47 Commits

Author SHA256 Message Date
23696729d5 shim.changes: Update change log for Fixed some issues in RPM Macro
and pretrans lus script with the old  rpm-4.14.3 on SLE-15-SP3
2025-11-28 16:35:03 +08:00
9ba7595340 shim.spec: Use io.open instead of pcall rpm.open in pretrans lua script
With the rpm-4.14.3 on SLE-15-SP3, using rpm.open through pcall can
not access the db and SecureBoot efi variable files. We got the
following message when the pretrans lua script is running:

WARNING: Attempt to open db EFI variable file failed. Error message:
attempt to call a nil value

Using io.open instead of pcall(rpm.open can workaround this issue.
2025-11-28 14:33:01 +08:00
2a0ca4d82b shim.spec: Workaround the string comparison issue in elif directive
With the rpm-4.14.3 on SLE-15-SP3, the string comparison in elif
directive has problem. It causes that the certificate block in the
elif-endif to disappear permanently, regardless of whether the
comparison succeeds or fails.

This change can also workaround the issue that elif can not handle
special issue_hash/subject_hash from 'openSUSE Secure Boot Signkey':

shim> openssl x509 -in factory-secure-boot.crt -inform PEM -noout -subject_hash
babd5674
shim> openssl x509 -in factory-secure-boot.crt -inform PEM -noout -issuer_hash
d29860c3

Directlly put to global define in shim.spec can reproduce issue:
global prjissuer_hash d29860c3
global prjsubjec_hash babd5674

This patch changed codes by using if-endif instead of elif-endif to
workaround the above two problems
2025-11-28 11:18:47 +08:00
d33006b0e0 shim.spec: Specify the certificate format in openssl commands
The old openssl in SLE-15-SP3 assumes the format of input
certificate is PEM. In d279b0c453 patch, we converted the SUSE
certificates from PEM to DER format for using by Lua in pretrans
script. It causes the openssl command to fail with old openssl.
So we specify the certificate format in openssl commands.
2025-11-27 18:56:46 +08:00
aa888406ee shim.changes: Update change log for adding Microsoft-signed 16.1 shim 2025-11-26 15:51:58 +08:00
afcba83ba7 shim.spec: Temporarily disable nx-shim
We still need time to test nx (non-executable) shim and develop
the script for delivery. We will not support nx-shim on all Leap
and SLE distros because the function should also be supported by
grub2 and kernel.

A shim_nx macro flag be added to shim.spec to block all sections
for building shim-nx package.
2025-11-26 15:29:34 +08:00
204009db90 Add Microsoft-signed 16.1 shim
Add Microsoft-signed 16.1 shim for openSUSE and SLE which includes
x86_64 and aarch64 versions
2025-11-26 14:15:45 +08:00
bca01ceeb2 shim.spec: directly package Microsoft-signed shim
Directly package Microsoft-signed shim when the version of shim
equals with the version of devel shim. The Microsoft-signed shim
can be directly deliveied because we build the binary before and
have the log (shim-review) to prove it.

When the version of build service built shim (aka. devel shim)
does NOT equal to the version of Microsoft-signed shim, it means
we are developing a new shim. We package devel shim instead of
Microsoft-signed shim. The devel shim binary will also be the
candidate for next shim-review.
2025-11-26 14:04:42 +08:00
b9bbafe2c8 shim.spec: Remove the reproducibility check for the shim binary
Remove the reproducibility check for the shim binary before attacing
Microsoft signature. The binutils on Leap 15.6 and SLE-15-SP3 has been
upgraded to 2.45 when we are waiting shim-review and Microsoft signing.
It causes that the shim binary is NOT reproducible on build services.
Which means that the signature of shim from Microsoft can not be
attached on rebuilt shim.

The original design is extract signature from the Microsoft signed back
shim, rebuild shim binary, check the pesign hash of rebuilt shim and
attach Microsoft signature. But in past years, we got at least two times
the bulid service environment be changed when waiting shim-review.
Microsoft doesn't resign shim binary because SUSE build environment be
changed.

In the discussion with Johannes Segitz, he raised the idea from Ludwig
Nussel that we just direct use the Microsoft signed-back shim binaries
because we build this binary before and have the logs to prove it.

Before we find a good approach to save/restore the build service
environment, let’s directly use the Microsoft signed-back shim for
delivery.

This patch removes the reproducibility check logic and all *.asc
signature files.
2025-11-26 00:41:23 +08:00
be10e5ccf5 shim.spec: Improve the target certificates array in pretrans script
For checking Microsoft CA keys in UEFI db, let's add
Microsoft_Corporation_UEFI_CA_2011.crt and Microsoft_UEFI_CA_2023.crt
to the target certificates array (TARGET_CERT_HEXES) in pretrans script.
Because shim 16.1 will be signed by them. This is a transitional period
from MS 2011 key to MS 2023 key. We will receive two MS signatures.

On the other hand, in order to pass the QA test on the devel/staging
project. We also add _projectcert.crt key to TARGET_CERT_HEXES. It's
useful for testing our pretrans lua script on staging project.
2025-11-18 00:21:22 +08:00
a8afdafbaf Certificates: Add Microsoft UEFI CA files
Add Microsoft UEFI

The download links are from Microsoft document:

Windows Secure Boot Key Creation and Management Guidance, 05/19/2022
https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance?view=windows-11

------------------------------------------------------------------------
1. Microsoft Corporation UEFI CA 2011
    SHA-1 cert hash: 46DEF63B5CE61CF8BA0DE2E6639C1019D0ED14F3.
    SignatureOwner GUID: {77fa9abd-0359-4d32-bd60-28f4e78f784b}.
    Microsoft will provide the certificate to partners and it can be
added either as an EFI_CERT_X509_GUID or an EFI_CERT_RSA2048_GUID type
signature.
    The Microsoft Corporation UEFI CA 2011 can be downloaded from here:
https://go.microsoft.com/fwlink/p/?linkid=321194.

2. Microsoft UEFI CA 2023
    SHA-1 cert hash: B5EEB4A6706048073F0ED296E7F580A790B59EAA.
    SignatureOwner GUID: {77fa9abd-0359-4d32-bd60-28f4e78f784b}.
    Microsoft will provide the certificate to partners and it can be
added either as an EFI_CERT_X509_GUID or an EFI_CERT_RSA2048_GUID type
signature.
    The Microsoft UEFI CA 2023 can be downloaded from here:
https://go.microsoft.com/fwlink/?linkid=2239872.
------------------------------------------------------------------------

Those two Microsoft certificates will be used in TARGET_CERT_HEXES array
in pretrans script for checking UEFI db has necessary public key before
shim installation is started.
2025-11-17 23:32:10 +08:00
d279b0c453 Certificates: Convert the SUSE certificates from PEM to DER format
OVMF and shim only support DER the format. We will also use pretrans script
to check necessary certificates in the UEFI db to verify shim.
2025-11-17 19:53:45 +08:00
a6485e1d93 shim.changes: Fix typo 2025-11-17 18:52:13 +08:00
7378d6ad88 shim.spec: Reorder the source files
We will put more certificates for checking in installation stage. And
We will also include more signature asc files from Microsoft UEFI CA
2023 key. Therefore, the source files were reordered to facilitate
subsequent development. No functional updates.
2025-11-17 18:33:04 +08:00
44b75cefd8 timestamp.pl: fix the size of checksum in PE Optional Header
Base on Microsoft Portable Executable and Common Object File
Format Specification (Revision 10 – June 15, 2016), the size
of CheckSum in Optional Header is 4 bytes. But temstamp.pl
read and write the CheckSum by 2 bytes. This patch fixes this
size issue.

For a long time, the incorrect size of CheckSum in SUSE shim
did not cause any errors in shim/shim-review. This fact implicitly
confirms that CheckSum is useless for shim boot loader. We didn't
see any Windows loader attempting to load shim.

But I still keep CheckSum in timestamp in case there are any use
case haven't discovered yet.
2025-11-17 17:03:51 +08:00
31c000ebae Add a pretrans script to verify that the necessary certificate is in the UEFI db
Signed-off-by: Chun-Yi Lee <jlee@suse.com>
2025-10-14 00:47:16 +08:00
aa93d6da2e Accepting request 1300222 from devel:openSUSE:Factory
OBS-URL: https://build.opensuse.org/request/show/1300222
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shim?expand=0&rev=133
2025-08-20 11:25:09 +00:00
8a094dabf9 Removed two patches because they are merged to shim 16.1
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=230
2025-08-19 07:50:35 +00:00
6dc4e55076 Update to 16.1
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=229
2025-08-19 06:47:04 +00:00
b26ab35e2e Accepting request 1298953 from devel:openSUSE:Factory
OBS-URL: https://build.opensuse.org/request/show/1298953
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shim?expand=0&rev=132
2025-08-13 14:23:00 +00:00
eb1ced8475 SLE shim should includes vendor-dbx-sles.esl instead of vendor-dbx-opensuse.esl
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=228
2025-08-12 03:09:17 +00:00
c4f6186bec Accepting request 1297873 from devel:openSUSE:Factory
OBS-URL: https://build.opensuse.org/request/show/1297873
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shim?expand=0&rev=131
2025-08-07 14:48:24 +00:00
ec10240d7d Building with the latest version of gcc in the codebase (bsc#1247432)
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=227
2025-08-06 06:39:11 +00:00
a21b86b1b9 Add revoked-openSUSE-UEFI-SIGN-Certificate-2022-06.crt
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=226
2025-08-03 15:23:10 +00:00
9df054b2af Accepting request 1296812 from devel:openSUSE:Factory
OBS-URL: https://build.opensuse.org/request/show/1296812
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shim?expand=0&rev=130
2025-08-01 20:40:03 +00:00
2e9102bfde Add shim-disable-dxe-get-mem-attrs.patch (bsc#1247432)
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=225
2025-07-31 13:00:46 +00:00
4746dbe081 Removed pre script in shim package for checking UEFI db has valid key for shim because it will interrupt group update of RPMs
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=224
2025-07-28 16:41:26 +00:00
d29b2b2cc6 Add pre script to shim package for checking UEFI db has valid key for shim.
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=223
2025-07-27 05:23:54 +00:00
c999685b44 Accepting request 1295680 from devel:openSUSE:Factory
OBS-URL: https://build.opensuse.org/request/show/1295680
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shim?expand=0&rev=129
2025-07-26 11:39:46 +00:00
b7c7f7042a Building out shim.nx.efi for supporting non-executable (bsc#1205588)
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=222
2025-07-25 06:37:09 +00:00
5c02720025 Accepting request 1291309 from devel:openSUSE:Factory
OBS-URL: https://build.opensuse.org/request/show/1291309
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shim?expand=0&rev=128
2025-07-09 15:26:23 +00:00
b078c5cf79 Replace shim-16.0.tar.bz2 by upstream tarball
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=221
2025-07-08 14:45:51 +00:00
3f64394ee8 Accepting request 1285933 from devel:openSUSE:Factory
OBS-URL: https://build.opensuse.org/request/show/1285933
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shim?expand=0&rev=127
2025-06-17 16:20:14 +00:00
cca66ed8c7 bugowner: dtseng\nSubmitting for upgrading shim to v16.0 (bsc#1240871)
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=220
2025-06-16 03:45:08 +00:00
8da6aa4679 Accepting request 1281737 from devel:openSUSE:Factory
OBS-URL: https://build.opensuse.org/request/show/1281737
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shim?expand=0&rev=126
2025-06-03 15:50:11 +00:00
05905a4760 bugowner: dtseng\nSubmitting for upgrading shim to v16.0 (bsc#1240871)
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=219
2025-06-02 05:53:58 +00:00
6ff4187e10 Accepting request 1276758 from devel:openSUSE:Factory
OBS-URL: https://build.opensuse.org/request/show/1276758
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shim?expand=0&rev=125
2025-05-13 18:12:10 +00:00
23fef8ea41 bugowner: dtseng\nSubmitting for upgrading shim to v16.0 (bsc#1240871)
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=218
2025-05-12 07:55:45 +00:00
2c76119d92 Accepting request 1232808 from devel:openSUSE:Factory
undefine %_enable_debug_packages to fix building with rpm-4.20

OBS-URL: https://build.opensuse.org/request/show/1232808
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shim?expand=0&rev=124
2025-01-31 15:01:53 +00:00
cb2d0c2d89 - undefine %_enable_debug_packages to fix building with rpm-4.20
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=217
2024-12-20 10:36:18 +00:00
cbf49f2693 Accepting request 1219481 from devel:openSUSE:Factory
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/1219481
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shim?expand=0&rev=123
2024-10-31 15:09:15 +00:00
f78b88d606 Accepting request 1201941 from home:gary_lin:branches:devel:openSUSE:Factory
- Update shim-install to limit the scope of the 'removable'
  SL-Micro to the image booting with TPM2 unsealing (bsc#1210382)
  * 769e41d Limit the removable option to encrypted SL-Micro

OBS-URL: https://build.opensuse.org/request/show/1201941
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=216
2024-10-15 02:08:00 +00:00
fb4f6ece94 Accepting request 1201684 from devel:openSUSE:Factory
OBS-URL: https://build.opensuse.org/request/show/1201684
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shim?expand=0&rev=122
2024-09-18 13:26:07 +00:00
e246151428 Accepting request 1201364 from home:gary_lin:branches:devel:openSUSE:Factory
- Update shim-install to apply the missing fix for openSUSE Leap
  (bsc#1210382)
  * 86b73d1 Fix that bootx64.efi is not updated on Leap
- Update shim-install to use the 'removable' way for SL-Micro
  (bsc#1230316)
  * 433cc4e Always use the removable way for SL-Micro

OBS-URL: https://build.opensuse.org/request/show/1201364
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=215
2024-09-18 04:26:12 +00:00
2a80121e13 Accepting request 1184771 from devel:openSUSE:Factory
OBS-URL: https://build.opensuse.org/request/show/1184771
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shim?expand=0&rev=121
2024-07-02 16:15:29 +00:00
Tseng
e6086c9560 Accepting request 1184770 from home:dtseng:branches:devel:openSUSE:Factory
bugowner: dtseng
Submitting for updating asc files after being signed back from Microsoft

OBS-URL: https://build.opensuse.org/request/show/1184770
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=214
2024-07-02 05:35:57 +00:00
Tseng
fe5c6d29be Accepting request 1183124 from home:dtseng:branches:devel:openSUSE:Factory
bugowner: dtseng
Submitting for updating asc files after being signed back from Microsoft

OBS-URL: https://build.opensuse.org/request/show/1183124
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=213
2024-06-25 09:12:15 +00:00
38 changed files with 2163 additions and 197 deletions

25
SIGNATURE_UPDATE.txt Normal file
View File

@@ -0,0 +1,25 @@
==== openSUSE ====
For openSUSE, the devel project of shim is devel:openSUSE:Factory. ALWAYS
use the latest Leap to build shim-opensuse.efi for UEFI CA. Tumbleweed
shares the same binary with Leap, so do the older Leap releases.
The steps to udpate signature-opensuse.asc:
1) Branch devel:openSUSE:Factory/shim.
2) Add the latest Leap, e.g. 42.2, to the build target.
3) Build shim-opensuse.efi against the latest Leap.
4) Strip the signature from shim-opensuse.efi with strip_signature.sh.
5) Send shim-opensuse.efi to UEFI CA to request a new signature.
6) Extract the signature from the signed shim.efi with extract_signature.sh
7) Update signature-opensuse.asc.
==== SLES ===
Since there is no devel project for shim in SLES, just build shim-sles.efi with
the latest SLES and then send it to UEFI CA for a new signature.
The steps to update signature-sles.asc:
1) Branch shim from the latest SLES and apply the update/fix.
2) Build shim-sles.efi against the latest SLES.
3) Strip the signature from shim-sles.efi with strip_signature.sh.
4) Send shim-sles.efi to UEFI CA to request a new signature.
5) Extract the signature from the signed shim.efi with extract_signature.sh
6) Update signature-sles.asc.

14
attach_signature.sh Normal file
View File

@@ -0,0 +1,14 @@
#!/bin/bash
# attach ascii armored signature to a PE binary
set -e
sig="$1"
infile="$2"
if [ -z "$sig" -o ! -e "$sig" -o -z "$infile" -o ! -e "$infile" ]; then
echo "USAGE: $0 sig.asc file.efi"
exit 1
fi
outfile="${infile%.efi}-signed.efi"
pesign -m "$sig" -i "$infile" -o "$outfile"

15
extract_signature.sh Normal file
View File

@@ -0,0 +1,15 @@
#!/bin/bash
# extract ascii armored signature from a PE binary
set -e
infile="$1"
if [ -z "$infile" -o ! -e "$infile" ]; then
echo "USAGE: $0 file.efi"
exit 1
fi
# wtf?
(pesign -h -P -i "$infile";
perl $(dirname $0)/timestamp.pl "$infile";
pesign -a -f -e /dev/stdout -i "$infile")|cat

22
generate-vendor-dbx.sh Normal file
View File

@@ -0,0 +1,22 @@
#!/bin/bash
set -e
# random UUID for SUSE
owner=353f0911-0788-451c-aaf7-31688391e8fd
: > vendor-dbx-opensuse.esl
: > vendor-dbx-sles.esl
# vendor dbx file with all certs for testing environment
: > vendor-dbx.esl
for cert in "$@"; do
esl="${cert##*/}"
esl="${cert%.crt}.esl"
cert-to-efi-sig-list -g "$owner" "$cert" "$esl"
case "$cert" in
*openSUSE*) cat "$esl" >> "vendor-dbx-opensuse.esl" ;;
*SLES*) cat "$esl" >> "vendor-dbx-sles.esl" ;;
esac
cat "$esl" >> "vendor-dbx.esl"
done

26
remove_build_id.patch Normal file
View File

@@ -0,0 +1,26 @@
Index: shim-15.8/gnu-efi/Make.defaults
===================================================================
--- shim-15.8.orig/gnu-efi/Make.defaults
+++ shim-15.8/gnu-efi/Make.defaults
@@ -205,7 +205,7 @@ endif
ASFLAGS += $(ARCH3264)
LDFLAGS += -nostdlib --warn-common --no-undefined --fatal-warnings \
- --build-id=sha1 --no-warn-rwx-segments
+ --no-warn-rwx-segments
ifneq ($(ARCH),arm)
export LIBGCC=$(shell $(CC) $(CFLAGS) $(ARCH3264) -print-libgcc-file-name)
Index: shim-15.8/Make.defaults
===================================================================
--- shim-15.8.orig/Make.defaults
+++ shim-15.8/Make.defaults
@@ -192,7 +192,7 @@ ifneq ($(origin SBAT_AUTOMATIC_DATE), un
DEFINES += -DSBAT_AUTOMATIC_DATE=$(SBAT_AUTOMATIC_DATE)
endif
-LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(LOCAL_EFI_PATH) -L$(LIBDIR) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) --build-id=sha1 $(ARCH_LDFLAGS) --no-undefined
+LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(LOCAL_EFI_PATH) -L$(LIBDIR) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) $(ARCH_LDFLAGS) --no-undefined
ifneq ($(DEBUG),)
export DEBUG

View File

@@ -0,0 +1,34 @@
-----BEGIN CERTIFICATE-----
MIIF/DCCA+SgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT
RSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTES
MBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3Rz
IEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxk
QHN1c2UuZGUwHhcNMTMwMTIyMTQ1ODUxWhcNMjIxMjAxMTQ1ODUxWjCBqzEyMDAG
A1UEAwwpU1VTRSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IFNpZ25rZXkx
CzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0Ug
TGludXggUHJvZHVjdHMgR21iSDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqG
SIb3DQEJARYNYnVpbGRAc3VzZS5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAOVY/g3+3Bsa1JZ2hfU+7Fy28h0CKF0Sjqy8J4m9a8yKFoY6rb4hG9MK
o4wnCJfPab9flWXRk4PFiouI+0nmLJX74U0sq8nKw3Ijl0UojuthXc6CeZH4hIF5
HDoVhig3SfkUxdT1zZVF4mcYZ3Pf+UlROJ7JpY4sEhtYMY/DJW5qv2HwrzSw427V
R1upA18U7ddMF5fKoN8vjKVihUFSNK/Up0tOWalxfcG5s9ugjbJgZULsjfcs2+8t
og46QBjTaR7CtpmPbsaOJb1Z6BGDXsHV5GmaZG00TS0BwRn8mAQ1ske1eIpcqmBN
q5Mlh6BVaufBot0nXJp9Vnnuib4napkCAwEAAaOCASwwggEoMAwGA1UdEwEB/wQC
MAAwHQYDVR0OBBYEFD+wd7bOvG/yUi4cFIxXx3fHiOPnMIHTBgNVHSMEgcswgciA
FD1NQM+ThTkCSxz8WhLe3+ixfnVfoYGspIGpMIGmMS0wKwYDVQQDDCRTVVNFIExp
bnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYD
VQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0UgTGludXggUHJvZHVjdHMgR21i
SDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqGSIb3DQEJARYNYnVpbGRAc3Vz
ZS5kZYIBATAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJ
KoZIhvcNAQELBQADggIBAFs0xW7Uzi3a52ho92ninU9yy1doEodWf8f37zmq3Kxf
v/y+mFCFuMw5zps4xyK1xfDBmVZ6f5GMolfkPnioYzKujqTgFCmKDZXjXIgHEej5
h+xzCalIYT3XT+JsmKvvZKcFMV9/py7+okEhekyFdak6WbxinisyEh6a7I+edNzB
2/dPkbIS7x2UmlFzXvAYTCwOqMwCuOWsICK/NRrPlCEdkPJFq2HU11umtZ+U4eCM
bJcCY2pqIVLxrDgRIMoUeJ7N2XIcfKlP8cHn9eHVWRd+n/v3nlJRvBjlw2d9oTm2
EB0vfpp01ihr6yvkckLwWHdrRcmiy6OmtTScAEwpMGPmBcFiHIb1nxhPbKqqw9Xb
t/y8tLRf6HvuhaApJhj3/ZBNLTLRSHk4O4DO4p3GpupPTvfxkx9cg/TxcF0kabPF
+dwu5cbRZpvBmkQ947aul0y+3QRHgIhmyqdZzC2OuL6Sl74zZc3BgsQsBFeIN4gz
YBsXtzyEVFsmSSj2ci+9JM8HCfeL0Ux7TeyoN5jAW5F7c8BSBBSSafZYUtq3DZHR
8ILtz5L7cCLkZY3da5a/csVz3zicnrAG8uiU91Jy6hVh+Y83vARz6hp8O/tX4o00
9ff5zunFUwyN3/krDEoX6dXMcSh8UftjzvFOYCUfF+cDt9eV8Ix0dcfP/cenyv/t
-----END CERTIFICATE-----

View File

@@ -0,0 +1,29 @@
-----BEGIN CERTIFICATE-----
MIIE/DCCA+SgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT
RSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTES
MBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3Rz
IEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxk
QHN1c2UuZGUwHhcNMTMwNDE4MTQzNDM0WhcNMjMwMjI1MTQzNDM0WjCBqzEyMDAG
A1UEAwwpU1VTRSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IFNpZ25rZXkx
CzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0Ug
TGludXggUHJvZHVjdHMgR21iSDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqG
SIb3DQEJARYNYnVpbGRAc3VzZS5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAOVY/g3+3Bsa1JZ2hfU+7Fy28h0CKF0Sjqy8J4m9a8yKFoY6rb4hG9MK
o4wnCJfPab9flWXRk4PFiouI+0nmLJX74U0sq8nKw3Ijl0UojuthXc6CeZH4hIF5
HDoVhig3SfkUxdT1zZVF4mcYZ3Pf+UlROJ7JpY4sEhtYMY/DJW5qv2HwrzSw427V
R1upA18U7ddMF5fKoN8vjKVihUFSNK/Up0tOWalxfcG5s9ugjbJgZULsjfcs2+8t
og46QBjTaR7CtpmPbsaOJb1Z6BGDXsHV5GmaZG00TS0BwRn8mAQ1ske1eIpcqmBN
q5Mlh6BVaufBot0nXJp9Vnnuib4napkCAwEAAaOCASwwggEoMAwGA1UdEwEB/wQC
MAAwHQYDVR0OBBYEFD+wd7bOvG/yUi4cFIxXx3fHiOPnMIHTBgNVHSMEgcswgciA
FOyrDULEVs93BDa5c5k4YpZehyYvoYGspIGpMIGmMS0wKwYDVQQDDCRTVVNFIExp
bnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYD
VQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0UgTGludXggUHJvZHVjdHMgR21i
SDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqGSIb3DQEJARYNYnVpbGRAc3Vz
ZS5kZYIBATAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJ
KoZIhvcNAQELBQADggEBAFEYo0sWgMCODHZEHWcoltp5RMcVj2DAYfw2NePbPqxW
AmIgpMU0yG01JPbwJZu6dcuNeYoytgfDrSRLuloKm0JR8oR3+G7/oxbKQCxtMubB
Qdflq7PIz73b/JSGiV5Pi77f9oAHijgnKEZrz4obs6sFp2gvuMvJ4w9jteCaofpq
IDNhu7i2KFx4rC6FYF/p6V9xnVwOnZS1G56cJALfP/7kOD4k3TVSMiE2FCS3wLwR
RI7VE0I/3oJHsi8CR++CT1BI02PI+EWgRcuW8jOzJ3+tYa77HCKpXNyIi7/L5QAK
N5ZinPyv68tae+GHkL5U2FxLY365gABSXqXUA9mTquU=
-----END CERTIFICATE-----

View File

@@ -0,0 +1,29 @@
-----BEGIN CERTIFICATE-----
MIIE/DCCA+SgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT
RSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTES
MBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3Rz
IEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxk
QHN1c2UuZGUwHhcNMTYwMjI0MTUzMDI3WhcNMjYwMTAyMTUzMDI3WjCBqzEyMDAG
A1UEAwwpU1VTRSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IFNpZ25rZXkx
CzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0Ug
TGludXggUHJvZHVjdHMgR21iSDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqG
SIb3DQEJARYNYnVpbGRAc3VzZS5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAOVY/g3+3Bsa1JZ2hfU+7Fy28h0CKF0Sjqy8J4m9a8yKFoY6rb4hG9MK
o4wnCJfPab9flWXRk4PFiouI+0nmLJX74U0sq8nKw3Ijl0UojuthXc6CeZH4hIF5
HDoVhig3SfkUxdT1zZVF4mcYZ3Pf+UlROJ7JpY4sEhtYMY/DJW5qv2HwrzSw427V
R1upA18U7ddMF5fKoN8vjKVihUFSNK/Up0tOWalxfcG5s9ugjbJgZULsjfcs2+8t
og46QBjTaR7CtpmPbsaOJb1Z6BGDXsHV5GmaZG00TS0BwRn8mAQ1ske1eIpcqmBN
q5Mlh6BVaufBot0nXJp9Vnnuib4napkCAwEAAaOCASwwggEoMAwGA1UdEwEB/wQC
MAAwHQYDVR0OBBYEFD+wd7bOvG/yUi4cFIxXx3fHiOPnMIHTBgNVHSMEgcswgciA
FOyrDULEVs93BDa5c5k4YpZehyYvoYGspIGpMIGmMS0wKwYDVQQDDCRTVVNFIExp
bnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYD
VQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0UgTGludXggUHJvZHVjdHMgR21i
SDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqGSIb3DQEJARYNYnVpbGRAc3Vz
ZS5kZYIBATAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJ
KoZIhvcNAQELBQADggEBAKMaX+dWtp9Y9SW1XvV3xc/sAURe1uZfEBcd7g+yu9ff
q/n9pbWW4gz9LtuIudi/CmltNlKHEQnB/RSgAd4VB28g7GeJNKVTn+5z7evgWUOz
tEB0tHgTfVCx6dYoIsNxT9atIVHREDPXef/s2TARKfpd77BG+X0+ZsvQe8NuooP1
B+qwl1rXR+cw46Q7dgM5XG418OPZsqHhk/AyC4/slHx65rQ//PBsgSANx8bBUr5Z
nDzy1X/0aZqB56/e2sscuhjs7IcXNftztewsNB7w4XtmOuVZpj2obAhbWshPaMLY
4PSS6JTVT/vhDJUJknm4XqbE16d0dSZPn8y1t6Ua0PM=
-----END CERTIFICATE-----

View File

@@ -0,0 +1,29 @@
-----BEGIN CERTIFICATE-----
MIIFBDCCA+ygAwIBAgIJAO2HhbeP/BJ0MA0GCSqGSIb3DQEBCwUAMIGmMS0wKwYD
VQQDDCRTVVNFIExpbnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNV
BAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0UgTGludXgg
UHJvZHVjdHMgR21iSDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqGSIb3DQEJ
ARYNYnVpbGRAc3VzZS5kZTAeFw0yMDA3MjMxNDA3MThaFw0yNDA3MjIxNDA3MTha
MIGrMTIwMAYDVQQDDClTVVNFIExpbnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3Qg
U2lnbmtleTELMAkGA1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UE
CgwYU1VTRSBMaW51eCBQcm9kdWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFt
MRwwGgYJKoZIhvcNAQkBFg1idWlsZEBzdXNlLmRlMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAwrRYIcn7XQ2/nQfdCUM7EUzIfYB5Lra03/q9nggEfUke
N5O9qmA9uFWTvgdq2Nh8hia16TawyHMFyUd/PsdU2/pVydC6+OGDxE1sRJvu0pzP
3wvr+QQXnDjBYon+AGkuw/K8baUInl/1He2idCIB7pH3tGjj6jcorK70yZHU5Hl1
UwuQXlfQpG3zEJy1yZ7fg3RxAQ/716BOy1CceK0qCLi/qgR8w5GE92Xg1CHZe62u
I+9EmhXBbY2UcsfxRGEtdCU55L0R/MtHztfVHZw9Vazw8rCCvBjwPOxxjUx5It5N
yG0JaYXgAXqRXE88Gwo9VlEWNOKrC0vUUfxA63IZ0wIDAQABo4IBLDCCASgwDAYD
VR0TAQH/BAIwADAdBgNVHQ4EFgQUSrDGl8kQcydsJ97/PCIPsAfh3mEwgdMGA1Ud
IwSByzCByIAU7KsNQsRWz3cENrlzmThill6HJi+hgaykgakwgaYxLTArBgNVBAMM
JFNVU0UgTGludXggRW50ZXJwcmlzZSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMC
REUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UECgwYU1VTRSBMaW51eCBQcm9k
dWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFtMRwwGgYJKoZIhvcNAQkBFg1i
dWlsZEBzdXNlLmRlggEBMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEF
BQcDAzANBgkqhkiG9w0BAQsFAAOCAQEAazJCs7IIjYUma9ZT1NLJZ7QSy/d6oAaW
E6JI1u3LHancnU3kXH19U7z1mni74OQdlsbIyfddR+AIvIu1RrepQ6BHNVrXO90J
LxvORpholbgeXk/FdIHWFu6AhL2jg8UM4Jxq/P3FxckGj25LxCPgd5C/L5ITufhf
1yPQ3CDxqfUiqlfdrQCROJ21sErLoYXoZim5pd1kT5vimyVrdaLM7eTq6G5LbKZ3
/TqRXPpVzwZGXXeZvM5s55kGKqNTUIZ2Cft5g9CBkRZujJ5gLGToxUHYbb6Fj5UT
Xr5Yh68j1IgvhQz+abALb/87Z3r2V+BWh1icc0rnCli1ulmZMd0H8A==
-----END CERTIFICATE-----

View File

@@ -0,0 +1,29 @@
-----BEGIN CERTIFICATE-----
MIIFBDCCA+ygAwIBAgIJAO2HhbeP/BJ+MA0GCSqGSIb3DQEBCwUAMIGmMS0wKwYD
VQQDDCRTVVNFIExpbnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNV
BAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0UgTGludXgg
UHJvZHVjdHMgR21iSDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqGSIb3DQEJ
ARYNYnVpbGRAc3VzZS5kZTAeFw0yMTAzMDgxMDE1MDhaFw0zMDEyMzExMDE1MDha
MIGrMTIwMAYDVQQDDClTVVNFIExpbnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3Qg
U2lnbmtleTELMAkGA1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UE
CgwYU1VTRSBMaW51eCBQcm9kdWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFt
MRwwGgYJKoZIhvcNAQkBFg1idWlsZEBzdXNlLmRlMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAtvApQ4qgxDibOpYufFyQG3HDsQvwjPfrQHdYqkcKDZvz
hKFJSpAu4gulkuKnOeMO1+ecpOC9f0G6mbIwYCsM/GKBCUKRQZPOB5eSeGU+NJaI
XV6IimhfYi3MXmheVrP64Xd6pvcn/iplk2IPLbbdjIeiSImg1xtfnrcaWa+tzOMu
MAQfF4wUlVnFF4Pnh0goS2sv2Lj3fVQ4XV7d8bsB9gwdWSQQMwbSb5SXoiLZOIrZ
iI/n6DD5UL8Yap+2f5sBXA1MtonX91MSUu68Vh7l/9UXEntkx5byOdRAKxndIpnP
QQazhXtQoFskPtVzKs+8jIemDOosn7cTkBgOEP49iQIDAQABo4IBLDCCASgwDAYD
VR0TAQH/BAIwADAdBgNVHQ4EFgQUWiQESdKf0NinoYfm/A4muV0aqHswgdMGA1Ud
IwSByzCByIAU7KsNQsRWz3cENrlzmThill6HJi+hgaykgakwgaYxLTArBgNVBAMM
JFNVU0UgTGludXggRW50ZXJwcmlzZSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMC
REUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UECgwYU1VTRSBMaW51eCBQcm9k
dWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFtMRwwGgYJKoZIhvcNAQkBFg1i
dWlsZEBzdXNlLmRlggEBMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEF
BQcDAzANBgkqhkiG9w0BAQsFAAOCAQEAqFI4lVQf3heh0TWrZwc0ej30p1EhVJms
NxCy/mtn6IDkRzmzAe9F/Tx5B6Kytjtj2WvU2mOhjDW61Tdvk2UBqlapTbT0X2oF
Co4ww8gm2uDyY3nCEM0jdPj8XnA+T+raxwcw6NosK3J6g+bEWjkX0lWryl1jgxuA
q3zup4t2rl792z+nAUAmCSrsYeQQxnKIeCvZCYMGgixSoYrv2SxD8hTFC8XW606v
ITVb9fxaYF1cCjCLjhkQpnegViT0mV5QcPW/IIjqKla1N9sH26buFwcJIHXQRB4h
1boVtIqiQZOe4BjGRTvRILGOa/WXn8UhQvMc39bCr1SxMRvpCV7zKw==
-----END CERTIFICATE-----

View File

@@ -0,0 +1,29 @@
-----BEGIN CERTIFICATE-----
MIIFBDCCA+ygAwIBAgIJAO2HhbeP/BJ/MA0GCSqGSIb3DQEBCwUAMIGmMS0wKwYD
VQQDDCRTVVNFIExpbnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNV
BAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0UgTGludXgg
UHJvZHVjdHMgR21iSDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqGSIb3DQEJ
ARYNYnVpbGRAc3VzZS5kZTAeFw0yMjA2MDIyMjUyNTBaFw0zMjEyMzAyMjUyNTBa
MIGrMTIwMAYDVQQDDClTVVNFIExpbnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3Qg
U2lnbmtleTELMAkGA1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UE
CgwYU1VTRSBMaW51eCBQcm9kdWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFt
MRwwGgYJKoZIhvcNAQkBFg1idWlsZEBzdXNlLmRlMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAwDNrJ6NGA3ca+mIR0xPimAmBiC0p/LKKFf2nM64gGr2p
l+VYf4tZONMJpeJSASChD9KEuDFpAfKJm0S+lvmMUEJSxdj6p8ynLtypcE/k9+TP
5j8STpdA5L+P9RIt0r4USGUNf9WT5CfLmQVx6EWjjnUqP6H7t4gS76NXxI6ODu7G
ihPiG4acjYxtgAmErXHP42Tk8srzYN+RVddZLnKQWhLWahuomq8320iHm2biZ01B
coHFZnPO62fw5LHeig94UXixf7NPgwPBr9owuKw4WouDfH4nCY6KEOZG+flF/ME+
6TuExYRCPwG3wXgOmGHNYyH8vAvR9s99sZFIGXYdrwIDAQABo4IBLDCCASgwDAYD
VR0TAQH/BAIwADAdBgNVHQ4EFgQUCsYrHz9TQnETJYbinTsQQVkcgkowgdMGA1Ud
IwSByzCByIAU7KsNQsRWz3cENrlzmThill6HJi+hgaykgakwgaYxLTArBgNVBAMM
JFNVU0UgTGludXggRW50ZXJwcmlzZSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMC
REUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UECgwYU1VTRSBMaW51eCBQcm9k
dWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFtMRwwGgYJKoZIhvcNAQkBFg1i
dWlsZEBzdXNlLmRlggEBMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEF
BQcDAzANBgkqhkiG9w0BAQsFAAOCAQEAgB40iq70uOw6SLvHhZb8NpJuETDdfQzE
RuEDtd0bHgHfhvjLpzaHP8ZVLHr8lpsyaLwVE4598cmys8Zn1vvkCQOo4LwwVILR
8Jar2gvgJ2xqTUVU3bYhr+MaGpScbDyK6n2Kb8/vuEpaHHTJWMx5js2jGh1G2+AG
hohfQX+K5UPUKyBRfiDwcZhq2JpCOq5F/SDbm1kpX5dwzu/Y0yDYfukz4tqvpq+S
8SW1+fv37Fbch6DjFw51ALUtkfPmNShlgcub3deyD0vZvBWxlJRllBv16c+yLXSx
1XmOY8MOEntYKKgKb4zpNKAnCwP7yc/R5Chk1tvLgvoymbxAKfkd3Q==
-----END CERTIFICATE-----

View File

@@ -0,0 +1,32 @@
-----BEGIN CERTIFICATE-----
MIIFjTCCA3WgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgTEgMB4GA1UEAwwXb3Bl
blNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJl
bWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEW
EmJ1aWxkQG9wZW5zdXNlLm9yZzAeFw0xMzAxMjgxNTEwMjhaFw0yMjEyMDcxNTEw
MjhaMIGGMSUwIwYDVQQDDBxvcGVuU1VTRSBTZWN1cmUgQm9vdCBTaWdua2V5MQsw
CQYDVQQGEwJERTESMBAGA1UEBwwJTnVyZW1iZXJnMRkwFwYDVQQKDBBvcGVuU1VT
RSBQcm9qZWN0MSEwHwYJKoZIhvcNAQkBFhJidWlsZEBvcGVuc3VzZS5vcmcwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLNeCcz9j3S+vjlCzyEXczhpwo
HRneRWkhXqCUSgu1QS5nAWuRdjqFZipji4cr6JSKEm4lE7AHPygrdiU+KbJVQuc7
RCQdt5kyy0TStIjLqU+nswa+XKruKwQJquxYY1rIYsfZaEP7vQ6S/0zsAkS8lcmf
0b4h+PSybVoK1U2YZczBjO/f8p/aRQV2+RrAi9UcBfLAuEqwEt9DytULGEazA77N
p9cBgPHFyu7ZOh9KM31QAavXOkhuYllzYh447zIx7lgYfVkFivt91A1enUeb2K+2
EZ885xOE5ADsCpeJIpDzFObfwXUHrSQ42OCP9rnA20XjboFcHinQeK5sp0sfAgMB
AAGjggEHMIIBAzAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQDMvqcvw2IvyGSSw3o
KgmlTV3vyDCBrgYDVR0jBIGmMIGjgBSZDSa38E3ZzmTn0Y79aHtKXeKGpaGBh6SB
hDCBgTEgMB4GA1UEAwwXb3BlblNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYT
AkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2pl
Y3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNlLm9yZ4IBATAOBgNVHQ8B
Af8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggIB
AK25J4ntAoU8yF37KEUEFnh0WElBVYinTCB3VVNq0nJbcLq2Ak/yPb4/hVJGvUQx
M2EgafGBfjA6sVvqvZEqbn0bQnSTJqjlwAUpzVB9ll3vanT0SwwmRdbHtFLfkmfc
6sv7dUsizScXeth2C7vf2rxqJKBIdCs7EkUWibKm34y59wJYqsZT/jLeFraLi/+R
NWeiWY9AlyXm5QzNqEr3qqhVQohKI0gRUwJS0dx3xSMFd8td+q+22iYuNMx2Dk3A
D9HenFMZiSw4r+8R5mm8Dn6DJEB7Y5mJhR1zZk7Q3gVhwjeR/sdrIF9K8tSkyIHt
T4f+qNF1vBfQ9+8zHqQ/X2o2Cky/eyW9rx3V/fYLOXzOdbxIy5nDOd5gbXIDoZNV
cJn/af+MgMrUI7vqDZ1A1UmwKSAJRZjIJCX+2mjrAtQl9W7h8qZt2Hgq/4zCCNSH
v4gGoDtYEtcvs1kqS56/XQRyZikDfEUkBE1hXOW4hepuS9Zs6LihGpKSffqQH0Oy
gvCaWjLNzErjx5Hl9pTvH2qkLLX6P1i/YubW+3E6AuDks9u6eF78GkKb6ALsczQf
jHf22C1rl9y3Ex+9q3vKzeo9HtIBv/FEyt+GEzdCXdf4Lmjmf1l1uBX6+EJFAVsG
UPxqiJZLOo8dEbWIDzoxE8vXjZTNFBA9mkYmipdZwGaV
-----END CERTIFICATE-----

View File

@@ -0,0 +1,27 @@
-----BEGIN CERTIFICATE-----
MIIEjTCCA3WgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgTEgMB4GA1UEAwwXb3Bl
blNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJl
bWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEW
EmJ1aWxkQG9wZW5zdXNlLm9yZzAeFw0xMzA4MjYxNjE4MzdaFw0yMzA3MDUxNjE4
MzdaMIGGMSUwIwYDVQQDDBxvcGVuU1VTRSBTZWN1cmUgQm9vdCBTaWdua2V5MQsw
CQYDVQQGEwJERTESMBAGA1UEBwwJTnVyZW1iZXJnMRkwFwYDVQQKDBBvcGVuU1VT
RSBQcm9qZWN0MSEwHwYJKoZIhvcNAQkBFhJidWlsZEBvcGVuc3VzZS5vcmcwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLNeCcz9j3S+vjlCzyEXczhpwo
HRneRWkhXqCUSgu1QS5nAWuRdjqFZipji4cr6JSKEm4lE7AHPygrdiU+KbJVQuc7
RCQdt5kyy0TStIjLqU+nswa+XKruKwQJquxYY1rIYsfZaEP7vQ6S/0zsAkS8lcmf
0b4h+PSybVoK1U2YZczBjO/f8p/aRQV2+RrAi9UcBfLAuEqwEt9DytULGEazA77N
p9cBgPHFyu7ZOh9KM31QAavXOkhuYllzYh447zIx7lgYfVkFivt91A1enUeb2K+2
EZ885xOE5ADsCpeJIpDzFObfwXUHrSQ42OCP9rnA20XjboFcHinQeK5sp0sfAgMB
AAGjggEHMIIBAzAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQDMvqcvw2IvyGSSw3o
KgmlTV3vyDCBrgYDVR0jBIGmMIGjgBRoQmAN4ixMR36VviPf6pUT5ZcXYqGBh6SB
hDCBgTEgMB4GA1UEAwwXb3BlblNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYT
AkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2pl
Y3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNlLm9yZ4IBATAOBgNVHQ8B
Af8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggEB
AI3sxNvPFB/+Cjj9GVCvNbaOGFV+5X6Dd7ZMJat0xI93GS+FvUOO1i53iCpnfSld
gE+2chifX2W3u6RyiJTTfwke4EVU4GWjFy78WwwszCih0byVa/YSQguvPuMjvQY6
mw+exom0ri68328yWb1oCDaPOhI9Fr51hj50yUWWBbmpu2YPi5blN6CBE+9B2cbp
HVDPxoUWjYJ9leK951nfSu0E1+cLNYDpZ39h4dBHNvU1a3AueVKIXyEYaiwy0VDS
8CQJluUCE4eLlt/cbJqMs0/iY7nRnbVOOyZUYTYxq7ACvDrMyStkfdR4KLDzvLWo
8Gu+1aY2qw6wZ+TKiiRRYjQ=
-----END CERTIFICATE-----

View File

@@ -0,0 +1,27 @@
-----BEGIN CERTIFICATE-----
MIIElTCCA32gAwIBAgIJAPq+2L9Aml5gMA0GCSqGSIb3DQEBCwUAMIGBMSAwHgYD
VQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMCREUxEjAQBgNV
BAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJvamVjdDEhMB8GCSqG
SIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMB4XDTIwMDEwODE2MjU1NFoXDTI5
MTExNjE2MjU1NFowgYYxJTAjBgNVBAMMHG9wZW5TVVNFIFNlY3VyZSBCb290IFNp
Z25rZXkxCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoM
EG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNl
Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMs14JzP2PdL6+OU
LPIRdzOGnCgdGd5FaSFeoJRKC7VBLmcBa5F2OoVmKmOLhyvolIoSbiUTsAc/KCt2
JT4pslVC5ztEJB23mTLLRNK0iMupT6ezBr5cqu4rBAmq7FhjWshix9loQ/u9DpL/
TOwCRLyVyZ/RviH49LJtWgrVTZhlzMGM79/yn9pFBXb5GsCL1RwF8sC4SrAS30PK
1QsYRrMDvs2n1wGA8cXK7tk6H0ozfVABq9c6SG5iWXNiHjjvMjHuWBh9WQWK+33U
DV6dR5vYr7YRnzznE4TkAOwKl4kikPMU5t/BdQetJDjY4I/2ucDbReNugVweKdB4
rmynSx8CAwEAAaOCAQcwggEDMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFAMy+py/
DYi/IZJLDegqCaVNXe/IMIGuBgNVHSMEgaYwgaOAFGhCYA3iLExHfpW+I9/qlRPl
lxdioYGHpIGEMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTEL
MAkGA1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNV
U0UgUHJvamVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnggEB
MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0B
AQsFAAOCAQEAUWNziRn2X/uOcFWaCkKqIVa0xlk8joaztllVkRLoDpv97O6p087k
OOfqNsv1gUgIHqQvZ9Z2woQcpd2gUa0uj5yqpqSGp0eSEtBOOKApVuybplTDSyC3
6ENwF5BKMJ8ysURsIx6ZGCq1PbaruA28sG/XFrhxjezLwN9mcmLd6nCd4xmPuH78
IsHPP6c6VzrFtNN3yP5ZIs9bIzDHTf2qGXvVYhLBrNuTczTwUzeSfKG+qpP/dO1I
EGtd7tTFPTqNwXkWq3oat9TVYMdPLRWWZ2zzE65k0rdSSJTgc/1Z4WSKb55J6FMP
8MJRwgi62+9JF6hsBy7WuBE8cWvtIwbyYA==
-----END CERTIFICATE-----

View File

@@ -0,0 +1,27 @@
-----BEGIN CERTIFICATE-----
MIIElTCCA32gAwIBAgIJAPq+2L9Aml5jMA0GCSqGSIb3DQEBCwUAMIGBMSAwHgYD
VQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMCREUxEjAQBgNV
BAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJvamVjdDEhMB8GCSqG
SIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMB4XDTIwMDgwMzEyMzUzOVoXDTMw
MDYxMjEyMzUzOVowgYYxJTAjBgNVBAMMHG9wZW5TVVNFIFNlY3VyZSBCb290IFNp
Z25rZXkxCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoM
EG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNl
Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKVKfWLm7OvwYpDO
4s0qzbUDWG2GTlxFOkZe4XaFsjxAnmuXZTVm1SJ3N12zSdRH60YMqcns7yuISYQz
0K79shGDOfktO8iqxSE0JdUvhEFnJUECaXYAq+ioiSwkm7QQWhHAUE3htshJeMt4
SK4dTGmTQNQBKCZ3xQTTHi1sOl8wYt0QdhkucqvgDUyPaxHrI4LV1OV9R3XjGclG
ZD6QEkXLhVcir2yLIA9G1qPZDXpNbrdfSx3GDEnSsD+GS0D/k5oe32w1KGMnEM/S
fYrY1nsP6/k0hVO1KH9WJWV/DUoyO/4U75C6swg7SVTxyigT3s92/UV4N9Es5kZv
aHhsuncCAwEAAaOCAQcwggEDMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFMi9x6wa
HYWWYhf9k+v8FPSiALgUMIGuBgNVHSMEgaYwgaOAFGhCYA3iLExHfpW+I9/qlRPl
lxdioYGHpIGEMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTEL
MAkGA1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNV
U0UgUHJvamVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnggEB
MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0B
AQsFAAOCAQEAS1NWAHYBV1uaK7wE6c+Xz8t4c2hgTkFR4E0iVZ+2aTz8OFzztQZq
CyZ9QYgSpApmvwmgFEQog6UUzw2f19W7qhIskDHfhBmK2uQtazHZ/Pd8oXyHrbgK
TVh7GDc9OjrZe2wg03Q0N/KVUHD5lKYXY4rfAqKdc1XKfo7t8GIu+TnWDLXWVI40
oDIXwSmg+JOZFXpf9cxZ2zENZnsaH0KTKNk6bNq8wjum4W54Tgk7UbDE6roJp5C3
7cUt/j+dL00gyFK66PFR1wXflZFtKixxVbMOLa13ZldsuNs0ye6whPqIKZ9ev4M4
rjWQD5k14Ui+48/MDJt4Nc2Sm1LYrdXJMw==
-----END CERTIFICATE-----

View File

@@ -0,0 +1,27 @@
-----BEGIN CERTIFICATE-----
MIIElTCCA32gAwIBAgIJAPq+2L9Aml5kMA0GCSqGSIb3DQEBCwUAMIGBMSAwHgYD
VQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMCREUxEjAQBgNV
BAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJvamVjdDEhMB8GCSqG
SIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMB4XDTIxMDMwMjEzMDE1NFoXDTMx
MDEwOTEzMDE1NFowgYYxJTAjBgNVBAMMHG9wZW5TVVNFIFNlY3VyZSBCb290IFNp
Z25rZXkxCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoM
EG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNl
Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPLI9AESuA0aqXLg
RwX7lU1td6HhC3Oj+kwKJJvF/kwA+1viW/1cC4vS9muigFHe3b4CPwZ9WRxb5Wyi
3nxP1fjYwFmygBnqWvzMTxGZBFuhcQQpSPDbjWOEiFspVZbvkBF7t0cu1EcpKaHl
+pPqVdWrh11mk7bSjnYGAZ0BFHQ3bnhCuH1+p4PIMLAFZIRQ9suW9t5caOoHK6pi
fisOYy+WR3a/2AFTCZIdZIueVpvPHhGgjEDoE0wnoAg5lKDn+SAUS7JiWy/hdT2U
c/OjH1onXi99kTWDOMwQA+g2d7JAPtLuepcKpiUbFaR+7KJYWhkfit6WYz40sC6Q
PMAHIj8CAwEAAaOCAQcwggEDMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFJ3fQ9nx
oCcnP1LGwHdZCO4BZxMlMIGuBgNVHSMEgaYwgaOAFGhCYA3iLExHfpW+I9/qlRPl
lxdioYGHpIGEMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTEL
MAkGA1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNV
U0UgUHJvamVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnggEB
MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0B
AQsFAAOCAQEAnjK7rL3T/Fu443EQSB3cV2V84pQcOcQf3dCSx8VT14ZTgkp1RGM4
qr4V8foA7Fyr9UE+x2zEMzcVy2eZ2aihO/qaQ/JGZi8cp1pjq0nNMUQjgXF0YGyn
Qanjb/48V5eOF9Z1h/wQ0HISTdkwsvGUS0leHT3LjXWNRL9QBp1Qi5A5IE5t8vpX
OxAvHNTsKsx6x2p8R3yVLX7rY84xvBJCqHDY9tYDQ2VbVX7CEw5x9FffobYpY/s1
lCV/fhOThm/q/p9Pr3hydxKP4PoxxwBtII/p0zJTMWEEfOsK/zAS3v8Ltlz83gTk
WX+2oXpj/WRFsYWIEXTPwEm4MwYWxw5rMw==
-----END CERTIFICATE-----

View File

@@ -0,0 +1,27 @@
-----BEGIN CERTIFICATE-----
MIIElTCCA32gAwIBAgIJAPq+2L9Aml5lMA0GCSqGSIb3DQEBCwUAMIGBMSAwHgYD
VQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMCREUxEjAQBgNV
BAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJvamVjdDEhMB8GCSqG
SIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMB4XDTIyMDYxMzEzMjIxNloXDTMy
MDQyMTEzMjIxNlowgYYxJTAjBgNVBAMMHG9wZW5TVVNFIFNlY3VyZSBCb290IFNp
Z25rZXkxCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoM
EG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNl
Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALIpQH6tn3NeRGrk
VgrzbnoFSWg/sk8TQYI93YDE8csRBkj9pZAZDpF92m6Y7pfhQ5C8eOUwwBmRxj/c
KeCvo9hBhN39kBnP0U0fH5eE5WSBk2+H2DT5TeGKh35pxqPUXGyz5wFtIdVGlDeS
O+XvFb82Se2MSJhnBO0AHMP0jdqm8M6VOwOVeYb99YTJcCRpglmMhlkqytCghmAL
Xdn8AcI5cwuInkeDGynsjYJmgaAOWh6Vl2D1HvCzJ2bVEw8x346bt0AKzS8iMYpJ
5TDLWfV565L6LTVqni1IPGfppDtOd9L7oc//SufGMWppYT8FBDjDquNSnXh80QE+
vWHVF+cCAwEAAaOCAQcwggEDMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFP2fLBLl
mdZ8x/kGdUGt9Ca3EkaeMIGuBgNVHSMEgaYwgaOAFGhCYA3iLExHfpW+I9/qlRPl
lxdioYGHpIGEMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTEL
MAkGA1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNV
U0UgUHJvamVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnggEB
MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0B
AQsFAAOCAQEAW5MXYWfpK0ryVDBdXGPLWpORgKh6JT4nS7vU5BW5fX1DIc0fhE9q
PmxwMX74OjXZ3520NfV1jrAg/dmyzUGu4pyvmTfRbwXweDnG1t3zb0PU1ntfzRht
wnfQGm10eICZNKTwxp9D9ca6jIP0pQJXilRSBSqZpw0pNBPeX5FB87DBJnDkpsxV
7FrzR+XjIZwFfBGNecyQdCBiCXtGUU7eDTKqtITL0WzwJ18heFKslwtcoESi6xSS
jsVDsk0gyLxbGlAJy0VeEb1YhlJVbvZiCcEYq5W+U+S31807U+sz1nB+zAyc7JER
JgSHwPK02VwNlY+9558V95Lkp+GZRSNJEA==
-----END CERTIFICATE-----

Binary file not shown.

Binary file not shown.

3
shim-16.1.tar.bz2 Normal file
View File

@@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:46319cd228d8f2c06c744241c0f342412329a7c630436fce7f82cf6936b1d603
size 2348998

View File

@@ -0,0 +1,61 @@
From 71ca8f761fb5434ef65895345d96ccf063da7d66 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Tue, 22 Aug 2017 12:43:36 +0800
Subject: [PATCH] Make the names of EFI binaries arch-independent
Since we only build the 64-bit binaries, we don't have the issue of the
mixed architecture binaries in the same directory. Besides, we will use
the same install script for x86_64 and AArch64. It's easier to maintain
the script with the same names.
Signed-off-by: Gary Lin <glin@suse.com>
---
fallback.c | 2 +-
shim.c | 2 +-
shim.h | 4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/fallback.c b/fallback.c
index fc81c5e4..44b2d464 100644
--- a/fallback.c
+++ b/fallback.c
@@ -1058,7 +1058,7 @@ debug_hook(void)
x = 1;
console_print(L"add-symbol-file "DEBUGDIR
- L"fb" EFI_ARCH L".efi.debug %p -s .data %p\n",
+ L"fallback.efi.debug %p -s .data %p\n",
&_etext, &_edata);
}
diff --git a/shim.c b/shim.c
index 765c9254..6751a2bc 100644
--- a/shim.c
+++ b/shim.c
@@ -1811,7 +1811,7 @@ debug_hook(void)
FreePool(data);
console_print(L"add-symbol-file "DEBUGDIR
- L"shim" EFI_ARCH L".efi.debug 0x%08x -s .data 0x%08x\n",
+ L"shim.efi.debug 0x%08x -s .data 0x%08x\n",
&_text, &_data);
console_print(L"Pausing for debugger attachment.\n");
diff --git a/shim.h b/shim.h
index 0a6c8cfa..b9c3c4d8 100644
--- a/shim.h
+++ b/shim.h
@@ -105,8 +105,8 @@
#define DEBUGSRC L"/usr/src/debug/shim-" VERSIONSTR "." EFI_ARCH
#endif
-#define FALLBACK L"\\fb" EFI_ARCH L".efi"
-#define MOK_MANAGER L"\\mm" EFI_ARCH L".efi"
+#define FALLBACK L"\\fallback.efi"
+#define MOK_MANAGER L"\\MokManager.efi"
#if defined(VENDOR_DB_FILE)
# define vendor_authorized vendor_db
--
2.29.2

View File

@@ -0,0 +1,54 @@
From ac7e88b1f2219ec2b09c9596e6f7d5911e5f6ffd Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 4 Jan 2018 12:28:37 +0800
Subject: [PATCH] Use our own debug path
Signed-off-by: Gary Lin <glin@suse.com>
---
Make.defaults | 2 +-
fallback.c | 2 +-
shim.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Make.defaults b/Make.defaults
index bef3cb51..d88367e3 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -167,7 +167,7 @@ BOOTEFINAME ?= BOOT$(ARCH_SUFFIX_UPPER).EFI
BOOTCSVNAME ?= BOOT$(ARCH_SUFFIX_UPPER).CSV
DEFINES += -DEFI_ARCH='L"$(ARCH_SUFFIX)"' \
- -DDEBUGDIR='L"/usr/lib/debug/usr/share/shim/$(ARCH_SUFFIX)-$(VERSION)$(DASHRELEASE)/"'
+ -DDEBUGDIR=L\"/usr/lib/debug/usr/share/efi/"$(ARCH)/"\"
ifneq ($(origin VENDOR_DB_FILE), undefined)
DEFINES += -DVENDOR_DB_FILE=\"$(VENDOR_DB_FILE)\"
diff --git a/fallback.c b/fallback.c
index 44b2d464..8e0de901 100644
--- a/fallback.c
+++ b/fallback.c
@@ -1058,7 +1058,7 @@ debug_hook(void)
x = 1;
console_print(L"add-symbol-file "DEBUGDIR
- L"fallback.efi.debug %p -s .data %p\n",
+ L"fallback.debug %p -s .data %p\n",
&_etext, &_edata);
}
diff --git a/shim.c b/shim.c
index 1d539855..f8d2ba5f 100644
--- a/shim.c
+++ b/shim.c
@@ -1818,7 +1818,7 @@ debug_hook(void)
FreePool(data);
console_print(L"add-symbol-file "DEBUGDIR
- L"shim.efi.debug 0x%08x -s .data 0x%08x\n",
+ L"shim.debug 0x%08x -s .data 0x%08x\n",
&_text, &_data);
console_print(L"Pausing for debugger attachment.\n");
--
2.29.2

View File

@@ -0,0 +1,36 @@
From 41da21f1f9d4af213f9f235a864772b99ce85fc7 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Fri, 18 Jun 2021 17:54:46 +0800
Subject: [PATCH] Disable exporting vendor-dbx to MokListXRT
As the vendor-dbx grows, it caused some problems when writing such
a large variable. Some firmwares lie the avaiable space(*1) , and
some even crash(*2) for no good reason after the writing of
MokListXRT. Both shim and kernel don't rely on MokListXRT to block
anything, so we just stop exporting vendor-dbx to MokListXRT to
avoid the potential hassles.
(*1) https://bugzilla.suse.com/show_bug.cgi?id=1185261
(*2) https://github.com/rhboot/shim/pull/369#issuecomment-855275115
Signed-off-by: Gary Lin <glin@suse.com>
---
mok.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/mok.c b/mok.c
index beac0ff6..a687a92b 100644
--- a/mok.c
+++ b/mok.c
@@ -194,8 +194,6 @@ struct mok_state_variable mok_state_variables[] = {
EFI_VARIABLE_NON_VOLATILE,
.no_attr = EFI_VARIABLE_RUNTIME_ACCESS,
.categorize_addend = categorize_deauthorized,
- .addend = &vendor_deauthorized,
- .addend_size = &vendor_deauthorized_size,
.flags = MOK_MIRROR_KEYDB |
MOK_MIRROR_DELETE_FIRST |
MOK_VARIABLE_LOG,
--
2.31.1

View File

@@ -71,12 +71,9 @@ fi
efi_distributor="$bootloader_id"
bootloader_id="${bootloader_id}-secureboot"
# bsc#1254336 The sl is for SL Micro. It can be removed afrer SL Micro is EoL
case "$bootloader_id" in
"sle"*)
ca_string='SUSE Linux Enterprise Secure Boot CA1';;
"sl"*)
ca_string='SUSE Linux Enterprise Secure Boot CA1';;
"opensuse"*)
ca_string='openSUSE Secure Boot CA1';;
*) ca_string="";;

BIN
shim-opensuse.aarch64.efi Normal file

Binary file not shown.

BIN
shim-opensuse.x86.efi Normal file

Binary file not shown.

BIN
shim-sles.aarch64.efi Normal file

Binary file not shown.

BIN
shim-sles.x86.efi Normal file

Binary file not shown.

File diff suppressed because it is too large Load Diff

369
shim.spec
View File

@@ -14,19 +14,36 @@
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
# needssslcertforbuild
%undefine _debuginfo_subpackages
%undefine _build_create_debug
%undefine _enable_debug_packages
# Move 'efi'-executables to '/usr/share/efi' (FATE#326960, bsc#1166523)
%ifarch aarch64
%define grubplatform arm64-efi
%else
%define grubplatform %{_target_cpu}-efi
%endif
%if %{defined sle_version} && 0%{?sle_version} <= 150000
%define sysefidir /usr/lib64/efi
%else
%define sysefibasedir %{_datadir}/efi
%define sysefidir %{sysefibasedir}/%{_target_cpu}
%if 0%{?suse_version} < 1600
%ifarch x86_64
%if "%{grubplatform}" == "x86_64-efi" && 0%{?suse_version} < 1600
# provide compatibility sym-link for residual kiwi, etc.
%define shim_lib64_share_compat 1
%endif
%endif
# Set gcc version, the minimum version is gcc-13
%if %gcc_version < 13
%define gcc_version 13
%endif
%global cc_compiler /usr/bin/gcc-%{gcc_version}
%if 0%{?suse_version} >= 1600
%define shim_use_fde_tpm_helper 1
%endif
Name: shim
Version: 16.1
@@ -35,13 +52,18 @@ Summary: UEFI shim loader
License: BSD-2-Clause
Group: System/Boot
URL: https://github.com/rhboot/shim
Source: shim-16.1-150300.4.31.1.x86_64.rpm
Source1: shim-debuginfo-16.1-150300.4.31.1.x86_64.rpm
Source2: shim-debugsource-16.1-150300.4.31.1.x86_64.rpm
Source3: shim-16.1-150300.4.31.1.aarch64.rpm
Source4: shim-debuginfo-16.1-150300.4.31.1.aarch64.rpm
Source5: shim-debugsource-16.1-150300.4.31.1.aarch64.rpm
Source6: shim-install
Source: %{name}-%{version}.tar.bz2
# run "extract_signature.sh shim.efi" where shim.efi is the binary
# with the signature from the UEFI signing service.
# Note: For signature requesting, check SIGNATURE_UPDATE.txt
Source1: shim-install
Source2: extract_signature.sh
Source3: attach_signature.sh
Source4: show_hash.sh
Source5: show_signatures.sh
Source6: timestamp.pl
Source7: strip_signature.sh
Source8: generate-vendor-dbx.sh
# Certificates Used to Verify the Shim (DER format)
# SUSE CA is also built-in to the shim via VENDOR_CERT_FILE
# openSUSE Secure Boot CA, 2013-2035
@@ -52,19 +74,62 @@ Source12: SUSE_Linux_Enterprise_Secure_Boot_CA_2013.crt
Source13: Microsoft_Corporation_UEFI_CA_2011.crt
# Microsoft UEFI CA 2023, 2023-2038
Source14: Microsoft_UEFI_CA_2023.crt
#BuildRequires: shim-susesigned
BuildRequires: fde-tpm-helper-rpm-macros
BuildRequires: update-bootloader-rpm-macros
# Microsoft-signed shim
Source30: shim-opensuse.x86.efi
Source31: shim-opensuse.aarch64.efi
Source32: shim-sles.x86.efi
Source33: shim-sles.aarch64.efi
# revoked certificates for dbx
Source50: revoked-openSUSE-UEFI-SIGN-Certificate-2013-01.crt
Source51: revoked-openSUSE-UEFI-SIGN-Certificate-2013-08.crt
Source52: revoked-openSUSE-UEFI-SIGN-Certificate-2020-01.crt
Source53: revoked-openSUSE-UEFI-SIGN-Certificate-2020-07.crt
Source54: revoked-openSUSE-UEFI-SIGN-Certificate-2021-05.crt
Source55: revoked-openSUSE-UEFI-SIGN-Certificate-2022-06.crt
Source56: revoked-SLES-UEFI-SIGN-Certificate-2013-01.crt
Source57: revoked-SLES-UEFI-SIGN-Certificate-2013-04.crt
Source58: revoked-SLES-UEFI-SIGN-Certificate-2016-02.crt
Source59: revoked-SLES-UEFI-SIGN-Certificate-2020-07.crt
Source60: revoked-SLES-UEFI-SIGN-Certificate-2021-05.crt
Source61: revoked-SLES-UEFI-SIGN-Certificate-2022-05.crt
###
Source99: SIGNATURE_UPDATE.txt
# PATCH-FIX-SUSE shim-arch-independent-names.patch glin@suse.com -- Use the Arch-independent names
Patch1: shim-arch-independent-names.patch
# PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch glin@suse.com -- Change the default debug file path
Patch2: shim-change-debug-file-path.patch
# PATCH-FIX-SUSE remove_build_id.patch -- Remove the build ID to make the binary reproducible when building with AArch64 container
Patch3: remove_build_id.patch
# PATCH-FIX-SUSE shim-disable-export-vendor-dbx.patch bsc#1185261 glin@suse.com -- Disable exporting vendor-dbx to MokListXRT
Patch4: shim-disable-export-vendor-dbx.patch
BuildRequires: gcc%{gcc_version}
BuildRequires: dos2unix
BuildRequires: efitools
BuildRequires: mozilla-nss-tools
BuildRequires: openssl >= 0.9.8
BuildRequires: pesign
BuildRequires: pesign-obs-integration
# we need xxd in global macro in shim.spec
BuildRequires: vim
%if 0%{?shim_use_fde_tpm_helper:1}
BuildRequires: fde-tpm-helper-rpm-macros
%endif
%if 0%{?suse_version} > 1320
BuildRequires: update-bootloader-rpm-macros
%endif
%if 0%{?update_bootloader_requires:1}
%update_bootloader_requires
%else
Requires: perl-Bootloader
BuildRoot: %{_tmppath}/%{name}-%{version}-build
# For shim-install script
Requires: grub2-efi
%endif
%if 0%{?fde_tpm_update_requires:1}
%fde_tpm_update_requires
%endif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
# For shim-install script grub is needed but we also want to use
# shim for systemd-boot where shim-install is not actually used.
# Requires: grub2-%{grubplatform}
Requires: mokutil
ExclusiveArch: x86_64 aarch64
# subject hash of openSUSE/SLE/devel certificates for identifying devel project
@@ -83,54 +148,215 @@ ExclusiveArch: x86_64 aarch64
shim is a trivial EFI application that, when run, attempts to open and
execute another application.
%package debuginfo
%if 0%{?shim_nx:1}
%package -n shim-nx
Summary: UEFI shim loader - supports non-executable
Group: System/Boot
Requires: shim = %{version}
%description -n shim-nx
shim with NX_COMPAT field (aka. NxCompatible field in DllCharacteristics)
for supporting non-executable
%endif # 0%{?shim_nx:1}
%package -n shim-debuginfo
Summary: UEFI shim loader - debug symbols
Group: Development/Debug
%description debuginfo
%description -n shim-debuginfo
The debug symbols of UEFI shim loader
%package debugsource
%package -n shim-debugsource
Summary: UEFI shim loader - debug source
Group: Development/Debug
%description debugsource
%description -n shim-debugsource
The source code of UEFI shim loader
%prep
%ifarch x86_64
rpm2cpio %{SOURCE0} | cpio --extract --unconditional --preserve-modification-time --make-directories
rpm2cpio %{SOURCE1} | cpio --extract --unconditional --preserve-modification-time --make-directories
rpm2cpio %{SOURCE2} | cpio --extract --unconditional --preserve-modification-time --make-directories
%endif
%ifarch aarch64
rpm2cpio %{SOURCE3} | cpio --extract --unconditional --preserve-modification-time --make-directories
rpm2cpio %{SOURCE4} | cpio --extract --unconditional --preserve-modification-time --make-directories
rpm2cpio %{SOURCE5} | cpio --extract --unconditional --preserve-modification-time --make-directories
%endif
%autosetup -p1
%build
# generate the vendor SBAT metadata
%if 0%{?is_opensuse} == 1 || 0%{?sle_version} == 0
distro_id="opensuse"
distro_name="The openSUSE project"
%else
distro_id="sle"
distro_name="SUSE Linux Enterprise"
%endif
distro_sbat=1
sbat="shim.${distro_id},${distro_sbat},${distro_name},%{name},%{version},mail:security@suse.de"
echo "${sbat}" > data/sbat.vendor.csv
# generate dbx files based on revoked certs
bash %{_sourcedir}/generate-vendor-dbx.sh %{_sourcedir}/revoked-*.crt
ls -al *.esl
# first, build MokManager and fallback as they don't depend on a
# specific certificate
make CC=%{cc_compiler} RELEASE=0 \
MMSTEM=MokManager FBSTEM=fallback \
POST_PROCESS_PE_FLAGS=-n \
MokManager.efi.debug fallback.efi.debug \
MokManager.efi fallback.efi
# make sure all object files gets rebuilt
rm -f *.o
# now build variants of shim that embed different certificates
default=''
suffixes=(opensuse sles)
# check whether the project cert is a known one. If it is we build
# just one shim that embeds this specific cert. If it's a devel
# project we build all variants to simplify testing.
if test -e %{_sourcedir}/_projectcert.crt ; then
prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -inform PEM -noout -subject_hash)
prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -inform PEM -noout -issuer_hash)
opensusesubject=$(openssl x509 -in %{SOURCE11} -inform DER -noout -subject_hash)
slessubject=$(openssl x509 -in %{SOURCE12} -inform DER -noout -subject_hash)
if test "$prjissuer" = "$opensusesubject" ; then
suffixes=(opensuse)
elif test "$prjissuer" = "$slessubject" ; then
suffixes=(sles)
elif test "$prjsubject" = "$prjissuer" ; then
suffixes=(devel opensuse sles)
fi
fi
for suffix in "${suffixes[@]}"; do
if test "$suffix" = "opensuse"; then
cert=%{SOURCE11}
cp $cert shim-$suffix.der
verify='openSUSE Secure Boot CA1'
vendor_dbx='vendor-dbx-opensuse.esl'
%ifarch x86_64
ms_shim=%{SOURCE30}
%else
# opensuse aarch64
ms_shim=%{SOURCE31}
%endif
elif test "$suffix" = "sles"; then
cert=%{SOURCE12}
cp $cert shim-$suffix.der
verify='SUSE Linux Enterprise Secure Boot CA1'
vendor_dbx='vendor-dbx-sles.esl'
%ifarch x86_64
ms_shim=%{SOURCE32}
%else
# sles aarch64
ms_shim=%{SOURCE33}
%endif
elif test "$suffix" = "devel"; then
cert=%{_sourcedir}/_projectcert.crt
verify=`openssl x509 -in "$cert" -noout -email`
vendor_dbx='vendor-dbx.esl'
ms_shim=''
test -e "$cert" || continue
openssl x509 -in $cert -inform PEM -outform DER -out shim-$suffix.der
else
echo "invalid suffix"
false
fi
make CC=%{cc_compiler} RELEASE=0 ENABLE_CODESIGN_EKU=1 SHIMSTEM=shim \
VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \
DEFAULT_LOADER="\\\\\\\\grub.efi" \
VENDOR_DBX_FILE=$vendor_dbx \
shim.efi.debug shim.efi
#
# assert correct certificate embedded
grep -q "$verify" shim.efi
# Use ms-signed shim when the version equals with the version of newly built shim
# Version mismatch indicates development of a new shim.
if test -n "$ms_shim"; then
ms_version=$(strings "$ms_shim" | grep '$Version:' | sed -e 's/^.*: //' -e 's/ \$//')
dev_version=$(strings shim.efi | grep '$Version:' | sed -e 's/^.*: //' -e 's/ \$//')
if [ "$ms_version" = "$dev_version" ]; then
cp $ms_shim shim-$suffix.efi
else
cp shim.efi shim-$suffix.efi
fi
rm shim.efi
else
# devel shim
mv shim.efi shim-$suffix.efi
fi
# FIX: using debug info from devel shim doesn't match with ms-signed shim
mv shim.efi.debug shim-$suffix.debug
# remove the build cert if exists
rm -f shim_cert.h shim.cer shim.crt
# make sure all object files gets rebuilt
rm -f *.o
%if 0%{?shim_nx:1}
# building shim.nx.efi
make CC=%{cc_compiler} RELEASE=0 ENABLE_CODESIGN_EKU=1 SHIMSTEM=shim.nx \
VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \
DEFAULT_LOADER="\\\\\\\\grub.efi" \
VENDOR_DBX_FILE=$vendor_dbx \
POST_PROCESS_PE_FLAGS=-n \
shim.nx.efi.debug shim.nx.efi
#
# assert correct certificate embedded
grep -q "$verify" shim.nx.efi
mv shim.nx.efi shim-$suffix.nx.efi
mv shim.nx.efi.debug shim-$suffix.nx.debug
# remove the build cert if exists
rm -f shim_cert.h shim.cer shim.crt
# make sure all object files gets rebuilt
rm -f *.o
%endif # 0%{?shim_nx:1}
done
ln -s shim-${suffixes[0]}.efi shim.efi
mv shim-${suffixes[0]}.debug shim.debug
%if 0%{?shim_nx:1}
ln -s shim-${suffixes[0]}.nx.efi shim.nx.efi
mv shim-${suffixes[0]}.nx.debug shim.nx.debug
%endif # 0%{?shim_nx:1}
# Collect the source for debugsource
mkdir ../source
find . \( -name "*.c" -o -name "*.h" \) -type f -exec cp --parents -a {} ../source/ \;
mv ../source .
%install
# purely repackaged
cp -a etc usr %{buildroot}
export BRP_PESIGN_FILES='%{sysefidir}/shim*.efi %{sysefidir}/MokManager.efi %{sysefidir}/fallback.efi'
install -d %{buildroot}/%{sysefidir}
cp -a shim*.efi %{buildroot}/%{sysefidir}
install -m 444 shim-*.der %{buildroot}/%{sysefidir}
install -m 644 MokManager.efi %{buildroot}/%{sysefidir}/MokManager.efi
install -m 644 fallback.efi %{buildroot}/%{sysefidir}/fallback.efi
install -d %{buildroot}/%{_sbindir}
install -m 755 %{SOURCE1} %{buildroot}/%{_sbindir}/
# install SUSE certificate
install -d %{buildroot}/%{_sysconfdir}/uefi/certs/
for file in shim-*.der; do
filename=$(echo "$file" | cut -f 1 -d '.')
fpr=$(openssl x509 -sha1 -fingerprint -inform DER -noout -in $file | cut -c 18- | cut -d ":" -f 1,2,3,4 | sed 's/://g')
install -m 644 $file %{buildroot}/%{_sysconfdir}/uefi/certs/${fpr}-${filename}.crt
done
%if %{defined shim_lib64_share_compat}
echo old
%else
rm -rf %{buildroot}/usr/lib64/efi
[ "%{sysefidir}" != "/usr/lib64/efi" ] || exit 1
# provide compatibility sym-link for residual "consumers"
install -d %{buildroot}/usr/lib64/efi
ln -srf %{buildroot}/%{sysefidir}/*.efi %{buildroot}/usr/lib64/efi/
%endif
# also copy over the susesigned shim
# we did this to shortcut some cert work in 15-sp2, we currently do not need it
#install -m 444 %{sysefidir}/shim-susesigned.* %{buildroot}/%{sysefidir}
# install the debug symbols
install -d %{buildroot}/usr/lib/debug/%{sysefidir}
install -m 644 shim.debug %{buildroot}/usr/lib/debug/%{sysefidir}
install -m 644 MokManager.efi.debug %{buildroot}/usr/lib/debug/%{sysefidir}/MokManager.debug
install -m 644 fallback.efi.debug %{buildroot}/usr/lib/debug/%{sysefidir}/fallback.debug
# Install the updated shim-install
install -m 755 %{SOURCE6} %{buildroot}/%{_sbindir}
# install the debug source
install -d %{buildroot}/usr/src/debug/%{name}-%{version}
cp -r source/* %{buildroot}/usr/src/debug/%{name}-%{version}
# This pretrans Lua script is directly copied from openSUSE:Factory/shim/shim.spec
# Please remember to sync this script if it be modified
%pretrans -n shim -p <lua>
%clean
%{?buildroot:%__rm -rf "%{buildroot}"}
%pretrans -p <lua>
-- Using Lua
print("INFO: Current Lua Version: " .. tostring(_VERSION))
@@ -169,8 +395,10 @@ local TARGET_CERT_HEXES = {
-- Certificate #3, openSUSE Secure Boot CA 2013
"%{opensuse_ca_hex}",
%endif
-- Certificate #4, SUSE Linux Enterprise Secure Boot CA 2013
%if "%{prjissuer_hash}" == "%{slessubject_hash}"
-- Certificate #3, SUSE Linux Enterprise Secure Boot CA 2013
"%{sles_ca_hex}",
%endif
%if "%{prjissuer_hash}" == "%{prjsubjec_hash}"
-- We put all keys for testing on devel/staging project
-- Certificate #3, openSUSE Secure Boot CA 2013
@@ -317,22 +545,49 @@ end
%fde_tpm_update_post shim
%endif
%if 0%{?update_bootloader_check_type_reinit_post:1}
%if 0%{?update_bootloader_check_type_reinit_post:1}
%update_bootloader_check_type_reinit_post grub2-efi
%else
/sbin/update-bootloader --reinit || true
%endif
# copy from kernel-scriptlets/cert-script
is_efi () {
local msg rc=0
# The below statement fails if mokutil isn't installed or UEFI is unsupported.
# It doesn't fail if UEFI is available but secure boot is off.
msg="$(mokutil --sb-state 2>&1)" || rc=$?
return $rc
}
# run mokutil for setting sbat policy to latest mode
EFIVARFS=/sys/firmware/efi/efivars
SBAT_POLICY="$EFIVARFS/SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23"
if is_efi; then
if [ -w $EFIVARFS ] && \
[ ! -f "$SBAT_POLICY" ] && \
mokutil -h | grep -q "set-sbat-policy"; \
then
# Only apply CA check on the kernel package certs (bsc#1173115)
mokutil --set-sbat-policy latest
fi
fi
%if %{defined update_bootloader_posttrans}
%posttrans
%{?update_bootloader_posttrans}
%{?fde_tpm_update_posttrans}
%endif
%files
%defattr(-,root,root)
%doc COPYRIGHT
%dir %{?sysefibasedir}
%dir %{sysefidir}
%{sysefidir}/shim.efi
%{sysefidir}/shim-*.efi
%if 0%{?shim_nx:1}
%exclude %{sysefidir}/shim-*.nx.efi
%endif # 0%{?shim_nx:1}
%{sysefidir}/shim-*.der
%{sysefidir}/MokManager.efi
%{sysefidir}/fallback.efi
@@ -345,13 +600,23 @@ end
%dir /usr/lib64/efi
/usr/lib64/efi/*.efi
%endif
/usr/share/doc/packages/shim
%files debuginfo
/usr/lib/debug/%{sysefidir}/*.debug
%if 0%{?shim_nx:1}
%files -n shim-nx
%defattr(-,root,root)
%{sysefidir}/shim.nx.efi
%{sysefidir}/shim-*.nx.efi
%endif # 0%{?shim_nx:1}
%files debugsource
%dir /usr/src/debug/shim-*
/usr/src/debug/shim-*/*
%files -n shim-debuginfo
%defattr(-,root,root,-)
/usr/lib/debug%{sysefidir}/shim.debug
/usr/lib/debug%{sysefidir}/MokManager.debug
/usr/lib/debug%{sysefidir}/fallback.debug
%files -n shim-debugsource
%defattr(-,root,root,-)
%dir /usr/src/debug/%{name}-%{version}
/usr/src/debug/%{name}-%{version}/*
%changelog

12
show_hash.sh Normal file
View File

@@ -0,0 +1,12 @@
#!/bin/bash
# show hash of PE binary
set -e
infile="$1"
if [ -z "$infile" -o ! -e "$infile" ]; then
echo "USAGE: $0 file.efi"
exit 1
fi
pesign -h -P -i "$infile"

12
show_signatures.sh Normal file
View File

@@ -0,0 +1,12 @@
#!/bin/bash
# show signatures on a PE binary
set -e
infile="$1"
if [ -z "$infile" -o ! -e "$infile" ]; then
echo "USAGE: $0 file.efi"
exit 1
fi
pesign -S -i "$infile"

13
strip_signature.sh Normal file
View File

@@ -0,0 +1,13 @@
#!/bin/bash
# strip the signature from a PE binary
set -e
infile="$1"
if [ -z "$infile" -o ! -e "$infile" ]; then
echo "USAGE: $0 file.efi"
exit 1
fi
outfile="${infile%.efi}-unsigned.efi"
pesign -r -i "$infile" -o "$outfile"

146
timestamp.pl Normal file
View File

@@ -0,0 +1,146 @@
#!/usr/bin/perl -w
# Copyright (c) 2012-2021 SUSE LLC
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
=head1 timestamp.pl
timestamp.pl - show or set pe timestamp in file
=head1 SYNOPSIS
timestamp.pl [OPTIONS] FILE...
=head1 OPTIONS
=over 4
=item B<--set-form-file=FILE>
parse timestamp, checksum, and linker version from file
=item B<--help, -h>
print help
=back
=head1 DESCRIPTION
lorem ipsum ...
=cut
use strict;
use Getopt::Long;
Getopt::Long::Configure("no_ignore_case");
use POSIX qw/strftime/;
my %options;
sub usage($) {
my $r = shift;
eval "use Pod::Usage; pod2usage($r);";
if ($@) {
die "cannot display help, install perl(Pod::Usage)\n";
}
}
GetOptions(
\%options,
"set-from-file=s",
"verbose|v",
"help|h",
) or usage(1);
usage(1) unless @ARGV;
usage(0) if ($options{'help'});
my $set_timestamp;
my $set_checksum;
my $set_linker;
if ($options{'set-from-file'}) {
die "$options{'set-from-file'}: $!\n" unless open(my $fh, '<', $options{'set-from-file'});
while (<$fh>) {
chomp;
if (/^timestamp: ([0-9a-f]+)/) {
$set_timestamp = pack('L', hex($1));
next;
} elsif (/^linker: ([0-9a-f]+)/) {
$set_linker = pack('S', hex($1));
next;
} elsif (/^checksum: ([0-9a-f]+)/) {
$set_checksum = pack('L', hex($1));
next;
}
last if $set_timestamp && $set_checksum && $set_linker;
}
close($fh);
die "file didn't contain timestamp, checksum, or linker\n" unless $set_timestamp && $set_checksum && $set_linker;
}
sub do_show($)
{
my $file = shift;
die "$file: $!\n" unless open(my $fh, '<', $file);
die "seek $file: $!\n" unless seek($fh, 136, 0);
my $value;
die "read $file: $!\n" unless read($fh, $value, 4);
my $timestamp = unpack('L', $value);
print strftime("# %Y-%m-%d %H:%M:%S\n", gmtime($timestamp));
printf ("timestamp: %x\n", $timestamp);
die "seek $file: $!\n" unless seek($fh, 154, 0);
die "read $file: $!\n" unless read($fh, $value, 2);
printf ("linker: %x\n", unpack('S', $value));
die "seek $file: $!\n" unless seek($fh, 216, 0);
die "read $file: $!\n" unless read($fh, $value, 4);
printf ("checksum: %x\n", unpack('L', $value));
close($fh);
}
sub do_set($)
{
my $file = shift;
die "$file: $!\n" unless open(my $fh, '+<', $file);
die "seek $file: $!\n" unless seek($fh, 136, 0);
die "write $file: $!\n" unless print $fh $set_timestamp;
die "seek $file: $!\n" unless seek($fh, 154, 0);
die "write $file: $!\n" unless print $fh $set_linker;
die "seek $file: $!\n" unless seek($fh, 216, 0);
die "write $file: $!\n" unless print $fh $set_checksum;
close($fh);
}
for my $file (@ARGV) {
if ($options{'set-from-file'}) {
do_set($file);
} else {
do_show($file);
}
}