diff --git a/.versionbot/CHANGELOG.yml b/.versionbot/CHANGELOG.yml index 498f89c..8e106ca 100644 --- a/.versionbot/CHANGELOG.yml +++ b/.versionbot/CHANGELOG.yml @@ -1,3 +1,86 @@ +- commits: + - subject: Update layers/meta-balena to d0b1a5a80c691e752dd5b396ce7da995507dd619 + hash: 07c73fd8c48891af0600b13457da3ab1390dc37c + body: Update layers/meta-balena + footer: + Changelog-entry: Update layers/meta-balena to d0b1a5a80c691e752dd5b396ce7da995507dd619 + changelog-entry: Update layers/meta-balena to d0b1a5a80c691e752dd5b396ce7da995507dd619 + author: Renovate Bot + nested: + - commits: + - subject: "resin-init-flasher: add more comments around efi/boot partition split" + hash: 63663b30f8962be8b6d8070340fe89e435f8915b + body: | + This is hard to follow when reading the code without context. + footer: + Change-type: patch + change-type: patch + Signed-off-by: Michal Toman + signed-off-by: Michal Toman + author: Michal Toman + nested: [] + - subject: "resin-init-flasher: reboot into signed flasher when provisioning + secure boot" + hash: ceedc55646898e4eacb840f89710f39c58674323 + body: > + When programming keys for secure boot, some devices do not clear + + the setup mode flag after a new PK is installed. In this case + + flasher will reboot in order to ensure the keys are actually saved + + and the device comes back with secure boot enabled. Since we changed + + flasher to be unsigned by default, this reboot causes a security + + violation. + + + With this patch flasher will add a new boot entry before issuing + + the reboot so that signed flasher comes up and the installation process + + can continue. + footer: + Change-type: patch + change-type: patch + 
Signed-off-by: Michal Toman + signed-off-by: Michal Toman + author: Michal Toman + nested: [] + - subject: "resin-init-flasher: Fill db EFI variable from esl file instead of + auth" + hash: d1e045b826c48168d75163cf9bb9fb1a387ed4f2 + body: > + Currently the db.auth file is signed as "append" in order to + make HUP work. + + Most UEFI firmwares will accept such file even for "replace", which we do + + during the initial provisioning, however we have seen devices that will + + only allow appending, which makes flasher fail. + + + With this patch flasher will use the esl file for initial programming + + of the db variable. + + + PK and KEK are unaffected. + footer: + Change-type: patch + change-type: patch + Signed-off-by: Michal Toman + signed-off-by: Michal Toman + author: Michal Toman + nested: [] + version: meta-balena-2.114.24 + title: "" + date: 2023-05-11T20:31:43.765Z + version: 2.114.24 + title: "" + date: 2023-05-11T23:19:17.360Z - commits: - subject: Update layers/meta-balena to 3f2f215e39c39fc3ef227db665c99fb8ad77ee08 hash: 7155621e3e419840628ab4c0e9ad972037cf2f4b diff --git a/CHANGELOG.md b/CHANGELOG.md index 68a0f9a..a91afb7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,23 @@ Change log ----------- +# v2.114.24 +## (2023-05-11) + + +
+ Update layers/meta-balena to d0b1a5a80c691e752dd5b396ce7da995507dd619 [Renovate Bot] + +> ## meta-balena-2.114.24 +> ### (2023-05-11) +> +> * resin-init-flasher: add more comments around efi/boot partition split [Michal Toman] +> * resin-init-flasher: reboot into signed flasher when provisioning secure boot [Michal Toman] +> * resin-init-flasher: Fill db EFI variable from esl file instead of auth [Michal Toman] +> + +
+ # v2.114.23 ## (2023-05-06)
diff --git a/VERSION b/VERSION
index 85585a3..eecb67a 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.114.23
\ No newline at end of file
+2.114.24
\ No newline at end of file