* [PATCH v2 1/5] grub-efi: replace anonymous function with static configuration
From: dbaryshkov @ 2019-09-29 20:13 UTC (permalink / raw)
To: openembedded-core; +Cc: Dmitry Eremin-Solenikov
From: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
Replace anonymous function setting GRUB_* variables with static
configuration, since grub-efi.bbclass will use fixed names for grub
bootloader.
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
---
meta/recipes-bsp/grub/grub-efi_2.04.bb | 40 ++++++++++++--------------
1 file changed, 18 insertions(+), 22 deletions(-)
diff --git a/meta/recipes-bsp/grub/grub-efi_2.04.bb b/meta/recipes-bsp/grub/grub-efi_2.04.bb
index b9d6225d2774..419f25c014b9 100644
--- a/meta/recipes-bsp/grub/grub-efi_2.04.bb
+++ b/meta/recipes-bsp/grub/grub-efi_2.04.bb
@@ -13,26 +13,22 @@ SRC_URI += " \
S = "${WORKDIR}/grub-${PV}"
-# Determine the target arch for the grub modules
+GRUB_TARGET = "UNSUPPORTED"
+GRUB_TARGET_x86-64 = "x86_64"
+GRUB_TARGET_x86 = "i386"
+GRUB_TARGET_aarch64 = "arm64"
+GRUB_TARGET_arm = "arm"
+
+GRUB_IMAGE = "grub-efi-${EFI_BOOT_IMAGE}"
+
+# install to the image as boot*.efi if its the EFI_PROVIDER,
+# otherwise install as the full name.
+# This allows multiple bootloaders to coexist in a single image.
python __anonymous () {
- import re
- target = d.getVar('TARGET_ARCH')
- prefix = "" if d.getVar('EFI_PROVIDER') == "grub-efi" else "grub-efi-"
- if target == "x86_64":
- grubtarget = 'x86_64'
- elif re.match('i.86', target):
- grubtarget = 'i386'
- elif re.match('aarch64', target):
- grubtarget = 'arm64'
- elif re.match('arm', target):
- grubtarget = 'arm'
+ if d.getVar('EFI_PROVIDER') == "grub-efi":
+ d.setVar("GRUB_EFI_BOOT_IMAGE", d.getVar("EFI_BOOT_IMAGE"))
else:
- raise bb.parse.SkipRecipe("grub-efi is incompatible with target %s" % target)
- grubimage = prefix + d.getVar("EFI_BOOT_IMAGE")
- d.setVar("GRUB_TARGET", grubtarget)
- d.setVar("GRUB_IMAGE", grubimage)
- prefix = "grub-efi-" if prefix == "" else ""
- d.setVar("GRUB_IMAGE_PREFIX", prefix)
+ d.setVar("GRUB_EFI_BOOT_IMAGE", d.getVar("GRUB_IMAGE"))
}
inherit deploy
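Review bot: With the `raise bb.parse.SkipRecipe(...)` branch removed, nothing visible in this hunk stops the recipe from being built for an architecture that has no `GRUB_TARGET_<arch>` override. `GRUB_TARGET` then stays `"UNSUPPORTED"`, and the problem only surfaces in `do_mkimage`, which passes `-O UNSUPPORTED-efi` to grub-mkimage. If the recipe is not already restricted through `COMPATIBLE_HOST` (not visible here), it should be, so unsupported targets are still skipped at parse time rather than failing mid-build. The comment above `python __anonymous` could also name the two variables, e.g. `# GRUB_IMAGE is the build/deploy name; GRUB_EFI_BOOT_IMAGE is the file name installed under EFI_FILES_PATH.`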
@@ -45,7 +41,7 @@ do_mkimage() {
# Search for the grub.cfg on the local boot media by using the
# built in cfg file provided via this recipe
grub-mkimage -c ../cfg -p ${EFIDIR} -d ./grub-core/ \
- -O ${GRUB_TARGET}-efi -o ./${GRUB_IMAGE_PREFIX}${GRUB_IMAGE} \
+ -O ${GRUB_TARGET}-efi -o ./${GRUB_IMAGE} \
${GRUB_BUILDIN}
}
@@ -57,7 +53,7 @@ do_mkimage_class-native() {
do_install_append_class-target() {
install -d ${D}${EFI_FILES_PATH}
- install -m 644 ${B}/${GRUB_IMAGE_PREFIX}${GRUB_IMAGE} ${D}${EFI_FILES_PATH}/${GRUB_IMAGE}
+ install -m 644 ${B}/${GRUB_IMAGE} ${D}${EFI_FILES_PATH}/${GRUB_EFI_BOOT_IMAGE}
}
do_install_class-native() {
@@ -86,7 +82,7 @@ GRUB_BUILDIN ?= "boot linux ext2 fat serial part_msdos part_gpt normal \
efi_gop iso9660 configfile search loadenv test"
do_deploy() {
- install -m 644 ${B}/${GRUB_IMAGE_PREFIX}${GRUB_IMAGE} ${DEPLOYDIR}
+ install -m 644 ${B}/${GRUB_IMAGE} ${DEPLOYDIR}
}
do_deploy_class-native() {
@@ -97,7 +93,7 @@ addtask deploy after do_install before do_build
FILES_${PN} = "${libdir}/grub/${GRUB_TARGET}-efi \
${datadir}/grub \
- ${EFI_FILES_PATH}/${GRUB_IMAGE} \
+ ${EFI_FILES_PATH}/${GRUB_EFI_BOOT_IMAGE} \
"
FILES_${PN}_remove_aarch64 = "${libdir}/grub/${GRUB_TARGET}-efi"
--
2.23.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH v2 2/5] systemd-boot: replace anonymous function with static configuration 2019-09-29 20:13 [PATCH v2 1/5] grub-efi: replace anonymous function with static configuration dbaryshkov @ 2019-09-29 20:13 ` dbaryshkov 2019-09-29 20:13 ` [PATCH v2 3/5] image-uefi.conf: define EFI_ARCH variable dbaryshkov ` (2 subsequent siblings) 3 siblings, 0 replies; 6+ messages in thread
From: dbaryshkov @ 2019-09-29 20:13 UTC (permalink / raw)
To: openembedded-core; +Cc: Dmitry Eremin-Solenikov
From: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
Replace anonymous function setting GRUB_* variables with static configuration, since systemd-boot.bbclass will use fixed names for systemd bootloader.
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
---
meta/recipes-core/systemd/systemd-boot_243.bb | 19 +++++++++----------
1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/meta/recipes-core/systemd/systemd-boot_243.bb b/meta/recipes-core/systemd/systemd-boot_243.bb
index 515abc289bef..832532077d07 100644
--- a/meta/recipes-core/systemd/systemd-boot_243.bb
+++ b/meta/recipes-core/systemd/systemd-boot_243.bb
@@ -28,20 +28,19 @@ EXTRA_OEMESON += "-Defi=true \
 -Defi-objcopy='${OBJCOPY}' \
 "
+SYSTEMD_BOOT_IMAGE = "systemd-${EFI_BOOT_IMAGE}"
+
 # install to the image as boot*.efi if its the EFI_PROVIDER,
 # otherwise install as the full name.
 # This allows multiple bootloaders to coexist in a single image.
 python __anonymous () {
- import re
- target = d.getVar('TARGET_ARCH')
- prefix = "" if d.getVar('EFI_PROVIDER') == "systemd-boot" else "systemd-"
- systemdimage = prefix + d.getVar("EFI_BOOT_IMAGE")
- d.setVar("SYSTEMD_BOOT_IMAGE", systemdimage)
- prefix = "systemd-" if prefix == "" else ""
- d.setVar("SYSTEMD_BOOT_IMAGE_PREFIX", prefix)
+ if d.getVar('EFI_PROVIDER') == "grub-efi":
+ d.setVar("SYSTEMD_BOOT_EFI_BOOT_IMAGE", d.getVar("EFI_BOOT_IMAGE"))
+ else:
+ d.setVar("SYSTEMD_BOOT_EFI_BOOT_IMAGE", d.getVar("SYSTEMD_BOOT_IMAGE"))
 }
-FILES_${PN} = "${EFI_FILES_PATH}/${SYSTEMD_BOOT_IMAGE}"
+FILES_${PN} = "${EFI_FILES_PATH}/${SYSTEMD_BOOT_EFI_BOOT_IMAGE}"
 RDEPENDS_${PN} += "virtual/systemd-bootconf"
@@ -56,12 +55,12 @@ do_compile() {
 SYSTEMD_BOOT_EFI_ARCH="x64"
 fi
- ninja src/boot/efi/${SYSTEMD_BOOT_IMAGE_PREFIX}${SYSTEMD_BOOT_IMAGE}
+ ninja src/boot/efi/${SYSTEMD_BOOT_IMAGE}
 }
 do_install() {
 install -d ${D}${EFI_FILES_PATH}
- install ${B}/src/boot/efi/systemd-boot*.efi ${D}${EFI_FILES_PATH}/${SYSTEMD_BOOT_IMAGE}
+ install ${B}/src/boot/efi/systemd-boot*.efi ${D}${EFI_FILES_PATH}/${SYSTEMD_BOOT_EFI_BOOT_IMAGE}
 }
 do_deploy () {
--
2.23.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
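Review bot: The new anonymous function in the first hunk compares `EFI_PROVIDER` with `"grub-efi"`, whereas the code it replaces compared it with `"systemd-boot"`; this looks like a copy-paste from the grub-efi patch. As written, systemd-boot is installed as `${EFI_BOOT_IMAGE}` (boot*.efi) exactly when grub-efi is the provider, which is the same path grub-efi installs to in patch 1/5. When systemd-boot itself is the provider it is installed under the long `systemd-` name, so the firmware's default loader path would be left empty. The condition should read `if d.getVar('EFI_PROVIDER') == "systemd-boot":`.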
* [PATCH v2 3/5] image-uefi.conf: define EFI_ARCH variable 2019-09-29 20:13 [PATCH v2 1/5] grub-efi: replace anonymous function with static configuration dbaryshkov 2019-09-29 20:13 ` [PATCH v2 2/5] systemd-boot: " dbaryshkov @ 2019-09-29 20:13 ` dbaryshkov 2019-09-29 20:13 ` [PATCH v2 4/5] image-uefi.conf: define generic EFI_COMPATIBLE_HOST dbaryshkov 2019-09-29 20:13 ` [PATCH v2 5/5] shim: add first-stage UEFI bootloader implementing MOK protocol dbaryshkov 3 siblings, 0 replies; 6+ messages in thread
From: dbaryshkov @ 2019-09-29 20:13 UTC (permalink / raw)
To: openembedded-core; +Cc: Dmitry Eremin-Solenikov
From: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
Define EFI_ARCH to suffix used by UEFI on the platform to name files.
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
---
meta/conf/image-uefi.conf | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/meta/conf/image-uefi.conf b/meta/conf/image-uefi.conf
index aaeff12ccb80..669c16d42af4 100644
--- a/meta/conf/image-uefi.conf
+++ b/meta/conf/image-uefi.conf
@@ -9,8 +9,10 @@ EFI_PREFIX ?= "/boot"
 EFI_FILES_PATH = "${EFI_PREFIX}${EFIDIR}"
 # Determine name of bootloader image
-EFI_BOOT_IMAGE ?= "bootINVALID.efi"
-EFI_BOOT_IMAGE_x86-64 = "bootx64.efi"
-EFI_BOOT_IMAGE_x86 = "bootia32.efi"
-EFI_BOOT_IMAGE_aarch64 = "bootaa64.efi"
-EFI_BOOT_IMAGE_arm = "bootarm.efi"
+EFI_ARCH ?= "INVALID"
+EFI_ARCH_x86-64 = "x64"
+EFI_ARCH_x86 = "ia32"
+EFI_ARCH_aarch64 = "aa64"
+EFI_ARCH_arm = "arm"
+
+EFI_BOOT_IMAGE ?= "boot${EFI_ARCH}.efi"
--
2.23.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH v2 4/5] image-uefi.conf: define generic EFI_COMPATIBLE_HOST 2019-09-29 20:13 [PATCH v2 1/5] grub-efi: replace anonymous function with static configuration dbaryshkov 2019-09-29 20:13 ` [PATCH v2 2/5] systemd-boot: " dbaryshkov 2019-09-29 20:13 ` [PATCH v2 3/5] image-uefi.conf: define EFI_ARCH variable dbaryshkov @ 2019-09-29 20:13 ` dbaryshkov 2019-09-29 20:13 ` [PATCH v2 5/5] shim: add first-stage UEFI bootloader implementing MOK protocol dbaryshkov 3 siblings, 0 replies; 6+ messages in thread
From: dbaryshkov @ 2019-09-29 20:13 UTC (permalink / raw)
To: openembedded-core; +Cc: Dmitry Eremin-Solenikov
From: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
---
meta/conf/image-uefi.conf | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/conf/image-uefi.conf b/meta/conf/image-uefi.conf
index 669c16d42af4..19729c401dfa 100644
--- a/meta/conf/image-uefi.conf
+++ b/meta/conf/image-uefi.conf
@@ -16,3 +16,5 @@ EFI_ARCH_aarch64 = "aa64"
 EFI_ARCH_arm = "arm"
 EFI_BOOT_IMAGE ?= "boot${EFI_ARCH}.efi"
+
+EFI_COMPATIBLE_HOST = "(x86_64.*|i.86.*|arm.*|aarch64.*)-linux.*"
--
2.23.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH v2 5/5] shim: add first-stage UEFI bootloader implementing MOK protocol 2019-09-29 20:13 [PATCH v2 1/5] grub-efi: replace anonymous function with static configuration dbaryshkov ` (2 preceding siblings ...) 2019-09-29 20:13 ` [PATCH v2 4/5] image-uefi.conf: define generic EFI_COMPATIBLE_HOST dbaryshkov @ 2019-09-29 20:13 ` dbaryshkov 2019-10-12 22:30 ` Khem Raj 3 siblings, 1 reply; 6+ messages in thread From: dbaryshkov @ 2019-09-29 20:13 UTC (permalink / raw) To: openembedded-core; +Cc: Dmitry Eremin-Solenikov From: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com> Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com> --- ...ompareMem-on-MokListNode.Type-instea.patch | 69 ++++++++++++++++++ meta/recipes-bsp/shim/shim_git.bb | 72 +++++++++++++++++++ 2 files changed, 141 insertions(+) create mode 100644 meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch create mode 100644 meta/recipes-bsp/shim/shim_git.bb diff --git a/meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch b/meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch new file mode 100644 index 000000000000..12ee342e9f64 --- /dev/null +++ b/meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch 
@@ -0,0 +1,69 @@ +From f30cd0b6330be8ea72a93bf25e43829c222ba611 Mon Sep 17 00:00:00 2001 +From: Gary Lin <glin@suse.com> +Date: Tue, 26 Feb 2019 11:33:53 +0800 +Subject: [PATCH] MokManager: Use CompareMem on MokListNode.Type instead of + CompareGuid + +Fix the errors from gcc9 '-Werror=address-of-packed-member' + +https://github.com/rhboot/shim/issues/161 + +Signed-off-by: Gary Lin <glin@suse.com> +Upstream-Status: Submitted[https://github.com/rhboot/shim/pull/170] +--- + MokManager.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/MokManager.c b/MokManager.c +index d69b4dbe..05dc1622 100644 +--- a/MokManager.c ++++ b/MokManager.c +@@ -1053,7 +1053,8 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num, + continue; + + DataSize += sizeof(EFI_SIGNATURE_LIST); +- if (CompareGuid(&(list[i].Type), &X509_GUID) == 0) ++ if (CompareMem(&(list[i].Type), &X509_GUID, ++ sizeof(EFI_GUID)) == 0) + DataSize += sizeof(EFI_GUID); + DataSize += list[i].MokSize; + } +@@ -1075,7 +1076,8 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num, + CertList->SignatureType = list[i].Type; + CertList->SignatureHeaderSize = 0; + +- if (CompareGuid(&(list[i].Type), &X509_GUID) == 0) { ++ if (CompareMem(&(list[i].Type), &X509_GUID, ++ sizeof(EFI_GUID)) == 0) { + CertList->SignatureListSize = list[i].MokSize + + sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID); + CertList->SignatureSize = +@@ -1116,7 +1118,8 @@ static void delete_cert(void *key, UINT32 key_size, + int i; + + for (i = 0; i < mok_num; i++) { +- if (CompareGuid(&(mok[i].Type), &X509_GUID) != 0) ++ if (CompareMem(&(mok[i].Type), &X509_GUID, ++ sizeof(EFI_GUID)) != 0) + continue; + + if (mok[i].MokSize == key_size && +@@ -1167,7 +1170,7 @@ static void delete_hash_in_list(EFI_GUID Type, UINT8 * hash, UINT32 hash_size, + sig_size = hash_size + sizeof(EFI_GUID); + + for (i = 0; i < mok_num; i++) { +- if ((CompareGuid(&(mok[i].Type), &Type) != 0) || ++ if 
((CompareMem(&(mok[i].Type), &Type, sizeof(EFI_GUID)) != 0) || + (mok[i].MokSize < sig_size)) + continue; + +@@ -1331,7 +1334,8 @@ static EFI_STATUS delete_keys(void *MokDel, UINTN MokDelSize, BOOLEAN MokX) + + /* Search and destroy */ + for (i = 0; i < del_num; i++) { +- if (CompareGuid(&(del_key[i].Type), &X509_GUID) == 0) { ++ if (CompareMem(&(del_key[i].Type), &X509_GUID, ++ sizeof(EFI_GUID)) == 0) { + delete_cert(del_key[i].Mok, del_key[i].MokSize, + mok, mok_num); + } else if (is_sha2_hash(del_key[i].Type)) { diff --git a/meta/recipes-bsp/shim/shim_git.bb b/meta/recipes-bsp/shim/shim_git.bb new file mode 100644 index 000000000000..10769ac75a0a --- /dev/null +++ b/meta/recipes-bsp/shim/shim_git.bb 
@@ -0,0 +1,72 @@
+SUMMARY = "shim is a first stage EFI bootloader."
+DESCRIPTION = "shim is a trivial EFI application that, when run, \
+attempts to open and execute another application. It will initially \
+attempt to do this via the standard EFI LoadImage() and StartImage() \
+calls. If these fail (because secure boot is enabled and the binary \
+is not signed with an appropriate key, for instance) it will then \
+validate the binary against a built-in certificate. If this succeeds \
+and if the binary or signing key are not blacklisted then shim will \
+relocate and execute the binary."
+HOMEPAGE = "https://github.com/rhboot/shim.git"
+SECTION = "bootloaders"
+
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=b92e63892681ee4e8d27e7a7e87ef2bc"
+
+DEPENDS += "\
+ gnu-efi \
+"
+
+PV = "15+git${SRCPV}"
+
+SRC_URI = "\
+ git://github.com/rhboot/shim.git \
+ file://0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch \
+"
+
+SRCREV = "a4a1fbe728c9545fc5647129df0cf1593b953bec"
+
+S = "${WORKDIR}/git"
+
+SHIM_IMAGE = "shim-${EFI_BOOT_IMAGE}"
+
+# install to the image as boot*.efi if its the EFI_PROVIDER,
+# otherwise install as the full name.
+# This allows multiple bootloaders to coexist in a single image.
+python __anonymous () {
+ if d.getVar('EFI_PROVIDER') == "shim":
+ d.setVar("SHIM_EFI_BOOT_IMAGE", d.getVar("EFI_BOOT_IMAGE"))
+ else:
+ d.setVar("SHIM_EFI_BOOT_IMAGE", d.getVar("SHIM_IMAGE"))
+}
+
+inherit deploy
+
+TUNE_CCARGS_remove = "-mfpmath=sse"
+
+EXTRA_OEMAKE = "\
+ CROSS_COMPILE="${TARGET_PREFIX}" \
+ COMPILER="gcc ${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS}" \
+ EFI_INCLUDE="${STAGING_INCDIR}/efi" \
+ EFI_PATH="${STAGING_LIBDIR}" \
+ LIBDIR="${STAGING_LIBDIR}" \
+"
+
+COMPATIBLE_HOST = "${EFI_COMPATIBLE_HOST}"
+
+require conf/image-uefi.conf
+
+do_install() {
+ install -d ${D}${EFI_FILES_PATH}
+ install -m 0755 mm${EFI_ARCH}.efi fb${EFI_ARCH}.efi ${D}${EFI_FILES_PATH}/
+ install -m 0755 shim${EFI_ARCH}.efi ${D}${EFI_FILES_PATH}/${SHIM_EFI_BOOT_IMAGE}
+}
+
+# Install the unsigned images for manual signing
+do_deploy() {
+ install -m 0755 mm${EFI_ARCH}.efi fb${EFI_ARCH}.efi ${DEPLOYDIR}
+ install -m 0755 shim${EFI_ARCH}.efi ${DEPLOYDIR}/${SHIM_IMAGE}
+}
+addtask deploy after do_install before do_build
+
+FILES_${PN} += "${EFI_FILES_PATH}"
--
2.23.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
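Review bot: `SRC_URI` fetches the first-stage bootloader source from `git://github.com/rhboot/shim.git` with no protocol parameter, so the fetch uses the unauthenticated git transport. The pinned `SRCREV` limits what a tampered transport could substitute, but the entry should still go over TLS: `git://github.com/rhboot/shim.git;protocol=https \`. Separately, `EXTRA_OEMAKE` passes no `VENDOR_CERT_FILE`, so as far as this recipe shows shim is built without an embedded vendor certificate. `do_install` also places the same unsigned binary at `${SHIM_EFI_BOOT_IMAGE}` in the image, while the only mention of signing is the comment on `do_deploy`. A comment near `EXTRA_OEMAKE` saying where the trusted certificate and the signing step are expected to come from would keep anyone from assuming the installed image is usable under Secure Boot as built.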
* Re: [PATCH v2 5/5] shim: add first-stage UEFI bootloader implementing MOK protocol 2019-09-29 20:13 ` [PATCH v2 5/5] shim: add first-stage UEFI bootloader implementing MOK protocol dbaryshkov @ 2019-10-12 22:30 ` Khem Raj 0 siblings, 0 replies; 6+ messages in thread From: Khem Raj @ 2019-10-12 22:30 UTC (permalink / raw) To: Dmitry Eremin-Solenikov Cc: Dmitry Eremin-Solenikov, Patches and discussions about the oe-core layer fail on musl/clang/aarch64 https://errors.yoctoproject.org/Errors/Details/273493/ does it depend on gcc being system compiler ? On Sun, Sep 29, 2019 at 1:15 PM <dbaryshkov@gmail.com> wrote: > > From: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com> > > Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com> > --- > ...ompareMem-on-MokListNode.Type-instea.patch | 69 ++++++++++++++++++ > meta/recipes-bsp/shim/shim_git.bb | 72 +++++++++++++++++++ > 2 files changed, 141 insertions(+) > create mode 100644 meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch > create mode 100644 meta/recipes-bsp/shim/shim_git.bb > > diff --git a/meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch b/meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch > new file mode 100644 > index 000000000000..12ee342e9f64 > --- /dev/null > +++ b/meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch 
> @@ -0,0 +1,69 @@ > +From f30cd0b6330be8ea72a93bf25e43829c222ba611 Mon Sep 17 00:00:00 2001 > +From: Gary Lin <glin@suse.com> > +Date: Tue, 26 Feb 2019 11:33:53 +0800 > +Subject: [PATCH] MokManager: Use CompareMem on MokListNode.Type instead of > + CompareGuid > + > +Fix the errors from gcc9 '-Werror=address-of-packed-member' > + > +https://github.com/rhboot/shim/issues/161 > + > +Signed-off-by: Gary Lin <glin@suse.com> > +Upstream-Status: Submitted[https://github.com/rhboot/shim/pull/170] > +--- > + MokManager.c | 14 +++++++++----- > + 1 file changed, 9 insertions(+), 5 deletions(-) > + > +diff --git a/MokManager.c b/MokManager.c > +index d69b4dbe..05dc1622 100644 > +--- a/MokManager.c > ++++ b/MokManager.c > +@@ -1053,7 +1053,8 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num, > + continue; > + > + DataSize += sizeof(EFI_SIGNATURE_LIST); > +- if (CompareGuid(&(list[i].Type), &X509_GUID) == 0) > ++ if (CompareMem(&(list[i].Type), &X509_GUID, > ++ sizeof(EFI_GUID)) == 0) > + DataSize += sizeof(EFI_GUID); > + DataSize += list[i].MokSize; > + } > +@@ -1075,7 +1076,8 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num, > + CertList->SignatureType = list[i].Type; > + CertList->SignatureHeaderSize = 0; > + > +- if (CompareGuid(&(list[i].Type), &X509_GUID) == 0) { > ++ if (CompareMem(&(list[i].Type), &X509_GUID, > ++ sizeof(EFI_GUID)) == 0) { > + CertList->SignatureListSize = list[i].MokSize + > + sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID); > + CertList->SignatureSize = > +@@ -1116,7 +1118,8 @@ static void delete_cert(void *key, UINT32 key_size, > + int i; > + > + for (i = 0; i < mok_num; i++) { > +- if (CompareGuid(&(mok[i].Type), &X509_GUID) != 0) > ++ if (CompareMem(&(mok[i].Type), &X509_GUID, > ++ sizeof(EFI_GUID)) != 0) > + continue; > + > + if (mok[i].MokSize == key_size && > +@@ -1167,7 +1170,7 @@ static void delete_hash_in_list(EFI_GUID Type, UINT8 * hash, UINT32 hash_size, > + sig_size = hash_size + 
sizeof(EFI_GUID); > + > + for (i = 0; i < mok_num; i++) { > +- if ((CompareGuid(&(mok[i].Type), &Type) != 0) || > ++ if ((CompareMem(&(mok[i].Type), &Type, sizeof(EFI_GUID)) != 0) || > + (mok[i].MokSize < sig_size)) > + continue; > + > +@@ -1331,7 +1334,8 @@ static EFI_STATUS delete_keys(void *MokDel, UINTN MokDelSize, BOOLEAN MokX) > + > + /* Search and destroy */ > + for (i = 0; i < del_num; i++) { > +- if (CompareGuid(&(del_key[i].Type), &X509_GUID) == 0) { > ++ if (CompareMem(&(del_key[i].Type), &X509_GUID, > ++ sizeof(EFI_GUID)) == 0) { > + delete_cert(del_key[i].Mok, del_key[i].MokSize, > + mok, mok_num); > + } else if (is_sha2_hash(del_key[i].Type)) { > diff --git a/meta/recipes-bsp/shim/shim_git.bb b/meta/recipes-bsp/shim/shim_git.bb > new file mode 100644 > index 000000000000..10769ac75a0a > --- /dev/null > +++ b/meta/recipes-bsp/shim/shim_git.bb 
> @@ -0,0 +1,72 @@ > +SUMMARY = "shim is a first stage EFI bootloader." > +DESCRIPTION = "shim is a trivial EFI application that, when run, \ > +attempts to open and execute another application. It will initially \ > +attempt to do this via the standard EFI LoadImage() and StartImage() \ > +calls. If these fail (because secure boot is enabled and the binary \ > +is not signed with an appropriate key, for instance) it will then \ > +validate the binary against a built-in certificate. If this succeeds \ > +and if the binary or signing key are not blacklisted then shim will \ > +relocate and execute the binary." > +HOMEPAGE = "https://github.com/rhboot/shim.git" > +SECTION = "bootloaders" > + > +LICENSE = "BSD-2-Clause" > +LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=b92e63892681ee4e8d27e7a7e87ef2bc" > + > +DEPENDS += "\ > + gnu-efi \ > +" > + > +PV = "15+git${SRCPV}" > + > +SRC_URI = "\ > + git://github.com/rhboot/shim.git \ > + file://0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch \ > +" > + > +SRCREV = "a4a1fbe728c9545fc5647129df0cf1593b953bec" > + > +S = "${WORKDIR}/git" > + > +SHIM_IMAGE = "shim-${EFI_BOOT_IMAGE}" > + > +# install to the image as boot*.efi if its the EFI_PROVIDER, > +# otherwise install as the full name. > +# This allows multiple bootloaders to coexist in a single image. 
> +python __anonymous () { > + if d.getVar('EFI_PROVIDER') == "shim": > + d.setVar("SHIM_EFI_BOOT_IMAGE", d.getVar("EFI_BOOT_IMAGE")) > + else: > + d.setVar("SHIM_EFI_BOOT_IMAGE", d.getVar("SHIM_IMAGE")) > +} > + > +inherit deploy > + > +TUNE_CCARGS_remove = "-mfpmath=sse" > + > +EXTRA_OEMAKE = "\ > + CROSS_COMPILE="${TARGET_PREFIX}" \ > + COMPILER="gcc ${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS}" \ > + EFI_INCLUDE="${STAGING_INCDIR}/efi" \ > + EFI_PATH="${STAGING_LIBDIR}" \ > + LIBDIR="${STAGING_LIBDIR}" \ > +" > + > +COMPATIBLE_HOST = "${EFI_COMPATIBLE_HOST}" > + > +require conf/image-uefi.conf > + > +do_install() { > + install -d ${D}${EFI_FILES_PATH} > + install -m 0755 mm${EFI_ARCH}.efi fb${EFI_ARCH}.efi ${D}${EFI_FILES_PATH}/ > + install -m 0755 shim${EFI_ARCH}.efi ${D}${EFI_FILES_PATH}/${SHIM_EFI_BOOT_IMAGE} > +} > + > +# Install the unsigned images for manual signing > +do_deploy() { > + install -m 0755 mm${EFI_ARCH}.efi fb${EFI_ARCH}.efi ${DEPLOYDIR} > + install -m 0755 shim${EFI_ARCH}.efi ${DEPLOYDIR}/${SHIM_IMAGE} > +} > +addtask deploy after do_install before do_build > + > +FILES_${PN} += "${EFI_FILES_PATH}" > -- > 2.23.0 > > -- > _______________________________________________ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-core ^ permalink raw reply [flat|nested] 6+ messages in thread