commit 682c22204c604cbbebc313f5d6d2bafbca55472a322adabe9dd40e0c67f03241 Author: Joey Lee Date: Mon Aug 5 06:42:56 2024 +0000 Accepting request 1191006 from home:dtseng:branches:devel:openSUSE:Factory bugowner: dtseng Submitting for upgrading shim to v15.8 (bsc#1215099, bsc#1215098,bsc#1215100,bsc#1215101,bsc#1215102,and bsc#1215103) OBS-URL: https://build.opensuse.org/request/show/1191006 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim-leap?expand=0&rev=42
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/README b/README
new file mode 100644
index 0000000..4e746e7
--- /dev/null
+++ b/README
@@ -0,0 +1,5 @@
+Since shim needs a "stable" environment to reproduce the binary to match
+the signature from UEFI CA, it's difficult to maintain shim in Tumbleweed
+due to the nature of a rolling release distro. Instead of compiling shim
+for Tumbleweed, we directly import the binary the latest stable Leap
+release to maintain a stable and reproducible shim binary.
diff --git a/shim-15.4-lp152.4.17.1.x86_64.rpm b/shim-15.4-lp152.4.17.1.x86_64.rpm
new file mode 100644
index 0000000..aea6869
--- /dev/null
+++ b/shim-15.4-lp152.4.17.1.x86_64.rpm
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:13776ed2b68698091297f5e0e7156b401b1f7a9940785a1871335266fb524a30
+size 456552
diff --git a/shim-15.8-lp155.8.2.x86_64.rpm b/shim-15.8-lp155.8.2.x86_64.rpm
new file mode 100644
index 0000000..6c3770e
--- /dev/null
+++ b/shim-15.8-lp155.8.2.x86_64.rpm
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2dde0a04e9468988abe978355ba50a3f14e10e110fdbcf80f52c94e922501cb0
+size 503544
diff --git a/shim-install b/shim-install
new file mode 100644
index 0000000..708d026
--- /dev/null
+++ b/shim-install
@@ -0,0 +1,515 @@
+#! /bin/bash -e
+
+arch=`uname -m`
+rootdir=
+bootdir=
+efidir=
+install_device=
+efibootdir=
+ca_string=
+no_nvram=no
+removable=no
+clean=no
+sysconfdir="/etc"
+libdir="/usr/lib64" # Beware, this is arch dependent!
+datadir="/usr/share"
+source_dir="${datadir}/efi/${arch}"
+efibootmgr="/usr/sbin/efibootmgr"
+grub_probe="/usr/sbin/grub2-probe"
+grub_mkrelpath="/usr/bin/grub2-mkrelpath"
+no_grub_install=no
+grub_install="/usr/sbin/grub2-install"
+grub_install_target=
+self="`basename $0`"
+grub_cfg="/boot/grub2/grub.cfg"
+update_boot=no
+def_grub_efi="${source_dir}/grub.efi"
+def_boot_efi=
+
+[ ! -r /usr/etc/default/shim ] || . /usr/etc/default/shim
+[ ! -r /etc/default/shim ] || . /etc/default/shim
+
+if [ -z "$def_shim_efi" -o ! -e ${source_dir}/${def_shim_efi} ] ; then
+ def_shim_efi="shim.efi"
+fi
+
+source_shim_efi="${source_dir}/${def_shim_efi}"
+
+if [ x${arch} = xx86_64 ] ; then
+ grub_install_target="x86_64-efi"
+ def_boot_efi="bootx64.efi"
+elif [ x${arch} = xaarch64 ] ; then
+ grub_install_target="arm64-efi"
+ def_boot_efi="bootaa64.efi"
+else
+ echo "Unsupported architecture: ${arch}"
+ exit 1
+fi
+
+if [ ! -d "${source_dir}" -o ! -e "${def_grub_efi}" ] ; then
+ # for outdated packages fall back to previous behavior
+ source_dir="$libdir/efi"
+ def_grub_efi="${source_dir}/grub.efi"
+fi
+
+# Get GRUB_DISTRIBUTOR.
+if test -f "${sysconfdir}/default/grub" ; then
+ . "${sysconfdir}/default/grub"
+fi
+
+if [ x"${GRUB_DISTRIBUTOR}" = x ] && [ -f "${sysconfdir}/os-release" ] ; then
+ . 
"${sysconfdir}/os-release"
+ GRUB_DISTRIBUTOR="${NAME} ${VERSION}"
+fi
+
+bootloader_id="$(echo "$GRUB_DISTRIBUTOR" | tr 'A-Z' 'a-z' | cut -d' ' -f1)"
+if test -z "$bootloader_id"; then
+ bootloader_id=grub
+fi
+
+efi_distributor="$bootloader_id"
+bootloader_id="${bootloader_id}-secureboot"
+
+case "$bootloader_id" in
+ "sle"*)
+ ca_string='SUSE Linux Enterprise Secure Boot CA1';;
+ "opensuse"*)
+ ca_string='openSUSE Secure Boot CA1';;
+ *) ca_string="";;
+esac
+
+is_azure () {
+ local bios_vendor;
+ local product_name;
+ local sys_vendor;
+
+ local sysfs_dmi_id="/sys/class/dmi/id"
+
+ if test -e "${sysfs_dmi_id}/bios_vendor"; then
+ bios_vendor=$(cat "${sysfs_dmi_id}/bios_vendor")
+ fi
+ if test -e "${sysfs_dmi_id}/product_name"; then
+ product_name=$(cat "${sysfs_dmi_id}/product_name")
+ fi
+ if test -e "${sysfs_dmi_id}/sys_vendor"; then
+ sys_vendor=$(cat "${sysfs_dmi_id}/sys_vendor")
+ fi
+
+ if test "x${bios_vendor}" != "xMicrosoft Corporation"; then
+ # return false
+ return 1
+ fi
+
+ if test "x${product_name}" != "xVirtual Machine"; then
+ # return false
+ return 1
+ fi
+
+ if test "x${sys_vendor}" != "xMicrosoft Corporation"; then
+ # return false
+ return 1
+ fi
+
+ # return true
+ return 0
+}
+
+usage () {
+ echo "Usage: $self [OPTION] [INSTALL_DEVICE]"
+ echo
+ echo "Install Secure Boot Loaders on your drive."
+ echo
+ echo "--directory=DIR use images from DIR."
+ echo "--grub-probe=FILE use FILE as grub-probe."
+ echo "--removable the installation device is removable."
+ echo "--no-nvram don't update the NVRAM variable."
+ echo "--bootloader-id=ID the ID of bootloader."
+ echo "--efi-directory=DIR use DIR as the EFI System Partition root."
+ echo "--config-file=FILE use FILE as config file, default is $grub_cfg."
+ echo "--clean remove all installed files and configs."
+ echo "--suse-enable-tpm install grub.efi with TPM support."
+ echo "--no-grub-install Do not run grub2-install."
+ echo
+ echo "INSTALL_DEVICE must be system device filename."
+}
+
+argument () {
+ opt="$1"
+ shift
+
+ if test $# -eq 0; then
+ echo "$0: option requires an argument -- \`$opt'" 1>&2
+ exit 1
+ fi
+ echo "$1"
+}
+
+# Check the arguments.
+while test $# -gt 0
+do
+ option=$1
+ shift
+
+ case "$option" in
+ -h | --help)
+ usage
+ exit 0 ;;
+
+ --root-directory)
+ rootdir="`argument $option "$@"`"; shift;;
+ --root-directory=*)
+ rootdir="`echo "$option" | sed 's/--root-directory=//'`" ;;
+
+ --efi-directory)
+ efidir="`argument $option "$@"`"; shift;;
+ --efi-directory=*)
+ efidir="`echo "$option" | sed 's/--efi-directory=//'`" ;;
+
+ --directory | -d)
+ source_dir="`argument $option "$@"`"; shift;;
+ --directory=*)
+ source_dir="`echo "$option" | sed 's/--directory=//'`" ;;
+
+ --bootloader-id)
+ bootloader_id="`argument $option "$@"`"; shift;;
+ --bootloader-id=*)
+ bootloader_id="`echo "$option" | sed 's/--bootloader-id=//'`" ;;
+
+ --grub-probe)
+ grub_probe="`argument "$option" "$@"`"; shift;;
+ --grub-probe=*)
+ grub_probe="`echo "$option" | sed 's/--grub-probe=//'`" ;;
+
+ --config-file)
+ grub_cfg="`argument "$option" "$@"`"; shift;;
+ --config-file=*)
+ grub_cfg="`echo "$option" | sed 's/--config-file=//'`" ;;
+
+ --removable)
+ no_nvram=yes
+ removable=yes ;;
+
+ --no-nvram)
+ no_nvram=yes ;;
+
+ --suse-enable-tpm)
+ # bsc#1174320 shim-install uses wrong paths for EFI files
+ # There are 3 possible locations of grub-tpm.efi and we will check them
+ # one by one.
+ if [ -e "${source_dir}/grub-tpm.efi" ]; then
+ source_grub_efi="${source_dir}/grub-tpm.efi"
+ elif [ -e "${datadir}/grub2/${grub_install_target}/grub-tpm.efi" ] ; then
+ source_grub_efi="${datadir}/grub2/${grub_install_target}/grub-tpm.efi"
+ else
+ source_grub_efi="/usr/lib/grub2/${grub_install_target}/grub-tpm.efi"
+ fi
+ ;;
+
+ --clean)
+ clean=yes ;;
+
+ --no-grub-install)
+ no_grub_install=yes ;;
+
+ -*)
+ echo "Unrecognized option \`$option'" 1>&2
+ usage
+ exit 1
+ ;;
+ *)
+ if test "x$install_device" != x; then
+ echo "More than one install device?" 1>&2
+ usage
+ exit 1
+ fi
+ install_device="${option}" ;;
+ esac
+done
+
+if test -n "$efidir"; then
+ efi_fs=`"$grub_probe" --target=fs "${efidir}"`
+ if test "x$efi_fs" = xfat; then :; else
+ echo "$efidir doesn't look like an EFI partition." 1>&2
+ efidir=
+ fi
+fi
+
+
+if [ -z "$bootdir" ]; then
+ bootdir="/boot"
+ if [ -n "$rootdir" ] ; then
+ # Initialize bootdir if rootdir was initialized.
+ bootdir="${rootdir}/boot"
+ fi
+fi
+
+# Find the EFI System Partition.
+if test -n "$efidir"; then
+ install_device="`"$grub_probe" --target=device --device-map= "${efidir}"`"
+else
+ if test -d "${bootdir}/efi"; then
+ install_device="`"$grub_probe" --target=device --device-map= "${bootdir}/efi"`"
+ # Is it a mount point?
+ if test "x$install_device" != "x`"$grub_probe" --target=device --device-map= "${bootdir}"`"; then
+ efidir="${bootdir}/efi"
+ fi
+ elif test -d "${bootdir}/EFI"; then
+ install_device="`"$grub_probe" --target=device --device-map= "${bootdir}/EFI"`"
+ # Is it a mount point?
+ if test "x$install_device" != "x`"$grub_probe" --target=device --device-map= "${bootdir}"`"; then
+ efidir="${bootdir}/EFI"
+ fi
+ elif test -n "$rootdir" && test "x$rootdir" != "x/"; then
+ # The EFI System Partition may have been given directly using
+ # --root-directory.
+ install_device="`"$grub_probe" --target=device --device-map= "${rootdir}"`"
+ # Is it a mount point?
+ if test "x$install_device" != "x`"$grub_probe" --target=device --device-map= "${rootdir}/.."`"; then
+ efidir="${rootdir}"
+ fi
+ fi
+
+ if test -n "$efidir"; then
+ efi_fs=`"$grub_probe" --target=fs "${efidir}"`
+ if test "x$efi_fs" = xfat; then :; else
+ echo "$efidir doesn't look like an EFI partition." 1>&2
+ efidir=
+ fi
+ fi
+fi
+
+if test -n "$efidir"; then
+ efi_file=shim.efi
+ efibootdir="$efidir/EFI/boot"
+ mkdir -p "$efibootdir" || exit 1
+ if test "$removable" = "yes" ; then
+ efidir="$efibootdir"
+ else
+ efidir="$efidir/EFI/$efi_distributor"
+ mkdir -p "$efidir" || exit 1
+ fi
+else
+ echo "No valid EFI partition" 1>&2
+ exit 1;
+fi
+
+if test "$removable" = "no" -a -f "$efibootdir/$def_boot_efi"; then
+ if test -n "$ca_string" && (grep -q "$ca_string" "$efibootdir/$def_boot_efi"); then
+ update_boot=yes
+ fi
+else
+ update_boot=yes
+fi
+
+if test "$clean" = "yes"; then
+ rm -f "${efidir}/shim.efi"
+ rm -f "${efidir}/MokManager.efi"
+ rm -f "${efidir}/grub.efi"
+ rm -f "${efidir}/grub.cfg"
+ rm -f "${efidir}/boot.csv"
+ if test "$update_boot" = "yes"; then
+ rm -f "${efibootdir}/${def_boot_efi}"
+ rm -f "${efibootdir}/fallback.efi"
+ # bsc#1175626, bsc#1175656 also clean up MokManager
+ rm -f "${efibootdir}/MokManager.efi"
+ fi
+ if test "$no_nvram" = no && test -n "$bootloader_id"; then
+ # Delete old entries from the same distributor.
+ for bootnum in `$efibootmgr | grep '^Boot[0-9]' | \
+ fgrep -i " $bootloader_id" | cut -b5-8`; do
+ $efibootmgr -b "$bootnum" -B
+ done
+ fi
+ exit 0
+fi
+
+cp "${source_dir}/MokManager.efi" "${efidir}"
+
+if test -n "$source_grub_efi" && ! 
test -f "$source_grub_efi"; then
+ echo "File $source_grub_efi doesn't exist, fallback to default one" 1>&2
+ source_grub_efi=""
+fi
+
+if test -z "$source_grub_efi"; then
+ source_grub_efi="$def_grub_efi"
+fi
+
+echo "copying $source_grub_efi to ${efidir}/grub.efi"
+cp "$source_grub_efi" "${efidir}/grub.efi"
+
+if test "$efidir" != "$efibootdir" ; then
+ cp "${source_shim_efi}" "${efidir}/shim.efi"
+ if test -n "$bootloader_id"; then
+ echo "shim.efi,${bootloader_id}" | iconv -f ascii -t ucs2 > "${efidir}/boot.csv"
+ fi
+fi
+
+if test "$update_boot" = "yes"; then
+ cp "$source_shim_efi" "${efibootdir}/${def_boot_efi}"
+ if test "$removable" = "no"; then
+ cp "${source_dir}/fallback.efi" "${efibootdir}"
+ # bsc#1175626, bsc#1175656 Since shim 15, loading MokManager becomes
+ # mandatory if a MOK request exists. Copy MokManager to \EFI\boot so
+ # that boot*.efi can load MokManager to process the request instead
+ # of shutting down the system immediately.
+ cp "${source_dir}/MokManager.efi" "${efibootdir}"
+ fi
+fi
+
+
+prepare_cryptodisk () {
+ uuid="$1"
+
+ if [ "x$GRUB_CRYPTODISK_PASSWORD" != x ]; then
+ echo "cryptomount -u $uuid -p \"$GRUB_CRYPTODISK_PASSWORD\""
+ return
+ fi
+
+ if [ "x$GRUB_TPM2_SEALED_KEY" = x ]; then
+ echo "cryptomount -u $uuid"
+ return
+ fi
+
+ tpm_sealed_key="${GRUB_TPM2_SEALED_KEY}"
+
+ declare -g TPM_PCR_SNAPSHOT_TAKEN
+
+ if [ -z "$TPM_PCR_SNAPSHOT_TAKEN" ]; then
+ TPM_PCR_SNAPSHOT_TAKEN=1
+
+ # Check if tpm_record_pcrs is available and set the command to
+ # grub.cfg.
+ if grep -q "tpm_record_pcrs" ${datadir}/grub2/${arch}-efi/command.lst ; then + echo "tpm_record_pcrs 0-9" + fi + fi + + tpm_srk_alg="${GRUB_TPM2_SRK_ALG}" + + if [ -z "$tpm_srk_alg" ]; then + tpm_srk_alg="RSA" + fi + + cat < /dev/null`" + +if [ "x$hints" != x ]; then + echo "if [ x\$feature_platform_search_hint = xy ]; then" + echo " search --no-floppy --fs-uuid --set=root ${hints} ${cfg_fs_uuid}" + echo "else" + echo " search --no-floppy --fs-uuid --set=root ${cfg_fs_uuid}" + echo "fi" +else + echo "search --no-floppy --fs-uuid --set=root ${cfg_fs_uuid}" +fi + +cat < "${efidir}/grub.cfg" + +if test "$no_nvram" = no && test -n "$bootloader_id"; then + + modprobe -q efivars 2>/dev/null || true + + # Delete old entries from the same distributor. + for bootnum in `$efibootmgr | grep '^Boot[0-9]' | \ + fgrep -i " $bootloader_id" | cut -b5-8`; do + $efibootmgr -b "$bootnum" -B + done + + efidir_drive="$("$grub_probe" --target=drive --device-map= "$efidir")" + efidir_disk="$("$grub_probe" --target=disk --device-map= "$efidir")" + if test -z "$efidir_drive" || test -z "$efidir_disk"; then + echo "Can't find GRUB drive for $efidir; unable to create EFI Boot Manager entry." >&2 + # bsc#1119762 If the MD device is partitioned, we just need to create one + # boot entry since the partitions are nested partitions and the mirrored + # partitions share the same UUID. + elif [[ "$efidir_drive" == \(mduuid/* && "$efidir_drive" != \(mduuid/*,* ]]; then + eval $(mdadm --detail --export "$efidir_disk" | + perl -ne 'print if m{^MD_LEVEL=}; push( @D, $1) if (m{^MD_DEVICE_\S+_DEV=(\S+)$}); + sub END() {print "MD_DEVS=\"", join( " ", @D), "\"\n";};') + if [ "$MD_LEVEL" != "raid1" ]; then + echo "GRUB drive for $efidir not on RAID1; unable to create EFI Boot Manager entry." 
>&2
+ fi
+ for mddev in $MD_DEVS; do
+ efidir_drive="$("$grub_probe" --target=drive --device-map= -d "$mddev")"
+ efidir_disk="$("$grub_probe" --target=disk --device-map= -d "$mddev")"
+ efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')"
+ efidir_d=${mddev#/dev/}
+ $efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \
+ -L "$bootloader_id ($efidir_d)" -l "\\EFI\\$efi_distributor\\$efi_file"
+ done
+ else
+ efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')"
+ $efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \
+ -L "$bootloader_id" -l "\\EFI\\$efi_distributor\\$efi_file"
+ fi
+fi
+
+# bsc#1185464 bsc#1185961
+# The Azure firmware sometimes doesn't respect the boot option created by
+# either efibootmgr or fallback.efi so we have to remove fallback.efi to
+# avoid the endless reset loop.
+if is_azure; then
+ # Skip the workaround if we don't own \EFI\Boot or the removable
+ # option is used
+ if test "$update_boot" = "yes" && test "$removable" = "no"; then
+ # Remove fallback.efi which could cause the reset loop in Azure
+ rm -f "${efibootdir}/fallback.efi"
+ # Remove the older grub binary and config
+ rm -f "${efibootdir}/grub.efi"
+ rm -f "${efibootdir}/grub.cfg"
+ # Install new grub binary and config file to \EFI\Boot as
+ # the "removable" option
+ cp "${efidir}/grub.cfg" "${efibootdir}/grub.cfg"
+ cp "${efidir}/grub.efi" "${efibootdir}/grub.efi"
+ fi
+fi
diff --git a/shim-leap.changes b/shim-leap.changes
new file mode 100644
index 0000000..a73095b
--- /dev/null
+++ b/shim-leap.changes
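Review bot: In `prepare_cryptodisk`, `GRUB_CRYPTODISK_PASSWORD` is interpolated unescaped into the `cryptomount -u $uuid -p "..."` line, so a password containing `"`, `$` or `\` changes the command GRUB parses, and the secret ends up in cleartext in `${efidir}/grub.cfg` on the FAT ESP, which carries no file permissions. Escape the three characters GRUB treats specially inside double quotes before the echo, e.g. `pw=${GRUB_CRYPTODISK_PASSWORD//\\/\\\\}; pw=${pw//\"/\\\"}; pw=${pw//\$/\\\$}`, and add a comment stating how long the password is expected to stay on the ESP and what removes it. The part of the script that redirects this output into grub.cfg is garbled on this page, so the write path is inferred from the surviving `"${efidir}/grub.cfg"` redirect and the changelog entry about creating the cryptomount command for grub.cfg. Also worth a look: `source_shim_efi` is computed before the `$libdir/efi` fallback and before `--directory` is parsed, so shim.efi can be copied from a different directory than MokManager.efi and fallback.efi.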
@@ -0,0 +1,823 @@ +------------------------------------------------------------------- +Tue Jul 23 03:27:56 UTC 2024 - Dennis Tseng + +- Update to shim to 15.8-shim-15.8-lp155.8.2.x86_64.rpm from + openSUSE secure-boot 15.5 + + Version: 15.8, "Jan 23 2024" + + Align the outside shim-install with the one in RPM file. + This is because all important fixes in outside shim-install are + also fixed in shim-install of RPM file. For consistency purposes, + the outside shim-install is updated in this version. + + Include the bug fixes for bsc#1215099,bsc#1215098,bsc#1215100,bsc#1215101, + bsc#1215102, and bsc#1215103. + +------------------------------------------------------------------- +Thu Mar 14 05:58:13 UTC 2024 - Gary Ching-Pang Lin + +- Update shim-install to set the SRK algorithm for grub2 TPM2 + key protector (bsc#1213945) + + 92d0f4305df73 Set the SRK algorithm for the TPM2 protector +- Build with update-bootloader-rpm-macros and + fde-tpm-helper-rpm-macros and update the %post and %posttrans + macros correctly + +------------------------------------------------------------------- +Wed Jun 7 02:29:44 UTC 2023 - Gary Ching-Pang Lin + +- Update shim-install to support FDE + + Read GRUB_CRYPTODISK_PASSWORD and GRUB_TPM2_SEALED_KEY to + create the proper cryptomount command for grub.cfg + + Save the PCR snapshot if grub2 supports the command + + Support 'no_grub_install' to skip grub2-install + + Detect the OS ID of openSUSE Leap + +------------------------------------------------------------------- +Thu May 25 07:48:54 UTC 2023 - Gary Ching-Pang Lin + +- Remove the sym-links in /usr/lib64/efi for the newer distro + versions since we don't use them anymore + +------------------------------------------------------------------- +Wed Jul 21 09:38:30 UTC 2021 - jlee@suse.com + +- Update to shim to 15.4-lp152.4.17.1 from openSUSE Leap 15.2 + + Version: 15.4, "Thu Jul 15 2021" + + Updated openSUSE x86 signature + + Include the fixes for bsc#1187696, bsc#1185261, 
bsc#1185441, + bsc#1187071, bsc#1185621, bsc#1185261, bsc#1185232, bsc#1185261, + bsc#1187260, bsc#1185232. +- Remove shim-install because the shim-install is updated in Leap + 15.2 RPM. + +------------------------------------------------------------------- +Thu May 20 01:25:06 UTC 2021 - Gary Ching-Pang Lin + +- shim-install: instead of assuming "removable" for Azure, remove + fallback.efi from \EFI\Boot and copy grub.efi/cfg to \EFI\Boot + to make \EFI\Boot bootable and keep the boot option created by + efibootmgr (bsc#1185464, bsc#1185961) + +------------------------------------------------------------------- +Fri May 7 08:54:20 UTC 2021 - Gary Ching-Pang Lin + +- shim-install: always assume "removable" for Azure to avoid the + endless reset loop (bsc#1185464) + +------------------------------------------------------------------- +Tue Apr 27 07:45:26 UTC 2021 - Gary Ching-Pang Lin + +- Update to shim to 15.4-lp152.4.8.1 from openSUSE Leap 15.2 for + SBAT support (bsc#1182057) + + Version: 15.4, "Wed Apr 21 05:46:19 UTC 2021" + + Include the fixes for bsc#1177789, CVE-2019-14584, bsc#1177315, + bsc#1175509, bsc#1173411, bsc#1177404, bsc#1174512, bsc#1184454 +- Add README to note why we need shim-leap for Tumbleweed + +------------------------------------------------------------------- +Thu Aug 27 07:27:54 UTC 2020 - Gary Ching-Pang Lin + +- Update shim to 15+git47-lp152.4.5.1 from openSUSE Leap 15.2 + + shim-install: install MokManager to \EFI\boot to process the + pending MOK request (bsc#1175626, bsc#1175656) + +------------------------------------------------------------------- +Tue Aug 11 06:36:37 UTC 2020 - Gary Ching-Pang Lin + +- Update shim to 15+git47-lp152.4.3.1 from openSUSE Leap 15.2 + + Version: 15+git47 "Fri Jul 31 07:41:26 UTC 2020" + + Use shim-install in the rpm package + +------------------------------------------------------------------- +Wed Jul 22 09:33:51 UTC 2020 - Gary Ching-Pang Lin + +- Update the path to grub-tpm.efi in shim-install 
(bsc#1174320) +- shim-install: add check for btrfs is used as root file system to enable + relative path lookup for file. (bsc#1153953) +- Update shim-install to handle the partitioned MD devices + (bsc#1119762, bsc#1119763) +- Update grub2 path in shim-install + +------------------------------------------------------------------- +Tue Mar 31 08:38:56 UTC 2020 - Gary Ching-Pang Lin + +- Use the full path of efibootmgr to avoid errors when invoking + shim-install from packagekitd (bsc#1168104) + +------------------------------------------------------------------- +Mon Mar 30 06:05:58 UTC 2020 - Gary Ching-Pang Lin + +- Use "suse_version" instead of "sle_version" to avoid + shim_lib64_share_compat being set in Tumbleweed forever. + +------------------------------------------------------------------- +Fri Mar 27 05:32:11 UTC 2020 - Gary Ching-Pang Lin + +- Move 'efi'-executables to '/usr/share/efi' + (FATE#326960, bsc#1166523) + +------------------------------------------------------------------- +Thu Dec 6 03:23:04 UTC 2018 - Gary Ching-Pang Lin + +- Update shim-install to set the grub2-install target explicitly + for some special cases. 
(bsc#1118363) + +------------------------------------------------------------------- +Fri Jun 8 10:39:42 UTC 2018 - glin@suse.com + +- Update shim to 14-lp150.8.5.1 + + Replace shim-bsc1092000-fallback-always-try-first-option.patch + with shim-bsc1092000-fallback-menu.patch to show a countdown + menu before reset (bsc#1092000) + +------------------------------------------------------------------- +Mon May 14 08:52:34 UTC 2018 - glin@suse.com + +- Update shim to 14-lp150.7.3 + + Amend fallback.efi to avoid being trapped in the infinite reset + loop (bsc#1092000) + +------------------------------------------------------------------- +Wed Apr 25 08:17:45 UTC 2018 - mlin@suse.com + +- Update shim to 14-lp150.4.1 +- New signature from Microsoft + +------------------------------------------------------------------- +Tue Apr 25 03:44:04 UTC 2017 - glin@suse.com + +- Update shim to 0.9-15.3.1 + + shim-install: add option --suse-enable-tpm (fate#315831) + (Fix from mchang@suse.com) + +------------------------------------------------------------------- +Tue Dec 27 05:47:23 UTC 2016 - glin@suse.com + +- Update shim to 0.9-13.1 + + Update shim-install to support "--no-nvram" and improve + removable media and fallback mode handling (bsc#985568, + bsc#999818) (Fix from mchang@suse.com) + +------------------------------------------------------------------- +Fri Oct 7 09:31:29 UTC 2016 - jsegitz@novell.com + +- New signature from Microsoft + +------------------------------------------------------------------- +Fri Aug 19 06:46:59 UTC 2016 - mchang@suse.com + +- shim-install : fix regression of password prompt (bsc#993764) + +------------------------------------------------------------------- +Fri Aug 5 02:53:54 UTC 2016 - glin@suse.com + +- Add shim-bsc991885-fix-sig-length.patch to fix the signature + length passed to Authenticode (bsc#991885) + +------------------------------------------------------------------- +Wed Aug 3 09:10:25 UTC 2016 - glin@suse.com + +- Update 
shim-bsc973496-mokmanager-no-append-write.patch to try + append write first + +------------------------------------------------------------------- +Tue Aug 2 02:59:46 UTC 2016 - glin@suse.com + +- Add shim-update-openssl-1.0.2h.patch to update openssl to 1.0.2h +- Bump the requirement of gnu-efi due to the HTTPBoot support + +------------------------------------------------------------------- +Mon Aug 1 09:01:59 UTC 2016 - glin@suse.com + +- Add shim-httpboot-support.patch to support HTTPBoot +- Add shim-update-openssl-1.0.2g.patch to update openssl to 1.0.2g + and Cryptlib to 5e2318dd37a51948aaf845c7d920b11f47cdcfe6 +- Drop patches since they are merged into + shim-update-openssl-1.0.2g.patch + + shim-update-openssl-1.0.2d.patch + + shim-gcc5.patch + + shim-bsc950569-fix-cryptlib-va-functions.patch + + shim-fix-aarch64.patch +- Refresh shim-change-debug-file-path.patch +- Add shim-bsc973496-mokmanager-no-append-write.patch to work + around the firmware that doesn't support APPEND_WRITE (bsc973496) +- shim-install : remove '\n' from the help message (bsc#991188) +- shim-install : print a message if there is no valid EFI partition + (bsc#991187) + +------------------------------------------------------------------- +Mon May 9 11:20:56 UTC 2016 - rw@suse.com + +- shim-install : support simple MD RAID1 target devices (FATE#314829) + +------------------------------------------------------------------- +Wed May 4 10:40:52 UTC 2016 - agraf@suse.com + +- Add shim-fix-aarch64.patch to fix compilation on AArch64 (bsc#978438) + +------------------------------------------------------------------- +Wed Mar 9 07:15:52 UTC 2016 - mchang@suse.com + +- shim-install : fix typing ESC can escape to parent config which is + in command mode and cannot return back (bsc#966701) +- shim-install : fix no which command for JeOS (bsc#968264) + +------------------------------------------------------------------- +Thu Dec 3 10:26:14 UTC 2015 - jsegitz@novell.com + +- acquired updated signature 
from Microsoft + +------------------------------------------------------------------- +Mon Nov 9 08:22:43 UTC 2015 - glin@suse.com + +- Add shim-bsc950569-fix-cryptlib-va-functions.patch to fix the + definition of va functions to avoid the potential crash + (bsc#950569) +- Update shim-opensuse-cert-prompt.patch to avoid setting NULL to + MokListRT (bsc#950801) +- Drop shim-fix-mokmanager-sections.patch as we are using the + newer binutils now +- Refresh shim-change-debug-file-path.patch + +------------------------------------------------------------------- +Thu Oct 8 06:49:43 UTC 2015 - jsegitz@novell.com + +- acquired updated signature from Microsoft + +------------------------------------------------------------------- +Tue Sep 15 05:03:10 UTC 2015 - mchang@suse.com + +- shim-install : set default GRUB_DISTRIBUTOR from /etc/os-release + if it is empty or not set by user (bsc#942519) + +------------------------------------------------------------------- +Thu Jul 16 06:49:01 UTC 2015 - glin@suse.com + +- Add shim-update-openssl-1.0.2d.patch to update openssl to 1.0.2d +- Refresh shim-gcc5.patch and add it back since we really need it +- Add shim-change-debug-file-path.patch to change the debug file + path in shim.efi + + also add the debuginfo and debugsource subpackages +- Drop shim-fix-gnu-efi-30w.patch which is not necessary anymore + +------------------------------------------------------------------- +Mon Jul 6 09:06:02 UTC 2015 - glin@suse.com + +- Update to 0.9 +- Refresh patches + + shim-fix-gnu-efi-30w.patch + + shim-fix-mokmanager-sections.patch + + shim-opensuse-cert-prompt.patch +- Drop upstreamed patches + + shim-bsc920515-fix-fallback-buffer-length.patch + + shim-mokx-support.patch + + shim-update-cryptlib.patch +- Drop shim-bsc919675-uninstall-shim-protocols.patch since + upstream fixed the bug in another way. 
+- Drop shim-gcc5.patch which was fixed in another way + +------------------------------------------------------------------- +Wed Apr 8 07:10:39 UTC 2015 - glin@suse.com + +- Fix tags in the spec file + +------------------------------------------------------------------- +Tue Apr 7 07:42:06 UTC 2015 - glin@suse.com + +- Add shim-update-cryptlib.patch to update Cryptlib to r16559 and + openssl to 0.9.8zf +- Add shim-bsc919675-uninstall-shim-protocols.patch to uninstall + the shim protocols at Exit (bsc#919675) +- Add shim-bsc920515-fix-fallback-buffer-length.patch to adjust + the buffer size for the boot options (bsc#920515) +- Refresh shim-opensuse-cert-prompt.patch + +------------------------------------------------------------------- +Thu Apr 2 16:31:28 UTC 2015 - crrodriguez@opensuse.org + +- shim-gcc5.patch: shim needs -std=gnu89 to build with GCC5 + +------------------------------------------------------------------- +Tue Feb 17 06:02:34 UTC 2015 - mchang@suse.com + +- shim-install : fix cryptodisk installation (boo#917427) + +------------------------------------------------------------------- +Tue Nov 11 04:26:00 UTC 2014 - glin@suse.com + +- Add shim-fix-mokmanager-sections.patch to fix the objcopy + parameters for the EFI files + +------------------------------------------------------------------- +Tue Oct 28 04:00:51 UTC 2014 - glin@suse.com + +- Update to 0.8 +- Add shim-fix-gnu-efi-30w.patch to adapt the change in + gnu-efi-3.0w +- Merge shim-signed-unsigned-compares.patch, + shim-mokmanager-support-sha-family.patch and + shim-bnc863205-mokmanager-fix-hash-delete.patch into + shim-mokx-support.patch +- Refresh shim-opensuse-cert-prompt.patch +- Drop upstreamed patches: shim-update-openssl-0.9.8zb.patch, + bug-889332_shim-overflow.patch, and bug-889332_shim-mok-oob.patch +- Enable aarch64 + +------------------------------------------------------------------- +Mon Oct 13 13:09:14 UTC 2014 - jsegitz@novell.com + +- Fixed buffer overflow and OOB access in 
shim trusted code path + (bnc#889332, CVE-2014-3675, CVE-2014-3676, CVE-2014-3677) + * added bug-889332_shim-mok-oob.patch, bug-889332_shim-overflow.patch +- Added new certificate by Microsoft + +------------------------------------------------------------------- +Wed Sep 3 12:32:25 UTC 2014 - lnussel@suse.de + +- re-introduce build failure if shim_enforce_ms_signature is defined. That way + a project like openSUSE:Factory can decide whether or not shim needs a valid + MS signature. + +------------------------------------------------------------------- +Tue Aug 19 04:38:36 UTC 2014 - glin@suse.com + +- Add shim-update-openssl-0.9.8zb.patch to update openssl to + 0.9.8zb + +------------------------------------------------------------------- +Tue Aug 12 14:19:36 UTC 2014 - jsegitz@suse.com + +- updated shim to new version (OpenSSL 0.9.8za) and requested a new + certificate from Microsoft. Removed + * shim-allow-fallback-use-system-loadimage.patch + * shim-bnc872503-check-key-encoding.patch + * shim-bnc877003-fetch-from-the-same-device.patch + * shim-correct-user_insecure-usage.patch + * shim-fallback-avoid-duplicate-bootorder.patch + * shim-fallback-improve-entries-creation.patch + * shim-fix-dhcpv4-path-generation.patch + * shim-fix-uninitialized-variable.patch + * shim-fix-verify-mok.patch + * shim-get-variable-check.patch + * shim-improve-error-messages.patch + * shim-mokmanager-delete-bs-var-right.patch + * shim-mokmanager-handle-keystroke-error.patch + * shim-remove-unused-variables.patch + since they're included in upstream and rebased the remaining onces. 
+ Added shim-signed-unsigned-compares.patch to fix some compiler + warnings + +------------------------------------------------------------------- +Tue Aug 12 09:18:42 UTC 2014 - glin@suse.com + +- Keep shim-devel.efi for the devel project + +------------------------------------------------------------------- +Fri Aug 8 11:18:36 UTC 2014 - lnussel@suse.de + +- don't fail the build if the UEFI signing service signature can't + be attached anymore. This way shim can still pass through staging + projects. We will verify the correct signature for release builds + using openQA instead. + +------------------------------------------------------------------- +Mon Aug 4 07:53:22 UTC 2014 - mchang@suse.com + +- shim-install: fix GRUB shows broken letters at boot by calling + grub2-install to initialize /boot/grub2 directory with files + needed by grub.cfg (bnc#889765) + +------------------------------------------------------------------- +Wed May 28 04:13:33 UTC 2014 - glin@suse.com + +- Add shim-remove-unused-variables.patch to remove the unused + variables +- Add shim-bnc872503-check-key-encoding.patch to check the encoding + of the keys (bnc#872503) +- Add shim-bnc877003-fetch-from-the-same-device.patch to fetch the + netboot image from the same device (bnc#877003) +- Refresh shim-opensuse-cert-prompt.patch + +------------------------------------------------------------------- +Wed May 14 09:39:02 UTC 2014 - glin@suse.com + +- Use --reinit instead of --refresh in %post to update the files + in /boot + +------------------------------------------------------------------- +Tue Apr 29 07:38:11 UTC 2014 - mchang@suse.com + +- shim-install: fix boot partition and rollback support kluge + (bnc#875385) + +------------------------------------------------------------------- +Thu Apr 10 08:20:20 UTC 2014 - glin@suse.com + +- Replace shim-mokmanager-support-sha1.patch with + shim-mokmanager-support-sha-family.patch to support the SHA + family + 
+------------------------------------------------------------------- +Mon Apr 7 09:32:21 UTC 2014 - glin@suse.com + +- Add shim-mokmanager-support-sha1.patch to support SHA1 hashes in + MOK + +------------------------------------------------------------------- +Mon Mar 31 11:57:13 UTC 2014 - mchang@suse.com + +- snapper rollback support (fate#317062) + - refresh shim-install + +------------------------------------------------------------------- +Thu Mar 13 02:32:15 UTC 2014 - glin@suse.com + +- Insert the right signature (bnc#867974) + +------------------------------------------------------------------- +Mon Mar 10 07:56:44 UTC 2014 - glin@suse.com + +- Add shim-fix-uninitialized-variable.patch to fix the use of + uninitialzed variables in lib + +------------------------------------------------------------------- +Fri Mar 7 09:09:12 UTC 2014 - glin@suse.com + +- Add shim-mokmanager-delete-bs-var-right.patch to delete the BS+NV + variables the right way +- Update shim-opensuse-cert-prompt.patch to delete openSUSE_Verify + correctly + +------------------------------------------------------------------- +Thu Mar 6 07:37:57 UTC 2014 - glin@suse.com + +- Add shim-fallback-avoid-duplicate-bootorder.patch to fix the + duplicate entries in BootOrder +- Add shim-allow-fallback-use-system-loadimage.patch to handle the + shim protocol properly to keep only one protocol entity +- Refresh shim-opensuse-cert-prompt.patch + +------------------------------------------------------------------- +Thu Mar 6 03:53:49 UTC 2014 - mchang@suse.com + +- shim-install: fix the $prefix to use grub2-mkrelpath for paths + on btrfs subvolume (bnc#866690). + +------------------------------------------------------------------- +Tue Mar 4 04:19:05 UTC 2014 - glin@suse.com + +- FATE#315002: Update shim-install to install shim.efi as the EFI + default bootloader when none exists in \EFI\boot. 
+ +------------------------------------------------------------------- +Thu Feb 27 09:46:49 UTC 2014 - fcrozat@suse.com + +- Update signature-sles.asc: shim signed by UEFI signing service, + based on code from "Thu Feb 20 11:57:01 UTC 2014" + +------------------------------------------------------------------- +Fri Feb 21 08:45:46 UTC 2014 - glin@suse.com + +- Add shim-opensuse-cert-prompt.patch to show the prompt to ask + whether the user trusts the openSUSE certificate or not + +------------------------------------------------------------------- +Thu Feb 20 11:57:01 UTC 2014 - lnussel@suse.de + +- allow package to carry multiple signatures +- check correct certificate is embedded + +------------------------------------------------------------------- +Thu Feb 20 10:06:47 UTC 2014 - lnussel@suse.de + +- always clean up generated files that embed certificates + (shim_cert.h shim.cer shim.crt) to make sure next build loop + rebuilds them properly + +------------------------------------------------------------------- +Mon Feb 17 09:58:56 UTC 2014 - glin@suse.com + +- Add shim-bnc863205-mokmanager-fix-hash-delete.patch to fix the + hash deletion operation to avoid ruining the whole list + (bnc#863205) + +------------------------------------------------------------------- +Tue Feb 11 06:30:02 UTC 2014 - glin@suse.com + +- Update shim-mokx-support.patch to support the resetting of MOK + blacklist +- Add shim-get-variable-check.patch to fix the variable checking + in get_variable_attr +- Add shim-fallback-improve-entries-creation.patch to improve the + boot entry pathes and avoid generating the boot entries that + are already there +- Update SUSE certificate +- Update attach_signature.sh, show_hash.sh, strip_signature.sh, + extract_signature.sh and show_signatures.sh to remove the + creation of the temporary nss database +- Add shim-only-os-name.patch: remove the kernel version of the + build server +- Match the the prefix of the project name properly by escaping the + 
percent sign. + +------------------------------------------------------------------- +Wed Jan 22 13:45:44 UTC 2014 - lnussel@suse.de + +- enable signature assertion also in SUSE: hierarchy + +------------------------------------------------------------------- +Fri Dec 6 06:44:43 UTC 2013 - glin@suse.com + +- Add shim-mokmanager-handle-keystroke-error.patch to handle the + error status from ReadKeyStroke to avoid unexpected keys + +------------------------------------------------------------------- +Thu Dec 5 02:05:13 UTC 2013 - glin@suse.com + +- Update to 0.7 +- Add upstream patches: + + shim-fix-verify-mok.patch + + shim-improve-error-messages.patch + + shim-correct-user_insecure-usage.patch + + shim-fix-dhcpv4-path-generation.patch +- Add shim-mokx-support.patch to support the MOK blacklist + (Fate#316531) +- Drop upstreamed patches + + shim-fix-pointer-casting.patch + + shim-merge-lf-loader-code.patch + + shim-fix-simple-file-selector.patch + + shim-mokmanager-support-crypt-hash-method.patch + + shim-bnc804631-fix-broken-bootpath.patch + + shim-bnc798043-no-doulbe-separators.patch + + shim-bnc807760-change-pxe-2nd-loader-name.patch + + shim-bnc808106-correct-certcount.patch + + shim-mokmanager-ui-revamp.patch + + shim-netboot-fixes.patch + + shim-mokmanager-disable-gfx-console.patch +- Drop shim-suse-build.patch: it's not necessary anymore +- Drop shim-bnc841426-silence-shim-protocols.patch: shim is not + verbose by default + +------------------------------------------------------------------- +Thu Oct 31 09:11:18 UTC 2013 - fcrozat@suse.com + +- Update microsoft.asc: shim signed by UEFI signing service, based + on code from "Tue Oct 1 04:29:29 UTC 2013". 
+ +------------------------------------------------------------------- +Tue Oct 1 04:29:29 UTC 2013 - glin@suse.com + +- Add shim-netboot-fixes.patch to include upstream netboot fixes +- Add shim-mokmanager-disable-gfx-console.patch to disable the + graphics console to avoid system hang on some machines +- Add shim-bnc841426-silence-shim-protocols.patch to silence the + shim protocols (bnc#841426) + +------------------------------------------------------------------- +Wed Sep 25 07:17:54 UTC 2013 - glin@suse.com + +- Create boot.csv in ESP for fallback.efi to restore the boot entry + +------------------------------------------------------------------- +Tue Sep 17 10:53:50 CEST 2013 - fcrozat@suse.com + +- Update microsoft.asc: shim signed by UEFI signing service, based + on code from "Fri Sep 6 13:57:36 UTC 2013". +- Improve extract_signature.sh to work on current path. + +------------------------------------------------------------------- +Fri Sep 6 13:57:36 UTC 2013 - lnussel@suse.de + +- set timestamp of PE file to time of the binary the signature was + made for. +- make sure cert.o get's rebuilt for each target + +------------------------------------------------------------------- +Fri Sep 6 11:48:14 CEST 2013 - fcrozat@suse.com + +- Update microsoft.asc: shim signed by UEFI signing service, based + on code from "Wed Aug 28 15:54:38 UTC 2013" + +------------------------------------------------------------------- +Wed Aug 28 15:54:38 UTC 2013 - lnussel@suse.de + +- always build a shim that embeds the distro's certificate (e.g. + shim-opensuse.efi). If the package is built in the devel project + additionally shim-devel.efi is created. That allows us to either + load grub2/kernel signed by the distro or signed by the devel + project, depending on use case. Also shim-$distro.efi from the + devel project can be used to request additional signatures. 
+ +------------------------------------------------------------------- +Wed Aug 28 07:16:51 UTC 2013 - lnussel@suse.de + +- also include old openSUSE 4096 bit certificate to be able to still + boot kernels signed with that key. +- add show_signatures script + +------------------------------------------------------------------- +Tue Aug 27 06:41:03 UTC 2013 - lnussel@suse.de + +- replace the 4096 bit openSUSE UEFI CA certificate with new a + standard compliant 2048 bit one. + +------------------------------------------------------------------- +Tue Aug 20 11:48:25 UTC 2013 - lnussel@suse.de + +- fix shell syntax error + +------------------------------------------------------------------- +Wed Aug 7 15:51:36 UTC 2013 - lnussel@suse.de + +- don't include binary in the sources. Instead package the raw + signature and attach it during build (bnc#813448). + +------------------------------------------------------------------- +Tue Jul 30 07:36:28 UTC 2013 - glin@suse.com + +- Update shim-mokmanager-ui-revamp.patch to include fixes for + MokManager + + reboot the system after clearing MOK password + + fetch more info from X509 name + + check the suffix of the key file + +------------------------------------------------------------------- +Tue Jul 23 03:55:05 UTC 2013 - glin@suse.com + +- Update to 0.4 +- Rebase patches + + shim-suse-build.patch + + shim-mokmanager-support-crypt-hash-method.patch + + shim-bnc804631-fix-broken-bootpath.patch + + shim-bnc798043-no-doulbe-separators.patch + + shim-bnc807760-change-pxe-2nd-loader-name.patch + + shim-bnc808106-correct-certcount.patch + + shim-mokmanager-ui-revamp.patch +- Add patches + + shim-merge-lf-loader-code.patch: merge the Linux Foundation + loader UI code + + shim-fix-pointer-casting.patch: fix a casting issue and the + size of an empty vendor cert + + shim-fix-simple-file-selector.patch: fix the buffer allocation + in the simple file selector +- Remove upstreamed patches + + shim-support-mok-delete.patch + + 
shim-reboot-after-changes.patch + + shim-clear-queued-key.patch + + shim-local-key-sign-mokmanager.patch + + shim-get-2nd-stage-loader.patch + + shim-fix-loadoptions.patch +- Remove unused patch: shim-mokmanager-new-pw-hash.patch and + shim-keep-unsigned-mokmanager.patch +- Install the vendor certificate to /etc/uefi/certs + +------------------------------------------------------------------- +Wed May 8 06:40:12 UTC 2013 - glin@suse.com + +- Add shim-mokmanager-ui-revamp.patch to update the MokManager UI + +------------------------------------------------------------------- +Wed Apr 3 03:54:22 UTC 2013 - glin@suse.com + +- Call update-bootloader in %post to update *.efi in \efi\opensuse + (bnc#813079) + +------------------------------------------------------------------- +Fri Mar 8 06:53:47 UTC 2013 - glin@suse.com + +- Add shim-bnc807760-change-pxe-2nd-loader-name.patch to change the + PXE 2nd stage loader name (bnc#807760) +- Add shim-bnc808106-correct-certcount.patch to correct the + certificate count of the signature list (bnc#808106) + +------------------------------------------------------------------- +Fri Mar 1 10:07:55 UTC 2013 - glin@suse.com + +- Add shim-bnc798043-no-doulbe-separators.patch to remove double + seperators from the bootpath (bnc#798043#c4) + +------------------------------------------------------------------- +Thu Feb 28 08:57:48 UTC 2013 - lnussel@suse.de + +- sign shim also with openSUSE certificate + +------------------------------------------------------------------- +Wed Feb 27 15:52:53 CET 2013 - mls@suse.de + +- identify project, export certificate as DER file +- don't create an unused extra keypair + +------------------------------------------------------------------- +Thu Feb 21 10:08:12 UTC 2013 - glin@suse.com + +- Add shim-bnc804631-fix-broken-bootpath.patch to fix the broken + bootpath generated in generate_path(). 
(bnc#804631) + +------------------------------------------------------------------- +Mon Feb 11 12:15:25 UTC 2013 - fcrozat@suse.com + +- Update with shim signed by UEFI signing service, based on code + from "Thu Feb 7 06:56:19 UTC 2013". + +------------------------------------------------------------------- +Thu Feb 7 13:54:06 UTC 2013 - lnussel@suse.de + +- prepare for having a signed shim from the UEFI signing service + +------------------------------------------------------------------- +Thu Feb 7 06:56:19 UTC 2013 - glin@suse.com + +- Sign shim-opensuse.efi and MokManager.efi with the openSUSE cert +- Add shim-keep-unsigned-mokmanager.patch to keep the unsigned + MokManager and sign it later. + +------------------------------------------------------------------- +Wed Feb 6 06:35:45 UTC 2013 - mchang@suse.com + +- Add shim-install utility +- Add Recommends to grub2-efi + +------------------------------------------------------------------- +Wed Jan 30 09:00:31 UTC 2013 - glin@suse.com + +- Add shim-mokmanager-support-crypt-hash-method.patch to support + password hash from /etc/shadow (FATE#314506) + +------------------------------------------------------------------- +Tue Jan 29 03:20:48 UTC 2013 - glin@suse.com + +- Embed openSUSE-UEFI-CA-Certificate.crt in shim +- Rename shim-unsigned.efi to shim-opensuse.efi. + +------------------------------------------------------------------- +Fri Jan 18 10:06:13 UTC 2013 - glin@suse.com + +- Update shim-mokmanager-new-pw-hash.patch to extend the password + hash format +- Rename shim.efi as shim-unsigned.efi + +------------------------------------------------------------------- +Wed Jan 16 08:01:55 UTC 2013 - glin@suse.com + +- Merge patches for FATE#314506 + + Add shim-support-mok-delete.patch to add support for deleting + specific keys + + Add shim-mokmanager-new-pw-hash.patch to support the new + password hash. 
+- Drop shim-correct-mok-size.patch which is included in + shim-support-mok-delete.patch +- Merge shim-remove-debug-code.patch and + shim-local-sign-mokmanager.patch into + shim-local-key-sign-mokmanager.patch +- Install COPYRIGHT + +------------------------------------------------------------------- +Tue Jan 15 03:17:53 UTC 2013 - glin@suse.com + +- Add shim-fix-loadoptions.patch to adopt the UEFI shell style + LoadOptions (bnc#798043) +- Drop shim-check-pk-kek.patch since upstream rejected the patch + due to violation of SPEC. +- Install EFI binaries to /usr/lib64/efi + +------------------------------------------------------------------- +Wed Dec 26 07:05:02 UTC 2012 - glin@suse.com + +- Update shim-reboot-after-changes.patch to avoid rebooting the + system after enrolling keys/hashes from the file system +- Add shim-correct-mok-size.patch to correct the size of MOK +- Add shim-clear-queued-key.patch to clear the queued key and show + the menu properly + +------------------------------------------------------------------- +Wed Dec 12 15:16:18 UTC 2012 - fcrozat@suse.com + +- Remove shim-rpmlintrc, it wasn't fixing the error, hide error + stdout to prevent post build check to get triggered by cast + warnings in openSSL code +- Add shim-remove-debug-code.patch: remove debug code + +------------------------------------------------------------------- +Wed Dec 12 04:01:52 UTC 2012 - glin@suse.com + +- Add shim-rpmlintrc to filter 64bit portability errors + +------------------------------------------------------------------- +Tue Dec 11 07:36:32 UTC 2012 - glin@suse.com + +- Add shim-local-sign-mokmanager.patch to create a local certicate + to sign MokManager +- Add shim-get-2nd-stage-loader.patch to get the second stage + loader path from the load options +- Add shim-check-pk-kek.patch to verify EFI images with PK and KEK +- Add shim-reboot-after-changes.patch to reboot the system after + enrolling or erasing keys +- Install the EFI images to /usr/lib64/shim instead 
of the EFI + partition +- Update the mail address of the author + +------------------------------------------------------------------- +Fri Nov 2 08:19:37 UTC 2012 - glin@suse.com + +- Add new package shim 0.2 (FATE#314484) + + It's in fact git 2fd180a92 since there is no tag for 0.2 + diff --git a/shim-leap.spec b/shim-leap.spec new file mode 100644 index 0000000..ddf3e65 --- /dev/null +++ b/shim-leap.spec 
@@ -0,0 +1,107 @@
+#
+# spec file for package shim-leap
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+# Move 'efi'-executables to '/usr/share/efi' (FATE#326960, bsc#1166523)
+%define sysefibasedir %{_datadir}/efi
+%define sysefidir %{sysefibasedir}/%{_target_cpu}
+%if 0%{?suse_version} < 1600
+# provide compatibility sym-link for residual kiwi, etc.
+%define shim_lib64_share_compat 1
+%endif
+
+Name: shim-leap
+Version: 15.8
+Release: 0
+Summary: UEFI shim loader
+License: BSD-2-Clause
+Group: System/Boot
+Source: shim-15.8-lp155.8.2.x86_64.rpm
+Source1: README
+Source2: shim-install
+BuildRequires: fde-tpm-helper-rpm-macros
+BuildRequires: update-bootloader-rpm-macros
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
+ExclusiveArch: x86_64
+
+%description
+does not exist
+
+%package -n shim
+Summary: UEFI shim loader
+Group: System/Boot
+Requires: perl-Bootloader
+%if 0%{?fde_tpm_update_requires:1}
+%fde_tpm_update_requires
+%endif
+
+%description -n shim
+shim is a trivial EFI application that, when run, attempts to open and
+execute another application.
+
+%prep
+rpm2cpio %{SOURCE0} | cpio --extract --unconditional --preserve-modification-time --make-directories
+
+%build
+
+%install
+# purely repackaged
+cp -a * %{buildroot}
+cp %{S:1} .
+
+# Override shim-install
+install -m 755 %{S:2} %{buildroot}/%{_sbindir}/shim-install
+
+%if %{undefined shim_lib64_share_compat}
+# Remove the sym-links in /usr/lib64/efi
+rm -rf %{buildroot}/usr/lib64/efi
+%endif
+
+%post -n shim
+%if 0%{?fde_tpm_update_post:1}
+%fde_tpm_update_post shim
+%endif
+
+%if 0%{?update_bootloader_check_type_reinit_post:1}
+%update_bootloader_check_type_reinit_post grub2-efi
+%else
+/sbin/update-bootloader --reinit || true
+%endif
+
+%posttrans -n shim
+%{?update_bootloader_posttrans}
+%{?fde_tpm_update_posttrans}
+
+%files -n shim
+%doc README
+%dir %{?sysefibasedir}
+%dir %{sysefidir}
+%{sysefidir}/shim.efi
+%{sysefidir}/shim-*.efi
+%{sysefidir}/shim-*.der
+%{sysefidir}/MokManager.efi
+%{sysefidir}/fallback.efi
+%if %{defined shim_lib64_share_compat}
+# provide compatibility sym-link for previous kiwi, etc.
+%dir /usr/lib64/efi
+/usr/lib64/efi/*.efi
+%endif
+/etc/uefi
+%{_sbindir}/shim-install
+/usr/share/doc/packages/shim
+
+%changelog
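Review bot: `%prep` unpacks the prebuilt `%{SOURCE0}` with `rpm2cpio | cpio` and `%install` ships the result via `cp -a *`, with an empty `%build` and no `%check`, so nothing in the spec ties the repackaged `shim.efi` to the binary that was actually signed. The Git LFS pointer pins the RPM blob, but a later change of `Source:` would still build with any well-formed RPM that happens to contain the listed files. I would add a `%check` that fails on mismatch, for example `echo "<expected-sha256-of-shim.efi>  %{buildroot}%{sysefidir}/shim.efi" | sha256sum -c -`, with the digest updated in the same commit as the RPM. Separately, in `%post` the fallback `/sbin/update-bootloader --reinit || true` hides a failed reinstall, which presumably leaves the previous shim on the ESP while the package database reports 15.8; printing a warning to stderr before continuing would make that visible.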