Accepting request 1146844 from home:joeyli:branches:devel:openSUSE:Factory

Sync shim.spec and changelog between openSUSE:Factory/shim with SLE-15-SP3/shim OBS-URL: https://build.opensuse.org/request/show/1146844 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=209
2024-02-15 13:09:03 +00:00 · 2024-02-15 13:09:03 +00:00 · e7152e6c04
commit e7152e6c04
parent 05ae7fe0d8
2 changed files with 63 additions and 2 deletions
--- a/shim.changes
+++ b/shim.changes
@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Thu Feb 15 09:46:09 UTC 2024 - Joey Lee <jlee@suse.com>
+
+- Sometimes SLE shim signature be Microsoft updated before openSUSE shim
+  signature. When submit request on IBS for updating SLE shim, the submitreq
+  project be generated, but it always be blocked by checking the signature
+  of openSUSE shim.
+  It doesn't make sense checking openSUSE shim signature when building
+  SLE shim on SLE platform, and vice versa. So the following change adds the
+  logic to compare suffix (sles, opensuse) with distro_id (sle, opensuse).
+  When and only when hash mismatch and distro_id match with suffix, stop
+  building.
+        # compare suffix (sles, opensuse) with distro_id (sle, opensuse)
+        # when hash mismatch and distro_id match with suffix, stop building 
+- Sync the changelog between openSUSE:Factory/shim with SLE-15-SP3/shim
+    - Add CVE-2022-28737 number to "Mon Mar 27 09:26:02 UTC 2023" record
+    - Add "Thu Apr 13 05:28:10 UTC 2023" record for updating shim-install
+      for bsc#1210382.
+    - Add "Thu Apr 13 09:13:22 UTC 2023" record for changing the logic of
+      checking shim signature. 
+
 -------------------------------------------------------------------
 Wed Feb  7 08:54:52 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>

@ -123,6 +144,42 @@ Mon May 15 03:28:47 UTC 2023 - Gary Ching-Pang Lin <glin@suse.com>
    72830120e5ea  cryptodisk: support TPM authorized policies
    49e7a0d307f3  Do not use tpm_record_pcrs unless the command is in command.lst

+-------------------------------------------------------------------
+Thu Apr 13 09:13:22 UTC 2023 - Joey Lee <jlee@suse.com>
+
+- Sometimes SLE shim signature be Microsoft updated before openSUSE shim
+  signature. When submit request on IBS for updating SLE shim, the submitreq
+  project be generated, but it always be blocked by checking the signature
+  of openSUSE shim.
+  It doesn't make sense checking openSUSE shim signature when building
+  SLE shim on SLE platform, and vice versa. So the following change adds the
+  logic to compare suffix (sles, opensuse) with distro_id (sle, opensuse).
+  When and only when hash mismatch and distro_id match with suffix, stop
+  building.
+        # compare suffix (sles, opensuse) with distro_id (sle, opensuse)
+        # when hash mismatch and distro_id match with suffix, stop building 
+
+-------------------------------------------------------------------
+Thu Apr 13 05:28:10 UTC 2023 - Joey Lee <jlee@suse.com>
+
+- Upgrade shim-install for bsc#1210382
+  After closing Leap-gap project since Leap 15.3, openSUSE Leap direct
+  uses shim from SLE. So the ca_string is 'SUSE Linux Enterprise Secure Boot
+  CA1', not 'openSUSE Secure Boot CA1'. It causes that the update_boot=no,
+  so all files in /boot/efi/EFI/boot are not updated.
+
+  The 86b73d1 patch added the logic that using ID field in os-release for
+  checking Leap distro and set ca_string to 'SUSE Linux Enterprise Secure
+  Boot CA1'. Then /boot/efi/EFI/boot/* can also be updated.
+- https://github.com/SUSE/shim-resources (git log --oneline)
+	86b73d1 Fix that bootx64.efi is not updated on Leap
+	f2e8143 Use the long name to specify the grub2 key protector
+	7283012 cryptodisk: support TPM authorized policies
+	49e7a0d Do not use tpm_record_pcrs unless the command is in command.lst
+	26c6bd5 Have grub take a snapshot of "relevant" TPM PCRs
+	5c2c3ad Handle different cases of controlling cryptomount volumes during first stage boot
+	a5c5734 Introduce --no-grub-install option
+
 -------------------------------------------------------------------
 Mon Apr 10 05:04:33 UTC 2023 - Joey Lee <jlee@suse.com>

@ -135,7 +192,7 @@ Mon Apr 10 05:04:33 UTC 2023 - Joey Lee <jlee@suse.com>
 Mon Mar 27 09:26:02 UTC 2023 - Joey Lee <jlee@suse.com>

 - Updated shim signature after shim 15.7 of SLE be signed back:
-  signature-sles.x86_64.asc, signature-sles.aarch64.asc (bsc#1198458)
+  signature-sles.x86_64.asc, signature-sles.aarch64.asc (bsc#1198458, CVE-2022-28737)

 -------------------------------------------------------------------
 Thu Jan 12 07:00:19 UTC 2023 - Joey Lee <jlee@suse.com>
--- a/shim.spec
+++ b/shim.spec
@ -240,7 +240,11 @@ for suffix in "${suffixes[@]}"; do
 	if ! cmp -s hash1 hash2; then
 		echo "ERROR: $suffix binary changed, need to request new signature!"
 %if %{defined shim_enforce_ms_signature} && 0%{?shim_enforce_ms_signature} > 0
-		false
+		# compare suffix (sles, opensuse) with distro_id (sle, opensuse)
+		# when hash mismatch and distro_id match with suffix, stop building 
+		if test "$suffix" = "$distro_id" || test "$suffix" = "${distro_id}s"; then
+			false
+		fi
 %endif
 		mv shim.efi.bak shim-$suffix.efi
 		rm shim.efi