96 Commits

Author SHA1 Message Date
Archana Polampalli d218a980af shim: fix CVE-2022-28737
shim: Buffer overflow when loading crafted EFI images.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-2873

Upstream-Status: Backport [https://github.com/rhboot/shim/commit/e99bdbb827a50cde019393d3ca1e89397db221a7,
https://github.com/rhboot/shim/commit/159151b6649008793d6204a34d7b9c41221fb4b0]

CVE: CVE-2022-28737

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
2023-01-19 11:16:39 +08:00
Xiangyu Chen 551802f96f grub-efi: refresh patches for grub with fix of CVE-2022-28736
CVE-2022-28736 has 3 patches as below was conflicted with some meta-secure-boot layers patches.
loader-efi-chainloader-Simplify-the-loader-state.patch
commands-boot-Add-API-to-pass-context-to-loader.patch
CVE-2022-28736-loader-efi-chainloader-Use-grub_loader_set_ex.patch

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
2023-01-19 11:15:47 +08:00
Mingli Yu 5a8d5924a2 meta-efi-secure-boot: check efi-secure-boot DISTRO_FEATURES
Fix the below yocto compliance issue:
  INFO: ======================================================================
  INFO: FAIL: test_signatures (common.CommonCheckLayer)
  INFO: ----------------------------------------------------------------------
  INFO: Traceback (most recent call last):
   File "/build/layers/oe-core/scripts/lib/checklayer/cases/common.py", line 81, in test_signatures
    self.fail('Adding layer %s changed signatures.\n%s' % (self.tc.layer['name'], msg))
AssertionError: Adding layer meta-efi-secure-boot changed signatures.
17 signatures changed, initial differences (first hash before, second after):
   ovmf-native:do_configure: 98621d634860b524863c76c61a3b48d7aa4080bbe87b02a848ae6574ca349b5e -> 51b7ed0cd68914fe2a74e7db489ee0251fde1feab3ff4826e6df8a8be6f710bc
      bitbake-diffsigs --task ovmf-native do_configure --signature 98621d634860b524863c76c61a3b48d7aa4080bbe87b02a848ae6574ca349b5e 51b7ed0cd68914fe2a74e7db489ee0251fde1feab3ff4826e6df8a8be6f710bc
      NOTE: Starting bitbake server...
      basehash changed from 8b274e0d376c63104cbbcc0004a3758f2673d9e7f959854a0ffaa82ea04a9653 to d53127a75e96264ab92cffc956f93864435d48d1a0bf22899b35f78f1daf3bb3
      Variable PACKAGECONFIG value changed:
      @@ -1,3 +1,3 @@
      - ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'tpm', '', d)} ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'tpm', '', d)}
      + ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'tpm', '', d)} ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'tpm', '', d)} secureboot
       MACHINE_FEATURES{tpm} = Unset
       MACHINE_FEATURES{tpm2} = Unset

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
2022-12-06 09:16:14 +08:00
Yi Zhao fa438247c3 grub-efi: remove build host references from modinfo.sh
Fix buildpaths warning:
WARNING: grub-efi-2.06-r0 do_package_qa: QA Issue: File
/boot/efi/EFI/BOOT/x86_64-efi/modinfo.sh in package grub-efi contains
reference to TMPDIR [buildpaths]

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-11-03 09:48:02 +08:00
corey cothrum b4522579c0 (conditionally) add 'tpm' to list of grub built-in modules
If tpm/tpm2 is enabled in DISTRO features, add the grub 'tpm' module to
GRUB_BUILDIN.

This is now required for secureboot to work w/ TPM is also enabled in a
BIOS.
2022-04-12 08:34:09 +08:00
Yi Zhao bbd671ca72 meta-secure-core: Handle bitbake variable renaming
This is the result of automated script conversion:
poky/scripts/contrib/convert-variable-renames.py meta-secure-core

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-04-08 09:05:06 +08:00
Yi Zhao 56731a69db recipes: Update LICENSE variable to use SPDX license identifiers
Fix QA warnings:
WARNING: efitools-1.9.2+gitAUTOINC+392836a46c-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2 [obsolete-license]
WARNING: mokutil-0.3.0+gitAUTOINC+e19adc575c-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv3 [obsolete-license]

This is the result of automated script conversion:
poky/scripts/contrib/convert-spdx-licenses.py meta-secure-core

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2022-04-08 09:05:06 +08:00
Hongxu Jia 5d274050c7 grub-efi: split grub serure builtin option from GRUB_BUILDIN
Use variable GRUB_SECURE_BUILDIN to split grub secure
builtin option from GRUB_BUILDIN, then GRUB_BUILDIN will
not contain secure option for others grub-mkimage to
create no secure grub even though secure boot is enabled

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
2022-03-15 10:02:19 +08:00
Yi Zhao fea6a37625 recipes: update SRC_URI branch and protocols
Update SRC_URIs using git to include branch=master if no branch is set
and also to use protocol=https for github urls.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-11-15 09:56:02 +08:00
Peter Hatina 5fcb2f0e67 grub-efi: Remove $cmdpath from configuration for for grub-mkimage
Signed-off-by: Peter Hatina <peter@hatina.eu>
2021-10-29 15:37:21 +08:00
Yi Zhao 3fa3fc6dcb efitools: fix openssl.cnf path for openssl 3.0
Fix openssl.cnf path for openssl 3.0 to make sure openssl command can
find it.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-10-21 15:57:54 +08:00
Yi Zhao 4042043742 meta-secure-core: Convert to new override syntax
Converting the metadata to use ":" as the override character instead of "_".

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-08-09 18:51:13 +08:00
Mingli Yu b84dc32e1d shim_git: fix the do_fetch warning
Fixes:
WARNING: shim-12+gitAUTOINC+5202f80c32-r0 do_fetch: Failed to fetch URL git://github.com/rhboot/shim.git, attempting MIRRORS if available

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
2021-07-29 18:44:07 +08:00
jbouchard b9f183a416 prevent contamining the cache with embeded cfg 2021-05-01 09:29:19 +08:00
Yi Zhao bc84821aa4 grub: disable inside lockdown and shim_lock verifiers
The lockdown support[1] and secure boot detection[2] have been added to
grub 2.06. These verifiers are registered when UEFI Secure Boot is
enabled. Unfortunately, they conflict with the current MOK2 Verify
mechanism. So disable them.

Fixes grub error:
error: failed to verify kernel /bzImage

[1] http://git.savannah.gnu.org/cgit/grub.git/commit/?id=578c95298bcc46e0296f4c786db64c2ff26ce2cc
[2] http://git.savannah.gnu.org/cgit/grub.git/commit/?id=d7e54b2e5feee95d2f83058ed30d883c450d1473

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-04-21 12:57:22 +08:00
Ovidiu Panait 596c6c76ae grub-efi: enable secure-boot support only for target builds
grub-efi-native does not benefit from the extra code/modules that get built for
secure-boot support, it just increases the build time of the package.
Therefore, mark all secure-boot related procedures in the recipe for
class-target only.

Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
2021-04-04 22:39:35 +08:00
Alexandru Avadanii f7ae553e6c grub: Drop useless insmod verify from cfg
- the 'verify' grub module has been renamed to 'pgp' in grub 2.04;
- the 'pgp' grub module is already built-in if GRUB_SIGN_VERIFY is set,
  so there's no need to call insmod;

While at it, remove some unnecessary code duplication.

Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
2021-03-29 21:01:36 +08:00
Yi Zhao 4e1cc676dc grub-efi: refresh patches for grub 2.06
Rebase patch:
0001-grub-verify-Add-strict_security-variable.patch
Grub-get-and-set-efi-variables.patch
mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch

Drop 0001-fs-ext2-fix-the-file-not-found-error-when-symlink-fi.patch
since it has been merged upstream.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-03-24 18:11:20 +08:00
Chen Qi ee0d07240e grub-efi: update the bbapepnd file name
oe-core now uses the git version for grub-efi, so we'd better to
use the '%' wildcard for the bbappend file name.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
2021-03-24 18:11:20 +08:00
Corey Cothrum 1397fdd78f shim: update github address in SRC_URI 2021-03-03 10:56:30 +08:00
Jussi Keranen 64097c52a0 Grub: Verify buffiles, e.g. fonts and images 2021-02-02 18:55:52 +08:00
Jussi Keranen d72746bfa7 Grub: Parameterize prefix dir 2021-01-22 10:24:34 +08:00
Yi Zhao 2d1fb96206 grub: fix the file not found error when sysmlink filesize is 60
We encountered a file not found error when the symlink filesize is 60:

$ ls -l initrd
lrwxrwxrwx 1 root root 60 Jan  6 16:37 initrd -> secure-core-image-initramfs-5.10.2-yoctodev-standard.cpio.gz

When booting, we got the following error in grub:
error: file `/initrd' not found

The root cause is although the size of diro->inode.symlink is 60, it
includes the trailing '\0'. So if the symlink filesize is exactly 60, it
is also stored in a separate block rather than in the inode.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-01-19 17:44:02 +08:00
Yi Zhao 2747958070 grub-efi: refresh patch
Refresh mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch to
adapt the recent CVEs fixing.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2020-11-10 10:36:25 +08:00
Hongxu Jia 696ee1495c grub-efi-efi-secure-boot.inc: Adapt to potential psuedo changes
If we do adopt path filtering for pseudo, we may filter out ${DEPLOY_DIR}
as not needing to be tracked for "root" permissions. but we do track
the data in ${D} though, when we copy file from ${D} to ${DEPLOY_DIR},
pseudo report a failure
...
|cp: failed to preserve ownership for 'tmp-glibc/work/corei7-64-wrs-linux/
grub-efi/2.04-r0/deploy-grub-efi/efi-unsigned/x86_64-efi/fdt.lst'
: Operation not permitted
...

Disable pseudo for the copy operation

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
2020-10-14 19:40:03 +08:00
Hongxu Jia 8834753407 Revert "Removed unneeded patch to fix compilation error in efi-tool's console.c"
The patch to fix compilation error in efi-tool's console.c is required

This reverts commit a6c3d9fcd2.

In <=gnu-efi-3.0.9 variable is named EFI_WARN_UNKOWN_GLYPH, and
in gnu-efi-3.0.11 is renamed in EFI_WARN_UNKNOWN_GLYPH. The patch is
only for users with installed >=gnu-efi-3.0.11 because is in this
version that variable has changed name from EFI_WARN_UNKOWN_GLYPH
to EFI_WARN_UNKNOWN_GLYPH. [1]

In oe-core master branch, the gnu-efi is 3.0.11, we need to add
the fix back

[1] https://bugs.gentoo.org/701152

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
2020-04-16 16:33:23 +08:00
Abdelrahman Ibrahem a6c3d9fcd2 Removed unneeded patch to fix compilation error in efi-tool's console.c 2020-04-08 21:52:18 +08:00
richard d496407fc1 modified grub-efi-efi-secure-boot.inc to install also the grub configuration files in the DEPLOYDIR 2020-03-01 19:27:54 +08:00
Sandra Tobajas 561800fe3f grub-efi-efi-secure-boot.inc: append do_deploy instead overriding it
Append do_deploy function instead of overriding it.

Signed-off-by: Sandra Tobajas <sandra.tobajas@savoirfairelinux.com>
2020-01-16 08:35:40 +08:00
Sandra Tobajas 44a12b93b1 grub-efi-efi-secure-boot.inc: let EFI_BOOT_PATH be overrided
Let the EFI_BOOT_PATH Bitbake variable be overrided if needed.

Signed-off-by: Sandra Tobajas <sandra.tobajas@savoirfairelinux.com>
2020-01-16 08:35:40 +08:00
Yi Zhao c0e7d60718 grub-efi-efi-secure-boot.inc: use task_prepend instead of prefuncs for do_sign
The grub-efi-native build doesn't need to run do_sign task but there are
two prefuncs for do_sign still run in native build. This will cause a
build error when there is no gpg command on the host. Move the functions
to do_sign_prepend_class-target to make sure they only run in target
build.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2019-12-13 18:50:47 +08:00
Hongxu Jia 08c3f81a5f efitools: do not do_sign if GRUB_SIGN_VERIFY not enabled
If GRUB_SIGN_VERIFY is not enabled, do_sign will fail in which GPG_PATH
is not set (--homedir None)
...
|DEBUG: Executing python function do_sign
|NOTE: Running: echo "SecureCore" | tmp-glibc/hosttools/gpg  --pinentry-mode
loopback --batch --homedir None -u "SecureBootCore" --detach-sign
--passphrase-fd 0 "tmp-glibc/work/core2-32-wrs-linux/efitools/
1.9.2+gitAUTOINC+392836a46c-r0/image/boot/efi/EFI/BOOT/LockDown.efi"
|ERROR: Failed to sign: tmp-glibc/work/core2-32-wrs-linux/efitools/
1.9.2+gitAUTOINC+392836a46c-r0/image/boot/efi/EFI/BOOT/LockDown.efi
...

Since GPG_PATH is set in do_sign's prefunc check_boot_public_key if
GRUB_SIGN_VERIFY is enabled, add the same condition to do_sign

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
2019-11-19 18:09:03 +08:00
Hongxu Jia 73602a5eea efitools-native: Fix compilation problem with latest /usr/include/efi
Since commit [382ffa1 efitools: Fix compilation problem with
latest /usr/include/efi], we should apply the fix to native also.

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
2019-11-19 16:05:17 +08:00
Jason Wessel 31d2105b7a secure boot: Make SELoader optional and copy sig files when GRUB_SIGN_VERIFY=1
This commit makes the SELoader entire optional and allows it to be
removed, with the intended replacement being to use grub's built in
gpg key verification.

It will be possible in a template or local.conf:

UEFI_SELOADER = "0"
GRUB_SIGN_VERIFY = "1"

[ Issue: LINUXEXEC-2450 ]

Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
2019-11-08 13:27:23 +08:00
Jason Wessel 01f67e4c7e grub: Make SELoader optional and add gpg verify support
Allow SELoader to be an optional component for secure boot
verification.  The GPG_SIGN_VERIFY variable was added to control the
ability to have grub perform all of the verification of the loaded
files using a public key which gets built into grub at the time that
mkimage is run.

It is not intended that GPG_SIGN_VERIFY and UEFI_SELOADER would both
be set to "1".  While this configuration could work, it makes very
little sense to use the system that way.

Also enabled is the tftp feature for grub as a builtin.  This allows
grub to start from the network when the UEFI is configured to boot off
the network with tftp.

[ Issue: LINUXEXEC-2450 ]

Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
2019-11-08 13:27:23 +08:00
Jason Wessel 382ffa19cf efitools: Fix compilation problem with latest /usr/include/efi
| gcc  -I/opt/tmp/work/x86_64-linux/efitools-native/1.9.2+gitAUTOINC+392836a46c-r0/git/include/ -I/opt/tmp/work/x86_64-linux/efitools-native/1.9.2+gitAUTOINC+392836a46c-r0/recipe-sysroot-native/usr/include -I/opt/tmp/work/x86_64-linux/efitools-native/1.9.2+gitAUTOINC+392836a46c-r0/recipe-sysroot-native/usr/include/efi -I/opt/tmp/work/x86_64-linux/efitools-native/1.9.2+gitAUTOINC+392836a46c-r0/recipe-sysroot-native/usr/include/efi/x86_64 -I/opt/tmp/work/x86_64-linux/efitools-native/1.9.2+gitAUTOINC+392836a46c-r0/recipe-sysroot-native/usr/include/efi/protocol -O2 -g  -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -fno-stack-protector -ffreestanding -fno-stack-check -DGNU_EFI_USE_MS_ABI -DEFI_FUNCTION_WRAPPER -mno-red-zone -DCONFIG_x86_64 -fno-toplevel-reorder -DBUILD_EFI -c console.c -o console.efi.o
| console.c:360:5: error: ‘EFI_WARN_UNKOWN_GLYPH’ undeclared here (not in a function); did you mean ‘EFI_WARN_UNKNOWN_GLYPH’?
|   {  EFI_WARN_UNKOWN_GLYPH,      L"Warning Unknown Glyph"},
|      ^~~~~~~~~~~~~~~~~~~~~
|      EFI_WARN_UNKNOWN_GLYPH
| ../Make.rules:113: recipe for target 'console.efi.o' failed

Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
2019-11-08 13:27:23 +08:00
Jason Wessel fab7b8d93d shim: Fix compilation problem with latest /usr/include/efi
| x86_64-poky-linux-gcc -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin -Werror=sign-compare -ffreestanding -std=gnu89 -I/opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/recipe-sysroot-native/usr/bin/x86_64-poky-linux/../../lib/x86_64-poky-linux/gcc/x86_64-poky-linux/9.2.0/include -DDEFAULT_LOADER=L"\SELoaderx64.efi" -DDEFAULT_LOADER_CHAR="\SELoaderx64.efi" -nostdinc -I/opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/git/Cryptlib -I/opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/git/Cryptlib/Include -I/opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/recipe-sysroot/usr/include/efi -I/opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/recipe-sysroot/usr/include/efi/x86_64 -I/opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/recipe-sysroot/usr/include/efi/protocol -I/opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/git/include -iquote /opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/git -iquote /opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/git -DOVERRIDE_SECURITY_POLICY -DENABLE_HTTPBOOT -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI -DNO_BUILTIN_VA_FUNCS -DMDE_CPU_X64 -DPAGE_SIZE=4096 -DEFI_ARCH=L"x64" -DDEBUGDIR=L"/usr/lib/debug/usr/share/shim/x64-12-_poky_3.0/" -DVENDOR_CERT_FILE="/opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/vendor_cert.cer"   -c -o console.o console.c
| console.c:363:5: error: 'EFI_WARN_UNKOWN_GLYPH' undeclared here (not in a function); did you mean 'EFI_WARN_UNKNOWN_GLYPH'?
|   363 |  {  EFI_WARN_UNKOWN_GLYPH,      L"Warning Unknown Glyph"},
|       |     ^~~~~~~~~~~~~~~~~~~~~
|       |     EFI_WARN_UNKNOWN_GLYPH
| <builtin>: recipe for target 'console.o' failed
| make[1]: *** [console.o] Error 1
| make[1]: Leaving directory '/opt/tmp/work/core2-64-poky-linux/shim/12+gitAUTOINC+5202f80c32-r0/git/lib'
| Makefile:223: recipe for target 'lib/lib.a' failed
| make: *** [lib/lib.a] Error 2
| WARNING: exit code 1 from a shell command.

Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
2019-11-08 13:27:23 +08:00
Jason Wessel 1473c05286 efitools: Uprev to fix LockDown.efi for UEFI built after 2018
Versions of the UEFI core from 2018 on will not work properly with
LockDown.efi's key install.  It will report that the PK key cannot be
installed due to the handling of the signature header with the PKCS7
data.  There are several other minor bug fixes, with the short log
shown below.

====

James Bottomley (13):
      cert-to-efi-hash-list: fix for openssl 1.1
      Version: 1.8.0
      Fix Fedora build
      Version: 1.8.1
      factor out variable signing code
      support engine based keys
      use SignedData instead of PKCS7 for variable updates
      Version: 1.9.0
      Makefile: Reverse the order of lib.a and -lcrypto
      Version: 1.9.1
      sign-efi-sig-list: add man page entry for engine option
      sha256: do not align raw section sizes
      Version: 1.9.2

pai-yi.huang (1):
      efi-updatevar: remove all authenticated attributes from signature

 Make.rules              |   6 ++---
 Makefile                |  12 +++++-----
 cert-to-efi-hash-list.c |   6 ++++-
 efi-updatevar.c         |  28 +++++++++++------------
 include/openssl_sign.h  |  10 ++++++++
 include/version.h       |   2 +-
 lib/Makefile            |   2 +-
 lib/openssl_sign.c      | 156 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 lib/sha256.c            |   8 ++++---
 sign-efi-sig-list.c     |  59 +++++++++++------------------------------------
 10 files changed, 213 insertions(+), 76 deletions(-)
 create mode 100644 include/openssl_sign.h
 create mode 100644 lib/openssl_sign.c

[ Issue: LINUXEXEC-2450 ]

Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
2019-11-08 13:27:23 +08:00
Zhao Yi 5698bb8529 grub-efi/boot-menu.inc: remove invalid menuentry (#122)
Currently the recovery menuentry is not available because we don't
provide bzImage_backup and initrd_backup. Remove this entry.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2019-11-01 18:21:09 +08:00
Dmitry Eremin-Solenikov 883be5aff5 seloader: use pkcs7 drivers from OVMF
Rather than using pre-compiled EFI drivers, use freshly compiled drivers
from OVMF source tree.

Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
2019-09-04 16:39:59 +03:00
Dmitry Eremin-Solenikov 26ced755f5 grub-efi: support mok2 verify in multiboot2 protocol
Add support for verifying PKCS#7 signatures via MOK2 protocol to
multiboot2 command enabling one to load multiboot-capable kernels.

Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
2019-09-04 12:01:45 +03:00
Liwei Song c624ea2843 grub-efi: fix uid contamination by host QA warning
Fix the following QA issue:
WARNING: grub-efi-2.04-r0 do_package_qa: QA Issue: grub-efi: /boot/efi/EFI/BOOT/grub.cfg.p7b is owned by uid 19183

chown to root for p7b file to fix uid contamination by host.

Signed-off-by: Liwei Song <liwei.song@windriver.com>
2019-08-26 22:47:38 -04:00
Mark Hatle ed0de6b295 meta-efi-secure-boot: only apply if efi-secure-boot distro flag set
Only apply grub-efi and linux-yocto bbappend if feature efi-secure-boot
set

Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2019-08-13 20:53:14 +08:00
Yi Zhao 70e22755a6 grub-efi: update bbappend and refresh patches
The grub-efi has been upgraded to 2.04 in oe-core. Update the bbappend
and refresh patches to adapt it.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2019-08-13 20:53:14 +08:00
Yi Zhao 6f94e34e05 shim: fix build failure with gcc9
Backport patch to fix build error with gcc9 for option
"-Werror=address-of-packed-member"

MokManager.c: In function 'write_back_mok_list':
MokManager.c:1125:19: error: taking address of packed member of 'struct
<anonymous>' may result in an unaligned pointer value
[-Werror=address-of-packed-member]
 1125 |   if (CompareGuid(&(list[i].Type), &CertType) == 0)
      |                   ^~~~~~~~~~~~~~~
MokManager.c:1147:19: error: taking address of packed member of 'struct
<anonymous>' may result in an unaligned pointer value
[-Werror=address-of-packed-member]
 1147 |   if (CompareGuid(&(list[i].Type), &CertType) == 0) {
      |                   ^~~~~~~~~~~~~~~
MokManager.c: In function 'delete_cert':
MokManager.c:1188:19: error: taking address of packed member of 'struct
<anonymous>' may result in an unaligned pointer value
[-Werror=address-of-packed-member]
 1188 |   if (CompareGuid(&(mok[i].Type), &CertType) != 0)
      |                   ^~~~~~~~~~~~~~
MokManager.c: In function 'delete_hash_in_list':
MokManager.c:1239:20: error: taking address of packed member of 'struct
<anonymous>' may result in an unaligned pointer value
[-Werror=address-of-packed-member]
 1239 |   if ((CompareGuid(&(mok[i].Type), &Type) != 0) ||
      |                    ^~~~~~~~~~~~~~
MokManager.c: In function 'delete_keys':
MokManager.c:1410:19: error: taking address of packed member of 'struct
<anonymous>' may result in an unaligned pointer value
[-Werror=address-of-packed-member]
 1410 |   if (CompareGuid(&(del_key[i].Type), &CertType) == 0) {
      |                   ^~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
<builtin>: recipe for target 'MokManager.o' failed

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2019-06-05 11:33:01 +08:00
Wenzong Fan dba3038152 grub-efi: fix the potential uninitialized error for variable 'err'
Fix the build errors with DEBUG_BUILD enabled:
  grub-core/loader/linux.c: In function 'grub_initrd_load':
  grub-core/loader/linux.c:326:10: error: 'err' may be used \
  uninitialized in this function [-Werror=maybe-uninitialized]

In function grub_initrd_load:
grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
          char *argv[], void *target)
{
  [snip]
  grub_err_t err;
  [snip]

  #ifdef GRUB_MACHINE_EFI
      [snip]
      err = grub_verify_file (argv[i]);
      [snip]
  #endif

  [snip]
fail:
  [snip]
  return err;
}

If the GRUB_MACHINE_EFI is not defined, the function would return an
uninitialized value for 'err'. We should initialize it when this
variable is assigned.

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-12-03 15:12:41 +08:00
Tom Rini 6274757665 meta-efi-secure-boot: Ensure openssl-native exists when we need it
In order to deploy our secure boot keys in DER format we need to use
openssl.  This must be listed in our DEPENDS line in order for the
sysroot to be populated correctly when we run do_sign.  Also drop the
explicit fakeroot on our empty grub-efi do_sign as we may not have
globally populated virtual/fakeroot-native at that point in time.

Fixes: 92316d4b40 ("meta-signing-key: When deploying keys UEFI keys, deploy DER format")
Signed-off-by: Tom Rini <trini@konsulko.com>
2018-11-07 23:40:20 +08:00
Jia Zhang 139a9b656d Clean up the stuffs for stable branches
The following commits are reverted by the way:

- seloader: Fix building for rocko (bc6bbe2)
- meta-integrity: rpm: Add back in required patches for rocko (5fa9c85)

Because they are only applicable to rocko.

Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
2018-09-20 21:21:37 -04:00
Yi Zhao 41c93d4802 efitools: refresh patch to fix QA warning
Refresh patch Build-DBX-by-default.patch

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-09-06 16:58:07 +08:00
Yi Zhao ec8e07c9fd efitools: add the deployed artifacts to SSTATE_DUPWHITELIST
The oe-core commit 05f6042a40bb772f7ce8d6819c5b2937d8c9808d removed
DEPLOY_DIR_IMAGE from SSTATE_DUPWHITELIST which caused a do_depoy error
when enable multilib:

$ bitbake efitools lib32-efitools

ERROR: lib32-efitools-1.7.0+gitAUTOINC+0649468475-r0 do_deploy: The
recipe lib32-efitools is trying to install files into a shared area when
those files already exist. Those files and their manifest location are:
  /buildarea/build/tmp-glibc/deploy/images/qemux86-64/LockDown.efi
      (matched in manifest-qemux86_64-efitools.deploy)
Please verify which recipe should provide the above files.

Add the deployed artifacts to SSTATE_DUPWHITELIST to fix this issue.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2018-09-06 16:57:21 +08:00