shim.changes: Update change log for shim-install add ca_string for

SL Micro to update fallback loader

shim-install

@@ -71,9 +71,12 @@ fi
 efi_distributor="$bootloader_id"
 bootloader_id="${bootloader_id}-secureboot"
 
+# bsc#1254336 The sl is for SL Micro. It can be removed afrer SL Micro is EoL
 case "$bootloader_id" in
     "sle"*)
         ca_string='SUSE Linux Enterprise Secure Boot CA1';;
+    "sl"*)
+        ca_string='SUSE Linux Enterprise Secure Boot CA1';;
     "opensuse"*)
         ca_string='openSUSE Secure Boot CA1';;
     *) ca_string="";;

shim.changes

@@ -1,3 +1,124 @@
+-------------------------------------------------------------------
+Tue Dec 16 09:41:56 UTC 2025 - Joey Lee <jlee@suse.com>
+
+- shim-install: Add ca_string for SL Micro to update fallback loader
+
+  The fallback loader, /boot/efi/EFI/BOOT/bootaa64.efi or bootx64.efi,
+  cannot be upgraded by shim-install on SL Micro. The issue case is
+  SL Micro 6.0. It causes that system gets regression bug because it's
+  fallback to a old shim. So this patch adds ca_string to SL Micro.
+  (bsc#1254336)
+
+-------------------------------------------------------------------
+Mon Dec 15 05:17:48 UTC 2025 - Joey Lee <jlee@suse.com>
+
+- Add DER format certificate files for the pretrans script to verify
+  that the necessary certificate is in the UEFI db
+    - openSUSE Secure Boot CA, 2013-2035
+        openSUSE_Secure_Boot_CA_2013.crt
+    - SUSE Linux Enterprise Secure Boot CA, 2013-2035
+        SUSE_Linux_Enterprise_Secure_Boot_CA_2013.crt
+    - Microsoft Corporation UEFI CA 2011, 2011-2026
+        Microsoft_Corporation_UEFI_CA_2011.crt
+    - Microsoft UEFI CA 2023, 2023-2038
+        Microsoft_UEFI_CA_2023.crt
+- shim.spec: Add a pretrans script to verify that the necessary certificate
+  is in the UEFI db.
+- Always put SUSE Linux Enterprise Secure Boot CA to target array.
+  (bsc#1254679)
+
+-------------------------------------------------------------------
+Fri Dec 12 15:03:38 UTC 2025 - Joey Lee <jlee@suse.com>
+
+- Update to 16.1
+    - RPMs
+      shim-16.1-150300.4.31.1.x86_64.rpm
+      shim-debuginfo-16.1-150300.4.31.1.x86_64.rpm
+      shim-debugsource-16.1-150300.4.31.1.x86_64.rpm
+      shim-16.1-150300.4.31.1.aarch64.rpm
+      shim-debuginfo-16.1-150300.4.31.1.aarch64.rpm
+      shim-debugsource-16.1-150300.4.31.1.aarch64.rpm
+        - submitreq: https://build.suse.de/request/show/395247
+        - repo: https://build.suse.de/package/show/SUSE:Maintenance:39913/shim.SUSE_SLE-15-SP3_Update
+    - Patches (git log --oneline --reverse 16.0..16.1)
+        4040ec4 shim_start_image(): fix guid/handle pairing when uninstalling protocols
+        39c0aa1 str2ip6(): parsing of "uncompressed" ipv6 addresses
+        3133d19 test-mock-variables: make our filter list entries safer.
+        d44405e mock-variables: remove unused variable
+        0e8459f Update CI to use ubuntu-24.04 instead of ubuntu-20.04
+        d16a5a6 SbatLevel_Variable.txt: minor typo fix.
+        32804cf Realloc() needs one more byte for sprintf()
+        431d370 IPv6: Add more check to avoid multiple double colon and illegal char
+        5e4d93c Loader Proto: make freeing of bprop.buffer conditional.
+        33deac2 Prepare to move things from shim.c to verify.c
+        030e7df Move a bunch of stuff from shim.c to verify.c
+        f3ddda7 handle_image(): make verification conditional
+        774f226 Cache sections of a loaded image and sub-images from them.
+        eb0d20b loader-protocol: handle sub-section loading for UKIs
+        2f64bb9 loader-protocol: add workaround for EDK2 2025.02 page fault on FreePages
+        1abc7ca loader-protocol: NULL output variable in load_image on failure
+        fb77b44 Generate Authenticode for the entire PE file
+        b86b909 README: mention new loader protocol and interaction with UKIs
+        8522612 ci: add mkosi configuration and CI
+        9ebab84 mkosi workflow: fix the branch name for main.
+        72a4c41 shim: change automatically enable MOK_POLICY_REQUIRE_NX
+        a2f0dfa This is an organizational patch to move some things around in mok.c
+        54b9946 Update to the shim-16.1 branch of gnu-efi to get AsciiSPrint()
+        a5a6922 get_max_var_sz(): add more debugging for apple platforms
+        77a2922 Add a "VariableInfo" variable to mok-variables.
+        efc71c9 build: Avoid passing *FLAGS to sub-make
+        7670932 Fixes for 'make TOPDIR=... clean'
+        13ab598 add SbatLevel entry 2025051000 for PSA-2025-00012-1
+        617aed5 Update version to 16.1~rc1
+        d316ba8 format_variable_info(): fix wrong size test.
+        f5fad0e _do_sha256_sum(): Fix missing error check.
+        3a9734d doc: add howto for running mkosi locally
+        ced5f71 mkosi: remove spurious slashes from script
+        0076155 ci: update mkosi commit
+        5481105 fix http boot
+        121cddf loader-protocol: Handle UnloadImage after StartImage properly
+        6a1d1a9 loader-protocol: Fix memory leaks
+        27a5d22 gitignore: add more mkosi dirs and vscode dir
+        346ed15 mkosi: disable repository key check on Fedora
+        afc4955 Update version to 16.1
+    - 16.1 release note https://github.com/rhboot/shim/releases
+            shim_start_image(): fix guid/handle pairing when uninstalling protocols by @vathpela in #738
+            Fix uncompressed ipv6 netboot by @hrvach in #742
+            fix test segfaults caused by uninitialized memory by @Fabian-Gruenbichler in #739
+            Update CI to use ubuntu-24.04 instead of ubuntu-20.04 by @vathpela in #749
+            SbatLevel_Variable.txt: minor typo fix. by @vathpela in #751
+            Realloc() needs to allocate one more byte for sprintf() by @dennis-tseng99 in #746
+            IPv6: Add more check to avoid multiple double colon and illegal char by @dennis-tseng99 in #753
+            Loader proto v2 by @vathpela in #748
+            loader-protocol: add workaround for EDK2 2025.02 page fault on FreePages by @bluca in #750
+            Generate Authenticode for the entire PE file by @esnowberg in #604
+            README: mention new loader protocol and interaction with UKIs by @bluca in #755
+            ci: add mkosi configuration and CI by @bluca in #764
+            shim: change automatically enable MOK_POLICY_REQUIRE_NX by @vathpela in #761
+            Save var info by @vathpela in #763
+            build: Avoid passing *FLAGS to sub-make by @rosslagerwall in #758
+            Fixes for 'make TOPDIR=... clean' by @bluca in #762
+            add SbatLevel entry 2025051000 for PSA-2025-00012-1 by @Fabian-Gruenbichler in #766
+            Coverity fixes 20250804 by @vathpela in #767
+            ci: fixlets and docs for mkosi workflow by @bluca in #768
+            fix http boot by @jsetje in #770
+            Fix double free and leak in the loader protocol by @rosslagerwall in #769
+            gitignore: add more mkosi dirs and vscode dir by @bluca in #771
+    - Drop upstreamed patch:
+      The following patches are merged to 16.1
+        - shim-alloc-one-more-byte-for-sprintf.patch
+            - 32804cf5d9 Realloc() needs one more byte for sprintf()    [16.1]
+        - shim-change-automatically-enable-MOK_POLICY_REQUIRE_NX.patch (bsc#1205588)
+            - 72a4c41877 shim: change automatically enable MOK_POLICY_REQUIRE_NX [16.1]
+- Building MokManager.efi and fallback.efi with POST_PROCESS_PE_FLAGS=-n (bsc#1205588)
+- Building with the latest version of gcc in the codebase:
+    - The gcc13 can workaround dxe_get_mem_attrs() hsi_status problem
+    - We prefer that building shim with the latest version of gcc in codebase.
+    - Set the minimum version is gcc-13.
+  (bsc#1247432)
+- SLE shim should includes vendor-dbx-sles.esl instead of
+  vendor-dbx-opensuse.esl. Fixed it in shim.spec.
+
 -------------------------------------------------------------------
 Tue Apr 22 20:39:33 UTC 2025 - Eugenio Paolantonio <eugenio.paolantonio@suse.com>
 

shim.spec

@@ -29,22 +29,35 @@
 %endif
 
 Name:           shim
-Version:        15.8
+Version:        16.1
 Release:        0
 Summary:        UEFI shim loader
 License:        BSD-2-Clause
 Group:          System/Boot
 URL:            https://github.com/rhboot/shim
-Source:         shim-15.8-150300.4.20.2.x86_64.rpm
-Source1:        shim-debuginfo-15.8-150300.4.20.2.x86_64.rpm
-Source2:        shim-debugsource-15.8-150300.4.20.2.x86_64.rpm
-Source3:        shim-15.8-150300.4.20.2.aarch64.rpm
-Source4:        shim-debuginfo-15.8-150300.4.20.2.aarch64.rpm
-Source5:        shim-debugsource-15.8-150300.4.20.2.aarch64.rpm
+Source:		shim-16.1-150300.4.31.1.x86_64.rpm
+Source1:	shim-debuginfo-16.1-150300.4.31.1.x86_64.rpm
+Source2:	shim-debugsource-16.1-150300.4.31.1.x86_64.rpm
+Source3:	shim-16.1-150300.4.31.1.aarch64.rpm
+Source4:	shim-debuginfo-16.1-150300.4.31.1.aarch64.rpm
+Source5:	shim-debugsource-16.1-150300.4.31.1.aarch64.rpm
 Source6:        shim-install
+# Certificates Used to Verify the Shim (DER format)
+# SUSE CA is also built-in to the shim via VENDOR_CERT_FILE
+# openSUSE Secure Boot CA, 2013-2035
+Source11:	openSUSE_Secure_Boot_CA_2013.crt
+# SUSE Linux Enterprise Secure Boot CA, 2013-2035
+Source12:	SUSE_Linux_Enterprise_Secure_Boot_CA_2013.crt
+# Microsoft Corporation UEFI CA 2011, 2011-2026
+Source13:	Microsoft_Corporation_UEFI_CA_2011.crt
+# Microsoft UEFI CA 2023, 2023-2038
+Source14:	Microsoft_UEFI_CA_2023.crt
 #BuildRequires:	shim-susesigned
 BuildRequires:  fde-tpm-helper-rpm-macros
 BuildRequires:  update-bootloader-rpm-macros
+BuildRequires:  openssl >= 0.9.8
+# we need xxd in global macro in shim.spec
+BuildRequires:  vim
 Requires:       perl-Bootloader
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 # For shim-install script
@@ -54,6 +67,18 @@ Requires:       grub2-efi
 %endif
 ExclusiveArch:  x86_64 aarch64
 
+# subject hash of openSUSE/SLE/devel certificates for identifying devel project
+%global prjissuer_hash %(test -f %{_sourcedir}/_projectcert.crt && openssl x509 -in %{_sourcedir}/_projectcert.crt -inform PEM -noout -issuer_hash 2>/dev/null || echo "PRJ_ISSUER_NOT_FOUND")
+%global prjsubjec_hash %(test -f %{_sourcedir}/_projectcert.crt && openssl x509 -in %{_sourcedir}/_projectcert.crt -inform PEM -noout -subject_hash 2>/dev/null || echo "PRJ_SUBJECT_NOT_FOUND")
+%global opensusesubject_hash %(openssl x509 -in %{SOURCE11} -inform DER -noout -subject_hash 2>/dev/null)
+%global slessubject_hash %(openssl x509 -in %{SOURCE12} -inform DER -noout -subject_hash 2>/dev/null)
+# Hex content of certs (DER format) will be used in the TARGET_CERT_HEXES array in pretrans script
+%global opensuse_ca_hex %(xxd -p %{SOURCE11} | tr -d '\\n')
+%global sles_ca_hex %(xxd -p %{SOURCE12} | tr -d '\\n')
+%global microsoft_ca_hex %(xxd -p %{SOURCE13} | tr -d '\\n')
+%global microsoft_ca_2023_hex %(xxd -p %{SOURCE14} | tr -d '\\n')
+%global prjcert_hex %(test -f %{_sourcedir}/_projectcert.crt && (openssl x509 -in %{_sourcedir}/_projectcert.crt -outform DER -out - | xxd -p | tr -d '\\n') 2>/dev/null)
+
 %description
 shim is a trivial EFI application that, when run, attempts to open and
 execute another application.
@@ -103,6 +128,190 @@ rm -rf %{buildroot}/usr/lib64/efi
 # Install the updated shim-install
 install -m 755 %{SOURCE6} %{buildroot}/%{_sbindir}
 
+# This pretrans Lua script is directly copied from openSUSE:Factory/shim/shim.spec
+# Please remember to sync this script if it be modified
+%pretrans -n shim -p <lua>
+-- Using Lua
+print("INFO: Current Lua Version: " .. tostring(_VERSION))
+
+-- ==========================================================================================
+-- This pretrans script verifies that the UEFI db should have the necessary certificate to
+-- allow the shim binary to boot.
+-- The installation will be aborted if the db is missing the target certificate. To proceed,
+-- the user must enroll the target certificate in the db or disable UEFI Secure Boot.
+-- ==========================================================================================
+
+local db_filename = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
+
+-- The db file existence check
+local f_check, err_check = io.open(db_filename, "rb")
+
+if not f_check then
+    print("WARNING: Attempt to open db EFI variable file failed. Error message: " .. tostring(err_check))
+    print("WARNING: This usually means the system is not booted in UEFI mode. Skipping all db check steps.")
+    return 0
+end
+f_check:close()
+
+-- ==========================================================================================
+-- This is the hardcoded target certificate content used to check for its existence.
+-- HEX_CONTENT=$(xxd -p taget_certificate.der | tr -d '\n') && echo "$HEX_CONTENT"
+-- ==========================================================================================
+
+-- Only the DER format is supported
+local TARGET_CERT_HEXES = {
+    -- Always check Microsoft keys
+    -- Certificate #1, Microsoft Corporation UEFI CA 2011
+    "%{microsoft_ca_hex}",
+    -- Certificate #2, Microsoft UEFI CA 2023
+    "%{microsoft_ca_2023_hex}",
+%if "%{prjissuer_hash}" == "%{opensusesubject_hash}"
+    -- Certificate #3, openSUSE Secure Boot CA 2013
+    "%{opensuse_ca_hex}",
+%endif
+    -- Certificate #4, SUSE Linux Enterprise Secure Boot CA 2013
+    "%{sles_ca_hex}",
+%if "%{prjissuer_hash}" == "%{prjsubjec_hash}"
+    -- We put all keys for testing on devel/staging project
+    -- Certificate #3, openSUSE Secure Boot CA 2013
+    "%{opensuse_ca_hex}",
+    -- Certificate #4, SUSE Linux Enterprise Secure Boot CA 2013
+    "%{sles_ca_hex}",
+    -- Certificate #5, _projectcert.crt
+    "%{prjcert_hex}",
+%endif  # prjissuer_hash check
+}
+
+-- Check if the TARGET_CERT_HEXES array is empty
+if #TARGET_CERT_HEXES == 0 then
+    print("INFO: certificate list is empty. Skipping certificate check.")
+    -- Exiting safely as the certificate list is empty.
+    return 0
+else
+    -- Check if the Hex string for certificate is valid
+    for i, cert_hex in ipairs(TARGET_CERT_HEXES) do
+        if #cert_hex % 2 ~= 0 then
+            print("Error: The length of hard-coded hex string for certificate #" .. i .. " must be an even number.")
+            error("The Hex string is invalid. The transaction is being aborted in the pretrans script.")
+        end
+    end
+end
+
+-- =========================================================================
+-- Helper functions
+-- =========================================================================
+
+-- Convert hexadecimal string to original binary string
+local function hex_to_binary(hex)
+    local binary = ""
+    for i = 1, #hex, 2 do
+        local byte_hex = hex:sub(i, i + 1)
+        binary = binary .. string.char(tonumber(byte_hex, 16))
+    end
+    return binary
+end
+
+-- =========================================================================
+-- Main logic for checking if the db has any target certificate
+-- =========================================================================
+
+-- Read existing db contents
+local db_content = ""
+do
+    -- The db file is now confirmed to exist, open it again to read the contents
+    local f_db, err_db = io.open(db_filename, "rb")
+
+    if f_db then
+        local chunks = {}
+        local CHUNK_SIZE = 4096
+        local raw_content = ""
+        local chunk = f_db:read(CHUNK_SIZE)
+
+        while chunk do
+	    -- If an empty string is read, it means EOF has been reached and the loop is exited.
+            if chunk == "" then
+                break
+            end
+            table.insert(chunks, chunk)
+            chunk = f_db:read(CHUNK_SIZE)
+        end
+
+        raw_content = table.concat(chunks)
+
+        f_db:close()
+
+	-- Skip the first 4 bytes (EFI attributes)
+        if #raw_content > 4 then
+	    -- Truncate from the 5th byte to the end
+            db_content = string.sub(raw_content, 5)
+	    print("INFO: Successfully read existing db content")
+        else
+	    -- The file is too small or only has attributes, so it is considered blank.
+            db_content = ""
+            print("WARNING: db file content length is abnormal (<= 4 bytes). Treated as blank.")
+        end
+    end
+end
+
+-- Check all target certificates
+for i, cert_hex in ipairs(TARGET_CERT_HEXES) do
+
+    local target_binary_content = hex_to_binary(cert_hex)
+
+    -- Perform binary string matching
+    local start_pos, end_pos = db_content:find(target_binary_content, 1, true)
+
+    if start_pos then
+        -- Success: Certificate exist in db
+        -- Return 0 to allow the RPM transaction to continue
+        print("Target certificate #" .. i .. " was found in the db variable. Proceed with install.")
+        return 0
+    end
+end
+
+-- Certificate not present in db
+print("WARNING: The target certificate binary was not found in the db variable.")
+print("Please add the appropriate certificate to the db or disable UEFI secure boot.")
+
+-- Secure Boot status check: We only proceed with installation if the certificate is not present in the db and Secure Boot is disabled.
+local sb_filename = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
+
+local f_sb, err_sb = io.open(sb_filename, "rb")
+
+if not f_sb then
+    -- If the file is missing, it typically means the system is not UEFI, or Secure Boot is disabled/the variable is absent.
+    print("WARNING: SecureBoot EFI variable file does not exist. Proceed with install.")
+else
+    local raw_content_sb = ""
+    local sb_status = 0
+
+    -- Read file contents
+    local chunk_sb = f_sb:read(4096)
+    while chunk_sb do
+        if chunk_sb == "" then break end
+        raw_content_sb = raw_content_sb .. chunk_sb
+        chunk_sb = f_sb:read(4096)
+    end
+    f_sb:close()
+
+    -- SecureBoot status check
+    if #raw_content_sb >= 5 then
+	-- Skip the first 4-byte attribute header and read the 5th byte (status byte)
+        sb_status = string.byte(raw_content_sb, 5)
+
+        if sb_status == 0x00 then
+            print("INFO: Since Secure Boot is DISABLED, proceed with install.")
+            return 0
+        elseif sb_status == 0x01 then
+	    error("Fatal error: Secure Boot is ENABLED (status = 0x01), but the target certificate was not found in the db. Aborting installation.")
+        else
+            error("Fatal error: Secure Boot status is unrecognized (0x" .. string.format("%02x", sb_status) .. "). Aborting installation.")
+        end
+    else
+	error("Fatal error: SecureBoot variable content is too short to determine status. Aborting installation.")
+    end
+end
+
 %post
 %if 0%{?fde_tpm_update_post:1}
 %fde_tpm_update_post shim