From ceaad5e057570467b205f7d1c9e0673505cd0b3437fa72804a69e1c3105caf6c Mon Sep 17 00:00:00 2001 
From: Joey Lee Date: Wed, 18 Sep 2024 04:26:12 +0000 Subject: [PATCH] - Update shim-install to apply the missing fix for openSUSE Leap (bsc#1210382) * 86b73d1 Fix that bootx64.efi is not updated on Leap - Update shim-install to use the 'removable' way for SL-Micro (bsc#1230316) * 433cc4e Always use the removable way for SL-Micro OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=215 --- .gitattributes | 23 + .gitignore | 1 + SIGNATURE_UPDATE.txt | 25 + SLES-UEFI-CA-Certificate.crt | 29 + attach_signature.sh | 14 + extract_signature.sh | 15 + generate-vendor-dbx.sh | 22 + openSUSE-UEFI-CA-Certificate.crt | 26 + remove_build_id.patch | 26 + ...ked-SLES-UEFI-SIGN-Certificate-2013-01.crt | 34 + ...ked-SLES-UEFI-SIGN-Certificate-2013-04.crt | 29 + ...ked-SLES-UEFI-SIGN-Certificate-2016-02.crt | 29 + ...ked-SLES-UEFI-SIGN-Certificate-2020-07.crt | 29 + ...ked-SLES-UEFI-SIGN-Certificate-2021-05.crt | 29 + ...openSUSE-UEFI-SIGN-Certificate-2013-01.crt | 32 + ...openSUSE-UEFI-SIGN-Certificate-2013-08.crt | 27 + ...openSUSE-UEFI-SIGN-Certificate-2020-01.crt | 27 + ...openSUSE-UEFI-SIGN-Certificate-2020-07.crt | 27 + ...openSUSE-UEFI-SIGN-Certificate-2021-05.crt | 27 + shim-15.8.tar.bz2 | 3 + shim-arch-independent-names.patch | 61 + shim-bsc1177315-verify-eku-codesign.patch | 696 ++++++ shim-change-debug-file-path.patch | 54 + shim-disable-export-vendor-dbx.patch | 36 + shim-install | 530 +++++ shim.changes | 1876 +++++++++++++++++ shim.spec | 379 ++++ show_hash.sh | 12 + show_signatures.sh | 12 + signature-opensuse.aarch64.asc | 210 ++ signature-opensuse.x86_64.asc | 208 ++ signature-sles.aarch64.asc | 210 ++ signature-sles.x86_64.asc | 208 ++ strip_signature.sh | 13 + timestamp.pl | 146 ++ 35 files changed, 5125 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 SIGNATURE_UPDATE.txt create mode 100644 SLES-UEFI-CA-Certificate.crt create mode 100644 attach_signature.sh create mode 100644 
extract_signature.sh create mode 100644 generate-vendor-dbx.sh create mode 100644 openSUSE-UEFI-CA-Certificate.crt create mode 100644 remove_build_id.patch create mode 100644 revoked-SLES-UEFI-SIGN-Certificate-2013-01.crt create mode 100644 revoked-SLES-UEFI-SIGN-Certificate-2013-04.crt create mode 100644 revoked-SLES-UEFI-SIGN-Certificate-2016-02.crt create mode 100644 revoked-SLES-UEFI-SIGN-Certificate-2020-07.crt create mode 100644 revoked-SLES-UEFI-SIGN-Certificate-2021-05.crt create mode 100644 revoked-openSUSE-UEFI-SIGN-Certificate-2013-01.crt create mode 100644 revoked-openSUSE-UEFI-SIGN-Certificate-2013-08.crt create mode 100644 revoked-openSUSE-UEFI-SIGN-Certificate-2020-01.crt create mode 100644 revoked-openSUSE-UEFI-SIGN-Certificate-2020-07.crt create mode 100644 revoked-openSUSE-UEFI-SIGN-Certificate-2021-05.crt create mode 100644 shim-15.8.tar.bz2 create mode 100644 shim-arch-independent-names.patch create mode 100644 shim-bsc1177315-verify-eku-codesign.patch create mode 100644 shim-change-debug-file-path.patch create mode 100644 shim-disable-export-vendor-dbx.patch create mode 100644 shim-install create mode 100644 shim.changes create mode 100644 shim.spec create mode 100644 show_hash.sh create mode 100644 show_signatures.sh create mode 100644 signature-opensuse.aarch64.asc create mode 100644 signature-opensuse.x86_64.asc create mode 100644 signature-sles.aarch64.asc create mode 100644 signature-sles.x86_64.asc create mode 100644 strip_signature.sh create mode 100644 timestamp.pl diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes 
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/SIGNATURE_UPDATE.txt b/SIGNATURE_UPDATE.txt
new file mode 100644
index 0000000..265e452
--- /dev/null
+++ b/SIGNATURE_UPDATE.txt
@@ -0,0 +1,25 @@
+==== openSUSE ====
+For openSUSE, the devel project of shim is devel:openSUSE:Factory. ALWAYS
+use the latest Leap to build shim-opensuse.efi for UEFI CA. Tumbleweed
+shares the same binary with Leap, so do the older Leap releases.
+
+The steps to udpate signature-opensuse.asc:
+1) Branch devel:openSUSE:Factory/shim.
+2) Add the latest Leap, e.g. 42.2, to the build target.
+3) Build shim-opensuse.efi against the latest Leap.
+4) Strip the signature from shim-opensuse.efi with strip_signature.sh.
+5) Send shim-opensuse.efi to UEFI CA to request a new signature.
+6) Extract the signature from the signed shim.efi with extract_signature.sh
+7) Update signature-opensuse.asc.
+
+==== SLES ===
+Since there is no devel project for shim in SLES, just build shim-sles.efi with
+the latest SLES and then send it to UEFI CA for a new signature.
+
+The steps to update signature-sles.asc:
+1) Branch shim from the latest SLES and apply the update/fix.
+2) Build shim-sles.efi against the latest SLES.
+3) Strip the signature from shim-sles.efi with strip_signature.sh.
+4) Send shim-sles.efi to UEFI CA to request a new signature.
+5) Extract the signature from the signed shim.efi with extract_signature.sh
+6) Update signature-sles.asc.
diff --git a/SLES-UEFI-CA-Certificate.crt b/SLES-UEFI-CA-Certificate.crt
new file mode 100644
index 0000000..480fa09
--- /dev/null
+++ b/SLES-UEFI-CA-Certificate.crt
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIE5TCCA82gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT +RSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTES +MBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3Rz +IEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxk +QHN1c2UuZGUwHhcNMTMwNDE4MTQzMzQxWhcNMzUwMzE0MTQzMzQxWjCBpjEtMCsG +A1UEAwwkU1VTRSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYD +VQQGEwJERTESMBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4 +IFByb2R1Y3RzIEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0B +CQEWDWJ1aWxkQHN1c2UuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQDN/avXKoT4gcM2NVA1LMfsBPH01sxgS8gTs3SbvfbEP2M+ZlHyfj9ufHZ7cZ1p +ISoVm6ql5VbIeZgSNc17Y4y4Nynud1C8t2SP/iZK5YMYHGxdtIfv1zPE+Bo/KZqE +WgHg2YFtMXdiKfXBZRTfSh37t0pGO/OQi6K4JioKw55UtQNggePZWDXtsAviT2vv +abqLR9+kxdrQ0iWqhWM+LwXbTGkCpg41s8KucLD/JYAxxw05dKPApFDNnz+Ft2L7 +e5JtyB4S0u4PlvQBMNHt4hDs0rK4oeHFLbOxHvjF+nloneWhkg9eT0VCfpAYVYz+ +whMxuCHerDCdmeFrRGEMQz11AgMBAAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/ +MB0GA1UdDgQWBBTsqw1CxFbPdwQ2uXOZOGKWXocmLzCB0wYDVR0jBIHLMIHIgBTs +qw1CxFbPdwQ2uXOZOGKWXocmL6GBrKSBqTCBpjEtMCsGA1UEAwwkU1VTRSBMaW51 +eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTESMBAGA1UE +BwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3RzIEdtYkgx +EzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxkQHN1c2Uu +ZGWCAQEwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQASviyFhVqU +Wc1JUQgXwdljJynTnp0/FQOZJBSe7XdBGPmy91+3ITqrXgyqo/218KISiQl53Qlw +pq+cIiGRAia1D7p7wbg7wsg+Trt0zZFXes30wfYq5pjfWadEBAgNCffkBz10TSjL +jQrVwW5N+yUJMoq+r843TzV56Huy6LBOVhI5yTz7X7i2rSJYfyQWM8oeHLj8Yl5M +rOB9gyTumxB4mOLmSqwKzJiUB0ppGPohdLUSSEKDdo6KSH/GjR7M7uBicwnzwJD3 +SVfT9nx9HKF2nXZlHvs5ViQQru3qP1tc6i0eXEnPTYW2+zkZcN0e5iHyozEZHsO0 +rvc1p6G0YWtO +-----END CERTIFICATE----- diff --git a/attach_signature.sh b/attach_signature.sh new file mode 100644 index 0000000..689a7e4 --- /dev/null +++ b/attach_signature.sh 
@@ -0,0 +1,14 @@
+#!/bin/bash
+# attach ascii armored signature to a PE binary
+set -e
+
+sig="$1"
+infile="$2"
+if [ -z "$sig" -o ! -e "$sig" -o -z "$infile" -o ! -e "$infile" ]; then
+ echo "USAGE: $0 sig.asc file.efi"
+ exit 1
+fi
+
+outfile="${infile%.efi}-signed.efi"
+
+pesign -m "$sig" -i "$infile" -o "$outfile"
diff --git a/extract_signature.sh b/extract_signature.sh
new file mode 100644
index 0000000..0a989e5
--- /dev/null
+++ b/extract_signature.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# extract ascii armored signature from a PE binary
+set -e
+
+infile="$1"
+
+if [ -z "$infile" -o ! -e "$infile" ]; then
+ echo "USAGE: $0 file.efi"
+ exit 1
+fi
+
+# wtf?
+(pesign -h -P -i "$infile";
+perl $(dirname $0)/timestamp.pl "$infile";
+pesign -a -f -e /dev/stdout -i "$infile")|cat
diff --git a/generate-vendor-dbx.sh b/generate-vendor-dbx.sh
new file mode 100644
index 0000000..604d74e
--- /dev/null
+++ b/generate-vendor-dbx.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -e
+
+# random UUID for SUSE
+owner=353f0911-0788-451c-aaf7-31688391e8fd
+
+: > vendor-dbx-opensuse.esl
+: > vendor-dbx-sles.esl
+# vendor dbx file with all certs for testing environment
+: > vendor-dbx.esl
+
+for cert in "$@"; do
+ esl="${cert##*/}"
+ esl="${cert%.crt}.esl"
+ cert-to-efi-sig-list -g "$owner" "$cert" "$esl"
+ case "$cert" in
+ *openSUSE*) cat "$esl" >> "vendor-dbx-opensuse.esl" ;;
+ *SLES*) cat "$esl" >> "vendor-dbx-sles.esl" ;;
+ esac
+ cat "$esl" >> "vendor-dbx.esl"
+done
diff --git a/openSUSE-UEFI-CA-Certificate.crt b/openSUSE-UEFI-CA-Certificate.crt
new file mode 100644
index 0000000..eb49085
--- /dev/null
+++ b/openSUSE-UEFI-CA-Certificate.crt
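Review bot: Nothing in attach_signature.sh confirms that the signature file was issued for the binary it is being attached to; the closing `pesign -m "$sig" -i "$infile" -o "$outfile"` is the only step, so as far as the visible lines show a stale or mismatched .asc would still yield a `-signed.efi`. extract_signature.sh writes the `pesign -h -P` hash ahead of the armored signature, so that recorded hash is available for comparison before attaching. At minimum document the gap above the pesign call, e.g. `# NOTE: does not check that the hash recorded in "$sig" matches "$infile"; verify before shipping the output`. The usage message would also be better sent to stderr with `>&2`.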
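Review bot: A failure of either `pesign` call or of timestamp.pl inside the final `( … )|cat` group is masked in extract_signature.sh, because the pipeline's status is that of `cat` and `set -e` does not act on earlier pipeline stages; a truncated signature file could be written with exit code 0 and later committed as the detached signature. Add `set -o pipefail` after `set -e` and join the three commands with `&&` instead of `;` so the first failure decides the group's status. The `$(dirname $0)` expansion is also unquoted; `perl "$(dirname "$0")/timestamp.pl" "$infile"` keeps working when the script path contains spaces.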
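Review bot: In the `for cert` loop of generate-vendor-dbx.sh a certificate whose path matches neither `*openSUSE*` nor `*SLES*` falls through the `case` silently and ends up only in the test-environment `vendor-dbx.esl`, so a misnamed revoked certificate would be missing from both vendor revocation lists without any error. Add a default arm such as `*) echo "unrecognised certificate name: $cert" >&2; exit 1 ;;`. Separately, `esl="${cert##*/}"` is overwritten by the very next assignment, so the basename strip has no effect and the .esl is written next to the source certificate; `esl="${esl%.crt}.esl"` looks like the intent.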
@@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEdDCCA1ygAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgTEgMB4GA1UEAwwXb3Bl +blNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJl +bWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEW +EmJ1aWxkQG9wZW5zdXNlLm9yZzAeFw0xMzA4MjYxNjEyMDdaFw0zNTA3MjIxNjEy +MDdaMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UE +BhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJv +amVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMIIBIjANBgkq +hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3t9hknqk/oPRfTtoDrGn8E6Sk/xHPnAt +Tojcmp76M7Sm2w4jwQ2owdVlBIQE/zpIGE85MuTKTvkEnp8PzSBdYaunANil/yt/ +vuhHwy9bAsi73o4a6UbThu//iJmQ6xCJuIs/PqgHxlV6btNf/IM8PRbtJsUTc5Kx +cB4ilcgAbCV2RvGi2dCwmGgPpy2xDWeJypRK6hLFkVV2f2x6LvkYiZ/49CRD1TVq +ywAOLu1L4l0J2BuXcJmeWm+mgaidqVh2fWlxgtO6OpZDm/DaFcZO6cgVuenLx+Rx +zuoQG2vEKnABqVK0F94AUs995P0PTQMYspAo1G/Erla8NmBJRotrCwIDAQABo4H0 +MIHxMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGhCYA3iLExHfpW+I9/qlRPl +lxdiMIGuBgNVHSMEgaYwgaOAFGhCYA3iLExHfpW+I9/qlRPllxdioYGHpIGEMIGB +MSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMCREUx +EjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJvamVjdDEh +MB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnggEBMA4GA1UdDwEB/wQE +AwIBhjANBgkqhkiG9w0BAQsFAAOCAQEAiqOJwo7Z+YIL8zPO6RkXF6NlgM0zrgZR +Vim2OId79J38KI6q4FMSDjpgxwbYOmF2O3cI9JSkjHxHOpnYhJsXzCBiLuJ25MY2 +DSbpLlM1Cvs6NZNFw5OCwQvzCOlXH1k3qdBsafto6n87r9P3WSeO1MeWc/QMCvc+ +5K9sjMd6bwl59EEf428R+z5ssaB75JK3yvky9d7DsHN947OCXc3sYdz+DD7Gteds +LV2Sc//tqmqpm2aeXjptcLAxwM7fLyEQaAyH83egMzEKDxX27jKIxZpTcc0NGqEo +idC/9lasSzs2BisBxevl3HKDPZSsKIMT+8FdJ5wT9jJf9h9Ktz5Tig== +-----END CERTIFICATE----- diff --git a/remove_build_id.patch b/remove_build_id.patch new file mode 100644 index 0000000..12f58d7 --- /dev/null +++ b/remove_build_id.patch 
@@ -0,0 +1,26 @@
+Index: shim-15.8/gnu-efi/Make.defaults
+===================================================================
+--- shim-15.8.orig/gnu-efi/Make.defaults
++++ shim-15.8/gnu-efi/Make.defaults
+@@ -205,7 +205,7 @@ endif
+
+ ASFLAGS += $(ARCH3264)
+ LDFLAGS += -nostdlib --warn-common --no-undefined --fatal-warnings \
+- --build-id=sha1 --no-warn-rwx-segments
++ --no-warn-rwx-segments
+
+ ifneq ($(ARCH),arm)
+ export LIBGCC=$(shell $(CC) $(CFLAGS) $(ARCH3264) -print-libgcc-file-name)
+Index: shim-15.8/Make.defaults
+===================================================================
+--- shim-15.8.orig/Make.defaults
++++ shim-15.8/Make.defaults
+@@ -192,7 +192,7 @@ ifneq ($(origin SBAT_AUTOMATIC_DATE), un
+ DEFINES += -DSBAT_AUTOMATIC_DATE=$(SBAT_AUTOMATIC_DATE)
+ endif
+
+-LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(LOCAL_EFI_PATH) -L$(LIBDIR) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) --build-id=sha1 $(ARCH_LDFLAGS) --no-undefined
++LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(LOCAL_EFI_PATH) -L$(LIBDIR) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) $(ARCH_LDFLAGS) --no-undefined
+
+ ifneq ($(DEBUG),)
+ export DEBUG
diff --git a/revoked-SLES-UEFI-SIGN-Certificate-2013-01.crt b/revoked-SLES-UEFI-SIGN-Certificate-2013-01.crt
new file mode 100644
index 0000000..32cb743
--- /dev/null
+++ b/revoked-SLES-UEFI-SIGN-Certificate-2013-01.crt
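Review bot: remove_build_id.patch has no description header, so nothing records why `--build-id=sha1` is dropped from LDFLAGS in both gnu-efi/Make.defaults and the top-level Make.defaults. The other patches added in this commit carry a commit message; this one starts directly at `Index:`. Presumably the flag is removed so that a rebuilt shim hashes identically to the binary the stored detached signature was issued for, but that is an inference from the rest of the package and should be confirmed by the packager. Add a short header stating the reason and that the patch must stay in place for the shipped signatures to keep matching, e.g. `Drop --build-id so rebuilt binaries stay byte-identical to the signed ones`.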
@@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIIF/DCCA+SgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT +RSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTES +MBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3Rz +IEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxk +QHN1c2UuZGUwHhcNMTMwMTIyMTQ1ODUxWhcNMjIxMjAxMTQ1ODUxWjCBqzEyMDAG +A1UEAwwpU1VTRSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IFNpZ25rZXkx +CzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0Ug +TGludXggUHJvZHVjdHMgR21iSDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqG +SIb3DQEJARYNYnVpbGRAc3VzZS5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBAOVY/g3+3Bsa1JZ2hfU+7Fy28h0CKF0Sjqy8J4m9a8yKFoY6rb4hG9MK +o4wnCJfPab9flWXRk4PFiouI+0nmLJX74U0sq8nKw3Ijl0UojuthXc6CeZH4hIF5 +HDoVhig3SfkUxdT1zZVF4mcYZ3Pf+UlROJ7JpY4sEhtYMY/DJW5qv2HwrzSw427V +R1upA18U7ddMF5fKoN8vjKVihUFSNK/Up0tOWalxfcG5s9ugjbJgZULsjfcs2+8t +og46QBjTaR7CtpmPbsaOJb1Z6BGDXsHV5GmaZG00TS0BwRn8mAQ1ske1eIpcqmBN +q5Mlh6BVaufBot0nXJp9Vnnuib4napkCAwEAAaOCASwwggEoMAwGA1UdEwEB/wQC +MAAwHQYDVR0OBBYEFD+wd7bOvG/yUi4cFIxXx3fHiOPnMIHTBgNVHSMEgcswgciA +FD1NQM+ThTkCSxz8WhLe3+ixfnVfoYGspIGpMIGmMS0wKwYDVQQDDCRTVVNFIExp +bnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYD +VQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0UgTGludXggUHJvZHVjdHMgR21i +SDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqGSIb3DQEJARYNYnVpbGRAc3Vz +ZS5kZYIBATAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJ +KoZIhvcNAQELBQADggIBAFs0xW7Uzi3a52ho92ninU9yy1doEodWf8f37zmq3Kxf +v/y+mFCFuMw5zps4xyK1xfDBmVZ6f5GMolfkPnioYzKujqTgFCmKDZXjXIgHEej5 +h+xzCalIYT3XT+JsmKvvZKcFMV9/py7+okEhekyFdak6WbxinisyEh6a7I+edNzB +2/dPkbIS7x2UmlFzXvAYTCwOqMwCuOWsICK/NRrPlCEdkPJFq2HU11umtZ+U4eCM +bJcCY2pqIVLxrDgRIMoUeJ7N2XIcfKlP8cHn9eHVWRd+n/v3nlJRvBjlw2d9oTm2 +EB0vfpp01ihr6yvkckLwWHdrRcmiy6OmtTScAEwpMGPmBcFiHIb1nxhPbKqqw9Xb +t/y8tLRf6HvuhaApJhj3/ZBNLTLRSHk4O4DO4p3GpupPTvfxkx9cg/TxcF0kabPF ++dwu5cbRZpvBmkQ947aul0y+3QRHgIhmyqdZzC2OuL6Sl74zZc3BgsQsBFeIN4gz 
+YBsXtzyEVFsmSSj2ci+9JM8HCfeL0Ux7TeyoN5jAW5F7c8BSBBSSafZYUtq3DZHR +8ILtz5L7cCLkZY3da5a/csVz3zicnrAG8uiU91Jy6hVh+Y83vARz6hp8O/tX4o00 +9ff5zunFUwyN3/krDEoX6dXMcSh8UftjzvFOYCUfF+cDt9eV8Ix0dcfP/cenyv/t +-----END CERTIFICATE----- diff --git a/revoked-SLES-UEFI-SIGN-Certificate-2013-04.crt b/revoked-SLES-UEFI-SIGN-Certificate-2013-04.crt new file mode 100644 index 0000000..e0f0a84 --- /dev/null +++ b/revoked-SLES-UEFI-SIGN-Certificate-2013-04.crt 
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIE/DCCA+SgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT +RSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTES +MBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3Rz +IEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxk +QHN1c2UuZGUwHhcNMTMwNDE4MTQzNDM0WhcNMjMwMjI1MTQzNDM0WjCBqzEyMDAG +A1UEAwwpU1VTRSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IFNpZ25rZXkx +CzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0Ug +TGludXggUHJvZHVjdHMgR21iSDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqG +SIb3DQEJARYNYnVpbGRAc3VzZS5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBAOVY/g3+3Bsa1JZ2hfU+7Fy28h0CKF0Sjqy8J4m9a8yKFoY6rb4hG9MK +o4wnCJfPab9flWXRk4PFiouI+0nmLJX74U0sq8nKw3Ijl0UojuthXc6CeZH4hIF5 +HDoVhig3SfkUxdT1zZVF4mcYZ3Pf+UlROJ7JpY4sEhtYMY/DJW5qv2HwrzSw427V +R1upA18U7ddMF5fKoN8vjKVihUFSNK/Up0tOWalxfcG5s9ugjbJgZULsjfcs2+8t +og46QBjTaR7CtpmPbsaOJb1Z6BGDXsHV5GmaZG00TS0BwRn8mAQ1ske1eIpcqmBN +q5Mlh6BVaufBot0nXJp9Vnnuib4napkCAwEAAaOCASwwggEoMAwGA1UdEwEB/wQC +MAAwHQYDVR0OBBYEFD+wd7bOvG/yUi4cFIxXx3fHiOPnMIHTBgNVHSMEgcswgciA +FOyrDULEVs93BDa5c5k4YpZehyYvoYGspIGpMIGmMS0wKwYDVQQDDCRTVVNFIExp +bnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYD +VQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0UgTGludXggUHJvZHVjdHMgR21i +SDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqGSIb3DQEJARYNYnVpbGRAc3Vz +ZS5kZYIBATAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJ +KoZIhvcNAQELBQADggEBAFEYo0sWgMCODHZEHWcoltp5RMcVj2DAYfw2NePbPqxW +AmIgpMU0yG01JPbwJZu6dcuNeYoytgfDrSRLuloKm0JR8oR3+G7/oxbKQCxtMubB +Qdflq7PIz73b/JSGiV5Pi77f9oAHijgnKEZrz4obs6sFp2gvuMvJ4w9jteCaofpq +IDNhu7i2KFx4rC6FYF/p6V9xnVwOnZS1G56cJALfP/7kOD4k3TVSMiE2FCS3wLwR +RI7VE0I/3oJHsi8CR++CT1BI02PI+EWgRcuW8jOzJ3+tYa77HCKpXNyIi7/L5QAK +N5ZinPyv68tae+GHkL5U2FxLY365gABSXqXUA9mTquU= +-----END CERTIFICATE----- diff --git a/revoked-SLES-UEFI-SIGN-Certificate-2016-02.crt b/revoked-SLES-UEFI-SIGN-Certificate-2016-02.crt new file mode 100644 index 0000000..39e65e0 
--- /dev/null +++ b/revoked-SLES-UEFI-SIGN-Certificate-2016-02.crt @@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIE/DCCA+SgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT +RSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTES +MBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3Rz +IEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxk +QHN1c2UuZGUwHhcNMTYwMjI0MTUzMDI3WhcNMjYwMTAyMTUzMDI3WjCBqzEyMDAG +A1UEAwwpU1VTRSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IFNpZ25rZXkx +CzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0Ug +TGludXggUHJvZHVjdHMgR21iSDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqG +SIb3DQEJARYNYnVpbGRAc3VzZS5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBAOVY/g3+3Bsa1JZ2hfU+7Fy28h0CKF0Sjqy8J4m9a8yKFoY6rb4hG9MK +o4wnCJfPab9flWXRk4PFiouI+0nmLJX74U0sq8nKw3Ijl0UojuthXc6CeZH4hIF5 +HDoVhig3SfkUxdT1zZVF4mcYZ3Pf+UlROJ7JpY4sEhtYMY/DJW5qv2HwrzSw427V +R1upA18U7ddMF5fKoN8vjKVihUFSNK/Up0tOWalxfcG5s9ugjbJgZULsjfcs2+8t +og46QBjTaR7CtpmPbsaOJb1Z6BGDXsHV5GmaZG00TS0BwRn8mAQ1ske1eIpcqmBN +q5Mlh6BVaufBot0nXJp9Vnnuib4napkCAwEAAaOCASwwggEoMAwGA1UdEwEB/wQC +MAAwHQYDVR0OBBYEFD+wd7bOvG/yUi4cFIxXx3fHiOPnMIHTBgNVHSMEgcswgciA +FOyrDULEVs93BDa5c5k4YpZehyYvoYGspIGpMIGmMS0wKwYDVQQDDCRTVVNFIExp +bnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYD +VQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0UgTGludXggUHJvZHVjdHMgR21i +SDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqGSIb3DQEJARYNYnVpbGRAc3Vz +ZS5kZYIBATAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJ +KoZIhvcNAQELBQADggEBAKMaX+dWtp9Y9SW1XvV3xc/sAURe1uZfEBcd7g+yu9ff +q/n9pbWW4gz9LtuIudi/CmltNlKHEQnB/RSgAd4VB28g7GeJNKVTn+5z7evgWUOz +tEB0tHgTfVCx6dYoIsNxT9atIVHREDPXef/s2TARKfpd77BG+X0+ZsvQe8NuooP1 +B+qwl1rXR+cw46Q7dgM5XG418OPZsqHhk/AyC4/slHx65rQ//PBsgSANx8bBUr5Z +nDzy1X/0aZqB56/e2sscuhjs7IcXNftztewsNB7w4XtmOuVZpj2obAhbWshPaMLY +4PSS6JTVT/vhDJUJknm4XqbE16d0dSZPn8y1t6Ua0PM= +-----END CERTIFICATE----- 
diff --git a/revoked-SLES-UEFI-SIGN-Certificate-2020-07.crt b/revoked-SLES-UEFI-SIGN-Certificate-2020-07.crt new file mode 100644 index 0000000..03e093f --- /dev/null +++ b/revoked-SLES-UEFI-SIGN-Certificate-2020-07.crt 
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIFBDCCA+ygAwIBAgIJAO2HhbeP/BJ0MA0GCSqGSIb3DQEBCwUAMIGmMS0wKwYD +VQQDDCRTVVNFIExpbnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNV +BAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0UgTGludXgg +UHJvZHVjdHMgR21iSDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqGSIb3DQEJ +ARYNYnVpbGRAc3VzZS5kZTAeFw0yMDA3MjMxNDA3MThaFw0yNDA3MjIxNDA3MTha +MIGrMTIwMAYDVQQDDClTVVNFIExpbnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3Qg +U2lnbmtleTELMAkGA1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UE +CgwYU1VTRSBMaW51eCBQcm9kdWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFt +MRwwGgYJKoZIhvcNAQkBFg1idWlsZEBzdXNlLmRlMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAwrRYIcn7XQ2/nQfdCUM7EUzIfYB5Lra03/q9nggEfUke +N5O9qmA9uFWTvgdq2Nh8hia16TawyHMFyUd/PsdU2/pVydC6+OGDxE1sRJvu0pzP +3wvr+QQXnDjBYon+AGkuw/K8baUInl/1He2idCIB7pH3tGjj6jcorK70yZHU5Hl1 +UwuQXlfQpG3zEJy1yZ7fg3RxAQ/716BOy1CceK0qCLi/qgR8w5GE92Xg1CHZe62u +I+9EmhXBbY2UcsfxRGEtdCU55L0R/MtHztfVHZw9Vazw8rCCvBjwPOxxjUx5It5N +yG0JaYXgAXqRXE88Gwo9VlEWNOKrC0vUUfxA63IZ0wIDAQABo4IBLDCCASgwDAYD +VR0TAQH/BAIwADAdBgNVHQ4EFgQUSrDGl8kQcydsJ97/PCIPsAfh3mEwgdMGA1Ud +IwSByzCByIAU7KsNQsRWz3cENrlzmThill6HJi+hgaykgakwgaYxLTArBgNVBAMM +JFNVU0UgTGludXggRW50ZXJwcmlzZSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMC +REUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UECgwYU1VTRSBMaW51eCBQcm9k +dWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFtMRwwGgYJKoZIhvcNAQkBFg1i +dWlsZEBzdXNlLmRlggEBMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEF +BQcDAzANBgkqhkiG9w0BAQsFAAOCAQEAazJCs7IIjYUma9ZT1NLJZ7QSy/d6oAaW +E6JI1u3LHancnU3kXH19U7z1mni74OQdlsbIyfddR+AIvIu1RrepQ6BHNVrXO90J +LxvORpholbgeXk/FdIHWFu6AhL2jg8UM4Jxq/P3FxckGj25LxCPgd5C/L5ITufhf +1yPQ3CDxqfUiqlfdrQCROJ21sErLoYXoZim5pd1kT5vimyVrdaLM7eTq6G5LbKZ3 +/TqRXPpVzwZGXXeZvM5s55kGKqNTUIZ2Cft5g9CBkRZujJ5gLGToxUHYbb6Fj5UT +Xr5Yh68j1IgvhQz+abALb/87Z3r2V+BWh1icc0rnCli1ulmZMd0H8A== +-----END CERTIFICATE----- diff --git a/revoked-SLES-UEFI-SIGN-Certificate-2021-05.crt b/revoked-SLES-UEFI-SIGN-Certificate-2021-05.crt new file mode 100644 index 0000000..785afc9 
--- /dev/null +++ b/revoked-SLES-UEFI-SIGN-Certificate-2021-05.crt @@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIFBDCCA+ygAwIBAgIJAO2HhbeP/BJ+MA0GCSqGSIb3DQEBCwUAMIGmMS0wKwYD +VQQDDCRTVVNFIExpbnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNV +BAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0UgTGludXgg +UHJvZHVjdHMgR21iSDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqGSIb3DQEJ +ARYNYnVpbGRAc3VzZS5kZTAeFw0yMTAzMDgxMDE1MDhaFw0zMDEyMzExMDE1MDha +MIGrMTIwMAYDVQQDDClTVVNFIExpbnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3Qg +U2lnbmtleTELMAkGA1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UE +CgwYU1VTRSBMaW51eCBQcm9kdWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFt +MRwwGgYJKoZIhvcNAQkBFg1idWlsZEBzdXNlLmRlMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAtvApQ4qgxDibOpYufFyQG3HDsQvwjPfrQHdYqkcKDZvz +hKFJSpAu4gulkuKnOeMO1+ecpOC9f0G6mbIwYCsM/GKBCUKRQZPOB5eSeGU+NJaI +XV6IimhfYi3MXmheVrP64Xd6pvcn/iplk2IPLbbdjIeiSImg1xtfnrcaWa+tzOMu +MAQfF4wUlVnFF4Pnh0goS2sv2Lj3fVQ4XV7d8bsB9gwdWSQQMwbSb5SXoiLZOIrZ +iI/n6DD5UL8Yap+2f5sBXA1MtonX91MSUu68Vh7l/9UXEntkx5byOdRAKxndIpnP +QQazhXtQoFskPtVzKs+8jIemDOosn7cTkBgOEP49iQIDAQABo4IBLDCCASgwDAYD +VR0TAQH/BAIwADAdBgNVHQ4EFgQUWiQESdKf0NinoYfm/A4muV0aqHswgdMGA1Ud +IwSByzCByIAU7KsNQsRWz3cENrlzmThill6HJi+hgaykgakwgaYxLTArBgNVBAMM +JFNVU0UgTGludXggRW50ZXJwcmlzZSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMC +REUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UECgwYU1VTRSBMaW51eCBQcm9k +dWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFtMRwwGgYJKoZIhvcNAQkBFg1i +dWlsZEBzdXNlLmRlggEBMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEF +BQcDAzANBgkqhkiG9w0BAQsFAAOCAQEAqFI4lVQf3heh0TWrZwc0ej30p1EhVJms +NxCy/mtn6IDkRzmzAe9F/Tx5B6Kytjtj2WvU2mOhjDW61Tdvk2UBqlapTbT0X2oF +Co4ww8gm2uDyY3nCEM0jdPj8XnA+T+raxwcw6NosK3J6g+bEWjkX0lWryl1jgxuA +q3zup4t2rl792z+nAUAmCSrsYeQQxnKIeCvZCYMGgixSoYrv2SxD8hTFC8XW606v +ITVb9fxaYF1cCjCLjhkQpnegViT0mV5QcPW/IIjqKla1N9sH26buFwcJIHXQRB4h +1boVtIqiQZOe4BjGRTvRILGOa/WXn8UhQvMc39bCr1SxMRvpCV7zKw== +-----END CERTIFICATE----- 
diff --git a/revoked-openSUSE-UEFI-SIGN-Certificate-2013-01.crt b/revoked-openSUSE-UEFI-SIGN-Certificate-2013-01.crt new file mode 100644 index 0000000..db321a4 --- /dev/null +++ b/revoked-openSUSE-UEFI-SIGN-Certificate-2013-01.crt 
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFjTCCA3WgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgTEgMB4GA1UEAwwXb3Bl +blNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJl +bWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEW +EmJ1aWxkQG9wZW5zdXNlLm9yZzAeFw0xMzAxMjgxNTEwMjhaFw0yMjEyMDcxNTEw +MjhaMIGGMSUwIwYDVQQDDBxvcGVuU1VTRSBTZWN1cmUgQm9vdCBTaWdua2V5MQsw +CQYDVQQGEwJERTESMBAGA1UEBwwJTnVyZW1iZXJnMRkwFwYDVQQKDBBvcGVuU1VT +RSBQcm9qZWN0MSEwHwYJKoZIhvcNAQkBFhJidWlsZEBvcGVuc3VzZS5vcmcwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLNeCcz9j3S+vjlCzyEXczhpwo +HRneRWkhXqCUSgu1QS5nAWuRdjqFZipji4cr6JSKEm4lE7AHPygrdiU+KbJVQuc7 +RCQdt5kyy0TStIjLqU+nswa+XKruKwQJquxYY1rIYsfZaEP7vQ6S/0zsAkS8lcmf +0b4h+PSybVoK1U2YZczBjO/f8p/aRQV2+RrAi9UcBfLAuEqwEt9DytULGEazA77N +p9cBgPHFyu7ZOh9KM31QAavXOkhuYllzYh447zIx7lgYfVkFivt91A1enUeb2K+2 +EZ885xOE5ADsCpeJIpDzFObfwXUHrSQ42OCP9rnA20XjboFcHinQeK5sp0sfAgMB +AAGjggEHMIIBAzAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQDMvqcvw2IvyGSSw3o +KgmlTV3vyDCBrgYDVR0jBIGmMIGjgBSZDSa38E3ZzmTn0Y79aHtKXeKGpaGBh6SB +hDCBgTEgMB4GA1UEAwwXb3BlblNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYT +AkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2pl +Y3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNlLm9yZ4IBATAOBgNVHQ8B +Af8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggIB +AK25J4ntAoU8yF37KEUEFnh0WElBVYinTCB3VVNq0nJbcLq2Ak/yPb4/hVJGvUQx +M2EgafGBfjA6sVvqvZEqbn0bQnSTJqjlwAUpzVB9ll3vanT0SwwmRdbHtFLfkmfc +6sv7dUsizScXeth2C7vf2rxqJKBIdCs7EkUWibKm34y59wJYqsZT/jLeFraLi/+R +NWeiWY9AlyXm5QzNqEr3qqhVQohKI0gRUwJS0dx3xSMFd8td+q+22iYuNMx2Dk3A +D9HenFMZiSw4r+8R5mm8Dn6DJEB7Y5mJhR1zZk7Q3gVhwjeR/sdrIF9K8tSkyIHt +T4f+qNF1vBfQ9+8zHqQ/X2o2Cky/eyW9rx3V/fYLOXzOdbxIy5nDOd5gbXIDoZNV +cJn/af+MgMrUI7vqDZ1A1UmwKSAJRZjIJCX+2mjrAtQl9W7h8qZt2Hgq/4zCCNSH +v4gGoDtYEtcvs1kqS56/XQRyZikDfEUkBE1hXOW4hepuS9Zs6LihGpKSffqQH0Oy +gvCaWjLNzErjx5Hl9pTvH2qkLLX6P1i/YubW+3E6AuDks9u6eF78GkKb6ALsczQf +jHf22C1rl9y3Ex+9q3vKzeo9HtIBv/FEyt+GEzdCXdf4Lmjmf1l1uBX6+EJFAVsG 
+UPxqiJZLOo8dEbWIDzoxE8vXjZTNFBA9mkYmipdZwGaV +-----END CERTIFICATE----- diff --git a/revoked-openSUSE-UEFI-SIGN-Certificate-2013-08.crt b/revoked-openSUSE-UEFI-SIGN-Certificate-2013-08.crt new file mode 100644 index 0000000..1a61802 --- /dev/null +++ b/revoked-openSUSE-UEFI-SIGN-Certificate-2013-08.crt @@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEjTCCA3WgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgTEgMB4GA1UEAwwXb3Bl +blNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJl +bWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEW +EmJ1aWxkQG9wZW5zdXNlLm9yZzAeFw0xMzA4MjYxNjE4MzdaFw0yMzA3MDUxNjE4 +MzdaMIGGMSUwIwYDVQQDDBxvcGVuU1VTRSBTZWN1cmUgQm9vdCBTaWdua2V5MQsw +CQYDVQQGEwJERTESMBAGA1UEBwwJTnVyZW1iZXJnMRkwFwYDVQQKDBBvcGVuU1VT +RSBQcm9qZWN0MSEwHwYJKoZIhvcNAQkBFhJidWlsZEBvcGVuc3VzZS5vcmcwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLNeCcz9j3S+vjlCzyEXczhpwo +HRneRWkhXqCUSgu1QS5nAWuRdjqFZipji4cr6JSKEm4lE7AHPygrdiU+KbJVQuc7 +RCQdt5kyy0TStIjLqU+nswa+XKruKwQJquxYY1rIYsfZaEP7vQ6S/0zsAkS8lcmf +0b4h+PSybVoK1U2YZczBjO/f8p/aRQV2+RrAi9UcBfLAuEqwEt9DytULGEazA77N +p9cBgPHFyu7ZOh9KM31QAavXOkhuYllzYh447zIx7lgYfVkFivt91A1enUeb2K+2 +EZ885xOE5ADsCpeJIpDzFObfwXUHrSQ42OCP9rnA20XjboFcHinQeK5sp0sfAgMB +AAGjggEHMIIBAzAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQDMvqcvw2IvyGSSw3o +KgmlTV3vyDCBrgYDVR0jBIGmMIGjgBRoQmAN4ixMR36VviPf6pUT5ZcXYqGBh6SB +hDCBgTEgMB4GA1UEAwwXb3BlblNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYT +AkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2pl +Y3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNlLm9yZ4IBATAOBgNVHQ8B +Af8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggEB +AI3sxNvPFB/+Cjj9GVCvNbaOGFV+5X6Dd7ZMJat0xI93GS+FvUOO1i53iCpnfSld +gE+2chifX2W3u6RyiJTTfwke4EVU4GWjFy78WwwszCih0byVa/YSQguvPuMjvQY6 +mw+exom0ri68328yWb1oCDaPOhI9Fr51hj50yUWWBbmpu2YPi5blN6CBE+9B2cbp +HVDPxoUWjYJ9leK951nfSu0E1+cLNYDpZ39h4dBHNvU1a3AueVKIXyEYaiwy0VDS +8CQJluUCE4eLlt/cbJqMs0/iY7nRnbVOOyZUYTYxq7ACvDrMyStkfdR4KLDzvLWo +8Gu+1aY2qw6wZ+TKiiRRYjQ= +-----END CERTIFICATE----- 
diff --git a/revoked-openSUSE-UEFI-SIGN-Certificate-2020-01.crt b/revoked-openSUSE-UEFI-SIGN-Certificate-2020-01.crt new file mode 100644 index 0000000..05981bf --- /dev/null +++ b/revoked-openSUSE-UEFI-SIGN-Certificate-2020-01.crt @@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIElTCCA32gAwIBAgIJAPq+2L9Aml5gMA0GCSqGSIb3DQEBCwUAMIGBMSAwHgYD +VQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMCREUxEjAQBgNV +BAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJvamVjdDEhMB8GCSqG +SIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMB4XDTIwMDEwODE2MjU1NFoXDTI5 +MTExNjE2MjU1NFowgYYxJTAjBgNVBAMMHG9wZW5TVVNFIFNlY3VyZSBCb290IFNp +Z25rZXkxCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoM +EG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNl +Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMs14JzP2PdL6+OU +LPIRdzOGnCgdGd5FaSFeoJRKC7VBLmcBa5F2OoVmKmOLhyvolIoSbiUTsAc/KCt2 +JT4pslVC5ztEJB23mTLLRNK0iMupT6ezBr5cqu4rBAmq7FhjWshix9loQ/u9DpL/ +TOwCRLyVyZ/RviH49LJtWgrVTZhlzMGM79/yn9pFBXb5GsCL1RwF8sC4SrAS30PK +1QsYRrMDvs2n1wGA8cXK7tk6H0ozfVABq9c6SG5iWXNiHjjvMjHuWBh9WQWK+33U +DV6dR5vYr7YRnzznE4TkAOwKl4kikPMU5t/BdQetJDjY4I/2ucDbReNugVweKdB4 +rmynSx8CAwEAAaOCAQcwggEDMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFAMy+py/ +DYi/IZJLDegqCaVNXe/IMIGuBgNVHSMEgaYwgaOAFGhCYA3iLExHfpW+I9/qlRPl +lxdioYGHpIGEMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTEL +MAkGA1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNV +U0UgUHJvamVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnggEB +MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0B +AQsFAAOCAQEAUWNziRn2X/uOcFWaCkKqIVa0xlk8joaztllVkRLoDpv97O6p087k +OOfqNsv1gUgIHqQvZ9Z2woQcpd2gUa0uj5yqpqSGp0eSEtBOOKApVuybplTDSyC3 +6ENwF5BKMJ8ysURsIx6ZGCq1PbaruA28sG/XFrhxjezLwN9mcmLd6nCd4xmPuH78 +IsHPP6c6VzrFtNN3yP5ZIs9bIzDHTf2qGXvVYhLBrNuTczTwUzeSfKG+qpP/dO1I +EGtd7tTFPTqNwXkWq3oat9TVYMdPLRWWZ2zzE65k0rdSSJTgc/1Z4WSKb55J6FMP +8MJRwgi62+9JF6hsBy7WuBE8cWvtIwbyYA== +-----END CERTIFICATE----- 
diff --git a/revoked-openSUSE-UEFI-SIGN-Certificate-2020-07.crt b/revoked-openSUSE-UEFI-SIGN-Certificate-2020-07.crt new file mode 100644 index 0000000..c71abb8 --- /dev/null +++ b/revoked-openSUSE-UEFI-SIGN-Certificate-2020-07.crt @@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIElTCCA32gAwIBAgIJAPq+2L9Aml5jMA0GCSqGSIb3DQEBCwUAMIGBMSAwHgYD +VQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMCREUxEjAQBgNV +BAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJvamVjdDEhMB8GCSqG +SIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMB4XDTIwMDgwMzEyMzUzOVoXDTMw +MDYxMjEyMzUzOVowgYYxJTAjBgNVBAMMHG9wZW5TVVNFIFNlY3VyZSBCb290IFNp +Z25rZXkxCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoM +EG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNl +Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKVKfWLm7OvwYpDO +4s0qzbUDWG2GTlxFOkZe4XaFsjxAnmuXZTVm1SJ3N12zSdRH60YMqcns7yuISYQz +0K79shGDOfktO8iqxSE0JdUvhEFnJUECaXYAq+ioiSwkm7QQWhHAUE3htshJeMt4 +SK4dTGmTQNQBKCZ3xQTTHi1sOl8wYt0QdhkucqvgDUyPaxHrI4LV1OV9R3XjGclG +ZD6QEkXLhVcir2yLIA9G1qPZDXpNbrdfSx3GDEnSsD+GS0D/k5oe32w1KGMnEM/S +fYrY1nsP6/k0hVO1KH9WJWV/DUoyO/4U75C6swg7SVTxyigT3s92/UV4N9Es5kZv +aHhsuncCAwEAAaOCAQcwggEDMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFMi9x6wa +HYWWYhf9k+v8FPSiALgUMIGuBgNVHSMEgaYwgaOAFGhCYA3iLExHfpW+I9/qlRPl +lxdioYGHpIGEMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTEL +MAkGA1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNV +U0UgUHJvamVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnggEB +MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0B +AQsFAAOCAQEAS1NWAHYBV1uaK7wE6c+Xz8t4c2hgTkFR4E0iVZ+2aTz8OFzztQZq +CyZ9QYgSpApmvwmgFEQog6UUzw2f19W7qhIskDHfhBmK2uQtazHZ/Pd8oXyHrbgK +TVh7GDc9OjrZe2wg03Q0N/KVUHD5lKYXY4rfAqKdc1XKfo7t8GIu+TnWDLXWVI40 +oDIXwSmg+JOZFXpf9cxZ2zENZnsaH0KTKNk6bNq8wjum4W54Tgk7UbDE6roJp5C3 +7cUt/j+dL00gyFK66PFR1wXflZFtKixxVbMOLa13ZldsuNs0ye6whPqIKZ9ev4M4 +rjWQD5k14Ui+48/MDJt4Nc2Sm1LYrdXJMw== +-----END CERTIFICATE----- 
diff --git a/revoked-openSUSE-UEFI-SIGN-Certificate-2021-05.crt b/revoked-openSUSE-UEFI-SIGN-Certificate-2021-05.crt new file mode 100644 index 0000000..6cbdec5 --- /dev/null +++ b/revoked-openSUSE-UEFI-SIGN-Certificate-2021-05.crt @@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIElTCCA32gAwIBAgIJAPq+2L9Aml5kMA0GCSqGSIb3DQEBCwUAMIGBMSAwHgYD +VQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMCREUxEjAQBgNV +BAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJvamVjdDEhMB8GCSqG +SIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMB4XDTIxMDMwMjEzMDE1NFoXDTMx +MDEwOTEzMDE1NFowgYYxJTAjBgNVBAMMHG9wZW5TVVNFIFNlY3VyZSBCb290IFNp +Z25rZXkxCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoM +EG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNl +Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPLI9AESuA0aqXLg +RwX7lU1td6HhC3Oj+kwKJJvF/kwA+1viW/1cC4vS9muigFHe3b4CPwZ9WRxb5Wyi +3nxP1fjYwFmygBnqWvzMTxGZBFuhcQQpSPDbjWOEiFspVZbvkBF7t0cu1EcpKaHl ++pPqVdWrh11mk7bSjnYGAZ0BFHQ3bnhCuH1+p4PIMLAFZIRQ9suW9t5caOoHK6pi +fisOYy+WR3a/2AFTCZIdZIueVpvPHhGgjEDoE0wnoAg5lKDn+SAUS7JiWy/hdT2U +c/OjH1onXi99kTWDOMwQA+g2d7JAPtLuepcKpiUbFaR+7KJYWhkfit6WYz40sC6Q +PMAHIj8CAwEAAaOCAQcwggEDMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFJ3fQ9nx +oCcnP1LGwHdZCO4BZxMlMIGuBgNVHSMEgaYwgaOAFGhCYA3iLExHfpW+I9/qlRPl +lxdioYGHpIGEMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTEL +MAkGA1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNV +U0UgUHJvamVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnggEB +MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0B +AQsFAAOCAQEAnjK7rL3T/Fu443EQSB3cV2V84pQcOcQf3dCSx8VT14ZTgkp1RGM4 +qr4V8foA7Fyr9UE+x2zEMzcVy2eZ2aihO/qaQ/JGZi8cp1pjq0nNMUQjgXF0YGyn +Qanjb/48V5eOF9Z1h/wQ0HISTdkwsvGUS0leHT3LjXWNRL9QBp1Qi5A5IE5t8vpX +OxAvHNTsKsx6x2p8R3yVLX7rY84xvBJCqHDY9tYDQ2VbVX7CEw5x9FffobYpY/s1 +lCV/fhOThm/q/p9Pr3hydxKP4PoxxwBtII/p0zJTMWEEfOsK/zAS3v8Ltlz83gTk +WX+2oXpj/WRFsYWIEXTPwEm4MwYWxw5rMw== +-----END CERTIFICATE----- 
diff --git a/shim-15.8.tar.bz2 b/shim-15.8.tar.bz2
new file mode 100644
index 0000000..06115c7
--- /dev/null
+++ b/shim-15.8.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a79f0a9b89f3681ab384865b1a46ab3f79d88b11b4ca59aa040ab03fffae80a9
+size 2315201
diff --git a/shim-arch-independent-names.patch b/shim-arch-independent-names.patch
new file mode 100644
index 0000000..4b96a33
--- /dev/null
+++ b/shim-arch-independent-names.patch
@@ -0,0 +1,61 @@
+From 71ca8f761fb5434ef65895345d96ccf063da7d66 Mon Sep 17 00:00:00 2001
+From: Gary Lin
+Date: Tue, 22 Aug 2017 12:43:36 +0800
+Subject: [PATCH] Make the names of EFI binaries arch-independent
+
+Since we only build the 64-bit binaries, we don't have the issue of the
+mixed architecture binaries in the same directory. Besides, we will use
+the same install script for x86_64 and AArch64. It's easier to maintain
+the script with the same names.
+
+Signed-off-by: Gary Lin
+---
+ fallback.c | 2 +-
+ shim.c | 2 +-
+ shim.h | 4 ++--
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fallback.c b/fallback.c
+index fc81c5e4..44b2d464 100644
+--- a/fallback.c
++++ b/fallback.c
+@@ -1058,7 +1058,7 @@ debug_hook(void)
+
+ x = 1;
+ console_print(L"add-symbol-file "DEBUGDIR
+- L"fb" EFI_ARCH L".efi.debug %p -s .data %p\n",
++ L"fallback.efi.debug %p -s .data %p\n",
+ &_etext, &_edata);
+ }
+
+diff --git a/shim.c b/shim.c
+index 765c9254..6751a2bc 100644
+--- a/shim.c
++++ b/shim.c
+@@ -1811,7 +1811,7 @@ debug_hook(void)
+ FreePool(data);
+
+ console_print(L"add-symbol-file "DEBUGDIR
+- L"shim" EFI_ARCH L".efi.debug 0x%08x -s .data 0x%08x\n",
++ L"shim.efi.debug 0x%08x -s .data 0x%08x\n",
+ &_text, &_data);
+
+ console_print(L"Pausing for debugger attachment.\n");
+diff --git a/shim.h b/shim.h
+index 0a6c8cfa..b9c3c4d8 100644
+--- a/shim.h
++++ b/shim.h
+@@ -105,8 +105,8 @@
+ #define DEBUGSRC L"/usr/src/debug/shim-" VERSIONSTR "." EFI_ARCH
+ #endif
+
+-#define FALLBACK L"\\fb" EFI_ARCH L".efi"
+-#define MOK_MANAGER L"\\mm" EFI_ARCH L".efi"
++#define FALLBACK L"\\fallback.efi"
++#define MOK_MANAGER L"\\MokManager.efi"
+
+ #if defined(VENDOR_DB_FILE)
+ # define vendor_authorized vendor_db
+--
+2.29.2
+
diff --git a/shim-bsc1177315-verify-eku-codesign.patch b/shim-bsc1177315-verify-eku-codesign.patch
new file mode 100644
index 0000000..bb931ba
--- /dev/null
+++ b/shim-bsc1177315-verify-eku-codesign.patch
@@ -0,0 +1,696 @@ +From 6ff890bf0af9d37acc6ea8ad64f597060e8bb143 Mon Sep 17 00:00:00 2001 +From: Gary Lin +Date: Wed, 14 Oct 2020 14:31:12 +0800 +Subject: [PATCH] Enforce EKU CodeSign extension check + +Per NIAP OS_PP, the signer certificate of the UEFI image has to contain +"CodeSign" extension in its Extended Key Usage(EKU). + +This commit borrows VerifyEKUsInPkcs7Signature() from edk2 and enforces +the CodeSign check in Pkcs7Verify(). ++ Also merged the buffer use-after-free fix (*) + +(*) https://bugzilla.tianocore.org/show_bug.cgi?id=2459 + +Signed-off-by: Gary Lin +--- + Cryptlib/InternalCryptLib.h | 32 ++ + Cryptlib/Library/BaseCryptLib.h | 40 +++ + Cryptlib/Makefile | 1 + + Cryptlib/Pk/CryptPkcs7Verify.c | 10 + + Cryptlib/Pk/CryptPkcs7VerifyEku.c | 516 ++++++++++++++++++++++++++++++ + 5 files changed, 599 insertions(+) + create mode 100644 Cryptlib/Pk/CryptPkcs7VerifyEku.c + +diff --git a/Cryptlib/InternalCryptLib.h b/Cryptlib/InternalCryptLib.h +index e9a4c20..8c9a2a4 100644 +--- a/Cryptlib/InternalCryptLib.h ++++ b/Cryptlib/InternalCryptLib.h +@@ -30,5 +30,37 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + #define OBJ_length(o) ((o)->length) + #endif + ++/** ++ Check input P7Data is a wrapped ContentInfo structure or not. If not construct ++ a new structure to wrap P7Data. ++ ++ Caution: This function may receive untrusted input. ++ UEFI Authenticated Variable is external input, so this function will do basic ++ check for PKCS#7 data structure. ++ ++ @param[in] P7Data Pointer to the PKCS#7 message to verify. ++ @param[in] P7Length Length of the PKCS#7 message in bytes. ++ @param[out] WrapFlag If TRUE P7Data is a ContentInfo structure, otherwise ++ return FALSE. ++ @param[out] WrapData If return status of this function is TRUE: ++ 1) when WrapFlag is TRUE, pointer to P7Data. ++ 2) when WrapFlag is FALSE, pointer to a new ContentInfo ++ structure. It's caller's responsibility to free this ++ buffer. 
++ @param[out] WrapDataSize Length of ContentInfo structure in bytes. ++ ++ @retval TRUE The operation is finished successfully. ++ @retval FALSE The operation is failed due to lack of resources. ++ ++**/ ++BOOLEAN ++WrapPkcs7Data ( ++ IN CONST UINT8 *P7Data, ++ IN UINTN P7Length, ++ OUT BOOLEAN *WrapFlag, ++ OUT UINT8 **WrapData, ++ OUT UINTN *WrapDataSize ++ ); ++ + #endif + +diff --git a/Cryptlib/Library/BaseCryptLib.h b/Cryptlib/Library/BaseCryptLib.h +index 2df8bd2..ed482d3 100644 +--- a/Cryptlib/Library/BaseCryptLib.h ++++ b/Cryptlib/Library/BaseCryptLib.h +@@ -2403,6 +2403,46 @@ Pkcs7Verify ( + IN UINTN DataLength + ); + ++/** ++ This function receives a PKCS#7 formatted signature blob, ++ looks for the EKU SEQUENCE blob, and if found then looks ++ for all the required EKUs. This function was created so that ++ the Surface team can cut down on the number of Certificate ++ Authorities (CA's) by checking EKU's on leaf signers for ++ a specific product. This prevents one product's certificate ++ from signing another product's firmware or unlock blobs. ++ ++ Note that this function does not validate the certificate chain. ++ That needs to be done before using this function. ++ ++ @param[in] Pkcs7Signature The PKCS#7 signed information content block. An array ++ containing the content block with both the signature, ++ the signer's certificate, and any necessary intermediate ++ certificates. ++ @param[in] Pkcs7SignatureSize Number of bytes in Pkcs7Signature. ++ @param[in] RequiredEKUs Array of null-terminated strings listing OIDs of ++ required EKUs that must be present in the signature. ++ @param[in] RequiredEKUsSize Number of elements in the RequiredEKUs string array. ++ @param[in] RequireAllPresent If this is TRUE, then all of the specified EKU's ++ must be present in the leaf signer. If it is ++ FALSE, then we will succeed if we find any ++ of the specified EKU's. ++ ++ @retval EFI_SUCCESS The required EKUs were found in the signature. 
++ @retval EFI_INVALID_PARAMETER A parameter was invalid. ++ @retval EFI_NOT_FOUND One or more EKU's were not found in the signature. ++ ++**/ ++EFI_STATUS ++EFIAPI ++VerifyEKUsInPkcs7Signature ( ++ IN CONST UINT8 *Pkcs7Signature, ++ IN CONST UINT32 SignatureSize, ++ IN CONST CHAR8 *RequiredEKUs[], ++ IN CONST UINT32 RequiredEKUsSize, ++ IN BOOLEAN RequireAllPresent ++ ); ++ + /** + Extracts the attached content from a PKCS#7 signed data if existed. The input signed + data could be wrapped in a ContentInfo structure. +diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile +index 18a33b1..a1d8b02 100644 +--- a/Cryptlib/Makefile ++++ b/Cryptlib/Makefile +@@ -41,6 +41,7 @@ OBJS = Hash/CryptMd4Null.o \ + Pk/CryptRsaExtNull.o \ + Pk/CryptPkcs7SignNull.o \ + Pk/CryptPkcs7Verify.o \ ++ Pk/CryptPkcs7VerifyEku.o \ + Pk/CryptDhNull.o \ + Pk/CryptTs.o \ + Pk/CryptX509.o \ +diff --git a/Cryptlib/Pk/CryptPkcs7Verify.c b/Cryptlib/Pk/CryptPkcs7Verify.c +index 09895d8..da15be2 100644 +--- a/Cryptlib/Pk/CryptPkcs7Verify.c ++++ b/Cryptlib/Pk/CryptPkcs7Verify.c +@@ -29,6 +29,8 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + #include + + UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 }; ++/* EKU CodeSign */ ++CHAR8 mOidCodeSign[] = "1.3.6.1.5.5.7.3.3"; + + #if 1 + #if OPENSSL_VERSION_NUMBER < 0x10100000L +@@ -846,6 +848,8 @@ Pkcs7Verify ( + CONST UINT8 *Temp; + UINTN SignedDataSize; + BOOLEAN Wrapped; ++ CONST CHAR8 *Ekus[1]; ++ EFI_STATUS EFI_Status; + + // + // Check input parameters. 
+@@ -859,6 +863,7 @@ Pkcs7Verify ( + DataBio = NULL; + Cert = NULL; + CertStore = NULL; ++ Ekus[0] = mOidCodeSign; + + // + // Register & Initialize necessary digest algorithms for PKCS#7 Handling +@@ -958,6 +963,11 @@ Pkcs7Verify ( + // + X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY); + ++ EFI_Status = VerifyEKUsInPkcs7Signature(P7Data, P7Length, Ekus, 1, TRUE); ++ if (EFI_Status != EFI_SUCCESS) { ++ goto _Exit; ++ } ++ + // + // Verifies the PKCS#7 signedData structure + // +diff --git a/Cryptlib/Pk/CryptPkcs7VerifyEku.c b/Cryptlib/Pk/CryptPkcs7VerifyEku.c +new file mode 100644 +index 0000000..2c172e2 +--- /dev/null ++++ b/Cryptlib/Pk/CryptPkcs7VerifyEku.c +@@ -0,0 +1,516 @@ ++/** @file ++ This module verifies that Enhanced Key Usages (EKU's) are present within ++ a PKCS7 signature blob using OpenSSL. ++ ++ Copyright (C) Microsoft Corporation. All Rights Reserved. ++ Copyright (c) 2019, Intel Corporation. All rights reserved.
++ ++ SPDX-License-Identifier: BSD-2-Clause-Patent ++ ++**/ ++ ++#include ++#include "InternalCryptLib.h" ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++/** ++ This function will return the leaf signer certificate in a chain. This is ++ required because certificate chains are not guaranteed to have the ++ certificates in the order that they were issued. ++ ++ A typical certificate chain looks like this: ++ ++ ++ ---------------------------- ++ | Root | ++ ---------------------------- ++ ^ ++ | ++ ---------------------------- ++ | Policy CA | <-- Typical Trust Anchor. ++ ---------------------------- ++ ^ ++ | ++ ---------------------------- ++ | Issuing CA | ++ ---------------------------- ++ ^ ++ | ++ ----------------------------- ++ / End-Entity (leaf) signer / <-- Bottom certificate. ++ ----------------------------- EKU: "1.3.6.1.4.1.311.76.9.21.1" ++ (Firmware Signing) ++ ++ ++ @param[in] CertChain Certificate chain. ++ ++ @param[out] SignerCert Last certificate in the chain. For PKCS7 signatures, ++ this will be the end-entity (leaf) signer cert. ++ ++ @retval EFI_SUCCESS The required EKUs were found in the signature. ++ @retval EFI_INVALID_PARAMETER A parameter was invalid. ++ @retval EFI_NOT_FOUND The number of signers found was not 1. ++ ++**/ ++EFI_STATUS ++GetSignerCertificate ( ++ IN CONST PKCS7 *CertChain, ++ OUT X509 **SignerCert ++ ) ++{ ++ EFI_STATUS Status; ++ STACK_OF(X509) *Signers; ++ INT32 NumberSigners; ++ ++ Status = EFI_SUCCESS; ++ Signers = NULL; ++ NumberSigners = 0; ++ ++ if (CertChain == NULL || SignerCert == NULL) { ++ Status = EFI_INVALID_PARAMETER; ++ goto Exit; ++ } ++ ++ // ++ // Get the signers from the chain. 
++ // ++ Signers = PKCS7_get0_signers ((PKCS7*) CertChain, NULL, PKCS7_BINARY); ++ if (Signers == NULL) { ++ // ++ // Fail to get signers form PKCS7 ++ // ++ Status = EFI_INVALID_PARAMETER; ++ goto Exit; ++ } ++ ++ // ++ // There should only be one signer in the PKCS7 stack. ++ // ++ NumberSigners = sk_X509_num (Signers); ++ if (NumberSigners != 1) { ++ // ++ // The number of singers should have been 1 ++ // ++ Status = EFI_NOT_FOUND; ++ goto Exit; ++ } ++ ++ *SignerCert = sk_X509_value (Signers, 0); ++ ++Exit: ++ // ++ // Release Resources ++ // ++ if (Signers != NULL) { ++ sk_X509_free (Signers); ++ } ++ ++ return Status; ++} ++ ++ ++/** ++ Determines if the specified EKU represented in ASN1 form is present ++ in a given certificate. ++ ++ @param[in] Cert The certificate to check. ++ ++ @param[in] Asn1ToFind The EKU to look for. ++ ++ @retval EFI_SUCCESS We successfully identified the signing type. ++ @retval EFI_INVALID_PARAMETER A parameter was invalid. ++ @retval EFI_NOT_FOUND One or more EKU's were not found in the signature. ++ ++**/ ++EFI_STATUS ++IsEkuInCertificate ( ++ IN CONST X509 *Cert, ++ IN ASN1_OBJECT *Asn1ToFind ++ ) ++{ ++ EFI_STATUS Status; ++ X509 *ClonedCert; ++ X509_EXTENSION *Extension; ++ EXTENDED_KEY_USAGE *Eku; ++ INT32 ExtensionIndex; ++ INTN NumExtensions; ++ ASN1_OBJECT *Asn1InCert; ++ INTN Index; ++ ++ Status = EFI_NOT_FOUND; ++ ClonedCert = NULL; ++ Extension = NULL; ++ Eku = NULL; ++ ExtensionIndex = -1; ++ NumExtensions = 0; ++ Asn1InCert = NULL; ++ ++ if (Cert == NULL || Asn1ToFind == NULL) { ++ Status = EFI_INVALID_PARAMETER; ++ goto Exit; ++ } ++ ++ // ++ // Clone the certificate. This is required because the Extension API's ++ // only work once per instance of an X509 object. ++ // ++ ClonedCert = X509_dup ((X509*)Cert); ++ if (ClonedCert == NULL) { ++ // ++ // Fail to duplicate cert. ++ // ++ Status = EFI_INVALID_PARAMETER; ++ goto Exit; ++ } ++ ++ // ++ // Look for the extended key usage. 
++ // ++ ExtensionIndex = X509_get_ext_by_NID (ClonedCert, NID_ext_key_usage, -1); ++ ++ if (ExtensionIndex < 0) { ++ // ++ // Fail to find 'NID_ext_key_usage' in Cert. ++ // ++ goto Exit; ++ } ++ ++ Extension = X509_get_ext (ClonedCert, ExtensionIndex); ++ if (Extension == NULL) { ++ // ++ // Fail to get Extension form cert. ++ // ++ goto Exit; ++ } ++ ++ Eku = (EXTENDED_KEY_USAGE*)X509V3_EXT_d2i (Extension); ++ if (Eku == NULL) { ++ // ++ // Fail to get Eku from extension. ++ // ++ goto Exit; ++ } ++ ++ NumExtensions = sk_ASN1_OBJECT_num (Eku); ++ ++ // ++ // Now loop through the extensions, looking for the specified Eku. ++ // ++ for (Index = 0; Index < NumExtensions; Index++) { ++ Asn1InCert = sk_ASN1_OBJECT_value (Eku, (INT32)Index); ++ if (Asn1InCert == NULL) { ++ // ++ // Fail to get ASN object from Eku. ++ // ++ goto Exit; ++ } ++ ++ if (OBJ_cmp(Asn1InCert, Asn1ToFind) == 0) { ++ // ++ // Found Eku in certificate. ++ // ++ Status = EFI_SUCCESS; ++ goto Exit; ++ } ++ } ++ ++Exit: ++ ++ // ++ // Release Resources ++ // ++ if (ClonedCert != NULL) { ++ X509_free (ClonedCert); ++ } ++ ++ if (Eku != NULL) { ++ sk_ASN1_OBJECT_pop_free (Eku, ASN1_OBJECT_free); ++ } ++ ++ return Status; ++} ++ ++ ++/** ++ Determines if the specified EKUs are present in a signing certificate. ++ ++ @param[in] SignerCert The certificate to check. ++ @param[in] RequiredEKUs The EKUs to look for. ++ @param[in] RequiredEKUsSize The number of EKUs ++ @param[in] RequireAllPresent If TRUE, then all the specified EKUs ++ must be present in the certificate. ++ ++ @retval EFI_SUCCESS We successfully identified the signing type. ++ @retval EFI_INVALID_PARAMETER A parameter was invalid. ++ @retval EFI_NOT_FOUND One or more EKU's were not found in the signature. 
++**/ ++EFI_STATUS ++CheckEKUs( ++ IN CONST X509 *SignerCert, ++ IN CONST CHAR8 *RequiredEKUs[], ++ IN CONST UINT32 RequiredEKUsSize, ++ IN BOOLEAN RequireAllPresent ++ ) ++{ ++ EFI_STATUS Status; ++ ASN1_OBJECT *Asn1ToFind; ++ UINT32 NumEkusFound; ++ UINT32 Index; ++ ++ Status = EFI_NOT_FOUND; ++ Asn1ToFind = NULL; ++ NumEkusFound = 0; ++ ++ if (SignerCert == NULL || RequiredEKUs == NULL || RequiredEKUsSize == 0) { ++ Status = EFI_INVALID_PARAMETER; ++ goto Exit; ++ } ++ ++ for (Index = 0; Index < RequiredEKUsSize; Index++) { ++ // ++ // Finding required EKU in cert. ++ // ++ if (Asn1ToFind != NULL) { ++ ASN1_OBJECT_free(Asn1ToFind); ++ Asn1ToFind = NULL; ++ } ++ ++ Asn1ToFind = OBJ_txt2obj (RequiredEKUs[Index], 0); ++ if (Asn1ToFind == NULL) { ++ // ++ // Fail to convert required EKU to ASN1. ++ // ++ Status = EFI_INVALID_PARAMETER; ++ goto Exit; ++ } ++ ++ Status = IsEkuInCertificate (SignerCert, Asn1ToFind); ++ if (Status == EFI_SUCCESS) { ++ NumEkusFound++; ++ if (!RequireAllPresent) { ++ // ++ // Found at least one, so we are done. ++ // ++ goto Exit; ++ } ++ } else { ++ // ++ // Fail to find Eku in cert ++ break; ++ } ++ } ++ ++Exit: ++ ++ if (Asn1ToFind != NULL) { ++ ASN1_OBJECT_free(Asn1ToFind); ++ } ++ ++ if (RequireAllPresent && ++ NumEkusFound == RequiredEKUsSize) { ++ // ++ // Found all required EKUs in certificate. ++ // ++ Status = EFI_SUCCESS; ++ } ++ ++ return Status; ++} ++ ++/** ++ This function receives a PKCS#7 formatted signature blob, ++ looks for the EKU SEQUENCE blob, and if found then looks ++ for all the required EKUs. This function was created so that ++ the Surface team can cut down on the number of Certificate ++ Authorities (CA's) by checking EKU's on leaf signers for ++ a specific product. This prevents one product's certificate ++ from signing another product's firmware or unlock blobs. ++ ++ Note that this function does not validate the certificate chain. ++ That needs to be done before using this function. 
++ ++ @param[in] Pkcs7Signature The PKCS#7 signed information content block. An array ++ containing the content block with both the signature, ++ the signer's certificate, and any necessary intermediate ++ certificates. ++ @param[in] Pkcs7SignatureSize Number of bytes in Pkcs7Signature. ++ @param[in] RequiredEKUs Array of null-terminated strings listing OIDs of ++ required EKUs that must be present in the signature. ++ @param[in] RequiredEKUsSize Number of elements in the RequiredEKUs string array. ++ @param[in] RequireAllPresent If this is TRUE, then all of the specified EKU's ++ must be present in the leaf signer. If it is ++ FALSE, then we will succeed if we find any ++ of the specified EKU's. ++ ++ @retval EFI_SUCCESS The required EKUs were found in the signature. ++ @retval EFI_INVALID_PARAMETER A parameter was invalid. ++ @retval EFI_NOT_FOUND One or more EKU's were not found in the signature. ++ ++**/ ++EFI_STATUS ++EFIAPI ++VerifyEKUsInPkcs7Signature ( ++ IN CONST UINT8 *Pkcs7Signature, ++ IN CONST UINT32 SignatureSize, ++ IN CONST CHAR8 *RequiredEKUs[], ++ IN CONST UINT32 RequiredEKUsSize, ++ IN BOOLEAN RequireAllPresent ++ ) ++{ ++ EFI_STATUS Status; ++ PKCS7 *Pkcs7; ++ STACK_OF(X509) *CertChain; ++ INT32 SignatureType; ++ INT32 NumberCertsInSignature; ++ X509 *SignerCert; ++ UINT8 *SignedData; ++ UINT8 *Temp; ++ UINTN SignedDataSize; ++ BOOLEAN IsWrapped; ++ BOOLEAN Ok; ++ ++ Status = EFI_SUCCESS; ++ Pkcs7 = NULL; ++ CertChain = NULL; ++ SignatureType = 0; ++ NumberCertsInSignature = 0; ++ SignerCert = NULL; ++ SignedData = NULL; ++ SignedDataSize = 0; ++ IsWrapped = FALSE; ++ Ok = FALSE; ++ ++ // ++ //Validate the input parameters. ++ // ++ if (Pkcs7Signature == NULL || ++ SignatureSize == 0 || ++ RequiredEKUs == NULL || ++ RequiredEKUsSize == 0) { ++ Status = EFI_INVALID_PARAMETER; ++ goto Exit; ++ } ++ ++ if (RequiredEKUsSize == 1) { ++ RequireAllPresent = TRUE; ++ } ++ ++ // ++ // Wrap the PKCS7 data if needed. 
++ // ++ Ok = WrapPkcs7Data (Pkcs7Signature, ++ SignatureSize, ++ &IsWrapped, ++ &SignedData, ++ &SignedDataSize); ++ if (!Ok) { ++ // ++ // Fail to Wrap the PKCS7 data. ++ // ++ Status = EFI_INVALID_PARAMETER; ++ goto Exit; ++ } ++ ++ Temp = SignedData; ++ ++ // ++ // Create the PKCS7 object. ++ // ++ Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **)&Temp, (INT32)SignedDataSize); ++ if (Pkcs7 == NULL) { ++ // ++ // Fail to read PKCS7 data. ++ // ++ Status = EFI_INVALID_PARAMETER; ++ goto Exit; ++ } ++ ++ // ++ // Get the certificate chain. ++ // ++ SignatureType = OBJ_obj2nid (Pkcs7->type); ++ switch (SignatureType) { ++ case NID_pkcs7_signed: ++ if (Pkcs7->d.sign != NULL) { ++ CertChain = Pkcs7->d.sign->cert; ++ } ++ break; ++ case NID_pkcs7_signedAndEnveloped: ++ if (Pkcs7->d.signed_and_enveloped != NULL) { ++ CertChain = Pkcs7->d.signed_and_enveloped->cert; ++ } ++ break; ++ default: ++ break; ++ } ++ ++ // ++ // Ensure we have a certificate stack ++ // ++ if (CertChain == NULL) { ++ // ++ // Fail to get the certificate stack from signature. ++ // ++ Status = EFI_INVALID_PARAMETER; ++ goto Exit; ++ } ++ ++ // ++ // Find out how many certificates were in the PKCS7 signature. ++ // ++ NumberCertsInSignature = sk_X509_num (CertChain); ++ ++ if (NumberCertsInSignature == 0) { ++ // ++ // Fail to find any certificates in signature. ++ // ++ Status = EFI_INVALID_PARAMETER; ++ goto Exit; ++ } ++ ++ // ++ // Get the leaf signer. ++ // ++ Status = GetSignerCertificate (Pkcs7, &SignerCert); ++ if (Status != EFI_SUCCESS || SignerCert == NULL) { ++ // ++ // Fail to get the end-entity leaf signer certificate. 
++ // ++ Status = EFI_INVALID_PARAMETER; ++ goto Exit; ++ } ++ ++ Status = CheckEKUs (SignerCert, RequiredEKUs, RequiredEKUsSize, RequireAllPresent); ++ if (Status != EFI_SUCCESS) { ++ goto Exit; ++ } ++ ++Exit: ++ ++ // ++ // Release Resources ++ // ++ // If the signature was not wrapped, then the call to WrapData() will allocate ++ // the data and add a header to it ++ // ++ if (!IsWrapped && SignedData) { ++ free (SignedData); ++ } ++ ++ if (Pkcs7 != NULL) { ++ PKCS7_free (Pkcs7); ++ } ++ ++ return Status; ++} ++ +-- +2.29.2 + diff --git a/shim-change-debug-file-path.patch b/shim-change-debug-file-path.patch new file mode 100644 index 0000000..90e3755 --- /dev/null +++ b/shim-change-debug-file-path.patch 
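Review bot: In CheckEKUs the `} else { ... break; }` branch leaves the loop at the first required EKU that is missing, so with RequireAllPresent == FALSE a signer certificate that carries only a later OID from the list gets EFI_NOT_FOUND, although the header comment promises success "if we find any of the specified EKU's". The call added to Pkcs7Verify passes a single OID with TRUE and is not affected, but VerifyEKUsInPkcs7Signature is declared in BaseCryptLib.h for other callers; `} else if (RequireAllPresent) { break; }` would match the documented contract. At that call site P7Length (UINTN) is also passed into the `CONST UINT32 SignatureSize` parameter and later cast to INT32 for d2i_PKCS7; Pkcs7Verify's own input check lies outside the hunk, so a short comment stating that it bounds P7Length would make the narrowing reviewable. The doc comment names the parameter `Pkcs7SignatureSize` while the prototype uses `SignatureSize`.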
@@ -0,0 +1,54 @@
+From ac7e88b1f2219ec2b09c9596e6f7d5911e5f6ffd Mon Sep 17 00:00:00 2001
+From: Gary Lin
+Date: Thu, 4 Jan 2018 12:28:37 +0800
+Subject: [PATCH] Use our own debug path
+
+Signed-off-by: Gary Lin
+---
+ Make.defaults | 2 +-
+ fallback.c | 2 +-
+ shim.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/Make.defaults b/Make.defaults
+index bef3cb51..d88367e3 100644
+--- a/Make.defaults
++++ b/Make.defaults
+@@ -167,7 +167,7 @@ BOOTEFINAME ?= BOOT$(ARCH_SUFFIX_UPPER).EFI
+ BOOTCSVNAME ?= BOOT$(ARCH_SUFFIX_UPPER).CSV
+
+ DEFINES += -DEFI_ARCH='L"$(ARCH_SUFFIX)"' \
+- -DDEBUGDIR='L"/usr/lib/debug/usr/share/shim/$(ARCH_SUFFIX)-$(VERSION)$(DASHRELEASE)/"'
++ -DDEBUGDIR=L\"/usr/lib/debug/usr/share/efi/"$(ARCH)/"\"
+
+ ifneq ($(origin VENDOR_DB_FILE), undefined)
+ DEFINES += -DVENDOR_DB_FILE=\"$(VENDOR_DB_FILE)\"
+diff --git a/fallback.c b/fallback.c
+index 44b2d464..8e0de901 100644
+--- a/fallback.c
++++ b/fallback.c
+@@ -1058,7 +1058,7 @@ debug_hook(void)
+
+ x = 1;
+ console_print(L"add-symbol-file "DEBUGDIR
+- L"fallback.efi.debug %p -s .data %p\n",
++ L"fallback.debug %p -s .data %p\n",
+ &_etext, &_edata);
+ }
+
+diff --git a/shim.c b/shim.c
+index 1d539855..f8d2ba5f 100644
+--- a/shim.c
++++ b/shim.c
+@@ -1818,7 +1818,7 @@ debug_hook(void)
+ FreePool(data);
+
+ console_print(L"add-symbol-file "DEBUGDIR
+- L"shim.efi.debug 0x%08x -s .data 0x%08x\n",
++ L"shim.debug 0x%08x -s .data 0x%08x\n",
+ &_text, &_data);
+
+ console_print(L"Pausing for debugger attachment.\n");
+--
+2.29.2
+
diff --git a/shim-disable-export-vendor-dbx.patch b/shim-disable-export-vendor-dbx.patch
new file mode 100644
index 0000000..defe242
--- /dev/null
+++ b/shim-disable-export-vendor-dbx.patch
@@ -0,0 +1,36 @@
+From 41da21f1f9d4af213f9f235a864772b99ce85fc7 Mon Sep 17 00:00:00 2001
+From: Gary Lin
+Date: Fri, 18 Jun 2021 17:54:46 +0800
+Subject: [PATCH] Disable exporting vendor-dbx to MokListXRT
+
+As the vendor-dbx grows, it caused some problems when writing such
+a large variable. Some firmwares lie the avaiable space(*1) , and
+some even crash(*2) for no good reason after the writing of
+MokListXRT. Both shim and kernel don't rely on MokListXRT to block
+anything, so we just stop exporting vendor-dbx to MokListXRT to
+avoid the potential hassles.
+
+(*1) https://bugzilla.suse.com/show_bug.cgi?id=1185261
+(*2) https://github.com/rhboot/shim/pull/369#issuecomment-855275115
+
+Signed-off-by: Gary Lin
+---
+ mok.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index beac0ff6..a687a92b 100644
+--- a/mok.c
++++ b/mok.c
+@@ -194,8 +194,6 @@ struct mok_state_variable mok_state_variables[] = {
+ EFI_VARIABLE_NON_VOLATILE,
+ .no_attr = EFI_VARIABLE_RUNTIME_ACCESS,
+ .categorize_addend = categorize_deauthorized,
+- .addend = &vendor_deauthorized,
+- .addend_size = &vendor_deauthorized_size,
+ .flags = MOK_MIRROR_KEYDB |
+ MOK_MIRROR_DELETE_FIRST |
+ MOK_VARIABLE_LOG,
+--
+2.31.1
+
diff --git a/shim-install b/shim-install
new file mode 100644
index 0000000..3ba6f72
--- /dev/null
+++ b/shim-install
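Review bot: Nothing in mok.c records that the missing `.addend`/`.addend_size` on the entry carrying `.categorize_addend = categorize_deauthorized` is deliberate, so a later rebase could restore the two lines without anyone noticing. The reason exists only in the patch description, and the array entry itself starts and ends outside the hunk. A comment at that spot would keep it with the code, for example `/* vendor dbx is intentionally not mirrored here: large MokListXRT writes fail on some firmware (bsc#1185261) */`. It would also help to state there that, per the description, the runtime copy of the variable (presumably MokListXRT) no longer reflects the vendor revocation list, so it should not be used to audit which hashes and certificates shim rejects.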
@@ -0,0 +1,530 @@ +#! /bin/bash -e + +arch=`uname -m` +rootdir= +bootdir= +efidir= +install_device= +efibootdir= +ca_string= +no_nvram=no +removable=no +clean=no +sysconfdir="/etc" +libdir="/usr/lib64" # Beware, this is arch dependent! +datadir="/usr/share" +source_dir="${datadir}/efi/${arch}" +efibootmgr="/usr/sbin/efibootmgr" +grub_probe="/usr/sbin/grub2-probe" +grub_mkrelpath="/usr/bin/grub2-mkrelpath" +no_grub_install=no +grub_install="/usr/sbin/grub2-install" +grub_install_target= +self="`basename $0`" +grub_cfg="/boot/grub2/grub.cfg" +update_boot=no +def_grub_efi="${source_dir}/grub.efi" +def_boot_efi= + +[ ! -r /usr/etc/default/shim ] || . /usr/etc/default/shim +[ ! -r /etc/default/shim ] || . /etc/default/shim + +if [ -z "$def_shim_efi" -o ! -e ${source_dir}/${def_shim_efi} ] ; then + def_shim_efi="shim.efi" +fi + +source_shim_efi="${source_dir}/${def_shim_efi}" + +if [ x${arch} = xx86_64 ] ; then + grub_install_target="x86_64-efi" + def_boot_efi="bootx64.efi" +elif [ x${arch} = xaarch64 ] ; then + grub_install_target="arm64-efi" + def_boot_efi="bootaa64.efi" +else + echo "Unsupported architecture: ${arch}" + exit 1 +fi + +if [ ! -d "${source_dir}" -o ! -e "${def_grub_efi}" ] ; then + # for outdated packages fall back to previous behavior + source_dir="$libdir/efi" + def_grub_efi="${source_dir}/grub.efi" +fi + +# Get GRUB_DISTRIBUTOR. +if test -f "${sysconfdir}/default/grub" ; then + . "${sysconfdir}/default/grub" +fi + +if [ x"${GRUB_DISTRIBUTOR}" = x ] && [ -f "${sysconfdir}/os-release" ] ; then + . 
"${sysconfdir}/os-release" + GRUB_DISTRIBUTOR="${NAME} ${VERSION}" + OS_ID="${ID}" +fi + +bootloader_id="$(echo "$GRUB_DISTRIBUTOR" | tr 'A-Z' 'a-z' | cut -d' ' -f1)" +if test -z "$bootloader_id"; then + bootloader_id=grub +fi + +efi_distributor="$bootloader_id" +bootloader_id="${bootloader_id}-secureboot" + +case "$bootloader_id" in + "sle"*) + ca_string='SUSE Linux Enterprise Secure Boot CA1';; + "opensuse"*) + ca_string='openSUSE Secure Boot CA1';; + *) ca_string="";; +esac + +case "$OS_ID" in + "opensuse-leap") + ca_string='SUSE Linux Enterprise Secure Boot CA1';; +esac + +# bsc#1230316 For SL-Micro, always install shim/grub2 with the "removable" way +if test "$GRUB_DISTRIBUTOR" = "SL Micro"; then + removable=yes +fi + +is_azure () { + local bios_vendor; + local product_name; + local sys_vendor; + + local sysfs_dmi_id="/sys/class/dmi/id" + + if test -e "${sysfs_dmi_id}/bios_vendor"; then + bios_vendor=$(cat "${sysfs_dmi_id}/bios_vendor") + fi + if test -e "${sysfs_dmi_id}/product_name"; then + product_name=$(cat "${sysfs_dmi_id}/product_name") + fi + if test -e "${sysfs_dmi_id}/sys_vendor"; then + sys_vendor=$(cat "${sysfs_dmi_id}/sys_vendor") + fi + + if test "x${bios_vendor}" != "xMicrosoft Corporation"; then + # return false + return 1 + fi + + if test "x${product_name}" != "xVirtual Machine"; then + # return false + return 1 + fi + + if test "x${sys_vendor}" != "xMicrosoft Corporation"; then + # return false + return 1 + fi + + # return true + return 0 +} + +usage () { + echo "Usage: $self [OPTION] [INSTALL_DEVICE]" + echo + echo "Install Secure Boot Loaders on your drive." + echo + echo "--directory=DIR use images from DIR." + echo "--grub-probe=FILE use FILE as grub-probe." + echo "--removable the installation device is removable." + echo "--no-nvram don't update the NVRAM variable." + echo "--bootloader-id=ID the ID of bootloader." + echo "--efi-directory=DIR use DIR as the EFI System Partition root." 
+ echo "--config-file=FILE use FILE as config file, default is $grub_cfg." + echo "--clean remove all installed files and configs." + echo "--suse-enable-tpm install grub.efi with TPM support." + echo "--no-grub-install Do not run grub2-install." + echo + echo "INSTALL_DEVICE must be system device filename." +} + +argument () { + opt="$1" + shift + + if test $# -eq 0; then + echo "$0: option requires an argument -- \`$opt'" 1>&2 + exit 1 + fi + echo "$1" +} + +# Check the arguments. +while test $# -gt 0 +do + option=$1 + shift + + case "$option" in + -h | --help) + usage + exit 0 ;; + + --root-directory) + rootdir="`argument $option "$@"`"; shift;; + --root-directory=*) + rootdir="`echo "$option" | sed 's/--root-directory=//'`" ;; + + --efi-directory) + efidir="`argument $option "$@"`"; shift;; + --efi-directory=*) + efidir="`echo "$option" | sed 's/--efi-directory=//'`" ;; + + --directory | -d) + source_dir="`argument $option "$@"`"; shift;; + --directory=*) + source_dir="`echo "$option" | sed 's/--directory=//'`" ;; + + --bootloader-id) + bootloader_id="`argument $option "$@"`"; shift;; + --bootloader-id=*) + bootloader_id="`echo "$option" | sed 's/--bootloader-id=//'`" ;; + + --grub-probe) + grub_probe="`argument "$option" "$@"`"; shift;; + --grub-probe=*) + grub_probe="`echo "$option" | sed 's/--grub-probe=//'`" ;; + + --config-file) + grub_cfg="`argument "$option" "$@"`"; shift;; + --config-file=*) + grub_cfg="`echo "$option" | sed 's/--config-file=//'`" ;; + + --removable) + no_nvram=yes + removable=yes ;; + + --no-nvram) + no_nvram=yes ;; + + --suse-enable-tpm) + # bsc#1174320 shim-install uses wrong paths for EFI files + # There are 3 possible locations of grub-tpm.efi and we will check them + # one by one. 
+ if [ -e "${source_dir}/grub-tpm.efi" ]; then
+ source_grub_efi="${source_dir}/grub-tpm.efi"
+ elif [ -e "${datadir}/grub2/${grub_install_target}/grub-tpm.efi" ] ; then
+ source_grub_efi="${datadir}/grub2/${grub_install_target}/grub-tpm.efi"
+ else
+ source_grub_efi="/usr/lib/grub2/${grub_install_target}/grub-tpm.efi"
+ fi
+ ;;
+
+ --clean)
+ clean=yes ;;
+
+ --no-grub-install)
+ no_grub_install=yes ;;
+
+ -*)
+ echo "Unrecognized option \`$option'" 1>&2
+ usage
+ exit 1
+ ;;
+ *)
+ if test "x$install_device" != x; then
+ echo "More than one install device?" 1>&2
+ usage
+ exit 1
+ fi
+ install_device="${option}" ;;
+ esac
+done
+
+if test -n "$efidir"; then
+ efi_fs=`"$grub_probe" --target=fs "${efidir}"`
+ if test "x$efi_fs" = xfat; then :; else
+ echo "$efidir doesn't look like an EFI partition." 1>&2
+ efidir=
+ fi
+fi
+
+
+if [ -z "$bootdir" ]; then
+ bootdir="/boot"
+ if [ -n "$rootdir" ] ; then
+ # Initialize bootdir if rootdir was initialized.
+ bootdir="${rootdir}/boot"
+ fi
+fi
+
+# Find the EFI System Partition.
+if test -n "$efidir"; then
+ install_device="`"$grub_probe" --target=device --device-map= "${efidir}"`"
+else
+ if test -d "${bootdir}/efi"; then
+ install_device="`"$grub_probe" --target=device --device-map= "${bootdir}/efi"`"
+ # Is it a mount point?
+ if test "x$install_device" != "x`"$grub_probe" --target=device --device-map= "${bootdir}"`"; then
+ efidir="${bootdir}/efi"
+ fi
+ elif test -d "${bootdir}/EFI"; then
+ install_device="`"$grub_probe" --target=device --device-map= "${bootdir}/EFI"`"
+ # Is it a mount point?
+ if test "x$install_device" != "x`"$grub_probe" --target=device --device-map= "${bootdir}"`"; then
+ efidir="${bootdir}/EFI"
+ fi
+ elif test -n "$rootdir" && test "x$rootdir" != "x/"; then
+ # The EFI System Partition may have been given directly using
+ # --root-directory.
+ install_device="`"$grub_probe" --target=device --device-map= "${rootdir}"`"
+ # Is it a mount point?
+ if test "x$install_device" != "x`"$grub_probe" --target=device --device-map= "${rootdir}/.."`"; then
+ efidir="${rootdir}"
+ fi
+ fi
+
+ if test -n "$efidir"; then
+ efi_fs=`"$grub_probe" --target=fs "${efidir}"`
+ if test "x$efi_fs" = xfat; then :; else
+ echo "$efidir doesn't look like an EFI partition." 1>&2
+ efidir=
+ fi
+ fi
+fi
+
+if test -n "$efidir"; then
+ efi_file=shim.efi
+ efibootdir="$efidir/EFI/boot"
+ mkdir -p "$efibootdir" || exit 1
+ if test "$removable" = "yes" ; then
+ efidir="$efibootdir"
+ else
+ efidir="$efidir/EFI/$efi_distributor"
+ mkdir -p "$efidir" || exit 1
+ fi
+else
+ echo "No valid EFI partition" 1>&2
+ exit 1;
+fi
+
+if test "$removable" = "no" -a -f "$efibootdir/$def_boot_efi"; then
+ if test -n "$ca_string" && (grep -q "$ca_string" "$efibootdir/$def_boot_efi"); then
+ update_boot=yes
+ fi
+else
+ update_boot=yes
+fi
+
+if test "$clean" = "yes"; then
+ rm -f "${efidir}/shim.efi"
+ rm -f "${efidir}/MokManager.efi"
+ rm -f "${efidir}/grub.efi"
+ rm -f "${efidir}/grub.cfg"
+ rm -f "${efidir}/boot.csv"
+ if test "$update_boot" = "yes"; then
+ rm -f "${efibootdir}/${def_boot_efi}"
+ rm -f "${efibootdir}/fallback.efi"
+ # bsc#1175626, bsc#1175656 also clean up MokManager
+ rm -f "${efibootdir}/MokManager.efi"
+ fi
+ if test "$no_nvram" = no && test -n "$bootloader_id"; then
+ # Delete old entries from the same distributor.
+ for bootnum in `$efibootmgr | grep '^Boot[0-9]' | \
+ fgrep -i " $bootloader_id" | cut -b5-8`; do
+ $efibootmgr -b "$bootnum" -B
+ done
+ fi
+ exit 0
+fi
+
+cp "${source_dir}/MokManager.efi" "${efidir}"
+
+if test -n "$source_grub_efi" && ! test -f "$source_grub_efi"; then
+ echo "File $source_grub_efi doesn't exist, fallback to default one" 1>&2
+ source_grub_efi=""
+fi
+
+if test -z "$source_grub_efi"; then
+ source_grub_efi="$def_grub_efi"
+fi
+
+echo "copying $source_grub_efi to ${efidir}/grub.efi"
+cp "$source_grub_efi" "${efidir}/grub.efi"
+
+if test "$efidir" != "$efibootdir" ; then
+ cp "${source_shim_efi}" "${efidir}/shim.efi"
+ if test -n "$bootloader_id"; then
+ echo "shim.efi,${bootloader_id}" | iconv -f ascii -t ucs2 > "${efidir}/boot.csv"
+ fi
+fi
+
+if test "$update_boot" = "yes"; then
+ cp "$source_shim_efi" "${efibootdir}/${def_boot_efi}"
+ if test "$removable" = "no"; then
+ cp "${source_dir}/fallback.efi" "${efibootdir}"
+ # bsc#1175626, bsc#1175656 Since shim 15, loading MokManager becomes
+ # mandatory if a MOK request exists. Copy MokManager to \EFI\boot so
+ # that boot*.efi can load MokManager to process the request instead
+ # of shutting down the system immediately.
+ cp "${source_dir}/MokManager.efi" "${efibootdir}"
+ fi
+fi
+
+
+prepare_cryptodisk () {
+ uuid="$1"
+
+ if [ "x$GRUB_CRYPTODISK_PASSWORD" != x ]; then
+ echo "cryptomount -u $uuid -p \"$GRUB_CRYPTODISK_PASSWORD\""
+ return
+ fi
+
+ if [ "x$GRUB_TPM2_SEALED_KEY" = x ]; then
+ echo "cryptomount -u $uuid"
+ return
+ fi
+
+ tpm_sealed_key="${GRUB_TPM2_SEALED_KEY}"
+
+ declare -g TPM_PCR_SNAPSHOT_TAKEN
+
+ if [ -z "$TPM_PCR_SNAPSHOT_TAKEN" ]; then
+ TPM_PCR_SNAPSHOT_TAKEN=1
+
+ # Check if tpm_record_pcrs is available and set the command to
+ # grub.cfg.
+ if grep -q "tpm_record_pcrs" ${datadir}/grub2/${arch}-efi/command.lst ; then + echo "tpm_record_pcrs 0-9" + fi + fi + + tpm_srk_alg="${GRUB_TPM2_SRK_ALG}" + + if [ -z "$tpm_srk_alg" ]; then + tpm_srk_alg="RSA" + fi + + cat < /dev/null`" + +if [ "x$hints" != x ]; then + echo "if [ x\$feature_platform_search_hint = xy ]; then" + echo " search --no-floppy --fs-uuid --set=root ${hints} ${cfg_fs_uuid}" + echo "else" + echo " search --no-floppy --fs-uuid --set=root ${cfg_fs_uuid}" + echo "fi" +else + echo "search --no-floppy --fs-uuid --set=root ${cfg_fs_uuid}" +fi + +cat < "${efidir}/grub.cfg" + +if test "$no_nvram" = no && test -n "$bootloader_id"; then + + modprobe -q efivars 2>/dev/null || true + + # Delete old entries from the same distributor. + for bootnum in `$efibootmgr | grep '^Boot[0-9]' | \ + fgrep -i " $bootloader_id" | cut -b5-8`; do + $efibootmgr -b "$bootnum" -B + done + + # bsc#1230316 Skip the creation of the boot option for SL-Micro to make + # the system always boot from HDD + if test "$GRUB_DISTRIBUTOR" != "SL Micro"; then + efidir_drive="$("$grub_probe" --target=drive --device-map= "$efidir")" + efidir_disk="$("$grub_probe" --target=disk --device-map= "$efidir")" + if test -z "$efidir_drive" || test -z "$efidir_disk"; then + echo "Can't find GRUB drive for $efidir; unable to create EFI Boot Manager entry." >&2 + # bsc#1119762 If the MD device is partitioned, we just need to create one + # boot entry since the partitions are nested partitions and the mirrored + # partitions share the same UUID. + elif [[ "$efidir_drive" == \(mduuid/* && "$efidir_drive" != \(mduuid/*,* ]]; then + eval $(mdadm --detail --export "$efidir_disk" | + perl -ne 'print if m{^MD_LEVEL=}; push( @D, $1) if (m{^MD_DEVICE_\S+_DEV=(\S+)$}); + sub END() {print "MD_DEVS=\"", join( " ", @D), "\"\n";};') + if [ "$MD_LEVEL" != "raid1" ]; then + echo "GRUB drive for $efidir not on RAID1; unable to create EFI Boot Manager entry." 
>&2
+ fi
+ for mddev in $MD_DEVS; do
+ efidir_drive="$("$grub_probe" --target=drive --device-map= -d "$mddev")"
+ efidir_disk="$("$grub_probe" --target=disk --device-map= -d "$mddev")"
+ efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')"
+ efidir_d=${mddev#/dev/}
+ $efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \
+ -L "$bootloader_id ($efidir_d)" -l "\\EFI\\$efi_distributor\\$efi_file"
+ done
+ else
+ efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')"
+ $efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \
+ -L "$bootloader_id" -l "\\EFI\\$efi_distributor\\$efi_file"
+ fi
+ fi
+fi
+
+# bsc#1185464 bsc#1185961
+# The Azure firmware sometimes doesn't respect the boot option created by
+# either efibootmgr or fallback.efi so we have to remove fallback.efi to
+# avoid the endless reset loop.
+if is_azure; then
+ # Skip the workaround if we don't own \EFI\Boot or the removable
+ # option is used
+ if test "$update_boot" = "yes" && test "$removable" = "no"; then
+ # Remove fallback.efi which could cause the reset loop in Azure
+ rm -f "${efibootdir}/fallback.efi"
+ # Remove the older grub binary and config
+ rm -f "${efibootdir}/grub.efi"
+ rm -f "${efibootdir}/grub.cfg"
+ # Install new grub binary and config file to \EFI\Boot as
+ # the "removable" option
+ cp "${efidir}/grub.cfg" "${efibootdir}/grub.cfg"
+ cp "${efidir}/grub.efi" "${efibootdir}/grub.efi"
+ fi
+fi
diff --git a/shim.changes b/shim.changes
new file mode 100644
index 0000000..c6cf6ec
--- /dev/null
+++ b/shim.changes
@@ -0,0 +1,1876 @@
+-------------------------------------------------------------------
+Mon Sep 16 06:56:21 UTC 2024 - Gary Ching-Pang Lin
+
+- Update shim-install to apply the missing fix for openSUSE Leap
+ (bsc#1210382)
+ * 86b73d1 Fix that bootx64.efi is not updated on Leap
+- Update shim-install to use the 'removable' way for SL-Micro
+ (bsc#1230316)
+ * 433cc4e Always use the removable way for SL-Micro
+
+-------------------------------------------------------------------
+Tue Jun 25 04:12:39 UTC 2024 - Dennis Tseng
+
+- Update asc files of shim-15.8 after being signed back from
+ Microsoft, including:
+ signature-opensuse.x86_64.asc,
+ signature-opensuse.aarch64.asc,
+ signature-sles.x86_64.asc,
+ signature-sles.aarch64.asc.
+
+- Enable aarch64 signature comparison which was disabled temporarily
+ before. Now, we got a real one. So it is enabled again.
+
+-------------------------------------------------------------------
+Tue Apr 2 03:09:15 UTC 2024 - Gary Ching-Pang Lin
+
+- Introduce %shim_use_fde_tpm_helper macro so that the project
+ can include the fde-tpm-helper-macros for the build targets
+ other than Tumbleweed
+
+-------------------------------------------------------------------
+Mon Feb 26 13:09:29 UTC 2024 - Dominique Leuenberger
+
+- Use %autosetup macro. Allows to eliminate the usage of deprecated
+ PatchN.
+
+-------------------------------------------------------------------
+Sat Feb 17 07:51:01 UTC 2024 - Joey Lee
+
+- Modified shim.spec file to add suffix string of project to filename
+ of included certificates. e.g.
+ rpm -pql shim-15.8-lp155.6.1.x86_64.rpm
+ /etc/uefi
+ /etc/uefi/certs
+ /etc/uefi/certs/2B697CB1-shim-devel.crt
+ /etc/uefi/certs/4659838C-shim-opensuse.crt
+ /etc/uefi/certs/BCA4E38E-shim-sles.crt
+
+ The original name of crt files are:
+ /etc/uefi/certs/2B697CB1-shim.crt
+ /etc/uefi/certs/4659838C-shim.crt
+ /etc/uefi/certs/BCA4E38E-shim.crt
+
+ It can indicate the souce project of certificates.
+
+-------------------------------------------------------------------
+Thu Feb 15 09:46:09 UTC 2024 - Joey Lee
+
+- Sometimes SLE shim signature be Microsoft updated before openSUSE shim
+ signature. When submit request on IBS for updating SLE shim, the submitreq
+ project be generated, but it always be blocked by checking the signature
+ of openSUSE shim.
+ It doesn't make sense checking openSUSE shim signature when building
+ SLE shim on SLE platform, and vice versa. So the following change adds the
+ logic to compare suffix (sles, opensuse) with distro_id (sle, opensuse).
+ When and only when hash mismatch and distro_id match with suffix, stop
+ building.
+ # compare suffix (sles, opensuse) with distro_id (sle, opensuse)
+ # when hash mismatch and distro_id match with suffix, stop building
+- Sync the changelog between openSUSE:Factory/shim with SLE-15-SP3/shim
+ - Add CVE-2022-28737 number to "Mon Mar 27 09:26:02 UTC 2023" record
+ - Add "Thu Apr 13 05:28:10 UTC 2023" record for updating shim-install
+ for bsc#1210382.
+ - Add "Thu Apr 13 09:13:22 UTC 2023" record for changing the logic of
+ checking shim signature.
+
+-------------------------------------------------------------------
+Wed Feb 7 08:54:52 UTC 2024 - Gary Ching-Pang Lin
+
+- Update shim-install to set the TPM2 SRK algorithm (bsc#1213945)
+ 92d0f4305df73 Set the SRK algorithm for the TPM2 protector
+
+-------------------------------------------------------------------
+Fri Feb 2 05:57:07 UTC 2024 - Gary Ching-Pang Lin
+
+- Limit the requirement of fde-tpm-helper-macros to the distro with
+ suse_version 1600 and above (bsc#1219460)
+
+-------------------------------------------------------------------
+Sun Jan 28 09:32:32 UTC 2024 - Dennis Tseng
+
+-- Update to version 15.8
+ - Various CVE fixes are already merged into this version
+ mok: fix LogError() invocation (bsc#1215099,CVE-2023-40546)
+ avoid incorrectly trusting HTTP headers (bsc#1215098,CVE-2023-40547)
+ Fix integer overflow on SBAT section size on 32-bit system (bsc#1215100,CVE-2023-40548)
+ Authenticode: verify that the signature header is in bounds (bsc#1215101,CVE-2023-40549)
+ pe: Fix an out-of-bound read in verify_buffer_sbat() (bsc#1215102,CVE-2023-40550)
+ pe-relocate: Fix bounds check for MZ binaries (bsc#1215103,CVE-2023-40551)
+ - remove shim-Enable-the-NX-compatibility-flag-by-default.patch
+ The codes in this patch are already existing in shim-15.8
+ The NX flag is disable which is same as the default value of shim-15.8,
+ hence, not need to enable it by this patch now.
+ - Patches (git log --oneline --reverse 15.7..15.8)
+ 657b248 Make sbat_var.S parse right with buggy gcc/binutils
+ 7c76425 Enable the NX compatibility flag by default.
+ 89972ae CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper
+ c7b3051 pe: Align section size up to page size for mem attrs
+ e4f40ae pe: Add IS_PAGE_ALIGNED macro
+ f23883c Don't loop forever in load_certs() with buggy firmware
+ 1f38cb3 Optionally allow to keep shim protocol installed
+ 102a658 Drop invalid calls to `CRYPTO_set_mem_functions`
+ aae3df0 test-sbat: Fix exit code
+ cca3933 Block Debian grub binaries with SBAT < 4
+ cf59f34 Further improve load_certs() for non-compliant drivers/firmwares
+ 0601f44 SBAT-related documents formatting and spelling
+ 0640e13 Add a security contact email address in README.md
+ 0bfc397 Work around malformed path delimiters in file paths from DHCP
+ a8b0b60 pe: only process RelocDir->Size of reloc section
+ f7a4338 Skip testing msleep()
+ 549d346 Rename 'msecs' to 'usecs' to avoid potential confusion
+ 908c388 Change type of fallback_verbose_wait from int to unsigned long
+ 05eae92 Add SbatLevel_Variable.txt to document the various revocations
+ 243f125 Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL
+ 89d25a1 Add a make rule for compile_commands.json
+ 118ff87 Add gnu-stack notes
+ f132655 test: Make our fake dprintf be a statement.
+ be00279 Remove CentOS 7 test builds.
+ 9964960 Split pe.c up even more.
+ 569270d Test (and fix) ImageAddress()
+ 61e9894 Verify signature before verifying sbat levels
+ 1578b55 Add libFuzzer support for csv.c
+ a0673e3 Fix a 1-byte memory leak in .sbat parsing.
+ e246812 Add libFuzzer support to the .sbat parser.
+ fd43eda Work around ImageAddress() usage mistake
+ 1e985a3 Correctly free memory allocated in handle_image()
+ dbbe3c8 mok: Avoid underflow in maximum variable size calculation
+ 04111d4 Make some of the static analysis tools a little easier to run
+ 7ba7440 compile_commands.json: remove stuff clang doesn't like
+ 66e6579 CVE-2023-40546 mok: fix LogError() invocation
+ f271826 Add primitives for overflow-checked arithmetic operations.
+ 8372147 pe-relocate: Add a fuzzer for read_header()
+ 5a5147d CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
+ e912071 pe-relocate: make read_header() use checked arithmetic operations.
+ 93ce255 CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
+ e7f5fdf pe-relocate: Ensure nothing else implements CVE-2023-40550
+ afdc503 CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
+ 96dccc2 CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
+ dae82f6 Further mitigations against CVE-2023-40546 as a class
+ ea0f9df Allow SbatLevel data from external binary
+ b078ef2 Always clear SbatLevel when Secure Boot is disabled
+ 7dfb687 BS Variables for bootmgr revocations
+ a967c0e shim should not self revoke
+ 577cedd Print message when refusing to apply SbatLevel
+ e801b0d sbat revocations: check the full section name
+ 0226b56 CVE-2023-40547 - avoid incorrectly trusting HTTP headers
+ 6f0c8d2 Print errors when setting/clearing memory attrs
+ 57c0eed Updated Revocations for January 2024 CVEs
+ 49c6d95 Fix some minor ia32 build issues.
+ be8ff7c post-process-pe: Don't set the NX_COMPAT flag by default after all.
+ 13abd9f pe-relocate: Avoid __builtin_add_overflow() on GCC < 5
+ c46c975 Suppress "Failed to open <..>\revocations.efi" when file does not exist
+ 30a4f37 Rename "previous" revocations to "automatic"
+ 6f395c2 Build time selectable automatic SBATLevel revocations
+ a23e2f0 netboot read_image() should not hardcode DEFAULT_LOADER
+ 993a345 Try to load revocations.efi even if directory read fails
+ 1770a03 gitmodules: use shim-15.8 for gnu-efi branch
+ 5914984 (HEAD -> main, tag: latest-release, tag: 15.8, origin/main, origin/HEAD) Bump version to 15.8
+
+-------------------------------------------------------------------
+Wed Jan 24 12:40:36 UTC 2024 - Ludwig Nussel
+
+- Generate dbx during build so we don't include binary files in sources
+
+-------------------------------------------------------------------
+Thu Oct 5 13:19:48 UTC 2023 - Ludwig Nussel
+
+- Don't require grub so shim can still be used with systemd-boot
+
+-------------------------------------------------------------------
+Wed Sep 20 04:33:59 UTC 2023 - Michael Chang
+
+- Update shim-install to fix boot failure of ext4 root file system
+ on RAID10 (bsc#1205855)
+ 226c94ca5cfca Use hint in looking for root if possible
+
+-------------------------------------------------------------------
+Tue Sep 19 08:36:17 UTC 2023 - Gary Ching-Pang Lin
+
+- Adopt the macros from fde-tpm-helper-macros to update the
+ signature in the sealed key after a bootloader upgrade
+
+-------------------------------------------------------------------
+Mon May 15 03:28:47 UTC 2023 - Gary Ching-Pang Lin
+
+- Update shim-install to amend full disk encryption support
+ b540061e041b Adopt TPM 2.0 Key File for grub2 TPM 2.0 protector
+ f2e8143ce831 Use the long name to specify the grub2 key protector
+ 72830120e5ea cryptodisk: support TPM authorized policies
+ 49e7a0d307f3 Do not use tpm_record_pcrs unless the command is in command.lst
+
+-------------------------------------------------------------------
+Thu Apr 13 09:13:22 UTC 2023 - Joey Lee
+
+- Sometimes SLE shim signature be Microsoft updated before openSUSE shim
+ signature. When submit request on IBS for updating SLE shim, the submitreq
+ project be generated, but it always be blocked by checking the signature
+ of openSUSE shim.
+ It doesn't make sense checking openSUSE shim signature when building
+ SLE shim on SLE platform, and vice versa. So the following change adds the
+ logic to compare suffix (sles, opensuse) with distro_id (sle, opensuse).
+ When and only when hash mismatch and distro_id match with suffix, stop
+ building.
+ # compare suffix (sles, opensuse) with distro_id (sle, opensuse)
+ # when hash mismatch and distro_id match with suffix, stop building
+
+-------------------------------------------------------------------
+Thu Apr 13 05:28:10 UTC 2023 - Joey Lee
+
+- Upgrade shim-install for bsc#1210382
+ After closing Leap-gap project since Leap 15.3, openSUSE Leap direct
+ uses shim from SLE. So the ca_string is 'SUSE Linux Enterprise Secure Boot
+ CA1', not 'openSUSE Secure Boot CA1'. It causes that the update_boot=no,
+ so all files in /boot/efi/EFI/boot are not updated.
+
+ The 86b73d1 patch added the logic that using ID field in os-release for
+ checking Leap distro and set ca_string to 'SUSE Linux Enterprise Secure
+ Boot CA1'. Then /boot/efi/EFI/boot/* can also be updated.
+- https://github.com/SUSE/shim-resources (git log --oneline)
+ 86b73d1 Fix that bootx64.efi is not updated on Leap
+ f2e8143 Use the long name to specify the grub2 key protector
+ 7283012 cryptodisk: support TPM authorized policies
+ 49e7a0d Do not use tpm_record_pcrs unless the command is in command.lst
+ 26c6bd5 Have grub take a snapshot of "relevant" TPM PCRs
+ 5c2c3ad Handle different cases of controlling cryptomount volumes during first stage boot
+ a5c5734 Introduce --no-grub-install option
+
+-------------------------------------------------------------------
+Mon Apr 10 05:04:33 UTC 2023 - Joey Lee
+
+- Removed POST_PROCESS_PE_FLAGS=-N from the build command in shim.spec to
+ enable the NX compatibility flag when using post-process-pe after
+ discussed with grub2 experts in mail. It's useful for further development
+ and testing. (bsc#1205588)
+
+-------------------------------------------------------------------
+Mon Mar 27 09:26:02 UTC 2023 - Joey Lee
+
+- Updated shim signature after shim 15.7 of SLE be signed back:
+ signature-sles.x86_64.asc, signature-sles.aarch64.asc (bsc#1198458, CVE-2022-28737)
+
+-------------------------------------------------------------------
+Thu Jan 12 07:00:19 UTC 2023 - Joey Lee
+
+- Removed shim-bsc1198101-opensuse-cert-prompt.patch (bsc#1198101)
+ - Detail discussion is in bugzilla:
+ https://bugzilla.suse.com/show_bug.cgi?id=1198101
+ - The shim community review and challenge this prompt. No other
+ distro shows prompt (Have checked Fedora 37, CentOS 9 and Ubuntu 22.10).
+ Currently, it blocked the review process of openSUSE shim.
+ - Other distros lock-down kernel when secure boot is enabled. Some of
+ them used different key for signing kernel binary with In-tree kernel
+ module. And their build service does not provide signed Out-off-tree
+ module.
+
+-------------------------------------------------------------------
+Fri Dec 9 08:38:14 UTC 2022 - Joey Lee
+
+- Modified shim-install, add the following Olaf Kirch's patches to support
+ full disk encryption: (jsc#PED-922)
+ a5c57340740c Introduce --no-grub-install option
+ 5c2c3addc51f Handle different cases of controlling cryptomount volumes during first stage boot
+ 26c6bd5df7ae Have grub take a snapshot of "relevant" TPM PCRs
+
+-------------------------------------------------------------------
+Wed Nov 23 07:28:57 UTC 2022 - Joey Lee
+
+- Add POST_PROCESS_PE_FLAGS=-N to the build command in shim.spec to
+ disable the NX compatibility flag when using post-process-pe because
+ grub2 is not ready. (bsc#1205588)
+ - Kernel can boot with the NX compatibility flag since 82e0d6d76a2a7
+ be merged to v5.19. On the other hand, upstream is working on
+ improve compressed kernel stage for NX:
+ [PATCH v3 00/24] x86_64: Improvements at compressed kernel stage
+ https://www.spinics.net/lists/kernel/msg4599636.html
+
+-------------------------------------------------------------------
+Fri Nov 18 04:52:49 UTC 2022 - Joey Lee
+
+- Add shim-Enable-the-NX-compatibility-flag-by-default.patch to
+ enable the NX compatibility flag by default. (jsc#PED-127)
+
+-------------------------------------------------------------------
+Fri Nov 18 03:17:46 UTC 2022 - Joey Lee
+
+- Drop upstreamed patch:
+ - shim-Enable-TDX-measurement-to-RTMR-register.patch
+ - Enable TDX measurement to RTMR register (jsc#PED-1273)
+ - 4fd484e4c2 15.7
+
+-------------------------------------------------------------------
+Thu Nov 17 05:17:34 UTC 2022 - Joey Lee
+
+- Update to 15.7 (bsc#1198458)(jsc#PED-127)
+ - Patches (git log --oneline --reverse 15.6..15.7)
+ 0eb07e1 Make SBAT variable payload introspectable
+ 092c2b2 Reference MokListRT instead of MokList
+ 8b59b69 Add a link to the test plan in the readme.
+ 4fd484e Enable TDX measurement to RTMR register
+ 14d6339 Discard load-options that start with a NUL
+ 5c537b3 shim: Flush the memory region from i-cache before execution
+ 2d4ebb5 load_cert_file: Fix stack issue
+ ea4911c load_cert_file: Use EFI RT memory function
+ 0cf43ac Add -malign-double to IA32 compiler flags
+ 17f0233 pe: Fix image section entry-point validation
+ 5169769 make-archive: Build reproducible tarball
+ aa1b289 mok: remove MokListTrusted from PCR 7
+ 53509ea CryptoPkg/BaseCryptLib: fix NULL dereference
+ 616c566 More coverity modeling
+ ea0d0a5 Update shim's .sbat to sbat,3
+ dd8be98 Bump grub's sbat requirement to grub,3
+ 1149161 (HEAD -> main, tag: 15.7, origin/main, origin/HEAD) Update version to 15.7
+ - 15.7 release note https://github.com/rhboot/shim/releases
+ Make SBAT variable payload introspectable by @chrisccoulson in #483
+ Reference MokListRT instead of MokList by @esnowberg in #488
+ Add a link to the test plan in the readme. by @vathpela in #494
+ [V3] Enable TDX measurement to RTMR register by @kenplusplus in #485
+ Discard load-options that start with a NUL by @frozencemetery in #505
+ load_cert_file bugs by @esnowberg in #523
+ Add -malign-double to IA32 compiler flags by @nicholasbishop in #516
+ pe: Fix image section entry-point validation by @iokomin in #518
+ make-archive: Build reproducible tarball by @julian-klode in #527
+ mok: remove MokListTrusted from PCR 7 by @baloo in #519
+ - Drop upstreamed patch:
+ - shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch
+ - Cryptlib/CryptAuthenticode: fix NULL pointer dereference in AuthenticodeVerify()
+ - 53509eaf22 15.7
+ - shim-jscPED-127-upgrade-shim-in-SLE15-SP5.patch
+ - For backporting the following patches between 15.6 with aa1b289a1a (jsc#PED-127)
+ - The following patches are merged to 15.7
+ aa1b289a1a mok: remove MokListTrusted from PCR 7
+ 0cf43ac6d7 Add -malign-double to IA32 compiler flags
+ ea4911c2f3 load_cert_file: Use EFI RT memory function
+ 2d4ebb5a79 load_cert_file: Fix stack issue
+ 5c537b3d0c shim: Flush the memory region from i-cache before execution
+ 14d6339829 Discard load-options that start with a NUL
+ 092c2b2bbe Reference MokListRT instead of MokList
+ 0eb07e11b2 Make SBAT variable payload introspectable
+
+-------------------------------------------------------------------
+Thu Nov 17 05:08:49 UTC 2022 - Joey Lee
+
+- Update shim.changes, added missed shim 15.6-rc1 and 15.6 changelog to
+ the item in Update to 15.6. (bsc#1198458)
+
+-------------------------------------------------------------------
+Tue Nov 15 08:06:24 UTC 2022 - Joey Lee
+
+- Add shim-jscPED-127-upgrade-shim-in-SLE15-SP5.patch for backporting the following
+ patches between 15.6 with aa1b289a1a (jsc#PED-127):
+ aa1b289a1a16774afc3143b8948d97261f0872d0 mok: remove MokListTrusted from PCR 7
+ 0cf43ac6d78c6f47f8b91210639ac1aa63665f0b Add -malign-double to IA32 compiler flags
+ ea4911c2f3ce8f8f703a1476febac86bb16b00fd load_cert_file: Use EFI RT memory function
+ 2d4ebb5a798aafd3b06d2c3cb9c9840c1caa41ef load_cert_file: Fix stack issue
+ 5c537b3d0cf8c393dad2e61d49aade68f3af1401 shim: Flush the memory region from i-cache before execution
+ 14d63398298c8de23036a4cf61594108b7345863 Discard load-options that start with a NUL
+ 092c2b2bbed950727e41cf450b61c794881c33e7 Reference MokListRT instead of MokList
+ 0eb07e11b20680200d3ce9c5bc59299121a75388 Make SBAT variable payload introspectable
+
+-------------------------------------------------------------------
+Tue Nov 15 08:06:05 UTC 2022 - Joey Lee
+
+- Add shim-Enable-TDX-measurement-to-RTMR-register.patch to support
+ enhance shim measurement to TD RTMR. (jsc#PED-1273)
+
+-------------------------------------------------------------------
+Tue Nov 15 07:53:59 UTC 2022 - Joey Lee
+
+- For pushing openSUSE:Factory/shim to SLE15-SP5, sync the shim.spec
+ and shim.changes: (jsc#PED-127)
+ - Add some change log from SLE shim.changes to Factory shim.changes
+ Those messages are added "(sync shim.changes from SLE)" tag.
+ - Add the following changes to shim.spec
+ - only apply Patch100, the shim-bsc1198101-opensuse-cert-prompt.patch
+ on openSUSE.
+ - Enable the AArch64 signature check for SLE:
+ # AArch64 signature
+ signature=%{SOURCE13}
+
+-------------------------------------------------------------------
+Thu Sep 29 02:42:35 UTC 2022 - Michael Chang
+
+- shim-install: ensure grub.cfg created is not overwritten after
+ installing grub related files
+
+-------------------------------------------------------------------
+Mon Sep 12 12:30:54 UTC 2022 - Kilian Hanich
+
+- Add logic to shim.spec to only set sbat policy when efivarfs is writeable.
+ (bsc#1201066)
+
+-------------------------------------------------------------------
+Fri Aug 5 05:25:16 UTC 2022 - Joey Lee
+
+- Add logic to shim.spec for detecting --set-sbat-policy option before
+ using mokutil to set sbat policy. (bsc#1202120)
+
+-------------------------------------------------------------------
+Fri Jul 29 02:36:36 UTC 2022 - Joey Lee
+
+- Change the URL in SBAT section to mail:security@suse.de. (bsc#1193282)
+
+-------------------------------------------------------------------
+Mon Jul 25 12:44:24 UTC 2022 - Joey Lee
+
+- Revoked the change in shim.spec for "use common SBAT values (boo#1193282)"
+ - we need to build openSUSE Tumbleweed's shim on Leap 15.4 because Factory
+ is unstable for building out a stable shim binary for signing. (bsc#1198458)
+ - But the rpm-config-suse package in Leap 15.4 is direct copied from SLE 15.4
+ because closing-the-leap-gap. So sbat_distro_* variables are SLE version,
+ not for openSUSE. (bsc#1198458)
+
+-------------------------------------------------------------------
+Tue Jun 28 04:03:45 UTC 2022 - Joey Lee
+
+- Update to 15.6 (bsc#1198458)
+ - shim-15.6.tar.bz2 is downloaded from bsc#1198458#c76
+ which is from upstream grub2.cve_2021_3695.ms keybase channel.
+ - For building 15.6~rc1 aarch64 image (d6eb9c6 Modernize aarch64), objcopy needs to
+ support efi-app-aarch64 target. So we need the following patches in bintuils:
+ - binutils-AArch64-Add-support-for-AArch64-EFI-efi-aarch64.patch
+ b69c9d41e8 AArch64: Add support for AArch64 EFI (efi-*-aarch64).
+ - binutils-Re-AArch64-Add-support-for-AArch64-EFI-efi-aarch64.patch
+ 32384aa396 Re: AArch64: Add support for AArch64 EFI (efi-*-aarch64)
+ - binutils-Re-Add-support-for-AArch64-EFI-efi-aarch64.patch
+ d91c67e873 Re: Add support for AArch64 EFI (efi-*-aarch64)
+ - Patches (git log --oneline --reverse 15.5~..77144e5a4)
+ 448f096 MokManager: removed Locate graphic output protocol fail error message (bsc#1193315, bsc#1198458)
+ a2da05f shim: implement SBAT verification for the shim_lock protocol
+ bda03b8 post-process-pe: Fix a missing return code check
+ af18810 CI: don't cancel testing when one fails
+ ba580f9 CI: remove EOL Fedoras from github actions
+ bfeb4b3 Remove aarch64 build tests before f35
+ 38cc646 CI: Add f36 and centos9 CI build tests.
+ b5185cb post-process-pe: Fix format string warnings on 32-bit platforms
+ 31094e5 tests: also look for system headers in multi-arch directories
+ 4df989a mock-variables.c: fix gcc warning
+ 6aac595 test-str.c: fix gcc warnings with FORTIFY_SOURCE enabled
+ 2670c6a Allow MokListTrusted to be enabled by default
+ 5c44aaf Add code of conduct
+ d6eb9c6 Modernize aarch64
+ 9af50c1 Use ASCII as fallback if Unicode Box Drawing characters fail
+ de87985 make: don't treat cert.S specially
+ 803dc5c shim: use SHIM_DEVEL_VERBOSE when built in devel mode
+ 6402f1f SBAT matching: Break out of the inner sbat loop if we find the entry.
+ bb4b60e Add verify_image
+ acfd48f Abstract out image reading
+ 35d7378 Load additional certs from a signed binary
+ 8ce2832 post-process-pe: there is no 's' argument.
+ 465663e Add some missing PE image flag definitions
+ 226fee2 PE Loader: support and require NX
+ df96f48 Add MokPolicy variable and MOK_POLICY_REQUIRE_NX
+ b104fc4 post-process-pe: set EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT
+ f81a7cc SBAT revocation management
+ abe41ab make: unbreak scan-build again for gnu-efi
+ 610a1ac sbat.h: minor reformatting for legibility
+ f28833f peimage.h: make our signature macros force the type
+ 5d789ca Always initialize data/datasize before calling read_image()
+ a50d364 sbat policy: make our policy change actions symbolic
+ 5868789 load_certs: trust dir->Read() slightly less.
+ a78673b mok.c: fix a trivial dead assignment
+ 759f061 Fix preserve_sbat_uefi_variable() logic
+ aa61fdf Give the Coverity scanner some more GCC blinders...
+ 0214cd9 load_cert_file(): don't defererence NULL
+ 1eca363 mok import: handle OOM case
+ 75449bc sbat: Make nth_sbat_field() honor the size limit
+ c0bcd04 shim-15.6~rc1
+ 77144e5 SBAT Policy latest should be a one-shot
+ - 15.5 release note https://github.com/rhboot/shim/releases
+ Broken ia32 relocs and an unimportant submodule change. by @vathpela in #357
+ mok: allocate MOK config table as BootServicesData by @lcp in #361
+ Don't call QueryVariableInfo() on EFI 1.10 machines by @vathpela in #364
+ Relax the check for import_mok_state() by @lcp in #372
+ SBAT.md: trivial changes by @hallyn in #389
+ shim: another attempt to fix load options handling by @chrisccoulson in #379
+ Add tests for our load options parsing. by @vathpela in #390
+ arm/aa64: fix the size of .rela* sections by @lcp in #383
+ mok: fix potential buffer overrun in import_mok_state by @jyong2 in #365
+ mok: relax the maximum variable size check by @lcp in #369
+ Don't unhook ExitBootServices when EBS protection is disabled by @sforshee in #378
+ fallback: find_boot_option() needs to return the index for the boot entry in optnum by @jsetje in #396
+ httpboot: Ignore case when checking HTTP headers by @frozencemetery in #403
+ Fallback allocation errors by @vathpela in #402
+ shim: avoid BOOTx64.EFI in message on other architectures by @xypron in #406
+ str: remove duplicate parameter check by @xypron in #408
+ fallback: add compile option FALLBACK_NONINTERACTIVE by @xnox in #359
+ Test mok mirror by @vathpela in #394
+ Modify sbat.md to help with readability. by @eshiman in #398
+ csv: detect end of csv file correctly by @xypron in #404
+ Specify that the .sbat section is ASCII not UTF-8 by @daxtens in #413
+ tests: add "include-fixed" GCC directory to include directories by @diabonas in #415
+ pe: simplify generate_hash() by @xypron in #411
+ Don't make shim abort when TPM log event fails (RHBZ #2002265) by @rmetrich in #414
+ Fallback to default loader if parsed one does not exist by @julian-klode in #393
+ fallback: Fix for BootOrder crash when index returned by find_boot_option() is not in current BootOrder list by @rmetrich in #422
+ Better console checks by @vathpela in #416
+ docs: update SBAT UEFI variable name by @nicholasbishop in #421
+ Don't parse load options if invoked from removable media path by @julian-klode in #399
+ fallback: fix fallback not passing arguments of the first boot option by @martinezjavier in #433
+ shim: Don't stop forever at "Secure Boot not enabled" notification by @rmetrich in #438
+ Shim 15.5 coverity by @vathpela in #439
+ Allocate mokvar table in runtime memory. by @vathpela in #447
+ Remove post-process-pe on 'make clean' by @vathpela in #448
+ pe: missing perror argument by @xypron in #443
+ - 15.6-rc1 release note https://github.com/rhboot/shim/releases
+ MokManager: removed Locate graphic output protocol fail error message by @joeyli in #441
+ shim: implement SBAT verification for the shim_lock protocol by @chrisccoulson in #456
+ post-process-pe: Fix a missing return code check by @vathpela in #462
+ Update github actions matrix to be more useful by @frozencemetery in #469
+ Add f36 and centos9 CI builds by @vathpela in #470
+ post-process-pe: Fix format string warnings on 32-bit platforms by @steve-mcintyre in #464
+ tests: also look for system headers in multi-arch directories by @steve-mcintyre in #466
+ tests: fix gcc warnings by @akodanev in #463
+ Allow MokListTrusted to be enabled by default by @esnowberg in #455
+ Add code of conduct by @frozencemetery in #427
+ Re-add ARM AArch64 support by @vathpela in #468
+ Use ASCII as fallback if Unicode Box Drawing characters fail by @vathpela in #428
+ make: don't treat cert.S specially by @vathpela in #475
+ shim: use SHIM_DEVEL_VERBOSE when built in devel mode by @vathpela in #474
+ Break out of the inner sbat loop if we find the entry. by @vathpela in #476
+ Support loading additional certificates by @esnowberg in #446
+ Add support for NX (W^X) mitigations. by @vathpela in #459
+ Misc fixups from scan-build. by @vathpela in #477
+ Fix preserve_sbat_uefi_variable() logic by @jsetje in #478
+ - 15.6 release note https://github.com/rhboot/shim/releases
+ MokManager: removed Locate graphic output protocol fail error message by @joeyli in #441
+ shim: implement SBAT verification for the shim_lock protocol by @chrisccoulson in #456
+ post-process-pe: Fix a missing return code check by @vathpela in #462
+ Update github actions matrix to be more useful by @frozencemetery in #469
+ Add f36 and centos9 CI builds by @vathpela in #470
+ post-process-pe: Fix format string warnings on 32-bit platforms by @steve-mcintyre in #464
+ tests: also look for system headers in multi-arch directories by @steve-mcintyre in #466
+ tests: fix gcc warnings by @akodanev in #463
+ Allow MokListTrusted to be enabled by default by @esnowberg in #455
+ Add code of conduct by @frozencemetery in #427
+ Re-add ARM AArch64 support by @vathpela in #468
+ Use ASCII as fallback if Unicode Box Drawing characters fail by @vathpela in #428
+ make: don't treat cert.S specially by @vathpela in #475
+ shim: use SHIM_DEVEL_VERBOSE when built in devel mode by @vathpela in #474
+ Break out of the inner sbat loop if we find the entry. by @vathpela in #476
+ Support loading additional certificates by @esnowberg in #446
+ Add support for NX (W^X) mitigations. by @vathpela in #459
+ Misc fixups from scan-build. by @vathpela in #477
+ Fix preserve_sbat_uefi_variable() logic by @jsetje in #478
+ SBAT Policy latest should be a one-shot by @jsetje in #481
+ pe: Fix a buffer overflow when SizeOfRawData > VirtualSize by @chriscoulson
+ pe: Perform image verification earlier when loading grub by @chriscoulson
+ Update advertised sbat generation number for shim by @jsetje
+ Update SBAT generation requirements for 05/24/22 by @jsetje
+ Also avoid CVE-2022-28737 in verify_image() by @vathpela
+ - Drop upstreamed patch:
+ - shim-bsc1184454-allocate-mok-config-table-BS.patch
+ - Allocate MOK config table as BootServicesData to avoid the error message
+ from linux kernel
+ - 4068fd42c8 15.5-rc1~70
+ - shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch
+ - Handle ignore_db and user_insecure_mode correctly
+ - 822d07ad4f07 15.5-rc1~73
+ - shim-bsc1185621-relax-max-var-sz-check.patch
+ - Relax the maximum variable size check for u-boot
+ - 3f327f546c219634b2 15.5-rc1~49
+ - shim-bsc1185261-relax-import_mok_state-check.patch
+ - Relax the check for import_mok_state() when Secure Boot is off
+ - 9f973e4e95b113 15.5-rc1~67
+ - shim-bsc1185232-relax-loadoptions-length-check.patch
+ - Relax the check for the LoadOptions length
+ - ada7ff69bd8a95 15.5-rc1~52
+ - shim-fix-aa64-relsz.patch
+ - Fix the size of rela* sections for AArch64
+ - 34e3ef205c5d65 15.5-rc1~51
+ - shim-bsc1187260-fix-efi-1.10-machines.patch
+ - Don't call QueryVariableInfo() on EFI 1.10 machines
+ - 493bd940e5 15.5-rc1~69
+ - shim-bsc1185232-fix-config-table-copying.patch
+ - Avoid buffer overflow when copying the MOK config table
+ - 7501b6bb44 15.5-rc1~50
+ - shim-bsc1187696-avoid-deleting-rt-variables.patch
+ - Avoid deleting the mirrored RT variables
+ - b1fead0f7c9 15.5-rc1~37
+ - Add "rm -f *.o" after building MokManager/fallback in shim.spec
+ to make sure all object files gets rebuilt
+ - reference: https://github.com/rhboot/shim/pull/461
+- The following fix-CVE-2022-28737-v6 patches against
bsc#1198458 are included + in shim-15.6.tar.bz2 + - shim-bsc1198458-pe-Fix-a-buffer-overflow-when-SizeOfRawData-VirtualS.patch + pe: Fix a buffer overflow when SizeOfRawData VirtualSize + - shim-bsc1198458-pe-Perform-image-verification-earlier-when-loading-g.patch + pe: Perform image verification earlier when loading grub + - shim-bsc1198458-Update-advertised-sbat-generation-number-for-shim.patch + Update advertised sbat generation number for shim + - shim-bsc1198458-Update-SBAT-generation-requirements-for-05-24-22.patch + Update SBAT generation requirements for 05/24/22 + - shim-bsc1198458-Also-avoid-CVE-2022-28737-in-verify_image.patch + Also avoid CVE-2022-28737 in verify_image() + - 0006-shim-15.6-rc2.patch + - 0007-sbat-add-the-parsed-SBAT-variable-entries-to-the-deb.patch + sbat: add the parsed SBAT variable entries to the debug log + - 0008-bump-version-to-shim-15.6.patch +- Add mokutil command to post script for setting sbat policy to latest mode + when the SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23 is not created. + (bsc#1198458) +- Add shim-bsc1198101-opensuse-cert-prompt.patch back to openSUSE shim to + show the prompt to ask whether the user trusts openSUSE certificate or not + (bsc#1198101) +- Updated vendor dbx binary and script (bsc#1198458) + - Updated dbx-cert.tar.xz and vendor-dbx-sles.bin for adding + SLES-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list. + - Updated dbx-cert.tar.xz and vendor-dbx-opensuse.bin for adding + openSUSE-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list. + - Updated vendor-dbx.bin for adding SLES-UEFI-SIGN-Certificate-2021-05.crt + and openSUSE-UEFI-SIGN-Certificate-2021-05.crt for testing environment. + - Updated generate-vendor-dbx.sh script for generating a vendor-dbx.bin + file which includes all .der for testing environment. 
+ +------------------------------------------------------------------- +Tue Apr 12 06:35:16 UTC 2022 - Ludwig Nussel + +- use common SBAT values (boo#1193282) + +------------------------------------------------------------------- +Thu Jul 15 08:13:26 UTC 2021 - Johannes Segitz + +- Update the SLE signatures (sync shim.changes from SLE) + +------------------------------------------------------------------- +Thu Jul 1 04:07:03 UTC 2021 - Gary Ching-Pang Lin + +- Add shim-bsc1187696-avoid-deleting-rt-variables.patch to avoid + deleting the mirrored RT variables (bsc#1187696) + +------------------------------------------------------------------- +Mon Jun 21 08:51:37 UTC 2021 - Gary Ching-Pang Lin + +(sync shim.changes from SLE) +- Split the keys in vendor-dbx.bin to vendor-dbx-sles and + vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce + the size of MokListXRT (bsc#1185261) + + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz +- Add shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch + to handle ignore_db and user_insecure_mode correctly + (bsc#1185441, bsc#1187071) +- Add shim-bsc1185621-relax-max-var-sz-check.patch to relax the + maximum variable size check for u-boot (bsc#1185621) + + Also drop AArch64 suse-signed shim since we merged this patch +- Add shim-bsc1185261-relax-import_mok_state-check.patch to relax + the check for import_mok_state() when Secure Boot is off. 
+ (bsc#1185261)
+- Add shim-bsc1185232-relax-loadoptions-length-check.patch to
+ ignore the odd LoadOptions length (bsc#1185232)
+- shim-install: reset def_shim_efi to "shim.efi" if the given
+ file doesn't exist
+- Add shim-fix-aa64-relsz.patch to fix the size of rela sections
+ for AArch64
+ Fix: https://github.com/rhboot/shim/issues/371
+- Add shim-disable-export-vendor-dbx.patch to disable exporting
+ vendor-dbx to MokListXRT since writing a large RT variable
+ could crash some machines (bsc#1185261)
+- Add shim-bsc1187260-fix-efi-1.10-machines.patch to avoid the
+ potential crash when calling QueryVariableInfo in EFI 1.10
+ machines (bsc#1187260)
+- Add shim-bsc1185232-fix-config-table-copying.patch to avoid
+ buffer overflow when copying data to the MOK config table
+ (bsc#1185232)
+
+-------------------------------------------------------------------
+Mon Jun 21 08:51:37 UTC 2021 - Gary Ching-Pang Lin
+
+- Add shim-bsc1185232-fix-config-table-copying.patch to avoid
+ buffer overflow when copying data to the MOK config table
+ (bsc#1185232)
+
+-------------------------------------------------------------------
+Mon Jun 21 01:58:00 UTC 2021 - Gary Ching-Pang Lin
+
+- Add shim-disable-export-vendor-dbx.patch to disable exporting
+ vendor-dbx to MokListXRT since writing a large RT variable
+ could crash some machines (bsc#1185261)
+- Add shim-bsc1187260-fix-efi-1.10-machines.patch to avoid the
+ potential crash when calling QueryVariableInfo in EFI 1.10
+ machines (bsc#1187260)
+
+-------------------------------------------------------------------
+Thu Jun 17 03:03:37 UTC 2021 - Gary Ching-Pang Lin
+
+- Add shim-fix-aa64-relsz.patch to fix the size of rela sections
+ for AArch64
+ Fix: https://github.com/rhboot/shim/issues/371
+
+-------------------------------------------------------------------
+Fri Jun 4 09:22:51 UTC 2021 - Gary Ching-Pang Lin
+
+- Add shim-bsc1185232-relax-loadoptions-length-check.patch to
+ ignore the odd LoadOptions length (bsc#1185232)
+
+------------------------------------------------------------------- +Fri Jun 4 07:02:03 UTC 2021 - Gary Ching-Pang Lin + +- shim-install: reset def_shim_efi to "shim.efi" if the given + file doesn't exist + +------------------------------------------------------------------- +Wed May 19 01:07:43 UTC 2021 - Gary Ching-Pang Lin + +- shim-install: instead of assuming "removable" for Azure, remove + fallback.efi from \EFI\Boot and copy grub.efi/cfg to \EFI\Boot + to make \EFI\Boot bootable and keep the boot option created by + efibootmgr (bsc#1185464, bsc#1185961) + +------------------------------------------------------------------- +Tue May 11 02:57:14 UTC 2021 - Gary Ching-Pang Lin + +- Add shim-bsc1185261-relax-import_mok_state-check.patch to relax + the check for import_mok_state() when Secure Boot is off. + (bsc#1185261) + +------------------------------------------------------------------- +Fri May 7 08:33:49 UTC 2021 - Gary Ching-Pang Lin + +- shim-install: always assume "removable" for Azure to avoid the + endless reset loop (bsc#1185464) + +------------------------------------------------------------------- +Thu May 6 06:45:39 UTC 2021 - Gary Ching-Pang Lin + +- Include suse-signed shim for AArch64 (bsc#1185621) + (sync shim.changes from SLE) + +------------------------------------------------------------------- +Thu May 6 03:18:32 UTC 2021 - Gary Ching-Pang Lin + +- Add shim-bsc1185621-relax-max-var-sz-check.patch to relax the + maximum variable size check for u-boot (bsc#1185621) + +------------------------------------------------------------------- +Mon May 3 03:46:27 UTC 2021 - Gary Ching-Pang Lin + +- Add shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch + to handle ignore_db and user_insecure_mode correctly + (bsc#1185441, bsc#1187071) + +------------------------------------------------------------------- +Wed Apr 28 09:28:30 UTC 2021 - Gary Ching-Pang Lin + +- Split the keys in vendor-dbx.bin to vendor-dbx-sles and + 
vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce + the size of MokListXRT (bsc#1185261) + + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz + +------------------------------------------------------------------- +Thu Apr 22 03:26:48 UTC 2021 - Gary Ching-Pang Lin + +- Enable the AArch64 signature check for SLE (sync shim.changes from SLE) + +------------------------------------------------------------------- +Wed Apr 21 05:44:35 UTC 2021 - Johannes Segitz + +- Update the SLE signatures (sync shim.changes from SLE) + +------------------------------------------------------------------- +Thu Apr 8 08:44:27 UTC 2021 - Gary Ching-Pang Lin + +- Add shim-bsc1184454-allocate-mok-config-table-BS.patch to avoid + the error message during linux system boot (bsc#1184454) + +------------------------------------------------------------------- +Wed Apr 7 12:25:02 UTC 2021 - Johannes Segitz + +- Add remove_build_id.patch to prevent the build id being added to + the binary. That can cause issues with the signature + +------------------------------------------------------------------- +Wed Mar 31 08:40:49 UTC 2021 - Gary Ching-Pang Lin + +- Update to 15.4 (bsc#1182057) + + Rename the SBAT variable and fix the self-check of SBAT + + sbat: add more dprint() + + arm/aa64: Swizzle some sections to make old sbsign happier + + arm/aa64 targets: put .rel* and .dyn* in .rodata +- Drop upstreamed patch: + + shim-bsc1182057-sbat-variable-enhancement.patch + +------------------------------------------------------------------- +Mon Mar 29 07:18:20 UTC 2021 - Gary Ching-Pang Lin + +- Add shim-bsc1182057-sbat-variable-enhancement.patch to change + the SBAT variable name and enhance the handling of SBAT + (bsc#1182057) + +------------------------------------------------------------------- +Wed Mar 24 01:29:17 UTC 2021 - Gary Ching-Pang Lin + +- Update to 15.3 for SBAT support (bsc#1182057) + + Drop gnu-efi from BuildRequires since upstream pull it into the + tar ball. 
+- Generate vender-specific SBAT metadata + + Add dos2unix to BuildRequires since Makefile requires it for + vendor SBAT +- Update dbx-cert.tar.xz and vendor-dbx.bin to block the following + sign keys: + + SLES-UEFI-SIGN-Certificate-2020-07.crt + + openSUSE-UEFI-SIGN-Certificate-2020-07.crt +- Refresh patches + + shim-arch-independent-names.patch + + shim-change-debug-file-path.patch + + shim-bsc1177315-verify-eku-codesign.patch + - Unified with shim-bsc1177315-fix-buffer-use-after-free.patch +- Drop upstreamed fixes + + shim-correct-license-in-headers.patch + + shim-always-mirror-mok-variables.patch + + shim-bsc1175509-more-tpm-fixes.patch + + shim-bsc1173411-only-check-efi-var-on-sb.patch + + shim-fix-verify-eku.patch + + gcc9-fix-warnings.patch + + shim-fix-gnu-efi-3.0.11.patch + + shim-bsc1177404-fix-a-use-of-strlen.patch + + shim-do-not-write-string-literals.patch + + shim-VLogError-Avoid-Null-pointer-dereferences.patch + + shim-bsc1092000-fallback-menu.patch + + shim-bsc1175509-tpm2-fixes.patch + + shim-bsc1174512-correct-license-in-headers.patch + + shim-bsc1182776-fix-crash-at-exit.patch +- Drop shim-opensuse-cert-prompt.patch + + All newly released openSUSE kernels enable kernel lockdown + and signature verification, so there is no need to add the + prompt anymore. 
+
+-------------------------------------------------------------------
+Thu Mar 11 03:15:03 UTC 2021 - Gary Ching-Pang Lin
+
+- Refresh shim-bsc1182776-fix-crash-at-exit.patch to do the cleanup
+ also when Secure Boot is disabled (bsc#1183213, bsc#1182776)
+- Merged linker-version.pl into timestamp.pl and add the linker
+ version to signature files accordingly
+
+-------------------------------------------------------------------
+Mon Mar 8 03:13:13 UTC 2021 - Gary Ching-Pang Lin
+
+- Add shim-bsc1182776-fix-crash-at-exit.patch to fix the potential
+ crash at Exit() (bsc#1182776)
+
+-------------------------------------------------------------------
+Fri Jan 22 03:29:56 UTC 2021 - Gary Ching-Pang Lin
+
+- Update the SLE signature
+- Exclude some patches from x86_64 to avoid breaking the signature
+- Add shim-correct-license-in-headers.patch back for x86_64 to
+ match the SLE signature
+- Add linker-version.pl to modify the EFI/PE header to match the
+ SLE signature
+
+-------------------------------------------------------------------
+Wed Nov 4 05:53:35 UTC 2020 - Gary Ching-Pang Lin
+
+- Disable the signature attachment for AArch64 temporarily until
+ we get a real one.
+ +------------------------------------------------------------------- +Mon Nov 2 06:52:13 UTC 2020 - Gary Ching-Pang Lin + +- Add shim-bsc1177315-verify-eku-codesign.patch to check CodeSign + in the signer's EKU (bsc#1177315) +- Add shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch + to fix NULL pointer dereference in AuthenticodeVerify() + (bsc#1177789, CVE-2019-14584) +- shim-install: Support changing default shim efi binary in + /usr/etc/default/shim and /etc/default/shim (bsc#1177315) +- Add shim-bsc1177315-fix-buffer-use-after-free.patch to fix buffer + use-after-free at the end of the EKU verification (bsc#1177315) + +------------------------------------------------------------------- +Wed Oct 14 07:34:18 UTC 2020 - Gary Ching-Pang Lin + +- Add shim-bsc1177404-fix-a-use-of-strlen.patch to fix the length + of the option data string to launch the program correctly + (bsc#1177404) +- Add shim-bsc1175509-more-tpm-fixes.patch to fix the file path + in the tpm even log (bsc#1175509) + +------------------------------------------------------------------- +Mon Sep 14 08:06:27 UTC 2020 - Gary Ching-Pang Lin + +- Add shim-VLogError-Avoid-Null-pointer-dereferences.patch to fix + VLogError crash in AArch64 (jsc#SLE-15824) +- Add shim-fix-verify-eku.patch to fix the potential crash at + verify_eku() (jsc#SLE-15824) +- Add shim-do-not-write-string-literals.patch to fix the potential + crash when accessing the DEFAULT_LOADER string (jsc#SLE-15824) + +------------------------------------------------------------------- +Fri Sep 4 15:08:19 UTC 2020 - Guillaume GARDET + +- Enable build on aarch64 + +------------------------------------------------------------------- +Mon Aug 24 03:20:52 UTC 2020 - Gary Ching-Pang Lin + +- shim-install: install MokManager to \EFI\boot to process the + pending MOK request (bsc#1175626, bsc#1175656) + +------------------------------------------------------------------- +Fri Aug 21 04:00:39 UTC 2020 - Gary Ching-Pang Lin + +- Add 
shim-bsc1175509-tpm2-fixes.patch to fix the TPM2 measurement + (bsc#1175509) + +------------------------------------------------------------------- +Thu Aug 6 09:43:19 UTC 2020 - Gary Ching-Pang Lin + +- Amend the check of %shim_enforce_ms_signature + +------------------------------------------------------------------- +Fri Jul 31 07:41:26 UTC 2020 - Johannes Segitz + +- Updated openSUSE signature + +------------------------------------------------------------------- +Mon Jul 27 07:26:03 UTC 2020 - Gary Ching-Pang Lin + +- Replace shim-correct-license-in-headers.patch with the upstream + commit: shim-bsc1174512-correct-license-in-headers.patch + (bsc#1174512) + +------------------------------------------------------------------- +Wed Jul 22 09:23:02 UTC 2020 - Gary Ching-Pang Lin + +- Update the path to grub-tpm.efi in shim-install (bsc#1174320) + +------------------------------------------------------------------- +Fri Jul 10 07:21:27 UTC 2020 - Gary Ching-Pang Lin + +- Use vendor-dbx to block old SUSE/openSUSE signkeys (bsc#1168994) + + Add dbx-cert.tar.xz which contains the certificates to block + and a script, generate-vendor-dbx.sh, to generate + vendor-dbx.bin + + Add vendor-dbx.bin as the vendor dbx to block unwanted keys +- Drop shim-opensuse-signed.efi + + We don't need it anymore + +------------------------------------------------------------------- +Fri Jul 10 06:28:44 UTC 2020 - Gary Ching-Pang Lin + +- Add shim-bsc1173411-only-check-efi-var-on-sb.patch to only check + EFI variable copying when Secure Boot is enabled (bsc#1173411) + +------------------------------------------------------------------- +Tue Mar 31 08:38:56 UTC 2020 - Gary Ching-Pang Lin + +- Use the full path of efibootmgr to avoid errors when invoking + shim-install from packagekitd (bsc#1168104) + +------------------------------------------------------------------- +Mon Mar 30 06:20:47 UTC 2020 - Gary Ching-Pang Lin + +- Use "suse_version" instead of "sle_version" to avoid + 
shim_lib64_share_compat being set in Tumbleweed forever. + +------------------------------------------------------------------- +Mon Mar 16 09:42:34 UTC 2020 - Gary Ching-Pang Lin + +- Add shim-fix-gnu-efi-3.0.11.patch to fix the build error caused + by the upgrade of gnu-efi + +------------------------------------------------------------------- +Wed Nov 27 06:23:11 UTC 2019 - Michael Chang + +- shim-install: add check for btrfs is used as root file system to enable + relative path lookup for file. (bsc#1153953) + +------------------------------------------------------------------- +Fri Aug 16 04:07:30 UTC 2019 - Gary Ching-Pang Lin + +- Fix a typo in shim-install (bsc#1145802) + +------------------------------------------------------------------- +Fri Apr 19 10:32:11 UTC 2019 - Martin Liška + +- Add gcc9-fix-warnings.patch (bsc#1121268). + +------------------------------------------------------------------- +Mon Apr 15 09:24:07 UTC 2019 - Gary Ching-Pang Lin + +- Add shim-opensuse-signed.efi, the openSUSE shim-15+git47 binary + (bsc#1113225) + +------------------------------------------------------------------- +Fri Apr 12 08:50:49 UTC 2019 - Gary Ching-Pang Lin + +- Disable AArch64 build (FATE#325971) + + AArch64 machines don't use UEFI CA, at least for now. 
+ +------------------------------------------------------------------- +Thu Apr 11 15:52:47 UTC 2019 - jsegitz@suse.com + +- Updated shim signature: signature-sles.x86_64.asc (bsc#1120026) + +------------------------------------------------------------------- +Thu Feb 14 17:03:00 UTC 2019 - rw@suse.com + +- Fix conditions for '/usr/share/efi'-move (FATE#326960) + +------------------------------------------------------------------- +Mon Jan 28 03:18:53 UTC 2019 - Gary Ching-Pang Lin + +- Amend shim.spec to remove $RPM_BUILD_ROOT + +------------------------------------------------------------------- +Thu Jan 17 17:12:14 UTC 2019 - rw@suse.com + +- Move 'efi'-executables to '/usr/share/efi' (FATE#326960) + (preparing the move to 'noarch' for this package) + +------------------------------------------------------------------- +Mon Jan 14 09:48:59 UTC 2019 - Gary Ching-Pang Lin + +- Update shim-install to handle the partitioned MD devices + (bsc#1119762, bsc#1119763) + +------------------------------------------------------------------- +Thu Dec 20 04:13:00 UTC 2018 - Gary Ching-Pang Lin + +- Update to 15+git47 (bsc#1120026, FATE#325971) + + git commit: b3e4d1f7555aabbf5d54de5ea7cd7e839e7bd83d +- Retire the old openSUSE 4096 bit certificate + + Those programs are already out of maintenance. 
+- Add shim-always-mirror-mok-variables.patch to mirror MOK + variables correctly +- Add shim-correct-license-in-headers.patch to correct the license + declaration +- Refresh patches: + + shim-arch-independent-names.patch + + shim-change-debug-file-path.patch + + shim-bsc1092000-fallback-menu.patch + + shim-opensuse-cert-prompt.patch +- Drop upstreamed patches: + + shim-bsc1088585-handle-mok-allocations-better.patch + + shim-httpboot-amend-device-path.patch + + shim-httpboot-include-console.h.patch + + shim-only-os-name.patch + + shim-remove-cryptpem.patch + +------------------------------------------------------------------- +Wed Dec 5 10:28:00 UTC 2018 - Gary Ching-Pang Lin + +- Update shim-install to specify the target for grub2-install and + change the boot efi file name according to the architecture + (bsc#1118363, FATE#325971) + +------------------------------------------------------------------- +Tue Aug 21 07:36:36 UTC 2018 - glin@suse.com + +- Enable AArch64 build (FATE#325971) + + Also add the aarch64 signature files and rename the x86_64 + signature files + +------------------------------------------------------------------- +Tue May 29 06:41:59 UTC 2018 - glin@suse.com + +- Add shim-bsc1092000-fallback-menu.patch to show a menu before + system reset ((bsc#1092000)) + +------------------------------------------------------------------- +Tue Apr 10 03:45:39 UTC 2018 - glin@suse.com + +- Add shim-bsc1088585-handle-mok-allocations-better.patch to avoid + double-freeing after enrolling a key from the disk (bsc#1088585) + + Also refresh shim-opensuse-cert-prompt.patch due to the change + in MokManager.c + +------------------------------------------------------------------- +Tue Apr 3 08:37:55 UTC 2018 - glin@suse.com + +- Install the certificates with a shim suffix to avoid conflicting + with other packages (bsc#1087847) + +------------------------------------------------------------------- +Fri Mar 23 04:47:35 UTC 2018 - glin@suse.com + +- Add the missing 
leading backlash to the DEFAULT_LOADER + (bsc#1086589) + +------------------------------------------------------------------- +Fri Jan 5 08:41:42 UTC 2018 - glin@suse.com + +- Add shim-httpboot-amend-device-path.patch to amend the device + path matching rule for httpboot (bsc#1065370) + +------------------------------------------------------------------- +Thu Jan 4 08:17:44 UTC 2018 - glin@suse.com + +- Update to 14 (bsc#1054712) +- Adjust make commands in spec +- Drop upstreamed fixes + + shim-add-fallback-verbose-print.patch + + shim-back-to-openssl-1.0.2e.patch + + shim-fallback-workaround-masked-ami-variables.patch + + shim-fix-fallback-double-free.patch + + shim-fix-httpboot-crash.patch + + shim-fix-openssl-flags.patch + + shim-more-tpm-measurement.patch +- Add shim-httpboot-include-console.h.patch to include console.h + in httpboot.c to avoid build failure +- Add shim-remove-cryptpem.patch to replace functions in CryptPem.c + with the null function +- Update SUSE/openSUSE specific patches + + shim-only-os-name.patch + + shim-arch-independent-names.patch + + shim-change-debug-file-path.patch + + shim-opensuse-cert-prompt.patch + +------------------------------------------------------------------- +Fri Dec 29 18:41:12 UTC 2017 - ngompa13@gmail.com + +- Fix debuginfo + debugsource subpackage generation for RPM 4.14 +- Set the RPM groups correctly for debug{info,source} subpackages +- Drop deprecated and out of date Authors information in description + +------------------------------------------------------------------- +Wed Sep 13 04:13:21 UTC 2017 - glin@suse.com + +- Add shim-back-to-openssl-1.0.2e.patch to avoid rejecting some + legit certificates (bsc#1054712) +- Add the stderr mask back while compiling MokManager.efi since the + warnings in Cryptlib is back after reverting the openssl commits. 
+ +------------------------------------------------------------------- +Tue Aug 29 08:44:25 UTC 2017 - glin@suse.com + +- Add shim-add-fallback-verbose-print.patch to print the debug + messages in fallback.efi dynamically +- Refresh shim-fallback-workaround-masked-ami-variables.patch +- Add shim-more-tpm-measurement.patch to measure more components + and support TPM better + +------------------------------------------------------------------- +Wed Aug 23 10:28:44 UTC 2017 - glin@suse.com + +- Add upstream fixes + + shim-fix-httpboot-crash.patch + + shim-fix-openssl-flags.patch + + shim-fix-fallback-double-free.patch + + shim-fallback-workaround-masked-ami-variables.patch +- Remove the stderr mask while compiling MokManager.efi since the + warnings in Cryptlib were fixed. + +------------------------------------------------------------------- +Tue Aug 22 04:51:08 UTC 2017 - glin@suse.com + +- Add shim-arch-independent-names.patch to use the Arch-independent + names. (bsc#1054712) +- Refresh shim-change-debug-file-path.patch +- Disable shim-opensuse-cert-prompt.patch automatically in SLE +- Diable AArch64 until we have a real user and aarch64 signature + +------------------------------------------------------------------- +Fri Jul 14 16:40:52 UTC 2017 - bwiedemann@suse.com + +- Make build reproducible by avoiding race between find and cp + +------------------------------------------------------------------- +Thu Jun 22 03:26:00 UTC 2017 - glin@suse.com + +- Update to 12 +- Rename the result EFI images due to the upstream name change + + shimx64 -> shim + + mmx64 -> MokManager + + fbx64 -> fallback +- Refresh patches: + + shim-only-os-name.patch + + shim-change-debug-file-path.patch + + shim-opensuse-cert-prompt.patch +- Drop upstreamed patches: + + shim-httpboot-support.patch + + shim-bsc973496-mokmanager-no-append-write.patch + + shim-bsc991885-fix-sig-length.patch + + shim-update-openssl-1.0.2g.patch + + shim-update-openssl-1.0.2h.patch + 
+------------------------------------------------------------------- +Tue May 23 03:44:48 UTC 2017 - glin@suse.com + +- Add the build flag to enable HTTPBoot + +------------------------------------------------------------------- +Wed Mar 22 10:54:41 UTC 2017 - mchang@suse.com + +- shim-install: add option --suse-enable-tpm (fate#315831) + +------------------------------------------------------------------- +Fri Jan 13 09:21:49 UTC 2017 - mchang@suse.com + +- Support %posttrans with marcos provided by update-bootloader-rpm-macros + package (bsc#997317) + +------------------------------------------------------------------- +Fri Nov 18 09:23:01 UTC 2016 - glin@suse.com + +- Add SIGNATURE_UPDATE.txt to state the steps to update + signature-*.asc +- Update the comment of strip_signature.sh + +------------------------------------------------------------------- +Wed Sep 21 09:55:40 UTC 2016 - mchang@suse.com + +- shim-install : + * add option --no-nvram (bsc#999818) + * improve removable media and fallback mode handling + +------------------------------------------------------------------- +Fri Aug 19 06:46:59 UTC 2016 - mchang@suse.com + +- shim-install : fix regression of password prompt (bsc#993764) + +------------------------------------------------------------------- +Fri Aug 5 02:53:54 UTC 2016 - glin@suse.com + +- Add shim-bsc991885-fix-sig-length.patch to fix the signature + length passed to Authenticode (bsc#991885) + +------------------------------------------------------------------- +Wed Aug 3 09:10:25 UTC 2016 - glin@suse.com + +- Update shim-bsc973496-mokmanager-no-append-write.patch to try + append write first + +------------------------------------------------------------------- +Tue Aug 2 02:59:46 UTC 2016 - glin@suse.com + +- Add shim-update-openssl-1.0.2h.patch to update openssl to 1.0.2h +- Bump the requirement of gnu-efi due to the HTTPBoot support + +------------------------------------------------------------------- +Mon Aug 1 09:01:59 UTC 2016 - 
glin@suse.com + +- Add shim-httpboot-support.patch to support HTTPBoot +- Add shim-update-openssl-1.0.2g.patch to update openssl to 1.0.2g + and Cryptlib to 5e2318dd37a51948aaf845c7d920b11f47cdcfe6 +- Drop patches since they are merged into + shim-update-openssl-1.0.2g.patch + + shim-update-openssl-1.0.2d.patch + + shim-gcc5.patch + + shim-bsc950569-fix-cryptlib-va-functions.patch + + shim-fix-aarch64.patch +- Refresh shim-change-debug-file-path.patch +- Add shim-bsc973496-mokmanager-no-append-write.patch to work + around the firmware that doesn't support APPEND_WRITE (bsc973496) +- shim-install : remove '\n' from the help message (bsc#991188) +- shim-install : print a message if there is no valid EFI partition + (bsc#991187) + +------------------------------------------------------------------- +Mon May 9 11:20:56 UTC 2016 - rw@suse.com + +- shim-install : support simple MD RAID1 target devices (FATE#314829) + +------------------------------------------------------------------- +Wed May 4 10:40:52 UTC 2016 - agraf@suse.com + +- Add shim-fix-aarch64.patch to fix compilation on AArch64 (bsc#978438) + +------------------------------------------------------------------- +Wed Mar 9 07:15:52 UTC 2016 - mchang@suse.com + +- shim-install : fix typing ESC can escape to parent config which is + in command mode and cannot return back (bsc#966701) +- shim-install : fix no which command for JeOS (bsc#968264) + +------------------------------------------------------------------- +Thu Dec 3 10:26:14 UTC 2015 - jsegitz@novell.com + +- acquired updated signature from Microsoft + +------------------------------------------------------------------- +Mon Nov 9 08:22:43 UTC 2015 - glin@suse.com + +- Add shim-bsc950569-fix-cryptlib-va-functions.patch to fix the + definition of va functions to avoid the potential crash + (bsc#950569) +- Update shim-opensuse-cert-prompt.patch to avoid setting NULL to + MokListRT (bsc#950801) +- Drop shim-fix-mokmanager-sections.patch as we are using the 
+ newer binutils now +- Refresh shim-change-debug-file-path.patch + +------------------------------------------------------------------- +Thu Oct 8 06:49:43 UTC 2015 - jsegitz@novell.com + +- acquired updated signature from Microsoft + +------------------------------------------------------------------- +Tue Sep 15 05:03:10 UTC 2015 - mchang@suse.com + +- shim-install : set default GRUB_DISTRIBUTOR from /etc/os-release + if it is empty or not set by user (bsc#942519) + +------------------------------------------------------------------- +Thu Jul 16 06:49:01 UTC 2015 - glin@suse.com + +- Add shim-update-openssl-1.0.2d.patch to update openssl to 1.0.2d +- Refresh shim-gcc5.patch and add it back since we really need it +- Add shim-change-debug-file-path.patch to change the debug file + path in shim.efi + + also add the debuginfo and debugsource subpackages +- Drop shim-fix-gnu-efi-30w.patch which is not necessary anymore + +------------------------------------------------------------------- +Mon Jul 6 09:06:02 UTC 2015 - glin@suse.com + +- Update to 0.9 +- Refresh patches + + shim-fix-gnu-efi-30w.patch + + shim-fix-mokmanager-sections.patch + + shim-opensuse-cert-prompt.patch +- Drop upstreamed patches + + shim-bsc920515-fix-fallback-buffer-length.patch + + shim-mokx-support.patch + + shim-update-cryptlib.patch +- Drop shim-bsc919675-uninstall-shim-protocols.patch since + upstream fixed the bug in another way. 
+- Drop shim-gcc5.patch which was fixed in another way + +------------------------------------------------------------------- +Wed Apr 8 07:10:39 UTC 2015 - glin@suse.com + +- Fix tags in the spec file + +------------------------------------------------------------------- +Tue Apr 7 07:42:06 UTC 2015 - glin@suse.com + +- Add shim-update-cryptlib.patch to update Cryptlib to r16559 and + openssl to 0.9.8zf +- Add shim-bsc919675-uninstall-shim-protocols.patch to uninstall + the shim protocols at Exit (bsc#919675) +- Add shim-bsc920515-fix-fallback-buffer-length.patch to adjust + the buffer size for the boot options (bsc#920515) +- Refresh shim-opensuse-cert-prompt.patch + +------------------------------------------------------------------- +Thu Apr 2 16:31:28 UTC 2015 - crrodriguez@opensuse.org + +- shim-gcc5.patch: shim needs -std=gnu89 to build with GCC5 + +------------------------------------------------------------------- +Tue Feb 17 06:02:34 UTC 2015 - mchang@suse.com + +- shim-install : fix cryptodisk installation (boo#917427) + +------------------------------------------------------------------- +Tue Nov 11 04:26:00 UTC 2014 - glin@suse.com + +- Add shim-fix-mokmanager-sections.patch to fix the objcopy + parameters for the EFI files + +------------------------------------------------------------------- +Tue Oct 28 04:00:51 UTC 2014 - glin@suse.com + +- Update to 0.8 +- Add shim-fix-gnu-efi-30w.patch to adapt the change in + gnu-efi-3.0w +- Merge shim-signed-unsigned-compares.patch, + shim-mokmanager-support-sha-family.patch and + shim-bnc863205-mokmanager-fix-hash-delete.patch into + shim-mokx-support.patch +- Refresh shim-opensuse-cert-prompt.patch +- Drop upstreamed patches: shim-update-openssl-0.9.8zb.patch, + bug-889332_shim-overflow.patch, and bug-889332_shim-mok-oob.patch +- Enable aarch64 + +------------------------------------------------------------------- +Mon Oct 13 13:09:14 UTC 2014 - jsegitz@novell.com + +- Fixed buffer overflow and OOB access in 
shim trusted code path + (bnc#889332, CVE-2014-3675, CVE-2014-3676, CVE-2014-3677) + * added bug-889332_shim-mok-oob.patch, bug-889332_shim-overflow.patch +- Added new certificate by Microsoft + +------------------------------------------------------------------- +Wed Sep 3 12:32:25 UTC 2014 - lnussel@suse.de + +- re-introduce build failure if shim_enforce_ms_signature is defined. That way + a project like openSUSE:Factory can decide whether or not shim needs a valid + MS signature. + +------------------------------------------------------------------- +Tue Aug 19 04:38:36 UTC 2014 - glin@suse.com + +- Add shim-update-openssl-0.9.8zb.patch to update openssl to + 0.9.8zb + +------------------------------------------------------------------- +Tue Aug 12 14:19:36 UTC 2014 - jsegitz@suse.com + +- updated shim to new version (OpenSSL 0.9.8za) and requested a new + certificate from Microsoft. Removed + * shim-allow-fallback-use-system-loadimage.patch + * shim-bnc872503-check-key-encoding.patch + * shim-bnc877003-fetch-from-the-same-device.patch + * shim-correct-user_insecure-usage.patch + * shim-fallback-avoid-duplicate-bootorder.patch + * shim-fallback-improve-entries-creation.patch + * shim-fix-dhcpv4-path-generation.patch + * shim-fix-uninitialized-variable.patch + * shim-fix-verify-mok.patch + * shim-get-variable-check.patch + * shim-improve-error-messages.patch + * shim-mokmanager-delete-bs-var-right.patch + * shim-mokmanager-handle-keystroke-error.patch + * shim-remove-unused-variables.patch + since they're included in upstream and rebased the remaining onces. 
+ Added shim-signed-unsigned-compares.patch to fix some compiler + warnings + +------------------------------------------------------------------- +Tue Aug 12 09:18:42 UTC 2014 - glin@suse.com + +- Keep shim-devel.efi for the devel project + +------------------------------------------------------------------- +Fri Aug 8 11:18:36 UTC 2014 - lnussel@suse.de + +- don't fail the build if the UEFI signing service signature can't + be attached anymore. This way shim can still pass through staging + projects. We will verify the correct signature for release builds + using openQA instead. + +------------------------------------------------------------------- +Mon Aug 4 07:53:22 UTC 2014 - mchang@suse.com + +- shim-install: fix GRUB shows broken letters at boot by calling + grub2-install to initialize /boot/grub2 directory with files + needed by grub.cfg (bnc#889765) + +------------------------------------------------------------------- +Wed May 28 04:13:33 UTC 2014 - glin@suse.com + +- Add shim-remove-unused-variables.patch to remove the unused + variables +- Add shim-bnc872503-check-key-encoding.patch to check the encoding + of the keys (bnc#872503) +- Add shim-bnc877003-fetch-from-the-same-device.patch to fetch the + netboot image from the same device (bnc#877003) +- Refresh shim-opensuse-cert-prompt.patch + +------------------------------------------------------------------- +Wed May 14 09:39:02 UTC 2014 - glin@suse.com + +- Use --reinit instead of --refresh in %post to update the files + in /boot + +------------------------------------------------------------------- +Tue Apr 29 07:38:11 UTC 2014 - mchang@suse.com + +- shim-install: fix boot partition and rollback support kluge + (bnc#875385) + +------------------------------------------------------------------- +Thu Apr 10 08:20:20 UTC 2014 - glin@suse.com + +- Replace shim-mokmanager-support-sha1.patch with + shim-mokmanager-support-sha-family.patch to support the SHA + family + 
+------------------------------------------------------------------- +Mon Apr 7 09:32:21 UTC 2014 - glin@suse.com + +- Add shim-mokmanager-support-sha1.patch to support SHA1 hashes in + MOK + +------------------------------------------------------------------- +Mon Mar 31 11:57:13 UTC 2014 - mchang@suse.com + +- snapper rollback support (fate#317062) + - refresh shim-install + +------------------------------------------------------------------- +Thu Mar 13 02:32:15 UTC 2014 - glin@suse.com + +- Insert the right signature (bnc#867974) + +------------------------------------------------------------------- +Mon Mar 10 07:56:44 UTC 2014 - glin@suse.com + +- Add shim-fix-uninitialized-variable.patch to fix the use of + uninitialzed variables in lib + +------------------------------------------------------------------- +Fri Mar 7 09:09:12 UTC 2014 - glin@suse.com + +- Add shim-mokmanager-delete-bs-var-right.patch to delete the BS+NV + variables the right way +- Update shim-opensuse-cert-prompt.patch to delete openSUSE_Verify + correctly + +------------------------------------------------------------------- +Thu Mar 6 07:37:57 UTC 2014 - glin@suse.com + +- Add shim-fallback-avoid-duplicate-bootorder.patch to fix the + duplicate entries in BootOrder +- Add shim-allow-fallback-use-system-loadimage.patch to handle the + shim protocol properly to keep only one protocol entity +- Refresh shim-opensuse-cert-prompt.patch + +------------------------------------------------------------------- +Thu Mar 6 03:53:49 UTC 2014 - mchang@suse.com + +- shim-install: fix the $prefix to use grub2-mkrelpath for paths + on btrfs subvolume (bnc#866690). + +------------------------------------------------------------------- +Tue Mar 4 04:19:05 UTC 2014 - glin@suse.com + +- FATE#315002: Update shim-install to install shim.efi as the EFI + default bootloader when none exists in \EFI\boot. 
+ +------------------------------------------------------------------- +Thu Feb 27 09:46:49 UTC 2014 - fcrozat@suse.com + +- Update signature-sles.asc: shim signed by UEFI signing service, + based on code from "Thu Feb 20 11:57:01 UTC 2014" + +------------------------------------------------------------------- +Fri Feb 21 08:45:46 UTC 2014 - glin@suse.com + +- Add shim-opensuse-cert-prompt.patch to show the prompt to ask + whether the user trusts the openSUSE certificate or not + +------------------------------------------------------------------- +Thu Feb 20 11:57:01 UTC 2014 - lnussel@suse.de + +- allow package to carry multiple signatures +- check correct certificate is embedded + +------------------------------------------------------------------- +Thu Feb 20 10:06:47 UTC 2014 - lnussel@suse.de + +- always clean up generated files that embed certificates + (shim_cert.h shim.cer shim.crt) to make sure next build loop + rebuilds them properly + +------------------------------------------------------------------- +Mon Feb 17 09:58:56 UTC 2014 - glin@suse.com + +- Add shim-bnc863205-mokmanager-fix-hash-delete.patch to fix the + hash deletion operation to avoid ruining the whole list + (bnc#863205) + +------------------------------------------------------------------- +Tue Feb 11 06:30:02 UTC 2014 - glin@suse.com + +- Update shim-mokx-support.patch to support the resetting of MOK + blacklist +- Add shim-get-variable-check.patch to fix the variable checking + in get_variable_attr +- Add shim-fallback-improve-entries-creation.patch to improve the + boot entry pathes and avoid generating the boot entries that + are already there +- Update SUSE certificate +- Update attach_signature.sh, show_hash.sh, strip_signature.sh, + extract_signature.sh and show_signatures.sh to remove the + creation of the temporary nss database +- Add shim-only-os-name.patch: remove the kernel version of the + build server +- Match the the prefix of the project name properly by escaping the + 
percent sign. + +------------------------------------------------------------------- +Wed Jan 22 13:45:44 UTC 2014 - lnussel@suse.de + +- enable signature assertion also in SUSE: hierarchy + +------------------------------------------------------------------- +Fri Dec 6 06:44:43 UTC 2013 - glin@suse.com + +- Add shim-mokmanager-handle-keystroke-error.patch to handle the + error status from ReadKeyStroke to avoid unexpected keys + +------------------------------------------------------------------- +Thu Dec 5 02:05:13 UTC 2013 - glin@suse.com + +- Update to 0.7 +- Add upstream patches: + + shim-fix-verify-mok.patch + + shim-improve-error-messages.patch + + shim-correct-user_insecure-usage.patch + + shim-fix-dhcpv4-path-generation.patch +- Add shim-mokx-support.patch to support the MOK blacklist + (Fate#316531) +- Drop upstreamed patches + + shim-fix-pointer-casting.patch + + shim-merge-lf-loader-code.patch + + shim-fix-simple-file-selector.patch + + shim-mokmanager-support-crypt-hash-method.patch + + shim-bnc804631-fix-broken-bootpath.patch + + shim-bnc798043-no-doulbe-separators.patch + + shim-bnc807760-change-pxe-2nd-loader-name.patch + + shim-bnc808106-correct-certcount.patch + + shim-mokmanager-ui-revamp.patch + + shim-netboot-fixes.patch + + shim-mokmanager-disable-gfx-console.patch +- Drop shim-suse-build.patch: it's not necessary anymore +- Drop shim-bnc841426-silence-shim-protocols.patch: shim is not + verbose by default + +------------------------------------------------------------------- +Thu Oct 31 09:11:18 UTC 2013 - fcrozat@suse.com + +- Update microsoft.asc: shim signed by UEFI signing service, based + on code from "Tue Oct 1 04:29:29 UTC 2013". 
+ +------------------------------------------------------------------- +Tue Oct 1 04:29:29 UTC 2013 - glin@suse.com + +- Add shim-netboot-fixes.patch to include upstream netboot fixes +- Add shim-mokmanager-disable-gfx-console.patch to disable the + graphics console to avoid system hang on some machines +- Add shim-bnc841426-silence-shim-protocols.patch to silence the + shim protocols (bnc#841426) + +------------------------------------------------------------------- +Wed Sep 25 07:17:54 UTC 2013 - glin@suse.com + +- Create boot.csv in ESP for fallback.efi to restore the boot entry + +------------------------------------------------------------------- +Tue Sep 17 10:53:50 CEST 2013 - fcrozat@suse.com + +- Update microsoft.asc: shim signed by UEFI signing service, based + on code from "Fri Sep 6 13:57:36 UTC 2013". +- Improve extract_signature.sh to work on current path. + +------------------------------------------------------------------- +Fri Sep 6 13:57:36 UTC 2013 - lnussel@suse.de + +- set timestamp of PE file to time of the binary the signature was + made for. +- make sure cert.o get's rebuilt for each target + +------------------------------------------------------------------- +Fri Sep 6 11:48:14 CEST 2013 - fcrozat@suse.com + +- Update microsoft.asc: shim signed by UEFI signing service, based + on code from "Wed Aug 28 15:54:38 UTC 2013" + +------------------------------------------------------------------- +Wed Aug 28 15:54:38 UTC 2013 - lnussel@suse.de + +- always build a shim that embeds the distro's certificate (e.g. + shim-opensuse.efi). If the package is built in the devel project + additionally shim-devel.efi is created. That allows us to either + load grub2/kernel signed by the distro or signed by the devel + project, depending on use case. Also shim-$distro.efi from the + devel project can be used to request additional signatures. 
+ +------------------------------------------------------------------- +Wed Aug 28 07:16:51 UTC 2013 - lnussel@suse.de + +- also include old openSUSE 4096 bit certificate to be able to still + boot kernels signed with that key. +- add show_signatures script + +------------------------------------------------------------------- +Tue Aug 27 06:41:03 UTC 2013 - lnussel@suse.de + +- replace the 4096 bit openSUSE UEFI CA certificate with new a + standard compliant 2048 bit one. + +------------------------------------------------------------------- +Tue Aug 20 11:48:25 UTC 2013 - lnussel@suse.de + +- fix shell syntax error + +------------------------------------------------------------------- +Wed Aug 7 15:51:36 UTC 2013 - lnussel@suse.de + +- don't include binary in the sources. Instead package the raw + signature and attach it during build (bnc#813448). + +------------------------------------------------------------------- +Tue Jul 30 07:36:28 UTC 2013 - glin@suse.com + +- Update shim-mokmanager-ui-revamp.patch to include fixes for + MokManager + + reboot the system after clearing MOK password + + fetch more info from X509 name + + check the suffix of the key file + +------------------------------------------------------------------- +Tue Jul 23 03:55:05 UTC 2013 - glin@suse.com + +- Update to 0.4 +- Rebase patches + + shim-suse-build.patch + + shim-mokmanager-support-crypt-hash-method.patch + + shim-bnc804631-fix-broken-bootpath.patch + + shim-bnc798043-no-doulbe-separators.patch + + shim-bnc807760-change-pxe-2nd-loader-name.patch + + shim-bnc808106-correct-certcount.patch + + shim-mokmanager-ui-revamp.patch +- Add patches + + shim-merge-lf-loader-code.patch: merge the Linux Foundation + loader UI code + + shim-fix-pointer-casting.patch: fix a casting issue and the + size of an empty vendor cert + + shim-fix-simple-file-selector.patch: fix the buffer allocation + in the simple file selector +- Remove upstreamed patches + + shim-support-mok-delete.patch + + 
shim-reboot-after-changes.patch + + shim-clear-queued-key.patch + + shim-local-key-sign-mokmanager.patch + + shim-get-2nd-stage-loader.patch + + shim-fix-loadoptions.patch +- Remove unused patch: shim-mokmanager-new-pw-hash.patch and + shim-keep-unsigned-mokmanager.patch +- Install the vendor certificate to /etc/uefi/certs + +------------------------------------------------------------------- +Wed May 8 06:40:12 UTC 2013 - glin@suse.com + +- Add shim-mokmanager-ui-revamp.patch to update the MokManager UI + +------------------------------------------------------------------- +Wed Apr 3 03:54:22 UTC 2013 - glin@suse.com + +- Call update-bootloader in %post to update *.efi in \efi\opensuse + (bnc#813079) + +------------------------------------------------------------------- +Fri Mar 8 06:53:47 UTC 2013 - glin@suse.com + +- Add shim-bnc807760-change-pxe-2nd-loader-name.patch to change the + PXE 2nd stage loader name (bnc#807760) +- Add shim-bnc808106-correct-certcount.patch to correct the + certificate count of the signature list (bnc#808106) + +------------------------------------------------------------------- +Fri Mar 1 10:07:55 UTC 2013 - glin@suse.com + +- Add shim-bnc798043-no-doulbe-separators.patch to remove double + seperators from the bootpath (bnc#798043#c4) + +------------------------------------------------------------------- +Thu Feb 28 08:57:48 UTC 2013 - lnussel@suse.de + +- sign shim also with openSUSE certificate + +------------------------------------------------------------------- +Wed Feb 27 15:52:53 CET 2013 - mls@suse.de + +- identify project, export certificate as DER file +- don't create an unused extra keypair + +------------------------------------------------------------------- +Thu Feb 21 10:08:12 UTC 2013 - glin@suse.com + +- Add shim-bnc804631-fix-broken-bootpath.patch to fix the broken + bootpath generated in generate_path(). 
(bnc#804631) + +------------------------------------------------------------------- +Mon Feb 11 12:15:25 UTC 2013 - fcrozat@suse.com + +- Update with shim signed by UEFI signing service, based on code + from "Thu Feb 7 06:56:19 UTC 2013". + +------------------------------------------------------------------- +Thu Feb 7 13:54:06 UTC 2013 - lnussel@suse.de + +- prepare for having a signed shim from the UEFI signing service + +------------------------------------------------------------------- +Thu Feb 7 06:56:19 UTC 2013 - glin@suse.com + +- Sign shim-opensuse.efi and MokManager.efi with the openSUSE cert +- Add shim-keep-unsigned-mokmanager.patch to keep the unsigned + MokManager and sign it later. + +------------------------------------------------------------------- +Wed Feb 6 06:35:45 UTC 2013 - mchang@suse.com + +- Add shim-install utility +- Add Recommends to grub2-efi + +------------------------------------------------------------------- +Wed Jan 30 09:00:31 UTC 2013 - glin@suse.com + +- Add shim-mokmanager-support-crypt-hash-method.patch to support + password hash from /etc/shadow (FATE#314506) + +------------------------------------------------------------------- +Tue Jan 29 03:20:48 UTC 2013 - glin@suse.com + +- Embed openSUSE-UEFI-CA-Certificate.crt in shim +- Rename shim-unsigned.efi to shim-opensuse.efi. + +------------------------------------------------------------------- +Fri Jan 18 10:06:13 UTC 2013 - glin@suse.com + +- Update shim-mokmanager-new-pw-hash.patch to extend the password + hash format +- Rename shim.efi as shim-unsigned.efi + +------------------------------------------------------------------- +Wed Jan 16 08:01:55 UTC 2013 - glin@suse.com + +- Merge patches for FATE#314506 + + Add shim-support-mok-delete.patch to add support for deleting + specific keys + + Add shim-mokmanager-new-pw-hash.patch to support the new + password hash. 
+- Drop shim-correct-mok-size.patch which is included in + shim-support-mok-delete.patch +- Merge shim-remove-debug-code.patch and + shim-local-sign-mokmanager.patch into + shim-local-key-sign-mokmanager.patch +- Install COPYRIGHT + +------------------------------------------------------------------- +Tue Jan 15 03:17:53 UTC 2013 - glin@suse.com + +- Add shim-fix-loadoptions.patch to adopt the UEFI shell style + LoadOptions (bnc#798043) +- Drop shim-check-pk-kek.patch since upstream rejected the patch + due to violation of SPEC. +- Install EFI binaries to /usr/lib64/efi + +------------------------------------------------------------------- +Wed Dec 26 07:05:02 UTC 2012 - glin@suse.com + +- Update shim-reboot-after-changes.patch to avoid rebooting the + system after enrolling keys/hashes from the file system +- Add shim-correct-mok-size.patch to correct the size of MOK +- Add shim-clear-queued-key.patch to clear the queued key and show + the menu properly + +------------------------------------------------------------------- +Wed Dec 12 15:16:18 UTC 2012 - fcrozat@suse.com + +- Remove shim-rpmlintrc, it wasn't fixing the error, hide error + stdout to prevent post build check to get triggered by cast + warnings in openSSL code +- Add shim-remove-debug-code.patch: remove debug code + +------------------------------------------------------------------- +Wed Dec 12 04:01:52 UTC 2012 - glin@suse.com + +- Add shim-rpmlintrc to filter 64bit portability errors + +------------------------------------------------------------------- +Tue Dec 11 07:36:32 UTC 2012 - glin@suse.com + +- Add shim-local-sign-mokmanager.patch to create a local certicate + to sign MokManager +- Add shim-get-2nd-stage-loader.patch to get the second stage + loader path from the load options +- Add shim-check-pk-kek.patch to verify EFI images with PK and KEK +- Add shim-reboot-after-changes.patch to reboot the system after + enrolling or erasing keys +- Install the EFI images to /usr/lib64/shim instead 
of the EFI + partition +- Update the mail address of the author + +------------------------------------------------------------------- +Fri Nov 2 08:19:37 UTC 2012 - glin@suse.com + +- Add new package shim 0.2 (FATE#314484) + + It's in fact git 2fd180a92 since there is no tag for 0.2 + diff --git a/shim.spec b/shim.spec new file mode 100644 index 0000000..c293418 --- /dev/null +++ b/shim.spec 
@@ -0,0 +1,379 @@
+#
+# spec file for package shim
+#
+# Copyright (c) 2021 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+# needssslcertforbuild
+
+
+%undefine _debuginfo_subpackages
+%undefine _build_create_debug
+%ifarch aarch64
+%define grubplatform arm64-efi
+%else
+%define grubplatform %{_target_cpu}-efi
+%endif
+%if %{defined sle_version} && 0%{?sle_version} <= 150000
+%define sysefidir /usr/lib64/efi
+%else
+%define sysefibasedir %{_datadir}/efi
+%define sysefidir %{sysefibasedir}/%{_target_cpu}
+%if "%{grubplatform}" == "x86_64-efi" && 0%{?suse_version} < 1600
+# provide compatibility sym-link for residual kiwi, etc.
+%define shim_lib64_share_compat 1
+%endif
+%endif
+
+%if 0%{?suse_version} >= 1600
+%define shim_use_fde_tpm_helper 1
+%endif
+
+Name: shim
+Version: 15.8
+Release: 0
+Summary: UEFI shim loader
+License: BSD-2-Clause
+Group: System/Boot
+URL: https://github.com/rhboot/shim
+Source: %{name}-%{version}.tar.bz2
+# run "extract_signature.sh shim.efi" where shim.efi is the binary
+# with the signature from the UEFI signing service.
+# Note: For signature requesting, check SIGNATURE_UPDATE.txt
+Source1: signature-opensuse.x86_64.asc
+Source2: openSUSE-UEFI-CA-Certificate.crt
+Source3: shim-install
+Source4: SLES-UEFI-CA-Certificate.crt
+Source5: extract_signature.sh
+Source6: attach_signature.sh
+Source7: show_hash.sh
+Source8: show_signatures.sh
+Source9: timestamp.pl
+Source10: strip_signature.sh
+Source11: signature-sles.x86_64.asc
+Source12: signature-opensuse.aarch64.asc
+Source13: signature-sles.aarch64.asc
+Source14: generate-vendor-dbx.sh
+# revoked certificates for dbx
+Source50: revoked-openSUSE-UEFI-SIGN-Certificate-2013-01.crt
+Source51: revoked-openSUSE-UEFI-SIGN-Certificate-2013-08.crt
+Source52: revoked-openSUSE-UEFI-SIGN-Certificate-2020-01.crt
+Source53: revoked-openSUSE-UEFI-SIGN-Certificate-2020-07.crt
+Source54: revoked-openSUSE-UEFI-SIGN-Certificate-2021-05.crt
+Source55: revoked-SLES-UEFI-SIGN-Certificate-2013-01.crt
+Source56: revoked-SLES-UEFI-SIGN-Certificate-2013-04.crt
+Source57: revoked-SLES-UEFI-SIGN-Certificate-2016-02.crt
+Source58: revoked-SLES-UEFI-SIGN-Certificate-2020-07.crt
+Source59: revoked-SLES-UEFI-SIGN-Certificate-2021-05.crt
+###
+Source99: SIGNATURE_UPDATE.txt
+# PATCH-FIX-SUSE shim-arch-independent-names.patch glin@suse.com -- Use the Arch-independent names
+Patch1: shim-arch-independent-names.patch
+# PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch glin@suse.com -- Change the default debug file path
+Patch2: shim-change-debug-file-path.patch
+# PATCH-FIX-SUSE shim-bsc1177315-verify-eku-codesign.patch bsc#1177315 glin@suse.com -- Verify CodeSign in the signer's EKU
+Patch3: shim-bsc1177315-verify-eku-codesign.patch
+# PATCH-FIX-SUSE remove_build_id.patch -- Remove the build ID to make the binary reproducible when building with AArch64 container
+Patch4: remove_build_id.patch
+# PATCH-FIX-SUSE shim-disable-export-vendor-dbx.patch bsc#1185261 glin@suse.com -- Disable exporting vendor-dbx to MokListXRT
+Patch5: shim-disable-export-vendor-dbx.patch
+BuildRequires: dos2unix
+BuildRequires: efitools
+BuildRequires: mozilla-nss-tools
+BuildRequires: openssl >= 0.9.8
+BuildRequires: pesign
+BuildRequires: pesign-obs-integration
+%if 0%{?shim_use_fde_tpm_helper:1}
+BuildRequires: fde-tpm-helper-rpm-macros
+%endif
+%if 0%{?suse_version} > 1320
+BuildRequires: update-bootloader-rpm-macros
+%endif
+%if 0%{?update_bootloader_requires:1}
+%update_bootloader_requires
+%else
+Requires: perl-Bootloader
+%endif
+%if 0%{?fde_tpm_update_requires:1}
+%fde_tpm_update_requires
+%endif
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
+# For shim-install script grub is needed but we also want to use
+# shim for systemd-boot where shim-install is not actually used.
+# Requires: grub2-%{grubplatform}
+Requires: mokutil
+ExclusiveArch: x86_64 aarch64
+
+%description
+shim is a trivial EFI application that, when run, attempts to open and
+execute another application.
+
+%package -n shim-debuginfo
+Summary: UEFI shim loader - debug symbols
+Group: Development/Debug
+
+%description -n shim-debuginfo
+The debug symbols of UEFI shim loader
+
+%package -n shim-debugsource
+Summary: UEFI shim loader - debug source
+Group: Development/Debug
+
+%description -n shim-debugsource
+The source code of UEFI shim loader
+
+%prep
+%autosetup -p1
+
+%build
+# generate the vendor SBAT metadata
+%if 0%{?is_opensuse} == 1 || 0%{?sle_version} == 0
+distro_id="opensuse"
+distro_name="The openSUSE project"
+%else
+distro_id="sle"
+distro_name="SUSE Linux Enterprise"
+%endif
+distro_sbat=1
+sbat="shim.${distro_id},${distro_sbat},${distro_name},%{name},%{version},mail:security@suse.de"
+echo "${sbat}" > data/sbat.vendor.csv
+
+# generate dbx files based on revoked certs
+bash %{_sourcedir}/generate-vendor-dbx.sh %{_sourcedir}/revoked-*.crt
+ls -al *.esl
+
+# first, build MokManager and fallback as they don't depend on a
+# specific certificate
+make RELEASE=0 \
+ MMSTEM=MokManager FBSTEM=fallback \
+ MokManager.efi.debug fallback.efi.debug \
+ MokManager.efi fallback.efi
+# make sure all object files gets rebuilt
+rm -f *.o
+
+# now build variants of shim that embed different certificates
+default=''
+suffixes=(opensuse sles)
+# check whether the project cert is a known one. If it is we build
+# just one shim that embeds this specific cert. If it's a devel
+# project we build all variants to simplify testing.
+if test -e %{_sourcedir}/_projectcert.crt ; then
+ prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash)
+ prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash)
+ opensusesubject=$(openssl x509 -in %{SOURCE2} -noout -subject_hash)
+ slessubject=$(openssl x509 -in %{SOURCE4} -noout -subject_hash)
+ if test "$prjissuer" = "$opensusesubject" ; then
+ suffixes=(opensuse)
+ elif test "$prjissuer" = "$slessubject" ; then
+ suffixes=(sles)
+ elif test "$prjsubject" = "$prjissuer" ; then
+ suffixes=(devel opensuse sles)
+ fi
+fi
+
+for suffix in "${suffixes[@]}"; do
+ if test "$suffix" = "opensuse"; then
+ cert=%{SOURCE2}
+ verify='openSUSE Secure Boot CA1'
+ vendor_dbx='vendor-dbx-opensuse.esl'
+%ifarch x86_64
+ signature=%{SOURCE1}
+%else
+ # AArch64 signature
+ # Disable AArch64 signature attachment temporarily
+ # until we get a real one.
+ # Now, we got a real one. So enable it again.
+ signature=%{SOURCE12}
+%endif
+ elif test "$suffix" = "sles"; then
+ cert=%{SOURCE4}
+ verify='SUSE Linux Enterprise Secure Boot CA1'
+ vendor_dbx='vendor-dbx-opensuse.esl'
+%ifarch x86_64
+ signature=%{SOURCE11}
+%else
+ # AArch64 signature
+ signature=%{SOURCE13}
+%endif
+ elif test "$suffix" = "devel"; then
+ cert=%{_sourcedir}/_projectcert.crt
+ verify=`openssl x509 -in "$cert" -noout -email`
+ vendor_dbx='vendor-dbx.esl'
+ signature=''
+ test -e "$cert" || continue
+ else
+ echo "invalid suffix"
+ false
+ fi
+
+ openssl x509 -in $cert -outform DER -out shim-$suffix.der
+ make RELEASE=0 SHIMSTEM=shim \
+ VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \
+ DEFAULT_LOADER="\\\\\\\\grub.efi" \
+ VENDOR_DBX_FILE=$vendor_dbx \
+ shim.efi.debug shim.efi
+ #
+ # assert correct certificate embedded
+ grep -q "$verify" shim.efi
+ # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
+ chmod 755 %{SOURCE9}
+ # alternative: verify signature
+ #sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi
+ if test -n "$signature"; then
+ head -1 "$signature" > hash1
+ cp shim.efi shim.efi.bak
+ # pe header contains timestamp and checksum. we need to
+ # restore that
+ %{SOURCE9} --set-from-file "$signature" shim.efi
+ pesign -h -P -i shim.efi > hash2
+ cat hash1 hash2
+ if ! cmp -s hash1 hash2; then
+ echo "ERROR: $suffix binary changed, need to request new signature!"
+%if %{defined shim_enforce_ms_signature} && 0%{?shim_enforce_ms_signature} > 0
+ # compare suffix (sles, opensuse) with distro_id (sle, opensuse)
+ # when hash mismatch and distro_id match with suffix, stop building
+ if test "$suffix" = "$distro_id" || test "$suffix" = "${distro_id}s"; then
+ false
+ fi
+%endif
+ mv shim.efi.bak shim-$suffix.efi
+ rm shim.efi
+ else
+ # attach signature
+ pesign -m "$signature" -i shim.efi -o shim-$suffix.efi
+ rm -f shim.efi
+ fi
+ else
+ mv shim.efi shim-$suffix.efi
+ fi
+ mv shim.efi.debug shim-$suffix.debug
+ # remove the build cert if exists
+ rm -f shim_cert.h shim.cer shim.crt
+ # make sure all object files gets rebuilt
+ rm -f *.o
+done
+
+ln -s shim-${suffixes[0]}.efi shim.efi
+mv shim-${suffixes[0]}.debug shim.debug
+
+# Collect the source for debugsource
+mkdir ../source
+find . \( -name "*.c" -o -name "*.h" \) -type f -exec cp --parents -a {} ../source/ \;
+mv ../source .
+
+%install
+export BRP_PESIGN_FILES='%{sysefidir}/shim*.efi %{sysefidir}/MokManager.efi %{sysefidir}/fallback.efi'
+install -d %{buildroot}/%{sysefidir}
+cp -a shim*.efi %{buildroot}/%{sysefidir}
+install -m 444 shim-*.der %{buildroot}/%{sysefidir}
+install -m 644 MokManager.efi %{buildroot}/%{sysefidir}/MokManager.efi
+install -m 644 fallback.efi %{buildroot}/%{sysefidir}/fallback.efi
+install -d %{buildroot}/%{_sbindir}
+install -m 755 %{SOURCE3} %{buildroot}/%{_sbindir}/
+# install SUSE certificate
+install -d %{buildroot}/%{_sysconfdir}/uefi/certs/
+for file in shim-*.der; do
+ filename=$(echo "$file" | cut -f 1 -d '.')
+ fpr=$(openssl x509 -sha1 -fingerprint -inform DER -noout -in $file | cut -c 18- | cut -d ":" -f 1,2,3,4 | sed 's/://g')
+ install -m 644 $file %{buildroot}/%{_sysconfdir}/uefi/certs/${fpr}-${filename}.crt
+done
+%if %{defined shim_lib64_share_compat}
+ [ "%{sysefidir}" != "/usr/lib64/efi" ] || exit 1
+ # provide compatibility sym-link for residual "consumers"
+ install -d %{buildroot}/usr/lib64/efi
+ ln -srf %{buildroot}/%{sysefidir}/*.efi %{buildroot}/usr/lib64/efi/
+%endif
+
+# install the debug symbols
+install -d %{buildroot}/usr/lib/debug/%{sysefidir}
+install -m 644 shim.debug %{buildroot}/usr/lib/debug/%{sysefidir}
+install -m 644 MokManager.efi.debug %{buildroot}/usr/lib/debug/%{sysefidir}/MokManager.debug
+install -m 644 fallback.efi.debug %{buildroot}/usr/lib/debug/%{sysefidir}/fallback.debug
+
+# install the debug source
+install -d %{buildroot}/usr/src/debug/%{name}-%{version}
+cp -r source/* %{buildroot}/usr/src/debug/%{name}-%{version}
+
+%clean
+%{?buildroot:%__rm -rf "%{buildroot}"}
+
+%post
+%if 0%{?fde_tpm_update_post:1}
+%fde_tpm_update_post shim
+%endif
+
+%if 0%{?update_bootloader_check_type_reinit_post:1}
+%update_bootloader_check_type_reinit_post grub2-efi
+%else
+/sbin/update-bootloader --reinit || true
+%endif
+
+# copy from kernel-scriptlets/cert-script
+is_efi () {
+ local msg rc=0
+# The below statement fails if mokutil isn't installed or UEFI is unsupported.
+# It doesn't fail if UEFI is available but secure boot is off.
+ msg="$(mokutil --sb-state 2>&1)" || rc=$?
+ return $rc
+}
+# run mokutil for setting sbat policy to latest mode
+EFIVARFS=/sys/firmware/efi/efivars
+SBAT_POLICY="$EFIVARFS/SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23"
+if is_efi; then
+ if [ -w $EFIVARFS ] && \
+ [ ! -f "$SBAT_POLICY" ] && \
+ mokutil -h | grep -q "set-sbat-policy"; \
+ then
+ # Only apply CA check on the kernel package certs (bsc#1173115)
+ mokutil --set-sbat-policy latest
+ fi
+fi
+
+%if %{defined update_bootloader_posttrans}
+%posttrans
+%{?update_bootloader_posttrans}
+%{?fde_tpm_update_posttrans}
+%endif
+
+%files
+%defattr(-,root,root)
+%doc COPYRIGHT
+%dir %{?sysefibasedir}
+%dir %{sysefidir}
+%{sysefidir}/shim.efi
+%{sysefidir}/shim-*.efi
+%{sysefidir}/shim-*.der
+%{sysefidir}/MokManager.efi
+%{sysefidir}/fallback.efi
+%{_sbindir}/shim-install
+%dir %{_sysconfdir}/uefi/
+%dir %{_sysconfdir}/uefi/certs/
+%{_sysconfdir}/uefi/certs/*.crt
+%if %{defined shim_lib64_share_compat}
+# provide compatibility sym-link for previous kiwi, etc.
+%dir /usr/lib64/efi
+/usr/lib64/efi/*.efi
+%endif
+
+%files -n shim-debuginfo
+%defattr(-,root,root,-)
+/usr/lib/debug%{sysefidir}/shim.debug
+/usr/lib/debug%{sysefidir}/MokManager.debug
+/usr/lib/debug%{sysefidir}/fallback.debug
+
+%files -n shim-debugsource
+%defattr(-,root,root,-)
+%dir /usr/src/debug/%{name}-%{version}
+/usr/src/debug/%{name}-%{version}/*
+
+%changelog
diff --git a/show_hash.sh b/show_hash.sh
new file mode 100644
index 0000000..a485768
--- /dev/null
+++ b/show_hash.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# show hash of PE binary
+set -e
+
+infile="$1"
+
+if [ -z "$infile" -o ! -e "$infile" ]; then
+ echo "USAGE: $0 file.efi"
+ exit 1
+fi
+
+pesign -h -P -i "$infile"
diff --git a/show_signatures.sh b/show_signatures.sh
new file mode 100644
index 0000000..ab9acdb
--- /dev/null
+++ b/show_signatures.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# show signatures on a PE binary
+set -e
+
+infile="$1"
+
+if [ -z "$infile" -o ! -e "$infile" ]; then
+ echo "USAGE: $0 file.efi"
+ exit 1
+fi
+
+pesign -S -i "$infile"
diff --git a/signature-opensuse.aarch64.asc b/signature-opensuse.aarch64.asc
new file mode 100644
index 0000000..66ebf7d
--- /dev/null
+++ b/signature-opensuse.aarch64.asc
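Review bot: In the `%build` loop the `sles` branch sets `vendor_dbx='vendor-dbx-opensuse.esl'`, the same file the `opensuse` branch uses, so shim-sles.efi is built with the openSUSE revocation list as `VENDOR_DBX_FILE`. generate-vendor-dbx.sh is not visible here, but it is fed both the revoked-openSUSE-* and revoked-SLES-* certificates (Source50 to Source59); if it writes a separate SLES list, the revoked SLES signing certificates never reach the vendor dbx of the SLES shim. The assignment should name that list, e.g. `vendor_dbx='<SLES .esl written by generate-vendor-dbx.sh>'`, or carry a comment saying why sharing the openSUSE file is intended. Separately, in `%post` the comment `# Only apply CA check on the kernel package certs (bsc#1173115)` above `mokutil --set-sbat-policy latest` describes a different script; `# set the SBAT policy only when no SbatPolicy variable exists yet` would match the code.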
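Review bot: The argument check `[ -z "$infile" -o ! -e "$infile" ]` in show_hash.sh uses the `-o` operator inside `[ ]`, which POSIX marks obsolescent and which can misparse when an operand looks like an operator; under `#!/bin/bash` it reads better as `if [[ -z $infile || ! -e $infile ]]; then`. The usage text is also printed to stdout although the script exits 1, so `echo "USAGE: $0 file.efi" >&2` keeps it out of captured output. show_signatures.sh carries the identical check and message and needs the same two changes.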
@@ -0,0 +1,210 @@ +hash: 15854cd77be6b61bb6d22b4d448fe9b2d5d06dfa67d8161b6497e10af5b1bfb3 +# 1970-01-01 00:00:00 +timestamp: 0 +linker: 2902 +checksum: e2b1 +-----BEGIN AUTHENTICODE SIGNATURE----- +MIIl/AYJKoZIhvcNAQcCoIIl7TCCJekCAQExDzANBglghkgBZQMEAgEFADBcBgor +BgEEAYI3AgEEoE4wTDAXBgorBgEEAYI3AgEPMAkDAQCgBKICgAAwMTANBglghkgB +ZQMEAgEFAAQgFYVM13vmthu20itNRI/pstXQbfpn2BYbZJfhCvWxv7OgggszMIIF +GzCCBAOgAwIBAgITMwAAAF4N6/Cb7d174QABAAAAXjANBgkqhkiG9w0BAQsFADCB +gTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl +ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMi +TWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTAeFw0yMzEwMTkxOTUz +MjNaFw0yNDEwMTYxOTUzMjNaMIGGMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz +aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv +cnBvcmF0aW9uMTAwLgYDVQQDEydNaWNyb3NvZnQgV2luZG93cyBVRUZJIERyaXZl +ciBQdWJsaXNoZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzpvyW +cc7Gs+Ea6UCnwbKrckBd4Q7X4TqLmyMXmzQ0qR3SXfpXij+zVEgVsEiZu/q2EpK0 +yMFaXzI2XRxUEh4OUvEr/YxnOIf4RC2LBhrMtGgxRgtsquEcYqpmpwD0/55+CAGt +Ro1lBKt6xjNg94JoiTyO06zfNsSU8XbAWKH/D6yNhmJy2sx8LCOzQ84FrnUw8WX5 +qrYMxn098IVb7OWiT77OZDfQAacxPmjCl1Mu0B97JbkSXJQjC9i6bojYQiyj644u +l/AZ0PNQnsskHt3wRCWbt6JeJoBvZ1AfyB18YZlSTErrsLWMMdskxjDxaPQZ89np +hh8x1pp4s+rRydvnAgMBAAGjggGDMIIBfzAfBgNVHSUEGDAWBgorBgEEAYI3UAIB +BggrBgEFBQcDAzAdBgNVHQ4EFgQUlfB5rBZSx3/3mPyB55Q8ze/1EU8wVAYDVR0R +BE0wS6RJMEcxLTArBgNVBAsTJE1pY3Jvc29mdCBJcmVsYW5kIE9wZXJhdGlvbnMg +TGltaXRlZDEWMBQGA1UEBRMNMjI5OTExKzUwMTY1NzAfBgNVHSMEGDAWgBQTrb9D +Cb2CcJyM1U8xbtUimIob1DBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vd3d3Lm1p +Y3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNDb3JVRUZDQTIwMTFfMjAxMS0wNi0y +Ny5jcmwlMjAwYAYIKwYBBQUHAQEEVDBSMFAGCCsGAQUFBzAChkRodHRwOi8vd3d3 +Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvclVFRkNBMjAxMV8yMDEx +LTA2LTI3LmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQAbF+I8 +wqogC0dVERcDh9mPeIvBJ0MJAYE7RraCaQHgjl8vQi8X1yB8o/xzzP7vTJWxdHLx +uuVLIZMGW922OtA5zth05/mwOwYJClf5IEpj7lAYYDAFYLy4Q7amg0s13bFnpwJx 
+h4pNfvoZYaGpQw5HOTTz8fAZW5U61Kcbvy5sjbfKWJMxyD6GP1B8CkWHXsc5OdxU +y+GvmwuguWtgW7MNFOTxxccPocRo7/KKhTL68jZysOPdEyCbLnuiICwowAK2GHCh +cdxsOKwu/Lqb+rbJEv+Tj8aFNyuymDw6CYl/cfwbBrlh7EWB9Tr2bp8HRCYgZDC7 +/3VMVGyApvwRUC4VMIIGEDCCA/igAwIBAgIKYQjTxAAAAAAABDANBgkqhkiG9w0B +AQsFADCBkTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNV +BAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjE7MDkG +A1UEAxMyTWljcm9zb2Z0IENvcnBvcmF0aW9uIFRoaXJkIFBhcnR5IE1hcmtldHBs +YWNlIFJvb3QwHhcNMTEwNjI3MjEyMjQ1WhcNMjYwNjI3MjEzMjQ1WjCBgTELMAkG +A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx +HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMiTWljcm9z +b2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAKUIbEzHRQlqSwykwId/BnUMQwFUZOAWfwftkn0LsnO/DArG +SkVhoMUWLZbT9Sug+01Jm0GAkDy5VP3mvNGdxKQYin9BilxZg2gyu4xHye5xvCFP +mop8/0Q/jY8ysiZIrnW17slMHkoZfuSCmh14d00MsL32D9MW07z6K6VROF31+7rb +eALb/+wKG5bVg7gZE+m2wHtAe+EfKCfJ+u9WXhzmfpR+wPBEsnk55dqyYotNvzhw +4mgkFMkzpAg31VhpXtN87cEEUwjnTrAqh2MIYW9jFVnqsit51wxhZ4pb/V6th3+6 +hmdPcVgSIgQiIs6L71RxAM5QNVh2lQjuarGiAdUCAwEAAaOCAXYwggFyMBIGCSsG +AQQBgjcVAQQFAgMBAAEwIwYJKwYBBAGCNxUCBBYEFPjBa7d/d1NK8yU3HU6hJnsP +IHCAMB0GA1UdDgQWBBQTrb9DCb2CcJyM1U8xbtUimIob1DAZBgkrBgEEAYI3FAIE +DB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNV +HSMEGDAWgBRFZlJD4X5YEb/WTp4jVQg7OiJqqDBcBgNVHR8EVTBTMFGgT6BNhkto +dHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNDb3JU +aGlQYXJNYXJSb29fMjAxMC0xMC0wNS5jcmwwYAYIKwYBBQUHAQEEVDBSMFAGCCsG +AQUFBzAChkRodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY0Nv +clRoaVBhck1hclJvb18yMDEwLTEwLTA1LmNydDANBgkqhkiG9w0BAQsFAAOCAgEA +NQhC/zDMzvd2DK0QaFg1KUYydid87xJBJ0IbSqptgThIWRNV8+lYNKYWC4KqXa2C +2oCDQQaPtB3yA7nzGl0b8VCQ+bNVhEIoHCC9sq5RFMXArJeVIRyQ2w/8d56Vc5GI +yr29UrkFUA3fV56gYe0N5W0l2UAPF0DIzqNKwk2vmhIdCFSPvce8uSs9SSsfMvxq +IWlPm8h+QjT8NgYXi48gQMCzmiV1J83JA6P2XdHnNlR6uVC10xLRB7+7dN/cHo+A +1e0Y9C8UFmsv3maMsCPlx4TY7erBM4KtVksYLfFolQfNz/By8K673YaFmCwhTDMr 
+8A9K8GiHtZJVMnWhaoJqPKMlEaTtrdcErsvYQFmghNGVTGKRIhp0HYw9Rw5EpuSw +mzQ1sfq2U6gsgeykBXHInbi66BtEZuRHVA6OVn+znxaYsobQaD6QI7UvXo9QhY3G +jYJfQaH0Lg3gmdJsdeS2abUhhvoH0fbiTdHarSx3Ux4lMjfHbFJylYaw8TVhahn1 +sjuBUFamMi3+oon5QoYnGFWhgspam/gwmFQUpkeWJS/IJuRBlBpcAj/lluOFWzw+ +P7tHFnJV4iUisdl75wMGKqP3HpBGwwAN1hmJ4w41J2IDcRWm79AnoKBZN2D4OJS4 +4Hhw+LpMhoeU9uCuAkXuZcK2o35pFnUHkpv1prxZg1gxgho8MIIaOAIBATCBmTCB +gTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl +ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMi +TWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMQITMwAAAF4N6/Cb7d17 +4QABAAAAXjANBglghkgBZQMEAgEFAKCB3DAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC +NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx +IgQgdd6O5OEsvX0UU4vyeSu44XBSQRO/CoXFU+Q16f3KizEwcAYKKwYBBAGCNwIB +DDFiMGCgMoAwAFMAVQBTAEUAIABMAGkAbgB1AHgAIABQAHIAbwBkAHUAYwB0AHMA +IABHAG0AYgBIoSqAKGh0dHBzOi8vd3d3Lm1pY3Jvc29mdC5jb20vZW4tdXMvd2lu +ZG93cyAwDQYJKoZIhvcNAQEBBQAEggEANynVV3RYU3XrN2kuW5q48FQdL6+9XreN +YTq+i6An7ocXv4UjRtYxwYbtU7SMy/qrFYwAT9cj4HVREs34FNvXeYejGxDyxxD6 +0pgVKcaQ3w+3EtszP0a8l7ahRZzDbPwxOmzPzLlK6dB7t9WUBFPEHN4j2kap7p1x +B7hdYcY7R8EH9svUpkGBAJ4/5uzmin+NUx80qXRIgsXqNScyVewef5FPgoANbD6x +QQ3UHeMNbA1ByThJoLG1Fiui2/FespBytRlyrU+ACJ+b5Q1evQBW4M6JD8j3vvvx +ZCRv4QhRUcqDgtN4n34V8bEyVyg2uCDc2W4YKs6hHyEQed1mb9pubqGCF5QwgheQ +BgorBgEEAYI3AwMBMYIXgDCCF3wGCSqGSIb3DQEHAqCCF20wghdpAgEDMQ8wDQYJ +YIZIAWUDBAIBBQAwggFSBgsqhkiG9w0BCRABBKCCAUEEggE9MIIBOQIBAQYKKwYB +BAGEWQoDATAxMA0GCWCGSAFlAwQCAQUABCBH+zcM3Y8L8q9zybET5lorN3TWvV09 +WbQ2Z9foWEPK+AIGZkYjrOQ7GBMyMDI0MDYwNDIzMjMwOC43MjRaMASAAgH0oIHR +pIHOMIHLMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE +BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYD +VQQLExxNaWNyb3NvZnQgQW1lcmljYSBPcGVyYXRpb25zMScwJQYDVQQLEx5uU2hp +ZWxkIFRTUyBFU046N0YwMC0wNUUwLUQ5NDcxJTAjBgNVBAMTHE1pY3Jvc29mdCBU +aW1lLVN0YW1wIFNlcnZpY2WgghHqMIIHIDCCBQigAwIBAgITMwAAAfAqfB1ZO+Yf +rQABAAAB8DANBgkqhkiG9w0BAQsFADB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMK 
+V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0 +IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0Eg +MjAxMDAeFw0yMzEyMDYxODQ1NTFaFw0yNTAzMDUxODQ1NTFaMIHLMQswCQYDVQQG +EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG +A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQLExxNaWNyb3NvZnQg +QW1lcmljYSBPcGVyYXRpb25zMScwJQYDVQQLEx5uU2hpZWxkIFRTUyBFU046N0Yw +MC0wNUUwLUQ5NDcxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZp +Y2UwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC1Hi1Tozh3O0czE8xf +RnrymlJNCaGWommPy0eINf+4EJr7rf8tSzlgE8Il4Zj48T5fTTOAh6nITRf2lK7+ +upcnZ/xg0AKoDYpBQOWrL9ObFShylIHfr/DQ4PsRX8GRtInuJsMkwSg63bfB4Q2U +ikMEP/CtZHi8xW5XtAKp95cs3mvUCMvIAA83Jr/UyADACJXVU4maYisczUz7J111 +eD1KrG9mQ+ITgnRR/X2xTDMCz+io8ZZFHGwEZg+c3vmPp87m4OqOKWyhcqMUupPv +eO/gQC9Rv4szLNGDaoePeK6IU0JqcGjXqxbcEoS/s1hCgPd7Ux6YWeWrUXaxbb+J +osgOazUgUGs1aqpnLjz0YKfUqn8i5TbmR1dqElR4QA+OZfeVhpTonrM4sE/MlJ1J +LpR2FwAIHUeMfotXNQiytYfRBUOJHFeJYEflZgVk0Xx/4kZBdzgFQPOWfVd2NozX +lC2epGtUjaluA2osOvQHZzGOoKTvWUPX99MssGObO0xJHd0DygP/JAVp+bRGJqa2 +u7AqLm2+tAT26yI5veccDmNZsg3vDh1HcpCJa9QpRW/MD3a+AF2ygV1sRnGVUVG3 +VODX3BhGT8TMU/GiUy3h7ClXOxmZ+weCuIOzCkTDbK5OlAS8qSPpgp+XGlOLEPaM +31Mgf6YTppAaeP0ophx345ohtwIDAQABo4IBSTCCAUUwHQYDVR0OBBYEFNCCsqdX +Ry/MmjZGVTAvx7YFWpslMB8GA1UdIwQYMBaAFJ+nFV0AXmJdg/Tl0mWnG1M1Gely +MF8GA1UdHwRYMFYwVKBSoFCGTmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lv +cHMvY3JsL01pY3Jvc29mdCUyMFRpbWUtU3RhbXAlMjBQQ0ElMjAyMDEwKDEpLmNy +bDBsBggrBgEFBQcBAQRgMF4wXAYIKwYBBQUHMAKGUGh0dHA6Ly93d3cubWljcm9z +b2Z0LmNvbS9wa2lvcHMvY2VydHMvTWljcm9zb2Z0JTIwVGltZS1TdGFtcCUyMFBD +QSUyMDIwMTAoMSkuY3J0MAwGA1UdEwEB/wQCMAAwFgYDVR0lAQH/BAwwCgYIKwYB +BQUHAwgwDgYDVR0PAQH/BAQDAgeAMA0GCSqGSIb3DQEBCwUAA4ICAQA4IvSbnr4j +EPgo5W4xj3/+0dCGwsz863QGZ2mB9Z4SwtGGLMvwfsRUs3NIlPD/LsWAxdVYHklA +zwLTwQ5M+PRdy92DGftyEOGMHfut7Gq8L3RUcvrvr0AL/NNtfEpbAEkCFzseextY +5s3hzj3rX2wvoBZm2ythwcLeZmMgHQCmjZp/20fHWJgrjPYjse6RDJtUTlvUsjr+ +878/t+vrQEIqlmebCeEi+VQVxc7wF0LuMTw/gCWdcqHoqL52JotxKzY8jZSQ7ccN 
+HhC4eHGFRpaKeiSQ0GXtlbGIbP4kW1O3JzlKjfwG62NCSvfmM1iPD90XYiFm7/8m +gR16AmqefDsfjBCWwf3qheIMfgZzWqeEz8laFmM8DdkXjuOCQE/2L0TxhrjUtdMk +ATfXdZjYRlscBDyr8zGMlprFC7LcxqCXlhxhtd2CM+mpcTc8RB2D3Eor0UdoP36Q +9r4XWCVV/2Kn0AXtvWxvIfyOFm5aLl0eEzkhfv/XmUlBeOCElS7jdddWpBlQjJuH +HUHjOVGXlrJT7X4hicF1o23x5U+j7qPKBceryP2/1oxfmHc6uBXlXBKukV/QCZBV +AiBMYJhnktakWHpo9uIeSnYT6Qx7wf2RauYHIER8SLRmblMzPOs+JHQzrvh7xStx +310LOp+0DaOXs8xjZvhpn+WuZij5RmZijDCCB3EwggVZoAMCAQICEzMAAAAVxedr +ngKbSZkAAAAAABUwDQYJKoZIhvcNAQELBQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYD +VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy +b3NvZnQgQ29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBSb290IENlcnRp +ZmljYXRlIEF1dGhvcml0eSAyMDEwMB4XDTIxMDkzMDE4MjIyNVoXDTMwMDkzMDE4 +MzIyNVowfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNV +BAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQG +A1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAwggIiMA0GCSqGSIb3 +DQEBAQUAA4ICDwAwggIKAoICAQDk4aZM57RyIQt5osvXJHm9DtWC0/3unAcH0qls +TnXIyjVX9gF/bErg4r25PhdgM/9cT8dm95VTcVrifkpa/rg2Z4VGIwy1jRPPdzLA +EBjoYH1qUoNEt6aORmsHFPPFdvWGUNzBRMhxXFExN6AKOG6N7dcP2CZTfDlhAnrE +qv1yaa8dq6z2Nr41JmTamDu6GnszrYBbfowQHJ1S/rboYiXcag/PXfT+jlPP1uyF +Vk3v3byNpOORj7I5LFGc6XBpDco2LXCOMcg1KL3jtIckw+DJj361VI/c+gVVmG1o +O5pGve2krnopN6zL64NF50ZuyjLVwIYwXE8s4mKyzbnijYjklqwBSru+cakXW2dg +3viSkR4dPf0gz3N9QZpGdc3EXzTdEonW/aUgfX782Z5F37ZyL9t9X4C626p+Nuw2 +TPYrbqgSUei/BQOj0XOmTTd0lBw0gg/wEPK3Rxjtp+iZfD9M269ewvPV2HM9Q07B +MzlMjgK8QmguEOqEUUbi0b1qGFphAXPKZ6Je1yh2AuIzGHLXpyDwwvoSCtdjbwzJ +NmSLW6CmgyFdXzB0kZSU2LlQ+QuJYfM2BjUYhEfb3BvR/bLUHMVr9lxSUV0S2yW6 +r1AFemzFER1y7435UsSFF5PAPBXbGjfHCBUYP3irRbb1Hode2o+eFnJpxq57t7c+ +auIurQIDAQABo4IB3TCCAdkwEgYJKwYBBAGCNxUBBAUCAwEAATAjBgkrBgEEAYI3 +FQIEFgQUKqdS/mTEmr6CkTxGNSnPEP8vBO4wHQYDVR0OBBYEFJ+nFV0AXmJdg/Tl +0mWnG1M1GelyMFwGA1UdIARVMFMwUQYMKwYBBAGCN0yDfQEBMEEwPwYIKwYBBQUH +AgEWM2h0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvRG9jcy9SZXBvc2l0 +b3J5Lmh0bTATBgNVHSUEDDAKBggrBgEFBQcDCDAZBgkrBgEEAYI3FAIEDB4KAFMA 
+dQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAW +gBTV9lbLj+iiXGJo0T2UkFvXzpoYxDBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8v +Y3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXRf +MjAxMC0wNi0yMy5jcmwwWgYIKwYBBQUHAQEETjBMMEoGCCsGAQUFBzAChj5odHRw +Oi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dF8yMDEw +LTA2LTIzLmNydDANBgkqhkiG9w0BAQsFAAOCAgEAnVV9/Cqt4SwfZwExJFvhnnJL +/Klv6lwUtj5OR2R4sQaTlz0xM7U518JxNj/aZGx80HU5bbsPMeTCj/ts0aGUGCLu +6WZnOlNN3Zi6th542DYunKmCVgADsAW+iehp4LoJ7nvfam++Kctu2D9IdQHZGN5t +ggz1bSNU5HhTdSRXud2f8449xvNo32X2pFaq95W2KFUn0CS9QKC/GbYSEhFdPSfg +QJY4rPf5KYnDvBewVIVCs/wMnosZiefwC2qBwoEZQhlSdYo2wh3DYXMuLGt7bj8s +CXgU6ZGyqVvfSaN0DLzskYDSPeZKPmY7T7uG+jIa2Zb0j/aRAfbOxnT99kxybxCr +dTDFNLB62FD+CljdQDzHVG2dY3RILLFORy3BFARxv2T5JL5zbcqOCb2zAVdJVGTZ +c9d/HltEAY5aGZFrDZ+kKNxnGSgkujhLmm77IVRrakURR6nxt67I6IleT53S0Ex2 +tVdUCbFpAUR+fKFhbHP+CrvsQWY9af3LwUFJfn6Tvsv4O+S3Fb+0zj6lMVGEvL8C +wYKiexcdFYmNcP7ntdAoGokLjzbaukz5m/8K6TT4JDVnK+ANuOaMmdbhIurwJ0I9 +JZTmdHRbatGePu1+oDEzfbzL6Xu/OHBE0ZDxyKs6ijoIYn/ZcGNTTY3ugm2lBRDB +cQZqELQdVTNYs6FwZvKhggNNMIICNQIBATCB+aGB0aSBzjCByzELMAkGA1UEBhMC +VVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNV +BAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjElMCMGA1UECxMcTWljcm9zb2Z0IEFt +ZXJpY2EgT3BlcmF0aW9uczEnMCUGA1UECxMeblNoaWVsZCBUU1MgRVNOOjdGMDAt +MDVFMC1EOTQ3MSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNl +oiMKAQEwBwYFKw4DAhoDFQDCKAZKKv5lsdC2yoMGKYiQy79p/6CBgzCBgKR+MHwx +CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt +b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1p +Y3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwMA0GCSqGSIb3DQEBCwUAAgUA6gmt +WzAiGA8yMDI0MDYwNDE1MTIyN1oYDzIwMjQwNjA1MTUxMjI3WjB0MDoGCisGAQQB +hFkKBAExLDAqMAoCBQDqCa1bAgEAMAcCAQACAiULMAcCAQACAhPVMAoCBQDqCv7b +AgEAMDYGCisGAQQBhFkKBAIxKDAmMAwGCisGAQQBhFkKAwKgCjAIAgEAAgMHoSCh +CjAIAgEAAgMBhqAwDQYJKoZIhvcNAQELBQADggEBAHolMT4L9I0SutF3YnhwNYu2 +YXSXlO/SBw+kSGfZhsd2dAMl/EwPJX6NOt40bMi38USPjMpVJYBat6ct4JqeWnMl 
+lulwgq/KAfBwFAaETmoV48HmxyfO99F1u5YRUvemd9+U7W0MPeXjkaDz25qpfhha +tU14R7nLfXtDLSGxaVeQLyR8ouW+XTuyUuEObm9kHRZ2msZWIOUH0mQE8rQJNxAW +Ehv4dVBJKvO6k8TbPNV6r5mBm1QXi1l6vDohjKyGNHyykorqXd8wmdiaouPXTuGF +iq4thVMWSCYThT85O8p/l7laCjm+GQ4ks1qCzABczTL/2LEp9u2e4Q/TUmH63n8x +ggQNMIIECQIBATCBkzB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3Rv +bjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0 +aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMAITMwAA +AfAqfB1ZO+YfrQABAAAB8DANBglghkgBZQMEAgEFAKCCAUowGgYJKoZIhvcNAQkD +MQ0GCyqGSIb3DQEJEAEEMC8GCSqGSIb3DQEJBDEiBCCytUxVcGL6Gu6+Fd5gOmD8 +Z/fWSBbY6FqGCJZeKQR2wTCB+gYLKoZIhvcNAQkQAi8xgeowgecwgeQwgb0EIFwB +mqOlcv3kU7mAB5sWR74QFAiS6mb+CM6asnFAZUuLMIGYMIGApH4wfDELMAkGA1UE +BhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAc +BgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0 +IFRpbWUtU3RhbXAgUENBIDIwMTACEzMAAAHwKnwdWTvmH60AAQAAAfAwIgQgRo6b +vZCcjM/SRxVihFUomVuIknAPbYj/yyQL+Bp0NeswDQYJKoZIhvcNAQELBQAEggIA +paEygUmyjWVAYjiGQU+zKcghm+zdl5BLreyE6+hbSaJDyuCIBZ0YSlfXbr3z5cJx +Ug/dw1qlobSkToQ7TunKq2gQRROZxjxB2yIVyL+O5DgV9KDikgNCJrrOERrC1de8 +ovDpqlChsBjotatUtkrNynrV298WcYll8KWAAP0EE+BGc9oVFCTE9WXvidcc19y4 +1NijUGEdV4c+t2pjY3vehramPT8aDcHBFGx1WKEZsjjNtNDnvWeyLCZ42MjAzD1l +2ITVRLVdEXx9n0TH5VHRCaHT85f2IIj3mbKCSmkxZdl2T7H2VD8NJvJhEWgIpDIj +sbRU4tatbNyByU/bPcPepXH37q9IxhCG9lNDgbauZcxLqHlp9LwXFFZriG23ok9j +uYoOLoPeFO3P6lI6sSsc9z7T86APzmg1L/GZP3wJUAkSGOLVyszWJtRyB1cPvfxN +JzLTqyLO2JkcJ4KyXAWXZK3Feeg+QPXinDkVwE22W2K3mS7V9S1MDlyoLjkYK5dG +jMvc6fyO+8NOujjsLCaLHsyQdWDgTsFbjbW07beBbwrIZykc2lT/2n+5iN6fHjHd +gThwqZ6wGvnyGr7zFIwJ6GqrTCd0kd4mIxSWD6daciTLy9J22sAywF77FjPOs5sF +5jUQbZ2ovnImA2QW96pcdlUT+bZTu2PhTFfQ/X+NX+g= +-----END AUTHENTICODE SIGNATURE----- diff --git a/signature-opensuse.x86_64.asc b/signature-opensuse.x86_64.asc new file mode 100644 index 0000000..341ffd0 --- /dev/null +++ b/signature-opensuse.x86_64.asc 
@@ -0,0 +1,208 @@ +hash: 211669e51a5e8c2315afe7a978740a972d721116ab81cbe384f993301ecde884 +# 1970-01-01 00:00:00 +timestamp: 0 +linker: 2902 +checksum: 8a95 +-----BEGIN AUTHENTICODE SIGNATURE----- +MIIlkQYJKoZIhvcNAQcCoIIlgjCCJX4CAQExDzANBglghkgBZQMEAgEFADBcBgor +BgEEAYI3AgEEoE4wTDAXBgorBgEEAYI3AgEPMAkDAQCgBKICgAAwMTANBglghkgB +ZQMEAgEFAAQgIRZp5RpejCMVr+epeHQKly1yERargcvjhPmTMB7N6ISgggszMIIF +GzCCBAOgAwIBAgITMwAAAF4N6/Cb7d174QABAAAAXjANBgkqhkiG9w0BAQsFADCB +gTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl +ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMi +TWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTAeFw0yMzEwMTkxOTUz +MjNaFw0yNDEwMTYxOTUzMjNaMIGGMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz +aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv +cnBvcmF0aW9uMTAwLgYDVQQDEydNaWNyb3NvZnQgV2luZG93cyBVRUZJIERyaXZl +ciBQdWJsaXNoZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzpvyW +cc7Gs+Ea6UCnwbKrckBd4Q7X4TqLmyMXmzQ0qR3SXfpXij+zVEgVsEiZu/q2EpK0 +yMFaXzI2XRxUEh4OUvEr/YxnOIf4RC2LBhrMtGgxRgtsquEcYqpmpwD0/55+CAGt +Ro1lBKt6xjNg94JoiTyO06zfNsSU8XbAWKH/D6yNhmJy2sx8LCOzQ84FrnUw8WX5 +qrYMxn098IVb7OWiT77OZDfQAacxPmjCl1Mu0B97JbkSXJQjC9i6bojYQiyj644u +l/AZ0PNQnsskHt3wRCWbt6JeJoBvZ1AfyB18YZlSTErrsLWMMdskxjDxaPQZ89np +hh8x1pp4s+rRydvnAgMBAAGjggGDMIIBfzAfBgNVHSUEGDAWBgorBgEEAYI3UAIB +BggrBgEFBQcDAzAdBgNVHQ4EFgQUlfB5rBZSx3/3mPyB55Q8ze/1EU8wVAYDVR0R +BE0wS6RJMEcxLTArBgNVBAsTJE1pY3Jvc29mdCBJcmVsYW5kIE9wZXJhdGlvbnMg +TGltaXRlZDEWMBQGA1UEBRMNMjI5OTExKzUwMTY1NzAfBgNVHSMEGDAWgBQTrb9D +Cb2CcJyM1U8xbtUimIob1DBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vd3d3Lm1p +Y3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNDb3JVRUZDQTIwMTFfMjAxMS0wNi0y +Ny5jcmwlMjAwYAYIKwYBBQUHAQEEVDBSMFAGCCsGAQUFBzAChkRodHRwOi8vd3d3 +Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvclVFRkNBMjAxMV8yMDEx +LTA2LTI3LmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQAbF+I8 +wqogC0dVERcDh9mPeIvBJ0MJAYE7RraCaQHgjl8vQi8X1yB8o/xzzP7vTJWxdHLx +uuVLIZMGW922OtA5zth05/mwOwYJClf5IEpj7lAYYDAFYLy4Q7amg0s13bFnpwJx 
+h4pNfvoZYaGpQw5HOTTz8fAZW5U61Kcbvy5sjbfKWJMxyD6GP1B8CkWHXsc5OdxU +y+GvmwuguWtgW7MNFOTxxccPocRo7/KKhTL68jZysOPdEyCbLnuiICwowAK2GHCh +cdxsOKwu/Lqb+rbJEv+Tj8aFNyuymDw6CYl/cfwbBrlh7EWB9Tr2bp8HRCYgZDC7 +/3VMVGyApvwRUC4VMIIGEDCCA/igAwIBAgIKYQjTxAAAAAAABDANBgkqhkiG9w0B +AQsFADCBkTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNV +BAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjE7MDkG +A1UEAxMyTWljcm9zb2Z0IENvcnBvcmF0aW9uIFRoaXJkIFBhcnR5IE1hcmtldHBs +YWNlIFJvb3QwHhcNMTEwNjI3MjEyMjQ1WhcNMjYwNjI3MjEzMjQ1WjCBgTELMAkG +A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx +HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMiTWljcm9z +b2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAKUIbEzHRQlqSwykwId/BnUMQwFUZOAWfwftkn0LsnO/DArG +SkVhoMUWLZbT9Sug+01Jm0GAkDy5VP3mvNGdxKQYin9BilxZg2gyu4xHye5xvCFP +mop8/0Q/jY8ysiZIrnW17slMHkoZfuSCmh14d00MsL32D9MW07z6K6VROF31+7rb +eALb/+wKG5bVg7gZE+m2wHtAe+EfKCfJ+u9WXhzmfpR+wPBEsnk55dqyYotNvzhw +4mgkFMkzpAg31VhpXtN87cEEUwjnTrAqh2MIYW9jFVnqsit51wxhZ4pb/V6th3+6 +hmdPcVgSIgQiIs6L71RxAM5QNVh2lQjuarGiAdUCAwEAAaOCAXYwggFyMBIGCSsG +AQQBgjcVAQQFAgMBAAEwIwYJKwYBBAGCNxUCBBYEFPjBa7d/d1NK8yU3HU6hJnsP +IHCAMB0GA1UdDgQWBBQTrb9DCb2CcJyM1U8xbtUimIob1DAZBgkrBgEEAYI3FAIE +DB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNV +HSMEGDAWgBRFZlJD4X5YEb/WTp4jVQg7OiJqqDBcBgNVHR8EVTBTMFGgT6BNhkto +dHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNDb3JU +aGlQYXJNYXJSb29fMjAxMC0xMC0wNS5jcmwwYAYIKwYBBQUHAQEEVDBSMFAGCCsG +AQUFBzAChkRodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY0Nv +clRoaVBhck1hclJvb18yMDEwLTEwLTA1LmNydDANBgkqhkiG9w0BAQsFAAOCAgEA +NQhC/zDMzvd2DK0QaFg1KUYydid87xJBJ0IbSqptgThIWRNV8+lYNKYWC4KqXa2C +2oCDQQaPtB3yA7nzGl0b8VCQ+bNVhEIoHCC9sq5RFMXArJeVIRyQ2w/8d56Vc5GI +yr29UrkFUA3fV56gYe0N5W0l2UAPF0DIzqNKwk2vmhIdCFSPvce8uSs9SSsfMvxq +IWlPm8h+QjT8NgYXi48gQMCzmiV1J83JA6P2XdHnNlR6uVC10xLRB7+7dN/cHo+A +1e0Y9C8UFmsv3maMsCPlx4TY7erBM4KtVksYLfFolQfNz/By8K673YaFmCwhTDMr 
+8A9K8GiHtZJVMnWhaoJqPKMlEaTtrdcErsvYQFmghNGVTGKRIhp0HYw9Rw5EpuSw +mzQ1sfq2U6gsgeykBXHInbi66BtEZuRHVA6OVn+znxaYsobQaD6QI7UvXo9QhY3G +jYJfQaH0Lg3gmdJsdeS2abUhhvoH0fbiTdHarSx3Ux4lMjfHbFJylYaw8TVhahn1 +sjuBUFamMi3+oon5QoYnGFWhgspam/gwmFQUpkeWJS/IJuRBlBpcAj/lluOFWzw+ +P7tHFnJV4iUisdl75wMGKqP3HpBGwwAN1hmJ4w41J2IDcRWm79AnoKBZN2D4OJS4 +4Hhw+LpMhoeU9uCuAkXuZcK2o35pFnUHkpv1prxZg1gxghnRMIIZzQIBATCBmTCB +gTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl +ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMi +TWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMQITMwAAAF4N6/Cb7d17 +4QABAAAAXjANBglghkgBZQMEAgEFAKCB3DAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC +NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx +IgQgWnkyutU58W19ODC1kGSE40Jvsfnzovm0ZYV45zV/dKMwcAYKKwYBBAGCNwIB +DDFiMGCgMoAwAFMAVQBTAEUAIABMAGkAbgB1AHgAIABQAHIAbwBkAHUAYwB0AHMA +IABHAG0AYgBIoSqAKGh0dHBzOi8vd3d3Lm1pY3Jvc29mdC5jb20vZW4tdXMvd2lu +ZG93cyAwDQYJKoZIhvcNAQEBBQAEggEAos9I8lNSjXX3fLXt3Dq0Fw7skD87RHf1 +NSg9XI1A/pgkgSeaYTXexCA59ohpmfJOrEWgnm30XpCRAdu85cQCRXGgatG6hyLI +2eWs5qmXBT70y8qrbH17oN1WGChXtUu9wy7k2Yd6z12yD5UuHLVPlc8qYw6q374H +h7g1mnnpKznGvJF1hC1oAyJoaIiqTJY8UgwRfoHagRW4V+YsiDrJhyJzStGw/fQ1 +46mqtWO7SIMXki4X9XpKxRXGVb2hoPjAl988nfGuP89bv4DvLYzXUfy6z4yGLrfH +6sQ83JTzhHedoY5RpqGaAi0RmzcfWT7izJ+wnAftep+1NPTrn687XaGCFykwghcl +BgorBgEEAYI3AwMBMYIXFTCCFxEGCSqGSIb3DQEHAqCCFwIwghb+AgEDMQ8wDQYJ +YIZIAWUDBAIBBQAwggFZBgsqhkiG9w0BCRABBKCCAUgEggFEMIIBQAIBAQYKKwYB +BAGEWQoDATAxMA0GCWCGSAFlAwQCAQUABCArI7TJixF2Sfy1u9xlXF9UJOqmXAgu +042XVn0qGO7bpwIGZldczm2dGBMyMDI0MDYwNDIzMjM0MC4yNTJaMASAAgH0oIHY +pIHVMIHSMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE +BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMS0wKwYD +VQQLEyRNaWNyb3NvZnQgSXJlbGFuZCBPcGVyYXRpb25zIExpbWl0ZWQxJjAkBgNV +BAsTHVRoYWxlcyBUU1MgRVNOOkQwODItNEJGRC1FRUJBMSUwIwYDVQQDExxNaWNy +b3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNloIIReDCCBycwggUPoAMCAQICEzMAAAHc +weCMwl9YXo4AAQAAAdwwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UEBhMCVVMxEzAR 
+BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p +Y3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3Rh +bXAgUENBIDIwMTAwHhcNMjMxMDEyMTkwNzA2WhcNMjUwMTEwMTkwNzA2WjCB0jEL +MAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1v +bmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEtMCsGA1UECxMkTWlj +cm9zb2Z0IElyZWxhbmQgT3BlcmF0aW9ucyBMaW1pdGVkMSYwJAYDVQQLEx1UaGFs +ZXMgVFNTIEVTTjpEMDgyLTRCRkQtRUVCQTElMCMGA1UEAxMcTWljcm9zb2Z0IFRp +bWUtU3RhbXAgU2VydmljZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB +AIvIsyA1sjg9kSKJzelrUWF5ShqYWL83amn3SE5JyIVPUC7F6qTcLphhHZ9idf21 +f0RaGrU8EHydF8NxPMR2KVNiAtCGPJa8kV1CGvn3beGB2m2ltmqJanG71mAywrkK +ATYniwKLPQLJ00EkXw5TSwfmJXbdgQLFlHyfA5Kg+pUsJXzqumkIvEr0DXPvptAG +qkdFLKwo4BTlEgnvzeTfXukzX8vQtTALfVJuTUgRU7zoP/RFWt3WagahZ6UloI0F +C8XlBQDVDX5JeMEsx7jgJDdEnK44Y8gHuEWRDq+SG9Xo0GIOjiuTWD5uv3vlEmIA +yR/7rSFvcLnwAqMdqcy/iqQPMlDOcd0AbniP8ia1BQEUnfZT3UxyK9rLB/SRiKPy +HDlg8oWwXyiv3+bGB6dmdM61ur6nUtfDf51lPcKhK4Vo83pOE1/niWlVnEHQV9NJ +5/DbUSqW2RqTUa2O2KuvsyRGMEgjGJA12/SqrRqlvE2fiN5ZmZVtqSPWaIasx7a0 +GB+fdTw+geRn6Mo2S6+/bZEwS/0IJ5gcKGinNbfyQ1xrvWXPtXzKOfjkh75iRuXo +urGVPRqkmz5UYz+R5ybMJWj+mfcGqz2hXV8iZnCZDBrrnZivnErCMh5Flfg8496p +T0phjUTH2GChHIvE4SDSk2hwWP/uHB9gEs8p/9Pe/mt9AgMBAAGjggFJMIIBRTAd +BgNVHQ4EFgQU6HPSBd0OfEX3uNWsdkSraUGe3dswHwYDVR0jBBgwFoAUn6cVXQBe +Yl2D9OXSZacbUzUZ6XIwXwYDVR0fBFgwVjBUoFKgUIZOaHR0cDovL3d3dy5taWNy +b3NvZnQuY29tL3BraW9wcy9jcmwvTWljcm9zb2Z0JTIwVGltZS1TdGFtcCUyMFBD +QSUyMDIwMTAoMSkuY3JsMGwGCCsGAQUFBwEBBGAwXjBcBggrBgEFBQcwAoZQaHR0 +cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jZXJ0cy9NaWNyb3NvZnQlMjBU +aW1lLVN0YW1wJTIwUENBJTIwMjAxMCgxKS5jcnQwDAYDVR0TAQH/BAIwADAWBgNV +HSUBAf8EDDAKBggrBgEFBQcDCDAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQEL +BQADggIBANnrb8Ewr8eX/H1sKt3rnwTDx4AqgHbkMNQo+kUGwCINXS3y1GUcdqsK +/R1g6Tf7tNx1q0NpKk1JTupUJfHdExKtkuhHA+82lT7yISp/Y74dqJ03RCT4Q+8o +oQXTMzxiewfErVLt8WefebncST0i6ypKv87pCYkxM24bbqbM/V+M5VBppCUs7R+c +ETiz/zEA1AbZL/viXtHmryA0CGd+Pt9c+adsYfm7qe5UMnS0f/YJmEEMkEqGXCzy 
+LK+dh+UsFi0d4lkdcE+Zq5JNjIHesX1wztGVAtvX0DYDZdN2WZ1kk+hOMblUV/L8 +n1YWzhP/5XQnYl03AfXErn+1Eatylifzd3ChJ1xuGG76YbWgiRXnDvCiwDqvUJev +VRY1qy4y4vlVKaShtbdfgPyGeeJ/YcSBONOc0DNTWbjMbL50qeIEC0lHSpL2rRYN +Vu3hsHzG8n5u5CQajPwx9PzpsZIeFTNHyVF6kujI4Vo9NvO/zF8Ot44IMj4M7UX9 +Za4QwGf5B71x57OjaX53gxT4vzoHvEBXF9qCmHRgXBLbRomJfDn60alzv7dpCVQI +uQ062nyIZKnsXxzuKFb0TjXWw6OFpG1bsjXpOo5DMHkysribxHor4Yz5dZjVyHAN +yKo0bSrAlVeihcaG5F74SZT8FtyHAW6IgLc5w/3D+R1obDhKZ21WMIIHcTCCBVmg +AwIBAgITMwAAABXF52ueAptJmQAAAAAAFTANBgkqhkiG9w0BAQsFADCBiDELMAkG +A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx +HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9z +b2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTAwHhcNMjEwOTMwMTgy +MjI1WhcNMzAwOTMwMTgzMjI1WjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz +aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv +cnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAx +MDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOThpkzntHIhC3miy9ck +eb0O1YLT/e6cBwfSqWxOdcjKNVf2AX9sSuDivbk+F2Az/1xPx2b3lVNxWuJ+Slr+ +uDZnhUYjDLWNE893MsAQGOhgfWpSg0S3po5GawcU88V29YZQ3MFEyHFcUTE3oAo4 +bo3t1w/YJlN8OWECesSq/XJprx2rrPY2vjUmZNqYO7oaezOtgFt+jBAcnVL+tuhi +JdxqD89d9P6OU8/W7IVWTe/dvI2k45GPsjksUZzpcGkNyjYtcI4xyDUoveO0hyTD +4MmPfrVUj9z6BVWYbWg7mka97aSueik3rMvrg0XnRm7KMtXAhjBcTyziYrLNueKN +iOSWrAFKu75xqRdbZ2De+JKRHh09/SDPc31BmkZ1zcRfNN0Sidb9pSB9fvzZnkXf +tnIv231fgLrbqn427DZM9ituqBJR6L8FA6PRc6ZNN3SUHDSCD/AQ8rdHGO2n6Jl8 +P0zbr17C89XYcz1DTsEzOUyOArxCaC4Q6oRRRuLRvWoYWmEBc8pnol7XKHYC4jMY +ctenIPDC+hIK12NvDMk2ZItboKaDIV1fMHSRlJTYuVD5C4lh8zYGNRiER9vcG9H9 +stQcxWv2XFJRXRLbJbqvUAV6bMURHXLvjflSxIUXk8A8FdsaN8cIFRg/eKtFtvUe +h17aj54WcmnGrnu3tz5q4i6tAgMBAAGjggHdMIIB2TASBgkrBgEEAYI3FQEEBQID +AQABMCMGCSsGAQQBgjcVAgQWBBQqp1L+ZMSavoKRPEY1Kc8Q/y8E7jAdBgNVHQ4E +FgQUn6cVXQBeYl2D9OXSZacbUzUZ6XIwXAYDVR0gBFUwUzBRBgwrBgEEAYI3TIN9 +AQEwQTA/BggrBgEFBQcCARYzaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9w +cy9Eb2NzL1JlcG9zaXRvcnkuaHRtMBMGA1UdJQQMMAoGCCsGAQUFBwMIMBkGCSsG 
+AQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTAD +AQH/MB8GA1UdIwQYMBaAFNX2VsuP6KJcYmjRPZSQW9fOmhjEMFYGA1UdHwRPME0w +S6BJoEeGRWh0dHA6Ly9jcmwubWljcm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1Y3Rz +L01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNybDBaBggrBgEFBQcBAQROMEwwSgYI +KwYBBQUHMAKGPmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kvY2VydHMvTWlj +Um9vQ2VyQXV0XzIwMTAtMDYtMjMuY3J0MA0GCSqGSIb3DQEBCwUAA4ICAQCdVX38 +Kq3hLB9nATEkW+Geckv8qW/qXBS2Pk5HZHixBpOXPTEztTnXwnE2P9pkbHzQdTlt +uw8x5MKP+2zRoZQYIu7pZmc6U03dmLq2HnjYNi6cqYJWAAOwBb6J6Gngugnue99q +b74py27YP0h1AdkY3m2CDPVtI1TkeFN1JFe53Z/zjj3G82jfZfakVqr3lbYoVSfQ +JL1AoL8ZthISEV09J+BAljis9/kpicO8F7BUhUKz/AyeixmJ5/ALaoHCgRlCGVJ1 +ijbCHcNhcy4sa3tuPywJeBTpkbKpW99Jo3QMvOyRgNI95ko+ZjtPu4b6MhrZlvSP +9pEB9s7GdP32THJvEKt1MMU0sHrYUP4KWN1APMdUbZ1jdEgssU5HLcEUBHG/ZPkk +vnNtyo4JvbMBV0lUZNlz138eW0QBjloZkWsNn6Qo3GcZKCS6OEuabvshVGtqRRFH +qfG3rsjoiV5PndLQTHa1V1QJsWkBRH58oWFsc/4Ku+xBZj1p/cvBQUl+fpO+y/g7 +5LcVv7TOPqUxUYS8vwLBgqJ7Fx0ViY1w/ue10CgaiQuPNtq6TPmb/wrpNPgkNWcr +4A245oyZ1uEi6vAnQj0llOZ0dFtq0Z4+7X6gMTN9vMvpe784cETRkPHIqzqKOghi +f9lwY1NNje6CbaUFEMFxBmoQtB1VM1izoXBm8qGCAtQwggI9AgEBMIIBAKGB2KSB +1TCB0jELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT +B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEtMCsGA1UE +CxMkTWljcm9zb2Z0IElyZWxhbmQgT3BlcmF0aW9ucyBMaW1pdGVkMSYwJAYDVQQL +Ex1UaGFsZXMgVFNTIEVTTjpEMDgyLTRCRkQtRUVCQTElMCMGA1UEAxMcTWljcm9z +b2Z0IFRpbWUtU3RhbXAgU2VydmljZaIjCgEBMAcGBSsOAwIaAxUAHDn/cz+3yRkI +UCJfSbL3djnQEqaggYMwgYCkfjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz +aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv +cnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAx +MDANBgkqhkiG9w0BAQUFAAIFAOoJw8wwIhgPMjAyNDA2MDUwMDQ4MTJaGA8yMDI0 +MDYwNjAwNDgxMlowdDA6BgorBgEEAYRZCgQBMSwwKjAKAgUA6gnDzAIBADAHAgEA +AgICgTAHAgEAAgIRODAKAgUA6gsVTAIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgor +BgEEAYRZCgMCoAowCAIBAAIDB6EgoQowCAIBAAIDAYagMA0GCSqGSIb3DQEBBQUA +A4GBAC8f4b6D4ICk8noOTebv0jGeslnSLucbojAcUpvzBes/5xMWJlO9c9lpsGHs 
+e8H5gavRMLuGnbxQBB4cKoV1gMDuoUmdkcLoP/M/KkpHCEQ09Oy0VdiS6glNmqfD +MJ19kqSQEeWYCD5rctJ/js7reWZAxi5IvNDe/dMJ0GjVtLrXMYIEDTCCBAkCAQEw +gZMwfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT +B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UE +AxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTACEzMAAAHcweCMwl9YXo4A +AQAAAdwwDQYJYIZIAWUDBAIBBQCgggFKMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0B +CRABBDAvBgkqhkiG9w0BCQQxIgQgych9UPNiK7mD96e7HrSeRWh2CFQ0dV4wppRX +rfyb4iswgfoGCyqGSIb3DQEJEAIvMYHqMIHnMIHkMIG9BCBTpxeKatlEP4y8qZzj +uWL0Ou0IqxELDhX2TLylxIINNzCBmDCBgKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYD +VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy +b3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1w +IFBDQSAyMDEwAhMzAAAB3MHgjMJfWF6OAAEAAAHcMCIEILInP7QqpUGxqWx5NrYV +ySYRHR4t3MB7S+UItLqJz9liMA0GCSqGSIb3DQEBCwUABIICAEgVl52woahMzwzO +xColP2EZtBTo/ZJI0PjvH+NpdO0ElptMOSGRTpveI4i9Dy5n5RI4GGVx89vPK5F5 +ypVWKyliaU+Cq/xMx+HeNOWMhpBJp76QkYQHnHHtqMm7CTRFqUCVoXF/YS176sdl +Sp5ltlXom7ubkVkVt33FW7kkZcN7iIS+XR/e4MxVloCYSPW63LQOveYq41cv9r8H +vwiLlXWKujFmJRUW6PqcS2TCH24b4zi0TJMd0kzt68qPzCSbA1dJAz6UY0GfN4df +s9gGdePUoK51m2qempsMAAie3qeYDyzM7GhyTJgE4Dw4IY2wnH6cFy3MyuTKGXxB +b+/RiSejYTym87Q07mMVOIfWUzwJzuovprzXZ0xTfFuHCXffRJ7/vHcA0m2UkBWV +HIeLK1cUtOmuRUdFvdpH4N9keP4hGIZetrSio3Z1gUuU/LO2ZjpMtqYrPcv6xCwE +PhirRpF51u0ytAfDqQxtVwYKUm8Dh2jI7/QlGtI04xhXzTeeHBW65XgjRV6+J3x7 +hnVYxvN6315f76RhpDmx3bCAT1/IJLGFgPaXM+jCpHGV2gWeiZsoKCRyTudysf1r +T2WD2QBZvRcaHXBsR60RDLNKGLXLKPuRiT5kssBkTKPYHcqKhzued4MPu9rR2WvB +KZfWKFVEiNFsMJ4PCiRxSyQmcQycAAAA +-----END AUTHENTICODE SIGNATURE----- diff --git a/signature-sles.aarch64.asc b/signature-sles.aarch64.asc new file mode 100644 index 0000000..3dee0fd --- /dev/null +++ b/signature-sles.aarch64.asc 
@@ -0,0 +1,210 @@ +hash: 8bfe4fc6a7506d82a4efdd39ecac04ef0ab6f65d9ac3514d803462a7b4ae7fcf +# 1970-01-01 00:00:00 +timestamp: 0 +linker: 2902 +checksum: 3f4c +-----BEGIN AUTHENTICODE SIGNATURE----- +MIIl+wYJKoZIhvcNAQcCoIIl7DCCJegCAQExDzANBglghkgBZQMEAgEFADBcBgor +BgEEAYI3AgEEoE4wTDAXBgorBgEEAYI3AgEPMAkDAQCgBKICgAAwMTANBglghkgB +ZQMEAgEFAAQgi/5PxqdQbYKk79057KwE7wq29l2aw1FNgDRip7Suf8+gggszMIIF +GzCCBAOgAwIBAgITMwAAAF4N6/Cb7d174QABAAAAXjANBgkqhkiG9w0BAQsFADCB +gTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl +ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMi +TWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTAeFw0yMzEwMTkxOTUz +MjNaFw0yNDEwMTYxOTUzMjNaMIGGMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz +aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv +cnBvcmF0aW9uMTAwLgYDVQQDEydNaWNyb3NvZnQgV2luZG93cyBVRUZJIERyaXZl +ciBQdWJsaXNoZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzpvyW +cc7Gs+Ea6UCnwbKrckBd4Q7X4TqLmyMXmzQ0qR3SXfpXij+zVEgVsEiZu/q2EpK0 +yMFaXzI2XRxUEh4OUvEr/YxnOIf4RC2LBhrMtGgxRgtsquEcYqpmpwD0/55+CAGt +Ro1lBKt6xjNg94JoiTyO06zfNsSU8XbAWKH/D6yNhmJy2sx8LCOzQ84FrnUw8WX5 +qrYMxn098IVb7OWiT77OZDfQAacxPmjCl1Mu0B97JbkSXJQjC9i6bojYQiyj644u +l/AZ0PNQnsskHt3wRCWbt6JeJoBvZ1AfyB18YZlSTErrsLWMMdskxjDxaPQZ89np +hh8x1pp4s+rRydvnAgMBAAGjggGDMIIBfzAfBgNVHSUEGDAWBgorBgEEAYI3UAIB +BggrBgEFBQcDAzAdBgNVHQ4EFgQUlfB5rBZSx3/3mPyB55Q8ze/1EU8wVAYDVR0R +BE0wS6RJMEcxLTArBgNVBAsTJE1pY3Jvc29mdCBJcmVsYW5kIE9wZXJhdGlvbnMg +TGltaXRlZDEWMBQGA1UEBRMNMjI5OTExKzUwMTY1NzAfBgNVHSMEGDAWgBQTrb9D +Cb2CcJyM1U8xbtUimIob1DBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vd3d3Lm1p +Y3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNDb3JVRUZDQTIwMTFfMjAxMS0wNi0y +Ny5jcmwlMjAwYAYIKwYBBQUHAQEEVDBSMFAGCCsGAQUFBzAChkRodHRwOi8vd3d3 +Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvclVFRkNBMjAxMV8yMDEx +LTA2LTI3LmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQAbF+I8 +wqogC0dVERcDh9mPeIvBJ0MJAYE7RraCaQHgjl8vQi8X1yB8o/xzzP7vTJWxdHLx +uuVLIZMGW922OtA5zth05/mwOwYJClf5IEpj7lAYYDAFYLy4Q7amg0s13bFnpwJx 
+h4pNfvoZYaGpQw5HOTTz8fAZW5U61Kcbvy5sjbfKWJMxyD6GP1B8CkWHXsc5OdxU +y+GvmwuguWtgW7MNFOTxxccPocRo7/KKhTL68jZysOPdEyCbLnuiICwowAK2GHCh +cdxsOKwu/Lqb+rbJEv+Tj8aFNyuymDw6CYl/cfwbBrlh7EWB9Tr2bp8HRCYgZDC7 +/3VMVGyApvwRUC4VMIIGEDCCA/igAwIBAgIKYQjTxAAAAAAABDANBgkqhkiG9w0B +AQsFADCBkTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNV +BAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjE7MDkG +A1UEAxMyTWljcm9zb2Z0IENvcnBvcmF0aW9uIFRoaXJkIFBhcnR5IE1hcmtldHBs +YWNlIFJvb3QwHhcNMTEwNjI3MjEyMjQ1WhcNMjYwNjI3MjEzMjQ1WjCBgTELMAkG +A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx +HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMiTWljcm9z +b2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAKUIbEzHRQlqSwykwId/BnUMQwFUZOAWfwftkn0LsnO/DArG +SkVhoMUWLZbT9Sug+01Jm0GAkDy5VP3mvNGdxKQYin9BilxZg2gyu4xHye5xvCFP +mop8/0Q/jY8ysiZIrnW17slMHkoZfuSCmh14d00MsL32D9MW07z6K6VROF31+7rb +eALb/+wKG5bVg7gZE+m2wHtAe+EfKCfJ+u9WXhzmfpR+wPBEsnk55dqyYotNvzhw +4mgkFMkzpAg31VhpXtN87cEEUwjnTrAqh2MIYW9jFVnqsit51wxhZ4pb/V6th3+6 +hmdPcVgSIgQiIs6L71RxAM5QNVh2lQjuarGiAdUCAwEAAaOCAXYwggFyMBIGCSsG +AQQBgjcVAQQFAgMBAAEwIwYJKwYBBAGCNxUCBBYEFPjBa7d/d1NK8yU3HU6hJnsP +IHCAMB0GA1UdDgQWBBQTrb9DCb2CcJyM1U8xbtUimIob1DAZBgkrBgEEAYI3FAIE +DB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNV +HSMEGDAWgBRFZlJD4X5YEb/WTp4jVQg7OiJqqDBcBgNVHR8EVTBTMFGgT6BNhkto +dHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNDb3JU +aGlQYXJNYXJSb29fMjAxMC0xMC0wNS5jcmwwYAYIKwYBBQUHAQEEVDBSMFAGCCsG +AQUFBzAChkRodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY0Nv +clRoaVBhck1hclJvb18yMDEwLTEwLTA1LmNydDANBgkqhkiG9w0BAQsFAAOCAgEA +NQhC/zDMzvd2DK0QaFg1KUYydid87xJBJ0IbSqptgThIWRNV8+lYNKYWC4KqXa2C +2oCDQQaPtB3yA7nzGl0b8VCQ+bNVhEIoHCC9sq5RFMXArJeVIRyQ2w/8d56Vc5GI +yr29UrkFUA3fV56gYe0N5W0l2UAPF0DIzqNKwk2vmhIdCFSPvce8uSs9SSsfMvxq +IWlPm8h+QjT8NgYXi48gQMCzmiV1J83JA6P2XdHnNlR6uVC10xLRB7+7dN/cHo+A +1e0Y9C8UFmsv3maMsCPlx4TY7erBM4KtVksYLfFolQfNz/By8K673YaFmCwhTDMr 
+8A9K8GiHtZJVMnWhaoJqPKMlEaTtrdcErsvYQFmghNGVTGKRIhp0HYw9Rw5EpuSw +mzQ1sfq2U6gsgeykBXHInbi66BtEZuRHVA6OVn+znxaYsobQaD6QI7UvXo9QhY3G +jYJfQaH0Lg3gmdJsdeS2abUhhvoH0fbiTdHarSx3Ux4lMjfHbFJylYaw8TVhahn1 +sjuBUFamMi3+oon5QoYnGFWhgspam/gwmFQUpkeWJS/IJuRBlBpcAj/lluOFWzw+ +P7tHFnJV4iUisdl75wMGKqP3HpBGwwAN1hmJ4w41J2IDcRWm79AnoKBZN2D4OJS4 +4Hhw+LpMhoeU9uCuAkXuZcK2o35pFnUHkpv1prxZg1gxgho7MIIaNwIBATCBmTCB +gTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl +ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMi +TWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMQITMwAAAF4N6/Cb7d17 +4QABAAAAXjANBglghkgBZQMEAgEFAKCB3DAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC +NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx +IgQgHGa3pq6cZ6ju8xNpkCN24qz9D/S8mRmzmwE7aHgdbDMwcAYKKwYBBAGCNwIB +DDFiMGCgMoAwAFMAVQBTAEUAIABMAGkAbgB1AHgAIABQAHIAbwBkAHUAYwB0AHMA +IABHAG0AYgBIoSqAKGh0dHBzOi8vd3d3Lm1pY3Jvc29mdC5jb20vZW4tdXMvd2lu +ZG93cyAwDQYJKoZIhvcNAQEBBQAEggEAN7uAsMHOmhG69Ub1ymL32RVrpwF5DycX +lg+oLDJbtBQYv57qGpADcYmhDkJ0op9do6JirMRswk7ClioQkHg3NuOEtHXbt3+7 +tSJx5GiT67nKvq5D6ZqRqc+q5k3np5MNXmGw3Alk2dShd62BFkOb5Kjf9TP5U7+M +0qCgaxXBLZ2Fu84Hu4yXp3KmCfdXFtsicEwbjT3Yhj3nhiZqHi9Y05XOqHuNdII2 +blnEK0PgX1KyMcTXq2gIMtqIQ3ZEe7rxnG0lVdJcXl0iUdlVgfcB3VRD881IFVqq +ByKlMcmMV+WuWeMRRT7k2m+LLGn1GMR1WdWVnbBtOidqAn8Des3S9qGCF5MwgheP +BgorBgEEAYI3AwMBMYIXfzCCF3sGCSqGSIb3DQEHAqCCF2wwghdoAgEDMQ8wDQYJ +YIZIAWUDBAIBBQAwggFSBgsqhkiG9w0BCRABBKCCAUEEggE9MIIBOQIBAQYKKwYB +BAGEWQoDATAxMA0GCWCGSAFlAwQCAQUABCBoDPoWLlW8ISntMA2A0ZpkDTfW4KSB +C8mDh6J8aGLfMgIGZhfUMtF7GBMyMDI0MDQxMTIyNTAxOC44NDRaMASAAgH0oIHR +pIHOMIHLMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE +BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYD +VQQLExxNaWNyb3NvZnQgQW1lcmljYSBPcGVyYXRpb25zMScwJQYDVQQLEx5uU2hp +ZWxkIFRTUyBFU046OTIwMC0wNUUwLUQ5NDcxJTAjBgNVBAMTHE1pY3Jvc29mdCBU +aW1lLVN0YW1wIFNlcnZpY2WgghHpMIIHIDCCBQigAwIBAgITMwAAAecujy+TC08b +6QABAAAB5zANBgkqhkiG9w0BAQsFADB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMK 
+V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0 +IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0Eg +MjAxMDAeFw0yMzEyMDYxODQ1MTlaFw0yNTAzMDUxODQ1MTlaMIHLMQswCQYDVQQG +EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG +A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQLExxNaWNyb3NvZnQg +QW1lcmljYSBPcGVyYXRpb25zMScwJQYDVQQLEx5uU2hpZWxkIFRTUyBFU046OTIw +MC0wNUUwLUQ5NDcxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZp +Y2UwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDCV58v4IuQ659XPM1D +taWMv9/HRUC5kdiEF89YBP6/Rn7kjqMkZ5ESemf5Eli4CLtQVSefRpF1j7S5LLKi +sMWOGRaLcaVbGTfcmI1vMRJ1tzMwCNIoCq/vy8WH8QdV1B/Ab5sK+Q9yIvzGw47T +fXPE8RlrauwK/e+nWnwMt060akEZiJJz1Vh1LhSYKaiP9Z23EZmGETCWigkKbcuA +nhvh3yrMa89uBfaeHQZEHGQqdskM48EBcWSWdpiSSBiAxyhHUkbknl9PPztB/SUx +zRZjUzWHg9bf1mqZ0cIiAWC0EjK7ONhlQfKSRHVLKLNPpl3/+UL4Xjc0Yvdqc88g +OLUr/84T9/xK5r82ulvRp2A8/ar9cG4W7650uKaAxRAmgL4hKgIX5/0aIAsbyqJO +a6OIGSF9a+DfXl1LpQPNKR792scF7tjD5WqwIuifS9YUiHMvRLjjKk0SSCV/mpXC +0BoPkk5asfxrrJbCsJePHSOEblpJzRmzaP6OMXwRcrb7TXFQOsTkKuqkWvvYIPvV +zC68UM+MskLPld1eqdOOMK7Sbbf2tGSZf3+iOwWQMcWXB9gw5gK3AIYK08WkJJuy +zPqfitgubdRCmYr9CVsNOuW+wHDYGhciJDF2LkrjkFUjUcXSIJd9f2ssYitZ9Cur +GV74BQcfrxjvk1L8jvtN7mulIwIDAQABo4IBSTCCAUUwHQYDVR0OBBYEFM/+4JiA +nzY4dpEf/Zlrh1K73o9YMB8GA1UdIwQYMBaAFJ+nFV0AXmJdg/Tl0mWnG1M1Gely +MF8GA1UdHwRYMFYwVKBSoFCGTmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lv +cHMvY3JsL01pY3Jvc29mdCUyMFRpbWUtU3RhbXAlMjBQQ0ElMjAyMDEwKDEpLmNy +bDBsBggrBgEFBQcBAQRgMF4wXAYIKwYBBQUHMAKGUGh0dHA6Ly93d3cubWljcm9z +b2Z0LmNvbS9wa2lvcHMvY2VydHMvTWljcm9zb2Z0JTIwVGltZS1TdGFtcCUyMFBD +QSUyMDIwMTAoMSkuY3J0MAwGA1UdEwEB/wQCMAAwFgYDVR0lAQH/BAwwCgYIKwYB +BQUHAwgwDgYDVR0PAQH/BAQDAgeAMA0GCSqGSIb3DQEBCwUAA4ICAQB0ofDbk+ll +Wi1cC6nsfie5Jtp09o6b6ARCpvtDPq2KFP+hi+UNNP7LGciKuckqXCmBTFIhfBeG +Sxvk6ycokdQr3815pEOaYWTnHvQ0+8hKy86r1F4rfBu4oHB5cTy08T4ohrG/OYG/ +B/gNnz0Ol6v7u/qEjz48zXZ6ZlxKGyZwKmKZWaBd2DYEwzKpdLkBxs6A6enWZR0j +Y+q5FdbV45ghGTKgSr5ECAOnLD4njJwfjIq0mRZWwDZQoXtJSaVHSu2lHQL3YHEF 
+ikunbUTJfNfBDLL7Gv+sTmRiDZky5OAxoLG2gaTfuiFbfpmSfPcgl5COUzfMQnzp +KfX6+FkI0QQNvuPpWsDU8sR+uni2VmDo7rmqJrom4ihgVNdLaMfNUqvBL5ZiSK1z +maELBJ9a+YOjE5pmSarW5sGbn7iVkF2W9JQIOH6tGWLFJS5Hs36zahkoHh8iD963 +LeGjZqkFusKaUW72yMj/yxTeGEDOoIr35kwXxr1Uu+zkur2y+FuNY0oZjppzp95A +W1lehP0xaO+oBV1XfvaCur/B5PVAp2xzrosMEUcAwpJpio+VYfIufGj7meXcGQYW +A8Umr8K6Auo+Jlj8IeFS6lSvKhqQpmdBzAMGqPOQKt1Ow3ZXxehK7vAiim3ZiALl +M0K546k0sZrxdZPgpmz7O8w9gHLuyZAQezCCB3EwggVZoAMCAQICEzMAAAAVxedr +ngKbSZkAAAAAABUwDQYJKoZIhvcNAQELBQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYD +VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy +b3NvZnQgQ29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29mdCBSb290IENlcnRp +ZmljYXRlIEF1dGhvcml0eSAyMDEwMB4XDTIxMDkzMDE4MjIyNVoXDTMwMDkzMDE4 +MzIyNVowfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNV +BAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQG +A1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAwggIiMA0GCSqGSIb3 +DQEBAQUAA4ICDwAwggIKAoICAQDk4aZM57RyIQt5osvXJHm9DtWC0/3unAcH0qls +TnXIyjVX9gF/bErg4r25PhdgM/9cT8dm95VTcVrifkpa/rg2Z4VGIwy1jRPPdzLA +EBjoYH1qUoNEt6aORmsHFPPFdvWGUNzBRMhxXFExN6AKOG6N7dcP2CZTfDlhAnrE +qv1yaa8dq6z2Nr41JmTamDu6GnszrYBbfowQHJ1S/rboYiXcag/PXfT+jlPP1uyF +Vk3v3byNpOORj7I5LFGc6XBpDco2LXCOMcg1KL3jtIckw+DJj361VI/c+gVVmG1o +O5pGve2krnopN6zL64NF50ZuyjLVwIYwXE8s4mKyzbnijYjklqwBSru+cakXW2dg +3viSkR4dPf0gz3N9QZpGdc3EXzTdEonW/aUgfX782Z5F37ZyL9t9X4C626p+Nuw2 +TPYrbqgSUei/BQOj0XOmTTd0lBw0gg/wEPK3Rxjtp+iZfD9M269ewvPV2HM9Q07B +MzlMjgK8QmguEOqEUUbi0b1qGFphAXPKZ6Je1yh2AuIzGHLXpyDwwvoSCtdjbwzJ +NmSLW6CmgyFdXzB0kZSU2LlQ+QuJYfM2BjUYhEfb3BvR/bLUHMVr9lxSUV0S2yW6 +r1AFemzFER1y7435UsSFF5PAPBXbGjfHCBUYP3irRbb1Hode2o+eFnJpxq57t7c+ +auIurQIDAQABo4IB3TCCAdkwEgYJKwYBBAGCNxUBBAUCAwEAATAjBgkrBgEEAYI3 +FQIEFgQUKqdS/mTEmr6CkTxGNSnPEP8vBO4wHQYDVR0OBBYEFJ+nFV0AXmJdg/Tl +0mWnG1M1GelyMFwGA1UdIARVMFMwUQYMKwYBBAGCN0yDfQEBMEEwPwYIKwYBBQUH +AgEWM2h0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvRG9jcy9SZXBvc2l0 +b3J5Lmh0bTATBgNVHSUEDDAKBggrBgEFBQcDCDAZBgkrBgEEAYI3FAIEDB4KAFMA 
+dQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAW +gBTV9lbLj+iiXGJo0T2UkFvXzpoYxDBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8v +Y3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXRf +MjAxMC0wNi0yMy5jcmwwWgYIKwYBBQUHAQEETjBMMEoGCCsGAQUFBzAChj5odHRw +Oi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dF8yMDEw +LTA2LTIzLmNydDANBgkqhkiG9w0BAQsFAAOCAgEAnVV9/Cqt4SwfZwExJFvhnnJL +/Klv6lwUtj5OR2R4sQaTlz0xM7U518JxNj/aZGx80HU5bbsPMeTCj/ts0aGUGCLu +6WZnOlNN3Zi6th542DYunKmCVgADsAW+iehp4LoJ7nvfam++Kctu2D9IdQHZGN5t +ggz1bSNU5HhTdSRXud2f8449xvNo32X2pFaq95W2KFUn0CS9QKC/GbYSEhFdPSfg +QJY4rPf5KYnDvBewVIVCs/wMnosZiefwC2qBwoEZQhlSdYo2wh3DYXMuLGt7bj8s +CXgU6ZGyqVvfSaN0DLzskYDSPeZKPmY7T7uG+jIa2Zb0j/aRAfbOxnT99kxybxCr +dTDFNLB62FD+CljdQDzHVG2dY3RILLFORy3BFARxv2T5JL5zbcqOCb2zAVdJVGTZ +c9d/HltEAY5aGZFrDZ+kKNxnGSgkujhLmm77IVRrakURR6nxt67I6IleT53S0Ex2 +tVdUCbFpAUR+fKFhbHP+CrvsQWY9af3LwUFJfn6Tvsv4O+S3Fb+0zj6lMVGEvL8C +wYKiexcdFYmNcP7ntdAoGokLjzbaukz5m/8K6TT4JDVnK+ANuOaMmdbhIurwJ0I9 +JZTmdHRbatGePu1+oDEzfbzL6Xu/OHBE0ZDxyKs6ijoIYn/ZcGNTTY3ugm2lBRDB +cQZqELQdVTNYs6FwZvKhggNMMIICNAIBATCB+aGB0aSBzjCByzELMAkGA1UEBhMC +VVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNV +BAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjElMCMGA1UECxMcTWljcm9zb2Z0IEFt +ZXJpY2EgT3BlcmF0aW9uczEnMCUGA1UECxMeblNoaWVsZCBUU1MgRVNOOjkyMDAt +MDVFMC1EOTQ3MSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNl +oiMKAQEwBwYFKw4DAhoDFQCzcgTnGasSwe/dru+cPe1NF/vwQ6CBgzCBgKR+MHwx +CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt +b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1p +Y3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwMA0GCSqGSIb3DQEBCwUAAgUA6cJS +mjAiGA8yMDI0MDQxMTEyMTQxOFoYDzIwMjQwNDEyMTIxNDE4WjBzMDkGCisGAQQB +hFkKBAExKzApMAoCBQDpwlKaAgEAMAYCAQACASgwBwIBAAICEiYwCgIFAOnDpBoC +AQAwNgYKKwYBBAGEWQoEAjEoMCYwDAYKKwYBBAGEWQoDAqAKMAgCAQACAwehIKEK +MAgCAQACAwGGoDANBgkqhkiG9w0BAQsFAAOCAQEAf4tOpQ5gBGzARNdwp1pVuYXp +bWyRCRiqfYb68+JtblKjwyWYDtAOXNP2qRUjZ6X8oJgO1wEjxpDVYRN5VIn+ban3 
+PildnY8xy8jasAWW0wURKgJqtFO0xdetSgjXn5MaHGJTxGtpCS8heC+YnwWNoSlJ +HsVR52ZcVPu+9Y3MlCbjtWbSOaTuksLHSnqUZiAX7wjjIqTbj6upzev8jnmrlx6R +onVk/tA2kvLIDpVpe2jBPd2EfinE7D67aQomuwxPBFW2bBjrDt/JNFym7jkeCy1d +CmdZDhJimT8pT1+tQeZRzePOgI7ZnXKmebMGQqYQcHxbEU0am/7hKiBpeaD2ujGC +BA0wggQJAgEBMIGTMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9u +MRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRp +b24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAAB +5y6PL5MLTxvpAAEAAAHnMA0GCWCGSAFlAwQCAQUAoIIBSjAaBgkqhkiG9w0BCQMx +DQYLKoZIhvcNAQkQAQQwLwYJKoZIhvcNAQkEMSIEIOkQmYDXPmLBh1DaIG8Y2CTX +QdhW9VMILYHR4VUkQa/MMIH6BgsqhkiG9w0BCRACLzGB6jCB5zCB5DCBvQQg5TZd +DXZqhv0N4MVcz1QUd4RfvgW/QAG9AwbuoLnWc60wgZgwgYCkfjB8MQswCQYDVQQG +EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG +A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQg +VGltZS1TdGFtcCBQQ0EgMjAxMAITMwAAAecujy+TC08b6QABAAAB5zAiBCCsloFX +cLJwMLkxizfVMbeIkTSyF84H12/TwwH1v8D0vjANBgkqhkiG9w0BAQsFAASCAgCI +dACF0FS2OCOfS1jUu0GACyb39hQIlVJVPzSRhPj8Zc/h4mkTP358Wq57p+Qqm/zN +5UqpfHRCdaXB/KwG0re3rzYo8kqv5TIvMm+GTp4EUtqksyjaEeUCwjvo5pLinf56 +ks0KADhqgddaHRjYeCeKyYvcdH78iTKM++NRupz0fwifHKNVo1FEGhtG++a0LdPp +UZk4DpvgoGfPnOGxt9fCchLHLxvHikWejK4cwsMA00otQUfhZnDm5vdQbi/NKBBV +RFmXPjHeY8He1h3hTuCO0O/spqVLhF2cK8Lid+F0HWwuOgVeCjy1RnpVKaTcQtMo +UmsGm75tdyQcKKTPvdtpuk72RAG2PqjtuC5U8fIo0c1l3cCr80ijVqkC7/PF1cfT +GY6T77CWexF5AwrJBX4ghnT0TsQU5kNBvqHEthWqKQjPyQuXh0wJ/5IlPJcaFa7X +QH4tMJMxAujRbWTQD+mS6HRYC7oRpdKKcQkZbE9z0NBaOK9e4Xn5tRjcGPVOK7DX +NizSCu+SXl7trZDH8uhqQBx1oBjEPP+/Og1q6pXjrITpsPUPKp9C56aIn8sQRitb +dtzdbywveaOcTy/8boBjsEpSipXVFZVETGs/MbKOkD2RkV5IFKAhr05dA58OisKA +8mbwwIi8UZuUQzdvx+U0FJakJqQONhWbdPUvFcViTAA= +-----END AUTHENTICODE SIGNATURE----- diff --git a/signature-sles.x86_64.asc b/signature-sles.x86_64.asc new file mode 100644 index 0000000..ff63cd4 --- /dev/null +++ b/signature-sles.x86_64.asc 
@@ -0,0 +1,208 @@ +hash: f327bfe0e31193974df9fa68b621a2c87d154ef2986059ce16fc6d0bd7537a96 +# 1970-01-01 00:00:00 +timestamp: 0 +linker: 2902 +checksum: 5cd1 +-----BEGIN AUTHENTICODE SIGNATURE----- +MIIlkQYJKoZIhvcNAQcCoIIlgjCCJX4CAQExDzANBglghkgBZQMEAgEFADBcBgor +BgEEAYI3AgEEoE4wTDAXBgorBgEEAYI3AgEPMAkDAQCgBKICgAAwMTANBglghkgB +ZQMEAgEFAAQg8ye/4OMRk5dN+fpotiGiyH0VTvKYYFnOFvxtC9dTepagggszMIIF +GzCCBAOgAwIBAgITMwAAAF4N6/Cb7d174QABAAAAXjANBgkqhkiG9w0BAQsFADCB +gTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl +ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMi +TWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTAeFw0yMzEwMTkxOTUz +MjNaFw0yNDEwMTYxOTUzMjNaMIGGMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz +aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv +cnBvcmF0aW9uMTAwLgYDVQQDEydNaWNyb3NvZnQgV2luZG93cyBVRUZJIERyaXZl +ciBQdWJsaXNoZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzpvyW +cc7Gs+Ea6UCnwbKrckBd4Q7X4TqLmyMXmzQ0qR3SXfpXij+zVEgVsEiZu/q2EpK0 +yMFaXzI2XRxUEh4OUvEr/YxnOIf4RC2LBhrMtGgxRgtsquEcYqpmpwD0/55+CAGt +Ro1lBKt6xjNg94JoiTyO06zfNsSU8XbAWKH/D6yNhmJy2sx8LCOzQ84FrnUw8WX5 +qrYMxn098IVb7OWiT77OZDfQAacxPmjCl1Mu0B97JbkSXJQjC9i6bojYQiyj644u +l/AZ0PNQnsskHt3wRCWbt6JeJoBvZ1AfyB18YZlSTErrsLWMMdskxjDxaPQZ89np +hh8x1pp4s+rRydvnAgMBAAGjggGDMIIBfzAfBgNVHSUEGDAWBgorBgEEAYI3UAIB +BggrBgEFBQcDAzAdBgNVHQ4EFgQUlfB5rBZSx3/3mPyB55Q8ze/1EU8wVAYDVR0R +BE0wS6RJMEcxLTArBgNVBAsTJE1pY3Jvc29mdCBJcmVsYW5kIE9wZXJhdGlvbnMg +TGltaXRlZDEWMBQGA1UEBRMNMjI5OTExKzUwMTY1NzAfBgNVHSMEGDAWgBQTrb9D +Cb2CcJyM1U8xbtUimIob1DBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vd3d3Lm1p +Y3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNDb3JVRUZDQTIwMTFfMjAxMS0wNi0y +Ny5jcmwlMjAwYAYIKwYBBQUHAQEEVDBSMFAGCCsGAQUFBzAChkRodHRwOi8vd3d3 +Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvclVFRkNBMjAxMV8yMDEx +LTA2LTI3LmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQAbF+I8 +wqogC0dVERcDh9mPeIvBJ0MJAYE7RraCaQHgjl8vQi8X1yB8o/xzzP7vTJWxdHLx +uuVLIZMGW922OtA5zth05/mwOwYJClf5IEpj7lAYYDAFYLy4Q7amg0s13bFnpwJx 
+h4pNfvoZYaGpQw5HOTTz8fAZW5U61Kcbvy5sjbfKWJMxyD6GP1B8CkWHXsc5OdxU +y+GvmwuguWtgW7MNFOTxxccPocRo7/KKhTL68jZysOPdEyCbLnuiICwowAK2GHCh +cdxsOKwu/Lqb+rbJEv+Tj8aFNyuymDw6CYl/cfwbBrlh7EWB9Tr2bp8HRCYgZDC7 +/3VMVGyApvwRUC4VMIIGEDCCA/igAwIBAgIKYQjTxAAAAAAABDANBgkqhkiG9w0B +AQsFADCBkTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNV +BAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjE7MDkG +A1UEAxMyTWljcm9zb2Z0IENvcnBvcmF0aW9uIFRoaXJkIFBhcnR5IE1hcmtldHBs +YWNlIFJvb3QwHhcNMTEwNjI3MjEyMjQ1WhcNMjYwNjI3MjEzMjQ1WjCBgTELMAkG +A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx +HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMiTWljcm9z +b2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAKUIbEzHRQlqSwykwId/BnUMQwFUZOAWfwftkn0LsnO/DArG +SkVhoMUWLZbT9Sug+01Jm0GAkDy5VP3mvNGdxKQYin9BilxZg2gyu4xHye5xvCFP +mop8/0Q/jY8ysiZIrnW17slMHkoZfuSCmh14d00MsL32D9MW07z6K6VROF31+7rb +eALb/+wKG5bVg7gZE+m2wHtAe+EfKCfJ+u9WXhzmfpR+wPBEsnk55dqyYotNvzhw +4mgkFMkzpAg31VhpXtN87cEEUwjnTrAqh2MIYW9jFVnqsit51wxhZ4pb/V6th3+6 +hmdPcVgSIgQiIs6L71RxAM5QNVh2lQjuarGiAdUCAwEAAaOCAXYwggFyMBIGCSsG +AQQBgjcVAQQFAgMBAAEwIwYJKwYBBAGCNxUCBBYEFPjBa7d/d1NK8yU3HU6hJnsP +IHCAMB0GA1UdDgQWBBQTrb9DCb2CcJyM1U8xbtUimIob1DAZBgkrBgEEAYI3FAIE +DB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNV +HSMEGDAWgBRFZlJD4X5YEb/WTp4jVQg7OiJqqDBcBgNVHR8EVTBTMFGgT6BNhkto +dHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNDb3JU +aGlQYXJNYXJSb29fMjAxMC0xMC0wNS5jcmwwYAYIKwYBBQUHAQEEVDBSMFAGCCsG +AQUFBzAChkRodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY0Nv +clRoaVBhck1hclJvb18yMDEwLTEwLTA1LmNydDANBgkqhkiG9w0BAQsFAAOCAgEA +NQhC/zDMzvd2DK0QaFg1KUYydid87xJBJ0IbSqptgThIWRNV8+lYNKYWC4KqXa2C +2oCDQQaPtB3yA7nzGl0b8VCQ+bNVhEIoHCC9sq5RFMXArJeVIRyQ2w/8d56Vc5GI +yr29UrkFUA3fV56gYe0N5W0l2UAPF0DIzqNKwk2vmhIdCFSPvce8uSs9SSsfMvxq +IWlPm8h+QjT8NgYXi48gQMCzmiV1J83JA6P2XdHnNlR6uVC10xLRB7+7dN/cHo+A +1e0Y9C8UFmsv3maMsCPlx4TY7erBM4KtVksYLfFolQfNz/By8K673YaFmCwhTDMr 
+8A9K8GiHtZJVMnWhaoJqPKMlEaTtrdcErsvYQFmghNGVTGKRIhp0HYw9Rw5EpuSw +mzQ1sfq2U6gsgeykBXHInbi66BtEZuRHVA6OVn+znxaYsobQaD6QI7UvXo9QhY3G +jYJfQaH0Lg3gmdJsdeS2abUhhvoH0fbiTdHarSx3Ux4lMjfHbFJylYaw8TVhahn1 +sjuBUFamMi3+oon5QoYnGFWhgspam/gwmFQUpkeWJS/IJuRBlBpcAj/lluOFWzw+ +P7tHFnJV4iUisdl75wMGKqP3HpBGwwAN1hmJ4w41J2IDcRWm79AnoKBZN2D4OJS4 +4Hhw+LpMhoeU9uCuAkXuZcK2o35pFnUHkpv1prxZg1gxghnRMIIZzQIBATCBmTCB +gTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl +ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMi +TWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMQITMwAAAF4N6/Cb7d17 +4QABAAAAXjANBglghkgBZQMEAgEFAKCB3DAZBgkqhkiG9w0BCQMxDAYKKwYBBAGC +NwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQx +IgQgRq9ceIYVwwT7J59sqDneA0/YIuLUvyKjjHH2OiRZab8wcAYKKwYBBAGCNwIB +DDFiMGCgMoAwAFMAVQBTAEUAIABMAGkAbgB1AHgAIABQAHIAbwBkAHUAYwB0AHMA +IABHAG0AYgBIoSqAKGh0dHBzOi8vd3d3Lm1pY3Jvc29mdC5jb20vZW4tdXMvd2lu +ZG93cyAwDQYJKoZIhvcNAQEBBQAEggEAVdCpoMwPovJGd29CZUkSPe9UvvahoUB9 +FYbVATVEA3P3GkBfNoWAr1fhdA5FFu+9gSXuBaevn1JfAYj1oXeOJaDNtY+WsuJ4 +VxtCEbM+o4VVWLst4gWTojlrjGsaV2OOXNbNw98+8XGJsA932dqzYv8X7uhrjZW/ +wC9F/8OoPDDAoM8R7tKIm6hmwnyjiWGfGIOLHuhL5gvXP0Qy+Ex6AgrQW/GDUGjV +jKAE8rA0JStEqUulLw6dUXM1lUV5kQT7IDRKjh91Gwn7s8M98dRzWR9NCG/LfU5B +5S+qGxsMiNDvJ46ZwIeAXtzLmf1FygcQQXzJen4UyxoCjx2QOt91DKGCFykwghcl +BgorBgEEAYI3AwMBMYIXFTCCFxEGCSqGSIb3DQEHAqCCFwIwghb+AgEDMQ8wDQYJ +YIZIAWUDBAIBBQAwggFZBgsqhkiG9w0BCRABBKCCAUgEggFEMIIBQAIBAQYKKwYB +BAGEWQoDATAxMA0GCWCGSAFlAwQCAQUABCCNpBEsuuGuUzmV1OJ8tm5CTBqO275y +oxDGfw8ttfhG5gIGZfxowbM5GBMyMDI0MDQxMTIyNDk0NC44NDNaMASAAgH0oIHY +pIHVMIHSMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE +BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMS0wKwYD +VQQLEyRNaWNyb3NvZnQgSXJlbGFuZCBPcGVyYXRpb25zIExpbWl0ZWQxJjAkBgNV +BAsTHVRoYWxlcyBUU1MgRVNOOjE3OUUtNEJCMC04MjQ2MSUwIwYDVQQDExxNaWNy +b3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNloIIReDCCBycwggUPoAMCAQICEzMAAAHg +1PwfExUffl0AAQAAAeAwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UEBhMCVVMxEzAR 
+BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p +Y3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3Rh +bXAgUENBIDIwMTAwHhcNMjMxMDEyMTkwNzE5WhcNMjUwMTEwMTkwNzE5WjCB0jEL +MAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1v +bmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEtMCsGA1UECxMkTWlj +cm9zb2Z0IElyZWxhbmQgT3BlcmF0aW9ucyBMaW1pdGVkMSYwJAYDVQQLEx1UaGFs +ZXMgVFNTIEVTTjoxNzlFLTRCQjAtODI0NjElMCMGA1UEAxMcTWljcm9zb2Z0IFRp +bWUtU3RhbXAgU2VydmljZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB +AKyHnPOhxbvRATnGjb/6fuBhh3ZLzotAxAgdLaZ/zkRFUdeSKzyNt3tqorMK7GDv +cXdKs+qIMUbvenlH+w53ssPa6rYP760ZuFrABrfserf0kFayNXVzwT7jarJOEjnF +MBp+yi+uwQ2TnJuxczceG5FDHrII6sF6F879lP6ydY0BBZkZ9t39e/svNRieA5gU +nv/YcM/bIMY/QYmd9F0B+ebFYi+PH4AkXahNkFgK85OIaRrDGvhnxOa/5zGL7Oii +i7+J9/QHkdJGlfnRfbQ3QXM/5/umBOKG4JoFY1niZ5RVH5PT0+uCjwcqhTbnvUtf +K+N+yB2b9rEZvp2Tv4ZwYzEd9A9VsYMuZiCSbaFMk77LwVbklpnw4aHWJXJkEYmJ +vxRbcThE8FQyOoVkSuKc5OWZ2+WM/j50oblA0tCU53AauvUOZRoQBh89nHK+m5pO +XKXdYMJ+ceuLYF8h5y/cXLQMOmqLJz5l7MLqGwU0zHV+MEO8L1Fo2zEEQ4iL4BX8 +YknKXonHGQacSCaLZot2kyJVRsFSxn0PlPvHVp0YdsCMzdeiw9jAZ7K9s1WxsZGE +BrK/obipX6uxjEpyUA9mbVPljlb3R4MWI0E2xI/NM6F4Ac8Ceax3YWLT+aWCZeqi +IMLxyyWZg+i1KY8ZEzMeNTKCEI5wF1wxqr6T1/MQo+8tAgMBAAGjggFJMIIBRTAd +BgNVHQ4EFgQUcF4XP26dV+8SusoA1XXQ2TDSmdIwHwYDVR0jBBgwFoAUn6cVXQBe +Yl2D9OXSZacbUzUZ6XIwXwYDVR0fBFgwVjBUoFKgUIZOaHR0cDovL3d3dy5taWNy +b3NvZnQuY29tL3BraW9wcy9jcmwvTWljcm9zb2Z0JTIwVGltZS1TdGFtcCUyMFBD +QSUyMDIwMTAoMSkuY3JsMGwGCCsGAQUFBwEBBGAwXjBcBggrBgEFBQcwAoZQaHR0 +cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jZXJ0cy9NaWNyb3NvZnQlMjBU +aW1lLVN0YW1wJTIwUENBJTIwMjAxMCgxKS5jcnQwDAYDVR0TAQH/BAIwADAWBgNV +HSUBAf8EDDAKBggrBgEFBQcDCDAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQEL +BQADggIBAMATzg6R/A0ldO7MqGxD1VJji5yVA1hHb0Hc0Yjtv7WkxQ8iwfflulX5 +Us64tD3+3NT1JkphWzaAWf2wKdAw35RxtQG1iON3HEZ0X23nde4Kg/Wfbx5rEHkZ +9bzKnR/2N5A16+w/1pbwJzdfRcnJT3cLyawr/kYjMWd63OP0Glq70ua4WUE/Po5p +U7rQRbWEoQozY24hAqOcwuRcm6Cb0JBeTOCeRBntEKgjKep4pRaQt7b9vusT97We 
+JcfaVosmmPtsZsawgnpIjbBa55tHfuk0vDkZtbIXjU4mr5dns9dnanBdBS2PY3N3 +hIfCPEOszquwHLkfkFZ/9bxw8/eRJldtoukHo16afE/AqP/smmGJh5ZR0pmgW6Qc +X+61rdi5kDJTzCFaoMyYzUS0SEbyrDZ/p2KOuKAYNngljiOlllct0uJVz2agfczG +jjsKi2AS1WaXvOhgZNmGw42SFB1qaloa8Kaux9Q2HHLE8gee/5rgOnx9zSbfVUc7 +IcRNodq6R7v+Rz+P6XKtOgyCqW/+rhPmp/n7Fq2BGTRkcy//hmS32p6qyglr2K4O +oJDJXxFs6lwc8D86qlUeGjUyo7hVy5VvyA+y0mGnEAuA85tsOcUPlzwWF5sv+B5f +z35OW3X4Spk5SiNulnLFRPM5XCsSHqvcbC8R3qwj2w1evPhZxDuNMIIHcTCCBVmg +AwIBAgITMwAAABXF52ueAptJmQAAAAAAFTANBgkqhkiG9w0BAQsFADCBiDELMAkG +A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx +HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9z +b2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTAwHhcNMjEwOTMwMTgy +MjI1WhcNMzAwOTMwMTgzMjI1WjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz +aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv +cnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAx +MDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOThpkzntHIhC3miy9ck +eb0O1YLT/e6cBwfSqWxOdcjKNVf2AX9sSuDivbk+F2Az/1xPx2b3lVNxWuJ+Slr+ +uDZnhUYjDLWNE893MsAQGOhgfWpSg0S3po5GawcU88V29YZQ3MFEyHFcUTE3oAo4 +bo3t1w/YJlN8OWECesSq/XJprx2rrPY2vjUmZNqYO7oaezOtgFt+jBAcnVL+tuhi +JdxqD89d9P6OU8/W7IVWTe/dvI2k45GPsjksUZzpcGkNyjYtcI4xyDUoveO0hyTD +4MmPfrVUj9z6BVWYbWg7mka97aSueik3rMvrg0XnRm7KMtXAhjBcTyziYrLNueKN +iOSWrAFKu75xqRdbZ2De+JKRHh09/SDPc31BmkZ1zcRfNN0Sidb9pSB9fvzZnkXf +tnIv231fgLrbqn427DZM9ituqBJR6L8FA6PRc6ZNN3SUHDSCD/AQ8rdHGO2n6Jl8 +P0zbr17C89XYcz1DTsEzOUyOArxCaC4Q6oRRRuLRvWoYWmEBc8pnol7XKHYC4jMY +ctenIPDC+hIK12NvDMk2ZItboKaDIV1fMHSRlJTYuVD5C4lh8zYGNRiER9vcG9H9 +stQcxWv2XFJRXRLbJbqvUAV6bMURHXLvjflSxIUXk8A8FdsaN8cIFRg/eKtFtvUe +h17aj54WcmnGrnu3tz5q4i6tAgMBAAGjggHdMIIB2TASBgkrBgEEAYI3FQEEBQID +AQABMCMGCSsGAQQBgjcVAgQWBBQqp1L+ZMSavoKRPEY1Kc8Q/y8E7jAdBgNVHQ4E +FgQUn6cVXQBeYl2D9OXSZacbUzUZ6XIwXAYDVR0gBFUwUzBRBgwrBgEEAYI3TIN9 +AQEwQTA/BggrBgEFBQcCARYzaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9w +cy9Eb2NzL1JlcG9zaXRvcnkuaHRtMBMGA1UdJQQMMAoGCCsGAQUFBwMIMBkGCSsG 
+AQQBgjcUAgQMHgoAUwB1AGIAQwBBMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTAD +AQH/MB8GA1UdIwQYMBaAFNX2VsuP6KJcYmjRPZSQW9fOmhjEMFYGA1UdHwRPME0w +S6BJoEeGRWh0dHA6Ly9jcmwubWljcm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1Y3Rz +L01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNybDBaBggrBgEFBQcBAQROMEwwSgYI +KwYBBQUHMAKGPmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kvY2VydHMvTWlj +Um9vQ2VyQXV0XzIwMTAtMDYtMjMuY3J0MA0GCSqGSIb3DQEBCwUAA4ICAQCdVX38 +Kq3hLB9nATEkW+Geckv8qW/qXBS2Pk5HZHixBpOXPTEztTnXwnE2P9pkbHzQdTlt +uw8x5MKP+2zRoZQYIu7pZmc6U03dmLq2HnjYNi6cqYJWAAOwBb6J6Gngugnue99q +b74py27YP0h1AdkY3m2CDPVtI1TkeFN1JFe53Z/zjj3G82jfZfakVqr3lbYoVSfQ +JL1AoL8ZthISEV09J+BAljis9/kpicO8F7BUhUKz/AyeixmJ5/ALaoHCgRlCGVJ1 +ijbCHcNhcy4sa3tuPywJeBTpkbKpW99Jo3QMvOyRgNI95ko+ZjtPu4b6MhrZlvSP +9pEB9s7GdP32THJvEKt1MMU0sHrYUP4KWN1APMdUbZ1jdEgssU5HLcEUBHG/ZPkk +vnNtyo4JvbMBV0lUZNlz138eW0QBjloZkWsNn6Qo3GcZKCS6OEuabvshVGtqRRFH +qfG3rsjoiV5PndLQTHa1V1QJsWkBRH58oWFsc/4Ku+xBZj1p/cvBQUl+fpO+y/g7 +5LcVv7TOPqUxUYS8vwLBgqJ7Fx0ViY1w/ue10CgaiQuPNtq6TPmb/wrpNPgkNWcr +4A245oyZ1uEi6vAnQj0llOZ0dFtq0Z4+7X6gMTN9vMvpe784cETRkPHIqzqKOghi +f9lwY1NNje6CbaUFEMFxBmoQtB1VM1izoXBm8qGCAtQwggI9AgEBMIIBAKGB2KSB +1TCB0jELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT +B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEtMCsGA1UE +CxMkTWljcm9zb2Z0IElyZWxhbmQgT3BlcmF0aW9ucyBMaW1pdGVkMSYwJAYDVQQL +Ex1UaGFsZXMgVFNTIEVTTjoxNzlFLTRCQjAtODI0NjElMCMGA1UEAxMcTWljcm9z +b2Z0IFRpbWUtU3RhbXAgU2VydmljZaIjCgEBMAcGBSsOAwIaAxUAbfPR1fBX6HxY +fyPx8zYzJU5fIQyggYMwgYCkfjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz +aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv +cnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAx +MDANBgkqhkiG9w0BAQUFAAIFAOnClEYwIhgPMjAyNDA0MTIwMDU0MzBaGA8yMDI0 +MDQxMzAwNTQzMFowdDA6BgorBgEEAYRZCgQBMSwwKjAKAgUA6cKURgIBADAHAgEA +AgIkVTAHAgEAAgISQzAKAgUA6cPlxgIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgor +BgEEAYRZCgMCoAowCAIBAAIDB6EgoQowCAIBAAIDAYagMA0GCSqGSIb3DQEBBQUA +A4GBACjhO5VNAZ4M+K68yoopbRRXNkatDqiQlGGRo/28TSyoZNsfDPS9PbP8mudH 
+iZdF33as5llpEGH7q3arPBjAQzA6l/m+RbBs+Sn/sbMHSwWKFwaC9J3/tN1/KzZZ +WMhpLY36EhTg2vgw6mWqQgCCzRiXkJOe03FLMocETNDUQYeoMYIEDTCCBAkCAQEw +gZMwfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT +B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UE +AxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTACEzMAAAHg1PwfExUffl0A +AQAAAeAwDQYJYIZIAWUDBAIBBQCgggFKMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0B +CRABBDAvBgkqhkiG9w0BCQQxIgQgDu4FStwQQV5IJr8tEGfg8gGlF/nGnBCygv/Z +/nhL00cwgfoGCyqGSIb3DQEJEAIvMYHqMIHnMIHkMIG9BCDj7lK/8jnlbTjPvc77 +DCCSb4TZApY9nJm5whsK/2kKwTCBmDCBgKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYD +VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy +b3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1w +IFBDQSAyMDEwAhMzAAAB4NT8HxMVH35dAAEAAAHgMCIEIPXZ6G4PFa+g0bETF5xr +w6GJUvcLtV90GLZw7lwhz3W8MA0GCSqGSIb3DQEBCwUABIICABwmE4kR0CUYylqX +iG/hm7ezIt+1hOmbQezOCkQBc8Ko29zNzOHH4sRFcP9FD3e+B9wlDj832ZC7jsVL +y8c9kRt2msQziN/yzBgfB9D0hOXpJR7VEtPxFyOf3BRH8sS4ZMWKXNb4NK9NuNA8 +ydFQQC4TKgfiFPhZ92DQB1IUs+j6NlZnwis1B6q9zP3ix7wOjz+sOUGv8TrN7V44 +8E0OkPdLeZQaMcYMtkBIpjJUP2G+u+dPCERjDWNPH8SzSwdfxe/+0rX2YR0EO43W +eVWB0P8mtsKXP6dHVmie5NNfvfBM6cDheuAx2d7SAqWNiAvp5h+HYO0rHfpmYig8 +Rbq2/Vl42by4FahVG8yAEelVe+riOHtV1qrgeA2hTtJ/iTU5IbmWyGIbQ00s98Uc +fTM/fGj1kVhk03yyT38GTSowo1xCHCjbX/aNXR1WqXEWixLZrPWPw/blu1oYr5q9 +3khGOK7jgacSxKTQ/9a+CPm5lv6SMCtTJbdxpPSnf1vOLn9EI2o+S322oR+WXJxg +nKc/1U32u2wjDw29SFYMZvN+8RifaOHV/1TcbcD5k/YsjkYv1lw/6Sfigo2iE82P +SwWBsJdmS1jI1h02q49TFYW/aEQ6QI7bqYZgatyXqzo0wKPIp56dWJMliJ7CmHBG +nO0K5xLYtOjQNErZcXyOqvs1XDvuAAAA +-----END AUTHENTICODE SIGNATURE----- diff --git a/strip_signature.sh b/strip_signature.sh new file mode 100644 index 0000000..4362c84 --- /dev/null +++ b/strip_signature.sh @@ -0,0 +1,13 @@ +#!/bin/bash +# strip the signature from a PE binary +set -e + +infile="$1" +if [ -z "$infile" -o ! -e "$infile" ]; then + echo "USAGE: $0 file.efi" + exit 1 +fi + +outfile="${infile%.efi}-unsigned.efi" + +pesign -r -i "$infile" -o "$outfile" 
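Review bot: The argument check in strip_signature.sh, `[ -z "$infile" -o ! -e "$infile" ]`, relies on `-o` inside `[`, which POSIX marks obsolescent and which can misparse when the operand looks like a test operator. `if [ -z "$infile" ] || [ ! -e "$infile" ]; then` is unambiguous. The usage text would also be better on stderr, `echo "USAGE: $0 file.efi" >&2`, so a caller capturing stdout does not mistake it for output.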
diff --git a/timestamp.pl b/timestamp.pl
new file mode 100644
index 0000000..9a93bab
--- /dev/null
+++ b/timestamp.pl
@@ -0,0 +1,146 @@
+#!/usr/bin/perl -w
+# Copyright (c) 2012-2021 SUSE LLC
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+=head1 timestamp.pl
+
+timestamp.pl - show or set pe timestamp in file
+
+=head1 SYNOPSIS
+
+timestamp.pl [OPTIONS] FILE...
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<--set-form-file=FILE>
+
+parse timestamp, checksum, and linker version from file
+
+=item B<--help, -h>
+
+print help
+
+=back
+
+=head1 DESCRIPTION
+
+lorem ipsum ...
+
+=cut
+
+use strict;
+use Getopt::Long;
+Getopt::Long::Configure("no_ignore_case");
+use POSIX qw/strftime/;
+
+my %options;
+
+sub usage($) {
+ my $r = shift;
+ eval "use Pod::Usage; pod2usage($r);";
+ if ($@) {
+ die "cannot display help, install perl(Pod::Usage)\n";
+ }
+}
+
+GetOptions(
+ \%options,
+ "set-from-file=s",
+ "verbose|v",
+ "help|h",
+) or usage(1);
+
+usage(1) unless @ARGV;
+usage(0) if ($options{'help'});
+
+my $set_timestamp;
+my $set_checksum;
+my $set_linker;
+
+if ($options{'set-from-file'}) {
+ die "$options{'set-from-file'}: $!\n" unless open(my $fh, '<', $options{'set-from-file'});
+ while (<$fh>) {
+ chomp;
+ if (/^timestamp: ([0-9a-f]+)/) {
+ $set_timestamp = pack('L', hex($1));
+ next;
+ } elsif (/^linker: ([0-9a-f]+)/) {
+ $set_linker = pack('S', hex($1));
+ next;
+ } elsif (/^checksum: ([0-9a-f]+)/) {
+ $set_checksum = pack('S', hex($1));
+ next;
+ }
+ last if $set_timestamp && $set_checksum && $set_linker;
+ }
+ close($fh);
+ die "file didn't contain timestamp, checksum, or linker\n" unless $set_timestamp && $set_checksum && $set_linker;
+}
+
+sub do_show($)
+{
+ my $file = shift;
+ die "$file: $!\n" unless open(my $fh, '<', $file);
+ die "seek $file: $!\n" unless seek($fh, 136, 0);
+ my $value;
+ die "read $file: $!\n" unless read($fh, $value, 4);
+
+ my $timestamp = unpack('L', $value);
+ print strftime("# %Y-%m-%d %H:%M:%S\n", gmtime($timestamp));
+ printf ("timestamp: %x\n", $timestamp);
+
+ die "seek $file: $!\n" unless seek($fh, 154, 0);
+ die "read $file: $!\n" unless read($fh, $value, 2);
+
+ printf ("linker: %x\n", unpack('S', $value));
+
+ die "seek $file: $!\n" unless seek($fh, 216, 0);
+ die "read $file: $!\n" unless read($fh, $value, 2);
+
+ printf ("checksum: %x\n", unpack('S', $value));
+
+ close($fh);
+}
+
+sub do_set($)
+{
+ my $file = shift;
+ die "$file: $!\n" unless open(my $fh, '+<', $file);
+ die "seek $file: $!\n" unless seek($fh, 136, 0);
+ die "write $file: $!\n" unless print $fh $set_timestamp;
+
+ die "seek $file: $!\n" unless seek($fh, 154, 0);
+ die "write $file: $!\n" unless print $fh $set_linker;
+
+ die "seek $file: $!\n" unless seek($fh, 216, 0);
+ die "read $file: $!\n" unless print $fh $set_checksum;
+ close($fh);
+}
+
+for my $file (@ARGV) {
+ if ($options{'set-from-file'}) {
+ do_set($file);
+ } else {
+ do_show($file);
+ }
+
+}
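Review bot: do_set() and do_show() seek to the fixed offsets 136, 154 and 216 without checking that the file is a PE image whose header sits where those numbers appear to assume (a PE header at offset 128). do_set() opens the file with `'+<'` and overwrites bytes in place, so a file with any other layout would be modified silently in the wrong place. I would read the header offset from 0x3c, verify the `MZ` and `PE\0\0` magics and seek relative to the result, as sketched below. The sketch also checks `close($fh)` after the writes, since buffered write errors only surface there, and corrects the last message in do_set(), which says `read` for a failed write. Separately, the POD documents `--set-form-file` while GetOptions registers `set-from-file`, and `pack('L')`/`pack('S')` use host byte order where `'V'`/`'v'` would pin little-endian.

```perl
# Return the offset of the "PE\0\0" signature, or die if $file is not a PE image.
sub pe_offset($$)
{
    my ($fh, $file) = @_;
    my $buf;
    binmode($fh);
    die "$file: not an MZ image\n"
        unless read($fh, $buf, 2) && $buf eq 'MZ';
    die "seek $file: $!\n" unless seek($fh, 0x3c, 0);
    die "read $file: $!\n" unless read($fh, $buf, 4) && length($buf) == 4;
    my $pe = unpack('V', $buf);
    die "seek $file: $!\n" unless seek($fh, $pe, 0);
    die "$file: no PE signature at offset $pe\n"
        unless read($fh, $buf, 4) && $buf eq "PE\0\0";
    return $pe;
}

sub do_set($)
{
    my $file = shift;
    die "$file: $!\n" unless open(my $fh, '+<', $file);
    my $pe = pe_offset($fh, $file);
    die "seek $file: $!\n" unless seek($fh, $pe + 8, 0);
    # … unchanged: timestamp write; linker and checksum seeks become $pe + 26 and $pe + 88 …
    die "write $file: $!\n" unless print $fh $set_checksum;
    die "close $file: $!\n" unless close($fh);
}
```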