Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package sdbootutil for openSUSE:Factory checked in at 2024-12-08 11:36:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sdbootutil (Old) and /work/SRC/openSUSE:Factory/.sdbootutil.new.21547 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sdbootutil" Sun Dec 8 11:36:13 2024 rev:42 rq:1228721 version:1+git20241206.dccea55 Changes: -------- --- /work/SRC/openSUSE:Factory/sdbootutil/sdbootutil.changes 2024-11-14 16:07:28.987764223 +0100 +++ /work/SRC/openSUSE:Factory/.sdbootutil.new.21547/sdbootutil.changes 2024-12-08 11:37:23.550274857 +0100 @@ -1,0 +2,25 @@ +Fri Dec 06 09:09:56 UTC 2024 - apla...@suse.com + +- Update to version 1+git20241206.dccea55: + * Fix quotes in bind mount command (bsc#1233378) + * Allow multiple entries for initial measurements + +------------------------------------------------------------------- +Tue Nov 26 08:04:39 UTC 2024 - apla...@suse.com + +- Update to version 1+git20241126.83ebe2c: + * Fix help for get-timeout + * Add get default and timeout + * Replace -a with && + * Drop PATH field + * sdbootutil-enroll: harden script against unexpected conditions + +------------------------------------------------------------------- +Mon Nov 18 13:10:27 UTC 2024 - apla...@suse.com + +- Update to version 1+git20241118.23c1900: + * Fix missing grep file + * Detect new bootctl error message + * If BLI is not active use the loader.conf + +------------------------------------------------------------------- Old: ---- sdbootutil-1+git20241112.ecf5f97.obscpio New: ---- sdbootutil-1+git20241206.dccea55.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sdbootutil.spec ++++++ --- /var/tmp/diff_new_pack.fGFWZy/_old 2024-12-08 11:37:24.034294964 +0100 +++ /var/tmp/diff_new_pack.fGFWZy/_new 2024-12-08 11:37:24.038295131 +0100 @@ -17,7 +17,7 @@ Name: sdbootutil -Version: 1+git20241112.ecf5f97 +Version: 1+git20241206.dccea55 Release: 0 Summary: bootctl wrapper for BLS boot loaders License: MIT ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.fGFWZy/_old 2024-12-08 11:37:24.078296792 +0100 +++ /var/tmp/diff_new_pack.fGFWZy/_new 2024-12-08 11:37:24.082296959 +0100 
@@ -1,8 +1,6 @@ <servicedata> <service name="tar_scm"> - <param name="url">https://github.com/lnussel/sdbootutil.git</param> - <param name="changesrevision">708592a5033bb41d14e378172466ae9e90dfb3c4</param></service><service name="tar_scm"> <param name="url">https://github.com/openSUSE/sdbootutil.git</param> - <param name="changesrevision">ecf5f97d8573cd18fcfc8e51bcb172c2d3be5324</param></service></servicedata> + <param name="changesrevision">dccea55a79e4c76880b82251c43e22feb58d0660</param></service></servicedata> (No newline at EOF) ++++++ sdbootutil-1+git20241112.ecf5f97.obscpio -> sdbootutil-1+git20241206.dccea55.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sdbootutil-1+git20241112.ecf5f97/jeos-firstboot-enroll new/sdbootutil-1+git20241206.dccea55/jeos-firstboot-enroll --- old/sdbootutil-1+git20241112.ecf5f97/jeos-firstboot-enroll 2024-11-12 14:56:25.000000000 +0100 +++ new/sdbootutil-1+git20241206.dccea55/jeos-firstboot-enroll 2024-12-06 10:03:06.000000000 +0100 @@ -14,7 +14,7 @@ have_luks2() { - lsblk --noheadings -o PATH,FSTYPE | grep -q crypto_LUKS + lsblk --noheadings -o FSTYPE | grep -q crypto_LUKS } # exit early without defining any helper functions if there are no luks devices diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sdbootutil-1+git20241112.ecf5f97/sdbootutil new/sdbootutil-1+git20241206.dccea55/sdbootutil --- old/sdbootutil-1+git20241112.ecf5f97/sdbootutil 2024-11-12 14:56:25.000000000 +0100 +++ new/sdbootutil-1+git20241206.dccea55/sdbootutil 2024-12-06 10:03:06.000000000 +0100 @@ -169,9 +169,15 @@ set-default ID Set default boot loader entry + get-default + Get default boot loader entry + set-timeout SECONDS Set the menu timeout + get-timeout + Get the menu timeout in seconds + enroll Enroll a TPM2 (+PIN), a FIDO2 key or a password for all devices 
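Review bot: `have_luks2` in the jeos-firstboot-enroll hunk still answers "is there any LUKS device", not "is there a LUKS2 device", because lsblk reports `crypto_LUKS` in FSTYPE for both on-disk format versions. If the enrollment steps that depend on this check need LUKS2 (the name suggests so, but the callers are not on this page), test the version column as well: `lsblk --noheadings -o FSTYPE,FSVER | awk '$1 == "crypto_LUKS" && $2 == "2" { f = 1 } END { exit !f }'`. The identical `have_luks2` hunk in sdbootutil-enroll (`@@ -14,7 +14,7 @@`) has the same gap.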
@@ -665,7 +671,7 @@ # This is needed so that the rootfs appears in the mounts # under the chroot, allowing dracut to properly detect the fs # type and load the relevant module - mount --bind "$snapshot_dir $snapshot_dir" + mount --bind "$snapshot_dir" "$snapshot_dir" mount -t tmpfs -o size=10m tmpfs "$snapshot_dir/run" for i in proc dev sys var tmp; do @@ -1661,6 +1667,15 @@ d --aspect 60 --msgbox "Installed into $boot_root" 0 0 } +bli_efi_var_get() +{ + # BLI uses this vendor UUID + local efi_var="/sys/firmware/efi/efivars/${1:?}-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f" + if [ -e "$efi_var" ]; then + echo "$(dd "if=$efi_var" bs=2 skip=2 conv=lcase status=none | tr -d '\0')" + fi +} + loader_conf_set() { local key="${1:?}" @@ -1673,6 +1688,15 @@ fi } +loader_conf_get() +{ + local key="${1:?}" + if [ -e "${boot_root}/loader/loader.conf" ]; then + IFS=' ' read -r key value < <(grep "^$key " "${boot_root}/loader/loader.conf") + echo -n "$value" + fi +} + grubenv_set() { local key="${1:?}" @@ -1696,11 +1720,22 @@ mv "$grubenv" "${boot_root}${boot_dst}/grubenv" } +grubenv_get() +{ + local key="${1:?}" + + if [ -e "${boot_root}${boot_dst}/grubenv" ]; then + IFS='=' read -r key value < <(grep "^$key=" "${boot_root}${boot_dst}/grubenv") + echo -n "$value" + fi +} + set_default_sdboot() { local id="${1:?}" if ! bootctl set-default "$id" > "$tmpfile" 2>&1; then - if grep -q "Failed to update EFI variable" "$tmpfile"; then + if grep -q "Failed to update EFI variable" "$tmpfile" || + grep -q "Not booted with a supported boot loader" "$tmpfile"; then loader_conf_set "default" "$id" else err "$(cat "$tmpfile")" @@ -1711,7 +1746,7 @@ set_default_grub2_bls() { local id="${1:?}" - bootctl set-default "$id" 2>&1 + set_default_sdboot "$id" grubenv_set "default" "$id" } 
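Review bot: The corrected `mount --bind "$snapshot_dir" "$snapshot_dir"` in the `@@ -665,7 +671,7 @@` hunk is still not checked for failure. The old single-argument form would normally have failed every time, which suggests a failing mount here does not stop the script. If the bind mount fails, the tmpfs and the `proc dev sys var tmp` mounts that follow are still set up and the chroot runs without the rootfs in its mount table. Consider `mount --bind "$snapshot_dir" "$snapshot_dir" || err "cannot bind mount $snapshot_dir"`, using the script's existing `err` helper. The enclosing function starts and ends outside the hunk, so any cleanup it performs is not visible here.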
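Review bot: `bli_efi_var_get` in the `@@ -1661,6 +1667,15 @@` hunk does not document how it decodes the variable, and the decoding is lossy. `bs=2 skip=2` drops the 4-byte attribute header that efivarfs puts in front of the payload, `tr -d '\0'` narrows UTF-16LE to bytes, which is only correct for ASCII content, and `conv=lcase` means the returned string may differ in case from the stored one. I would put that in the comment, e.g. `# efivarfs: 4 attribute bytes, then UTF-16LE payload; NULs stripped (ASCII only), result lowercased`. The `echo "$( … )"` wrapper can also go, since callers already capture the output with `$(…)`.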
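Review bot: `loader_conf_get` in the `@@ -1673,6 +1688,15 @@` hunk assigns `value` without declaring it `local`, and `grubenv_get` in the next hunk does the same, so a direct call outside a command substitution overwrites any global of that name. Declare it with the key: `local key="${1:?}" value`. Both functions also interpolate `$key` into a grep regex; the callers on this page only pass `default` and `timeout`, so this is a robustness point, not an injection path. In `loader_conf_get`, `grep "^$key "` together with `IFS=' '` only recognises a single space as separator, so a hand-edited loader.conf line that uses a tab is not found.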
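Review bot: In the `set_default_grub2_bls` hunk the grubenv write now depends on bootctl, because `set_default_sdboot` calls `err` for any bootctl failure other than the two matched messages before `grubenv_set "default" "$id"` is reached. Assuming `err` terminates the script (its definition is not on this page), the default is then never written to grubenv, which is the only place `get_default_grub2_bls` reads from. The old line did not act on bootctl's status, unless the script runs under `set -e`. Writing grubenv first, `grubenv_set "default" "$id"` followed by `set_default_sdboot "$id"`, keeps the GRUB side authoritative. The same ordering applies to `set_timeout_grub2_bls` in the `@@ -1746,7 +1808,7 @@` hunk.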
@@ -1731,11 +1766,38 @@ update_predictions=1 } +get_default_sdboot() +{ + local val + val="$(bli_efi_var_get "LoaderEntryDefault")" + [ -n "$val" ] || val="$(loader_conf_get "default")" + echo "$val" +} + +get_default_grub2_bls() +{ + local val + val="$(grubenv_get "default")" + echo "$val" +} + +get_default_entry() +{ + if is_sdboot; then + get_default_sdboot + elif is_grub2_bls; then + get_default_grub2_bls + else + err "Bootloader not detected" + fi +} + set_timeout_sdboot() { local timeout="${1:?}" if ! bootctl set-timeout "$timeout" > "$tmpfile" 2>&1; then - if grep -q "Failed to update EFI variable" "$tmpfile"; then + if grep -q "Failed to update EFI variable" "$tmpfile" || + grep -q "Not booted with a supported boot loader" "$tmpfile"; then loader_conf_set "timeout" "$timeout" else err "$(cat "$tmpfile")" @@ -1746,7 +1808,7 @@ set_timeout_grub2_bls() { local timeout="${1:?}" - bootctl set-timeout "$timeout" 2>&1 + set_timeout_sdboot "$timeout" grubenv_set "timeout" "$timeout" } @@ -1761,6 +1823,35 @@ else err "Bootloader not detected" fi + + # This action will require to update the PCR predictions + update_predictions=1 +} + +get_timeout_sdboot() +{ + local val + val="$(bli_efi_var_get "LoaderConfigTimeout")" + [ -n "$val" ] || val="$(loader_conf_get "timeout")" + echo "$val" +} + +get_timeout_grub2_bls() +{ + local val + val="$(grubenv_get "timeout")" + echo "$val" +} + +get_timeout() +{ + if is_sdboot; then + get_timeout_sdboot + elif is_grub2_bls; then + get_timeout_grub2_bls + else + err "Bootloader not detected" + fi } set_default_snapshot() 
@@ -2036,10 +2127,12 @@ # required because disk-encryption-tool generates a new initrd # during the first boot, making the event log impossible to # align for systemd-pcrlock + n=0 if [ "$SDB_ADD_INITIAL_COMPONENT" = "1" ]; then while read -r cmdline; do read -r initrd - pcrlock_sdboot_cmdline_initrd "initrd=$cmdline" "${tmpdir}$initrd" "0" + n=$((n+1)) + pcrlock_sdboot_cmdline_initrd "initrd=$cmdline" "${tmpdir}$initrd" "0-$n" done < <(jq --raw-output '.[] | ([(.initrd[0] | sub("/"; "\\"; "g")), .options] | join(" ")), .initrd[0]' "$initialentryfile") fi } @@ -2088,13 +2181,15 @@ # because disk-encryption-tool generates a new initrd during # the first boot, making the event log impossible to align for # systemd-pcrlock + n=0 if [ "$SDB_ADD_INITIAL_COMPONENT" = "1" ]; then while read -r options; do read -r kernel read -r initrd + n=$((n+1)) pcrlock_grub2_bls_cmdline "linux ${grub2_bls_drive}$kernel $options" \ "${grub2_bls_drive}$kernel $options" \ - "initrd ${grub2_bls_drive}$initrd" "0" + "initrd ${grub2_bls_drive}$initrd" "0-$n" done < <(jq --raw-output '.[] | .options, .linux, .initrd[0]' "$initialentryfile") fi @@ -2109,10 +2204,12 @@ # Generate variation for 710-grub2-bls-kernel-initrd-entry for the # same reason than before. + n=0 if [ "$SDB_ADD_INITIAL_COMPONENT" = "1" ]; then while read -r kernel; do read -r initrd - pcrlock_grub2_bls_kernel_initrd "$tmpdir$kernel" "$tmpdir$initrd" "0" + n=$((n+1)) + pcrlock_grub2_bls_kernel_initrd "$tmpdir$kernel" "$tmpdir$initrd" "0-$n" done < <(jq --raw-output '.[] | .linux, .initrd[0]' "$initialentryfile") fi } 
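Review bot: The counter `n` added in the `@@ -2036,10 +2127,12 @@` hunk is assigned without `local`, and the `@@ -2088,13 +2181,15 @@` and `@@ -2109,10 +2204,12 @@` hunks repeat that. If these lines sit inside functions (the function headers are outside the hunks), use `local n=0` and move it inside the `if`, where it is used. Separately, the variant argument changes from `"0"` to `"0-$n"`. If that argument names the generated pcrlock variant file (the `pcrlock_*` helpers are not on this page), a system upgraded from the old version may keep a stale `0` variant, which would leave the old initial measurement accepted by the prediction. It is worth confirming that the old variant is removed, or removing it here.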
@@ -2939,7 +3036,7 @@ fi case "$1" in - install|needs-update|update|force-update|add-kernel|remove-kernel|set-default-snapshot|add-all-kernels|mkinitrd|remove-all-kernels|is-installed|list-snapshots|list-entries|list-kernels|list-devices|show-entry|update-entry|update-all-entries|is-bootable|set-default|set-timeout|enroll|unenroll|update-predictions|bootloader) ;; + install|needs-update|update|force-update|add-kernel|remove-kernel|set-default-snapshot|add-all-kernels|mkinitrd|remove-all-kernels|is-installed|list-snapshots|list-entries|list-kernels|list-devices|show-entry|update-entry|update-all-entries|is-bootable|set-default|get-default|set-timeout|get-timeout|enroll|unenroll|update-predictions|bootloader) ;; kernels|snapshots|entries|"") stty_size; interactive=1 ;; *) err "unknown command $1" ;; esac @@ -3061,8 +3158,12 @@ is_bootable "${2:-$root_snapshot}" elif [ "$1" = "set-default" ]; then set_default_entry "$2" +elif [ "$1" = "get-default" ]; then + get_default_entry "$2" elif [ "$1" = "set-timeout" ]; then set_timeout "$2" +elif [ "$1" = "get-timeout" ]; then + get_timeout "$2" elif [ "$1" = "enroll" ]; then enroll elif [ "$1" = "unenroll" ]; then diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sdbootutil-1+git20241112.ecf5f97/sdbootutil-enroll new/sdbootutil-1+git20241206.dccea55/sdbootutil-enroll --- old/sdbootutil-1+git20241112.ecf5f97/sdbootutil-enroll 2024-11-12 14:56:25.000000000 +0100 +++ new/sdbootutil-1+git20241206.dccea55/sdbootutil-enroll 2024-12-06 10:03:06.000000000 +0100 @@ -6,7 +6,7 @@ local keyid keyid="$(keyctl id %user:"$name" 2> /dev/null)" || true - if [ -e "$CREDENTIALS_DIRECTORY/$name" ]; then + if [ -n "$CREDENTIALS_DIRECTORY" ] && [ -e "$CREDENTIALS_DIRECTORY/$name" ]; then read -r "$var" < "$CREDENTIALS_DIRECTORY/$name" elif [ -n "$keyid" ]; then read -r "$var" <<<"$(keyctl pipe "$keyid")" 
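Review bot: The new `get-default` and `get-timeout` branches in the `@@ -3061,8 +3158,12 @@` hunk pass `"$2"` to `get_default_entry` and `get_timeout`, but neither function, as added earlier in this diff, reads a positional parameter. An extra argument on the command line is therefore silently ignored. Call them bare, `get_default_entry` and `get_timeout`, or reject a non-empty `$2` with `err`, so the two getters do not look like they take an ID or a value the way the setters do.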
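Review bot: The credential test in the sdbootutil-enroll `@@ -6,7 +6,7 @@` hunk still uses `-e`, so a directory or other non-regular file at `$CREDENTIALS_DIRECTORY/$name` passes the check and is then handed to `read`. The added `-n` guard does stop the lookup from resolving to `/$name` when the variable is empty. I would tighten the line to `if [ -n "${CREDENTIALS_DIRECTORY:-}" ] && [ -f "$CREDENTIALS_DIRECTORY/$name" ]; then`; the `:-` form also survives a later `set -u`. Note that `read -r "$var"` keeps only the first line, so a credential containing a newline is truncated without any error. The function starts and ends outside the hunk.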
@@ -14,7 +14,7 @@ } have_luks2() { - lsblk --noheadings -o PATH,FSTYPE | grep -q crypto_LUKS + lsblk --noheadings -o FSTYPE | grep -q crypto_LUKS } write_issue_file() ++++++ sdbootutil.obsinfo ++++++ --- /var/tmp/diff_new_pack.fGFWZy/_old 2024-12-08 11:37:24.190301445 +0100 +++ /var/tmp/diff_new_pack.fGFWZy/_new 2024-12-08 11:37:24.194301612 +0100 @@ -1,5 +1,5 @@ name: sdbootutil -version: 1+git20241112.ecf5f97 -mtime: 1731419785 -commit: ecf5f97d8573cd18fcfc8e51bcb172c2d3be5324 +version: 1+git20241206.dccea55 +mtime: 1733475786 +commit: dccea55a79e4c76880b82251c43e22feb58d0660