Fix the build errors with DEBUG_BUILD enabled:
grub-core/loader/linux.c: In function 'grub_initrd_load':
grub-core/loader/linux.c:326:10: error: 'err' may be used \
uninitialized in this function [-Werror=maybe-uninitialized]
In function grub_initrd_load:
grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
char *argv[], void *target)
{
[snip]
grub_err_t err;
[snip]
#ifdef GRUB_MACHINE_EFI
[snip]
err = grub_verify_file (argv[i]);
[snip]
#endif
[snip]
fail:
[snip]
return err;
}
If the GRUB_MACHINE_EFI is not defined, the function would return an
uninitialized value for 'err'. We should initialize it when this
variable is assigned.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
In order to deploy our secure boot keys in DER format we need to use
openssl. This must be listed in our DEPENDS line in order for the
sysroot to be populated correctly when we run do_sign. Also drop the
explicit fakeroot on our empty grub-efi do_sign as we may not have
globally populated virtual/fakeroot-native at that point in time.
Fixes: 92316d4b40 ("meta-signing-key: When deploying keys UEFI keys, deploy DER format")
Signed-off-by: Tom Rini <trini@konsulko.com>
The following commits are reverted by the way:
- seloader: Fix building for rocko (bc6bbe2)
- meta-integrity: rpm: Add back in required patches for rocko (5fa9c85)
Because they are only applicable to rocko.
Signed-off-by: Jia Zhang <zhang.jia@linux.alibaba.com>
The oe-core commit 05f6042a40bb772f7ce8d6819c5b2937d8c9808d removed
DEPLOY_DIR_IMAGE from SSTATE_DUPWHITELIST which caused a do_depoy error
when enable multilib:
$ bitbake efitools lib32-efitools
ERROR: lib32-efitools-1.7.0+gitAUTOINC+0649468475-r0 do_deploy: The
recipe lib32-efitools is trying to install files into a shared area when
those files already exist. Those files and their manifest location are:
/buildarea/build/tmp-glibc/deploy/images/qemux86-64/LockDown.efi
(matched in manifest-qemux86_64-efitools.deploy)
Please verify which recipe should provide the above files.
Add the deployed artifacts to SSTATE_DUPWHITELIST to fix this issue.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
The oe-core commit 05f6042a40bb772f7ce8d6819c5b2937d8c9808d removed
DEPLOY_DIR_IMAGE from SSTATE_DUPWHITELIST which caused a do_depoy error
when enable multilib:
$ bitbake seloader lib32-seloader
ERROR: lib32-seloader-0.4.6+gitAUTOINC+8b90f76a8d-r0 do_deploy: The
recipe lib32-seloader is trying to install files into a shared area when
those files already exist. Those files and their manifest location are:
/buildarea/build/tmp-glibc/deploy/images/qemux86-64/Pkcs7VerifyDxe.efi
(matched in manifest-qemux86_64-seloader.deploy)
/buildarea/build/tmp-glibc/deploy/images/qemux86-64/Hash2DxeCrypto.efi
(matched in manifest-qemux86_64-seloader.deploy)
/buildarea/build/tmp-glibc/deploy/images/qemux86-64/efi-unsigned/Pkcs7VerifyDxe.efi
(matched in manifest-qemux86_64-seloader.deploy)
/buildarea/build/tmp-glibc/deploy/images/qemux86-64/efi-unsigned/Hash2DxeCrypto.efi
(matched in manifest-qemux86_64-seloader.deploy)
Please verify which recipe should provide the above files.
Add the deployed artifacts to SSTATE_DUPWHITELIST to fix this issue.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
There are times were we might want to include sbsigntool into an SDK so
rename the recipe and extend to include nativesdk. We also need gnu-efi
to support nativesdk so include that in a bbappend.
Signed-off-by: Tom Rini <trini@konsulko.com>
When building on rocko we have gnu-efi version 3.0.6 around and seloader
needs to be told this for certain string functions to be provided by
itself rather than gnu-efi. Add in conditional logic to pass this only
for rocko.
Signed-off-by: Tom Rini <trini@konsulko.com>
It is helpful when secure boot is enabled, because you can not
modify boot command line after boot-menu.inc is signed before deploying.
Signed-off-by: Jinliang Li <jinliang.li@linux.alibaba.com>
Functions efi_call_foo and efi_shim_exit are not implemented for arm64
yet, so remove 'aarch64' from COMPATIBLE_HOST for now.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
It fails to build grub-efi for arm64. Add definitions of missing macros
and replace x86 specified asm codes with function grub_halt().
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Refresh the following patches:
0003-efi-chainloader-implement-an-UEFI-Exit-service-for-s.patch
0005-efi-chainloader-use-shim-to-load-and-verify-an-image.patch
Grub-get-and-set-efi-variables.patch
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
- In all cases, when building Linux apps (and thus linking with gcc) we
need to pass in the normal set of LDFLAGS for both rpath and link hash
type.
- Rework Fix-for-the-cross-compilation.patch a bit. When linking EFI
apps (and thus linking with ld) we don't need to pass in other special
flags. When linking the "openssl" apps we do not need to spell out
the crtN files as gcc handles that for us, they are normal Linux apps.
Ensure that all Linux apps get our EXTRA_LDFLAGS passed in.
With all of these changes we are now able to reuse sstate cache between
build directories.
Signed-off-by: Tom Rini <trini@konsulko.com>
oe_filter_out has been removed from oe-core so use the
replacement function oe.utils.str_filter_out.
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
shim will uninstall MOK Verify Protocol when launching fallack,
implying it is impossible to get the instance of MOK Verify Protocol
for SELoader. This behavior violates the original intention of
introducing fallback.
Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
Fix the error:
mok2verify.c:169:53: error: \
format '%lx' expects argument of type 'long unsigned int', \
but argument 3 has type 'grub_efi_status_t {aka int}' \
[-Werror=format=]
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
encrypted-storage layer will include more security features about encrypted
storage so the term "encrypted-storage" won't be used to specify a dedicated
technology term such as "LUKS".
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
Currently, OPENSSL_LIB is only used for locating openssl.cnf in order
to work around openssl-1.1.x.
Signed-off-by: Jia Zhang <lans.zhang2008@gmail.com>
- httpboot.o cannot be built if ".PRECIOUS: " is placed ahead
of "<tab>CFLAGS +=".
- uri pointer should not be freed if NULL.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>