efitools: fix openssl.cnf path for openssl 3.0

Fix openssl.cnf path for openssl 3.0 to make sure openssl command can find it. Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2026-01-12 01:00:15 +00:00 · 2021-10-20 16:57:23 +08:00
parent 4caca5b780
commit 3fa3fc6dcb
2 changed files with 19 additions and 14 deletions
--- a/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc
+++ b/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc
@@ -28,7 +28,7 @@ SRC_URI = "\
    file://Don-t-build-PreLoader.efi.patch \
    file://Reuse-xxdi.pl.patch \
    file://Add-static-keyword-for-IsValidVariableHeader.patch \
-    file://Dynamically-load-openssl.cnf-for-openssl-1.0.x-and-1.patch \
+    file://Dynamically-load-openssl.cnf-for-openssl-1.0.x-1.1.x.patch \
    file://0001-console.c-Fix-compilation-against-latest-usr-include.patch \
 "
 SRCREV = "392836a46ce3c92b55dc88a1aebbcfdfc5dcddce"
--- a/meta-efi-secure-boot/recipes-bsp/efitools/efitools/Dynamically-load-openssl.cnf-for-openssl-1.0.x-1.1.x.patch
+++ b/meta-efi-secure-boot/recipes-bsp/efitools/efitools/Dynamically-load-openssl.cnf-for-openssl-1.0.x-1.1.x.patch
@@ -1,26 +1,29 @@
-From ae36390629bd9c92cb732800a341f04ca11cd9c7 Mon Sep 17 00:00:00 2001
+From 0b579e0382ac86d6a6a72bbd5898cee75457922e Mon Sep 17 00:00:00 2001
 From: Lans Zhang <jia.zhang@windriver.com>
 Date: Wed, 16 Aug 2017 22:59:12 +0800
-Subject: [PATCH] Dynamically load openssl.cnf for openssl-1.0.x and 1.1.x
+Subject: [PATCH] Dynamically load openssl.cnf for openssl-1.0.x/1.1.x/3.0

 Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 ---
- Make.rules | 14 ++++++++++++--
- 1 file changed, 12 insertions(+), 2 deletions(-)
+ Make.rules | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)

 diff --git a/Make.rules b/Make.rules
-index 38c7a22..69c57cb 100644
+index b90c4d3..faf2ae4 100644
 --- a/Make.rules
 +++ b/Make.rules
-@@ -117,13 +117,23 @@ getvar = $(shell if [ "$(1)" = "PK" -o "$(1)" = "KEK" ]; then echo $(1); else ec
+@@ -116,13 +116,27 @@ getvar = $(shell if [ "$(1)" = "PK" -o "$(1)" = "KEK" ]; then echo $(1); else ec
 	$(CC) -S $(INCDIR) $(cflags) $(cppflags) -fno-toplevel-reorder -DBUILD_EFI -c $< -o $@
 
 %.crt:
 -	$(OPENSSL) req -new -x509 -newkey rsa:2048 -subj "/CN=$*/" -keyout $*.key -out $@ -days 3650 -nodes -sha256
-+	@if [ -s "$(OPENSSL_LIB)/ssl/openssl.cnf" ]; then \
-+	    cfg="$(OPENSSL_LIB)/ssl/openssl.cnf"; \
-+	else \
+	@if [ -s "$(OPENSSL_LIB)/ssl-3/openssl.cnf" ]; then \
+	    cfg="$(OPENSSL_LIB)/ssl-3/openssl.cnf"; \
+	elif [ -s "$(OPENSSL_LIB)/ssl-1.1/openssl.cnf" ]; then \
 +	    cfg="$(OPENSSL_LIB)/ssl-1.1/openssl.cnf"; \
+	else \
+	    cfg="$(OPENSSL_LIB)/ssl/openssl.cnf"; \
 +	fi; \
 +	$(OPENSSL) req -config $$cfg -new -x509 -newkey rsa:2048 -subj "/CN=$*/" -keyout $*.key -out $@ -days 3650 -nodes -sha256
 
@@ -29,15 +32,17 @@ index 38c7a22..69c57cb 100644
 
 %-subkey.csr:
 -	$(OPENSSL) req -new -newkey rsa:2048 -keyout $*-subkey.key -subj "/CN=Subkey $* of KEK/" -out $@ -nodes
-+	@if [ -s "$(OPENSSL_LIB)/ssl/openssl.cnf" ]; then \
-+	    cfg="$(OPENSSL_LIB)/ssl/openssl.cnf"; \
-+	else \
+	@if [ -s "$(OPENSSL_LIB)/ssl-3/openssl.cnf" ]; then \
+	    cfg="$(OPENSSL_LIB)/ssl-3/openssl.cnf"; \
+	elif [ -s "$(OPENSSL_LIB)/ssl-1.1/openssl.cnf" ]; then \
 +	    cfg="$(OPENSSL_LIB)/ssl-1.1/openssl.cnf"; \
+	else \
+	    cfg="$(OPENSSL_LIB)/ssl/openssl.cnf"; \
 +	fi; \
 +	$(OPENSSL) req -config $$cfg -new -newkey rsa:2048 -keyout $*-subkey.key -subj "/CN=Subkey $* of KEK/" -out $@ -nodes
 
 %-subkey.crt: %-subkey.csr KEK.crt
 	$(OPENSSL) x509 -req -in $< -CA DB.crt -CAkey DB.key -set_serial 1 -out $@ -days 365
 -- 
-2.7.5
+2.17.1