Hello community,
here is the log from the commit of package shim for openSUSE:Factory checked in
at 2014-04-21 11:05:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shim (Old)
and /work/SRC/openSUSE:Factory/.shim.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim"
Changes:
--------
--- /work/SRC/openSUSE:Factory/shim/shim.changes 2014-04-20
11:35:07.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2014-04-21
11:05:28.000000000 +0200
@@ -2,110 +1,0 @@
-Thu Apr 10 08:20:20 UTC 2014 - g...@suse.com
-
-- Replace shim-mokmanager-support-sha1.patch with
- shim-mokmanager-support-sha-family.patch to support the SHA
- family
-
--------------------------------------------------------------------
-Mon Apr 7 09:32:21 UTC 2014 - g...@suse.com
-
-- Add shim-mokmanager-support-sha1.patch to support SHA1 hashes in
- MOK
-
--------------------------------------------------------------------
-Mon Mar 31 11:57:13 UTC 2014 - mch...@suse.com
-
-- snapper rollback support (fate#317062)
- - refresh shim-install
-
--------------------------------------------------------------------
-Thu Mar 13 02:32:15 UTC 2014 - g...@suse.com
-
-- Insert the right signature (bnc#867974)
-
--------------------------------------------------------------------
-Mon Mar 10 07:56:44 UTC 2014 - g...@suse.com
-
-- Add shim-fix-uninitialized-variable.patch to fix the use of
- uninitialzed variables in lib
-
--------------------------------------------------------------------
-Fri Mar 7 09:09:12 UTC 2014 - g...@suse.com
-
-- Add shim-mokmanager-delete-bs-var-right.patch to delete the BS+NV
- variables the right way
-- Update shim-opensuse-cert-prompt.patch to delete openSUSE_Verify
- correctly
-
--------------------------------------------------------------------
-Thu Mar 6 07:37:57 UTC 2014 - g...@suse.com
-
-- Add shim-fallback-avoid-duplicate-bootorder.patch to fix the
- duplicate entries in BootOrder
-- Add shim-allow-fallback-use-system-loadimage.patch to handle the
- shim protocol properly to keep only one protocol entity
-- Refresh shim-opensuse-cert-prompt.patch
-
--------------------------------------------------------------------
-Thu Mar 6 03:53:49 UTC 2014 - mch...@suse.com
-
-- shim-install: fix the $prefix to use grub2-mkrelpath for paths
- on btrfs subvolume (bnc#866690).
-
--------------------------------------------------------------------
-Tue Mar 4 04:19:05 UTC 2014 - g...@suse.com
-
-- FATE#315002: Update shim-install to install shim.efi as the EFI
- default bootloader when none exists in \EFI\boot.
-
--------------------------------------------------------------------
-Thu Feb 27 09:46:49 UTC 2014 - fcro...@suse.com
-
-- Update signature-sles.asc: shim signed by UEFI signing service,
- based on code from "Thu Feb 20 11:57:01 UTC 2014"
-
--------------------------------------------------------------------
-Fri Feb 21 08:45:46 UTC 2014 - g...@suse.com
-
-- Add shim-opensuse-cert-prompt.patch to show the prompt to ask
- whether the user trusts the openSUSE certificate or not
-
--------------------------------------------------------------------
-Thu Feb 20 11:57:01 UTC 2014 - lnus...@suse.de
-
-- allow package to carry multiple signatures
-- check correct certificate is embedded
-
--------------------------------------------------------------------
-Thu Feb 20 10:06:47 UTC 2014 - lnus...@suse.de
-
-- always clean up generated files that embed certificates
- (shim_cert.h shim.cer shim.crt) to make sure next build loop
- rebuilds them properly
-
--------------------------------------------------------------------
-Mon Feb 17 09:58:56 UTC 2014 - g...@suse.com
-
-- Add shim-bnc863205-mokmanager-fix-hash-delete.patch to fix the
- hash deletion operation to avoid ruining the whole list
- (bnc#863205)
-
--------------------------------------------------------------------
-Tue Feb 11 06:30:02 UTC 2014 - g...@suse.com
-
-- Update shim-mokx-support.patch to support the resetting of MOK
- blacklist
-- Add shim-get-variable-check.patch to fix the variable checking
- in get_variable_attr
-- Add shim-improve-fallback-entries-creation.patch to improve the
- boot entry pathes and avoid generating the boot entries that
- are already there
-- Update SUSE certificate
-- Update attach_signature.sh, show_hash.sh, strip_signature.sh,
- extract_signature.sh and show_signatures.sh to remove the
- creation of the temporary nss database
-- Add shim-only-os-name.patch: remove the kernel version of the
- build server
-- Match the the prefix of the project name properly by escaping the
- percent sign.
-
--------------------------------------------------------------------
Old:
----
shim-allow-fallback-use-system-loadimage.patch
shim-bnc863205-mokmanager-fix-hash-delete.patch
shim-fallback-avoid-duplicate-bootorder.patch
shim-fallback-improve-entries-creation.patch
shim-fix-uninitialized-variable.patch
shim-get-variable-check.patch
shim-mokmanager-delete-bs-var-right.patch
shim-mokmanager-support-sha-family.patch
shim-only-os-name.patch
shim-opensuse-cert-prompt.patch
signature-opensuse.asc
signature-sles.asc
New:
----
microsoft.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ shim.spec ++++++
--- /var/tmp/diff_new_pack.caxf2B/_old 2014-04-21 11:05:29.000000000 +0200
+++ /var/tmp/diff_new_pack.caxf2B/_new 2014-04-21 11:05:29.000000000 +0200
@@ -28,7 +28,7 @@
Source: %{name}-%{version}.tar.bz2
# run "extract_signature.sh shim.efi" where shim.efi is the binary
# with the signature from the UEFI signing service.
-Source1: signature-opensuse.asc
+Source1: microsoft.asc
Source2: openSUSE-UEFI-CA-Certificate.crt
Source3: shim-install
Source4: SLES-UEFI-CA-Certificate.crt
@@ -38,8 +38,6 @@
Source8: show_signatures.sh
Source9: openSUSE-UEFI-CA-Certificate-4096.crt
Source10: timestamp.pl
-Source11: strip_signature.sh
-Source12: signature-sles.asc
# PATCH-FIX-UPSTREAM shim-fix-verify-mok.patch g...@suse.com -- Fix the error
handling in verify_mok()
Patch1: shim-fix-verify-mok.patch
# PATCH-FIX-UPSTREAM shim-improve-error-messages.patch g...@suse.com --
Improve the error messages
@@ -52,26 +50,6 @@
Patch5: shim-mokx-support.patch
# PATCH-FIX-UPSTREAM shim-mokmanager-handle-keystroke-error.patch
g...@suse.com -- Handle the error status from ReadKeyStroke to avoid the
unexpected keys
Patch6: shim-mokmanager-handle-keystroke-error.patch
-# PATCH-FIX-SUSE shim-only-os-name.patch g...@suse.com -- Only include the OS
name in version.c
-Patch7: shim-only-os-name.patch
-# PATCH-FIX-UPSTREAM shim-get-variable-check.patch g...@suse.com -- Fix the
variable checking in get_variable_attr
-Patch8: shim-get-variable-check.patch
-# PATCH-FIX-UPSTREAM shim-fallback-improve--entries-creation.patch
g...@suse.com -- Improve the boot entry pathes and avoid generating the boot
entries that are already there
-Patch9: shim-fallback-improve-entries-creation.patch
-# PATCH-FIX-UPSTREAM shim-bnc863205-mokmanager-fix-hash-delete.patch
bnc#863205 g...@suse.com -- Fix the hash deletion operation to avoid ruining
the whole list
-Patch10: shim-bnc863205-mokmanager-fix-hash-delete.patch
-# PATCH-FIX-UPSTREAM shim-fallback-avoid-duplicate-bootorder.patch
g...@suse.com -- Fix the duplicate BootOrder entries generated by fallback.efi
-Patch11: shim-fallback-avoid-duplicate-bootorder.patch
-# PATCH-FIX-UPSTREAM shim-allow-fallback-use-system-loadimage.patch
g...@suse.com -- Handle the shim protocol properly to keep only one protocol
entity
-Patch12: shim-allow-fallback-use-system-loadimage.patch
-# PATCH-FIX-UPSTREAM shim-mokmanager-delete-bs-var-right.patch g...@suse.com
-- Delete BootService non-volatile variables the right way
-Patch13: shim-mokmanager-delete-bs-var-right.patch
-# PATCH-FIX-UPSTREAM shim-fix-uninitialized-variable.patch g...@suse.com --
Initialize the variable in lib properly
-Patch14: shim-fix-uninitialized-variable.patch
-# PATCH-FIX-UPSTREAM shim-mokmanager-support-sha-family.patch g...@suse.com --
Support SHA hashes in MOK
-Patch15: shim-mokmanager-support-sha-family.patch
-# PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the
prompt to ask whether the user trusts openSUSE certificate or not
-Patch100: shim-opensuse-cert-prompt.patch
BuildRequires: gnu-efi >= 3.0t
BuildRequires: mozilla-nss-tools
BuildRequires: openssl >= 0.9.8
@@ -100,16 +78,6 @@
%patch4 -p1
%patch5 -p1
%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
-%patch15 -p1
-%patch100 -p1
%build
# first, build MokManager and fallback as they don't depend on a
@@ -140,18 +108,12 @@
if test "$suffix" = "opensuse"; then
cert=%{SOURCE2}
cert2=%{SOURCE9}
- verify='openSUSE Secure Boot CA1'
- signature=%{SOURCE1}
elif test "$suffix" = "sles"; then
cert=%{SOURCE4}
cert2=''
- verify='SUSE Linux Enterprise Secure Boot CA1'
- signature=%{SOURCE12}
elif test "$suffix" = "devel"; then
cert=%{_sourcedir}/_projectcert.crt
cert2=''
- verify=`openssl x509 -in "$cert" -noout -email`
- signature=''
test -e "$cert" || continue
else
echo "invalid suffix"
@@ -159,7 +121,6 @@
fi
openssl x509 -in $cert -outform DER -out shim-$suffix.der
- rm -f shim_cert.h shim.cer shim.crt
if [ -z "$cert2" ]; then
# create empty local cert file, we don't need a local key pair as we
# sign the mokmanager with our vendor key
@@ -167,39 +128,36 @@
touch shim.cer
else
cp $cert2 shim.crt
+ rm -f shim.cer
fi
# make sure cast warnings don't trigger post build check
make EFI_PATH=/usr/lib64 VENDOR_CERT_FILE=shim-$suffix.der shim.efi
2>/dev/null
- #
- # assert correct certificate embedded
- grep -q "$verify" shim.efi
# make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
- chmod 755 %{SOURCE10}
+ chmod 755 %{SOURCE6} %{SOURCE7} %{SOURCE10}
# alternative: verify signature
#sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi
- if test -n "$signature"; then
- head -1 "$signature" > hash1
+ head -1 %{SOURCE1} > hash1
cp shim.efi shim.efi.bak
# pe header contains timestamp and checksum. we need to
# restore that
- %{SOURCE10} --set-from-file "$signature" shim.efi
- pesign -h -P -i shim.efi > hash2
+ %{SOURCE10} --set-from-file %{SOURCE1} shim.efi
+ %{SOURCE7} shim.efi > hash2
cat hash1 hash2
if ! cmp -s hash1 hash2; then
- echo "ERROR: $suffix binary changed, need to request new
signature!"
+ echo "ERROR: binary changed, need to request new signature!"
# don't fail in devel projects
prj="%{_project}"
- if [ "${prj%%%:*}" = "openSUSE" -o "${prj%%%:*}" = "SUSE" ];
then
+ if [ "${prj%%:*}" = "openSUSE" -o "${prj%%:*}" = "SUSE" ]; then
false
fi
mv shim.efi.bak shim-$suffix.efi
rm shim.efi
else
# attach signature
- pesign -m "$signature" -i shim.efi -o shim-$suffix.efi
+ %{SOURCE6} %{SOURCE1} shim.efi
+ mv shim-signed.efi shim-$suffix.efi
rm -f shim.efi
fi
- fi
rm -f shim.cer shim.crt
# make sure cert.o gets rebuilt
rm -f cert.o
++++++ SLES-UEFI-CA-Certificate.crt ++++++
--- /var/tmp/diff_new_pack.caxf2B/_old 2014-04-21 11:05:29.000000000 +0200
+++ /var/tmp/diff_new_pack.caxf2B/_new 2014-04-21 11:05:29.000000000 +0200
@@ -1,29 +1,39 @@
-----BEGIN CERTIFICATE-----
-MIIE5TCCA82gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT
+MIIG5TCCBM2gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT
RSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTES
MBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3Rz
IEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxk
-QHN1c2UuZGUwHhcNMTMwNDE4MTQzMzQxWhcNMzUwMzE0MTQzMzQxWjCBpjEtMCsG
+QHN1c2UuZGUwHhcNMTMwMTIyMTQyMDA4WhcNMzQxMjE4MTQyMDA4WjCBpjEtMCsG
A1UEAwwkU1VTRSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYD
VQQGEwJERTESMBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4
IFByb2R1Y3RzIEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0B
-CQEWDWJ1aWxkQHN1c2UuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
-AQDN/avXKoT4gcM2NVA1LMfsBPH01sxgS8gTs3SbvfbEP2M+ZlHyfj9ufHZ7cZ1p
-ISoVm6ql5VbIeZgSNc17Y4y4Nynud1C8t2SP/iZK5YMYHGxdtIfv1zPE+Bo/KZqE
-WgHg2YFtMXdiKfXBZRTfSh37t0pGO/OQi6K4JioKw55UtQNggePZWDXtsAviT2vv
-abqLR9+kxdrQ0iWqhWM+LwXbTGkCpg41s8KucLD/JYAxxw05dKPApFDNnz+Ft2L7
-e5JtyB4S0u4PlvQBMNHt4hDs0rK4oeHFLbOxHvjF+nloneWhkg9eT0VCfpAYVYz+
-whMxuCHerDCdmeFrRGEMQz11AgMBAAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/
-MB0GA1UdDgQWBBTsqw1CxFbPdwQ2uXOZOGKWXocmLzCB0wYDVR0jBIHLMIHIgBTs
-qw1CxFbPdwQ2uXOZOGKWXocmL6GBrKSBqTCBpjEtMCsGA1UEAwwkU1VTRSBMaW51
-eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTESMBAGA1UE
-BwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3RzIEdtYkgx
-EzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxkQHN1c2Uu
-ZGWCAQEwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQASviyFhVqU
-Wc1JUQgXwdljJynTnp0/FQOZJBSe7XdBGPmy91+3ITqrXgyqo/218KISiQl53Qlw
-pq+cIiGRAia1D7p7wbg7wsg+Trt0zZFXes30wfYq5pjfWadEBAgNCffkBz10TSjL
-jQrVwW5N+yUJMoq+r843TzV56Huy6LBOVhI5yTz7X7i2rSJYfyQWM8oeHLj8Yl5M
-rOB9gyTumxB4mOLmSqwKzJiUB0ppGPohdLUSSEKDdo6KSH/GjR7M7uBicwnzwJD3
-SVfT9nx9HKF2nXZlHvs5ViQQru3qP1tc6i0eXEnPTYW2+zkZcN0e5iHyozEZHsO0
-rvc1p6G0YWtO
+CQEWDWJ1aWxkQHN1c2UuZGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
+AQCrLYL1Uq02iIgro6x6PFESFDtUKU7xO/bJanI7+AQAroowFuLBI67BBSmoq3hR
+QnH3OtQusGV8y+wvjaaunppvWMfjViZ88zssj5fKXrDr5U6BB566DJgHreWaEs2d
+FD13XpKRr3Nk9zdjAJu5YsR7hI1NMXsnj1X8w71OY9HLjv+Kq9917PJwZQjOGnAJ
+BQTi0ogHuLiwDqMKgg5rrYD4cJDPzoLEmEXnwHDIOSiWdD0bCzhN6GQDKldIxQ2O
+d/mjUgzB+dWslIb+bUKaoJgDtyPV20W74t7Y2uwoaEVr9QkPoM3tOPttf4qsWo8B
+J1TgeoF01ZeKcvSyvOXCKbfAN9sqURK2ZUTNThqZ//VPQmJP6fByrMJsbvTOSsQt
+HI+fFPrg1DC2KT8SzuGtWDRscHZ7MofvUKEQolVgkGwp8u68t/RAAwDpUdqIajzi
+yfp9qSDD+9uMeyiLa4rrAr2ATGohNBa0qha95slgvSepXbYKuHG5b4fWMsG7z4Uc
+dqE2vK8cQma1nsAeQBaq2/89294TOHEzKyspesfCBCnKQ3q+l9xelYRdvapj1CH/
+cfUZf2/6X3VHN1P88RfRrPubswmrcOCEBT41upa2WKRDJ1GS6YhL6LJnrZSTjfe+
+KsfNVS1D+KqSKiK0hfk6YK6O88mMGeAKQs3Ap8WthBLf0QIDAQABo4IBGjCCARYw
+DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUPU1Az5OFOQJLHPxaEt7f6LF+dV8w
+gdMGA1UdIwSByzCByIAUPU1Az5OFOQJLHPxaEt7f6LF+dV+hgaykgakwgaYxLTAr
+BgNVBAMMJFNVU0UgTGludXggRW50ZXJwcmlzZSBTZWN1cmUgQm9vdCBDQTELMAkG
+A1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UECgwYU1VTRSBMaW51
+eCBQcm9kdWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFtMRwwGgYJKoZIhvcN
+AQkBFg1idWlsZEBzdXNlLmRlggEBMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0B
+AQsFAAOCAgEANtdMT47CjQtuERYa5jfygIO5F+urB4fl8pYcQQ/hTPE0KtAnAtrS
+1strtMrVQ1t7Wu3fVbWYA6MZMXXkcwyyNbaWfj6roaSC6G5ZqCJ69oSyzaCbyaTI
+eOgzIIiVGOAj7tiM6T88Xp9qx4Xa3F6UQHF6xfwBT3nNKerGKOG01p7mBfBewwO5
+Hxp7OAZmennUxV1uuT5/AsArxw9lMlawXhIAS7tRYHW+32D4tjHPDycldOw1hBjt
+z5JdehBiTmxhJ6onl0HSpsX84IMSbkeFIxLfxIF0TNas1pGnSGmh8FcV+ck9js3P
+yamJcNkgCstIwo3QZ2D5YdtQjOusyEuGjCIpDIQx36OMzeOo0SayOdzb2dSmcrHv
+4DIkXDUELyIzu79A2R2KR7OQaGL6HGAVy6+yXHHygTbbUrb6ck2+aOG8913ChABc
+ZAiSFFRKVZzzj7FeIxZNA8GBUbhd20eQB2fUXDypeAnTG6P3dtTs84xNb1qGm3VC
+OAKjkWYQijLWmAOs9Q4NM/AXOeDTgXxA7iX7kWHRNeDbACirp7zM2ZOIP5ObIS6z
+yMqcG9DecSVbXiH3MJDTBoB1idQTTyreqpM/l6N8xNNVjEiLJGMEM1SeYq6S1lFV
+a+GcdOaLYkh7ya3I42l/tDOqH2OLIf7FEtocnc1xU6jTz8au1tZxec8=
-----END CERTIFICATE-----
++++++ attach_signature.sh ++++++
--- /var/tmp/diff_new_pack.caxf2B/_old 2014-04-21 11:05:29.000000000 +0200
+++ /var/tmp/diff_new_pack.caxf2B/_new 2014-04-21 11:05:29.000000000 +0200
@@ -11,4 +11,13 @@
outfile="${infile%.efi}-signed.efi"
-pesign -m "$sig" -i "$infile" -o "$outfile"
+nssdir=`mktemp -d`
+cleanup()
+{
+ rm -r "$nssdir"
+}
+trap cleanup EXIT
+echo > "$nssdir/pw"
+certutil -f "$nssdir/pw" -d "$nssdir" -N
+
+pesign -n "$nssdir" -m "$sig" -i "$infile" -o "$outfile"
++++++ extract_signature.sh ++++++
--- /var/tmp/diff_new_pack.caxf2B/_old 2014-04-21 11:05:29.000000000 +0200
+++ /var/tmp/diff_new_pack.caxf2B/_new 2014-04-21 11:05:29.000000000 +0200
@@ -9,7 +9,16 @@
exit 1
fi
+nssdir=`mktemp -d`
+cleanup()
+{
+ rm -r "$nssdir"
+}
+trap cleanup EXIT
+echo > "$nssdir/pw"
+certutil -f "$nssdir/pw" -d "$nssdir" -N
+
# wtf?
-(pesign -h -P -i "$infile";
+(pesign -n "$nssdir" -h -P -i "$infile";
perl $(dirname $0)/timestamp.pl "$infile";
-pesign -a -f -e /dev/stdout -i "$infile")|cat
+pesign -n "$nssdir" -a -f -e /dev/stdout -i "$infile")|cat
++++++ microsoft.asc ++++++
hash: 97a8c5ba11d61fefbb5d6a05da4e15ba472dc4c6cd4972fc1a035de321342fe4
# 2013-10-01 08:29:53
timestamp: 524a8801
checksum: d364
-----BEGIN AUTHENTICODE SIGNATURE-----
MIIh8QYJKoZIhvcNAQcCoIIh4jCCId4CAQExDzANBglghkgBZQMEAgEFADBcBgor
BgEEAYI3AgEEoE4wTDAXBgorBgEEAYI3AgEPMAkDAQCgBKICgAAwMTANBglghkgB
ZQMEAgEFAAQgl6jFuhHWH++7XWoF2k4VukctxMbNSXL8GgNd4yE0L+Sgggs8MIIF
JDCCBAygAwIBAgITMwAAAApmQvP0n7c3lgABAAAACjANBgkqhkiG9w0BAQsFADCB
gTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl
ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMi
TWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTAeFw0xMzA5MjQxNzU0
MDNaFw0xNDEyMjQxNzU0MDNaMIGVMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz
aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv
cnBvcmF0aW9uMQ0wCwYDVQQLEwRNT1BSMTAwLgYDVQQDEydNaWNyb3NvZnQgV2lu
ZG93cyBVRUZJIERyaXZlciBQdWJsaXNoZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQCc2PZRP3t6i2DCLSAuWrFHZKfyD98yckc9yxqqqJACgekdZi4s
ZEN1vYcVfiUhW4hFpdH3kcPah7wf+uqgyQa1hb/9AzDH63JYfaHLWA+Jx0leY0cG
CsIFviaUHrCEgxhkeXdrGfHroDcWArv2yBBvj+zvePVE9/VpDoBK+2nAFxz0oG23
BzE5duVpHIZn96fNyoDKYvCf649VqjM+O5/b5jlDylkMWAIVTvWqE0r/7YnC1Vcc
cgJDQk8IaIWSepRsjrvvf8C8uG3ZSxVjQeuPz7ETAryJIWvYdz240MzVAJD7SazH
SbVJm1LPHfS2FEpx3uUNOuo3IJrrxqeals8FAgMBAAGjggF9MIIBeTAfBgNVHSUE
GDAWBggrBgEFBQcDAwYKKwYBBAGCN1ACATAdBgNVHQ4EFgQU6t49RpSALGo0XSnP
ixuEhp5y0NEwUQYDVR0RBEowSKRGMEQxDTALBgNVBAsTBE1PUFIxMzAxBgNVBAUT
KjMxNjE5KzAxMjU1ZjQ2LTc0ZjUtNGZjNC1iYzcxLWU0ZGE5NzM2YmVlZTAfBgNV
HSMEGDAWgBQTrb9DCb2CcJyM1U8xbtUimIob1DBTBgNVHR8ETDBKMEigRqBEhkJo
dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNDb3JVRUZDQTIw
MTFfMjAxMS0wNi0yNy5jcmwwYAYIKwYBBQUHAQEEVDBSMFAGCCsGAQUFBzAChkRo
dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvclVFRkNB
MjAxMV8yMDExLTA2LTI3LmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUA
A4IBAQAqJ9a9LzTGipmJ7IVkSf5JNK1cBhXsWBlmQ5kFNzeoa+RskUuUeM45NTS3
We7F628BW3BrhT8dK+Uf6YB7F46qng+VWNal2RPFjHSSy60QartzlUJoAaQvNjhC
5gv3LQRmaIZdtdjOLJAclnMETQWrt0wXGsGYwPk3a7kYXsdSO7U+bSwRRkL/v74g
78bCVxwgBhWctw/yxCjpl/bOg79XrZpHxH3szpgwz4YaFWRxxiYAoCYLROKeqObj
PEB8BG83vkpG3K84wBiyT5ab63FtjnbOvD0dGRNO1vIWzC41eEi0mYGW69cya8o+
Ot4bqI6YYSpWmkah9FhW9OLfoCpdMIIGEDCCA/igAwIBAgIKYQjTxAAAAAAABDAN
BgkqhkiG9w0BAQsFADCBkTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0
b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3Jh
dGlvbjE7MDkGA1UEAxMyTWljcm9zb2Z0IENvcnBvcmF0aW9uIFRoaXJkIFBhcnR5
IE1hcmtldHBsYWNlIFJvb3QwHhcNMTEwNjI3MjEyMjQ1WhcNMjYwNjI3MjEzMjQ1
WjCBgTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT
B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UE
AxMiTWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAKUIbEzHRQlqSwykwId/BnUMQwFUZOAWfwft
kn0LsnO/DArGSkVhoMUWLZbT9Sug+01Jm0GAkDy5VP3mvNGdxKQYin9BilxZg2gy
u4xHye5xvCFPmop8/0Q/jY8ysiZIrnW17slMHkoZfuSCmh14d00MsL32D9MW07z6
K6VROF31+7rbeALb/+wKG5bVg7gZE+m2wHtAe+EfKCfJ+u9WXhzmfpR+wPBEsnk5
5dqyYotNvzhw4mgkFMkzpAg31VhpXtN87cEEUwjnTrAqh2MIYW9jFVnqsit51wxh
Z4pb/V6th3+6hmdPcVgSIgQiIs6L71RxAM5QNVh2lQjuarGiAdUCAwEAAaOCAXYw
ggFyMBIGCSsGAQQBgjcVAQQFAgMBAAEwIwYJKwYBBAGCNxUCBBYEFPjBa7d/d1NK
8yU3HU6hJnsPIHCAMB0GA1UdDgQWBBQTrb9DCb2CcJyM1U8xbtUimIob1DAZBgkr
BgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUw
AwEB/zAfBgNVHSMEGDAWgBRFZlJD4X5YEb/WTp4jVQg7OiJqqDBcBgNVHR8EVTBT
MFGgT6BNhktodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0
cy9NaWNDb3JUaGlQYXJNYXJSb29fMjAxMC0xMC0wNS5jcmwwYAYIKwYBBQUHAQEE
VDBSMFAGCCsGAQUFBzAChkRodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2Nl
cnRzL01pY0NvclRoaVBhck1hclJvb18yMDEwLTEwLTA1LmNydDANBgkqhkiG9w0B
AQsFAAOCAgEANQhC/zDMzvd2DK0QaFg1KUYydid87xJBJ0IbSqptgThIWRNV8+lY
NKYWC4KqXa2C2oCDQQaPtB3yA7nzGl0b8VCQ+bNVhEIoHCC9sq5RFMXArJeVIRyQ
2w/8d56Vc5GIyr29UrkFUA3fV56gYe0N5W0l2UAPF0DIzqNKwk2vmhIdCFSPvce8
uSs9SSsfMvxqIWlPm8h+QjT8NgYXi48gQMCzmiV1J83JA6P2XdHnNlR6uVC10xLR
B7+7dN/cHo+A1e0Y9C8UFmsv3maMsCPlx4TY7erBM4KtVksYLfFolQfNz/By8K67
3YaFmCwhTDMr8A9K8GiHtZJVMnWhaoJqPKMlEaTtrdcErsvYQFmghNGVTGKRIhp0
HYw9Rw5EpuSwmzQ1sfq2U6gsgeykBXHInbi66BtEZuRHVA6OVn+znxaYsobQaD6Q
I7UvXo9QhY3GjYJfQaH0Lg3gmdJsdeS2abUhhvoH0fbiTdHarSx3Ux4lMjfHbFJy
lYaw8TVhahn1sjuBUFamMi3+oon5QoYnGFWhgspam/gwmFQUpkeWJS/IJuRBlBpc
Aj/lluOFWzw+P7tHFnJV4iUisdl75wMGKqP3HpBGwwAN1hmJ4w41J2IDcRWm79An
oKBZN2D4OJS44Hhw+LpMhoeU9uCuAkXuZcK2o35pFnUHkpv1prxZg1gxghYoMIIW
JAIBATCBmTCBgTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAO
BgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEr
MCkGA1UEAxMiTWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMQITMwAA
AApmQvP0n7c3lgABAAAACjANBglghkgBZQMEAgEFAKCCAREwGQYJKoZIhvcNAQkD
MQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwLwYJ
KoZIhvcNAQkEMSIEIOBR1lXJ0yMtGJm8ETD6MEFIJCyjBPLlLe2aF6PcGN1xMIGk
BgorBgEEAYI3AgEMMYGVMIGSoF6AXABoAHQAdABwADoALwAvAHcAdwB3AC4AbQBp
AGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvAHcAaABkAGMALwBoAGMAbAAvAGQAZQBm
AGEAdQBsAHQALgBtAHMAcAB4oTCALmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS93
aGRjL2hjbC9kZWZhdWx0Lm1zcHgwDQYJKoZIhvcNAQEBBQAEggEAVajbL42oQSy1
NUS6HAoCq0L01hhN9fHn8acFrSpXK+GjijNspEcxVWSmJCWUWj4oVgBU7hgB2cFr
YBm7M6VLl0h45tCI0jyHURNs4bYeKhBlywIAKQ1B3sxBi84vrNmVv7tZqtV8eAte
tmX/8X6mOObVtD1YfYRVc2/EAEqv/Dee3BKb2/3MJ8TlUDuPZ1yAjAq4MViGs0J3
m4T63cugiWPuoaZEGJ6eaPiVXPcEKiDDOboCMm6MY1CLADE0moMrQ86dtbmycXIu
N44ImKRkPSSCnRbmNDl/OkITHAicitORyvpet6uciDQtXQEq8xuRHJ7tOrwTmuLs
r+BEVn7BR6GCE0owghNGBgorBgEEAYI3AwMBMYITNjCCEzIGCSqGSIb3DQEHAqCC
EyMwghMfAgEDMQ8wDQYJYIZIAWUDBAIBBQAwggE9BgsqhkiG9w0BCRABBKCCASwE
ggEoMIIBJAIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFlAwQCAQUABCBfmL3wsdu9
3kovdSnRVAah9huZNZbgGFJ05HSVLqfy9gIGUmk4IyjpGBMyMDEzMTAzMDE5MTY0
My42ODZaMAcCAQGAAgH0oIG5pIG2MIGzMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0
IENvcnBvcmF0aW9uMQ0wCwYDVQQLEwRNT1BSMScwJQYDVQQLEx5uQ2lwaGVyIERT
RSBFU046QzBGNC0zMDg2LURFRjgxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0
YW1wIFNlcnZpY2Wggg7NMIIGcTCCBFmgAwIBAgIKYQmBKgAAAAAAAjANBgkqhkiG
9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAO
BgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEy
MDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIw
MTAwHhcNMTAwNzAxMjEzNjU1WhcNMjUwNzAxMjE0NjU1WjB8MQswCQYDVQQGEwJV
UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE
ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGlt
ZS1TdGFtcCBQQ0EgMjAxMDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AKkdDbx3EYo6IOz8E5f1+n9plGt0VBDVpQoAgoX77XxoSyxfxcPlYcJ2tz5mK1vw
FVMnBDEfQRsalR3OCROOfGEwWbEwRA/xYIiEVEMM1024OAizQt2TrNZzMFcmgqNF
DdDq9UeBzb8kYDJYYEbyWEeGMoQedGFnkV+BVLHPk0ySwcSmXdFhE24oxhr5hoC7
32H8RsEnHSRnEnIaIYqvS2SJUGKxXf13Hz3wV3WsvYpCTUBR0Q+cBj5nf/VmwAOW
RH7v0Ev9buWayrGo8noqCjHw2k4GkbaICDXoeByw6ZnNPOcvRLqn9NxkvaQBwSAJ
k3jN/LzAyURdXhacAQVPIk0CAwEAAaOCAeYwggHiMBAGCSsGAQQBgjcVAQQDAgEA
MB0GA1UdDgQWBBTVYzpcijGQ80N7fEYbxTNoWoVtVTAZBgkrBgEEAYI3FAIEDB4K
AFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSME
GDAWgBTV9lbLj+iiXGJo0T2UkFvXzpoYxDBWBgNVHR8ETzBNMEugSaBHhkVodHRw
Oi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJB
dXRfMjAxMC0wNi0yMy5jcmwwWgYIKwYBBQUHAQEETjBMMEoGCCsGAQUFBzAChj5o
dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dF8y
MDEwLTA2LTIzLmNydDCBoAYDVR0gAQH/BIGVMIGSMIGPBgkrBgEEAYI3LgMwgYEw
PQYIKwYBBQUHAgEWMWh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9QS0kvZG9jcy9D
UFMvZGVmYXVsdC5odG0wQAYIKwYBBQUHAgIwNB4yIB0ATABlAGcAYQBsAF8AUABv
AGwAaQBjAHkAXwBTAHQAYQB0AGUAbQBlAG4AdAAuIB0wDQYJKoZIhvcNAQELBQAD
ggIBAAfmiFEN4sbgmD+BcQM9naOhIW+z66bM9TG+zwXiqf76V20ZMLPCxWbJat/1
5/B4vceoniXj+bzta1RXCCtRgkQS+7lTjMz0YBKKdsxAQEGb3FwX/1z5Xhc1mCRW
S3TvQhDIr79/xn/yN31aPxzymXlKkVIArzgPF/UveYFl2am1a+THzvbKegBvSzBE
JCI8z+0DpZaPWSm8tv0E4XCfMkon/VWvL/625Y4zu2JfmttXQOnxzplmkIz/amJ/
3cVKC5Em4jnsGUpxY517IW3DnKOiPPp/fZZqkHimbdLhnPkd/DjYlPTGpQqWhqS9
nhquBEKDuLWAmyI4ILUl5WTs9/S/fmNZJQ96LjlXdqJxqgaKD4kWumGnEcua2A5H
moDF0M2n0O99g/DhO3EJ3110mCIIYdqwUB5vvfHhAN/nMQekkzr3ZUd46PioSKv3
3nJ+YWtvd6mBy6cJrDm77MbL2IK0cs0d9LiFAR6A+xuJKlQ5slvayA1VmXqHczsI
5pgt6o3gMy4SKfXAL1QnIffIrE7aKLixqduWsqdCosnPGUFN4Ib5KpqjEWYw07t0
MkvfY3v1mYovG8chr1m1rtxEPJdQcdeh0sVV42neV8HR3jDA/czmTfsNv11P6Z0e
GTgvvM9YBS7vDaBQNdrvCScc1bN+NR4Iuto229Nfj950iEkSMIIE2jCCA8KgAwIB
AgITMwAAACiQZ7kEsDxuZgAAAAAAKDANBgkqhkiG9w0BAQsFADB8MQswCQYDVQQG
EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG
A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQg
VGltZS1TdGFtcCBQQ0EgMjAxMDAeFw0xMzAzMjcyMDEzMTNaFw0xNDA2MjcyMDEz
MTNaMIGzMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE
BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMQ0wCwYD
VQQLEwRNT1BSMScwJQYDVQQLEx5uQ2lwaGVyIERTRSBFU046QzBGNC0zMDg2LURF
RjgxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2UwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDdpUi/akidSiGckmve4C3c5GP4zLmJ
xMcbvee10/vtrs8x/vNmsEQD2plnCFq/dQYiEYnQZ1LM+s+SN0Xo+vG9M9PMc+O4
IaSgFX3LL8QDBdo/lnPTWeWYTQtWhi+dR9HWX52R6ceE2ZVrMky0awBS4EHTPGl0
qM7MfWidUlXmcH8UB6KeZ7CGRPMzP3Ndxij4F19SAS1EL9bteAi45TsvwLnDS8O3
Oy/TprWcsUhK3TIJVqEbS1rTqiYnDBJDYMVq19pADWCYiUG7k3Pdv/7EjFvO+lUn
yk1Nmm99EWyxRyOwTHxsfwahdIIfUngY6QYaFlCawzrdgYH3mydyIX91AgMBAAGj
ggEbMIIBFzAdBgNVHQ4EFgQU3JgInXnRBLKLR8Nx0Izns+awU50wHwYDVR0jBBgw
FoAU1WM6XIoxkPNDe3xGG8UzaFqFbVUwVgYDVR0fBE8wTTBLoEmgR4ZFaHR0cDov
L2NybC5taWNyb3NvZnQuY29tL3BraS9jcmwvcHJvZHVjdHMvTWljVGltU3RhUENB
XzIwMTAtMDctMDEuY3JsMFoGCCsGAQUFBwEBBE4wTDBKBggrBgEFBQcwAoY+aHR0
cDovL3d3dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNUaW1TdGFQQ0FfMjAx
MC0wNy0wMS5jcnQwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDCDAN
BgkqhkiG9w0BAQsFAAOCAQEAgiLztz1kfhJL/Cb84OS30MQUTgn+q1aa0VqYpr6M
QR6UtDK+hLS3RXbj72AYJIeoz+m00VQpvMrkyxJ7wPHUDp8xMxsRP3o73d0CqhjK
yjz6luNsu6+7yYQ+x9gMhctyCwEbpPUxERAMRaVaSJl+2r5Fhte6TeSB/9NYCnZl
Blkv9sJCzwTJqxv6YZ3185hJcLFJ0GTEIejuYBdTfusC2miVi/UKPAHbo7WYFFF0
nlPp2nKYZqBfKc+Prx+CnNPr5vFMG1T46DLcwRXDrCpudAUWg+NEmJ/L7+gweX+v
UqU6H99lx43+J9hHGZIItIs0jmknNxoC9pGzlSL/CEgq/qGCA3YwggJeAgEBMIHj
oYG5pIG2MIGzMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4G
A1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMQ0w
CwYDVQQLEwRNT1BSMScwJQYDVQQLEx5uQ2lwaGVyIERTRSBFU046QzBGNC0zMDg2
LURFRjgxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2WiJQoB
ATAJBgUrDgMCGgUAAxUA8120HsdfO2ZOZQ7emART9hWnH0SggcIwgb+kgbwwgbkx
CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt
b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xDTALBgNVBAsTBE1P
UFIxJzAlBgNVBAsTHm5DaXBoZXIgTlRTIEVTTjpCMDI3LUM2RjgtMUQ4ODErMCkG
A1UEAxMiTWljcm9zb2Z0IFRpbWUgU291cmNlIE1hc3RlciBDbG9jazANBgkqhkiG
9w0BAQUFAAIFANYbbXkwIhgPMjAxMzEwMzAxMTM1MjFaGA8yMDEzMTAzMTExMzUy
MVowdDA6BgorBgEEAYRZCgQBMSwwKjAKAgUA1htteQIBADAHAgEAAgIQxzAHAgEA
AgIYcDAKAgUA1hy++QIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZCgMB
oAowCAIBAAIDFuNgoQowCAIBAAIDB6EgMA0GCSqGSIb3DQEBBQUAA4IBAQAxxOL5
p8WZx+WQXwsf9YpPA4dWCU2xk7l1MY2R653keklyM7ks9Md5/7JbBzMPQXMPJ0Ts
SllTUWF+wCUwW84ZAJCG4IUS5MrfbC5yXPkCjYEW6pll2A77OgwC+UG7X5VN67nm
XfRbw+3lyAAcCjpreeEOiMRTNP1UW3Th2x5Lmbgc4AW/6p+6VEj/7QJEuj7oMXVe
KQNp/I+lJn1rBGU42wqteobjNmUI55+i5PN+Wa5uGh7IhkqpDRPIkBM9wqVDQoHb
d727DRVQMwzTAGYdSaOPJjLYti078h71WDJYyM1waA435nrkukJ6ObWdMTNjJqsy
/Tz7rYZPgMPKLjtfMYIC9TCCAvECAQEwgZMwfDELMAkGA1UEBhMCVVMxEzARBgNV
BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv
c29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAg
UENBIDIwMTACEzMAAAAokGe5BLA8bmYAAAAAACgwDQYJYIZIAWUDBAIBBQCgggEy
MBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAvBgkqhkiG9w0BCQQxIgQgqtHU
/PG7RLWN/Y5UsjD6+lFX/RpWbpbjNV/x7SF3lQwwgeIGCyqGSIb3DQEJEAIMMYHS
MIHPMIHMMIGxBBTzXbQex187Zk5lDt6YBFP2FacfRDCBmDCBgKR+MHwxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4w
HAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29m
dCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAAAKJBnuQSwPG5mAAAAAAAoMBYEFLWf
+tQPMIlyzZih4uVtvwa31BWHMA0GCSqGSIb3DQEBCwUABIIBAEJSSeyhVFmVBArn
o02R+f9PxUVjdMsHRqTWdnfA6F4uFU2GGGB2NoGTPHVeHrTTejo2bzXf5Di0jO5r
nIM1KVSUIDmM6xgvcIgxMuo2oM8MxHnYSh9QdWTCnJsqcR+PzIhsdrxaQOLRXNiS
uEyj0MgaJuYATAmhM2oM4BFNmbFavr0Sar3fj54zoZ9/p7ZhROSVm40OKt8tzSDu
7KrU8rr6VikJV2svuvLsmBKP7H6A+ZBWgrSlraQhdOxgjdPci6rhoZ9GG3WzNIcg
c+4KZEXs0hxinuZA2+Z9QhyXcTeLXm1UbKtN+P6hEv6ABEaghtj238dcrBtwijpX
BkfJeJoAAAA=
-----END AUTHENTICODE SIGNATURE-----
++++++ shim-install ++++++
--- /var/tmp/diff_new_pack.caxf2B/_old 2014-04-21 11:05:30.000000000 +0200
+++ /var/tmp/diff_new_pack.caxf2B/_new 2014-04-21 11:05:30.000000000 +0200
@@ -4,18 +4,14 @@
bootdir=
efidir=
install_device=
-efibootdir=
-ca_string=
removable=no
clean=no
sysconfdir="/etc"
libdir="/usr/lib64"
source_dir="$libdir/efi"
grub_probe="`which grub2-probe`"
-grub_mkrelpath="`which grub2-mkrelpath`"
self="`basename $0`"
grub_cfg="/boot/grub2/grub.cfg"
-update_boot=no
# Get GRUB_DISTRIBUTOR.
if test -f "${sysconfdir}/default/grub" ; then
@@ -30,14 +26,6 @@
efi_distributor="$bootloader_id"
bootloader_id="${bootloader_id}-secureboot"
-case "$bootloader_id" in
- "sle"*)
- ca_string='SUSE Linux Enterprise Secure Boot CA1';;
- "opensuse"*)
- ca_string='openSUSE Secure Boot CA1';;
- *) ca_string="";;
-esac
-
usage () {
echo "Usage: $self [OPTION] [INSTALL_DEVICE]"
echo
@@ -181,32 +169,18 @@
if test -n "$efidir"; then
efi_file=shim.efi
- efibootdir="$efidir/EFI/boot"
- mkdir -p "$efibootdir" || exit 1
efidir="$efidir/EFI/$efi_distributor"
mkdir -p "$efidir" || exit 1
else
exit 1;
fi
-if test -f "$efibootdir/bootx64.efi"; then
- if test -n "$ca_string" && (grep -q "$ca_string"
"$efibootdir/bootx64.efi"); then
- update_boot=yes
- fi
-else
- update_boot=yes
-fi
-
if test "$clean" = "yes"; then
rm -f "${efidir}/shim.efi"
rm -f "${efidir}/MokManager.efi"
rm -f "${efidir}/grub.efi"
rm -f "${efidir}/grub.cfg"
rm -f "${efidir}/boot.csv"
- if test "$update_boot" = "yes"; then
- rm -f "${efibootdir}/bootx64.efi"
- rm -f "${efibootdir}/fallback.efi"
- fi
efibootmgr="`which efibootmgr`"
if test "$removable" = no && test -n "$bootloader_id" && test -n
"$efibootmgr"; then
# Delete old entries from the same distributor.
@@ -222,70 +196,17 @@
cp "${source_dir}/MokManager.efi" "${efidir}"
cp "${source_dir}/grub.efi" "${efidir}"
echo "shim.efi,${bootloader_id}" | iconv -f ascii -t ucs2 >
"${efidir}/boot.csv"
-if test "$update_boot" = "yes"; then
- cp "${source_dir}/shim.efi" "${efibootdir}/bootx64.efi"
- cp "${source_dir}/fallback.efi" "${efibootdir}"
-fi
-
-
-make_grubcfg () {
grub_cfg_dirname=`dirname $grub_cfg`
grub_cfg_basename=`basename $grub_cfg`
cfg_fs_uuid=`"$grub_probe" --target=fs_uuid "$grub_cfg_dirname"`
-descriptive_config="snapshot_submenu.cfg"
-root_fstype=`$grub_probe -t fs /`
-boot_fstype=`$grub_probe -t fs /boot`
-if [ "x${root_fstype}" != "xbtrfs" ] ||
- [ "x${boot_fstype}" != "xbtrfs" ]; then
- echo "/ is not on btrfs" >&2
- exit 1;
-fi
-
-if test "x$SUSE_BTRFS_SNAPSHOT_BOOTING" = "xtrue" &&
- test "x$root_fstype" = "xbtrfs" &&
- test "x$boot_fstype" = "xbtrfs"; then
-
-cat <<EOF
-set btrfs_relative_path="yes"
-set extra_cmdline=""
-btrfs_subvolid=""
-btrfs_subvol="/"
-
-export btrfs_relative_path
-export extra_cmdline
+(cat << EOF
search --fs-uuid --set=root ${cfg_fs_uuid}
-
-set timeout=0
-
-terminal_input console
-terminal_output console
-
-menuentry 'default' {
- btrfs_subvol=""
- configfile /boot/grub2/grub.cfg
- btrfs_subvol="/"
-}
-
-if [ -f "/.snapshots/${descriptive_config}" ]; then
- source "/.snapshots/${descriptive_config}"
-fi
-
-EOF
-
-else
-
-cat <<EOF
-search --fs-uuid --set=root ${cfg_fs_uuid}
-set prefix=(\${root})`${grub_mkrelpath} ${grub_cfg_dirname}`
-configfile \$prefix/${grub_cfg_basename}
+set prefix=(\${root})${grub_cfg_dirname}
EOF
-fi
-
-}
-
-make_grubcfg > "${efidir}/grub.cfg"
+echo "configfile \$prefix/${grub_cfg_basename}") \
+> "${efidir}/grub.cfg"
efibootmgr="`which efibootmgr`"
if test "$removable" = no && test -n "$bootloader_id" && test -n
"$efibootmgr"; then
++++++ shim-mokx-support.patch ++++++
--- /var/tmp/diff_new_pack.caxf2B/_old 2014-04-21 11:05:30.000000000 +0200
+++ /var/tmp/diff_new_pack.caxf2B/_new 2014-04-21 11:05:30.000000000 +0200
@@ -1,12 +1,10 @@
-From 58b8e54ef60d488886a9f0d0877b7187eb200d07 Mon Sep 17 00:00:00 2001
+From 8614cf8c164049e77d702eb234d608d5342e975b Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <g...@suse.com>
Date: Thu, 24 Oct 2013 17:02:08 +0800
-Subject: [PATCH 01/10] Support MOK blacklist
+Subject: [PATCH 1/9] Support MOK blacklist
The new blacklist, MokListX, stores the keys and hashes that are
banned.
-
-Signed-off-by: Gary Ching-Pang Lin <g...@suse.com>
---
MokManager.c | 241 +++++++++++++++++++++++++++++++++++++++++++++++++----------
shim.c | 3 +-
@@ -512,7 +510,7 @@
return EFI_SUCCESS;
}
diff --git a/shim.c b/shim.c
-index cf93d65..2c23a2f 100644
+index 9ae1936..c133bb2 100644
--- a/shim.c
+++ b/shim.c
@@ -1510,7 +1510,8 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
@@ -526,15 +524,14 @@
if (efi_status != EFI_SUCCESS) {
--
-1.8.4.5
+1.8.1.4
-From d2980a5cbee887223405a24be44ffd5bb439e3f1 Mon Sep 17 00:00:00 2001
+From f36f4093bb72344242949b16b83905cefb93d3cd Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <g...@suse.com>
Date: Thu, 24 Oct 2013 17:32:31 +0800
-Subject: [PATCH 02/10] MokManager: show the hash list properly
+Subject: [PATCH 2/9] MokManager: show the hash list properly
-Signed-off-by: Gary Ching-Pang Lin <g...@suse.com>
---
MokManager.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 71 insertions(+), 11 deletions(-)
@@ -678,15 +675,14 @@
for (i=0; menu_strings[i] != NULL; i++)
--
-1.8.4.5
+1.8.1.4
-From 9c4b5d58385c64056adb5386c097219665f2f50d Mon Sep 17 00:00:00 2001
+From f1073a9bc757008d44b5b86cb5002a3654faf2d2 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <g...@suse.com>
Date: Fri, 25 Oct 2013 16:54:25 +0800
-Subject: [PATCH 03/10] MokManager: delete the hash properly
+Subject: [PATCH 3/9] MokManager: delete the hash properly
-Signed-off-by: Gary Ching-Pang Lin <g...@suse.com>
---
MokManager.c | 124 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 114 insertions(+), 10 deletions(-)
@@ -844,15 +840,14 @@
}
--
-1.8.4.5
+1.8.1.4
-From 54ce2f9605990c00f9cafae7cab22a1c885828c1 Mon Sep 17 00:00:00 2001
+From b5cb83a92620b0b41857f3e3a292d1577eb3a3a5 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <g...@suse.com>
Date: Fri, 25 Oct 2013 17:05:10 +0800
-Subject: [PATCH 04/10] MokManager: Match all hashes in the list
+Subject: [PATCH 4/9] MokManager: Match all hashes in the list
-Signed-off-by: Gary Ching-Pang Lin <g...@suse.com>
---
MokManager.c | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
@@ -913,17 +908,15 @@
}
}
--
-1.8.4.5
+1.8.1.4
-From 4c1912c8521cca4d320a1417abff6f7954809a20 Mon Sep 17 00:00:00 2001
+From 70a4e12d2e6ba37541d0b78ec3c8ed5e8da9a941 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <g...@suse.com>
Date: Fri, 25 Oct 2013 18:30:48 +0800
-Subject: [PATCH 05/10] MokManager: Write the hash list properly
+Subject: [PATCH 5/9] MokManager: Write the hash list properly
also return to the previous entry in the list
-
-Signed-off-by: Gary Ching-Pang Lin <g...@suse.com>
---
MokManager.c | 30 +++++++++++++++++++-----------
1 file changed, 19 insertions(+), 11 deletions(-)
@@ -998,21 +991,20 @@
efi_status = uefi_call_wrapper(RT->SetVariable, 5, db_name,
--
-1.8.4.5
+1.8.1.4
-From 8b96a93bda39617efbe51f24d1dc606ad8835d26 Mon Sep 17 00:00:00 2001
+From 225e5fca2f7cf63e365b77243d6e43b1eb9860c8 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <g...@suse.com>
Date: Mon, 28 Oct 2013 15:08:40 +0800
-Subject: [PATCH 06/10] Copy the MOK blacklist to a RT variable
+Subject: [PATCH 6/9] Copy the MOK blacklist to a RT variable
-Signed-off-by: Gary Ching-Pang Lin <g...@suse.com>
---
shim.c | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/shim.c b/shim.c
-index 2c23a2f..ccb3071 100644
+index c133bb2..a0383a8 100644
--- a/shim.c
+++ b/shim.c
@@ -1480,6 +1480,33 @@ EFI_STATUS mirror_mok_list()
@@ -1049,7 +1041,7 @@
* Check if a variable exists
*/
static BOOLEAN check_var(CHAR16 *varname)
-@@ -1799,6 +1826,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle,
EFI_SYSTEM_TABLE *passed_systab)
+@@ -1795,6 +1822,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle,
EFI_SYSTEM_TABLE *passed_systab)
*/
efi_status = mirror_mok_list();
@@ -1059,21 +1051,20 @@
* Create the runtime MokIgnoreDB variable so the kernel can make
* use of it
--
-1.8.4.5
+1.8.1.4
-From 044d04dbed3ef3f2f3004a770e3751eabc052c2c Mon Sep 17 00:00:00 2001
+From f9db55b719281ce491780ecd4ec269c5286a7251 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <g...@suse.com>
Date: Mon, 28 Oct 2013 16:36:34 +0800
-Subject: [PATCH 07/10] No newline for console_notify
+Subject: [PATCH 7/9] No newline for console_notify
-Signed-off-by: Gary Ching-Pang Lin <g...@suse.com>
---
shim.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/shim.c b/shim.c
-index ccb3071..e30a464 100644
+index a0383a8..a2e0862 100644
--- a/shim.c
+++ b/shim.c
@@ -470,7 +470,7 @@ static BOOLEAN secure_mode (void)
@@ -1095,13 +1086,13 @@
}
--
-1.8.4.5
+1.8.1.4
-From 0e97d1576fcc1924f0f17b7f31baf1dd74a7f83e Mon Sep 17 00:00:00 2001
+From 0bf2da5c7d9442f3249fc977b3fbffab924a374c Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <g...@suse.com>
Date: Mon, 4 Nov 2013 14:45:33 +0800
-Subject: [PATCH 08/10] Verify the EFI images with MOK blacklist
+Subject: [PATCH 8/9] Verify the EFI images with MOK blacklist
Signed-off-by: Gary Ching-Pang Lin <g...@suse.com>
---
@@ -1109,7 +1100,7 @@
1 file changed, 9 insertions(+)
diff --git a/shim.c b/shim.c
-index e30a464..efd3d85 100644
+index a2e0862..5f5e9a6 100644
--- a/shim.c
+++ b/shim.c
@@ -365,6 +365,7 @@ static EFI_STATUS check_blacklist
(WIN_CERTIFICATE_EFI_PKCS *cert,
@@ -1136,13 +1127,13 @@
return EFI_SUCCESS;
}
--
-1.8.4.5
+1.8.1.4
-From a166edaa42ef96eaf5b000d0e4ad71779b745d68 Mon Sep 17 00:00:00 2001
+From 20ced27d1785bceaf814c07ca0d5686506a119ad Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <g...@suse.com>
Date: Mon, 4 Nov 2013 17:51:55 +0800
-Subject: [PATCH 09/10] Exclude ca.crt while signing EFI images
+Subject: [PATCH 9/9] Exclude ca.crt while signing EFI images
If ca.crt was added into the certificate database, ca.crt would be the first
certificate in the signature. Because shim couldn't verify ca.crt with the
@@ -1167,33 +1158,5 @@
certutil -d certdb/ -A -i shim.crt -n shim -t u
--
-1.8.4.5
-
-
-From cce37bfa5298e8e9c12d3509c78592f711699c4f Mon Sep 17 00:00:00 2001
-From: Gary Ching-Pang Lin <g...@suse.com>
-Date: Tue, 11 Feb 2014 14:11:15 +0800
-Subject: [PATCH 10/10] Make shim to check MokXAuth for MOKX reset
-
-Signed-off-by: Gary Ching-Pang Lin <g...@suse.com>
----
- shim.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/shim.c b/shim.c
-index efd3d85..7093c45 100644
---- a/shim.c
-+++ b/shim.c
-@@ -1547,7 +1547,8 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle)
- if (check_var(L"MokNew") || check_var(L"MokSB") ||
- check_var(L"MokPW") || check_var(L"MokAuth") ||
- check_var(L"MokDel") || check_var(L"MokDB") ||
-- check_var(L"MokXNew") || check_var(L"MokXDel")) {
-+ check_var(L"MokXNew") || check_var(L"MokXDel") ||
-+ check_var(L"MokXAuth")) {
- efi_status = start_image(image_handle, MOK_MANAGER);
-
- if (efi_status != EFI_SUCCESS) {
---
-1.8.4.5
+1.8.1.4
++++++ show_hash.sh ++++++
--- /var/tmp/diff_new_pack.caxf2B/_old 2014-04-21 11:05:30.000000000 +0200
+++ /var/tmp/diff_new_pack.caxf2B/_new 2014-04-21 11:05:30.000000000 +0200
@@ -9,4 +9,13 @@
exit 1
fi
-pesign -h -P -i "$infile"
+nssdir=`mktemp -d`
+cleanup()
+{
+ rm -r "$nssdir"
+}
+trap cleanup EXIT
+echo > "$nssdir/pw"
+certutil -f "$nssdir/pw" -d "$nssdir" -N
+
+pesign -n "$nssdir" -h -P -i "$infile"
++++++ show_signatures.sh ++++++
--- /var/tmp/diff_new_pack.caxf2B/_old 2014-04-21 11:05:30.000000000 +0200
+++ /var/tmp/diff_new_pack.caxf2B/_new 2014-04-21 11:05:30.000000000 +0200
@@ -9,4 +9,13 @@
exit 1
fi
-pesign -S -i "$infile"
+nssdir=`mktemp -d`
+cleanup()
+{
+ rm -r "$nssdir"
+}
+trap cleanup EXIT
+echo > "$nssdir/pw"
+certutil -f "$nssdir/pw" -d "$nssdir" -N
+
+pesign -n "$nssdir" -S -i "$infile"
++++++ strip_signature.sh ++++++
--- /var/tmp/diff_new_pack.caxf2B/_old 2014-04-21 11:05:30.000000000 +0200
+++ /var/tmp/diff_new_pack.caxf2B/_new 2014-04-21 11:05:30.000000000 +0200
@@ -10,4 +10,13 @@
outfile="${infile%.efi}-unsigned.efi"
-pesign -r -i "$infile" -o "$outfile"
+nssdir=`mktemp -d`
+cleanup()
+{
+ rm -r "$nssdir"
+}
+trap cleanup EXIT
+echo > "$nssdir/pw"
+certutil -f "$nssdir/pw" -d "$nssdir" -N
+
+pesign -n "$nssdir" -r -i "$infile" -o "$outfile"
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
