Accepting request 1089032 from devel:openSUSE:Factory

OBS-URL: https://build.opensuse.org/request/show/1089032 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shim?expand=0&rev=113
2023-05-26 18:15:09 +00:00 · 2023-05-26 18:15:09 +00:00 · b42affaed6
commit b42affaed6
parent 6d8249d4ab b90dab54cc
2 changed files with 17 additions and 5 deletions
--- a/13
+++ b/13
@ -370,20 +370,23 @@ prepare_cryptodisk () {
    return
  fi

-  tpm_pcr_bank="${GRUB_TPM2_PCR_BANK:-sha256}"
-  tpm_pcr_list="${GRUB_TPM2_PCR_LIST:-0,2,4,7,9}"
  tpm_sealed_key="${GRUB_TPM2_SEALED_KEY}"

  declare -g TPM_PCR_SNAPSHOT_TAKEN

  if [ -z "$TPM_PCR_SNAPSHOT_TAKEN" ]; then
    TPM_PCR_SNAPSHOT_TAKEN=1
-    echo "tpm_record_pcrs 0-9"
+
+    # Check if tpm_record_pcrs is available and set the command to
+    # grub.cfg.
+    if grep -q "tpm_record_pcrs" ${datadir}/grub2/${arch}-efi/command.lst ; then
+      echo "tpm_record_pcrs 0-9"
+    fi
  fi

  cat <<EOF
-tpm2_key_protector_init -b $tpm_pcr_bank -p $tpm_pcr_list -k \$prefix/$tpm_sealed_key
-if ! cryptomount -u $uuid -k tpm2; then
+tpm2_key_protector_init -T \$prefix/$tpm_sealed_key
+if ! cryptomount -u $uuid --protector tpm2; then
    cryptomount -u $uuid
 fi
 EOF
--- a/shim.changes
+++ b/shim.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Mon May 15 03:28:47 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Update shim-install to amend full disk encryption support
+    b540061e041b  Adopt TPM 2.0 Key File for grub2 TPM 2.0 protector
+    f2e8143ce831  Use the long name to specify the grub2 key protector
+    72830120e5ea  cryptodisk: support TPM authorized policies
+    49e7a0d307f3  Do not use tpm_record_pcrs unless the command is in command.lst
+
 -------------------------------------------------------------------
 Mon Apr 10 05:04:33 UTC 2023 - Joey Lee <jlee@suse.com>