, and Simplified Chinese as
+ @samp{zh_CN}.
+ 
+-@command{grub-mkconfig} (@pxref{Simple configuration}) will try to set a
++@command{grub2-mkconfig} (@pxref{Simple configuration}) will try to set a
+ reasonable default for this variable based on the system locale.
+ 
+ 
+@@ -3527,10 +3534,10 @@ reasonable default for this variable based on the system locale.
+ @subsection locale_dir
+ 
+ If this variable is set, it names the directory where translation files may
+-be found (@pxref{gettext}), usually @file{/boot/grub/locale}. Otherwise,
++be found (@pxref{gettext}), usually @file{/boot/grub2/locale}. Otherwise,
+ internationalization is disabled.
+ 
+-@command{grub-mkconfig} (@pxref{Simple configuration}) will set a reasonable
++@command{grub2-mkconfig} (@pxref{Simple configuration}) will set a reasonable
+ default for this variable if internationalization is needed and any
+ translation files are available.
+ 
+@@ -3648,7 +3655,7 @@ input. The default is not to pause output.
+ 
+ The location of the @samp{/boot/grub} directory as an absolute file name
+ (@pxref{File name syntax}). This is normally set by GRUB at startup based
+-on information provided by @command{grub-install}. GRUB modules are
++on information provided by @command{grub2-install}. GRUB modules are
+ dynamically loaded from this directory, so it must be set correctly in order
+ for many parts of GRUB to work.
+ 
+@@ -3739,17 +3746,17 @@ GRUB provides an ``environment block'' which can be used to save a small
+ amount of state.
+ 
+ The environment block is a preallocated 1024-byte file, which normally lives
+-in @file{/boot/grub/grubenv} (although you should not assume this). At boot
++in @file{/boot/grub2/grubenv} (although you should not assume this). At boot
+ time, the @command{load_env} command (@pxref{load_env}) loads environment
+ variables from it, and the @command{save_env} (@pxref{save_env}) command
+ saves environment variables to it. From a running system, the
+-@command{grub-editenv} utility can be used to edit the environment block.
++@command{grub2-editenv} utility can be used to edit the environment block.
+ 
+ For safety reasons, this storage is only available when installed on a plain
+ disk (no LVM or RAID), using a non-checksumming filesystem (no ZFS), and
+ using BIOS or EFI functions (no ATA, USB or IEEE1275).
+ 
+-@command{grub-mkconfig} uses this facility to implement
++@command{grub2-mkconfig} uses this facility to implement
+ @samp{GRUB_SAVEDEFAULT} (@pxref{Simple configuration}).
+ 
+ 
+@@ -4473,7 +4480,7 @@ Translate @var{string} into the current language.
+ 
+ The current language code is stored in the @samp{lang} variable in GRUB's
+ environment (@pxref{lang}). Translation files in MO format are read from
+-@samp{locale_dir} (@pxref{locale_dir}), usually @file{/boot/grub/locale}.
++@samp{locale_dir} (@pxref{locale_dir}), usually @file{/boot/grub2/locale}.
+ @end deffn
+ 
+ 
+@@ -4868,7 +4875,7 @@ Define a user named @var{user} with password @var{clear-password}.
+ + @deffn Command password_pbkdf2 user hashed-password + Define a user named @var{user} with password hash @var{hashed-password}. +-Use @command{grub-mkpasswd-pbkdf2} (@pxref{Invoking grub-mkpasswd-pbkdf2}) ++Use @command{grub2-mkpasswd-pbkdf2} (@pxref{Invoking grub2-mkpasswd-pbkdf2}) + to generate password hashes. @xref{Security}. + @end deffn + +@@ -5811,8 +5818,8 @@ The @samp{password} (@pxref{password}) and @samp{password_pbkdf2} + which has an associated password. @samp{password} sets the password in + plain text, requiring @file{grub.cfg} to be secure; @samp{password_pbkdf2} + sets the password hashed using the Password-Based Key Derivation Function +-(RFC 2898), requiring the use of @command{grub-mkpasswd-pbkdf2} +-(@pxref{Invoking grub-mkpasswd-pbkdf2}) to generate password hashes. ++(RFC 2898), requiring the use of @command{grub2-mkpasswd-pbkdf2} ++(@pxref{Invoking grub2-mkpasswd-pbkdf2}) to generate password hashes. + + In order to enable authentication support, the @samp{superusers} environment + variable must be set to a list of usernames, separated by any of spaces, +@@ -5857,7 +5864,7 @@ menuentry "May be run by user1 or a superuser" --users user1 @{ + @end group + @end example + +-The @command{grub-mkconfig} program does not yet have built-in support for ++The @command{grub2-mkconfig} program does not yet have built-in support for + generating configuration files with authentication. You can use + @file{/etc/grub.d/40_custom} to add simple superuser authentication, by + adding @kbd{set superusers=} and @kbd{password} or @kbd{password_pbkdf2} +@@ -5884,7 +5891,17 @@ may halt or otherwise impact the boot process. + + An initial trusted public key can be embedded within the GRUB @file{core.img} + using the @code{--pubkey} option to @command{grub-install} +-(@pxref{Invoking grub-install}). ++(@pxref{Invoking grub2-install}). 
++ ++@comment Unfortunately --pubkey is not yet supported by grub2-install, ++@comment but we should not bring up internal detail grub2-mkimage here ++@comment in the user guide (as opposed to developer's manual). ++ ++@comment An initial trusted public key can be embedded within the GRUB ++@comment @file{core.img} using the @code{--pubkey} option to ++@comment @command{grub2-mkimage} (@pxref{Invoking grub2-install}). Presently it ++@comment is necessary to write a custom wrapper around @command{grub2-mkimage} ++@comment using the @code{--grub-mkimage} flag to @command{grub2-install}. + + GRUB uses GPG-style detached signatures (meaning that a file + @file{foo.sig} will be produced when file @file{foo} is signed), and +@@ -5904,8 +5921,8 @@ gpg --detach-sign /path/to/file + For successful validation of all of GRUB's subcomponents and the + loaded OS kernel, they must all be signed. One way to accomplish this + is the following (after having already produced the desired +-@file{grub.cfg} file, e.g., by running @command{grub-mkconfig} +-(@pxref{Invoking grub-mkconfig}): ++@file{grub.cfg} file, e.g., by running @command{grub2-mkconfig} ++(@pxref{Invoking grub2-mkconfig}): + + @example + @group +@@ -5927,7 +5944,7 @@ See also: @ref{check_signatures}, @ref{verify_detached}, @ref{trust}, + Note that internally signature enforcement is controlled by setting + the environment variable @code{check_signatures} equal to + @code{enforce}. Passing one or more @code{--pubkey} options to +-@command{grub-mkimage} implicitly defines @code{check_signatures} ++@command{grub2-mkimage} implicitly defines @code{check_signatures} + equal to @code{enforce} in @file{core.img} prior to processing any + configuration files. 
+ +@@ -6385,10 +6402,10 @@ Required files are: + + GRUB's normal start-up procedure involves setting the @samp{prefix} + environment variable to a value set in the core image by +-@command{grub-install}, setting the @samp{root} variable to match, loading ++@command{grub2-install}, setting the @samp{root} variable to match, loading + the @samp{normal} module from the prefix, and running the @samp{normal} + command (@pxref{normal}). This command is responsible for reading +-@file{/boot/grub/grub.cfg}, running the menu, and doing all the useful ++@file{/boot/grub2/grub.cfg}, running the menu, and doing all the useful + things GRUB is supposed to do. + + If, instead, you only get a rescue shell, this usually means that GRUB +@@ -6414,8 +6431,8 @@ normal + + However, any problem that leaves you in the rescue shell probably means that + GRUB was not correctly installed. It may be more useful to try to reinstall +-it properly using @kbd{grub-install @var{device}} (@pxref{Invoking +-grub-install}). When doing this, there are a few things to remember: ++it properly using @kbd{grub2-install @var{device}} (@pxref{Invoking ++grub2-install}). When doing this, there are a few things to remember: + + @itemize @bullet{} + @item +@@ -6427,7 +6444,7 @@ is usually better to use UUIDs or file system labels and avoid depending on + drive ordering entirely. + + @item +-At least on BIOS systems, if you tell @command{grub-install} to install GRUB ++At least on BIOS systems, if you tell @command{grub2-install} to install GRUB + to a partition but GRUB has already been installed in the master boot + record, then the GRUB installation in the partition will be ignored. + +@@ -6458,21 +6475,21 @@ entry which claims partition start at block 0. This change will not hamper + bootability on other machines. 
+ + +-@node Invoking grub-install +-@chapter Invoking grub-install ++@node Invoking grub2-install ++@chapter Invoking grub2-install + +-The program @command{grub-install} generates a GRUB core image using +-@command{grub-mkimage} and installs it on your system. You must specify the ++The program @command{grub2-install} generates a GRUB core image using ++@command{grub2-mkimage} and installs it on your system. You must specify the + device name on which you want to install GRUB, like this: + + @example +-grub-install @var{install_device} ++grub2-install @var{install_device} + @end example + + The device name @var{install_device} is an OS device name or a GRUB + device name. + +-@command{grub-install} accepts the following options: ++@command{grub2-install} accepts the following options: + + @table @option + @item --help +@@ -6488,13 +6505,13 @@ separate partition or a removable disk. + If this option is not specified then it defaults to @file{/boot}, so + + @example +-@kbd{grub-install /dev/sda} ++@kbd{grub2-install /dev/sda} + @end example + + is equivalent to + + @example +-@kbd{grub-install --boot-directory=/boot/ /dev/sda} ++@kbd{grub2-install --boot-directory=/boot/ /dev/sda} + @end example + + Here is an example in which you have a separate @dfn{boot} partition which is +@@ -6502,16 +6519,16 @@ mounted on + @file{/mnt/boot}: + + @example +-@kbd{grub-install --boot-directory=/mnt/boot /dev/sdb} ++@kbd{grub2-install --boot-directory=/mnt/boot /dev/sdb} + @end example + + @item --recheck +-Recheck the device map, even if @file{/boot/grub/device.map} already ++Recheck the device map, even if @file{/boot/grub2/device.map} already + exists. You should use this option whenever you add/remove a disk + into/from your computer. 
+ + @item --no-rs-codes +-By default on x86 BIOS systems, @command{grub-install} will use some ++By default on x86 BIOS systems, @command{grub2-install} will use some + extra space in the bootloader embedding area for Reed-Solomon + error-correcting codes. This enables GRUB to still boot successfully + if some blocks are corrupted. The exact amount of protection offered +@@ -6524,17 +6541,17 @@ installation}) where GRUB does not reside in any unpartitioned space + outside of the MBR. Disable the Reed-Solomon codes with this option. + @end table + +-@node Invoking grub-mkconfig +-@chapter Invoking grub-mkconfig ++@node Invoking grub2-mkconfig ++@chapter Invoking grub2-mkconfig + +-The program @command{grub-mkconfig} generates a configuration file for GRUB ++The program @command{grub2-mkconfig} generates a configuration file for GRUB + (@pxref{Simple configuration}). + + @example +-grub-mkconfig -o /boot/grub/grub.cfg ++grub-mkconfig -o /boot/grub2/grub.cfg + @end example + +-@command{grub-mkconfig} accepts the following options: ++@command{grub2-mkconfig} accepts the following options: + + @table @option + @item --help +@@ -6550,17 +6567,17 @@ it to standard output. + @end table + + +-@node Invoking grub-mkpasswd-pbkdf2 +-@chapter Invoking grub-mkpasswd-pbkdf2 ++@node Invoking grub2-mkpasswd-pbkdf2 ++@chapter Invoking grub2-mkpasswd-pbkdf2 + +-The program @command{grub-mkpasswd-pbkdf2} generates password hashes for ++The program @command{grub2-mkpasswd-pbkdf2} generates password hashes for + GRUB (@pxref{Security}). + + @example + grub-mkpasswd-pbkdf2 + @end example + +-@command{grub-mkpasswd-pbkdf2} accepts the following options: ++@command{grub2-mkpasswd-pbkdf2} accepts the following options: + + @table @option + @item -c @var{number} +@@ -6578,23 +6595,23 @@ Length of the salt. Defaults to 64. 
+ @end table + + +-@node Invoking grub-mkrelpath +-@chapter Invoking grub-mkrelpath ++@node Invoking grub2-mkrelpath ++@chapter Invoking grub2-mkrelpath + +-The program @command{grub-mkrelpath} makes a file system path relative to ++The program @command{grub2-mkrelpath} makes a file system path relative to + the root of its containing file system. For instance, if @file{/usr} is a + mount point, then: + + @example +-$ @kbd{grub-mkrelpath /usr/share/grub/unicode.pf2} ++$ @kbd{grub2-mkrelpath /usr/share/grub/unicode.pf2} + @samp{/share/grub/unicode.pf2} + @end example + + This is mainly used internally by other GRUB utilities such as +-@command{grub-mkconfig} (@pxref{Invoking grub-mkconfig}), but may ++@command{grub2-mkconfig} (@pxref{Invoking grub2-mkconfig}), but may + occasionally also be useful for debugging. + +-@command{grub-mkrelpath} accepts the following options: ++@command{grub2-mkrelpath} accepts the following options: + + @table @option + @item --help +@@ -6605,17 +6622,17 @@ Print the version number of GRUB and exit. + @end table + + +-@node Invoking grub-mkrescue +-@chapter Invoking grub-mkrescue ++@node Invoking grub2-mkrescue ++@chapter Invoking grub2-mkrescue + +-The program @command{grub-mkrescue} generates a bootable GRUB rescue image ++The program @command{grub2-mkrescue} generates a bootable GRUB rescue image + (@pxref{Making a GRUB bootable CD-ROM}). + + @example + grub-mkrescue -o grub.iso + @end example + +-All arguments not explicitly listed as @command{grub-mkrescue} options are ++All arguments not explicitly listed as @command{grub2-mkrescue} options are + passed on directly to @command{xorriso} in @command{mkisofs} emulation mode. 
+ Options passed to @command{xorriso} will normally be interpreted as + @command{mkisofs} options; if the option @samp{--} is used, then anything +@@ -6630,7 +6647,7 @@ mkdir -p disk/boot/grub + grub-mkrescue -o grub.iso disk + @end example + +-@command{grub-mkrescue} accepts the following options: ++@command{grub2-mkrescue} accepts the following options: + + @table @option + @item --help +@@ -6658,15 +6675,15 @@ Use @var{file} as the @command{xorriso} program, rather than the built-in + default. + + @item --grub-mkimage=@var{file} +-Use @var{file} as the @command{grub-mkimage} program, rather than the ++Use @var{file} as the @command{grub2-mkimage} program, rather than the + built-in default. + @end table + + +-@node Invoking grub-mount +-@chapter Invoking grub-mount ++@node Invoking grub2-mount ++@chapter Invoking grub2-mount + +-The program @command{grub-mount} performs a read-only mount of any file ++The program @command{grub2-mount} performs a read-only mount of any file + system or file system image that GRUB understands, using GRUB's file system + drivers via FUSE. (It is only available if FUSE development files were + present when GRUB was built.) This has a number of uses: +@@ -6698,13 +6715,13 @@ even if nobody has yet written a FUSE module specifically for that file + system type. + @end itemize + +-Using @command{grub-mount} is normally as simple as: ++Using @command{grub2-mount} is normally as simple as: + + @example + grub-mount /dev/sda1 /mnt + @end example + +-@command{grub-mount} must be given one or more images and a mount point as ++@command{grub2-mount} must be given one or more images and a mount point as + non-option arguments (if it is given more than one image, it will treat them + as a RAID set), and also accepts the following options: + +@@ -6726,13 +6743,13 @@ Show debugging output for conditions matching @var{string}. + @item -K prompt|@var{file} + @itemx --zfs-key=prompt|@var{file} + Load a ZFS encryption key. 
If you use @samp{prompt} as the argument, +-@command{grub-mount} will read a passphrase from the terminal; otherwise, it ++@command{grub2-mount} will read a passphrase from the terminal; otherwise, it + will read key material from the specified file. + + @item -r @var{device} + @itemx --root=@var{device} + Set the GRUB root device to @var{device}. You do not normally need to set +-this; @command{grub-mount} will automatically set the root device to the ++this; @command{grub2-mount} will automatically set the root device to the + root of the supplied file system. + + If @var{device} is just a number, then it will be treated as a partition +@@ -6750,10 +6767,10 @@ Print verbose messages. + @end table + + +-@node Invoking grub-probe +-@chapter Invoking grub-probe ++@node Invoking grub2-probe ++@chapter Invoking grub2-probe + +-The program @command{grub-probe} probes device information for a given path ++The program @command{grub2-probe} probes device information for a given path + or device. + + @example +@@ -6761,7 +6778,7 @@ grub-probe --target=fs /boot/grub + grub-probe --target=drive --device /dev/sda1 + @end example + +-@command{grub-probe} must be given a path or device as a non-option ++@command{grub2-probe} must be given a path or device as a non-option + argument, and also accepts the following options: + + @table @option +@@ -6774,16 +6791,16 @@ Print the version number of GRUB and exit. + @item -d + @itemx --device + If this option is given, then the non-option argument is a system device +-name (such as @samp{/dev/sda1}), and @command{grub-probe} will print ++name (such as @samp{/dev/sda1}), and @command{grub2-probe} will print + information about that device. If it is not given, then the non-option + argument is a filesystem path (such as @samp{/boot/grub}), and +-@command{grub-probe} will print information about the device containing that ++@command{grub2-probe} will print information about the device containing that + part of the filesystem. 
+ + @item -m @var{file} + @itemx --device-map=@var{file} + Use @var{file} as the device map (@pxref{Device map}) rather than the +-default, usually @samp{/boot/grub/device.map}. ++default, usually @samp{/boot/grub2/device.map}. + + @item -t @var{target} + @itemx --target=@var{target} +@@ -6836,19 +6853,19 @@ Print verbose messages. + @end table + + +-@node Invoking grub-script-check +-@chapter Invoking grub-script-check ++@node Invoking grub2-script-check ++@chapter Invoking grub2-script-check + +-The program @command{grub-script-check} takes a GRUB script file ++The program @command{grub2-script-check} takes a GRUB script file + (@pxref{Shell-like scripting}) and checks it for syntax errors, similar to + commands such as @command{sh -n}. It may take a @var{path} as a non-option + argument; if none is supplied, it will read from standard input. + + @example +-grub-script-check /boot/grub/grub.cfg ++grub-script-check /boot/grub2/grub.cfg + @end example + +-@command{grub-script-check} accepts the following options: ++@command{grub2-script-check} accepts the following options: + + @table @option + @item --help diff --git a/SPECS/grub2/0069-Make-pmtimer-tsc-calibration-not-take-51-seconds-to-.patch b/SPECS/grub2/0069-Make-pmtimer-tsc-calibration-not-take-51-seconds-to-.patch new file mode 100644 index 00000000000..acfb116d74f --- /dev/null +++ b/SPECS/grub2/0069-Make-pmtimer-tsc-calibration-not-take-51-seconds-to-.patch 
@@ -0,0 +1,211 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 7 Nov 2017 17:12:17 -0500 +Subject: [PATCH] Make pmtimer tsc calibration not take 51 seconds to fail. + +On my laptop running at 2.4GHz, if I run a VM where tsc calibration +using pmtimer will fail presuming a broken pmtimer, it takes ~51 seconds +to do so (as measured with the stopwatch on my phone), with a tsc delta +of 0x1cd1c85300, or around 125 billion cycles. + +If instead of trying to wait for 5-200ms to show up on the pmtimer, we try +to wait for 5-200us, it decides it's broken in ~0x2626aa0 TSCs, aka ~2.4 +million cycles, or more or less instantly. + +Additionally, this reading the pmtimer was returning 0xffffffff anyway, +and that's obviously an invalid return. I've added a check for that and +0 so we don't bother waiting for the test if what we're seeing is dead +pins with no response at all. + +If "debug" is includes "pmtimer", you will see one of the following +three outcomes. If pmtimer gives all 0 or all 1 bits, you will see: + +kern/i386/tsc_pmtimer.c:77: pmtimer: 0xffffff bad_reads: 1 +kern/i386/tsc_pmtimer.c:77: pmtimer: 0xffffff bad_reads: 2 +kern/i386/tsc_pmtimer.c:77: pmtimer: 0xffffff bad_reads: 3 +kern/i386/tsc_pmtimer.c:77: pmtimer: 0xffffff bad_reads: 4 +kern/i386/tsc_pmtimer.c:77: pmtimer: 0xffffff bad_reads: 5 +kern/i386/tsc_pmtimer.c:77: pmtimer: 0xffffff bad_reads: 6 +kern/i386/tsc_pmtimer.c:77: pmtimer: 0xffffff bad_reads: 7 +kern/i386/tsc_pmtimer.c:77: pmtimer: 0xffffff bad_reads: 8 +kern/i386/tsc_pmtimer.c:77: pmtimer: 0xffffff bad_reads: 9 +kern/i386/tsc_pmtimer.c:77: pmtimer: 0xffffff bad_reads: 10 +kern/i386/tsc_pmtimer.c:78: timer is broken; giving up. 
+ +This outcome was tested using qemu+kvm with UEFI (OVMF) firmware and +these options: -machine pc-q35-2.10 -cpu Broadwell-noTSX + +If pmtimer gives any other bit patterns but is not actually marching +forward fast enough to use for clock calibration, you will see: + +kern/i386/tsc_pmtimer.c:121: pmtimer delta is 0x0 (1904 iterations) +kern/i386/tsc_pmtimer.c:124: tsc delta is implausible: 0x2626aa0 + +This outcome was tested using grub compiled with GRUB_PMTIMER_IGNORE_BAD_READS +defined (so as not to trip the bad read test) using qemu+kvm with UEFI +(OVMF) firmware, and these options: -machine pc-q35-2.10 -cpu Broadwell-noTSX + +If pmtimer actually works, you'll see something like: + +kern/i386/tsc_pmtimer.c:121: pmtimer delta is 0x0 (1904 iterations) +kern/i386/tsc_pmtimer.c:124: tsc delta is implausible: 0x2626aa0 + +This outcome was tested using qemu+kvm with UEFI (OVMF) firmware, and +these options: -machine pc-i440fx-2.4 -cpu Broadwell-noTSX + +I've also tested this outcome on a real Intel Xeon E3-1275v3 on an Intel +Server Board S1200V3RPS using the SDV.RP.B8 "Release" build here: +https://firmware.intel.com/sites/default/files/UEFIDevKit_S1200RP_vB8.zip + +Signed-off-by: Peter Jones +--- + grub-core/kern/i386/tsc_pmtimer.c | 109 +++++++++++++++++++++++++++++++------- + 1 file changed, 89 insertions(+), 20 deletions(-) + +diff --git a/grub-core/kern/i386/tsc_pmtimer.c b/grub-core/kern/i386/tsc_pmtimer.c +index c9c36169978..ca15c3aacd7 100644 +--- a/grub-core/kern/i386/tsc_pmtimer.c ++++ b/grub-core/kern/i386/tsc_pmtimer.c +@@ -28,40 +28,101 @@ + #include + #include + ++/* ++ * Define GRUB_PMTIMER_IGNORE_BAD_READS if you're trying to test a timer that's ++ * present but doesn't keep time well. 
++ */ ++// #define GRUB_PMTIMER_IGNORE_BAD_READS ++ + grub_uint64_t + grub_pmtimer_wait_count_tsc (grub_port_t pmtimer, + grub_uint16_t num_pm_ticks) + { + grub_uint32_t start; +- grub_uint32_t last; +- grub_uint32_t cur, end; ++ grub_uint64_t cur, end; + grub_uint64_t start_tsc; + grub_uint64_t end_tsc; +- int num_iter = 0; ++ unsigned int num_iter = 0; ++#ifndef GRUB_PMTIMER_IGNORE_BAD_READS ++ int bad_reads = 0; ++#endif + +- start = grub_inl (pmtimer) & 0xffffff; +- last = start; ++ /* ++ * Some timers are 24-bit and some are 32-bit, but it doesn't make much ++ * difference to us. Caring which one we have isn't really worth it since ++ * the low-order digits will give us enough data to calibrate TSC. So just ++ * mask the top-order byte off. ++ */ ++ cur = start = grub_inl (pmtimer) & 0xffffffUL; + end = start + num_pm_ticks; + start_tsc = grub_get_tsc (); + while (1) + { +- cur = grub_inl (pmtimer) & 0xffffff; +- if (cur < last) +- cur |= 0x1000000; +- num_iter++; ++ cur &= 0xffffffffff000000ULL; ++ cur |= grub_inl (pmtimer) & 0xffffffUL; ++ ++ end_tsc = grub_get_tsc(); ++ ++#ifndef GRUB_PMTIMER_IGNORE_BAD_READS ++ /* ++ * If we get 10 reads in a row that are obviously dead pins, there's no ++ * reason to do this thousands of times. ++ */ ++ if (cur == 0xffffffUL || cur == 0) ++ { ++ bad_reads++; ++ grub_dprintf ("pmtimer", ++ "pmtimer: 0x%"PRIxGRUB_UINT64_T" bad_reads: %d\n", ++ cur, bad_reads); ++ grub_dprintf ("pmtimer", "timer is broken; giving up.\n"); ++ ++ if (bad_reads == 10) ++ return 0; ++ } ++#endif ++ ++ if (cur < start) ++ cur += 0x1000000; ++ + if (cur >= end) + { +- end_tsc = grub_get_tsc (); ++ grub_dprintf ("pmtimer", "pmtimer delta is 0x%"PRIxGRUB_UINT64_T"\n", ++ cur - start); ++ grub_dprintf ("pmtimer", "tsc delta is 0x%"PRIxGRUB_UINT64_T"\n", ++ end_tsc - start_tsc); + return end_tsc - start_tsc; + } +- /* Check for broken PM timer. 
+- 50000000 TSCs is between 5 ms (10GHz) and 200 ms (250 MHz) +- if after this time we still don't have 1 ms on pmtimer, then +- pmtimer is broken. ++ ++ /* ++ * Check for broken PM timer. 1ms at 10GHz should be 1E+7 TSCs; at ++ * 250MHz it should be 2.5E6. So if after 4E+7 TSCs on a 10GHz machine, ++ * we should have seen pmtimer show 4ms of change (i.e. cur =~ ++ * start+14320); on a 250MHz machine that should be 16ms (start+57280). ++ * If after this a time we still don't have 1ms on pmtimer, then pmtimer ++ * is broken. ++ * ++ * Likewise, if our code is perfectly efficient and introduces no delays ++ * whatsoever, on a 10GHz system we should see a TSC delta of 3580 in ++ * ~3580 iterations. On a 250MHz machine that should be ~900 iterations. ++ * ++ * With those factors in mind, there are two limits here. There's a hard ++ * limit here at 8x our desired pm timer delta, picked as an arbitrarily ++ * large value that's still not a lot of time to humans, because if we ++ * get that far this is either an implausibly fast machine or the pmtimer ++ * is not running. And there's another limit on 4x our 10GHz tsc delta ++ * without seeing cur converge on our target value. 
+ */ +- if ((num_iter & 0xffffff) == 0 && grub_get_tsc () - start_tsc > 5000000) { +- return 0; +- } ++ if ((++num_iter > (grub_uint32_t)num_pm_ticks << 3UL) || ++ end_tsc - start_tsc > 40000000) ++ { ++ grub_dprintf ("pmtimer", ++ "pmtimer delta is 0x%"PRIxGRUB_UINT64_T" (%u iterations)\n", ++ cur - start, num_iter); ++ grub_dprintf ("pmtimer", ++ "tsc delta is implausible: 0x%"PRIxGRUB_UINT64_T"\n", ++ end_tsc - start_tsc); ++ return 0; ++ } + } + } + +@@ -74,12 +135,20 @@ grub_tsc_calibrate_from_pmtimer (void) + + fadt = grub_acpi_find_fadt (); + if (!fadt) +- return 0; ++ { ++ grub_dprintf ("pmtimer", "No FADT found; not using pmtimer.\n"); ++ return 0; ++ } + pmtimer = fadt->pmtimer; + if (!pmtimer) +- return 0; ++ { ++ grub_dprintf ("pmtimer", "FADT does not specify pmtimer; skipping.\n"); ++ return 0; ++ } + +- /* It's 3.579545 MHz clock. Wait 1 ms. */ ++ /* ++ * It's 3.579545 MHz clock. Wait 1 ms. ++ */ + tsc_diff = grub_pmtimer_wait_count_tsc (pmtimer, 3580); + if (tsc_diff == 0) + return 0; diff --git a/SPECS/grub2/0166-grub-install-disable-support-for-EFI-platforms.patch b/SPECS/grub2/0166-grub-install-disable-support-for-EFI-platforms.patch new file mode 100644 index 00000000000..e3cf2ecf2ec --- /dev/null +++ b/SPECS/grub2/0166-grub-install-disable-support-for-EFI-platforms.patch 
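Review bot: In the new bad-read branch of grub_pmtimer_wait_count_tsc, `grub_dprintf ("pmtimer", "timer is broken; giving up.\n");` runs on every bad read, not only on the tenth, which contradicts the sample output in the patch description (one "giving up" line after `bad_reads: 10`) and makes the debug log claim the function gave up while it keeps polling. Moving the message under the threshold check fixes both: `if (bad_reads == 10) { grub_dprintf ("pmtimer", "timer is broken; giving up.\n"); return 0; }`. The comment above that branch says "10 reads in a row", but bad_reads is never reset, so ten scattered bad reads also abort; either the comment or the counter should match. The description's "If pmtimer actually works" example also repeats the "tsc delta is implausible" output from the previous case and presumably was meant to show a successful calibration.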
@@ -0,0 +1,120 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Jan Hlavac +Date: Fri, 20 Nov 2020 23:51:47 +0100 +Subject: [PATCH] grub-install: disable support for EFI platforms + +For each platform, GRUB is shipped as a kernel image and a set of +modules. These files are then used by the grub-install utility to +install GRUB on a specific device. However, in order to support UEFI +Secure Boot, the resulting EFI binary must be signed by a recognized +private key. For this reason, for EFI platforms, most distributions also +ship prebuilt EFI binaries signed by a distribution-specific private +key. In this case, however, the grub-install utility should not be used +because it would overwrite the signed EFI binary. + +The current fix is suboptimal because it preserves all EFI-related code. +A better solution could be to modularize the code and provide a +build-time option. + +Resolves: rhbz#1737444 + +Signed-off-by: Jan Hlavac +--- + util/grub-install.c | 37 ++++++++++++++++--------------------- + docs/grub.texi | 7 +++++++ + util/grub-install.8 | 4 +++- + 3 files changed, 26 insertions(+), 22 deletions(-) + +diff --git a/util/grub-install.c b/util/grub-install.c +index 1e47491bc21..ffac91c9a24 100644 +--- a/util/grub-install.c ++++ b/util/grub-install.c +@@ -899,6 +899,22 @@ main (int argc, char *argv[]) + + platform = grub_install_get_target (grub_install_source_directory); + ++ switch (platform) ++ { ++ case GRUB_INSTALL_PLATFORM_ARM_EFI: ++ case GRUB_INSTALL_PLATFORM_ARM64_EFI: ++ case GRUB_INSTALL_PLATFORM_I386_EFI: ++ case GRUB_INSTALL_PLATFORM_IA64_EFI: ++ case GRUB_INSTALL_PLATFORM_X86_64_EFI: ++ is_efi = 1; ++ grub_util_error (_("this utility cannot be used for EFI platforms" ++ " because it does not support UEFI Secure Boot")); ++ break; ++ default: ++ is_efi = 0; ++ break; ++ } ++ + { + char *platname = grub_install_get_platform_name (platform); + fprintf (stderr, _("Installing for %s platform.\n"), platname); +@@ -1011,28 
+1027,7 @@ main (int argc, char *argv[]) + grub_hostfs_init (); + grub_host_init (); + +- switch (platform) +- { +- case GRUB_INSTALL_PLATFORM_I386_EFI: +- case GRUB_INSTALL_PLATFORM_X86_64_EFI: +- case GRUB_INSTALL_PLATFORM_ARM_EFI: +- case GRUB_INSTALL_PLATFORM_ARM64_EFI: +- case GRUB_INSTALL_PLATFORM_RISCV32_EFI: +- case GRUB_INSTALL_PLATFORM_RISCV64_EFI: +- case GRUB_INSTALL_PLATFORM_IA64_EFI: +- is_efi = 1; +- break; +- default: +- is_efi = 0; +- break; +- +- /* pacify warning. */ +- case GRUB_INSTALL_PLATFORM_MAX: +- break; +- } +- + /* Find the EFI System Partition. */ +- + if (is_efi) + { + grub_fs_t fs; +diff --git a/docs/grub.texi b/docs/grub.texi +index 67bf8523ccb..75b22231f35 100644 +--- a/docs/grub.texi ++++ b/docs/grub.texi +@@ -6506,6 +6506,13 @@ grub2-install @var{install_device} + The device name @var{install_device} is an OS device name or a GRUB + device name. + ++In order to support UEFI Secure Boot, the resulting GRUB EFI binary must ++be signed by a recognized private key. For this reason, for EFI ++platforms, most distributions also ship prebuilt GRUB EFI binaries ++signed by a distribution-specific private key. In this case, however, ++@command{grub2-install} should not be used because it would overwrite ++the signed EFI binary. ++ + @command{grub2-install} accepts the following options: + + @table @option +diff --git a/util/grub-install.8 b/util/grub-install.8 +index 1db89e94b3b..811d441b16c 100644 +--- a/util/grub-install.8 ++++ b/util/grub-install.8 +@@ -1,4 +1,4 @@ +-.TH GRUB-INSTALL 1 "Wed Feb 26 2014" ++.TH GRUB-INSTALL 1 "Fri Nov 20 2020" + .SH NAME + \fBgrub-install\fR \(em Install GRUB on a device. + +@@ -31,6 +31,8 @@ + .SH DESCRIPTION + \fBgrub-install\fR installs GRUB onto a device. This includes copying GRUB images into the target directory (generally \fI/boot/grub\fR), and on some platforms may also include installing GRUB onto a boot sector. 
+ ++In order to support UEFI Secure Boot, the resulting GRUB EFI binary must be signed by a recognized private key. For this reason, for EFI platforms, most distributions also ship prebuilt GRUB EFI binaries signed by a distribution-specific private key. In this case, however, the \fBgrub-install\fR utility should not be used because it would overwrite the signed EFI binary. ++ + .SH OPTIONS + .TP + \fB--modules\fR=\fIMODULES\fR\! diff --git a/SPECS/grub2/CVE-2020-10713.nopatch b/SPECS/grub2/CVE-2020-10713.nopatch new file mode 100644 index 00000000000..e69de29bb2d diff --git a/SPECS/grub2/CVE-2020-14308.nopatch b/SPECS/grub2/CVE-2020-14308.nopatch new file mode 100644 index 00000000000..e69de29bb2d diff --git a/SPECS/grub2/CVE-2020-14309.nopatch b/SPECS/grub2/CVE-2020-14309.nopatch new file mode 100644 index 00000000000..e69de29bb2d diff --git a/SPECS/grub2/CVE-2020-14310.nopatch b/SPECS/grub2/CVE-2020-14310.nopatch new file mode 100644 index 00000000000..e69de29bb2d diff --git a/SPECS/grub2/CVE-2020-14311.nopatch b/SPECS/grub2/CVE-2020-14311.nopatch new file mode 100644 index 00000000000..e69de29bb2d diff --git a/SPECS/grub2/CVE-2020-14372.nopatch b/SPECS/grub2/CVE-2020-14372.nopatch new file mode 100644 index 00000000000..e69de29bb2d diff --git a/SPECS/grub2/CVE-2020-25632.nopatch b/SPECS/grub2/CVE-2020-25632.nopatch new file mode 100644 index 00000000000..e69de29bb2d diff --git a/SPECS/grub2/CVE-2020-25647.nopatch b/SPECS/grub2/CVE-2020-25647.nopatch new file mode 100644 index 00000000000..e69de29bb2d diff --git a/SPECS/grub2/CVE-2020-27749.nopatch b/SPECS/grub2/CVE-2020-27749.nopatch new file mode 100644 index 00000000000..e69de29bb2d diff --git a/SPECS/grub2/CVE-2020-27779.nopatch b/SPECS/grub2/CVE-2020-27779.nopatch new file mode 100644 index 00000000000..e69de29bb2d diff --git a/SPECS/grub2/CVE-2021-20225.nopatch b/SPECS/grub2/CVE-2021-20225.nopatch new file mode 100644 index 00000000000..e69de29bb2d 
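Review bot: The new switch in util/grub-install.c only lists the ARM, ARM64, I386, IA64 and X86_64 EFI platforms, while the block it deletes further down also handled GRUB_INSTALL_PLATFORM_RISCV32_EFI and GRUB_INSTALL_PLATFORM_RISCV64_EFI; on those targets the new code falls into `default:`, sets `is_efi = 0` and lets the install continue without the ESP handling, so the guard against overwriting the signed EFI binary does not cover them. Adding `case GRUB_INSTALL_PLATFORM_RISCV32_EFI:` and `case GRUB_INSTALL_PLATFORM_RISCV64_EFI:` to the new switch restores the previous coverage. The `is_efi = 1;` before grub_util_error has no effect if, as I believe, grub_util_error does not return, so the assignment and the trailing `break;` could go. The enclosing main() starts and ends outside the hunk.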
diff --git a/SPECS/grub2/CVE-2021-20233.nopatch b/SPECS/grub2/CVE-2021-20233.nopatch
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/SPECS/grub2/CVE-2021-3418.nopatch b/SPECS/grub2/CVE-2021-3418.nopatch
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/SPECS/grub2/grub2.spec b/SPECS/grub2/grub2.spec
index 1f9d6aa0a0d..652a182e665 100644
--- a/SPECS/grub2/grub2.spec
+++ b/SPECS/grub2/grub2.spec
@@ -6,7 +6,7 @@
 Summary: GRand Unified Bootloader
 Name: grub2
 Version: 2.06~rc1
-Release: 1%{?dist}
+Release: 4%{?dist}
 License: GPLv3+
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -23,6 +23,13 @@ Patch0003: 0003-Rework-linux16-command.patch
 Patch0004: 0004-Add-secureboot-support-on-efi-chainloader.patch
 Patch0005: 0005-Make-any-of-the-loaders-that-link-in-efi-mode-honor-.patch
 Patch0006: 0006-Handle-multi-arch-64-on-32-boot-in-linuxefi-loader.patch
+# Kernel cmdline fix
+Patch0017: 0017-Pass-x-hex-hex-straight-through-unmolested.patch
+# Nicer documentation. Also makes patch #166 apply cleanly
+Patch0037: 0037-Replace-a-lot-of-man-pages-with-slightly-nicer-ones.patch
+Patch0052: 0052-Make-our-info-pages-say-grub2-where-appropriate.patch
+# General fix
+Patch0069: 0069-Make-pmtimer-tsc-calibration-not-take-51-seconds-to-.patch
 # ARM64 build patch
 Patch0104: 0104-Rework-how-the-fdt-command-builds.patch
 # General fixes (> 4GB DMA, TPM measurements, etc)
@@ -37,6 +44,22 @@ Patch0150: 0150-x86-efi-Reduce-maximum-bounce-buffer-size-to-16-MiB.patch Patch0156: 0156-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch # CVE-2020-15705 Patch0157: 0157-linuxefi-fail-kernel-validation-without-shim-protoco.patch +# Fix to prevent user from overwriting signed grub binary using grub2-install +Patch0166: 0166-grub-install-disable-support-for-EFI-platforms.patch +# Add nopatches for tooling +Patch1000: CVE-2021-3418.nopatch +Patch1001: CVE-2020-14372.nopatch +Patch1002: CVE-2020-25632.nopatch +Patch1003: CVE-2020-25647.nopatch +Patch1004: CVE-2020-27779.nopatch +Patch1005: CVE-2021-20233.nopatch +Patch1006: CVE-2020-10713.nopatch +Patch1007: CVE-2020-14308.nopatch +Patch1008: CVE-2020-14309.nopatch +Patch1009: CVE-2020-14310.nopatch +Patch1010: CVE-2020-14311.nopatch +Patch1011: CVE-2020-27749.nopatch +Patch1012: CVE-2021-20225.nopatch BuildRequires: autoconf BuildRequires: device-mapper-devel BuildRequires: python3 @@ -247,6 +270,17 @@ cp $GRUB_MODULE_SOURCE $EFI_BOOT_DIR/$GRUB_MODULE_NAME %endif %changelog +* Fri Apr 16 2021 Chris Co - 2.06~rc1-4 +- Bump version to match grub-efi-binary-signed spec + +* Fri Apr 02 2021 Rachel Menge - 2.06~rc1-3 +- Apply no patches for CVE-2021-3418 CVE-2020-14372 CVE-2020-25632 + CVE-2020-25647 CVE-2020-27779 CVE-2021-20233 CVE-2020-10713 CVE-2020-14308 + CVE-2020-14309 CVE-2020-14310 CVE-2020-14311 CVE-2020-27749 CVE-2021-20225 + +* Fri Mar 26 2021 Chris Co - 2.06~rc1-2 +- Add a few more F34 patches (017, 037, 052, 069, 166) + * Wed Mar 10 2021 Chris Co - 2.06~rc1-1 - Update to 2.06-rc1. Remove old out-of-tree patches. Add patches from F34 - Incorporate SBAT data diff --git a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json index 703056fc96e..c1f8622a0c0 100644 --- a/SPECS/hyperv-daemons/hyperv-daemons.signatures.json +++ b/SPECS/hyperv-daemons/hyperv-daemons.signatures.json 
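Review bot: The thirteen Patch1000–Patch1012 entries reference .nopatch files that are all empty (their blob id e69de29bb2d is the empty blob), so nothing in the tree records why each CVE is considered addressed in this build, and anyone auditing the BootHole-era set has to take the marker on faith. The comment `# Add nopatches for tooling` says only that tooling consumes them; it should state the basis, e.g. `# CVE markers: fixed upstream in the 2.06~rc1 rebase (see <upstream reference placeholder>)`, or each marker file should carry that one line itself. The changelog line "Apply no patches for CVE-…" describes the mechanism rather than the reason; "Mark CVE-… as addressed by 2.06~rc1" would be clearer if that is indeed the justification, which I am inferring rather than reading from the diff.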
@@ -7,6 +7,6 @@ "hypervkvpd.service": "25339871302f7a47e1aecfa9fc2586c78bc37edb98773752f0a5dec30f0ed3a1", "hypervvss.rules": "94cead44245ef6553ab79c0bbac8419e3ff4b241f01bcec66e6f508098cbedd1", "hypervvssd.service": "22270d9f0f23af4ea7905f19c1d5d5495e40c1f782cbb87a99f8aec5a011078d", - "kernel-5.10.21.1.tar.gz": "7b5ef89649dbcd95344e5a374a3144afdc1f2613995870b1613e585fb91abff0" + "kernel-5.10.28.1.tar.gz": "51118e54227410d15c20246e4905d897a8b6b3ebe1326ebe44e1080d0d17c27d" } } \ No newline at end of file diff --git a/SPECS/hyperv-daemons/hyperv-daemons.spec b/SPECS/hyperv-daemons/hyperv-daemons.spec index ac60fa30cdd..09b5b3713ea 100644 --- a/SPECS/hyperv-daemons/hyperv-daemons.spec +++ b/SPECS/hyperv-daemons/hyperv-daemons.spec @@ -8,8 +8,8 @@ %global udev_prefix 70 Summary: Hyper-V daemons suite Name: hyperv-daemons -Version: 5.10.21.1 -Release: 1%{?dist} +Version: 5.10.28.1 +Release: 2%{?dist} License: GPLv2+ Vendor: Microsoft Corporation Distribution: Mariner @@ -219,6 +219,12 @@ fi %{_sbindir}/lsvmbus %changelog +* Thu Apr 15 2021 Rachel Menge - 5.10.28.1-2 +- Update to kernel release 5.10.28.1-2 + +* Thu Apr 08 2021 Chris Co - 5.10.28.1-1 +- Update source to 5.10.28.1 + * Thu Mar 11 2021 Chris Co - 5.10.21.1-1 - Update source to 5.10.21.1 diff --git a/SPECS/icu/icu.signatures.json b/SPECS/icu/icu.signatures.json index a68b97143c0..ee204e88ea9 100644 --- a/SPECS/icu/icu.signatures.json +++ b/SPECS/icu/icu.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "icu-64.2.0.2.tar.gz": "c8778cb09d4eaa9980edb644cbf5f1ccb680849824827373fef272b5dc2d892c" + "icu-68.2.0.6.tar.gz": "d69265080220977fd7fd53869dddd6a1381352005541727d2063ef1261092707" } } diff --git a/SPECS/icu/icu.spec b/SPECS/icu/icu.spec index 578b7824341..ec39da32930 100644 --- a/SPECS/icu/icu.spec +++ b/SPECS/icu/icu.spec 
@@ -1,6 +1,6 @@ Summary: International Components for Unicode. Name: icu -Version: 64.2.0.2 +Version: 68.2.0.6 Release: 1%{?dist} License: BSD and MIT and Public Domain and naist-2003 URL: https://github.com/microsoft/icu @@ -48,7 +48,8 @@ make -C icu/icu4c/source DESTDIR=%{buildroot} install %license LICENSE %{_bindir}/* %{_sbindir}/* -%{_libdir}/*.so.* +%{_libdir}/*.so.68 +%{_libdir}/*.so.68.* %exclude %{_libdir}/debug/ %exclude %{_libdir}/icu/ @@ -60,6 +61,13 @@ make -C icu/icu4c/source DESTDIR=%{buildroot} install %{_libdir}/pkgconfig/*.pc %changelog +* Fri Apr 16 2021 CBL-Mariner Service Account - 68.2.0.6-1 +- Update to version "68.2.0.6". +- Explicitly listing provided shared libraries' versions. + +* Sun Apr 04 2021 CBL-Mariner Service Account - 68.2.0.1-1 +- Update to version "68.2.0.1". + * Fri Jul 31 2020 Nick Samson 64.2.0.2-1 - Updated to 64.2.0.2. * Wed Jun 17 2020 Pawel Winogrodzki 64.2.0.1-1 diff --git a/SPECS/installkernel/COPYING b/SPECS/installkernel/COPYING new file mode 100644 index 00000000000..d159169d105 --- /dev/null +++ b/SPECS/installkernel/COPYING 
@@ -0,0 +1,339 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. 
+ + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. 
diff --git a/SPECS/installkernel/installkernel b/SPECS/installkernel/installkernel new file mode 100644 index 00000000000..4bf5ea15cb6 --- /dev/null +++ b/SPECS/installkernel/installkernel 
@@ -0,0 +1,62 @@
+#!/bin/bash
+# Copyright (c) 2021 Microsoft Corporation.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Arguments:
+# $1 - kernel version
+# $2 - kernel image file
+# $3 - kernel map file
+# $4 - default install path (blank if root directory)
+
+set -e
+
+KERNEL_VERSION="$1"
+KERNEL_IMAGE="$2"
+SYSTEM_MAP="$3"
+DEST_DIR="${4:-/boot}"
+
+echo installkernel $1 $2 $3 $4
+
+FINAL_KERNEL_IMAGE=vmlinuz-"$KERNEL_VERSION"
+FINAL_INITRD=initrd.img-"$KERNEL_VERSION"
+FINAL_LINUX_CFG_PATH="$DEST_DIR"/linux-"$KERNEL_VERSION".cfg
+
+# Copy kernel
+cp "$KERNEL_IMAGE" "$DEST_DIR"/"$FINAL_KERNEL_IMAGE"
+cp "$SYSTEM_MAP" "$DEST_DIR"/System.map-"$KERNEL_VERSION"
+cp $(dirname "$SYSTEM_MAP")/.config "$DEST_DIR"/config-"$KERNEL_VERSION"
+
+# Remake initrd
+if [ ! -d /lib/modules/"$KERNEL_VERSION" ]; then
+ echo Cannot find modules for "$KERNEL_VERSION"
+ echo Please run: make modules_install
+ exit 1
+fi
+mkinitrd -q "$DEST_DIR"/"$FINAL_INITRD" "$KERNEL_VERSION" -k
+
+# Create linux cfg file if it doesn't exist
+if [ ! -f "$FINAL_LINUX_CFG_PATH" ]; then
+ cp -f "$DEST_DIR"/mariner.cfg "$FINAL_LINUX_CFG_PATH"
+fi
+
+# Update contents
+sed -i "s/mariner_linux=.*$/mariner_linux=${FINAL_KERNEL_IMAGE}/" "$FINAL_LINUX_CFG_PATH"
+sed -i "s/mariner_initrd=.*$/mariner_initrd=${FINAL_INITRD}/" "$FINAL_LINUX_CFG_PATH"
+
+# Update mariner.cfg symlink so grub boots this configuration now
+ln -sf "$DEST_DIR"/linux-"$KERNEL_VERSION".cfg "$DEST_DIR"/mariner.cfg
+
+exit 0
diff --git a/SPECS/installkernel/installkernel.signatures.json b/SPECS/installkernel/installkernel.signatures.json
new file mode 100644
index 00000000000..ddf496b26f8
--- /dev/null
+++ b/SPECS/installkernel/installkernel.signatures.json
@@ -0,0 +1,6 @@
+{
+ "Signatures": {
+ "COPYING": "8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643",
+ "installkernel": "6798c2a42eaeb67020fe4b9ee9d04491146b7d10c779ddf1e7b54742a0c4c30a"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/installkernel/installkernel.spec b/SPECS/installkernel/installkernel.spec
new file mode 100644
index 00000000000..44cf8efef60
--- /dev/null
+++ b/SPECS/installkernel/installkernel.spec
@@ -0,0 +1,34 @@
+Summary: Custom installkernel script for installing the Linux kernel
+Name: installkernel
+Version: 1.0.0
+Release: 1%{?dist}
+License: GPLv2
+Vendor: Microsoft Corporation
+Distribution: Mariner
+Group: System Environment/Kernel
+Source0: installkernel
+Source1: COPYING
+BuildArch: noarch
+
+%description
+Custom installkernel script to easily install the Linux kernel onto a running
+Mariner system. This script will get called automatically by the Linux kernel's
+"make install" command.
+
+%prep
+
+%build
+
+%install
+install -vdm 755 %{buildroot}%{_sbindir}
+install -vm 744 %{SOURCE0} %{buildroot}%{_sbindir}/installkernel
+cp %{SOURCE1} COPYING
+
+%files
+%defattr(-,root,root)
+%license COPYING
+%{_sbindir}/installkernel
+
+%changelog
+* Mon Mar 29 2021 Chris Co - 1.0.0-1
+- Initial version of the installkernel package
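Review bot: The final `ln -sf "$DEST_DIR"/linux-"$KERNEL_VERSION".cfg "$DEST_DIR"/mariner.cfg` bakes the absolute install path into the symlink, so when `$4` is a staging directory rather than the live `/boot` the link dangles once that tree is mounted as `/boot`; the kernel-hyperv spec later in this diff uses a relative target (`ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg`), and this script should match it with `ln -sf linux-"$KERNEL_VERSION".cfg "$DEST_DIR"/mariner.cfg`. The `cp $(dirname "$SYSTEM_MAP")/.config …` line leaves the substitution unquoted, so a build-tree path containing whitespace splits into several arguments; write `cp "$(dirname "$SYSTEM_MAP")/.config" "$DEST_DIR"/config-"$KERNEL_VERSION"`. Both `sed -i` calls splice `$KERNEL_VERSION` into the replacement unescaped, so a version string containing `/` or `&` would corrupt the default boot entry rather than fail; since this runs as root and rewrites what GRUB boots next, a cheap guard before the edits is `case "$KERNEL_VERSION" in ""|*[/&]*) echo "unsupported kernel version string" >&2; exit 1;; esac`. Because the script makes a locally built, presumably unsigned kernel the default GRUB entry while the grub2 package in this series carries the shim-verification patch (0157), a header comment warning that Secure Boot machines are likely to refuse to boot the result would save users a surprise.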
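Review bot: The spec installs a script that calls `mkinitrd` and `sed` at runtime but declares no `Requires:`, so on a host without the initrd tool `make install` fails after the kernel image has already been copied into `/boot` (the script runs under `set -e`). Add `Requires: mkinitrd` — or whichever Mariner package provides that binary — next to `BuildArch: noarch` so the dependency is resolved at package install time rather than discovered mid-update. The script also assumes `$DEST_DIR/mariner.cfg` already exists, since it copies that file as the template for the new entry; stating in `%description` that the script targets an existing Mariner `/boot` layout would make that precondition visible to anyone installing the package elsewhere.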
diff --git a/SPECS/kernel-headers/kernel-headers.signatures.json b/SPECS/kernel-headers/kernel-headers.signatures.json index 819e36f9d91..dd269727900 100644 --- a/SPECS/kernel-headers/kernel-headers.signatures.json +++ b/SPECS/kernel-headers/kernel-headers.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "kernel-5.10.21.1.tar.gz": "7b5ef89649dbcd95344e5a374a3144afdc1f2613995870b1613e585fb91abff0" + "kernel-5.10.28.1.tar.gz": "51118e54227410d15c20246e4905d897a8b6b3ebe1326ebe44e1080d0d17c27d" } } \ No newline at end of file diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec index 427c88f355c..f3cc67bf228 100644 --- a/SPECS/kernel-headers/kernel-headers.spec +++ b/SPECS/kernel-headers/kernel-headers.spec @@ -1,6 +1,6 @@ Summary: Linux API header files Name: kernel-headers -Version: 5.10.21.1 +Version: 5.10.28.1 Release: 4%{?dist} License: GPLv2 Vendor: Microsoft Corporation @@ -35,6 +35,18 @@ cp -rv usr/include/* /%{buildroot}%{_includedir} %{_includedir}/* %changelog +* Thu Apr 22 2021 Chris Co - 5.10.28.1-4 +- Bump release number to match kernel release + +* Mon Apr 19 2021 Chris Co - 5.10.28.1-3 +- Bump release number to match kernel-signed update + +* Thu Apr 15 2021 Rachel Menge - 5.10.28.1-2 +- Update to kernel release 5.10.28.1-2 + +* Thu Apr 08 2021 Chris Co - 5.10.28.1-1 +- Update source to 5.10.28.1 + * Fri Mar 26 2021 Daniel Mihai - 5.10.21.1-4 - Update to kernel release 5.10.21.1-4 diff --git a/SPECS/kernel-hyperv/config b/SPECS/kernel-hyperv/config index 545c6e2af13..b5f02fd2cba 100644 --- a/SPECS/kernel-hyperv/config +++ b/SPECS/kernel-hyperv/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 5.10.21.1-rolling-lts-mariner Kernel Configuration +# Linux/x86_64 5.10.28.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 9.1.0" CONFIG_CC_IS_GCC=y 
@@ -1537,7 +1537,6 @@ CONFIG_PCIEASPM_DEFAULT=y # CONFIG_PCIEASPM_PERFORMANCE is not set # CONFIG_PCIE_DPC is not set # CONFIG_PCIE_PTM is not set -# CONFIG_PCIE_BW is not set CONFIG_PCI_MSI=y CONFIG_PCI_MSI_IRQ_DOMAIN=y CONFIG_PCI_QUIRKS=y @@ -3260,6 +3259,7 @@ CONFIG_UIO=m # CONFIG_UIO_PRUSS is not set # CONFIG_UIO_MF624 is not set CONFIG_UIO_HV_GENERIC=m +# CONFIG_VFIO is not set CONFIG_VIRT_DRIVERS=y # CONFIG_VBOXGUEST is not set # CONFIG_NITRO_ENCLAVES is not set @@ -3278,6 +3278,7 @@ CONFIG_HYPERV_TIMER=y CONFIG_HYPERV_UTILS=m CONFIG_HYPERV_BALLOON=m CONFIG_DXGKRNL=m +# CONFIG_DXGKRNL_DEBUG is not set # end of Microsoft Hyper-V guest support # CONFIG_GREYBUS is not set diff --git a/SPECS/kernel-hyperv/kernel-hyperv.signatures.json b/SPECS/kernel-hyperv/kernel-hyperv.signatures.json index c969898bbed..62db6fa6d68 100644 --- a/SPECS/kernel-hyperv/kernel-hyperv.signatures.json +++ b/SPECS/kernel-hyperv/kernel-hyperv.signatures.json @@ -1,7 +1,7 @@ { "Signatures": { - "config": "c5426e82771a878a06758657e7442ae693f76a88994b3cad36ead19c4a48f2a5", - "kernel-5.10.21.1.tar.gz": "7b5ef89649dbcd95344e5a374a3144afdc1f2613995870b1613e585fb91abff0", + "config": "409a59c15de0b9a2417df76b89dfe9796449a2e1b45ea0d48ea09013a012c947", + "kernel-5.10.28.1.tar.gz": "51118e54227410d15c20246e4905d897a8b6b3ebe1326ebe44e1080d0d17c27d", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f" } } \ No newline at end of file diff --git a/SPECS/kernel-hyperv/kernel-hyperv.spec b/SPECS/kernel-hyperv/kernel-hyperv.spec index 5c8ec3fa8b7..4294a17b6b4 100644 --- a/SPECS/kernel-hyperv/kernel-hyperv.spec +++ b/SPECS/kernel-hyperv/kernel-hyperv.spec 
@@ -1,10 +1,10 @@ %global security_hardening none %global sha512hmac bash %{_sourcedir}/sha512hmac-openssl.sh -%define uname_r %{version}-rolling-lts-mariner-%{release} +%define uname_r %{version}-%{release} Summary: Linux Kernel optimized for Hyper-V Name: kernel-hyperv -Version: 5.10.21.1 -Release: 2%{?dist} +Version: 5.10.28.1 +Release: 4%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Mariner @@ -274,6 +274,19 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %{_libdir}/perf/include/bpf/* %changelog +* Thu Apr 22 2021 Chris Co - 5.10.28.1-4 +- Bump release number to match kernel release + +* Mon Apr 19 2021 Chris Co - 5.10.28.1-3 +- Bump release number to match kernel-signed update + +* Thu Apr 15 2021 Rachel Menge - 5.10.28.1-2 +- Update to kernel release 5.10.28.1-2 + +* Thu Apr 08 2021 Chris Co - 5.10.28.1-1 +- Update source to 5.10.28.1 +- Update uname_r define to match the new value derived from the source + * Thu Mar 18 2021 Chris Co - 5.10.21.1-2 - Enable CONFIG_FANOTIFY_ACCESS_PERMISSIONS diff --git a/SPECS/kernel/CVE-2020-16120.nopatch b/SPECS/kernel/CVE-2020-16120.nopatch new file mode 100644 index 00000000000..e514b1760c2 --- /dev/null +++ b/SPECS/kernel/CVE-2020-16120.nopatch @@ -0,0 +1,3 @@ +CVE-2020-16120 - already patched in 5.10.28.1 stable kernel +Upstream: 05acefb4872dae89e772729efb194af754c877e8 +Stable: 48bd024b8a40d73ad6b086de2615738da0c7004f \ No newline at end of file diff --git a/SPECS/kernel/CVE-2020-27170.nopatch b/SPECS/kernel/CVE-2020-27170.nopatch new file mode 100644 index 00000000000..780f091b439 --- /dev/null +++ b/SPECS/kernel/CVE-2020-27170.nopatch @@ -0,0 +1,3 @@ +CVE-2020-27170 - already patched in 5.10.28.1 stable kernel +Upstream: f232326f6966cf2a1d1db7bc917a4ce5f9f55f76 +Stable: c4d37eea1c641a9319baf34253cc373abb39d3e1 \ No newline at end of file diff --git a/SPECS/kernel/CVE-2020-27171.nopatch b/SPECS/kernel/CVE-2020-27171.nopatch new file mode 100644 index 00000000000..53fe35470ea --- /dev/null 
+++ b/SPECS/kernel/CVE-2020-27171.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-27171 - already patched in 5.10.28.1 stable kernel
+Upstream: 10d2bb2e6b1d8c4576c56a748f697dbeb8388899
+Stable: ac1b87a18c1ffbe3d093000b762121b5aae0a3f9
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2020-35508.nopatch b/SPECS/kernel/CVE-2020-35508.nopatch
new file mode 100644
index 00000000000..65399193734
--- /dev/null
+++ b/SPECS/kernel/CVE-2020-35508.nopatch
@@ -0,0 +1,3 @@
+CVE-2020-35508 - already patched in 5.10.28.1 stable kernel
+Upstream: b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948
+Stable: b4e00444cab4c3f3fec876dc0cccc8cbb0d1a948
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-28375.nopatch b/SPECS/kernel/CVE-2021-28375.nopatch
new file mode 100644
index 00000000000..0b86960ef19
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-28375.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-28375 - already patched in 5.10.28.1 stable kernel
+Upstream: 20c40794eb85ea29852d7bc37c55713802a543d6
+Stable: 52feb58f9b5b078b5a39ed8ba8ab3b4546e16ff2
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-28660.nopatch b/SPECS/kernel/CVE-2021-28660.nopatch
new file mode 100644
index 00000000000..549a0f047c5
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-28660.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-28660 - already patched in 5.10.28.1 stable kernel
+Upstream: 74b6b20df8cfe90ada777d621b54c32e69e27cd7
+Stable: d972a516958dee489911d9f57ee7a177834ef248
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-28950.nopatch b/SPECS/kernel/CVE-2021-28950.nopatch
new file mode 100644
index 00000000000..70212dc2140
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-28950.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-28950 - already patched in 5.10.28.1 stable kernel
+Upstream: 775c5033a0d164622d9d10dd0f0a5531639ed3ed
+Stable: d955f13ea2120269319d6133d0dd82b66d1eeca3
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-28951.nopatch b/SPECS/kernel/CVE-2021-28951.nopatch
new file mode 100644
index 00000000000..1627975ec5b
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-28951.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-28951 - already patched in 5.10.28.1 stable kernel
+Upstream: 3ebba796fa251d042be42b929a2d916ee5c34a49
+Stable: 6cae8095490caae12875300243ec94b39b6a2a78
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-28952.nopatch b/SPECS/kernel/CVE-2021-28952.nopatch
new file mode 100644
index 00000000000..e7af4379aba
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-28952.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-28952 - already patched in 5.10.28.1 stable kernel
+Upstream: 1c668e1c0a0f74472469cd514f40c9012b324c31
+Stable: 26b08c08a5f3008fe45822d8b163f1516178c42b
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-28964.nopatch b/SPECS/kernel/CVE-2021-28964.nopatch
new file mode 100644
index 00000000000..dbcb485de77
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-28964.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-28964 - already patched in 5.10.28.1 stable kernel
+Upstream: dbcc7d57bffc0c8cac9dac11bec548597d59a6a5
+Stable: 38ffe9eaeb7cce383525439f0948f9eb74632e1d
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-28971.nopatch b/SPECS/kernel/CVE-2021-28971.nopatch
new file mode 100644
index 00000000000..58b652a973e
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-28971.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-28971 - already patched in 5.10.28.1 stable kernel
+Upstream: d88d05a9e0b6d9356e97129d4ff9942d765f46ea
+Stable: 514ea597be8e4b6a787bc34da111c44944fbf5a5
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-28972.nopatch b/SPECS/kernel/CVE-2021-28972.nopatch
new file mode 100644
index 00000000000..6021df2e18a
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-28972.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-28972 - already patched in 5.10.28.1 stable kernel
+Upstream: cc7a0bb058b85ea03db87169c60c7cfdd5d34678
+Stable: be1f58e58f7644ab33f1413685c84173766408d3
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-29264.nopatch b/SPECS/kernel/CVE-2021-29264.nopatch
new file mode 100644
index 00000000000..761811b866e
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-29264.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-29264 - already patched in 5.10.28.1 stable kernel
+Upstream: d8861bab48b6c1fc3cdbcab8ff9d1eaea43afe7f
+Stable: b8bfda6e08b8a419097eea5a8e57671bc36f9939
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-29265.nopatch b/SPECS/kernel/CVE-2021-29265.nopatch
new file mode 100644
index 00000000000..040f5b91468
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-29265.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-29265 - already patched in 5.10.28.1 stable kernel
+Upstream: 9380afd6df70e24eacbdbde33afc6a3950965d22
+Stable: ab5c3186686aa87c741381d10a948817f1deb9b2
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-29266.nopatch b/SPECS/kernel/CVE-2021-29266.nopatch
new file mode 100644
index 00000000000..1ae1f2f361b
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-29266.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-29266 - already patched in 5.10.28.1 stable kernel
+Upstream: f6bbf0010ba004f5e90c7aefdebc0ee4bd3283b9
+Stable: 49ca3100fbaf864853c922c8f7a8fe7090a83860
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-29646.nopatch b/SPECS/kernel/CVE-2021-29646.nopatch
new file mode 100644
index 00000000000..df31acf6b40
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-29646.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-29646 - already patched in 5.10.28.1 stable kernel
+Upstream: 0217ed2848e8538bcf9172d97ed2eeb4a26041bb
+Stable: 50f41f2e29ff1980f7edfca40bbf81a4336b9feb
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-29647.nopatch b/SPECS/kernel/CVE-2021-29647.nopatch
new file mode 100644
index 00000000000..78011619563
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-29647.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-29647 - already patched in 5.10.28.1 stable kernel
+Upstream: 50535249f624d0072cd885bcdce4e4b6fb770160
+Stable: fce6fb90218935f7319265459484b3762c80d0a8
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-29648.nopatch b/SPECS/kernel/CVE-2021-29648.nopatch
new file mode 100644
index 00000000000..1aaf42e828b
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-29648.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-29648 - Introducing commit not in stable tree. No fix necessary at this time.
+Upstream introducing commit - 5329722057d41aebc31e391907a501feaa42f7d9
+Upstream fix commit - 350a5c4dd2452ea999cc5e1d4a8dbf12de2f97ef
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-29649.nopatch b/SPECS/kernel/CVE-2021-29649.nopatch
new file mode 100644
index 00000000000..ff8c9b3b158
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-29649.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-29649 - already patched in 5.10.28.1 stable kernel
+Upstream: f60a85cad677c4f9bb4cadd764f1d106c38c7cf8
+Stable: ccd5565feea346697c1d1e8e9cd042218b49c44b
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-29650.nopatch b/SPECS/kernel/CVE-2021-29650.nopatch
new file mode 100644
index 00000000000..69276bf16b3
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-29650.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-29650 - already patched in 5.10.28.1 stable kernel
+Upstream: 175e476b8cdf2a4de7432583b49c871345e4f8a1
+Stable: 3fdebc2d8e7965f946a3d716ffdd482e66c1f46c
\ No newline at end of file
diff --git a/SPECS/kernel/CVE-2021-30002.nopatch b/SPECS/kernel/CVE-2021-30002.nopatch
new file mode 100644
index 00000000000..fe6ca441f71
--- /dev/null
+++ b/SPECS/kernel/CVE-2021-30002.nopatch
@@ -0,0 +1,3 @@
+CVE-2021-30002 - already patched in 5.10.28.1 stable kernel
+Upstream: fb18802a338b36f675a388fc03d2aa504a0d0899
+Stable: 5400770e31e8b80efc25b4c1d619361255174d11
\ No newline at end of file
diff --git a/SPECS/kernel/config b/SPECS/kernel/config
index 96e62c87a9f..463985418e9 100644
--- a/SPECS/kernel/config
+++ b/SPECS/kernel/config @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86_64 5.10.21.1-rolling-lts-mariner Kernel Configuration +# Linux/x86_64 5.10.28.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 9.1.0" CONFIG_CC_IS_GCC=y @@ -662,7 +662,7 @@ CONFIG_EFI_GENERIC_STUB_INITRD_CMDLINE_LOADER=y # CONFIG_APPLE_PROPERTIES is not set CONFIG_RESET_ATTACK_MITIGATION=y # CONFIG_EFI_RCI2_TABLE is not set -CONFIG_EFI_DISABLE_PCI_DMA=y +# CONFIG_EFI_DISABLE_PCI_DMA is not set # end of EFI (Extensible Firmware Interface) Support CONFIG_UEFI_CPER=y @@ -1754,7 +1754,6 @@ CONFIG_PCIEASPM_DEFAULT=y CONFIG_PCIE_PME=y # CONFIG_PCIE_DPC is not set # CONFIG_PCIE_PTM is not set -# CONFIG_PCIE_BW is not set CONFIG_PCI_MSI=y CONFIG_PCI_MSI_IRQ_DOMAIN=y CONFIG_PCI_QUIRKS=y @@ -5507,6 +5506,7 @@ CONFIG_HYPERV_TIMER=y CONFIG_HYPERV_UTILS=m CONFIG_HYPERV_BALLOON=m CONFIG_DXGKRNL=m +# CONFIG_DXGKRNL_DEBUG is not set # end of Microsoft Hyper-V guest support # @@ -5514,7 +5514,7 @@ CONFIG_DXGKRNL=m # CONFIG_XEN_BALLOON=y CONFIG_XEN_BALLOON_MEMORY_HOTPLUG=y -CONFIG_XEN_BALLOON_MEMORY_HOTPLUG_LIMIT=512 +CONFIG_XEN_MEMORY_HOTPLUG_LIMIT=512 CONFIG_XEN_SCRUB_PAGES_DEFAULT=y CONFIG_XEN_DEV_EVTCHN=m CONFIG_XEN_BACKEND=y @@ -5800,7 +5800,6 @@ CONFIG_IIO_ST_ACCEL_I2C_3AXIS=m # CONFIG_AD7291 is not set # CONFIG_AD7606_IFACE_PARALLEL is not set # CONFIG_AD799X is not set -# CONFIG_ADI_AXI_ADC is not set # CONFIG_HX711 is not set # CONFIG_INA2XX_ADC is not set # CONFIG_LTC2471 is not set diff --git a/SPECS/kernel/config_aarch64 b/SPECS/kernel/config_aarch64 index 2fa5fb34720..bc104136432 100644 --- a/SPECS/kernel/config_aarch64 +++ b/SPECS/kernel/config_aarch64 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm64 5.10.21.1-rolling-lts-mariner Kernel Configuration +# Linux/arm64 5.10.28.1 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 9.1.0" CONFIG_CC_IS_GCC=y 
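Review bot: The early-boot DMA protection is dropped by the `@@ -662` hunk, where `CONFIG_EFI_DISABLE_PCI_DMA=y` becomes `# CONFIG_EFI_DISABLE_PCI_DMA is not set` (the `@@ -629` hunk of `SPECS/kernel/config_aarch64` makes the same change): this option has the EFI stub clear PCI bus-mastering before ExitBootServices(), so without it any attached PCI device can again issue DMA in the window between firmware hand-off and IOMMU initialisation. The kernel.spec changelog for 5.10.28.1-4 records only that it "can cause boot issues on some hardware"; it does not say which platforms were affected or whether the per-machine override (`efi=no_disable_early_pci_dma` on the command line, with the Kconfig default kept) was evaluated before disabling it for every image. Because both config files are generated ("DO NOT EDIT"), the rationale belongs in kernel.spec, e.g. `# CONFIG_EFI_DISABLE_PCI_DMA turned off in 5.10.28.1-4 (boot failures on some hardware); early-boot DMA protection now relies on the IOMMU being enabled by firmware and kernel`. A tracked follow-up to re-enable it once the affected hardware is identified would keep the regression from becoming permanent.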
@@ -629,7 +629,7 @@ CONFIG_EFI_GENERIC_STUB_INITRD_CMDLINE_LOADER=y # CONFIG_EFI_CAPSULE_LOADER is not set # CONFIG_EFI_TEST is not set CONFIG_RESET_ATTACK_MITIGATION=y -CONFIG_EFI_DISABLE_PCI_DMA=y +# CONFIG_EFI_DISABLE_PCI_DMA is not set # end of EFI (Extensible Firmware Interface) Support CONFIG_UEFI_CPER=y @@ -2031,7 +2031,6 @@ CONFIG_PCIEASPM_DEFAULT=y CONFIG_PCIE_PME=y CONFIG_PCIE_DPC=y CONFIG_PCIE_PTM=y -# CONFIG_PCIE_BW is not set # CONFIG_PCIE_EDR is not set CONFIG_PCI_MSI=y CONFIG_PCI_MSI_IRQ_DOMAIN=y @@ -7559,6 +7558,7 @@ CONFIG_HYPERV_TIMER=y CONFIG_HYPERV_UTILS=m CONFIG_HYPERV_BALLOON=y CONFIG_DXGKRNL=y +# CONFIG_DXGKRNL_DEBUG is not set # end of Microsoft Hyper-V guest support # diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json index 521fba017a4..7da435aaae9 100644 --- a/SPECS/kernel/kernel.signatures.json +++ b/SPECS/kernel/kernel.signatures.json @@ -1,8 +1,8 @@ { "Signatures": { - "config": "ed2ad5c004ef1a40cb8f33aa7f5a2c23fa74b4485e12f4f92a90e880002f2b6f", - "config_aarch64": "f2222dc3ff9739cb08a6ef009ad8742552ab1cbc90d075f9746647df297301c4", - "kernel-5.10.21.1.tar.gz": "7b5ef89649dbcd95344e5a374a3144afdc1f2613995870b1613e585fb91abff0", + "config": "37dacc87cdac3d733618dea2733d5e4d98caed2bcf9c0cdc30c46691ccd695ef", + "config_aarch64": "cd6fd817674f65a2c12ef6069835762fa0f41d8bff1d05655604dcbd25e03f14", + "kernel-5.10.28.1.tar.gz": "51118e54227410d15c20246e4905d897a8b6b3ebe1326ebe44e1080d0d17c27d", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f" } } diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec index 1009b3e9c7e..dbe5daa8005 100644 --- a/SPECS/kernel/kernel.spec +++ b/SPECS/kernel/kernel.spec 
@@ -1,9 +1,9 @@
 %global security_hardening none
 %global sha512hmac bash %{_sourcedir}/sha512hmac-openssl.sh
-%define uname_r %{version}-rolling-lts-mariner-%{release}
+%define uname_r %{version}-%{release}
 Summary: Linux Kernel
 Name: kernel
-Version: 5.10.21.1
+Version: 5.10.28.1
 Release: 4%{?dist}
 License: GPLv2
 Vendor: Microsoft Corporation
@@ -136,6 +136,28 @@ Patch1107: CVE-2021-26932.nopatch
 Patch1108: CVE-2021-27365.nopatch
 Patch1109: CVE-2021-27364.nopatch
 Patch1110: CVE-2021-27363.nopatch
+Patch1111: CVE-2020-27170.nopatch
+Patch1112: CVE-2020-27171.nopatch
+Patch1113: CVE-2021-28375.nopatch
+Patch1114: CVE-2021-28660.nopatch
+Patch1115: CVE-2021-28950.nopatch
+Patch1116: CVE-2021-28951.nopatch
+Patch1117: CVE-2021-28952.nopatch
+Patch1118: CVE-2021-28971.nopatch
+Patch1119: CVE-2021-28972.nopatch
+Patch1120: CVE-2021-29266.nopatch
+Patch1121: CVE-2021-28964.nopatch
+Patch1122: CVE-2020-35508.nopatch
+Patch1123: CVE-2020-16120.nopatch
+Patch1124: CVE-2021-29264.nopatch
+Patch1125: CVE-2021-29265.nopatch
+Patch1126: CVE-2021-29646.nopatch
+Patch1127: CVE-2021-29647.nopatch
+Patch1128: CVE-2021-29649.nopatch
+Patch1129: CVE-2021-29650.nopatch
+Patch1130: CVE-2021-30002.nopatch
+# CVE-2021-29648 - Introducing commit not in stable tree. No fix necessary at this time.
+Patch1131: CVE-2021-29648.nopatch
 BuildRequires: audit-devel
 BuildRequires: bash
 BuildRequires: bc
@@ -474,6 +496,24 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg %endif %changelog +* Thu Apr 22 2021 Chris Co - 5.10.28.1-4 +- Disable CONFIG_EFI_DISABLE_PCI_DMA. It can cause boot issues on some hardware. + +* Mon Apr 19 2021 Chris Co - 5.10.28.1-3 +- Bump release number to match kernel-signed update + +* Thu Apr 15 2021 Rachel Menge - 5.10.28.1-2 +- Address CVE-2021-29648 + +* Thu Apr 08 2021 Chris Co - 5.10.28.1-1 +- Update source to 5.10.28.1 +- Update uname_r define to match the new value derived from the source +- Address CVE-2020-27170, CVE-2020-27171, CVE-2021-28375, CVE-2021-28660, + CVE-2021-28950, CVE-2021-28951, CVE-2021-28952, CVE-2021-28971, + CVE-2021-28972, CVE-2021-29266, CVE-2021-28964, CVE-2020-35508, + CVE-2020-16120, CVE-2021-29264, CVE-2021-29265, CVE-2021-29646, + CVE-2021-29647, CVE-2021-29649, CVE-2021-29650, CVE-2021-30002 + * Fri Mar 26 2021 Daniel Mihai - 5.10.21.1-4 - Enable CONFIG_CRYPTO_DRBG_HASH, CONFIG_CRYPTO_DRBG_CTR diff --git a/SPECS/kubernetes/golang-1.15-k8s-1.17-test.patch b/SPECS/kubernetes/golang-1.15-k8s-1.17-test.patch deleted file mode 100644 index 3242d68ebfc..00000000000 --- a/SPECS/kubernetes/golang-1.15-k8s-1.17-test.patch +++ /dev/null 
@@ -1,20 +0,0 @@ ---- test.sh 2020-10-14 17:58:31.000000000 -0700 -+++ test-golang-1.15.sh 2021-01-05 10:55:19.515412980 -0800 -@@ -267,6 +267,17 @@ - - verifyPathsToPackagesUnderTest "$@" - -+ # vet tool which is by default invoked by 'go test' command will fail -+ # because of a verification that is specific to golang 1.15 (stringintconv) -+ # => exclude that verification from the vet check list (see golang doc for more) -+ # -+ # this version of kubernetes was initially built against golang 1.13 which vet tool does not -+ # has the problematic check. CBL-Mariner moved to golang 1.15 and consequenlty build this version of kubernetes -+ # against golang 1.15 -+ # -+ go_vet_tests=asmdecl,assign,atomic,bools,buildtag,cgocall,composites,copylocks,errorsas,httpresponse,ifaceassert,loopclosure,lostcancel,nilfunc,printf,shift,stdmethods,structtag,tests,unmarshal,unreachable,unsafeptr,unusedresult -+ goflags+=(-vet $go_vet_tests) -+ - # If we're not collecting coverage, run all requested tests with one 'go test' - # command, which is much faster. - if [[ ! ${KUBE_COVER} =~ ^[yY]$ ]]; then diff --git a/SPECS/kubernetes/kubernetes-1.17.13.signatures.json b/SPECS/kubernetes/kubernetes-1.17.13.signatures.json deleted file mode 100644 index 171c790b8bf..00000000000 --- a/SPECS/kubernetes/kubernetes-1.17.13.signatures.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "Signatures": { - "golang-1.15-k8s-1.17-test.patch": "4607a1675331e309f651737cd10114e2a610dcd0250ec06a46e4de7feb000161", - "kubelet.service": "22ea9e0b85aa9db9e1accfb6c21843683425fc1af9c0a2669523e42a455dc57e", - "kubernetes-node-linux-amd64-1.17.13-hotfix.20210310.tar.gz": "d4956906392c59dc72554352bc99c671eac6fef6c529766fad52e656f52d3354" - } -} \ No newline at end of file diff --git a/SPECS/kubernetes/kubernetes-1.17.16.signatures.json b/SPECS/kubernetes/kubernetes-1.17.16.signatures.json deleted file mode 100644 index aa87fcd3feb..00000000000 --- a/SPECS/kubernetes/kubernetes-1.17.16.signatures.json +++ /dev/null 
@@ -1,7 +1,7 @@
-{
- "Signatures": {
- "golang-1.15-k8s-1.17-test.patch": "4607a1675331e309f651737cd10114e2a610dcd0250ec06a46e4de7feb000161",
- "kubelet.service": "22ea9e0b85aa9db9e1accfb6c21843683425fc1af9c0a2669523e42a455dc57e",
- "kubernetes-node-linux-amd64-1.17.16-hotfix.20210310.tar.gz": "69d3b5a1637a801b49b19ec8dc0511b1b3584954bf709ce4c2f487c3c4c2ba75"
- }
-}
\ No newline at end of file
diff --git a/SPECS/kubernetes/kubernetes-1.18.14.signatures.json b/SPECS/kubernetes/kubernetes-1.18.14.signatures.json
index 034a7aa99fb..442de6abd62 100644
--- a/SPECS/kubernetes/kubernetes-1.18.14.signatures.json
+++ b/SPECS/kubernetes/kubernetes-1.18.14.signatures.json
@@ -2,6 +2,6 @@
 "Signatures": {
 "golang-1.15-k8s-1.18-test.patch": "043a5ae433066335578701d29544c81669ffaa19fa14d987a82fd8b5a3acdd88",
 "kubelet.service": "22ea9e0b85aa9db9e1accfb6c21843683425fc1af9c0a2669523e42a455dc57e",
- "kubernetes-node-linux-amd64-1.18.14-hotfix.20210310.tar.gz": "61882517bc8e211a56219ee6cf0bf7f9ed7499bf9e9ebe1d004c3a12d280ba6f"
+ "kubernetes-node-linux-amd64-1.18.14-hotfix.20210428.tar.gz": "ccbba2aa26f2ebf589ccf5d52a88b7347e663d6fc53d1fbbf8b1e0b93d3db5b6"
 }
 }
\ No newline at end of file
diff --git a/SPECS/kubernetes/kubernetes-1.18.14.spec b/SPECS/kubernetes/kubernetes-1.18.14.spec
index 579c7841214..29904427ab1 100644
--- a/SPECS/kubernetes/kubernetes-1.18.14.spec
+++ b/SPECS/kubernetes/kubernetes-1.18.14.spec
@@ -10,15 +10,15 @@ Summary: Microsoft Kubernetes Name: kubernetes Version: 1.18.14 -Release: 2%{?dist} +Release: 4%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner Group: Microsoft Kubernetes URL: https://mcr.microsoft.com/oss -#Source0: https://kubernetesartifacts.azureedge.net/kubernetes/v1.18.14-hotfix.20210310/binaries/kubernetes-node-linux-amd64.tar.gz +#Source0: https://kubernetesartifacts.azureedge.net/kubernetes/v1.18.14-hotfix.20210428/binaries/kubernetes-node-linux-amd64.tar.gz # Note that only amd64 tarball exist which is OK since kubernetes is built from source -Source0: kubernetes-node-linux-amd64-%{version}-hotfix.20210310.tar.gz +Source0: kubernetes-node-linux-amd64-%{version}-hotfix.20210428.tar.gz Source1: kubelet.service Source2: golang-1.15-k8s-1.18-test.patch # CVE-2020-8565 Kubernetes doc on website recommend to not enable debug level logging in production (no patch available) @@ -270,6 +270,12 @@ fi %{_bindir}/pause %changelog +* Thu Apr 29 2021 CBL-Mariner Service Account - 1.18.14-4 +- Update to version "1.18.14-hotfix.20210428". + +* Mon Mar 29 2021 CBL-Mariner Service Account - 1.18.14-3 +- Update to version "1.18.14-hotfix.20210322". + * Thu Mar 18 2021 CBL-Mariner Service Account - 1.18.14-2 - Update to version "1.18.14-hotfix.20210310". diff --git a/SPECS/kubernetes/kubernetes-1.18.10.signatures.json b/SPECS/kubernetes/kubernetes-1.18.17.signatures.json similarity index 62% rename from SPECS/kubernetes/kubernetes-1.18.10.signatures.json rename to SPECS/kubernetes/kubernetes-1.18.17.signatures.json index 0624a55656a..fc4468c8bf9 100644 --- a/SPECS/kubernetes/kubernetes-1.18.10.signatures.json +++ b/SPECS/kubernetes/kubernetes-1.18.17.signatures.json 
@@ -2,6 +2,6 @@
 "Signatures": {
 "golang-1.15-k8s-1.18-test.patch": "043a5ae433066335578701d29544c81669ffaa19fa14d987a82fd8b5a3acdd88",
 "kubelet.service": "22ea9e0b85aa9db9e1accfb6c21843683425fc1af9c0a2669523e42a455dc57e",
- "kubernetes-node-linux-amd64-1.18.10-hotfix.20210310.tar.gz": "ebcf3947e9078638c7a88b02679f5fe6d3e9cd423b3839f84758bb2cac58e81f"
+ "kubernetes-node-linux-amd64-1.18.17-hotfix.20210428.tar.gz": "fa07d9d5e0c0d45b449bb5e422c9ccd01c4890a48a648673f6a503386985aa0a"
 }
 }
\ No newline at end of file
diff --git a/SPECS/kubernetes/kubernetes-1.17.16.spec b/SPECS/kubernetes/kubernetes-1.18.17.spec
similarity index 82%
rename from SPECS/kubernetes/kubernetes-1.17.16.spec
rename to SPECS/kubernetes/kubernetes-1.18.17.spec
index c01b2b8f03b..350c7847977 100644
--- a/SPECS/kubernetes/kubernetes-1.17.16.spec
+++ b/SPECS/kubernetes/kubernetes-1.18.17.spec
@@ -9,18 +9,18 @@
 %define container_image_components 'kube-proxy kube-apiserver kube-controller-manager kube-scheduler'
 Summary: Microsoft Kubernetes
 Name: kubernetes
-Version: 1.17.16
+Version: 1.18.17
 Release: 2%{?dist}
 License: ASL 2.0
 Vendor: Microsoft Corporation
 Distribution: Mariner
 Group: Microsoft Kubernetes
 URL: https://mcr.microsoft.com/oss
-#Source0: https://kubernetesartifacts.azureedge.net/kubernetes/v1.17.16-hotfix.20210310/binaries/kubernetes-node-linux-amd64.tar.gz
+#Source0: https://kubernetesartifacts.azureedge.net/kubernetes/v1.18.17-hotfix.20210428/binaries/kubernetes-node-linux-amd64.tar.gz
 # Note that only amd64 tarball exist which is OK since kubernetes is built from source
-Source0: kubernetes-node-linux-amd64-%{version}-hotfix.20210310.tar.gz
+Source0: kubernetes-node-linux-amd64-%{version}-hotfix.20210428.tar.gz
 Source1: kubelet.service
-Source2: golang-1.15-k8s-1.17-test.patch
+Source2: golang-1.15-k8s-1.18-test.patch
 # CVE-2020-8565 Kubernetes doc on website recommend to not enable debug level logging in production (no patch available)
 Patch0: CVE-2020-8565.nopatch
 # CVE-2020-8563 Only applies when using VSphere as cloud provider,
@@ -270,54 +270,69 @@ fi %{_bindir}/pause %changelog -* Thu Mar 18 2021 CBL-Mariner Service Account - 1.17.16-2 -- Update to version "1.17.16-hotfix.20210310". +* Thu Apr 29 2021 CBL-Mariner Service Account - 1.18.17-2 +- Update to version "1.18.17-hotfix.20210428". -* Wed Jan 20 2021 Nicolas Guibourge - 1.17.16-1 -- Move to version 1.17.16 +* Thu Apr 22 2021 CBL-Mariner Service Account - 1.18.17-1 +- Update to version "1.18.17-hotfix.20210322". -* Fri Jan 15 2021 Nicolas Guibourge - 1.17.11-7 +* Mon Mar 29 2021 CBL-Mariner Service Account - 1.18.14-3 +- Update to version "1.18.14-hotfix.20210322". + +* Thu Mar 18 2021 CBL-Mariner Service Account - 1.18.14-2 +- Update to version "1.18.14-hotfix.20210310". + +* Wed Jan 20 2021 Nicolas Guibourge - 1.18.14-1 +- Move to version 1.18.14 + +* Fri Jan 15 2021 Nicolas Guibourge - 1.18.8-8 - Packages for container images -* Tue Jan 05 2021 Nicolas Guibourge - 1.17.11-6 +* Tue Jan 05 2021 Nicolas Guibourge - 1.18.8-7 - Fix test issue when building against golang 1.15 - CVE-2020-8563 -* Mon Jan 04 2021 Nicolas Guibourge - 1.17.11-5 +* Mon Jan 04 2021 Nicolas Guibourge - 1.18.8-6 - CVE-2020-8564, CVE-2020-8565, CVE-2020-8566 -* Thu Dec 17 2020 Nicolas Guibourge - 1.17.11-4 +* Thu Dec 17 2020 Nicolas Guibourge - 1.18.8-5 - Rename spec file -* Wed Dec 02 2020 Nicolas Guibourge - 1.17.11-3 -- Rename ms-kubernetes-1.17.11 into kubernetes and lint spec +* Wed Dec 02 2020 Nicolas Guibourge - 1.18.8-4 +- Rename ms-kubernetes-1.81.8 into kubernetes and lint spec -* Wed Nov 18 2020 George Mileka 1.17.11-2 +* Wed Nov 18 2020 George Mileka 1.18.8-3 - Added license file and macro. -* Fri Oct 2 2020 George Mileka 1.18.8-2 +- Update k8s to v1.18.8-hotfix.20200917 release -* Mon Aug 17 2020 Jiri Appl 1.17.7-4 +* Fri Oct 2 2020 George Mileka 1.18.8-1 +- Moved k8s to 1.18.8. + +* Mon Aug 17 2020 Jiri Appl 1.18.6-4 - Clean up the spec. 
-* Thu Aug 6 2020 George Mileka 1.17.7-3 +* Thu Aug 6 2020 George Mileka 1.18.6-3 - Create /etc/kubernetes/manifests. -* Wed Jul 30 2020 Jiri Appl 1.17.7-2 +* Wed Jul 30 2020 Jiri Appl 1.18.6-2 - Removed container images. -* Fri Jul 24 2020 George Mileka 1.17.7 -- Moved to 1.17.7. +* Fri Jul 24 2020 George Mileka 1.18.6 +- Moved to 1.18.6. + +* Tue Jun 30 2020 George Mileka 1.18.2 +- Adding the 1.16 knd 1.17 ubeproxy and coredns for downgrade scenarios. -* Tue Jun 30 2020 George Mileka 1.17.3-2 -- Adding the 1.16 kubeproxy and coredns for downgrade scenarios. +* Fri Jun 05 2020 George Mileka 1.18.2 +- Switched to K8s 1.18.2. -* Thu Jun 03 2020 Nicolas Guibourge 1.17.3-2 +* Thu Jun 04 2020 Nicolas Guibourge 1.18.0-2 - Renaming iproute2 to iproute. -* Fri May 29 2020 George Mileka 1.17.3. +* Fri May 29 2020 George Mileka 1.18.0 - Switched to ecpacr. -* Tue Apr 14 2020 George Mileka 1.17.3-hotfix.20200408 -- Original version for CBL-Mariner of K8s 1.17.3-hotfix.20200408. +* Tue Apr 14 2020 George Mileka 1.18.0 +- Original version for CBL-Mariner of K8s 1.18.0. diff --git a/SPECS/kubernetes/kubernetes-1.19.6.signatures.json b/SPECS/kubernetes/kubernetes-1.19.6.signatures.json deleted file mode 100644 index 3ab12b6cf2f..00000000000 --- a/SPECS/kubernetes/kubernetes-1.19.6.signatures.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "Signatures": { - "kubelet.service": "22ea9e0b85aa9db9e1accfb6c21843683425fc1af9c0a2669523e42a455dc57e", - "kubernetes-node-linux-amd64-1.19.6-hotfix.20210310.tar.gz": "fa2c302999d4bd56edf0d9dff7843fd169e84e2f14f50033d1efa79ea66103da" - } -} \ No newline at end of file diff --git a/SPECS/kubernetes/kubernetes-1.19.7.signatures.json b/SPECS/kubernetes/kubernetes-1.19.7.signatures.json index 37fecd2f4f3..29ee44fa799 100644 --- a/SPECS/kubernetes/kubernetes-1.19.7.signatures.json +++ b/SPECS/kubernetes/kubernetes-1.19.7.signatures.json 
@@ -1,6 +1,6 @@ { "Signatures": { "kubelet.service": "22ea9e0b85aa9db9e1accfb6c21843683425fc1af9c0a2669523e42a455dc57e", - "kubernetes-node-linux-amd64-1.19.7-hotfix.20210310.tar.gz": "7d4f4ce192178a8cc1774de35a012028a0b0b6a465d6c94f22b725dbefc733c3" + "kubernetes-node-linux-amd64-1.19.7-hotfix.20210428.tar.gz": "78626dd33b75c33eae4b03802bbc075d86369a881d729d61dccb5a86b4da0f60" } } \ No newline at end of file diff --git a/SPECS/kubernetes/kubernetes-1.19.7.spec b/SPECS/kubernetes/kubernetes-1.19.7.spec index 47a3b76400a..a84f6a8e866 100644 --- a/SPECS/kubernetes/kubernetes-1.19.7.spec +++ b/SPECS/kubernetes/kubernetes-1.19.7.spec @@ -10,15 +10,15 @@ Summary: Microsoft Kubernetes Name: kubernetes Version: 1.19.7 -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner Group: Microsoft Kubernetes URL: https://mcr.microsoft.com/oss -#Source0: https://kubernetesartifacts.azureedge.net/kubernetes/v1.19.7-hotfix.20210310/binaries/kubernetes-node-linux-amd64.tar.gz +#Source0: https://kubernetesartifacts.azureedge.net/kubernetes/v1.19.7-hotfix.20210428/binaries/kubernetes-node-linux-amd64.tar.gz # Note that only amd64 tarball exist which is OK since kubernetes is built from source -Source0: kubernetes-node-linux-amd64-%{version}-hotfix.20210310.tar.gz +Source0: kubernetes-node-linux-amd64-%{version}-hotfix.20210428.tar.gz Source1: kubelet.service # CVE-2020-8565 Kubernetes doc on website recommend to not enable debug level logging in production (no patch available) Patch0: CVE-2020-8565.nopatch @@ -266,6 +266,9 @@ fi %{_bindir}/pause %changelog +* Thu Apr 29 2021 CBL-Mariner Service Account - 1.19.7-2 +- Update to version "1.19.7-hotfix.20210428". + * Thu Mar 18 2021 CBL-Mariner Service Account - 1.19.7-1 - Update to version "1.19.7-hotfix.20210310". diff --git a/SPECS/kubernetes/kubernetes-1.19.9.signatures.json b/SPECS/kubernetes/kubernetes-1.19.9.signatures.json new file mode 100644 index 00000000000..9eb87a8313e 
--- /dev/null
+++ b/SPECS/kubernetes/kubernetes-1.19.9.signatures.json
@@ -0,0 +1,6 @@
+{
+ "Signatures": {
+ "kubelet.service": "22ea9e0b85aa9db9e1accfb6c21843683425fc1af9c0a2669523e42a455dc57e",
+ "kubernetes-node-linux-amd64-1.19.9-hotfix.20210428.tar.gz": "e41b5aaea5615bf845616115df39a62908cde47145c6a77e449abfe1d8c3f7cf"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/kubernetes/kubernetes-1.19.6.spec b/SPECS/kubernetes/kubernetes-1.19.9.spec
similarity index 94%
rename from SPECS/kubernetes/kubernetes-1.19.6.spec
rename to SPECS/kubernetes/kubernetes-1.19.9.spec
index d7b285ae415..d7bb07918c8 100644
--- a/SPECS/kubernetes/kubernetes-1.19.6.spec
+++ b/SPECS/kubernetes/kubernetes-1.19.9.spec
@@ -9,16 +9,16 @@
 %define container_image_components 'kube-proxy kube-apiserver kube-controller-manager kube-scheduler'
 Summary: Microsoft Kubernetes
 Name: kubernetes
-Version: 1.19.6
+Version: 1.19.9
 Release: 2%{?dist}
 License: ASL 2.0
 Vendor: Microsoft Corporation
 Distribution: Mariner
 Group: Microsoft Kubernetes
 URL: https://mcr.microsoft.com/oss
-#Source0: https://kubernetesartifacts.azureedge.net/kubernetes/v1.19.6-hotfix.20210310/binaries/kubernetes-node-linux-amd64.tar.gz
+#Source0: https://kubernetesartifacts.azureedge.net/kubernetes/v1.19.9-hotfix.20210428/binaries/kubernetes-node-linux-amd64.tar.gz
 # Note that only amd64 tarball exist which is OK since kubernetes is built from source
-Source0: kubernetes-node-linux-amd64-%{version}-hotfix.20210310.tar.gz
+Source0: kubernetes-node-linux-amd64-%{version}-hotfix.20210428.tar.gz
 Source1: kubelet.service
 # CVE-2020-8565 Kubernetes doc on website recommend to not enable debug level logging in production (no patch available)
 Patch0: CVE-2020-8565.nopatch
@@ -266,6 +266,15 @@ fi %{_bindir}/pause %changelog +* Thu Apr 29 2021 CBL-Mariner Service Account - 1.19.9-2 +- Update to version "1.19.9-hotfix.20210428". + +* Thu Apr 22 2021 CBL-Mariner Service Account - 1.19.9-1 +- Update to version "1.19.9-hotfix.20210322". + +* Thu Mar 18 2021 CBL-Mariner Service Account - 1.19.7-1 +- Update to version "1.19.7-hotfix.20210310". + * Thu Mar 18 2021 CBL-Mariner Service Account - 1.19.6-2 - Update to version "1.19.6-hotfix.20210310". diff --git a/SPECS/kubernetes/kubernetes-1.20.2.signatures.json b/SPECS/kubernetes/kubernetes-1.20.2.signatures.json new file mode 100644 index 00000000000..e3fc52221e0 --- /dev/null +++ b/SPECS/kubernetes/kubernetes-1.20.2.signatures.json @@ -0,0 +1,6 @@ +{ + "Signatures": { + "kubelet.service": "22ea9e0b85aa9db9e1accfb6c21843683425fc1af9c0a2669523e42a455dc57e", + "kubernetes-node-linux-amd64-1.20.2-hotfix.20210428.tar.gz": "b07034861e5c1d532b9bdcf6a4564bdc710e1bb42d402923426b8327fc5c79e1" + } +} \ No newline at end of file diff --git a/SPECS/kubernetes/kubernetes-1.17.13.spec b/SPECS/kubernetes/kubernetes-1.20.2.spec similarity index 86% rename from SPECS/kubernetes/kubernetes-1.17.13.spec rename to SPECS/kubernetes/kubernetes-1.20.2.spec index 803035d077b..fa4a0b2c148 100644 --- a/SPECS/kubernetes/kubernetes-1.17.13.spec +++ b/SPECS/kubernetes/kubernetes-1.20.2.spec 
@@ -9,25 +9,21 @@ %define container_image_components 'kube-proxy kube-apiserver kube-controller-manager kube-scheduler' Summary: Microsoft Kubernetes Name: kubernetes -Version: 1.17.13 -Release: 6%{?dist} +Version: 1.20.2 +Release: 2%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner Group: Microsoft Kubernetes URL: https://mcr.microsoft.com/oss -#Source0: https://kubernetesartifacts.azureedge.net/kubernetes/v1.17.13-hotfix.20210310/binaries/kubernetes-node-linux-amd64.tar.gz +#Source0: https://kubernetesartifacts.azureedge.net/kubernetes/v1.20.2-hotfix.20210428/binaries/kubernetes-node-linux-amd64.tar.gz # Note that only amd64 tarball exist which is OK since kubernetes is built from source -Source0: kubernetes-node-linux-amd64-%{version}-hotfix.20210310.tar.gz +Source0: kubernetes-node-linux-amd64-%{version}-hotfix.20210428.tar.gz Source1: kubelet.service -Source2: golang-1.15-k8s-1.17-test.patch # CVE-2020-8565 Kubernetes doc on website recommend to not enable debug level logging in production (no patch available) Patch0: CVE-2020-8565.nopatch -# CVE-2020-8563 Only applies when using VSphere as cloud provider, -# Kubernetes doc on website recommend to not enable debug level logging in production (no patch available) -Patch1: CVE-2020-8563.nopatch BuildRequires: flex-devel -BuildRequires: golang >= 1.13.15 +BuildRequires: golang >= 1.15.5 BuildRequires: rsync BuildRequires: systemd-devel BuildRequires: which @@ -123,7 +119,7 @@ for component in ${components_to_build}; do done # build pause -pushd build/pause +pushd build/pause/linux gcc -Os -Wall -Werror -static -o %{_builddir}/%{name}/node/bin/pause pause.c strip %{_builddir}/%{name}/node/bin/pause popd 
@@ -270,21 +266,36 @@ fi %{_bindir}/pause %changelog -* Thu Mar 18 2021 CBL-Mariner Service Account - 1.17.13-6 -- Update to version "1.17.13-hotfix.20210310". +* Thu Apr 29 2021 CBL-Mariner Service Account - 1.20.2-2 +- Update to version "1.20.2-hotfix.20210428". -* Tue Jan 19 2021 Nicolas Guibourge - 1.17.13-5 -- Update to version 1.17.13-hotfix.20210118 +* Thu Apr 22 2021 CBL-Mariner Service Account - 1.20.2-1 +- Update to version "1.20.2-hotfix.20210310". +- Adjust "pause" building steps with the new sources layout. -* Fri Jan 15 2021 Nicolas Guibourge - 1.17.13-4 +* Thu Apr 22 2021 CBL-Mariner Service Account - 1.19.9-1 +- Update to version "1.19.9-hotfix.20210322". + +* Thu Mar 18 2021 CBL-Mariner Service Account - 1.19.7-1 +- Update to version "1.19.7-hotfix.20210310". + +* Thu Mar 18 2021 CBL-Mariner Service Account - 1.19.6-2 +- Update to version "1.19.6-hotfix.20210310". + +* Wed Jan 20 2021 Nicolas Guibourge - 1.19.6-1 +- Move to version 1.19.6 + +* Fri Jan 15 2021 Nicolas Guibourge - 1.19.1-5 - Packages for container images -* Tue Jan 05 2021 Nicolas Guibourge - 1.17.13-3 -- Fix test issue when building against golang 1.15 +* Tue Jan 05 2021 Nicolas Guibourge - 1.19.1-4 - CVE-2020-8563 -* Mon Jan 04 2021 Nicolas Guibourge - 1.17.13-2 -- CVE-2020-8565 +* Mon Jan 04 2021 Nicolas Guibourge - 1.19.1-3 +- CVE-2020-8564, CVE-2020-8565, CVE-2020-8566 + +* Thu Dec 17 2020 Nicolas Guibourge - 1.19.1-2 +- Rename spec file -* Thu Dec 17 2020 Nicolas Guibourge - 1.17.13-1 -- Original version for CBL-Mariner of K8s 1.17.13. +* Wed Dec 02 2020 Nicolas Guibourge - 1.19.1-1 +- Original version for CBL-Mariner of K8s 1.19.1. diff --git a/SPECS/kubernetes/kubernetes-1.20.5.signatures.json b/SPECS/kubernetes/kubernetes-1.20.5.signatures.json new file mode 100644 index 00000000000..12685f1632f --- /dev/null +++ b/SPECS/kubernetes/kubernetes-1.20.5.signatures.json 
@@ -0,0 +1,6 @@
+{
+ "Signatures": {
+ "kubelet.service": "22ea9e0b85aa9db9e1accfb6c21843683425fc1af9c0a2669523e42a455dc57e",
+ "kubernetes-node-linux-amd64-1.20.5-hotfix.20210428.tar.gz": "e2e5accaa10b02cea9fa5d31ec1c648f791810bb5c672d1e002bfcad5e58a11a"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/kubernetes/kubernetes-1.18.10.spec b/SPECS/kubernetes/kubernetes-1.20.5.spec
similarity index 85%
rename from SPECS/kubernetes/kubernetes-1.18.10.spec
rename to SPECS/kubernetes/kubernetes-1.20.5.spec
index 73d7fc112c1..799b1aae8b9 100644
--- a/SPECS/kubernetes/kubernetes-1.18.10.spec
+++ b/SPECS/kubernetes/kubernetes-1.20.5.spec
@@ -9,25 +9,21 @@ %define container_image_components 'kube-proxy kube-apiserver kube-controller-manager kube-scheduler' Summary: Microsoft Kubernetes Name: kubernetes -Version: 1.18.10 -Release: 6%{?dist} +Version: 1.20.5 +Release: 2%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner Group: Microsoft Kubernetes URL: https://mcr.microsoft.com/oss -#Source0: https://kubernetesartifacts.azureedge.net/kubernetes/v1.18.10-hotfix.20210310/binaries/kubernetes-node-linux-amd64.tar.gz +#Source0: https://kubernetesartifacts.azureedge.net/kubernetes/v1.20.5-hotfix.20210428/binaries/kubernetes-node-linux-amd64.tar.gz # Note that only amd64 tarball exist which is OK since kubernetes is built from source -Source0: kubernetes-node-linux-amd64-%{version}-hotfix.20210310.tar.gz +Source0: kubernetes-node-linux-amd64-%{version}-hotfix.20210428.tar.gz Source1: kubelet.service -Source2: golang-1.15-k8s-1.18-test.patch # CVE-2020-8565 Kubernetes doc on website recommend to not enable debug level logging in production (no patch available) Patch0: CVE-2020-8565.nopatch -# CVE-2020-8563 Only applies when using VSphere as cloud provider, -# Kubernetes doc on website recommend to not enable debug level logging in production (no patch available) -Patch1: CVE-2020-8563.nopatch BuildRequires: flex-devel -BuildRequires: golang >= 1.13.15 +BuildRequires: golang >= 1.15.5 BuildRequires: rsync BuildRequires: systemd-devel BuildRequires: which @@ -123,7 +119,7 @@ for component in ${components_to_build}; do done # build pause -pushd build/pause +pushd build/pause/linux gcc -Os -Wall -Werror -static -o %{_builddir}/%{name}/node/bin/pause pause.c strip %{_builddir}/%{name}/node/bin/pause popd 
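Review bot: `Patch0: CVE-2020-8565.nopatch` and its comment are carried over verbatim from the 1.18.10 spec while the package jumps to 1.20.5, but a `.nopatch` marker is what tells the CVE scanner the issue is mitigated, so the comment needs to say why it still holds for 1.20.x rather than repeating a 1.18-era statement; either confirm and reword it, e.g. `# CVE-2020-8565: still unfixed upstream as of 1.20.5-hotfix.20210428; mitigated by not enabling debug-level logging in production`, or drop the marker if the fix landed in 1.20 (not verifiable from this diff). The pause build in the second hunk has the same unhardened `gcc -Os -Wall -Werror -static` invocation as the 1.20.2 spec and should pick up `%{build_cflags}` alongside it.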
@@ -270,21 +266,39 @@ fi %{_bindir}/pause %changelog -* Thu Mar 18 2021 CBL-Mariner Service Account - 1.18.10-6 -- Update to version "1.18.10-hotfix.20210310". +* Thu Apr 29 2021 CBL-Mariner Service Account - 1.20.5-2 +- Update to version "1.20.5-hotfix.20210428". -* Tue Jan 19 2021 Nicolas Guibourge - 1.18.10-5 -- Update to version 1.18.10-hotfix.20210118 +* Thu Apr 22 2021 CBL-Mariner Service Account - 1.20.5-1 +- Update to version "1.20.5-hotfix.20210322". -* Fri Jan 15 2021 Nicolas Guibourge - 1.18.10-4 +* Thu Apr 22 2021 CBL-Mariner Service Account - 1.20.2-1 +- Update to version "1.20.2-hotfix.20210310". +- Adjust "pause" building steps with the new sources layout. + +* Thu Apr 22 2021 CBL-Mariner Service Account - 1.19.9-1 +- Update to version "1.19.9-hotfix.20210322". + +* Thu Mar 18 2021 CBL-Mariner Service Account - 1.19.7-1 +- Update to version "1.19.7-hotfix.20210310". + +* Thu Mar 18 2021 CBL-Mariner Service Account - 1.19.6-2 +- Update to version "1.19.6-hotfix.20210310". + +* Wed Jan 20 2021 Nicolas Guibourge - 1.19.6-1 +- Move to version 1.19.6 + +* Fri Jan 15 2021 Nicolas Guibourge - 1.19.1-5 - Packages for container images -* Tue Jan 05 2021 Nicolas Guibourge - 1.18.10-3 -- Fix test issue when building against golang 1.15 +* Tue Jan 05 2021 Nicolas Guibourge - 1.19.1-4 - CVE-2020-8563 -* Mon Jan 04 2021 Nicolas Guibourge - 1.18.10-2 -- CVE-2020-8565 +* Mon Jan 04 2021 Nicolas Guibourge - 1.19.1-3 +- CVE-2020-8564, CVE-2020-8565, CVE-2020-8566 + +* Thu Dec 17 2020 Nicolas Guibourge - 1.19.1-2 +- Rename spec file -* Thu Dec 17 2020 Nicolas Guibourge - 1.18.10-1 -- Original version for CBL-Mariner of K8s 1.18.10. +* Wed Dec 02 2020 Nicolas Guibourge - 1.19.1-1 +- Original version for CBL-Mariner of K8s 1.19.1. diff --git a/SPECS/libpsl/libpsl.spec b/SPECS/libpsl/libpsl.spec index bb3da5a808d..ecc81ba7008 100644 --- a/SPECS/libpsl/libpsl.spec +++ b/SPECS/libpsl/libpsl.spec 
@@ -1,18 +1,18 @@ -Summary: libpsl - C library to handle the Public Suffix List -Name: libpsl -Version: 0.20.2 -Release: 4%{?dist} -License: MIT -URL: https://github.com/rockdaboot/libpsl -Group: System Environment/Development +Summary: libpsl - C library to handle the Public Suffix List +Name: libpsl +Version: 0.20.2 +Release: 5%{?dist} +License: MIT Vendor: Microsoft Corporation Distribution: Mariner -Source0: https://github.com/rockdaboot/libpsl/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz -%define sha1 libpsl=890376d6038652911cfa853ccfb5b993ae0743ee +Group: System Environment/Development +URL: https://github.com/rockdaboot/libpsl +Source0: https://github.com/rockdaboot/libpsl/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz -BuildRequires: icu-devel -BuildRequires: python2 -Requires: icu +BuildRequires: icu-devel +BuildRequires: python2 + +Requires: icu %description libpsl is a C library to handle the Public Suffix List. A "public suffix" is a @@ -75,7 +75,7 @@ make check %files %defattr(-,root,root) -%license LICENSE +%license COPYING LICENSE %{_libdir}/*.so.* %files -n psl 
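Review bot: Removing `%define sha1 libpsl=890376d6…` takes away the only source-integrity check visible in this spec, and nothing in the hunk replaces it; the other packages in this diff carry a `<name>.signatures.json` with a SHA-256 per source (see the mariadb and nettle entries), so confirm `SPECS/libpsl/libpsl.signatures.json` exists and pins `libpsl-0.20.2.tar.gz`, otherwise the tarball is no longer verified at build time. The changelog line `- Removing the 'sha1' macro.` should record where the checksum moved, e.g. `- Removing the 'sha1' macro; source checksum lives in libpsl.signatures.json.`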
@@ -94,12 +94,20 @@ make check %{_libdir}/pkgconfig/* %changelog -* Sat May 09 00:21:12 PST 2020 Nick Samson - 0.20.2-4 +* Fri Apr 16 2021 Pawel Winogrodzki - 0.20.2-5 +- Bumping up release to re-compile against the new version of the 'icu' libraries. +- License verified. +- Removing the 'sha1' macro. +- Updated the '%%license' macro. + +* Sat May 09 2020 Nick Samson - 0.20.2-4 - Added %%license line automatically -* Tue Sep 03 2019 Mateusz Malisz 0.20.2-3 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Tue Jan 08 2019 Alexey Makhalov 0.20.2-2 -- Added BuildRequires python2 -* Mon Sep 17 2018 Bo Gan 0.20.2-1 -- Initial packaging of libpsl +* Tue Sep 03 2019 Mateusz Malisz 0.20.2-3 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Tue Jan 08 2019 Alexey Makhalov 0.20.2-2 +- Added BuildRequires python2 + +* Mon Sep 17 2018 Bo Gan 0.20.2-1 +- Initial packaging of libpsl diff --git a/SPECS/mariadb/mariadb.signatures.json b/SPECS/mariadb/mariadb.signatures.json index 71a6cb60314..93e10a914fa 100644 --- a/SPECS/mariadb/mariadb.signatures.json +++ b/SPECS/mariadb/mariadb.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "mariadb-10.3.17.tar.gz": "e3a3675c489618c4f72c81aec5d304eb7b082da872106f4dd42a971049194bc1" + "mariadb-10.3.28.tar.gz": "e8c912cae2e5800d0da364cc23437907ed4be767f2cbdf198cf3afc03db6a6a3" } } \ No newline at end of file diff --git a/SPECS/mariadb/mariadb.spec b/SPECS/mariadb/mariadb.spec index 6a61f002693..43910c32b35 100644 --- a/SPECS/mariadb/mariadb.spec +++ b/SPECS/mariadb/mariadb.spec 
@@ -1,57 +1,59 @@ Summary: Database servers made by the original developers of MySQL. Name: mariadb -Version: 10.3.17 -Release: 4%{?dist} -License: GPLv2 with exceptions and LGPLv2 and BSD -Group: Applications/Databases +Version: 10.3.28 +Release: 1%{?dist} +License: GPLv2 WITH exceptions AND LGPLv2 AND BSD Vendor: Microsoft Corporation Distribution: Mariner -Url: https://mariadb.org/ +Group: Applications/Databases +URL: https://mariadb.org/ Source0: https://github.com/MariaDB/server/archive/mariadb-%{version}.tar.gz BuildRequires: cmake -BuildRequires: pam-devel -BuildRequires: openssl-devel -BuildRequires: zlib-devel -BuildRequires: krb5-devel -BuildRequires: e2fsprogs-devel -BuildRequires: systemd-devel BuildRequires: curl-devel +BuildRequires: e2fsprogs-devel +BuildRequires: krb5-devel BuildRequires: libxml2-devel +BuildRequires: openssl-devel +BuildRequires: pam-devel +BuildRequires: systemd-devel +BuildRequires: zlib-devel Conflicts: mysql + %description MariaDB Server is one of the most popular database servers in the world. It’s made by the original developers of MySQL and guaranteed to stay open source. Notable users include Wikipedia, WordPress.com and Google. MariaDB turns data into structured information in a wide array of applications, ranging from banking to websites. It is an enhanced, drop-in replacement for MySQL. MariaDB is used because it is fast, scalable and robust, with a rich ecosystem of storage engines, plugins and many other tools make it very versatile for a wide variety of use cases. 
%package server -Summary: MariaDB server -Requires: %{name}-errmsg = %{version}-%{release} +Summary: MariaDB server +Requires: %{name}-errmsg = %{version}-%{release} + %description server The MariaDB server and related files %package server-galera -Summary: MariaDB Galera Cluster is a synchronous multi-master cluster for MariaDB -Group: Applications/Databases -Requires: %{name}-server = %{version}-%{release} +Summary: MariaDB Galera Cluster is a synchronous multi-master cluster for MariaDB +Group: Applications/Databases +Requires: %{name}-server = %{version}-%{release} %description server-galera MariaDB Galera Cluster is a synchronous multi-master cluster for MariaDB. It is available on Linux only, and only supports the XtraDB/InnoDB storage engines (although there is experimental support for MyISAM - see the wsrep_replicate_myisam system variable). %package devel -Summary: Development headers for mariadb -Requires: %{name} = %{version}-%{release} +Summary: Development headers for mariadb +Requires: %{name} = %{version}-%{release} %description devel Development headers for developing applications linking to maridb %package errmsg -Summary: errmsg for mariadb +Summary: errmsg for mariadb %description errmsg errmsg for maridb %prep -%setup -q -n %{name}-%{version} +%setup -q # Remove PerconaFT from here because of AGPL licence rm -rf storage/tokudb/PerconaFT # Disable "embedded" directory which only contains "test-connect" test @@ -65,7 +67,7 @@ export CXXFLAGS="`echo " %{build_cxxflags} " | sed 's/ -g//'`" mkdir build && cd build cmake -DCMAKE_BUILD_TYPE=Release \ - -DCMAKE_INSTALL_PREFIX=/usr \ + -DCMAKE_INSTALL_PREFIX=%{_prefix} \ -DINSTALL_DOCDIR=share/doc/mariadb-10.2.8 \ -DINSTALL_DOCREADMEDIR=share/doc/mariadb-10.2.8 \ -DINSTALL_MANDIR=share/man \ 
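Review bot: `-DINSTALL_DOCDIR=share/doc/mariadb-10.2.8` and `-DINSTALL_DOCREADMEDIR=share/doc/mariadb-10.2.8` still hard-code a 10.2.8 path while the package is now 10.3.28, and the same literal is repeated in the `%exclude %{_docdir}/mariadb-10.2.8/*` line of the `%files` section; since this hunk already converts `/usr` to `%{_prefix}`, derive the doc directory the same way: `-DINSTALL_DOCDIR=share/doc/%{name}-%{version}` and `-DINSTALL_DOCREADMEDIR=share/doc/%{name}-%{version}`, with the matching `%exclude %{_docdir}/%{name}-%{version}/*`. The cmake invocation continues past the end of the hunk.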
@@ -78,8 +80,8 @@ cmake -DCMAKE_BUILD_TYPE=Release \ -DINSTALL_SCRIPTDIR=bin \ -DINSTALL_SQLBENCHDIR=share/mysql/bench \ -DINSTALL_SUPPORTFILESDIR=share \ - -DMYSQL_DATADIR="%{_var}/lib/mysql" \ - -DMYSQL_UNIX_ADDR="%{_var}/lib/mysql/mysqld.sock" \ + -DMYSQL_DATADIR="%{_sharedstatedir}/mysql" \ + -DMYSQL_UNIX_ADDR="%{_sharedstatedir}/mysql/mysqld.sock" \ -DWITH_EXTRA_CHARSETS=complex \ -DWITH_EMBEDDED_SERVER=ON \ -DSKIP_TESTS=ON \ @@ -94,11 +96,11 @@ cd build make DESTDIR=%{buildroot} install mkdir -p %{buildroot}/%{_libdir}/systemd/system -mv %{buildroot}/usr/share/systemd/mariadb.service %{buildroot}/%{_libdir}/systemd/system/mariadb.service -mv %{buildroot}/usr/share/systemd/mariadb@.service %{buildroot}/%{_libdir}/systemd/system/mariadb@.service +mv %{buildroot}%{_datadir}/systemd/mariadb.service %{buildroot}/%{_libdir}/systemd/system/mariadb.service +mv %{buildroot}%{_datadir}/systemd/mariadb@.service %{buildroot}/%{_libdir}/systemd/system/mariadb@.service rm %{buildroot}/%{_sbindir}/rcmysql rm %{buildroot}/%{_libdir}/*.a -mkdir -p %{buildroot}/%{_var}/lib/mysql +mkdir -p %{buildroot}/%{_sharedstatedir}/mysql install -vdm755 %{buildroot}%{_libdir}/systemd/system-preset echo "disable mariadb.service" > %{buildroot}%{_libdir}/systemd/system-preset/50-mariadb.preset @@ -108,16 +110,16 @@ make test %post -p /sbin/ldconfig %postun -p /sbin/ldconfig - %pre server if [ $1 -eq 1 ] ; then getent group mysql >/dev/null || groupadd -r mysql getent passwd mysql >/dev/null || useradd -c "mysql" -s /bin/false -g mysql -M -r mysql fi + %post server /sbin/ldconfig -chown mysql:mysql %{_var}/lib/mysql || : -mysql_install_db --datadir="/var/lib/mysql" --user="mysql" --basedir="/usr" >/dev/null || : +chown mysql:mysql %{_sharedstatedir}/mysql || : +mysql_install_db --datadir="%{_sharedstatedir}/mysql" --user="mysql" --basedir="%{_prefix}" >/dev/null || : %systemd_post mariadb.service %postun server 
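Review bot: `%post server` runs `mysql_install_db --datadir=… --user="mysql" --basedir=…` unconditionally, while `%pre server` guards its user creation with `if [ $1 -eq 1 ]`; on an upgrade (`$1 -eq 2`) the bootstrap is re-run against an already populated datadir, and `>/dev/null || :` then hides whatever it did or failed to do. The macro conversion in this hunk keeps that asymmetry, so wrap the bootstrap the same way: `if [ $1 -eq 1 ]; then mysql_install_db --datadir="%{_sharedstatedir}/mysql" --user="mysql" --basedir="%{_prefix}" >/dev/null || :; fi`. The preceding `chown mysql:mysql %{_sharedstatedir}/mysql || :` can go inside the same guard, since the server `%files` list already sets `%attr(0750,mysql,mysql)` on that directory.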
@@ -138,6 +140,7 @@ fi %clean rm -rf %{buildroot} + %files %defattr(-,root,root) %{_libdir}/libmysqlclient.so @@ -202,13 +205,16 @@ rm -rf %{buildroot} %{_mandir}/man1/perror.1.gz %{_datadir}/mysql/charsets/* %{_datadir}/magic -%doc COPYING CREDITS +%{_datadir}/pam_user_map.so +%{_datadir}/user_map.conf +%license COPYING +%doc CREDITS -%exclude /usr/share/mysql/bench -%exclude /usr/share/mysql/test -%exclude /usr/data/test/db.opt -%exclude /usr/share/doc/mariadb-10.2.8/* -%exclude /etc/init.d/mysql +%exclude %{_datadir}/mysql/bench +%exclude %{_datadir}/mysql/test +%exclude %{_prefix}/data/test/db.opt +%exclude %{_docdir}/mariadb-10.2.8/* +%exclude %{_sysconfdir}/init.d/mysql %files server %config(noreplace) %{_sysconfdir}/logrotate.d/mysql @@ -217,7 +223,7 @@ rm -rf %{buildroot} %config(noreplace) %{_sysconfdir}/my.cnf.d/enable_encryption.preset %config(noreplace) %{_sysconfdir}/my.cnf.d/mysql-clients.cnf %config(noreplace) %{_sysconfdir}/my.cnf.d/server.cnf -%dir %attr(0750,mysql,mysql) %{_var}/lib/mysql +%dir %attr(0750,mysql,mysql) %{_sharedstatedir}/mysql %{_libdir}/mysql/plugin* %{_bindir}/aria_chk %{_bindir}/aria_dump_log @@ -289,8 +295,6 @@ rm -rf %{buildroot} %{_mandir}/man1/replace.1.gz %{_mandir}/man1/resolveip.1.gz %{_mandir}/man1/resolve_stack_dump.1.gz -%{_mandir}/man1/tokuftdump.1.gz -%{_mandir}/man1/tokuft_logprint.1.gz %{_mandir}/man1/wsrep_sst_common.1.gz %{_mandir}/man1/wsrep_sst_mysqldump.1.gz %{_mandir}/man1/wsrep_sst_rsync.1.gz @@ -320,7 +324,6 @@ rm -rf %{buildroot} %doc %{_datadir}/groonga-normalizer-mysql/README.md %doc %{_datadir}/groonga/README.md - %files server-galera %{_bindir}/galera_new_cluster %{_bindir}/galera_recovery @@ -334,8 +337,7 @@ rm -rf %{buildroot} %{_libdir}/libmariadb.so %{_libdir}/libmariadbd.so %{_libdir}/libmysqld.so -%{_libdir}/pkgconfig/libmariadb.pc -%{_datadir}/pkgconfig/mariadb.pc +%{_libdir}/pkgconfig/*mariadb.pc %files errmsg %{_datadir}/mysql/czech/errmsg.sys 
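Review bot: `%{_datadir}/pam_user_map.so` is added to the base `mariadb` package's `%files`, but it is an ELF shared object (a PAM module, presumably the companion of the `auth_pam` plugin that ships under `%{_libdir}/mysql/plugin*` in `%files server`), so it lands in an arch-independent data directory inside the client package, where PAM will never look for it. Either package it with the server next to the plugin directory, or install it as `%{_libdir}/security/pam_user_map.so`, and treat its companion as configuration rather than data: `%config(noreplace) %{_datadir}/user_map.conf`. Which placement the plugin expects is not visible here — check the plugin's deployment docs before moving it.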
@@ -365,33 +367,50 @@ rm -rf %{buildroot} %{_datadir}/mysql/hindi/errmsg.sys %changelog +* Fri Apr 02 2021 Nicolas Ontiveros - 10.3.28-1 +- Upgrade to version 10.3.28, which resolves CVE-2021-27928 + * Thu Jan 14 2021 Andrew Phelps 10.3.17-4 - Disable failing "test-connect" test and binary "test-connect-t" + * Fri Jun 12 2020 Henry Beberman 10.3.17-3 - Temporarily disable generation of debug symbols. + * Tue Apr 28 2020 Emre Girgin 10.3.17-2 - Renaming Linux-PAM to pam + * Fri Mar 13 2020 Paul Monson 10.3.17-1 - Update to version 10.3.17. License verified. + * Tue Sep 03 2019 Mateusz Malisz 10.3.11-3 - Initial CBL-Mariner import from Photon (license: Apache2). + * Wed Jan 23 2019 Ajay Kaher 10.3.11-2 - Remove PerconaFT from mariadb pkg because of AGPL licence + * Wed Jan 02 2019 Him Kalyan Bordoloi 10.3.11-1 - Upgrade to version 10.3.11 + * Mon Nov 19 2018 Ajay Kaher 10.3.9-3 - Enabling for aarch64 + * Mon Oct 22 2018 Ajay Kaher 10.3.9-2 - Adding BuildArch + * Thu Sep 06 2018 Srivatsa S. Bhat 10.3.9-1 - Update to version 10.3.9 + * Tue Nov 07 2017 Xiaolin Li 10.2.10-1 - Update to verion 10.2.10 to address CVE-2017-10378, CVE-2017-10268 + * Wed Sep 06 2017 Xiaolin Li 10.2.8-1 - Update to 10.2.8 and enable build server. + * Thu Aug 31 2017 Xiaolin Li 10.1.24-3 - Fixed make check issue. + * Fri Aug 25 2017 Dheeraj Shetty 10.1.24-2 - Specify MariaDB conflicts with MySQL + * Wed Apr 05 2017 Xiaolin Li 10.1.24-1 - Initial packaging for Photon diff --git a/SPECS/mariner-release/mariner-release.spec b/SPECS/mariner-release/mariner-release.spec index e78d56e2ebf..278180e207c 100644 --- a/SPECS/mariner-release/mariner-release.spec +++ b/SPECS/mariner-release/mariner-release.spec @@ -1,7 +1,7 @@ Summary: CBL-Mariner release files Name: mariner-release Version: 1.0 -Release: 15%{?dist} +Release: 16%{?dist} License: MIT Group: System Environment/Base URL: https://aka.ms/cbl-mariner 
@@ -67,6 +67,8 @@ rm -rf $RPM_BUILD_ROOT %config(noreplace) /etc/issue.net %changelog +* Wed Apr 27 2021 Jon Slobodzian - 1.0-16 +- Updating version for April update * Tue Mar 30 2021 Jon Slobodzian - 1.0-15 - Updating version for March update * Mon Feb 22 2021 Jon Slobodzian - 1.0-14 diff --git a/SPECS/moby-cli/generate-sources.sh b/SPECS/moby-cli/generate-sources.sh index 8a44147d55e..578cefd402d 100755 --- a/SPECS/moby-cli/generate-sources.sh +++ b/SPECS/moby-cli/generate-sources.sh @@ -5,8 +5,8 @@ # Git clone is a standard practice of producing source files for moby-* packages. CLI_REPO=https://github.com/docker/cli.git -CLI_COMMIT=dd360c7c0de8d9132a3965db6a59d3ae74f43ba7 -VERSION=19.03.11+azure +CLI_COMMIT=48d30b5b32e99c932b4ea3edca74353feddd83ff +VERSION=19.03.15+azure mkdir -p /build/cli-src cd /build/cli-src diff --git a/SPECS/moby-cli/moby-cli.signatures.json b/SPECS/moby-cli/moby-cli.signatures.json index 1a7575ff130..9b1ce5419bc 100644 --- a/SPECS/moby-cli/moby-cli.signatures.json +++ b/SPECS/moby-cli/moby-cli.signatures.json @@ -2,6 +2,6 @@ "Signatures": { "LICENSE": "dba39ca0c42bd0aa0909b21925c4a2d5e80da82725139ce866c8b2f76ea56202", "NOTICE": "d8a1fbf076711ce24d0db29be6dbc7a87234f9c1293716377591e03f017a3c88", - "moby-cli-19.03.11+azure.tar.gz": "f97282eddb166c3ab711c6cff65d9320e39f64c17f897c2d46f14cd1f6e63191" + "moby-cli-19.03.15+azure.tar.gz": "d20d6d9435409f99852d72958dbb5ebf683f79cb29989512ff44f4257d3ac675" } } \ No newline at end of file diff --git a/SPECS/moby-cli/moby-cli.spec b/SPECS/moby-cli/moby-cli.spec index 89aa2c70f4f..488e9606feb 100644 --- a/SPECS/moby-cli/moby-cli.spec +++ b/SPECS/moby-cli/moby-cli.spec 
@@ -1,15 +1,15 @@ Summary: The open-source application container engine client. Name: moby-cli -Version: 19.03.11+azure -Release: 2%{?dist} +Version: 19.03.15+azure +Release: 1%{?dist} License: ASL 2.0 Group: Tools/Container # Git clone is a standard practice of producing source files for moby-* packages. # Please look at ./generate-sources.sh for generating source tar ball. # REPO = https://github.com/docker/cli.git -%define CLI_COMMIT dd360c7c0de8d9132a3965db6a59d3ae74f43ba7 -#Source0: https://github.com/docker/cli/archive/v19.03.11.tar.gz +%define CLI_COMMIT 48d30b5b32e99c932b4ea3edca74353feddd83ff +#Source0: https://github.com/docker/cli/archive/v19.03.15.tar.gz Source0: moby-cli-%{version}.tar.gz Source1: NOTICE Source2: LICENSE @@ -38,6 +38,8 @@ Requires: xz %setup -q -n %{name}-%{version} -c mkdir -p %{OUR_GOPATH}/src/github.com/docker ln -sfT %{_topdir}/BUILD/%{name}-%{version} %{OUR_GOPATH}/src/github.com/docker/cli +# Fix incorrect package name reference for go-md2man +sed -i 's/md2man/go-md2man/g' ./man/md2man-all.sh %build export GOPATH=%{OUR_GOPATH} @@ -92,6 +94,10 @@ cp %{SOURCE2} %{buildroot}/usr/share/doc/%{name}-%{version}/LICENSE /usr/share/fish/vendor_completions.d/docker.fish %changelog +* Thu Apr 15 2021 Andrew Phelps 19.03.15+azure-1 +- Update to version 19.03.15+azure +- Rename 'md2man' to 'go-md2man' in md2man-all.sh + * Thu Dec 10 2020 Andrew Phelps 19.03.11+azure-2 - Increment release to force republishing using golang 1.15. diff --git a/SPECS/moby-engine/generate-sources.sh b/SPECS/moby-engine/generate-sources.sh index b982d95933f..0a3c3c224bb 100755 --- a/SPECS/moby-engine/generate-sources.sh +++ b/SPECS/moby-engine/generate-sources.sh 
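Review bot: `sed -i 's/md2man/go-md2man/g'` rewrites every occurrence of the substring, so any existing `go-md2man` in `man/md2man-all.sh` becomes `go-go-md2man` and any other identifier containing the substring is touched too (the script's contents are not in the hunk, so this is a risk to check rather than a confirmed breakage). Anchor the substitution to a bare program name, e.g. `sed -i -E 's/(^|[^-])md2man\b/\1go-md2man/g' ./man/md2man-all.sh`, and make the build fail if the renamed tool is absent, since no `BuildRequires: go-md2man` is visible in the hunk (the BuildRequires list is outside the shown context).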
@@ -5,8 +5,8 @@ # Git clone is a standard practice of producing source files for moby-* packages. ENGINE_REPO=https://github.com/moby/moby.git -ENGINE_COMMIT=77e06fda0c9457c99a210e9648c064b44805fa2d -VERSION=19.03.11+azure +ENGINE_COMMIT=420b1d36250f9cfdc561f086f25a213ecb669b6f +VERSION=19.03.15+azure # docker-proxy binary comes from libnetwork # The proxy code rarely sees any changes diff --git a/SPECS/moby-engine/moby-engine.signatures.json b/SPECS/moby-engine/moby-engine.signatures.json index 0aefe6d071f..8842e81cb10 100644 --- a/SPECS/moby-engine/moby-engine.signatures.json +++ b/SPECS/moby-engine/moby-engine.signatures.json @@ -4,6 +4,6 @@ "NOTICE": "6fa0790288289acbdb9c0d8ee8e7769b65332aa4c080964b6f1623b4eda3cab0", "docker.service": "1a748c285a3cb5c8fb01db35d5b1f9029d170fd4b4e8428fec745b9bf0424bbc", "docker.socket": "51a06786cae46bc63b7314c25d0bd5bb2e676120d80874b99e35bf60d0b0ffa8", - "moby-engine-19.03.11+azure.tar.gz": "23d11a9e3a95bad471a3e4a8e9fa2f4663a6c5b194431bba80a69a5f3b879dee" + "moby-engine-19.03.15+azure.tar.gz": "0daaaea884f8682cc2e1c466c2001ee55ac52fa5a0faedc070a5f59bbb39defa" } } \ No newline at end of file diff --git a/SPECS/moby-engine/moby-engine.spec b/SPECS/moby-engine/moby-engine.spec index bdbc538075a..2a8f2b359aa 100644 --- a/SPECS/moby-engine/moby-engine.spec +++ b/SPECS/moby-engine/moby-engine.spec @@ -1,14 +1,14 @@ Summary: The open-source application container engine Name: moby-engine -Version: 19.03.11+azure -Release: 4%{?dist} +Version: 19.03.15+azure +Release: 1%{?dist} License: ASL 2.0 Group: Tools/Container # Git clone is a standard practice of producing source files for moby. # Please look at ./generate-sources.sh for generating source tar ball. # ENGINE_REPO=https://github.com/moby/moby.git -%define MOBY_GITCOMMIT 77e06fda0c9457c99a210e9648c064b44805fa2d +%define MOBY_GITCOMMIT 420b1d36250f9cfdc561f086f25a213ecb669b6f # docker-proxy binary comes from libnetwork # The proxy code rarely sees any changes 
@@ -21,7 +21,7 @@ Group: Tools/Container # TINI_REPO=https://github.com/krallin/tini.git # TINI_COMMIT=fec3683b971d9c3ef73f284f176672c44b448662 -#Source0: https://github.com/moby/moby/archive/v19.03.11.tar.gz +#Source0: https://github.com/moby/moby/archive/v19.03.15.tar.gz Source0: moby-engine-%{version}.tar.gz Source2: docker.service Source3: docker.socket @@ -149,6 +149,9 @@ fi /usr/share/doc/%{name}-%{version}/* %changelog +* Thu Apr 15 2021 Andrew Phelps 19.03.15+azure-1 +- Update to version 19.03.15+azure + * Thu Dec 10 2020 Andrew Phelps 19.03.11+azure-4 - Increment release to force republishing using golang 1.15. diff --git a/SPECS/mysql/mysql.signatures.json b/SPECS/mysql/mysql.signatures.json index 443555548e2..13d064b571d 100644 --- a/SPECS/mysql/mysql.signatures.json +++ b/SPECS/mysql/mysql.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "mysql-boost-8.0.23.tar.gz": "1c7a424303c134758e59607a0b3172e43a21a27ff08e8c88c2439ffd4fc724a5" + "mysql-boost-8.0.24.tar.gz": "4bc9c54b38e9e2a3f5cc77f21791dc52372f15c5473f7d427793f6ec44bf5900" } } \ No newline at end of file diff --git a/SPECS/mysql/mysql.spec b/SPECS/mysql/mysql.spec index 0f5305442c6..11829732c20 100644 --- a/SPECS/mysql/mysql.spec +++ b/SPECS/mysql/mysql.spec @@ -1,13 +1,13 @@ Summary: MySQL. Name: mysql -Version: 8.0.23 +Version: 8.0.24 Release: 1%{?dist} License: GPLv2 with exceptions AND LGPLv2 AND BSD Vendor: Microsoft Corporation Distribution: Mariner Group: Applications/Databases URL: https://www.mysql.com -Source0: https://cdn.mysql.com/Downloads/MySQL-8.0/%{name}-boost-%{version}.tar.gz +Source0: https://dev.mysql.com/get/Downloads/MySQL-8.0/%{name}-boost-%{version}.tar.gz Patch0: CVE-2012-5627.nopatch BuildRequires: cmake BuildRequires: libtirpc-devel 
@@ -76,66 +76,70 @@ make test %{_libdir}/pkgconfig/mysqlclient.pc %changelog -* Thu Feb 11 2021 Rachel Menge - 8.0.23-1 -- Upgrade to 8.0.23. Fixes CVE-2020-15358. +* Sat Apr 24 2021 Thomas Crain - 8.0.24-1 +- Upgrade to 8.0.24 to fix 30 CVEs +- Update source URL -* Thu Nov 05 2020 Rachel Menge - 8.0.22-2 -- Added no patch for CVE-2012-5627 +* Thu Feb 11 2021 Rachel Menge - 8.0.23-1 +- Upgrade to 8.0.23. Fixes CVE-2020-15358. -* Tue Nov 03 2020 Rachel Menge - 8.0.22-1 -- Upgrade to 8.0.22. Fixes 40 CVES. -- Lint spec +* Thu Nov 05 2020 Rachel Menge - 8.0.22-2 +- Added no patch for CVE-2012-5627 -* Tue Aug 18 2020 Henry Beberman - 8.0.21-1 -- Upgrade to 8.0.21. Fixes 32 CVEs. +* Tue Nov 03 2020 Rachel Menge - 8.0.22-1 +- Upgrade to 8.0.22. Fixes 40 CVES. +- Lint spec -* Sat May 09 2020 Nick Samson - 8.0.20-2 -- Added %%license line automatically +* Tue Aug 18 2020 Henry Beberman - 8.0.21-1 +- Upgrade to 8.0.21. Fixes 32 CVEs. -* Mon Apr 27 2020 Emre Girgin 8.0.20-1 -- Upgrade to 8.0.20. Fixes 70 CVEs. -- Update URL. -- Fix CVE-2020-2804. +* Sat May 09 2020 Nick Samson - 8.0.20-2 +- Added %%license line automatically -* Fri Mar 13 2020 Paul Monson 8.0.17-1 -- Update to version 8.0.17. License verified. +* Mon Apr 27 2020 Emre Girgin - 8.0.20-1 +- Upgrade to 8.0.20. Fixes 70 CVEs. +- Update URL. +- Fix CVE-2020-2804. -* Tue Sep 03 2019 Mateusz Malisz 8.0.14-2 -- Initial CBL-Mariner import from Photon (license: Apache2). +* Fri Mar 13 2020 Paul Monson - 8.0.17-1 +- Update to version 8.0.17. License verified. -* Tue Jan 22 2019 Siju Maliakkal 8.0.14-1 -- Upgrade to 8.0.14 +* Tue Sep 03 2019 Mateusz Malisz - 8.0.14-2 +- Initial CBL-Mariner import from Photon (license: Apache2). -* Wed Jan 02 2019 Him Kalyan Bordoloi 8.0.13-1 -- Upgrade to version 8.0.13 -- Workaround for broken DCMAKE_BUILD_TYPE=RELEASE(Mysql Bug#92945). 
Revert in next version +* Tue Jan 22 2019 Siju Maliakkal - 8.0.14-1 +- Upgrade to 8.0.14 -* Mon Nov 19 2018 Ajay Kaher 8.0.12-4 -- Enabling for aarch64 +* Wed Jan 02 2019 Him Kalyan Bordoloi - 8.0.13-1 +- Upgrade to version 8.0.13 +- Workaround for broken DCMAKE_BUILD_TYPE=RELEASE(Mysql Bug#92945). Revert in next version -* Mon Oct 22 2018 Ajay Kaher 8.0.12-3 -- Adding BuildArch +* Mon Nov 19 2018 Ajay Kaher - 8.0.12-4 +- Enabling for aarch64 -* Fri Sep 21 2018 Alexey Makhalov 8.0.12-2 -- Use libtirpc instead obsoleted rpc from glibc. +* Mon Oct 22 2018 Ajay Kaher - 8.0.12-3 +- Adding BuildArch -* Mon Sep 10 2018 Srivatsa S. Bhat 8.0.12-1 -- Update to version 8.0.12 +* Fri Sep 21 2018 Alexey Makhalov - 8.0.12-2 +- Use libtirpc instead obsoleted rpc from glibc. -* Wed Aug 08 2018 Srivatsa S. Bhat 5.7.23-1 -- Update to version 5.7.23 to get it to build with gcc 7.3 +* Mon Sep 10 2018 Srivatsa S. Bhat - 8.0.12-1 +- Update to version 8.0.12 -* Thu Jan 25 2018 Divya Thaluru 5.7.20-2 -- Added patch for CVE-2018-2696 +* Wed Aug 08 2018 Srivatsa S. Bhat - 5.7.23-1 +- Update to version 5.7.23 to get it to build with gcc 7.3 -* Wed Oct 25 2017 Xiaolin Li 5.7.20-1 -- Update to version 5.7.20 +* Thu Jan 25 2018 Divya Thaluru - 5.7.20-2 +- Added patch for CVE-2018-2696 -* Fri Oct 13 2017 Alexey Makhalov 5.7.18-3 -- Fix typo in description +* Wed Oct 25 2017 Xiaolin Li - 5.7.20-1 +- Update to version 5.7.20 -* Fri Jul 14 2017 Xiaolin Li 5.7.18-2 -- Run make test in the %check section +* Fri Oct 13 2017 Alexey Makhalov - 5.7.18-3 +- Fix typo in description -* Tue Jun 13 2017 Xiaolin Li 5.7.18-1 -- Initial packaging for Photon +* Fri Jul 14 2017 Xiaolin Li - 5.7.18-2 +- Run make test in the %check section + +* Tue Jun 13 2017 Xiaolin Li - 5.7.18-1 +- Initial packaging for Photon diff --git a/SPECS/nettle/nettle.signatures.json b/SPECS/nettle/nettle.signatures.json index e6567c5effa..caf19aaa391 100644 --- a/SPECS/nettle/nettle.signatures.json 
+++ b/SPECS/nettle/nettle.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "nettle-3.4.1.tar.gz": "f941cf1535cd5d1819be5ccae5babef01f6db611f9b5a777bae9c7604b8a92ad" + "nettle-3.7.2.tar.gz": "8d2a604ef1cde4cd5fb77e422531ea25ad064679ff0adf956e78b3352e0ef162" } } \ No newline at end of file diff --git a/SPECS/nettle/nettle.spec b/SPECS/nettle/nettle.spec index 237bd40c0c1..541ddd4f069 100644 --- a/SPECS/nettle/nettle.spec +++ b/SPECS/nettle/nettle.spec @@ -1,17 +1,17 @@ Summary: Low level cryptographic libraries Name: nettle -Version: 3.4.1 -Release: 2%{?dist} +Version: 3.7.2 +Release: 1%{?dist} License: LGPLv3+ or GPLv2+ URL: https://www.lysator.liu.se/~nisse/nettle/ Source0: https://ftp.gnu.org/gnu/nettle/%{name}-%{version}.tar.gz Group: Development/Libraries Vendor: Microsoft Corporation Distribution: Mariner -Provides: libhogweed.so.4()(64bit) -Provides: libhogweed.so.4(HOGWEED_4)(64bit) -Provides: libnettle.so.6()(64bit) -Provides: libnettle.so.6(NETTLE_6)(64bit) +Provides: libhogweed.so.6()(64bit) +Provides: libhogweed.so.6(HOGWEED_6)(64bit) +Provides: libnettle.so.8()(64bit) +Provides: libnettle.so.8(NETTLE_8)(64bit) Requires: gmp %description 
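Review bot: This bump changes the library SONAMEs (`libnettle.so.6` → `libnettle.so.8`, `libhogweed.so.4` → `libhogweed.so.6`), which is an ABI break for every consumer linked against the old names, yet nothing else in this diff rebuilds them; anything still requiring `libnettle.so.6()(64bit)` will no longer resolve against 3.7.2. The hand-written `Provides:` lines duplicate rpm's automatic ELF soname provides and hard-code the `(64bit)` marker, so they mask rather than express the real dependency picture — consider dropping them and letting rpm generate them. The changelog entry should also list the dependents rebuilt for the new SONAMEs next to the CVE-2021-20305 note.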
@@ -63,24 +63,25 @@ make %{?_smp_mflags} check %{_libdir}/pkgconfig/*.pc %changelog +* Mon Apr 12 2021 Rachel Menge - 3.7.2-1 +- Update to 3.7.2 for CVE-2021-20305 * Sat May 09 00:20:58 PST 2020 Nick Samson - 3.4.1-2 - Added %%license line automatically - -* Mon Mar 16 2020 Henry Beberman 3.4.1-1 -- Update to 3.4.1. Licence verified. -* Tue Sep 03 2019 Mateusz Malisz 3.4-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Thu Sep 06 2018 Anish Swaminathan 3.4-1 -- Update version to 3.4 -* Sat Apr 15 2017 Priyesh Padmavilasom 3.3-1 -- Update to 3.3 -* Mon Oct 04 2016 ChangLee 3.2-3 -- Modified %check -* Tue May 24 2016 Priyesh Padmavilasom 3.2-2 -- GA - Bump release of all rpms -* Mon Feb 22 2016 XIaolin Li 3.2-1 -- Updated to version 3.2 -* Mon Oct 12 2015 Xiaolin Li 3.1.1-2 -- Moving static lib files to devel package. -* Thu Jun 18 2015 Divya Thaluru 3.1.1-1 -- Initial build. First version +* Mon Mar 16 2020 Henry Beberman 3.4.1-1 +- Update to 3.4.1. Licence verified. +* Tue Sep 03 2019 Mateusz Malisz 3.4-2 +- Initial CBL-Mariner import from Photon (license: Apache2). +* Thu Sep 06 2018 Anish Swaminathan 3.4-1 +- Update version to 3.4 +* Sat Apr 15 2017 Priyesh Padmavilasom 3.3-1 +- Update to 3.3 +* Mon Oct 04 2016 ChangLee 3.2-3 +- Modified %check +* Tue May 24 2016 Priyesh Padmavilasom 3.2-2 +- GA - Bump release of all rpms +* Mon Feb 22 2016 XIaolin Li 3.2-1 +- Updated to version 3.2 +* Mon Oct 12 2015 Xiaolin Li 3.1.1-2 +- Moving static lib files to devel package. +* Thu Jun 18 2015 Divya Thaluru 3.1.1-1 +- Initial build. First version diff --git a/SPECS/nvidia-container-runtime/nvidia-container-runtime.signatures.json b/SPECS/nvidia-container-runtime/nvidia-container-runtime.signatures.json new file mode 100644 index 00000000000..59d469fbd3f --- /dev/null +++ b/SPECS/nvidia-container-runtime/nvidia-container-runtime.signatures.json 
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+ "nvidia-container-runtime-3.4.2.tar.gz": "30e8a871b4cd8e1577d9439ae4f17fa9208f8f7c026ad69c8e41e3e3d103a38b"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/nvidia-container-runtime/nvidia-container-runtime.spec b/SPECS/nvidia-container-runtime/nvidia-container-runtime.spec
new file mode 100644
index 00000000000..2a47b782e9e
--- /dev/null
+++ b/SPECS/nvidia-container-runtime/nvidia-container-runtime.spec
@@ -0,0 +1,60 @@
+Summary: NVIDIA container runtime
+Name: nvidia-container-runtime
+Version: 3.4.2
+Release: 2%{?dist}
+License: ASL 2.0
+Vendor: Microsoft Corporation
+Distribution: Mariner
+URL: https://github.com/NVIDIA/nvidia-container-runtime
+#Source0: https://github.com/NVIDIA/%%{name}/archive/v%%{version}.tar.gz
+Source0: %{name}-%{version}.tar.gz
+BuildRequires: golang
+Requires: libseccomp
+
+%description
+Provides a modified version of runc allowing users to run GPU enabled
+containers.
+
+%prep
+%setup -q
+
+%build
+cd src/
+make build
+mkdir -p %{buildroot}%{_bindir}
+cp %{name} %{buildroot}%{_bindir}
+
+%install
+cd src
+install -m 755 %{name} %{buildroot}%{_bindir}/%{name}
+
+%files
+%license LICENSE
+%{_bindir}/%{name}
+
+%changelog
+* Wed Apr 21 2021 Joseph Knierman - 3.4.2-2
+- License verified
+- Initial CBL-Mariner import from NVIDIA (license: ASL 2.0).
+
+* Fri Feb 05 2021 NVIDIA CORPORATION 3.4.2-1
+- Add dependence on nvidia-container-toolkit >= 1.4.2
+
+* Mon Jan 25 2021 NVIDIA CORPORATION 3.4.1-1
+- Update README to list 'compute' as part of the default capabilities
+- Switch to gomod for vendoring
+- Update to Go 1.15.6 for builds
+- Add dependence on nvidia-container-toolkit >= 1.4.1
+
+* Wed Sep 16 2020 NVIDIA CORPORATION 3.4.0-1
+- Bump version to v3.4.0
+- Add dependence on nvidia-container-toolkit >= 1.3.0
+
+* Wed Jul 08 2020 NVIDIA CORPORATION 3.3.0-1
+- e550cb15 Update package license to match source license
+- f02eef53 Update project License
+- c0fe8aae Update dependence on nvidia-container-toolkit to 1.2.0
+
+* Fri May 15 2020 NVIDIA CORPORATION 3.2.0-1
+- e486a70e Update build system to support multi-arch builds
+- 854f4c48 Require new MIG changes
diff --git a/SPECS/openjdk8/check-system-ca-certs-292.patch b/SPECS/openjdk8/check-system-ca-certs-292.patch
new file mode 100644
index 00000000000..f012305d801
--- /dev/null
+++ b/SPECS/openjdk8/check-system-ca-certs-292.patch
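Review bot: The `%build` section stages files into the build root (`mkdir -p %{buildroot}%{_bindir}` and `cp %{name} %{buildroot}%{_bindir}`), duplicating what `%install` does one section later with `install -m 755 %{name} %{buildroot}%{_bindir}/%{name}`; %build should end after `make build` and those two lines can be dropped. The spec's own changelog records "Add dependence on nvidia-container-toolkit >= 1.4.2", yet the only runtime dependency declared is `Requires: libseccomp`; either add `Requires: nvidia-container-toolkit >= 1.4.2` or leave a comment explaining why the dependency is intentionally not expressed. There is no `%check` section, so nothing exercises the built binary at package time.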
@@ -0,0 +1,54 @@ +diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java openjdk/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java +--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java ++++ openjdk/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java +@@ -72,7 +72,7 @@ + * The preference of the default trusted KeyStore is: + * javax.net.ssl.trustStore + * jssecacerts +- * cacerts ++ * cacerts (system and local) + */ + private static final class TrustStoreDescriptor { + private static final String fileSep = File.separator; +@@ -83,6 +83,10 @@ + defaultStorePath + fileSep + "cacerts"; + private static final String jsseDefaultStore = + defaultStorePath + fileSep + "jssecacerts"; ++ /* Check system cacerts DB: /etc/pki/java/cacerts */ ++ private static final String systemStore = ++ fileSep + "etc" + fileSep + "pki" + ++ fileSep + "java" + fileSep + "cacerts"; + + // the trust store name + private final String storeName; +@@ -146,7 +150,8 @@ + long temporaryTime = 0L; + if (!"NONE".equals(storePropName)) { + String[] fileNames = +- new String[] {storePropName, defaultStore}; ++ new String[] {storePropName, ++ systemStore, defaultStore}; + for (String fileName : fileNames) { + File f = new File(fileName); + if (f.isFile() && f.canRead()) { +diff --git openjdk.orig/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java openjdk/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java +--- openjdk.orig/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java ++++ openjdk/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java +@@ -108,9 +108,14 @@ + throws Exception + { + String sep = File.separator; +- File file = new File(System.getProperty("java.home") + sep +- + "lib" + sep + "security" + sep +- + "cacerts"); ++ /* Check system cacerts DB first; /etc/pki/java/cacerts */ ++ File file = new File(sep + "etc" + sep + "pki" + sep ++ + "java" + sep + "cacerts"); ++ if (!file.exists()) { 
++ file = new File(System.getProperty("java.home") + sep ++ + "lib" + sep + "security" + sep ++ + "cacerts"); ++ } + if (!file.exists()) { + return null; + } diff --git a/SPECS/openjdk8/check-system-ca-certs.patch b/SPECS/openjdk8/check-system-ca-certs.patch index abcb8ff47cb..64950994c84 100644 --- a/SPECS/openjdk8/check-system-ca-certs.patch +++ b/SPECS/openjdk8/check-system-ca-certs.patch @@ -50,4 +50,3 @@ diff -r 6b81fd2227d1 -r 3334efeacd83 src/share/classes/sun/security/tools/KeySto if (!file.exists()) { return null; } - diff --git a/SPECS/openjdk8/openjdk8.signatures.json b/SPECS/openjdk8/openjdk8.signatures.json index 9ffb33d7830..1aa1af865da 100644 --- a/SPECS/openjdk8/openjdk8.signatures.json +++ b/SPECS/openjdk8/openjdk8.signatures.json @@ -1,5 +1,5 @@ { - "Signatures": { - "openjdk-1.8.0.212-b04.tar.gz": "c0f4e284026250bcb08c41fbde9fb369b04d2e7a050ff6ad23f13161c98ce5ec" - } + "Signatures": { + "openjdk-1.8.0.292.tar.gz": "427d7a1d64dcaaab442137752e2f7ddcfad507beabeb277cd1d660eb27fb876f" + } } \ No newline at end of file diff --git a/SPECS/openjdk8/openjdk8.spec b/SPECS/openjdk8/openjdk8.spec index 649fb539380..9c72726782a 100644 --- a/SPECS/openjdk8/openjdk8.spec +++ b/SPECS/openjdk8/openjdk8.spec 
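Review bot: The two patched files test the system store with different predicates: TrustStoreManager keeps `f.isFile() && f.canRead()` and falls through to `defaultStore` when `/etc/pki/java/cacerts` is unreadable, while the new KeyStoreUtil code only checks `file.exists()`, so a present-but-unreadable file or a directory at that path is selected and the JDK's own cacerts is never tried. Use the same test in KeyStoreUtil for the fallback, `if (!file.isFile() || !file.canRead()) {`. It is also worth a comment next to the `fileNames` array in TrustStoreManager stating that placing `systemStore` before `defaultStore` makes the distribution's trust store override the bundled one whenever it is readable, since that precedence is the security-relevant effect of the patch. The enclosing Java methods in both files start and end outside the quoted hunks.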
@@ -1,19 +1,21 @@
 %define _use_internal_dependency_generator 0
 %global security_hardening none
+%define _jdk_update 292
+%define _jdk_build 10
 Summary: OpenJDK
 Name: openjdk8
-Version: 1.8.0.212
-Release: 10%{?dist}
+Version: 1.8.0.292
+Release: 1%{?dist}
 License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib
 URL: https://openjdk.java.net
 Group: Development/Tools
 Vendor: Microsoft Corporation
 Distribution: Mariner
-# Source0 tarball is generated from Mercurial clones
-# See generate_source_tarball.sh
-Source0: openjdk-%{version}-b04.tar.gz
+# Source tarball is generated by AdoptOpenJDK from OpenJDK sources
+#Source0: https://github.com/AdoptOpenJDK/openjdk-jdk8u/archive/jdk8u292-b10.tar.gz
+Source0: openjdk-%{version}.tar.gz
 Patch0: Awt_build_headless_only.patch
-Patch1: check-system-ca-certs.patch
+Patch1: check-system-ca-certs-292.patch
 ExclusiveArch: x86_64
 BuildRequires: alsa-lib
 BuildRequires: alsa-lib-devel
@@ -68,7 +70,7 @@ Requires: %{name} = %{version}-%{release}
 This package provides the runtime library class sources.
 %prep -p exit
-%setup -qn openjdk-%{version}-b04
+%setup -qn openjdk-jdk8u-jdk8u%{_jdk_update}-b%{_jdk_build}
 %patch0 -p1
 %patch1 -p1
 rm jdk/src/solaris/native/sun/awt/CUPSfuncs.c
@@ -92,6 +94,7 @@ unset JAVA_HOME &&
 --with-freetype-include=/usr/include/freetype2 \
 --with-freetype-lib=/usr/lib \
 --with-stdc++lib=dynamic \
+ --with-native-debug-symbols=none \
 --disable-zip-debug-info
 make \
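Review bot: `Version: 1.8.0.292`, the new `%define _jdk_update 292` and the commented `#Source0:` URL spelling out `jdk8u292-b10` carry the same update number three times, and `%setup -qn openjdk-jdk8u-jdk8u%{_jdk_update}-b%{_jdk_build}` in the next hunk depends on the define, so a future update must edit every copy in step. Deriving it once, `Version: 1.8.0.%{_jdk_update}`, and writing the comment as `#Source0: https://github.com/AdoptOpenJDK/openjdk-jdk8u/archive/jdk8u%%{_jdk_update}-b%%{_jdk_build}.tar.gz` leaves a single place to change.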
@@ -137,6 +140,7 @@ alternatives --install %{_bindir}/javac javac %{_libdir}/jvm/OpenJDK-%{version}/
 --slave %{_bindir}/jinfo jinfo %{_libdir}/jvm/OpenJDK-%{version}/bin/jinfo \
 --slave %{_bindir}/jmap jmap %{_libdir}/jvm/OpenJDK-%{version}/bin/jmap \
 --slave %{_bindir}/jps jps %{_libdir}/jvm/OpenJDK-%{version}/bin/jps \
+ --slave %{_bindir}/jfr jfr %{_libdir}/jvm/OpenJDK-%{version}/bin/jfr \
 --slave %{_bindir}/jrunscript jrunscript %{_libdir}/jvm/OpenJDK-%{version}/bin/jrunscript \
 --slave %{_bindir}/jsadebugd jsadebugd %{_libdir}/jvm/OpenJDK-%{version}/bin/jsadebugd \
 --slave %{_bindir}/jstack jstack %{_libdir}/jvm/OpenJDK-%{version}/bin/jstack \
@@ -201,6 +205,7 @@ rm -rf %{buildroot}/*
 %{_libdir}/jvm/OpenJDK-%{version}/bin/jhat
 %{_libdir}/jvm/OpenJDK-%{version}/bin/jinfo
 %{_libdir}/jvm/OpenJDK-%{version}/bin/jjs
+%{_libdir}/jvm/OpenJDK-%{version}/bin/jfr
 %{_libdir}/jvm/OpenJDK-%{version}/bin/jmap
 %{_libdir}/jvm/OpenJDK-%{version}/bin/jps
 %{_libdir}/jvm/OpenJDK-%{version}/bin/jrunscript
@@ -217,6 +222,7 @@ rm -rf %{buildroot}/*
 %{_libdir}/jvm/OpenJDK-%{version}/bin/xjc
 %{_libdir}/jvm/OpenJDK-%{version}/bin/clhsdb
 %{_libdir}/jvm/OpenJDK-%{version}/bin/hsdb
+%exclude %{_libdir}/jvm/OpenJDK-%(version)/bin/*.debuginfo
 %files -n openjre8
 %defattr(-,root,root)
@@ -248,6 +254,9 @@ rm -rf %{buildroot}/*
 %{_libdir}/jvm/OpenJDK-%{version}/src.zip
 %changelog
+* Fri Apr 16 2021 Nick Samson - 1.8.0.292-1
+- Update to 8u292 to address CVEs
+- Switch to AdoptOpenJDK-generated source tarball
 * Thu Jun 11 2020 Henry Beberman - 1.8.0.212-10
 - Disable -Werrors that break the build in cflags and cxxflags.
 * Tue May 26 2020 Pawel Winogrodzki 1.8.0.212-9
diff --git a/SPECS/openjdk8/openjdk8_aarch64.signatures.json b/SPECS/openjdk8/openjdk8_aarch64.signatures.json
index 3d404521b26..bf5ce02af6d 100644
--- a/SPECS/openjdk8/openjdk8_aarch64.signatures.json
+++ b/SPECS/openjdk8/openjdk8_aarch64.signatures.json
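Review bot: The new `%exclude` line in the `@@ -217,6 +222,7 @@` hunk writes `%(version)` where every other path in the file uses `%{version}`; in rpm `%(...)` is shell expansion, so this expands to the output of a command named `version` instead of the package version and the exclude pattern silently matches nothing (the aarch64 spec's equivalent line in this commit uses `%{version}` correctly). Change it to `%exclude %{_libdir}/jvm/OpenJDK-%{version}/bin/*.debuginfo`. Whether any `*.debuginfo` files are still produced once `--with-native-debug-symbols=none` is passed is not visible here, so the line may also be dead after the fix.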
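Review bot: The changelog entry `- Update to 8u292 to address CVEs` in the `@@ -248,6 +254,9 @@` hunk does not say which CVEs, and the repo's own tooling and downstream scanners read these entries as the record of what a release fixed. List the CVE identifiers that applied to the previous 8u212 build, or at least point at the upstream 8u292 release note, in the entry. The aarch64 spec's entry `- Update to 8u292 to address CVEs.` later in this commit has the same gap.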
@@ -1,5 +1,5 @@
 {
- "Signatures": {
- "aarch64-jdk8u181-b13.tar.gz": "c225d344b421d9260a6d0c039ac04500389a0f138246e4a8242d25b3a93fb9fc"
- }
+ "Signatures": {
+ "aarch64-shenandoah-jdk8u292-b10.tar.gz": "f46e116b23a09e80888d90dcd977da11f6ed83cae2bca09132618893d93b1405"
+ }
 }
\ No newline at end of file
diff --git a/SPECS/openjdk8/openjdk8_aarch64.spec b/SPECS/openjdk8/openjdk8_aarch64.spec
index 45fc0f20a64..e4cf6d9570b 100644
--- a/SPECS/openjdk8/openjdk8_aarch64.spec
+++ b/SPECS/openjdk8/openjdk8_aarch64.spec
@@ -1,77 +1,84 @@ %define _use_internal_dependency_generator 0 %global security_hardening none -%define _jdk_update 181 -%define _jdk_build 13 -%define _repo_ver aarch64-jdk8u%{_jdk_update}-b%{_jdk_build} +%define _jdk_update 292 +%define _jdk_build 10 +%define _repo_ver aarch64-shenandoah-jdk8u%{_jdk_update}-b%{_jdk_build} %define _url_src https://github.com/AdoptOpenJDK/openjdk-aarch64-jdk8u/ - +%define bootstrapjdk %{_libdir}/jvm/OpenJDK-1.8.0.181-bootstrap Summary: OpenJDK Name: openjdk8 -Version: 1.8.0.181 -Release: 8%{?dist} -License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib -URL: https://hg.openjdk.java.net/aarch64-port/jdk8u/ -Group: Development/Tools +Version: 1.8.0.292 +Release: 1%{?dist} +License: ASL 1.1 AND ASL 2.0 AND BSD AND BSD WITH advertising AND GPL+ AND GPLv2 AND GPLv2 WITH exceptions AND IJG AND LGPLv2+ AND MIT AND MPLv2.0 AND Public Domain AND W3C AND zlib Vendor: Microsoft Corporation Distribution: Mariner +Group: Development/Tools +URL: https://hg.openjdk.java.net/aarch64-port/jdk8u-shenandoah/ Source0: %{_url_src}/archive/%{_repo_ver}.tar.gz Patch0: Awt_build_headless_only.patch -Patch1: check-system-ca-certs.patch -ExclusiveArch: aarch64 -BuildRequires: pcre-devel -BuildRequires: which -BuildRequires: zip -BuildRequires: unzip -BuildRequires: zlib-devel -BuildRequires: chkconfig +Patch1: check-system-ca-certs-292.patch BuildRequires: fontconfig-devel BuildRequires: freetype-devel BuildRequires: glib-devel -Requires: openjre8 = %{version}-%{release} +BuildRequires: pcre-devel +BuildRequires: unzip +BuildRequires: which +BuildRequires: zip +BuildRequires: zlib-devel Requires: chkconfig +Requires: openjre8 = %{version}-%{release} +AutoReqProv: no Obsoletes: openjdk <= %{version} -AutoReqProv: no -%define bootstrapjdk /usr/lib/jvm/OpenJDK-1.8.0.181-bootstrap +Provides: java-devel = %{version}-%{release} +Provides: 
java-1.8.0-openjdk = %{version}-%{release} +Provides: java-1.8.0-openjdk-headless = %{version}-%{release} +Provides: java-1.8.0-openjdk-devel = %{version}-%{release} +ExclusiveArch: aarch64 %description The OpenJDK package installs java class library and javac java compiler. %package -n openjre8 -Summary: Java runtime environment -AutoReqProv: no -Obsoletes: openjre <= %{version} +Summary: Java runtime environment Requires: chkconfig -Requires: libstdc++ +Requires: libstdc++ +AutoReqProv: no +Obsoletes: openjre <= %{version} +Provides: java = %{version}-%{release} +Provides: java-headless = %{version}-%{release} + %description -n openjre8 It contains the libraries files for Java runtime environment - %package sample -Summary: Sample java applications. +Summary: Sample java applications. Group: Development/Languages/Java -Obsoletes: openjdk-sample <= %{version} Requires: %{name} = %{version}-%{release} +Obsoletes: openjdk-sample <= %{version} + %description sample It contains the Sample java applications. %package doc -Summary: Documentation and demo applications for openjdk +Summary: Documentation and demo applications for openjdk Group: Development/Languages/Java -Obsoletes: openjdk-doc <= %{version} Requires: %{name} = %{version}-%{release} +Obsoletes: openjdk-doc <= %{version} + %description doc It contains the documentation and demo applications for openjdk %package src Summary: OpenJDK Java classes for developers Group: Development/Languages/Java -Obsoletes: openjdk-src <= %{version} Requires: %{name} = %{version}-%{release} +Obsoletes: openjdk-src <= %{version} + %description src This package provides the runtime library class sources. %prep -p exit -%setup -qn openjdk-aarch64-jdk8u-%{_repo_ver} +%setup -n openjdk-aarch64-jdk8u-%{_repo_ver} %patch0 -p1 %patch1 -p1 rm jdk/src/solaris/native/sun/awt/CUPSfuncs.c 
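Review bot: `%define bootstrapjdk %{_libdir}/jvm/OpenJDK-1.8.0.181-bootstrap` is moved to the top of the spec but still pins the 8u181 bootstrap while `Version` becomes 1.8.0.292, and the `--with-cacerts-file=%{bootstrapjdk}/jre/lib/security/cacerts` configure argument (context in a later hunk) means the trust store bundled into the built JDK is copied from that old bootstrap. That deserves a comment next to the define, e.g. `# The bootstrap JDK also supplies the bundled cacerts; at runtime Patch1 makes /etc/pki/java/cacerts take precedence`. `%setup -qn` became `%setup -n`, dropping the quiet flag while the x86_64 spec keeps `-qn`, presumably unintentionally. No `BuildRequires` for the bootstrap JDK is visible in this hunk, so how it is provided at build time cannot be confirmed from here.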
@@ -92,8 +99,10 @@ sh configure \
 --with-cacerts-file=%{bootstrapjdk}/jre/lib/security/cacerts \
 --with-extra-cxxflags="-Wno-error -std=gnu++98 -fno-delete-null-pointer-checks -fno-lifetime-dse" \
 --with-extra-cflags="-std=gnu++98 -fno-delete-null-pointer-checks -Wno-error -fno-lifetime-dse" \
- --with-freetype-include=/usr/include/freetype2 \
- --with-freetype-lib=/usr/lib \
+ --with-freetype-include=%{_includedir}/freetype2 \
+ --with-freetype-lib=%{_libdir} \
+ --with-native-debug-symbols=none \
+ --disable-zip-debug-info \
 --with-stdc++lib=dynamic
 make \
@@ -118,8 +127,8 @@ make DESTDIR=%{buildroot} install \
 install -vdm755 %{buildroot}%{_libdir}/jvm/OpenJDK-%{version}
 chown -R root:root %{buildroot}%{_libdir}/jvm/OpenJDK-%{version}
 install -vdm755 %{buildroot}%{_bindir}
-find /usr/local/jvm/openjdk-1.8.0-internal/jre/lib/aarch64 -iname \*.diz -delete
-mv /usr/local/jvm/openjdk-1.8.0-internal/* %{buildroot}%{_libdir}/jvm/OpenJDK-%{version}/
+find %{_prefix}/local/jvm/openjdk-1.8.0-internal/jre/lib/aarch64 -iname \*.diz -delete
+mv %{_prefix}/local/jvm/openjdk-1.8.0-internal/* %{buildroot}%{_libdir}/jvm/OpenJDK-%{version}/
 %post
 alternatives --install %{_bindir}/javac javac %{_libdir}/jvm/OpenJDK-%{version}/bin/javac 2000 \
@@ -178,6 +187,8 @@ alternatives --remove java %{_libdir}/jvm/OpenJDK-%{version}/jre/bin/java
 %clean
 rm -rf %{buildroot}/*
+
+
 %files
 %defattr(-,root,root)
 %license LICENSE
@@ -187,9 +198,12 @@ rm -rf %{buildroot}/*
 %{_libdir}/jvm/OpenJDK-%{version}/THIRD_PARTY_README
 %{_libdir}/jvm/OpenJDK-%{version}/lib
 %{_libdir}/jvm/OpenJDK-%{version}/include/
+%{_libdir}/jvm/OpenJDK-%{version}/bin/clhsdb
 %{_libdir}/jvm/OpenJDK-%{version}/bin/extcheck
+%{_libdir}/jvm/OpenJDK-%{version}/bin/hsdb
 %{_libdir}/jvm/OpenJDK-%{version}/bin/idlj
 %{_libdir}/jvm/OpenJDK-%{version}/bin/jar
+%{_libdir}/jvm/OpenJDK-%{version}/bin/jfr
 %{_libdir}/jvm/OpenJDK-%{version}/bin/jarsigner
 %{_libdir}/jvm/OpenJDK-%{version}/bin/java-rmi.cgi
 %{_libdir}/jvm/OpenJDK-%{version}/bin/javac
@@ -217,8 +231,9 @@ rm -rf %{buildroot}/*
 %{_libdir}/jvm/OpenJDK-%{version}/bin/wsgen
 %{_libdir}/jvm/OpenJDK-%{version}/bin/wsimport
 %{_libdir}/jvm/OpenJDK-%{version}/bin/xjc
+%exclude %{_libdir}/jvm/OpenJDK-%{version}/bin/*.debuginfo
-%files -n openjre8
+%files -n openjre8
 %defattr(-,root,root)
 %dir %{_libdir}/jvm/OpenJDK-%{version}
 %{_libdir}/jvm/OpenJDK-%{version}/jre/
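Review bot: `bin/jfr` is added to `%files` here, but unlike the x86_64 spec in this commit no `--slave %{_bindir}/jfr jfr %{_libdir}/jvm/OpenJDK-%{version}/bin/jfr \` line is added to this spec's `%post` alternatives block (that part of the file is not in the diff), so on aarch64 `jfr` would be shipped but not reachable from `%{_bindir}` unless it was registered elsewhere. The new entry is also inserted between `jar` and `jarsigner`, breaking the otherwise alphabetical list; keeping the list sorted makes future file-list diffs easier to read. The `-%files -n openjre8` / `+%files -n openjre8` pair is byte-identical as rendered, so presumably a trailing-whitespace change.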
@@ -248,28 +263,59 @@ rm -rf %{buildroot}/*
 %{_libdir}/jvm/OpenJDK-%{version}/src.zip
 %changelog
-* Thu Jun 11 2020 Henry Beberman - 1.8.0.181-8
+* Sun Apr 18 2021 Nick Samson - 1.8.0.292-1
+- Update to 8u292 to address CVEs.
+- Switch to Shenandoah version of the aarch64 port
+
+* Fri Feb 05 2021 Joe Schmitt - 1.8.0.181-13
+- Replace incorrect %%{_lib} usage with %%{_libdir}
+
+* Tue Nov 17 2020 Joe Schmitt - 1.8.0.181-12
+- Provide java and java-headless.
+
+* Mon Nov 02 2020 Joe Schmitt - 1.8.0.181-11
+- Provide java-1.8.0-openjdk and java-devel.
+
+* Thu Oct 15 2020 Joe Schmitt 1.8.0.181-10
+- Provide java-1.8.0-openjdk-devel.
+
+* Mon Sep 28 2020 Joe Schmitt 1.8.0.181-9
+- Remove unused buildrequires.
+- Provide java-1.8.0-openjdk-headless.
+
+* Thu Jun 11 2020 Henry Beberman 1.8.0.181-8
 - Disable -Werrors that break the build in cflags and cxxflags.
-* Sat May 09 00:20:52 PST 2020 Nick Samson - 1.8.0.181-7
+
+* Sat May 09 2020 Nick Samson 1.8.0.181-7
 - Added %%license line automatically
+
 * Wed May 06 2020 Pawel Winogrodzki 1.8.0.181-6
 - Removing *Requires for "ca-certificates".
+
 * Mon May 04 2020 Emre Girgin 1.8.0.181-5
 - Replace BuildArch with ExclusiveArch
+
 * Thu Apr 30 2020 Nicolas Ontiveros 8.0.181-4
 - Rename freetype2-devel to freetype-devel.
+
 * Thu Apr 16 2020 Paul Monson 8.0.181-3
 - Remove harfbuzz-devel. License verified.
+
 * Wed Feb 12 2020 Andrew Phelps 8.0.181-2
 - Remove ExtraBuildRequires
+
 * Tue Sep 03 2019 Mateusz Malisz 8.0.181-1
 - Initial CBL-Mariner import from Photon (license: Apache2).
+
 * Thu Mar 21 2019 Ajay Kaher 1.8.0.181-1
 - Update to version 1.8.0.181
+
 * Mon Oct 29 2018 Ajay Kaher 1.8.0.151-3
 - Adding BuildArch
+
 * Mon Oct 29 2018 Alexey Makhalov 1.8.0.151-2
 - Use ExtraBuildRequires
+
 * Thu Dec 21 2017 Alexey Makhalov 1.8.0.151-1
 - Initial version of OpenJDK for aarch64. SPEC file was forked from openjdk8-1.8.0.152-1 of x86_64
diff --git a/SPECS/openvswitch/CVE-2020-35498.patch b/SPECS/openvswitch/CVE-2020-35498.patch
deleted file mode 100644
index e43f356b3b5..00000000000
--- a/SPECS/openvswitch/CVE-2020-35498.patch
+++ /dev/null
@@ -1,144 +0,0 @@ -From 53c1b8b166f3dd217bc391d707885f789e9ecc49 Mon Sep 17 00:00:00 2001 -From: Flavio Leitner -Date: Mon, 26 Oct 2020 16:03:19 -0300 -Subject: [PATCH] flow: Support extra padding length. - -Although not required, padding can be optionally added until -the packet length is MTU bytes. A packet with extra padding -currently fails sanity checks. - -Vulnerability: CVE-2020-35498 -Fixes: fa8d9001a624 ("miniflow_extract: Properly handle small IP packets.") -Reported-by: Joakim Hindersson -Acked-by: Ilya Maximets -Signed-off-by: Flavio Leitner -Signed-off-by: Ilya Maximets ---- - lib/conntrack.c | 2 +- - lib/dp-packet.h | 10 +++++----- - lib/flow.c | 6 +++--- - tests/classifier.at | 36 ++++++++++++++++++++++++++++++++++++ - 4 files changed, 45 insertions(+), 9 deletions(-) - -diff --git a/lib/conntrack.c b/lib/conntrack.c -index a8743111eb..6bb57d228c 100644 ---- a/lib/conntrack.c -+++ b/lib/conntrack.c -@@ -688,7 +688,7 @@ static void - reverse_nat_packet(struct dp_packet *pkt, const struct conn *conn) - { - char *tail = dp_packet_tail(pkt); -- char pad = dp_packet_l2_pad_size(pkt); -+ uint16_t pad = dp_packet_l2_pad_size(pkt); - struct conn_key inner_key; - const char *inner_l4 = NULL; - uint16_t orig_l3_ofs = pkt->l3_ofs; -diff --git a/lib/dp-packet.h b/lib/dp-packet.h -index 3dd59e25d2..55c442a019 100644 ---- a/lib/dp-packet.h -+++ b/lib/dp-packet.h -@@ -81,7 +81,7 @@ struct dp_packet { - - /* All the following elements of this struct are copied in a single call - * of memcpy in dp_packet_clone_with_headroom. */ -- uint8_t l2_pad_size; /* Detected l2 padding size. -+ uint16_t l2_pad_size; /* Detected l2 padding size. - * Padding is non-pullable. 
*/ - uint16_t l2_5_ofs; /* MPLS label stack offset, or UINT16_MAX */ - uint16_t l3_ofs; /* Network-level header offset, -@@ -118,8 +118,8 @@ void *dp_packet_resize_l2(struct dp_packet *, int increment); - void *dp_packet_resize_l2_5(struct dp_packet *, int increment); - static inline void *dp_packet_eth(const struct dp_packet *); - static inline void dp_packet_reset_offsets(struct dp_packet *); --static inline uint8_t dp_packet_l2_pad_size(const struct dp_packet *); --static inline void dp_packet_set_l2_pad_size(struct dp_packet *, uint8_t); -+static inline uint16_t dp_packet_l2_pad_size(const struct dp_packet *); -+static inline void dp_packet_set_l2_pad_size(struct dp_packet *, uint16_t); - static inline void *dp_packet_l2_5(const struct dp_packet *); - static inline void dp_packet_set_l2_5(struct dp_packet *, void *); - static inline void *dp_packet_l3(const struct dp_packet *); -@@ -325,14 +325,14 @@ dp_packet_reset_offsets(struct dp_packet *b) - b->l4_ofs = UINT16_MAX; - } - --static inline uint8_t -+static inline uint16_t - dp_packet_l2_pad_size(const struct dp_packet *b) - { - return b->l2_pad_size; - } - - static inline void --dp_packet_set_l2_pad_size(struct dp_packet *b, uint8_t pad_size) -+dp_packet_set_l2_pad_size(struct dp_packet *b, uint16_t pad_size) - { - ovs_assert(pad_size <= dp_packet_size(b)); - b->l2_pad_size = pad_size; -diff --git a/lib/flow.c b/lib/flow.c -index 00152be12b..2fd4545a46 100644 ---- a/lib/flow.c -+++ b/lib/flow.c -@@ -655,7 +655,7 @@ ipv4_sanity_check(const struct ip_header *nh, size_t size, - - tot_len = ntohs(nh->ip_tot_len); - if (OVS_UNLIKELY(tot_len > size || ip_len > tot_len || -- size - tot_len > UINT8_MAX)) { -+ size - tot_len > UINT16_MAX)) { - return false; - } - -@@ -693,8 +693,8 @@ ipv6_sanity_check(const struct ovs_16aligned_ip6_hdr *nh, size_t size) - if (OVS_UNLIKELY(plen + IPV6_HEADER_LEN > size)) { - return false; - } -- /* Jumbo Payload option not supported yet. 
*/ -- if (OVS_UNLIKELY(size - plen > UINT8_MAX)) { -+ -+ if (OVS_UNLIKELY(size - (plen + IPV6_HEADER_LEN) > UINT16_MAX)) { - return false; - } - -diff --git a/tests/classifier.at b/tests/classifier.at -index 88818618be..cdcd72c156 100644 ---- a/tests/classifier.at -+++ b/tests/classifier.at -@@ -304,3 +304,39 @@ ovs-ofctl: "conjunction" actions may be used along with "note" but not any other - ]) - OVS_VSWITCHD_STOP - AT_CLEANUP -+ -+# Flow classifier a packet with excess of padding. -+AT_SETUP([flow classifier - packet with extra padding]) -+OVS_VSWITCHD_START -+add_of_ports br0 1 2 -+AT_DATA([flows.txt], [dnl -+priority=5,ip,ip_dst=1.1.1.1,actions=1 -+priority=5,ip,ip_dst=1.1.1.2,actions=2 -+priority=0,actions=drop -+]) -+AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) -+packet=00020202020000010101010008004500001c00010000401176cc01010101010101020d6a00350008ee3a -+AT_CHECK([ovs-appctl ofproto/trace br0 in_port=1 $packet] , [0], [stdout]) -+AT_CHECK([tail -2 stdout], [0], -+ [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_dst=1.1.1.2,nw_frag=no -+Datapath actions: 2 -+]) -+# normal packet plus 255 bytes of padding (8bit padding). -+# 255 * 2 = 510 -+padding=$(printf '%*s' 510 | tr ' ' '0') -+AT_CHECK([ovs-appctl ofproto/trace br0 in_port=1 ${packet}${padding}] , [0], [stdout]) -+AT_CHECK([tail -2 stdout], [0], -+ [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_dst=1.1.1.2,nw_frag=no -+Datapath actions: 2 -+]) -+# normal packet plus padding up to 65535 bytes of length (16bit limit). -+# 65535 - 43 = 65492 -+# 65492 * 2 = 130984 -+padding=$(printf '%*s' 130984 | tr ' ' '0') -+AT_CHECK([ovs-appctl ofproto/trace br0 in_port=1 ${packet}${padding}], [0], [stdout]) -+AT_CHECK([tail -2 stdout], [0], -+ [Megaflow: recirc_id=0,eth,ip,in_port=1,nw_dst=1.1.1.2,nw_frag=no -+Datapath actions: 2 -+]) -+OVS_VSWITCHD_STOP -+AT_CLEANUP diff --git a/SPECS/openvswitch/openvswitch.signatures.json b/SPECS/openvswitch/openvswitch.signatures.json index 80001d56d04..f1fc872c686 100644 
--- a/SPECS/openvswitch/openvswitch.signatures.json
+++ b/SPECS/openvswitch/openvswitch.signatures.json
@@ -1,5 +1,5 @@
 {
 "Signatures": {
- "openvswitch-2.12.0.tar.gz": "13fd42703180b4b1146c7e97926d09225485868cc2fbbd58dc0c421b4b8fe8f8"
+ "openvswitch-2.12.3.tar.gz": "374b24a13c664c1174d430da2a7c87223598f926e4f1b0751e9dc90c190ebbfb"
 }
 }
\ No newline at end of file
diff --git a/SPECS/openvswitch/openvswitch.spec b/SPECS/openvswitch/openvswitch.spec
index e5896f9988c..1c335b9f624 100644
--- a/SPECS/openvswitch/openvswitch.spec
+++ b/SPECS/openvswitch/openvswitch.spec
@@ -2,16 +2,14 @@
 %{!?python3_sitelib: %global python3_sitelib %(python3 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")}
 Summary: Open vSwitch daemon/database/utilities
 Name: openvswitch
-Version: 2.12.0
-Release: 3%{?dist}
+Version: 2.12.3
+Release: 2%{?dist}
 License: ASL 2.0 AND LGPLv2+
 Vendor: Microsoft Corporation
 Distribution: Mariner
 Group: System Environment/Daemons
 URL: https://www.openvswitch.org/
 Source0: http://openvswitch.org/releases/%{name}-%{version}.tar.gz
-# https://github.com/openvswitch/ovs/commit/53c1b8b166f3dd217bc391d707885f789e9ecc49.patch
-Patch0: CVE-2020-35498.patch
 BuildRequires: gcc >= 4.0.0
 BuildRequires: libcap-ng
 BuildRequires: libcap-ng-devel
@@ -202,7 +200,18 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck}
 %{_unitdir}/openvswitch.service
 %{_unitdir}/ovs-vswitchd.service
 %{_unitdir}/ovsdb-server.service
-%{_libdir}/lib*
+%{_libdir}/libovn.so
+%{_libdir}/libovn-2.12.so.0*
+%{_libdir}/libopenvswitch.so
+%{_libdir}/libopenvswitch-2.12.so.0*
+%{_libdir}/libofproto.so
+%{_libdir}/libofproto-2.12.so.0*
+%{_libdir}/libvtep.so
+%{_libdir}/libvtep-2.12.so.0*
+%{_libdir}/libovsdb.so
+%{_libdir}/libovsdb-2.12.so.0*
+%{_libdir}/libsflow.so
+%{_libdir}/libsflow-2.12.so.0*
 %{_sysconfdir}/openvswitch/default.conf
 %{_sysconfdir}/bash_completion.d/ovs-*-bashcomp.bash
 %{_datadir}/openvswitch/*.ovsschema
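Review bot: The six versioned library globs in the `@@ -202,7 +200,18 @@` hunk hard-code `2.12` (`%{_libdir}/libovn-2.12.so.0*` and siblings) independently of `Version: 2.12.3`, so the next minor bump has to touch seven lines that must agree or the `%files` list silently stops matching. A single `%global ovs_so_ver 2.12` near the top and `%{_libdir}/libovn-%{ovs_so_ver}.so.0*` in each line keeps that in one place. Replacing `%{_libdir}/lib*` with explicit names is the right direction, since the old glob also swept in whatever static archives the build produced.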
@@ -280,6 +289,12 @@ make -k check |& tee %{_specdir}/%{name}-check-log || %{nocheck}
 %{_mandir}/man8/ovn-trace.8.gz
 %changelog
+* Mon Apr 19 2021 Nicolas Ontiveros - 2.12.3-2
+- Don't include static libraries in openvswitch package
+
+* Thu Apr 01 2021 Nicolas Ontiveros - 2.12.3-1
+- Upgrade to version 2.12.3, which fixes CVE-2020-27827
+
 * Mon Feb 22 2021 Emre Girgin - 2.12.0-3
 - Fix CVE-2020-35498.
diff --git a/SPECS/python3/fix_broken_mariner_ssl_tests.patch b/SPECS/python3/fix_broken_mariner_ssl_tests.patch
new file mode 100644
index 00000000000..76baecda859
--- /dev/null
+++ b/SPECS/python3/fix_broken_mariner_ssl_tests.patch
@@ -0,0 +1,11 @@
+diff -ruN a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
+--- a/Lib/test/test_ssl.py 2021-04-28 01:36:22.225711327 -0700
++++ b/Lib/test/test_ssl.py 2021-04-28 01:36:49.557622894 -0700
+@@ -278,6 +278,7 @@
+
+ # Issue #9415: Ubuntu hijacks their OpenSSL and forcefully disables SSLv2
+ def skip_if_broken_ubuntu_ssl(func):
++ raise unittest.SkipTest("Patched Mariner OpenSSL breaks behaviour")
+ if hasattr(ssl, 'PROTOCOL_SSLv2'):
+ @functools.wraps(func)
+ def f(*args, **kwargs):
diff --git a/SPECS/python3/python3.spec b/SPECS/python3/python3.spec
index fa0a31b65e9..0a4079b7ad4 100644
--- a/SPECS/python3/python3.spec
+++ b/SPECS/python3/python3.spec
@@ -2,7 +2,7 @@
 Summary: A high-level scripting language
 Name: python3
 Version: 3.7.10
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: PSF
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -12,6 +12,7 @@ Source0: https://www.python.org/ftp/python/%{version}/Python-%{version}.t
 Patch0: cgi3.patch
 Patch1: python3-support-mariner-platform.patch
 Patch2: Replace-unsupported-TLS-methods.patch
+Patch3: fix_broken_mariner_ssl_tests.patch
 BuildRequires: bzip2-devel
 BuildRequires: expat-devel >= 2.1.0
 BuildRequires: libffi-devel >= 3.0.13
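Review bot: The 2.12.3-1 changelog entry names CVE-2020-27827 but says nothing about the backported CVE-2020-35498 patch that this commit deletes together with its `Patch0:` line, so a reader of the changelog, or a scanner keying on CVE identifiers, cannot tell whether 2.12.3 carries that fix upstream or whether it was simply dropped. Add a line such as `- Remove CVE-2020-35498.patch, fix is included upstream in 2.12.3` once that has been confirmed against the upstream release notes.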
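Review bot: The added `raise unittest.SkipTest(...)` is the first statement of the decorator `skip_if_broken_ubuntu_ssl`, which runs when the decorated tests are defined, i.e. while test_ssl is being imported; unless something catches it, the exception escapes module import and, as far as can be seen here, the whole test_ssl module is reported as skipped rather than only the SSLv2-dependent tests, which removes TLS coverage from `%check` while the spec changelog in the next hunk calls this a fix for the tests. If only the decorated tests should be skipped, make the decorator return a skipping wrapper instead, `return unittest.skip("Patched Mariner OpenSSL breaks behaviour")(func)`, and record in the changelog that the tests are skipped, not fixed. The decorator body continues past the end of the quoted hunk.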
@@ -254,6 +255,9 @@ make %{?_smp_mflags} test
 %{_libdir}/python3.7/test/*
 %changelog
+* Wed Apr 28 2021 Andrew Phelps - 3.7.10-2
+- Add patch to fix test_ssl tests.
+
 * Mon Mar 01 2021 Thomas Crain - 3.7.10-1
 - Update to 3.7.10, the latest security release for 3.7, to fix CVE-2021-23336
 - Remove backported patches for CVE-2020-27619, CVE-2021-3177
diff --git a/SPECS/qemu-kvm/CVE-2021-3392.patch b/SPECS/qemu-kvm/CVE-2021-3392.patch
new file mode 100644
index 00000000000..3f56a675efa
--- /dev/null
+++ b/SPECS/qemu-kvm/CVE-2021-3392.patch
@@ -0,0 +1,25 @@
+CVE-2021-3392 patch adapted from QEMU patch by Prasad J Pandit
+
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=1924042
+
+Signed-off-by: Neha Agarwal
+---
+ hw/scsi/mptsas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
+index f86616544b..adff5b0bf2 100644
+--- a/hw/scsi/mptsas.c
++++ b/hw/scsi/mptsas.c
+@@ -257,8 +257,8 @@ static void mptsas_free_request(MPTSASRequest *req)
+ req->sreq->hba_private = NULL;
+ scsi_req_unref(req->sreq);
+ req->sreq = NULL;
+- QTAILQ_REMOVE(&s->pending, req, next);
+ }
++ QTAILQ_REMOVE(&s->pending, req, next);
+ qemu_sglist_destroy(&req->qsg);
+ g_free(req);
+ }
+--
+2.29.2
diff --git a/SPECS/qemu-kvm/CVE-2021-3409.patch b/SPECS/qemu-kvm/CVE-2021-3409.patch
new file mode 100644
index 00000000000..183745c8f43
--- /dev/null
+++ b/SPECS/qemu-kvm/CVE-2021-3409.patch
@@ -0,0 +1,114 @@ +CVE-2021-3392 patch adapted from QEMU patches by Bin Meng + +Link: https://bugzilla.redhat.com/show_bug.cgi?id=1928146 + +Signed-off-by: Neha Agarwal +--- + hw/sd/sdhci.c | 53 ++++++++++++++++++++++++++++++++++++----------------- + 1 file changed, 36 insertions(+), 17 deletions(-) + +diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c +index 9acf446..f72d76c 100644 +--- a/hw/sd/sdhci.c ++++ b/hw/sd/sdhci.c +@@ -316,6 +316,7 @@ + SDRequest request; + uint8_t response[16]; + int rlen; ++ bool timeout = false; + + s->errintsts = 0; + s->acmd12errsts = 0; +@@ -339,6 +340,7 @@ + trace_sdhci_response16(s->rspreg[3], s->rspreg[2], + s->rspreg[1], s->rspreg[0]); + } else { ++ timeout = true; + trace_sdhci_error("timeout waiting for command response"); + if (s->errintstsen & SDHC_EISEN_CMDTIMEOUT) { + s->errintsts |= SDHC_EIS_CMDTIMEOUT; +@@ -359,7 +361,7 @@ + + sdhci_update_irq(s); + +- if (s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) { ++ if (!timeout && s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) { + s->data_count = 0; + sdhci_data_transfer(s); + } +@@ -776,8 +778,9 @@ + + switch (dscr.attr & SDHC_ADMA_ATTR_ACT_MASK) { + case SDHC_ADMA_ATTR_ACT_TRAN: /* data transfer */ +- ++ s->prnsts |= SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE; + if (s->trnmod & SDHC_TRNS_READ) { ++ s->prnsts |= SDHC_DOING_READ; + while (length) { + if (s->data_count == 0) { + for (n = 0; n < block_size; n++) { +@@ -807,6 +810,7 @@ + } + } + } else { ++ s->prnsts |= SDHC_DOING_WRITE; + while (length) { + begin = s->data_count; + if ((length + begin) < block_size) { +@@ -1117,23 +1121,26 @@ + + switch (offset & ~0x3) { + case SDHC_SYSAD: +- s->sdmasysad = (s->sdmasysad & mask) | value; +- MASKED_WRITE(s->sdmasysad, mask, value); +- /* Writing to last byte of sdmasysad might trigger transfer */ +- if (!(mask & 0xFF000000) && TRANSFERRING_DATA(s->prnsts) && s->blkcnt && +- s->blksize && SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) { +- if (s->trnmod & SDHC_TRNS_MULTI) { +- 
sdhci_sdma_transfer_multi_blocks(s); +- } else { +- sdhci_sdma_transfer_single_block(s); ++ if (!TRANSFERRING_DATA(s->prnsts)) { ++ s->sdmasysad = (s->sdmasysad & mask) | value; ++ MASKED_WRITE(s->sdmasysad, mask, value); ++ /* Writing to last byte of sdmasysad might trigger transfer */ ++ if (!(mask & 0xFF000000) && s->blkcnt && s->blksize && ++ SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) { ++ if (s->trnmod & SDHC_TRNS_MULTI) { ++ sdhci_sdma_transfer_multi_blocks(s); ++ } else { ++ sdhci_sdma_transfer_single_block(s); ++ } + } + } + break; + case SDHC_BLKSIZE: + if (!TRANSFERRING_DATA(s->prnsts)) { ++ uint16_t blksize = s->blksize; ++ + MASKED_WRITE(s->blksize, mask, value); + MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16); +- } + + /* Limit block size to the maximum buffer size */ + if (extract32(s->blksize, 0, 12) > s->buf_maxsz) { +@@ -1142,6 +1149,17 @@ + s->buf_maxsz); + + s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz); ++ } ++ ++ /* ++ * If the block size is programmed to a different value from ++ * the previous one, reset the data pointer of s->fifo_buffer[] ++ * so that s->fifo_buffer[] can be filled in using the new block ++ * size in the next transfer. ++ */ ++ if (blksize != s->blksize) { ++ s->data_count = 0; ++ } + } + + break; +-- +1.8.3.1 diff --git a/SPECS/qemu-kvm/CVE-2021-3416.patch b/SPECS/qemu-kvm/CVE-2021-3416.patch new file mode 100644 index 00000000000..31ade9a97de --- /dev/null +++ b/SPECS/qemu-kvm/CVE-2021-3416.patch 
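Review bot: The header line of this new patch reads `CVE-2021-3392 patch adapted from QEMU patches by Bin Meng`, but the file is CVE-2021-3409.patch and its Bugzilla link (1928146) differs from the one in the CVE-2021-3392 patch (1924042), so the identifier was evidently copied from the sibling file; change it to `CVE-2021-3409 patch adapted from QEMU patches by Bin Meng`. Because the text says "patches" in the plural, naming the upstream commits the backport was assembled from would let the next person audit it against upstream. The sdhci functions touched by the embedded hunks all begin and end outside the quoted fragments.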
@@ -0,0 +1,250 @@ +CVE-2021-3416 patch adapted from QEMU patch by Jason Wang + +Link: https://bugzilla.redhat.com/show_bug.cgi?id=1932827 + +Signed-off-by: Neha Agarwal +--- + include/net/net.h | 5 +++++ + include/net/queue.h | 8 ++++++++ + net/net.c | 38 +++++++++++++++++++++++++++++++------- + net/queue.c | 22 ++++++++++++++++++++++ + hw/net/e1000.c | 2 +- + hw/net/dp8393x.c | 2 +- + hw/net/sungem.c | 2 +- + hw/net/net_tx_pkt.c | 2 +- + hw/net/rtl8139.c | 2 +- + hw/net/pcnet.c | 2 +- + hw/net/lan9118.c | 2 +- + + 11 files changed, 73 insertions(+), 14 deletions(-) + +diff --git a/include/net/net.h b/include/net/net.h +index 919faca..4f56cae 100644 +--- a/include/net/net.h ++++ b/include/net/net.h +@@ -144,12 +144,17 @@ void *qemu_get_nic_opaque(NetClientState *nc); + void qemu_del_net_client(NetClientState *nc); + typedef void (*qemu_nic_foreach)(NICState *nic, void *opaque); + void qemu_foreach_nic(qemu_nic_foreach func, void *opaque); ++int qemu_can_receive_packet(NetClientState *nc); + int qemu_can_send_packet(NetClientState *nc); + ssize_t qemu_sendv_packet(NetClientState *nc, const struct iovec *iov, + int iovcnt); + ssize_t qemu_sendv_packet_async(NetClientState *nc, const struct iovec *iov, + int iovcnt, NetPacketSent *sent_cb); + ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size); ++ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size); ++ssize_t qemu_receive_packet_iov(NetClientState *nc, ++ const struct iovec *iov, ++ int iovcnt); + ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size); + ssize_t qemu_send_packet_async(NetClientState *nc, const uint8_t *buf, + int size, NetPacketSent *sent_cb); +diff --git a/include/net/queue.h b/include/net/queue.h +index c0269bb..9f2f289 100644 +--- a/include/net/queue.h ++++ b/include/net/queue.h +@@ -55,6 +55,14 @@ void qemu_net_queue_append_iov(NetQueue *queue, + + void qemu_del_net_queue(NetQueue *queue); + ++ssize_t 
qemu_net_queue_receive(NetQueue *queue, ++ const uint8_t *data, ++ size_t size); ++ ++ssize_t qemu_net_queue_receive_iov(NetQueue *queue, ++ const struct iovec *iov, ++ int iovcnt); ++ + ssize_t qemu_net_queue_send(NetQueue *queue, + NetClientState *sender, + unsigned flags, +diff --git a/net/net.c b/net/net.c +index 77b35ea..edf9b95 100644 +--- a/net/net.c ++++ b/net/net.c +@@ -529,6 +529,17 @@ int qemu_set_vnet_be(NetClientState *nc, bool is_be) + #endif + } + ++int qemu_can_receive_packet(NetClientState *nc) ++{ ++ if (nc->receive_disabled) { ++ return 0; ++ } else if (nc->info->can_receive && ++ !nc->info->can_receive(nc)) { ++ return 0; ++ } ++ return 1; ++} ++ + int qemu_can_send_packet(NetClientState *sender) + { + int vm_running = runstate_is_running(); +@@ -541,13 +552,7 @@ int qemu_can_send_packet(NetClientState *sender) + return 1; + } + +- if (sender->peer->receive_disabled) { +- return 0; +- } else if (sender->peer->info->can_receive && +- !sender->peer->info->can_receive(sender->peer)) { +- return 0; +- } +- return 1; ++ return qemu_can_receive_packet(sender->peer); + } + + static ssize_t filter_receive_iov(NetClientState *nc, +@@ -680,6 +685,25 @@ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size) + return qemu_send_packet_async(nc, buf, size, NULL); + } + ++ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size) ++{ ++ if (!qemu_can_receive_packet(nc)) { ++ return 0; ++ } ++ ++ return qemu_net_queue_receive(nc->incoming_queue, buf, size); ++} ++ ++ssize_t qemu_receive_packet_iov(NetClientState *nc, const struct iovec *iov, ++ int iovcnt) ++{ ++ if (!qemu_can_receive_packet(nc)) { ++ return 0; ++ } ++ ++ return qemu_net_queue_receive_iov(nc->incoming_queue, iov, iovcnt); ++} ++ + ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size) + { + return qemu_send_packet_async_with_flags(nc, QEMU_NET_PACKET_FLAG_RAW, +diff --git a/net/queue.c b/net/queue.c +index 19e32c8..c872d51 100644 
+--- a/net/queue.c ++++ b/net/queue.c +@@ -182,6 +182,28 @@ static ssize_t qemu_net_queue_deliver_iov(NetQueue *queue, + return ret; + } + ++ssize_t qemu_net_queue_receive(NetQueue *queue, ++ const uint8_t *data, ++ size_t size) ++{ ++ if (queue->delivering) { ++ return 0; ++ } ++ ++ return qemu_net_queue_deliver(queue, NULL, 0, data, size); ++} ++ ++ssize_t qemu_net_queue_receive_iov(NetQueue *queue, ++ const struct iovec *iov, ++ int iovcnt) ++{ ++ if (queue->delivering) { ++ return 0; ++ } ++ ++ return qemu_net_queue_deliver_iov(queue, NULL, 0, iov, iovcnt); ++} ++ + ssize_t qemu_net_queue_send(NetQueue *queue, + NetClientState *sender, + unsigned flags, +diff --git a/hw/net/e1000.c b/hw/net/e1000.c +index 4345d86..4f75b44 100644 +--- a/hw/net/e1000.c ++++ b/hw/net/e1000.c +@@ -546,7 +546,7 @@ e1000_send_packet(E1000State *s, const uint8_t *buf, int size) + + NetClientState *nc = qemu_get_queue(s->nic); + if (s->phy_reg[PHY_CTRL] & MII_CR_LOOPBACK) { +- nc->info->receive(nc, buf, size); ++ qemu_receive_packet(nc, buf, size); + } else { + qemu_send_packet(nc, buf, size); + } +diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c +index 205c0de..533a830 100644 +--- a/hw/net/dp8393x.c ++++ b/hw/net/dp8393x.c +@@ -506,7 +506,7 @@ static void dp8393x_do_transmit_packets(dp8393xState *s) + s->regs[SONIC_TCR] |= SONIC_TCR_CRSL; + if (nc->info->can_receive(nc)) { + s->loopback_packet = 1; +- nc->info->receive(nc, s->tx_buffer, tx_len); ++ qemu_receive_packet(nc, s->tx_buffer, tx_len); + } + } else { + /* Transmit packet */ +diff --git a/hw/net/sungem.c b/hw/net/sungem.c +index 33c3722..3684a4d 100644 +--- a/hw/net/sungem.c ++++ b/hw/net/sungem.c +@@ -306,7 +306,7 @@ static void sungem_send_packet(SunGEMState *s, const uint8_t *buf, + NetClientState *nc = qemu_get_queue(s->nic); + + if (s->macregs[MAC_XIFCFG >> 2] & MAC_XIFCFG_LBCK) { +- nc->info->receive(nc, buf, size); ++ qemu_receive_packet(nc, buf, size); + } else { + qemu_send_packet(nc, buf, size); + } +diff --git 
a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c +index da262ed..1f9aa59 100644 +--- a/hw/net/net_tx_pkt.c ++++ b/hw/net/net_tx_pkt.c +@@ -553,7 +553,7 @@ static inline void net_tx_pkt_sendv(struct NetTxPkt *pkt, + NetClientState *nc, const struct iovec *iov, int iov_cnt) + { + if (pkt->is_loopback) { +- nc->info->receive_iov(nc, iov, iov_cnt); ++ qemu_receive_packet_iov(nc, iov, iov_cnt); + } else { + qemu_sendv_packet(nc, iov, iov_cnt); + } +diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c +index 4675ac8..90b4fc6 100644 +--- a/hw/net/rtl8139.c ++++ b/hw/net/rtl8139.c +@@ -1795,7 +1795,7 @@ static void rtl8139_transfer_frame(RTL8139State *s, uint8_t *buf, int size, + } + + DPRINTF("+++ transmit loopback mode\n"); +- rtl8139_do_receive(qemu_get_queue(s->nic), buf, size, do_interrupt); ++ qemu_receive_packet(qemu_get_queue(s->nic), buf, size); + + if (iov) { + g_free(buf2); +diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c +index f3f18d8..dcd3fc4 100644 +--- a/hw/net/pcnet.c ++++ b/hw/net/pcnet.c +@@ -1250,7 +1250,7 @@ txagain: + if (BCR_SWSTYLE(s) == 1) + add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS); + s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC; +- pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos); ++ qemu_receive_packet(qemu_get_queue(s->nic), s->buffer, s->xmit_pos); + s->looptest = 0; + } else { + if (s->nic) { +diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c +index abc7962..6aff424 100644 +--- a/hw/net/lan9118.c ++++ b/hw/net/lan9118.c +@@ -680,7 +680,7 @@ static void do_tx_packet(lan9118_state *s) + /* FIXME: Honor TX disable, and allow queueing of packets. */ + if (s->phy_control & 0x4000) { + /* This assumes the receive routine doesn't touch the VLANClient. */ +- lan9118_receive(qemu_get_queue(s->nic), s->txp->data, s->txp->len); ++ qemu_receive_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len); + } else { + qemu_send_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len); + } +-- +1.8.3.1 
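Review bot: The backport converts the loopback paths of seven NIC models to `qemu_receive_packet()`/`qemu_receive_packet_iov()`, but as far as I recall the upstream series for CVE-2021-3416 also converted `hw/net/cadence_gem.c` (the direct `gem_receive(qemu_get_queue(s->nic), ...)` call in its transmit path), which exists in 4.2 and is built for the Arm system targets; since the spec installs `qemu-system-`uname -m``, an aarch64 build would still ship that device with the re-entrant loopback. Please either add the same one-line conversion for cadence_gem or record in the patch header why it is out of scope for this build. The header could also note that the `rtl8139` hunk replaces `rtl8139_do_receive(..., do_interrupt)` with `qemu_receive_packet()`, which matches upstream but means loopback frames no longer carry the caller's `do_interrupt` choice — worth a sentence so it is not mistaken for a backport error.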
diff --git a/SPECS/qemu-kvm/qemu-kvm.spec b/SPECS/qemu-kvm/qemu-kvm.spec index e7a4bcc5789..db71a369697 100644 --- a/SPECS/qemu-kvm/qemu-kvm.spec +++ b/SPECS/qemu-kvm/qemu-kvm.spec @@ -1,7 +1,7 @@ Summary: QEMU is a machine emulator and virtualizer Name: qemu-kvm Version: 4.2.0 -Release: 27%{?dist} +Release: 29%{?dist} License: GPLv2 AND GPLv2+ AND CC-BY AND BSD Vendor: Microsoft Corporation Distribution: Mariner @@ -47,6 +47,9 @@ Patch28: CVE-2020-27821.patch Patch29: CVE-2020-17380.patch Patch30: CVE-2021-20203.patch Patch31: CVE-2021-20255.patch +Patch32: CVE-2021-3416.patch +Patch33: CVE-2021-3392.patch +Patch34: CVE-2021-3409.patch BuildRequires: alsa-lib-devel BuildRequires: glib-devel BuildRequires: pixman-devel @@ -103,6 +106,9 @@ This package provides a command line tool for manipulating disk images. %patch29 -p1 %patch30 -p1 %patch31 -p1 +%patch32 -p1 +%patch33 -p1 +%patch34 -p1 %build @@ -138,7 +144,43 @@ ln -sv qemu-system-`uname -m` %{buildroot}%{_bindir}/qemu chmod 755 %{buildroot}%{_bindir}/qemu %check -# Deliberately empty +testsPassed=true +make check-unit +if [ $? -ne 0 ]; then + testsPassed=false +fi +make check-qtest +if [ $? -ne 0 ]; then + testsPassed=false +fi +make check-speed +if [ $? -ne 0 ]; then + testsPassed=false +fi +make check-qapi-schema +if [ $? -ne 0 ]; then + testsPassed=false +fi +make check-block +if [ $? -ne 0 ]; then + testsPassed=false +fi +make check-tcg +if [ $? -ne 0 ]; then + testsPassed=false +fi +make check-softfloat +if [ $? -ne 0 ]; then + testsPassed=false +fi +make check-acceptance +if [ $? -ne 0 ]; then + testsPassed=false +fi +if [ "$testsPassed" = false ] ; then + echo 'One (or more) tests failed. Check log for further details' + (exit 1) +fi %files %defattr(-,root,root) 
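Review bot: The new `%check` block's `testsPassed` accumulation does not behave as written: rpmbuild runs build scriptlets with `sh -e` (via `%___build_cmd`, as far as I recall), so the first failing `make check-*` aborts the section before its `if [ $? -ne 0 ]` line is reached and the remaining suites never run; conversely, if the section ever ran without `-e`, the final `(exit 1)` executes in a subshell and would not fail the build at all. If the intent is to run every suite and then fail once, guard each target with `|| testsPassed=false` and end with a plain `exit 1`. Also `make check-acceptance` (avocado, fetches test images) and `make check-tcg` (needs cross compilers) commonly require network access or extra toolchains; confirm they pass in the offline build chroot or drop them, since a suite that cannot run will now fail the package.
```rpm-spec
%check
testsPassed=true
make check-unit || testsPassed=false
make check-qtest || testsPassed=false
make check-speed || testsPassed=false
make check-qapi-schema || testsPassed=false
make check-block || testsPassed=false
make check-tcg || testsPassed=false
make check-softfloat || testsPassed=false
make check-acceptance || testsPassed=false
if [ "$testsPassed" = false ] ; then
    echo 'One (or more) tests failed. Check log for further details'
    exit 1
fi
```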
@@ -163,6 +205,12 @@ chmod 755 %{buildroot}%{_bindir}/qemu %{_bindir}/qemu-nbd %changelog +* Wed Apr 07 2021 Neha Agarwal - 4.2.0-29 +- Patch CVE-2021-3392 and CVE-2021-3409. + +* Tue Mar 30 2021 Neha Agarwal - 4.2.0-28 +- Patch CVE-2021-3416. Added test modules under check section. + * Tue Mar 23 2021 Neha Agarwal - 4.2.0-27 - Patch CVE-2021-20255 diff --git a/SPECS/qt5-qtbase/qt5-qtbase.spec b/SPECS/qt5-qtbase/qt5-qtbase.spec index 72f1a64f8e0..ddae12e77c2 100644 --- a/SPECS/qt5-qtbase/qt5-qtbase.spec +++ b/SPECS/qt5-qtbase/qt5-qtbase.spec @@ -42,9 +42,14 @@ Name: qt5-qtbase Summary: Qt5 - QtBase components Version: 5.12.5 -Release: 4%{?dist} +Release: 5%{?dist} +# See LICENSE.GPL3-EXCEPT.txt, for exception details +License: GFDL AND LGPLv3 AND GPLv2 AND GPLv3 with exceptions AND QT License Agreement 4.0 Vendor: Microsoft Corporation Distribution: Mariner +URL: https://qt-project.org/ +%global majmin %(echo %{version} | cut -d. -f1-2) +Source0: https://download.qt.io/official_releases/qt/%{majmin}/%{version}/submodules/%{qt_module}-everywhere-src-%{version}.tar.xz BuildRequires: build-essential BuildRequires: systemd @@ -64,15 +69,10 @@ BuildRequires: libjpeg-turbo-devel BuildRequires: zlib-devel BuildRequires: qt5-rpm-macros +Requires: icu Requires(post): chkconfig Requires(postun): chkconfig -# See LGPL_EXCEPTIONS.txt, for exception details -License: LGPLv2 with exceptions or GPLv3 with exceptions -Url: http://qt-project.org/ -%global majmin %(echo %{version} | cut -d. -f1-2) -Source0: https://download.qt.io/official_releases/qt/%{majmin}/%{version}/submodules/%{qt_module}-everywhere-src-%{version}.tar.xz - # https://bugzilla.redhat.com/show_bug.cgi?id=1227295 Source1: qtlogging.ini @@ -529,6 +529,7 @@ fi %license LICENSE.FDL %license LICENSE.GPL* %license LICENSE.LGPL* +%license LICENSE.QT-LICENSE-AGREEMENT-4.0 %if 0%{?qtchooser} %dir %{_sysconfdir}/xdg/qtchooser # not editable config files, so not using %%config here 
@@ -761,6 +762,14 @@ fi %{_qt5_libdir}/cmake/Qt5Gui/Qt5Gui_QXdgDesktopPortalThemePlugin.cmake %changelog +* Fri Apr 16 2021 Pawel Winogrodzki - 5.12.5-5 +- Added explicit 'Requires' on 'icu'. +- Bumping up release to re-compile against the new version of the 'icu' libraries. +- License verified. +- Updated the 'License' tag. +- Updated the 'URL' tag. +- Updated the '%%license' macro. + * Thu Jul 30 2020 Joe Schmitt - 5.12.5-4 - Add missing Requires for chkconfig. diff --git a/SPECS/redis/CVE-2021-3470.patch b/SPECS/redis/CVE-2021-3470.patch new file mode 100644 index 00000000000..4fb0cd21623 --- /dev/null +++ b/SPECS/redis/CVE-2021-3470.patch @@ -0,0 +1,14 @@ +diff --git a/src/zmalloc.c b/src/zmalloc.c +index dd655620ca69..972db79d7ab7 100644 +--- a/src/zmalloc.c ++++ b/src/zmalloc.c +@@ -177,9 +177,6 @@ void *zrealloc(void *ptr, size_t size) { + size_t zmalloc_size(void *ptr) { + void *realptr = (char*)ptr-PREFIX_SIZE; + size_t size = *((size_t*)realptr); +- /* Assume at least that all the allocations are padded at sizeof(long) by +- * the underlying allocator. */ +- if (size&(sizeof(long)-1)) size += sizeof(long)-(size&(sizeof(long)-1)); + return size+PREFIX_SIZE; + } + size_t zmalloc_usable(void *ptr) { diff --git a/SPECS/redis/redis.spec b/SPECS/redis/redis.spec index 0e7652ad347..f4c1acd0d5a 100644 --- a/SPECS/redis/redis.spec +++ b/SPECS/redis/redis.spec @@ -1,7 +1,7 @@ Summary: advanced key-value store Name: redis Version: 5.0.5 -Release: 6%{?dist} +Release: 7%{?dist} License: BSD URL: https://redis.io/ Group: Applications/Databases @@ -13,6 +13,7 @@ Patch1: CVE-2020-14147.patch Patch2: disable_active_defrag_big_keys.patch # CVE-2021-21309 affects 32-bit executables only. Mariner always builds with -m64 and does not support 32-bit architectures. Patch3: CVE-2021-21309.nopatch +Patch4: CVE-2021-3470.patch BuildRequires: gcc BuildRequires: systemd 
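Review bot: Unlike the other CVE patches in this change, `CVE-2021-3470.patch` carries no provenance at all — no `From`/`Subject`, no upstream commit or PR reference, no CVE line — so the removed `sizeof(long)` rounding in `zmalloc_size()` cannot be traced to the upstream fix or re-validated on a rebase; please add a header naming the upstream commit and the CVE. The patched code sits in `src/zmalloc.c`'s generic `zmalloc_size()`, which presumably only compiles in the libc-malloc configuration (jemalloc/tcmalloc builds supply their own size query) — stating in the header which allocator Mariner's redis is built with would tell a reviewer whether this fix is actually live. On the spec side, `Patch4:` is added but the `%prep` section is outside this hunk; confirm it is applied there (a `%patch4 -p1` line or `%autosetup`), since a listed-but-unapplied patch would still let the build succeed.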
@@ -87,6 +88,8 @@ exit 0 %config(noreplace) %attr(0640, %{name}, %{name}) %{_sysconfdir}/redis.conf %changelog +* Fri Apr 09 2021 Suresh Babu Chalamalasetty 5.0.5-7 +- Add patch for CVE-2021-3470 * Thu Mar 11 2021 Mateusz Malisz 5.0.5-6 - Add nopatch for CVE-2021-21309. * Wed Mar 03 2021 Andrew Phelps 5.0.5-5 diff --git a/SPECS/rpm-ostree/rpm-ostree.spec b/SPECS/rpm-ostree/rpm-ostree.spec index 7ae2822732e..ec1ed4bacbc 100644 --- a/SPECS/rpm-ostree/rpm-ostree.spec +++ b/SPECS/rpm-ostree/rpm-ostree.spec @@ -1,7 +1,7 @@ Summary: Commit RPMs to an OSTree repository Name: rpm-ostree Version: 2019.3 -Release: 8%{?dist} +Release: 9%{?dist} License: LGPLv2+ Vendor: Microsoft Corporation Distribution: Mariner @@ -161,6 +161,9 @@ make check %{_datadir}/gir-1.0/*-1.0.gir %changelog +* Mon Apr 26 2021 Thomas Crain - 2019-3.9 +- Bump release to rebuild with rust 1.47.0-3 (security update) + * Tue Apr 20 2021 Thomas Crain - 2019.3-8 - Bump release to rebuild with rust 1.47.0-2 (security update) diff --git a/SPECS/rpm/CVE-2021-20271.patch b/SPECS/rpm/CVE-2021-20271.patch new file mode 100644 index 00000000000..598d058189d --- /dev/null +++ b/SPECS/rpm/CVE-2021-20271.patch 
@@ -0,0 +1,192 @@ +From d6a86b5e69e46cc283b1e06c92343319beb42e21 Mon Sep 17 00:00:00 2001 +From: Panu Matilainen +Date: Thu, 4 Mar 2021 13:21:19 +0200 +Subject: [PATCH] Be much more careful about copying data from the signature + header + +Only look for known tags, and ensure correct type and size where known +before copying over. Bump the old arbitrary 16k count limit to 16M limit +though, it's not inconceivable that a package could have that many files. +While at it, ensure none of these tags exist in the main header, +which would confuse us greatly. + +This is optimized for backporting ease, upstream can remove redundancies +and further improve checking later. + +Reported and initial patches by Demi Marie Obenour. + +Fixes: RhBug:1935049, RhBug:1933867, RhBug:1935035, RhBug:1934125, ... + +Fixes: CVE-2021-3421, CVE-2021-20271 + +Modified to apply to version 4.14.2 by: Nicolas Ontiveros + +diff --git a/lib/package.c b/lib/package.c +index 93a06ebfe..96a1737d8 100644 +--- a/lib/package.c ++++ b/lib/package.c +@@ -20,76 +20,75 @@ + + #include "debug.h" + ++struct taglate_s { ++ rpmTagVal stag; ++ rpmTagVal xtag; ++ rpm_count_t count; ++} const xlateTags[] = { ++ { RPMSIGTAG_SIZE, RPMTAG_SIGSIZE, 1 }, ++ { RPMSIGTAG_PGP, RPMTAG_SIGPGP, 0 }, ++ { RPMSIGTAG_MD5, RPMTAG_SIGMD5, 16 }, ++ { RPMSIGTAG_GPG, RPMTAG_SIGGPG, 0 }, ++ /* { RPMSIGTAG_PGP5, RPMTAG_SIGPGP5, 0 }, */ /* long obsolete, dont use */ ++ { RPMSIGTAG_PAYLOADSIZE, RPMTAG_ARCHIVESIZE, 1 }, ++ { RPMSIGTAG_FILESIGNATURES, RPMTAG_FILESIGNATURES, 0 }, ++ { RPMSIGTAG_FILESIGNATURELENGTH, RPMTAG_FILESIGNATURELENGTH, 1 }, ++ { RPMSIGTAG_VERITYSIGNATURES, RPMTAG_VERITYSIGNATURES, 0 }, ++ { RPMSIGTAG_VERITYSIGNATUREALGO, RPMTAG_VERITYSIGNATUREALGO, 1 }, ++ { RPMSIGTAG_SHA1, RPMTAG_SHA1HEADER, 1 }, ++ { RPMSIGTAG_SHA256, RPMTAG_SHA256HEADER, 1 }, ++ { RPMSIGTAG_DSA, RPMTAG_DSAHEADER, 0 }, ++ { RPMSIGTAG_RSA, RPMTAG_RSAHEADER, 0 }, ++ { RPMSIGTAG_LONGSIZE, RPMTAG_LONGSIGSIZE, 1 }, ++ { RPMSIGTAG_LONGARCHIVESIZE, 
RPMTAG_LONGARCHIVESIZE, 1 }, ++ { 0 } ++}; ++ + /** \ingroup header + * Translate and merge legacy signature tags into header. + * @param h header (dest) + * @param sigh signature header (src) ++ * @return failing tag number, 0 on success + */ + static +-void headerMergeLegacySigs(Header h, Header sigh) ++rpmTagVal headerMergeLegacySigs(Header h, Header sigh, char **msg) + { +- HeaderIterator hi; ++ const struct taglate_s *xl; + struct rpmtd_s td; + +- hi = headerInitIterator(sigh); +- for (; headerNext(hi, &td); rpmtdFreeData(&td)) +- { +- switch (td.tag) { +- /* XXX Translate legacy signature tag values. */ +- case RPMSIGTAG_SIZE: +- td.tag = RPMTAG_SIGSIZE; +- break; +- case RPMSIGTAG_PGP: +- td.tag = RPMTAG_SIGPGP; +- break; +- case RPMSIGTAG_MD5: +- td.tag = RPMTAG_SIGMD5; +- break; +- case RPMSIGTAG_GPG: +- td.tag = RPMTAG_SIGGPG; +- break; +- case RPMSIGTAG_PGP5: +- td.tag = RPMTAG_SIGPGP5; +- break; +- case RPMSIGTAG_PAYLOADSIZE: +- td.tag = RPMTAG_ARCHIVESIZE; +- break; +- case RPMSIGTAG_SHA1: +- case RPMSIGTAG_SHA256: +- case RPMSIGTAG_DSA: +- case RPMSIGTAG_RSA: +- default: +- if (!(td.tag >= HEADER_SIGBASE && td.tag < HEADER_TAGBASE)) +- continue; +- break; +- } +- if (!headerIsEntry(h, td.tag)) { +- switch (td.type) { +- case RPM_NULL_TYPE: +- continue; ++ for (xl = xlateTags; xl->stag; xl++) { ++ /* There mustn't be one in the main header */ ++ if (headerIsEntry(h, xl->xtag)) ++ goto exit; ++ } ++ ++ rpmtdReset(&td); ++ for (xl = xlateTags; xl->stag; xl++) { ++ if (headerGet(sigh, xl->stag, &td, HEADERGET_RAW|HEADERGET_MINMEM)) { ++ /* Translate legacy tags */ ++ if (xl->stag != xl->xtag) ++ td.tag = xl->xtag; ++ /* Ensure type and tag size match expectations */ ++ if (td.type != rpmTagGetTagType(td.tag)) + break; +- case RPM_CHAR_TYPE: +- case RPM_INT8_TYPE: +- case RPM_INT16_TYPE: +- case RPM_INT32_TYPE: +- case RPM_INT64_TYPE: +- if (td.count != 1) +- continue; ++ if (td.count < 1 || td.count > 16*1024*1024) + break; +- case RPM_STRING_TYPE: +- 
case RPM_BIN_TYPE: +- if (td.count >= 16*1024) +- continue; ++ if (xl->count && td.count != xl->count) + break; +- case RPM_STRING_ARRAY_TYPE: +- case RPM_I18NSTRING_TYPE: +- continue; ++ if (!headerPut(h, &td, HEADERPUT_DEFAULT)) + break; +- } +- (void) headerPut(h, &td, HEADERPUT_DEFAULT); ++ rpmtdFreeData(&td); + } + } +- headerFreeIterator(hi); ++ rpmtdFreeData(&td); ++ ++exit: ++ if (xl->stag) { ++ rasprintf(msg, "invalid signature tag %s (%d)", ++ rpmTagGetName(xl->xtag), xl->xtag); ++ } ++ ++ return xl->stag; + } + + /** +@@ -337,7 +336,8 @@ + goto exit; + + /* Append (and remap) signature tags to the metadata. */ +- headerMergeLegacySigs(h, sigh); ++ if (headerMergeLegacySigs(h, sigh, &msg)) ++ goto exit; + applyRetrofits(h); + + /* Bump reference count for return. */ + +--- a/lib/rpmtag.h ++++ b/lib/rpmtag.h +@@ -65,6 +65,10 @@ + RPMTAG_LONGARCHIVESIZE = RPMTAG_SIG_BASE+15, /* l */ + /* RPMTAG_SIG_BASE+16 reserved */ + RPMTAG_SHA256HEADER = RPMTAG_SIG_BASE+17, /* s */ ++ /* RPMTAG_SIG_BASE+18 reserved for RPMSIGTAG_FILESIGNATURES */ ++ /* RPMTAG_SIG_BASE+19 reserved for RPMSIGTAG_FILESIGNATURELENGTH */ ++ RPMTAG_VERITYSIGNATURES = RPMTAG_SIG_BASE+20, /* s[] */ ++ RPMTAG_VERITYSIGNATUREALGO = RPMTAG_SIG_BASE+21, /* i */ + + RPMTAG_NAME = 1000, /* s */ + #define RPMTAG_N RPMTAG_NAME /* s */ +@@ -422,6 +426,10 @@ + RPMSIGTAG_LONGSIZE = RPMTAG_LONGSIGSIZE, /*!< internal Header+Payload size (64bit) in bytes. */ + RPMSIGTAG_LONGARCHIVESIZE = RPMTAG_LONGARCHIVESIZE, /*!< internal uncompressed payload size (64bit) in bytes. */ + RPMSIGTAG_SHA256 = RPMTAG_SHA256HEADER, ++ RPMSIGTAG_FILESIGNATURES = RPMTAG_SIG_BASE + 18, ++ RPMSIGTAG_FILESIGNATURELENGTH = RPMTAG_SIG_BASE + 19, ++ RPMSIGTAG_VERITYSIGNATURES = RPMTAG_VERITYSIGNATURES, ++ RPMSIGTAG_VERITYSIGNATUREALGO = RPMTAG_VERITYSIGNATUREALGO, + } rpmSigTag; + \ No newline at end of file 
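Review bot: The new `td.type != rpmTagGetTagType(td.tag)` check makes acceptance of every translated tag depend on the tag table knowing its type: rpm generates that table at build time from the `/* s */`, `/* s[] */`, `/* i */` annotations in rpmtag.h, and this hunk adds annotated entries for RPMTAG_VERITYSIGNATURES/RPMTAG_VERITYSIGNATUREALGO, but RPMTAG_FILESIGNATURES and RPMTAG_FILESIGNATURELENGTH are only referenced from `xlateTags`, not shown — please confirm they carry type annotations in the 4.14.2 header, because an unannotated tag comes back as RPM_NULL_TYPE (as far as I recall) and every package carrying that signature tag would then fail with `invalid signature tag`. The `xlateTags` table would also benefit from a one-line comment explaining the third field, e.g. `/* count: exact element count required, or 0 for any count up to the 16M cap */`, since that convention is only discoverable from the `if (xl->count && td.count != xl->count)` line. Finally, since the spec already runs `make check`, consider adding a regression test that feeds a package whose signature header holds a mis-typed or over-sized tag and asserts the new error path.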
diff --git a/SPECS/rpm/CVE-2021-3421.nopatch b/SPECS/rpm/CVE-2021-3421.nopatch new file mode 100644 index 00000000000..e69de29bb2d diff --git a/SPECS/rpm/rpm.spec b/SPECS/rpm/rpm.spec index 100b93259f3..01915ee1cbb 100644 --- a/SPECS/rpm/rpm.spec +++ b/SPECS/rpm/rpm.spec 
@@ -1,79 +1,85 @@ %{!?python2_sitelib: %define python2_sitelib %(python2 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")} %{!?python3_sitelib: %define python3_sitelib %(python3 -c "from distutils.sysconfig import get_python_lib;print(get_python_lib())")} - Summary: Package manager Name: rpm Version: 4.14.2 -Release: 10%{?dist} -License: GPLv2+ and LGPLv2+ and BSD -URL: https://rpm.org -Group: Applications/System +Release: 11%{?dist} +License: GPLv2+ AND LGPLv2+ AND BSD Vendor: Microsoft Corporation Distribution: Mariner +Group: Applications/System +URL: https://rpm.org Source0: https://github.com/rpm-software-management/rpm/archive/%{name}-%{version}-release.tar.gz Source1: brp-strip-debug-symbols Source2: brp-strip-unneeded Patch0: find-debuginfo-do-not-generate-dir-entries.patch -Requires: bash -Requires: libdb -Requires: rpm-libs = %{version}-%{release} -Requires: libarchive -Requires: lua +Patch1: CVE-2021-20271.patch +# CVE-2021-20271 patch also patches CVE-2021-3421 +Patch2: CVE-2021-3421.nopatch +BuildRequires: elfutils-devel +BuildRequires: file-devel BuildRequires: libarchive-devel +BuildRequires: libcap-devel BuildRequires: libdb-devel -BuildRequires: popt-devel +BuildRequires: lua-devel BuildRequires: nss-devel -BuildRequires: elfutils-devel -BuildRequires: libcap-devel -BuildRequires: xz-devel -BuildRequires: zstd-devel -BuildRequires: file-devel +BuildRequires: popt-devel BuildRequires: python2-devel BuildRequires: python3-devel -BuildRequires: lua-devel +BuildRequires: xz-devel +BuildRequires: zstd-devel +Requires: bash +Requires: libarchive +Requires: libdb +Requires: lua +Requires: rpm-libs = %{version}-%{release} %description RPM package manager %package devel Summary: Libraries and header files for rpm -Provides: pkgconfig(rpm) Requires: %{name} = %{version}-%{release} +Provides: pkgconfig(rpm) + %description devel Static libraries and header files for the support library for rpm %package libs Summary: Libraries for 
rpm -Requires: nss-libs -Requires: popt -Requires: libgcc -Requires: libcap -Requires: zlib Requires: bzip2-libs Requires: elfutils-libelf +Requires: libcap +Requires: libgcc +Requires: mariner-rpm-macros +Requires: nss-libs +Requires: popt Requires: xz-libs +Requires: zlib Requires: zstd-libs -Requires: mariner-rpm-macros + %description libs Shared libraries librpm and librpmio %package build-libs -Summary: Librpmbuild.so.* libraries needed to build rpms. +Summary: Librpmbuild.so.* libraries needed to build rpms. + %description build-libs %{summary} %package build +Summary: Binaries, scripts and libraries needed to build rpms. Requires: %{name}-build-libs Requires: %{name}-devel = %{version}-%{release} -Requires: elfutils-libelf +Requires: bzip2 +Requires: cpio Requires: elfutils-devel -Requires: unzip +Requires: elfutils-libelf +Requires: gzip Requires: tar +Requires: unzip Requires: xz -Requires: bzip2 -Requires: gzip -Requires: cpio -Summary: Binaries, scripts and libraries needed to build rpms. + %description build %{summary} @@ -81,6 +87,7 @@ Summary: Binaries, scripts and libraries needed to build rpms. Summary: Additional language files for rpm Group: Applications/System Requires: %{name} = %{version}-%{release} + %description lang These are the additional language files of rpm. @@ -88,6 +95,7 @@ These are the additional language files of rpm. Summary: Python 2 bindings for rpm. Group: Development/Libraries Requires: python2 + %description -n python-rpm %package -n python3-rpm @@ -100,8 +108,7 @@ Requires: python3 Python3 rpm. %prep -%setup -n rpm-%{name}-%{version}-release -%patch0 -p1 +%autosetup -n rpm-%{name}-%{version}-release -p1 %build sed -i '/define _GNU_SOURCE/a #include "../config.h"' tools/sepdebugcrcfix.c @@ -135,7 +142,7 @@ make check %install make DESTDIR=%{buildroot} install -find %{buildroot} -name '*.la' -delete +find %{buildroot} -type f -name "*.la" -delete -print find %{buildroot} -name 'perl*' -delete %find_lang %{name} 
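Review bot: Switching `%prep` to `%autosetup -n rpm-%{name}-%{version}-release -p1` feeds every `PatchN:` entry through `patch`, including the empty `CVE-2021-3421.nopatch` added as `Patch2:` in this same change; GNU patch tolerates a zero-byte input (it reports that it can't find a patch and exits 0, as far as I recall), so the build works, but it relies on that quirk and any future `.nopatch` that contains explanatory text would break `%prep`. Safer is to keep marker files out of `%autosetup`'s reach — keep the CVE note as a `#` comment next to `Patch1:` instead of a `Patch2:` entry — or keep explicit `%patch0 -p1` / `%patch1 -p1` lines so only real patches are applied. Whichever form is chosen, apply it consistently with redis.spec, which uses the same `.nopatch` convention in this tree.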
@@ -151,13 +158,13 @@ popd %post libs -p /sbin/ldconfig %postun libs -p /sbin/ldconfig - %post build-libs -p /sbin/ldconfig %postun build-libs -p /sbin/ldconfig %clean rm -rf %{buildroot} + %files %defattr(-,root,root) %license COPYING 
@@ -269,100 +276,146 @@ rm -rf %{buildroot} %{python3_sitelib}/* %changelog +* Thu Apr 01 2021 Nicolas Ontiveros - 4.14.2-11 +- Patch CVE-2021-20271 and CVE-2021-3421 + * Thu Jun 11 2020 Henry Beberman - 4.14.2-10 - Add a vendor definition so rpm will search /usr/lib/rpm/ for macros. + * Tue Jun 09 2020 Pawel Winogrodzki - 4.14.2-9 - Removed 'rpm-build' dependency on 'perl'. - Defined an 'rpm-build-libs' subpackage to prevent 'python3-rpm' - from pulling in 'perl'. - Made 'python3-rpm' dependency on 'rpm-build-libs' explicit. + * Thu May 28 2020 Ruying Chen - 4.14.2-8 - Move macros to mariner-rpm-macros + * Wed May 20 2020 Henry Beberman - 4.14.2-7 - Add BuildRequires and Requires for zstd support. + * Sat May 09 00:20:45 PST 2020 Nick Samson - 4.14.2-6 - Added %%license line automatically + * Wed May 06 2020 Emre Girgin 4.14.2-5 - Enable built-in lua support. - Update URL. - License verified. + * Wed Apr 29 2020 Mateusz Malisz 4.14.2-4 - Add packaging tools as runtime requirements for rpm-build + * Fri Apr 03 2020 Suresh Babu Chalamalasetty 4.14.2-3 - Remove rpm-build from requires. + * Wed Sep 11 2019 Mateusz Malisz 4.14.2-2 - Fix Dependency and include build in base package. + * Tue Sep 03 2019 Mateusz Malisz 4.14.2-1 - Initial CBL-Mariner import from Photon (license: Apache2). 
+ * Wed Oct 03 2018 Alexey Makhalov 4.14.2-4 - Clean up the file in accordance to spec file checker + * Mon Oct 01 2018 Alexey Makhalov 4.14.2-3 - Fix python libs dependencies to use current libs version (regression) + * Fri Sep 28 2018 Alexey Makhalov 4.14.2-2 - macros: set _build_id_links to alldebug + * Fri Sep 14 2018 Keerthana K 4.14.2-1 - Update to version 4.14.2 + * Thu Dec 21 2017 Xiaolin Li 4.13.0.1-7 - Fix CVE-2017-7501 + * Wed Oct 04 2017 Alexey Makhalov 4.13.0.1-6 - make python{,3}-rpm depend on current version of librpm + * Wed Jun 28 2017 Xiaolin Li 4.13.0.1-5 - Add file-devel to BuildRequires + * Mon Jun 26 2017 Chang Lee 4.13.0.1-4 - Updated %check + * Mon Jun 05 2017 Bo Gan 4.13.0.1-3 - Fix Dependency + * Thu May 18 2017 Xiaolin Li 4.13.0.1-2 - Remove python2 from requires of rpm-devel subpackages. + * Wed May 10 2017 Priyesh Padmavilasom 4.13.0.1-1 - Update to 4.13.0.1 + * Fri Apr 21 2017 Priyesh Padmavilasom 4.13.0-1 - Update to 4.13.0 + * Wed Apr 19 2017 Alexey Makhalov 4.11.2-22 - Do not allow -debuginfo to own directories to avoid conflicts with filesystem package and between each other. Patch applied + * Fri Apr 14 2017 Alexey Makhalov 4.11.2-21 - rpm-libs requires nss-libs, xz-libs and bzip2-libs. + * Tue Mar 21 2017 Xiaolin Li 4.11.2-20 - Added python3 packages and moved python2 site packages from devel to python-rpm. + * Tue Jan 10 2017 Priyesh Padmavilasom 4.11.2-19 - added buildrequires for xz-devel for PayloadIsLzma cap + * Thu Dec 15 2016 Xiaolin Li 4.11.2-18 - Moved some files from rpm to rpm-build. + * Tue Dec 06 2016 Xiaolin Li 4.11.2-17 - Added -lang subpackage. 
+ * Wed Nov 23 2016 Alexey Makhalov 4.11.2-16 - Move rpmrc and macros into -libs subpackage - Move zlib and elfutils-libelf dependency from rpm to rpm-libs - Add bzip2 dependency to rpm-libs + * Thu Nov 17 2016 Alexey Makhalov 4.11.2-15 - Added -libs subpackage + * Tue Nov 15 2016 Alexey Makhalov 4.11.2-14 - Disable lua support + * Tue Oct 18 2016 Priyesh Padmavilasom 4.11.2-13 - Apply patch for CVE-2014-8118 + * Wed Oct 05 2016 ChangLee 4.11.2-12 - Modified %check + * Fri Aug 26 2016 Alexey Makhalov 4.11.2-11 - find-debuginfo...patch: exclude non existing .build-id from packaging - Move all files from rpm-system-configuring-scripts tarball to here + * Wed May 25 2016 Priyesh Padmavilasom 4.11.2-10 - Exclude .build-id/.1 and .build-id/.1.debug from debuginfo pkg + * Tue May 24 2016 Priyesh Padmavilasom 4.11.2-9 - GA - Bump release of all rpms + * Thu May 05 2016 Priyesh Padmavilasom 4.11.2-8 - Update rpm version in lock-step with lua update to 5.3.2 + * Fri Apr 08 2016 Mahmoud Bassiouny 4.11.2-7 - Build rpm with capabilities. + * Wed Aug 05 2015 Sharath George 4.11.2-6 - Moving build utils to a different package. + * Sat Jun 27 2015 Alexey Makhalov 4.11.2-5 - Update rpm-system-configuring-scripts. Use tar --no-same-owner for rpmbuild. + * Thu Jun 18 2015 Anish Swaminathan 4.11.2-4 - Add pkgconfig Provides directive + * Thu Jun 18 2015 Alexey Makhalov 4.11.2-3 - Do no strip debug info from .debug files + * Wed Jun 3 2015 Divya Thaluru 4.11.2-2 - Removing perl-module-scandeps package from run time required packages + * Tue Jan 13 2015 Divya Thaluru 4.11.2-1 - Initial build. First version diff --git a/SPECS/rust/CVE-2020-36317.patch b/SPECS/rust/CVE-2020-36317.patch new file mode 100644 index 00000000000..78b316918e1 --- /dev/null +++ b/SPECS/rust/CVE-2020-36317.patch 
@@ -0,0 +1,111 @@
+From 4588490cdceb407fd5754045d173be7ea381b794 Mon Sep 17 00:00:00 2001
+From: Thomas Crain
+Date: Mon, 26 Apr 2021 12:40:04 -0500
+Subject: [PATCH 1/6] Patch CVE-2020-36317
+
+Backporting the following to 1.47.0:
+https://github.com/rust-lang/rust/pull/78499
+https://github.com/rust-lang/rust/pull/82554
+---
+ library/alloc/src/string.rs | 37 ++++++++++++++++++++++-------------
+ library/alloc/tests/string.rs | 15 ++++++++++++++
+ 2 files changed, 38 insertions(+), 14 deletions(-)
+
+diff --git a/library/alloc/src/string.rs b/library/alloc/src/string.rs
+index 05690e19d23..9387f4edde3 100644
+--- a/library/alloc/src/string.rs
++++ b/library/alloc/src/string.rs
+@@ -1231,35 +1231,44 @@ impl String {
+ where
+ F: FnMut(char) -> bool,
+ {
++ struct SetLenOnDrop<'a> {
++ s: &'a mut String,
++ idx: usize,
++ del_bytes: usize,
++ }
++
++ impl<'a> Drop for SetLenOnDrop<'a> {
++ fn drop(&mut self) {
++ let new_len = self.idx - self.del_bytes;
++ debug_assert!(new_len <= self.s.len());
++ unsafe { self.s.vec.set_len(new_len) };
++ }
++ }
++
+ let len = self.len();
+- let mut del_bytes = 0;
+- let mut idx = 0;
++ let mut guard = SetLenOnDrop { s: self, idx: 0, del_bytes: 0 };
+
+- while idx < len {
+- let ch = unsafe { self.get_unchecked(idx..len).chars().next().unwrap() };
++ while guard.idx < len {
++ let ch = unsafe { guard.s.get_unchecked(guard.idx..len).chars().next().unwrap() };
+ let ch_len = ch.len_utf8();
+
+ if !f(ch) {
+- del_bytes += ch_len;
+- } else if del_bytes > 0 {
++ guard.del_bytes += ch_len;
++ } else if guard.del_bytes > 0 {
+ unsafe {
+ ptr::copy(
+- self.vec.as_ptr().add(idx),
+- self.vec.as_mut_ptr().add(idx - del_bytes),
++ guard.s.vec.as_ptr().add(guard.idx),
++ guard.s.vec.as_mut_ptr().add(guard.idx - guard.del_bytes),
+ ch_len,
+ );
+ }
+ }
+
+ // Point idx to the next char
+- idx += ch_len;
++ guard.idx += ch_len;
+ }
+
+- if del_bytes > 0 {
+- unsafe {
+- self.vec.set_len(len - del_bytes);
+- }
+- }
++ drop(guard);
+ }
+
+ /// 
Inserts a character into this `String` at a byte position.
+diff --git a/library/alloc/tests/string.rs b/library/alloc/tests/string.rs
+index d38655af78c..61587987172 100644
+--- a/library/alloc/tests/string.rs
++++ b/library/alloc/tests/string.rs
+@@ -1,6 +1,7 @@
+ use std::borrow::Cow;
+ use std::collections::TryReserveError::*;
+ use std::mem::size_of;
++use std::panic;
+
+ pub trait IntoCow<'a, B: ?Sized>
+ where
+@@ -374,6 +375,20 @@ fn test_retain() {
+
+ s.retain(|_| false);
+ assert_eq!(s, "");
++
++ let mut s = String::from("0è0");
++ let _ = panic::catch_unwind(panic::AssertUnwindSafe(|| {
++ let mut count = 0;
++ s.retain(|_| {
++ count += 1;
++ match count {
++ 1 => false,
++ 2 => true,
++ _ => panic!(),
++ }
++ });
++ }));
++ assert!(std::str::from_utf8(s.as_bytes()).is_ok());
+ }
+
+ #[test]
+--
+2.25.1
diff --git a/SPECS/rust/CVE-2020-36323.patch b/SPECS/rust/CVE-2020-36323.patch
new file mode 100644
index 00000000000..76d2602c82a
--- /dev/null
+++ b/SPECS/rust/CVE-2020-36323.patch
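Review bot: `SetLenOnDrop` is the entire fix yet carries no comment saying why it exists: the user closure `f` can panic between a `ptr::copy` and the final `set_len`, and in the removed code the `String` then kept its full old length over a partially compacted buffer, exposing a non-UTF-8 tail — exactly what the added `from_utf8(...).is_ok()` test after `catch_unwind` checks. I would put a doc comment on the struct, e.g. `/// Truncates to `idx - del_bytes` even if `f` panics mid-scan (CVE-2020-36317); every byte below that index has already been compacted and is valid UTF-8.`, so the guard is not "simplified away" in a later cleanup. The `Subject:` line reads `[PATCH 1/6]` but only two Rust patches are visible here and the spec hunk listing them is outside this view; confirm the rest of that series is tracked or renumber so the header does not imply missing patches.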
@@ -0,0 +1,142 @@ +From 358bf9bf74dc7ce040e9be8232057d2904ba4fd9 Mon Sep 17 00:00:00 2001 +From: Thomas Crain +Date: Mon, 26 Apr 2021 14:28:30 -0500 +Subject: [PATCH] Fix CVE-2020-36323 + +Backported to 1.47.0: +https://github.com/rust-lang/rust/pull/81728 +--- + library/alloc/src/str.rs | 44 ++++++++++++++++++++++---------------- + library/alloc/tests/str.rs | 30 ++++++++++++++++++++++++++ + 2 files changed, 55 insertions(+), 19 deletions(-) + +diff --git a/library/alloc/src/str.rs b/library/alloc/src/str.rs +index 339592728ac..7e55f2fa579 100644 +--- a/library/alloc/src/str.rs ++++ b/library/alloc/src/str.rs +@@ -90,8 +90,8 @@ impl> Join<&str> for [S] { + } + } + +-macro_rules! spezialize_for_lengths { +- ($separator:expr, $target:expr, $iter:expr; $($num:expr),*) => { ++macro_rules! specialize_for_lengths { ++ ($separator:expr, $target:expr, $iter:expr; $($num:expr),*) => {{ + let mut target = $target; + let iter = $iter; + let sep_bytes = $separator; +@@ -102,7 +102,8 @@ macro_rules! spezialize_for_lengths { + $num => { + for s in iter { + copy_slice_and_advance!(target, sep_bytes); +- copy_slice_and_advance!(target, s.borrow().as_ref()); ++ let content_bytes = s.borrow().as_ref(); ++ copy_slice_and_advance!(target, content_bytes); + } + }, + )* +@@ -110,11 +111,13 @@ macro_rules! spezialize_for_lengths { + // arbitrary non-zero size fallback + for s in iter { + copy_slice_and_advance!(target, sep_bytes); +- copy_slice_and_advance!(target, s.borrow().as_ref()); ++ let content_bytes = s.borrow().as_ref(); ++ copy_slice_and_advance!(target, content_bytes); + } + } + } +- }; ++ target ++ }} + } + + macro_rules! 
copy_slice_and_advance { +@@ -153,30 +156,33 @@ where + // if the `len` calculation overflows, we'll panic + // we would have run out of memory anyway and the rest of the function requires + // the entire Vec pre-allocated for safety +- let len = sep_len ++ let reserved_len = sep_len + .checked_mul(iter.len()) + .and_then(|n| { + slice.iter().map(|s| s.borrow().as_ref().len()).try_fold(n, usize::checked_add) + }) + .expect("attempt to join into collection with len > usize::MAX"); + +- // crucial for safety +- let mut result = Vec::with_capacity(len); +- assert!(result.capacity() >= len); ++ // prepare an uninitialized buffer ++ let mut result = Vec::with_capacity(reserved_len); ++ debug_assert!(result.capacity() >= reserved_len); + + result.extend_from_slice(first.borrow().as_ref()); + + unsafe { +- { +- let pos = result.len(); +- let target = result.get_unchecked_mut(pos..len); +- +- // copy separator and slices over without bounds checks +- // generate loops with hardcoded offsets for small separators +- // massive improvements possible (~ x2) +- spezialize_for_lengths!(sep, target, iter; 0, 1, 2, 3, 4); +- } +- result.set_len(len); ++ let pos = result.len(); ++ let target = result.get_unchecked_mut(pos..reserved_len); ++ ++ // copy separator and slices over without bounds checks ++ // generate loops with hardcoded offsets for small separators ++ // massive improvements possible (~ x2) ++ let remain = specialize_for_lengths!(sep, target, iter; 0, 1, 2, 3, 4); ++ ++ // A weird borrow implementation may return different ++ // slices for the length calculation and the actual copy. ++ // Make sure we don't expose uninitialized bytes to the caller. 
++ let result_len = reserved_len - remain.len(); ++ result.set_len(result_len); + } + result + } +diff --git a/library/alloc/tests/str.rs b/library/alloc/tests/str.rs +index b20cf076aca..5a3190103c3 100644 +--- a/library/alloc/tests/str.rs ++++ b/library/alloc/tests/str.rs +@@ -1921,3 +1921,33 @@ fn different_str_pattern_forwarding_lifetimes() { + + foo::<&str>("x"); + } ++ ++#[test] ++fn test_join_isue_80335() { ++ use core::{borrow::Borrow, cell::Cell}; ++ ++ struct WeirdBorrow { ++ state: Cell, ++ } ++ ++ impl Default for WeirdBorrow { ++ fn default() -> Self { ++ WeirdBorrow { state: Cell::new(false) } ++ } ++ } ++ ++ impl Borrow for WeirdBorrow { ++ fn borrow(&self) -> &str { ++ let state = self.state.get(); ++ if state { ++ "0" ++ } else { ++ self.state.set(true); ++ "123456" ++ } ++ } ++ } ++ ++ let arr: [WeirdBorrow; 3] = Default::default(); ++ test_join!("0-0-0", arr, "-"); ++} +-- +2.25.1 + diff --git a/SPECS/rust/CVE-2021-28875.patch b/SPECS/rust/CVE-2021-28875.patch new file mode 100644 index 00000000000..27fdcef8406 --- /dev/null +++ b/SPECS/rust/CVE-2021-28875.patch 
@@ -0,0 +1,58 @@ +From 4095a00f08f855366c60ae00040edc1a5e64dd7c Mon Sep 17 00:00:00 2001 +From: Thomas Crain +Date: Mon, 26 Apr 2021 12:42:46 -0500 +Subject: [PATCH 2/6] Patch CVE-2021-28875 + +Backport to 1.47.0 from: +https://github.com/rust-lang/rust/pull/80895 +--- + library/std/src/io/mod.rs | 23 ++++++++++------------- + 1 file changed, 10 insertions(+), 13 deletions(-) + +diff --git a/library/std/src/io/mod.rs b/library/std/src/io/mod.rs +index 462b696db40..0a3be236ac9 100644 +--- a/library/std/src/io/mod.rs ++++ b/library/std/src/io/mod.rs +@@ -362,7 +362,6 @@ where + { + let start_len = buf.len(); + let mut g = Guard { len: buf.len(), buf }; +- let ret; + loop { + if g.len == g.buf.len() { + unsafe { +@@ -380,22 +379,20 @@ where + r.initializer().initialize(&mut g.buf[g.len..]); + } + } +- +- match r.read(&mut g.buf[g.len..]) { +- Ok(0) => { +- ret = Ok(g.len - start_len); +- break; ++ let buf = &mut g.buf[g.len..]; ++ match r.read(buf) { ++ Ok(0) => return Ok(g.len - start_len), ++ Ok(n) => { ++ // We can't allow bogus values from read. If it is too large, the returned vec could have its length ++ // set past its capacity, or if it overflows the vec could be shortened which could create an invalid ++ // string if this is called via read_to_string. ++ assert!(n <= buf.len()); ++ g.len += n; + } +- Ok(n) => g.len += n, + Err(ref e) if e.kind() == ErrorKind::Interrupted => {} +- Err(e) => { +- ret = Err(e); +- break; +- } ++ Err(e) => return Err(e), + } + } +- +- ret + } + + pub(crate) fn default_read_vectored(read: F, bufs: &mut [IoSliceMut<'_>]) -> Result +-- +2.25.1 diff --git a/SPECS/rust/CVE-2021-28876.patch b/SPECS/rust/CVE-2021-28876.patch new file mode 100644 index 00000000000..8a2600517a0 --- /dev/null +++ b/SPECS/rust/CVE-2021-28876.patch 
@@ -0,0 +1,34 @@ +From adb9ae35768ccf0a457693950d5b128d8de2372f Mon Sep 17 00:00:00 2001 +From: Thomas Crain +Date: Mon, 26 Apr 2021 13:41:49 -0500 +Subject: [PATCH 4/6] Fix CVE-2021-28876 + +Backport to 1.47.0: +https://github.com/rust-lang/rust/pull/81741 +--- + library/core/src/iter/adapters/zip.rs | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/library/core/src/iter/adapters/zip.rs b/library/core/src/iter/adapters/zip.rs +index cde4d8f3c06..8a9f4b8af1e 100644 +--- a/library/core/src/iter/adapters/zip.rs ++++ b/library/core/src/iter/adapters/zip.rs +@@ -201,12 +201,13 @@ where + Some((self.a.__iterator_get_unchecked(i), self.b.__iterator_get_unchecked(i))) + } + } else if A::may_have_side_effect() && self.index < self.a.size() { ++ let i = self.index; ++ self.index += 1; + // match the base implementation's potential side effects +- // SAFETY: we just checked that `self.index` < `self.a.len()` ++ // SAFETY: we just checked that `i` < `self.a.len()` + unsafe { +- self.a.__iterator_get_unchecked(self.index); ++ self.a.__iterator_get_unchecked(i); + } +- self.index += 1; + None + } else { + None +-- +2.25.1 diff --git a/SPECS/rust/CVE-2021-28877.patch b/SPECS/rust/CVE-2021-28877.patch new file mode 100644 index 00000000000..792048eb8f2 --- /dev/null +++ b/SPECS/rust/CVE-2021-28877.patch 
@@ -0,0 +1,53 @@ +From a297d4e6d60244482b6889111080a461bd474426 Mon Sep 17 00:00:00 2001 +From: Thomas Crain +Date: Mon, 26 Apr 2021 13:38:46 -0500 +Subject: [PATCH 3/6] Patch CVE-2021-28877 + +Backported to 1.47.0: +https://github.com/rust-lang/rust/pull/80670/files +--- + library/core/src/iter/adapters/zip.rs | 1 + + library/core/tests/iter.rs | 18 ++++++++++++++++++ + 2 files changed, 19 insertions(+) + +diff --git a/library/core/src/iter/adapters/zip.rs b/library/core/src/iter/adapters/zip.rs +index 581ac6e0d82..cde4d8f3c06 100644 +--- a/library/core/src/iter/adapters/zip.rs ++++ b/library/core/src/iter/adapters/zip.rs +@@ -289,6 +289,7 @@ where + + #[inline] + unsafe fn get_unchecked(&mut self, idx: usize) -> ::Item { ++ let idx = self.index + idx; + // SAFETY: the caller must uphold the contract for + // `Iterator::get_unchecked`. + unsafe { (self.a.__iterator_get_unchecked(idx), self.b.__iterator_get_unchecked(idx)) } +diff --git a/library/core/tests/iter.rs b/library/core/tests/iter.rs +index 00e3972c42f..803dc5d1698 100644 +--- a/library/core/tests/iter.rs ++++ b/library/core/tests/iter.rs +@@ -3222,3 +3222,21 @@ fn test_flatten_non_fused_inner() { + assert_eq!(iter.next(), Some(1)); + assert_eq!(iter.next(), None); + } ++ ++#[test] ++fn test_zip_trusted_random_access_composition() { ++ let a = [0, 1, 2, 3, 4]; ++ let b = a; ++ let c = a; ++ ++ let a = a.iter().copied(); ++ let b = b.iter().copied(); ++ let mut c = c.iter().copied(); ++ c.next(); ++ ++ let mut z1 = a.zip(b); ++ assert_eq!(z1.next().unwrap(), (0, 0)); ++ ++ let mut z2 = z1.zip(c); ++ assert_eq!(z2.next().unwrap(), ((1, 1), 1)); ++} +\ No newline at end of file +-- +2.25.1 diff --git a/SPECS/rust/CVE-2021-28878.patch b/SPECS/rust/CVE-2021-28878.patch new file mode 100644 index 00000000000..3344f14996f --- /dev/null +++ b/SPECS/rust/CVE-2021-28878.patch 
@@ -0,0 +1,106 @@ +From a461afc27b43155dcf16430bc071682466011501 Mon Sep 17 00:00:00 2001 +From: Thomas Crain +Date: Mon, 26 Apr 2021 13:49:28 -0500 +Subject: [PATCH 6/6] Fix CVE-2021-28878 + +Backported to 1.47.0: +https://github.com/rust-lang/rust/pull/82292 +--- + library/core/src/iter/adapters/zip.rs | 13 +++++++++---- + library/core/tests/iter.rs | 23 +++++++++++++++++++++++ + 2 files changed, 32 insertions(+), 4 deletions(-) + +diff --git a/library/core/src/iter/adapters/zip.rs b/library/core/src/iter/adapters/zip.rs +index e480bf2bc28..79f22583e5d 100644 +--- a/library/core/src/iter/adapters/zip.rs ++++ b/library/core/src/iter/adapters/zip.rs +@@ -16,9 +16,10 @@ use super::super::{DoubleEndedIterator, ExactSizeIterator, FusedIterator, Iterat + pub struct Zip { + a: A, + b: B, +- // index and len are only used by the specialized version of zip ++ // index, len and a_len are only used by the specialized version of zip + index: usize, + len: usize, ++ a_len: usize, + } + impl Zip { + pub(in super::super) fn new(a: A, b: B) -> Zip { +@@ -113,6 +114,7 @@ where + b, + index: 0, // unused + len: 0, // unused ++ a_len: 0, // unused + } + } + +@@ -187,8 +189,9 @@ where + B: TrustedRandomAccess + Iterator, + { + fn new(a: A, b: B) -> Self { +- let len = cmp::min(a.size(), b.size()); +- Zip { a, b, index: 0, len } ++ let a_len = a.size(); ++ let len = cmp::min(a_len, b.size()); ++ Zip { a, b, index: 0, len, a_len } + } + + #[inline] +@@ -200,7 +203,7 @@ where + unsafe { + Some((self.a.__iterator_get_unchecked(i), self.b.__iterator_get_unchecked(i))) + } +- } else if A::may_have_side_effect() && self.index < self.a.size() { ++ } else if A::may_have_side_effect() && self.index < self.a_len { + let i = self.index; + self.index += 1; + self.len += 1; +@@ -267,6 +270,7 @@ where + for _ in 0..sz_a - self.len { + self.a.next_back(); + } ++ self.a_len = self.len; + } + let sz_b = self.b.size(); + if b_side_effect && sz_b > self.len { +@@ -278,6 +282,7 @@ where + } + if 
self.index < self.len { + self.len -= 1; ++ self.a_len -= 1; + let i = self.len; + // SAFETY: `i` is smaller than the previous value of `self.len`, + // which is also smaller than or equal to `self.a.len()` and `self.b.len()` +diff --git a/library/core/tests/iter.rs b/library/core/tests/iter.rs +index 913764894ec..bbadb5820e9 100644 +--- a/library/core/tests/iter.rs ++++ b/library/core/tests/iter.rs +@@ -3260,3 +3260,26 @@ fn test_issue_82282() { + panic!(); + } + } ++ ++#[test] ++fn test_issue_82291() { ++ use std::cell::Cell; ++ ++ let mut v1 = [()]; ++ let v2 = [()]; ++ ++ let called = Cell::new(0); ++ ++ let mut zip = v1 ++ .iter_mut() ++ .map(|r| { ++ called.set(called.get() + 1); ++ r ++ }) ++ .zip(&v2); ++ ++ zip.next_back(); ++ assert_eq!(called.get(), 1); ++ zip.next(); ++ assert_eq!(called.get(), 1); ++} +-- +2.25.1 diff --git a/SPECS/rust/CVE-2021-28879.patch b/SPECS/rust/CVE-2021-28879.patch index 335fabeeeb2..9fc9a24c5f1 100644 --- a/SPECS/rust/CVE-2021-28879.patch +++ b/SPECS/rust/CVE-2021-28879.patch @@ -1,3 +1,4 @@ +<<<<<<< HEAD From 1e43823ef5bc19f8ffa60539f8dc93868d6cc1ef Mon Sep 17 00:00:00 2001 From: Thomas Crain Date: Sun, 25 Apr 2021 13:14:28 -0500 @@ -23,6 +24,33 @@ index 581ac6e0d82..95bb16325ef 100644 // SAFETY: we just checked that `self.index` < `self.a.len()` unsafe { 
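Review bot: CVE-2021-28879.patch is committed with unresolved merge-conflict markers: this hunk adds `+<<<<<<< HEAD` in front of the old `From 1e43823ef5bc…` header, and the `@@ -23,6 +24,33 @@`, `@@ -32,6 +60,7 @@`, `@@ -39,6 +68,19 @@` and `@@ -58,9 +100,15 @@` hunks add the matching `=======` / `>>>>>>> 1.0-dev` lines, so on the new side the file is two interleaved patches rather than one and will not apply cleanly as Patch4 of rust.spec. The `1.0-dev` side is the one that fits the series: its zip.rs index `8a9f4b8af1e..e480bf2bc28` starts where CVE-2021-28876.patch leaves the file and feeds CVE-2021-28878.patch (`e480bf2bc28..79f22583e5d`), and its iter.rs index `803dc5d1698..913764894ec` chains CVE-2021-28877.patch to CVE-2021-28878.patch the same way, whereas the HEAD side (`581ac6e0d82..95bb16325ef`, `00e3972c42f..94787931994`) predates Patch2 and Patch3. The fix is to keep only the `1.0-dev` content — the `[PATCH 5/6]` header, the `+ self.len += 1;` hunk and the `test_issue_82282` test with its newline-at-EOF repair — delete the three marker groups and the HEAD-side header/index lines, and confirm with `git apply --check` on a 1.47.0 tree that already has Patch0–Patch3 applied.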
@@ -262,7 +263,7 @@ where +======= +From 173e9c1d6dc4195e9223d6c1f7fe95017c12fd9f Mon Sep 17 00:00:00 2001 +From: Thomas Crain +Date: Mon, 26 Apr 2021 13:44:39 -0500 +Subject: [PATCH 5/6] Fix CVE-2021-28879 + +Backport to 1.47.0: +https://github.com/rust-lang/rust/pull/82289 +--- + library/core/src/iter/adapters/zip.rs | 3 ++- + library/core/tests/iter.rs | 22 +++++++++++++++++++++- + 2 files changed, 23 insertions(+), 2 deletions(-) + +diff --git a/library/core/src/iter/adapters/zip.rs b/library/core/src/iter/adapters/zip.rs +index 8a9f4b8af1e..e480bf2bc28 100644 +--- a/library/core/src/iter/adapters/zip.rs ++++ b/library/core/src/iter/adapters/zip.rs +@@ -203,6 +203,7 @@ where + } else if A::may_have_side_effect() && self.index < self.a.size() { + let i = self.index; + self.index += 1; ++ self.len += 1; + // match the base implementation's potential side effects + // SAFETY: we just checked that `i` < `self.a.len()` + unsafe { +@@ -263,7 +264,7 @@ where +>>>>>>> 1.0-dev if sz_a != sz_b { let sz_a = self.a.size(); if a_side_effect && sz_a > self.len { @@ -32,6 +60,7 @@ index 581ac6e0d82..95bb16325ef 100644 } } diff --git a/library/core/tests/iter.rs b/library/core/tests/iter.rs +<<<<<<< HEAD index 00e3972c42f..94787931994 100644 --- a/library/core/tests/iter.rs +++ b/library/core/tests/iter.rs @@ -39,6 +68,19 @@ index 00e3972c42f..94787931994 100644 assert_eq!(it.next(), None); } +======= +index 803dc5d1698..913764894ec 100644 +--- a/library/core/tests/iter.rs ++++ b/library/core/tests/iter.rs +@@ -3239,4 +3239,24 @@ fn test_zip_trusted_random_access_composition() { + + let mut z2 = z1.zip(c); + assert_eq!(z2.next().unwrap(), ((1, 1), 1)); +-} +\ No newline at end of file ++} ++ +>>>>>>> 1.0-dev +#[test] +fn test_issue_82282() { + fn overflowed_zip(arr: &[i32]) -> impl Iterator { 
@@ -58,9 +100,15 @@ index 00e3972c42f..94787931994 100644 + panic!(); + } +} +<<<<<<< HEAD + #[test] fn test_double_ended_filter() { let xs = [1, 2, 3, 4, 5, 6]; -- 2.25.1 +======= +-- +2.25.1 + +>>>>>>> 1.0-dev diff --git a/SPECS/rust/rust.spec b/SPECS/rust/rust.spec index 5817483d6d4..60df6419801 100644 --- a/SPECS/rust/rust.spec +++ b/SPECS/rust/rust.spec @@ -3,7 +3,7 @@ Summary: Rust Programming Language Name: rust Version: 1.47.0 -Release: 2%{?dist} +Release: 3%{?dist} License: ASL 2.0 AND MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -17,7 +17,13 @@ Source4: https://static.rust-lang.org/dist/2020-08-27/rust-std-1.46.0-x86 Source5: https://static.rust-lang.org/dist/2020-08-27/cargo-0.47.0-aarch64-unknown-linux-gnu.tar.gz Source6: https://static.rust-lang.org/dist/2020-08-27/rustc-1.46.0-aarch64-unknown-linux-gnu.tar.gz Source7: https://static.rust-lang.org/dist/2020-08-27/rust-std-1.46.0-aarch64-unknown-linux-gnu.tar.gz -Patch0: CVE-2021-28879.patch +Patch0: CVE-2020-36317.patch +Patch1: CVE-2021-28875.patch +Patch2: CVE-2021-28877.patch +Patch3: CVE-2021-28876.patch +Patch4: CVE-2021-28879.patch +Patch5: CVE-2021-28878.patch +Patch6: CVE-2020-36323.patch BuildRequires: binutils BuildRequires: cmake @@ -104,6 +110,10 @@ rm %{buildroot}%{_docdir}/%{name}/*.old %{_sysconfdir}/bash_completion.d/cargo %changelog +* Mon Apr 26 2021 Thomas Crain - 1.47.0-3 +- Patch CVE-2020-36317, CVE-2021-28875, CVE-2021-28876, CVE-2021-28877, CVE-2021-28878 +- Redo patch for CVE-2021-28879 with regards to patches listed above + * Mon Apr 19 2021 Thomas Crain - 1.47.0-2 - Patch CVE-2021-28879 diff --git a/SPECS/shim-unsigned-aarch64/cbl-mariner-ca-20210127.der b/SPECS/shim-unsigned-aarch64/cbl-mariner-ca-20210127.der new file mode 100644 index 00000000000..411415aed6a Binary files /dev/null and b/SPECS/shim-unsigned-aarch64/cbl-mariner-ca-20210127.der differ 
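Review bot: The four zip.rs backports must stay in this order and the spec does not record that: CVE-2021-28877.patch takes `library/core/src/iter/adapters/zip.rs` from `581ac6e0d82` to `cde4d8f3c06`, CVE-2021-28876.patch from `cde4d8f3c06` to `8a9f4b8af1e`, CVE-2021-28879.patch from `8a9f4b8af1e` to `e480bf2bc28` and CVE-2021-28878.patch from `e480bf2bc28` to `79f22583e5d`, so reordering Patch2–Patch5 breaks application. A one-line comment above `Patch2:` would protect that, e.g. `# Patch2-Patch5 all touch library/core/src/iter/adapters/zip.rs and are an ordered backport series; keep this order.` The `%prep` section is outside this hunk; unless it uses `%autosetup` or `%autopatch`, each new `PatchN:` line also needs a matching `%patchN -p1` there, and it is worth checking that before the build is relied on.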
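Review bot: The new changelog entry omits CVE-2020-36323 although `Patch6: CVE-2020-36323.patch` is added in the same commit, so the 1.47.0-3 entry under-reports what the release fixes. Change the first bullet to `- Patch CVE-2020-36317, CVE-2020-36323, CVE-2021-28875, CVE-2021-28876, CVE-2021-28877, CVE-2021-28878`.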
diff --git a/SPECS/shim-unsigned-aarch64/cbl-mariner-ca.der b/SPECS/shim-unsigned-aarch64/cbl-mariner-ca.der deleted file mode 100644 index a1de99e51fc..00000000000 Binary files a/SPECS/shim-unsigned-aarch64/cbl-mariner-ca.der and /dev/null differ diff --git a/SPECS/shim-unsigned-aarch64/shim-unsigned-aarch64.signatures.json b/SPECS/shim-unsigned-aarch64/shim-unsigned-aarch64.signatures.json index 89dce6cf63b..87a878f10ea 100644 --- a/SPECS/shim-unsigned-aarch64/shim-unsigned-aarch64.signatures.json +++ b/SPECS/shim-unsigned-aarch64/shim-unsigned-aarch64.signatures.json @@ -1,6 +1,6 @@ { "Signatures": { - "cbl-mariner-ca.der": "ce1290f2bbdf5a7f68053951a9f7fc7f1852a562ea103f46ca5249b497fb1faf", + "cbl-mariner-ca-20210127.der": "34f7436bc56c7b4e526e55dbc207ad6311dbace0403e1d462ad1f9ce3479d386", "shim-15.tar.bz2": "473720200e6dae7cfd3ce7fb27c66367a8d6b08233fe63f01aa1d6b3888deeb6" } } \ No newline at end of file diff --git a/SPECS/shim-unsigned-aarch64/shim-unsigned-aarch64.spec b/SPECS/shim-unsigned-aarch64/shim-unsigned-aarch64.spec index f7e7c7ddea6..a6ed633dfed 100644 --- a/SPECS/shim-unsigned-aarch64/shim-unsigned-aarch64.spec +++ b/SPECS/shim-unsigned-aarch64/shim-unsigned-aarch64.spec @@ -2,13 +2,13 @@ Summary: First stage UEFI bootloader Name: shim-unsigned-aarch64 Version: 15 -Release: 4%{?dist} +Release: 5%{?dist} URL: https://github.com/rhboot/shim License: BSD Vendor: Microsoft Distribution: Mariner Source0: https://github.com/rhboot/shim/releases/download/15/shim-%{version}.tar.bz2 -Source1: cbl-mariner-ca.der +Source1: cbl-mariner-ca-20210127.der ExclusiveArch: aarch64 BuildRequires: gnu-efi @@ -102,6 +102,8 @@ install -vm 644 shimaa64.efi %{buildroot}/usr/share/%{name}/shimaa64.efi /usr/share/%{name}/shimaa64.efi %changelog +* Fri Apr 23 2021 Chris Co 15-5 +- Update cert * Tue Aug 25 2020 Chris Co 15-4 - Apply patch files (from CentOS: shim-15-8.el7) * Thu Jul 30 2020 Chris Co 15-3 
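Review bot: The changelog line `- Update cert` does not say which certificate changed or what that means for already-signed binaries, even though the `@@ -2,13 +2,13 @@` hunk swaps `Source1` from `cbl-mariner-ca.der` to `cbl-mariner-ca-20210127.der` and the signatures manifest moves to the new file's sha256. If Source1 is the CA the build embeds into shim as its vendor certificate (the build section is outside these hunks), second-stage loaders signed only by the previous CA will presumably no longer verify, which is what an operator reading the changelog needs to know. Suggest `- Replace embedded CBL-Mariner CA with cbl-mariner-ca-20210127.der (loaders must be signed by the new CA)`, with the parenthetical adjusted to what the build actually does.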
diff --git a/SPECS/shim-unsigned-x64/0001-Make-some-things-dprint-instead-of-console_print.patch b/SPECS/shim-unsigned-x64/0001-Make-some-things-dprint-instead-of-console_print.patch deleted file mode 100644 index 7190954c978..00000000000 --- a/SPECS/shim-unsigned-x64/0001-Make-some-things-dprint-instead-of-console_print.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 1d50318f448b73b072724eb6664d311e6084a446 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 10 Apr 2018 12:36:34 -0400 -Subject: [PATCH 01/62] Make some things dprint() instead of console_print() - -Signed-off-by: Peter Jones -Upstream-commit-id: dad59f8c0f36 ---- - shim.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/shim.c b/shim.c -index 00155346c12..ff0817009cd 100644 ---- a/shim.c -+++ b/shim.c -@@ -2087,8 +2087,8 @@ static int is_our_path(EFI_LOADED_IMAGE *li, CHAR16 *path, UINTN len) - if (!dppath) - return 0; - -- console_print(L"dppath: %s\n", dppath); -- console_print(L"path: %s\n", path); -+ dprint(L"dppath: %s\n", dppath); -+ dprint(L"path: %s\n", path); - if (StrnCaseCmp(dppath, path, len)) - ret = 0; - --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0002-Makefiles-ensure-m32-gets-propogated-to-our-gcc-para.patch b/SPECS/shim-unsigned-x64/0002-Makefiles-ensure-m32-gets-propogated-to-our-gcc-para.patch deleted file mode 100644 index 94c0c73b65b..00000000000 --- a/SPECS/shim-unsigned-x64/0002-Makefiles-ensure-m32-gets-propogated-to-our-gcc-para.patch +++ /dev/null 
@@ -1,131 +0,0 @@ -From 32f71225382ddb7dd1ad51f584bc3d42a7ee39d1 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 12 Apr 2018 13:24:48 -0400 -Subject: [PATCH 02/62] Makefiles: ensure -m32 gets propogated to our gcc - parameter queries - -'gcc -print-file-name=include' and 'gcc -print-libgcc-file-name' both -need -m32 when we're building 32-on-64 on some distros, so ensure that -gets propogated correctly. - -Signed-off-by: Peter Jones -Upstream-commit-id: 104d6e54ac7 ---- - Make.defaults | 66 ++++++++++++++++++++++++++------------------------- - 1 file changed, 34 insertions(+), 32 deletions(-) - -diff --git a/Make.defaults b/Make.defaults -index e11ab5a7f2c..bbfc1d7f77b 100644 ---- a/Make.defaults -+++ b/Make.defaults -@@ -33,66 +33,46 @@ EFI_INCLUDES = -nostdinc -I$(TOPDIR)/Cryptlib -I$(TOPDIR)/Cryptlib/Include \ - -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol \ - -I$(TOPDIR)/include -iquote $(TOPDIR) -iquote $(shell pwd) - --LIB_GCC = $(shell $(CC) -print-libgcc-file-name) --EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC) -- - EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(ARCH).o - EFI_LDS = $(TOPDIR)/elf_$(ARCH)_efi.lds - --CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ -- -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \ -- -Werror=sign-compare -ffreestanding -std=gnu89 \ -- -I$(shell $(CC) -print-file-name=include) \ -- "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \ -- "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \ -- $(EFI_INCLUDES) -- - CLANG_BUGS = $(if $(findstring gcc,$(CC)),-maccumulate-outgoing-args,) - - COMMIT_ID ?= $(shell if [ -e .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo master; fi) - --ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined) -- CFLAGS += -DOVERRIDE_SECURITY_POLICY --endif -- --ifneq ($(origin ENABLE_HTTPBOOT), undefined) -- CFLAGS += -DENABLE_HTTPBOOT --endif -- 
--ifneq ($(origin REQUIRE_TPM), undefined) -- CFLAGS += -DREQUIRE_TPM --endif -- - ifeq ($(ARCH),x86_64) -- CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \ -- $(CLANG_BUGS) -m64 \ -- -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \ -- -DNO_BUILTIN_VA_FUNCS -DMDE_CPU_X64 -DPAGE_SIZE=4096 -+ ARCH_CFLAGS ?= -mno-mmx -mno-sse -mno-red-zone -nostdinc \ -+ $(CLANG_BUGS) -m64 \ -+ -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \ -+ -DNO_BUILTIN_VA_FUNCS -DMDE_CPU_X64 \ -+ -DPAGE_SIZE=4096 - LIBDIR ?= $(prefix)/lib64 - ARCH_SUFFIX ?= x64 - ARCH_SUFFIX_UPPER ?= X64 - ARCH_LDFLAGS ?= - endif - ifeq ($(ARCH),ia32) -- CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \ -- $(CLANG_BUGS) -m32 \ -- -DMDE_CPU_IA32 -DPAGE_SIZE=4096 -+ ARCH_CFLAGS ?= -mno-mmx -mno-sse -mno-red-zone -nostdinc \ -+ $(CLANG_BUGS) -m32 \ -+ -DMDE_CPU_IA32 -DPAGE_SIZE=4096 - LIBDIR ?= $(prefix)/lib - ARCH_SUFFIX ?= ia32 - ARCH_SUFFIX_UPPER ?= IA32 - ARCH_LDFLAGS ?= -+ ARCH_CFLAGS ?= -m32 - endif - ifeq ($(ARCH),aarch64) -- CFLAGS += -DMDE_CPU_AARCH64 -DPAGE_SIZE=4096 -mstrict-align -+ ARCH_CFLAGS ?= -DMDE_CPU_AARCH64 -DPAGE_SIZE=4096 -mstrict-align - LIBDIR ?= $(prefix)/lib64 - ARCH_SUFFIX ?= aa64 - ARCH_SUFFIX_UPPER ?= AA64 - FORMAT := -O binary - SUBSYSTEM := 0xa - ARCH_LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM) -+ ARCH_CFLAGS ?= - endif - ifeq ($(ARCH),arm) -- CFLAGS += -DMDE_CPU_ARM -DPAGE_SIZE=4096 -mstrict-align -+ ARCH_CFLAGS ?= -DMDE_CPU_ARM -DPAGE_SIZE=4096 -mstrict-align - LIBDIR ?= $(prefix)/lib - ARCH_SUFFIX ?= arm - ARCH_SUFFIX_UPPER ?= ARM -@@ -101,6 +81,28 @@ ifeq ($(ARCH),arm) - ARCH_LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM) - endif - -+CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ -+ -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \ -+ -Werror=sign-compare -ffreestanding -std=gnu89 \ -+ -I$(shell $(CC) $(ARCH_CFLAGS) -print-file-name=include) \ -+ "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \ -+ "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \ -+ 
$(EFI_INCLUDES) $(ARCH_CFLAGS) -+ -+ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined) -+ CFLAGS += -DOVERRIDE_SECURITY_POLICY -+endif -+ -+ifneq ($(origin ENABLE_HTTPBOOT), undefined) -+ CFLAGS += -DENABLE_HTTPBOOT -+endif -+ -+ifneq ($(origin REQUIRE_TPM), undefined) -+ CFLAGS += -DREQUIRE_TPM -+endif -+ -+LIB_GCC = $(shell $(CC) $(ARCH_CFLAGS) -print-libgcc-file-name) -+EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC) - FORMAT ?= --target efi-app-$(ARCH) - EFI_PATH ?= $(LIBDIR)/gnuefi - --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0003-Let-MokManager-follow-a-MokTimeout-var-for-timeout-l.patch b/SPECS/shim-unsigned-x64/0003-Let-MokManager-follow-a-MokTimeout-var-for-timeout-l.patch deleted file mode 100644 index 9f6697a1c44..00000000000 --- a/SPECS/shim-unsigned-x64/0003-Let-MokManager-follow-a-MokTimeout-var-for-timeout-l.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From 74718677945b1ab825130b317c63f5002876e772 Mon Sep 17 00:00:00 2001 -From: Mathieu Trudel-Lapierre -Date: Thu, 5 Jul 2018 11:28:12 -0400 -Subject: [PATCH 03/62] Let MokManager follow a MokTimeout var for timeout - length for the prompt - -This timeout can have the values [-1,0..0x7fff]; where -1 means "no timeout", -with MokManager going directly to the menu, and is capped to 0x7fff to avoid -unecessary long timeouts. The default remains 10, which will be used whenever -the MokTimeout variable isn't set. - -Signed-off-by: Mathieu Trudel-Lapierre -Upstream-commit-id: 93708c11083 ---- - MokManager.c | 23 ++++++++++++++++++++++- - 1 file changed, 22 insertions(+), 1 deletion(-) - -diff --git a/MokManager.c b/MokManager.c -index 7e40a38f1d1..0767e4a6cde 100644 ---- a/MokManager.c -+++ b/MokManager.c -@@ -40,6 +40,10 @@ typedef struct { - CHAR16 Password[SB_PASSWORD_LEN]; - } __attribute__ ((packed)) MokDBvar; - -+typedef struct { -+ INT32 Timeout; -+} __attribute__ ((packed)) MokTimeoutvar; -+ - static EFI_STATUS get_sha1sum(void *Data, int DataSize, UINT8 * hash) - { - EFI_STATUS efi_status; -@@ -2041,7 +2045,24 @@ static int draw_countdown() - UINTN cols, rows; - CHAR16 *title[2]; - CHAR16 *message = L"Press any key to perform MOK management"; -- int timeout = 10, wait = 10000000; -+ void *MokTimeout = NULL; -+ MokTimeoutvar *var; -+ UINTN MokTimeoutSize = 0; -+ int timeout, wait = 10000000; -+ -+ efi_status = get_variable(L"MokTimeout", (UINT8 **) &MokTimeout, -+ &MokTimeoutSize, SHIM_LOCK_GUID); -+ if (EFI_ERROR(efi_status)) { -+ timeout = 10; -+ } else { -+ var = MokTimeout; -+ timeout = (int)var->Timeout; -+ FreePool(MokTimeout); -+ LibDeleteVariable(L"MokTimeout", &SHIM_LOCK_GUID); -+ } -+ -+ if (timeout < 0) -+ return timeout; - - console_save_and_set_mode(&SavedMode); - --- -2.26.2 - 
diff --git a/SPECS/shim-unsigned-x64/0004-httpboot-return-EFI_NOT_FOUND-when-it-fails-to-find-.patch b/SPECS/shim-unsigned-x64/0004-httpboot-return-EFI_NOT_FOUND-when-it-fails-to-find-.patch deleted file mode 100644 index 44de3b7f53c..00000000000 --- a/SPECS/shim-unsigned-x64/0004-httpboot-return-EFI_NOT_FOUND-when-it-fails-to-find-.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 8a66f5571bb059d2692e804f4ba9817e978dd103 Mon Sep 17 00:00:00 2001 -From: Gary Lin -Date: Mon, 28 May 2018 16:05:38 +0800 -Subject: [PATCH 04/62] httpboot: return EFI_NOT_FOUND when it fails to find - the NIC handle - -httpboot_fetch_buffer() should return EFI_NOT_FOUND to reflect the error -status when get_nic_handle() returns NULL. - -Signed-off-by: Gary Lin -Upstream-commit-id: 2be5c7dc4b0 ---- - httpboot.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/httpboot.c b/httpboot.c -index 4cfa3aab3b7..d656073c633 100644 ---- a/httpboot.c -+++ b/httpboot.c -@@ -715,6 +715,7 @@ httpboot_fetch_buffer (EFI_HANDLE image, VOID **buffer, UINT64 *buf_size) - also supports the HTTP service binding protocol */ - nic = get_nic_handle(&mac_addr); - if (!nic) { -+ efi_status = EFI_NOT_FOUND; - goto error; - } - --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0005-httpboot-print-more-messages-when-it-fails-to-set-IP.patch b/SPECS/shim-unsigned-x64/0005-httpboot-print-more-messages-when-it-fails-to-set-IP.patch deleted file mode 100644 index d64a38170ba..00000000000 --- a/SPECS/shim-unsigned-x64/0005-httpboot-print-more-messages-when-it-fails-to-set-IP.patch +++ /dev/null 
@@ -1,107 +0,0 @@ -From 0ba6c87bdf55f749a0ec1c3b0fd24ebb8200d537 Mon Sep 17 00:00:00 2001 -From: Gary Lin -Date: Mon, 28 May 2018 17:24:30 +0800 -Subject: [PATCH 05/62] httpboot: print more messages when it fails to set IP - -We previously only print the return status and it may not be clear -enough in some situations. Print the IP address and the gateway to help -the user to identify the possible errors. - -Signed-off-by: Gary Lin -Upstream-commit-id: 3abe94516c7 ---- - httpboot.c | 45 +++++++++++++++++++++++++++++++++++++++++---- - 1 file changed, 41 insertions(+), 4 deletions(-) - -diff --git a/httpboot.c b/httpboot.c -index d656073c633..6f27b01bf71 100644 ---- a/httpboot.c -+++ b/httpboot.c -@@ -311,6 +311,20 @@ is_unspecified_addr (EFI_IPv6_ADDRESS ip6) - return TRUE; - } - -+static inline void -+print_ip6_addr(EFI_IPv6_ADDRESS ip6addr) -+{ -+ perror(L"%x:%x:%x:%x:%x:%x:%x:%x\n", -+ ip6addr.Addr[0] << 8 | ip6addr.Addr[1], -+ ip6addr.Addr[2] << 8 | ip6addr.Addr[3], -+ ip6addr.Addr[4] << 8 | ip6addr.Addr[5], -+ ip6addr.Addr[6] << 8 | ip6addr.Addr[7], -+ ip6addr.Addr[8] << 8 | ip6addr.Addr[9], -+ ip6addr.Addr[10] << 8 | ip6addr.Addr[11], -+ ip6addr.Addr[12] << 8 | ip6addr.Addr[13], -+ ip6addr.Addr[14] << 8 | ip6addr.Addr[15]); -+} -+ - static EFI_STATUS - set_ip6(EFI_HANDLE *nic, IPv6_DEVICE_PATH *ip6node) - { -@@ -329,8 +343,12 @@ set_ip6(EFI_HANDLE *nic, IPv6_DEVICE_PATH *ip6node) - ip6.IsAnycast = FALSE; - efi_status = ip6cfg->SetData(ip6cfg, Ip6ConfigDataTypeManualAddress, - sizeof(ip6), &ip6); -- if (EFI_ERROR(efi_status)) -+ if (EFI_ERROR(efi_status)) { -+ perror(L"Failed to set IPv6 Address:\nIP: "); -+ print_ip6_addr(ip6.Address); -+ perror(L"Prefix Length: %u\n", ip6.PrefixLength); - return efi_status; -+ } - - gateway = ip6node->GatewayIpAddress; - if (is_unspecified_addr(gateway)) -@@ -338,12 +356,23 @@ set_ip6(EFI_HANDLE *nic, IPv6_DEVICE_PATH *ip6node) - - efi_status = ip6cfg->SetData(ip6cfg, Ip6ConfigDataTypeGateway, - sizeof(gateway), &gateway); -- 
if (EFI_ERROR(efi_status)) -+ if (EFI_ERROR(efi_status)) { -+ perror(L"Failed to set IPv6 Gateway:\nIP: "); -+ print_ip6_addr(gateway); - return efi_status; -+ } - - return EFI_SUCCESS; - } - -+static inline void -+print_ip4_addr(EFI_IPv4_ADDRESS ip4addr) -+{ -+ perror(L"%u.%u.%u.%u\n", -+ ip4addr.Addr[0], ip4addr.Addr[1], -+ ip4addr.Addr[2], ip4addr.Addr[3]); -+} -+ - static EFI_STATUS - set_ip4(EFI_HANDLE *nic, IPv4_DEVICE_PATH *ip4node) - { -@@ -361,14 +390,22 @@ set_ip4(EFI_HANDLE *nic, IPv4_DEVICE_PATH *ip4node) - ip4.SubnetMask = ip4node->SubnetMask; - efi_status = ip4cfg2->SetData(ip4cfg2, Ip4Config2DataTypeManualAddress, - sizeof(ip4), &ip4); -- if (EFI_ERROR(efi_status)) -+ if (EFI_ERROR(efi_status)) { -+ perror(L"Failed to Set IPv4 Address:\nIP: "); -+ print_ip4_addr(ip4.Address); -+ perror(L"Mask: "); -+ print_ip4_addr(ip4.SubnetMask); - return efi_status; -+ } - - gateway = ip4node->GatewayIpAddress; - efi_status = ip4cfg2->SetData(ip4cfg2, Ip4Config2DataTypeGateway, - sizeof(gateway), &gateway); -- if (EFI_ERROR(efi_status)) -+ if (EFI_ERROR(efi_status)) { -+ perror(L"Failed to Set IPv4 Gateway:\nGateway: "); -+ print_ip4_addr(gateway); - return efi_status; -+ } - - return EFI_SUCCESS; - } --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0006-httpboot-allow-the-IPv4-gateway-to-be-empty.patch b/SPECS/shim-unsigned-x64/0006-httpboot-allow-the-IPv4-gateway-to-be-empty.patch deleted file mode 100644 index 4b92fda9e56..00000000000 --- a/SPECS/shim-unsigned-x64/0006-httpboot-allow-the-IPv4-gateway-to-be-empty.patch +++ /dev/null 
@@ -1,68 +0,0 @@ -From 80e52895f206fcb40a60f031e7b721627bb193ca Mon Sep 17 00:00:00 2001 -From: Gary Lin -Date: Mon, 28 May 2018 17:42:56 +0800 -Subject: [PATCH 06/62] httpboot: allow the IPv4 gateway to be empty - -The gateway is not mandatory. - -Signed-off-by: Gary Lin -Upstream-commit-id: 69089e9c678 ---- - httpboot.c | 20 ++++++++++++++++++-- - 1 file changed, 18 insertions(+), 2 deletions(-) - -diff --git a/httpboot.c b/httpboot.c -index 6f27b01bf71..16dd6621f66 100644 ---- a/httpboot.c -+++ b/httpboot.c -@@ -299,7 +299,7 @@ out: - } - - static BOOLEAN --is_unspecified_addr (EFI_IPv6_ADDRESS ip6) -+is_unspecified_ip6addr (EFI_IPv6_ADDRESS ip6) - { - UINT8 i; - -@@ -351,7 +351,7 @@ set_ip6(EFI_HANDLE *nic, IPv6_DEVICE_PATH *ip6node) - } - - gateway = ip6node->GatewayIpAddress; -- if (is_unspecified_addr(gateway)) -+ if (is_unspecified_ip6addr(gateway)) - return EFI_SUCCESS; - - efi_status = ip6cfg->SetData(ip6cfg, Ip6ConfigDataTypeGateway, -@@ -365,6 +365,19 @@ set_ip6(EFI_HANDLE *nic, IPv6_DEVICE_PATH *ip6node) - return EFI_SUCCESS; - } - -+static BOOLEAN -+is_unspecified_ip4addr (EFI_IPv4_ADDRESS ip4) -+{ -+ UINT8 i; -+ -+ for (i = 0; i<4; i++) { -+ if (ip4.Addr[i] != 0) -+ return FALSE; -+ } -+ -+ return TRUE; -+} -+ - static inline void - print_ip4_addr(EFI_IPv4_ADDRESS ip4addr) - { -@@ -399,6 +412,9 @@ set_ip4(EFI_HANDLE *nic, IPv4_DEVICE_PATH *ip4node) - } - - gateway = ip4node->GatewayIpAddress; -+ if (is_unspecified_ip4addr(gateway)) -+ return EFI_SUCCESS; -+ - efi_status = ip4cfg2->SetData(ip4cfg2, Ip4Config2DataTypeGateway, - sizeof(gateway), &gateway); - if (EFI_ERROR(efi_status)) { --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0007-httpboot-show-the-error-message-for-the-ChildHandle.patch b/SPECS/shim-unsigned-x64/0007-httpboot-show-the-error-message-for-the-ChildHandle.patch deleted file mode 100644 index 8d42888518b..00000000000 --- a/SPECS/shim-unsigned-x64/0007-httpboot-show-the-error-message-for-the-ChildHandle.patch +++ /dev/null 
@@ -1,30 +0,0 @@
-From c2f645c7cd9872585e7b4522b01c368bb545258b Mon Sep 17 00:00:00 2001
-From: Gary Lin
-Date: Mon, 28 May 2018 18:03:39 +0800
-Subject: [PATCH 07/62] httpboot: show the error message for the ChildHandle
-
-Signed-off-by: Gary Lin
-Upstream-commit-id: 0fd3c7e8518
----
- httpboot.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/httpboot.c b/httpboot.c
-index 16dd6621f66..3622e85867c 100644
---- a/httpboot.c
-+++ b/httpboot.c
-@@ -696,8 +696,10 @@ http_fetch (EFI_HANDLE image, EFI_HANDLE device,
- /* Set the handle to NULL to request a new handle */
- http_handle = NULL;
- efi_status = service->CreateChild(service, &http_handle);
-- if (EFI_ERROR(efi_status))
-+ if (EFI_ERROR(efi_status)) {
-+ perror(L"Failed to create the ChildHandle\n");
- return efi_status;
-+ }
-
- /* Get the http protocol */
- efi_status = gBS->HandleProtocol(http_handle, &EFI_HTTP_PROTOCOL_GUID,
---
-2.26.2
-
diff --git a/SPECS/shim-unsigned-x64/0008-Fix-typo-in-debug-path-in-shim.h.patch b/SPECS/shim-unsigned-x64/0008-Fix-typo-in-debug-path-in-shim.h.patch
deleted file mode 100644
index be22b8340b6..00000000000
--- a/SPECS/shim-unsigned-x64/0008-Fix-typo-in-debug-path-in-shim.h.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 409b59af29b8749207a527c91dccba7eee98232b Mon Sep 17 00:00:00 2001
-From: Gary Lin
-Date: Wed, 23 May 2018 15:15:56 +0800
-Subject: [PATCH 08/62] Fix typo in debug path in shim.h
-
-Signed-off-by: Gary Lin
-Upstream-commit-id: a98c20bbdbb
----
- shim.h | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/shim.h b/shim.h
-index a25a660df6a..2b359d821e3 100644
---- a/shim.h
-+++ b/shim.h
-@@ -43,7 +43,7 @@
- #define EFI_ARCH L"x64"
- #endif
- #ifndef DEBUGDIR
--#define DEBUGDIR L"/usr/lub/debug/usr/share/shim/x64/"
-+#define DEBUGDIR L"/usr/lib/debug/usr/share/shim/x64/"
- #endif
- #endif
-
-@@ -58,7 +58,7 @@
- #define EFI_ARCH L"ia32"
- #endif
- #ifndef DEBUGDIR
--#define DEBUGDIR L"/usr/lub/debug/usr/share/shim/ia32/"
-+#define DEBUGDIR L"/usr/lib/debug/usr/share/shim/ia32/"
- #endif
- #endif
-
-@@ -73,7 +73,7 @@
- #define EFI_ARCH L"aa64"
- #endif
- #ifndef DEBUGDIR
--#define DEBUGDIR L"/usr/lub/debug/usr/share/shim/aa64/"
-+#define DEBUGDIR L"/usr/lib/debug/usr/share/shim/aa64/"
- #endif
- #endif
-
-@@ -88,7 +88,7 @@
- #define EFI_ARCH L"arm"
- #endif
- #ifndef DEBUGDIR
--#define DEBUGDIR L"/usr/lub/debug/usr/share/shim/arm/"
-+#define DEBUGDIR L"/usr/lib/debug/usr/share/shim/arm/"
- #endif
- #endif
-
---
-2.26.2
-
diff --git a/SPECS/shim-unsigned-x64/0009-MokManager-Stop-using-EFI_VARIABLE_APPEND_WRITE.patch b/SPECS/shim-unsigned-x64/0009-MokManager-Stop-using-EFI_VARIABLE_APPEND_WRITE.patch
deleted file mode 100644
index 1baa54bb470..00000000000
--- a/SPECS/shim-unsigned-x64/0009-MokManager-Stop-using-EFI_VARIABLE_APPEND_WRITE.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 85c837d67fef9cd831a3126398ed8da1421f61c5 Mon Sep 17 00:00:00 2001
-From: Gary Lin
-Date: Fri, 11 May 2018 16:59:03 +0800
-Subject: [PATCH 09/62] MokManager: Stop using EFI_VARIABLE_APPEND_WRITE
-
-When writing MokList with EFI_VARIABLE_APPEND_WRITE, some HP laptops
-may just return EFI_SUCCESS without writing the content into the flash,
-so we have no way to detect if MokList is updated or not. Now we always
-read MokList first and write it back with the new content.
-
-https://github.com/rhboot/shim/issues/105
-
-Signed-off-by: Gary Lin
-Upstream-commit-id: f442c8424b4
----
- MokManager.c | 11 +++--------
- 1 file changed, 3 insertions(+), 8 deletions(-)
-
-diff --git a/MokManager.c b/MokManager.c
-index 0767e4a6cde..df9b6fe6912 100644
---- a/MokManager.c
-+++ b/MokManager.c
-@@ -880,14 +880,9 @@ static EFI_STATUS write_db(CHAR16 * db_name, void *MokNew, UINTN MokNewSize)
- UINTN old_size;
- UINTN new_size;
-
-- efi_status = gRT->SetVariable(db_name, &SHIM_LOCK_GUID,
-- EFI_VARIABLE_NON_VOLATILE |
-- EFI_VARIABLE_BOOTSERVICE_ACCESS |
-- EFI_VARIABLE_APPEND_WRITE,
-- MokNewSize, MokNew);
-- if (!EFI_ERROR(efi_status) || efi_status != EFI_INVALID_PARAMETER) {
-- return efi_status;
-- }
-+ /* Do not use EFI_VARIABLE_APPEND_WRITE due to faulty firmwares.
-+ * ref: https://github.com/rhboot/shim/issues/55
-+ * https://github.com/rhboot/shim/issues/105 */
-
- efi_status = get_variable_attr(db_name, (UINT8 **)&old_data, &old_size,
- SHIM_LOCK_GUID, &attributes);
---
-2.26.2
-
diff --git a/SPECS/shim-unsigned-x64/0010-shim-Extend-invalid-reloc-size-warning-message.patch b/SPECS/shim-unsigned-x64/0010-shim-Extend-invalid-reloc-size-warning-message.patch
deleted file mode 100644
index 76d26e86668..00000000000
--- a/SPECS/shim-unsigned-x64/0010-shim-Extend-invalid-reloc-size-warning-message.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 956717e2b375d7c7f0faafec8f12a7692708eb9a Mon Sep 17 00:00:00 2001
-From: Paul Menzel
-Date: Wed, 23 May 2018 12:32:37 +0200
-Subject: [PATCH 10/62] shim: Extend invalid reloc size warning message
-
-Knowing the value of the reloc directory size is helpful for debugging,
-cf. issue #131 [1],
-
-[1]: https://github.com/rhboot/shim/issues/131
-
-Signed-off-by: Paul Menzel
-Upstream-commit-id: dd3230d07f3
----
- shim.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/shim.c b/shim.c
-index ff0817009cd..05fc65005d1 100644
---- a/shim.c
-+++ b/shim.c
-@@ -280,8 +280,14 @@ static EFI_STATUS relocate_coff (PE_COFF_LOADER_IMAGE_CONTEXT *context,
- while (RelocBase < RelocBaseEnd) {
- Reloc = (UINT16 *) ((char *) RelocBase + sizeof (EFI_IMAGE_BASE_RELOCATION));
-
-- if ((RelocBase->SizeOfBlock == 0) || (RelocBase->SizeOfBlock > context->RelocDir->Size)) {
-- perror(L"Reloc %d block size %d is invalid\n", n, RelocBase->SizeOfBlock);
-+ if (RelocBase->SizeOfBlock == 0) {
-+ perror(L"Reloc %d block size 0 is invalid\n", n);
-+ return EFI_UNSUPPORTED;
-+ } else if (RelocBase->SizeOfBlock > context->RelocDir->Size) {
-+ perror(L"Reloc %d block size %d greater than reloc dir"
-+ "size %d, which is invalid\n", n,
-+ RelocBase->SizeOfBlock,
-+ context->RelocDir->Size);
- return EFI_UNSUPPORTED;
- }
-
---
-2.26.2
-
diff --git a/SPECS/shim-unsigned-x64/0011-Add-GRUB-s-PCR-Usage-to-README.tpm.patch b/SPECS/shim-unsigned-x64/0011-Add-GRUB-s-PCR-Usage-to-README.tpm.patch
deleted file mode 100644
index 25197e0bc56..00000000000
--- a/SPECS/shim-unsigned-x64/0011-Add-GRUB-s-PCR-Usage-to-README.tpm.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From bd97e72f0490b2be766949f448bf6ea3ec2bba1a Mon Sep 17 00:00:00 2001
-From: Peter Jones
-Date: Wed, 1 Aug 2018 09:58:09 -0500
-Subject: [PATCH 11/62] Add GRUB's PCR Usage to README.tpm
-
-This didn't seem to get documented anywhere, and this is as good a place as any.
-Upstream-commit-id: 4fab7281a8c
----
- README.tpm | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/README.tpm b/README.tpm
-index b7314f12d57..d9c7c53483b 100644
---- a/README.tpm
-+++ b/README.tpm
-@@ -19,6 +19,15 @@ PCR7:
- - MokSBState will be extended into PCR7 if it is set, logged as
- "MokSBState".
-
-+PCR8:
-+- If you're using the grub2 TPM patchset we cary in Fedora, the kernel command
-+ line and all grub commands (including all of grub.cfg that gets run) are
-+ measured into PCR8.
-+
-+PCR9:
-+- If you're using the grub2 TPM patchset we cary in Fedora, the kernel,
-+ initramfs, and any multiboot modules loaded are measured into PCR9.
-+
- PCR14:
- - MokList, MokListX, and MokSBState will be extended into PCR14 if they are
- set.
---
-2.26.2
-
diff --git a/SPECS/shim-unsigned-x64/0012-Fix-the-compile-error-of-mkdir-wrong-directory.patch b/SPECS/shim-unsigned-x64/0012-Fix-the-compile-error-of-mkdir-wrong-directory.patch
deleted file mode 100644
index a71436e76a0..00000000000
--- a/SPECS/shim-unsigned-x64/0012-Fix-the-compile-error-of-mkdir-wrong-directory.patch
+++ /dev/null
@@ -1,36 +0,0 @@ -From c4e3516e303daa42b3381ddd889a90641717f720 Mon Sep 17 00:00:00 2001 -From: TanMing -Date: Tue, 21 Aug 2018 02:25:52 -0400 -Subject: [PATCH 12/62] Fix the compile error of mkdir wrong directory. - -In Ubuntu 14.04, the following code in old Makefile: - mkdir -p Cryptlib/{Hash,Hmac,Cipher,Rand,Pk,Pem,SysCall} -will create a directory named "{Hash,Hmac,Cipher,Rand,Pk,Pem,SysCall}". - -Signed-off-by: Ming Tan -Upstream-commit-id: 39b83455d68 ---- - Makefile | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/Makefile b/Makefile -index 115e7f08c0f..3f2105595a6 100644 ---- a/Makefile -+++ b/Makefile -@@ -102,11 +102,11 @@ $(MMSONAME): $(MOK_OBJS) Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a li - $(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a - - Cryptlib/libcryptlib.a: -- mkdir -p Cryptlib/{Hash,Hmac,Cipher,Rand,Pk,Pem,SysCall} -+ for i in Hash Hmac Cipher Rand Pk Pem SysCall; do mkdir -p Cryptlib/$$i; done - $(MAKE) VPATH=$(TOPDIR)/Cryptlib TOPDIR=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile - - Cryptlib/OpenSSL/libopenssl.a: -- mkdir -p Cryptlib/OpenSSL/crypto/{x509v3,x509,txt_db,stack,sha,rsa,rc4,rand,pkcs7,pkcs12,pem,ocsp,objects,modes,md5,lhash,kdf,hmac,evp,err,dso,dh,conf,comp,cmac,buffer,bn,bio,async{,/arch},asn1,aes}/ -+ for i in x509v3 x509 txt_db stack sha rsa rc4 rand pkcs7 pkcs12 pem ocsp objects modes md5 lhash kdf hmac evp err dso dh conf comp cmac buffer bn bio async/arch asn1 aes; do mkdir -p Cryptlib/OpenSSL/crypto/$$i; done - $(MAKE) VPATH=$(TOPDIR)/Cryptlib/OpenSSL TOPDIR=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile - - lib/lib.a: | $(TOPDIR)/lib/Makefile $(wildcard $(TOPDIR)/include/*.[ch]) --- -2.26.2 - 
diff --git a/SPECS/shim-unsigned-x64/0013-shim-Properly-generate-absolute-paths-from-relative-.patch b/SPECS/shim-unsigned-x64/0013-shim-Properly-generate-absolute-paths-from-relative-.patch deleted file mode 100644 index 00dfaeb05ff..00000000000 --- a/SPECS/shim-unsigned-x64/0013-shim-Properly-generate-absolute-paths-from-relative-.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From 79be2af5260b1f2e2a4680e74e14da0fdb42b570 Mon Sep 17 00:00:00 2001 -From: Javier Martinez Canillas -Date: Fri, 7 Sep 2018 14:11:02 +0200 -Subject: [PATCH 13/62] shim: Properly generate absolute paths from relative - image paths - -The generate_path_from_image_path() doesn't properly handle the case when -shim is invoked using a relative path (e.g: from the EFI shell). In that -function, always the last component is stripped from absolute file path -to calculate the dirname, and this is concatenated with the image path. - -But if the path is a relative one, the function will wrongly concatenate -the dirname with the relative image path, i.e: - - Shell> FS0: - FS0:\> cd EFI - FS0:\EFI\> BOOT\BOOTX64.EFI - Failed to open \EFI\BOOT\BOOT\BOOTX64.EFI - Not found - Failed to load image \EFI\BOOT\BOOT\BOOTX64.EFI: Not found - start_image() returned Not found - -Calculate the image path basename and concatenate that with the dirname. - -Signed-off-by: Javier Martinez Canillas -Reviewed-by: Maran Wilson maran.wilson@oracle.com -Tested-by: Maran Wilson maran.wilson@oracle.com -Upstream-commit-id: a625fa5096c ---- - shim.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/shim.c b/shim.c -index 05fc65005d1..5ab23d03db4 100644 ---- a/shim.c -+++ b/shim.c -@@ -1610,9 +1610,11 @@ static EFI_STATUS generate_path_from_image_path(EFI_LOADED_IMAGE *li, - bootpath[j] = '\0'; - } - -- while (*ImagePath == '\\') -- ImagePath++; -+ for (i = 0, last = 0; i < StrLen(ImagePath); i++) -+ if (ImagePath[i] == '\\') -+ last = i + 1; - -+ ImagePath = ImagePath + last; - *PathName = AllocatePool(StrSize(bootpath) + StrSize(ImagePath)); - - if (!*PathName) { --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0014-shim-Prevent-shim-to-set-itself-as-a-second-stage-lo.patch b/SPECS/shim-unsigned-x64/0014-shim-Prevent-shim-to-set-itself-as-a-second-stage-lo.patch deleted file mode 100644 index 34b9896d521..00000000000 
--- a/SPECS/shim-unsigned-x64/0014-shim-Prevent-shim-to-set-itself-as-a-second-stage-lo.patch +++ /dev/null 
@@ -1,77 +0,0 @@ -From 818a0dbd247f7c83d844febfa0a037b396d22701 Mon Sep 17 00:00:00 2001 -From: Javier Martinez Canillas -Date: Fri, 7 Sep 2018 15:10:51 +0200 -Subject: [PATCH 14/62] shim: Prevent shim to set itself as a second stage - loader - -When shim is invoked from a relative path (e.g: from the UEFI shell), the -Loaded Image handle LoadOptions can be set to the binary relative path. - -But the is_our_path() function only checks if LoadOptions is set to the -absolute path of shim to ignore it. So if a relative path is there, shim -would set itself as the secondary loader and invoke itself in a loop. - -To prevent that, use the path in LoadOptions to calculate the absolute -path and compare it with the one in the Loader Image handle FilePath. - -Resolves: bz#1622485 - -Signed-off-by: Javier Martinez Canillas -Reviewed-by: Maran Wilson maran.wilson@oracle.com -Tested-by: Maran Wilson maran.wilson@oracle.com -Upstream-commit-id: e563bc3dcd1 ---- - shim.c | 17 ++++++++++++++--- - 1 file changed, 14 insertions(+), 3 deletions(-) - -diff --git a/shim.c b/shim.c -index 5ab23d03db4..ae03da7eddf 100644 ---- a/shim.c -+++ b/shim.c -@@ -2086,21 +2086,32 @@ get_load_option_optional_data(UINT8 *data, UINTN data_size, - return EFI_SUCCESS; - } - --static int is_our_path(EFI_LOADED_IMAGE *li, CHAR16 *path, UINTN len) -+static int is_our_path(EFI_LOADED_IMAGE *li, CHAR16 *path) - { - CHAR16 *dppath = NULL; -+ CHAR16 *PathName = NULL; -+ EFI_STATUS efi_status; - int ret = 1; - - dppath = DevicePathToStr(li->FilePath); - if (!dppath) - return 0; - -+ efi_status = generate_path_from_image_path(li, path, &PathName); -+ if (EFI_ERROR(efi_status)) { -+ perror(L"Unable to generate path %s: %r\n", path, -+ efi_status); -+ goto done; -+ } -+ - dprint(L"dppath: %s\n", dppath); - dprint(L"path: %s\n", path); -- if (StrnCaseCmp(dppath, path, len)) -+ if (StrnCaseCmp(dppath, PathName, strlen(dppath))) - ret = 0; - -+done: - FreePool(dppath); -+ FreePool(PathName); - return ret; - } - -@@ 
-2289,7 +2300,7 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle) - - * which is just cruel... So yeah, just don't use it. - */ -- if (strings == 1 && is_our_path(li, start, loader_len)) -+ if (strings == 1 && is_our_path(li, start)) - return EFI_SUCCESS; - - /* --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0015-Fix-for-Section-0-has-negative-size-error-when-loadi.patch b/SPECS/shim-unsigned-x64/0015-Fix-for-Section-0-has-negative-size-error-when-loadi.patch deleted file mode 100644 index 419d8414e08..00000000000 --- a/SPECS/shim-unsigned-x64/0015-Fix-for-Section-0-has-negative-size-error-when-loadi.patch +++ /dev/null 
@@ -1,121 +0,0 @@ -From 3d04aef8d80293d701f7efee6b5300f9f528ddfc Mon Sep 17 00:00:00 2001 -From: Maran Wilson -Date: Tue, 7 Aug 2018 15:32:29 -0700 -Subject: [PATCH 15/62] Fix for "Section 0 has negative size" error when - loading fbaa64.efi - -The current code is incorrectly failing to load the fbaa64.efi image found -in Arm servers even though the UEFI shell code is able to properly load -and execute the same image. - -The problem is due to the presence of a section header that has zero size -and address and marked "discardable" in the fbaa64.efi image. - -Although there is already a check further down in the code to look for -the discardable bit and skip further verification checks if set, we never -get to that point due to the "end < base" check at the start of the loop. - -Here is a dump of the fbaa64.efi image as compiled on an Arm machine -from the latest code in this repo: - -% # First I used hexedit to change header byte from 'AA' to '86' -% # so that objdump was able to correctly parse the file: -% objdump -x -m aarch64 fbaa64.efi - -fbaa64.efi: file format pei-x86-64 -fbaa64.efi -architecture: i386:x86-64, flags 0x00000103: -HAS_RELOC, EXEC_P, D_PAGED -start address 0x0000000000000148 - -Characteristics 0x20e - executable - line numbers stripped - symbols stripped - debugging information removed - -Time/Date Wed Dec 31 16:00:00 1969 -Magic 020b (PE32+) -MajorLinkerVersion 2 -MinorLinkerVersion 20 -SizeOfCode 000b15d0 -SizeOfInitializedData 00000000 -SizeOfUninitializedData 00000000 -AddressOfEntryPoint 0000000000000148 -BaseOfCode 0000000000000148 -ImageBase 0000000000000000 -SectionAlignment 0000000000000020 -FileAlignment 0000000000000008 -MajorOSystemVersion 0 -MinorOSystemVersion 0 -MajorImageVersion 0 -MinorImageVersion 0 -MajorSubsystemVersion 0 -MinorSubsystemVersion 0 -Win32Version 00000000 -SizeOfImage 000b1718 -SizeOfHeaders 00000148 -CheckSum 00000000 -Subsystem 0000000a (EFI application) -DllCharacteristics 00000000 -SizeOfStackReserve 
0000000000000000 -SizeOfStackCommit 0000000000000000 -SizeOfHeapReserve 0000000000000000 -SizeOfHeapCommit 0000000000000000 -LoaderFlags 00000000 -NumberOfRvaAndSizes 00000006 - -The Data Directory -Entry 0 0000000000000000 00000000 Export Directory [.edata (or where ever we found it)] -Entry 1 0000000000000000 00000000 Import Directory [parts of .idata] -Entry 2 0000000000000000 00000000 Resource Directory [.rsrc] -Entry 3 0000000000000000 00000000 Exception Directory [.pdata] -Entry 4 0000000000000000 00000000 Security Directory -Entry 5 0000000000000000 00000000 Base Relocation Directory [.reloc] -Entry 6 0000000000000000 00000000 Debug Directory -Entry 7 0000000000000000 00000000 Description Directory -Entry 8 0000000000000000 00000000 Special Directory -Entry 9 0000000000000000 00000000 Thread Storage Directory [.tls] -Entry a 0000000000000000 00000000 Load Configuration Directory -Entry b 0000000000000000 00000000 Bound Import Directory -Entry c 0000000000000000 00000000 Import Address Table Directory -Entry d 0000000000000000 00000000 Delay Import Directory -Entry e 0000000000000000 00000000 CLR Runtime Header -Entry f 0000000000000000 00000000 Reserved - -Sections: -Idx Name Size VMA LMA File off Algn - 0 .reloc 00000000 0000000000000000 0000000000000000 00000000 2**0 - ALLOC, LOAD, READONLY, DATA - 1 .text 000b15d0 0000000000000148 0000000000000148 00000148 2**4 - CONTENTS, ALLOC, LOAD, CODE -SYMBOL TABLE: -no symbols - -Signed-off-by: Maran Wilson -Reviewed-by: Aaron Young -Reviewed-by: Jack Schwartz -Upstream-commit-id: 6df7a8f5609 ---- - shim.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/shim.c b/shim.c -index ae03da7eddf..d980cadacfc 100644 ---- a/shim.c -+++ b/shim.c -@@ -1347,6 +1347,11 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, - */ - Section = context.FirstSection; - for (i = 0; i < context.NumberOfSections; i++, Section++) { -+ /* Don't try to copy discardable sections with zero size */ -+ if 
((Section->Characteristics & EFI_IMAGE_SCN_MEM_DISCARDABLE) && -+ !Section->Misc.VirtualSize) -+ continue; -+ - base = ImageAddress (buffer, context.ImageSize, - Section->VirtualAddress); - end = ImageAddress (buffer, context.ImageSize, --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0016-Fix-apparent-typo-in-ARM-32-on-64-code.patch b/SPECS/shim-unsigned-x64/0016-Fix-apparent-typo-in-ARM-32-on-64-code.patch deleted file mode 100644 index 6163a19422f..00000000000 --- a/SPECS/shim-unsigned-x64/0016-Fix-apparent-typo-in-ARM-32-on-64-code.patch +++ /dev/null @@ -1,30 +0,0 @@ -From d5b72b322d5b7c6c115833c518e1aa5798076309 Mon Sep 17 00:00:00 2001 -From: dann frazier -Date: Mon, 14 Jan 2019 15:25:11 -0700 -Subject: [PATCH 16/62] Fix apparent typo in ARM 32-on-64 code - -The architecture is aarch64, not arch64. - -Fixes: 750584c20775 ("Make 64-on-32 maybe work on x86_64.") -Signed-off-by: dann frazier -Upstream-commit-id: e9f67aaa75a ---- - shim.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/shim.c b/shim.c -index d980cadacfc..e4d4fea226d 100644 ---- a/shim.c -+++ b/shim.c -@@ -150,7 +150,7 @@ allow_32_bit(void) - #endif - #elif defined(__i386__) || defined(__i686__) - return 1; --#elif defined(__arch64__) -+#elif defined(__aarch64__) - return 0; - #else /* assuming everything else is 32-bit... */ - return 1; --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0017-Makefile-do-not-run-git-on-clean-if-there-s-no-.git-.patch b/SPECS/shim-unsigned-x64/0017-Makefile-do-not-run-git-on-clean-if-there-s-no-.git-.patch deleted file mode 100644 index 961e531f1e3..00000000000 --- a/SPECS/shim-unsigned-x64/0017-Makefile-do-not-run-git-on-clean-if-there-s-no-.git-.patch +++ /dev/null 
@@ -1,32 +0,0 @@
-From 8544018093b8aa4311b1e970f8396140c22ede0b Mon Sep 17 00:00:00 2001
-From: Luca Boccassi
-Date: Mon, 14 Jan 2019 19:29:34 +0000
-Subject: [PATCH 17/62] Makefile: do not run git on clean if there's no .git
- directory
-
-When building in minimal chroot on build workers, like in Debian (where
-make clean is called at the beginning of the build process), git will
-not be available. Skip the git clean.
-
-Signed-off-by: Luca Boccassi
-Upstream-commit-id: be352762a01
----
- Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Makefile b/Makefile
-index 3f2105595a6..fd7e83dc764 100644
---- a/Makefile
-+++ b/Makefile
-@@ -225,7 +225,7 @@ clean-shim-objs:
- @rm -rvf $(TARGET) *.o $(SHIM_OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb $(BOOTCSVNAME)
- @rm -vf *.debug *.so *.efi *.efi.* *.tar.* version.c buildid
- @rm -vf Cryptlib/*.[oa] Cryptlib/*/*.[oa]
-- @git clean -f -d -e 'Cryptlib/OpenSSL/*'
-+ @if [ -d .git ] ; then git clean -f -d -e 'Cryptlib/OpenSSL/*'; fi
-
- clean: clean-shim-objs
- $(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean
---
-2.26.2
-
diff --git a/SPECS/shim-unsigned-x64/0018-Make.default-use-correct-flags-to-disable-unaligned-.patch b/SPECS/shim-unsigned-x64/0018-Make.default-use-correct-flags-to-disable-unaligned-.patch
deleted file mode 100644
index e934fa747a2..00000000000
--- a/SPECS/shim-unsigned-x64/0018-Make.default-use-correct-flags-to-disable-unaligned-.patch
+++ /dev/null
@@ -1,40 +0,0 @@ -From 7f080b30f3c3718d6b2533f62a50f373fd2cda21 Mon Sep 17 00:00:00 2001 -From: Peter Korsgaard -Date: Thu, 10 Jan 2019 23:34:11 +0100 -Subject: [PATCH 18/62] Make.default: use correct flags to disable unaligned - access for 32 bit ARM -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The GCC flag to disable unaligned access on 32bit ARM is --mno-unaligned-access, not -mstrict-align (which is used on aarch64): - -https://lkml.org/lkml/2018/8/3/294 - -Otherwise build dies with: -arm-linux-gnueabihf-gcc: error: unrecognized command line option - ‘-mstrict-align’; did you mean ‘-Wstrict-aliasing’? - -Signed-off-by: Peter Korsgaard -Upstream-commit-id: 41b93358e8c ---- - Make.defaults | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Make.defaults b/Make.defaults -index bbfc1d7f77b..09807bd8108 100644 ---- a/Make.defaults -+++ b/Make.defaults -@@ -72,7 +72,7 @@ ifeq ($(ARCH),aarch64) - ARCH_CFLAGS ?= - endif - ifeq ($(ARCH),arm) -- ARCH_CFLAGS ?= -DMDE_CPU_ARM -DPAGE_SIZE=4096 -mstrict-align -+ ARCH_CFLAGS ?= -DMDE_CPU_ARM -DPAGE_SIZE=4096 -mno-unaligned-access - LIBDIR ?= $(prefix)/lib - ARCH_SUFFIX ?= arm - ARCH_SUFFIX_UPPER ?= ARM --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0019-Cryptlib-fix-build-on-32bit-ARM.patch b/SPECS/shim-unsigned-x64/0019-Cryptlib-fix-build-on-32bit-ARM.patch deleted file mode 100644 index 9ef4f677fab..00000000000 --- a/SPECS/shim-unsigned-x64/0019-Cryptlib-fix-build-on-32bit-ARM.patch +++ /dev/null 
@@ -1,34 +0,0 @@
-From ee832f21c6706d6b3890d82f9d8bcb2bd249ee04 Mon Sep 17 00:00:00 2001
-From: Peter Korsgaard
-Date: Fri, 11 Jan 2019 09:17:42 +0100
-Subject: [PATCH 19/62] Cryptlib: fix build on 32bit ARM
-
-Pass MDE_CPU_ARM, similar to how it is done for the other supported
-architectures, otherwise the build fails in:
-
-Cryptlib/Include/OpenSslSupport.h:55:2: error:
- #error Unknown target architecture
-
-Signed-off-by: Peter Korsgaard
-Upstream-commit-id: cb83c14628b
----
- Cryptlib/Makefile | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile
-index 2aa569594a0..5c098f34cec 100644
---- a/Cryptlib/Makefile
-+++ b/Cryptlib/Makefile
-@@ -19,6 +19,9 @@ endif
- ifeq ($(ARCH),aarch64)
- CFLAGS += -DMDE_CPU_AARCH64
- endif
-+ifeq ($(ARCH),arm)
-+ CFLAGS += -DMDE_CPU_ARM
-+endif
- LDFLAGS = -nostdlib -znocombreloc
-
- TARGET = libcryptlib.a
---
-2.26.2
-
diff --git a/SPECS/shim-unsigned-x64/0020-Make-sure-that-MOK-variables-always-get-mirrored.patch b/SPECS/shim-unsigned-x64/0020-Make-sure-that-MOK-variables-always-get-mirrored.patch
deleted file mode 100644
index ca6f732fc7e..00000000000
--- a/SPECS/shim-unsigned-x64/0020-Make-sure-that-MOK-variables-always-get-mirrored.patch
+++ /dev/null
@@ -1,61 +0,0 @@ -From ac0400b20264ef67b67891d2216edd3fe20e5571 Mon Sep 17 00:00:00 2001 -From: Patrick Uiterwijk -Date: Mon, 5 Nov 2018 14:51:16 +0100 -Subject: [PATCH 20/62] Make sure that MOK variables always get mirrored - -Without this, if a Mok variable doesn't exist in Boot Services, it will also -not be copied to Runtime, even if we have data to be added to it (vendor cert). -This patch makes sure that if we have extra data to append, we still mirror -the variable. - -Signed-off-by: Patrick Uiterwijk -Upstream-commit-id: 9ab0d796bdc ---- - mok.c | 20 ++++++++++++++++---- - 1 file changed, 16 insertions(+), 4 deletions(-) - -diff --git a/mok.c b/mok.c -index 38675211e0e..00dd1ad3034 100644 ---- a/mok.c -+++ b/mok.c -@@ -223,11 +223,26 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) - UINT32 attrs = 0; - BOOLEAN delete = FALSE, present, addend; - -+ addend = (v->addend_source && v->addend_size && -+ *v->addend_source && *v->addend_size) -+ ? TRUE : FALSE; -+ - efi_status = get_variable_attr(v->name, - &v->data, &v->data_size, - *v->guid, &attrs); -- if (efi_status == EFI_NOT_FOUND) -+ if (efi_status == EFI_NOT_FOUND) { -+ if (v->rtname && addend) { -+ efi_status = mirror_one_mok_variable(v); -+ if (EFI_ERROR(efi_status) && -+ ret != EFI_SECURITY_VIOLATION) -+ ret = efi_status; -+ } -+ /* -+ * after possibly adding, we can continue, no -+ * further checks to be done. -+ */ - continue; -+ } - if (EFI_ERROR(efi_status)) { - perror(L"Could not verify %s: %r\n", v->name, - efi_status); -@@ -272,9 +287,6 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) - } - - present = (v->data && v->data_size) ? TRUE : FALSE; -- addend = (v->addend_source && v->addend_size && -- *v->addend_source && *v->addend_size) -- ? TRUE : FALSE; - - if (v->flags & MOK_VARIABLE_MEASURE && present) { - /* --- -2.26.2 - 
diff --git a/SPECS/shim-unsigned-x64/0021-mok-fix-the-mirroring-of-RT-variables.patch b/SPECS/shim-unsigned-x64/0021-mok-fix-the-mirroring-of-RT-variables.patch deleted file mode 100644 index 135788e6e77..00000000000 --- a/SPECS/shim-unsigned-x64/0021-mok-fix-the-mirroring-of-RT-variables.patch +++ /dev/null @@ -1,50 +0,0 @@ -From f748139695384fb4e09833898f0b8cb3ab85d810 Mon Sep 17 00:00:00 2001 -From: Gary Lin -Date: Wed, 21 Nov 2018 12:47:43 +0800 -Subject: [PATCH 21/62] mok: fix the mirroring of RT variables - -When there is no key in MokList, import_mok_state() just skipped MokList -even though it should always mirror the vendor cert. Besides, the faulty -check of 'present' and 'addend' invalidates the mirroring of MokListXRT, -MokSBStateRT, and MokIgnoreDB. - -https://github.com/rhboot/shim/issues/154 - -Signed-off-by: Gary Lin -Upstream-commit-id: 4b27ae034ba ---- - mok.c | 11 ++++------- - 1 file changed, 4 insertions(+), 7 deletions(-) - -diff --git a/mok.c b/mok.c -index 00dd1ad3034..41925abbb49 100644 ---- a/mok.c -+++ b/mok.c -@@ -231,12 +231,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) - &v->data, &v->data_size, - *v->guid, &attrs); - if (efi_status == EFI_NOT_FOUND) { -- if (v->rtname && addend) { -- efi_status = mirror_one_mok_variable(v); -- if (EFI_ERROR(efi_status) && -- ret != EFI_SECURITY_VIOLATION) -- ret = efi_status; -- } -+ if (addend) -+ goto mirror_addend; - /* - * after possibly adding, we can continue, no - * further checks to be done. -@@ -316,7 +312,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) - } - } - -- if (v->rtname && present && addend) { -+mirror_addend: -+ if (v->rtname && (present || addend)) { - if (v->flags & MOK_MIRROR_DELETE_FIRST) - LibDeleteVariable(v->rtname, v->guid); - --- -2.26.2 - 
diff --git a/SPECS/shim-unsigned-x64/0022-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch b/SPECS/shim-unsigned-x64/0022-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch deleted file mode 100644 index bd8d9cfb2c2..00000000000 --- a/SPECS/shim-unsigned-x64/0022-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch +++ /dev/null 
@@ -1,110 +0,0 @@ -From ff6e5cda136c8fd637d3d6b8334f4f221ba2b1ee Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 31 Jan 2019 13:45:30 -0500 -Subject: [PATCH 22/62] mok: consolidate mirroring code in a helper instead of - using goto - -There's no reason to complicate the logic with a goto here, instead just -pull the logic we're jumping to out to a helper function. - -Signed-off-by: Peter Jones -Upstream-commit-id: 29c11483101 ---- - mok.c | 42 +++++++++++++++++++++++++++++------------- - shim.h | 2 ++ - 2 files changed, 31 insertions(+), 13 deletions(-) - -diff --git a/mok.c b/mok.c -index 41925abbb49..2b9d796a0e8 100644 ---- a/mok.c -+++ b/mok.c -@@ -130,7 +130,8 @@ struct mok_state_variable mok_state_variables[] = { - { NULL, } - }; - --static EFI_STATUS mirror_one_mok_variable(struct mok_state_variable *v) -+static EFI_STATUS nonnull(1) -+mirror_one_mok_variable(struct mok_state_variable *v) - { - EFI_STATUS efi_status = EFI_SUCCESS; - void *FullData = NULL; -@@ -196,6 +197,29 @@ static EFI_STATUS mirror_one_mok_variable(struct mok_state_variable *v) - return efi_status; - } - -+/* -+ * Mirror a variable if it has an rtname, and preserve any -+ * EFI_SECURITY_VIOLATION status at the same time. -+ */ -+static EFI_STATUS nonnull(1) -+maybe_mirror_one_mok_variable(struct mok_state_variable *v, EFI_STATUS ret) -+{ -+ EFI_STATUS efi_status; -+ if (v->rtname) { -+ if (v->flags & MOK_MIRROR_DELETE_FIRST) -+ LibDeleteVariable(v->rtname, v->guid); -+ -+ efi_status = mirror_one_mok_variable(v); -+ if (EFI_ERROR(efi_status)) { -+ if (ret != EFI_SECURITY_VIOLATION) -+ ret = efi_status; -+ perror(L"Could not create %s: %r\n", v->rtname, -+ efi_status); -+ } -+ } -+ return ret; -+} -+ - /* - * Verify our non-volatile MoK state. This checks the variables above - * accessable and have valid attributes. 
If they don't, it removes -@@ -232,7 +256,7 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) - *v->guid, &attrs); - if (efi_status == EFI_NOT_FOUND) { - if (addend) -- goto mirror_addend; -+ ret = maybe_mirror_one_mok_variable(v, ret); - /* - * after possibly adding, we can continue, no - * further checks to be done. -@@ -312,16 +336,8 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) - } - } - --mirror_addend: -- if (v->rtname && (present || addend)) { -- if (v->flags & MOK_MIRROR_DELETE_FIRST) -- LibDeleteVariable(v->rtname, v->guid); -- -- efi_status = mirror_one_mok_variable(v); -- if (EFI_ERROR(efi_status) && -- ret != EFI_SECURITY_VIOLATION) -- ret = efi_status; -- } -+ if (present) -+ ret = maybe_mirror_one_mok_variable(v, ret); - } - - /* -@@ -340,4 +356,4 @@ mirror_addend: - return ret; - } - --// vim:fenc=utf-8:tw=75 -+// vim:fenc=utf-8:tw=75:noet -diff --git a/shim.h b/shim.h -index 2b359d821e3..c26d5f06538 100644 ---- a/shim.h -+++ b/shim.h -@@ -30,6 +30,8 @@ - - #include - -+#define nonnull(...) __attribute__((__nonnull__(__VA_ARGS__))) -+ - #define min(a, b) ({(a) < (b) ? (a) : (b);}) - - #ifdef __x86_64__ --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0023-shim-only-include-shim_cert.h-in-shim.c.patch b/SPECS/shim-unsigned-x64/0023-shim-only-include-shim_cert.h-in-shim.c.patch deleted file mode 100644 index fce89631931..00000000000 --- a/SPECS/shim-unsigned-x64/0023-shim-only-include-shim_cert.h-in-shim.c.patch +++ /dev/null 
@@ -1,82 +0,0 @@ -From 7a3638173e406ce7cbd682213606e3152244fcb2 Mon Sep 17 00:00:00 2001 -From: Gary Lin -Date: Wed, 19 Dec 2018 11:27:42 +0800 -Subject: [PATCH 23/62] shim: only include shim_cert.h in shim.c - -The shim_cert array was declared as a static array, and every user of -shim_cert.h would create a shim_cert array for its own and grow the file -size. To remove the unnecessary duplicate shim_cert arrays, this commit -declares shim_cert in shim.c while other users still can access the -array through the external variables: build_cert and build_cert_size. - -Signed-off-by: Gary Lin -Upstream-commit-id: 4e2d62f0f4e ---- - shim.c | 11 +++++++++++ - shim.h | 7 ++++--- - 2 files changed, 15 insertions(+), 3 deletions(-) - -diff --git a/shim.c b/shim.c -index e4d4fea226d..0a95f94b360 100644 ---- a/shim.c -+++ b/shim.c -@@ -34,6 +34,9 @@ - */ - - #include "shim.h" -+#if defined(ENABLE_SHIM_CERT) -+#include "shim_cert.h" -+#endif /* defined(ENABLE_SHIM_CERT) */ - - #include - #include -@@ -75,6 +78,10 @@ UINT32 vendor_cert_size; - UINT32 vendor_dbx_size; - UINT8 *vendor_cert; - UINT8 *vendor_dbx; -+#if defined(ENABLE_SHIM_CERT) -+UINT32 build_cert_size; -+UINT8 *build_cert; -+#endif /* defined(ENABLE_SHIM_CERT) */ - - /* - * indicator of how an image has been verified -@@ -2562,6 +2569,10 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab) - vendor_dbx_size = cert_table.vendor_dbx_size; - vendor_cert = (UINT8 *)&cert_table + cert_table.vendor_cert_offset; - vendor_dbx = (UINT8 *)&cert_table + cert_table.vendor_dbx_offset; -+#if defined(ENABLE_SHIM_CERT) -+ build_cert_size = sizeof(shim_cert); -+ build_cert = shim_cert; -+#endif /* defined(ENABLE_SHIM_CERT) */ - CHAR16 *msgs[] = { - L"import_mok_state() failed\n", - L"shim_int() failed\n", -diff --git a/shim.h b/shim.h -index c26d5f06538..e4d40505f09 100644 ---- a/shim.h -+++ b/shim.h -@@ -122,9 +122,6 @@ - #include "include/variables.h" - - #include "version.h" --#ifdef ENABLE_SHIM_CERT 
--#include "shim_cert.h" --#endif - - INTERFACE_DECL(_SHIM_LOCK); - -@@ -172,6 +169,10 @@ extern UINT32 vendor_cert_size; - extern UINT32 vendor_dbx_size; - extern UINT8 *vendor_cert; - extern UINT8 *vendor_dbx; -+#if defined(ENABLE_SHIM_CERT) -+extern UINT32 build_cert_size; -+extern UINT8 *build_cert; -+#endif /* defined(ENABLE_SHIM_CERT) */ - - extern UINT8 user_insecure_mode; - extern UINT8 ignore_db; --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0024-mok-also-mirror-the-build-cert-to-MokListRT.patch b/SPECS/shim-unsigned-x64/0024-mok-also-mirror-the-build-cert-to-MokListRT.patch deleted file mode 100644 index d331df47557..00000000000 --- a/SPECS/shim-unsigned-x64/0024-mok-also-mirror-the-build-cert-to-MokListRT.patch +++ /dev/null 
@@ -1,153 +0,0 @@ -From 3d62232feb296b238ca5d7963ba40a2c346767e7 Mon Sep 17 00:00:00 2001 -From: Gary Lin -Date: Wed, 19 Dec 2018 12:40:02 +0800 -Subject: [PATCH 24/62] mok: also mirror the build cert to MokListRT - -If the build cert is enabled, we should also mirror it to MokListRT. - -Signed-off-by: Gary Lin -Upstream-commit-id: aecbe1f99b6 ---- - mok.c | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++----- - 1 file changed, 72 insertions(+), 6 deletions(-) - -diff --git a/mok.c b/mok.c -index 2b9d796a0e8..6150d8c8868 100644 ---- a/mok.c -+++ b/mok.c -@@ -68,6 +68,10 @@ struct mok_state_variable { - */ - UINT8 **addend_source; - UINT32 *addend_size; -+#if defined(ENABLE_SHIM_CERT) -+ UINT8 **build_cert; -+ UINT32 *build_cert_size; -+#endif /* defined(ENABLE_SHIM_CERT) */ - UINT32 yes_attr; - UINT32 no_attr; - UINT32 flags; -@@ -90,6 +94,10 @@ struct mok_state_variable mok_state_variables[] = { - .no_attr = EFI_VARIABLE_RUNTIME_ACCESS, - .addend_source = &vendor_cert, - .addend_size = &vendor_cert_size, -+#if defined(ENABLE_SHIM_CERT) -+ .build_cert = &build_cert, -+ .build_cert_size = &build_cert_size, -+#endif /* defined(ENABLE_SHIM_CERT) */ - .flags = MOK_MIRROR_KEYDB | - MOK_VARIABLE_LOG, - .pcr = 14, -@@ -130,6 +138,22 @@ struct mok_state_variable mok_state_variables[] = { - { NULL, } - }; - -+inline BOOLEAN check_vendor_cert(struct mok_state_variable *v) -+{ -+ return (v->addend_source && v->addend_size && -+ *v->addend_source && *v->addend_size) ? TRUE : FALSE; -+} -+#if defined(ENABLE_SHIM_CERT) -+inline BOOLEAN check_build_cert(struct mok_state_variable *v) -+{ -+ return (v->build_cert && v->build_cert_size && -+ *v->build_cert && *v->build_cert_size) ? 
TRUE : FALSE; -+} -+#define check_addend(v) (check_vendor_cert(v) || check_build_cert(v)) -+#else -+#define check_addend(v) check_vendor_cert(v) -+#endif /* defined(ENABLE_SHIM_CERT) */ -+ - static EFI_STATUS nonnull(1) - mirror_one_mok_variable(struct mok_state_variable *v) - { -@@ -138,15 +162,27 @@ mirror_one_mok_variable(struct mok_state_variable *v) - UINTN FullDataSize = 0; - uint8_t *p = NULL; - -- if ((v->flags & MOK_MIRROR_KEYDB) && -- v->addend_source && *v->addend_source && -- v->addend_size && *v->addend_size) { -+ if ((v->flags & MOK_MIRROR_KEYDB) && check_addend(v)) { - EFI_SIGNATURE_LIST *CertList = NULL; - EFI_SIGNATURE_DATA *CertData = NULL; -+#if defined(ENABLE_SHIM_CERT) -+ FullDataSize = v->data_size; -+ if (check_build_cert(v)) { -+ FullDataSize += sizeof (*CertList) -+ + sizeof (EFI_GUID) -+ + *v->build_cert_size; -+ } -+ if (check_vendor_cert(v)) { -+ FullDataSize += sizeof (*CertList) -+ + sizeof (EFI_GUID) -+ + *v->addend_size; -+ } -+#else - FullDataSize = v->data_size - + sizeof (*CertList) - + sizeof (EFI_GUID) - + *v->addend_size; -+#endif /* defined(ENABLE_SHIM_CERT) */ - FullData = AllocatePool(FullDataSize); - if (!FullData) { - perror(L"Failed to allocate space for MokListRT\n"); -@@ -158,6 +194,35 @@ mirror_one_mok_variable(struct mok_state_variable *v) - CopyMem(p, v->data, v->data_size); - p += v->data_size; - } -+ -+#if defined(ENABLE_SHIM_CERT) -+ if (check_build_cert(v) == FALSE) -+ goto skip_build_cert; -+ -+ CertList = (EFI_SIGNATURE_LIST *)p; -+ p += sizeof (*CertList); -+ CertData = (EFI_SIGNATURE_DATA *)p; -+ p += sizeof (EFI_GUID); -+ -+ CertList->SignatureType = EFI_CERT_TYPE_X509_GUID; -+ CertList->SignatureListSize = *v->build_cert_size -+ + sizeof (*CertList) -+ + sizeof (*CertData) -+ -1; -+ CertList->SignatureHeaderSize = 0; -+ CertList->SignatureSize = *v->build_cert_size + -+ sizeof (EFI_GUID); -+ -+ CertData->SignatureOwner = SHIM_LOCK_GUID; -+ CopyMem(p, *v->build_cert, *v->build_cert_size); -+ -+ p += 
*v->build_cert_size; -+ -+ if (check_vendor_cert(v) == FALSE) -+ goto skip_vendor_cert; -+skip_build_cert: -+#endif /* defined(ENABLE_SHIM_CERT) */ -+ - CertList = (EFI_SIGNATURE_LIST *)p; - p += sizeof (*CertList); - CertData = (EFI_SIGNATURE_DATA *)p; -@@ -174,6 +239,9 @@ mirror_one_mok_variable(struct mok_state_variable *v) - CertData->SignatureOwner = SHIM_LOCK_GUID; - CopyMem(p, *v->addend_source, *v->addend_size); - -+#if defined(ENABLE_SHIM_CERT) -+skip_vendor_cert: -+#endif /* defined(ENABLE_SHIM_CERT) */ - if (v->data && v->data_size) - FreePool(v->data); - v->data = FullData; -@@ -247,9 +315,7 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) - UINT32 attrs = 0; - BOOLEAN delete = FALSE, present, addend; - -- addend = (v->addend_source && v->addend_size && -- *v->addend_source && *v->addend_size) -- ? TRUE : FALSE; -+ addend = check_addend(v); - - efi_status = get_variable_attr(v->name, - &v->data, &v->data_size, --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0025-mok-minor-cleanups.patch b/SPECS/shim-unsigned-x64/0025-mok-minor-cleanups.patch deleted file mode 100644 index 98120d36a74..00000000000 --- a/SPECS/shim-unsigned-x64/0025-mok-minor-cleanups.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From ff890cf45224926574eee93b0ea1494468870bd3 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 31 Jan 2019 14:04:57 -0500 -Subject: [PATCH 25/62] mok: minor cleanups - -Signed-off-by: Peter Jones -Upstream-commit-id: 617b9007668 ---- - mok.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/mok.c b/mok.c -index 6150d8c8868..59630e74425 100644 ---- a/mok.c -+++ b/mok.c -@@ -138,13 +138,16 @@ struct mok_state_variable mok_state_variables[] = { - { NULL, } - }; - --inline BOOLEAN check_vendor_cert(struct mok_state_variable *v) -+static inline BOOLEAN nonnull(1) -+check_vendor_cert(struct mok_state_variable *v) - { - return (v->addend_source && v->addend_size && - *v->addend_source && *v->addend_size) ? TRUE : FALSE; - } -+ - #if defined(ENABLE_SHIM_CERT) --inline BOOLEAN check_build_cert(struct mok_state_variable *v) -+static inline BOOLEAN nonnull(1) -+check_build_cert(struct mok_state_variable *v) - { - return (v->build_cert && v->build_cert_size && - *v->build_cert && *v->build_cert_size) ? TRUE : FALSE; --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0026-Remove-call-to-TPM2-get_event_log.patch b/SPECS/shim-unsigned-x64/0026-Remove-call-to-TPM2-get_event_log.patch deleted file mode 100644 index 30b8374ad3f..00000000000 --- a/SPECS/shim-unsigned-x64/0026-Remove-call-to-TPM2-get_event_log.patch +++ /dev/null 
@@ -1,91 +0,0 @@ -From cf3f99c3b1e11c8c83938784975331db5efb410f Mon Sep 17 00:00:00 2001 -From: Matthew Garrett -Date: Tue, 11 Dec 2018 15:25:44 -0800 -Subject: [PATCH 26/62] Remove call to TPM2 get_event_log() - -Calling the TPM2 get_event_log causes the firmware to start logging -events to the final events table, but implementations may also continue -logging to the boot services event log. Any OS that wishes to -reconstruct the full PCR state must already look at both the final -events log and the boot services event log, so if this call is made -anywhere other than immediately before ExitBootServices() then the OS -must deduplicate events that occur in both, complicating things -immensely. - -Linux already has support for copying up the boot services event log -across the ExitBootServices() boundary, so there's no reason to make -this call. Remove it. - -Signed-off-by: Matthew Garrett -Upstream-commit-id: fd7c3bd920b ---- - tpm.c | 46 ---------------------------------------------- - 1 file changed, 46 deletions(-) - -diff --git a/tpm.c b/tpm.c -index 674e69b715f..f07362c70bb 100644 ---- a/tpm.c -+++ b/tpm.c -@@ -70,41 +70,6 @@ static BOOLEAN tpm2_present(EFI_TCG2_BOOT_SERVICE_CAPABILITY *caps, - return FALSE; - } - --static inline EFI_TCG2_EVENT_LOG_BITMAP --tpm2_get_supported_logs(efi_tpm2_protocol_t *tpm, -- EFI_TCG2_BOOT_SERVICE_CAPABILITY *caps, -- BOOLEAN old_caps) --{ -- if (old_caps) -- return ((TREE_BOOT_SERVICE_CAPABILITY *)caps)->SupportedEventLogs; -- -- return caps->SupportedEventLogs; --} -- --/* -- * According to TCG EFI Protocol Specification for TPM 2.0 family, -- * all events generated after the invocation of EFI_TCG2_GET_EVENT_LOG -- * shall be stored in an instance of an EFI_CONFIGURATION_TABLE aka -- * EFI TCG 2.0 final events table. Hence, it is necessary to trigger the -- * internal switch through calling get_event_log() in order to allow -- * to retrieve the logs from OS runtime. 
-- */ --static EFI_STATUS trigger_tcg2_final_events_table(efi_tpm2_protocol_t *tpm2, -- EFI_TCG2_EVENT_LOG_BITMAP supported_logs) --{ -- EFI_TCG2_EVENT_LOG_FORMAT log_fmt; -- EFI_PHYSICAL_ADDRESS start; -- EFI_PHYSICAL_ADDRESS end; -- BOOLEAN truncated; -- -- if (supported_logs & EFI_TCG2_EVENT_LOG_FORMAT_TCG_2) -- log_fmt = EFI_TCG2_EVENT_LOG_FORMAT_TCG_2; -- else -- log_fmt = EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2; -- -- return tpm2->get_event_log(tpm2, log_fmt, &start, &end, &truncated); --} -- - static EFI_STATUS tpm_locate_protocol(efi_tpm_protocol_t **tpm, - efi_tpm2_protocol_t **tpm2, - BOOLEAN *old_caps_p, -@@ -166,17 +131,6 @@ static EFI_STATUS tpm_log_event_raw(EFI_PHYSICAL_ADDRESS buf, UINTN size, - #endif - } else if (tpm2) { - EFI_TCG2_EVENT *event; -- EFI_TCG2_EVENT_LOG_BITMAP supported_logs; -- -- supported_logs = tpm2_get_supported_logs(tpm2, &caps, old_caps); -- -- efi_status = trigger_tcg2_final_events_table(tpm2, -- supported_logs); -- if (EFI_ERROR(efi_status)) { -- perror(L"Unable to trigger tcg2 final events table: %r\n", -- efi_status); -- return efi_status; -- } - - event = AllocatePool(sizeof(*event) + logsize); - if (!event) { --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0027-Make-EFI-variable-copying-fatal-only-on-secureboot-e.patch b/SPECS/shim-unsigned-x64/0027-Make-EFI-variable-copying-fatal-only-on-secureboot-e.patch deleted file mode 100644 index d07e6e2832a..00000000000 --- a/SPECS/shim-unsigned-x64/0027-Make-EFI-variable-copying-fatal-only-on-secureboot-e.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 95bd1d88003a9a7c2732472b061ad2a9c7140419 Mon Sep 17 00:00:00 2001 -From: Patrick Uiterwijk -Date: Thu, 6 Dec 2018 10:08:45 +0100 -Subject: [PATCH 27/62] Make EFI variable copying fatal only on secureboot - enabled systems - -I have come across systems that are unwilling to reserve enough memory for -a MokListRT big enough for big certificates. -This seems to be the case with firmware implementations that do not support -secureboot, which is probably the reason they went with much lower variable -storage. - -This patch set makes sure we can still boot on those systems, by only -making the copy action fatal if the system has secure boot enabled, or if -the error was anything other than EFI_INVALID_PARAMETER. - -Signed-off-by: Patrick Uiterwijk -Upstream-commit-id: 741c61abba7 ---- - shim.c | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - -diff --git a/shim.c b/shim.c -index 0a95f94b360..d4ed332f901 100644 ---- a/shim.c -+++ b/shim.c -@@ -2609,7 +2609,17 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab) - * boot-services-only state variables are what we think they are. - */ - efi_status = import_mok_state(image_handle); -- if (EFI_ERROR(efi_status)) { -+ if (!secure_mode() && efi_status == EFI_INVALID_PARAMETER) { -+ /* -+ * Make copy failures fatal only if secure_mode is enabled, or -+ * the error was anything else than EFI_INVALID_PARAMETER. -+ * There are non-secureboot firmware implementations that don't -+ * reserve enough EFI variable memory to fit the variable. -+ */ -+ console_print(L"Importing MOK states has failed: %s: %r\n", -+ msgs[msg], efi_status); -+ console_print(L"Continuing boot since secure mode is disabled"); -+ } else if (EFI_ERROR(efi_status)) { - die: - console_print(L"Something has gone seriously wrong: %s: %r\n", - msgs[msg], efi_status); --- -2.26.2 - 
diff --git a/SPECS/shim-unsigned-x64/0028-VLogError-Avoid-NULL-pointer-dereferences-in-V-Sprin.patch b/SPECS/shim-unsigned-x64/0028-VLogError-Avoid-NULL-pointer-dereferences-in-V-Sprin.patch deleted file mode 100644 index c671a9a7072..00000000000 --- a/SPECS/shim-unsigned-x64/0028-VLogError-Avoid-NULL-pointer-dereferences-in-V-Sprin.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -From 344a8364cb05cdaafc43231d0f73d5217c4e118c Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 12 Feb 2019 18:04:49 -0500 -Subject: [PATCH 28/62] VLogError(): Avoid NULL pointer dereferences in - (V)Sprint calls - -VLogError() calculates the size of format strings by using calls to -SPrint and VSPrint with a StrSize of 0 and NULL for an output buffer. -Unfortunately, this is an incorrect usage of (V)Sprint. A StrSize -of "0" is special-cased to mean "there is no limit". So, we end up -writing our string to address 0x0. This was discovered because it -causes a crash on ARM where, unlike x86, it does not necessarily -have memory mapped at 0x0. - -Avoid the (V)Sprint calls altogether by using (V)PoolPrint, which -handles the size calculation and allocation for us. - -Signed-off-by: Peter Jones -Fixes: 25f6fd08cd26 ("try to show errors more usefully.") -[dannf: commit message ] -Signed-off-by: dann frazier -Upstream-commit-id: 20e731f423a ---- - errlog.c | 15 +++------------ - 1 file changed, 3 insertions(+), 12 deletions(-) - -diff --git a/errlog.c b/errlog.c -index 18be4822d53..eebb266d396 100644 ---- a/errlog.c -+++ b/errlog.c -@@ -14,29 +14,20 @@ EFI_STATUS - VLogError(const char *file, int line, const char *func, CHAR16 *fmt, va_list args) - { - va_list args2; -- UINTN size = 0, size2; - CHAR16 **newerrs; - -- size = SPrint(NULL, 0, L"%a:%d %a() ", file, line, func); -- va_copy(args2, args); -- size2 = VSPrint(NULL, 0, fmt, args2); -- va_end(args2); -- - newerrs = ReallocatePool(errs, (nerrs + 1) * sizeof(*errs), - (nerrs + 3) * sizeof(*errs)); - if (!newerrs) - return EFI_OUT_OF_RESOURCES; - -- newerrs[nerrs] = AllocatePool(size*2+2); -+ newerrs[nerrs] = PoolPrint(L"%a:%d %a() ", file, line, func); - if (!newerrs[nerrs]) - return EFI_OUT_OF_RESOURCES; -- newerrs[nerrs+1] = AllocatePool(size2*2+2); -+ va_copy(args2, args); -+ newerrs[nerrs+1] = VPoolPrint(fmt, args2); - if (!newerrs[nerrs+1]) - return EFI_OUT_OF_RESOURCES; -- -- 
SPrint(newerrs[nerrs], size*2+2, L"%a:%d %a() ", file, line, func); -- va_copy(args2, args); -- VSPrint(newerrs[nerrs+1], size2*2+2, fmt, args2); - va_end(args2); - - nerrs += 2; --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0029-Once-again-try-even-harder-to-get-binaries-without-t.patch b/SPECS/shim-unsigned-x64/0029-Once-again-try-even-harder-to-get-binaries-without-t.patch deleted file mode 100644 index 617ae6a908d..00000000000 --- a/SPECS/shim-unsigned-x64/0029-Once-again-try-even-harder-to-get-binaries-without-t.patch +++ /dev/null 
@@ -1,98 +0,0 @@ -From 10d6e3d90f1ea504a1dedaea50478c444e92951c Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Fri, 15 Mar 2019 09:52:02 -0400 -Subject: [PATCH 29/62] Once again, try even harder to get binaries without - timestamps in them. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -$ objdump -x /builddir/build/BUILDROOT/shim-*/usr/share/shim/*/shimx64.efi | grep 'Time/Date' -Time/Date Thu Jan 1 00:00:08 1970 -$ _ - -"What is despair? I have known it—hear my song. Despair is when you’re -debugging a kernel driver and you look at a memory dump and you see that -a pointer has a value of 7." - - http://scholar.harvard.edu/files/mickens/files/thenightwatch.pdf - -objcopy only knows about -D for some targets. -ld only believes in --no-insert-timestamp in some versions. -dd takes off and nukes the site from orbit. - -It's the only way to be sure. - -Signed-off-by: Peter Jones -Upstream-commit-id: a4a1fbe728c ---- - Make.defaults | 4 ++++ - Makefile | 6 ++++-- - 2 files changed, 8 insertions(+), 2 deletions(-) - -diff --git a/Make.defaults b/Make.defaults -index 09807bd8108..f0bfa9fd573 100644 ---- a/Make.defaults -+++ b/Make.defaults -@@ -50,6 +50,7 @@ ifeq ($(ARCH),x86_64) - ARCH_SUFFIX ?= x64 - ARCH_SUFFIX_UPPER ?= X64 - ARCH_LDFLAGS ?= -+ TIMESTAMP_LOCATION := 136 - endif - ifeq ($(ARCH),ia32) - ARCH_CFLAGS ?= -mno-mmx -mno-sse -mno-red-zone -nostdinc \ -@@ -60,6 +61,7 @@ ifeq ($(ARCH),ia32) - ARCH_SUFFIX_UPPER ?= IA32 - ARCH_LDFLAGS ?= - ARCH_CFLAGS ?= -m32 -+ TIMESTAMP_LOCATION := 136 - endif - ifeq ($(ARCH),aarch64) - ARCH_CFLAGS ?= -DMDE_CPU_AARCH64 -DPAGE_SIZE=4096 -mstrict-align -@@ -70,6 +72,7 @@ ifeq ($(ARCH),aarch64) - SUBSYSTEM := 0xa - ARCH_LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM) - ARCH_CFLAGS ?= -+ TIMESTAMP_LOCATION := 72 - endif - ifeq ($(ARCH),arm) - ARCH_CFLAGS ?= -DMDE_CPU_ARM -DPAGE_SIZE=4096 -mno-unaligned-access -@@ -79,6 +82,7 @@ ifeq ($(ARCH),arm) - FORMAT := -O binary - SUBSYSTEM := 
0xa - ARCH_LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM) -+ TIMESTAMP_LOCATION := 72 - endif - - CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \ -diff --git a/Makefile b/Makefile -index fd7e83dc764..49e14a26521 100644 ---- a/Makefile -+++ b/Makefile -@@ -189,11 +189,13 @@ endif - ifneq ($(OBJCOPY_GTE224),1) - $(error objcopy >= 2.24 is required) - endif -- $(OBJCOPY) -j .text -j .sdata -j .data -j .data.ident \ -+ $(OBJCOPY) -D -j .text -j .sdata -j .data -j .data.ident \ - -j .dynamic -j .dynsym -j .rel* \ - -j .rela* -j .reloc -j .eh_frame \ - -j .vendor_cert \ - $(FORMAT) $^ $@ -+ # I am tired of wasting my time fighting binutils timestamp code. -+ dd conv=notrunc bs=1 count=4 seek=$(TIMESTAMP_LOCATION) if=/dev/zero of=$@ - - ifneq ($(origin ENABLE_SHIM_HASH),undefined) - %.hash : %.efi -@@ -204,7 +206,7 @@ endif - ifneq ($(OBJCOPY_GTE224),1) - $(error objcopy >= 2.24 is required) - endif -- $(OBJCOPY) -j .text -j .sdata -j .data \ -+ $(OBJCOPY) -D -j .text -j .sdata -j .data \ - -j .dynamic -j .dynsym -j .rel* \ - -j .rela* -j .reloc -j .eh_frame \ - -j .debug_info -j .debug_abbrev -j .debug_aranges \ --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0030-shim-Rework-pause-functions-and-add-read_counter.patch b/SPECS/shim-unsigned-x64/0030-shim-Rework-pause-functions-and-add-read_counter.patch deleted file mode 100644 index ba8c2782284..00000000000 --- a/SPECS/shim-unsigned-x64/0030-shim-Rework-pause-functions-and-add-read_counter.patch +++ /dev/null 
@@ -1,280 +0,0 @@ -From 1b382ef850de5a6c59b192c146a0e8d898d2d961 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 23 Oct 2018 18:17:57 -0400 -Subject: [PATCH 30/62] shim: Rework pause functions and add read_counter() - -Signed-off-by: Peter Jones -Upstream-commit-id: fc6b0bca84e ---- - shim.c | 4 +- - include/asm.h | 59 +++++++++++++++++ - include/compiler.h | 156 +++++++++++++++++++++++++++++++++++++++++++++ - shim.h | 1 + - 4 files changed, 217 insertions(+), 3 deletions(-) - create mode 100644 include/asm.h - create mode 100644 include/compiler.h - -diff --git a/shim.c b/shim.c -index d4ed332f901..f69e69487fc 100644 ---- a/shim.c -+++ b/shim.c -@@ -2543,16 +2543,14 @@ debug_hook(void) - #if defined(__x86_64__) || defined(__i386__) || defined(__i686__) - if (x > 4294967294ULL) - break; -- __asm__ __volatile__("pause"); - #elif defined(__aarch64__) - if (x > 1000) - break; -- __asm__ __volatile__("wfi"); - #else - if (x > 12000) - break; -- msleep(5000); - #endif -+ pause(); - } - x = 1; - } -diff --git a/include/asm.h b/include/asm.h -new file mode 100644 -index 00000000000..5e8f9ed9d7c ---- /dev/null -+++ b/include/asm.h -@@ -0,0 +1,59 @@ -+/* -+ * asm.h -+ * Copyright 2018 Peter Jones -+ */ -+ -+#ifndef SHIM_ASM_H_ -+#define SHIM_ASM_H_ -+ -+#define __stringify_1(x...) #x -+#define __stringify(x...) 
__stringify_1(x) -+ -+static inline uint64_t read_counter(void) -+{ -+ uint64_t val; -+#if defined (__x86_64__) -+ unsigned long low, high; -+ __asm__ __volatile__("rdtsc" : "=a" (low), "=d" (high)); -+ val = (low) | (high) << 32; -+#elif defined(__i386__) || defined(__i686__) -+ __asm__ __volatile__("rdtsc" : "=A" (val)); -+#elif defined(__aarch64__) -+ __asm__ __volatile__ ("mrs %0, pmccntr_el0" : "=r" (val)); -+#elif defined(__arm__) -+ __asm__ __volatile__ ("mrc p15, 0, %0, c9, c13, 0" : "=r" (val)); -+#else -+#error unsupported arch -+#endif -+ return val; -+} -+ -+#if defined(__x86_64__) || defined(__i386__) || defined(__i686__) -+static inline void pause(void) -+{ -+ __asm__ __volatile__("pause"); -+} -+#elif defined(__aarch64__) -+static inline void pause(void) -+{ -+ __asm__ __volatile__("wfi"); -+} -+#else -+static inline void pause(void) -+{ -+ uint64_t a, b; -+ int x; -+ extern void msleep(unsigned long msecs); -+ -+ a = read_counter(); -+ for (x = 0; x < 1000; x++) { -+ msleep(1000); -+ b = read_counter(); -+ if (a != b) -+ break; -+ } -+} -+#endif -+ -+#endif /* !SHIM_ASM_H_ */ -+// vim:fenc=utf-8:tw=75:et -diff --git a/include/compiler.h b/include/compiler.h -new file mode 100644 -index 00000000000..a2a0859379f ---- /dev/null -+++ b/include/compiler.h -@@ -0,0 +1,156 @@ -+/* -+ * compiler.h -+ * Copyright 2019 Peter Jones -+ */ -+ -+#ifndef COMPILER_H_ -+#define COMPILER_H_ -+ -+#ifndef UNUSED -+#define UNUSED __attribute__((__unused__)) -+#endif -+#ifndef HIDDEN -+#define HIDDEN __attribute__((__visibility__ ("hidden"))) -+#endif -+#ifndef PUBLIC -+#define PUBLIC __attribute__((__visibility__ ("default"))) -+#endif -+#ifndef DESTRUCTOR -+#define DESTRUCTOR __attribute__((destructor)) -+#endif -+#ifndef CONSTRUCTOR -+#define CONSTRUCTOR __attribute__((constructor)) -+#endif -+#ifndef ALIAS -+#define ALIAS(x) __attribute__((weak, alias (#x))) -+#endif -+#ifndef NONNULL -+#endif -+#define NONNULL(first, args...) 
__attribute__((__nonnull__(first, ## args))) -+#ifndef PRINTF -+#define PRINTF(first, args...) __attribute__((__format__(printf, first, ## args))) -+#endif -+#ifndef FLATTEN -+#define FLATTEN __attribute__((__flatten__)) -+#endif -+#ifndef PACKED -+#define PACKED __attribute__((__packed__)) -+#endif -+#ifndef VERSION -+#define VERSION(sym, ver) __asm__(".symver " # sym "," # ver) -+#endif -+#ifndef NORETURN -+#define NORETURN __attribute__((__noreturn__)) -+#endif -+#ifndef ALIGNED -+#define ALIGNED(n) __attribute__((__aligned__(n))) -+#endif -+#ifndef CLEANUP_FUNC -+#define CLEANUP_FUNC(x) __attribute__((__cleanup__(x))) -+#endif -+#ifndef USED -+#define USED __attribute__((__used__)) -+#endif -+#ifndef SECTION -+#define SECTION(x) __attribute__((__section__(x))) -+#endif -+#ifndef OPTIMIZE -+#define OPTIMIZE(x) __attribute__((__optimize__(x))) -+#endif -+ -+#ifndef __CONCAT -+#define __CONCAT3(a, b, c) a ## b ## c -+#endif -+#ifndef CAT -+#define CAT(a, b) __CONCAT(a, b) -+#endif -+#ifndef CAT3 -+#define CAT3(a, b, c) __CONCAT3(a, b, c) -+#endif -+#ifndef STRING -+#define STRING(x) __STRING(x) -+#endif -+ -+#ifndef WRITE_ONCE -+#define WRITE_ONCE(var, val) \ -+ (*((volatile typeof(val) *)(&(var))) = (val)) -+#endif -+ -+#ifndef READ_ONCE -+#define READ_ONCE(var) (*((volatile typeof(var) *)(&(var)))) -+#endif -+ -+#ifndef likely -+#define likely(x) __builtin_expect(!!(x), 1) -+#endif -+ -+#ifndef unlikely -+#define unlikely(x) __builtin_expect(!!(x), 0) -+#endif -+ -+/* Are two types/vars the same type (ignoring qualifiers)? 
*/ -+#ifndef __same_type -+#define __same_type(a, b) __builtin_types_compatible_p(typeof(a), typeof(b)) -+#endif -+ -+/* Compile time object size, -1 for unknown */ -+#ifndef __compiletime_object_size -+# define __compiletime_object_size(obj) -1 -+#endif -+#ifndef __compiletime_warning -+# define __compiletime_warning(message) -+#endif -+#ifndef __compiletime_error -+# define __compiletime_error(message) -+#endif -+ -+#ifndef __compiletime_assert -+#define __compiletime_assert(condition, msg, prefix, suffix) \ -+ do { \ -+ extern void prefix ## suffix(void) __compiletime_error(msg); \ -+ if (!(condition)) \ -+ prefix ## suffix(); \ -+ } while (0) -+#endif -+ -+#ifndef _compiletime_assert -+#define _compiletime_assert(condition, msg, prefix, suffix) \ -+ __compiletime_assert(condition, msg, prefix, suffix) -+#endif -+ -+/** -+ * compiletime_assert - break build and emit msg if condition is false -+ * @condition: a compile-time constant condition to check -+ * @msg: a message to emit if condition is false -+ * -+ * In tradition of POSIX assert, this macro will break the build if the -+ * supplied condition is *false*, emitting the supplied error message if the -+ * compiler has support to do so. -+ */ -+#ifndef compiletime_assert -+#define compiletime_assert(condition, msg) \ -+ _compiletime_assert(condition, msg, __compiletime_assert_, __LINE__) -+#endif -+ -+/** -+ * BUILD_BUG_ON_MSG - break compile if a condition is true & emit supplied -+ * error message. -+ * @condition: the condition which the compiler should know is false. -+ * -+ * See BUILD_BUG_ON for description. 
-+ */ -+#ifndef BUILD_BUG_ON_MSG -+#define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg) -+#endif -+ -+#ifndef ALIGN -+#define __ALIGN_MASK(x, mask) (((x) + (mask)) & ~(mask)) -+#define __ALIGN(x, a) __ALIGN_MASK(x, (typeof(x))(a) - 1) -+#define ALIGN(x, a) __ALIGN((x), (a)) -+#endif -+#ifndef ALIGN_DOWN -+#define ALIGN_DOWN(x, a) __ALIGN((x) - ((a) - 1), (a)) -+#endif -+ -+#endif /* !COMPILER_H_ */ -+// vim:fenc=utf-8:tw=75:et -diff --git a/shim.h b/shim.h -index e4d40505f09..a0fa5a75e7e 100644 ---- a/shim.h -+++ b/shim.h -@@ -97,6 +97,7 @@ - #define FALLBACK L"\\fb" EFI_ARCH L".efi" - #define MOK_MANAGER L"\\mm" EFI_ARCH L".efi" - -+#include "include/asm.h" - #include "include/configtable.h" - #include "include/console.h" - #include "include/crypt_blowfish.h" --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0031-Hook-exit-when-shim_lock-protocol-installed.patch b/SPECS/shim-unsigned-x64/0031-Hook-exit-when-shim_lock-protocol-installed.patch deleted file mode 100644 index 16f472ffc89..00000000000 --- a/SPECS/shim-unsigned-x64/0031-Hook-exit-when-shim_lock-protocol-installed.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From b5e10f70c7a495dc1788e3604803ee633f1e5f76 Mon Sep 17 00:00:00 2001 -From: Stuart Hayes -Date: Fri, 8 Feb 2019 15:48:20 -0500 -Subject: [PATCH 31/62] Hook exit when shim_lock protocol installed - -A recent commit moved where the shim_lock protocol is loaded and -unloaded, but did not move where exit was hooked and unhooked. Exit -needs to be hooked when the protocol is installed, so that the protocol -will be uninstalled on exit. Otherwise, the system can crash if, for -example, shim loads grub, the user exits grub, shim is run again, which -installs a second instance of the protocol, and then grub tries to use -the shim_lock protocol that was installed by the first instance of shim. - -Signed-off-by: Stuart Hayes -Upstream-commit-id: 06c92591e94 ---- - shim.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/shim.c b/shim.c -index f69e69487fc..16911a37b17 100644 ---- a/shim.c -+++ b/shim.c -@@ -2474,9 +2474,9 @@ shim_init(void) - loader_is_participating = 0; - } - -- hook_exit(systab); - } - -+ hook_exit(systab); - return install_shim_protocols(); - } - -@@ -2494,9 +2494,10 @@ shim_fini(void) - * Remove our hooks from system services. - */ - unhook_system_services(); -- unhook_exit(); - } - -+ unhook_exit(); -+ - /* - * Free the space allocated for the alternative 2nd stage loader - */ --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0032-Work-around-stuff-Waddress-of-packed-member-finds.patch b/SPECS/shim-unsigned-x64/0032-Work-around-stuff-Waddress-of-packed-member-finds.patch deleted file mode 100644 index f7696a30e4b..00000000000 --- a/SPECS/shim-unsigned-x64/0032-Work-around-stuff-Waddress-of-packed-member-finds.patch +++ /dev/null 
@@ -1,89 +0,0 @@ -From 2cbf56b82a5102777b37c4f7f47c8cf058cea027 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Mon, 13 May 2019 16:34:35 -0400 -Subject: [PATCH 32/62] Work around stuff -Waddress-of-packed-member finds. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -In MokManager we get a lot of these: - -../src/MokManager.c:1063:19: error: taking address of packed member of ‘struct ’ may result in an unaligned pointer value [-Werror=address-of-packed-member] - 1063 | if (CompareGuid(&(list[i].Type), &X509_GUID) == 0) - | ^~~~~~~~~~~~~~~ - -The reason for this is that gnu-efi takes EFI_GUID * as its argument -instead of VOID *, and there's nothing telling the compiler that it -doesn't have alignment constraints on the input, so the compiler wants -it to have 16-byte alignment. - -Just use CompareMem() for these, as that's all CompareGuid is calling -anyway. - -Signed-off-by: Peter Jones -Upstream-commit-id: 08c14376b59 ---- - MokManager.c | 12 +++++++----- - 1 file changed, 7 insertions(+), 5 deletions(-) - -diff --git a/MokManager.c b/MokManager.c -index df9b6fe6912..a1bd39a68e2 100644 ---- a/MokManager.c -+++ b/MokManager.c -@@ -22,6 +22,8 @@ - #define CERT_STRING L"Select an X509 certificate to enroll:\n\n" - #define HASH_STRING L"Select a file to trust:\n\n" - -+#define CompareMemberGuid(x, y) CompareMem(x, y, sizeof(EFI_GUID)) -+ - typedef struct { - UINT32 MokSize; - UINT8 *Mok; -@@ -1077,7 +1079,7 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num, - continue; - - DataSize += sizeof(EFI_SIGNATURE_LIST); -- if (CompareGuid(&(list[i].Type), &X509_GUID) == 0) -+ if (CompareMemberGuid(&(list[i].Type), &X509_GUID) == 0) - DataSize += sizeof(EFI_GUID); - DataSize += list[i].MokSize; - } -@@ -1099,7 +1101,7 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num, - CertList->SignatureType = list[i].Type; - CertList->SignatureHeaderSize = 0; - -- if 
(CompareGuid(&(list[i].Type), &X509_GUID) == 0) { -+ if (CompareMemberGuid(&(list[i].Type), &X509_GUID) == 0) { - CertList->SignatureListSize = list[i].MokSize + - sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID); - CertList->SignatureSize = -@@ -1140,7 +1142,7 @@ static void delete_cert(void *key, UINT32 key_size, - int i; - - for (i = 0; i < mok_num; i++) { -- if (CompareGuid(&(mok[i].Type), &X509_GUID) != 0) -+ if (CompareMemberGuid(&(mok[i].Type), &X509_GUID) != 0) - continue; - - if (mok[i].MokSize == key_size && -@@ -1191,7 +1193,7 @@ static void delete_hash_in_list(EFI_GUID Type, UINT8 * hash, UINT32 hash_size, - sig_size = hash_size + sizeof(EFI_GUID); - - for (i = 0; i < mok_num; i++) { -- if ((CompareGuid(&(mok[i].Type), &Type) != 0) || -+ if ((CompareMemberGuid(&(mok[i].Type), &Type) != 0) || - (mok[i].MokSize < sig_size)) - continue; - -@@ -1355,7 +1357,7 @@ static EFI_STATUS delete_keys(void *MokDel, UINTN MokDelSize, BOOLEAN MokX) - - /* Search and destroy */ - for (i = 0; i < del_num; i++) { -- if (CompareGuid(&(del_key[i].Type), &X509_GUID) == 0) { -+ if (CompareMemberGuid(&(del_key[i].Type), &X509_GUID) == 0) { - delete_cert(del_key[i].Mok, del_key[i].MokSize, - mok, mok_num); - } else if (is_sha2_hash(del_key[i].Type)) { --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0033-Fix-a-use-of-strlen-instead-of-Strlen.patch b/SPECS/shim-unsigned-x64/0033-Fix-a-use-of-strlen-instead-of-Strlen.patch deleted file mode 100644 index e79afa1dcc1..00000000000 --- a/SPECS/shim-unsigned-x64/0033-Fix-a-use-of-strlen-instead-of-Strlen.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From c372ec7a254147f70d62c1f72da5806d42df6994 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 5 Sep 2019 10:36:23 -0400 -Subject: [PATCH 33/62] Fix a use of strlen() instead of Strlen() - -Signed-off-by: Peter Jones -Upstream-commit-id: 1870bae7960 ---- - shim.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/shim.c b/shim.c -index 16911a37b17..a0eb19b91fe 100644 ---- a/shim.c -+++ b/shim.c -@@ -2118,7 +2118,7 @@ static int is_our_path(EFI_LOADED_IMAGE *li, CHAR16 *path) - - dprint(L"dppath: %s\n", dppath); - dprint(L"path: %s\n", path); -- if (StrnCaseCmp(dppath, PathName, strlen(dppath))) -+ if (StrnCaseCmp(dppath, PathName, StrLen(dppath))) - ret = 0; - - done: --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0034-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch b/SPECS/shim-unsigned-x64/0034-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch deleted file mode 100644 index 43a2c6e9778..00000000000 --- a/SPECS/shim-unsigned-x64/0034-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From 5d30a31fef4eb7e773da24c5e6c20576282a9c3a Mon Sep 17 00:00:00 2001 -From: Gary Lin -Date: Tue, 26 Feb 2019 11:33:53 +0800 -Subject: [PATCH 34/62] MokManager: Use CompareMem on MokListNode.Type instead - of CompareGuid - -Fix the errors from gcc9 '-Werror=address-of-packed-member' - -https://github.com/rhboot/shim/issues/161 - -Signed-off-by: Gary Lin -Upstream-commit-id: aaa09b35e73 ---- - MokManager.c | 14 +++++++++----- - 1 file changed, 9 insertions(+), 5 deletions(-) - -diff --git a/MokManager.c b/MokManager.c -index a1bd39a68e2..30192c16789 100644 ---- a/MokManager.c -+++ b/MokManager.c -@@ -1079,7 +1079,8 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num, - continue; - - DataSize += sizeof(EFI_SIGNATURE_LIST); -- if (CompareMemberGuid(&(list[i].Type), &X509_GUID) == 0) -+ if (CompareMem(&(list[i].Type), &X509_GUID, -+ sizeof(EFI_GUID)) == 0) - DataSize += sizeof(EFI_GUID); - DataSize += list[i].MokSize; - } -@@ -1101,7 +1102,8 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num, - CertList->SignatureType = list[i].Type; - CertList->SignatureHeaderSize = 0; - -- if (CompareMemberGuid(&(list[i].Type), &X509_GUID) == 0) { -+ if (CompareMem(&(list[i].Type), &X509_GUID, -+ sizeof(EFI_GUID)) == 0) { - CertList->SignatureListSize = list[i].MokSize + - sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID); - CertList->SignatureSize = -@@ -1142,7 +1144,8 @@ static void delete_cert(void *key, UINT32 key_size, - int i; - - for (i = 0; i < mok_num; i++) { -- if (CompareMemberGuid(&(mok[i].Type), &X509_GUID) != 0) -+ if (CompareMem(&(mok[i].Type), &X509_GUID, -+ sizeof(EFI_GUID)) != 0) - continue; - - if (mok[i].MokSize == key_size && -@@ -1193,7 +1196,7 @@ static void delete_hash_in_list(EFI_GUID Type, UINT8 * hash, UINT32 hash_size, - sig_size = hash_size + sizeof(EFI_GUID); - - for (i = 0; i < mok_num; i++) { -- if ((CompareMemberGuid(&(mok[i].Type), &Type) != 0) || -+ if ((CompareMem(&(mok[i].Type), &Type, 
sizeof(EFI_GUID)) != 0) || - (mok[i].MokSize < sig_size)) - continue; - -@@ -1357,7 +1360,8 @@ static EFI_STATUS delete_keys(void *MokDel, UINTN MokDelSize, BOOLEAN MokX) - - /* Search and destroy */ - for (i = 0; i < del_num; i++) { -- if (CompareMemberGuid(&(del_key[i].Type), &X509_GUID) == 0) { -+ if (CompareMem(&(del_key[i].Type), &X509_GUID, -+ sizeof(EFI_GUID)) == 0) { - delete_cert(del_key[i].Mok, del_key[i].MokSize, - mok, mok_num); - } else if (is_sha2_hash(del_key[i].Type)) { --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0035-OpenSSL-always-provide-OBJ_create-with-name-strings.patch b/SPECS/shim-unsigned-x64/0035-OpenSSL-always-provide-OBJ_create-with-name-strings.patch deleted file mode 100644 index 0efaac9d217..00000000000 --- a/SPECS/shim-unsigned-x64/0035-OpenSSL-always-provide-OBJ_create-with-name-strings.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 44b211bcf7ad58ff29e6495e1c3978e4660cb7d1 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 15 Jan 2019 18:04:34 -0500 -Subject: [PATCH 35/62] OpenSSL: always provide OBJ_create() with name strings. - -Some versions of OpenSSL seem to go back and forth as to whether NULL -for these names are okay. Don't risk it. - -Signed-off-by: Peter Jones -Upstream-commit-id: 46b76a01717 ---- - shim.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/shim.c b/shim.c -index a0eb19b91fe..d7ee2b6de6f 100644 ---- a/shim.c -+++ b/shim.c -@@ -388,7 +388,9 @@ static BOOLEAN verify_eku(UINT8 *Cert, UINTN CertSize) - EXTENDED_KEY_USAGE *eku; - ASN1_OBJECT *module_signing; - -- module_signing = OBJ_nid2obj(OBJ_create(OID_EKU_MODSIGN, NULL, NULL)); -+ module_signing = OBJ_nid2obj(OBJ_create(OID_EKU_MODSIGN, -+ "modsign-eku", -+ "modsign-eku")); - - x509 = d2i_X509 (NULL, &Temp, (long) CertSize); - if (x509 != NULL) { --- -2.26.2 - 
diff --git a/SPECS/shim-unsigned-x64/0036-Use-portable-shebangs-bin-bash-usr-bin-env-bash.patch b/SPECS/shim-unsigned-x64/0036-Use-portable-shebangs-bin-bash-usr-bin-env-bash.patch deleted file mode 100644 index 6ba6995e691..00000000000 --- a/SPECS/shim-unsigned-x64/0036-Use-portable-shebangs-bin-bash-usr-bin-env-bash.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 07de085dabab8daaea589b597e3915893cc98445 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Bj=C3=B8rn=20Forsman?= -Date: Fri, 26 Apr 2019 11:41:02 +0200 -Subject: [PATCH 36/62] Use portable shebangs: /bin/bash -> /usr/bin/env bash - -Upstream-commit-id: 6a73ca814af ---- - Cryptlib/update.sh | 2 +- - make-certs | 4 +++- - 2 files changed, 4 insertions(+), 2 deletions(-) - -diff --git a/Cryptlib/update.sh b/Cryptlib/update.sh -index 31a082d4db6..7ea59831a06 100755 ---- a/Cryptlib/update.sh -+++ b/Cryptlib/update.sh -@@ -1,4 +1,4 @@ --#!/bin/bash -+#!/usr/bin/env bash - - DIR=$1 - OPENSSL_VERSION="1.0.2k" -diff --git a/make-certs b/make-certs -index 3e9293b2497..6f40b234d6a 100755 ---- a/make-certs -+++ b/make-certs -@@ -1,10 +1,12 @@ --#!/bin/bash -e -+#!/usr/bin/env bash - # - # Generate a root CA cert for signing, and then a subject cert. - # Usage: make-certs.sh hostname [user[@domain]] [more ...] - # For testing only, probably still has some bugs in it. - # - -+set -e -+ - DOMAIN=xn--u4h.net - DAYS=365 - KEYTYPE=RSA --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0037-tpm-Fix-off-by-one-error-when-calculating-event-size.patch b/SPECS/shim-unsigned-x64/0037-tpm-Fix-off-by-one-error-when-calculating-event-size.patch deleted file mode 100644 index a2619ab6c4d..00000000000 --- a/SPECS/shim-unsigned-x64/0037-tpm-Fix-off-by-one-error-when-calculating-event-size.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From 6fd8db6bb3b23b9e41f109135253f77263071f46 Mon Sep 17 00:00:00 2001 -From: Chris Coulson -Date: Sat, 22 Jun 2019 15:33:03 +0100 -Subject: [PATCH 37/62] tpm: Fix off-by-one error when calculating event size - -tpm_log_event_raw() allocates a buffer for the EFI_TCG2_EVENT structure -that is one byte larger than necessary, and sets event->Size accordingly. -The result of this is that the event data recorded in the log differs -from the data that is measured to the TPM (it has an extra zero byte -at the end). - -Upstream-commit-id: 8a27a4809a6 ---- - tpm.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/tpm.c b/tpm.c -index f07362c70bb..516fb876caa 100644 ---- a/tpm.c -+++ b/tpm.c -@@ -131,8 +131,10 @@ static EFI_STATUS tpm_log_event_raw(EFI_PHYSICAL_ADDRESS buf, UINTN size, - #endif - } else if (tpm2) { - EFI_TCG2_EVENT *event; -+ UINTN event_size = sizeof(*event) - sizeof(event->Event) + -+ logsize; - -- event = AllocatePool(sizeof(*event) + logsize); -+ event = AllocatePool(event_size); - if (!event) { - perror(L"Unable to allocate event structure\n"); - return EFI_OUT_OF_RESOURCES; -@@ -142,7 +144,7 @@ static EFI_STATUS tpm_log_event_raw(EFI_PHYSICAL_ADDRESS buf, UINTN size, - event->Header.HeaderVersion = 1; - event->Header.PCRIndex = pcr; - event->Header.EventType = type; -- event->Size = sizeof(*event) - sizeof(event->Event) + logsize + 1; -+ event->Size = event_size; - CopyMem(event->Event, (VOID *)log, logsize); - if (hash) { - /* TPM 2 systems will generate the appropriate hash --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0038-tpm-Define-EFI_VARIABLE_DATA_TREE-as-packed.patch b/SPECS/shim-unsigned-x64/0038-tpm-Define-EFI_VARIABLE_DATA_TREE-as-packed.patch deleted file mode 100644 index 71b98a961d0..00000000000 --- a/SPECS/shim-unsigned-x64/0038-tpm-Define-EFI_VARIABLE_DATA_TREE-as-packed.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From 9f80be9f16a854e3946568fa92edebe26eb79e78 Mon Sep 17 00:00:00 2001 -From: Chris Coulson -Date: Sat, 22 Jun 2019 15:37:29 +0100 -Subject: [PATCH 38/62] tpm: Define EFI_VARIABLE_DATA_TREE as packed - -tpm_measure_variable() calculates VarLogSize by adding the size of VarName -and VarData to the size of EFI_VARIABLE_DATA_TREE, and then subtracting -the size of the UnicodeName and VariableData members. This results in a -calculation that is 5 bytes larger than necessary because it doesn't take -in to account the padding of these members. The effect of this is that -shim measures an additional 5 zero bytes when measuring UEFI variables -(at least on 64-bit architectures). - -Byte packing EFI_VARIABLE_DATA_TREE fixes this. - -Upstream-commit-id: 7e4d3f1c8c7 ---- - tpm.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tpm.c b/tpm.c -index 516fb876caa..c0617bb479e 100644 ---- a/tpm.c -+++ b/tpm.c -@@ -233,7 +233,7 @@ typedef struct { - UINT64 VariableDataLength; - CHAR16 UnicodeName[1]; - INT8 VariableData[1]; --} EFI_VARIABLE_DATA_TREE; -+} __attribute__ ((packed)) EFI_VARIABLE_DATA_TREE; - - static BOOLEAN tpm_data_measured(CHAR16 *VarName, EFI_GUID VendorGuid, UINTN VarSize, VOID *VarData) - { --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0039-MokManager-console-mode-modification-for-hi-dpi-scre.patch b/SPECS/shim-unsigned-x64/0039-MokManager-console-mode-modification-for-hi-dpi-scre.patch deleted file mode 100644 index a71b6436972..00000000000 --- a/SPECS/shim-unsigned-x64/0039-MokManager-console-mode-modification-for-hi-dpi-scre.patch +++ /dev/null 
@@ -1,223 +0,0 @@ -From 55163bc82c5179adb109c3d8b982c2689d68b4c9 Mon Sep 17 00:00:00 2001 -From: Ivan Hu -Date: Fri, 10 May 2019 17:50:12 +0800 -Subject: [PATCH 39/62] MokManager: console mode modification for hi-dpi screen - devices - -There are lots of hi-dpi laptops nowadays, as doing mok enrollment, the font -is too small to see. -https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1822043 - -This patch checks if the resolution is larger than Full HD (1920x1080) and -current console output columns and rows is in a good mode. Then swith the -console output to a better mode. - -Signed-off-by: Ivan Hu -Upstream-commit-id: cf05af6d899 ---- - MokManager.c | 2 + - lib/console.c | 161 +++++++++++++++++++++++++++++++++++++++++++++- - include/console.h | 2 + - 3 files changed, 164 insertions(+), 1 deletion(-) - -diff --git a/MokManager.c b/MokManager.c -index 30192c16789..78da9fd95ee 100644 ---- a/MokManager.c -+++ b/MokManager.c -@@ -2560,6 +2560,8 @@ EFI_STATUS efi_main(EFI_HANDLE image_handle, EFI_SYSTEM_TABLE * systab) - - setup_rand(); - -+ console_mode_handle(); -+ - efi_status = check_mok_request(image_handle); - - console_fini(); -diff --git a/lib/console.c b/lib/console.c -index 3aee41cd276..c92d27f3c86 100644 ---- a/lib/console.c -+++ b/lib/console.c -@@ -409,7 +409,166 @@ console_notify(CHAR16 *string) - console_alertbox(str_arr); - } - --#define ARRAY_SIZE(a) (sizeof (a) / sizeof ((a)[0])) -+void -+console_save_and_set_mode(SIMPLE_TEXT_OUTPUT_MODE * SavedMode) -+{ -+ SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut; -+ -+ if (!SavedMode) { -+ console_print(L"Invalid parameter: SavedMode\n"); -+ return; -+ } -+ -+ CopyMem(SavedMode, co->Mode, sizeof(SIMPLE_TEXT_OUTPUT_MODE)); -+ co->EnableCursor(co, FALSE); -+ co->SetAttribute(co, EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE); -+} -+ -+void -+console_restore_mode(SIMPLE_TEXT_OUTPUT_MODE * SavedMode) -+{ -+ SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut; -+ -+ co->EnableCursor(co, SavedMode->CursorVisible); -+ 
co->SetCursorPosition(co, SavedMode->CursorColumn, -+ SavedMode->CursorRow); -+ co->SetAttribute(co, SavedMode->Attribute); -+} -+ -+int -+console_countdown(CHAR16* title, const CHAR16* message, int timeout) -+{ -+ SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut; -+ SIMPLE_INPUT_INTERFACE *ci = ST->ConIn; -+ SIMPLE_TEXT_OUTPUT_MODE SavedMode; -+ EFI_INPUT_KEY key; -+ EFI_STATUS efi_status; -+ UINTN cols, rows; -+ CHAR16 *titles[2]; -+ int wait = 10000000; -+ -+ console_save_and_set_mode(&SavedMode); -+ -+ titles[0] = title; -+ titles[1] = NULL; -+ -+ console_print_box_at(titles, -1, 0, 0, -1, -1, 1, 1); -+ -+ co->QueryMode(co, co->Mode->Mode, &cols, &rows); -+ -+ console_print_at((cols - StrLen(message)) / 2, rows / 2, message); -+ while (1) { -+ if (timeout > 1) -+ console_print_at(2, rows - 3, -+ L"Booting in %d seconds ", -+ timeout); -+ else if (timeout) -+ console_print_at(2, rows - 3, -+ L"Booting in %d second ", -+ timeout); -+ -+ efi_status = WaitForSingleEvent(ci->WaitForKey, wait); -+ if (efi_status != EFI_TIMEOUT) { -+ /* Clear the key in the queue */ -+ ci->ReadKeyStroke(ci, &key); -+ break; -+ } -+ -+ timeout--; -+ if (!timeout) -+ break; -+ } -+ -+ console_restore_mode(&SavedMode); -+ -+ return timeout; -+} -+ -+#define HORIZONTAL_MAX_OK 1920 -+#define VERTICAL_MAX_OK 1080 -+#define COLUMNS_MAX_OK 200 -+#define ROWS_MAX_OK 100 -+ -+void -+console_mode_handle(VOID) -+{ -+ SIMPLE_TEXT_OUTPUT_INTERFACE *co = ST->ConOut; -+ EFI_GRAPHICS_OUTPUT_PROTOCOL *gop; -+ EFI_GUID gop_guid = EFI_GRAPHICS_OUTPUT_PROTOCOL_GUID; -+ EFI_GRAPHICS_OUTPUT_MODE_INFORMATION *Info; -+ -+ UINTN mode_set; -+ UINTN rows = 0, columns = 0; -+ EFI_STATUS efi_status = EFI_SUCCESS; -+ -+ efi_status = gBS->LocateProtocol(&gop_guid, NULL, (void **)&gop); -+ if (EFI_ERROR(efi_status)) { -+ console_error(L"Locate graphic output protocol fail", efi_status); -+ return; -+ } -+ -+ Info = gop->Mode->Info; -+ -+ /* -+ * Start verifying if we are in a resolution larger than Full HD -+ * 
(1920x1080). If we're not, assume we're in a good mode and do not -+ * try to change it. -+ */ -+ if (Info->HorizontalResolution <= HORIZONTAL_MAX_OK && -+ Info->VerticalResolution <= VERTICAL_MAX_OK) { -+ /* keep original mode and return */ -+ return; -+ } -+ -+ efi_status = co->QueryMode(co, co->Mode->Mode, &columns, &rows); -+ if (EFI_ERROR(efi_status)) { -+ console_error(L"Console query mode fail", efi_status); -+ return; -+ } -+ -+ /* -+ * Verify current console output to check if the character columns and -+ * rows in a good mode. -+ */ -+ if (columns <= COLUMNS_MAX_OK && rows <= ROWS_MAX_OK) { -+ /* keep original mode and return */ -+ return; -+ } -+ -+ if (!console_text_mode) -+ setup_console(1); -+ -+ co->Reset(co, TRUE); -+ -+ /* -+ * If we reached here, then we have a high resolution screen and the -+ * text too small. Try to switch to a better mode. Mode number 2 is -+ * first non standard mode, which is provided by the device -+ * manufacturer, so it should be a good mode. -+ */ -+ if (co->Mode->MaxMode > 2) -+ mode_set = 2; -+ else -+ mode_set = 0; -+ -+ efi_status = co->SetMode(co, mode_set); -+ if (EFI_ERROR(efi_status) && mode_set != 0) { -+ /* -+ * Set to 0 mode which is required that all output devices -+ * support at least 80x25 text mode. -+ */ -+ mode_set = 0; -+ efi_status = co->SetMode(co, mode_set); -+ } -+ -+ co->ClearScreen(co); -+ -+ if (EFI_ERROR(efi_status)) { -+ console_error(L"Console set mode fail", efi_status); -+ } -+ -+ return; -+} - - /* Copy of gnu-efi-3.0 with the added secure boot strings */ - static struct { -diff --git a/include/console.h b/include/console.h -index deb4fa3db23..9f259c71b72 100644 ---- a/include/console.h -+++ b/include/console.h -@@ -34,6 +34,8 @@ void - console_notify(CHAR16 *string); - void - console_reset(void); -+void -+console_mode_handle(void); - #define NOSEL 0x7fffffff - - typedef struct _EFI_CONSOLE_CONTROL_PROTOCOL EFI_CONSOLE_CONTROL_PROTOCOL; --- -2.26.2 - 
diff --git a/SPECS/shim-unsigned-x64/0040-MokManager-avoid-Werror-address-of-packed-member.patch b/SPECS/shim-unsigned-x64/0040-MokManager-avoid-Werror-address-of-packed-member.patch
deleted file mode 100644
index ac8814ebb4b..00000000000
--- a/SPECS/shim-unsigned-x64/0040-MokManager-avoid-Werror-address-of-packed-member.patch
+++ /dev/null
@@ -1,111 +0,0 @@ -From d57e53f3bddc4bc7299b3d5efd5ba8c547e8dfa5 Mon Sep 17 00:00:00 2001 -From: Jonas Witschel -Date: Thu, 5 Sep 2019 10:39:37 +0200 -Subject: [PATCH 40/62] MokManager: avoid -Werror=address-of-packed-member -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -When compiling with GCC 9, there are a couple of errors of the form - -MokManager.c: In function ‘write_back_mok_list’: -MokManager.c:1056:19: error: taking address of packed member of ‘struct ’ may result in an unaligned pointer value [-Werror=address-of-packed-member] - 1056 | if (CompareGuid(&(list[i].Type), &X509_GUID) == 0) - | ^~~~~~~~~~~~~~~ - -Copying the member of the packed struct to a temporary variable and -pointing to that variable solves the problem. - -Upstream-commit-id: 58532e12e9a ---- - MokManager.c | 22 +++++++++++++--------- - 1 file changed, 13 insertions(+), 9 deletions(-) - -diff --git a/MokManager.c b/MokManager.c -index 78da9fd95ee..fa73e2fd865 100644 ---- a/MokManager.c -+++ b/MokManager.c -@@ -1064,6 +1064,7 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num, - EFI_STATUS efi_status; - EFI_SIGNATURE_LIST *CertList; - EFI_SIGNATURE_DATA *CertData; -+ EFI_GUID type; - void *Data = NULL, *ptr; - INTN DataSize = 0; - int i; -@@ -1079,8 +1080,8 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num, - continue; - - DataSize += sizeof(EFI_SIGNATURE_LIST); -- if (CompareMem(&(list[i].Type), &X509_GUID, -- sizeof(EFI_GUID)) == 0) -+ type = list[i].Type; /* avoid -Werror=address-of-packed-member */ -+ if (CompareGuid(&type, &X509_GUID) == 0) - DataSize += sizeof(EFI_GUID); - DataSize += list[i].MokSize; - } -@@ -1102,8 +1103,7 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num, - CertList->SignatureType = list[i].Type; - CertList->SignatureHeaderSize = 0; - -- if (CompareMem(&(list[i].Type), &X509_GUID, -- sizeof(EFI_GUID)) == 0) { -+ if 
(CompareGuid(&(CertList->SignatureType), &X509_GUID) == 0) { - CertList->SignatureListSize = list[i].MokSize + - sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID); - CertList->SignatureSize = -@@ -1141,11 +1141,12 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num, - static void delete_cert(void *key, UINT32 key_size, - MokListNode * mok, INTN mok_num) - { -+ EFI_GUID type; - int i; - - for (i = 0; i < mok_num; i++) { -- if (CompareMem(&(mok[i].Type), &X509_GUID, -- sizeof(EFI_GUID)) != 0) -+ type = mok[i].Type; /* avoid -Werror=address-of-packed-member */ -+ if (CompareGuid(&type, &X509_GUID) != 0) - continue; - - if (mok[i].MokSize == key_size && -@@ -1187,6 +1188,7 @@ static void mem_move(void *dest, void *src, UINTN size) - static void delete_hash_in_list(EFI_GUID Type, UINT8 * hash, UINT32 hash_size, - MokListNode * mok, INTN mok_num) - { -+ EFI_GUID type; - UINT32 sig_size; - UINT32 list_num; - int i, del_ind; -@@ -1196,7 +1198,8 @@ static void delete_hash_in_list(EFI_GUID Type, UINT8 * hash, UINT32 hash_size, - sig_size = hash_size + sizeof(EFI_GUID); - - for (i = 0; i < mok_num; i++) { -- if ((CompareMem(&(mok[i].Type), &Type, sizeof(EFI_GUID)) != 0) || -+ type = mok[i].Type; /* avoid -Werror=address-of-packed-member */ -+ if ((CompareGuid(&type, &Type) != 0) || - (mok[i].MokSize < sig_size)) - continue; - -@@ -1252,6 +1255,7 @@ static void delete_hash_list(EFI_GUID Type, void *hash_list, UINT32 list_size, - static EFI_STATUS delete_keys(void *MokDel, UINTN MokDelSize, BOOLEAN MokX) - { - EFI_STATUS efi_status; -+ EFI_GUID type; - CHAR16 *db_name; - CHAR16 *auth_name; - CHAR16 *err_strs[] = { NULL, NULL, NULL }; -@@ -1360,8 +1364,8 @@ static EFI_STATUS delete_keys(void *MokDel, UINTN MokDelSize, BOOLEAN MokX) - - /* Search and destroy */ - for (i = 0; i < del_num; i++) { -- if (CompareMem(&(del_key[i].Type), &X509_GUID, -- sizeof(EFI_GUID)) == 0) { -+ type = del_key[i].Type; /* avoid -Werror=address-of-packed-member */ -+ if 
(CompareGuid(&type, &X509_GUID) == 0) { - delete_cert(del_key[i].Mok, del_key[i].MokSize, - mok, mok_num); - } else if (is_sha2_hash(del_key[i].Type)) { --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0041-tpm-Don-t-log-duplicate-identical-events.patch b/SPECS/shim-unsigned-x64/0041-tpm-Don-t-log-duplicate-identical-events.patch deleted file mode 100644 index 3a282e4953e..00000000000 --- a/SPECS/shim-unsigned-x64/0041-tpm-Don-t-log-duplicate-identical-events.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 58df8d745c6516818ba6ebfa8fe826702c1621a0 Mon Sep 17 00:00:00 2001 -From: Chris Coulson -Date: Thu, 26 Sep 2019 20:01:01 +0100 -Subject: [PATCH 41/62] tpm: Don't log duplicate identical events - -According to the comment in tpm_measure_variable ("Don't measure something that we've already measured"), shim -shouldn't measure duplicate events if they are identical, which also aligns with section 2.3.4.8 of the TCG PC -Client Platform Firmware Profile Specification ("If it has been measured previously, it MUST NOT be measured -again"). This is currently broken because tpm_data_measured() uses the return value of CompareGuid() incorrectly. - -Upstream-commit-id: 103adc89ce5 ---- - tpm.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tpm.c b/tpm.c -index c0617bb479e..196b93c30f6 100644 ---- a/tpm.c -+++ b/tpm.c -@@ -241,7 +241,7 @@ static BOOLEAN tpm_data_measured(CHAR16 *VarName, EFI_GUID VendorGuid, UINTN Var - - for (i=0; i -Date: Mon, 18 Nov 2019 13:59:14 -0500 -Subject: [PATCH 42/62] Slightly better debugging messages - -Signed-off-by: Peter Jones -Upstream-commit-id: 173d35fe8f5 ---- - shim.c | 14 ++++++++++---- - 1 file changed, 10 insertions(+), 4 deletions(-) - -diff --git a/shim.c b/shim.c -index d7ee2b6de6f..2f7aba07421 100644 ---- a/shim.c -+++ b/shim.c -@@ -2459,6 +2459,8 @@ uninstall_shim_protocols(void) - EFI_STATUS - shim_init(void) - { -+ EFI_STATUS efi_status; -+ - setup_verbosity(); - dprint(L"%a", shim_version); - -@@ -2479,7 +2481,12 @@ shim_init(void) - } - - hook_exit(systab); -- return install_shim_protocols(); -+ -+ efi_status = install_shim_protocols(); -+ if (EFI_ERROR(efi_status)) -+ perror(L"install_shim_protocols() failed: %r\n", efi_status); -+ -+ return efi_status; - } - - void -@@ -2575,13 +2582,12 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab) - build_cert = shim_cert; - #endif /* defined(ENABLE_SHIM_CERT) */ - CHAR16 *msgs[] = { -- L"import_mok_state() 
failed\n", -- L"shim_int() failed\n", -+ L"import_mok_state() failed", -+ L"shim_init() failed", - NULL - }; - int msg = 0; - -- - /* - * Set up the shim lock protocol so that grub and MokManager can - * call back in and use shim functions --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0043-Actually-check-for-errors-from-set_second_stage.patch b/SPECS/shim-unsigned-x64/0043-Actually-check-for-errors-from-set_second_stage.patch deleted file mode 100644 index 255f47f9017..00000000000 --- a/SPECS/shim-unsigned-x64/0043-Actually-check-for-errors-from-set_second_stage.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -From 959f5e4e993a82020fef48c7e7c012a44074645c Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Mon, 18 Nov 2019 13:58:46 -0500 -Subject: [PATCH 43/62] Actually check for errors from set_second_stage() - -This changes shim_init() to check for errors from set_second_stage(). -In order to make that work, it also does the following: - -- correctly /always/ allocate second_stage, not sometimes allocate and - sometimes point at .data -- test for LoadOptionSize == 0 and return success -- print an error message for the failure so we can see it. - -Signed-off-by: Peter Jones -Upstream-commit-id: 354bd9b1931 ---- - shim.c | 21 +++++++++++++++++++-- - 1 file changed, 19 insertions(+), 2 deletions(-) - -diff --git a/shim.c b/shim.c -index 2f7aba07421..5329795c333 100644 ---- a/shim.c -+++ b/shim.c -@@ -2141,8 +2141,15 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle) - CHAR16 *loader_str = NULL; - UINTN loader_len = 0; - unsigned int i; -+ UINTN second_stage_len; - -- second_stage = DEFAULT_LOADER; -+ second_stage_len = StrLen(DEFAULT_LOADER) + 1; -+ second_stage = AllocatePool(second_stage_len); -+ if (!second_stage) { -+ perror(L"Could not allocate %lu bytes\n", second_stage_len); -+ return EFI_OUT_OF_RESOURCES; -+ } -+ StrCpy(second_stage, DEFAULT_LOADER); - load_options = NULL; - load_options_size = 0; - -@@ -2199,6 +2206,12 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle) - * BDS will add that, but we ignore that here. - */ - -+ /* -+ * Maybe there just aren't any options... -+ */ -+ if (li->LoadOptionsSize == 0) -+ return EFI_SUCCESS; -+ - /* - * In either case, we've got to have at least a UCS2 NUL... 
- */ -@@ -2465,7 +2478,11 @@ shim_init(void) - dprint(L"%a", shim_version); - - /* Set the second stage loader */ -- set_second_stage (global_image_handle); -+ efi_status = set_second_stage(global_image_handle); -+ if (EFI_ERROR(efi_status)) { -+ perror(L"set_second_stage() failed: %r\n", efi_status); -+ return efi_status; -+ } - - if (secure_mode()) { - if (vendor_cert_size || vendor_dbx_size) { --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0044-translate_slashes-don-t-write-to-string-literals.patch b/SPECS/shim-unsigned-x64/0044-translate_slashes-don-t-write-to-string-literals.patch deleted file mode 100644 index f69b22e3757..00000000000 --- a/SPECS/shim-unsigned-x64/0044-translate_slashes-don-t-write-to-string-literals.patch +++ /dev/null 
@@ -1,140 +0,0 @@ -From c6bedd5b83529925c3ec08f96a3bf61c81bff0ae Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek -Date: Tue, 28 Jan 2020 23:33:46 +0100 -Subject: [PATCH 44/62] translate_slashes(): don't write to string literals - -Currently, all three invocations of the translate_slashes() function may -lead to writes to the string literal that is #defined with the -DEFAULT_LOADER_CHAR macro. According to ISO C99 6.4.5p6, this is undefined -behavior ("If the program attempts to modify such an array, the behavior -is undefined"). - -This bug crashes shim on e.g. the 64-bit ArmVirtQemu platform ("Data -abort: Permission fault"), where the platform firmware maps the .text -section (which contains the string literal) read-only. - -Modify translate_slashes() so that it copies and translates characters -from an input array of "char" to an output array of "CHAR8". - -While at it, fix another bug. Before this patch, if translate_slashes() -ever encountered a double backslash (translating it to a single forward -slash), then the output would end up shorter than the input. However, the -output was not NUL-terminated in-place, therefore the original string -length (and according trailing garbage) would be preserved. After this -patch, the NUL-termination on contraction is automatic, as the output -array's contents are indeterminate when entering the function, and so we -must NUL-terminate it anyway. 
- -Fixes: 8e9124227d18475d3bc634c33518963fc8db7c98 -Fixes: e62b69a5b0b87c6df7a4fc23906134945309e927 -Fixes: 3d79bcb2651b9eae809b975b3e03e2f96c067072 -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1795654 -Signed-off-by: Laszlo Ersek -Upstream-commit-id: 9813e8bc8b3 ---- - httpboot.c | 4 ++-- - netboot.c | 16 +++++++++++----- - include/str.h | 14 ++++++++------ - 3 files changed, 21 insertions(+), 13 deletions(-) - -diff --git a/httpboot.c b/httpboot.c -index 3622e85867c..2d27e8ed993 100644 ---- a/httpboot.c -+++ b/httpboot.c -@@ -743,14 +743,14 @@ httpboot_fetch_buffer (EFI_HANDLE image, VOID **buffer, UINT64 *buf_size) - { - EFI_STATUS efi_status; - EFI_HANDLE nic; -- CHAR8 *next_loader = NULL; -+ CHAR8 next_loader[sizeof DEFAULT_LOADER_CHAR]; - CHAR8 *next_uri = NULL; - CHAR8 *hostname = NULL; - - if (!uri) - return EFI_NOT_READY; - -- next_loader = translate_slashes(DEFAULT_LOADER_CHAR); -+ translate_slashes(next_loader, DEFAULT_LOADER_CHAR); - - /* Create the URI for the next loader based on the original URI */ - efi_status = generate_next_uri(uri, next_loader, &next_uri); -diff --git a/netboot.c b/netboot.c -index 58babfb4d2e..4922ef284b1 100644 ---- a/netboot.c -+++ b/netboot.c -@@ -189,7 +189,9 @@ static BOOLEAN extract_tftp_info(CHAR8 *url) - CHAR8 *start, *end; - CHAR8 ip6str[40]; - CHAR8 ip6inv[16]; -- CHAR8 *template = (CHAR8 *)translate_slashes(DEFAULT_LOADER_CHAR); -+ CHAR8 template[sizeof DEFAULT_LOADER_CHAR]; -+ -+ translate_slashes(template, DEFAULT_LOADER_CHAR); - - // to check against str2ip6() errors - memset(ip6inv, 0, sizeof(ip6inv)); -@@ -254,10 +256,14 @@ static EFI_STATUS parseDhcp6() - - static EFI_STATUS parseDhcp4() - { -- CHAR8 *template = (CHAR8 *)translate_slashes(DEFAULT_LOADER_CHAR); -- INTN template_len = strlen(template) + 1; -+ CHAR8 template[sizeof DEFAULT_LOADER_CHAR]; -+ INTN template_len; -+ UINTN template_ofs = 0; - EFI_PXE_BASE_CODE_DHCPV4_PACKET* pkt_v4 = (EFI_PXE_BASE_CODE_DHCPV4_PACKET 
*)&pxe->Mode->DhcpAck.Dhcpv4; - -+ translate_slashes(template, DEFAULT_LOADER_CHAR); -+ template_len = strlen(template) + 1; -+ - if(pxe->Mode->ProxyOfferReceived) { - /* - * Proxy should not have precedence. Check if DhcpAck -@@ -288,8 +294,8 @@ static EFI_STATUS parseDhcp4() - full_path[dir_len-1] = '\0'; - } - if (dir_len == 0 && dir[0] != '/' && template[0] == '/') -- template++; -- strcata(full_path, template); -+ template_ofs++; -+ strcata(full_path, template + template_ofs); - memcpy(&tftp_addr.v4, pkt_v4->BootpSiAddr, 4); - - return EFI_SUCCESS; -diff --git a/include/str.h b/include/str.h -index 9a748366bd1..f73c6212cd9 100644 ---- a/include/str.h -+++ b/include/str.h -@@ -45,21 +45,23 @@ strcata(CHAR8 *dest, const CHAR8 *src) - static inline - __attribute__((unused)) - CHAR8 * --translate_slashes(char *str) -+translate_slashes(CHAR8 *out, const char *str) - { - int i; - int j; -- if (str == NULL) -- return (CHAR8 *)str; -+ if (str == NULL || out == NULL) -+ return NULL; - - for (i = 0, j = 0; str[i] != '\0'; i++, j++) { - if (str[i] == '\\') { -- str[j] = '/'; -+ out[j] = '/'; - if (str[i+1] == '\\') - i++; -- } -+ } else -+ out[j] = str[i]; - } -- return (CHAR8 *)str; -+ out[j] = '\0'; -+ return out; - } - - #endif /* SHIM_STR_H */ --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0045-shim-Update-EFI_LOADED_IMAGE-with-the-second-stage-l.patch b/SPECS/shim-unsigned-x64/0045-shim-Update-EFI_LOADED_IMAGE-with-the-second-stage-l.patch deleted file mode 100644 index 2203e484df5..00000000000 --- a/SPECS/shim-unsigned-x64/0045-shim-Update-EFI_LOADED_IMAGE-with-the-second-stage-l.patch +++ /dev/null 
@@ -1,93 +0,0 @@ -From 89d72301aa67c82f00fe7fa4f42d7f6eb6045538 Mon Sep 17 00:00:00 2001 -From: Javier Martinez Canillas -Date: Tue, 18 Feb 2020 12:03:28 +0100 -Subject: [PATCH 45/62] shim: Update EFI_LOADED_IMAGE with the second stage - loader file path - -When shim loads the second stage loader (e.g: GRUB) the FilePath field of -the EFI_LOADED_IMAGE structure isn't updated with the path of the loaded -binary. So it still contains the file path of the shim binary. - -This isn't a problem since the file path is currently not used. But should -be used to set the DevicePath field of the EFI_IMAGE_LOAD_EVENT structure -that is logged when measuring the PE/COFF binaries. In that case the TPM -Event Log will have an incorrect file path for the measured binary, i.e: - -$ hexdump -Cv /sys/kernel/security/tpm0/binary_bios_measurements -... -00000a50 00 00 00 00 00 00 04 04 34 00 5c 00 45 00 46 00 |........4.\.E.F.| -00000a60 49 00 5c 00 72 00 65 00 64 00 68 00 61 00 74 00 |I.\.r.e.d.h.a.t.| -00000a70 5c 00 73 00 68 00 69 00 6d 00 78 00 36 00 34 00 |\.s.h.i.m.x.6.4.| -00000a80 2e 00 65 00 66 00 69 00 00 00 7f ff 04 00 00 00 |..e.f.i.........| -00000a90 00 00 00 00 00 00 af 08 00 00 00 0d 00 00 00 b5 |................| -00000aa0 cd d0 8f bb 16 31 e2 80 8b e8 58 75 c9 89 18 95 |.....1....Xu....| -00000ab0 d2 de 15 15 00 00 00 67 72 75 62 5f 63 6d 64 20 |.......grub_cmd | -00000ac0 73 65 74 20 70 61 67 65 72 3d 31 00 08 00 00 00 |set pager=1.....| -... - -So update the EFI_LOADED_IMAGE structure with the second stage loader file -path to have the correct value in the log, i.e: - -$ hexdump -Cv /sys/kernel/security/tpm0/binary_bios_measurements -... 
-00000a50 00 00 00 00 00 00 04 04 34 00 5c 00 45 00 46 00 |........4.\.E.F.| -00000a60 49 00 5c 00 72 00 65 00 64 00 68 00 61 00 74 00 |I.\.r.e.d.h.a.t.| -00000a70 5c 00 67 00 72 00 75 00 62 00 78 00 36 00 34 00 |\.g.r.u.b.x.6.4.| -00000a80 2e 00 65 00 66 00 69 00 00 00 7f ff 04 00 00 00 |..e.f.i.........| -00000a90 00 00 00 00 00 00 af 08 00 00 00 0d 00 00 00 b5 |................| -00000aa0 cd d0 8f bb 16 31 e2 80 8b e8 58 75 c9 89 18 95 |.....1....Xu....| -00000ab0 d2 de 15 15 00 00 00 67 72 75 62 5f 63 6d 64 20 |.......grub_cmd | -00000ac0 73 65 74 20 70 61 67 65 72 3d 31 00 08 00 00 00 |set pager=1.....| -... - -Signed-off-by: Javier Martinez Canillas -Upstream-commit-id: cd7d42d493d ---- - shim.c | 17 +++++++++++++++-- - 1 file changed, 15 insertions(+), 2 deletions(-) - -diff --git a/shim.c b/shim.c -index 5329795c333..a4f7769b38b 100644 ---- a/shim.c -+++ b/shim.c -@@ -1925,6 +1925,16 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) - */ - CopyMem(&li_bak, li, sizeof(li_bak)); - -+ /* -+ * Update the loaded image with the second stage loader file path -+ */ -+ li->FilePath = FileDevicePath(NULL, PathName); -+ if (!li->FilePath) { -+ perror(L"Unable to update loaded image file path\n"); -+ efi_status = EFI_OUT_OF_RESOURCES; -+ goto restore; -+ } -+ - /* - * Verify and, if appropriate, relocate and execute the executable - */ -@@ -1934,8 +1944,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) - perror(L"Failed to load image: %r\n", efi_status); - PrintErrors(); - ClearErrors(); -- CopyMem(li, &li_bak, sizeof(li_bak)); -- goto done; -+ goto restore; - } - - loader_is_participating = 0; -@@ -1945,6 +1954,10 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) - */ - efi_status = entry_point(image_handle, systab); - -+restore: -+ if (li->FilePath) -+ FreePool(li->FilePath); -+ - /* - * Restore our original loaded image values - */ --- -2.26.2 - 
diff --git a/SPECS/shim-unsigned-x64/0046-tpm-Include-information-about-PE-COFF-images-in-the-.patch b/SPECS/shim-unsigned-x64/0046-tpm-Include-information-about-PE-COFF-images-in-the-.patch
deleted file mode 100644
index 90a6b52e2f1..00000000000
--- a/SPECS/shim-unsigned-x64/0046-tpm-Include-information-about-PE-COFF-images-in-the-.patch
+++ /dev/null
@@ -1,124 +0,0 @@ -From 0a8f7ade76ff3eede486027eaa638181e6bed3b8 Mon Sep 17 00:00:00 2001 -From: Javier Martinez Canillas -Date: Tue, 18 Feb 2020 12:03:17 +0100 -Subject: [PATCH 46/62] tpm: Include information about PE/COFF images in the - TPM Event Log - -The "TCG PC Client Specific Platform Firmware Profile Specification" says -that when measuring a PE/COFF image, the TCG_PCR_EVENT2 structure Event -field MUST contain a UEFI_IMAGE_LOAD_EVENT structure. - -Currently an empty UEFI_IMAGE_LOAD_EVENT structure is passed so users only -have the hash of the PE/COFF image, but not information such the file path -of the binary. - -Signed-off-by: Javier Martinez Canillas -Upstream-commit-id: c252b9ee94c ---- - shim.c | 7 +++++-- - tpm.c | 46 ++++++++++++++++++++++++++++++++-------------- - include/tpm.h | 5 +++-- - 3 files changed, 40 insertions(+), 18 deletions(-) - -diff --git a/shim.c b/shim.c -index a4f7769b38b..b35b0ad90cc 100644 ---- a/shim.c -+++ b/shim.c -@@ -1274,7 +1274,9 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, - #ifdef REQUIRE_TPM - efi_status = - #endif -- tpm_log_pe((EFI_PHYSICAL_ADDRESS)(UINTN)data, datasize, sha1hash, 4); -+ tpm_log_pe((EFI_PHYSICAL_ADDRESS)(UINTN)data, datasize, -+ (EFI_PHYSICAL_ADDRESS)(UINTN)context.ImageAddress, -+ li->FilePath, sha1hash, 4); - #ifdef REQUIRE_TPM - if (efi_status != EFI_SUCCESS) { - return efi_status; -@@ -1788,7 +1790,8 @@ EFI_STATUS shim_verify (void *buffer, UINT32 size) - #ifdef REQUIRE_TPM - efi_status = - #endif -- tpm_log_pe((EFI_PHYSICAL_ADDRESS)(UINTN)buffer, size, sha1hash, 4); -+ tpm_log_pe((EFI_PHYSICAL_ADDRESS)(UINTN)buffer, size, 0, NULL, -+ sha1hash, 4); - #ifdef REQUIRE_TPM - if (EFI_ERROR(efi_status)) - goto done; -diff --git a/tpm.c b/tpm.c -index 196b93c30f6..22ad148b35a 100644 ---- a/tpm.c -+++ b/tpm.c -@@ -210,21 +210,39 @@ EFI_STATUS tpm_log_event(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 pcr, - strlen(description) + 1, 0xd, NULL); - } - --EFI_STATUS 
tpm_log_pe(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 *sha1hash, -- UINT8 pcr) -+EFI_STATUS tpm_log_pe(EFI_PHYSICAL_ADDRESS buf, UINTN size, -+ EFI_PHYSICAL_ADDRESS addr, EFI_DEVICE_PATH *path, -+ UINT8 *sha1hash, UINT8 pcr) - { -- EFI_IMAGE_LOAD_EVENT ImageLoad; -- -- // All of this is informational and forces us to do more parsing before -- // we can generate it, so let's just leave it out for now -- ImageLoad.ImageLocationInMemory = 0; -- ImageLoad.ImageLengthInMemory = 0; -- ImageLoad.ImageLinkTimeAddress = 0; -- ImageLoad.LengthOfDevicePath = 0; -- -- return tpm_log_event_raw(buf, size, pcr, (CHAR8 *)&ImageLoad, -- sizeof(ImageLoad), -- EV_EFI_BOOT_SERVICES_APPLICATION, sha1hash); -+ EFI_IMAGE_LOAD_EVENT *ImageLoad = NULL; -+ EFI_STATUS efi_status; -+ UINTN path_size = 0; -+ -+ if (path) -+ path_size = DevicePathSize(path); -+ -+ ImageLoad = AllocateZeroPool(sizeof(*ImageLoad) + path_size); -+ if (!ImageLoad) { -+ perror(L"Unable to allocate image load event structure\n"); -+ return EFI_OUT_OF_RESOURCES; -+ } -+ -+ ImageLoad->ImageLocationInMemory = buf; -+ ImageLoad->ImageLengthInMemory = size; -+ ImageLoad->ImageLinkTimeAddress = addr; -+ -+ if (path_size > 0) { -+ CopyMem(ImageLoad->DevicePath, path, path_size); -+ ImageLoad->LengthOfDevicePath = path_size; -+ } -+ -+ efi_status = tpm_log_event_raw(buf, size, pcr, (CHAR8 *)ImageLoad, -+ sizeof(*ImageLoad) + path_size, -+ EV_EFI_BOOT_SERVICES_APPLICATION, -+ sha1hash); -+ FreePool(ImageLoad); -+ -+ return efi_status; - } - - typedef struct { -diff --git a/include/tpm.h b/include/tpm.h -index 746e871ff22..a05c24949e5 100644 ---- a/include/tpm.h -+++ b/include/tpm.h -@@ -10,8 +10,9 @@ EFI_STATUS tpm_log_event(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 pcr, - const CHAR8 *description); - EFI_STATUS fallback_should_prefer_reset(void); - --EFI_STATUS tpm_log_pe(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 *sha1hash, -- UINT8 pcr); -+EFI_STATUS tpm_log_pe(EFI_PHYSICAL_ADDRESS buf, UINTN size, -+ 
EFI_PHYSICAL_ADDRESS addr, EFI_DEVICE_PATH *path, -+ UINT8 *sha1hash, UINT8 pcr); - - EFI_STATUS tpm_measure_variable(CHAR16 *dbname, EFI_GUID guid, UINTN size, void *data); - --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0047-Fix-the-license-on-our-buildid-extractor.patch b/SPECS/shim-unsigned-x64/0047-Fix-the-license-on-our-buildid-extractor.patch deleted file mode 100644 index b62628d0f61..00000000000 --- a/SPECS/shim-unsigned-x64/0047-Fix-the-license-on-our-buildid-extractor.patch +++ /dev/null @@ -1,27 +0,0 @@ -From dce3659ac3d14ed338cdb37798a429751898c078 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 23 Apr 2020 18:55:34 -0400 -Subject: [PATCH 47/62] Fix the license on our buildid extractor. - -Signed-off-by: Peter Jones -Upstream-commit-id: 71439f848f6 ---- - buildid.c | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/buildid.c b/buildid.c -index f213f3bc921..6b414cdcffb 100644 ---- a/buildid.c -+++ b/buildid.c -@@ -1,8 +1,6 @@ - /* - * Walk a list of input files, printing the name and buildid of any file - * that has one. -- * -- * This program is licensed under the GNU Public License version 2. - */ - - #include --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0048-Update-README.tpm.patch b/SPECS/shim-unsigned-x64/0048-Update-README.tpm.patch deleted file mode 100644 index b5cd08d288d..00000000000 --- a/SPECS/shim-unsigned-x64/0048-Update-README.tpm.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From 633169fe3291c832236ca1074fc679852f9caee1 Mon Sep 17 00:00:00 2001 -From: noahbliss -Date: Wed, 4 Mar 2020 19:46:28 -0500 -Subject: [PATCH 48/62] Update README.tpm - -typo -Upstream-commit-id: bc24c9eb1d4 ---- - README.tpm | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/README.tpm b/README.tpm -index d9c7c53483b..c060dbe22db 100644 ---- a/README.tpm -+++ b/README.tpm -@@ -25,7 +25,7 @@ PCR8: - measured into PCR8. - - PCR9: --- If you're using the grub2 TPM patchset we cary in Fedora, the kernel, -+- If you're using the grub2 TPM patchset we carry in Fedora, the kernel, - initramfs, and any multiboot modules loaded are measured into PCR9. - - PCR14: --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0049-Check-PxeReplyReceived-as-fallback-in-netboot.patch b/SPECS/shim-unsigned-x64/0049-Check-PxeReplyReceived-as-fallback-in-netboot.patch deleted file mode 100644 index dd9eea9afcc..00000000000 --- a/SPECS/shim-unsigned-x64/0049-Check-PxeReplyReceived-as-fallback-in-netboot.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From 9a209af5d84f4015ec399e1d1fa9dab31ef4d2b7 Mon Sep 17 00:00:00 2001 -From: Thomas Frauendorfer | Miray Software -Date: Wed, 25 Mar 2020 09:19:19 +0100 -Subject: [PATCH 49/62] Check PxeReplyReceived as fallback in netboot - -Some mainboards do not update the ProxyOffset dhcp information when using -proxy dhcp and boot menus. -This adds a fallback to check the PxeReply field if no boot information is -found in the v4 dhcp or proxy dhcp information - -Upstream-commit-id: cc7ebe0f9f4 ---- - netboot.c | 15 ++++++++++++--- - 1 file changed, 12 insertions(+), 3 deletions(-) - mode change 100644 => 100755 netboot.c - -diff --git a/netboot.c b/netboot.c -old mode 100644 -new mode 100755 -index 4922ef284b1..047dad3a760 ---- a/netboot.c -+++ b/netboot.c -@@ -273,7 +273,16 @@ static EFI_STATUS parseDhcp4() - pkt_v4 = &pxe->Mode->ProxyOffer.Dhcpv4; - } - -- INTN dir_len = strnlena(pkt_v4->BootpBootFile, 127); -+ if(pxe->Mode->PxeReplyReceived) { -+ /* -+ * If we have no bootinfo yet search for it in the PxeReply. 
-+ * Some mainboards run into this when the server uses boot menus -+ */ -+ if(pkt_v4->BootpBootFile[0] == '\0' && pxe->Mode->PxeReply.Dhcpv4.BootpBootFile[0] != '\0') -+ pkt_v4 = &pxe->Mode->PxeReply.Dhcpv4; -+ } -+ -+ INTN dir_len = strnlena((CHAR8 *)pkt_v4->BootpBootFile, 127); - INTN i; - UINT8 *dir = pkt_v4->BootpBootFile; - -@@ -289,7 +298,7 @@ static EFI_STATUS parseDhcp4() - return EFI_OUT_OF_RESOURCES; - - if (dir_len > 0) { -- strncpya(full_path, dir, dir_len); -+ strncpya(full_path, (CHAR8 *)dir, dir_len); - if (full_path[dir_len-1] == '/' && template[0] == '/') - full_path[dir_len-1] = '\0'; - } -@@ -340,7 +349,7 @@ EFI_STATUS FetchNetbootimage(EFI_HANDLE image_handle, VOID **buffer, UINT64 *buf - - try_again: - efi_status = pxe->Mtftp(pxe, read, *buffer, overwrite, bufsiz, &blksz, -- &tftp_addr, full_path, NULL, nobuffer); -+ &tftp_addr, (UINT8 *)full_path, NULL, nobuffer); - if (efi_status == EFI_BUFFER_TOO_SMALL) { - /* try again, doubling buf size */ - *bufsiz *= 2; --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0050-Remove-a-couple-of-incorrect-license-claims.patch b/SPECS/shim-unsigned-x64/0050-Remove-a-couple-of-incorrect-license-claims.patch deleted file mode 100644 index 1fda36cd5aa..00000000000 --- a/SPECS/shim-unsigned-x64/0050-Remove-a-couple-of-incorrect-license-claims.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From e8a04c1d84d2ebd0dbdf7bda26d7a22017100586 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 9 Jul 2020 00:24:57 -0400 -Subject: [PATCH 50/62] Remove a couple of incorrect license claims. - -A certain someone's default editor template leaked in to a couple of -source files, and claims they're GPL licensed. They're not. - -Signed-off-by: Peter Jones -Upstream-commit-id: 476cbff1110 ---- - errlog.c | 3 --- - mok.c | 2 -- - 2 files changed, 5 deletions(-) - -diff --git a/errlog.c b/errlog.c -index eebb266d396..6669c800233 100644 ---- a/errlog.c -+++ b/errlog.c -@@ -1,10 +1,7 @@ - /* - * errlog.c - * Copyright 2017 Peter Jones -- * -- * Distributed under terms of the GPLv3 license. - */ -- - #include "shim.h" - - static CHAR16 **errs = NULL; -diff --git a/mok.c b/mok.c -index 59630e74425..089ea6bfc9a 100644 ---- a/mok.c -+++ b/mok.c -@@ -1,8 +1,6 @@ - /* - * mok.c - * Copyright 2017 Peter Jones -- * -- * Distributed under terms of the GPLv3 license. - */ - - #include "shim.h" --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0051-MokManager-fix-uninitialized-value.patch b/SPECS/shim-unsigned-x64/0051-MokManager-fix-uninitialized-value.patch deleted file mode 100644 index 808d11f101e..00000000000 --- a/SPECS/shim-unsigned-x64/0051-MokManager-fix-uninitialized-value.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From 7b77bee7966a1aa5f00a9b34aeb7e550bfa47be1 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Wed, 22 Jul 2020 23:53:09 -0400 -Subject: [PATCH 51/62] MokManager: fix uninitialized value - -Signed-off-by: Peter Jones -Upstream: pr#212 ---- - MokManager.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/MokManager.c b/MokManager.c -index fa73e2fd865..654a115033c 100644 ---- a/MokManager.c -+++ b/MokManager.c -@@ -1431,7 +1431,7 @@ static CHAR16 get_password_charater(CHAR16 * prompt) - SIMPLE_TEXT_OUTPUT_MODE SavedMode; - EFI_STATUS efi_status; - CHAR16 *message[2]; -- CHAR16 character; -+ CHAR16 character = 0; - UINTN length; - UINT32 pw_length; - --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0052-Fix-some-volatile-usage-gcc-whines-about.patch b/SPECS/shim-unsigned-x64/0052-Fix-some-volatile-usage-gcc-whines-about.patch deleted file mode 100644 index 4f3d2d61ebc..00000000000 --- a/SPECS/shim-unsigned-x64/0052-Fix-some-volatile-usage-gcc-whines-about.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From d3b7dc54cdac474a57b67cf9bcdb15bcb131d06c Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 23 Jul 2020 16:18:52 -0400 -Subject: [PATCH 52/62] Fix some volatile usage gcc whines about. - -Signed-off-by: Peter Jones -Upstream: pr#212 ---- - fallback.c | 2 +- - shim.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/fallback.c b/fallback.c -index c3f5583c626..5a4bfff0793 100644 ---- a/fallback.c -+++ b/fallback.c -@@ -983,7 +983,7 @@ debug_hook(void) - UINT8 *data = NULL; - UINTN dataSize = 0; - EFI_STATUS efi_status; -- volatile register int x = 0; -+ register volatile int x = 0; - extern char _etext, _edata; - - efi_status = get_variable(L"SHIM_DEBUG", &data, &dataSize, -diff --git a/shim.c b/shim.c -index b35b0ad90cc..0e7e784b4c8 100644 ---- a/shim.c -+++ b/shim.c -@@ -2559,7 +2559,7 @@ debug_hook(void) - UINT8 *data = NULL; - UINTN dataSize = 0; - EFI_STATUS efi_status; -- volatile register UINTN x = 0; -+ register volatile UINTN x = 0; - extern char _text, _data; - - if (x) --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0053-MokManager-fix-a-wrong-allocation-failure-check.patch b/SPECS/shim-unsigned-x64/0053-MokManager-fix-a-wrong-allocation-failure-check.patch deleted file mode 100644 index cd20cb47655..00000000000 --- a/SPECS/shim-unsigned-x64/0053-MokManager-fix-a-wrong-allocation-failure-check.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 6df96cdb20b84b33027d2e40bc0dbe0676d31282 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 23 Jul 2020 19:01:27 -0400 -Subject: [PATCH 53/62] MokManager: fix a wrong allocation failure check. - -Signed-off-by: Peter Jones -Upstream: pr#212 ---- - MokManager.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/MokManager.c b/MokManager.c -index 654a115033c..c9949e33bcf 100644 ---- a/MokManager.c -+++ b/MokManager.c -@@ -1085,9 +1085,11 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num, - DataSize += sizeof(EFI_GUID); - DataSize += list[i].MokSize; - } -+ if (DataSize == 0) -+ return EFI_SUCCESS; - - Data = AllocatePool(DataSize); -- if (Data == NULL && DataSize != 0) -+ if (Data == NULL) - return EFI_OUT_OF_RESOURCES; - - ptr = Data; --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0054-simple_file-fix-uninitialized-variable-unchecked-ret.patch b/SPECS/shim-unsigned-x64/0054-simple_file-fix-uninitialized-variable-unchecked-ret.patch deleted file mode 100644 index 874943237d1..00000000000 --- a/SPECS/shim-unsigned-x64/0054-simple_file-fix-uninitialized-variable-unchecked-ret.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From c186bdddaa7b103aef9d4a164ac0a07499dba112 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Wed, 22 Jul 2020 23:55:44 -0400 -Subject: [PATCH 54/62] simple_file: fix uninitialized variable/unchecked - return - -Signed-off-by: Peter Jones -Upstream: pr#212 ---- - lib/simple_file.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/lib/simple_file.c b/lib/simple_file.c -index 3bf92ed8e0f..6ad31b4dc04 100644 ---- a/lib/simple_file.c -+++ b/lib/simple_file.c -@@ -403,10 +403,10 @@ simple_file_selector(EFI_HANDLE * im, CHAR16 ** title, CHAR16 * name, - filter = L""; - if (!*im) { - EFI_HANDLE h; -- CHAR16 *volname; -+ CHAR16 *volname = NULL; - -- simple_volume_selector(title, &volname, &h); -- if (!volname) -+ efi_status = simple_volume_selector(title, &volname, &h); -+ if (EFI_ERROR(efi_status) || !volname) - return; - FreePool(volname); - *im = h; --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0055-Fix-a-broken-tpm-type.patch b/SPECS/shim-unsigned-x64/0055-Fix-a-broken-tpm-type.patch deleted file mode 100644 index 06b12010b9f..00000000000 --- a/SPECS/shim-unsigned-x64/0055-Fix-a-broken-tpm-type.patch +++ /dev/null @@ -1,27 +0,0 @@ -From a7f9911b776f3cdc12e42bf5990ddef0b08d3701 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 23 Jul 2020 20:35:56 -0400 -Subject: [PATCH 55/62] Fix a broken tpm type - -Signed-off-by: Peter Jones -Upstream: pr#212 ---- - tpm.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tpm.c b/tpm.c -index 22ad148b35a..03cf3a1f60e 100644 ---- a/tpm.c -+++ b/tpm.c -@@ -239,7 +239,7 @@ EFI_STATUS tpm_log_pe(EFI_PHYSICAL_ADDRESS buf, UINTN size, - efi_status = tpm_log_event_raw(buf, size, pcr, (CHAR8 *)ImageLoad, - sizeof(*ImageLoad) + path_size, - EV_EFI_BOOT_SERVICES_APPLICATION, -- sha1hash); -+ (CHAR8 *)sha1hash); - FreePool(ImageLoad); - - return efi_status; --- -2.26.2 - 
diff --git a/SPECS/shim-unsigned-x64/0056-Make-cert.S-not-impossible-to-read.patch b/SPECS/shim-unsigned-x64/0056-Make-cert.S-not-impossible-to-read.patch
deleted file mode 100644
index c8068efda39..00000000000
--- a/SPECS/shim-unsigned-x64/0056-Make-cert.S-not-impossible-to-read.patch
+++ /dev/null
@@ -1,279 +0,0 @@ -From 7d542805ba5c48185128a2351bb315a5648fe3d7 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 23 Jul 2020 00:08:30 -0400 -Subject: [PATCH 56/62] Make cert.S not impossible to read. - -Signed-off-by: Peter Jones -Upstream: pr#206 ---- - shim.c | 47 +++++++++++++++++-------------- - shim.h | 28 +++++++++++++++--- - cert.S | 89 ++++++++++++++++++++++------------------------------------ - 3 files changed, 84 insertions(+), 80 deletions(-) - -diff --git a/shim.c b/shim.c -index 0e7e784b4c8..888ee6e8d7b 100644 ---- a/shim.c -+++ b/shim.c -@@ -68,16 +68,18 @@ static UINT32 load_options_size; - * The vendor certificate used for validating the second stage loader - */ - extern struct { -- UINT32 vendor_cert_size; -- UINT32 vendor_dbx_size; -- UINT32 vendor_cert_offset; -- UINT32 vendor_dbx_offset; -+ UINT32 vendor_authorized_size; -+ UINT32 vendor_deauthorized_size; -+ UINT32 vendor_authorized_offset; -+ UINT32 vendor_deauthorized_offset; - } cert_table; - --UINT32 vendor_cert_size; --UINT32 vendor_dbx_size; --UINT8 *vendor_cert; --UINT8 *vendor_dbx; -+UINT32 vendor_authorized_size = 0; -+UINT8 *vendor_authorized = NULL; -+ -+UINT32 vendor_deauthorized_size = 0; -+UINT8 *vendor_deauthorized = NULL; -+ - #if defined(ENABLE_SHIM_CERT) - UINT32 build_cert_size; - UINT8 *build_cert; -@@ -554,22 +556,22 @@ static CHECK_STATUS check_db_hash(CHAR16 *dbname, EFI_GUID guid, UINT8 *data, - static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert, - UINT8 *sha256hash, UINT8 *sha1hash) - { -- EFI_SIGNATURE_LIST *dbx = (EFI_SIGNATURE_LIST *)vendor_dbx; -+ EFI_SIGNATURE_LIST *dbx = (EFI_SIGNATURE_LIST *)vendor_deauthorized; - -- if (check_db_hash_in_ram(dbx, vendor_dbx_size, sha256hash, -+ if (check_db_hash_in_ram(dbx, vendor_deauthorized_size, sha256hash, - SHA256_DIGEST_SIZE, EFI_CERT_SHA256_GUID, L"dbx", - EFI_SECURE_BOOT_DB_GUID) == DATA_FOUND) { - LogError(L"binary sha256hash found in vendor dbx\n"); - return EFI_SECURITY_VIOLATION; - } -- if 
(check_db_hash_in_ram(dbx, vendor_dbx_size, sha1hash, -+ if (check_db_hash_in_ram(dbx, vendor_deauthorized_size, sha1hash, - SHA1_DIGEST_SIZE, EFI_CERT_SHA1_GUID, L"dbx", - EFI_SECURE_BOOT_DB_GUID) == DATA_FOUND) { - LogError(L"binary sha1hash found in vendor dbx\n"); - return EFI_SECURITY_VIOLATION; - } - if (cert && -- check_db_cert_in_ram(dbx, vendor_dbx_size, cert, sha256hash, L"dbx", -+ check_db_cert_in_ram(dbx, vendor_deauthorized_size, cert, sha256hash, L"dbx", - EFI_SECURE_BOOT_DB_GUID) == DATA_FOUND) { - LogError(L"cert sha256hash found in vendor dbx\n"); - return EFI_SECURITY_VIOLATION; -@@ -1077,19 +1079,19 @@ static EFI_STATUS verify_buffer (char *data, int datasize, - /* - * And finally, check against shim's built-in key - */ -- if (vendor_cert_size && -+ if (vendor_authorized_size && - AuthenticodeVerify(cert->CertData, - cert->Hdr.dwLength - sizeof(cert->Hdr), -- vendor_cert, vendor_cert_size, -+ vendor_authorized, vendor_authorized_size, - sha256hash, SHA256_DIGEST_SIZE)) { - update_verification_method(VERIFIED_BY_CERT); - tpm_measure_variable(L"Shim", SHIM_LOCK_GUID, -- vendor_cert_size, vendor_cert); -+ vendor_authorized_size, vendor_authorized); - efi_status = EFI_SUCCESS; - drain_openssl_errors(); - return efi_status; - } else { -- LogError(L"AuthenticodeVerify(vendor_cert) failed\n"); -+ LogError(L"AuthenticodeVerify(vendor_authorized) failed\n"); - } - } - -@@ -2501,7 +2503,7 @@ shim_init(void) - } - - if (secure_mode()) { -- if (vendor_cert_size || vendor_dbx_size) { -+ if (vendor_authorized_size || vendor_deauthorized_size) { - /* - * If shim includes its own certificates then ensure - * that anything it boots has performed some -@@ -2606,14 +2608,17 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab) - - verification_method = VERIFIED_BY_NOTHING; - -- vendor_cert_size = cert_table.vendor_cert_size; -- vendor_dbx_size = cert_table.vendor_dbx_size; -- vendor_cert = (UINT8 *)&cert_table + 
cert_table.vendor_cert_offset; -- vendor_dbx = (UINT8 *)&cert_table + cert_table.vendor_dbx_offset; -+ vendor_authorized_size = cert_table.vendor_authorized_size; -+ vendor_authorized = (UINT8 *)&cert_table + cert_table.vendor_authorized_offset; -+ -+ vendor_deauthorized_size = cert_table.vendor_deauthorized_size; -+ vendor_deauthorized = (UINT8 *)&cert_table + cert_table.vendor_deauthorized_offset; -+ - #if defined(ENABLE_SHIM_CERT) - build_cert_size = sizeof(shim_cert); - build_cert = shim_cert; - #endif /* defined(ENABLE_SHIM_CERT) */ -+ - CHAR16 *msgs[] = { - L"import_mok_state() failed", - L"shim_init() failed", -diff --git a/shim.h b/shim.h -index a0fa5a75e7e..555498c6673 100644 ---- a/shim.h -+++ b/shim.h -@@ -97,6 +97,24 @@ - #define FALLBACK L"\\fb" EFI_ARCH L".efi" - #define MOK_MANAGER L"\\mm" EFI_ARCH L".efi" - -+#if defined(VENDOR_CERT_FILE) -+# define vendor_authorized vendor_cert -+# define vendor_authorized_size vendor_cert_size -+# define vendor_authorized_category VENDOR_ADDEND_X509 -+#else -+# define vendor_authorized vendor_null -+# define vendor_authorized_size vendor_null_size -+# define vendor_authorized_category VENDOR_ADDEND_NONE -+#endif -+ -+#if defined(VENDOR_DBX_FILE) -+# define vendor_deauthorized vendor_dbx -+# define vendor_deauthorized_size vendor_dbx_size -+#else -+# define vendor_deauthorized vendor_deauthorized_null -+# define vendor_deauthorized_size vendor_deauthorized_null_size -+#endif -+ - #include "include/asm.h" - #include "include/configtable.h" - #include "include/console.h" -@@ -166,10 +184,12 @@ extern VOID ClearErrors(VOID); - extern EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath); - extern EFI_STATUS import_mok_state(EFI_HANDLE image_handle); - --extern UINT32 vendor_cert_size; --extern UINT32 vendor_dbx_size; --extern UINT8 *vendor_cert; --extern UINT8 *vendor_dbx; -+extern UINT32 vendor_authorized_size; -+extern UINT8 *vendor_authorized; -+ -+extern UINT32 vendor_deauthorized_size; -+extern UINT8 
*vendor_deauthorized; -+ - #if defined(ENABLE_SHIM_CERT) - extern UINT32 build_cert_size; - extern UINT8 *build_cert; -diff --git a/cert.S b/cert.S -index cfc4525b44c..520caaef3af 100644 ---- a/cert.S -+++ b/cert.S -@@ -1,65 +1,44 @@ -+ -+#if defined(VENDOR_CERT_FILE) -+# define vendor_authorized vendor_cert -+# define vendor_authorized_end vendor_cert_end -+# define vendor_authorized_size vendor_cert_size -+# define vendor_authorized_size_end vendor_cert_size_end -+#endif -+ -+#if defined(VENDOR_DBX_FILE) -+# define vendor_deauthorized vendor_dbx -+# define vendor_deauthorized_end vendor_dbx_end -+# define vendor_deauthorized_size vendor_dbx_size -+# define vendor_deauthorized_size_end vendor_dbx_size_end -+#endif -+ - .globl cert_table - .type cert_table, %object -- .size cert_table, 4 -+ .size cert_table, .Lcert_table_end - cert_table - .section .vendor_cert, "a", %progbits -+ .balignl 4, 0 - cert_table: --#if defined(VENDOR_CERT_FILE) -- .long vendor_cert_priv_end - vendor_cert_priv --#else -- .long 0 --#endif --#if defined(VENDOR_DBX_FILE) -- .long vendor_dbx_priv_end - vendor_dbx_priv --#else -- .long 0 --#endif -- .long vendor_cert_priv - cert_table -- .long vendor_dbx_priv - cert_table --#if defined(VENDOR_CERT_FILE) -- .data -- .align 1 -- .type vendor_cert_priv, %object -- .size vendor_cert_priv, vendor_cert_priv_end-vendor_cert_priv -+ .4byte .Lvendor_authorized_end - vendor_authorized -+ .4byte .Lvendor_deauthorized_end - vendor_deauthorized -+ .4byte vendor_authorized - cert_table -+ .4byte vendor_deauthorized - cert_table -+ .balign 1, 0 -+ .type vendor_authorized, %object -+ .size vendor_authorized, .Lvendor_authorized_end - vendor_authorized - .section .vendor_cert, "a", %progbits --vendor_cert_priv: -+vendor_authorized: -+#if defined(VENDOR_CERT_FILE) - .incbin VENDOR_CERT_FILE --vendor_cert_priv_end: --#else -- .bss -- .type vendor_cert_priv, %object -- .size vendor_cert_priv, 1 -- .section .vendor_cert, "a", %progbits --vendor_cert_priv: -- .zero 
1 -- -- .data -- .align 4 -- .type vendor_cert_size_priv, %object -- .size vendor_cert_size_priv, 4 -- .section .vendor_cert, "a", %progbits --vendor_cert_priv_end: - #endif -+.Lvendor_authorized_end: -+ .balign 1, 0 -+ .type vendor_deauthorized, %object -+ .size vendor_deauthorized, .Lvendor_deauthorized_end - vendor_deauthorized -+ .section .vendor_cert, "a", %progbits -+vendor_deauthorized: - #if defined(VENDOR_DBX_FILE) -- .data -- .align 1 -- .type vendor_dbx_priv, %object -- .size vendor_dbx_priv, vendor_dbx_priv_end-vendor_dbx_priv -- .section .vendor_cert, "a", %progbits --vendor_dbx_priv: - .incbin VENDOR_DBX_FILE --vendor_dbx_priv_end: --#else -- .bss -- .type vendor_dbx_priv, %object -- .size vendor_dbx_priv, 1 -- .section .vendor_cert, "a", %progbits --vendor_dbx_priv: -- .zero 1 -- -- .data -- .align 4 -- .type vendor_dbx_size_priv, %object -- .size vendor_dbx_size_priv, 4 -- .section .vendor_cert, "a", %progbits --vendor_dbx_priv_end: - #endif -+.Lvendor_deauthorized_end: -+.Lcert_table_end: --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0057-Add-support-for-vendor_db-built-in-shim-authorized-l.patch b/SPECS/shim-unsigned-x64/0057-Add-support-for-vendor_db-built-in-shim-authorized-l.patch deleted file mode 100644 index 13a25e8f2d1..00000000000 --- a/SPECS/shim-unsigned-x64/0057-Add-support-for-vendor_db-built-in-shim-authorized-l.patch +++ /dev/null 
@@ -1,943 +0,0 @@ -From dd3a5d71252a1f94e37f1a4c8841d253630b305a Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 23 Jul 2020 12:36:56 -0400 -Subject: [PATCH 57/62] Add support for vendor_db built-in shim authorized - list. - -Potential new signing strategies ( for example signing grub, fwupdate -and vmlinuz with separate certificates ) require shim to support a -vendor provided bundle of trusted certificates and hashes, which allows -shim to trust EFI binaries matching either certificate by signature or -hash in the vendor_db. Functionality is similar to vendor_dbx. - -This also improves the mirroring quite a bit. -Upstream: pr#206 ---- - lib/variables.c | 55 +++-- - mok.c | 502 ++++++++++++++++++++++++++++++-------------- - shim.c | 27 +++ - include/console.h | 3 +- - include/variables.h | 9 +- - shim.h | 7 +- - cert.S | 13 +- - Make.defaults | 3 + - README.tpm | 1 + - 9 files changed, 437 insertions(+), 183 deletions(-) - -diff --git a/lib/variables.c b/lib/variables.c -index 9c2e7d0ac2d..8123ae60fc9 100644 ---- a/lib/variables.c -+++ b/lib/variables.c -@@ -25,32 +25,59 @@ - #include "shim.h" - - EFI_STATUS --variable_create_esl(void *cert, int cert_len, EFI_GUID *type, EFI_GUID *owner, -- void **out, int *outlen) -+fill_esl(const uint8_t *data, const size_t data_len, -+ const EFI_GUID *type, const EFI_GUID *owner, -+ uint8_t *out, size_t *outlen) - { -- *outlen = cert_len + sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID); -+ EFI_SIGNATURE_LIST *sl; -+ EFI_SIGNATURE_DATA *sd; -+ size_t needed = 0; - -- *out = AllocateZeroPool(*outlen); -- if (!*out) -- return EFI_OUT_OF_RESOURCES; -+ if (!data || !data_len || !type || !outlen) -+ return EFI_INVALID_PARAMETER; - -- EFI_SIGNATURE_LIST *sl = *out; -+ needed = sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID) + data_len; -+ if (!out || *outlen < needed) { -+ *outlen = needed; -+ return EFI_BUFFER_TOO_SMALL; -+ } -+ -+ *outlen = needed; -+ sl = (EFI_SIGNATURE_LIST *)out; - - sl->SignatureHeaderSize = 0; - 
sl->SignatureType = *type; -- sl->SignatureSize = cert_len + sizeof(EFI_GUID); -- sl->SignatureListSize = *outlen; -- -- EFI_SIGNATURE_DATA *sd = *out + sizeof(EFI_SIGNATURE_LIST); -+ sl->SignatureSize = sizeof(EFI_GUID) + data_len; -+ sl->SignatureListSize = needed; - -+ sd = (EFI_SIGNATURE_DATA *)(out + sizeof(EFI_SIGNATURE_LIST)); - if (owner) - sd->SignatureOwner = *owner; - -- CopyMem(sd->SignatureData, cert, cert_len); -+ CopyMem(sd->SignatureData, data, data_len); - - return EFI_SUCCESS; - } - -+EFI_STATUS -+variable_create_esl(const uint8_t *data, const size_t data_len, -+ const EFI_GUID *type, const EFI_GUID *owner, -+ uint8_t **out, size_t *outlen) -+{ -+ EFI_STATUS efi_status; -+ -+ *outlen = 0; -+ efi_status = fill_esl(data, data_len, type, owner, NULL, outlen); -+ if (efi_status != EFI_BUFFER_TOO_SMALL) -+ return efi_status; -+ -+ *out = AllocateZeroPool(*outlen); -+ if (!*out) -+ return EFI_OUT_OF_RESOURCES; -+ -+ return fill_esl(data, data_len, type, owner, *out, outlen); -+} -+ - EFI_STATUS - CreateTimeBasedPayload(IN OUT UINTN * DataSize, IN OUT UINT8 ** Data) - { -@@ -137,9 +164,9 @@ SetSecureVariable(CHAR16 *var, UINT8 *Data, UINTN len, EFI_GUID owner, - return EFI_SECURITY_VIOLATION; - - if (createtimebased) { -- int ds; -+ size_t ds; - efi_status = variable_create_esl(Data, len, &X509_GUID, NULL, -- (void **)&Cert, &ds); -+ (uint8_t **)&Cert, &ds); - if (EFI_ERROR(efi_status)) { - console_print(L"Failed to create %s certificate %d\n", - var, efi_status); -diff --git a/mok.c b/mok.c -index 089ea6bfc9a..e69857f3c37 100644 ---- a/mok.c -+++ b/mok.c -@@ -5,6 +5,8 @@ - - #include "shim.h" - -+#include -+ - /* - * Check if a variable exists - */ -@@ -47,6 +49,15 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) - return EFI_SUCCESS; - } - -+typedef enum { -+ VENDOR_ADDEND_DB, -+ VENDOR_ADDEND_X509, -+ VENDOR_ADDEND_NONE, -+} vendor_addend_category_t; -+ -+struct mok_state_variable; -+typedef vendor_addend_category_t 
(vendor_addend_categorizer_t)(struct mok_state_variable *); -+ - /* - * MoK variables that need to have their storage validated. - * -@@ -58,18 +69,20 @@ struct mok_state_variable { - char *name8; - CHAR16 *rtname; - EFI_GUID *guid; -+ - UINT8 *data; - UINTN data_size; -+ - /* -- * These two are indirect pointers just to make initialization -- * saner... -+ * These are indirect pointers just to make initialization saner... - */ -- UINT8 **addend_source; -+ vendor_addend_categorizer_t *categorize_addend; -+ UINT8 **addend; - UINT32 *addend_size; --#if defined(ENABLE_SHIM_CERT) -+ - UINT8 **build_cert; - UINT32 *build_cert_size; --#endif /* defined(ENABLE_SHIM_CERT) */ -+ - UINT32 yes_attr; - UINT32 no_attr; - UINT32 flags; -@@ -77,6 +90,28 @@ struct mok_state_variable { - UINT8 *state; - }; - -+static vendor_addend_category_t -+categorize_authorized(struct mok_state_variable *v) -+{ -+ if (!(v->addend && v->addend_size && -+ *v->addend && *v->addend_size)) { -+ return VENDOR_ADDEND_NONE; -+ } -+ -+ return vendor_authorized_category; -+} -+ -+static vendor_addend_category_t -+categorize_deauthorized(struct mok_state_variable *v) -+{ -+ if (!(v->addend && v->addend_size && -+ *v->addend && *v->addend_size)) { -+ return VENDOR_ADDEND_NONE; -+ } -+ -+ return VENDOR_ADDEND_DB; -+} -+ - #define MOK_MIRROR_KEYDB 0x01 - #define MOK_MIRROR_DELETE_FIRST 0x02 - #define MOK_VARIABLE_MEASURE 0x04 -@@ -90,8 +125,9 @@ struct mok_state_variable mok_state_variables[] = { - .yes_attr = EFI_VARIABLE_BOOTSERVICE_ACCESS | - EFI_VARIABLE_NON_VOLATILE, - .no_attr = EFI_VARIABLE_RUNTIME_ACCESS, -- .addend_source = &vendor_cert, -- .addend_size = &vendor_cert_size, -+ .categorize_addend = categorize_authorized, -+ .addend = &vendor_authorized, -+ .addend_size = &vendor_authorized_size, - #if defined(ENABLE_SHIM_CERT) - .build_cert = &build_cert, - .build_cert_size = &build_cert_size, -@@ -107,6 +143,9 @@ struct mok_state_variable mok_state_variables[] = { - .yes_attr = 
EFI_VARIABLE_BOOTSERVICE_ACCESS | - EFI_VARIABLE_NON_VOLATILE, - .no_attr = EFI_VARIABLE_RUNTIME_ACCESS, -+ .categorize_addend = categorize_deauthorized, -+ .addend = &vendor_deauthorized, -+ .addend_size = &vendor_deauthorized_size, - .flags = MOK_MIRROR_KEYDB | - MOK_VARIABLE_LOG, - .pcr = 14, -@@ -136,123 +175,253 @@ struct mok_state_variable mok_state_variables[] = { - { NULL, } - }; - --static inline BOOLEAN nonnull(1) --check_vendor_cert(struct mok_state_variable *v) --{ -- return (v->addend_source && v->addend_size && -- *v->addend_source && *v->addend_size) ? TRUE : FALSE; --} -+#define should_mirror_addend(v) (((v)->categorize_addend) && ((v)->categorize_addend(v) != VENDOR_ADDEND_NONE)) - --#if defined(ENABLE_SHIM_CERT) - static inline BOOLEAN nonnull(1) --check_build_cert(struct mok_state_variable *v) -+should_mirror_build_cert(struct mok_state_variable *v) - { - return (v->build_cert && v->build_cert_size && - *v->build_cert && *v->build_cert_size) ? TRUE : FALSE; - } --#define check_addend(v) (check_vendor_cert(v) || check_build_cert(v)) --#else --#define check_addend(v) check_vendor_cert(v) --#endif /* defined(ENABLE_SHIM_CERT) */ -+ -+static const uint8_t null_sha256[32] = { 0, }; - - static EFI_STATUS nonnull(1) - mirror_one_mok_variable(struct mok_state_variable *v) - { - EFI_STATUS efi_status = EFI_SUCCESS; -- void *FullData = NULL; -- UINTN FullDataSize = 0; -+ uint8_t *FullData = NULL; -+ size_t FullDataSize = 0; -+ vendor_addend_category_t addend_category = VENDOR_ADDEND_NONE; - uint8_t *p = NULL; - -- if ((v->flags & MOK_MIRROR_KEYDB) && check_addend(v)) { -- EFI_SIGNATURE_LIST *CertList = NULL; -- EFI_SIGNATURE_DATA *CertData = NULL; --#if defined(ENABLE_SHIM_CERT) -- FullDataSize = v->data_size; -- if (check_build_cert(v)) { -- FullDataSize += sizeof (*CertList) -- + sizeof (EFI_GUID) -- + *v->build_cert_size; -- } -- if (check_vendor_cert(v)) { -- FullDataSize += sizeof (*CertList) -- + sizeof (EFI_GUID) -- + *v->addend_size; -- } --#else 
-- FullDataSize = v->data_size -- + sizeof (*CertList) -- + sizeof (EFI_GUID) -- + *v->addend_size; --#endif /* defined(ENABLE_SHIM_CERT) */ -- FullData = AllocatePool(FullDataSize); -- if (!FullData) { -- perror(L"Failed to allocate space for MokListRT\n"); -- return EFI_OUT_OF_RESOURCES; -- } -- p = FullData; -+ size_t build_cert_esl_sz = 0, addend_esl_sz = 0; - -- if (!EFI_ERROR(efi_status) && v->data_size > 0) { -- CopyMem(p, v->data, v->data_size); -- p += v->data_size; -- } -+ if (v->categorize_addend) -+ addend_category = v->categorize_addend(v); - --#if defined(ENABLE_SHIM_CERT) -- if (check_build_cert(v) == FALSE) -- goto skip_build_cert; -+ /* -+ * we're always mirroring the original data, whether this is an efi -+ * security database or not -+ */ -+ dprint(L"v->data_size:%lu v->data:0x%08llx\n", v->data_size, v->data); -+ dprint(L"FullDataSize:%lu FullData:0x%08llx\n", FullDataSize, FullData); -+ if (v->data_size) { -+ FullDataSize = v->data_size; -+ dprint(L"FullDataSize:%lu FullData:0x%08llx\n", -+ FullDataSize, FullData); -+ } - -- CertList = (EFI_SIGNATURE_LIST *)p; -- p += sizeof (*CertList); -- CertData = (EFI_SIGNATURE_DATA *)p; -- p += sizeof (EFI_GUID); -+ /* -+ * if it is, there's more data -+ */ -+ if (v->flags & MOK_MIRROR_KEYDB) { - -- CertList->SignatureType = EFI_CERT_TYPE_X509_GUID; -- CertList->SignatureListSize = *v->build_cert_size -- + sizeof (*CertList) -- + sizeof (*CertData) -- -1; -- CertList->SignatureHeaderSize = 0; -- CertList->SignatureSize = *v->build_cert_size + -- sizeof (EFI_GUID); -+ /* -+ * We're mirroring (into) an efi security database, aka an -+ * array of efi_signature_list_t. 
Its layout goes like: -+ * -+ * existing_variable_data -+ * existing_variable_data_size -+ * if flags & MOK_MIRROR_KEYDB -+ * if build_cert -+ * build_cert_esl -+ * build_cert_header (always sz=0) -+ * build_cert_esd[0] { owner, data } -+ * if addend==vendor_db -+ * for n=[1..N] -+ * vendor_db_esl_n -+ * vendor_db_header_n (always sz=0) -+ * vendor_db_esd_n[m] {{ owner, data }, ... } -+ * elif addend==vendor_cert -+ * vendor_cert_esl -+ * vendor_cert_header (always sz=0) -+ * vendor_cert_esd[1] { owner, data } -+ * -+ * first we determine the size of the variable, then alloc -+ * and add the data. -+ */ - -- CertData->SignatureOwner = SHIM_LOCK_GUID; -- CopyMem(p, *v->build_cert, *v->build_cert_size); -+ /* -+ * first bit is existing data, but we added that above -+ */ - -- p += *v->build_cert_size; -+ /* -+ * then the build cert if it's there -+ */ -+ if (should_mirror_build_cert(v)) { -+ efi_status = fill_esl(*v->build_cert, -+ *v->build_cert_size, -+ &EFI_CERT_TYPE_X509_GUID, -+ &SHIM_LOCK_GUID, -+ NULL, &build_cert_esl_sz); -+ if (efi_status != EFI_BUFFER_TOO_SMALL) { -+ perror(L"Could not add built-in cert to %s: %r\n", -+ v->name, efi_status); -+ return efi_status; -+ } -+ FullDataSize += build_cert_esl_sz; -+ dprint(L"FullDataSize:%lu FullData:0x%08llx\n", -+ FullDataSize, FullData); -+ } - -- if (check_vendor_cert(v) == FALSE) -- goto skip_vendor_cert; --skip_build_cert: --#endif /* defined(ENABLE_SHIM_CERT) */ -+ /* -+ * then the addend data -+ */ -+ switch (addend_category) { -+ case VENDOR_ADDEND_DB: -+ /* -+ * if it's an ESL already, we use it wholesale -+ */ -+ FullDataSize += *v->addend_size; -+ dprint(L"FullDataSize:%lu FullData:0x%08llx\n", -+ FullDataSize, FullData); -+ break; -+ case VENDOR_ADDEND_X509: -+ efi_status = fill_esl(*v->addend, *v->addend_size, -+ &EFI_CERT_TYPE_X509_GUID, -+ &SHIM_LOCK_GUID, -+ NULL, &addend_esl_sz); -+ if (efi_status != EFI_BUFFER_TOO_SMALL) { -+ perror(L"Could not add built-in cert to %s: %r\n", -+ v->name, 
efi_status); -+ return efi_status; -+ } -+ FullDataSize += addend_esl_sz; -+ dprint(L"FullDataSize:%lu FullData:0x%08llx\n", -+ FullDataSize, FullData); -+ break; -+ default: -+ case VENDOR_ADDEND_NONE: -+ dprint(L"FullDataSize:%lu FullData:0x%08llx\n", -+ FullDataSize, FullData); -+ break; -+ } -+ } - -- CertList = (EFI_SIGNATURE_LIST *)p; -- p += sizeof (*CertList); -- CertData = (EFI_SIGNATURE_DATA *)p; -- p += sizeof (EFI_GUID); -+ /* -+ * Now we have the full size -+ */ -+ if (FullDataSize) { -+ /* -+ * allocate the buffer, or use the old one if it's just the -+ * existing data. -+ */ -+ if (FullDataSize != v->data_size) { -+ dprint(L"FullDataSize:%lu FullData:0x%08llx allocating FullData\n", -+ FullDataSize, FullData); -+ FullData = AllocatePool(FullDataSize); -+ if (!FullData) { -+ FreePool(v->data); -+ v->data = NULL; -+ v->data_size = 0; -+ perror(L"Failed to allocate %lu bytes for %s\n", -+ FullDataSize, v->name); -+ return EFI_OUT_OF_RESOURCES; -+ } -+ p = FullData; -+ dprint(L"FullDataSize:%lu FullData:0x%08llx p:0x%08llx pos:%lld\n", -+ FullDataSize, FullData, p, p-(uintptr_t)FullData); -+ if (v->data && v->data_size) { -+ CopyMem(p, v->data, v->data_size); -+ p += v->data_size; -+ } -+ dprint(L"FullDataSize:%lu FullData:0x%08llx p:0x%08llx pos:%lld\n", -+ FullDataSize, FullData, p, p-(uintptr_t)FullData); -+ } else { -+ FullData = v->data; -+ FullDataSize = v->data_size; -+ p = FullData + FullDataSize; -+ dprint(L"FullDataSize:%lu FullData:0x%08llx p:0x%08llx pos:%lld\n", -+ FullDataSize, FullData, p, p-(uintptr_t)FullData); -+ v->data = NULL; -+ v->data_size = 0; -+ } -+ } -+ dprint(L"FullDataSize:%lu FullData:0x%08llx p:0x%08llx pos:%lld\n", -+ FullDataSize, FullData, p, p-(uintptr_t)FullData); - -- CertList->SignatureType = EFI_CERT_TYPE_X509_GUID; -- CertList->SignatureListSize = *v->addend_size -- + sizeof (*CertList) -- + sizeof (*CertData) -- -1; -- CertList->SignatureHeaderSize = 0; -- CertList->SignatureSize = *v->addend_size + sizeof 
(EFI_GUID); -+ /* -+ * Now fill it. -+ */ -+ if (v->flags & MOK_MIRROR_KEYDB) { -+ /* -+ * first bit is existing data, but again, we added that above -+ */ - -- CertData->SignatureOwner = SHIM_LOCK_GUID; -- CopyMem(p, *v->addend_source, *v->addend_size); -+ /* -+ * second is the build cert -+ */ -+ dprint(L"FullDataSize:%lu FullData:0x%08llx p:0x%08llx pos:%lld\n", -+ FullDataSize, FullData, p, p-(uintptr_t)FullData); -+ if (should_mirror_build_cert(v)) { -+ efi_status = fill_esl(*v->build_cert, -+ *v->build_cert_size, -+ &EFI_CERT_TYPE_X509_GUID, -+ &SHIM_LOCK_GUID, -+ p, &build_cert_esl_sz); -+ if (EFI_ERROR(efi_status)) { -+ perror(L"Could not add built-in cert to %s: %r\n", -+ v->name, efi_status); -+ return efi_status; -+ } -+ p += build_cert_esl_sz; -+ dprint(L"FullDataSize:%lu FullData:0x%08llx p:0x%08llx pos:%lld\n", -+ FullDataSize, FullData, p, p-(uintptr_t)FullData); -+ } - --#if defined(ENABLE_SHIM_CERT) --skip_vendor_cert: --#endif /* defined(ENABLE_SHIM_CERT) */ -- if (v->data && v->data_size) -- FreePool(v->data); -- v->data = FullData; -- v->data_size = FullDataSize; -- } else { -- FullDataSize = v->data_size; -- FullData = v->data; -+ switch (addend_category) { -+ case VENDOR_ADDEND_DB: -+ CopyMem(p, *v->addend, *v->addend_size); -+ p += *v->addend_size; -+ dprint(L"FullDataSize:%lu FullData:0x%08llx p:0x%08llx pos:%lld\n", -+ FullDataSize, FullData, p, p-(uintptr_t)FullData); -+ break; -+ case VENDOR_ADDEND_X509: -+ efi_status = fill_esl(*v->addend, *v->addend_size, -+ &EFI_CERT_TYPE_X509_GUID, -+ &SHIM_LOCK_GUID, -+ p, &addend_esl_sz); -+ if (EFI_ERROR(efi_status)) { -+ perror(L"Could not add built-in cert to %s: %r\n", -+ v->name, efi_status); -+ return efi_status; -+ } -+ p += addend_esl_sz; -+ dprint(L"FullDataSize:%lu FullData:0x%08llx p:0x%08llx pos:%lld\n", -+ FullDataSize, FullData, p, p-(uintptr_t)FullData); -+ break; -+ default: -+ case VENDOR_ADDEND_NONE: -+ dprint(L"FullDataSize:%lu FullData:0x%08llx p:0x%08llx pos:%lld\n", -+ 
FullDataSize, FullData, p, p-(uintptr_t)FullData); -+ break; -+ } -+ } -+ /* -+ * We always want to create our key databases, so in this case we -+ * need a dummy entry -+ */ -+ if ((v->flags & MOK_MIRROR_KEYDB) && FullDataSize == 0) { -+ efi_status = variable_create_esl( -+ null_sha256, sizeof(null_sha256), -+ &EFI_CERT_SHA256_GUID, &SHIM_LOCK_GUID, -+ &FullData, &FullDataSize); -+ if (EFI_ERROR(efi_status)) { -+ perror(L"Failed to allocate %lu bytes for %s\n", -+ FullDataSize, v->name); -+ return efi_status; -+ } -+ p = FullData + FullDataSize; -+ dprint(L"FullDataSize:%lu FullData:0x%08llx p:0x%08llx pos:%lld\n", -+ FullDataSize, FullData, p, p-(uintptr_t)FullData); - } - -+ dprint(L"FullDataSize:%lu FullData:0x%08llx p:0x%08llx pos:%lld\n", -+ FullDataSize, FullData, p, p-(uintptr_t)FullData); - if (FullDataSize) { -+ dprint(L"Setting %s with %lu bytes of data\n", -+ v->rtname, FullDataSize); - efi_status = gRT->SetVariable(v->rtname, v->guid, - EFI_VARIABLE_BOOTSERVICE_ACCESS | - EFI_VARIABLE_RUNTIME_ACCESS, -@@ -262,7 +431,15 @@ skip_vendor_cert: - v->rtname, efi_status); - } - } -- -+ if (v->data && v->data_size) { -+ FreePool(v->data); -+ v->data = NULL; -+ v->data_size = 0; -+ } -+ if (FullData && FullDataSize) { -+ FreePool(FullData); -+ } -+ dprint(L"returning %r\n", efi_status); - return efi_status; - } - -@@ -274,6 +451,8 @@ static EFI_STATUS nonnull(1) - maybe_mirror_one_mok_variable(struct mok_state_variable *v, EFI_STATUS ret) - { - EFI_STATUS efi_status; -+ BOOLEAN present = FALSE; -+ - if (v->rtname) { - if (v->flags & MOK_MIRROR_DELETE_FIRST) - LibDeleteVariable(v->rtname, v->guid); -@@ -286,6 +465,43 @@ maybe_mirror_one_mok_variable(struct mok_state_variable *v, EFI_STATUS ret) - efi_status); - } - } -+ -+ present = (v->data && v->data_size) ? 
TRUE : FALSE; -+ if (!present) -+ return ret; -+ -+ if (v->data_size == sizeof(UINT8) && v->state) { -+ *v->state = v->data[0]; -+ } -+ -+ if (v->flags & MOK_VARIABLE_MEASURE) { -+ /* -+ * Measure this into PCR 7 in the Microsoft format -+ */ -+ efi_status = tpm_measure_variable(v->name, *v->guid, -+ v->data_size, -+ v->data); -+ if (EFI_ERROR(efi_status)) { -+ if (ret != EFI_SECURITY_VIOLATION) -+ ret = efi_status; -+ } -+ } -+ -+ if (v->flags & MOK_VARIABLE_LOG) { -+ /* -+ * Log this variable into whichever PCR the table -+ * says. -+ */ -+ EFI_PHYSICAL_ADDRESS datap = -+ (EFI_PHYSICAL_ADDRESS)(UINTN)v->data, -+ efi_status = tpm_log_event(datap, v->data_size, -+ v->pcr, (CHAR8 *)v->name8); -+ if (EFI_ERROR(efi_status)) { -+ if (ret != EFI_SECURITY_VIOLATION) -+ ret = efi_status; -+ } -+ } -+ - return ret; - } - -@@ -311,26 +527,20 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) - user_insecure_mode = 0; - ignore_db = 0; - -+ dprint(L"importing mok state\n"); - for (i = 0; mok_state_variables[i].name != NULL; i++) { - struct mok_state_variable *v = &mok_state_variables[i]; - UINT32 attrs = 0; -- BOOLEAN delete = FALSE, present, addend; -- -- addend = check_addend(v); -+ BOOLEAN delete = FALSE; - - efi_status = get_variable_attr(v->name, - &v->data, &v->data_size, - *v->guid, &attrs); -+ dprint(L"maybe mirroring %s\n", v->name); - if (efi_status == EFI_NOT_FOUND) { -- if (addend) -- ret = maybe_mirror_one_mok_variable(v, ret); -- /* -- * after possibly adding, we can continue, no -- * further checks to be done. 
-- */ -- continue; -- } -- if (EFI_ERROR(efi_status)) { -+ v->data = NULL; -+ v->data_size = 0; -+ } else if (EFI_ERROR(efi_status)) { - perror(L"Could not verify %s: %r\n", v->name, - efi_status); - /* -@@ -339,22 +549,22 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) - */ - if (ret != EFI_SECURITY_VIOLATION) - ret = efi_status; -- continue; -- } -- -- if (!(attrs & v->yes_attr)) { -- perror(L"Variable %s is missing attributes:\n", -- v->name); -- perror(L" 0x%08x should have 0x%08x set.\n", -- attrs, v->yes_attr); -- delete = TRUE; -- } -- if (attrs & v->no_attr) { -- perror(L"Variable %s has incorrect attribute:\n", -- v->name); -- perror(L" 0x%08x should not have 0x%08x set.\n", -- attrs, v->no_attr); - delete = TRUE; -+ } else { -+ if (!(attrs & v->yes_attr)) { -+ perror(L"Variable %s is missing attributes:\n", -+ v->name); -+ perror(L" 0x%08x should have 0x%08x set.\n", -+ attrs, v->yes_attr); -+ delete = TRUE; -+ } -+ if (attrs & v->no_attr) { -+ perror(L"Variable %s has incorrect attribute:\n", -+ v->name); -+ perror(L" 0x%08x should not have 0x%08x set.\n", -+ attrs, v->no_attr); -+ delete = TRUE; -+ } - } - if (delete == TRUE) { - perror(L"Deleting bad variable %s\n", v->name); -@@ -366,45 +576,9 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) - FreePool(v->data); - v->data = NULL; - v->data_size = 0; -- continue; - } - -- if (v->data && v->data_size == sizeof(UINT8) && v->state) { -- *v->state = v->data[0]; -- } -- -- present = (v->data && v->data_size) ? TRUE : FALSE; -- -- if (v->flags & MOK_VARIABLE_MEASURE && present) { -- /* -- * Measure this into PCR 7 in the Microsoft format -- */ -- efi_status = tpm_measure_variable(v->name, *v->guid, -- v->data_size, -- v->data); -- if (EFI_ERROR(efi_status)) { -- if (ret != EFI_SECURITY_VIOLATION) -- ret = efi_status; -- } -- } -- -- if (v->flags & MOK_VARIABLE_LOG && present) { -- /* -- * Log this variable into whichever PCR the table -- * says. 
-- */ -- EFI_PHYSICAL_ADDRESS datap = -- (EFI_PHYSICAL_ADDRESS)(UINTN)v->data, -- efi_status = tpm_log_event(datap, v->data_size, -- v->pcr, (CHAR8 *)v->name8); -- if (EFI_ERROR(efi_status)) { -- if (ret != EFI_SECURITY_VIOLATION) -- ret = efi_status; -- } -- } -- -- if (present) -- ret = maybe_mirror_one_mok_variable(v, ret); -+ ret = maybe_mirror_one_mok_variable(v, ret); - } - - /* -@@ -412,14 +586,16 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) - * cause MokManager to demand a machine reboot, so this is safe to - * have after the entire loop. - */ -+ dprint(L"checking mok request\n"); - efi_status = check_mok_request(image_handle); -+ dprint(L"mok returned %r\n", efi_status); - if (EFI_ERROR(efi_status)) { - if (ret != EFI_SECURITY_VIOLATION) - ret = efi_status; - return ret; - } - -- -+ dprint(L"returning %r\n", ret); - return ret; - } - -diff --git a/shim.c b/shim.c -index 888ee6e8d7b..ee62248ca4e 100644 ---- a/shim.c -+++ b/shim.c -@@ -646,6 +646,31 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert, - } - } - -+#if defined(VENDOR_DB_FILE) -+ EFI_SIGNATURE_LIST *db = (EFI_SIGNATURE_LIST *)vendor_db; -+ -+ if (check_db_hash_in_ram(db, vendor_db_size, -+ sha256hash, SHA256_DIGEST_SIZE, -+ EFI_CERT_SHA256_GUID, L"vendor_db", -+ EFI_SECURE_BOOT_DB_GUID) == DATA_FOUND) { -+ verification_method = VERIFIED_BY_HASH; -+ update_verification_method(VERIFIED_BY_HASH); -+ return EFI_SUCCESS; -+ } else { -+ LogError(L"check_db_hash(vendor_db, sha256hash) != DATA_FOUND\n"); -+ } -+ if (cert && -+ check_db_cert_in_ram(db, vendor_db_size, -+ cert, sha256hash, L"vendor_db", -+ EFI_SECURE_BOOT_DB_GUID) == DATA_FOUND) { -+ verification_method = VERIFIED_BY_CERT; -+ update_verification_method(VERIFIED_BY_CERT); -+ return EFI_SUCCESS; -+ } else { -+ LogError(L"check_db_cert(vendor_db, sha256hash) != DATA_FOUND\n"); -+ } -+#endif -+ - if (check_db_hash(L"MokList", SHIM_LOCK_GUID, sha256hash, - SHA256_DIGEST_SIZE, EFI_CERT_SHA256_GUID) - == DATA_FOUND) 
{ -@@ -1076,6 +1101,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, - } - #endif /* defined(ENABLE_SHIM_CERT) */ - -+#if defined(VENDOR_CERT_FILE) - /* - * And finally, check against shim's built-in key - */ -@@ -1093,6 +1119,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, - } else { - LogError(L"AuthenticodeVerify(vendor_authorized) failed\n"); - } -+#endif /* defined(VENDOR_CERT_FILE) */ - } - - LogError(L"Binary is not whitelisted\n"); -diff --git a/include/console.h b/include/console.h -index 9f259c71b72..810bf13a1f1 100644 ---- a/include/console.h -+++ b/include/console.h -@@ -78,12 +78,13 @@ struct _EFI_CONSOLE_CONTROL_PROTOCOL { - extern VOID console_fini(VOID); - extern VOID setup_verbosity(VOID); - extern UINT32 verbose; --#define dprint(fmt, ...) ({ \ -+#define dprint_(fmt, ...) ({ \ - UINTN __dprint_ret = 0; \ - if (verbose) \ - __dprint_ret = console_print((fmt), ##__VA_ARGS__); \ - __dprint_ret; \ - }) -+#define dprint(fmt, ...) dprint_(L"%a:%d:%a() " fmt, __FILE__, __LINE__, __func__, ##__VA_ARGS__) - - extern EFI_STATUS print_crypto_errors(EFI_STATUS rc, char *file, const char *func, int line); - #define crypterr(rc) print_crypto_errors((rc), __FILE__, __func__, __LINE__) -diff --git a/include/variables.h b/include/variables.h -index 8566a1a4746..436adb46e16 100644 ---- a/include/variables.h -+++ b/include/variables.h -@@ -57,7 +57,12 @@ EFI_STATUS - variable_enroll_hash(CHAR16 *var, EFI_GUID owner, - UINT8 hash[SHA256_DIGEST_SIZE]); - EFI_STATUS --variable_create_esl(void *cert, int cert_len, EFI_GUID *type, EFI_GUID *owner, -- void **out, int *outlen); -+variable_create_esl(const uint8_t *cert, const size_t cert_len, -+ const EFI_GUID *type, const EFI_GUID *owner, -+ uint8_t **out, size_t *outlen); -+EFI_STATUS -+fill_esl(const uint8_t *data, const size_t data_len, -+ const EFI_GUID *type, const EFI_GUID *owner, -+ uint8_t *out, size_t *outlen); - - #endif /* SHIM_VARIABLES_H */ -diff --git a/shim.h b/shim.h -index 
555498c6673..c1d7e7c7197 100644 ---- a/shim.h -+++ b/shim.h -@@ -97,7 +97,11 @@ - #define FALLBACK L"\\fb" EFI_ARCH L".efi" - #define MOK_MANAGER L"\\mm" EFI_ARCH L".efi" - --#if defined(VENDOR_CERT_FILE) -+#if defined(VENDOR_DB_FILE) -+# define vendor_authorized vendor_db -+# define vendor_authorized_size vendor_db_size -+# define vendor_authorized_category VENDOR_ADDEND_DB -+#elif defined(VENDOR_CERT_FILE) - # define vendor_authorized vendor_cert - # define vendor_authorized_size vendor_cert_size - # define vendor_authorized_category VENDOR_ADDEND_X509 -@@ -116,6 +120,7 @@ - #endif - - #include "include/asm.h" -+#include "include/compiler.h" - #include "include/configtable.h" - #include "include/console.h" - #include "include/crypt_blowfish.h" -diff --git a/cert.S b/cert.S -index 520caaef3af..e636fcbbf2d 100644 ---- a/cert.S -+++ b/cert.S -@@ -1,5 +1,12 @@ - --#if defined(VENDOR_CERT_FILE) -+#if defined(VENDOR_DB_FILE) && defined(VENDOR_CERT_FILE) -+# error both VENDOR_DB_FILE and VENDOR_CERT_FILE have been configured -+#elif defined(VENDOR_DB_FILE) -+# define vendor_authorized vendor_db -+# define vendor_authorized_end vendor_db_end -+# define vendor_authorized_size vendor_db_size -+# define vendor_authorized_size_end vendor_db_size_end -+#elif defined(VENDOR_CERT_FILE) - # define vendor_authorized vendor_cert - # define vendor_authorized_end vendor_cert_end - # define vendor_authorized_size vendor_cert_size -@@ -28,7 +35,9 @@ cert_table: - .size vendor_authorized, .Lvendor_authorized_end - vendor_authorized - .section .vendor_cert, "a", %progbits - vendor_authorized: --#if defined(VENDOR_CERT_FILE) -+#if defined(VENDOR_DB_FILE) -+.incbin VENDOR_DB_FILE -+#elif defined(VENDOR_CERT_FILE) - .incbin VENDOR_CERT_FILE - #endif - .Lvendor_authorized_end: -diff --git a/Make.defaults b/Make.defaults -index f0bfa9fd573..2e01646a35d 100644 ---- a/Make.defaults -+++ b/Make.defaults -@@ -125,6 +125,9 @@ BOOTCSVNAME ?= BOOT$(ARCH_SUFFIX_UPPER).CSV - - CFLAGS += 
"-DEFI_ARCH=L\"$(ARCH_SUFFIX)\"" "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/$(ARCH_SUFFIX)-$(VERSION)$(DASHRELEASE)/\"" - -+ifneq ($(origin VENDOR_DB_FILE), undefined) -+ CFLAGS += -DVENDOR_DB_FILE=\"$(VENDOR_DB_FILE)\" -+endif - ifneq ($(origin VENDOR_CERT_FILE), undefined) - CFLAGS += -DVENDOR_CERT_FILE=\"$(VENDOR_CERT_FILE)\" - endif -diff --git a/README.tpm b/README.tpm -index c060dbe22db..62308d5c71a 100644 ---- a/README.tpm -+++ b/README.tpm -@@ -13,6 +13,7 @@ PCR7: - - MokListX - the Mok blacklist, logged as "MokListX" - - vendor_dbx - shim's built-in vendor blacklist, logged as "dbx" - - DB - the system whitelist, logged as "db" -+ - vendor_db - shim's built-in vendor whitelist, logged as "db" - - MokList the Mok whitelist, logged as "MokList" - - vendor_cert - shim's built-in vendor whitelist, logged as "Shim" - - shim_cert - shim's build-time generated whitelist, logged as "Shim" --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0058-Handle-binaries-with-multiple-signatures.patch b/SPECS/shim-unsigned-x64/0058-Handle-binaries-with-multiple-signatures.patch deleted file mode 100644 index 84482de7399..00000000000 --- a/SPECS/shim-unsigned-x64/0058-Handle-binaries-with-multiple-signatures.patch +++ /dev/null 
@@ -1,366 +0,0 @@ -From 76c0447e204c7e4ce918c4887ce8aae0e0816271 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 23 Jul 2020 16:32:05 -0400 -Subject: [PATCH 58/62] Handle binaries with multiple signatures. - -This adds support for multiple signatures. It first tries validating -the binary by hash, first against our dbx lists, then against our db -lists. If it isn't allowed or rejected at that step, it continues to -the normal routine of checking all the signatures. - -At this point it does *not* reject a binary just because a signature is -by a cert on a dbx list, though that will override any db list that -certificate is listed on. If at any point any assertion about the -binary or signature list being well-formed fails, the binary is -immediately rejected, though we do allow skipping over signatures -which have an unsupported sig->Hdr.wCertificateType. - -Signed-off-by: Peter Jones -Upstream: pr#210 ---- - shim.c | 287 +++++++++++++++++++++++++++++++++++++++------------------ - 1 file changed, 198 insertions(+), 89 deletions(-) - -diff --git a/shim.c b/shim.c -index ee62248ca4e..d10a1ba1cac 100644 ---- a/shim.c -+++ b/shim.c -@@ -690,7 +690,7 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert, - } - - update_verification_method(VERIFIED_BY_NOTHING); -- return EFI_SECURITY_VIOLATION; -+ return EFI_NOT_FOUND; - } - - /* -@@ -1004,6 +1004,103 @@ done: - return efi_status; - } - -+static EFI_STATUS -+verify_one_signature(WIN_CERTIFICATE_EFI_PKCS *sig, -+ UINT8 *sha256hash, UINT8 *sha1hash) -+{ -+ EFI_STATUS efi_status; -+ -+ /* -+ * Ensure that the binary isn't blacklisted -+ */ -+ drain_openssl_errors(); -+ efi_status = check_blacklist(sig, sha256hash, sha1hash); -+ if (EFI_ERROR(efi_status)) { -+ perror(L"Binary is blacklisted: %r\n", efi_status); -+ PrintErrors(); -+ ClearErrors(); -+ crypterr(efi_status); -+ return efi_status; -+ } -+ -+ /* -+ * Check whether the binary is whitelisted in any of the firmware -+ * databases -+ */ -+ 
drain_openssl_errors(); -+ efi_status = check_whitelist(sig, sha256hash, sha1hash); -+ if (EFI_ERROR(efi_status)) { -+ if (efi_status != EFI_NOT_FOUND) { -+ dprint(L"check_whitelist(): %r\n", efi_status); -+ PrintErrors(); -+ ClearErrors(); -+ crypterr(efi_status); -+ } -+ } else { -+ drain_openssl_errors(); -+ return efi_status; -+ } -+ -+ efi_status = EFI_NOT_FOUND; -+#if defined(ENABLE_SHIM_CERT) -+ /* -+ * Check against the shim build key -+ */ -+ drain_openssl_errors(); -+ if (build_cert && build_cert_size) { -+ dprint("verifying against shim cert\n"); -+ } -+ if (build_cert && build_cert_size && -+ AuthenticodeVerify(sig->CertData, -+ sig->Hdr.dwLength - sizeof(sig->Hdr), -+ build_cert, build_cert_size, sha256hash, -+ SHA256_DIGEST_SIZE)) { -+ dprint(L"AuthenticodeVerify(shim_cert) succeeded\n"); -+ update_verification_method(VERIFIED_BY_CERT); -+ tpm_measure_variable(L"Shim", SHIM_LOCK_GUID, -+ build_cert_size, build_cert); -+ efi_status = EFI_SUCCESS; -+ drain_openssl_errors(); -+ return efi_status; -+ } else { -+ dprint(L"AuthenticodeVerify(shim_cert) failed\n"); -+ PrintErrors(); -+ ClearErrors(); -+ crypterr(EFI_NOT_FOUND); -+ } -+#endif /* defined(ENABLE_SHIM_CERT) */ -+ -+#if defined(VENDOR_CERT_FILE) -+ /* -+ * And finally, check against shim's built-in key -+ */ -+ drain_openssl_errors(); -+ if (vendor_cert_size) { -+ dprint("verifying against vendor_cert\n"); -+ } -+ if (vendor_cert_size && -+ AuthenticodeVerify(sig->CertData, -+ sig->Hdr.dwLength - sizeof(sig->Hdr), -+ vendor_cert, vendor_cert_size, -+ sha256hash, SHA256_DIGEST_SIZE)) { -+ dprint(L"AuthenticodeVerify(vendor_cert) succeeded\n"); -+ update_verification_method(VERIFIED_BY_CERT); -+ tpm_measure_variable(L"Shim", SHIM_LOCK_GUID, -+ vendor_cert_size, vendor_cert); -+ efi_status = EFI_SUCCESS; -+ drain_openssl_errors(); -+ return efi_status; -+ } else { -+ dprint(L"AuthenticodeVerify(vendor_cert) failed\n"); -+ PrintErrors(); -+ ClearErrors(); -+ crypterr(EFI_NOT_FOUND); -+ } -+#endif /* 
defined(VENDOR_CERT_FILE) */ -+ -+ return efi_status; -+} -+ - /* - * Check that the signature is valid and matches the binary - */ -@@ -1011,40 +1108,14 @@ static EFI_STATUS verify_buffer (char *data, int datasize, - PE_COFF_LOADER_IMAGE_CONTEXT *context, - UINT8 *sha256hash, UINT8 *sha1hash) - { -- EFI_STATUS efi_status = EFI_SECURITY_VIOLATION; -- WIN_CERTIFICATE_EFI_PKCS *cert = NULL; -- unsigned int size = datasize; -+ EFI_STATUS ret_efi_status; -+ size_t size = datasize; -+ size_t offset = 0; -+ unsigned int i = 0; - - if (datasize < 0) - return EFI_INVALID_PARAMETER; - -- if (context->SecDir->Size != 0) { -- if (context->SecDir->Size >= size) { -- perror(L"Certificate Database size is too large\n"); -- return EFI_INVALID_PARAMETER; -- } -- -- cert = ImageAddress (data, size, -- context->SecDir->VirtualAddress); -- -- if (!cert) { -- perror(L"Certificate located outside the image\n"); -- return EFI_INVALID_PARAMETER; -- } -- -- if (cert->Hdr.dwLength > context->SecDir->Size) { -- perror(L"Certificate list size is inconsistent with PE headers"); -- return EFI_INVALID_PARAMETER; -- } -- -- if (cert->Hdr.wCertificateType != -- WIN_CERT_TYPE_PKCS_SIGNED_DATA) { -- perror(L"Unsupported certificate type %x\n", -- cert->Hdr.wCertificateType); -- return EFI_UNSUPPORTED; -- } -- } -- - /* - * Clear OpenSSL's error log, because we get some DSO unimplemented - * errors during its intialization, and we don't want those to look -@@ -1052,81 +1123,119 @@ static EFI_STATUS verify_buffer (char *data, int datasize, - */ - drain_openssl_errors(); - -- efi_status = generate_hash(data, datasize, context, sha256hash, sha1hash); -- if (EFI_ERROR(efi_status)) { -- LogError(L"generate_hash: %r\n", efi_status); -- return efi_status; -+ ret_efi_status = generate_hash(data, datasize, context, sha256hash, sha1hash); -+ if (EFI_ERROR(ret_efi_status)) { -+ dprint(L"generate_hash: %r\n", ret_efi_status); -+ PrintErrors(); -+ ClearErrors(); -+ crypterr(ret_efi_status); -+ return 
ret_efi_status; - } - - /* -- * Ensure that the binary isn't blacklisted -+ * Ensure that the binary isn't blacklisted by hash - */ -- efi_status = check_blacklist(cert, sha256hash, sha1hash); -- if (EFI_ERROR(efi_status)) { -+ drain_openssl_errors(); -+ ret_efi_status = check_blacklist(NULL, sha256hash, sha1hash); -+ if (EFI_ERROR(ret_efi_status)) { - perror(L"Binary is blacklisted\n"); -- LogError(L"Binary is blacklisted: %r\n", efi_status); -- return efi_status; -+ dprint(L"Binary is blacklisted: %r\n", ret_efi_status); -+ PrintErrors(); -+ ClearErrors(); -+ crypterr(ret_efi_status); -+ return ret_efi_status; - } - - /* -- * Check whether the binary is whitelisted in any of the firmware -- * databases -+ * Check whether the binary is whitelisted by hash in any of the -+ * firmware databases - */ -- efi_status = check_whitelist(cert, sha256hash, sha1hash); -- if (EFI_ERROR(efi_status)) { -- LogError(L"check_whitelist(): %r\n", efi_status); -+ drain_openssl_errors(); -+ ret_efi_status = check_whitelist(NULL, sha256hash, sha1hash); -+ if (EFI_ERROR(ret_efi_status)) { -+ dprint(L"check_whitelist: %r\n", ret_efi_status); -+ if (ret_efi_status != EFI_NOT_FOUND) { -+ PrintErrors(); -+ ClearErrors(); -+ crypterr(ret_efi_status); -+ return ret_efi_status; -+ } - } else { - drain_openssl_errors(); -- return efi_status; -+ return ret_efi_status; - } - -- if (cert) { --#if defined(ENABLE_SHIM_CERT) -- /* -- * Check against the shim build key -- */ -- if (sizeof(shim_cert) && -- AuthenticodeVerify(cert->CertData, -- cert->Hdr.dwLength - sizeof(cert->Hdr), -- shim_cert, sizeof(shim_cert), sha256hash, -- SHA256_DIGEST_SIZE)) { -- update_verification_method(VERIFIED_BY_CERT); -- tpm_measure_variable(L"Shim", SHIM_LOCK_GUID, -- sizeof(shim_cert), shim_cert); -- efi_status = EFI_SUCCESS; -- drain_openssl_errors(); -- return efi_status; -- } else { -- LogError(L"AuthenticodeVerify(shim_cert) failed\n"); -+ if (context->SecDir->Size == 0) { -+ dprint(L"No signatures found\n"); -+ 
return EFI_SECURITY_VIOLATION; -+ } -+ -+ if (context->SecDir->Size >= size) { -+ perror(L"Certificate Database size is too large\n"); -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ ret_efi_status = EFI_NOT_FOUND; -+ do { -+ WIN_CERTIFICATE_EFI_PKCS *sig = NULL; -+ size_t sz; -+ -+ sig = ImageAddress(data, size, -+ context->SecDir->VirtualAddress + offset); -+ if (!sig) -+ break; -+ -+ sz = offset + offsetof(WIN_CERTIFICATE_EFI_PKCS, Hdr.dwLength) -+ + sizeof(sig->Hdr.dwLength); -+ if (sz > context->SecDir->Size) { -+ perror(L"Certificate size is too large for secruity database"); -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ sz = sig->Hdr.dwLength; -+ if (sz > context->SecDir->Size - offset) { -+ perror(L"Certificate size is too large for secruity database"); -+ return EFI_INVALID_PARAMETER; - } --#endif /* defined(ENABLE_SHIM_CERT) */ -- --#if defined(VENDOR_CERT_FILE) -- /* -- * And finally, check against shim's built-in key -- */ -- if (vendor_authorized_size && -- AuthenticodeVerify(cert->CertData, -- cert->Hdr.dwLength - sizeof(cert->Hdr), -- vendor_authorized, vendor_authorized_size, -- sha256hash, SHA256_DIGEST_SIZE)) { -- update_verification_method(VERIFIED_BY_CERT); -- tpm_measure_variable(L"Shim", SHIM_LOCK_GUID, -- vendor_authorized_size, vendor_authorized); -- efi_status = EFI_SUCCESS; -- drain_openssl_errors(); -- return efi_status; -+ -+ if (sz < sizeof(sig->Hdr)) { -+ perror(L"Certificate size is too small for certificate data"); -+ return EFI_INVALID_PARAMETER; -+ } -+ -+ if (sig->Hdr.wCertificateType == WIN_CERT_TYPE_PKCS_SIGNED_DATA) { -+ EFI_STATUS efi_status; -+ -+ dprint(L"Attempting to verify signature %d:\n", i++); -+ -+ efi_status = verify_one_signature(sig, sha256hash, sha1hash); -+ -+ /* -+ * If we didn't get EFI_SECURITY_VIOLATION from -+ * checking the hashes above, then any dbx entries are -+ * for a certificate, not this individual binary. 
-+ * -+ * So don't clobber successes with security violation -+ * here; that just means it isn't a success. -+ */ -+ if (ret_efi_status != EFI_SUCCESS) -+ ret_efi_status = efi_status; - } else { -- LogError(L"AuthenticodeVerify(vendor_authorized) failed\n"); -+ perror(L"Unsupported certificate type %x\n", -+ sig->Hdr.wCertificateType); - } --#endif /* defined(VENDOR_CERT_FILE) */ -- } -+ offset = ALIGN_VALUE(offset + sz, 8); -+ } while (offset < context->SecDir->Size); - -- LogError(L"Binary is not whitelisted\n"); -- crypterr(EFI_SECURITY_VIOLATION); -- PrintErrors(); -- efi_status = EFI_SECURITY_VIOLATION; -- return efi_status; -+ if (ret_efi_status != EFI_SUCCESS) { -+ dprint(L"Binary is not whitelisted\n"); -+ PrintErrors(); -+ ClearErrors(); -+ crypterr(EFI_SECURITY_VIOLATION); -+ ret_efi_status = EFI_SECURITY_VIOLATION; -+ } -+ drain_openssl_errors(); -+ return ret_efi_status; - } - - /* --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0059-Make-openssl-accept-the-right-set-of-KU-EKUs.patch b/SPECS/shim-unsigned-x64/0059-Make-openssl-accept-the-right-set-of-KU-EKUs.patch deleted file mode 100644 index 87d6f0c6b5b..00000000000 --- a/SPECS/shim-unsigned-x64/0059-Make-openssl-accept-the-right-set-of-KU-EKUs.patch +++ /dev/null 
@@ -1,119 +0,0 @@ -From 705d47ac2c90b8de07a4ef3e1930de6c4b8fece0 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Wed, 22 Jul 2020 19:54:58 -0400 -Subject: [PATCH 59/62] Make openssl accept the right set of KU/EKUs - -Signed-off-by: Peter Jones -Upstream: pr#211 ---- - Cryptlib/Pk/CryptPkcs7Verify.c | 87 ++++++++++++++++++++++++++++++++++ - 1 file changed, 87 insertions(+) - -diff --git a/Cryptlib/Pk/CryptPkcs7Verify.c b/Cryptlib/Pk/CryptPkcs7Verify.c -index dcaba436797..09895d8c66a 100644 ---- a/Cryptlib/Pk/CryptPkcs7Verify.c -+++ b/Cryptlib/Pk/CryptPkcs7Verify.c -@@ -30,6 +30,91 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. - - UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 }; - -+#if 1 -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#define X509_OBJECT_get0_X509(obj) ((obj)->data.x509) -+#define X509_OBJECT_get_type(obj) ((obj)->type) -+#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert) -+#define X509_STORE_get0_objects(certs) ((certs)->objs) -+#define X509_get_extended_key_usage(cert) ((cert)->ex_xkusage) -+#if OPENSSL_VERSION_NUMBER < 0x10020000L -+#define X509_STORE_CTX_get0_store(ctx) ((ctx)->ctx) -+#endif -+#endif -+ -+static int cert_in_store(X509 *cert, X509_STORE_CTX *ctx) -+{ -+ X509_OBJECT obj; -+ obj.type = X509_LU_X509; -+ obj.data.x509 = cert; -+ return X509_OBJECT_retrieve_match(ctx->ctx->objs, &obj) != NULL; -+} -+#else -+/* -+ * Later versions of openssl will need this instead. 
-+ */ -+static int cert_in_store(X509 *cert, X509_STORE_CTX *ctx) -+{ -+ STACK_OF(X509_OBJECT) *objs; -+ X509_OBJECT *obj; -+ int i; -+ -+ objs = X509_STORE_get0_objects(X509_STORE_CTX_get0_store(ctx)); -+ -+ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) { -+ obj = sk_X509_OBJECT_value(objs, i); -+ -+ if (X509_OBJECT_get_type(obj) == X509_LU_X509 && -+ !X509_cmp(X509_OBJECT_get0_X509(obj), cert)) -+ return 1; -+ } -+ -+ return 0; -+} -+#endif -+ -+int -+X509VerifyCb ( -+ IN int Status, -+ IN X509_STORE_CTX *Context -+ ) -+{ -+ INTN Error; -+ -+ Error = (INTN) X509_STORE_CTX_get_error (Context); -+ -+ /* Accept code-signing keys */ -+ if (Error == X509_V_ERR_INVALID_PURPOSE && -+ X509_get_extended_key_usage(X509_STORE_CTX_get0_cert(Context)) == XKU_CODE_SIGN) { -+ Status = 1; -+ } else if (Error == X509_V_ERR_CERT_UNTRUSTED || -+ Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT || -+ Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY || -+ Error == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE) { -+ /* all certs in our cert database are explicitly trusted */ -+ -+ if (cert_in_store(X509_STORE_CTX_get_current_cert(Context), Context)) -+ Status = 1; -+ } else if (Error == X509_V_ERR_CERT_HAS_EXPIRED || -+ Error == X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD || -+ Error == X509_V_ERR_CERT_NOT_YET_VALID || -+ Error == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY || -+ Error == X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD) { -+ /* UEFI explicitly allows expired certificates */ -+ Status = 1; -+#if 0 -+ } else if (Error == X509_V_ERR_INVALID_CA) { -+ /* Due to the historical reason, we have to relax the the x509 v3 extension -+ * check to allow the CA certificates without the CA flag in the basic -+ * constraints or KeyCertSign in the key usage to be loaded. In the future, -+ * this callback should be removed to enforce the proper check. */ -+ Status = 1; -+#endif -+ } -+ -+ return Status; -+} -+ - /** - Check input P7Data is a wrapped ContentInfo structure or not. 
If not construct - a new structure to wrap P7Data. -@@ -844,6 +929,8 @@ Pkcs7Verify ( - goto _Exit; - } - -+ X509_STORE_set_verify_cb (CertStore, X509VerifyCb); -+ - // - // For generic PKCS#7 handling, InData may be NULL if the content is present - // in PKCS#7 structure. So ignore NULL checking here. --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0060-Improve-debug-output-some.patch b/SPECS/shim-unsigned-x64/0060-Improve-debug-output-some.patch deleted file mode 100644 index b48e54b64ba..00000000000 --- a/SPECS/shim-unsigned-x64/0060-Improve-debug-output-some.patch +++ /dev/null 
@@ -1,451 +0,0 @@ -From fc4368fed53837e00d303600d8b628cb0392b629 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 23 Jul 2020 20:29:52 -0400 -Subject: [PATCH 60/62] Improve debug output some - -Signed-off-by: Peter Jones -Upstream: pr#213 ---- - errlog.c | 26 ++++++- - shim.c | 36 ++++++++-- - include/console.h | 3 + - include/hexdump.h | 172 ++++++++++++++++++++++++++++------------------ - shim.h | 5 +- - 5 files changed, 164 insertions(+), 78 deletions(-) - -diff --git a/errlog.c b/errlog.c -index 6669c800233..08f7a82a6b2 100644 ---- a/errlog.c -+++ b/errlog.c -@@ -3,12 +3,28 @@ - * Copyright 2017 Peter Jones - */ - #include "shim.h" -+#include "hexdump.h" - - static CHAR16 **errs = NULL; - static UINTN nerrs = 0; - - EFI_STATUS --VLogError(const char *file, int line, const char *func, CHAR16 *fmt, va_list args) -+vdprint_(const CHAR16 *fmt, const char *file, int line, const char *func, va_list args) -+{ -+ va_list args2; -+ EFI_STATUS efi_status = EFI_SUCCESS; -+ -+ if (verbose) { -+ va_copy(args2, args); -+ console_print(L"%a:%d:%a() ", file, line, func); -+ efi_status = VPrint(fmt, args2); -+ va_end(args2); -+ } -+ return efi_status; -+} -+ -+EFI_STATUS -+VLogError(const char *file, int line, const char *func, const CHAR16 *fmt, va_list args) - { - va_list args2; - CHAR16 **newerrs; -@@ -35,7 +51,7 @@ VLogError(const char *file, int line, const char *func, CHAR16 *fmt, va_list arg - } - - EFI_STATUS --LogError_(const char *file, int line, const char *func, CHAR16 *fmt, ...) -+LogError_(const char *file, int line, const char *func, const CHAR16 *fmt, ...) - { - va_list args; - EFI_STATUS efi_status; -@@ -47,6 +63,12 @@ LogError_(const char *file, int line, const char *func, CHAR16 *fmt, ...) 
- return efi_status; - } - -+VOID -+LogHexdump_(const char *file, int line, const char *func, const void *data, size_t sz) -+{ -+ hexdumpat(file, line, func, data, sz, 0); -+} -+ - VOID - PrintErrors(VOID) - { -diff --git a/shim.c b/shim.c -index d10a1ba1cac..9248642bd57 100644 ---- a/shim.c -+++ b/shim.c -@@ -34,6 +34,7 @@ - */ - - #include "shim.h" -+#include "hexdump.h" - #if defined(ENABLE_SHIM_CERT) - #include "shim_cert.h" - #endif /* defined(ENABLE_SHIM_CERT) */ -@@ -373,12 +374,18 @@ static BOOLEAN verify_x509(UINT8 *Cert, UINTN CertSize) - * and 64KB. For convenience, assume the number of value bytes - * is 2, i.e. the second byte is 0x82. - */ -- if (Cert[0] != 0x30 || Cert[1] != 0x82) -+ if (Cert[0] != 0x30 || Cert[1] != 0x82) { -+ dprint(L"cert[0:1] is [%02x%02x], should be [%02x%02x]\n", -+ Cert[0], Cert[1], 0x30, 0x82); - return FALSE; -+ } - - length = Cert[2]<<8 | Cert[3]; -- if (length != (CertSize - 4)) -+ if (length != (CertSize - 4)) { -+ dprint(L"Cert length is %ld, expecting %ld\n", -+ length, CertSize); - return FALSE; -+ } - - return TRUE; - } -@@ -426,19 +433,23 @@ static CHECK_STATUS check_db_cert_in_ram(EFI_SIGNATURE_LIST *CertList, - EFI_SIGNATURE_DATA *Cert; - UINTN CertSize; - BOOLEAN IsFound = FALSE; -+ int i = 0; - - while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) { - if (CompareGuid (&CertList->SignatureType, &EFI_CERT_TYPE_X509_GUID) == 0) { - Cert = (EFI_SIGNATURE_DATA *) ((UINT8 *) CertList + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize); - CertSize = CertList->SignatureSize - sizeof(EFI_GUID); -+ dprint(L"trying to verify cert %d (%s)\n", i++, dbname); - if (verify_x509(Cert->SignatureData, CertSize)) { - if (verify_eku(Cert->SignatureData, CertSize)) { -+ drain_openssl_errors(); - IsFound = AuthenticodeVerify (data->CertData, - data->Hdr.dwLength - sizeof(data->Hdr), - Cert->SignatureData, - CertSize, - hash, SHA256_DIGEST_SIZE); - if (IsFound) { -+ dprint(L"AuthenticodeVerify() succeeded: %d\n", 
IsFound); - tpm_measure_variable(dbname, guid, CertSize, Cert->SignatureData); - drain_openssl_errors(); - return DATA_FOUND; -@@ -447,7 +458,9 @@ static CHECK_STATUS check_db_cert_in_ram(EFI_SIGNATURE_LIST *CertList, - } - } - } else if (verbose) { -- console_notify(L"Not a DER encoding x.509 Certificate"); -+ console_print(L"Not a DER encoded x.509 Certificate"); -+ dprint(L"cert:\n"); -+ dhexdumpat(Cert->SignatureData, CertSize, 0); - } - } - -@@ -641,7 +654,7 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert, - verification_method = VERIFIED_BY_CERT; - update_verification_method(VERIFIED_BY_CERT); - return EFI_SUCCESS; -- } else { -+ } else if (cert) { - LogError(L"check_db_cert(db, sha256hash) != DATA_FOUND\n"); - } - } -@@ -666,7 +679,7 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert, - verification_method = VERIFIED_BY_CERT; - update_verification_method(VERIFIED_BY_CERT); - return EFI_SUCCESS; -- } else { -+ } else if (cert) { - LogError(L"check_db_cert(vendor_db, sha256hash) != DATA_FOUND\n"); - } - #endif -@@ -685,7 +698,7 @@ static EFI_STATUS check_whitelist (WIN_CERTIFICATE_EFI_PKCS *cert, - verification_method = VERIFIED_BY_CERT; - update_verification_method(VERIFIED_BY_CERT); - return EFI_SUCCESS; -- } else { -+ } else if (cert) { - LogError(L"check_db_cert(MokList, sha256hash) != DATA_FOUND\n"); - } - -@@ -993,6 +1006,11 @@ static EFI_STATUS generate_hash (char *data, unsigned int datasize_in, - goto done; - } - -+ dprint(L"sha1 authenticode hash:\n"); -+ dhexdumpat(sha1hash, SHA1_DIGEST_SIZE, 0); -+ dprint(L"sha256 authenticode hash:\n"); -+ dhexdumpat(sha256hash, SHA256_DIGEST_SIZE, 0); -+ - done: - if (SectionHeader) - FreePool(SectionHeader); -@@ -1155,6 +1173,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, - if (EFI_ERROR(ret_efi_status)) { - dprint(L"check_whitelist: %r\n", ret_efi_status); - if (ret_efi_status != EFI_NOT_FOUND) { -+ dprint(L"check_whitelist(): %r\n", ret_efi_status); - 
PrintErrors(); - ClearErrors(); - crypterr(ret_efi_status); -@@ -1803,6 +1822,7 @@ static EFI_STATUS load_image (EFI_LOADED_IMAGE *li, void **data, - - device = li->DeviceHandle; - -+ dprint(L"attempting to load %s\n", PathName); - /* - * Open the device - */ -@@ -2778,6 +2798,10 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab) - */ - InitializeLib(image_handle, systab); - -+ dprint(L"vendor_authorized:0x%08lx vendor_authorized_size:%lu\n", -+ __FILE__, __LINE__, __func__, vendor_authorized, vendor_authorized_size); -+ dprint(L"vendor_deauthorized:0x%08lx vendor_deauthorized_size:%lu\n", -+ __FILE__, __LINE__, __func__, vendor_deauthorized, vendor_deauthorized_size); - init_openssl(); - - /* -diff --git a/include/console.h b/include/console.h -index 810bf13a1f1..ac6fdf61d18 100644 ---- a/include/console.h -+++ b/include/console.h -@@ -85,6 +85,9 @@ extern UINT32 verbose; - __dprint_ret; \ - }) - #define dprint(fmt, ...) dprint_(L"%a:%d:%a() " fmt, __FILE__, __LINE__, __func__, ##__VA_ARGS__) -+extern EFI_STATUS -+vdprint_(const CHAR16 *fmt, const char *file, int line, const char *func, va_list args); -+#define vdprint(fmt, ...) 
vdprint_(fmt, __FILE__, __LINE__, __func__, ##__VA_ARGS__) - - extern EFI_STATUS print_crypto_errors(EFI_STATUS rc, char *file, const char *func, int line); - #define crypterr(rc) print_crypto_errors((rc), __FILE__, __func__, __LINE__) -diff --git a/include/hexdump.h b/include/hexdump.h -index d337b571d8d..f3f3ac284a3 100644 ---- a/include/hexdump.h -+++ b/include/hexdump.h -@@ -1,104 +1,140 @@ - #ifndef STATIC_HEXDUMP_H - #define STATIC_HEXDUMP_H - --static int --__attribute__((__unused__)) --isprint(char c) --{ -- if (c < 0x20) -- return 0; -- if (c > 0x7e) -- return 0; -- return 1; --} -+#include - --static UINTN --__attribute__((__unused__)) --format_hex(UINT8 *data, UINTN size, CHAR16 *buf) -+static inline unsigned long UNUSED -+prepare_hex(const void *data, size_t size, char *buf, int position) - { -- UINTN sz = (UINTN)data % 16; -- CHAR16 hexchars[] = L"0123456789abcdef"; -+ char hexchars[] = "0123456789abcdef"; - int offset = 0; -- UINTN i; -- UINTN j; -+ unsigned long i; -+ unsigned long j; -+ unsigned long ret; - -- for (i = 0; i < sz; i++) { -- buf[offset++] = L' '; -- buf[offset++] = L' '; -- buf[offset++] = L' '; -+ unsigned long before = (position % 16); -+ unsigned long after = (before+size >= 16) ? 
0 : 16 - (before+size); -+ -+ for (i = 0; i < before; i++) { -+ buf[offset++] = 'X'; -+ buf[offset++] = 'X'; -+ buf[offset++] = ' '; - if (i == 7) -- buf[offset++] = L' '; -+ buf[offset++] = ' '; - } -- for (j = sz; j < 16 && j < size; j++) { -- UINT8 d = data[j-sz]; -+ for (j = 0; j < 16 - after - before; j++) { -+ uint8_t d = ((uint8_t *)data)[j]; - buf[offset++] = hexchars[(d & 0xf0) >> 4]; - buf[offset++] = hexchars[(d & 0x0f)]; -- if (j != 15) -- buf[offset++] = L' '; -- if (j == 7) -- buf[offset++] = L' '; -+ if (i+j != 15) -+ buf[offset++] = ' '; -+ if (i+j == 7) -+ buf[offset++] = ' '; - } -- for (i = j; i < 16; i++) { -- buf[offset++] = L' '; -- buf[offset++] = L' '; -- if (i != 15) -- buf[offset++] = L' '; -- if (i == 7) -- buf[offset++] = L' '; -+ ret = 16 - after - before; -+ j += i; -+ for (i = 0; i < after; i++) { -+ buf[offset++] = 'X'; -+ buf[offset++] = 'X'; -+ if (i+j != 15) -+ buf[offset++] = ' '; -+ if (i+j == 7) -+ buf[offset++] = ' '; - } -- buf[offset] = L'\0'; -- return j - sz; -+ buf[offset] = '\0'; -+ return ret; - } - --static void --__attribute__((__unused__)) --format_text(UINT8 *data, UINTN size, CHAR16 *buf) -+#define isprint(c) ((c) >= 0x20 && (c) <= 0x7e) -+ -+static inline void UNUSED -+prepare_text(const void *data, size_t size, char *buf, int position) - { -- UINTN sz = (UINTN)data % 16; - int offset = 0; -- UINTN i; -- UINTN j; -+ unsigned long i; -+ unsigned long j; - -- for (i = 0; i < sz; i++) -- buf[offset++] = L' '; -- buf[offset++] = L'|'; -- for (j = sz; j < 16 && j < size; j++) { -- if (isprint(data[j-sz])) -- buf[offset++] = data[j-sz]; -+ unsigned long before = position % 16; -+ unsigned long after = (before+size > 16) ? 
0 : 16 - (before+size); -+ -+ if (size == 0) { -+ buf[0] = '\0'; -+ return; -+ } -+ for (i = 0; i < before; i++) -+ buf[offset++] = 'X'; -+ buf[offset++] = '|'; -+ for (j = 0; j < 16 - after - before; j++) { -+ if (isprint(((uint8_t *)data)[j])) -+ buf[offset++] = ((uint8_t *)data)[j]; - else -- buf[offset++] = L'.'; -+ buf[offset++] = '.'; - } -- buf[offset++] = L'|'; -- for (i = j; i < 16; i++) -- buf[offset++] = L' '; -- buf[offset] = L'\0'; -+ buf[offset++] = size > 0 ? '|' : 'X'; -+ buf[offset] = '\0'; - } - --static void --__attribute__((__unused__)) --hexdump(UINT8 *data, UINTN size) -+/* -+ * variadic hexdump formatted -+ * think of it as: printf("%s%s\n", vformat(fmt, ap), hexdump(data,size)); -+ */ -+static inline void UNUSED -+vhexdumpf(const char *file, int line, const char *func, const CHAR16 * const fmt, const void *data, unsigned long size, size_t at, va_list ap) - { -- UINTN display_offset = (UINTN)data & 0xffffffff; -- UINTN offset = 0; -- //console_print(L"hexdump: data=0x%016x size=0x%x\n", data, size); -+ unsigned long display_offset = at; -+ unsigned long offset = 0; - - while (offset < size) { -- CHAR16 hexbuf[49]; -- CHAR16 txtbuf[19]; -- UINTN sz; -+ char hexbuf[49]; -+ char txtbuf[19]; -+ unsigned long sz; - -- sz = format_hex(data+offset, size-offset, hexbuf); -+ sz = prepare_hex(data+offset, size-offset, hexbuf, -+ (unsigned long)data+offset); - if (sz == 0) - return; -- msleep(200000); - -- format_text(data+offset, size-offset, txtbuf); -- console_print(L"%08x %s %s\n", display_offset, hexbuf, txtbuf); -- msleep(200000); -+ prepare_text(data+offset, size-offset, txtbuf, -+ (unsigned long)data+offset); -+ if (fmt && fmt[0] != 0) -+ vdprint_(fmt, file, line, func, ap); -+ dprint_(L"%a:%d:%a() %08lx %a %a\n", file, line, func, display_offset, hexbuf, txtbuf); - - display_offset += sz; - offset += sz; - } - } - -+/* -+ * hexdump formatted -+ * think of it as: printf("%s%s", format(fmt, ...), hexdump(data,size)[lineN]); -+ */ -+static inline 
void UNUSED -+hexdumpf(const char *file, int line, const char *func, const CHAR16 * const fmt, const void *data, unsigned long size, size_t at, ...) -+{ -+ va_list ap; -+ -+ va_start(ap, at); -+ vhexdumpf(file, line, func, fmt, data, size, at, ap); -+ va_end(ap); -+} -+ -+static inline void UNUSED -+hexdump(const char *file, int line, const char *func, const void *data, unsigned long size) -+{ -+ hexdumpf(file, line, func, L"", data, size, (intptr_t)data); -+} -+ -+static inline void UNUSED -+hexdumpat(const char *file, int line, const char *func, const void *data, unsigned long size, size_t at) -+{ -+ hexdumpf(file, line, func, L"", data, size, at); -+} -+ -+#define LogHexdump(data, sz) LogHexdump_(__FILE__, __LINE__, __func__, data, sz) -+#define dhexdump(data, sz) hexdump(__FILE__, __LINE__, __func__, data, sz) -+#define dhexdumpat(data, sz, at) hexdumpat(__FILE__, __LINE__, __func__, data, sz, at) -+#define dhexdumpf(fmt, data, sz, at, ...) hexdumpf(__FILE__, __LINE__, __func__, fmt, data, sz, at, ##__VA_ARGS__) -+ - #endif /* STATIC_HEXDUMP_H */ -+// vim:fenc=utf-8:tw=75:noet -diff --git a/shim.h b/shim.h -index c1d7e7c7197..0b3ad4f2d20 100644 ---- a/shim.h -+++ b/shim.h -@@ -182,8 +182,9 @@ typedef struct _SHIM_LOCK { - - extern EFI_STATUS shim_init(void); - extern void shim_fini(void); --extern EFI_STATUS LogError_(const char *file, int line, const char *func, CHAR16 *fmt, ...); --extern EFI_STATUS VLogError(const char *file, int line, const char *func, CHAR16 *fmt, va_list args); -+extern EFI_STATUS LogError_(const char *file, int line, const char *func, const CHAR16 *fmt, ...); -+extern EFI_STATUS VLogError(const char *file, int line, const char *func, const CHAR16 *fmt, va_list args); -+extern VOID LogHexdump_(const char *file, int line, const char *func, const void *data, size_t sz); - extern VOID PrintErrors(VOID); - extern VOID ClearErrors(VOID); - extern EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath); --- -2.26.2 - 
diff --git a/SPECS/shim-unsigned-x64/0061-Also-use-a-config-table-to-mirror-mok-variables.patch b/SPECS/shim-unsigned-x64/0061-Also-use-a-config-table-to-mirror-mok-variables.patch deleted file mode 100644 index a2095b1df86..00000000000 --- a/SPECS/shim-unsigned-x64/0061-Also-use-a-config-table-to-mirror-mok-variables.patch +++ /dev/null 
@@ -1,352 +0,0 @@ -From fecc2dfb8e408526221091923d9345796b8e294e Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 23 Jul 2020 22:09:03 -0400 -Subject: [PATCH 61/62] Also use a config table to mirror mok variables. - -Everything was going just fine until I made a vendor_db with 17kB of -sha256 sums in it. And then the same source tree that had worked fine -without that threw errors and failed all over the place. I wrote some -code to diagnose the problem, and of course it was a failure in -mirroring MokList to MokListRT. - -As Patrick noted in 741c61abba7, some systems have obnoxiously low -amounts of variable storage available: - -mok.c:550:import_mok_state() BS+RT variable info: - MaximumVariableStorageSize:0x000000000000DFE4 - RemainingVariableStorageSize:0x000000000000D21C - MaximumVariableSize:0x0000000000001FC4 - -The most annoying part is that on at least this edk2 build, -SetVariable() /does actually appear to set the variable/, but it returns -EFI_INVALID_PARAMETER. I'm not planning on relying on that behavior. - -So... yeah, the largest *volatile* (i.e. RAM only) variable this edk2 -build will let you create is less than two pages. It's only got 7.9G -free, so I guess it's feeling like space is a little tight. - -We're also not quite preserving that return code well enough for his -workaround to work. - -New plan. We try to create variables the normal way, but we don't -consider not having enough space to be fatal. In that case, we create -an EFI_SECURITY_LIST with one sha256sum in it, with a value of all 0, -and try to add that so we're sure there's /something/ there that's -innocuous. On systems where the first SetVariable() / -QueryVariableInfo() lied to us, the correct variable should be there, -otherwise the one with the zero-hash will be. - -We then also build a config table to hold this info and install that. 
- -The config table is a packed array of this struct: - -struct mok_variable_config_entry { - CHAR8 name[256]; - UINT64 data_size; - UINT8 data[]; -}; - -There will be N+1 entries, and the last entry is all 0 for name and -data_size. The total allocation size will always be a multiple of 4096. -In the typical RHEL 7.9 case that means it'll be around 5 pages. - -It's installed with this guid: - -c451ed2b-9694-45d3-baba-ed9f8988a389 - -Anything that can go wrong will. - -Signed-off-by: Peter Jones -Upstream: not yet, I don't want people to read this before Wednesday. -Signed-off-by: Peter Jones ---- - lib/guid.c | 2 + - mok.c | 150 ++++++++++++++++++++++++++++++++++++++++++++----- - include/guid.h | 2 + - 3 files changed, 140 insertions(+), 14 deletions(-) - -diff --git a/lib/guid.c b/lib/guid.c -index 57c02fbeecd..99ff400a0ab 100644 ---- a/lib/guid.c -+++ b/lib/guid.c -@@ -36,4 +36,6 @@ EFI_GUID EFI_SECURE_BOOT_DB_GUID = { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, - EFI_GUID EFI_SIMPLE_FILE_SYSTEM_GUID = SIMPLE_FILE_SYSTEM_PROTOCOL; - EFI_GUID SECURITY_PROTOCOL_GUID = { 0xA46423E3, 0x4617, 0x49f1, {0xB9, 0xFF, 0xD1, 0xBF, 0xA9, 0x11, 0x58, 0x39 } }; - EFI_GUID SECURITY2_PROTOCOL_GUID = { 0x94ab2f58, 0x1438, 0x4ef1, {0x91, 0x52, 0x18, 0x94, 0x1a, 0x3a, 0x0e, 0x68 } }; -+ - EFI_GUID SHIM_LOCK_GUID = {0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 } }; -+EFI_GUID MOK_VARIABLE_STORE = {0xc451ed2b, 0x9694, 0x45d3, {0xba, 0xba, 0xed, 0x9f, 0x89, 0x88, 0xa3, 0x89} }; -diff --git a/mok.c b/mok.c -index e69857f3c37..4e141fb21fc 100644 ---- a/mok.c -+++ b/mok.c -@@ -68,6 +68,7 @@ struct mok_state_variable { - CHAR16 *name; - char *name8; - CHAR16 *rtname; -+ char *rtname8; - EFI_GUID *guid; - - UINT8 *data; -@@ -121,6 +122,7 @@ struct mok_state_variable mok_state_variables[] = { - {.name = L"MokList", - .name8 = "MokList", - .rtname = L"MokListRT", -+ .rtname8 = "MokListRT", - .guid = &SHIM_LOCK_GUID, - .yes_attr = EFI_VARIABLE_BOOTSERVICE_ACCESS 
| - EFI_VARIABLE_NON_VOLATILE, -@@ -133,12 +135,14 @@ struct mok_state_variable mok_state_variables[] = { - .build_cert_size = &build_cert_size, - #endif /* defined(ENABLE_SHIM_CERT) */ - .flags = MOK_MIRROR_KEYDB | -+ MOK_MIRROR_DELETE_FIRST | - MOK_VARIABLE_LOG, - .pcr = 14, - }, - {.name = L"MokListX", - .name8 = "MokListX", - .rtname = L"MokListXRT", -+ .rtname8 = "MokListXRT", - .guid = &SHIM_LOCK_GUID, - .yes_attr = EFI_VARIABLE_BOOTSERVICE_ACCESS | - EFI_VARIABLE_NON_VOLATILE, -@@ -147,12 +151,14 @@ struct mok_state_variable mok_state_variables[] = { - .addend = &vendor_deauthorized, - .addend_size = &vendor_deauthorized_size, - .flags = MOK_MIRROR_KEYDB | -+ MOK_MIRROR_DELETE_FIRST | - MOK_VARIABLE_LOG, - .pcr = 14, - }, - {.name = L"MokSBState", - .name8 = "MokSBState", - .rtname = L"MokSBStateRT", -+ .rtname8 = "MokSBStateRT", - .guid = &SHIM_LOCK_GUID, - .yes_attr = EFI_VARIABLE_BOOTSERVICE_ACCESS | - EFI_VARIABLE_NON_VOLATILE, -@@ -166,6 +172,7 @@ struct mok_state_variable mok_state_variables[] = { - {.name = L"MokDBState", - .name8 = "MokDBState", - .rtname = L"MokIgnoreDB", -+ .rtname8 = "MokIgnoreDB", - .guid = &SHIM_LOCK_GUID, - .yes_attr = EFI_VARIABLE_BOOTSERVICE_ACCESS | - EFI_VARIABLE_NON_VOLATILE, -@@ -204,6 +211,7 @@ mirror_one_mok_variable(struct mok_state_variable *v) - * we're always mirroring the original data, whether this is an efi - * security database or not - */ -+ dprint(L"v->name:\"%s\" v->rtname:\"%s\"\n", v->name, v->rtname); - dprint(L"v->data_size:%lu v->data:0x%08llx\n", v->data_size, v->data); - dprint(L"FullDataSize:%lu FullData:0x%08llx\n", FullDataSize, FullData); - if (v->data_size) { -@@ -299,6 +307,7 @@ mirror_one_mok_variable(struct mok_state_variable *v) - } - } - -+ - /* - * Now we have the full size - */ -@@ -417,28 +426,72 @@ mirror_one_mok_variable(struct mok_state_variable *v) - FullDataSize, FullData, p, p-(uintptr_t)FullData); - } - -- dprint(L"FullDataSize:%lu FullData:0x%08llx p:0x%08llx pos:%lld\n", -+ 
dprint(L"FullDataSize:%lu FullData:0x%016llx p:0x%016llx pos:%lld\n", - FullDataSize, FullData, p, p-(uintptr_t)FullData); - if (FullDataSize) { -- dprint(L"Setting %s with %lu bytes of data\n", -- v->rtname, FullDataSize); -+ uint32_t attrs = EFI_VARIABLE_BOOTSERVICE_ACCESS | -+ EFI_VARIABLE_RUNTIME_ACCESS; -+ uint64_t max_storage_sz = 0; -+ uint64_t remaining_sz = 0; -+ uint64_t max_var_sz = 0; -+ UINT8 *tmp = NULL; -+ UINTN tmpsz = 0; -+ -+ efi_status = gRT->QueryVariableInfo(attrs, &max_storage_sz, -+ &remaining_sz, &max_var_sz); -+ if (EFI_ERROR(efi_status)) { -+ perror(L"Could not get variable storage info: %r\n", efi_status); -+ return efi_status; -+ } -+ dprint(L"calling SetVariable(\"%s\", 0x%016llx, 0x%08lx, %lu, 0x%016llx)\n", -+ v->rtname, v->guid, -+ EFI_VARIABLE_BOOTSERVICE_ACCESS -+ | EFI_VARIABLE_RUNTIME_ACCESS, -+ FullDataSize, FullData); - efi_status = gRT->SetVariable(v->rtname, v->guid, -- EFI_VARIABLE_BOOTSERVICE_ACCESS | -- EFI_VARIABLE_RUNTIME_ACCESS, -+ EFI_VARIABLE_BOOTSERVICE_ACCESS -+ | EFI_VARIABLE_RUNTIME_ACCESS, - FullDataSize, FullData); -- if (EFI_ERROR(efi_status)) { -- perror(L"Failed to set %s: %r\n", -- v->rtname, efi_status); -+ if (efi_status == EFI_INVALID_PARAMETER && max_var_sz < FullDataSize) { -+ /* -+ * In this case we're going to try to create a -+ * dummy variable so that there's one there. It -+ * may or may not work, because on some firmware -+ * builds when the SetVariable call above fails it -+ * does actually set the variable(!), so aside from -+ * not using the allocation if it doesn't work, we -+ * don't care about failures here. 
-+ */ -+ console_print(L"WARNING: Maximum volatile variable size is %lu.\n", max_var_sz); -+ console_print(L"WARNING: Cannot set %s (%lu bytes)\n", v->rtname, FullDataSize); -+ perror(L"Failed to set %s: %r\n", v->rtname, efi_status); -+ efi_status = variable_create_esl( -+ null_sha256, sizeof(null_sha256), -+ &EFI_CERT_SHA256_GUID, &SHIM_LOCK_GUID, -+ &tmp, &tmpsz); -+ /* -+ * from here we don't really care if it works or -+ * doens't. -+ */ -+ if (!EFI_ERROR(efi_status) && tmp && tmpsz) { -+ gRT->SetVariable(v->rtname, v->guid, -+ EFI_VARIABLE_BOOTSERVICE_ACCESS -+ | EFI_VARIABLE_RUNTIME_ACCESS, -+ tmpsz, tmp); -+ FreePool(tmp); -+ } -+ efi_status = EFI_INVALID_PARAMETER; -+ } else if (EFI_ERROR(efi_status)) { -+ perror(L"Failed to set %s: %r\n", v->rtname, efi_status); - } - } -- if (v->data && v->data_size) { -+ if (v->data && v->data_size && v->data != FullData) { - FreePool(v->data); - v->data = NULL; - v->data_size = 0; - } -- if (FullData && FullDataSize) { -- FreePool(FullData); -- } -+ v->data = FullData; -+ v->data_size = FullDataSize; - dprint(L"returning %r\n", efi_status); - return efi_status; - } -@@ -454,8 +507,11 @@ maybe_mirror_one_mok_variable(struct mok_state_variable *v, EFI_STATUS ret) - BOOLEAN present = FALSE; - - if (v->rtname) { -- if (v->flags & MOK_MIRROR_DELETE_FIRST) -- LibDeleteVariable(v->rtname, v->guid); -+ if (v->flags & MOK_MIRROR_DELETE_FIRST) { -+ dprint(L"deleting \"%s\"\n", v->rtname); -+ efi_status = LibDeleteVariable(v->rtname, v->guid); -+ dprint(L"LibDeleteVariable(\"%s\",...) => %r\n", v->rtname, efi_status); -+ } - - efi_status = mirror_one_mok_variable(v); - if (EFI_ERROR(efi_status)) { -@@ -505,6 +561,12 @@ maybe_mirror_one_mok_variable(struct mok_state_variable *v, EFI_STATUS ret) - return ret; - } - -+struct mok_variable_config_entry { -+ CHAR8 name[256]; -+ UINT64 data_size; -+ UINT8 data[]; -+}; -+ - /* - * Verify our non-volatile MoK state. This checks the variables above - * accessable and have valid attributes. 
If they don't, it removes -@@ -527,6 +589,11 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) - user_insecure_mode = 0; - ignore_db = 0; - -+ UINT64 config_sz = 0; -+ UINT8 *config_table = NULL; -+ size_t npages = 0; -+ struct mok_variable_config_entry config_template; -+ - dprint(L"importing mok state\n"); - for (i = 0; mok_state_variables[i].name != NULL; i++) { - struct mok_state_variable *v = &mok_state_variables[i]; -@@ -579,6 +646,61 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) - } - - ret = maybe_mirror_one_mok_variable(v, ret); -+ if (v->data && v->data_size) { -+ config_sz += v->data_size; -+ config_sz += sizeof(config_template); -+ } -+ } -+ -+ /* -+ * Alright, so we're going to copy these to a config table. The -+ * table is a packed array of N+1 struct mok_variable_config_entry -+ * items, with the last item having all zero's in name and -+ * data_size. -+ */ -+ if (config_sz) { -+ config_sz += sizeof(config_template); -+ npages = ALIGN_VALUE(config_sz, PAGE_SIZE) >> EFI_PAGE_SHIFT; -+ config_table = NULL; -+ efi_status = gBS->AllocatePages(AllocateAnyPages, -+ EfiRuntimeServicesData, -+ npages, -+ (EFI_PHYSICAL_ADDRESS *)&config_table); -+ if (EFI_ERROR(efi_status) || !config_table) { -+ console_print(L"Allocating %lu pages for mok config table failed: %r\n", -+ npages, efi_status); -+ if (ret != EFI_SECURITY_VIOLATION) -+ ret = efi_status; -+ config_table = NULL; -+ } else { -+ ZeroMem(config_table, npages << EFI_PAGE_SHIFT); -+ } -+ } -+ -+ UINT8 *p = (UINT8 *)config_table; -+ for (i = 0; p && mok_state_variables[i].name != NULL; i++) { -+ struct mok_state_variable *v = &mok_state_variables[i]; -+ -+ ZeroMem(&config_template, sizeof(config_template)); -+ strncpya(config_template.name, (CHAR8 *)v->rtname8, 255); -+ config_template.name[255] = '\0'; -+ -+ config_template.data_size = v->data_size; -+ -+ CopyMem(p, &config_template, sizeof(config_template)); -+ p += sizeof(config_template); -+ CopyMem(p, v->data, v->data_size); -+ p += 
v->data_size; -+ } -+ if (p) { -+ ZeroMem(&config_template, sizeof(config_template)); -+ CopyMem(p, &config_template, sizeof(config_template)); -+ -+ efi_status = gBS->InstallConfigurationTable(&MOK_VARIABLE_STORE, -+ config_table); -+ if (EFI_ERROR(efi_status)) { -+ console_print(L"Couldn't install MoK configuration table\n"); -+ } - } - - /* -diff --git a/include/guid.h b/include/guid.h -index 81689d6cc1a..91b14d96146 100644 ---- a/include/guid.h -+++ b/include/guid.h -@@ -35,4 +35,6 @@ extern EFI_GUID SECURITY_PROTOCOL_GUID; - extern EFI_GUID SECURITY2_PROTOCOL_GUID; - extern EFI_GUID SHIM_LOCK_GUID; - -+extern EFI_GUID MOK_VARIABLE_STORE; -+ - #endif /* SHIM_GUID_H */ --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/0062-Implement-lennysz-s-suggestions-for-MokListRT.patch b/SPECS/shim-unsigned-x64/0062-Implement-lennysz-s-suggestions-for-MokListRT.patch deleted file mode 100644 index 86467e39e4a..00000000000 --- a/SPECS/shim-unsigned-x64/0062-Implement-lennysz-s-suggestions-for-MokListRT.patch +++ /dev/null 
@@ -1,991 +0,0 @@ -From 65be350308783a8ef537246c8ad0545b4e6ad069 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Sat, 25 Jul 2020 22:13:57 -0400 -Subject: [PATCH 62/62] Implement lennysz's suggestions for MokListRT - -Signed-off-by: Peter Jones ---- - mok.c | 726 ++++++++++++++++++++++++++++++++-------------- - shim.c | 7 +- - include/PeImage.h | 3 +- - 3 files changed, 515 insertions(+), 221 deletions(-) - -diff --git a/mok.c b/mok.c -index 4e141fb21fc..3e6c7e43025 100644 ---- a/mok.c -+++ b/mok.c -@@ -7,6 +7,8 @@ - - #include - -+#include "hexdump.h" -+ - /* - * Check if a variable exists - */ -@@ -25,6 +27,15 @@ static BOOLEAN check_var(CHAR16 *varname) - return FALSE; - } - -+#define SetVariable(name, guid, attrs, varsz, var) ({ \ -+ EFI_STATUS efi_status_; \ -+ efi_status_ = gRT->SetVariable(name, guid, attrs, varsz, var); \ -+ dprint_(L"%a:%d:%a() SetVariable(\"%s\", ... varsz=0x%llx) = %r\n",\ -+ __FILE__, __LINE__, __func__, \ -+ name, varsz, efi_status_); \ -+ efi_status_; \ -+}) -+ - /* - * If the OS has set any of these variables we need to drop into MOK and - * handle them appropriately -@@ -193,33 +204,296 @@ should_mirror_build_cert(struct mok_state_variable *v) - - static const uint8_t null_sha256[32] = { 0, }; - -+typedef UINTN SIZE_T; -+ -+static EFI_STATUS -+get_max_var_sz(UINT32 attrs, SIZE_T *max_var_szp) -+{ -+ EFI_STATUS efi_status; -+ uint64_t max_storage_sz = 0; -+ uint64_t remaining_sz = 0; -+ uint64_t max_var_sz = 0; -+ -+ *max_var_szp = 0; -+ efi_status = gRT->QueryVariableInfo(attrs, &max_storage_sz, -+ &remaining_sz, &max_var_sz); -+ if (EFI_ERROR(efi_status)) { -+ perror(L"Could not get variable storage info: %r\n", efi_status); -+ return efi_status; -+ } -+ -+ /* -+ * I just don't trust implementations to not be showing static data -+ * for max_var_sz -+ */ -+ *max_var_szp = (max_var_sz < remaining_sz) ? 
max_var_sz : remaining_sz; -+ dprint("max_var_sz:%lx remaining_sz:%lx max_storage_sz:%lx\n", -+ max_var_sz, remaining_sz, max_storage_sz); -+ return efi_status; -+} -+ -+/* -+ * If any entries fit in < maxsz, and nothing goes wrong, create a variable -+ * of the given name and guid with as many esd entries as possible in it, -+ * and updates *esdp with what would be the next entry (even if makes *esdp -+ * > esl+esl->SignatureListSize), and returns whatever SetVariable() -+ * returns -+ * -+ * If no entries fit (i.e. sizeof(esl) + esl->SignatureSize > maxsz), -+ * returns EFI_BUFFER_TOO_SMALL; -+ */ -+static EFI_STATUS -+mirror_one_esl(CHAR16 *name, EFI_GUID *guid, UINT32 attrs, -+ EFI_SIGNATURE_LIST *esl, EFI_SIGNATURE_DATA *esd, -+ UINTN *newsz, SIZE_T maxsz) -+{ -+ EFI_STATUS efi_status; -+ SIZE_T howmany, varsz = 0, esdsz; -+ UINT8 *var, *data; -+ -+ howmany = min((maxsz - sizeof(*esl)) / esl->SignatureSize, -+ (esl->SignatureListSize - sizeof(*esl)) / esl->SignatureSize); -+ if (howmany < 1) { -+ return EFI_BUFFER_TOO_SMALL; -+ } -+ -+ /* -+ * We always assume esl->SignatureHeaderSize is 0 (and so far, -+ * that's true as per UEFI 2.8) -+ */ -+ esdsz = howmany * esl->SignatureSize; -+ data = (UINT8 *)esd; -+ dprint(L"Trying to add %lx signatures to \"%s\" of size %lx\n", -+ howmany, name, esl->SignatureSize); -+ -+ /* -+ * Because of the semantics of variable_create_esl(), the first -+ * owner guid from the data is not part of esdsz, or the data. -+ * -+ * Compensate here. 
-+ */ -+ efi_status = variable_create_esl(data + sizeof(EFI_GUID), -+ esdsz - sizeof(EFI_GUID), -+ &esl->SignatureType, -+ &esd->SignatureOwner, -+ &var, &varsz); -+ if (EFI_ERROR(efi_status) || !var || !varsz) { -+ LogError(L"Couldn't allocate %lu bytes for mok variable \"%s\": %r\n", -+ varsz, var, efi_status); -+ return efi_status; -+ } -+ -+ dprint(L"new esl:\n"); -+ dhexdumpat(var, varsz, 0); -+ -+ efi_status = SetVariable(name, guid, attrs, varsz, var); -+ FreePool(var); -+ if (EFI_ERROR(efi_status)) { -+ LogError(L"Couldn't create mok variable \"%s\": %r\n", -+ varsz, var, efi_status); -+ return efi_status; -+ } -+ -+ *newsz = esdsz; -+ -+ return efi_status; -+} -+ -+static EFI_STATUS -+mirror_mok_db(CHAR16 *name, CHAR8 *name8, EFI_GUID *guid, UINT32 attrs, -+ UINT8 *FullData, SIZE_T FullDataSize, BOOLEAN only_first) -+{ -+ EFI_STATUS efi_status = EFI_SUCCESS; -+ SIZE_T max_var_sz; -+ -+ if (only_first) { -+ efi_status = get_max_var_sz(attrs, &max_var_sz); -+ if (EFI_ERROR(efi_status)) { -+ LogError(L"Could not get maximum variable size: %r", -+ efi_status); -+ return efi_status; -+ } -+ -+ if (FullDataSize <= max_var_sz) { -+ efi_status = SetVariable(name, guid, attrs, -+ FullDataSize, FullData); -+ return efi_status; -+ } -+ } -+ -+ CHAR16 *namen; -+ CHAR8 *namen8; -+ UINTN namelen, namesz; -+ -+ namelen = StrLen(name); -+ namesz = namelen * 2; -+ if (only_first) { -+ namen = name; -+ namen8 = name8; -+ } else { -+ namelen += 18; -+ namesz += 34; -+ namen = AllocateZeroPool(namesz); -+ if (!namen) { -+ LogError(L"Could not allocate %lu bytes", namesz); -+ return EFI_OUT_OF_RESOURCES; -+ } -+ namen8 = AllocateZeroPool(namelen); -+ if (!namen8) { -+ FreePool(namen); -+ LogError(L"Could not allocate %lu bytes", namelen); -+ return EFI_OUT_OF_RESOURCES; -+ } -+ } -+ -+ UINTN pos, i; -+ const SIZE_T minsz = sizeof(EFI_SIGNATURE_LIST) -+ + sizeof(EFI_SIGNATURE_DATA) -+ + SHA1_DIGEST_SIZE; -+ BOOLEAN did_one = FALSE; -+ -+ /* -+ * Create any entries that can fit. 
-+ */ -+ if (!only_first) { -+ dprint(L"full data for \"%s\":\n", name); -+ dhexdumpat(FullData, FullDataSize, 0); -+ } -+ EFI_SIGNATURE_LIST *esl = NULL; -+ UINTN esl_end_pos = 0; -+ for (i = 0, pos = 0; FullDataSize - pos >= minsz && FullData; ) { -+ EFI_SIGNATURE_DATA *esd = NULL; -+ -+ dprint(L"pos:0x%llx FullDataSize:0x%llx\n", pos, FullDataSize); -+ if (esl == NULL || pos >= esl_end_pos) { -+ UINT8 *nesl = FullData + pos; -+ dprint(L"esl:0x%llx->0x%llx\n", esl, nesl); -+ esl = (EFI_SIGNATURE_LIST *)nesl; -+ esl_end_pos = pos + esl->SignatureListSize; -+ dprint(L"pos:0x%llx->0x%llx\n", pos, pos + sizeof(*esl)); -+ pos += sizeof(*esl); -+ } -+ esd = (EFI_SIGNATURE_DATA *)(FullData + pos); -+ if (pos >= FullDataSize) -+ break; -+ if (esl->SignatureListSize == 0 || esl->SignatureSize == 0) -+ break; -+ -+ dprint(L"esl[%lu] 0x%llx = {sls=0x%lx, ss=0x%lx} esd:0x%llx\n", -+ i, esl, esl->SignatureListSize, esl->SignatureSize, esd); -+ -+ if (!only_first) { -+ SPrint(namen, namelen, L"%s%lu", name, i); -+ namen[namelen-1] = 0; -+ /* uggggh */ -+ UINTN j; -+ for (j = 0; j < namelen; j++) -+ namen8[j] = (CHAR8)(namen[j] & 0xff); -+ namen8[namelen - 1] = 0; -+ } -+ -+ /* -+ * In case max_var_sz is computed dynamically, refresh the -+ * value here. 
-+ */ -+ efi_status = get_max_var_sz(attrs, &max_var_sz); -+ if (EFI_ERROR(efi_status)) { -+ LogError(L"Could not get maximum variable size: %r", -+ efi_status); -+ if (!only_first) { -+ FreePool(namen); -+ FreePool(namen8); -+ } -+ return efi_status; -+ } -+ -+ SIZE_T howmany; -+ UINTN adj = 0; -+ howmany = min((max_var_sz - sizeof(*esl)) / esl->SignatureSize, -+ (esl->SignatureListSize - sizeof(*esl)) / esl->SignatureSize); -+ if (!only_first && i == 0 && howmany >= 1) { -+ adj = howmany * esl->SignatureSize; -+ dprint(L"pos:0x%llx->0x%llx\n", pos, pos + adj); -+ pos += adj; -+ i++; -+ continue; -+ -+ } -+ -+ efi_status = mirror_one_esl(namen, guid, attrs, -+ esl, esd, &adj, max_var_sz); -+ dprint(L"esd:0x%llx adj:0x%llx\n", esd, adj); -+ if (EFI_ERROR(efi_status) && efi_status != EFI_BUFFER_TOO_SMALL) { -+ LogError(L"Could not mirror mok variable \"%s\": %r\n", -+ namen, efi_status); -+ break; -+ } -+ -+ if (!EFI_ERROR(efi_status)) { -+ did_one = TRUE; -+ if (only_first) -+ break; -+ dprint(L"pos:0x%llx->0x%llx\n", pos, pos + adj); -+ pos += adj; -+ i++; -+ } -+ } -+ -+ if (only_first && !did_one) { -+ /* -+ * In this case we're going to try to create a -+ * dummy variable so that there's one there. It -+ * may or may not work, because on some firmware -+ * builds when the SetVariable call above fails it -+ * does actually set the variable(!), so aside from -+ * not using the allocation if it doesn't work, we -+ * don't care about failures here. -+ */ -+ UINT8 *var; -+ UINTN varsz; -+ -+ efi_status = variable_create_esl( -+ null_sha256, sizeof(null_sha256), -+ &EFI_CERT_SHA256_GUID, &SHIM_LOCK_GUID, -+ &var, &varsz); -+ /* -+ * from here we don't really care if it works or -+ * doesn't. 
-+ */ -+ if (!EFI_ERROR(efi_status) && var && varsz) { -+ SetVariable(name, guid, -+ EFI_VARIABLE_BOOTSERVICE_ACCESS -+ | EFI_VARIABLE_RUNTIME_ACCESS, -+ varsz, var); -+ FreePool(var); -+ } -+ efi_status = EFI_INVALID_PARAMETER; -+ } else if (EFI_ERROR(efi_status)) { -+ perror(L"Failed to set %s: %r\n", name, efi_status); -+ } -+ return efi_status; -+} -+ -+ - static EFI_STATUS nonnull(1) --mirror_one_mok_variable(struct mok_state_variable *v) -+mirror_one_mok_variable(struct mok_state_variable *v, -+ BOOLEAN only_first) - { - EFI_STATUS efi_status = EFI_SUCCESS; - uint8_t *FullData = NULL; - size_t FullDataSize = 0; - vendor_addend_category_t addend_category = VENDOR_ADDEND_NONE; - uint8_t *p = NULL; -- -+ uint32_t attrs = EFI_VARIABLE_BOOTSERVICE_ACCESS | -+ EFI_VARIABLE_RUNTIME_ACCESS; -+ BOOLEAN measure = v->flags & MOK_VARIABLE_MEASURE; -+ BOOLEAN log = v->flags & MOK_VARIABLE_LOG; - size_t build_cert_esl_sz = 0, addend_esl_sz = 0; -+ bool reuse = FALSE; - - if (v->categorize_addend) - addend_category = v->categorize_addend(v); - -- /* -- * we're always mirroring the original data, whether this is an efi -- * security database or not -- */ -- dprint(L"v->name:\"%s\" v->rtname:\"%s\"\n", v->name, v->rtname); -- dprint(L"v->data_size:%lu v->data:0x%08llx\n", v->data_size, v->data); -- dprint(L"FullDataSize:%lu FullData:0x%08llx\n", FullDataSize, FullData); -- if (v->data_size) { -- FullDataSize = v->data_size; -- dprint(L"FullDataSize:%lu FullData:0x%08llx\n", -- FullDataSize, FullData); -- } -- - /* - * if it is, there's more data - */ -@@ -227,7 +501,7 @@ mirror_one_mok_variable(struct mok_state_variable *v) - - /* - * We're mirroring (into) an efi security database, aka an -- * array of efi_signature_list_t. Its layout goes like: -+ * array of EFI_SIGNATURE_LIST. 
Its layout goes like: - * - * existing_variable_data - * existing_variable_data_size -@@ -251,30 +525,7 @@ mirror_one_mok_variable(struct mok_state_variable *v) - */ - - /* -- * first bit is existing data, but we added that above -- */ -- -- /* -- * then the build cert if it's there -- */ -- if (should_mirror_build_cert(v)) { -- efi_status = fill_esl(*v->build_cert, -- *v->build_cert_size, -- &EFI_CERT_TYPE_X509_GUID, -- &SHIM_LOCK_GUID, -- NULL, &build_cert_esl_sz); -- if (efi_status != EFI_BUFFER_TOO_SMALL) { -- perror(L"Could not add built-in cert to %s: %r\n", -- v->name, efi_status); -- return efi_status; -- } -- FullDataSize += build_cert_esl_sz; -- dprint(L"FullDataSize:%lu FullData:0x%08llx\n", -- FullDataSize, FullData); -- } -- -- /* -- * then the addend data -+ * *first* vendor_db or vendor_cert - */ - switch (addend_category) { - case VENDOR_ADDEND_DB: -@@ -282,7 +533,7 @@ mirror_one_mok_variable(struct mok_state_variable *v) - * if it's an ESL already, we use it wholesale - */ - FullDataSize += *v->addend_size; -- dprint(L"FullDataSize:%lu FullData:0x%08llx\n", -+ dprint(L"FullDataSize:%lu FullData:0x%llx\n", - FullDataSize, FullData); - break; - case VENDOR_ADDEND_X509: -@@ -296,17 +547,51 @@ mirror_one_mok_variable(struct mok_state_variable *v) - return efi_status; - } - FullDataSize += addend_esl_sz; -- dprint(L"FullDataSize:%lu FullData:0x%08llx\n", -+ dprint(L"FullDataSize:%lu FullData:0x%llx\n", - FullDataSize, FullData); - break; - default: - case VENDOR_ADDEND_NONE: -- dprint(L"FullDataSize:%lu FullData:0x%08llx\n", -+ dprint(L"FullDataSize:%lu FullData:0x%llx\n", - FullDataSize, FullData); - break; - } -+ -+ /* -+ * then the build cert if it's there -+ */ -+ if (should_mirror_build_cert(v)) { -+ efi_status = fill_esl(*v->build_cert, -+ *v->build_cert_size, -+ &EFI_CERT_TYPE_X509_GUID, -+ &SHIM_LOCK_GUID, -+ NULL, &build_cert_esl_sz); -+ if (efi_status != EFI_BUFFER_TOO_SMALL) { -+ perror(L"Could not add built-in cert to %s: %r\n", -+ v->name, 
efi_status); -+ return efi_status; -+ } -+ FullDataSize += build_cert_esl_sz; -+ dprint(L"FullDataSize:0x%lx FullData:0x%llx\n", -+ FullDataSize, FullData); -+ } -+ - } - -+ /* -+ * we're always mirroring the original data, whether this is an efi -+ * security database or not -+ */ -+ dprint(L"v->name:\"%s\" v->rtname:\"%s\"\n", v->name, v->rtname); -+ dprint(L"v->data_size:%lu v->data:0x%llx\n", v->data_size, v->data); -+ dprint(L"FullDataSize:%lu FullData:0x%llx\n", FullDataSize, FullData); -+ if (v->data_size) { -+ FullDataSize += v->data_size; -+ dprint(L"FullDataSize:%lu FullData:0x%llx\n", -+ FullDataSize, FullData); -+ } -+ if (v->data_size == FullDataSize) -+ reuse = TRUE; - - /* - * Now we have the full size -@@ -316,38 +601,33 @@ mirror_one_mok_variable(struct mok_state_variable *v) - * allocate the buffer, or use the old one if it's just the - * existing data. - */ -- if (FullDataSize != v->data_size) { -- dprint(L"FullDataSize:%lu FullData:0x%08llx allocating FullData\n", -+ if (FullDataSize == v->data_size) { -+ FullData = v->data; -+ FullDataSize = v->data_size; -+ p = FullData + FullDataSize; -+ dprint(L"FullDataSize:%lu FullData:0x%llx p:0x%llx pos:%lld\n", -+ FullDataSize, FullData, p, p-(uintptr_t)FullData); -+ v->data = NULL; -+ v->data_size = 0; -+ } else { -+ dprint(L"FullDataSize:%lu FullData:0x%llx allocating FullData\n", - FullDataSize, FullData); -- FullData = AllocatePool(FullDataSize); -+ /* -+ * make sure we've got some zeroes at the end, just -+ * in case. 
-+ */ -+ UINTN allocsz = FullDataSize + sizeof(EFI_SIGNATURE_LIST); -+ allocsz = ALIGN_VALUE(allocsz, 4096); -+ FullData = AllocateZeroPool(FullDataSize); - if (!FullData) { -- FreePool(v->data); -- v->data = NULL; -- v->data_size = 0; - perror(L"Failed to allocate %lu bytes for %s\n", - FullDataSize, v->name); - return EFI_OUT_OF_RESOURCES; - } - p = FullData; -- dprint(L"FullDataSize:%lu FullData:0x%08llx p:0x%08llx pos:%lld\n", -- FullDataSize, FullData, p, p-(uintptr_t)FullData); -- if (v->data && v->data_size) { -- CopyMem(p, v->data, v->data_size); -- p += v->data_size; -- } -- dprint(L"FullDataSize:%lu FullData:0x%08llx p:0x%08llx pos:%lld\n", -- FullDataSize, FullData, p, p-(uintptr_t)FullData); -- } else { -- FullData = v->data; -- FullDataSize = v->data_size; -- p = FullData + FullDataSize; -- dprint(L"FullDataSize:%lu FullData:0x%08llx p:0x%08llx pos:%lld\n", -- FullDataSize, FullData, p, p-(uintptr_t)FullData); -- v->data = NULL; -- v->data_size = 0; - } - } -- dprint(L"FullDataSize:%lu FullData:0x%08llx p:0x%08llx pos:%lld\n", -+ dprint(L"FullDataSize:%lu FullData:0x%llx p:0x%llx pos:%lld\n", - FullDataSize, FullData, p, p-(uintptr_t)FullData); - - /* -@@ -355,35 +635,13 @@ mirror_one_mok_variable(struct mok_state_variable *v) - */ - if (v->flags & MOK_MIRROR_KEYDB) { - /* -- * first bit is existing data, but again, we added that above -+ * first vendor_cert or vendor_db - */ -- -- /* -- * second is the build cert -- */ -- dprint(L"FullDataSize:%lu FullData:0x%08llx p:0x%08llx pos:%lld\n", -- FullDataSize, FullData, p, p-(uintptr_t)FullData); -- if (should_mirror_build_cert(v)) { -- efi_status = fill_esl(*v->build_cert, -- *v->build_cert_size, -- &EFI_CERT_TYPE_X509_GUID, -- &SHIM_LOCK_GUID, -- p, &build_cert_esl_sz); -- if (EFI_ERROR(efi_status)) { -- perror(L"Could not add built-in cert to %s: %r\n", -- v->name, efi_status); -- return efi_status; -- } -- p += build_cert_esl_sz; -- dprint(L"FullDataSize:%lu FullData:0x%08llx p:0x%08llx pos:%lld\n", -- 
FullDataSize, FullData, p, p-(uintptr_t)FullData); -- } -- - switch (addend_category) { - case VENDOR_ADDEND_DB: - CopyMem(p, *v->addend, *v->addend_size); - p += *v->addend_size; -- dprint(L"FullDataSize:%lu FullData:0x%08llx p:0x%08llx pos:%lld\n", -+ dprint(L"FullDataSize:%lu FullData:0x%llx p:0x%llx pos:%lld\n", - FullDataSize, FullData, p, p-(uintptr_t)FullData); - break; - case VENDOR_ADDEND_X509: -@@ -397,16 +655,53 @@ mirror_one_mok_variable(struct mok_state_variable *v) - return efi_status; - } - p += addend_esl_sz; -- dprint(L"FullDataSize:%lu FullData:0x%08llx p:0x%08llx pos:%lld\n", -+ dprint(L"FullDataSize:%lu FullData:0x%llx p:0x%llx pos:%lld\n", - FullDataSize, FullData, p, p-(uintptr_t)FullData); - break; - default: - case VENDOR_ADDEND_NONE: -- dprint(L"FullDataSize:%lu FullData:0x%08llx p:0x%08llx pos:%lld\n", -+ dprint(L"FullDataSize:%lu FullData:0x%llx p:0x%llx pos:%lld\n", - FullDataSize, FullData, p, p-(uintptr_t)FullData); - break; - } -+ -+ /* -+ * then is the build cert -+ */ -+ dprint(L"FullDataSize:%lu FullData:0x%llx p:0x%llx pos:%lld\n", -+ FullDataSize, FullData, p, p-(uintptr_t)FullData); -+ if (should_mirror_build_cert(v)) { -+ efi_status = fill_esl(*v->build_cert, -+ *v->build_cert_size, -+ &EFI_CERT_TYPE_X509_GUID, -+ &SHIM_LOCK_GUID, -+ p, &build_cert_esl_sz); -+ if (EFI_ERROR(efi_status)) { -+ perror(L"Could not add built-in cert to %s: %r\n", -+ v->name, efi_status); -+ return efi_status; -+ } -+ p += build_cert_esl_sz; -+ dprint(L"FullDataSize:%lu FullData:0x%llx p:0x%llx pos:%lld\n", -+ FullDataSize, FullData, p, p-(uintptr_t)FullData); -+ } - } -+ -+ /* -+ * last bit is existing data, unless it's the only thing, -+ * in which case it's already there. 
-+ */ -+ if (!reuse) { -+ dprint(L"FullDataSize:%lu FullData:0x%llx p:0x%llx pos:%lld\n", -+ FullDataSize, FullData, p, p-(uintptr_t)FullData); -+ if (v->data && v->data_size) { -+ CopyMem(p, v->data, v->data_size); -+ p += v->data_size; -+ } -+ dprint(L"FullDataSize:%lu FullData:0x%llx p:0x%llx pos:%lld\n", -+ FullDataSize, FullData, p, p-(uintptr_t)FullData); -+ } -+ - /* - * We always want to create our key databases, so in this case we - * need a dummy entry -@@ -422,68 +717,55 @@ mirror_one_mok_variable(struct mok_state_variable *v) - return efi_status; - } - p = FullData + FullDataSize; -- dprint(L"FullDataSize:%lu FullData:0x%08llx p:0x%08llx pos:%lld\n", -+ dprint(L"FullDataSize:%lu FullData:0x%llx p:0x%llx pos:%lld\n", - FullDataSize, FullData, p, p-(uintptr_t)FullData); - } - -- dprint(L"FullDataSize:%lu FullData:0x%016llx p:0x%016llx pos:%lld\n", -+ dprint(L"FullDataSize:%lu FullData:0x%llx p:0x%llx pos:%lld\n", - FullDataSize, FullData, p, p-(uintptr_t)FullData); -- if (FullDataSize) { -- uint32_t attrs = EFI_VARIABLE_BOOTSERVICE_ACCESS | -- EFI_VARIABLE_RUNTIME_ACCESS; -- uint64_t max_storage_sz = 0; -- uint64_t remaining_sz = 0; -- uint64_t max_var_sz = 0; -- UINT8 *tmp = NULL; -- UINTN tmpsz = 0; -- -- efi_status = gRT->QueryVariableInfo(attrs, &max_storage_sz, -- &remaining_sz, &max_var_sz); -- if (EFI_ERROR(efi_status)) { -- perror(L"Could not get variable storage info: %r\n", efi_status); -- return efi_status; -- } -- dprint(L"calling SetVariable(\"%s\", 0x%016llx, 0x%08lx, %lu, 0x%016llx)\n", -- v->rtname, v->guid, -- EFI_VARIABLE_BOOTSERVICE_ACCESS -- | EFI_VARIABLE_RUNTIME_ACCESS, -- FullDataSize, FullData); -- efi_status = gRT->SetVariable(v->rtname, v->guid, -- EFI_VARIABLE_BOOTSERVICE_ACCESS -- | EFI_VARIABLE_RUNTIME_ACCESS, -- FullDataSize, FullData); -- if (efi_status == EFI_INVALID_PARAMETER && max_var_sz < FullDataSize) { -+ if (FullDataSize && v->flags & MOK_MIRROR_KEYDB) { -+ dprint(L"calling mirror_mok_db(\"%s\", datasz=%lu)\n", -+ 
v->rtname, FullDataSize); -+ efi_status = mirror_mok_db(v->rtname, (CHAR8 *)v->rtname8, v->guid, -+ attrs, FullData, FullDataSize, -+ only_first); -+ dprint(L"mirror_mok_db(\"%s\", datasz=%lu) returned %r\n", -+ v->rtname, FullDataSize, efi_status); -+ } else if (FullDataSize && only_first) { -+ efi_status = SetVariable(v->rtname, v->guid, attrs, -+ FullDataSize, FullData); -+ } -+ if (FullDataSize && only_first) { -+ if (measure) { - /* -- * In this case we're going to try to create a -- * dummy variable so that there's one there. It -- * may or may not work, because on some firmware -- * builds when the SetVariable call above fails it -- * does actually set the variable(!), so aside from -- * not using the allocation if it doesn't work, we -- * don't care about failures here. -+ * Measure this into PCR 7 in the Microsoft format - */ -- console_print(L"WARNING: Maximum volatile variable size is %lu.\n", max_var_sz); -- console_print(L"WARNING: Cannot set %s (%lu bytes)\n", v->rtname, FullDataSize); -- perror(L"Failed to set %s: %r\n", v->rtname, efi_status); -- efi_status = variable_create_esl( -- null_sha256, sizeof(null_sha256), -- &EFI_CERT_SHA256_GUID, &SHIM_LOCK_GUID, -- &tmp, &tmpsz); -+ efi_status = tpm_measure_variable(v->name, *v->guid, -+ FullDataSize, FullData); -+ if (EFI_ERROR(efi_status)) { -+ dprint(L"tpm_measure_variable(\"%s\",%lu,0x%llx)->%r\n", -+ v->name, FullDataSize, FullData, efi_status); -+ return efi_status; -+ } -+ } -+ -+ if (log) { - /* -- * from here we don't really care if it works or -- * doens't. -+ * Log this variable into whichever PCR the table -+ * says. 
- */ -- if (!EFI_ERROR(efi_status) && tmp && tmpsz) { -- gRT->SetVariable(v->rtname, v->guid, -- EFI_VARIABLE_BOOTSERVICE_ACCESS -- | EFI_VARIABLE_RUNTIME_ACCESS, -- tmpsz, tmp); -- FreePool(tmp); -+ EFI_PHYSICAL_ADDRESS datap = -+ (EFI_PHYSICAL_ADDRESS)(UINTN)FullData, -+ efi_status = tpm_log_event(datap, FullDataSize, -+ v->pcr, (CHAR8 *)v->name8); -+ if (EFI_ERROR(efi_status)) { -+ dprint(L"tpm_log_event(0x%llx, %lu, %lu, \"%s\")->%r\n", -+ FullData, FullDataSize, v->pcr, v->name, -+ efi_status); -+ return efi_status; - } -- efi_status = EFI_INVALID_PARAMETER; -- } else if (EFI_ERROR(efi_status)) { -- perror(L"Failed to set %s: %r\n", v->rtname, efi_status); - } -+ - } - if (v->data && v->data_size && v->data != FullData) { - FreePool(v->data); -@@ -501,19 +783,20 @@ mirror_one_mok_variable(struct mok_state_variable *v) - * EFI_SECURITY_VIOLATION status at the same time. - */ - static EFI_STATUS nonnull(1) --maybe_mirror_one_mok_variable(struct mok_state_variable *v, EFI_STATUS ret) -+maybe_mirror_one_mok_variable(struct mok_state_variable *v, -+ EFI_STATUS ret, BOOLEAN only_first) - { - EFI_STATUS efi_status; - BOOLEAN present = FALSE; - - if (v->rtname) { -- if (v->flags & MOK_MIRROR_DELETE_FIRST) { -+ if (!only_first && (v->flags & MOK_MIRROR_DELETE_FIRST)) { - dprint(L"deleting \"%s\"\n", v->rtname); - efi_status = LibDeleteVariable(v->rtname, v->guid); - dprint(L"LibDeleteVariable(\"%s\",...) 
=> %r\n", v->rtname, efi_status); - } - -- efi_status = mirror_one_mok_variable(v); -+ efi_status = mirror_one_mok_variable(v, only_first); - if (EFI_ERROR(efi_status)) { - if (ret != EFI_SECURITY_VIOLATION) - ret = efi_status; -@@ -530,34 +813,6 @@ maybe_mirror_one_mok_variable(struct mok_state_variable *v, EFI_STATUS ret) - *v->state = v->data[0]; - } - -- if (v->flags & MOK_VARIABLE_MEASURE) { -- /* -- * Measure this into PCR 7 in the Microsoft format -- */ -- efi_status = tpm_measure_variable(v->name, *v->guid, -- v->data_size, -- v->data); -- if (EFI_ERROR(efi_status)) { -- if (ret != EFI_SECURITY_VIOLATION) -- ret = efi_status; -- } -- } -- -- if (v->flags & MOK_VARIABLE_LOG) { -- /* -- * Log this variable into whichever PCR the table -- * says. -- */ -- EFI_PHYSICAL_ADDRESS datap = -- (EFI_PHYSICAL_ADDRESS)(UINTN)v->data, -- efi_status = tpm_log_event(datap, v->data_size, -- v->pcr, (CHAR8 *)v->name8); -- if (EFI_ERROR(efi_status)) { -- if (ret != EFI_SECURITY_VIOLATION) -- ret = efi_status; -- } -- } -- - return ret; - } - -@@ -567,6 +822,66 @@ struct mok_variable_config_entry { - UINT8 data[]; - }; - -+EFI_STATUS import_one_mok_state(struct mok_state_variable *v, -+ BOOLEAN only_first) -+{ -+ EFI_STATUS ret = EFI_SUCCESS; -+ EFI_STATUS efi_status; -+ -+ user_insecure_mode = 0; -+ ignore_db = 0; -+ -+ UINT32 attrs = 0; -+ BOOLEAN delete = FALSE; -+ -+ dprint(L"importing mok state for \"%s\"\n", v->name); -+ -+ efi_status = get_variable_attr(v->name, -+ &v->data, &v->data_size, -+ *v->guid, &attrs); -+ if (efi_status == EFI_NOT_FOUND) { -+ v->data = NULL; -+ v->data_size = 0; -+ } else if (EFI_ERROR(efi_status)) { -+ perror(L"Could not verify %s: %r\n", v->name, -+ efi_status); -+ delete = TRUE; -+ } else { -+ if (!(attrs & v->yes_attr)) { -+ perror(L"Variable %s is missing attributes:\n", -+ v->name); -+ perror(L" 0x%08x should have 0x%08x set.\n", -+ attrs, v->yes_attr); -+ delete = TRUE; -+ } -+ if (attrs & v->no_attr) { -+ perror(L"Variable %s has 
incorrect attribute:\n", -+ v->name); -+ perror(L" 0x%08x should not have 0x%08x set.\n", -+ attrs, v->no_attr); -+ delete = TRUE; -+ } -+ } -+ if (delete == TRUE) { -+ perror(L"Deleting bad variable %s\n", v->name); -+ efi_status = LibDeleteVariable(v->name, v->guid); -+ if (EFI_ERROR(efi_status)) { -+ perror(L"Failed to erase %s\n", v->name); -+ ret = EFI_SECURITY_VIOLATION; -+ } -+ FreePool(v->data); -+ v->data = NULL; -+ v->data_size = 0; -+ } -+ -+ dprint(L"maybe mirroring \"%s\". original data:\n", v->name); -+ dhexdumpat(v->data, v->data_size, 0); -+ -+ ret = maybe_mirror_one_mok_variable(v, ret, only_first); -+ dprint(L"returning %r\n", ret); -+ return ret; -+} -+ - /* - * Verify our non-volatile MoK state. This checks the variables above - * accessable and have valid attributes. If they don't, it removes -@@ -594,58 +909,22 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) - size_t npages = 0; - struct mok_variable_config_entry config_template; - -- dprint(L"importing mok state\n"); -+ dprint(L"importing minimal mok state variables\n"); - for (i = 0; mok_state_variables[i].name != NULL; i++) { - struct mok_state_variable *v = &mok_state_variables[i]; -- UINT32 attrs = 0; -- BOOLEAN delete = FALSE; - -- efi_status = get_variable_attr(v->name, -- &v->data, &v->data_size, -- *v->guid, &attrs); -- dprint(L"maybe mirroring %s\n", v->name); -- if (efi_status == EFI_NOT_FOUND) { -- v->data = NULL; -- v->data_size = 0; -- } else if (EFI_ERROR(efi_status)) { -- perror(L"Could not verify %s: %r\n", v->name, -- efi_status); -+ efi_status = import_one_mok_state(v, TRUE); -+ if (EFI_ERROR(efi_status)) { -+ dprint(L"import_one_mok_state(ih, \"%s\", TRUE): %r\n", -+ v->rtname); - /* - * don't clobber EFI_SECURITY_VIOLATION from some - * other variable in the list. 
- */ - if (ret != EFI_SECURITY_VIOLATION) - ret = efi_status; -- delete = TRUE; -- } else { -- if (!(attrs & v->yes_attr)) { -- perror(L"Variable %s is missing attributes:\n", -- v->name); -- perror(L" 0x%08x should have 0x%08x set.\n", -- attrs, v->yes_attr); -- delete = TRUE; -- } -- if (attrs & v->no_attr) { -- perror(L"Variable %s has incorrect attribute:\n", -- v->name); -- perror(L" 0x%08x should not have 0x%08x set.\n", -- attrs, v->no_attr); -- delete = TRUE; -- } -- } -- if (delete == TRUE) { -- perror(L"Deleting bad variable %s\n", v->name); -- efi_status = LibDeleteVariable(v->name, v->guid); -- if (EFI_ERROR(efi_status)) { -- perror(L"Failed to erase %s\n", v->name); -- ret = EFI_SECURITY_VIOLATION; -- } -- FreePool(v->data); -- v->data = NULL; -- v->data_size = 0; - } - -- ret = maybe_mirror_one_mok_variable(v, ret); - if (v->data && v->data_size) { - config_sz += v->data_size; - config_sz += sizeof(config_template); -@@ -669,8 +948,6 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) - if (EFI_ERROR(efi_status) || !config_table) { - console_print(L"Allocating %lu pages for mok config table failed: %r\n", - npages, efi_status); -- if (ret != EFI_SECURITY_VIOLATION) -- ret = efi_status; - config_table = NULL; - } else { - ZeroMem(config_table, npages << EFI_PAGE_SHIFT); -@@ -703,6 +980,16 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) - } - } - -+ /* -+ * This is really just to make it easy for userland. -+ */ -+ dprint(L"importing full mok state variables\n"); -+ for (i = 0; mok_state_variables[i].name != NULL; i++) { -+ struct mok_state_variable *v = &mok_state_variables[i]; -+ -+ import_one_mok_state(v, FALSE); -+ } -+ - /* - * Enter MokManager if necessary. 
Any actual *changes* here will - * cause MokManager to demand a machine reboot, so this is safe to -@@ -712,6 +999,9 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle) - efi_status = check_mok_request(image_handle); - dprint(L"mok returned %r\n", efi_status); - if (EFI_ERROR(efi_status)) { -+ /* -+ * don't clobber EFI_SECURITY_VIOLATION -+ */ - if (ret != EFI_SECURITY_VIOLATION) - ret = efi_status; - return ret; -diff --git a/shim.c b/shim.c -index 9248642bd57..1a4d7bb9ded 100644 ---- a/shim.c -+++ b/shim.c -@@ -1445,7 +1445,10 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, - sha256hash, sha1hash); - - if (EFI_ERROR(efi_status)) { -- console_error(L"Verification failed", efi_status); -+ if (verbose) -+ console_print(L"Verification failed: %r\n", efi_status); -+ else -+ console_error(L"Verification failed", efi_status); - return efi_status; - } else { - if (verbose) -@@ -2648,7 +2651,6 @@ shim_init(void) - { - EFI_STATUS efi_status; - -- setup_verbosity(); - dprint(L"%a", shim_version); - - /* Set the second stage loader */ -@@ -2797,6 +2799,7 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab) - * Ensure that gnu-efi functions are available - */ - InitializeLib(image_handle, systab); -+ setup_verbosity(); - - dprint(L"vendor_authorized:0x%08lx vendor_authorized_size:%lu\n", - __FILE__, __LINE__, __func__, vendor_authorized, vendor_authorized_size); -diff --git a/include/PeImage.h b/include/PeImage.h -index a606e8b2a9f..209b96fb8ff 100644 ---- a/include/PeImage.h -+++ b/include/PeImage.h -@@ -768,7 +768,8 @@ typedef struct { - UINT8 CertData[1]; - } WIN_CERTIFICATE_EFI_PKCS; - --#define SHA256_DIGEST_SIZE 32 -+#define SHA1_DIGEST_SIZE 20 -+#define SHA256_DIGEST_SIZE 32 - #define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002 - - typedef struct { --- -2.26.2 - 
diff --git a/SPECS/shim-unsigned-x64/0063-hexdump.h-fix-arithmetic-error.patch b/SPECS/shim-unsigned-x64/0063-hexdump.h-fix-arithmetic-error.patch deleted file mode 100644 index 42eb0480e08..00000000000 --- a/SPECS/shim-unsigned-x64/0063-hexdump.h-fix-arithmetic-error.patch +++ /dev/null 
@@ -1,77 +0,0 @@ -From 9313a515432ba938e66f2edc1e22d548fed1eb5c Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Thu, 30 Jul 2020 14:34:22 -0400 -Subject: [PATCH] hexdump.h: fix arithmetic error. - -When I modified the hexdumper to help debug MokListRT mirroring not -working because of PcdMaxVolatileVariableSize being tiny, I -inadvertently added something that is effectively: - -hexdump(..., char *buf, ..., int position) -{ - unsigned long begin = (position % 16); - unsigned long i; - ... - for (i = 0; i < begin; i++) { - ... - } - ... -} - -Unfortunately, in c if 0x8 is set in position, that means begin is -0xfffffffffffff8, because signed integer math is horrifying: - -include/hexdump.h:99:vhexdumpf() &data[offset]:0x9E77E6BC size-offset:0x14 -include/hexdump.h:15:prepare_hex() position:0x9E77E6BC -include/hexdump.h:17:prepare_hex() before:0xFFFFFFFFFFFFFFFC size:0x14 -include/hexdump.h:19:prepare_hex() before:0xFFFFFFFFFFFFFFFC after:0x0 -include/hexdump.h:21:prepare_hex() buf:0x000000009E77E2BC offset:0 &buf[offset]:0x000000009E77E2BC - -Woops. - -This could further have been prevented in /some/ cases by simply not -preparing the hexdump buffer when "verbose" is disabled. - -This patch makes "pos" be unsigned in all cases, and also checks for -verbose in vhexdumpf() and simply returns if it is 0. 
- -Signed-off-by: Peter Jones ---- - include/hexdump.h | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/include/hexdump.h b/include/hexdump.h -index f3f3ac284a3..b2968cd4f85 100644 ---- a/include/hexdump.h -+++ b/include/hexdump.h -@@ -4,7 +4,7 @@ - #include - - static inline unsigned long UNUSED --prepare_hex(const void *data, size_t size, char *buf, int position) -+prepare_hex(const void *data, size_t size, char *buf, unsigned int position) - { - char hexchars[] = "0123456789abcdef"; - int offset = 0; -@@ -48,7 +48,7 @@ prepare_hex(const void *data, size_t size, char *buf, int position) - #define isprint(c) ((c) >= 0x20 && (c) <= 0x7e) - - static inline void UNUSED --prepare_text(const void *data, size_t size, char *buf, int position) -+prepare_text(const void *data, size_t size, char *buf, unsigned int position) - { - int offset = 0; - unsigned long i; -@@ -84,6 +84,9 @@ vhexdumpf(const char *file, int line, const char *func, const CHAR16 * const fmt - unsigned long display_offset = at; - unsigned long offset = 0; - -+ if (verbose == 0) -+ return; -+ - while (offset < size) { - char hexbuf[49]; - char txtbuf[19]; --- -2.26.2 - diff --git a/SPECS/shim-unsigned-x64/cbl-mariner-ca-20210127.der b/SPECS/shim-unsigned-x64/cbl-mariner-ca-20210127.der new file mode 100644 index 00000000000..411415aed6a Binary files /dev/null and b/SPECS/shim-unsigned-x64/cbl-mariner-ca-20210127.der differ diff --git a/SPECS/shim-unsigned-x64/cbl-mariner-ca.der b/SPECS/shim-unsigned-x64/cbl-mariner-ca.der deleted file mode 100644 index a1de99e51fc..00000000000 Binary files a/SPECS/shim-unsigned-x64/cbl-mariner-ca.der and /dev/null differ diff --git a/SPECS/shim-unsigned-x64/sbat.csv.in b/SPECS/shim-unsigned-x64/sbat.csv.in new file mode 100644 index 00000000000..9759dab89c5 --- /dev/null +++ b/SPECS/shim-unsigned-x64/sbat.csv.in @@ -0,0 +1 @@ +shim.mariner,1,Microsoft,shim,@@VERSION_RELEASE@@,https://github.com/microsoft/CBL-Mariner 
diff --git a/SPECS/shim-unsigned-x64/shim-unsigned-x64.signatures.json b/SPECS/shim-unsigned-x64/shim-unsigned-x64.signatures.json index 89dce6cf63b..6edaf813255 100644 --- a/SPECS/shim-unsigned-x64/shim-unsigned-x64.signatures.json +++ b/SPECS/shim-unsigned-x64/shim-unsigned-x64.signatures.json @@ -1,6 +1,7 @@ { "Signatures": { - "cbl-mariner-ca.der": "ce1290f2bbdf5a7f68053951a9f7fc7f1852a562ea103f46ca5249b497fb1faf", - "shim-15.tar.bz2": "473720200e6dae7cfd3ce7fb27c66367a8d6b08233fe63f01aa1d6b3888deeb6" + "cbl-mariner-ca-20210127.der": "34f7436bc56c7b4e526e55dbc207ad6311dbace0403e1d462ad1f9ce3479d386", + "sbat.csv.in": "a218d091e73ee91fc1dd5e99d391cc6c5cb660a34b70444b5c861b0eac52d2fd", + "shim-15.4.tar.bz2": "8344473dd10569588b8238a4656b8fab226714eea9f5363f8c410aa8a5090297" } } \ No newline at end of file diff --git a/SPECS/shim-unsigned-x64/shim-unsigned-x64.spec b/SPECS/shim-unsigned-x64/shim-unsigned-x64.spec index 764881fd479..0071d009950 100644 --- a/SPECS/shim-unsigned-x64/shim-unsigned-x64.spec +++ b/SPECS/shim-unsigned-x64/shim-unsigned-x64.spec 
@@ -1,83 +1,19 @@ %global debug_package %{nil} Summary: First stage UEFI bootloader Name: shim-unsigned-x64 -Version: 15 -Release: 6%{?dist} -URL: https://github.com/rhboot/shim +Version: 15.4 +Release: 1%{?dist} License: BSD -Vendor: Microsoft +Vendor: Microsoft Corporation Distribution: Mariner +URL: https://github.com/rhboot/shim Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2 -Source1: cbl-mariner-ca.der +Source1: sbat.csv.in +Source100: cbl-mariner-ca-20210127.der +BuildRequires: dos2unix +BuildRequires: vim-extra ExclusiveArch: x86_64 -BuildRequires: gnu-efi -BuildRequires: gnu-efi-devel - -Patch0001: 0001-Make-some-things-dprint-instead-of-console_print.patch -Patch0002: 0002-Makefiles-ensure-m32-gets-propogated-to-our-gcc-para.patch -Patch0003: 0003-Let-MokManager-follow-a-MokTimeout-var-for-timeout-l.patch -Patch0004: 0004-httpboot-return-EFI_NOT_FOUND-when-it-fails-to-find-.patch -Patch0005: 0005-httpboot-print-more-messages-when-it-fails-to-set-IP.patch -Patch0006: 0006-httpboot-allow-the-IPv4-gateway-to-be-empty.patch -Patch0007: 0007-httpboot-show-the-error-message-for-the-ChildHandle.patch -Patch0008: 0008-Fix-typo-in-debug-path-in-shim.h.patch -Patch0009: 0009-MokManager-Stop-using-EFI_VARIABLE_APPEND_WRITE.patch -Patch0010: 0010-shim-Extend-invalid-reloc-size-warning-message.patch -Patch0011: 0011-Add-GRUB-s-PCR-Usage-to-README.tpm.patch -Patch0012: 0012-Fix-the-compile-error-of-mkdir-wrong-directory.patch -Patch0013: 0013-shim-Properly-generate-absolute-paths-from-relative-.patch -Patch0014: 0014-shim-Prevent-shim-to-set-itself-as-a-second-stage-lo.patch -Patch0015: 0015-Fix-for-Section-0-has-negative-size-error-when-loadi.patch -Patch0016: 0016-Fix-apparent-typo-in-ARM-32-on-64-code.patch -Patch0017: 0017-Makefile-do-not-run-git-on-clean-if-there-s-no-.git-.patch -Patch0018: 0018-Make.default-use-correct-flags-to-disable-unaligned-.patch -Patch0019: 0019-Cryptlib-fix-build-on-32bit-ARM.patch -Patch0020: 
0020-Make-sure-that-MOK-variables-always-get-mirrored.patch -Patch0021: 0021-mok-fix-the-mirroring-of-RT-variables.patch -Patch0022: 0022-mok-consolidate-mirroring-code-in-a-helper-instead-o.patch -Patch0023: 0023-shim-only-include-shim_cert.h-in-shim.c.patch -Patch0024: 0024-mok-also-mirror-the-build-cert-to-MokListRT.patch -Patch0025: 0025-mok-minor-cleanups.patch -Patch0026: 0026-Remove-call-to-TPM2-get_event_log.patch -Patch0027: 0027-Make-EFI-variable-copying-fatal-only-on-secureboot-e.patch -Patch0028: 0028-VLogError-Avoid-NULL-pointer-dereferences-in-V-Sprin.patch -Patch0029: 0029-Once-again-try-even-harder-to-get-binaries-without-t.patch -Patch0030: 0030-shim-Rework-pause-functions-and-add-read_counter.patch -Patch0031: 0031-Hook-exit-when-shim_lock-protocol-installed.patch -Patch0032: 0032-Work-around-stuff-Waddress-of-packed-member-finds.patch -Patch0033: 0033-Fix-a-use-of-strlen-instead-of-Strlen.patch -Patch0034: 0034-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch -Patch0035: 0035-OpenSSL-always-provide-OBJ_create-with-name-strings.patch -Patch0036: 0036-Use-portable-shebangs-bin-bash-usr-bin-env-bash.patch -Patch0037: 0037-tpm-Fix-off-by-one-error-when-calculating-event-size.patch -Patch0038: 0038-tpm-Define-EFI_VARIABLE_DATA_TREE-as-packed.patch -Patch0039: 0039-MokManager-console-mode-modification-for-hi-dpi-scre.patch -Patch0040: 0040-MokManager-avoid-Werror-address-of-packed-member.patch -Patch0041: 0041-tpm-Don-t-log-duplicate-identical-events.patch -Patch0042: 0042-Slightly-better-debugging-messages.patch -Patch0043: 0043-Actually-check-for-errors-from-set_second_stage.patch -Patch0044: 0044-translate_slashes-don-t-write-to-string-literals.patch -Patch0045: 0045-shim-Update-EFI_LOADED_IMAGE-with-the-second-stage-l.patch -Patch0046: 0046-tpm-Include-information-about-PE-COFF-images-in-the-.patch -Patch0047: 0047-Fix-the-license-on-our-buildid-extractor.patch -Patch0048: 0048-Update-README.tpm.patch -Patch0049: 
0049-Check-PxeReplyReceived-as-fallback-in-netboot.patch -Patch0050: 0050-Remove-a-couple-of-incorrect-license-claims.patch -Patch0051: 0051-MokManager-fix-uninitialized-value.patch -Patch0052: 0052-Fix-some-volatile-usage-gcc-whines-about.patch -Patch0053: 0053-MokManager-fix-a-wrong-allocation-failure-check.patch -Patch0054: 0054-simple_file-fix-uninitialized-variable-unchecked-ret.patch -Patch0055: 0055-Fix-a-broken-tpm-type.patch -Patch0056: 0056-Make-cert.S-not-impossible-to-read.patch -Patch0057: 0057-Add-support-for-vendor_db-built-in-shim-authorized-l.patch -Patch0058: 0058-Handle-binaries-with-multiple-signatures.patch -Patch0059: 0059-Make-openssl-accept-the-right-set-of-KU-EKUs.patch -Patch0060: 0060-Improve-debug-output-some.patch -Patch0061: 0061-Also-use-a-config-table-to-mirror-mok-variables.patch -Patch0062: 0062-Implement-lennysz-s-suggestions-for-MokListRT.patch -Patch0063: 0063-hexdump.h-fix-arithmetic-error.patch - %description shim is a trivial EFI application that, when run, attempts to open and execute another application. 
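Review bot: The two new build dependencies `BuildRequires: dos2unix` and `BuildRequires: vim-extra` arrive without a comment naming which tool the shim 15.4 build needs from them, and nothing in the %prep or %build of this spec calls either package directly (vim-extra is presumably pulled in for `xxd` and dos2unix for line endings of a generated file, but that is inferred, not visible). A one-line comment above each, e.g. `# provides xxd, used by the shim Makefile` adjusted to the real tool, keeps a later cleanup from dropping a dependency the Makefile silently relies on. Likewise the removal of `gnu-efi`/`gnu-efi-devel` and of `EFI_PATH` reads as intentional because the 15.4 release tarball appears to bundle gnu-efi, but the spec should say so next to Source0 rather than leaving the next updater to rediscover it.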
@@ -87,30 +23,45 @@ loading. %prep %autosetup -n shim-%{version} -p1 +# shim Makefile expects vendor SBATs to be in data/sbat..csv +sed -e "s,@@VERSION_RELEASE@@,%{version}-%{release},g" %{SOURCE1} > ./data/sbat.microsoft.csv +cat ./data/sbat.microsoft.csv %build -cp %{SOURCE1} cert.der -make shimx64.efi VENDOR_CERT_FILE=cert.der EFI_PATH=/usr/lib/gnuefi +cp %{SOURCE100} cert.der +make shimx64.efi VENDOR_CERT_FILE=cert.der %install -install -vdm 755 %{buildroot}/usr/share/%{name} -install -vm 644 shimx64.efi %{buildroot}/usr/share/%{name}/shimx64.efi +install -vdm 755 %{buildroot}%{_datadir}/%{name} +install -vm 644 shimx64.efi %{buildroot}%{_datadir}/%{name}/shimx64.efi + +%check +make VENDOR_CERT_FILE=cert.der test %files %defattr(-,root,root) %license COPYRIGHT -/usr/share/%{name}/shimx64.efi +%{_datadir}/%{name}/shimx64.efi %changelog -* Tue Aug 25 2020 Chris Co 15-6 +* Tue Mar 30 2021 Chris Co - 15.4-1 +- Update to 15.4 +- Remove extra patches. These are incorporated into latest version + +* Tue Aug 25 2020 Chris Co - 15-6 - Apply patch files (from CentOS: shim-15-8.el7) -* Wed Jul 29 2020 Chris Co 15-5 + +* Wed Jul 29 2020 Chris Co - 15-5 - Update built-in cert -* Mon Jun 22 2020 Chris Co 15-4 + +* Mon Jun 22 2020 Chris Co - 15-4 - Update install path -* Thu May 14 2020 Chris Co 15-3 + +* Thu May 14 2020 Chris Co - 15-3 - Update test key -* Mon May 04 2020 Emre Girgin 15-2 + +* Mon May 04 2020 Emre Girgin - 15-2 - Replace BuildArch with ExclusiveArch -* Wed Apr 29 2020 Chris Co 15-1 -- Original version for CBL-Mariner. \ No newline at end of file + +* Wed Apr 29 2020 Chris Co - 15-1 +- Original version for CBL-Mariner. diff --git a/SPECS/shim-unsigned/shim-unsigned.spec b/SPECS/shim-unsigned/shim-unsigned.spec index 573a961c7ad..b0957b823b6 100644 --- a/SPECS/shim-unsigned/shim-unsigned.spec +++ b/SPECS/shim-unsigned/shim-unsigned.spec 
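Review bot: The new comment `# shim Makefile expects vendor SBATs to be in data/sbat..csv` has lost the placeholder between the two dots (the file actually generated on the next line is `data/sbat.microsoft.csv`), so the rule it documents cannot be read back; rewrite it as `# shim's Makefile picks up vendor SBAT entries from data/sbat.<vendor>.csv` or whatever pattern the Makefile really matches. The `cat` that follows prints the stamped SBAT line into the build log, which is good for auditing, but the new `%check` only runs `make ... test` and does not assert that the built `shimx64.efi` carries that entry; a check that extracts the `.sbat` section and greps for `shim.mariner` would catch a silent Makefile change. The vendor_version field is stamped as `%{version}-%{release}`, which includes `%{?dist}`; if that is intended, a short comment on the `sed` line saying the dist tag is deliberately part of the SBAT string will stop someone from "fixing" it.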
@@ -1,19 +1,21 @@ %global debug_package %{nil} Summary: First stage UEFI bootloader Name: shim-unsigned -Version: 15 -Release: 3%{?dist} -URL: https://github.com/rhboot/shim +Version: 15.4 +Release: 2%{?dist} License: BSD -Vendor: Microsoft +Vendor: Microsoft Corporation Distribution: Mariner - +URL: https://github.com/rhboot/shim %ifarch x86_64 BuildRequires: shim-unsigned-x64 %endif - %ifarch aarch64 -BuildRequires: shim-unsigned-aarch64 +# Force using shim-15 release for aarch64 builds. +# There is a regression in shim-15.4 aarch64 builds where, if built with +# binutils pre-2.35, the binary will fail to boot with "Synchronous Exception" +# error. +BuildRequires: shim-unsigned-aarch64 = 15 %endif %description @@ -24,11 +26,11 @@ under secure boot environments. %install %ifarch x86_64 -install -D -m 0744 /usr/share/shim-unsigned-x64/shimx64.efi %{buildroot}/boot/efi/EFI/BOOT/bootx64.efi +install -D -m 0744 %{_datadir}/shim-unsigned-x64/shimx64.efi %{buildroot}/boot/efi/EFI/BOOT/bootx64.efi %endif %ifarch aarch64 -install -D -m 0744 /usr/share/shim-unsigned-aarch64/shimaa64.efi %{buildroot}/boot/efi/EFI/BOOT/bootaa64.efi +install -D -m 0744 %{_datadir}/shim-unsigned-aarch64/shimaa64.efi %{buildroot}/boot/efi/EFI/BOOT/bootaa64.efi %endif %files @@ -41,9 +43,17 @@ install -D -m 0744 /usr/share/shim-unsigned-aarch64/shimaa64.efi %{buildroot}/bo %endif %changelog -* Tue Aug 25 2020 Chris Co 15-3 +* Fri Apr 23 2021 Chris Co - 15.4-2 +- Enforce using aarch64 shim-15 + +* Tue Mar 30 2021 Chris Co - 15.4-1 +- Update to 15.4 + +* Tue Aug 25 2020 Chris Co - 15-3 - Bump release to get patched shims -* Thu Jul 30 2020 Chris Co 15-2 + +* Thu Jul 30 2020 Chris Co - 15-2 - Update aarch64 source binary path -* Wed Jul 29 2020 Chris Co 15-1 -- Original version for CBL-Mariner. \ No newline at end of file + +* Wed Jul 29 2020 Chris Co - 15-1 +- Original version for CBL-Mariner. 
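Review bot: `BuildRequires: shim-unsigned-aarch64 = 15` pins the aarch64 input to the 15 series without a release, and the comment above it explains the regression but not the condition for lifting the pin; add `# Drop this pin once the toolchain has binutils >= 2.35 and a 15.4 aarch64 build has been verified to boot` so the next updater knows what to check. The x86_64 branch consumes shim-unsigned-x64 unversioned, so the two architectures now ship different shim releases (15.4 and 15) under the single package version 15.4-2, which is worth stating in the changelog or %description. The install lines in the second hunk keep `-m 0744` while the new SPECS/shim/shim.spec uses `-m644` for the same destination path; the two specs should agree.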
diff --git a/SPECS/shim/shim.signatures.json b/SPECS/shim/shim.signatures.json
new file mode 100644
index 00000000000..cf6b1dab951
--- /dev/null
+++ b/SPECS/shim/shim.signatures.json
@@ -0,0 +1,5 @@
+{
+ "Signatures": {
+ "signed-shim-15.4-1.tar.gz": "c3c39483d449f77aec917e054947f51dcc6da07d46cf683ec5048e6826319a41"
+ }
+}
\ No newline at end of file
diff --git a/SPECS/shim/shim.spec b/SPECS/shim/shim.spec
new file mode 100644
index 00000000000..0e00845d835
--- /dev/null
+++ b/SPECS/shim/shim.spec
@@ -0,0 +1,42 @@
+%global debug_package %{nil}
+%global release_number 1
+Summary: First stage UEFI bootloader
+Name: shim
+Version: 15.4
+Release: %{release_number}%{?dist}
+License: BSD
+Vendor: Microsoft Corporation
+Distribution: Mariner
+URL: https://github.com/rhboot/shim
+# This signed-shim tarball contains the shim binary signed with
+# the Microsoft UEFI CA key
+Source0: signed-%{name}-%{version}-%{release_number}.tar.gz
+# Currently, the tarball only contains a UEFI CA signed x86_64 shim binary.
+# Upstream aarch64 shim 15.4 builds are in a bad state. They will break using
+# binutils versions before 2.35, and even after that they may give
+# unpredictable results. Due to this, aarch64 shims are not being accepted
+# for shim signing at this time.
+#
+# Once upstream aarch64 shim builds stabilize and are being accepted for
+# review/signing, we should update this spec to also include UEFI CA signed
+# aarch64 shim binaries
+ExclusiveArch: x86_64
+
+%description
+Initial UEFI bootloader that handles chaining to a trusted full bootloader
+under secure boot environments.
+
+%prep
+%autosetup
+
+%install
+install -d %{buildroot}/boot/efi/EFI/BOOT
+install -m644 shimx64.efi %{buildroot}/boot/efi/EFI/BOOT/bootx64.efi
+
+%files
+%defattr(-,root,root)
+/boot/efi/EFI/BOOT/bootx64.efi
+
+%changelog
+* Fri Apr 16 2021 Chris Co - 15.4-1
+- Original version for CBL-Mariner.
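Review bot: `%files` claims `/boot/efi/EFI/BOOT/bootx64.efi`, the same path that SPECS/shim-unsigned/shim-unsigned.spec installs on x86_64 in the previous section, and neither spec declares a relationship, so installing both packages is an rpm file conflict; add `Conflicts: shim-unsigned` here (and the mirror `Conflicts: shim` in the unsigned spec if that package is only meant for non-Secure-Boot images). The integrity of the pre-signed binary rests solely on the sha256 recorded in shim.signatures.json; a `%check` that lists the Authenticode signature of the unpacked `shimx64.efi` (for example with `sbverify --list`, if sbsigntools is available in the build root) would catch an unsigned or wrongly signed tarball before it becomes the default boot path. `%global release_number 1` being baked into the Source0 name means a spec-only rebuild cannot bump Release without a new signed tarball; a comment beside the macro saying this coupling is intentional would help.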
diff --git a/SPECS/sqlite/sqlite.signatures.json b/SPECS/sqlite/sqlite.signatures.json index c202217a6ac..66a24c19eeb 100644 --- a/SPECS/sqlite/sqlite.signatures.json +++ b/SPECS/sqlite/sqlite.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "sqlite-autoconf-3320300.tar.gz": "a31507123c1c2e3a210afec19525fd7b5bb1e19a6a34ae5b998fbd7302568b66" + "sqlite-autoconf-3340100.tar.gz": "2a3bca581117b3b88e5361d0ef3803ba6d8da604b1c1a47d902ef785c1b53e89" } } \ No newline at end of file diff --git a/SPECS/sqlite/sqlite.spec b/SPECS/sqlite/sqlite.spec index 40d9efcd453..1621152c78b 100644 --- a/SPECS/sqlite/sqlite.spec +++ b/SPECS/sqlite/sqlite.spec @@ -1,19 +1,19 @@ -%define sourcever 3320300 +%define sourcever 3340100 Summary: A portable, high level programming interface to various calling conventions Name: sqlite -Version: 3.32.3 -Release: 2%{?dist} +Version: 3.34.1 +Release: 1%{?dist} License: Public Domain -URL: https://www.sqlite.org -Group: System Environment/GeneralLibraries Vendor: Microsoft Corporation Distribution: Mariner -Source0: https://www.sqlite.org/2020/%{name}-autoconf-%{sourcever}.tar.gz -# CVE-2015-3717 applies to versions shipped in iOS and OS X +Group: System Environment/GeneralLibraries +URL: https://www.sqlite.org +Source0: https://www.sqlite.org/2021/%{name}-autoconf-%{sourcever}.tar.gz +# CVE-2015-3717 applies to versions shipped in iOS and OS X Patch0: CVE-2015-3717.nopatch -Obsoletes: sqlite-autoconf Requires: sqlite-libs = %{version}-%{release} Provides: sqlite3 + %description This package contains most of the static files that comprise the www.sqlite.org website including all of the SQL Syntax and the @@ -31,8 +31,7 @@ header files for development. Summary: sqlite3 library Group: Libraries Provides: pkgconfig(sqlite3) -Obsoletes: libsqlite -Obsoletes: sqlite-autoconf + %description libs The sqlite3 library. 
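Review bot: Dropping `Obsoletes: sqlite-autoconf` in the first hunk (and `Obsoletes: libsqlite` / `Obsoletes: sqlite-autoconf` in the libs hunk of the same section) removes the upgrade path for any image that still carries the Photon-era package names, and the changelog entry only says "Remove Obsoletes tags" without the reason. If the old names are known to be absent from every supported image, say so in a comment where the tags were, e.g. `# Obsoletes for sqlite-autoconf/libsqlite dropped: never shipped in a Mariner release`; otherwise keep them. The update itself is consistent with what it claims: CVE-2021-20227 is fixed in 3.34.1 and the Source0 year path is moved to `2021` to match.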
@@ -54,25 +53,21 @@ make [ %{buildroot} != "/"] && rm -rf %{buildroot}/* make DESTDIR=%{buildroot} install install -D -m644 sqlite3.1 %{buildroot}/%{_mandir}/man1/sqlite3.1 -find %{buildroot}/%{_libdir} -name '*.la' -delete +find %{buildroot} -type f -name "*.la" -delete -print rm -rf %{buildroot}/%{_infodir} %{_fixperms} %{buildroot}/* %check make %{?_smp_mflags} check -%postun devel -/sbin/ldconfig - -%post libs -/sbin/ldconfig - -%postun libs -/sbin/ldconfig +%postun devel -p /sbin/ldconfig +%post libs -p /sbin/ldconfig +%postun libs -p /sbin/ldconfig %clean rm -rf %{buildroot}/* + %files %defattr(-,root,root) %license tea/license.terms 
@@ -91,46 +86,69 @@ rm -rf %{buildroot}/* %{_libdir}/libsqlite3.so.0.8.6 %changelog -* Thu Oct 22 2020 Ruying Chen 3.32.3-2 -- Nopatch CVE-2015-3717. Applies to versions shipped in iOS and OS X. -* Tue Jul 07 2020 Joe Schmitt 3.32.3-1 -- Update to version 3.32.3 to fix CVE-2020-15358. -- Update URL to use https. -* Thu May 28 2020 Andrew Phelps 3.32.1-1 -- Update to version 3.32.1 to fix CVEs. -* Sat May 09 2020 Nick Samson 3.26.0-5 -- Added %%license line automatically -* Tue Apr 21 2020 Nicolas Ontiveros 3.26.0-4 -- Fix CVE-2019-8457. -- Remove sha1 macro. -* Wed Jan 22 2020 Pawel Winogrodzki 3.26.0-3 -- Adding 'ldconfig' call in 'sqlite-devel' %postun. -* Tue Sep 03 2019 Mateusz Malisz 3.26.0-2 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Wed Feb 3 2019 Michelle Wang 3.26.0-1 -- Upgrade to 3.26.0 for a critical Vulnerability named 'Magallan'. -* Fri Sep 21 2018 Srinidhi Rao 3.25.1-1 -- Upgrade to version 3.25.1 -* Tue Feb 20 2018 Xiaolin Li 3.22.0-1 -- Upgrade to version 3.22.0 -* Fri Nov 10 2017 Xiaolin Li 3.21.0-1 -- Upgrade to version 3.21.0 -* Fri Jul 14 2017 Dheeraj Shetty 3.19.3-1 -- Upgrading to version 3.19.0 and adding patch for CVE-2017-10989 -* Thu Jun 29 2017 Divya Thaluru 3.18.0-2 -- Added obseletes for deprecated sqlite-autoconf package -* Fri Apr 7 2017 Alexey Makhalov 3.18.0-1 -- Version update -- Package rename: sqlite-autoconf -> sqlite -* Wed Nov 16 2016 Alexey Makhalov 3.11.0-4 -- Added -devel and -libs subpackages -* Tue Oct 04 2016 ChangLee 3.11.0-3 -- Modified %check -* Tue May 24 2016 Priyesh Padmavilasom 3.11.0-2 -- GA - Bump release of all rpms -* Tue Feb 23 2016 Xiaolin Li 3.11.0-1 -- Updated to version 3.11.0 -* Wed Feb 03 2016 Anish Swaminathan - 3.8.3.1-2 -- Fix versioning -* Tue Oct 7 2014 Divya Thaluru 3080301-1 -- Initial build. 
First version +* Tue Apr 20 2021 Thomas Crain - 3.34.1-1 +- Update to 3.34.1 to fix CVE-2021-20227 +- Remove Obsoletes tags + +* Thu Oct 22 2020 Ruying Chen - 3.32.3-2 +- Nopatch CVE-2015-3717. Applies to versions shipped in iOS and OS X. + +* Tue Jul 07 2020 Joe Schmitt - 3.32.3-1 +- Update to version 3.32.3 to fix CVE-2020-15358. +- Update URL to use https. + +* Thu May 28 2020 Andrew Phelps - 3.32.1-1 +- Update to version 3.32.1 to fix CVEs. + +* Sat May 09 2020 Nick Samson - 3.26.0-5 +- Added %%license line automatically + +* Tue Apr 21 2020 Nicolas Ontiveros - 3.26.0-4 +- Fix CVE-2019-8457. +- Remove sha1 macro. + +* Wed Jan 22 2020 Pawel Winogrodzki - 3.26.0-3 +- Adding 'ldconfig' call in 'sqlite-devel' %postun. + +* Tue Sep 03 2019 Mateusz Malisz - 3.26.0-2 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Wed Feb 3 2019 Michelle Wang - 3.26.0-1 +- Upgrade to 3.26.0 for a critical Vulnerability named 'Magallan'. + +* Fri Sep 21 2018 Srinidhi Rao - 3.25.1-1 +- Upgrade to version 3.25.1 + +* Tue Feb 20 2018 Xiaolin Li - 3.22.0-1 +- Upgrade to version 3.22.0 + +* Fri Nov 10 2017 Xiaolin Li - 3.21.0-1 +- Upgrade to version 3.21.0 + +* Fri Jul 14 2017 Dheeraj Shetty - 3.19.3-1 +- Upgrading to version 3.19.0 and adding patch for CVE-2017-10989 + +* Thu Jun 29 2017 Divya Thaluru - 3.18.0-2 +- Added obseletes for deprecated sqlite-autoconf package + +* Fri Apr 7 2017 Alexey Makhalov - 3.18.0-1 +- Version update +- Package rename: sqlite-autoconf -> sqlite + +* Wed Nov 16 2016 Alexey Makhalov - 3.11.0-4 +- Added -devel and -libs subpackages + +* Tue Oct 04 2016 ChangLee - 3.11.0-3 +- Modified %check + +* Tue May 24 2016 Priyesh Padmavilasom - 3.11.0-2 +- GA - Bump release of all rpms + +* Tue Feb 23 2016 Xiaolin Li - 3.11.0-1 +- Updated to version 3.11.0 + +* Wed Feb 03 2016 Anish Swaminathan - 3.8.3.1-2 +- Fix versioning + +* Tue Oct 7 2014 Divya Thaluru - 3080301-1 +- Initial build. First version 
diff --git a/SPECS/tzdata/tzdata.signatures.json b/SPECS/tzdata/tzdata.signatures.json index 7fb67dc5957..06be011dc6f 100644 --- a/SPECS/tzdata/tzdata.signatures.json +++ b/SPECS/tzdata/tzdata.signatures.json @@ -1,5 +1,5 @@ { "Signatures": { - "tzdata2019c.tar.gz": "79c7806dab09072308da0e3d22c37d3b245015a591891ea147d3b133b60ffc7c" + "tzdata2021a.tar.gz": "39e7d2ba08c68cbaefc8de3227aab0dec2521be8042cf56855f7dc3a9fb14e08" } } \ No newline at end of file diff --git a/SPECS/tzdata/tzdata.spec b/SPECS/tzdata/tzdata.spec index 2f6974ca658..91406d29cf1 100644 --- a/SPECS/tzdata/tzdata.spec +++ b/SPECS/tzdata/tzdata.spec @@ -1,7 +1,7 @@ Summary: Time zone data Name: tzdata -Version: 2019c -Release: 3%{?dist} +Version: 2021a +Release: 1%{?dist} URL: https://www.iana.org/time-zones License: Public Domain Group: Applications/System @@ -26,7 +26,7 @@ cd %{blddir} ZONEINFO=%{buildroot}%{_datarootdir}/zoneinfo install -vdm 755 $ZONEINFO/{posix,right} for tz in etcetera southamerica northamerica europe africa antarctica \ - asia australasia backward pacificnew systemv; do + asia australasia backward; do zic -L /dev/null -d $ZONEINFO -y "sh yearistype.sh" ${tz} zic -L /dev/null -d $ZONEINFO/posix -y "sh yearistype.sh" ${tz} zic -L leapseconds -d $ZONEINFO/right -y "sh yearistype.sh" ${tz} @@ -43,6 +43,10 @@ ln -svf %{_datarootdir}/zoneinfo/UTC %{buildroot}%{_sysconfdir}/localtime %{_datadir}/* %changelog +* Mon Apr 05 2021 CBL-Mariner Service Account - 2021a-1 +- Update to version "2021a". +- Removed 'pacificnew' and 'systemv' from parsed zone info, since they have been removed from the sources. + * Sat May 09 00:21:12 PST 2020 Nick Samson - 2019c-3 - Added %%license line automatically diff --git a/SPECS/wpa_supplicant/CVE-2021-30004.patch b/SPECS/wpa_supplicant/CVE-2021-30004.patch new file mode 100644 index 00000000000..3eb51bc632b --- /dev/null +++ b/SPECS/wpa_supplicant/CVE-2021-30004.patch 
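Review bot: The zic loop in the second hunk still passes `-y "sh yearistype.sh"` on every iteration (context lines, unchanged here); since this hunk removes `pacificnew` and `systemv` precisely because the 2021a source no longer ships them, it is worth confirming that `yearistype.sh` is still present in tzdata2021a.tar.gz as well, as the tz project has been retiring the year-type mechanism (please verify against the tarball). If none of the remaining source files use year types, `-y` can be dropped from the three zic invocations. A one-line comment above `for tz in`, e.g. `# pacificnew and systemv were removed upstream in 2021a`, would keep a future update from re-adding them.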
@@ -0,0 +1,114 @@ +From a0541334a6394f8237a4393b7372693cd7e96f15 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Sat, 13 Mar 2021 18:19:31 +0200 +Subject: ASN.1: Validate DigestAlgorithmIdentifier parameters + +The supported hash algorithms do not use AlgorithmIdentifier parameters. +However, there are implementations that include NULL parameters in +addition to ones that omit the parameters. Previous implementation did +not check the parameters value at all which supported both these cases, +but did not reject any other unexpected information. + +Use strict validation of digest algorithm parameters and reject any +unexpected value when validating a signature. This is needed to prevent +potential forging attacks. + +Signed-off-by: Jouni Malinen +--- + src/tls/pkcs1.c | 21 +++++++++++++++++++++ + src/tls/x509v3.c | 20 ++++++++++++++++++++ + 2 files changed, 41 insertions(+) + +diff --git a/src/tls/pkcs1.c b/src/tls/pkcs1.c +index bbdb0d7..5761dfe 100644 +--- a/src/tls/pkcs1.c ++++ b/src/tls/pkcs1.c +@@ -244,6 +244,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk, + os_free(decrypted); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestInfo", ++ hdr.payload, hdr.length); + + pos = hdr.payload; + end = pos + hdr.length; +@@ -265,6 +267,8 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk, + os_free(decrypted); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: DigestAlgorithmIdentifier", ++ hdr.payload, hdr.length); + da_end = hdr.payload + hdr.length; + + if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) { +@@ -273,6 +277,23 @@ int pkcs1_v15_sig_ver(struct crypto_public_key *pk, + os_free(decrypted); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "PKCS #1: Digest algorithm parameters", ++ next, da_end - next); ++ ++ /* ++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to ++ * omit the parameters, but there are implementation that encode these ++ * as a NULL element. Allow these two cases and reject anything else. 
++ */ ++ if (da_end > next && ++ (asn1_get_next(next, da_end - next, &hdr) < 0 || ++ !asn1_is_null(&hdr) || ++ hdr.payload + hdr.length != da_end)) { ++ wpa_printf(MSG_DEBUG, ++ "PKCS #1: Unexpected digest algorithm parameters"); ++ os_free(decrypted); ++ return -1; ++ } + + if (!asn1_oid_equal(&oid, hash_alg)) { + char txt[100], txt2[100]; +diff --git a/src/tls/x509v3.c b/src/tls/x509v3.c +index a8944dd..df337ec 100644 +--- a/src/tls/x509v3.c ++++ b/src/tls/x509v3.c +@@ -1964,6 +1964,7 @@ int x509_check_signature(struct x509_certificate *issuer, + os_free(data); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestInfo", hdr.payload, hdr.length); + + pos = hdr.payload; + end = pos + hdr.length; +@@ -1985,6 +1986,8 @@ int x509_check_signature(struct x509_certificate *issuer, + os_free(data); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "X509: DigestAlgorithmIdentifier", ++ hdr.payload, hdr.length); + da_end = hdr.payload + hdr.length; + + if (asn1_get_oid(hdr.payload, hdr.length, &oid, &next)) { +@@ -1992,6 +1995,23 @@ int x509_check_signature(struct x509_certificate *issuer, + os_free(data); + return -1; + } ++ wpa_hexdump(MSG_MSGDUMP, "X509: Digest algorithm parameters", ++ next, da_end - next); ++ ++ /* ++ * RFC 5754: The correct encoding for the SHA2 algorithms would be to ++ * omit the parameters, but there are implementation that encode these ++ * as a NULL element. Allow these two cases and reject anything else. ++ */ ++ if (da_end > next && ++ (asn1_get_next(next, da_end - next, &hdr) < 0 || ++ !asn1_is_null(&hdr) || ++ hdr.payload + hdr.length != da_end)) { ++ wpa_printf(MSG_DEBUG, ++ "X509: Unexpected digest algorithm parameters"); ++ os_free(data); ++ return -1; ++ } + + if (x509_sha1_oid(&oid)) { + if (signature->oid.oid[6] != 5 /* sha-1WithRSAEncryption */) { +-- +cgit v0.12 diff --git a/SPECS/wpa_supplicant/wpa_supplicant.spec b/SPECS/wpa_supplicant/wpa_supplicant.spec index e862c9d24fe..09fb3f0ca09 100644 
--- a/SPECS/wpa_supplicant/wpa_supplicant.spec +++ b/SPECS/wpa_supplicant/wpa_supplicant.spec @@ -1,7 +1,7 @@ Summary: WPA client Name: wpa_supplicant Version: 2.9 -Release: 3%{?dist} +Release: 4%{?dist} License: BSD Vendor: Microsoft Corporation Distribution: Mariner @@ -11,6 +11,7 @@ Source0: https://w1.fi/releases/%{name}-%{version}.tar.gz Patch0: CVE-2019-16275.patch Patch1: CVE-2021-0326.patch Patch2: CVE-2021-27803.patch +Patch3: CVE-2021-30004.patch BuildRequires: libnl3-devel BuildRequires: openssl-devel Requires: libnl3 @@ -98,6 +99,9 @@ EOF %{_sysconfdir}/wpa_supplicant/wpa_supplicant-wlan0.conf %changelog +* Fri Apr 09 2021 Suresh Babu Chalamalasetty - 2.9-4 +- Add patch for CVE-2021-30004 + * Mon Mar 08 2021 Thomas Crain - 2.9-3 - Add patch for CVE-2021-0326 and CVE-2021-27803 diff --git a/cgmanifest.json b/cgmanifest.json index bfc244c8651..b0d83af4db9 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -360,6 +360,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "bmake", + "version": "20201010", + "downloadUrl": "https://ftp.netbsd.org/pub/NetBSD/misc/sjg/bmake-20201010.tar.gz" + } + } + }, { "component": { "type": "other", @@ -475,8 +485,8 @@ "type": "other", "other": { "name": "cairo", - "version": "1.16.0", - "downloadUrl": "http://cairographics.org/releases/cairo-1.16.0.tar.xz" + "version": "1.17.4", + "downloadUrl": "https://cairographics.org/snapshots/cairo-1.17.4.tar.xz" } } }, @@ -585,8 +595,8 @@ "type": "other", "other": { "name": "clamav", - "version": "0.103.0", - "downloadUrl": "https://www.clamav.net/downloads/production/clamav-0.103.0.tar.gz" + "version": "0.103.2", + "downloadUrl": "https://www.clamav.net/downloads/production/clamav-0.103.2.tar.gz" } } }, @@ -670,16 +680,6 @@ } } }, - { - "component": { - "type": "other", - "other": { - "name": "coredns", - "version": "1.6.5", - "downloadUrl": "https://github.com/coredns/coredns/archive/v1.6.5.tar.gz" - } - } - }, { "component": { "type": "other", 
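Review bot: Declaring `Patch3: CVE-2021-30004.patch` only fixes the CVE if the `%prep` section, which lies outside this hunk, actually applies it; with explicit `%patchN` lines a matching `%patch3 -p1` must be added, whereas `%autosetup -p1` picks the new patch up automatically. Please confirm which form this spec uses, because a declared-but-unapplied patch still bumps the release and closes the CVE in the changelog while the shipped binary stays vulnerable. The patch file's header identifies upstream hostap commit a0541334a6394f8237a4393b7372693cd7e96f15, and recording that in the changelog, e.g. `- Add patch for CVE-2021-30004 (upstream hostap commit a0541334)`, makes the provenance of the backport verifiable later.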
@@ -825,8 +825,8 @@ "type": "other", "other": { "name": "curl", - "version": "7.74.0", - "downloadUrl": "https://curl.haxx.se/download/curl-7.74.0.tar.gz" + "version": "7.76.0", + "downloadUrl": "https://curl.haxx.se/download/curl-7.76.0.tar.gz" } } }, @@ -945,8 +945,8 @@ "type": "other", "other": { "name": "dnsmasq", - "version": "2.84", - "downloadUrl": "http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.84.tar.xz" + "version": "2.85", + "downloadUrl": "http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.85.tar.xz" } } }, @@ -1385,8 +1385,8 @@ "type": "other", "other": { "name": "git", - "version": "2.23.3", - "downloadUrl": "https://www.kernel.org/pub/software/scm/git/git-2.23.3.tar.xz" + "version": "2.23.4", + "downloadUrl": "https://www.kernel.org/pub/software/scm/git/git-2.23.4.tar.xz" } } }, @@ -1745,8 +1745,8 @@ "type": "other", "other": { "name": "hyperv-daemons", - "version": "5.10.21.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.21.1.tar.gz" + "version": "5.10.28.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.28.1.tar.gz" } } }, @@ -1775,8 +1775,8 @@ "type": "other", "other": { "name": "icu", - "version": "64.2.0.2", - "downloadUrl": "https://github.com/microsoft/icu/archive/v64.2.0.2.tar.gz" + "version": "68.2.0.6", + "downloadUrl": "https://github.com/microsoft/icu/archive/v68.2.0.6.tar.gz" } } }, @@ -2055,8 +2055,8 @@ "type": "other", "other": { "name": "kernel-headers", - "version": "5.10.21.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.21.1.tar.gz" + "version": "5.10.28.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.28.1.tar.gz" } } }, 
@@ -2065,8 +2065,8 @@ "type": "other", "other": { "name": "kernel-hyperv", - "version": "5.10.21.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.21.1.tar.gz" + "version": "5.10.28.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.28.1.tar.gz" } } }, @@ -2075,8 +2075,8 @@ "type": "other", "other": { "name": "kernel", - "version": "5.10.21.1", - "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.21.1.tar.gz" + "version": "5.10.28.1", + "downloadUrl": "https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.28.1.tar.gz" } } }, @@ -2175,8 +2175,8 @@ "type": "other", "other": { "name": "kubernetes", - "version": "1.17.13", - "downloadUrl": "https://kubernetesartifacts.azureedge.net/kubernetes/v1.17.13-hotfix.20210310/binaries/kubernetes-node-linux-amd64.tar.gz" + "version": "1.18.14", + "downloadUrl": "https://kubernetesartifacts.azureedge.net/kubernetes/v1.18.14-hotfix.20210428/binaries/kubernetes-node-linux-amd64.tar.gz" } } }, @@ -2185,8 +2185,8 @@ "type": "other", "other": { "name": "kubernetes", - "version": "1.17.16", - "downloadUrl": "https://kubernetesartifacts.azureedge.net/kubernetes/v1.17.16-hotfix.20210310/binaries/kubernetes-node-linux-amd64.tar.gz" + "version": "1.18.17", + "downloadUrl": "https://kubernetesartifacts.azureedge.net/kubernetes/v1.18.17-hotfix.20210428/binaries/kubernetes-node-linux-amd64.tar.gz" } } }, @@ -2195,8 +2195,8 @@ "type": "other", "other": { "name": "kubernetes", - "version": "1.18.10", - "downloadUrl": "https://kubernetesartifacts.azureedge.net/kubernetes/v1.18.10-hotfix.20210310/binaries/kubernetes-node-linux-amd64.tar.gz" + "version": "1.19.7", + "downloadUrl": "https://kubernetesartifacts.azureedge.net/kubernetes/v1.19.7-hotfix.20210428/binaries/kubernetes-node-linux-amd64.tar.gz" } } }, 
@@ -2205,8 +2205,18 @@ "type": "other", "other": { "name": "kubernetes", - "version": "1.18.14", - "downloadUrl": "https://kubernetesartifacts.azureedge.net/kubernetes/v1.18.14-hotfix.20210310/binaries/kubernetes-node-linux-amd64.tar.gz" + "version": "1.19.9", + "downloadUrl": "https://kubernetesartifacts.azureedge.net/kubernetes/v1.19.9-hotfix.20210428/binaries/kubernetes-node-linux-amd64.tar.gz" + } + } + }, + { + "component": { + "type": "other", + "other": { + "name": "kubernetes", + "version": "1.20.2", + "downloadUrl": "https://kubernetesartifacts.azureedge.net/kubernetes/v1.20.2-hotfix.20210428/binaries/kubernetes-node-linux-amd64.tar.gz" } } }, @@ -2215,8 +2225,8 @@ "type": "other", "other": { "name": "kubernetes", - "version": "1.19.6", - "downloadUrl": "https://kubernetesartifacts.azureedge.net/kubernetes/v1.19.6-hotfix.20210310/binaries/kubernetes-node-linux-amd64.tar.gz" + "version": "1.20.5", + "downloadUrl": "https://kubernetesartifacts.azureedge.net/kubernetes/v1.20.5-hotfix.20210428/binaries/kubernetes-node-linux-amd64.tar.gz" } } }, @@ -2270,16 +2280,6 @@ } } }, - { - "component": { - "type": "other", - "other": { - "name": "kubernetes", - "version": "1.19.7", - "downloadUrl": "https://kubernetesartifacts.azureedge.net/kubernetes/v1.19.7-hotfix.20210310/binaries/kubernetes-node-linux-amd64.tar.gz" - } - } - }, { "component": { "type": "other", @@ -3355,8 +3355,8 @@ "type": "other", "other": { "name": "mariadb", - "version": "10.3.17", - "downloadUrl": "https://github.com/MariaDB/server/archive/mariadb-10.3.17.tar.gz" + "version": "10.3.28", + "downloadUrl": "https://github.com/MariaDB/server/archive/mariadb-10.3.28.tar.gz" } } }, @@ -3435,8 +3435,8 @@ "type": "other", "other": { "name": "moby-cli", - "version": "19.03.11+azure", - "downloadUrl": "https://github.com/docker/cli/archive/v19.03.11.tar.gz" + "version": "19.03.15+azure", + "downloadUrl": "https://github.com/docker/cli/archive/v19.03.15.tar.gz" } } }, 
@@ -3455,8 +3455,8 @@ "type": "other", "other": { "name": "moby-engine", - "version": "19.03.11+azure", - "downloadUrl": "https://github.com/moby/moby/archive/v19.03.11.tar.gz" + "version": "19.03.15+azure", + "downloadUrl": "https://github.com/moby/moby/archive/v19.03.15.tar.gz" } } }, @@ -3545,8 +3545,8 @@ "type": "other", "other": { "name": "mysql", - "version": "8.0.23", - "downloadUrl": "https://cdn.mysql.com/Downloads/MySQL-8.0/mysql-boost-8.0.23.tar.gz" + "version": "8.0.24", + "downloadUrl": "https://dev.mysql.com/get/Downloads/MySQL-8.0/mysql-boost-8.0.24.tar.gz" } } }, @@ -3615,8 +3615,8 @@ "type": "other", "other": { "name": "nettle", - "version": "3.4.1", - "downloadUrl": "https://ftp.gnu.org/gnu/nettle/nettle-3.4.1.tar.gz" + "version": "3.7.2", + "downloadUrl": "https://ftp.gnu.org/gnu/nettle/nettle-3.7.2.tar.gz" } } }, @@ -3800,6 +3800,16 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "nvidia-container-runtime", + "version": "3.4.2", + "downloadUrl": "https://github.com/NVIDIA/nvidia-container-runtime/archive/v3.4.2.tar.gz" + } + } + }, { "component": { "type": "other", @@ -3840,13 +3850,23 @@ } } }, + { + "component": { + "type": "other", + "other": { + "name": "openjdk8_aarch64", + "version": "1.8.0.292", + "downloadUrl": "https://github.com/AdoptOpenJDK/openjdk-aarch64-jdk8u/archive/aarch64-shenandoah-jdk8u292-b10.tar.gz" + } + } + }, { "component": { "type": "other", "other": { "name": "openjdk8", - "version": "1.8.0.181", - "downloadUrl": "https://github.com/AdoptOpenJDK/openjdk-aarch64-jdk8u//archive/aarch64-jdk8u181-b13.tar.gz" + "version": "1.8.0.292", + "downloadUrl": "https://github.com/AdoptOpenJDK/openjdk-jdk8u/archive/jdk8u292-b10.tar.gz" } } }, 
@@ -3905,8 +3925,8 @@ "type": "other", "other": { "name": "openvswitch", - "version": "2.12.0", - "downloadUrl": "http://openvswitch.org/releases/openvswitch-2.12.0.tar.gz" + "version": "2.12.3", + "downloadUrl": "http://openvswitch.org/releases/openvswitch-2.12.3.tar.gz" } } }, @@ -6465,8 +6485,8 @@ "type": "other", "other": { "name": "shim-unsigned-x64", - "version": "15", - "downloadUrl": "https://github.com/rhboot/shim/releases/download/15/shim-15.tar.bz2" + "version": "15.4", + "downloadUrl": "https://github.com/rhboot/shim/releases/download/15.4/shim-15.4.tar.bz2" } } }, @@ -6515,8 +6535,8 @@ "type": "other", "other": { "name": "sqlite", - "version": "3.32.3", - "downloadUrl": "https://www.sqlite.org/2020/sqlite-autoconf-3320300.tar.gz" + "version": "3.34.1", + "downloadUrl": "https://www.sqlite.org/2021/sqlite-autoconf-3340100.tar.gz" } } }, @@ -6865,8 +6885,8 @@ "type": "other", "other": { "name": "tzdata", - "version": "2019c", - "downloadUrl": "https://data.iana.org/time-zones/releases/tzdata2019c.tar.gz" + "version": "2021a", + "downloadUrl": "https://data.iana.org/time-zones/releases/tzdata2021a.tar.gz" } } }, diff --git a/toolkit/docs/building/building.md b/toolkit/docs/building/building.md index 46c9b2bfb37..389d1f6f3f8 100644 --- a/toolkit/docs/building/building.md +++ b/toolkit/docs/building/building.md 
@@ -177,7 +177,7 @@ Note that the image build commands in [Build Images](#build-images) will **autom ## **Image Stage** -Different images and image formats can be produced from the build system. Images are assembled from a combination of _Image Configuration_ files and _Package list_ files. Each Package List file (in toolkit/imageconfigs/packagelists) describes a set of packages to install in an image. Each Image Configuration file defines the image output format and selects one or more Package Lists to include in the image. +Different images and image formats can be produced from the build system. Images are assembled from a combination of _Image Configuration_ files and _Package list_ files. Each [Package List](https://github.com/microsoft/CBL-MarinerDemo#package-lists) file (in [toolkit/imageconfigs/packagelists](https://github.com/microsoft/CBL-Mariner/tree/1.0/toolkit/imageconfigs/packagelists)) describes a set of packages to install in an image. Each Image Configuration file defines the image output format and selects one or more Package Lists to include in the image. All images are generated in the `out/images` folder. @@ -206,7 +206,7 @@ The following builds an ISO with an interactive UI and selectable image configur sudo make iso CONFIG_FILE=./imageconfigs/full.json REBUILD_TOOLS=y ``` -To create an unattended ISO installer (no interactive UI) use `UNATTENDED_INSTALLER=y` and run with a `CONFIG_FILE` that only specifies a _single_ SystemConfig. +To create an unattended ISO installer (no interactive UI) use `UNATTENDED_INSTALLER=y` and run with a [`CONFIG_FILE`](https://github.com/microsoft/CBL-MarinerDemo#image-config-file) that only specifies a _single_ SystemConfig. ```bash # Build the standard ISO with unattended installer 
@@ -217,7 +217,7 @@ sudo make iso -j$(nproc) CONFIG_FILE=./imageconfigs/core-legacy.json REBUILD_TOO ## Packages -The toolkit can download packages from remote RPM repositories, or build them locally. By default any `*.spec` files found in `SPECS_DIR="./SPECS"` will be built locally. Dependencies will be downloaded as needed. Only those packages needed to build the current config will be built (`core-efi.json` by default). An additional space separated list of packages may be added using the `PACKAGE_BUILD_LIST=` variable. +The toolkit can download packages from remote RPM repositories, or build them locally. By default any `*.spec` files found in `SPECS_DIR="./SPECS"` will be built locally. Dependencies will be downloaded as needed. Only those packages needed to build the current [config](https://github.com/microsoft/CBL-MarinerDemo#image-config-file) will be built (`core-efi.json` by default). An additional space separated list of packages may be added using the `PACKAGE_BUILD_LIST=` variable. Build all local packages needed for the default `core-efi.json`: 
@@ -576,10 +576,10 @@ To reproduce an ISO build, run the same make invocation as before, but set: | Variable | Default | Description |:------------------------------|:-------------------------------------------------------------------------------------------------------|:--- -| CONFIG_FILE | `$(RESOURCES_DIR)`/imageconfigs/core-efi/core-efi.json | Image config file to build -| CONFIG_BASE_DIR | `$(dir $(CONFIG_FILE))` | Base directory to search for image files in (see [image_config.md](../images/image_config.md)) +| CONFIG_FILE | `$(RESOURCES_DIR)`/imageconfigs/core-efi/core-efi.json | Image config file to build. +| CONFIG_BASE_DIR | `$(dir $(CONFIG_FILE))` | Base directory on the **build machine** to search for any **relative** file paths mentioned inside the [image config file](https://github.com/microsoft/CBL-MarinerDemo#image-config-file). This has no effect on **absolute** file paths or file paths on the **built image**. | UNATTENDED_INSTALLER | | Create unattended ISO installer if set. Overrides all other installer options. -| PACKAGE_BUILD_LIST | | Additional packages to build +| PACKAGE_BUILD_LIST | | Additional packages to build. | PACKAGE_REBUILD_LIST | | Always rebuild this package, even if it is up-to-date. Base package name, will match all virtual packages produced as well. | PACKAGE_IGNORE_LIST | | Pretend this package is always available, never rebuild it. Base package name, will match all virtual packages produced as well. | SSH_KEY_FILE | | Use with `make meta-user-data` to add the ssh key from this file into `user-data`. diff --git a/toolkit/docs/formats/imageconfig.md b/toolkit/docs/formats/imageconfig.md index 38f007eb34d..806fda9373b 100644 --- a/toolkit/docs/formats/imageconfig.md +++ b/toolkit/docs/formats/imageconfig.md 
@@ -251,6 +251,10 @@ A sample KernelCommandLine enabling a basic IMA mode and passing two additional }, ``` +### HidepidDisabled + +An optional flag that removes the `hidepid` option from `/proc`. `Hidepid` prevents proc IDs from being visible to all users. Set this flag if mounting `/proc` in postinstall scripts to ensure the mount options are set correctly. + ### Users Users is an array of user information. The User information is a map of key value pairs. diff --git a/toolkit/imageconfigs/core-efi-aarch64.json b/toolkit/imageconfigs/core-efi-aarch64.json new file mode 100644 index 00000000000..c0ec5d4cba4 --- /dev/null +++ b/toolkit/imageconfigs/core-efi-aarch64.json @@ -0,0 +1,58 @@ +{ + "Disks": [ + { + "PartitionTableType": "gpt", + "MaxSize": 4096, + "Artifacts": [ + { + "Name": "core", + "Type": "vhdx" + } + ], + "Partitions": [ + { + "ID": "boot", + "Flags": [ + "esp", + "boot" + ], + "Start": 1, + "End": 9, + "FsType": "fat32" + }, + { + "ID": "rootfs", + "Start": 9, + "End": 0, + "FsType": "ext4" + } + ] + } + ], + "SystemConfigs": [ + { + "Name": "Standard", + "BootType": "efi", + "PartitionSettings": [ + { + "ID": "boot", + "MountPoint": "/boot/efi", + "MountOptions" : "umask=0077" + }, + { + "ID": "rootfs", + "MountPoint": "/" + } + ], + "PackageLists": [ + "packagelists/hyperv-packages.json", + "packagelists/core-packages-image-aarch64.json", + "packagelists/cloud-init-packages.json" + ], + "KernelOptions": { + "default": "kernel" + }, + "Hostname": "cbl-mariner" + } + ] +} diff --git a/toolkit/imageconfigs/full-aarch64.json b/toolkit/imageconfigs/full-aarch64.json new file mode 100644 index 00000000000..73b1c03e218 --- /dev/null +++ b/toolkit/imageconfigs/full-aarch64.json 
@@ -0,0 +1,26 @@ +{ + "SystemConfigs": [ + { + "Name": "CBL-Mariner Full", + "PackageLists": [ + "packagelists/hyperv-packages.json", + "packagelists/developer-packages.json", + "packagelists/virtualization-host-packages.json", + "packagelists/core-packages-image-aarch64.json" + ], + "KernelOptions": { + "default": "kernel" + } + }, + { + "Name": "CBL-Mariner Core", + "PackageLists": [ + "packagelists/hyperv-packages.json", + "packagelists/core-packages-image-aarch64.json" + ], + "KernelOptions": { + "default": "kernel" + } + } + ] +} \ No newline at end of file diff --git a/toolkit/imageconfigs/packagelists/core-packages-image-aarch64.json b/toolkit/imageconfigs/packagelists/core-packages-image-aarch64.json new file mode 100644 index 00000000000..15aff253e47 --- /dev/null +++ b/toolkit/imageconfigs/packagelists/core-packages-image-aarch64.json @@ -0,0 +1,10 @@ +{ + "packages": [ + "shim-unsigned", + "grub2-efi-binary", + "ca-certificates", + "core-packages-base-image", + "initramfs" + ], + "_comment": "Install 'initramfs' last to avoid unnecessary regeneration when other packages, such as 'kernel', are installed." +} diff --git a/toolkit/imageconfigs/packagelists/core-packages-image.json b/toolkit/imageconfigs/packagelists/core-packages-image.json index 15aff253e47..865b8595e29 100644 --- a/toolkit/imageconfigs/packagelists/core-packages-image.json +++ b/toolkit/imageconfigs/packagelists/core-packages-image.json @@ -1,6 +1,6 @@ { "packages": [ - "shim-unsigned", + "shim", "grub2-efi-binary", "ca-certificates", "core-packages-base-image", diff --git a/toolkit/resources/imageconfigs/additionalfiles/iso_initrd/root/runliveinstaller b/toolkit/resources/imageconfigs/additionalfiles/iso_initrd/root/runliveinstaller index 1fc2a55eb56..b43a832eb1c 100755 --- a/toolkit/resources/imageconfigs/additionalfiles/iso_initrd/root/runliveinstaller +++ b/toolkit/resources/imageconfigs/additionalfiles/iso_initrd/root/runliveinstaller 
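Review bot: The new `core-packages-image-aarch64.json` keeps `shim-unsigned` while `core-packages-image.json` in this same commit switches x86_64 to `shim`, and nothing in the file records why the architectures differ, so a later reader cannot tell whether this is an oversight or a deliberate gap. Presumably no signed aarch64 shim is available yet (the manifest hunk visible here registers only `shim-unsigned-x64`), which means UEFI Secure Boot cannot be enforced on images built from this list. I would extend the existing `_comment` with something like `aarch64 ships 'shim-unsigned' because no signed shim is available for this architecture yet, so Secure Boot must remain disabled on these images; switch to 'shim' once one exists.`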
@@ -28,24 +28,26 @@ else done fi -# FIXME(thcrain-msft) -# This is a loop of silence to keep the default audio device alive -# This is a temporary workaround that is needed for VirtualBox, -# which is currently the most convenient platform to test on which -# has sound driver support. It creates a bit of hiss. -speaker-test -l0 -t wav -w ../../../../root/silence.wav -r 22050 >/dev/null 2>&1 & - -# Set better defaults for speakup punctuation level/speed -echo 2 > /sys/accessibility/speakup/punc_level -echo 2 > /sys/accessibility/speakup/reading_punc -echo 2 > /sys/accessibility/speakup/soft/rate +CONFIG_ROOT=$ISO_ROOT/config -# Ensure the userspace speakup connector is up -systemctl enable espeakup -systemctl start espeakup +# Restrict speakup use to attended installs +if [[ ! -f "$CONFIG_ROOT/unattended_config.json" ]]; then + # FIXME(thcrain-msft) + # This is a loop of silence to keep the default audio device alive + # This is a temporary workaround that is needed for VirtualBox, + # which is currently the most convenient platform to test on which + # has sound driver support. It creates a bit of hiss. + speaker-test -l0 -t wav -w ../../../../root/silence.wav -r 22050 >/dev/null 2>&1 & + # Set better defaults for speakup punctuation level/speed + echo 2 > /sys/accessibility/speakup/punc_level + echo 2 > /sys/accessibility/speakup/reading_punc + echo 2 > /sys/accessibility/speakup/soft/rate -CONFIG_ROOT=$ISO_ROOT/config + # Ensure the userspace speakup connector is up + systemctl enable espeakup + systemctl start espeakup +fi cd /installer @@ -70,4 +72,4 @@ if [ $installerExitCode -eq 0 ]; then reboot else /bin/bash -fi \ No newline at end of file +fi diff --git a/toolkit/resources/imageconfigs/packagelists/iso-initrd-packages.json b/toolkit/resources/imageconfigs/packagelists/iso-initrd-packages.json index 20b2997ac0f..f6e6c558e91 100644 --- a/toolkit/resources/imageconfigs/packagelists/iso-initrd-packages.json 
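Review bot: The three `echo 2 > /sys/accessibility/speakup/...` redirections in the attended branch are unguarded: on a kernel where the speakup and speakup_soft modules are not loaded those files do not exist, each redirection fails with a shell error, and if the script runs under `set -e` (its header is outside this hunk) the installer aborts before ever reaching `cd /installer`. The commit only moves these lines, so the failure mode is pre-existing, but since the block is being restructured anyway it is cheap to wrap the writes and the `espeakup` enable/start in `if [[ -d /sys/accessibility/speakup/soft ]]; then` … `fi`, since starting `espeakup` without the kernel side is pointless. The `CONFIG_ROOT=$ISO_ROOT/config` line also depends on `ISO_ROOT` being set earlier in the script, which this hunk does not show.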
+++ b/toolkit/resources/imageconfigs/packagelists/iso-initrd-packages.json @@ -57,7 +57,7 @@ "rpm", "sed", "shadow-utils", - "shim-unsigned", + "shim", "sqlite", "systemd", "tar", diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index 65781506dda..5cfc6ddfdd7 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt @@ -1,12 +1,12 @@ filesystem-1.1-7.cm1.aarch64.rpm -kernel-headers-5.10.21.1-4.cm1.noarch.rpm -glibc-2.28-17.cm1.aarch64.rpm -glibc-devel-2.28-17.cm1.aarch64.rpm -glibc-i18n-2.28-17.cm1.aarch64.rpm -glibc-iconv-2.28-17.cm1.aarch64.rpm -glibc-lang-2.28-17.cm1.aarch64.rpm -glibc-nscd-2.28-17.cm1.aarch64.rpm -glibc-tools-2.28-17.cm1.aarch64.rpm +kernel-headers-5.10.28.1-4.cm1.noarch.rpm +glibc-2.28-18.cm1.aarch64.rpm +glibc-devel-2.28-18.cm1.aarch64.rpm +glibc-i18n-2.28-18.cm1.aarch64.rpm +glibc-iconv-2.28-18.cm1.aarch64.rpm +glibc-lang-2.28-18.cm1.aarch64.rpm +glibc-nscd-2.28-18.cm1.aarch64.rpm +glibc-tools-2.28-18.cm1.aarch64.rpm zlib-1.2.11-3.cm1.aarch64.rpm zlib-devel-1.2.11-3.cm1.aarch64.rpm file-5.38-1.cm1.aarch64.rpm @@ -58,7 +58,7 @@ findutils-lang-4.6.0-7.cm1.aarch64.rpm gettext-0.19.8.1-4.cm1.aarch64.rpm gzip-1.9-5.cm1.aarch64.rpm make-4.2.1-5.cm1.aarch64.rpm -mariner-release-1.0-15.cm1.noarch.rpm +mariner-release-1.0-16.cm1.noarch.rpm patch-2.7.6-7.cm1.aarch64.rpm util-linux-2.32.1-3.cm1.aarch64.rpm util-linux-devel-2.32.1-3.cm1.aarch64.rpm 
@@ -80,9 +80,9 @@ popt-devel-1.16-7.cm1.aarch64.rpm popt-lang-1.16-7.cm1.aarch64.rpm nspr-4.21-2.cm1.aarch64.rpm nspr-devel-4.21-2.cm1.aarch64.rpm -sqlite-3.32.3-2.cm1.aarch64.rpm -sqlite-devel-3.32.3-2.cm1.aarch64.rpm -sqlite-libs-3.32.3-2.cm1.aarch64.rpm +sqlite-3.34.1-1.cm1.aarch64.rpm +sqlite-devel-3.34.1-1.cm1.aarch64.rpm +sqlite-libs-3.34.1-1.cm1.aarch64.rpm nss-3.44-4.cm1.aarch64.rpm nss-devel-3.44-4.cm1.aarch64.rpm nss-libs-3.44-4.cm1.aarch64.rpm @@ -116,12 +116,12 @@ libcap-devel-2.26-2.cm1.aarch64.rpm libdb-5.3.28-4.cm1.aarch64.rpm libdb-devel-5.3.28-4.cm1.aarch64.rpm libdb-docs-5.3.28-4.cm1.aarch64.rpm -rpm-4.14.2-10.cm1.aarch64.rpm -rpm-build-4.14.2-10.cm1.aarch64.rpm -rpm-build-libs-4.14.2-10.cm1.aarch64.rpm -rpm-devel-4.14.2-10.cm1.aarch64.rpm -rpm-lang-4.14.2-10.cm1.aarch64.rpm -rpm-libs-4.14.2-10.cm1.aarch64.rpm +rpm-4.14.2-11.cm1.aarch64.rpm +rpm-build-4.14.2-11.cm1.aarch64.rpm +rpm-build-libs-4.14.2-11.cm1.aarch64.rpm +rpm-devel-4.14.2-11.cm1.aarch64.rpm +rpm-lang-4.14.2-11.cm1.aarch64.rpm +rpm-libs-4.14.2-11.cm1.aarch64.rpm cpio-2.13-2.cm1.aarch64.rpm cpio-lang-2.13-2.cm1.aarch64.rpm e2fsprogs-libs-1.44.6-4.cm1.aarch64.rpm @@ -129,9 +129,9 @@ libsolv-0.7.7-4.cm1.aarch64.rpm libsolv-devel-0.7.7-4.cm1.aarch64.rpm libssh2-1.9.0-1.cm1.aarch64.rpm libssh2-devel-1.9.0-1.cm1.aarch64.rpm -curl-7.74.0-1.cm1.aarch64.rpm -curl-devel-7.74.0-1.cm1.aarch64.rpm -curl-libs-7.74.0-1.cm1.aarch64.rpm +curl-7.76.0-1.cm1.aarch64.rpm +curl-devel-7.76.0-1.cm1.aarch64.rpm +curl-libs-7.76.0-1.cm1.aarch64.rpm tdnf-2.1.0-6.cm1.aarch64.rpm tdnf-cli-libs-2.1.0-6.cm1.aarch64.rpm tdnf-devel-2.1.0-6.cm1.aarch64.rpm @@ -139,7 +139,7 @@ tdnf-plugin-repogpgcheck-2.1.0-6.cm1.aarch64.rpm createrepo_c-0.11.1-6.cm1.aarch64.rpm libxml2-2.9.10-4.cm1.aarch64.rpm libxml2-devel-2.9.10-4.cm1.aarch64.rpm -glib-2.58.0-8.cm1.aarch64.rpm +glib-2.58.0-9.cm1.aarch64.rpm libltdl-2.4.6-5.cm1.aarch64.rpm libltdl-devel-2.4.6-5.cm1.aarch64.rpm pcre-libs-8.44-1.cm1.aarch64.rpm 
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt index 4519abbd12a..cc97ddeb86a 100644 --- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt @@ -1,12 +1,12 @@ filesystem-1.1-7.cm1.x86_64.rpm -kernel-headers-5.10.21.1-4.cm1.noarch.rpm -glibc-2.28-17.cm1.x86_64.rpm -glibc-devel-2.28-17.cm1.x86_64.rpm -glibc-i18n-2.28-17.cm1.x86_64.rpm -glibc-iconv-2.28-17.cm1.x86_64.rpm -glibc-lang-2.28-17.cm1.x86_64.rpm -glibc-nscd-2.28-17.cm1.x86_64.rpm -glibc-tools-2.28-17.cm1.x86_64.rpm +kernel-headers-5.10.28.1-4.cm1.noarch.rpm +glibc-2.28-18.cm1.x86_64.rpm +glibc-devel-2.28-18.cm1.x86_64.rpm +glibc-i18n-2.28-18.cm1.x86_64.rpm +glibc-iconv-2.28-18.cm1.x86_64.rpm +glibc-lang-2.28-18.cm1.x86_64.rpm +glibc-nscd-2.28-18.cm1.x86_64.rpm +glibc-tools-2.28-18.cm1.x86_64.rpm zlib-1.2.11-3.cm1.x86_64.rpm zlib-devel-1.2.11-3.cm1.x86_64.rpm file-5.38-1.cm1.x86_64.rpm @@ -58,7 +58,7 @@ findutils-lang-4.6.0-7.cm1.x86_64.rpm gettext-0.19.8.1-4.cm1.x86_64.rpm gzip-1.9-5.cm1.x86_64.rpm make-4.2.1-5.cm1.x86_64.rpm -mariner-release-1.0-15.cm1.noarch.rpm +mariner-release-1.0-16.cm1.noarch.rpm patch-2.7.6-7.cm1.x86_64.rpm util-linux-2.32.1-3.cm1.x86_64.rpm util-linux-devel-2.32.1-3.cm1.x86_64.rpm @@ -80,9 +80,9 @@ popt-devel-1.16-7.cm1.x86_64.rpm popt-lang-1.16-7.cm1.x86_64.rpm nspr-4.21-2.cm1.x86_64.rpm nspr-devel-4.21-2.cm1.x86_64.rpm -sqlite-3.32.3-2.cm1.x86_64.rpm -sqlite-devel-3.32.3-2.cm1.x86_64.rpm -sqlite-libs-3.32.3-2.cm1.x86_64.rpm +sqlite-3.34.1-1.cm1.x86_64.rpm +sqlite-devel-3.34.1-1.cm1.x86_64.rpm +sqlite-libs-3.34.1-1.cm1.x86_64.rpm nss-3.44-4.cm1.x86_64.rpm nss-devel-3.44-4.cm1.x86_64.rpm nss-libs-3.44-4.cm1.x86_64.rpm 
@@ -116,12 +116,12 @@ libcap-devel-2.26-2.cm1.x86_64.rpm libdb-5.3.28-4.cm1.x86_64.rpm libdb-devel-5.3.28-4.cm1.x86_64.rpm libdb-docs-5.3.28-4.cm1.x86_64.rpm -rpm-4.14.2-10.cm1.x86_64.rpm -rpm-build-4.14.2-10.cm1.x86_64.rpm -rpm-build-libs-4.14.2-10.cm1.x86_64.rpm -rpm-devel-4.14.2-10.cm1.x86_64.rpm -rpm-lang-4.14.2-10.cm1.x86_64.rpm -rpm-libs-4.14.2-10.cm1.x86_64.rpm +rpm-4.14.2-11.cm1.x86_64.rpm +rpm-build-4.14.2-11.cm1.x86_64.rpm +rpm-build-libs-4.14.2-11.cm1.x86_64.rpm +rpm-devel-4.14.2-11.cm1.x86_64.rpm +rpm-lang-4.14.2-11.cm1.x86_64.rpm +rpm-libs-4.14.2-11.cm1.x86_64.rpm cpio-2.13-2.cm1.x86_64.rpm cpio-lang-2.13-2.cm1.x86_64.rpm e2fsprogs-libs-1.44.6-4.cm1.x86_64.rpm @@ -129,9 +129,9 @@ libsolv-0.7.7-4.cm1.x86_64.rpm libsolv-devel-0.7.7-4.cm1.x86_64.rpm libssh2-1.9.0-1.cm1.x86_64.rpm libssh2-devel-1.9.0-1.cm1.x86_64.rpm -curl-7.74.0-1.cm1.x86_64.rpm -curl-devel-7.74.0-1.cm1.x86_64.rpm -curl-libs-7.74.0-1.cm1.x86_64.rpm +curl-7.76.0-1.cm1.x86_64.rpm +curl-devel-7.76.0-1.cm1.x86_64.rpm +curl-libs-7.76.0-1.cm1.x86_64.rpm tdnf-2.1.0-6.cm1.x86_64.rpm tdnf-cli-libs-2.1.0-6.cm1.x86_64.rpm tdnf-devel-2.1.0-6.cm1.x86_64.rpm @@ -139,7 +139,7 @@ tdnf-plugin-repogpgcheck-2.1.0-6.cm1.x86_64.rpm createrepo_c-0.11.1-6.cm1.x86_64.rpm libxml2-2.9.10-4.cm1.x86_64.rpm libxml2-devel-2.9.10-4.cm1.x86_64.rpm -glib-2.58.0-8.cm1.x86_64.rpm +glib-2.58.0-9.cm1.x86_64.rpm libltdl-2.4.6-5.cm1.x86_64.rpm libltdl-devel-2.4.6-5.cm1.x86_64.rpm pcre-libs-8.44-1.cm1.x86_64.rpm diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt index 1cf15d2fb8a..87ed99f8337 100644 --- a/toolkit/resources/manifests/package/toolchain_aarch64.txt +++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt 
@@ -47,10 +47,10 @@ cryptsetup-debuginfo-2.3.3-2.cm1.aarch64.rpm
 cryptsetup-devel-2.3.3-2.cm1.aarch64.rpm
 cryptsetup-libs-2.3.3-2.cm1.aarch64.rpm
 cryptsetup-reencrypt-2.3.3-2.cm1.aarch64.rpm
-curl-7.74.0-1.cm1.aarch64.rpm
-curl-debuginfo-7.74.0-1.cm1.aarch64.rpm
-curl-devel-7.74.0-1.cm1.aarch64.rpm
-curl-libs-7.74.0-1.cm1.aarch64.rpm
+curl-7.76.0-1.cm1.aarch64.rpm
+curl-debuginfo-7.76.0-1.cm1.aarch64.rpm
+curl-devel-7.76.0-1.cm1.aarch64.rpm
+curl-libs-7.76.0-1.cm1.aarch64.rpm
 device-mapper-2.03.05-5.cm1.aarch64.rpm
 device-mapper-devel-2.03.05-5.cm1.aarch64.rpm
 device-mapper-event-2.03.05-5.cm1.aarch64.rpm
@@ -103,17 +103,17 @@ gdbm-lang-1.18-3.cm1.aarch64.rpm
 gettext-0.19.8.1-4.cm1.aarch64.rpm
 gettext-debuginfo-0.19.8.1-4.cm1.aarch64.rpm
 gfortran-9.1.0-7.cm1.aarch64.rpm
-glib-2.58.0-8.cm1.aarch64.rpm
-glibc-2.28-17.cm1.aarch64.rpm
-glibc-devel-2.28-17.cm1.aarch64.rpm
-glibc-i18n-2.28-17.cm1.aarch64.rpm
-glibc-iconv-2.28-17.cm1.aarch64.rpm
-glibc-lang-2.28-17.cm1.aarch64.rpm
-glibc-nscd-2.28-17.cm1.aarch64.rpm
-glibc-tools-2.28-17.cm1.aarch64.rpm
-glib-debuginfo-2.58.0-8.cm1.aarch64.rpm
-glib-devel-2.58.0-8.cm1.aarch64.rpm
-glib-schemas-2.58.0-8.cm1.aarch64.rpm
+glib-2.58.0-9.cm1.aarch64.rpm
+glibc-2.28-18.cm1.aarch64.rpm
+glibc-devel-2.28-18.cm1.aarch64.rpm
+glibc-i18n-2.28-18.cm1.aarch64.rpm
+glibc-iconv-2.28-18.cm1.aarch64.rpm
+glibc-lang-2.28-18.cm1.aarch64.rpm
+glibc-nscd-2.28-18.cm1.aarch64.rpm
+glibc-tools-2.28-18.cm1.aarch64.rpm
+glib-debuginfo-2.58.0-9.cm1.aarch64.rpm
+glib-devel-2.58.0-9.cm1.aarch64.rpm
+glib-schemas-2.58.0-9.cm1.aarch64.rpm
 gmock-1.8.1-5.cm1.aarch64.rpm
 gmock-devel-1.8.1-5.cm1.aarch64.rpm
 gmock-static-1.8.1-5.cm1.aarch64.rpm
@@ -145,7 +145,7 @@ json-c-debuginfo-0.14-3.cm1.aarch64.rpm
 json-c-devel-0.14-3.cm1.aarch64.rpm
 kbd-2.0.4-5.cm1.aarch64.rpm
 kbd-debuginfo-2.0.4-5.cm1.aarch64.rpm
-kernel-headers-5.10.21.1-4.cm1.noarch.rpm
+kernel-headers-5.10.28.1-4.cm1.noarch.rpm
 kmod-25-4.cm1.aarch64.rpm
 kmod-debuginfo-25-4.cm1.aarch64.rpm
 kmod-devel-25-4.cm1.aarch64.rpm
@@ -240,7 +240,7 @@ m4-debuginfo-1.4.18-4.cm1.aarch64.rpm
 make-4.2.1-5.cm1.aarch64.rpm
 make-debuginfo-4.2.1-5.cm1.aarch64.rpm
 mariner-check-macros-1.0-3.cm1.noarch.rpm
-mariner-release-1.0-15.cm1.noarch.rpm
+mariner-release-1.0-16.cm1.noarch.rpm
 mariner-repos-1.0-13.cm1.noarch.rpm
 mariner-repos-extras-1.0-13.cm1.noarch.rpm
 mariner-repos-extras-preview-1.0-13.cm1.noarch.rpm
@@ -270,12 +270,12 @@ nss-3.44-4.cm1.aarch64.rpm
 nss-debuginfo-3.44-4.cm1.aarch64.rpm
 nss-devel-3.44-4.cm1.aarch64.rpm
 nss-libs-3.44-4.cm1.aarch64.rpm
-openjdk8-1.8.0.181-8.cm1.aarch64.rpm
-openjdk8-debuginfo-1.8.0.181-8.cm1.aarch64.rpm
-openjdk8-doc-1.8.0.181-8.cm1.aarch64.rpm
-openjdk8-sample-1.8.0.181-8.cm1.aarch64.rpm
-openjdk8-src-1.8.0.181-8.cm1.aarch64.rpm
-openjre8-1.8.0.181-8.cm1.aarch64.rpm
+openjdk8-1.8.0.292-1.cm1.aarch64.rpm
+openjdk8-debuginfo-1.8.0.292-1.cm1.aarch64.rpm
+openjdk8-doc-1.8.0.292-1.cm1.aarch64.rpm
+openjdk8-sample-1.8.0.292-1.cm1.aarch64.rpm
+openjdk8-src-1.8.0.292-1.cm1.aarch64.rpm
+openjre8-1.8.0.292-1.cm1.aarch64.rpm
 openssl-1.1.1k-1.cm1.aarch64.rpm
 openssl-debuginfo-1.1.1k-1.cm1.aarch64.rpm
 openssl-devel-1.1.1k-1.cm1.aarch64.rpm
@@ -333,31 +333,31 @@ python3-cracklib-2.9.7-2.cm1.aarch64.rpm
 python3-gpg-1.13.1-6.cm1.aarch64.rpm
 python3-libxml2-2.9.10-4.cm1.aarch64.rpm
 python3-pwquality-1.4.2-6.cm1.aarch64.rpm
-python3-rpm-4.14.2-10.cm1.aarch64.rpm
+python3-rpm-4.14.2-11.cm1.aarch64.rpm
 python-curses-2.7.18-6.cm1.aarch64.rpm
 python-gpg-1.13.1-6.cm1.aarch64.rpm
-python-rpm-4.14.2-10.cm1.aarch64.rpm
+python-rpm-4.14.2-11.cm1.aarch64.rpm
 python-setuptools-40.2.0-6.cm1.noarch.rpm
 python-xml-2.7.18-6.cm1.aarch64.rpm
 readline-7.0-4.cm1.aarch64.rpm
 readline-debuginfo-7.0-4.cm1.aarch64.rpm
 readline-devel-7.0-4.cm1.aarch64.rpm
-rpm-4.14.2-10.cm1.aarch64.rpm
-rpm-build-4.14.2-10.cm1.aarch64.rpm
-rpm-build-libs-4.14.2-10.cm1.aarch64.rpm
-rpm-debuginfo-4.14.2-10.cm1.aarch64.rpm
-rpm-devel-4.14.2-10.cm1.aarch64.rpm
-rpm-lang-4.14.2-10.cm1.aarch64.rpm
-rpm-libs-4.14.2-10.cm1.aarch64.rpm
+rpm-4.14.2-11.cm1.aarch64.rpm
+rpm-build-4.14.2-11.cm1.aarch64.rpm
+rpm-build-libs-4.14.2-11.cm1.aarch64.rpm
+rpm-debuginfo-4.14.2-11.cm1.aarch64.rpm
+rpm-devel-4.14.2-11.cm1.aarch64.rpm
+rpm-lang-4.14.2-11.cm1.aarch64.rpm
+rpm-libs-4.14.2-11.cm1.aarch64.rpm
 sed-4.5-3.cm1.aarch64.rpm
 sed-debuginfo-4.5-3.cm1.aarch64.rpm
 sed-lang-4.5-3.cm1.aarch64.rpm
 shadow-utils-4.6-10.cm1.aarch64.rpm
 shadow-utils-debuginfo-4.6-10.cm1.aarch64.rpm
-sqlite-3.32.3-2.cm1.aarch64.rpm
-sqlite-debuginfo-3.32.3-2.cm1.aarch64.rpm
-sqlite-devel-3.32.3-2.cm1.aarch64.rpm
-sqlite-libs-3.32.3-2.cm1.aarch64.rpm
+sqlite-3.34.1-1.cm1.aarch64.rpm
+sqlite-debuginfo-3.34.1-1.cm1.aarch64.rpm
+sqlite-devel-3.34.1-1.cm1.aarch64.rpm
+sqlite-libs-3.34.1-1.cm1.aarch64.rpm
 swig-3.0.12-5.cm1.aarch64.rpm
 swig-debuginfo-3.0.12-5.cm1.aarch64.rpm
 systemd-239-36.cm1.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 26d0cd9390f..96e6687be1a 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -47,10 +47,10 @@ cryptsetup-debuginfo-2.3.3-2.cm1.x86_64.rpm
 cryptsetup-devel-2.3.3-2.cm1.x86_64.rpm
 cryptsetup-libs-2.3.3-2.cm1.x86_64.rpm
 cryptsetup-reencrypt-2.3.3-2.cm1.x86_64.rpm
-curl-7.74.0-1.cm1.x86_64.rpm
-curl-debuginfo-7.74.0-1.cm1.x86_64.rpm
-curl-devel-7.74.0-1.cm1.x86_64.rpm
-curl-libs-7.74.0-1.cm1.x86_64.rpm
+curl-7.76.0-1.cm1.x86_64.rpm
+curl-debuginfo-7.76.0-1.cm1.x86_64.rpm
+curl-devel-7.76.0-1.cm1.x86_64.rpm
+curl-libs-7.76.0-1.cm1.x86_64.rpm
 device-mapper-2.03.05-5.cm1.x86_64.rpm
 device-mapper-devel-2.03.05-5.cm1.x86_64.rpm
 device-mapper-event-2.03.05-5.cm1.x86_64.rpm
@@ -103,17 +103,17 @@ gdbm-lang-1.18-3.cm1.x86_64.rpm
 gettext-0.19.8.1-4.cm1.x86_64.rpm
 gettext-debuginfo-0.19.8.1-4.cm1.x86_64.rpm
 gfortran-9.1.0-7.cm1.x86_64.rpm
-glib-2.58.0-8.cm1.x86_64.rpm
-glibc-2.28-17.cm1.x86_64.rpm
-glibc-devel-2.28-17.cm1.x86_64.rpm
-glibc-i18n-2.28-17.cm1.x86_64.rpm
-glibc-iconv-2.28-17.cm1.x86_64.rpm
-glibc-lang-2.28-17.cm1.x86_64.rpm
-glibc-nscd-2.28-17.cm1.x86_64.rpm
-glibc-tools-2.28-17.cm1.x86_64.rpm
-glib-debuginfo-2.58.0-8.cm1.x86_64.rpm
-glib-devel-2.58.0-8.cm1.x86_64.rpm
-glib-schemas-2.58.0-8.cm1.x86_64.rpm
+glib-2.58.0-9.cm1.x86_64.rpm
+glibc-2.28-18.cm1.x86_64.rpm
+glibc-devel-2.28-18.cm1.x86_64.rpm
+glibc-i18n-2.28-18.cm1.x86_64.rpm
+glibc-iconv-2.28-18.cm1.x86_64.rpm
+glibc-lang-2.28-18.cm1.x86_64.rpm
+glibc-nscd-2.28-18.cm1.x86_64.rpm
+glibc-tools-2.28-18.cm1.x86_64.rpm
+glib-debuginfo-2.58.0-9.cm1.x86_64.rpm
+glib-devel-2.58.0-9.cm1.x86_64.rpm
+glib-schemas-2.58.0-9.cm1.x86_64.rpm
 gmock-1.8.1-5.cm1.x86_64.rpm
 gmock-devel-1.8.1-5.cm1.x86_64.rpm
 gmock-static-1.8.1-5.cm1.x86_64.rpm
@@ -145,7 +145,7 @@ json-c-debuginfo-0.14-3.cm1.x86_64.rpm
 json-c-devel-0.14-3.cm1.x86_64.rpm
 kbd-2.0.4-5.cm1.x86_64.rpm
 kbd-debuginfo-2.0.4-5.cm1.x86_64.rpm
-kernel-headers-5.10.21.1-4.cm1.noarch.rpm
+kernel-headers-5.10.28.1-4.cm1.noarch.rpm
 kmod-25-4.cm1.x86_64.rpm
 kmod-debuginfo-25-4.cm1.x86_64.rpm
 kmod-devel-25-4.cm1.x86_64.rpm
@@ -240,7 +240,7 @@ m4-debuginfo-1.4.18-4.cm1.x86_64.rpm
 make-4.2.1-5.cm1.x86_64.rpm
 make-debuginfo-4.2.1-5.cm1.x86_64.rpm
 mariner-check-macros-1.0-3.cm1.noarch.rpm
-mariner-release-1.0-15.cm1.noarch.rpm
+mariner-release-1.0-16.cm1.noarch.rpm
 mariner-repos-1.0-13.cm1.noarch.rpm
 mariner-repos-extras-1.0-13.cm1.noarch.rpm
 mariner-repos-extras-preview-1.0-13.cm1.noarch.rpm
@@ -270,12 +270,12 @@ nss-3.44-4.cm1.x86_64.rpm
 nss-debuginfo-3.44-4.cm1.x86_64.rpm
 nss-devel-3.44-4.cm1.x86_64.rpm
 nss-libs-3.44-4.cm1.x86_64.rpm
-openjdk8-1.8.0.212-10.cm1.x86_64.rpm
-openjdk8-debuginfo-1.8.0.212-10.cm1.x86_64.rpm
-openjdk8-doc-1.8.0.212-10.cm1.x86_64.rpm
-openjdk8-sample-1.8.0.212-10.cm1.x86_64.rpm
-openjdk8-src-1.8.0.212-10.cm1.x86_64.rpm
-openjre8-1.8.0.212-10.cm1.x86_64.rpm
+openjdk8-1.8.0.292-1.cm1.x86_64.rpm
+openjdk8-debuginfo-1.8.0.292-1.cm1.x86_64.rpm
+openjdk8-doc-1.8.0.292-1.cm1.x86_64.rpm
+openjdk8-sample-1.8.0.292-1.cm1.x86_64.rpm
+openjdk8-src-1.8.0.292-1.cm1.x86_64.rpm
+openjre8-1.8.0.292-1.cm1.x86_64.rpm
 openssl-1.1.1k-1.cm1.x86_64.rpm
 openssl-debuginfo-1.1.1k-1.cm1.x86_64.rpm
 openssl-devel-1.1.1k-1.cm1.x86_64.rpm
@@ -333,31 +333,31 @@ python3-cracklib-2.9.7-2.cm1.x86_64.rpm
 python3-gpg-1.13.1-6.cm1.x86_64.rpm
 python3-libxml2-2.9.10-4.cm1.x86_64.rpm
 python3-pwquality-1.4.2-6.cm1.x86_64.rpm
-python3-rpm-4.14.2-10.cm1.x86_64.rpm
+python3-rpm-4.14.2-11.cm1.x86_64.rpm
 python-curses-2.7.18-6.cm1.x86_64.rpm
 python-gpg-1.13.1-6.cm1.x86_64.rpm
-python-rpm-4.14.2-10.cm1.x86_64.rpm
+python-rpm-4.14.2-11.cm1.x86_64.rpm
 python-setuptools-40.2.0-6.cm1.noarch.rpm
 python-xml-2.7.18-6.cm1.x86_64.rpm
 readline-7.0-4.cm1.x86_64.rpm
 readline-debuginfo-7.0-4.cm1.x86_64.rpm
 readline-devel-7.0-4.cm1.x86_64.rpm
-rpm-4.14.2-10.cm1.x86_64.rpm
-rpm-build-4.14.2-10.cm1.x86_64.rpm
-rpm-build-libs-4.14.2-10.cm1.x86_64.rpm
-rpm-debuginfo-4.14.2-10.cm1.x86_64.rpm
-rpm-devel-4.14.2-10.cm1.x86_64.rpm
-rpm-lang-4.14.2-10.cm1.x86_64.rpm
-rpm-libs-4.14.2-10.cm1.x86_64.rpm
+rpm-4.14.2-11.cm1.x86_64.rpm
+rpm-build-4.14.2-11.cm1.x86_64.rpm
+rpm-build-libs-4.14.2-11.cm1.x86_64.rpm
+rpm-debuginfo-4.14.2-11.cm1.x86_64.rpm
+rpm-devel-4.14.2-11.cm1.x86_64.rpm
+rpm-lang-4.14.2-11.cm1.x86_64.rpm
+rpm-libs-4.14.2-11.cm1.x86_64.rpm
 sed-4.5-3.cm1.x86_64.rpm
 sed-debuginfo-4.5-3.cm1.x86_64.rpm
 sed-lang-4.5-3.cm1.x86_64.rpm
 shadow-utils-4.6-10.cm1.x86_64.rpm
 shadow-utils-debuginfo-4.6-10.cm1.x86_64.rpm
-sqlite-3.32.3-2.cm1.x86_64.rpm
-sqlite-debuginfo-3.32.3-2.cm1.x86_64.rpm
-sqlite-devel-3.32.3-2.cm1.x86_64.rpm
-sqlite-libs-3.32.3-2.cm1.x86_64.rpm
+sqlite-3.34.1-1.cm1.x86_64.rpm
+sqlite-debuginfo-3.34.1-1.cm1.x86_64.rpm
+sqlite-devel-3.34.1-1.cm1.x86_64.rpm
+sqlite-libs-3.34.1-1.cm1.x86_64.rpm
 swig-3.0.12-5.cm1.x86_64.rpm
 swig-debuginfo-3.0.12-5.cm1.x86_64.rpm
 systemd-239-36.cm1.x86_64.rpm
diff --git a/toolkit/scripts/addcerts.sh b/toolkit/scripts/addcerts.sh
index 6a49a5f466f..1d1d5edddb5 100755
--- a/toolkit/scripts/addcerts.sh
+++ b/toolkit/scripts/addcerts.sh
@@ -16,7 +16,7 @@ TLS_CERT_BASENAME=$(basename $TLS_CERT) TLS_KEY_BASENAME=$(basename $TLS_KEY) CA_CERT_BASENAME=$(basename $CA_CERT) -while IFS= read -r line; do +while IFS= read -r line || [ -n "$line" ]; do echo $line echo "$line" >> $USER_DATA_TEMP if [ $line = "#cloud-config" ]; then diff --git a/SPECS/LICENSES-AND-NOTICES/data/license_map.py b/toolkit/scripts/licenses/license_map.py similarity index 88% rename from SPECS/LICENSES-AND-NOTICES/data/license_map.py rename to toolkit/scripts/licenses/license_map.py index 5d5719900a4..f49ddb449da 100644 --- a/SPECS/LICENSES-AND-NOTICES/data/license_map.py +++ b/toolkit/scripts/licenses/license_map.py @@ -51,18 +51,21 @@ def get_missing_specs(spec_directories, license_collection): return specs_not_in_json, specs_not_in_dir -def main(input_filename, output_filename, spec_directories): +def main(input_filename, output_filename, spec_directories, only_update): with open(input_filename, 'r') as input_file: license_collection = deserialize_json(input_file) - specs_not_in_json, specs_not_in_dir = get_missing_specs(spec_directories, license_collection) - with open(output_filename, 'r') as output_file: old_content = output_file.read() new_content = generate_markdown(license_collection) with open(output_filename, 'w') as output_file: output_file.write(new_content) + if only_update: + return + + specs_not_in_json, specs_not_in_dir = get_missing_specs(spec_directories, license_collection) + if len(specs_not_in_json) or len(specs_not_in_dir) or old_content != new_content: if len(specs_not_in_json): print("Specs present in spec directories that are not present in data file:") 
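Review bot: The new loop header also delivers a final line that has no trailing newline, but the test on the hunk's last line still expands `$line` unquoted, so an empty or whitespace-only line becomes `[ = "#cloud-config" ]` and fails with a unary-operator error, and a line containing spaces is split into several words; quote it: `if [ "$line" = "#cloud-config" ]; then`. The `echo $line` two lines above has the same word-splitting and glob-expansion problem and should be `echo "$line"`; and since this script appears to be assembling cloud-config user data alongside a TLS key (`TLS_KEY_BASENAME` is computed just above), it is worth asking whether every input line should be echoed to stdout at all, because anything sensitive in the input lands in the build log. The loop body and its `done` redirection continue outside the hunk.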
@@ -83,8 +86,9 @@ def main(input_filename, output_filename, spec_directories): if __name__ == '__main__': parser = argparse.ArgumentParser(description='Processes spec license data, find missing entries, and regenerate license map file.') - parser.add_argument('input_filename', type=Path, help='Path to data file with license data') - parser.add_argument('output_filename', type=Path, help='Path to license map markdown file') - parser.add_argument('spec_directories', type=Path, nargs='+', help='Directories containing specs') + parser.add_argument('input_filename', type=Path, help='Path to data file with license data.') + parser.add_argument('output_filename', type=Path, help='Path to license map markdown file.') + parser.add_argument('spec_directories', type=Path, nargs='+', help='Directories containing specs.') + parser.add_argument('--only_update', help='Does not perform a check, only updates the markdown file according to the input JSON.', action='store_true') p = parser.parse_args() - main(p.input_filename, p.output_filename, p.spec_directories) + main(p.input_filename, p.output_filename, p.spec_directories, p.only_update) diff --git a/toolkit/scripts/preparemacros.sh b/toolkit/scripts/preparemacros.sh index 85fcf67dcc0..0ed6477d6a2 100755 --- a/toolkit/scripts/preparemacros.sh +++ b/toolkit/scripts/preparemacros.sh @@ -23,7 +23,7 @@ mkdir -p ${dir} cd ${dir} echo "Expanding rpms into MACRO_DIR ${dir}" -while read p; do +while read p || [ -n "$p" ]; do # Regex find for rpms with the correct package name # Reverse sort the list so the highest version/revision is the top result exact=`find ${rpmdir} -regextype sed -regex ".*/$p-[^-]*-[^-]*.rpm" | sort -r | head -1` diff --git a/toolkit/scripts/toolchain/container/Dockerfile b/toolkit/scripts/toolchain/container/Dockerfile index 4dc69069cd1..abf4b36d3dd 100644 --- a/toolkit/scripts/toolchain/container/Dockerfile +++ b/toolkit/scripts/toolchain/container/Dockerfile 
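Review bot: The comment above the `find` line promises the highest version/revision, but `sort -r` is a plain lexical sort, so a `-10` release sorts below `-9` and the older RPM is picked; use `sort -rV` to get the intended order. Two smaller points on the same loop: `read p` without `-r` and `IFS=` strips leading whitespace and interprets backslashes, so the new header is better written `while IFS= read -r p || [ -n "$p" ]; do`, matching the other loops this commit touches; and `$p` is interpolated unescaped into the `-regex` pattern, so a package name containing `.` or `+` (e.g. `libstdc++`) is read as regex metacharacters and can match a different package, which is avoided with `-name "$p-*-*.rpm"`, where those characters are literal. The loop body and its `done` line continue outside the hunk.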
@@ -68,7 +68,7 @@ COPY [ "./toolchain-md5sums", \ WORKDIR $LFS/sources RUN wget -nv --no-clobber --timeout=30 --no-check-certificate --continue --input-file=$LFS/tools/toolchain-local-wget-list --directory-prefix=$LFS/sources; exit 0 RUN wget -nv --no-clobber --timeout=30 --continue --input-file=$LFS/tools/toolchain-remote-wget-list --directory-prefix=$LFS/sources; exit 0 -RUN wget -nv --no-clobber --timeout=30 --continue https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.21.1.tar.gz -O kernel-5.10.21.1.tar.gz --directory-prefix=$LFS/sources; exit 0 +RUN wget -nv --no-clobber --timeout=30 --continue https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/rolling-lts/mariner/5.10.28.1.tar.gz -O kernel-5.10.28.1.tar.gz --directory-prefix=$LFS/sources; exit 0 USER root RUN /tools/toolchain-jdk8-wget.sh; exit 0 RUN md5sum -c $LFS/tools/toolchain-md5sums && \ diff --git a/toolkit/scripts/toolchain/container/toolchain-md5sums b/toolkit/scripts/toolchain/container/toolchain-md5sums index f005773f76e..cc08717a8f3 100644 --- a/toolkit/scripts/toolchain/container/toolchain-md5sums +++ b/toolkit/scripts/toolchain/container/toolchain-md5sums @@ -59,7 +59,7 @@ bc62e7df6f75357b6dd1ec34600dbeaf jdk8u212-b04-langtools.tar.bz2 d0272e7a6107c64dae62b80ca7ec65e2 jdk8u212-b04-nashorn.tar.bz2 befd51c2b53a442e1fa6644bba89a95a jdk8u212-b04.tar.bz2 94afc90c1f7bef4a27fdd59ece39c878 kbproto-1.0.7.tar.bz2 -385192d9be43a19ffa5a1a6074278d79 kernel-5.10.21.1.tar.gz +e0c6f0946012317df6dc4a56b82410e3 kernel-5.10.28.1.tar.gz d953ed6b47694dadf0e6042f8f9ff451 libarchive-3.4.2.tar.gz 968ac4d42a1a71754313527be2ab5df3 libcap-2.26.tar.xz ba983eba5a9f05d152a0725b8e863151 libdmx-1.1.3.tar.bz2 diff --git a/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh b/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh index 5931fcb3ff2..bd2bab8f47b 100755 --- a/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh 
+++ b/toolkit/scripts/toolchain/container/toolchain_build_in_chroot.sh @@ -57,14 +57,14 @@ set -e # cd /sources -echo Linux-5.10.21.1 API Headers -tar xf kernel-5.10.21.1.tar.gz -pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.21.1 +echo Linux-5.10.28.1 API Headers +tar xf kernel-5.10.28.1.tar.gz +pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.28.1 make mrproper make headers cp -rv usr/include/* /usr/include popd -rm -rf CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.21.1 +rm -rf CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.28.1 touch /logs/status_kernel_headers_complete echo 6.8. Man-pages-5.02 diff --git a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh index b557c0a9214..8df1b2accbd 100755 --- a/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh +++ b/toolkit/scripts/toolchain/container/toolchain_build_temp_tools.sh @@ -113,14 +113,14 @@ rm -rf gcc-9.1.0 touch $LFS/logs/temptoolchain/status_gcc_pass1_complete -echo Linux-5.10.21.1 API Headers -tar xf kernel-5.10.21.1.tar.gz -pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.21.1 +echo Linux-5.10.28.1 API Headers +tar xf kernel-5.10.28.1.tar.gz +pushd CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.28.1 make mrproper make headers cp -rv usr/include/* /tools/include popd -rm -rf CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.21.1 +rm -rf CBL-Mariner-Linux-Kernel-rolling-lts-mariner-5.10.28.1 touch $LFS/logs/temptoolchain/status_kernel_headers_complete diff --git a/toolkit/tools/imagegen/attendedinstaller/speakuputils/speakuputils.go b/toolkit/tools/imagegen/attendedinstaller/speakuputils/speakuputils.go index 61071ad292d..280a0e9bb1d 100644 --- a/toolkit/tools/imagegen/attendedinstaller/speakuputils/speakuputils.go +++ b/toolkit/tools/imagegen/attendedinstaller/speakuputils/speakuputils.go 
@@ -8,6 +8,13 @@ import ( "microsoft.com/pkggen/internal/shell" ) +// Constants for start/stop speakup functions +const ( + squashError = false + systemctlProgram = "systemctl" + espeakupService = "espeakup.service" +) + // CreateVirtualKeyboard creates and returns a virtual keyboard from the uinput package func CreateVirtualKeyboard() (keyboard uinput.Keyboard, err error) { keyboard, err = uinput.CreateKeyboard("/dev/uinput", []byte("MarinerVirtualKeyboard")) @@ -39,16 +46,20 @@ func ClearSpeakupBuffer(k uinput.Keyboard) (err error) { // StopSpeakup stops the espeakup connector daemon using systemctl func StopSpeakup() (err error) { - const ( - squashError = "false" - systemctlProgram = "systemctl" - espeakupService = "espeakup.service" - ) + err = shell.ExecuteLive(squashError, systemctlProgram, []string{"disable", espeakupService}...) + if err != nil { + return + } + err = shell.ExecuteLive(squashError, systemctlProgram, []string{"stop", espeakupService}...) + return +} - err = shell.ExecuteLive(false, systemctlProgram, []string{"disable", espeakupService}...) +// StartSpeakup stops the espeakup connector daemon using systemctl +func StartSpeakup() (err error) { + err = shell.ExecuteLive(squashError, systemctlProgram, []string{"enable", espeakupService}...) if err != nil { return } - err = shell.ExecuteLive(false, systemctlProgram, []string{"stop", espeakupService}...) + err = shell.ExecuteLive(squashError, systemctlProgram, []string{"start", espeakupService}...) return } diff --git a/toolkit/tools/imagegen/attendedinstaller/views/installerview/installerview.go b/toolkit/tools/imagegen/attendedinstaller/views/installerview/installerview.go index a98311cedf9..54041e0e2da 100644 --- a/toolkit/tools/imagegen/attendedinstaller/views/installerview/installerview.go +++ b/toolkit/tools/imagegen/attendedinstaller/views/installerview/installerview.go 
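Review bot: The doc comment on the new `StartSpeakup` is copied from `StopSpeakup` and says the function stops the daemon, while its body runs `systemctl enable` and `systemctl start`; change it to `// StartSpeakup enables and starts the espeakup connector daemon using systemctl`. As a point of style, building a slice literal only to spread it, `[]string{"enable", espeakupService}...`, adds nothing over passing the variadic arguments directly, `shell.ExecuteLive(squashError, systemctlProgram, "enable", espeakupService)`, and the same applies to the other three calls in this hunk. The typed `squashError = false` in the first hunk fixes the old string-valued constant that could never have been passed as the bool argument, which is why the previous code used a bare `false`; a short comment on the const such as `// squashError: do not suppress systemctl's exit status` would keep that from being reverted.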
@@ -147,6 +147,11 @@ func (iv *InstallerView) Primitive() tview.Primitive { // OnShow gets called when the view is shown to the user func (iv *InstallerView) OnShow() { + err := speakuputils.StartSpeakup() + if err != nil { + logger.Log.Warnf("Failed to start speakup, continuing") + err = nil + } } func (iv *InstallerView) onNextButton(nextPage func()) { diff --git a/toolkit/tools/imagegen/configuration/configuration_test.go b/toolkit/tools/imagegen/configuration/configuration_test.go index 8d1e925d478..6ea8603c45a 100644 --- a/toolkit/tools/imagegen/configuration/configuration_test.go +++ b/toolkit/tools/imagegen/configuration/configuration_test.go @@ -354,6 +354,7 @@ var expectedConfiguration Config = Config{ TmpfsOverlays: nil, TmpfsOverlaySize: "20%", }, + HidepidDisabled: true, }, { Name: "BiggerDiskA", diff --git a/toolkit/tools/imagegen/configuration/systemconfig.go b/toolkit/tools/imagegen/configuration/systemconfig.go index b64d25ae4eb..c937e528514 100644 --- a/toolkit/tools/imagegen/configuration/systemconfig.go +++ b/toolkit/tools/imagegen/configuration/systemconfig.go @@ -30,6 +30,7 @@ type SystemConfig struct { Encryption RootEncryption `json:"Encryption"` RemoveRpmDb bool `json:"RemoveRpmDb"` ReadOnlyVerityRoot ReadOnlyVerityRoot `json:"ReadOnlyVerityRoot"` + HidepidDisabled bool `json:"HidepidDisabled"` } // GetRootPartitionSetting returns a pointer to the partition setting describing the disk which @@ -133,6 +134,8 @@ func (s *SystemConfig) IsValid() (err error) { //Validate Encryption + //Validate HidepidDisabled + return } diff --git a/toolkit/tools/imagegen/configuration/testdata/test_configuration.json b/toolkit/tools/imagegen/configuration/testdata/test_configuration.json index 1e106394166..ba5d6ec756f 100644 --- a/toolkit/tools/imagegen/configuration/testdata/test_configuration.json +++ b/toolkit/tools/imagegen/configuration/testdata/test_configuration.json 
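Review bot: The warning on the new error path in `OnShow` drops the error value, so a failure of `systemctl enable`/`start` leaves nothing in the log to diagnose, and the `err = nil` that follows is a dead store to a local declared with `:=` that nothing reads afterwards. Write `logger.Log.Warnf("Failed to start speakup, continuing: %v", err)` and delete the `err = nil` line; if the assignment was meant to document that the failure is deliberately ignored, a comment such as `// speech output is best-effort; presumably the installer must still work without it` says that more clearly.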
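Review bot: The new `HidepidDisabled` field is the only knob for a security-relevant mount option and carries no comment, so a reader of the struct or of the JSON schema cannot tell what the zero value does; elsewhere in this commit the imager computes `hidepidEnabled := !systemConfig.HidepidDisabled` and, when that is true, writes a `/proc` fstab entry with `hidepid=2`, so the default (`false`) is the hardened one and only an explicit `true` turns it off. Add a field comment above it, e.g. `// HidepidDisabled, when true, skips the /proc fstab entry that mounts proc with hidepid=2; the default (false) hides other users' processes from unprivileged users (see proc(5)).` The negative name is a good choice because it keeps the secure behaviour as the zero-value default, which is worth stating explicitly so nobody later "simplifies" it to `HidepidEnabled` and flips the default. The `//Validate HidepidDisabled` placeholder the next hunk adds to `IsValid` has nothing to validate for a bool and can be dropped or turned into a one-line note saying so.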
@@ -186,7 +186,8 @@ "RemoveRpmDb": false, "ReadOnlyVerityRoot": { "Enable": false - } + }, + "HidepidDisabled": true }, { "Name": "BiggerDiskA", diff --git a/toolkit/tools/imagegen/installutils/installutils.go b/toolkit/tools/imagegen/installutils/installutils.go index e43af60e958..1a828c685ab 100644 --- a/toolkit/tools/imagegen/installutils/installutils.go +++ b/toolkit/tools/imagegen/installutils/installutils.go @@ -373,8 +373,9 @@ func PackageNamesFromConfig(config configuration.Config) (packageList []*pkgjson // - mountPointToMountArgsMap is a map of mountpoints to mount options // - isRootFS specifies if the installroot is either backed by a directory (rootfs) or a raw disk // - encryptedRoot stores information about the encrypted root device if root encryption is enabled -//- diffDiskBuild is a flag that denotes whether this is a diffdisk build or not -func PopulateInstallRoot(installChroot *safechroot.Chroot, packagesToInstall []string, config configuration.SystemConfig, installMap, mountPointToFsTypeMap, mountPointToMountArgsMap map[string]string, isRootFS bool, encryptedRoot diskutils.EncryptedRootDevice, diffDiskBuild bool) (err error) { +// - diffDiskBuild is a flag that denotes whether this is a diffdisk build or not +// - hidepidEnabled is a flag that denotes whether /proc will be mounted with the hidepid option +func PopulateInstallRoot(installChroot *safechroot.Chroot, packagesToInstall []string, config configuration.SystemConfig, installMap, mountPointToFsTypeMap, mountPointToMountArgsMap map[string]string, isRootFS bool, encryptedRoot diskutils.EncryptedRootDevice, diffDiskBuild, hidepidEnabled bool) (err error) { const ( filesystemPkg = "filesystem" ) 
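Review bot: `hidepidEnabled` is threaded in as a tenth parameter even though `config configuration.SystemConfig` is already passed and is the source of truth for it (the imager derives it as `!systemConfig.HidepidDisabled`), so the two can disagree and every caller has to remember the derivation. Unless some caller needs to override the config, derive it once inside the function, `hidepidEnabled := !config.HidepidDisabled`, and leave the signature as it was; if the parameter stays, the new doc bullet should at least say that it must equal `!config.HidepidDisabled`. Two trailing unnamed booleans, `diffDiskBuild, hidepidEnabled bool`, are also easy to transpose at call sites, which is the usual argument for reading such flags from the config struct rather than positional bools. PopulateInstallRoot's body continues outside the hunk.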
@@ -446,7 +447,7 @@ func PopulateInstallRoot(installChroot *safechroot.Chroot, packagesToInstall []s if !isRootFS { // Configure system files - err = configureSystemFiles(installChroot, hostname, installMap, mountPointToFsTypeMap, mountPointToMountArgsMap, encryptedRoot) + err = configureSystemFiles(installChroot, hostname, installMap, mountPointToFsTypeMap, mountPointToMountArgsMap, encryptedRoot, hidepidEnabled) if err != nil { return } @@ -599,7 +600,7 @@ func initializeTdnfConfiguration(installRoot string) (err error) { return } -func configureSystemFiles(installChroot *safechroot.Chroot, hostname string, installMap, mountPointToFsTypeMap, mountPointToMountArgsMap map[string]string, encryptedRoot diskutils.EncryptedRootDevice) (err error) { +func configureSystemFiles(installChroot *safechroot.Chroot, hostname string, installMap, mountPointToFsTypeMap, mountPointToMountArgsMap map[string]string, encryptedRoot diskutils.EncryptedRootDevice, hidepidEnabled bool) (err error) { // Update hosts file err = updateHosts(installChroot.RootDir(), hostname) if err != nil { @@ -607,7 +608,7 @@ func configureSystemFiles(installChroot *safechroot.Chroot, hostname string, ins } // Update fstab - err = updateFstab(installChroot.RootDir(), installMap, mountPointToFsTypeMap, mountPointToMountArgsMap) + err = updateFstab(installChroot.RootDir(), installMap, mountPointToFsTypeMap, mountPointToMountArgsMap, hidepidEnabled) if err != nil { return } 
@@ -761,21 +762,31 @@ func updateInitramfsForEncrypt(installChroot *safechroot.Chroot) (err error) { return } -func updateFstab(installRoot string, installMap, mountPointToFsTypeMap, mountPointToMountArgsMap map[string]string) (err error) { +func updateFstab(installRoot string, installMap, mountPointToFsTypeMap, mountPointToMountArgsMap map[string]string, hidepidEnabled bool) (err error) { + const ( + doPseudoFsMount = true + ) ReportAction("Configuring fstab") for mountPoint, devicePath := range installMap { if mountPoint != "" && devicePath != NullDevice { - err = addEntryToFstab(installRoot, mountPoint, devicePath, mountPointToFsTypeMap[mountPoint], mountPointToMountArgsMap[mountPoint]) + err = addEntryToFstab(installRoot, mountPoint, devicePath, mountPointToFsTypeMap[mountPoint], mountPointToMountArgsMap[mountPoint], !doPseudoFsMount) if err != nil { return } } } + + if hidepidEnabled { + err = addEntryToFstab(installRoot, "/proc", "proc", "proc", "rw,nosuid,nodev,noexec,relatime,hidepid=2", doPseudoFsMount) + if err != nil { + return + } + } return } -func addEntryToFstab(installRoot, mountPoint, devicePath, fsType, mountArgs string) (err error) { +func addEntryToFstab(installRoot, mountPoint, devicePath, fsType, mountArgs string, doPseudoFsMount bool) (err error) { const ( uuidPrefix = "UUID=" fstabPath = "/etc/fstab" @@ -803,9 +814,7 @@ func addEntryToFstab(installRoot, mountPoint, devicePath, fsType, mountArgs stri // Get the block device var device string - if diskutils.IsEncryptedDevice(devicePath) { - device = devicePath - } else if diskutils.IsReadOnlyDevice(devicePath) { + if diskutils.IsEncryptedDevice(devicePath) || diskutils.IsReadOnlyDevice(devicePath) || doPseudoFsMount { device = devicePath } else { uuid, err := GetUUID(devicePath) 
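Review bot: Mounting `/proc` with `hidepid=2` is a sound hardening default, but the option string on the new `addEntryToFstab(installRoot, "/proc", "proc", "proc", ...)` call is a hard-coded literal with no `gid=` exemption; per proc(5), `hidepid=2` hides every other user's processes from any unprivileged process, and unprivileged daemons that must enumerate other users' processes (systemd-logind and polkit are the commonly reported casualties) may misbehave on the produced image unless they are exempted with `gid=<group>` and placed in that group. Either make the `/proc` mount options, or at least the exempt group, part of the image configuration rather than a string literal, or document the caveat on the config field so an image author knows when to set `HidepidDisabled`. A style nit on the same hunk: passing `!doPseudoFsMount` for the regular disk entries is a double negative on a constant that is always `true`; a second constant such as `isBlockDevice = false` alongside `doPseudoFsMount = true`, or a plain `false` with a short comment, reads more directly.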
@@ -821,6 +830,8 @@ func addEntryToFstab(installRoot, mountPoint, devicePath, fsType, mountArgs stri pass := defaultPass if mountPoint == rootfsMountPoint { pass = rootPass + } else if doPseudoFsMount { + pass = disablePass } // Construct fstab entry and append to fstab file diff --git a/toolkit/tools/imager/imager.go b/toolkit/tools/imager/imager.go index 6fee2a80ca9..b476fe703db 100644 --- a/toolkit/tools/imager/imager.go +++ b/toolkit/tools/imager/imager.go @@ -481,6 +481,9 @@ func buildImage(mountPointMap, mountPointToFsTypeMap, mountPointToMountArgsMap m setupChrootPackages = append(setupChrootPackages, toolingPackage.Name) } + logger.Log.Infof("HidepidDisabled is %v.", systemConfig.HidepidDisabled) + hidepidEnabled := !systemConfig.HidepidDisabled + if systemConfig.ReadOnlyVerityRoot.Enable { // We will need the veritysetup package (and its dependencies) to manage the verity disk, add them to our // image setup environment (setuproot chroot or live installer). @@ -508,7 +511,7 @@ func buildImage(mountPointMap, mountPointToFsTypeMap, mountPointToMountArgsMap m defer installChroot.Close(leaveChrootOnDisk) // Populate image contents - err = installutils.PopulateInstallRoot(installChroot, packagesToInstall, systemConfig, installMap, mountPointToFsTypeMap, mountPointToMountArgsMap, isRootFS, encryptedRoot, diffDiskBuild) + err = installutils.PopulateInstallRoot(installChroot, packagesToInstall, systemConfig, installMap, mountPointToFsTypeMap, mountPointToMountArgsMap, isRootFS, encryptedRoot, diffDiskBuild, hidepidEnabled) if err != nil { err = fmt.Errorf("failed to populate image contents: %s", err) return diff --git a/toolkit/tools/pkggen/worker/create_worker_chroot.sh b/toolkit/tools/pkggen/worker/create_worker_chroot.sh index b8da51f6f99..d005ec32bbe 100755 --- a/toolkit/tools/pkggen/worker/create_worker_chroot.sh +++ b/toolkit/tools/pkggen/worker/create_worker_chroot.sh 
@@ -50,7 +50,7 @@ mkdir -p "$log_path" ORIGINAL_HOME=$HOME HOME=/root -while read -r package; do +while read -r package || [ -n "$package" ]; do install_one_toolchain_rpm "$package" done < "$packages"