Accepting request 1157811 from home:gary_lin:branches:devel:openSUSE:Factory

- Update shim-install to set the SRK algorithm for grub2 TPM2 key protector (bsc#1213945) + 92d0f4305df73 Set the SRK algorithm for the TPM2 protector - Build with update-bootloader-rpm-macros and fde-tpm-helper-rpm-macros and update the %post and %posttrans macros correctly OBS-URL: https://build.opensuse.org/request/show/1157811 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim-leap?expand=0&rev=40
2024-03-19 08:49:25 +00:00 · 2024-03-19 08:49:25 +00:00 · 20648210a3
commit 20648210a3
parent 3a2248b45e
3 changed files with 35 additions and 2 deletions
--- a/8
+++ b/8
@ -390,8 +390,14 @@ prepare_cryptodisk () {
    fi
  fi

+  tpm_srk_alg="${GRUB_TPM2_SRK_ALG}"
+
+  if [ -z "$tpm_srk_alg" ]; then
+    tpm_srk_alg="RSA"
+  fi
+
  cat <<EOF
-tpm2_key_protector_init -T \$prefix/$tpm_sealed_key
+tpm2_key_protector_init -a $tpm_srk_alg -T \$prefix/$tpm_sealed_key
 if ! cryptomount -u $uuid --protector tpm2; then
    cryptomount -u $uuid
 fi
--- a/shim-leap.changes
+++ b/shim-leap.changes
@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Thu Mar 14 05:58:13 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Update shim-install to set the SRK algorithm for grub2 TPM2
+  key protector (bsc#1213945)
+  + 92d0f4305df73 Set the SRK algorithm for the TPM2 protector
+- Build with update-bootloader-rpm-macros and
+  fde-tpm-helper-rpm-macros and update the %post and %posttrans
+  macros correctly
+
 -------------------------------------------------------------------
 Wed Jun  7 02:29:44 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>

--- a/shim-leap.spec
+++ b/shim-leap.spec
@ -1,7 +1,7 @@
 #
 # spec file for package shim-leap
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -33,6 +33,8 @@ Group:          System/Boot
 Source:         shim-15.4-lp152.4.17.1.x86_64.rpm
 Source1:        README
 Source2:        shim-install
+BuildRequires:  fde-tpm-helper-rpm-macros
+BuildRequires:  update-bootloader-rpm-macros
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 ExclusiveArch:  x86_64

@ -43,6 +45,9 @@ does not exist
 Summary:        UEFI shim loader
 Group:          System/Boot
 Requires:       perl-Bootloader
+%if 0%{?fde_tpm_update_requires:1}
+%fde_tpm_update_requires
+%endif

 %description -n shim
 shim is a trivial EFI application that, when run, attempts to open and
@ -67,7 +72,19 @@ rm -rf %{buildroot}/usr/lib64/efi
 %endif

 %post -n shim
+%if 0%{?fde_tpm_update_post:1}
+%fde_tpm_update_post shim
+%endif
+
+%if 0%{?update_bootloader_check_type_reinit_post:1}
+%update_bootloader_check_type_reinit_post grub2-efi
+%else
 /sbin/update-bootloader --reinit || true
+%endif
+
+%posttrans -n shim
+%{?update_bootloader_posttrans}
+%{?fde_tpm_update_posttrans}

 %files -n shim
 %doc README