[isar-cip-core][PATCH 0/4] Fix EFI Boot Guard for aarch64

[isar-cip-core][PATCH 0/4] Fix EFI Boot Guard for aarch64

[Jan Kiszka]

This is unfortunately not yet stressed in isar-cip-core itself (someone
should add a non-secure SWUpdate via U-Boot UEFI first), so it was only
found while trying to enable a layer that uses isar-cip-core. But to
move forward, I'm pushing the fixes already.

Jan

Jan Kiszka (4):
  shtab: Fix cross build
  shtab: Fix PYBUILD_NAME
  efibootguard: Fix non-x86 builds
  efibootguard: Fix plugins for aarch64

 recipes-bsp/efibootguard/efibootguard_0.10.bb | 17 +++++++++--
 .../0001-configure-Fix-aarch64-EFI-arch.patch | 28 +++++++++++++++++++
 ....install => efibootguard-dev.install.tmpl} |  3 +-
 recipes-python/shtab/files/rules              |  2 +-
 recipes-python/shtab/python3-shtab_1.4.2.bb   |  2 +-
 .../wic/plugins/source/efibootguard-boot.py   | 11 ++++++--
 .../wic/plugins/source/efibootguard-efi.py    |  2 +-
 7 files changed, 55 insertions(+), 10 deletions(-)
 create mode 100644 recipes-bsp/efibootguard/files/0001-configure-Fix-aarch64-EFI-arch.patch
 rename recipes-bsp/efibootguard/files/debian/{efibootguard-dev.install => efibootguard-dev.install.tmpl} (50%)

-- 
2.34.1

[isar-cip-core][PATCH 1/4] shtab: Fix cross build

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

Not tested via isar-cip-core yet: When building python3-shtab cross, one
dependency needs a ':native' suffix due to transient dependencies on a
arch-specific package.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 recipes-python/shtab/python3-shtab_1.4.2.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-python/shtab/python3-shtab_1.4.2.bb b/recipes-python/shtab/python3-shtab_1.4.2.bb
index eb5feda..ce83d6b 100644
--- a/recipes-python/shtab/python3-shtab_1.4.2.bb
+++ b/recipes-python/shtab/python3-shtab_1.4.2.bb
@@ -24,7 +24,7 @@ DEBIAN_BUILD_DEPENDS = " \
     dh-python, \
     python3-all, \
     python3-setuptools, \
-    python3-setuptools-scm, \
+    python3-setuptools-scm:native, \
     "
 
 DEB_BUILD_PROFILES = "nocheck"
-- 
2.34.1

[isar-cip-core][PATCH 2/4] shtab: Fix PYBUILD_NAME

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

Copy&pasted from meta-coral. Seems to have had only cosmetic impact.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 recipes-python/shtab/files/rules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-python/shtab/files/rules b/recipes-python/shtab/files/rules
index 43ba686..2dd07b2 100755
--- a/recipes-python/shtab/files/rules
+++ b/recipes-python/shtab/files/rules
@@ -11,7 +11,7 @@
 
 export DH_VERBOSE=1
 export PYBUILD_VERBOSE=1
-export PYBUILD_NAME=pasta
+export PYBUILD_NAME=shtab
 
 ifneq ($(filter nocheck,$(DEB_BUILD_PROFILES)),)
 export PYBUILD_DISABLE=test
-- 
2.34.1

[isar-cip-core][PATCH 3/4] efibootguard: Fix non-x86 builds

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

The libc6-dev-i386 package is obviously x86-only.

Furthermore, the installation path must use DEB_HOST_MULTIARCH in order
to drop libebgenv.a in the right folder. This might have been already
broken for i386. As we still support buster, templating is needed to
translate DEB_HOST_MULTIARCH. This would just work with bullseye and
compat level 13 + dh-exec.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 recipes-bsp/efibootguard/efibootguard_0.10.bb    | 16 +++++++++++++---
 ...dev.install => efibootguard-dev.install.tmpl} |  3 +--
 2 files changed, 14 insertions(+), 5 deletions(-)
 rename recipes-bsp/efibootguard/files/debian/{efibootguard-dev.install => efibootguard-dev.install.tmpl} (50%)

diff --git a/recipes-bsp/efibootguard/efibootguard_0.10.bb b/recipes-bsp/efibootguard/efibootguard_0.10.bb
index 7d09c85..b0877d0 100644
--- a/recipes-bsp/efibootguard/efibootguard_0.10.bb
+++ b/recipes-bsp/efibootguard/efibootguard_0.10.bb
@@ -26,12 +26,22 @@ PROVIDES = "${PN}"
 PROVIDES += "${PN}-dev"
 
 DEPENDS = "python3-shtab"
-BUILD_DEB_DEPENDS = "dh-exec,gnu-efi,libpci-dev,check,pkg-config,libc6-dev-i386,python3-shtab"
+BUILD_DEB_DEPENDS = "dh-exec,gnu-efi,libpci-dev,check,pkg-config,python3-shtab"
+BUILD_DEB_DEPENDS_append_amd64 = ",libc6-dev-i386"
+BUILD_DEB_DEPENDS_append_i386 = ",libc6-dev-i386"
 
 inherit dpkg
 
-TEMPLATE_FILES = "debian/control.tmpl"
-TEMPLATE_VARS += "DESCRIPTION_DEV BUILD_DEB_DEPENDS"
+# needed for buster, bullseye could use compat >= 13
+python() {
+    arch = d.getVar('DISTRO_ARCH')
+    cmd = 'dpkg-architecture -a {} -q DEB_HOST_MULTIARCH'.format(arch)
+    with os.popen(cmd) as proc:
+        d.setVar('DEB_HOST_MULTIARCH', proc.read())
+}
+
+TEMPLATE_FILES = "debian/control.tmpl debian/efibootguard-dev.install.tmpl"
+TEMPLATE_VARS += "DESCRIPTION_DEV BUILD_DEB_DEPENDS DEB_HOST_MULTIARCH"
 
 do_prepare_build() {
     cp -R ${WORKDIR}/debian ${S}
diff --git a/recipes-bsp/efibootguard/files/debian/efibootguard-dev.install b/recipes-bsp/efibootguard/files/debian/efibootguard-dev.install.tmpl
similarity index 50%
rename from recipes-bsp/efibootguard/files/debian/efibootguard-dev.install
rename to recipes-bsp/efibootguard/files/debian/efibootguard-dev.install.tmpl
index 7b45bd8..948019a 100644
--- a/recipes-bsp/efibootguard/files/debian/efibootguard-dev.install
+++ b/recipes-bsp/efibootguard/files/debian/efibootguard-dev.install.tmpl
@@ -1,3 +1,2 @@
 include/ebgenv.h usr/include/efibootguard
-libebgenv.a usr/lib/x86_64-linux-gnu
-
+libebgenv.a usr/lib/${DEB_HOST_MULTIARCH}
-- 
2.34.1

[isar-cip-core][PATCH 4/4] efibootguard: Fix plugins for aarch64

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

This requires to add a post-0.10 fix from upstream EBG and own changes
so that the right arch string is used, for the loader as well as the
stub.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 recipes-bsp/efibootguard/efibootguard_0.10.bb |  1 +
 .../0001-configure-Fix-aarch64-EFI-arch.patch | 28 +++++++++++++++++++
 .../wic/plugins/source/efibootguard-boot.py   | 11 ++++++--
 .../wic/plugins/source/efibootguard-efi.py    |  2 +-
 4 files changed, 39 insertions(+), 3 deletions(-)
 create mode 100644 recipes-bsp/efibootguard/files/0001-configure-Fix-aarch64-EFI-arch.patch

diff --git a/recipes-bsp/efibootguard/efibootguard_0.10.bb b/recipes-bsp/efibootguard/efibootguard_0.10.bb
index b0877d0..bfc0ede 100644
--- a/recipes-bsp/efibootguard/efibootguard_0.10.bb
+++ b/recipes-bsp/efibootguard/efibootguard_0.10.bb
@@ -19,6 +19,7 @@ MAINTAINER = "Jan Kiszka <jan.kiszka@siemens.com>"
 SRC_URI = " \
     https://github.com/siemens/efibootguard/archive/refs/tags/v${PV}.tar.gz;downloadfilename=efitbootguard-v${PV}.tar.gz \
     file://debian \
+    file://0001-configure-Fix-aarch64-EFI-arch.patch \
     "
 SRC_URI[sha256sum] = "4d58574a0bb8f1e56056ab0bcc2487d37e49fa147dc991e719c2ec8e20f88dd3"
 
diff --git a/recipes-bsp/efibootguard/files/0001-configure-Fix-aarch64-EFI-arch.patch b/recipes-bsp/efibootguard/files/0001-configure-Fix-aarch64-EFI-arch.patch
new file mode 100644
index 0000000..ee05e94
--- /dev/null
+++ b/recipes-bsp/efibootguard/files/0001-configure-Fix-aarch64-EFI-arch.patch
@@ -0,0 +1,28 @@
+From 3f11612fbcbd1c17988d634ecdaecf1ec241f6e0 Mon Sep 17 00:00:00 2001
+From: Jan Kiszka <jan.kiszka@siemens.com>
+Date: Mon, 21 Mar 2022 07:02:28 +0100
+Subject: [PATCH] configure: Fix aarch64 EFI arch
+
+It's aa64 here according to the UEFI spec.
+
+Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index a1a83e9..09d06d7 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -102,7 +102,7 @@ AM_COND_IF(ARCH_X86_64, [
+ 	   MACHINE_TYPE_NAME=x64])
+ 
+ AM_COND_IF(ARCH_AARCH64, [
+-	   MACHINE_TYPE_NAME=aarch64])
++	   MACHINE_TYPE_NAME=aa64])
+ 
+ AC_SUBST([ARCH])
+ AC_SUBST([MACHINE_TYPE_NAME])
+-- 
+2.34.1
+
diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py
index 05cef4e..5061629 100644
--- a/scripts/lib/wic/plugins/source/efibootguard-boot.py
+++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py
@@ -176,10 +176,17 @@ class EfibootguardBootPlugin(SourcePlugin):
     def _create_unified_kernel_image(cls, rootfs_dir, cr_workdir, cmdline,
                                      uefi_kernel, deploy_dir, kernel_image,
                                      initrd_image, source_params):
+        # we need to map the distro_arch to uefi values
+        distro_to_efi_arch = {
+            "amd64": "x64",
+            "arm64": "aa64",
+            "i386": "ia32"
+        }
         rootfs_path = rootfs_dir.get('ROOTFS_DIR')
         os_release_file = "{root}/etc/os-release".format(root=rootfs_path)
-        efistub = "{rootfs_path}/usr/lib/systemd/boot/efi/linuxx64.efi.stub"\
-            .format(rootfs_path=rootfs_path)
+        efistub = "{rootfs_path}/usr/lib/systemd/boot/efi/linux{efiarch}.stub"\
+            .format(rootfs_path=rootfs_path,
+                    efiarch=distro_to_efi_arch[get_bitbake_var("DISTRO_ARCH")])
         msger.debug("osrelease path: %s", os_release_file)
         kernel_cmdline_file = "{cr_workdir}/kernel-command-line-file.txt"\
             .format(cr_workdir=cr_workdir)
diff --git a/scripts/lib/wic/plugins/source/efibootguard-efi.py b/scripts/lib/wic/plugins/source/efibootguard-efi.py
index 9e6febe..e1411cb 100644
--- a/scripts/lib/wic/plugins/source/efibootguard-efi.py
+++ b/scripts/lib/wic/plugins/source/efibootguard-efi.py
@@ -54,7 +54,7 @@ class EfibootguardEFIPlugin(SourcePlugin):
         # we need to map the distro_arch to uefi values
         distro_to_efi_arch = {
             "amd64": "x64",
-            "arm64": "aarch64",
+            "arm64": "aa64",
             "i386": "ia32"
         }
 
-- 
2.34.1

[isar-cip-core v2][PATCH 4/4] efibootguard: Fix plugins for aarch64

[Jan Kiszka]

From: Jan Kiszka <jan.kiszka@siemens.com>

This requires to add a post-0.10 fix from upstream EBG and own changes
so that the right arch string is used, for the loader as well as the
stub.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---

Changes in v2:
 - fix a regression in the linux<arch>.efi.stub filename

 recipes-bsp/efibootguard/efibootguard_0.10.bb |  1 +
 .../0001-configure-Fix-aarch64-EFI-arch.patch | 28 +++++++++++++++++++
 .../wic/plugins/source/efibootguard-boot.py   | 11 ++++++--
 .../wic/plugins/source/efibootguard-efi.py    |  2 +-
 4 files changed, 39 insertions(+), 3 deletions(-)
 create mode 100644 recipes-bsp/efibootguard/files/0001-configure-Fix-aarch64-EFI-arch.patch

diff --git a/recipes-bsp/efibootguard/efibootguard_0.10.bb b/recipes-bsp/efibootguard/efibootguard_0.10.bb
index b0877d0..bfc0ede 100644
--- a/recipes-bsp/efibootguard/efibootguard_0.10.bb
+++ b/recipes-bsp/efibootguard/efibootguard_0.10.bb
@@ -19,6 +19,7 @@ MAINTAINER = "Jan Kiszka <jan.kiszka@siemens.com>"
 SRC_URI = " \
     https://github.com/siemens/efibootguard/archive/refs/tags/v${PV}.tar.gz;downloadfilename=efitbootguard-v${PV}.tar.gz \
     file://debian \
+    file://0001-configure-Fix-aarch64-EFI-arch.patch \
     "
 SRC_URI[sha256sum] = "4d58574a0bb8f1e56056ab0bcc2487d37e49fa147dc991e719c2ec8e20f88dd3"
 
diff --git a/recipes-bsp/efibootguard/files/0001-configure-Fix-aarch64-EFI-arch.patch b/recipes-bsp/efibootguard/files/0001-configure-Fix-aarch64-EFI-arch.patch
new file mode 100644
index 0000000..ee05e94
--- /dev/null
+++ b/recipes-bsp/efibootguard/files/0001-configure-Fix-aarch64-EFI-arch.patch
@@ -0,0 +1,28 @@
+From 3f11612fbcbd1c17988d634ecdaecf1ec241f6e0 Mon Sep 17 00:00:00 2001
+From: Jan Kiszka <jan.kiszka@siemens.com>
+Date: Mon, 21 Mar 2022 07:02:28 +0100
+Subject: [PATCH] configure: Fix aarch64 EFI arch
+
+It's aa64 here according to the UEFI spec.
+
+Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index a1a83e9..09d06d7 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -102,7 +102,7 @@ AM_COND_IF(ARCH_X86_64, [
+ 	   MACHINE_TYPE_NAME=x64])
+ 
+ AM_COND_IF(ARCH_AARCH64, [
+-	   MACHINE_TYPE_NAME=aarch64])
++	   MACHINE_TYPE_NAME=aa64])
+ 
+ AC_SUBST([ARCH])
+ AC_SUBST([MACHINE_TYPE_NAME])
+-- 
+2.34.1
+
diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py
index 05cef4e..98a327c 100644
--- a/scripts/lib/wic/plugins/source/efibootguard-boot.py
+++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py
@@ -176,10 +176,17 @@ class EfibootguardBootPlugin(SourcePlugin):
     def _create_unified_kernel_image(cls, rootfs_dir, cr_workdir, cmdline,
                                      uefi_kernel, deploy_dir, kernel_image,
                                      initrd_image, source_params):
+        # we need to map the distro_arch to uefi values
+        distro_to_efi_arch = {
+            "amd64": "x64",
+            "arm64": "aa64",
+            "i386": "ia32"
+        }
         rootfs_path = rootfs_dir.get('ROOTFS_DIR')
         os_release_file = "{root}/etc/os-release".format(root=rootfs_path)
-        efistub = "{rootfs_path}/usr/lib/systemd/boot/efi/linuxx64.efi.stub"\
-            .format(rootfs_path=rootfs_path)
+        efistub = "{rootfs_path}/usr/lib/systemd/boot/efi/linux{efiarch}.efi.stub"\
+            .format(rootfs_path=rootfs_path,
+                    efiarch=distro_to_efi_arch[get_bitbake_var("DISTRO_ARCH")])
         msger.debug("osrelease path: %s", os_release_file)
         kernel_cmdline_file = "{cr_workdir}/kernel-command-line-file.txt"\
             .format(cr_workdir=cr_workdir)
diff --git a/scripts/lib/wic/plugins/source/efibootguard-efi.py b/scripts/lib/wic/plugins/source/efibootguard-efi.py
index 9e6febe..e1411cb 100644
--- a/scripts/lib/wic/plugins/source/efibootguard-efi.py
+++ b/scripts/lib/wic/plugins/source/efibootguard-efi.py
@@ -54,7 +54,7 @@ class EfibootguardEFIPlugin(SourcePlugin):
         # we need to map the distro_arch to uefi values
         distro_to_efi_arch = {
             "amd64": "x64",
-            "arm64": "aarch64",
+            "arm64": "aa64",
             "i386": "ia32"
         }
 
-- 
2.34.1