From d33006b0e08287e4ceb4d9f00dcce0e00cb8fb6bdda8841decdeaa92d743f9a6 Mon Sep 17 00:00:00 2001
From: Chun-Yi Lee
Date: Thu, 27 Nov 2025 18:56:46 +0800
Subject: [PATCH 1/2] shim.spec: Specify the certificate format in openssl commands

The old openssl in SLE-15-SP3 assumes the format of input certificate is PEM. In d279b0c45350 patch, we converted the SUSE certificates from PEM to DER format for using by Lua in pretrans script. It causes the openssl command to fail with old openssl. So we specify the certificate format in openssl commands.
---
 shim.spec | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/shim.spec b/shim.spec
index 2c3dc11..99f2cba 100644
--- a/shim.spec
+++ b/shim.spec
@@ -210,10 +210,10 @@ suffixes=(opensuse sles)
 # just one shim that embeds this specific cert. If it's a devel
 # project we build all variants to simplify testing.
 if test -e %{_sourcedir}/_projectcert.crt ; then
- prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash)
- prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash)
- opensusesubject=$(openssl x509 -in %{SOURCE11} -noout -subject_hash)
- slessubject=$(openssl x509 -in %{SOURCE12} -noout -subject_hash)
+ prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -inform PEM -noout -subject_hash)
+ prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -inform PEM -noout -issuer_hash)
+ opensusesubject=$(openssl x509 -in %{SOURCE11} -inform DER -noout -subject_hash)
+ slessubject=$(openssl x509 -in %{SOURCE12} -inform DER -noout -subject_hash)
 if test "$prjissuer" = "$opensusesubject" ; then
 suffixes=(opensuse)
 elif test "$prjissuer" = "$slessubject" ; then
@@ -226,6 +226,7 @@ fi
 for suffix in "${suffixes[@]}"; do
 if test "$suffix" = "opensuse"; then
 cert=%{SOURCE11}
+ cp $cert shim-$suffix.der
 verify='openSUSE Secure Boot CA1'
 vendor_dbx='vendor-dbx-opensuse.esl'
 %ifarch x86_64
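Review bot: The variant selection on the `if test "$prjissuer" = "$opensusesubject"` and `elif test "$prjissuer" = "$slessubject"` lines compares `-subject_hash`/`-issuer_hash` outputs, which are 32-bit hashes of the distinguished name; equality only shows that the project cert names the openSUSE or SLES CA as its issuer, not that it was actually signed by that CA, so any certificate whose issuer DN hashes to the same value selects that variant too. That is acceptable for deciding which build variant to produce, but the limitation deserves a comment next to the assignments: `# DN hashes identify which CA is named as issuer; this does not verify the signature chain`. If a stronger check is ever wanted, `openssl verify -CAfile <PEM copy of the matched CA> %{_sourcedir}/_projectcert.crt` on the matched branch would confirm the chain (note `-CAfile` expects PEM while SOURCE11/SOURCE12 are now DER). The `if`/`elif` chain continues outside the hunk.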
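Review bot: `cp $cert shim-$suffix.der` leaves both expansions unquoted, so a `%{SOURCE11}` path containing whitespace or glob characters would be word-split; write `cp -- "$cert" "shim-$suffix.der"`, and the same applies to the identical line in the sles hunk (`@@ -236,6 +237,7 @@`) and to `openssl x509 -in $cert ...` in the devel hunk (`@@ -250,12 +252,12 @@`). The copy also replaces the former `openssl x509 ... -outform DER` step on this branch, which incidentally parsed the certificate before it was embedded as VENDOR_CERT_FILE; after this change the DER file is embedded unparsed unless `_projectcert.crt` exists, since the hunk above only runs openssl on SOURCE11/SOURCE12 in that case. A cheap replacement is `openssl x509 -in "$cert" -inform DER -noout` before the copy, which presumably fails the build on a corrupt or still-PEM source file instead of producing a shim with an unusable vendor cert. The `if`/`elif` on `$suffix` continues outside the hunk.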
@@ -236,6 +237,7 @@ for suffix in "${suffixes[@]}"; do
 %endif
 elif test "$suffix" = "sles"; then
 cert=%{SOURCE12}
+ cp $cert shim-$suffix.der
 verify='SUSE Linux Enterprise Secure Boot CA1'
 vendor_dbx='vendor-dbx-sles.esl'
 %ifarch x86_64
@@ -250,12 +252,12 @@ for suffix in "${suffixes[@]}"; do vendor_dbx='vendor-dbx.esl' ms_shim='' test -e "$cert" || continue + openssl x509 -in $cert -inform PEM -outform DER -out shim-$suffix.der else echo "invalid suffix" false fi - openssl x509 -in $cert -outform DER -out shim-$suffix.der make CC=%{cc_compiler} RELEASE=0 ENABLE_CODESIGN_EKU=1 SHIMSTEM=shim \ VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \ DEFAULT_LOADER="\\\\\\\\grub.efi" \
-- 2.51.1

From 2a0ca4d82bf491f6d21810f7465419c7c69ea43fdecb4e85bb3de3e8ee9b9687 Mon Sep 17 00:00:00 2001
From: Chun-Yi Lee
Date: Thu, 27 Nov 2025 20:25:15 +0800
Subject: [PATCH 2/2] shim.spec: Workaround the string comparison issue in elif directive

With the rpm-4.14.3 on SLE-15-SP3, the string comparison in elif directive has problem. It causes that the certificate block in the elif-endif to disappear permanently, regardless of whether the comparison succeeds or fails. This change can also workaround the issue that elif can not handle special issue_hash/subject_hash from 'openSUSE Secure Boot Signkey': shim> openssl x509 -in factory-secure-boot.crt -inform PEM -noout -subject_hash babd5674 shim> openssl x509 -in factory-secure-boot.crt -inform PEM -noout -issuer_hash d29860c3 Directlly put to global define in shim.spec can reproduce issue: global prjissuer_hash d29860c3 global prjsubjec_hash babd5674 This patch changed codes by using if-endif instead of elif-endif to workaround the above two problems
---
 shim.spec | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/shim.spec b/shim.spec
index 99f2cba..9015251 100644
--- a/shim.spec
+++ b/shim.spec
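Review bot: The added `openssl x509 -in $cert -inform PEM -outform DER -out shim-$suffix.der` on the devel branch converts only the first certificate of a PEM input, so if the project cert file (presumably `_projectcert.crt`, assigned outside the hunk) ever carries a chain, the embedded vendor cert is silently whichever certificate comes first; a comment recording that assumption, `# openssl x509 embeds only the first certificate in the PEM file`, would make it explicit. `$cert` should also be quoted here, `openssl x509 -in "$cert" -inform PEM -outform DER -out "shim-$suffix.der"`, matching the quoted `test -e "$cert"` two lines above. The opening of this `elif` branch and the remainder of the `make` invocation lie outside the hunk.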
@@ -410,10 +410,12 @@ local TARGET_CERT_HEXES = {
 %if "%{prjissuer_hash}" == "%{opensusesubject_hash}"
 -- Certificate #3, openSUSE Secure Boot CA 2013
 "%{opensuse_ca_hex}",
-%elif "%{prjissuer_hash}" == "%{slessubject_hash}"
+%endif
+%if "%{prjissuer_hash}" == "%{slessubject_hash}"
 -- Certificate #3, SUSE Linux Enterprise Secure Boot CA 2013
 "%{sles_ca_hex}",
-%elif "%{prjissuer_hash}" == "%{prjsubjec_hash}"
+%endif
+%if "%{prjissuer_hash}" == "%{prjsubjec_hash}"
 -- We put all keys for testing on devel/staging project
 -- Certificate #3, openSUSE Secure Boot CA 2013
 "%{opensuse_ca_hex}",
-- 2.51.1
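Review bot: Replacing the `%elif` chain with three independent `%if` blocks changes the selection from "exactly one of these" to "every one that matches", so a project cert whose issuer hash equals more than one of `opensusesubject_hash`, `slessubject_hash` or `prjsubjec_hash` now emits more than one Certificate #3 entry into TARGET_CERT_HEXES; with 32-bit DN hashes that requires a collision, but nothing in the hunk states that duplicates are harmless to whatever consumes the table. A Lua comment above the first `%if` would record the intent: `-- NOTE: independent %if blocks (rpm-4.14.3 %elif workaround); more than one entry may be emitted, consumers must tolerate duplicates`. The macro name `prjsubjec_hash` is consistently misspelled (the commit message defines it under the same name), so it is not a defect, but renaming it together with its definition would avoid a future mismatch. The closing `%endif` of the third block and the rest of the table are outside the hunk.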