Sync from SUSE:SLFO:Main shim revision 2425476e169cbba2a05f50b0541b7410
This commit is contained in:
commit
2b2d68530f
23
.gitattributes
vendored
Normal file
23
.gitattributes
vendored
Normal file
@ -0,0 +1,23 @@
|
||||
## Default LFS
|
||||
*.7z filter=lfs diff=lfs merge=lfs -text
|
||||
*.bsp filter=lfs diff=lfs merge=lfs -text
|
||||
*.bz2 filter=lfs diff=lfs merge=lfs -text
|
||||
*.gem filter=lfs diff=lfs merge=lfs -text
|
||||
*.gz filter=lfs diff=lfs merge=lfs -text
|
||||
*.jar filter=lfs diff=lfs merge=lfs -text
|
||||
*.lz filter=lfs diff=lfs merge=lfs -text
|
||||
*.lzma filter=lfs diff=lfs merge=lfs -text
|
||||
*.obscpio filter=lfs diff=lfs merge=lfs -text
|
||||
*.oxt filter=lfs diff=lfs merge=lfs -text
|
||||
*.pdf filter=lfs diff=lfs merge=lfs -text
|
||||
*.png filter=lfs diff=lfs merge=lfs -text
|
||||
*.rpm filter=lfs diff=lfs merge=lfs -text
|
||||
*.tbz filter=lfs diff=lfs merge=lfs -text
|
||||
*.tbz2 filter=lfs diff=lfs merge=lfs -text
|
||||
*.tgz filter=lfs diff=lfs merge=lfs -text
|
||||
*.ttf filter=lfs diff=lfs merge=lfs -text
|
||||
*.txz filter=lfs diff=lfs merge=lfs -text
|
||||
*.whl filter=lfs diff=lfs merge=lfs -text
|
||||
*.xz filter=lfs diff=lfs merge=lfs -text
|
||||
*.zip filter=lfs diff=lfs merge=lfs -text
|
||||
*.zst filter=lfs diff=lfs merge=lfs -text
|
BIN
shim-15.7-150300.4.16.1.aarch64.rpm
(Stored with Git LFS)
Normal file
BIN
shim-15.7-150300.4.16.1.aarch64.rpm
(Stored with Git LFS)
Normal file
Binary file not shown.
BIN
shim-15.7-150300.4.16.1.x86_64.rpm
(Stored with Git LFS)
Normal file
BIN
shim-15.7-150300.4.16.1.x86_64.rpm
(Stored with Git LFS)
Normal file
Binary file not shown.
BIN
shim-debuginfo-15.7-150300.4.16.1.aarch64.rpm
(Stored with Git LFS)
Normal file
BIN
shim-debuginfo-15.7-150300.4.16.1.aarch64.rpm
(Stored with Git LFS)
Normal file
Binary file not shown.
BIN
shim-debuginfo-15.7-150300.4.16.1.x86_64.rpm
(Stored with Git LFS)
Normal file
BIN
shim-debuginfo-15.7-150300.4.16.1.x86_64.rpm
(Stored with Git LFS)
Normal file
Binary file not shown.
BIN
shim-debugsource-15.7-150300.4.16.1.aarch64.rpm
(Stored with Git LFS)
Normal file
BIN
shim-debugsource-15.7-150300.4.16.1.aarch64.rpm
(Stored with Git LFS)
Normal file
Binary file not shown.
BIN
shim-debugsource-15.7-150300.4.16.1.x86_64.rpm
(Stored with Git LFS)
Normal file
BIN
shim-debugsource-15.7-150300.4.16.1.x86_64.rpm
(Stored with Git LFS)
Normal file
Binary file not shown.
521
shim-install
Normal file
521
shim-install
Normal file
@ -0,0 +1,521 @@
|
||||
#! /bin/bash -e
|
||||
|
||||
arch=`uname -m`
|
||||
rootdir=
|
||||
bootdir=
|
||||
efidir=
|
||||
install_device=
|
||||
efibootdir=
|
||||
ca_string=
|
||||
no_nvram=no
|
||||
removable=no
|
||||
clean=no
|
||||
sysconfdir="/etc"
|
||||
libdir="/usr/lib64" # Beware, this is arch dependent!
|
||||
datadir="/usr/share"
|
||||
source_dir="${datadir}/efi/${arch}"
|
||||
efibootmgr="/usr/sbin/efibootmgr"
|
||||
grub_probe="/usr/sbin/grub2-probe"
|
||||
grub_mkrelpath="/usr/bin/grub2-mkrelpath"
|
||||
no_grub_install=no
|
||||
grub_install="/usr/sbin/grub2-install"
|
||||
grub_install_target=
|
||||
self="`basename $0`"
|
||||
grub_cfg="/boot/grub2/grub.cfg"
|
||||
update_boot=no
|
||||
def_grub_efi="${source_dir}/grub.efi"
|
||||
def_boot_efi=
|
||||
|
||||
[ ! -r /usr/etc/default/shim ] || . /usr/etc/default/shim
|
||||
[ ! -r /etc/default/shim ] || . /etc/default/shim
|
||||
|
||||
if [ -z "$def_shim_efi" -o ! -e ${source_dir}/${def_shim_efi} ] ; then
|
||||
def_shim_efi="shim.efi"
|
||||
fi
|
||||
|
||||
source_shim_efi="${source_dir}/${def_shim_efi}"
|
||||
|
||||
if [ x${arch} = xx86_64 ] ; then
|
||||
grub_install_target="x86_64-efi"
|
||||
def_boot_efi="bootx64.efi"
|
||||
elif [ x${arch} = xaarch64 ] ; then
|
||||
grub_install_target="arm64-efi"
|
||||
def_boot_efi="bootaa64.efi"
|
||||
else
|
||||
echo "Unsupported architecture: ${arch}"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ ! -d "${source_dir}" -o ! -e "${def_grub_efi}" ] ; then
|
||||
# for outdated packages fall back to previous behavior
|
||||
source_dir="$libdir/efi"
|
||||
def_grub_efi="${source_dir}/grub.efi"
|
||||
fi
|
||||
|
||||
# Get GRUB_DISTRIBUTOR.
|
||||
if test -f "${sysconfdir}/default/grub" ; then
|
||||
. "${sysconfdir}/default/grub"
|
||||
fi
|
||||
|
||||
if [ x"${GRUB_DISTRIBUTOR}" = x ] && [ -f "${sysconfdir}/os-release" ] ; then
|
||||
. "${sysconfdir}/os-release"
|
||||
GRUB_DISTRIBUTOR="${NAME} ${VERSION}"
|
||||
OS_ID="${ID}"
|
||||
fi
|
||||
|
||||
bootloader_id="$(echo "$GRUB_DISTRIBUTOR" | tr 'A-Z' 'a-z' | cut -d' ' -f1)"
|
||||
if test -z "$bootloader_id"; then
|
||||
bootloader_id=grub
|
||||
fi
|
||||
|
||||
efi_distributor="$bootloader_id"
|
||||
bootloader_id="${bootloader_id}-secureboot"
|
||||
|
||||
case "$bootloader_id" in
|
||||
"sle"*)
|
||||
ca_string='SUSE Linux Enterprise Secure Boot CA1';;
|
||||
"opensuse"*)
|
||||
ca_string='openSUSE Secure Boot CA1';;
|
||||
*) ca_string="";;
|
||||
esac
|
||||
|
||||
case "$OS_ID" in
|
||||
"opensuse-leap")
|
||||
ca_string='SUSE Linux Enterprise Secure Boot CA1';;
|
||||
esac
|
||||
|
||||
is_azure () {
|
||||
local bios_vendor;
|
||||
local product_name;
|
||||
local sys_vendor;
|
||||
|
||||
local sysfs_dmi_id="/sys/class/dmi/id"
|
||||
|
||||
if test -e "${sysfs_dmi_id}/bios_vendor"; then
|
||||
bios_vendor=$(cat "${sysfs_dmi_id}/bios_vendor")
|
||||
fi
|
||||
if test -e "${sysfs_dmi_id}/product_name"; then
|
||||
product_name=$(cat "${sysfs_dmi_id}/product_name")
|
||||
fi
|
||||
if test -e "${sysfs_dmi_id}/sys_vendor"; then
|
||||
sys_vendor=$(cat "${sysfs_dmi_id}/sys_vendor")
|
||||
fi
|
||||
|
||||
if test "x${bios_vendor}" != "xMicrosoft Corporation"; then
|
||||
# return false
|
||||
return 1
|
||||
fi
|
||||
|
||||
if test "x${product_name}" != "xVirtual Machine"; then
|
||||
# return false
|
||||
return 1
|
||||
fi
|
||||
|
||||
if test "x${sys_vendor}" != "xMicrosoft Corporation"; then
|
||||
# return false
|
||||
return 1
|
||||
fi
|
||||
|
||||
# return true
|
||||
return 0
|
||||
}
|
||||
|
||||
usage () {
|
||||
echo "Usage: $self [OPTION] [INSTALL_DEVICE]"
|
||||
echo
|
||||
echo "Install Secure Boot Loaders on your drive."
|
||||
echo
|
||||
echo "--directory=DIR use images from DIR."
|
||||
echo "--grub-probe=FILE use FILE as grub-probe."
|
||||
echo "--removable the installation device is removable."
|
||||
echo "--no-nvram don't update the NVRAM variable."
|
||||
echo "--bootloader-id=ID the ID of bootloader."
|
||||
echo "--efi-directory=DIR use DIR as the EFI System Partition root."
|
||||
echo "--config-file=FILE use FILE as config file, default is $grub_cfg."
|
||||
echo "--clean remove all installed files and configs."
|
||||
echo "--suse-enable-tpm install grub.efi with TPM support."
|
||||
echo "--no-grub-install Do not run grub2-install."
|
||||
echo
|
||||
echo "INSTALL_DEVICE must be system device filename."
|
||||
}
|
||||
|
||||
argument () {
|
||||
opt="$1"
|
||||
shift
|
||||
|
||||
if test $# -eq 0; then
|
||||
echo "$0: option requires an argument -- \`$opt'" 1>&2
|
||||
exit 1
|
||||
fi
|
||||
echo "$1"
|
||||
}
|
||||
|
||||
# Check the arguments.
|
||||
while test $# -gt 0
|
||||
do
|
||||
option=$1
|
||||
shift
|
||||
|
||||
case "$option" in
|
||||
-h | --help)
|
||||
usage
|
||||
exit 0 ;;
|
||||
|
||||
--root-directory)
|
||||
rootdir="`argument $option "$@"`"; shift;;
|
||||
--root-directory=*)
|
||||
rootdir="`echo "$option" | sed 's/--root-directory=//'`" ;;
|
||||
|
||||
--efi-directory)
|
||||
efidir="`argument $option "$@"`"; shift;;
|
||||
--efi-directory=*)
|
||||
efidir="`echo "$option" | sed 's/--efi-directory=//'`" ;;
|
||||
|
||||
--directory | -d)
|
||||
source_dir="`argument $option "$@"`"; shift;;
|
||||
--directory=*)
|
||||
source_dir="`echo "$option" | sed 's/--directory=//'`" ;;
|
||||
|
||||
--bootloader-id)
|
||||
bootloader_id="`argument $option "$@"`"; shift;;
|
||||
--bootloader-id=*)
|
||||
bootloader_id="`echo "$option" | sed 's/--bootloader-id=//'`" ;;
|
||||
|
||||
--grub-probe)
|
||||
grub_probe="`argument "$option" "$@"`"; shift;;
|
||||
--grub-probe=*)
|
||||
grub_probe="`echo "$option" | sed 's/--grub-probe=//'`" ;;
|
||||
|
||||
--config-file)
|
||||
grub_cfg="`argument "$option" "$@"`"; shift;;
|
||||
--config-file=*)
|
||||
grub_cfg="`echo "$option" | sed 's/--config-file=//'`" ;;
|
||||
|
||||
--removable)
|
||||
no_nvram=yes
|
||||
removable=yes ;;
|
||||
|
||||
--no-nvram)
|
||||
no_nvram=yes ;;
|
||||
|
||||
--suse-enable-tpm)
|
||||
# bsc#1174320 shim-install uses wrong paths for EFI files
|
||||
# There are 3 possible locations of grub-tpm.efi and we will check them
|
||||
# one by one.
|
||||
if [ -e "${source_dir}/grub-tpm.efi" ]; then
|
||||
source_grub_efi="${source_dir}/grub-tpm.efi"
|
||||
elif [ -e "${datadir}/grub2/${grub_install_target}/grub-tpm.efi" ] ; then
|
||||
source_grub_efi="${datadir}/grub2/${grub_install_target}/grub-tpm.efi"
|
||||
else
|
||||
source_grub_efi="/usr/lib/grub2/${grub_install_target}/grub-tpm.efi"
|
||||
fi
|
||||
;;
|
||||
|
||||
--clean)
|
||||
clean=yes ;;
|
||||
|
||||
--no-grub-install)
|
||||
no_grub_install=yes ;;
|
||||
|
||||
-*)
|
||||
echo "Unrecognized option \`$option'" 1>&2
|
||||
usage
|
||||
exit 1
|
||||
;;
|
||||
*)
|
||||
if test "x$install_device" != x; then
|
||||
echo "More than one install device?" 1>&2
|
||||
usage
|
||||
exit 1
|
||||
fi
|
||||
install_device="${option}" ;;
|
||||
esac
|
||||
done
|
||||
|
||||
if test -n "$efidir"; then
|
||||
efi_fs=`"$grub_probe" --target=fs "${efidir}"`
|
||||
if test "x$efi_fs" = xfat; then :; else
|
||||
echo "$efidir doesn't look like an EFI partition." 1>&2
|
||||
efidir=
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
if [ -z "$bootdir" ]; then
|
||||
bootdir="/boot"
|
||||
if [ -n "$rootdir" ] ; then
|
||||
# Initialize bootdir if rootdir was initialized.
|
||||
bootdir="${rootdir}/boot"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Find the EFI System Partition.
|
||||
if test -n "$efidir"; then
|
||||
install_device="`"$grub_probe" --target=device --device-map= "${efidir}"`"
|
||||
else
|
||||
if test -d "${bootdir}/efi"; then
|
||||
install_device="`"$grub_probe" --target=device --device-map= "${bootdir}/efi"`"
|
||||
# Is it a mount point?
|
||||
if test "x$install_device" != "x`"$grub_probe" --target=device --device-map= "${bootdir}"`"; then
|
||||
efidir="${bootdir}/efi"
|
||||
fi
|
||||
elif test -d "${bootdir}/EFI"; then
|
||||
install_device="`"$grub_probe" --target=device --device-map= "${bootdir}/EFI"`"
|
||||
# Is it a mount point?
|
||||
if test "x$install_device" != "x`"$grub_probe" --target=device --device-map= "${bootdir}"`"; then
|
||||
efidir="${bootdir}/EFI"
|
||||
fi
|
||||
elif test -n "$rootdir" && test "x$rootdir" != "x/"; then
|
||||
# The EFI System Partition may have been given directly using
|
||||
# --root-directory.
|
||||
install_device="`"$grub_probe" --target=device --device-map= "${rootdir}"`"
|
||||
# Is it a mount point?
|
||||
if test "x$install_device" != "x`"$grub_probe" --target=device --device-map= "${rootdir}/.."`"; then
|
||||
efidir="${rootdir}"
|
||||
fi
|
||||
fi
|
||||
|
||||
if test -n "$efidir"; then
|
||||
efi_fs=`"$grub_probe" --target=fs "${efidir}"`
|
||||
if test "x$efi_fs" = xfat; then :; else
|
||||
echo "$efidir doesn't look like an EFI partition." 1>&2
|
||||
efidir=
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if test -n "$efidir"; then
|
||||
efi_file=shim.efi
|
||||
efibootdir="$efidir/EFI/boot"
|
||||
mkdir -p "$efibootdir" || exit 1
|
||||
if test "$removable" = "yes" ; then
|
||||
efidir="$efibootdir"
|
||||
else
|
||||
efidir="$efidir/EFI/$efi_distributor"
|
||||
mkdir -p "$efidir" || exit 1
|
||||
fi
|
||||
else
|
||||
echo "No valid EFI partition" 1>&2
|
||||
exit 1;
|
||||
fi
|
||||
|
||||
if test "$removable" = "no" -a -f "$efibootdir/$def_boot_efi"; then
|
||||
if test -n "$ca_string" && (grep -q "$ca_string" "$efibootdir/$def_boot_efi"); then
|
||||
update_boot=yes
|
||||
fi
|
||||
else
|
||||
update_boot=yes
|
||||
fi
|
||||
|
||||
if test "$clean" = "yes"; then
|
||||
rm -f "${efidir}/shim.efi"
|
||||
rm -f "${efidir}/MokManager.efi"
|
||||
rm -f "${efidir}/grub.efi"
|
||||
rm -f "${efidir}/grub.cfg"
|
||||
rm -f "${efidir}/boot.csv"
|
||||
if test "$update_boot" = "yes"; then
|
||||
rm -f "${efibootdir}/${def_boot_efi}"
|
||||
rm -f "${efibootdir}/fallback.efi"
|
||||
# bsc#1175626, bsc#1175656 also clean up MokManager
|
||||
rm -f "${efibootdir}/MokManager.efi"
|
||||
fi
|
||||
if test "$no_nvram" = no && test -n "$bootloader_id"; then
|
||||
# Delete old entries from the same distributor.
|
||||
for bootnum in `$efibootmgr | grep '^Boot[0-9]' | \
|
||||
fgrep -i " $bootloader_id" | cut -b5-8`; do
|
||||
$efibootmgr -b "$bootnum" -B
|
||||
done
|
||||
fi
|
||||
exit 0
|
||||
fi
|
||||
|
||||
cp "${source_dir}/MokManager.efi" "${efidir}"
|
||||
|
||||
if test -n "$source_grub_efi" && ! test -f "$source_grub_efi"; then
|
||||
echo "File $source_grub_efi doesn't exist, fallback to default one" 1>&2
|
||||
source_grub_efi=""
|
||||
fi
|
||||
|
||||
if test -z "$source_grub_efi"; then
|
||||
source_grub_efi="$def_grub_efi"
|
||||
fi
|
||||
|
||||
echo "copying $source_grub_efi to ${efidir}/grub.efi"
|
||||
cp "$source_grub_efi" "${efidir}/grub.efi"
|
||||
|
||||
if test "$efidir" != "$efibootdir" ; then
|
||||
cp "${source_shim_efi}" "${efidir}/shim.efi"
|
||||
if test -n "$bootloader_id"; then
|
||||
echo "shim.efi,${bootloader_id}" | iconv -f ascii -t ucs2 > "${efidir}/boot.csv"
|
||||
fi
|
||||
fi
|
||||
|
||||
if test "$update_boot" = "yes"; then
|
||||
cp "$source_shim_efi" "${efibootdir}/${def_boot_efi}"
|
||||
if test "$removable" = "no"; then
|
||||
cp "${source_dir}/fallback.efi" "${efibootdir}"
|
||||
# bsc#1175626, bsc#1175656 Since shim 15, loading MokManager becomes
|
||||
# mandatory if a MOK request exists. Copy MokManager to \EFI\boot so
|
||||
# that boot*.efi can load MokManager to process the request instead
|
||||
# of shutting down the system immediately.
|
||||
cp "${source_dir}/MokManager.efi" "${efibootdir}"
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
prepare_cryptodisk () {
|
||||
uuid="$1"
|
||||
|
||||
if [ "x$GRUB_CRYPTODISK_PASSWORD" != x ]; then
|
||||
echo "cryptomount -u $uuid -p \"$GRUB_CRYPTODISK_PASSWORD\""
|
||||
return
|
||||
fi
|
||||
|
||||
if [ "x$GRUB_TPM2_SEALED_KEY" = x ]; then
|
||||
echo "cryptomount -u $uuid"
|
||||
return
|
||||
fi
|
||||
|
||||
tpm_sealed_key="${GRUB_TPM2_SEALED_KEY}"
|
||||
|
||||
declare -g TPM_PCR_SNAPSHOT_TAKEN
|
||||
|
||||
if [ -z "$TPM_PCR_SNAPSHOT_TAKEN" ]; then
|
||||
TPM_PCR_SNAPSHOT_TAKEN=1
|
||||
|
||||
# Check if tpm_record_pcrs is available and set the command to
|
||||
# grub.cfg.
|
||||
if grep -q "tpm_record_pcrs" ${datadir}/grub2/${arch}-efi/command.lst ; then
|
||||
echo "tpm_record_pcrs 0-9"
|
||||
fi
|
||||
fi
|
||||
|
||||
tpm_srk_alg="${GRUB_TPM2_SRK_ALG}"
|
||||
|
||||
if [ -z "$tpm_srk_alg" ]; then
|
||||
tpm_srk_alg="RSA"
|
||||
fi
|
||||
|
||||
cat <<EOF
|
||||
tpm2_key_protector_init -a $tpm_srk_alg -T \$prefix/$tpm_sealed_key
|
||||
if ! cryptomount -u $uuid --protector tpm2; then
|
||||
cryptomount -u $uuid
|
||||
fi
|
||||
EOF
|
||||
}
|
||||
|
||||
|
||||
make_grubcfg () {
|
||||
|
||||
grub_cfg_dirname=`dirname $grub_cfg`
|
||||
grub_cfg_basename=`basename $grub_cfg`
|
||||
cfg_fs_uuid=`"$grub_probe" --target=fs_uuid "$grub_cfg_dirname"`
|
||||
# bsc#1153953 - Leap 42.3 boot error snapshot missing
|
||||
# We have to check btrfs is used as root file system to enable relative path
|
||||
# lookup for file to be on par with other utility which also accounts for it.
|
||||
GRUB_FS="$(stat -f --printf=%T / || echo unknown)"
|
||||
|
||||
if test "x$SUSE_BTRFS_SNAPSHOT_BOOTING" = "xtrue" &&
|
||||
[ "x${GRUB_FS}" = "xbtrfs" ] ; then
|
||||
cat <<EOF
|
||||
set btrfs_relative_path="yes"
|
||||
EOF
|
||||
if ${grub_mkrelpath} --usage | grep -q -e '--relative'; then
|
||||
grub_mkrelpath="${grub_mkrelpath} -r"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ x$GRUB_ENABLE_CRYPTODISK = xy ]; then
|
||||
for uuid in `"${grub_probe}" --target=cryptodisk_uuid --device-map= "${grub_cfg_dirname}"`; do
|
||||
prepare_cryptodisk "$uuid"
|
||||
done
|
||||
fi
|
||||
|
||||
hints="`"${grub_probe}" --target=hints_string "${grub_cfg_dirname}" 2> /dev/null`"
|
||||
|
||||
if [ "x$hints" != x ]; then
|
||||
echo "if [ x\$feature_platform_search_hint = xy ]; then"
|
||||
echo " search --no-floppy --fs-uuid --set=root ${hints} ${cfg_fs_uuid}"
|
||||
echo "else"
|
||||
echo " search --no-floppy --fs-uuid --set=root ${cfg_fs_uuid}"
|
||||
echo "fi"
|
||||
else
|
||||
echo "search --no-floppy --fs-uuid --set=root ${cfg_fs_uuid}"
|
||||
fi
|
||||
|
||||
cat <<EOF
|
||||
set prefix=(\${root})`${grub_mkrelpath} ${grub_cfg_dirname}`
|
||||
source "\${prefix}/${grub_cfg_basename}"
|
||||
EOF
|
||||
|
||||
}
|
||||
|
||||
# bnc#889765 GRUB shows broken letters at boot
|
||||
# invoke grub_install to initialize /boot/grub2 directory with files needed by grub.cfg
|
||||
# bsc#1118363 shim-install didn't specify the target for grub2-install
|
||||
# set the target explicitly for some special cases
|
||||
if test "$no_grub_install" != "yes"; then
|
||||
${grub_install} --target=${grub_install_target} --no-nvram
|
||||
fi
|
||||
|
||||
# Making sure grub.cfg not overwritten by grub-install above
|
||||
make_grubcfg > "${efidir}/grub.cfg"
|
||||
|
||||
if test "$no_nvram" = no && test -n "$bootloader_id"; then
|
||||
|
||||
modprobe -q efivars 2>/dev/null || true
|
||||
|
||||
# Delete old entries from the same distributor.
|
||||
for bootnum in `$efibootmgr | grep '^Boot[0-9]' | \
|
||||
fgrep -i " $bootloader_id" | cut -b5-8`; do
|
||||
$efibootmgr -b "$bootnum" -B
|
||||
done
|
||||
|
||||
efidir_drive="$("$grub_probe" --target=drive --device-map= "$efidir")"
|
||||
efidir_disk="$("$grub_probe" --target=disk --device-map= "$efidir")"
|
||||
if test -z "$efidir_drive" || test -z "$efidir_disk"; then
|
||||
echo "Can't find GRUB drive for $efidir; unable to create EFI Boot Manager entry." >&2
|
||||
# bsc#1119762 If the MD device is partitioned, we just need to create one
|
||||
# boot entry since the partitions are nested partitions and the mirrored
|
||||
# partitions share the same UUID.
|
||||
elif [[ "$efidir_drive" == \(mduuid/* && "$efidir_drive" != \(mduuid/*,* ]]; then
|
||||
eval $(mdadm --detail --export "$efidir_disk" |
|
||||
perl -ne 'print if m{^MD_LEVEL=}; push( @D, $1) if (m{^MD_DEVICE_\S+_DEV=(\S+)$});
|
||||
sub END() {print "MD_DEVS=\"", join( " ", @D), "\"\n";};')
|
||||
if [ "$MD_LEVEL" != "raid1" ]; then
|
||||
echo "GRUB drive for $efidir not on RAID1; unable to create EFI Boot Manager entry." >&2
|
||||
fi
|
||||
for mddev in $MD_DEVS; do
|
||||
efidir_drive="$("$grub_probe" --target=drive --device-map= -d "$mddev")"
|
||||
efidir_disk="$("$grub_probe" --target=disk --device-map= -d "$mddev")"
|
||||
efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')"
|
||||
efidir_d=${mddev#/dev/}
|
||||
$efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \
|
||||
-L "$bootloader_id ($efidir_d)" -l "\\EFI\\$efi_distributor\\$efi_file"
|
||||
done
|
||||
else
|
||||
efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')"
|
||||
$efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \
|
||||
-L "$bootloader_id" -l "\\EFI\\$efi_distributor\\$efi_file"
|
||||
fi
|
||||
fi
|
||||
|
||||
# bsc#1185464 bsc#1185961
|
||||
# The Azure firmware sometimes doesn't respect the boot option created by
|
||||
# either efibootmgr or fallback.efi so we have to remove fallback.efi to
|
||||
# avoid the endless reset loop.
|
||||
if is_azure; then
|
||||
# Skip the workaround if we don't own \EFI\Boot or the removable
|
||||
# option is used
|
||||
if test "$update_boot" = "yes" && test "$removable" = "no"; then
|
||||
# Remove fallback.efi which could cause the reset loop in Azure
|
||||
rm -f "${efibootdir}/fallback.efi"
|
||||
# Remove the older grub binary and config
|
||||
rm -f "${efibootdir}/grub.efi"
|
||||
rm -f "${efibootdir}/grub.cfg"
|
||||
# Install new grub binary and config file to \EFI\Boot as
|
||||
# the "removable" option
|
||||
cp "${efidir}/grub.cfg" "${efibootdir}/grub.cfg"
|
||||
cp "${efidir}/grub.efi" "${efibootdir}/grub.efi"
|
||||
fi
|
||||
fi
|
1099
shim.changes
Normal file
1099
shim.changes
Normal file
File diff suppressed because it is too large
Load Diff
147
shim.spec
Normal file
147
shim.spec
Normal file
@ -0,0 +1,147 @@
|
||||
#
|
||||
# spec file for package shim
|
||||
#
|
||||
# Copyright (c) 2021 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
# upon. The license for this file, and modifications and additions to the
|
||||
# file, is the same license as for the pristine package itself (unless the
|
||||
# license for the pristine package is not an Open Source License, in which
|
||||
# case the license is the MIT License). An "Open Source License" is a
|
||||
# license that conforms to the Open Source Definition (Version 1.9)
|
||||
# published by the Open Source Initiative.
|
||||
|
||||
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
||||
#
|
||||
|
||||
%undefine _debuginfo_subpackages
|
||||
%undefine _build_create_debug
|
||||
# Move 'efi'-executables to '/usr/share/efi' (FATE#326960, bsc#1166523)
|
||||
%define sysefibasedir %{_datadir}/efi
|
||||
%define sysefidir %{sysefibasedir}/%{_target_cpu}
|
||||
%if 0%{?suse_version} < 1600
|
||||
%ifarch x86_64
|
||||
# provide compatibility sym-link for residual kiwi, etc.
|
||||
%define shim_lib64_share_compat 1
|
||||
%endif
|
||||
%endif
|
||||
|
||||
Name: shim
|
||||
Version: 15.7
|
||||
Release: 0
|
||||
Summary: UEFI shim loader
|
||||
License: BSD-2-Clause
|
||||
Group: System/Boot
|
||||
URL: https://github.com/rhboot/shim
|
||||
Source: shim-15.7-150300.4.16.1.x86_64.rpm
|
||||
Source1: shim-debuginfo-15.7-150300.4.16.1.x86_64.rpm
|
||||
Source2: shim-debugsource-15.7-150300.4.16.1.x86_64.rpm
|
||||
Source3: shim-15.7-150300.4.16.1.aarch64.rpm
|
||||
Source4: shim-debuginfo-15.7-150300.4.16.1.aarch64.rpm
|
||||
Source5: shim-debugsource-15.7-150300.4.16.1.aarch64.rpm
|
||||
Source6: shim-install
|
||||
#BuildRequires: shim-susesigned
|
||||
BuildRequires: fde-tpm-helper-rpm-macros
|
||||
BuildRequires: update-bootloader-rpm-macros
|
||||
Requires: perl-Bootloader
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
# For shim-install script
|
||||
Requires: grub2-efi
|
||||
%if 0%{?fde_tpm_update_requires:1}
|
||||
%fde_tpm_update_requires
|
||||
%endif
|
||||
ExclusiveArch: x86_64 aarch64
|
||||
|
||||
%description
|
||||
shim is a trivial EFI application that, when run, attempts to open and
|
||||
execute another application.
|
||||
|
||||
%package debuginfo
|
||||
Summary: UEFI shim loader - debug symbols
|
||||
Group: Development/Debug
|
||||
|
||||
%description debuginfo
|
||||
The debug symbols of UEFI shim loader
|
||||
|
||||
%package debugsource
|
||||
Summary: UEFI shim loader - debug source
|
||||
Group: Development/Debug
|
||||
|
||||
%description debugsource
|
||||
The source code of UEFI shim loader
|
||||
|
||||
%prep
|
||||
%ifarch x86_64
|
||||
rpm2cpio %{SOURCE0} | cpio --extract --unconditional --preserve-modification-time --make-directories
|
||||
rpm2cpio %{SOURCE1} | cpio --extract --unconditional --preserve-modification-time --make-directories
|
||||
rpm2cpio %{SOURCE2} | cpio --extract --unconditional --preserve-modification-time --make-directories
|
||||
%endif
|
||||
%ifarch aarch64
|
||||
rpm2cpio %{SOURCE3} | cpio --extract --unconditional --preserve-modification-time --make-directories
|
||||
rpm2cpio %{SOURCE4} | cpio --extract --unconditional --preserve-modification-time --make-directories
|
||||
rpm2cpio %{SOURCE5} | cpio --extract --unconditional --preserve-modification-time --make-directories
|
||||
%endif
|
||||
|
||||
%build
|
||||
|
||||
%install
|
||||
# purely repackaged
|
||||
cp -a * %{buildroot}
|
||||
|
||||
%if %{defined shim_lib64_share_compat}
|
||||
echo old
|
||||
%else
|
||||
rm -rf %{buildroot}/usr/lib64/efi
|
||||
%endif
|
||||
|
||||
# also copy over the susesigned shim
|
||||
# we did this to shortcut some cert work in 15-sp2, we currently do not need it
|
||||
#install -m 444 %{sysefidir}/shim-susesigned.* %{buildroot}/%{sysefidir}
|
||||
|
||||
# Install the updated shim-install
|
||||
install -m 755 %{SOURCE6} %{buildroot}/%{_sbindir}
|
||||
|
||||
%post
|
||||
%if 0%{?fde_tpm_update_post:1}
|
||||
%fde_tpm_update_post shim
|
||||
%endif
|
||||
|
||||
%if 0%{?update_bootloader_check_type_reinit_post:1}
|
||||
%update_bootloader_check_type_reinit_post grub2-efi
|
||||
%else
|
||||
/sbin/update-bootloader --reinit || true
|
||||
%endif
|
||||
|
||||
%posttrans
|
||||
%{?update_bootloader_posttrans}
|
||||
%{?fde_tpm_update_posttrans}
|
||||
|
||||
%files
|
||||
%defattr(-,root,root)
|
||||
%dir %{?sysefibasedir}
|
||||
%dir %{sysefidir}
|
||||
%{sysefidir}/shim.efi
|
||||
%{sysefidir}/shim-*.efi
|
||||
%{sysefidir}/shim-*.der
|
||||
%{sysefidir}/MokManager.efi
|
||||
%{sysefidir}/fallback.efi
|
||||
%{_sbindir}/shim-install
|
||||
%dir %{_sysconfdir}/uefi/
|
||||
%dir %{_sysconfdir}/uefi/certs/
|
||||
%{_sysconfdir}/uefi/certs/*.crt
|
||||
%if %{defined shim_lib64_share_compat}
|
||||
# provide compatibility sym-link for previous kiwi, etc.
|
||||
%dir /usr/lib64/efi
|
||||
/usr/lib64/efi/*.efi
|
||||
%endif
|
||||
/usr/share/doc/packages/shim
|
||||
|
||||
%files debuginfo
|
||||
/usr/lib/debug/%{sysefidir}/*.debug
|
||||
|
||||
%files debugsource
|
||||
%dir /usr/src/debug/shim-*
|
||||
/usr/src/debug/shim-*/*
|
||||
|
||||
%changelog
|
Loading…
Reference in New Issue
Block a user