openSUSE Security Update : shim (openSUSE-2021-598)


This update for shim fixes the following issues : - Updated openSUSE x86 signature - Avoid the error message during linux system boot (boo#1184454) - Prevent the build id being added to the binary. That can cause issues with the signature Update to 15.4 (boo#1182057) + Rename the SBAT variable and fix the self-check of SBAT + sbat: add more dprint() + arm/aa64: Swizzle some sections to make old sbsign happier + arm/aa64 targets: put .rel* and .dyn* in .rodata - Change the SBAT variable name and enhance the handling of SBAT (boo#1182057) Update to 15.3 for SBAT support (boo#1182057) + Drop gnu-efi from BuildRequires since upstream pull it into the - Generate vender-specific SBAT metadata + Add dos2unix to BuildRequires since Makefile requires it for vendor SBAT - Update dbx-cert.tar.xz and vendor-dbx.bin to block the following sign keys : + SLES-UEFI-SIGN-Certificate-2020-07.crt + openSUSE-UEFI-SIGN-Certificate-2020-07.crt - Check CodeSign in the signer's EKU (boo#1177315) - Fixed NULL pointer dereference in AuthenticodeVerify() (boo#1177789, CVE-2019-14584) - All newly released openSUSE kernels enable kernel lockdown and signature verification, so there is no need to add the prompt anymore. - shim-install: Support changing default shim efi binary in /usr/etc/default/shim and /etc/default/shim (boo#1177315)