Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim-leap for openSUSE:Factory checked in at 2024-08-05 17:22:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shim-leap (Old) and /work/SRC/openSUSE:Factory/.shim-leap.new.7232 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim-leap" Mon Aug 5 17:22:14 2024 rev:22 rq:1191593 version:15.8 Changes: -------- --- /work/SRC/openSUSE:Factory/shim-leap/shim-leap.changes 2024-03-19 17:32:55.677157596 +0100 +++ /work/SRC/openSUSE:Factory/.shim-leap.new.7232/shim-leap.changes 2024-08-05 17:23:16.268032076 +0200 @@ -1,0 +2,13 @@ +Tue Jul 23 03:27:56 UTC 2024 - Dennis Tseng <dennis.ts...@suse.com> + +- Update to shim to 15.8-shim-15.8-lp155.8.2.x86_64.rpm from + openSUSE secure-boot 15.5 + + Version: 15.8, "Jan 23 2024" + + Align the outside shim-install with the one in RPM file. + This is because all important fixes in outside shim-install are + also fixed in shim-install of RPM file. For consistency purposes, + the outside shim-install is updated in this version. + + Include the bug fixes for bsc#1215099,bsc#1215098,bsc#1215100,bsc#1215101, + bsc#1215102, and bsc#1215103. + +------------------------------------------------------------------- Old: ---- shim-15.4-lp152.4.17.1.x86_64.rpm New: ---- shim-15.8-lp155.8.2.x86_64.rpm ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shim-leap.spec ++++++ --- /var/tmp/diff_new_pack.xQ2FKh/_old 2024-08-05 17:23:17.096066031 +0200 +++ /var/tmp/diff_new_pack.xQ2FKh/_new 2024-08-05 17:23:17.096066031 +0200 
@@ -25,12 +25,12 @@ %endif Name: shim-leap -Version: 15.4 +Version: 15.8 Release: 0 Summary: UEFI shim loader License: BSD-2-Clause Group: System/Boot -Source: shim-15.4-lp152.4.17.1.x86_64.rpm +Source: shim-15.8-lp155.8.2.x86_64.rpm Source1: README Source2: shim-install BuildRequires: fde-tpm-helper-rpm-macros ++++++ shim-15.4-lp152.4.17.1.x86_64.rpm -> shim-15.8-lp155.8.2.x86_64.rpm ++++++ Binary files old/etc/uefi/certs/4659838C-shim-opensuse.crt and new/etc/uefi/certs/4659838C-shim-opensuse.crt differ Binary files old/etc/uefi/certs/4659838C-shim.crt and new/etc/uefi/certs/4659838C-shim.crt differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/usr/sbin/shim-install new/usr/sbin/shim-install --- old/usr/sbin/shim-install 2021-07-15 12:12:57.000000000 +0200 +++ new/usr/sbin/shim-install 2024-07-04 16:26:35.000000000 +0200 @@ -17,6 +17,7 @@ efibootmgr="/usr/sbin/efibootmgr" grub_probe="/usr/sbin/grub2-probe" grub_mkrelpath="/usr/bin/grub2-mkrelpath" +no_grub_install=no grub_install="/usr/sbin/grub2-install" grub_install_target= self="`basename $0`" @@ -28,7 +29,7 @@ [ ! -r /usr/etc/default/shim ] || . /usr/etc/default/shim [ ! -r /etc/default/shim ] || . /etc/default/shim -if [ -z "$def_shim_efi" ] ; then +if [ -z "$def_shim_efi" -o ! -e ${source_dir}/${def_shim_efi} ] ; then def_shim_efi="shim.efi" fi @@ -127,6 +128,7 @@ echo "--config-file=FILE use FILE as config file, default is $grub_cfg." echo "--clean remove all installed files and configs." echo "--suse-enable-tpm install grub.efi with TPM support." + echo "--no-grub-install Do not run grub2-install." echo echo "INSTALL_DEVICE must be system device filename." } @@ -206,6 +208,9 @@ --clean) clean=yes ;; + --no-grub-install) + no_grub_install=yes ;; + -*) echo "Unrecognized option \`$option'" 1>&2 usage 
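Review bot: The new `def_shim_efi` test in the `@@ -28,7 +29,7 @@` hunk expands `${source_dir}/${def_shim_efi}` unquoted and joins its two conditions with `-o`, so a value containing whitespace or glob characters from the sourced `/etc/default/shim` changes how `[` parses the expression. Two separate tests are unambiguous: `if [ -z "$def_shim_efi" ] || [ ! -e "${source_dir}/${def_shim_efi}" ] ; then`. The fallback to `shim.efi` is also silent, although it decides which shim binary gets installed. When the configured name is non-empty but missing, a line such as `echo "$self: ${def_shim_efi} not found in ${source_dir}, using shim.efi" 1>&2` before the reassignment would let an administrator see that the configured loader was not used.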
@@ -352,6 +357,48 @@ fi +prepare_cryptodisk () { + uuid="$1" + + if [ "x$GRUB_CRYPTODISK_PASSWORD" != x ]; then + echo "cryptomount -u $uuid -p \"$GRUB_CRYPTODISK_PASSWORD\"" + return + fi + + if [ "x$GRUB_TPM2_SEALED_KEY" = x ]; then + echo "cryptomount -u $uuid" + return + fi + + tpm_sealed_key="${GRUB_TPM2_SEALED_KEY}" + + declare -g TPM_PCR_SNAPSHOT_TAKEN + + if [ -z "$TPM_PCR_SNAPSHOT_TAKEN" ]; then + TPM_PCR_SNAPSHOT_TAKEN=1 + + # Check if tpm_record_pcrs is available and set the command to + # grub.cfg. + if grep -q "tpm_record_pcrs" ${datadir}/grub2/${arch}-efi/command.lst ; then + echo "tpm_record_pcrs 0-9" + fi + fi + + tpm_srk_alg="${GRUB_TPM2_SRK_ALG}" + + if [ -z "$tpm_srk_alg" ]; then + tpm_srk_alg="RSA" + fi + + cat <<EOF +tpm2_key_protector_init -a $tpm_srk_alg -T \$prefix/$tpm_sealed_key +if ! cryptomount -u $uuid --protector tpm2; then + cryptomount -u $uuid +fi +EOF +} + + make_grubcfg () { grub_cfg_dirname=`dirname $grub_cfg` 
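Review bot: In `prepare_cryptodisk`, `GRUB_CRYPTODISK_PASSWORD` is echoed verbatim into the generated configuration, which is redirected to `${efidir}/grub.cfg` later in the script, so the disk passphrase is stored in clear text in a file that presumably sits on the unencrypted EFI system partition. The value is also placed inside double quotes without escaping, so a passphrase containing `"`, `\` or `$` would produce a `cryptomount` line that GRUB parses differently from what was intended. At minimum I would document this above the branch, e.g. `# NOTE: writes the passphrase in clear text to grub.cfg; anyone who can read that file can unlock the volume`, and warn at install time with `echo "$self: warning: GRUB_CRYPTODISK_PASSWORD will be stored in clear text in grub.cfg" 1>&2`. Separately, `uuid`, `tpm_sealed_key` and `tpm_srk_alg` are assigned without `local`, and `declare -g` requires bash, which should match the script's interpreter line (not visible in this hunk).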
@@ -374,24 +421,39 @@ if [ x$GRUB_ENABLE_CRYPTODISK = xy ]; then for uuid in `"${grub_probe}" --target=cryptodisk_uuid --device-map= "${grub_cfg_dirname}"`; do - echo "cryptomount -u $uuid" + prepare_cryptodisk "$uuid" done fi +hints="`"${grub_probe}" --target=hints_string "${grub_cfg_dirname}" 2> /dev/null`" + +if [ "x$hints" != x ]; then + echo "if [ x\$feature_platform_search_hint = xy ]; then" + echo " search --no-floppy --fs-uuid --set=root ${hints} ${cfg_fs_uuid}" + echo "else" + echo " search --no-floppy --fs-uuid --set=root ${cfg_fs_uuid}" + echo "fi" +else + echo "search --no-floppy --fs-uuid --set=root ${cfg_fs_uuid}" +fi + cat <<EOF -search --fs-uuid --set=root ${cfg_fs_uuid} set prefix=(\${root})`${grub_mkrelpath} ${grub_cfg_dirname}` source "\${prefix}/${grub_cfg_basename}" EOF } -make_grubcfg > "${efidir}/grub.cfg" # bnc#889765 GRUB shows broken letters at boot # invoke grub_install to initialize /boot/grub2 directory with files needed by grub.cfg # bsc#1118363 shim-install didn't specify the target for grub2-install # set the target explicitly for some special cases -${grub_install} --target=${grub_install_target} --no-nvram +if test "$no_grub_install" != "yes"; then + ${grub_install} --target=${grub_install_target} --no-nvram +fi + +# Making sure grub.cfg not overwritten by grub-install above +make_grubcfg > "${efidir}/grub.cfg" if test "$no_nvram" = no && test -n "$bootloader_id"; then Binary files old/usr/share/efi/x86_64/MokManager.efi and new/usr/share/efi/x86_64/MokManager.efi differ Binary files old/usr/share/efi/x86_64/fallback.efi and new/usr/share/efi/x86_64/fallback.efi differ Binary files old/usr/share/efi/x86_64/shim-opensuse.efi and new/usr/share/efi/x86_64/shim-opensuse.efi differ ++++++ shim-install ++++++ --- /var/tmp/diff_new_pack.xQ2FKh/_old 2024-08-05 17:23:17.384077841 +0200 +++ /var/tmp/diff_new_pack.xQ2FKh/_new 2024-08-05 17:23:17.388078005 +0200 
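Review bot: `make_grubcfg > "${efidir}/grub.cfg"` now runs as the final writer, but the redirection truncates the existing file before the function executes, and the function's status is that of its closing `cat`, so a failing `grub2-probe` or `grub2-mkrelpath` call can leave a partial boot configuration without any error being reported. Whether the script aborts on errors is not visible in this hunk, and `make_grubcfg` starts above it. Writing to a sibling file and renaming closes that window: `make_grubcfg > "${efidir}/grub.cfg.new" && mv -f "${efidir}/grub.cfg.new" "${efidir}/grub.cfg"`. The exit status of `${grub_install}` inside the new `if` is likewise unchecked.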
@@ -60,7 +60,6 @@ if [ x"${GRUB_DISTRIBUTOR}" = x ] && [ -f "${sysconfdir}/os-release" ] ; then . "${sysconfdir}/os-release" GRUB_DISTRIBUTOR="${NAME} ${VERSION}" - OS_ID="${ID}" fi bootloader_id="$(echo "$GRUB_DISTRIBUTOR" | tr 'A-Z' 'a-z' | cut -d' ' -f1)" @@ -79,11 +78,6 @@ *) ca_string="";; esac -case "$OS_ID" in - "opensuse-leap") - ca_string='SUSE Linux Enterprise Secure Boot CA1';; -esac - is_azure () { local bios_vendor; local product_name; @@ -431,8 +425,19 @@ done fi +hints="`"${grub_probe}" --target=hints_string "${grub_cfg_dirname}" 2> /dev/null`" + +if [ "x$hints" != x ]; then + echo "if [ x\$feature_platform_search_hint = xy ]; then" + echo " search --no-floppy --fs-uuid --set=root ${hints} ${cfg_fs_uuid}" + echo "else" + echo " search --no-floppy --fs-uuid --set=root ${cfg_fs_uuid}" + echo "fi" +else + echo "search --no-floppy --fs-uuid --set=root ${cfg_fs_uuid}" +fi + cat <<EOF -search --fs-uuid --set=root ${cfg_fs_uuid} set prefix=(\${root})`${grub_mkrelpath} ${grub_cfg_dirname}` source "\${prefix}/${grub_cfg_basename}" EOF
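Review bot: The hints block added in the `@@ -431,8 +425,19 @@` hunk has no comment and discards the stderr of `grub2-probe`, so a probe failure looks the same as a device that has no hints. I would add a comment above it such as `# Pass platform hints to search when available; the generated if/else keeps the config usable on a GRUB without feature_platform_search_hint`. The three `search` lines repeat the same options, so a single variable such as `search_opts="--no-floppy --fs-uuid --set=root"` would keep them in step. The same lines are added to `/usr/sbin/shim-install` in the packaged RPM diff, so the same applies there.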