In insecure mode, don't abort if we can't create the MokListXRT var

Upstream issue rhboot#372. Closes: #989962, #990158
endlessm · Jun 22, 2021 · ec8a172 · ec8a172
1 parent 9ace660
commit ec8a172
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 0 deletions.
diff --git a/debian/changelog b/debian/changelog
@@ -2,6 +2,8 @@ shim (15.4-6) UNRELEASED; urgency=high
 
   * Add arm64 patch to tweak section layout and stop crashing
     problems. Upstream issue #371. Closes: #990082, #990190
+  * In insecure mode, don't abort if we can't create the MokListXRT
+    variable. Upstream issue #372. Closes: #989962, #990158
 
  -- Steve McIntyre <[email protected]>  Tue, 22 Jun 2021 22:16:54 +0100
 

diff --git a/debian/patches/relax_check_for_import_mok_state.patch b/debian/patches/relax_check_for_import_mok_state.patch
@@ -0,0 +1,53 @@
+From: Gary Lin <[email protected]>
+Date: Tue, 11 May 2021 10:41:43 +0800
+Subject: Relax the check for import_mok_state()
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+An openSUSE user reported(*) that shim 15.4 failed to boot the system
+with the following message:
+
+  "Could not create MokListXRT: Out of Resources"
+
+In the beginning, I thought it's caused by the growing size of
+vendor-dbx. However, we found the following messages after set
+SHIM_VERBOSE:
+
+  max_var_sz:8000 remaining_sz:85EC max_storage_sz:9000
+  SetVariable(“MokListXRT”, ... varsz=0x1404) = Out of Resources
+
+Even though the firmware claimed the remaining storage size is 0x85EC
+and the maximum variable size is 0x8000, it still rejected MokListXRT
+with size 0x1404. It seems that the return values from QueryVariableInfo()
+are not reliable. Since this firmware didn't really support Secure Boot,
+the variable mirroring is not so critical, so we can just accept the
+failure of import_mok_state() and continue boot.
+
+(*) https://bugzilla.suse.com/show_bug.cgi?id=1185261
+
+Signed-off-by: Gary Lin <[email protected]>
+---
+ shim.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/shim.c b/shim.c
+index c5cfbb8..40e4894 100644
+--- a/shim.c
++++ b/shim.c
+@@ -1973,10 +1973,13 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
+ 	 * boot-services-only state variables are what we think they are.
+ 	 */
+ 	efi_status = import_mok_state(image_handle);
+-	if (!secure_mode() && efi_status == EFI_INVALID_PARAMETER) {
++	if (!secure_mode() &&
++	    (efi_status == EFI_INVALID_PARAMETER ||
++	     efi_status == EFI_OUT_OF_RESOURCES)) {
+ 		/*
+ 		 * Make copy failures fatal only if secure_mode is enabled, or
+-		 * the error was anything else than EFI_INVALID_PARAMETER.
++		 * the error was anything else than EFI_INVALID_PARAMETER or
++		 * EFI_OUT_OF_RESOURCES.
+ 		 * There are non-secureboot firmware implementations that don't
+ 		 * reserve enough EFI variable memory to fit the variable.
+ 		 */
diff --git a/debian/patches/series b/debian/patches/series
@@ -2,4 +2,5 @@ fix-import_one_mok_state.patch
 fix-broken-ia32-reloc.patch
 MOK-BootServicesData.patch
 Don-t-call-QueryVariableInfo-on-EFI-1.10-machines.patch
+relax_check_for_import_mok_state.patch
 fix_arm64_rela_sections.patch