* [Buildroot] [PATCH 0/3] New packages to support UEFI Secure Boot
@ 2018-07-06 14:36 Celso Varella
  2018-07-06 14:36 ` [Buildroot] [PATCH 1/3] efitools: new package Celso Varella
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: Celso Varella @ 2018-07-06 14:36 UTC (permalink / raw)
  To: buildroot

Patch 1: add efitools package
Patch 2: add gnu-efi host variant required by host-sbsigntools
Patch 3: add sbsigntools host and target package

Celso Varella (3):
  efitools: new package
  gnu-efi: add host variant
  sbsigntools: new package

 package/Config.in                                  |   2 +
 package/Config.in.host                             |   1 +
 ...kefile-remove-all-dependencies-from-sbsig.patch | 155 ++++++++++++++++++++
 ...ke.rules-remove-all-dependencies-from-sbs.patch | 159 +++++++++++++++++++++
 ...tion-of-mount-command-to-turn-compatible-.patch |  27 ++++
 package/efitools/Config.in                         |   9 ++
 package/efitools/efitools.hash                     |   3 +
 package/efitools/efitools.mk                       |  21 +++
 package/gnu-efi/gnu-efi.mk                         |  20 +++
 .../0001-configure-fix-AM_INIT_AUTOMAKE-call.patch |  32 +++++
 ...rove-error-handling-in-__fileio_read_file.patch |  68 +++++++++
 package/sbsigntools/Config.in                      |  20 +++
 package/sbsigntools/Config.in.host                 |   7 +
 package/sbsigntools/sbsigntools.hash               |  10 ++
 package/sbsigntools/sbsigntools.mk                 |  83 +++++++++++
 15 files changed, 617 insertions(+)
 create mode 100644 package/efitools/0001-Efitools-Makefile-remove-all-dependencies-from-sbsig.patch
 create mode 100644 package/efitools/0002-Efitools-Make.rules-remove-all-dependencies-from-sbs.patch
 create mode 100644 package/efitools/0003-remove-l-option-of-mount-command-to-turn-compatible-.patch
 create mode 100644 package/efitools/Config.in
 create mode 100644 package/efitools/efitools.hash
 create mode 100644 package/efitools/efitools.mk
 create mode 100644 package/sbsigntools/0001-configure-fix-AM_INIT_AUTOMAKE-call.patch
 create mode 100644 package/sbsigntools/0002-fileio-improve-error-handling-in-__fileio_read_file.patch
 create mode 100644 package/sbsigntools/Config.in
 create mode 100644 package/sbsigntools/Config.in.host
 create mode 100644 package/sbsigntools/sbsigntools.hash
 create mode 100644 package/sbsigntools/sbsigntools.mk

-- 
2.7.4


* [Buildroot] [PATCH 1/3] efitools: new package
  2018-07-06 14:36 [Buildroot] [PATCH 0/3] New packages to support UEFI Secure Boot Celso Varella
@ 2018-07-06 14:36 ` Celso Varella
  2018-07-17 20:32   ` Peter Korsgaard
  2018-07-06 14:36 ` [Buildroot] [PATCH 2/3] gnu-efi: add host variant Celso Varella
  2018-07-06 14:36 ` [Buildroot] [PATCH 3/3] sbsigntools: new package Celso Varella
  2 siblings, 1 reply; 7+ messages in thread
From: Celso Varella @ 2018-07-06 14:36 UTC (permalink / raw)
  To: buildroot

Linux user-space application to manipulate UEFI signatures database

Patches 1 and 2 remove dependencies from sbsigntools and perl scripts

Patch 3 removes "-l" option from mount command in lib/kernel_efivars.c
for compatibility with Busybox mount command

https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git/about/

Signed-off-by: Celso Varella <celso.neto.cwi@datacom.com.br>
---
 package/Config.in                                  |   1 +
 ...kefile-remove-all-dependencies-from-sbsig.patch | 155 ++++++++++++++++++++
 ...ke.rules-remove-all-dependencies-from-sbs.patch | 159 +++++++++++++++++++++
 ...tion-of-mount-command-to-turn-compatible-.patch |  27 ++++
 package/efitools/Config.in                         |   9 ++
 package/efitools/efitools.hash                     |   3 +
 package/efitools/efitools.mk                       |  21 +++
 7 files changed, 375 insertions(+)
 create mode 100644 package/efitools/0001-Efitools-Makefile-remove-all-dependencies-from-sbsig.patch
 create mode 100644 package/efitools/0002-Efitools-Make.rules-remove-all-dependencies-from-sbs.patch
 create mode 100644 package/efitools/0003-remove-l-option-of-mount-command-to-turn-compatible-.patch
 create mode 100644 package/efitools/Config.in
 create mode 100644 package/efitools/efitools.hash
 create mode 100644 package/efitools/efitools.mk

diff --git a/package/Config.in b/package/Config.in
index 20fe5ad..a61ace3 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2011,6 +2011,7 @@ menu "System tools"
 	source "package/docker-proxy/Config.in"
 	source "package/dsp-tools/Config.in"
 	source "package/efibootmgr/Config.in"
+	source "package/efitools/Config.in"
 	source "package/efivar/Config.in"
 	source "package/emlog/Config.in"
 	source "package/ftop/Config.in"
diff --git a/package/efitools/0001-Efitools-Makefile-remove-all-dependencies-from-sbsig.patch b/package/efitools/0001-Efitools-Makefile-remove-all-dependencies-from-sbsig.patch
new file mode 100644
index 0000000..ac624b3
--- /dev/null
+++ b/package/efitools/0001-Efitools-Makefile-remove-all-dependencies-from-sbsig.patch
@@ -0,0 +1,155 @@
+From 396c7592005c62a2a12a0311fe480454e48b294c Mon Sep 17 00:00:00 2001
+From: "celso.neto.cwi" <celso.neto.cwi@datacom.ind.br>
+Date: Mon, 25 Jun 2018 10:45:27 -0300
+Subject: [PATCH 1/2] Efitools - Makefile remove all dependencies from
+ sbsigntools and perl script
+
+Signed-off-by: celso.neto.cwi <celso.neto.cwi@datacom.ind.br>
+---
+ Makefile | 87 ++++++++++++++++++++++++++++++++--------------------------------
+ 1 file changed, 44 insertions(+), 43 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 774ee0a..6f6674d 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,4 +1,4 @@
+-EFIFILES = HelloWorld.efi LockDown.efi Loader.efi ReadVars.efi UpdateVars.efi \
++#EFIFILES = HelloWorld.efi LockDown.efi Loader.efi ReadVars.efi UpdateVars.efi \
+ 	KeyTool.efi HashTool.efi SetNull.efi ShimReplace.efi
+ BINARIES = cert-to-efi-sig-list sig-list-to-certs sign-efi-sig-list \
+ 	hash-to-efi-sig-list efi-readvar efi-updatevar cert-to-efi-hash-list \
+@@ -8,34 +8,35 @@ ifeq ($(ARCH),x86_64)
+ EFIFILES += PreLoader.efi
+ endif
+ 
+-MSGUID = 77FA9ABD-0359-4D32-BD60-28F4E78F784B
++#MSGUID = 77FA9ABD-0359-4D32-BD60-28F4E78F784B
+ 
+-KEYS = PK KEK DB
+-EXTRAKEYS = DB1 DB2
+-EXTERNALKEYS = ms-uefi ms-kek
++#KEYS = PK KEK DB
++#EXTRAKEYS = DB1 DB2
++#EXTERNALKEYS = ms-uefi ms-kek
+ 
+-ALLKEYS = $(KEYS) $(EXTRAKEYS) $(EXTERNALKEYS)
++#ALLKEYS = $(KEYS) $(EXTRAKEYS) $(EXTERNALKEYS)
+ 
+-KEYAUTH = $(ALLKEYS:=.auth)
+-KEYUPDATEAUTH = $(ALLKEYS:=-update.auth) $(ALLKEYS:=-pkupdate.auth)
+-KEYBLACKLISTAUTH = $(ALLKEYS:=-blacklist.auth)
+-KEYHASHBLACKLISTAUTH = $(ALLKEYS:=-hash-blacklist.auth)
++#KEYAUTH = $(ALLKEYS:=.auth)
++#KEYUPDATEAUTH = $(ALLKEYS:=-update.auth) $(ALLKEYS:=-pkupdate.auth)
++#KEYBLACKLISTAUTH = $(ALLKEYS:=-blacklist.auth)
++#KEYHASHBLACKLISTAUTH = $(ALLKEYS:=-hash-blacklist.auth)
+ 
+ export TOPDIR	:= $(shell pwd)/
+ 
+ include Make.rules
+ 
+-EFISIGNED = $(patsubst %.efi,%-signed.efi,$(EFIFILES))
++#EFISIGNED = $(patsubst %.efi,%-signed.efi,$(EFIFILES))
+ 
+-all: $(EFISIGNED) $(BINARIES) $(MANPAGES) noPK.auth $(KEYAUTH) \
++#all: $(EFISIGNED) $(BINARIES) $(MANPAGES) noPK.auth $(KEYAUTH) \
+ 	$(KEYUPDATEAUTH) $(KEYBLACKLISTAUTH) $(KEYHASHBLACKLISTAUTH)
+ 
++all: $(BINARIES) 
+ 
+ install: all
+-	$(INSTALL) -m 755 -d $(MANDIR)
+-	$(INSTALL) -m 644 $(MANPAGES) $(MANDIR)
+-	$(INSTALL) -m 755 -d $(EFIDIR)
+-	$(INSTALL) -m 755 $(EFIFILES) $(EFIDIR)
++#	$(INSTALL) -m 755 -d $(MANDIR)
++#	$(INSTALL) -m 644 $(MANPAGES) $(MANDIR)
++#	$(INSTALL) -m 755 -d $(EFIDIR)
++#	$(INSTALL) -m 755 $(EFIFILES) $(EFIDIR)
+ 	$(INSTALL) -m 755 -d $(BINDIR)
+ 	$(INSTALL) -m 755 $(BINARIES) $(BINDIR)
+ 	$(INSTALL) -m 755 mkusb.sh $(BINDIR)/efitool-mkusb
+@@ -48,44 +49,44 @@ lib/lib.a lib/lib-efi.a: FORCE
+ lib/asn1/libasn1.a lib/asn1/libasn1-efi.a: FORCE
+ 	$(MAKE) -C lib/asn1 $(notdir $@)
+ 
+-.SUFFIXES: .crt
++#.SUFFIXES: .crt
+ 
+-.KEEP: PK.crt KEK.crt DB.crt PK.key KEK.key DB.key PK.esl DB.esl KEK.esl \
++#.KEEP: PK.crt KEK.crt DB.crt PK.key KEK.key DB.key PK.esl DB.esl KEK.esl \
+ 	$(EFIFILES)
+ 
+-LockDown.o: PK.h KEK.h DB.h
+-PreLoader.o: hashlist.h
++#LockDown.o: PK.h KEK.h DB.h
++#PreLoader.o: hashlist.h
+ 
+-PK.h: PK.auth
++#PK.h: PK.auth
+ 
+-KEK.h: KEK.auth
++#KEK.h: KEK.auth
+ 
+-DB.h: DB.auth
++#DB.h: DB.auth
+ 
+-noPK.esl:
+-	> noPK.esl
++#noPK.esl:
++#	> noPK.esl
+ 
+-noPK.auth: noPK.esl PK.crt sign-efi-sig-list
+-	./sign-efi-sig-list -t "$(shell date --date='1 second' +'%Y-%m-%d %H:%M:%S')" -c PK.crt -k PK.key PK $< $@
++#noPK.auth: noPK.esl PK.crt sign-efi-sig-list
++#	./sign-efi-sig-list -t "$(shell date --date='1 second' +'%Y-%m-%d %H:%M:%S')" -c PK.crt -k PK.key PK $< $@
+ 
+-ms-%.esl: ms-%.crt cert-to-efi-sig-list
+-	./cert-to-efi-sig-list -g $(MSGUID) $< $@
++#ms-%.esl: ms-%.crt cert-to-efi-sig-list
++#	./cert-to-efi-sig-list -g $(MSGUID) $< $@
+ 
+-hashlist.h: HashTool.hash
+-	cat $^ > /tmp/tmp.hash
+-	./xxdi.pl /tmp/tmp.hash > $@
+-	rm -f /tmp/tmp.hash
++#hashlist.h: HashTool.hash
++#	cat $^ > /tmp/tmp.hash
++#	./xxdi.pl /tmp/tmp.hash > $@
++#	rm -f /tmp/tmp.hash
+ 
+ 
+-Loader.so: lib/lib-efi.a
+-ReadVars.so: lib/lib-efi.a lib/asn1/libasn1-efi.a
+-UpdateVars.so: lib/lib-efi.a
+-LockDown.so: lib/lib-efi.a
+-KeyTool.so: lib/lib-efi.a lib/asn1/libasn1-efi.a
+-HashTool.so: lib/lib-efi.a
+-PreLoader.so: lib/lib-efi.a
+-HelloWorld.so: lib/lib-efi.a
+-ShimReplace.so: lib/lib-efi.a
++#Loader.so: lib/lib-efi.a
++#ReadVars.so: lib/lib-efi.a lib/asn1/libasn1-efi.a
++#UpdateVars.so: lib/lib-efi.a
++#LockDown.so: lib/lib-efi.a
++#KeyTool.so: lib/lib-efi.a lib/asn1/libasn1-efi.a
++#HashTool.so: lib/lib-efi.a
++#PreLoader.so: lib/lib-efi.a
++#HelloWorld.so: lib/lib-efi.a
++#ShimReplace.so: lib/lib-efi.a
+ 
+ cert-to-efi-sig-list: cert-to-efi-sig-list.o lib/lib.a
+ 	$(CC) $(ARCH3264) -o $@ $< -lcrypto lib/lib.a
+@@ -115,7 +116,7 @@ flash-var: flash-var.o lib/lib.a
+ 	$(CC) $(ARCH3264) -o $@ $< lib/lib.a
+ 
+ clean:
+-	rm -f PK.* KEK.* DB.* $(EFIFILES) $(EFISIGNED) $(BINARIES) *.o *.so
++	rm -f PK.* KEK.* DB.* $(BINARIES) *.o *.so
+ 	rm -f noPK.*
+ 	rm -f doc/*.1
+ 	$(MAKE) -C lib clean
+-- 
+2.7.4
+
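Review bot: the Makefile lines are commented out instead of deleted, and
the multi-line ones ('#EFIFILES = ... \', '#all: ... \', '#.KEEP: ... \')
only work because the trailing backslash pulls the next line into the
comment. Deleting the lines outright would make the patch shorter and
less fragile. 'EFIFILES += PreLoader.efi' inside the x86_64 block is left
live and now appends to a variable nothing else defines, and 'install'
still copies mkusb.sh to $(BINDIR)/efitool-mkusb although the EFI
binaries are no longer built; both are worth dropping or explaining in
the patch description. This patch and 0002 share one subject and could
be a single patch.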
diff --git a/package/efitools/0002-Efitools-Make.rules-remove-all-dependencies-from-sbs.patch b/package/efitools/0002-Efitools-Make.rules-remove-all-dependencies-from-sbs.patch
new file mode 100644
index 0000000..20d72f2
--- /dev/null
+++ b/package/efitools/0002-Efitools-Make.rules-remove-all-dependencies-from-sbs.patch
@@ -0,0 +1,159 @@
+From bbefa8ec090a0df4ecb31b734d3a1d41d8aadad4 Mon Sep 17 00:00:00 2001
+From: "celso.neto.cwi" <celso.neto.cwi@datacom.ind.br>
+Date: Mon, 25 Jun 2018 11:27:43 -0300
+Subject: [PATCH 2/2] Efitools - Make.rules remove all dependencies from
+ sbsigntools and perl script
+
+Signed-off-by: celso.neto.cwi <celso.neto.cwi@datacom.ind.br>
+---
+ Make.rules | 94 +++++++++++++++++++++++++++++++-------------------------------
+ 1 file changed, 47 insertions(+), 47 deletions(-)
+
+diff --git a/Make.rules b/Make.rules
+index 903a5a4..446f9e8 100644
+--- a/Make.rules
++++ b/Make.rules
+@@ -1,6 +1,6 @@
+-EFISIGNED = $(patsubst %.efi,%-signed.efi,$(EFIFILES))
+-MANPAGES = $(patsubst doc/%.1.in,doc/%.1,$(wildcard doc/*.1.in))
+-HELP2MAN = help2man
++#EFISIGNED = $(patsubst %.efi,%-signed.efi,$(EFIFILES))
++#MANPAGES = $(patsubst doc/%.1.in,doc/%.1,$(wildcard doc/*.1.in))
++#HELP2MAN = help2man
+ ARCH	 = $(shell uname -m | sed 's/i.86/ia32/;s/arm.*/arm/')
+ ifeq ($(ARCH),ia32)
+ ARCH3264 = -m32
+@@ -31,8 +31,8 @@ OBJCOPY		= objcopy
+ MYGUID		= 11111111-2222-3333-4444-123456789abc
+ INSTALL		= install
+ BINDIR		= $(DESTDIR)/usr/bin
+-MANDIR		= $(DESTDIR)/usr/share/man/man1
+-EFIDIR		= $(DESTDIR)/usr/share/efitools/efi
++#MANDIR		= $(DESTDIR)/usr/share/man/man1
++#EFIDIR		= $(DESTDIR)/usr/share/efitools/efi
+ DOCDIR		= $(DESTDIR)/usr/share/efitools
+ 
+ # globally use EFI calling conventions (requires gcc >= 4.7)
+@@ -56,71 +56,71 @@ ifeq ($(ARCH),aarch64)
+   FORMAT = -O binary
+ endif
+ 
+-%.efi: %.so
+-	$(OBJCOPY) -j .text -j .sdata -j .data -j .dynamic -j .dynsym \
+-		   -j .rel -j .rela -j .rel.* -j .rela.* -j .rel* -j .rela* \
+-		   -j .reloc $(FORMAT) $*.so $@
++#%.efi: %.so
++#	$(OBJCOPY) -j .text -j .sdata -j .data -j .dynamic -j .dynsym \
++#		   -j .rel -j .rela -j .rel.* -j .rela.* -j .rel* -j .rela* \
++#		   -j .reloc $(FORMAT) $*.so $@
+ %.so: %.o
+ 	$(LD) $(LDFLAGS) $^ -o $@ $(LOADLIBES)
+ 	# check we have no undefined symbols
+ 	nm -D $@ | grep ' U ' && exit 1 || exit 0
+ 
+-%.h: %.auth
+-	./xxdi.pl $< > $@
++#%.h: %.auth
++#	./xxdi.pl $< > $@
+ 
+-%.hash: %.efi hash-to-efi-sig-list
+-	./hash-to-efi-sig-list $< $@
++#%.hash: %.efi hash-to-efi-sig-list
++#	./hash-to-efi-sig-list $< $@
+ 
+-%-blacklist.esl: %.crt cert-to-efi-hash-list
+-	./cert-to-efi-sig-list $< $@
++#%-blacklist.esl: %.crt cert-to-efi-hash-list
++#	./cert-to-efi-sig-list $< $@
+ 
+-%-hash-blacklist.esl: %.crt cert-to-efi-hash-list
+-	./cert-to-efi-hash-list $< $@
++#%-hash-blacklist.esl: %.crt cert-to-efi-hash-list
++#	./cert-to-efi-hash-list $< $@
+ 
+-%.esl: %.crt cert-to-efi-sig-list
+-	./cert-to-efi-sig-list -g $(MYGUID) $< $@
++#%.esl: %.crt cert-to-efi-sig-list
++#	./cert-to-efi-sig-list -g $(MYGUID) $< $@
+ 
+-getcert = $(shell if [ "$(1)" = "PK" -o "$(1)" = "KEK" ]; then echo "-c PK.crt -k PK.key"; else echo "-c KEK.crt -k KEK.key"; fi)
+-getvar = $(shell if [ "$(1)" = "PK" -o "$(1)" = "KEK" ]; then echo $(1); else echo db; fi)
++#getcert = $(shell if [ "$(1)" = "PK" -o "$(1)" = "KEK" ]; then echo "-c PK.crt -k PK.key"; else echo "-c KEK.crt -k KEK.key"; fi)
++#getvar = $(shell if [ "$(1)" = "PK" -o "$(1)" = "KEK" ]; then echo $(1); else echo db; fi)
+ 
+-%.auth: %.esl PK.crt KEK.crt sign-efi-sig-list
+-	./sign-efi-sig-list $(call getcert,$*) $(call getvar,$*) $< $@
++#%.auth: %.esl PK.crt KEK.crt sign-efi-sig-list
++#	./sign-efi-sig-list $(call getcert,$*) $(call getvar,$*) $< $@
+ 
+-%-update.auth: %.esl PK.crt KEK.crt sign-efi-sig-list
+-	./sign-efi-sig-list -a $(call getcert,$*) $(call getvar,$*) $< $@
++#%-update.auth: %.esl PK.crt KEK.crt sign-efi-sig-list
++#	./sign-efi-sig-list -a $(call getcert,$*) $(call getvar,$*) $< $@
+ 
+-%-pkupdate.auth: %.esl PK.crt sign-efi-sig-list
+-	./sign-efi-sig-list -a -c PK.crt -k PK.key $(call getvar,$*) $< $@
++#%-pkupdate.auth: %.esl PK.crt sign-efi-sig-list
++#	./sign-efi-sig-list -a -c PK.crt -k PK.key $(call getvar,$*) $< $@
+ 
+-%-blacklist.auth: %-blacklist.esl KEK.crt sign-efi-sig-list
+-	./sign-efi-sig-list -a -c KEK.crt -k KEK.key dbx $< $@
++#%-blacklist.auth: %-blacklist.esl KEK.crt sign-efi-sig-list
++#	./sign-efi-sig-list -a -c KEK.crt -k KEK.key dbx $< $@
+ 
+-%-pkblacklist.auth: %-blacklist.esl PK.crt sign-efi-sig-list
+-	./sign-efi-sig-list -a -c PK.crt -k PK.key dbx $< $@
++#%-pkblacklist.auth: %-blacklist.esl PK.crt sign-efi-sig-list
++#	./sign-efi-sig-list -a -c PK.crt -k PK.key dbx $< $@
+ 
+ %.o: %.c
+ 	$(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -c $< -o $@
+ 
+-%.efi.o: %.c
+-	$(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -fno-toplevel-reorder -DBUILD_EFI -c $< -o $@
++#%.efi.o: %.c
++#	$(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -fno-toplevel-reorder -DBUILD_EFI -c $< -o $@
+ 
+-%.efi.s: %.c
+-	$(CC) -S $(INCDIR) $(CFLAGS) $(CPPFLAGS) -fno-toplevel-reorder -DBUILD_EFI -c $< -o $@
++#%.efi.s: %.c
++#	$(CC) -S $(INCDIR) $(CFLAGS) $(CPPFLAGS) -fno-toplevel-reorder -DBUILD_EFI -c $< -o $@
+ 
+-%.crt:
+-	openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$*/" -keyout $*.key -out $@ -days 3650 -nodes -sha256
++#%.crt:
++#	openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$*/" -keyout $*.key -out $@ -days 3650 -nodes -sha256
+ 
+-%.cer: %.crt
+-	openssl x509 -in $< -out $@ -outform DER
++#%.cer: %.crt
++#	openssl x509 -in $< -out $@ -outform DER
+ 
+-%-subkey.csr:
+-	openssl req -new -newkey rsa:2048 -keyout $*-subkey.key -subj "/CN=Subkey $* of KEK/" -out $@ -nodes
++#%-subkey.csr:
++#	openssl req -new -newkey rsa:2048 -keyout $*-subkey.key -subj "/CN=Subkey $* of KEK/" -out $@ -nodes
+ 
+-%-subkey.crt: %-subkey.csr KEK.crt
+-	openssl x509 -req -in $< -CA DB.crt -CAkey DB.key -set_serial 1 -out $@ -days 365
++#%-subkey.crt: %-subkey.csr KEK.crt
++#	openssl x509 -req -in $< -CA DB.crt -CAkey DB.key -set_serial 1 -out $@ -days 365
+ 
+-%-signed.efi: %.efi DB.crt
+-	sbsign --key DB.key --cert DB.crt --output $@ $<
++#%-signed.efi: %.efi DB.crt
++#	sbsign --key DB.key --cert DB.crt --output $@ $<
+ 
+ ##
+ # No need for KEK signing
+@@ -131,5 +131,5 @@ getvar = $(shell if [ "$(1)" = "PK" -o "$(1)" = "KEK" ]; then echo $(1); else ec
+ %.a:
+ 	ar rcv $@ $^
+ 
+-doc/%.1: doc/%.1.in %
+-	$(HELP2MAN) --no-info -i $< -o $@ ./$*
++#doc/%.1: doc/%.1.in %
++#	$(HELP2MAN) --no-info -i $< -o $@ ./$*
+-- 
+2.7.4
+
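Review bot: 'ARCH = $(shell uname -m | sed ...)' at the top of Make.rules
stays live, so ARCH (and the -m32 choice in ARCH3264 that follows from
it) describes the build machine rather than the Buildroot target. Since
efitools.mk passes no ARCH= on the make command line, a cross build picks
up the wrong value; either override it from efitools.mk, as gnu-efi.mk
does with ARCH=$(GNU_EFI_PLATFORM), or say in the patch why it is safe.
The '%.so: %.o' rule is also left in place although every '.so' user is
commented out.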
diff --git a/package/efitools/0003-remove-l-option-of-mount-command-to-turn-compatible-.patch b/package/efitools/0003-remove-l-option-of-mount-command-to-turn-compatible-.patch
new file mode 100644
index 0000000..680e69f
--- /dev/null
+++ b/package/efitools/0003-remove-l-option-of-mount-command-to-turn-compatible-.patch
@@ -0,0 +1,27 @@
+From ccd65d5fa22a95c48c1301ab50d3547f162e3e54 Mon Sep 17 00:00:00 2001
+From: "celso.neto.cwi" <celso.neto.cwi@datacom.ind.br>
+Date: Tue, 26 Jun 2018 08:31:51 -0300
+Subject: [PATCH 3/3] remove "-l" option of mount command to turn compatible
+ with mount of busybox
+
+Signen-off-by: celso.neto.cwi <celso.neto.cwi@datacom.ind.br>
+---
+ lib/kernel_efivars.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/kernel_efivars.c b/lib/kernel_efivars.c
+index 630088b..636217b 100644
+--- a/lib/kernel_efivars.c
++++ b/lib/kernel_efivars.c
+@@ -38,7 +38,7 @@ kernel_variable_init(void)
+ 	if (kernel_efi_path)
+ 		return;
+ 	mktemp(fname);
+-	snprintf(cmdline, sizeof(cmdline), "mount -l > %s", fname);
++	snprintf(cmdline, sizeof(cmdline), "mount > %s", fname);
+ 	ret = system(cmdline);
+ 	if (WEXITSTATUS(ret) != 0)
+ 		/* hopefully stderr said what was wrong */
+-- 
+2.7.4
+
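Review bot: in kernel_variable_init() the changed line still runs 'mount'
through system() and redirects it into a name produced by mktemp(),
which is a predictable-name temp file race and depends on whichever
'mount' is first in PATH. Reading /proc/mounts directly would remove the
Busybox incompatibility, the temporary file and the shell invocation in
one change, and would be a better candidate for upstream. The tag in the
embedded patch header is also misspelled as 'Signen-off-by'.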
diff --git a/package/efitools/Config.in b/package/efitools/Config.in
new file mode 100644
index 0000000..83894a1
--- /dev/null
+++ b/package/efitools/Config.in
@@ -0,0 +1,9 @@
+config BR2_PACKAGE_EFITOOLS
+	bool "efitools"
+	select BR2_PACKAGE_GNU_EFI
+	select BR2_PACKAGE_OPENSSL
+	help
+	  A Linux user-space application to manipulate UEFI signatures
+	  database
+
+	  https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git/about/
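Review bot: 'select BR2_PACKAGE_GNU_EFI' is used with no 'depends on' for
the architectures gnu-efi supports, so efitools can be enabled on targets
where the selected package cannot build. package/sbsigntools/Config.in in
patch 3/3 carries that list (BR2_ARM_CPU_HAS_ARM || BR2_aarch64 ||
BR2_aarch64_be || BR2_i386 || BR2_x86_64, marked '# gnu-efi'); the same
dependency belongs here.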
diff --git a/package/efitools/efitools.hash b/package/efitools/efitools.hash
new file mode 100644
index 0000000..2346ed7
--- /dev/null
+++ b/package/efitools/efitools.hash
@@ -0,0 +1,3 @@
+# Locally computed:
+sha256 64f4f53a1a1b92f38c4cfae9edcb5ba3eb4ef0e8c5d079e04cc03204699d3d38 efitools-1.8.1.tar.gz
+sha256 824d6063f4319acb32fe5de52738c72e54ce8ff3dea3470462ff135b958480b5 COPYING
diff --git a/package/efitools/efitools.mk b/package/efitools/efitools.mk
new file mode 100644
index 0000000..4257b2a
--- /dev/null
+++ b/package/efitools/efitools.mk
@@ -0,0 +1,21 @@
+################################################################################
+#
+# efitools
+#
+################################################################################
+
+EFITOOLS_VERSION = 1.8.1
+EFITOOLS_SITE = https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git/snapshot
+EFITOOLS_LICENSE = GPL-2.0+
+EFITOOLS_LICENSE_FILES = COPYING
+EFITOOLS_DEPENDENCIES = gnu-efi openssl
+
+define EFITOOLS_BUILD_CMDS
+	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D)
+endef
+
+define EFITOOLS_INSTALL_TARGET_CMDS
+	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) DESTDIR=$(TARGET_DIR) install
+endef
+
+$(eval $(generic-package))
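Review bot: EFITOOLS_BUILD_CMDS and EFITOOLS_INSTALL_TARGET_CMDS call
'$(MAKE) -C $(@D)' without $(TARGET_CONFIGURE_OPTS), so the $(CC) used by
the efitools Makefile rules (for example 'cert-to-efi-sig-list:') is the
build machine's default compiler, not the cross toolchain. gnu-efi.mk in
this tree passes $(TARGET_CONFIGURE_OPTS) and an explicit ARCH= on the
same kind of call; doing the same here would make the tools actually run
on the target.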
-- 
2.7.4


* [Buildroot] [PATCH 2/3] gnu-efi: add host variant
  2018-07-06 14:36 [Buildroot] [PATCH 0/3] New packages to support UEFI Secure Boot Celso Varella
  2018-07-06 14:36 ` [Buildroot] [PATCH 1/3] efitools: new package Celso Varella
@ 2018-07-06 14:36 ` Celso Varella
  2018-07-17 21:29   ` Peter Korsgaard
  2018-07-06 14:36 ` [Buildroot] [PATCH 3/3] sbsigntools: new package Celso Varella
  2 siblings, 1 reply; 7+ messages in thread
From: Celso Varella @ 2018-07-06 14:36 UTC (permalink / raw)
  To: buildroot

It will be required by host-sbsigntools (forthcoming package).

Signed-off-by: Carlos Santos <casantos@datacom.com.br>
---
 package/gnu-efi/gnu-efi.mk | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/package/gnu-efi/gnu-efi.mk b/package/gnu-efi/gnu-efi.mk
index d55e027..b106010 100644
--- a/package/gnu-efi/gnu-efi.mk
+++ b/package/gnu-efi/gnu-efi.mk
@@ -26,6 +26,12 @@ else ifeq ($(BR2_aarch64)$(BR2_aarch64_be),y)
 GNU_EFI_PLATFORM = aarch64
 endif
 
+ifeq ($(HOSTARCH),x86)
+HOST_GNU_EFI_PLATFORM = ia32
+else
+HOST_GNU_EFI_PLATFORM = $(HOSTARCH)
+endif
+
 define GNU_EFI_BUILD_CMDS
 	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) \
 		$(TARGET_CONFIGURE_OPTS) \
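Review bot: only 'x86' is mapped to a gnu-efi name here; the 'else'
branch hands every other $(HOSTARCH) value to gnu-efi unchanged, whereas
the target block just above assigns GNU_EFI_PLATFORM per architecture. On
a build host that gnu-efi has no port for, host-gnu-efi would then fail
inside its own Makefile. An explicit list of supported hosts, with a
clear error or no host package otherwise, would be safer.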
@@ -39,4 +45,18 @@ define GNU_EFI_INSTALL_STAGING_CMDS
 		PREFIX=/usr ARCH=$(GNU_EFI_PLATFORM) install
 endef
 
+define HOST_GNU_EFI_BUILD_CMDS
+	$(HOST_MAKE_ENV) $(MAKE) -C $(@D) \
+		$(HOST_CONFIGURE_OPTS) \
+		ARCH=$(HOST_GNU_EFI_PLATFORM)
+endef
+
+define HOST_GNU_EFI_INSTALL_CMDS
+	$(HOST_MAKE_ENV) $(MAKE) -C $(@D) \
+		$(HOST_CONFIGURE_OPTS) \
+		INSTALLROOT=$(HOST_DIR) \
+		PREFIX= ARCH=$(HOST_GNU_EFI_PLATFORM) install
+endef
+
 $(eval $(generic-package))
+$(eval $(host-generic-package))
-- 
2.7.4


* [Buildroot] [PATCH 3/3] sbsigntools: new package
  2018-07-06 14:36 [Buildroot] [PATCH 0/3] New packages to support UEFI Secure Boot Celso Varella
  2018-07-06 14:36 ` [Buildroot] [PATCH 1/3] efitools: new package Celso Varella
  2018-07-06 14:36 ` [Buildroot] [PATCH 2/3] gnu-efi: add host variant Celso Varella
@ 2018-07-06 14:36 ` Celso Varella
  2018-07-17 21:25   ` Peter Korsgaard
  2 siblings, 1 reply; 7+ messages in thread
From: Celso Varella @ 2018-07-06 14:36 UTC (permalink / raw)
  To: buildroot

Linux user-space utility for signing and verifying files for UEFI Secure
Boot.

The recipe is a bit complicated because sbsigntools requires a specific
version of CCAN (see https://github.com/rustyrussell/ccan/) and uses a
script to download, configure and build it. We must patch configure.ac,
Makefile.am and the ccan Makefile to remove hard-coded paths and git
invocations.

We must also apply two patches already sent to the maintainer by email:

- Fix an automake warning that source file 'ccan/time/time.c' is in a
  subdirectory but option 'subdir-objects' is disabled.
- Improve error handling and prevent a memory leak in an internal
  function.

The project does not seem to have a bug tracking system nor a
mailing list, just a page at kernel.org.

https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/about/

Signed-off-by: Celso Varella <celso.neto.cwi@datacom.com.br>
Signed-off-by: Carlos Santos <casantos@datacom.com.br>
---
 package/Config.in                                  |  1 +
 package/Config.in.host                             |  1 +
 .../0001-configure-fix-AM_INIT_AUTOMAKE-call.patch | 32 +++++++++
 ...rove-error-handling-in-__fileio_read_file.patch | 68 ++++++++++++++++++
 package/sbsigntools/Config.in                      | 20 ++++++
 package/sbsigntools/Config.in.host                 |  7 ++
 package/sbsigntools/sbsigntools.hash               | 10 +++
 package/sbsigntools/sbsigntools.mk                 | 83 ++++++++++++++++++++++
 8 files changed, 222 insertions(+)
 create mode 100644 package/sbsigntools/0001-configure-fix-AM_INIT_AUTOMAKE-call.patch
 create mode 100644 package/sbsigntools/0002-fileio-improve-error-handling-in-__fileio_read_file.patch
 create mode 100644 package/sbsigntools/Config.in
 create mode 100644 package/sbsigntools/Config.in.host
 create mode 100644 package/sbsigntools/sbsigntools.hash
 create mode 100644 package/sbsigntools/sbsigntools.mk

diff --git a/package/Config.in b/package/Config.in
index a61ace3..676555c 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2048,6 +2048,7 @@ menu "System tools"
 	source "package/s6-linux-utils/Config.in"
 	source "package/s6-portable-utils/Config.in"
 	source "package/s6-rc/Config.in"
+	source "package/sbsigntools/Config.in"
 	source "package/scrub/Config.in"
 	source "package/scrypt/Config.in"
 	source "package/smack/Config.in"
diff --git a/package/Config.in.host b/package/Config.in.host
index 7838ffc..8103c00 100644
--- a/package/Config.in.host
+++ b/package/Config.in.host
@@ -52,6 +52,7 @@ menu "Host utilities"
 	source "package/rauc/Config.in.host"
 	source "package/rustc/Config.in.host"
 	source "package/s6-rc/Config.in.host"
+	source "package/sbsigntools/Config.in.host"
 	source "package/sam-ba/Config.in.host"
 	source "package/squashfs/Config.in.host"
 	source "package/sunxi-tools/Config.in.host"
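Review bot: the new 'source "package/sbsigntools/Config.in.host"' line is
placed before 'package/sam-ba/Config.in.host', which breaks the
alphabetical order of the "Host utilities" menu. It should go after
sam-ba and before squashfs.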
diff --git a/package/sbsigntools/0001-configure-fix-AM_INIT_AUTOMAKE-call.patch b/package/sbsigntools/0001-configure-fix-AM_INIT_AUTOMAKE-call.patch
new file mode 100644
index 0000000..a8fb3ac
--- /dev/null
+++ b/package/sbsigntools/0001-configure-fix-AM_INIT_AUTOMAKE-call.patch
@@ -0,0 +1,32 @@
+From 0af33976848d515703b07c45a2fbfd08b867d4b0 Mon Sep 17 00:00:00 2001
+From: Carlos Santos <casantos@datacom.com.br>
+Date: Tue, 3 Jul 2018 15:45:04 -0300
+Subject: [PATCH] configure: fix AM_INIT_AUTOMAKE call
+
+Requires subdir-objects to prevent warning messages:
+
+    lib/ccan/Makefile.am:2: warning: source file 'ccan/time/time.c' is in a subdirectory,
+    lib/ccan/Makefile.am:2: but option 'subdir-objects' is disabled
+    automake: warning: possible forward-incompatibility.
+    automake: At least a source file is in a subdirectory, but the 'subdir-objects'
+
+Signed-off-by: Carlos Santos <casantos@datacom.com.br>
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index f39400a..e9fc906 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1,6 +1,6 @@
+ AC_INIT([sbsigntool], [0.9.1], [James.Bottomley at HansenPartnership.com])
+ 
+-AM_INIT_AUTOMAKE()
++AM_INIT_AUTOMAKE([subdir-objects])
+ 
+ AC_PREREQ(2.60)
+ 
+-- 
+2.14.4
+
diff --git a/package/sbsigntools/0002-fileio-improve-error-handling-in-__fileio_read_file.patch b/package/sbsigntools/0002-fileio-improve-error-handling-in-__fileio_read_file.patch
new file mode 100644
index 0000000..557b123
--- /dev/null
+++ b/package/sbsigntools/0002-fileio-improve-error-handling-in-__fileio_read_file.patch
@@ -0,0 +1,68 @@
+From fb10558edc146bdba4383171144c35d152208041 Mon Sep 17 00:00:00 2001
+From: Carlos Santos <casantos@datacom.com.br>
+Date: Wed, 4 Jul 2018 11:07:31 -0300
+Subject: [PATCH] fileio: improve error handling in __fileio_read_file
+
+Prevent compiler warnings:
+    fileio.c:178:12: warning: 'buf' may be used uninitialized in this function [-Wmaybe-uninitialized]
+    fileio.c:179:12: warning: 'len' may be used uninitialized in this function [-Wmaybe-uninitialized]
+
+Call talloc_free before returning on read errors to prevent memory leak.
+
+Signed-off-by: Carlos Santos <casantos@datacom.com.br>
+---
+ src/fileio.c | 28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/src/fileio.c b/src/fileio.c
+index 032eb1e..5a109a7 100644
+--- a/src/fileio.c
++++ b/src/fileio.c
+@@ -154,30 +154,30 @@ static int __fileio_read_file(void *ctx, const char *filename,
+ 
+ 	rc = fstat(fd, &statbuf);
+ 	if (rc)
+-		goto out;
++		goto close_fd;
+ 
+ 	len = statbuf.st_size;
+ 
+ 	buf = talloc_array(ctx, uint8_t, len);
+ 	if (!buf)
+-		goto out;
++		goto close_fd;
+ 
+ 	if (!read_all(fd, buf, len))
+-		goto out;
++		goto read_error;
+ 
++	*out_buf = buf;
++	*out_len = len;
+ 	rc = 0;
+-
++	goto close_fd;
++
++read_error:
++	if (!(flags & FLAG_NOERROR))
++		fprintf(stderr, "Error reading file %s: %s\n", filename,
++				strerror(errno));
++	talloc_free(ctx);
++close_fd:
++	close(fd);
+ out:
+-	if (fd >= 0)
+-		close(fd);
+-	if (rc) {
+-		if (!(flags & FLAG_NOERROR))
+-			fprintf(stderr, "Error reading file %s: %s\n",
+-					filename, strerror(errno));
+-	} else {
+-		*out_buf = buf;
+-		*out_len = len;
+-	}
+ 	return rc;
+ 
+ }
+-- 
+2.14.4
+
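Review bot: at the new 'read_error:' label, 'talloc_free(ctx)' releases
the context the caller passed in, not the buffer allocated just above
with 'talloc_array(ctx, uint8_t, len)'. The caller still owns ctx and may
use or free it again, so this should be 'talloc_free(buf)'. In the lines
shown, rc still holds the 0 returned by fstat() when the '!buf' and
read_error paths are taken, so the function would return success with
*out_buf and *out_len unset; set rc to a failure value before those
gotos. The fstat and allocation failures also no longer print the "Error
reading file" message that the old 'out:' block printed for any non-zero
rc.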
diff --git a/package/sbsigntools/Config.in b/package/sbsigntools/Config.in
new file mode 100644
index 0000000..a536315
--- /dev/null
+++ b/package/sbsigntools/Config.in
@@ -0,0 +1,20 @@
+config BR2_PACKAGE_SBSIGNTOOLS
+	bool "sbsigntools"
+	depends on BR2_ARM_CPU_HAS_ARM || BR2_aarch64 || \
+		BR2_aarch64_be || BR2_i386 || BR2_x86_64 # gnu-efi
+	depends on !BR2_nios2    # binutils
+	depends on BR2_USE_WCHAR # binutils
+	select BR2_PACKAGE_BINUTILS
+	select BR2_PACKAGE_GNU_EFI
+	select BR2_PACKAGE_OPENSSL
+	select BR2_PACKAGE_UTIL_LINUX
+	select BR2_PACKAGE_UTIL_LINUX_LIBUUID
+	help
+	  A Linux user-space application to sign and verify application
+	  for UEFI Secure Boot
+
+	  https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/about/
+
+comment "sbsigntools needs a toolchain w/ wchar"
+	depends on !BR2_nios2
+	depends on !BR2_USE_WCHAR
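Review bot: the 'comment "sbsigntools needs a toolchain w/ wchar"' block
repeats '!BR2_nios2' and '!BR2_USE_WCHAR' but not the architecture
dependency from the config symbol above it, so the comment would be shown
on architectures where sbsigntools can never be selected. Add the same
'depends on BR2_ARM_CPU_HAS_ARM || BR2_aarch64 || ...' condition to the
comment. The help text would also read better as "sign and verify
applications".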
diff --git a/package/sbsigntools/Config.in.host b/package/sbsigntools/Config.in.host
new file mode 100644
index 0000000..7fdf297
--- /dev/null
+++ b/package/sbsigntools/Config.in.host
@@ -0,0 +1,7 @@
+config BR2_PACKAGE_HOST_SBSIGNTOOLS
+	bool "host sbsigntools"
+	help
+	  A Linux user-space application to sign and verify application
+	  for UEFI Secure Boot
+
+	  https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/about/
diff --git a/package/sbsigntools/sbsigntools.hash b/package/sbsigntools/sbsigntools.hash
new file mode 100644
index 0000000..2778a40
--- /dev/null
+++ b/package/sbsigntools/sbsigntools.hash
@@ -0,0 +1,10 @@
+# locally computed
+sha256	981b3576fc16392e2a764aa4089ce7e51843e3c787143ba7dec8cca88cf5ec07  sbsigntools-0.9.1.tar.gz
+sha256	d479cffd70764aa6078d7b198472a9ec0b517b2123479fb578b3e5c8ddaa01b0  ccan-b1f28e17227f2320d07fe052a8a48942fe17caa5.tar.gz
+sha256	7f424707cdb69df658b7b66ea1f9c9ab3ea0a0988999ecba3dad10a811db654f  COPYING
+sha256	02a66d6af5a4ef501849a33e6d8a0624e2b4284c8bed19ba0b0c24e8ac1add4e  lib/ccan.git/licenses/BSD-3CLAUSE
+sha256	89807acf2309bd285f033404ee78581602f3cd9b819a16ac2f0e5f60ff4a473e  lib/ccan.git/licenses/BSD-MIT
+sha256	ab15fd526bd8dd18a9e77ebc139656bf4d33e97fc7238cd11bf60e2b9b8666c6  lib/ccan.git/licenses/GPL-2
+sha256	fc82ca8b6fdb18d4e3e85cfd8ab58d1bcd3f1b29abe782895abd91d64763f8e7  lib/ccan.git/licenses/GPL-3
+sha256	a9bdde5616ecdd1e980b44f360600ee8783b1f99b8cc83a2beb163a0a390e861  lib/ccan.git/licenses/LGPL-2.1
+sha256	a853c2ffec17057872340eee242ae4d96cbf2b520ae27d903e1b2fef1a5f9d1c  lib/ccan.git/licenses/LGPL-3
diff --git a/package/sbsigntools/sbsigntools.mk b/package/sbsigntools/sbsigntools.mk
new file mode 100644
index 0000000..235229b
--- /dev/null
+++ b/package/sbsigntools/sbsigntools.mk
@@ -0,0 +1,83 @@
+################################################################################
+#
+# sbsigntools
+#
+################################################################################
+
+SBSIGNTOOLS_VERSION = 0.9.1
+SBSIGNTOOLS_SITE = https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/snapshot
+SBSIGNTOOLS_LICENSE = GPL-3.0+
+SBSIGNTOOLS_LICENSE_FILES = COPYING \
+	lib/ccan.git/licenses/BSD-3CLAUSE \
+	lib/ccan.git/licenses/BSD-MIT \
+	lib/ccan.git/licenses/GPL-2 \
+	lib/ccan.git/licenses/GPL-3 \
+	lib/ccan.git/licenses/LGPL-2.1 \
+	lib/ccan.git/licenses/LGPL-3
+SBSIGNTOOLS_AUTORECONF = YES
+
+SBSIGNTOOLS_DEPENDENCIES = host-pkgconf binutils gnu-efi openssl util-linux
+SBSIGNTOOLS_CFLAGS = \
+	-I$(BINUTILS_DIR)/bfd \
+	-I$(BINUTILS_DIR)/include \
+	 $(TARGET_CFLAGS)
+SBSIGNTOOLS_EFI_CPPFLAGS = -I$(HOST_DIR)/include/efi \
+	-I$(HOST_DIR)/include/efi/$(HOST_GNU_EFI_PLATFORM)
+SBSIGNTOOLS_CONF_ENV = \
+	CFLAGS="$(SBSIGNTOOLS_CFLAGS)" \
+	CRTPATH="$(STAGING_DIR)/lib/crt0-efi-$(GNU_EFI_PLATFORM).o" \
+	ac_cv_header_bfd_h=yes
+
+HOST_SBSIGNTOOLS_DEPENDENCIES = host-pkgconf host-binutils host-gnu-efi \
+	host-openssl host-util-linux
+HOST_SBSIGNTOOLS_CFLAGS = \
+	-I$(HOST_BINUTILS_DIR)/bfd \
+	-I$(HOST_BINUTILS_DIR)/include \
+	$(HOST_CFLAGS)
+HOST_SBSIGNTOOLS_CONF_ENV = \
+	CFLAGS="$(HOST_SBSIGNTOOLS_CFLAGS)" \
+	CRTPATH="$(HOST_DIR)/lib/crt0-efi-$(HOST_GNU_EFI_PLATFORM).o" \
+	ac_cv_header_bfd_h=yes
+
+SBSIGNTOOLS_CCAN_VERSION = b1f28e17227f2320d07fe052a8a48942fe17caa5
+SBSIGNTOOLS_CCAN_SITE = $(call github,rustyrussell,ccan,$(SBSIGNTOOLS_CCAN_VERSION))
+SBSIGNTOOLS_CCAN_SOURCE = ccan-$(SBSIGNTOOLS_CCAN_VERSION).tar.gz
+SBSIGNTOOLS_CCAN_MODULES = talloc read_write_all build_assert array_size endian
+SBSIGNTOOLS_EXTRA_DOWNLOADS = $(SBSIGNTOOLS_CCAN_SITE)/$(SBSIGNTOOLS_CCAN_SOURCE)
+
+define SBSIGNTOOLS_POST_EXTRACT
+	set -e; \
+	$(ZCAT) $(SBSIGNTOOLS_DL_DIR)/$(SBSIGNTOOLS_CCAN_SOURCE) |\
+		$(TAR) --strip-components=1 -C $(@D)/lib/ccan.git -x -f -; \
+	rm $(@D)/lib/ccan.git/Makefile-web; \
+	$(SED) 's|\[docs/Makefile tests/Makefile\]||;s|AM_MISSING_PROG(HELP2MAN.*|HELP2MAN=:|' \
+		$(@D)/configure.ac; \
+	echo 'SUBDIRS = lib/ccan src' > $(@D)/Makefile.am; \
+	$(SED) 's|\(SCOREDIR=scores\)/.*|\1|;/git describe/d' $(@D)/lib/ccan.git/Makefile
+endef
+define SBSIGNTOOLS_FIX_EFI_CPPFLAGS
+	$(SED) 's|^EFI_ARCH=.*|EFI_ARCH=$(GNU_EFI_PLATFORM)|;\
+		s|/usr/include/efi|$(STAGING_DIR)/usr/include/efi|g' \
+		$(@D)/configure.ac
+endef
+define HOST_SBSIGNTOOLS_FIX_EFI_CPPFLAGS
+	$(SED) 's|^EFI_ARCH=.*|EFI_ARCH=$(HOST_GNU_EFI_PLATFORM)|;\
+		s|/usr/include/efi|$(HOST_DIR)/include/efi|g' \
+		$(@D)/configure.ac
+endef
+SBSIGNTOOLS_POST_EXTRACT_HOOKS += SBSIGNTOOLS_POST_EXTRACT SBSIGNTOOLS_FIX_EFI_CPPFLAGS
+HOST_SBSIGNTOOLS_POST_EXTRACT_HOOKS += SBSIGNTOOLS_POST_EXTRACT HOST_SBSIGNTOOLS_FIX_EFI_CPPFLAGS
+
+define SBSIGNTOOLS_PRE_CONFIGURE_AUTOGEN
+	set -e; \
+	cd $(@D); \
+	rm -rf lib/ccan; \
+	lib/ccan.git/tools/create-ccan-tree --build-type=automake \
+		lib/ccan $(SBSIGNTOOLS_CCAN_MODULES); \
+	touch AUTHORS ChangeLog
+endef
+SBSIGNTOOLS_PRE_CONFIGURE_HOOKS += SBSIGNTOOLS_PRE_CONFIGURE_AUTOGEN
+HOST_SBSIGNTOOLS_PRE_CONFIGURE_HOOKS += SBSIGNTOOLS_PRE_CONFIGURE_AUTOGEN
+
+$(eval $(autotools-package))
+$(eval $(host-autotools-package))
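
Review bot: SBSIGNTOOLS_EFI_CPPFLAGS is assigned from $(HOST_DIR)/include/efi for the target variant but is not referenced by SBSIGNTOOLS_CONF_ENV or by any hook in this file, so it has no effect as written, and wiring it in unchanged would feed host headers to a target compile. Either drop it or point it at $(STAGING_DIR) and pass it through the configure environment. Separately, the -I$(BINUTILS_DIR)/bfd and -I$(HOST_BINUTILS_DIR)/bfd entries, combined with ac_cv_header_bfd_h=yes, make the build depend on the binutils build tree rather than on installed headers and bypass the configure check that would catch a missing bfd.h; a comment explaining why the check is forced would help. The `rm $(@D)/lib/ccan.git/Makefile-web` in SBSIGNTOOLS_POST_EXTRACT also has no -f, so under `set -e` the hook fails if that file is absent from the ccan snapshot.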
-- 
2.7.4


* [Buildroot] [PATCH 1/3] efitools: new package
  2018-07-06 14:36 ` [Buildroot] [PATCH 1/3] efitools: new package Celso Varella
@ 2018-07-17 20:32   ` Peter Korsgaard
  0 siblings, 0 replies; 7+ messages in thread
From: Peter Korsgaard @ 2018-07-17 20:32 UTC (permalink / raw)
  To: buildroot

>>>>> "Celso" == Celso Varella <celso.neto.cwi@datacom.com.br> writes:

 > Linux user-space application to manipulate UEFI signatures database
 > Patches 1 and 2 remove dependencies from sbsigntools and perl scripts

These patches are not very nice, as they don't look upstreamable and are
likely to cause conflicts every time this package is bumped. Can you
explain why exactly they are needed? Your series already adds a
sbsigntools package, so why would we need to drop the dependency?
host-perl is similarly available.

Looking at the code, the sbsigntools dependency seems to be for the
*-signed.efi files that get signed by a just created key. That indeed
might not be useful for real use cases, but presumably we can just pass
EFISIGNED= to make to drop that?


 > Patch 3 remove "-l" option from mount command in lib/kernel_efivars.c
 > for compatibility with Busybox mount command

Did you try to submit this upstream? What is the -l option used for in
this context? E.G. what are we missing from not using it for builds with
util-linux mount?

 > +################################################################################
 > +#
 > +# efitools
 > +#
 > +################################################################################
 > +
 > +EFITOOLS_VERSION = 1.8.1
 > +EFITOOLS_SITE = https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git/snapshot
 > +EFITOOLS_LICENSE = GPL-2.0+
 > +EFITOOLS_LICENSE_FILES = COPYING
 > +EFITOOLS_DEPENDENCIES = gnu-efi openssl
 > +
 > +define EFITOOLS_BUILD_CMDS
 > +	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D)
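
Review bot: the make call in EFITOOLS_BUILD_CMDS passes only $(TARGET_MAKE_ENV), with no $(TARGET_CONFIGURE_OPTS) and no explicit compiler or architecture variables, so nothing in this line tells the package Makefile to use the cross toolchain. Suggest `$(TARGET_MAKE_ENV) $(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D)` plus whichever architecture variable the Makefile reads.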

The Makefile does different things depending on ARCH (which comes from
uname -m). This naturally doesn't work in a cross compilation setup, so
we need to pass ARCH=<value> depending on the target architecture (and
add the needed dependencies to the package so it can only be built for
those supported architectures).

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH 3/3] sbsigntools: new package
  2018-07-06 14:36 ` [Buildroot] [PATCH 3/3] sbsigntools: new package Celso Varella
@ 2018-07-17 21:25   ` Peter Korsgaard
  0 siblings, 0 replies; 7+ messages in thread
From: Peter Korsgaard @ 2018-07-17 21:25 UTC (permalink / raw)
  To: buildroot

>>>>> "Celso" == Celso Varella <celso.neto.cwi@datacom.com.br> writes:

 > Linux user-space utility for signing and verifying files for UEFI Secure
 > Boot.

 > The recipe is a bit complicated because sbsigntools requires a specific
 > version of CCAN (see https://github.com/rustyrussell/ccan/) and uses a
 > script to download, configure and build it. We must patch configure.ac,
 > Makefile.am and the ccan Makefile to remove hard-coded paths and git
 > invocations.

Does the script (I take it that you are referring to
lib/ccan.git/tools/create-ccan-tree) really download anything? To me it
just looks like it copies a number of files from lib/ccan.git to
lib/ccan?

As this package comes from git and it already has a submodule pointing to
the specific version of ccan, perhaps the easiest solution is to get it
from git and set SBSIGNTOOL_GIT_SUBMODULES = YES to also fetch the
submodule?

 > We must also apply two patches already sent to the maintainer by email

 > - Fix an automake warning that source file 'ccan/time/time.c' is in a
 >   subdirectory but option 'subdir-objects' is disabled.
 > - Improve error handling and prevent a memory leak in an internal
 >   function.

While certainly nice, these don't sound like something really
critical as sbsign isn't a long running program.

 > +################################################################################
 > +#
 > +# sbsigntools
 > +#
 > +################################################################################
 > +
 > +SBSIGNTOOLS_VERSION = 0.9.1
 > +SBSIGNTOOLS_SITE = https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/snapshot
 > +SBSIGNTOOLS_LICENSE = GPL-3.0+
 > +SBSIGNTOOLS_LICENSE_FILES = COPYING \
 > +	lib/ccan.git/licenses/BSD-3CLAUSE \
 > +	lib/ccan.git/licenses/BSD-MIT \
 > +	lib/ccan.git/licenses/GPL-2 \
 > +	lib/ccan.git/licenses/GPL-3 \
 > +	lib/ccan.git/licenses/LGPL-2.1 \
 > +	lib/ccan.git/licenses/LGPL-3
 > +SBSIGNTOOLS_AUTORECONF = YES
 > +
 > +SBSIGNTOOLS_DEPENDENCIES = host-pkgconf binutils gnu-efi openssl util-linux
 > +SBSIGNTOOLS_CFLAGS = \
 > +	-I$(BINUTILS_DIR)/bfd \
 > +	-I$(BINUTILS_DIR)/include \
 > +	 $(TARGET_CFLAGS)

Hmm, looking directly in the files of binutils isn't really
nice. Doesn't the binutils package install these under
$STAGING_DIR/usr/include? If not, shouldn't it?

 > +SBSIGNTOOLS_EFI_CPPFLAGS = -I$(HOST_DIR)/include/efi \
 > +	-I$(HOST_DIR)/include/efi/$(HOST_GNU_EFI_PLATFORM)

Hmm, why would a target package need to look at host includes? This
variable doesn't seem to be used anywhere?

 > +define SBSIGNTOOLS_FIX_EFI_CPPFLAGS
 > +	$(SED) 's|^EFI_ARCH=.*|EFI_ARCH=$(GNU_EFI_PLATFORM)|;\
 > +		s|/usr/include/efi|$(STAGING_DIR)/usr/include/efi|g' \
 > +		$(@D)/configure.ac
 > +endef
 > +define HOST_SBSIGNTOOLS_FIX_EFI_CPPFLAGS
 > +	$(SED) 's|^EFI_ARCH=.*|EFI_ARCH=$(HOST_GNU_EFI_PLATFORM)|;\
 > +		s|/usr/include/efi|$(HOST_DIR)/include/efi|g' \
 > +		$(@D)/configure.ac
 > +endef
 > +SBSIGNTOOLS_POST_EXTRACT_HOOKS += SBSIGNTOOLS_POST_EXTRACT SBSIGNTOOLS_FIX_EFI_CPPFLAGS
 > +HOST_SBSIGNTOOLS_POST_EXTRACT_HOOKS += SBSIGNTOOLS_POST_EXTRACT HOST_SBSIGNTOOLS_FIX_EFI_CPPFLAGS

As we already autoreconf this package it would be great if we could
create upstreamable patches that add configure options for EFI_ARCH and the
efi includes.

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH 2/3] gnu-efi: add host variant
  2018-07-06 14:36 ` [Buildroot] [PATCH 2/3] gnu-efi: add host variant Celso Varella
@ 2018-07-17 21:29   ` Peter Korsgaard
  0 siblings, 0 replies; 7+ messages in thread
From: Peter Korsgaard @ 2018-07-17 21:29 UTC (permalink / raw)
  To: buildroot

>>>>> "Celso" == Celso Varella <celso.neto.cwi@datacom.com.br> writes:

 > It will be required by host-sbsigntools (forthcoming package).
 > Signed-off-by: Carlos Santos <casantos@datacom.com.br>
 > ---
 >  package/gnu-efi/gnu-efi.mk | 20 ++++++++++++++++++++
 >  1 file changed, 20 insertions(+)

 > diff --git a/package/gnu-efi/gnu-efi.mk b/package/gnu-efi/gnu-efi.mk
 > index d55e027..b106010 100644
 > --- a/package/gnu-efi/gnu-efi.mk
 > +++ b/package/gnu-efi/gnu-efi.mk
 > @@ -26,6 +26,12 @@ else ifeq ($(BR2_aarch64)$(BR2_aarch64_be),y)
 >  GNU_EFI_PLATFORM = aarch64
 >  endif
 
 > +ifeq ($(HOSTARCH),x86)
 > +HOST_GNU_EFI_PLATFORM = ia32
 > +else
 > +HOST_GNU_EFI_PLATFORM = $(HOSTARCH)
 > +endif
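
Review bot: the else branch assigns $(HOSTARCH) to HOST_GNU_EFI_PLATFORM for every host that is not x86, with no check that the value names a platform gnu-efi can build for. Use an explicit per-architecture mapping like the one for GNU_EFI_PLATFORM just above (the aarch64 case is visible in the context lines) and leave the variable empty otherwise, so a dependent host package can test for an unsupported host instead of failing at build time.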

While host-gnu-efi shouldn't be a user visible config option, it would
still be nice to add a Config.in.host with hidden
BR2_PACKAGE_HOST_GNU_EFI_ARCH_SUPPORTS option depending on the supported
host architectures, so E.G. host-sbsigntools can depend on it.

-- 
Bye, Peter Korsgaard
