Recommended update for shim-susesigned

Announcement ID: SUSE-RU-2021:3224-1
Rating: moderate
References:
Affected Products:
  • Basesystem Module 15-SP2
  • Basesystem Module 15-SP3
  • SUSE Linux Enterprise Desktop 15 SP2
  • SUSE Linux Enterprise Desktop 15 SP3
  • SUSE Linux Enterprise High Performance Computing 15 SP2
  • SUSE Linux Enterprise High Performance Computing 15 SP3
  • SUSE Linux Enterprise Micro 5.0
  • SUSE Linux Enterprise Real Time 15 SP2
  • SUSE Linux Enterprise Real Time 15 SP3
  • SUSE Linux Enterprise Server 15 SP2
  • SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2
  • SUSE Linux Enterprise Server 15 SP3
  • SUSE Linux Enterprise Server 15 SP3 Business Critical Linux 15-SP3
  • SUSE Linux Enterprise Server for SAP Applications 15 SP2
  • SUSE Linux Enterprise Server for SAP Applications 15 SP3
  • SUSE Manager Proxy 4.1
  • SUSE Manager Proxy 4.2
  • SUSE Manager Retail Branch Server 4.1
  • SUSE Manager Retail Branch Server 4.2
  • SUSE Manager Server 4.1
  • SUSE Manager Server 4.2

An update that has 12 fixes can now be installed.

Description:

This update for shim-susesigned fixes the following issues:

Synced with the Microsoft-signed shim as of Thu Jul 15 08:13:26 UTC 2021.

This update addresses the "susesigned" shim component.

shim was updated to 15.4 (bsc#1182057)

  • console: Move the countdown function to console.c
  • fallback: show a countdown menu before reset
  • MOK: Fix the missing vendor cert in MokListRT
  • mok: fix the mirroring of RT variables
  • Add the license change statement for errlog.c and mok.c
  • Remove a couple of incorrect license claims.
  • MokManager: Use CompareMem on MokListNode.Type instead of CompareGuid
  • Make EFI variable copying fatal only on secureboot enabled systems
  • Remove call to TPM2 get_event_log
  • tpm: Fix off-by-one error when calculating event size
  • tpm: Define EFI_VARIABLE_DATA_TREE as packed
  • tpm: Don't log duplicate identical events
  • VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls
  • OpenSSL: always provide OBJ_create() with name strings.
  • translate_slashes(): don't write to string literals
  • Fix a use of strlen() instead of Strlen()
  • shim: Update EFI_LOADED_IMAGE with the second stage loader file path
  • tpm: Include information about PE/COFF images in the TPM Event Log
  • Fix a broken tpm type
  • All newly released openSUSE kernels enable kernel lockdown and signature verification, so there is no need to add the prompt anymore.
  • Fix the NULL pointer dereference in AuthenticodeVerify()
  • Remove the build ID to make the binary reproducible when building with AArch64 container
  • Prevent the build ID from being added to the binary, since it can cause issues with the signature
  • Allocate MOK config table as BootServicesData to avoid the error message from linux kernel
  • Handle ignore_db and user_insecure_mode correctly (bsc#1185441)
  • Relax the maximum variable size check for u-boot
  • Relax the check for import_mok_state() when Secure Boot is off
  • Relax the check for the LoadOptions length
  • Fix the size of rela* sections for AArch64
  • Disable exporting vendor-dbx to MokListXRT
  • Don't call QueryVariableInfo() on EFI 1.10 machines
  • Avoid buffer overflow when copying the MOK config table
  • Avoid deleting the mirrored RT variables
  • Update to 15.3 for SBAT support (bsc#1182057)
  • Generate vendor-specific SBAT metadata
  • Rename the SBAT variable and fix the self-check of SBAT
  • Split the keys in vendor-dbx.bin to vendor-dbx-sles and vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce the size of MokListXRT (bsc#1185261)
  • shim-install: reset def_shim_efi to "shim.efi" if the given file doesn't exist
  • shim-install: instead of assuming "removable" for Azure, remove fallback.efi from \EFI\Boot and copy grub.efi/cfg to \EFI\Boot to make \EFI\Boot bootable and keep the boot option created by efibootmgr (bsc#1185464, bsc#1185961)
  • shim-install: always assume "removable" for Azure to avoid the endless reset loop (bsc#1185464)
  • shim-install: Support changing default shim efi binary in /usr/etc/default/shim and /etc/default/shim (bsc#1177315)
  • Update dbx-cert.tar.xz and vendor-dbx.bin to block the following signing keys:
    • SLES-UEFI-SIGN-Certificate-2020-07.crt
    • openSUSE-UEFI-SIGN-Certificate-2020-07.crt
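Several of the entries above concern SBAT (the generation-number revocation scheme introduced with shim 15.3 and reworked in 15.4, including the renamed policy variable and the fixed self-check). The following Python is an added illustration, not shim's own code: it models the self-check by parsing a constructed .sbat section in the CSV layout documented in shim's SBAT.md (component_name,component_generation,vendor_name,vendor_package_name,vendor_version,vendor_url) against a constructed revocation policy in the one-component-per-line layout of the SbatLevel variable. The sample section contents, the policy values and the function names are assumptions made for the example.

```python
import csv
from io import StringIO

# Constructed .sbat section of an image. Layout per shim's SBAT.md:
# component_name,component_generation,vendor_name,vendor_package_name,vendor_version,vendor_url
IMAGE_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.suse,1,SUSE Linux,shim,15.4,mail:security-team@suse.de
"""

# Constructed revocation policies in the layout of the SbatLevel variable:
# a dated "sbat" header line followed by "component_name,minimum_generation" lines.
POLICY_CURRENT = "sbat,1,2021030218\nshim,1\ngrub,1\n"
POLICY_REVOKING = "sbat,1,2022052400\nshim,2\ngrub,2\n"   # hypothetical: revokes shim generation 1


def parse_sbat(text):
    """Parse SBAT CSV into (component_name, generation) pairs.

    Only the first two columns carry policy meaning; the rest is vendor
    provenance. A row without a numeric generation is treated as malformed,
    which is the conservative choice for a boot-time check.
    """
    entries = []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        if len(row) < 2 or not row[1].strip().isdigit():
            raise ValueError(f"malformed SBAT row: {row}")
        entries.append((row[0].strip(), int(row[1])))
    return entries


def sbat_verify(image_sbat, policy):
    """Model of the SBAT check: an image is rejected if any of its components
    names a component present in the policy with a generation below the
    policy's minimum. Components the policy does not mention are ignored.

    Returns (allowed, reasons); reasons is empty when the image is allowed.
    """
    policy_min = {}
    for name, gen in parse_sbat(policy):
        # Keep the first occurrence if a component is listed twice.
        policy_min.setdefault(name, gen)

    reasons = []
    for name, gen in parse_sbat(image_sbat):
        required = policy_min.get(name)
        if required is not None and gen < required:
            reasons.append(f"{name}: generation {gen} < required {required}")
    return (not reasons, reasons)


if __name__ == "__main__":
    for label, policy in (("current", POLICY_CURRENT), ("revoking", POLICY_REVOKING)):
        allowed, reasons = sbat_verify(IMAGE_SBAT, policy)
        print(f"policy={label}: allowed={allowed} {reasons}")
```

The point the example makes is that SBAT revocation is per component generation, not per signature: raising the minimum generation for "shim" in the policy refuses the sample image even though its vendor-specific "shim.suse" entry is untouched, which is why a shim build must carry correct SBAT metadata for both entries.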

Patch Instructions:

To install this SUSE update, use the SUSE-recommended installation methods, such as YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • Basesystem Module 15-SP2
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-3224=1
  • Basesystem Module 15-SP3
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-3224=1
  • SUSE Linux Enterprise Micro 5.0
    zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-3224=1

Package List:

  • Basesystem Module 15-SP2 (x86_64)
    • shim-15.4-3.32.1
    • shim-debuginfo-15.4-3.32.1
    • shim-debugsource-15.4-3.32.1
  • Basesystem Module 15-SP3 (x86_64)
    • shim-susesigned-15.4-3.10.1
  • SUSE Linux Enterprise Micro 5.0 (x86_64)
    • shim-15.4-3.32.1
    • shim-debuginfo-15.4-3.32.1
    • shim-debugsource-15.4-3.32.1
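To confirm that a system has actually picked up this update, compare the installed package versions with the fixed versions in the Package List above. The following Python is an added example, not a SUSE tool: it implements the RPM version-comparison rules (segment-wise numeric/alphabetic comparison, with "~" sorting before anything else; the "^" rule is omitted) and audits constructed output of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` against the versions from this advisory. The sample rpm output and the function names are assumptions; the fixed versions are the ones listed above.

```python
import re
from itertools import zip_longest

# Fixed (version, release) per product, taken from the Package List above.
FIXED = {
    "Basesystem Module 15-SP2": {
        "shim": ("15.4", "3.32.1"),
        "shim-debuginfo": ("15.4", "3.32.1"),
        "shim-debugsource": ("15.4", "3.32.1"),
    },
    "Basesystem Module 15-SP3": {
        "shim-susesigned": ("15.4", "3.10.1"),
    },
    "SUSE Linux Enterprise Micro 5.0": {
        "shim": ("15.4", "3.32.1"),
        "shim-debuginfo": ("15.4", "3.32.1"),
        "shim-debugsource": ("15.4", "3.32.1"),
    },
}

# Constructed output of: rpm -qa 'shim*' --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
SAMPLE_RPM_QA = """\
shim 15.4-3.30.1
shim-debugsource 15.4-3.32.1
"""

_TOKEN = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Compare two RPM version or release strings; returns -1, 0 or 1.

    Follows librpm's rpmvercmp: separators are ignored, numeric segments
    compare numerically, alphabetic segments compare lexically, a numeric
    segment beats an alphabetic one, a longer string beats its prefix, and
    "~" sorts before anything else (so 1.0~rc1 < 1.0). The "^" rule is omitted.
    """
    if a == b:
        return 0
    for x, y in zip_longest(_TOKEN.findall(a), _TOKEN.findall(b)):
        if x == "~" or y == "~":
            if x == y:
                continue
            return -1 if x == "~" else 1
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x != y:
            return -1 if x < y else 1
    return 0


def is_fixed(installed_vr, fixed_vr):
    """True if an installed 'version-release' is at or above the fixed one."""
    version, release = installed_vr.rsplit("-", 1)
    result = rpmvercmp(version, fixed_vr[0])
    if result == 0:
        result = rpmvercmp(release, fixed_vr[1])
    return result >= 0


def audit(product, rpm_qa_output):
    """Map each package fixed for `product` to 'patched', 'outdated (...)'
    or 'not installed', based on rpm -qa style output."""
    installed = dict(line.split() for line in rpm_qa_output.splitlines() if line.strip())
    report = {}
    for name, fixed in FIXED[product].items():
        if name not in installed:
            report[name] = "not installed"
        elif is_fixed(installed[name], fixed):
            report[name] = "patched"
        else:
            report[name] = f"outdated ({installed[name]} < {fixed[0]}-{fixed[1]})"
    return report


if __name__ == "__main__":
    for name, status in audit("Basesystem Module 15-SP2", SAMPLE_RPM_QA).items():
        print(f"{name}: {status}")
```

A plain string comparison would get cases like 3.10.1 versus 3.32.1 or 15.4 versus 15.10 wrong, which is why the segment-wise comparison is worth carrying even in a small audit script.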
