Add an rpminspect.yaml

Signed-off-by: Peter Jones <pjones@redhat.com>
Update to shim-15.8
2024-03-19 15:43:19 -04:00 · 2024-03-07 17:23:33 -05:00
7 changed files with 72 additions and 119 deletions
--- a/0001-aarch64-Keep-_relocate-from-being-dirtied-by-_reloca.patch
+++ b/0001-aarch64-Keep-_relocate-from-being-dirtied-by-_reloca.patch
@ -1,105 +0,0 @@
-From de8c3582d2eb280bf6b358349e04a959b945f1a5 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Fri, 1 Jul 2022 15:52:51 -0400
-Subject: [PATCH] aarch64: Keep _relocate() from being dirtied by _relocate()
-
-[Patch is a gnu-efi patch we apply to the bundled copy.]
-
-This could all be wrong, but the fix seems to work.  Here's my theory of
-what's going on.  We have a bug report that says:
-
-    No EFI system partition
-    Booting /efi\boot\bootaa64.efi
-    No EFI system partition
-    Failed to persist EFI variables
-    "Synchronous Abort" handler, esr 0x02000000
-    elr: fffffffffeb48a28 lr : fffffffffeb3f024 (reloc)
-    elr: 000000003ca1aa28 lr : 000000003ca11024
-    x0 : 000000003ca0d000 x1 : 000000003ca22018
-    x2 : 000000003ca22000 x3 : 0000000000000018
-    x4 : 0000000000001488 x5 : 0000000000000000
-    x6 : 0000000000001000 x7 : 0000000000000000
-    x8 : 0000000000000007 x9 : 0000000000003ca0
-    x10: 000000003ca3e040 x11: 00000000b0b87665
-    x12: 000000007c70ea25 x13: 000000005a827999
-    x14: 000000006ed9eba1 x15: 000000008f1bbcdc
-    x16: 000000003df97394 x17: 00000000b7ce40b7
-    x18: 0000000000000011 x19: 000000003caeb000
-    x20: 0000000000000000 x21: 000000003dc1ba50
-    x22: 000000003caff2f8 x23: 0000000000000001
-    x24: 000000003caff000 x25: 000000003caff3c0
-    x26: 000000003caff3c8 x27: 000000003caff3d0
-    x28: 000000003caff3d8 x29: 000000003db3e600
-
-    Code: 8b000021 f82068a1 8b030042 cb030084 (f100009f)
-    UEFI image [0x000000003ca0d000:0x000000003ca24fff] pc=0xda28 '/efi\boot\fbaa64.efi'
-    Resetting CPU ...
-
-    resetting ...
-
-When I disassemble it, "8b000021 f82068a1 8b030042 cb030084 (f100009f)"
-at 0xda28 (aka 0x3ca1aa28 in our register dump above) is:
-
-    da18:       8b000021        add     x1, x1, x0
-    da1c:       f82068a1        str     x1, [x5, x0]
-    da20:       8b030042        add     x2, x2, x3
-    da24:       cb030084        sub     x4, x4, x3
-    da28:       f100009f        cmp     x4, #0x0
-
-Of course the Arm ARM says "cmp" cannot fault in this way, and %esr is
-less than helpful, for reasons I don't understand.  I believe what is
-happening is this.  Farther up in the file is the function
-StatusToString(), as seen here:
-
-  000000000000d960 <StatusToString>:
-    d960:       d0000022        adrp    x2, 13000 <gEfiGraphicsOutputProtocolGuid+0x8>
-    d964:       aa0103e3        mov     x3, x1
-    d968:       911f0042        add     x2, x2, #0x7c0
-    d96c:       f9400441        ldr     x1, [x2, #8]
-    d970:       b5000081        cbnz    x1, d980 <StatusToString+0x20>
-    d974:       b0000022        adrp    x2, 12000 <CSWTCH.43+0x516>
-    d978:       91124842        add     x2, x2, #0x492
-    d97c:       17fffc32        b       ca44 <SPrint>
-    d980:       f8410444        ldr     x4, [x2], #16
-    d984:       eb03009f        cmp     x4, x3
-    d988:       54ffff21        b.ne    d96c <StatusToString+0xc>  // b.any
-    d98c:       17fffe47        b       d2a8 <StrCpy>
-
-I believe when _relocate() gets to the relocations for 0xd960 the page
-being processed is evicted from the i$ and moved into the d$, and then
-when execution continues, the i$ raises an exception because it doesn't
-have the page in question, and it can't stall execution to fill it,
-because it's now owned (and dirty) in the other cache.
-
-There are a couple of ways to solve this, but I've taken the laziest
-one: align the code in _relocate() to its own page boundary.  This
-partially works because our link order means this code is actually the
-last function in .text, and so no relocations will ever land on this
-page.
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
-[rharwood@redhat.com: adapt to shim]
-Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
- gnu-efi/gnuefi/reloc_aarch64.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/gnu-efi/gnuefi/reloc_aarch64.c b/gnu-efi/gnuefi/reloc_aarch64.c
-index 086727961c2..0022abdaca7 100644
--- a/gnu-efi/gnuefi/reloc_aarch64.c
-+++ b/gnu-efi/gnuefi/reloc_aarch64.c
-@@ -48,6 +48,11 @@ EFI_STATUS _relocate (long ldbase, Elf64_Dyn *dyn,
- 	unsigned long *addr;
- 	int i;
- 
-+	/*
-+	 * We need this code to not be on the same page as any relocations.
-+	 */
-+	__asm__(".balign 4096\n");
-+
- 	for (i = 0; dyn[i].d_tag != DT_NULL; ++i) {
- 		switch (dyn[i].d_tag) {
- 			case DT_RELA:
-- 
-2.35.1
-
--- a/fedora-ca-20200709.cer
+++ b/fedora-ca-20200709.cer
--- a/rpminspect.yaml
+++ b/rpminspect.yaml
@ -0,0 +1,41 @@
+# rpminspect configuration
+
+---
+common:
+    workdir: /var/tmp/rpminspect
+    profiledir: /usr/share/rpminspect/profiles/fedora
+koji:
+    hub: https://koji.fedoraproject.org/kojihub
+    download_ursine: https://kojipkgs.fedoraproject.org
+    download_mbs: https://kojipkgs.fedoraproject.org
+commands:
+    msgunfmt: msgunfmt
+    desktop-file-validate: desktop-file-validate
+    abidiff: abidiff
+    kmidiff: kmidiff
+    annocheck: annocheck
+    udevadm: udevadm
+vendor:
+    vendor_data_dir: /usr/share/rpminspect
+    licensedb:
+        - /usr/share/fedora-license-data/licenses/fedora-licenses.json
+    favor_release: newest
+inspections:
+    abidiff: off
+    disttag: off
+    manpage: off
+    javabytecode: off
+metadata:
+    # Required Vendor string.  This is part of the RPM header and is
+    # the value expected in packages checked by rpminspect.
+    vendor: Fedora Project
+
+    # Allowed build host subdomain.  The RPM header contains information about
+    # where the package was built.  rpminspect verifies the hostnames are in
+    # the expected subdomain listed below.
+    #
+    # This is an array of allowed subdomains.
+    buildhost_subdomain:
+        - .fedoraproject.org
+        - .bos.redhat.com
+
--- a/sbat.redhat.csv
+++ b/sbat.redhat.csv
@ -1 +1,3 @@
-shim.rh,2,The Fedora Project,shim,15.6,https://src.fedoraproject.org/rpms/shim-unsigned-x64
+shim.rh,3,The Fedora Project,shim,15.8,https://src.fedoraproject.org/rpms/shim-unsigned-x64
+shim.redhat,3,The Fedora Project,shim,15.8,https://src.fedoraproject.org/rpms/shim-unsigned-x64
+shim.fedora,3,The Fedora Project,shim,15.8,https://src.fedoraproject.org/rpms/shim-unsigned-x64
--- a/shim-unsigned-aarch64.spec
+++ b/shim-unsigned-aarch64.spec
@ -21,8 +21,11 @@
 %global __debug_install_post %{SOURCE100} %{efiarch}
 %undefine _debuginfo_subpackages

+# currently here's what's in our dbx: nothing
+%global dbxfile %{nil}
+
 Name:		shim-unsigned-aarch64
-Version:	15.6
+Version:	15.8
 Release:	2
 Summary:	First-stage UEFI bootloader
 ExclusiveArch:	aarch64
@ -44,7 +47,7 @@ BuildRequires:	gcc make
 BuildRequires:	elfutils-libelf-devel
 BuildRequires:	git openssl-devel openssl
 BuildRequires:	pesign >= %{pesign_vre}
-BuildRequires: dos2unix findutils
+BuildRequires:	dos2unix findutils

 # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
 # compatible with SysV (there's no red zone under UEFI) and there isn't a
@ -87,17 +90,17 @@ mkdir build-%{efiarch}
 cp %{SOURCE3} data/

 %build
-COMMITID=$(cat commit)
-MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
+COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6
+MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
 MAKEFLAGS+="ENABLE_SHIM_HASH=true "
-MAKEFLAGS+="%{_smp_mflags}"
+MAKEFLAGS+=" %{_smp_mflags} "
 if [ -f "%{SOURCE1}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
+	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
 fi
 %if 0%{?dbxfile}
 if [ -f "%{SOURCE2}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
+	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} "
 fi
 %endif

@ -108,16 +111,16 @@ make ${MAKEFLAGS} \
 cd ..

 %install
-COMMITID=$(cat commit)
-MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
+COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6
+MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
 MAKEFLAGS+="ENABLE_SHIM_HASH=true "
 if [ -f "%{SOURCE1}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
+	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
 fi
 %if 0%{?dbxfile}
 if [ -f "%{SOURCE2}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
+	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} "
 fi
 %endif

@ -143,6 +146,19 @@ cd ..
 %files debugsource -f build-%{efiarch}/debugsource.list

 %changelog
+* Thu Mar 07 2024 Peter Jones <pjones@redhat.com> - 15.8-2
+- Update to shim-15.8
+  Resolves: CVE-2023-40546
+  Resolves: CVE-2023-40547
+  Resolves: CVE-2023-40548
+  Resolves: CVE-2023-40549
+  Resolves: CVE-2023-40550
+  Resolves: CVE-2023-40551
+  Resolves: rhbz#2113005
+  Resolves: rhbz#2189197
+  Resolves: rhbz#2238884
+  Resolves: rhbz#2259264
+
 * Thu Jul 07 2022 Robbie Harwood <rharwood@redhat.com> - 15.6-2
 - Add pjones's aarch64 relocation fix
 - Resolves: #2101248
--- a/shim.patches
+++ b/shim.patches
@ -1 +0,0 @@
-Patch0001: 0001-aarch64-Keep-_relocate-from-being-dirtied-by-_reloca.patch
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (shim-15.6.tar.bz2) = ddc5d5234851d05ed7124ad748ad3fee2df8a335493948a045653322c873f3f055d34894aeb2ac7495086984ca62183907d341e46e6bdf108856e39c646455fc
+SHA512 (shim-15.8.tar.bz2) = 30b3390ae935121ea6fe728d8f59d37ded7b918ad81bea06e213464298b4bdabbca881b30817965bd397facc596db1ad0b8462a84c87896ce6c1204b19371cd1
				`@ -1 +0,0 @@`
				`Patch0001: 0001-aarch64-Keep-_relocate-from-being-dirtied-by-_reloca.patch`