SUSE-RU-2021:3224-1: moderate: Recommended update for shim-susesigned

sle-updates at lists.suse.com
Fri Sep 24 13:21:14 UTC 2021


   SUSE Recommended Update: Recommended update for shim-susesigned
______________________________________________________________________________

Announcement ID:    SUSE-RU-2021:3224-1
Rating:             moderate
References:         #1177315 #1177789 #1182057 #1184454 #1185232 
                    #1185261 #1185441 #1185464 #1185621 #1185961 
                    #1187260 #1187696 
Affected Products:
                    SUSE MicroOS 5.0
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
                    SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

   An update that has 12 recommended fixes can now be
   installed.

Description:

   This update for shim-susesigned fixes the following issues:

   Sync with Microsoft signed shim to Thu Jul 15 08:13:26 UTC 2021.

   This update addresses the "susesigned" shim component.

   shim was updated to 15.4 (bsc#1182057)

   - console: Move the countdown function to console.c
   - fallback: show a countdown menu before reset
   - MOK: Fix the missing vendor cert in MokListRT
   - mok: fix the mirroring of RT variables
   - Add the license change statement for errlog.c and mok.c
   - Remove a couple of incorrect license claims.
   - MokManager: Use CompareMem on MokListNode.Type instead of CompareGuid
   - Make EFI variable copying fatal only on secureboot enabled systems
   - Remove call to TPM2 get_event_log
   - tpm: Fix off-by-one error when calculating event size
   - tpm: Define EFI_VARIABLE_DATA_TREE as packed
   - tpm: Don't log duplicate identical events
   - VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls
   - OpenSSL: always provide OBJ_create() with name strings.
   - translate_slashes(): don't write to string literals
   - Fix a use of strlen() instead of Strlen()
   - shim: Update EFI_LOADED_IMAGE with the second stage loader file path
   - tpm: Include information about PE/COFF images in the TPM Event Log
   - Fix a broken tpm type
   - All newly released openSUSE kernels enable kernel lockdown and signature
     verification, so there is no need to add the prompt anymore.
   - Fix the NULL pointer dereference in AuthenticodeVerify()
   - Remove the build ID to make the binary reproducible when building with
     AArch64 container
   - Prevent the build ID from being added to the binary, since it can cause
     issues with the signature
   - Allocate MOK config table as BootServicesData to avoid the error message
     from linux kernel
   - Handle ignore_db and user_insecure_mode correctly (bsc#1185441)
   - Relax the maximum variable size check for u-boot
   - Relax the check for import_mok_state() when Secure Boot is off
   - Relax the check for the LoadOptions length
   - Fix the size of rela* sections for AArch64
   - Disable exporting vendor-dbx to MokListXRT
   - Don't call QueryVariableInfo() on EFI 1.10 machines
   - Avoid buffer overflow when copying the MOK config table
   - Avoid deleting the mirrored RT variables
   - Update to 15.3 for SBAT support (bsc#1182057)
   - Generate vendor-specific SBAT metadata
   - Rename the SBAT variable and fix the self-check of SBAT
   - Split the keys in vendor-dbx.bin to vendor-dbx-sles and
     vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce the size
     of MokListXRT (bsc#1185261)
   - shim-install: reset def_shim_efi to "shim.efi" if the given file doesn't
     exist
   - shim-install: instead of assuming "removable" for Azure, remove
     fallback.efi from \EFI\Boot and copy grub.efi/cfg to \EFI\Boot to make
     \EFI\Boot bootable and keep the boot option created by efibootmgr
     (bsc#1185464, bsc#1185961)
   - shim-install: always assume "removable" for Azure to avoid the endless
     reset loop (bsc#1185464)
   - shim-install: Support changing default shim efi binary in
     /usr/etc/default/shim and /etc/default/shim (bsc#1177315)
   - Update dbx-cert.tar.xz and vendor-dbx.bin to block the following signing
     keys:
     + SLES-UEFI-SIGN-Certificate-2020-07.crt
     + openSUSE-UEFI-SIGN-Certificate-2020-07.crt


Patch Instructions:

   To install this SUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE MicroOS 5.0:

      zypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-3224=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-3224=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-3224=1



Package List:

   - SUSE MicroOS 5.0 (x86_64):

      shim-15.4-3.32.1
      shim-debuginfo-15.4-3.32.1
      shim-debugsource-15.4-3.32.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64):

      shim-susesigned-15.4-3.10.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP2 (x86_64):

      shim-15.4-3.32.1
      shim-debuginfo-15.4-3.32.1
      shim-debugsource-15.4-3.32.1


References:

   https://bugzilla.suse.com/1177315
   https://bugzilla.suse.com/1177789
   https://bugzilla.suse.com/1182057
   https://bugzilla.suse.com/1184454
   https://bugzilla.suse.com/1185232
   https://bugzilla.suse.com/1185261
   https://bugzilla.suse.com/1185441
   https://bugzilla.suse.com/1185464
   https://bugzilla.suse.com/1185621
   https://bugzilla.suse.com/1185961
   https://bugzilla.suse.com/1187260
   https://bugzilla.suse.com/1187696


