Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package sdbootutil for openSUSE:Factory checked in at 2025-07-23 16:32:58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sdbootutil (Old) and /work/SRC/openSUSE:Factory/.sdbootutil.new.8875 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sdbootutil" Wed Jul 23 16:32:58 2025 rev:69 rq:1295113 version:1+git20250722.bf18f3b Changes: --------
--- /work/SRC/openSUSE:Factory/sdbootutil/sdbootutil.changes 2025-07-21 19:58:41.791104376 +0200
+++ /work/SRC/openSUSE:Factory/.sdbootutil.new.8875/sdbootutil.changes 2025-07-23 16:33:55.332887928 +0200
@@ -1,0 +2,6 @@
+Tue Jul 22 13:41:54 UTC 2025 - Alberto Planas Dominguez <apla...@suse.com>
+
+- Update to version 1+git20250722.bf18f3b:
+ * Measure kernel in PCR4 for grub2-bls if secure-boot
+
+-------------------------------------------------------------------
Old: ---- sdbootutil-1+git20250718.9f557f7.obscpio New: ---- sdbootutil-1+git20250722.bf18f3b.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ sdbootutil.spec ++++++
--- /var/tmp/diff_new_pack.lSPpFU/_old 2025-07-23 16:33:55.904911898 +0200
+++ /var/tmp/diff_new_pack.lSPpFU/_new 2025-07-23 16:33:55.904911898 +0200
@@ -18,7 +18,7 @@
 %global rustflags '-Clink-arg=-Wl,-z,relro,-z,now'
 Name: sdbootutil
-Version: 1+git20250718.9f557f7
+Version: 1+git20250722.bf18f3b
 Release: 0
 Summary: bootctl wrapper for BLS boot loaders
 License: MIT
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.lSPpFU/_old 2025-07-23 16:33:55.948913742 +0200
+++ /var/tmp/diff_new_pack.lSPpFU/_new 2025-07-23 16:33:55.948913742 +0200
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/openSUSE/sdbootutil.git</param> - <param name="changesrevision">9f557f706f928ce68f23b6148964d7b99d8d160b</param></service></servicedata> + <param name="changesrevision">bf18f3b7000989738f928d5d8388025db824111b</param></service></servicedata> (No newline at EOF)
++++++ sdbootutil-1+git20250718.9f557f7.obscpio -> sdbootutil-1+git20250722.bf18f3b.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sdbootutil-1+git20250718.9f557f7/sdbootutil new/sdbootutil-1+git20250722.bf18f3b/sdbootutil
--- old/sdbootutil-1+git20250718.9f557f7/sdbootutil 2025-07-18 18:22:02.000000000 +0200
+++ new/sdbootutil-1+git20250722.bf18f3b/sdbootutil 2025-07-22 15:40:31.000000000 +0200
@@ -287,6 +287,11 @@
 done
 }
+is_secure_boot()
+{
+ grep -q $'\x01' /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
+}
+
 is_sdboot()
 {
 local sdboot grub2_bls
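Review bot: `is_secure_boot` matches a 0x01 byte anywhere in the efivarfs file instead of testing the variable's value; efivarfs puts a 4-byte attribute word in front of the data, so the Secure Boot state is the byte at offset 4 and the `grep` is only right as long as no attribute byte is 0x01. A missing or unreadable variable (non-UEFI boot, efivarfs not mounted, chroot) also makes `grep` fail with an error on stderr, which callers cannot tell apart from Secure Boot being off; the other sdbootutil hunk then skips the PCR 4 kernel component without a message. Reading the value byte explicitly would make the check exact, for example `[ "$(od -An -tu1 -j4 -N1 "$var" 2>/dev/null | tr -d ' ')" = 1 ]` with `var` holding the efivarfs path. A short comment such as `# efivarfs: 4 attribute bytes, then the 1-byte SecureBoot value` above the test would document the layout.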
@@ -2387,6 +2392,34 @@
 done < <(jq --raw-output '.[] | .options, .linux, .initrd[0]' "$initialentryfile")
 fi
+ # With secure boot, grub2-bls will make shim to extend PCR4
+ if is_secure_boot; then
+ # 650-kernel-efi-application.pcrlock is not part of
+ # the pcrlock standards
+ # TODO: move to kernel-TYPE-pcrlock.rpm
+ shift_component 650-kernel-efi-application
+ local n=0
+ local -A kernels
+ while read -r linux; do
+ [ -f "${boot_root}$linux" ] || {
+ info "Missing ${boot_root}$linux, ignoring entry for prediction"
+ continue
+ }
+ [ -z "${kernels["$linux"]}" ] || continue
+ kernels["$linux"]=1
+ n=$((n+1))
+ # Limit to 4 because of the separator
+ [ "$n" -le 4 ] || {
+ info "More than 4 variations for 650-kernel-efi-application"
+ continue
+ }
+ pcrlock \
+ lock-pe \
+ --pcrlock=/var/lib/pcrlock.d/650-kernel-efi-application.pcrlock.d/linux-"$n".pcrlock \
+ "${boot_root}/$linux"
+ done < <(jq --raw-output 'sort_by(.priority, (.kernel | map(-.))) | map(.linux) | .[]' "$entryfile")
+ fi
+
 # Join the kernel and the initrd in a single component
 shift_component 710-grub2-bls-kernel-initrd-entry
 n=0
++++++ sdbootutil.obsinfo ++++++
--- /var/tmp/diff_new_pack.lSPpFU/_old 2025-07-23 16:33:56.088919609 +0200
+++ /var/tmp/diff_new_pack.lSPpFU/_new 2025-07-23 16:33:56.092919776 +0200
@@ -1,5 +1,5 @@ name: sdbootutil -version: 1+git20250718.9f557f7 -mtime: 1752855722 -commit: 9f557f706f928ce68f23b6148964d7b99d8d160b +version: 1+git20250722.bf18f3b +mtime: 1753191631 +commit: bf18f3b7000989738f928d5d8388025db824111b
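Review bot: In the `@@ -2387,6 +2392,34 @@` hunk of `sdbootutil` the exit status of `pcrlock lock-pe` is not checked and `n` is already incremented before the call, so a kernel that cannot be measured leaves a gap in the `linux-N.pcrlock` variants with nothing logged; appending `|| info "lock-pe failed for ${boot_root}$linux"` to the call would surface it (whether `set -e` is active is not visible here). The existence test uses `"${boot_root}$linux"` while the measured path is `"${boot_root}/$linux"`, which name the same file only if `$linux` always begins with `/`, so both should be built the same way. Kernels past the fourth are left out of the PCR 4 prediction, which presumably means TPM-based unlock will not match when one of them is booted; the `# Limit to 4` comment should say so. `linux` is not declared `local` in the visible lines, and the enclosing function starts and ends outside the hunk.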