[OE-core] [PATCH v2 5/5] shim: add first-stage UEFI bootloader implementing MOK protocol

Khem Raj raj.khem at gmail.com
Sat Oct 12 22:30:23 UTC 2019


This fails to build on musl/clang/aarch64:
https://errors.yoctoproject.org/Errors/Details/273493/

Does the recipe depend on gcc being the system compiler?

On Sun, Sep 29, 2019 at 1:15 PM <dbaryshkov at gmail.com> wrote:
>
> From: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov at mentor.com>
>
> Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov at mentor.com>
> ---
>  ...ompareMem-on-MokListNode.Type-instea.patch | 69 ++++++++++++++++++
>  meta/recipes-bsp/shim/shim_git.bb             | 72 +++++++++++++++++++
>  2 files changed, 141 insertions(+)
>  create mode 100644 meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch
>  create mode 100644 meta/recipes-bsp/shim/shim_git.bb
>
> diff --git a/meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch b/meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch
> new file mode 100644
> index 000000000000..12ee342e9f64
> --- /dev/null
> +++ b/meta/recipes-bsp/shim/shim/0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch
> @@ -0,0 +1,69 @@
> +From f30cd0b6330be8ea72a93bf25e43829c222ba611 Mon Sep 17 00:00:00 2001
> +From: Gary Lin <glin at suse.com>
> +Date: Tue, 26 Feb 2019 11:33:53 +0800
> +Subject: [PATCH] MokManager: Use CompareMem on MokListNode.Type instead of
> + CompareGuid
> +
> +Fix the errors from gcc9 '-Werror=address-of-packed-member'
> +
> +https://github.com/rhboot/shim/issues/161
> +
> +Signed-off-by: Gary Lin <glin at suse.com>
> +Upstream-Status: Submitted[https://github.com/rhboot/shim/pull/170]
> +---
> + MokManager.c | 14 +++++++++-----
> + 1 file changed, 9 insertions(+), 5 deletions(-)
> +
> +diff --git a/MokManager.c b/MokManager.c
> +index d69b4dbe..05dc1622 100644
> +--- a/MokManager.c
> ++++ b/MokManager.c
> +@@ -1053,7 +1053,8 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num,
> +                       continue;
> +
> +               DataSize += sizeof(EFI_SIGNATURE_LIST);
> +-              if (CompareGuid(&(list[i].Type), &X509_GUID) == 0)
> ++              if (CompareMem(&(list[i].Type), &X509_GUID,
> ++                             sizeof(EFI_GUID)) == 0)
> +                       DataSize += sizeof(EFI_GUID);
> +               DataSize += list[i].MokSize;
> +       }
> +@@ -1075,7 +1076,8 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num,
> +               CertList->SignatureType = list[i].Type;
> +               CertList->SignatureHeaderSize = 0;
> +
> +-              if (CompareGuid(&(list[i].Type), &X509_GUID) == 0) {
> ++              if (CompareMem(&(list[i].Type), &X509_GUID,
> ++                             sizeof(EFI_GUID)) == 0) {
> +                       CertList->SignatureListSize = list[i].MokSize +
> +                           sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID);
> +                       CertList->SignatureSize =
> +@@ -1116,7 +1118,8 @@ static void delete_cert(void *key, UINT32 key_size,
> +       int i;
> +
> +       for (i = 0; i < mok_num; i++) {
> +-              if (CompareGuid(&(mok[i].Type), &X509_GUID) != 0)
> ++              if (CompareMem(&(mok[i].Type), &X509_GUID,
> ++                             sizeof(EFI_GUID)) != 0)
> +                       continue;
> +
> +               if (mok[i].MokSize == key_size &&
> +@@ -1167,7 +1170,7 @@ static void delete_hash_in_list(EFI_GUID Type, UINT8 * hash, UINT32 hash_size,
> +       sig_size = hash_size + sizeof(EFI_GUID);
> +
> +       for (i = 0; i < mok_num; i++) {
> +-              if ((CompareGuid(&(mok[i].Type), &Type) != 0) ||
> ++              if ((CompareMem(&(mok[i].Type), &Type, sizeof(EFI_GUID)) != 0) ||
> +                   (mok[i].MokSize < sig_size))
> +                       continue;
> +
> +@@ -1331,7 +1334,8 @@ static EFI_STATUS delete_keys(void *MokDel, UINTN MokDelSize, BOOLEAN MokX)
> +
> +       /* Search and destroy */
> +       for (i = 0; i < del_num; i++) {
> +-              if (CompareGuid(&(del_key[i].Type), &X509_GUID) == 0) {
> ++              if (CompareMem(&(del_key[i].Type), &X509_GUID,
> ++                             sizeof(EFI_GUID)) == 0) {
> +                       delete_cert(del_key[i].Mok, del_key[i].MokSize,
> +                                   mok, mok_num);
> +               } else if (is_sha2_hash(del_key[i].Type)) {
> diff --git a/meta/recipes-bsp/shim/shim_git.bb b/meta/recipes-bsp/shim/shim_git.bb
> new file mode 100644
> index 000000000000..10769ac75a0a
> --- /dev/null
> +++ b/meta/recipes-bsp/shim/shim_git.bb
> @@ -0,0 +1,72 @@
> +SUMMARY = "shim is a first stage EFI bootloader."
> +DESCRIPTION = "shim is a trivial EFI application that, when run, \
> +attempts to open and execute another application. It will initially \
> +attempt to do this via the standard EFI LoadImage() and StartImage() \
> +calls. If these fail (because secure boot is enabled and the binary \
> +is not signed with an appropriate key, for instance) it will then \
> +validate the binary against a built-in certificate. If this succeeds \
> +and if the binary or signing key are not blacklisted then shim will \
> +relocate and execute the binary."
> +HOMEPAGE = "https://github.com/rhboot/shim.git"
> +SECTION = "bootloaders"
> +
> +LICENSE = "BSD-2-Clause"
> +LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=b92e63892681ee4e8d27e7a7e87ef2bc"
> +
> +DEPENDS += "\
> +    gnu-efi \
> +"
> +
> +PV = "15+git${SRCPV}"
> +
> +SRC_URI = "\
> +    git://github.com/rhboot/shim.git \
> +    file://0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch \
> +"
> +
> +SRCREV = "a4a1fbe728c9545fc5647129df0cf1593b953bec"
> +
> +S = "${WORKDIR}/git"
> +
> +SHIM_IMAGE = "shim-${EFI_BOOT_IMAGE}"
> +
> +# install to the image as boot*.efi if its the EFI_PROVIDER,
> +# otherwise install as the full name.
> +# This allows multiple bootloaders to coexist in a single image.
> +python __anonymous () {
> +    if d.getVar('EFI_PROVIDER') == "shim":
> +        d.setVar("SHIM_EFI_BOOT_IMAGE", d.getVar("EFI_BOOT_IMAGE"))
> +    else:
> +        d.setVar("SHIM_EFI_BOOT_IMAGE", d.getVar("SHIM_IMAGE"))
> +}
> +
> +inherit deploy
> +
> +TUNE_CCARGS_remove = "-mfpmath=sse"
> +
> +EXTRA_OEMAKE = "\
> +    CROSS_COMPILE="${TARGET_PREFIX}" \
> +    COMPILER="gcc ${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS}" \
> +    EFI_INCLUDE="${STAGING_INCDIR}/efi" \
> +    EFI_PATH="${STAGING_LIBDIR}" \
> +    LIBDIR="${STAGING_LIBDIR}" \
> +"
> +
> +COMPATIBLE_HOST = "${EFI_COMPATIBLE_HOST}"
> +
> +require conf/image-uefi.conf
> +
> +do_install() {
> +    install -d ${D}${EFI_FILES_PATH}
> +    install -m 0755 mm${EFI_ARCH}.efi fb${EFI_ARCH}.efi ${D}${EFI_FILES_PATH}/
> +    install -m 0755 shim${EFI_ARCH}.efi ${D}${EFI_FILES_PATH}/${SHIM_EFI_BOOT_IMAGE}
> +}
> +
> +# Install the unsigned images for manual signing
> +do_deploy() {
> +    install -m 0755 mm${EFI_ARCH}.efi fb${EFI_ARCH}.efi ${DEPLOYDIR}
> +    install -m 0755 shim${EFI_ARCH}.efi ${DEPLOYDIR}/${SHIM_IMAGE}
> +}
> +addtask deploy after do_install before do_build
> +
> +FILES_${PN} += "${EFI_FILES_PATH}"
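Review bot: Nothing in EXTRA_OEMAKE (the COMPILER=/EFI_PATH=/LIBDIR= lines) passes a VENDOR_CERT_FILE, so if shim's Makefile is left at its defaults the built shim embeds no vendor certificate, and the "validate the binary against a built-in certificate" step that DESCRIPTION promises cannot happen — verification of the second-stage loader then rests entirely on db/MOK entries, which is a weaker and less obvious trust chain than the recipe text suggests. That should be stated next to the "unsigned images" comment above do_deploy, e.g. `# No VENDOR_CERT_FILE is passed to shim's Makefile, so this shim carries no embedded vendor certificate; the second stage must be signed by a db or MOK key. Override EXTRA_OEMAKE with VENDOR_CERT_FILE=<cert.der> to embed one.` Separately, SRC_URI fetches over cleartext, unauthenticated `git://`; the pinned SRCREV gives commit-hash integrity, but `git://github.com/rhboot/shim.git;protocol=https` is the safer form for a Secure Boot component.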
> --
> 2.23.0
>

