* [Buildroot] [PATCH 1/3] efitools: new package
From: Celso Varella @ 2018-07-06 14:36 UTC (permalink / raw)
To: buildroot
Linux user-space application to manipulate UEFI signatures database
Patches 1 and 2 remove the dependencies on sbsigntools and Perl scripts.
Patch 3 removes the "-l" option from the mount command in lib/kernel_efivars.c
for compatibility with the Busybox mount command.
https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git/about/
Signed-off-by: Celso Varella <celso.neto.cwi@datacom.com.br>
---
package/Config.in | 1 +
...kefile-remove-all-dependencies-from-sbsig.patch | 155 ++++++++++++++++++++
...ke.rules-remove-all-dependencies-from-sbs.patch | 159 +++++++++++++++++++++
...tion-of-mount-command-to-turn-compatible-.patch | 27 ++++
package/efitools/Config.in | 9 ++
package/efitools/efitools.hash | 3 +
package/efitools/efitools.mk | 21 +++
7 files changed, 375 insertions(+)
create mode 100644 package/efitools/0001-Efitools-Makefile-remove-all-dependencies-from-sbsig.patch
create mode 100644 package/efitools/0002-Efitools-Make.rules-remove-all-dependencies-from-sbs.patch
create mode 100644 package/efitools/0003-remove-l-option-of-mount-command-to-turn-compatible-.patch
create mode 100644 package/efitools/Config.in
create mode 100644 package/efitools/efitools.hash
create mode 100644 package/efitools/efitools.mk
diff --git a/package/Config.in b/package/Config.in
index 20fe5ad..a61ace3 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2011,6 +2011,7 @@ menu "System tools"
source "package/docker-proxy/Config.in"
source "package/dsp-tools/Config.in"
source "package/efibootmgr/Config.in"
+ source "package/efitools/Config.in"
source "package/efivar/Config.in"
source "package/emlog/Config.in"
source "package/ftop/Config.in"
diff --git a/package/efitools/0001-Efitools-Makefile-remove-all-dependencies-from-sbsig.patch b/package/efitools/0001-Efitools-Makefile-remove-all-dependencies-from-sbsig.patch
new file mode 100644
index 0000000..ac624b3
--- /dev/null
+++ b/package/efitools/0001-Efitools-Makefile-remove-all-dependencies-from-sbsig.patch
@@ -0,0 +1,155 @@
+From 396c7592005c62a2a12a0311fe480454e48b294c Mon Sep 17 00:00:00 2001
+From: "celso.neto.cwi" <celso.neto.cwi@datacom.ind.br>
+Date: Mon, 25 Jun 2018 10:45:27 -0300
+Subject: [PATCH 1/2] Efitools - Makefile remove all dependencies from
+ sbsigntools and perl script
+
+Signed-off-by: celso.neto.cwi <celso.neto.cwi@datacom.ind.br>
+---
+ Makefile | 87 ++++++++++++++++++++++++++++++++--------------------------------
+ 1 file changed, 44 insertions(+), 43 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 774ee0a..6f6674d 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,4 +1,4 @@
+-EFIFILES = HelloWorld.efi LockDown.efi Loader.efi ReadVars.efi UpdateVars.efi \
++#EFIFILES = HelloWorld.efi LockDown.efi Loader.efi ReadVars.efi UpdateVars.efi \
+ KeyTool.efi HashTool.efi SetNull.efi ShimReplace.efi
+ BINARIES = cert-to-efi-sig-list sig-list-to-certs sign-efi-sig-list \
+ hash-to-efi-sig-list efi-readvar efi-updatevar cert-to-efi-hash-list \
+@@ -8,34 +8,35 @@ ifeq ($(ARCH),x86_64)
+ EFIFILES += PreLoader.efi
+ endif
+
+-MSGUID = 77FA9ABD-0359-4D32-BD60-28F4E78F784B
++#MSGUID = 77FA9ABD-0359-4D32-BD60-28F4E78F784B
+
+-KEYS = PK KEK DB
+-EXTRAKEYS = DB1 DB2
+-EXTERNALKEYS = ms-uefi ms-kek
++#KEYS = PK KEK DB
++#EXTRAKEYS = DB1 DB2
++#EXTERNALKEYS = ms-uefi ms-kek
+
+-ALLKEYS = $(KEYS) $(EXTRAKEYS) $(EXTERNALKEYS)
++#ALLKEYS = $(KEYS) $(EXTRAKEYS) $(EXTERNALKEYS)
+
+-KEYAUTH = $(ALLKEYS:=.auth)
+-KEYUPDATEAUTH = $(ALLKEYS:=-update.auth) $(ALLKEYS:=-pkupdate.auth)
+-KEYBLACKLISTAUTH = $(ALLKEYS:=-blacklist.auth)
+-KEYHASHBLACKLISTAUTH = $(ALLKEYS:=-hash-blacklist.auth)
++#KEYAUTH = $(ALLKEYS:=.auth)
++#KEYUPDATEAUTH = $(ALLKEYS:=-update.auth) $(ALLKEYS:=-pkupdate.auth)
++#KEYBLACKLISTAUTH = $(ALLKEYS:=-blacklist.auth)
++#KEYHASHBLACKLISTAUTH = $(ALLKEYS:=-hash-blacklist.auth)
+
+ export TOPDIR := $(shell pwd)/
+
+ include Make.rules
+
+-EFISIGNED = $(patsubst %.efi,%-signed.efi,$(EFIFILES))
++#EFISIGNED = $(patsubst %.efi,%-signed.efi,$(EFIFILES))
+
+-all: $(EFISIGNED) $(BINARIES) $(MANPAGES) noPK.auth $(KEYAUTH) \
++#all: $(EFISIGNED) $(BINARIES) $(MANPAGES) noPK.auth $(KEYAUTH) \
+ $(KEYUPDATEAUTH) $(KEYBLACKLISTAUTH) $(KEYHASHBLACKLISTAUTH)
+
++all: $(BINARIES)
+
+ install: all
+- $(INSTALL) -m 755 -d $(MANDIR)
+- $(INSTALL) -m 644 $(MANPAGES) $(MANDIR)
+- $(INSTALL) -m 755 -d $(EFIDIR)
+- $(INSTALL) -m 755 $(EFIFILES) $(EFIDIR)
++# $(INSTALL) -m 755 -d $(MANDIR)
++# $(INSTALL) -m 644 $(MANPAGES) $(MANDIR)
++# $(INSTALL) -m 755 -d $(EFIDIR)
++# $(INSTALL) -m 755 $(EFIFILES) $(EFIDIR)
+ $(INSTALL) -m 755 -d $(BINDIR)
+ $(INSTALL) -m 755 $(BINARIES) $(BINDIR)
+ $(INSTALL) -m 755 mkusb.sh $(BINDIR)/efitool-mkusb
+@@ -48,44 +49,44 @@ lib/lib.a lib/lib-efi.a: FORCE
+ lib/asn1/libasn1.a lib/asn1/libasn1-efi.a: FORCE
+ $(MAKE) -C lib/asn1 $(notdir $@)
+
+-.SUFFIXES: .crt
++#.SUFFIXES: .crt
+
+-.KEEP: PK.crt KEK.crt DB.crt PK.key KEK.key DB.key PK.esl DB.esl KEK.esl \
++#.KEEP: PK.crt KEK.crt DB.crt PK.key KEK.key DB.key PK.esl DB.esl KEK.esl \
+ $(EFIFILES)
+
+-LockDown.o: PK.h KEK.h DB.h
+-PreLoader.o: hashlist.h
++#LockDown.o: PK.h KEK.h DB.h
++#PreLoader.o: hashlist.h
+
+-PK.h: PK.auth
++#PK.h: PK.auth
+
+-KEK.h: KEK.auth
++#KEK.h: KEK.auth
+
+-DB.h: DB.auth
++#DB.h: DB.auth
+
+-noPK.esl:
+- > noPK.esl
++#noPK.esl:
++# > noPK.esl
+
+-noPK.auth: noPK.esl PK.crt sign-efi-sig-list
+- ./sign-efi-sig-list -t "$(shell date --date='1 second' +'%Y-%m-%d %H:%M:%S')" -c PK.crt -k PK.key PK $< $@
++#noPK.auth: noPK.esl PK.crt sign-efi-sig-list
++# ./sign-efi-sig-list -t "$(shell date --date='1 second' +'%Y-%m-%d %H:%M:%S')" -c PK.crt -k PK.key PK $< $@
+
+-ms-%.esl: ms-%.crt cert-to-efi-sig-list
+- ./cert-to-efi-sig-list -g $(MSGUID) $< $@
++#ms-%.esl: ms-%.crt cert-to-efi-sig-list
++# ./cert-to-efi-sig-list -g $(MSGUID) $< $@
+
+-hashlist.h: HashTool.hash
+- cat $^ > /tmp/tmp.hash
+- ./xxdi.pl /tmp/tmp.hash > $@
+- rm -f /tmp/tmp.hash
++#hashlist.h: HashTool.hash
++# cat $^ > /tmp/tmp.hash
++# ./xxdi.pl /tmp/tmp.hash > $@
++# rm -f /tmp/tmp.hash
+
+
+-Loader.so: lib/lib-efi.a
+-ReadVars.so: lib/lib-efi.a lib/asn1/libasn1-efi.a
+-UpdateVars.so: lib/lib-efi.a
+-LockDown.so: lib/lib-efi.a
+-KeyTool.so: lib/lib-efi.a lib/asn1/libasn1-efi.a
+-HashTool.so: lib/lib-efi.a
+-PreLoader.so: lib/lib-efi.a
+-HelloWorld.so: lib/lib-efi.a
+-ShimReplace.so: lib/lib-efi.a
++#Loader.so: lib/lib-efi.a
++#ReadVars.so: lib/lib-efi.a lib/asn1/libasn1-efi.a
++#UpdateVars.so: lib/lib-efi.a
++#LockDown.so: lib/lib-efi.a
++#KeyTool.so: lib/lib-efi.a lib/asn1/libasn1-efi.a
++#HashTool.so: lib/lib-efi.a
++#PreLoader.so: lib/lib-efi.a
++#HelloWorld.so: lib/lib-efi.a
++#ShimReplace.so: lib/lib-efi.a
+
+ cert-to-efi-sig-list: cert-to-efi-sig-list.o lib/lib.a
+ $(CC) $(ARCH3264) -o $@ $< -lcrypto lib/lib.a
+@@ -115,7 +116,7 @@ flash-var: flash-var.o lib/lib.a
+ $(CC) $(ARCH3264) -o $@ $< lib/lib.a
+
+ clean:
+- rm -f PK.* KEK.* DB.* $(EFIFILES) $(EFISIGNED) $(BINARIES) *.o *.so
++ rm -f PK.* KEK.* DB.* $(BINARIES) *.o *.so
+ rm -f noPK.*
+ rm -f doc/*.1
+ $(MAKE) -C lib clean
+--
+2.7.4
+
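Review bot: The disabled variables and rules are commented out rather than deleted, and the patch description gives no reason, so a later version bump has no record of which upstream targets were dropped on purpose (the EFI binaries, the man pages, and the PK/KEK/DB key and `.auth` generation). A short body in the patch description, for example `Only the user-space BINARIES are built; EFI applications, man pages and build-time key generation are disabled because they need sbsign, help2man and xxdi.pl`, would document that, and deleting the lines would keep the patch smaller. The `install` recipe still installs `mkusb.sh` as `efitool-mkusb` although the `$(EFIFILES)` install line above it is now disabled; if the script expects those files (not visible here) it should be dropped as well. The `ifeq ($(ARCH),x86_64)` block still appends to the now-unused `EFIFILES`. The Make.rules patch that follows uses the same commented-out style.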
diff --git a/package/efitools/0002-Efitools-Make.rules-remove-all-dependencies-from-sbs.patch b/package/efitools/0002-Efitools-Make.rules-remove-all-dependencies-from-sbs.patch
new file mode 100644
index 0000000..20d72f2
--- /dev/null
+++ b/package/efitools/0002-Efitools-Make.rules-remove-all-dependencies-from-sbs.patch
@@ -0,0 +1,159 @@
+From bbefa8ec090a0df4ecb31b734d3a1d41d8aadad4 Mon Sep 17 00:00:00 2001
+From: "celso.neto.cwi" <celso.neto.cwi@datacom.ind.br>
+Date: Mon, 25 Jun 2018 11:27:43 -0300
+Subject: [PATCH 2/2] Efitools - Make.rules remove all dependencies from
+ sbsigntools and perl script
+
+Signed-off-by: celso.neto.cwi <celso.neto.cwi@datacom.ind.br>
+---
+ Make.rules | 94 +++++++++++++++++++++++++++++++-------------------------------
+ 1 file changed, 47 insertions(+), 47 deletions(-)
+
+diff --git a/Make.rules b/Make.rules
+index 903a5a4..446f9e8 100644
+--- a/Make.rules
++++ b/Make.rules
+@@ -1,6 +1,6 @@
+-EFISIGNED = $(patsubst %.efi,%-signed.efi,$(EFIFILES))
+-MANPAGES = $(patsubst doc/%.1.in,doc/%.1,$(wildcard doc/*.1.in))
+-HELP2MAN = help2man
++#EFISIGNED = $(patsubst %.efi,%-signed.efi,$(EFIFILES))
++#MANPAGES = $(patsubst doc/%.1.in,doc/%.1,$(wildcard doc/*.1.in))
++#HELP2MAN = help2man
+ ARCH = $(shell uname -m | sed 's/i.86/ia32/;s/arm.*/arm/')
+ ifeq ($(ARCH),ia32)
+ ARCH3264 = -m32
+@@ -31,8 +31,8 @@ OBJCOPY = objcopy
+ MYGUID = 11111111-2222-3333-4444-123456789abc
+ INSTALL = install
+ BINDIR = $(DESTDIR)/usr/bin
+-MANDIR = $(DESTDIR)/usr/share/man/man1
+-EFIDIR = $(DESTDIR)/usr/share/efitools/efi
++#MANDIR = $(DESTDIR)/usr/share/man/man1
++#EFIDIR = $(DESTDIR)/usr/share/efitools/efi
+ DOCDIR = $(DESTDIR)/usr/share/efitools
+
+ # globally use EFI calling conventions (requires gcc >= 4.7)
+@@ -56,71 +56,71 @@ ifeq ($(ARCH),aarch64)
+ FORMAT = -O binary
+ endif
+
+-%.efi: %.so
+- $(OBJCOPY) -j .text -j .sdata -j .data -j .dynamic -j .dynsym \
+- -j .rel -j .rela -j .rel.* -j .rela.* -j .rel* -j .rela* \
+- -j .reloc $(FORMAT) $*.so $@
++#%.efi: %.so
++# $(OBJCOPY) -j .text -j .sdata -j .data -j .dynamic -j .dynsym \
++# -j .rel -j .rela -j .rel.* -j .rela.* -j .rel* -j .rela* \
++# -j .reloc $(FORMAT) $*.so $@
+ %.so: %.o
+ $(LD) $(LDFLAGS) $^ -o $@ $(LOADLIBES)
+ # check we have no undefined symbols
+ nm -D $@ | grep ' U ' && exit 1 || exit 0
+
+-%.h: %.auth
+- ./xxdi.pl $< > $@
++#%.h: %.auth
++# ./xxdi.pl $< > $@
+
+-%.hash: %.efi hash-to-efi-sig-list
+- ./hash-to-efi-sig-list $< $@
++#%.hash: %.efi hash-to-efi-sig-list
++# ./hash-to-efi-sig-list $< $@
+
+-%-blacklist.esl: %.crt cert-to-efi-hash-list
+- ./cert-to-efi-sig-list $< $@
++#%-blacklist.esl: %.crt cert-to-efi-hash-list
++# ./cert-to-efi-sig-list $< $@
+
+-%-hash-blacklist.esl: %.crt cert-to-efi-hash-list
+- ./cert-to-efi-hash-list $< $@
++#%-hash-blacklist.esl: %.crt cert-to-efi-hash-list
++# ./cert-to-efi-hash-list $< $@
+
+-%.esl: %.crt cert-to-efi-sig-list
+- ./cert-to-efi-sig-list -g $(MYGUID) $< $@
++#%.esl: %.crt cert-to-efi-sig-list
++# ./cert-to-efi-sig-list -g $(MYGUID) $< $@
+
+-getcert = $(shell if [ "$(1)" = "PK" -o "$(1)" = "KEK" ]; then echo "-c PK.crt -k PK.key"; else echo "-c KEK.crt -k KEK.key"; fi)
+-getvar = $(shell if [ "$(1)" = "PK" -o "$(1)" = "KEK" ]; then echo $(1); else echo db; fi)
++#getcert = $(shell if [ "$(1)" = "PK" -o "$(1)" = "KEK" ]; then echo "-c PK.crt -k PK.key"; else echo "-c KEK.crt -k KEK.key"; fi)
++#getvar = $(shell if [ "$(1)" = "PK" -o "$(1)" = "KEK" ]; then echo $(1); else echo db; fi)
+
+-%.auth: %.esl PK.crt KEK.crt sign-efi-sig-list
+- ./sign-efi-sig-list $(call getcert,$*) $(call getvar,$*) $< $@
++#%.auth: %.esl PK.crt KEK.crt sign-efi-sig-list
++# ./sign-efi-sig-list $(call getcert,$*) $(call getvar,$*) $< $@
+
+-%-update.auth: %.esl PK.crt KEK.crt sign-efi-sig-list
+- ./sign-efi-sig-list -a $(call getcert,$*) $(call getvar,$*) $< $@
++#%-update.auth: %.esl PK.crt KEK.crt sign-efi-sig-list
++# ./sign-efi-sig-list -a $(call getcert,$*) $(call getvar,$*) $< $@
+
+-%-pkupdate.auth: %.esl PK.crt sign-efi-sig-list
+- ./sign-efi-sig-list -a -c PK.crt -k PK.key $(call getvar,$*) $< $@
++#%-pkupdate.auth: %.esl PK.crt sign-efi-sig-list
++# ./sign-efi-sig-list -a -c PK.crt -k PK.key $(call getvar,$*) $< $@
+
+-%-blacklist.auth: %-blacklist.esl KEK.crt sign-efi-sig-list
+- ./sign-efi-sig-list -a -c KEK.crt -k KEK.key dbx $< $@
++#%-blacklist.auth: %-blacklist.esl KEK.crt sign-efi-sig-list
++# ./sign-efi-sig-list -a -c KEK.crt -k KEK.key dbx $< $@
+
+-%-pkblacklist.auth: %-blacklist.esl PK.crt sign-efi-sig-list
+- ./sign-efi-sig-list -a -c PK.crt -k PK.key dbx $< $@
++#%-pkblacklist.auth: %-blacklist.esl PK.crt sign-efi-sig-list
++# ./sign-efi-sig-list -a -c PK.crt -k PK.key dbx $< $@
+
+ %.o: %.c
+ $(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -c $< -o $@
+
+-%.efi.o: %.c
+- $(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -fno-toplevel-reorder -DBUILD_EFI -c $< -o $@
++#%.efi.o: %.c
++# $(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -fno-toplevel-reorder -DBUILD_EFI -c $< -o $@
+
+-%.efi.s: %.c
+- $(CC) -S $(INCDIR) $(CFLAGS) $(CPPFLAGS) -fno-toplevel-reorder -DBUILD_EFI -c $< -o $@
++#%.efi.s: %.c
++# $(CC) -S $(INCDIR) $(CFLAGS) $(CPPFLAGS) -fno-toplevel-reorder -DBUILD_EFI -c $< -o $@
+
+-%.crt:
+- openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$*/" -keyout $*.key -out $@ -days 3650 -nodes -sha256
++#%.crt:
++# openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$*/" -keyout $*.key -out $@ -days 3650 -nodes -sha256
+
+-%.cer: %.crt
+- openssl x509 -in $< -out $@ -outform DER
++#%.cer: %.crt
++# openssl x509 -in $< -out $@ -outform DER
+
+-%-subkey.csr:
+- openssl req -new -newkey rsa:2048 -keyout $*-subkey.key -subj "/CN=Subkey $* of KEK/" -out $@ -nodes
++#%-subkey.csr:
++# openssl req -new -newkey rsa:2048 -keyout $*-subkey.key -subj "/CN=Subkey $* of KEK/" -out $@ -nodes
+
+-%-subkey.crt: %-subkey.csr KEK.crt
+- openssl x509 -req -in $< -CA DB.crt -CAkey DB.key -set_serial 1 -out $@ -days 365
++#%-subkey.crt: %-subkey.csr KEK.crt
++# openssl x509 -req -in $< -CA DB.crt -CAkey DB.key -set_serial 1 -out $@ -days 365
+
+-%-signed.efi: %.efi DB.crt
+- sbsign --key DB.key --cert DB.crt --output $@ $<
++#%-signed.efi: %.efi DB.crt
++# sbsign --key DB.key --cert DB.crt --output $@ $<
+
+ ##
+ # No need for KEK signing
+@@ -131,5 +131,5 @@ getvar = $(shell if [ "$(1)" = "PK" -o "$(1)" = "KEK" ]; then echo $(1); else ec
+ %.a:
+ ar rcv $@ $^
+
+-doc/%.1: doc/%.1.in %
+- $(HELP2MAN) --no-info -i $< -o $@ ./$*
++#doc/%.1: doc/%.1.in %
++# $(HELP2MAN) --no-info -i $< -o $@ ./$*
+--
+2.7.4
+
diff --git a/package/efitools/0003-remove-l-option-of-mount-command-to-turn-compatible-.patch b/package/efitools/0003-remove-l-option-of-mount-command-to-turn-compatible-.patch
new file mode 100644
index 0000000..680e69f
--- /dev/null
+++ b/package/efitools/0003-remove-l-option-of-mount-command-to-turn-compatible-.patch
@@ -0,0 +1,27 @@
+From ccd65d5fa22a95c48c1301ab50d3547f162e3e54 Mon Sep 17 00:00:00 2001
+From: "celso.neto.cwi" <celso.neto.cwi@datacom.ind.br>
+Date: Tue, 26 Jun 2018 08:31:51 -0300
+Subject: [PATCH 3/3] remove "-l" option of mount command to turn compatible
+ with mount of busybox
+
+Signen-off-by: celso.neto.cwi <celso.neto.cwi@datacom.ind.br>
+---
+ lib/kernel_efivars.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/kernel_efivars.c b/lib/kernel_efivars.c
+index 630088b..636217b 100644
+--- a/lib/kernel_efivars.c
++++ b/lib/kernel_efivars.c
+@@ -38,7 +38,7 @@ kernel_variable_init(void)
+ if (kernel_efi_path)
+ return;
+ mktemp(fname);
+- snprintf(cmdline, sizeof(cmdline), "mount -l > %s", fname);
++ snprintf(cmdline, sizeof(cmdline), "mount > %s", fname);
+ ret = system(cmdline);
+ if (WEXITSTATUS(ret) != 0)
+ /* hopefully stderr said what was wrong */
+--
+2.7.4
+
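Review bot: The line this patch edits still builds a shell command around a name from `mktemp(fname)` and runs it with `system()`, so the mount listing goes to a predictable temporary path in a tool that typically needs root to change Secure Boot variables; only the `-l` flag is dropped. Reading `/proc/mounts` directly with `fopen()` would remove the temporary file, the shell and the dependence on which `mount` implementation is installed, and is worth proposing upstream instead of this workaround. The trailer is misspelled `Signen-off-by:` and the subject says `[PATCH 3/3]` while the other two patches say 1/2 and 2/2. The body of kernel_variable_init() continues outside the hunk, so how `fname` is declared and read back is not visible here.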
diff --git a/package/efitools/Config.in b/package/efitools/Config.in
new file mode 100644
index 0000000..83894a1
--- /dev/null
+++ b/package/efitools/Config.in
@@ -0,0 +1,9 @@
+config BR2_PACKAGE_EFITOOLS
+ bool "efitools"
+ select BR2_PACKAGE_GNU_EFI
+ select BR2_PACKAGE_OPENSSL
+ help
+ A Linux user-space application to manipulate UEFI signatures
+ database
+
+ https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git/about/
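Review bot: `select BR2_PACKAGE_GNU_EFI` has no matching architecture dependency, and `select` does not honour the selected symbol's own `depends on`, so efitools can be enabled on targets where gnu-efi is not available. The sbsigntools Config.in in this series already carries the condition; the same line belongs here: `depends on BR2_ARM_CPU_HAS_ARM || BR2_aarch64 || BR2_aarch64_be || BR2_i386 || BR2_x86_64 # gnu-efi`. The help text should read "UEFI signature databases".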
diff --git a/package/efitools/efitools.hash b/package/efitools/efitools.hash
new file mode 100644
index 0000000..2346ed7
--- /dev/null
+++ b/package/efitools/efitools.hash
@@ -0,0 +1,3 @@
+# Locally computed:
+sha256 64f4f53a1a1b92f38c4cfae9edcb5ba3eb4ef0e8c5d079e04cc03204699d3d38 efitools-1.8.1.tar.gz
+sha256 824d6063f4319acb32fe5de52738c72e54ce8ff3dea3470462ff135b958480b5 COPYING
diff --git a/package/efitools/efitools.mk b/package/efitools/efitools.mk
new file mode 100644
index 0000000..4257b2a
--- /dev/null
+++ b/package/efitools/efitools.mk
@@ -0,0 +1,21 @@
+################################################################################
+#
+# efitools
+#
+################################################################################
+
+EFITOOLS_VERSION = 1.8.1
+EFITOOLS_SITE = https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git/snapshot
+EFITOOLS_LICENSE = GPL-2.0+
+EFITOOLS_LICENSE_FILES = COPYING
+EFITOOLS_DEPENDENCIES = gnu-efi openssl
+
+define EFITOOLS_BUILD_CMDS
+ $(TARGET_MAKE_ENV) $(MAKE) -C $(@D)
+endef
+
+define EFITOOLS_INSTALL_TARGET_CMDS
+ $(TARGET_MAKE_ENV) $(MAKE) -C $(@D) DESTDIR=$(TARGET_DIR) install
+endef
+
+$(eval $(generic-package))
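Review bot: Neither `$(MAKE)` call passes the cross toolchain, so the upstream build falls back to make's default compiler and to `ARCH = $(shell uname -m | sed ...)` from Make.rules (left unchanged by patch 0002), both of which describe the build host rather than the target. The binaries installed into `$(TARGET_DIR)` would then be host binaries on any cross build. Pass the target settings explicitly, for example `$(TARGET_MAKE_ENV) $(MAKE) $(TARGET_CONFIGURE_OPTS) ARCH=$(GNU_EFI_PLATFORM) -C $(@D)`, and the same on the install line; the `ARCH` value is an assumption based on the names Make.rules maps to and should be confirmed. Command-line `CFLAGS` override the ones Make.rules sets, so check that its include paths are still applied.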
--
2.7.4
* [Buildroot] [PATCH 3/3] sbsigntools: new package
From: Celso Varella @ 2018-07-06 14:36 UTC (permalink / raw)
To: buildroot
Linux user-space utility for signing and verifying files for UEFI Secure
Boot.
The recipe is a bit complicated because sbsigntools requires a specific
version of CCAN (see https://github.com/rustyrussell/ccan/) and uses a
script to download, configure and build it. We must patch configure.ac,
Makefile.am and the ccan Makefile to remove hard-coded paths and git
invocations.
We must also apply two patches already sent to the maintainer by email
- Fix an automake warning that source file 'ccan/time/time.c' is in a
subdirectory but option 'subdir-objects' is disabled.
- Improve error handling and prevent a memory leak in an internal
function.
The project does not seem to have a bug tracking system or a
mailing list, just a page at kernel.org.
https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/about/
Signed-off-by: Celso Varella <celso.neto.cwi@datacom.com.br>
Signed-off-by: Carlos Santos <casantos@datacom.com.br>
---
package/Config.in | 1 +
package/Config.in.host | 1 +
.../0001-configure-fix-AM_INIT_AUTOMAKE-call.patch | 32 +++++++++
...rove-error-handling-in-__fileio_read_file.patch | 68 ++++++++++++++++++
package/sbsigntools/Config.in | 20 ++++++
package/sbsigntools/Config.in.host | 7 ++
package/sbsigntools/sbsigntools.hash | 10 +++
package/sbsigntools/sbsigntools.mk | 83 ++++++++++++++++++++++
8 files changed, 222 insertions(+)
create mode 100644 package/sbsigntools/0001-configure-fix-AM_INIT_AUTOMAKE-call.patch
create mode 100644 package/sbsigntools/0002-fileio-improve-error-handling-in-__fileio_read_file.patch
create mode 100644 package/sbsigntools/Config.in
create mode 100644 package/sbsigntools/Config.in.host
create mode 100644 package/sbsigntools/sbsigntools.hash
create mode 100644 package/sbsigntools/sbsigntools.mk
diff --git a/package/Config.in b/package/Config.in
index a61ace3..676555c 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2048,6 +2048,7 @@ menu "System tools"
source "package/s6-linux-utils/Config.in"
source "package/s6-portable-utils/Config.in"
source "package/s6-rc/Config.in"
+ source "package/sbsigntools/Config.in"
source "package/scrub/Config.in"
source "package/scrypt/Config.in"
source "package/smack/Config.in"
diff --git a/package/Config.in.host b/package/Config.in.host
index 7838ffc..8103c00 100644
--- a/package/Config.in.host
+++ b/package/Config.in.host
@@ -52,6 +52,7 @@ menu "Host utilities"
source "package/rauc/Config.in.host"
source "package/rustc/Config.in.host"
source "package/s6-rc/Config.in.host"
+ source "package/sbsigntools/Config.in.host"
source "package/sam-ba/Config.in.host"
source "package/squashfs/Config.in.host"
source "package/sunxi-tools/Config.in.host"
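Review bot: The new `source "package/sbsigntools/Config.in.host"` line is placed before `package/sam-ba/Config.in.host`, which breaks the alphabetical order the surrounding entries follow. Move it to after the sam-ba line.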
diff --git a/package/sbsigntools/0001-configure-fix-AM_INIT_AUTOMAKE-call.patch b/package/sbsigntools/0001-configure-fix-AM_INIT_AUTOMAKE-call.patch
new file mode 100644
index 0000000..a8fb3ac
--- /dev/null
+++ b/package/sbsigntools/0001-configure-fix-AM_INIT_AUTOMAKE-call.patch
@@ -0,0 +1,32 @@
+From 0af33976848d515703b07c45a2fbfd08b867d4b0 Mon Sep 17 00:00:00 2001
+From: Carlos Santos <casantos@datacom.com.br>
+Date: Tue, 3 Jul 2018 15:45:04 -0300
+Subject: [PATCH] configure: fix AM_INIT_AUTOMAKE call
+
+Requires subdir-objects to prevent warning messages:
+
+ lib/ccan/Makefile.am:2: warning: source file 'ccan/time/time.c' is in a subdirectory,
+ lib/ccan/Makefile.am:2: but option 'subdir-objects' is disabled
+ automake: warning: possible forward-incompatibility.
+ automake: At least a source file is in a subdirectory, but the 'subdir-objects'
+
+Signed-off-by: Carlos Santos <casantos@datacom.com.br>
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index f39400a..e9fc906 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1,6 +1,6 @@
+ AC_INIT([sbsigntool], [0.9.1], [James.Bottomley at HansenPartnership.com])
+
+-AM_INIT_AUTOMAKE()
++AM_INIT_AUTOMAKE([subdir-objects])
+
+ AC_PREREQ(2.60)
+
+--
+2.14.4
+
diff --git a/package/sbsigntools/0002-fileio-improve-error-handling-in-__fileio_read_file.patch b/package/sbsigntools/0002-fileio-improve-error-handling-in-__fileio_read_file.patch
new file mode 100644
index 0000000..557b123
--- /dev/null
+++ b/package/sbsigntools/0002-fileio-improve-error-handling-in-__fileio_read_file.patch
@@ -0,0 +1,68 @@
+From fb10558edc146bdba4383171144c35d152208041 Mon Sep 17 00:00:00 2001
+From: Carlos Santos <casantos@datacom.com.br>
+Date: Wed, 4 Jul 2018 11:07:31 -0300
+Subject: [PATCH] fileio: improve error handling in __fileio_read_file
+
+Prevent compiler warnings:
+ fileio.c:178:12: warning: 'buf' may be used uninitialized in this function [-Wmaybe-uninitialized]
+ fileio.c:179:12: warning: 'len' may be used uninitialized in this function [-Wmaybe-uninitialized]
+
+Call talloc_free before returning on read errors to prevent memory leak.
+
+Signed-off-by: Carlos Santos <casantos@datacom.com.br>
+---
+ src/fileio.c | 28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/src/fileio.c b/src/fileio.c
+index 032eb1e..5a109a7 100644
+--- a/src/fileio.c
++++ b/src/fileio.c
+@@ -154,30 +154,30 @@ static int __fileio_read_file(void *ctx, const char *filename,
+
+ rc = fstat(fd, &statbuf);
+ if (rc)
+- goto out;
++ goto close_fd;
+
+ len = statbuf.st_size;
+
+ buf = talloc_array(ctx, uint8_t, len);
+ if (!buf)
+- goto out;
++ goto close_fd;
+
+ if (!read_all(fd, buf, len))
+- goto out;
++ goto read_error;
+
++ *out_buf = buf;
++ *out_len = len;
+ rc = 0;
+-
++ goto close_fd;
++
++read_error:
++ if (!(flags & FLAG_NOERROR))
++ fprintf(stderr, "Error reading file %s: %s\n", filename,
++ strerror(errno));
++ talloc_free(ctx);
++close_fd:
++ close(fd);
+ out:
+- if (fd >= 0)
+- close(fd);
+- if (rc) {
+- if (!(flags & FLAG_NOERROR))
+- fprintf(stderr, "Error reading file %s: %s\n",
+- filename, strerror(errno));
+- } else {
+- *out_buf = buf;
+- *out_len = len;
+- }
+ return rc;
+
+ }
+--
+2.14.4
+
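Review bot: In the new `read_error:` path `talloc_free(ctx)` frees the caller's talloc context instead of the buffer just allocated, which would release everything the caller has attached to `ctx` and leave it with a dangling context; it should be `talloc_free(buf);`. `rc` is also still 0 from the successful `fstat()` when `talloc_array()` or `read_all()` fails, so both failure paths return success with `*out_buf` and `*out_len` unwritten; add `rc = -1;` after the `fstat()` check. The `fstat()` failure path also loses the error message it printed before. This function reads the keys and images the tool signs, so a silent success on a failed read matters; the start of __fileio_read_file() is outside the hunk.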
diff --git a/package/sbsigntools/Config.in b/package/sbsigntools/Config.in
new file mode 100644
index 0000000..a536315
--- /dev/null
+++ b/package/sbsigntools/Config.in
@@ -0,0 +1,20 @@
+config BR2_PACKAGE_SBSIGNTOOLS
+ bool "sbsigntools"
+ depends on BR2_ARM_CPU_HAS_ARM || BR2_aarch64 || \
+ BR2_aarch64_be || BR2_i386 || BR2_x86_64 # gnu-efi
+ depends on !BR2_nios2 # binutils
+ depends on BR2_USE_WCHAR # binutils
+ select BR2_PACKAGE_BINUTILS
+ select BR2_PACKAGE_GNU_EFI
+ select BR2_PACKAGE_OPENSSL
+ select BR2_PACKAGE_UTIL_LINUX
+ select BR2_PACKAGE_UTIL_LINUX_LIBUUID
+ help
+ A Linux user-space application to sign and verify application
+ for UEFI Secure Boot
+
+ https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/about/
+
+comment "sbsigntools needs a toolchain w/ wchar"
+ depends on !BR2_nios2
+ depends on !BR2_USE_WCHAR
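Review bot: The `comment "sbsigntools needs a toolchain w/ wchar"` block repeats `!BR2_nios2` but not the gnu-efi architecture condition from the first `depends on`, so the comment would be shown on architectures where the package can never be selected. Repeat the condition there: `depends on BR2_ARM_CPU_HAS_ARM || BR2_aarch64 || BR2_aarch64_be || BR2_i386 || BR2_x86_64`. The help text should read "sign and verify applications for UEFI Secure Boot"; Config.in.host has the same wording.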
diff --git a/package/sbsigntools/Config.in.host b/package/sbsigntools/Config.in.host
new file mode 100644
index 0000000..7fdf297
--- /dev/null
+++ b/package/sbsigntools/Config.in.host
@@ -0,0 +1,7 @@
+config BR2_PACKAGE_HOST_SBSIGNTOOLS
+ bool "host sbsigntools"
+ help
+ A Linux user-space application to sign and verify application
+ for UEFI Secure Boot
+
+ https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/about/
diff --git a/package/sbsigntools/sbsigntools.hash b/package/sbsigntools/sbsigntools.hash
new file mode 100644
index 0000000..2778a40
--- /dev/null
+++ b/package/sbsigntools/sbsigntools.hash
@@ -0,0 +1,10 @@
+# locally computed
+sha256 981b3576fc16392e2a764aa4089ce7e51843e3c787143ba7dec8cca88cf5ec07 sbsigntools-0.9.1.tar.gz
+sha256 d479cffd70764aa6078d7b198472a9ec0b517b2123479fb578b3e5c8ddaa01b0 ccan-b1f28e17227f2320d07fe052a8a48942fe17caa5.tar.gz
+sha256 7f424707cdb69df658b7b66ea1f9c9ab3ea0a0988999ecba3dad10a811db654f COPYING
+sha256 02a66d6af5a4ef501849a33e6d8a0624e2b4284c8bed19ba0b0c24e8ac1add4e lib/ccan.git/licenses/BSD-3CLAUSE
+sha256 89807acf2309bd285f033404ee78581602f3cd9b819a16ac2f0e5f60ff4a473e lib/ccan.git/licenses/BSD-MIT
+sha256 ab15fd526bd8dd18a9e77ebc139656bf4d33e97fc7238cd11bf60e2b9b8666c6 lib/ccan.git/licenses/GPL-2
+sha256 fc82ca8b6fdb18d4e3e85cfd8ab58d1bcd3f1b29abe782895abd91d64763f8e7 lib/ccan.git/licenses/GPL-3
+sha256 a9bdde5616ecdd1e980b44f360600ee8783b1f99b8cc83a2beb163a0a390e861 lib/ccan.git/licenses/LGPL-2.1
+sha256 a853c2ffec17057872340eee242ae4d96cbf2b520ae27d903e1b2fef1a5f9d1c lib/ccan.git/licenses/LGPL-3
diff --git a/package/sbsigntools/sbsigntools.mk b/package/sbsigntools/sbsigntools.mk
new file mode 100644
index 0000000..235229b
--- /dev/null
+++ b/package/sbsigntools/sbsigntools.mk
@@ -0,0 +1,83 @@
+################################################################################
+#
+# sbsigntools
+#
+################################################################################
+
+SBSIGNTOOLS_VERSION = 0.9.1
+SBSIGNTOOLS_SITE = https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/snapshot
+SBSIGNTOOLS_LICENSE = GPL-3.0+
+SBSIGNTOOLS_LICENSE_FILES = COPYING \
+ lib/ccan.git/licenses/BSD-3CLAUSE \
+ lib/ccan.git/licenses/BSD-MIT \
+ lib/ccan.git/licenses/GPL-2 \
+ lib/ccan.git/licenses/GPL-3 \
+ lib/ccan.git/licenses/LGPL-2.1 \
+ lib/ccan.git/licenses/LGPL-3
+SBSIGNTOOLS_AUTORECONF = YES
+
+SBSIGNTOOLS_DEPENDENCIES = host-pkgconf binutils gnu-efi openssl util-linux
+SBSIGNTOOLS_CFLAGS = \
+ -I$(BINUTILS_DIR)/bfd \
+ -I$(BINUTILS_DIR)/include \
+ $(TARGET_CFLAGS)
+SBSIGNTOOLS_EFI_CPPFLAGS = -I$(HOST_DIR)/include/efi \
+ -I$(HOST_DIR)/include/efi/$(HOST_GNU_EFI_PLATFORM)
+SBSIGNTOOLS_CONF_ENV = \
+ CFLAGS="$(SBSIGNTOOLS_CFLAGS)" \
+ CRTPATH="$(STAGING_DIR)/lib/crt0-efi-$(GNU_EFI_PLATFORM).o" \
+ ac_cv_header_bfd_h=yes
+
+HOST_SBSIGNTOOLS_DEPENDENCIES = host-pkgconf host-binutils host-gnu-efi \
+ host-openssl host-util-linux
+HOST_SBSIGNTOOLS_CFLAGS = \
+ -I$(HOST_BINUTILS_DIR)/bfd \
+ -I$(HOST_BINUTILS_DIR)/include \
+ $(HOST_CFLAGS)
+HOST_SBSIGNTOOLS_CONF_ENV = \
+ CFLAGS="$(HOST_SBSIGNTOOLS_CFLAGS)" \
+ CRTPATH="$(HOST_DIR)/lib/crt0-efi-$(HOST_GNU_EFI_PLATFORM).o" \
+ ac_cv_header_bfd_h=yes
+
+SBSIGNTOOLS_CCAN_VERSION = b1f28e17227f2320d07fe052a8a48942fe17caa5
+SBSIGNTOOLS_CCAN_SITE = $(call github,rustyrussell,ccan,$(SBSIGNTOOLS_CCAN_VERSION))
+SBSIGNTOOLS_CCAN_SOURCE = ccan-$(SBSIGNTOOLS_CCAN_VERSION).tar.gz
+SBSIGNTOOLS_CCAN_MODULES = talloc read_write_all build_assert array_size endian
+SBSIGNTOOLS_EXTRA_DOWNLOADS = $(SBSIGNTOOLS_CCAN_SITE)/$(SBSIGNTOOLS_CCAN_SOURCE)
+
+define SBSIGNTOOLS_POST_EXTRACT
+ set -e; \
+ $(ZCAT) $(SBSIGNTOOLS_DL_DIR)/$(SBSIGNTOOLS_CCAN_SOURCE) |\
+ $(TAR) --strip-components=1 -C $(@D)/lib/ccan.git -x -f -; \
+ rm $(@D)/lib/ccan.git/Makefile-web; \
+ $(SED) 's|\[docs/Makefile tests/Makefile\]||;s|AM_MISSING_PROG(HELP2MAN.*|HELP2MAN=:|' \
+ $(@D)/configure.ac; \
+ echo 'SUBDIRS = lib/ccan src' > $(@D)/Makefile.am; \
+ $(SED) 's|\(SCOREDIR=scores\)/.*|\1|;/git describe/d' $(@D)/lib/ccan.git/Makefile
+endef
+define SBSIGNTOOLS_FIX_EFI_CPPFLAGS
+ $(SED) 's|^EFI_ARCH=.*|EFI_ARCH=$(GNU_EFI_PLATFORM)|;\
+ s|/usr/include/efi|$(STAGING_DIR)/usr/include/efi|g' \
+ $(@D)/configure.ac
+endef
+define HOST_SBSIGNTOOLS_FIX_EFI_CPPFLAGS
+ $(SED) 's|^EFI_ARCH=.*|EFI_ARCH=$(HOST_GNU_EFI_PLATFORM)|;\
+ s|/usr/include/efi|$(HOST_DIR)/include/efi|g' \
+ $(@D)/configure.ac
+endef
+SBSIGNTOOLS_POST_EXTRACT_HOOKS += SBSIGNTOOLS_POST_EXTRACT SBSIGNTOOLS_FIX_EFI_CPPFLAGS
+HOST_SBSIGNTOOLS_POST_EXTRACT_HOOKS += SBSIGNTOOLS_POST_EXTRACT HOST_SBSIGNTOOLS_FIX_EFI_CPPFLAGS
+
+define SBSIGNTOOLS_PRE_CONFIGURE_AUTOGEN
+ set -e; \
+ cd $(@D); \
+ rm -rf lib/ccan; \
+ lib/ccan.git/tools/create-ccan-tree --build-type=automake \
+ lib/ccan $(SBSIGNTOOLS_CCAN_MODULES); \
+ touch AUTHORS ChangeLog
+endef
+SBSIGNTOOLS_PRE_CONFIGURE_HOOKS += SBSIGNTOOLS_PRE_CONFIGURE_AUTOGEN
+HOST_SBSIGNTOOLS_PRE_CONFIGURE_HOOKS += SBSIGNTOOLS_PRE_CONFIGURE_AUTOGEN
+
+$(eval $(autotools-package))
+$(eval $(host-autotools-package))
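Review bot: `SBSIGNTOOLS_EFI_CPPFLAGS` is defined but never referenced in this file, and it points the target variant at `$(HOST_DIR)/include/efi` and `$(HOST_GNU_EFI_PLATFORM)`; it looks like a leftover and should be removed, or wired in with the staging paths. The target and host `CFLAGS` take headers from `$(BINUTILS_DIR)/bfd` and `$(HOST_BINUTILS_DIR)/bfd`, i.e. another package's build tree, and `ac_cv_header_bfd_h=yes` skips the configure check that would notice a missing `bfd.h`. A comment above `SBSIGNTOOLS_CONF_ENV` such as `# bfd.h is not installed by binutils, so take it from its build directory and skip the configure check` would explain the workaround, if that is indeed the reason.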
--
2.7.4