SUSE-SU-2024:1462-1 -- SLES shim | ID: oval:org.secpod.oval:def:89051830 | Date: (C)2024-06-18 (M)2024-06-18 |
Class: PATCH | Family: unix |
This update for shim fixes the following issues:
* Update shim-install to set the TPM2 SRK algorithm
* Limit the requirement of fde-tpm-helper-macros to distributions with suse_version 1600 and above
Update to version 15.8. Security issues fixed:
* mok: fix LogError invocation
* Avoid incorrectly trusting HTTP headers
* Fix integer overflow on the SBAT section size on 32-bit systems
* Authenticode: verify that the signature header is in bounds
* pe: fix an out-of-bounds read in verify_buffer_sbat
* pe-relocate: fix the bounds check for MZ binaries
The NX flag is disabled, which is the same as the default in shim 15.8, so this patch no longer needs to enable it.
* Generate dbx during the build so we don't include binary files in the sources
* Don't require grub, so shim can still be used with systemd-boot
* Update shim-install to fix a boot failure with an ext4 root file system on RAID10
* Adopt the macros from fde-tpm-helper-macros to update the signature in the sealed key after a bootloader upgrade
* Update shim-install to amend full disk encryption support
* Adopt the TPM 2.0 Key File for the grub2 TPM 2.0 protector
* Use the long name to specify the grub2 key protector
* cryptodisk: support TPM authorized policies
* Do not use tpm_record_pcrs unless the command is in command.lst
* Removed POST_PROCESS_PE_FLAGS=-N from the build command in shim.spec to enable the NX compatibility flag when using post-process-pe, after discussion with grub2 experts by mail. It's useful for further development and testing.
Platform: |
SUSE Linux Enterprise Server 12 SP5 |
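Several of the fixes above (the SBAT section size overflow on 32-bit, the Authenticode signature header bounds check, the out-of-bounds read in verify_buffer_sbat, the MZ relocation bounds check) are one bug class: a PE section or header is located by an attacker-controlled offset and size, and the check that it lies inside the loaded image is written as `offset + size <= length`, which wraps on 32-bit arithmetic. The block below is an added illustration of that class and of the overflow-free form of the check; it is not shim's code and does not reproduce any of the patched functions. The struct, function names and the constructed image are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical, minimal stand-in for a PE section header: only the two
 * fields that matter for the bounds check (PointerToRawData/SizeOfRawData). */
struct section_desc {
    uint32_t raw_offset;
    uint32_t raw_size;
};

/* Naive check. The sum is formed in 32-bit unsigned arithmetic, so an
 * offset near UINT32_MAX plus a small size wraps to a small number and the
 * section is wrongly accepted. The cast makes the wrap explicit even when
 * this is compiled on a 64-bit host. */
bool section_in_bounds_naive(uint32_t image_len, const struct section_desc *s)
{
    uint32_t end = (uint32_t)(s->raw_offset + s->raw_size);   /* BUG: may wrap */
    return end <= image_len;
}

/* Hardened check. Never form offset + size; compare against the remaining
 * space instead, which cannot overflow. A zero-length section is rejected
 * because nothing can be parsed from it. */
bool section_in_bounds_safe(uint32_t image_len, const struct section_desc *s)
{
    if (s->raw_size == 0)
        return false;
    if (s->raw_offset > image_len)
        return false;
    return s->raw_size <= image_len - s->raw_offset;
}

/* Returns a pointer to the section's bytes only when the hardened check
 * passes, otherwise NULL. This is the pattern a parser should use before
 * reading any field out of a section. */
const uint8_t *section_data(const uint8_t *image, uint32_t image_len,
                            const struct section_desc *s)
{
    if (!section_in_bounds_safe(image_len, s))
        return NULL;
    return image + s->raw_offset;
}

int main(void)
{
    /* Constructed 4 KiB image; contents are irrelevant for the bounds check. */
    static uint8_t image[0x1000];
    const uint32_t image_len = (uint32_t)sizeof image;

    struct section_desc good = { .raw_offset = 0x200u, .raw_size = 0x100u };
    /* Offset chosen so that offset + size wraps to 0x10 in 32 bits. */
    struct section_desc wrap = { .raw_offset = 0xFFFFFFF0u, .raw_size = 0x20u };

    printf("good  naive=%d safe=%d\n",
           section_in_bounds_naive(image_len, &good),
           section_in_bounds_safe(image_len, &good));
    printf("wrap  naive=%d safe=%d data=%p\n",
           section_in_bounds_naive(image_len, &wrap),
           section_in_bounds_safe(image_len, &wrap),
           (const void *)section_data(image, image_len, &wrap));
    return 0;
}
```

The same shape applies to any header that carries its own size field (a SBAT section, an Authenticode signature directory entry, a relocation block): validate the size against the space remaining after the offset, and only then dereference.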