diff --git a/0001-aarch64-Keep-_relocate-from-being-dirtied-by-_reloca.patch b/0001-aarch64-Keep-_relocate-from-being-dirtied-by-_reloca.patch deleted file mode 100644 index c6efb63..0000000 --- a/0001-aarch64-Keep-_relocate-from-being-dirtied-by-_reloca.patch +++ /dev/null @@ -1,105 +0,0 @@ -From de8c3582d2eb280bf6b358349e04a959b945f1a5 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Fri, 1 Jul 2022 15:52:51 -0400 -Subject: [PATCH] aarch64: Keep _relocate() from being dirtied by _relocate() - -[Patch is a gnu-efi patch we apply to the bundled copy.] - -This could all be wrong, but the fix seems to work. Here's my theory of -what's going on. We have a bug report that says: - - No EFI system partition - Booting /efi\boot\bootaa64.efi - No EFI system partition - Failed to persist EFI variables - "Synchronous Abort" handler, esr 0x02000000 - elr: fffffffffeb48a28 lr : fffffffffeb3f024 (reloc) - elr: 000000003ca1aa28 lr : 000000003ca11024 - x0 : 000000003ca0d000 x1 : 000000003ca22018 - x2 : 000000003ca22000 x3 : 0000000000000018 - x4 : 0000000000001488 x5 : 0000000000000000 - x6 : 0000000000001000 x7 : 0000000000000000 - x8 : 0000000000000007 x9 : 0000000000003ca0 - x10: 000000003ca3e040 x11: 00000000b0b87665 - x12: 000000007c70ea25 x13: 000000005a827999 - x14: 000000006ed9eba1 x15: 000000008f1bbcdc - x16: 000000003df97394 x17: 00000000b7ce40b7 - x18: 0000000000000011 x19: 000000003caeb000 - x20: 0000000000000000 x21: 000000003dc1ba50 - x22: 000000003caff2f8 x23: 0000000000000001 - x24: 000000003caff000 x25: 000000003caff3c0 - x26: 000000003caff3c8 x27: 000000003caff3d0 - x28: 000000003caff3d8 x29: 000000003db3e600 - - Code: 8b000021 f82068a1 8b030042 cb030084 (f100009f) - UEFI image [0x000000003ca0d000:0x000000003ca24fff] pc=0xda28 '/efi\boot\fbaa64.efi' - Resetting CPU ... - - resetting ... - -When I disassemble it, "8b000021 f82068a1 8b030042 cb030084 (f100009f)" -at 0xda28 (aka 0x3ca1aa28 in our register dump above) is: - - da18: 8b000021 add x1, x1, x0 - da1c: f82068a1 str x1, [x5, x0] - da20: 8b030042 add x2, x2, x3 - da24: cb030084 sub x4, x4, x3 - da28: f100009f cmp x4, #0x0 - -Of course the Arm ARM says "cmp" cannot fault in this way, and %esr is -less than helpful, for reasons I don't understand. I believe what is -happening is this. Farther up in the file is the function -StatusToString(), as seen here: - - 000000000000d960 : - d960: d0000022 adrp x2, 13000 - d964: aa0103e3 mov x3, x1 - d968: 911f0042 add x2, x2, #0x7c0 - d96c: f9400441 ldr x1, [x2, #8] - d970: b5000081 cbnz x1, d980 - d974: b0000022 adrp x2, 12000 - d978: 91124842 add x2, x2, #0x492 - d97c: 17fffc32 b ca44 - d980: f8410444 ldr x4, [x2], #16 - d984: eb03009f cmp x4, x3 - d988: 54ffff21 b.ne d96c // b.any - d98c: 17fffe47 b d2a8 - -I believe when _relocate() gets to the relocations for 0xd960 the page -being processed is evicted from the i$ and moved into the d$, and then -when execution continues, the i$ raises an exception because it doesn't -have the page in question, and it can't stall execution to fill it, -because it's now owned (and dirty) in the other cache. - -There are a couple of ways to solve this, but I've taken the laziest -one: align the code in _relocate() to its own page boundary. This -partially works because our link order means this code is actually the -last function in .text, and so no relocations will ever land on this -page. - -Signed-off-by: Peter Jones -[rharwood@redhat.com: adapt to shim] -Signed-off-by: Robbie Harwood ---- - gnu-efi/gnuefi/reloc_aarch64.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/gnu-efi/gnuefi/reloc_aarch64.c b/gnu-efi/gnuefi/reloc_aarch64.c -index 086727961c2..0022abdaca7 100644 ---- a/gnu-efi/gnuefi/reloc_aarch64.c -+++ b/gnu-efi/gnuefi/reloc_aarch64.c -@@ -48,6 +48,11 @@ EFI_STATUS _relocate (long ldbase, Elf64_Dyn *dyn, - unsigned long *addr; - int i; - -+ /* -+ * We need this code to not be on the same page as any relocations. -+ */ -+ __asm__(".balign 4096\n"); -+ - for (i = 0; dyn[i].d_tag != DT_NULL; ++i) { - switch (dyn[i].d_tag) { - case DT_RELA: --- -2.35.1 - diff --git a/fedora-ca-20200709.cer b/fedora-ca-20200709.cer index b81707b..29b3ce3 100644 Binary files a/fedora-ca-20200709.cer and b/fedora-ca-20200709.cer differ diff --git a/rpminspect.yaml b/rpminspect.yaml new file mode 100644 index 0000000..26433b7 --- /dev/null +++ b/rpminspect.yaml @@ -0,0 +1,41 @@ +# rpminspect configuration + +--- +common: + workdir: /var/tmp/rpminspect + profiledir: /usr/share/rpminspect/profiles/fedora +koji: + hub: https://koji.fedoraproject.org/kojihub + download_ursine: https://kojipkgs.fedoraproject.org + download_mbs: https://kojipkgs.fedoraproject.org +commands: + msgunfmt: msgunfmt + desktop-file-validate: desktop-file-validate + abidiff: abidiff + kmidiff: kmidiff + annocheck: annocheck + udevadm: udevadm +vendor: + vendor_data_dir: /usr/share/rpminspect + licensedb: + - /usr/share/fedora-license-data/licenses/fedora-licenses.json + favor_release: newest +inspections: + abidiff: off + disttag: off + manpage: off + javabytecode: off +metadata: + # Required Vendor string. This is part of the RPM header and is + # the value expected in packages checked by rpminspect. + vendor: Fedora Project + + # Allowed build host subdomain. The RPM header contains information about + # where the package was built. rpminspect verifies the hostnames are in + # the expected subdomain listed below. + # + # This is an array of allowed subdomains. + buildhost_subdomain: + - .fedoraproject.org + - .bos.redhat.com + diff --git a/sbat.redhat.csv b/sbat.redhat.csv index 0c40529..cfcf013 100644 --- a/sbat.redhat.csv +++ b/sbat.redhat.csv @@ -1 +1,3 @@ -shim.rh,2,The Fedora Project,shim,15.6,https://src.fedoraproject.org/rpms/shim-unsigned-x64 +shim.rh,3,The Fedora Project,shim,15.8,https://src.fedoraproject.org/rpms/shim-unsigned-x64 +shim.redhat,3,The Fedora Project,shim,15.8,https://src.fedoraproject.org/rpms/shim-unsigned-x64 +shim.fedora,3,The Fedora Project,shim,15.8,https://src.fedoraproject.org/rpms/shim-unsigned-x64 diff --git a/shim-unsigned-aarch64.spec b/shim-unsigned-aarch64.spec index 4431c6f..ea8b737 100644 --- a/shim-unsigned-aarch64.spec +++ b/shim-unsigned-aarch64.spec @@ -21,8 +21,11 @@ %global __debug_install_post %{SOURCE100} %{efiarch} %undefine _debuginfo_subpackages +# currently here's what's in our dbx: nothing +%global dbxfile %{nil} + Name: shim-unsigned-aarch64 -Version: 15.6 +Version: 15.8 Release: 2 Summary: First-stage UEFI bootloader ExclusiveArch: aarch64 @@ -44,7 +47,7 @@ BuildRequires: gcc make BuildRequires: elfutils-libelf-devel BuildRequires: git openssl-devel openssl BuildRequires: pesign >= %{pesign_vre} -BuildRequires: dos2unix findutils +BuildRequires: dos2unix findutils # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not # compatible with SysV (there's no red zone under UEFI) and there isn't a @@ -87,17 +90,17 @@ mkdir build-%{efiarch} cp %{SOURCE3} data/ %build -COMMITID=$(cat commit) -MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} " +COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6 +MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} " MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " MAKEFLAGS+="ENABLE_SHIM_HASH=true " -MAKEFLAGS+="%{_smp_mflags}" +MAKEFLAGS+=" %{_smp_mflags} " if [ -f "%{SOURCE1}" ]; then - MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" + MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} " fi %if 0%{?dbxfile} if [ -f "%{SOURCE2}" ]; then - MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}" + MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} " fi %endif @@ -108,16 +111,16 @@ make ${MAKEFLAGS} \ cd .. %install -COMMITID=$(cat commit) -MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} " +COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6 +MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} " MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} " MAKEFLAGS+="ENABLE_SHIM_HASH=true " if [ -f "%{SOURCE1}" ]; then - MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}" + MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} " fi %if 0%{?dbxfile} if [ -f "%{SOURCE2}" ]; then - MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}" + MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} " fi %endif @@ -143,6 +146,19 @@ cd .. %files debugsource -f build-%{efiarch}/debugsource.list %changelog +* Thu Mar 07 2024 Peter Jones - 15.8-2 +- Update to shim-15.8 + Resolves: CVE-2023-40546 + Resolves: CVE-2023-40547 + Resolves: CVE-2023-40548 + Resolves: CVE-2023-40549 + Resolves: CVE-2023-40550 + Resolves: CVE-2023-40551 + Resolves: rhbz#2113005 + Resolves: rhbz#2189197 + Resolves: rhbz#2238884 + Resolves: rhbz#2259264 + * Thu Jul 07 2022 Robbie Harwood - 15.6-2 - Add pjones's aarch64 relocation fix - Resolves: #2101248 diff --git a/shim.patches b/shim.patches index 6eb41ae..e69de29 100644 --- a/shim.patches +++ b/shim.patches @@ -1 +0,0 @@ -Patch0001: 0001-aarch64-Keep-_relocate-from-being-dirtied-by-_reloca.patch diff --git a/sources b/sources index bcb0302..5428b75 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (shim-15.6.tar.bz2) = ddc5d5234851d05ed7124ad748ad3fee2df8a335493948a045653322c873f3f055d34894aeb2ac7495086984ca62183907d341e46e6bdf108856e39c646455fc +SHA512 (shim-15.8.tar.bz2) = 30b3390ae935121ea6fe728d8f59d37ded7b918ad81bea06e213464298b4bdabbca881b30817965bd397facc596db1ad0b8462a84c87896ce6c1204b19371cd1