Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package sdbootutil for openSUSE:Factory checked in at 2024-10-02 21:32:57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sdbootutil (Old) and /work/SRC/openSUSE:Factory/.sdbootutil.new.19354 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "sdbootutil" Wed Oct 2 21:32:57 2024 rev:33 rq:1205163 version:1+git20241002.7da4a47 Changes: --------
--- /work/SRC/openSUSE:Factory/sdbootutil/sdbootutil.changes 2024-09-04 13:22:26.884303478 +0200
+++ /work/SRC/openSUSE:Factory/.sdbootutil.new.19354/sdbootutil.changes 2024-10-02 21:33:25.074464924 +0200
@@ -1,0 +2,27 @@
+Wed Oct 02 09:15:48 UTC 2024 - aplanas@suse.com
+
+- Update to version 1+git20241002.7da4a47:
+ * Do not specify bootloader requirement
+
+-------------------------------------------------------------------
+Wed Oct 02 07:43:16 UTC 2024 - aplanas@suse.com
+
+- Update to version 1+git20241002.7b8957c:
+ * Requires udev for bootctl
+ * Use chroot instead of --sysroot in dracut
+ * Replace cut with idiomatic code
+ * Show recovery PIN generated by systemd-pcrlock
+
+-------------------------------------------------------------------
+Thu Sep 12 14:03:12 UTC 2024 - aplanas@suse.com
+
+- Update to version 1+git20240912.02d30ed:
+ * Generate predictions for update_entry
+
+-------------------------------------------------------------------
+Thu Sep 05 13:53:58 UTC 2024 - aplanas@suse.com
+
+- Update to version 1+git20240905.e7ca8cf:
+ * Replace root=UUID= with root=device
+
+-------------------------------------------------------------------
Old: ---- sdbootutil-1+git20240903.81f1f40.obscpio New: ---- sdbootutil-1+git20241002.7da4a47.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ sdbootutil.spec ++++++
--- /var/tmp/diff_new_pack.mZDykE/_old 2024-10-02 21:33:25.866497851 +0200
+++ /var/tmp/diff_new_pack.mZDykE/_new 2024-10-02 21:33:25.866497851 +0200
@@ -27,24 +27,26 @@ %define git_version %{nil} %endif Name: sdbootutil -Version: 1+git20240903.81f1f40%{git_version} +Version: 1+git20241002.7da4a47%{git_version} Release: 0 Summary: script to install shim with sd-boot License: MIT URL: https://en.opensuse.org/openSUSE:Usr_merge Source: %{name}-%{version}.tar Requires: dialog +Requires: dracut-pcr-signature Requires: efibootmgr Requires: jq Requires: pcr-oracle Requires: sed -Requires: systemd-boot # While systemd-pcrlock is in experimental Requires: systemd-experimental -Requires: dracut-pcr-signature -Supplements: (systemd-boot and shim) +# While bootctl is in udev +Requires: udev Requires: (%{name}-snapper if (snapper and btrfsprogs)) Requires: (%{name}-tukit if read-only-root-fs) +Supplements: (grub2-x86_64-efi-bls and shim) +Supplements: (systemd-boot and shim) ExclusiveArch: aarch64 ppc64le riscv64 x86_64 %description ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.mZDykE/_old 2024-10-02 21:33:25.914499847 +0200 +++ /var/tmp/diff_new_pack.mZDykE/_new 2024-10-02 21:33:25.918500013 +0200 
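Review bot: The added `Supplements: (grub2-x86_64-efi-bls and shim)` names an x86_64-only package while `ExclusiveArch` still lists aarch64, ppc64le and riscv64, so on those architectures only the systemd-boot supplement can pull this package in. If grub2 with BLS is meant to be handled on other architectures too, their package names need their own `Supplements:` lines; otherwise a comment such as `# grub2 BLS is only handled on x86_64 for now` would record the intent. With `Requires: systemd-boot` dropped, nothing in the visible lines ensures that a boot loader this script can manage is installed, which the changelog suggests is deliberate but is worth stating next to the `# While bootctl is in udev` comment. The same change appears again in the tarball's copy of sdbootutil.spec.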
@@ -3,6 +3,6 @@ <param name="url">https://github.com/lnussel/sdbootutil.git</param> <param name="changesrevision">708592a5033bb41d14e378172466ae9e90dfb3c4</param></service><service name="tar_scm"> <param name="url">https://github.com/openSUSE/sdbootutil.git</param> - <param name="changesrevision">81f1f40666b325a807fb4d220782cfce642f2160</param></service></servicedata> + <param name="changesrevision">7da4a479cf89b2d20e9cc81e15ba58cf32294735</param></service></servicedata> (No newline at EOF) ++++++ sdbootutil-1+git20240903.81f1f40.obscpio -> sdbootutil-1+git20241002.7da4a47.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sdbootutil-1+git20240903.81f1f40/sdbootutil new/sdbootutil-1+git20241002.7da4a47/sdbootutil --- old/sdbootutil-1+git20240903.81f1f40/sdbootutil 2024-09-03 14:09:58.000000000 +0200 +++ new/sdbootutil-1+git20241002.7da4a47/sdbootutil 2024-10-02 11:14:41.000000000 +0200 @@ -327,7 +327,7 @@ { local subvol="$1" # - delete BOOT_IMAGE= and initrd= - # - make sure root= refers to uuid + # - replace or add root= to refers to UUID or mapped device (if encrypted) # - replace or add rootflags to point at correct subvolume # - replace or add systemd.machine-id to match current machine-id # 
@@ -341,9 +341,12 @@ # already there). Since we always operate on the same line, # "empty" t jumps are used to reset the condition after very # s///. - local sed_arguments=("-e s/[ \t]\+/ /g"\ - "-e s/\<\(BOOT_IMAGE\|initrd\)=[^ ]* \?//"\ - "-e s/\<root=[^ ]*/root=UUID=$root_uuid/;tb;s,\$, root=UUID=$root_uuid,;tc;:c;:b") + local root_param="UUID=$root_uuid" + [ -z "$root_device_is_crypt" ] || root_param="$root_device" + local sed_arguments=("-e s/[ \t]\+/ /g" + "-e s/\<\(BOOT_IMAGE\|initrd\)=[^ ]* \?//" + "-e s/\$//;ta;:a" + "-e s,\<root=[^ ]*,root=$root_param,;tb;s,\$, root=$root_param,;tc;:c;:b") [ -z "$have_snapshots" ] || sed_arguments+=("-e s,\<rootflags=subvol=[^ ]*,rootflags=subvol=$subvol,;td;s,\$, rootflags=subvol=$subvol,;te;:e;:d") [ -z "$machine_id" ] || sed_arguments+=("-e s,\<systemd.machine_id=[^ ]*,systemd.machine_id=$machine_id,;tf;s,\$, systemd.machine_id=$machine_id,;tg;:g;:f") sed "${sed_arguments[@]}" @@ -362,7 +365,7 @@ local ext="${2:-}" [ -z "$ext" ] || ext="|$ext" - update_entries jq "[.[]|select(has(\"options\"))|select(.options|test(\"root=UUID=$root_uuid .*rootflags=subvol=$subvol\")$ext)]" + update_entries jq "[.[]|select(has(\"options\"))|select(.options|test(\"root=(?:UUID=$root_uuid|$root_device) .*rootflags=subvol=$subvol\")$ext)]" } update_entries_for_snapshot() @@ -379,7 +382,7 @@ update_entries_for_this_system() { - update_entries jq "[.[]|select(has(\"options\"))|select(.options|test(\"root=UUID=$root_uuid\"))]" + update_entries jq "[.[]|select(has(\"options\"))|select(.options|test(\"root=(?:UUID=$root_uuid|$root_device)\"))]" } entry_conf_file() @@ -607,6 +610,25 @@ return 1 } +mount_chroot() +{ + local snapshot_dir="$1" + + mount -t tmpfs -o size=10m tmpfs "$snapshot_dir/run" + for i in proc dev sys var tmp; do + mount --bind "/$i" "$snapshot_dir/$i" + done +} + +umount_chroot() +{ + local snapshot_dir="$1" + + for i in proc dev sys var tmp run; do + umount "$snapshot_dir/$i" + done +} + mount_etc() { local snapshot_dir="$1" 
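Review bot: `$root_param` is spliced unescaped into the sed program in the new `root=` expression, and with this change it can hold `$root_device` (a path reported by findmnt) instead of a UUID. A device name containing `,`, `&` or a backslash would end the `s,,,` command early or be expanded in the replacement, so the `root=` written into the boot entry could differ from the real device. Escaping those characters before `sed_arguments` is built keeps the substitution literal, for example `root_param="$(printf '%s' "$root_param" | sed 's/[,&\\]/\\&/g')"`. The function starts above the hunk, and `root_device` and `root_device_is_crypt` are globals set near the end of the script.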
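Review bot: The new alternation in `test(...)` inserts `$root_device` as a regular expression, and in update_entries_for_this_system (the @@ -379 hunk) nothing terminates the value. As written, `root=/dev/mapper/a` also selects entries whose root is `/dev/mapper/ab`, a `.` in the name matches any character, and an empty `root_device` reduces the group to `(?:UUID=…|)`, which matches every entry carrying a `root=`. Ending the pattern on a separator, `test(\"root=(?:UUID=$root_uuid|$root_device)(?: |$)\")`, and regex-escaping the device name before it is interpolated would keep the selection limited to this system's entries. Both functions are only partly visible in these hunks.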
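Review bot: The loop variable `i` in mount_chroot and umount_chroot is not declared `local`, so both functions overwrite the caller's `i`; the initrd code that calls them uses `$tmpdir/initrd-$i` in the lines shown in the @@ -728 hunk. Adding `local i` below `local snapshot_dir="$1"` in each function avoids that. Neither function checks the result of `mount` or `umount`, so a failed bind mount leaves the chroot half-populated without any message. A header comment stating that the host's /proc, /dev, /sys, /var and /tmp are exposed writable inside the snapshot while dracut runs would make that trade-off visible to the next reader.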
@@ -728,21 +750,28 @@ /usr/bin/mkmoduleinitrd "${subvol#"${subvol_prefix}"}" "$kernel_version" "$tmpdir/initrd-$i" elif ! reuse_initrd "$snapshot" "$subvol" "$kernel_version"; then local snapshot_dir="/.snapshots/$snapshot/snapshot" - local dracut_args=() - dracut_args=('--force' '--tmpdir' '/var/tmp') - if [ "$subvol" != "$root_subvol" ] && [ -n "$have_snapshots" ]; then - dracut_args+=('--sysroot' "${snapshot_dir}" '--add-device' "$root_device") - fi + local dracut_args=( + '--quiet' + '--reproducible' + '--force' + '--tmpdir' '/var/tmp' + ) log_info "generating new initrd" + [ "$subvol" != "$root_subvol" ] && [ -n "$have_snapshots" ] && mount_chroot "${snapshot_dir}" # In MicroOS we need to be sure to have the same /etc # inside the snapshot. For example, /etc/crypttab can # have modifications in the overlay that will be # visible once the snapshot is active, but the version # in /.snashots is still the unmodified base is_transactional && mount_etc "${snapshot_dir}" - run_command_live_output dracut --quiet --reproducible "${dracut_args[@]}" "$tmpdir/initrd-0" "$kernel_version" + if [ "$subvol" != "$root_subvol" ] && [ -n "$have_snapshots" ]; then + run_command_live_output chroot "${snapshot_dir}" dracut "${dracut_args[@]}" "$tmpdir/initrd-0" "$kernel_version" + else + run_command_live_output dracut "${dracut_args[@]}" "$tmpdir/initrd-0" "$kernel_version" + fi is_transactional && umount_etc "${snapshot_dir}" + [ "$subvol" != "$root_subvol" ] && [ -n "$have_snapshots" ] && umount_chroot "${snapshot_dir}" fi make_free_space "$snapshot" || err "No free space in $boot_root for new kernel" @@ -1079,6 +1108,8 @@ echo "Updating $id" update_entry_conf "$conf" "$snapshot" + # This action will require to update the PCR predictions + update_predictions=1 } update_all_entries() 
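Review bot: Nothing guarantees that umount_chroot runs once mount_chroot has succeeded: if `run_command_live_output` terminates the script or the run is interrupted during dracut, the host's /proc, /dev, /sys, /var and /tmp stay bind-mounted inside `/.snapshots/$snapshot/snapshot`. The result of mount_chroot is also ignored, so dracut can run in a chroot that lacks those mounts; `mount_chroot "${snapshot_dir}" || err "Cannot prepare chroot in ${snapshot_dir}"` would stop early. `$tmpdir/initrd-0` is a host path that is now resolved inside the chroot, which only works when tmpdir lives under one of the bind-mounted directories, and where tmpdir is created is outside the hunk. The snapshot condition is evaluated three times; computing it once into a local flag would keep the mount, the chroot call and the unmount in step. The enclosing function starts and ends outside the hunk.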
@@ -1954,16 +1985,30 @@ elif [ -n "$keyid" ]; then pin="$(keyctl pipe "$keyid")" extra=("--recovery-pin=yes") + else + # No PIN was provided, systemd-pcrlock will generate one + # Add this argument to show it + extra=("--recovery-pin=show") fi - PIN="$pin" pcrlock --pcr="$pcrs" "${extra[@]}" make-policy || { + local output + if ! output="$(PIN="$pin" pcrlock --pcr="$pcrs" "${extra[@]}" make-policy)"; then echo "Error creating the policy!" if [ -z "$pin" ]; then echo "Please, provide the recovery PIN to register the new policy" else echo "Provided PIN incorrect or TPM2 locked after too many retries" fi - } + elif [ -z "$pin" ]; then + if ! echo "$output" | grep "recovery PIN"; then + echo "Unable to find the generated recovery PIN" + elif [ -x /usr/bin/qrencode ]; then + echo "You can also scan it with your mobile phone:" + local split + IFS=":" read -r -a split <<< "$output" + echo "${split[1]}" | qrencode -t utf8i + fi + fi # Publish the assets in the ESP, so can be imported by # dracut-pcr-signature @@ -2531,6 +2576,8 @@ # shellcheck disable=SC2016 eval "$(bootctl 2>/dev/null | sed -ne 's/Firmware Arch: *\(\w\+\)/firmware_arch="\1"/p;s/ *token: *\(\w\+\)/entry_token="\1"/p;s, *\$BOOT: *\([^ ]\+\).*,boot_root="\1",p')" read -r root_uuid root_device < <(findmnt / -v -r -n -o UUID,SOURCE) +root_device_is_crypt= +[ "$(lsblk --noheadings -o TYPE "$root_device")" = "crypt" ] && root_device_is_crypt=1 root_subvol="" subvol_prefix="" if [ "$(stat -f -c %T /)" = "btrfs" ] && [ -d /.snapshots ]; then diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sdbootutil-1+git20240903.81f1f40/sdbootutil.spec new/sdbootutil-1+git20241002.7da4a47/sdbootutil.spec --- old/sdbootutil-1+git20240903.81f1f40/sdbootutil.spec 2024-09-03 14:09:58.000000000 +0200 +++ new/sdbootutil-1+git20241002.7da4a47/sdbootutil.spec 2024-10-02 11:14:41.000000000 +0200 
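Review bot: The QR code is built from the first line of `$output`, not from the line that `grep "recovery PIN"` matched, because `read -r -a split <<< "$output"` stops at the first newline; if pcrlock prints anything before the PIN line, the encoded text is not the PIN. `${split[1]}` also keeps the blank that follows the colon. Parsing the matched line once and reusing it for both the message and the QR code removes the mismatch; the exact format of pcrlock's output is not visible here, so the split on the first colon is an assumption carried over from the hunk. Since the generated PIN is written to stdout, a comment noting that it will appear in any log that captures this script's output would be useful. The enclosing function starts and ends outside the hunk.

```shell
	elif [ -z "$pin" ]; then
		# Parse the same line that is shown to the user
		local pin_line
		pin_line="$(grep -m1 "recovery PIN" <<< "$output")"
		if [ -z "$pin_line" ]; then
			echo "Unable to find the generated recovery PIN"
		else
			echo "$pin_line"
			if [ -x /usr/bin/qrencode ]; then
				echo "You can also scan it with your mobile phone:"
				# Text after the first colon, leading blanks dropped
				local generated="${pin_line#*:}"
				generated="${generated#"${generated%%[![:space:]]*}"}"
				echo "$generated" | qrencode -t utf8i
			fi
		fi
	fi
	# … unchanged: publishing the assets in the ESP …
```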
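Review bot: `lsblk --noheadings -o TYPE "$root_device"` prints one line for the device and one for every device stacked on top of it, so the comparison with `crypt` fails whenever the mapped device has dependents and `root_device_is_crypt` stays empty. Restricting the query to the device itself, `[ "$(lsblk --nodeps --noheadings -o TYPE "$root_device")" = "crypt" ] && root_device_is_crypt=1`, makes the test independent of that. `root_device` comes from the `findmnt` line just above and is not checked for being empty before it is passed to lsblk. A comment noting that a root on LVM over an encrypted volume reports `lvm` here, and therefore keeps `root=UUID=`, would record the intended scope.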
@@ -1,7 +1,7 @@ # # spec file for package sdbootutil # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -33,18 +33,20 @@ License: MIT URL: https://en.opensuse.org/openSUSE:Usr_merge Source: %{name}-%{version}.tar +Requires: dracut-pcr-signature +Requires: dialog Requires: efibootmgr -Requires: systemd-boot Requires: jq -Requires: sed Requires: pcr-oracle -Requires: dialog +Requires: sed # While systemd-pcrlock is in experimental Requires: systemd-experimental -Requires: dracut-pcr-signature -Supplements: (systemd-boot and shim) +# While bootctl is in udev +Requires: udev Requires: (%{name}-snapper if (snapper and btrfsprogs)) Requires: (%{name}-tukit if read-only-root-fs) +Supplements: (systemd-boot and shim) +Supplements: (grub2-x86_64-efi-bls and shim) ExclusiveArch: aarch64 ppc64le riscv64 x86_64 %description ++++++ sdbootutil.obsinfo ++++++ --- /var/tmp/diff_new_pack.mZDykE/_old 2024-10-02 21:33:26.050505501 +0200 +++ /var/tmp/diff_new_pack.mZDykE/_new 2024-10-02 21:33:26.054505668 +0200 @@ -1,5 +1,5 @@ name: sdbootutil -version: 1+git20240903.81f1f40 -mtime: 1725365398 -commit: 81f1f40666b325a807fb4d220782cfce642f2160 +version: 1+git20241002.7da4a47 +mtime: 1727860481 +commit: 7da4a479cf89b2d20e9cc81e15ba58cf32294735