meta-signing-key, meta-efi-secure-boot: Rework for dependencies

The content of meta-signing-key depends on a few recipes within
meta-efi-secure-boot.  However, meta-signing-key can be used without
meta-efi-secure-boot if we move libsign and sbsigntool over.  Doing this will
also provide a more correct set of dependencies as we cannot say that both
layers depend on eachother.  While doing this, within meta-signing-key only
depend on content from meta-efi-secure-boot if the efi-secure-boot
DISTRO_FEATURE is set.

Signed-off-by: Tom Rini <trini@konsulko.com>
This commit is contained in:
Tom Rini
2017-11-15 22:28:01 -05:00
committed by Jia Zhang
parent d3a05a62c1
commit 3ad05893e5
11 changed files with 1 additions and 1 deletions
@@ -1,53 +0,0 @@
SUMMARY = "A generic signing tool framework"
DESCRIPTION = "\
This project targets to provide a generic signing framework. This framework \
separates the signing request and signing process and correspondingly forms \
the so-called signlet and signaturelet. \
Each signaturelet only concerns about the details about how to construct the \
layout of a signature format, and signlet only cares how to construct the \
signing request. \
"
AUTHOR = "Jia Zhang"
HOMEPAGE = "https://github.com/jiazhang0/libsign"
SECTION = "devel"
LICENSE = "BSD-3-Clause"
LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=d9bf404642f21afb4ad89f95d7bc91ee"
DEPENDS += "openssl"
PV = "0.3.2+git${SRCPV}"
SRC_URI = "\
git://github.com/jiazhang0/libsign.git \
"
SRCREV = "0e8005f1c546ef25d834084f5cd85d386cf7cd1d"
PARALLEL_MAKE = ""
S = "${WORKDIR}/git"
EXTRA_OEMAKE = "\
CC="${CC}" \
bindir="${STAGING_BINDIR}" \
libdir="${STAGING_LIBDIR}" \
includedir="${STAGING_INCDIR}" \
EXTRA_CFLAGS="${CFLAGS}" \
EXTRA_LDFLAGS="${LDFLAGS}" \
SIGNATURELET_DIR="${libdir}/signaturelet" \
BINDIR="${bindir}" \
LIBDIR="${libdir}" \
"
do_install() {
oe_runmake install DESTDIR="${D}"
}
FILES_${PN} += "\
${libdir}/signaturelet \
"
RDEPENDS_${PN}_class-target += "libcrypto"
RDEPENDS_${PN}_class-native += "openssl"
BBCLASSEXTEND = "native"
@@ -1,71 +0,0 @@
SUMMARY = "Utilities for signing UEFI binaries for use with secure boot"
LICENSE = "GPLv3"
LIC_FILES_CHKSUM = "\
file://LICENSE.GPLv3;md5=9eef91148a9b14ec7f9df333daebc746 \
file://COPYING;md5=a7710ac18adec371b84a9594ed04fd20 \
"
DEPENDS += "binutils-native openssl-native gnu-efi-native util-linux-native"
PV = "0.6+git${SRCPV}"
SRC_URI = "\
git://kernel.ubuntu.com/jk/sbsigntool \
file://ccan.git.tar.bz2 \
file://fix-mixed-implicit-and-normal-rules.patch;apply=0 \
file://disable-man-page-creation.patch \
file://Fix-for-multi-sign.patch \
file://sbsign-add-x-option-to-avoid-overwrite-existing-sign.patch \
file://image-fix-the-segment-fault-caused-by-the-uninitiali.patch \
file://Fix-the-deprecated-ASN1_STRING_data-in-openssl-1.1.0.patch \
file://Update-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch \
"
SRCREV="951ee95a301674c046f55330cd7460e1314deff2"
S = "${WORKDIR}/git"
inherit autotools-brokensep pkgconfig native
def efi_arch(d):
import re
arch = d.getVar("TARGET_ARCH")
if re.match("i[3456789]86", arch):
return "ia32"
return arch
# Avoids build breaks when using no-static-libs.inc
#DISABLE_STATIC_class-target = ""
#EXTRA_OECONF_remove_class-target += "\
# --with-libtool-sysroot \
#"
EXTRA_OEMAKE += "\
INCLUDES='-I${S}/lib/ccan.git' \
EFI_CPPFLAGS='-I${STAGING_INCDIR}/efi \
-I${STAGING_INCDIR}/efi/${@efi_arch(d)}' \
"
do_configure() {
cd "${S}"
rm -rf "lib/ccan.git"
git clone "${WORKDIR}/ccan.git" lib/ccan.git
cd lib/ccan.git && \
git apply "${WORKDIR}/fix-mixed-implicit-and-normal-rules.patch" && \
cd -
OLD_CC="${CC}"
if [ ! -e lib/ccan ]; then
export CC="${BUILD_CC}"
lib/ccan.git/tools/create-ccan-tree \
--build-type=automake lib/ccan \
talloc read_write_all build_assert array_size endian || exit 1
fi
export CC="${OLD_CC}"
./autogen.sh --noconfigure
oe_runconf
}
@@ -1,41 +0,0 @@
From e58a528ef57e53008222f238cce7c326a14572e2 Mon Sep 17 00:00:00 2001
From: James Bottomley <JBottomley@Parallels.com>
Date: Mon, 30 Sep 2013 19:25:37 -0700
Subject: [PATCH] Fix for multi-sign
Upstream-Status: Inappropriate [embedded specific]
The new Tianocore multi-sign code fails now for images signed with
sbsigntools. The reason is that we don't actually align the signature table,
we just slap it straight after the binary data. Unfortunately, the new
multi-signature code checks that our alignment offsets are correct and fails
the signature for this reason. Fix by adding junk to the end of the image to
align the signature section.
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
---
src/image.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/image.c b/src/image.c
index 10eba0e..519e288 100644
--- a/src/image.c
+++ b/src/image.c
@@ -385,7 +385,13 @@ static int image_find_regions(struct image *image)
/* record the size of non-signature data */
r = &image->checksum_regions[image->n_checksum_regions - 1];
- image->data_size = (r->data - (void *)image->buf) + r->size;
+ /*
+ * The new Tianocore multisign does a stricter check of the signatures
+ * in particular, the signature table must start at an aligned offset
+ * fix this by adding bytes to the end of the text section (which must
+ * be included in the hash)
+ */
+ image->data_size = align_up((r->data - (void *)image->buf) + r->size, 8);
return 0;
}
--
1.8.4
@@ -1,73 +0,0 @@
From 6ef94a67490176a6d84b4968f303e6d1c51a49ce Mon Sep 17 00:00:00 2001
From: Lans Zhang <jia.zhang@windriver.com>
Date: Wed, 16 Aug 2017 10:09:43 +0800
Subject: [PATCH] Fix the deprecated ASN1_STRING_data() in openssl-1.1.0
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
---
src/idc.c | 4 ++--
src/idc.h | 4 ++++
src/sbkeysync.c | 3 ++-
3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/idc.c b/src/idc.c
index 236cefd..7f99a53 100644
--- a/src/idc.c
+++ b/src/idc.c
@@ -238,7 +238,7 @@ struct idc *IDC_get(PKCS7 *p7, BIO *bio)
/* extract the idc from the signed PKCS7 'other' data */
str = p7->d.sign->contents->d.other->value.asn1_string;
- idcbuf = buf = ASN1_STRING_data(str);
+ idcbuf = buf = (const unsigned char *)ASN1_STRING_get0_data(str);
idc = d2i_IDC(NULL, &buf, ASN1_STRING_length(str));
/* If we were passed a BIO, write the idc data, minus type and length,
@@ -289,7 +289,7 @@ int IDC_check_hash(struct idc *idc, struct image *image)
}
/* check hash against the one we calculated from the image */
- buf = ASN1_STRING_data(str);
+ buf = (const unsigned char *)ASN1_STRING_get0_data(str);
if (memcmp(buf, sha, sizeof(sha))) {
fprintf(stderr, "Hash doesn't match image\n");
fprintf(stderr, " got: %s\n", sha256_str(buf));
diff --git a/src/idc.h b/src/idc.h
index a6526de..8011237 100644
--- a/src/idc.h
+++ b/src/idc.h
@@ -36,6 +36,10 @@
#include <openssl/pkcs7.h>
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define ASN1_STRING_get0_data ASN1_STRING_data
+#endif
+
struct idc;
int IDC_set(PKCS7 *p7, PKCS7_SIGNER_INFO *si, struct image *image);
diff --git a/src/sbkeysync.c b/src/sbkeysync.c
index a63d3b8..223a047 100644
--- a/src/sbkeysync.c
+++ b/src/sbkeysync.c
@@ -54,6 +54,7 @@
#include "fileio.h"
#include "efivars.h"
+#include "idc.h"
#define EFIVARS_MOUNTPOINT "/sys/firmware/efi/efivars"
#define PSTORE_FSTYPE 0x6165676C
@@ -210,7 +211,7 @@ static int x509_key_parse(struct key *key, uint8_t *data, size_t len)
serial = x509->cert_info->serialNumber;
key->id_len = ASN1_STRING_length(serial);
- key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len);
+ key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len);
key->description = talloc_array(key, char, description_len);
X509_NAME_oneline(x509->cert_info->subject,
--
2.7.5
@@ -1,158 +0,0 @@
From ddf7f08d27d6a44eb62928b33c66204ffa3d7edb Mon Sep 17 00:00:00 2001
From: Lans Zhang <jia.zhang@windriver.com>
Date: Tue, 15 Aug 2017 13:05:14 +0800
Subject: [PATCH] Update OpenSSL API usage to support OpenSSL 1.1
Most structure definitions in OpenSSL are now opaque and we must call
the appropriate accessor functions to get information from them.
Not all the accessors are available in older versions, so define the
missing accessors as macros.
The X509_retrieve_match() function is no longer usable, as we cannot
initialise an X509_OBJECT ourselves. Instead, iterate over the
certificate store and use X509_OBJECT_get_type and X509_cmp to
compare certificates.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
---
src/sbkeysync.c | 7 +++----
src/sbverify.c | 52 ++++++++++++++++++++++++++++++++++++++--------------
2 files changed, 41 insertions(+), 18 deletions(-)
diff --git a/src/sbkeysync.c b/src/sbkeysync.c
index ef028ef..19e3064 100644
--- a/src/sbkeysync.c
+++ b/src/sbkeysync.c
@@ -204,16 +204,15 @@ static int x509_key_parse(struct key *key, uint8_t *data, size_t len)
return -1;
/* we use the X509 serial number as the key ID */
- if (!x509->cert_info || !x509->cert_info->serialNumber)
+ serial = X509_get_serialNumber(x509);
+ if (!serial)
goto out;
- serial = x509->cert_info->serialNumber;
-
key->id_len = ASN1_STRING_length(serial);
key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len);
key->description = talloc_array(key, char, description_len);
- X509_NAME_oneline(x509->cert_info->subject,
+ X509_NAME_oneline(X509_get_subject_name(x509),
key->description, description_len);
rc = 0;
diff --git a/src/sbverify.c b/src/sbverify.c
index fb03d21..0aed71a 100644
--- a/src/sbverify.c
+++ b/src/sbverify.c
@@ -55,6 +55,14 @@
#include <openssl/pem.h>
#include <openssl/x509v3.h>
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define X509_OBJECT_get0_X509(obj) ((obj)->data.x509)
+#define X509_OBJECT_get_type(obj) ((obj)->type)
+#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert)
+#define X509_STORE_get0_objects(certs) ((certs)->objs)
+#define X509_get_extended_key_usage(cert) ((cert)->ex_xkusage)
+#endif
+
static const char *toolname = "sbverify";
static const int cert_name_len = 160;
@@ -123,9 +131,9 @@ static void print_signature_info(PKCS7 *p7)
for (i = 0; i < sk_X509_num(p7->d.sign->cert); i++) {
cert = sk_X509_value(p7->d.sign->cert, i);
- X509_NAME_oneline(cert->cert_info->subject,
+ X509_NAME_oneline(X509_get_subject_name(cert),
subject_name, cert_name_len);
- X509_NAME_oneline(cert->cert_info->issuer,
+ X509_NAME_oneline(X509_get_issuer_name(cert),
issuer_name, cert_name_len);
printf(" - subject: %s\n", subject_name);
@@ -136,20 +144,26 @@ static void print_signature_info(PKCS7 *p7)
static void print_certificate_store_certs(X509_STORE *certs)
{
char subject_name[cert_name_len + 1], issuer_name[cert_name_len + 1];
+ STACK_OF(X509_OBJECT) *objs;
X509_OBJECT *obj;
+ X509 *cert;
int i;
printf("certificate store:\n");
- for (i = 0; i < sk_X509_OBJECT_num(certs->objs); i++) {
- obj = sk_X509_OBJECT_value(certs->objs, i);
+ objs = X509_STORE_get0_objects(certs);
+
+ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
+ obj = sk_X509_OBJECT_value(objs, i);
- if (obj->type != X509_LU_X509)
+ if (X509_OBJECT_get_type(obj) != X509_LU_X509)
continue;
- X509_NAME_oneline(obj->data.x509->cert_info->subject,
+ cert = X509_OBJECT_get0_X509(obj);
+
+ X509_NAME_oneline(X509_get_subject_name(cert),
subject_name, cert_name_len);
- X509_NAME_oneline(obj->data.x509->cert_info->issuer,
+ X509_NAME_oneline(X509_get_issuer_name(cert),
issuer_name, cert_name_len);
printf(" - subject: %s\n", subject_name);
@@ -182,12 +196,21 @@ static int load_detached_signature_data(struct image *image,
static int cert_in_store(X509 *cert, X509_STORE_CTX *ctx)
{
- X509_OBJECT obj;
+ STACK_OF(X509_OBJECT) *objs;
+ X509_OBJECT *obj;
+ int i;
+
+ objs = X509_STORE_get0_objects(X509_STORE_CTX_get0_store(ctx));
- obj.type = X509_LU_X509;
- obj.data.x509 = cert;
+ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
+ obj = sk_X509_OBJECT_value(objs, i);
- return X509_OBJECT_retrieve_match(ctx->ctx->objs, &obj) != NULL;
+ if (X509_OBJECT_get_type(obj) == X509_LU_X509 &&
+ !X509_cmp(X509_OBJECT_get0_X509(obj), cert))
+ return 1;
+ }
+
+ return 0;
}
static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
@@ -195,15 +218,16 @@ static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
int err = X509_STORE_CTX_get_error(ctx);
/* also accept code-signing keys */
- if (err == X509_V_ERR_INVALID_PURPOSE
- && ctx->cert->ex_xkusage == XKU_CODE_SIGN)
+ if (err == X509_V_ERR_INVALID_PURPOSE &&
+ X509_get_extended_key_usage(X509_STORE_CTX_get0_cert(ctx))
+ == XKU_CODE_SIGN)
status = 1;
/* all certs given with the --cert argument are trusted */
else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
err == X509_V_ERR_CERT_UNTRUSTED) {
- if (cert_in_store(ctx->current_cert, ctx))
+ if (cert_in_store(X509_STORE_CTX_get_current_cert(ctx), ctx))
status = 1;
}
--
2.7.5
@@ -1,15 +0,0 @@
Upstream-Status: Inappropriate [embedded specific]
diff --git a/docs/Makefile.am b/docs/Makefile.am
index 1b5a588..6918dd8 100644
--- a/docs/Makefile.am
+++ b/docs/Makefile.am
@@ -1,8 +1,4 @@
-man1_MANS = sbsign.1 sbverify.1 sbattach.1 sbvarsign.1 sbsiglist.1
-
-EXTRA_DIST = sbsign.1.in sbverify.1.in sbattach.1.in \
- sbvarsign.1.in sbsiglist.1.in
CLEANFILES = $(man1_MANS)
$(builddir)/%.1: $(srcdir)/%.1.in $(top_builddir)/src/%
@@ -1,33 +0,0 @@
From 05e73dbe1f25600ad0dbb36b2d690560c5a36281 Mon Sep 17 00:00:00 2001
From: Lans Zhang <jia.zhang@windriver.com>
Date: Tue, 31 Mar 2015 15:34:38 +0800
Subject: [PATCH] Fix mixed implicit and normal rules
Upstream-Status: Inappropriate [embedded specific]
This patch comes from upstream:
http://git.yoctoproject.org/cgit/cgit.cgi/meta-luv/plain/recipes-devtools/sbsigntool/sbsigntool/fix-mixed-implicit-and-normal-rules.patch
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
---
Makefile | 4 ----
1 file changed, 4 deletions(-)
diff --git a/Makefile b/Makefile
index 65d0d8f..a83185d 100644
--- a/Makefile
+++ b/Makefile
@@ -39,10 +39,6 @@ $(SCOREDIR)/SUMMARY: $(MODS:%=$(SCOREDIR)/%.score)
$(CC) -v >> $@
cat $^ | grep 'Total score:' >> $@
-$(SCOREDIR)/%.score: ccan/%/_info tools/ccanlint/ccanlint $(OBJFILES)
- mkdir -p `dirname $@`
- $(CCANLINT) -v -s ccan/$* > $@ || true
-
$(ALL_DEPENDS): %/.depends: %/_info tools/ccan_depends
tools/ccan_depends $* > $@ || ( rm -f $@; exit 1 )
--
1.8.3.1
@@ -1,30 +0,0 @@
From a6862cb3bb3b00a1d6704b2bd1fedbd1374be861 Mon Sep 17 00:00:00 2001
From: Lans Zhang <jia.zhang@windriver.com>
Date: Thu, 6 Apr 2017 11:11:14 +0800
Subject: [PATCH] image: fix the segment fault caused by the uninitialized
sigbuf
The uninitialized struct image might contain a non-zeroed sigbuf and then
it is wrongly freed by image_add_signature().
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
---
src/image.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/image.c b/src/image.c
index cc55791..644e8f1 100644
--- a/src/image.c
+++ b/src/image.c
@@ -395,7 +395,7 @@ struct image *image_load(const char *filename)
struct image *image;
int rc;
- image = talloc(NULL, struct image);
+ image = talloc_zero(NULL, struct image);
if (!image) {
perror("talloc(image)");
return NULL;
--
2.11.0
@@ -1,75 +0,0 @@
From 0016a571a5ea1ab65817973f179800947e1aa8de Mon Sep 17 00:00:00 2001
From: Lans Zhang <jia.zhang@windriver.com>
Date: Fri, 15 Jan 2016 09:40:56 +0800
Subject: [PATCH] sbsign: add -x option to avoid overwrite existing signature
Upstream-Status: Pending
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
---
src/sbsign.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/src/sbsign.c b/src/sbsign.c
index dcf6eed..7dc101f 100644
--- a/src/sbsign.c
+++ b/src/sbsign.c
@@ -66,6 +66,7 @@ struct sign_context {
};
static struct option options[] = {
+ { "noresign", no_argument, NULL, 'x' },
{ "output", required_argument, NULL, 'o' },
{ "cert", required_argument, NULL, 'c' },
{ "key", required_argument, NULL, 'k' },
@@ -87,6 +88,7 @@ static void usage(void)
"\t--cert <certfile> certificate (x509 certificate)\n"
"\t--detached write a detached signature, instead of\n"
"\t a signed binary\n"
+ "\t--noresign don't re-sign the binary if signed\n"
"\t--output <file> write signed data to <file>\n"
"\t (default <efi-boot-image>.signed,\n"
"\t or <efi-boot-image>.pk7 for detached\n"
@@ -114,7 +116,7 @@ int main(int argc, char **argv)
const char *keyfilename, *certfilename;
struct sign_context *ctx;
uint8_t *buf, *tmp;
- int rc, c, sigsize;
+ int rc, c, sigsize, no_resign = 0;
ctx = talloc_zero(NULL, struct sign_context);
@@ -123,11 +125,14 @@ int main(int argc, char **argv)
for (;;) {
int idx;
- c = getopt_long(argc, argv, "o:c:k:dvVh", options, &idx);
+ c = getopt_long(argc, argv, "xo:c:k:dvVh", options, &idx);
if (c == -1)
break;
switch (c) {
+ case 'x':
+ no_resign = 1;
+ break;
case 'o':
ctx->outfilename = talloc_strdup(ctx, optarg);
break;
@@ -178,6 +183,14 @@ int main(int argc, char **argv)
if (!ctx->image)
return EXIT_FAILURE;
+ if (ctx->image->cert_table) {
+ if (no_resign) {
+ fprintf(stderr,
+ "Don't overwrite existing signature\n");
+ return EXIT_SUCCESS;
+ }
+ }
+
talloc_steal(ctx, ctx->image);
ERR_load_crypto_strings();
--
1.9.1