bugowner: dtseng

Submitting the upgrade of shim for aarch64 to v15.8 (bsc#1215099, bsc#1215098, bsc#1215100, bsc#1215101, bsc#1215102, and bsc#1215103)

OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim-leap?expand=0&rev=44
Joey Lee 2024-09-09 11:44:42 +00:00 committed by Git OBS Bridge
commit 6ea45df45f
9 changed files with 1499 additions and 0 deletions

23
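--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text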

1
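--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc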

5
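--- /dev/null
+++ b/README
@@ -0,0 +1,5 @@
+Since shim needs a "stable" environment to reproduce the binary to match
+the signature from UEFI CA, it's difficult to maintain shim in Tumbleweed
+due to the nature of a rolling release distro. Instead of compiling shim
+for Tumbleweed, we directly import the binary the latest stable Leap
+release to maintain a stable and reproducible shim binary.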


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:13776ed2b68698091297f5e0e7156b401b1f7a9940785a1871335266fb524a30
size 456552


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2dde0a04e9468988abe978355ba50a3f14e10e110fdbcf80f52c94e922501cb0
size 503544


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:4fd9310c3fcf4ec3da4327250841fb4748e1b0d8a3880cb967389f7d4e51ee25
size 440512

515
shim-install Normal file

@ -0,0 +1,515 @@
#! /bin/bash -e
arch=`uname -m`
rootdir=
bootdir=
efidir=
install_device=
efibootdir=
ca_string=
no_nvram=no
removable=no
clean=no
sysconfdir="/etc"
libdir="/usr/lib64" # Beware, this is arch dependent!
datadir="/usr/share"
source_dir="${datadir}/efi/${arch}"
efibootmgr="/usr/sbin/efibootmgr"
grub_probe="/usr/sbin/grub2-probe"
grub_mkrelpath="/usr/bin/grub2-mkrelpath"
no_grub_install=no
grub_install="/usr/sbin/grub2-install"
grub_install_target=
self="`basename $0`"
grub_cfg="/boot/grub2/grub.cfg"
update_boot=no
def_grub_efi="${source_dir}/grub.efi"
def_boot_efi=
[ ! -r /usr/etc/default/shim ] || . /usr/etc/default/shim
[ ! -r /etc/default/shim ] || . /etc/default/shim
if [ -z "$def_shim_efi" -o ! -e ${source_dir}/${def_shim_efi} ] ; then
def_shim_efi="shim.efi"
fi
source_shim_efi="${source_dir}/${def_shim_efi}"
if [ x${arch} = xx86_64 ] ; then
grub_install_target="x86_64-efi"
def_boot_efi="bootx64.efi"
elif [ x${arch} = xaarch64 ] ; then
grub_install_target="arm64-efi"
def_boot_efi="bootaa64.efi"
else
echo "Unsupported architecture: ${arch}"
exit 1
fi
if [ ! -d "${source_dir}" -o ! -e "${def_grub_efi}" ] ; then
# for outdated packages fall back to previous behavior
source_dir="$libdir/efi"
def_grub_efi="${source_dir}/grub.efi"
fi
# Get GRUB_DISTRIBUTOR.
if test -f "${sysconfdir}/default/grub" ; then
. "${sysconfdir}/default/grub"
fi
if [ x"${GRUB_DISTRIBUTOR}" = x ] && [ -f "${sysconfdir}/os-release" ] ; then
. "${sysconfdir}/os-release"
GRUB_DISTRIBUTOR="${NAME} ${VERSION}"
fi
bootloader_id="$(echo "$GRUB_DISTRIBUTOR" | tr 'A-Z' 'a-z' | cut -d' ' -f1)"
if test -z "$bootloader_id"; then
bootloader_id=grub
fi
efi_distributor="$bootloader_id"
bootloader_id="${bootloader_id}-secureboot"
case "$bootloader_id" in
"sle"*)
ca_string='SUSE Linux Enterprise Secure Boot CA1';;
"opensuse"*)
ca_string='openSUSE Secure Boot CA1';;
*) ca_string="";;
esac
is_azure () {
local bios_vendor;
local product_name;
local sys_vendor;
local sysfs_dmi_id="/sys/class/dmi/id"
if test -e "${sysfs_dmi_id}/bios_vendor"; then
bios_vendor=$(cat "${sysfs_dmi_id}/bios_vendor")
fi
if test -e "${sysfs_dmi_id}/product_name"; then
product_name=$(cat "${sysfs_dmi_id}/product_name")
fi
if test -e "${sysfs_dmi_id}/sys_vendor"; then
sys_vendor=$(cat "${sysfs_dmi_id}/sys_vendor")
fi
if test "x${bios_vendor}" != "xMicrosoft Corporation"; then
# return false
return 1
fi
if test "x${product_name}" != "xVirtual Machine"; then
# return false
return 1
fi
if test "x${sys_vendor}" != "xMicrosoft Corporation"; then
# return false
return 1
fi
# return true
return 0
}
usage () {
echo "Usage: $self [OPTION] [INSTALL_DEVICE]"
echo
echo "Install Secure Boot Loaders on your drive."
echo
echo "--directory=DIR use images from DIR."
echo "--grub-probe=FILE use FILE as grub-probe."
echo "--removable the installation device is removable."
echo "--no-nvram don't update the NVRAM variable."
echo "--bootloader-id=ID the ID of bootloader."
echo "--efi-directory=DIR use DIR as the EFI System Partition root."
echo "--config-file=FILE use FILE as config file, default is $grub_cfg."
echo "--clean remove all installed files and configs."
echo "--suse-enable-tpm install grub.efi with TPM support."
echo "--no-grub-install Do not run grub2-install."
echo
echo "INSTALL_DEVICE must be system device filename."
}
argument () {
opt="$1"
shift
if test $# -eq 0; then
echo "$0: option requires an argument -- \`$opt'" 1>&2
exit 1
fi
echo "$1"
}
# Check the arguments.
while test $# -gt 0
do
option=$1
shift
case "$option" in
-h | --help)
usage
exit 0 ;;
--root-directory)
rootdir="`argument $option "$@"`"; shift;;
--root-directory=*)
rootdir="`echo "$option" | sed 's/--root-directory=//'`" ;;
--efi-directory)
efidir="`argument $option "$@"`"; shift;;
--efi-directory=*)
efidir="`echo "$option" | sed 's/--efi-directory=//'`" ;;
--directory | -d)
source_dir="`argument $option "$@"`"; shift;;
--directory=*)
source_dir="`echo "$option" | sed 's/--directory=//'`" ;;
--bootloader-id)
bootloader_id="`argument $option "$@"`"; shift;;
--bootloader-id=*)
bootloader_id="`echo "$option" | sed 's/--bootloader-id=//'`" ;;
--grub-probe)
grub_probe="`argument "$option" "$@"`"; shift;;
--grub-probe=*)
grub_probe="`echo "$option" | sed 's/--grub-probe=//'`" ;;
--config-file)
grub_cfg="`argument "$option" "$@"`"; shift;;
--config-file=*)
grub_cfg="`echo "$option" | sed 's/--config-file=//'`" ;;
--removable)
no_nvram=yes
removable=yes ;;
--no-nvram)
no_nvram=yes ;;
--suse-enable-tpm)
# bsc#1174320 shim-install uses wrong paths for EFI files
# There are 3 possible locations of grub-tpm.efi and we will check them
# one by one.
if [ -e "${source_dir}/grub-tpm.efi" ]; then
source_grub_efi="${source_dir}/grub-tpm.efi"
elif [ -e "${datadir}/grub2/${grub_install_target}/grub-tpm.efi" ] ; then
source_grub_efi="${datadir}/grub2/${grub_install_target}/grub-tpm.efi"
else
source_grub_efi="/usr/lib/grub2/${grub_install_target}/grub-tpm.efi"
fi
;;
--clean)
clean=yes ;;
--no-grub-install)
no_grub_install=yes ;;
-*)
echo "Unrecognized option \`$option'" 1>&2
usage
exit 1
;;
*)
if test "x$install_device" != x; then
echo "More than one install device?" 1>&2
usage
exit 1
fi
install_device="${option}" ;;
esac
done
if test -n "$efidir"; then
efi_fs=`"$grub_probe" --target=fs "${efidir}"`
if test "x$efi_fs" = xfat; then :; else
echo "$efidir doesn't look like an EFI partition." 1>&2
efidir=
fi
fi
if [ -z "$bootdir" ]; then
bootdir="/boot"
if [ -n "$rootdir" ] ; then
# Initialize bootdir if rootdir was initialized.
bootdir="${rootdir}/boot"
fi
fi
# Find the EFI System Partition.
if test -n "$efidir"; then
install_device="`"$grub_probe" --target=device --device-map= "${efidir}"`"
else
if test -d "${bootdir}/efi"; then
install_device="`"$grub_probe" --target=device --device-map= "${bootdir}/efi"`"
# Is it a mount point?
if test "x$install_device" != "x`"$grub_probe" --target=device --device-map= "${bootdir}"`"; then
efidir="${bootdir}/efi"
fi
elif test -d "${bootdir}/EFI"; then
install_device="`"$grub_probe" --target=device --device-map= "${bootdir}/EFI"`"
# Is it a mount point?
if test "x$install_device" != "x`"$grub_probe" --target=device --device-map= "${bootdir}"`"; then
efidir="${bootdir}/EFI"
fi
elif test -n "$rootdir" && test "x$rootdir" != "x/"; then
# The EFI System Partition may have been given directly using
# --root-directory.
install_device="`"$grub_probe" --target=device --device-map= "${rootdir}"`"
# Is it a mount point?
if test "x$install_device" != "x`"$grub_probe" --target=device --device-map= "${rootdir}/.."`"; then
efidir="${rootdir}"
fi
fi
if test -n "$efidir"; then
efi_fs=`"$grub_probe" --target=fs "${efidir}"`
if test "x$efi_fs" = xfat; then :; else
echo "$efidir doesn't look like an EFI partition." 1>&2
efidir=
fi
fi
fi
if test -n "$efidir"; then
efi_file=shim.efi
efibootdir="$efidir/EFI/boot"
mkdir -p "$efibootdir" || exit 1
if test "$removable" = "yes" ; then
efidir="$efibootdir"
else
efidir="$efidir/EFI/$efi_distributor"
mkdir -p "$efidir" || exit 1
fi
else
echo "No valid EFI partition" 1>&2
exit 1;
fi
if test "$removable" = "no" -a -f "$efibootdir/$def_boot_efi"; then
if test -n "$ca_string" && (grep -q "$ca_string" "$efibootdir/$def_boot_efi"); then
update_boot=yes
fi
else
update_boot=yes
fi
if test "$clean" = "yes"; then
rm -f "${efidir}/shim.efi"
rm -f "${efidir}/MokManager.efi"
rm -f "${efidir}/grub.efi"
rm -f "${efidir}/grub.cfg"
rm -f "${efidir}/boot.csv"
if test "$update_boot" = "yes"; then
rm -f "${efibootdir}/${def_boot_efi}"
rm -f "${efibootdir}/fallback.efi"
# bsc#1175626, bsc#1175656 also clean up MokManager
rm -f "${efibootdir}/MokManager.efi"
fi
if test "$no_nvram" = no && test -n "$bootloader_id"; then
# Delete old entries from the same distributor.
for bootnum in `$efibootmgr | grep '^Boot[0-9]' | \
fgrep -i " $bootloader_id" | cut -b5-8`; do
$efibootmgr -b "$bootnum" -B
done
fi
exit 0
fi
cp "${source_dir}/MokManager.efi" "${efidir}"
if test -n "$source_grub_efi" && ! test -f "$source_grub_efi"; then
echo "File $source_grub_efi doesn't exist, fallback to default one" 1>&2
source_grub_efi=""
fi
if test -z "$source_grub_efi"; then
source_grub_efi="$def_grub_efi"
fi
echo "copying $source_grub_efi to ${efidir}/grub.efi"
cp "$source_grub_efi" "${efidir}/grub.efi"
if test "$efidir" != "$efibootdir" ; then
cp "${source_shim_efi}" "${efidir}/shim.efi"
if test -n "$bootloader_id"; then
echo "shim.efi,${bootloader_id}" | iconv -f ascii -t ucs2 > "${efidir}/boot.csv"
fi
fi
if test "$update_boot" = "yes"; then
cp "$source_shim_efi" "${efibootdir}/${def_boot_efi}"
if test "$removable" = "no"; then
cp "${source_dir}/fallback.efi" "${efibootdir}"
# bsc#1175626, bsc#1175656 Since shim 15, loading MokManager becomes
# mandatory if a MOK request exists. Copy MokManager to \EFI\boot so
# that boot*.efi can load MokManager to process the request instead
# of shutting down the system immediately.
cp "${source_dir}/MokManager.efi" "${efibootdir}"
fi
fi
prepare_cryptodisk () {
uuid="$1"
if [ "x$GRUB_CRYPTODISK_PASSWORD" != x ]; then
echo "cryptomount -u $uuid -p \"$GRUB_CRYPTODISK_PASSWORD\""
return
fi
if [ "x$GRUB_TPM2_SEALED_KEY" = x ]; then
echo "cryptomount -u $uuid"
return
fi
tpm_sealed_key="${GRUB_TPM2_SEALED_KEY}"
declare -g TPM_PCR_SNAPSHOT_TAKEN
if [ -z "$TPM_PCR_SNAPSHOT_TAKEN" ]; then
TPM_PCR_SNAPSHOT_TAKEN=1
# Check if tpm_record_pcrs is available and set the command to
# grub.cfg.
if grep -q "tpm_record_pcrs" ${datadir}/grub2/${arch}-efi/command.lst ; then
echo "tpm_record_pcrs 0-9"
fi
fi
tpm_srk_alg="${GRUB_TPM2_SRK_ALG}"
if [ -z "$tpm_srk_alg" ]; then
tpm_srk_alg="RSA"
fi
cat <<EOF
tpm2_key_protector_init -a $tpm_srk_alg -T \$prefix/$tpm_sealed_key
if ! cryptomount -u $uuid --protector tpm2; then
cryptomount -u $uuid
fi
EOF
}
make_grubcfg () {
grub_cfg_dirname=`dirname $grub_cfg`
grub_cfg_basename=`basename $grub_cfg`
cfg_fs_uuid=`"$grub_probe" --target=fs_uuid "$grub_cfg_dirname"`
# bsc#1153953 - Leap 42.3 boot error snapshot missing
# We have to check btrfs is used as root file system to enable relative path
# lookup for file to be on par with other utility which also accounts for it.
GRUB_FS="$(stat -f --printf=%T / || echo unknown)"
if test "x$SUSE_BTRFS_SNAPSHOT_BOOTING" = "xtrue" &&
[ "x${GRUB_FS}" = "xbtrfs" ] ; then
cat <<EOF
set btrfs_relative_path="yes"
EOF
if ${grub_mkrelpath} --usage | grep -q -e '--relative'; then
grub_mkrelpath="${grub_mkrelpath} -r"
fi
fi
if [ x$GRUB_ENABLE_CRYPTODISK = xy ]; then
for uuid in `"${grub_probe}" --target=cryptodisk_uuid --device-map= "${grub_cfg_dirname}"`; do
prepare_cryptodisk "$uuid"
done
fi
hints="`"${grub_probe}" --target=hints_string "${grub_cfg_dirname}" 2> /dev/null`"
if [ "x$hints" != x ]; then
echo "if [ x\$feature_platform_search_hint = xy ]; then"
echo " search --no-floppy --fs-uuid --set=root ${hints} ${cfg_fs_uuid}"
echo "else"
echo " search --no-floppy --fs-uuid --set=root ${cfg_fs_uuid}"
echo "fi"
else
echo "search --no-floppy --fs-uuid --set=root ${cfg_fs_uuid}"
fi
cat <<EOF
set prefix=(\${root})`${grub_mkrelpath} ${grub_cfg_dirname}`
source "\${prefix}/${grub_cfg_basename}"
EOF
}
# bnc#889765 GRUB shows broken letters at boot
# invoke grub_install to initialize /boot/grub2 directory with files needed by grub.cfg
# bsc#1118363 shim-install didn't specify the target for grub2-install
# set the target explicitly for some special cases
if test "$no_grub_install" != "yes"; then
${grub_install} --target=${grub_install_target} --no-nvram
fi
# Making sure grub.cfg not overwritten by grub-install above
make_grubcfg > "${efidir}/grub.cfg"
if test "$no_nvram" = no && test -n "$bootloader_id"; then
modprobe -q efivars 2>/dev/null || true
# Delete old entries from the same distributor.
for bootnum in `$efibootmgr | grep '^Boot[0-9]' | \
fgrep -i " $bootloader_id" | cut -b5-8`; do
$efibootmgr -b "$bootnum" -B
done
efidir_drive="$("$grub_probe" --target=drive --device-map= "$efidir")"
efidir_disk="$("$grub_probe" --target=disk --device-map= "$efidir")"
if test -z "$efidir_drive" || test -z "$efidir_disk"; then
echo "Can't find GRUB drive for $efidir; unable to create EFI Boot Manager entry." >&2
# bsc#1119762 If the MD device is partitioned, we just need to create one
# boot entry since the partitions are nested partitions and the mirrored
# partitions share the same UUID.
elif [[ "$efidir_drive" == \(mduuid/* && "$efidir_drive" != \(mduuid/*,* ]]; then
eval $(mdadm --detail --export "$efidir_disk" |
perl -ne 'print if m{^MD_LEVEL=}; push( @D, $1) if (m{^MD_DEVICE_\S+_DEV=(\S+)$});
sub END() {print "MD_DEVS=\"", join( " ", @D), "\"\n";};')
if [ "$MD_LEVEL" != "raid1" ]; then
echo "GRUB drive for $efidir not on RAID1; unable to create EFI Boot Manager entry." >&2
fi
for mddev in $MD_DEVS; do
efidir_drive="$("$grub_probe" --target=drive --device-map= -d "$mddev")"
efidir_disk="$("$grub_probe" --target=disk --device-map= -d "$mddev")"
efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')"
efidir_d=${mddev#/dev/}
$efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \
-L "$bootloader_id ($efidir_d)" -l "\\EFI\\$efi_distributor\\$efi_file"
done
else
efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')"
$efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \
-L "$bootloader_id" -l "\\EFI\\$efi_distributor\\$efi_file"
fi
fi
# bsc#1185464 bsc#1185961
# The Azure firmware sometimes doesn't respect the boot option created by
# either efibootmgr or fallback.efi so we have to remove fallback.efi to
# avoid the endless reset loop.
if is_azure; then
# Skip the workaround if we don't own \EFI\Boot or the removable
# option is used
if test "$update_boot" = "yes" && test "$removable" = "no"; then
# Remove fallback.efi which could cause the reset loop in Azure
rm -f "${efibootdir}/fallback.efi"
# Remove the older grub binary and config
rm -f "${efibootdir}/grub.efi"
rm -f "${efibootdir}/grub.cfg"
# Install new grub binary and config file to \EFI\Boot as
# the "removable" option
cp "${efidir}/grub.cfg" "${efibootdir}/grub.cfg"
cp "${efidir}/grub.efi" "${efibootdir}/grub.efi"
fi
fi
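Review bot: `prepare_cryptodisk` emits `cryptomount -u $uuid -p \"$GRUB_CRYPTODISK_PASSWORD\"`, and `make_grubcfg > "${efidir}/grub.cfg"` then stores that line on the EFI System Partition, so the volume passphrase ends up in cleartext on a filesystem the script itself requires to be FAT, where per-file modes cannot protect it. If this is intended only for a temporary password (the script does not say), state it above the function, e.g. `# GRUB_CRYPTODISK_PASSWORD is written in cleartext to grub.cfg on the ESP; use a throwaway password and remove it once the TPM-sealed key is in place`. The value is also interpolated without escaping, so a password containing `"`, `\` or `$` yields a malformed or differently parsed grub.cfg line; escape those three characters before the `echo`. Separately, the `"$MD_LEVEL" != "raid1"` branch prints "unable to create EFI Boot Manager entry" but still falls through to the `for mddev in $MD_DEVS` loop, and the `eval $(mdadm ...)` feeding it is unquoted; the loop probably belongs in an `else`.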

832
shim-leap.changes Normal file

@ -0,0 +1,832 @@
-------------------------------------------------------------------
Mon Sep 2 08:07:02 UTC 2024 - Dennis Tseng <dennis.tseng@suse.com>
- Update shim version for aarch64 to shim-15.8-lp155.8.8.aarch64.rpm
coming from openSUSE secure-boot 15.5
+ Version: 15.8, "Jan 23 2024"
+ Include the bug fixes for bsc#1215099,bsc#1215098,bsc#1215100,bsc#1215101,
bsc#1215102, and bsc#1215103.
-------------------------------------------------------------------
Tue Jul 23 03:27:56 UTC 2024 - Dennis Tseng <dennis.tseng@suse.com>
- Update to shim to 15.8-shim-15.8-lp155.8.2.x86_64.rpm from
openSUSE secure-boot 15.5
+ Version: 15.8, "Jan 23 2024"
+ Align the outside shim-install with the one in RPM file.
This is because all important fixes in outside shim-install are
also fixed in shim-install of RPM file. For consistency purposes,
the outside shim-install is updated in this version.
+ Include the bug fixes for bsc#1215099,bsc#1215098,bsc#1215100,bsc#1215101,
bsc#1215102, and bsc#1215103.
-------------------------------------------------------------------
Thu Mar 14 05:58:13 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
- Update shim-install to set the SRK algorithm for grub2 TPM2
key protector (bsc#1213945)
+ 92d0f4305df73 Set the SRK algorithm for the TPM2 protector
- Build with update-bootloader-rpm-macros and
fde-tpm-helper-rpm-macros and update the %post and %posttrans
macros correctly
-------------------------------------------------------------------
Wed Jun 7 02:29:44 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Update shim-install to support FDE
+ Read GRUB_CRYPTODISK_PASSWORD and GRUB_TPM2_SEALED_KEY to
create the proper cryptomount command for grub.cfg
+ Save the PCR snapshot if grub2 supports the command
+ Support 'no_grub_install' to skip grub2-install
+ Detect the OS ID of openSUSE Leap
-------------------------------------------------------------------
Thu May 25 07:48:54 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
- Remove the sym-links in /usr/lib64/efi for the newer distro
versions since we don't use them anymore
-------------------------------------------------------------------
Wed Jul 21 09:38:30 UTC 2021 - jlee@suse.com
- Update to shim to 15.4-lp152.4.17.1 from openSUSE Leap 15.2
+ Version: 15.4, "Thu Jul 15 2021"
+ Updated openSUSE x86 signature
+ Include the fixes for bsc#1187696, bsc#1185261, bsc#1185441,
bsc#1187071, bsc#1185621, bsc#1185261, bsc#1185232, bsc#1185261,
bsc#1187260, bsc#1185232.
- Remove shim-install because the shim-install is updated in Leap
15.2 RPM.
-------------------------------------------------------------------
Thu May 20 01:25:06 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
- shim-install: instead of assuming "removable" for Azure, remove
fallback.efi from \EFI\Boot and copy grub.efi/cfg to \EFI\Boot
to make \EFI\Boot bootable and keep the boot option created by
efibootmgr (bsc#1185464, bsc#1185961)
-------------------------------------------------------------------
Fri May 7 08:54:20 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
- shim-install: always assume "removable" for Azure to avoid the
endless reset loop (bsc#1185464)
-------------------------------------------------------------------
Tue Apr 27 07:45:26 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
- Update to shim to 15.4-lp152.4.8.1 from openSUSE Leap 15.2 for
SBAT support (bsc#1182057)
+ Version: 15.4, "Wed Apr 21 05:46:19 UTC 2021"
+ Include the fixes for bsc#1177789, CVE-2019-14584, bsc#1177315,
bsc#1175509, bsc#1173411, bsc#1177404, bsc#1174512, bsc#1184454
- Add README to note why we need shim-leap for Tumbleweed
-------------------------------------------------------------------
Thu Aug 27 07:27:54 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>
- Update shim to 15+git47-lp152.4.5.1 from openSUSE Leap 15.2
+ shim-install: install MokManager to \EFI\boot to process the
pending MOK request (bsc#1175626, bsc#1175656)
-------------------------------------------------------------------
Tue Aug 11 06:36:37 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>
- Update shim to 15+git47-lp152.4.3.1 from openSUSE Leap 15.2
+ Version: 15+git47 "Fri Jul 31 07:41:26 UTC 2020"
+ Use shim-install in the rpm package
-------------------------------------------------------------------
Wed Jul 22 09:33:51 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>
- Update the path to grub-tpm.efi in shim-install (bsc#1174320)
- shim-install: add check for btrfs is used as root file system to enable
relative path lookup for file. (bsc#1153953)
- Update shim-install to handle the partitioned MD devices
(bsc#1119762, bsc#1119763)
- Update grub2 path in shim-install
-------------------------------------------------------------------
Tue Mar 31 08:38:56 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>
- Use the full path of efibootmgr to avoid errors when invoking
shim-install from packagekitd (bsc#1168104)
-------------------------------------------------------------------
Mon Mar 30 06:05:58 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>
- Use "suse_version" instead of "sle_version" to avoid
shim_lib64_share_compat being set in Tumbleweed forever.
-------------------------------------------------------------------
Fri Mar 27 05:32:11 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>
- Move 'efi'-executables to '/usr/share/efi'
(FATE#326960, bsc#1166523)
-------------------------------------------------------------------
Thu Dec 6 03:23:04 UTC 2018 - Gary Ching-Pang Lin <glin@suse.com>
- Update shim-install to set the grub2-install target explicitly
for some special cases. (bsc#1118363)
-------------------------------------------------------------------
Fri Jun 8 10:39:42 UTC 2018 - glin@suse.com
- Update shim to 14-lp150.8.5.1
+ Replace shim-bsc1092000-fallback-always-try-first-option.patch
with shim-bsc1092000-fallback-menu.patch to show a countdown
menu before reset (bsc#1092000)
-------------------------------------------------------------------
Mon May 14 08:52:34 UTC 2018 - glin@suse.com
- Update shim to 14-lp150.7.3
+ Amend fallback.efi to avoid being trapped in the infinite reset
loop (bsc#1092000)
-------------------------------------------------------------------
Wed Apr 25 08:17:45 UTC 2018 - mlin@suse.com
- Update shim to 14-lp150.4.1
- New signature from Microsoft
-------------------------------------------------------------------
Tue Apr 25 03:44:04 UTC 2017 - glin@suse.com
- Update shim to 0.9-15.3.1
+ shim-install: add option --suse-enable-tpm (fate#315831)
(Fix from mchang@suse.com)
-------------------------------------------------------------------
Tue Dec 27 05:47:23 UTC 2016 - glin@suse.com
- Update shim to 0.9-13.1
+ Update shim-install to support "--no-nvram" and improve
removable media and fallback mode handling (bsc#985568,
bsc#999818) (Fix from mchang@suse.com)
-------------------------------------------------------------------
Fri Oct 7 09:31:29 UTC 2016 - jsegitz@novell.com
- New signature from Microsoft
-------------------------------------------------------------------
Fri Aug 19 06:46:59 UTC 2016 - mchang@suse.com
- shim-install : fix regression of password prompt (bsc#993764)
-------------------------------------------------------------------
Fri Aug 5 02:53:54 UTC 2016 - glin@suse.com
- Add shim-bsc991885-fix-sig-length.patch to fix the signature
length passed to Authenticode (bsc#991885)
-------------------------------------------------------------------
Wed Aug 3 09:10:25 UTC 2016 - glin@suse.com
- Update shim-bsc973496-mokmanager-no-append-write.patch to try
append write first
-------------------------------------------------------------------
Tue Aug 2 02:59:46 UTC 2016 - glin@suse.com
- Add shim-update-openssl-1.0.2h.patch to update openssl to 1.0.2h
- Bump the requirement of gnu-efi due to the HTTPBoot support
-------------------------------------------------------------------
Mon Aug 1 09:01:59 UTC 2016 - glin@suse.com
- Add shim-httpboot-support.patch to support HTTPBoot
- Add shim-update-openssl-1.0.2g.patch to update openssl to 1.0.2g
and Cryptlib to 5e2318dd37a51948aaf845c7d920b11f47cdcfe6
- Drop patches since they are merged into
shim-update-openssl-1.0.2g.patch
+ shim-update-openssl-1.0.2d.patch
+ shim-gcc5.patch
+ shim-bsc950569-fix-cryptlib-va-functions.patch
+ shim-fix-aarch64.patch
- Refresh shim-change-debug-file-path.patch
- Add shim-bsc973496-mokmanager-no-append-write.patch to work
around the firmware that doesn't support APPEND_WRITE (bsc973496)
- shim-install : remove '\n' from the help message (bsc#991188)
- shim-install : print a message if there is no valid EFI partition
(bsc#991187)
-------------------------------------------------------------------
Mon May 9 11:20:56 UTC 2016 - rw@suse.com
- shim-install : support simple MD RAID1 target devices (FATE#314829)
-------------------------------------------------------------------
Wed May 4 10:40:52 UTC 2016 - agraf@suse.com
- Add shim-fix-aarch64.patch to fix compilation on AArch64 (bsc#978438)
-------------------------------------------------------------------
Wed Mar 9 07:15:52 UTC 2016 - mchang@suse.com
- shim-install : fix typing ESC can escape to parent config which is
in command mode and cannot return back (bsc#966701)
- shim-install : fix no which command for JeOS (bsc#968264)
-------------------------------------------------------------------
Thu Dec 3 10:26:14 UTC 2015 - jsegitz@novell.com
- acquired updated signature from Microsoft
-------------------------------------------------------------------
Mon Nov 9 08:22:43 UTC 2015 - glin@suse.com
- Add shim-bsc950569-fix-cryptlib-va-functions.patch to fix the
definition of va functions to avoid the potential crash
(bsc#950569)
- Update shim-opensuse-cert-prompt.patch to avoid setting NULL to
MokListRT (bsc#950801)
- Drop shim-fix-mokmanager-sections.patch as we are using the
newer binutils now
- Refresh shim-change-debug-file-path.patch
-------------------------------------------------------------------
Thu Oct 8 06:49:43 UTC 2015 - jsegitz@novell.com
- acquired updated signature from Microsoft
-------------------------------------------------------------------
Tue Sep 15 05:03:10 UTC 2015 - mchang@suse.com
- shim-install : set default GRUB_DISTRIBUTOR from /etc/os-release
if it is empty or not set by user (bsc#942519)
-------------------------------------------------------------------
Thu Jul 16 06:49:01 UTC 2015 - glin@suse.com
- Add shim-update-openssl-1.0.2d.patch to update openssl to 1.0.2d
- Refresh shim-gcc5.patch and add it back since we really need it
- Add shim-change-debug-file-path.patch to change the debug file
path in shim.efi
+ also add the debuginfo and debugsource subpackages
- Drop shim-fix-gnu-efi-30w.patch which is not necessary anymore
-------------------------------------------------------------------
Mon Jul 6 09:06:02 UTC 2015 - glin@suse.com
- Update to 0.9
- Refresh patches
+ shim-fix-gnu-efi-30w.patch
+ shim-fix-mokmanager-sections.patch
+ shim-opensuse-cert-prompt.patch
- Drop upstreamed patches
+ shim-bsc920515-fix-fallback-buffer-length.patch
+ shim-mokx-support.patch
+ shim-update-cryptlib.patch
- Drop shim-bsc919675-uninstall-shim-protocols.patch since
upstream fixed the bug in another way.
- Drop shim-gcc5.patch which was fixed in another way
-------------------------------------------------------------------
Wed Apr 8 07:10:39 UTC 2015 - glin@suse.com
- Fix tags in the spec file
-------------------------------------------------------------------
Tue Apr 7 07:42:06 UTC 2015 - glin@suse.com
- Add shim-update-cryptlib.patch to update Cryptlib to r16559 and
openssl to 0.9.8zf
- Add shim-bsc919675-uninstall-shim-protocols.patch to uninstall
the shim protocols at Exit (bsc#919675)
- Add shim-bsc920515-fix-fallback-buffer-length.patch to adjust
the buffer size for the boot options (bsc#920515)
- Refresh shim-opensuse-cert-prompt.patch
-------------------------------------------------------------------
Thu Apr 2 16:31:28 UTC 2015 - crrodriguez@opensuse.org
- shim-gcc5.patch: shim needs -std=gnu89 to build with GCC5
-------------------------------------------------------------------
Tue Feb 17 06:02:34 UTC 2015 - mchang@suse.com
- shim-install : fix cryptodisk installation (boo#917427)
-------------------------------------------------------------------
Tue Nov 11 04:26:00 UTC 2014 - glin@suse.com
- Add shim-fix-mokmanager-sections.patch to fix the objcopy
parameters for the EFI files
-------------------------------------------------------------------
Tue Oct 28 04:00:51 UTC 2014 - glin@suse.com
- Update to 0.8
- Add shim-fix-gnu-efi-30w.patch to adapt the change in
gnu-efi-3.0w
- Merge shim-signed-unsigned-compares.patch,
shim-mokmanager-support-sha-family.patch and
shim-bnc863205-mokmanager-fix-hash-delete.patch into
shim-mokx-support.patch
- Refresh shim-opensuse-cert-prompt.patch
- Drop upstreamed patches: shim-update-openssl-0.9.8zb.patch,
bug-889332_shim-overflow.patch, and bug-889332_shim-mok-oob.patch
- Enable aarch64
-------------------------------------------------------------------
Mon Oct 13 13:09:14 UTC 2014 - jsegitz@novell.com
- Fixed buffer overflow and OOB access in shim trusted code path
(bnc#889332, CVE-2014-3675, CVE-2014-3676, CVE-2014-3677)
* added bug-889332_shim-mok-oob.patch, bug-889332_shim-overflow.patch
- Added new certificate by Microsoft
-------------------------------------------------------------------
Wed Sep 3 12:32:25 UTC 2014 - lnussel@suse.de
- re-introduce build failure if shim_enforce_ms_signature is defined. That way
a project like openSUSE:Factory can decide whether or not shim needs a valid
MS signature.
-------------------------------------------------------------------
Tue Aug 19 04:38:36 UTC 2014 - glin@suse.com
- Add shim-update-openssl-0.9.8zb.patch to update openssl to
0.9.8zb
-------------------------------------------------------------------
Tue Aug 12 14:19:36 UTC 2014 - jsegitz@suse.com
- updated shim to new version (OpenSSL 0.9.8za) and requested a new
certificate from Microsoft. Removed
* shim-allow-fallback-use-system-loadimage.patch
* shim-bnc872503-check-key-encoding.patch
* shim-bnc877003-fetch-from-the-same-device.patch
* shim-correct-user_insecure-usage.patch
* shim-fallback-avoid-duplicate-bootorder.patch
* shim-fallback-improve-entries-creation.patch
* shim-fix-dhcpv4-path-generation.patch
* shim-fix-uninitialized-variable.patch
* shim-fix-verify-mok.patch
* shim-get-variable-check.patch
* shim-improve-error-messages.patch
* shim-mokmanager-delete-bs-var-right.patch
* shim-mokmanager-handle-keystroke-error.patch
* shim-remove-unused-variables.patch
since they're included in upstream and rebased the remaining onces.
Added shim-signed-unsigned-compares.patch to fix some compiler
warnings
-------------------------------------------------------------------
Tue Aug 12 09:18:42 UTC 2014 - glin@suse.com
- Keep shim-devel.efi for the devel project
-------------------------------------------------------------------
Fri Aug 8 11:18:36 UTC 2014 - lnussel@suse.de
- don't fail the build if the UEFI signing service signature can't
be attached anymore. This way shim can still pass through staging
projects. We will verify the correct signature for release builds
using openQA instead.
-------------------------------------------------------------------
Mon Aug 4 07:53:22 UTC 2014 - mchang@suse.com
- shim-install: fix GRUB shows broken letters at boot by calling
grub2-install to initialize /boot/grub2 directory with files
needed by grub.cfg (bnc#889765)
-------------------------------------------------------------------
Wed May 28 04:13:33 UTC 2014 - glin@suse.com
- Add shim-remove-unused-variables.patch to remove the unused
variables
- Add shim-bnc872503-check-key-encoding.patch to check the encoding
of the keys (bnc#872503)
- Add shim-bnc877003-fetch-from-the-same-device.patch to fetch the
netboot image from the same device (bnc#877003)
- Refresh shim-opensuse-cert-prompt.patch
-------------------------------------------------------------------
Wed May 14 09:39:02 UTC 2014 - glin@suse.com
- Use --reinit instead of --refresh in %post to update the files
in /boot
-------------------------------------------------------------------
Tue Apr 29 07:38:11 UTC 2014 - mchang@suse.com
- shim-install: fix boot partition and rollback support kluge
(bnc#875385)
-------------------------------------------------------------------
Thu Apr 10 08:20:20 UTC 2014 - glin@suse.com
- Replace shim-mokmanager-support-sha1.patch with
shim-mokmanager-support-sha-family.patch to support the SHA
family
-------------------------------------------------------------------
Mon Apr 7 09:32:21 UTC 2014 - glin@suse.com
- Add shim-mokmanager-support-sha1.patch to support SHA1 hashes in
MOK
-------------------------------------------------------------------
Mon Mar 31 11:57:13 UTC 2014 - mchang@suse.com
- snapper rollback support (fate#317062)
- refresh shim-install
-------------------------------------------------------------------
Thu Mar 13 02:32:15 UTC 2014 - glin@suse.com
- Insert the right signature (bnc#867974)
-------------------------------------------------------------------
Mon Mar 10 07:56:44 UTC 2014 - glin@suse.com
- Add shim-fix-uninitialized-variable.patch to fix the use of
uninitialzed variables in lib
-------------------------------------------------------------------
Fri Mar 7 09:09:12 UTC 2014 - glin@suse.com
- Add shim-mokmanager-delete-bs-var-right.patch to delete the BS+NV
variables the right way
- Update shim-opensuse-cert-prompt.patch to delete openSUSE_Verify
correctly
-------------------------------------------------------------------
Thu Mar 6 07:37:57 UTC 2014 - glin@suse.com
- Add shim-fallback-avoid-duplicate-bootorder.patch to fix the
duplicate entries in BootOrder
- Add shim-allow-fallback-use-system-loadimage.patch to handle the
shim protocol properly to keep only one protocol entity
- Refresh shim-opensuse-cert-prompt.patch
-------------------------------------------------------------------
Thu Mar 6 03:53:49 UTC 2014 - mchang@suse.com
- shim-install: fix the $prefix to use grub2-mkrelpath for paths
on btrfs subvolume (bnc#866690).
-------------------------------------------------------------------
Tue Mar 4 04:19:05 UTC 2014 - glin@suse.com
- FATE#315002: Update shim-install to install shim.efi as the EFI
default bootloader when none exists in \EFI\boot.
-------------------------------------------------------------------
Thu Feb 27 09:46:49 UTC 2014 - fcrozat@suse.com
- Update signature-sles.asc: shim signed by UEFI signing service,
based on code from "Thu Feb 20 11:57:01 UTC 2014"
-------------------------------------------------------------------
Fri Feb 21 08:45:46 UTC 2014 - glin@suse.com
- Add shim-opensuse-cert-prompt.patch to show the prompt to ask
whether the user trusts the openSUSE certificate or not
-------------------------------------------------------------------
Thu Feb 20 11:57:01 UTC 2014 - lnussel@suse.de
- allow package to carry multiple signatures
- check correct certificate is embedded
-------------------------------------------------------------------
Thu Feb 20 10:06:47 UTC 2014 - lnussel@suse.de
- always clean up generated files that embed certificates
(shim_cert.h shim.cer shim.crt) to make sure next build loop
rebuilds them properly
-------------------------------------------------------------------
Mon Feb 17 09:58:56 UTC 2014 - glin@suse.com
- Add shim-bnc863205-mokmanager-fix-hash-delete.patch to fix the
hash deletion operation to avoid ruining the whole list
(bnc#863205)
-------------------------------------------------------------------
Tue Feb 11 06:30:02 UTC 2014 - glin@suse.com
- Update shim-mokx-support.patch to support the resetting of MOK
blacklist
- Add shim-get-variable-check.patch to fix the variable checking
in get_variable_attr
- Add shim-fallback-improve-entries-creation.patch to improve the
boot entry pathes and avoid generating the boot entries that
are already there
- Update SUSE certificate
- Update attach_signature.sh, show_hash.sh, strip_signature.sh,
extract_signature.sh and show_signatures.sh to remove the
creation of the temporary nss database
- Add shim-only-os-name.patch: remove the kernel version of the
build server
- Match the the prefix of the project name properly by escaping the
percent sign.
-------------------------------------------------------------------
Wed Jan 22 13:45:44 UTC 2014 - lnussel@suse.de
- enable signature assertion also in SUSE: hierarchy
-------------------------------------------------------------------
Fri Dec 6 06:44:43 UTC 2013 - glin@suse.com
- Add shim-mokmanager-handle-keystroke-error.patch to handle the
error status from ReadKeyStroke to avoid unexpected keys
-------------------------------------------------------------------
Thu Dec 5 02:05:13 UTC 2013 - glin@suse.com
- Update to 0.7
- Add upstream patches:
+ shim-fix-verify-mok.patch
+ shim-improve-error-messages.patch
+ shim-correct-user_insecure-usage.patch
+ shim-fix-dhcpv4-path-generation.patch
- Add shim-mokx-support.patch to support the MOK blacklist
(Fate#316531)
- Drop upstreamed patches
+ shim-fix-pointer-casting.patch
+ shim-merge-lf-loader-code.patch
+ shim-fix-simple-file-selector.patch
+ shim-mokmanager-support-crypt-hash-method.patch
+ shim-bnc804631-fix-broken-bootpath.patch
+ shim-bnc798043-no-doulbe-separators.patch
+ shim-bnc807760-change-pxe-2nd-loader-name.patch
+ shim-bnc808106-correct-certcount.patch
+ shim-mokmanager-ui-revamp.patch
+ shim-netboot-fixes.patch
+ shim-mokmanager-disable-gfx-console.patch
- Drop shim-suse-build.patch: it's not necessary anymore
- Drop shim-bnc841426-silence-shim-protocols.patch: shim is not
verbose by default
-------------------------------------------------------------------
Thu Oct 31 09:11:18 UTC 2013 - fcrozat@suse.com
- Update microsoft.asc: shim signed by UEFI signing service, based
on code from "Tue Oct 1 04:29:29 UTC 2013".
-------------------------------------------------------------------
Tue Oct 1 04:29:29 UTC 2013 - glin@suse.com
- Add shim-netboot-fixes.patch to include upstream netboot fixes
- Add shim-mokmanager-disable-gfx-console.patch to disable the
graphics console to avoid system hang on some machines
- Add shim-bnc841426-silence-shim-protocols.patch to silence the
shim protocols (bnc#841426)
-------------------------------------------------------------------
Wed Sep 25 07:17:54 UTC 2013 - glin@suse.com
- Create boot.csv in ESP for fallback.efi to restore the boot entry
-------------------------------------------------------------------
Tue Sep 17 10:53:50 CEST 2013 - fcrozat@suse.com
- Update microsoft.asc: shim signed by UEFI signing service, based
on code from "Fri Sep 6 13:57:36 UTC 2013".
- Improve extract_signature.sh to work on current path.
-------------------------------------------------------------------
Fri Sep 6 13:57:36 UTC 2013 - lnussel@suse.de
- set timestamp of PE file to time of the binary the signature was
made for.
- make sure cert.o get's rebuilt for each target
-------------------------------------------------------------------
Fri Sep 6 11:48:14 CEST 2013 - fcrozat@suse.com
- Update microsoft.asc: shim signed by UEFI signing service, based
on code from "Wed Aug 28 15:54:38 UTC 2013"
-------------------------------------------------------------------
Wed Aug 28 15:54:38 UTC 2013 - lnussel@suse.de
- always build a shim that embeds the distro's certificate (e.g.
shim-opensuse.efi). If the package is built in the devel project
additionally shim-devel.efi is created. That allows us to either
load grub2/kernel signed by the distro or signed by the devel
project, depending on use case. Also shim-$distro.efi from the
devel project can be used to request additional signatures.
-------------------------------------------------------------------
Wed Aug 28 07:16:51 UTC 2013 - lnussel@suse.de
- also include old openSUSE 4096 bit certificate to be able to still
boot kernels signed with that key.
- add show_signatures script
-------------------------------------------------------------------
Tue Aug 27 06:41:03 UTC 2013 - lnussel@suse.de
- replace the 4096 bit openSUSE UEFI CA certificate with new a
standard compliant 2048 bit one.
-------------------------------------------------------------------
Tue Aug 20 11:48:25 UTC 2013 - lnussel@suse.de
- fix shell syntax error
-------------------------------------------------------------------
Wed Aug 7 15:51:36 UTC 2013 - lnussel@suse.de
- don't include binary in the sources. Instead package the raw
signature and attach it during build (bnc#813448).
-------------------------------------------------------------------
Tue Jul 30 07:36:28 UTC 2013 - glin@suse.com
- Update shim-mokmanager-ui-revamp.patch to include fixes for
MokManager
+ reboot the system after clearing MOK password
+ fetch more info from X509 name
+ check the suffix of the key file
-------------------------------------------------------------------
Tue Jul 23 03:55:05 UTC 2013 - glin@suse.com
- Update to 0.4
- Rebase patches
+ shim-suse-build.patch
+ shim-mokmanager-support-crypt-hash-method.patch
+ shim-bnc804631-fix-broken-bootpath.patch
+ shim-bnc798043-no-doulbe-separators.patch
+ shim-bnc807760-change-pxe-2nd-loader-name.patch
+ shim-bnc808106-correct-certcount.patch
+ shim-mokmanager-ui-revamp.patch
- Add patches
+ shim-merge-lf-loader-code.patch: merge the Linux Foundation
loader UI code
+ shim-fix-pointer-casting.patch: fix a casting issue and the
size of an empty vendor cert
+ shim-fix-simple-file-selector.patch: fix the buffer allocation
in the simple file selector
- Remove upstreamed patches
+ shim-support-mok-delete.patch
+ shim-reboot-after-changes.patch
+ shim-clear-queued-key.patch
+ shim-local-key-sign-mokmanager.patch
+ shim-get-2nd-stage-loader.patch
+ shim-fix-loadoptions.patch
- Remove unused patch: shim-mokmanager-new-pw-hash.patch and
shim-keep-unsigned-mokmanager.patch
- Install the vendor certificate to /etc/uefi/certs
-------------------------------------------------------------------
Wed May 8 06:40:12 UTC 2013 - glin@suse.com
- Add shim-mokmanager-ui-revamp.patch to update the MokManager UI
-------------------------------------------------------------------
Wed Apr 3 03:54:22 UTC 2013 - glin@suse.com
- Call update-bootloader in %post to update *.efi in \efi\opensuse
(bnc#813079)
-------------------------------------------------------------------
Fri Mar 8 06:53:47 UTC 2013 - glin@suse.com
- Add shim-bnc807760-change-pxe-2nd-loader-name.patch to change the
PXE 2nd stage loader name (bnc#807760)
- Add shim-bnc808106-correct-certcount.patch to correct the
certificate count of the signature list (bnc#808106)
-------------------------------------------------------------------
Fri Mar 1 10:07:55 UTC 2013 - glin@suse.com
- Add shim-bnc798043-no-doulbe-separators.patch to remove double
seperators from the bootpath (bnc#798043#c4)
-------------------------------------------------------------------
Thu Feb 28 08:57:48 UTC 2013 - lnussel@suse.de
- sign shim also with openSUSE certificate
-------------------------------------------------------------------
Wed Feb 27 15:52:53 CET 2013 - mls@suse.de
- identify project, export certificate as DER file
- don't create an unused extra keypair
-------------------------------------------------------------------
Thu Feb 21 10:08:12 UTC 2013 - glin@suse.com
- Add shim-bnc804631-fix-broken-bootpath.patch to fix the broken
bootpath generated in generate_path(). (bnc#804631)
-------------------------------------------------------------------
Mon Feb 11 12:15:25 UTC 2013 - fcrozat@suse.com
- Update with shim signed by UEFI signing service, based on code
from "Thu Feb 7 06:56:19 UTC 2013".
-------------------------------------------------------------------
Thu Feb 7 13:54:06 UTC 2013 - lnussel@suse.de
- prepare for having a signed shim from the UEFI signing service
-------------------------------------------------------------------
Thu Feb 7 06:56:19 UTC 2013 - glin@suse.com
- Sign shim-opensuse.efi and MokManager.efi with the openSUSE cert
- Add shim-keep-unsigned-mokmanager.patch to keep the unsigned
MokManager and sign it later.
-------------------------------------------------------------------
Wed Feb 6 06:35:45 UTC 2013 - mchang@suse.com
- Add shim-install utility
- Add Recommends to grub2-efi
-------------------------------------------------------------------
Wed Jan 30 09:00:31 UTC 2013 - glin@suse.com
- Add shim-mokmanager-support-crypt-hash-method.patch to support
password hash from /etc/shadow (FATE#314506)
-------------------------------------------------------------------
Tue Jan 29 03:20:48 UTC 2013 - glin@suse.com
- Embed openSUSE-UEFI-CA-Certificate.crt in shim
- Rename shim-unsigned.efi to shim-opensuse.efi.
-------------------------------------------------------------------
Fri Jan 18 10:06:13 UTC 2013 - glin@suse.com
- Update shim-mokmanager-new-pw-hash.patch to extend the password
hash format
- Rename shim.efi as shim-unsigned.efi
-------------------------------------------------------------------
Wed Jan 16 08:01:55 UTC 2013 - glin@suse.com
- Merge patches for FATE#314506
+ Add shim-support-mok-delete.patch to add support for deleting
specific keys
+ Add shim-mokmanager-new-pw-hash.patch to support the new
password hash.
- Drop shim-correct-mok-size.patch which is included in
shim-support-mok-delete.patch
- Merge shim-remove-debug-code.patch and
shim-local-sign-mokmanager.patch into
shim-local-key-sign-mokmanager.patch
- Install COPYRIGHT
-------------------------------------------------------------------
Tue Jan 15 03:17:53 UTC 2013 - glin@suse.com
- Add shim-fix-loadoptions.patch to adopt the UEFI shell style
LoadOptions (bnc#798043)
- Drop shim-check-pk-kek.patch since upstream rejected the patch
due to violation of SPEC.
- Install EFI binaries to /usr/lib64/efi
-------------------------------------------------------------------
Wed Dec 26 07:05:02 UTC 2012 - glin@suse.com
- Update shim-reboot-after-changes.patch to avoid rebooting the
system after enrolling keys/hashes from the file system
- Add shim-correct-mok-size.patch to correct the size of MOK
- Add shim-clear-queued-key.patch to clear the queued key and show
the menu properly
-------------------------------------------------------------------
Wed Dec 12 15:16:18 UTC 2012 - fcrozat@suse.com
- Remove shim-rpmlintrc, it wasn't fixing the error, hide error
stdout to prevent post build check to get triggered by cast
warnings in openSSL code
- Add shim-remove-debug-code.patch: remove debug code
-------------------------------------------------------------------
Wed Dec 12 04:01:52 UTC 2012 - glin@suse.com
- Add shim-rpmlintrc to filter 64bit portability errors
-------------------------------------------------------------------
Tue Dec 11 07:36:32 UTC 2012 - glin@suse.com
- Add shim-local-sign-mokmanager.patch to create a local certicate
to sign MokManager
- Add shim-get-2nd-stage-loader.patch to get the second stage
loader path from the load options
- Add shim-check-pk-kek.patch to verify EFI images with PK and KEK
- Add shim-reboot-after-changes.patch to reboot the system after
enrolling or erasing keys
- Install the EFI images to /usr/lib64/shim instead of the EFI
partition
- Update the mail address of the author
-------------------------------------------------------------------
Fri Nov 2 08:19:37 UTC 2012 - glin@suse.com
- Add new package shim 0.2 (FATE#314484)
+ It's in fact git 2fd180a92 since there is no tag for 0.2

114
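--- a/shim-leap.spec
+++ b/shim-leap.spec
@@ -0,0 +1,114 @@
+#
+# spec file for package shim-leap
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+# Move 'efi'-executables to '/usr/share/efi' (FATE#326960, bsc#1166523)
+%define sysefibasedir %{_datadir}/efi
+%define sysefidir %{sysefibasedir}/%{_target_cpu}
+%if 0%{?suse_version} < 1600
+# provide compatibility sym-link for residual kiwi, etc.
+%define shim_lib64_share_compat 1
+%endif
+%ifarch x86_64
+%define pkg_t lp155.8.2.x86_64
+%endif
+%ifarch aarch64
+%define pkg_t lp155.8.8.aarch64
+%endif
+Name: shim-leap
+Version: 15.8
+Release: 0
+Summary: UEFI shim loader
+License: BSD-2-Clause
+Group: System/Boot
+Source0: shim-15.8-%{pkg_t}.rpm
+Source1: README
+Source2: shim-install
+BuildRequires: fde-tpm-helper-rpm-macros
+BuildRequires: update-bootloader-rpm-macros
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
+ExclusiveArch: x86_64 aarch64
+%description
+does not exist
+%package -n shim
+Summary: UEFI shim loader
+Group: System/Boot
+Requires: perl-Bootloader
+%if 0%{?fde_tpm_update_requires:1}
+%fde_tpm_update_requires
+%endif
+%description -n shim
+shim is a trivial EFI application that, when run, attempts to open and
+execute another application.
+%prep
+rpm2cpio %{SOURCE0} | cpio --extract --unconditional --preserve-modification-time --make-directories
+%build
+%install
+# purely repackaged
+cp -a * %{buildroot}
+cp %{S:1} .
+# Override shim-install
+install -m 755 %{S:2} %{buildroot}/%{_sbindir}/shim-install
+%if %{undefined shim_lib64_share_compat}
+# Remove the sym-links in /usr/lib64/efi
+rm -rf %{buildroot}/usr/lib64/efi
+%endif
+%post -n shim
+%if 0%{?fde_tpm_update_post:1}
+%fde_tpm_update_post shim
+%endif
+%if 0%{?update_bootloader_check_type_reinit_post:1}
+%update_bootloader_check_type_reinit_post grub2-efi
+%else
+/sbin/update-bootloader --reinit || true
+%endif
+%posttrans -n shim
+%{?update_bootloader_posttrans}
+%{?fde_tpm_update_posttrans}
+%files -n shim
+%doc README
+%dir %{?sysefibasedir}
+%dir %{sysefidir}
+%{sysefidir}/shim.efi
+%{sysefidir}/shim-*.efi
+%{sysefidir}/shim-*.der
+%{sysefidir}/MokManager.efi
+%{sysefidir}/fallback.efi
+%if %{defined shim_lib64_share_compat}
+# provide compatibility sym-link for previous kiwi, etc.
+%dir /usr/lib64/efi
+/usr/lib64/efi/*.efi
+%endif
+/etc/uefi
+%{_sbindir}/shim-install
+/usr/share/doc/packages/shim
+%changelog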
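Review bot: Nothing in this spec checks that the imported `shim-15.8-%{pkg_t}.rpm`, or the `shim.efi` inside it, is the expected signed artifact: `%prep` unpacks it with `rpm2cpio %{SOURCE0} | cpio …` and `%install` copies everything into the buildroot with `cp -a *`. Because the package ships the first-stage Secure Boot loader as an opaque binary, I would add an explicit integrity gate at the top of `%prep`. One option is `rpmkeys --checksig %{SOURCE0}`, assuming the Leap signing key is available in the build root; another is a pinned digest check such as `echo "<expected-sha256>  %{SOURCE0}" | sha256sum -c -`. The repository may already pin the file by other means, but the build as written does not fail on a mismatch. A short comment next to each `%define pkg_t` recording which Leap build the value refers to would also make later version bumps easier to review.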