commit shim for openSUSE:12.3

Fri, 01 Mar 2013 01:55:16 -0800 

Hello community,

here is the log from the commit of package shim for openSUSE:12.3 checked in at 
2013-03-01 10:55:11
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3/shim (Old)
 and      /work/SRC/openSUSE:12.3/.shim.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "shim", Maintainer is "[email protected]"

Changes:
--------
--- /work/SRC/openSUSE:12.3/shim/shim.changes   2013-02-11 14:55:01.000000000 
+0100
+++ /work/SRC/openSUSE:12.3/.shim.new/shim.changes      2013-03-01 
10:55:12.000000000 +0100
@@ -1,0 +2,17 @@
+Thu Feb 28 08:57:48 UTC 2013 - [email protected]
+
+- sign shim also with openSUSE certificate
+
+-------------------------------------------------------------------
+Wed Feb 27 15:52:53 CET 2013 - [email protected]
+
+- identify project, export certificate as DER file
+- don't create an unused extra keypair
+
+-------------------------------------------------------------------
+Thu Feb 21 10:08:12 UTC 2013 - [email protected]
+
+- Add shim-bnc804631-fix-broken-bootpath.patch to fix the broken
+  bootpath generated in generate_path(). (bnc#804631)
+
+-------------------------------------------------------------------

New:
----
  SLES-UEFI-CA-Certificate.crt
  shim-bnc804631-fix-broken-bootpath.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ shim.spec ++++++
--- /var/tmp/diff_new_pack.cSzEcs/_old  2013-03-01 10:55:12.000000000 +0100
+++ /var/tmp/diff_new_pack.cSzEcs/_new  2013-03-01 10:55:12.000000000 +0100
@@ -32,6 +32,7 @@
 Source1:        shim-signed.efi
 Source2:        openSUSE-UEFI-CA-Certificate.crt
 Source3:        shim-install
+Source4:        SLES-UEFI-CA-Certificate.crt
 # PATCH-FIX-SUSE shim-suse-build.patch [email protected] -- Adjust Makefile for 
the build service
 Patch0:         shim-suse-build.patch
 # PATCH-FIX-UPSTREAM shim-local-key-sign-mokmanager.patch [email protected] -- 
Sign MokManager.efi with the local generated certificate
@@ -52,6 +53,8 @@
 Patch9:         shim-mokmanager-support-crypt-hash-method.patch
 # PATCH-FIX-OPENSUSE shim-keep-unsigned-mokmanager.patch [email protected] -- Keep 
MokManager.efi and sign it with the openSUSE key later
 Patch10:        shim-keep-unsigned-mokmanager.patch
+# PATCH-FIX-UPSTREAM shim-bnc804631-fix-broken-bootpath.patch bnc#804631 
[email protected] -- Fix the broken bootpath generated in generate_path()
+Patch11:        shim-bnc804631-fix-broken-bootpath.patch
 BuildRequires:  gnu-efi >= 3.0q
 BuildRequires:  mozilla-nss-tools
 BuildRequires:  openssl >= 0.9.8
@@ -83,19 +86,50 @@
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1
 
 %build
 chmod +x "make-certs"
-openssl x509 -in %{S:2} -outform DER -out openSUSE-UEFI-CA-Certificate.der
+
+if test -e %{_sourcedir}/_projectcert.crt ; then
+    prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout 
-subject_hash)
+    prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout 
-issuer_hash)
+    opensusesubject=$(openssl x509 -in %{SOURCE2} -noout -subject_hash)
+    slessubject=$(openssl x509 -in %{SOURCE4} -noout -subject_hash)
+    if test "$prjissuer" = "$opensusesubject" ; then
+        suffix=opensuse
+        cert=%{SOURCE2}
+    fi
+    if test "$prjissuer" = "$slessubject" ; then
+        suffix=sles
+        cert=%{SOURCE4}
+    fi
+    if test "$prjsubject" = "$prjissuer" ; then
+        suffix=local
+        cert=%{_sourcedir}/_projectcert.crt
+    fi
+fi
+if test -z "$suffix" ; then
+    echo "cannot identify project, assuming openSUSE signing"
+    suffix=opensuse
+    cert=%{SOURCE2}
+fi
+
+openssl x509 -in $cert -outform DER -out shim-$suffix.der
+# create empty local cert file, we don't need a local key pair as we
+# sign the mokmanager with our vendor key
+touch shim.crt
+touch shim.cer
 # make sure cast warnings don't trigger post build check
-make VENDOR_CERT_FILE=openSUSE-UEFI-CA-Certificate.der 2>/dev/null
+make VENDOR_CERT_FILE=shim-$suffix.der shim.efi MokManager.efi 2>/dev/null
 # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
-mv shim.efi shim-opensuse.efi
+mv shim.efi shim-$suffix.efi
 
 %install
-export BRP_PESIGN_FILES='%{_libdir}/efi/shim-opensuse.efi 
%{_libdir}/efi/MokManager.efi'
+export BRP_PESIGN_FILES='%{_libdir}/efi/shim*.efi 
%{_libdir}/efi/MokManager.efi'
 install -d %{buildroot}/%{_libdir}/efi
-install -m 444 shim-opensuse.efi %{buildroot}/%{_libdir}/efi
+install -m 444 shim-*.efi %{buildroot}/%{_libdir}/efi
+install -m 444 shim-*.der %{buildroot}/%{_libdir}/efi
 # FIXME: install signed shim here
 install -m 444 %{SOURCE1} %{buildroot}/%{_libdir}/efi/shim.efi
 install -m 444 MokManager.efi %{buildroot}/%{_libdir}/efi/MokManager.efi
@@ -110,7 +144,8 @@
 %doc COPYRIGHT
 %dir %{_libdir}/efi
 %{_libdir}/efi/shim.efi
-%{_libdir}/efi/shim-opensuse.efi
+%{_libdir}/efi/shim-*.efi
+%{_libdir}/efi/shim-*.der
 %{_libdir}/efi/MokManager.efi
 %{_sbindir}/shim-install
 

++++++ SLES-UEFI-CA-Certificate.crt ++++++
-----BEGIN CERTIFICATE-----
MIIG5TCCBM2gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT
RSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTES
MBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3Rz
IEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxk
QHN1c2UuZGUwHhcNMTMwMTIyMTQyMDA4WhcNMzQxMjE4MTQyMDA4WjCBpjEtMCsG
A1UEAwwkU1VTRSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYD
VQQGEwJERTESMBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4
IFByb2R1Y3RzIEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0B
CQEWDWJ1aWxkQHN1c2UuZGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
AQCrLYL1Uq02iIgro6x6PFESFDtUKU7xO/bJanI7+AQAroowFuLBI67BBSmoq3hR
QnH3OtQusGV8y+wvjaaunppvWMfjViZ88zssj5fKXrDr5U6BB566DJgHreWaEs2d
FD13XpKRr3Nk9zdjAJu5YsR7hI1NMXsnj1X8w71OY9HLjv+Kq9917PJwZQjOGnAJ
BQTi0ogHuLiwDqMKgg5rrYD4cJDPzoLEmEXnwHDIOSiWdD0bCzhN6GQDKldIxQ2O
d/mjUgzB+dWslIb+bUKaoJgDtyPV20W74t7Y2uwoaEVr9QkPoM3tOPttf4qsWo8B
J1TgeoF01ZeKcvSyvOXCKbfAN9sqURK2ZUTNThqZ//VPQmJP6fByrMJsbvTOSsQt
HI+fFPrg1DC2KT8SzuGtWDRscHZ7MofvUKEQolVgkGwp8u68t/RAAwDpUdqIajzi
yfp9qSDD+9uMeyiLa4rrAr2ATGohNBa0qha95slgvSepXbYKuHG5b4fWMsG7z4Uc
dqE2vK8cQma1nsAeQBaq2/89294TOHEzKyspesfCBCnKQ3q+l9xelYRdvapj1CH/
cfUZf2/6X3VHN1P88RfRrPubswmrcOCEBT41upa2WKRDJ1GS6YhL6LJnrZSTjfe+
KsfNVS1D+KqSKiK0hfk6YK6O88mMGeAKQs3Ap8WthBLf0QIDAQABo4IBGjCCARYw
DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUPU1Az5OFOQJLHPxaEt7f6LF+dV8w
gdMGA1UdIwSByzCByIAUPU1Az5OFOQJLHPxaEt7f6LF+dV+hgaykgakwgaYxLTAr
BgNVBAMMJFNVU0UgTGludXggRW50ZXJwcmlzZSBTZWN1cmUgQm9vdCBDQTELMAkG
A1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UECgwYU1VTRSBMaW51
eCBQcm9kdWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFtMRwwGgYJKoZIhvcN
AQkBFg1idWlsZEBzdXNlLmRlggEBMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0B
AQsFAAOCAgEANtdMT47CjQtuERYa5jfygIO5F+urB4fl8pYcQQ/hTPE0KtAnAtrS
1strtMrVQ1t7Wu3fVbWYA6MZMXXkcwyyNbaWfj6roaSC6G5ZqCJ69oSyzaCbyaTI
eOgzIIiVGOAj7tiM6T88Xp9qx4Xa3F6UQHF6xfwBT3nNKerGKOG01p7mBfBewwO5
Hxp7OAZmennUxV1uuT5/AsArxw9lMlawXhIAS7tRYHW+32D4tjHPDycldOw1hBjt
z5JdehBiTmxhJ6onl0HSpsX84IMSbkeFIxLfxIF0TNas1pGnSGmh8FcV+ck9js3P
yamJcNkgCstIwo3QZ2D5YdtQjOusyEuGjCIpDIQx36OMzeOo0SayOdzb2dSmcrHv
4DIkXDUELyIzu79A2R2KR7OQaGL6HGAVy6+yXHHygTbbUrb6ck2+aOG8913ChABc
ZAiSFFRKVZzzj7FeIxZNA8GBUbhd20eQB2fUXDypeAnTG6P3dtTs84xNb1qGm3VC
OAKjkWYQijLWmAOs9Q4NM/AXOeDTgXxA7iX7kWHRNeDbACirp7zM2ZOIP5ObIS6z
yMqcG9DecSVbXiH3MJDTBoB1idQTTyreqpM/l6N8xNNVjEiLJGMEM1SeYq6S1lFV
a+GcdOaLYkh7ya3I42l/tDOqH2OLIf7FEtocnc1xU6jTz8au1tZxec8=
-----END CERTIFICATE-----
++++++ shim-bnc804631-fix-broken-bootpath.patch ++++++
>From 6b70850baa958b196ec332cf0224ffa9d5a81f5f Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <[email protected]>
Date: Thu, 21 Feb 2013 17:49:29 +0800
Subject: [PATCH] Fix the broken bootpath

- The file path from DevicePathToStr may use slash as the file
  seperator. Change all slashes to backslashes to avoid the strange
  bootpath.
- Remove the redundant backslashes.
- ImagePath no longer requires the leading backslash.
- Fix a memory leak

Based on the patch from Michal Marek <[email protected]>
---
 shim.c |   22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/shim.c b/shim.c
index 37a5898..690d064 100644
--- a/shim.c
+++ b/shim.c
@@ -919,15 +919,25 @@ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, 
CHAR16 *ImagePath,
 
        pathlen = StrLen(bootpath);
 
+       /*
+        * DevicePathToStr() concatenates two nodes with '/'.
+        * Convert '/' to '\\'.
+        */
+       for (i = 0; i < pathlen; i++) {
+               if (bootpath[i] == '/')
+                       bootpath[i] = '\\';
+       }
        for (i=pathlen; i>0; i--) {
-               if (bootpath[i] == '\\')
+               if (bootpath[i] == '\\' && bootpath[i-1] != '\\')
                        break;
        }
+       if (bootpath[i] == '\\')
+               bootpath[i+1] = '\0';
+       else
+               bootpath[0] = '\0';
 
-       bootpath[i+1] = '\0';
-
-       if (i == 0 || bootpath[i-i] == '\\')
-               bootpath[i] = '\0';
+       while (*ImagePath == '\\')
+               ImagePath++;
 
        *PathName = AllocatePool(StrSize(bootpath) + StrSize(ImagePath));
 
@@ -944,6 +954,8 @@ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, 
CHAR16 *ImagePath,
        *grubpath = FileDevicePath(device, *PathName);
 
 error:
+       FreePool(bootpath);
+
        return efi_status;
 }
 
-- 
1.7.10.4


-- 
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to