* [PATCH v2 1/5] grub-efi: replace anonymous function with static configuration
From: dbaryshkov @ 2019-09-29 20:13 UTC (permalink / raw)
To: openembedded-core; +Cc: Dmitry Eremin-Solenikov
From: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
Replace anonymous function setting GRUB_* variables with static
configuration, since grub-efi.bbclass will use fixed names for grub
bootloader.
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
---
meta/recipes-bsp/grub/grub-efi_2.04.bb | 40 ++++++++++++--------------
1 file changed, 18 insertions(+), 22 deletions(-)
diff --git a/meta/recipes-bsp/grub/grub-efi_2.04.bb b/meta/recipes-bsp/grub/grub-efi_2.04.bb
index b9d6225d2774..419f25c014b9 100644
--- a/meta/recipes-bsp/grub/grub-efi_2.04.bb
+++ b/meta/recipes-bsp/grub/grub-efi_2.04.bb
@@ -13,26 +13,22 @@ SRC_URI += " \
S = "${WORKDIR}/grub-${PV}"
-# Determine the target arch for the grub modules
+GRUB_TARGET = "UNSUPPORTED"
+GRUB_TARGET_x86-64 = "x86_64"
+GRUB_TARGET_x86 = "i386"
+GRUB_TARGET_aarch64 = "arm64"
+GRUB_TARGET_arm = "arm"
+
+GRUB_IMAGE = "grub-efi-${EFI_BOOT_IMAGE}"
+
+# install to the image as boot*.efi if its the EFI_PROVIDER,
+# otherwise install as the full name.
+# This allows multiple bootloaders to coexist in a single image.
python __anonymous () {
- import re
- target = d.getVar('TARGET_ARCH')
- prefix = "" if d.getVar('EFI_PROVIDER') == "grub-efi" else "grub-efi-"
- if target == "x86_64":
- grubtarget = 'x86_64'
- elif re.match('i.86', target):
- grubtarget = 'i386'
- elif re.match('aarch64', target):
- grubtarget = 'arm64'
- elif re.match('arm', target):
- grubtarget = 'arm'
+ if d.getVar('EFI_PROVIDER') == "grub-efi":
+ d.setVar("GRUB_EFI_BOOT_IMAGE", d.getVar("EFI_BOOT_IMAGE"))
else:
- raise bb.parse.SkipRecipe("grub-efi is incompatible with target %s" % target)
- grubimage = prefix + d.getVar("EFI_BOOT_IMAGE")
- d.setVar("GRUB_TARGET", grubtarget)
- d.setVar("GRUB_IMAGE", grubimage)
- prefix = "grub-efi-" if prefix == "" else ""
- d.setVar("GRUB_IMAGE_PREFIX", prefix)
+ d.setVar("GRUB_EFI_BOOT_IMAGE", d.getVar("GRUB_IMAGE"))
}
inherit deploy
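Review bot: Removing the `raise bb.parse.SkipRecipe(...)` branch means an unsupported TARGET_ARCH is no longer rejected at parse time; the new default `GRUB_TARGET = "UNSUPPORTED"` is passed on unchanged to `grub-mkimage -O ${GRUB_TARGET}-efi` in do_mkimage and only fails there. Unless COMPATIBLE_HOST is already restricted elsewhere in the recipe (not visible in this hunk), keep the guard in the anonymous function that remains: `if d.getVar('GRUB_TARGET') == "UNSUPPORTED":` followed by `raise bb.parse.SkipRecipe("grub-efi is incompatible with target %s" % d.getVar('TARGET_ARCH'))`. The three-line comment above `python __anonymous ()` would also be clearer if it named the variable it sets, GRUB_EFI_BOOT_IMAGE.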
@@ -45,7 +41,7 @@ do_mkimage() {
# Search for the grub.cfg on the local boot media by using the
# built in cfg file provided via this recipe
grub-mkimage -c ../cfg -p ${EFIDIR} -d ./grub-core/ \
- -O ${GRUB_TARGET}-efi -o ./${GRUB_IMAGE_PREFIX}${GRUB_IMAGE} \
+ -O ${GRUB_TARGET}-efi -o ./${GRUB_IMAGE} \
${GRUB_BUILDIN}
}
@@ -57,7 +53,7 @@ do_mkimage_class-native() {
do_install_append_class-target() {
install -d ${D}${EFI_FILES_PATH}
- install -m 644 ${B}/${GRUB_IMAGE_PREFIX}${GRUB_IMAGE} ${D}${EFI_FILES_PATH}/${GRUB_IMAGE}
+ install -m 644 ${B}/${GRUB_IMAGE} ${D}${EFI_FILES_PATH}/${GRUB_EFI_BOOT_IMAGE}
}
do_install_class-native() {
@@ -86,7 +82,7 @@ GRUB_BUILDIN ?= "boot linux ext2 fat serial part_msdos part_gpt normal \
efi_gop iso9660 configfile search loadenv test"
do_deploy() {
- install -m 644 ${B}/${GRUB_IMAGE_PREFIX}${GRUB_IMAGE} ${DEPLOYDIR}
+ install -m 644 ${B}/${GRUB_IMAGE} ${DEPLOYDIR}
}
do_deploy_class-native() {
@@ -97,7 +93,7 @@ addtask deploy after do_install before do_build
FILES_${PN} = "${libdir}/grub/${GRUB_TARGET}-efi \
${datadir}/grub \
- ${EFI_FILES_PATH}/${GRUB_IMAGE} \
+ ${EFI_FILES_PATH}/${GRUB_EFI_BOOT_IMAGE} \
"
FILES_${PN}_remove_aarch64 = "${libdir}/grub/${GRUB_TARGET}-efi"
--
2.23.0
* [PATCH v2 2/5] systemd-boot: replace anonymous function with static configuration
From: dbaryshkov @ 2019-09-29 20:13 UTC (permalink / raw)
To: openembedded-core; +Cc: Dmitry Eremin-Solenikov
From: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
Replace anonymous function setting GRUB_* variables with static
configuration, since systemd-boot.bbclass will use fixed names for
systemd bootloader.
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
---
meta/recipes-core/systemd/systemd-boot_243.bb | 19 +++++++++----------
1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/meta/recipes-core/systemd/systemd-boot_243.bb b/meta/recipes-core/systemd/systemd-boot_243.bb
index 515abc289bef..832532077d07 100644
--- a/meta/recipes-core/systemd/systemd-boot_243.bb
+++ b/meta/recipes-core/systemd/systemd-boot_243.bb
@@ -28,20 +28,19 @@ EXTRA_OEMESON += "-Defi=true \
-Defi-objcopy='${OBJCOPY}' \
"
+SYSTEMD_BOOT_IMAGE = "systemd-${EFI_BOOT_IMAGE}"
+
# install to the image as boot*.efi if its the EFI_PROVIDER,
# otherwise install as the full name.
# This allows multiple bootloaders to coexist in a single image.
python __anonymous () {
- import re
- target = d.getVar('TARGET_ARCH')
- prefix = "" if d.getVar('EFI_PROVIDER') == "systemd-boot" else "systemd-"
- systemdimage = prefix + d.getVar("EFI_BOOT_IMAGE")
- d.setVar("SYSTEMD_BOOT_IMAGE", systemdimage)
- prefix = "systemd-" if prefix == "" else ""
- d.setVar("SYSTEMD_BOOT_IMAGE_PREFIX", prefix)
+ if d.getVar('EFI_PROVIDER') == "grub-efi":
+ d.setVar("SYSTEMD_BOOT_EFI_BOOT_IMAGE", d.getVar("EFI_BOOT_IMAGE"))
+ else:
+ d.setVar("SYSTEMD_BOOT_EFI_BOOT_IMAGE", d.getVar("SYSTEMD_BOOT_IMAGE"))
}
-FILES_${PN} = "${EFI_FILES_PATH}/${SYSTEMD_BOOT_IMAGE}"
+FILES_${PN} = "${EFI_FILES_PATH}/${SYSTEMD_BOOT_EFI_BOOT_IMAGE}"
RDEPENDS_${PN} += "virtual/systemd-bootconf"
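Review bot: The provider check in the new anonymous function names the wrong recipe: `if d.getVar('EFI_PROVIDER') == "grub-efi":` should read `if d.getVar('EFI_PROVIDER') == "systemd-boot":`. As written, systemd-boot installs itself under the default `${EFI_BOOT_IMAGE}` name exactly when grub-efi is the selected provider, so both recipes claim the same file in `${EFI_FILES_PATH}`, and when systemd-boot is the provider nothing from this recipe lands at the default boot path. Which loader the firmware actually starts would then no longer follow EFI_PROVIDER. The commit message's reference to GRUB_* variables suggests the function was carried over from the grub-efi patch without adjusting the string.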
@@ -56,12 +55,12 @@ do_compile() {
SYSTEMD_BOOT_EFI_ARCH="x64"
fi
- ninja src/boot/efi/${SYSTEMD_BOOT_IMAGE_PREFIX}${SYSTEMD_BOOT_IMAGE}
+ ninja src/boot/efi/${SYSTEMD_BOOT_IMAGE}
}
do_install() {
install -d ${D}${EFI_FILES_PATH}
- install ${B}/src/boot/efi/systemd-boot*.efi ${D}${EFI_FILES_PATH}/${SYSTEMD_BOOT_IMAGE}
+ install ${B}/src/boot/efi/systemd-boot*.efi ${D}${EFI_FILES_PATH}/${SYSTEMD_BOOT_EFI_BOOT_IMAGE}
}
do_deploy () {
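Review bot: The changed install line in do_install still selects its source with the glob `systemd-boot*.efi`, although the ninja line in the same hunk now builds one exactly named target, `src/boot/efi/${SYSTEMD_BOOT_IMAGE}`. If the glob ever matches more than one file, install treats the last argument as a directory and fails, so naming the file is safer: `install ${B}/src/boot/efi/${SYSTEMD_BOOT_IMAGE} ${D}${EFI_FILES_PATH}/${SYSTEMD_BOOT_EFI_BOOT_IMAGE}`. do_compile starts before this hunk and do_deploy continues past it, so only the two changed lines are covered here.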
--
2.23.0
* [PATCH v2 3/5] image-uefi.conf: define EFI_ARCH variable
From: dbaryshkov @ 2019-09-29 20:13 UTC (permalink / raw)
To: openembedded-core; +Cc: Dmitry Eremin-Solenikov
From: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
Define EFI_ARCH as the suffix that UEFI uses on the platform to name files.
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
---
meta/conf/image-uefi.conf | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/meta/conf/image-uefi.conf b/meta/conf/image-uefi.conf
index aaeff12ccb80..669c16d42af4 100644
--- a/meta/conf/image-uefi.conf
+++ b/meta/conf/image-uefi.conf
@@ -9,8 +9,10 @@ EFI_PREFIX ?= "/boot"
EFI_FILES_PATH = "${EFI_PREFIX}${EFIDIR}"
# Determine name of bootloader image
-EFI_BOOT_IMAGE ?= "bootINVALID.efi"
-EFI_BOOT_IMAGE_x86-64 = "bootx64.efi"
-EFI_BOOT_IMAGE_x86 = "bootia32.efi"
-EFI_BOOT_IMAGE_aarch64 = "bootaa64.efi"
-EFI_BOOT_IMAGE_arm = "bootarm.efi"
+EFI_ARCH ?= "INVALID"
+EFI_ARCH_x86-64 = "x64"
+EFI_ARCH_x86 = "ia32"
+EFI_ARCH_aarch64 = "aa64"
+EFI_ARCH_arm = "arm"
+
+EFI_BOOT_IMAGE ?= "boot${EFI_ARCH}.efi"
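Review bot: EFI_ARCH is introduced without a comment of its own; the existing `# Determine name of bootloader image` line now sits above it and describes only the derived EFI_BOOT_IMAGE. A line such as `# UEFI architecture suffix used in EFI file names (x64, ia32, aa64, arm)` above the EFI_ARCH block, with the old comment moved down to EFI_BOOT_IMAGE, would make the split clear. It would also help to state that the `"INVALID"` default is a sentinel, since recipes that expand `${EFI_ARCH}` into file names will otherwise fail late on an unmatched architecture with a confusing missing-file error.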
--
2.23.0
* [PATCH v2 4/5] image-uefi.conf: define generic EFI_COMPATIBLE_HOST
From: dbaryshkov @ 2019-09-29 20:13 UTC (permalink / raw)
To: openembedded-core; +Cc: Dmitry Eremin-Solenikov
From: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
---
meta/conf/image-uefi.conf | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/conf/image-uefi.conf b/meta/conf/image-uefi.conf
index 669c16d42af4..19729c401dfa 100644
--- a/meta/conf/image-uefi.conf
+++ b/meta/conf/image-uefi.conf
@@ -16,3 +16,5 @@ EFI_ARCH_aarch64 = "aa64"
EFI_ARCH_arm = "arm"
EFI_BOOT_IMAGE ?= "boot${EFI_ARCH}.efi"
+
+EFI_COMPATIBLE_HOST = "(x86_64.*|i.86.*|arm.*|aarch64.*)-linux.*"
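Review bot: EFI_COMPATIBLE_HOST is added with a hard `=` and no comment, while the neighbouring defaults in this file (EFI_PREFIX, EFI_ARCH, EFI_BOOT_IMAGE) use `?=` so that a distro or machine configuration can override them. Suggest `EFI_COMPATIBLE_HOST ?= "(x86_64.*|i.86.*|arm.*|aarch64.*)-linux.*"` preceded by `# Hosts for which EFI_ARCH is defined above; intended as COMPATIBLE_HOST for EFI bootloader recipes`. The pattern has to be kept in step with the EFI_ARCH overrides by hand, which the comment should say.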
--
2.23.0
* [PATCH v2 5/5] shim: add first-stage UEFI bootloader implementing MOK protocol
From: dbaryshkov @ 2019-09-29 20:13 UTC (permalink / raw)
To: openembedded-core; +Cc: Dmitry Eremin-Solenikov
From: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
---
...ompareMem-on-MokListNode.Type-instea.patch | 69 ++++++++++++++++++
meta/recipes-bsp/shim/shim_git.bb | 72 +++++++++++++++++++
2 files changed, 141 insertions(+)
create mode 100644 meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch
create mode 100644 meta/recipes-bsp/shim/shim_git.bb
diff --git a/meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch b/meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch
new file mode 100644
index 000000000000..12ee342e9f64
--- /dev/null
+++ b/meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch
@@ -0,0 +1,69 @@
+From f30cd0b6330be8ea72a93bf25e43829c222ba611 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Tue, 26 Feb 2019 11:33:53 +0800
+Subject: [PATCH] MokManager: Use CompareMem on MokListNode.Type instead of
+ CompareGuid
+
+Fix the errors from gcc9 '-Werror=address-of-packed-member'
+
+https://github.com/rhboot/shim/issues/161
+
+Signed-off-by: Gary Lin <glin@suse.com>
+Upstream-Status: Submitted[https://github.com/rhboot/shim/pull/170]
+---
+ MokManager.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/MokManager.c b/MokManager.c
+index d69b4dbe..05dc1622 100644
+--- a/MokManager.c
++++ b/MokManager.c
+@@ -1053,7 +1053,8 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num,
+ continue;
+
+ DataSize += sizeof(EFI_SIGNATURE_LIST);
+- if (CompareGuid(&(list[i].Type), &X509_GUID) == 0)
++ if (CompareMem(&(list[i].Type), &X509_GUID,
++ sizeof(EFI_GUID)) == 0)
+ DataSize += sizeof(EFI_GUID);
+ DataSize += list[i].MokSize;
+ }
+@@ -1075,7 +1076,8 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num,
+ CertList->SignatureType = list[i].Type;
+ CertList->SignatureHeaderSize = 0;
+
+- if (CompareGuid(&(list[i].Type), &X509_GUID) == 0) {
++ if (CompareMem(&(list[i].Type), &X509_GUID,
++ sizeof(EFI_GUID)) == 0) {
+ CertList->SignatureListSize = list[i].MokSize +
+ sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID);
+ CertList->SignatureSize =
+@@ -1116,7 +1118,8 @@ static void delete_cert(void *key, UINT32 key_size,
+ int i;
+
+ for (i = 0; i < mok_num; i++) {
+- if (CompareGuid(&(mok[i].Type), &X509_GUID) != 0)
++ if (CompareMem(&(mok[i].Type), &X509_GUID,
++ sizeof(EFI_GUID)) != 0)
+ continue;
+
+ if (mok[i].MokSize == key_size &&
+@@ -1167,7 +1170,7 @@ static void delete_hash_in_list(EFI_GUID Type, UINT8 * hash, UINT32 hash_size,
+ sig_size = hash_size + sizeof(EFI_GUID);
+
+ for (i = 0; i < mok_num; i++) {
+- if ((CompareGuid(&(mok[i].Type), &Type) != 0) ||
++ if ((CompareMem(&(mok[i].Type), &Type, sizeof(EFI_GUID)) != 0) ||
+ (mok[i].MokSize < sig_size))
+ continue;
+
+@@ -1331,7 +1334,8 @@ static EFI_STATUS delete_keys(void *MokDel, UINTN MokDelSize, BOOLEAN MokX)
+
+ /* Search and destroy */
+ for (i = 0; i < del_num; i++) {
+- if (CompareGuid(&(del_key[i].Type), &X509_GUID) == 0) {
++ if (CompareMem(&(del_key[i].Type), &X509_GUID,
++ sizeof(EFI_GUID)) == 0) {
+ delete_cert(del_key[i].Mok, del_key[i].MokSize,
+ mok, mok_num);
+ } else if (is_sha2_hash(del_key[i].Type)) {
diff --git a/meta/recipes-bsp/shim/shim_git.bb b/meta/recipes-bsp/shim/shim_git.bb
new file mode 100644
index 000000000000..10769ac75a0a
--- /dev/null
+++ b/meta/recipes-bsp/shim/shim_git.bb
@@ -0,0 +1,72 @@
+SUMMARY = "shim is a first stage EFI bootloader."
+DESCRIPTION = "shim is a trivial EFI application that, when run, \
+attempts to open and execute another application. It will initially \
+attempt to do this via the standard EFI LoadImage() and StartImage() \
+calls. If these fail (because secure boot is enabled and the binary \
+is not signed with an appropriate key, for instance) it will then \
+validate the binary against a built-in certificate. If this succeeds \
+and if the binary or signing key are not blacklisted then shim will \
+relocate and execute the binary."
+HOMEPAGE = "https://github.com/rhboot/shim.git"
+SECTION = "bootloaders"
+
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=b92e63892681ee4e8d27e7a7e87ef2bc"
+
+DEPENDS += "\
+ gnu-efi \
+"
+
+PV = "15+git${SRCPV}"
+
+SRC_URI = "\
+ git://github.com/rhboot/shim.git \
+ file://0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch \
+"
+
+SRCREV = "a4a1fbe728c9545fc5647129df0cf1593b953bec"
+
+S = "${WORKDIR}/git"
+
+SHIM_IMAGE = "shim-${EFI_BOOT_IMAGE}"
+
+# install to the image as boot*.efi if its the EFI_PROVIDER,
+# otherwise install as the full name.
+# This allows multiple bootloaders to coexist in a single image.
+python __anonymous () {
+ if d.getVar('EFI_PROVIDER') == "shim":
+ d.setVar("SHIM_EFI_BOOT_IMAGE", d.getVar("EFI_BOOT_IMAGE"))
+ else:
+ d.setVar("SHIM_EFI_BOOT_IMAGE", d.getVar("SHIM_IMAGE"))
+}
+
+inherit deploy
+
+TUNE_CCARGS_remove = "-mfpmath=sse"
+
+EXTRA_OEMAKE = "\
+ CROSS_COMPILE="${TARGET_PREFIX}" \
+ COMPILER="gcc ${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS}" \
+ EFI_INCLUDE="${STAGING_INCDIR}/efi" \
+ EFI_PATH="${STAGING_LIBDIR}" \
+ LIBDIR="${STAGING_LIBDIR}" \
+"
+
+COMPATIBLE_HOST = "${EFI_COMPATIBLE_HOST}"
+
+require conf/image-uefi.conf
+
+do_install() {
+ install -d ${D}${EFI_FILES_PATH}
+ install -m 0755 mm${EFI_ARCH}.efi fb${EFI_ARCH}.efi ${D}${EFI_FILES_PATH}/
+ install -m 0755 shim${EFI_ARCH}.efi ${D}${EFI_FILES_PATH}/${SHIM_EFI_BOOT_IMAGE}
+}
+
+# Install the unsigned images for manual signing
+do_deploy() {
+ install -m 0755 mm${EFI_ARCH}.efi fb${EFI_ARCH}.efi ${DEPLOYDIR}
+ install -m 0755 shim${EFI_ARCH}.efi ${DEPLOYDIR}/${SHIM_IMAGE}
+}
+addtask deploy after do_install before do_build
+
+FILES_${PN} += "${EFI_FILES_PATH}"
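Review bot: The SRC_URI entry `git://github.com/rhboot/shim.git` fetches the Secure Boot first-stage loader over the unauthenticated git protocol; the pinned SRCREV limits what a tampered transport could substitute, but `git://github.com/rhboot/shim.git;protocol=https` keeps the fetch on TLS at no cost. Separately, do_install copies the freshly built, unsigned `shim${EFI_ARCH}.efi`, `mm${EFI_ARCH}.efi` and `fb${EFI_ARCH}.efi` straight into `${EFI_FILES_PATH}`, while only do_deploy carries the comment about manual signing. Nothing in EXTRA_OEMAKE supplies a vendor certificate (shim's `VENDOR_CERT_FILE`), so as far as these lines show the packaged shim is neither signed for the firmware nor built with a project key to verify the next stage. A comment above do_install stating that the packaged binaries are unsigned, and how signing and the vendor certificate are expected to be provided, would keep the recipe from being mistaken for a working Secure Boot chain.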
--
2.23.0
* Re: [PATCH v2 5/5] shim: add first-stage UEFI bootloader implementing MOK protocol
From: Khem Raj @ 2019-10-12 22:30 UTC (permalink / raw)
To: Dmitry Eremin-Solenikov
Cc: Dmitry Eremin-Solenikov, Patches and discussions about the oe-core layer
This fails on musl/clang/aarch64:
https://errors.yoctoproject.org/Errors/Details/273493/
Does it depend on gcc being the system compiler?
On Sun, Sep 29, 2019 at 1:15 PM <dbaryshkov@gmail.com> wrote:
>
> From: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
>
> Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
> ---
> ...ompareMem-on-MokListNode.Type-instea.patch | 69 ++++++++++++++++++
> meta/recipes-bsp/shim/shim_git.bb | 72 +++++++++++++++++++
> 2 files changed, 141 insertions(+)
> create mode 100644 meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch
> create mode 100644 meta/recipes-bsp/shim/shim_git.bb
>
> diff --git a/meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch b/meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch
> new file mode 100644
> index 000000000000..12ee342e9f64
> --- /dev/null
> +++ b/meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch
> @@ -0,0 +1,69 @@
> +From f30cd0b6330be8ea72a93bf25e43829c222ba611 Mon Sep 17 00:00:00 2001
> +From: Gary Lin <glin@suse.com>
> +Date: Tue, 26 Feb 2019 11:33:53 +0800
> +Subject: [PATCH] MokManager: Use CompareMem on MokListNode.Type instead of
> + CompareGuid
> +
> +Fix the errors from gcc9 '-Werror=address-of-packed-member'
> +
> +https://github.com/rhboot/shim/issues/161
> +
> +Signed-off-by: Gary Lin <glin@suse.com>
> +Upstream-Status: Submitted[https://github.com/rhboot/shim/pull/170]
> +---
> + MokManager.c | 14 +++++++++-----
> + 1 file changed, 9 insertions(+), 5 deletions(-)
> +
> +diff --git a/MokManager.c b/MokManager.c
> +index d69b4dbe..05dc1622 100644
> +--- a/MokManager.c
> ++++ b/MokManager.c
> +@@ -1053,7 +1053,8 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num,
> + continue;
> +
> + DataSize += sizeof(EFI_SIGNATURE_LIST);
> +- if (CompareGuid(&(list[i].Type), &X509_GUID) == 0)
> ++ if (CompareMem(&(list[i].Type), &X509_GUID,
> ++ sizeof(EFI_GUID)) == 0)
> + DataSize += sizeof(EFI_GUID);
> + DataSize += list[i].MokSize;
> + }
> +@@ -1075,7 +1076,8 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num,
> + CertList->SignatureType = list[i].Type;
> + CertList->SignatureHeaderSize = 0;
> +
> +- if (CompareGuid(&(list[i].Type), &X509_GUID) == 0) {
> ++ if (CompareMem(&(list[i].Type), &X509_GUID,
> ++ sizeof(EFI_GUID)) == 0) {
> + CertList->SignatureListSize = list[i].MokSize +
> + sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID);
> + CertList->SignatureSize =
> +@@ -1116,7 +1118,8 @@ static void delete_cert(void *key, UINT32 key_size,
> + int i;
> +
> + for (i = 0; i < mok_num; i++) {
> +- if (CompareGuid(&(mok[i].Type), &X509_GUID) != 0)
> ++ if (CompareMem(&(mok[i].Type), &X509_GUID,
> ++ sizeof(EFI_GUID)) != 0)
> + continue;
> +
> + if (mok[i].MokSize == key_size &&
> +@@ -1167,7 +1170,7 @@ static void delete_hash_in_list(EFI_GUID Type, UINT8 * hash, UINT32 hash_size,
> + sig_size = hash_size + sizeof(EFI_GUID);
> +
> + for (i = 0; i < mok_num; i++) {
> +- if ((CompareGuid(&(mok[i].Type), &Type) != 0) ||
> ++ if ((CompareMem(&(mok[i].Type), &Type, sizeof(EFI_GUID)) != 0) ||
> + (mok[i].MokSize < sig_size))
> + continue;
> +
> +@@ -1331,7 +1334,8 @@ static EFI_STATUS delete_keys(void *MokDel, UINTN MokDelSize, BOOLEAN MokX)
> +
> + /* Search and destroy */
> + for (i = 0; i < del_num; i++) {
> +- if (CompareGuid(&(del_key[i].Type), &X509_GUID) == 0) {
> ++ if (CompareMem(&(del_key[i].Type), &X509_GUID,
> ++ sizeof(EFI_GUID)) == 0) {
> + delete_cert(del_key[i].Mok, del_key[i].MokSize,
> + mok, mok_num);
> + } else if (is_sha2_hash(del_key[i].Type)) {
> diff --git a/meta/recipes-bsp/shim/shim_git.bb b/meta/recipes-bsp/shim/shim_git.bb
> new file mode 100644
> index 000000000000..10769ac75a0a
> --- /dev/null
> +++ b/meta/recipes-bsp/shim/shim_git.bb
> @@ -0,0 +1,72 @@
> +SUMMARY = "shim is a first stage EFI bootloader."
> +DESCRIPTION = "shim is a trivial EFI application that, when run, \
> +attempts to open and execute another application. It will initially \
> +attempt to do this via the standard EFI LoadImage() and StartImage() \
> +calls. If these fail (because secure boot is enabled and the binary \
> +is not signed with an appropriate key, for instance) it will then \
> +validate the binary against a built-in certificate. If this succeeds \
> +and if the binary or signing key are not blacklisted then shim will \
> +relocate and execute the binary."
> +HOMEPAGE = "https://github.com/rhboot/shim.git"
> +SECTION = "bootloaders"
> +
> +LICENSE = "BSD-2-Clause"
> +LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=b92e63892681ee4e8d27e7a7e87ef2bc"
> +
> +DEPENDS += "\
> + gnu-efi \
> +"
> +
> +PV = "15+git${SRCPV}"
> +
> +SRC_URI = "\
> + git://github.com/rhboot/shim.git \
> + file://0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch \
> +"
> +
> +SRCREV = "a4a1fbe728c9545fc5647129df0cf1593b953bec"
> +
> +S = "${WORKDIR}/git"
> +
> +SHIM_IMAGE = "shim-${EFI_BOOT_IMAGE}"
> +
> +# install to the image as boot*.efi if its the EFI_PROVIDER,
> +# otherwise install as the full name.
> +# This allows multiple bootloaders to coexist in a single image.
> +python __anonymous () {
> + if d.getVar('EFI_PROVIDER') == "shim":
> + d.setVar("SHIM_EFI_BOOT_IMAGE", d.getVar("EFI_BOOT_IMAGE"))
> + else:
> + d.setVar("SHIM_EFI_BOOT_IMAGE", d.getVar("SHIM_IMAGE"))
> +}
> +
> +inherit deploy
> +
> +TUNE_CCARGS_remove = "-mfpmath=sse"
> +
> +EXTRA_OEMAKE = "\
> + CROSS_COMPILE="${TARGET_PREFIX}" \
> + COMPILER="gcc ${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS}" \
> + EFI_INCLUDE="${STAGING_INCDIR}/efi" \
> + EFI_PATH="${STAGING_LIBDIR}" \
> + LIBDIR="${STAGING_LIBDIR}" \
> +"
> +
> +COMPATIBLE_HOST = "${EFI_COMPATIBLE_HOST}"
> +
> +require conf/image-uefi.conf
> +
> +do_install() {
> + install -d ${D}${EFI_FILES_PATH}
> + install -m 0755 mm${EFI_ARCH}.efi fb${EFI_ARCH}.efi ${D}${EFI_FILES_PATH}/
> + install -m 0755 shim${EFI_ARCH}.efi ${D}${EFI_FILES_PATH}/${SHIM_EFI_BOOT_IMAGE}
> +}
> +
> +# Install the unsigned images for manual signing
> +do_deploy() {
> + install -m 0755 mm${EFI_ARCH}.efi fb${EFI_ARCH}.efi ${DEPLOYDIR}
> + install -m 0755 shim${EFI_ARCH}.efi ${DEPLOYDIR}/${SHIM_IMAGE}
> +}
> +addtask deploy after do_install before do_build
> +
> +FILES_${PN} += "${EFI_FILES_PATH}"
> --
> 2.23.0
>