diff --git a/debian/changelog b/debian/changelog index 0415a15fa..ba1575eb0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +shim (15.8-1~deb12u1endless2) master; urgency=medium + + * Drop downstream fallback patches (T31604) + + -- Dan Nicholson Tue, 10 Sep 2024 09:01:50 -0600 + shim (15.8-1~deb12u1endless1) master; urgency=medium [ Dan Nicholson ] diff --git a/debian/patches/0003-Revert-fallback-work-around-the-issue-of-boot-option.patch b/debian/patches/0003-Revert-fallback-work-around-the-issue-of-boot-option.patch deleted file mode 100644 index 0f179fabc..000000000 --- a/debian/patches/0003-Revert-fallback-work-around-the-issue-of-boot-option.patch +++ /dev/null @@ -1,161 +0,0 @@ -From: =?utf-8?q?Jo=C3=A3o_Paulo_Rechi_Vita?= -Date: Mon, 5 Apr 2021 17:47:32 -0700 -Subject: Revert "fallback: work around the issue of boot option creation with - AMI BIOS" -MIME-Version: 1.0 -Content-Type: text/plain; charset="utf-8" -Content-Transfer-Encoding: 8bit - -This reverts commit 0cc030c2f2fba53b74fb09466a07b8e6297a52d3. - -If we consider two entries with the same label as duplicates (next -commit) we don't need to worry about AMI's masking of boot entries. - -Signed-off-by: João Paulo Rechi Vita ---- - fallback.c | 113 ++++--------------------------------------------------------- - 1 file changed, 6 insertions(+), 107 deletions(-) - -diff --git a/fallback.c b/fallback.c -index 600cc7a..67a22aa 100644 ---- a/fallback.c -+++ b/fallback.c -@@ -295,105 +295,6 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp, - return EFI_OUT_OF_RESOURCES; - } - --/* -- * AMI BIOS (e.g, Intel NUC5i3MYHE) may automatically hide and patch BootXXXX -- * variables with ami_masked_device_path_guid. We can get the valid device path -- * if just skipping it and its next end path. -- */ -- --static EFI_GUID ami_masked_device_path_guid = { -- 0x99e275e7, 0x75a0, 0x4b37, -- { 0xa2, 0xe6, 0xc5, 0x38, 0x5e, 0x6c, 0x0, 0xcb } --}; -- --static unsigned int --calc_masked_boot_option_size(unsigned int size) --{ -- return size + sizeof(EFI_DEVICE_PATH) + -- sizeof(ami_masked_device_path_guid) + sizeof(EFI_DEVICE_PATH); --} -- --static int --check_masked_boot_option(CHAR8 *candidate, unsigned int candidate_size, -- CHAR8 *data, unsigned int data_size) --{ -- /* -- * The patched BootXXXX variables contain a hardware device path and -- * an end path, preceding the real device path. -- */ -- if (calc_masked_boot_option_size(data_size) != candidate_size) -- return 1; -- -- CHAR8 *cursor = candidate; -- -- /* Check whether the BootXXXX is patched */ -- cursor += sizeof(UINT32) + sizeof(UINT16); -- cursor += StrSize((CHAR16 *)cursor); -- -- unsigned int min_valid_size = cursor - candidate + sizeof(EFI_DEVICE_PATH); -- -- if (candidate_size <= min_valid_size) -- return 1; -- -- EFI_DEVICE_PATH *dp = (EFI_DEVICE_PATH *)cursor; -- unsigned int node_size = DevicePathNodeLength(dp) - sizeof(EFI_DEVICE_PATH); -- -- min_valid_size += node_size; -- if (candidate_size <= min_valid_size || -- DevicePathType(dp) != HARDWARE_DEVICE_PATH || -- DevicePathSubType(dp) != HW_VENDOR_DP || -- node_size != sizeof(ami_masked_device_path_guid) || -- CompareGuid((EFI_GUID *)(cursor + sizeof(EFI_DEVICE_PATH)), -- &ami_masked_device_path_guid)) -- return 1; -- -- /* Check whether the patched guid is followed by an end path */ -- min_valid_size += sizeof(EFI_DEVICE_PATH); -- if (candidate_size <= min_valid_size) -- return 1; -- -- dp = NextDevicePathNode(dp); -- if (!IsDevicePathEnd(dp)) -- return 1; -- -- /* -- * OK. We may really get a masked BootXXXX variable. The next -- * step is to test whether it is hidden. -- */ -- UINT32 attrs = *(UINT32 *)candidate; --#ifndef LOAD_OPTION_HIDDEN --# define LOAD_OPTION_HIDDEN 0x00000008 --#endif -- if (!(attrs & LOAD_OPTION_HIDDEN)) -- return 1; -- -- attrs &= ~LOAD_OPTION_HIDDEN; -- -- /* Compare the field Attributes */ -- if (attrs != *(UINT32 *)data) -- return 1; -- -- /* Compare the field FilePathListLength */ -- data += sizeof(UINT32); -- candidate += sizeof(UINT32); -- if (calc_masked_boot_option_size(*(UINT16 *)data) != -- *(UINT16 *)candidate) -- return 1; -- -- /* Compare the field Description */ -- data += sizeof(UINT16); -- candidate += sizeof(UINT16); -- if (CompareMem(candidate, data, cursor - candidate)) -- return 1; -- -- /* Compare the filed FilePathList */ -- cursor = (CHAR8 *)NextDevicePathNode(dp); -- data += sizeof(UINT16); -- data += StrSize((CHAR16 *)data); -- -- return CompareMem(cursor, data, candidate_size - min_valid_size); --} -- - EFI_STATUS - find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp, - CHAR16 *filename, CHAR16 *label, CHAR16 *arguments, -@@ -425,8 +326,7 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp, - if (!varname) - return EFI_OUT_OF_RESOURCES; - -- UINTN max_candidate_size = calc_masked_boot_option_size(size); -- CHAR8 *candidate = AllocateZeroPool(max_candidate_size); -+ CHAR8 *candidate = AllocateZeroPool(size); - if (!candidate) { - FreePool(data); - return EFI_OUT_OF_RESOURCES; -@@ -466,17 +366,16 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp, - !isxdigit(varname[6]) || !isxdigit(varname[7])) - continue; - -- UINTN candidate_size = max_candidate_size; -+ UINTN candidate_size = size; - efi_status = RT->GetVariable(varname, &GV_GUID, NULL, - &candidate_size, candidate); - if (EFI_ERROR(efi_status)) - continue; - -- if (candidate_size != size) { -- if (check_masked_boot_option(candidate, candidate_size, -- data, size)) -- continue; -- } else if (CompareMem(candidate, data, size)) -+ if (candidate_size != size) -+ continue; -+ -+ if (CompareMem(candidate, data, size)) - continue; - - VerbosePrint(L"Found boot entry \"%s\" with label \"%s\" " diff --git a/debian/patches/0004-fallback-Clean-up-duplicate-boot-entries.patch b/debian/patches/0004-fallback-Clean-up-duplicate-boot-entries.patch deleted file mode 100644 index 6e757c5d3..000000000 --- a/debian/patches/0004-fallback-Clean-up-duplicate-boot-entries.patch +++ /dev/null @@ -1,237 +0,0 @@ -From: =?utf-8?q?Jo=C3=A3o_Paulo_Rechi_Vita?= -Date: Fri, 7 Dec 2018 16:14:49 -0800 -Subject: fallback: Clean-up duplicate boot entries -MIME-Version: 1.0 -Content-Type: text/plain; charset="utf-8" -Content-Transfer-Encoding: 8bit - -Consider all existing entries with the same label as the one we are -trying to create as duplicates. When a duplicate is detected, add it to -a remove list and later go over the remove list removing each boot entry -and its occurrence in BootOrder, and finally let the rest of the logic -work as if there was no boot entry. - -This change is needed for distributions that ship raw disk images -instead of having an installer program partition the disk (ex., Endless -OS) and generate a unique UUID for all partitions on first boot -(otherwise every installation of the same release would have the same -partition UUIDs). This setup relies on fallback to create a new boot -entry pointing to the new ESP UUID on the second boot. Without this -change, fallback will create a new boot entry with the same label -pointing a the file path in the new ESP UUID while keeping the old entry -that points at the non-existent UUID as a duplicate. While some firmware -implemetations will clean-up these invalid boot entries on the next -boot, other will just leave it around forever. - -However, this change breaks systems where it is desirable to have more -than one boot entry with the same label pointing at different file paths -for some reason (ex., two installations of the same OS on different -ESPs). I'm not sure if this is a practical real-world use-case. - -https://phabricator.endlessm.com/T14430 -https://phabricator.endlessm.com/T16731 - -Signed-off-by: João Paulo Rechi Vita ---- - fallback.c | 141 +++++++++++++++++++++++-------------------------------------- - 1 file changed, 52 insertions(+), 89 deletions(-) - -diff --git a/fallback.c b/fallback.c -index 67a22aa..0cebe84 100644 ---- a/fallback.c -+++ b/fallback.c -@@ -296,41 +296,25 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp, - } - - EFI_STATUS --find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp, -- CHAR16 *filename, CHAR16 *label, CHAR16 *arguments, -- UINT16 *optnum) -+remove_duplicates(EFI_DEVICE_PATH *dp, CHAR16 *label, CHAR16 *arguments) - { - unsigned int label_size = StrLen(label)*2 + 2; -- unsigned int size = sizeof(UINT32) + sizeof (UINT16) + -- label_size + DevicePathSize(dp) + -+ unsigned int header_size = sizeof(UINT32) + sizeof (UINT16); -+ unsigned int size = header_size + label_size + DevicePathSize(dp) + - StrLen(arguments) * 2; - -- CHAR8 *data = AllocateZeroPool(size + 2); -- if (!data) -- return EFI_OUT_OF_RESOURCES; -- CHAR8 *cursor = data; -- *(UINT32 *)cursor = LOAD_OPTION_ACTIVE; -- cursor += sizeof (UINT32); -- *(UINT16 *)cursor = DevicePathSize(dp); -- cursor += sizeof (UINT16); -- StrCpy((CHAR16 *)cursor, label); -- cursor += label_size; -- CopyMem(cursor, dp, DevicePathSize(dp)); -- cursor += DevicePathSize(dp); -- StrCpy((CHAR16 *)cursor, arguments); -- - EFI_STATUS efi_status; - EFI_GUID vendor_guid = NullGuid; -+ UINTN rmlist_len = 0; -+ CHAR16 **rmlist = NULL; - UINTN buffer_size = 256 * sizeof(CHAR16); - CHAR16 *varname = AllocateZeroPool(buffer_size); - if (!varname) - return EFI_OUT_OF_RESOURCES; - - CHAR8 *candidate = AllocateZeroPool(size); -- if (!candidate) { -- FreePool(data); -+ if (!candidate) - return EFI_OUT_OF_RESOURCES; -- } - - while (1) { - UINTN varname_size = buffer_size; -@@ -358,6 +342,7 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp, - - /* EFI_NOT_FOUND means we listed all variables */ - VerbosePrint(L"Checked all boot entries\n"); -+ efi_status = EFI_SUCCESS; - break; - } - -@@ -366,35 +351,62 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp, - !isxdigit(varname[6]) || !isxdigit(varname[7])) - continue; - -+ VerbosePrint(L"Checking %s\n", varname); -+ - UINTN candidate_size = size; - efi_status = RT->GetVariable(varname, &GV_GUID, NULL, - &candidate_size, candidate); - if (EFI_ERROR(efi_status)) - continue; - -- if (candidate_size != size) -+ /* Check that we won't overrun the buffer when comparing */ -+ if (candidate_size < header_size + label_size) - continue; - -- if (CompareMem(candidate, data, size)) -+ /* Check if the label matches the one we are looking for */ -+ CHAR8 *cursor = candidate + header_size; -+ VerbosePrint(L"%s: \"%s\"\n", varname, cursor); -+ if (CompareMem(cursor, label, label_size)) - continue; - -- VerbosePrint(L"Found boot entry \"%s\" with label \"%s\" " -- L"for file \"%s\"\n", varname, label, filename); -+ VerbosePrint(L"Found duplicate boot entry \"%s\" for \"%s\"\n", -+ varname, label); - -- /* at this point, we have duplicate data. */ -- if (!first_new_option) { -- first_new_option = DuplicateDevicePath(fulldp); -- first_new_option_args = StrDuplicate(arguments); -- first_new_option_size = StrLen(arguments) * sizeof (CHAR16); -- } -- -- *optnum = xtoi(varname + 4); -- FreePool(candidate); -- FreePool(data); -- return EFI_SUCCESS; -+ /* add duplicate entry to rmlist */ -+ rmlist = ReallocatePool(rmlist, rmlist_len * sizeof(CHAR16 *), -+ (rmlist_len+1) * sizeof(CHAR16 *)); -+ if (!rmlist) -+ return EFI_OUT_OF_RESOURCES; -+ rmlist[rmlist_len] = AllocateZeroPool(varname_size); -+ CopyMem(rmlist[rmlist_len], varname, varname_size); -+ rmlist_len++; - } -+ -+ /* remove all entries in rmlist */ -+ while (rmlist_len) { -+ rmlist_len--; -+ VerbosePrint(L"Removing \"%s\"\n", rmlist[rmlist_len]); -+ if (!EFI_ERROR(LibDeleteVariable(rmlist[rmlist_len], &GV_GUID))) { -+ int i, newnbootorder = 0; -+ int bootnum = xtoi(rmlist[rmlist_len] + 4); -+ -+ CHAR16 *newbootorder = NULL; -+ newbootorder = AllocateZeroPool(sizeof (CHAR16) * nbootorder); -+ if (!newbootorder) -+ return EFI_OUT_OF_RESOURCES; -+ -+ for (i = 0; i < nbootorder; i++) -+ if (bootorder[i] != bootnum) -+ newbootorder[newnbootorder++] = bootorder[i]; -+ -+ FreePool(bootorder); -+ bootorder = newbootorder; -+ nbootorder = newnbootorder; -+ } -+ FreePool(rmlist[rmlist_len]); -+ } -+ - FreePool(candidate); -- FreePool(data); - FreePool(varname); - return efi_status; - } -@@ -508,57 +520,8 @@ add_to_boot_list(CHAR16 *dirname, CHAR16 *filename, CHAR16 *label, CHAR16 *argum - FreePool(dps); - } - -- UINT16 option; -- efi_status = find_boot_option(dp, full_device_path, fullpath, label, -- arguments, &option); -- if (EFI_ERROR(efi_status)) { -- add_boot_option(dp, full_device_path, fullpath, label, -- arguments); -- goto done; -- } -- -- UINT16 bootnum; -- CHAR16 *newbootorder; -- /* Search for the option in the current bootorder */ -- for (bootnum = 0; bootnum < nbootorder; bootnum++) -- if (bootorder[bootnum] == option) -- break; -- if (bootnum == nbootorder) { -- /* Option not found, prepend option and copy the rest */ -- newbootorder = AllocateZeroPool(sizeof(CHAR16) -- * (nbootorder + 1)); -- if (!newbootorder) { -- efi_status = EFI_OUT_OF_RESOURCES; -- goto done; -- } -- newbootorder[0] = option; -- CopyMem(newbootorder + 1, bootorder, -- sizeof(CHAR16) * nbootorder); -- FreePool(bootorder); -- bootorder = newbootorder; -- nbootorder += 1; -- } else { -- /* Option found, put first and slice the rest */ -- newbootorder = AllocateZeroPool( -- sizeof(CHAR16) * nbootorder); -- if (!newbootorder) { -- efi_status = EFI_OUT_OF_RESOURCES; -- goto done; -- } -- newbootorder[0] = option; -- CopyMem(newbootorder + 1, bootorder, -- sizeof(CHAR16) * bootnum); -- CopyMem(newbootorder + 1 + bootnum, -- bootorder + bootnum + 1, -- sizeof(CHAR16) * (nbootorder - bootnum - 1)); -- FreePool(bootorder); -- bootorder = newbootorder; -- } -- VerbosePrint(L"New nbootorder: %d\nBootOrder: ", -- nbootorder); -- for (int i = 0 ; i < nbootorder ; i++) -- VerbosePrintUnprefixed(L"%04x ", bootorder[i]); -- VerbosePrintUnprefixed(L"\n"); -+ remove_duplicates(dp, label, arguments); -+ add_boot_option(dp, full_device_path, fullpath, label, arguments); - - done: - if (full_device_path) diff --git a/debian/patches/series b/debian/patches/series index 6f9fc99f1..01fd29872 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,4 +1,2 @@ 0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch 0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch -0003-Revert-fallback-work-around-the-issue-of-boot-option.patch -0004-fallback-Clean-up-duplicate-boot-entries.patch