Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2022-12-10 21:17:34 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.1835 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim" Sat Dec 10 21:17:34 2022 rev:110 rq:1041832 version:15.7 Changes: --------
--- /work/SRC/openSUSE:Factory/shim/shim.changes 2022-11-24 12:22:09.908891828 +0100
+++ /work/SRC/openSUSE:Factory/.shim.new.1835/shim.changes 2022-12-10 21:17:50.185559326 +0100
@@ -1,0 +2,9 @@
+Fri Dec 9 08:38:14 UTC 2022 - Joey Lee <j...@suse.com>
+
+- Modified shim-install, add the following Olaf Kirch's patches to support
+  full disk encryption: (jsc#PED-922)
+  a5c57340740c Introduce --no-grub-install option
+  5c2c3addc51f Handle different cases of controlling cryptomount volumes during first stage boot
+  26c6bd5df7ae Have grub take a snapshot of "relevant" TPM PCRs
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shim-install ++++++
--- /var/tmp/diff_new_pack.cerdcY/_old 2022-12-10 21:17:50.901563513 +0100
+++ /var/tmp/diff_new_pack.cerdcY/_new 2022-12-10 21:17:50.905563536 +0100
@@ -17,6 +17,7 @@
 efibootmgr="/usr/sbin/efibootmgr"
 grub_probe="/usr/sbin/grub2-probe"
 grub_mkrelpath="/usr/bin/grub2-mkrelpath"
+no_grub_install=no
 grub_install="/usr/sbin/grub2-install"
 grub_install_target=
 self="`basename $0`"
@@ -127,6 +128,7 @@
     echo "--config-file=FILE use FILE as config file, default is $grub_cfg."
     echo "--clean remove all installed files and configs."
     echo "--suse-enable-tpm install grub.efi with TPM support."
+    echo "--no-grub-install Do not run grub2-install."
     echo
     echo "INSTALL_DEVICE must be system device filename."
 }
@@ -206,6 +208,9 @@
         --clean)
             clean=yes ;;
+        --no-grub-install)
+            no_grub_install=yes ;;
+
         -*)
             echo "Unrecognized option \`$option'" 1>&2
             usage
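Review bot: The new help line `echo "--no-grub-install Do not run grub2-install."` capitalises its description while every neighbouring option in the same `usage` output is described in lowercase (`use FILE ...`, `remove all ...`, `install grub.efi ...`); `echo "--no-grub-install do not run grub2-install."` keeps the help text uniform. The `usage` function's opening line is outside the hunk.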
@@ -352,6 +357,39 @@
 fi
+prepare_cryptodisk () {
+    uuid="$1"
+
+    if [ "x$GRUB_CRYPTODISK_PASSWORD" != x ]; then
+        echo "cryptomount -u $uuid -p \"$GRUB_CRYPTODISK_PASSWORD\""
+        return
+    fi
+
+    if [ "x$GRUB_TPM2_SEALED_KEY" = x ]; then
+        echo "cryptomount -u $uuid"
+        return
+    fi
+
+    tpm_pcr_bank="${GRUB_TPM2_PCR_BANK:-sha256}"
+    tpm_pcr_list="${GRUB_TPM2_PCR_LIST:-0,2,4,7,9}"
+    tpm_sealed_key="${GRUB_TPM2_SEALED_KEY}"
+
+    declare -g TPM_PCR_SNAPSHOT_TAKEN
+
+    if [ -z "$TPM_PCR_SNAPSHOT_TAKEN" ]; then
+        TPM_PCR_SNAPSHOT_TAKEN=1
+        echo "tpm_record_pcrs 0-9"
+    fi
+
+    cat <<EOF
+tpm2_key_protector_init -b $tpm_pcr_bank -p $tpm_pcr_list -k \$prefix/$tpm_sealed_key
+if ! cryptomount -u $uuid -k tpm2; then
+    cryptomount -u $uuid
+fi
+EOF
+}
+
+
 make_grubcfg () {
     grub_cfg_dirname=`dirname $grub_cfg`
@@ -374,7 +412,7 @@
     if [ x$GRUB_ENABLE_CRYPTODISK = xy ]; then
         for uuid in `"${grub_probe}" --target=cryptodisk_uuid --device-map= "${grub_cfg_dirname}"`; do
-            echo "cryptomount -u $uuid"
+            prepare_cryptodisk "$uuid"
         done
     fi
@@ -390,7 +428,9 @@
 # invoke grub_install to initialize /boot/grub2 directory with files needed by grub.cfg
 # bsc#1118363 shim-install didn't specify the target for grub2-install
 # set the target explicitly for some special cases
-${grub_install} --target=${grub_install_target} --no-nvram
+if test "$no_grub_install" != "yes"; then
+    ${grub_install} --target=${grub_install_target} --no-nvram
+fi
 # Making sure grub.cfg not overwritten by grub-install above
 make_grubcfg > "${efidir}/grub.cfg"
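Review bot: `echo "cryptomount -u $uuid -p \"$GRUB_CRYPTODISK_PASSWORD\""` interpolates the passphrase into the generated grub script without any escaping, so a value containing `"`, `\` or `$` yields a malformed or different `cryptomount` line, and the passphrase ends up in cleartext in the file that `make_grubcfg > "${efidir}/grub.cfg"` writes to the ESP; a comment above that branch such as `# passphrase is embedded in cleartext in grub.cfg on the ESP; GRUB_TPM2_SEALED_KEY avoids this` would make the trade-off explicit to whoever sets the variable. `echo "tpm_record_pcrs 0-9"` is fixed while the protector's PCR list comes from `GRUB_TPM2_PCR_LIST`, so a policy naming a PCR above 9 would presumably not be covered by the snapshot — either derive the recorded range from `tpm_pcr_list` or state in a comment why 0-9 is sufficient. `uuid`, `tpm_pcr_bank`, `tpm_pcr_list` and `tpm_sealed_key` are assigned without `local`, so each call leaks them into the caller's scope; since `declare -g` already commits the function to bash, `local` on those four is available and keeps it self-contained.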
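Review bot: The new `if test "$no_grub_install" != "yes"; then` uses `test` while the conditionals elsewhere in this file use `[ ... ]` (for example `if [ x$GRUB_ENABLE_CRYPTODISK = xy ]` in the hunk above); `if [ "$no_grub_install" != yes ]; then` matches the existing style. The comment directly above still says grub2-install is what initialises /boot/grub2 with the files grub.cfg needs, but the skip path records nothing about who provides them when the option is given; a comment next to the `if`, such as `# --no-grub-install: the caller is responsible for the modules grub.cfg relies on`, would document that contract for the next maintainer.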