Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package sdbootutil for openSUSE:Factory checked in at 2025-04-07 17:35:12 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sdbootutil (Old) and /work/SRC/openSUSE:Factory/.sdbootutil.new.1907 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sdbootutil" Mon Apr 7 17:35:12 2025 rev:56 rq:1267670 version:1+git20250407.f84e1da Changes: -------- --- /work/SRC/openSUSE:Factory/sdbootutil/sdbootutil.changes 2025-04-04 17:29:34.125161848 +0200 +++ /work/SRC/openSUSE:Factory/.sdbootutil.new.1907/sdbootutil.changes 2025-04-07 17:35:27.757926180 +0200 @@ -1,0 +2,15 @@ +Mon Apr 07 13:02:21 UTC 2025 - Alberto Planas Dominguez <apla...@suse.com> + +- Update to version 1+git20250407.f84e1da: + * Drop PCR2 if in virtual machine + * Add have_slot function + * Get boot time from /proc/stat (boo#1240851) + +------------------------------------------------------------------- +Fri Apr 04 19:18:07 UTC 2025 - Alberto Planas Dominguez <apla...@suse.com> + +- Update to version 1+git20250404.f9b9576: + * Check free space early + * Add kernel version in title if grub2-bls + +------------------------------------------------------------------- Old: ---- sdbootutil-1+git20250404.20a1dfb.obscpio New: ---- sdbootutil-1+git20250407.f84e1da.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sdbootutil.spec ++++++ --- /var/tmp/diff_new_pack.Etw7Dx/_old 2025-04-07 17:35:28.277947931 +0200 +++ /var/tmp/diff_new_pack.Etw7Dx/_new 2025-04-07 17:35:28.281948098 +0200 @@ -17,7 +17,7 @@ Name: sdbootutil -Version: 1+git20250404.20a1dfb +Version: 1+git20250407.f84e1da Release: 0 Summary: bootctl wrapper for BLS boot loaders License: MIT ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.Etw7Dx/_old 2025-04-07 17:35:28.321949771 +0200 +++ /var/tmp/diff_new_pack.Etw7Dx/_new 2025-04-07 17:35:28.325949938 +0200 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/openSUSE/sdbootutil.git</param> - <param name="changesrevision">20a1dfbaa97e6bff8f36b5ac80904df18b2266b8</param></service></servicedata> + <param name="changesrevision">f84e1dadb523d1486bdec2aff048dd0b7b63a5e4</param></service></servicedata> (No newline at EOF) ++++++ sdbootutil-1+git20250404.20a1dfb.obscpio -> sdbootutil-1+git20250407.f84e1da.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sdbootutil-1+git20250404.20a1dfb/sdbootutil new/sdbootutil-1+git20250407.f84e1da/sdbootutil --- old/sdbootutil-1+git20250404.20a1dfb/sdbootutil 2025-04-04 15:13:34.000000000 +0200 +++ new/sdbootutil-1+git20250407.f84e1da/sdbootutil 2025-04-07 15:00:40.000000000 +0200 @@ -767,6 +767,12 @@ [ -n "$os_release_VERSION" ] || title="$title $os_release_VERSION_ID" } +add_kernel_version_to_title() +{ + # grub2-bls does not show the `version` field + title="$title ($snapshot@$kernel_version)" +} + pending_kernel_size() { echo $(($(stat -c %s "$1") / 1024 + 1)) @@ -890,6 +896,10 @@ info "Required free space in ESP: $required_size KB" + # If there is already free space, shortcut the code + free_space="$(boot_free_space)" + [ "$required_size" -gt "$free_space" ] || return 0 + # "Cleaning /boot/efi" message is presented via stderr dbg "Calling bootctl cleanup" bootctl -q cleanup 2> /dev/null @@ -980,7 +990,7 @@ if [ "${verbose:-0}" -le 1 ]; then dracut_args+=('--quiet') fi - + info "Generating new initrd" [ "$subvol" != "$root_subvol" ] && [ -n "$have_snapshots" ] && mount_chroot "${snapshot_dir}" 
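Review bot: `add_kernel_version_to_title` (hunk at -767) interpolates `$snapshot` and `$kernel_version` from the caller's scope without checking either, and the call site added in the hunk at -1017 reaches it through `elif is_grub2_bls`, a branch that is also taken when the subvolume is not a read-only snapshot. If `snapshot` can be empty on installs without snapshots (the `[ -n "$have_snapshots" ]` test in the -980 context suggests such installs exist), the title ends up as `(@<version>)`; `title="$title (${snapshot:+$snapshot@}$kernel_version)"` would avoid that. A header comment naming the globals the function reads and writes (`title`, `snapshot`, `kernel_version`) would also help.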
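Review bot: In the hunk at -890 the shortcut `[ "$required_size" -gt "$free_space" ] || return 0` also returns success when `boot_free_space` prints nothing or a non-number, because `[` then exits with status 2 and the `||` branch runs. The cleanup is therefore skipped exactly when the free-space probe failed. Testing the success case explicitly keeps a failed probe on the cleanup path: `[ -n "$free_space" ] && [ "$required_size" -le "$free_space" ] && return 0`. `free_space` is assigned without `local` in the lines shown; the enclosing function starts and ends outside the hunk, so it may be declared earlier.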
@@ -1017,11 +1027,11 @@ # shellcheck disable=SC2154 sort_key="$os_release_ID" - if is_transactional; then - add_version_to_title - elif subvol_is_ro "$subvol"; then - add_version_to_title + add_version_to_title + if ! is_transactional && subvol_is_ro "$subvol"; then set_snapper_title_and_sortkey "$snapshot" + elif is_grub2_bls; then + add_kernel_version_to_title fi local entry_machine_id= @@ -1354,7 +1364,7 @@ for dev in "${tracked_devices[@]}"; do echo "$dev" - done + done } is_bootable() @@ -1432,7 +1442,7 @@ riscv32*) grub2_arch=riscv32 ;; riscv64*) grub2_arch=riscv64 ;; esac - + # The old grub.efi will contain the BLS patches, but we cannot # use it because we also dropped the process of creating the # configuration file and installing bli.mod @@ -2347,10 +2357,9 @@ # file gets replaced (loader.conf) the new measurement cannot # be found in the event log, as contains the old hash, making # the aligment fail. - local last_reboot - last_reboot="$(systemctl show --property ActiveEnterTimestamp init.scope)" - last_reboot="${last_reboot#ActiveEnterTimestamp=}" - local minutes=$((1 + ($(date +%s) - $(date -d"$last_reboot" +%s)) / 60)) + local btime + read -r _ btime < <(grep btime /proc/stat) + local minutes=$((1 + ($(date +%s) - btime) / 60)) dbg "Cleaning shifted measurements older than $minutes minutes" find /var/lib/pcrlock.d -name 'shift-*.pcrlock' -type f -cmin +"$minutes" -delete @@ -2427,7 +2436,7 @@ # If the prediction fails, the system will ask for a password, # but we can do a re-enrollment using the recovery PIN. To - # register a recovery PIN the installer (disk-encryption-tool, + # register a recovery PIN the installer (sdbootutil-enroll, # YaST) will call this script deploying in the %u keyring # "sdbootutil[-pin]" entry. For re-enrollments we can use the # same entry, the PIN environment variable, or the 
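Review bot: In the hunk at -2347 `btime` is used without checking that the read from `/proc/stat` produced a value, and the `grep btime` pattern is unanchored. If nothing is read, bash arithmetic treats the empty `btime` as 0, `minutes` becomes the whole epoch in minutes, and the following `find ... -cmin +"$minutes" -delete` silently keeps every stale `shift-*.pcrlock` file. Anchoring and checking makes that failure visible: `read -r _ btime < <(grep '^btime ' /proc/stat)` followed by `[ -n "$btime" ] || warn "cannot read boot time from /proc/stat"`. The enclosing function starts and ends outside the hunk.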
@@ -2764,6 +2773,13 @@ [ -n "$(systemd-cryptenroll --fido2-device=list 2>/dev/null)" ] } +have_slot() +{ + local dev="${1:?}" + local kind="${2:?}" + grep -q "$kind" < <(systemd-cryptenroll "$dev") +} + add_crypttab_option() { # This version will share the same options for all crypto_LUKS @@ -2860,14 +2876,12 @@ keyid="$(keyctl id %user:cryptenroll 2> /dev/null)" || true [ -z "$keyid" ] || return 0 - local slots - slots=$(systemd-cryptenroll "$dev") # Do not use TPM2 slot for enrolling TPM2 - if [ "$arg_method" != "tpm2" ] && [ "$arg_method" != "tpm2+pin" ] && echo "$slots" | grep -q tpm2; then + if [ "$arg_method" != "tpm2" ] && [ "$arg_method" != "tpm2+pin" ] && have_slot "$dev" "tpm2"; then info "Unlocking using TPM2" unlock_method="--unlock-tpm2-device=auto" # Same for FIDO2 - elif [ "$arg_method" != "fido2" ] && echo "$slots" | grep -q fido2; then + elif [ "$arg_method" != "fido2" ] && have_slot "$dev" "fido2"; then info "Unlocking using FIDO2" unlock_method="--unlock-fido2-device=auto" fi @@ -3049,9 +3063,7 @@ # the recovery key the same as the recovery PIN. But if the # PIN is missing from the keyring, then we missed the # synchronization and the key and the PIN are different. - local slots - slots=$(systemd-cryptenroll "$dev") - if [ -z "$keyid_int" ] && echo "$slots" | grep -q tpm2; then + if [ -z "$keyid_int" ] && have_slot "$dev" "tpm2"; then warn "There is already a recovery PIN for the TPM2" warn "The recovery key and the recovery PIN are now different" fi 
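Review bot: `have_slot` (hunk at -2764) cannot tell "no such slot" from "`systemd-cryptenroll` failed", because the process substitution discards the command's exit status and a failed listing simply yields false. The callers in the hunks at -2860 and -3049 then skip the TPM2/FIDO2 unlock selection or the recovery-PIN warning without any diagnostic. Capturing the output first keeps the error: `local slots`, `slots="$(systemd-cryptenroll "$dev")" || return`, `grep -qwF -- "$kind" <<<"$slots"`; `-wF` also stops `$kind` from being read as a regex or matching inside a longer word. The -2860 hunk now runs `systemd-cryptenroll` once per `have_slot` call rather than once in total.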
@@ -3170,15 +3182,15 @@ if [ "$arg_method" = "tpm2" ] || [ "$arg_method" = "tpm2+pin" ]; then if [ -z "${FDE_SEAL_PCR_LIST}" ]; then if systemd-detect-virt -q; then - info "Virtualized systemd detected ($(systemd-detect-virt)). Dropping PCR0" + info "Virtualized systemd detected ($(systemd-detect-virt)). Dropping PCR0 and PCR2" FDE_SEAL_PCR_LIST="" else - FDE_SEAL_PCR_LIST="0," + FDE_SEAL_PCR_LIST="0,2," fi if is_sdboot; then - FDE_SEAL_PCR_LIST+="2,4,7,9" + FDE_SEAL_PCR_LIST+="4,7,9" elif is_grub2_bls; then - FDE_SEAL_PCR_LIST+="2,4,7,8,9" + FDE_SEAL_PCR_LIST+="4,7,8,9" else err "Bootloader not detected" fi ++++++ sdbootutil.obsinfo ++++++ --- /var/tmp/diff_new_pack.Etw7Dx/_old 2025-04-07 17:35:28.509957635 +0200 +++ /var/tmp/diff_new_pack.Etw7Dx/_new 2025-04-07 17:35:28.513957802 +0200 @@ -1,5 +1,5 @@ name: sdbootutil -version: 1+git20250404.20a1dfb -mtime: 1743772414 -commit: 20a1dfbaa97e6bff8f36b5ac80904df18b2266b8 +version: 1+git20250407.f84e1da +mtime: 1744030840 +commit: f84e1dadb523d1486bdec2aff048dd0b7b63a5e4
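Review bot: The guard `systemd-detect-virt -q` in the hunk at -3170 succeeds for containers as well as virtual machines, so the default policy loses PCR0, and now PCR2, in more environments than the log message names; `systemd-detect-virt -q --vm` would restrict it to VMs, if that is the intent. With both dropped, the default sealing list in a guest is `4,7,9` (or `4,7,8,9` for grub2-bls), so the key is no longer bound to any firmware-code measurement. That deserves a comment above the branch stating why these PCRs are unusable in a guest and that a non-empty `FDE_SEAL_PCR_LIST` overrides the default. The message also reads "Virtualized systemd detected" where "system" is presumably meant. The enclosing function starts and ends outside the hunk.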