[Buildroot] [PATCH 1/3] package/gnu-efi: get rid of patch

[Buildroot] [PATCH 1/3] package/gnu-efi: get rid of patch

[Peter Korsgaard]

Pass TARGET_CONFIGURE_OPTS in the environment instead of on the make command
line, so 'CFLAGS +=' does the right thing in the Makefile without patching.

TARGET_CONFIGURE_OPTS includes TARGET_MAKE_ENV, so drop that.

This does require us to pass CROSS_COMPILE to ensure the native tools are
not used though.

Add a GNU_EFI_MAKE_OPTS and use in both the build and install steps, instead
of repeating the various arguments.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 ...S-CPPFLAGS-to-be-completed-from-the-envir.patch | 103 ---------------------
 package/gnu-efi/gnu-efi.mk                         |  15 +--
 2 files changed, 8 insertions(+), 110 deletions(-)
 delete mode 100644 package/gnu-efi/0001-Allow-CFLAGS-CPPFLAGS-to-be-completed-from-the-envir.patch

diff --git a/package/gnu-efi/0001-Allow-CFLAGS-CPPFLAGS-to-be-completed-from-the-envir.patch b/package/gnu-efi/0001-Allow-CFLAGS-CPPFLAGS-to-be-completed-from-the-envir.patch
deleted file mode 100644
index 11507388ea..0000000000
--- a/package/gnu-efi/0001-Allow-CFLAGS-CPPFLAGS-to-be-completed-from-the-envir.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-From eea0f62a1f6712f10afe47635b80a061505d2d2f Mon Sep 17 00:00:00 2001
-From: Romain Naour <romain.naour@openwide.fr>
-Date: Sat, 17 Jan 2015 18:33:37 +0100
-Subject: [PATCH 1/2] Allow CFLAGS/CPPFLAGS to be completed from the
- environment
-
-Buildroot passes its own CPPFLAGS and CFLAGS in the environment, so
-the CFLAGS += and CPPFLAGS += statements in gnu-efi Makefile have no
-effect. Change these to override <VARIABLE> += so that they extend the
-flags passed by Buildroot.
-
-[Romain:
- - rebase on top of 3.0.1 release]
-[Bernd:
- - rebase on top of 3.0.5 release]
-[Beno?t:
- - rebase on top of 3.0.6 release]
-
-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
-Signed-off-by: Romain Naour <romain.naour@openwide.fr>
-Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
-Signed-off-by: Beno?t Allard <benoit.allard@greenbone.net>
----
- Make.defaults |   22 +++++++++++-----------
- 1 file changed, 11 insertions(+), 11 deletions(-)
-
-diff --git a/Make.defaults b/Make.defaults
-index 51bd7d8..7d7e8e7 100755
---- a/Make.defaults
-+++ b/Make.defaults
-@@ -85,14 +85,14 @@ OBJDIR       := $(TOPDIR)/$(ARCH)
- #
- 
- # Arch-specific compilation flags
--CPPFLAGS += -DCONFIG_$(ARCH)
-+override CPPFLAGS += -DCONFIG_$(ARCH)
- 
- ifeq ($(ARCH),ia64)
--  CFLAGS += -mfixed-range=f32-f127
-+  override CFLAGS += -mfixed-range=f32-f127
- endif
- 
- ifeq ($(ARCH),ia32)
--  CFLAGS += -mno-mmx -mno-sse
-+  override CFLAGS += -mno-mmx -mno-sse
-   ifeq ($(HOSTARCH),x86_64)
-     ARCH3264 = -m32
-   endif
-@@ -109,19 +109,19 @@ ifeq ($(ARCH),x86_64)
-                                  && [ $(GCCMINOR) -ge "7" ] ) ) \
-                           && echo 1)
-   ifeq ($(GCCNEWENOUGH),1)
--    CPPFLAGS += -DGNU_EFI_USE_MS_ABI -maccumulate-outgoing-args --std=c11
-+    override CPPFLAGS += -DGNU_EFI_USE_MS_ABI -maccumulate-outgoing-args --std=c11
-   else ifeq ($(USING_CLANG),clang)
--    CPPFLAGS += -DGNU_EFI_USE_MS_ABI --std=c11
-+    override CPPFLAGS += -DGNU_EFI_USE_MS_ABI --std=c11
-   endif
- 
--  CFLAGS += -mno-red-zone
-+  override CFLAGS += -mno-red-zone
-   ifeq ($(HOSTARCH),ia32)
-     ARCH3264 = -m64
-   endif
- endif
- 
- ifeq ($(ARCH),mips64el)
--  CFLAGS += -march=mips64r2
-+  override CFLAGS += -march=mips64r2
-   ARCH3264 = -mabi=64
- endif
- 
-@@ -142,7 +142,7 @@ export LIBGCC=$(shell $(CC) $(ARCH3264)
- endif
- 
- ifeq ($(ARCH),arm)
--CFLAGS += -marm
-+override CFLAGS += -marm
- endif
- 
- # Generic compilation flags
-@@ -152,15 +152,15 @@ INCDIR  += -I$(SRCDIR) -I$(TOPDIR)/inc -
- # Only enable -fpic for non MinGW compilers (unneeded on MinGW)
- GCCMACHINE := $(shell $(CC) -dumpmachine)
- ifneq (mingw32,$(findstring mingw32, $(GCCMACHINE)))
--  CFLAGS += -fpic
-+  override CFLAGS += -fpic
- endif
- 
- ifeq (FreeBSD, $(findstring FreeBSD, $(OS)))
--CFLAGS  += $(ARCH3264) -g -O2 -Wall -Wextra -Werror \
-+override CFLAGS  += $(ARCH3264) -g -O2 -Wall -Wextra -Werror \
-            -fshort-wchar -fno-strict-aliasing \
-            -ffreestanding -fno-stack-protector
- else
--CFLAGS  += $(ARCH3264) -g -O2 -Wall -Wextra -Werror \
-+override CFLAGS  += $(ARCH3264) -g -O2 -Wall -Wextra -Werror \
-            -fshort-wchar -fno-strict-aliasing \
-            -fno-merge-all-constants -ffreestanding -fno-stack-protector \
-            -fno-stack-check
--- 
-2.11.0
-
diff --git a/package/gnu-efi/gnu-efi.mk b/package/gnu-efi/gnu-efi.mk
index d55e0274df..b83a5a9eb4 100644
--- a/package/gnu-efi/gnu-efi.mk
+++ b/package/gnu-efi/gnu-efi.mk
@@ -26,17 +26,18 @@ else ifeq ($(BR2_aarch64)$(BR2_aarch64_be),y)
 GNU_EFI_PLATFORM = aarch64
 endif
 
+GNU_EFI_MAKE_OPTS = \
+	ARCH=$(GNU_EFI_PLATFORM) \
+	CROSS_COMPILE="$(TARGET_CROSS)" \
+	PREFIX=/usr
+
 define GNU_EFI_BUILD_CMDS
-	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) \
-		$(TARGET_CONFIGURE_OPTS) \
-		ARCH=$(GNU_EFI_PLATFORM)
+	$(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D) $(GNU_EFI_MAKE_OPTS)
 endef
 
 define GNU_EFI_INSTALL_STAGING_CMDS
-	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) \
-		$(TARGET_CONFIGURE_OPTS) \
-		INSTALLROOT=$(STAGING_DIR) \
-		PREFIX=/usr ARCH=$(GNU_EFI_PLATFORM) install
+	$(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D) $(GNU_EFI_MAKE_OPTS) \
+		INSTALLROOT=$(STAGING_DIR) install
 endef
 
 $(eval $(generic-package))
-- 
2.11.0

[Buildroot] [PATCH 2/3] package/gnu-efi: bump version to 3.0.9

[Peter Korsgaard]

Adds support for StrnCat, needed by shim.

Also add a hash for the license file.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/gnu-efi/gnu-efi.hash | 7 ++++---
 package/gnu-efi/gnu-efi.mk   | 2 +-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/package/gnu-efi/gnu-efi.hash b/package/gnu-efi/gnu-efi.hash
index 1bd0f8c5dc..9ac2b51fe3 100644
--- a/package/gnu-efi/gnu-efi.hash
+++ b/package/gnu-efi/gnu-efi.hash
@@ -1,5 +1,6 @@
 # From http://sourceforge.net/projects/gnu-efi/files
-md5 46f633758a8a37db9fd6909fe270c26b gnu-efi-3.0.6.tar.bz2
-sha1 9f0f75b64c84423f3386da6f3200f5ed7471d9cb gnu-efi-3.0.6.tar.bz2
+md5 32af17b917545a693e549af2439c4a99 gnu-efi-3.0.9.tar.bz2
+sha1 9b39e06206e63eba56d59a648a7e4f20aead6962 gnu-efi-3.0.9.tar.bz2
 # Locally computed
-sha256 21515902d80fbea23328a61d70d3d51a47204abd1507ebfa27550a7b9bf22c91 gnu-efi-3.0.6.tar.bz2
+sha256 6715ea7eae1c7e4fc5041034bd3f107ec2911962ed284a081e491646b12277f0  gnu-efi-3.0.9.tar.bz2
+sha256 42d352e9c28dd446fd0209cd6f75588c8e41f0934540bb382bbd61c752360265  README.efilib
diff --git a/package/gnu-efi/gnu-efi.mk b/package/gnu-efi/gnu-efi.mk
index b83a5a9eb4..fe3c8ac343 100644
--- a/package/gnu-efi/gnu-efi.mk
+++ b/package/gnu-efi/gnu-efi.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-GNU_EFI_VERSION = 3.0.6
+GNU_EFI_VERSION = 3.0.9
 GNU_EFI_SOURCE = gnu-efi-$(GNU_EFI_VERSION).tar.bz2
 GNU_EFI_SITE = http://downloads.sourceforge.net/project/gnu-efi
 GNU_EFI_INSTALL_STAGING = YES
-- 
2.11.0

[Buildroot] [PATCH 3/3] boot: add shim EFI bootloader for secure boot chain loading

[Peter Korsgaard]

While gnu-efi supports 32bit ARM, this is currently broken in shim.

Patches to fix this have been submitted upstream but are not included here
for now.

https://github.com/rhboot/shim/pull/162

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 DEVELOPERS          |  1 +
 boot/Config.in      |  1 +
 boot/shim/Config.in | 18 ++++++++++++++++++
 boot/shim/shim.hash |  3 +++
 boot/shim/shim.mk   | 31 +++++++++++++++++++++++++++++++
 5 files changed, 54 insertions(+)
 create mode 100644 boot/shim/Config.in
 create mode 100644 boot/shim/shim.hash
 create mode 100644 boot/shim/shim.mk

diff --git a/DEVELOPERS b/DEVELOPERS
index 3b3923ae4f..aa1bf325cb 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -1649,6 +1649,7 @@ F:	board/openblocks/a6/
 F:	board/orangepi/
 F:	board/pandaboard/
 F:	board/roseapplepi/
+F:	boot/shim/
 F:	configs/minnowboard_max-graphical_defconfig
 F:	configs/minnowboard_max_defconfig
 F:	configs/nexbox_a95x_defconfig
diff --git a/boot/Config.in b/boot/Config.in
index 8e0c8e5df4..11856fd9c7 100644
--- a/boot/Config.in
+++ b/boot/Config.in
@@ -15,6 +15,7 @@ source "boot/mv-ddr-marvell/Config.in"
 source "boot/mxs-bootlets/Config.in"
 source "boot/riscv-pk/Config.in"
 source "boot/s500-bootloader/Config.in"
+source "boot/shim/Config.in"
 source "boot/syslinux/Config.in"
 source "boot/ts4800-mbrboot/Config.in"
 source "boot/uboot/Config.in"
diff --git a/boot/shim/Config.in b/boot/shim/Config.in
new file mode 100644
index 0000000000..15d50e3c82
--- /dev/null
+++ b/boot/shim/Config.in
@@ -0,0 +1,18 @@
+config BR2_TARGET_SHIM
+	bool "shim"
+	depends on BR2_aarch64 || BR2_aarch64_be || \
+		BR2_i386 || BR2_x86_64 # gnu-efi
+	select BR2_PACKAGE_GNU_EFI
+	help
+	  Boot loader to chain-load signed boot loaders under Secure
+	  Boot.
+
+	  This package provides a minimalist boot loader which allows
+	  verifying signatures of other UEFI binaries against either
+	  the Secure Boot DB/DBX or against a built-in signature
+	  database.  Its purpose is to allow a small,
+	  infrequently-changing binary to be signed by the UEFI CA,
+	  while allowing an OS distributor to revision their main
+	  bootloader independently of the CA.
+
+	  https://github.com/rhboot/shim
diff --git a/boot/shim/shim.hash b/boot/shim/shim.hash
new file mode 100644
index 0000000000..318390f80b
--- /dev/null
+++ b/boot/shim/shim.hash
@@ -0,0 +1,3 @@
+# locally computed hash
+sha256 279d19cc95b9974ea2379401a6a0653d949c3fa3d61f0c4bd6a7b9e840bdc425  shim-15.tar.gz
+sha256 15edf527919ddcb2f514ab9d16ad07ef219e4bb490e0b79560be510f0c159cc2  COPYRIGHT
diff --git a/boot/shim/shim.mk b/boot/shim/shim.mk
new file mode 100644
index 0000000000..ba5bc51957
--- /dev/null
+++ b/boot/shim/shim.mk
@@ -0,0 +1,31 @@
+################################################################################
+#
+# shim
+#
+################################################################################
+
+SHIM_VERSION = 15
+SHIM_SITE = $(call github,rhboot,shim,$(SHIM_VERSION))
+SHIM_LICENSE = BSD-2-Clause
+SHIM_LICENSE_FILES = COPYRIGHT
+SHIM_DEPENDENCIES = gnu-efi
+SHIM_INSTALL_TARGET = NO
+SHIM_INSTALL_IMAGES = YES
+
+SHIM_MAKE_OPTS = \
+	ARCH="$(GNU_EFI_PLATFORM)" \
+	CROSS_COMPILE="$(TARGET_CROSS)" \
+	DASHJ="-j$(PARALLEL_JOBS)" \
+	EFI_INCLUDE="$(STAGING_DIR)/usr/include/efi" \
+	EFI_PATH="$(STAGING_DIR)/usr/lib" \
+	LIBDIR="$(STAGING_DIR)/usr/lib"
+
+define SHIM_BUILD_CMDS
+	$(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D) $(SHIM_MAKE_OPTS)
+endef
+
+define SHIM_INSTALL_IMAGES_CMDS
+	$(INSTALL) -m 0755 -t $(BINARIES_DIR) $(@D)/*.efi
+endef
+
+$(eval $(generic-package))
-- 
2.11.0

[Buildroot] [PATCH 1/3] package/gnu-efi: get rid of patch

[Thomas Petazzoni]

Hello,

On Fri, 11 Jan 2019 11:01:09 +0100, Peter Korsgaard wrote:
> Pass TARGET_CONFIGURE_OPTS in the environment instead of on the make command
> line, so 'CFLAGS +=' does the right thing in the Makefile without patching.
> 
> TARGET_CONFIGURE_OPTS includes TARGET_MAKE_ENV, so drop that.
> 
> This does require us to pass CROSS_COMPILE to ensure the native tools are
> not used though.
> 
> Add a GNU_EFI_MAKE_OPTS and use in both the build and install steps, instead
> of repeating the various arguments.
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
>  ...S-CPPFLAGS-to-be-completed-from-the-envir.patch | 103 ---------------------
>  package/gnu-efi/gnu-efi.mk                         |  15 +--
>  2 files changed, 8 insertions(+), 110 deletions(-)
>  delete mode 100644 package/gnu-efi/0001-Allow-CFLAGS-CPPFLAGS-to-be-completed-from-the-envir.patch

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH 2/3] package/gnu-efi: bump version to 3.0.9

[Thomas Petazzoni]

Hello,

On Fri, 11 Jan 2019 11:01:10 +0100, Peter Korsgaard wrote:
> Adds support for StrnCat, needed by shim.
> 
> Also add a hash for the license file.
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
>  package/gnu-efi/gnu-efi.hash | 7 ++++---
>  package/gnu-efi/gnu-efi.mk   | 2 +-
>  2 files changed, 5 insertions(+), 4 deletions(-)

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH 3/3] boot: add shim EFI bootloader for secure boot chain loading

[Thomas Petazzoni]

Hello,

On Fri, 11 Jan 2019 11:01:11 +0100, Peter Korsgaard wrote:
> While gnu-efi supports 32bit ARM, this is currently broken in shim.
> 
> Patches to fix this have been submitted upstream but are not included here
> for now.
> 
> https://github.com/rhboot/shim/pull/162
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

I've changed the title to:

	boot/shim: new package

and moved the description of what it is inside the commit log.

> diff --git a/boot/shim/Config.in b/boot/shim/Config.in
> new file mode 100644
> index 0000000000..15d50e3c82
> --- /dev/null
> +++ b/boot/shim/Config.in
> @@ -0,0 +1,18 @@
> +config BR2_TARGET_SHIM
> +	bool "shim"
> +	depends on BR2_aarch64 || BR2_aarch64_be || \
> +		BR2_i386 || BR2_x86_64 # gnu-efi

In a separate patch, I introduced BR2_PACKAGE_GNU_EFI_ARCH_SUPPORTS,
and used that here + added a separate depends on !BR2_ARM_CPU_HAS_ARM
to cope with the ARM32 build issue.

Some support/testing/ test case would be good to have though :-)

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com