From ec8a172b6fdef6e9d0a73591dcd928c781752a19 Mon Sep 17 00:00:00 2001 From: Steve McIntyre Date: Tue, 22 Jun 2021 22:19:08 +0100 Subject: [PATCH] In insecure mode, don't abort if we can't create the MokListXRT var Upstream issue #372. Closes: #989962, #990158 --- debian/changelog | 2 + .../relax_check_for_import_mok_state.patch | 53 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 56 insertions(+) create mode 100644 debian/patches/relax_check_for_import_mok_state.patch diff --git a/debian/changelog b/debian/changelog index d727cc748..2284fd070 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,6 +2,8 @@ shim (15.4-6) UNRELEASED; urgency=high * Add arm64 patch to tweak section layout and stop crashing problems. Upstream issue #371. Closes: #990082, #990190 + * In insecure mode, don't abort if we can't create the MokListXRT + variable. Upstream issue #372. Closes: #989962, #990158 -- Steve McIntyre <93sam@debian.org> Tue, 22 Jun 2021 22:16:54 +0100 diff --git a/debian/patches/relax_check_for_import_mok_state.patch b/debian/patches/relax_check_for_import_mok_state.patch new file mode 100644 index 000000000..09f00a1cb --- /dev/null +++ b/debian/patches/relax_check_for_import_mok_state.patch @@ -0,0 +1,53 @@ +From: Gary Lin +Date: Tue, 11 May 2021 10:41:43 +0800 +Subject: Relax the check for import_mok_state() +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +An openSUSE user reported(*) that shim 15.4 failed to boot the system +with the following message: + + "Could not create MokListXRT: Out of Resources" + +In the beginning, I thought it's caused by the growing size of +vendor-dbx. However, we found the following messages after set +SHIM_VERBOSE: + + max_var_sz:8000 remaining_sz:85EC max_storage_sz:9000 + SetVariable(“MokListXRT”, ... varsz=0x1404) = Out of Resources + +Even though the firmware claimed the remaining storage size is 0x85EC +and the maximum variable size is 0x8000, it still rejected MokListXRT +with size 0x1404. It seems that the return values from QueryVariableInfo() +are not reliable. Since this firmware didn't really support Secure Boot, +the variable mirroring is not so critical, so we can just accept the +failure of import_mok_state() and continue boot. + +(*) https://bugzilla.suse.com/show_bug.cgi?id=1185261 + +Signed-off-by: Gary Lin +--- + shim.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/shim.c b/shim.c +index c5cfbb8..40e4894 100644 +--- a/shim.c ++++ b/shim.c +@@ -1973,10 +1973,13 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab) + * boot-services-only state variables are what we think they are. + */ + efi_status = import_mok_state(image_handle); +- if (!secure_mode() && efi_status == EFI_INVALID_PARAMETER) { ++ if (!secure_mode() && ++ (efi_status == EFI_INVALID_PARAMETER || ++ efi_status == EFI_OUT_OF_RESOURCES)) { + /* + * Make copy failures fatal only if secure_mode is enabled, or +- * the error was anything else than EFI_INVALID_PARAMETER. ++ * the error was anything else than EFI_INVALID_PARAMETER or ++ * EFI_OUT_OF_RESOURCES. + * There are non-secureboot firmware implementations that don't + * reserve enough EFI variable memory to fit the variable. + */ diff --git a/debian/patches/series b/debian/patches/series index eecb8c2ac..dff99bc76 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -2,4 +2,5 @@ fix-import_one_mok_state.patch fix-broken-ia32-reloc.patch MOK-BootServicesData.patch Don-t-call-QueryVariableInfo-on-EFI-1.10-machines.patch +relax_check_for_import_mok_state.patch fix_arm64_rela_sections.patch