Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2013-02-07 14:54:45 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim", Maintainer is "[email protected]" Changes: -------- --- /work/SRC/openSUSE:Factory/shim/shim.changes 2013-01-30 11:19:51.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2013-02-07 14:54:47.000000000 +0100 @@ -1,0 +2,13 @@ +Thu Feb 7 06:56:19 UTC 2013 - [email protected] + +- Sign shim-opensuse.efi and MokManager.efi with the openSUSE cert +- Add shim-keep-unsigned-mokmanager.patch to keep the unsigned + MokManager and sign it later. + +------------------------------------------------------------------- +Wed Feb 6 06:35:45 UTC 2013 - [email protected] + +- Add shim-install utility +- Add Recommends to grub2-efi + +------------------------------------------------------------------- New: ---- shim-install shim-keep-unsigned-mokmanager.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shim.spec ++++++ --- /var/tmp/diff_new_pack.2qSTep/_old 2013-02-07 14:54:48.000000000 +0100 +++ /var/tmp/diff_new_pack.2qSTep/_new 2013-02-07 14:54:48.000000000 +0100 @@ -16,6 +16,8 @@ # +# needssslcertforbuild + Name: shim Version: 0.2 Release: 0 @@ -25,6 +27,7 @@ Url: https://github.com/mjg59/shim Source: %{name}-%{version}.tar.bz2 Source2: openSUSE-UEFI-CA-Certificate.crt +Source3: shim-install # PATCH-FIX-SUSE shim-suse-build.patch [email protected] -- Adjust Makefile for the build service Patch0: shim-suse-build.patch # PATCH-FIX-UPSTREAM shim-local-key-sign-mokmanager.patch [email protected] -- Sign MokManager.efi with the local generated certificate @@ -43,11 +46,15 @@ Patch8: shim-mokmanager-new-pw-hash.patch # PATCH-FIX-UPSTREAM shim-mokmanager-support-crypt-hash-method.patch [email protected] -- Support the password hashes from /etc/shadow Patch9: shim-mokmanager-support-crypt-hash-method.patch +# PATCH-FIX-OPENSUSE shim-keep-unsigned-mokmanager.patch [email protected] -- Keep MokManager.efi and sign it with the openSUSE key later +Patch10: shim-keep-unsigned-mokmanager.patch BuildRequires: gnu-efi >= 3.0q BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 BuildRequires: pesign +BuildRequires: pesign-obs-integration BuildRoot: %{_tmppath}/%{name}-%{version}-build +Recommends: grub2-efi ExclusiveArch: x86_64 %description @@ -71,6 +78,7 @@ %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 %build chmod +x "make-certs" @@ -81,9 +89,12 @@ mv shim.efi shim-opensuse.efi %install +export BRP_PESIGN_FILES='%{_libdir}/efi/shim-opensuse.efi %{_libdir}/efi/MokManager.efi' install -d %{buildroot}/%{_libdir}/efi install -m 444 shim-opensuse.efi %{buildroot}/%{_libdir}/efi -install -m 444 MokManager.efi.signed %{buildroot}/%{_libdir}/efi/MokManager.efi +install -m 444 MokManager.efi %{buildroot}/%{_libdir}/efi/MokManager.efi +install -d %{buildroot}/%{_sbindir} +install -m 755 %{SOURCE3} %{buildroot}/%{_sbindir}/ %clean %{?buildroot:%__rm -rf "%{buildroot}"} @@ -94,5 +105,6 @@ %dir %{_libdir}/efi %{_libdir}/efi/shim-opensuse.efi %{_libdir}/efi/MokManager.efi +%{_sbindir}/shim-install %changelog ++++++ shim-install ++++++ #! /bin/bash -e rootdir= bootdir= efidir= install_device= removable=no clean=no sysconfdir="/etc" libdir="/usr/lib64" source_dir="$libdir/efi" grub_probe="`which grub2-probe`" self="`basename $0`" grub_cfg="/boot/grub2/grub.cfg" # Get GRUB_DISTRIBUTOR. if test -f "${sysconfdir}/default/grub" ; then . "${sysconfdir}/default/grub" fi bootloader_id="$(echo "$GRUB_DISTRIBUTOR" | tr 'A-Z' 'a-z' | cut -d' ' -f1)" if test -z "$bootloader_id"; then bootloader_id=grub fi efi_distributor="$bootloader_id" bootloader_id="${bootloader_id}-secureboot" usage () { echo "Usage: $self [OPTION] [INSTALL_DEVICE]" echo echo "Install Secure Boot Loaders on your drive.\n" echo echo "--directory=DIR use images from DIR.\n" echo "--grub-probe=FILE use FILE as grub-probe.\n" echo "--removable the installation device is removable.\n" echo "--bootloader-id=ID the ID of bootloader.\n" echo "--efi-directory=DIR use DIR as the EFI System Partition root.\n" echo "--config-file=FILE use FILE as config file, default is $grub_cfg.\n" echo "--clean remove all installed files and configs.\n" echo echo "INSTALL_DEVICE must be system device filename.\n" } argument () { opt="$1" shift if test $# -eq 0; then echo "$0: option requires an argument -- \`$opt'" 1>&2 exit 1 fi echo "$1" } # Check the arguments. while test $# -gt 0 do option=$1 shift case "$option" in -h | --help) usage exit 0 ;; --root-directory) rootdir="`argument $option "$@"`"; shift;; --root-directory=*) rootdir="`echo "$option" | sed 's/--root-directory=//'`" ;; --efi-directory) efidir="`argument $option "$@"`"; shift;; --efi-directory=*) efidir="`echo "$option" | sed 's/--efi-directory=//'`" ;; --directory | -d) source_dir="`argument $option "$@"`"; shift;; --directory=*) source_dir="`echo "$option" | sed 's/--directory=//'`" ;; --bootloader-id) bootloader_id="`argument $option "$@"`"; shift;; --bootloader-id=*) bootloader_id="`echo "$option" | sed 's/--bootloader-id=//'`" ;; --grub-probe) grub_probe="`argument "$option" "$@"`"; shift;; --grub-probe=*) grub_probe="`echo "$option" | sed 's/--grub-probe=//'`" ;; --config-file) grub_cfg="`argument "$option" "$@"`"; shift;; --config-file=*) grub_cfg="`echo "$option" | sed 's/--config-file=//'`" ;; --removable) removable=yes ;; --clean) clean=yes ;; -*) echo "Unrecognized option \`$option'" 1>&2 usage exit 1 ;; *) if test "x$install_device" != x; then echo "More than one install device?" 1>&2 usage exit 1 fi install_device="${option}" ;; esac done if test -n "$efidir"; then efi_fs=`"$grub_probe" --target=fs "${efidir}"` if test "x$efi_fs" = xfat; then :; else echo "$efidir doesn't look like an EFI partition." 1>&2 efidir= fi fi if [ -z "$bootdir" ]; then bootdir="/boot" if [ -n "$rootdir" ] ; then # Initialize bootdir if rootdir was initialized. bootdir="${rootdir}/boot" fi fi # Find the EFI System Partition. if test -n "$efidir"; then install_device="`"$grub_probe" --target=device --device-map= "${efidir}"`" else if test -d "${bootdir}/efi"; then install_device="`"$grub_probe" --target=device --device-map= "${bootdir}/efi"`" # Is it a mount point? if test "x$install_device" != "x`"$grub_probe" --target=device --device-map= "${bootdir}"`"; then efidir="${bootdir}/efi" fi elif test -d "${bootdir}/EFI"; then install_device="`"$grub_probe" --target=device --device-map= "${bootdir}/EFI"`" # Is it a mount point? if test "x$install_device" != "x`"$grub_probe" --target=device --device-map= "${bootdir}"`"; then efidir="${bootdir}/EFI" fi elif test -n "$rootdir" && test "x$rootdir" != "x/"; then # The EFI System Partition may have been given directly using # --root-directory. install_device="`"$grub_probe" --target=device --device-map= "${rootdir}"`" # Is it a mount point? if test "x$install_device" != "x`"$grub_probe" --target=device --device-map= "${rootdir}/.."`"; then efidir="${rootdir}" fi fi if test -n "$efidir"; then efi_fs=`"$grub_probe" --target=fs "${efidir}"` if test "x$efi_fs" = xfat; then :; else echo "$efidir doesn't look like an EFI partition." 1>&2 efidir= fi fi fi if test -n "$efidir"; then efi_file=shim.efi efidir="$efidir/EFI/$efi_distributor" mkdir -p "$efidir" || exit 1 else exit 1; fi if test "$clean" = "yes"; then rm -f "${efidir}/shim.efi" rm -f "${efidir}/MokManager.efi" rm -f "${efidir}/grub.efi" rm -f "${efidir}/grub.cfg" efibootmgr="`which efibootmgr`" if test "$removable" = no && test -n "$bootloader_id" && test -n "$efibootmgr"; then # Delete old entries from the same distributor. for bootnum in `efibootmgr | grep '^Boot[0-9]' | \ fgrep -i " $bootloader_id" | cut -b5-8`; do efibootmgr -b "$bootnum" -B done fi exit 0 fi cp "${source_dir}/shim.efi" "${efidir}" cp "${source_dir}/MokManager.efi" "${efidir}" cp "${source_dir}/grub.efi" "${efidir}" grub_cfg_dirname=`dirname $grub_cfg` grub_cfg_basename=`basename $grub_cfg` cfg_fs_uuid=`"$grub_probe" --target=fs_uuid "$grub_cfg_dirname"` (cat << EOF search --fs-uuid --set=root ${cfg_fs_uuid} set prefix=(\${root})${grub_cfg_dirname} EOF echo "configfile \$prefix/${grub_cfg_basename}") \ > "${efidir}/grub.cfg" efibootmgr="`which efibootmgr`" if test "$removable" = no && test -n "$bootloader_id" && test -n "$efibootmgr"; then modprobe -q efivars 2>/dev/null || true # Delete old entries from the same distributor. for bootnum in `efibootmgr | grep '^Boot[0-9]' | \ fgrep -i " $bootloader_id" | cut -b5-8`; do efibootmgr -b "$bootnum" -B done efidir_drive="$("$grub_probe" --target=drive --device-map= "$efidir")" efidir_disk="$("$grub_probe" --target=disk --device-map= "$efidir")" if test -z "$efidir_drive" || test -z "$efidir_disk"; then echo "Can't find GRUB drive for $efidir; unable to create EFI Boot Manager entry." >&2 else efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')" efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \ -L "$bootloader_id" -l "\\EFI\\$efi_distributor\\$efi_file" fi fi ++++++ shim-keep-unsigned-mokmanager.patch ++++++ diff --git a/Makefile b/Makefile index 9217ba1..cd1c688 100644 --- a/Makefile +++ b/Makefile @@ -28,7 +28,7 @@ LDFLAGS = -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH VERSION = 0.2 -TARGET = shim.efi MokManager.efi.signed +TARGET = shim.efi MokManager.efi.signed MokManager.efi OBJS = shim.o netboot.o cert.o dbx.o KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key SOURCES = shim.c shim.h netboot.c signature.h PeImage.h -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
