Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim-leap for openSUSE:Factory 
checked in at 2024-08-05 17:22:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shim-leap (Old)
 and      /work/SRC/openSUSE:Factory/.shim-leap.new.7232 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "shim-leap"

Mon Aug  5 17:22:14 2024 rev:22 rq:1191593 version:15.8

Changes:
--------
--- /work/SRC/openSUSE:Factory/shim-leap/shim-leap.changes      2024-03-19 
17:32:55.677157596 +0100
+++ /work/SRC/openSUSE:Factory/.shim-leap.new.7232/shim-leap.changes    
2024-08-05 17:23:16.268032076 +0200
@@ -1,0 +2,13 @@
+Tue Jul 23 03:27:56 UTC 2024 - Dennis Tseng <dennis.ts...@suse.com>
+
+- Update to shim to 15.8-shim-15.8-lp155.8.2.x86_64.rpm from 
+  openSUSE secure-boot 15.5
+  + Version: 15.8, "Jan 23 2024"
+  + Align the outside shim-install with the one in RPM file.
+    This is because all important fixes in outside shim-install are
+    also fixed in shim-install of RPM file. For consistency purposes,
+    the outside shim-install is updated in this version.
+  + Include the bug fixes for bsc#1215099,bsc#1215098,bsc#1215100,bsc#1215101,
+    bsc#1215102, and bsc#1215103.
+
+-------------------------------------------------------------------

Old:
----
  shim-15.4-lp152.4.17.1.x86_64.rpm

New:
----
  shim-15.8-lp155.8.2.x86_64.rpm

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ shim-leap.spec ++++++
--- /var/tmp/diff_new_pack.xQ2FKh/_old  2024-08-05 17:23:17.096066031 +0200
+++ /var/tmp/diff_new_pack.xQ2FKh/_new  2024-08-05 17:23:17.096066031 +0200
@@ -25,12 +25,12 @@
 %endif
 
 Name:           shim-leap
-Version:        15.4
+Version:        15.8
 Release:        0
 Summary:        UEFI shim loader
 License:        BSD-2-Clause
 Group:          System/Boot
-Source:         shim-15.4-lp152.4.17.1.x86_64.rpm
+Source:         shim-15.8-lp155.8.2.x86_64.rpm
 Source1:        README
 Source2:        shim-install
 BuildRequires:  fde-tpm-helper-rpm-macros

++++++ shim-15.4-lp152.4.17.1.x86_64.rpm -> shim-15.8-lp155.8.2.x86_64.rpm 
++++++
Binary files old/etc/uefi/certs/4659838C-shim-opensuse.crt and 
new/etc/uefi/certs/4659838C-shim-opensuse.crt differ
Binary files old/etc/uefi/certs/4659838C-shim.crt and 
new/etc/uefi/certs/4659838C-shim.crt differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/usr/sbin/shim-install new/usr/sbin/shim-install
--- old/usr/sbin/shim-install   2021-07-15 12:12:57.000000000 +0200
+++ new/usr/sbin/shim-install   2024-07-04 16:26:35.000000000 +0200
@@ -17,6 +17,7 @@
 efibootmgr="/usr/sbin/efibootmgr"
 grub_probe="/usr/sbin/grub2-probe"
 grub_mkrelpath="/usr/bin/grub2-mkrelpath"
+no_grub_install=no
 grub_install="/usr/sbin/grub2-install"
 grub_install_target=
 self="`basename $0`"
@@ -28,7 +29,7 @@
 [ ! -r /usr/etc/default/shim ] || . /usr/etc/default/shim
 [ ! -r /etc/default/shim ] || . /etc/default/shim
 
-if [ -z "$def_shim_efi" ] ; then
+if [ -z "$def_shim_efi" -o ! -e ${source_dir}/${def_shim_efi} ] ; then
        def_shim_efi="shim.efi"
 fi
 
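Review bot: The added `! -e ${source_dir}/${def_shim_efi}` test silently replaces a `def_shim_efi` configured in /usr/etc/default/shim or /etc/default/shim with `shim.efi` when the file is missing, so an administrator who selected a specific signed shim gets a different binary installed without any message. A warning on stderr before the fallback would make this visible, e.g. `echo "$self: ${def_shim_efi} not found in ${source_dir}, using shim.efi" 1>&2`. The operands are also unquoted and joined with the obsolescent `-o`; `[ -z "$def_shim_efi" ] || [ ! -e "${source_dir}/${def_shim_efi}" ]` avoids word splitting if either value contains whitespace. Whether `source_dir` is already assigned at this point cannot be seen from the hunk.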
@@ -127,6 +128,7 @@
     echo "--config-file=FILE use FILE as config file, default is $grub_cfg."
     echo "--clean remove all installed files and configs."
     echo "--suse-enable-tpm install grub.efi with TPM support."
+    echo "--no-grub-install Do not run grub2-install."
     echo
     echo "INSTALL_DEVICE must be system device filename."
 }
@@ -206,6 +208,9 @@
     --clean)
        clean=yes ;;
 
+    --no-grub-install)
+       no_grub_install=yes ;;
+
     -*)
        echo "Unrecognized option \`$option'"  1>&2
        usage
@@ -352,6 +357,48 @@
 fi
 
 
+prepare_cryptodisk () {
+  uuid="$1"
+
+  if [ "x$GRUB_CRYPTODISK_PASSWORD" != x ]; then
+    echo "cryptomount -u $uuid -p \"$GRUB_CRYPTODISK_PASSWORD\""
+    return
+  fi
+
+  if [ "x$GRUB_TPM2_SEALED_KEY" = x ]; then
+    echo "cryptomount -u $uuid"
+    return
+  fi
+
+  tpm_sealed_key="${GRUB_TPM2_SEALED_KEY}"
+
+  declare -g TPM_PCR_SNAPSHOT_TAKEN
+
+  if [ -z "$TPM_PCR_SNAPSHOT_TAKEN" ]; then
+    TPM_PCR_SNAPSHOT_TAKEN=1
+
+    # Check if tpm_record_pcrs is available and set the command to
+    # grub.cfg.
+    if grep -q "tpm_record_pcrs" ${datadir}/grub2/${arch}-efi/command.lst ; 
then
+      echo "tpm_record_pcrs 0-9"
+    fi
+  fi
+
+  tpm_srk_alg="${GRUB_TPM2_SRK_ALG}"
+
+  if [ -z "$tpm_srk_alg" ]; then
+    tpm_srk_alg="RSA"
+  fi
+
+  cat <<EOF
+tpm2_key_protector_init -a $tpm_srk_alg -T \$prefix/$tpm_sealed_key
+if ! cryptomount -u $uuid --protector tpm2; then
+    cryptomount -u $uuid
+fi
+EOF
+}
+
+
 make_grubcfg () {
 
 grub_cfg_dirname=`dirname $grub_cfg`
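Review bot: In `prepare_cryptodisk`, `$GRUB_CRYPTODISK_PASSWORD` is interpolated unescaped between double quotes in the generated `cryptomount -u $uuid -p "..."` line, so a passphrase containing `"`, `\` or `$` changes how GRUB parses that line and the unlock will either fail or use a different string. Escaping those three characters before the echo would keep the line well-formed, e.g. `pw=$(printf '%s' "$GRUB_CRYPTODISK_PASSWORD" | sed 's/[\\"$]/\\&/g')` and then echoing `\"$pw\"`. The passphrase also ends up in clear text in whatever file the caller redirects this output to, which deserves a comment above the branch such as `# NOTE: writes the disk passphrase in clear text into grub.cfg; the target file must not be world-readable`. `declare -g` is a bash-only builtin; the script's shebang is outside the hunk, so confirm it is not run under a plain `/bin/sh`.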
@@ -374,24 +421,39 @@
 
 if [ x$GRUB_ENABLE_CRYPTODISK = xy ]; then
   for uuid in `"${grub_probe}" --target=cryptodisk_uuid --device-map= 
"${grub_cfg_dirname}"`; do
-    echo "cryptomount -u $uuid"
+    prepare_cryptodisk "$uuid"
   done
 fi
 
+hints="`"${grub_probe}" --target=hints_string "${grub_cfg_dirname}" 2> 
/dev/null`"
+
+if [ "x$hints" != x ]; then
+  echo "if [ x\$feature_platform_search_hint = xy ]; then"
+  echo "  search --no-floppy --fs-uuid --set=root ${hints} ${cfg_fs_uuid}"
+  echo "else"
+  echo "  search --no-floppy --fs-uuid --set=root ${cfg_fs_uuid}"
+  echo "fi"
+else
+  echo "search --no-floppy --fs-uuid --set=root ${cfg_fs_uuid}"
+fi
+
 cat <<EOF
-search --fs-uuid --set=root ${cfg_fs_uuid}
 set prefix=(\${root})`${grub_mkrelpath} ${grub_cfg_dirname}`
 source "\${prefix}/${grub_cfg_basename}"
 EOF
 
 }
 
-make_grubcfg > "${efidir}/grub.cfg"
 # bnc#889765 GRUB shows broken letters at boot
 # invoke grub_install to initialize /boot/grub2 directory with files needed by 
grub.cfg
 # bsc#1118363 shim-install didn't specify the target for grub2-install
 # set the target explicitly for some special cases 
-${grub_install} --target=${grub_install_target} --no-nvram
+if test "$no_grub_install" != "yes"; then
+  ${grub_install} --target=${grub_install_target} --no-nvram
+fi
+
+# Making sure grub.cfg not overwritten by grub-install above 
+make_grubcfg > "${efidir}/grub.cfg"
 
 if test "$no_nvram" = no && test -n "$bootloader_id"; then
 
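Review bot: `make_grubcfg > "${efidir}/grub.cfg"` creates the file with whatever umask the caller has, and with the `prepare_cryptodisk` call added in this same hunk the output can now contain a `cryptomount -p` passphrase or the sealed-key path. Wrapping the write as `(umask 077; make_grubcfg > "${efidir}/grub.cfg")` keeps the file root-only where the filesystem honours modes; if `${efidir}` is on a FAT ESP the effective permissions come from the mount options instead, which is worth stating in the comment above the line. The redirect also truncates the existing grub.cfg before `make_grubcfg` runs, so a failing `grub2-probe` leaves a partial file; writing to a temporary file in `${efidir}` and renaming it on success would avoid that. The exit status of `${grub_install}` is not checked before grub.cfg is written, unless the script enables `set -e` outside the visible lines.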
Binary files old/usr/share/efi/x86_64/MokManager.efi and 
new/usr/share/efi/x86_64/MokManager.efi differ
Binary files old/usr/share/efi/x86_64/fallback.efi and 
new/usr/share/efi/x86_64/fallback.efi differ
Binary files old/usr/share/efi/x86_64/shim-opensuse.efi and 
new/usr/share/efi/x86_64/shim-opensuse.efi differ

++++++ shim-install ++++++
--- /var/tmp/diff_new_pack.xQ2FKh/_old  2024-08-05 17:23:17.384077841 +0200
+++ /var/tmp/diff_new_pack.xQ2FKh/_new  2024-08-05 17:23:17.388078005 +0200
@@ -60,7 +60,6 @@
 if [ x"${GRUB_DISTRIBUTOR}" = x ] && [ -f "${sysconfdir}/os-release" ] ; then
     . "${sysconfdir}/os-release"
     GRUB_DISTRIBUTOR="${NAME} ${VERSION}"
-    OS_ID="${ID}"
 fi
 
 bootloader_id="$(echo "$GRUB_DISTRIBUTOR" | tr 'A-Z' 'a-z' | cut -d' ' -f1)"
@@ -79,11 +78,6 @@
     *) ca_string="";;
 esac
 
-case "$OS_ID" in
-    "opensuse-leap")
-        ca_string='SUSE Linux Enterprise Secure Boot CA1';;
-esac
-
 is_azure () {
     local bios_vendor;
     local product_name;
@@ -431,8 +425,19 @@
   done
 fi
 
+hints="`"${grub_probe}" --target=hints_string "${grub_cfg_dirname}" 2> 
/dev/null`"
+
+if [ "x$hints" != x ]; then
+  echo "if [ x\$feature_platform_search_hint = xy ]; then"
+  echo "  search --no-floppy --fs-uuid --set=root ${hints} ${cfg_fs_uuid}"
+  echo "else"
+  echo "  search --no-floppy --fs-uuid --set=root ${cfg_fs_uuid}"
+  echo "fi"
+else
+  echo "search --no-floppy --fs-uuid --set=root ${cfg_fs_uuid}"
+fi
+
 cat <<EOF
-search --fs-uuid --set=root ${cfg_fs_uuid}
 set prefix=(\${root})`${grub_mkrelpath} ${grub_cfg_dirname}`
 source "\${prefix}/${grub_cfg_basename}"
 EOF
