sbsigntool: Fix compilation when gnu-efi is missing and re-add patches

commit fa5550d97de6("sbsigntool: Update to latest and change repos") tried to fix compilation for arm architectures. Due to the changes in the upstream package though host gnu-efi was required to compile the package. Also that commit removed a useful commit (-x support on sbsigntool), which I mistakenly remembered it was already upstreamed. So fix the gnu-efi error and fixup the useful patch to keep the existring functionality. The old package was also depending on binutils-dev being installed on the host. Fix that and depend on binutils-native. While at it purge the unused patches. Fixes: commit fa5550d97de6("sbsigntool: Update to latest and change repos") Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2026-06-03 15:49:42 +00:00 · 2021-03-10 16:03:50 +02:00
parent 477e4a812b
commit a7d57f04b8
11 changed files with 144 additions and 380 deletions
@@ -0,0 +1,52 @@
 From 7a555e12924393104b4bdd361ca74c9d3e589166 Mon Sep 17 00:00:00 2001
 From: Ilias Apalodimas <ilias.apalodimas@linaro.org>
 Date: Wed, 10 Mar 2021 15:51:49 +0200
 Subject: [PATCH 1/3] configure: Dont't check for gnu-efi
 The configure.ac is searching the gnu-efi libs in hardcoded paths making
 the configure fail.
 We explictly include the paths in our .bb recipe, so let's get rid of
 the check
 Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
 ---
 configure.ac | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
 diff --git a/configure.ac b/configure.ac
 index 4ffb68ffa024..346296f82f06 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -17,9 +17,9 @@ AC_PROG_MKDIR_P
 AC_CHECK_TOOL(OBJCOPY, [objcopy])
 AC_CHECK_TOOL(STRIP, [strip])
 - AC_CHECK_HEADER([bfd.h], [],
 -  AC_MSG_ERROR([bfd.h not found.]
 -[bfd.h is usually distributed in a binutils development package.]))
 + #AC_CHECK_HEADER([bfd.h], [],
 +  #AC_MSG_ERROR([bfd.h not found.]
 +#[bfd.h is usually distributed in a binutils development package.]))
 if test $cross_compiling = no; then
   AM_MISSING_PROG(HELP2MAN, help2man)
@@ -75,12 +75,11 @@ for path in /lib /lib64 /usr/lib /usr/lib64 /usr/lib32 /lib/efi /lib64/efi /usr/
        CRTPATH=$path
     fi
 done
 -if test -z "$CRTPATH"; then
 -   AC_MSG_ERROR([cannot find the gnu-efi crt path])
 -fi
 +#if test -z "$CRTPATH"; then
 +   #AC_MSG_ERROR([cannot find the gnu-efi crt path])
 +#fi
 -EFI_CPPFLAGS="-I/usr/include/efi -I/usr/include/efi/$EFI_ARCH \
 - -DEFI_FUNCTION_WRAPPER"
 +EFI_CPPFLAGS="-DEFI_FUNCTION_WRAPPER"
 CPPFLAGS_save="$CPPFLAGS"
 CPPFLAGS="$CPPFLAGS $EFI_CPPFLAGS"
 AC_CHECK_HEADERS([efi.h], [], [], $EFI_INCLUDES)
 -- 
 2.30.2
@@ -0,0 +1,29 @@
 From fb2663b257947effc510ec4133214a22d344a9a8 Mon Sep 17 00:00:00 2001
 From: Ilias Apalodimas <ilias.apalodimas@linaro.org>
 Date: Wed, 10 Mar 2021 15:52:52 +0200
 Subject: [PATCH 2/3] docs: Don't build man pages
 Man pages not needed on embedded targets
 Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
 ---
 docs/Makefile.am | 5 -----
 1 file changed, 5 deletions(-)
 diff --git a/docs/Makefile.am b/docs/Makefile.am
 index 89ed11012492..6918dd8cc3b8 100644
 --- a/docs/Makefile.am
 +++ b/docs/Makefile.am
@@ -1,9 +1,4 @@
 -man1_MANS = sbsign.1 sbverify.1 sbattach.1 sbvarsign.1 sbsiglist.1 \
 -		sbkeysync.1
 -
 -EXTRA_DIST = sbsign.1.in sbverify.1.in sbattach.1.in \
 -		sbvarsign.1.in sbsiglist.1.in sbkeysync.1.in
 CLEANFILES = $(man1_MANS)
 $(builddir)/%.1: $(srcdir)/%.1.in $(top_builddir)/src/%
 -- 
 2.30.2
@@ -1,20 +1,20 @@
-From 0016a571a5ea1ab65817973f179800947e1aa8de Mon Sep 17 00:00:00 2001
+From 441f69eb94daa514f7dd4ba0db45a4e31f93015f Mon Sep 17 00:00:00 2001
-From: Lans Zhang <jia.zhang@windriver.com>
+From: Ilias Apalodimas <ilias.apalodimas@linaro.org>
-Date: Fri, 15 Jan 2016 09:40:56 +0800
+Date: Wed, 10 Mar 2021 15:53:21 +0200
-Subject: [PATCH] sbsign: add -x option to avoid overwrite existing signature
+Subject: [PATCH 3/3] sbsign: add -x option to avoid overwrite existing
-
+ signature
 Upstream-Status: Pending
 Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
 Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
 ---
 src/sbsign.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
 diff --git a/src/sbsign.c b/src/sbsign.c
-index dcf6eed..7dc101f 100644
+index 898fe669f9dd..3a5ed3248948 100644
 --- a/src/sbsign.c
 +++ b/src/sbsign.c
-@@ -66,6 +66,7 @@ struct sign_context {
+@@ -69,6 +69,7 @@ struct sign_context {
 };
 static struct option options[] = {
@@ -22,29 +22,29 @@ index dcf6eed..7dc101f 100644
 	{ "output", required_argument, NULL, 'o' },
 	{ "cert", required_argument, NULL, 'c' },
 	{ "key", required_argument, NULL, 'k' },
-@@ -87,6 +88,7 @@ static void usage(void)
+@@ -94,6 +95,7 @@ static void usage(void)
- 		"\t--cert <certfile>  certificate (x509 certificate)\n"
+ 		"\t--addcert <addcertfile> additional intermediate certificates in a file\n"
 		"\t--detached         write a detached signature, instead of\n"
 		"\t                    a signed binary\n"
 +		"\t--noresign         don't re-sign the binary if signed\n"
 		"\t--output <file>    write signed data to <file>\n"
 		"\t                    (default <efi-boot-image>.signed,\n"
 		"\t                    or <efi-boot-image>.pk7 for detached\n"
-@@ -114,7 +116,7 @@ int main(int argc, char **argv)
+@@ -155,7 +157,7 @@ int main(int argc, char **argv)
- 	const char *keyfilename, *certfilename;
+ 	const char *keyfilename, *certfilename, *addcertfilename, *engine;
 	struct sign_context *ctx;
 	uint8_t *buf, *tmp;
 -	int rc, c, sigsize;
 +	int rc, c, sigsize, no_resign = 0;
 	EVP_PKEY *pkey;
 	ctx = talloc_zero(NULL, struct sign_context);
- 
+@@ -167,11 +169,14 @@ int main(int argc, char **argv)
@@ -123,11 +125,14 @@ int main(int argc, char **argv)
 	for (;;) {
 		int idx;
-		c = getopt_long(argc, argv, "o:c:k:dvVh", options, &idx);
+-		c = getopt_long(argc, argv, "o:c:k:dvVhe:a:", options, &idx);
-+		c = getopt_long(argc, argv, "xo:c:k:dvVh", options, &idx);
+		c = getopt_long(argc, argv, "xo:c:k:dvVhe:a:", options, &idx);
 		if (c == -1)
 			break;
@@ -55,7 +55,7 @@ index dcf6eed..7dc101f 100644
 		case 'o':
 			ctx->outfilename = talloc_strdup(ctx, optarg);
 			break;
-@@ -178,6 +183,14 @@ int main(int argc, char **argv)
+@@ -228,6 +233,14 @@ int main(int argc, char **argv)
 	if (!ctx->image)
 		return EXIT_FAILURE;
@@ -71,5 +71,5 @@ index dcf6eed..7dc101f 100644
 	ERR_load_crypto_strings();
 -- 
-1.9.1
+2.30.2
@@ -1,41 +0,0 @@
 From e58a528ef57e53008222f238cce7c326a14572e2 Mon Sep 17 00:00:00 2001
 From: James Bottomley <JBottomley@Parallels.com>
 Date: Mon, 30 Sep 2013 19:25:37 -0700
 Subject: [PATCH] Fix for multi-sign
 Upstream-Status: Inappropriate [embedded specific]
 The new Tianocore multi-sign code fails now for images signed with
 sbsigntools.  The reason is that we don't actually align the signature table,
 we just slap it straight after the binary data.  Unfortunately, the new
 multi-signature code checks that our alignment offsets are correct and fails
 the signature for this reason.  Fix by adding junk to the end of the image to
 align the signature section.
 Signed-off-by: James Bottomley <JBottomley@Parallels.com>
 ---
 src/image.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
 diff --git a/src/image.c b/src/image.c
 index 10eba0e..519e288 100644
 --- a/src/image.c
 +++ b/src/image.c
@@ -385,7 +385,13 @@ static int image_find_regions(struct image *image)
 	/* record the size of non-signature data */
 	r = &image->checksum_regions[image->n_checksum_regions - 1];
 -	image->data_size = (r->data - (void *)image->buf) + r->size;
 +	/*
 +	 * The new Tianocore multisign does a stricter check of the signatures
 +	 * in particular, the signature table must start at an aligned offset
 +	 * fix this by adding bytes to the end of the text section (which must
 +	 * be included in the hash)
 +	 */
 +	image->data_size = align_up((r->data - (void *)image->buf) + r->size, 8);
 	return 0;
 }
 -- 
 1.8.4
@@ -1,73 +0,0 @@
 From 6ef94a67490176a6d84b4968f303e6d1c51a49ce Mon Sep 17 00:00:00 2001
 From: Lans Zhang <jia.zhang@windriver.com>
 Date: Wed, 16 Aug 2017 10:09:43 +0800
 Subject: [PATCH] Fix the deprecated ASN1_STRING_data() in openssl-1.1.0
 Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
 ---
 src/idc.c       | 4 ++--
 src/idc.h       | 4 ++++
 src/sbkeysync.c | 3 ++-
 3 files changed, 8 insertions(+), 3 deletions(-)
 diff --git a/src/idc.c b/src/idc.c
 index 236cefd..7f99a53 100644
 --- a/src/idc.c
 +++ b/src/idc.c
@@ -238,7 +238,7 @@ struct idc *IDC_get(PKCS7 *p7, BIO *bio)
 	/* extract the idc from the signed PKCS7 'other' data */
 	str = p7->d.sign->contents->d.other->value.asn1_string;
 -	idcbuf = buf = ASN1_STRING_data(str);
 +	idcbuf = buf = (const unsigned char *)ASN1_STRING_get0_data(str);
 	idc = d2i_IDC(NULL, &buf, ASN1_STRING_length(str));
 	/* If we were passed a BIO, write the idc data, minus type and length,
@@ -289,7 +289,7 @@ int IDC_check_hash(struct idc *idc, struct image *image)
 	}
 	/* check hash against the one we calculated from the image */
 -	buf = ASN1_STRING_data(str);
 +	buf = (const unsigned char *)ASN1_STRING_get0_data(str);
 	if (memcmp(buf, sha, sizeof(sha))) {
 		fprintf(stderr, "Hash doesn't match image\n");
 		fprintf(stderr, " got:       %s\n", sha256_str(buf));
 diff --git a/src/idc.h b/src/idc.h
 index a6526de..8011237 100644
 --- a/src/idc.h
 +++ b/src/idc.h
@@ -36,6 +36,10 @@
 #include <openssl/pkcs7.h>
 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
 +#define ASN1_STRING_get0_data	ASN1_STRING_data
 +#endif
 +
 struct idc;
 int IDC_set(PKCS7 *p7, PKCS7_SIGNER_INFO *si, struct image *image);
 diff --git a/src/sbkeysync.c b/src/sbkeysync.c
 index a63d3b8..223a047 100644
 --- a/src/sbkeysync.c
 +++ b/src/sbkeysync.c
@@ -54,6 +54,7 @@
 #include "fileio.h"
 #include "efivars.h"
 +#include "idc.h"
 #define EFIVARS_MOUNTPOINT	"/sys/firmware/efi/efivars"
 #define PSTORE_FSTYPE		0x6165676C
@@ -210,7 +211,7 @@ static int x509_key_parse(struct key *key, uint8_t *data, size_t len)
 	serial = x509->cert_info->serialNumber;
 	key->id_len = ASN1_STRING_length(serial);
 -	key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len);
 +	key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len);
 	key->description = talloc_array(key, char, description_len);
 	X509_NAME_oneline(x509->cert_info->subject,
 -- 
 2.7.5
@@ -1,158 +0,0 @@
 From ddf7f08d27d6a44eb62928b33c66204ffa3d7edb Mon Sep 17 00:00:00 2001
 From: Lans Zhang <jia.zhang@windriver.com>
 Date: Tue, 15 Aug 2017 13:05:14 +0800
 Subject: [PATCH] Update OpenSSL API usage to support OpenSSL 1.1
 Most structure definitions in OpenSSL are now opaque and we must call
 the appropriate accessor functions to get information from them.
 Not all the accessors are available in older versions, so define the
 missing accessors as macros.
 The X509_retrieve_match() function is no longer usable, as we cannot
 initialise an X509_OBJECT ourselves.  Instead, iterate over the
 certificate store and use X509_OBJECT_get_type and X509_cmp to
 compare certificates.
 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
 ---
 src/sbkeysync.c |  7 +++----
 src/sbverify.c  | 52 ++++++++++++++++++++++++++++++++++++++--------------
 2 files changed, 41 insertions(+), 18 deletions(-)
 diff --git a/src/sbkeysync.c b/src/sbkeysync.c
 index ef028ef..19e3064 100644
 --- a/src/sbkeysync.c
 +++ b/src/sbkeysync.c
@@ -204,16 +204,15 @@ static int x509_key_parse(struct key *key, uint8_t *data, size_t len)
 		return -1;
 	/* we use the X509 serial number as the key ID */
 -	if (!x509->cert_info || !x509->cert_info->serialNumber)
 +	serial = X509_get_serialNumber(x509);
 +	if (!serial)
 		goto out;
 -	serial = x509->cert_info->serialNumber;
 -
 	key->id_len = ASN1_STRING_length(serial);
 	key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len);
 	key->description = talloc_array(key, char, description_len);
 -	X509_NAME_oneline(x509->cert_info->subject,
 +	X509_NAME_oneline(X509_get_subject_name(x509),
 			key->description, description_len);
 	rc = 0;
 diff --git a/src/sbverify.c b/src/sbverify.c
 index fb03d21..0aed71a 100644
 --- a/src/sbverify.c
 +++ b/src/sbverify.c
@@ -55,6 +55,14 @@
 #include <openssl/pem.h>
 #include <openssl/x509v3.h>
 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
 +#define X509_OBJECT_get0_X509(obj) ((obj)->data.x509)
 +#define X509_OBJECT_get_type(obj) ((obj)->type)
 +#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert)
 +#define X509_STORE_get0_objects(certs) ((certs)->objs)
 +#define X509_get_extended_key_usage(cert) ((cert)->ex_xkusage)
 +#endif
 +
 static const char *toolname = "sbverify";
 static const int cert_name_len = 160;
@@ -123,9 +131,9 @@ static void print_signature_info(PKCS7 *p7)
 	for (i = 0; i < sk_X509_num(p7->d.sign->cert); i++) {
 		cert = sk_X509_value(p7->d.sign->cert, i);
 -		X509_NAME_oneline(cert->cert_info->subject,
 +		X509_NAME_oneline(X509_get_subject_name(cert),
 				subject_name, cert_name_len);
 -		X509_NAME_oneline(cert->cert_info->issuer,
 +		X509_NAME_oneline(X509_get_issuer_name(cert),
 				issuer_name, cert_name_len);
 		printf(" - subject: %s\n", subject_name);
@@ -136,20 +144,26 @@ static void print_signature_info(PKCS7 *p7)
 static void print_certificate_store_certs(X509_STORE *certs)
 {
 	char subject_name[cert_name_len + 1], issuer_name[cert_name_len + 1];
 +	STACK_OF(X509_OBJECT) *objs;
 	X509_OBJECT *obj;
 +	X509 *cert;
 	int i;
 	printf("certificate store:\n");
 -	for (i = 0; i < sk_X509_OBJECT_num(certs->objs); i++) {
 -		obj = sk_X509_OBJECT_value(certs->objs, i);
 +	objs = X509_STORE_get0_objects(certs);
 +
 +	for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
 +		obj = sk_X509_OBJECT_value(objs, i);
 -		if (obj->type != X509_LU_X509)
 +		if (X509_OBJECT_get_type(obj) != X509_LU_X509)
 			continue;
 -		X509_NAME_oneline(obj->data.x509->cert_info->subject,
 +		cert = X509_OBJECT_get0_X509(obj);
 +
 +		X509_NAME_oneline(X509_get_subject_name(cert),
 				subject_name, cert_name_len);
 -		X509_NAME_oneline(obj->data.x509->cert_info->issuer,
 +		X509_NAME_oneline(X509_get_issuer_name(cert),
 				issuer_name, cert_name_len);
 		printf(" - subject: %s\n", subject_name);
@@ -182,12 +196,21 @@ static int load_detached_signature_data(struct image *image,
 static int cert_in_store(X509 *cert, X509_STORE_CTX *ctx)
 {
 -	X509_OBJECT obj;
 +	STACK_OF(X509_OBJECT) *objs;
 +	X509_OBJECT *obj;
 +	int i;
 +
 +	objs = X509_STORE_get0_objects(X509_STORE_CTX_get0_store(ctx));
 -	obj.type = X509_LU_X509;
 -	obj.data.x509 = cert;
 +	for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
 +		obj = sk_X509_OBJECT_value(objs, i);
 -	return X509_OBJECT_retrieve_match(ctx->ctx->objs, &obj) != NULL;
 +		if (X509_OBJECT_get_type(obj) == X509_LU_X509 &&
 +		    !X509_cmp(X509_OBJECT_get0_X509(obj), cert))
 +			return 1;
 +	}
 +
 +	return 0;
 }
 static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
@@ -195,15 +218,16 @@ static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
 	int err = X509_STORE_CTX_get_error(ctx);
 	/* also accept code-signing keys */
 -	if (err == X509_V_ERR_INVALID_PURPOSE
 -			&& ctx->cert->ex_xkusage == XKU_CODE_SIGN)
 +	if (err == X509_V_ERR_INVALID_PURPOSE &&
 +			X509_get_extended_key_usage(X509_STORE_CTX_get0_cert(ctx))
 +			== XKU_CODE_SIGN)
 		status = 1;
 	/* all certs given with the --cert argument are trusted */
 	else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
 			err == X509_V_ERR_CERT_UNTRUSTED) {
 -		if (cert_in_store(ctx->current_cert, ctx))
 +		if (cert_in_store(X509_STORE_CTX_get_current_cert(ctx), ctx))
 			status = 1;
 	}
 -- 
 2.7.5
@@ -1,15 +0,0 @@
 Upstream-Status: Inappropriate [embedded specific]
 diff --git a/docs/Makefile.am b/docs/Makefile.am
 index 1b5a588..6918dd8 100644
 --- a/docs/Makefile.am
 +++ b/docs/Makefile.am
@@ -1,8 +1,4 @@
 -man1_MANS = sbsign.1 sbverify.1 sbattach.1 sbvarsign.1 sbsiglist.1
 -
 -EXTRA_DIST = sbsign.1.in sbverify.1.in sbattach.1.in \
 -		sbvarsign.1.in sbsiglist.1.in
 CLEANFILES = $(man1_MANS)
 $(builddir)/%.1: $(srcdir)/%.1.in $(top_builddir)/src/%
@@ -1,33 +0,0 @@
 From 05e73dbe1f25600ad0dbb36b2d690560c5a36281 Mon Sep 17 00:00:00 2001
 From: Lans Zhang <jia.zhang@windriver.com>
 Date: Tue, 31 Mar 2015 15:34:38 +0800
 Subject: [PATCH] Fix mixed implicit and normal rules
 Upstream-Status: Inappropriate [embedded specific]
 This patch comes from upstream:
 http://git.yoctoproject.org/cgit/cgit.cgi/meta-luv/plain/recipes-devtools/sbsigntool/sbsigntool/fix-mixed-implicit-and-normal-rules.patch
 Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
 ---
 Makefile | 4 ----
 1 file changed, 4 deletions(-)
 diff --git a/Makefile b/Makefile
 index 65d0d8f..a83185d 100644
 --- a/Makefile
 +++ b/Makefile
@@ -39,10 +39,6 @@ $(SCOREDIR)/SUMMARY: $(MODS:%=$(SCOREDIR)/%.score)
 	$(CC) -v >> $@
 	cat $^ | grep 'Total score:' >> $@
 -$(SCOREDIR)/%.score: ccan/%/_info tools/ccanlint/ccanlint $(OBJFILES)
 -	mkdir -p `dirname $@`
 -	$(CCANLINT) -v -s ccan/$* > $@ || true
 -
 $(ALL_DEPENDS): %/.depends: %/_info tools/ccan_depends
 	tools/ccan_depends $* > $@ || ( rm -f $@; exit 1 )
 -- 
 1.8.3.1
@@ -1,30 +0,0 @@
 From a6862cb3bb3b00a1d6704b2bd1fedbd1374be861 Mon Sep 17 00:00:00 2001
 From: Lans Zhang <jia.zhang@windriver.com>
 Date: Thu, 6 Apr 2017 11:11:14 +0800
 Subject: [PATCH] image: fix the segment fault caused by the uninitialized
 sigbuf
 The uninitialized struct image might contain a non-zeroed sigbuf and then
 it is wrongly freed by image_add_signature().
 Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
 ---
 src/image.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/image.c b/src/image.c
 index cc55791..644e8f1 100644
 --- a/src/image.c
 +++ b/src/image.c
@@ -395,7 +395,7 @@ struct image *image_load(const char *filename)
 	struct image *image;
 	int rc;
 -	image = talloc(NULL, struct image);
 +	image = talloc_zero(NULL, struct image);
 	if (!image) {
 		perror("talloc(image)");
 		return NULL;
 -- 
 2.11.0
@@ -8,18 +8,24 @@ LIC_FILES_CHKSUM = "\
 "
 DEPENDS += "binutils openssl gnu-efi gnu-efi-native"
-DEPENDS += "help2man-native coreutils-native openssl-native util-linux-native"
+DEPENDS += "binutils-native help2man-native coreutils-native openssl-native util-linux-native"
-PV = "0.8+git${SRCPV}"
+SRC_URI = " \
-
+    git://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git;protocol=https;name=sbsigntools \
-SRC_URI = "\
+    git://github.com/rustyrussell/ccan.git;protocol=https;destsuffix=git/lib/ccan.git;name=ccan \
-    git://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git;protocol=https;name=sbsigntool \
+    file://0001-configure-Dont-t-check-for-gnu-efi.patch \
    file://0002-docs-Don-t-build-man-pages.patch \
    file://0003-sbsign-add-x-option-to-avoid-overwrite-existing-sign.patch \
 "
-SRCREV="f12484869c9590682ac3253d583bf59b890bb826"
+SRCREV_sbsigntools  ?= "f12484869c9590682ac3253d583bf59b890bb826"
 SRCREV_ccan         ?= "b1f28e17227f2320d07fe052a8a48942fe17caa5"
 SRCREV_FORMAT       =  "sbsigntools_ccan"
 PV = "0.9.2-git${SRCPV}"
 S = "${WORKDIR}/git"
-inherit native  autotools-brokensep pkgconfig
+inherit autotools-brokensep pkgconfig native
 def efi_arch(d):
    import re
@@ -35,16 +41,43 @@ def efi_arch(d):
 #    --with-libtool-sysroot \
 #"
 HOST_EXTRACFLAGS += "\
    INCLUDES+='-I${S}/lib/ccan.git/ \
              -I${STAGING_INCDIR_NATIVE}/efi \
              -I${STAGING_INCDIR_NATIVE} \
 "
 EXTRA_OEMAKE += "\
    INCLUDES='-I${S}/lib/ccan.git' \
-    EFI_CPPFLAGS='-I${STAGING_INCDIR}/efi \
+    EFI_CPPFLAGS='-I${STAGING_INCDIR} -I${STAGING_INCDIR}/efi \
                  -I${STAGING_INCDIR}/efi/${@efi_arch(d)}' \
 "
-do_configure() {
+do_configure_prepend() {
-    cd "${S}"
+    cd ${S}
-    ./autogen.sh
+
-    oe_runconf
+    if [ ! -e lib/ccan ]; then
        # Use empty SCOREDIR because 'make scores' is not run.
        # The default setting depends on (non-whitelisted) host tools.
        sed -i -e 's#^\(SCOREDIR=\).*#\1#' lib/ccan.git/Makefile
        lib/ccan.git/tools/create-ccan-tree \
            --build-type=automake lib/ccan \
            talloc read_write_all build_assert array_size endian
    fi
    # Create generatable docs from git
    (
    echo "Authors of sbsigntool:"
    echo
    git log --format='%an' | sort -u | sed 's,^,\t,'
    ) > AUTHORS
    # Generate simple ChangeLog
    git log --date=short --format='%ad %t %an <%ae>%n%n  * %s%n' > ChangeLog
    cd ${B}
 }
 BBCLASSEXTEND = "native nativesdk"