Accepting request 888994 from home:gary_lin:branches:devel:openSUSE:Factory

- Split the keys in vendor-dbx.bin to vendor-dbx-sles and vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce the size of MokListXRT (bsc#1185261) + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz OBS-URL: https://build.opensuse.org/request/show/888994 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=178
2021-04-28 10:01:26 +00:00 · 2021-04-28 10:01:26 +00:00 · 14a92e6f61
commit 14a92e6f61
parent 0f47283b84
5 changed files with 19 additions and 7 deletions
--- a/dbx-cert.tar.xz
+++ b/dbx-cert.tar.xz
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:7cea42a328d6dbac923fce1a15f1e941eee7c829aeff6c0b5016475cca99c47c
-size 7032
+oid sha256:c872989a35b85ff4a284871d95bae930f6372a31f3353e72890775bf151e5ff2
+size 7052
--- a/shim.changes
+++ b/shim.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Apr 28 09:28:30 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Split the keys in vendor-dbx.bin to vendor-dbx-sles and
+  vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce
+  the size of MokListXRT (bsc#1185261) 
+  + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz
+
 -------------------------------------------------------------------
 Thu Apr  8 08:44:27 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>

--- a/shim.spec
+++ b/shim.spec
@ -60,8 +60,10 @@ Source11:       signature-sles.x86_64.asc
 Source12:       signature-opensuse.aarch64.asc
 Source13:       signature-sles.aarch64.asc
 Source50:       dbx-cert.tar.xz
-# vendor-dbx.bin is generated by generate-vendor-dbx.sh in dbx-cert.tar.xz
+# vendor-dbx*.bin are generated by generate-vendor-dbx.sh in dbx-cert.tar.xz
 Source51:       vendor-dbx.bin
+Source52:       vendor-dbx-sles.bin
+Source53:       vendor-dbx-opensuse.bin
 Source99:       SIGNATURE_UPDATE.txt
 # PATCH-FIX-SUSE shim-arch-independent-names.patch glin@suse.com -- Use the Arch-independent names
 Patch1:         shim-arch-independent-names.patch
@ -111,7 +113,6 @@ Group:          Development/Debug
 %description -n shim-debugsource
 The source code of UEFI shim loader

-
 %prep
 %setup -q
 %patch1 -p1
@ -165,6 +166,7 @@ for suffix in "${suffixes[@]}"; do
    if test "$suffix" = "opensuse"; then
 	cert=%{SOURCE2}
 	verify='openSUSE Secure Boot CA1'
+	vendor_dbx=%{SOURCE53}
 %ifarch x86_64
 	signature=%{SOURCE1}
 %else
@ -176,6 +178,7 @@ for suffix in "${suffixes[@]}"; do
    elif test "$suffix" = "sles"; then
 	cert=%{SOURCE4}
 	verify='SUSE Linux Enterprise Secure Boot CA1'
+	vendor_dbx=%{SOURCE52}
 %ifarch x86_64
 	signature=%{SOURCE11}
 %else
@ -187,6 +190,7 @@ for suffix in "${suffixes[@]}"; do
    elif test "$suffix" = "devel"; then
 	cert=%{_sourcedir}/_projectcert.crt
 	verify=`openssl x509 -in "$cert" -noout -email`
+	vendor_dbx=%{SOURCE51}
 	signature=''
 	test -e "$cert" || continue
    else
@ -198,7 +202,7 @@ for suffix in "${suffixes[@]}"; do
    make RELEASE=0 SHIMSTEM=shim \
         VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \
         DEFAULT_LOADER="\\\\\\\\grub.efi" \
-         VENDOR_DBX_FILE=%{SOURCE51} \
+         VENDOR_DBX_FILE=$vendor_dbx \
         shim.efi.debug shim.efi
    #
    # assert correct certificate embedded
--- a/vendor-dbx-opensuse.bin
+++ b/vendor-dbx-opensuse.bin
--- a/vendor-dbx-sles.bin
+++ b/vendor-dbx-sles.bin