commit shim for openSUSE:Factory
Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2014-04-21 11:05:08 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "shim" Changes: -------- --- /work/SRC/openSUSE:Factory/shim/shim.changes 2014-04-20 11:35:07.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2014-04-21 11:05:28.000000000 +0200 
@@ -2,110 +1,0 @@ -Thu Apr 10 08:20:20 UTC 2014 - glin@suse.com - -- Replace shim-mokmanager-support-sha1.patch with - shim-mokmanager-support-sha-family.patch to support the SHA - family - -------------------------------------------------------------------- -Mon Apr 7 09:32:21 UTC 2014 - glin@suse.com - -- Add shim-mokmanager-support-sha1.patch to support SHA1 hashes in - MOK - -------------------------------------------------------------------- -Mon Mar 31 11:57:13 UTC 2014 - mchang@suse.com - -- snapper rollback support (fate#317062) - - refresh shim-install - -------------------------------------------------------------------- -Thu Mar 13 02:32:15 UTC 2014 - glin@suse.com - -- Insert the right signature (bnc#867974) - -------------------------------------------------------------------- -Mon Mar 10 07:56:44 UTC 2014 - glin@suse.com - -- Add shim-fix-uninitialized-variable.patch to fix the use of - uninitialzed variables in lib - -------------------------------------------------------------------- -Fri Mar 7 09:09:12 UTC 2014 - glin@suse.com - -- Add shim-mokmanager-delete-bs-var-right.patch to delete the BS+NV - variables the right way -- Update shim-opensuse-cert-prompt.patch to delete openSUSE_Verify - correctly - -------------------------------------------------------------------- -Thu Mar 6 07:37:57 UTC 2014 - glin@suse.com - -- Add shim-fallback-avoid-duplicate-bootorder.patch to fix the - duplicate entries in BootOrder -- Add shim-allow-fallback-use-system-loadimage.patch to handle the - shim protocol properly to keep only one protocol entity -- Refresh shim-opensuse-cert-prompt.patch - -------------------------------------------------------------------- -Thu Mar 6 03:53:49 UTC 2014 - mchang@suse.com - -- shim-install: fix the $prefix to use grub2-mkrelpath for paths - on btrfs subvolume (bnc#866690). 
- -------------------------------------------------------------------- -Tue Mar 4 04:19:05 UTC 2014 - glin@suse.com - -- FATE#315002: Update shim-install to install shim.efi as the EFI - default bootloader when none exists in \EFI\boot. - -------------------------------------------------------------------- -Thu Feb 27 09:46:49 UTC 2014 - fcrozat@suse.com - -- Update signature-sles.asc: shim signed by UEFI signing service, - based on code from "Thu Feb 20 11:57:01 UTC 2014" - -------------------------------------------------------------------- -Fri Feb 21 08:45:46 UTC 2014 - glin@suse.com - -- Add shim-opensuse-cert-prompt.patch to show the prompt to ask - whether the user trusts the openSUSE certificate or not - -------------------------------------------------------------------- -Thu Feb 20 11:57:01 UTC 2014 - lnussel@suse.de - -- allow package to carry multiple signatures -- check correct certificate is embedded - -------------------------------------------------------------------- -Thu Feb 20 10:06:47 UTC 2014 - lnussel@suse.de - -- always clean up generated files that embed certificates - (shim_cert.h shim.cer shim.crt) to make sure next build loop - rebuilds them properly - -------------------------------------------------------------------- -Mon Feb 17 09:58:56 UTC 2014 - glin@suse.com - -- Add shim-bnc863205-mokmanager-fix-hash-delete.patch to fix the - hash deletion operation to avoid ruining the whole list - (bnc#863205) - -------------------------------------------------------------------- -Tue Feb 11 06:30:02 UTC 2014 - glin@suse.com - -- Update shim-mokx-support.patch to support the resetting of MOK - blacklist -- Add shim-get-variable-check.patch to fix the variable checking - in get_variable_attr -- Add shim-improve-fallback-entries-creation.patch to improve the - boot entry pathes and avoid generating the boot entries that - are already there -- Update SUSE certificate -- Update attach_signature.sh, show_hash.sh, strip_signature.sh, - 
extract_signature.sh and show_signatures.sh to remove the - creation of the temporary nss database -- Add shim-only-os-name.patch: remove the kernel version of the - build server -- Match the the prefix of the project name properly by escaping the - percent sign. - -------------------------------------------------------------------- Old: ---- shim-allow-fallback-use-system-loadimage.patch shim-bnc863205-mokmanager-fix-hash-delete.patch shim-fallback-avoid-duplicate-bootorder.patch shim-fallback-improve-entries-creation.patch shim-fix-uninitialized-variable.patch shim-get-variable-check.patch shim-mokmanager-delete-bs-var-right.patch shim-mokmanager-support-sha-family.patch shim-only-os-name.patch shim-opensuse-cert-prompt.patch signature-opensuse.asc signature-sles.asc New: ---- microsoft.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shim.spec ++++++ --- /var/tmp/diff_new_pack.caxf2B/_old 2014-04-21 11:05:29.000000000 +0200 +++ /var/tmp/diff_new_pack.caxf2B/_new 2014-04-21 11:05:29.000000000 +0200 @@ -28,7 +28,7 @@ Source: %{name}-%{version}.tar.bz2 # run "extract_signature.sh shim.efi" where shim.efi is the binary # with the signature from the UEFI signing service. -Source1: signature-opensuse.asc +Source1: microsoft.asc Source2: openSUSE-UEFI-CA-Certificate.crt Source3: shim-install Source4: SLES-UEFI-CA-Certificate.crt @@ -38,8 +38,6 @@ Source8: show_signatures.sh Source9: openSUSE-UEFI-CA-Certificate-4096.crt Source10: timestamp.pl -Source11: strip_signature.sh -Source12: signature-sles.asc # PATCH-FIX-UPSTREAM shim-fix-verify-mok.patch glin@suse.com -- Fix the error handling in verify_mok() Patch1: shim-fix-verify-mok.patch # PATCH-FIX-UPSTREAM shim-improve-error-messages.patch glin@suse.com -- Improve the error messages 
@@ -52,26 +50,6 @@ Patch5: shim-mokx-support.patch # PATCH-FIX-UPSTREAM shim-mokmanager-handle-keystroke-error.patch glin@suse.com -- Handle the error status from ReadKeyStroke to avoid the unexpected keys Patch6: shim-mokmanager-handle-keystroke-error.patch -# PATCH-FIX-SUSE shim-only-os-name.patch glin@suse.com -- Only include the OS name in version.c -Patch7: shim-only-os-name.patch -# PATCH-FIX-UPSTREAM shim-get-variable-check.patch glin@suse.com -- Fix the variable checking in get_variable_attr -Patch8: shim-get-variable-check.patch -# PATCH-FIX-UPSTREAM shim-fallback-improve--entries-creation.patch glin@suse.com -- Improve the boot entry pathes and avoid generating the boot entries that are already there -Patch9: shim-fallback-improve-entries-creation.patch -# PATCH-FIX-UPSTREAM shim-bnc863205-mokmanager-fix-hash-delete.patch bnc#863205 glin@suse.com -- Fix the hash deletion operation to avoid ruining the whole list -Patch10: shim-bnc863205-mokmanager-fix-hash-delete.patch -# PATCH-FIX-UPSTREAM shim-fallback-avoid-duplicate-bootorder.patch glin@suse.com -- Fix the duplicate BootOrder entries generated by fallback.efi -Patch11: shim-fallback-avoid-duplicate-bootorder.patch -# PATCH-FIX-UPSTREAM shim-allow-fallback-use-system-loadimage.patch glin@suse.com -- Handle the shim protocol properly to keep only one protocol entity -Patch12: shim-allow-fallback-use-system-loadimage.patch -# PATCH-FIX-UPSTREAM shim-mokmanager-delete-bs-var-right.patch glin@suse.com -- Delete BootService non-volatile variables the right way -Patch13: shim-mokmanager-delete-bs-var-right.patch -# PATCH-FIX-UPSTREAM shim-fix-uninitialized-variable.patch glin@suse.com -- Initialize the variable in lib properly -Patch14: shim-fix-uninitialized-variable.patch -# PATCH-FIX-UPSTREAM shim-mokmanager-support-sha-family.patch glin@suse.com -- Support SHA hashes in MOK -Patch15: shim-mokmanager-support-sha-family.patch -# PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the 
prompt to ask whether the user trusts openSUSE certificate or not -Patch100: shim-opensuse-cert-prompt.patch BuildRequires: gnu-efi >= 3.0t BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 @@ -100,16 +78,6 @@ %patch4 -p1 %patch5 -p1 %patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 -%patch100 -p1 %build # first, build MokManager and fallback as they don't depend on a @@ -140,18 +108,12 @@ if test "$suffix" = "opensuse"; then cert=%{SOURCE2} cert2=%{SOURCE9} - verify='openSUSE Secure Boot CA1' - signature=%{SOURCE1} elif test "$suffix" = "sles"; then cert=%{SOURCE4} cert2='' - verify='SUSE Linux Enterprise Secure Boot CA1' - signature=%{SOURCE12} elif test "$suffix" = "devel"; then cert=%{_sourcedir}/_projectcert.crt cert2='' - verify=`openssl x509 -in "$cert" -noout -email` - signature='' test -e "$cert" || continue else echo "invalid suffix" @@ -159,7 +121,6 @@ fi openssl x509 -in $cert -outform DER -out shim-$suffix.der - rm -f shim_cert.h shim.cer shim.crt if [ -z "$cert2" ]; then # create empty local cert file, we don't need a local key pair as we # sign the mokmanager with our vendor key 
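Review bot: With `rm -f shim_cert.h shim.cer shim.crt` gone from the top of the per-suffix block (hunk -159/+121), nothing on the new side removes shim_cert.h between flavors; the following hunk only deletes shim.cer, shim.crt and cert.o. The changelog entry removed by this same commit gives the reason for the old cleanup: these generated files embed certificates and have to be rebuilt on every build loop. If make considers a leftover shim_cert.h up to date, one flavor could be linked with certificate data generated for the previous one, so I would keep the line, or at least add `rm -f shim_cert.h` next to the existing `rm -f cert.o`. The enclosing loop and the %build section start outside the hunk.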
@@ -167,39 +128,36 @@ touch shim.cer else cp $cert2 shim.crt + rm -f shim.cer fi # make sure cast warnings don't trigger post build check make EFI_PATH=/usr/lib64 VENDOR_CERT_FILE=shim-$suffix.der shim.efi 2>/dev/null - # - # assert correct certificate embedded - grep -q "$verify" shim.efi # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx - chmod 755 %{SOURCE10} + chmod 755 %{SOURCE6} %{SOURCE7} %{SOURCE10} # alternative: verify signature #sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi - if test -n "$signature"; then - head -1 "$signature" > hash1 + head -1 %{SOURCE1} > hash1 cp shim.efi shim.efi.bak # pe header contains timestamp and checksum. we need to # restore that - %{SOURCE10} --set-from-file "$signature" shim.efi - pesign -h -P -i shim.efi > hash2 + %{SOURCE10} --set-from-file %{SOURCE1} shim.efi + %{SOURCE7} shim.efi > hash2 cat hash1 hash2 if ! cmp -s hash1 hash2; then - echo "ERROR: $suffix binary changed, need to request new signature!" + echo "ERROR: binary changed, need to request new signature!" # don't fail in devel projects prj="%{_project}" - if [ "${prj%%%:*}" = "openSUSE" -o "${prj%%%:*}" = "SUSE" ]; then + if [ "${prj%%:*}" = "openSUSE" -o "${prj%%:*}" = "SUSE" ]; then false fi mv shim.efi.bak shim-$suffix.efi rm shim.efi else # attach signature - pesign -m "$signature" -i shim.efi -o shim-$suffix.efi + %{SOURCE6} %{SOURCE1} shim.efi + mv shim-signed.efi shim-$suffix.efi rm -f shim.efi fi - fi rm -f shim.cer shim.crt # make sure cert.o gets rebuilt rm -f cert.o ++++++ SLES-UEFI-CA-Certificate.crt ++++++ --- /var/tmp/diff_new_pack.caxf2B/_old 2014-04-21 11:05:29.000000000 +0200 +++ /var/tmp/diff_new_pack.caxf2B/_new 2014-04-21 11:05:29.000000000 +0200 
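Review bot: In the hash-mismatch branch, `${prj%%:*}` no longer reduces the project name to its first component: rpm turns `%%` into a single `%` before the shell sees the script, so the test becomes `${prj%:*}` and strips only the last `:component`. `openSUSE:Factory` still matches, but a project name with more than one colon does not, and there the build skips `false` and carries on to `mv shim.efi.bak shim-$suffix.efi`, packaging the freshly built binary without the signature. The changelog entry deleted by this commit describes exactly this escaping fix, so keep `if [ "${prj%%%:*}" = "openSUSE" -o "${prj%%%:*}" = "SUSE" ]; then`. The enclosing loop starts outside the hunk.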
@@ -1,29 +1,39 @@ -----BEGIN CERTIFICATE----- -MIIE5TCCA82gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT +MIIG5TCCBM2gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT RSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTES MBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3Rz IEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxk -QHN1c2UuZGUwHhcNMTMwNDE4MTQzMzQxWhcNMzUwMzE0MTQzMzQxWjCBpjEtMCsG +QHN1c2UuZGUwHhcNMTMwMTIyMTQyMDA4WhcNMzQxMjE4MTQyMDA4WjCBpjEtMCsG A1UEAwwkU1VTRSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYD VQQGEwJERTESMBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4 IFByb2R1Y3RzIEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0B -CQEWDWJ1aWxkQHN1c2UuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB -AQDN/avXKoT4gcM2NVA1LMfsBPH01sxgS8gTs3SbvfbEP2M+ZlHyfj9ufHZ7cZ1p -ISoVm6ql5VbIeZgSNc17Y4y4Nynud1C8t2SP/iZK5YMYHGxdtIfv1zPE+Bo/KZqE -WgHg2YFtMXdiKfXBZRTfSh37t0pGO/OQi6K4JioKw55UtQNggePZWDXtsAviT2vv -abqLR9+kxdrQ0iWqhWM+LwXbTGkCpg41s8KucLD/JYAxxw05dKPApFDNnz+Ft2L7 -e5JtyB4S0u4PlvQBMNHt4hDs0rK4oeHFLbOxHvjF+nloneWhkg9eT0VCfpAYVYz+ -whMxuCHerDCdmeFrRGEMQz11AgMBAAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/ -MB0GA1UdDgQWBBTsqw1CxFbPdwQ2uXOZOGKWXocmLzCB0wYDVR0jBIHLMIHIgBTs -qw1CxFbPdwQ2uXOZOGKWXocmL6GBrKSBqTCBpjEtMCsGA1UEAwwkU1VTRSBMaW51 -eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTESMBAGA1UE -BwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3RzIEdtYkgx -EzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxkQHN1c2Uu -ZGWCAQEwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQASviyFhVqU -Wc1JUQgXwdljJynTnp0/FQOZJBSe7XdBGPmy91+3ITqrXgyqo/218KISiQl53Qlw -pq+cIiGRAia1D7p7wbg7wsg+Trt0zZFXes30wfYq5pjfWadEBAgNCffkBz10TSjL -jQrVwW5N+yUJMoq+r843TzV56Huy6LBOVhI5yTz7X7i2rSJYfyQWM8oeHLj8Yl5M -rOB9gyTumxB4mOLmSqwKzJiUB0ppGPohdLUSSEKDdo6KSH/GjR7M7uBicwnzwJD3 -SVfT9nx9HKF2nXZlHvs5ViQQru3qP1tc6i0eXEnPTYW2+zkZcN0e5iHyozEZHsO0 -rvc1p6G0YWtO +CQEWDWJ1aWxkQHN1c2UuZGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC 
+AQCrLYL1Uq02iIgro6x6PFESFDtUKU7xO/bJanI7+AQAroowFuLBI67BBSmoq3hR +QnH3OtQusGV8y+wvjaaunppvWMfjViZ88zssj5fKXrDr5U6BB566DJgHreWaEs2d +FD13XpKRr3Nk9zdjAJu5YsR7hI1NMXsnj1X8w71OY9HLjv+Kq9917PJwZQjOGnAJ +BQTi0ogHuLiwDqMKgg5rrYD4cJDPzoLEmEXnwHDIOSiWdD0bCzhN6GQDKldIxQ2O +d/mjUgzB+dWslIb+bUKaoJgDtyPV20W74t7Y2uwoaEVr9QkPoM3tOPttf4qsWo8B +J1TgeoF01ZeKcvSyvOXCKbfAN9sqURK2ZUTNThqZ//VPQmJP6fByrMJsbvTOSsQt +HI+fFPrg1DC2KT8SzuGtWDRscHZ7MofvUKEQolVgkGwp8u68t/RAAwDpUdqIajzi +yfp9qSDD+9uMeyiLa4rrAr2ATGohNBa0qha95slgvSepXbYKuHG5b4fWMsG7z4Uc +dqE2vK8cQma1nsAeQBaq2/89294TOHEzKyspesfCBCnKQ3q+l9xelYRdvapj1CH/ +cfUZf2/6X3VHN1P88RfRrPubswmrcOCEBT41upa2WKRDJ1GS6YhL6LJnrZSTjfe+ +KsfNVS1D+KqSKiK0hfk6YK6O88mMGeAKQs3Ap8WthBLf0QIDAQABo4IBGjCCARYw +DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUPU1Az5OFOQJLHPxaEt7f6LF+dV8w +gdMGA1UdIwSByzCByIAUPU1Az5OFOQJLHPxaEt7f6LF+dV+hgaykgakwgaYxLTAr +BgNVBAMMJFNVU0UgTGludXggRW50ZXJwcmlzZSBTZWN1cmUgQm9vdCBDQTELMAkG +A1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UECgwYU1VTRSBMaW51 +eCBQcm9kdWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFtMRwwGgYJKoZIhvcN +AQkBFg1idWlsZEBzdXNlLmRlggEBMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0B +AQsFAAOCAgEANtdMT47CjQtuERYa5jfygIO5F+urB4fl8pYcQQ/hTPE0KtAnAtrS +1strtMrVQ1t7Wu3fVbWYA6MZMXXkcwyyNbaWfj6roaSC6G5ZqCJ69oSyzaCbyaTI +eOgzIIiVGOAj7tiM6T88Xp9qx4Xa3F6UQHF6xfwBT3nNKerGKOG01p7mBfBewwO5 +Hxp7OAZmennUxV1uuT5/AsArxw9lMlawXhIAS7tRYHW+32D4tjHPDycldOw1hBjt +z5JdehBiTmxhJ6onl0HSpsX84IMSbkeFIxLfxIF0TNas1pGnSGmh8FcV+ck9js3P +yamJcNkgCstIwo3QZ2D5YdtQjOusyEuGjCIpDIQx36OMzeOo0SayOdzb2dSmcrHv +4DIkXDUELyIzu79A2R2KR7OQaGL6HGAVy6+yXHHygTbbUrb6ck2+aOG8913ChABc +ZAiSFFRKVZzzj7FeIxZNA8GBUbhd20eQB2fUXDypeAnTG6P3dtTs84xNb1qGm3VC +OAKjkWYQijLWmAOs9Q4NM/AXOeDTgXxA7iX7kWHRNeDbACirp7zM2ZOIP5ObIS6z +yMqcG9DecSVbXiH3MJDTBoB1idQTTyreqpM/l6N8xNNVjEiLJGMEM1SeYq6S1lFV +a+GcdOaLYkh7ya3I42l/tDOqH2OLIf7FEtocnc1xU6jTz8au1tZxec8= -----END CERTIFICATE----- ++++++ attach_signature.sh ++++++ --- /var/tmp/diff_new_pack.caxf2B/_old 2014-04-21 11:05:29.000000000 +0200 +++ 
/var/tmp/diff_new_pack.caxf2B/_new 2014-04-21 11:05:29.000000000 +0200
@@ -11,4 +11,13 @@ outfile="${infile%.efi}-signed.efi"
-pesign -m "$sig" -i "$infile" -o "$outfile"
+nssdir=`mktemp -d`
+cleanup()
+{
+ rm -r "$nssdir"
+}
+trap cleanup EXIT
+echo > "$nssdir/pw"
+certutil -f "$nssdir/pw" -d "$nssdir" -N
+
+pesign -n "$nssdir" -m "$sig" -i "$infile" -o "$outfile"
++++++ extract_signature.sh ++++++
--- /var/tmp/diff_new_pack.caxf2B/_old 2014-04-21 11:05:29.000000000 +0200
+++ /var/tmp/diff_new_pack.caxf2B/_new 2014-04-21 11:05:29.000000000 +0200
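Review bot: The result of `mktemp -d` in attach_signature.sh is used unchecked: if it fails, `nssdir` is empty and the following lines write `/pw` and hand certutil and pesign an empty database path. Make the assignment fatal, `nssdir=$(mktemp -d) || exit 1`, and let the trap cope with a partly created directory by using `rm -rf -- "$nssdir"`. The empty password file is reasonable for a throwaway database, but a one-line comment such as `# throwaway NSS db with empty password; removed by the EXIT trap` would save the next reader the question. The same block is added to extract_signature.sh in the next hunk and needs the same change; whether either script already runs under `set -e` is not visible here.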
@@ -9,7 +9,16 @@ exit 1 fi +nssdir=`mktemp -d` +cleanup() +{ + rm -r "$nssdir" +} +trap cleanup EXIT +echo > "$nssdir/pw" +certutil -f "$nssdir/pw" -d "$nssdir" -N + # wtf? -(pesign -h -P -i "$infile"; +(pesign -n "$nssdir" -h -P -i "$infile"; perl $(dirname $0)/timestamp.pl "$infile"; -pesign -a -f -e /dev/stdout -i "$infile")|cat +pesign -n "$nssdir" -a -f -e /dev/stdout -i "$infile")|cat ++++++ microsoft.asc ++++++ hash: 97a8c5ba11d61fefbb5d6a05da4e15ba472dc4c6cd4972fc1a035de321342fe4 # 2013-10-01 08:29:53 timestamp: 524a8801 checksum: d364 -----BEGIN AUTHENTICODE SIGNATURE----- MIIh8QYJKoZIhvcNAQcCoIIh4jCCId4CAQExDzANBglghkgBZQMEAgEFADBcBgor BgEEAYI3AgEEoE4wTDAXBgorBgEEAYI3AgEPMAkDAQCgBKICgAAwMTANBglghkgB ZQMEAgEFAAQgl6jFuhHWH++7XWoF2k4VukctxMbNSXL8GgNd4yE0L+Sgggs8MIIF JDCCBAygAwIBAgITMwAAAApmQvP0n7c3lgABAAAACjANBgkqhkiG9w0BAQsFADCB gTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMi TWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTAeFw0xMzA5MjQxNzU0 MDNaFw0xNDEyMjQxNzU0MDNaMIGVMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv cnBvcmF0aW9uMQ0wCwYDVQQLEwRNT1BSMTAwLgYDVQQDEydNaWNyb3NvZnQgV2lu ZG93cyBVRUZJIERyaXZlciBQdWJsaXNoZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQCc2PZRP3t6i2DCLSAuWrFHZKfyD98yckc9yxqqqJACgekdZi4s ZEN1vYcVfiUhW4hFpdH3kcPah7wf+uqgyQa1hb/9AzDH63JYfaHLWA+Jx0leY0cG CsIFviaUHrCEgxhkeXdrGfHroDcWArv2yBBvj+zvePVE9/VpDoBK+2nAFxz0oG23 BzE5duVpHIZn96fNyoDKYvCf649VqjM+O5/b5jlDylkMWAIVTvWqE0r/7YnC1Vcc cgJDQk8IaIWSepRsjrvvf8C8uG3ZSxVjQeuPz7ETAryJIWvYdz240MzVAJD7SazH SbVJm1LPHfS2FEpx3uUNOuo3IJrrxqeals8FAgMBAAGjggF9MIIBeTAfBgNVHSUE GDAWBggrBgEFBQcDAwYKKwYBBAGCN1ACATAdBgNVHQ4EFgQU6t49RpSALGo0XSnP ixuEhp5y0NEwUQYDVR0RBEowSKRGMEQxDTALBgNVBAsTBE1PUFIxMzAxBgNVBAUT KjMxNjE5KzAxMjU1ZjQ2LTc0ZjUtNGZjNC1iYzcxLWU0ZGE5NzM2YmVlZTAfBgNV HSMEGDAWgBQTrb9DCb2CcJyM1U8xbtUimIob1DBTBgNVHR8ETDBKMEigRqBEhkJo 
dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNDb3JVRUZDQTIw MTFfMjAxMS0wNi0yNy5jcmwwYAYIKwYBBQUHAQEEVDBSMFAGCCsGAQUFBzAChkRo dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvclVFRkNB MjAxMV8yMDExLTA2LTI3LmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUA A4IBAQAqJ9a9LzTGipmJ7IVkSf5JNK1cBhXsWBlmQ5kFNzeoa+RskUuUeM45NTS3 We7F628BW3BrhT8dK+Uf6YB7F46qng+VWNal2RPFjHSSy60QartzlUJoAaQvNjhC 5gv3LQRmaIZdtdjOLJAclnMETQWrt0wXGsGYwPk3a7kYXsdSO7U+bSwRRkL/v74g 78bCVxwgBhWctw/yxCjpl/bOg79XrZpHxH3szpgwz4YaFWRxxiYAoCYLROKeqObj PEB8BG83vkpG3K84wBiyT5ab63FtjnbOvD0dGRNO1vIWzC41eEi0mYGW69cya8o+ Ot4bqI6YYSpWmkah9FhW9OLfoCpdMIIGEDCCA/igAwIBAgIKYQjTxAAAAAAABDAN BgkqhkiG9w0BAQsFADCBkTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0 b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3Jh dGlvbjE7MDkGA1UEAxMyTWljcm9zb2Z0IENvcnBvcmF0aW9uIFRoaXJkIFBhcnR5 IE1hcmtldHBsYWNlIFJvb3QwHhcNMTEwNjI3MjEyMjQ1WhcNMjYwNjI3MjEzMjQ1 WjCBgTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UE AxMiTWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTCCASIwDQYJKoZI hvcNAQEBBQADggEPADCCAQoCggEBAKUIbEzHRQlqSwykwId/BnUMQwFUZOAWfwft kn0LsnO/DArGSkVhoMUWLZbT9Sug+01Jm0GAkDy5VP3mvNGdxKQYin9BilxZg2gy u4xHye5xvCFPmop8/0Q/jY8ysiZIrnW17slMHkoZfuSCmh14d00MsL32D9MW07z6 K6VROF31+7rbeALb/+wKG5bVg7gZE+m2wHtAe+EfKCfJ+u9WXhzmfpR+wPBEsnk5 5dqyYotNvzhw4mgkFMkzpAg31VhpXtN87cEEUwjnTrAqh2MIYW9jFVnqsit51wxh Z4pb/V6th3+6hmdPcVgSIgQiIs6L71RxAM5QNVh2lQjuarGiAdUCAwEAAaOCAXYw ggFyMBIGCSsGAQQBgjcVAQQFAgMBAAEwIwYJKwYBBAGCNxUCBBYEFPjBa7d/d1NK 8yU3HU6hJnsPIHCAMB0GA1UdDgQWBBQTrb9DCb2CcJyM1U8xbtUimIob1DAZBgkr BgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUw AwEB/zAfBgNVHSMEGDAWgBRFZlJD4X5YEb/WTp4jVQg7OiJqqDBcBgNVHR8EVTBT MFGgT6BNhktodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0 cy9NaWNDb3JUaGlQYXJNYXJSb29fMjAxMC0xMC0wNS5jcmwwYAYIKwYBBQUHAQEE VDBSMFAGCCsGAQUFBzAChkRodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2Nl 
cnRzL01pY0NvclRoaVBhck1hclJvb18yMDEwLTEwLTA1LmNydDANBgkqhkiG9w0B AQsFAAOCAgEANQhC/zDMzvd2DK0QaFg1KUYydid87xJBJ0IbSqptgThIWRNV8+lY NKYWC4KqXa2C2oCDQQaPtB3yA7nzGl0b8VCQ+bNVhEIoHCC9sq5RFMXArJeVIRyQ 2w/8d56Vc5GIyr29UrkFUA3fV56gYe0N5W0l2UAPF0DIzqNKwk2vmhIdCFSPvce8 uSs9SSsfMvxqIWlPm8h+QjT8NgYXi48gQMCzmiV1J83JA6P2XdHnNlR6uVC10xLR B7+7dN/cHo+A1e0Y9C8UFmsv3maMsCPlx4TY7erBM4KtVksYLfFolQfNz/By8K67 3YaFmCwhTDMr8A9K8GiHtZJVMnWhaoJqPKMlEaTtrdcErsvYQFmghNGVTGKRIhp0 HYw9Rw5EpuSwmzQ1sfq2U6gsgeykBXHInbi66BtEZuRHVA6OVn+znxaYsobQaD6Q I7UvXo9QhY3GjYJfQaH0Lg3gmdJsdeS2abUhhvoH0fbiTdHarSx3Ux4lMjfHbFJy lYaw8TVhahn1sjuBUFamMi3+oon5QoYnGFWhgspam/gwmFQUpkeWJS/IJuRBlBpc Aj/lluOFWzw+P7tHFnJV4iUisdl75wMGKqP3HpBGwwAN1hmJ4w41J2IDcRWm79An oKBZN2D4OJS44Hhw+LpMhoeU9uCuAkXuZcK2o35pFnUHkpv1prxZg1gxghYoMIIW JAIBATCBmTCBgTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAO BgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEr MCkGA1UEAxMiTWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMQITMwAA AApmQvP0n7c3lgABAAAACjANBglghkgBZQMEAgEFAKCCAREwGQYJKoZIhvcNAQkD MQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwLwYJ KoZIhvcNAQkEMSIEIOBR1lXJ0yMtGJm8ETD6MEFIJCyjBPLlLe2aF6PcGN1xMIGk BgorBgEEAYI3AgEMMYGVMIGSoF6AXABoAHQAdABwADoALwAvAHcAdwB3AC4AbQBp AGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvAHcAaABkAGMALwBoAGMAbAAvAGQAZQBm AGEAdQBsAHQALgBtAHMAcAB4oTCALmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS93 aGRjL2hjbC9kZWZhdWx0Lm1zcHgwDQYJKoZIhvcNAQEBBQAEggEAVajbL42oQSy1 NUS6HAoCq0L01hhN9fHn8acFrSpXK+GjijNspEcxVWSmJCWUWj4oVgBU7hgB2cFr YBm7M6VLl0h45tCI0jyHURNs4bYeKhBlywIAKQ1B3sxBi84vrNmVv7tZqtV8eAte tmX/8X6mOObVtD1YfYRVc2/EAEqv/Dee3BKb2/3MJ8TlUDuPZ1yAjAq4MViGs0J3 m4T63cugiWPuoaZEGJ6eaPiVXPcEKiDDOboCMm6MY1CLADE0moMrQ86dtbmycXIu N44ImKRkPSSCnRbmNDl/OkITHAicitORyvpet6uciDQtXQEq8xuRHJ7tOrwTmuLs r+BEVn7BR6GCE0owghNGBgorBgEEAYI3AwMBMYITNjCCEzIGCSqGSIb3DQEHAqCC EyMwghMfAgEDMQ8wDQYJYIZIAWUDBAIBBQAwggE9BgsqhkiG9w0BCRABBKCCASwE ggEoMIIBJAIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFlAwQCAQUABCBfmL3wsdu9 
3kovdSnRVAah9huZNZbgGFJ05HSVLqfy9gIGUmk4IyjpGBMyMDEzMTAzMDE5MTY0 My42ODZaMAcCAQGAAgH0oIG5pIG2MIGzMQswCQYDVQQGEwJVUzETMBEGA1UECBMK V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0 IENvcnBvcmF0aW9uMQ0wCwYDVQQLEwRNT1BSMScwJQYDVQQLEx5uQ2lwaGVyIERT RSBFU046QzBGNC0zMDg2LURFRjgxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0 YW1wIFNlcnZpY2Wggg7NMIIGcTCCBFmgAwIBAgIKYQmBKgAAAAAAAjANBgkqhkiG 9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAO BgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEy MDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIw MTAwHhcNMTAwNzAxMjEzNjU1WhcNMjUwNzAxMjE0NjU1WjB8MQswCQYDVQQGEwJV UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGlt ZS1TdGFtcCBQQ0EgMjAxMDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB AKkdDbx3EYo6IOz8E5f1+n9plGt0VBDVpQoAgoX77XxoSyxfxcPlYcJ2tz5mK1vw FVMnBDEfQRsalR3OCROOfGEwWbEwRA/xYIiEVEMM1024OAizQt2TrNZzMFcmgqNF DdDq9UeBzb8kYDJYYEbyWEeGMoQedGFnkV+BVLHPk0ySwcSmXdFhE24oxhr5hoC7 32H8RsEnHSRnEnIaIYqvS2SJUGKxXf13Hz3wV3WsvYpCTUBR0Q+cBj5nf/VmwAOW RH7v0Ev9buWayrGo8noqCjHw2k4GkbaICDXoeByw6ZnNPOcvRLqn9NxkvaQBwSAJ k3jN/LzAyURdXhacAQVPIk0CAwEAAaOCAeYwggHiMBAGCSsGAQQBgjcVAQQDAgEA MB0GA1UdDgQWBBTVYzpcijGQ80N7fEYbxTNoWoVtVTAZBgkrBgEEAYI3FAIEDB4K AFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSME GDAWgBTV9lbLj+iiXGJo0T2UkFvXzpoYxDBWBgNVHR8ETzBNMEugSaBHhkVodHRw Oi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJB dXRfMjAxMC0wNi0yMy5jcmwwWgYIKwYBBQUHAQEETjBMMEoGCCsGAQUFBzAChj5o dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dF8y MDEwLTA2LTIzLmNydDCBoAYDVR0gAQH/BIGVMIGSMIGPBgkrBgEEAYI3LgMwgYEw PQYIKwYBBQUHAgEWMWh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9QS0kvZG9jcy9D UFMvZGVmYXVsdC5odG0wQAYIKwYBBQUHAgIwNB4yIB0ATABlAGcAYQBsAF8AUABv AGwAaQBjAHkAXwBTAHQAYQB0AGUAbQBlAG4AdAAuIB0wDQYJKoZIhvcNAQELBQAD ggIBAAfmiFEN4sbgmD+BcQM9naOhIW+z66bM9TG+zwXiqf76V20ZMLPCxWbJat/1 
5/B4vceoniXj+bzta1RXCCtRgkQS+7lTjMz0YBKKdsxAQEGb3FwX/1z5Xhc1mCRW S3TvQhDIr79/xn/yN31aPxzymXlKkVIArzgPF/UveYFl2am1a+THzvbKegBvSzBE JCI8z+0DpZaPWSm8tv0E4XCfMkon/VWvL/625Y4zu2JfmttXQOnxzplmkIz/amJ/ 3cVKC5Em4jnsGUpxY517IW3DnKOiPPp/fZZqkHimbdLhnPkd/DjYlPTGpQqWhqS9 nhquBEKDuLWAmyI4ILUl5WTs9/S/fmNZJQ96LjlXdqJxqgaKD4kWumGnEcua2A5H moDF0M2n0O99g/DhO3EJ3110mCIIYdqwUB5vvfHhAN/nMQekkzr3ZUd46PioSKv3 3nJ+YWtvd6mBy6cJrDm77MbL2IK0cs0d9LiFAR6A+xuJKlQ5slvayA1VmXqHczsI 5pgt6o3gMy4SKfXAL1QnIffIrE7aKLixqduWsqdCosnPGUFN4Ib5KpqjEWYw07t0 MkvfY3v1mYovG8chr1m1rtxEPJdQcdeh0sVV42neV8HR3jDA/czmTfsNv11P6Z0e GTgvvM9YBS7vDaBQNdrvCScc1bN+NR4Iuto229Nfj950iEkSMIIE2jCCA8KgAwIB AgITMwAAACiQZ7kEsDxuZgAAAAAAKDANBgkqhkiG9w0BAQsFADB8MQswCQYDVQQG EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQg VGltZS1TdGFtcCBQQ0EgMjAxMDAeFw0xMzAzMjcyMDEzMTNaFw0xNDA2MjcyMDEz MTNaMIGzMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMQ0wCwYD VQQLEwRNT1BSMScwJQYDVQQLEx5uQ2lwaGVyIERTRSBFU046QzBGNC0zMDg2LURF RjgxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2UwggEiMA0G CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDdpUi/akidSiGckmve4C3c5GP4zLmJ xMcbvee10/vtrs8x/vNmsEQD2plnCFq/dQYiEYnQZ1LM+s+SN0Xo+vG9M9PMc+O4 IaSgFX3LL8QDBdo/lnPTWeWYTQtWhi+dR9HWX52R6ceE2ZVrMky0awBS4EHTPGl0 qM7MfWidUlXmcH8UB6KeZ7CGRPMzP3Ndxij4F19SAS1EL9bteAi45TsvwLnDS8O3 Oy/TprWcsUhK3TIJVqEbS1rTqiYnDBJDYMVq19pADWCYiUG7k3Pdv/7EjFvO+lUn yk1Nmm99EWyxRyOwTHxsfwahdIIfUngY6QYaFlCawzrdgYH3mydyIX91AgMBAAGj ggEbMIIBFzAdBgNVHQ4EFgQU3JgInXnRBLKLR8Nx0Izns+awU50wHwYDVR0jBBgw FoAU1WM6XIoxkPNDe3xGG8UzaFqFbVUwVgYDVR0fBE8wTTBLoEmgR4ZFaHR0cDov L2NybC5taWNyb3NvZnQuY29tL3BraS9jcmwvcHJvZHVjdHMvTWljVGltU3RhUENB XzIwMTAtMDctMDEuY3JsMFoGCCsGAQUFBwEBBE4wTDBKBggrBgEFBQcwAoY+aHR0 cDovL3d3dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNUaW1TdGFQQ0FfMjAx MC0wNy0wMS5jcnQwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDCDAN 
BgkqhkiG9w0BAQsFAAOCAQEAgiLztz1kfhJL/Cb84OS30MQUTgn+q1aa0VqYpr6M QR6UtDK+hLS3RXbj72AYJIeoz+m00VQpvMrkyxJ7wPHUDp8xMxsRP3o73d0CqhjK yjz6luNsu6+7yYQ+x9gMhctyCwEbpPUxERAMRaVaSJl+2r5Fhte6TeSB/9NYCnZl Blkv9sJCzwTJqxv6YZ3185hJcLFJ0GTEIejuYBdTfusC2miVi/UKPAHbo7WYFFF0 nlPp2nKYZqBfKc+Prx+CnNPr5vFMG1T46DLcwRXDrCpudAUWg+NEmJ/L7+gweX+v UqU6H99lx43+J9hHGZIItIs0jmknNxoC9pGzlSL/CEgq/qGCA3YwggJeAgEBMIHj oYG5pIG2MIGzMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4G A1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMQ0w CwYDVQQLEwRNT1BSMScwJQYDVQQLEx5uQ2lwaGVyIERTRSBFU046QzBGNC0zMDg2 LURFRjgxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2WiJQoB ATAJBgUrDgMCGgUAAxUA8120HsdfO2ZOZQ7emART9hWnH0SggcIwgb+kgbwwgbkx CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xDTALBgNVBAsTBE1P UFIxJzAlBgNVBAsTHm5DaXBoZXIgTlRTIEVTTjpCMDI3LUM2RjgtMUQ4ODErMCkG A1UEAxMiTWljcm9zb2Z0IFRpbWUgU291cmNlIE1hc3RlciBDbG9jazANBgkqhkiG 9w0BAQUFAAIFANYbbXkwIhgPMjAxMzEwMzAxMTM1MjFaGA8yMDEzMTAzMTExMzUy MVowdDA6BgorBgEEAYRZCgQBMSwwKjAKAgUA1htteQIBADAHAgEAAgIQxzAHAgEA AgIYcDAKAgUA1hy++QIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZCgMB oAowCAIBAAIDFuNgoQowCAIBAAIDB6EgMA0GCSqGSIb3DQEBBQUAA4IBAQAxxOL5 p8WZx+WQXwsf9YpPA4dWCU2xk7l1MY2R653keklyM7ks9Md5/7JbBzMPQXMPJ0Ts SllTUWF+wCUwW84ZAJCG4IUS5MrfbC5yXPkCjYEW6pll2A77OgwC+UG7X5VN67nm XfRbw+3lyAAcCjpreeEOiMRTNP1UW3Th2x5Lmbgc4AW/6p+6VEj/7QJEuj7oMXVe KQNp/I+lJn1rBGU42wqteobjNmUI55+i5PN+Wa5uGh7IhkqpDRPIkBM9wqVDQoHb d727DRVQMwzTAGYdSaOPJjLYti078h71WDJYyM1waA435nrkukJ6ObWdMTNjJqsy /Tz7rYZPgMPKLjtfMYIC9TCCAvECAQEwgZMwfDELMAkGA1UEBhMCVVMxEzARBgNV BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv c29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAg UENBIDIwMTACEzMAAAAokGe5BLA8bmYAAAAAACgwDQYJYIZIAWUDBAIBBQCgggEy MBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAvBgkqhkiG9w0BCQQxIgQgqtHU /PG7RLWN/Y5UsjD6+lFX/RpWbpbjNV/x7SF3lQwwgeIGCyqGSIb3DQEJEAIMMYHS 
MIHPMIHMMIGxBBTzXbQex187Zk5lDt6YBFP2FacfRDCBmDCBgKR+MHwxCzAJBgNV BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4w HAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29m dCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAAAKJBnuQSwPG5mAAAAAAAoMBYEFLWf +tQPMIlyzZih4uVtvwa31BWHMA0GCSqGSIb3DQEBCwUABIIBAEJSSeyhVFmVBArn o02R+f9PxUVjdMsHRqTWdnfA6F4uFU2GGGB2NoGTPHVeHrTTejo2bzXf5Di0jO5r nIM1KVSUIDmM6xgvcIgxMuo2oM8MxHnYSh9QdWTCnJsqcR+PzIhsdrxaQOLRXNiS uEyj0MgaJuYATAmhM2oM4BFNmbFavr0Sar3fj54zoZ9/p7ZhROSVm40OKt8tzSDu 7KrU8rr6VikJV2svuvLsmBKP7H6A+ZBWgrSlraQhdOxgjdPci6rhoZ9GG3WzNIcg c+4KZEXs0hxinuZA2+Z9QhyXcTeLXm1UbKtN+P6hEv6ABEaghtj238dcrBtwijpX BkfJeJoAAAA= -----END AUTHENTICODE SIGNATURE----- ++++++ shim-install ++++++ --- /var/tmp/diff_new_pack.caxf2B/_old 2014-04-21 11:05:30.000000000 +0200 +++ /var/tmp/diff_new_pack.caxf2B/_new 2014-04-21 11:05:30.000000000 +0200 @@ -4,18 +4,14 @@ bootdir= efidir= install_device= -efibootdir= -ca_string= removable=no clean=no sysconfdir="/etc" libdir="/usr/lib64" source_dir="$libdir/efi" grub_probe="`which grub2-probe`" -grub_mkrelpath="`which grub2-mkrelpath`" self="`basename $0`" grub_cfg="/boot/grub2/grub.cfg" -update_boot=no # Get GRUB_DISTRIBUTOR. if test -f "${sysconfdir}/default/grub" ; then @@ -30,14 +26,6 @@ efi_distributor="$bootloader_id" bootloader_id="${bootloader_id}-secureboot" -case "$bootloader_id" in - "sle"*) - ca_string='SUSE Linux Enterprise Secure Boot CA1';; - "opensuse"*) - ca_string='openSUSE Secure Boot CA1';; - *) ca_string="";; -esac - usage () { echo "Usage: $self [OPTION] [INSTALL_DEVICE]" echo 
@@ -181,32 +169,18 @@ if test -n "$efidir"; then efi_file=shim.efi - efibootdir="$efidir/EFI/boot" - mkdir -p "$efibootdir" || exit 1 efidir="$efidir/EFI/$efi_distributor" mkdir -p "$efidir" || exit 1 else exit 1; fi -if test -f "$efibootdir/bootx64.efi"; then - if test -n "$ca_string" && (grep -q "$ca_string" "$efibootdir/bootx64.efi"); then - update_boot=yes - fi -else - update_boot=yes -fi - if test "$clean" = "yes"; then rm -f "${efidir}/shim.efi" rm -f "${efidir}/MokManager.efi" rm -f "${efidir}/grub.efi" rm -f "${efidir}/grub.cfg" rm -f "${efidir}/boot.csv" - if test "$update_boot" = "yes"; then - rm -f "${efibootdir}/bootx64.efi" - rm -f "${efibootdir}/fallback.efi" - fi efibootmgr="`which efibootmgr`" if test "$removable" = no && test -n "$bootloader_id" && test -n "$efibootmgr"; then # Delete old entries from the same distributor. 
@@ -222,70 +196,17 @@ cp "${source_dir}/MokManager.efi" "${efidir}" cp "${source_dir}/grub.efi" "${efidir}" echo "shim.efi,${bootloader_id}" | iconv -f ascii -t ucs2 > "${efidir}/boot.csv" -if test "$update_boot" = "yes"; then - cp "${source_dir}/shim.efi" "${efibootdir}/bootx64.efi" - cp "${source_dir}/fallback.efi" "${efibootdir}" -fi - - -make_grubcfg () { grub_cfg_dirname=`dirname $grub_cfg` grub_cfg_basename=`basename $grub_cfg` cfg_fs_uuid=`"$grub_probe" --target=fs_uuid "$grub_cfg_dirname"` -descriptive_config="snapshot_submenu.cfg" -root_fstype=`$grub_probe -t fs /` -boot_fstype=`$grub_probe -t fs /boot` -if [ "x${root_fstype}" != "xbtrfs" ] || - [ "x${boot_fstype}" != "xbtrfs" ]; then - echo "/ is not on btrfs" >&2 - exit 1; -fi - -if test "x$SUSE_BTRFS_SNAPSHOT_BOOTING" = "xtrue" && - test "x$root_fstype" = "xbtrfs" && - test "x$boot_fstype" = "xbtrfs"; then - -cat <<EOF -set btrfs_relative_path="yes" -set extra_cmdline="" -btrfs_subvolid="" -btrfs_subvol="/" - -export btrfs_relative_path -export extra_cmdline +(cat << EOF search --fs-uuid --set=root ${cfg_fs_uuid} - -set timeout=0 - -terminal_input console -terminal_output console - -menuentry 'default' { - btrfs_subvol="" - configfile /boot/grub2/grub.cfg - btrfs_subvol="/" -} - -if [ -f "/.snapshots/${descriptive_config}" ]; then - source "/.snapshots/${descriptive_config}" -fi - -EOF - -else - -cat <<EOF -search --fs-uuid --set=root ${cfg_fs_uuid} -set prefix=(\${root})`${grub_mkrelpath} ${grub_cfg_dirname}` -configfile \$prefix/${grub_cfg_basename} +set prefix=(\${root})${grub_cfg_dirname} EOF -fi - -} - -make_grubcfg > "${efidir}/grub.cfg" +echo "configfile \$prefix/${grub_cfg_basename}") \ +> "${efidir}/grub.cfg" efibootmgr="`which efibootmgr`" if test "$removable" = no && test -n "$bootloader_id" && test -n "$efibootmgr"; then ++++++ shim-mokx-support.patch ++++++ --- /var/tmp/diff_new_pack.caxf2B/_old 2014-04-21 11:05:30.000000000 +0200 +++ /var/tmp/diff_new_pack.caxf2B/_new 2014-04-21 
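Review bot: The new `set prefix=(\${root})${grub_cfg_dirname}` line uses the absolute directory of `$grub_cfg` as the path inside the filesystem that `search --fs-uuid` selects, with no `grub2-mkrelpath` translation as on the old side. The prefix is therefore presumably wrong when /boot/grub2 is on a btrfs subvolume or a separate /boot partition, and `${grub_cfg_dirname}` should be passed through `grub2-mkrelpath` again. Separately, `cfg_fs_uuid` is written into grub.cfg unchecked, so a failing `grub2-probe` leaves `search --fs-uuid --set=root` with no UUID on the ESP. A guard such as `test -n "$cfg_fs_uuid" || exit 1` before the here-document would abort the install instead. The two `cp` calls at the top of the hunk also ignore their exit status, so a missing MokManager.efi or grub.efi goes unnoticed.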
11:05:30.000000000 +0200 @@ -1,12 +1,10 @@ -From 58b8e54ef60d488886a9f0d0877b7187eb200d07 Mon Sep 17 00:00:00 2001 +From 8614cf8c164049e77d702eb234d608d5342e975b Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <glin@suse.com> Date: Thu, 24 Oct 2013 17:02:08 +0800 -Subject: [PATCH 01/10] Support MOK blacklist +Subject: [PATCH 1/9] Support MOK blacklist The new blacklist, MokListX, stores the keys and hashes that are banned. - -Signed-off-by: Gary Ching-Pang Lin <glin@suse.com> --- MokManager.c | 241 +++++++++++++++++++++++++++++++++++++++++++++++++---------- shim.c | 3 +- @@ -512,7 +510,7 @@ return EFI_SUCCESS; } diff --git a/shim.c b/shim.c -index cf93d65..2c23a2f 100644 +index 9ae1936..c133bb2 100644 --- a/shim.c +++ b/shim.c @@ -1510,7 +1510,8 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle) @@ -526,15 +524,14 @@ if (efi_status != EFI_SUCCESS) { -- -1.8.4.5 +1.8.1.4 -From d2980a5cbee887223405a24be44ffd5bb439e3f1 Mon Sep 17 00:00:00 2001 +From f36f4093bb72344242949b16b83905cefb93d3cd Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <glin@suse.com> Date: Thu, 24 Oct 2013 17:32:31 +0800 -Subject: [PATCH 02/10] MokManager: show the hash list properly +Subject: [PATCH 2/9] MokManager: show the hash list properly -Signed-off-by: Gary Ching-Pang Lin <glin@suse.com> --- MokManager.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 71 insertions(+), 11 deletions(-) @@ -678,15 +675,14 @@ for (i=0; menu_strings[i] != NULL; i++) -- -1.8.4.5 +1.8.1.4 -From 9c4b5d58385c64056adb5386c097219665f2f50d Mon Sep 17 00:00:00 2001 +From f1073a9bc757008d44b5b86cb5002a3654faf2d2 Mon Sep 17 00:00:00 2001 
From: Gary Ching-Pang Lin <glin@suse.com> Date: Fri, 25 Oct 2013 16:54:25 +0800 -Subject: [PATCH 03/10] MokManager: delete the hash properly +Subject: [PATCH 3/9] MokManager: delete the hash properly -Signed-off-by: Gary Ching-Pang Lin <glin@suse.com> --- MokManager.c | 124 ++++++++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 114 insertions(+), 10 deletions(-) @@ -844,15 +840,14 @@ } -- -1.8.4.5 +1.8.1.4 -From 54ce2f9605990c00f9cafae7cab22a1c885828c1 Mon Sep 17 00:00:00 2001 +From b5cb83a92620b0b41857f3e3a292d1577eb3a3a5 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <glin@suse.com> Date: Fri, 25 Oct 2013 17:05:10 +0800 -Subject: [PATCH 04/10] MokManager: Match all hashes in the list +Subject: [PATCH 4/9] MokManager: Match all hashes in the list -Signed-off-by: Gary Ching-Pang Lin <glin@suse.com> --- MokManager.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) @@ -913,17 +908,15 @@ } } -- -1.8.4.5 +1.8.1.4 -From 4c1912c8521cca4d320a1417abff6f7954809a20 Mon Sep 17 00:00:00 2001 +From 70a4e12d2e6ba37541d0b78ec3c8ed5e8da9a941 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <glin@suse.com> Date: Fri, 25 Oct 2013 18:30:48 +0800 -Subject: [PATCH 05/10] MokManager: Write the hash list properly +Subject: [PATCH 5/9] MokManager: Write the hash list properly also return to the previous entry in the list - -Signed-off-by: Gary Ching-Pang Lin <glin@suse.com> --- MokManager.c | 30 +++++++++++++++++++----------- 1 file changed, 19 insertions(+), 11 deletions(-) @@ -998,21 +991,20 @@ efi_status = uefi_call_wrapper(RT->SetVariable, 5, db_name, -- -1.8.4.5 +1.8.1.4 -From 8b96a93bda39617efbe51f24d1dc606ad8835d26 Mon Sep 17 00:00:00 2001 +From 225e5fca2f7cf63e365b77243d6e43b1eb9860c8 Mon Sep 17 00:00:00 2001 
From: Gary Ching-Pang Lin <glin@suse.com> Date: Mon, 28 Oct 2013 15:08:40 +0800 -Subject: [PATCH 06/10] Copy the MOK blacklist to a RT variable +Subject: [PATCH 6/9] Copy the MOK blacklist to a RT variable -Signed-off-by: Gary Ching-Pang Lin <glin@suse.com> --- shim.c | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/shim.c b/shim.c -index 2c23a2f..ccb3071 100644 +index c133bb2..a0383a8 100644 --- a/shim.c +++ b/shim.c @@ -1480,6 +1480,33 @@ EFI_STATUS mirror_mok_list() @@ -1049,7 +1041,7 @@ * Check if a variable exists */ static BOOLEAN check_var(CHAR16 *varname) -@@ -1799,6 +1826,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) +@@ -1795,6 +1822,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) */ efi_status = mirror_mok_list(); @@ -1059,21 +1051,20 @@ * Create the runtime MokIgnoreDB variable so the kernel can make * use of it -- -1.8.4.5 +1.8.1.4 -From 044d04dbed3ef3f2f3004a770e3751eabc052c2c Mon Sep 17 00:00:00 2001 +From f9db55b719281ce491780ecd4ec269c5286a7251 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <glin@suse.com> Date: Mon, 28 Oct 2013 16:36:34 +0800 -Subject: [PATCH 07/10] No newline for console_notify +Subject: [PATCH 7/9] No newline for console_notify -Signed-off-by: Gary Ching-Pang Lin <glin@suse.com> --- shim.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shim.c b/shim.c -index ccb3071..e30a464 100644 +index a0383a8..a2e0862 100644 --- a/shim.c +++ b/shim.c @@ -470,7 +470,7 @@ static BOOLEAN secure_mode (void) @@ -1095,13 +1086,13 @@ } -- -1.8.4.5 +1.8.1.4 -From 0e97d1576fcc1924f0f17b7f31baf1dd74a7f83e Mon Sep 17 00:00:00 2001 +From 0bf2da5c7d9442f3249fc977b3fbffab924a374c Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <glin@suse.com> Date: Mon, 4 Nov 2013 14:45:33 +0800 -Subject: [PATCH 08/10] Verify the EFI images with MOK blacklist +Subject: [PATCH 8/9] Verify the EFI images with MOK blacklist 
Signed-off-by: Gary Ching-Pang Lin <glin@suse.com> --- @@ -1109,7 +1100,7 @@ 1 file changed, 9 insertions(+) diff --git a/shim.c b/shim.c -index e30a464..efd3d85 100644 +index a2e0862..5f5e9a6 100644 --- a/shim.c +++ b/shim.c @@ -365,6 +365,7 @@ static EFI_STATUS check_blacklist (WIN_CERTIFICATE_EFI_PKCS *cert, @@ -1136,13 +1127,13 @@ return EFI_SUCCESS; } -- -1.8.4.5 +1.8.1.4 -From a166edaa42ef96eaf5b000d0e4ad71779b745d68 Mon Sep 17 00:00:00 2001 +From 20ced27d1785bceaf814c07ca0d5686506a119ad Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <glin@suse.com> Date: Mon, 4 Nov 2013 17:51:55 +0800 -Subject: [PATCH 09/10] Exclude ca.crt while signing EFI images +Subject: [PATCH 9/9] Exclude ca.crt while signing EFI images If ca.crt was added into the certificate database, ca.crt would be the first certificate in the signature. Because shim couldn't verify ca.crt with the 
@@ -1167,33 +1158,5 @@ certutil -d certdb/ -A -i shim.crt -n shim -t u -- -1.8.4.5 - - -From cce37bfa5298e8e9c12d3509c78592f711699c4f Mon Sep 17 00:00:00 2001 -From: Gary Ching-Pang Lin <glin@suse.com> -Date: Tue, 11 Feb 2014 14:11:15 +0800 -Subject: [PATCH 10/10] Make shim to check MokXAuth for MOKX reset - -Signed-off-by: Gary Ching-Pang Lin <glin@suse.com> ---- - shim.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/shim.c b/shim.c -index efd3d85..7093c45 100644 ---- a/shim.c -+++ b/shim.c -@@ -1547,7 +1547,8 @@ EFI_STATUS check_mok_request(EFI_HANDLE image_handle) - if (check_var(L"MokNew") || check_var(L"MokSB") || - check_var(L"MokPW") || check_var(L"MokAuth") || - check_var(L"MokDel") || check_var(L"MokDB") || -- check_var(L"MokXNew") || check_var(L"MokXDel")) { -+ check_var(L"MokXNew") || check_var(L"MokXDel") || -+ check_var(L"MokXAuth")) { - efi_status = start_image(image_handle, MOK_MANAGER); - - if (efi_status != EFI_SUCCESS) { --- -1.8.4.5 +1.8.1.4 ++++++ show_hash.sh ++++++ --- /var/tmp/diff_new_pack.caxf2B/_old 2014-04-21 11:05:30.000000000 +0200 +++ /var/tmp/diff_new_pack.caxf2B/_new 2014-04-21 11:05:30.000000000 +0200 @@ -9,4 +9,13 @@ exit 1 fi -pesign -h -P -i "$infile" +nssdir=`mktemp -d` +cleanup() +{ + rm -r "$nssdir" +} +trap cleanup EXIT +echo > "$nssdir/pw" +certutil -f "$nssdir/pw" -d "$nssdir" -N + +pesign -n "$nssdir" -h -P -i "$infile" ++++++ show_signatures.sh ++++++ --- /var/tmp/diff_new_pack.caxf2B/_old 2014-04-21 11:05:30.000000000 +0200 +++ /var/tmp/diff_new_pack.caxf2B/_new 2014-04-21 11:05:30.000000000 +0200 
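Review bot: In show_hash.sh the result of `mktemp -d` is never checked, so on failure `nssdir` is empty, the next line writes `/pw`, and `certutil` and `pesign` are pointed at an empty database path. `nssdir=$(mktemp -d) || exit 1` stops the script there. The cleanup is safer as `rm -rf -- "${nssdir:?}"`, and the database creation should be checked before `pesign` relies on it: `certutil -f "$nssdir/pw" -d "$nssdir" -N || exit 1`. The same added lines appear in the show_signatures.sh and strip_signature.sh hunks that follow, so the same applies there.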
@@ -9,4 +9,13 @@ exit 1 fi -pesign -S -i "$infile" +nssdir=`mktemp -d` +cleanup() +{ + rm -r "$nssdir" +} +trap cleanup EXIT +echo > "$nssdir/pw" +certutil -f "$nssdir/pw" -d "$nssdir" -N + +pesign -n "$nssdir" -S -i "$infile" ++++++ strip_signature.sh ++++++ --- /var/tmp/diff_new_pack.caxf2B/_old 2014-04-21 11:05:30.000000000 +0200 +++ /var/tmp/diff_new_pack.caxf2B/_new 2014-04-21 11:05:30.000000000 +0200 @@ -10,4 +10,13 @@ outfile="${infile%.efi}-unsigned.efi" -pesign -r -i "$infile" -o "$outfile" +nssdir=`mktemp -d` +cleanup() +{ + rm -r "$nssdir" +} +trap cleanup EXIT +echo > "$nssdir/pw" +certutil -f "$nssdir/pw" -d "$nssdir" -N + +pesign -n "$nssdir" -r -i "$infile" -o "$outfile" -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org