mirror of
https://github.com/jiazhang0/meta-secure-core.git
synced 2026-07-17 13:17:00 +00:00
meta-signing-key, meta-efi-secure-boot: Rework for dependencies
The content of meta-signing-key depends on a few recipes within meta-efi-secure-boot. However, meta-signing-key can be used without meta-efi-secure-boot if we move libsign and sbsigntool over. Doing this will also provide a more correct set of dependencies as we cannot say that both layers depend on eachother. While doing this, within meta-signing-key only depend on content from meta-efi-secure-boot if the efi-secure-boot DISTRO_FEATURE is set. Signed-off-by: Tom Rini <trini@konsulko.com>
This commit is contained in:
@@ -1,53 +0,0 @@
|
||||
SUMMARY = "A generic signing tool framework"
|
||||
DESCRIPTION = "\
|
||||
This project targets to provide a generic signing framework. This framework \
|
||||
separates the signing request and signing process and correspondingly forms \
|
||||
the so-called signlet and signaturelet. \
|
||||
Each signaturelet only concerns about the details about how to construct the \
|
||||
layout of a signature format, and signlet only cares how to construct the \
|
||||
signing request. \
|
||||
"
|
||||
AUTHOR = "Jia Zhang"
|
||||
HOMEPAGE = "https://github.com/jiazhang0/libsign"
|
||||
SECTION = "devel"
|
||||
|
||||
LICENSE = "BSD-3-Clause"
|
||||
LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=d9bf404642f21afb4ad89f95d7bc91ee"
|
||||
|
||||
DEPENDS += "openssl"
|
||||
|
||||
PV = "0.3.2+git${SRCPV}"
|
||||
|
||||
SRC_URI = "\
|
||||
git://github.com/jiazhang0/libsign.git \
|
||||
"
|
||||
SRCREV = "0e8005f1c546ef25d834084f5cd85d386cf7cd1d"
|
||||
|
||||
PARALLEL_MAKE = ""
|
||||
|
||||
S = "${WORKDIR}/git"
|
||||
|
||||
EXTRA_OEMAKE = "\
|
||||
CC="${CC}" \
|
||||
bindir="${STAGING_BINDIR}" \
|
||||
libdir="${STAGING_LIBDIR}" \
|
||||
includedir="${STAGING_INCDIR}" \
|
||||
EXTRA_CFLAGS="${CFLAGS}" \
|
||||
EXTRA_LDFLAGS="${LDFLAGS}" \
|
||||
SIGNATURELET_DIR="${libdir}/signaturelet" \
|
||||
BINDIR="${bindir}" \
|
||||
LIBDIR="${libdir}" \
|
||||
"
|
||||
|
||||
do_install() {
|
||||
oe_runmake install DESTDIR="${D}"
|
||||
}
|
||||
|
||||
FILES_${PN} += "\
|
||||
${libdir}/signaturelet \
|
||||
"
|
||||
|
||||
RDEPENDS_${PN}_class-target += "libcrypto"
|
||||
RDEPENDS_${PN}_class-native += "openssl"
|
||||
|
||||
BBCLASSEXTEND = "native"
|
||||
@@ -1,71 +0,0 @@
|
||||
SUMMARY = "Utilities for signing UEFI binaries for use with secure boot"
|
||||
|
||||
LICENSE = "GPLv3"
|
||||
|
||||
LIC_FILES_CHKSUM = "\
|
||||
file://LICENSE.GPLv3;md5=9eef91148a9b14ec7f9df333daebc746 \
|
||||
file://COPYING;md5=a7710ac18adec371b84a9594ed04fd20 \
|
||||
"
|
||||
|
||||
DEPENDS += "binutils-native openssl-native gnu-efi-native util-linux-native"
|
||||
|
||||
PV = "0.6+git${SRCPV}"
|
||||
|
||||
SRC_URI = "\
|
||||
git://kernel.ubuntu.com/jk/sbsigntool \
|
||||
file://ccan.git.tar.bz2 \
|
||||
file://fix-mixed-implicit-and-normal-rules.patch;apply=0 \
|
||||
file://disable-man-page-creation.patch \
|
||||
file://Fix-for-multi-sign.patch \
|
||||
file://sbsign-add-x-option-to-avoid-overwrite-existing-sign.patch \
|
||||
file://image-fix-the-segment-fault-caused-by-the-uninitiali.patch \
|
||||
file://Fix-the-deprecated-ASN1_STRING_data-in-openssl-1.1.0.patch \
|
||||
file://Update-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch \
|
||||
"
|
||||
SRCREV="951ee95a301674c046f55330cd7460e1314deff2"
|
||||
|
||||
S = "${WORKDIR}/git"
|
||||
|
||||
inherit autotools-brokensep pkgconfig native
|
||||
|
||||
def efi_arch(d):
|
||||
import re
|
||||
arch = d.getVar("TARGET_ARCH")
|
||||
if re.match("i[3456789]86", arch):
|
||||
return "ia32"
|
||||
return arch
|
||||
|
||||
# Avoids build breaks when using no-static-libs.inc
|
||||
#DISABLE_STATIC_class-target = ""
|
||||
|
||||
#EXTRA_OECONF_remove_class-target += "\
|
||||
# --with-libtool-sysroot \
|
||||
#"
|
||||
|
||||
EXTRA_OEMAKE += "\
|
||||
INCLUDES='-I${S}/lib/ccan.git' \
|
||||
EFI_CPPFLAGS='-I${STAGING_INCDIR}/efi \
|
||||
-I${STAGING_INCDIR}/efi/${@efi_arch(d)}' \
|
||||
"
|
||||
|
||||
do_configure() {
|
||||
cd "${S}"
|
||||
rm -rf "lib/ccan.git"
|
||||
git clone "${WORKDIR}/ccan.git" lib/ccan.git
|
||||
cd lib/ccan.git && \
|
||||
git apply "${WORKDIR}/fix-mixed-implicit-and-normal-rules.patch" && \
|
||||
cd -
|
||||
|
||||
OLD_CC="${CC}"
|
||||
|
||||
if [ ! -e lib/ccan ]; then
|
||||
export CC="${BUILD_CC}"
|
||||
lib/ccan.git/tools/create-ccan-tree \
|
||||
--build-type=automake lib/ccan \
|
||||
talloc read_write_all build_assert array_size endian || exit 1
|
||||
fi
|
||||
|
||||
export CC="${OLD_CC}"
|
||||
./autogen.sh --noconfigure
|
||||
oe_runconf
|
||||
}
|
||||
@@ -1,41 +0,0 @@
|
||||
From e58a528ef57e53008222f238cce7c326a14572e2 Mon Sep 17 00:00:00 2001
|
||||
From: James Bottomley <JBottomley@Parallels.com>
|
||||
Date: Mon, 30 Sep 2013 19:25:37 -0700
|
||||
Subject: [PATCH] Fix for multi-sign
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
The new Tianocore multi-sign code fails now for images signed with
|
||||
sbsigntools. The reason is that we don't actually align the signature table,
|
||||
we just slap it straight after the binary data. Unfortunately, the new
|
||||
multi-signature code checks that our alignment offsets are correct and fails
|
||||
the signature for this reason. Fix by adding junk to the end of the image to
|
||||
align the signature section.
|
||||
|
||||
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
|
||||
---
|
||||
src/image.c | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/image.c b/src/image.c
|
||||
index 10eba0e..519e288 100644
|
||||
--- a/src/image.c
|
||||
+++ b/src/image.c
|
||||
@@ -385,7 +385,13 @@ static int image_find_regions(struct image *image)
|
||||
|
||||
/* record the size of non-signature data */
|
||||
r = &image->checksum_regions[image->n_checksum_regions - 1];
|
||||
- image->data_size = (r->data - (void *)image->buf) + r->size;
|
||||
+ /*
|
||||
+ * The new Tianocore multisign does a stricter check of the signatures
|
||||
+ * in particular, the signature table must start at an aligned offset
|
||||
+ * fix this by adding bytes to the end of the text section (which must
|
||||
+ * be included in the hash)
|
||||
+ */
|
||||
+ image->data_size = align_up((r->data - (void *)image->buf) + r->size, 8);
|
||||
|
||||
return 0;
|
||||
}
|
||||
--
|
||||
1.8.4
|
||||
|
||||
-73
@@ -1,73 +0,0 @@
|
||||
From 6ef94a67490176a6d84b4968f303e6d1c51a49ce Mon Sep 17 00:00:00 2001
|
||||
From: Lans Zhang <jia.zhang@windriver.com>
|
||||
Date: Wed, 16 Aug 2017 10:09:43 +0800
|
||||
Subject: [PATCH] Fix the deprecated ASN1_STRING_data() in openssl-1.1.0
|
||||
|
||||
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
|
||||
---
|
||||
src/idc.c | 4 ++--
|
||||
src/idc.h | 4 ++++
|
||||
src/sbkeysync.c | 3 ++-
|
||||
3 files changed, 8 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/idc.c b/src/idc.c
|
||||
index 236cefd..7f99a53 100644
|
||||
--- a/src/idc.c
|
||||
+++ b/src/idc.c
|
||||
@@ -238,7 +238,7 @@ struct idc *IDC_get(PKCS7 *p7, BIO *bio)
|
||||
|
||||
/* extract the idc from the signed PKCS7 'other' data */
|
||||
str = p7->d.sign->contents->d.other->value.asn1_string;
|
||||
- idcbuf = buf = ASN1_STRING_data(str);
|
||||
+ idcbuf = buf = (const unsigned char *)ASN1_STRING_get0_data(str);
|
||||
idc = d2i_IDC(NULL, &buf, ASN1_STRING_length(str));
|
||||
|
||||
/* If we were passed a BIO, write the idc data, minus type and length,
|
||||
@@ -289,7 +289,7 @@ int IDC_check_hash(struct idc *idc, struct image *image)
|
||||
}
|
||||
|
||||
/* check hash against the one we calculated from the image */
|
||||
- buf = ASN1_STRING_data(str);
|
||||
+ buf = (const unsigned char *)ASN1_STRING_get0_data(str);
|
||||
if (memcmp(buf, sha, sizeof(sha))) {
|
||||
fprintf(stderr, "Hash doesn't match image\n");
|
||||
fprintf(stderr, " got: %s\n", sha256_str(buf));
|
||||
diff --git a/src/idc.h b/src/idc.h
|
||||
index a6526de..8011237 100644
|
||||
--- a/src/idc.h
|
||||
+++ b/src/idc.h
|
||||
@@ -36,6 +36,10 @@
|
||||
|
||||
#include <openssl/pkcs7.h>
|
||||
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
+#define ASN1_STRING_get0_data ASN1_STRING_data
|
||||
+#endif
|
||||
+
|
||||
struct idc;
|
||||
|
||||
int IDC_set(PKCS7 *p7, PKCS7_SIGNER_INFO *si, struct image *image);
|
||||
diff --git a/src/sbkeysync.c b/src/sbkeysync.c
|
||||
index a63d3b8..223a047 100644
|
||||
--- a/src/sbkeysync.c
|
||||
+++ b/src/sbkeysync.c
|
||||
@@ -54,6 +54,7 @@
|
||||
|
||||
#include "fileio.h"
|
||||
#include "efivars.h"
|
||||
+#include "idc.h"
|
||||
|
||||
#define EFIVARS_MOUNTPOINT "/sys/firmware/efi/efivars"
|
||||
#define PSTORE_FSTYPE 0x6165676C
|
||||
@@ -210,7 +211,7 @@ static int x509_key_parse(struct key *key, uint8_t *data, size_t len)
|
||||
serial = x509->cert_info->serialNumber;
|
||||
|
||||
key->id_len = ASN1_STRING_length(serial);
|
||||
- key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len);
|
||||
+ key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len);
|
||||
|
||||
key->description = talloc_array(key, char, description_len);
|
||||
X509_NAME_oneline(x509->cert_info->subject,
|
||||
--
|
||||
2.7.5
|
||||
|
||||
-158
@@ -1,158 +0,0 @@
|
||||
From ddf7f08d27d6a44eb62928b33c66204ffa3d7edb Mon Sep 17 00:00:00 2001
|
||||
From: Lans Zhang <jia.zhang@windriver.com>
|
||||
Date: Tue, 15 Aug 2017 13:05:14 +0800
|
||||
Subject: [PATCH] Update OpenSSL API usage to support OpenSSL 1.1
|
||||
|
||||
Most structure definitions in OpenSSL are now opaque and we must call
|
||||
the appropriate accessor functions to get information from them.
|
||||
Not all the accessors are available in older versions, so define the
|
||||
missing accessors as macros.
|
||||
|
||||
The X509_retrieve_match() function is no longer usable, as we cannot
|
||||
initialise an X509_OBJECT ourselves. Instead, iterate over the
|
||||
certificate store and use X509_OBJECT_get_type and X509_cmp to
|
||||
compare certificates.
|
||||
|
||||
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||||
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
|
||||
---
|
||||
src/sbkeysync.c | 7 +++----
|
||||
src/sbverify.c | 52 ++++++++++++++++++++++++++++++++++++++--------------
|
||||
2 files changed, 41 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/src/sbkeysync.c b/src/sbkeysync.c
|
||||
index ef028ef..19e3064 100644
|
||||
--- a/src/sbkeysync.c
|
||||
+++ b/src/sbkeysync.c
|
||||
@@ -204,16 +204,15 @@ static int x509_key_parse(struct key *key, uint8_t *data, size_t len)
|
||||
return -1;
|
||||
|
||||
/* we use the X509 serial number as the key ID */
|
||||
- if (!x509->cert_info || !x509->cert_info->serialNumber)
|
||||
+ serial = X509_get_serialNumber(x509);
|
||||
+ if (!serial)
|
||||
goto out;
|
||||
|
||||
- serial = x509->cert_info->serialNumber;
|
||||
-
|
||||
key->id_len = ASN1_STRING_length(serial);
|
||||
key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len);
|
||||
|
||||
key->description = talloc_array(key, char, description_len);
|
||||
- X509_NAME_oneline(x509->cert_info->subject,
|
||||
+ X509_NAME_oneline(X509_get_subject_name(x509),
|
||||
key->description, description_len);
|
||||
|
||||
rc = 0;
|
||||
diff --git a/src/sbverify.c b/src/sbverify.c
|
||||
index fb03d21..0aed71a 100644
|
||||
--- a/src/sbverify.c
|
||||
+++ b/src/sbverify.c
|
||||
@@ -55,6 +55,14 @@
|
||||
#include <openssl/pem.h>
|
||||
#include <openssl/x509v3.h>
|
||||
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
+#define X509_OBJECT_get0_X509(obj) ((obj)->data.x509)
|
||||
+#define X509_OBJECT_get_type(obj) ((obj)->type)
|
||||
+#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert)
|
||||
+#define X509_STORE_get0_objects(certs) ((certs)->objs)
|
||||
+#define X509_get_extended_key_usage(cert) ((cert)->ex_xkusage)
|
||||
+#endif
|
||||
+
|
||||
static const char *toolname = "sbverify";
|
||||
static const int cert_name_len = 160;
|
||||
|
||||
@@ -123,9 +131,9 @@ static void print_signature_info(PKCS7 *p7)
|
||||
|
||||
for (i = 0; i < sk_X509_num(p7->d.sign->cert); i++) {
|
||||
cert = sk_X509_value(p7->d.sign->cert, i);
|
||||
- X509_NAME_oneline(cert->cert_info->subject,
|
||||
+ X509_NAME_oneline(X509_get_subject_name(cert),
|
||||
subject_name, cert_name_len);
|
||||
- X509_NAME_oneline(cert->cert_info->issuer,
|
||||
+ X509_NAME_oneline(X509_get_issuer_name(cert),
|
||||
issuer_name, cert_name_len);
|
||||
|
||||
printf(" - subject: %s\n", subject_name);
|
||||
@@ -136,20 +144,26 @@ static void print_signature_info(PKCS7 *p7)
|
||||
static void print_certificate_store_certs(X509_STORE *certs)
|
||||
{
|
||||
char subject_name[cert_name_len + 1], issuer_name[cert_name_len + 1];
|
||||
+ STACK_OF(X509_OBJECT) *objs;
|
||||
X509_OBJECT *obj;
|
||||
+ X509 *cert;
|
||||
int i;
|
||||
|
||||
printf("certificate store:\n");
|
||||
|
||||
- for (i = 0; i < sk_X509_OBJECT_num(certs->objs); i++) {
|
||||
- obj = sk_X509_OBJECT_value(certs->objs, i);
|
||||
+ objs = X509_STORE_get0_objects(certs);
|
||||
+
|
||||
+ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
|
||||
+ obj = sk_X509_OBJECT_value(objs, i);
|
||||
|
||||
- if (obj->type != X509_LU_X509)
|
||||
+ if (X509_OBJECT_get_type(obj) != X509_LU_X509)
|
||||
continue;
|
||||
|
||||
- X509_NAME_oneline(obj->data.x509->cert_info->subject,
|
||||
+ cert = X509_OBJECT_get0_X509(obj);
|
||||
+
|
||||
+ X509_NAME_oneline(X509_get_subject_name(cert),
|
||||
subject_name, cert_name_len);
|
||||
- X509_NAME_oneline(obj->data.x509->cert_info->issuer,
|
||||
+ X509_NAME_oneline(X509_get_issuer_name(cert),
|
||||
issuer_name, cert_name_len);
|
||||
|
||||
printf(" - subject: %s\n", subject_name);
|
||||
@@ -182,12 +196,21 @@ static int load_detached_signature_data(struct image *image,
|
||||
|
||||
static int cert_in_store(X509 *cert, X509_STORE_CTX *ctx)
|
||||
{
|
||||
- X509_OBJECT obj;
|
||||
+ STACK_OF(X509_OBJECT) *objs;
|
||||
+ X509_OBJECT *obj;
|
||||
+ int i;
|
||||
+
|
||||
+ objs = X509_STORE_get0_objects(X509_STORE_CTX_get0_store(ctx));
|
||||
|
||||
- obj.type = X509_LU_X509;
|
||||
- obj.data.x509 = cert;
|
||||
+ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
|
||||
+ obj = sk_X509_OBJECT_value(objs, i);
|
||||
|
||||
- return X509_OBJECT_retrieve_match(ctx->ctx->objs, &obj) != NULL;
|
||||
+ if (X509_OBJECT_get_type(obj) == X509_LU_X509 &&
|
||||
+ !X509_cmp(X509_OBJECT_get0_X509(obj), cert))
|
||||
+ return 1;
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
|
||||
@@ -195,15 +218,16 @@ static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
|
||||
int err = X509_STORE_CTX_get_error(ctx);
|
||||
|
||||
/* also accept code-signing keys */
|
||||
- if (err == X509_V_ERR_INVALID_PURPOSE
|
||||
- && ctx->cert->ex_xkusage == XKU_CODE_SIGN)
|
||||
+ if (err == X509_V_ERR_INVALID_PURPOSE &&
|
||||
+ X509_get_extended_key_usage(X509_STORE_CTX_get0_cert(ctx))
|
||||
+ == XKU_CODE_SIGN)
|
||||
status = 1;
|
||||
|
||||
/* all certs given with the --cert argument are trusted */
|
||||
else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
|
||||
err == X509_V_ERR_CERT_UNTRUSTED) {
|
||||
|
||||
- if (cert_in_store(ctx->current_cert, ctx))
|
||||
+ if (cert_in_store(X509_STORE_CTX_get_current_cert(ctx), ctx))
|
||||
status = 1;
|
||||
}
|
||||
|
||||
--
|
||||
2.7.5
|
||||
|
||||
Binary file not shown.
-15
@@ -1,15 +0,0 @@
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
diff --git a/docs/Makefile.am b/docs/Makefile.am
|
||||
index 1b5a588..6918dd8 100644
|
||||
--- a/docs/Makefile.am
|
||||
+++ b/docs/Makefile.am
|
||||
@@ -1,8 +1,4 @@
|
||||
|
||||
-man1_MANS = sbsign.1 sbverify.1 sbattach.1 sbvarsign.1 sbsiglist.1
|
||||
-
|
||||
-EXTRA_DIST = sbsign.1.in sbverify.1.in sbattach.1.in \
|
||||
- sbvarsign.1.in sbsiglist.1.in
|
||||
CLEANFILES = $(man1_MANS)
|
||||
|
||||
$(builddir)/%.1: $(srcdir)/%.1.in $(top_builddir)/src/%
|
||||
-33
@@ -1,33 +0,0 @@
|
||||
From 05e73dbe1f25600ad0dbb36b2d690560c5a36281 Mon Sep 17 00:00:00 2001
|
||||
From: Lans Zhang <jia.zhang@windriver.com>
|
||||
Date: Tue, 31 Mar 2015 15:34:38 +0800
|
||||
Subject: [PATCH] Fix mixed implicit and normal rules
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
This patch comes from upstream:
|
||||
http://git.yoctoproject.org/cgit/cgit.cgi/meta-luv/plain/recipes-devtools/sbsigntool/sbsigntool/fix-mixed-implicit-and-normal-rules.patch
|
||||
|
||||
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
|
||||
---
|
||||
Makefile | 4 ----
|
||||
1 file changed, 4 deletions(-)
|
||||
|
||||
diff --git a/Makefile b/Makefile
|
||||
index 65d0d8f..a83185d 100644
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -39,10 +39,6 @@ $(SCOREDIR)/SUMMARY: $(MODS:%=$(SCOREDIR)/%.score)
|
||||
$(CC) -v >> $@
|
||||
cat $^ | grep 'Total score:' >> $@
|
||||
|
||||
-$(SCOREDIR)/%.score: ccan/%/_info tools/ccanlint/ccanlint $(OBJFILES)
|
||||
- mkdir -p `dirname $@`
|
||||
- $(CCANLINT) -v -s ccan/$* > $@ || true
|
||||
-
|
||||
$(ALL_DEPENDS): %/.depends: %/_info tools/ccan_depends
|
||||
tools/ccan_depends $* > $@ || ( rm -f $@; exit 1 )
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
-30
@@ -1,30 +0,0 @@
|
||||
From a6862cb3bb3b00a1d6704b2bd1fedbd1374be861 Mon Sep 17 00:00:00 2001
|
||||
From: Lans Zhang <jia.zhang@windriver.com>
|
||||
Date: Thu, 6 Apr 2017 11:11:14 +0800
|
||||
Subject: [PATCH] image: fix the segment fault caused by the uninitialized
|
||||
sigbuf
|
||||
|
||||
The uninitialized struct image might contain a non-zeroed sigbuf and then
|
||||
it is wrongly freed by image_add_signature().
|
||||
|
||||
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
|
||||
---
|
||||
src/image.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/image.c b/src/image.c
|
||||
index cc55791..644e8f1 100644
|
||||
--- a/src/image.c
|
||||
+++ b/src/image.c
|
||||
@@ -395,7 +395,7 @@ struct image *image_load(const char *filename)
|
||||
struct image *image;
|
||||
int rc;
|
||||
|
||||
- image = talloc(NULL, struct image);
|
||||
+ image = talloc_zero(NULL, struct image);
|
||||
if (!image) {
|
||||
perror("talloc(image)");
|
||||
return NULL;
|
||||
--
|
||||
2.11.0
|
||||
|
||||
-75
@@ -1,75 +0,0 @@
|
||||
From 0016a571a5ea1ab65817973f179800947e1aa8de Mon Sep 17 00:00:00 2001
|
||||
From: Lans Zhang <jia.zhang@windriver.com>
|
||||
Date: Fri, 15 Jan 2016 09:40:56 +0800
|
||||
Subject: [PATCH] sbsign: add -x option to avoid overwrite existing signature
|
||||
|
||||
Upstream-Status: Pending
|
||||
|
||||
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
|
||||
---
|
||||
src/sbsign.c | 17 +++++++++++++++--
|
||||
1 file changed, 15 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/sbsign.c b/src/sbsign.c
|
||||
index dcf6eed..7dc101f 100644
|
||||
--- a/src/sbsign.c
|
||||
+++ b/src/sbsign.c
|
||||
@@ -66,6 +66,7 @@ struct sign_context {
|
||||
};
|
||||
|
||||
static struct option options[] = {
|
||||
+ { "noresign", no_argument, NULL, 'x' },
|
||||
{ "output", required_argument, NULL, 'o' },
|
||||
{ "cert", required_argument, NULL, 'c' },
|
||||
{ "key", required_argument, NULL, 'k' },
|
||||
@@ -87,6 +88,7 @@ static void usage(void)
|
||||
"\t--cert <certfile> certificate (x509 certificate)\n"
|
||||
"\t--detached write a detached signature, instead of\n"
|
||||
"\t a signed binary\n"
|
||||
+ "\t--noresign don't re-sign the binary if signed\n"
|
||||
"\t--output <file> write signed data to <file>\n"
|
||||
"\t (default <efi-boot-image>.signed,\n"
|
||||
"\t or <efi-boot-image>.pk7 for detached\n"
|
||||
@@ -114,7 +116,7 @@ int main(int argc, char **argv)
|
||||
const char *keyfilename, *certfilename;
|
||||
struct sign_context *ctx;
|
||||
uint8_t *buf, *tmp;
|
||||
- int rc, c, sigsize;
|
||||
+ int rc, c, sigsize, no_resign = 0;
|
||||
|
||||
ctx = talloc_zero(NULL, struct sign_context);
|
||||
|
||||
@@ -123,11 +125,14 @@ int main(int argc, char **argv)
|
||||
|
||||
for (;;) {
|
||||
int idx;
|
||||
- c = getopt_long(argc, argv, "o:c:k:dvVh", options, &idx);
|
||||
+ c = getopt_long(argc, argv, "xo:c:k:dvVh", options, &idx);
|
||||
if (c == -1)
|
||||
break;
|
||||
|
||||
switch (c) {
|
||||
+ case 'x':
|
||||
+ no_resign = 1;
|
||||
+ break;
|
||||
case 'o':
|
||||
ctx->outfilename = talloc_strdup(ctx, optarg);
|
||||
break;
|
||||
@@ -178,6 +183,14 @@ int main(int argc, char **argv)
|
||||
if (!ctx->image)
|
||||
return EXIT_FAILURE;
|
||||
|
||||
+ if (ctx->image->cert_table) {
|
||||
+ if (no_resign) {
|
||||
+ fprintf(stderr,
|
||||
+ "Don't overwrite existing signature\n");
|
||||
+ return EXIT_SUCCESS;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
talloc_steal(ctx, ctx->image);
|
||||
|
||||
ERR_load_crypto_strings();
|
||||
--
|
||||
1.9.1
|
||||
|
||||
Reference in New Issue
Block a user