Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package sdbootutil for openSUSE:Factory checked in at 2026-03-13 21:15:59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sdbootutil (Old) and /work/SRC/openSUSE:Factory/.sdbootutil.new.8177 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sdbootutil" Fri Mar 13 21:15:59 2026 rev:95 rq:1338747 version:1+git20260313.ff5ea17 Changes: -------- --- /work/SRC/openSUSE:Factory/sdbootutil/sdbootutil.changes 2026-03-12 22:22:19.066385748 +0100 +++ /work/SRC/openSUSE:Factory/.sdbootutil.new.8177/sdbootutil.changes 2026-03-13 21:16:28.580477613 +0100 @@ -1,0 +2,9 @@ +Fri Mar 13 14:05:03 UTC 2026 - Alberto Planas Dominguez <[email protected]> + +- Update to version 1+git20260313.ff5ea17: + * Support cmdline.d directory + * Avoid update policy if no new hash + * Requires libtss2-tcti-device0 + * More explicit bootloader detection, honour sysconfig if set + +------------------------------------------------------------------- Old: ---- sdbootutil-1+git20260311.73a155b.obscpio New: ---- sdbootutil-1+git20260313.ff5ea17.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sdbootutil.spec ++++++ --- /var/tmp/diff_new_pack.kRtBdX/_old 2026-03-13 21:16:29.532517153 +0100 +++ /var/tmp/diff_new_pack.kRtBdX/_new 2026-03-13 21:16:29.536517319 +0100 @@ -18,7 +18,7 @@ %global rustflags '-Clink-arg=-Wl,-z,relro,-z,now' Name: sdbootutil -Version: 1+git20260311.73a155b +Version: 1+git20260313.ff5ea17 Release: 0 Summary: Bootctl wrapper for BLS boot loaders License: MIT @@ -41,6 +41,7 @@ Requires: (%{name}-snapper if (snapper and btrfsprogs)) Requires: (%{name}-tukit if read-only-root-fs) Requires: tpm2.0-tools +Requires: libtss2-tcti-device0 # For bootctl and systemd-pcrlock Requires: (udev >= 257.9 or systemd-experimental < 257.9) Supplements: (grub2-x86_64-efi-bls and shim) ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.kRtBdX/_old 2026-03-13 21:16:29.596519811 +0100 +++ /var/tmp/diff_new_pack.kRtBdX/_new 2026-03-13 21:16:29.600519978 +0100 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/openSUSE/sdbootutil.git</param> - <param name="changesrevision">73a155bdc01e5e2e29de7d2e30f80e63eb713acd</param></service></servicedata> + <param name="changesrevision">ff5ea17c75654f3e3ff6d7ea0c1c123f3328c60e</param></service></servicedata> (No newline at EOF) ++++++ sdbootutil-1+git20260311.73a155b.obscpio -> sdbootutil-1+git20260313.ff5ea17.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sdbootutil-1+git20260311.73a155b/sdbootutil new/sdbootutil-1+git20260313.ff5ea17/sdbootutil --- old/sdbootutil-1+git20260311.73a155b/sdbootutil 2026-03-11 15:54:50.000000000 +0100 +++ new/sdbootutil-1+git20260313.ff5ea17/sdbootutil 2026-03-13 14:28:44.000000000 +0100 @@ -410,38 +410,37 @@ grep -q $'\x01' /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c 2> /dev/null } -is_sdboot() +bootloader_type() { + # If LOADER_TYPE is set, use that + if [ -n "$LOADER_TYPE" ]; then + echo "$LOADER_TYPE" + return + fi + local sdboot grub2_bls sdboot="$(find_sdboot "${1-$root_snapshot}")" grub2_bls="$(find_grub2_bls "${1-$root_snapshot}")" - # If boot loader is not found, then we check LOADER_TYPE, but - # if is not present and systemd-boot and grub2-bls are - # co-installed, we favor grub2-bls in the detection - if [ ! -e "$sdboot" ] && [ ! -e "$grub2_bls" ]; then - [ -z "$LOADER_TYPE" ] || [ "$LOADER_TYPE" = "systemd-boot" ] - else - [ -e "$sdboot" ] && [ ! -e "$grub2_bls" ] + # If LOADER_TYPE is unset and only systemd-boot is installed, use that + if [ -e "$sdboot" ] && ! [ -e "$grub2_bls" ]; then + echo "systemd-boot" + return fi + + # Otherwise, use grub2-bls + echo "grub2-bls" } -is_grub2_bls() +is_sdboot() { - local sdboot grub2_bls - - sdboot="$(find_sdboot "${1-$root_snapshot}")" - grub2_bls="$(find_grub2_bls "${1-$root_snapshot}")" + [ "$(bootloader_type "${1-$root_snapshot}")" = "systemd-boot" ] +} - # If boot loader is not found, then we check LOADER_TYPE, but - # if is not present and systemd-boot and grub2-bls are - # co-installed, we favor grub2-bls in the detection - if [ ! -e "$sdboot" ] && [ ! -e "$grub2_bls" ]; then - [ -z "$LOADER_TYPE" ] || [ "$LOADER_TYPE" = "grub2-bls" ] - else - [ -e "$grub2_bls" ] - fi +is_grub2_bls() +{ + [ "$(bootloader_type "${1-$root_snapshot}")" = "grub2-bls" ] } reset_rollback() @@ -1129,11 +1128,11 @@ local required_size="$2" local required_size_extra - required_size_extra=$(("$(boot_space)" * $ESP_FREE_SPACE / 100)) + required_size_extra=$(("$(boot_space)" * ESP_FREE_SPACE / 100)) info "Required free space in ESP: ${required_size}KB + ${required_size_extra}KB (${ESP_FREE_SPACE}% ESP size)" - required_size=$(($required_size + $required_size_extra)) + required_size=$((required_size + required_size_extra)) # If there is already free space, shortcut the code local free_space @@ -1177,13 +1176,29 @@ create_boot_options() { local subvol="$1" - local boot_options= + local cmdline + local boot_options for i in "${subvol:1}/etc/kernel/cmdline" "${subvol:1}/usr/lib/kernel/cmdline" /proc/cmdline; do [ -f "$i" ] || continue dbg_cat "$i" - boot_options="$(sedrootflags "$subvol" < "$i")" + cmdline="$(<"$i")" break done + + for i in "${subvol:1}"/usr/kernel/cmdline.d/*; do + [ -e "${subvol:1}/etc/kernel/cmdline.d/$(basename "$i")" ] && continue + dbg_cat "$i" + [ -s "$i" ] || continue + cmdline="${cmdline:+$cmdline }$(<"$i")" + done + + for i in "${subvol:1}"/etc/kernel/cmdline.d/*; do + dbg_cat "$i" + [ -s "$i" ] || continue + cmdline="${cmdline:+$cmdline }$(<"$i")" + done + + [ -z "$cmdline" ] || boot_options="$(echo "$cmdline" | sedrootflags "$subvol")" echo "$boot_options" } @@ -1525,6 +1540,7 @@ { local snapshot="$1" local kernel_version="$2" + [ -n "$kernel_version" ] || err "Missing kernel version" settle_entry_token "${snapshot}" local id @@ -2935,6 +2951,11 @@ fi } +get_predicted_hashes() +{ + find /var/lib/pcrlock.d/ -name "*.pcrlock" -type f -exec jq -r '.records[].digests[] | select(.hashAlg == "sha256") | .digest' {} + | sort -u +} + get_final_pcrs() { local pcrs="$1" @@ -2998,6 +3019,14 @@ clean_pcrlock_d + # Get the list of hashes that can participate in the policy. + # We will compare them with the generated for the next + # prediction. If there are no new hashes, a new policy will + # include all the PCR values form the current one, and we can + # skip the update + local pre_hashes + pre_hashes="$(get_predicted_hashes)" + shift_component 250-firmware-code-early shift_component 550-firmware-code-late pcrlock lock-firmware-code @@ -3111,6 +3140,11 @@ extra=("--recovery-pin=show") fi + local post_hashes + post_hashes="$(get_predicted_hashes)" + + [ -n "$(comm -13 <(echo "$pre_hashes") <(echo "$post_hashes"))" ] || return 0 + local final_pcrs final_pcrs="$(get_final_pcrs "$pcrs")" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sdbootutil-1+git20260311.73a155b/sdbootutil.spec new/sdbootutil-1+git20260313.ff5ea17/sdbootutil.spec --- old/sdbootutil-1+git20260311.73a155b/sdbootutil.spec 2026-03-11 15:54:50.000000000 +0100 +++ new/sdbootutil-1+git20260313.ff5ea17/sdbootutil.spec 2026-03-13 14:28:44.000000000 +0100 @@ -41,6 +41,7 @@ Requires: (%{name}-snapper if (snapper and btrfsprogs)) Requires: (%{name}-tukit if read-only-root-fs) Requires: tpm2.0-tools +Requires: libtss2-tcti-device0 # For bootctl and systemd-pcrlock Requires: (udev >= 257.9 or systemd-experimental < 257.9) Supplements: (grub2-x86_64-efi-bls and shim) ++++++ sdbootutil.obsinfo ++++++ --- /var/tmp/diff_new_pack.kRtBdX/_old 2026-03-13 21:16:29.816528949 +0100 +++ /var/tmp/diff_new_pack.kRtBdX/_new 2026-03-13 21:16:29.816528949 +0100 @@ -1,5 +1,5 @@ name: sdbootutil -version: 1+git20260311.73a155b -mtime: 1773240890 -commit: 73a155bdc01e5e2e29de7d2e30f80e63eb713acd +version: 1+git20260313.ff5ea17 +mtime: 1773408524 +commit: ff5ea17c75654f3e3ff6d7ea0c1c123f3328c60e
