
Move efitools & sbsigntool recipes from meta-secure-core #883

546 changes: 546 additions & 0 deletions meta-oe/classes/user-key-store.bbclass


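--- a/meta-oe/recipes-bsp/efitools/efitools-native_1.9.2.bb
+++ b/meta-oe/recipes-bsp/efitools/efitools-native_1.9.2.bb
@@ -0,0 +1,10 @@
+require efitools.inc
+
+inherit native
+
+DEPENDS:append = " gnu-efi-native"
+
+EXTRA_OEMAKE:append = " \
+INCDIR_PREFIX='${STAGING_DIR_NATIVE}' \
+CRTPATH_PREFIX='${STAGING_DIR_NATIVE}' \
+"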
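--- a/meta-oe/recipes-bsp/efitools/efitools.inc
+++ b/meta-oe/recipes-bsp/efitools/efitools.inc
@@ -0,0 +1,86 @@
+SUMMARY = "Tools to support reading and manipulating the UEFI signature database"
+DESCRIPTION = "\
+From the EFI Tools package in the Linux user-space, it's now possible \
+to read and manipulate the UEFI signatures database via the new \
+efi-readvar and efi-updatevar commands. Aside from needing efitools \
+1.4, the EFIVARFS file-system is also needed, which was only introduced \
+in the Linux 3.8 kernel. \
+"
+
+LICENSE = "GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://COPYING;md5=e28f66b16cb46be47b20a4cdfe6e99a1"
+
+SRC_URI = "\
+git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git;branch=master \
+file://0001-Fix-for-the-cross-compilation.patch \
+file://0002-Make.rules-define-_GNU_SOURCE-for-a-declaration-of-f.patch \
+file://0003-Fix-the-wrong-dependency-for-blacklist.esl.patch \
+file://0004-LockDown-run-system-warm-reset-after-the-key-provisi.patch \
+file://0005-Allow-to-override-tools-for-target-build.patch \
+file://0006-Makefile-remove-help2man-dependency.patch \
+file://0007-Add-static-keyword-for-IsValidVariableHeader.patch \
+file://0008-Dynamically-load-openssl.cnf-for-openssl-1.0.x-1.1.x.patch \
+file://0009-console.c-Fix-compilation-against-latest-usr-include.patch \
+file://0010-LockDown-enable-the-enrollment-for-DBX.patch \
+file://0011-LockDown-show-the-error-message-with-3-sec-timeout.patch \
+file://0012-Makefile-do-not-build-signed-efi-image.patch \
+file://0013-Build-DBX-by-default.patch \
+file://0014-LockDown-disable-the-entrance-into-BIOS-setup-to-re-.patch \
+file://0015-fix-segfault-for-efitools-commands.patch \
+file://0016-Make.rules-Pass-CFLAGS-to-Makefile.patch \
+file://0017-Make.rules-fix-efi-files-for-gnu-efi-3.0.18.patch \
+"
+SRCREV = "392836a46ce3c92b55dc88a1aebbcfdfc5dcddce"
+
+DEPENDS = "openssl-native sbsigntool-native \
+libfile-slurp-perl-native \
+"
+
+PARALLEL_MAKE = ""
+
+COMPATIBLE_HOST = '(i.86|x86_64|aarch64).*-linux'
+
+S = "${WORKDIR}/git"
+
+inherit perlnative
+
+EXTRA_OEMAKE = "\
+OPENSSL='${STAGING_BINDIR_NATIVE}/openssl' \
+SBSIGN='${STAGING_BINDIR_NATIVE}/sbsign' \
+NM='${NM}' AR='${AR}' \
+OPENSSL_LIB='${STAGING_LIBDIR_NATIVE}' \
+EXTRA_LDFLAGS='${LDFLAGS}' \
+CFLAGS='${CFLAGS}' \
+OBJCOPY='${OBJCOPY}' \
+"
+EXTRA_OEMAKE:append:x86 = " ARCH=ia32"
+EXTRA_OEMAKE:append:x86-64 = " ARCH=x86_64"
+EXTRA_OEMAKE:append:aarch64 = " ARCH=aarch64"
+
+EFI_BOOT_PATH = "/boot/efi/EFI/BOOT"
+
+do_compile:prepend() {
+sed -i -e "1s:#!.*:#!/usr/bin/env nativeperl:" xxdi.pl
+}
+
+do_install() {
+oe_runmake install DESTDIR='${D}${base_prefix}'
+}
+
+fakeroot python do_sign:class-target() {
+if d.getVar('GRUB_SIGN_VERIFY') != '1':
+return
+
+image_dir = d.getVar('D')
+efi_boot_path = d.getVar('EFI_BOOT_PATH')
+uks_boot_sign(os.path.join(image_dir + efi_boot_path, 'LockDown.efi'), d)
+}
+addtask sign after do_install before do_deploy do_package
+do_sign[prefuncs] += "${@'check_boot_public_key' if d.getVar('GRUB_SIGN_VERIFY') == '1' else ''}"
+
+fakeroot python do_sign() {
+}
+
+FILES:${PN} += "${EFI_BOOT_PATH}"
+
+SSTATE_ALLOW_OVERLAP_FILES += "${DEPLOY_DIR_IMAGE}/LockDown.efi"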
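Review bot: The git entry in SRC_URI fetches over the plaintext `git://` transport; the meta-openembedded convention for git.kernel.org sources is to add `protocol=https`, i.e. `git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git;branch=master;protocol=https`, which authenticates the server and also works on networks that block port 9418. The pinned SRCREV keeps the checked-out content from being substituted, but a failed or tampered plaintext fetch still surfaces only as a fetch error rather than being prevented. Separately, do_sign:class-target calls `uks_boot_sign` and the prefunc `check_boot_public_key`, which presumably come from the user-key-store.bbclass added in this PR, yet this file only inherits perlnative; unless the target recipe (not in view) does `inherit user-key-store`, do_sign raises a NameError as soon as GRUB_SIGN_VERIFY is '1'. `PARALLEL_MAKE = ""` would also benefit from a one-line comment naming the race it works around, since disabling parallel make for a signing-tool build is otherwise a surprising choice.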
@@ -0,0 +1,184 @@
From 2e42e857584bd06541daf3fa79db84af30d11de4 Mon Sep 17 00:00:00 2001
From: Lans Zhang <jia.zhang@windriver.com>
Date: Tue, 15 Mar 2016 21:28:33 +0800
Subject: [PATCH] Fix for the cross compilation

Upstream-Status: Inappropriate [embedded specific]

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
---
Make.rules | 48 ++++++++++++++++++++++++++----------------------
Makefile | 18 +++++++++---------
2 files changed, 35 insertions(+), 31 deletions(-)

diff --git a/Make.rules b/Make.rules
index 903a5a4..65a634c 100644
--- a/Make.rules
+++ b/Make.rules
@@ -13,21 +13,25 @@ ARCH3264 =
else
$(error unknown architecture $(ARCH))
endif
-INCDIR = -I$(TOPDIR)include/ -I/usr/include/efi -I/usr/include/efi/$(ARCH) -I/usr/include/efi/protocol
-CPPFLAGS = -DCONFIG_$(ARCH)
-CFLAGS = -O2 -g $(ARCH3264) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -fno-stack-protector -ffreestanding -fno-stack-check
-LDFLAGS = -nostdlib
+INCDIR = -I$(TOPDIR)include/ -I$(INCDIR_PREFIX)/usr/include -I$(INCDIR_PREFIX)/usr/include/efi -I$(INCDIR_PREFIX)/usr/include/efi/$(ARCH) -I$(INCDIR_PREFIX)/usr/include/efi/protocol
+cppflags = -DCONFIG_$(ARCH)
+cflags = -O2 -g $(ARCH3264) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -fno-stack-protector -ffreestanding -fno-stack-check
+ldflags = -nostdlib
CRTOBJ = crt0-efi-$(ARCH).o
CRTPATHS = /lib /lib64 /lib/efi /lib64/efi /usr/lib /usr/lib64 /usr/lib/efi /usr/lib64/efi /usr/lib/gnuefi /usr/lib64/gnuefi
-CRTPATH = $(shell for f in $(CRTPATHS); do if [ -e $$f/$(CRTOBJ) ]; then echo $$f; break; fi; done)
+CRTPATH = $(shell for f in $(CRTPATHS); do if [ -e $(CRTPATH_PREFIX)/$$f/$(CRTOBJ) ]; then echo $(CRTPATH_PREFIX)/$$f; break; fi; done)
CRTOBJS = $(CRTPATH)/$(CRTOBJ)
# there's a bug in the gnu tools ... the .reloc section has to be
# aligned otherwise the file alignment gets screwed up
LDSCRIPT = elf_$(ARCH)_efi.lds
-LDFLAGS += -shared -Bsymbolic $(CRTOBJS) -L $(CRTPATH) -L /usr/lib -L /usr/lib64 -T $(LDSCRIPT)
+ldflags += -shared -Bsymbolic $(CRTOBJS) -L $(CRTPATH) -T $(LDSCRIPT)
LOADLIBES = -lefi -lgnuefi $(shell $(CC) $(ARCH3264) -print-libgcc-file-name)
FORMAT = --target=efi-app-$(ARCH)
OBJCOPY = objcopy
+NM = nm
+AR = ar
+OPENSSL = openssl
+SBSIGN = sbsign
MYGUID = 11111111-2222-3333-4444-123456789abc
INSTALL = install
BINDIR = $(DESTDIR)/usr/bin
@@ -36,23 +40,23 @@ EFIDIR = $(DESTDIR)/usr/share/efitools/efi
DOCDIR = $(DESTDIR)/usr/share/efitools

# globally use EFI calling conventions (requires gcc >= 4.7)
-CFLAGS += -DGNU_EFI_USE_MS_ABI
+cflags += -DGNU_EFI_USE_MS_ABI

ifeq ($(ARCH),x86_64)
- CFLAGS += -DEFI_FUNCTION_WRAPPER -mno-red-zone
+ cflags += -DEFI_FUNCTION_WRAPPER -mno-red-zone
endif

ifeq ($(ARCH),ia32)
- CFLAGS += -mno-red-zone
+ cflags += -mno-red-zone
endif

ifeq ($(ARCH),arm)
- LDFLAGS += --defsym=EFI_SUBSYSTEM=0x0a
+ ldflags += --defsym=EFI_SUBSYSTEM=0x0a
FORMAT = -O binary
endif

ifeq ($(ARCH),aarch64)
- LDFLAGS += --defsym=EFI_SUBSYSTEM=0x0a
+ ldflags += --defsym=EFI_SUBSYSTEM=0x0a
FORMAT = -O binary
endif

@@ -61,9 +65,9 @@ endif
-j .rel -j .rela -j .rel.* -j .rela.* -j .rel* -j .rela* \
-j .reloc $(FORMAT) $*.so $@
%.so: %.o
- $(LD) $(LDFLAGS) $^ -o $@ $(LOADLIBES)
+ $(LD) $(ldflags) $^ -o $@ $(LOADLIBES)
# check we have no undefined symbols
- nm -D $@ | grep ' U ' && exit 1 || exit 0
+ ${NM} -D $@ | grep ' U ' && exit 1 || exit 0

%.h: %.auth
./xxdi.pl $< > $@
@@ -99,28 +103,28 @@ getvar = $(shell if [ "$(1)" = "PK" -o "$(1)" = "KEK" ]; then echo $(1); else ec
./sign-efi-sig-list -a -c PK.crt -k PK.key dbx $< $@

%.o: %.c
- $(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -c $< -o $@
+ $(CC) $(INCDIR) $(cflags) $(cppflags) -c $< -o $@

%.efi.o: %.c
- $(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -fno-toplevel-reorder -DBUILD_EFI -c $< -o $@
+ $(CC) $(INCDIR) $(cflags) $(cppflags) -fno-toplevel-reorder -DBUILD_EFI -c $< -o $@

%.efi.s: %.c
- $(CC) -S $(INCDIR) $(CFLAGS) $(CPPFLAGS) -fno-toplevel-reorder -DBUILD_EFI -c $< -o $@
+ $(CC) -S $(INCDIR) $(cflags) $(cppflags) -fno-toplevel-reorder -DBUILD_EFI -c $< -o $@

%.crt:
- openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$*/" -keyout $*.key -out $@ -days 3650 -nodes -sha256
+ $(OPENSSL) req -new -x509 -newkey rsa:2048 -subj "/CN=$*/" -keyout $*.key -out $@ -days 3650 -nodes -sha256

%.cer: %.crt
- openssl x509 -in $< -out $@ -outform DER
+ $(OPENSSL) x509 -in $< -out $@ -outform DER

%-subkey.csr:
- openssl req -new -newkey rsa:2048 -keyout $*-subkey.key -subj "/CN=Subkey $* of KEK/" -out $@ -nodes
+ $(OPENSSL) req -new -newkey rsa:2048 -keyout $*-subkey.key -subj "/CN=Subkey $* of KEK/" -out $@ -nodes

%-subkey.crt: %-subkey.csr KEK.crt
- openssl x509 -req -in $< -CA DB.crt -CAkey DB.key -set_serial 1 -out $@ -days 365
+ $(OPENSSL) x509 -req -in $< -CA DB.crt -CAkey DB.key -set_serial 1 -out $@ -days 365

%-signed.efi: %.efi DB.crt
- sbsign --key DB.key --cert DB.crt --output $@ $<
+ $(SBSIGN) --key DB.key --cert DB.crt --output $@ $<

##
# No need for KEK signing
@@ -129,7 +133,7 @@ getvar = $(shell if [ "$(1)" = "PK" -o "$(1)" = "KEK" ]; then echo $(1); else ec
# sbsign --key KEK.key --cert KEK.crt --output $@ $<

%.a:
- ar rcv $@ $^
+ $(AR) rcv $@ $^

doc/%.1: doc/%.1.in %
$(HELP2MAN) --no-info -i $< -o $@ ./$*
diff --git a/Makefile b/Makefile
index 7d471da..124c2aa 100644
--- a/Makefile
+++ b/Makefile
@@ -88,31 +88,31 @@ HelloWorld.so: lib/lib-efi.a
ShimReplace.so: lib/lib-efi.a

cert-to-efi-sig-list: cert-to-efi-sig-list.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto
+ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) lib/lib.a -lcrypto

sig-list-to-certs: sig-list-to-certs.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto
+ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) lib/lib.a -lcrypto

sign-efi-sig-list: sign-efi-sig-list.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto
+ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) lib/lib.a -lcrypto

hash-to-efi-sig-list: hash-to-efi-sig-list.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a
+ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) lib/lib.a

cert-to-efi-hash-list: cert-to-efi-hash-list.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto
+ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) lib/lib.a -lcrypto

efi-keytool: efi-keytool.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a
+ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) lib/lib.a

efi-readvar: efi-readvar.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto
+ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) lib/lib.a -lcrypto

efi-updatevar: efi-updatevar.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto
+ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) lib/lib.a -lcrypto

flash-var: flash-var.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a
+ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) lib/lib.a

clean:
rm -f PK.* KEK.* DB.* $(EFIFILES) $(EFISIGNED) $(BINARIES) *.o *.so
--
2.25.1

@@ -0,0 +1,28 @@
From 410e12bf3f917581d1da54cdc760e4618f7589cf Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@windriver.com>
Date: Sat, 24 Jun 2023 14:58:14 +0800
Subject: [PATCH] Make.rules: define _GNU_SOURCE for a declaration of function

Upstream-Status: Pending

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
Make.rules | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Make.rules b/Make.rules
index 65a634c..66d63f0 100644
--- a/Make.rules
+++ b/Make.rules
@@ -14,7 +14,7 @@ else
$(error unknown architecture $(ARCH))
endif
INCDIR = -I$(TOPDIR)include/ -I$(INCDIR_PREFIX)/usr/include -I$(INCDIR_PREFIX)/usr/include/efi -I$(INCDIR_PREFIX)/usr/include/efi/$(ARCH) -I$(INCDIR_PREFIX)/usr/include/efi/protocol
-cppflags = -DCONFIG_$(ARCH)
+cppflags = -DCONFIG_$(ARCH) -D_GNU_SOURCE
cflags = -O2 -g $(ARCH3264) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -fno-stack-protector -ffreestanding -fno-stack-check
ldflags = -nostdlib
CRTOBJ = crt0-efi-$(ARCH).o
--
2.25.1

@@ -0,0 +1,28 @@
From 2d9f8f766278c092426c9c0f1db5a5fd77dfed8c Mon Sep 17 00:00:00 2001
From: Lans Zhang <jia.zhang@windriver.com>
Date: Tue, 15 Mar 2016 21:07:31 +0800
Subject: [PATCH] Fix the wrong dependency for %-blacklist.esl

Upstream-Status: Pending

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
---
Make.rules | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Make.rules b/Make.rules
index 66d63f0..fed93b9 100644
--- a/Make.rules
+++ b/Make.rules
@@ -75,7 +75,7 @@ endif
%.hash: %.efi hash-to-efi-sig-list
./hash-to-efi-sig-list $< $@

-%-blacklist.esl: %.crt cert-to-efi-hash-list
+%-blacklist.esl: %.crt cert-to-efi-sig-list
./cert-to-efi-sig-list $< $@

%-hash-blacklist.esl: %.crt cert-to-efi-hash-list
--
2.25.1

@@ -0,0 +1,44 @@
From 59e05fa48aa32cbe044e597d3d3e6707c1ad6ee9 Mon Sep 17 00:00:00 2001
From: Lans Zhang <jia.zhang@windriver.com>
Date: Fri, 25 Mar 2016 10:52:34 +0800
Subject: [PATCH] LockDown: run system warm reset after the key provision
success

In addition, BIOS would stop at its setup screen. The end user can thus
enable UEFI secure boot immediately.

Upstream-Status: Inappropriate [embedded specific]

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
---
LockDown.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)

diff --git a/LockDown.c b/LockDown.c
index 29df9de..821985c 100644
--- a/LockDown.c
+++ b/LockDown.c
@@ -99,5 +99,20 @@ efi_main (EFI_HANDLE image, EFI_SYSTEM_TABLE *systab)
}
Print(L"Platform %s set to boot securely\n", SecureBoot ? L"is" : L"is not");

+ /* Reset system to go back the real UEFI secure boot flow.
+ * If SecureBoot is still false, the user needs to turn on
+ * UEFI secure boot in BIOS setup.
+ */
+ Print(L"Prepare to execute system warm reset after 3 seconds ...\n");
+ if (!SecureBoot)
+ Print(L"After warm reset, enter to BIOS setup to enable UEFI Secure Boot.\n");
+
+ BS->Stall(3000000);
+
+ if (!SecureBoot)
+ SETOSIndicationsAndReboot(EFI_OS_INDICATIONS_BOOT_TO_FW_UI);
+ else
+ RT->ResetSystem(EfiResetWarm, EFI_SUCCESS, 0, NULL);
+
return EFI_SUCCESS;
}
--
2.25.1

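Review bot: The `if (!SecureBoot)` branch assumes `SETOSIndicationsAndReboot(EFI_OS_INDICATIONS_BOOT_TO_FW_UI)` never returns; if that helper can return on a platform whose OsIndicationsSupported lacks the boot-to-firmware-UI bit, control falls through to `return EFI_SUCCESS` and the keys-enrolled-but-Secure-Boot-still-off state is reported as success with no reset at all. A fallback after the call, `RT->ResetSystem(EfiResetWarm, EFI_SUCCESS, 0, NULL);`, would make both branches end in a reset, and a comment such as `/* SETOSIndicationsAndReboot() is expected not to return */` would record the assumption either way. efi_main begins outside this hunk and SETOSIndicationsAndReboot is defined elsewhere, so whether it can return is not visible here.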