Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2017-07-04 09:08:05 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim" Tue Jul 4 09:08:05 2017 rev:58 rq:506933 version:12 Changes: -------- --- /work/SRC/openSUSE:Factory/shim/shim.changes 2017-06-07 09:51:59.571770857 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2017-07-04 09:08:07.545749329 +0200 @@ -1,0 +2,19 @@ +Thu Jun 22 03:26:00 UTC 2017 - [email protected] + +- Update to 12 +- Rename the result EFI images due to the upstream name change + + shimx64 -> shim + + mmx64 -> MokManager + + fbx64 -> fallback +- Refresh patches: + + shim-only-os-name.patch + + shim-change-debug-file-path.patch + + shim-opensuse-cert-prompt.patch +- Drop upstreamed patches: + + shim-httpboot-support.patch + + shim-bsc973496-mokmanager-no-append-write.patch + + shim-bsc991885-fix-sig-length.patch + + shim-update-openssl-1.0.2g.patch + + shim-update-openssl-1.0.2h.patch + +------------------------------------------------------------------- Old: ---- shim-0.9.tar.bz2 shim-bsc973496-mokmanager-no-append-write.patch shim-bsc991885-fix-sig-length.patch shim-httpboot-support.patch shim-update-openssl-1.0.2g.patch shim-update-openssl-1.0.2h.patch New: ---- shim-12.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shim.spec ++++++ --- /var/tmp/diff_new_pack.IvQpx4/_old 2017-07-04 09:08:08.445622753 +0200 +++ /var/tmp/diff_new_pack.IvQpx4/_new 2017-07-04 09:08:08.445622753 +0200 @@ -20,13 +20,13 @@ %undefine _build_create_debug Name: shim -Version: 0.9 +Version: 12 Release: 0 Summary: UEFI shim loader License: BSD-2-Clause Group: System/Boot -Url: https://github.com/mjg59/shim -Source: %{name}-%{version}.tar.bz2 +Url: https://github.com/rhboot/shim +Source: https://github.com/rhboot/shim/releases/download/%{version}/%{name}-%{version}.tar.bz2 # run "extract_signature.sh shim.efi" where shim.efi is the binary # with the signature from the UEFI signing service. # Note: For signature requesting, check SIGNATURE_UPDATE.txt 
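Review bot: The new `Source:` line in the `-20,13 +20,13` hunk of shim.spec points at a remote release tarball, but nothing in the hunk records how the packaged `shim-12.tar.bz2` was checked against what upstream published. For a component in the Secure Boot trust chain, ship a detached signature or a recorded checksum alongside the tarball if upstream provides one (not visible on this page). A comment above `Source:` should say how it was verified, e.g. `# tarball taken from the upstream release page; checksum compared against <UPSTREAM_CHECKSUM_SOURCE>`. The `Url:` move from `mjg59/shim` to `rhboot/shim` changes the upstream origin and should be mentioned in shim.changes, which currently lists only the version update and the image renames.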
@@ -45,16 +45,6 @@ Source99: SIGNATURE_UPDATE.txt # PATCH-FIX-SUSE shim-only-os-name.patch [email protected] -- Only include the OS name in version.c Patch1: shim-only-os-name.patch -# PATCH-FIX-UPSTREAM FATE#320129 shim-httpboot-support.patch [email protected] -- Add HTTPBoot support -Patch2: shim-httpboot-support.patch -# PATCH-FIX-UPSTREAM shim-update-openssl-1.0.2g.patch [email protected] -- Update openssl to 1.0.2g -Patch3: shim-update-openssl-1.0.2g.patch -# PATCH-FIX-UPSTREAM bsc#973496 shim-bsc973496-mokmanager-no-append-write.patch [email protected] -- Work around the firmware that doesn't support APPEND_WRITE -Patch4: shim-bsc973496-mokmanager-no-append-write.patch -# PATCH-FIX-UPSTREAM shim-update-openssl-1.0.2h.patch [email protected] -- Update openssl to 1.0.2h -Patch5: shim-update-openssl-1.0.2h.patch -# PATCH-FIX-UPSTREAM bsc#991885 shim-bsc991885-fix-sig-length.patch [email protected] -- Fix the signature length passed to Authenticode -Patch6: shim-bsc991885-fix-sig-length.patch # PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch [email protected] -- Change the default debug file path Patch50: shim-change-debug-file-path.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch [email protected] -- Show the prompt to ask whether the user trusts openSUSE certificate or not @@ -102,17 +92,14 @@ %prep %setup -q %patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 %patch50 -p1 %patch100 -p1 %build # first, build MokManager and fallback as they don't depend on a # specific certificate -make EFI_PATH=/usr/lib64 RELEASE=0 MokManager.efi fallback.efi 2>/dev/null +make EFI_PATH=/usr/lib64 RELEASE=0 mmx64.efi fbx64.efi 2>/dev/null +rename mmx64 MokManager mmx64.* +rename fbx64 fallback fbx64.* # now build variants of shim that embed different certificates default='' 
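Review bot: The added `rename mmx64 MokManager mmx64.*` and `rename fbx64 fallback fbx64.*` lines in the `-102,17 +92,14` hunk hard-code the x86_64 image names, and so does `rename shimx64 shim shimx64.*` in the `-167,7 +154,8` hunk. The Makefile context in the refreshed shim-change-debug-file-path.patch shows `MMNAME`, `FBNAME` and `SHIMNAME` being set inside `ifeq ($(ARCH),x86_64)`, so these names are architecture-dependent upstream; whether this package is ever built for another architecture is not visible here. The glob also renames every by-product matching `mmx64.*`, and the lines assume the util-linux `rename from to files` syntax, neither of which is stated in the spec. I would add a comment above the first rename such as `# shim 12 names the x86_64 images mmx64/fbx64/shimx64; rename them and their by-products to the names the rest of this spec expects`. The `%build` section continues outside the hunk.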
@@ -167,7 +154,8 @@ cp $cert2 shim.crt fi # make sure cast warnings don't trigger post build check - make EFI_PATH=/usr/lib64 RELEASE=0 VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 shim.efi 2>/dev/null + make EFI_PATH=/usr/lib64 RELEASE=0 VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 shimx64.efi + rename shimx64 shim shimx64.* # # assert correct certificate embedded grep -q "$verify" shim.efi ++++++ shim-0.9.tar.bz2 -> shim-12.tar.bz2 ++++++ ++++ 251670 lines of diff (skipped) ++++++ shim-change-debug-file-path.patch ++++++ --- /var/tmp/diff_new_pack.IvQpx4/_old 2017-07-04 09:08:09.637455111 +0200 +++ /var/tmp/diff_new_pack.IvQpx4/_new 2017-07-04 09:08:09.637455111 +0200 @@ -8,16 +8,16 @@ Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -Index: shim-0.9/Makefile +Index: shim-12/Makefile =================================================================== ---- shim-0.9.orig/Makefile -+++ shim-0.9/Makefile -@@ -45,7 +45,7 @@ ifeq ($(ARCH),x86_64) +--- shim-12.orig/Makefile ++++ shim-12/Makefile +@@ -50,7 +50,7 @@ ifeq ($(ARCH),x86_64) + -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \ -DNO_BUILTIN_VA_FUNCS \ - -DMDE_CPU_X64 \ - "-DEFI_ARCH=L\"x64\"" \ + -DMDE_CPU_X64 "-DEFI_ARCH=L\"x64\"" -DPAGE_SIZE=4096 \ - "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/x64-$(VERSION)$(RELEASE)/\"" + "-DDEBUGDIR=L\"/usr/lib/debug/usr/lib64/efi/shim.debug\"" - endif - ifeq ($(ARCH),ia32) - CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc \ + MMNAME = mmx64 + FBNAME = fbx64 + SHIMNAME= shimx64 ++++++ shim-only-os-name.patch ++++++ --- /var/tmp/diff_new_pack.IvQpx4/_old 2017-07-04 09:08:09.653452860 +0200 +++ /var/tmp/diff_new_pack.IvQpx4/_new 2017-07-04 09:08:09.657452298 +0200 
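Review bot: The comment `# make sure cast warnings don't trigger post build check` in the `-167,7 +154,8` hunk now sits above a `make ... shimx64.efi` line that no longer ends in `2>/dev/null`, so it describes a redirect this change removed. Keeping stderr visible is the better choice for the binary that embeds the vendor certificate, so I would reword the comment rather than restore the redirect, e.g. `# build shim with the vendor certificate; stderr is kept so build problems appear in the log`. If the post-build check really does trip over cast warnings (cannot be told from this page), that needs a targeted fix. The earlier `make ... mmx64.efi fbx64.efi 2>/dev/null` in the `-102,17` hunk still discards stderr and deserves the same treatment. The enclosing loop starts and ends outside the hunk.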
@@ -1,13 +1,13 @@ -Index: shim-0.7/Makefile +Index: shim-12/Makefile =================================================================== ---- shim-0.7.orig/Makefile -+++ shim-0.7/Makefile -@@ -67,7 +67,7 @@ shim_cert.h: shim.cer +--- shim-12.orig/Makefile ++++ shim-12/Makefile +@@ -117,7 +117,7 @@ shim_cert.h: shim.cer version.c : version.c.in sed -e "s,@@VERSION@@,$(VERSION)," \ - -e "s,@@UNAME@@,$(shell uname -a)," \ + -e "s,@@UNAME@@,$(shell uname -o)," \ - -e "s,@@COMMIT@@,$(shell if [ -d .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo commit id not available; fi)," \ + -e "s,@@COMMIT@@,$(COMMITID)," \ < version.c.in > version.c ++++++ shim-opensuse-cert-prompt.patch ++++++ --- /var/tmp/diff_new_pack.IvQpx4/_old 2017-07-04 09:08:09.665451172 +0200 +++ /var/tmp/diff_new_pack.IvQpx4/_new 2017-07-04 09:08:09.669450610 +0200 @@ -1,4 +1,4 @@ -From 6718680400c48e463aac6ceef2a3238f2a0e1d57 Mon Sep 17 00:00:00 2001 +From ccd53ba8892ce8955611c9dc519454ddd4b2a62f Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <[email protected]> Date: Tue, 18 Feb 2014 17:29:19 +0800 Subject: [PATCH 1/4] Show the build-in certificate prompt @@ -21,10 +21,10 @@ 1 file changed, 75 insertions(+), 2 deletions(-) diff --git a/shim.c b/shim.c -index 4c6bdc5..4e8ed3a 100644 +index f8a1e67..b1fe60f 100644 --- a/shim.c +++ b/shim.c -@@ -91,6 +91,7 @@ UINT8 *vendor_dbx; +@@ -99,6 +99,7 @@ UINT8 *vendor_dbx; */ verification_method_t verification_method; int loader_is_participating; @@ -32,7 +32,7 @@ #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }} -@@ -959,7 +960,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, +@@ -1016,7 +1017,7 @@ static EFI_STATUS verify_buffer (char *data, int datasize, if (status == EFI_SUCCESS) return status; 
@@ -41,7 +41,7 @@ /* * Check against the shim build key */ -@@ -1730,7 +1731,7 @@ EFI_STATUS mirror_mok_list() +@@ -1941,7 +1942,7 @@ EFI_STATUS mirror_mok_list() if (efi_status != EFI_SUCCESS) DataSize = 0; @@ -50,7 +50,7 @@ FullDataSize = DataSize + sizeof (*CertList) + sizeof (EFI_GUID) -@@ -2140,6 +2141,75 @@ shim_fini(void) +@@ -2648,6 +2649,75 @@ shim_fini(void) setup_console(0); } @@ -126,7 +126,7 @@ extern EFI_STATUS efi_main(EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab); -@@ -2228,6 +2298,9 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab) +@@ -2750,6 +2820,9 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab) */ check_mok_sb(); @@ -137,10 +137,10 @@ if (EFI_ERROR(efi_status)) { Print(L"Something has gone seriously wrong: %r\n", efi_status); -- -2.1.4 +2.13.1 -From 60e38ea2418c8e77a5e85cb833de7a3967be1343 Mon Sep 17 00:00:00 2001 +From 04cef138d17143fb1b5e9e52b593991f783536e8 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <[email protected]> Date: Thu, 20 Feb 2014 16:57:08 +0800 Subject: [PATCH 2/4] Support revoking the openSUSE cert @@ -156,10 +156,10 @@ 2 files changed, 60 insertions(+), 3 deletions(-) diff --git a/MokManager.c b/MokManager.c -index ee6dffb..68d4099 100644 +index e0ba789..81ae8aa 100644 --- a/MokManager.c +++ b/MokManager.c -@@ -1729,6 +1729,33 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) { +@@ -1812,6 +1812,33 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) { return -1; } @@ -193,7 +193,7 @@ static BOOLEAN verify_certificate(UINT8 *cert, UINTN size) { X509 *X509Cert; -@@ -2081,6 +2108,7 @@ typedef enum { +@@ -2164,6 +2191,7 @@ typedef enum { MOK_CHANGE_SB, MOK_SET_PW, MOK_CHANGE_DB, 
@@ -201,7 +201,7 @@ MOK_KEY_ENROLL, MOK_HASH_ENROLL } mok_menu_item; -@@ -2092,7 +2120,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, +@@ -2175,7 +2203,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, void *MokPW, UINTN MokPWSize, void *MokDB, UINTN MokDBSize, void *MokXNew, UINTN MokXNewSize, @@ -211,7 +211,7 @@ { CHAR16 **menu_strings; mok_menu_item *menu_item; -@@ -2166,6 +2195,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, +@@ -2249,6 +2278,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, if (MokDB) menucount++; @@ -221,7 +221,7 @@ menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (menucount + 1)); if (!menu_strings) -@@ -2235,6 +2267,12 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, +@@ -2318,6 +2350,12 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, i++; } @@ -234,7 +234,7 @@ menu_strings[i] = L"Enroll key from disk"; menu_item[i] = MOK_KEY_ENROLL; i++; -@@ -2285,6 +2323,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, +@@ -2368,6 +2406,9 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, case MOK_CHANGE_DB: mok_db_prompt(MokDB, MokDBSize); break; @@ -244,7 +244,7 @@ case MOK_KEY_ENROLL: mok_key_enroll(); break; -@@ -2310,6 +2351,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) +@@ -2393,6 +2434,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; UINTN MokNewSize = 0, MokDelSize = 0, MokSBSize = 0, MokPWSize = 0; UINTN MokDBSize = 0, MokXNewSize = 0, MokXDelSize = 0; @@ -252,7 +252,7 @@ void *MokNew = NULL; void *MokDel = NULL; void *MokSB = NULL; -@@ -2317,6 +2359,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) +@@ -2400,6 +2442,7 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) void *MokDB = NULL; void *MokXNew = NULL; void *MokXDel = NULL; 
@@ -260,7 +260,7 @@ EFI_STATUS status; status = get_variable(L"MokNew", (UINT8 **)&MokNew, &MokNewSize, -@@ -2389,9 +2432,20 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) +@@ -2472,9 +2515,20 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) console_error(L"Could not retrieve MokXDel", status); } @@ -282,7 +282,7 @@ if (MokNew) FreePool (MokNew); -@@ -2414,6 +2468,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) +@@ -2497,6 +2551,9 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) if (MokXDel) FreePool (MokXDel); @@ -293,10 +293,10 @@ LibDeleteVariable(L"MokDelAuth", &shim_lock_guid); LibDeleteVariable(L"MokXAuth", &shim_lock_guid); diff --git a/shim.c b/shim.c -index 4e8ed3a..8848e6a 100644 +index b1fe60f..909c4b7 100644 --- a/shim.c +++ b/shim.c -@@ -1840,7 +1840,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle) +@@ -2092,7 +2092,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle) check_var(L"MokPW") || check_var(L"MokAuth") || check_var(L"MokDel") || check_var(L"MokDB") || check_var(L"MokXNew") || check_var(L"MokXDel") || @@ -306,10 +306,10 @@ if (efi_status != EFI_SUCCESS) { -- -2.1.4 +2.13.1 -From fd62fb657674e9cb63f2bd814c6c8c50acf2c6aa Mon Sep 17 00:00:00 2001 +From c7d47d6050bac84d99651278a7e1a3defddaed86 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <[email protected]> Date: Fri, 7 Mar 2014 16:17:20 +0800 Subject: [PATCH 3/4] Delete openSUSE_Verify the right way @@ -322,10 +322,10 @@ 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/MokManager.c b/MokManager.c -index 68d4099..c7f2b65 100644 +index 81ae8aa..d839355 100644 --- a/MokManager.c +++ b/MokManager.c -@@ -1743,7 +1743,10 @@ static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) { +@@ -1826,7 +1826,10 @@ static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) { if (status != EFI_SUCCESS) return -1; 
@@ -338,10 +338,10 @@ console_error(L"Failed to delete openSUSE_Verify", status); return -1; -- -2.1.4 +2.13.1 -From 2014c6b629a4c5543d0531f59303dbd7bcdd4051 Mon Sep 17 00:00:00 2001 +From 29a7dd0330a75dce47131c4165c06d0b425e2159 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <[email protected]> Date: Mon, 19 Oct 2015 16:36:14 +0800 Subject: [PATCH 4/4] Don't pass NULL to set MokListRT @@ -354,10 +354,10 @@ 1 file changed, 5 insertions(+) diff --git a/shim.c b/shim.c -index 8848e6a..7a21bb2 100644 +index 909c4b7..1804f1c 100644 --- a/shim.c +++ b/shim.c -@@ -1768,6 +1768,11 @@ EFI_STATUS mirror_mok_list() +@@ -1979,6 +1979,11 @@ EFI_STATUS mirror_mok_list() FullData = Data; } @@ -370,5 +370,5 @@ &shim_lock_guid, EFI_VARIABLE_BOOTSERVICE_ACCESS -- -2.1.4 +2.13.1
