Sisyphus repository
Last update: 1 october 2023 | SRPMs: 18631 | Visits: 37618254
en ru br
ALT Linux repos
S:15.7-alt3

Group :: System/Kernel and hardware
RPM: shim

 Main   Changelog   Spec   Patches   Sources   Download   Gear   Bugs and FR  Repocop 

Patch: shim-15.4-upstream-0007-Relax-the-check-for-import_mok_state.patch
Download

From 9f973e4e95b1136b8c98051dbbdb1773072cc998 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Tue, 11 May 2021 10:41:43 +0800
Subject: [PATCH 07/35] Relax the check for import_mok_state()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
An openSUSE user reported(*) that shim 15.4 failed to boot the system
with the following message:
  "Could not create MokListXRT: Out of Resources"
In the beginning, I thought it's caused by the growing size of
vendor-dbx. However, we found the following messages after set
SHIM_VERBOSE:
  max_var_sz:8000 remaining_sz:85EC max_storage_sz:9000
  SetVariable(“MokListXRT”, ... varsz=0x1404) = Out of Resources
Even though the firmware claimed the remaining storage size is 0x85EC
and the maximum variable size is 0x8000, it still rejected MokListXRT
with size 0x1404. It seems that the return values from QueryVariableInfo()
are not reliable. Since this firmware didn't really support Secure Boot,
the variable mirroring is not so critical, so we can just accept the
failure of import_mok_state() and continue boot.
(*) https://bugzilla.suse.com/show_bug.cgi?id=1185261
Signed-off-by: Gary Lin <glin@suse.com>
---
 shim.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/shim.c b/shim.c
index c5cfbb83..40e48948 100644
--- a/shim.c
+++ b/shim.c
@@ -1973,10 +1973,13 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab)
 	 * boot-services-only state variables are what we think they are.
 	 */
 	efi_status = import_mok_state(image_handle);
-	if (!secure_mode() && efi_status == EFI_INVALID_PARAMETER) {
+	if (!secure_mode() &&
+	    (efi_status == EFI_INVALID_PARAMETER ||
+	     efi_status == EFI_OUT_OF_RESOURCES)) {
 		/*
 		 * Make copy failures fatal only if secure_mode is enabled, or
-		 * the error was anything else than EFI_INVALID_PARAMETER.
+		 * the error was anything else than EFI_INVALID_PARAMETER or
+		 * EFI_OUT_OF_RESOURCES.
 		 * There are non-secureboot firmware implementations that don't
 		 * reserve enough EFI variable memory to fit the variable.
 		 */
-- 
2.32.0








 






	design & coding: Vladimir Lettiev aka crux © 2004-2005,
	Andrew Avramenko aka liks © 2007-2008

	current maintainer: Michael Shigorin