Accepting request 1191006 from home:dtseng:branches:devel:openSUSE:Factory
bugowner: dtseng Submitting for upgrading shim to v15.8 (bsc#1215099, bsc#1215098,bsc#1215100,bsc#1215101,bsc#1215102,and bsc#1215103) OBS-URL: https://build.opensuse.org/request/show/1191006 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim-leap?expand=0&rev=42
commit
682c22204c
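--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text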
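--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc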
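--- a/README
+++ b/README
@@ -0,0 +1,5 @@
+Since shim needs a "stable" environment to reproduce the binary to match
+the signature from UEFI CA, it's difficult to maintain shim in Tumbleweed
+due to the nature of a rolling release distro. Instead of compiling shim
+for Tumbleweed, we directly import the binary the latest stable Leap
+release to maintain a stable and reproducible shim binary.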
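--- a/shim-15.4-lp152.4.17.1.x86_64.rpm
+++ b/shim-15.4-lp152.4.17.1.x86_64.rpm
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:13776ed2b68698091297f5e0e7156b401b1f7a9940785a1871335266fb524a30
+size 456552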
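--- a/shim-15.8-lp155.8.2.x86_64.rpm
+++ b/shim-15.8-lp155.8.2.x86_64.rpm
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2dde0a04e9468988abe978355ba50a3f14e10e110fdbcf80f52c94e922501cb0
+size 503544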
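--- a/shim-install
+++ b/shim-install
@@ -0,0 +1,515 @@
+#! /bin/bash -e
+
+arch=`uname -m`
+rootdir=
+bootdir=
+efidir=
+install_device=
+efibootdir=
+ca_string=
+no_nvram=no
+removable=no
+clean=no
+sysconfdir="/etc"
+libdir="/usr/lib64" # Beware, this is arch dependent!
+datadir="/usr/share"
+source_dir="${datadir}/efi/${arch}"
+efibootmgr="/usr/sbin/efibootmgr"
+grub_probe="/usr/sbin/grub2-probe"
+grub_mkrelpath="/usr/bin/grub2-mkrelpath"
+no_grub_install=no
+grub_install="/usr/sbin/grub2-install"
+grub_install_target=
+self="`basename $0`"
+grub_cfg="/boot/grub2/grub.cfg"
+update_boot=no
+def_grub_efi="${source_dir}/grub.efi"
+def_boot_efi=
+
+[ ! -r /usr/etc/default/shim ] || . /usr/etc/default/shim
+[ ! -r /etc/default/shim ] || . /etc/default/shim
+
+if [ -z "$def_shim_efi" -o ! -e ${source_dir}/${def_shim_efi} ] ; then
+def_shim_efi="shim.efi"
+fi
+
+source_shim_efi="${source_dir}/${def_shim_efi}"
+
+if [ x${arch} = xx86_64 ] ; then
+grub_install_target="x86_64-efi"
+def_boot_efi="bootx64.efi"
+elif [ x${arch} = xaarch64 ] ; then
+grub_install_target="arm64-efi"
+def_boot_efi="bootaa64.efi"
+else
+echo "Unsupported architecture: ${arch}"
+exit 1
+fi
+
+if [ ! -d "${source_dir}" -o ! -e "${def_grub_efi}" ] ; then
+# for outdated packages fall back to previous behavior
+source_dir="$libdir/efi"
+def_grub_efi="${source_dir}/grub.efi"
+fi
+
+# Get GRUB_DISTRIBUTOR.
+if test -f "${sysconfdir}/default/grub" ; then
+. "${sysconfdir}/default/grub"
+fi
+
+if [ x"${GRUB_DISTRIBUTOR}" = x ] && [ -f "${sysconfdir}/os-release" ] ; then
+. "${sysconfdir}/os-release"
+GRUB_DISTRIBUTOR="${NAME} ${VERSION}"
+fi
+
+bootloader_id="$(echo "$GRUB_DISTRIBUTOR" | tr 'A-Z' 'a-z' | cut -d' ' -f1)"
+if test -z "$bootloader_id"; then
+bootloader_id=grub
+fi
+
+efi_distributor="$bootloader_id"
+bootloader_id="${bootloader_id}-secureboot"
+
+case "$bootloader_id" in
+"sle"*)
+ca_string='SUSE Linux Enterprise Secure Boot CA1';;
+"opensuse"*)
+ca_string='openSUSE Secure Boot CA1';;
+*) ca_string="";;
+esac
+
+is_azure () {
+local bios_vendor;
+local product_name;
+local sys_vendor;
+
+local sysfs_dmi_id="/sys/class/dmi/id"
+
+if test -e "${sysfs_dmi_id}/bios_vendor"; then
+bios_vendor=$(cat "${sysfs_dmi_id}/bios_vendor")
+fi
+if test -e "${sysfs_dmi_id}/product_name"; then
+product_name=$(cat "${sysfs_dmi_id}/product_name")
+fi
+if test -e "${sysfs_dmi_id}/sys_vendor"; then
+sys_vendor=$(cat "${sysfs_dmi_id}/sys_vendor")
+fi
+
+if test "x${bios_vendor}" != "xMicrosoft Corporation"; then
+# return false
+return 1
+fi
+
+if test "x${product_name}" != "xVirtual Machine"; then
+# return false
+return 1
+fi
+
+if test "x${sys_vendor}" != "xMicrosoft Corporation"; then
+# return false
+return 1
+fi
+
+# return true
+return 0
+}
+
+usage () {
+echo "Usage: $self [OPTION] [INSTALL_DEVICE]"
+echo
+echo "Install Secure Boot Loaders on your drive."
+echo
+echo "--directory=DIR use images from DIR."
+echo "--grub-probe=FILE use FILE as grub-probe."
+echo "--removable the installation device is removable."
+echo "--no-nvram don't update the NVRAM variable."
+echo "--bootloader-id=ID the ID of bootloader."
+echo "--efi-directory=DIR use DIR as the EFI System Partition root."
+echo "--config-file=FILE use FILE as config file, default is $grub_cfg."
+echo "--clean remove all installed files and configs."
+echo "--suse-enable-tpm install grub.efi with TPM support."
+echo "--no-grub-install Do not run grub2-install."
+echo
+echo "INSTALL_DEVICE must be system device filename."
+}
+
+argument () {
+opt="$1"
+shift
+
+if test $# -eq 0; then
+echo "$0: option requires an argument -- \`$opt'" 1>&2
+exit 1
+fi
+echo "$1"
+}
+
+# Check the arguments.
+while test $# -gt 0
+do
+option=$1
+shift
+
+case "$option" in
+-h | --help)
+usage
+exit 0 ;;
+
+--root-directory)
+rootdir="`argument $option "$@"`"; shift;;
+--root-directory=*)
+rootdir="`echo "$option" | sed 's/--root-directory=//'`" ;;
+
+--efi-directory)
+efidir="`argument $option "$@"`"; shift;;
+--efi-directory=*)
+efidir="`echo "$option" | sed 's/--efi-directory=//'`" ;;
+
+--directory | -d)
+source_dir="`argument $option "$@"`"; shift;;
+--directory=*)
+source_dir="`echo "$option" | sed 's/--directory=//'`" ;;
+
+--bootloader-id)
+bootloader_id="`argument $option "$@"`"; shift;;
+--bootloader-id=*)
+bootloader_id="`echo "$option" | sed 's/--bootloader-id=//'`" ;;
+
+--grub-probe)
+grub_probe="`argument "$option" "$@"`"; shift;;
+--grub-probe=*)
+grub_probe="`echo "$option" | sed 's/--grub-probe=//'`" ;;
+
+--config-file)
+grub_cfg="`argument "$option" "$@"`"; shift;;
+--config-file=*)
+grub_cfg="`echo "$option" | sed 's/--config-file=//'`" ;;
+
+--removable)
+no_nvram=yes
+removable=yes ;;
+
+--no-nvram)
+no_nvram=yes ;;
+
+--suse-enable-tpm)
+# bsc#1174320 shim-install uses wrong paths for EFI files
+# There are 3 possible locations of grub-tpm.efi and we will check them
+# one by one.
+if [ -e "${source_dir}/grub-tpm.efi" ]; then
+source_grub_efi="${source_dir}/grub-tpm.efi"
+elif [ -e "${datadir}/grub2/${grub_install_target}/grub-tpm.efi" ] ; then
+source_grub_efi="${datadir}/grub2/${grub_install_target}/grub-tpm.efi"
+else
+source_grub_efi="/usr/lib/grub2/${grub_install_target}/grub-tpm.efi"
+fi
+;;
+
+--clean)
+clean=yes ;;
+
+--no-grub-install)
+no_grub_install=yes ;;
+
+-*)
+echo "Unrecognized option \`$option'" 1>&2
+usage
+exit 1
+;;
+*)
+if test "x$install_device" != x; then
+echo "More than one install device?" 1>&2
+usage
+exit 1
+fi
+install_device="${option}" ;;
+esac
+done
+
+if test -n "$efidir"; then
+efi_fs=`"$grub_probe" --target=fs "${efidir}"`
+if test "x$efi_fs" = xfat; then :; else
+echo "$efidir doesn't look like an EFI partition." 1>&2
+efidir=
+fi
+fi
+
+
+if [ -z "$bootdir" ]; then
+bootdir="/boot"
+if [ -n "$rootdir" ] ; then
+# Initialize bootdir if rootdir was initialized.
+bootdir="${rootdir}/boot"
+fi
+fi
+
+# Find the EFI System Partition.
+if test -n "$efidir"; then
+install_device="`"$grub_probe" --target=device --device-map= "${efidir}"`"
+else
+if test -d "${bootdir}/efi"; then
+install_device="`"$grub_probe" --target=device --device-map= "${bootdir}/efi"`"
+# Is it a mount point?
+if test "x$install_device" != "x`"$grub_probe" --target=device --device-map= "${bootdir}"`"; then
+efidir="${bootdir}/efi"
+fi
+elif test -d "${bootdir}/EFI"; then
+install_device="`"$grub_probe" --target=device --device-map= "${bootdir}/EFI"`"
+# Is it a mount point?
+if test "x$install_device" != "x`"$grub_probe" --target=device --device-map= "${bootdir}"`"; then
+efidir="${bootdir}/EFI"
+fi
+elif test -n "$rootdir" && test "x$rootdir" != "x/"; then
+# The EFI System Partition may have been given directly using
+# --root-directory.
+install_device="`"$grub_probe" --target=device --device-map= "${rootdir}"`"
+# Is it a mount point?
+if test "x$install_device" != "x`"$grub_probe" --target=device --device-map= "${rootdir}/.."`"; then
+efidir="${rootdir}"
+fi
+fi
+
+if test -n "$efidir"; then
+efi_fs=`"$grub_probe" --target=fs "${efidir}"`
+if test "x$efi_fs" = xfat; then :; else
+echo "$efidir doesn't look like an EFI partition." 1>&2
+efidir=
+fi
+fi
+fi
+
+if test -n "$efidir"; then
+efi_file=shim.efi
+efibootdir="$efidir/EFI/boot"
+mkdir -p "$efibootdir" || exit 1
+if test "$removable" = "yes" ; then
+efidir="$efibootdir"
+else
+efidir="$efidir/EFI/$efi_distributor"
+mkdir -p "$efidir" || exit 1
+fi
+else
+echo "No valid EFI partition" 1>&2
+exit 1;
+fi
+
+if test "$removable" = "no" -a -f "$efibootdir/$def_boot_efi"; then
+if test -n "$ca_string" && (grep -q "$ca_string" "$efibootdir/$def_boot_efi"); then
+update_boot=yes
+fi
+else
+update_boot=yes
+fi
+
+if test "$clean" = "yes"; then
+rm -f "${efidir}/shim.efi"
+rm -f "${efidir}/MokManager.efi"
+rm -f "${efidir}/grub.efi"
+rm -f "${efidir}/grub.cfg"
+rm -f "${efidir}/boot.csv"
+if test "$update_boot" = "yes"; then
+rm -f "${efibootdir}/${def_boot_efi}"
+rm -f "${efibootdir}/fallback.efi"
+# bsc#1175626, bsc#1175656 also clean up MokManager
+rm -f "${efibootdir}/MokManager.efi"
+fi
+if test "$no_nvram" = no && test -n "$bootloader_id"; then
+# Delete old entries from the same distributor.
+for bootnum in `$efibootmgr | grep '^Boot[0-9]' | \
+fgrep -i " $bootloader_id" | cut -b5-8`; do
+$efibootmgr -b "$bootnum" -B
+done
+fi
+exit 0
+fi
+
+cp "${source_dir}/MokManager.efi" "${efidir}"
+
+if test -n "$source_grub_efi" && ! test -f "$source_grub_efi"; then
+echo "File $source_grub_efi doesn't exist, fallback to default one" 1>&2
+source_grub_efi=""
+fi
+
+if test -z "$source_grub_efi"; then
+source_grub_efi="$def_grub_efi"
+fi
+
+echo "copying $source_grub_efi to ${efidir}/grub.efi"
+cp "$source_grub_efi" "${efidir}/grub.efi"
+
+if test "$efidir" != "$efibootdir" ; then
+cp "${source_shim_efi}" "${efidir}/shim.efi"
+if test -n "$bootloader_id"; then
+echo "shim.efi,${bootloader_id}" | iconv -f ascii -t ucs2 > "${efidir}/boot.csv"
+fi
+fi
+
+if test "$update_boot" = "yes"; then
+cp "$source_shim_efi" "${efibootdir}/${def_boot_efi}"
+if test "$removable" = "no"; then
+cp "${source_dir}/fallback.efi" "${efibootdir}"
+# bsc#1175626, bsc#1175656 Since shim 15, loading MokManager becomes
+# mandatory if a MOK request exists. Copy MokManager to \EFI\boot so
+# that boot*.efi can load MokManager to process the request instead
+# of shutting down the system immediately.
+cp "${source_dir}/MokManager.efi" "${efibootdir}"
+fi
+fi
+
+
+prepare_cryptodisk () {
+uuid="$1"
+
+if [ "x$GRUB_CRYPTODISK_PASSWORD" != x ]; then
+echo "cryptomount -u $uuid -p \"$GRUB_CRYPTODISK_PASSWORD\""
+return
+fi
+
+if [ "x$GRUB_TPM2_SEALED_KEY" = x ]; then
+echo "cryptomount -u $uuid"
+return
+fi
+
+tpm_sealed_key="${GRUB_TPM2_SEALED_KEY}"
+
+declare -g TPM_PCR_SNAPSHOT_TAKEN
+
+if [ -z "$TPM_PCR_SNAPSHOT_TAKEN" ]; then
+TPM_PCR_SNAPSHOT_TAKEN=1
+
+# Check if tpm_record_pcrs is available and set the command to
+# grub.cfg.
+if grep -q "tpm_record_pcrs" ${datadir}/grub2/${arch}-efi/command.lst ; then
+echo "tpm_record_pcrs 0-9"
+fi
+fi
+
+tpm_srk_alg="${GRUB_TPM2_SRK_ALG}"
+
+if [ -z "$tpm_srk_alg" ]; then
+tpm_srk_alg="RSA"
+fi
+
+cat <<EOF
+tpm2_key_protector_init -a $tpm_srk_alg -T \$prefix/$tpm_sealed_key
+if ! cryptomount -u $uuid --protector tpm2; then
+cryptomount -u $uuid
+fi
+EOF
+}
+
+
+make_grubcfg () {
+
+grub_cfg_dirname=`dirname $grub_cfg`
+grub_cfg_basename=`basename $grub_cfg`
+cfg_fs_uuid=`"$grub_probe" --target=fs_uuid "$grub_cfg_dirname"`
+# bsc#1153953 - Leap 42.3 boot error snapshot missing
+# We have to check btrfs is used as root file system to enable relative path
+# lookup for file to be on par with other utility which also accounts for it.
+GRUB_FS="$(stat -f --printf=%T / || echo unknown)"
+
+if test "x$SUSE_BTRFS_SNAPSHOT_BOOTING" = "xtrue" &&
+[ "x${GRUB_FS}" = "xbtrfs" ] ; then
+cat <<EOF
+set btrfs_relative_path="yes"
+EOF
+if ${grub_mkrelpath} --usage | grep -q -e '--relative'; then
+grub_mkrelpath="${grub_mkrelpath} -r"
+fi
+fi
+
+if [ x$GRUB_ENABLE_CRYPTODISK = xy ]; then
+for uuid in `"${grub_probe}" --target=cryptodisk_uuid --device-map= "${grub_cfg_dirname}"`; do
+prepare_cryptodisk "$uuid"
+done
+fi
+
+hints="`"${grub_probe}" --target=hints_string "${grub_cfg_dirname}" 2> /dev/null`"
+
+if [ "x$hints" != x ]; then
+echo "if [ x\$feature_platform_search_hint = xy ]; then"
+echo " search --no-floppy --fs-uuid --set=root ${hints} ${cfg_fs_uuid}"
+echo "else"
+echo " search --no-floppy --fs-uuid --set=root ${cfg_fs_uuid}"
+echo "fi"
+else
+echo "search --no-floppy --fs-uuid --set=root ${cfg_fs_uuid}"
+fi
+
+cat <<EOF
+set prefix=(\${root})`${grub_mkrelpath} ${grub_cfg_dirname}`
+source "\${prefix}/${grub_cfg_basename}"
+EOF
+
+}
+
+# bnc#889765 GRUB shows broken letters at boot
+# invoke grub_install to initialize /boot/grub2 directory with files needed by grub.cfg
+# bsc#1118363 shim-install didn't specify the target for grub2-install
+# set the target explicitly for some special cases
+if test "$no_grub_install" != "yes"; then
+${grub_install} --target=${grub_install_target} --no-nvram
+fi
+
+# Making sure grub.cfg not overwritten by grub-install above
+make_grubcfg > "${efidir}/grub.cfg"
+
+if test "$no_nvram" = no && test -n "$bootloader_id"; then
+
+modprobe -q efivars 2>/dev/null || true
+
+# Delete old entries from the same distributor.
+for bootnum in `$efibootmgr | grep '^Boot[0-9]' | \
+fgrep -i " $bootloader_id" | cut -b5-8`; do
+$efibootmgr -b "$bootnum" -B
+done
+
+efidir_drive="$("$grub_probe" --target=drive --device-map= "$efidir")"
+efidir_disk="$("$grub_probe" --target=disk --device-map= "$efidir")"
+if test -z "$efidir_drive" || test -z "$efidir_disk"; then
+echo "Can't find GRUB drive for $efidir; unable to create EFI Boot Manager entry." >&2
+# bsc#1119762 If the MD device is partitioned, we just need to create one
+# boot entry since the partitions are nested partitions and the mirrored
+# partitions share the same UUID.
+elif [[ "$efidir_drive" == \(mduuid/* && "$efidir_drive" != \(mduuid/*,* ]]; then
+eval $(mdadm --detail --export "$efidir_disk" |
+perl -ne 'print if m{^MD_LEVEL=}; push( @D, $1) if (m{^MD_DEVICE_\S+_DEV=(\S+)$});
+sub END() {print "MD_DEVS=\"", join( " ", @D), "\"\n";};')
+if [ "$MD_LEVEL" != "raid1" ]; then
+echo "GRUB drive for $efidir not on RAID1; unable to create EFI Boot Manager entry." >&2
+fi
+for mddev in $MD_DEVS; do
+efidir_drive="$("$grub_probe" --target=drive --device-map= -d "$mddev")"
+efidir_disk="$("$grub_probe" --target=disk --device-map= -d "$mddev")"
+efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')"
+efidir_d=${mddev#/dev/}
+$efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \
+-L "$bootloader_id ($efidir_d)" -l "\\EFI\\$efi_distributor\\$efi_file"
+done
+else
+efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')"
+$efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \
+-L "$bootloader_id" -l "\\EFI\\$efi_distributor\\$efi_file"
+fi
+fi
+
+# bsc#1185464 bsc#1185961
+# The Azure firmware sometimes doesn't respect the boot option created by
+# either efibootmgr or fallback.efi so we have to remove fallback.efi to
+# avoid the endless reset loop.
+if is_azure; then
+# Skip the workaround if we don't own \EFI\Boot or the removable
+# option is used
+if test "$update_boot" = "yes" && test "$removable" = "no"; then
+# Remove fallback.efi which could cause the reset loop in Azure
+rm -f "${efibootdir}/fallback.efi"
+# Remove the older grub binary and config
+rm -f "${efibootdir}/grub.efi"
+rm -f "${efibootdir}/grub.cfg"
+# Install new grub binary and config file to \EFI\Boot as
+# the "removable" option
+cp "${efidir}/grub.cfg" "${efibootdir}/grub.cfg"
+cp "${efidir}/grub.efi" "${efibootdir}/grub.efi"
+fi
+fi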
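Review bot: `prepare_cryptodisk` emits `cryptomount -u $uuid -p "$GRUB_CRYPTODISK_PASSWORD"`, and that output is redirected by `make_grubcfg > "${efidir}/grub.cfg"`, so whenever `GRUB_CRYPTODISK_PASSWORD` is set the volume passphrase is stored in cleartext on the ESP, which the script itself requires to be FAT and which therefore has no file permissions to restrict who reads it. Presumably this branch is meant for a temporary provisioning passphrase; if so it should say that, e.g. `# NOTE: written in cleartext to the ESP; only for a temporary passphrase that is replaced after first boot`, with the `GRUB_TPM2_SEALED_KEY` path remaining the normal one. The value is also placed unescaped between double quotes, so a passphrase containing `"`, `\` or `$` changes how GRUB parses the line; escaping those characters before the `echo` keeps the generated grub.cfg from carrying a broken or unintended command.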
823
shim-leap.changes
Normal file
823
shim-leap.changes
Normal file
@ -0,0 +1,823 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Jul 23 03:27:56 UTC 2024 - Dennis Tseng <dennis.tseng@suse.com>
|
||||||
|
|
||||||
|
- Update to shim to 15.8-shim-15.8-lp155.8.2.x86_64.rpm from
|
||||||
|
openSUSE secure-boot 15.5
|
||||||
|
+ Version: 15.8, "Jan 23 2024"
|
||||||
|
+ Align the outside shim-install with the one in RPM file.
|
||||||
|
This is because all important fixes in outside shim-install are
|
||||||
|
also fixed in shim-install of RPM file. For consistency purposes,
|
||||||
|
the outside shim-install is updated in this version.
|
||||||
|
+ Include the bug fixes for bsc#1215099,bsc#1215098,bsc#1215100,bsc#1215101,
|
||||||
|
bsc#1215102, and bsc#1215103.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Mar 14 05:58:13 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
|
||||||
|
|
||||||
|
- Update shim-install to set the SRK algorithm for grub2 TPM2
|
||||||
|
key protector (bsc#1213945)
|
||||||
|
+ 92d0f4305df73 Set the SRK algorithm for the TPM2 protector
|
||||||
|
- Build with update-bootloader-rpm-macros and
|
||||||
|
fde-tpm-helper-rpm-macros and update the %post and %posttrans
|
||||||
|
macros correctly
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Jun 7 02:29:44 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
|
||||||
|
|
||||||
|
- Update shim-install to support FDE
|
||||||
|
+ Read GRUB_CRYPTODISK_PASSWORD and GRUB_TPM2_SEALED_KEY to
|
||||||
|
create the proper cryptomount command for grub.cfg
|
||||||
|
+ Save the PCR snapshot if grub2 supports the command
|
||||||
|
+ Support 'no_grub_install' to skip grub2-install
|
||||||
|
+ Detect the OS ID of openSUSE Leap
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu May 25 07:48:54 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
|
||||||
|
|
||||||
|
- Remove the sym-links in /usr/lib64/efi for the newer distro
|
||||||
|
versions since we don't use them anymore
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Jul 21 09:38:30 UTC 2021 - jlee@suse.com
|
||||||
|
|
||||||
|
- Update to shim to 15.4-lp152.4.17.1 from openSUSE Leap 15.2
|
||||||
|
+ Version: 15.4, "Thu Jul 15 2021"
|
||||||
|
+ Updated openSUSE x86 signature
|
||||||
|
+ Include the fixes for bsc#1187696, bsc#1185261, bsc#1185441,
|
||||||
|
bsc#1187071, bsc#1185621, bsc#1185261, bsc#1185232, bsc#1185261,
|
||||||
|
bsc#1187260, bsc#1185232.
|
||||||
|
- Remove shim-install because the shim-install is updated in Leap
|
||||||
|
15.2 RPM.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu May 20 01:25:06 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
|
||||||
|
|
||||||
|
- shim-install: instead of assuming "removable" for Azure, remove
|
||||||
|
fallback.efi from \EFI\Boot and copy grub.efi/cfg to \EFI\Boot
|
||||||
|
to make \EFI\Boot bootable and keep the boot option created by
|
||||||
|
efibootmgr (bsc#1185464, bsc#1185961)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri May 7 08:54:20 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
|
||||||
|
|
||||||
|
- shim-install: always assume "removable" for Azure to avoid the
|
||||||
|
endless reset loop (bsc#1185464)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Apr 27 07:45:26 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
|
||||||
|
|
||||||
|
- Update to shim to 15.4-lp152.4.8.1 from openSUSE Leap 15.2 for
|
||||||
|
SBAT support (bsc#1182057)
|
||||||
|
+ Version: 15.4, "Wed Apr 21 05:46:19 UTC 2021"
|
||||||
|
+ Include the fixes for bsc#1177789, CVE-2019-14584, bsc#1177315,
|
||||||
|
bsc#1175509, bsc#1173411, bsc#1177404, bsc#1174512, bsc#1184454
|
||||||
|
- Add README to note why we need shim-leap for Tumbleweed
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Aug 27 07:27:54 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>
|
||||||
|
|
||||||
|
- Update shim to 15+git47-lp152.4.5.1 from openSUSE Leap 15.2
|
||||||
|
+ shim-install: install MokManager to \EFI\boot to process the
|
||||||
|
pending MOK request (bsc#1175626, bsc#1175656)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Aug 11 06:36:37 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>
|
||||||
|
|
||||||
|
- Update shim to 15+git47-lp152.4.3.1 from openSUSE Leap 15.2
|
||||||
|
+ Version: 15+git47 "Fri Jul 31 07:41:26 UTC 2020"
|
||||||
|
+ Use shim-install in the rpm package
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Jul 22 09:33:51 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>
|
||||||
|
|
||||||
|
- Update the path to grub-tpm.efi in shim-install (bsc#1174320)
|
||||||
|
- shim-install: add check for btrfs is used as root file system to enable
|
||||||
|
relative path lookup for file. (bsc#1153953)
|
||||||
|
- Update shim-install to handle the partitioned MD devices
|
||||||
|
(bsc#1119762, bsc#1119763)
|
||||||
|
- Update grub2 path in shim-install
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Mar 31 08:38:56 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>
|
||||||
|
|
||||||
|
- Use the full path of efibootmgr to avoid errors when invoking
|
||||||
|
shim-install from packagekitd (bsc#1168104)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Mar 30 06:05:58 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>
|
||||||
|
|
||||||
|
- Use "suse_version" instead of "sle_version" to avoid
|
||||||
|
shim_lib64_share_compat being set in Tumbleweed forever.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Mar 27 05:32:11 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>
|
||||||
|
|
||||||
|
- Move 'efi'-executables to '/usr/share/efi'
|
||||||
|
(FATE#326960, bsc#1166523)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Dec 6 03:23:04 UTC 2018 - Gary Ching-Pang Lin <glin@suse.com>
|
||||||
|
|
||||||
|
- Update shim-install to set the grub2-install target explicitly
|
||||||
|
for some special cases. (bsc#1118363)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Jun 8 10:39:42 UTC 2018 - glin@suse.com
|
||||||
|
|
||||||
|
- Update shim to 14-lp150.8.5.1
|
||||||
|
+ Replace shim-bsc1092000-fallback-always-try-first-option.patch
|
||||||
|
with shim-bsc1092000-fallback-menu.patch to show a countdown
|
||||||
|
menu before reset (bsc#1092000)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon May 14 08:52:34 UTC 2018 - glin@suse.com
|
||||||
|
|
||||||
|
- Update shim to 14-lp150.7.3
|
||||||
|
+ Amend fallback.efi to avoid being trapped in the infinite reset
|
||||||
|
loop (bsc#1092000)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Apr 25 08:17:45 UTC 2018 - mlin@suse.com
|
||||||
|
|
||||||
|
- Update shim to 14-lp150.4.1
|
||||||
|
- New signature from Microsoft
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Apr 25 03:44:04 UTC 2017 - glin@suse.com
|
||||||
|
|
||||||
|
- Update shim to 0.9-15.3.1
|
||||||
|
+ shim-install: add option --suse-enable-tpm (fate#315831)
|
||||||
|
(Fix from mchang@suse.com)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Dec 27 05:47:23 UTC 2016 - glin@suse.com
|
||||||
|
|
||||||
|
- Update shim to 0.9-13.1
|
||||||
|
+ Update shim-install to support "--no-nvram" and improve
|
||||||
|
removable media and fallback mode handling (bsc#985568,
|
||||||
|
bsc#999818) (Fix from mchang@suse.com)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Oct 7 09:31:29 UTC 2016 - jsegitz@novell.com
|
||||||
|
|
||||||
|
- New signature from Microsoft
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Aug 19 06:46:59 UTC 2016 - mchang@suse.com
|
||||||
|
|
||||||
|
- shim-install : fix regression of password prompt (bsc#993764)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Aug 5 02:53:54 UTC 2016 - glin@suse.com
|
||||||
|
|
||||||
|
- Add shim-bsc991885-fix-sig-length.patch to fix the signature
|
||||||
|
length passed to Authenticode (bsc#991885)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Aug 3 09:10:25 UTC 2016 - glin@suse.com
|
||||||
|
|
||||||
|
- Update shim-bsc973496-mokmanager-no-append-write.patch to try
|
||||||
|
append write first
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Aug 2 02:59:46 UTC 2016 - glin@suse.com
|
||||||
|
|
||||||
|
- Add shim-update-openssl-1.0.2h.patch to update openssl to 1.0.2h
|
||||||
|
- Bump the requirement of gnu-efi due to the HTTPBoot support
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Aug 1 09:01:59 UTC 2016 - glin@suse.com
|
||||||
|
|
||||||
|
- Add shim-httpboot-support.patch to support HTTPBoot
|
||||||
|
- Add shim-update-openssl-1.0.2g.patch to update openssl to 1.0.2g
|
||||||
|
and Cryptlib to 5e2318dd37a51948aaf845c7d920b11f47cdcfe6
|
||||||
|
- Drop patches since they are merged into
|
||||||
|
shim-update-openssl-1.0.2g.patch
|
||||||
|
+ shim-update-openssl-1.0.2d.patch
|
||||||
|
+ shim-gcc5.patch
|
||||||
|
+ shim-bsc950569-fix-cryptlib-va-functions.patch
|
||||||
|
+ shim-fix-aarch64.patch
|
||||||
|
- Refresh shim-change-debug-file-path.patch
|
||||||
|
- Add shim-bsc973496-mokmanager-no-append-write.patch to work
|
||||||
|
around the firmware that doesn't support APPEND_WRITE (bsc973496)
|
||||||
|
- shim-install : remove '\n' from the help message (bsc#991188)
|
||||||
|
- shim-install : print a message if there is no valid EFI partition
|
||||||
|
(bsc#991187)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon May 9 11:20:56 UTC 2016 - rw@suse.com
|
||||||
|
|
||||||
|
- shim-install : support simple MD RAID1 target devices (FATE#314829)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed May 4 10:40:52 UTC 2016 - agraf@suse.com
|
||||||
|
|
||||||
|
- Add shim-fix-aarch64.patch to fix compilation on AArch64 (bsc#978438)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Mar 9 07:15:52 UTC 2016 - mchang@suse.com
|
||||||
|
|
||||||
|
- shim-install : fix typing ESC can escape to parent config which is
|
||||||
|
in command mode and cannot return back (bsc#966701)
|
||||||
|
- shim-install : fix no which command for JeOS (bsc#968264)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Dec 3 10:26:14 UTC 2015 - jsegitz@novell.com
|
||||||
|
|
||||||
|
- acquired updated signature from Microsoft
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Nov 9 08:22:43 UTC 2015 - glin@suse.com
|
||||||
|
|
||||||
|
- Add shim-bsc950569-fix-cryptlib-va-functions.patch to fix the
|
||||||
|
definition of va functions to avoid the potential crash
|
||||||
|
(bsc#950569)
|
||||||
|
- Update shim-opensuse-cert-prompt.patch to avoid setting NULL to
|
||||||
|
MokListRT (bsc#950801)
|
||||||
|
- Drop shim-fix-mokmanager-sections.patch as we are using the
|
||||||
|
newer binutils now
|
||||||
|
- Refresh shim-change-debug-file-path.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Oct 8 06:49:43 UTC 2015 - jsegitz@novell.com
|
||||||
|
|
||||||
|
- acquired updated signature from Microsoft
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Sep 15 05:03:10 UTC 2015 - mchang@suse.com
|
||||||
|
|
||||||
|
- shim-install : set default GRUB_DISTRIBUTOR from /etc/os-release
|
||||||
|
if it is empty or not set by user (bsc#942519)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Jul 16 06:49:01 UTC 2015 - glin@suse.com
|
||||||
|
|
||||||
|
- Add shim-update-openssl-1.0.2d.patch to update openssl to 1.0.2d
|
||||||
|
- Refresh shim-gcc5.patch and add it back since we really need it
|
||||||
|
- Add shim-change-debug-file-path.patch to change the debug file
|
||||||
|
path in shim.efi
|
||||||
|
+ also add the debuginfo and debugsource subpackages
|
||||||
|
- Drop shim-fix-gnu-efi-30w.patch which is not necessary anymore
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Jul 6 09:06:02 UTC 2015 - glin@suse.com
|
||||||
|
|
||||||
|
- Update to 0.9
|
||||||
|
- Refresh patches
|
||||||
|
+ shim-fix-gnu-efi-30w.patch
|
||||||
|
+ shim-fix-mokmanager-sections.patch
|
||||||
|
+ shim-opensuse-cert-prompt.patch
|
||||||
|
- Drop upstreamed patches
|
||||||
|
+ shim-bsc920515-fix-fallback-buffer-length.patch
|
||||||
|
+ shim-mokx-support.patch
|
||||||
|
+ shim-update-cryptlib.patch
|
||||||
|
- Drop shim-bsc919675-uninstall-shim-protocols.patch since
|
||||||
|
upstream fixed the bug in another way.
|
||||||
|
- Drop shim-gcc5.patch which was fixed in another way
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Apr 8 07:10:39 UTC 2015 - glin@suse.com
|
||||||
|
|
||||||
|
- Fix tags in the spec file
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Apr 7 07:42:06 UTC 2015 - glin@suse.com
|
||||||
|
|
||||||
|
- Add shim-update-cryptlib.patch to update Cryptlib to r16559 and
|
||||||
|
openssl to 0.9.8zf
|
||||||
|
- Add shim-bsc919675-uninstall-shim-protocols.patch to uninstall
|
||||||
|
the shim protocols at Exit (bsc#919675)
|
||||||
|
- Add shim-bsc920515-fix-fallback-buffer-length.patch to adjust
|
||||||
|
the buffer size for the boot options (bsc#920515)
|
||||||
|
- Refresh shim-opensuse-cert-prompt.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Apr 2 16:31:28 UTC 2015 - crrodriguez@opensuse.org
|
||||||
|
|
||||||
|
- shim-gcc5.patch: shim needs -std=gnu89 to build with GCC5
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Feb 17 06:02:34 UTC 2015 - mchang@suse.com
|
||||||
|
|
||||||
|
- shim-install : fix cryptodisk installation (boo#917427)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Nov 11 04:26:00 UTC 2014 - glin@suse.com
|
||||||
|
|
||||||
|
- Add shim-fix-mokmanager-sections.patch to fix the objcopy
|
||||||
|
parameters for the EFI files
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Oct 28 04:00:51 UTC 2014 - glin@suse.com
|
||||||
|
|
||||||
|
- Update to 0.8
|
||||||
|
- Add shim-fix-gnu-efi-30w.patch to adapt the change in
|
||||||
|
gnu-efi-3.0w
|
||||||
|
- Merge shim-signed-unsigned-compares.patch,
|
||||||
|
shim-mokmanager-support-sha-family.patch and
|
||||||
|
shim-bnc863205-mokmanager-fix-hash-delete.patch into
|
||||||
|
shim-mokx-support.patch
|
||||||
|
- Refresh shim-opensuse-cert-prompt.patch
|
||||||
|
- Drop upstreamed patches: shim-update-openssl-0.9.8zb.patch,
|
||||||
|
bug-889332_shim-overflow.patch, and bug-889332_shim-mok-oob.patch
|
||||||
|
- Enable aarch64
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Oct 13 13:09:14 UTC 2014 - jsegitz@novell.com
|
||||||
|
|
||||||
|
- Fixed buffer overflow and OOB access in shim trusted code path
|
||||||
|
(bnc#889332, CVE-2014-3675, CVE-2014-3676, CVE-2014-3677)
|
||||||
|
* added bug-889332_shim-mok-oob.patch, bug-889332_shim-overflow.patch
|
||||||
|
- Added new certificate by Microsoft
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Sep 3 12:32:25 UTC 2014 - lnussel@suse.de
|
||||||
|
|
||||||
|
- re-introduce build failure if shim_enforce_ms_signature is defined. That way
|
||||||
|
a project like openSUSE:Factory can decide whether or not shim needs a valid
|
||||||
|
MS signature.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Aug 19 04:38:36 UTC 2014 - glin@suse.com
|
||||||
|
|
||||||
|
- Add shim-update-openssl-0.9.8zb.patch to update openssl to
|
||||||
|
0.9.8zb
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Aug 12 14:19:36 UTC 2014 - jsegitz@suse.com
|
||||||
|
|
||||||
|
- updated shim to new version (OpenSSL 0.9.8za) and requested a new
|
||||||
|
certificate from Microsoft. Removed
|
||||||
|
* shim-allow-fallback-use-system-loadimage.patch
|
||||||
|
* shim-bnc872503-check-key-encoding.patch
|
||||||
|
* shim-bnc877003-fetch-from-the-same-device.patch
|
||||||
|
* shim-correct-user_insecure-usage.patch
|
||||||
|
* shim-fallback-avoid-duplicate-bootorder.patch
|
||||||
|
* shim-fallback-improve-entries-creation.patch
|
||||||
|
* shim-fix-dhcpv4-path-generation.patch
|
||||||
|
* shim-fix-uninitialized-variable.patch
|
||||||
|
* shim-fix-verify-mok.patch
|
||||||
|
* shim-get-variable-check.patch
|
||||||
|
* shim-improve-error-messages.patch
|
||||||
|
* shim-mokmanager-delete-bs-var-right.patch
|
||||||
|
* shim-mokmanager-handle-keystroke-error.patch
|
||||||
|
* shim-remove-unused-variables.patch
|
||||||
|
since they're included in upstream and rebased the remaining onces.
|
||||||
|
Added shim-signed-unsigned-compares.patch to fix some compiler
|
||||||
|
warnings
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Aug 12 09:18:42 UTC 2014 - glin@suse.com
|
||||||
|
|
||||||
|
- Keep shim-devel.efi for the devel project
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Aug 8 11:18:36 UTC 2014 - lnussel@suse.de
|
||||||
|
|
||||||
|
- don't fail the build if the UEFI signing service signature can't
|
||||||
|
be attached anymore. This way shim can still pass through staging
|
||||||
|
projects. We will verify the correct signature for release builds
|
||||||
|
using openQA instead.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Aug 4 07:53:22 UTC 2014 - mchang@suse.com
|
||||||
|
|
||||||
|
- shim-install: fix GRUB shows broken letters at boot by calling
|
||||||
|
grub2-install to initialize /boot/grub2 directory with files
|
||||||
|
needed by grub.cfg (bnc#889765)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed May 28 04:13:33 UTC 2014 - glin@suse.com
|
||||||
|
|
||||||
|
- Add shim-remove-unused-variables.patch to remove the unused
|
||||||
|
variables
|
||||||
|
- Add shim-bnc872503-check-key-encoding.patch to check the encoding
|
||||||
|
of the keys (bnc#872503)
|
||||||
|
- Add shim-bnc877003-fetch-from-the-same-device.patch to fetch the
|
||||||
|
netboot image from the same device (bnc#877003)
|
||||||
|
- Refresh shim-opensuse-cert-prompt.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed May 14 09:39:02 UTC 2014 - glin@suse.com
|
||||||
|
|
||||||
|
- Use --reinit instead of --refresh in %post to update the files
|
||||||
|
in /boot
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Apr 29 07:38:11 UTC 2014 - mchang@suse.com
|
||||||
|
|
||||||
|
- shim-install: fix boot partition and rollback support kluge
|
||||||
|
(bnc#875385)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Apr 10 08:20:20 UTC 2014 - glin@suse.com
|
||||||
|
|
||||||
|
- Replace shim-mokmanager-support-sha1.patch with
|
||||||
|
shim-mokmanager-support-sha-family.patch to support the SHA
|
||||||
|
family
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Apr 7 09:32:21 UTC 2014 - glin@suse.com
|
||||||
|
|
||||||
|
- Add shim-mokmanager-support-sha1.patch to support SHA1 hashes in
|
||||||
|
MOK
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Mar 31 11:57:13 UTC 2014 - mchang@suse.com
|
||||||
|
|
||||||
|
- snapper rollback support (fate#317062)
|
||||||
|
- refresh shim-install
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Mar 13 02:32:15 UTC 2014 - glin@suse.com
|
||||||
|
|
||||||
|
- Insert the right signature (bnc#867974)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Mar 10 07:56:44 UTC 2014 - glin@suse.com
|
||||||
|
|
||||||
|
- Add shim-fix-uninitialized-variable.patch to fix the use of
|
||||||
|
uninitialzed variables in lib
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Mar 7 09:09:12 UTC 2014 - glin@suse.com
|
||||||
|
|
||||||
|
- Add shim-mokmanager-delete-bs-var-right.patch to delete the BS+NV
|
||||||
|
variables the right way
|
||||||
|
- Update shim-opensuse-cert-prompt.patch to delete openSUSE_Verify
|
||||||
|
correctly
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Mar 6 07:37:57 UTC 2014 - glin@suse.com
|
||||||
|
|
||||||
|
- Add shim-fallback-avoid-duplicate-bootorder.patch to fix the
|
||||||
|
duplicate entries in BootOrder
|
||||||
|
- Add shim-allow-fallback-use-system-loadimage.patch to handle the
|
||||||
|
shim protocol properly to keep only one protocol entity
|
||||||
|
- Refresh shim-opensuse-cert-prompt.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Mar 6 03:53:49 UTC 2014 - mchang@suse.com
|
||||||
|
|
||||||
|
- shim-install: fix the $prefix to use grub2-mkrelpath for paths
|
||||||
|
on btrfs subvolume (bnc#866690).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Mar 4 04:19:05 UTC 2014 - glin@suse.com
|
||||||
|
|
||||||
|
- FATE#315002: Update shim-install to install shim.efi as the EFI
|
||||||
|
default bootloader when none exists in \EFI\boot.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Feb 27 09:46:49 UTC 2014 - fcrozat@suse.com
|
||||||
|
|
||||||
|
- Update signature-sles.asc: shim signed by UEFI signing service,
|
||||||
|
based on code from "Thu Feb 20 11:57:01 UTC 2014"
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Feb 21 08:45:46 UTC 2014 - glin@suse.com
|
||||||
|
|
||||||
|
- Add shim-opensuse-cert-prompt.patch to show the prompt to ask
|
||||||
|
whether the user trusts the openSUSE certificate or not
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Feb 20 11:57:01 UTC 2014 - lnussel@suse.de
|
||||||
|
|
||||||
|
- allow package to carry multiple signatures
|
||||||
|
- check correct certificate is embedded
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Feb 20 10:06:47 UTC 2014 - lnussel@suse.de
|
||||||
|
|
||||||
|
- always clean up generated files that embed certificates
|
||||||
|
(shim_cert.h shim.cer shim.crt) to make sure next build loop
|
||||||
|
rebuilds them properly
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Feb 17 09:58:56 UTC 2014 - glin@suse.com
|
||||||
|
|
||||||
|
- Add shim-bnc863205-mokmanager-fix-hash-delete.patch to fix the
|
||||||
|
hash deletion operation to avoid ruining the whole list
|
||||||
|
(bnc#863205)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Feb 11 06:30:02 UTC 2014 - glin@suse.com
|
||||||
|
|
||||||
|
- Update shim-mokx-support.patch to support the resetting of MOK
|
||||||
|
blacklist
|
||||||
|
- Add shim-get-variable-check.patch to fix the variable checking
|
||||||
|
in get_variable_attr
|
||||||
|
- Add shim-fallback-improve-entries-creation.patch to improve the
|
||||||
|
boot entry pathes and avoid generating the boot entries that
|
||||||
|
are already there
|
||||||
|
- Update SUSE certificate
|
||||||
|
- Update attach_signature.sh, show_hash.sh, strip_signature.sh,
|
||||||
|
extract_signature.sh and show_signatures.sh to remove the
|
||||||
|
creation of the temporary nss database
|
||||||
|
- Add shim-only-os-name.patch: remove the kernel version of the
|
||||||
|
build server
|
||||||
|
- Match the the prefix of the project name properly by escaping the
|
||||||
|
percent sign.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Jan 22 13:45:44 UTC 2014 - lnussel@suse.de
|
||||||
|
|
||||||
|
- enable signature assertion also in SUSE: hierarchy
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Dec 6 06:44:43 UTC 2013 - glin@suse.com
|
||||||
|
|
||||||
|
- Add shim-mokmanager-handle-keystroke-error.patch to handle the
|
||||||
|
error status from ReadKeyStroke to avoid unexpected keys
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Dec 5 02:05:13 UTC 2013 - glin@suse.com
|
||||||
|
|
||||||
|
- Update to 0.7
|
||||||
|
- Add upstream patches:
|
||||||
|
+ shim-fix-verify-mok.patch
|
||||||
|
+ shim-improve-error-messages.patch
|
||||||
|
+ shim-correct-user_insecure-usage.patch
|
||||||
|
+ shim-fix-dhcpv4-path-generation.patch
|
||||||
|
- Add shim-mokx-support.patch to support the MOK blacklist
|
||||||
|
(Fate#316531)
|
||||||
|
- Drop upstreamed patches
|
||||||
|
+ shim-fix-pointer-casting.patch
|
||||||
|
+ shim-merge-lf-loader-code.patch
|
||||||
|
+ shim-fix-simple-file-selector.patch
|
||||||
|
+ shim-mokmanager-support-crypt-hash-method.patch
|
||||||
|
+ shim-bnc804631-fix-broken-bootpath.patch
|
||||||
|
+ shim-bnc798043-no-doulbe-separators.patch
|
||||||
|
+ shim-bnc807760-change-pxe-2nd-loader-name.patch
|
||||||
|
+ shim-bnc808106-correct-certcount.patch
|
||||||
|
+ shim-mokmanager-ui-revamp.patch
|
||||||
|
+ shim-netboot-fixes.patch
|
||||||
|
+ shim-mokmanager-disable-gfx-console.patch
|
||||||
|
- Drop shim-suse-build.patch: it's not necessary anymore
|
||||||
|
- Drop shim-bnc841426-silence-shim-protocols.patch: shim is not
|
||||||
|
verbose by default
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Oct 31 09:11:18 UTC 2013 - fcrozat@suse.com
|
||||||
|
|
||||||
|
- Update microsoft.asc: shim signed by UEFI signing service, based
|
||||||
|
on code from "Tue Oct 1 04:29:29 UTC 2013".
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Oct 1 04:29:29 UTC 2013 - glin@suse.com
|
||||||
|
|
||||||
|
- Add shim-netboot-fixes.patch to include upstream netboot fixes
|
||||||
|
- Add shim-mokmanager-disable-gfx-console.patch to disable the
|
||||||
|
graphics console to avoid system hang on some machines
|
||||||
|
- Add shim-bnc841426-silence-shim-protocols.patch to silence the
|
||||||
|
shim protocols (bnc#841426)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Sep 25 07:17:54 UTC 2013 - glin@suse.com
|
||||||
|
|
||||||
|
- Create boot.csv in ESP for fallback.efi to restore the boot entry
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Sep 17 10:53:50 CEST 2013 - fcrozat@suse.com
|
||||||
|
|
||||||
|
- Update microsoft.asc: shim signed by UEFI signing service, based
|
||||||
|
on code from "Fri Sep 6 13:57:36 UTC 2013".
|
||||||
|
- Improve extract_signature.sh to work on current path.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Sep 6 13:57:36 UTC 2013 - lnussel@suse.de
|
||||||
|
|
||||||
|
- set timestamp of PE file to time of the binary the signature was
|
||||||
|
made for.
|
||||||
|
- make sure cert.o get's rebuilt for each target
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Sep 6 11:48:14 CEST 2013 - fcrozat@suse.com
|
||||||
|
|
||||||
|
- Update microsoft.asc: shim signed by UEFI signing service, based
|
||||||
|
on code from "Wed Aug 28 15:54:38 UTC 2013"
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Aug 28 15:54:38 UTC 2013 - lnussel@suse.de
|
||||||
|
|
||||||
|
- always build a shim that embeds the distro's certificate (e.g.
|
||||||
|
shim-opensuse.efi). If the package is built in the devel project
|
||||||
|
additionally shim-devel.efi is created. That allows us to either
|
||||||
|
load grub2/kernel signed by the distro or signed by the devel
|
||||||
|
project, depending on use case. Also shim-$distro.efi from the
|
||||||
|
devel project can be used to request additional signatures.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Aug 28 07:16:51 UTC 2013 - lnussel@suse.de
|
||||||
|
|
||||||
|
- also include old openSUSE 4096 bit certificate to be able to still
|
||||||
|
boot kernels signed with that key.
|
||||||
|
- add show_signatures script
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Aug 27 06:41:03 UTC 2013 - lnussel@suse.de
|
||||||
|
|
||||||
|
- replace the 4096 bit openSUSE UEFI CA certificate with new a
|
||||||
|
standard compliant 2048 bit one.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Aug 20 11:48:25 UTC 2013 - lnussel@suse.de
|
||||||
|
|
||||||
|
- fix shell syntax error
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Aug 7 15:51:36 UTC 2013 - lnussel@suse.de
|
||||||
|
|
||||||
|
- don't include binary in the sources. Instead package the raw
|
||||||
|
signature and attach it during build (bnc#813448).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Jul 30 07:36:28 UTC 2013 - glin@suse.com
|
||||||
|
|
||||||
|
- Update shim-mokmanager-ui-revamp.patch to include fixes for
|
||||||
|
MokManager
|
||||||
|
+ reboot the system after clearing MOK password
|
||||||
|
+ fetch more info from X509 name
|
||||||
|
+ check the suffix of the key file
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Jul 23 03:55:05 UTC 2013 - glin@suse.com
|
||||||
|
|
||||||
|
- Update to 0.4
|
||||||
|
- Rebase patches
|
||||||
|
+ shim-suse-build.patch
|
||||||
|
+ shim-mokmanager-support-crypt-hash-method.patch
|
||||||
|
+ shim-bnc804631-fix-broken-bootpath.patch
|
||||||
|
+ shim-bnc798043-no-doulbe-separators.patch
|
||||||
|
+ shim-bnc807760-change-pxe-2nd-loader-name.patch
|
||||||
|
+ shim-bnc808106-correct-certcount.patch
|
||||||
|
+ shim-mokmanager-ui-revamp.patch
|
||||||
|
- Add patches
|
||||||
|
+ shim-merge-lf-loader-code.patch: merge the Linux Foundation
|
||||||
|
loader UI code
|
||||||
|
+ shim-fix-pointer-casting.patch: fix a casting issue and the
|
||||||
|
size of an empty vendor cert
|
||||||
|
+ shim-fix-simple-file-selector.patch: fix the buffer allocation
|
||||||
|
in the simple file selector
|
||||||
|
- Remove upstreamed patches
|
||||||
|
+ shim-support-mok-delete.patch
|
||||||
|
+ shim-reboot-after-changes.patch
|
||||||
|
+ shim-clear-queued-key.patch
|
||||||
|
+ shim-local-key-sign-mokmanager.patch
|
||||||
|
+ shim-get-2nd-stage-loader.patch
|
||||||
|
+ shim-fix-loadoptions.patch
|
||||||
|
- Remove unused patch: shim-mokmanager-new-pw-hash.patch and
|
||||||
|
shim-keep-unsigned-mokmanager.patch
|
||||||
|
- Install the vendor certificate to /etc/uefi/certs
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed May 8 06:40:12 UTC 2013 - glin@suse.com
|
||||||
|
|
||||||
|
- Add shim-mokmanager-ui-revamp.patch to update the MokManager UI
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Apr 3 03:54:22 UTC 2013 - glin@suse.com
|
||||||
|
|
||||||
|
- Call update-bootloader in %post to update *.efi in \efi\opensuse
|
||||||
|
(bnc#813079)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Mar 8 06:53:47 UTC 2013 - glin@suse.com
|
||||||
|
|
||||||
|
- Add shim-bnc807760-change-pxe-2nd-loader-name.patch to change the
|
||||||
|
PXE 2nd stage loader name (bnc#807760)
|
||||||
|
- Add shim-bnc808106-correct-certcount.patch to correct the
|
||||||
|
certificate count of the signature list (bnc#808106)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Mar 1 10:07:55 UTC 2013 - glin@suse.com
|
||||||
|
|
||||||
|
- Add shim-bnc798043-no-doulbe-separators.patch to remove double
|
||||||
|
seperators from the bootpath (bnc#798043#c4)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Feb 28 08:57:48 UTC 2013 - lnussel@suse.de
|
||||||
|
|
||||||
|
- sign shim also with openSUSE certificate
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Feb 27 15:52:53 CET 2013 - mls@suse.de
|
||||||
|
|
||||||
|
- identify project, export certificate as DER file
|
||||||
|
- don't create an unused extra keypair
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Feb 21 10:08:12 UTC 2013 - glin@suse.com
|
||||||
|
|
||||||
|
- Add shim-bnc804631-fix-broken-bootpath.patch to fix the broken
|
||||||
|
bootpath generated in generate_path(). (bnc#804631)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Feb 11 12:15:25 UTC 2013 - fcrozat@suse.com
|
||||||
|
|
||||||
|
- Update with shim signed by UEFI signing service, based on code
|
||||||
|
from "Thu Feb 7 06:56:19 UTC 2013".
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Feb 7 13:54:06 UTC 2013 - lnussel@suse.de
|
||||||
|
|
||||||
|
- prepare for having a signed shim from the UEFI signing service
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Feb 7 06:56:19 UTC 2013 - glin@suse.com
|
||||||
|
|
||||||
|
- Sign shim-opensuse.efi and MokManager.efi with the openSUSE cert
|
||||||
|
- Add shim-keep-unsigned-mokmanager.patch to keep the unsigned
|
||||||
|
MokManager and sign it later.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Feb 6 06:35:45 UTC 2013 - mchang@suse.com
|
||||||
|
|
||||||
|
- Add shim-install utility
|
||||||
|
- Add Recommends to grub2-efi
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Jan 30 09:00:31 UTC 2013 - glin@suse.com
|
||||||
|
|
||||||
|
- Add shim-mokmanager-support-crypt-hash-method.patch to support
|
||||||
|
password hash from /etc/shadow (FATE#314506)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Jan 29 03:20:48 UTC 2013 - glin@suse.com
|
||||||
|
|
||||||
|
- Embed openSUSE-UEFI-CA-Certificate.crt in shim
|
||||||
|
- Rename shim-unsigned.efi to shim-opensuse.efi.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Jan 18 10:06:13 UTC 2013 - glin@suse.com
|
||||||
|
|
||||||
|
- Update shim-mokmanager-new-pw-hash.patch to extend the password
|
||||||
|
hash format
|
||||||
|
- Rename shim.efi as shim-unsigned.efi
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Jan 16 08:01:55 UTC 2013 - glin@suse.com
|
||||||
|
|
||||||
|
- Merge patches for FATE#314506
|
||||||
|
+ Add shim-support-mok-delete.patch to add support for deleting
|
||||||
|
specific keys
|
||||||
|
+ Add shim-mokmanager-new-pw-hash.patch to support the new
|
||||||
|
password hash.
|
||||||
|
- Drop shim-correct-mok-size.patch which is included in
|
||||||
|
shim-support-mok-delete.patch
|
||||||
|
- Merge shim-remove-debug-code.patch and
|
||||||
|
shim-local-sign-mokmanager.patch into
|
||||||
|
shim-local-key-sign-mokmanager.patch
|
||||||
|
- Install COPYRIGHT
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Jan 15 03:17:53 UTC 2013 - glin@suse.com
|
||||||
|
|
||||||
|
- Add shim-fix-loadoptions.patch to adopt the UEFI shell style
|
||||||
|
LoadOptions (bnc#798043)
|
||||||
|
- Drop shim-check-pk-kek.patch since upstream rejected the patch
|
||||||
|
due to violation of SPEC.
|
||||||
|
- Install EFI binaries to /usr/lib64/efi
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Dec 26 07:05:02 UTC 2012 - glin@suse.com
|
||||||
|
|
||||||
|
- Update shim-reboot-after-changes.patch to avoid rebooting the
|
||||||
|
system after enrolling keys/hashes from the file system
|
||||||
|
- Add shim-correct-mok-size.patch to correct the size of MOK
|
||||||
|
- Add shim-clear-queued-key.patch to clear the queued key and show
|
||||||
|
the menu properly
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Dec 12 15:16:18 UTC 2012 - fcrozat@suse.com
|
||||||
|
|
||||||
|
- Remove shim-rpmlintrc, it wasn't fixing the error, hide error
|
||||||
|
stdout to prevent post build check to get triggered by cast
|
||||||
|
warnings in openSSL code
|
||||||
|
- Add shim-remove-debug-code.patch: remove debug code
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Dec 12 04:01:52 UTC 2012 - glin@suse.com
|
||||||
|
|
||||||
|
- Add shim-rpmlintrc to filter 64bit portability errors
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Dec 11 07:36:32 UTC 2012 - glin@suse.com
|
||||||
|
|
||||||
|
- Add shim-local-sign-mokmanager.patch to create a local certicate
|
||||||
|
to sign MokManager
|
||||||
|
- Add shim-get-2nd-stage-loader.patch to get the second stage
|
||||||
|
loader path from the load options
|
||||||
|
- Add shim-check-pk-kek.patch to verify EFI images with PK and KEK
|
||||||
|
- Add shim-reboot-after-changes.patch to reboot the system after
|
||||||
|
enrolling or erasing keys
|
||||||
|
- Install the EFI images to /usr/lib64/shim instead of the EFI
|
||||||
|
partition
|
||||||
|
- Update the mail address of the author
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Nov 2 08:19:37 UTC 2012 - glin@suse.com
|
||||||
|
|
||||||
|
- Add new package shim 0.2 (FATE#314484)
|
||||||
|
+ It's in fact git 2fd180a92 since there is no tag for 0.2
|
||||||
|
|
107
shim-leap.spec
Normal file
@ -0,0 +1,107 @@
|
|||||||
|
#
|
||||||
|
# spec file for package shim-leap
|
||||||
|
#
|
||||||
|
# Copyright (c) 2024 SUSE LLC
|
||||||
|
#
|
||||||
|
# All modifications and additions to the file contributed by third parties
|
||||||
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
|
# upon. The license for this file, and modifications and additions to the
|
||||||
|
# file, is the same license as for the pristine package itself (unless the
|
||||||
|
# license for the pristine package is not an Open Source License, in which
|
||||||
|
# case the license is the MIT License). An "Open Source License" is a
|
||||||
|
# license that conforms to the Open Source Definition (Version 1.9)
|
||||||
|
# published by the Open Source Initiative.
|
||||||
|
|
||||||
|
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
||||||
|
#
|
||||||
|
|
||||||
|
|
||||||
|
# Move 'efi'-executables to '/usr/share/efi' (FATE#326960, bsc#1166523)
|
||||||
|
%define sysefibasedir %{_datadir}/efi
|
||||||
|
%define sysefidir %{sysefibasedir}/%{_target_cpu}
|
||||||
|
%if 0%{?suse_version} < 1600
|
||||||
|
# provide compatibility sym-link for residual kiwi, etc.
|
||||||
|
%define shim_lib64_share_compat 1
|
||||||
|
%endif
|
||||||
|
|
||||||
|
Name: shim-leap
|
||||||
|
Version: 15.8
|
||||||
|
Release: 0
|
||||||
|
Summary: UEFI shim loader
|
||||||
|
License: BSD-2-Clause
|
||||||
|
Group: System/Boot
|
||||||
|
Source: shim-15.8-lp155.8.2.x86_64.rpm
|
||||||
|
Source1: README
|
||||||
|
Source2: shim-install
|
||||||
|
BuildRequires: fde-tpm-helper-rpm-macros
|
||||||
|
BuildRequires: update-bootloader-rpm-macros
|
||||||
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
|
ExclusiveArch: x86_64
|
||||||
|
|
||||||
|
%description
|
||||||
|
does not exist
|
||||||
|
|
||||||
|
%package -n shim
|
||||||
|
Summary: UEFI shim loader
|
||||||
|
Group: System/Boot
|
||||||
|
Requires: perl-Bootloader
|
||||||
|
%if 0%{?fde_tpm_update_requires:1}
|
||||||
|
%fde_tpm_update_requires
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%description -n shim
|
||||||
|
shim is a trivial EFI application that, when run, attempts to open and
|
||||||
|
execute another application.
|
||||||
|
|
||||||
|
%prep
|
||||||
|
rpm2cpio %{SOURCE0} | cpio --extract --unconditional --preserve-modification-time --make-directories
|
||||||
|
|
||||||
|
%build
|
||||||
|
|
||||||
|
%install
|
||||||
|
# purely repackaged
|
||||||
|
cp -a * %{buildroot}
|
||||||
|
cp %{S:1} .
|
||||||
|
|
||||||
|
# Override shim-install
|
||||||
|
install -m 755 %{S:2} %{buildroot}/%{_sbindir}/shim-install
|
||||||
|
|
||||||
|
%if %{undefined shim_lib64_share_compat}
|
||||||
|
# Remove the sym-links in /usr/lib64/efi
|
||||||
|
rm -rf %{buildroot}/usr/lib64/efi
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%post -n shim
|
||||||
|
%if 0%{?fde_tpm_update_post:1}
|
||||||
|
%fde_tpm_update_post shim
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if 0%{?update_bootloader_check_type_reinit_post:1}
|
||||||
|
%update_bootloader_check_type_reinit_post grub2-efi
|
||||||
|
%else
|
||||||
|
/sbin/update-bootloader --reinit || true
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%posttrans -n shim
|
||||||
|
%{?update_bootloader_posttrans}
|
||||||
|
%{?fde_tpm_update_posttrans}
|
||||||
|
|
||||||
|
%files -n shim
|
||||||
|
%doc README
|
||||||
|
%dir %{?sysefibasedir}
|
||||||
|
%dir %{sysefidir}
|
||||||
|
%{sysefidir}/shim.efi
|
||||||
|
%{sysefidir}/shim-*.efi
|
||||||
|
%{sysefidir}/shim-*.der
|
||||||
|
%{sysefidir}/MokManager.efi
|
||||||
|
%{sysefidir}/fallback.efi
|
||||||
|
%if %{defined shim_lib64_share_compat}
|
||||||
|
# provide compatibility sym-link for previous kiwi, etc.
|
||||||
|
%dir /usr/lib64/efi
|
||||||
|
/usr/lib64/efi/*.efi
|
||||||
|
%endif
|
||||||
|
/etc/uefi
|
||||||
|
%{_sbindir}/shim-install
|
||||||
|
/usr/share/doc/packages/shim
|
||||||
|
|
||||||
|
%changelog
|
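Review bot: `%prep` unpacks the prebuilt `shim-15.8-lp155.8.2.x86_64.rpm` and `%install` copies the result out with `cp -a * %{buildroot}`, but nothing in the spec itself checks that this binary RPM is the one that was reviewed and signed. Because the package ships the first-stage Secure Boot loader, I would pin the input before extraction, for example with `echo "<EXPECTED_SHA256>  %{SOURCE0}" | sha256sum -c -` as the first line of `%prep` (the digest is a placeholder, to be filled in from the trusted build). The `rpm2cpio ... | cpio` pipeline reports only cpio's exit status, so a failing `rpm2cpio` may go unnoticed; writing the archive to a temporary file and extracting from that file would let `%prep` stop on either failure. In `%post`, `/sbin/update-bootloader --reinit || true` hides a failed reinstall of the loader, so printing a message to stderr before falling through to `true` would at least leave a trace in the transaction log.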