efitools: support to build with openssl-1.1.x

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
author: Lans Zhang <jia.zhang@windriver.com> 2017-08-16 20:31:33 +0800
committer: Lans Zhang <jia.zhang@windriver.com> 2017-08-16 23:01:13 +0800
commit: d5a4de8f096e2a03d89b5a756f5ab65f316a79dc (patch)
tree: 5537e6d319ca994a4d639843cd5f22f44aa8fec7
parent: 8ff4d25a90d5d0c5ae011cd46a10fc1c4e238c32 (diff)
download: meta-secure-core-d5a4de8f096e2a03d89b5a756f5ab65f316a79dc.tar.gz
3 files changed, 78 insertions, 0 deletions
diff --git a/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc b/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc
index 446c713..74d262b 100644
--- a/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc
+++ b/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc
@@ -28,6 +28,8 @@ SRC_URI = "\
    file://Don-t-build-PreLoader.efi.patch \
    file://Reuse-xxdi.pl.patch \
    file://Add-static-keyword-for-IsValidVariableHeader.patch \
+    file://Dynamically-load-openssl.cnf-for-openssl-1.0.x-and-1.patch \
+    file://cert-to-efi-hash-list-support-to-build-with-openssl-.patch \
 "
 SRCREV = "0649468475d20d8ca5634433c4912467cef3ce93"
@@ -40,6 +42,7 @@ inherit perlnative
 EXTRA_OEMAKE = "\
    HELP2MAN='${STAGING_BINDIR_NATIVE}/help2man' \
    OPENSSL='${STAGING_BINDIR_NATIVE}/openssl' \
+    OPENSSL_CFG=' -config ${STAGING_LIBDIR_NATIVE}/ssl-1.1/openssl.cnf' \
    SBSIGN='${STAGING_BINDIR_NATIVE}/sbsign' \
    OPENSSL_LIB='${STAGING_LIBDIR}' \
    NM='${NM}' AR='${AR}' \
diff --git a/meta-efi-secure-boot/recipes-bsp/efitools/efitools/Dynamically-load-openssl.cnf-for-openssl-1.0.x-and-1.patch b/meta-efi-secure-boot/recipes-bsp/efitools/efitools/Dynamically-load-openssl.cnf-for-openssl-1.0.x-and-1.patch
new file mode 100644
index 0000000..5236893
--- /dev/null
+++ b/meta-efi-secure-boot/recipes-bsp/efitools/efitools/Dynamically-load-openssl.cnf-for-openssl-1.0.x-and-1.patch
@@ -0,0 +1,43 @@
+From ae36390629bd9c92cb732800a341f04ca11cd9c7 Mon Sep 17 00:00:00 2001
+From: Lans Zhang <jia.zhang@windriver.com>
+Date: Wed, 16 Aug 2017 22:59:12 +0800
+Subject: [PATCH] Dynamically load openssl.cnf for openssl-1.0.x and 1.1.x
+Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
+---
+ Make.rules | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+diff --git a/Make.rules b/Make.rules
+index 38c7a22..69c57cb 100644
+--- a/Make.rules
+++ b/Make.rules
+@@ -117,13 +117,23 @@ getvar = $(shell if [ "$(1)" = "PK" -o "$(1)" = "KEK" ]; then echo $(1); else ec
+        $(CC) -S $(INCDIR) $(cflags) $(cppflags) -fno-toplevel-reorder -DBUILD_EFI -c $< -o $@
+ 
+ %.crt:
+-       $(OPENSSL) req -new -x509 -newkey rsa:2048 -subj "/CN=$*/" -keyout $*.key -out $@ -days 3650 -nodes -sha256
+       @if [ -s "$(OPENSSL_LIB)/ssl/openssl.cnf" ]; then \
+           cfg="$(OPENSSL_LIB)/ssl/openssl.cnf"; \
+       else \
+           cfg="$(OPENSSL_LIB)/ssl-1.1/openssl.cnf"; \
+       fi; \
+       $(OPENSSL) req -config $$cfg -new -x509 -newkey rsa:2048 -subj "/CN=$*/" -keyout $*.key -out $@ -days 3650 -nodes -sha256
+ 
+ %.cer: %.crt
+        $(OPENSSL) x509 -in $< -out $@ -outform DER
+ 
+ %-subkey.csr:
+-       $(OPENSSL) req -new -newkey rsa:2048 -keyout $*-subkey.key -subj "/CN=Subkey $* of KEK/" -out $@ -nodes
+       @if [ -s "$(OPENSSL_LIB)/ssl/openssl.cnf" ]; then \
+           cfg="$(OPENSSL_LIB)/ssl/openssl.cnf"; \
+       else \
+           cfg="$(OPENSSL_LIB)/ssl-1.1/openssl.cnf"; \
+       fi; \
+       $(OPENSSL) req -config $$cfg -new -newkey rsa:2048 -keyout $*-subkey.key -subj "/CN=Subkey $* of KEK/" -out $@ -nodes
+ 
+ %-subkey.crt: %-subkey.csr KEK.crt
+        $(OPENSSL) x509 -req -in $< -CA DB.crt -CAkey DB.key -set_serial 1 -out $@ -days 365
+-- 
+2.7.5
diff --git a/meta-efi-secure-boot/recipes-bsp/efitools/efitools/cert-to-efi-hash-list-support-to-build-with-openssl-.patch b/meta-efi-secure-boot/recipes-bsp/efitools/efitools/cert-to-efi-hash-list-support-to-build-with-openssl-.patch
new file mode 100644
index 0000000..b4f9ff6
--- /dev/null
+++ b/meta-efi-secure-boot/recipes-bsp/efitools/efitools/cert-to-efi-hash-list-support-to-build-with-openssl-.patch
@@ -0,0 +1,32 @@
+From 1b87c0e53efdccec4c05d2b92699f49cd3d6ec79 Mon Sep 17 00:00:00 2001
+From: Lans Zhang <jia.zhang@windriver.com>
+Date: Wed, 16 Aug 2017 19:52:37 +0800
+Subject: [PATCH] cert-to-efi-hash-list: support to build with openssl-1.1.x
+X509 becomes opaque since openssl-1.1.x and thus uses the equivalent
+function i2d_re_X509_tbs() instead to encode tbs portion of the certificate.
+Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
+---
+ cert-to-efi-hash-list.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/cert-to-efi-hash-list.c b/cert-to-efi-hash-list.c
+index 3792553..2f2584c 100644
+--- a/cert-to-efi-hash-list.c
+++ b/cert-to-efi-hash-list.c
+@@ -135,7 +135,11 @@ main(int argc, char *argv[])
+         X509 *cert = PEM_read_bio_X509(cert_bio, NULL, NULL, NULL);
+        unsigned char *cert_buf = NULL;
+ 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+        int cert_len = i2d_X509_CINF(cert->cert_info, &cert_buf);
+#else
+       int cert_len = i2d_re_X509_tbs(cert, &cert_buf);
+#endif
+        ERR_print_errors_fp(stdout);
+ 
+        int len, digest_len, time_offset;
+-- 
+2.7.5
author	Lans Zhang <jia.zhang@windriver.com>	2017-08-16 20:31:33 +0800
committer	Lans Zhang <jia.zhang@windriver.com>	2017-08-16 23:01:13 +0800
commit	d5a4de8f096e2a03d89b5a756f5ab65f316a79dc (patch)
tree	5537e6d319ca994a4d639843cd5f22f44aa8fec7
parent	8ff4d25a90d5d0c5ae011cd46a10fc1c4e238c32 (diff)
download	meta-secure-core-d5a4de8f096e2a03d89b5a756f5ab65f316a79dc.tar.gz

diff --git a/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc b/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc index 446c713..74d262b 100644 --- a/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc +++ b/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc
@@ -28,6 +28,8 @@ SRC_URI = "\
28	file://Don-t-build-PreLoader.efi.patch \	28	file://Don-t-build-PreLoader.efi.patch \
29	file://Reuse-xxdi.pl.patch \	29	file://Reuse-xxdi.pl.patch \
30	file://Add-static-keyword-for-IsValidVariableHeader.patch \	30	file://Add-static-keyword-for-IsValidVariableHeader.patch \
		31	file://Dynamically-load-openssl.cnf-for-openssl-1.0.x-and-1.patch \
		32	file://cert-to-efi-hash-list-support-to-build-with-openssl-.patch \
31	"	33	"
32	SRCREV = "0649468475d20d8ca5634433c4912467cef3ce93"	34	SRCREV = "0649468475d20d8ca5634433c4912467cef3ce93"
33		35
@@ -40,6 +42,7 @@ inherit perlnative
40	EXTRA_OEMAKE = "\	42	EXTRA_OEMAKE = "\
41	HELP2MAN='${STAGING_BINDIR_NATIVE}/help2man' \	43	HELP2MAN='${STAGING_BINDIR_NATIVE}/help2man' \
42	OPENSSL='${STAGING_BINDIR_NATIVE}/openssl' \	44	OPENSSL='${STAGING_BINDIR_NATIVE}/openssl' \
		45	OPENSSL_CFG=' -config ${STAGING_LIBDIR_NATIVE}/ssl-1.1/openssl.cnf' \
43	SBSIGN='${STAGING_BINDIR_NATIVE}/sbsign' \	46	SBSIGN='${STAGING_BINDIR_NATIVE}/sbsign' \
44	OPENSSL_LIB='${STAGING_LIBDIR}' \	47	OPENSSL_LIB='${STAGING_LIBDIR}' \
45	NM='${NM}' AR='${AR}' \	48	NM='${NM}' AR='${AR}' \


diff --git a/meta-efi-secure-boot/recipes-bsp/efitools/efitools/Dynamically-load-openssl.cnf-for-openssl-1.0.x-and-1.patch b/meta-efi-secure-boot/recipes-bsp/efitools/efitools/Dynamically-load-openssl.cnf-for-openssl-1.0.x-and-1.patch new file mode 100644 index 0000000..5236893 --- /dev/null +++ b/meta-efi-secure-boot/recipes-bsp/efitools/efitools/Dynamically-load-openssl.cnf-for-openssl-1.0.x-and-1.patch
@@ -0,0 +1,43 @@
		1	From ae36390629bd9c92cb732800a341f04ca11cd9c7 Mon Sep 17 00:00:00 2001
		2	From: Lans Zhang <jia.zhang@windriver.com>
		3	Date: Wed, 16 Aug 2017 22:59:12 +0800
		4	Subject: [PATCH] Dynamically load openssl.cnf for openssl-1.0.x and 1.1.x
		5
		6	Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
		7	---
		8	Make.rules \| 14 ++++++++++++--
		9	1 file changed, 12 insertions(+), 2 deletions(-)
		10
		11	diff --git a/Make.rules b/Make.rules
		12	index 38c7a22..69c57cb 100644
		13	--- a/Make.rules
		14	+++ b/Make.rules
		15	@@ -117,13 +117,23 @@ getvar = $(shell if [ "$(1)" = "PK" -o "$(1)" = "KEK" ]; then echo $(1); else ec
		16	$(CC) -S $(INCDIR) $(cflags) $(cppflags) -fno-toplevel-reorder -DBUILD_EFI -c $< -o $@
		17
		18	%.crt:
		19	- $(OPENSSL) req -new -x509 -newkey rsa:2048 -subj "/CN=$/" -keyout $.key -out $@ -days 3650 -nodes -sha256
		20	+ @if [ -s "$(OPENSSL_LIB)/ssl/openssl.cnf" ]; then \
		21	+ cfg="$(OPENSSL_LIB)/ssl/openssl.cnf"; \
		22	+ else \
		23	+ cfg="$(OPENSSL_LIB)/ssl-1.1/openssl.cnf"; \
		24	+ fi; \
		25	+ $(OPENSSL) req -config $$cfg -new -x509 -newkey rsa:2048 -subj "/CN=$/" -keyout $.key -out $@ -days 3650 -nodes -sha256
		26
		27	%.cer: %.crt
		28	$(OPENSSL) x509 -in $< -out $@ -outform DER
		29
		30	%-subkey.csr:
		31	- $(OPENSSL) req -new -newkey rsa:2048 -keyout $-subkey.key -subj "/CN=Subkey $ of KEK/" -out $@ -nodes
		32	+ @if [ -s "$(OPENSSL_LIB)/ssl/openssl.cnf" ]; then \
		33	+ cfg="$(OPENSSL_LIB)/ssl/openssl.cnf"; \
		34	+ else \
		35	+ cfg="$(OPENSSL_LIB)/ssl-1.1/openssl.cnf"; \
		36	+ fi; \
		37	+ $(OPENSSL) req -config $$cfg -new -newkey rsa:2048 -keyout $-subkey.key -subj "/CN=Subkey $ of KEK/" -out $@ -nodes
		38
		39	%-subkey.crt: %-subkey.csr KEK.crt
		40	$(OPENSSL) x509 -req -in $< -CA DB.crt -CAkey DB.key -set_serial 1 -out $@ -days 365
		41	--
		42	2.7.5
		43


diff --git a/meta-efi-secure-boot/recipes-bsp/efitools/efitools/cert-to-efi-hash-list-support-to-build-with-openssl-.patch b/meta-efi-secure-boot/recipes-bsp/efitools/efitools/cert-to-efi-hash-list-support-to-build-with-openssl-.patch new file mode 100644 index 0000000..b4f9ff6 --- /dev/null +++ b/meta-efi-secure-boot/recipes-bsp/efitools/efitools/cert-to-efi-hash-list-support-to-build-with-openssl-.patch
@@ -0,0 +1,32 @@
		1	From 1b87c0e53efdccec4c05d2b92699f49cd3d6ec79 Mon Sep 17 00:00:00 2001
		2	From: Lans Zhang <jia.zhang@windriver.com>
		3	Date: Wed, 16 Aug 2017 19:52:37 +0800
		4	Subject: [PATCH] cert-to-efi-hash-list: support to build with openssl-1.1.x
		5
		6	X509 becomes opaque since openssl-1.1.x and thus uses the equivalent
		7	function i2d_re_X509_tbs() instead to encode tbs portion of the certificate.
		8
		9	Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
		10	---
		11	cert-to-efi-hash-list.c \| 4 ++++
		12	1 file changed, 4 insertions(+)
		13
		14	diff --git a/cert-to-efi-hash-list.c b/cert-to-efi-hash-list.c
		15	index 3792553..2f2584c 100644
		16	--- a/cert-to-efi-hash-list.c
		17	+++ b/cert-to-efi-hash-list.c
		18	@@ -135,7 +135,11 @@ main(int argc, char *argv[])
		19	X509 *cert = PEM_read_bio_X509(cert_bio, NULL, NULL, NULL);
		20	unsigned char *cert_buf = NULL;
		21
		22	+#if OPENSSL_VERSION_NUMBER < 0x10100000L
		23	int cert_len = i2d_X509_CINF(cert->cert_info, &cert_buf);
		24	+#else
		25	+ int cert_len = i2d_re_X509_tbs(cert, &cert_buf);
		26	+#endif
		27	ERR_print_errors_fp(stdout);
		28
		29	int len, digest_len, time_offset;
		30	--
		31	2.7.5
		32