efitools: Uprev to fix LockDown.efi for UEFI built after 2018

UEFI core builds from 2018 onward do not work with LockDown.efi's key
install: the firmware reports that the PK cannot be installed because of
how the signature header wrapping the PKCS7 data is handled.  Upstream
1.9.0 changed authenticated variable updates to use SignedData instead
of PKCS7 (see "use SignedData instead of PKCS7 for variable updates" in
the short log below), and the uprev also picks up several other minor
bug fixes listed there.

====

James Bottomley (13):
      cert-to-efi-hash-list: fix for openssl 1.1
      Version: 1.8.0
      Fix Fedora build
      Version: 1.8.1
      factor out variable signing code
      support engine based keys
      use SignedData instead of PKCS7 for variable updates
      Version: 1.9.0
      Makefile: Reverse the order of lib.a and -lcrypto
      Version: 1.9.1
      sign-efi-sig-list: add man page entry for engine option
      sha256: do not align raw section sizes
      Version: 1.9.2

pai-yi.huang (1):
      efi-updatevar: remove all authenticated attributes from signature

 Make.rules              |   6 ++---
 Makefile                |  12 +++++-----
 cert-to-efi-hash-list.c |   6 ++++-
 efi-updatevar.c         |  28 +++++++++++------------
 include/openssl_sign.h  |  10 ++++++++
 include/version.h       |   2 +-
 lib/Makefile            |   2 +-
 lib/openssl_sign.c      | 156 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 lib/sha256.c            |   8 ++++---
 sign-efi-sig-list.c     |  59 +++++++++++------------------------------------
 10 files changed, 213 insertions(+), 76 deletions(-)
 create mode 100644 include/openssl_sign.h
 create mode 100644 lib/openssl_sign.c

[ Issue: LINUXEXEC-2450 ]

Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Jason Wessel
2019-10-02 04:00:05 -07:00
committed by Jia Zhang
parent 393b80fa35
commit 1473c05286
4 changed files with 30 additions and 80 deletions


@@ -15,7 +15,7 @@ DEPENDS_append += "\
libfile-slurp-perl-native \
"
PV = "1.7.0+git${SRCPV}"
PV = "1.9.2+git${SRCPV}"
SRC_URI = "\
git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git \
@@ -29,9 +29,8 @@ SRC_URI = "\
file://Reuse-xxdi.pl.patch \
file://Add-static-keyword-for-IsValidVariableHeader.patch \
file://Dynamically-load-openssl.cnf-for-openssl-1.0.x-and-1.patch \
file://cert-to-efi-hash-list-support-to-build-with-openssl-.patch \
"
SRCREV = "0649468475d20d8ca5634433c4912467cef3ce93"
SRCREV = "392836a46ce3c92b55dc88a1aebbcfdfc5dcddce"
PARALLEL_MAKE = ""


@@ -8,11 +8,9 @@ Upstream-Status: Pending
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
---
Make.rules | 51 ++++++++++++++++++++++++++++-----------------------
Makefile | 12 ++++++------
2 files changed, 34 insertions(+), 29 deletions(-)
Makefile | 20 ++++++++++----------
2 files changed, 38 insertions(+), 33 deletions(-)
diff --git a/Make.rules b/Make.rules
index 88d5481bef6a..c794a621095b 100644
--- a/Make.rules
+++ b/Make.rules
@@ -13,21 +13,26 @@ ARCH3264 =
@@ -21,21 +19,21 @@ index 88d5481bef6a..c794a621095b 100644
endif
-INCDIR = -I$(TOPDIR)include/ -I/usr/include/efi -I/usr/include/efi/$(ARCH) -I/usr/include/efi/protocol
-CPPFLAGS = -DCONFIG_$(ARCH)
-CFLAGS = -O2 $(ARCH3264) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -fno-stack-protector -ffreestanding -fno-stack-check
-CFLAGS = -O2 -g $(ARCH3264) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -fno-stack-protector -ffreestanding -fno-stack-check
-LDFLAGS = -nostdlib
+INCDIR = -I$(TOPDIR)include/ -I$(INCDIR_PREFIX)/usr/include/efi -I$(INCDIR_PREFIX)/usr/include/efi/$(ARCH) -I$(INCDIR_PREFIX)/usr/include/efi/protocol
+INCDIR = -I$(TOPDIR)include/ -I$(INCDIR_PREFIX)/usr/include -I$(INCDIR_PREFIX)/usr/include/efi -I$(INCDIR_PREFIX)/usr/include/efi/$(ARCH) -I$(INCDIR_PREFIX)/usr/include/efi/protocol
+cppflags = -DCONFIG_$(ARCH)
+cflags = -O2 $(ARCH3264) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -fno-stack-protector -ffreestanding -fno-stack-check $(CFLAGS)
+cflags = -O2 -g $(ARCH3264) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -fno-stack-protector -ffreestanding -fno-stack-check
+ldflags = -nostdlib
CRTOBJ = crt0-efi-$(ARCH).o
CRTPATHS = /lib /lib64 /lib/efi /lib64/efi /usr/lib /usr/lib64 /usr/lib/efi /usr/lib64/efi
CRTPATHS = /lib /lib64 /lib/efi /lib64/efi /usr/lib /usr/lib64 /usr/lib/efi /usr/lib64/efi /usr/lib/gnuefi /usr/lib64/gnuefi
-CRTPATH = $(shell for f in $(CRTPATHS); do if [ -e $$f/$(CRTOBJ) ]; then echo $$f; break; fi; done)
+CRTPATH = $(shell for f in $(CRTPATHS); do if [ -e $(CRTPATH_PREFIX)/$$f/$(CRTOBJ) ]; then echo $(CRTPATH_PREFIX)/$$f; break; fi; done)
CRTOBJS = $(CRTPATH)/$(CRTOBJ)
# there's a bug in the gnu tools ... the .reloc section has to be
# aligned otherwise the file alignment gets screwed up
LDSCRIPT = elf_$(ARCH)_efi.lds
-LDFLAGS += -shared -Bsymbolic $(CRTOBJS) -L $(CRTPATH) -T $(LDSCRIPT)
-LDFLAGS += -shared -Bsymbolic $(CRTOBJS) -L $(CRTPATH) -L /usr/lib -L /usr/lib64 -T $(LDSCRIPT)
+ldflags += -shared -Bsymbolic $(CRTOBJS) -L $(CRTPATH) -T $(LDSCRIPT)
LOADLIBES = -lefi -lgnuefi $(shell $(CC) $(ARCH3264) -print-libgcc-file-name)
FORMAT = --target=efi-app-$(ARCH)
@@ -48,7 +46,7 @@ index 88d5481bef6a..c794a621095b 100644
MYGUID = 11111111-2222-3333-4444-123456789abc
INSTALL = install
BINDIR = $(DESTDIR)/usr/bin
@@ -36,23 +41,23 @@ EFIDIR = $(DESTDIR)/usr/share/efitools/efi
@@ -36,23 +41,23 @@ EFIDIR = $(DESTDIR)/usr/share/efitools/
DOCDIR = $(DESTDIR)/usr/share/efitools
# globally use EFI calling conventions (requires gcc >= 4.7)
@@ -93,7 +91,7 @@ index 88d5481bef6a..c794a621095b 100644
%.hash: %.efi hash-to-efi-sig-list
./hash-to-efi-sig-list $< $@
@@ -99,28 +104,28 @@ getvar = $(shell if [ "$(1)" = "PK" -o "$(1)" = "KEK" ]; then echo $(1); else ec
@@ -99,28 +104,28 @@ getvar = $(shell if [ "$(1)" = "PK" -o "
./sign-efi-sig-list -a -c PK.crt -k PK.key dbx $< $@
%.o: %.c
@@ -130,7 +128,7 @@ index 88d5481bef6a..c794a621095b 100644
##
# No need for KEK signing
@@ -129,7 +134,7 @@ getvar = $(shell if [ "$(1)" = "PK" -o "$(1)" = "KEK" ]; then echo $(1); else ec
@@ -129,7 +134,7 @@ getvar = $(shell if [ "$(1)" = "PK" -o "
# sbsign --key KEK.key --cert KEK.crt --output $@ $<
%.a:
@@ -139,8 +137,6 @@ index 88d5481bef6a..c794a621095b 100644
doc/%.1: doc/%.1.in %
$(HELP2MAN) --no-info -i $< -o $@ ./$*
diff --git a/Makefile b/Makefile
index 774ee0aed7e9..4c3f91b5850f 100644
--- a/Makefile
+++ b/Makefile
@@ -73,7 +73,7 @@ ms-%.esl: ms-%.crt cert-to-efi-sig-list
@@ -156,36 +152,36 @@ index 774ee0aed7e9..4c3f91b5850f 100644
ShimReplace.so: lib/lib-efi.a
cert-to-efi-sig-list: cert-to-efi-sig-list.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< -lcrypto lib/lib.a
+ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) -lcrypto lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto
+ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) lib/lib.a -lcrypto
sig-list-to-certs: sig-list-to-certs.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< -lcrypto lib/lib.a
+ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) -lcrypto lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto
+ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) lib/lib.a -lcrypto
sign-efi-sig-list: sign-efi-sig-list.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< -lcrypto lib/lib.a
+ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) -lcrypto lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto
+ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) lib/lib.a -lcrypto
hash-to-efi-sig-list: hash-to-efi-sig-list.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a
+ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) lib/lib.a
cert-to-efi-hash-list: cert-to-efi-hash-list.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< -lcrypto lib/lib.a
+ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) -lcrypto lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto
+ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) lib/lib.a -lcrypto
efi-keytool: efi-keytool.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a
+ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) lib/lib.a
efi-readvar: efi-readvar.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< -lcrypto lib/lib.a
+ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) -lcrypto lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto
+ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) lib/lib.a -lcrypto
efi-updatevar: efi-updatevar.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< -lcrypto lib/lib.a
+ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) -lcrypto lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto
+ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) lib/lib.a -lcrypto
flash-var: flash-var.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a
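Review bot: If this section is printed old-then-new, as the `-L /usr/lib -L /usr/lib64` pair and the gnuefi CRTPATHS lines suggest, the refreshed `cflags` line (`+cflags = -O2 -g $(ARCH3264) ... -fno-stack-check`) drops the trailing `$(CFLAGS)` that the previous version of the patch appended, so anything the recipe exports in CFLAGS no longer reaches the EFI objects and they build with only the hard-coded flag set. That may be deliberate, since freestanding EFI code must keep `-fno-stack-protector`/`-ffreestanding` and should not inherit host hardening or sysroot-independent flags, but the patch should say so rather than silently change behaviour: either restore `$(CFLAGS)` at the end of the line so recipe flags still apply last, or add to the patch description a line such as `cflags intentionally ignores $(CFLAGS): distro hardening flags are unsafe for freestanding EFI code`. Keeping the patched `ldflags` without upstream's new `-L /usr/lib -L /usr/lib64` is the right call for a cross build, since those host paths would otherwise leak into the EFI link; a one-line comment above `ldflags +=` naming that reason would save the next uprev from re-adding them. The `Upstream-Status: Pending` header is unchanged while the patch has now been carried across two upstream releases, so noting whether it was ever submitted would help too.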


@@ -8,15 +8,13 @@ Upstream-Status: Pending
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
---
Loader.c | 1 +
cert-to-efi-hash-list.c | 2 +-
flash-var.c | 2 ++
lib/pecoff.c | 1 +
sign-efi-sig-list.c | 2 ++
Loader.c | 1 +
cert-to-efi-hash-list.c | 2 +-
flash-var.c | 2 ++
lib/pecoff.c | 1 +
sign-efi-sig-list.c | 2 ++
5 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/Loader.c b/Loader.c
index 1f9201a..044469a 100644
--- a/Loader.c
+++ b/Loader.c
@@ -9,6 +9,7 @@
@@ -27,8 +25,6 @@ index 1f9201a..044469a 100644
#include <simple_file.h>
#include <pecoff.h>
#include <sha256.h>
diff --git a/cert-to-efi-hash-list.c b/cert-to-efi-hash-list.c
index d4484f9..3792553 100644
--- a/cert-to-efi-hash-list.c
+++ b/cert-to-efi-hash-list.c
@@ -3,7 +3,7 @@
@@ -39,9 +35,7 @@ index d4484f9..3792553 100644
+#define _GNU_SOURCE
#include <stdint.h>
#define __STDC_VERSION__ 199901L
diff --git a/flash-var.c b/flash-var.c
index aa10ae6..10429bc 100644
#define _XOPEN_SOURCE
--- a/flash-var.c
+++ b/flash-var.c
@@ -1,3 +1,5 @@
@@ -50,8 +44,6 @@ index aa10ae6..10429bc 100644
#include <stdlib.h>
#include <stdint.h>
#include <sys/types.h>
diff --git a/lib/pecoff.c b/lib/pecoff.c
index 26d9dcf..10b898a 100644
--- a/lib/pecoff.c
+++ b/lib/pecoff.c
@@ -59,6 +59,7 @@
@@ -62,8 +54,6 @@ index 26d9dcf..10b898a 100644
#include <pecoff.h>
#include <guid.h>
#include <simple_file.h>
diff --git a/sign-efi-sig-list.c b/sign-efi-sig-list.c
index e19ef97..5abcf27 100644
--- a/sign-efi-sig-list.c
+++ b/sign-efi-sig-list.c
@@ -3,6 +3,8 @@
@@ -75,6 +65,3 @@ index e19ef97..5abcf27 100644
#include <stdint.h>
#define __STDC_VERSION__ 199901L
#include <efi.h>
--
1.9.1


@@ -1,32 +0,0 @@
From 1b87c0e53efdccec4c05d2b92699f49cd3d6ec79 Mon Sep 17 00:00:00 2001
From: Lans Zhang <jia.zhang@windriver.com>
Date: Wed, 16 Aug 2017 19:52:37 +0800
Subject: [PATCH] cert-to-efi-hash-list: support to build with openssl-1.1.x
X509 becomes opaque since openssl-1.1.x and thus uses the equivalent
function i2d_re_X509_tbs() instead to encode tbs portion of the certificate.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
---
cert-to-efi-hash-list.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/cert-to-efi-hash-list.c b/cert-to-efi-hash-list.c
index 3792553..2f2584c 100644
--- a/cert-to-efi-hash-list.c
+++ b/cert-to-efi-hash-list.c
@@ -135,7 +135,11 @@ main(int argc, char *argv[])
X509 *cert = PEM_read_bio_X509(cert_bio, NULL, NULL, NULL);
unsigned char *cert_buf = NULL;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
int cert_len = i2d_X509_CINF(cert->cert_info, &cert_buf);
+#else
+ int cert_len = i2d_re_X509_tbs(cert, &cert_buf);
+#endif
ERR_print_errors_fp(stdout);
int len, digest_len, time_offset;
--
2.7.5