Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim-leap for openSUSE:Factory checked in at 2025-12-11 18:39:01 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shim-leap (Old) and /work/SRC/openSUSE:Factory/.shim-leap.new.1939 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim-leap" Thu Dec 11 18:39:01 2025 rev:28 rq:1322096 version:16.1 Changes: -------- --- /work/SRC/openSUSE:Factory/shim-leap/shim-leap.changes 2025-12-10 15:36:35.941631914 +0100 +++ /work/SRC/openSUSE:Factory/.shim-leap.new.1939/shim-leap.changes 2025-12-11 18:40:45.516003863 +0100 
@@ -1,0 +2,40 @@
+Wed Dec 10 14:23:59 UTC 2025 - Joey Lee <[email protected]>
+
+- shim-leap.spec: Always put openSUSE Secure Boot CA to target array
+
+ Unlike shim.spec, shim-leap.spec does not have #needssslcertforbuild
+ because our shim.efi is already signed by openSUSE key in
+ openSUSE:Factory:secure-boot/shim. It causes that the _projectcert.crt
+ can not be found by shim-leap which means the openSUSE CA can not be
+ added to the target certificates array in pretrans Lua script.
+
+ I can not directly add '# needssslcertforbuild' to shim-leap.spec
+ because it will causes that shim.efi be signed by openSUSE key again.
+
+ Let's always put openSUSE Secure Boot CA to target certificates array
+ because the shim.efi already has openSUSE signature. (bsc#1254679)
+
+-------------------------------------------------------------------
+Mon Dec 8 08:32:29 UTC 2025 - Joey Lee <[email protected]>
+
+- Update shim version to 16.1:
+ shim-16.1-lp156.4.1.aarch64.rpm
+ shim-16.1-lp156.4.1.x86_64.rpm
+ RPMs are coming from openSUSE secure-boot shim 15.6:
+ https://build.opensuse.org/projects/openSUSE:Factory:secure-boot/packages/shim/repositories/15.6/binaries
+ - Version: 16.1, "Aug 14 2025"
+ - Include the bug fixes for bsc#1205588
+- Add a pretrans script to verify that the necessary certificate is
+ in the UEFI db.
+- Add DER format certificate files for the pretrans script to verify + that the necessary certificate is in the UEFI db + - openSUSE Secure Boot CA, 2013-2035 + openSUSE_Secure_Boot_CA_2013.crt + - SUSE Linux Enterprise Secure Boot CA, 2013-2035 + SUSE_Linux_Enterprise_Secure_Boot_CA_2013.crt + - Microsoft Corporation UEFI CA 2011, 2011-2026 + Microsoft_Corporation_UEFI_CA_2011.crt + - Microsoft UEFI CA 2023, 2023-2038 + Microsoft_UEFI_CA_2023.crt + +------------------------------------------------------------------- Old: ---- shim-15.8-lp155.8.2.x86_64.rpm shim-15.8-lp155.8.8.aarch64.rpm New: ---- Microsoft_Corporation_UEFI_CA_2011.crt Microsoft_UEFI_CA_2023.crt SUSE_Linux_Enterprise_Secure_Boot_CA_2013.crt _scmsync.obsinfo build.specials.obscpio openSUSE_Secure_Boot_CA_2013.crt shim-16.1-lp156.4.1.aarch64.rpm shim-16.1-lp156.4.1.x86_64.rpm ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shim-leap.spec ++++++ --- /var/tmp/diff_new_pack.NtNmnW/_old 2025-12-11 18:40:46.224033616 +0100 +++ /var/tmp/diff_new_pack.NtNmnW/_new 2025-12-11 18:40:46.236034120 +0100 
@@ -25,20 +25,45 @@ %endif Name: shim-leap -Version: 15.8 +Version: 16.1 Release: 0 Summary: UEFI shim loader License: BSD-2-Clause Group: System/Boot -Source0: shim-15.8-lp155.8.2.x86_64.rpm -Source1: shim-15.8-lp155.8.8.aarch64.rpm +Source0: shim-16.1-lp156.4.1.x86_64.rpm +Source1: shim-16.1-lp156.4.1.aarch64.rpm Source2: README Source3: shim-install +# Certificates Used to Verify the Shim (DER format) +# SUSE CA is also built-in to the shim via VENDOR_CERT_FILE +# openSUSE Secure Boot CA, 2013-2035 +Source11: openSUSE_Secure_Boot_CA_2013.crt +# SUSE Linux Enterprise Secure Boot CA, 2013-2035 +Source12: SUSE_Linux_Enterprise_Secure_Boot_CA_2013.crt +# Microsoft Corporation UEFI CA 2011, 2011-2026 +Source13: Microsoft_Corporation_UEFI_CA_2011.crt +# Microsoft UEFI CA 2023, 2023-2038 +Source14: Microsoft_UEFI_CA_2023.crt BuildRequires: fde-tpm-helper-rpm-macros BuildRequires: update-bootloader-rpm-macros +BuildRequires: openssl >= 0.9.8 +# we need xxd in global macro in shim.spec +BuildRequires: vim BuildRoot: %{_tmppath}/%{name}-%{version}-build ExclusiveArch: x86_64 aarch64 +# subject hash of openSUSE/SLE/devel certificates for identifying devel project +%global prjissuer_hash %(test -f %{_sourcedir}/_projectcert.crt && openssl x509 -in %{_sourcedir}/_projectcert.crt -inform PEM -noout -issuer_hash 2>/dev/null || echo "PRJ_ISSUER_NOT_FOUND") +%global prjsubjec_hash %(test -f %{_sourcedir}/_projectcert.crt && openssl x509 -in %{_sourcedir}/_projectcert.crt -inform PEM -noout -subject_hash 2>/dev/null || echo "PRJ_SUBJECT_NOT_FOUND") +%global opensusesubject_hash %(openssl x509 -in %{SOURCE11} -inform DER -noout -subject_hash 2>/dev/null) +%global slessubject_hash %(openssl x509 -in %{SOURCE12} -inform DER -noout -subject_hash 2>/dev/null) +# Hex content of certs (DER format) will be used in the TARGET_CERT_HEXES array in pretrans script +%global opensuse_ca_hex %(xxd -p %{SOURCE11} | tr -d '\\n') +%global sles_ca_hex %(xxd -p %{SOURCE12} | tr -d '\\n') +%global 
microsoft_ca_hex %(xxd -p %{SOURCE13} | tr -d '\\n') +%global microsoft_ca_2023_hex %(xxd -p %{SOURCE14} | tr -d '\\n') +%global prjcert_hex %(test -f %{_sourcedir}/_projectcert.crt && (openssl x509 -in %{_sourcedir}/_projectcert.crt -outform DER -out - | xxd -p | tr -d '\\n') 2>/dev/null) + %description does not exist @@ -56,10 +81,11 @@ %prep %ifarch x86_64 -rpm2cpio %{SOURCE0} | cpio --extract --unconditional --preserve-modification-time --make-directories +shim_rpm=%{SOURCE0} %else -rpm2cpio %{SOURCE1} | cpio --extract --unconditional --preserve-modification-time --make-directories +shim_rpm=%{SOURCE1} %endif +rpm2cpio $shim_rpm | cpio --extract --unconditional --preserve-modification-time --make-directories %build 
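Review bot: The `%global ..._hex %(xxd -p ... | tr -d '\\n')` macros at the end of this hunk have no failure path, so a missing `xxd` or an unreadable source file leaves the macro empty and the build still succeeds; the two `-subject_hash` macros likewise discard errors with `2>/dev/null`. These values are embedded verbatim in the pretrans script added further down in this spec, so an empty expansion should stop the build rather than ship in a package. A check in `%prep` would be enough, for example `for h in "%{opensuse_ca_hex}" "%{sles_ca_hex}" "%{microsoft_ca_hex}" "%{microsoft_ca_2023_hex}"; do test -n "$h" || exit 1; done`. `opensusesubject_hash` is defined here but not referenced in the hunks shown, so it can probably be dropped.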
@@ -76,6 +102,188 @@ rm -rf %{buildroot}/usr/lib64/efi %endif +# This pretrans Lua script is directly copied from shim.spec +# Please remember to sync this script if it be modified +%pretrans -n shim -p <lua> +-- Using Lua +print("INFO: Current Lua Version: " .. tostring(_VERSION)) + +-- ========================================================================================== +-- This pretrans script verifies that the UEFI db should have the necessary certificate to +-- allow the shim binary to boot. +-- The installation will be aborted if the db is missing the target certificate. To proceed, +-- the user must enroll the target certificate in the db or disable UEFI Secure Boot. +-- ========================================================================================== + +local db_filename = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f" + +-- The db file existence check +local f_check, err_check = io.open(db_filename, "rb") + +if not f_check then + print("WARNING: Attempt to open db EFI variable file failed. Error message: " .. tostring(err_check)) + print("WARNING: This usually means the system is not booted in UEFI mode. Skipping all db check steps.") + return 0 +end +f_check:close() + +-- ========================================================================================== +-- This is the hardcoded target certificate content used to check for its existence. 
+-- HEX_CONTENT=$(xxd -p taget_certificate.der | tr -d '\n') && echo "$HEX_CONTENT" +-- ========================================================================================== + +-- Only the DER format is supported +local TARGET_CERT_HEXES = { + -- Always check Microsoft keys + -- Certificate #1, Microsoft Corporation UEFI CA 2011 + "%{microsoft_ca_hex}", + -- Certificate #2, Microsoft UEFI CA 2023 + "%{microsoft_ca_2023_hex}", + -- Certificate #3, openSUSE Secure Boot CA 2013 + "%{opensuse_ca_hex}", +%if "%{prjissuer_hash}" == "%{slessubject_hash}" + -- Certificate #4, SUSE Linux Enterprise Secure Boot CA 2013 + "%{sles_ca_hex}", +%endif +%if "%{prjissuer_hash}" == "%{prjsubjec_hash}" + -- We put all keys for testing on devel/staging project + -- Certificate #4, SUSE Linux Enterprise Secure Boot CA 2013 + "%{sles_ca_hex}", + -- Certificate #5, _projectcert.crt + "%{prjcert_hex}", +%endif # prjissuer_hash check +} + +-- Check if the TARGET_CERT_HEXES array is empty +if #TARGET_CERT_HEXES == 0 then + print("INFO: certificate list is empty. Skipping certificate check.") + -- Exiting safely as the certificate list is empty. + return 0 +else + -- Check if the Hex string for certificate is valid + for i, cert_hex in ipairs(TARGET_CERT_HEXES) do + if #cert_hex % 2 ~= 0 then + print("Error: The length of hard-coded hex string for certificate #" .. i .. " must be an even number.") + error("The Hex string is invalid. The transaction is being aborted in the pretrans script.") + end + end +end + +-- ========================================================================= +-- Helper functions +-- ========================================================================= + +-- Convert hexadecimal string to original binary string +local function hex_to_binary(hex) + local binary = "" + for i = 1, #hex, 2 do + local byte_hex = hex:sub(i, i + 1) + binary = binary .. 
string.char(tonumber(byte_hex, 16)) + end + return binary +end + +-- ========================================================================= +-- Main logic for checking if the db has any target certificate +-- ========================================================================= + +-- Read existing db contents +local db_content = "" +do + -- The db file is now confirmed to exist, open it again to read the contents + local f_db, err_db = io.open(db_filename, "rb") + + if f_db then + local chunks = {} + local CHUNK_SIZE = 4096 + local raw_content = "" + local chunk = f_db:read(CHUNK_SIZE) + + while chunk do + -- If an empty string is read, it means EOF has been reached and the loop is exited. + if chunk == "" then + break + end + table.insert(chunks, chunk) + chunk = f_db:read(CHUNK_SIZE) + end + + raw_content = table.concat(chunks) + + f_db:close() + + -- Skip the first 4 bytes (EFI attributes) + if #raw_content > 4 then + -- Truncate from the 5th byte to the end + db_content = string.sub(raw_content, 5) + print("INFO: Successfully read existing db content") + else + -- The file is too small or only has attributes, so it is considered blank. + db_content = "" + print("WARNING: db file content length is abnormal (<= 4 bytes). Treated as blank.") + end + end +end + +-- Check all target certificates +for i, cert_hex in ipairs(TARGET_CERT_HEXES) do + + local target_binary_content = hex_to_binary(cert_hex) + + -- Perform binary string matching + local start_pos, end_pos = db_content:find(target_binary_content, 1, true) + + if start_pos then + -- Success: Certificate exist in db + -- Return 0 to allow the RPM transaction to continue + print("Target certificate #" .. i .. " was found in the db variable. 
Proceed with install.") + return 0 + end +end + +-- Certificate not present in db +print("WARNING: The target certificate binary was not found in the db variable.") +print("Please add the appropriate certificate to the db or disable UEFI secure boot.") + +-- Secure Boot status check: We only proceed with installation if the certificate is not present in the db and Secure Boot is disabled. +local sb_filename = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" + +local f_sb, err_sb = io.open(sb_filename, "rb") + +if not f_sb then + -- If the file is missing, it typically means the system is not UEFI, or Secure Boot is disabled/the variable is absent. + print("WARNING: SecureBoot EFI variable file does not exist. Proceed with install.") +else + local raw_content_sb = "" + local sb_status = 0 + + -- Read file contents + local chunk_sb = f_sb:read(4096) + while chunk_sb do + if chunk_sb == "" then break end + raw_content_sb = raw_content_sb .. chunk_sb + chunk_sb = f_sb:read(4096) + end + f_sb:close() + + -- SecureBoot status check + if #raw_content_sb >= 5 then + -- Skip the first 4-byte attribute header and read the 5th byte (status byte) + sb_status = string.byte(raw_content_sb, 5) + + if sb_status == 0x00 then + print("INFO: Since Secure Boot is DISABLED, proceed with install.") + return 0 + elseif sb_status == 0x01 then + error("Fatal error: Secure Boot is ENABLED (status = 0x01), but the target certificate was not found in the db. Aborting installation.") + else + error("Fatal error: Secure Boot status is unrecognized (0x" .. string.format("%02x", sb_status) .. "). Aborting installation.") + end + else + error("Fatal error: SecureBoot variable content is too short to determine status. 
Aborting installation.") + end +end + %post -n shim %if 0%{?fde_tpm_update_post:1} %fde_tpm_update_post shim ++++++ _scmsync.obsinfo ++++++ mtime: 1765376699 commit: a2db30ed3bf32e8e097ecf1c1878adbdf0e08334dff21d5d55f63db87d846ab5 url: https://src.opensuse.org/devel-factory/shim-leap.git revision: a2db30ed3bf32e8e097ecf1c1878adbdf0e08334dff21d5d55f63db87d846ab5 projectscmsync: https://src.opensuse.org/devel-factory/_ObsPrj.git ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2025-12-11 01:57:10.000000000 +0100 @@ -0,0 +1 @@ +.osc ++++++ shim-15.8-lp155.8.8.aarch64.rpm -> shim-16.1-lp156.4.1.aarch64.rpm ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/usr/sbin/shim-install new/usr/sbin/shim-install --- old/usr/sbin/shim-install 2024-08-13 11:45:31.000000000 +0200 +++ new/usr/sbin/shim-install 2025-12-01 11:13:48.000000000 +0100 @@ -60,6 +60,7 @@ if [ x"${GRUB_DISTRIBUTOR}" = x ] && [ -f "${sysconfdir}/os-release" ] ; then . "${sysconfdir}/os-release" GRUB_DISTRIBUTOR="${NAME} ${VERSION}" + OS_ID="${ID}" fi bootloader_id="$(echo "$GRUB_DISTRIBUTOR" | tr 'A-Z' 'a-z' | cut -d' ' -f1)" @@ -78,6 +79,27 @@ *) ca_string="";; esac +case "$OS_ID" in + "opensuse-leap") + ca_string='SUSE Linux Enterprise Secure Boot CA1';; +esac + +# bsc#1230316 Check if the system is encrypted SL-Micro +is_encrypted_slm () { + if test "$GRUB_DISTRIBUTOR" = "SL Micro" && test -n "$GRUB_TPM2_SEALED_KEY" ; then + # return true + return 0 + fi + + # return false + return 1 +} + +# bsc#1230316 For encrypted SL-Micro, always install shim/grub2 with the "removable" way +if is_encrypted_slm; then + removable=yes +fi + is_azure () { local bios_vendor; local product_name; 
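Review bot: The validation loop over `TARGET_CERT_HEXES` rejects only odd-length strings, so an empty entry passes; `hex_to_binary("")` returns `""`, and `db_content:find("", 1, true)` returns position 1 in Lua, so the script reports the certificate as found and returns 0 without comparing anything. That makes the check fail-open whenever one of the build-time hex macros expands empty. Change the guard to `if #cert_hex == 0 or #cert_hex % 2 ~= 0 then` and adjust the message to cover the empty case. Separately, the matching loop returns on the first listed CA present in db, which presumably assumes the packaged shim carries a signature chaining to every listed CA; a comment above the loop stating that would help, e.g. `-- any one listed CA in db is treated as sufficient; dbx is not consulted`.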
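Review bot: `OS_ID` is assigned only inside the branch that runs when `GRUB_DISTRIBUTOR` is empty, so when the distributor string is already set the variable is either unset or inherited from the caller's environment, and the `case "$OS_ID"` added in the following hunk then selects `ca_string` from a value this script never set. Initialise it before the `if` with `OS_ID=` and read `ID` from os-release regardless of `GRUB_DISTRIBUTOR`. The same lines appear in the x86_64 copy of shim-install later in this diff. The script starts and ends outside the hunk, so whether `OS_ID` is set elsewhere cannot be seen from here.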
@@ -465,32 +487,36 @@ $efibootmgr -b "$bootnum" -B done - efidir_drive="$("$grub_probe" --target=drive --device-map= "$efidir")" - efidir_disk="$("$grub_probe" --target=disk --device-map= "$efidir")" - if test -z "$efidir_drive" || test -z "$efidir_disk"; then - echo "Can't find GRUB drive for $efidir; unable to create EFI Boot Manager entry." >&2 - # bsc#1119762 If the MD device is partitioned, we just need to create one - # boot entry since the partitions are nested partitions and the mirrored - # partitions share the same UUID. - elif [[ "$efidir_drive" == \(mduuid/* && "$efidir_drive" != \(mduuid/*,* ]]; then - eval $(mdadm --detail --export "$efidir_disk" | - perl -ne 'print if m{^MD_LEVEL=}; push( @D, $1) if (m{^MD_DEVICE_\S+_DEV=(\S+)$}); - sub END() {print "MD_DEVS=\"", join( " ", @D), "\"\n";};') - if [ "$MD_LEVEL" != "raid1" ]; then - echo "GRUB drive for $efidir not on RAID1; unable to create EFI Boot Manager entry." >&2 - fi - for mddev in $MD_DEVS; do - efidir_drive="$("$grub_probe" --target=drive --device-map= -d "$mddev")" - efidir_disk="$("$grub_probe" --target=disk --device-map= -d "$mddev")" + # bsc#1230316 Skip the creation of the boot option for encrypted SL-Micro to make + # the system always boot from the default boot path (\EFI\BOOT\boot<arch>.efi) + if ! is_encrypted_slm; then + efidir_drive="$("$grub_probe" --target=drive --device-map= "$efidir")" + efidir_disk="$("$grub_probe" --target=disk --device-map= "$efidir")" + if test -z "$efidir_drive" || test -z "$efidir_disk"; then + echo "Can't find GRUB drive for $efidir; unable to create EFI Boot Manager entry." >&2 + # bsc#1119762 If the MD device is partitioned, we just need to create one + # boot entry since the partitions are nested partitions and the mirrored + # partitions share the same UUID. 
+ elif [[ "$efidir_drive" == \(mduuid/* && "$efidir_drive" != \(mduuid/*,* ]]; then + eval $(mdadm --detail --export "$efidir_disk" | + perl -ne 'print if m{^MD_LEVEL=}; push( @D, $1) if (m{^MD_DEVICE_\S+_DEV=(\S+)$}); + sub END() {print "MD_DEVS=\"", join( " ", @D), "\"\n";};') + if [ "$MD_LEVEL" != "raid1" ]; then + echo "GRUB drive for $efidir not on RAID1; unable to create EFI Boot Manager entry." >&2 + fi + for mddev in $MD_DEVS; do + efidir_drive="$("$grub_probe" --target=drive --device-map= -d "$mddev")" + efidir_disk="$("$grub_probe" --target=disk --device-map= -d "$mddev")" + efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')" + efidir_d=${mddev#/dev/} + $efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \ + -L "$bootloader_id ($efidir_d)" -l "\\EFI\\$efi_distributor\\$efi_file" + done + else efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')" - efidir_d=${mddev#/dev/} $efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \ - -L "$bootloader_id ($efidir_d)" -l "\\EFI\\$efi_distributor\\$efi_file" - done - else - efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')" - $efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \ - -L "$bootloader_id" -l "\\EFI\\$efi_distributor\\$efi_file" + -L "$bootloader_id" -l "\\EFI\\$efi_distributor\\$efi_file" + fi fi fi Binary files old/usr/share/efi/aarch64/MokManager.efi and new/usr/share/efi/aarch64/MokManager.efi differ Binary files old/usr/share/efi/aarch64/fallback.efi and new/usr/share/efi/aarch64/fallback.efi differ Binary files old/usr/share/efi/aarch64/shim-opensuse.efi and new/usr/share/efi/aarch64/shim-opensuse.efi differ ++++++ shim-15.8-lp155.8.2.x86_64.rpm -> shim-16.1-lp156.4.1.x86_64.rpm ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/usr/sbin/shim-install new/usr/sbin/shim-install --- old/usr/sbin/shim-install 2024-07-04 16:26:35.000000000 +0200 +++ 
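Review bot: The `eval $(mdadm --detail --export ... | perl ...)` statement, which this hunk re-indents unchanged, re-parses generated text as shell code in a script that presumably runs as root, and the command substitution is unquoted. `MD_LEVEL` and the member devices can be read from the `KEY=value` output without evaluating it, as sketched below. The `MD_LEVEL` test also only prints a message, so the `for mddev` loop still runs for an array that is not RAID1. The x86_64 copy of shim-install later in this diff has the same lines, and the enclosing block starts before the hunk.

```shell
    # … unchanged: grub_probe lookups and the empty-result branch …
    elif [[ "$efidir_drive" == \(mduuid/* && "$efidir_drive" != \(mduuid/*,* ]]; then
      MD_LEVEL=
      MD_DEVS=
      while IFS='=' read -r md_key md_val; do
        case "$md_key" in
          MD_LEVEL) MD_LEVEL=$md_val ;;
          MD_DEVICE_*_DEV) MD_DEVS="${MD_DEVS:+$MD_DEVS }$md_val" ;;
        esac
      done < <(mdadm --detail --export "$efidir_disk")
      # … unchanged: raid1 check and the per-device efibootmgr loop …
```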
new/usr/sbin/shim-install 2025-12-01 11:14:54.000000000 +0100 @@ -60,6 +60,7 @@ if [ x"${GRUB_DISTRIBUTOR}" = x ] && [ -f "${sysconfdir}/os-release" ] ; then . "${sysconfdir}/os-release" GRUB_DISTRIBUTOR="${NAME} ${VERSION}" + OS_ID="${ID}" fi bootloader_id="$(echo "$GRUB_DISTRIBUTOR" | tr 'A-Z' 'a-z' | cut -d' ' -f1)" @@ -78,6 +79,27 @@ *) ca_string="";; esac +case "$OS_ID" in + "opensuse-leap") + ca_string='SUSE Linux Enterprise Secure Boot CA1';; +esac + +# bsc#1230316 Check if the system is encrypted SL-Micro +is_encrypted_slm () { + if test "$GRUB_DISTRIBUTOR" = "SL Micro" && test -n "$GRUB_TPM2_SEALED_KEY" ; then + # return true + return 0 + fi + + # return false + return 1 +} + +# bsc#1230316 For encrypted SL-Micro, always install shim/grub2 with the "removable" way +if is_encrypted_slm; then + removable=yes +fi + is_azure () { local bios_vendor; local product_name; 
@@ -465,32 +487,36 @@ $efibootmgr -b "$bootnum" -B done - efidir_drive="$("$grub_probe" --target=drive --device-map= "$efidir")" - efidir_disk="$("$grub_probe" --target=disk --device-map= "$efidir")" - if test -z "$efidir_drive" || test -z "$efidir_disk"; then - echo "Can't find GRUB drive for $efidir; unable to create EFI Boot Manager entry." >&2 - # bsc#1119762 If the MD device is partitioned, we just need to create one - # boot entry since the partitions are nested partitions and the mirrored - # partitions share the same UUID. - elif [[ "$efidir_drive" == \(mduuid/* && "$efidir_drive" != \(mduuid/*,* ]]; then - eval $(mdadm --detail --export "$efidir_disk" | - perl -ne 'print if m{^MD_LEVEL=}; push( @D, $1) if (m{^MD_DEVICE_\S+_DEV=(\S+)$}); - sub END() {print "MD_DEVS=\"", join( " ", @D), "\"\n";};') - if [ "$MD_LEVEL" != "raid1" ]; then - echo "GRUB drive for $efidir not on RAID1; unable to create EFI Boot Manager entry." >&2 - fi - for mddev in $MD_DEVS; do - efidir_drive="$("$grub_probe" --target=drive --device-map= -d "$mddev")" - efidir_disk="$("$grub_probe" --target=disk --device-map= -d "$mddev")" + # bsc#1230316 Skip the creation of the boot option for encrypted SL-Micro to make + # the system always boot from the default boot path (\EFI\BOOT\boot<arch>.efi) + if ! is_encrypted_slm; then + efidir_drive="$("$grub_probe" --target=drive --device-map= "$efidir")" + efidir_disk="$("$grub_probe" --target=disk --device-map= "$efidir")" + if test -z "$efidir_drive" || test -z "$efidir_disk"; then + echo "Can't find GRUB drive for $efidir; unable to create EFI Boot Manager entry." >&2 + # bsc#1119762 If the MD device is partitioned, we just need to create one + # boot entry since the partitions are nested partitions and the mirrored + # partitions share the same UUID. 
+ elif [[ "$efidir_drive" == \(mduuid/* && "$efidir_drive" != \(mduuid/*,* ]]; then + eval $(mdadm --detail --export "$efidir_disk" | + perl -ne 'print if m{^MD_LEVEL=}; push( @D, $1) if (m{^MD_DEVICE_\S+_DEV=(\S+)$}); + sub END() {print "MD_DEVS=\"", join( " ", @D), "\"\n";};') + if [ "$MD_LEVEL" != "raid1" ]; then + echo "GRUB drive for $efidir not on RAID1; unable to create EFI Boot Manager entry." >&2 + fi + for mddev in $MD_DEVS; do + efidir_drive="$("$grub_probe" --target=drive --device-map= -d "$mddev")" + efidir_disk="$("$grub_probe" --target=disk --device-map= -d "$mddev")" + efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')" + efidir_d=${mddev#/dev/} + $efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \ + -L "$bootloader_id ($efidir_d)" -l "\\EFI\\$efi_distributor\\$efi_file" + done + else efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')" - efidir_d=${mddev#/dev/} $efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \ - -L "$bootloader_id ($efidir_d)" -l "\\EFI\\$efi_distributor\\$efi_file" - done - else - efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')" - $efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \ - -L "$bootloader_id" -l "\\EFI\\$efi_distributor\\$efi_file" + -L "$bootloader_id" -l "\\EFI\\$efi_distributor\\$efi_file" + fi fi fi Binary files old/usr/share/efi/x86_64/MokManager.efi and new/usr/share/efi/x86_64/MokManager.efi differ Binary files old/usr/share/efi/x86_64/fallback.efi and new/usr/share/efi/x86_64/fallback.efi differ Binary files old/usr/share/efi/x86_64/shim-opensuse.efi and new/usr/share/efi/x86_64/shim-opensuse.efi differ
