shim-15.8-150300.4.20.2<>,8f! p9|3zqN} 57$:tm qb<w2e)[U4T@5PzUX,JX9%fΧ<1ҷDpw 0\xm#X^+"4з9zPCwS*<&xq'' g@Μ?Όd   +  ,29L   $   J     D  ( 8 |9 |:4|>!G,HtIȼXY\]H^ bʷc`defluvDw̌xy 3<@FΈCshim15.8150300.4.20.2UEFI shim loadershim is a trivial EFI application that, when run, attempts to open and execute another application.f! h04-ch2al=SUSE Linux Enterprise 15SUSE LLC BSD-2-Clausehttps://www.suse.com/System/Boothttps://github.com/rhboot/shimlinuxx86_64 loader_type=`sed -n \ "/^[^#]*LOADER_TYPE=/{s@.*=\(.*\)@\1@;s@^[\"']@@;s@[\"']\\$@@;p;q}" \ /etc/sysconfig/bootloader \ 2>/dev/null || :` for bl in grub2-efi; do if test "x${bl}" == "x$loader_type"; then mkdir -p /run/update-bootloader/ touch /run/update-bootloader/reinit break fi done # copy from kernel-scriptlets/cert-script is_efi () { local msg rc=0 # The below statement fails if mokutil isn't installed or UEFI is unsupported. # It doesn't fail if UEFI is available but secure boot is off. msg="$(mokutil --sb-state 2>&1)" || rc=$? return $rc } # run mokutil for setting sbat policy to latest mode EFIVARFS=/sys/firmware/efi/efivars SBAT_POLICY="$EFIVARFS/SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23" if is_efi; then if [ -w $EFIVARFS ] && \ [ ! -f "$SBAT_POLICY" ] && \ mokutil -h | grep -q "set-sbat-policy"; \ then # Only apply CA check on the kernel package certs (bsc#1173115) mokutil --set-sbat-policy latest fi fi%#$$< b( AA큤AA큤AA큤$f! f! f! f! f! f! f! f! f! f! emf! f! f! f! f! f! f! c315e37690d6847d6603db8c6f7b4c20aae7c89af3bf5e8e41c48416ea1da5b449f2e63f2e7f0cc94dab42932e26ea4160ef96860f6e2cc0f9d72ec12c1b8cbf15edf527919ddcb2f514ab9d16ad07ef219e4bb490e0b79560be510f0c159cc276835854721ad33f1a3ac4184ddf05484a3958db5813e28516b16e0d59819a2ec840eb1f5b5e97dad1554d4dcec72ae4fadc65d81500dfb6a15b32f5902002a5c315e37690d6847d6603db8c6f7b4c20aae7c89af3bf5e8e41c48416ea1da5b4a60d256c802849a0a5e23fe5298ddcf7f78445cc71f519b64573dcb61af0e6ff../../share/efi/x86_64/MokManager.efi../../share/efi/x86_64/fallback.efi../../share/efi/x86_64/shim-sles.efi../../share/efi/x86_64/shim-sles.efishim-sles.efirootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootshim-15.8-150300.4.20.2.src.rpmshimshim(x86-64)@      /bin/bash/bin/sh/bin/shmokutilperl-Bootloaderrpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-14.14.3f! @eepe@eAee@e e @dbd7d7d3@d!@c@c#@c~ @cwscwscv"@cv"@cs@cs@cs@c5c@b@bbޅb@bUi`#@`ݮ@`@`@`@`9@````q`+`@`@``N@`e@``n@`m`dd@`a@`[)`J@`F` @___@__[@_R,@_C_?@_+_$__*@_X@_X@^0^@^oj@]e@]V\@\r@\}\,@\eX@\N\@n@\Size of reloc section f7a4338 Skip testing msleep() 549d346 Rename 'msecs' to 'usecs' to avoid potential confusion 908c388 Change type of fallback_verbose_wait from int to unsigned long 05eae92 Add SbatLevel_Variable.txt to document the various revocations 243f125 Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL 89d25a1 Add a make rule for compile_commands.json 118ff87 Add gnu-stack notes f132655 test: Make our fake dprintf be a statement. be00279 Remove CentOS 7 test builds. 9964960 Split pe.c up even more. 569270d Test (and fix) ImageAddress() 61e9894 Verify signature before verifying sbat levels 1578b55 Add libFuzzer support for csv.c a0673e3 Fix a 1-byte memory leak in .sbat parsing. e246812 Add libFuzzer support to the .sbat parser. fd43eda Work around ImageAddress() usage mistake 1e985a3 Correctly free memory allocated in handle_image() dbbe3c8 mok: Avoid underflow in maximum variable size calculation 04111d4 Make some of the static analysis tools a little easier to run 7ba7440 compile_commands.json: remove stuff clang doesn't like 66e6579 CVE-2023-40546 mok: fix LogError() invocation f271826 Add primitives for overflow-checked arithmetic operations. 8372147 pe-relocate: Add a fuzzer for read_header() 5a5147d CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries e912071 pe-relocate: make read_header() use checked arithmetic operations. 93ce255 CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat() e7f5fdf pe-relocate: Ensure nothing else implements CVE-2023-40550 afdc503 CVE-2023-40549 Authenticode: verify that the signature header is in bounds. 96dccc2 CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system dae82f6 Further mitigations against CVE-2023-40546 as a class ea0f9df Allow SbatLevel data from external binary b078ef2 Always clear SbatLevel when Secure Boot is disabled 7dfb687 BS Variables for bootmgr revocations a967c0e shim should not self revoke 577cedd Print message when refusing to apply SbatLevel e801b0d sbat revocations: check the full section name 0226b56 CVE-2023-40547 - avoid incorrectly trusting HTTP headers 6f0c8d2 Print errors when setting/clearing memory attrs 57c0eed Updated Revocations for January 2024 CVEs 49c6d95 Fix some minor ia32 build issues. be8ff7c post-process-pe: Don't set the NX_COMPAT flag by default after all. 13abd9f pe-relocate: Avoid __builtin_add_overflow() on GCC < 5 c46c975 Suppress "Failed to open <..>\revocations.efi" when file does not exist 30a4f37 Rename "previous" revocations to "automatic" 6f395c2 Build time selectable automatic SBATLevel revocations a23e2f0 netboot read_image() should not hardcode DEFAULT_LOADER 993a345 Try to load revocations.efi even if directory read fails 1770a03 gitmodules: use shim-15.8 for gnu-efi branch 5914984 (HEAD -> main, tag: latest-release, tag: 15.8, origin/main, origin/HEAD) Bump version to 15.8- Generate dbx during build so we don't include binary files in sources- Don't require grub so shim can still be used with systemd-boot- Update shim-install to fix boot failure of ext4 root file system on RAID10 (bsc#1205855) 226c94ca5cfca Use hint in looking for root if possible- Adopt the macros from fde-tpm-helper-macros to update the signature in the sealed key after a bootloader upgrade- Update shim-install to amend full disk encryption support b540061e041b Adopt TPM 2.0 Key File for grub2 TPM 2.0 protector f2e8143ce831 Use the long name to specify the grub2 key protector 72830120e5ea cryptodisk: support TPM authorized policies 49e7a0d307f3 Do not use tpm_record_pcrs unless the command is in command.lst- Sometimes SLE shim signature be Microsoft updated before openSUSE shim signature. When submit request on IBS for updating SLE shim, the submitreq project be generated, but it always be blocked by checking the signature of openSUSE shim. It doesn't make sense checking openSUSE shim signature when building SLE shim on SLE platform, and vice versa. So the following change adds the logic to compare suffix (sles, opensuse) with distro_id (sle, opensuse). When and only when hash mismatch and distro_id match with suffix, stop building. [#] compare suffix (sles, opensuse) with distro_id (sle, opensuse) [#] when hash mismatch and distro_id match with suffix, stop building- Upgrade shim-install for bsc#1210382 After closing Leap-gap project since Leap 15.3, openSUSE Leap direct uses shim from SLE. So the ca_string is 'SUSE Linux Enterprise Secure Boot CA1', not 'openSUSE Secure Boot CA1'. It causes that the update_boot=no, so all files in /boot/efi/EFI/boot are not updated. The 86b73d1 patch added the logic that using ID field in os-release for checking Leap distro and set ca_string to 'SUSE Linux Enterprise Secure Boot CA1'. Then /boot/efi/EFI/boot/* can also be updated. - https://github.com/SUSE/shim-resources (git log --oneline) 86b73d1 Fix that bootx64.efi is not updated on Leap f2e8143 Use the long name to specify the grub2 key protector 7283012 cryptodisk: support TPM authorized policies 49e7a0d Do not use tpm_record_pcrs unless the command is in command.lst 26c6bd5 Have grub take a snapshot of "relevant" TPM PCRs 5c2c3ad Handle different cases of controlling cryptomount volumes during first stage boot a5c5734 Introduce --no-grub-install option- Removed POST_PROCESS_PE_FLAGS=-N from the build command in shim.spec to enable the NX compatibility flag when using post-process-pe after discussed with grub2 experts in mail. It's useful for further development and testing. (bsc#1205588)- Updated shim signature after shim 15.7 of SLE be signed back: signature-sles.x86_64.asc, signature-sles.aarch64.asc (bsc#1198458, CVE-2022-28737)- Removed shim-bsc1198101-opensuse-cert-prompt.patch (bsc#1198101) - Detail discussion is in bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1198101 - The shim community review and challenge this prompt. No other distro shows prompt (Have checked Fedora 37, CentOS 9 and Ubuntu 22.10). Currently, it blocked the review process of openSUSE shim. - Other distros lock-down kernel when secure boot is enabled. Some of them used different key for signing kernel binary with In-tree kernel module. And their build service does not provide signed Out-off-tree module.- Modified shim-install, add the following Olaf Kirch's patches to support full disk encryption: (jsc#PED-922) a5c57340740c Introduce --no-grub-install option 5c2c3addc51f Handle different cases of controlling cryptomount volumes during first stage boot 26c6bd5df7ae Have grub take a snapshot of "relevant" TPM PCRs- Add POST_PROCESS_PE_FLAGS=-N to the build command in shim.spec to disable the NX compatibility flag when using post-process-pe because grub2 is not ready. (bsc#1205588) - Kernel can boot with the NX compatibility flag since 82e0d6d76a2a7 be merged to v5.19. On the other hand, upstream is working on improve compressed kernel stage for NX: [PATCH v3 00/24] x86_64: Improvements at compressed kernel stage https://www.spinics.net/lists/kernel/msg4599636.html- Add shim-Enable-the-NX-compatibility-flag-by-default.patch to enable the NX compatibility flag by default. (jsc#PED-127)- Drop upstreamed patch: - shim-Enable-TDX-measurement-to-RTMR-register.patch - Enable TDX measurement to RTMR register (jsc#PED-1273) - 4fd484e4c2 15.7- Update to 15.7 (bsc#1198458)(jsc#PED-127) - Patches (git log --oneline --reverse 15.6..15.7) 0eb07e1 Make SBAT variable payload introspectable 092c2b2 Reference MokListRT instead of MokList 8b59b69 Add a link to the test plan in the readme. 4fd484e Enable TDX measurement to RTMR register 14d6339 Discard load-options that start with a NUL 5c537b3 shim: Flush the memory region from i-cache before execution 2d4ebb5 load_cert_file: Fix stack issue ea4911c load_cert_file: Use EFI RT memory function 0cf43ac Add -malign-double to IA32 compiler flags 17f0233 pe: Fix image section entry-point validation 5169769 make-archive: Build reproducible tarball aa1b289 mok: remove MokListTrusted from PCR 7 53509ea CryptoPkg/BaseCryptLib: fix NULL dereference 616c566 More coverity modeling ea0d0a5 Update shim's .sbat to sbat,3 dd8be98 Bump grub's sbat requirement to grub,3 1149161 (HEAD -> main, tag: 15.7, origin/main, origin/HEAD) Update version to 15.7 - 15.7 release note https://github.com/rhboot/shim/releases Make SBAT variable payload introspectable by @chrisccoulson in #483 Reference MokListRT instead of MokList by @esnowberg in #488 Add a link to the test plan in the readme. by @vathpela in #494 [V3] Enable TDX measurement to RTMR register by @kenplusplus in #485 Discard load-options that start with a NUL by @frozencemetery in #505 load_cert_file bugs by @esnowberg in #523 Add -malign-double to IA32 compiler flags by @nicholasbishop in #516 pe: Fix image section entry-point validation by @iokomin in #518 make-archive: Build reproducible tarball by @julian-klode in #527 mok: remove MokListTrusted from PCR 7 by @baloo in #519 - Drop upstreamed patch: - shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch - Cryptlib/CryptAuthenticode: fix NULL pointer dereference in AuthenticodeVerify() - 53509eaf22 15.7 - shim-jscPED-127-upgrade-shim-in-SLE15-SP5.patch - For backporting the following patches between 15.6 with aa1b289a1a (jsc#PED-127) - The following patches are merged to 15.7 aa1b289a1a mok: remove MokListTrusted from PCR 7 0cf43ac6d7 Add -malign-double to IA32 compiler flags ea4911c2f3 load_cert_file: Use EFI RT memory function 2d4ebb5a79 load_cert_file: Fix stack issue 5c537b3d0c shim: Flush the memory region from i-cache before execution 14d6339829 Discard load-options that start with a NUL 092c2b2bbe Reference MokListRT instead of MokList 0eb07e11b2 Make SBAT variable payload introspectable- Update shim.changes, added missed shim 15.6-rc1 and 15.6 changelog to the item in Update to 15.6. (bsc#1198458)- Add shim-jscPED-127-upgrade-shim-in-SLE15-SP5.patch for backporting the following patches between 15.6 with aa1b289a1a (jsc#PED-127): aa1b289a1a16774afc3143b8948d97261f0872d0 mok: remove MokListTrusted from PCR 7 0cf43ac6d78c6f47f8b91210639ac1aa63665f0b Add -malign-double to IA32 compiler flags ea4911c2f3ce8f8f703a1476febac86bb16b00fd load_cert_file: Use EFI RT memory function 2d4ebb5a798aafd3b06d2c3cb9c9840c1caa41ef load_cert_file: Fix stack issue 5c537b3d0cf8c393dad2e61d49aade68f3af1401 shim: Flush the memory region from i-cache before execution 14d63398298c8de23036a4cf61594108b7345863 Discard load-options that start with a NUL 092c2b2bbed950727e41cf450b61c794881c33e7 Reference MokListRT instead of MokList 0eb07e11b20680200d3ce9c5bc59299121a75388 Make SBAT variable payload introspectable- Add shim-Enable-TDX-measurement-to-RTMR-register.patch to support enhance shim measurement to TD RTMR. (jsc#PED-1273)- For pushing openSUSE:Factory/shim to SLE15-SP5, sync the shim.spec and shim.changes: (jsc#PED-127) - Add some change log from SLE shim.changes to Factory shim.changes Those messages are added "(sync shim.changes from SLE)" tag. - Add the following changes to shim.spec - only apply Patch100, the shim-bsc1198101-opensuse-cert-prompt.patch on openSUSE. - Enable the AArch64 signature check for SLE: [#] AArch64 signature signature=%{SOURCE13}- shim-install: ensure grub.cfg created is not overwritten after installing grub related files- Add logic to shim.spec to only set sbat policy when efivarfs is writeable. (bsc#1201066)- Add logic to shim.spec for detecting --set-sbat-policy option before using mokutil to set sbat policy. (bsc#1202120)- Change the URL in SBAT section to mail:security@suse.de. (bsc#1193282)- Revoked the change in shim.spec for "use common SBAT values (boo#1193282)" - we need to build openSUSE Tumbleweed's shim on Leap 15.4 because Factory is unstable for building out a stable shim binary for signing. (bsc#1198458) - But the rpm-config-suse package in Leap 15.4 is direct copied from SLE 15.4 because closing-the-leap-gap. So sbat_distro_* variables are SLE version, not for openSUSE. (bsc#1198458)- Update to 15.6 (bsc#1198458) - shim-15.6.tar.bz2 is downloaded from bsc#1198458#c76 which is from upstream grub2.cve_2021_3695.ms keybase channel. - For building 15.6~rc1 aarch64 image (d6eb9c6 Modernize aarch64), objcopy needs to support efi-app-aarch64 target. So we need the following patches in bintuils: - binutils-AArch64-Add-support-for-AArch64-EFI-efi-aarch64.patch b69c9d41e8 AArch64: Add support for AArch64 EFI (efi-*-aarch64). - binutils-Re-AArch64-Add-support-for-AArch64-EFI-efi-aarch64.patch 32384aa396 Re: AArch64: Add support for AArch64 EFI (efi-*-aarch64) - binutils-Re-Add-support-for-AArch64-EFI-efi-aarch64.patch d91c67e873 Re: Add support for AArch64 EFI (efi-*-aarch64) - Patches (git log --oneline --reverse 15.5~..77144e5a4) 448f096 MokManager: removed Locate graphic output protocol fail error message (bsc#1193315, bsc#1198458) a2da05f shim: implement SBAT verification for the shim_lock protocol bda03b8 post-process-pe: Fix a missing return code check af18810 CI: don't cancel testing when one fails ba580f9 CI: remove EOL Fedoras from github actions bfeb4b3 Remove aarch64 build tests before f35 38cc646 CI: Add f36 and centos9 CI build tests. b5185cb post-process-pe: Fix format string warnings on 32-bit platforms 31094e5 tests: also look for system headers in multi-arch directories 4df989a mock-variables.c: fix gcc warning 6aac595 test-str.c: fix gcc warnings with FORTIFY_SOURCE enabled 2670c6a Allow MokListTrusted to be enabled by default 5c44aaf Add code of conduct d6eb9c6 Modernize aarch64 9af50c1 Use ASCII as fallback if Unicode Box Drawing characters fail de87985 make: don't treat cert.S specially 803dc5c shim: use SHIM_DEVEL_VERBOSE when built in devel mode 6402f1f SBAT matching: Break out of the inner sbat loop if we find the entry. bb4b60e Add verify_image acfd48f Abstract out image reading 35d7378 Load additional certs from a signed binary 8ce2832 post-process-pe: there is no 's' argument. 465663e Add some missing PE image flag definitions 226fee2 PE Loader: support and require NX df96f48 Add MokPolicy variable and MOK_POLICY_REQUIRE_NX b104fc4 post-process-pe: set EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT f81a7cc SBAT revocation management abe41ab make: unbreak scan-build again for gnu-efi 610a1ac sbat.h: minor reformatting for legibility f28833f peimage.h: make our signature macros force the type 5d789ca Always initialize data/datasize before calling read_image() a50d364 sbat policy: make our policy change actions symbolic 5868789 load_certs: trust dir->Read() slightly less. a78673b mok.c: fix a trivial dead assignment 759f061 Fix preserve_sbat_uefi_variable() logic aa61fdf Give the Coverity scanner some more GCC blinders... 0214cd9 load_cert_file(): don't defererence NULL 1eca363 mok import: handle OOM case 75449bc sbat: Make nth_sbat_field() honor the size limit c0bcd04 shim-15.6~rc1 77144e5 SBAT Policy latest should be a one-shot - 15.5 release note https://github.com/rhboot/shim/releases Broken ia32 relocs and an unimportant submodule change. by @vathpela in #357 mok: allocate MOK config table as BootServicesData by @lcp in #361 Don't call QueryVariableInfo() on EFI 1.10 machines by @vathpela in #364 Relax the check for import_mok_state() by @lcp in #372 SBAT.md: trivial changes by @hallyn in #389 shim: another attempt to fix load options handling by @chrisccoulson in #379 Add tests for our load options parsing. by @vathpela in #390 arm/aa64: fix the size of .rela* sections by @lcp in #383 mok: fix potential buffer overrun in import_mok_state by @jyong2 in #365 mok: relax the maximum variable size check by @lcp in #369 Don't unhook ExitBootServices when EBS protection is disabled by @sforshee in #378 fallback: find_boot_option() needs to return the index for the boot entry in optnum by @jsetje in #396 httpboot: Ignore case when checking HTTP headers by @frozencemetery in #403 Fallback allocation errors by @vathpela in #402 shim: avoid BOOTx64.EFI in message on other architectures by @xypron in #406 str: remove duplicate parameter check by @xypron in #408 fallback: add compile option FALLBACK_NONINTERACTIVE by @xnox in #359 Test mok mirror by @vathpela in #394 Modify sbat.md to help with readability. by @eshiman in #398 csv: detect end of csv file correctly by @xypron in #404 Specify that the .sbat section is ASCII not UTF-8 by @daxtens in #413 tests: add "include-fixed" GCC directory to include directories by @diabonas in #415 pe: simplify generate_hash() by @xypron in #411 Don't make shim abort when TPM log event fails (RHBZ #2002265) by @rmetrich in #414 Fallback to default loader if parsed one does not exist by @julian-klode in #393 fallback: Fix for BootOrder crash when index returned by find_boot_option() is not in current BootOrder list by @rmetrich in #422 Better console checks by @vathpela in #416 docs: update SBAT UEFI variable name by @nicholasbishop in #421 Don't parse load options if invoked from removable media path by @julian-klode in #399 fallback: fix fallback not passing arguments of the first boot option by @martinezjavier in #433 shim: Don't stop forever at "Secure Boot not enabled" notification by @rmetrich in #438 Shim 15.5 coverity by @vathpela in #439 Allocate mokvar table in runtime memory. by @vathpela in #447 Remove post-process-pe on 'make clean' by @vathpela in #448 pe: missing perror argument by @xypron in #443 - 15.6-rc1 release note https://github.com/rhboot/shim/releases MokManager: removed Locate graphic output protocol fail error message by @joeyli in #441 shim: implement SBAT verification for the shim_lock protocol by @chrisccoulson in #456 post-process-pe: Fix a missing return code check by @vathpela in #462 Update github actions matrix to be more useful by @frozencemetery in #469 Add f36 and centos9 CI builds by @vathpela in #470 post-process-pe: Fix format string warnings on 32-bit platforms by @steve-mcintyre in #464 tests: also look for system headers in multi-arch directories by @steve-mcintyre in #466 tests: fix gcc warnings by @akodanev in #463 Allow MokListTrusted to be enabled by default by @esnowberg in #455 Add code of conduct by @frozencemetery in #427 Re-add ARM AArch64 support by @vathpela in #468 Use ASCII as fallback if Unicode Box Drawing characters fail by @vathpela in #428 make: don't treat cert.S specially by @vathpela in #475 shim: use SHIM_DEVEL_VERBOSE when built in devel mode by @vathpela in #474 Break out of the inner sbat loop if we find the entry. by @vathpela in #476 Support loading additional certificates by @esnowberg in #446 Add support for NX (W^X) mitigations. by @vathpela in #459 Misc fixups from scan-build. by @vathpela in #477 Fix preserve_sbat_uefi_variable() logic by @jsetje in #478 - 15.6 release note https://github.com/rhboot/shim/releases MokManager: removed Locate graphic output protocol fail error message by @joeyli in #441 shim: implement SBAT verification for the shim_lock protocol by @chrisccoulson in #456 post-process-pe: Fix a missing return code check by @vathpela in #462 Update github actions matrix to be more useful by @frozencemetery in #469 Add f36 and centos9 CI builds by @vathpela in #470 post-process-pe: Fix format string warnings on 32-bit platforms by @steve-mcintyre in #464 tests: also look for system headers in multi-arch directories by @steve-mcintyre in #466 tests: fix gcc warnings by @akodanev in #463 Allow MokListTrusted to be enabled by default by @esnowberg in #455 Add code of conduct by @frozencemetery in #427 Re-add ARM AArch64 support by @vathpela in #468 Use ASCII as fallback if Unicode Box Drawing characters fail by @vathpela in #428 make: don't treat cert.S specially by @vathpela in #475 shim: use SHIM_DEVEL_VERBOSE when built in devel mode by @vathpela in #474 Break out of the inner sbat loop if we find the entry. by @vathpela in #476 Support loading additional certificates by @esnowberg in #446 Add support for NX (W^X) mitigations. by @vathpela in #459 Misc fixups from scan-build. by @vathpela in #477 Fix preserve_sbat_uefi_variable() logic by @jsetje in #478 SBAT Policy latest should be a one-shot by @jsetje in #481 pe: Fix a buffer overflow when SizeOfRawData > VirtualSize by @chriscoulson pe: Perform image verification earlier when loading grub by @chriscoulson Update advertised sbat generation number for shim by @jsetje Update SBAT generation requirements for 05/24/22 by @jsetje Also avoid CVE-2022-28737 in verify_image() by @vathpela - Drop upstreamed patch: - shim-bsc1184454-allocate-mok-config-table-BS.patch - Allocate MOK config table as BootServicesData to avoid the error message from linux kernel - 4068fd42c8 15.5-rc1~70 - shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch - Handle ignore_db and user_insecure_mode correctly - 822d07ad4f07 15.5-rc1~73 - shim-bsc1185621-relax-max-var-sz-check.patch - Relax the maximum variable size check for u-boot - 3f327f546c219634b2 15.5-rc1~49 - shim-bsc1185261-relax-import_mok_state-check.patch - Relax the check for import_mok_state() when Secure Boot is off - 9f973e4e95b113 15.5-rc1~67 - shim-bsc1185232-relax-loadoptions-length-check.patch - Relax the check for the LoadOptions length - ada7ff69bd8a95 15.5-rc1~52 - shim-fix-aa64-relsz.patch - Fix the size of rela* sections for AArch64 - 34e3ef205c5d65 15.5-rc1~51 - shim-bsc1187260-fix-efi-1.10-machines.patch - Don't call QueryVariableInfo() on EFI 1.10 machines - 493bd940e5 15.5-rc1~69 - shim-bsc1185232-fix-config-table-copying.patch - Avoid buffer overflow when copying the MOK config table - 7501b6bb44 15.5-rc1~50 - shim-bsc1187696-avoid-deleting-rt-variables.patch - Avoid deleting the mirrored RT variables - b1fead0f7c9 15.5-rc1~37 - Add "rm -f *.o" after building MokManager/fallback in shim.spec to make sure all object files gets rebuilt - reference: https://github.com/rhboot/shim/pull/461 - The following fix-CVE-2022-28737-v6 patches against bsc#1198458 are included in shim-15.6.tar.bz2 - shim-bsc1198458-pe-Fix-a-buffer-overflow-when-SizeOfRawData-VirtualS.patch pe: Fix a buffer overflow when SizeOfRawData VirtualSize - shim-bsc1198458-pe-Perform-image-verification-earlier-when-loading-g.patch pe: Perform image verification earlier when loading grub - shim-bsc1198458-Update-advertised-sbat-generation-number-for-shim.patch Update advertised sbat generation number for shim - shim-bsc1198458-Update-SBAT-generation-requirements-for-05-24-22.patch Update SBAT generation requirements for 05/24/22 - shim-bsc1198458-Also-avoid-CVE-2022-28737-in-verify_image.patch Also avoid CVE-2022-28737 in verify_image() - 0006-shim-15.6-rc2.patch - 0007-sbat-add-the-parsed-SBAT-variable-entries-to-the-deb.patch sbat: add the parsed SBAT variable entries to the debug log - 0008-bump-version-to-shim-15.6.patch - Add mokutil command to post script for setting sbat policy to latest mode when the SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23 is not created. (bsc#1198458) - Add shim-bsc1198101-opensuse-cert-prompt.patch back to openSUSE shim to show the prompt to ask whether the user trusts openSUSE certificate or not (bsc#1198101) - Updated vendor dbx binary and script (bsc#1198458) - Updated dbx-cert.tar.xz and vendor-dbx-sles.bin for adding SLES-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list. - Updated dbx-cert.tar.xz and vendor-dbx-opensuse.bin for adding openSUSE-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list. - Updated vendor-dbx.bin for adding SLES-UEFI-SIGN-Certificate-2021-05.crt and openSUSE-UEFI-SIGN-Certificate-2021-05.crt for testing environment. - Updated generate-vendor-dbx.sh script for generating a vendor-dbx.bin file which includes all .der for testing environment.- use common SBAT values (boo#1193282)- Update the SLE signatures (sync shim.changes from SLE)- Add shim-bsc1187696-avoid-deleting-rt-variables.patch to avoid deleting the mirrored RT variables (bsc#1187696)(sync shim.changes from SLE) - Split the keys in vendor-dbx.bin to vendor-dbx-sles and vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce the size of MokListXRT (bsc#1185261) + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz - Add shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch to handle ignore_db and user_insecure_mode correctly (bsc#1185441, bsc#1187071) - Add shim-bsc1185621-relax-max-var-sz-check.patch to relax the maximum variable size check for u-boot (bsc#1185621) + Also drop AArch64 suse-signed shim since we merged this patch - Add shim-bsc1185261-relax-import_mok_state-check.patch to relax the check for import_mok_state() when Secure Boot is off. (bsc#1185261) - Add shim-bsc1185232-relax-loadoptions-length-check.patch to ignore the odd LoadOptions length (bsc#1185232) - shim-install: reset def_shim_efi to "shim.efi" if the given file doesn't exist - Add shim-fix-aa64-relsz.patch to fix the size of rela sections for AArch64 Fix: https://github.com/rhboot/shim/issues/371 - Add shim-disable-export-vendor-dbx.patch to disable exporting vendor-dbx to MokListXRT since writing a large RT variable could crash some machines (bsc#1185261) - Add shim-bsc1187260-fix-efi-1.10-machines.patch to avoid the potential crash when calling QueryVariableInfo in EFI 1.10 machines (bsc#1187260) - Add shim-bsc1185232-fix-config-table-copying.patch to avoid buffer overflow when copying data to the MOK config table (bsc#1185232)- Add shim-bsc1185232-fix-config-table-copying.patch to avoid buffer overflow when copying data to the MOK config table (bsc#1185232)- Add shim-disable-export-vendor-dbx.patch to disable exporting vendor-dbx to MokListXRT since writing a large RT variable could crash some machines (bsc#1185261) - Add shim-bsc1187260-fix-efi-1.10-machines.patch to avoid the potential crash when calling QueryVariableInfo in EFI 1.10 machines (bsc#1187260)- Add shim-fix-aa64-relsz.patch to fix the size of rela sections for AArch64 Fix: https://github.com/rhboot/shim/issues/371- Add shim-bsc1185232-relax-loadoptions-length-check.patch to ignore the odd LoadOptions length (bsc#1185232)- shim-install: reset def_shim_efi to "shim.efi" if the given file doesn't exist- shim-install: instead of assuming "removable" for Azure, remove fallback.efi from \EFI\Boot and copy grub.efi/cfg to \EFI\Boot to make \EFI\Boot bootable and keep the boot option created by efibootmgr (bsc#1185464, bsc#1185961)- Add shim-bsc1185261-relax-import_mok_state-check.patch to relax the check for import_mok_state() when Secure Boot is off. (bsc#1185261)- shim-install: always assume "removable" for Azure to avoid the endless reset loop (bsc#1185464)- Include suse-signed shim for AArch64 (bsc#1185621) (sync shim.changes from SLE)- Add shim-bsc1185621-relax-max-var-sz-check.patch to relax the maximum variable size check for u-boot (bsc#1185621)- Add shim-bsc1185441-fix-handling-of-ignore_db-and-user_insecure_mode.patch to handle ignore_db and user_insecure_mode correctly (bsc#1185441, bsc#1187071)- Split the keys in vendor-dbx.bin to vendor-dbx-sles and vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce the size of MokListXRT (bsc#1185261) + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz- Enable the AArch64 signature check for SLE (sync shim.changes from SLE)- Update the SLE signatures (sync shim.changes from SLE)- Add shim-bsc1184454-allocate-mok-config-table-BS.patch to avoid the error message during linux system boot (bsc#1184454)- Add remove_build_id.patch to prevent the build id being added to the binary. That can cause issues with the signature- Update to 15.4 (bsc#1182057) + Rename the SBAT variable and fix the self-check of SBAT + sbat: add more dprint() + arm/aa64: Swizzle some sections to make old sbsign happier + arm/aa64 targets: put .rel* and .dyn* in .rodata - Drop upstreamed patch: + shim-bsc1182057-sbat-variable-enhancement.patch- Add shim-bsc1182057-sbat-variable-enhancement.patch to change the SBAT variable name and enhance the handling of SBAT (bsc#1182057)- Update to 15.3 for SBAT support (bsc#1182057) + Drop gnu-efi from BuildRequires since upstream pull it into the tar ball. - Generate vender-specific SBAT metadata + Add dos2unix to BuildRequires since Makefile requires it for vendor SBAT - Update dbx-cert.tar.xz and vendor-dbx.bin to block the following sign keys: + SLES-UEFI-SIGN-Certificate-2020-07.crt + openSUSE-UEFI-SIGN-Certificate-2020-07.crt - Refresh patches + shim-arch-independent-names.patch + shim-change-debug-file-path.patch + shim-bsc1177315-verify-eku-codesign.patch - Unified with shim-bsc1177315-fix-buffer-use-after-free.patch - Drop upstreamed fixes + shim-correct-license-in-headers.patch + shim-always-mirror-mok-variables.patch + shim-bsc1175509-more-tpm-fixes.patch + shim-bsc1173411-only-check-efi-var-on-sb.patch + shim-fix-verify-eku.patch + gcc9-fix-warnings.patch + shim-fix-gnu-efi-3.0.11.patch + shim-bsc1177404-fix-a-use-of-strlen.patch + shim-do-not-write-string-literals.patch + shim-VLogError-Avoid-Null-pointer-dereferences.patch + shim-bsc1092000-fallback-menu.patch + shim-bsc1175509-tpm2-fixes.patch + shim-bsc1174512-correct-license-in-headers.patch + shim-bsc1182776-fix-crash-at-exit.patch - Drop shim-opensuse-cert-prompt.patch + All newly released openSUSE kernels enable kernel lockdown and signature verification, so there is no need to add the prompt anymore.- Refresh shim-bsc1182776-fix-crash-at-exit.patch to do the cleanup also when Secure Boot is disabled (bsc#1183213, bsc#1182776) - Merged linker-version.pl into timestamp.pl and add the linker version to signature files accordingly- Add shim-bsc1182776-fix-crash-at-exit.patch to fix the potential crash at Exit() (bsc#1182776)- Update the SLE signature - Exclude some patches from x86_64 to avoid breaking the signature - Add shim-correct-license-in-headers.patch back for x86_64 to match the SLE signature - Add linker-version.pl to modify the EFI/PE header to match the SLE signature- Disable the signature attachment for AArch64 temporarily until we get a real one.- Add shim-bsc1177315-verify-eku-codesign.patch to check CodeSign in the signer's EKU (bsc#1177315) - Add shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch to fix NULL pointer dereference in AuthenticodeVerify() (bsc#1177789, CVE-2019-14584) - shim-install: Support changing default shim efi binary in /usr/etc/default/shim and /etc/default/shim (bsc#1177315) - Add shim-bsc1177315-fix-buffer-use-after-free.patch to fix buffer use-after-free at the end of the EKU verification (bsc#1177315)- Add shim-bsc1177404-fix-a-use-of-strlen.patch to fix the length of the option data string to launch the program correctly (bsc#1177404) - Add shim-bsc1175509-more-tpm-fixes.patch to fix the file path in the tpm even log (bsc#1175509)- Add shim-VLogError-Avoid-Null-pointer-dereferences.patch to fix VLogError crash in AArch64 (jsc#SLE-15824) - Add shim-fix-verify-eku.patch to fix the potential crash at verify_eku() (jsc#SLE-15824) - Add shim-do-not-write-string-literals.patch to fix the potential crash when accessing the DEFAULT_LOADER string (jsc#SLE-15824)- Enable build on aarch64- shim-install: install MokManager to \EFI\boot to process the pending MOK request (bsc#1175626, bsc#1175656)- Add shim-bsc1175509-tpm2-fixes.patch to fix the TPM2 measurement (bsc#1175509)- Amend the check of %shim_enforce_ms_signature- Updated openSUSE signature- Replace shim-correct-license-in-headers.patch with the upstream commit: shim-bsc1174512-correct-license-in-headers.patch (bsc#1174512)- Update the path to grub-tpm.efi in shim-install (bsc#1174320)- Use vendor-dbx to block old SUSE/openSUSE signkeys (bsc#1168994) + Add dbx-cert.tar.xz which contains the certificates to block and a script, generate-vendor-dbx.sh, to generate vendor-dbx.bin + Add vendor-dbx.bin as the vendor dbx to block unwanted keys - Drop shim-opensuse-signed.efi + We don't need it anymore- Add shim-bsc1173411-only-check-efi-var-on-sb.patch to only check EFI variable copying when Secure Boot is enabled (bsc#1173411)- Use the full path of efibootmgr to avoid errors when invoking shim-install from packagekitd (bsc#1168104)- Use "suse_version" instead of "sle_version" to avoid shim_lib64_share_compat being set in Tumbleweed forever.- Add shim-fix-gnu-efi-3.0.11.patch to fix the build error caused by the upgrade of gnu-efi- shim-install: add check for btrfs is used as root file system to enable relative path lookup for file. (bsc#1153953)- Fix a typo in shim-install (bsc#1145802)- Add gcc9-fix-warnings.patch (bsc#1121268).- Add shim-opensuse-signed.efi, the openSUSE shim-15+git47 binary (bsc#1113225)- Disable AArch64 build (FATE#325971) + AArch64 machines don't use UEFI CA, at least for now.- Updated shim signature: signature-sles.x86_64.asc (bsc#1120026)- Fix conditions for '/usr/share/efi'-move (FATE#326960)- Amend shim.spec to remove $RPM_BUILD_ROOT- Move 'efi'-executables to '/usr/share/efi' (FATE#326960) (preparing the move to 'noarch' for this package)- Update shim-install to handle the partitioned MD devices (bsc#1119762, bsc#1119763)- Update to 15+git47 (bsc#1120026, FATE#325971) + git commit: b3e4d1f7555aabbf5d54de5ea7cd7e839e7bd83d - Retire the old openSUSE 4096 bit certificate + Those programs are already out of maintenance. - Add shim-always-mirror-mok-variables.patch to mirror MOK variables correctly - Add shim-correct-license-in-headers.patch to correct the license declaration - Refresh patches: + shim-arch-independent-names.patch + shim-change-debug-file-path.patch + shim-bsc1092000-fallback-menu.patch + shim-opensuse-cert-prompt.patch - Drop upstreamed patches: + shim-bsc1088585-handle-mok-allocations-better.patch + shim-httpboot-amend-device-path.patch + shim-httpboot-include-console.h.patch + shim-only-os-name.patch + shim-remove-cryptpem.patch- Update shim-install to specify the target for grub2-install and change the boot efi file name according to the architecture (bsc#1118363, FATE#325971)- Enable AArch64 build (FATE#325971) + Also add the aarch64 signature files and rename the x86_64 signature files- Add shim-bsc1092000-fallback-menu.patch to show a menu before system reset ((bsc#1092000))- Add shim-bsc1088585-handle-mok-allocations-better.patch to avoid double-freeing after enrolling a key from the disk (bsc#1088585) + Also refresh shim-opensuse-cert-prompt.patch due to the change in MokManager.c- Install the certificates with a shim suffix to avoid conflicting with other packages (bsc#1087847)- Add the missing leading backlash to the DEFAULT_LOADER (bsc#1086589)- Add shim-httpboot-amend-device-path.patch to amend the device path matching rule for httpboot (bsc#1065370)- Update to 14 (bsc#1054712) - Adjust make commands in spec - Drop upstreamed fixes + shim-add-fallback-verbose-print.patch + shim-back-to-openssl-1.0.2e.patch + shim-fallback-workaround-masked-ami-variables.patch + shim-fix-fallback-double-free.patch + shim-fix-httpboot-crash.patch + shim-fix-openssl-flags.patch + shim-more-tpm-measurement.patch - Add shim-httpboot-include-console.h.patch to include console.h in httpboot.c to avoid build failure - Add shim-remove-cryptpem.patch to replace functions in CryptPem.c with the null function - Update SUSE/openSUSE specific patches + shim-only-os-name.patch + shim-arch-independent-names.patch + shim-change-debug-file-path.patch + shim-opensuse-cert-prompt.patch- Fix debuginfo + debugsource subpackage generation for RPM 4.14 - Set the RPM groups correctly for debug{info,source} subpackages - Drop deprecated and out of date Authors information in description- Add shim-back-to-openssl-1.0.2e.patch to avoid rejecting some legit certificates (bsc#1054712) - Add the stderr mask back while compiling MokManager.efi since the warnings in Cryptlib is back after reverting the openssl commits.- Add shim-add-fallback-verbose-print.patch to print the debug messages in fallback.efi dynamically - Refresh shim-fallback-workaround-masked-ami-variables.patch - Add shim-more-tpm-measurement.patch to measure more components and support TPM better- Add upstream fixes + shim-fix-httpboot-crash.patch + shim-fix-openssl-flags.patch + shim-fix-fallback-double-free.patch + shim-fallback-workaround-masked-ami-variables.patch - Remove the stderr mask while compiling MokManager.efi since the warnings in Cryptlib were fixed.- Add shim-arch-independent-names.patch to use the Arch-independent names. (bsc#1054712) - Refresh shim-change-debug-file-path.patch - Disable shim-opensuse-cert-prompt.patch automatically in SLE - Diable AArch64 until we have a real user and aarch64 signature- Make build reproducible by avoiding race between find and cp- Update to 12 - Rename the result EFI images due to the upstream name change + shimx64 -> shim + mmx64 -> MokManager + fbx64 -> fallback - Refresh patches: + shim-only-os-name.patch + shim-change-debug-file-path.patch + shim-opensuse-cert-prompt.patch - Drop upstreamed patches: + shim-httpboot-support.patch + shim-bsc973496-mokmanager-no-append-write.patch + shim-bsc991885-fix-sig-length.patch + shim-update-openssl-1.0.2g.patch + shim-update-openssl-1.0.2h.patch- Add the build flag to enable HTTPBoot- shim-install: add option --suse-enable-tpm (fate#315831)- Support %posttrans with marcos provided by update-bootloader-rpm-macros package (bsc#997317)- Add SIGNATURE_UPDATE.txt to state the steps to update signature-*.asc - Update the comment of strip_signature.sh- shim-install : * add option --no-nvram (bsc#999818) * improve removable media and fallback mode handling- shim-install : fix regression of password prompt (bsc#993764)- Add shim-bsc991885-fix-sig-length.patch to fix the signature length passed to Authenticode (bsc#991885)- Update shim-bsc973496-mokmanager-no-append-write.patch to try append write first- Add shim-update-openssl-1.0.2h.patch to update openssl to 1.0.2h - Bump the requirement of gnu-efi due to the HTTPBoot support- Add shim-httpboot-support.patch to support HTTPBoot - Add shim-update-openssl-1.0.2g.patch to update openssl to 1.0.2g and Cryptlib to 5e2318dd37a51948aaf845c7d920b11f47cdcfe6 - Drop patches since they are merged into shim-update-openssl-1.0.2g.patch + shim-update-openssl-1.0.2d.patch + shim-gcc5.patch + shim-bsc950569-fix-cryptlib-va-functions.patch + shim-fix-aarch64.patch - Refresh shim-change-debug-file-path.patch - Add shim-bsc973496-mokmanager-no-append-write.patch to work around the firmware that doesn't support APPEND_WRITE (bsc973496) - shim-install : remove '\n' from the help message (bsc#991188) - shim-install : print a message if there is no valid EFI partition (bsc#991187)- shim-install : support simple MD RAID1 target devices (FATE#314829)- Add shim-fix-aarch64.patch to fix compilation on AArch64 (bsc#978438)- shim-install : fix typing ESC can escape to parent config which is in command mode and cannot return back (bsc#966701) - shim-install : fix no which command for JeOS (bsc#968264)- acquired updated signature from Microsoft- Add shim-bsc950569-fix-cryptlib-va-functions.patch to fix the definition of va functions to avoid the potential crash (bsc#950569) - Update shim-opensuse-cert-prompt.patch to avoid setting NULL to MokListRT (bsc#950801) - Drop shim-fix-mokmanager-sections.patch as we are using the newer binutils now - Refresh shim-change-debug-file-path.patch- acquired updated signature from Microsoft- shim-install : set default GRUB_DISTRIBUTOR from /etc/os-release if it is empty or not set by user (bsc#942519)- Add shim-update-openssl-1.0.2d.patch to update openssl to 1.0.2d - Refresh shim-gcc5.patch and add it back since we really need it - Add shim-change-debug-file-path.patch to change the debug file path in shim.efi + also add the debuginfo and debugsource subpackages - Drop shim-fix-gnu-efi-30w.patch which is not necessary anymore- Update to 0.9 - Refresh patches + shim-fix-gnu-efi-30w.patch + shim-fix-mokmanager-sections.patch + shim-opensuse-cert-prompt.patch - Drop upstreamed patches + shim-bsc920515-fix-fallback-buffer-length.patch + shim-mokx-support.patch + shim-update-cryptlib.patch - Drop shim-bsc919675-uninstall-shim-protocols.patch since upstream fixed the bug in another way. - Drop shim-gcc5.patch which was fixed in another way- Fix tags in the spec file- Add shim-update-cryptlib.patch to update Cryptlib to r16559 and openssl to 0.9.8zf - Add shim-bsc919675-uninstall-shim-protocols.patch to uninstall the shim protocols at Exit (bsc#919675) - Add shim-bsc920515-fix-fallback-buffer-length.patch to adjust the buffer size for the boot options (bsc#920515) - Refresh shim-opensuse-cert-prompt.patch- shim-gcc5.patch: shim needs -std=gnu89 to build with GCC5- shim-install : fix cryptodisk installation (boo#917427)- Add shim-fix-mokmanager-sections.patch to fix the objcopy parameters for the EFI files- Update to 0.8 - Add shim-fix-gnu-efi-30w.patch to adapt the change in gnu-efi-3.0w - Merge shim-signed-unsigned-compares.patch, shim-mokmanager-support-sha-family.patch and shim-bnc863205-mokmanager-fix-hash-delete.patch into shim-mokx-support.patch - Refresh shim-opensuse-cert-prompt.patch - Drop upstreamed patches: shim-update-openssl-0.9.8zb.patch, bug-889332_shim-overflow.patch, and bug-889332_shim-mok-oob.patch - Enable aarch64- Fixed buffer overflow and OOB access in shim trusted code path (bnc#889332, CVE-2014-3675, CVE-2014-3676, CVE-2014-3677) * added bug-889332_shim-mok-oob.patch, bug-889332_shim-overflow.patch - Added new certificate by Microsoft/bin/sh 15.8-150300.4.20.215.8-150300.4.20.2 ueficertsBCA4E38E-shim.crtefiMokManager.efifallback.efishim-sles.efishim.efishim-installshimCOPYRIGHTefix86_64MokManager.efifallback.efishim-sles.dershim-sles.efishim.efi/etc//etc/uefi//etc/uefi/certs//usr/lib64//usr/lib64/efi//usr/sbin//usr/share/doc/packages//usr/share/doc/packages/shim//usr/share//usr/share/efi//usr/share/efi/x86_64/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:32617/SUSE_SLE-15-SP3_Update/10512b51de6e9b9964e2848322fbcfdb-shim.SUSE_SLE-15-SP3_Updatedrpmxz5x86_64-suse-linuxdirectoryBourne-Again shell script, ASCII text executableASCII textR if test -f /run/update-bootloader/reinit; then rm -f /run/update-bootloader/{reinit,refresh} /sbin/update-bootloader --reinit || : elif test -f /run/update-bootloader/refresh; then rm -f /run/update-bootloader/refresh /sbin/update-bootloader --refresh || : fi/bin/shutf-8f9719e6724b515679af17e8048ba41133b2b9e45c578a92a8af73d14845a2851?7zXZ !t/4]"k%jz<^x5kq"YQ_*7} 48`c|_'7(Th(v7O)]ĽMs&sW0߷pfPLM8Ձ\f~9A`ySїJyױwU=Ak;So7wY{ 5"|ޜaI~F#؍6J#$7Fr`л9B.=5dOsZPm?\y@\GF_)cC~ F=/98/U)݄XQ}CaG~ Kqfl=˷iZ_"bJbW֭)iƺ]3'"Zνq]|ہT9<8Y(ϑGazSŘ-.9@G-Q4pHM*FyM83HAvsM7Z-i^8c&$[;2vA)D֣ Kpq XD ` <ɺNaI$39>߁|D&__naBoF2G$7jUo 7S̻S]cj1b[ʃ(ns @g=Gڕr@ԇY >Jan]<ЩkUҹLDzQF/i4UߦO9DٝPRuҨ"h$.NT{Ow[L˔{1&?s^HM+;:]Qʈz`27 gluj ]cIHA+Pq3ؓȲ0ͪI>9鵝"P*RSwa YZ