1877995 quickfixes
From 700abbf35b5848fea0364778145d9b70c6d9aa95 Mon Sep 17 00:00:00 2001
From: Luca BRUNO <luca.bruno@coreos.com>
Date: Thu, 17 Sep 2020 16:09:51 +0000
Subject: [PATCH] vendor/vmw_backdoor: quickfix to skip performing iopl
This is a quickfix to avoid performing an `iopl`, which is blocked by
kernel_lockdown under SecureBoot.
Refs:
* https://bugzilla.redhat.com/show_bug.cgi?id=1877995
* https://github.com/lucab/vmw_backdoor-rs/issues/6
* https://github.com/coreos/ignition/issues/1092
---
vendor/vmw_backdoor/.cargo-checksum.json | 2 +-
vendor/vmw_backdoor/src/backdoor.rs | 5 ++++-
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/vendor/vmw_backdoor/.cargo-checksum.json b/vendor/vmw_backdoor/.cargo-checksum.json
index 8ad2ae7..8b84aa7 100644
--- a/vendor/vmw_backdoor/.cargo-checksum.json
+++ b/vendor/vmw_backdoor/.cargo-checksum.json
@@ -1 +1 @@
-{"files":{"COPYRIGHT":"2ff7da7108334444f5766cd065d0ee5b12fa7f6c1633446b53eb3ef4dbab65ae","Cargo.lock":"3dd6e01ab9290fb30a8d5dfd1920aca0e8d1a472b250d49cca68657c76526753","Cargo.toml":"bbee31b1bd137783ee5d2b7407cc13cc597053e487521b9ad3fbde67cf1d461f","LICENSE-APACHE-2.0":"cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30","LICENSE-MIT":"cb5aedb296c5246d1f22e9099f925a65146f9f0d6b4eebba97fd27a6cdbbab2d","README.md":"3515627e9358d043127d1657b090b10786c21225cfec90b66b55df0768384ee7","build.rs":"e1602b93c1979c11cf8b44452639ba0851c7f1d4550c9c583bbcaec223443608","examples/check-backdoor.rs":"5c350a3fdf4d600c9a806261a6a15c3349dc665fc9c93cf6e0971217b95a69c0","examples/get-guestinfo.rs":"adf5ee55ee617dad41d5892de11f92020468e5ccf29bbe8a770d629fbbaf5b51","examples/log.rs":"a6633e1f920680a1ca83fb7b09fca5db4734e41ac85e0f1b05edf89c3d6fad83","examples/report-agent.rs":"293f0144b302bdc3ab59b387bc9ab8ba3858dd1a068b8fd1636f3adaac8c5037","src/asm/mod.rs":"e0c313723042b3564a13e5f2e7c274b587a85b56c58cba99073012aa68ddb12b","src/asm/x86_64-linux.s":"01635098b699002f9f6f8a952cfbdaf13f91f7583a3ae79f298c45e9b4683f5e","src/backdoor.rs":"a714c7c6706cde95bba50bf36cd257763352e3be55895976b859105c7be06690","src/erpc.rs":"324c72a15b4a50c5320c0bf6fb9e6d41dc2083fdb8a440cfc50e663e9fe6ad2d","src/error.rs":"cb3fd4763b60db8cbeda4c9abc0754a947258da5e5ed8d72fddc6b63d6c179ab","src/lib.rs":"35e1400c2b2d6e0e695ee15327a6f2057cd9e57623a514a0912fabcd35f6290c","src/low_bw.rs":"77e8586255483a5305aaaa12d325e586e890f78bc07647d5fce744dc7b2dd78a"},"package":"62a285ffd5ddbf0d4fb5f5d581498b4340678ca82d41da2e3678600591c0583e"}
\ No newline at end of file
+{"files":{"COPYRIGHT":"2ff7da7108334444f5766cd065d0ee5b12fa7f6c1633446b53eb3ef4dbab65ae","Cargo.lock":"3dd6e01ab9290fb30a8d5dfd1920aca0e8d1a472b250d49cca68657c76526753","Cargo.toml":"bbee31b1bd137783ee5d2b7407cc13cc597053e487521b9ad3fbde67cf1d461f","LICENSE-APACHE-2.0":"cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30","LICENSE-MIT":"cb5aedb296c5246d1f22e9099f925a65146f9f0d6b4eebba97fd27a6cdbbab2d","README.md":"3515627e9358d043127d1657b090b10786c21225cfec90b66b55df0768384ee7","build.rs":"e1602b93c1979c11cf8b44452639ba0851c7f1d4550c9c583bbcaec223443608","examples/check-backdoor.rs":"5c350a3fdf4d600c9a806261a6a15c3349dc665fc9c93cf6e0971217b95a69c0","examples/get-guestinfo.rs":"adf5ee55ee617dad41d5892de11f92020468e5ccf29bbe8a770d629fbbaf5b51","examples/log.rs":"a6633e1f920680a1ca83fb7b09fca5db4734e41ac85e0f1b05edf89c3d6fad83","examples/report-agent.rs":"293f0144b302bdc3ab59b387bc9ab8ba3858dd1a068b8fd1636f3adaac8c5037","src/asm/mod.rs":"e0c313723042b3564a13e5f2e7c274b587a85b56c58cba99073012aa68ddb12b","src/asm/x86_64-linux.s":"01635098b699002f9f6f8a952cfbdaf13f91f7583a3ae79f298c45e9b4683f5e","src/backdoor.rs":"84095ad3a42418d4ca18b38c7240ed9dfc2cf2b86fb80cfcd6ebe6f4220aec85","src/erpc.rs":"324c72a15b4a50c5320c0bf6fb9e6d41dc2083fdb8a440cfc50e663e9fe6ad2d","src/error.rs":"cb3fd4763b60db8cbeda4c9abc0754a947258da5e5ed8d72fddc6b63d6c179ab","src/lib.rs":"35e1400c2b2d6e0e695ee15327a6f2057cd9e57623a514a0912fabcd35f6290c","src/low_bw.rs":"77e8586255483a5305aaaa12d325e586e890f78bc07647d5fce744dc7b2dd78a"},"package":"62a285ffd5ddbf0d4fb5f5d581498b4340678ca82d41da2e3678600591c0583e"}
diff --git a/vendor/vmw_backdoor/src/backdoor.rs b/vendor/vmw_backdoor/src/backdoor.rs
index d84bbbc..030d468 100644
--- a/vendor/vmw_backdoor/src/backdoor.rs
+++ b/vendor/vmw_backdoor/src/backdoor.rs
@@ -69,7 +69,9 @@ impl BackdoorGuard {
EnhancedChan::open(self)
}
- pub(crate) fn change_io_access(acquire: bool) -> Result<(), VmwError> {
+ pub(crate) fn change_io_access(_acquire: bool) -> Result<(), VmwError> {
+ // XXX(lucab): quickfix for https://github.com/lucab/vmw_backdoor-rs/issues/6.
+ /*
// NOTE(lucab): `ioperm()` is not enough here, as the backdoor
// protocol uses a dynamic range of I/O ports.
let level = if acquire { 0b11 } else { 0b00 };
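Review bot: The new comment on `change_io_access` links the issue but does not state the assumption the quickfix depends on. With the `iopl` call commented out, the function returns `Ok(())` for both acquire and release, so callers go on to the backdoor port I/O at the default I/O privilege level. That presumably works only because the VMware hypervisor services the backdoor port access from user mode; on any other platform the same access would be expected to fault rather than return an error. I would replace the `XXX` line with `// XXX(lucab): iopl() is denied under kernel lockdown (SecureBoot); skipped on the assumption that the hypervisor handles backdoor port access from ring 3, see https://github.com/lucab/vmw_backdoor-rs/issues/6.` and delete the dead code instead of wrapping it in `/* */`. The function body spans this hunk and the next one, where the closing `*/` sits.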
@@ -77,6 +79,7 @@ impl BackdoorGuard {
if err != 0 {
return Err(format!("iopl failed, errno={}", err).into());
};
+ */
Ok(())
}
--
2.27.0
From 069ab246129be6860aed3389c526543afa87e712 Mon Sep 17 00:00:00 2001
From: Luca BRUNO <luca.bruno@coreos.com>
Date: Thu, 17 Sep 2020 16:07:59 +0000
Subject: [PATCH] vendor/vmw-guestinfo: quickfix to skip performing iopl
This is a quickfix to avoid performing an `iopl`, which is blocked by
kernel_lockdown under SecureBoot.
Refs:
* https://bugzilla.redhat.com/show_bug.cgi?id=1877995
* https://github.com/lucab/vmw_backdoor-rs/issues/6
* https://github.com/coreos/ignition/issues/1092
---
.../vmware/vmw-guestinfo/vmcheck/vmcheck.go | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/vendor/github.com/vmware/vmw-guestinfo/vmcheck/vmcheck.go b/vendor/github.com/vmware/vmw-guestinfo/vmcheck/vmcheck.go
index c46cc5e4..9e974aee 100644
--- a/vendor/github.com/vmware/vmw-guestinfo/vmcheck/vmcheck.go
+++ b/vendor/github.com/vmware/vmw-guestinfo/vmcheck/vmcheck.go
@@ -41,10 +41,13 @@ func IsVirtualWorld() (bool, error) {
// hypervisorPortCheck tests the availability of the HV port.
func hypervisorPortCheck() (bool, error) {
- // Privilege level 3 to access all ports above 0x3ff
- if err := openPortsAccess(); err != nil {
- return false, err
- }
+ // XXX(lucab): quickfix for https://github.com/coreos/ignition/issues/1092.
+ /*
+ // Privilege level 3 to access all ports above 0x3ff
+ if err := openPortsAccess(); err != nil {
+ return false, err
+ }
+ */
p := &bdoor.BackdoorProto{}
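Review bot: `hypervisorPortCheck` is the probe that decides whether the guest runs on VMware, so with `openPortsAccess()` commented out it now issues the backdoor port access without raised I/O privilege on whatever platform it is called on. Under VMware that is presumably serviced by the hypervisor, but elsewhere the access could fault instead of returning `false`; whether `IsVirtualWorld` or the `bdoor` package guards against that is not visible in this hunk. I would state the precondition in the comment, e.g. `// XXX(lucab): skip iopl (denied under kernel lockdown); only safe when the platform is already known to be VMware.`, and drop the commented-out block rather than keep it. The function body continues past the end of the hunk.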
--
2.27.0
# grep -o ignition.platform.id='[[:alnum:]]*' /proc/cmdline
ignition.platform.id=vmware
# mokutil --sb-state
SecureBoot enabled
# mkdir -p /etc/cmdline.d
# /usr/local/bin/afterburn exp rd-network-kargs --default-value 'dhcp,dhcp6' --cmdline
# find /etc/cmdline.d/ -type f -print -exec cat {} \;
/etc/cmdline.d/50-afterburn-network-kargs.conf
custom-check-for-1877995
# /usr/local/bin/ignition --stage fetch-offline --clear-cache --log-to-stdout --platform vmware
INFO : Ignition v2.6.0-1-g069ab246
INFO : Stage: fetch-offline
ERROR : unable to clear cache: remove /run/ignition.json: no such file or directory
INFO : reading system config file "/usr/lib/ignition/base.ign"
INFO : no config at "/usr/lib/ignition/base.ign"
DEBUG : parsed url from cmdline: ""
INFO : no config URL provided
INFO : reading system config file "/usr/lib/ignition/user.ign"
INFO : no config at "/usr/lib/ignition/user.ign"
DEBUG : using OVF environment from guestinfo
DEBUG : config successfully fetched
DEBUG : parsing config with SHA512: a2e44f9fab7e4b1e8b56ab74b35b5f2ef354de4eb40fe2bc4c22e818c37c46f5ad699b1e2d0c8d1d757d04eb08287bbcd75eecd3506a084d7e70323d936a2b39
INFO : fetch-offline: fetch-offline passed
INFO : Ignition finished successfully