commit shim for openSUSE:Factory

2024-07-02 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2024-07-02 18:15:29

Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and  /work/SRC/openSUSE:Factory/.shim.new.18349 (New)


Package is "shim"

Tue Jul  2 18:15:29 2024 rev:121 rq:1184771 version:15.8

Changes:

--- /work/SRC/openSUSE:Factory/shim/shim.changes2024-04-02 
16:38:41.216993558 +0200
+++ /work/SRC/openSUSE:Factory/.shim.new.18349/shim.changes 2024-07-02 
18:15:30.681358825 +0200
@@ -1,0 +2,13 @@
+Tue Jun 25 04:12:39 UTC 2024 - Dennis Tseng 
+
+- Update asc files of shim-15.8 after being signed back from 
+  Microsoft, including:
+  signature-opensuse.x86_64.asc,
+  signature-opensuse.aarch64.asc,
+  signature-sles.x86_64.asc,
+  signature-sles.aarch64.asc.
+
+- Enable aarch64 signature comparison which was disabled temporarily
+  before. Now, we got a real one. So it is enabled again.  
+
+---



Other differences:
--
++ shim.spec ++
--- /var/tmp/diff_new_pack.25LOH1/_old  2024-07-02 18:15:31.665394834 +0200
+++ /var/tmp/diff_new_pack.25LOH1/_new  2024-07-02 18:15:31.669394980 +0200
@@ -192,7 +192,8 @@
# AArch64 signature
# Disable AArch64 signature attachment temporarily
# until we get a real one.
-   #signature=%{SOURCE12}
+# Now, we got a real one. So enable it again.
+   signature=%{SOURCE12}
 %endif
 elif test "$suffix" = "sles"; then
cert=%{SOURCE4}
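Review bot: The two comment lines kept above the new `signature=%{SOURCE12}` ("Disable AArch64 signature attachment temporarily / until we get a real one.") now describe the opposite of what the code does, and the added "Now, we got a real one" line only works as a reply to them; a reader of the spec a year from now has to reconstruct the history from three lines of comment to learn that the line is simply active. Collapsing them into one current statement is clearer: replace the three comment lines with `# AArch64 signature (re-enabled once a real signed copy was available)` directly above `signature=%{SOURCE12}`. The `%endif` on the next line closes a conditional that opens outside the hunk.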













++ signature-opensuse.aarch64.asc ++
--- /var/tmp/diff_new_pack.25LOH1/_old  2024-07-02 18:15:31.881402738 +0200
+++ /var/tmp/diff_new_pack.25LOH1/_new  2024-07-02 18:15:31.885402885 +0200
@@ -1,189 +1,211 @@
-hash: 96275dfd6282a522b011177ee049296952ac794832091f937fbbf92869028629
-# 2069-04-10 06:07:54
-timestamp: babababa
-linker: 2002
-checksum: ef25
+hash: 15854cd77be6b61bb6d22b4d448fe9b2d5d06dfa67d8161b6497e10af5b1bfb3
+# 1970-01-01 00:00:00
+timestamp: 0
+linker: 2902
+checksum: e2b1
 -BEGIN AUTHENTICODE SIGNATURE-
-MIIhwQYJKoZIhvcNAQcCoIIhsjCCIa4CAQExDzANBglghkgBZQMEAgEFADBcBgor
+MIIl/AYJKoZIhvcNAQcCoIIl7TCCJekCAQExDzANBglghkgBZQMEAgEFADBcBgor
 BgEEAYI3AgEEoE4wTDAXBgorBgEEAYI3AgEPMAkDAQCgBKICgAAwMTANBglghkgB
-ZQMEAgEFAAQglidd/WKCpSKwERd+4EkpaVKseUgyCR+Tf7v5KGkChimgggs8MIIF
-JDCCBAygAwIBAgITMwAAABjnMIN/Ryp7WwABGDANBgkqhkiG9w0BAQsFADCB
+ZQMEAgEFAAQgFYVM13vmthu20itNRI/pstXQbfpn2BYbZJfhCvWxv7OgggszMIIF
+GzCCBAOgAwIBAgITMwAAAF4N6/Cb7d174QABXjANBgkqhkiG9w0BAQsFADCB
 gTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl
 ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMi
-TWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTAeFw0xNTEwMjgyMDQz
-MzdaFw0xNzAxMjgyMDQzMzdaMIGVMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz
+TWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTAeFw0yMzEwMTkxOTUz
+MjNaFw0yNDEwMTYxOTUzMjNaMIGGMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz
 aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv
-cnBvcmF0aW9uMQ0wCwYDVQQLEwRNT1BSMTAwLgYDVQQDEydNaWNyb3NvZnQgV2lu
-ZG93cyBVRUZJIERyaXZlciBQdWJsaXNoZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
-DwAwggEKAoIBAQCxZkprRvykOB1+X8MMpDVlB36RVafGyaZ8Dsl5/8U92WKQvqdx
-T7SsnmbDv9TNSndVGzFvH5p4dn1Q/52kuDMpwpjGUqTWrx1+jrZOYrb02uTL/+QZ
-H/nxW96fPJqKIEnqe16lLp2WCjT6J7AzckF67KEW6voOzXITZLP8t3OCqNWIWXy3
-ABLiZllI3O+VAwmRlosEmPYcD2qM3KxhPNvT+GZ2gb+FrLKvuRNxpHK0iZBxnrSg
-SnTlSfqzOAf9LWP6f4ajn04tdPOCRh3xuPM/bHJlCS40hBH2hYAV40s1vKTL8/Uf
-lTVdaBrq6f6NZAc4RFWnQgc/32xiYIcQ6AmjAgMBAAGjggF9MIIBeTAfBgNVHSUE
-GDAWBggrBgEFBQcDAwYKKwYBBAGCN1ACATAdBgNVHQ4EFgQUI3JhxfMYweN5Brdl
-fggzjB4hb1owUQYDVR0RBEowSKRGMEQxDTALBgNVBAsTBE1PUFIxMzAxBgNVBAUT
-KjMxNjE5K2UyOTg0YTM1LWNmNGYtNDEwZC04ZWMzLTcxOTYxNWJmOGMxYjAfBgNV
-HSMEGDAWgBQTrb9DCb2CcJyM1U8xbtUimIob1DBTBgNVHR8ETDBKMEigRqBEhkJo
-dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNDb3JVRUZDQTIw
-MTFfMjAxMS0wNi0yNy5jcmwwYAYIKwYBBQUHAQEEVDBSMFAGCCsGAQUFBzAChkRo
-dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvclVFRkNB
-MjAxMV8yMDExLTA2LTI3LmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUA
-A4IBAQBxu75jhm/XBbQkp7pR8jykioQZc4KXLTqPQ1l/Z5KO1yY6oKImgbidhR3b
-ZV+cz5MqktoNxsf0Pt7WVxbuZe0nOe8UC7ldmH3NwbfukTSr0CNw4Sw+unFmLxDo
-g3BhCstsmP/yfDizuCkzPXVCjoBK3tCbNIZxfUEYjwSJAsFpeHvPEJlse2beTfpb
-ghe9sCMUOT2yiKjf+1tbY6FNeB6/DvpaxkBYX99jcLy1KHD5LWcoIjEREhFybILA
-mhoagQQ7upVbQLvJHAMyctmHUh432Kod0PpUUTwSrMChSAgB0t+l5DinGgowpoSj
-kjMiS55xRj22uZpnBzckogBCW0LGMIIGEDCCA/igAwIBAgIKYQjTxAAABDAN
-BgkqhkiG9w0BAQsFADCBkTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0
-b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3Jh
-dGlvbjE7MDkGA1UEAxMyTWljcm9zb2Z0IENvcnBvcmF0aW9uIFRoaXJkIFBhcnR5
-IE1hcmtldHBsYWNlIFJvb3QwHhcNMTEwNjI3MjEyMjQ1WhcNMjYwNjI3MjEz

commit shim for openSUSE:Factory

2024-04-02 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2024-04-02 16:38:25

Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and  /work/SRC/openSUSE:Factory/.shim.new.1905 (New)


Package is "shim"

Tue Apr  2 16:38:25 2024 rev:120 rq:1164003 version:15.8

Changes:

--- /work/SRC/openSUSE:Factory/shim/shim.changes2024-03-06 
23:03:27.222968378 +0100
+++ /work/SRC/openSUSE:Factory/.shim.new.1905/shim.changes  2024-04-02 
16:38:41.216993558 +0200
@@ -1,0 +2,7 @@
+Tue Apr  2 03:09:15 UTC 2024 - Gary Ching-Pang Lin 
+
+- Introduce %shim_use_fde_tpm_helper macro so that the project
+  can include the fde-tpm-helper-macros for the build targets
+  other than Tumbleweed
+
+---



Other differences:
--
++ shim.spec ++
--- /var/tmp/diff_new_pack.tj23i1/_old  2024-04-02 16:38:42.057024513 +0200
+++ /var/tmp/diff_new_pack.tj23i1/_new  2024-04-02 16:38:42.057024513 +0200
@@ -35,6 +35,10 @@
 %endif
 %endif
 
+%if 0%{?suse_version} >= 1600
+%define shim_use_fde_tpm_helper 1
+%endif
+
 Name:   shim
 Version:15.8
 Release:0
@@ -89,7 +93,7 @@
 BuildRequires:  openssl >= 0.9.8
 BuildRequires:  pesign
 BuildRequires:  pesign-obs-integration
-%if 0%{?suse_version} >= 1600
+%if 0%{?shim_use_fde_tpm_helper:1}
 BuildRequires:  fde-tpm-helper-rpm-macros
 %endif
 %if 0%{?suse_version} > 1320
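Review bot: `%if 0%{?shim_use_fde_tpm_helper:1}` tests only whether the macro is defined, not its value, so a project that sets `%shim_use_fde_tpm_helper 0` in its prjconf to opt out would still pull in fde-tpm-helper-rpm-macros; `%if 0%{?shim_use_fde_tpm_helper}` honours the value and still evaluates to 1 when the first hunk defines it. If the intent stated in the changelog is that projects other than Tumbleweed set the macro themselves, the unconditional `%define` in the first hunk also overwrites any project-level value for suse_version >= 1600; guarding it as `%{!?shim_use_fde_tpm_helper:%define shim_use_fde_tpm_helper 1}` keeps the external setting authoritative. The BuildRequires block this hunk edits continues outside the hunk.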


commit shim for openSUSE:Factory

2024-03-06 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2024-03-06 23:03:16

Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and  /work/SRC/openSUSE:Factory/.shim.new.1770 (New)


Package is "shim"

Wed Mar  6 23:03:16 2024 rev:119 rq:1155012 version:15.8

Changes:

--- /work/SRC/openSUSE:Factory/shim/shim.changes2024-02-18 
20:23:23.682498178 +0100
+++ /work/SRC/openSUSE:Factory/.shim.new.1770/shim.changes  2024-03-06 
23:03:27.222968378 +0100
@@ -1,0 +2,6 @@
+Mon Feb 26 13:09:29 UTC 2024 - Dominique Leuenberger 
+
+- Use %autosetup macro. Allows to eliminate the usage of deprecated
+  PatchN.
+
+---



Other differences:
--
++ shim.spec ++
--- /var/tmp/diff_new_pack.BeMp6M/_old  2024-03-06 23:03:29.019033492 +0100
+++ /var/tmp/diff_new_pack.BeMp6M/_new  2024-03-06 23:03:29.023033638 +0100
@@ -129,12 +129,7 @@
 The source code of UEFI shim loader
 
 %prep
-%setup -q
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
+%autosetup -p1
 
 %build
 # generate the vendor SBAT metadata


commit shim for openSUSE:Factory

2024-02-01 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2024-02-01 18:04:12

Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and  /work/SRC/openSUSE:Factory/.shim.new.1815 (New)


Package is "shim"

Thu Feb  1 18:04:12 2024 rev:115 rq:1143192 version:15.8

Changes:

--- /work/SRC/openSUSE:Factory/shim/shim.changes2023-10-10 
20:52:30.165123807 +0200
+++ /work/SRC/openSUSE:Factory/.shim.new.1815/shim.changes  2024-02-01 
18:04:18.908808714 +0100
@@ -1,0 +2,81 @@
+Sun Jan 28 09:32:32 UTC 2024 - Dennis Tseng 
+
+-- Update to version 15.8
+- Various CVE fixes are already merged into this version
+mok: fix LogError() invocation (bsc#1215099,CVE-2023-40546)
+avoid incorrectly trusting HTTP headers (bsc#1215098,CVE-2023-40547)
+Fix integer overflow on SBAT section size on 32-bit system 
(bsc#1215100,CVE-2023-40548)
+Authenticode: verify that the signature header is in bounds 
(bsc#1215101,CVE-2023-40549)
+pe: Fix an out-of-bound read in verify_buffer_sbat() 
(bsc#1215102,CVE-2023-40550)
+pe-relocate: Fix bounds check for MZ binaries 
(bsc#1215103,CVE-2023-40551)
+- remove shim-Enable-the-NX-compatibility-flag-by-default.patch
+The codes in this patch are already existing in shim-15.8
+The NX flag is disable which is same as the default value of 
shim-15.8, 
+hence, not need to enable it by this patch now.
+- Patches (git log --oneline --reverse 15.7..15.8)
+657b248 Make sbat_var.S parse right with buggy gcc/binutils
+7c76425 Enable the NX compatibility flag by default.
+89972ae CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc 
wrapper
+c7b3051 pe: Align section size up to page size for mem attrs
+e4f40ae pe: Add IS_PAGE_ALIGNED macro
+f23883c Don't loop forever in load_certs() with buggy firmware
+1f38cb3 Optionally allow to keep shim protocol installed
+102a658 Drop invalid calls to `CRYPTO_set_mem_functions`
+aae3df0 test-sbat: Fix exit code
+cca3933 Block Debian grub binaries with SBAT < 4
+cf59f34 Further improve load_certs() for non-compliant 
drivers/firmwares
+0601f44 SBAT-related documents formatting and spelling
+0640e13 Add a security contact email address in README.md
+0bfc397 Work around malformed path delimiters in file paths from DHCP
+a8b0b60 pe: only process RelocDir->Size of reloc section
+f7a4338 Skip testing msleep()
+549d346 Rename 'msecs' to 'usecs' to avoid potential confusion
+908c388 Change type of fallback_verbose_wait from int to unsigned long
+05eae92 Add SbatLevel_Variable.txt to document the various revocations
+243f125 Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL
+89d25a1 Add a make rule for compile_commands.json
+118ff87 Add gnu-stack notes
+f132655 test: Make our fake dprintf be a statement.
+be00279 Remove CentOS 7 test builds.
+9964960 Split pe.c up even more.
+569270d Test (and fix) ImageAddress()
+61e9894 Verify signature before verifying sbat levels
+1578b55 Add libFuzzer support for csv.c
+a0673e3 Fix a 1-byte memory leak in .sbat parsing.
+e246812 Add libFuzzer support to the .sbat parser.
+fd43eda Work around ImageAddress() usage mistake
+1e985a3 Correctly free memory allocated in handle_image()
+dbbe3c8 mok: Avoid underflow in maximum variable size calculation
+04111d4 Make some of the static analysis tools a little easier to run
+7ba7440 compile_commands.json: remove stuff clang doesn't like
+66e6579 CVE-2023-40546 mok: fix LogError() invocation
+f271826 Add primitives for overflow-checked arithmetic operations.
+8372147 pe-relocate: Add a fuzzer for read_header()
+5a5147d CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
+e912071 pe-relocate: make read_header() use checked arithmetic 
operations.
+93ce255 CVE-2023-40550 pe: Fix an out-of-bound read in 
verify_buffer_sbat()
+e7f5fdf pe-relocate: Ensure nothing else implements CVE-2023-40550
+afdc503 CVE-2023-40549 Authenticode: verify that the signature header 
is in bounds.
+96dccc2 CVE-2023-40548 Fix integer overflow on SBAT section size on 
32-bit system
+dae82f6 Further mitigations against CVE-2023-40546 as a class
+ea0f9df Allow SbatLevel data from external binary
+b078ef2 Always clear SbatLevel when Secure Boot is disabled
+7dfb687 BS Variables for bootmgr revocations
+a967c0e shim should not self revoke
+577cedd Print message when refusing to apply SbatLev

commit shim for openSUSE:Factory

2023-10-13 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2023-10-10 20:52:13

Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and  /work/SRC/openSUSE:Factory/.shim.new.28202 (New)


Package is "shim"

Tue Oct 10 20:52:13 2023 rev:114 rq:1116629 version:15.7

Changes:

--- /work/SRC/openSUSE:Factory/shim/shim.changes2023-05-26 
20:15:15.336184744 +0200
+++ /work/SRC/openSUSE:Factory/.shim.new.28202/shim.changes 2023-10-10 
20:52:30.165123807 +0200
@@ -1,0 +2,18 @@
+Thu Oct  5 13:19:48 UTC 2023 - Ludwig Nussel 
+
+- Don't require grub so shim can still be used with systemd-boot
+
+---
+Wed Sep 20 04:33:59 UTC 2023 - Michael Chang 
+
+- Update shim-install to fix boot failure of ext4 root file system
+  on RAID10 (bsc#1205855)
+   226c94ca5cfca  Use hint in looking for root if possible
+
+---
+Tue Sep 19 08:36:17 UTC 2023 - Gary Ching-Pang Lin 
+
+- Adopt the macros from fde-tpm-helper-macros to update the
+  signature in the sealed key after a bootloader upgrade
+
+---



Other differences:
--
++ shim.spec ++
--- /var/tmp/diff_new_pack.2B6odh/_old  2023-10-10 20:52:33.481243978 +0200
+++ /var/tmp/diff_new_pack.2B6odh/_new  2023-10-10 20:52:33.485244123 +0200
@@ -83,6 +83,7 @@
 BuildRequires:  pesign
 BuildRequires:  pesign-obs-integration
 %if 0%{?suse_version} > 1320
+BuildRequires:  fde-tpm-helper-rpm-macros
 BuildRequires:  update-bootloader-rpm-macros
 %endif
 %if 0%{?update_bootloader_requires:1}
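Review bot: The new `BuildRequires: fde-tpm-helper-rpm-macros` is placed under `%if 0%{?suse_version} > 1320`, a range that appears broader than the targets shipping that package; on a target in that range without it the build fails at dependency resolution rather than skipping the helper macros the way the `%{?fde_tpm_update_requires:1}` guards in the next hunk do. Narrowing the condition to the release that actually provides the package (a later commit on this page moves it under `>= 1600`) keeps older targets building. The `%if` block and the surrounding BuildRequires list continue outside the hunk.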
@@ -90,9 +91,13 @@
 %else
 Requires:   perl-Bootloader
 %endif
+%if 0%{?fde_tpm_update_requires:1}
+%fde_tpm_update_requires
+%endif
 BuildRoot:  %{_tmppath}/%{name}-%{version}-build
-# For shim-install script
-Requires:   grub2-%{grubplatform}
+# For shim-install script grub is needed but we also want to use
+# shim for systemd-boot where shim-install is not actually used.
+# Requires:   grub2-%{grubplatform}
 Requires:   mokutil
 ExclusiveArch:  x86_64 aarch64
 
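Review bot: Commenting out `Requires: grub2-%{grubplatform}` removes the dependency entirely, while the shipped shim-install still hard-codes `/usr/sbin/grub2-probe` and `/usr/sbin/grub2-install` (see the 2022-12-10 shim-install hunk further down this page), so a plain install of shim on a grub system no longer guarantees those tools exist when shim-install runs. A soft dependency keeps that default working without forcing grub onto systemd-boot installs: `Recommends: grub2-%{grubplatform}` in place of the commented-out line, with the existing two-line comment kept as the reason. The `%if 0%{?update_bootloader_requires:1}` block this hunk sits in opens outside the hunk.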
@@ -286,6 +291,10 @@
 %{?buildroot:%__rm -rf "%{buildroot}"}
 
 %post
+%if 0%{?fde_tpm_update_post:1}
+%fde_tpm_update_post shim
+%endif
+
 %if 0%{?update_bootloader_check_type_reinit_post:1}
 %update_bootloader_check_type_reinit_post grub2-efi
 %else
@@ -316,6 +325,7 @@
 %if %{defined update_bootloader_posttrans}
 %posttrans
 %{?update_bootloader_posttrans}
+%{?fde_tpm_update_posttrans}
 %endif
 
 %files



++ shim-install ++
--- /var/tmp/diff_new_pack.2B6odh/_old  2023-10-10 20:52:33.593248037 +0200
+++ /var/tmp/diff_new_pack.2B6odh/_new  2023-10-10 20:52:33.597248182 +0200
@@ -419,8 +419,19 @@
   done
 fi
 
+hints="`"${grub_probe}" --target=hints_string "${grub_cfg_dirname}" 2> 
/dev/null`"
+
+if [ "x$hints" != x ]; then
+  echo "if [ x\$feature_platform_search_hint = xy ]; then"
+  echo "  search --no-floppy --fs-uuid --set=root ${hints} ${cfg_fs_uuid}"
+  echo "else"
+  echo "  search --no-floppy --fs-uuid --set=root ${cfg_fs_uuid}"
+  echo "fi"
+else
+  echo "search --no-floppy --fs-uuid --set=root ${cfg_fs_uuid}"
+fi
+
 cat <

commit shim for openSUSE:Factory

2023-05-26 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2023-05-26 20:15:09

Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and  /work/SRC/openSUSE:Factory/.shim.new.1533 (New)


Package is "shim"

Fri May 26 20:15:09 2023 rev:113 rq:1089032 version:15.7

Changes:

--- /work/SRC/openSUSE:Factory/shim/shim.changes2023-04-11 
13:50:58.379295938 +0200
+++ /work/SRC/openSUSE:Factory/.shim.new.1533/shim.changes  2023-05-26 
20:15:15.336184744 +0200
@@ -1,0 +2,9 @@
+Mon May 15 03:28:47 UTC 2023 - Gary Ching-Pang Lin 
+
+- Update shim-install to amend full disk encryption support
+b540061e041b  Adopt TPM 2.0 Key File for grub2 TPM 2.0 protector
+f2e8143ce831  Use the long name to specify the grub2 key protector
+72830120e5ea  cryptodisk: support TPM authorized policies
+49e7a0d307f3  Do not use tpm_record_pcrs unless the command is in 
command.lst
+
+---



Other differences:
--


++ shim-install ++
--- /var/tmp/diff_new_pack.zujSGz/_old  2023-05-26 20:15:15.968188511 +0200
+++ /var/tmp/diff_new_pack.zujSGz/_new  2023-05-26 20:15:15.972188535 +0200
@@ -370,20 +370,23 @@
 return
   fi
 
-  tpm_pcr_bank="${GRUB_TPM2_PCR_BANK:-sha256}"
-  tpm_pcr_list="${GRUB_TPM2_PCR_LIST:-0,2,4,7,9}"
   tpm_sealed_key="${GRUB_TPM2_SEALED_KEY}"
 
   declare -g TPM_PCR_SNAPSHOT_TAKEN
 
   if [ -z "$TPM_PCR_SNAPSHOT_TAKEN" ]; then
 TPM_PCR_SNAPSHOT_TAKEN=1
-echo "tpm_record_pcrs 0-9"
+
+# Check if tpm_record_pcrs is available and set the command to
+# grub.cfg.
+if grep -q "tpm_record_pcrs" ${datadir}/grub2/${arch}-efi/command.lst ; 
then
+  echo "tpm_record_pcrs 0-9"
+fi
   fi
 
   cat <

commit shim for openSUSE:Factory

2023-04-11 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2023-04-11 13:50:40

Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and  /work/SRC/openSUSE:Factory/.shim.new.19717 (New)


Package is "shim"

Tue Apr 11 13:50:40 2023 rev:112 rq:1078224 version:15.7

Changes:

--- /work/SRC/openSUSE:Factory/shim/shim.changes2023-01-14 
00:02:21.645411393 +0100
+++ /work/SRC/openSUSE:Factory/.shim.new.19717/shim.changes 2023-04-11 
13:50:58.379295938 +0200
@@ -1,0 +2,14 @@
+Mon Apr 10 05:04:33 UTC 2023 - Joey Lee 
+
+- Removed POST_PROCESS_PE_FLAGS=-N from the build command in shim.spec to
+  enable the NX compatibility flag when using post-process-pe after
+  discussed with grub2 experts in mail. It's useful for further development
+  and testing. (bsc#1205588)
+
+---
+Mon Mar 27 09:26:02 UTC 2023 - Joey Lee 
+
+- Updated shim signature after shim 15.7 of SLE be signed back:
+  signature-sles.x86_64.asc, signature-sles.aarch64.asc (bsc#1198458)
+
+---



Other differences:
--
++ shim.spec ++
--- /var/tmp/diff_new_pack.WeqhQM/_old  2023-04-11 13:50:59.083300017 +0200
+++ /var/tmp/diff_new_pack.WeqhQM/_new  2023-04-11 13:50:59.087300040 +0200
@@ -204,7 +204,6 @@
  VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \
  DEFAULT_LOADER="grub.efi" \
  VENDOR_DBX_FILE=$vendor_dbx \
- POST_PROCESS_PE_FLAGS=-N \
  shim.efi.debug shim.efi
 #
 # assert correct certificate embedded



++ signature-sles.aarch64.asc ++
--- /var/tmp/diff_new_pack.WeqhQM/_old  2023-04-11 13:50:59.223300828 +0200
+++ /var/tmp/diff_new_pack.WeqhQM/_new  2023-04-11 13:50:59.227300851 +0200
@@ -1,190 +1,208 @@
-hash: f31fd461c5e99510403fc97c1da2d8a9cbe270597d32badf8fd66b77495f8d94
-# 2069-04-10 06:07:54
-timestamp: babababa
-linker: 2002
-checksum: 61c9
+hash: 04478d49dfa6c5f8442ec919568e1eda59de99cc1b5192f18028084409bbebe5
+# 1970-01-01 00:00:00
+timestamp: 0
+linker: 2702
+checksum: dfaa
 -BEGIN AUTHENTICODE SIGNATURE-
-MIIh9AYJKoZIhvcNAQcCoIIh5TCCIeECAQExDzANBglghkgBZQMEAgEFADBcBgor
+MIIlYgYJKoZIhvcNAQcCoIIlUzCCJU8CAQExDzANBglghkgBZQMEAgEFADBcBgor
 BgEEAYI3AgEEoE4wTDAXBgorBgEEAYI3AgEPMAkDAQCgBKICgAAwMTANBglghkgB
-ZQMEAgEFAAQg8x/UYcXplRBAP8l8HaLYqcvicFl9Mrrfj9Zrd0lfjZSgggs8MIIF
-JDCCBAygAwIBAgITMwpmQvP0n7c3lgABCjANBgkqhkiG9w0BAQsFADCB
+ZQMEAgEFAAQgBEeNSd+mxfhELskZVo4e2lnemcwbUZLxgCgIRAm76+WgggswMIIF
+GDCCBACgAwIBAgITMwAAAFRJgAequ/NAsgABVDANBgkqhkiG9w0BAQsFADCB
 gTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl
 ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMi
-TWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTAeFw0xMzA5MjQxNzU0
-MDNaFw0xNDEyMjQxNzU0MDNaMIGVMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz
+TWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTAeFw0yMzAyMTYyMDE5
+NTdaFw0yNDAxMzEyMDE5NTdaMIGGMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz
 aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv
-cnBvcmF0aW9uMQ0wCwYDVQQLEwRNT1BSMTAwLgYDVQQDEydNaWNyb3NvZnQgV2lu
-ZG93cyBVRUZJIERyaXZlciBQdWJsaXNoZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
-DwAwggEKAoIBAQCc2PZRP3t6i2DCLSAuWrFHZKfyD98yckc9yxqqqJACgekdZi4s
-ZEN1vYcVfiUhW4hFpdH3kcPah7wf+uqgyQa1hb/9AzDH63JYfaHLWA+Jx0leY0cG
-CsIFviaUHrCEgxhkeXdrGfHroDcWArv2yBBvj+zvePVE9/VpDoBK+2nAFxz0oG23
-BzE5duVpHIZn96fNyoDKYvCf649VqjM+O5/b5jlDylkMWAIVTvWqE0r/7YnC1Vcc
-cgJDQk8IaIWSepRsjrvvf8C8uG3ZSxVjQeuPz7ETAryJIWvYdz240MzVAJD7SazH
-SbVJm1LPHfS2FEpx3uUNOuo3IJrrxqeals8FAgMBAAGjggF9MIIBeTAfBgNVHSUE
-GDAWBggrBgEFBQcDAwYKKwYBBAGCN1ACATAdBgNVHQ4EFgQU6t49RpSALGo0XSnP
-ixuEhp5y0NEwUQYDVR0RBEowSKRGMEQxDTALBgNVBAsTBE1PUFIxMzAxBgNVBAUT
-KjMxNjE5KzAxMjU1ZjQ2LTc0ZjUtNGZjNC1iYzcxLWU0ZGE5NzM2YmVlZTAfBgNV
-HSMEGDAWgBQTrb9DCb2CcJyM1U8xbtUimIob1DBTBgNVHR8ETDBKMEigRqBEhkJo
-dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNDb3JVRUZDQTIw
-MTFfMjAxMS0wNi0yNy5jcmwwYAYIKwYBBQUHAQEEVDBSMFAGCCsGAQUFBzAChkRo
-dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvclVFRkNB
-MjAxMV8yMDExLTA2LTI3LmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUA
-A4IBAQAqJ9a9LzTGipmJ7IVkSf5JNK1cBhXsWBlmQ5kFNzeoa+RskUuUeM45NTS3
-We7F628BW3BrhT8dK+Uf6YB7F46qng+VWNal2RPFjHSSy60QartzlUJoAaQvNjhC
-5gv3LQRmaIZdtdjOLJAclnMETQWrt0wXGsGYwPk3a7kYXsdSO7U+bSwRRkL/v74g
-78bCVxwgBhWctw/yxCjpl/bOg79XrZpHxH3szpgwz4YaFWRxxiYAoCYLROKeqObj
-PEB8BG83vkpG3K84wBiyT5ab63FtjnbOvD0dGRNO1vIWzC41eEi0mYGW69cya8o+
-Ot4bqI6YYSpWmkah9FhW9OLfoCpdMIIGEDCCA/igAwIBAgIKYQjTxAAABDAN
-BgkqhkiG9w0BAQsFADCBkTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0
-b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3Jh
-dGlvbjE7MDkGA1UEAxMyTWljcm9zb2Z0

commit shim for openSUSE:Factory

2023-01-13 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2023-01-14 00:02:14

Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and  /work/SRC/openSUSE:Factory/.shim.new.32243 (New)


Package is "shim"

Sat Jan 14 00:02:14 2023 rev:111 rq:1057935 version:15.7

Changes:

--- /work/SRC/openSUSE:Factory/shim/shim.changes2022-12-10 
21:17:50.185559326 +0100
+++ /work/SRC/openSUSE:Factory/.shim.new.32243/shim.changes 2023-01-14 
00:02:21.645411393 +0100
@@ -1,0 +2,14 @@
+Thu Jan 12 07:00:19 UTC 2023 - Joey Lee 
+
+- Removed shim-bsc1198101-opensuse-cert-prompt.patch (bsc#1198101) 
+   - Detail discussion is in bugzilla:
+   https://bugzilla.suse.com/show_bug.cgi?id=1198101
+   - The shim community review and challenge this prompt. No other
+ distro shows prompt (Have checked Fedora 37, CentOS 9 and Ubuntu 22.10).
+ Currently, it blocked the review process of openSUSE shim.
+   - Other distros lock-down kernel when secure boot is enabled. Some of
+ them used different key for signing kernel binary with In-tree kernel
+ module. And their build service does not provide signed Out-off-tree
+ module.
+
+---

Old:

  shim-bsc1198101-opensuse-cert-prompt.patch



Other differences:
--
++ shim.spec ++
--- /var/tmp/diff_new_pack.tS2rJR/_old  2023-01-14 00:02:22.949418989 +0100
+++ /var/tmp/diff_new_pack.tS2rJR/_new  2023-01-14 00:02:22.957419036 +0100
@@ -77,8 +77,6 @@
 Patch5: shim-disable-export-vendor-dbx.patch
 # PATCH-FIX-UPSTREAM shim-Enable-the-NX-compatibility-flag-by-default.patch 
j...@suse.com -- Enable the NX compatibility flag by default
 Patch6: shim-Enable-the-NX-compatibility-flag-by-default.patch
-# PATCH-FIX-OPENSUSE shim-bsc1198101-opensuse-cert-prompt.patch g...@suse.com 
-- Show the prompt to ask whether the user trusts openSUSE certificate or not
-Patch100:  shim-bsc1198101-opensuse-cert-prompt.patch
 BuildRequires:  dos2unix
 BuildRequires:  mozilla-nss-tools
 BuildRequires:  openssl >= 0.9.8
@@ -124,9 +122,6 @@
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
-%if 0%{?is_opensuse} == 1 || 0%{?sle_version} == 0
-%patch100 -p1
-%endif
 
 %build
 # generate the vendor SBAT metadata


commit shim for openSUSE:Factory

2022-12-10 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2022-12-10 21:17:34

Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and  /work/SRC/openSUSE:Factory/.shim.new.1835 (New)


Package is "shim"

Sat Dec 10 21:17:34 2022 rev:110 rq:1041832 version:15.7

Changes:

--- /work/SRC/openSUSE:Factory/shim/shim.changes2022-11-24 
12:22:09.908891828 +0100
+++ /work/SRC/openSUSE:Factory/.shim.new.1835/shim.changes  2022-12-10 
21:17:50.185559326 +0100
@@ -1,0 +2,9 @@
+Fri Dec  9 08:38:14 UTC 2022 - Joey Lee 
+
+- Modified shim-install, add the following Olaf Kirch's patches to support
+  full disk encryption: (jsc#PED-922)
+a5c57340740c   Introduce --no-grub-install option
+5c2c3addc51f   Handle different cases of controlling cryptomount 
volumes during first stage boot
+26c6bd5df7ae   Have grub take a snapshot of "relevant" TPM PCRs 
+
+---



Other differences:
--


++ shim-install ++
--- /var/tmp/diff_new_pack.cerdcY/_old  2022-12-10 21:17:50.901563513 +0100
+++ /var/tmp/diff_new_pack.cerdcY/_new  2022-12-10 21:17:50.905563536 +0100
@@ -17,6 +17,7 @@
 efibootmgr="/usr/sbin/efibootmgr"
 grub_probe="/usr/sbin/grub2-probe"
 grub_mkrelpath="/usr/bin/grub2-mkrelpath"
+no_grub_install=no
 grub_install="/usr/sbin/grub2-install"
 grub_install_target=
 self="`basename $0`"
@@ -127,6 +128,7 @@
 echo "--config-file=FILE use FILE as config file, default is $grub_cfg."
 echo "--clean remove all installed files and configs."
 echo "--suse-enable-tpm install grub.efi with TPM support."
+echo "--no-grub-install Do not run grub2-install."
 echo
 echo "INSTALL_DEVICE must be system device filename."
 }
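Review bot: The new usage line `--no-grub-install Do not run grub2-install.` starts its description with a capital letter while the neighbouring entries (`use FILE ...`, `remove all ...`, `install grub.efi ...`) are all lowercase, so the help output reads unevenly; `echo "--no-grub-install do not run grub2-install."` keeps the text uniform. The option is parsed in the third hunk of this file, but the code that consumes `$no_grub_install` is not visible in the hunks shown. The usage() function this line belongs to opens outside the hunk.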
@@ -206,6 +208,9 @@
 --clean)
clean=yes ;;
 
+--no-grub-install)
+   no_grub_install=yes ;;
+
 -*)
echo "Unrecognized option \`$option'"  1>&2
usage
@@ -352,6 +357,39 @@
 fi
 
 
+prepare_cryptodisk () {
+  uuid="$1"
+
+  if [ "x$GRUB_CRYPTODISK_PASSWORD" != x ]; then
+echo "cryptomount -u $uuid -p \"$GRUB_CRYPTODISK_PASSWORD\""
+return
+  fi
+
+  if [ "x$GRUB_TPM2_SEALED_KEY" = x ]; then
+echo "cryptomount -u $uuid"
+return
+  fi
+
+  tpm_pcr_bank="${GRUB_TPM2_PCR_BANK:-sha256}"
+  tpm_pcr_list="${GRUB_TPM2_PCR_LIST:-0,2,4,7,9}"
+  tpm_sealed_key="${GRUB_TPM2_SEALED_KEY}"
+
+  declare -g TPM_PCR_SNAPSHOT_TAKEN
+
+  if [ -z "$TPM_PCR_SNAPSHOT_TAKEN" ]; then
+TPM_PCR_SNAPSHOT_TAKEN=1
+echo "tpm_record_pcrs 0-9"
+  fi
+
+  cat < "${efidir}/grub.cfg"


commit shim for openSUSE:Factory

2022-11-24 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2022-11-24 12:22:07

Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and  /work/SRC/openSUSE:Factory/.shim.new.1597 (New)


Package is "shim"

Thu Nov 24 12:22:07 2022 rev:109 rq:1037458 version:15.7

Changes:

--- /work/SRC/openSUSE:Factory/shim/shim.changes2022-11-22 
16:09:24.841795668 +0100
+++ /work/SRC/openSUSE:Factory/.shim.new.1597/shim.changes  2022-11-24 
12:22:09.908891828 +0100
@@ -1,0 +2,12 @@
+Wed Nov 23 07:28:57 UTC 2022 - Joey Lee 
+
+- Add POST_PROCESS_PE_FLAGS=-N to the build command in shim.spec to
+  disable the NX compatibility flag when using post-process-pe because
+  grub2 is not ready. (bsc#1205588)
+- Kernel can boot with the NX compatibility flag since 82e0d6d76a2a7
+  be merged to v5.19. On the other hand, upstream is working on
+  improve compressed kernel stage for NX:
+[PATCH v3 00/24] x86_64: Improvements at compressed kernel stage
+https://www.spinics.net/lists/kernel/msg4599636.html
+
+---



Other differences:
--
++ shim.spec ++
--- /var/tmp/diff_new_pack.FQePnN/_old  2022-11-24 12:22:10.608896275 +0100
+++ /var/tmp/diff_new_pack.FQePnN/_new  2022-11-24 12:22:10.612896301 +0100
@@ -209,6 +209,7 @@
  VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \
  DEFAULT_LOADER="grub.efi" \
  VENDOR_DBX_FILE=$vendor_dbx \
+ POST_PROCESS_PE_FLAGS=-N \
  shim.efi.debug shim.efi
 #
 # assert correct certificate embedded
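Review bot: `POST_PROCESS_PE_FLAGS=-N` is added to the make invocation with no in-spec comment, so nothing next to the line records that it clears the PE NX-compatibility flag or that it is a stopgap meant to go away once grub2 copes with NX; the only record is the changelog entry. A why-comment on the line above, `# -N: clear the NX-compat DLL flag until grub2 is NX-ready (bsc#1205588)`, makes the intended removal visible to whoever next touches the build rule. The make command starts before the hunk, so the comment would go on its own line inside the continuation only if the `\` chain allows it; otherwise place it directly above the `make` line.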


commit shim for openSUSE:Factory

2022-11-22 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2022-11-22 16:09:23

Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and  /work/SRC/openSUSE:Factory/.shim.new.1597 (New)


Package is "shim"

Tue Nov 22 16:09:23 2022 rev:108 rq:1037006 version:15.7

Changes:

--- /work/SRC/openSUSE:Factory/shim/shim.changes2022-11-19 
18:08:42.706231922 +0100
+++ /work/SRC/openSUSE:Factory/.shim.new.1597/shim.changes  2022-11-22 
16:09:24.841795668 +0100
@@ -1,0 +2,6 @@
+Fri Nov 18 04:52:49 UTC 2022 - Joey Lee 
+
+- Add shim-Enable-the-NX-compatibility-flag-by-default.patch to
+  enable the NX compatibility flag by default. (jsc#PED-127) 
+
+---

New:

  shim-Enable-the-NX-compatibility-flag-by-default.patch



Other differences:
--
++ shim.spec ++
--- /var/tmp/diff_new_pack.UZiYEX/_old  2022-11-22 16:09:25.749800282 +0100
+++ /var/tmp/diff_new_pack.UZiYEX/_new  2022-11-22 16:09:25.757800323 +0100
@@ -75,6 +75,8 @@
 Patch4: remove_build_id.patch
 # PATCH-FIX-SUSE shim-disable-export-vendor-dbx.patch bsc#1185261 
g...@suse.com -- Disable exporting vendor-dbx to MokListXRT
 Patch5: shim-disable-export-vendor-dbx.patch
+# PATCH-FIX-UPSTREAM shim-Enable-the-NX-compatibility-flag-by-default.patch 
j...@suse.com -- Enable the NX compatibility flag by default
+Patch6: shim-Enable-the-NX-compatibility-flag-by-default.patch
 # PATCH-FIX-OPENSUSE shim-bsc1198101-opensuse-cert-prompt.patch g...@suse.com 
-- Show the prompt to ask whether the user trusts openSUSE certificate or not
 Patch100:  shim-bsc1198101-opensuse-cert-prompt.patch
 BuildRequires:  dos2unix
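Review bot: The `PATCH-FIX-UPSTREAM` comment added for Patch6 carries no bug or feature reference, unlike the Patch5 line directly above it which cites bsc#1185261; the changelog ties this patch to jsc#PED-127, so `# PATCH-FIX-UPSTREAM shim-Enable-the-NX-compatibility-flag-by-default.patch jsc#PED-127 j...@suse.com -- Enable the NX compatibility flag by default` keeps the tag in the format the rest of the file uses. The patch file embedded in the same commit names the upstream commit id in its From line, which could be cited as well to ease dropping the patch on the next rebase. The second hunk (`%patch6 -p1`) raises nothing new.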
@@ -121,6 +123,7 @@
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 %if 0%{?is_opensuse} == 1 || 0%{?sle_version} == 0
 %patch100 -p1
 %endif



++ shim-Enable-the-NX-compatibility-flag-by-default.patch ++
>From a53b9f7ceec1dfa1487f4d675573449c5b2a16fb Mon Sep 17 00:00:00 2001
From: Peter Jones 
Date: Thu, 17 Nov 2022 12:31:31 -0500
Subject: [PATCH] Enable the NX compatibility flag by default.

Currently by default, when we build shim we do not set the PE
NX-compatibility DLL Characteristic flag.  This signifies to the
firmware that shim (including the components it loads) is not prepared
for several related firmware changes:

- non-executable stack
- non-executable pages from AllocatePages()/AllocatePool()/etc.
- non-writable 0 page (not strictly related but some firmware will be
  transitioning at the same time)
- the need to use the UEFI 2.10 Memory Attribute Protocol to set page
  permissions.

This patch changes that default so the flag is enabled.  Distributors
of shim will need to ensure that either their builds disable this bit
(using "post-process-pe -N"), or that the bootloaders and kernels you
support loading are all compliant with this change.  A new make
variable, POST_PROCESS_PE_FLAGS, has been added to simplify doing so.

Signed-off-by: Peter Jones 
---
 BUILDING  | 3 +++
 Make.defaults | 2 ++
 Makefile  | 2 +-
 post-process-pe.c | 2 +-
 4 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/BUILDING b/BUILDING
index 3b2e85d3..17cd98d3 100644
--- a/BUILDING
+++ b/BUILDING
@@ -78,6 +78,9 @@ Variables you could set to customize the build:
 - OSLABEL
   This is the label that will be put in BOOT$(EFI_ARCH).CSV for your OS.
   By default this is the same value as EFIDIR .
+- POST_PROCESS_PE_FLAGS
+  This allows you to add flags to the invocation of "post-process-pe", for
+  example to disable the NX compatibility flag.
 
 Vendor SBAT data:
 It will sometimes be requested by reviewers that a build includes extra
diff --git a/Make.defaults b/Make.defaults
index c46164a3..9af89f4e 100644
--- a/Make.defaults
+++ b/Make.defaults
@@ -139,6 +139,8 @@ CFLAGS  = $(FEATUREFLAGS) \
  $(INCLUDES) \
  $(DEFINES)
 
+POST_PROCESS_PE_FLAGS =
+
 ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
DEFINES += -DOVERRIDE_SECURITY_POLICY
 endif
diff --git a/Makefile b/Makefile
index a9202f46..f0f53f8f 100644
--- a/Makefile
+++ b/Makefile
@@ -255,7 +255,7 @@ endif
-j .rela* -j .dyn -j .reloc -j .eh_frame \
-j .vendor_cert -j .sbat -j .sbatlevel \
$(FORMAT) $< $@
-   ./post-process-pe -vv $@
+   ./post-process-pe -vv $(POST_PROCESS_PE_FLAGS) $@
 
 ifneq ($(origin ENABLE_SHIM_HASH),undefined)
 %.hash : %.efi
diff --git a/post-process-pe.c b/post-process-pe.c
index de8f4a38..f39fdddf 100644
--- a/post-process-pe.c
+++ b/post-process-pe.c
@@ -42,7 +42,7 @@ static int verbosity;
0;   

commit shim for openSUSE:Factory

2022-11-19 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2022-11-19 18:08:40

Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and  /work/SRC/openSUSE:Factory/.shim.new.1597 (New)


Package is "shim"

Sat Nov 19 18:08:40 2022 rev:107 rq:1036529 version:15.7

Changes:

--- /work/SRC/openSUSE:Factory/shim/shim.changes2022-11-16 
15:42:26.435618660 +0100
+++ /work/SRC/openSUSE:Factory/.shim.new.1597/shim.changes  2022-11-19 
18:08:42.706231922 +0100
@@ -1,0 +2,63 @@
+Fri Nov 18 03:17:46 UTC 2022 - Joey Lee 
+
+- Drop upstreamed patch:
+- shim-Enable-TDX-measurement-to-RTMR-register.patch
+- Enable TDX measurement to RTMR register (jsc#PED-1273) 
+   - 4fd484e4c215.7
+
+---
+Thu Nov 17 05:17:34 UTC 2022 - Joey Lee 
+
+- Update to 15.7 (bsc#1198458)(jsc#PED-127)
+- Patches (git log --oneline --reverse 15.6..15.7)
+   0eb07e1 Make SBAT variable payload introspectable
+   092c2b2 Reference MokListRT instead of MokList
+   8b59b69 Add a link to the test plan in the readme.
+   4fd484e Enable TDX measurement to RTMR register
+   14d6339 Discard load-options that start with a NUL
+   5c537b3 shim: Flush the memory region from i-cache before execution
+   2d4ebb5 load_cert_file: Fix stack issue
+   ea4911c load_cert_file: Use EFI RT memory function
+   0cf43ac Add -malign-double to IA32 compiler flags
+   17f0233 pe: Fix image section entry-point validation
+   5169769 make-archive: Build reproducible tarball
+   aa1b289 mok: remove MokListTrusted from PCR 7
+   53509ea CryptoPkg/BaseCryptLib: fix NULL dereference
+   616c566 More coverity modeling
+   ea0d0a5 Update shim's .sbat to sbat,3
+   dd8be98 Bump grub's sbat requirement to grub,3
+   1149161 (HEAD -> main, tag: 15.7, origin/main, origin/HEAD) Update 
version to 15.7
+- 15.7 release note https://github.com/rhboot/shim/releases
+   Make SBAT variable payload introspectable by @chrisccoulson in #483
+   Reference MokListRT instead of MokList by @esnowberg in #488
+   Add a link to the test plan in the readme. by @vathpela in #494
+   [V3] Enable TDX measurement to RTMR register by @kenplusplus in #485
+   Discard load-options that start with a NUL by @frozencemetery in #505
+   load_cert_file bugs by @esnowberg in #523
+   Add -malign-double to IA32 compiler flags by @nicholasbishop in #516
+   pe: Fix image section entry-point validation by @iokomin in #518
+   make-archive: Build reproducible tarball by @julian-klode in #527
+   mok: remove MokListTrusted from PCR 7 by @baloo in #519
+- Drop upstreamed patch:
+   - shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch
+   - Cryptlib/CryptAuthenticode: fix NULL pointer dereference in  
AuthenticodeVerify()
+   - 53509eaf2215.7
+   - shim-jscPED-127-upgrade-shim-in-SLE15-SP5.patch
+   - For backporting the following patches between 15.6 with 
aa1b289a1a (jsc#PED-127)
+   - The following patches are merged to 15.7
+   aa1b289a1a mok: remove MokListTrusted from PCR 7
+   0cf43ac6d7 Add -malign-double to IA32 compiler flags
+   ea4911c2f3 load_cert_file: Use EFI RT memory function
+   2d4ebb5a79 load_cert_file: Fix stack issue
+   5c537b3d0c shim: Flush the memory region from i-cache before 
execution
+   14d6339829 Discard load-options that start with a NUL
+   092c2b2bbe Reference MokListRT instead of MokList
+   0eb07e11b2 Make SBAT variable payload introspectable
+
+---
+Thu Nov 17 05:08:49 UTC 2022 - Joey Lee 
+
+- Update shim.changes, added missed shim 15.6-rc1 and 15.6 changelog to
+  the item in Update to 15.6. (bsc#1198458)
+
+---
@@ -159,0 +223,46 @@
+- 15.6-rc1 release note https://github.com/rhboot/shim/releases
+   MokManager: removed Locate graphic output protocol fail error message 
by @joeyli in #441
+   shim: implement SBAT verification for the shim_lock protocol by 
@chrisccoulson in #456
+   post-process-pe: Fix a missing return code check by @vathpela in #462
+   Update github actions matrix to be more useful by @frozencemetery in 
#469
+   Add f36 and centos9 CI builds by @vathpela in #470
+   post-process-pe: Fix format string warnings on 32-bit platforms by 
@steve-mcintyre in #464
+   tests: also look for system headers in multi-arch directories by 
@steve-mcintyre in #466
+   tests: fix gcc warnings by @akodanev in #463
+   Al

commit shim for openSUSE:Factory

2022-11-16 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2022-11-16 15:42:21

Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and  /work/SRC/openSUSE:Factory/.shim.new.1597 (New)


Package is "shim"

Wed Nov 16 15:42:21 2022 rev:106 rq:1035800 version:15.6

Changes:

--- /work/SRC/openSUSE:Factory/shim/shim.changes2022-10-03 
13:44:30.845316706 +0200
+++ /work/SRC/openSUSE:Factory/.shim.new.1597/shim.changes  2022-11-16 
15:42:26.435618660 +0100
@@ -1,0 +2,34 @@
+Tue Nov 15 08:06:24 UTC 2022 - Joey Lee 
+
+- Add shim-jscPED-127-upgrade-shim-in-SLE15-SP5.patch for backporting the 
following
+  patches between 15.6 with aa1b289a1a (jsc#PED-127):
+aa1b289a1a16774afc3143b8948d97261f0872d0 mok: remove MokListTrusted from 
PCR 7
+0cf43ac6d78c6f47f8b91210639ac1aa63665f0b Add -malign-double to IA32 
compiler flags
+ea4911c2f3ce8f8f703a1476febac86bb16b00fd load_cert_file: Use EFI RT memory 
function
+2d4ebb5a798aafd3b06d2c3cb9c9840c1caa41ef load_cert_file: Fix stack issue
+5c537b3d0cf8c393dad2e61d49aade68f3af1401 shim: Flush the memory region 
from i-cache before execution
+14d63398298c8de23036a4cf61594108b7345863 Discard load-options that start 
with a NUL
+092c2b2bbed950727e41cf450b61c794881c33e7 Reference MokListRT instead of 
MokList
+0eb07e11b20680200d3ce9c5bc59299121a75388 Make SBAT variable payload 
introspectable
+
+---
+Tue Nov 15 08:06:05 UTC 2022 - Joey Lee 
+
+- Add shim-Enable-TDX-measurement-to-RTMR-register.patch to support
+  enhance shim measurement to TD RTMR. (jsc#PED-1273) 
+
+---
+Tue Nov 15 07:53:59 UTC 2022 - Joey Lee 
+
+- For pushing openSUSE:Factory/shim to SLE15-SP5, sync the shim.spec
+  and shim.changes: (jsc#PED-127)
+- Add some change log from SLE shim.changes to Factory shim.changes
+  Those messages are added "(sync shim.changes from SLE)" tag.
+- Add the following changes to shim.spec
+   - only apply Patch100, the shim-bsc1198101-opensuse-cert-prompt.patch
+  on openSUSE.
+   - Enable the AArch64 signature check for SLE:
+   # AArch64 signature
+   signature=%{SOURCE13} 
+
+---
@@ -195,0 +230,5 @@
+Thu Jul 15 08:13:26 UTC 2021 - Johannes Segitz 
+
+- Update the SLE signatures (sync shim.changes from SLE)
+
+---
@@ -203,0 +243,34 @@
+(sync shim.changes from SLE)
+- Split the keys in vendor-dbx.bin to vendor-dbx-sles and
+  vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce
+  the size of MokListXRT (bsc#1185261)
+  + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz
+- Add shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch
+  to handle ignore_db and user_insecure_mode correctly
+  (bsc#1185441, bsc#1187071)
+- Add shim-bsc1185621-relax-max-var-sz-check.patch to relax the
+  maximum variable size check for u-boot (bsc#1185621)
+  + Also drop AArch64 suse-signed shim since we merged this patch
+- Add shim-bsc1185261-relax-import_mok_state-check.patch to relax
+  the check for import_mok_state() when Secure Boot is off.
+  (bsc#1185261)
+- Add shim-bsc1185232-relax-loadoptions-length-check.patch to
+  ignore the odd LoadOptions length (bsc#1185232)
+- shim-install: reset def_shim_efi to "shim.efi" if the given
+  file doesn't exist
+- Add shim-fix-aa64-relsz.patch to fix the size of rela sections
+  for AArch64
+  Fix: https://github.com/rhboot/shim/issues/371
+- Add shim-disable-export-vendor-dbx.patch to disable exporting
+  vendor-dbx to MokListXRT since writing a large RT variable
+  could crash some machines (bsc#1185261)
+- Add shim-bsc1187260-fix-efi-1.10-machines.patch to avoid the
+  potential crash when calling QueryVariableInfo in EFI 1.10
+  machines (bsc#1187260)
+- Add shim-bsc1185232-fix-config-table-copying.patch to avoid
+  buffer overflow when copying data to the MOK config table
+  (bsc#1185232)
+
+---
+Mon Jun 21 08:51:37 UTC 2021 - Gary Ching-Pang Lin 
+
@@ -258,0 +332,6 @@
+Thu May  6 06:45:39 UTC 2021 - Gary Ching-Pang Lin 
+
+- Include suse-signed shim for AArch64 (bsc#1185621)
+  (sync shim.changes from SLE)
+
+---
@@ -277,0 +357,10 @@
+
+---
+Thu Apr 22 03:26:48 UTC 2021 - Gary Ching-Pang Lin 
+
+- Enable the AArch64 signature check for SLE (sync shim.changes from SLE)
+
+---
+Wed Apr 21 05:44

commit shim for openSUSE:Factory

2022-10-03 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2022-10-03 13:44:20

Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and  /work/SRC/openSUSE:Factory/.shim.new.2275 (New)


Package is "shim"

Mon Oct  3 13:44:20 2022 rev:105 rq:1007166 version:15.6

Changes:

--- /work/SRC/openSUSE:Factory/shim/shim.changes2022-09-17 
20:10:06.861117813 +0200
+++ /work/SRC/openSUSE:Factory/.shim.new.2275/shim.changes  2022-10-03 
13:44:30.845316706 +0200
@@ -1,0 +2,6 @@
+Thu Sep 29 02:42:35 UTC 2022 - Michael Chang 
+
+- shim-install: ensure grub.cfg created is not overwritten after
+  installing grub related files
+
+---



Other differences:
--


++ shim-install ++
--- /var/tmp/diff_new_pack.f47vFd/_old  2022-10-03 13:44:31.597318360 +0200
+++ /var/tmp/diff_new_pack.f47vFd/_new  2022-10-03 13:44:31.601318369 +0200
@@ -386,13 +386,15 @@
 
 }
 
-make_grubcfg > "${efidir}/grub.cfg"
 # bnc#889765 GRUB shows broken letters at boot
 # invoke grub_install to initialize /boot/grub2 directory with files needed by 
grub.cfg
 # bsc#1118363 shim-install didn't specify the target for grub2-install
 # set the target explicitly for some special cases 
 ${grub_install} --target=${grub_install_target} --no-nvram
 
+# Making sure grub.cfg not overwritten by grub-install above 
+make_grubcfg > "${efidir}/grub.cfg"
+
 if test "$no_nvram" = no && test -n "$bootloader_id"; then
 
 modprobe -q efivars 2>/dev/null || true
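Review bot: `make_grubcfg` now runs after `${grub_install}`, but nothing in the hunk checks that grub-install succeeded, so grub.cfg is written and the installer carries on after a failed grub-install unless the script runs under `set -e`, which is outside this hunk. `${grub_install} --target="${grub_install_target}" --no-nvram || exit 1` would stop at the failure and also quotes the target. The new comment reads more clearly as `# Write grub.cfg after grub-install so the latter cannot overwrite it`.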


commit shim for openSUSE:Factory

2022-09-17 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2022-09-17 20:10:05

Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and  /work/SRC/openSUSE:Factory/.shim.new.2083 (New)


Package is "shim"

Sat Sep 17 20:10:05 2022 rev:104 rq:1004027 version:15.6

Changes:

--- /work/SRC/openSUSE:Factory/shim/shim.changes2022-08-05 
19:50:56.657446872 +0200
+++ /work/SRC/openSUSE:Factory/.shim.new.2083/shim.changes  2022-09-17 
20:10:06.861117813 +0200
@@ -1,0 +2,6 @@
+Mon Sep 12 12:30:54 UTC 2022 - Kilian Hanich 
+
+- Add logic to shim.spec to only set sbat policy when efivarfs is writeable.
+  (bsc#1201066)
+
+---



Other differences:
--
++ shim.spec ++
--- /var/tmp/diff_new_pack.OqeMTj/_old  2022-09-17 20:10:07.573119867 +0200
+++ /var/tmp/diff_new_pack.OqeMTj/_new  2022-09-17 20:10:07.577119878 +0200
@@ -306,9 +306,13 @@
 return $rc
 }
 # run mokutil for setting sbat policy to latest mode
-SBAT_POLICY=/sys/firmware/efi/efivars/SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23
+EFIVARFS=/sys/firmware/efi/efivars
+SBAT_POLICY="$EFIVARFS/SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23"
 if is_efi; then
-if [ ! -f "$SBAT_POLICY" ] && mokutil -h | grep -q "set-sbat-policy"; 
then
+if [ -w $EFIVARFS ] && \
+   [ ! -f "$SBAT_POLICY" ] && \
+   mokutil -h | grep -q "set-sbat-policy"; \
+then
 # Only apply CA check on the kernel package certs (bsc#1173115)
 mokutil --set-sbat-policy latest
 fi
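Review bot: `[ -w $EFIVARFS ]` leaves the new variable unquoted while the neighbouring `"$SBAT_POLICY"` test quotes it; `[ -w "$EFIVARFS" ]` matches the rest of the block. The writability test only tells whether the efivars mount accepts writes, not whether this particular variable can be set, and `mokutil --set-sbat-policy latest` still runs with no check of its exit status, so a failure leaves no trace in the install log. `mokutil --set-sbat-policy latest || echo "shim: could not set SBAT policy" >&2` surfaces it without failing the scriptlet.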


commit shim for openSUSE:Factory

2022-08-05 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2022-08-05 19:50:25

Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and  /work/SRC/openSUSE:Factory/.shim.new.1521 (New)


Package is "shim"

Fri Aug  5 19:50:25 2022 rev:103 rq:993204 version:15.6

Changes:

--- /work/SRC/openSUSE:Factory/shim/shim.changes2022-07-31 
23:01:04.847715594 +0200
+++ /work/SRC/openSUSE:Factory/.shim.new.1521/shim.changes  2022-08-05 
19:50:56.657446872 +0200
@@ -1,0 +2,6 @@
+Fri Aug  5 05:25:16 UTC 2022 - Joey Lee 
+
+- Add logic to shim.spec for detecting --set-sbat-policy option before
+  using mokutil to set sbat policy. (bsc#1202120)
+
+---



Other differences:
--
++ shim.spec ++
--- /var/tmp/diff_new_pack.9b1OOX/_old  2022-08-05 19:50:57.353448670 +0200
+++ /var/tmp/diff_new_pack.9b1OOX/_new  2022-08-05 19:50:57.357448679 +0200
@@ -308,7 +308,8 @@
 # run mokutil for setting sbat policy to latest mode
 
SBAT_POLICY=/sys/firmware/efi/efivars/SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23
 if is_efi; then
-if [ ! -f "$SBAT_POLICY" ]; then
+if [ ! -f "$SBAT_POLICY" ] && mokutil -h | grep -q "set-sbat-policy"; 
then
+# Only apply CA check on the kernel package certs (bsc#1173115)
 mokutil --set-sbat-policy latest
 fi
 fi
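Review bot: The added comment `# Only apply CA check on the kernel package certs (bsc#1173115)` does not describe the command under it, which sets the SBAT policy; it looks copied from another scriptlet and will mislead the next maintainer. Replace it with `# Request the "latest" SBAT policy; skipped when this mokutil lacks --set-sbat-policy (bsc#1202120)`. The capability probe `grep -q "set-sbat-policy"` matches the text anywhere in the help output; `grep -q -- "--set-sbat-policy"` is marginally stricter and makes the intent explicit.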


commit shim for openSUSE:Factory

2022-07-31 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2022-07-31 23:00:49

Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and  /work/SRC/openSUSE:Factory/.shim.new.1533 (New)


Package is "shim"

Sun Jul 31 23:00:49 2022 rev:102 rq:991619 version:15.6

Changes:

--- /work/SRC/openSUSE:Factory/shim/shim.changes2022-07-18 
18:32:53.977668924 +0200
+++ /work/SRC/openSUSE:Factory/.shim.new.1533/shim.changes  2022-07-31 
23:01:04.847715594 +0200
@@ -1,0 +2,15 @@
+Fri Jul 29 02:36:36 UTC 2022 - Joey Lee 
+
+- Change the URL in SBAT section to mail:secur...@suse.de. (bsc#1193282)
+
+---
+Mon Jul 25 12:44:24 UTC 2022 - Joey Lee 
+
+- Revoked the change in shim.spec for "use common SBAT values (boo#1193282)"
+  - we need to build openSUSE Tumbleweed's shim on Leap 15.4 because Factory
+is unstable for building out a stable shim binary for signing. 
(bsc#1198458)
+  - But the rpm-config-suse package in Leap 15.4 is direct copied from SLE 15.4
+because closing-the-leap-gap. So sbat_distro_* variables are SLE version,
+not for openSUSE. (bsc#1198458)
+
+---



Other differences:
--
++ shim.spec ++
--- /var/tmp/diff_new_pack.GxjqO3/_old  2022-07-31 23:01:05.563717675 +0200
+++ /var/tmp/diff_new_pack.GxjqO3/_new  2022-07-31 23:01:05.567717686 +0200
@@ -35,13 +35,6 @@
 %endif
 %endif
 
-%if %{defined sbat_distro}
-# SBAT metadata
-%define sbat_generation 1
-%else
-%{error please define sbat_distro, sbat_distro_summary and sbat_distro_url}
-%endif
-
 Name:   shim
 Version:15.6
 Release:0
@@ -134,10 +127,17 @@
 %patch100 -p1
 
 %build
-%if 0%{?sbat_generation}
 # generate the vendor SBAT metadata
-echo 
"shim.%{sbat_distro},%{sbat_generation},%{sbat_distro_summary},%{name},%{version},%{sbat_distro_url}"
 > data/sbat.vendor.csv
+%if 0%{?is_opensuse} == 1 || 0%{?sle_version} == 0
+distro_id="opensuse"
+distro_name="The openSUSE project"
+%else
+distro_id="sle"
+distro_name="SUSE Linux Enterprise"
 %endif
+distro_sbat=1
+sbat="shim.${distro_id},${distro_sbat},${distro_name},%{name},%{version},mail:secur...@suse.de"
+echo "${sbat}" > data/sbat.vendor.csv
 
 # first, build MokManager and fallback as they don't depend on a
 # specific certificate
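Review bot: `distro_sbat=1` is the vendor SBAT generation number, but the hunk gives no hint of when it has to change; that number is what lets a future SbatLevel revoke every SUSE shim built before a security fix, so a maintainer who forgets to bump it defeats the mechanism. Add `# SBAT generation of this shim build: bump whenever a fix must make older SUSE shim binaries revocable` above the assignment. The `distro_id`/`distro_name` selection itself is fine; note that field 5 carries `%{version}`, the package version, which is distinct from the generation in field 2.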


commit shim for openSUSE:Factory

2022-07-18 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2022-07-18 18:32:49

Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and  /work/SRC/openSUSE:Factory/.shim.new.1523 (New)


Package is "shim"

Mon Jul 18 18:32:49 2022 rev:101 rq:989068 version:15.6

Changes:

--- /work/SRC/openSUSE:Factory/shim/shim.changes2022-06-29 
16:00:23.488538457 +0200
+++ /work/SRC/openSUSE:Factory/.shim.new.1523/shim.changes  2022-07-18 
18:32:53.977668924 +0200
@@ -157,0 +158,5 @@
+Tue Apr 12 06:35:16 UTC 2022 - Ludwig Nussel 
+
+- use common SBAT values (boo#1193282)
+
+---



Other differences:
--
++ shim.spec ++
--- /var/tmp/diff_new_pack.DSnmIW/_old  2022-07-18 18:32:54.861670181 +0200
+++ /var/tmp/diff_new_pack.DSnmIW/_new  2022-07-18 18:32:54.865670186 +0200
@@ -35,6 +35,13 @@
 %endif
 %endif
 
+%if %{defined sbat_distro}
+# SBAT metadata
+%define sbat_generation 1
+%else
+%{error please define sbat_distro, sbat_distro_summary and sbat_distro_url}
+%endif
+
 Name:   shim
 Version:15.6
 Release:0
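Review bot: `%{error please define sbat_distro, ...}` appears to be missing the colon of rpm's built-in form `%{error:...}`; please verify on the rpm versions used for this build that the macro really aborts with that message. If it does not, a spec built without `sbat_distro` falls through to the `%build` hunk, which then skips writing data/sbat.vendor.csv without any diagnostic, and the resulting shim would carry no vendor SBAT entry. Placing the check here is right; it just has to be loud.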
@@ -127,17 +134,10 @@
 %patch100 -p1
 
 %build
+%if 0%{?sbat_generation}
 # generate the vendor SBAT metadata
-%if 0%{?is_opensuse} == 1 || 0%{?sle_version} == 0
-distro_id="opensuse"
-distro_name="The openSUSE project"
-%else
-distro_id="sle"
-distro_name="SUSE Linux Enterprise"
+echo 
"shim.%{sbat_distro},%{sbat_generation},%{sbat_distro_summary},%{name},%{version},%{sbat_distro_url}"
 > data/sbat.vendor.csv
 %endif
-distro_sbat=1
-sbat="shim.${distro_id},${distro_sbat},${distro_name},%{name},%{version},mail:security-t...@suse.de"
-echo "${sbat}" > data/sbat.vendor.csv
 
 # first, build MokManager and fallback as they don't depend on a
 # specific certificate
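Review bot: The `%if 0%{?sbat_generation}` guard around the CSV generation can only be false when `sbat_distro` is undefined, and the earlier hunk already aborts the build in that case, so the false branch (a shim with no vendor SBAT entry) should be unreachable. A one-line comment, `# sbat_generation is always defined here (see the sbat_distro check above)`, stops the next reader from looking for a second path. If an unguarded build is ever possible, an explicit `%{error:...}` is preferable to the silent skip.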


commit shim for openSUSE:Factory

2022-06-29 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2022-06-29 16:00:19

Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and  /work/SRC/openSUSE:Factory/.shim.new.1548 (New)


Package is "shim"

Wed Jun 29 16:00:19 2022 rev:100 rq:985419 version:15.6

Changes:

--- /work/SRC/openSUSE:Factory/shim/shim.changes2021-07-04 
22:09:59.417578323 +0200
+++ /work/SRC/openSUSE:Factory/.shim.new.1548/shim.changes  2022-06-29 
16:00:23.488538457 +0200
@@ -1,0 +2,156 @@
+Tue Jun 28 04:03:45 UTC 2022 - Joey Lee 
+
+- Update to 15.6 (bsc#1198458)
+- shim-15.6.tar.bz2 is downloaded from bsc#1198458#c76
+  which is from upstream grub2.cve_2021_3695.ms keybase channel.
+- For building 15.6~rc1 aarch64 image (d6eb9c6 Modernize aarch64), objcopy 
needs to
+  support efi-app-aarch64 target. So we need the following patches in 
bintuils:
+- binutils-AArch64-Add-support-for-AArch64-EFI-efi-aarch64.patch
+b69c9d41e8 AArch64: Add support for AArch64 EFI 
(efi-*-aarch64).
+- binutils-Re-AArch64-Add-support-for-AArch64-EFI-efi-aarch64.patch
+32384aa396 Re: AArch64: Add support for AArch64 EFI 
(efi-*-aarch64)
+- binutils-Re-Add-support-for-AArch64-EFI-efi-aarch64.patch
+d91c67e873 Re: Add support for AArch64 EFI (efi-*-aarch64)
+- Patches (git log --oneline --reverse 15.5~..77144e5a4)
+448f096 MokManager: removed Locate graphic output protocol fail error 
message (bsc#1193315, bsc#1198458)
+a2da05f shim: implement SBAT verification for the shim_lock protocol
+bda03b8 post-process-pe: Fix a missing return code check
+af18810 CI: don't cancel testing when one fails
+ba580f9 CI: remove EOL Fedoras from github actions
+bfeb4b3 Remove aarch64 build tests before f35
+38cc646 CI: Add f36 and centos9 CI build tests.
+b5185cb post-process-pe: Fix format string warnings on 32-bit platforms
+31094e5 tests: also look for system headers in multi-arch directories
+4df989a mock-variables.c: fix gcc warning
+6aac595 test-str.c: fix gcc warnings with FORTIFY_SOURCE enabled
+2670c6a Allow MokListTrusted to be enabled by default
+5c44aaf Add code of conduct
+d6eb9c6 Modernize aarch64
+9af50c1 Use ASCII as fallback if Unicode Box Drawing characters fail
+de87985 make: don't treat cert.S specially
+803dc5c shim: use SHIM_DEVEL_VERBOSE when built in devel mode
+6402f1f SBAT matching: Break out of the inner sbat loop if we find the 
entry.
+bb4b60e Add verify_image
+acfd48f Abstract out image reading
+35d7378 Load additional certs from a signed binary
+8ce2832 post-process-pe: there is no 's' argument.
+465663e Add some missing PE image flag definitions
+226fee2 PE Loader: support and require NX
+df96f48 Add MokPolicy variable and MOK_POLICY_REQUIRE_NX
+b104fc4 post-process-pe: set EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT
+f81a7cc SBAT revocation management
+abe41ab make: unbreak scan-build again for gnu-efi
+610a1ac sbat.h: minor reformatting for legibility
+f28833f peimage.h: make our signature macros force the type
+5d789ca Always initialize data/datasize before calling read_image()
+a50d364 sbat policy: make our policy change actions symbolic
+5868789 load_certs: trust dir->Read() slightly less.
+a78673b mok.c: fix a trivial dead assignment
+759f061 Fix preserve_sbat_uefi_variable() logic
+aa61fdf Give the Coverity scanner some more GCC blinders...
+0214cd9 load_cert_file(): don't defererence NULL
+1eca363 mok import: handle OOM case
+75449bc sbat: Make nth_sbat_field() honor the size limit
+c0bcd04 shim-15.6~rc1
+77144e5 SBAT Policy latest should be a one-shot
+- 15.5 release note https://github.com/rhboot/shim/releases
+   Broken ia32 relocs and an unimportant submodule change. by @vathpela in 
#357
+   mok: allocate MOK config table as BootServicesData by @lcp in #361
+   Don't call QueryVariableInfo() on EFI 1.10 machines by @vathpela in #364
+   Relax the check for import_mok_state() by @lcp in #372
+   SBAT.md: trivial changes by @hallyn in #389
+   shim: another attempt to fix load options handling by @chrisccoulson in 
#379
+   Add tests for our load options parsing. by @vathpela in #390
+   arm/aa64: fix the size of .rela* sections by @lcp in #383
+   mok: fix potential buffer overrun in import_mok_state by @jyong2 in #365
+   mok: relax the maximum variable size check by @lcp in #369
+   Don't unhook ExitBootServices when EBS protec

commit shim for openSUSE:Factory

2021-07-04 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2021-07-04 22:09:58

Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and  /work/SRC/openSUSE:Factory/.shim.new.2625 (New)


Package is "shim"

Sun Jul  4 22:09:58 2021 rev:99 rq:903340 version:15.4

Changes:

--- /work/SRC/openSUSE:Factory/shim/shim.changes2021-06-25 
15:00:51.492116465 +0200
+++ /work/SRC/openSUSE:Factory/.shim.new.2625/shim.changes  2021-07-04 
22:09:59.417578323 +0200
@@ -1,0 +2,6 @@
+Thu Jul  1 04:07:03 UTC 2021 - Gary Ching-Pang Lin 
+
+- Add shim-bsc1187696-avoid-deleting-rt-variables.patch to avoid
+  deleting the mirrored RT variables (bsc#1187696)
+
+---

New:

  shim-bsc1187696-avoid-deleting-rt-variables.patch



Other differences:
--
++ shim.spec ++
--- /var/tmp/diff_new_pack.2EWFDC/_old  2021-07-04 22:10:00.157572600 +0200
+++ /var/tmp/diff_new_pack.2EWFDC/_new  2021-07-04 22:10:00.161572569 +0200
@@ -93,6 +93,8 @@
 Patch13:shim-bsc1187260-fix-efi-1.10-machines.patch
 # PATCH-FIX-UPSTREAM shim-bsc1185232-fix-config-table-copying.patch 
bsc#1185232 g...@suse.com -- Avoid buffer overflow when copying the MOK config 
table
 Patch14:shim-bsc1185232-fix-config-table-copying.patch
+# PATCH-FIX-UPSTREAM shim-bsc1187696-avoid-deleting-rt-variables.patch 
bsc#1187696 g...@suse.com -- Avoid deleting the mirrored RT variables
+Patch15:shim-bsc1187696-avoid-deleting-rt-variables.patch
 BuildRequires:  dos2unix
 BuildRequires:  mozilla-nss-tools
 BuildRequires:  openssl >= 0.9.8
@@ -145,6 +147,7 @@
 %patch12 -p1
 %patch13 -p1
 %patch14 -p1
+%patch15 -p1
 
 %build
 # generate the vendor SBAT metadata



++ shim-bsc1187696-avoid-deleting-rt-variables.patch ++
>From 14f6e10b8272ce34d3c373e000c583e5345b526b Mon Sep 17 00:00:00 2001
From: Gary Lin 
Date: Wed, 30 Jun 2021 16:34:51 +0800
Subject: [PATCH] mok: delete the existing RT variables only when
 only_first=TRUE

For the firmware without the variable writing issues, MOK variables are
mirrored when only_first=TRUE. However, LibDeleteVariable() was called
in maybe_mirror_one_mok_variable() when only_first=FALSE, and this
could delete MOK variables that were just mirrored in the first round.

This bug was hidden because LibDeleteVariable() deletes BS+RT+NV variables
while we mirror MOK variables as BS+RT, so the firmware refused to
delete the mirrored MOK variable due to mismatching attributes. However,
some firmwares, such as VMWare's, didn't enforce the attribute check and
just deleted the variables with a matching name and GUID. On such systems,
MokListRT was always removed before it reached the OS.

Fixes: https://github.com/rhboot/shim/issues/386

Signed-off-by: Gary Lin 
---
 mok.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mok.c b/mok.c
index beac0ff6..5ea39d54 100644
--- a/mok.c
+++ b/mok.c
@@ -863,7 +863,7 @@ maybe_mirror_one_mok_variable(struct mok_state_variable *v,
BOOLEAN present = FALSE;
 
if (v->rtname) {
-   if (!only_first && (v->flags & MOK_MIRROR_DELETE_FIRST)) {
+   if (only_first && (v->flags & MOK_MIRROR_DELETE_FIRST)) {
dprint(L"deleting \"%s\"\n", v->rtname);
efi_status = LibDeleteVariable(v->rtname, v->guid);
dprint(L"LibDeleteVariable(\"%s\",...) => %r\n", 
v->rtname, efi_status);
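Review bot: The flipped condition fixes the pass-ordering bug, but nothing at the new line records why deletion belongs to the first pass only, and the context lines show `efi_status` from LibDeleteVariable() is only dprint'ed, so a refused delete is not distinguished from a successful one. Add above the `if`: `/* Remove a stale BS+RT+NV copy before the first mirroring pass only; the second pass must not delete what the first pass just wrote (rhboot/shim#386). */`. maybe_mirror_one_mok_variable continues outside the hunk.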
-- 
2.31.1


commit shim for openSUSE:Factory

2021-06-25 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2021-06-25 15:00:33

Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and  /work/SRC/openSUSE:Factory/.shim.new.2625 (New)


Package is "shim"

Fri Jun 25 15:00:33 2021 rev:98 rq:901237 version:15.4

Changes:

--- /work/SRC/openSUSE:Factory/shim/shim.changes2021-06-15 
16:37:12.693680451 +0200
+++ /work/SRC/openSUSE:Factory/.shim.new.2625/shim.changes  2021-06-25 
15:00:51.492116465 +0200
@@ -1,0 +2,24 @@
+Mon Jun 21 08:51:37 UTC 2021 - Gary Ching-Pang Lin 
+
+- Add shim-bsc1185232-fix-config-table-copying.patch to avoid
+  buffer overflow when copying data to the MOK config table
+  (bsc#1185232)
+
+---
+Mon Jun 21 01:58:00 UTC 2021 - Gary Ching-Pang Lin 
+
+- Add shim-disable-export-vendor-dbx.patch to disable exporting
+  vendor-dbx to MokListXRT since writing a large RT variable
+  could crash some machines (bsc#1185261)
+- Add shim-bsc1187260-fix-efi-1.10-machines.patch to avoid the
+  potential crash when calling QueryVariableInfo in EFI 1.10
+  machines (bsc#1187260)
+
+---
+Thu Jun 17 03:03:37 UTC 2021 - Gary Ching-Pang Lin 
+
+- Add shim-fix-aa64-relsz.patch to fix the size of rela sections
+  for AArch64
+  Fix: https://github.com/rhboot/shim/issues/371 
+
+---

New:

  shim-bsc1185232-fix-config-table-copying.patch
  shim-bsc1187260-fix-efi-1.10-machines.patch
  shim-disable-export-vendor-dbx.patch
  shim-fix-aa64-relsz.patch



Other differences:
--
++ shim.spec ++
--- /var/tmp/diff_new_pack.23NATu/_old  2021-06-25 15:00:52.612117831 +0200
+++ /var/tmp/diff_new_pack.23NATu/_new  2021-06-25 15:00:52.612117831 +0200
@@ -85,6 +85,14 @@
 Patch9: shim-bsc1185261-relax-import_mok_state-check.patch
 # PATCH-FIX-UPSTREAM shim-bsc1185232-relax-loadoptions-length-check.patch 
bsc#1185232 g...@suse.com -- Relax the check for the LoadOptions length
 Patch10:shim-bsc1185232-relax-loadoptions-length-check.patch
+# PATCH-FIX-UPSTREAM shim-fix-aa64-relsz.patch g...@suse.com -- Fix the size 
of rela* sections for AArch64
+Patch11:shim-fix-aa64-relsz.patch
+# PATCH-FIX-SUSE shim-disable-export-vendor-dbx.patch bsc#1185261 
g...@suse.com -- Disable exporting vendor-dbx to MokListXRT
+Patch12:shim-disable-export-vendor-dbx.patch
+# PATCH-FIX-UPSTREAM shim-bsc1187260-fix-efi-1.10-machines.patch bsc#1187260 
g...@suse.com -- Don't call QueryVariableInfo() on EFI 1.10 machines
+Patch13:shim-bsc1187260-fix-efi-1.10-machines.patch
+# PATCH-FIX-UPSTREAM shim-bsc1185232-fix-config-table-copying.patch 
bsc#1185232 g...@suse.com -- Avoid buffer overflow when copying the MOK config 
table
+Patch14:shim-bsc1185232-fix-config-table-copying.patch
 BuildRequires:  dos2unix
 BuildRequires:  mozilla-nss-tools
 BuildRequires:  openssl >= 0.9.8
@@ -133,6 +141,10 @@
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1
+%patch12 -p1
+%patch13 -p1
+%patch14 -p1
 
 %build
 # generate the vendor SBAT metadata



++ shim-bsc1185232-fix-config-table-copying.patch ++
>From 42c6148c7ebd026862ab96405e78191ff8ebf298 Mon Sep 17 00:00:00 2001
From: Gary Lin 
Date: Mon, 21 Jun 2021 16:38:02 +0800
Subject: [PATCH] mok: skip the empty variables when copying the data to MOK
 config table

When calculating the size of the MOK config table, we skip the empty
variables. However, when copying the data, we copied the zeroed config
templates for those empty variables, and this could cause a crash since we
may write more data than the allocated pages hold. This commit skips the
empty variables when copying the data so that the size of the copied data
matches config_sz.

Signed-off-by: Gary Lin 
---
 mok.c | 18 ++
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/mok.c b/mok.c
index beac0ff6..add21223 100644
--- a/mok.c
+++ b/mok.c
@@ -1028,16 +1028,18 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
for (i = 0; p && mok_state_variables[i].name != NULL; i++) {
struct mok_state_variable *v = &mok_state_variables[i];
 
-   ZeroMem(&config_template, sizeof(config_template));
-   strncpy(config_template.name, (CHAR8 *)v->rtname8, 255);
-   config_template.name[255] = '\0';
+   if (v->data && v->data_size) {
+   ZeroMem(&config_template, sizeof(config_template));
+   strncpy(config_template.name, (CHAR8 *)v->rtname8, 255);
+   config_template.name[255] = '\0';
 

commit shim for openSUSE:Factory

2021-06-15 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2021-06-15 16:37:00

Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and  /work/SRC/openSUSE:Factory/.shim.new.32437 (New)


Package is "shim"

Tue Jun 15 16:37:00 2021 rev:97 rq:99 version:15.4

Changes:

--- /work/SRC/openSUSE:Factory/shim/shim.changes2021-06-02 
22:10:28.152127832 +0200
+++ /work/SRC/openSUSE:Factory/.shim.new.32437/shim.changes 2021-06-15 
16:37:12.693680451 +0200
@@ -1,0 +2,12 @@
+Fri Jun  4 09:22:51 UTC 2021 - Gary Ching-Pang Lin 
+
+- Add shim-bsc1185232-relax-loadoptions-length-check.patch to
+  ignore the odd LoadOptions length (bsc#1185232)
+
+---
+Fri Jun  4 07:02:03 UTC 2021 - Gary Ching-Pang Lin 
+
+- shim-install: reset def_shim_efi to "shim.efi" if the given
+  file doesn't exist
+
+---
@@ -33 +45 @@
-  (bsc#1185441)
+  (bsc#1185441, bsc#1187071)

New:

  shim-bsc1185232-relax-loadoptions-length-check.patch



Other differences:
--
++ shim.spec ++
--- /var/tmp/diff_new_pack.HwiD8w/_old  2021-06-15 16:37:13.401681676 +0200
+++ /var/tmp/diff_new_pack.HwiD8w/_new  2021-06-15 16:37:13.405681684 +0200
@@ -83,6 +83,8 @@
 Patch8: shim-bsc1185621-relax-max-var-sz-check.patch
 # PATCH-FIX-UPSTREAM shim-bsc1185261-relax-import_mok_state_check.patch 
bsc#1185261 g...@suse.com -- Relax the check for import_mok_state() when Secure 
Boot is off
 Patch9: shim-bsc1185261-relax-import_mok_state-check.patch
+# PATCH-FIX-UPSTREAM shim-bsc1185232-relax-loadoptions-length-check.patch 
bsc#1185232 g...@suse.com -- Relax the check for the LoadOptions length
+Patch10:shim-bsc1185232-relax-loadoptions-length-check.patch
 BuildRequires:  dos2unix
 BuildRequires:  mozilla-nss-tools
 BuildRequires:  openssl >= 0.9.8
@@ -130,6 +132,7 @@
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
 
 %build
 # generate the vendor SBAT metadata



++ shim-bsc1185232-relax-loadoptions-length-check.patch ++
>From 795c62cb023886d39f1ee15977dc3194e01da57f Mon Sep 17 00:00:00 2001
From: Gary Lin 
Date: Fri, 4 Jun 2021 17:02:31 +0800
Subject: [PATCH] shim: don't fail on the odd LoadOptions length

Some firmware feeds the LoadOptions with an odd length when booting from
a USB device(*). We should only skip this kind of LoadOptions rather than
fail on it, or the user won't be able to boot the system from USB or CD-ROM.

(*) https://bugzilla.suse.com/show_bug.cgi?id=1185232#c62

Signed-off-by: Gary Lin 
---
 shim.c | 11 +--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/shim.c b/shim.c
index c5cfbb83..dd563cf6 100644
--- a/shim.c
+++ b/shim.c
@@ -1411,9 +1411,16 @@ EFI_STATUS set_second_stage (EFI_HANDLE image_handle)
return efi_status;
}
 
-   /* Sanity check since we make several assumptions about the length */
+   /* Sanity check since we make several assumptions about the length
+* Some firmware feeds the following load option when booting from
+* an USB device:
+*
+*0x46 0x4a 0x00 |FJ.|
+*
+* The string is meaningless for shim and so just ignore it.
+* */
if (li->LoadOptionsSize % 2 != 0)
-   return EFI_INVALID_PARAMETER;
+   return EFI_SUCCESS;
 
/* So, load options are a giant pain in the ass.  If we're invoked
 * from the EFI shell, we get something like this:
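Review bot: The changed `return EFI_SUCCESS;` on an odd LoadOptionsSize now discards a malformed load option without any trace, so a user whose deliberately passed command line is silently dropped gets no hint why; shim already has dprint() (the changelog on this page mentions it), so add `dprint(L"LoadOptions has odd size %d, ignoring\n", li->LoadOptionsSize);` before the return. The new comment should also say what the early return leaves in place — presumably the default second stage set up earlier in set_second_stage(), which is outside this hunk — so a reader knows the boot still proceeds rather than the options being retried. set_second_stage() begins and ends outside the hunk.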
-- 
2.31.1

++ shim-install ++
--- /var/tmp/diff_new_pack.HwiD8w/_old  2021-06-15 16:37:13.509681864 +0200
+++ /var/tmp/diff_new_pack.HwiD8w/_new  2021-06-15 16:37:13.509681864 +0200
@@ -28,7 +28,7 @@
 [ ! -r /usr/etc/default/shim ] || . /usr/etc/default/shim
 [ ! -r /etc/default/shim ] || . /etc/default/shim
 
-if [ -z "$def_shim_efi" ] ; then
+if [ -z "$def_shim_efi" -o ! -e ${source_dir}/${def_shim_efi} ] ; then
def_shim_efi="shim.efi"
 fi
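Review bot: The new test on the changed `if` line leaves `${source_dir}/${def_shim_efi}` unquoted and joins the two conditions with `-o`, which POSIX marks obsolescent and which misparses when a value starts with `!` or `(`; since def_shim_efi comes straight from /etc/default/shim two lines above, write it as `if [ -z "$def_shim_efi" ] || [ ! -e "${source_dir}/${def_shim_efi}" ]; then`. Silently falling back to shim.efi when the configured file is missing also hides a misconfiguration, so an `echo "warning: ${source_dir}/${def_shim_efi} not found, using shim.efi" >&2` inside the branch would help. Whether source_dir is already set at this point is not visible in the hunk.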
 


commit shim for openSUSE:Factory

2021-06-02 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2021-06-02 22:10:23

Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and  /work/SRC/openSUSE:Factory/.shim.new.1898 (New)


Package is "shim"

Wed Jun  2 22:10:23 2021 rev:96 rq:895435 version:15.4

Changes:

--- /work/SRC/openSUSE:Factory/shim/shim.changes2021-05-08 
22:07:24.353745628 +0200
+++ /work/SRC/openSUSE:Factory/.shim.new.1898/shim.changes  2021-06-02 
22:10:28.152127832 +0200
@@ -1,0 +2,15 @@
+Wed May 19 01:07:43 UTC 2021 - Gary Ching-Pang Lin 
+
+- shim-install: instead of assuming "removable" for Azure, remove
+  fallback.efi from \EFI\Boot and copy grub.efi/cfg to \EFI\Boot
+  to make \EFI\Boot bootable and keep the boot option created by
+  efibootmgr (bsc#1185464, bsc#1185961)
+
+---
+Tue May 11 02:57:14 UTC 2021 - Gary Ching-Pang Lin 
+
+- Add shim-bsc1185261-relax-import_mok_state-check.patch to relax
+  the check for import_mok_state() when Secure Boot is off.
+  (bsc#1185261)
+
+---

New:

  shim-bsc1185261-relax-import_mok_state-check.patch



Other differences:
--
++ shim.spec ++
--- /var/tmp/diff_new_pack.QbU0Hm/_old  2021-06-02 22:10:29.016127762 +0200
+++ /var/tmp/diff_new_pack.QbU0Hm/_new  2021-06-02 22:10:29.020127761 +0200
@@ -81,6 +81,8 @@
 Patch7: 
shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch
 # PATCH-FIX-UPSTREAM shim-bsc1185621-relax-max-var-sz-check.patch bsc#1185621 
g...@suse.com -- Relax the maximum variable size check for u-boot
 Patch8: shim-bsc1185621-relax-max-var-sz-check.patch
+# PATCH-FIX-UPSTREAM shim-bsc1185261-relax-import_mok_state_check.patch 
bsc#1185261 g...@suse.com -- Relax the check for import_mok_state() when Secure 
Boot is off
+Patch9: shim-bsc1185261-relax-import_mok_state-check.patch
 BuildRequires:  dos2unix
 BuildRequires:  mozilla-nss-tools
 BuildRequires:  openssl >= 0.9.8
@@ -127,6 +129,7 @@
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 
 %build
 # generate the vendor SBAT metadata



++ shim-bsc1185261-relax-import_mok_state-check.patch ++
>From 3e33205b9c957624df7e30a2e5e2847f23d37989 Mon Sep 17 00:00:00 2001
From: Gary Lin 
Date: Tue, 11 May 2021 10:41:43 +0800
Subject: [PATCH] Relax the check for import_mok_state()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

An openSUSE user reported(*) that shim 15.4 failed to boot the system
with the following message:

  "Could not create MokListXRT: Out of Resources"

In the beginning, I thought it's caused by the growing size of
vendor-dbx. However, we found the following messages after set
SHIM_VERBOSE:

  max_var_sz:8000 remaining_sz:85EC max_storage_sz:9000
  SetVariable(???MokListXRT???, ... varsz=0x1404) = Out of Resources

Even though the firmware claimed the remaining storage size is 0x85EC,
it still rejected MokListXRT with size 0x1404. It seems that the return
values from QueryVariableInfo() are not reliable. Since this firmware
didn't really support Secure Boot, the variable mirroring is not so
critical, so we can just accept the failure of import_mok_state() and
continue boot.

(*) https://bugzilla.suse.com/show_bug.cgi?id=1185261

Signed-off-by: Gary Lin 
---
 shim.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/shim.c b/shim.c
index c5cfbb83..d38ae2f0 100644
--- a/shim.c
+++ b/shim.c
@@ -1973,10 +1973,13 @@ efi_main (EFI_HANDLE passed_image_handle, 
EFI_SYSTEM_TABLE *passed_systab)
 * boot-services-only state variables are what we think they are.
 */
efi_status = import_mok_state(image_handle);
-   if (!secure_mode() && efi_status == EFI_INVALID_PARAMETER) {
+   if (!secure_mode() && 
+   (efi_status == EFI_INVALID_PARAMETER ||
+efi_status == EFI_OUT_OF_RESOURCES)) {
/*
 * Make copy failures fatal only if secure_mode is enabled, or
-* the error was anything else than EFI_INVALID_PARAMETER.
+* the error was anything else than EFI_INVALID_PARAMETER or
+* EFI_OUT_OF_RESOURCES.
 * There are non-secureboot firmware implementations that don't
 * reserve enough EFI variable memory to fit the variable.
 */
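Review bot: The widened condition now also tolerates EFI_OUT_OF_RESOURCES from import_mok_state(), and the updated comment explains the firmware quirk but not that the tolerance is acceptable only because it sits behind `!secure_mode()`; a reader could later loosen that guard, so extend the comment with `With Secure Boot enabled an unmirrored MOK state stays fatal: never add more tolerated errors to this branch.` The changed `if (!secure_mode() && ` line also appears to carry trailing whitespace. Logging the tolerated status with dprint() (which shim has, per the changelog on this page) would make the next firmware with an unreliable QueryVariableInfo() easier to diagnose. efi_main() continues outside the hunk.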
-- 
2.31.1

++ shim-install ++
--- /var/tmp/diff_new_pack.QbU0Hm/_old  2021-06-02 22:10:29.120127753 +0200
+++ /var/tmp/diff_new_pack.QbU0Hm/_new  2021-06-02 22:10:29.120127753 +0200
@@ -221,15 +221,6 @@
 esac
 done
 
-# bsc#1185464
-# The A

commit shim for openSUSE:Factory

2021-05-08 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2021-05-08 22:07:23

Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and  /work/SRC/openSUSE:Factory/.shim.new.2988 (New)


Package is "shim"

Sat May  8 22:07:23 2021 rev:95 rq:891231 version:15.4

Changes:

--- /work/SRC/openSUSE:Factory/shim/shim.changes2021-05-02 
18:35:40.793059319 +0200
+++ /work/SRC/openSUSE:Factory/.shim.new.2988/shim.changes  2021-05-08 
22:07:24.353745628 +0200
@@ -1,0 +2,19 @@
+Fri May  7 08:33:49 UTC 2021 - Gary Ching-Pang Lin 
+
+- shim-install: always assume "removable" for Azure to avoid the
+  endless reset loop (bsc#1185464)
+
+---
+Thu May  6 03:18:32 UTC 2021 - Gary Ching-Pang Lin 
+
+- Add shim-bsc1185621-relax-max-var-sz-check.patch to relax the
+  maximum variable size check for u-boot (bsc#1185621)
+
+---
+Mon May  3 03:46:27 UTC 2021 - Gary Ching-Pang Lin 
+
+- Add shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch
+  to handle ignore_db and user_insecure_mode correctly
+  (bsc#1185441)
+
+---

New:

  shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch
  shim-bsc1185621-relax-max-var-sz-check.patch



Other differences:
--
++ shim.spec ++
--- /var/tmp/diff_new_pack.Om96XS/_old  2021-05-08 22:07:25.001742823 +0200
+++ /var/tmp/diff_new_pack.Om96XS/_new  2021-05-08 22:07:25.005742805 +0200
@@ -77,6 +77,10 @@
 Patch5: remove_build_id.patch
 # PATCH-FIX-UPSTREAM shim-bsc1184454-allocate-mok-config-table-BS.patch 
bsc#1184454 g...@suse.com -- Allocate MOK config table as BootServicesData to 
avoid the error message from linux kernel
 Patch6: shim-bsc1184454-allocate-mok-config-table-BS.patch
+# PATCH-FIX-UPSTREAM 
shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch 
bsc#1184454 g...@suse.com -- Handle ignore_db and user_insecure_mode correctly
+Patch7: 
shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch
+# PATCH-FIX-UPSTREAM shim-bsc1185621-relax-max-var-sz-check.patch bsc#1185621 
g...@suse.com -- Relax the maximum variable size check for u-boot
+Patch8: shim-bsc1185621-relax-max-var-sz-check.patch
 BuildRequires:  dos2unix
 BuildRequires:  mozilla-nss-tools
 BuildRequires:  openssl >= 0.9.8
@@ -121,6 +125,8 @@
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
+%patch8 -p1
 
 %build
 # generate the vendor SBAT metadata



++ shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch 
++
>From 822d07ad4f07ef66fe447a130e1027c88d02a394 Mon Sep 17 00:00:00 2001
From: Adam Williamson 
Date: Thu, 8 Apr 2021 22:39:02 -0700
Subject: [PATCH] Fix handling of ignore_db and user_insecure_mode

In 65be350308783a8ef537246c8ad0545b4e6ad069, import_mok_state() is split
up into a function that manages the whole mok state, and one that
handles the state machine for an individual state variable.
Unfortunately, the code that initializes the global ignore_db and
user_insecure_mode was copied from import_mok_state() into the new
import_one_mok_state() function, and thus re-initializes that state each
time it processes a MoK state variable, before even assessing if that
variable is set.  As a result, we never honor either flag, and the
machine owner cannot disable trusting the system firmware's db/dbx
databases or disable validation altogether.

This patch removes the extra re-initialization, allowing those variables
to be set properly.

Signed-off-by: Adam Williamson 
---
 mok.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/mok.c b/mok.c
index 5ad9072b..9e37d6ab 100644
--- a/mok.c
+++ b/mok.c
@@ -888,9 +888,6 @@ EFI_STATUS import_one_mok_state(struct mok_state_variable 
*v,
EFI_STATUS ret = EFI_SUCCESS;
EFI_STATUS efi_status;
 
-   user_insecure_mode = 0;
-   ignore_db = 0;
-
UINT32 attrs = 0;
BOOLEAN delete = FALSE;
 
-- 
2.31.1

++ shim-bsc1185621-relax-max-var-sz-check.patch ++
commit 690ec2419a8c2c4246450e447629adc85f9a6f40
Author: Gary Lin 
Date:   Wed May 5 11:25:07 2021 +0800

mok: relax the maximum variable size check

Some UEFI environment such as u-boot doesn't implement
QueryVariableInfo(), so we couldn't rely on the function to estimate the
available space for RT variables. All we can do is to call SetVariable()
directly and check the return value of SetVariable().

Signed-off-by: Gary Lin 

diff --git a/mok.c b/mok.c
index 5ad9072b..1f9820e7 100644
--- a/mok.c
+++ b/mok.c

commit shim for openSUSE:Factory

2021-05-02 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2021-05-02 18:35:23

Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and  /work/SRC/openSUSE:Factory/.shim.new.1947 (New)


Package is "shim"

Sun May  2 18:35:23 2021 rev:94 rq:888995 version:15.4

Changes:

--- /work/SRC/openSUSE:Factory/shim/shim.changes2021-04-10 
15:26:29.766316259 +0200
+++ /work/SRC/openSUSE:Factory/.shim.new.1947/shim.changes  2021-05-02 
18:35:40.793059319 +0200
@@ -1,0 +2,8 @@
+Wed Apr 28 09:28:30 UTC 2021 - Gary Ching-Pang Lin 
+
+- Split the keys in vendor-dbx.bin to vendor-dbx-sles and
+  vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce
+  the size of MokListXRT (bsc#1185261) 
+  + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz
+
+---

New:

  vendor-dbx-opensuse.bin
  vendor-dbx-sles.bin



Other differences:
--
++ shim.spec ++
--- /var/tmp/diff_new_pack.ytlyp9/_old  2021-05-02 18:35:41.493056336 +0200
+++ /var/tmp/diff_new_pack.ytlyp9/_new  2021-05-02 18:35:41.497056319 +0200
@@ -60,8 +60,10 @@
 Source12:   signature-opensuse.aarch64.asc
 Source13:   signature-sles.aarch64.asc
 Source50:   dbx-cert.tar.xz
-# vendor-dbx.bin is generated by generate-vendor-dbx.sh in dbx-cert.tar.xz
+# vendor-dbx*.bin are generated by generate-vendor-dbx.sh in dbx-cert.tar.xz
 Source51:   vendor-dbx.bin
+Source52:   vendor-dbx-sles.bin
+Source53:   vendor-dbx-opensuse.bin
 Source99:   SIGNATURE_UPDATE.txt
 # PATCH-FIX-SUSE shim-arch-independent-names.patch g...@suse.com -- Use the 
Arch-independent names
 Patch1: shim-arch-independent-names.patch
@@ -111,7 +113,6 @@
 %description -n shim-debugsource
 The source code of UEFI shim loader
 
-
 %prep
 %setup -q
 %patch1 -p1
@@ -165,6 +166,7 @@
 if test "$suffix" = "opensuse"; then
cert=%{SOURCE2}
verify='openSUSE Secure Boot CA1'
+   vendor_dbx=%{SOURCE53}
 %ifarch x86_64
signature=%{SOURCE1}
 %else
@@ -176,6 +178,7 @@
 elif test "$suffix" = "sles"; then
cert=%{SOURCE4}
verify='SUSE Linux Enterprise Secure Boot CA1'
+   vendor_dbx=%{SOURCE52}
 %ifarch x86_64
signature=%{SOURCE11}
 %else
@@ -187,6 +190,7 @@
 elif test "$suffix" = "devel"; then
cert=%{_sourcedir}/_projectcert.crt
verify=`openssl x509 -in "$cert" -noout -email`
+   vendor_dbx=%{SOURCE51}
signature=''
test -e "$cert" || continue
 else
@@ -198,7 +202,7 @@
 make RELEASE=0 SHIMSTEM=shim \
  VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \
  DEFAULT_LOADER="grub.efi" \
- VENDOR_DBX_FILE=%{SOURCE51} \
+ VENDOR_DBX_FILE=$vendor_dbx \
  shim.efi.debug shim.efi
 #
 # assert correct certificate embedded
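Review bot: `VENDOR_DBX_FILE=$vendor_dbx` on the changed make line is unquoted and unchecked: if a flavor branch above leaves vendor_dbx unset (the final `else` branch of the chain is outside this hunk), make receives an empty VENDOR_DBX_FILE and quietly builds a shim without the vendor dbx, i.e. without the revocation of the 2020-07 signing certificates that this page says the dbx exists to block. Guard it just before make with `test -r "${vendor_dbx:-}" || { echo "no vendor dbx for $suffix" >&2; exit 1; }` and quote the assignment as `VENDOR_DBX_FILE="$vendor_dbx"`. The shell loop these lines belong to starts before the hunk.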


++ dbx-cert.tar.xz ++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/dbx-cert/generate-vendor-dbx.sh 
new/dbx-cert/generate-vendor-dbx.sh
--- old/dbx-cert/generate-vendor-dbx.sh 2020-07-10 09:18:35.508195647 +0200
+++ new/dbx-cert/generate-vendor-dbx.sh 2021-04-28 11:21:35.387363178 +0200
@@ -3,16 +3,20 @@
 # This script goes through all .crt files in this directory and stores
 # them in EFI signature database format.
 
-OUTPUT=vendor-dbx.bin
+FLAVORS="openSUSE SLES"
 
-mkdir tmp
+for flavor in ${FLAVORS}; do
+   OUTPUT=vendor-dbx-$(echo ${flavor} | tr '[:upper:]' '[:lower:]').bin
 
-for cert in *.crt
-do
-   BASENAME=`basename $cert .crt`
-   openssl x509 -in $cert -outform der -out tmp/${BASENAME}.der
-   efisiglist -a -c tmp/${BASENAME}.der -o tmp/${BASENAME}.bin
-done
+   mkdir tmp
+
+   for cert in ${flavor}-*.crt
+   do
+   BASENAME=`basename $cert .crt`
+   openssl x509 -in $cert -outform der -out tmp/${BASENAME}.der
+   efisiglist -a -c tmp/${BASENAME}.der -o tmp/${BASENAME}.bin
+   done
 
-cat tmp/*bin > $OUTPUT
-rm -rf tmp
+   cat tmp/*bin > $OUTPUT
+   rm -rf tmp
+done
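Review bot: Nothing in the rewritten loop checks that openssl and efisiglist succeeded and the script has no `set -e` (its first two lines are above this hunk), so a certificate that fails to convert is silently left out of the flavor's dbx — the file whose sole purpose is to revoke those certificates — while `cat tmp/*bin` still produces a plausible output. Add `set -eu` under the shebang, and quote `"$cert"`, `"tmp/${BASENAME}.der"` and `"$OUTPUT"`; with `set -e` the unchecked `mkdir tmp` also fails loudly instead of reusing a directory left by an aborted run. A final `test -s "$OUTPUT"` would catch an empty flavor glob, since `for cert in ${flavor}-*.crt` iterates the literal pattern when nothing matches.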


commit shim for openSUSE:Factory

2021-04-10 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2021-04-10 15:26:12

Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and  /work/SRC/openSUSE:Factory/.shim.new.2401 (New)


Package is "shim"

Sat Apr 10 15:26:12 2021 rev:93 rq:883801 version:15.4

Changes:

--- /work/SRC/openSUSE:Factory/shim/shim.changes2021-03-15 
10:53:43.801109986 +0100
+++ /work/SRC/openSUSE:Factory/.shim.new.2401/shim.changes  2021-04-10 
15:26:29.766316259 +0200
@@ -1,0 +2,68 @@
+Thu Apr  8 08:44:27 UTC 2021 - Gary Ching-Pang Lin 
+
+- Add shim-bsc1184454-allocate-mok-config-table-BS.patch to avoid
+  the error message during linux system boot (bsc#1184454)
+
+---
+Wed Apr  7 12:25:02 UTC 2021 - Johannes Segitz 
+
+- Add remove_build_id.patch to prevent the build id being added to 
+  the binary. That can cause issues with the signature
+
+---
+Wed Mar 31 08:40:49 UTC 2021 - Gary Ching-Pang Lin 
+
+- Update to 15.4 (bsc#1182057)
+  + Rename the SBAT variable and fix the self-check of SBAT
+  + sbat: add more dprint()
+  + arm/aa64: Swizzle some sections to make old sbsign happier
+  + arm/aa64 targets: put .rel* and .dyn* in .rodata
+- Drop upstreamed patch:
+  + shim-bsc1182057-sbat-variable-enhancement.patch
+
+---
+Mon Mar 29 07:18:20 UTC 2021 - Gary Ching-Pang Lin 
+
+- Add shim-bsc1182057-sbat-variable-enhancement.patch to change
+  the SBAT variable name and enhance the handling of SBAT
+  (bsc#1182057)
+
+---
+Wed Mar 24 01:29:17 UTC 2021 - Gary Ching-Pang Lin 
+
+- Update to 15.3 for SBAT support (bsc#1182057)
+  + Drop gnu-efi from BuildRequires since upstream pull it into the
+tar ball.
+- Generate vender-specific SBAT metadata
+  + Add dos2unix to BuildRequires since Makefile requires it for
+vendor SBAT
+- Update dbx-cert.tar.xz and vendor-dbx.bin to block the following
+  sign keys:
+  + SLES-UEFI-SIGN-Certificate-2020-07.crt
+  + openSUSE-UEFI-SIGN-Certificate-2020-07.crt
+- Refresh patches
+  + shim-arch-independent-names.patch
+  + shim-change-debug-file-path.patch
+  + shim-bsc1177315-verify-eku-codesign.patch
+- Unified with shim-bsc1177315-fix-buffer-use-after-free.patch
+- Drop upstreamed fixes
+  + shim-correct-license-in-headers.patch
+  + shim-always-mirror-mok-variables.patch
+  + shim-bsc1175509-more-tpm-fixes.patch
+  + shim-bsc1173411-only-check-efi-var-on-sb.patch
+  + shim-fix-verify-eku.patch
+  + gcc9-fix-warnings.patch
+  + shim-fix-gnu-efi-3.0.11.patch
+  + shim-bsc1177404-fix-a-use-of-strlen.patch
+  + shim-do-not-write-string-literals.patch
+  + shim-VLogError-Avoid-Null-pointer-dereferences.patch
+  + shim-bsc1092000-fallback-menu.patch
+  + shim-bsc1175509-tpm2-fixes.patch
+  + shim-bsc1174512-correct-license-in-headers.patch
+  + shim-bsc1182776-fix-crash-at-exit.patch
+- Drop shim-opensuse-cert-prompt.patch
+  + All newly released openSUSE kernels enable kernel lockdown
+and signature verification, so there is no need to add the
+prompt anymore.
+
+---

Old:

  gcc9-fix-warnings.patch
  shim-15+git47.tar.bz2
  shim-VLogError-Avoid-Null-pointer-dereferences.patch
  shim-always-mirror-mok-variables.patch
  shim-bsc1092000-fallback-menu.patch
  shim-bsc1173411-only-check-efi-var-on-sb.patch
  shim-bsc1174512-correct-license-in-headers.patch
  shim-bsc1175509-more-tpm-fixes.patch
  shim-bsc1175509-tpm2-fixes.patch
  shim-bsc1177315-fix-buffer-use-after-free.patch
  shim-bsc1177404-fix-a-use-of-strlen.patch
  shim-bsc1182776-fix-crash-at-exit.patch
  shim-correct-license-in-headers.patch
  shim-do-not-write-string-literals.patch
  shim-fix-gnu-efi-3.0.11.patch
  shim-fix-verify-eku.patch
  shim-opensuse-cert-prompt.patch

New:

  remove_build_id.patch
  shim-15.4.tar.bz2
  shim-bsc1184454-allocate-mok-config-table-BS.patch



Other differences:
--
++ shim.spec ++
--- /var/tmp/diff_new_pack.wLskZp/_old  2021-04-10 15:26:30.466317083 +0200
+++ /var/tmp/diff_new_pack.wLskZp/_new  2021-04-10 15:26:30.470317088 +0200
@@ -36,7 +36,7 @@
 %endif
 
 Name:   shim
-Version:15+git47
+Version:15.4
 Release:0
 Summary:UEFI shim loader
 License:BSD-2-Clause
@@ -67,43 +67,15 @@
 Patch1: shim-arch-independent-names.patch
 # PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch g...@suse.com -- Change 
the default debug file path
 Patch2: shim-change-debug-file-pat

commit shim for openSUSE:Factory

2021-03-15 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2021-03-15 10:53:37

Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and  /work/SRC/openSUSE:Factory/.shim.new.2401 (New)


Package is "shim"

Mon Mar 15 10:53:37 2021 rev:92 rq:878251 version:15+git47

Changes:

--- /work/SRC/openSUSE:Factory/shim/shim.changes2021-03-10 
08:52:02.978566589 +0100
+++ /work/SRC/openSUSE:Factory/.shim.new.2401/shim.changes  2021-03-15 
10:53:43.801109986 +0100
@@ -1,0 +2,8 @@
+Thu Mar 11 03:15:03 UTC 2021 - Gary Ching-Pang Lin 
+
+- Refresh shim-bsc1182776-fix-crash-at-exit.patch to do the cleanup
+  also when Secure Boot is disabled (bsc#1183213, bsc#1182776)
+- Merged linker-version.pl into timestamp.pl and add the linker
+  version to signature files accordingly
+
+---

Old:

  linker-version.pl



Other differences:
--
++ shim.spec ++
--- /var/tmp/diff_new_pack.2yL7CV/_old  2021-03-15 10:53:44.709111380 +0100
+++ /var/tmp/diff_new_pack.2yL7CV/_new  2021-03-15 10:53:44.709111380 +0100
@@ -59,7 +59,6 @@
 Source11:   signature-sles.x86_64.asc
 Source12:   signature-opensuse.aarch64.asc
 Source13:   signature-sles.aarch64.asc
-Source14:   linker-version.pl
 Source50:   dbx-cert.tar.xz
 # vendor-dbx.bin is generated by generate-vendor-dbx.sh in dbx-cert.tar.xz
 Source51:   vendor-dbx.bin
@@ -246,14 +245,6 @@
 # alternative: verify signature
 #sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi
 if test -n "$signature"; then
-%ifarch x86_64
-# Modify MajorLinkerVersion and MinorLinkerVersion in the
-   # EFI/PE header to match the one for the SLE signature.
-if test "$suffix" = "sles"; then
-chmod 755 %{SOURCE14}
-%{SOURCE14} shim.efi
-fi
-%endif
head -1 "$signature" > hash1
cp shim.efi shim.efi.bak
# pe header contains timestamp and checksum. we need to



++ shim-bsc1182776-fix-crash-at-exit.patch ++
--- /var/tmp/diff_new_pack.2yL7CV/_old  2021-03-15 10:53:44.805111527 +0100
+++ /var/tmp/diff_new_pack.2yL7CV/_new  2021-03-15 10:53:44.809111532 +0100
@@ -1,7 +1,58 @@
-From 74d26654d55a4f32e58b76757efca50ceedefef4 Mon Sep 17 00:00:00 2001
+From 83b82c611d7d3b864f5f46764645f4eed096 Mon Sep 17 00:00:00 2001
+From: Stuart Hayes 
+Date: Fri, 8 Feb 2019 15:48:20 -0500
+Subject: [PATCH 1/2] Hook exit when shim_lock protocol installed
+
+A recent commit moved where the shim_lock protocol is loaded and
+unloaded, but did not move where exit was hooked and unhooked.  Exit
+needs to be hooked when the protocol is installed, so that the protocol
+will be uninstalled on exit.  Otherwise, the system can crash if, for
+example, shim loads grub, the user exits grub, shim is run again, which
+installs a second instance of the protocol, and then grub tries to use
+the shim_lock protocol that was installed by the first instance of shim.
+
+Signed-off-by: Stuart Hayes 
+Upstream-commit-id: 06c92591e94
+(cherry picked from commit b5e10f70c7a495dc1788e3604803ee633f1e5f76)
+---
+ shim.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/shim.c b/shim.c
+index 6ce30a06..e9ab8f1a 100644
+--- a/shim.c
 b/shim.c
+@@ -2517,9 +2517,9 @@ shim_init(void)
+   loader_is_participating = 0;
+   }
+ 
+-  hook_exit(systab);
+   }
+ 
++  hook_exit(systab);
+   return install_shim_protocols();
+ }
+ 
+@@ -2537,9 +2537,10 @@ shim_fini(void)
+* Remove our hooks from system services.
+*/
+   unhook_system_services();
+-  unhook_exit();
+   }
+ 
++  unhook_exit();
++
+   /*
+* Free the space allocated for the alternative 2nd stage loader
+*/
+-- 
+2.29.2
+
+
+From 13eeece966bf2e5b2d1c1cca0c8b47bbded0f98e Mon Sep 17 00:00:00 2001
 From: Gary Lin 
 Date: Fri, 5 Mar 2021 15:00:29 +0800
-Subject: [PATCH] Restore loaded image of shim at Exit()
+Subject: [PATCH 2/2] Restore loaded image of shim at Exit()
 
 When grub2 invoked Exit() in AArch64 AAVMF, the VM crashed with the
 following messsages:
@@ -24,17 +75,18 @@
 do_exit().
 
 Signed-off-by: Gary Lin 
+(cherry picked from commit 74d26654d55a4f32e58b76757efca50ceedefef4)
 ---
  replacements.c |  2 ++
  shim.c | 41 -
  shim.h |  1 +
  3 files changed, 27 insertions(+), 17 deletions(-)
 
-Index: shim-15+git47/replacements.c
-===
 shim-15+git47.orig/replacements.c
-+++ shim-15+git47/repla

commit shim for openSUSE:Factory

2021-03-09 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2021-03-10 08:50:40

Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and  /work/SRC/openSUSE:Factory/.shim.new.2378 (New)


Package is "shim"

Wed Mar 10 08:50:40 2021 rev:91 rq:877920 version:15+git47

Changes:

--- /work/SRC/openSUSE:Factory/shim/shim.changes2021-01-27 
18:56:54.424310121 +0100
+++ /work/SRC/openSUSE:Factory/.shim.new.2378/shim.changes  2021-03-10 
08:52:02.978566589 +0100
@@ -1,0 +2,6 @@
+Mon Mar  8 03:13:13 UTC 2021 - Gary Ching-Pang Lin 
+
+- Add shim-bsc1182776-fix-crash-at-exit.patch to fix the potential
+  crash at Exit() (bsc#1182776)
+
+---

New:

  shim-bsc1182776-fix-crash-at-exit.patch



Other differences:
--
++ shim.spec ++
--- /var/tmp/diff_new_pack.tVYUQ2/_old  2021-03-10 08:52:03.794567431 +0100
+++ /var/tmp/diff_new_pack.tVYUQ2/_new  2021-03-10 08:52:03.798567435 +0100
@@ -100,6 +100,8 @@
 Patch16:shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch
 # PATCH-FIX-SUSE shim-bsc1177315-fix-buffer-use-after-free.patch bsc#1177315 
g...@suse.com -- Fix buffer use-after-free at the end of the EKU verification
 Patch17:shim-bsc1177315-fix-buffer-use-after-free.patch
+# PATCH-FIX-UPSTREAM shim-bsc1182776-fix-crash-at-exit.patch bsc#1182776 
g...@suse.com -- Fix the potential crash at Exit()
+Patch18:shim-bsc1182776-fix-crash-at-exit.patch
 # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the 
prompt to ask whether the user trusts openSUSE certificate or not
 Patch100:   shim-opensuse-cert-prompt.patch
 BuildRequires:  gnu-efi >= 3.0.3
@@ -163,6 +165,7 @@
 %patch15 -p1
 %patch16 -p1
 %patch17 -p1
+%patch18 -p1
 %endif
 %if 0%{?is_opensuse} == 1
 %patch100 -p1



++ shim-bsc1182776-fix-crash-at-exit.patch ++
>From 74d26654d55a4f32e58b76757efca50ceedefef4 Mon Sep 17 00:00:00 2001
From: Gary Lin 
Date: Fri, 5 Mar 2021 15:00:29 +0800
Subject: [PATCH] Restore loaded image of shim at Exit()

When grub2 invoked Exit() in AArch64 AAVMF, the VM crashed with the
following messsages:

Unloading driver at 0x000B7D7B000

Synchronous Exception at 0xBF5D5E68
AllocatePool: failed to allocate 800 bytes

Synchronous Exception at 0xBF5D5E68

The similar error also showed when I modified MokManager to call
gBS->Exit() at the end of efi_main(). However, if MokManager just
returned, the error never showed. One significant difference is
whether the loaded image was restored or not, and the firmware seems
to need the original ImageBase pointer to do clean-up.

To avoid the potential crash, this commit adds restore_loaded_image() so
that we can restore the loaded image both in start_image() and
do_exit().

Signed-off-by: Gary Lin 
---
 replacements.c |  2 ++
 shim.c | 41 -
 shim.h |  1 +
 3 files changed, 27 insertions(+), 17 deletions(-)

Index: shim-15+git47/replacements.c
===
--- shim-15+git47.orig/replacements.c
+++ shim-15+git47/replacements.c
@@ -159,6 +159,8 @@ do_exit(EFI_HANDLE ImageHandle, EFI_STAT
 
shim_fini();
 
+   restore_loaded_image();
+
efi_status = gBS->Exit(ImageHandle, ExitStatus,
   ExitDataSize, ExitData);
if (EFI_ERROR(efi_status)) {
Index: shim-15+git47/shim.c
===
--- shim-15+git47.orig/shim.c
+++ shim-15+git47/shim.c
@@ -58,6 +58,8 @@
 
 static EFI_SYSTEM_TABLE *systab;
 static EFI_HANDLE global_image_handle;
+static EFI_LOADED_IMAGE *shim_li;
+static EFI_LOADED_IMAGE shim_li_bak;
 
 static CHAR16 *second_stage;
 static void *load_options;
@@ -1861,13 +1863,24 @@ static EFI_STATUS shim_read_header(void
return efi_status;
 }
 
+VOID
+restore_loaded_image(VOID)
+{
+   if (shim_li->FilePath)
+   FreePool(shim_li->FilePath);
+
+   /*
+* Restore our original loaded image values
+*/
+   CopyMem(shim_li, &shim_li_bak, sizeof(shim_li_bak));
+}
+
 /*
  * Load and run an EFI executable
  */
 EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath)
 {
EFI_STATUS efi_status;
-   EFI_LOADED_IMAGE *li, li_bak;
EFI_IMAGE_ENTRY_POINT entry_point;
EFI_PHYSICAL_ADDRESS alloc_address;
UINTN alloc_pages;
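Review bot: restore_loaded_image() dereferences shim_li unconditionally, yet shim_li is a new file-scope static that only start_image() can populate (presumably where the removed local `li` used to be assigned, below this hunk), while the replacements.c hunk above calls it from do_exit(); an Exit() before start_image() has run, or after start_image() has already restored and freed FilePath, would touch a NULL pointer or free the firmware's original FilePath a second time. Make the function idempotent with `if (!shim_li) return;` at the top and `shim_li = NULL;` after the CopyMem, so a second call is a no-op; whether start_image() itself calls restore_loaded_image() before returning is not visible here. start_image() continues outside the hunk.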
@@ -1882,7 +1895,7 @@ EFI_STATUS start_image(EFI_HANDLE image_
 * binary in order to find our path
 */
efi_status = gBS->HandleProtocol(image_handle, &EFI_LOADED_IMAGE_GUID,
-

commit shim for openSUSE:Factory

2021-01-27 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2021-01-27 18:56:50

Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and  /work/SRC/openSUSE:Factory/.shim.new.28504 (New)


Package is "shim"

Wed Jan 27 18:56:50 2021 rev:90 rq:865544 version:15+git47

Changes:

--- /work/SRC/openSUSE:Factory/shim/shim.changes2020-11-05 
21:55:22.516122752 +0100
+++ /work/SRC/openSUSE:Factory/.shim.new.28504/shim.changes 2021-01-27 
18:56:54.424310121 +0100
@@ -1,0 +2,10 @@
+Fri Jan 22 03:29:56 UTC 2021 - Gary Ching-Pang Lin 
+
+- Update the SLE signature
+- Exclude some patches from x86_64 to avoid breaking the signature
+- Add shim-correct-license-in-headers.patch back for x86_64 to
+  match the SLE signature
+- Add linker-version.pl to modify the EFI/PE header to match the
+  SLE signature
+
+---

New:

  linker-version.pl
  shim-correct-license-in-headers.patch



Other differences:
--
++ shim.spec ++
--- /var/tmp/diff_new_pack.uTvaNg/_old  2021-01-27 18:56:56.040312621 +0100
+++ /var/tmp/diff_new_pack.uTvaNg/_new  2021-01-27 18:56:56.040312621 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package shim
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -59,6 +59,7 @@
 Source11:   signature-sles.x86_64.asc
 Source12:   signature-opensuse.aarch64.asc
 Source13:   signature-sles.aarch64.asc
+Source14:   linker-version.pl
 Source50:   dbx-cert.tar.xz
 # vendor-dbx.bin is generated by generate-vendor-dbx.sh in dbx-cert.tar.xz
 Source51:   vendor-dbx.bin
@@ -73,6 +74,8 @@
 Patch4: shim-always-mirror-mok-variables.patch
 # PATCH-FIX-UPSTREAM shim-bsc1174512-correct-license-in-headers.patch 
g...@suse.com -- Fix the license header in errlog.c and mok.c
 Patch5: shim-bsc1174512-correct-license-in-headers.patch
+# PATCH-FIX-SUSE shim-correct-license-in-headers.patch g...@suse.com -- 
Another fix for the license header in errlog.c and mok.c
+Patch51:shim-correct-license-in-headers.patch
 # PATCH-FIX-UPSTREAM gcc9-fix-warnings.patch mli...@suse.cz -- MokManager: Use 
CompareMem on MokListNode.Type instead of CompareGuid 
 Patch6: gcc9-fix-warnings.patch
 # PATCH-FIX-OPENSUSE shim-fix-gnu-efi-3.0.11.patch g...@suse.com -- Fix the 
build error caused by the typo fix in gnu-efi 3.0.11
@@ -142,10 +145,15 @@
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%ifarch x86_64
+%patch51 -p1
+%else
 %patch5 -p1
+%endif
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%ifarch aarch64
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
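Review bot: The new `%ifarch aarch64` guard (closed by the `%endif` added in the next hunk) drops `%patch9` through `%patch17` from the x86_64 build to keep the Microsoft-signed SLE binary reproducible, and two of those are named elsewhere on this page as security fixes (shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch as Patch16 and shim-bsc1177315-fix-buffer-use-after-free.patch as Patch17), yet nothing in the hunk records that x86_64 is knowingly shipped without them. Add a comment above the guard, e.g. `# Patches 9-17 are skipped on x86_64: the signed SLE shim was built without them and applying them breaks the signature check below; drop this guard once a re-signed binary is available`, so the omission is visibly deliberate at the next rebase. The %prep section continues outside the hunk.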
@@ -155,6 +163,7 @@
 %patch15 -p1
 %patch16 -p1
 %patch17 -p1
+%endif
 %if 0%{?is_opensuse} == 1
 %patch100 -p1
 %endif
@@ -234,6 +243,14 @@
 # alternative: verify signature
 #sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi
 if test -n "$signature"; then
+%ifarch x86_64
+# Modify MajorLinkerVersion and MinorLinkerVersion in the
+   # EFI/PE header to match the one for the SLE signature.
+if test "$suffix" = "sles"; then
+chmod 755 %{SOURCE14}
+%{SOURCE14} shim.efi
+fi
+%endif
head -1 "$signature" > hash1
cp shim.efi shim.efi.bak
# pe header contains timestamp and checksum. we need to
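Review bot: `chmod 755 %{SOURCE14}` followed by executing the source file changes a packaging source's mode merely to run it; `perl %{SOURCE14} shim.efi` does the same job without the chmod (the interpreter is implied by the script's shebang, assuming perl is among the BuildRequires, which are outside this hunk). The script rewrites two bytes at a fixed PE header offset with no check that the image has that layout, and the hunk runs it before `head -1 "$signature" > hash1`, so a wrong edit surfaces only as a hash mismatch later; a comment such as `# linker-version.pl assumes the objcopy layout (e_lfanew 0x80); a mismatch shows up as a hash mismatch below` would at least tell the next maintainer where to look. The `if test -n "$signature"` block continues outside the hunk.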


++ linker-version.pl ++
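#!/usr/bin/perl -w
#
# Modify the linker version in the EFI/PE header
#
# NOTE: only use this script when the signature doesn't match after
#   a binutils upgrade
#
# Why: the detached Authenticode signature covers the PE headers, so a
# shim.efi rebuilt with a newer binutils must carry the same
# MajorLinkerVersion/MinorLinkerVersion bytes as the binary that was
# signed, or the signature will not re-attach.  Only those two bytes are
# rewritten here.
#

use strict;
use warnings;

# The target version of binutils: 2.32
my $major_linker_version = 2;
my $minor_linker_version = 32;

# PE/COFF layout used below:
#   0x00   "MZ" DOS magic
#   0x3c   e_lfanew, 4-byte little-endian offset of the "PE\0\0" signature
#   e_lfanew + 4 (signature) + 20 (COFF file header) = optional header,
#   whose bytes +2 and +3 are MajorLinkerVersion and MinorLinkerVersion.
# Images produced by objcopy have e_lfanew = 0x80, which yields the
# historical fixed offsets 0x9a/0x9b; the offset is now computed instead
# of assumed, and the file is refused if it is not a PE image at all.
my $E_LFANEW_AT = 0x3c;
my $PE_SIG_SIZE = 4;
my $COFF_HDR_SIZE = 20;
my $LINKER_VER_IN_OPT_HDR = 2;

# Read exactly $len bytes at $offset from $fh; dies (naming $file) on a
# seek/read failure or a short read so a truncated image is never patched.
sub _read_exact {
    my ($fh, $file, $offset, $len) = @_;
    seek($fh, $offset, 0) or die "seek $file: $!\n";
    my $buf = '';
    my $got = read($fh, $buf, $len);
    die "read $file: $!\n" unless defined $got;
    die sprintf("%s: short read at offset 0x%x (wanted %d, got %d)\n",
                $file, $offset, $len, $got)
        unless $got == $len;
    return $buf;
}

# set_linker_version($file [, $major, $minor])
#
# Patch MajorLinkerVersion/MinorLinkerVersion of the PE image $file in
# place; $major/$minor default to the binutils 2.32 values above.
# The image is validated first (MZ magic, "PE\0\0" at e_lfanew), so a
# file that is not a PE image is rejected instead of having two arbitrary
# bytes overwritten.  Returns the file offset of MajorLinkerVersion.
# Dies on any validation or I/O error.
sub set_linker_version {
    my ($file, $major, $minor) = @_;
    $major = $major_linker_version unless defined $major;
    $minor = $minor_linker_version unless defined $minor;
    die "usage: $0 FILE\n" unless defined $file;

    open(my $fh, '+<', $file) or die "$file: $!\n";
    binmode($fh);

    die "$file: not a PE image (no MZ magic)\n"
        unless _read_exact($fh, $file, 0, 2) eq 'MZ';
    my $e_lfanew = unpack('V', _read_exact($fh, $file, $E_LFANEW_AT, 4));
    die sprintf("%s: not a PE image (no PE signature at 0x%x)\n",
                $file, $e_lfanew)
        unless _read_exact($fh, $file, $e_lfanew, $PE_SIG_SIZE) eq "PE\0\0";

    my $offset = $e_lfanew + $PE_SIG_SIZE + $COFF_HDR_SIZE
               + $LINKER_VER_IN_OPT_HDR;
    # Major and Minor are adjacent bytes, so one seek+write covers both.
    seek($fh, $offset, 0) or die "seek $file: $!\n";
    print {$fh} pack('CC', $major, $minor) or die "write $file: $!\n";
    # Buffered write errors only surface at close, so it must be checked.
    close($fh) or die "close $file: $!\n";
    return $offset;
}

# Command-line use: `linker-version.pl shim.efi`.  Skipped when the file
# is loaded via do/require so the function above can be exercised directly.
set_linker_version($ARGV[0]) unless caller;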

++ shim-correct-license-in-headers.patch ++
>From 64492acf8b1d72cea0c3e203887bfe26fb840f1d Mon Sep 17 00:00:00 2001
From: Gary Lin 
Date: Thu, 13 Dec 2018 17:19:36 +0800
Subject: [PATCH] Add the license change statement for errlog.c and mok.c

---
 errlog.c | 6 ++
 mok.c| 6 ++
 2 files changed, 12 insertions(+)

diff --git a/errlog.c b/errlog.c
index 18be482..4a1fffb 100644
--- a/errlog.c
+++ b/errlog.c
@@ -3,6 +3,12 @@
  * Copyright 2017 Peter Jones 
  *
  * Distributed under terms of the GPLv3 l