openSUSE Build Service

Overview Repositories Revisions Requests Users Attributes Meta

File project.diff of Package shim

--- shim-install.orig
+++ shim-install
@@ -374,15 +374,27 @@ prepare_cryptodisk () {
   tpm_pcr_list="${GRUB_TPM2_PCR_LIST:-0,2,4,7,9}"
   tpm_sealed_key="${GRUB_TPM2_SEALED_KEY}"
 
+  tpm_mode=""
+  tpm_extra_options=""
+  if [ -n "$GRUB_TPM_AUTHORIZED_POLICY" ]; then
+    tpm_mode="-m authpol"
+    tpm_extra_options="-P \$prefix/$GRUB_TPM_PUBLIC_KEY -S \$prefix/$GRUB_TPM_SIGNATURE"
+  fi
+
   declare -g TPM_PCR_SNAPSHOT_TAKEN
 
   if [ -z "$TPM_PCR_SNAPSHOT_TAKEN" ]; then
     TPM_PCR_SNAPSHOT_TAKEN=1
-    echo "tpm_record_pcrs 0-9"
+
+    # Check if tpm_record_pcrs is available and set the command to
+    # grub.cfg.
+    if grep -q "tpm_record_pcrs" ${datadir}/grub2/${arch}-efi/command.lst ; then
+      echo "tpm_record_pcrs 0-9"
+    fi
   fi
 
   cat <<EOF
-tpm2_key_protector_init -b $tpm_pcr_bank -p $tpm_pcr_list -k \$prefix/$tpm_sealed_key
+tpm2_key_protector_init $tpm_mode -b $tpm_pcr_bank -p $tpm_pcr_list -k \$prefix/$tpm_sealed_key $tpm_extra_options
 if ! cryptomount -u $uuid -k tpm2; then
     cryptomount -u $uuid
 fi
--- shim.changes.orig
+++ shim.changes
@@ -1,4 +1,13 @@
 -------------------------------------------------------------------
+Tue Feb  7 16:00:16 UTC 2023 - Olaf Kirch <okir@suse.com>
+
+- Enhance cryptodisk code to recognize new variables in /etc/default/grub:
+  * GRUB_TPM_AUTHORIZED_POLICY
+  * GRUB_TPM_PUBLIC_KEY
+  * GRUB_TPM_SIGNATURE
+  These were added in support of TPM2 authorized policies
+
+-------------------------------------------------------------------
 Fri Dec  9 08:38:14 UTC 2022 - Joey Lee <jlee@suse.com>
 
 - Modified shim-install, add the following Olaf Kirch's patches to support
@@ -20,6 +29,15 @@ Wed Nov 23 07:28:57 UTC 2022 - Joey Lee
         https://www.spinics.net/lists/kernel/msg4599636.html
 
 -------------------------------------------------------------------
+Tue Nov 22 14:53:36 UTC 2022 - Olaf Kirch <okir@suse.com>
+
+- Enhance cryptodisk code to recognize new variables in /etc/default/grub:
+ * GRUB_CRYPTODISK_PASSWORD
+ * GRUB_TPM2_SEALED_KEY
+ * GRUB_TPM2_PCR_BANK and GRUB_TPM2_PCR_LIST
+- Introduce --no-grub-install option
+
+-------------------------------------------------------------------
 Fri Nov 18 04:52:49 UTC 2022 - Joey Lee <jlee@suse.com>
 
 - Add shim-Enable-the-NX-compatibility-flag-by-default.patch to
@@ -129,6 +147,11 @@ Thu Sep 29 02:42:35 UTC 2022 - Michael C
   installing grub related files
 
 -------------------------------------------------------------------
+Tue Sep 20 13:31:44 UTC 2022 - Olaf Kirch <okir@suse.com>
+
+- Add "tpm_record_pcrs" to EFI grub.cfg
+
+-------------------------------------------------------------------
 Mon Sep 12 12:30:54 UTC 2022 - Kilian Hanich <khanich.opensource@gmx.de>
 
 - Add logic to shim.spec to only set sbat policy when efivarfs is writeable.
--- shim.spec.orig
+++ shim.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package shim
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -78,7 +78,7 @@ Patch5:         shim-disable-export-vend
 # PATCH-FIX-UPSTREAM shim-Enable-the-NX-compatibility-flag-by-default.patch jlee@suse.com -- Enable the NX compatibility flag by default
 Patch6:         shim-Enable-the-NX-compatibility-flag-by-default.patch
 # PATCH-FIX-OPENSUSE shim-bsc1198101-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
-Patch100:	shim-bsc1198101-opensuse-cert-prompt.patch
+Patch100:       shim-bsc1198101-opensuse-cert-prompt.patch
 BuildRequires:  dos2unix
 BuildRequires:  mozilla-nss-tools
 BuildRequires:  openssl >= 0.9.8

Places

File project.diff of Package shim

Places