Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package sdbootutil for openSUSE:Factory checked in at 2026-02-11 18:47:30 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sdbootutil (Old) and /work/SRC/openSUSE:Factory/.sdbootutil.new.1670 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sdbootutil" Wed Feb 11 18:47:30 2026 rev:92 rq:1332244 version:1+git20260210.81c4815 Changes: -------- --- /work/SRC/openSUSE:Factory/sdbootutil/sdbootutil.changes 2026-02-07 15:32:56.400160592 +0100 +++ /work/SRC/openSUSE:Factory/.sdbootutil.new.1670/sdbootutil.changes 2026-02-11 18:47:52.030907237 +0100 @@ -1,0 +2,12 @@ +Tue Feb 10 12:49:11 UTC 2026 - Alberto Planas Dominguez <[email protected]> + +- Update to version 1+git20260210.81c4815: + * Recover old predictions if service fails + +------------------------------------------------------------------- +Tue Feb 10 07:19:12 UTC 2026 - Alberto Planas Dominguez <[email protected]> + +- Update to version 1+git20260210.1bc4b9e (bsc#1257612): + * Limit kernel measures because combinatorial explosion + +------------------------------------------------------------------- Old: ---- sdbootutil-1+git20260206.54f4a16.obscpio New: ---- sdbootutil-1+git20260210.81c4815.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sdbootutil.spec ++++++ --- /var/tmp/diff_new_pack.bsUvw1/_old 2026-02-11 18:47:54.859026002 +0100 +++ /var/tmp/diff_new_pack.bsUvw1/_new 2026-02-11 18:47:54.867026338 +0100 @@ -18,7 +18,7 @@ %global rustflags '-Clink-arg=-Wl,-z,relro,-z,now' Name: sdbootutil -Version: 1+git20260206.54f4a16 +Version: 1+git20260210.81c4815 Release: 0 Summary: Bootctl wrapper for BLS boot loaders License: MIT ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.bsUvw1/_old 2026-02-11 18:47:55.195040113 +0100 +++ /var/tmp/diff_new_pack.bsUvw1/_new 2026-02-11 18:47:55.231041625 +0100 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/openSUSE/sdbootutil.git</param> - <param name="changesrevision">54f4a16fae58b295cda853a2aa102a969267ecbc</param></service></servicedata> + <param name="changesrevision">81c48154d681e5d93625629081fe66aa838e8095</param></service></servicedata> (No newline at EOF) ++++++ sdbootutil-1+git20260206.54f4a16.obscpio -> sdbootutil-1+git20260210.81c4815.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sdbootutil-1+git20260206.54f4a16/sdbootutil new/sdbootutil-1+git20260210.81c4815/sdbootutil --- old/sdbootutil-1+git20260206.54f4a16/sdbootutil 2026-02-06 11:18:28.000000000 +0100 +++ new/sdbootutil-1+git20260210.81c4815/sdbootutil 2026-02-10 13:47:27.000000000 +0100 
@@ -2593,15 +2593,63 @@ done < <(jq --raw-output 'sort_by(.priority, (.kernel | map(-.))) | map(.linux) | .[]' "$entryfile") fi + # In MicroOS with GRUB2-BLS we can easily exceed to 8 arms + # limit for PolicyOR in PCR#9. For each update: + # - 641-grub2-bls-grubenv: `grubenv` change after the + # `set-default` for the new boot entry + # - 643-grub2-bls-entry-files: a new boot entry is added wrt + # the current state + # - 710-kernel-cmdline-initrd-entry: the new snapshot + # requires a new cmdline (rootflags), so there is one per + # snapshot + # - 710-grub2-bls-kernel-initrd-entry: if the kernel or + # initrd gets updated, a new entry with different hashes + # will appear here + # + # If not kernel/initrd gets updated, the possible valies for + # PCR#9 are 2x2xn, but if a kernel gets update is 2x2xnx2 + # + # Solutions: + # - GRUB2-BLS use BLI and drops `grubenv` + # - PolicyOR limit is resolved in systemd-pcrlock + # - MicroOS uses only systemd-boot + # - Make n=2 and predict only one kernel. + # + # This code select the last option. One issue is that if a + # kernel is updated and a rollback is needed, the password + # will be asked. To resolve this we can drop PCR#9 when there + # is a new kernel and allow the rollback without a password, + # and lock on PCR#9 during boot time, via the + # sdbootutil-update-predictions service + local limit=1 + is_transactional || limit=3 + + # If the system is transactional, drop the shift variation. + # If there is a new kernel, only the newest one will be + # measured (sort_by) and the current one that is in the event + # log will not be present in any variation. This will make + # pcrlock lost the track and drop the component. 
But if there + # is not new kernel or initrd, then the only variation will be + # found in the event log + # Join the kernel and the initrd in a single component - shift_component 710-grub2-bls-kernel-initrd-entry + is_transactional || shift_component 710-grub2-bls-kernel-initrd-entry n=0 while read -r linux; do read -r initrd - [ -f "${boot_root}$linux" ] || continue - [ -f "${boot_root}$initrd" ] || continue + [ -f "${boot_root}$linux" ] || { + info "Missing ${boot_root}$linux, ignoring entry for prediction" + continue + } + [ -f "${boot_root}$initrd" ] || { + info "Missing ${boot_root}$initrd, ignoring entry for prediction" + continue + } n=$((n+1)) - [ "$n" -le 8 ] || continue + [ "$n" -le "$limit" ] || { + info "More than $limit variations for 710-grub2-bls-kernel-initrd-entry" + continue + } pcrlock_grub2_bls_kernel_initrd "${boot_root}$linux" "${boot_root}$initrd" "$n" done < <(jq --raw-output 'sort_by(.priority, (.kernel | map(-.))) | .[] | .linux, .initrd[0]' "$entryfile") 
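Review bot: Nothing is logged when the transactional branch picks the relaxed prediction. With `limit=1` and `shift_component 710-grub2-bls-kernel-initrd-entry` skipped, the comment itself says pcrlock can lose track and drop the component covering PCR 9 until sdbootutil-update-predictions re-locks it at boot. Because this deliberately and temporarily weakens the TPM policy, I would record it next to the `local limit=1` line, for example `if is_transactional; then info "Transactional system: predicting one kernel/initrd only, PCR 9 may be unbound until next boot"; fi`. The values 1 and 3 also deserve a short comment tying them to the 8-arm PolicyOR arithmetic (the 2x2xn product) described above, since the old literal 8 is gone. The enclosing function starts and ends outside the hunk.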
@@ -2616,24 +2664,21 @@ done < <(jq --raw-output '.[] | .linux, .initrd[0]' "$initialentryfile") fi + local limit=2 + is_transactional || limit=3 + # Join the cmdline and the initrd in a single component + # TODO: If shim is not installed, should we drop this? shift_component 710-kernel-cmdline-initrd-entry - shift_component 710-kernel-cmdline-boot-loader n=0 while read -r cmdline; do read -r linux read -r initrd - [ -f "${boot_root}$linux" ] || { - info "Missing ${boot_root}$linux, ignoring entry for prediction" - continue - } - [ -f "${boot_root}$initrd" ] || { - info "Missing ${boot_root}$initrd, ignoring entry for prediction" - continue - } + [ -f "${boot_root}$linux" ] || continue + [ -f "${boot_root}$initrd" ] || continue n=$((n+1)) - [ "$n" -le 8 ] || { - info "More than 8 variations for 710-kernel-cmdline-initrd-entry" + [ "$n" -le "$limit" ] || { + info "More than $limit variations for 710-kernel-cmdline-initrd-entry" continue } pcrlock_cmdline_initrd "BOOT_IMAGE=${grub2_bls_drive}$linux $cmdline" "${boot_root}$initrd" "$n" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sdbootutil-1+git20260206.54f4a16/sdbootutil-update-predictions.service new/sdbootutil-1+git20260210.81c4815/sdbootutil-update-predictions.service --- old/sdbootutil-1+git20260206.54f4a16/sdbootutil-update-predictions.service 2026-02-06 11:18:28.000000000 +0100 +++ new/sdbootutil-1+git20260210.81c4815/sdbootutil-update-predictions.service 2026-02-10 13:47:27.000000000 +0100 
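Review bot: The missing-file diagnostics are removed from the 710-kernel-cmdline-initrd-entry loop, so an entry whose kernel or initrd is absent under `${boot_root}` is now skipped here without a trace. That is only safe if the 710-grub2-bls-kernel-initrd-entry loop, which gained the same `info` messages, runs for every configuration that reaches this code; the hunk does not show this. If that loop is conditional, keep the message here, e.g. `[ -f "${boot_root}$linux" ] || { info "Missing ${boot_root}$linux, ignoring entry for prediction"; continue; }`. The second `local limit=2` also re-declares the variable from the earlier hunk with a different transactional value and no explanation; a one-line comment stating why the cmdline component gets two variations while the kernel component gets one would help. The function body continues outside the hunk.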
@@ -6,7 +6,16 @@
 Type=oneshot
 RemainAfterExit=yes
 KeyringMode=shared
-ExecStart=/usr/bin/sdbootutil update-predictions
+PrivateTmp=no
+ExecStartPre=/usr/bin/sh -c 'cp -a /var/lib/pcrlock.d /tmp/pcrlock.d.bak'
+ExecStart=/usr/bin/sdbootutil -v update-predictions
+ExecStopPost=/usr/bin/sh -c '\
+ if [ "$EXIT_STATUS" != "0" ]; then \
+ echo "Command failed (Status: $EXIT_STATUS). Restoring backup..."; \
+ rm -rf /var/lib/pcrlock.d/*; \
+ cp -a /tmp/pcrlock.d.bak/. /var/lib/pcrlock.d/; \
+ fi; \
+ rm -rf /tmp/pcrlock.d.bak'
 ImportCredential=sdbootutil-update-predictions.*
 [Install]
++++++ sdbootutil.obsinfo ++++++
--- /var/tmp/diff_new_pack.bsUvw1/_old 2026-02-11 18:47:56.355088829 +0100
+++ /var/tmp/diff_new_pack.bsUvw1/_new 2026-02-11 18:47:56.395090509 +0100
@@ -1,5 +1,5 @@
 name: sdbootutil
-version: 1+git20260206.54f4a16
-mtime: 1770373108
-commit: 54f4a16fae58b295cda853a2aa102a969267ecbc
+version: 1+git20260210.81c4815
+mtime: 1770727647
+commit: 81c48154d681e5d93625629081fe66aa838e8095
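Review bot: In the sdbootutil-update-predictions.service hunk, the backup goes to the fixed path `/tmp/pcrlock.d.bak` from a root service with `PrivateTmp=no`. If a directory of that name already exists in the world-writable /tmp (left over from an earlier run, or created by another local user), `cp -a` puts the copy somewhere else and the failure path restores different content into /var/lib/pcrlock.d. The `ExecStopPost` restore also runs `rm -rf /var/lib/pcrlock.d/*` whenever `$EXIT_STATUS` is anything other than 0, which appears to include the case where `ExecStartPre` itself failed and no backup exists, leaving the system with no predictions at all. I would keep the backup in a root-only directory and wipe the live directory only once the backup is known to be present. The sketch below uses `RuntimeDirectory=` and assumes systemd keeps that directory until `ExecStopPost` has finished, which should be confirmed.

```ini
# … unchanged: Type=, RemainAfterExit=, KeyringMode= …
RuntimeDirectory=sdbootutil
RuntimeDirectoryMode=0700
ExecStartPre=/usr/bin/sh -c 'rm -rf /run/sdbootutil/pcrlock.d.bak && cp -a /var/lib/pcrlock.d /run/sdbootutil/pcrlock.d.bak'
ExecStart=/usr/bin/sdbootutil -v update-predictions
ExecStopPost=/usr/bin/sh -c '\
    if [ "$EXIT_STATUS" != "0" ] && [ -d /run/sdbootutil/pcrlock.d.bak ]; then \
        echo "Command failed (Status: $EXIT_STATUS). Restoring backup..."; \
        rm -rf /var/lib/pcrlock.d/*; \
        cp -a /run/sdbootutil/pcrlock.d.bak/. /var/lib/pcrlock.d/; \
    fi; \
    rm -rf /run/sdbootutil/pcrlock.d.bak'
# … unchanged: ImportCredential= …
```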
