Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2021-03-15 10:53:37 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.2401 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim" Mon Mar 15 10:53:37 2021 rev:92 rq:878251 version:15+git47 Changes: -------- --- /work/SRC/openSUSE:Factory/shim/shim.changes 2021-03-10 08:52:02.978566589 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new.2401/shim.changes 2021-03-15 10:53:43.801109986 +0100 @@ -1,0 +2,8 @@ +Thu Mar 11 03:15:03 UTC 2021 - Gary Ching-Pang Lin <g...@suse.com> + +- Refresh shim-bsc1182776-fix-crash-at-exit.patch to do the cleanup + also when Secure Boot is disabled (bsc#1183213, bsc#1182776) +- Merged linker-version.pl into timestamp.pl and add the linker + version to signature files accordingly + +------------------------------------------------------------------- Old: ---- linker-version.pl ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shim.spec ++++++ --- /var/tmp/diff_new_pack.2yL7CV/_old 2021-03-15 10:53:44.709111380 +0100 +++ /var/tmp/diff_new_pack.2yL7CV/_new 2021-03-15 10:53:44.709111380 +0100 @@ -59,7 +59,6 @@ Source11: signature-sles.x86_64.asc Source12: signature-opensuse.aarch64.asc Source13: signature-sles.aarch64.asc -Source14: linker-version.pl Source50: dbx-cert.tar.xz # vendor-dbx.bin is generated by generate-vendor-dbx.sh in dbx-cert.tar.xz Source51: vendor-dbx.bin @@ -246,14 +245,6 @@ # alternative: verify signature #sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi if test -n "$signature"; then -%ifarch x86_64 - # Modify MajorLinkerVersion and MinorLinkerVersion in the - # EFI/PE header to match the one for the SLE signature. - if test "$suffix" = "sles"; then - chmod 755 %{SOURCE14} - %{SOURCE14} shim.efi - fi -%endif head -1 "$signature" > hash1 cp shim.efi shim.efi.bak # pe header contains timestamp and checksum. we need to ++++++ shim-bsc1182776-fix-crash-at-exit.patch ++++++ --- /var/tmp/diff_new_pack.2yL7CV/_old 2021-03-15 10:53:44.805111527 +0100 +++ /var/tmp/diff_new_pack.2yL7CV/_new 2021-03-15 10:53:44.809111532 +0100 
@@ -1,7 +1,58 @@ -From 74d26654d55a4f32e58b76757efca50ceedefef4 Mon Sep 17 00:00:00 2001 +From 999983b82c611d7d3b864f5f46764645f4eed096 Mon Sep 17 00:00:00 2001 +From: Stuart Hayes <stuart.w.ha...@gmail.com> +Date: Fri, 8 Feb 2019 15:48:20 -0500 +Subject: [PATCH 1/2] Hook exit when shim_lock protocol installed + +A recent commit moved where the shim_lock protocol is loaded and +unloaded, but did not move where exit was hooked and unhooked. Exit +needs to be hooked when the protocol is installed, so that the protocol +will be uninstalled on exit. Otherwise, the system can crash if, for +example, shim loads grub, the user exits grub, shim is run again, which +installs a second instance of the protocol, and then grub tries to use +the shim_lock protocol that was installed by the first instance of shim. + +Signed-off-by: Stuart Hayes <stuart.w.ha...@gmail.com> +Upstream-commit-id: 06c92591e94 +(cherry picked from commit b5e10f70c7a495dc1788e3604803ee633f1e5f76) +--- + shim.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/shim.c b/shim.c +index 6ce30a06..e9ab8f1a 100644 +--- a/shim.c ++++ b/shim.c +@@ -2517,9 +2517,9 @@ shim_init(void) + loader_is_participating = 0; + } + +- hook_exit(systab); + } + ++ hook_exit(systab); + return install_shim_protocols(); + } + +@@ -2537,9 +2537,10 @@ shim_fini(void) + * Remove our hooks from system services. + */ + unhook_system_services(); +- unhook_exit(); + } + ++ unhook_exit(); ++ + /* + * Free the space allocated for the alternative 2nd stage loader + */ +-- +2.29.2 + + +From 13eeece966bf2e5b2d1c1cca0c8b47bbded0f98e Mon Sep 17 00:00:00 2001 From: Gary Lin <g...@suse.com> Date: Fri, 5 Mar 2021 15:00:29 +0800 -Subject: [PATCH] Restore loaded image of shim at Exit() +Subject: [PATCH 2/2] Restore loaded image of shim at Exit() When grub2 invoked Exit() in AArch64 AAVMF, the VM crashed with the following messsages: @@ -24,17 +75,18 @@ do_exit(). 
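Review bot: The relocated `hook_exit(systab);` in shim_init and `unhook_exit();` in shim_fini have no comment explaining why they now sit outside the enclosing block while the other hooks stay inside it; that block's condition is not visible in these hunks. A line above each, such as `/* Exit is hooked whenever the shim_lock protocol is installed, so the protocol is uninstalled on exit even when Secure Boot is disabled. */`, would keep a later cleanup from moving them back. From the visible lines it also looks as if a failing `install_shim_protocols()` returns with the Exit hook still installed, so it is worth confirming that the caller runs shim_fini on that path. Both function bodies start and end outside the hunks shown.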
Signed-off-by: Gary Lin <g...@suse.com> +(cherry picked from commit 74d26654d55a4f32e58b76757efca50ceedefef4) --- replacements.c | 2 ++ shim.c | 41 ++++++++++++++++++++++++----------------- shim.h | 1 + 3 files changed, 27 insertions(+), 17 deletions(-) -Index: shim-15+git47/replacements.c -=================================================================== ---- shim-15+git47.orig/replacements.c -+++ shim-15+git47/replacements.c -@@ -159,6 +159,8 @@ do_exit(EFI_HANDLE ImageHandle, EFI_STAT +diff --git a/replacements.c b/replacements.c +index 944c779d..1d06b0cf 100644 +--- a/replacements.c ++++ b/replacements.c +@@ -159,6 +159,8 @@ do_exit(EFI_HANDLE ImageHandle, EFI_STATUS ExitStatus, shim_fini(); @@ -43,11 +95,11 @@ efi_status = gBS->Exit(ImageHandle, ExitStatus, ExitDataSize, ExitData); if (EFI_ERROR(efi_status)) { -Index: shim-15+git47/shim.c -=================================================================== ---- shim-15+git47.orig/shim.c -+++ shim-15+git47/shim.c -@@ -58,6 +58,8 @@ +diff --git a/shim.c b/shim.c +index e9ab8f1a..b5882768 100644 +--- a/shim.c ++++ b/shim.c +@@ -62,6 +62,8 @@ static EFI_SYSTEM_TABLE *systab; static EFI_HANDLE global_image_handle; @@ -56,7 +108,7 @@ static CHAR16 *second_stage; static void *load_options; -@@ -1861,13 +1863,24 @@ static EFI_STATUS shim_read_header(void +@@ -1863,13 +1865,24 @@ static EFI_STATUS shim_read_header(void *data, unsigned int datasize, return efi_status; } @@ -82,7 +134,7 @@ EFI_IMAGE_ENTRY_POINT entry_point; EFI_PHYSICAL_ADDRESS alloc_address; UINTN alloc_pages; -@@ -1882,7 +1895,7 @@ EFI_STATUS start_image(EFI_HANDLE image_ +@@ -1884,7 +1897,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) * binary in order to find our path */ efi_status = gBS->HandleProtocol(image_handle, &EFI_LOADED_IMAGE_GUID, 
@@ -91,7 +143,7 @@ if (EFI_ERROR(efi_status)) { perror(L"Unable to init protocol\n"); return efi_status; -@@ -1891,14 +1904,14 @@ EFI_STATUS start_image(EFI_HANDLE image_ +@@ -1893,14 +1906,14 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) /* * Build a new path from the existing one plus the executable name */ @@ -108,7 +160,7 @@ efi_status = parseNetbootinfo(image_handle); if (EFI_ERROR(efi_status)) { perror(L"Netboot parsing failed: %r\n", efi_status); -@@ -1914,7 +1927,7 @@ EFI_STATUS start_image(EFI_HANDLE image_ +@@ -1916,7 +1929,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) data = sourcebuffer; datasize = sourcesize; #if defined(ENABLE_HTTPBOOT) @@ -117,7 +169,7 @@ efi_status = httpboot_fetch_buffer (image_handle, &sourcebuffer, &sourcesize); -@@ -1930,7 +1943,7 @@ EFI_STATUS start_image(EFI_HANDLE image_ +@@ -1932,7 +1945,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) /* * Read the new executable off disk */ @@ -126,7 +178,7 @@ if (EFI_ERROR(efi_status)) { perror(L"Failed to load image %s: %r\n", PathName, efi_status); -@@ -1949,13 +1962,13 @@ EFI_STATUS start_image(EFI_HANDLE image_ +@@ -1951,13 +1964,13 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) * We need to modify the loaded image protocol entry before running * the new binary, so back it up */ @@ -143,7 +195,7 @@ perror(L"Unable to update loaded image file path\n"); efi_status = EFI_OUT_OF_RESOURCES; goto restore; -@@ -1964,7 +1977,7 @@ EFI_STATUS start_image(EFI_HANDLE image_ +@@ -1966,7 +1979,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) /* * Verify and, if appropriate, relocate and execute the executable */ 
@@ -152,7 +204,7 @@ &alloc_address, &alloc_pages); if (EFI_ERROR(efi_status)) { perror(L"Failed to load image: %r\n", efi_status); -@@ -1981,13 +1994,7 @@ EFI_STATUS start_image(EFI_HANDLE image_ +@@ -1983,13 +1996,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath) efi_status = entry_point(image_handle, systab); restore: @@ -167,11 +219,11 @@ done: if (PathName) FreePool(PathName); -Index: shim-15+git47/shim.h -=================================================================== ---- shim-15+git47.orig/shim.h -+++ shim-15+git47/shim.h -@@ -163,6 +163,7 @@ extern EFI_STATUS LogError_(const char * +diff --git a/shim.h b/shim.h +index 3db7df9d..38627abf 100644 +--- a/shim.h ++++ b/shim.h +@@ -160,6 +160,7 @@ extern EFI_STATUS LogError_(const char *file, int line, const char *func, CHAR16 extern EFI_STATUS VLogError(const char *file, int line, const char *func, CHAR16 *fmt, va_list args); extern VOID PrintErrors(VOID); extern VOID ClearErrors(VOID); @@ -179,3 +231,6 @@ extern EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath); extern EFI_STATUS import_mok_state(EFI_HANDLE image_handle); +-- +2.29.2 + ++++++ signature-opensuse.aarch64.asc ++++++ --- /var/tmp/diff_new_pack.2yL7CV/_old 2021-03-15 10:53:44.861111613 +0100 +++ /var/tmp/diff_new_pack.2yL7CV/_new 2021-03-15 10:53:44.861111613 +0100 @@ -1,6 +1,7 @@ hash: 96275dfd6282a522b011177ee049296952ac794832091f937fbbf92869028629 # 2069-04-10 06:07:54 timestamp: babababa +linker: 2002 checksum: ef25 -----BEGIN AUTHENTICODE SIGNATURE----- MIIhwQYJKoZIhvcNAQcCoIIhsjCCIa4CAQExDzANBglghkgBZQMEAgEFADBcBgor ++++++ signature-opensuse.x86_64.asc ++++++ --- /var/tmp/diff_new_pack.2yL7CV/_old 2021-03-15 10:53:44.881111643 +0100 +++ /var/tmp/diff_new_pack.2yL7CV/_new 2021-03-15 10:53:44.881111643 +0100 
@@ -1,6 +1,7 @@ hash: f5e892dd6ec4c2defa4a495c09219b621379b64da3d1b2e34adf4b5f1102bd39 # 1970-01-01 00:00:00 timestamp: 0 +linker: 2002 checksum: 65ba -----BEGIN AUTHENTICODE SIGNATURE----- MIIhVgYJKoZIhvcNAQcCoIIhRzCCIUMCAQExDzANBglghkgBZQMEAgEFADBcBgor ++++++ signature-sles.aarch64.asc ++++++ --- /var/tmp/diff_new_pack.2yL7CV/_old 2021-03-15 10:53:44.901111674 +0100 +++ /var/tmp/diff_new_pack.2yL7CV/_new 2021-03-15 10:53:44.905111680 +0100 @@ -1,6 +1,7 @@ hash: f31fd461c5e99510403fc97c1da2d8a9cbe270597d32badf8fd66b77495f8d94 # 2069-04-10 06:07:54 timestamp: babababa +linker: 2002 checksum: 61c9 -----BEGIN AUTHENTICODE SIGNATURE----- MIIh9AYJKoZIhvcNAQcCoIIh5TCCIeECAQExDzANBglghkgBZQMEAgEFADBcBgor ++++++ signature-sles.x86_64.asc ++++++ --- /var/tmp/diff_new_pack.2yL7CV/_old 2021-03-15 10:53:44.925111711 +0100 +++ /var/tmp/diff_new_pack.2yL7CV/_new 2021-03-15 10:53:44.925111711 +0100 @@ -1,6 +1,7 @@ hash: 040b3bc339e9b6f9acd828b88f3482a5c3f64e67e5a714ba1da8a70453b34af6 # 1970-01-01 00:00:00 timestamp: 0 +linker: 2002 checksum: 15eb -----BEGIN AUTHENTICODE SIGNATURE----- MIIhRgYJKoZIhvcNAQcCoIIhNzCCITMCAQExDzANBglghkgBZQMEAgEFADBcBgor ++++++ timestamp.pl ++++++ --- /var/tmp/diff_new_pack.2yL7CV/_old 2021-03-15 10:53:44.945111741 +0100 +++ /var/tmp/diff_new_pack.2yL7CV/_new 2021-03-15 10:53:44.945111741 +0100 @@ -1,5 +1,5 @@ #!/usr/bin/perl -w -# Copyright (c) 2012,2013 SUSE Linux Products GmbH +# Copyright (c) 2012-2021 SUSE LLC # # Permission is hereby granted, free of charge, to any person obtaining a copy # of this software and associated documentation files (the "Software"), to deal @@ -33,7 +33,7 @@ =item B<--set-form-file=FILE> -parse timestamp and checksum from file +parse timestamp, checksum, and linker version from file =item B<--help, -h> @@ -74,6 +74,7 @@ my $set_timestamp; my $set_checksum; +my $set_linker; if ($options{'set-from-file'}) { die "$options{'set-from-file'}: $!\n" unless open(my $fh, '<', $options{'set-from-file'}); 
@@ -82,14 +83,17 @@ if (/^timestamp: ([0-9a-f]+)/) { $set_timestamp = pack('L', hex($1)); next; + } elsif (/^linker: ([0-9a-f]+)/) { + $set_linker = pack('S', hex($1)); + next; } elsif (/^checksum: ([0-9a-f]+)/) { $set_checksum = pack('S', hex($1)); next; } - last if $set_timestamp && $set_checksum; + last if $set_timestamp && $set_checksum && $set_linker; } close($fh); - die "file didn't contain timestamp and checksum\n" unless $set_timestamp && $set_checksum; + die "file didn't contain timestamp, checksum, or linker\n" unless $set_timestamp && $set_checksum && $set_linker; } sub do_show($) @@ -104,6 +108,11 @@ print strftime("# %Y-%m-%d %H:%M:%S\n", gmtime($timestamp)); printf ("timestamp: %x\n", $timestamp); + die "seek $file: $!\n" unless seek($fh, 154, 0); + die "read $file: $!\n" unless read($fh, $value, 2); + + printf ("linker: %x\n", unpack('S', $value)); + die "seek $file: $!\n" unless seek($fh, 216, 0); die "read $file: $!\n" unless read($fh, $value, 2); @@ -119,12 +128,14 @@ die "seek $file: $!\n" unless seek($fh, 136, 0); die "write $file: $!\n" unless print $fh $set_timestamp; + die "seek $file: $!\n" unless seek($fh, 154, 0); + die "write $file: $!\n" unless print $fh $set_linker; + die "seek $file: $!\n" unless seek($fh, 216, 0); die "read $file: $!\n" unless print $fh $set_checksum; close($fh); } - for my $file (@ARGV) { if ($options{'set-from-file'}) { do_set($file);
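Review bot: The new `linker:` pattern accepts any number of hex digits and is not anchored at the end of the line, so an over-long or malformed value would be cut down to 16 bits by `pack('S', hex($1))` and later written into the binary's header without complaint. Bounding it, e.g. `} elsif (/^linker: ([0-9a-f]{1,4})\s*$/) {`, makes a bad signature file fail at parse time instead of at the later hash comparison; the neighbouring `timestamp:` and `checksum:` patterns have the same shape. The completeness test `$set_timestamp && $set_checksum && $set_linker` relies on the string truth of packed bytes; `defined $set_linker` (and likewise for the other two) states what is meant. The enclosing read loop starts outside the hunk.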
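Review bot: The offset 154 is hard-coded in both the do_show hunk and the do_set hunk, and nothing in the visible lines checks that the PE header is where that offset assumes. Like the existing 136 and 216, it appears to match the linker-version bytes only when the PE signature sits at 0x80, so do_set would overwrite two unrelated bytes in a binary with a different layout. A comment such as `# 154: Major/MinorLinkerVersion, assuming the PE header starts at 0x80` documents this, and a check of the signature bytes at offset 128 before the first write in do_set would enforce it. `pack('S', ...)` and `unpack('S', ...)` use the host byte order; `'v'` would pin the field to little-endian regardless of the build host. Both function bodies start outside the hunks.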