commit shim for openSUSE:12.3
Hello community, here is the log from the commit of package shim for openSUSE:12.3 checked in at 2013-03-01 10:55:11 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.3/shim (Old) and /work/SRC/openSUSE:12.3/.shim.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "shim", Maintainer is "GLin@suse.com" Changes: -------- --- /work/SRC/openSUSE:12.3/shim/shim.changes 2013-02-11 14:55:01.000000000 +0100 +++ /work/SRC/openSUSE:12.3/.shim.new/shim.changes 2013-03-01 10:55:12.000000000 +0100 @@ -1,0 +2,17 @@ +Thu Feb 28 08:57:48 UTC 2013 - lnussel@suse.de + +- sign shim also with openSUSE certificate + +------------------------------------------------------------------- +Wed Feb 27 15:52:53 CET 2013 - mls@suse.de + +- identify project, export certificate as DER file +- don't create an unused extra keypair + +------------------------------------------------------------------- +Thu Feb 21 10:08:12 UTC 2013 - glin@suse.com + +- Add shim-bnc804631-fix-broken-bootpath.patch to fix the broken + bootpath generated in generate_path(). (bnc#804631) + +------------------------------------------------------------------- New: ---- SLES-UEFI-CA-Certificate.crt shim-bnc804631-fix-broken-bootpath.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shim.spec ++++++ --- /var/tmp/diff_new_pack.cSzEcs/_old 2013-03-01 10:55:12.000000000 +0100 +++ /var/tmp/diff_new_pack.cSzEcs/_new 2013-03-01 10:55:12.000000000 +0100 @@ -32,6 +32,7 @@ Source1: shim-signed.efi Source2: openSUSE-UEFI-CA-Certificate.crt Source3: shim-install +Source4: SLES-UEFI-CA-Certificate.crt # PATCH-FIX-SUSE shim-suse-build.patch glin@suse.com -- Adjust Makefile for the build service Patch0: shim-suse-build.patch # PATCH-FIX-UPSTREAM shim-local-key-sign-mokmanager.patch glin@suse.com -- Sign MokManager.efi with the local generated certificate 
@@ -52,6 +53,8 @@
 Patch9: shim-mokmanager-support-crypt-hash-method.patch
 # PATCH-FIX-OPENSUSE shim-keep-unsigned-mokmanager.patch glin@suse.com -- Keep MokManager.efi and sign it with the openSUSE key later
 Patch10: shim-keep-unsigned-mokmanager.patch
+# PATCH-FIX-UPSTREAM shim-bnc804631-fix-broken-bootpath.patch bnc#804631 glin@suse.com -- Fix the broken bootpath generated in generate_path()
+Patch11: shim-bnc804631-fix-broken-bootpath.patch
 BuildRequires: gnu-efi >= 3.0q
 BuildRequires: mozilla-nss-tools
 BuildRequires: openssl >= 0.9.8
@@ -83,19 +86,50 @@ %patch8 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 %build chmod +x "make-certs" -openssl x509 -in %{S:2} -outform DER -out openSUSE-UEFI-CA-Certificate.der + +if test -e %{_sourcedir}/_projectcert.crt ; then + prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash) + prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash) + opensusesubject=$(openssl x509 -in %{SOURCE2} -noout -subject_hash) + slessubject=$(openssl x509 -in %{SOURCE4} -noout -subject_hash) + if test "$prjissuer" = "$opensusesubject" ; then + suffix=opensuse + cert=%{SOURCE2} + fi + if test "$prjissuer" = "$slessubject" ; then + suffix=sles + cert=%{SOURCE4} + fi + if test "$prjsubject" = "$prjissuer" ; then + suffix=local + cert=%{_sourcedir}/_projectcert.crt + fi +fi +if test -z "$suffix" ; then + echo "cannot identify project, assuming openSUSE signing" + suffix=opensuse + cert=%{SOURCE2} +fi + +openssl x509 -in $cert -outform DER -out shim-$suffix.der +# create empty local cert file, we don't need a local key pair as we +# sign the mokmanager with our vendor key +touch shim.crt +touch shim.cer # make sure cast warnings don't trigger post build check -make VENDOR_CERT_FILE=openSUSE-UEFI-CA-Certificate.der 2>/dev/null +make VENDOR_CERT_FILE=shim-$suffix.der shim.efi MokManager.efi 2>/dev/null # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx -mv shim.efi shim-opensuse.efi +mv shim.efi shim-$suffix.efi %install -export BRP_PESIGN_FILES='%{_libdir}/efi/shim-opensuse.efi %{_libdir}/efi/MokManager.efi' +export BRP_PESIGN_FILES='%{_libdir}/efi/shim*.efi %{_libdir}/efi/MokManager.efi' install -d %{buildroot}/%{_libdir}/efi -install -m 444 shim-opensuse.efi %{buildroot}/%{_libdir}/efi +install -m 444 shim-*.efi %{buildroot}/%{_libdir}/efi +install -m 444 shim-*.der %{buildroot}/%{_libdir}/efi # FIXME: install signed shim here install -m 444 %{SOURCE1} %{buildroot}/%{_libdir}/efi/shim.efi install -m 444 MokManager.efi 
%{buildroot}/%{_libdir}/efi/MokManager.efi 
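Review bot: The project-identification block added to `%build` chooses the vendor certificate by comparing the `-issuer_hash` of `_projectcert.crt` with the `-subject_hash` of the two CA files, which matches distinguished names only and never checks that the project certificate was really issued by that CA. Because the chosen file becomes `VENDOR_CERT_FILE` for `make`, i.e. the certificate built into shim, I would confirm the chain before accepting a match, for example `openssl verify -CAfile %{SOURCE2} %{_sourcedir}/_projectcert.crt` before `suffix=opensuse`, and the same with `%{SOURCE4}` before `suffix=sles`. The fallback branch also turns an unidentified project into an openSUSE build with nothing more than an `echo`; unless that default is relied on, failing the build there (`exit 1`) would keep a mis-identified project from shipping with an unintended trust anchor. `$cert` is also expanded unquoted in `openssl x509 -in $cert`, and `"$cert"` would be the safer form.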
@@ -110,7 +144,8 @@ %doc COPYRIGHT %dir %{_libdir}/efi %{_libdir}/efi/shim.efi -%{_libdir}/efi/shim-opensuse.efi +%{_libdir}/efi/shim-*.efi +%{_libdir}/efi/shim-*.der %{_libdir}/efi/MokManager.efi %{_sbindir}/shim-install ++++++ SLES-UEFI-CA-Certificate.crt ++++++ -----BEGIN CERTIFICATE----- MIIG5TCCBM2gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT RSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTES MBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3Rz IEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxk QHN1c2UuZGUwHhcNMTMwMTIyMTQyMDA4WhcNMzQxMjE4MTQyMDA4WjCBpjEtMCsG A1UEAwwkU1VTRSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYD VQQGEwJERTESMBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4 IFByb2R1Y3RzIEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0B CQEWDWJ1aWxkQHN1c2UuZGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC AQCrLYL1Uq02iIgro6x6PFESFDtUKU7xO/bJanI7+AQAroowFuLBI67BBSmoq3hR QnH3OtQusGV8y+wvjaaunppvWMfjViZ88zssj5fKXrDr5U6BB566DJgHreWaEs2d FD13XpKRr3Nk9zdjAJu5YsR7hI1NMXsnj1X8w71OY9HLjv+Kq9917PJwZQjOGnAJ BQTi0ogHuLiwDqMKgg5rrYD4cJDPzoLEmEXnwHDIOSiWdD0bCzhN6GQDKldIxQ2O d/mjUgzB+dWslIb+bUKaoJgDtyPV20W74t7Y2uwoaEVr9QkPoM3tOPttf4qsWo8B J1TgeoF01ZeKcvSyvOXCKbfAN9sqURK2ZUTNThqZ//VPQmJP6fByrMJsbvTOSsQt HI+fFPrg1DC2KT8SzuGtWDRscHZ7MofvUKEQolVgkGwp8u68t/RAAwDpUdqIajzi yfp9qSDD+9uMeyiLa4rrAr2ATGohNBa0qha95slgvSepXbYKuHG5b4fWMsG7z4Uc dqE2vK8cQma1nsAeQBaq2/89294TOHEzKyspesfCBCnKQ3q+l9xelYRdvapj1CH/ cfUZf2/6X3VHN1P88RfRrPubswmrcOCEBT41upa2WKRDJ1GS6YhL6LJnrZSTjfe+ KsfNVS1D+KqSKiK0hfk6YK6O88mMGeAKQs3Ap8WthBLf0QIDAQABo4IBGjCCARYw DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUPU1Az5OFOQJLHPxaEt7f6LF+dV8w gdMGA1UdIwSByzCByIAUPU1Az5OFOQJLHPxaEt7f6LF+dV+hgaykgakwgaYxLTAr BgNVBAMMJFNVU0UgTGludXggRW50ZXJwcmlzZSBTZWN1cmUgQm9vdCBDQTELMAkG A1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UECgwYU1VTRSBMaW51 eCBQcm9kdWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFtMRwwGgYJKoZIhvcN AQkBFg1idWlsZEBzdXNlLmRlggEBMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0B 
AQsFAAOCAgEANtdMT47CjQtuERYa5jfygIO5F+urB4fl8pYcQQ/hTPE0KtAnAtrS 1strtMrVQ1t7Wu3fVbWYA6MZMXXkcwyyNbaWfj6roaSC6G5ZqCJ69oSyzaCbyaTI eOgzIIiVGOAj7tiM6T88Xp9qx4Xa3F6UQHF6xfwBT3nNKerGKOG01p7mBfBewwO5 Hxp7OAZmennUxV1uuT5/AsArxw9lMlawXhIAS7tRYHW+32D4tjHPDycldOw1hBjt z5JdehBiTmxhJ6onl0HSpsX84IMSbkeFIxLfxIF0TNas1pGnSGmh8FcV+ck9js3P yamJcNkgCstIwo3QZ2D5YdtQjOusyEuGjCIpDIQx36OMzeOo0SayOdzb2dSmcrHv 4DIkXDUELyIzu79A2R2KR7OQaGL6HGAVy6+yXHHygTbbUrb6ck2+aOG8913ChABc ZAiSFFRKVZzzj7FeIxZNA8GBUbhd20eQB2fUXDypeAnTG6P3dtTs84xNb1qGm3VC OAKjkWYQijLWmAOs9Q4NM/AXOeDTgXxA7iX7kWHRNeDbACirp7zM2ZOIP5ObIS6z yMqcG9DecSVbXiH3MJDTBoB1idQTTyreqpM/l6N8xNNVjEiLJGMEM1SeYq6S1lFV a+GcdOaLYkh7ya3I42l/tDOqH2OLIf7FEtocnc1xU6jTz8au1tZxec8= -----END CERTIFICATE----- ++++++ shim-bnc804631-fix-broken-bootpath.patch ++++++
From 6b70850baa958b196ec332cf0224ffa9d5a81f5f Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <glin@suse.com> Date: Thu, 21 Feb 2013 17:49:29 +0800 Subject: [PATCH] Fix the broken bootpath
- The file path from DevicePathToStr may use slash as the file seperator. Change all slashes to backslashes to avoid the strange bootpath. - Remove the redundant backslashes. - ImagePath no longer requires the leading backslash. - Fix a memory leak Based on the patch from Michal Marek <mmarek@suse.com> --- shim.c | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/shim.c b/shim.c index 37a5898..690d064 100644 --- a/shim.c +++ b/shim.c @@ -919,15 +919,25 @@ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, CHAR16 *ImagePath, pathlen = StrLen(bootpath); + /* + * DevicePathToStr() concatenates two nodes with '/'. + * Convert '/' to '\\'. + */ + for (i = 0; i < pathlen; i++) { + if (bootpath[i] == '/') + bootpath[i] = '\\'; + } for (i=pathlen; i>0; i--) { - if (bootpath[i] == '\\') + if (bootpath[i] == '\\' && bootpath[i-1] != '\\') break; } + if (bootpath[i] == '\\') + bootpath[i+1] = '\0'; + else + bootpath[0] = '\0'; - bootpath[i+1] = '\0'; - - if (i == 0 || bootpath[i-i] == '\\') - bootpath[i] = '\0'; + while (*ImagePath == '\\') + ImagePath++; *PathName = AllocatePool(StrSize(bootpath) + StrSize(ImagePath)); @@ -944,6 +954,8 @@ static EFI_STATUS generate_path(EFI_LOADED_IMAGE *li, CHAR16 *ImagePath, *grubpath = FileDevicePath(device, *PathName); error: + FreePool(bootpath); + return efi_status; } -- 1.7.10.4 -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
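Review bot: In the first shim.c hunk, `bootpath` is now written through by the added slash-conversion loop, but no NULL check is visible between its assignment (outside the hunk) and `pathlen = StrLen(bootpath);`. If the string comes from `DevicePathToStr()`, as the added comment implies, and that call can fail, a guard such as `if (!bootpath) return EFI_OUT_OF_RESOURCES;` ahead of the `StrLen()` call would avoid dereferencing a null pointer. The backward scan would also benefit from a comment like `/* stop at the first backslash of the last run; i == 0 is handled by the test after the loop */`, since index 0 is never examined inside the loop. generate_path() begins and ends outside this hunk.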
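Review bot: In the second shim.c hunk, `FreePool(bootpath);` is placed after the `error:` label, so it runs on the success path and on every `goto error` alike. That is only safe if `bootpath` has been assigned on each path that reaches the label; the jumps and the declaration are outside the hunk, so this needs confirming. If any jump can happen earlier, initialising the pointer to NULL at its declaration and using `if (bootpath) FreePool(bootpath);` at the label would keep the cleanup from freeing an indeterminate pointer.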