From: dbaryshkov@gmail.com
To: openembedded-core@lists.openembedded.org
Cc: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
Subject: [PATCH v2 5/5] shim: add first-stage UEFI bootloader implementing MOK protocol
Date: Sun, 29 Sep 2019 23:13:59 +0300	[thread overview]
Message-ID: <20190929201359.9837-5-dbaryshkov@gmail.com> (raw)
In-Reply-To: <20190929201359.9837-1-dbaryshkov@gmail.com>

From: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>

Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
---
 ...ompareMem-on-MokListNode.Type-instea.patch | 69 ++++++++++++++++++
 meta/recipes-bsp/shim/shim_git.bb             | 72 +++++++++++++++++++
 2 files changed, 141 insertions(+)
 create mode 100644 meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch
 create mode 100644 meta/recipes-bsp/shim/shim_git.bb

diff --git a/meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch b/meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch
new file mode 100644
index 000000000000..12ee342e9f64
--- /dev/null
+++ b/meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch
@@ -0,0 +1,69 @@
+From f30cd0b6330be8ea72a93bf25e43829c222ba611 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Tue, 26 Feb 2019 11:33:53 +0800
+Subject: [PATCH] MokManager: Use CompareMem on MokListNode.Type instead of
+ CompareGuid
+
+Fix the errors from gcc9 '-Werror=address-of-packed-member'
+
+https://github.com/rhboot/shim/issues/161
+
+Signed-off-by: Gary Lin <glin@suse.com>
+Upstream-Status: Submitted[https://github.com/rhboot/shim/pull/170]
+---
+ MokManager.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/MokManager.c b/MokManager.c
+index d69b4dbe..05dc1622 100644
+--- a/MokManager.c
++++ b/MokManager.c
+@@ -1053,7 +1053,8 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num,
+ 			continue;
+ 
+ 		DataSize += sizeof(EFI_SIGNATURE_LIST);
+-		if (CompareGuid(&(list[i].Type), &X509_GUID) == 0)
++		if (CompareMem(&(list[i].Type), &X509_GUID,
++			       sizeof(EFI_GUID)) == 0)
+ 			DataSize += sizeof(EFI_GUID);
+ 		DataSize += list[i].MokSize;
+ 	}
+@@ -1075,7 +1076,8 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num,
+ 		CertList->SignatureType = list[i].Type;
+ 		CertList->SignatureHeaderSize = 0;
+ 
+-		if (CompareGuid(&(list[i].Type), &X509_GUID) == 0) {
++		if (CompareMem(&(list[i].Type), &X509_GUID,
++			       sizeof(EFI_GUID)) == 0) {
+ 			CertList->SignatureListSize = list[i].MokSize +
+ 			    sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID);
+ 			CertList->SignatureSize =
+@@ -1116,7 +1118,8 @@ static void delete_cert(void *key, UINT32 key_size,
+ 	int i;
+ 
+ 	for (i = 0; i < mok_num; i++) {
+-		if (CompareGuid(&(mok[i].Type), &X509_GUID) != 0)
++		if (CompareMem(&(mok[i].Type), &X509_GUID,
++			       sizeof(EFI_GUID)) != 0)
+ 			continue;
+ 
+ 		if (mok[i].MokSize == key_size &&
+@@ -1167,7 +1170,7 @@ static void delete_hash_in_list(EFI_GUID Type, UINT8 * hash, UINT32 hash_size,
+ 	sig_size = hash_size + sizeof(EFI_GUID);
+ 
+ 	for (i = 0; i < mok_num; i++) {
+-		if ((CompareGuid(&(mok[i].Type), &Type) != 0) ||
++		if ((CompareMem(&(mok[i].Type), &Type, sizeof(EFI_GUID)) != 0) ||
+ 		    (mok[i].MokSize < sig_size))
+ 			continue;
+ 
+@@ -1331,7 +1334,8 @@ static EFI_STATUS delete_keys(void *MokDel, UINTN MokDelSize, BOOLEAN MokX)
+ 
+ 	/* Search and destroy */
+ 	for (i = 0; i < del_num; i++) {
+-		if (CompareGuid(&(del_key[i].Type), &X509_GUID) == 0) {
++		if (CompareMem(&(del_key[i].Type), &X509_GUID,
++			       sizeof(EFI_GUID)) == 0) {
+ 			delete_cert(del_key[i].Mok, del_key[i].MokSize,
+ 				    mok, mok_num);
+ 		} else if (is_sha2_hash(del_key[i].Type)) {
diff --git a/meta/recipes-bsp/shim/shim_git.bb b/meta/recipes-bsp/shim/shim_git.bb
new file mode 100644
index 000000000000..10769ac75a0a
--- /dev/null
+++ b/meta/recipes-bsp/shim/shim_git.bb
@@ -0,0 +1,72 @@
+SUMMARY = "shim is a first stage EFI bootloader."
+DESCRIPTION = "shim is a trivial EFI application that, when run, \
+attempts to open and execute another application. It will initially \
+attempt to do this via the standard EFI LoadImage() and StartImage() \
+calls. If these fail (because secure boot is enabled and the binary \
+is not signed with an appropriate key, for instance) it will then \
+validate the binary against a built-in certificate. If this succeeds \
+and if the binary or signing key are not blacklisted then shim will \
+relocate and execute the binary."
+HOMEPAGE = "https://github.com/rhboot/shim.git"
+SECTION = "bootloaders"
+
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=b92e63892681ee4e8d27e7a7e87ef2bc"
+
+DEPENDS += "\
+    gnu-efi \
+"
+
+PV = "15+git${SRCPV}"
+
+SRC_URI = "\
+    git://github.com/rhboot/shim.git \
+    file://0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch \
+"
+
+SRCREV = "a4a1fbe728c9545fc5647129df0cf1593b953bec"
+
+S = "${WORKDIR}/git"
+
+SHIM_IMAGE = "shim-${EFI_BOOT_IMAGE}"
+
+# install to the image as boot*.efi if its the EFI_PROVIDER,
+# otherwise install as the full name.
+# This allows multiple bootloaders to coexist in a single image.
+python __anonymous () {
+    if d.getVar('EFI_PROVIDER') == "shim":
+        d.setVar("SHIM_EFI_BOOT_IMAGE", d.getVar("EFI_BOOT_IMAGE"))
+    else:
+        d.setVar("SHIM_EFI_BOOT_IMAGE", d.getVar("SHIM_IMAGE"))
+}
+
+inherit deploy
+
+TUNE_CCARGS_remove = "-mfpmath=sse"
+
+EXTRA_OEMAKE = "\
+    CROSS_COMPILE="${TARGET_PREFIX}" \
+    COMPILER="gcc ${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS}" \
+    EFI_INCLUDE="${STAGING_INCDIR}/efi" \
+    EFI_PATH="${STAGING_LIBDIR}" \
+    LIBDIR="${STAGING_LIBDIR}" \
+"
+
+COMPATIBLE_HOST = "${EFI_COMPATIBLE_HOST}"
+
+require conf/image-uefi.conf
+
+do_install() {
+    install -d ${D}${EFI_FILES_PATH}
+    install -m 0755 mm${EFI_ARCH}.efi fb${EFI_ARCH}.efi ${D}${EFI_FILES_PATH}/
+    install -m 0755 shim${EFI_ARCH}.efi ${D}${EFI_FILES_PATH}/${SHIM_EFI_BOOT_IMAGE}
+}
+
+# Install the unsigned images for manual signing
+do_deploy() {
+    install -m 0755 mm${EFI_ARCH}.efi fb${EFI_ARCH}.efi ${DEPLOYDIR}
+    install -m 0755 shim${EFI_ARCH}.efi ${DEPLOYDIR}/${SHIM_IMAGE}
+}
+addtask deploy after do_install before do_build
+
+FILES_${PN} += "${EFI_FILES_PATH}"
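Review bot: The `SRC_URI` entry `git://github.com/rhboot/shim.git` fetches the first-stage Secure Boot loader over the unauthenticated git protocol and names no branch; for the component that anchors the boot chain of trust, `git://github.com/rhboot/shim.git;protocol=https;branch=<default branch>` would use an authenticated transport and make the fetched branch explicit. The pinned `SRCREV` bounds the integrity risk, since the fetcher checks out exactly that commit id, so this is hardening rather than a hole. Separately, `EXTRA_OEMAKE` exposes no way to pass shim's `VENDOR_CERT_FILE`, so if I read shim's build correctly the resulting shim${EFI_ARCH}.efi trusts only certificates already in db or MOK; a comment such as `# No VENDOR_CERT_FILE is embedded; the built shim only honours db/MOK entries` next to `EXTRA_OEMAKE`, or a variable to supply one, would make that deployment decision visible.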
-- 
2.23.0


