diff --git a/_config b/_config index 023dbc2..3a0f922 100644 --- a/_config +++ b/_config @@ -86,6 +86,7 @@ BuildFlags: onlybuild:release-manifest-image BuildFlags: onlybuild:metallb-controller-image BuildFlags: onlybuild:metallb-speaker-image BuildFlags: onlybuild:nm-configurator + BuildFlags: onlybuild:shim-noarch %endif %endif @@ -112,6 +113,9 @@ BuildFlags: onlybuild:release-manifest-image %if "%_repository" == "standard" # for build openstack-ironic-image BuildFlags: allowrootforbuild + + # ironic-ipa-ramdisk are noarch packages that need to be availble to both archs + ExportFilter: ^ironic-ipa-ramdisk-.*\.noarch\.rpm$ aarch64 x86_64 %endif # Enable reproducible builds diff --git a/baremetal-operator/_service b/baremetal-operator/_service index 5ec987e..a4725fd 100644 --- a/baremetal-operator/_service +++ b/baremetal-operator/_service @@ -2,7 +2,7 @@ https://github.com/metal3-io/baremetal-operator git - v0.9.0 + v0.9.1 _auto_ @PARENT_TAG@ enable diff --git a/baremetal-operator/baremetal-operator.spec b/baremetal-operator/baremetal-operator.spec index 9e2f10a..5e31967 100644 --- a/baremetal-operator/baremetal-operator.spec +++ b/baremetal-operator/baremetal-operator.spec @@ -17,7 +17,7 @@ Name: baremetal-operator -Version: 0.9.0 +Version: 0.9.1 Release: 0 Summary: Implements a Kubernetes API for managing bare metal hosts License: Apache-2.0 diff --git a/ironic-image/Dockerfile b/ironic-image/Dockerfile index d072397..ea5e3e3 100644 --- a/ironic-image/Dockerfile +++ b/ironic-image/Dockerfile @@ -1,6 +1,6 @@ # SPDX-License-Identifier: Apache-2.0 -#!BuildTag: %%IMG_PREFIX%%ironic:26.1.2.3 -#!BuildTag: %%IMG_PREFIX%%ironic:26.1.2.3-%RELEASE% +#!BuildTag: %%IMG_PREFIX%%ironic:26.1.2.4 +#!BuildTag: %%IMG_PREFIX%%ironic:26.1.2.4-%RELEASE% #!BuildVersion: 15.6 ARG SLE_VERSION 
@@ -8,14 +8,8 @@ FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base -#!ArchExclusiveLine: x86_64 -RUN if [ "$(uname -m)" = "x86_64" ];then \ - zypper -n in --no-recommends gcc git make xz-devel shim dosfstools mtools glibc-extra grub2-x86_64-efi grub2; zypper -n clean; rm -rf /var/log/*; \ - fi -#!ArchExclusiveLine: aarch64 -RUN if [ "$(uname -m)" = "aarch64" ];then \ - zypper -n rm kubic-locale-archive-2.31-10.36.noarch openssl-1_1-1.1.1l-150500.17.37.1.aarch64; zypper -n in --no-recommends gcc git make xz-devel openssl-3 mokutil shim dosfstools mtools glibc glibc-extra grub2 grub2-arm64-efi; zypper -n clean; rm -rf /var/log/* ;\ - fi +RUN zypper -n in --no-recommends shim-x86_64 shim-aarch64 grub2-x86_64-efi grub2-arm64-efi dosfstools mtools + WORKDIR /tmp COPY prepare-efi.sh /bin/ RUN set -euo pipefail; chmod +x /bin/prepare-efi.sh @@ -46,8 +40,8 @@ LABEL org.opencontainers.image.description="Openstack Ironic based on the SLE Ba LABEL org.opencontainers.image.url="https://www.suse.com/products/server/" LABEL org.opencontainers.image.created="%BUILDTIME%" LABEL org.opencontainers.image.vendor="SUSE LLC" -LABEL org.opencontainers.image.version="26.1.2.3" -LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:26.1.2.3-%RELEASE%" +LABEL org.opencontainers.image.version="26.1.2.4" +LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic:26.1.2.4-%RELEASE%" LABEL org.openbuildservice.disturl="%DISTURL%" LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%" LABEL com.suse.eula="SUSE Combined EULA February 2024" 
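Review bot: The new `RUN zypper -n in --no-recommends shim-x86_64 shim-aarch64 ...` line presumably takes both shims from the `shim-noarch` package this commit adds as two checked-in binary RPMs, so the first stage of the Secure Boot chain in every ESP image rests on blobs that cannot be reviewed in the diff. I would record the origin and SHA-256 of both RPMs next to them, and have the shim-noarch build verify the digest and package signature before repackaging. A comment above this RUN would help, e.g. `# shim-<arch> are repackaged from shim-noarch/*.rpm (15.7 from SLE15-SP3); re-check against current SBAT revocations when updating`. Since shim.changes gives the bundled version as 15.7, it is worth confirming that this build is still accepted at the SBAT level of the firmware you deploy to.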
@@ -88,7 +82,8 @@ RUN if [ "$(uname -m)" = "aarch64" ]; then\ cp /usr/share/ipxe/snp-arm64.efi /tftpboot/ipxe.efi; cp /usr/share/ipxe/snp-arm64.efi /tftpboot/snp-arm64.efi; cp /usr/share/ipxe/snp-arm64.efi /tftpboot/snp.efi ;\ fi -COPY --from=base /tmp/esp.img /tmp/uefi_esp.img +COPY --from=base /tmp/esp-x86_64.img /tmp/uefi_esp-x86_64.img +COPY --from=base /tmp/esp-aarch64.img /tmp/uefi_esp-arm64.img COPY ironic.conf.j2 /etc/ironic/ COPY inspector.ipxe.j2 httpd-ironic-api.conf.j2 ipxe_config.template /tmp/ diff --git a/ironic-image/configure-ironic.sh b/ironic-image/configure-ironic.sh index dbf8a67..8ab2404 100644 --- a/ironic-image/configure-ironic.sh +++ b/ironic-image/configure-ironic.sh @@ -68,7 +68,7 @@ if [[ -n "$IRONIC_EXTERNAL_IP" ]]; then fi fi -IMAGE_CACHE_PREFIX=/shared/html/images/ironic-python-agent +IMAGE_CACHE_PREFIX="/shared/html/images/ironic-python-agent-${DEPLOY_ARCHITECTURE}" if [[ -f "${IMAGE_CACHE_PREFIX}.kernel" ]] && [[ -f "${IMAGE_CACHE_PREFIX}.initramfs" ]]; then export IRONIC_DEFAULT_KERNEL="${IMAGE_CACHE_PREFIX}.kernel" export IRONIC_DEFAULT_RAMDISK="${IMAGE_CACHE_PREFIX}.initramfs" diff --git a/ironic-image/inspector.ipxe.j2 b/ironic-image/inspector.ipxe.j2 index 7616b12..c105178 100644 --- a/ironic-image/inspector.ipxe.j2 +++ b/ironic-image/inspector.ipxe.j2 
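Review bot: In the configure-ironic.sh hunk `${DEPLOY_ARCHITECTURE}` is expanded with no default, so a container started without the new ConfigMap key (for example this image with an older chart) gets the prefix `ironic-python-agent-` and the two `-f` tests quietly fail, or the script aborts if it runs under `set -u` (not visible here). I would write `IMAGE_CACHE_PREFIX="/shared/html/images/ironic-python-agent-${DEPLOY_ARCHITECTURE:-x86_64}"` and reject anything other than `x86_64` or `arm64`, because the value ends up in file paths and URLs. The same unguarded use is in the ironic.conf.j2 hunk (`uefi_esp-{{ env.DEPLOY_ARCHITECTURE }}.img`). The `if` block continues past the end of this hunk.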
@@ -5,6 +5,6 @@ echo In inspector.ipxe imgfree # NOTE(dtantsur): keep inspection kernel params in [mdns]params in # ironic-inspector-image and configuration in configure-ironic.sh -kernel --timeout 60000 http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/images/ironic-python-agent.kernel ipa-insecure=1 ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} systemd.journald.forward_to_console=yes BOOTIF=${mac} ipa-debug=1 ipa-enable-vlan-interfaces={{ env.IRONIC_ENABLE_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 {{ env.INSPECTOR_EXTRA_ARGS }} initrd=ironic-python-agent.initramfs {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} || goto retry_boot -initrd --timeout 60000 http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/images/ironic-python-agent.initramfs || goto retry_boot +kernel --timeout 60000 http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/images/ironic-python-agent-${buildarch}.kernel ipa-insecure=1 ipa-inspection-collectors={{ env.IRONIC_IPA_COLLECTORS }} systemd.journald.forward_to_console=yes BOOTIF=${mac} ipa-debug=1 ipa-enable-vlan-interfaces={{ env.IRONIC_ENABLE_VLAN_INTERFACES }} ipa-inspection-dhcp-all-interfaces=1 ipa-collect-lldp=1 {{ env.INSPECTOR_EXTRA_ARGS }} initrd=ironic-python-agent.initramfs {% if env.IRONIC_RAMDISK_SSH_KEY %}sshkey="{{ env.IRONIC_RAMDISK_SSH_KEY|trim }}"{% endif %} {{ env.IRONIC_KERNEL_PARAMS|trim }} || goto retry_boot +initrd --timeout 60000 http://{{ env.IRONIC_URL_HOST }}:{{ env.HTTP_PORT }}/images/ironic-python-agent-${buildarch}.initramfs || goto retry_boot boot diff --git a/ironic-image/ironic.conf.j2 b/ironic-image/ironic.conf.j2 index 894b8cc..58bc69d 100644 --- a/ironic-image/ironic.conf.j2 +++ b/ironic-image/ironic.conf.j2 
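Review bot: The kernel argument `initrd=ironic-python-agent.initramfs` is unchanged, while the `initrd` command now downloads `ironic-python-agent-${buildarch}.initramfs`. iPXE names a downloaded image after the last component of its URI unless told otherwise, so on UEFI boot the kernel is likely to look for an initrd name that no longer exists. Either change the argument to `initrd=ironic-python-agent-${buildarch}.initramfs` or keep the old name with `initrd --name ironic-python-agent.initramfs --timeout 60000 ...`. A comment that `${buildarch}` reflects how the iPXE binary itself was built would also help, since a 32-bit iPXE would request an `i386` image that get-resource.sh never publishes.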
@@ -83,7 +83,7 @@ send_sensor_data = {{ env.SEND_SENSOR_DATA }} # Power state is checked every 60 seconds and BMC activity should # be avoided more often than once every sixty seconds. send_sensor_data_interval = 160 -bootloader = {{ env.IRONIC_BOOT_BASE_URL }}/uefi_esp.img +bootloader = {{ env.IRONIC_BOOT_BASE_URL }}/uefi_esp-{{ env.DEPLOY_ARCHITECTURE }}.img verify_step_priority_override = management.clear_job_queue:90 # We don't use this feature, and it creates an additional load on the database node_history = False diff --git a/ironic-image/prepare-efi.sh b/ironic-image/prepare-efi.sh index a293187..d4b2f2e 100644 --- a/ironic-image/prepare-efi.sh +++ b/ironic-image/prepare-efi.sh 
@@ -2,41 +2,26 @@ set -euxo pipefail -ARCH=$(uname -m) -DEST=${2:-/tmp/esp.img} -OS=${1:-sles} +declare -A efi_arch=( + ["x86_64"]="X64" + ["aarch64"]="AA64" + ) -if [ $ARCH = "aarch64" ]; then - BOOTEFI=BOOTAA64.EFI - GRUBEFI=grubaa64.efi -else - BOOTEFI=BOOTX64.efi - GRUBEFI=grubx64.efi -fi +for arch in "${!efi_arch[@]}"; do + + DEST=/tmp/esp-${arch}.img -dd bs=1024 count=6400 if=/dev/zero of=$DEST -mkfs.msdos -F 12 -n 'ESP_IMAGE' $DEST + dd bs=1024 count=6400 if=/dev/zero of=$DEST + mkfs.msdos -F 12 -n 'ESP_IMAGE' $DEST + + mmd -i $DEST EFI + mmd -i $DEST EFI/BOOT + + mcopy -i $DEST -v /usr/share/efi/${arch}/shim.efi ::EFI/BOOT/BOOT${efi_arch[$arch]}.EFI + mcopy -i $DEST -v /usr/share/efi/${arch}/grub.efi ::EFI/BOOT/GRUB.EFI + + mdir -i $DEST ::EFI/BOOT; +done -mkdir -p /boot/efi/EFI/BOOT -mkdir -p /boot/efi/EFI/$OS -if [ $ARCH = "aarch64" ]; then - cp -L /usr/share/efi/aarch64/shim.efi /boot/efi/EFI/BOOT/$BOOTEFI - cp -L /usr/share/efi/aarch64/grub.efi /boot/efi/EFI/BOOT/grub.efi - cp /usr/share/grub2/arm64-efi/grub.efi /boot/efi/EFI/$OS/grubaa64.efi -else - cp -L /usr/lib64/efi/shim.efi /boot/efi/EFI/BOOT/$BOOTEFI - #cp /usr/share/grub2/x86_64-efi/grub.efi /boot/efi/EFI/$OS/$GRUBEFI - cp /usr/share/grub2/x86_64-efi/grub.efi /boot/efi/EFI/$OS/grub.efi -fi -mmd -i $DEST EFI -mmd -i $DEST EFI/BOOT -mcopy -i $DEST -v /boot/efi/EFI/BOOT/$BOOTEFI ::EFI/BOOT -if [ $ARCH = "aarch64" ]; then - mcopy -i $DEST -v /boot/efi/EFI/BOOT/grub.efi ::EFI/BOOT - mcopy -i $DEST -v /boot/efi/EFI/$OS/$GRUBEFI ::EFI/BOOT -else - mcopy -i $DEST -v /boot/efi/EFI/$OS/grub.efi ::EFI/BOOT -fi -mdir -i $DEST ::EFI/BOOT; diff --git a/ironic-image/runhttpd b/ironic-image/runhttpd index 4622f26..e5b8dcc 100644 --- a/ironic-image/runhttpd +++ b/ironic-image/runhttpd 
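Review bot: The new loop has no comment saying where `shim.efi` and `grub.efi` come from or why the target names differ, and this image is the start of the boot chain for every provisioned host. I would add above the loop `# Build one FAT12 ESP per architecture from the distribution shim and grub under /usr/share/efi/<arch>; BOOT<ARCH>.EFI is the removable-media path the firmware loads, GRUB.EFI is the loader shim hands over to` (the last part is my reading of the layout, please confirm). Quoting `"$DEST"` and `"/usr/share/efi/${arch}/shim.efi"` would match the quoting this commit adds in get-resource.sh. The script no longer reads `$1`/`$2`, and the callers are not visible in this diff, so check that nothing still passes them.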
@@ -39,7 +39,7 @@ export INSPECTOR_EXTRA_ARGS # Copy files to shared mount render_j2_config /tmp/inspector.ipxe.j2 /shared/html/inspector.ipxe -cp /tmp/uefi_esp.img /shared/html/uefi_esp.img +cp /tmp/uefi_esp*.img /shared/html/ # Render the core httpd config render_j2_config /etc/httpd/conf/httpd.conf.j2 /etc/httpd/conf/httpd.conf diff --git a/ironic-ipa-downloader-image/Dockerfile b/ironic-ipa-downloader-image/Dockerfile index 9bad185..1122428 100644 --- a/ironic-ipa-downloader-image/Dockerfile +++ b/ironic-ipa-downloader-image/Dockerfile @@ -1,6 +1,6 @@ # SPDX-License-Identifier: Apache-2.0 -#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.2 -#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.2-%RELEASE% +#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.3 +#!BuildTag: %%IMG_PREFIX%%ironic-ipa-downloader:3.0.3-%RELEASE% #!BuildVersion: 15.6 ARG SLE_VERSION FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro 
@@ -8,15 +8,8 @@ FROM registry.suse.com/bci/bci-micro:$SLE_VERSION AS micro FROM registry.suse.com/bci/bci-base:$SLE_VERSION AS base COPY --from=micro / /installroot/ RUN sed -i -e 's%^# rpm.install.excludedocs = no.*%rpm.install.excludedocs = yes%g' /etc/zypp/zypp.conf -#!ArchExclusiveLine: x86_64 -RUN if [ "$(uname -m)" = "x86_64" ];then \ - zypper --installroot /installroot --non-interactive install --no-recommends ironic-ipa-ramdisk-x86_64 python311-devel python311 python311-pip tar gawk git curl xz fakeroot shadow sed cpio; zypper -n clean; rm -rf /var/log/*; \ - fi -#!ArchExclusiveLine: aarch64 -RUN if [ "$(uname -m)" = "aarch64" ];then \ - zypper --installroot /installroot --non-interactive install --no-recommends ironic-ipa-ramdisk-aarch64 python311-devel python311 python311-pip tar gawk git curl xz fakeroot shadow sed cpio; zypper -n clean; rm -rf /var/log/*; \ - fi -#RUN zypper --installroot /installroot --non-interactive install --no-recommends sles-release; +RUN zypper --installroot /installroot --non-interactive install --no-recommends ironic-ipa-ramdisk-x86_64 ironic-ipa-ramdisk-aarch64 tar gawk curl xz zstd shadow cpio findutils + RUN cp /usr/bin/getopt /installroot/ FROM micro AS final 
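Review bot: The new package list has no `file`, yet get-resource.sh in this commit derives the architecture with `ARCH=$(file -b ${FILENAME}.kernel | cut -d ' ' -f 3)`. Unless `file` arrives as a dependency or is already in bci-micro (not visible here), `ARCH` is empty in the `IPA_BASEURI` path and the symlinks are created as `ironic-python-agent-.kernel` and `ironic-python-agent-.initramfs`, which nothing requests. I would add `file` to this `zypper ... install` line and have the script stop when `ARCH` is neither `x86_64` nor `arm64`.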
@@ -26,11 +19,11 @@ FROM micro AS final LABEL org.opencontainers.image.authors="SUSE LLC (https://www.suse.com/)" LABEL org.opencontainers.image.title="SLE Based Ironic IPA Downloader Container Image" LABEL org.opencontainers.image.description="ironic-ipa-downloader based on the SLE Base Container Image." -LABEL org.opencontainers.image.version="3.0.2" +LABEL org.opencontainers.image.version="3.0.3" LABEL org.opencontainers.image.url="https://www.suse.com/solutions/edge-computing/" LABEL org.opencontainers.image.created="%BUILDTIME%" LABEL org.opencontainers.image.vendor="SUSE LLC" -LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.2-%RELEASE%" +LABEL org.opensuse.reference="%%IMG_REPO%%/%%IMG_PREFIX%%ironic-ipa-downloader:3.0.3-%RELEASE%" LABEL org.openbuildservice.disturl="%DISTURL%" LABEL com.suse.supportlevel="%%SUPPORT_LEVEL%%" LABEL com.suse.eula="SUSE Combined EULA February 2024" @@ -41,8 +34,9 @@ LABEL com.suse.release-stage="released" COPY --from=base /installroot / RUN cp /getopt /usr/bin/ -RUN cp /srv/tftpboot/openstack-ironic-image/initrd.xz /tmp +RUN cp /srv/tftpboot/openstack-ironic-image/initrd*.zst /tmp RUN cp /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel /tmp +RUN sha256sum /srv/tftpboot/openstack-ironic-image/initrd*.zst /srv/tftpboot/openstack-ironic-image/openstack-ironic-image*.kernel > /tmp/images.sha256 # configure non-root user COPY configure-nonroot.sh /bin/ RUN set -euo pipefail; chmod +x /bin/configure-nonroot.sh diff --git a/ironic-ipa-downloader-image/get-resource.sh b/ironic-ipa-downloader-image/get-resource.sh index 2b11a24..4a75f6c 100644 --- a/ironic-ipa-downloader-image/get-resource.sh +++ b/ironic-ipa-downloader-image/get-resource.sh 
@@ -6,12 +6,33 @@ export http_proxy=${http_proxy:-$HTTP_PROXY} export https_proxy=${https_proxy:-$HTTPS_PROXY} export no_proxy=${no_proxy:-$NO_PROXY} +if [ -d "/tmp/ironic-certificates" ]; then + sha256sum /tmp/ironic-certificates/* > /tmp/certificates.sha256 + if cmp "/shared/certificates.sha256" "/tmp/certificates.sha256"; then + CERTS_CHANGED=0 + else + CERTS_CHANGED=1 + fi +fi + # Which image should we use if [ -z "${IPA_BASEURI}" ]; then - # SLES BASED IPA - ironic-ipa-ramdisk-x86_64 package + if cmp "/shared/images.sha256" "/tmp/images.sha256"; then + if [ "${CERTS_CHANGED:-0}" = "0" ]; then + # everything is the same exit early + exit 0 + fi + fi + IMAGE_CHANGED=1 + # SLES BASED IPA - ironic-ipa-ramdisk-x86_64 and ironic-ipa-ramdisk-aarch64 packages mkdir -p /shared/html/images - cp /tmp/initrd.xz /shared/html/images/ironic-python-agent.initramfs - cp /tmp/openstack-ironic-image*.kernel /shared/html/images/ironic-python-agent.kernel + cp /tmp/initrd-x86_64.zst /shared/html/images/ironic-python-agent-x86_64.initramfs + cp /tmp/openstack-ironic-image.x86_64*.kernel /shared/html/images/ironic-python-agent-x86_64.kernel + # Use arm64 as destination for iPXE compatibility + cp /tmp/initrd-aarch64.zst /shared/html/images/ironic-python-agent-arm64.initramfs + cp /tmp/openstack-ironic-image.aarch64*.kernel /shared/html/images/ironic-python-agent-arm64.kernel + + cp /tmp/images.sha256 /shared/images.sha256 else FILENAME=ironic-python-agent FILENAME_EXT=.tar 
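Review bot: The early `exit 0` compares only the two marker files, so it also exits when `/shared/html/images` has been emptied, or when a kernel or initramfs there has been truncated or replaced while `/shared/images.sha256` survived. `images.sha256` is computed over the `/srv/tftpboot/...` build paths and the served initramfs gets a certificate segment appended later, so the marker cannot double as an integrity check of what is served. At minimum I would guard the exit with an existence test such as `[ -s /shared/html/images/ironic-python-agent-x86_64.kernel ] && [ -s /shared/html/images/ironic-python-agent-arm64.kernel ]`. Using `cmp -s` would also keep the first start from logging a missing-file error.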
@@ -25,47 +46,56 @@ else # If we have a CACHEURL and nothing has yet been downloaded # get header info from the cache ls -l - if [ -n "$CACHEURL" -a ! -e $FFILENAME.headers ] ; then + if [ -n "$CACHEURL" ] && [ ! -e $FFILENAME.headers ] ; then curl -g --verbose --fail -O "$CACHEURL/$FFILENAME.headers" || true fi # Download the most recent version of IPA if [ -e $FFILENAME.headers ] ; then ETAG=$(awk '/ETag:/ {print $2}' $FFILENAME.headers | tr -d "\r") - cd $TMPDIR - curl -g --verbose --dump-header $FFILENAME.headers -O $IPA_BASEURI/$FFILENAME --header "If-None-Match: $ETAG" || cp /shared/html/images/$FFILENAME.headers . + cd "$TMPDIR" + curl -g --verbose --dump-header $FFILENAME.headers -O "$IPA_BASEURI/$FFILENAME" --header "If-None-Match: $ETAG" || cp /shared/html/images/$FFILENAME.headers . # curl didn't download anything because we have the ETag already # but we don't have it in the images directory # Its in the cache, go get it ETAG=$(awk '/ETag:/ {print $2}' $FFILENAME.headers | tr -d "\"\r") - if [ ! -s $FFILENAME -a ! -e /shared/html/images/$FILENAME-$ETAG/$FFILENAME ] ; then + if [ ! -s $FFILENAME ] && [ ! -e "/shared/html/images/$FILENAME-$ETAG/$FFILENAME" ] ; then mv /shared/html/images/$FFILENAME.headers . 
curl -g --verbose -O "$CACHEURL/$FILENAME-$ETAG/$FFILENAME" fi else - cd $TMPDIR - curl -g --verbose --dump-header $FFILENAME.headers -O $IPA_BASEURI/$FFILENAME + cd "$TMPDIR" + curl -g --verbose --dump-header $FFILENAME.headers -O "$IPA_BASEURI/$FFILENAME" fi if [ -s $FFILENAME ] ; then tar -xf $FFILENAME - + xz -d -c -k --fast $FILENAME.initramfs | zstd -c > $FILENAME.initramfs.zstd + mv $FILENAME.initramfs.zstd $FILENAME.initramfs + ARCH=$(file -b ${FILENAME}.kernel | cut -d ' ' -f 3) + if [ "$ARCH" = "x86" ]; then + ARCH="x86_64" + fi ETAG=$(awk '/ETag:/ {print $2}' $FFILENAME.headers | tr -d "\"\r") cd - - chmod 755 $TMPDIR - mv $TMPDIR $FILENAME-$ETAG - ln -sf $FILENAME-$ETAG/$FFILENAME.headers $FFILENAME.headers - ln -sf $FILENAME-$ETAG/$FILENAME.initramfs $FILENAME.initramfs - ln -sf $FILENAME-$ETAG/$FILENAME.kernel $FILENAME.kernel + chmod 755 "$TMPDIR" + mv "$TMPDIR" "$FILENAME-$ETAG" + ln -sf "$FILENAME-$ETAG/$FFILENAME.headers" "$FFILENAME.headers" + ln -sf "$FILENAME-$ETAG/$FILENAME.initramfs" "$FILENAME-${ARCH,,}.initramfs" + ln -sf "$FILENAME-$ETAG/$FILENAME.kernel" "$FILENAME-${ARCH,,}.kernel" + + IMAGE_CHANGED=1 else - rm -rf $TMPDIR + rm -rf "$TMPDIR" fi fi -if [ -d "/tmp/ironic-certificates" ]; then +if [ "${CERTS_CHANGED:-0}" = "1" ] || [ "${IMAGE_CHANGED:-0}" = "1" ]; then mkdir -p /tmp/ca/tmp-initrd && cd /tmp/ca/tmp-initrd - xz -d -c -k --fast /shared/html/images/ironic-python-agent.initramfs | fakeroot -s ../initrd.fakeroot cpio -i mkdir -p etc/ironic-python-agent.d/ca-certs cp /tmp/ironic-certificates/* etc/ironic-python-agent.d/ca-certs/ - find . | fakeroot -i ../initrd.fakeroot cpio -o -H newc | xz --check=crc32 --x86 --lzma2 --fast > /shared/html/images/ironic-python-agent.initramfs + for initramfs in /shared/html/images/ironic-python-agent-*.initramfs; do + find . | cpio -o -H newc --reproducible | zstd -c >> "${initramfs}" + done + cp /tmp/certificates.sha256 /shared/certificates.sha256 fi 
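Review bot: The certificate step appends a cpio segment to the served initramfs with `>>` instead of rebuilding it. When only the certificates change and the image is not re-downloaded (the `IPA_BASEURI` path with a matching ETag), CA files removed from `/tmp/ironic-certificates` therefore stay in the earlier segment and are still unpacked into the ramdisk, and the file grows on every change. The block also no longer checks that `/tmp/ironic-certificates` exists, so with `IMAGE_CHANGED=1` and no certificate directory both `cp` commands fail. I would keep an unmodified copy of each ramdisk and regenerate the served file from it behind the directory test, roughly as below. Files in the appended archive are now owned by the UID running the script because `fakeroot` was dropped; confirm the agent does not depend on root ownership.

```shell
if [ -d /tmp/ironic-certificates ] && { [ "${CERTS_CHANGED:-0}" = "1" ] || [ "${IMAGE_CHANGED:-0}" = "1" ]; }; then
    # … unchanged: create /tmp/ca/tmp-initrd and copy the certificates into it …
    find . | cpio -o -H newc --reproducible | zstd -c > /tmp/ca/ca-certs.cpio.zst
    for initramfs in /shared/html/images/ironic-python-agent-*.initramfs; do
        served=$(readlink -f "${initramfs}")
        # Refresh the pristine copy whenever a new image was installed.
        if [ "${IMAGE_CHANGED:-0}" = "1" ] || [ ! -e "${served}.orig" ]; then
            cp "${served}" "${served}.orig"
        fi
        # Rebuild from the pristine copy so removed certificates do not linger.
        cat "${served}.orig" /tmp/ca/ca-certs.cpio.zst > "${served}.new"
        mv "${served}.new" "${served}"
    done
    # … unchanged: update /shared/certificates.sha256 …
fi
```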
diff --git a/ironic-ipa-ramdisk/ironic-ipa-ramdisk.kiwi b/ironic-ipa-ramdisk/ironic-ipa-ramdisk.kiwi index dfe043c..594b8c0 100644 --- a/ironic-ipa-ramdisk/ironic-ipa-ramdisk.kiwi +++ b/ironic-ipa-ramdisk/ironic-ipa-ramdisk.kiwi @@ -1,5 +1,5 @@ - + Cloud developers cloud-devel@suse.de diff --git a/ironic-ipa-ramdisk/ironic-ipa-ramdisk.spec b/ironic-ipa-ramdisk/ironic-ipa-ramdisk.spec index ceda68c..3785871 100644 --- a/ironic-ipa-ramdisk/ironic-ipa-ramdisk.spec +++ b/ironic-ipa-ramdisk/ironic-ipa-ramdisk.spec @@ -19,7 +19,7 @@ Name: ironic-ipa-ramdisk -Version: 3.0.2 +Version: 3.0.3 Release: 0 Summary: Kernel and ramdisk image for OpenStack Ironic License: SUSE-EULA @@ -148,10 +148,8 @@ TDIR=`mktemp -d /tmp/openstack-ironic-image.XXXXX` cd /tmp/openstack-ironic-image/img/build/image-root find . | cpio --create --format=newc --quiet > $TDIR/initrdtmp cd $TDIR -gzip -9 -f initrdtmp -INITRDGZ=`ls *.gz | head -1` -gzip -cd $INITRDGZ | xz --check=crc32 -c9 > initrd.xz -INITRD=`ls *.xz | head -1` +zstd initrdtmp -o initrd-%{_arch}.zst +INITRD=`ls *.zst | head -1` ls /tmp/openstack-ironic-image/img/openstack-ironic-image* KERNEL=`ls /tmp/openstack-ironic-image/img/openstack-ironic-image*default*kernel | head -1` diff --git a/metal3-chart/Chart.yaml b/metal3-chart/Chart.yaml index d7f6529..bdaef46 100644 --- a/metal3-chart/Chart.yaml +++ b/metal3-chart/Chart.yaml 
@@ -1,16 +1,16 @@ -#!BuildTag: %%IMG_PREFIX%%metal3-chart:%%CHART_MAJOR%%.0.0_up0.10.1 -#!BuildTag: %%IMG_PREFIX%%metal3-chart:%%CHART_MAJOR%%.0.0_up0.10.1-%RELEASE% +#!BuildTag: %%IMG_PREFIX%%metal3-chart:%%CHART_MAJOR%%.0.2_up0.11.0 +#!BuildTag: %%IMG_PREFIX%%metal3-chart:%%CHART_MAJOR%%.0.2_up0.11.0-%RELEASE% apiVersion: v2 -appVersion: 0.10.1 +appVersion: 0.11.0 dependencies: - alias: metal3-baremetal-operator name: baremetal-operator repository: file://./charts/baremetal-operator - version: 0.9.0 + version: 0.9.1 - alias: metal3-ironic name: ironic repository: file://./charts/ironic - version: 0.9.4 + version: 0.10.0 - alias: metal3-mariadb condition: global.enable_mariadb name: mariadb @@ -25,4 +25,4 @@ description: A Helm chart that installs all of the dependencies needed for Metal icon: https://github.com/cncf/artwork/raw/master/projects/metal3/icon/color/metal3-icon-color.svg name: metal3 type: application -version: "%%CHART_MAJOR%%.0.0+up0.10.1" +version: "%%CHART_MAJOR%%.0.2+up0.11.0" diff --git a/metal3-chart/charts/baremetal-operator/Chart.yaml b/metal3-chart/charts/baremetal-operator/Chart.yaml index ffc076a..d9b1527 100644 --- a/metal3-chart/charts/baremetal-operator/Chart.yaml +++ b/metal3-chart/charts/baremetal-operator/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 -appVersion: 0.9.0 +appVersion: 0.9.1 description: A Helm chart for baremetal-operator, used by Metal3 name: baremetal-operator type: application -version: 0.9.0 +version: 0.9.1 diff --git a/metal3-chart/charts/baremetal-operator/templates/configmap-ironic.yaml b/metal3-chart/charts/baremetal-operator/templates/configmap-ironic.yaml index 86ed040..550e610 100644 --- a/metal3-chart/charts/baremetal-operator/templates/configmap-ironic.yaml +++ b/metal3-chart/charts/baremetal-operator/templates/configmap-ironic.yaml 
@@ -5,6 +5,7 @@ {{- $ironicApiHost := print $ironicIP ":6385" }} {{- $ironicBootHost := print $ironicIP ":6180" }} {{- $ironicCacheHost := print $ironicIP ":6180" }} + {{- $deployArch := .Values.global.deployArchitecture }} apiVersion: v1 data: @@ -19,8 +20,9 @@ data: {{- $protocol = "http" }} {{- end }} CACHEURL: "{{ $protocol }}://{{ $ironicCacheHost }}/images" - DEPLOY_KERNEL_URL: "{{ $protocol }}://{{ $ironicBootHost }}/images/ironic-python-agent.kernel" - DEPLOY_RAMDISK_URL: "{{ $protocol }}://{{ $ironicBootHost }}/images/ironic-python-agent.initramfs" + DEPLOY_KERNEL_URL: "{{ $protocol }}://{{ $ironicBootHost }}/images/ironic-python-agent-{{ $deployArch }}.kernel" + DEPLOY_RAMDISK_URL: "{{ $protocol }}://{{ $ironicBootHost }}/images/ironic-python-agent-{{ $deployArch }}.initramfs" + DEPLOY_ARCHITECTURE: "{{ $deployArch }}" kind: ConfigMap metadata: name: baremetal-operator-ironic diff --git a/metal3-chart/charts/baremetal-operator/values.yaml b/metal3-chart/charts/baremetal-operator/values.yaml index 90008e7..07bd439 100644 --- a/metal3-chart/charts/baremetal-operator/values.yaml +++ b/metal3-chart/charts/baremetal-operator/values.yaml @@ -28,7 +28,7 @@ images: baremetalOperator: repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/baremetal-operator pullPolicy: IfNotPresent - tag: "0.9.0" + tag: "0.9.1" imagePullSecrets: [] nameOverride: "manger" diff --git a/metal3-chart/charts/ironic/Chart.yaml b/metal3-chart/charts/ironic/Chart.yaml index 4dfed9b..c6c7aa7 100644 --- a/metal3-chart/charts/ironic/Chart.yaml +++ b/metal3-chart/charts/ironic/Chart.yaml @@ -3,4 +3,4 @@ appVersion: 26.1.2 description: A Helm chart for Ironic, used by Metal3 name: ironic type: application -version: 0.9.4 +version: 0.10.0 diff --git a/metal3-chart/charts/ironic/templates/configmap.yaml b/metal3-chart/charts/ironic/templates/configmap.yaml index dafe310..c5846db 100644 --- a/metal3-chart/charts/ironic/templates/configmap.yaml 
+++ b/metal3-chart/charts/ironic/templates/configmap.yaml @@ -12,6 +12,7 @@ data: {{- $ironicApiHost := print $ironicIP ":6385" }} {{- $ironicBootHost := print $ironicIP ":6180" }} {{- $ironicCacheHost := print $ironicIP ":6180" }} + {{- $deployArch := .Values.global.deployArchitecture }} {{- if ( .Values.global.enable_dnsmasq ) }} DNSMASQ_BOOT_SERVER_ADDRESS: {{ $ironicBootHost }} @@ -39,8 +40,9 @@ data: {{- end }} IRONIC_EXTERNAL_HTTP_URL: {{ $protocol }}://{{ $ironicCacheHost }} CACHEURL: {{ $protocol }}://{{ $ironicCacheHost }}/images - DEPLOY_KERNEL_URL: {{ $protocol }}://{{ $ironicBootHost }}/images/ironic-python-agent.kernel - DEPLOY_RAMDISK_URL: {{ $protocol }}://{{ $ironicBootHost }}/images/ironic-python-agent.initramfs + DEPLOY_KERNEL_URL: {{ $protocol }}://{{ $ironicBootHost }}/images/ironic-python-agent-{{ $deployArch }}.kernel + DEPLOY_RAMDISK_URL: {{ $protocol }}://{{ $ironicBootHost }}/images/ironic-python-agent-{{ $deployArch }}.initramfs + DEPLOY_ARCHITECTURE: {{ $deployArch }} IRONIC_BOOT_BASE_URL: {{ $protocol }}://{{ $ironicBootHost }} IRONIC_VMEDIA_HTTPD_SERVER_NAME: {{ $ironicBootHost }} ENABLE_PXE_BOOT: "{{ .Values.global.enable_pxe_boot }}" diff --git a/metal3-chart/charts/ironic/values.yaml b/metal3-chart/charts/ironic/values.yaml index e061b6f..f62e089 100644 --- a/metal3-chart/charts/ironic/values.yaml +++ b/metal3-chart/charts/ironic/values.yaml @@ -56,11 +56,11 @@ images: ironic: repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic pullPolicy: IfNotPresent - tag: 26.1.2.3 + tag: 26.1.2.4 ironicIPADownloader: repository: registry.opensuse.org/isv/suse/edge/metal3/containers/images/ironic-ipa-downloader pullPolicy: IfNotPresent - tag: 3.0.2 + tag: 3.0.3 nameOverride: "" fullnameOverride: "" diff --git a/metal3-chart/values.yaml b/metal3-chart/values.yaml index b4ac0f9..e7c4f1b 100644 --- a/metal3-chart/values.yaml +++ b/metal3-chart/values.yaml 
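Review bot: In the ironic configmap.yaml hunks `$deployArch` is read from `.Values.global.deployArchitecture` with no default or validation and then spliced into `DEPLOY_KERNEL_URL`, `DEPLOY_RAMDISK_URL` and `DEPLOY_ARCHITECTURE`. When the subchart is rendered without the parent chart's globals, the URLs end in `ironic-python-agent-.kernel`. I would use `{{- $deployArch := .Values.global.deployArchitecture | default "x86_64" }}`, fail the render for anything other than `x86_64` or `arm64`, and quote the new key as `DEPLOY_ARCHITECTURE: "{{ $deployArch }}"` to match the baremetal-operator ConfigMap. The same unvalidated lookup is in the configmap-ironic.yaml hunk of the baremetal-operator chart earlier in this commit.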
@@ -63,6 +63,9 @@ global: # Name for the MariaDB service databaseServiceName: metal3-mariadb + # Architecture for deployed nodes (either x86_64 or arm64) + deployArchitecture: x86_64 + # In a multi-node cluster use the node selector to ensure the pods # all run on the same host where the dnsmasqDNSServer and provisioningIP # and /opt/media exist. Uncomment the nodeSelector and update the diff --git a/shim-noarch/shim-15.7-150300.4.16.1.aarch64.rpm b/shim-noarch/shim-15.7-150300.4.16.1.aarch64.rpm new file mode 100644 index 0000000..d780602 Binary files /dev/null and b/shim-noarch/shim-15.7-150300.4.16.1.aarch64.rpm differ diff --git a/shim-noarch/shim-15.7-150300.4.16.1.x86_64.rpm b/shim-noarch/shim-15.7-150300.4.16.1.x86_64.rpm new file mode 100644 index 0000000..e8cac3d Binary files /dev/null and b/shim-noarch/shim-15.7-150300.4.16.1.x86_64.rpm differ diff --git a/shim-noarch/shim.changes b/shim-noarch/shim.changes new file mode 100644 index 0000000..f8eced6 --- /dev/null +++ b/shim-noarch/shim.changes 
@@ -0,0 +1,1099 @@ +------------------------------------------------------------------- +Thu Mar 14 06:05:12 UTC 2024 - Gary Ching-Pang Lin + +- Update shim-install to set the SRK algorithm for the grub2 + TPM2 key protector (bsc#1213945) + 92d0f4305df73 Set the SRK algorithm for the TPM2 protector +- Add the missing BuildRequires: update-bootloader-rpm-macros + for the update_bootloader_* macros in %post and %posttrans + +------------------------------------------------------------------- +Wed Sep 20 09:00:36 UTC 2023 - Gary Ching-Pang Lin + +- Update shim-install to fix boot failure of ext4 root file system + on RAID10 (bsc#1205855) + 226c94ca5cfca Use hint in looking for root if possible +- Adopt the macros from fde-tpm-helper-macros to update the + signature in the sealed key after a bootloader upgrade + +------------------------------------------------------------------- +Thu Jul 13 07:20:50 UTC 2023 - Gary Ching-Pang Lin + +- Upgrade shim-install to support TPM 2.0 Key File + b540061 Adopt TPM 2.0 Key File for grub2 TPM 2.0 protector + +------------------------------------------------------------------- +Tue Jul 11 14:02:16 UTC 2023 - Marcus Meissner + +- remove compat efi dir and binaries + +------------------------------------------------------------------- +Mon Jun 12 11:12:36 UTC 2023 - Marcus Meissner + +- Update shim to 15.7-150300.4.16.1 from SLE15-SP3 + - include aarch64 shims. + - do not require shim-susesigned, was a workaround on 15-sp2. 
+ +- quieten factory-auto bot as we are not buiding from source: + - shim-arch-independent-names.patch removed + - shim-change-debug-file-path.patch removed + +------------------------------------------------------------------- +Wed Apr 26 07:09:48 UTC 2023 - Dennis Tseng + +- Update shim to 15.7-150300.4.11.1 from SLE15-SP3 + + Version: 15.7, "Thu Mar 17 2023" + + Update the SLE signatures + + Include the fixes for bsc#1205588, bsc#1202120, bsc#1201066, + (bsc#1198458, CVE-2022-28737), bsc#1198101, bsc#1193315, bsc#1193282 + +------------------------------------------------------------------- +Thu Apr 13 05:28:10 UTC 2023 - Joey Lee + +- Upgrade shim-install for bsc#1210382 + After closing Leap-gap project since Leap 15.3, openSUSE Leap direct + uses shim from SLE. So the ca_string is 'SUSE Linux Enterprise Secure Boot + CA1', not 'openSUSE Secure Boot CA1'. It causes that the update_boot=no, + so all files in /boot/efi/EFI/boot are not updated. + + The 86b73d1 patch added the logic that using ID field in os-release for + checking Leap distro and set ca_string to 'SUSE Linux Enterprise Secure + Boot CA1'. Then /boot/efi/EFI/boot/* can also be updated. +- https://github.com/SUSE/shim-resources (git log --oneline) + 86b73d1 Fix that bootx64.efi is not updated on Leap + f2e8143 Use the long name to specify the grub2 key protector + 7283012 cryptodisk: support TPM authorized policies + 49e7a0d Do not use tpm_record_pcrs unless the command is in command.lst + 26c6bd5 Have grub take a snapshot of "relevant" TPM PCRs + 5c2c3ad Handle different cases of controlling cryptomount volumes during first stage boot + a5c5734 Introduce --no-grub-install option + +------------------------------------------------------------------- +Tue Aug 17 09:29:05 UTC 2021 - Marcus Meissner + +- restore the shim-susesigned installation via buildrequires here. 
+ +------------------------------------------------------------------- +Thu Jul 22 06:47:20 UTC 2021 - jlee@suse.com + +- Update to shim to 15.4-4.7.1 from SLE15-SP3 + + Version: 15.4, "Thu Jul 15 2021" + + Update the SLE signatures + + Include the fixes for bsc#1187696, bsc#1185261, bsc#1185441, + bsc#1187071, bsc#1185621, bsc#1185261, bsc#1185232, bsc#1185261, + bsc#1187260, bsc#1185232. +- Remove shim-install because the shim-install is updated in SLE + 15.4 RPM. + +------------------------------------------------------------------- +Wed May 26 11:50:43 UTC 2021 - Gary Ching-Pang Lin + +- shim-install: remove the unexpected residual "removable" label + for Azure (bsc#1185464, bsc#1185961) + +------------------------------------------------------------------- +Wed May 19 01:31:02 UTC 2021 - Gary Ching-Pang Lin + +- shim-install: instead of assuming "removable" for Azure, remove + fallback.efi from \EFI\Boot and copy grub.efi/cfg to \EFI\Boot + to make \EFI\Boot bootable and keep the boot option created by + efibootmgr (bsc#1185464, bsc#1185961) + +------------------------------------------------------------------- +Fri May 7 08:46:32 UTC 2021 - Gary Ching-Pang Lin + +- shim-install: always assume "removable" for Azure to avoid the + endless reset loop (bsc#1185464) + +------------------------------------------------------------------- +Tue Apr 27 08:58:26 UTC 2021 - Gary Ching-Pang Lin + +- Also package the debuginfo and debugsource +- Drop COPYRIGHT file since it's already in the shim rpm package + +------------------------------------------------------------------- +Tue Apr 27 01:33:36 UTC 2021 - Gary Ching-Pang Lin + +- Update to the unified shim binary from SLE15-SP3 for SBAT support + (bsc#1182057) + + Version: 15.4, "Thu Apr 22 03:26:48 UTC 2021" + + Merged EKU codesign check (bsc#1177315) +- Drop merged patches + + shim-arch-independent-names.patch + + shim-change-debug-file-path.patch + + shim-bsc1092000-fallback-menu.patch + + 
shim-always-mirror-mok-variables.patch + + shim-correct-license-in-headers.patch + + gcc9-fix-warnings.patch + + shim-fix-gnu-efi-3.0.11.patch + + shim-bsc1173411-only-check-efi-var-on-sb.patch +- Drop shim-opensuse-cert-prompt.patch since the openSUSE kernel + enabled lockdown. + +------------------------------------------------------------------- +Fri Oct 16 02:00:45 UTC 2020 - Gary Ching-Pang Lin + +- Include suse-signed shim (bsc#1177315) +- shim-install: Support changing default shim efi binary in + /usr/etc/default/shim and /etc/default/shim (bsc#1177315) + +------------------------------------------------------------------- +Mon Aug 24 09:12:18 UTC 2020 - Gary Ching-Pang Lin + +- shim-install: install MokManager to \EFI\boot to process the + pending MOK request (bsc#1175626, bsc#1175656) + +------------------------------------------------------------------- +Thu Aug 6 09:43:19 UTC 2020 - Gary Ching-Pang Lin + +- Amend the check of %shim_enforce_ms_signature + +------------------------------------------------------------------- +Fri Jul 31 08:05:05 UTC 2020 - Johannes Segitz + +- Updated SUSE signature + +------------------------------------------------------------------- +Wed Jul 22 09:23:02 UTC 2020 - Gary Ching-Pang Lin + +- Update the path to grub-tpm.efi in shim-install (bsc#1174320) + +------------------------------------------------------------------- +Fri Jul 10 07:21:27 UTC 2020 - Gary Ching-Pang Lin + +- Use vendor-dbx to block old SUSE/openSUSE signkeys (bsc#1168994) + + Add dbx-cert.tar.xz which contains the certificates to block + and a script, generate-vendor-dbx.sh, to generate + vendor-dbx.bin + + Add vendor-dbx.bin as the vendor dbx to block unwanted keys +- Drop shim-opensuse-signed.efi + + We don't need it anymore + +------------------------------------------------------------------- +Fri Jul 10 06:28:44 UTC 2020 - Gary Ching-Pang Lin + +- Add shim-bsc1173411-only-check-efi-var-on-sb.patch to only check + EFI variable copying when Secure 
Boot is enabled (bsc#1173411) + +------------------------------------------------------------------- +Tue Mar 31 08:38:56 UTC 2020 - Gary Ching-Pang Lin + +- Use the full path of efibootmgr to avoid errors when invoking + shim-install from packagekitd (bsc#1168104) + +------------------------------------------------------------------- +Mon Mar 30 06:20:47 UTC 2020 - Gary Ching-Pang Lin + +- Use "suse_version" instead of "sle_version" to avoid + shim_lib64_share_compat being set in Tumbleweed forever. + +------------------------------------------------------------------- +Mon Mar 16 09:42:34 UTC 2020 - Gary Ching-Pang Lin + +- Add shim-fix-gnu-efi-3.0.11.patch to fix the build error caused + by the upgrade of gnu-efi + +------------------------------------------------------------------- +Wed Nov 27 06:23:11 UTC 2019 - Michael Chang + +- shim-install: add check for btrfs is used as root file system to enable + relative path lookup for file. (bsc#1153953) + +------------------------------------------------------------------- +Fri Aug 16 04:07:30 UTC 2019 - Gary Ching-Pang Lin + +- Fix a typo in shim-install (bsc#1145802) + +------------------------------------------------------------------- +Fri Apr 19 10:32:11 UTC 2019 - Martin Liška + +- Add gcc9-fix-warnings.patch (bsc#1121268). + +------------------------------------------------------------------- +Mon Apr 15 09:24:07 UTC 2019 - Gary Ching-Pang Lin + +- Add shim-opensuse-signed.efi, the openSUSE shim-15+git47 binary + (bsc#1113225) + +------------------------------------------------------------------- +Fri Apr 12 08:50:49 UTC 2019 - Gary Ching-Pang Lin + +- Disable AArch64 build (FATE#325971) + + AArch64 machines don't use UEFI CA, at least for now. 
+ +------------------------------------------------------------------- +Thu Apr 11 15:52:47 UTC 2019 - jsegitz@suse.com + +- Updated shim signature: signature-sles.x86_64.asc (bsc#1120026) + +------------------------------------------------------------------- +Thu Feb 14 17:03:00 UTC 2019 - rw@suse.com + +- Fix conditions for '/usr/share/efi'-move (FATE#326960) + +------------------------------------------------------------------- +Mon Jan 28 03:18:53 UTC 2019 - Gary Ching-Pang Lin + +- Amend shim.spec to remove $RPM_BUILD_ROOT + +------------------------------------------------------------------- +Thu Jan 17 17:12:14 UTC 2019 - rw@suse.com + +- Move 'efi'-executables to '/usr/share/efi' (FATE#326960) + (preparing the move to 'noarch' for this package) + +------------------------------------------------------------------- +Mon Jan 14 09:48:59 UTC 2019 - Gary Ching-Pang Lin + +- Update shim-install to handle the partitioned MD devices + (bsc#1119762, bsc#1119763) + +------------------------------------------------------------------- +Thu Dec 20 04:13:00 UTC 2018 - Gary Ching-Pang Lin + +- Update to 15+git47 (bsc#1120026, FATE#325971) + + git commit: b3e4d1f7555aabbf5d54de5ea7cd7e839e7bd83d +- Retire the old openSUSE 4096 bit certificate + + Those programs are already out of maintenance. 
+- Add shim-always-mirror-mok-variables.patch to mirror MOK + variables correctly +- Add shim-correct-license-in-headers.patch to correct the license + declaration +- Refresh patches: + + shim-arch-independent-names.patch + + shim-change-debug-file-path.patch + + shim-bsc1092000-fallback-menu.patch + + shim-opensuse-cert-prompt.patch +- Drop upstreamed patches: + + shim-bsc1088585-handle-mok-allocations-better.patch + + shim-httpboot-amend-device-path.patch + + shim-httpboot-include-console.h.patch + + shim-only-os-name.patch + + shim-remove-cryptpem.patch + +------------------------------------------------------------------- +Wed Dec 5 10:28:00 UTC 2018 - Gary Ching-Pang Lin + +- Update shim-install to specify the target for grub2-install and + change the boot efi file name according to the architecture + (bsc#1118363, FATE#325971) + +------------------------------------------------------------------- +Tue Aug 21 07:36:36 UTC 2018 - glin@suse.com + +- Enable AArch64 build (FATE#325971) + + Also add the aarch64 signature files and rename the x86_64 + signature files + +------------------------------------------------------------------- +Tue May 29 06:41:59 UTC 2018 - glin@suse.com + +- Add shim-bsc1092000-fallback-menu.patch to show a menu before + system reset ((bsc#1092000)) + +------------------------------------------------------------------- +Tue Apr 10 03:45:39 UTC 2018 - glin@suse.com + +- Add shim-bsc1088585-handle-mok-allocations-better.patch to avoid + double-freeing after enrolling a key from the disk (bsc#1088585) + + Also refresh shim-opensuse-cert-prompt.patch due to the change + in MokManager.c + +------------------------------------------------------------------- +Tue Apr 3 08:37:55 UTC 2018 - glin@suse.com + +- Install the certificates with a shim suffix to avoid conflicting + with other packages (bsc#1087847) + +------------------------------------------------------------------- +Fri Mar 23 04:47:35 UTC 2018 - glin@suse.com + +- Add the missing 
leading backlash to the DEFAULT_LOADER + (bsc#1086589) + +------------------------------------------------------------------- +Fri Jan 5 08:41:42 UTC 2018 - glin@suse.com + +- Add shim-httpboot-amend-device-path.patch to amend the device + path matching rule for httpboot (bsc#1065370) + +------------------------------------------------------------------- +Thu Jan 4 08:17:44 UTC 2018 - glin@suse.com + +- Update to 14 (bsc#1054712) +- Adjust make commands in spec +- Drop upstreamed fixes + + shim-add-fallback-verbose-print.patch + + shim-back-to-openssl-1.0.2e.patch + + shim-fallback-workaround-masked-ami-variables.patch + + shim-fix-fallback-double-free.patch + + shim-fix-httpboot-crash.patch + + shim-fix-openssl-flags.patch + + shim-more-tpm-measurement.patch +- Add shim-httpboot-include-console.h.patch to include console.h + in httpboot.c to avoid build failure +- Add shim-remove-cryptpem.patch to replace functions in CryptPem.c + with the null function +- Update SUSE/openSUSE specific patches + + shim-only-os-name.patch + + shim-arch-independent-names.patch + + shim-change-debug-file-path.patch + + shim-opensuse-cert-prompt.patch + +------------------------------------------------------------------- +Fri Dec 29 18:41:12 UTC 2017 - ngompa13@gmail.com + +- Fix debuginfo + debugsource subpackage generation for RPM 4.14 +- Set the RPM groups correctly for debug{info,source} subpackages +- Drop deprecated and out of date Authors information in description + +------------------------------------------------------------------- +Wed Sep 13 04:13:21 UTC 2017 - glin@suse.com + +- Add shim-back-to-openssl-1.0.2e.patch to avoid rejecting some + legit certificates (bsc#1054712) +- Add the stderr mask back while compiling MokManager.efi since the + warnings in Cryptlib is back after reverting the openssl commits. 
+ +------------------------------------------------------------------- +Tue Aug 29 08:44:25 UTC 2017 - glin@suse.com + +- Add shim-add-fallback-verbose-print.patch to print the debug + messages in fallback.efi dynamically +- Refresh shim-fallback-workaround-masked-ami-variables.patch +- Add shim-more-tpm-measurement.patch to measure more components + and support TPM better + +------------------------------------------------------------------- +Wed Aug 23 10:28:44 UTC 2017 - glin@suse.com + +- Add upstream fixes + + shim-fix-httpboot-crash.patch + + shim-fix-openssl-flags.patch + + shim-fix-fallback-double-free.patch + + shim-fallback-workaround-masked-ami-variables.patch +- Remove the stderr mask while compiling MokManager.efi since the + warnings in Cryptlib were fixed. + +------------------------------------------------------------------- +Tue Aug 22 04:51:08 UTC 2017 - glin@suse.com + +- Add shim-arch-independent-names.patch to use the Arch-independent + names. (bsc#1054712) +- Refresh shim-change-debug-file-path.patch +- Disable shim-opensuse-cert-prompt.patch automatically in SLE +- Diable AArch64 until we have a real user and aarch64 signature + +------------------------------------------------------------------- +Fri Jul 14 16:40:52 UTC 2017 - bwiedemann@suse.com + +- Make build reproducible by avoiding race between find and cp + +------------------------------------------------------------------- +Thu Jun 22 03:26:00 UTC 2017 - glin@suse.com + +- Update to 12 +- Rename the result EFI images due to the upstream name change + + shimx64 -> shim + + mmx64 -> MokManager + + fbx64 -> fallback +- Refresh patches: + + shim-only-os-name.patch + + shim-change-debug-file-path.patch + + shim-opensuse-cert-prompt.patch +- Drop upstreamed patches: + + shim-httpboot-support.patch + + shim-bsc973496-mokmanager-no-append-write.patch + + shim-bsc991885-fix-sig-length.patch + + shim-update-openssl-1.0.2g.patch + + shim-update-openssl-1.0.2h.patch + 
+------------------------------------------------------------------- +Tue May 23 03:44:48 UTC 2017 - glin@suse.com + +- Add the build flag to enable HTTPBoot + +------------------------------------------------------------------- +Wed Mar 22 10:54:41 UTC 2017 - mchang@suse.com + +- shim-install: add option --suse-enable-tpm (fate#315831) + +------------------------------------------------------------------- +Fri Jan 13 09:21:49 UTC 2017 - mchang@suse.com + +- Support %posttrans with marcos provided by update-bootloader-rpm-macros + package (bsc#997317) + +------------------------------------------------------------------- +Fri Nov 18 09:23:01 UTC 2016 - glin@suse.com + +- Add SIGNATURE_UPDATE.txt to state the steps to update + signature-*.asc +- Update the comment of strip_signature.sh + +------------------------------------------------------------------- +Wed Sep 21 09:55:40 UTC 2016 - mchang@suse.com + +- shim-install : + * add option --no-nvram (bsc#999818) + * improve removable media and fallback mode handling + +------------------------------------------------------------------- +Fri Aug 19 06:46:59 UTC 2016 - mchang@suse.com + +- shim-install : fix regression of password prompt (bsc#993764) + +------------------------------------------------------------------- +Fri Aug 5 02:53:54 UTC 2016 - glin@suse.com + +- Add shim-bsc991885-fix-sig-length.patch to fix the signature + length passed to Authenticode (bsc#991885) + +------------------------------------------------------------------- +Wed Aug 3 09:10:25 UTC 2016 - glin@suse.com + +- Update shim-bsc973496-mokmanager-no-append-write.patch to try + append write first + +------------------------------------------------------------------- +Tue Aug 2 02:59:46 UTC 2016 - glin@suse.com + +- Add shim-update-openssl-1.0.2h.patch to update openssl to 1.0.2h +- Bump the requirement of gnu-efi due to the HTTPBoot support + +------------------------------------------------------------------- +Mon Aug 1 09:01:59 UTC 2016 - 
glin@suse.com + +- Add shim-httpboot-support.patch to support HTTPBoot +- Add shim-update-openssl-1.0.2g.patch to update openssl to 1.0.2g + and Cryptlib to 5e2318dd37a51948aaf845c7d920b11f47cdcfe6 +- Drop patches since they are merged into + shim-update-openssl-1.0.2g.patch + + shim-update-openssl-1.0.2d.patch + + shim-gcc5.patch + + shim-bsc950569-fix-cryptlib-va-functions.patch + + shim-fix-aarch64.patch +- Refresh shim-change-debug-file-path.patch +- Add shim-bsc973496-mokmanager-no-append-write.patch to work + around the firmware that doesn't support APPEND_WRITE (bsc973496) +- shim-install : remove '\n' from the help message (bsc#991188) +- shim-install : print a message if there is no valid EFI partition + (bsc#991187) + +------------------------------------------------------------------- +Mon May 9 11:20:56 UTC 2016 - rw@suse.com + +- shim-install : support simple MD RAID1 target devices (FATE#314829) + +------------------------------------------------------------------- +Wed May 4 10:40:52 UTC 2016 - agraf@suse.com + +- Add shim-fix-aarch64.patch to fix compilation on AArch64 (bsc#978438) + +------------------------------------------------------------------- +Wed Mar 9 07:15:52 UTC 2016 - mchang@suse.com + +- shim-install : fix typing ESC can escape to parent config which is + in command mode and cannot return back (bsc#966701) +- shim-install : fix no which command for JeOS (bsc#968264) + +------------------------------------------------------------------- +Thu Dec 3 10:26:14 UTC 2015 - jsegitz@novell.com + +- acquired updated signature from Microsoft + +------------------------------------------------------------------- +Mon Nov 9 08:22:43 UTC 2015 - glin@suse.com + +- Add shim-bsc950569-fix-cryptlib-va-functions.patch to fix the + definition of va functions to avoid the potential crash + (bsc#950569) +- Update shim-opensuse-cert-prompt.patch to avoid setting NULL to + MokListRT (bsc#950801) +- Drop shim-fix-mokmanager-sections.patch as we are using the 
+ newer binutils now +- Refresh shim-change-debug-file-path.patch + +------------------------------------------------------------------- +Thu Oct 8 06:49:43 UTC 2015 - jsegitz@novell.com + +- acquired updated signature from Microsoft + +------------------------------------------------------------------- +Tue Sep 15 05:03:10 UTC 2015 - mchang@suse.com + +- shim-install : set default GRUB_DISTRIBUTOR from /etc/os-release + if it is empty or not set by user (bsc#942519) + +------------------------------------------------------------------- +Thu Jul 16 06:49:01 UTC 2015 - glin@suse.com + +- Add shim-update-openssl-1.0.2d.patch to update openssl to 1.0.2d +- Refresh shim-gcc5.patch and add it back since we really need it +- Add shim-change-debug-file-path.patch to change the debug file + path in shim.efi + + also add the debuginfo and debugsource subpackages +- Drop shim-fix-gnu-efi-30w.patch which is not necessary anymore + +------------------------------------------------------------------- +Mon Jul 6 09:06:02 UTC 2015 - glin@suse.com + +- Update to 0.9 +- Refresh patches + + shim-fix-gnu-efi-30w.patch + + shim-fix-mokmanager-sections.patch + + shim-opensuse-cert-prompt.patch +- Drop upstreamed patches + + shim-bsc920515-fix-fallback-buffer-length.patch + + shim-mokx-support.patch + + shim-update-cryptlib.patch +- Drop shim-bsc919675-uninstall-shim-protocols.patch since + upstream fixed the bug in another way. 
+- Drop shim-gcc5.patch which was fixed in another way + +------------------------------------------------------------------- +Wed Apr 8 07:10:39 UTC 2015 - glin@suse.com + +- Fix tags in the spec file + +------------------------------------------------------------------- +Tue Apr 7 07:42:06 UTC 2015 - glin@suse.com + +- Add shim-update-cryptlib.patch to update Cryptlib to r16559 and + openssl to 0.9.8zf +- Add shim-bsc919675-uninstall-shim-protocols.patch to uninstall + the shim protocols at Exit (bsc#919675) +- Add shim-bsc920515-fix-fallback-buffer-length.patch to adjust + the buffer size for the boot options (bsc#920515) +- Refresh shim-opensuse-cert-prompt.patch + +------------------------------------------------------------------- +Thu Apr 2 16:31:28 UTC 2015 - crrodriguez@opensuse.org + +- shim-gcc5.patch: shim needs -std=gnu89 to build with GCC5 + +------------------------------------------------------------------- +Tue Feb 17 06:02:34 UTC 2015 - mchang@suse.com + +- shim-install : fix cryptodisk installation (boo#917427) + +------------------------------------------------------------------- +Tue Nov 11 04:26:00 UTC 2014 - glin@suse.com + +- Add shim-fix-mokmanager-sections.patch to fix the objcopy + parameters for the EFI files + +------------------------------------------------------------------- +Tue Oct 28 04:00:51 UTC 2014 - glin@suse.com + +- Update to 0.8 +- Add shim-fix-gnu-efi-30w.patch to adapt the change in + gnu-efi-3.0w +- Merge shim-signed-unsigned-compares.patch, + shim-mokmanager-support-sha-family.patch and + shim-bnc863205-mokmanager-fix-hash-delete.patch into + shim-mokx-support.patch +- Refresh shim-opensuse-cert-prompt.patch +- Drop upstreamed patches: shim-update-openssl-0.9.8zb.patch, + bug-889332_shim-overflow.patch, and bug-889332_shim-mok-oob.patch +- Enable aarch64 + +------------------------------------------------------------------- +Mon Oct 13 13:09:14 UTC 2014 - jsegitz@novell.com + +- Fixed buffer overflow and OOB access in 
shim trusted code path + (bnc#889332, CVE-2014-3675, CVE-2014-3676, CVE-2014-3677) + * added bug-889332_shim-mok-oob.patch, bug-889332_shim-overflow.patch +- Added new certificate by Microsoft + +------------------------------------------------------------------- +Wed Sep 3 12:32:25 UTC 2014 - lnussel@suse.de + +- re-introduce build failure if shim_enforce_ms_signature is defined. That way + a project like openSUSE:Factory can decide whether or not shim needs a valid + MS signature. + +------------------------------------------------------------------- +Tue Aug 19 04:38:36 UTC 2014 - glin@suse.com + +- Add shim-update-openssl-0.9.8zb.patch to update openssl to + 0.9.8zb + +------------------------------------------------------------------- +Tue Aug 12 14:19:36 UTC 2014 - jsegitz@suse.com + +- updated shim to new version (OpenSSL 0.9.8za) and requested a new + certificate from Microsoft. Removed + * shim-allow-fallback-use-system-loadimage.patch + * shim-bnc872503-check-key-encoding.patch + * shim-bnc877003-fetch-from-the-same-device.patch + * shim-correct-user_insecure-usage.patch + * shim-fallback-avoid-duplicate-bootorder.patch + * shim-fallback-improve-entries-creation.patch + * shim-fix-dhcpv4-path-generation.patch + * shim-fix-uninitialized-variable.patch + * shim-fix-verify-mok.patch + * shim-get-variable-check.patch + * shim-improve-error-messages.patch + * shim-mokmanager-delete-bs-var-right.patch + * shim-mokmanager-handle-keystroke-error.patch + * shim-remove-unused-variables.patch + since they're included in upstream and rebased the remaining onces. 
+ Added shim-signed-unsigned-compares.patch to fix some compiler + warnings + +------------------------------------------------------------------- +Tue Aug 12 09:18:42 UTC 2014 - glin@suse.com + +- Keep shim-devel.efi for the devel project + +------------------------------------------------------------------- +Fri Aug 8 11:18:36 UTC 2014 - lnussel@suse.de + +- don't fail the build if the UEFI signing service signature can't + be attached anymore. This way shim can still pass through staging + projects. We will verify the correct signature for release builds + using openQA instead. + +------------------------------------------------------------------- +Mon Aug 4 07:53:22 UTC 2014 - mchang@suse.com + +- shim-install: fix GRUB shows broken letters at boot by calling + grub2-install to initialize /boot/grub2 directory with files + needed by grub.cfg (bnc#889765) + +------------------------------------------------------------------- +Wed May 28 04:13:33 UTC 2014 - glin@suse.com + +- Add shim-remove-unused-variables.patch to remove the unused + variables +- Add shim-bnc872503-check-key-encoding.patch to check the encoding + of the keys (bnc#872503) +- Add shim-bnc877003-fetch-from-the-same-device.patch to fetch the + netboot image from the same device (bnc#877003) +- Refresh shim-opensuse-cert-prompt.patch + +------------------------------------------------------------------- +Wed May 14 09:39:02 UTC 2014 - glin@suse.com + +- Use --reinit instead of --refresh in %post to update the files + in /boot + +------------------------------------------------------------------- +Tue Apr 29 07:38:11 UTC 2014 - mchang@suse.com + +- shim-install: fix boot partition and rollback support kluge + (bnc#875385) + +------------------------------------------------------------------- +Thu Apr 10 08:20:20 UTC 2014 - glin@suse.com + +- Replace shim-mokmanager-support-sha1.patch with + shim-mokmanager-support-sha-family.patch to support the SHA + family + 
+------------------------------------------------------------------- +Mon Apr 7 09:32:21 UTC 2014 - glin@suse.com + +- Add shim-mokmanager-support-sha1.patch to support SHA1 hashes in + MOK + +------------------------------------------------------------------- +Mon Mar 31 11:57:13 UTC 2014 - mchang@suse.com + +- snapper rollback support (fate#317062) + - refresh shim-install + +------------------------------------------------------------------- +Thu Mar 13 02:32:15 UTC 2014 - glin@suse.com + +- Insert the right signature (bnc#867974) + +------------------------------------------------------------------- +Mon Mar 10 07:56:44 UTC 2014 - glin@suse.com + +- Add shim-fix-uninitialized-variable.patch to fix the use of + uninitialzed variables in lib + +------------------------------------------------------------------- +Fri Mar 7 09:09:12 UTC 2014 - glin@suse.com + +- Add shim-mokmanager-delete-bs-var-right.patch to delete the BS+NV + variables the right way +- Update shim-opensuse-cert-prompt.patch to delete openSUSE_Verify + correctly + +------------------------------------------------------------------- +Thu Mar 6 07:37:57 UTC 2014 - glin@suse.com + +- Add shim-fallback-avoid-duplicate-bootorder.patch to fix the + duplicate entries in BootOrder +- Add shim-allow-fallback-use-system-loadimage.patch to handle the + shim protocol properly to keep only one protocol entity +- Refresh shim-opensuse-cert-prompt.patch + +------------------------------------------------------------------- +Thu Mar 6 03:53:49 UTC 2014 - mchang@suse.com + +- shim-install: fix the $prefix to use grub2-mkrelpath for paths + on btrfs subvolume (bnc#866690). + +------------------------------------------------------------------- +Tue Mar 4 04:19:05 UTC 2014 - glin@suse.com + +- FATE#315002: Update shim-install to install shim.efi as the EFI + default bootloader when none exists in \EFI\boot. 
+ +------------------------------------------------------------------- +Thu Feb 27 09:46:49 UTC 2014 - fcrozat@suse.com + +- Update signature-sles.asc: shim signed by UEFI signing service, + based on code from "Thu Feb 20 11:57:01 UTC 2014" + +------------------------------------------------------------------- +Fri Feb 21 08:45:46 UTC 2014 - glin@suse.com + +- Add shim-opensuse-cert-prompt.patch to show the prompt to ask + whether the user trusts the openSUSE certificate or not + +------------------------------------------------------------------- +Thu Feb 20 11:57:01 UTC 2014 - lnussel@suse.de + +- allow package to carry multiple signatures +- check correct certificate is embedded + +------------------------------------------------------------------- +Thu Feb 20 10:06:47 UTC 2014 - lnussel@suse.de + +- always clean up generated files that embed certificates + (shim_cert.h shim.cer shim.crt) to make sure next build loop + rebuilds them properly + +------------------------------------------------------------------- +Mon Feb 17 09:58:56 UTC 2014 - glin@suse.com + +- Add shim-bnc863205-mokmanager-fix-hash-delete.patch to fix the + hash deletion operation to avoid ruining the whole list + (bnc#863205) + +------------------------------------------------------------------- +Tue Feb 11 06:30:02 UTC 2014 - glin@suse.com + +- Update shim-mokx-support.patch to support the resetting of MOK + blacklist +- Add shim-get-variable-check.patch to fix the variable checking + in get_variable_attr +- Add shim-fallback-improve-entries-creation.patch to improve the + boot entry pathes and avoid generating the boot entries that + are already there +- Update SUSE certificate +- Update attach_signature.sh, show_hash.sh, strip_signature.sh, + extract_signature.sh and show_signatures.sh to remove the + creation of the temporary nss database +- Add shim-only-os-name.patch: remove the kernel version of the + build server +- Match the the prefix of the project name properly by escaping the + 
percent sign. + +------------------------------------------------------------------- +Wed Jan 22 13:45:44 UTC 2014 - lnussel@suse.de + +- enable signature assertion also in SUSE: hierarchy + +------------------------------------------------------------------- +Fri Dec 6 06:44:43 UTC 2013 - glin@suse.com + +- Add shim-mokmanager-handle-keystroke-error.patch to handle the + error status from ReadKeyStroke to avoid unexpected keys + +------------------------------------------------------------------- +Thu Dec 5 02:05:13 UTC 2013 - glin@suse.com + +- Update to 0.7 +- Add upstream patches: + + shim-fix-verify-mok.patch + + shim-improve-error-messages.patch + + shim-correct-user_insecure-usage.patch + + shim-fix-dhcpv4-path-generation.patch +- Add shim-mokx-support.patch to support the MOK blacklist + (Fate#316531) +- Drop upstreamed patches + + shim-fix-pointer-casting.patch + + shim-merge-lf-loader-code.patch + + shim-fix-simple-file-selector.patch + + shim-mokmanager-support-crypt-hash-method.patch + + shim-bnc804631-fix-broken-bootpath.patch + + shim-bnc798043-no-doulbe-separators.patch + + shim-bnc807760-change-pxe-2nd-loader-name.patch + + shim-bnc808106-correct-certcount.patch + + shim-mokmanager-ui-revamp.patch + + shim-netboot-fixes.patch + + shim-mokmanager-disable-gfx-console.patch +- Drop shim-suse-build.patch: it's not necessary anymore +- Drop shim-bnc841426-silence-shim-protocols.patch: shim is not + verbose by default + +------------------------------------------------------------------- +Thu Oct 31 09:11:18 UTC 2013 - fcrozat@suse.com + +- Update microsoft.asc: shim signed by UEFI signing service, based + on code from "Tue Oct 1 04:29:29 UTC 2013". 
+ +------------------------------------------------------------------- +Tue Oct 1 04:29:29 UTC 2013 - glin@suse.com + +- Add shim-netboot-fixes.patch to include upstream netboot fixes +- Add shim-mokmanager-disable-gfx-console.patch to disable the + graphics console to avoid system hang on some machines +- Add shim-bnc841426-silence-shim-protocols.patch to silence the + shim protocols (bnc#841426) + +------------------------------------------------------------------- +Wed Sep 25 07:17:54 UTC 2013 - glin@suse.com + +- Create boot.csv in ESP for fallback.efi to restore the boot entry + +------------------------------------------------------------------- +Tue Sep 17 10:53:50 CEST 2013 - fcrozat@suse.com + +- Update microsoft.asc: shim signed by UEFI signing service, based + on code from "Fri Sep 6 13:57:36 UTC 2013". +- Improve extract_signature.sh to work on current path. + +------------------------------------------------------------------- +Fri Sep 6 13:57:36 UTC 2013 - lnussel@suse.de + +- set timestamp of PE file to time of the binary the signature was + made for. +- make sure cert.o get's rebuilt for each target + +------------------------------------------------------------------- +Fri Sep 6 11:48:14 CEST 2013 - fcrozat@suse.com + +- Update microsoft.asc: shim signed by UEFI signing service, based + on code from "Wed Aug 28 15:54:38 UTC 2013" + +------------------------------------------------------------------- +Wed Aug 28 15:54:38 UTC 2013 - lnussel@suse.de + +- always build a shim that embeds the distro's certificate (e.g. + shim-opensuse.efi). If the package is built in the devel project + additionally shim-devel.efi is created. That allows us to either + load grub2/kernel signed by the distro or signed by the devel + project, depending on use case. Also shim-$distro.efi from the + devel project can be used to request additional signatures. 
+ +------------------------------------------------------------------- +Wed Aug 28 07:16:51 UTC 2013 - lnussel@suse.de + +- also include old openSUSE 4096 bit certificate to be able to still + boot kernels signed with that key. +- add show_signatures script + +------------------------------------------------------------------- +Tue Aug 27 06:41:03 UTC 2013 - lnussel@suse.de + +- replace the 4096 bit openSUSE UEFI CA certificate with new a + standard compliant 2048 bit one. + +------------------------------------------------------------------- +Tue Aug 20 11:48:25 UTC 2013 - lnussel@suse.de + +- fix shell syntax error + +------------------------------------------------------------------- +Wed Aug 7 15:51:36 UTC 2013 - lnussel@suse.de + +- don't include binary in the sources. Instead package the raw + signature and attach it during build (bnc#813448). + +------------------------------------------------------------------- +Tue Jul 30 07:36:28 UTC 2013 - glin@suse.com + +- Update shim-mokmanager-ui-revamp.patch to include fixes for + MokManager + + reboot the system after clearing MOK password + + fetch more info from X509 name + + check the suffix of the key file + +------------------------------------------------------------------- +Tue Jul 23 03:55:05 UTC 2013 - glin@suse.com + +- Update to 0.4 +- Rebase patches + + shim-suse-build.patch + + shim-mokmanager-support-crypt-hash-method.patch + + shim-bnc804631-fix-broken-bootpath.patch + + shim-bnc798043-no-doulbe-separators.patch + + shim-bnc807760-change-pxe-2nd-loader-name.patch + + shim-bnc808106-correct-certcount.patch + + shim-mokmanager-ui-revamp.patch +- Add patches + + shim-merge-lf-loader-code.patch: merge the Linux Foundation + loader UI code + + shim-fix-pointer-casting.patch: fix a casting issue and the + size of an empty vendor cert + + shim-fix-simple-file-selector.patch: fix the buffer allocation + in the simple file selector +- Remove upstreamed patches + + shim-support-mok-delete.patch + + 
shim-reboot-after-changes.patch + + shim-clear-queued-key.patch + + shim-local-key-sign-mokmanager.patch + + shim-get-2nd-stage-loader.patch + + shim-fix-loadoptions.patch +- Remove unused patch: shim-mokmanager-new-pw-hash.patch and + shim-keep-unsigned-mokmanager.patch +- Install the vendor certificate to /etc/uefi/certs + +------------------------------------------------------------------- +Wed May 8 06:40:12 UTC 2013 - glin@suse.com + +- Add shim-mokmanager-ui-revamp.patch to update the MokManager UI + +------------------------------------------------------------------- +Wed Apr 3 03:54:22 UTC 2013 - glin@suse.com + +- Call update-bootloader in %post to update *.efi in \efi\opensuse + (bnc#813079) + +------------------------------------------------------------------- +Fri Mar 8 06:53:47 UTC 2013 - glin@suse.com + +- Add shim-bnc807760-change-pxe-2nd-loader-name.patch to change the + PXE 2nd stage loader name (bnc#807760) +- Add shim-bnc808106-correct-certcount.patch to correct the + certificate count of the signature list (bnc#808106) + +------------------------------------------------------------------- +Fri Mar 1 10:07:55 UTC 2013 - glin@suse.com + +- Add shim-bnc798043-no-doulbe-separators.patch to remove double + seperators from the bootpath (bnc#798043#c4) + +------------------------------------------------------------------- +Thu Feb 28 08:57:48 UTC 2013 - lnussel@suse.de + +- sign shim also with openSUSE certificate + +------------------------------------------------------------------- +Wed Feb 27 15:52:53 CET 2013 - mls@suse.de + +- identify project, export certificate as DER file +- don't create an unused extra keypair + +------------------------------------------------------------------- +Thu Feb 21 10:08:12 UTC 2013 - glin@suse.com + +- Add shim-bnc804631-fix-broken-bootpath.patch to fix the broken + bootpath generated in generate_path(). 
(bnc#804631) + +------------------------------------------------------------------- +Mon Feb 11 12:15:25 UTC 2013 - fcrozat@suse.com + +- Update with shim signed by UEFI signing service, based on code + from "Thu Feb 7 06:56:19 UTC 2013". + +------------------------------------------------------------------- +Thu Feb 7 13:54:06 UTC 2013 - lnussel@suse.de + +- prepare for having a signed shim from the UEFI signing service + +------------------------------------------------------------------- +Thu Feb 7 06:56:19 UTC 2013 - glin@suse.com + +- Sign shim-opensuse.efi and MokManager.efi with the openSUSE cert +- Add shim-keep-unsigned-mokmanager.patch to keep the unsigned + MokManager and sign it later. + +------------------------------------------------------------------- +Wed Feb 6 06:35:45 UTC 2013 - mchang@suse.com + +- Add shim-install utility +- Add Recommends to grub2-efi + +------------------------------------------------------------------- +Wed Jan 30 09:00:31 UTC 2013 - glin@suse.com + +- Add shim-mokmanager-support-crypt-hash-method.patch to support + password hash from /etc/shadow (FATE#314506) + +------------------------------------------------------------------- +Tue Jan 29 03:20:48 UTC 2013 - glin@suse.com + +- Embed openSUSE-UEFI-CA-Certificate.crt in shim +- Rename shim-unsigned.efi to shim-opensuse.efi. + +------------------------------------------------------------------- +Fri Jan 18 10:06:13 UTC 2013 - glin@suse.com + +- Update shim-mokmanager-new-pw-hash.patch to extend the password + hash format +- Rename shim.efi as shim-unsigned.efi + +------------------------------------------------------------------- +Wed Jan 16 08:01:55 UTC 2013 - glin@suse.com + +- Merge patches for FATE#314506 + + Add shim-support-mok-delete.patch to add support for deleting + specific keys + + Add shim-mokmanager-new-pw-hash.patch to support the new + password hash. 
+- Drop shim-correct-mok-size.patch which is included in + shim-support-mok-delete.patch +- Merge shim-remove-debug-code.patch and + shim-local-sign-mokmanager.patch into + shim-local-key-sign-mokmanager.patch +- Install COPYRIGHT + +------------------------------------------------------------------- +Tue Jan 15 03:17:53 UTC 2013 - glin@suse.com + +- Add shim-fix-loadoptions.patch to adopt the UEFI shell style + LoadOptions (bnc#798043) +- Drop shim-check-pk-kek.patch since upstream rejected the patch + due to violation of SPEC. +- Install EFI binaries to /usr/lib64/efi + +------------------------------------------------------------------- +Wed Dec 26 07:05:02 UTC 2012 - glin@suse.com + +- Update shim-reboot-after-changes.patch to avoid rebooting the + system after enrolling keys/hashes from the file system +- Add shim-correct-mok-size.patch to correct the size of MOK +- Add shim-clear-queued-key.patch to clear the queued key and show + the menu properly + +------------------------------------------------------------------- +Wed Dec 12 15:16:18 UTC 2012 - fcrozat@suse.com + +- Remove shim-rpmlintrc, it wasn't fixing the error, hide error + stdout to prevent post build check to get triggered by cast + warnings in openSSL code +- Add shim-remove-debug-code.patch: remove debug code + +------------------------------------------------------------------- +Wed Dec 12 04:01:52 UTC 2012 - glin@suse.com + +- Add shim-rpmlintrc to filter 64bit portability errors + +------------------------------------------------------------------- +Tue Dec 11 07:36:32 UTC 2012 - glin@suse.com + +- Add shim-local-sign-mokmanager.patch to create a local certicate + to sign MokManager +- Add shim-get-2nd-stage-loader.patch to get the second stage + loader path from the load options +- Add shim-check-pk-kek.patch to verify EFI images with PK and KEK +- Add shim-reboot-after-changes.patch to reboot the system after + enrolling or erasing keys +- Install the EFI images to /usr/lib64/shim instead 
of the EFI + partition +- Update the mail address of the author + +------------------------------------------------------------------- +Fri Nov 2 08:19:37 UTC 2012 - glin@suse.com + +- Add new package shim 0.2 (FATE#314484) + + It's in fact git 2fd180a92 since there is no tag for 0.2 + diff --git a/shim-noarch/shim.spec b/shim-noarch/shim.spec new file mode 100644 index 0000000..44c1652 --- /dev/null +++ b/shim-noarch/shim.spec 
@@ -0,0 +1,90 @@
+#
+# spec file for package shim
+#
+# Copyright (c) 2021 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+%undefine _debuginfo_subpackages
+%undefine _build_create_debug
+# Move 'efi'-executables to '/usr/share/efi' (FATE#326960, bsc#1166523)
+%define sysefibasedir %{_datadir}/efi
+
+Name: shim
+Version: 15.7
+Release: 0
+Summary: UEFI shim loader
+License: BSD-2-Clause
+Group: System/Boot
+URL: https://github.com/rhboot/shim
+Source: shim-15.7-150300.4.16.1.x86_64.rpm
+Source1: shim-15.7-150300.4.16.1.aarch64.rpm
+Requires: perl-Bootloader
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
+BuildArch: noarch
+
+%description
+shim is a trivial EFI application that, when run, attempts to open and
+execute another application.
+
+%package aarch64
+Provides: shim(aarch64)
+Group: System/Boot
+Summary: UEFI shim loader
+
+%package x86_64
+Provides: shim(x86_64)
+Group: System/Boot
+Summary: UEFI shim loader
+
+%description aarch64
+shim is a trivial EFI application that, when run, attempts to open and
+execute another application.
+
+%description x86_64
+shim is a trivial EFI application that, when run, attempts to open and
+execute another application.
+
+%prep
+rpm2cpio %{SOURCE0} | cpio --extract --unconditional --preserve-modification-time --make-directories
+rpm2cpio %{SOURCE1} | cpio --extract --unconditional --preserve-modification-time --make-directories
+
+%build
+
+%install
+# purely repackaged
+cp -a * %{buildroot}
+rm -rf %{buildroot}/usr/lib64/efi
+rm %{buildroot}/etc/uefi/certs/BCA4E38E-shim.crt %{buildroot}/usr/sbin/shim-install %{buildroot}/usr/share/doc/packages/shim/COPYRIGHT
+
+%files aarch64
+%defattr(-,root,root)
+%dir %{?sysefibasedir}
+%dir %{sysefibasedir}/aarch64
+%{sysefibasedir}/aarch64/shim.efi
+%{sysefibasedir}/aarch64/shim-*.efi
+%{sysefibasedir}/aarch64/shim-*.der
+%{sysefibasedir}/aarch64/MokManager.efi
+%{sysefibasedir}/aarch64/fallback.efi
+
+%files x86_64
+%defattr(-,root,root)
+%dir %{?sysefibasedir}
+%dir %{sysefibasedir}/x86_64
+%{sysefibasedir}/x86_64/shim.efi
+%{sysefibasedir}/x86_64/shim-*.efi
+%{sysefibasedir}/x86_64/shim-*.der
+%{sysefibasedir}/x86_64/MokManager.efi
+%{sysefibasedir}/x86_64/fallback.efi
+
+%changelog
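Review bot: `%prep` unpacks the two prebuilt shim RPMs with `rpm2cpio | cpio` without verifying them, so the EFI binaries shipped in `shim-x86_64` and `shim-aarch64` are whatever was uploaded as `Source` and `Source1`. Because shim is the first link of the Secure Boot chain, the inputs should be pinned before extraction, for example `echo "<SHA256_OF_X86_64_RPM>  %{SOURCE0}" | sha256sum -c -` and the same for `%{SOURCE1}` (the digests are placeholders, to be taken from the signed origin repository), or checked against the vendor RPM signing key if the build root carries it. The two pipes also run without `pipefail`, so a failing `rpm2cpio` is noticed only if `cpio` rejects the stream it received; `set -o pipefail` at the top of `%prep`, assuming the build shell is bash, would close that. In `%install`, `cp -a *` followed by `rm` of known extras is a deny-list, and copying only `usr/share/efi/aarch64` and `usr/share/efi/x86_64` into `%{buildroot}` would state the intended payload explicitly.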