Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in at 2022-11-16 15:42:21
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and      /work/SRC/openSUSE:Factory/.shim.new.1597 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim"

Wed Nov 16 15:42:21 2022 rev:106 rq:1035800 version:15.6

Changes:
--------
--- /work/SRC/openSUSE:Factory/shim/shim.changes	2022-10-03 13:44:30.845316706 +0200
+++ /work/SRC/openSUSE:Factory/.shim.new.1597/shim.changes	2022-11-16 15:42:26.435618660 +0100
@@ -1,0 +2,34 @@ +Tue Nov 15 08:06:24 UTC 2022 - Joey Lee <j...@suse.com> + +- Add shim-jscPED-127-upgrade-shim-in-SLE15-SP5.patch for backporting the following + patches between 15.6 with aa1b289a1a (jsc#PED-127): + aa1b289a1a16774afc3143b8948d97261f0872d0 mok: remove MokListTrusted from PCR 7 + 0cf43ac6d78c6f47f8b91210639ac1aa63665f0b Add -malign-double to IA32 compiler flags + ea4911c2f3ce8f8f703a1476febac86bb16b00fd load_cert_file: Use EFI RT memory function + 2d4ebb5a798aafd3b06d2c3cb9c9840c1caa41ef load_cert_file: Fix stack issue + 5c537b3d0cf8c393dad2e61d49aade68f3af1401 shim: Flush the memory region from i-cache before execution + 14d63398298c8de23036a4cf61594108b7345863 Discard load-options that start with a NUL + 092c2b2bbed950727e41cf450b61c794881c33e7 Reference MokListRT instead of MokList + 0eb07e11b20680200d3ce9c5bc59299121a75388 Make SBAT variable payload introspectable + +------------------------------------------------------------------- +Tue Nov 15 08:06:05 UTC 2022 - Joey Lee <j...@suse.com> + +- Add shim-Enable-TDX-measurement-to-RTMR-register.patch to support + enhance shim measurement to TD RTMR. (jsc#PED-1273) + +------------------------------------------------------------------- +Tue Nov 15 07:53:59 UTC 2022 - Joey Lee <j...@suse.com> + +- For pushing openSUSE:Factory/shim to SLE15-SP5, sync the shim.spec + and shim.changes: (jsc#PED-127) + - Add some change log from SLE shim.changes to Factory shim.changes + Those messages are added "(sync shim.changes from SLE)" tag. + - Add the following changes to shim.spec + - only apply Patch100, the shim-bsc1198101-opensuse-cert-prompt.patch + on openSUSE. + - Enable the AArch64 signature check for SLE: + # AArch64 signature + signature=%{SOURCE13} + +------------------------------------------------------------------- 
@@ -195,0 +230,5 @@ +Thu Jul 15 08:13:26 UTC 2021 - Johannes Segitz <jseg...@suse.com> + +- Update the SLE signatures (sync shim.changes from SLE) + +------------------------------------------------------------------- @@ -203,0 +243,34 @@ +(sync shim.changes from SLE) +- Split the keys in vendor-dbx.bin to vendor-dbx-sles and + vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce + the size of MokListXRT (bsc#1185261) + + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz +- Add shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch + to handle ignore_db and user_insecure_mode correctly + (bsc#1185441, bsc#1187071) +- Add shim-bsc1185621-relax-max-var-sz-check.patch to relax the + maximum variable size check for u-boot (bsc#1185621) + + Also drop AArch64 suse-signed shim since we merged this patch +- Add shim-bsc1185261-relax-import_mok_state-check.patch to relax + the check for import_mok_state() when Secure Boot is off. + (bsc#1185261) +- Add shim-bsc1185232-relax-loadoptions-length-check.patch to + ignore the odd LoadOptions length (bsc#1185232) +- shim-install: reset def_shim_efi to "shim.efi" if the given + file doesn't exist +- Add shim-fix-aa64-relsz.patch to fix the size of rela sections + for AArch64 + Fix: https://github.com/rhboot/shim/issues/371 +- Add shim-disable-export-vendor-dbx.patch to disable exporting + vendor-dbx to MokListXRT since writing a large RT variable + could crash some machines (bsc#1185261) +- Add shim-bsc1187260-fix-efi-1.10-machines.patch to avoid the + potential crash when calling QueryVariableInfo in EFI 1.10 + machines (bsc#1187260) +- Add shim-bsc1185232-fix-config-table-copying.patch to avoid + buffer overflow when copying data to the MOK config table + (bsc#1185232) + +------------------------------------------------------------------- +Mon Jun 21 08:51:37 UTC 2021 - Gary Ching-Pang Lin <g...@suse.com> + 
@@ -258,0 +332,6 @@ +Thu May 6 06:45:39 UTC 2021 - Gary Ching-Pang Lin <g...@suse.com> + +- Include suse-signed shim for AArch64 (bsc#1185621) + (sync shim.changes from SLE) + +------------------------------------------------------------------- @@ -277,0 +357,10 @@ + +------------------------------------------------------------------- +Thu Apr 22 03:26:48 UTC 2021 - Gary Ching-Pang Lin <g...@suse.com> + +- Enable the AArch64 signature check for SLE (sync shim.changes from SLE) + +------------------------------------------------------------------- +Wed Apr 21 05:44:35 UTC 2021 - Johannes Segitz <jseg...@suse.com> + +- Update the SLE signatures (sync shim.changes from SLE) New: ---- shim-Enable-TDX-measurement-to-RTMR-register.patch shim-jscPED-127-upgrade-shim-in-SLE15-SP5.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shim.spec ++++++ --- /var/tmp/diff_new_pack.fpkDSj/_old 2022-11-16 15:42:27.195622581 +0100 +++ /var/tmp/diff_new_pack.fpkDSj/_new 2022-11-16 15:42:27.203622623 +0100 @@ -77,6 +77,10 @@ Patch5: remove_build_id.patch # PATCH-FIX-SUSE shim-disable-export-vendor-dbx.patch bsc#1185261 g...@suse.com -- Disable exporting vendor-dbx to MokListXRT Patch6: shim-disable-export-vendor-dbx.patch +# PATCH-FIX-UPSTREAM shim-Enable-TDX-measurement-to-RTMR-register.patch jsc#PED-1273 j...@suse.com -- Impl: [TDX Guest] TDX: Enhance shim measurement to TD RTMR +Patch7: shim-Enable-TDX-measurement-to-RTMR-register.patch +# PATCH-FIX-UPSTREAM shim-jscPED-127-upgrade-shim-in-SLE15-SP5.patch jsc#PED-127 j...@suse.com -- Impl: Upgrade shim in SLE 15-SP5 and openSUSE TW for some issues +Patch8: shim-jscPED-127-upgrade-shim-in-SLE15-SP5.patch # PATCH-FIX-OPENSUSE shim-bsc1198101-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not Patch100: shim-bsc1198101-opensuse-cert-prompt.patch BuildRequires: dos2unix 
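Review bot: the PATCH-FIX-UPSTREAM comment for Patch8 ("Upgrade shim in SLE 15-SP5 and openSUSE TW for some issues") does not say which upstream commits the patch carries, although shim.changes in this same submission lists the eight ids (aa1b289a1a through 0eb07e11b2); put that range in the spec comment so the patch can be dropped mechanically at the next rebase onto a release that contains them. The same applies to Patch7, which is upstream commit 4fd484e4c2 (the From line of the patch below) and could carry that id in its comment.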
@@ -124,7 +128,11 @@ %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%if 0%{?is_opensuse} == 1 || 0%{?sle_version} == 0 %patch100 -p1 +%endif %build # generate the vendor SBAT metadata @@ -189,9 +197,7 @@ signature=%{SOURCE11} %else # AArch64 signature - # Disable AArch64 signature attachment temporarily - # until we get a real one. - #signature=%{SOURCE13} + signature=%{SOURCE13} %endif elif test "$suffix" = "devel"; then cert=%{_sourcedir}/_projectcert.crt ++++++ shim-Enable-TDX-measurement-to-RTMR-register.patch ++++++ >From 4fd484e4c29364b4fdf4d043556fa0a210c5fdfc Mon Sep 17 00:00:00 2001 
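Review bot: the new `%if 0%{?is_opensuse} == 1 || 0%{?sle_version} == 0` around `%patch100 -p1` is wider than what shim.changes states ("only apply Patch100, the shim-bsc1198101-opensuse-cert-prompt.patch on openSUSE"): the second arm also applies the openSUSE certificate prompt on any build where sle_version is undefined, not only on openSUSE. If openSUSE builds are the only target, `%if 0%{?is_opensuse}` is enough; if the second arm is deliberate (for builds without the SLE macros), say so in the PATCH-FIX-OPENSUSE comment on Patch100 so the condition is not "simplified" later.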
From: Lu Ken <ken...@intel.com> Date: Sun, 22 May 2022 16:02:20 +0800 Subject: [PATCH] Enable TDX measurement to RTMR register Intel Trust Domain Extensions (Intel TDX) extends Virtual Machine Extensions (VMX) and Multi-Key Total Memory Encryption (MK-TME) with a new kind of virtual machine guest called a Trust Domain(TD)[1]. A TD runs in a CPU mode that is designed to protect the confidentiality of its memory contents and its CPU state from any other software, including the hosting Virtual Machine Monitor (VMM). Trust Domain Virtual Firmware (TDVF) is required to provide Intel TDX implementation and service for EFI_CC_MEASUREMENT_PROTOCOL[2]. The bugzilla for TDVF is at https://bugzilla.tianocore.org/show_bug.cgi?id=3625. To support CC measurement/attestation with Intel TDX technology, these 4 RTMR registers will be extended by TDX service like TPM/TPM2 PCR: - RTMR[0] for TDVF configuration - RTMR[1] for the TD OS loader and kernel - RTMR[2] for the OS application - RTMR[3] reserved for special usage only Add a TDX Implementation for CC Measurement protocol along with TPM/TPM2 protocol. References: [1] https://software.intel.com/content/dam/develop/external/us/en/documents/tdx-whitepaper-v4.pdf [2] https://software.intel.com/content/dam/develop/external/us/en/documents/tdx-virtual-firmware-design-guide-rev-1.pdf [3] https://software.intel.com/content/dam/develop/external/us/en/documents/intel-tdx-guest-hypervisor-communication-interface-1.0-344426-002.pdf Signed-off-by: Lu Ken <ken...@intel.com> [rharwood: style pass on code and commit message] Signed-off-by: Robbie Harwood <rharw...@redhat.com> --- include/cc.h | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++ include/guid.h | 1 + lib/guid.c | 1 + shim.h | 1 + tpm.c | 48 ++++++++++++++++++++++++++++ 5 files changed, 136 insertions(+) create mode 100644 include/cc.h diff --git a/include/cc.h b/include/cc.h new file mode 100644 index 0000000..8b12720 --- /dev/null +++ b/include/cc.h 
@@ -0,0 +1,85 @@ +// SPDX-License-Identifier: BSD-2-Clause-Patent + +#ifndef SHIM_CC_H +#define SHIM_CC_H + +typedef struct { + uint8_t Major; + uint8_t Minor; +} EFI_CC_VERSION; + +#define EFI_CC_TYPE_NONE 0 +#define EFI_CC_TYPE_SEV 1 +#define EFI_CC_TYPE_TDX 2 + +typedef struct { + uint8_t Type; + uint8_t SubType; +} EFI_CC_TYPE; + +typedef uint32_t EFI_CC_EVENT_LOG_BITMAP; +typedef uint32_t EFI_CC_EVENT_LOG_FORMAT; +typedef uint32_t EFI_CC_EVENT_ALGORITHM_BITMAP; +typedef uint32_t EFI_CC_MR_INDEX; + +#define TDX_MR_INDEX_MRTD 0 +#define TDX_MR_INDEX_RTMR0 1 +#define TDX_MR_INDEX_RTMR1 2 +#define TDX_MR_INDEX_RTMR2 3 +#define TDX_MR_INDEX_RTMR3 4 + +#define EFI_CC_EVENT_LOG_FORMAT_TCG_2 0x00000002 +#define EFI_CC_BOOT_HASH_ALG_SHA384 0x00000004 +#define EFI_CC_EVENT_HEADER_VERSION 1 + +typedef struct tdEFI_CC_EVENT_HEADER { + uint32_t HeaderSize; + uint16_t HeaderVersion; + EFI_CC_MR_INDEX MrIndex; + uint32_t EventType; +} __attribute__((packed)) EFI_CC_EVENT_HEADER; + +typedef struct tdEFI_CC_EVENT { + uint32_t Size; + EFI_CC_EVENT_HEADER Header; + uint8_t Event[1]; +} __attribute__((packed)) EFI_CC_EVENT; + +typedef struct tdEFI_CC_BOOT_SERVICE_CAPABILITY { + uint8_t Size; + EFI_CC_VERSION StructureVersion; + EFI_CC_VERSION ProtocolVersion; + EFI_CC_EVENT_ALGORITHM_BITMAP HashAlgorithmBitmap; + EFI_CC_EVENT_LOG_BITMAP SupportedEventLogs; + EFI_CC_TYPE CcType; +} EFI_CC_BOOT_SERVICE_CAPABILITY; + +struct efi_cc_protocol +{ + EFI_STATUS (EFIAPI *get_capability) ( + struct efi_cc_protocol *this, + EFI_CC_BOOT_SERVICE_CAPABILITY *ProtocolCapability); + EFI_STATUS (EFIAPI *get_event_log) ( + struct efi_cc_protocol *this, + EFI_CC_EVENT_LOG_FORMAT EventLogFormat, + EFI_PHYSICAL_ADDRESS *EventLogLocation, + EFI_PHYSICAL_ADDRESS *EventLogLastEntry, + BOOLEAN *EventLogTruncated); + EFI_STATUS (EFIAPI *hash_log_extend_event) ( + struct efi_cc_protocol *this, + uint64_t Flags, + EFI_PHYSICAL_ADDRESS DataToHash, + uint64_t DataToHashLen, + EFI_CC_EVENT *EfiCcEvent); + 
EFI_STATUS (EFIAPI *map_pcr_to_mr_index) ( + struct efi_cc_protocol *this, + uint32_t PcrIndex, + EFI_CC_MR_INDEX *MrIndex); +}; + +typedef struct efi_cc_protocol efi_cc_protocol_t; + +#define EFI_CC_FLAG_PE_COFF_IMAGE 0x0000000000000010 + +#endif /* SHIM_CC_H */ +// vim:fenc=utf-8:tw=75 diff --git a/include/guid.h b/include/guid.h index d9910ff..dad63f0 100644 --- a/include/guid.h +++ b/include/guid.h @@ -29,6 +29,7 @@ extern EFI_GUID EFI_IP6_CONFIG_GUID; extern EFI_GUID EFI_LOADED_IMAGE_GUID; extern EFI_GUID EFI_TPM_GUID; extern EFI_GUID EFI_TPM2_GUID; +extern EFI_GUID EFI_CC_MEASUREMENT_PROTOCOL_GUID; extern EFI_GUID EFI_SECURE_BOOT_DB_GUID; extern EFI_GUID EFI_SIMPLE_FILE_SYSTEM_GUID; extern EFI_GUID SECURITY_PROTOCOL_GUID; diff --git a/lib/guid.c b/lib/guid.c index e100c92..904629e 100644 --- a/lib/guid.c +++ b/lib/guid.c @@ -28,6 +28,7 @@ EFI_GUID EFI_IP6_CONFIG_GUID = { 0x937fe521, 0x95ae, 0x4d1a, {0x89, 0x29, 0x48, EFI_GUID EFI_LOADED_IMAGE_GUID = EFI_LOADED_IMAGE_PROTOCOL_GUID; EFI_GUID EFI_TPM_GUID = { 0xf541796d, 0xa62e, 0x4954, {0xa7, 0x75, 0x95, 0x84, 0xf6, 0x1b, 0x9c, 0xdd } }; EFI_GUID EFI_TPM2_GUID = { 0x607f766c, 0x7455, 0x42be, {0x93, 0x0b, 0xe4, 0xd7, 0x6d, 0xb2, 0x72, 0x0f } }; +EFI_GUID EFI_CC_MEASUREMENT_PROTOCOL_GUID = { 0x96751a3d, 0x72f4, 0x41a6, {0xa7, 0x94, 0xed, 0x5d, 0x0e, 0x67, 0xae, 0x6b } }; EFI_GUID EFI_SECURE_BOOT_DB_GUID = { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f } }; EFI_GUID EFI_SIMPLE_FILE_SYSTEM_GUID = SIMPLE_FILE_SYSTEM_PROTOCOL; EFI_GUID SECURITY_PROTOCOL_GUID = { 0xA46423E3, 0x4617, 0x49f1, {0xB9, 0xFF, 0xD1, 0xBF, 0xA9, 0x11, 0x58, 0x39 } }; diff --git a/shim.h b/shim.h index 7e9d10e..14824c6 100644 --- a/shim.h +++ b/shim.h @@ -186,6 +186,7 @@ #include "include/simple_file.h" #include "include/str.h" #include "include/tpm.h" +#include "include/cc.h" #include "include/ucs2.h" #include "include/variables.h" #include "include/hexdump.h" 
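Review bot: `uint8_t Event[1]` at the end of EFI_CC_EVENT in include/cc.h is the pre-C99 trailing-array idiom, and it is what forces the `sizeof(*event) - sizeof(event->Event) + logsize` arithmetic in tpm.c; a C99 flexible array member (`uint8_t Event[];`) makes the allocation `sizeof(*event) + logsize` and removes the chance of a one-byte mismatch if the header and the caller are ever edited independently. Also, EFI_CC_EVENT_HEADER and EFI_CC_EVENT are `__attribute__((packed))` while EFI_CC_BOOT_SERVICE_CAPABILITY, which firmware fills in through get_capability, is not; a one-line comment saying which layout the protocol expects for each would stop a later reader from "fixing" the inconsistency in either direction.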
diff --git a/tpm.c b/tpm.c index 41f3665..388f8d1 100644 --- a/tpm.c +++ b/tpm.c @@ -108,6 +108,45 @@ static EFI_STATUS tpm_locate_protocol(efi_tpm_protocol_t **tpm, return EFI_NOT_FOUND; } +static EFI_STATUS cc_log_event_raw(EFI_PHYSICAL_ADDRESS buf, UINTN size, + UINT8 pcr, const CHAR8 *log, UINTN logsize, + UINT32 type, BOOLEAN is_pe_image) +{ + EFI_STATUS efi_status; + EFI_CC_EVENT *event; + efi_cc_protocol_t *cc; + EFI_CC_MR_INDEX mr; + uint64_t flags = is_pe_image ? EFI_CC_FLAG_PE_COFF_IMAGE : 0; + + efi_status = LibLocateProtocol(&EFI_CC_MEASUREMENT_PROTOCOL_GUID, + (VOID **)&cc); + if (EFI_ERROR(efi_status) || !cc) + return EFI_SUCCESS; + + efi_status = cc->map_pcr_to_mr_index(cc, pcr, &mr); + if (EFI_ERROR(efi_status)) + return EFI_NOT_FOUND; + + UINTN event_size = sizeof(*event) - sizeof(event->Event) + logsize; + + event = AllocatePool(event_size); + if (!event) { + perror(L"Unable to allocate event structure\n"); + return EFI_OUT_OF_RESOURCES; + } + + event->Header.HeaderSize = sizeof(EFI_CC_EVENT_HEADER); + event->Header.HeaderVersion = EFI_CC_EVENT_HEADER_VERSION; + event->Header.MrIndex = mr; + event->Header.EventType = type; + event->Size = event_size; + CopyMem(event->Event, (VOID *)log, logsize); + efi_status = cc->hash_log_extend_event(cc, flags, buf, (UINT64)size, + event); + FreePool(event); + return efi_status; +} + static EFI_STATUS tpm_log_event_raw(EFI_PHYSICAL_ADDRESS buf, UINTN size, UINT8 pcr, const CHAR8 *log, UINTN logsize, UINT32 type, CHAR8 *hash) 
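Review bot: in cc_log_event_raw(), a failure from `cc->map_pcr_to_mr_index()` is turned into a hard EFI_NOT_FOUND, while an absent protocol is silently EFI_SUCCESS; the header defines only five MR indices (MRTD, RTMR0..RTMR3) for the UINT8 PCR numbers callers pass, so a PCR the firmware declines to map fails the whole measurement instead of being skipped like the no-protocol case. Either return EFI_SUCCESS there (with a debug message) or propagate the protocol's own status rather than replacing it. Two smaller points: `is_pe_image` is fed from `hash != NULL` in the caller, which is an indirect way of saying "this buffer is a PE/COFF image" and deserves a comment above the function, since EFI_CC_FLAG_PE_COFF_IMAGE changes how the firmware hashes `buf`; and `get_capability()` is never consulted, so nothing verifies that SupportedEventLogs includes EFI_CC_EVENT_LOG_FORMAT_TCG_2 or that HashAlgorithmBitmap includes EFI_CC_BOOT_HASH_ALG_SHA384 before extending.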
@@ -118,6 +157,15 @@ static EFI_STATUS tpm_log_event_raw(EFI_PHYSICAL_ADDRESS buf, UINTN size, BOOLEAN old_caps; EFI_TCG2_BOOT_SERVICE_CAPABILITY caps; + /* CC guest like TDX or SEV will measure the buffer and log the event, + extend the result into a specific CC MR like TCG's PCR. It could + coexists with TCG's TPM 1.2 and TPM 2. + */ + efi_status = cc_log_event_raw(buf, size, pcr, log, logsize, type, + (hash != NULL)); + if (EFI_ERROR(efi_status)) + return efi_status; + efi_status = tpm_locate_protocol(&tpm, &tpm2, &old_caps, &caps); if (EFI_ERROR(efi_status)) { #ifdef REQUIRE_TPM -- 2.35.3 ++++++ shim-bsc1198101-opensuse-cert-prompt.patch ++++++ --- /var/tmp/diff_new_pack.fpkDSj/_old 2022-11-16 15:42:27.303623137 +0100 +++ /var/tmp/diff_new_pack.fpkDSj/_new 2022-11-16 15:42:27.307623159 +0100 @@ -22,10 +22,10 @@ shim.h | 1 + 3 files changed, 71 insertions(+), 2 deletions(-) -Index: shim-15.6~rc1+77144e5a/mok.c +Index: shim-15.6/mok.c =================================================================== ---- shim-15.6~rc1+77144e5a.orig/mok.c -+++ shim-15.6~rc1+77144e5a/mok.c +--- shim-15.6.orig/mok.c ++++ shim-15.6/mok.c @@ -46,7 +46,8 @@ static EFI_STATUS check_mok_request(EFI_ check_var(L"MokPW") || check_var(L"MokAuth") || check_var(L"MokDel") || check_var(L"MokDB") || @@ -46,10 +46,10 @@ return VENDOR_ADDEND_NONE; } -Index: shim-15.6~rc1+77144e5a/shim.c +Index: shim-15.6/shim.c =================================================================== ---- shim-15.6~rc1+77144e5a.orig/shim.c -+++ shim-15.6~rc1+77144e5a/shim.c +--- shim-15.6.orig/shim.c ++++ shim-15.6/shim.c @@ -496,6 +496,8 @@ verify_one_signature(WIN_CERTIFICATE_EFI } @@ -59,7 +59,7 @@ #if defined(ENABLE_SHIM_CERT) /* * Check against the shim build key -@@ -1572,6 +1574,69 @@ shim_fini(void) +@@ -1568,6 +1570,69 @@ shim_fini(void) console_fini(); } 
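Review bot: in tpm_log_event_raw(), the `if (EFI_ERROR(efi_status)) return efi_status;` right after the cc_log_event_raw() call aborts before tpm_locate_protocol() runs, so any CC-side error (the EFI_NOT_FOUND from a failed MR mapping, EFI_OUT_OF_RESOURCES from AllocatePool, or a rejected hash_log_extend_event) leaves the TPM event log and PCRs without this event on a guest that exposes both the CC protocol and a TPM, even though the comment says the two "could coexists". Unless a partial measurement is meant to be fatal, log the CC error and fall through to the TPM path, or make only an extend failure fatal. Nit: "could coexists" should read "can coexist".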
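The commit message above describes the four RTMRs as being extended "like TPM/TPM2 PCR", with RTMR[1] for the OS loader and kernel, and cc_log_event_raw() records each extend as an EFI_CC_EVENT in a TCG_2-format log indexed by MR index (MRTD = 0, RTMR0..RTMR3 = 1..4, per include/cc.h). What the relying party does with that is replay the log and compare the result against the RTMR values in the TD quote. The following added example, which is not shim's or Intel's code, does that replay on a constructed log: it parses TCG_PCR_EVENT2 entries whose PCRIndex field carries the MR index, applies the RTMR extend rule (assumed here to be SHA-384 over the old 48-byte register value concatenated with the 48-byte digest, as the TDX module defines it), and rejects events that target MRTD or an out-of-range register. It assumes the log has already been stripped of the TCG "Spec ID" header event, and the event types, sample image bytes and command line are made up for the example.

```python
"""Replay a CC (TDX) event log in EFI_CC_EVENT_LOG_FORMAT_TCG_2 layout into
RTMR0..RTMR3, the way a verifier checks a log against a TD quote.
Added example, not shim code; the sample log below is constructed."""
import hashlib
import struct

# From include/cc.h in the patch above and the TCG algorithm registry.
TPM_ALG_SHA384 = 0x000C
DIGEST_LEN = {0x0004: 20, 0x000B: 32, 0x000C: 48, 0x000D: 64}  # SHA1, SHA256, SHA384, SHA512
MR_INDEX_MRTD = 0
MR_INDEX_RTMR0 = 1
MR_INDEX_RTMR3 = 4
RTMR_COUNT = 4
EV_EFI_BOOT_SERVICES_APPLICATION = 0x80000003  # TCG event type for a loaded PE image
EV_IPL = 0x0000000D                            # TCG event type shim uses for loader strings


def encode_event2(mr_index, event_type, sha384_digest, event_data):
    """Serialize one TCG_PCR_EVENT2 entry; in a CC log the PCRIndex field holds the MR index."""
    if len(sha384_digest) != DIGEST_LEN[TPM_ALG_SHA384]:
        raise ValueError("SHA-384 digest must be 48 bytes")
    return (
        struct.pack("<III", mr_index, event_type, 1)  # PCRIndex, EventType, digest count
        + struct.pack("<H", TPM_ALG_SHA384) + sha384_digest
        + struct.pack("<I", len(event_data)) + event_data
    )


def parse_event2(log, off):
    """Parse one TCG_PCR_EVENT2 at log[off:]; returns (mr_index, event_type, {alg: digest}, data, next_off)."""
    mr_index, event_type, count = struct.unpack_from("<III", log, off)
    off += 12
    digests = {}
    for _ in range(count):
        (alg,) = struct.unpack_from("<H", log, off)
        off += 2
        if alg not in DIGEST_LEN:
            raise ValueError(f"unknown digest algorithm 0x{alg:04x} in event log")
        digests[alg] = bytes(log[off:off + DIGEST_LEN[alg]])
        off += DIGEST_LEN[alg]
    (size,) = struct.unpack_from("<I", log, off)
    off += 4
    if off + size > len(log):
        raise ValueError("event data runs past the end of the log")
    return mr_index, event_type, digests, bytes(log[off:off + size]), off + size


def rtmr_extend(current, digest):
    """RTMR extend rule assumed here: RTMR' = SHA-384(RTMR || digest), both 48 bytes."""
    return hashlib.sha384(current + digest).digest()


def replay_rtmrs(log):
    """Replay every event into the four RTMRs, starting from all-zero registers."""
    rtmrs = [bytes(DIGEST_LEN[TPM_ALG_SHA384])] * RTMR_COUNT
    off = 0
    while off < len(log):
        mr_index, _event_type, digests, _data, off = parse_event2(log, off)
        if mr_index == MR_INDEX_MRTD:
            raise ValueError("MRTD is fixed at TD build time; a runtime log must not extend it")
        if not MR_INDEX_RTMR0 <= mr_index <= MR_INDEX_RTMR3:
            raise ValueError(f"MR index {mr_index} is outside RTMR0..RTMR3")
        if TPM_ALG_SHA384 not in digests:
            raise ValueError("CC event carries no SHA-384 digest to extend with")
        slot = mr_index - MR_INDEX_RTMR0
        rtmrs[slot] = rtmr_extend(rtmrs[slot], digests[TPM_ALG_SHA384])
    return rtmrs


def rtmrs_match_quote(log, quoted_rtmrs):
    """True if replaying the log reproduces the RTMR values reported in a TD quote."""
    return replay_rtmrs(log) == list(quoted_rtmrs)


# Constructed sample log (not captured from a real TD): a kernel image measured into
# RTMR1 (MR index 2, the register the commit message assigns to the OS loader and
# kernel) and a loader command line into RTMR2 (MR index 3).
SAMPLE_KERNEL = b"MZ" + b"\x00" * 62                     # fake PE header bytes
SAMPLE_KERNEL_DIGEST = hashlib.sha384(SAMPLE_KERNEL).digest()
SAMPLE_CMDLINE = b"grub_cmd: linux /vmlinuz"
SAMPLE_CMDLINE_DIGEST = hashlib.sha384(SAMPLE_CMDLINE).digest()
SAMPLE_LOG = (
    encode_event2(2, EV_EFI_BOOT_SERVICES_APPLICATION, SAMPLE_KERNEL_DIGEST, b"vmlinuz.efi\0")
    + encode_event2(3, EV_IPL, SAMPLE_CMDLINE_DIGEST, SAMPLE_CMDLINE + b"\0")
)

if __name__ == "__main__":
    for i, value in enumerate(replay_rtmrs(SAMPLE_LOG)):
        print(f"RTMR[{i}] = {value.hex()}")
```

A real verifier would take the log from the guest (the CC protocol's get_event_log exposes it to the OS, which typically re-exports it under /sys/firmware) and the RTMR values from the signed TD quote, then compare with rtmrs_match_quote(); a mismatch means an unlogged extend, a truncated log, or a log that was not replayed in the same digest order the firmware used.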
@@ -129,7 +129,7 @@ extern EFI_STATUS efi_main(EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab); -@@ -1712,6 +1777,9 @@ efi_main (EFI_HANDLE passed_image_handle +@@ -1708,6 +1773,9 @@ efi_main (EFI_HANDLE passed_image_handle */ debug_hook(); @@ -139,10 +139,10 @@ efi_status = set_sbat_uefi_variable(); if (EFI_ERROR(efi_status) && secure_mode()) { perror(L"%s variable initialization failed\n", SBAT_VAR_NAME); -Index: shim-15.6~rc1+77144e5a/MokManager.c +Index: shim-15.6/MokManager.c =================================================================== ---- shim-15.6~rc1+77144e5a.orig/MokManager.c -+++ shim-15.6~rc1+77144e5a/MokManager.c +--- shim-15.6.orig/MokManager.c ++++ shim-15.6/MokManager.c @@ -1864,6 +1864,36 @@ mokpw_done: return EFI_SUCCESS; } @@ -280,10 +280,10 @@ LibDeleteVariable(L"MokAuth", &SHIM_LOCK_GUID); LibDeleteVariable(L"MokDelAuth", &SHIM_LOCK_GUID); LibDeleteVariable(L"MokXAuth", &SHIM_LOCK_GUID); -Index: shim-15.6~rc1+77144e5a/globals.c +Index: shim-15.6/globals.c =================================================================== ---- shim-15.6~rc1+77144e5a.orig/globals.c -+++ shim-15.6~rc1+77144e5a/globals.c +--- shim-15.6.orig/globals.c ++++ shim-15.6/globals.c @@ -25,6 +25,7 @@ UINT8 *build_cert; */ verification_method_t verification_method; @@ -292,11 +292,11 @@ UINT8 user_insecure_mode; UINT8 ignore_db; -Index: shim-15.6~rc1+77144e5a/shim.h +Index: shim-15.6/shim.h =================================================================== ---- shim-15.6~rc1+77144e5a.orig/shim.h -+++ shim-15.6~rc1+77144e5a/shim.h -@@ -268,6 +268,7 @@ extern UINT8 mok_policy; +--- shim-15.6.orig/shim.h ++++ shim-15.6/shim.h +@@ -270,6 +270,7 @@ extern UINT8 mok_policy; extern UINT8 in_protocol; extern void *load_options; extern UINT32 load_options_size; ++++++ shim-jscPED-127-upgrade-shim-in-SLE15-SP5.patch ++++++ ++++ 673 lines (skipped)