commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2020-11-05 21:54:40 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.11331 (New) Package is "shim" Thu Nov 5 21:54:40 2020 rev:89 rq:845886 version:15+git47 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2020-10-24 15:14:56.924063819 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.11331/shim.changes 2020-11-05 21:55:22.516122752 +0100 @@ -1,0 +2,19 @@ +Wed Nov 4 05:53:35 UTC 2020 - Gary Ching-Pang Lin + +- Disable the signature attachment for AArch64 temporarily until + we get a real one. + +--- +Mon Nov 2 06:52:13 UTC 2020 - Gary Ching-Pang Lin + +- Add shim-bsc1177315-verify-eku-codesign.patch to check CodeSign + in the signer's EKU (bsc#1177315) +- Add shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch + to fix NULL pointer dereference in AuthenticodeVerify() + (bsc#1177789, CVE-2019-14584) +- shim-install: Support changing default shim efi binary in + /usr/etc/default/shim and /etc/default/shim (bsc#1177315) +- Add shim-bsc1177315-fix-buffer-use-after-free.patch to fix buffer + use-after-free at the end of the EKU verification (bsc#1177315) + +--- New: shim-bsc1177315-fix-buffer-use-after-free.patch shim-bsc1177315-verify-eku-codesign.patch shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.xUi9NJ/_old 2020-11-05 21:55:23.600120315 +0100 +++ /var/tmp/diff_new_pack.xUi9NJ/_new 2020-11-05 21:55:23.600120315 +0100 
@@ -91,6 +91,12 @@ Patch13:shim-bsc1177404-fix-a-use-of-strlen.patch # PATCH-FIX-UPSTREAM shim-bsc1175509-more-tpm-fixes.patch bsc#1175509 g...@suse.com -- Fix the file path in tpm event log Patch14:shim-bsc1175509-more-tpm-fixes.patch +# PATCH-FIX-SUSE shim-bsc1177315-verify-eku-codesign.patch bsc#1177315 g...@suse.com -- Verify CodeSign in the signer's EKU +Patch15:shim-bsc1177315-verify-eku-codesign.patch +# PATCH-FIX-UPSTREAM shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch bsc#1177789 g...@suse.com -- Fix the NULL pointer dereference in AuthenticodeVerify() +Patch16:shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch +# PATCH-FIX-SUSE shim-bsc1177315-fix-buffer-use-after-free.patch bsc#1177315 g...@suse.com -- Fix buffer use-after-free at the end of the EKU verification +Patch17:shim-bsc1177315-fix-buffer-use-after-free.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not Patch100: shim-opensuse-cert-prompt.patch BuildRequires: gnu-efi >= 3.0.3 @@ -146,6 +152,9 @@ %patch12 -p1 %patch13 -p1 %patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 %if 0%{?is_opensuse} == 1 %patch100 -p1 %endif @@ -186,7 +195,9 @@ signature=%{SOURCE1} %else # AArch64 signature - signature=%{SOURCE12} + # Disable AArch64 signature attachment temporarily + # until we get a real one. + #signature=%{SOURCE12} %endif elif test "$suffix" = "sles"; then cert=%{SOURCE4} @@ -195,7 +206,9 @@ signature=%{SOURCE11} %else # AArch64 signature - signature=%{SOURCE13} + # Disable AArch64 signature attachment temporarily + # until we get a real one. + #signature=%{SOURCE13} %endif elif test "$suffix" = "devel"; then cert=%{_sourcedir}/_projectcert.crt ++ shim-bsc1177315-fix-buffer-use-after-free.patch ++ >From 049bf5c1bd83643b9a6e8b7e67ea51ef7076cbc6 Mon Sep 17 00:00:00 2001 
From: Gary Lin Date: Thu, 22 Oct 2020 14:00:04 +0800 Subject: [PATCH] Cryptlib/CryptPkcs7VerifyEku: fix buffer use-after-free Merge the patch from edk2 upstream: https://bugzilla.tianocore.org/show_bug.cgi?id=2459 Since SignerCert is actually a part of Pkcs7, PKCS7_free() also fress SignerCert, so there is no need to free SignerCert. Signed-off-by: Gary Lin --- Cryptlib/Pk/CryptPkcs7VerifyEku.c | 4 1 file changed, 4 deletions(-) diff --git a/Cryptlib/Pk/CryptPkcs7VerifyEku.c b/Cryptlib/Pk/CryptPkcs7VerifyEku.c index d086886..2c172e2 100644 --- a/Cryptlib/Pk/CryptPkcs7VerifyEku.c +++ b/Cryptlib/Pk/CryptPkcs7VerifyEku.c @@ -507,10 +507,6 @@ Exit: free (SignedData); } - if (SignerCert != NULL) { -X509_free (SignerCert); - } - if (Pkcs7 != NULL) { PKCS7_free (Pkcs7); } -- 2.28.0 ++ shim-bsc1177315-verify-eku-codesign.patch ++ 697 lines (skippe
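Review bot: in the shim.spec hunks at -186 and -195, commenting out `signature=%{SOURCE12}` and `signature=%{SOURCE13}` leaves the AArch64 `%else` branch without any assignment, so `signature` keeps whatever value it had before this if/elif chain. Set it explicitly to empty there (`signature=`) so later steps that read it cannot pick up a stale value, and name the tracking bug in the new comment so the temporary disablement is easy to find and revert.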
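Review bot: in Cryptlib/Pk/CryptPkcs7VerifyEku.c at the Exit label, removing `X509_free (SignerCert)` leaves nothing in the code to say why SignerCert is not freed while SignedData and Pkcs7 are. Add a short comment above `PKCS7_free (Pkcs7)` stating that SignerCert is part of Pkcs7 and is released with it, so a later cleanup pass does not reintroduce the extra free.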
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2020-10-24 15:14:54 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.3463 (New) Package is "shim" Sat Oct 24 15:14:54 2020 rev:88 rq:843143 version:15+git47 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2020-09-23 18:36:58.049137266 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.3463/shim.changes 2020-10-24 15:14:56.924063819 +0200 @@ -1,0 +2,9 @@ +Wed Oct 14 07:34:18 UTC 2020 - Gary Ching-Pang Lin + +- Add shim-bsc1177404-fix-a-use-of-strlen.patch to fix the length + of the option data string to launch the program correctly + (bsc#1177404) +- Add shim-bsc1175509-more-tpm-fixes.patch to fix the file path + in the tpm even log (bsc#1175509) + +--- New: shim-bsc1175509-more-tpm-fixes.patch shim-bsc1177404-fix-a-use-of-strlen.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.lXkbx1/_old 2020-10-24 15:14:57.884065016 +0200 +++ /var/tmp/diff_new_pack.lXkbx1/_new 2020-10-24 15:14:57.884065016 +0200 @@ -87,6 +87,10 @@ Patch11:shim-fix-verify-eku.patch # PATCH-FIX-UPSTREAM shim-do-not-write-string-literals.patch -- Fix the potential crash when accessing the DEFAULT_LOADER string Patch12:shim-do-not-write-string-literals.patch +# PATCH-FIX-UPSTREAM shim-bsc1177404-fix-a-use-of-strlen.patch bsc#1177404 g...@suse.com -- Fix the length of the option data string to launch the program correctly +Patch13:shim-bsc1177404-fix-a-use-of-strlen.patch +# PATCH-FIX-UPSTREAM shim-bsc1175509-more-tpm-fixes.patch bsc#1175509 g...@suse.com -- Fix the file path in tpm event log +Patch14:shim-bsc1175509-more-tpm-fixes.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not Patch100: shim-opensuse-cert-prompt.patch BuildRequires: gnu-efi >= 3.0.3 
@@ -140,6 +144,8 @@ %patch10 -p1 %patch11 -p1 %patch12 -p1 +%patch13 -p1 +%patch14 -p1 %if 0%{?is_opensuse} == 1 %patch100 -p1 %endif ++ shim-bsc1175509-more-tpm-fixes.patch ++ >From 3574fb71d1849295f662c3fcf0818bcd40373649 Mon Sep 17 00:00:00 2001 
From: Javier Martinez Canillas Date: Tue, 18 Feb 2020 12:03:28 +0100 Subject: [PATCH 1/3] shim: Update EFI_LOADED_IMAGE with the second stage loader file path When shim loads the second stage loader (e.g: GRUB) the FilePath field of the EFI_LOADED_IMAGE structure isn't updated with the path of the loaded binary. So it still contains the file path of the shim binary. This isn't a problem since the file path is currently not used. But should be used to set the DevicePath field of the EFI_IMAGE_LOAD_EVENT structure that is logged when measuring the PE/COFF binaries. In that case the TPM Event Log will have an incorrect file path for the measured binary, i.e: $ hexdump -Cv /sys/kernel/security/tpm0/binary_bios_measurements ... 0a50 00 00 00 00 00 00 04 04 34 00 5c 00 45 00 46 00 |4.\.E.F.| 0a60 49 00 5c 00 72 00 65 00 64 00 68 00 61 00 74 00 |I.\.r.e.d.h.a.t.| 0a70 5c 00 73 00 68 00 69 00 6d 00 78 00 36 00 34 00 |\.s.h.i.m.x.6.4.| 0a80 2e 00 65 00 66 00 69 00 00 00 7f ff 04 00 00 00 |..e.f.i.| 0a90 00 00 00 00 00 00 af 08 00 00 00 0d 00 00 00 b5 || 0aa0 cd d0 8f bb 16 31 e2 80 8b e8 58 75 c9 89 18 95 |.1Xu| 0ab0 d2 de 15 15 00 00 00 67 72 75 62 5f 63 6d 64 20 |...grub_cmd | 0ac0 73 65 74 20 70 61 67 65 72 3d 31 00 08 00 00 00 |set pager=1.| ... So update the EFI_LOADED_IMAGE structure with the second stage loader file path to have the correct value in the log, i.e: $ hexdump -Cv /sys/kernel/security/tpm0/binary_bios_measurements ... 0a50 00 00 00 00 00 00 04 04 34 00 5c 00 45 00 46 00 |4.\.E.F.| 0a60 49 00 5c 00 72 00 65 00 64 00 68 00 61 00 74 00 |I.\.r.e.d.h.a.t.| 0a70 5c 00 67 00 72 00 75 00 62 00 78 00 36 00 34 00 |\.g.r.u.b.x.6.4.| 0a80 2e 00 65 00 66 00 69 00 00 00 7f ff 04 00 00 00 |..e.f.i.| 0a90 00 00 00 00 00 00 af 08 00 00 00 0d 00 00 00 b5 || 0aa0 cd d0 8f bb 16 31 e2 80 8b e8 58 75 c9 89 18 95 |.1Xu| 0ab0 d2 de 15 15 00 00 00 67 72 75 62 5f 63 6d 64 20 |...grub_cmd | 0ac0 73 65 74 20 70 61 67 65 72 3d 31 00 08 00 00 00 |set pager=1.| ... 
Signed-off-by: Javier Martinez Canillas (cherry picked from commit cd7d42d493d2913625b9852743db99d97ad15c72) --- shim.c | 17 +++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --gi
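Review bot: the new shim.changes entry reads "tpm even log" while the matching Patch14 comment in shim.spec says "tpm event log". Correct the changelog wording to "event log" so the two descriptions agree and a search for the term finds this entry.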
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2020-09-23 18:36:27 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.4249 (New) Package is "shim" Wed Sep 23 18:36:27 2020 rev:87 rq:834243 version:15+git47 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2020-09-09 17:49:06.294532010 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.4249/shim.changes 2020-09-23 18:36:58.049137266 +0200 @@ -1,0 +2,10 @@ +Mon Sep 14 08:06:27 UTC 2020 - Gary Ching-Pang Lin + +- Add shim-VLogError-Avoid-Null-pointer-dereferences.patch to fix + VLogError crash in AArch64 (jsc#SLE-15824) +- Add shim-fix-verify-eku.patch to fix the potential crash at + verify_eku() (jsc#SLE-15824) +- Add shim-do-not-write-string-literals.patch to fix the potential + crash when accessing the DEFAULT_LOADER string (jsc#SLE-15824) + +--- New: shim-VLogError-Avoid-Null-pointer-dereferences.patch shim-do-not-write-string-literals.patch shim-fix-verify-eku.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.btyeFI/_old 2020-09-23 18:37:00.025138988 +0200 +++ /var/tmp/diff_new_pack.btyeFI/_new 2020-09-23 18:37:00.029138991 +0200 
@@ -81,6 +81,12 @@ Patch8: shim-bsc1173411-only-check-efi-var-on-sb.patch # PATCH-FIX-UPSTREAM shim-bsc1175509-tpm2-fixes.patch bsc#1175509 g...@suse.com -- Upstream fixes for the TPM2 measurement Patch9: shim-bsc1175509-tpm2-fixes.patch +# PATCH-FIX-UPSTREAM shim-VLogError-Avoid-Null-pointer-dereferences.patch g...@suse.com -- Fix VlogError crash in AArch64 +Patch10:shim-VLogError-Avoid-Null-pointer-dereferences.patch +# PATCH-FIX-UPSTREAM shim-fix-verify-eku.patch g...@suse.com -- Fix the potential crash at verify_eku() +Patch11:shim-fix-verify-eku.patch +# PATCH-FIX-UPSTREAM shim-do-not-write-string-literals.patch -- Fix the potential crash when accessing the DEFAULT_LOADER string +Patch12:shim-do-not-write-string-literals.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not Patch100: shim-opensuse-cert-prompt.patch BuildRequires: gnu-efi >= 3.0.3 @@ -131,6 +137,9 @@ %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 %if 0%{?is_opensuse} == 1 %patch100 -p1 %endif ++ shim-VLogError-Avoid-Null-pointer-dereferences.patch ++ >From 20e731f423a438f53738de73af9ef3d67c4cba2f Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 12 Feb 2019 18:04:49 -0500 Subject: [PATCH] VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls VLogError() calculates the size of format strings by using calls to SPrint and VSPrint with a StrSize of 0 and NULL for an output buffer. Unfortunately, this is an incorrect usage of (V)Sprint. A StrSize of "0" is special-cased to mean "there is no limit". So, we end up writing our string to address 0x0. This was discovered because it causes a crash on ARM where, unlike x86, it does not necessarily have memory mapped at 0x0. Avoid the (V)Sprint calls altogether by using (V)PoolPrint, which handles the size calculation and allocation for us. 
Signed-off-by: Peter Jones Fixes: 25f6fd08cd26 ("try to show errors more usefully.") [dannf: commit message ] Signed-off-by: dann frazier --- errlog.c | 15 +++ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/errlog.c b/errlog.c index 18be482..eebb266 100644 --- a/errlog.c +++ b/errlog.c @@ -14,29 +14,20 @@ EFI_STATUS VLogError(const char *file, int line, const char *func, CHAR16 *fmt, va_list args) { va_list args2; - UINTN size = 0, size2; CHAR16 **newerrs; - size = SPrint(NULL, 0, L"%a:%d %a() ", file, line, func); - va_copy(args2, args); - size2 = VSPrint(NULL, 0, fmt, args2); - va_end(args2); - newerrs = ReallocatePool(errs, (nerrs + 1) * sizeof(*errs), (nerrs + 3) * sizeof(*errs)); if (!newerrs) return EFI_OUT_OF_RESOURCES; - newerrs[nerrs] = AllocatePool(size*2+2); + newerrs[nerrs] = PoolPrint(L"%a:%d %a() ", file, line, func); if (!newerrs[nerrs]) return EFI_OUT_OF_RESOURCES; - newerrs[nerrs+1] = AllocatePool(size2*2+2); + va_copy(args2, args); + newerrs[nerrs+1] = VPoolPrint(fmt, args2); if (!newerrs[nerrs+1]) return EFI_OUT_OF_RESOURCES; - - SPrint(newerrs[nerrs], size*2+2, L"%a:%d %a() ", file, line, func); - va_copy(args2, args); - VSPrint(new
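Review bot: in the errlog.c hunk, the early return after `newerrs[nerrs+1] = VPoolPrint(fmt, args2);` exits without va_end(args2) and without freeing the newerrs[nerrs] string that PoolPrint has just allocated. Call va_end(args2) directly after VPoolPrint, and FreePool(newerrs[nerrs]) before returning EFI_OUT_OF_RESOURCES on that path.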
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2020-09-09 17:48:13 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.3399 (New) Package is "shim" Wed Sep 9 17:48:13 2020 rev:86 rq:832636 version:15+git47 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2020-09-01 20:02:14.184448407 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.3399/shim.changes 2020-09-09 17:49:06.294532010 +0200 @@ -1,0 +2,5 @@ +Fri Sep 4 15:08:19 UTC 2020 - Guillaume GARDET + +- Enable build on aarch64 + +--- Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.DSXtuz/_old 2020-09-09 17:49:09.514534626 +0200 +++ /var/tmp/diff_new_pack.DSXtuz/_new 2020-09-09 17:49:09.518534629 +0200 @@ -99,7 +99,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build # For shim-install script Requires: grub2-%{grubplatform} -ExclusiveArch: x86_64 +ExclusiveArch: x86_64 aarch64 %description shim is a trivial EFI application that, when run, attempts to open and
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2020-09-01 20:02:03 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.3399 (New) Package is "shim" Tue Sep 1 20:02:03 2020 rev:85 rq:828866 version:15+git47 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2020-08-13 10:16:54.730726342 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.3399/shim.changes 2020-09-01 20:02:14.184448407 +0200 @@ -1,0 +2,12 @@ +Mon Aug 24 03:20:52 UTC 2020 - Gary Ching-Pang Lin + +- shim-install: install MokManager to \EFI\boot to process the + pending MOK request (bsc#1175626, bsc#1175656) + +--- +Fri Aug 21 04:00:39 UTC 2020 - Gary Ching-Pang Lin + +- Add shim-bsc1175509-tpm2-fixes.patch to fix the TPM2 measurement + (bsc#1175509) + +--- New: shim-bsc1175509-tpm2-fixes.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.ARLXaO/_old 2020-09-01 20:02:15.824449174 +0200 +++ /var/tmp/diff_new_pack.ARLXaO/_new 2020-09-01 20:02:15.828449176 +0200 @@ -79,6 +79,8 @@ Patch7: shim-fix-gnu-efi-3.0.11.patch # PATCH-FIX-UPSTREAM shim-bsc1173411-only-check-efi-var-on-sb.patch bsc#1173411 g...@suse.com -- Make EFI variable copying check only fatal on SB systems Patch8: shim-bsc1173411-only-check-efi-var-on-sb.patch +# PATCH-FIX-UPSTREAM shim-bsc1175509-tpm2-fixes.patch bsc#1175509 g...@suse.com -- Upstream fixes for the TPM2 measurement +Patch9: shim-bsc1175509-tpm2-fixes.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not Patch100: shim-opensuse-cert-prompt.patch BuildRequires: gnu-efi >= 3.0.3 @@ -128,6 +130,7 @@ %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 %if 0%{?is_opensuse} == 1 %patch100 -p1 %endif ++ shim-bsc1175509-tpm2-fixes.patch ++ >From 551bab0a7c3199cad3bd1273d57e98e54bdf2ce9 Mon Sep 17 00:00:00 2001 
From: Matthew Garrett Date: Tue, 11 Dec 2018 15:25:44 -0800 Subject: [PATCH 1/4] Remove call to TPM2 get_event_log() Calling the TPM2 get_event_log causes the firmware to start logging events to the final events table, but implementations may also continue logging to the boot services event log. Any OS that wishes to reconstruct the full PCR state must already look at both the final events log and the boot services event log, so if this call is made anywhere other than immediately before ExitBootServices() then the OS must deduplicate events that occur in both, complicating things immensely. Linux already has support for copying up the boot services event log across the ExitBootServices() boundary, so there's no reason to make this call. Remove it. Signed-off-by: Matthew Garrett (cherry picked from commit fd7c3bd920ba39082cb7c619afb7203d150a4cd3) --- tpm.c | 46 -- 1 file changed, 46 deletions(-) diff --git a/tpm.c b/tpm.c index 674e69b..f07362c 100644 --- a/tpm.c +++ b/tpm.c 
@@ -70,41 +70,6 @@ static BOOLEAN tpm2_present(EFI_TCG2_BOOT_SERVICE_CAPABILITY *caps, return FALSE; } -static inline EFI_TCG2_EVENT_LOG_BITMAP -tpm2_get_supported_logs(efi_tpm2_protocol_t *tpm, - EFI_TCG2_BOOT_SERVICE_CAPABILITY *caps, - BOOLEAN old_caps) -{ - if (old_caps) - return ((TREE_BOOT_SERVICE_CAPABILITY *)caps)->SupportedEventLogs; - - return caps->SupportedEventLogs; -} - -/* - * According to TCG EFI Protocol Specification for TPM 2.0 family, - * all events generated after the invocation of EFI_TCG2_GET_EVENT_LOG - * shall be stored in an instance of an EFI_CONFIGURATION_TABLE aka - * EFI TCG 2.0 final events table. Hence, it is necessary to trigger the - * internal switch through calling get_event_log() in order to allow - * to retrieve the logs from OS runtime. - */ -static EFI_STATUS trigger_tcg2_final_events_table(efi_tpm2_protocol_t *tpm2, - EFI_TCG2_EVENT_LOG_BITMAP supported_logs) -{ - EFI_TCG2_EVENT_LOG_FORMAT log_fmt; - EFI_PHYSICAL_ADDRESS start; - EFI_PHYSICAL_ADDRESS end; - BOOLEAN truncated; - - if (supported_logs & EFI_TCG2_EVENT_LOG_FORMAT_TCG_2) - log_fmt = EFI_TCG2_EVENT_LOG_FORMAT_TCG_2; - else - log_fmt = EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2; - - return tpm2->get_event_log(tpm2, log_fmt, &start, &end, &truncated); -} - static EFI_STATUS tpm_locate_protocol(efi_tpm_protocol_t **tpm,
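Review bot: in the tpm.c hunk at -70, the deleted comment block was the in-code explanation of how get_event_log() interacts with the final events table, and as far as the visible hunk shows, the reason for no longer calling it is recorded only in the commit message. Leave a brief comment in tpm.c saying that get_event_log() is intentionally not called because it switches the firmware to logging in the final events table, so the call is not added back later.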
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2020-08-13 10:14:50 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.3399 (New) Package is "shim" Thu Aug 13 10:14:50 2020 rev:84 rq:824674 version:15+git47 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2020-07-28 17:23:58.389811800 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.3399/shim.changes 2020-08-13 10:16:54.730726342 +0200 @@ -1,0 +2,10 @@ +Thu Aug 6 09:43:19 UTC 2020 - Gary Ching-Pang Lin + +- Amend the check of %shim_enforce_ms_signature + +--- +Fri Jul 31 07:41:26 UTC 2020 - Johannes Segitz + +- Updated openSUSE signature + +--- @@ -11,0 +22,11 @@ + +--- +Fri Jul 10 07:21:27 UTC 2020 - Gary Ching-Pang Lin + +- Use vendor-dbx to block old SUSE/openSUSE signkeys (bsc#1168994) + + Add dbx-cert.tar.xz which contains the certificates to block +and a script, generate-vendor-dbx.sh, to generate +vendor-dbx.bin + + Add vendor-dbx.bin as the vendor dbx to block unwanted keys +- Drop shim-opensuse-signed.efi + + We don't need it anymore Old: shim-opensuse-signed.efi New: dbx-cert.tar.xz vendor-dbx.bin Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.rDDIwI/_old 2020-08-13 10:16:57.662727546 +0200 +++ /var/tmp/diff_new_pack.rDDIwI/_new 2020-08-13 10:16:57.662727546 +0200 @@ -59,8 +59,9 @@ Source11: signature-sles.x86_64.asc Source12: signature-opensuse.aarch64.asc Source13: signature-sles.aarch64.asc -# bsc#1113225 the shim-15+git47 binary for opensuse -Source20: shim-opensuse-signed.efi +Source50: dbx-cert.tar.xz +# vendor-dbx.bin is generated by generate-vendor-dbx.sh in dbx-cert.tar.xz +Source51: vendor-dbx.bin Source99: SIGNATURE_UPDATE.txt # PATCH-FIX-SUSE shim-arch-independent-names.patch g...@suse.com -- Use the Arch-independent names Patch1: shim-arch-independent-names.patch 
@@ -132,12 +133,6 @@ %endif %build -# copy the shim binary to "signed" dir -# NOTE: this is the last resort and we should remove the binary -# once we can build shim.efi properly -mkdir signed -cp %{SOURCE20} signed - # first, build MokManager and fallback as they don't depend on a # specific certificate make EFI_PATH=/usr/lib64 RELEASE=0 \ @@ -195,33 +190,29 @@ fi openssl x509 -in $cert -outform DER -out shim-$suffix.der -# option for dbx: VENDOR_DBX_FILE=dbx make EFI_PATH=/usr/lib64 RELEASE=0 SHIMSTEM=shim \ VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \ DEFAULT_LOADER="grub.efi" \ + VENDOR_DBX_FILE=%{SOURCE51} \ shim.efi.debug shim.efi # # assert correct certificate embedded grep -q "$verify" shim.efi - -# copy the shim binary directly -if test -f signed/shim-$suffix-signed.efi; then -rm -f shim.efi -mv -f signed/shim-$suffix-signed.efi shim-$suffix.efi +# make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx +chmod 755 %{SOURCE9} # alternative: verify signature #sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi -elif test -n "$signature"; then +if test -n "$signature"; then head -1 "$signature" > hash1 cp shim.efi shim.efi.bak # pe header contains timestamp and checksum. we need to # restore that -chmod 755 %{SOURCE9} %{SOURCE9} --set-from-file "$signature" shim.efi pesign -h -P -i shim.efi > hash2 cat hash1 hash2 if ! cmp -s hash1 hash2; then echo "ERROR: $suffix binary changed, need to request new signature!" -%if %{defined shim_enforce_ms_signature} +%if %{defined shim_enforce_ms_signature} && 0%{?shim_enforce_ms_signature} > 0 false %endif mv shim.efi.bak shim-$suffix.efi ++ signature-opensuse.x86_64.asc ++ --- /var/tmp/diff_new_pack.rDDIwI/_old 2020-08-13 10:16:57.810727607 +0200 +++ /var/tmp/diff_new_pack.rDDIwI/_new 2020-08-13 10:16:57.810727607 +0200 
@@ -1,187 +1,184 @@ -hash: 96275dfd6282a522b011177ee049296952ac794832091f937fbbf92869028629 -# 2069-04-10 06:07:54 -timestamp: babababa -checksum: ef25 +hash: f5e892dd6ec4c2defa4a495c09219b621379b64da3d1b2e34adf4b5f1102bd39 +# 1970-01-01 00:00:00 +timestamp: 0 +checksum: 65ba -BEGIN AUTHENTICODE SIGNATURE- -MIIhwQYJKoZIhvcNAQcCoIIhsjCCIa4CAQExDzANBglghkgBZQMEAgEFADBcBgor +MIIhVgYJKoZIhvcNAQcCoIIhRzCCIUMCAQExDzANBglghkgBZQMEAgEFADBcBgor BgEEAYI3AgEE
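Review bot: in the shim.spec %build hunk, `VENDOR_DBX_FILE=%{SOURCE51}` embeds the prebuilt vendor-dbx.bin, but the visible build steps never check it against the certificates in dbx-cert.tar.xz (Source50), so the two can drift apart unnoticed. Run generate-vendor-dbx.sh from the tarball during %build and compare its output with Source51 (cmp), failing the build on a mismatch, in the same way `grep -q "$verify" shim.efi` asserts the embedded certificate.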
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2020-07-28 17:23:23 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.3592 (New) Package is "shim" Tue Jul 28 17:23:23 2020 rev:83 rq:822930 version:15+git47 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2020-07-26 16:16:56.324673583 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.3592/shim.changes 2020-07-28 17:23:58.389811800 +0200 @@ -1,0 +2,7 @@ +Mon Jul 27 07:26:03 UTC 2020 - Gary Ching-Pang Lin + +- Replace shim-correct-license-in-headers.patch with the upstream + commit: shim-bsc1174512-correct-license-in-headers.patch + (bsc#1174512) + +--- Old: shim-correct-license-in-headers.patch New: shim-bsc1174512-correct-license-in-headers.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.DbIYRg/_old 2020-07-28 17:23:59.817813420 +0200 +++ /var/tmp/diff_new_pack.DbIYRg/_new 2020-07-28 17:23:59.821813425 +0200 @@ -70,7 +70,8 @@ Patch3: shim-bsc1092000-fallback-menu.patch # PATCH-FIX-UPSTREAM shim-always-mirror-mok-variables.patch g...@suse.com -- Mirror MOK variables correctly Patch4: shim-always-mirror-mok-variables.patch -Patch5: shim-correct-license-in-headers.patch +# PATCH-FIX-UPSTREAM shim-bsc1174512-correct-license-in-headers.patch g...@suse.com -- Fix the license header in errlog.c and mok.c +Patch5: shim-bsc1174512-correct-license-in-headers.patch # PATCH-FIX-UPSTREAM gcc9-fix-warnings.patch mli...@suse.cz -- MokManager: Use CompareMem on MokListNode.Type instead of CompareGuid Patch6: gcc9-fix-warnings.patch # PATCH-FIX-OPENSUSE shim-fix-gnu-efi-3.0.11.patch g...@suse.com -- Fix the build error caused by the typo fix in gnu-efi 3.0.11 ++ shim-bsc1174512-correct-license-in-headers.patch ++ >From 248e327146daf008b32615423f86d0a985d9d519 Mon Sep 17 00:00:00 2001 
From: Peter Jones Date: Thu, 9 Jul 2020 00:24:57 -0400 Subject: [PATCH] Remove a couple of incorrect license claims. A certain someone's default editor template leaked in to a couple of source files, and claims they're GPL licensed. They're not. Signed-off-by: Peter Jones (cherry picked from commit 476cbff111001d01a5a27dc2289fc7cd2d34c38e) --- errlog.c | 3 --- mok.c| 2 -- 2 files changed, 5 deletions(-) diff --git a/errlog.c b/errlog.c index 18be482..e2ac04a 100644 --- a/errlog.c +++ b/errlog.c @@ -1,10 +1,7 @@ /* * errlog.c * Copyright 2017 Peter Jones - * - * Distributed under terms of the GPLv3 license. */ - #include "shim.h" static CHAR16 **errs = NULL; diff --git a/mok.c b/mok.c index 0bcab32..9498440 100644 --- a/mok.c +++ b/mok.c @@ -1,8 +1,6 @@ /* * mok.c * Copyright 2017 Peter Jones - * - * Distributed under terms of the GPLv3 license. */ #include "shim.h" -- 2.27.0
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2020-07-26 16:15:31 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.3592 (New) Package is "shim" Sun Jul 26 16:15:31 2020 rev:82 rq:822330 version:15+git47 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2020-07-13 09:04:55.784002540 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.3592/shim.changes 2020-07-26 16:16:56.324673583 +0200 @@ -1,0 +2,5 @@ +Wed Jul 22 09:23:02 UTC 2020 - Gary Ching-Pang Lin + +- Update the path to grub-tpm.efi in shim-install (bsc#1174320) + +--- Other differences: -- ++ shim-install ++ --- /var/tmp/diff_new_pack.piuUm9/_old 2020-07-26 16:16:57.028674175 +0200 +++ /var/tmp/diff_new_pack.piuUm9/_new 2020-07-26 16:16:57.028674175 +0200 @@ -146,7 +146,17 @@ no_nvram=yes ;; --suse-enable-tpm) -source_grub_efi="/usr/lib/grub2/${grub_install_target}/grub-tpm.efi" ;; +# bsc#1174320 shim-install uses wrong paths for EFI files +# There are 3 possible locations of grub-tpm.efi and we will check them +# one by one. +if [ -e "${source_dir}/grub-tpm.efi" ]; then +source_grub_efi="${source_dir}/grub-tpm.efi" + elif [ -e "${datadir}/grub2/${grub_install_target}/grub-tpm.efi" ] ; then + source_grub_efi="${datadir}/grub2/${grub_install_target}/grub-tpm.efi" +else + source_grub_efi="/usr/lib/grub2/${grub_install_target}/grub-tpm.efi" +fi + ;; --clean) clean=yes ;;
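Review bot: in the --suse-enable-tpm case of shim-install, the final else assigns /usr/lib/grub2/${grub_install_target}/grub-tpm.efi without the -e test applied to the first two candidates, so a missing file is only discovered later when the path is used. Test the third location as well and exit with an explicit error if none of the three exists.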
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2020-07-13 09:04:41 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.3060 (New) Package is "shim" Mon Jul 13 09:04:41 2020 rev:81 rq:819891 version:15+git47 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2020-04-04 12:19:41.475637883 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.3060/shim.changes 2020-07-13 09:04:55.784002540 +0200 @@ -1,0 +2,6 @@ +Fri Jul 10 06:28:44 UTC 2020 - Gary Ching-Pang Lin + +- Add shim-bsc1173411-only-check-efi-var-on-sb.patch to only check + EFI variable copying when Secure Boot is enabled (bsc#1173411) + +--- New: shim-bsc1173411-only-check-efi-var-on-sb.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.52X9VG/_old 2020-07-13 09:04:56.472004269 +0200 +++ /var/tmp/diff_new_pack.52X9VG/_new 2020-07-13 09:04:56.472004269 +0200 @@ -75,6 +75,8 @@ Patch6: gcc9-fix-warnings.patch # PATCH-FIX-OPENSUSE shim-fix-gnu-efi-3.0.11.patch g...@suse.com -- Fix the build error caused by the typo fix in gnu-efi 3.0.11 Patch7: shim-fix-gnu-efi-3.0.11.patch +# PATCH-FIX-UPSTREAM shim-bsc1173411-only-check-efi-var-on-sb.patch bsc#1173411 g...@suse.com -- Make EFI variable copying check only fatal on SB systems +Patch8: shim-bsc1173411-only-check-efi-var-on-sb.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not Patch100: shim-opensuse-cert-prompt.patch BuildRequires: gnu-efi >= 3.0.3 @@ -123,6 +125,7 @@ %patch5 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 %if 0%{?is_opensuse} == 1 %patch100 -p1 %endif ++ shim-bsc1173411-only-check-efi-var-on-sb.patch ++ >From 741c61abba7d5c74166f8d0c1b9ee8001ebcd186 Mon Sep 17 00:00:00 2001 
From: Patrick Uiterwijk Date: Thu, 6 Dec 2018 10:08:45 +0100 Subject: [PATCH] Make EFI variable copying fatal only on secureboot enabled systems I have come across systems that are unwilling to reserve enough memory for a MokListRT big enough for big certificates. This seems to be the case with firmware implementations that do not support secureboot, which is probably the reason they went with much lower variable storage. This patch set makes sure we can still boot on those systems, by only making the copy action fatal if the system has secure boot enabled, or if the error was anything other than EFI_INVALID_PARAMETER. Signed-off-by: Patrick Uiterwijk --- shim.c | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/shim.c b/shim.c index 7d25ad6..aee4727 100644 --- a/shim.c +++ b/shim.c @@ -2639,7 +2639,17 @@ efi_main (EFI_HANDLE passed_image_handle, EFI_SYSTEM_TABLE *passed_systab) * boot-services-only state variables are what we think they are. */ efi_status = import_mok_state(image_handle); - if (EFI_ERROR(efi_status)) { + if (!secure_mode() && efi_status == EFI_INVALID_PARAMETER) { + /* +* Make copy failures fatal only if secure_mode is enabled, or +* the error was anything else than EFI_INVALID_PARAMETER. +* There are non-secureboot firmware implementations that don't +* reserve enough EFI variable memory to fit the variable. +*/ + console_print(L"Importing MOK states has failed: %s: %r\n", + msgs[msg], efi_status); + console_print(L"Continuing boot since secure mode is disabled"); + } else if (EFI_ERROR(efi_status)) { die: console_print(L"Something has gone seriously wrong: %s: %r\n", msgs[msg], efi_status); -- 2.25.1
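Review bot: in the shim.c hunk in efi_main(), the second console_print of the new branch, `L"Continuing boot since secure mode is disabled"`, has no trailing \n, unlike the message printed just before it, so the next console output will run on from the same line. Add the newline.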
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2020-04-04 12:19:37 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.3248 (New) Package is "shim" Sat Apr 4 12:19:37 2020 rev:80 rq:790063 version:15+git47 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2020-03-25 23:42:52.927985471 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new.3248/shim.changes 2020-04-04 12:19:41.475637883 +0200 @@ -1,0 +2,12 @@ +Tue Mar 31 08:38:56 UTC 2020 - Gary Ching-Pang Lin + +- Use the full path of efibootmgr to avoid errors when invoking + shim-install from packagekitd (bsc#1168104) + +--- +Mon Mar 30 06:20:47 UTC 2020 - Gary Ching-Pang Lin + +- Use "suse_version" instead of "sle_version" to avoid + shim_lib64_share_compat being set in Tumbleweed forever. + +--- Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.Xy5W3C/_old 2020-04-04 12:19:42.739638970 +0200 +++ /var/tmp/diff_new_pack.Xy5W3C/_new 2020-04-04 12:19:42.743638973 +0200 @@ -29,7 +29,7 @@ %else %define sysefibasedir %{_datadir}/efi %define sysefidir %{sysefibasedir}/%{_target_cpu} -%if "%{grubplatform}" == "x86_64-efi" && 0%{?sle_version} < 16 +%if "%{grubplatform}" == "x86_64-efi" && 0%{?suse_version} < 1600 # provide compatibility sym-link for residual kiwi, etc. %define shim_lib64_share_compat 1 %endif ++ shim-install ++ --- /var/tmp/diff_new_pack.Xy5W3C/_old 2020-04-04 12:19:42.831639049 +0200 +++ /var/tmp/diff_new_pack.Xy5W3C/_new 2020-04-04 12:19:42.831639049 +0200 @@ -14,6 +14,7 @@ libdir="/usr/lib64"# Beware, this is arch dependent! datadir="/usr/share" source_dir="${datadir}/efi/${arch}" +efibootmgr="/usr/sbin/efibootmgr" grub_probe="/usr/sbin/grub2-probe" grub_mkrelpath="/usr/bin/grub2-mkrelpath" grub_install="/usr/sbin/grub2-install" 
@@ -252,9 +253,9 @@ fi if test "$no_nvram" = no && test -n "$bootloader_id"; then # Delete old entries from the same distributor. -for bootnum in `efibootmgr | grep '^Boot[0-9]' | \ +for bootnum in `$efibootmgr | grep '^Boot[0-9]' | \ fgrep -i " $bootloader_id" | cut -b5-8`; do -efibootmgr -b "$bootnum" -B +$efibootmgr -b "$bootnum" -B done fi exit 0 @@ -335,9 +336,9 @@ modprobe -q efivars 2>/dev/null || true # Delete old entries from the same distributor. -for bootnum in `efibootmgr | grep '^Boot[0-9]' | \ +for bootnum in `$efibootmgr | grep '^Boot[0-9]' | \ fgrep -i " $bootloader_id" | cut -b5-8`; do -efibootmgr -b "$bootnum" -B +$efibootmgr -b "$bootnum" -B done efidir_drive="$("$grub_probe" --target=drive --device-map= "$efidir")" @@ -359,12 +360,12 @@ efidir_disk="$("$grub_probe" --target=disk --device-map= -d "$mddev")" efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')" efidir_d=${mddev#/dev/} -efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \ +$efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \ -L "$bootloader_id ($efidir_d)" -l "\\EFI\\$efi_distributor\\$efi_file" done else efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')" -efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \ +$efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \ -L "$bootloader_id" -l "\\EFI\\$efi_distributor\\$efi_file" fi fi
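Review bot: the new `$efibootmgr` variable is expanded unquoted at every call site in shim-install (`$efibootmgr -b "$bootnum" -B`, `$efibootmgr -c -d ...`), while the neighbouring tool is invoked as `"$grub_probe"`; quote it as `"$efibootmgr"` for consistency. Because the path is now fixed at /usr/sbin/efibootmgr instead of being resolved through PATH, a `test -x "$efibootmgr"` before first use would turn a missing binary into a clear error; as written, the backtick pipeline would just yield nothing and the loop that deletes old boot entries would be skipped silently.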
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2020-03-25 23:42:38 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.3160 (New) Package is "shim" Wed Mar 25 23:42:38 2020 rev:79 rq:787396 version:15+git47 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2019-12-02 11:36:15.694434422 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new.3160/shim.changes 2020-03-25 23:42:52.927985471 +0100 @@ -1,0 +2,6 @@ +Mon Mar 16 09:42:34 UTC 2020 - Gary Ching-Pang Lin + +- Add shim-fix-gnu-efi-3.0.11.patch to fix the build error caused + by the upgrade of gnu-efi + +--- New: shim-fix-gnu-efi-3.0.11.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.XXwm50/_old 2020-03-25 23:42:54.331985930 +0100 +++ /var/tmp/diff_new_pack.XXwm50/_new 2020-03-25 23:42:54.351985937 +0100 @@ -1,7 +1,7 @@ # # spec file for package shim # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -41,7 +41,7 @@ Summary:UEFI shim loader License:BSD-2-Clause Group: System/Boot -Url:https://github.com/rhboot/shim +URL:https://github.com/rhboot/shim Source: %{name}-%{version}.tar.bz2 # run "extract_signature.sh shim.efi" where shim.efi is the binary # with the signature from the UEFI signing service. 
@@ -73,6 +73,8 @@ Patch5: shim-correct-license-in-headers.patch # PATCH-FIX-UPSTREAM gcc9-fix-warnings.patch mli...@suse.cz -- MokManager: Use CompareMem on MokListNode.Type instead of CompareGuid Patch6: gcc9-fix-warnings.patch +# PATCH-FIX-OPENSUSE shim-fix-gnu-efi-3.0.11.patch g...@suse.com -- Fix the build error caused by the typo fix in gnu-efi 3.0.11 +Patch7: shim-fix-gnu-efi-3.0.11.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not Patch100: shim-opensuse-cert-prompt.patch BuildRequires: gnu-efi >= 3.0.3 @@ -120,6 +122,7 @@ %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 %if 0%{?is_opensuse} == 1 %patch100 -p1 %endif ++ shim-fix-gnu-efi-3.0.11.patch ++ diff --git a/lib/console.c b/lib/console.c index 2d421af..6e2a8ca 100644 --- a/lib/console.c +++ b/lib/console.c @@ -521,7 +521,11 @@ static struct { { EFI_SECURITY_VIOLATION, L"Security Violation"}, // warnings +#ifdef EFI_WARN_UNKOWN_GLYPH { EFI_WARN_UNKOWN_GLYPH, L"Warning Unknown Glyph"}, +#else + { EFI_WARN_UNKNOWN_GLYPH, L"Warning Unknown Glyph"}, +#endif { EFI_WARN_DELETE_FAILURE,L"Warning Delete Failure"}, { EFI_WARN_WRITE_FAILURE, L"Warning Write Failure"}, { EFI_WARN_BUFFER_TOO_SMALL, L"Warning Buffer Too Small"},
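Review bot: the `#ifdef EFI_WARN_UNKOWN_GLYPH` guard in lib/console.c picks the right spelling only while gnu-efi provides that status code as a preprocessor macro; if a header declares it as an enum constant the guard is always false and the build against the older gnu-efi breaks again. Add a comment above the guard naming the gnu-efi release that fixed the typo (3.0.11 per the spec comment) so it is clear when the fallback can be dropped. BuildRequires still reads gnu-efi >= 3.0.3, so keeping both spellings is the right call.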
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2019-12-02 11:31:28 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.4691 (New) Package is "shim" Mon Dec 2 11:31:28 2019 rev:78 rq:751191 version:15+git47 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2019-08-28 16:00:45.690807001 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.4691/shim.changes 2019-12-02 11:36:15.694434422 +0100 @@ -1,0 +2,6 @@ +Wed Nov 27 06:23:11 UTC 2019 - Michael Chang + +- shim-install: add check for btrfs is used as root file system to enable + relative path lookup for file. (bsc#1153953) + +--- Other differences: -- ++ shim-install ++ --- /var/tmp/diff_new_pack.96nMEW/_old 2019-12-02 11:36:17.138434726 +0100 +++ /var/tmp/diff_new_pack.96nMEW/_new 2019-12-02 11:36:17.142434727 +0100 @@ -294,8 +294,13 @@ grub_cfg_dirname=`dirname $grub_cfg` grub_cfg_basename=`basename $grub_cfg` cfg_fs_uuid=`"$grub_probe" --target=fs_uuid "$grub_cfg_dirname"` +# bsc#1153953 - Leap 42.3 boot error snapshot missing +# We have to check btrfs is used as root file system to enable relative path +# lookup for file to be on par with other utility which also accounts for it. +GRUB_FS="$(stat -f --printf=%T / || echo unknown)" -if test "x$SUSE_BTRFS_SNAPSHOT_BOOTING" = "xtrue"; then +if test "x$SUSE_BTRFS_SNAPSHOT_BOOTING" = "xtrue" && + [ "x${GRUB_FS}" = "xbtrfs" ] ; then cat <
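Review bot: `GRUB_FS="$(stat -f --printf=%T / || echo unknown)"` in shim-install lets stat's own error text reach the terminal when the call fails; redirect its stderr so only the `unknown` fallback is seen. The changed condition also mixes `test "x$SUSE_BTRFS_SNAPSHOT_BOOTING" = "xtrue"` with `[ "x${GRUB_FS}" = "xbtrfs" ]`; use one form for both operands.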
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2019-08-28 16:00:42 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.7948 (New) Package is "shim" Wed Aug 28 16:00:42 2019 rev:77 rq:725433 version:15+git47 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2019-05-25 13:14:00.984475294 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.7948/shim.changes 2019-08-28 16:00:45.690807001 +0200 @@ -1,0 +2,5 @@ +Fri Aug 16 04:07:30 UTC 2019 - Gary Ching-Pang Lin + +- Fix a typo in shim-install (bsc#1145802) + +--- Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.Eog7Mt/_old 2019-08-28 16:00:46.426806891 +0200 +++ /var/tmp/diff_new_pack.Eog7Mt/_new 2019-08-28 16:00:46.430806889 +0200 @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # # needssslcertforbuild ++ shim-install ++ --- /var/tmp/diff_new_pack.Eog7Mt/_old 2019-08-28 16:00:46.498806879 +0200 +++ /var/tmp/diff_new_pack.Eog7Mt/_new 2019-08-28 16:00:46.498806879 +0200 @@ -13,7 +13,7 @@ sysconfdir="/etc" libdir="/usr/lib64"# Beware, this is arch dependent! datadir="/usr/share" -source_dir="${data_dir}/efi/${arch}" +source_dir="${datadir}/efi/${arch}" grub_probe="/usr/sbin/grub2-probe" grub_mkrelpath="/usr/bin/grub2-mkrelpath" grub_install="/usr/sbin/grub2-install"
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2019-05-25 13:13:55 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.5148 (New) Package is "shim" Sat May 25 13:13:55 2019 rev:76 rq:702795 version:15+git47 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2019-04-17 11:23:12.490408484 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.5148/shim.changes 2019-05-25 13:14:00.984475294 +0200 @@ -1,0 +2,5 @@ +Fri Apr 19 10:32:11 UTC 2019 - Martin Liška + +- Add gcc9-fix-warnings.patch (bsc#1121268). + +--- New: gcc9-fix-warnings.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.Br4SSE/_old 2019-05-25 13:14:02.652474673 +0200 +++ /var/tmp/diff_new_pack.Br4SSE/_new 2019-05-25 13:14:02.656474672 +0200 @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# Please submit bugfixes or comments via http://bugs.opensuse.org/ # # needssslcertforbuild @@ -71,6 +71,8 @@ # PATCH-FIX-UPSTREAM shim-always-mirror-mok-variables.patch g...@suse.com -- Mirror MOK variables correctly Patch4: shim-always-mirror-mok-variables.patch Patch5: shim-correct-license-in-headers.patch +# PATCH-FIX-UPSTREAM gcc9-fix-warnings.patch mli...@suse.cz -- MokManager: Use CompareMem on MokListNode.Type instead of CompareGuid +Patch6: gcc9-fix-warnings.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not Patch100: shim-opensuse-cert-prompt.patch BuildRequires: gnu-efi >= 3.0.3 @@ -117,6 +119,7 @@ %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 %if 0%{?is_opensuse} == 1 %patch100 -p1 %endif ++ gcc9-fix-warnings.patch ++ >From f30cd0b6330be8ea72a93bf25e43829c222ba611 Mon Sep 17 00:00:00 2001 
From: Gary Lin Date: Tue, 26 Feb 2019 11:33:53 +0800 Subject: [PATCH] MokManager: Use CompareMem on MokListNode.Type instead of CompareGuid Fix the errors from gcc9 '-Werror=address-of-packed-member' https://github.com/rhboot/shim/issues/161 Signed-off-by: Gary Lin --- MokManager.c | 14 +- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/MokManager.c b/MokManager.c index d69b4dbe..05dc1622 100644 --- a/MokManager.c +++ b/MokManager.c @@ -1053,7 +1053,8 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num, continue; DataSize += sizeof(EFI_SIGNATURE_LIST); - if (CompareGuid(&(list[i].Type), &X509_GUID) == 0) + if (CompareMem(&(list[i].Type), &X509_GUID, + sizeof(EFI_GUID)) == 0) DataSize += sizeof(EFI_GUID); DataSize += list[i].MokSize; } @@ -1075,7 +1076,8 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num, CertList->SignatureType = list[i].Type; CertList->SignatureHeaderSize = 0; - if (CompareGuid(&(list[i].Type), &X509_GUID) == 0) { + if (CompareMem(&(list[i].Type), &X509_GUID, + sizeof(EFI_GUID)) == 0) { CertList->SignatureListSize = list[i].MokSize + sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID); CertList->SignatureSize = @@ -1116,7 +1118,8 @@ static void delete_cert(void *key, UINT32 key_size, int i; for (i = 0; i < mok_num; i++) { - if (CompareGuid(&(mok[i].Type), &X509_GUID) != 0) + if (CompareMem(&(mok[i].Type), &X509_GUID, + sizeof(EFI_GUID)) != 0) continue; if (mok[i].MokSize == key_size && @@ -1167,7 +1170,7 @@ static void delete_hash_in_list(EFI_GUID Type, UINT8 * hash, UINT32 hash_size, sig_size = hash_size + sizeof(EFI_GUID); for (i = 0; i < mok_num; i++) { - if ((CompareGuid(&(mok[i].Type), &Type) != 0) || + if ((CompareMem(&(mok[i].Type), &Type, sizeof(EFI_GUID)) != 0) || (mok[i].MokSize < sig_size)) continue; 
@@ -1331,7 +1334,8 @@ static EFI_STATUS delete_keys(void *MokDel, UINTN MokDelSize, BOOLEAN MokX) /* Search and destroy */ for (i = 0; i < del_num; i++) { - if (CompareGuid(&(del_key[i].Type), &X509_GUID) == 0) { + if (CompareMem(&(del_key[i
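Review bot: the shim.spec hunk at -12,7 changes the bug-report URL from https://bugs.opensuse.org/ to http://bugs.opensuse.org/, which is unrelated to the gcc9 fix and looks like an accidental revert; drop that hunk. In MokManager.c the expression `CompareMem(&(x.Type), &X509_GUID, sizeof(EFI_GUID))` is now repeated at every former CompareGuid call site; a small static helper taking the node would keep the packed-member workaround in one place and make the `== 0` / `!= 0` senses easier to audit.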
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2019-04-17 11:22:51 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.17052 (New) Package is "shim" Wed Apr 17 11:22:51 2019 rev:75 rq:694231 version:15+git47 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2019-04-15 11:51:58.094534824 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.17052/shim.changes 2019-04-17 11:23:12.490408484 +0200 @@ -1,0 +2,6 @@ +Mon Apr 15 09:24:07 UTC 2019 - Gary Ching-Pang Lin + +- Add shim-opensuse-signed.efi, the openSUSE shim-15+git47 binary + (bsc#1113225) + +--- New: shim-opensuse-signed.efi Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.jhMpX4/_old 2019-04-17 11:23:13.882410121 +0200 +++ /var/tmp/diff_new_pack.jhMpX4/_new 2019-04-17 11:23:13.886410126 +0200 @@ -59,6 +59,8 @@ Source11: signature-sles.x86_64.asc Source12: signature-opensuse.aarch64.asc Source13: signature-sles.aarch64.asc +# bsc#1113225 the shim-15+git47 binary for opensuse +Source20: shim-opensuse-signed.efi Source99: SIGNATURE_UPDATE.txt # PATCH-FIX-SUSE shim-arch-independent-names.patch g...@suse.com -- Use the Arch-independent names Patch1: shim-arch-independent-names.patch @@ -120,6 +122,12 @@ %endif %build +# copy the shim binary to "signed" dir +# NOTE: this is the last resort and we should remove the binary +# once we can build shim.efi properly +mkdir signed +cp %{SOURCE20} signed + # first, build MokManager and fallback as they don't depend on a # specific certificate make EFI_PATH=/usr/lib64 RELEASE=0 \ @@ -177,6 +185,7 @@ fi openssl x509 -in $cert -outform DER -out shim-$suffix.der +# option for dbx: VENDOR_DBX_FILE=dbx make EFI_PATH=/usr/lib64 RELEASE=0 SHIMSTEM=shim \ VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \ DEFAULT_LOADER="grub.efi" \ 
@@ -184,15 +193,19 @@ # # assert correct certificate embedded grep -q "$verify" shim.efi -# make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx -chmod 755 %{SOURCE9} + +# copy the shim binary directly +if test -f signed/shim-$suffix-signed.efi; then +rm -f shim.efi +mv -f signed/shim-$suffix-signed.efi shim-$suffix.efi # alternative: verify signature #sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi -if test -n "$signature"; then +elif test -n "$signature"; then head -1 "$signature" > hash1 cp shim.efi shim.efi.bak # pe header contains timestamp and checksum. we need to # restore that +chmod 755 %{SOURCE9} %{SOURCE9} --set-from-file "$signature" shim.efi pesign -h -P -i shim.efi > hash2 cat hash1 hash2
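Review bot: the new `if test -f signed/shim-$suffix-signed.efi` branch in %build replaces the freshly built shim.efi with the prebuilt binary from Source20 without any check on that binary: the hash1/hash2 steps exist only in the `elif test -n "$signature"` branch, and the sbverify line is still commented out. After the mv, run the `grep -q "$verify"` certificate assertion against shim-$suffix.efi and enable an sbverify check, so that a wrong or altered Source20 fails the build instead of shipping. The NOTE calls the binary a last resort to be removed later; reference bsc#1113225 in that comment so the removal can be tracked.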
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2019-04-15 11:51:57 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.17052 (New) Package is "shim" Mon Apr 15 11:51:57 2019 rev:74 rq:693692 version:15+git47 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2019-02-20 14:06:45.147030781 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new.17052/shim.changes 2019-04-15 11:51:58.094534824 +0200 @@ -1,0 +2,11 @@ +Fri Apr 12 08:50:49 UTC 2019 - Gary Ching-Pang Lin + +- Disable AArch64 build (FATE#325971) + + AArch64 machines don't use UEFI CA, at least for now. + +--- +Thu Apr 11 15:52:47 UTC 2019 - jseg...@suse.com + +- Updated shim signature: signature-sles.x86_64.asc (bsc#1120026) + +--- Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.OGjswG/_old 2019-04-15 11:51:58.726535158 +0200 +++ /var/tmp/diff_new_pack.OGjswG/_new 2019-04-15 11:51:58.726535158 +0200 @@ -87,7 +87,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build # For shim-install script Requires: grub2-%{grubplatform} -ExclusiveArch: x86_64 aarch64 +ExclusiveArch: x86_64 %description shim is a trivial EFI application that, when run, attempts to open and ++ signature-sles.x86_64.asc ++ --- /var/tmp/diff_new_pack.OGjswG/_old 2019-04-15 11:51:58.870535235 +0200 +++ /var/tmp/diff_new_pack.OGjswG/_new 2019-04-15 11:51:58.870535235 +0200 
@@ -1,188 +1,184 @@ -hash: f31fd461c5e99510403fc97c1da2d8a9cbe270597d32badf8fd66b77495f8d94 -# 2069-04-10 06:07:54 -timestamp: babababa -checksum: 61c9 +hash: 06eb5badd26e4fae65f9a42358deef7c18e52cc05fbb7fc76776e69d1b982a14 +# 1970-01-01 00:00:00 +timestamp: 0 +checksum: f349 -BEGIN AUTHENTICODE SIGNATURE-
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2019-02-20 14:06:40 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.28833 (New) Package is "shim" Wed Feb 20 14:06:40 2019 rev:73 rq:676274 version:15+git47 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2019-02-02 21:44:40.532218525 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new.28833/shim.changes 2019-02-20 14:06:45.147030781 +0100 @@ -1,0 +2,5 @@ +Thu Feb 14 17:03:00 UTC 2019 - r...@suse.com + +- Fix conditions for '/usr/share/efi'-move (FATE#326960) + +--- Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.diBfNJ/_old 2019-02-20 14:06:46.967030156 +0100 +++ /var/tmp/diff_new_pack.diBfNJ/_new 2019-02-20 14:06:46.971030156 +0100 @@ -24,11 +24,15 @@ %else %define grubplatform %{_target_cpu}-efi %endif -%if 0%{?suse_version} > 1500 +%if %{defined sle_version} && 0%{?sle_version} <= 15 +%define sysefidir /usr/lib64/efi +%else %define sysefibasedir %{_datadir}/efi %define sysefidir %{sysefibasedir}/%{_target_cpu} -%else -%define sysefidir /usr/lib64/efi +%if "%{grubplatform}" == "x86_64-efi" && 0%{?sle_version} < 16 +# provide compatibility sym-link for residual kiwi, etc. +%define shim_lib64_share_compat 1 +%endif %endif Name: shim 
@@ -237,14 +241,11 @@ fpr=$(openssl x509 -sha1 -fingerprint -inform DER -noout -in $file | cut -c 18- | cut -d ":" -f 1,2,3,4 | sed 's/://g') install -m 644 $file %{buildroot}/%{_sysconfdir}/uefi/certs/${fpr}-shim.crt done -%if 0%{?suse_version} > 1500 && 0%{?suse_version} < 1600 -%ifarch x86_64 -if [ "%{sysefidir}" != "/usr/lib64/efi" ]; then - # provide compatibility sym-link for previous kiwi, etc. +%if %{defined shim_lib64_share_compat} +[ "%{sysefidir}" != "/usr/lib64/efi" ] || exit 1 +# provide compatibility sym-link for residual "consumers" install -d %{buildroot}/usr/lib64/efi ln -srf %{buildroot}/%{sysefidir}/*.efi %{buildroot}/usr/lib64/efi/ -fi -%endif %endif # install the debug symbols @@ -267,8 +268,10 @@ /sbin/update-bootloader --reinit || true %endif +%if %{defined update_bootloader_posttrans} %posttrans %{?update_bootloader_posttrans} +%endif %files %defattr(-,root,root) @@ -284,13 +287,11 @@ %dir %{_sysconfdir}/uefi/ %dir %{_sysconfdir}/uefi/certs/ %{_sysconfdir}/uefi/certs/*.crt -%if 0%{?suse_version} > 1500 && 0%{?suse_version} < 1600 -%ifarch x86_64 +%if %{defined shim_lib64_share_compat} # provide compatibility sym-link for previous kiwi, etc. %dir /usr/lib64/efi /usr/lib64/efi/*.efi %endif -%endif %files -n shim-debuginfo %defattr(-,root,root,-)
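Review bot: in the first shim.spec hunk, `0%{?sle_version} < 16` is true whenever sle_version is undefined, because the expression expands to 0, so shim_lib64_share_compat gets defined on every x86_64 build that reaches the %else branch rather than only on the releases that need the compatibility link. Bound it with a macro that is always defined; rev:80 on this page later switches to `0%{?suse_version} < 1600` for exactly this reason. The `[ "%{sysefidir}" != "/usr/lib64/efi" ] || exit 1` guard in %install should also print a message to stderr so the build log says why it stopped.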
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2019-02-02 21:44:39 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.28833 (New) Package is "shim" Sat Feb 2 21:44:39 2019 rev:72 rq:668950 version:15+git47 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2018-12-27 00:22:17.864010614 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new.28833/shim.changes 2019-02-02 21:44:40.532218525 +0100 @@ -1,0 +2,17 @@ +Mon Jan 28 03:18:53 UTC 2019 - Gary Ching-Pang Lin + +- Amend shim.spec to remove $RPM_BUILD_ROOT + +--- +Thu Jan 17 17:12:14 UTC 2019 - r...@suse.com + +- Move 'efi'-executables to '/usr/share/efi' (FATE#326960) + (preparing the move to 'noarch' for this package) + +--- +Mon Jan 14 09:48:59 UTC 2019 - Gary Ching-Pang Lin + +- Update shim-install to handle the partitioned MD devices + (bsc#1119762, bsc#1119763) + +--- Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.0POHKk/_old 2019-02-02 21:44:41.320217842 +0100 +++ /var/tmp/diff_new_pack.0POHKk/_new 2019-02-02 21:44:41.328217836 +0100 @@ -1,7 +1,7 @@ # # spec file for package shim # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,6 +19,17 @@ %undefine _debuginfo_subpackages %undefine _build_create_debug +%ifarch aarch64 +%define grubplatform arm64-efi +%else +%define grubplatform %{_target_cpu}-efi +%endif +%if 0%{?suse_version} > 1500 +%define sysefibasedir %{_datadir}/efi +%define sysefidir %{sysefibasedir}/%{_target_cpu} +%else +%define sysefidir /usr/lib64/efi +%endif Name: shim Version:15+git47 
@@ -71,7 +82,7 @@ %endif BuildRoot: %{_tmppath}/%{name}-%{version}-build # For shim-install script -Requires: grub2-efi +Requires: grub2-%{grubplatform} ExclusiveArch: x86_64 aarch64 %description @@ -103,6 +114,7 @@ %if 0%{?is_opensuse} == 1 %patch100 -p1 %endif + %build # first, build MokManager and fallback as they don't depend on a # specific certificate @@ -211,12 +223,12 @@ mv ../source . %install -export BRP_PESIGN_FILES='%{_libdir}/efi/shim*.efi %{_libdir}/efi/MokManager.efi %{_libdir}/efi/fallback.efi' -install -d %{buildroot}/%{_libdir}/efi -cp -a shim*.efi %{buildroot}/%{_libdir}/efi -install -m 444 shim-*.der %{buildroot}/%{_libdir}/efi -install -m 644 MokManager.efi %{buildroot}/%{_libdir}/efi/MokManager.efi -install -m 644 fallback.efi %{buildroot}/%{_libdir}/efi/fallback.efi +export BRP_PESIGN_FILES='%{sysefidir}/shim*.efi %{sysefidir}/MokManager.efi %{sysefidir}/fallback.efi' +install -d %{buildroot}/%{sysefidir} +cp -a shim*.efi %{buildroot}/%{sysefidir} +install -m 444 shim-*.der %{buildroot}/%{sysefidir} +install -m 644 MokManager.efi %{buildroot}/%{sysefidir}/MokManager.efi +install -m 644 fallback.efi %{buildroot}/%{sysefidir}/fallback.efi install -d %{buildroot}/%{_sbindir} install -m 755 %{SOURCE3} %{buildroot}/%{_sbindir}/ # install SUSE certificate 
@@ -225,12 +237,21 @@ fpr=$(openssl x509 -sha1 -fingerprint -inform DER -noout -in $file | cut -c 18- | cut -d ":" -f 1,2,3,4 | sed 's/://g') install -m 644 $file %{buildroot}/%{_sysconfdir}/uefi/certs/${fpr}-shim.crt done +%if 0%{?suse_version} > 1500 && 0%{?suse_version} < 1600 +%ifarch x86_64 +if [ "%{sysefidir}" != "/usr/lib64/efi" ]; then + # provide compatibility sym-link for previous kiwi, etc. + install -d %{buildroot}/usr/lib64/efi + ln -srf %{buildroot}/%{sysefidir}/*.efi %{buildroot}/usr/lib64/efi/ +fi +%endif +%endif # install the debug symbols -install -d %{buildroot}/usr/lib/debug/%{_libdir}/efi -install -m 644 shim.debug %{buildroot}/usr/lib/debug/%{_libdir}/efi -install -m 644 MokManager.efi.debug %{buildroot}/usr/lib/debug/%{_libdir}/efi/MokManager.debug -install -m 644 fallback.efi.debug %{buildroot}/usr/lib/debug/%{_libdir}/efi/fallback.debug +install -d %{buildroot}/usr/lib/debug/%{sysefidir} +install -m 644 shim.debug %{buildroot}/usr/lib/debug/%{sysefidir} +install -m 644 MokManager.efi.debug %{buildroot}/usr/lib/debug/%{sysefidir}/MokManager.debug +install -m 644 fallback.efi.debug %{buildroot}/usr/lib/debug/%{sysefidir}/fallback.debug # install the debug source install -d %{buildroot}/usr/src/debug/%{name}-%{version} @@ -252,22 +273,30 @@ %files %defattr(-
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2018-12-27 00:22:16 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.28833 (New) Package is "shim" Thu Dec 27 00:22:16 2018 rev:71 rq:660489 version:15+git47 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2018-12-11 15:42:05.746584508 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new.28833/shim.changes 2018-12-27 00:22:17.864010614 +0100 @@ -1,0 +2,23 @@ +Thu Dec 20 04:13:00 UTC 2018 - Gary Ching-Pang Lin + +- Update to 15+git47 (bsc#1120026, FATE#325971) + + git commit: b3e4d1f7555aabbf5d54de5ea7cd7e839e7bd83d +- Retire the old openSUSE 4096 bit certificate + + Those programs are already out of maintenance. +- Add shim-always-mirror-mok-variables.patch to mirror MOK + variables correctly +- Add shim-correct-license-in-headers.patch to correct the license + declaration +- Refresh patches: + + shim-arch-independent-names.patch + + shim-change-debug-file-path.patch + + shim-bsc1092000-fallback-menu.patch + + shim-opensuse-cert-prompt.patch +- Drop upstreamed patches: + + shim-bsc1088585-handle-mok-allocations-better.patch + + shim-httpboot-amend-device-path.patch + + shim-httpboot-include-console.h.patch + + shim-only-os-name.patch + + shim-remove-cryptpem.patch + +--- Old: openSUSE-UEFI-CA-Certificate-4096.crt shim-14.tar.bz2 shim-bsc1088585-handle-mok-allocations-better.patch shim-httpboot-amend-device-path.patch shim-httpboot-include-console.h.patch shim-only-os-name.patch shim-remove-cryptpem.patch New: shim-15+git47.tar.bz2 shim-always-mirror-mok-variables.patch shim-correct-license-in-headers.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.xhi2B1/_old 2018-12-27 00:22:18.508010090 +0100 +++ /var/tmp/diff_new_pack.xhi2B1/_new 2018-12-27 00:22:18.508010090 +0100 
@@ -21,13 +21,13 @@ %undefine _build_create_debug Name: shim -Version:14 +Version:15+git47 Release:0 Summary:UEFI shim loader License:BSD-2-Clause Group: System/Boot Url:https://github.com/rhboot/shim -Source: https://github.com/rhboot/shim/releases/download/%{version}/%{name}-%{version}.tar.bz2 +Source: %{name}-%{version}.tar.bz2 # run "extract_signature.sh shim.efi" where shim.efi is the binary # with the signature from the UEFI signing service. # Note: For signature requesting, check SIGNATURE_UPDATE.txt 
@@ -39,29 +39,21 @@ Source6:attach_signature.sh Source7:show_hash.sh Source8:show_signatures.sh -Source9:openSUSE-UEFI-CA-Certificate-4096.crt -Source10: timestamp.pl -Source11: strip_signature.sh -Source12: signature-sles.x86_64.asc -Source13: signature-opensuse.aarch64.asc -Source14: signature-sles.aarch64.asc +Source9:timestamp.pl +Source10: strip_signature.sh +Source11: signature-sles.x86_64.asc +Source12: signature-opensuse.aarch64.asc +Source13: signature-sles.aarch64.asc Source99: SIGNATURE_UPDATE.txt -# PATCH-FIX-SUSE shim-only-os-name.patch g...@suse.com -- Only include the OS name in version.c -Patch1: shim-only-os-name.patch # PATCH-FIX-SUSE shim-arch-independent-names.patch g...@suse.com -- Use the Arch-independent names -Patch2: shim-arch-independent-names.patch -# PATCH-FIX-UPSTREAM shim-httpboot-include-console.h.patch g...@suse.com -- Include console.h in httpboot.c -Patch3: shim-httpboot-include-console.h.patch -# PATCH-FIX-UPSTREAM shim-remove-cryptpem.patch g...@suse.com -- Replace the functions in CryptPem.c with the null function -Patch4: shim-remove-cryptpem.patch -# PATCH-FIX-UPSTREAM shim-httpboot-amend-device-path.patch bsc#1065370 g...@suse.com -- Amend the device path matching rule for httpboot -Patch5: shim-httpboot-amend-device-path.patch -# PATCH-FIX-UPSTREAM shim-bsc1088585-handle-mok-allocations-better.patch bsc#1088585 g...@suse.com -- Handle the mok parameter allocations better -Patch6: shim-bsc1088585-handle-mok-allocations-better.patch -# PATCH-FIX-UPSTREAM shim-bsc1092000-fallback-menu.patch bsc#1092000 g...@suse.com -- Show a menu before reset -Patch7: shim-bsc1092000-fallback-menu.patch +Patch1: shim-arch-independent-names.patch # PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch g...@suse.com -- Change the default debug file path -Patch50:shim-change-debug-file-path.patch +Patch2: shim-change-debug-file-path.patch +# PATCH-FIX-UPSTREAM shim-bsc1092000-fallback-m
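Review bot: the Source line in shim.spec drops the upstream release URL in favour of a bare `%{name}-%{version}.tar.bz2`, so nothing in the spec records where the 15+git47 tarball came from; the git commit appears only in the changelog entry. Add a comment above Source with the repository URL, the commit id from the changelog (b3e4d1f7555aabbf5d54de5ea7cd7e839e7bd83d) and the command used to produce the archive, so the tarball can be regenerated and compared against upstream.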
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2018-12-11 15:42:04 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.19453 (New) Package is "shim" Tue Dec 11 15:42:04 2018 rev:70 rq:655466 version:14 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2018-09-18 11:42:16.227983696 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.19453/shim.changes 2018-12-11 15:42:05.746584508 +0100 @@ -1,0 +2,7 @@ +Wed Dec 5 10:28:00 UTC 2018 - Gary Ching-Pang Lin + +- Update shim-install to specify the target for grub2-install and + change the boot efi file name according to the architecture + (bsc#1118363, FATE#325971) + +--- Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.3620Cu/_old 2018-12-11 15:42:06.486583698 +0100 +++ /var/tmp/diff_new_pack.3620Cu/_new 2018-12-11 15:42:06.486583698 +0100 @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # # needssslcertforbuild ++ shim-install ++ --- /var/tmp/diff_new_pack.3620Cu/_old 2018-12-11 15:42:06.582583593 +0100 +++ /var/tmp/diff_new_pack.3620Cu/_new 2018-12-11 15:42:06.590583584 +0100 @@ -15,10 +15,24 @@ grub_probe="/usr/sbin/grub2-probe" grub_mkrelpath="/usr/bin/grub2-mkrelpath" grub_install="/usr/sbin/grub2-install" +grub_install_target= self="`basename $0`" grub_cfg="/boot/grub2/grub.cfg" update_boot=no def_grub_efi="${source_dir}/grub.efi" +def_boot_efi= + +arch=`uname -m` +if [ x${arch} = xx86_64 ] ; then + grub_install_target="x86_64-efi" + def_boot_efi="bootx64.efi" +elif [ x${arch} = xaarch64 ] ; then + grub_install_target="arm64-efi" + def_boot_efi="bootaa64.efi" +else + echo "Unsupported architecture: ${arch}" + exit 1 +fi # Get GRUB_DISTRIBUTOR. if test -f "${sysconfdir}/default/grub" ; then 
@@ -124,7 +138,7 @@ no_nvram=yes ;; --suse-enable-tpm) -source_grub_efi="/usr/lib/grub2/x86_64-efi/grub-tpm.efi" ;; +source_grub_efi="/usr/lib/grub2/${grub_install_target}/grub-tpm.efi" ;; --clean) clean=yes ;; @@ -211,8 +225,8 @@ exit 1; fi -if test "$removable" = "no" -a -f "$efibootdir/bootx64.efi"; then -if test -n "$ca_string" && (grep -q "$ca_string" "$efibootdir/bootx64.efi"); then +if test "$removable" = "no" -a -f "$efibootdir/$def_boot_efi"; then +if test -n "$ca_string" && (grep -q "$ca_string" "$efibootdir/$def_boot_efi"); then update_boot=yes fi else @@ -226,7 +240,7 @@ rm -f "${efidir}/grub.cfg" rm -f "${efidir}/boot.csv" if test "$update_boot" = "yes"; then -rm -f "${efibootdir}/bootx64.efi" +rm -f "${efibootdir}/${def_boot_efi}" rm -f "${efibootdir}/fallback.efi" fi if test "$no_nvram" = no && test -n "$bootloader_id"; then @@ -261,7 +275,7 @@ fi if test "$update_boot" = "yes"; then -cp "${source_dir}/shim.efi" "${efibootdir}/bootx64.efi" +cp "${source_dir}/shim.efi" "${efibootdir}/${def_boot_efi}" if test "$removable" = "no"; then cp "${source_dir}/fallback.efi" "${efibootdir}" fi @@ -300,7 +314,9 @@ make_grubcfg > "${efidir}/grub.cfg" # bnc#889765 GRUB shows broken letters at boot # invoke grub_install to initialize /boot/grub2 directory with files needed by grub.cfg -${grub_install} --no-nvram +# bsc#1118363 shim-install didn't specify the target for grub2-install +# set the target explicitly for some special cases +${grub_install} --target=${grub_install_target} --no-nvram if test "$no_nvram" = no && test -n "$bootloader_id"; then
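Review bot: the architecture check added at the top of shim-install expands `${arch}` unquoted inside `[ x${arch} = xx86_64 ]` and prints "Unsupported architecture" to stdout before `exit 1`; quote the operands and send the message to stderr so callers that capture output see a clean failure. The same applies to `${grub_install} --target=${grub_install_target} --no-nvram`, where both expansions should be quoted the way the script already quotes "$grub_probe".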
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2018-09-18 11:42:13 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Tue Sep 18 11:42:13 2018 rev:69 rq:634130 version:14 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2018-06-03 12:28:37.800829403 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2018-09-18 11:42:16.227983696 +0200 @@ -1,0 +2,7 @@ +Tue Aug 21 07:36:36 UTC 2018 - g...@suse.com + +- Enable AArch64 build (FATE#325971) + + Also add the aarch64 signature files and rename the x86_64 +signature files + +--- Old: signature-opensuse.asc signature-sles.asc New: signature-opensuse.aarch64.asc signature-opensuse.x86_64.asc signature-sles.aarch64.asc signature-sles.x86_64.asc Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.kdpPOk/_old 2018-09-18 11:42:18.031981808 +0200 +++ /var/tmp/diff_new_pack.kdpPOk/_new 2018-09-18 11:42:18.035981803 +0200 @@ -31,7 +31,7 @@ # run "extract_signature.sh shim.efi" where shim.efi is the binary # with the signature from the UEFI signing service. # Note: For signature requesting, check SIGNATURE_UPDATE.txt -Source1:signature-opensuse.asc +Source1:signature-opensuse.x86_64.asc Source2:openSUSE-UEFI-CA-Certificate.crt Source3:shim-install Source4:SLES-UEFI-CA-Certificate.crt @@ -42,7 +42,9 @@ Source9:openSUSE-UEFI-CA-Certificate-4096.crt Source10: timestamp.pl Source11: strip_signature.sh -Source12: signature-sles.asc +Source12: signature-sles.x86_64.asc +Source13: signature-opensuse.aarch64.asc +Source14: signature-sles.aarch64.asc Source99: SIGNATURE_UPDATE.txt # PATCH-FIX-SUSE shim-only-os-name.patch g...@suse.com -- Only include the OS name in version.c Patch1: shim-only-os-name.patch 
@@ -78,8 +80,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build # For shim-install script Requires: grub2-efi -# Disable AArch64 until we have the signature -ExclusiveArch: x86_64 +ExclusiveArch: x86_64 aarch64 %description shim is a trivial EFI application that, when run, attempts to open and 
@@ -146,12 +147,22 @@ cert=%{SOURCE2} cert2=%{SOURCE9} verify='openSUSE Secure Boot CA1' +%ifarch x86_64 signature=%{SOURCE1} +%else + # AArch64 signature + signature=%{SOURCE13} +%endif elif test "$suffix" = "sles"; then cert=%{SOURCE4} cert2='' verify='SUSE Linux Enterprise Secure Boot CA1' +%ifarch x86_64 signature=%{SOURCE12} +%else + # AArch64 signature + signature=%{SOURCE14} +%endif elif test "$suffix" = "devel"; then cert=%{_sourcedir}/_projectcert.crt cert2='' ++ signature-opensuse.aarch64.asc ++ hash: 96275dfd6282a522b011177ee049296952ac794832091f937fbbf92869028629 # 2069-04-10 06:07:54 timestamp: babababa checksum: ef25
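Review bot: the `%else` branches added in the @@ -146,12 +147,22 @@ hunk treat every architecture other than x86_64 as AArch64. That holds only while `ExclusiveArch: x86_64 aarch64` stays as it is; if a third architecture is ever enabled, the build would silently attach the AArch64 signature to it. Use `%ifarch aarch64` for the second case and leave `signature` unset otherwise, so an unexpected architecture fails instead of shipping a mismatched signature.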
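Review bot: the header of the new signature-opensuse.aarch64.asc carries `timestamp: babababa` with the date comment 2069-04-10 06:07:54, which reads like a filler value rather than a real signing time. Please confirm that this file was produced by running extract_signature.sh on a binary returned by the UEFI signing service, and record in SIGNATURE_UPDATE.txt where the AArch64 signatures came from.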
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2018-06-03 12:28:35 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Sun Jun 3 12:28:35 2018 rev:68 rq:612953 version:14 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2018-04-17 11:10:32.514039687 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2018-06-03 12:28:37.800829403 +0200 @@ -1,0 +2,6 @@ +Tue May 29 06:41:59 UTC 2018 - g...@suse.com + +- Add shim-bsc1092000-fallback-menu.patch to show a menu before + system reset ((bsc#1092000)) + +--- New: shim-bsc1092000-fallback-menu.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.6ZKRmz/_old 2018-06-03 12:28:38.600800116 +0200 +++ /var/tmp/diff_new_pack.6ZKRmz/_new 2018-06-03 12:28:38.604799970 +0200 @@ -56,6 +56,8 @@ Patch5: shim-httpboot-amend-device-path.patch # PATCH-FIX-UPSTREAM shim-bsc1088585-handle-mok-allocations-better.patch bsc#1088585 g...@suse.com -- Handle the mok parameter allocations better Patch6: shim-bsc1088585-handle-mok-allocations-better.patch +# PATCH-FIX-UPSTREAM shim-bsc1092000-fallback-menu.patch bsc#1092000 g...@suse.com -- Show a menu before reset +Patch7: shim-bsc1092000-fallback-menu.patch # PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch g...@suse.com -- Change the default debug file path Patch50:shim-change-debug-file-path.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not @@ -106,6 +108,7 @@ %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 %patch50 -p1 %if 0%{?is_opensuse} == 1 %patch100 -p1 ++ shim-bsc1092000-fallback-menu.patch ++ >From 22269728415432718e7757842086785d7daf0cc3 Mon Sep 17 00:00:00 2001 
From: Gary Lin Date: Mon, 28 May 2018 10:57:06 +0800 Subject: [PATCH] fallback: show a countdown menu before reset Some machines with the faulty firmware may keep booting the default boot path instead of the boot option we create. To avoid the infinite reset loop, this commit introduce a countdown screen before fallback resets the system, so the user can interrupt the system reset and choose to boot the restored boot option. The "Always continue boot" option creates a BS+RT+NV variable, FB_NO_REBOOT, to make fallback boot the first boot option afterward without asking. The user can revert the behavior by removing the variable. https://github.com/rhboot/shim/issues/128 https://bugzilla.opensuse.org/show_bug.cgi?id=1092000 Signed-off-by: Gary Lin --- fallback.c | 144 + 1 file changed, 144 insertions(+) diff --git a/fallback.c b/fallback.c index 886e052..1f3eb78 100644 --- a/fallback.c +++ b/fallback.c @@ -13,6 +13,9 @@ #include "ucs2.h" #include "variables.h" #include "tpm.h" +#include "console.h" + +#define NO_REBOOT L"FB_NO_REBOOT" EFI_LOADED_IMAGE *this_image = NULL; 
@@ -953,6 +956,127 @@ try_start_first_option(EFI_HANDLE parent_image_handle) return rc; } +static UINT32 +get_fallback_no_reboot(void) +{ + EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; + EFI_STATUS efi_status; + UINT32 no_reboot; + UINTN size = sizeof(UINT32); + + efi_status = uefi_call_wrapper(RT->GetVariable, 5, + NO_REBOOT, &shim_lock_guid, + NULL, &size, &no_reboot); + if (!EFI_ERROR(efi_status)) { + return no_reboot; + } + return 0; +} + +static EFI_STATUS +set_fallback_no_reboot(void) +{ + EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; + EFI_STATUS efi_status; + UINT32 no_reboot = 1; + efi_status = uefi_call_wrapper(RT->SetVariable, 5, + NO_REBOOT, &shim_lock_guid, + EFI_VARIABLE_NON_VOLATILE + | EFI_VARIABLE_BOOTSERVICE_ACCESS + | EFI_VARIABLE_RUNTIME_ACCESS, + sizeof(UINT32), &no_reboot); + return efi_status; +} + +static void console_save_and_set_mode (SIMPLE_TEXT_OUTPUT_MODE *SavedMode) +{ + if (!SavedMode) { + Print(L"Invalid parameter: SavedMode\n"); + return; + } + + CopyMem(SavedMode, ST->ConOut->Mode, sizeof(SIMPLE_TEXT_OUTPUT_MODE)); + uefi_call_wrapper(ST->ConOut->EnableCursor, 2, ST->ConOut, FALSE); + uefi_call_wrapper(ST->ConOut->SetAttribute, 2, ST->ConO
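Review bot: `get_fallback_no_reboot()` in the @@ -953,6 +956,127 @@ hunk returns `no_reboot` without having initialised it and without checking the size that GetVariable reports. If FB_NO_REBOOT exists but is shorter than four bytes, the call succeeds, only part of the UINT32 is written, and the remaining bytes are whatever was on the stack, so the function can return a non-zero value that nobody set. Initialise `no_reboot` to 0 and return it only when `size == sizeof(UINT32)`. Because the variable is created with EFI_VARIABLE_RUNTIME_ACCESS and is read here with a NULL attributes pointer, it is also worth a comment stating that the running OS is expected to be able to set or remove it.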
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2018-04-17 11:10:28 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Tue Apr 17 11:10:28 2018 rev:67 rq:595022 version:14 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2018-04-04 11:03:17.936649114 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2018-04-17 11:10:32.514039687 +0200 @@ -1,0 +2,8 @@ +Tue Apr 10 03:45:39 UTC 2018 - g...@suse.com + +- Add shim-bsc1088585-handle-mok-allocations-better.patch to avoid + double-freeing after enrolling a key from the disk (bsc#1088585) + + Also refresh shim-opensuse-cert-prompt.patch due to the change +in MokManager.c + +--- New: shim-bsc1088585-handle-mok-allocations-better.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.QpIsnx/_old 2018-04-17 11:10:33.925973446 +0200 +++ /var/tmp/diff_new_pack.QpIsnx/_new 2018-04-17 11:10:33.929973258 +0200 @@ -54,6 +54,8 @@ Patch4: shim-remove-cryptpem.patch # PATCH-FIX-UPSTREAM shim-httpboot-amend-device-path.patch bsc#1065370 g...@suse.com -- Amend the device path matching rule for httpboot Patch5: shim-httpboot-amend-device-path.patch +# PATCH-FIX-UPSTREAM shim-bsc1088585-handle-mok-allocations-better.patch bsc#1088585 g...@suse.com -- Handle the mok parameter allocations better +Patch6: shim-bsc1088585-handle-mok-allocations-better.patch # PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch g...@suse.com -- Change the default debug file path Patch50:shim-change-debug-file-path.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not @@ -103,6 +105,7 @@ %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 %patch50 -p1 %if 0%{?is_opensuse} == 1 %patch100 -p1 ++ shim-bsc1088585-handle-mok-allocations-better.patch ++ >From c232e8577b0608664fd4ce7a6b24b8ed7d2fc7a4 Mon Sep 17 00:00:00 2001 
From: Peter Jones
Date: Wed, 27 Sep 2017 14:17:20 -0400
Subject: [PATCH] MokManager: handle mok parameter allocations better.

Covscan daftly claims:

288. var_compare_op: Comparing MokSB to null implies that MokSB might be null.
2330 if (MokSB) {
2331 menu_strings[i] = L"Change Secure Boot state";
2332 menu_item[i] = MOK_CHANGE_SB;
2333 i++;
2334 }
2335 ...
2358 choice = console_select(perform_mok_mgmt, menu_strings, 0);
2359 if (choice < 0)
2360 goto out;
...
2362 switch (menu_item[choice]) {
...
2395 case MOK_CHANGE_SB:
CID 182841 (#1 of 1): Dereference after null check (FORWARD_NULL)
293. var_deref_model: Passing null pointer MokSB to mok_sb_prompt, which dereferences it. [show details]
2396 efi_status = mok_sb_prompt(MokSB, MokSBSize);

Which is, of course, entirely false, because for menu_item[choice] to be MOK_CHANGE_SB, MokSB must be !NULL. And then:

252. Condition efi_status == 0, taking true branch.
2397 if (efi_status == EFI_SUCCESS)
2398 MokSB = NULL;

This guarantees it won't be in the list the next time through the loop. This adds tests for NULLness before mok_sb_prompt(), just to make it more clear to covscan what's going on.

Also do the same thing for all of:
MOK_CHANGE_SB
MOK_SET_PW
MOK_CHANGE_DB
MOK_ENROLL_MOKX
MOK_DELETE_MOKX

I also Lindent-ed everything I had to touch.

Three other minor errors are also fixed:

1) the loop in enter_mok_menu() leaked the menu allocations each time through the loop

2) mok_sb_prompt(), mok_pw_prompt(), and mok_db_prompt() all call FreePool() on their respective variables (MokSB, etc), and check_mok_request() also calls FreePool() on these. This sounds horrible, but it turns out it's not an issue, because they only free them in their EFI_SUCCESS paths, and enter_mok_menu() resets the system if any of the mok_XX_prompt() calls actually returned EFI_SUCCESS, so we never get back to check_mok_request() for it to do its FreePool() calls.

3) the loop in enter_mok_menu() winds up introducing a double free in the call to free_menu(), but we also can't hit this bug, because all the exit paths from the loop are "goto out" (or return error) rather than actually exiting on the loop conditional.

Signed-off-by: Peter Jones (cherry picked from commit a32651360
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2018-04-04 11:03:01 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Wed Apr 4 11:03:01 2018 rev:66 rq:593111 version:14 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2018-03-29 11:47:09.584652974 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2018-04-04 11:03:17.936649114 +0200 @@ -1,0 +2,6 @@ +Tue Apr 3 08:37:55 UTC 2018 - g...@suse.com + +- Install the certificates with a shim suffix to avoid conflicting + with other packages (bsc#1087847) + +--- Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.F7DNYg/_old 2018-04-04 11:03:19.400596053 +0200 +++ /var/tmp/diff_new_pack.F7DNYg/_new 2018-04-04 11:03:19.404595908 +0200 @@ -229,7 +229,7 @@ install -d %{buildroot}/%{_sysconfdir}/uefi/certs/ for file in shim-*.der; do fpr=$(openssl x509 -sha1 -fingerprint -inform DER -noout -in $file | cut -c 18- | cut -d ":" -f 1,2,3,4 | sed 's/://g') -install -m 644 $file %{buildroot}/%{_sysconfdir}/uefi/certs/$fpr.crt +install -m 644 $file %{buildroot}/%{_sysconfdir}/uefi/certs/${fpr}-shim.crt done # install the debug symbols
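Review bot: the installed file name in the @@ -229,7 +229,7 @@ hunk is still built from only the first four bytes of the SHA-1 fingerprint (`cut -d ":" -f 1,2,3,4`), so the new `-shim` suffix avoids clashes with other packages but two certificates shipped by shim itself that share that 32-bit prefix would still overwrite each other in the `for` loop. Either keep the full fingerprint in the name or fail the build when the target file already exists, and quote `$file` in the `install` line.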
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2018-03-29 11:47:08 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Thu Mar 29 11:47:08 2018 rev:65 rq:590556 version:14 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2018-01-07 17:22:06.363214408 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2018-03-29 11:47:09.584652974 +0200 @@ -1,0 +2,6 @@ +Fri Mar 23 04:47:35 UTC 2018 - g...@suse.com + +- Add the missing leading backlash to the DEFAULT_LOADER + (bsc#1086589) + +--- Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.oR4WGT/_old 2018-03-29 11:47:10.536618668 +0200 +++ /var/tmp/diff_new_pack.oR4WGT/_new 2018-03-29 11:47:10.544618380 +0200 @@ -170,7 +170,7 @@ # make sure cast warnings don't trigger post build check make EFI_PATH=/usr/lib64 RELEASE=0 SHIMSTEM=shim \ VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \ - DEFAULT_LOADER="grub.efi" \ + DEFAULT_LOADER="grub.efi" \ shim.efi.debug shim.efi # # assert correct certificate embedded
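Review bot: the removed and added `DEFAULT_LOADER="grub.efi" \` lines in the @@ -170,7 +170,7 @@ hunk read identically as shown here, so the leading backslash that the changelog describes cannot be checked from this view. The value passes through the spec's shell quoting and then make before it reaches the compiler, so a short spec comment stating the intended final string would make the escaping reviewable the next time this line changes.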
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2018-01-07 17:21:55 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Sun Jan 7 17:21:55 2018 rev:64 rq:561806 version:14 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2017-09-18 19:52:44.285691772 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2018-01-07 17:22:06.363214408 +0100 
@@ -1,0 +2,36 @@ +Fri Jan 5 08:41:42 UTC 2018 - g...@suse.com + +- Add shim-httpboot-amend-device-path.patch to amend the device + path matching rule for httpboot (bsc#1065370) + +--- +Thu Jan 4 08:17:44 UTC 2018 - g...@suse.com + +- Update to 14 (bsc#1054712) +- Adjust make commands in spec +- Drop upstreamed fixes + + shim-add-fallback-verbose-print.patch + + shim-back-to-openssl-1.0.2e.patch + + shim-fallback-workaround-masked-ami-variables.patch + + shim-fix-fallback-double-free.patch + + shim-fix-httpboot-crash.patch + + shim-fix-openssl-flags.patch + + shim-more-tpm-measurement.patch +- Add shim-httpboot-include-console.h.patch to include console.h + in httpboot.c to avoid build failure +- Add shim-remove-cryptpem.patch to replace functions in CryptPem.c + with the null function +- Update SUSE/openSUSE specific patches + + shim-only-os-name.patch + + shim-arch-independent-names.patch + + shim-change-debug-file-path.patch + + shim-opensuse-cert-prompt.patch + +--- +Fri Dec 29 18:41:12 UTC 2017 - ngomp...@gmail.com + +- Fix debuginfo + debugsource subpackage generation for RPM 4.14 +- Set the RPM groups correctly for debug{info,source} subpackages +- Drop deprecated and out of date Authors information in description + +--- Old: shim-12.tar.bz2 shim-add-fallback-verbose-print.patch shim-back-to-openssl-1.0.2e.patch shim-fallback-workaround-masked-ami-variables.patch shim-fix-fallback-double-free.patch shim-fix-httpboot-crash.patch shim-fix-openssl-flags.patch shim-more-tpm-measurement.patch New: shim-14.tar.bz2 shim-httpboot-amend-device-path.patch shim-httpboot-include-console.h.patch shim-remove-cryptpem.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.pHYk2N/_old 2018-01-07 17:22:07.779148039 +0100 +++ /var/tmp/diff_new_pack.pHYk2N/_new 2018-01-07 17:22:07.783147852 +0100 
@@ -1,7 +1,7 @@ # # spec file for package shim # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,10 +17,11 @@ # needssslcertforbuild +%undefine _debuginfo_subpackages %undefine _build_create_debug Name: shim -Version:12 +Version:14 Release:0 Summary:UEFI shim loader License:BSD-2-Clause 
@@ -47,20 +48,12 @@ Patch1: shim-only-os-name.patch # PATCH-FIX-SUSE shim-arch-independent-names.patch g...@suse.com -- Use the Arch-independent names Patch2: shim-arch-independent-names.patch -# PATCH-FIX-UPSTREAM shim-fix-httpboot-crash.patch g...@suse.com -- Fix HTTPBoot crash -Patch3: shim-fix-httpboot-crash.patch -# PATCH-FIX-UPSTREAM shim-fix-openssl-flags.patch g...@suse.com -- Fix the openssl compiler flags -Patch4: shim-fix-openssl-flags.patch -# PATCH-FIX-UPSTREAM shim-fix-fallback-double-free.patch g...@suse.com -- Fix double free in fallback.c -Patch5: shim-fix-fallback-double-free.patch -# PATCH-FIX-UPSTREAM shim-add-fallback-verbose-print.patch g...@suse.com -- Print debug messages dynamically -Patch6: shim-add-fallback-verbose-print.patch -# PATCH-FIX-UPSTREAM shim-fallback-workaround-masked-ami-variables.patch g...@suse.com -- Work around the masked AMI variables -Patch7: shim-fallback-workaround-masked-ami-variables.patch -# PATCH-FIX-UPSTREAM shim-more-tpm-measurement.patch g...@suse.com -- Measure more components for TPM -Patch8: shim-more-tpm-measurement.patch -# PATCH-FIX-UPSTREAM shim-back-to-openssl-1.0.2e.patch bsc#1054712 g...@suse.com -- Revert openssl back to 1.0.2e due to the rejection of some legit certificates -Patch9: shim-back-to-openssl-1.0.2e.patch +# PATCH-FIX-UPSTREAM shim-httpboot-include-console.h.patch g...@suse.com -- Include console.h in httpboot.c +Patch3: shim-httpboot-include-console.h.patch +# PATCH-FIX-UPSTREAM shim-remove-cryptpe
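Review bot: `%undefine _debuginfo_subpackages` in the @@ -17,10 +17,11 @@ hunk is added without a comment. The changelog ties it to debuginfo and debugsource subpackage generation under RPM 4.14; a one-line comment in the spec saying so would stop it from being removed later as an apparent duplicate of `%undefine _build_create_debug` on the next line.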
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2017-09-18 19:52:41 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Mon Sep 18 19:52:41 2017 rev:63 rq:523850 version:12 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2017-09-04 12:18:26.598335869 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2017-09-18 19:52:44.285691772 +0200 @@ -1,0 +2,8 @@ +Wed Sep 13 04:13:21 UTC 2017 - g...@suse.com + +- Add shim-back-to-openssl-1.0.2e.patch to avoid rejecting some + legit certificates (bsc#1054712) +- Add the stderr mask back while compiling MokManager.efi since the + warnings in Cryptlib is back after reverting the openssl commits. + +--- New: shim-back-to-openssl-1.0.2e.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.rhdnaI/_old 2017-09-18 19:52:45.173566893 +0200 +++ /var/tmp/diff_new_pack.rhdnaI/_new 2017-09-18 19:52:45.177566331 +0200 @@ -45,7 +45,7 @@ Source99: SIGNATURE_UPDATE.txt # PATCH-FIX-SUSE shim-only-os-name.patch g...@suse.com -- Only include the OS name in version.c Patch1: shim-only-os-name.patch -# PATCH-FIX-SUSE shim-only-os-name.patch g...@suse.com -- Use the Arch-independent names +# PATCH-FIX-SUSE shim-arch-independent-names.patch g...@suse.com -- Use the Arch-independent names Patch2: shim-arch-independent-names.patch # PATCH-FIX-UPSTREAM shim-fix-httpboot-crash.patch g...@suse.com -- Fix HTTPBoot crash Patch3: shim-fix-httpboot-crash.patch 
@@ -59,6 +59,8 @@ Patch7: shim-fallback-workaround-masked-ami-variables.patch # PATCH-FIX-UPSTREAM shim-more-tpm-measurement.patch g...@suse.com -- Measure more components for TPM Patch8: shim-more-tpm-measurement.patch +# PATCH-FIX-UPSTREAM shim-back-to-openssl-1.0.2e.patch bsc#1054712 g...@suse.com -- Revert openssl back to 1.0.2e due to the rejection of some legit certificates +Patch9: shim-back-to-openssl-1.0.2e.patch # PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch g...@suse.com -- Change the default debug file path Patch50:shim-change-debug-file-path.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not @@ -114,6 +116,7 @@ %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 %patch50 -p1 %if 0%{?is_opensuse} == 1 %patch100 -p1 @@ -121,7 +124,7 @@ %build # first, build MokManager and fallback as they don't depend on a # specific certificate -make EFI_PATH=/usr/lib64 RELEASE=0 MokManager.efi fallback.efi +make EFI_PATH=/usr/lib64 RELEASE=0 MokManager.efi fallback.efi 2> /dev/null # now build variants of shim that embed different certificates default='' ++ shim-back-to-openssl-1.0.2e.patch ++ 178031 lines (skipped)
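Review bot: the Patch9 comment in the @@ -59,6 +59,8 @@ hunk says only that OpenSSL goes back to 1.0.2e because some legitimate certificates were rejected. This patch replaces the crypto code that shim uses to verify signatures and its body is 178031 lines, so it cannot be reviewed from the diff. Please name in the spec comment or the changelog the upstream commits being reverted and the certificate case that failed, so reviewers can see which later OpenSSL changes are lost and the revert can be dropped once the rejection is fixed properly.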
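Review bot: `2> /dev/null` on the make line in the @@ -121,7 +124,7 @@ hunk discards every diagnostic from the MokManager.efi and fallback.efi build, not just the Cryptlib warnings the changelog mentions, so a real compiler error in those targets leaves nothing in the build log. Redirect stderr to a file that is printed when make fails, or silence the specific warnings with compiler flags for Cryptlib only.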
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2017-09-04 12:18:25 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Mon Sep 4 12:18:25 2017 rev:62 rq:519293 version:12 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2017-08-28 16:16:20.537747923 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2017-09-04 12:18:26.598335869 +0200 @@ -1,0 +2,9 @@ +Tue Aug 29 08:44:25 UTC 2017 - g...@suse.com + +- Add shim-add-fallback-verbose-print.patch to print the debug + messages in fallback.efi dynamically +- Refresh shim-fallback-workaround-masked-ami-variables.patch +- Add shim-more-tpm-measurement.patch to measure more components + and support TPM better + +--- New: shim-add-fallback-verbose-print.patch shim-more-tpm-measurement.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.fnPROW/_old 2017-09-04 12:18:27.894153702 +0200 +++ /var/tmp/diff_new_pack.fnPROW/_new 2017-09-04 12:18:27.906152015 +0200 
@@ -53,8 +53,12 @@ Patch4: shim-fix-openssl-flags.patch # PATCH-FIX-UPSTREAM shim-fix-fallback-double-free.patch g...@suse.com -- Fix double free in fallback.c Patch5: shim-fix-fallback-double-free.patch +# PATCH-FIX-UPSTREAM shim-add-fallback-verbose-print.patch g...@suse.com -- Print debug messages dynamically +Patch6: shim-add-fallback-verbose-print.patch # PATCH-FIX-UPSTREAM shim-fallback-workaround-masked-ami-variables.patch g...@suse.com -- Work around the masked AMI variables -Patch6: shim-fallback-workaround-masked-ami-variables.patch +Patch7: shim-fallback-workaround-masked-ami-variables.patch +# PATCH-FIX-UPSTREAM shim-more-tpm-measurement.patch g...@suse.com -- Measure more components for TPM +Patch8: shim-more-tpm-measurement.patch # PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch g...@suse.com -- Change the default debug file path Patch50:shim-change-debug-file-path.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not @@ -108,6 +112,8 @@ %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 +%patch8 -p1 %patch50 -p1 %if 0%{?is_opensuse} == 1 %patch100 -p1 ++ shim-add-fallback-verbose-print.patch ++ >From 5b7f867367131e758548f9b537b765611ce3d874 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 31 Jul 2017 11:07:06 -0400 Subject: [PATCH 1/2] fallback: Minor whitespace cleanup Signed-off-by: Peter Jones (cherry picked from commit 87c8f07e98995c7a2bd040e9d7b7c35b15ff05e4) --- fallback.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fallback.c b/fallback.c index 0a7058b..9ec40b8 100644 --- a/fallback.c +++ b/fallback.c @@ -114,7 +114,7 @@ EFI_STATUS make_full_path(CHAR16 *dirname, CHAR16 *filename, CHAR16 **out, UINT64 *outlen) { UINT64 len; - + len = StrLen(L"\\EFI\\") + StrLen(dirname) + StrLen(L"\\") + StrLen(filename) + 2; 
@@ -358,12 +358,12 @@ add_to_boot_list(EFI_FILE_HANDLE fh, CHAR16 *dirname, CHAR16 *filename, CHAR16 * rc = make_full_path(dirname, filename, &fullpath, &pathlen); if (EFI_ERROR(rc)) return rc; - + EFI_DEVICE_PATH *dph = NULL; EFI_DEVICE_PATH *file = NULL; EFI_DEVICE_PATH *full_device_path = NULL; EFI_DEVICE_PATH *dp = NULL; - + dph = DevicePathFromHandle(this_image->DeviceHandle); if (!dph) { rc = EFI_OUT_OF_RESOURCES; -- 2.14.1 >From 74608d8f3dded28addbc09046c626f1a02251f3d Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 31 Jul 2017 12:51:46 -0400 Subject: [PATCH 2/2] Make fallback debug printing be dynamic at runtime. Signed-off-by: Peter Jones (cherry picked from commit c0f7d130746e82613b88cdaa9929fe37aff54c57) --- fallback.c | 133 +++-- 1 file changed, 94 insertions(+), 39 deletions(-) diff --git a/fallback.c b/fallback.c index 9ec40b8..5602a88 100644 --- a/fallback.c +++ b/fallback.c @@ -15,6 +15,57 @@ EFI_LOADED_IMAGE *this_image = NULL; +EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }; + +int +get_fallback_verbose(void) +{ + EFI_GUID guid = SHIM_LOCK_GUID; + UINT8 *data = NULL; + UINTN dataSize = 0; + EFI_STATUS efi_status; + unsigned int i; + static int state = -1; + + if (state != -1) + return state; + + efi_s
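Review bot: `EFI_GUID SHIM_LOCK_GUID = { ... }` in the @@ -15,6 +15,57 @@ hunk of PATCH 2/2 defines a writable global with external linkage under a macro-style name, and `get_fallback_verbose()` then copies it into a local `guid`. Declare it `static const` (the local copy already provides the non-const pointer that GetVariable needs), or take the GUID from a shared header, so that nothing else in fallback.c can modify the GUID used for variable lookups and the name cannot collide with a definition elsewhere.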
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2017-08-28 16:16:19 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Mon Aug 28 16:16:19 2017 rev:61 rq:518614 version:12 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2017-08-24 18:23:21.550846588 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2017-08-28 16:16:20.537747923 +0200 @@ -1,0 +2,11 @@ +Wed Aug 23 10:28:44 UTC 2017 - g...@suse.com + +- Add upstream fixes + + shim-fix-httpboot-crash.patch + + shim-fix-openssl-flags.patch + + shim-fix-fallback-double-free.patch + + shim-fallback-workaround-masked-ami-variables.patch +- Remove the stderr mask while compiling MokManager.efi since the + warnings in Cryptlib were fixed. + +--- New: shim-fallback-workaround-masked-ami-variables.patch shim-fix-fallback-double-free.patch shim-fix-httpboot-crash.patch shim-fix-openssl-flags.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.Xv3sl9/_old 2017-08-28 16:16:22.201514121 +0200 +++ /var/tmp/diff_new_pack.Xv3sl9/_new 2017-08-28 16:16:22.205513560 +0200 
@@ -47,6 +47,14 @@ Patch1: shim-only-os-name.patch # PATCH-FIX-SUSE shim-only-os-name.patch g...@suse.com -- Use the Arch-independent names Patch2: shim-arch-independent-names.patch +# PATCH-FIX-UPSTREAM shim-fix-httpboot-crash.patch g...@suse.com -- Fix HTTPBoot crash +Patch3: shim-fix-httpboot-crash.patch +# PATCH-FIX-UPSTREAM shim-fix-openssl-flags.patch g...@suse.com -- Fix the openssl compiler flags +Patch4: shim-fix-openssl-flags.patch +# PATCH-FIX-UPSTREAM shim-fix-fallback-double-free.patch g...@suse.com -- Fix double free in fallback.c +Patch5: shim-fix-fallback-double-free.patch +# PATCH-FIX-UPSTREAM shim-fallback-workaround-masked-ami-variables.patch g...@suse.com -- Work around the masked AMI variables +Patch6: shim-fallback-workaround-masked-ami-variables.patch # PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch g...@suse.com -- Change the default debug file path Patch50:shim-change-debug-file-path.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not @@ -96,6 +104,10 @@ %setup -q %patch1 -p1 %patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 %patch50 -p1 %if 0%{?is_opensuse} == 1 %patch100 -p1 @@ -103,7 +115,7 @@ %build # first, build MokManager and fallback as they don't depend on a # specific certificate -make EFI_PATH=/usr/lib64 RELEASE=0 MokManager.efi fallback.efi 2>/dev/null +make EFI_PATH=/usr/lib64 RELEASE=0 MokManager.efi fallback.efi # now build variants of shim that embed different certificates default='' ++ shim-fallback-workaround-masked-ami-variables.patch ++ >From 40eef4450fd4d5ec9ea666a02c276bbe073300d3 Mon Sep 17 00:00:00 2001 
From: Lans Zhang Date: Fri, 11 Aug 2017 13:42:20 +0800 Subject: [PATCH 1/2] fallback: work around the issue of boot option creation with AMI BIOS AMI BIOS (e.g, Intel NUC5i3MYHE) may automatically hide and patch Boot variables with ami_masked_device_path_guid. Initially, the normal boot option created by fallback looks like this: 01 00 00 00 5e 00 42 00 6f 00 6f 00 74 00 6c 00 |^.B.o.o.t.l.| 0010 6f 00 61 00 64 00 65 00 72 00 20 00 54 00 65 00 |o.a.d.e.r. .T.e.| 0020 73 00 74 00 20 00 28 00 36 00 34 00 2d 00 62 00 |s.t. .(.6.4.-.b.| 0030 69 00 74 00 29 00 00 00 04 01 2a 00 01 00 00 00 |i.t.).*.| 0040 00 08 00 00 00 00 00 00 00 00 08 00 00 00 00 00 || 0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 || 0060 01 01 04 04 30 00 5c 00 45 00 46 00 49 00 5c 00 |0.\.E.F.I.\.| 0070 42 00 4f 00 4f 00 54 00 5c 00 74 00 65 00 73 00 |B.O.O.T.\.t.e.s.| 0080 74 00 78 00 36 00 34 00 2e 00 65 00 66 00 69 00 |t.x.6.4...e.f.i.| 0090 00 00 7f ff 04 00 |..| 0096 after reboot, fallback has to create a new one due to the previous boot option is hidden and masked by AMI BIOS: 09 00 00 00 76 00 42 00 6f 00 6f 00 74 00 6c 00 |v.B.o.o.t.l.| 0010 6f 00 61 00 64 00 65 00 72 00 20 00 54 00 65 00 |o.a.d.e.r. .T.e.| 0020 73 00 74 00 20 00 28 00 36 00 34 00 2d 00 62 00 |s.t. .(.6.4.-.b.| 0030 69 00 74 00 29 00 00 00 01 04 14 00 e7 75 e2 99 |i.t.)u..| 0040 a0 75 37 4b a2 e6 c5 38 5e 6c 00 cb 7f ff 04 00 |.u7K...8^l..| 0050 04 01 2a 00 01 00 00 00 00 08
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2017-08-24 18:23:17 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Thu Aug 24 18:23:17 2017 rev:60 rq:518043 version:12 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2017-08-01 09:24:32.706751144 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2017-08-24 18:23:21.550846588 +0200 @@ -1,0 +2,9 @@ +Tue Aug 22 04:51:08 UTC 2017 - g...@suse.com + +- Add shim-arch-independent-names.patch to use the Arch-independent + names. (bsc#1054712) +- Refresh shim-change-debug-file-path.patch +- Disable shim-opensuse-cert-prompt.patch automatically in SLE +- Diable AArch64 until we have a real user and aarch64 signature + +--- New: shim-arch-independent-names.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.crmXDz/_old 2017-08-24 18:23:22.478715939 +0200 +++ /var/tmp/diff_new_pack.crmXDz/_new 2017-08-24 18:23:22.482715376 +0200 @@ -45,6 +45,8 @@ Source99: SIGNATURE_UPDATE.txt # PATCH-FIX-SUSE shim-only-os-name.patch g...@suse.com -- Only include the OS name in version.c Patch1: shim-only-os-name.patch +# PATCH-FIX-SUSE shim-only-os-name.patch g...@suse.com -- Use the Arch-independent names +Patch2: shim-arch-independent-names.patch # PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch g...@suse.com -- Change the default debug file path Patch50:shim-change-debug-file-path.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not @@ -65,7 +67,8 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build # For shim-install script Requires: grub2-efi -ExclusiveArch: x86_64 aarch64 +# Disable AArch64 until we have the signature +ExclusiveArch: x86_64 %description shim is a trivial EFI application that, when run, attempts to open and 
@@ -92,14 +95,15 @@ %prep %setup -q %patch1 -p1 +%patch2 -p1 %patch50 -p1 +%if 0%{?is_opensuse} == 1 %patch100 -p1 +%endif %build # first, build MokManager and fallback as they don't depend on a # specific certificate -make EFI_PATH=/usr/lib64 RELEASE=0 mmx64.efi fbx64.efi 2>/dev/null -rename mmx64 MokManager mmx64.* -rename fbx64 fallback fbx64.* +make EFI_PATH=/usr/lib64 RELEASE=0 MokManager.efi fallback.efi 2>/dev/null # now build variants of shim that embed different certificates default='' @@ -154,8 +158,7 @@ cp $cert2 shim.crt fi # make sure cast warnings don't trigger post build check -make EFI_PATH=/usr/lib64 RELEASE=0 VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 shimx64.efi -rename shimx64 shim shimx64.* +make EFI_PATH=/usr/lib64 RELEASE=0 VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 shim.efi # # assert correct certificate embedded grep -q "$verify" shim.efi ++ shim-arch-independent-names.patch ++ >From 927d98bacff515fdbac1ba13c6ca655385f3d6a7 Mon Sep 17 00:00:00 2001 From: Gary Lin Date: Tue, 22 Aug 2017 12:43:36 +0800 Subject: [PATCH] Make the names of EFI binaries arch-independent Since we only build the 64-bit binaries, we don't have the issue of the mixed architecture binaries in the same directory. Besides, we will use the same install script for x86_64 and AArch64. It's easier to maintain the script with the same names. Signed-off-by: Gary Lin --- Makefile | 9 - fallback.c | 2 +- shim.c | 6 +++--- 3 files changed, 4 insertions(+), 13 deletions(-) diff --git a/Makefile b/Makefile index 6ece282..d518615 100644 --- a/Makefile +++ b/Makefile @@ -51,9 +51,6 @@ ifeq ($(ARCH),x86_64) -DNO_BUILTIN_VA_FUNCS \ -DMDE_CPU_X64 "-DEFI_ARCH=L\"x64\"" -DPAGE_SIZE=4096 \ "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/x64-$(VERSION)$(RELEASE)/\"" - MMNAME = mmx64 - FBNAME = fbx64 - SHIMNAME= shimx64 EFI_PATH:=/usr/lib64/gnuefi LIB_PATH:=/usr/lib64 
@@ -63,18 +60,12 @@ ifeq ($(ARCH),ia32) -maccumulate-outgoing-args -m32 \ -DMDE_CPU_IA32 "-DEFI_ARCH=L\"ia32\"" -DPAGE_SIZE=4096 \ "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/ia32-$(VERSION)$(RELEASE)/\"" - MMNAME = mmia32 - FBNAME = fbia32 - SHIMNAME= shimia32 EFI_PATH:=/usr/lib/gnuefi LIB_PATH:=/usr/lib endif ifeq ($(ARCH),aarch64) CFLAGS += -DMDE_CPU_AARCH64 "-DEFI_ARCH=L\"aa64\"" -DPAGE_SIZE=4096 \ "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/aa64-$(VERSIO
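Review bot: In the shim.spec hunk at -45,6 +45,8, the comment added above Patch2 still names shim-only-os-name.patch, although the line it documents is `Patch2: shim-arch-independent-names.patch`, and it omits the bsc#1054712 reference that the changelog entry gives. The tag should name shim-arch-independent-names.patch and carry the bug number, since the patch comments are what ties each patch to its justification. Separately, the same submission drops aarch64 from ExclusiveArch while the patch's commit message justifies the rename by sharing one install script between x86_64 and AArch64; the changelog should say that the rename is preparation for a later AArch64 re-enable.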
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2017-08-01 09:24:31 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Tue Aug 1 09:24:31 2017 rev:59 rq:513024 version:12 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2017-07-04 09:08:07.545749329 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2017-08-01 09:24:32.706751144 +0200 @@ -1,0 +2,5 @@ +Fri Jul 14 16:40:52 UTC 2017 - bwiedem...@suse.com + +- Make build reproducible by avoiding race between find and cp + +--- Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.lsKhAv/_old 2017-08-01 09:24:33.462644616 +0200 +++ /var/tmp/diff_new_pack.lsKhAv/_new 2017-08-01 09:24:33.466644052 +0200 @@ -196,8 +196,9 @@ mv shim-${suffixes[0]}.debug shim.debug # Collect the source for debugsource -mkdir source -find . \( -name "*.c" -o -name "*.h" \) -type f -exec cp --parents -a {} source/ \; +mkdir ../source +find . \( -name "*.c" -o -name "*.h" \) -type f -exec cp --parents -a {} ../source/ \; +mv ../source . %install export BRP_PESIGN_FILES='%{_libdir}/efi/shim*.efi %{_libdir}/efi/MokManager.efi %{_libdir}/efi/fallback.efi'
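Review bot: In the debugsource hunk (-196,8 +196,9), staging the copy in `../source` removes the find/cp race but writes outside the package's own build tree, and `mkdir ../source` has no cleanup, so a leftover or unrelated `../source` makes the step fail. Consider keeping the directory inside the tree and pruning it from the walk, for example `find . -path ./source -prune -o \( -name "*.c" -o -name "*.h" \) -type f -exec cp --parents -a {} source/ \;`, or creating the staging directory with `mktemp -d`.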
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2017-07-04 09:08:05 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Tue Jul 4 09:08:05 2017 rev:58 rq:506933 version:12 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2017-06-07 09:51:59.571770857 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2017-07-04 09:08:07.545749329 +0200 @@ -1,0 +2,19 @@ +Thu Jun 22 03:26:00 UTC 2017 - g...@suse.com + +- Update to 12 +- Rename the result EFI images due to the upstream name change + + shimx64 -> shim + + mmx64 -> MokManager + + fbx64 -> fallback +- Refresh patches: + + shim-only-os-name.patch + + shim-change-debug-file-path.patch + + shim-opensuse-cert-prompt.patch +- Drop upstreamed patches: + + shim-httpboot-support.patch + + shim-bsc973496-mokmanager-no-append-write.patch + + shim-bsc991885-fix-sig-length.patch + + shim-update-openssl-1.0.2g.patch + + shim-update-openssl-1.0.2h.patch + +--- Old: shim-0.9.tar.bz2 shim-bsc973496-mokmanager-no-append-write.patch shim-bsc991885-fix-sig-length.patch shim-httpboot-support.patch shim-update-openssl-1.0.2g.patch shim-update-openssl-1.0.2h.patch New: shim-12.tar.bz2 Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.IvQpx4/_old 2017-07-04 09:08:08.445622753 +0200 +++ /var/tmp/diff_new_pack.IvQpx4/_new 2017-07-04 09:08:08.445622753 +0200 @@ -20,13 +20,13 @@ %undefine _build_create_debug Name: shim -Version:0.9 +Version:12 Release:0 Summary:UEFI shim loader License:BSD-2-Clause Group: System/Boot -Url:https://github.com/mjg59/shim -Source: %{name}-%{version}.tar.bz2 +Url:https://github.com/rhboot/shim +Source: https://github.com/rhboot/shim/releases/download/%{version}/%{name}-%{version}.tar.bz2 # run "extract_signature.sh shim.efi" where shim.efi is the binary # with the signature from the UEFI signing service. # Note: For signature requesting, check SIGNATURE_UPDATE.txt 
@@ -45,16 +45,6 @@ Source99: SIGNATURE_UPDATE.txt # PATCH-FIX-SUSE shim-only-os-name.patch g...@suse.com -- Only include the OS name in version.c Patch1: shim-only-os-name.patch -# PATCH-FIX-UPSTREAM FATE#320129 shim-httpboot-support.patch g...@suse.com -- Add HTTPBoot support -Patch2: shim-httpboot-support.patch -# PATCH-FIX-UPSTREAM shim-update-openssl-1.0.2g.patch g...@suse.com -- Update openssl to 1.0.2g -Patch3: shim-update-openssl-1.0.2g.patch -# PATCH-FIX-UPSTREAM bsc#973496 shim-bsc973496-mokmanager-no-append-write.patch g...@suse.com -- Work around the firmware that doesn't support APPEND_WRITE -Patch4: shim-bsc973496-mokmanager-no-append-write.patch -# PATCH-FIX-UPSTREAM shim-update-openssl-1.0.2h.patch g...@suse.com -- Update openssl to 1.0.2h -Patch5: shim-update-openssl-1.0.2h.patch -# PATCH-FIX-UPSTREAM bsc#991885 shim-bsc991885-fix-sig-length.patch g...@suse.com -- Fix the signature length passed to Authenticode -Patch6: shim-bsc991885-fix-sig-length.patch # PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch g...@suse.com -- Change the default debug file path Patch50:shim-change-debug-file-path.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not @@ -102,17 +92,14 @@ %prep %setup -q %patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 %patch50 -p1 %patch100 -p1 %build # first, build MokManager and fallback as they don't depend on a # specific certificate -make EFI_PATH=/usr/lib64 RELEASE=0 MokManager.efi fallback.efi 2>/dev/null +make EFI_PATH=/usr/lib64 RELEASE=0 mmx64.efi fbx64.efi 2>/dev/null +rename mmx64 MokManager mmx64.* +rename fbx64 fallback fbx64.* # now build variants of shim that embed different certificates default='' 
@@ -167,7 +154,8 @@ cp $cert2 shim.crt fi # make sure cast warnings don't trigger post build check -make EFI_PATH=/usr/lib64 RELEASE=0 VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 shim.efi 2>/dev/null +make EFI_PATH=/usr/lib64 RELEASE=0 VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 shimx64.efi +rename shimx64 shim shimx64.* # # assert correct certificate embedded grep -q "$verify" shim.efi ++ shim-0.9.tar.bz2 -> shim-12.tar.bz2 ++ 251670 lines of diff (skipped) ++ shim-change-debug-file-path.patch ++ --- /var/tmp/diff_new_pack.IvQpx4/_ol
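Review bot: In the last shim.spec hunk (-167,7 +154,8), the shim build line loses its `2>/dev/null` while the comment directly above it still reads "make sure cast warnings don't trigger post build check"; the MokManager/fallback line in the -102,17 hunk keeps the redirect. Either restore the redirect on the `shimx64.efi` line or update the comment, so it is clear whether warnings from the certificate-embedding build are meant to be visible. Also, shim-bsc991885-fix-sig-length.patch and the other dropped patches are listed as upstreamed, but the tarball diff is skipped in this mail, so that claim cannot be checked from here; naming the upstream commits in the changelog would close the gap.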
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2017-06-07 09:51:58 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Wed Jun 7 09:51:58 2017 rev:57 rq:499877 version:0.9 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2017-04-11 09:28:36.629370970 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2017-06-07 09:51:59.571770857 +0200 @@ -1,0 +2,5 @@ +Tue May 23 03:44:48 UTC 2017 - g...@suse.com + +- Add the build flag to enable HTTPBoot + +--- Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.XWAo4Q/_old 2017-06-07 09:52:00.535634644 +0200 +++ /var/tmp/diff_new_pack.XWAo4Q/_new 2017-06-07 09:52:00.539634078 +0200 @@ -167,7 +167,7 @@ cp $cert2 shim.crt fi # make sure cast warnings don't trigger post build check -make EFI_PATH=/usr/lib64 RELEASE=0 VENDOR_CERT_FILE=shim-$suffix.der shim.efi 2>/dev/null +make EFI_PATH=/usr/lib64 RELEASE=0 VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 shim.efi 2>/dev/null # # assert correct certificate embedded grep -q "$verify" shim.efi
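Review bot: `ENABLE_HTTPBOOT=1` is added to the shim.efi build line that still ends in `2>/dev/null`, so any warnings from the newly compiled HTTPBoot code are discarded. Since this turns on a network boot path in the loader that gets signed, the changelog entry should carry a feature or bug reference, and the redirect should be narrowed to the cast warnings the comment mentions rather than silencing stderr for the whole build.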
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2017-04-11 09:28:32 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Tue Apr 11 09:28:32 2017 rev:56 rq:483743 version:0.9 Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2017-02-26 17:00:27.919908628 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2017-04-11 09:28:36.629370970 +0200 @@ -1,0 +2,5 @@ +Wed Mar 22 10:54:41 UTC 2017 - mch...@suse.com + +- shim-install: add option --suse-enable-tpm (fate#315831) + +--- Other differences: -- ++ shim-install ++ --- /var/tmp/diff_new_pack.Q1h3PY/_old 2017-04-11 09:28:38.561098152 +0200 +++ /var/tmp/diff_new_pack.Q1h3PY/_new 2017-04-11 09:28:38.561098152 +0200 @@ -18,6 +18,7 @@ self="`basename $0`" grub_cfg="/boot/grub2/grub.cfg" update_boot=no +def_grub_efi="${source_dir}/grub.efi" # Get GRUB_DISTRIBUTOR. if test -f "${sysconfdir}/default/grub" ; then @@ -58,6 +59,7 @@ echo "--efi-directory=DIR use DIR as the EFI System Partition root." echo "--config-file=FILE use FILE as config file, default is $grub_cfg." echo "--clean remove all installed files and configs." +echo "--suse-enable-tpm install grub.efi with TPM support." echo echo "INSTALL_DEVICE must be system device filename." } @@ -121,6 +123,9 @@ --no-nvram) no_nvram=yes ;; +--suse-enable-tpm) +source_grub_efi="/usr/lib/grub2/x86_64-efi/grub-tpm.efi" ;; + --clean) clean=yes ;; 
@@ -235,7 +240,18 @@ fi cp "${source_dir}/MokManager.efi" "${efidir}" -cp "${source_dir}/grub.efi" "${efidir}" + +if test -n "$source_grub_efi" && ! test -f "$source_grub_efi"; then +echo "File $source_grub_efi doesn't exist, fallback to default one" 1>&2 +source_grub_efi="" +fi + +if test -z "$source_grub_efi"; then +source_grub_efi="$def_grub_efi" +fi + +echo "copying $source_grub_efi to ${efidir}/grub.efi" +cp "$source_grub_efi" "${efidir}/grub.efi" if test "$efidir" != "$efibootdir" ; then cp "${source_dir}/shim.efi" "${efidir}"
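Review bot: In the -235,7 +240,18 hunk, when `--suse-enable-tpm` is given but grub-tpm.efi does not exist, the script prints "fallback to default one" and installs the default grub.efi with a normal exit status. A caller who asked for the TPM-enabled image gets the image without TPM support and no failing status to act on; consider `exit 1` in that branch, or at least a distinct exit code. The path `/usr/lib/grub2/x86_64-efi/grub-tpm.efi` is also hard-coded in the option parser while `def_grub_efi` is derived from `${source_dir}`; defining both at the top of the script would keep them consistent.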
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2017-02-26 17:00:27 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2016-12-13 17:41:16.961301951 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2017-02-26 17:00:27.919908628 +0100 @@ -1,0 +2,13 @@ +Fri Jan 13 09:21:49 UTC 2017 - mch...@suse.com + +- Support %posttrans with marcos provided by update-bootloader-rpm-macros + package (bsc#997317) + +--- +Fri Nov 18 09:23:01 UTC 2016 - g...@suse.com + +- Add SIGNATURE_UPDATE.txt to state the steps to update + signature-*.asc +- Update the comment of strip_signature.sh + +--- New: SIGNATURE_UPDATE.txt Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.ncwN5S/_old 2017-02-26 17:00:29.395684776 +0100 +++ /var/tmp/diff_new_pack.ncwN5S/_new 2017-02-26 17:00:29.399684169 +0100 @@ -1,7 +1,7 @@ # # spec file for package shim # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -14,10 +14,9 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # - - # needssslcertforbuild + %undefine _build_create_debug Name: shim @@ -30,6 +29,7 @@ Source: %{name}-%{version}.tar.bz2 # run "extract_signature.sh shim.efi" where shim.efi is the binary # with the signature from the UEFI signing service. +# Note: For signature requesting, check SIGNATURE_UPDATE.txt Source1:signature-opensuse.asc Source2:openSUSE-UEFI-CA-Certificate.crt Source3:shim-install 
@@ -42,6 +42,7 @@ Source10: timestamp.pl Source11: strip_signature.sh Source12: signature-sles.asc +Source99: SIGNATURE_UPDATE.txt # PATCH-FIX-SUSE shim-only-os-name.patch g...@suse.com -- Only include the OS name in version.c Patch1: shim-only-os-name.patch # PATCH-FIX-UPSTREAM FATE#320129 shim-httpboot-support.patch g...@suse.com -- Add HTTPBoot support @@ -63,7 +64,14 @@ BuildRequires: openssl >= 0.9.8 BuildRequires: pesign BuildRequires: pesign-obs-integration +%if 0%{?suse_version} > 1320 +BuildRequires: update-bootloader-rpm-macros +%endif +%if 0%{?update_bootloader_requires:1} +%update_bootloader_requires +%else Requires: perl-Bootloader +%endif BuildRoot: %{_tmppath}/%{name}-%{version}-build # For shim-install script Requires: grub2-efi 
@@ -233,7 +241,14 @@ %{?buildroot:%__rm -rf "%{buildroot}"} %post +%if 0%{?update_bootloader_check_type_reinit_post:1} +%update_bootloader_check_type_reinit_post grub2-efi +%else /sbin/update-bootloader --reinit || true +%endif + +%posttrans +%{?update_bootloader_posttrans} %files %defattr(-,root,root) ++ SIGNATURE_UPDATE.txt ++ openSUSE For openSUSE, the devel project of shim is devel:openSUSE:Factory. ALWAYS use the latest Leap to build shim-opensuse.efi for UEFI CA. Tumbleweed shares the same binary with Leap, so do the older Leap releases. The steps to udpate signature-opensuse.asc: 1) Branch devel:openSUSE:Factory/shim. 2) Add the latest Leap, e.g. 42.2, to the build target. 3) Build shim-opensuse.efi against the latest Leap. 4) Strip the signature from shim-opensuse.efi with strip_signature.sh. 5) Send shim-opensuse.efi to UEFI CA to request a new signature. 6) Extract the signature from the signed shim.efi with extract_signature.sh 7) Update signature-opensuse.asc. SLES === Since there is no devel project for shim in SLES, just build shim-sles.efi with the latest SLES and then send it to UEFI CA for a new signature. The steps to update signature-sles.asc: 1) Branch shim from the latest SLES and apply the update/fix. 2) Build shim-sles.efi against the latest SLES. 3) Strip the signature from shim-sles.efi with strip_signature.sh. 4) Send shim-sles.efi to UEFI CA to request a new signature. 5) Extract the signature from the signed shim.efi with extract_signature.sh 6) Update signature-sles.asc. ++ strip_signature.sh ++ --- /var/tmp/diff_new_pack.ncwN5S/_old 2017-02-26 17:00:29.599653837 +0100 +++ /var/tmp/diff_new_pack.ncwN5S/_new 2017-02-26 17:00:29.603653231 +0100 @@ -1,5 +1,5 @@ #!/bin/bash -# attach ascii armored signature to a PE binary +# strip the signature from a PE binary set -e infile="$1"
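Review bot: The steps added in SIGNATURE_UPDATE.txt go from "Send shim-opensuse.efi to UEFI CA" straight to "Extract the signature from the signed shim.efi" with no check that the returned binary is the one that was submitted. Add a step that strips the signature from the returned file with strip_signature.sh and compares the result (hash or `cmp`) against the stripped binary that was sent, before signature-opensuse.asc or signature-sles.asc is updated. Minor: "udpate" in the openSUSE section and "marcos" in the changelog entry are typos.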
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2016-10-02 00:06:41 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2016-09-09 10:15:23.0 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2016-10-02 00:07:10.0 +0200 @@ -1,0 +2,7 @@ +Wed Sep 21 09:55:40 UTC 2016 - mch...@suse.com + +- shim-install : + * add option --no-nvram (bsc#999818) + * improve removable media and fallback mode handling + +--- Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.tkIsuc/_old 2016-10-02 00:07:12.0 +0200 +++ /var/tmp/diff_new_pack.tkIsuc/_new 2016-10-02 00:07:12.0 +0200 @@ -1,7 +1,7 @@ # # spec file for package shim # -# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed ++ shim-install ++ --- /var/tmp/diff_new_pack.tkIsuc/_old 2016-10-02 00:07:12.0 +0200 +++ /var/tmp/diff_new_pack.tkIsuc/_new 2016-10-02 00:07:12.0 +0200 @@ -6,6 +6,7 @@ install_device= efibootdir= ca_string= +no_nvram=no removable=no clean=no sysconfdir="/etc" @@ -52,6 +53,7 @@ echo "--directory=DIR use images from DIR." echo "--grub-probe=FILE use FILE as grub-probe." echo "--removable the installation device is removable." +echo "--no-nvram don't update the NVRAM variable." echo "--bootloader-id=ID the ID of bootloader." echo "--efi-directory=DIR use DIR as the EFI System Partition root." echo "--config-file=FILE use FILE as config file, default is $grub_cfg." @@ -113,8 +115,12 @@ grub_cfg="`echo "$option" | sed 's/--config-file=//'`" ;; --removable) + no_nvram=yes removable=yes ;; +--no-nvram) + no_nvram=yes ;; + --clean) clean=yes ;; 
@@ -189,14 +195,18 @@ efi_file=shim.efi efibootdir="$efidir/EFI/boot" mkdir -p "$efibootdir" || exit 1 -efidir="$efidir/EFI/$efi_distributor" -mkdir -p "$efidir" || exit 1 +if test "$removable" = "yes" ; then + efidir="$efibootdir" +else + efidir="$efidir/EFI/$efi_distributor" + mkdir -p "$efidir" || exit 1 +fi else echo "No valid EFI partition" 1>&2 exit 1; fi -if test -f "$efibootdir/bootx64.efi"; then +if test "$removable" = "no" -a -f "$efibootdir/bootx64.efi"; then if test -n "$ca_string" && (grep -q "$ca_string" "$efibootdir/bootx64.efi"); then update_boot=yes fi @@ -214,7 +224,7 @@ rm -f "${efibootdir}/bootx64.efi" rm -f "${efibootdir}/fallback.efi" fi -if test "$removable" = no && test -n "$bootloader_id"; then +if test "$no_nvram" = no && test -n "$bootloader_id"; then # Delete old entries from the same distributor. for bootnum in `efibootmgr | grep '^Boot[0-9]' | \ fgrep -i " $bootloader_id" | cut -b5-8`; do @@ -224,13 +234,21 @@ exit 0 fi -cp "${source_dir}/shim.efi" "${efidir}" cp "${source_dir}/MokManager.efi" "${efidir}" cp "${source_dir}/grub.efi" "${efidir}" -echo "shim.efi,${bootloader_id}" | iconv -f ascii -t ucs2 > "${efidir}/boot.csv" + +if test "$efidir" != "$efibootdir" ; then +cp "${source_dir}/shim.efi" "${efidir}" +if test -n "$bootloader_id"; then +echo "shim.efi,${bootloader_id}" | iconv -f ascii -t ucs2 > "${efidir}/boot.csv" +fi +fi + if test "$update_boot" = "yes"; then cp "${source_dir}/shim.efi" "${efibootdir}/bootx64.efi" -cp "${source_dir}/fallback.efi" "${efibootdir}" +if test "$removable" = "no"; then +cp "${source_dir}/fallback.efi" "${efibootdir}" +fi fi @@ -268,7 +286,7 @@ # invoke grub_install to initialize /boot/grub2 directory with files needed by grub.cfg ${grub_install} --no-nvram -if test "$removable" = no && test -n "$bootloader_id"; then +if test "$no_nvram" = no && test -n "$bootloader_id"; then modprobe -q efivars 2>/dev/null || true
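Review bot: In the option parser hunk (-113,8 +115,12), `--removable` now also sets `no_nvram=yes`, but the help line for `--removable` is unchanged and only the new `--no-nvram` line mentions NVRAM; document the implication in the `--removable` help text. In the -189,14 +195,18 hunk, `test "$removable" = "no" -a -f "$efibootdir/bootx64.efi"` uses the obsolescent `-a` operator, while the other conditions touched by this change chain two `test` calls with `&&`, which avoids the parsing ambiguities of `-a`.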
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2016-09-09 10:15:19 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2016-08-17 11:59:48.0 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2016-09-09 10:15:23.0 +0200 @@ -1,0 +2,5 @@ +Fri Aug 19 06:46:59 UTC 2016 - mch...@suse.com + +- shim-install : fix regression of password prompt (bsc#993764) + +--- Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.shvCLl/_old 2016-09-09 10:15:24.0 +0200 +++ /var/tmp/diff_new_pack.shvCLl/_new 2016-09-09 10:15:24.0 +0200 @@ -1,7 +1,7 @@ # # spec file for package shim # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed ++ shim-install ++ --- /var/tmp/diff_new_pack.shvCLl/_old 2016-09-09 10:15:24.0 +0200 +++ /var/tmp/diff_new_pack.shvCLl/_new 2016-09-09 10:15:24.0 +0200 @@ -237,6 +237,7 @@ make_grubcfg () { grub_cfg_dirname=`dirname $grub_cfg` +grub_cfg_basename=`basename $grub_cfg` cfg_fs_uuid=`"$grub_probe" --target=fs_uuid "$grub_cfg_dirname"` if test "x$SUSE_BTRFS_SNAPSHOT_BOOTING" = "xtrue"; then @@ -257,8 +258,7 @@ cat <
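Review bot: The line restored in `make_grubcfg`, which assigns `grub_cfg_basename` from `basename $grub_cfg`, expands `$grub_cfg` unquoted, as does the `dirname $grub_cfg` line above it, so a config path containing whitespace or glob characters is split before `basename` sees it. Quote the expansion, for example `grub_cfg_basename=$(basename "$grub_cfg")`. The copyright line also changes from "SUSE LINUX GmbH" to "SUSE LINUX Products GmbH" in a submission described as a shim-install fix only; that looks like tooling churn and should be left out.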
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2016-08-17 11:59:46 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2016-05-13 09:22:00.0 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2016-08-17 11:59:48.0 +0200 
@@ -1,0 +2,37 @@ +Fri Aug 5 02:53:54 UTC 2016 - g...@suse.com + +- Add shim-bsc991885-fix-sig-length.patch to fix the signature + length passed to Authenticode (bsc#991885) + +--- +Wed Aug 3 09:10:25 UTC 2016 - g...@suse.com + +- Update shim-bsc973496-mokmanager-no-append-write.patch to try + append write first + +--- +Tue Aug 2 02:59:46 UTC 2016 - g...@suse.com + +- Add shim-update-openssl-1.0.2h.patch to update openssl to 1.0.2h +- Bump the requirement of gnu-efi due to the HTTPBoot support + +--- +Mon Aug 1 09:01:59 UTC 2016 - g...@suse.com + +- Add shim-httpboot-support.patch to support HTTPBoot +- Add shim-update-openssl-1.0.2g.patch to update openssl to 1.0.2g + and Cryptlib to 5e2318dd37a51948aaf845c7d920b11f47cdcfe6 +- Drop patches since they are merged into + shim-update-openssl-1.0.2g.patch + + shim-update-openssl-1.0.2d.patch + + shim-gcc5.patch + + shim-bsc950569-fix-cryptlib-va-functions.patch + + shim-fix-aarch64.patch +- Refresh shim-change-debug-file-path.patch +- Add shim-bsc973496-mokmanager-no-append-write.patch to work + around the firmware that doesn't support APPEND_WRITE (bsc973496) +- shim-install : remove '\n' from the help message (bsc#991188) +- shim-install : print a message if there is no valid EFI partition + (bsc#991187) + +--- Old: shim-bsc950569-fix-cryptlib-va-functions.patch shim-fix-aarch64.patch shim-gcc5.patch shim-update-openssl-1.0.2d.patch New: shim-bsc973496-mokmanager-no-append-write.patch shim-bsc991885-fix-sig-length.patch shim-httpboot-support.patch shim-update-openssl-1.0.2g.patch shim-update-openssl-1.0.2h.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.qZ1cTj/_old 2016-08-17 11:59:50.0 +0200 +++ /var/tmp/diff_new_pack.qZ1cTj/_new 2016-08-17 11:59:50.0 +0200 
@@ -44,18 +44,21 @@ Source12: signature-sles.asc # PATCH-FIX-SUSE shim-only-os-name.patch g...@suse.com -- Only include the OS name in version.c Patch1: shim-only-os-name.patch -# PATCH-FIX-UPSTREAM shim-update-openssl-1.0.2d.patch g...@suse.com -- Update openssl to 1.0.2d -Patch4: shim-update-openssl-1.0.2d.patch -# PATCH-FIX-UPSTREAM shim-gcc5.patch g...@suse.com -- Specify the gnu89 standard -Patch5: shim-gcc5.patch -# PATCH-FIX-UPSTREAM shim-bsc950569-fix-cryptlib-va-functions.patch bsc#950569 g...@suse.com -- Fix the definition of the va functions to avoid the potential crash -Patch6: shim-bsc950569-fix-cryptlib-va-functions.patch -Patch7: shim-fix-aarch64.patch +# PATCH-FIX-UPSTREAM FATE#320129 shim-httpboot-support.patch g...@suse.com -- Add HTTPBoot support +Patch2: shim-httpboot-support.patch +# PATCH-FIX-UPSTREAM shim-update-openssl-1.0.2g.patch g...@suse.com -- Update openssl to 1.0.2g +Patch3: shim-update-openssl-1.0.2g.patch +# PATCH-FIX-UPSTREAM bsc#973496 shim-bsc973496-mokmanager-no-append-write.patch g...@suse.com -- Work around the firmware that doesn't support APPEND_WRITE +Patch4: shim-bsc973496-mokmanager-no-append-write.patch +# PATCH-FIX-UPSTREAM shim-update-openssl-1.0.2h.patch g...@suse.com -- Update openssl to 1.0.2h +Patch5: shim-update-openssl-1.0.2h.patch +# PATCH-FIX-UPSTREAM bsc#991885 shim-bsc991885-fix-sig-length.patch g...@suse.com -- Fix the signature length passed to Authenticode +Patch6: shim-bsc991885-fix-sig-length.patch # PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch g...@suse.com -- Change the default debug file path Patch50:shim-change-debug-file-path.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not Patch100: shim-opensuse-cert-prompt.patch -BuildRequires: gnu-efi >= 3.0t +BuildRequires: gnu-efi >= 3.0.3 BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 BuildRequires: pesign 
@@ -91,10 +94,11 @@ %prep %setup -q %patch1 -p1 +%patch2 -p1 +%patch3 -p1 %patch4 -p1 %patch5 -p1 %patch6 -p1 -%patch7 -p1
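Review bot: The changelog entry for shim-bsc973496-mokmanager-no-append-write.patch cites "(bsc973496)" without the "#", unlike the other references in the same entry, so changelog parsers and bug trackers will not link it. In shim.spec, Patch3 (openssl 1.0.2g) and Patch5 (openssl 1.0.2h) are both carried, with Patch4 applied between them; folding the two into one update patch would make it clearer which bundled OpenSSL version ends up in the binary.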
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2016-05-13 09:21:58 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2016-03-16 10:25:16.0 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2016-05-13 09:22:00.0 +0200 @@ -1,0 +2,10 @@ +Mon May 9 11:20:56 UTC 2016 - r...@suse.com + +- shim-install : support simple MD RAID1 target devices (FATE#314829) + +--- +Wed May 4 10:40:52 UTC 2016 - ag...@suse.com + +- Add shim-fix-aarch64.patch to fix compilation on AArch64 (bsc#978438) + +--- New: shim-fix-aarch64.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.JUlMCV/_old 2016-05-13 09:22:02.0 +0200 +++ /var/tmp/diff_new_pack.JUlMCV/_new 2016-05-13 09:22:02.0 +0200 @@ -1,7 +1,7 @@ # # spec file for package shim # -# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -50,6 +50,7 @@ Patch5: shim-gcc5.patch # PATCH-FIX-UPSTREAM shim-bsc950569-fix-cryptlib-va-functions.patch bsc#950569 g...@suse.com -- Fix the definition of the va functions to avoid the potential crash Patch6: shim-bsc950569-fix-cryptlib-va-functions.patch +Patch7: shim-fix-aarch64.patch # PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch g...@suse.com -- Change the default debug file path Patch50:shim-change-debug-file-path.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not @@ -93,6 +94,7 @@ %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 %patch50 -p1 %patch100 -p1 %build ++ shim-fix-aarch64.patch ++ Index: shim-0.9/Makefile === --- shim-0.9.orig/Makefile +++ shim-0.9/Makefile 
@@ -53,7 +53,7 @@ ifeq ($(ARCH),ia32) "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/ia32-$(VERSION)$(RELEASE)/\"" endif ifeq ($(ARCH),aarch64) - CFLAGS += "-DEFI_ARCH=L\"aa64\"" + CFLAGS += "-DEFI_ARCH=L\"aa64\"" \ "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/aa64-$(VERSION)$(RELEASE)/\"" endif ++ shim-install ++ --- /var/tmp/diff_new_pack.JUlMCV/_old 2016-05-13 09:22:02.0 +0200 +++ /var/tmp/diff_new_pack.JUlMCV/_new 2016-05-13 09:22:02.0 +0200 @@ -281,6 +281,21 @@ efidir_disk="$("$grub_probe" --target=disk --device-map= "$efidir")" if test -z "$efidir_drive" || test -z "$efidir_disk"; then echo "Can't find GRUB drive for $efidir; unable to create EFI Boot Manager entry." >&2 +elif [[ "$efidir_drive" == \(mduuid/* ]]; then +eval $(mdadm --detail --export "$efidir_disk" | + perl -ne 'print if m{^MD_LEVEL=}; push( @D, $1) if (m{^MD_DEVICE_\S+_DEV=(\S+)$}); +sub END() {print "MD_DEVS=\"", join( " ", @D), "\"\n";};') +if [ "$MD_LEVEL" != "raid1" ]; then +echo "GRUB drive for $efidir not on RAID1; unable to create EFI Boot Manager entry." >&2 +fi +for mddev in $MD_DEVS; do +efidir_drive="$("$grub_probe" --target=drive --device-map= -d "$mddev")" +efidir_disk="$("$grub_probe" --target=disk --device-map= -d "$mddev")" +efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')" +efidir_d=${mddev#/dev/} +efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \ + -L "$bootloader_id ($efidir_d)" -l "\\EFI\\$efi_distributor\\$efi_file" +done else efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')" efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \
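Review bot: In the shim-install hunk (-281,6 +281,21), the `MD_LEVEL` check only prints "not on RAID1; unable to create EFI Boot Manager entry" and then falls through to the `for mddev in $MD_DEVS` loop, so boot entries are created anyway on arrays that are not RAID1. Move the loop into an `else` branch. The `eval $(mdadm --detail --export ...)` construct also executes device-derived text as shell in the installer; reading the `MD_LEVEL` and `MD_DEVICE_*_DEV` lines with a `while read` loop would avoid that. In shim.spec, Patch7 is added without the `# PATCH-FIX-...` comment the other patches carry.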
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2016-03-16 10:25:15 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2015-12-09 22:34:05.0 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2016-03-16 10:25:16.0 +0100 @@ -1,0 +2,7 @@ +Wed Mar 9 07:15:52 UTC 2016 - mch...@suse.com + +- shim-install : fix typing ESC can escape to parent config which is + in command mode and cannot return back (bsc#966701) +- shim-install : fix no which command for JeOS (bsc#968264) + +--- Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.XrHjdD/_old 2016-03-16 10:25:17.0 +0100 +++ /var/tmp/diff_new_pack.XrHjdD/_new 2016-03-16 10:25:17.0 +0100 @@ -1,7 +1,7 @@ # # spec file for package shim # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed ++ shim-install ++ --- /var/tmp/diff_new_pack.XrHjdD/_old 2016-03-16 10:25:17.0 +0100 +++ /var/tmp/diff_new_pack.XrHjdD/_new 2016-03-16 10:25:17.0 +0100 @@ -11,9 +11,9 @@ sysconfdir="/etc" libdir="/usr/lib64" source_dir="$libdir/efi" -grub_probe="`which grub2-probe`" -grub_mkrelpath="`which grub2-mkrelpath`" -grub_install="`which grub2-install`" +grub_probe="/usr/sbin/grub2-probe" +grub_mkrelpath="/usr/bin/grub2-mkrelpath" +grub_install="/usr/sbin/grub2-install" self="`basename $0`" grub_cfg="/boot/grub2/grub.cfg" update_boot=no 
@@ -213,8 +213,7 @@ rm -f "${efibootdir}/bootx64.efi" rm -f "${efibootdir}/fallback.efi" fi -efibootmgr="`which efibootmgr`" -if test "$removable" = no && test -n "$bootloader_id" && test -n "$efibootmgr"; then +if test "$removable" = no && test -n "$bootloader_id"; then # Delete old entries from the same distributor. for bootnum in `efibootmgr | grep '^Boot[0-9]' | \ fgrep -i " $bootloader_id" | cut -b5-8`; do @@ -237,7 +236,6 @@ make_grubcfg () { grub_cfg_dirname=`dirname $grub_cfg` -grub_cfg_basename=`basename $grub_cfg` cfg_fs_uuid=`"$grub_probe" --target=fs_uuid "$grub_cfg_dirname"` if test "x$SUSE_BTRFS_SNAPSHOT_BOOTING" = "xtrue"; then @@ -258,7 +256,8 @@ cat
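Review bot: The -213,8 +213,7 hunk removes `test -n "$efibootmgr"` together with the `which` lookup, so on a system without efibootmgr the cleanup loop is no longer skipped; it runs the `efibootmgr | grep ...` pipeline anyway and only emits a command-not-found error. Keep the guard without depending on `which`, for example `command -v efibootmgr >/dev/null 2>&1`, or give efibootmgr a fixed path like the three grub2 tools in the first hunk.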
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2015-12-09 19:51:07 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2015-11-23 07:29:05.0 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2015-12-09 22:34:05.0 +0100 @@ -1,0 +2,5 @@ +Thu Dec 3 10:26:14 UTC 2015 - jseg...@novell.com + +- acquired updated signature from Microsoft + +--- Other differences: -- ++ signature-opensuse.asc ++ --- /var/tmp/diff_new_pack.mWyfRF/_old 2015-12-09 22:34:07.0 +0100 +++ /var/tmp/diff_new_pack.mWyfRF/_new 2015-12-09 22:34:07.0 +0100 
@@ -1,39 +1,39 @@ -hash: 410260b1b6f5af5fbeeb9ea3220658435e876cb3247126ee907a437f312db373 +hash: 96275dfd6282a522b011177ee049296952ac794832091f937fbbf92869028629 # 2069-04-10 06:07:54 timestamp: babababa -checksum: f8c3 +checksum: ef25
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2015-11-23 07:29:04 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2015-10-08 13:44:04.0 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2015-11-23 07:29:05.0 +0100 @@ -1,0 +2,12 @@ +Mon Nov 9 08:22:43 UTC 2015 - g...@suse.com + +- Add shim-bsc950569-fix-cryptlib-va-functions.patch to fix the + definition of va functions to avoid the potential crash + (bsc#950569) +- Update shim-opensuse-cert-prompt.patch to avoid setting NULL to + MokListRT (bsc#950801) +- Drop shim-fix-mokmanager-sections.patch as we are using the + newer binutils now +- Refresh shim-change-debug-file-path.patch + +--- Old: shim-fix-mokmanager-sections.patch New: shim-bsc950569-fix-cryptlib-va-functions.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.asTbz4/_old 2015-11-23 07:29:07.0 +0100 +++ /var/tmp/diff_new_pack.asTbz4/_new 2015-11-23 07:29:07.0 +0100 @@ -1,7 +1,7 @@ # # spec file for package shim # -# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -44,12 +44,12 @@ Source12: signature-sles.asc # PATCH-FIX-SUSE shim-only-os-name.patch g...@suse.com -- Only include the OS name in version.c Patch1: shim-only-os-name.patch -# PATCH-FIX-UPSTREAM shim-fix-mokmanager-sections.patch g...@suse.com -- Fix the objcopy parameters for the EFI files -Patch3: shim-fix-mokmanager-sections.patch # PATCH-FIX-UPSTREAM shim-update-openssl-1.0.2d.patch g...@suse.com -- Update openssl to 1.0.2d Patch4: shim-update-openssl-1.0.2d.patch # PATCH-FIX-UPSTREAM shim-gcc5.patch g...@suse.com -- Specify the gnu89 standard Patch5: shim-gcc5.patch +# PATCH-FIX-UPSTREAM shim-bsc950569-fix-cryptlib-va-functions.patch bsc#950569 g...@suse.com -- Fix the definition of the va functions to avoid the potential crash +Patch6: shim-bsc950569-fix-cryptlib-va-functions.patch # PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch g...@suse.com -- Change the default debug file path Patch50:shim-change-debug-file-path.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not @@ -90,9 +90,9 @@ %prep %setup -q %patch1 -p1 -%patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 %patch50 -p1 %patch100 -p1 %build ++ shim-bsc950569-fix-cryptlib-va-functions.patch ++ >From b74c635bfd5d131f2848ce2cd2ffc838dc616ee8 Mon Sep 17 00:00:00 2001 
From: Gary Ching-Pang Lin Date: Tue, 27 Oct 2015 12:00:13 +0800 Subject: [PATCH] Cryptlib: Define the va functions for EFIAPI It turned out that my previous crash fix(*) was wrong. We actually always used the gcc built-in va functions instead of the "real" va functions for EFIAPI, and we are just lucky that ERR_add_error_data didn't crash before. This commit copies the va functions from MdePkg/Include/Base.h in edk2 and introduces NO_BUILTIN_VA_FUNCS for x86_64, so that all the x86_64 builds will adopt the new va functions. For safety, I also added EFIAPI to all the functions which use va_* to avoid the potential trouble. (*) a7f4b26cc35204165bd04e75c34e8e7aa2a87ecc Signed-off-by: Gary Ching-Pang Lin --- Cryptlib/Include/OpenSslSupport.h | 75 +++ Cryptlib/Include/openssl/bio.h| 8 Cryptlib/Include/openssl/err.h| 4 -- Cryptlib/Makefile | 2 +- Cryptlib/OpenSSL/Makefile | 3 +- Cryptlib/OpenSSL/crypto/bio/b_print.c | 8 Cryptlib/OpenSSL/crypto/cryptlib.c| 4 ++ Cryptlib/OpenSSL/crypto/cryptlib.h| 4 ++ Cryptlib/OpenSSL/crypto/err/err.c | 4 -- Makefile | 1 + 10 files changed, 103 insertions(+), 10 deletions(-) diff --git a/Cryptlib/Include/OpenSslSupport.h b/Cryptlib/Include/OpenSslSupport.h index e5e1adc..004c3e8 100644 --- a/Cryptlib/Include/OpenSslSupport.h +++ b/Cryptlib/Include/OpenSslSupport.h @@ -47,6 +47,9 @@ typedef VOID *FILE; #define va_argVA_ARG #define va_start VA_START #define va_endVA_END + +# if !defined(NO_BUILTIN_VA_FUNCS) + typedef __builtin_va_list VA_LIST; #define VA_START(Marker, Parameter) __builtin_va_start (Marker, P
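Review bot: the diffstat lists changes to Cryptlib/Makefile, Cryptlib/OpenSSL/Makefile and the top-level Makefile, but the only hunk visible here is the new # if !defined(NO_BUILTIN_VA_FUNCS) guard in OpenSslSupport.h, so it cannot be confirmed from this mail that NO_BUILTIN_VA_FUNCS is set identically in all three builds. If one of them still compiled with the builtin VA_LIST while another used the edk2 macros, a va_list handed across that boundary would be misread, which is the class of crash the commit message describes. Please state in the commit message that the define is set in all three Makefiles for x86_64, and whether the earlier fix a7f4b26cc35204165bd04e75c34e8e7aa2a87ecc is reverted or kept.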
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2015-10-08 13:44:03 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2015-10-02 09:22:41.0 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2015-10-08 13:44:04.0 +0200 @@ -1,0 +2,5 @@ +Thu Oct 8 06:49:43 UTC 2015 - jseg...@novell.com + +- acquired updated signature from Microsoft + +--- Other differences: -- ++ signature-opensuse.asc ++ --- /var/tmp/diff_new_pack.sNJ2eY/_old 2015-10-08 13:44:05.0 +0200 +++ /var/tmp/diff_new_pack.sNJ2eY/_new 2015-10-08 13:44:05.0 +0200 
@@ -1,39 +1,39 @@ -hash: be435df7cd28aa2a7c8db4fc8173475b77e5abf392f76b7c76fa3f698cb71a9a +hash: 410260b1b6f5af5fbeeb9ea3220658435e876cb3247126ee907a437f312db373 # 2069-04-10 06:07:54 timestamp: babababa -checksum: ee96 +checksum: f8c3
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2015-10-02 09:22:40 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2015-08-21 07:38:56.0 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2015-10-02 09:22:41.0 +0200 @@ -1,0 +2,6 @@ +Tue Sep 15 05:03:10 UTC 2015 - mch...@suse.com + +- shim-install : set default GRUB_DISTRIBUTOR from /etc/os-release + if it is empty or not set by user (bsc#942519) + +--- Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.4udk2p/_old 2015-10-02 09:22:42.0 +0200 +++ /var/tmp/diff_new_pack.4udk2p/_new 2015-10-02 09:22:42.0 +0200 @@ -1,7 +1,7 @@ # # spec file for package shim # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed ++ shim-install ++ --- /var/tmp/diff_new_pack.4udk2p/_old 2015-10-02 09:22:42.0 +0200 +++ /var/tmp/diff_new_pack.4udk2p/_new 2015-10-02 09:22:42.0 +0200 @@ -23,6 +23,11 @@ . "${sysconfdir}/default/grub" fi +if [ x"${GRUB_DISTRIBUTOR}" = x ] && [ -f "${sysconfdir}/os-release" ] ; then +. "${sysconfdir}/os-release" +GRUB_DISTRIBUTOR="${NAME} ${VERSION}" +fi + bootloader_id="$(echo "$GRUB_DISTRIBUTOR" | tr 'A-Z' 'a-z' | cut -d' ' -f1)" if test -z "$bootloader_id"; then bootloader_id=grub
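Review bot: in the shim-install hunk at @@ -23,6 +23,11 @@, os-release is sourced straight into the script's own shell, so every variable that file sets, not only NAME and VERSION, lands in shim-install's namespace and can overwrite a variable the script uses later. Read the two values in a subshell instead, for example GRUB_DISTRIBUTOR="$(. "${sysconfdir}/os-release" && echo "${NAME} ${VERSION}")". VERSION is an optional field in os-release, so when it is absent the value ends in a trailing space; that is harmless for bootloader_id, which keeps only the first word, but should be trimmed if GRUB_DISTRIBUTOR is used anywhere else.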
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2015-08-21 07:38:54 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2015-04-22 01:10:27.0 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2015-08-21 07:38:56.0 +0200 @@ -1,0 +2,26 @@ +Thu Jul 16 06:49:01 UTC 2015 - g...@suse.com + +- Add shim-update-openssl-1.0.2d.patch to update openssl to 1.0.2d +- Refresh shim-gcc5.patch and add it back since we really need it +- Add shim-change-debug-file-path.patch to change the debug file + path in shim.efi + + also add the debuginfo and debugsource subpackages +- Drop shim-fix-gnu-efi-30w.patch which is not necessary anymore + +--- +Mon Jul 6 09:06:02 UTC 2015 - g...@suse.com + +- Update to 0.9 +- Refresh patches + + shim-fix-gnu-efi-30w.patch + + shim-fix-mokmanager-sections.patch + + shim-opensuse-cert-prompt.patch +- Drop upstreamed patches + + shim-bsc920515-fix-fallback-buffer-length.patch + + shim-mokx-support.patch + + shim-update-cryptlib.patch +- Drop shim-bsc919675-uninstall-shim-protocols.patch since + upstream fixed the bug in another way. +- Drop shim-gcc5.patch which was fixed in another way + +--- Old: shim-0.8.tar.bz2 shim-bsc919675-uninstall-shim-protocols.patch shim-bsc920515-fix-fallback-buffer-length.patch shim-fix-gnu-efi-30w.patch shim-mokx-support.patch shim-update-cryptlib.patch New: shim-0.9.tar.bz2 shim-change-debug-file-path.patch shim-update-openssl-1.0.2d.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.6MzlGi/_old 2015-08-21 07:38:58.0 +0200 +++ /var/tmp/diff_new_pack.6MzlGi/_new 2015-08-21 07:38:58.0 +0200 @@ -18,8 +18,10 @@ # needssslcertforbuild +%undefine _build_create_debug + Name: shim -Version:0.8 +Version:0.9 Release:0 Summary:UEFI shim loader License:BSD-2-Clause 
@@ -40,23 +42,18 @@ Source10: timestamp.pl Source11: strip_signature.sh Source12: signature-sles.asc -# PATCH-FIX-UPSTREAM shim-mokx-support.patch g...@suse.com -- Support MOK blacklist -Patch1: shim-mokx-support.patch # PATCH-FIX-SUSE shim-only-os-name.patch g...@suse.com -- Only include the OS name in version.c -Patch2: shim-only-os-name.patch -# PATCH-FIX-UPSTREAM shim-fix-gnu-efi-30w.patch g...@suse.com -- Adapt the change in gnu-efi 3.0w -Patch3: shim-fix-gnu-efi-30w.patch +Patch1: shim-only-os-name.patch # PATCH-FIX-UPSTREAM shim-fix-mokmanager-sections.patch g...@suse.com -- Fix the objcopy parameters for the EFI files -Patch4: shim-fix-mokmanager-sections.patch -# PATCH-FIX-UPSTREAM shim-bsc919675-uninstall-shim-protocols.patch bsc#919675 g...@suse.com -- Uinstall the shim protocols at Exit -Patch5: shim-bsc919675-uninstall-shim-protocols.patch -# PATCH-FIX-UPSTREAM shim-bsc920515-fix-fallback-buffer-length.patch bsc#920515 g...@suse.com -- Fix the buffer size for the boot options -Patch6: shim-bsc920515-fix-fallback-buffer-length.patch -# PATCH-FIX-UPSTREAM shim-update-cryptlib.patch g...@suse.com -- Update Cryptlib and openssl -Patch7: shim-update-cryptlib.patch +Patch3: shim-fix-mokmanager-sections.patch +# PATCH-FIX-UPSTREAM shim-update-openssl-1.0.2d.patch g...@suse.com -- Update openssl to 1.0.2d +Patch4: shim-update-openssl-1.0.2d.patch +# PATCH-FIX-UPSTREAM shim-gcc5.patch g...@suse.com -- Specify the gnu89 standard +Patch5: shim-gcc5.patch +# PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch g...@suse.com -- Change the default debug file path +Patch50:shim-change-debug-file-path.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not Patch100: shim-opensuse-cert-prompt.patch -Patch101: shim-gcc5.patch BuildRequires: gnu-efi >= 3.0t BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 
@@ -72,7 +69,19 @@ shim is a trivial EFI application that, when run, attempts to open and execute another application. +%package -n shim-debuginfo +Summary:UEFI shim loader - debug symbols +Group: System/Boot + +%description -n shim-debuginfo +The debug symbols of UEFI shim loader + +%package -n shim-debugsource +Summary:UEFI shim loader - debug source +Group: System/Boot +%description -n shim-debugso
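Review bot: the spec hunk at @@ -18,8 +18,10 @@ adds %undefine _build_create_debug with no comment saying why. The reason is given only in the changelog (the debuginfo and debugsource subpackages are now declared by hand as shim-debuginfo and shim-debugsource), so a one-line comment above the %undefine would keep a later cleanup from removing it. After the renumbering in the @@ -40,23 +42,18 @@ hunk the list also skips Patch2 (Patch1, Patch3, Patch4, Patch5); rpm accepts that, but closing the gap or noting it avoids confusion when the next patch is added.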
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2015-04-22 01:10:25 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2015-03-03 11:11:02.0 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2015-04-22 01:10:27.0 +0200 @@ -1,0 +2,21 @@ +Wed Apr 8 07:10:39 UTC 2015 - g...@suse.com + +- Fix tags in the spec file + +--- +Tue Apr 7 07:42:06 UTC 2015 - g...@suse.com + +- Add shim-update-cryptlib.patch to update Cryptlib to r16559 and + openssl to 0.9.8zf +- Add shim-bsc919675-uninstall-shim-protocols.patch to uninstall + the shim protocols at Exit (bsc#919675) +- Add shim-bsc920515-fix-fallback-buffer-length.patch to adjust + the buffer size for the boot options (bsc#920515) +- Refresh shim-opensuse-cert-prompt.patch + +--- +Thu Apr 2 16:31:28 UTC 2015 - crrodrig...@opensuse.org + +- shim-gcc5.patch: shim needs -std=gnu89 to build with GCC5 + +--- New: shim-bsc919675-uninstall-shim-protocols.patch shim-bsc920515-fix-fallback-buffer-length.patch shim-gcc5.patch shim-update-cryptlib.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.hmTRZn/_old 2015-04-22 01:10:28.0 +0200 +++ /var/tmp/diff_new_pack.hmTRZn/_new 2015-04-22 01:10:28.0 +0200 @@ -1,7 +1,7 @@ # # spec file for package shim # -# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -40,7 +40,7 @@ Source10: timestamp.pl Source11: strip_signature.sh Source12: signature-sles.asc -# REBASE PATCH-FIX-UPSTREAM shim-mokx-support.patch g...@suse.com -- Support MOK blacklist +# PATCH-FIX-UPSTREAM shim-mokx-support.patch g...@suse.com -- Support MOK blacklist Patch1: shim-mokx-support.patch # PATCH-FIX-SUSE shim-only-os-name.patch g...@suse.com -- Only include the OS name in version.c Patch2: shim-only-os-name.patch @@ -48,8 +48,15 @@ Patch3: shim-fix-gnu-efi-30w.patch # PATCH-FIX-UPSTREAM shim-fix-mokmanager-sections.patch g...@suse.com -- Fix the objcopy parameters for the EFI files Patch4: shim-fix-mokmanager-sections.patch +# PATCH-FIX-UPSTREAM shim-bsc919675-uninstall-shim-protocols.patch bsc#919675 g...@suse.com -- Uinstall the shim protocols at Exit +Patch5: shim-bsc919675-uninstall-shim-protocols.patch +# PATCH-FIX-UPSTREAM shim-bsc920515-fix-fallback-buffer-length.patch bsc#920515 g...@suse.com -- Fix the buffer size for the boot options +Patch6: shim-bsc920515-fix-fallback-buffer-length.patch +# PATCH-FIX-UPSTREAM shim-update-cryptlib.patch g...@suse.com -- Update Cryptlib and openssl +Patch7: shim-update-cryptlib.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not Patch100: shim-opensuse-cert-prompt.patch +Patch101: shim-gcc5.patch BuildRequires: gnu-efi >= 3.0t BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 @@ -77,8 +84,11 @@ %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 %patch100 -p1 - +%patch101 -p1 %build # first, build MokManager and fallback as they don't depend on a # specific certificate ++ shim-bsc919675-uninstall-shim-protocols.patch ++ >From 4f8bf8c570dadf8044e7f3f260c55e3e22630998 Mon Sep 17 00:00:00 2001 
From: Gary Ching-Pang Lin Date: Tue, 3 Mar 2015 16:53:11 +0800 Subject: [PATCH] Uninstall shim protocols at Exit() Shim uninstalls its own protocol at the end of the program. However, if the loaded binary, e.g. grub2, calls Exit(), the uninstall function would never be called, i.e. the shim protocol handle existed even if shim was gone. This already caused crashes on the Dell machines with the following steps: 1. boot to grub2 and press 'C' for the grub2 shell 2. type "exit" to quit the shell 3. boot to grub2 again and boot an OS While grub2 uses the shim protocol to verify the OS image, it may get the old dead shim handle and crash the system. This commit adds uninstall_shim_protocols() to the hooked exit function and always hooks Exit to clean up the protocol handle. Signed-off-by: Gary Ching-Pang Lin --- replacements.c | 35 ++
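Review bot: in the spec hunk at @@ -48,8 +48,15 @@, Patch101 (shim-gcc5.patch) is added without the tag comment that every other patch carries, and the new comment for Patch5 misspells "Uninstall" as "Uinstall". Add a PATCH-FIX line above Patch101 giving the author and the purpose stated in the changelog (shim needs -std=gnu89 to build with GCC5), and correct the typo.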
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2015-03-03 11:11:00 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2014-11-12 00:21:07.0 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2015-03-03 11:11:02.0 +0100 @@ -1,0 +2,5 @@ +Tue Feb 17 06:02:34 UTC 2015 - mch...@suse.com + +- shim-install : fix cryptodisk installation (boo#917427) + +--- Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.uWjoOI/_old 2015-03-03 11:11:03.0 +0100 +++ /var/tmp/diff_new_pack.uWjoOI/_new 2015-03-03 11:11:03.0 +0100 @@ -1,7 +1,7 @@ # # spec file for package shim # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed ++ shim-install ++ --- /var/tmp/diff_new_pack.uWjoOI/_old 2015-03-03 11:11:04.0 +0100 +++ /var/tmp/diff_new_pack.uWjoOI/_new 2015-03-03 11:11:04.0 +0100 @@ -243,6 +243,13 @@ grub_mkrelpath="${grub_mkrelpath} -r" fi fi + +if [ x$GRUB_ENABLE_CRYPTODISK = xy ]; then + for uuid in `"${grub_probe}" --target=cryptodisk_uuid --device-map= "${grub_cfg_dirname}"`; do +echo "cryptomount -u $uuid" + done +fi + cat <
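Review bot: in the shim-install hunk at @@ -243,6 +243,13 @@, the test [ x$GRUB_ENABLE_CRYPTODISK = xy ] expands the variable unquoted, so a value containing whitespace makes test fail with a syntax error instead of comparing false; write [ "x$GRUB_ENABLE_CRYPTODISK" = xy ]. The loop also ignores the exit status of grub2-probe: if the probe fails, no cryptomount line is written and the generated configuration silently lacks the unlock step. Capture the probe output first, check its status, and stop with a message when cryptodisk is enabled but no UUID came back.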
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2014-11-12 00:21:06 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2014-10-14 07:10:25.0 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2014-11-12 00:21:07.0 +0100 @@ -1,0 +2,21 @@ +Tue Nov 11 04:26:00 UTC 2014 - g...@suse.com + +- Add shim-fix-mokmanager-sections.patch to fix the objcopy + parameters for the EFI files + +--- +Tue Oct 28 04:00:51 UTC 2014 - g...@suse.com + +- Update to 0.8 +- Add shim-fix-gnu-efi-30w.patch to adapt the change in + gnu-efi-3.0w +- Merge shim-signed-unsigned-compares.patch, + shim-mokmanager-support-sha-family.patch and + shim-bnc863205-mokmanager-fix-hash-delete.patch into + shim-mokx-support.patch +- Refresh shim-opensuse-cert-prompt.patch +- Drop upstreamed patches: shim-update-openssl-0.9.8zb.patch, + bug-889332_shim-overflow.patch, and bug-889332_shim-mok-oob.patch +- Enable aarch64 + +--- Old: bug-889332_shim-mok-oob.patch bug-889332_shim-overflow.patch shim-0.7.318.81ee561d.tar.bz2 shim-bnc863205-mokmanager-fix-hash-delete.patch shim-mokmanager-support-sha-family.patch shim-signed-unsigned-compares.patch shim-update-openssl-0.9.8zb.patch New: shim-0.8.tar.bz2 shim-fix-gnu-efi-30w.patch shim-fix-mokmanager-sections.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.VNSw7k/_old 2014-11-12 00:21:09.0 +0100 +++ /var/tmp/diff_new_pack.VNSw7k/_new 2014-11-12 00:21:09.0 +0100 @@ -17,13 +17,9 @@ # needssslcertforbuild -%define commit 81ee561dde0213bc487aa1b701799f6d2faeaf31 -%define shortcommit 81ee561d Name: shim -# to ensure newer versions of the git export are always higher numbers the output of -# git rev-list master|wc -l is added before the git commit hash -Version:0.7.318.%{shortcommit} +Version:0.8 Release:0 Summary:UEFI shim loader License:BSD-2-Clause 
@@ -44,22 +40,14 @@ Source10: timestamp.pl Source11: strip_signature.sh Source12: signature-sles.asc -# PATCH-FIX-UPSTREAM shim-mokx-support.patch g...@suse.com -- Support MOK blacklist +# REBASE PATCH-FIX-UPSTREAM shim-mokx-support.patch g...@suse.com -- Support MOK blacklist Patch1: shim-mokx-support.patch # PATCH-FIX-SUSE shim-only-os-name.patch g...@suse.com -- Only include the OS name in version.c Patch2: shim-only-os-name.patch -# PATCH-FIX-UPSTREAM shim-bnc863205-mokmanager-fix-hash-delete.patch bnc#863205 g...@suse.com -- Fix the hash deletion operation to avoid ruining the whole list -Patch3: shim-bnc863205-mokmanager-fix-hash-delete.patch -# PATCH-FIX-UPSTREAM shim-mokmanager-support-sha-family.patch g...@suse.com -- Support SHA hashes in MOK -Patch4: shim-mokmanager-support-sha-family.patch -# PATCH-FIX-OPENSUSE shim-signed-unsigned-compares.patch jseg...@suse.com -- Fixed some signed - unsigned comparisons -Patch5: shim-signed-unsigned-compares.patch -# PATCH-FIX-UPSTREAM shim-update-openssl-0.9.8zb.patch g...@suse.com -- Update openssl to 0.9.8zb -Patch6: shim-update-openssl-0.9.8zb.patch -# PATCH-FIX-UPSTREAM bug-889332_shim-overflow.patch krah...@suse.com -- patch for overflow issue. -Patch7: bug-889332_shim-overflow.patch -# PATCH-FIX-UPSTREAM bug-889332_shim-mok-oob.patch krah...@suse.com -- patch for MOK OOB access. -Patch8: bug-889332_shim-mok-oob.patch +# PATCH-FIX-UPSTREAM shim-fix-gnu-efi-30w.patch g...@suse.com -- Adapt the change in gnu-efi 3.0w +Patch3: shim-fix-gnu-efi-30w.patch +# PATCH-FIX-UPSTREAM shim-fix-mokmanager-sections.patch g...@suse.com -- Fix the objcopy parameters for the EFI files +Patch4: shim-fix-mokmanager-sections.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not Patch100: shim-opensuse-cert-prompt.patch BuildRequires: gnu-efi >= 3.0t 
@@ -71,7 +59,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build # For shim-install script Requires: grub2-efi -ExclusiveArch: x86_64 +ExclusiveArch: x86_64 aarch64 %description shim is a trivial EFI application that, when run, attempts to open and @@ -89,10 +77,6 @@ %patch2 -p1 %patch3 -p1 %patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 %patch100 -p1 %build ++ shim-0.7.318.81ee561d.tar.bz
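Review bot: the spec hunk at @@ -44,22 +40,14 @@ removes Patch7 and Patch8 (bug-889332_shim-overflow.patch and bug-889332_shim-mok-oob.patch), and the changelog lists them only as dropped upstreamed patches without the bug number. Name bug 889332 in that changelog entry so the overflow and MOK out-of-bounds fixes can still be traced to the 0.8 tarball. The new "# REBASE PATCH-FIX-UPSTREAM" prefix on shim-mokx-support.patch also differs from the tag form used by every other patch in the list; use the plain PATCH-FIX-UPSTREAM tag and put the rebase remark in the changelog.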
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2014-10-14 07:10:08 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2014-09-05 11:49:13.0 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2014-10-14 07:10:25.0 +0200 @@ -1,0 +2,8 @@ +Mon Oct 13 13:09:14 UTC 2014 - jseg...@novell.com + +- Fixed buffer overflow and OOB access in shim trusted code path + (bnc#889332, CVE-2014-3675, CVE-2014-3676, CVE-2014-3677) + * added bug-889332_shim-mok-oob.patch, bug-889332_shim-overflow.patch +- Added new certificate by Microsoft + +--- New: bug-889332_shim-mok-oob.patch bug-889332_shim-overflow.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.EYb5Bl/_old 2014-10-14 07:10:26.0 +0200 +++ /var/tmp/diff_new_pack.EYb5Bl/_new 2014-10-14 07:10:26.0 +0200 @@ -56,6 +56,10 @@ Patch5: shim-signed-unsigned-compares.patch # PATCH-FIX-UPSTREAM shim-update-openssl-0.9.8zb.patch g...@suse.com -- Update openssl to 0.9.8zb Patch6: shim-update-openssl-0.9.8zb.patch +# PATCH-FIX-UPSTREAM bug-889332_shim-overflow.patch krah...@suse.com -- patch for overflow issue. +Patch7: bug-889332_shim-overflow.patch +# PATCH-FIX-UPSTREAM bug-889332_shim-mok-oob.patch krah...@suse.com -- patch for MOK OOB access. +Patch8: bug-889332_shim-mok-oob.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not Patch100: shim-opensuse-cert-prompt.patch BuildRequires: gnu-efi >= 3.0t @@ -87,6 +91,8 @@ %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 +%patch8 -p1 %patch100 -p1 %build ++ bug-889332_shim-mok-oob.patch ++ Index: shim-0.7.318.81ee561d/MokManager.c === --- shim-0.7.318.81ee561d.orig/MokManager.c +++ shim-0.7.318.81ee561d/MokManager.c 
@@ -163,8 +163,18 @@ static UINT32 count_keys(void *Data, UIN EFI_SIGNATURE_LIST *CertList = Data; UINTN dbsize = DataSize; UINT32 MokNum = 0; + void *end = Data + DataSize; while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) { + + /* Use ptr arithmetics to ensure bounded access. Do not allow 0 +* SignatureListSize that will cause endless loop. +*/ + if ((void *)(CertList + 1) > end || CertList->SignatureListSize == 0) { + console_notify(L"Invalid MOK detected! Ignoring MOK List."); + return 0; + } + if (CertList->SignatureListSize == 0 || CertList->SignatureListSize <= CertList->SignatureSize) { console_errorbox(L"Corrupted signature list"); @@ -192,6 +202,7 @@ static MokListNode *build_mok_list(UINT3 EFI_GUID CertType = X509_GUID; UINTN dbsize = DataSize; UINTN count = 0; + void *end = Data + DataSize; list = AllocatePool(sizeof(MokListNode) * num); @@ -201,12 +212,24 @@ static MokListNode *build_mok_list(UINT3 } while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) { + /* CertList out of bounds? */ + if ((void *)(CertList + 1) > end || CertList->SignatureListSize == 0) { + FreePool(list); + return NULL; + } + /* Omit the signature check here since we already did it in count_keys() */ Cert = (EFI_SIGNATURE_DATA *) (((UINT8 *) CertList) + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize); + /* Cert out of bounds? */ + if ((void *)(Cert + 1) > end || CertList->SignatureSize <= sizeof(EFI_GUID)) { + FreePool(list); + return NULL; + } + list[count].Type = CertList->SignatureType; if (CompareGuid (&CertList->SignatureType, &CertType) == 0) { list[count].MokSize = CertList->SignatureSize - @@ -218,6 +241,12 @@ static MokListNode *build_mok_list(UINT3 list[count].Mok = (void *)Cert; } + /* MOK out of bounds? */ + if (list[count].MokSize > end - (void *)list[count].Mok) { + FreePool(list); + return NULL; +
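Review bot: in count_keys() (hunk @@ -163,8 +163,18 @@) the new bounds check runs inside the loop body, after the while condition has already read CertList->SignatureListSize. When dbsize is greater than 0 but smaller than sizeof(EFI_SIGNATURE_LIST), that read is itself past the end of the buffer. Put the size test ahead of the dereference, for example by making dbsize >= sizeof(EFI_SIGNATURE_LIST) the first term of the while condition. The added SignatureListSize == 0 test also makes the identical test in the following "Corrupted signature list" condition unreachable, so one of the two can be removed.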
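Review bot: in build_mok_list() (hunks @@ -201,12 +212,24 @@ and @@ -218,6 +241,12 @@) the new checks compare Cert and Mok against the end of the whole variable, Data + DataSize, not against the end of the current list, CertList plus SignatureListSize. A list whose SignatureHeaderSize or SignatureSize exceeds its own SignatureListSize still passes as long as it stays inside the buffer, so an entry can overlap the next list. Bound each entry by the smaller of the list end and the buffer end. The while condition here also reads CertList->SignatureListSize before the new check runs, and these paths return NULL without a console message, unlike count_keys(), so callers must handle NULL and the user gets no hint why the list is empty.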
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2014-09-05 11:49:12 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2014-09-05 11:17:48.0 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2014-09-05 11:49:13.0 +0200 @@ -1,0 +2,13 @@ +Wed Sep 3 12:32:25 UTC 2014 - lnus...@suse.de + +- re-introduce build failure if shim_enforce_ms_signature is defined. That way + a project like openSUSE:Factory can decide whether or not shim needs a valid + MS signature. + +--- +Tue Aug 19 04:38:36 UTC 2014 - g...@suse.com + +- Add shim-update-openssl-0.9.8zb.patch to update openssl to + 0.9.8zb + +--- New: shim-update-openssl-0.9.8zb.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.SDLdNF/_old 2014-09-05 11:49:14.0 +0200 +++ /var/tmp/diff_new_pack.SDLdNF/_new 2014-09-05 11:49:14.0 +0200 @@ -54,6 +54,8 @@ Patch4: shim-mokmanager-support-sha-family.patch # PATCH-FIX-OPENSUSE shim-signed-unsigned-compares.patch jseg...@suse.com -- Fixed some signed - unsigned comparisons Patch5: shim-signed-unsigned-compares.patch +# PATCH-FIX-UPSTREAM shim-update-openssl-0.9.8zb.patch g...@suse.com -- Update openssl to 0.9.8zb +Patch6: shim-update-openssl-0.9.8zb.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not Patch100: shim-opensuse-cert-prompt.patch BuildRequires: gnu-efi >= 3.0t @@ -84,6 +86,7 @@ %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 %patch100 -p1 %build 
@@ -162,6 +165,9 @@ cat hash1 hash2 if ! cmp -s hash1 hash2; then echo "ERROR: $suffix binary changed, need to request new signature!" +%if %{defined shim_enforce_ms_signature} + false +%endif mv shim.efi.bak shim-$suffix.efi rm shim.efi else ++ shim-update-openssl-0.9.8zb.patch ++ 4231 lines (skipped) -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
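Review bot: the `false` added under `%if %{defined shim_enforce_ms_signature}` fails the build only if the surrounding script aborts on a failing command, which nothing in this hunk shows. Use `exit 1` so the intent does not depend on shell options, and send the "ERROR: $suffix binary changed" message to stderr so it stands out in the build log when the build stops there.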
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2014-09-05 11:17:41 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2014-09-05 09:34:08.0 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2014-09-05 11:17:48.0 +0200 @@ -2,13 +1,0 @@ -Wed Sep 3 12:32:25 UTC 2014 - lnus...@suse.de - -- re-introduce build failure if shim_enforce_ms_signature is defined. That way - a project like openSUSE:Factory can decide whether or not shim needs a valid - MS signature. - -Tue Aug 19 04:38:36 UTC 2014 - g...@suse.com - -- Add shim-update-openssl-0.9.8zb.patch to update openssl to - 0.9.8zb - Old: shim-update-openssl-0.9.8zb.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.plSAw1/_old 2014-09-05 11:17:49.0 +0200 +++ /var/tmp/diff_new_pack.plSAw1/_new 2014-09-05 11:17:49.0 +0200 @@ -54,8 +54,6 @@ Patch4: shim-mokmanager-support-sha-family.patch # PATCH-FIX-OPENSUSE shim-signed-unsigned-compares.patch jseg...@suse.com -- Fixed some signed - unsigned comparisons Patch5: shim-signed-unsigned-compares.patch -# PATCH-FIX-UPSTREAM shim-update-openssl-0.9.8zb.patch g...@suse.com -- Update openssl to 0.9.8zb -Patch6: shim-update-openssl-0.9.8zb.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not Patch100: shim-opensuse-cert-prompt.patch BuildRequires: gnu-efi >= 3.0t @@ -86,7 +84,6 @@ %patch3 -p1 %patch4 -p1 %patch5 -p1 -%patch6 -p1 %patch100 -p1 %build 
@@ -165,9 +162,6 @@ cat hash1 hash2 if ! cmp -s hash1 hash2; then echo "ERROR: $suffix binary changed, need to request new signature!" -%if %{defined shim_enforce_ms_signature} - false -%endif mv shim.efi.bak shim-$suffix.efi rm shim.efi else
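Review bot: the shim.changes hunk deletes the "Wed Sep 3" and "Tue Aug 19" entries outright instead of adding a new entry that records the revert. Since the spec hunks drop both the OpenSSL 0.9.8zb update patch and the shim_enforce_ms_signature build check, add a dated changelog entry stating what was backed out and why, so the package history shows when those two changes were absent.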
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2014-09-05 09:34:06 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2014-09-03 11:55:33.0 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2014-09-05 09:34:08.0 +0200 @@ -1,0 +2,13 @@ +Wed Sep 3 12:32:25 UTC 2014 - lnus...@suse.de + +- re-introduce build failure if shim_enforce_ms_signature is defined. That way + a project like openSUSE:Factory can decide whether or not shim needs a valid + MS signature. + +--- +Tue Aug 19 04:38:36 UTC 2014 - g...@suse.com + +- Add shim-update-openssl-0.9.8zb.patch to update openssl to + 0.9.8zb + +--- New: shim-update-openssl-0.9.8zb.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.fP5XkW/_old 2014-09-05 09:34:09.0 +0200 +++ /var/tmp/diff_new_pack.fP5XkW/_new 2014-09-05 09:34:09.0 +0200 @@ -54,6 +54,8 @@ Patch4: shim-mokmanager-support-sha-family.patch # PATCH-FIX-OPENSUSE shim-signed-unsigned-compares.patch jseg...@suse.com -- Fixed some signed - unsigned comparisons Patch5: shim-signed-unsigned-compares.patch +# PATCH-FIX-UPSTREAM shim-update-openssl-0.9.8zb.patch g...@suse.com -- Update openssl to 0.9.8zb +Patch6: shim-update-openssl-0.9.8zb.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not Patch100: shim-opensuse-cert-prompt.patch BuildRequires: gnu-efi >= 3.0t @@ -84,6 +86,7 @@ %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 %patch100 -p1 %build 
@@ -162,6 +165,9 @@ cat hash1 hash2 if ! cmp -s hash1 hash2; then echo "ERROR: $suffix binary changed, need to request new signature!" +%if %{defined shim_enforce_ms_signature} + false +%endif mv shim.efi.bak shim-$suffix.efi rm shim.efi else ++ shim-update-openssl-0.9.8zb.patch ++ 4231 lines (skipped)
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2014-09-03 11:55:32 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2014-08-27 07:45:51.0 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2014-09-03 11:55:33.0 +0200 @@ -2,6 +1,0 @@ -Tue Aug 19 04:38:36 UTC 2014 - g...@suse.com - -- Add shim-update-openssl-0.9.8zb.patch to update openssl to - 0.9.8zb - Old: shim-update-openssl-0.9.8zb.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.Vcwbuk/_old 2014-09-03 11:55:35.0 +0200 +++ /var/tmp/diff_new_pack.Vcwbuk/_new 2014-09-03 11:55:35.0 +0200 @@ -54,8 +54,6 @@ Patch4: shim-mokmanager-support-sha-family.patch # PATCH-FIX-OPENSUSE shim-signed-unsigned-compares.patch jseg...@suse.com -- Fixed some signed - unsigned comparisons Patch5: shim-signed-unsigned-compares.patch -# PATCH-FIX-UPSTREAM shim-update-openssl-0.9.8zb.patch g...@suse.com -- Update openssl to 0.9.8zb -Patch6: shim-update-openssl-0.9.8zb.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not Patch100: shim-opensuse-cert-prompt.patch BuildRequires: gnu-efi >= 3.0t @@ -86,7 +84,6 @@ %patch3 -p1 %patch4 -p1 %patch5 -p1 -%patch6 -p1 %patch100 -p1 %build
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2014-08-27 07:45:39 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2014-08-18 11:23:49.0 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2014-08-27 07:45:51.0 +0200 @@ -1,0 +2,6 @@ +Tue Aug 19 04:38:36 UTC 2014 - g...@suse.com + +- Add shim-update-openssl-0.9.8zb.patch to update openssl to + 0.9.8zb + +--- New: shim-update-openssl-0.9.8zb.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.OuU9un/_old 2014-08-27 07:45:53.0 +0200 +++ /var/tmp/diff_new_pack.OuU9un/_new 2014-08-27 07:45:53.0 +0200 @@ -54,6 +54,8 @@ Patch4: shim-mokmanager-support-sha-family.patch # PATCH-FIX-OPENSUSE shim-signed-unsigned-compares.patch jseg...@suse.com -- Fixed some signed - unsigned comparisons Patch5: shim-signed-unsigned-compares.patch +# PATCH-FIX-UPSTREAM shim-update-openssl-0.9.8zb.patch g...@suse.com -- Update openssl to 0.9.8zb +Patch6: shim-update-openssl-0.9.8zb.patch # PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not Patch100: shim-opensuse-cert-prompt.patch BuildRequires: gnu-efi >= 3.0t @@ -84,6 +86,7 @@ %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 %patch100 -p1 %build ++ shim-update-openssl-0.9.8zb.patch ++ 4231 lines (skipped)
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2014-08-18 11:23:47 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2014-04-21 11:05:28.0 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2014-08-18 11:23:49.0 +0200 
@@ -1,0 +2,176 @@ +Tue Aug 12 14:19:36 UTC 2014 - jseg...@suse.com + +- updated shim to new version (OpenSSL 0.9.8za) and requested a new + certificate from Microsoft. Removed + * shim-allow-fallback-use-system-loadimage.patch + * shim-bnc872503-check-key-encoding.patch + * shim-bnc877003-fetch-from-the-same-device.patch + * shim-correct-user_insecure-usage.patch + * shim-fallback-avoid-duplicate-bootorder.patch + * shim-fallback-improve-entries-creation.patch + * shim-fix-dhcpv4-path-generation.patch + * shim-fix-uninitialized-variable.patch + * shim-fix-verify-mok.patch + * shim-get-variable-check.patch + * shim-improve-error-messages.patch + * shim-mokmanager-delete-bs-var-right.patch + * shim-mokmanager-handle-keystroke-error.patch + * shim-remove-unused-variables.patch + since they're included in upstream and rebased the remaining onces. + Added shim-signed-unsigned-compares.patch to fix some compiler + warnings + +--- +Tue Aug 12 09:18:42 UTC 2014 - g...@suse.com + +- Keep shim-devel.efi for the devel project + +--- +Fri Aug 8 11:18:36 UTC 2014 - lnus...@suse.de + +- don't fail the build if the UEFI signing service signature can't + be attached anymore. This way shim can still pass through staging + projects. We will verify the correct signature for release builds + using openQA instead. 
+ +--- +Mon Aug 4 07:53:22 UTC 2014 - mch...@suse.com + +- shim-install: fix GRUB shows broken letters at boot by calling + grub2-install to initialize /boot/grub2 directory with files + needed by grub.cfg (bnc#889765) + +--- +Wed May 28 04:13:33 UTC 2014 - g...@suse.com + +- Add shim-remove-unused-variables.patch to remove the unused + variables +- Add shim-bnc872503-check-key-encoding.patch to check the encoding + of the keys (bnc#872503) +- Add shim-bnc877003-fetch-from-the-same-device.patch to fetch the + netboot image from the same device (bnc#877003) +- Refresh shim-opensuse-cert-prompt.patch + +--- +Wed May 14 09:39:02 UTC 2014 - g...@suse.com + +- Use --reinit instead of --refresh in %post to update the files + in /boot + +--- +Tue Apr 29 07:38:11 UTC 2014 - mch...@suse.com + +- shim-install: fix boot partition and rollback support kluge + (bnc#875385) + +--- +Thu Apr 10 08:20:20 UTC 2014 - g...@suse.com + +- Replace shim-mokmanager-support-sha1.patch with + shim-mokmanager-support-sha-family.patch to support the SHA + family + +--- +Mon Apr 7 09:32:21 UTC 2014 - g...@suse.com + +- Add shim-mokmanager-support-sha1.patch to support SHA1 hashes in + MOK + +--- +Mon Mar 31 11:57:13 UTC 2014 - mch...@suse.com + +- snapper rollback support (fate#317062) + - refresh shim-install + +--- +Thu Mar 13 02:32:15 UTC 2014 - g...@suse.com + +- Insert the right signature (bnc#867974) + +--- +Mon Mar 10 07:56:44 UTC 2014 - g...@suse.com + +- Add shim-fix-uninitialized-variable.patch to fix the use of + uninitialzed variables in lib + +--- +Fri Mar 7 09:09:12 UTC 2014 - g...@suse.com + +- Add shim-mokmanager-delete-bs-var-right.patch to delete the BS+NV + variables the right way +- Update shim-opensuse-cert-prompt.patch to delete openSUSE_Verify + correctly + +--- +Thu Mar 6 07:37:57 UTC 2014 - g...@suse.com + +- Add shim-fallback-avoid-duplicate-bootorder.patch to fix the + duplicate entries in BootOrder +- Add shim-allow-fallback-use-system-loadimage.patch to handle the + 
shim protocol properly to keep only one protocol entity +- Refresh shim-opensuse-cert-prompt.patch + +--- +Thu Mar 6 03:53:49 UTC 2014 - mch...@suse
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2014-04-21 11:05:08 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2014-04-20 11:35:07.0 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2014-04-21 11:05:28.0 +0200 
@@ -2,110 +1,0 @@ -Thu Apr 10 08:20:20 UTC 2014 - g...@suse.com - -- Replace shim-mokmanager-support-sha1.patch with - shim-mokmanager-support-sha-family.patch to support the SHA - family - -Mon Apr 7 09:32:21 UTC 2014 - g...@suse.com - -- Add shim-mokmanager-support-sha1.patch to support SHA1 hashes in - MOK - -Mon Mar 31 11:57:13 UTC 2014 - mch...@suse.com - -- snapper rollback support (fate#317062) - - refresh shim-install - -Thu Mar 13 02:32:15 UTC 2014 - g...@suse.com - -- Insert the right signature (bnc#867974) - -Mon Mar 10 07:56:44 UTC 2014 - g...@suse.com - -- Add shim-fix-uninitialized-variable.patch to fix the use of - uninitialzed variables in lib - -Fri Mar 7 09:09:12 UTC 2014 - g...@suse.com - -- Add shim-mokmanager-delete-bs-var-right.patch to delete the BS+NV - variables the right way -- Update shim-opensuse-cert-prompt.patch to delete openSUSE_Verify - correctly - -Thu Mar 6 07:37:57 UTC 2014 - g...@suse.com - -- Add shim-fallback-avoid-duplicate-bootorder.patch to fix the - duplicate entries in BootOrder -- Add shim-allow-fallback-use-system-loadimage.patch to handle the - shim protocol properly to keep only one protocol entity -- Refresh shim-opensuse-cert-prompt.patch - -Thu Mar 6 03:53:49 UTC 2014 - mch...@suse.com - -- shim-install: fix the $prefix to use grub2-mkrelpath for paths - on btrfs subvolume (bnc#866690). - -Tue Mar 4 04:19:05 UTC 2014 - g...@suse.com - -- FATE#315002: Update shim-install to install shim.efi as the EFI - default bootloader when none exists in \EFI\boot. 
- -Thu Feb 27 09:46:49 UTC 2014 - fcro...@suse.com - -- Update signature-sles.asc: shim signed by UEFI signing service, - based on code from "Thu Feb 20 11:57:01 UTC 2014" - -Fri Feb 21 08:45:46 UTC 2014 - g...@suse.com - -- Add shim-opensuse-cert-prompt.patch to show the prompt to ask - whether the user trusts the openSUSE certificate or not - -Thu Feb 20 11:57:01 UTC 2014 - lnus...@suse.de - -- allow package to carry multiple signatures -- check correct certificate is embedded - -Thu Feb 20 10:06:47 UTC 2014 - lnus...@suse.de - -- always clean up generated files that embed certificates - (shim_cert.h shim.cer shim.crt) to make sure next build loop - rebuilds them properly - -Mon Feb 17 09:58:56 UTC 2014 - g...@suse.com - -- Add shim-bnc863205-mokmanager-fix-hash-delete.patch to fix the - hash deletion operation to avoid ruining the whole list - (bnc#863205) - -Tue Feb 11 06:30:02 UTC 2014 - g...@suse.com - -- Update shim-mokx-support.patch to support the resetting of MOK - blacklist -- Add shim-get-variable-check.patch to fix the variable checking - in get_variable_attr -- Add shim-improve-fallback-entries-creation.patch to improve the - boot entry pathes and avoid generating the boot entries that - are already there -- Update SUSE certificate -- Update attach_signature.sh, show_hash.sh, strip_signature.sh, - extract_signature.sh and show_signatures.sh to remove the - creation of the temporary nss database -- Add shim-only-os-name.patch: remove the kernel version of the - build server -- Match the the prefix of the project name properly by escaping the - percent sign. - Old: shim-allow-fallback-use-system-loadimage.patch shim-bnc863205-mokmanager-fix-hash-delete.patch shim-fallback-avoid-duplicate-bootorder.patch shim-fallback-improve-entries-creation.patch shim-f
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2014-01-30 11:37:50 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2013-12-06 14:45:40.0 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2014-01-30 11:37:51.0 +0100 @@ -1,0 +2,5 @@ +Wed Jan 22 13:45:44 UTC 2014 - lnus...@suse.de + +- enable signature assertion also in SUSE: hierarchy + +--- Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.qYPKeY/_old 2014-01-30 11:37:51.0 +0100 +++ /var/tmp/diff_new_pack.qYPKeY/_new 2014-01-30 11:37:51.0 +0100 @@ -1,7 +1,7 @@ # # spec file for package shim # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -147,7 +147,7 @@ echo "ERROR: binary changed, need to request new signature!" # don't fail in devel projects prj="%{_project}" - if [ "${prj%%:*}" = "openSUSE" ]; then + if [ "${prj%%:*}" = "openSUSE" -o "${prj%%:*}" = "SUSE" ]; then false fi mv shim.efi.bak shim-$suffix.efi
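Review bot: in the changed test at spec line 147, `${prj%%:*}` sits in a spec file, where rpm collapses `%%` to a single `%`, so the shell runs `${prj%:*}` and strips only the last colon-separated component of the project name. For a three-level name such as openSUSE:Factory:Staging (a constructed example) the result is openSUSE:Factory, the comparison fails, and the signature assertion this commit extends to the SUSE: hierarchy is skipped. Write the expansion as `${prj%%%%:*}` so the shell sees `%%`, and replace the obsolescent `-o` with two `[ ]` tests joined by `||`.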
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2013-12-06 11:48:26 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2013-10-31 16:00:07.0 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2013-12-06 14:45:40.0 +0100 
@@ -1,0 +2,33 @@ +Fri Dec 6 06:44:43 UTC 2013 - g...@suse.com + +- Add shim-mokmanager-handle-keystroke-error.patch to handle the + error status from ReadKeyStroke to avoid unexpected keys + +--- +Thu Dec 5 02:05:13 UTC 2013 - g...@suse.com + +- Update to 0.7 +- Add upstream patches: + + shim-fix-verify-mok.patch + + shim-improve-error-messages.patch + + shim-correct-user_insecure-usage.patch + + shim-fix-dhcpv4-path-generation.patch +- Add shim-mokx-support.patch to support the MOK blacklist + (Fate#316531) +- Drop upstreamed patches + + shim-fix-pointer-casting.patch + + shim-merge-lf-loader-code.patch + + shim-fix-simple-file-selector.patch + + shim-mokmanager-support-crypt-hash-method.patch + + shim-bnc804631-fix-broken-bootpath.patch + + shim-bnc798043-no-doulbe-separators.patch + + shim-bnc807760-change-pxe-2nd-loader-name.patch + + shim-bnc808106-correct-certcount.patch + + shim-mokmanager-ui-revamp.patch + + shim-netboot-fixes.patch + + shim-mokmanager-disable-gfx-console.patch +- Drop shim-suse-build.patch: it's not necessary anymore +- Drop shim-bnc841426-silence-shim-protocols.patch: shim is not + verbose by default + +--- Old: shim-0.4.tar.bz2 shim-bnc798043-no-doulbe-separators.patch shim-bnc804631-fix-broken-bootpath.patch shim-bnc807760-change-pxe-2nd-loader-name.patch shim-bnc808106-correct-certcount.patch shim-bnc841426-silence-shim-protocols.patch shim-fix-pointer-casting.patch shim-fix-simple-file-selector.patch shim-merge-lf-loader-code.patch shim-mokmanager-disable-gfx-console.patch shim-mokmanager-support-crypt-hash-method.patch shim-mokmanager-ui-revamp.patch shim-netboot-fixes.patch shim-suse-build.patch New: shim-0.7.tar.bz2 shim-correct-user_insecure-usage.patch shim-fix-dhcpv4-path-generation.patch shim-fix-verify-mok.patch shim-improve-error-messages.patch shim-mokmanager-handle-keystroke-error.patch shim-mokx-support.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.qXYoka/_old 2013-12-06 14:45:41.0 +0100 +++ 
/var/tmp/diff_new_pack.qXYoka/_new 2013-12-06 14:45:41.0 +0100 @@ -19,7 +19,7 @@ # needssslcertforbuild Name: shim -Version:0.4 +Version:0.7 Release:0 Summary:UEFI shim loader License:BSD-2-Clause @@ -38,32 +38,18 @@ Source8:show_signatures.sh Source9:openSUSE-UEFI-CA-Certificate-4096.crt Source10: timestamp.pl -# PATCH-FIX-SUSE shim-suse-build.patch g...@suse.com -- Adjust Makefile for the build service -Patch0: shim-suse-build.patch -# PATCH-FIX-UPSTREAM shim-fix-pointer-casting.patch g...@suse.com -- Fix a casting issue and the size of an empty vendor_cert or dbx_cert. -Patch1: shim-fix-pointer-casting.patch -# PATCH-FIX-UPSTREAM shim-merge-lf-loader-code.patch g...@suse.com -- Merge the Linux Foundation loader UI code -Patch2: shim-merge-lf-loader-code.patch -# PATCH-FIX-UPSTREAM shim-fix-simple-file-selector.patch g...@suse.com -- Fix the buffer allocation in the simple file selector -Patch3: shim-fix-simple-file-selector.patch -# PATCH-FIX-UPSTREAM shim-mokmanager-support-crypt-hash-method.patch g...@suse.com -- Support the password hashes from /etc/shadow -Patch4: shim-mokmanager-support-crypt-hash-method.patch -# PATCH-FIX-UPSTREAM shim-bnc804631-fix-broken-bootpath.patch bnc#804631 g...@suse.com -- Fix the broken bootpath generated in generate_path() -Patch5: shim-bnc804631-fix-broken-bootpath.patch -# PATCH-FIX-UPSTREAM shim-bnc798043-no-doulbe-separators.patch bnc#798043 g...@suse.com -- Remove all double-separators from the bootpath -Patch6: shim-bnc798043-no-doulbe-separators.patch -# PATCH-FIX-UPSTREAM shim-bnc807760-change-pxe-2nd-loader-name.patch bnc#807760 g...@suse.com -- Change the PXE 2nd stage loader to match the filename we are using -Patch7: shim-bnc807760-change-pxe-2nd-loader-name.patch -# PATCH-FIX-UPSTREAM shim-bnc808106-correct-certcount.patch bnc#808106 g...@suse.com -- Correct the certifcate count of the signature list -Patch8: shim-bnc808106-correct-certcount.patch
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2013-10-31 16:00:05 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2013-10-02 13:33:53.0 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2013-10-31 16:00:07.0 +0100 @@ -1,0 +2,6 @@ +Thu Oct 31 09:11:18 UTC 2013 - fcro...@suse.com + +- Update microsoft.asc: shim signed by UEFI signing service, based + on code from "Tue Oct 1 04:29:29 UTC 2013". + +--- Other differences: -- ++ microsoft.asc ++ --- /var/tmp/diff_new_pack.ooLgFa/_old 2013-10-31 16:00:08.0 +0100 +++ /var/tmp/diff_new_pack.ooLgFa/_new 2013-10-31 16:00:08.0 +0100 
@@ -1,186 +1,188 @@ -hash: 9dd2dcb72f5e741627f2e9e03ab18503a3403cf6a904a479a4db05d97e2250a9 -# 2013-09-09 08:13:59 -timestamp: 522d8347 -checksum: 6727 +hash: 97a8c5ba11d61fefbb5d6a05da4e15ba472dc4c6cd4972fc1a035de321342fe4 +# 2013-10-01 08:29:53 +timestamp: 524a8801 +checksum: d364 -BEGIN AUTHENTICODE SIGNATURE-
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2013-10-02 13:33:52 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2013-09-25 17:20:28.0 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2013-10-02 13:33:53.0 +0200 @@ -1,0 +2,9 @@ +Tue Oct 1 04:29:29 UTC 2013 - g...@suse.com + +- Add shim-netboot-fixes.patch to include upstream netboot fixes +- Add shim-mokmanager-disable-gfx-console.patch to disable the + graphics console to avoid system hang on some machines +- Add shim-bnc841426-silence-shim-protocols.patch to silence the + shim protocols (bnc#841426) + +--- New: shim-bnc841426-silence-shim-protocols.patch shim-mokmanager-disable-gfx-console.patch shim-netboot-fixes.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.m2SgPz/_old 2013-10-02 13:33:54.0 +0200 +++ /var/tmp/diff_new_pack.m2SgPz/_new 2013-10-02 13:33:54.0 +0200 @@ -58,6 +58,12 @@ Patch8: shim-bnc808106-correct-certcount.patch # PATCH-FIX-UPSTREAM shim-mokmanager-ui-revamp.patch g...@suse.com -- Revamp the MokManager UI Patch9: shim-mokmanager-ui-revamp.patch +# PATCH-FIX-UPSTREAM shim-netboot-fixes.patch g...@suse.com -- Upstream netboot fixes +Patch10:shim-netboot-fixes.patch +# PATCH-FIX-UPSTREAM shim-mokmanager-disable-gfx-console.patch g...@suse.com -- Disable graphics console to avoid system hang on some machines +Patch11:shim-mokmanager-disable-gfx-console.patch +# PATCH-FIX-UPSTREAM shim-bnc841426-silence-shim-protocols.patch bnc#841426 g...@suse.com -- Silence the shim protocols to avoid system hang +Patch12:shim-bnc841426-silence-shim-protocols.patch BuildRequires: gnu-efi >= 3.0t BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 
@@ -90,6 +96,9 @@ %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 %build chmod +x "make-certs" ++ shim-bnc841426-silence-shim-protocols.patch ++ 789 lines (skipped) ++ shim-mokmanager-disable-gfx-console.patch ++ >From c19cef4b4a61c82ba9a2c323659a20ec5d1d7ba2 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 26 Sep 2013 09:44:50 -0400 Subject: [PATCH] MokManager needs to disable the graphics console. Without this patch, on some machines we never see MokManager's UI. This protocol has never (I think?) been officially published, and yet I still have new hardware that needs it. If you're looking for a reference, look at: EdkCompatibilityPkg/Foundation/Protocol/ConsoleControl/ConsoleControl.c in the edk2 tree from Tiano. Signed-off-by: Peter Jones --- Makefile | 2 +- MokManager.c | 32 console_control.h | 44 3 files changed, 77 insertions(+), 1 deletion(-) create mode 100644 console_control.h diff --git a/Makefile b/Makefile index 77f3e52..1e4aed8 100644 --- a/Makefile +++ b/Makefile @@ -37,7 +37,7 @@ OBJS = shim.o netboot.o cert.o dbx.o KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key SOURCES= shim.c shim.h netboot.c signature.h PeImage.h MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o -MOK_SOURCES = MokManager.c shim.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h +MOK_SOURCES = MokManager.c shim.h console_control.h PasswordCrypt.c PasswordCrypt.h crypt_blowfish.c crypt_blowfish.h FALLBACK_OBJS = fallback.o FALLBACK_SRCS = fallback.c diff --git a/MokManager.c b/MokManager.c index 604129f..01362f2 100644 --- a/MokManager.c +++ b/MokManager.c @@ -6,6 +6,7 @@ #include "signature.h" #include "PeImage.h" #include "PasswordCrypt.h" +#include "console_control.h" #include "include/console.h" #include "include/simple_file.h" 
@@ -1741,6 +1742,34 @@ static EFI_STATUS check_mok_request(EFI_HANDLE image_handle) return EFI_SUCCESS; } +static VOID setup_console (int text) +{ + EFI_STATUS status; + EFI_GUID console_control_guid = EFI_CONSOLE_CONTROL_PROTOCOL_GUID; + EFI_CONSOLE_CONTROL_PROTOCOL *concon; + static EFI_CONSOLE_CONTROL_SCREEN_MODE mode = + EfiConsoleControlScreenGraphics; + EFI_CONSOLE_CONTROL_SCREEN_MODE new_mode; + + status = LibLocateProtocol(&console_control_guid, (VOID **)&concon); + if (status != EFI_SUCCESS) + return; + + if (text) { + new_mode = EfiConsoleControlScreenText; + +
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2013-09-25 17:20:27 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2013-09-17 15:03:18.0 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2013-09-25 17:20:28.0 +0200 @@ -1,0 +2,5 @@ +Wed Sep 25 07:17:54 UTC 2013 - g...@suse.com + +- Create boot.csv in ESP for fallback.efi to restore the boot entry + +--- Other differences: -- ++ shim-install ++ --- /var/tmp/diff_new_pack.leEZSP/_old 2013-09-25 17:20:28.0 +0200 +++ /var/tmp/diff_new_pack.leEZSP/_new 2013-09-25 17:20:28.0 +0200 @@ -180,6 +180,7 @@ rm -f "${efidir}/MokManager.efi" rm -f "${efidir}/grub.efi" rm -f "${efidir}/grub.cfg" +rm -f "${efidir}/boot.csv" efibootmgr="`which efibootmgr`" if test "$removable" = no && test -n "$bootloader_id" && test -n "$efibootmgr"; then # Delete old entries from the same distributor. @@ -194,6 +195,7 @@ cp "${source_dir}/shim.efi" "${efidir}" cp "${source_dir}/MokManager.efi" "${efidir}" cp "${source_dir}/grub.efi" "${efidir}" +echo "shim.efi,${bootloader_id}" | iconv -f ascii -t ucs2 > "${efidir}/boot.csv" grub_cfg_dirname=`dirname $grub_cfg` grub_cfg_basename=`basename $grub_cfg`
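Review bot: the boot.csv line added in the second shim-install hunk is written unconditionally, while the efibootmgr block shown in the first hunk only runs when test -n "$bootloader_id" holds, so an empty bootloader_id produces the record "shim.efi," with no label for fallback.efi to use. Nothing in the hunk checks the result of iconv either, and the redirect creates boot.csv in ${efidir} even when the conversion writes nothing. Guard the write with the same test -n "$bootloader_id" check, name the byte order explicitly in the -t argument rather than relying on what plain ucs2 resolves to on the installing system, and stop the install if iconv fails.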
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2013-09-17 15:03:17 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2013-09-11 13:09:53.0 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2013-09-17 15:03:18.0 +0200 @@ -1,0 +2,7 @@ +Tue Sep 17 10:53:50 CEST 2013 - fcro...@suse.com + +- Update microsoft.asc: shim signed by UEFI signing service, based + on code from "Fri Sep 6 13:57:36 UTC 2013". +- Improve extract_signature.sh to work on current path. + +--- Other differences: -- ++ extract_signature.sh ++ --- /var/tmp/diff_new_pack.40paP1/_old 2013-09-17 15:03:19.0 +0200 +++ /var/tmp/diff_new_pack.40paP1/_new 2013-09-17 15:03:19.0 +0200 @@ -20,5 +20,5 @@ # wtf? (pesign -n "$nssdir" -h -P -i "$infile"; -${0%/*}/timestamp.pl "$infile"; +perl $(dirname $0)/timestamp.pl "$infile"; pesign -n "$nssdir" -a -f -e /dev/stdout -i "$infile")|cat ++ microsoft.asc ++ --- /var/tmp/diff_new_pack.40paP1/_old 2013-09-17 15:03:19.0 +0200 +++ /var/tmp/diff_new_pack.40paP1/_new 2013-09-17 15:03:19.0 +0200 @@ -1,11 +1,11 @@ -hash: 9c259fcb301d5fc7397ed5759963e0ef6b36e42057fd73046e6bd08b149f751c -# 2013-08-29 08:45:28 -timestamp: 521f0a28 -checksum: bd3e +hash: 9dd2dcb72f5e741627f2e9e03ab18503a3403cf6a904a479a4db05d97e2250a9 +# 2013-09-09 08:13:59 +timestamp: 522d8347 +checksum: 6727 -BEGIN AUTHENTICODE SIGNATURE- MIIhngYJKoZIhvcNAQcCoIIhjzCCIYsCAQExDzANBglghkgBZQMEAgEFADBcBgor BgEEAYI3AgEEoE4wTDAXBgorBgEEAYI3AgEPMAkDAQCgBKICgAAwMTANBglghkgB -ZQMEAgEFAAQgnCWfyzAdX8c5ftV1mWPg72s25CBX/XMEbmvQixSfdRygggrpMIIE +ZQMEAgEFAAQgndLcty9edBYn8ungOrGFA6NAPPapBKR5pNsF2X4iUKmgggrpMIIE 0TCCA7mgAwIBAgITMwgesX6cFfyDegABCDANBgkqhkiG9w0BAQsFADCB gTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMi 
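Review bot: in the extract_signature.sh hunk the replacement line perl $(dirname $0)/timestamp.pl "$infile" leaves both $0 and the command substitution unquoted, so the script breaks when it is invoked from a path that contains whitespace. Quote both, as in perl "$(dirname "$0")/timestamp.pl" "$infile". Moving away from ${0%/*} is right, since that expansion returns the bare script name when $0 contains no slash.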
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2013-09-11 13:09:51 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2013-08-30 11:49:19.0 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2013-09-11 13:09:53.0 +0200 @@ -1,0 +2,13 @@ +Fri Sep 6 13:57:36 UTC 2013 - lnus...@suse.de + +- set timestamp of PE file to time of the binary the signature was + made for. +- make sure cert.o get's rebuilt for each target + +--- +Fri Sep 6 11:48:14 CEST 2013 - fcro...@suse.com + +- Update microsoft.asc: shim signed by UEFI signing service, based + on code from "Wed Aug 28 15:54:38 UTC 2013" + +--- New: strip_signature.sh timestamp.pl Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.A12SY7/_old 2013-09-11 13:09:54.0 +0200 +++ /var/tmp/diff_new_pack.A12SY7/_new 2013-09-11 13:09:54.0 +0200 @@ -37,6 +37,7 @@ Source7:show_hash.sh Source8:show_signatures.sh Source9:openSUSE-UEFI-CA-Certificate-4096.crt +Source10: timestamp.pl # PATCH-FIX-SUSE shim-suse-build.patch g...@suse.com -- Adjust Makefile for the build service Patch0: shim-suse-build.patch # PATCH-FIX-UPSTREAM shim-fix-pointer-casting.patch g...@suse.com -- Fix a casting issue and the size of an empty vendor_cert or dbx_cert. 
@@ -146,10 +147,14 @@ # make sure cast warnings don't trigger post build check make VENDOR_CERT_FILE=shim-$suffix.der shim.efi 2>/dev/null # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx -chmod 755 %{SOURCE6} %{SOURCE7} +chmod 755 %{SOURCE6} %{SOURCE7} %{SOURCE10} # alternative: verify signature #sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi head -1 %{SOURCE1} > hash1 +cp shim.efi shim.efi.bak +# pe header contains timestamp and checksum. we need to +# restore that +%{SOURCE10} --set-from-file %{SOURCE1} shim.efi %{SOURCE7} shim.efi > hash2 cat hash1 hash2 if ! cmp -s hash1 hash2; then @@ -159,13 +164,17 @@ if [ "${prj%%:*}" = "openSUSE" ]; then false fi - mv shim.efi shim-$suffix.efi + mv shim.efi.bak shim-$suffix.efi + rm shim.efi else + # attach signature %{SOURCE6} %{SOURCE1} shim.efi mv shim-signed.efi shim-$suffix.efi rm -f shim.efi fi rm -f shim.cer shim.crt +# make sure cert.o gets rebuilt +rm -f cert.o done ln -s shim-${suffixes[0]}.efi shim.efi ++ extract_signature.sh ++ --- /var/tmp/diff_new_pack.A12SY7/_old 2013-09-11 13:09:54.0 +0200 +++ /var/tmp/diff_new_pack.A12SY7/_new 2013-09-11 13:09:54.0 +0200 @@ -20,4 +20,5 @@ # wtf? (pesign -n "$nssdir" -h -P -i "$infile"; +${0%/*}/timestamp.pl "$infile"; pesign -n "$nssdir" -a -f -e /dev/stdout -i "$infile")|cat ++ microsoft.asc ++ --- /var/tmp/diff_new_pack.A12SY7/_old 2013-09-11 13:09:54.0 +0200 +++ /var/tmp/diff_new_pack.A12SY7/_new 2013-09-11 13:09:54.0 +0200 
@@ -1,8 +1,11 @@ -hash: cb340011afeb0d74c4a588b36ebaa441961608e8d2fa80dca8c13872c850796b +hash: 9c259fcb301d5fc7397ed5759963e0ef6b36e42057fd73046e6bd08b149f751c +# 2013-08-29 08:45:28 +timestamp: 521f0a28 +checksum: bd3e -BEGIN AUTHENTICODE SIGNATURE- -MIIhPgYJKoZIhvcNAQcCoIIhLzCCISsCAQExDzANBglghkgBZQMEAgEFADBcBgor +MIIhngYJKoZIhvcNAQcCoIIhjzCCIYsCAQExDzANBglghkgBZQMEAgEFADBcBgor BgEEAYI3AgEEoE4wTDAXBgorBgEEAYI3AgEPMAkDAQCgBKICgAAwMTANBglghkgB -ZQMEAgEFAAQgyzQAEa/rDXTEpYizbrqkQZYWCOjS+oDcqME4cshQeWugggrpMIIE +ZQMEAgEFAAQgnCWfyzAdX8c5ftV1mWPg72s25CBX/XMEbmvQixSfdRygggrpMIIE 0TCCA7mgAwIBAgITMwgesX6cFfyDegABCDANBgkqhkiG9w0BAQsFADCB gTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMi @@ -61,121 +64,123 @@ 2q0sd1MeJTI3x2xScpWGsPE1YWoZ9bI7gVBWpjIt/qKJ+UKGJxhVoYLKWpv4MJhU FKZHliUvyCbkQZQaXAI/5ZbjhVs8Pj+7RxZyVeIlIrHZe+cDBiqj9x6QRsMADdYZ ieMONSdiA3EVpu/QJ6CgWTdg+DiUuOB4cPi6TIaHlPbgrgJF7mXCtqN+aRZ1B5Kb -9aa8WYNYMYIVyDCCFcQCAQEwgZkwgYExCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpX +9aa8WYNYMYIWKDCCFiQCAQEwgZkwgYExCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpX YXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQg Q29ycG9yYXRpb24xKzApBgNVBAMTIk1pY3Jvc29mdCBDb3Jwb3JhdGlvbiBVRUZJ -IENBIDIwMTECEzMIHrF+nBX8g3oAAQgwDQYJYIZIAWUDBAIBBQCggcow -GQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQ
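Review bot: in the shim.spec hunk at -159,13 the signed branch attaches the signature and removes shim.efi but never removes the shim.efi.bak created by the cp shim.efi shim.efi.bak added in the previous hunk; only the mismatch branch consumes it with mv shim.efi.bak shim-$suffix.efi. Add rm -f shim.efi.bak to the signed branch so no unsigned copy with the original header is left in the build tree, and use rm -f shim.efi in the mismatch branch to match the other branch. The comment "pe header contains timestamp and checksum. we need to restore that" would also be clearer if it said that the values come from the header lines of microsoft.asc and are needed for the hash comparison that follows.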
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2013-08-30 11:49:18 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2013-08-28 21:17:52.0 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2013-08-30 11:49:19.0 +0200 @@ -1,0 +2,10 @@ +Wed Aug 28 15:54:38 UTC 2013 - lnus...@suse.de + +- always build a shim that embeds the distro's certificate (e.g. + shim-opensuse.efi). If the package is built in the devel project + additionally shim-devel.efi is created. That allows us to either + load grub2/kernel signed by the distro or signed by the devel + project, depending on use case. Also shim-$distro.efi from the + devel project can be used to request additional signatures. + +--- Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.VjIeva/_old 2013-08-30 11:49:20.0 +0200 +++ /var/tmp/diff_new_pack.VjIeva/_new 2013-08-30 11:49:20.0 +0200 
@@ -93,75 +93,98 @@ %build chmod +x "make-certs" -cert2='' +# first, build MokManager and fallback as they don't depend on a +# specific certificate +make MokManager.efi fallback.efi 2>/dev/null + +# now build variants of shim that embed different certificates +default='' +suffixes=(opensuse sles) +# check whether the project cert is a known one. If it is we build +# just one shim that embeds this specific cert. If it's a devel +# project we build all variants to simplify testing. if test -e %{_sourcedir}/_projectcert.crt ; then prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash) prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash) opensusesubject=$(openssl x509 -in %{SOURCE2} -noout -subject_hash) slessubject=$(openssl x509 -in %{SOURCE4} -noout -subject_hash) if test "$prjissuer" = "$opensusesubject" ; then -suffix=opensuse + suffixes=(opensuse) +elif test "$prjissuer" = "$slessubject" ; then + suffixes=(sles) +elif test "$prjsubject" = "$prjissuer" ; then + suffixes=(devel opensuse sles) +fi +fi + +for suffix in "${suffixes[@]}"; do +if test "$suffix" = "opensuse"; then cert=%{SOURCE2} cert2=%{SOURCE9} -fi -if test "$prjissuer" = "$slessubject" ; then -suffix=sles +elif test "$suffix" = "sles"; then cert=%{SOURCE4} -fi -if test "$prjsubject" = "$prjissuer" ; then -suffix=local + cert2='' +elif test "$suffix" = "devel"; then cert=%{_sourcedir}/_projectcert.crt + cert2='' + test -e "$cert" || continue +else + echo "invalid suffix" + false fi -fi -if test -z "$suffix" ; then -echo "cannot identify project, assuming openSUSE signing" -suffix=opensuse -cert=%{SOURCE2} -fi -openssl x509 -in $cert -outform DER -out shim-$suffix.der -if [ -z "$cert2" ]; then +openssl x509 -in $cert -outform DER -out shim-$suffix.der +if [ -z "$cert2" ]; then # create empty local cert file, we don't need a local key pair as we # sign the mokmanager with our vendor key touch shim.crt touch shim.cer -else +else cp $cert2 shim.crt 
-fi -# make sure cast warnings don't trigger post build check -make VENDOR_CERT_FILE=shim-$suffix.der shim.efi MokManager.efi fallback.efi 2>/dev/null -# make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx -cp shim.efi shim-$suffix.efi -chmod 755 %{SOURCE6} %{SOURCE7} -# alternative: verify signature -#sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi -head -1 %{SOURCE1} > hash1 -%{SOURCE7} shim.efi > hash2 -cat hash1 hash2 -if ! cmp -s hash1 hash2; then + rm -f shim.cer +fi +# make sure cast warnings don't trigger post build check +make VENDOR_CERT_FILE=shim-$suffix.der shim.efi 2>/dev/null +# make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx +chmod 755 %{SOURCE6} %{SOURCE7} +# alternative: verify signature +#sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi +head -1 %{SOURCE1} > hash1 +%{SOURCE7} shim.efi > hash2 +cat hash1 hash2 +if ! cmp -s hash1 hash2; then echo "ERROR: binary changed, need to request new signature!" # don't fail in devel projects prj="%{_project}" if [ "${prj%%:*}" = "openSUSE" ]; then false fi -fi -%{SOURCE6} %{SOURCE1} shim.efi + mv shim.efi shim-$suffix.efi +else + %{SOURCE6} %{SOURCE1} shim.efi + mv shim-sign
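Review bot: inside the new for suffix loop, head -1 %{SOURCE1} > hash1 is compared against every variant, but each shim is built with a different VENDOR_CERT_FILE=shim-$suffix.der, so at most one variant can match the single hash in %{SOURCE1} and every other variant always takes the "binary changed, need to request new signature!" path. Select the signature file per suffix, or skip the comparison for variants that have no signature, and word the message so that it does not report a change for a variant that was never signed. The earlier "cannot identify project" message was also dropped: when _projectcert.crt exists but matches none of the three tests, the default suffixes=(opensuse sles) is used without any notice in the build log.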
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2013-08-28 21:17:50 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2013-08-27 21:22:39.0 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2013-08-28 21:17:52.0 +0200 @@ -1,0 +2,7 @@ +Wed Aug 28 07:16:51 UTC 2013 - lnus...@suse.de + +- also include old openSUSE 4096 bit certificate to be able to still + boot kernels signed with that key. +- add show_signatures script + +--- New: openSUSE-UEFI-CA-Certificate-4096.crt show_signatures.sh Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.8MqiVw/_old 2013-08-28 21:17:52.0 +0200 +++ /var/tmp/diff_new_pack.8MqiVw/_new 2013-08-28 21:17:52.0 +0200 @@ -35,6 +35,8 @@ Source5:extract_signature.sh Source6:attach_signature.sh Source7:show_hash.sh +Source8:show_signatures.sh +Source9:openSUSE-UEFI-CA-Certificate-4096.crt # PATCH-FIX-SUSE shim-suse-build.patch g...@suse.com -- Adjust Makefile for the build service Patch0: shim-suse-build.patch # PATCH-FIX-UPSTREAM shim-fix-pointer-casting.patch g...@suse.com -- Fix a casting issue and the size of an empty vendor_cert or dbx_cert. @@ -91,6 +93,7 @@ %build chmod +x "make-certs" +cert2='' if test -e %{_sourcedir}/_projectcert.crt ; then prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash) prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash) @@ -99,6 +102,7 @@ if test "$prjissuer" = "$opensusesubject" ; then suffix=opensuse cert=%{SOURCE2} +cert2=%{SOURCE9} fi if test "$prjissuer" = "$slessubject" ; then suffix=sles 
@@ -116,10 +120,14 @@ fi openssl x509 -in $cert -outform DER -out shim-$suffix.der -# create empty local cert file, we don't need a local key pair as we -# sign the mokmanager with our vendor key -touch shim.crt -touch shim.cer +if [ -z "$cert2" ]; then + # create empty local cert file, we don't need a local key pair as we + # sign the mokmanager with our vendor key + touch shim.crt + touch shim.cer +else + cp $cert2 shim.crt +fi # make sure cast warnings don't trigger post build check make VENDOR_CERT_FILE=shim-$suffix.der shim.efi MokManager.efi fallback.efi 2>/dev/null # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx ++ openSUSE-UEFI-CA-Certificate-4096.crt ++ -BEGIN CERTIFICATE- MIIGdDCCBFygAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgTEgMB4GA1UEAwwXb3Bl blNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJl bWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEW EmJ1aWxkQG9wZW5zdXNlLm9yZzAeFw0xMzAxMjgxNDUzMzBaFw0zNDEyMjQxNDUz MzBaMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UE BhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJv amVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMIICIjANBgkq hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuqmSgrdlO0B96sOK5mJj1k4OetzmP6l8 YKdy+HdzN/3bS97vfqIIqb0YCgzmJROSLsXv6WQReuAtKbftgla6R/dOvKU/CxCN z0uCbzuM+gN5Q7pSWifnm81QNDowFpxZlJBFvIP92zh5yWNEGqVzMN0jDjOFxLfh O1sx6W8YBOYzScWrlTKysH6uK79gWenwvh3nmkx+68PV08azmizG6As4IAPDqtd/ w92iLTzjLVGp32wFDhLuDleojjvJgnOGngKa8oRcLlvfh07wKO0urjt8/3HKxcUf RmbSyaLdfP8lOt/mFPpfN4kev9wjqdbIhLIZs6iKbu+hR40QfAR46V8vnPoeIYeM ibsl1mvr0U7O6w7kTQuzW7JmJkCYf7n4HoPBgxTzgjKlsBGY0I+dTvZXozsKuTKx ir/w6WWcdkIWoXJh00Nb9eWqFQr0exG0hwa1o0ESXjv7aJHwg39B6m8MZVppdpmg i0G8pOKtHQZ6OR87YeSUHJ400ocIfYMOAybuB/5rHfC58BvCcjaZwHKTkHlyx28i EXgFyzGMqbWlgmI5RJ8UzaM6rTaieIRSsyGbYrDa89BFMhGmY8xMIeeT8191bLbH CpX7CMW9npoEqslHL67FMI3LXC5fgYKoPwUnj/TlT0gkjVobEXmXZB6sCDQ6BFTg 4dpPIFEjnxsCAwEAAaOB9DCB8TAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSZ DSa38E3ZzmTn0Y79aHtKXeKGpTCBrgYDVR0jBIGmMIGjgBSZDSa38E3ZzmTn0Y79 
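Review bot: in the shim.spec hunk at -116,10 the new else branch copies $cert2 to shim.crt but, unlike the then branch, does nothing about shim.cer, so a shim.cer already present in the tree would no longer correspond to the copied certificate. Remove or regenerate shim.cer in the else branch and quote "$cert2". The existing comment only describes the empty-file case; extend it to say that this slot now carries the old 4096-bit openSUSE CA so that kernels signed with that key still boot, as the changelog states.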
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2013-08-27 21:11:58 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2013-08-22 10:55:23.0 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2013-08-27 21:22:39.0 +0200 @@ -1,0 +2,6 @@ +Tue Aug 27 06:41:03 UTC 2013 - lnus...@suse.de + +- replace the 4096 bit openSUSE UEFI CA certificate with new a + standard compliant 2048 bit one. + +--- Other differences: -- ++ openSUSE-UEFI-CA-Certificate.crt ++ --- /var/tmp/diff_new_pack.gPp1ZD/_old 2013-08-27 21:22:40.0 +0200 +++ /var/tmp/diff_new_pack.gPp1ZD/_new 2013-08-27 21:22:40.0 +0200 
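Review bot: the change to openSUSE-UEFI-CA-Certificate.crt replaces the 4096-bit CA in place, and the changelog entry does not say what happens to binaries already signed under the old key. Record in shim.changes whether the old certificate stays trusted through another path or whether everything signed with it has to be re-signed, and add the fingerprint of the new certificate there so the swap can be audited without decoding the PEM body.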
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2013-08-22 10:55:23 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2013-08-12 14:22:14.0 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2013-08-22 10:55:23.0 +0200 @@ -1,0 +2,5 @@ +Tue Aug 20 11:48:25 UTC 2013 - lnus...@suse.de + +- fix shell syntax error + +--- Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.vFRRoU/_old 2013-08-22 10:55:24.0 +0200 +++ /var/tmp/diff_new_pack.vFRRoU/_new 2013-08-22 10:55:24.0 +0200 @@ -134,7 +134,7 @@ echo "ERROR: binary changed, need to request new signature!" # don't fail in devel projects prj="%{_project}" - if "${prj%%:*}" = "openSUSE"; then + if [ "${prj%%:*}" = "openSUSE" ]; then false fi fi
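Review bot: the corrected test if [ "${prj%%:*}" = "openSUSE" ]; then still ends in a bare false, which stops the build only because the surrounding script runs with errexit and is easy to misread as a no-op. Use exit 1 in that branch so the intent is explicit. The changelog entry "fix shell syntax error" also undersells the change: the previous form tried to run the project name as a command, so the branch was never entered and a hash mismatch could not fail the build; say so in shim.changes.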
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2013-08-12 14:22:13 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2013-08-01 16:08:56.0 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2013-08-12 14:22:14.0 +0200 @@ -1,0 +2,6 @@ +Wed Aug 7 15:51:36 UTC 2013 - lnus...@suse.de + +- don't include binary in the sources. Instead package the raw + signature and attach it during build (bnc#813448). + +--- Old: shim-signed.efi New: attach_signature.sh extract_signature.sh microsoft.asc show_hash.sh Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.EeRpj4/_old 2013-08-12 14:22:15.0 +0200 +++ /var/tmp/diff_new_pack.EeRpj4/_new 2013-08-12 14:22:15.0 +0200 @@ -26,13 +26,15 @@ Group: System/Boot Url:https://github.com/mjg59/shim Source: %{name}-%{version}.tar.bz2 -# this binary has been signed by UEFI signing service -# FIXME: evaluate whether using signature only and attaching that -# to the built binary also works -Source1:shim-signed.efi +# run "extract_signature.sh shim.efi" where shim.efi is the binary +# with the signature from the UEFI signing service. +Source1:microsoft.asc Source2:openSUSE-UEFI-CA-Certificate.crt Source3:shim-install Source4:SLES-UEFI-CA-Certificate.crt +Source5:extract_signature.sh +Source6:attach_signature.sh +Source7:show_hash.sh # PATCH-FIX-SUSE shim-suse-build.patch g...@suse.com -- Adjust Makefile for the build service Patch0: shim-suse-build.patch # PATCH-FIX-UPSTREAM shim-fix-pointer-casting.patch g...@suse.com -- Fix a casting issue and the size of an empty vendor_cert or dbx_cert. 
@@ -121,15 +123,29 @@ # make sure cast warnings don't trigger post build check make VENDOR_CERT_FILE=shim-$suffix.der shim.efi MokManager.efi fallback.efi 2>/dev/null # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx -mv shim.efi shim-$suffix.efi +cp shim.efi shim-$suffix.efi +chmod 755 %{SOURCE6} %{SOURCE7} +# alternative: verify signature +#sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi +head -1 %{SOURCE1} > hash1 +%{SOURCE7} shim.efi > hash2 +cat hash1 hash2 +if ! cmp -s hash1 hash2; then + echo "ERROR: binary changed, need to request new signature!" + # don't fail in devel projects + prj="%{_project}" + if "${prj%%:*}" = "openSUSE"; then + false + fi +fi +%{SOURCE6} %{SOURCE1} shim.efi %install export BRP_PESIGN_FILES='%{_libdir}/efi/shim*.efi %{_libdir}/efi/MokManager.efi %{_libdir}/efi/fallback.efi' install -d %{buildroot}/%{_libdir}/efi install -m 644 shim-*.efi %{buildroot}/%{_libdir}/efi install -m 444 shim-*.der %{buildroot}/%{_libdir}/efi -# FIXME: install signed shim here -install -m 644 %{SOURCE1} %{buildroot}/%{_libdir}/efi/shim.efi +install -m 644 shim-signed.efi %{buildroot}/%{_libdir}/efi/shim.efi install -m 644 MokManager.efi %{buildroot}/%{_libdir}/efi/MokManager.efi install -m 644 fallback.efi %{buildroot}/%{_libdir}/efi/fallback.efi install -d %{buildroot}/%{_sbindir} ++ attach_signature.sh ++ #!/bin/bash # attach ascii armored signature to a PE binary set -e sig="$1" infile="$2" if [ -z "$sig" -o ! -e "$sig" -o -z "$infile" -o ! -e "$infile" ]; then echo "USAGE: $0 sig.asc file.efi" exit 1 fi outfile="${infile%.efi}-signed.efi" nssdir=`mktemp -d` cleanup() { rm -r "$nssdir" } trap cleanup EXIT echo > "$nssdir/pw" certutil -f "$nssdir/pw" -d "$nssdir" -N pesign -n "$nssdir" -m "$sig" -i "$infile" -o "$outfile" ++ extract_signature.sh ++ #!/bin/bash # extract ascii armored signature from a PE binary set -e infile="$1" if [ -z "$infile" -o ! 
-e "$infile" ]; then echo "USAGE: $0 file.efi" exit 1 fi nssdir=`mktemp -d` cleanup() { rm -r "$nssdir" } trap cleanup EXIT echo > "$nssdir/pw" certutil -f "$nssdir/pw" -d "$nssdir" -N # wtf? (pesign -n "$nssdir" -h -P -i "$infile"; pesign -n "$nssdir" -a -f -e /dev/stdout -i "$infile")|cat ++ microsoft.asc ++ hash: cb340011afeb0d74c4a588b36ebaa441961608e8d2fa80dca8c13872c850796b -BEGIN AUTHENTICODE SIGNATURE- MIIhPgYJKoZIhvcNAQcCoIIhLzCCISsCAQExDzANBglghkgBZQMEAgEFADBcBgor BgEEAYI3AgEEoE4wTDAXBgorBgEEAYI3AgEPMAkDAQCgBKICgAAwMTANBglghkgB ZQMEAgEFAAQgyzQAEa/rDXTEpYizbrqkQZYWCOjS+oDcqME4cshQeWugggrpMIIE 0TCCA7mgAwIBAgITMwgesX6cFfyDegABCDANBgkqhkiG9w0BAQsFADCB gTELMAkGA1UEBhMCVVMx
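Review bot: in the %build part of the shim.spec hunk at -121,15, the line if "${prj%%:*}" = "openSUSE"; then is missing the [ ] test brackets, so the shell tries to run the project name as a command and the false that should fail the build on a hash mismatch is never reached. Write it as if [ "${prj%%:*}" = "openSUSE" ]; then. In the %install part of the same hunk, install -m 644 shim-*.efi also matches the new shim-signed.efi, so the signed binary is installed under that name as well as under shim.efi; narrow the glob if that is not intended.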
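Review bot: the new extract_signature.sh pipes its two pesign calls through |cat under a comment that says only "# wtf?". Replace the comment with a description of the failure seen without the pipe, so that a later cleanup does not remove the workaround. Both new scripts also create the NSS database with an empty password file via echo > "$nssdir/pw"; a one-line comment that the database is a throwaway in a mktemp directory and holds no key material would make that choice reviewable.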
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2013-08-01 16:08:55 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2013-07-24 17:29:48.0 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2013-08-01 16:08:56.0 +0200 @@ -1,0 +2,9 @@ +Tue Jul 30 07:36:28 UTC 2013 - g...@suse.com + +- Update shim-mokmanager-ui-revamp.patch to include fixes for + MokManager + + reboot the system after clearing MOK password + + fetch more info from X509 name + + check the suffix of the key file + +--- Other differences: -- ++ shim-mokmanager-ui-revamp.patch ++ --- /var/tmp/diff_new_pack.o1p9jg/_old 2013-08-01 16:08:57.0 +0200 +++ /var/tmp/diff_new_pack.o1p9jg/_new 2013-08-01 16:08:57.0 +0200 @@ -1,7 +1,7 @@ From a6436443a82b23de4c5dfe83f3c8389f8b554ad3 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 30 May 2013 14:22:43 +0800 -Subject: [PATCH 1/8] MokManager: Remove the unnecessary string duplication +Subject: [PATCH 01/11] MokManager: Remove the unnecessary string duplication --- MokManager.c | 19 --- @@ -82,7 +82,7 @@ From ef8fdc597fd532cc4c91c3d2ee638ef339002618 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 18 Apr 2013 17:13:12 +0800 -Subject: [PATCH 2/8] MokManager: draw the countdown screen +Subject: [PATCH 02/11] MokManager: draw the countdown screen --- MokManager.c | 60 @@ -173,7 +173,7 @@ From 9ff682d251b3d30fae63c026aa0105c49db7db16 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Wed, 26 Jun 2013 12:23:26 +0800 -Subject: [PATCH 3/8] MokManager: remove the duplicate get_keystroke() +Subject: [PATCH 03/11] MokManager: remove the duplicate get_keystroke() --- MokManager.c | 14 +- @@ -218,7 +218,7 @@ From 4c9f6b0b2100f5e878d8578db3ee232c20440735 Mon Sep 17 00:00:00 2001 
From: Gary Ching-Pang Lin Date: Wed, 26 Jun 2013 15:21:35 +0800 -Subject: [PATCH 4/8] MokManager: enhance the password prompt +Subject: [PATCH 04/11] MokManager: enhance the password prompt --- MokManager.c | 106 +-- @@ -429,7 +429,7 @@ From 6e71cb7900b99482c7b51a6076f8392022ba15a6 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 27 Jun 2013 11:59:09 +0800 -Subject: [PATCH 5/8] Enable openssl bio_printf() +Subject: [PATCH 05/11] Enable openssl bio_printf() bio_printf() was replaced with a dummy function and this made several openssl functions useless. This commit adds the print @@ -1330,7 +1330,7 @@ From 0b5a0362d6bd3fd1a0721e05353046e387ef2a22 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 27 Jun 2013 12:03:14 +0800 -Subject: [PATCH 6/8] Disable floating points in b_print +Subject: [PATCH 06/11] Disable floating points in b_print The long double declaration will enable SSE and cause a compilation error. Disabling everything related to floating points avoids the @@ -1403,7 +1403,7 @@ From bb29385b30d6958fa99e43bfcf64815ca4bc4a53 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 27 Jun 2013 12:28:08 +0800 -Subject: [PATCH 7/8] MokManager: rearrange the output of MOK info +Subject: [PATCH 07/11] MokManager: rearrange the output of MOK info --- MokManager.c | 239 --- @@ -1758,7 +1758,7 @@ From 139e31d514772f7aa74cf130ac1e4f2d548734ca Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 27 Jun 2013 15:04:07 +0800 -Subject: [PATCH 8/8] MokManager: enhance the password prompt for SB state +Subject: [PATCH 08/11] MokManager: enhance the password prompt for SB state --- MokManager.c | 62 +--- 
@@ -1862,3 +1862,221 @@ -- 1.8.1.4 + +From f6102590b773cef0825eb707a793e70b54b882e9 Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Wed, 24 Jul 2013 14:39:39 +0800 +Subject: [PATCH 09/11] MokManager: reboot the system after clearing MOK + password + +--- + MokManager.c | 6 +- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/MokManager.c b/MokManager.c +index b832e40..bef4d8c 100644 +--- a/MokManager.c b/MokManager.c +@@ -1107,7 +1107,11 @@ static INTN mok_pw_prompt (void *MokPW, UINTN MokPWSize) { + + LibDeleteVariable(L"MokPWStore", &shim_lock_guid); + LibDeleteVariable(L"MokPW", &shim_lock_guid); +- return 0; ++ console
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2013-07-24 17:29:46 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2013-05-13 15:33:45.0 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2013-07-24 17:29:48.0 +0200 
@@ -1,0 +2,30 @@ +Tue Jul 23 03:55:05 UTC 2013 - g...@suse.com + +- Update to 0.4 +- Rebase patches + + shim-suse-build.patch + + shim-mokmanager-support-crypt-hash-method.patch + + shim-bnc804631-fix-broken-bootpath.patch + + shim-bnc798043-no-doulbe-separators.patch + + shim-bnc807760-change-pxe-2nd-loader-name.patch + + shim-bnc808106-correct-certcount.patch + + shim-mokmanager-ui-revamp.patch +- Add patches + + shim-merge-lf-loader-code.patch: merge the Linux Foundation +loader UI code + + shim-fix-pointer-casting.patch: fix a casting issue and the +size of an empty vendor cert + + shim-fix-simple-file-selector.patch: fix the buffer allocation +in the simple file selector +- Remove upstreamed patches + + shim-support-mok-delete.patch + + shim-reboot-after-changes.patch + + shim-clear-queued-key.patch + + shim-local-key-sign-mokmanager.patch + + shim-get-2nd-stage-loader.patch + + shim-fix-loadoptions.patch +- Remove unused patch: shim-mokmanager-new-pw-hash.patch and + shim-keep-unsigned-mokmanager.patch +- Install the vendor certificate to /etc/uefi/certs + +--- Old: shim-0.2.tar.bz2 shim-clear-queued-key.patch shim-fix-loadoptions.patch shim-get-2nd-stage-loader.patch shim-keep-unsigned-mokmanager.patch shim-local-key-sign-mokmanager.patch shim-mokmanager-new-pw-hash.patch shim-reboot-after-changes.patch shim-support-mok-delete.patch New: shim-0.4.tar.bz2 shim-fix-pointer-casting.patch shim-fix-simple-file-selector.patch shim-merge-lf-loader-code.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.Jr1LqW/_old 2013-07-24 17:29:49.0 +0200 +++ /var/tmp/diff_new_pack.Jr1LqW/_new 2013-07-24 17:29:49.0 +0200 @@ -19,7 +19,7 @@ # needssslcertforbuild Name: shim -Version:0.2 +Version:0.4 Release:0 Summary:UEFI shim loader License:BSD-2-Clause 
@@ -35,35 +35,25 @@ Source4:SLES-UEFI-CA-Certificate.crt # PATCH-FIX-SUSE shim-suse-build.patch g...@suse.com -- Adjust Makefile for the build service Patch0: shim-suse-build.patch -# PATCH-FIX-UPSTREAM shim-local-key-sign-mokmanager.patch g...@suse.com -- Sign MokManager.efi with the local generated certificate -Patch1: shim-local-key-sign-mokmanager.patch -# PATCH-FEATURE-UPSTREAM shim-get-2nd-stage-loader.patch g...@suse.com -- Get the second stage loader path from the load options -Patch2: shim-get-2nd-stage-loader.patch -# PATCH-FIX-UPSTREAM shim-reboot-after-changes.patch g...@suse.com -- Reboot the system after enrolling or erasing keys -Patch3: shim-reboot-after-changes.patch -# PATCH-FIX-UPSTREAM shim-clear-queued-key.patch g...@suse.com -- Clear the queued key to show the menu properly -Patch5: shim-clear-queued-key.patch -# PATCH-FIX-UPSTREAM shim-fix-loadoptions.patch bnc#798043 g...@suse.com -- Adopt the UEFI shell style LoadOptions -Patch6: shim-fix-loadoptions.patch -# PATCH-FIX-UPSTREAM shim-support-mok-delete.patch g...@suse.com -- Support for deleting specific keys -Patch7: shim-support-mok-delete.patch -# PATCH-FIX-UPSTREAM shim-mokmanager-new-pw-hash.patch g...@suse.com -- Support the new password hash -Patch8: shim-mokmanager-new-pw-hash.patch +# PATCH-FIX-UPSTREAM shim-fix-pointer-casting.patch g...@suse.com -- Fix a casting issue and the size of an empty vendor_cert or dbx_cert. 
+Patch1: shim-fix-pointer-casting.patch +# PATCH-FIX-UPSTREAM shim-merge-lf-loader-code.patch g...@suse.com -- Merge the Linux Foundation loader UI code +Patch2: shim-merge-lf-loader-code.patch +# PATCH-FIX-UPSTREAM shim-fix-simple-file-selector.patch g...@suse.com -- Fix the buffer allocation in the simple file selector +Patch3: shim-fix-simple-file-selector.patch # PATCH-FIX-UPSTREAM shim-mokmanager-support-crypt-hash-method.patch g...@suse.com -- Support the password hashes from /etc/shadow -Patch9: shim-mokmanager-support-crypt-hash-method.patch -# PATCH-FIX-OPENSUSE shim-keep-unsigned-mokmanager.patch g...@suse.com -- Keep MokManager.efi and sign it with the openSUSE key later -Patch10:shim-keep-unsigned-mokmanager.patch +Patch4: shi
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2013-05-13 15:33:43 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2013-04-03 13:06:31.0 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2013-05-13 15:33:45.0 +0200 @@ -1,0 +2,5 @@ +Wed May 8 06:40:12 UTC 2013 - g...@suse.com + +- Add shim-mokmanager-ui-revamp.patch to update the MokManager UI + +--- New: shim-mokmanager-ui-revamp.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.jq4fni/_old 2013-05-13 15:33:48.0 +0200 +++ /var/tmp/diff_new_pack.jq4fni/_new 2013-05-13 15:33:48.0 +0200 @@ -61,6 +61,8 @@ Patch13:shim-bnc807760-change-pxe-2nd-loader-name.patch # PATCH-FIX-UPSTREAM shim-bnc808106-correct-certcount.patch bnc#808106 g...@suse.com -- Correct the certifcate count of the signature list Patch14:shim-bnc808106-correct-certcount.patch +# PATCH-FIX-UPSTREAM shim-mokmanager-ui-revamp.patch g...@suse.com -- Revamp the MokManager UI +Patch15:shim-mokmanager-ui-revamp.patch BuildRequires: gnu-efi >= 3.0q BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 @@ -97,6 +99,7 @@ %patch12 -p1 %patch13 -p1 %patch14 -p1 +%patch15 -p1 %build chmod +x "make-certs" ++ shim-mokmanager-ui-revamp.patch ++ 10787 lines (skipped) -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2013-04-03 13:06:28 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim", Maintainer is "g...@suse.com" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2013-03-08 13:40:38.0 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2013-04-03 13:06:31.0 +0200 @@ -1,0 +2,6 @@ +Wed Apr 3 03:54:22 UTC 2013 - g...@suse.com + +- Call update-bootloader in %post to update *.efi in \efi\opensuse + (bnc#813079) + +--- Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.LSxtTI/_old 2013-04-03 13:06:37.0 +0200 +++ /var/tmp/diff_new_pack.LSxtTI/_new 2013-04-03 13:06:37.0 +0200 @@ -66,6 +66,7 @@ BuildRequires: openssl >= 0.9.8 BuildRequires: pesign BuildRequires: pesign-obs-integration +Requires: perl-Bootloader BuildRoot: %{_tmppath}/%{name}-%{version}-build Recommends: grub2-efi ExclusiveArch: x86_64 @@ -148,6 +149,9 @@ %clean %{?buildroot:%__rm -rf "%{buildroot}"} +%post +/sbin/update-bootloader --refresh || true + %files %defattr(-,root,root) %doc COPYRIGHT -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
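Review bot: The new %post scriptlet runs `/sbin/update-bootloader --refresh || true`, so a failed refresh is discarded and the package update still succeeds while the *.efi files in \efi\opensuse stay at the old version, which is the situation bnc#813079 is meant to fix. Consider at least printing a warning to stderr when the command fails, so the stale loader is visible in the update log. Since the call happens in %post, and assuming perl-Bootloader is what provides update-bootloader, `Requires(post): perl-Bootloader` would express the dependency more precisely than the plain `Requires:` added in the first hunk.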
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2013-03-08 13:40:37 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim", Maintainer is "g...@suse.com" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2013-03-05 13:08:10.0 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2013-03-08 13:40:38.0 +0100 @@ -1,0 +2,8 @@ +Fri Mar 8 06:53:47 UTC 2013 - g...@suse.com + +- Add shim-bnc807760-change-pxe-2nd-loader-name.patch to change the + PXE 2nd stage loader name (bnc#807760) +- Add shim-bnc808106-correct-certcount.patch to correct the + certificate count of the signature list (bnc#808106) + +--- New: shim-bnc807760-change-pxe-2nd-loader-name.patch shim-bnc808106-correct-certcount.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.6sdEcn/_old 2013-03-08 13:40:40.0 +0100 +++ /var/tmp/diff_new_pack.6sdEcn/_new 2013-03-08 13:40:40.0 +0100 @@ -57,6 +57,10 @@ Patch11:shim-bnc804631-fix-broken-bootpath.patch # PATCH-FIX-UPSTREAM shim-bnc798043-no-doulbe-separators.patch bnc#798043 g...@suse.com -- Remove all double-separators from the bootpath Patch12:shim-bnc798043-no-doulbe-separators.patch +# PATCH-FIX-UPSTREAM shim-bnc807760-change-pxe-2nd-loader-name.patch bnc#807760 g...@suse.com -- Change the PXE 2nd stage loader to match the filename we are using +Patch13:shim-bnc807760-change-pxe-2nd-loader-name.patch +# PATCH-FIX-UPSTREAM shim-bnc808106-correct-certcount.patch bnc#808106 g...@suse.com -- Correct the certifcate count of the signature list +Patch14:shim-bnc808106-correct-certcount.patch BuildRequires: gnu-efi >= 3.0q BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 @@ -90,6 +94,8 @@ %patch10 -p1 %patch11 -p1 %patch12 -p1 +%patch13 -p1 +%patch14 -p1 %build chmod +x "make-certs" ++ shim-bnc807760-change-pxe-2nd-loader-name.patch ++ >From 8222b5f6dd8ff34368173b86ae6108cb792802a7 Mon Sep 17 00:00:00 2001 
From: Gary Ching-Pang Lin Date: Thu, 7 Mar 2013 11:59:44 +0800 Subject: [PATCH] Define the PXE 2nd stage loader in the beginning of the file Make it easier to change the PXE 2nd stage loader. --- netboot.c | 12 +++- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/netboot.c b/netboot.c index 90fb9cb..ae723c7 100644 --- a/netboot.c +++ b/netboot.c @@ -39,6 +39,7 @@ #include "shim.h" #include "netboot.h" +#define DEFAULT_LOADER "/grub.efi" static inline unsigned short int __swap16(unsigned short int x) { @@ -238,7 +239,7 @@ static BOOLEAN extract_tftp_info(char *url) { char *start, *end; char ip6str[128]; - char *template = "/grubx64.efi"; + char *template = DEFAULT_LOADER; if (strncmp((UINT8 *)url, (UINT8 *)"tftp://";, 7)) { Print(L"URLS MUST START WITH tftp://\n";); @@ -294,9 +295,11 @@ static EFI_STATUS parseDhcp6() static EFI_STATUS parseDhcp4() { - char *template = "/grubx64.efi"; - char *tmp = AllocatePool(16); + char *template = DEFAULT_LOADER; + char *tmp; + int len = strlen((CHAR8 *)template); + tmp = AllocatePool(len+1); if (!tmp) return EFI_OUT_OF_RESOURCES; @@ -304,8 +307,7 @@ static EFI_STATUS parseDhcp4() memcpy(&tftp_addr.v4, pxe->Mode->DhcpAck.Dhcpv4.BootpSiAddr, 4); - memcpy(tmp, template, 12); - tmp[13] = '\0'; + memcpy(tmp, template, len+1); full_path = tmp; /* Note we don't capture the filename option here because we know its shim.efi -- 1.7.10.4 ++ shim-bnc808106-correct-certcount.patch ++ >From 822b44b8d978449a43fb2cd7bcd1381d961d0b25 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Fri, 8 Mar 2013 14:44:50 +0800 Subject: [PATCH] Correct the certificate count of the signature list --- shim.c |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shim.c b/shim.c index c36b641..1daa84b 100644 --- a/shim.c +++ b/shim.c 
@@ -228,7 +228,7 @@ static CHECK_STATUS check_db_cert_in_ram(EFI_SIGNATURE_LIST *CertList, while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) { if (CompareGuid (&CertList->SignatureType, &CertType) == 0) { - CertCount = (CertList->SignatureListSize - CertList->SignatureHeaderSize) / CertList->SignatureSize; + CertCount = (CertList->SignatureListSize - sizeof (EFI_SIGNATURE_LIST) - CertList->SignatureHeaderSize) / CertList->SignatureSize;
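Review bot: In parseDhcp4() of shim-bnc807760-change-pxe-2nd-loader-name.patch, the removed lines `memcpy(tmp, template, 12); tmp[13] = '\0';` left tmp[12] unwritten, so the switch to `AllocatePool(len+1)` with `memcpy(tmp, template, len+1)` is a real string-termination fix, yet the commit message only says the change makes the loader easier to change. Please mention the fix in the message, and state that DEFAULT_LOADER changes the default from "/grubx64.efi" to "/grub.efi", since that changes which file is requested over TFTP. `len` is declared `int`; an unsigned type would match how it is used as an allocation and copy size.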
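Review bot: In check_db_cert_in_ram() of shim-bnc808106-correct-certcount.patch, the corrected CertCount expression still divides by CertList->SignatureSize and subtracts `sizeof (EFI_SIGNATURE_LIST)` and CertList->SignatureHeaderSize from CertList->SignatureListSize without validating any of them. The loop condition visible here only bounds SignatureListSize by dbsize, so a list with SignatureSize of 0 divides by zero, and a list whose SignatureListSize is smaller than the two header sizes makes the unsigned subtraction wrap and yields a very large count. Suggest checking `SignatureSize != 0` and `SignatureListSize >= sizeof (EFI_SIGNATURE_LIST) + SignatureHeaderSize` before computing CertCount, and skipping or rejecting the list otherwise.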
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2013-03-05 13:08:08 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim", Maintainer is "g...@suse.com" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2013-03-01 10:55:10.0 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2013-03-05 13:08:10.0 +0100 @@ -1,0 +2,6 @@ +Fri Mar 1 10:07:55 UTC 2013 - g...@suse.com + +- Add shim-bnc798043-no-doulbe-separators.patch to remove double + seperators from the bootpath (bnc#798043#c4) + +--- New: shim-bnc798043-no-doulbe-separators.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.SjAEj6/_old 2013-03-05 13:08:12.0 +0100 +++ /var/tmp/diff_new_pack.SjAEj6/_new 2013-03-05 13:08:12.0 +0100 @@ -55,6 +55,8 @@ Patch10:shim-keep-unsigned-mokmanager.patch # PATCH-FIX-UPSTREAM shim-bnc804631-fix-broken-bootpath.patch bnc#804631 g...@suse.com -- Fix the broken bootpath generated in generate_path() Patch11:shim-bnc804631-fix-broken-bootpath.patch +# PATCH-FIX-UPSTREAM shim-bnc798043-no-doulbe-separators.patch bnc#798043 g...@suse.com -- Remove all double-separators from the bootpath +Patch12:shim-bnc798043-no-doulbe-separators.patch BuildRequires: gnu-efi >= 3.0q BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 @@ -87,6 +89,7 @@ %patch9 -p1 %patch10 -p1 %patch11 -p1 +%patch12 -p1 %build chmod +x "make-certs" ++ shim-bnc798043-no-doulbe-separators.patch ++ >From 5c736550e8f7645f39df6948785ab5cae2201418 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Fri, 1 Mar 2013 18:04:06 +0800 Subject: [PATCH] Remove double-separators from the bootpath --- shim.c | 27 --- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/shim.c b/shim.c index 690d064..c36b641 100644 --- a/shim.c +++ b/shim.c 
@@ -907,7 +907,7 @@ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, CHAR16 *ImagePath, { EFI_DEVICE_PATH *devpath; EFI_HANDLE device; - int i; + int i, j, last = -1; unsigned int pathlen = 0; EFI_STATUS efi_status = EFI_SUCCESS; CHAR16 *bootpath; @@ -927,14 +927,27 @@ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, CHAR16 *ImagePath, if (bootpath[i] == '/') bootpath[i] = '\\'; } + for (i=pathlen; i>0; i--) { - if (bootpath[i] == '\\' && bootpath[i-1] != '\\') - break; + if (bootpath[i] == '\\' && bootpath[i-1] == '\\') + bootpath[i] = '/'; + else if (last == -1 && bootpath[i] == '\\') + last = i; + } + + if (last == -1 && bootpath[0] == '\\') + last = 0; + bootpath[last+1] = '\0'; + + if (last > 0) { + for (i = 0, j = 0; bootpath[i] != '\0'; i++) { + if (bootpath[i] != '/') { + bootpath[j] = bootpath[i]; + j++; + } + } + bootpath[j] = '\0'; } - if (bootpath[i] == '\\') - bootpath[i+1] = '\0'; - else - bootpath[0] = '\0'; while (*ImagePath == '\\') ImagePath++; -- 1.7.10.4 -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
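Review bot: The loop in generate_path() that rewrites the second backslash of a pair to '/' and the later compaction loop that drops every '/' are only correct because the earlier pass has already converted all '/' in bootpath to '\\'; that dependency is not documented and breaks silently if the conversion loop is ever changed or moved. Add a comment stating it, or avoid the sentinel with a single pass that keeps a read index and a write index and skips a backslash that follows a backslash. The new `i`, `j` and `last` are `int` while pathlen is `unsigned int`, so `for (i=pathlen; i>0; i--)` mixes signedness; using one type for the indices and the length would be cleaner.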
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2013-03-01 10:55:08 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim", Maintainer is "g...@suse.com" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2013-02-23 16:45:51.0 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2013-03-01 10:55:10.0 +0100 @@ -1,0 +2,11 @@ +Thu Feb 28 08:57:48 UTC 2013 - lnus...@suse.de + +- sign shim also with openSUSE certificate + +--- +Wed Feb 27 15:52:53 CET 2013 - m...@suse.de + +- identify project, export certificate as DER file +- don't create an unused extra keypair + +--- New: SLES-UEFI-CA-Certificate.crt Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.jeFSgE/_old 2013-03-01 10:55:11.0 +0100 +++ /var/tmp/diff_new_pack.jeFSgE/_new 2013-03-01 10:55:11.0 +0100 @@ -32,6 +32,7 @@ Source1:shim-signed.efi Source2:openSUSE-UEFI-CA-Certificate.crt Source3:shim-install +Source4:SLES-UEFI-CA-Certificate.crt # PATCH-FIX-SUSE shim-suse-build.patch g...@suse.com -- Adjust Makefile for the build service Patch0: shim-suse-build.patch # PATCH-FIX-UPSTREAM shim-local-key-sign-mokmanager.patch g...@suse.com -- Sign MokManager.efi with the local generated certificate 
@@ -89,16 +90,46 @@ %build chmod +x "make-certs" -openssl x509 -in %{S:2} -outform DER -out openSUSE-UEFI-CA-Certificate.der + +if test -e %{_sourcedir}/_projectcert.crt ; then +prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash) +prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash) +opensusesubject=$(openssl x509 -in %{SOURCE2} -noout -subject_hash) +slessubject=$(openssl x509 -in %{SOURCE4} -noout -subject_hash) +if test "$prjissuer" = "$opensusesubject" ; then +suffix=opensuse +cert=%{SOURCE2} +fi +if test "$prjissuer" = "$slessubject" ; then +suffix=sles +cert=%{SOURCE4} +fi +if test "$prjsubject" = "$prjissuer" ; then +suffix=local +cert=%{_sourcedir}/_projectcert.crt +fi +fi +if test -z "$suffix" ; then +echo "cannot identify project, assuming openSUSE signing" +suffix=opensuse +cert=%{SOURCE2} +fi + +openssl x509 -in $cert -outform DER -out shim-$suffix.der +# create empty local cert file, we don't need a local key pair as we +# sign the mokmanager with our vendor key +touch shim.crt +touch shim.cer # make sure cast warnings don't trigger post build check -make VENDOR_CERT_FILE=openSUSE-UEFI-CA-Certificate.der 2>/dev/null +make VENDOR_CERT_FILE=shim-$suffix.der shim.efi MokManager.efi 2>/dev/null # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx -mv shim.efi shim-opensuse.efi +mv shim.efi shim-$suffix.efi %install -export BRP_PESIGN_FILES='%{_libdir}/efi/shim-opensuse.efi %{_libdir}/efi/MokManager.efi' +export BRP_PESIGN_FILES='%{_libdir}/efi/shim*.efi %{_libdir}/efi/MokManager.efi' install -d %{buildroot}/%{_libdir}/efi -install -m 444 shim-opensuse.efi %{buildroot}/%{_libdir}/efi +install -m 444 shim-*.efi %{buildroot}/%{_libdir}/efi +install -m 444 shim-*.der %{buildroot}/%{_libdir}/efi # FIXME: install signed shim here install -m 444 %{SOURCE1} %{buildroot}/%{_libdir}/efi/shim.efi install -m 444 MokManager.efi %{buildroot}/%{_libdir}/efi/MokManager.efi 
@@ -113,7 +144,8 @@ %doc COPYRIGHT %dir %{_libdir}/efi %{_libdir}/efi/shim.efi -%{_libdir}/efi/shim-opensuse.efi +%{_libdir}/efi/shim-*.efi +%{_libdir}/efi/shim-*.der %{_libdir}/efi/MokManager.efi %{_sbindir}/shim-install ++ SLES-UEFI-CA-Certificate.crt ++
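Review bot: The project detection added to %build compares only `-issuer_hash` and `-subject_hash` values, which are hashes of certificate names, so any _projectcert.crt whose issuer name matches is treated as an openSUSE or SLES project without its signature being checked against %{SOURCE2} or %{SOURCE4}; running `openssl verify -CAfile` with the candidate CA would test the actual chain. The fallback branch ("cannot identify project, assuming openSUSE signing") also lets the build continue with the openSUSE CA embedded as the vendor certificate when identification fails; stopping the build there would be safer than guessing a trust anchor. `$cert` and `$suffix` should be quoted in the openssl, make and mv lines.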
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2013-02-23 16:45:49 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim", Maintainer is "g...@suse.com" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2013-02-11 14:54:57.0 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2013-02-23 16:45:51.0 +0100 @@ -1,0 +2,6 @@ +Thu Feb 21 10:08:12 UTC 2013 - g...@suse.com + +- Add shim-bnc804631-fix-broken-bootpath.patch to fix the broken + bootpath generated in generate_path(). (bnc#804631) + +--- New: shim-bnc804631-fix-broken-bootpath.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.b5SreF/_old 2013-02-23 16:45:53.0 +0100 +++ /var/tmp/diff_new_pack.b5SreF/_new 2013-02-23 16:45:53.0 +0100 @@ -52,6 +52,8 @@ Patch9: shim-mokmanager-support-crypt-hash-method.patch # PATCH-FIX-OPENSUSE shim-keep-unsigned-mokmanager.patch g...@suse.com -- Keep MokManager.efi and sign it with the openSUSE key later Patch10:shim-keep-unsigned-mokmanager.patch +# PATCH-FIX-UPSTREAM shim-bnc804631-fix-broken-bootpath.patch bnc#804631 g...@suse.com -- Fix the broken bootpath generated in generate_path() +Patch11:shim-bnc804631-fix-broken-bootpath.patch BuildRequires: gnu-efi >= 3.0q BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 @@ -83,6 +85,7 @@ %patch8 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 %build chmod +x "make-certs" ++ shim-bnc804631-fix-broken-bootpath.patch ++ >From 6b70850baa958b196ec332cf0224ffa9d5a81f5f Mon Sep 17 00:00:00 2001 
From: Gary Ching-Pang Lin Date: Thu, 21 Feb 2013 17:49:29 +0800 Subject: [PATCH] Fix the broken bootpath - The file path from DevicePathToStr may use slash as the file seperator. Change all slashes to backslashes to avoid the strange bootpath. - Remove the redundant backslashes. - ImagePath no longer requires the leading backslash. - Fix a memory leak Based on the patch from Michal Marek --- shim.c | 22 +- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/shim.c b/shim.c index 37a5898..690d064 100644 --- a/shim.c +++ b/shim.c @@ -919,15 +919,25 @@ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, CHAR16 *ImagePath, pathlen = StrLen(bootpath); + /* +* DevicePathToStr() concatenates two nodes with '/'. +* Convert '/' to '\\'. +*/ + for (i = 0; i < pathlen; i++) { + if (bootpath[i] == '/') + bootpath[i] = '\\'; + } for (i=pathlen; i>0; i--) { - if (bootpath[i] == '\\') + if (bootpath[i] == '\\' && bootpath[i-1] != '\\') break; } + if (bootpath[i] == '\\') + bootpath[i+1] = '\0'; + else + bootpath[0] = '\0'; - bootpath[i+1] = '\0'; - - if (i == 0 || bootpath[i-i] == '\\') - bootpath[i] = '\0'; + while (*ImagePath == '\\') + ImagePath++; *PathName = AllocatePool(StrSize(bootpath) + StrSize(ImagePath)); @@ -944,6 +954,8 @@ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, CHAR16 *ImagePath, *grubpath = FileDevicePath(device, *PathName); error: + FreePool(bootpath); + return efi_status; } -- 1.7.10.4 -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
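Review bot: The commit message says the redundant backslashes are removed, but the rewritten loop in generate_path() (`if (bootpath[i] == '\\' && bootpath[i-1] != '\\') break;`) only steps over a run of backslashes at the point where the path is cut; a doubled separator earlier in bootpath is carried into *PathName unchanged. Either collapse every run or narrow the message to what the code does. The added `FreePool(bootpath)` sits under the `error:` label and therefore runs on every exit path, so please confirm that no `goto error` can be taken before bootpath has been assigned.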
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2013-02-11 14:54:55 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim", Maintainer is "g...@suse.com" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2013-02-07 17:10:32.0 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2013-02-11 14:54:57.0 +0100 @@ -1,0 +2,6 @@ +Mon Feb 11 12:15:25 UTC 2013 - fcro...@suse.com + +- Update with shim signed by UEFI signing service, based on code + from "Thu Feb 7 06:56:19 UTC 2013". + +--- Other differences: -- ++ shim-signed.efi ++ Files /var/tmp/diff_new_pack.XYdG9f/_old and /var/tmp/diff_new_pack.XYdG9f/_new differ -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2013-02-07 17:10:30 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim", Maintainer is "g...@suse.com" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2013-02-07 14:54:47.0 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2013-02-07 17:10:32.0 +0100 @@ -1,0 +2,5 @@ +Thu Feb 7 13:54:06 UTC 2013 - lnus...@suse.de + +- prepare for having a signed shim from the UEFI signing service + +--- New: shim-signed.efi Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.lvbDhZ/_old 2013-02-07 17:10:35.0 +0100 +++ /var/tmp/diff_new_pack.lvbDhZ/_new 2013-02-07 17:10:35.0 +0100 @@ -26,6 +26,10 @@ Group: System/Boot Url:https://github.com/mjg59/shim Source: %{name}-%{version}.tar.bz2 +# this binary has been signed by UEFI signing service +# FIXME: evaluate whether using signature only and attaching that +# to the built binary also works +Source1:shim-signed.efi Source2:openSUSE-UEFI-CA-Certificate.crt Source3:shim-install # PATCH-FIX-SUSE shim-suse-build.patch g...@suse.com -- Adjust Makefile for the build service @@ -92,6 +96,8 @@ export BRP_PESIGN_FILES='%{_libdir}/efi/shim-opensuse.efi %{_libdir}/efi/MokManager.efi' install -d %{buildroot}/%{_libdir}/efi install -m 444 shim-opensuse.efi %{buildroot}/%{_libdir}/efi +# FIXME: install signed shim here +install -m 444 %{SOURCE1} %{buildroot}/%{_libdir}/efi/shim.efi install -m 444 MokManager.efi %{buildroot}/%{_libdir}/efi/MokManager.efi install -d %{buildroot}/%{_sbindir} install -m 755 %{SOURCE3} %{buildroot}/%{_sbindir}/ @@ -103,6 +109,7 @@ %defattr(-,root,root) %doc COPYRIGHT %dir %{_libdir}/efi +%{_libdir}/efi/shim.efi %{_libdir}/efi/shim-opensuse.efi %{_libdir}/efi/MokManager.efi %{_sbindir}/shim-install -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
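Review bot: `install -m 444 %{SOURCE1} %{buildroot}/%{_libdir}/efi/shim.efi` ships the prebuilt shim-signed.efi without any check that it corresponds to the shim built from this source tree, so the installed first-stage loader can drift from the packaged sources and patches without anyone noticing. The FIXME on Source1 already names the better design: keep only the signature in the package and attach it to the binary built here. Until that is done, a %build step that removes the signature from a copy of %{SOURCE1} and compares the result with the freshly built shim would fail the build on a mismatch.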
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2013-02-07 14:54:45 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim", Maintainer is "g...@suse.com" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2013-01-30 11:19:51.0 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2013-02-07 14:54:47.0 +0100 @@ -1,0 +2,13 @@ +Thu Feb 7 06:56:19 UTC 2013 - g...@suse.com + +- Sign shim-opensuse.efi and MokManager.efi with the openSUSE cert +- Add shim-keep-unsigned-mokmanager.patch to keep the unsigned + MokManager and sign it later. + +--- +Wed Feb 6 06:35:45 UTC 2013 - mch...@suse.com + +- Add shim-install utility +- Add Recommends to grub2-efi + +--- New: shim-install shim-keep-unsigned-mokmanager.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.2qSTep/_old 2013-02-07 14:54:48.0 +0100 +++ /var/tmp/diff_new_pack.2qSTep/_new 2013-02-07 14:54:48.0 +0100 @@ -16,6 +16,8 @@ # +# needssslcertforbuild + Name: shim Version:0.2 Release:0 @@ -25,6 +27,7 @@ Url:https://github.com/mjg59/shim Source: %{name}-%{version}.tar.bz2 Source2:openSUSE-UEFI-CA-Certificate.crt +Source3:shim-install # PATCH-FIX-SUSE shim-suse-build.patch g...@suse.com -- Adjust Makefile for the build service Patch0: shim-suse-build.patch # PATCH-FIX-UPSTREAM shim-local-key-sign-mokmanager.patch g...@suse.com -- Sign MokManager.efi with the local generated certificate 
@@ -43,11 +46,15 @@ Patch8: shim-mokmanager-new-pw-hash.patch # PATCH-FIX-UPSTREAM shim-mokmanager-support-crypt-hash-method.patch g...@suse.com -- Support the password hashes from /etc/shadow Patch9: shim-mokmanager-support-crypt-hash-method.patch +# PATCH-FIX-OPENSUSE shim-keep-unsigned-mokmanager.patch g...@suse.com -- Keep MokManager.efi and sign it with the openSUSE key later +Patch10:shim-keep-unsigned-mokmanager.patch BuildRequires: gnu-efi >= 3.0q BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 BuildRequires: pesign +BuildRequires: pesign-obs-integration BuildRoot: %{_tmppath}/%{name}-%{version}-build +Recommends: grub2-efi ExclusiveArch: x86_64 %description @@ -71,6 +78,7 @@ %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 %build chmod +x "make-certs" @@ -81,9 +89,12 @@ mv shim.efi shim-opensuse.efi %install +export BRP_PESIGN_FILES='%{_libdir}/efi/shim-opensuse.efi %{_libdir}/efi/MokManager.efi' install -d %{buildroot}/%{_libdir}/efi install -m 444 shim-opensuse.efi %{buildroot}/%{_libdir}/efi -install -m 444 MokManager.efi.signed %{buildroot}/%{_libdir}/efi/MokManager.efi +install -m 444 MokManager.efi %{buildroot}/%{_libdir}/efi/MokManager.efi +install -d %{buildroot}/%{_sbindir} +install -m 755 %{SOURCE3} %{buildroot}/%{_sbindir}/ %clean %{?buildroot:%__rm -rf "%{buildroot}"} 
@@ -94,5 +105,6 @@ %dir %{_libdir}/efi %{_libdir}/efi/shim-opensuse.efi %{_libdir}/efi/MokManager.efi +%{_sbindir}/shim-install %changelog ++ shim-install ++ #! /bin/bash -e rootdir= bootdir= efidir= install_device= removable=no clean=no sysconfdir="/etc" libdir="/usr/lib64" source_dir="$libdir/efi" grub_probe="`which grub2-probe`" self="`basename $0`" grub_cfg="/boot/grub2/grub.cfg" # Get GRUB_DISTRIBUTOR. if test -f "${sysconfdir}/default/grub" ; then . "${sysconfdir}/default/grub" fi bootloader_id="$(echo "$GRUB_DISTRIBUTOR" | tr 'A-Z' 'a-z' | cut -d' ' -f1)" if test -z "$bootloader_id"; then bootloader_id=grub fi efi_distributor="$bootloader_id" bootloader_id="${bootloader_id}-secureboot" usage () { echo "Usage: $self [OPTION] [INSTALL_DEVICE]" echo echo "Install Secure Boot Loaders on your drive.\n" echo echo "--directory=DIR use images from DIR.\n" echo "--grub-probe=FILE use FILE as grub-probe.\n" echo "--removable the installation device is removable.\n" echo "--bootloader-id=ID the ID of bootloader.\n" echo "--efi-directory=DIR use DIR as the EFI System Partition root.\n" echo "--config-file=FILE use FILE as config file, default is $grub_cfg.\n" echo "--clean remove all installed files and configs.\n" echo echo "INSTALL_DEVICE must be system device filename.\n" } argument () { opt="$1" shift if test $# -eq 0; then echo "$0: option requires an argument -- \`$opt'" 1>&2 exit 1 fi echo "$1" } # Check the arguments. while test $# -gt 0
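Review bot: The new shim-install script starts with `#! /bin/bash -e` and then runs `grub_probe="`which grub2-probe`"` at the top, before the arguments are parsed, so when grub2-probe is not in PATH the failing command substitution aborts the script and the documented `--grub-probe=FILE` option can never be used to supply it. Resolve the default only after option parsing, or append `|| true` and check for an empty value later. In usage(), each help line ends in a literal "\n" (for example `echo "--removable the installation device is removable.\n"`); bash's builtin echo does not expand backslash escapes without -e, so the sequence is printed as text. Drop it or use printf.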
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2013-01-30 11:19:49 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim", Maintainer is "g...@suse.com" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2013-01-29 14:42:19.0 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2013-01-30 11:19:51.0 +0100 @@ -1,0 +2,6 @@ +Wed Jan 30 09:00:31 UTC 2013 - g...@suse.com + +- Add shim-mokmanager-support-crypt-hash-method.patch to support + password hash from /etc/shadow (FATE#314506) + +--- New: shim-mokmanager-support-crypt-hash-method.patch Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.f3pN3g/_old 2013-01-30 11:19:53.0 +0100 +++ /var/tmp/diff_new_pack.f3pN3g/_new 2013-01-30 11:19:53.0 +0100 @@ -41,6 +41,8 @@ Patch7: shim-support-mok-delete.patch # PATCH-FIX-UPSTREAM shim-mokmanager-new-pw-hash.patch g...@suse.com -- Support the new password hash Patch8: shim-mokmanager-new-pw-hash.patch +# PATCH-FIX-UPSTREAM shim-mokmanager-support-crypt-hash-method.patch g...@suse.com -- Support the password hashes from /etc/shadow +Patch9: shim-mokmanager-support-crypt-hash-method.patch BuildRequires: gnu-efi >= 3.0q BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 @@ -68,6 +70,7 @@ %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 %build chmod +x "make-certs" ++ shim-mokmanager-support-crypt-hash-method.patch ++ 1868 lines (skipped) -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2013-01-29 14:42:18 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim", Maintainer is "g...@suse.com" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2013-01-20 14:53:48.0 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2013-01-29 14:42:19.0 +0100 @@ -1,0 +2,6 @@ +Tue Jan 29 03:20:48 UTC 2013 - g...@suse.com + +- Embed openSUSE-UEFI-CA-Certificate.crt in shim +- Rename shim-unsigned.efi to shim-opensuse.efi. + +--- New: openSUSE-UEFI-CA-Certificate.crt Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.KcLs4P/_old 2013-01-29 14:42:20.0 +0100 +++ /var/tmp/diff_new_pack.KcLs4P/_new 2013-01-29 14:42:20.0 +0100 @@ -24,6 +24,7 @@ Group: System/Boot Url:https://github.com/mjg59/shim Source: %{name}-%{version}.tar.bz2 +Source2:openSUSE-UEFI-CA-Certificate.crt # PATCH-FIX-SUSE shim-suse-build.patch g...@suse.com -- Adjust Makefile for the build service Patch0: shim-suse-build.patch # PATCH-FIX-UPSTREAM shim-local-key-sign-mokmanager.patch g...@suse.com -- Sign MokManager.efi with the local generated certificate @@ -70,14 +71,15 @@ %build chmod +x "make-certs" +openssl x509 -in %{S:2} -outform DER -out openSUSE-UEFI-CA-Certificate.der # make sure cast warnings don't trigger post build check -make 2>/dev/null +make VENDOR_CERT_FILE=openSUSE-UEFI-CA-Certificate.der 2>/dev/null # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx -mv shim.efi shim-unsigned.efi +mv shim.efi shim-opensuse.efi %install install -d %{buildroot}/%{_libdir}/efi -install -m 444 shim-unsigned.efi %{buildroot}/%{_libdir}/efi +install -m 444 shim-opensuse.efi %{buildroot}/%{_libdir}/efi install -m 444 MokManager.efi.signed %{buildroot}/%{_libdir}/efi/MokManager.efi %clean 
@@ -87,7 +89,7 @@ %defattr(-,root,root) %doc COPYRIGHT %dir %{_libdir}/efi -%{_libdir}/efi/shim-unsigned.efi +%{_libdir}/efi/shim-opensuse.efi %{_libdir}/efi/MokManager.efi %changelog ++ openSUSE-UEFI-CA-Certificate.crt ++
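Review bot: in the %build hunk of shim.spec, `openssl x509 -in %{S:2} -outform DER -out openSUSE-UEFI-CA-Certificate.der` feeds its output straight into `make VENDOR_CERT_FILE=openSUSE-UEFI-CA-Certificate.der` with no check that Source2 is the expected CA, and that certificate is what gets embedded in shim-opensuse.efi. Consider printing or comparing its fingerprint during the build (for example with `openssl x509 -noout -fingerprint -sha256`), and give the new Source2 line a comment saying what the certificate is, as the Patch lines already have.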
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2013-01-20 14:53:46 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim", Maintainer is "g...@suse.com" Changes: --- /work/SRC/openSUSE:Factory/shim/shim.changes2013-01-17 10:43:07.0 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2013-01-20 14:53:48.0 +0100 @@ -1,0 +2,7 @@ +Fri Jan 18 10:06:13 UTC 2013 - g...@suse.com + +- Update shim-mokmanager-new-pw-hash.patch to extend the password + hash format +- Rename shim.efi as shim-unsigned.efi + +--- Other differences: -- ++ shim.spec ++ --- /var/tmp/diff_new_pack.QEcDlE/_old 2013-01-20 14:53:49.0 +0100 +++ /var/tmp/diff_new_pack.QEcDlE/_new 2013-01-20 14:53:49.0 +0100 @@ -73,10 +73,11 @@ # make sure cast warnings don't trigger post build check make 2>/dev/null # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx +mv shim.efi shim-unsigned.efi %install install -d %{buildroot}/%{_libdir}/efi -install -m 444 shim.efi %{buildroot}/%{_libdir}/efi +install -m 444 shim-unsigned.efi %{buildroot}/%{_libdir}/efi install -m 444 MokManager.efi.signed %{buildroot}/%{_libdir}/efi/MokManager.efi %clean @@ -86,7 +87,7 @@ %defattr(-,root,root) %doc COPYRIGHT %dir %{_libdir}/efi -%{_libdir}/efi/shim.efi +%{_libdir}/efi/shim-unsigned.efi %{_libdir}/efi/MokManager.efi %changelog ++ shim-mokmanager-new-pw-hash.patch ++ --- /var/tmp/diff_new_pack.QEcDlE/_old 2013-01-20 14:53:49.0 +0100 +++ /var/tmp/diff_new_pack.QEcDlE/_new 2013-01-20 14:53:49.0 +0100 @@ -1,7 +1,7 @@ From 6e816e3e0f8b2013c1bccd67ec27db10ccaabc67 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Tue, 15 Jan 2013 18:01:41 +0800 -Subject: [PATCH 2/2] Support new password hash +Subject: [PATCH 1/2] Support new password hash Old password hash: sha256sum(key_list + password) New password hash: salt + sha256sum(salt + password) 
@@ -216,3 +216,372 @@ -- 1.7.10.4 + +From cf448e938a54ee3006f0fca214b83e0a40499ea5 Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Fri, 18 Jan 2013 15:51:02 +0800 +Subject: [PATCH 2/2] Extend the password hash format + +Several new fields were added to support hash from /etc/shadow. +Affected variables: MokAuth, MokDelAuth, MokPW, MokPWStore + +[Hash Method][Interation Count][Salt Size][Salt][hash] + +Besides, the password is converted to a 8-bit char array before +hashing with salt. +--- + MokManager.c | 145 +--- + PasswordHash.h | 23 + + 2 files changed, 110 insertions(+), 58 deletions(-) + create mode 100644 PasswordHash.h + +diff --git a/MokManager.c b/MokManager.c +index be2a764..9c8f32f 100644 +--- a/MokManager.c b/MokManager.c +@@ -5,6 +5,7 @@ + #include "shim.h" + #include "signature.h" + #include "PeImage.h" ++#include "PasswordHash.h" + + #define PASSWORD_MAX 16 + #define PASSWORD_MIN 8 +@@ -19,9 +20,6 @@ + #define CERT_STRING L"Select an X509 certificate to enroll:\n\n" + #define HASH_STRING L"Select a file to trust:\n\n" + +-#define SALT_LEN 16 +-#define AUTH_LEN (SALT_LEN + SHA256_DIGEST_SIZE) +- + struct menu_item { + CHAR16 *text; + INTN (* callback)(void *data, void *data2, void *data3); +@@ -553,8 +551,8 @@ static UINT8 get_line (UINT32 *length, CHAR16 *line, UINT32 line_max, UINT8 show + return 1; + } + +-static EFI_STATUS compute_pw_hash (void *MokNew, UINTN MokNewSize, CHAR16 *password, +- UINT32 pw_length, UINT8 *hash) ++static EFI_STATUS compute_pw_hash (void *Data, UINTN DataSize, UINT8 *password, ++ UINT32 pw_length, UINT8 *hash) + { + EFI_STATUS status; + unsigned int ctxsize; +@@ -574,15 +572,15 @@ static EFI_STATUS compute_pw_hash (void *MokNew, UINTN MokNewSize, CHAR16 *passw + goto done; + } + +- if (MokNew && MokNewSize) { +- if (!(Sha256Update(ctx, MokNew, MokNewSize))) { ++ if (Data && DataSize) { ++ if (!(Sha256Update(ctx, Data, DataSize))) { + Print(L"Unable to generate hash\n"); + status = EFI_OUT_OF_RESOURCES; + goto 
done; + } + } + +- if (!(Sha256Update(ctx, password, pw_length * sizeof(CHAR16 { ++ if (!(Sha256Update(ctx, password, pw_length))) { + Print(L"Unable to generate hash\n"); + status = EFI_OUT_OF_RESOURCES; + goto done; +@@ -599,15 +597,34 @@ done: + return status; + } + +-s
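Review bot: in the compute_pw_hash hunk of MokManager.c the password parameter changes from CHAR16 * to UINT8 * and the update call now hashes pw_length bytes instead of pw_length * sizeof(CHAR16), so every caller has to pass the converted 8-bit buffer and its byte length; a caller left passing the CHAR16 input would hash only the first pw_length bytes of the 16-bit buffer, and because the spec runs make with 2>/dev/null the pointer-type warning would not appear in the build log. The commit message says the password is converted to an 8-bit char array but not what happens to characters that do not fit in 8 bits; document that rule next to the conversion, since the result has to match how the hash from /etc/shadow was produced.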
commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2013-01-17 10:43:06 Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) Package is "shim", Maintainer is "g...@suse.com" Changes: New Changes file: --- /dev/null 2013-01-09 19:40:42.352580873 +0100 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2013-01-17 10:43:07.0 +0100 
@@ -0,0 +1,66 @@ +--- +Wed Jan 16 08:01:55 UTC 2013 - g...@suse.com + +- Merge patches for FATE#314506 + + Add shim-support-mok-delete.patch to add support for deleting +specific keys + + Add shim-mokmanager-new-pw-hash.patch to support the new +password hash. +- Drop shim-correct-mok-size.patch which is included in + shim-support-mok-delete.patch +- Merge shim-remove-debug-code.patch and + shim-local-sign-mokmanager.patch into + shim-local-key-sign-mokmanager.patch +- Install COPYRIGHT + +--- +Tue Jan 15 03:17:53 UTC 2013 - g...@suse.com + +- Add shim-fix-loadoptions.patch to adopt the UEFI shell style + LoadOptions (bnc#798043) +- Drop shim-check-pk-kek.patch since upstream rejected the patch + due to violation of SPEC. +- Install EFI binaries to /usr/lib64/efi + +--- +Wed Dec 26 07:05:02 UTC 2012 - g...@suse.com + +- Update shim-reboot-after-changes.patch to avoid rebooting the + system after enrolling keys/hashes from the file system +- Add shim-correct-mok-size.patch to correct the size of MOK +- Add shim-clear-queued-key.patch to clear the queued key and show + the menu properly + +--- +Wed Dec 12 15:16:18 UTC 2012 - fcro...@suse.com + +- Remove shim-rpmlintrc, it wasn't fixing the error, hide error + stdout to prevent post build check to get triggered by cast + warnings in openSSL code +- Add shim-remove-debug-code.patch: remove debug code + +--- +Wed Dec 12 04:01:52 UTC 2012 - g...@suse.com + +- Add shim-rpmlintrc to filter 64bit portability errors + +--- +Tue Dec 11 07:36:32 UTC 2012 - g...@suse.com + +- Add shim-local-sign-mokmanager.patch to create a local certicate + to sign MokManager +- Add shim-get-2nd-stage-loader.patch to get the second stage + loader path from the load options +- Add shim-check-pk-kek.patch to verify EFI images with PK and KEK +- Add shim-reboot-after-changes.patch to reboot the system after + enrolling or erasing keys +- Install the EFI images to /usr/lib64/shim instead of the EFI + partition +- Update the mail address of the 
author + +--- +Fri Nov 2 08:19:37 UTC 2012 - g...@suse.com + +- Add new package shim 0.2 (FATE#314484) + + It's in fact git 2fd180a92 since there is no tag for 0.2 + New: shim-0.2.tar.bz2 shim-clear-queued-key.patch shim-fix-loadoptions.patch shim-get-2nd-stage-loader.patch shim-local-key-sign-mokmanager.patch shim-mokmanager-new-pw-hash.patch shim-reboot-after-changes.patch shim-support-mok-delete.patch shim-suse-build.patch shim.changes shim.spec Other differences: -- ++ shim.spec ++ # # spec file for package shim # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: shim Version:0.2 Release:0 Summary:UEFI shim loader License:BSD-2-Clause Group: System/Boot Url:https://github.com/mjg59/shim Source: %{name}-%{version}.tar.bz2 # PATCH-FIX-SUSE shim-suse-build.patch g...@suse.com -- Adjust Makefile for the build service Patch0: shim-suse-build.patch # PATCH-FIX-UPSTREAM shim-local-key-sign-mokmanager.patch g...@suse.com -- Sign MokManager.efi with the local generated certificate Patch1: shim-local-key-sign-mokmanager.patch # PATCH-FEATURE-UPSTREAM s
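Review bot: shim.spec sets Version to 0.2 and Source to %{name}-%{version}.tar.bz2, but the first shim.changes entry says the tarball is in fact git 2fd180a92 because no 0.2 tag exists; record that commit id in a comment beside the Source line so the tarball can be traced to its upstream revision without reading the changelog.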