Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim-leap for openSUSE:Factory checked in at 2026-06-25 10:55:00 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shim-leap (Old) and /work/SRC/openSUSE:Factory/.shim-leap.new.2088 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim-leap" Thu Jun 25 10:55:00 2026 rev:30 rq:1361510 version:16.1 Changes: -------- --- /work/SRC/openSUSE:Factory/shim-leap/shim-leap.changes 2026-05-27 16:18:48.773466638 +0200 +++ /work/SRC/openSUSE:Factory/.shim-leap.new.2088/shim-leap.changes 2026-06-25 10:58:06.291236198 +0200 
@@ -1,0 +2,27 @@ +Wed Jun 17 05:14:51 UTC 2026 - Joey Lee <[email protected]> + +- Apply nx-shim, create non-nx shim boot entry: + shim-16.1-lp156.7.1.aarch64.rpm + shim-16.1-lp156.7.1.x86_64.rpm + RPMs are coming from openSUSE secure-boot shim 15.6: + https://build.opensuse.org/projects/openSUSE:Factory:secure-boot/packages/shim/repositories/15.6/binaries + - Version: 16.1, "Aug 14 2025" + - Include the bug fixes for bsc#1205588 +- Use nx shim as the default shim binary. + Add Microsoft-signed nx-shim: + Source40 shim-opensuse.nx.x86.efi + Source41 shim-opensuse.nx.aarch64.efi +- Use ms-signed nx shim when the version equals with the version of + newly built shim + - Version mismatch indicates development of a new shim. +- Create non-nx shim boot entry as a fallback option + Because we apply nx shim as the default shim binary in + /boot/efi/EFI/opensuse/shim.efi + /boot/efi/EFI/boot/bootx64.efi or bootaa64.efi + In case that user got any problem when the machine boots with nx-shim, + so we create a new boot entry for non-nx shim as a fallback option by + efibootmgr. +- Removed the override shim-install. Let's direct use the shim-install + script from shim-16.1*.rpm. + +------------------------------------------------------------------- Old: ---- shim-16.1-lp156.4.1.aarch64.rpm shim-16.1-lp156.4.1.x86_64.rpm shim-install New: ---- shim-16.1-lp156.7.1.aarch64.rpm shim-16.1-lp156.7.1.x86_64.rpm ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shim-leap.spec ++++++ --- /var/tmp/diff_new_pack.jA2BJ3/_old 2026-06-25 10:58:06.911257595 +0200 +++ /var/tmp/diff_new_pack.jA2BJ3/_new 2026-06-25 10:58:06.915257734 +0200 
@@ -30,10 +30,9 @@ Summary: UEFI shim loader License: BSD-2-Clause Group: System/Boot -Source0: shim-16.1-lp156.4.1.x86_64.rpm -Source1: shim-16.1-lp156.4.1.aarch64.rpm +Source0: shim-16.1-lp156.7.1.x86_64.rpm +Source1: shim-16.1-lp156.7.1.aarch64.rpm Source2: README -Source3: shim-install # Certificates Used to Verify the Shim (DER format) # SUSE CA is also built-in to the shim via VENDOR_CERT_FILE # openSUSE Secure Boot CA, 2013-2035 @@ -94,9 +93,6 @@ cp -a etc usr %{buildroot} cp %{S:2} . -# Override shim-install -install -m 755 %{S:3} %{buildroot}/%{_sbindir}/shim-install - %if %{undefined shim_lib64_share_compat} # Remove the sym-links in /usr/lib64/efi rm -rf %{buildroot}/usr/lib64/efi @@ -313,6 +309,9 @@ %dir %{sysefidir} %{sysefidir}/shim.efi %{sysefidir}/shim-*.efi +%{sysefidir}/shim.non-nx.efi +%{sysefidir}/shim.nx.efi +%{sysefidir}/shim-*.nx.efi %{sysefidir}/shim-*.der %{sysefidir}/MokManager.efi %{sysefidir}/fallback.efi ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.jA2BJ3/_old 2026-06-25 10:58:06.991260356 +0200 +++ /var/tmp/diff_new_pack.jA2BJ3/_new 2026-06-25 10:58:06.995260495 +0200 @@ -1,6 +1,6 @@ -mtime: 1773308481 -commit: bc6b6ed6d2bd7fdf525b987c9f97aa9aa6f33b7034ab21f4f63a4a49a0bf0b35 +mtime: 1782201120 +commit: 85b02b1760238be1429fafa4f1ce3e1f230aa6a95c2ca5fbbeeea9e2d262dc45 url: https://src.opensuse.org/devel-factory/shim-leap -revision: bc6b6ed6d2bd7fdf525b987c9f97aa9aa6f33b7034ab21f4f63a4a49a0bf0b35 +revision: 85b02b1760238be1429fafa4f1ce3e1f230aa6a95c2ca5fbbeeea9e2d262dc45 projectscmsync: https://src.opensuse.org/devel-factory/_ObsPrj.git ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-06-23 09:52:00.000000000 +0200 
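Review bot: The added `%{sysefidir}/shim-*.nx.efi` line in the @@ -313,6 +309,9 @@ hunk names files that the existing `%{sysefidir}/shim-*.efi` glob already matches, so `shim-opensuse.nx.efi` ends up listed twice and rpmbuild will warn about it. Dropping the new glob keeps the file list unambiguous. `shim.nx.efi` and `shim.non-nx.efi` do need their own lines, because they have no hyphen after `shim` and the old glob does not cover them. The %files section these lines belong to starts outside the hunk.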
@@ -0,0 +1 @@ +.osc ++++++ shim-16.1-lp156.4.1.aarch64.rpm -> shim-16.1-lp156.7.1.aarch64.rpm ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/usr/sbin/shim-install new/usr/sbin/shim-install --- old/usr/sbin/shim-install 2025-12-01 11:13:48.000000000 +0100 +++ new/usr/sbin/shim-install 2026-06-18 18:41:53.000000000 +0200 @@ -35,6 +35,13 @@ source_shim_efi="${source_dir}/${def_shim_efi}" +# non-nx shim +def_shim_non_nx_efi="${def_shim_efi%.efi}.non-nx.efi" +if [ ! -e "${source_dir}/${def_shim_non_nx_efi}" ]; then + def_shim_non_nx_efi="shim.non-nx.efi" +fi +source_shim_nx_efi="${source_dir}/${def_shim_non_nx_efi}" + if [ x${arch} = xx86_64 ] ; then grub_install_target="x86_64-efi" def_boot_efi="bootx64.efi" @@ -71,9 +78,12 @@ efi_distributor="$bootloader_id" bootloader_id="${bootloader_id}-secureboot" +# bsc#1254336 The sl is for SL Micro. It can be removed afrer SL Micro is EoL case "$bootloader_id" in "sle"*) ca_string='SUSE Linux Enterprise Secure Boot CA1';; + "sl"*) + ca_string='SUSE Linux Enterprise Secure Boot CA1';; "opensuse"*) ca_string='openSUSE Secure Boot CA1';; *) ca_string="";; @@ -302,6 +312,7 @@ if test -n "$efidir"; then efi_file=shim.efi + efi_non_nx_file=shim.non-nx.efi efibootdir="$efidir/EFI/boot" mkdir -p "$efibootdir" || exit 1 if test "$removable" = "yes" ; then @@ -341,6 +352,11 @@ fgrep -i " $bootloader_id" | cut -b5-8`; do $efibootmgr -b "$bootnum" -B done + # Delete old entries for non-nx from the same distributor. + for bootnum in `$efibootmgr | grep '^Boot[0-9]' | \ + fgrep " $bootloader_id-non-nx" | cut -b5-8`; do + $efibootmgr -b "$bootnum" -B + done fi exit 0 fi @@ -361,6 +377,8 @@ if test "$efidir" != "$efibootdir" ; then cp "${source_shim_efi}" "${efidir}/shim.efi" + # copy non-nx shim + cp "${source_shim_nx_efi}" "${efidir}/shim.non-nx.efi" if test -n "$bootloader_id"; then echo "shim.efi,${bootloader_id}" | iconv -f ascii -t ucs2 > "${efidir}/boot.csv" fi 
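Review bot: The variable set at the end of the @@ -35,6 +35,13 @@ hunk, `source_shim_nx_efi`, holds the path of the non-NX shim, so its name says the opposite of what it contains. `source_shim_non_nx_efi="${source_dir}/${def_shim_non_nx_efi}"` would match `def_shim_non_nx_efi` and make it harder to mix up the NX and non-NX binaries in a later edit; the `cp` added in the @@ -361,6 +377,8 @@ hunk would need the same rename. The fallback name `shim.non-nx.efi` is also not checked with `-e`, so a source directory without a non-NX shim leaves the variable pointing at a missing file. The x86_64 copy of shim-install further down the page has the same lines.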
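Review bot: The new `"sl"*)` arm in the @@ -71,9 +78,12 @@ hunk matches every bootloader id that starts with `sl`, which is wider than the SL Micro id the comment refers to, and each such id is given the SUSE Linux Enterprise CA string. Because `"sle"*` is already a subset of `"sl"*`, the two arms could be written as one, `"sle"*|"sl"*)`, or the new pattern narrowed to the exact SL Micro prefix. The comment has a typo, `afrer` for `after`. How `ca_string` is consumed is outside this hunk, so the effect of an over-broad match cannot be judged from here. The x86_64 copy of shim-install carries the same hunk.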
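Review bot: The loop added in the @@ -341,6 +352,11 @@ hunk looks like it can never find an entry to delete. The visible tail of the loop above it selects labels with `fgrep -i " $bootloader_id"`, and every label containing `$bootloader_id-non-nx` also contains `$bootloader_id`, so those entries are already removed when the second loop runs. Either drop the new loop or anchor both matches to the full label so each loop removes only its own entries; note that the new match is case-sensitive while the old one uses `-i`. `fgrep` and the backticks could become `grep -F` and `$(...)` while this is being touched. The same loop is added in the @@ -486,6 +505,11 @@ hunk and in both matching hunks of the x86_64 copy.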
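Review bot: The `cp "${source_shim_nx_efi}" "${efidir}/shim.non-nx.efi"` added in the @@ -361,6 +377,8 @@ hunk has no error handling, while the @@ -509,11 +533,19 @@ hunk registers a boot entry for `shim.non-nx.efi` unconditionally. If the source file is missing or the copy fails, the firmware can be left with a fallback entry that points at nothing, or at a stale non-NX shim from an earlier install. Following the `mkdir -p "$efibootdir" || exit 1` style visible in the @@ -302,6 +312,7 @@ hunk, this could be `cp "${source_shim_nx_efi}" "${efidir}/shim.non-nx.efi" || exit 1`. Whether the script runs under `set -e` is not visible from these hunks. The x86_64 copy has the same line.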
@@ -368,6 +386,7 @@ if test "$update_boot" = "yes"; then cp "$source_shim_efi" "${efibootdir}/${def_boot_efi}" + # firmware only support bootx64.efi, NOT support bootx64.non-nx.efi if test "$removable" = "no"; then cp "${source_dir}/fallback.efi" "${efibootdir}" # bsc#1175626, bsc#1175656 Since shim 15, loading MokManager becomes @@ -486,6 +505,11 @@ fgrep -i " $bootloader_id" | cut -b5-8`; do $efibootmgr -b "$bootnum" -B done + # Delete old entries for non-nx from the same distributor. + for bootnum in `$efibootmgr | grep '^Boot[0-9]' | \ + fgrep " $bootloader_id-non-nx" | cut -b5-8`; do + $efibootmgr -b "$bootnum" -B + done # bsc#1230316 Skip the creation of the boot option for encrypted SL-Micro to make # the system always boot from the default boot path (\EFI\BOOT\boot<arch>.efi) 
@@ -509,11 +533,19 @@ efidir_disk="$("$grub_probe" --target=disk --device-map= -d "$mddev")" efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')" efidir_d=${mddev#/dev/} + # create boot entry for non-nx shim + $efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \ + -L "$bootloader_id-non-nx ($efidir_d)" -l "\\EFI\\$efi_distributor\\$efi_non_nx_file" + # create boot entry for default shim (nx) $efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \ -L "$bootloader_id ($efidir_d)" -l "\\EFI\\$efi_distributor\\$efi_file" done else efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')" + # create boot entry for default shim (nx) + $efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \ + -L "$bootloader_id-non-nx" -l "\\EFI\\$efi_distributor\\$efi_non_nx_file" + # create boot entry for default shim (nx) $efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \ -L "$bootloader_id" -l "\\EFI\\$efi_distributor\\$efi_file" fi Binary files old/usr/share/efi/aarch64/MokManager.efi and new/usr/share/efi/aarch64/MokManager.efi differ Binary files old/usr/share/efi/aarch64/fallback.efi and new/usr/share/efi/aarch64/fallback.efi differ Binary files old/usr/share/efi/aarch64/shim-opensuse.efi and new/usr/share/efi/aarch64/shim-opensuse.efi differ Binary files old/usr/share/efi/aarch64/shim-opensuse.nx.efi and new/usr/share/efi/aarch64/shim-opensuse.nx.efi differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/usr/share/efi/aarch64/shim.efi new/usr/share/efi/aarch64/shim.efi --- old/usr/share/efi/aarch64/shim.efi 2026-06-25 10:58:07.339272367 +0200 +++ new/usr/share/efi/aarch64/shim.efi 2026-06-25 10:58:07.351272781 +0200 
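Review bot: In the `else` branch the comment above the `$bootloader_id-non-nx` entry reads `# create boot entry for default shim (nx)`, copied from the entry below it; it should read `# create boot entry for non-nx shim`, as in the `mddev` loop. The order of the two calls is also load-bearing: by default `efibootmgr -c` puts each new entry at the front of BootOrder, so creating the non-NX entry first is what leaves the NX shim as the first boot choice. A short comment such as `# non-nx first: the entry created last becomes the default` would keep a later reorder from silently making the non-NX shim the default. The enclosing block starts outside the hunk, and the x86_64 copy of shim-install has the same change.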
@@ -1 +1 @@
-symbolic link to shim-opensuse.efi
+symbolic link to shim.nx.efi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/usr/share/efi/aarch64/shim.non-nx.efi new/usr/share/efi/aarch64/shim.non-nx.efi
--- old/usr/share/efi/aarch64/shim.non-nx.efi 1970-01-01 01:00:00.000000000 +0100
+++ new/usr/share/efi/aarch64/shim.non-nx.efi 2026-06-25 10:58:07.343272505 +0200
@@ -0,0 +1 @@
+symbolic link to shim-opensuse.efi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/usr/share/efi/aarch64/shim.nx.efi new/usr/share/efi/aarch64/shim.nx.efi
--- old/usr/share/efi/aarch64/shim.nx.efi 1970-01-01 01:00:00.000000000 +0100
+++ new/usr/share/efi/aarch64/shim.nx.efi 2026-06-25 10:58:07.367273333 +0200
@@ -0,0 +1 @@
+symbolic link to shim-opensuse.nx.efi
++++++ shim-16.1-lp156.4.1.x86_64.rpm -> shim-16.1-lp156.7.1.x86_64.rpm ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/usr/lib64/efi/shim-opensuse.nx.efi new/usr/lib64/efi/shim-opensuse.nx.efi
--- old/usr/lib64/efi/shim-opensuse.nx.efi 1970-01-01 01:00:00.000000000 +0100
+++ new/usr/lib64/efi/shim-opensuse.nx.efi 2026-06-25 10:58:07.659283411 +0200
@@ -0,0 +1 @@
+symbolic link to ../../share/efi/x86_64/shim-opensuse.nx.efi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/usr/lib64/efi/shim.efi new/usr/lib64/efi/shim.efi
--- old/usr/lib64/efi/shim.efi 2026-06-25 10:58:07.627282306 +0200
+++ new/usr/lib64/efi/shim.efi 2026-06-25 10:58:07.671283825 +0200
@@ -1 +1 @@ -symbolic link to ../../share/efi/x86_64/shim-opensuse.efi +symbolic link to ../../share/efi/x86_64/shim-opensuse.nx.efi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/usr/lib64/efi/shim.non-nx.efi new/usr/lib64/efi/shim.non-nx.efi --- old/usr/lib64/efi/shim.non-nx.efi 1970-01-01 01:00:00.000000000 +0100 +++ new/usr/lib64/efi/shim.non-nx.efi 2026-06-25 10:58:07.663283549 +0200 @@ -0,0 +1 @@ +symbolic link to ../../share/efi/x86_64/shim-opensuse.efi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/usr/lib64/efi/shim.nx.efi new/usr/lib64/efi/shim.nx.efi --- old/usr/lib64/efi/shim.nx.efi 1970-01-01 01:00:00.000000000 +0100 +++ new/usr/lib64/efi/shim.nx.efi 2026-06-25 10:58:07.695284653 +0200 @@ -0,0 +1 @@ +symbolic link to ../../share/efi/x86_64/shim-opensuse.nx.efi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/usr/sbin/shim-install new/usr/sbin/shim-install --- old/usr/sbin/shim-install 2025-12-01 11:14:54.000000000 +0100 +++ new/usr/sbin/shim-install 2026-06-18 18:43:30.000000000 +0200 @@ -35,6 +35,13 @@ source_shim_efi="${source_dir}/${def_shim_efi}" +# non-nx shim +def_shim_non_nx_efi="${def_shim_efi%.efi}.non-nx.efi" +if [ ! -e "${source_dir}/${def_shim_non_nx_efi}" ]; then + def_shim_non_nx_efi="shim.non-nx.efi" +fi +source_shim_nx_efi="${source_dir}/${def_shim_non_nx_efi}" + if [ x${arch} = xx86_64 ] ; then grub_install_target="x86_64-efi" def_boot_efi="bootx64.efi" @@ -71,9 +78,12 @@ efi_distributor="$bootloader_id" bootloader_id="${bootloader_id}-secureboot" +# bsc#1254336 The sl is for SL Micro. It can be removed afrer SL Micro is EoL case "$bootloader_id" in "sle"*) ca_string='SUSE Linux Enterprise Secure Boot CA1';; + "sl"*) + ca_string='SUSE Linux Enterprise Secure Boot CA1';; "opensuse"*) ca_string='openSUSE Secure Boot CA1';; *) ca_string="";; 
@@ -302,6 +312,7 @@ if test -n "$efidir"; then efi_file=shim.efi + efi_non_nx_file=shim.non-nx.efi efibootdir="$efidir/EFI/boot" mkdir -p "$efibootdir" || exit 1 if test "$removable" = "yes" ; then @@ -341,6 +352,11 @@ fgrep -i " $bootloader_id" | cut -b5-8`; do $efibootmgr -b "$bootnum" -B done + # Delete old entries for non-nx from the same distributor. + for bootnum in `$efibootmgr | grep '^Boot[0-9]' | \ + fgrep " $bootloader_id-non-nx" | cut -b5-8`; do + $efibootmgr -b "$bootnum" -B + done fi exit 0 fi @@ -361,6 +377,8 @@ if test "$efidir" != "$efibootdir" ; then cp "${source_shim_efi}" "${efidir}/shim.efi" + # copy non-nx shim + cp "${source_shim_nx_efi}" "${efidir}/shim.non-nx.efi" if test -n "$bootloader_id"; then echo "shim.efi,${bootloader_id}" | iconv -f ascii -t ucs2 > "${efidir}/boot.csv" fi @@ -368,6 +386,7 @@ if test "$update_boot" = "yes"; then cp "$source_shim_efi" "${efibootdir}/${def_boot_efi}" + # firmware only support bootx64.efi, NOT support bootx64.non-nx.efi if test "$removable" = "no"; then cp "${source_dir}/fallback.efi" "${efibootdir}" # bsc#1175626, bsc#1175656 Since shim 15, loading MokManager becomes @@ -486,6 +505,11 @@ fgrep -i " $bootloader_id" | cut -b5-8`; do $efibootmgr -b "$bootnum" -B done + # Delete old entries for non-nx from the same distributor. + for bootnum in `$efibootmgr | grep '^Boot[0-9]' | \ + fgrep " $bootloader_id-non-nx" | cut -b5-8`; do + $efibootmgr -b "$bootnum" -B + done # bsc#1230316 Skip the creation of the boot option for encrypted SL-Micro to make # the system always boot from the default boot path (\EFI\BOOT\boot<arch>.efi) 
@@ -509,11 +533,19 @@ efidir_disk="$("$grub_probe" --target=disk --device-map= -d "$mddev")" efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')" efidir_d=${mddev#/dev/} + # create boot entry for non-nx shim + $efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \ + -L "$bootloader_id-non-nx ($efidir_d)" -l "\\EFI\\$efi_distributor\\$efi_non_nx_file" + # create boot entry for default shim (nx) $efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \ -L "$bootloader_id ($efidir_d)" -l "\\EFI\\$efi_distributor\\$efi_file" done else efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')" + # create boot entry for default shim (nx) + $efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \ + -L "$bootloader_id-non-nx" -l "\\EFI\\$efi_distributor\\$efi_non_nx_file" + # create boot entry for default shim (nx) $efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \ -L "$bootloader_id" -l "\\EFI\\$efi_distributor\\$efi_file" fi Binary files old/usr/share/efi/x86_64/MokManager.efi and new/usr/share/efi/x86_64/MokManager.efi differ Binary files old/usr/share/efi/x86_64/fallback.efi and new/usr/share/efi/x86_64/fallback.efi differ Binary files old/usr/share/efi/x86_64/shim-opensuse.efi and new/usr/share/efi/x86_64/shim-opensuse.efi differ Binary files old/usr/share/efi/x86_64/shim-opensuse.nx.efi and new/usr/share/efi/x86_64/shim-opensuse.nx.efi differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/usr/share/efi/x86_64/shim.efi new/usr/share/efi/x86_64/shim.efi --- old/usr/share/efi/x86_64/shim.efi 2026-06-25 10:58:07.611281754 +0200 +++ new/usr/share/efi/x86_64/shim.efi 2026-06-25 10:58:07.647282997 +0200 
@@ -1 +1 @@
-symbolic link to shim-opensuse.efi
+symbolic link to shim.nx.efi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/usr/share/efi/x86_64/shim.non-nx.efi new/usr/share/efi/x86_64/shim.non-nx.efi
--- old/usr/share/efi/x86_64/shim.non-nx.efi 1970-01-01 01:00:00.000000000 +0100
+++ new/usr/share/efi/x86_64/shim.non-nx.efi 2026-06-25 10:58:07.643282858 +0200
@@ -0,0 +1 @@
+symbolic link to shim-opensuse.efi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/usr/share/efi/x86_64/shim.nx.efi new/usr/share/efi/x86_64/shim.nx.efi
--- old/usr/share/efi/x86_64/shim.nx.efi 1970-01-01 01:00:00.000000000 +0100
+++ new/usr/share/efi/x86_64/shim.nx.efi 2026-06-25 10:58:07.651283135 +0200
@@ -0,0 +1 @@
+symbolic link to shim-opensuse.nx.efi
