Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2026-06-12 19:24:55 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.1981 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim" Fri Jun 12 19:24:55 2026 rev:137 rq:1358621 version:16.1 Changes: --------
--- /work/SRC/openSUSE:Factory/shim/shim.changes 2026-05-27 16:13:44.216971349 +0200
+++ /work/SRC/openSUSE:Factory/.shim.new.1981/shim.changes 2026-06-12 19:24:59.803835687 +0200
@@ -1,0 +2,19 @@
+Tue Jun 9 09:04:18 UTC 2026 - Joey Lee <[email protected]>
+
+- Apply nx-shim, create non-nx shim boot entry
+- Use nx shim as the default shim binary.
+ Add Microsoft-signed nx-shim:
+ Source40 shim-opensuse.nx.x86.efi
+ Source41 shim-opensuse.nx.aarch64.efi
+- Use ms-signed nx shim when the version equals with the version of
+ newly built shim
+ - Version mismatch indicates development of a new shim.
+- Create non-nx shim boot entry as a fallback option
+ Because we apply nx shim as the default shim binary in
+ /boot/efi/EFI/opensuse/shim.efi
+ /boot/efi/EFI/boot/bootx64.efi or bootaa64.efi
+ In case that user got any problem when the machine boots with nx-shim,
+ so we create a new boot entry for non-nx shim as a fallback option by
+ efibootmgr.
+
+-------------------------------------------------------------------
New: ---- shim-opensuse.nx.aarch64.efi shim-opensuse.nx.x86.efi ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shim.spec ++++++
--- /var/tmp/diff_new_pack.KSKYAr/_old 2026-06-12 19:25:05.220062708 +0200
+++ /var/tmp/diff_new_pack.KSKYAr/_new 2026-06-12 19:25:05.240063546 +0200
@@ -79,6 +79,9 @@
 Source31: shim-opensuse.aarch64.efi
 Source32: shim-sles.x86.efi
 Source33: shim-sles.aarch64.efi
+# Microsoft-signed nx-shim
+Source40: shim-opensuse.nx.x86.efi
+Source41: shim-opensuse.nx.aarch64.efi
 # revoked certificates for dbx
 Source50: revoked-openSUSE-UEFI-SIGN-Certificate-2013-01.crt
 Source51: revoked-openSUSE-UEFI-SIGN-Certificate-2013-08.crt
@@ -231,9 +234,11 @@ vendor_dbx='vendor-dbx-opensuse.esl' %ifarch x86_64 ms_shim=%{SOURCE30} + ms_shim_nx=%{SOURCE40} %else # opensuse aarch64 ms_shim=%{SOURCE31} + ms_shim_nx=%{SOURCE41} %endif elif test "$suffix" = "sles"; then cert=%{SOURCE12} @@ -242,15 +247,18 @@ vendor_dbx='vendor-dbx-sles.esl' %ifarch x86_64 ms_shim=%{SOURCE32} + ms_shim_nx="" %else # sles aarch64 ms_shim=%{SOURCE33} + ms_shim_nx="" %endif elif test "$suffix" = "devel"; then cert=%{_sourcedir}/_projectcert.crt verify=`openssl x509 -in "$cert" -noout -email` vendor_dbx='vendor-dbx.esl' ms_shim='' + ms_shim_nx='' test -e "$cert" || continue openssl x509 -in $cert -inform PEM -outform DER -out shim-$suffix.der else @@ -288,7 +296,6 @@ # make sure all object files gets rebuilt rm -f *.o -%if 0%{?shim_nx:1} # building shim.nx.efi make CC=%{cc_compiler} RELEASE=0 ENABLE_CODESIGN_EKU=1 SHIMSTEM=shim.nx \ VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \ 
@@ -299,21 +306,37 @@ # # assert correct certificate embedded grep -q "$verify" shim.nx.efi + # Use ms-signed nx shim when the version equals with the version of newly built shim + # Version mismatch indicates development of a new shim. + if test -n "$ms_shim_nx"; then + ms_version=$(strings "$ms_shim_nx" | grep '$Version:' | sed -e 's/^.*: //' -e 's/ \$//') + dev_version=$(strings shim.nx.efi | grep '$Version:' | sed -e 's/^.*: //' -e 's/ \$//') + if [ "$ms_version" = "$dev_version" ]; then + cp $ms_shim_nx shim-$suffix.nx.efi + else + cp shim.nx.efi shim-$suffix.nx.efi + fi + rm shim.nx.efi + else + # devel shim mv shim.nx.efi shim-$suffix.nx.efi + fi + # FIX: using debug info from devel shim doesn't match with ms-signed shim mv shim.nx.efi.debug shim-$suffix.nx.debug # remove the build cert if exists rm -f shim_cert.h shim.cer shim.crt # make sure all object files gets rebuilt rm -f *.o -%endif # 0%{?shim_nx:1} done -ln -s shim-${suffixes[0]}.efi shim.efi -mv shim-${suffixes[0]}.debug shim.debug -%if 0%{?shim_nx:1} +# link nx and non-nx shim +ln -s shim-${suffixes[0]}.efi shim.non-nx.efi +mv shim-${suffixes[0]}.debug shim.non-nx.debug ln -s shim-${suffixes[0]}.nx.efi shim.nx.efi mv shim-${suffixes[0]}.nx.debug shim.nx.debug -%endif # 0%{?shim_nx:1} +# default shim link to nx shim +ln -s shim.nx.efi shim.efi +mv shim.nx.debug shim.debug # Collect the source for debugsource mkdir ../source @@ -593,9 +616,12 @@ %dir %{sysefidir} %{sysefidir}/shim.efi %{sysefidir}/shim-*.efi +%{sysefidir}/shim.non-nx.efi %if 0%{?shim_nx:1} %exclude %{sysefidir}/shim-*.nx.efi %endif # 0%{?shim_nx:1} +%{sysefidir}/shim.nx.efi +%{sysefidir}/shim-*.nx.efi %{sysefidir}/shim-*.der %{sysefidir}/MokManager.efi %{sysefidir}/fallback.efi ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.KSKYAr/_old 2026-06-12 19:25:05.960093726 +0200 +++ /var/tmp/diff_new_pack.KSKYAr/_new 2026-06-12 19:25:05.996095235 +0200 
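Review bot: The swap to the Microsoft-signed binary in the @@ -299 hunk is gated only on two `strings | grep '$Version:'` results being equal, so if neither file yields a version line the test is `"" = ""` and the prebuilt `$ms_shim_nx` is shipped without any real match. The `grep -q "$verify" shim.nx.efi` assertion above it runs on the freshly built file, not on the binary that ends up as `shim-$suffix.nx.efi`. I would require a non-empty version with `if [ -n "$ms_version" ] && [ "$ms_version" = "$dev_version" ]; then`, quote the copy as `cp "$ms_shim_nx" "shim-$suffix.nx.efi"`, and repeat `grep -q "$verify" "shim-$suffix.nx.efi"` after the closing `fi`. The enclosing loop starts outside the hunk, so an equivalent check on the shipped binary may already exist there and should be confirmed.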
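Review bot: The `%if 0%{?shim_nx:1}` / `%exclude %{sysefidir}/shim-*.nx.efi` block left as context in the @@ -593 hunk now contradicts the `%{sysefidir}/shim-*.nx.efi` entry added directly after it. The build section no longer honours `shim_nx` and `shim.efi` has become a link to `shim.nx.efi`, so if the macro is ever defined the package could ship a default `shim.efi` whose target was excluded; how rpm resolves the exclude against the later include is worth confirming. Dropping the three conditional lines would make the file list match the unconditional build. The added `shim-*.nx.efi` line also looks redundant with the existing `%{sysefidir}/shim-*.efi` glob.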
@@ -1,6 +1,6 @@ -mtime: 1773304354 -commit: f38c3e6d430bb360664c85a60c2ffe66ec7152b4df13ea58b169a80ddd8a9bf1 +mtime: 1781089266 +commit: 5aff585bda65ef7c2e0ffa8a5715ffbadb5687f73f71314034c97433b63e68f5 url: https://src.opensuse.org/devel-factory/shim -revision: f38c3e6d430bb360664c85a60c2ffe66ec7152b4df13ea58b169a80ddd8a9bf1 +revision: 5aff585bda65ef7c2e0ffa8a5715ffbadb5687f73f71314034c97433b63e68f5 projectscmsync: https://src.opensuse.org/devel-factory/_ObsPrj.git ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-06-10 13:01:06.000000000 +0200 @@ -0,0 +1 @@ +.osc ++++++ shim-install ++++++ --- /var/tmp/diff_new_pack.KSKYAr/_old 2026-06-12 19:25:08.376194997 +0200 +++ /var/tmp/diff_new_pack.KSKYAr/_new 2026-06-12 19:25:08.404196171 +0200 @@ -35,6 +35,13 @@ source_shim_efi="${source_dir}/${def_shim_efi}" +# non-nx shim +def_shim_non_nx_efi="${def_shim_efi%.efi}.non-nx.efi" +if [ ! -e "${source_dir}/${def_shim_non_nx_efi}" ]; then + def_shim_non_nx_efi="shim.non-nx.efi" +fi +source_shim_nx_efi="${source_dir}/${def_shim_non_nx_efi}" + if [ x${arch} = xx86_64 ] ; then grub_install_target="x86_64-efi" def_boot_efi="bootx64.efi" @@ -305,6 +312,7 @@ if test -n "$efidir"; then efi_file=shim.efi + efi_non_nx_file=shim.non-nx.efi efibootdir="$efidir/EFI/boot" mkdir -p "$efibootdir" || exit 1 if test "$removable" = "yes" ; then @@ -344,6 +352,11 @@ fgrep -i " $bootloader_id" | cut -b5-8`; do $efibootmgr -b "$bootnum" -B done + # Delete old entries for non-nx from the same distributor. + for bootnum in `$efibootmgr | grep '^Boot[0-9]' | \ + fgrep " $bootloader_id-non-nx" | cut -b5-8`; do + $efibootmgr -b "$bootnum" -B + done fi exit 0 fi 
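Review bot: In the shim-install @@ -35 hunk, `source_shim_nx_efi` is assigned the path of the non-nx binary (`${source_dir}/${def_shim_non_nx_efi}`), so the name says the opposite of what the variable holds. With an nx and a non-nx binary now installed side by side, that is an easy way to copy the wrong file in a later edit. I would rename it to `source_shim_non_nx_efi` here and at the `cp` in the @@ -364 hunk. The fallback to `shim.non-nx.efi` is not checked for existence either, so a missing file only surfaces at that later `cp`.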
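Review bot: The loop added in the @@ -344 hunk appears to have nothing left to delete, because the loop just above it filters with `fgrep -i " $bootloader_id"` and that substring also matches every `$bootloader_id-non-nx` label. The same pair of loops is added in the @@ -489 hunk. Either drop the new loop and extend the existing comment to `# Delete old entries from the same distributor (substring match, includes the -non-nx entries).`, or keep it and add `-i` so both loops match case the same way. The enclosing `if` starts outside the hunk.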
@@ -364,6 +377,8 @@ if test "$efidir" != "$efibootdir" ; then cp "${source_shim_efi}" "${efidir}/shim.efi" + # copy non-nx shim + cp "${source_shim_nx_efi}" "${efidir}/shim.non-nx.efi" if test -n "$bootloader_id"; then echo "shim.efi,${bootloader_id}" | iconv -f ascii -t ucs2 > "${efidir}/boot.csv" fi @@ -371,6 +386,7 @@ if test "$update_boot" = "yes"; then cp "$source_shim_efi" "${efibootdir}/${def_boot_efi}" + # firmware only support bootx64.efi, NOT support bootx64.non-nx.efi if test "$removable" = "no"; then cp "${source_dir}/fallback.efi" "${efibootdir}" # bsc#1175626, bsc#1175656 Since shim 15, loading MokManager becomes @@ -489,6 +505,11 @@ fgrep -i " $bootloader_id" | cut -b5-8`; do $efibootmgr -b "$bootnum" -B done + # Delete old entries for non-nx from the same distributor. + for bootnum in `$efibootmgr | grep '^Boot[0-9]' | \ + fgrep " $bootloader_id-non-nx" | cut -b5-8`; do + $efibootmgr -b "$bootnum" -B + done # bsc#1230316 Skip the creation of the boot option for encrypted SL-Micro to make # the system always boot from the default boot path (\EFI\BOOT\boot<arch>.efi) @@ -514,11 +535,17 @@ efidir_d=${mddev#/dev/} $efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \ -L "$bootloader_id ($efidir_d)" -l "\\EFI\\$efi_distributor\\$efi_file" + # handle non-nx shim + $efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \ + -L "$bootloader_id-non-nx ($efidir_d)" -l "\\EFI\\$efi_distributor\\$efi_non_nx_file" done else efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')" $efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \ -L "$bootloader_id" -l "\\EFI\\$efi_distributor\\$efi_file" + # handle non-nx shim + $efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \ + -L "$bootloader_id-non-nx" -l "\\EFI\\$efi_distributor\\$efi_non_nx_file" fi fi fi
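Review bot: In the @@ -514 hunk the non-nx entry is created after the default one in both branches, and `efibootmgr -c` adds each new entry to BootOrder, at the front as far as I know. The fallback `$bootloader_id-non-nx` entry would then sit ahead of the nx entry and be what the firmware tries first, which defeats the stated intent of making the nx shim the default. Creating the non-nx entry first and the `$efi_file` entry last would keep the nx shim at the head of BootOrder, with a comment such as `# create the fallback first: the entry created last is tried first`. The non-nx entry is also created without checking that `${efidir}/shim.non-nx.efi` was actually copied in the @@ -364 hunk.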
