diff --git a/.versionbot/CHANGELOG.yml b/.versionbot/CHANGELOG.yml index b28d3ff65..d32bbc8e9 100644 --- a/.versionbot/CHANGELOG.yml +++ b/.versionbot/CHANGELOG.yml @@ -1,3 +1,698 @@ +- commits: + - subject: Update layers/meta-balena to 5d7a7ecfdc69c481e6e762e38e66b8b291a70e32 + hash: 96ae30310b37824ca86e93feddba2fc73c0ab319 + body: Update layers/meta-balena + footer: + Changelog-entry: Update layers/meta-balena to 5d7a7ecfdc69c481e6e762e38e66b8b291a70e32 + changelog-entry: Update layers/meta-balena to 5d7a7ecfdc69c481e6e762e38e66b8b291a70e32 + author: Self-hosted Renovate Bot + nested: + - commits: + - subject: "Test: Unmanaged: Replace ping command in tests with curl" + hash: 071c0180a03203cb34fc80b127501dc1385dbb3d + body: > + This change is required to migrate existing tests to run QEMU + worker tests on GitHub Actions. + + GitHub hosted runners can't run the `ping` command: + https://github.com/actions/runner-images/issues/1519 by design. + + If we still intend to use `ping`, the solution would be running + QEMU worker tests on self-hosted runners which allow ICMP + packets + footer: + Change-type: patch + change-type: patch + Signed-off-by: Vipul Gupta (@vipulgupta2048) + signed-off-by: Vipul Gupta (@vipulgupta2048) + author: Vipul Gupta (@vipulgupta2048) + nested: [] + version: meta-balena-5.2.8 + title: "" + date: 2024-04-17T15:22:20.514Z + - commits: + - subject: "packagegroup-resin: Install ldd script in balenaOS images" + hash: 9ef3aea59fdcc2909ab4d42e7bf7986c75ff14ca + body: > + The takeover project currently relies on the ldd script being + present in the hostOS pre-migration. + + + While takeover can be adapted to use this script from a + different location, it wouldn't hurt to have ldd in the hostOS + from this point on. + footer: + Change-type: patch + change-type: patch + 
Signed-off-by: Alexandru Costache + signed-off-by: Alexandru Costache + author: Alexandru + nested: [] + version: meta-balena-5.2.7 + title: "" + date: 2024-04-16T21:04:47.973Z + - commits: + - subject: Update tests/leviathan digest to 0c2f44d + hash: 8e362ab8c82719b5d18909f8295d5641cbd02170 + body: Update tests/leviathan + footer: + Change-type: patch + change-type: patch + author: Self-hosted Renovate Bot + nested: + - commits: + - subject: Update Lock file maintenance + hash: 9b54072506553292307ca9096a6cb7a8cbeb00b5 + body: | + Update + footer: + Change-type: patch + change-type: patch + author: Self-hosted Renovate Bot + nested: [] + version: leviathan-2.30.9 + title: "" + date: 2024-04-15T03:06:11.003Z + - commits: + - subject: Update core/contracts digest to d06ad25 + hash: 15fd9358b8b78b140f67180472e339d8a089e678 + body: | + Update core/contracts + footer: + Change-type: patch + change-type: patch + author: Self-hosted Renovate Bot + nested: [] + version: leviathan-2.30.8 + title: "" + date: 2024-04-11T13:32:23.711Z + - commits: + - subject: Update core/contracts digest to bdc5ec8 + hash: dd2e237ba8805ba88d98e0ab40c0ce47d22adc6e + body: | + Update core/contracts + footer: + Change-type: patch + change-type: patch + author: Self-hosted Renovate Bot + nested: [] + version: leviathan-2.30.7 + title: "" + date: 2024-04-11T11:33:17.144Z + - commits: + - subject: Update core/contracts digest to 619554d + hash: 12a9383b4cc99f91f27626995c52b9838bd558a5 + body: | + Update core/contracts + footer: + Change-type: patch + change-type: patch + author: Self-hosted Renovate Bot + nested: [] + version: leviathan-2.30.6 + title: "" + date: 2024-04-10T10:33:42.221Z + - commits: + - subject: Update Lock file maintenance + hash: d6ed71f5ec59715663a4ee736f40520b00d28ff4 + body: | + Update + footer: + Change-type: patch + change-type: patch + author: Self-hosted Renovate Bot + nested: [] + version: leviathan-2.30.5 + title: "" + date: 2024-04-08T02:00:38.626Z + - commits: + - 
subject: Update core/contracts digest to cb7b222 + hash: c17d66a976d9e9f0c0cba108e1c972bf12d822fc + body: | + Update core/contracts + footer: + Change-type: patch + change-type: patch + author: Self-hosted Renovate Bot + nested: [] + version: leviathan-2.30.4 + title: "" + date: 2024-04-08T00:51:21.605Z + - commits: + - subject: Update balena-os/leviathan-worker to v2.9.37 + hash: d9209f59fe962434d45dec77c4f3aa0ef5ccdf47 + body: | + Update balena-os/leviathan-worker from 2.9.36 to 2.9.37 + footer: + Change-type: patch + change-type: patch + author: Self-hosted Renovate Bot + nested: [] + version: leviathan-2.30.3 + title: "" + date: 2024-04-04T15:33:01.233Z + - commits: + - subject: "core/lib/components: Specify Jetson Xavier boot partition indexes" + hash: 6388fbbfb04c27fe4a1337d41481d6a55b2f432c + body: > + so that the config.json can be injected in the right + partition + footer: + Change-type: patch + change-type: patch + Signed-off-by: Alexandru Costache + signed-off-by: Alexandru Costache + author: Alexandru Costache + nested: [] + version: leviathan-2.30.2 + title: "" + date: 2024-04-04T14:20:05.216Z + - commits: + - subject: Update Lock file maintenance + hash: 55b1560c8b3543a0041809f18ee3cf834a054895 + body: | + Update + footer: + Change-type: patch + change-type: patch + author: Self-hosted Renovate Bot + nested: [] + version: leviathan-2.30.1 + title: "" + date: 2024-04-01T00:51:30.207Z + - commits: + - subject: "minor: Add general FAQ to Leviathan" + hash: 2ee9236585807f16959ecbc2f24983b0abe0d8f4 + body: "" + footer: + 
Signed-off-by: Vipul Gupta (@vipulgupta2048) + signed-off-by: Vipul Gupta (@vipulgupta2048) + author: Vipul Gupta (@vipulgupta2048) + nested: [] + version: leviathan-2.30.0 + title: "" + date: 2024-03-26T19:12:11.114Z + - commits: + - subject: Update Lock file maintenance + hash: 427bab2b42a128fa0cb067c99f122d2bc1e743b1 + body: | + Update + footer: + Change-type: patch + change-type: patch + author: Self-hosted Renovate Bot + nested: [] + version: leviathan-2.29.67 + title: "" + date: 2024-03-26T14:30:08.265Z + - commits: + - subject: Update core/contracts digest to 8631765 + hash: 431288192a1bbbe6a75e847d94268f34342caa34 + body: | + Update core/contracts + footer: + Change-type: patch + change-type: patch + author: Self-hosted Renovate Bot + nested: [] + version: leviathan-2.29.66 + title: "" + date: 2024-03-26T13:35:15.787Z + - commits: + - subject: Update core/contracts digest to 2de3526 + hash: dbd017ddf87ab36e3f10dfb09c5e82edad3b9703 + body: | + Update core/contracts + footer: + Change-type: patch + change-type: patch + author: Self-hosted Renovate Bot + nested: [] + version: leviathan-2.29.65 + title: "" + date: 2024-03-21T08:29:35.853Z + version: meta-balena-5.2.6 + title: "" + date: 2024-04-16T14:13:33.263Z + - commits: + - subject: "classes: sign-rsa: add class for RSA artifact signing" + hash: 65a73907c12f03599cec6aed5d83b4f0f4538f84 + body: "" + footer: + Change-type: patch + change-type: patch + 
Signed-off-by: Alex Gonzalez + signed-off-by: Alex Gonzalez + author: Alex Gonzalez + nested: [] + version: meta-balena-5.2.5 + title: "" + date: 2024-04-12T15:16:52.502Z + - commits: + - subject: Update balena-supervisor to v16.1.10 + hash: fab3d6cf5bfe10546dbafba54f3c6955da8f10c4 + body: | + Update balena-supervisor from 16.1.5 to 16.1.10 + footer: + Change-type: patch + change-type: patch + author: Self-hosted Renovate Bot + nested: + - commits: + - subject: Add revpi-connect-4 to RPi variants We need the supervisor to be able + to manage config.txt changes for the RevPi Connect 4. + hash: b5dbef82d75a701cc2accb8f52e5865641e416fc + body: "" + footer: + Change-type: patch + change-type: patch + 
Signed-off-by: Shreya Patel + signed-off-by: Shreya Patel + author: Shreya Patel + nested: [] + version: balena-supervisor-16.1.10 + title: "" + date: 2024-03-28T16:51:48.764Z + - commits: + - subject: Log the full error on device state report failure as it is more useful + hash: 20e57f7f168884ccbc048911be15cedc91334192 + body: > + The message can be an empty string or similarly + unhelpful, therefore + + logging the entire error means that we will have + whatever the message + + may be along with the stack trace and other info that + will be helpful + + even when the message is not + footer: + Change-type: patch + change-type: patch + author: Pagan Gazzard + nested: [] + version: balena-supervisor-16.1.9 + title: "" + date: 2024-03-25T18:36:42.735Z + - commits: + - subject: Set @balena/es-version to es2022 to match tsconfig.json + hash: 6b0500cdbcd24b718460f35f6f9412ba6093389c + body: "" + footer: + Change-type: patch + change-type: patch + author: Pagan Gazzard + nested: [] + version: balena-supervisor-16.1.8 + title: "" + date: 2024-03-25T18:11:08.037Z + - commits: + - subject: Increase the timeout for auto select family to 5000ms to avoid issues + hash: 5cd37e73acb63a3bd705aea8e5edb4d255cd1c37 + body: > + On slower networks the default of 250ms can cause + problems as all + + attempts will fail rather than only the ones for + interfaces that do not + + actually work correctly. Increasing this timeout to + 5000ms will help to + + avoid these issues + footer: + Change-type: patch + change-type: patch + author: Pagan Gazzard + nested: [] + version: balena-supervisor-16.1.7 + title: "" + date: 2024-03-25T15:25:23.860Z + - commits: + - subject: Pin iptables to 1.8.9 (legacy) + hash: 3d881347e7d9721b00bcc41411996bd40b48d781 + body: > + With Alpine 3.19, iptables gets bumped to 1.8.10 which + uses nftables. + + The host OS still uses iptables 1.8.7 (legacy), and we + should + + use legacy as well until the OS uses nftables. 
+ footer: + See: https://balena.zulipchat.com/#narrow/stream/345889-balena-io.2Fos/topic/iptables.20host.20vs.2E.20nftables.20Supervisor + see: https://balena.zulipchat.com/#narrow/stream/345889-balena-io.2Fos/topic/iptables.20host.20vs.2E.20nftables.20Supervisor + Change-type: patch + change-type: patch + Signed-off-by: Christina Ying Wang + signed-off-by: Christina Ying Wang + author: Christina Ying Wang + nested: [] + version: balena-supervisor-16.1.6 + title: "" + date: 2024-03-18T21:37:24.676Z + version: meta-balena-5.2.4 + title: "" + date: 2024-04-03T17:13:37.301Z + - commits: + - subject: mv docs/{,uefi-}secure-boot.md + hash: 18e35c55cb486d93aadc43df1f5e0db0ef840c03 + body: "" + footer: + Change-type: patch + change-type: patch + Signed-off-by: Joseph Kogut + signed-off-by: Joseph Kogut + author: Joseph Kogut + nested: [] + - subject: "docs: secure-boot: update for PCR7 sealing" + hash: e3c6131e6979390292c72e5e18c96d83165096fe + body: > + Update secure boot docs to reflect changes made for PCR7 + sealing, + + including: + + + * No first boot needed anymore to reach secure state + + * PCR roles + footer: + Change-type: patch + change-type: patch + 
Signed-off-by: Joseph Kogut + signed-off-by: Joseph Kogut + author: Joseph Kogut + nested: [] + - subject: "os-helpers: compute_pcr7: merge event log digests" + hash: e10d67084621e5ce10f14557f2466e91ff684b41 + body: > + The main variables measured into PCR7 to ensure secure boot + + configuration integrity are the state and EFI vars, including + PK, KEK, + + db, dbx, etc. + + + However, some systems have firmware that will measure other, + unexpected + + events, such as "DMA Protection Disabled" (related to a Windows + feature + + [0]), or "Unknown event type" with strange data. + + + These events can't be predicted, and other devices may have + different + + measured events that aren't compliant with the TCG spec, so + attempt to + + check the TPM event log and extend our digest with any unknown + events + + that fit the bill. + + + [0] + https://learn.microsoft.com/en-us/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt + footer: + Change-type: patch + change-type: patch + Signed-off-by: Joseph Kogut + signed-off-by: Joseph Kogut + author: Joseph Kogut + nested: [] + - subject: Update policy's PCR7 value in hostapp-update hook + hash: f05deea2cd1003e186fa7756eecf8f113db26a7f + body: > + When performing a hostapp-update, we may touch file and efivars + that are + + measured into PCR7. Re-generate the predicted value and reseal + the LUKS + + passphrase using this new digest. + footer: + Change-type: patch + change-type: patch + Signed-off-by: Joseph Kogut + signed-off-by: Joseph Kogut + author: Joseph Kogut + nested: [] + - subject: "os-helpers-tpm2: compute_pcr7: allow overriding efivars" + hash: 3e0911a5c4317ea4b9ca03a7816ce600e5b202c5 + body: > + When computing the digest of PCR7, it may be necessary to + override the + + input variables used, in order to predict the value on the next + boot. + + Allow these inputs to be overridden using function parameters. + footer: + Change-type: patch + change-type: patch + 
Signed-off-by: Joseph Kogut + signed-off-by: Joseph Kogut + author: Joseph Kogut + nested: [] + - subject: Move policy update to HUP commit hook + hash: 80f9bd84de394aa728ed802a2d4c02f3a87f370b + body: > + When migrating the TPM2 policy used to secure the LUKS + passphrase to use + + different PCRs, we temporarily want to maintain fallback + capability in + + case the newly installed hostapp doesn't pass healthchecks. This + allows + + the system to boot back into the original OS and try again. + + + In order to do so, we leave the passphrase in place with the old + PCR + + authentication policy. The cryptsetup hook in the initramfs will + try + + PCRs 0,2,3,7 and if those don't work we fallback to the original + PCRs. + + + Once the new system successfully boots, we'll re-encrypt the + passphrase + + and use the new PCRs to create a policy to secure the key. + footer: + Change-type: patch + change-type: patch + Signed-off-by: Joseph Kogut + signed-off-by: Joseph Kogut + author: Joseph Kogut + nested: [] + - subject: "rollback-health: move apply-dbx to HUP commit hook" + hash: 3d78d26366b284313ea718adb8d5498ac4f27e1f + body: > + This operation is done after rollback-health completes and the + new OS is + + running to ensure the OS is healthy before appending to the + forbidden + + signatures list. + + + Move this out of rollback-health and into a HUP commit hook, + which + + allows it to be excluded from OS images that don't use EFI or + support + + secure boot. + footer: + Change-type: patch + change-type: patch + Signed-off-by: Joseph Kogut + signed-off-by: Joseph Kogut + author: Joseph Kogut + nested: [] + - subject: "hostapp-hooks: include 0-signed-update only for efi" + hash: 328222014146f0116e0208443f3e255d0e85ef15 + body: > + This hook is only applicable for EFI machines. Include it in the + build + + only when MACHINE_FEATURES includes EFI. + footer: + Change-type: patch + change-type: patch + 
Signed-off-by: Joseph Kogut + signed-off-by: Joseph Kogut + author: Joseph Kogut + nested: [] + - subject: "secure boot: seal luks passphrase w/ PCR7" + hash: 86460d1fa00e40caa1e3edd3ebed5d2098dafe31 + body: "" + footer: + Change-type: patch + change-type: patch + Signed-off-by: Joseph Kogut + signed-off-by: Joseph Kogut + author: Joseph Kogut + nested: [] + - subject: "os-helpers-tpm2: separate authentication from crypto" + hash: 6a4e3cd2f48dc7e48acc35f04200317397d6d0b1 + body: > + When encrypting the LUKS passphrase, we need the ability to + construct a + + policy that can logically OR together multiple policies, such as + when + + the machine may or may not measure binaries loaded through EFI + boot + + services into PCR7. + + + We also need the ability to update the sealing policy to revoke + + previously valid configurations, such as after + hostapp-healthcheck + + completes successfully. Ideally, this should be completed before + + modifying any efi variables, to prevent the system from becoming + + unbootable in the event of an interrupted update. + + + These requirements necessitate the ability to create sealing + policies + + and authenticate against them outside of the + hw_{en,de}crypt_passphrase + + functions. + + + This commit allows the caller to setup the sealing policy when + + encrypting, and choose what kind of authentication to use when + + decrypting. + footer: + Change-type: patch + change-type: patch + 
Signed-off-by: Joseph Kogut + signed-off-by: Joseph Kogut + author: Joseph Kogut + nested: [] + - subject: "tcgtool: new recipe" + hash: 5217a6c8e8599f18ef84d319fb41049c476be265 + body: > + Create recipe for tcgtool, a program that replicates the + structures used + + to represent data measured and hashed to extend TPM PCRs. + + + This is useful to compute a PCR hash at runtime, which is + normally + + computed by the firmware before the OS boots. This allows for + adjusting + + a TPM2 policy to unlock the disk encryption passphrase with the + updated + + state on the next boot. + footer: + Change-type: patch + change-type: patch + Signed-off-by: Joseph Kogut + signed-off-by: Joseph Kogut + author: Joseph Kogut + nested: [] + - subject: "recipes-bsp: add recipe for GRUB 2.12" + hash: 27808e2da6740bcd17d435aa15d644fef7b2b69c + body: > + This version changes how kernel images are booted, passing them + to the EFI + + boot services LoadImage method, which uses EFISTUB and retains + the TPM + + event log in memory. + + + Copy this recipe from Poky rev 43f9098. This may be removed once + Poky is + + bumped to Scarthgap (5.0). + + + More info: https://edk2.groups.io/g/devel/topic/93730585 + footer: + Change-type: patch + change-type: patch + Signed-off-by: Joseph Kogut + signed-off-by: Joseph Kogut + author: Joseph Kogut + nested: [] + - subject: "tests: skip bootloader config integrity check" + hash: ad70f51fcc899dd3ec521c280c0a074302f7498f + body: > + GRUB 2.12 no longer outputs the escape codes the previous + version did. + + Skip this test until we can patch the bootloader to output a + string we + + can match against. + footer: + Change-type: patch + change-type: patch + 
Signed-off-by: Joseph Kogut + signed-off-by: Joseph Kogut + author: Joseph Kogut + nested: [] + - subject: "secureboot: enroll kernel hash in db for EFISTUB" + hash: 45fe30fcc01bb2f3c423c11e2ea244546da30d57 + body: > + Generate hash for second stage bootloader and enroll in db + efivar to + + allow the firmware to verify the image for booting when using + EFISTUB. + + + This is necessary to update to GRUB 2.12, which passes the EFI + image to + + the EFI boot services LoadImage method, which then validates the + image + + when secure boot is enabled. + footer: + Change-type: patch + change-type: patch + Signed-off-by: Joseph Kogut + signed-off-by: Joseph Kogut + author: Joseph Kogut + nested: [] + version: meta-balena-5.2.3 + title: "" + date: 2024-03-22T08:48:01.071Z + version: 5.2.8 + title: "" + date: 2024-04-19T09:39:55.532Z - commits: - subject: Use balena bootloader for raspberrypicm4-ioboard-sb hash: c18a5e88c9f37539aebaa3f91744028bfb00c972 diff --git a/CHANGELOG.md b/CHANGELOG.md index c46b02667..e1c59a563 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,161 @@ Change log ----------- +# v5.2.8 +## (2024-04-19) + + +
+ Update layers/meta-balena to 5d7a7ecfdc69c481e6e762e38e66b8b291a70e32 [Self-hosted Renovate Bot] + +> ## meta-balena-5.2.8 +> ### (2024-04-17) +> +> * Test: Unmanaged: Replace ping command in tests with curl [Vipul Gupta (@vipulgupta2048)] +> +> ## meta-balena-5.2.7 +> ### (2024-04-16) +> +> * packagegroup-resin: Install ldd script in balenaOS images [Alexandru] +> +> ## meta-balena-5.2.6 +> ### (2024-04-16) +> +> +>
+> Update tests/leviathan digest to 0c2f44d [Self-hosted Renovate Bot] +> +>> ### leviathan-2.30.9 +>> #### (2024-04-15) +>> +>> * Update Lock file maintenance [Self-hosted Renovate Bot] +>> +>> ### leviathan-2.30.8 +>> #### (2024-04-11) +>> +>> * Update core/contracts digest to d06ad25 [Self-hosted Renovate Bot] +>> +>> ### leviathan-2.30.7 +>> #### (2024-04-11) +>> +>> * Update core/contracts digest to bdc5ec8 [Self-hosted Renovate Bot] +>> +>> ### leviathan-2.30.6 +>> #### (2024-04-10) +>> +>> * Update core/contracts digest to 619554d [Self-hosted Renovate Bot] +>> +>> ### leviathan-2.30.5 +>> #### (2024-04-08) +>> +>> * Update Lock file maintenance [Self-hosted Renovate Bot] +>> +>> ### leviathan-2.30.4 +>> #### (2024-04-08) +>> +>> * Update core/contracts digest to cb7b222 [Self-hosted Renovate Bot] +>> +>> ### leviathan-2.30.3 +>> #### (2024-04-04) +>> +>> * Update balena-os/leviathan-worker to v2.9.37 [Self-hosted Renovate Bot] +>> +>> ### leviathan-2.30.2 +>> #### (2024-04-04) +>> +>> * core/lib/components: Specify Jetson Xavier boot partition indexes [Alexandru Costache] +>> +>> ### leviathan-2.30.1 +>> #### (2024-04-01) +>> +>> * Update Lock file maintenance [Self-hosted Renovate Bot] +>> +>> ### leviathan-2.30.0 +>> #### (2024-03-26) +>> +>> * minor: Add general FAQ to Leviathan [Vipul Gupta (@vipulgupta2048)] +>> +>> ### leviathan-2.29.67 +>> #### (2024-03-26) +>> +>> * Update Lock file maintenance [Self-hosted Renovate Bot] +>> +>> ### leviathan-2.29.66 +>> #### (2024-03-26) +>> +>> * Update core/contracts digest to 8631765 [Self-hosted Renovate Bot] +>> +>> ### leviathan-2.29.65 +>> #### (2024-03-21) +>> +>> * Update core/contracts digest to 2de3526 [Self-hosted Renovate Bot] +>> +> +>
+> +> +> ## meta-balena-5.2.5 +> ### (2024-04-12) +> +> * classes: sign-rsa: add class for RSA artifact signing [Alex Gonzalez] +> +> ## meta-balena-5.2.4 +> ### (2024-04-03) +> +> +>
+> Update balena-supervisor to v16.1.10 [Self-hosted Renovate Bot] +> +>> ### balena-supervisor-16.1.10 +>> #### (2024-03-28) +>> +>> * Add revpi-connect-4 to RPi variants We need the supervisor to be able to manage config.txt changes for the RevPi Connect 4. [Shreya Patel] +>> +>> ### balena-supervisor-16.1.9 +>> #### (2024-03-25) +>> +>> * Log the full error on device state report failure as it is more useful [Pagan Gazzard] +>> +>> ### balena-supervisor-16.1.8 +>> #### (2024-03-25) +>> +>> * Set @balena/es-version to es2022 to match tsconfig.json [Pagan Gazzard] +>> +>> ### balena-supervisor-16.1.7 +>> #### (2024-03-25) +>> +>> * Increase the timeout for auto select family to 5000ms to avoid issues [Pagan Gazzard] +>> +>> ### balena-supervisor-16.1.6 +>> #### (2024-03-18) +>> +>> * Pin iptables to 1.8.9 (legacy) [Christina Ying Wang] +>> +> +>
+> +> +> ## meta-balena-5.2.3 +> ### (2024-03-22) +> +> * mv docs/{,uefi-}secure-boot.md [Joseph Kogut] +> * docs: secure-boot: update for PCR7 sealing [Joseph Kogut] +> * os-helpers: compute_pcr7: merge event log digests [Joseph Kogut] +> * Update policy's PCR7 value in hostapp-update hook [Joseph Kogut] +> * os-helpers-tpm2: compute_pcr7: allow overriding efivars [Joseph Kogut] +> * Move policy update to HUP commit hook [Joseph Kogut] +> * rollback-health: move apply-dbx to HUP commit hook [Joseph Kogut] +> * hostapp-hooks: include 0-signed-update only for efi [Joseph Kogut] +> * secure boot: seal luks passphrase w/ PCR7 [Joseph Kogut] +> * os-helpers-tpm2: separate authentication from crypto [Joseph Kogut] +> * tcgtool: new recipe [Joseph Kogut] +> * recipes-bsp: add recipe for GRUB 2.12 [Joseph Kogut] +> * tests: skip bootloader config integrity check [Joseph Kogut] +> * secureboot: enroll kernel hash in db for EFISTUB [Joseph Kogut] +> + +
+ # v5.2.2+rev1 ## (2024-04-15) diff --git a/VERSION b/VERSION index d411baa8a..5812e97de 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -5.2.2+rev1 \ No newline at end of file +5.2.8 \ No newline at end of file
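Review bot: In the .versionbot/CHANGELOG.yml hunk, the meta-balena-5.2.3 block brings in "tests: skip bootloader config integrity check" together with the GRUB 2.12 recipe and the PCR7 sealing changes, and the entry has no reference for re-enabling the test. The body says the skip lasts "until we can patch the bootloader to output a string we can match against", so the upstream commit should link a tracking issue in its footer, as the "Pin iptables to 1.8.9 (legacy)" entry does with its See: line. In the same block, "secure boot: seal luks passphrase w/ PCR7" has an empty body even though the entries around it (policy update in the HUP commit hook, compute_pcr7 changes) depend on it; a short description there would make the log readable without opening the commit.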
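Review bot: In the CHANGELOG.md hunk, the balena-supervisor-16.1.10 bullet runs the commit subject and its description together ("Add revpi-connect-4 to RPi variants We need the supervisor to be able to manage config.txt changes for the RevPi Connect 4."), matching the YAML entry where the subject holds both sentences and body is empty. Both files appear to be generated from commit metadata, so the fix belongs in the upstream commit message: keep the subject to the first clause and move the rest into the body. The meta-balena-5.2.7 bullet is also attributed to "Alexandru" while the Signed-off-by for the same commit in the YAML reads "Alexandru Costache"; the author name should be consistent.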
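Review bot: In the VERSION hunk, the move from 5.2.2+rev1 to 5.2.8 is a patch-level bump, yet the meta-balena-5.2.3 entries it pulls in change which PCRs seal the LUKS passphrase (the initramfs cryptsetup hook tries PCRs 0,2,3,7 and then falls back to the original PCRs) and add GRUB 2.12 with the kernel hash enrolled in db. The nested meta-balena commits are all marked Change-type: patch, so the number follows the metadata, but the 5.2.8 release notes should call out the sealing-policy migration and the fallback path for devices that update with secure boot enabled.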