Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package pcr-oracle for openSUSE:Factory checked in at 2025-03-07 16:39:40 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pcr-oracle (Old) and /work/SRC/openSUSE:Factory/.pcr-oracle.new.19136 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pcr-oracle" Fri Mar 7 16:39:40 2025 rev:18 rq:1251154 version:0.5.4 Changes: -------- --- /work/SRC/openSUSE:Factory/pcr-oracle/pcr-oracle.changes 2025-02-27 14:51:04.520830854 +0100 +++ /work/SRC/openSUSE:Factory/.pcr-oracle.new.19136/pcr-oracle.changes 2025-03-07 16:40:56.386271311 +0100 @@ -1,0 +2,9 @@ +Fri Mar 7 06:19:42 UTC 2025 - Gary Ching-Pang Lin <g...@suse.com> + +- Add fix-bsc1230316-predict-sbatlevelrt-sb-off.patch to fix the + prediction of SbatLevelRT when Secure Boot is disabled + (bsc#1230316) +- Add fix-bsc1230316-make-pcr4-hard-requirement.patch to make PCR4 + a hard requirement for SbatLevelRT prediction (bsc#1230316) + +------------------------------------------------------------------- New: ---- fix-bsc1230316-make-pcr4-hard-requirement.patch fix-bsc1230316-predict-sbatlevelrt-sb-off.patch BETA DEBUG BEGIN: New: (bsc#1230316) - Add fix-bsc1230316-make-pcr4-hard-requirement.patch to make PCR4 a hard requirement for SbatLevelRT prediction (bsc#1230316) New: - Add fix-bsc1230316-predict-sbatlevelrt-sb-off.patch to fix the prediction of SbatLevelRT when Secure Boot is disabled BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pcr-oracle.spec ++++++ --- /var/tmp/diff_new_pack.0YzfDj/_old 2025-03-07 16:40:56.998296921 +0100 +++ /var/tmp/diff_new_pack.0YzfDj/_new 2025-03-07 16:40:56.998296921 +0100 
@@ -42,6 +42,10 @@ Patch6: fix-event-reshash-for-cryptouuid.patch # PATCH-FIX-UPSTREAM fix-bsc1230316-predict-sbatlevelrt.patch gh#okirch/pcr-oracle!61 Patch7: fix-bsc1230316-predict-sbatlevelrt.patch +# PATCH-FIX-UPSTREAM fix-bsc1230316-predict-sbatlevelrt-sb-off.patch gh#okirch/pcr-oracle!61 +Patch8: fix-bsc1230316-predict-sbatlevelrt-sb-off.patch +# PATCH-FIX-UPSTREAM fix-bsc1230316-make-pcr4-hard-requirement.patch gh#okirch/pcr-oracle!61 +Patch9: fix-bsc1230316-make-pcr4-hard-requirement.patch BuildRequires: libopenssl-devel >= 0.9.8 BuildRequires: tpm2-0-tss-devel >= 2.4.0 Requires: libtss2-tcti-device0 ++++++ fix-bsc1230316-make-pcr4-hard-requirement.patch ++++++ >From 55fe5c34cf41813fd91fff85281770da77913b68 Mon Sep 17 00:00:00 2001 From: Gary Lin <g...@suse.com> Date: Fri, 7 Mar 2025 16:40:36 +0800 Subject: [PATCH 2/2] Stop the SbatLevelRT prediction if .sbatlevel not available The SbatLevelRT prediction relies on the PCR4 events to locate shim.efi, so PCR4 has to be a hard requirement. Signed-off-by: Gary Lin <g...@suse.com> --- src/efi-variable.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/efi-variable.c b/src/efi-variable.c index b70f63b..f8527cc 100644 --- a/src/efi-variable.c +++ b/src/efi-variable.c @@ -291,9 +291,9 @@ efi_variable_authority_get_record(const tpm_parsed_event_t *parsed, const char * db_name = "MokList"; } else if (!strcmp(var_short_name, "SbatLevel")) { - if (ctx->sbatlevel != NULL) - return efi_sbatlevel_get_record(ctx->sbatlevel); - return runtime_read_efi_variable(var_name); + if (ctx->sbatlevel == NULL) + fatal("No reference .sbatlevel section. Please add PCR4 into the PCR index list\n"); + return efi_sbatlevel_get_record(ctx->sbatlevel); } else { /* Read as-is (this could be SbatLevel, or some other variable that's not * a signature db). */ -- 2.43.0 ++++++ fix-bsc1230316-predict-sbatlevelrt-sb-off.patch ++++++ >From 07e43365379ef5bd9fb53a45306af02025442b92 Mon Sep 17 00:00:00 2001 
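Review bot: The new `fatal()` in the SbatLevel branch of efi_variable_authority_get_record replaces the old fallback of `runtime_read_efi_variable(var_name)` without a comment saying why a hard stop is preferred, and the message only names a missing PCR4 even though `ctx->sbatlevel` being NULL may also mean the shim found via PCR4 carried no .sbatlevel section (inferred; the code that fills `ctx->sbatlevel` is not in the hunk). A two-line comment above the check would keep the next maintainer from re-adding the fallback, e.g. `/* ctx->sbatlevel is the .sbatlevel section of the shim located through the PCR4 events; without it the next-boot value of SbatLevelRT cannot be predicted, and reading the live variable would silently yield a value that may change at the next boot. */`. Note also that `efi_sbatlevel_get_record()` returns NULL on its own error paths, so this branch can still hand NULL to the caller; whether that is handled is outside the hunk. efi_variable_authority_get_record begins and ends outside the hunk.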
From: Gary Lin <g...@suse.com> Date: Fri, 7 Mar 2025 14:09:34 +0800 Subject: [PATCH 1/2] Fix SbatLevelRT prediction when Secure Boot is disabled Since shim 15.8, instead of using SBAT automatic as the default candidate, it always resets SbatLevel to SBAT_ORIGINAL. To make the prediction work for shim >= 15.8, the additinal check is added to adjust the SBAT candidate. Also fix POLICY_RESET for not setting sbat_reset to true and a few typos. Signed-off-by: Gary Lin <g...@suse.com> --- src/efi-variable.c | 30 ++++++++++++++++++++++++++---- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/src/efi-variable.c b/src/efi-variable.c index 9c56eec..b70f63b 100644 --- a/src/efi-variable.c +++ b/src/efi-variable.c @@ -100,6 +100,7 @@ __tpm_event_efi_variable_build_event(const tpm_parsed_event_t *parsed, const voi #define POLICY_LATEST 1 #define POLICY_AUTOMATIC 2 #define POLICY_RESET 3 +#define POLICY_NOTREAD 255 #define SBAT_ORIGINAL "sbat,1,2021030218\n" @@ -169,6 +170,7 @@ efi_sbatlevel_get_record(buffer_t *sbatlevel) buffer_t *result = NULL; uint8_t secureboot; uint8_t sbatpolicy; + uint32_t auto_date; uint32_t current_date; uint32_t candidate_date; bool sbat_reset = false; @@ -178,6 +180,11 @@ efi_sbatlevel_get_record(buffer_t *sbatlevel) return NULL; } + if (!fetch_sbat_datestamp(sbat_automatic, strlen(sbat_automatic), &auto_date)) { + error("Unable to get datestamp of SBAT automatic\n"); + return NULL; + } + buffer = runtime_read_efi_variable(SECUREBOOT_VARNAME); if (buffer == NULL || !buffer_get_u8(buffer, &secureboot)) secureboot = 0; @@ -185,7 +192,7 @@ efi_sbatlevel_get_record(buffer_t *sbatlevel) buffer = runtime_read_efi_variable(SBATPOLICY_VARNAME); if (buffer == NULL || !buffer_get_u8(buffer, &sbatpolicy)) - sbatpolicy = POLICY_AUTOMATIC; + sbatpolicy = POLICY_NOTREAD; buffer_free(buffer); switch (sbatpolicy) { 
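Review bot: `POLICY_NOTREAD 255` (hunk @@ -100) is used as an in-band sentinel for a `uint8_t sbatpolicy` that is filled by `buffer_get_u8()` (hunk @@ -185), so a SbatPolicy variable that actually contains 255 is indistinguishable from an unreadable one and takes the not-read branch instead of the `default: error("Invalid SBAT policy\n")` path. Keeping the raw byte separate from the decision value avoids the collision with three lines: `uint8_t policy_byte; int sbatpolicy = POLICY_NOTREAD;` in the declarations, and `if (buffer != NULL && buffer_get_u8(buffer, &policy_byte)) sbatpolicy = policy_byte;` in place of the `if`/`sbatpolicy = POLICY_NOTREAD;` pair. The switch in hunk @@ -200 then works unchanged on the `int`. efi_sbatlevel_get_record begins before hunk @@ -169 and ends after hunk @@ -217.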
@@ -200,9 +207,24 @@ efi_sbatlevel_get_record(buffer_t *sbatlevel) infomsg("SBAT cannot be reset when Secure Boot is enabled.\n"); sbat_candidate = sbat_automatic; } else { + sbat_reset = true; sbat_candidate = SBAT_ORIGINAL; } break; + case POLICY_NOTREAD: + if (secureboot == 1) { + sbat_candidate = sbat_automatic; + } else { + /* shim 15.8 always resets SbatLevel when Secure Boot is disabled. + * The automatic datestamp of shim 15.8 is 2023012900. */ + if (auto_date >= 2023012900) { + sbat_reset = true; + sbat_candidate = SBAT_ORIGINAL; + } else { + sbat_candidate = sbat_automatic; + } + } + break; default: error("Invalid SBAT policy\n"); return NULL; @@ -217,12 +239,12 @@ efi_sbatlevel_get_record(buffer_t *sbatlevel) if (!fetch_sbat_datestamp(sbat_current, sbatlvlrt->size, ¤t_date) || !fetch_sbat_datestamp(sbat_candidate, strlen(sbat_candidate), &candidate_date)) { - error("Unable to get SBAT timestamp\n"); + error("Unable to get SBAT datestamp\n"); goto fail; } - debug("Current SBAT datestampe: %u\n", current_date); - debug("Candidate SBAT datestampe: %u\n", candidate_date); + debug("Current SBAT datestamp: %u\n", current_date); + debug("Candidate SBAT datestamp: %u\n", candidate_date); if (current_date >= candidate_date && sbat_reset == false) { debug("Use current SbatLevel\n"); -- 2.43.0
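Review bot: The literal `2023012900` in the new `case POLICY_NOTREAD` branch appears twice (once in the comment, once in the comparison) and encodes a shim-version boundary; give it a name next to `SBAT_ORIGINAL`, e.g. `#define SBAT_AUTO_DATE_SHIM_15_8 2023012900`, and compare with `if (auto_date >= SBAT_AUTO_DATE_SHIM_15_8) {`. The branch infers "shim >= 15.8 resets SbatLevel" from the datestamp of the automatic SBAT level alone; if a shim build carries the reset behaviour with an older automatic datestamp (or the reverse), the prediction silently picks the wrong candidate, which is worth stating in the comment so that future shim changes are checked against this assumption. The `sbat_reset = true;` added to `POLICY_RESET` matches the fix described in the commit message. efi_sbatlevel_get_record continues outside both hunks on this line.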