I'm still having some trouble with the offsetof() definition, so just
nerf it to what stddef.h would say anyway.
Signed-off-by: Peter Jones <pjones@redhat.com>
Disable DES completely since it's already old and insecure.
This makes MokManager not support the DES based password hash but
probably no one is using it.
Signed-off-by: Gary Lin <glin@suse.com>
- Declare some functions in the proper headers
+ We missed them for a long time...
- Cast offsetof to UINTN
+ The original casting triggers the gcc warning since int can not
present the offset for the 64bit machines.
- Cast the "char" array to "CHAR8 *" to avoid the gcc warnings
- Implement atoi correctly
Signed-off-by: Gary Lin <glin@suse.com>
strcmp() and strcasecmp() are widely used in openssl. Implement those
two functions to eliminate the gcc warnings and the potential crash.
Signed-off-by: Gary Lin <glin@suse.com>
The changes in the openssl headers cause the inclusion of
CrtLibSupport.h eariler than the inclusion of stddef.h, so "offsetof"
was defined twice and this caused the followling build error:
In file included from Cryptlib/Include/openssl/buffer.h:23:0,
from Cryptlib/Include/openssl/x509.h:22,
from shim.c:56:
/usr/lib64/gcc/x86_64-suse-linux/6/include/stddef.h:417:0: error: "offsetof" redefined [-Werror]
#define offsetof(TYPE, MEMBER) __builtin_offsetof (TYPE, MEMBER)
In file included from Cryptlib/Include/limits.h:15:0,
from Cryptlib/Include/openssl/ossl_typ.h:13,
from Cryptlib/Include/openssl/x509.h:20,
from shim.c:56:
Cryptlib/Include/CrtLibSupport.h:192:0: note: this is the location of the previous definition
#define offsetof(type, member) ( (int) & ((type*)0) -> member )
We can lower the priority of the gcc include path or just remove the
path, but this might cause problem since the path was introduced on
purpose(*). Instead, including stddef.h first is more feasible.
(*) d51739a416
Signed-off-by: Gary Lin <glin@suse.com>
OpenSSL changes quite a bit of the key validation, and most of the keys
I can find in the wild aren't marked as trusted by the new checker.
Intel noticed this too: https://github.com/vathpela/edk2/commit/f536d7c3ed
but instead of fixing the compatibility error, they switched their test
data to match the bug.
So that's pretty broken.
For now, I'm reverting OpenSSL 1.1.0e, because we need those certs in
the wild to work.
This reverts commit 513cbe2aea.
This reverts commit e9cc33d6f2.
This reverts commit 80d49f758e.
This reverts commit 9bc647e2b2.
This reverts commit ae75df6232.
This reverts commit e883479f35.
This reverts commit 97469449fd.
This reverts commit e39692647f.
This reverts commit 0f3dfc01e2.
This reverts commit 4da6ac8195.
This reverts commit d064bd7eef.
This reverts commit 9bc86cfd6f.
This reverts commit ab9a05a10f.
Signed-off-by: Peter Jones <pjones@redhat.com>
Rather than looping once through the possible actions (MokNew, MokDel, etc.),
revise the logic so that instead of rebooting immediately we get back to the
main menu setting a flag to replace "Continue booting" with a proper reboot.
Getting back to the menu means we can go make other changes before rebooting.
For instance, you might want to enable validation, but beforehand you also
need to enroll a MOK. You can already do so from userland; except the requests
were cleared as soon as one of them was processed.
This involves some extra cleanup of the states to avoid running the same
request more than once, removing the option from the menu once it's done, and
changing prompting functions to return an EFI_STATUS so we can better track
whether the process has succeeded.
Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>
If the boot option recorded in csv is not in a media device path, the
corresponding full device path will be referred for creating the boot
variable.
However, the current code logic always frees the full device path
(full_device_path) and the media device path (dp) separately. In order
to resolve this issue, always check whether dp equals to full_device_path
before freeing dp.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
