From 1473c05286859f4b2ed7c7e97422f1fa226c9dfb Mon Sep 17 00:00:00 2001 From: Jason Wessel Date: Wed, 2 Oct 2019 04:00:05 -0700 Subject: efitools: Uprev to fix LockDown.efi for UEFI built after 2018 Versions of the UEFI core from 2018 on will not work properly with LockDown.efi's key install. It will report that the PK key cannot be installed due to the handling of the signature header with the PKCS7 data. There are several other minor bug fixes, with the short log shown below. ==== James Bottomley (13): cert-to-efi-hash-list: fix for openssl 1.1 Version: 1.8.0 Fix Fedora build Version: 1.8.1 factor out variable signing code support engine based keys use SignedData instead of PKCS7 for variable updates Version: 1.9.0 Makefile: Reverse the order of lib.a and -lcrypto Version: 1.9.1 sign-efi-sig-list: add man page entry for engine option sha256: do not align raw section sizes Version: 1.9.2 pai-yi.huang (1): efi-updatevar: remove all authenticated attributes from signature Make.rules | 6 ++--- Makefile | 12 +++++----- cert-to-efi-hash-list.c | 6 ++++- efi-updatevar.c | 28 +++++++++++------------ include/openssl_sign.h | 10 ++++++++ include/version.h | 2 +- lib/Makefile | 2 +- lib/openssl_sign.c | 156 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ lib/sha256.c | 8 ++++--- sign-efi-sig-list.c | 59 +++++++++++------------------------------------ 10 files changed, 213 insertions(+), 76 deletions(-) create mode 100644 include/openssl_sign.h create mode 100644 lib/openssl_sign.c [ Issue: LINUXEXEC-2450 ] 
Signed-off-by: Jason Wessel --- .../recipes-bsp/efitools/efitools.inc | 5 +-- .../efitools/Fix-for-the-cross-compilation.patch | 48 ++++++++++------------ ...e-build-warning-caused-by-implicit-declar.patch | 25 +++-------- ...-hash-list-support-to-build-with-openssl-.patch | 32 --------------- 4 files changed, 30 insertions(+), 80 deletions(-) delete mode 100644 meta-efi-secure-boot/recipes-bsp/efitools/efitools/cert-to-efi-hash-list-support-to-build-with-openssl-.patch diff --git a/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc b/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc index 0217818..a1a1d1d 100644 --- a/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc +++ b/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc @@ -15,7 +15,7 @@ DEPENDS_append += "\ libfile-slurp-perl-native \ " -PV = "1.7.0+git${SRCPV}" +PV = "1.9.2+git${SRCPV}" SRC_URI = "\ git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git \ @@ -29,9 +29,8 @@ SRC_URI = "\ file://Reuse-xxdi.pl.patch \ file://Add-static-keyword-for-IsValidVariableHeader.patch \ file://Dynamically-load-openssl.cnf-for-openssl-1.0.x-and-1.patch \ - file://cert-to-efi-hash-list-support-to-build-with-openssl-.patch \ " -SRCREV = "0649468475d20d8ca5634433c4912467cef3ce93" +SRCREV = "392836a46ce3c92b55dc88a1aebbcfdfc5dcddce" PARALLEL_MAKE = "" diff --git a/meta-efi-secure-boot/recipes-bsp/efitools/efitools/Fix-for-the-cross-compilation.patch b/meta-efi-secure-boot/recipes-bsp/efitools/efitools/Fix-for-the-cross-compilation.patch index a5be1ef..d846fb1 100644 --- a/meta-efi-secure-boot/recipes-bsp/efitools/efitools/Fix-for-the-cross-compilation.patch +++ b/meta-efi-secure-boot/recipes-bsp/efitools/efitools/Fix-for-the-cross-compilation.patch @@ -8,11 +8,9 @@ Upstream-Status: Pending 
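Review bot: The new `SRCREV = "392836a46ce3c92b55dc88a1aebbcfdfc5dcddce"` in the `@@ -29,9 +29,8 @@` hunk of efitools.inc is the only integrity anchor for this fetch, because the unchanged `SRC_URI` line pulls over plain `git://`, which has no transport authentication; a full 40-character commit hash keeps that acceptable, so this pin must not later be shortened or replaced by a branch or tag name. The commit message and the `PV = "1.9.2+git${SRCPV}"` bump present this as the 1.9.2 release, but nothing on the page ties the hash to the v1.9.2 tag, so please confirm it against upstream before merging. Dropping `file://cert-to-efi-hash-list-support-to-build-with-openssl-.patch` is consistent with the upstream `cert-to-efi-hash-list: fix for openssl 1.1` entry in the shortlog, but the remaining `Dynamically-load-openssl.cnf-for-openssl-1.0.x-and-1.patch` is not rebased here even though upstream adds `lib/openssl_sign.c` and factors the signing code out of `sign-efi-sig-list.c`; it is worth a build check that it still applies and still covers the new signing path.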
Signed-off-by: Lans Zhang --- Make.rules | 51 ++++++++++++++++++++++++++++----------------------- - Makefile | 12 ++++++------ - 2 files changed, 34 insertions(+), 29 deletions(-) + Makefile | 20 ++++++++++---------- + 2 files changed, 38 insertions(+), 33 deletions(-) -diff --git a/Make.rules b/Make.rules -index 88d5481bef6a..c794a621095b 100644 --- a/Make.rules +++ b/Make.rules @@ -13,21 +13,26 @@ ARCH3264 = 
@@ -21,21 +19,21 @@ index 88d5481bef6a..c794a621095b 100644 endif -INCDIR = -I$(TOPDIR)include/ -I/usr/include/efi -I/usr/include/efi/$(ARCH) -I/usr/include/efi/protocol -CPPFLAGS = -DCONFIG_$(ARCH) --CFLAGS = -O2 $(ARCH3264) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -fno-stack-protector -ffreestanding -fno-stack-check +-CFLAGS = -O2 -g $(ARCH3264) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -fno-stack-protector -ffreestanding -fno-stack-check -LDFLAGS = -nostdlib -+INCDIR = -I$(TOPDIR)include/ -I$(INCDIR_PREFIX)/usr/include/efi -I$(INCDIR_PREFIX)/usr/include/efi/$(ARCH) -I$(INCDIR_PREFIX)/usr/include/efi/protocol ++INCDIR = -I$(TOPDIR)include/ -I$(INCDIR_PREFIX)/usr/include -I$(INCDIR_PREFIX)/usr/include/efi -I$(INCDIR_PREFIX)/usr/include/efi/$(ARCH) -I$(INCDIR_PREFIX)/usr/include/efi/protocol +cppflags = -DCONFIG_$(ARCH) -+cflags = -O2 $(ARCH3264) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -fno-stack-protector -ffreestanding -fno-stack-check $(CFLAGS) ++cflags = -O2 -g $(ARCH3264) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -fno-stack-protector -ffreestanding -fno-stack-check +ldflags = -nostdlib CRTOBJ = crt0-efi-$(ARCH).o - CRTPATHS = /lib /lib64 /lib/efi /lib64/efi /usr/lib /usr/lib64 /usr/lib/efi /usr/lib64/efi + CRTPATHS = /lib /lib64 /lib/efi /lib64/efi /usr/lib /usr/lib64 /usr/lib/efi /usr/lib64/efi /usr/lib/gnuefi /usr/lib64/gnuefi -CRTPATH = $(shell for f in $(CRTPATHS); do if [ -e $$f/$(CRTOBJ) ]; then echo $$f; break; fi; done) +CRTPATH = $(shell for f in $(CRTPATHS); do if [ -e $(CRTPATH_PREFIX)/$$f/$(CRTOBJ) ]; then echo $(CRTPATH_PREFIX)/$$f; break; fi; done) CRTOBJS = $(CRTPATH)/$(CRTOBJ) # there's a bug in the gnu tools ... 
the .reloc section has to be # aligned otherwise the file alignment gets screwed up LDSCRIPT = elf_$(ARCH)_efi.lds --LDFLAGS += -shared -Bsymbolic $(CRTOBJS) -L $(CRTPATH) -T $(LDSCRIPT) +-LDFLAGS += -shared -Bsymbolic $(CRTOBJS) -L $(CRTPATH) -L /usr/lib -L /usr/lib64 -T $(LDSCRIPT) +ldflags += -shared -Bsymbolic $(CRTOBJS) -L $(CRTPATH) -T $(LDSCRIPT) LOADLIBES = -lefi -lgnuefi $(shell $(CC) $(ARCH3264) -print-libgcc-file-name) FORMAT = --target=efi-app-$(ARCH) @@ -48,7 +46,7 @@ index 88d5481bef6a..c794a621095b 100644 MYGUID = 11111111-2222-3333-4444-123456789abc INSTALL = install BINDIR = $(DESTDIR)/usr/bin -@@ -36,23 +41,23 @@ EFIDIR = $(DESTDIR)/usr/share/efitools/efi +@@ -36,23 +41,23 @@ EFIDIR = $(DESTDIR)/usr/share/efitools/ DOCDIR = $(DESTDIR)/usr/share/efitools # globally use EFI calling conventions (requires gcc >= 4.7) @@ -93,7 +91,7 @@ index 88d5481bef6a..c794a621095b 100644 %.hash: %.efi hash-to-efi-sig-list ./hash-to-efi-sig-list $< $@ -@@ -99,28 +104,28 @@ getvar = $(shell if [ "$(1)" = "PK" -o "$(1)" = "KEK" ]; then echo $(1); else ec +@@ -99,28 +104,28 @@ getvar = $(shell if [ "$(1)" = "PK" -o " ./sign-efi-sig-list -a -c PK.crt -k PK.key dbx $< $@ %.o: %.c @@ -130,7 +128,7 @@ index 88d5481bef6a..c794a621095b 100644 ## # No need for KEK signing -@@ -129,7 +134,7 @@ getvar = $(shell if [ "$(1)" = "PK" -o "$(1)" = "KEK" ]; then echo $(1); else ec +@@ -129,7 +134,7 @@ getvar = $(shell if [ "$(1)" = "PK" -o " # sbsign --key KEK.key --cert KEK.crt --output $@ $< %.a: @@ -139,8 +137,6 @@ index 88d5481bef6a..c794a621095b 100644 doc/%.1: doc/%.1.in % $(HELP2MAN) --no-info -i $< -o $@ ./$* -diff --git a/Makefile b/Makefile -index 774ee0aed7e9..4c3f91b5850f 100644 --- a/Makefile +++ b/Makefile @@ -73,7 +73,7 @@ ms-%.esl: ms-%.crt cert-to-efi-sig-list 
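Review bot: The rebased `cflags` line in the `@@ -21,21 +19,21 @@` hunk of Fix-for-the-cross-compilation.patch drops the trailing `$(CFLAGS)` that the previous version of the patch appended (`-+cflags = ... -fno-stack-check $(CFLAGS)` becomes `++cflags = ... -fno-stack-check`), so recipe- and environment-supplied CFLAGS such as `--sysroot` or `-fdebug-prefix-map` no longer reach the objects compiled with `cflags`. If that is intentional because the freestanding EFI code must not pick up distro hardening flags that conflict with `-fno-stack-protector`, the patch description should say so; otherwise restore `$(CFLAGS)` at the end of the `++cflags` line. The omission is easy to miss because the same line also legitimately absorbs the new upstream `-g`. The Makefile part of the same patch, further down, only reorders `lib/lib.a -lcrypto` and needs no change.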
@@ -156,36 +152,36 @@ index 774ee0aed7e9..4c3f91b5850f 100644 ShimReplace.so: lib/lib-efi.a cert-to-efi-sig-list: cert-to-efi-sig-list.o lib/lib.a -- $(CC) $(ARCH3264) -o $@ $< -lcrypto lib/lib.a -+ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) -lcrypto lib/lib.a +- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto ++ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) lib/lib.a -lcrypto sig-list-to-certs: sig-list-to-certs.o lib/lib.a -- $(CC) $(ARCH3264) -o $@ $< -lcrypto lib/lib.a -+ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) -lcrypto lib/lib.a +- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto ++ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) lib/lib.a -lcrypto sign-efi-sig-list: sign-efi-sig-list.o lib/lib.a -- $(CC) $(ARCH3264) -o $@ $< -lcrypto lib/lib.a -+ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) -lcrypto lib/lib.a +- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto ++ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) lib/lib.a -lcrypto hash-to-efi-sig-list: hash-to-efi-sig-list.o lib/lib.a - $(CC) $(ARCH3264) -o $@ $< lib/lib.a + $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) lib/lib.a cert-to-efi-hash-list: cert-to-efi-hash-list.o lib/lib.a -- $(CC) $(ARCH3264) -o $@ $< -lcrypto lib/lib.a -+ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) -lcrypto lib/lib.a +- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto ++ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) lib/lib.a -lcrypto efi-keytool: efi-keytool.o lib/lib.a - $(CC) $(ARCH3264) -o $@ $< lib/lib.a + $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) lib/lib.a efi-readvar: efi-readvar.o lib/lib.a -- $(CC) $(ARCH3264) -o $@ $< -lcrypto lib/lib.a -+ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) -lcrypto lib/lib.a +- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto ++ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) lib/lib.a -lcrypto efi-updatevar: efi-updatevar.o lib/lib.a -- $(CC) $(ARCH3264) -o $@ $< -lcrypto lib/lib.a -+ $(CC) $(ARCH3264) -o $@ $< $(EXTRA_LDFLAGS) -lcrypto lib/lib.a +- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto ++ $(CC) $(ARCH3264) -o 
$@ $< $(EXTRA_LDFLAGS) lib/lib.a -lcrypto flash-var: flash-var.o lib/lib.a - $(CC) $(ARCH3264) -o $@ $< lib/lib.a diff --git a/meta-efi-secure-boot/recipes-bsp/efitools/efitools/Kill-all-the-build-warning-caused-by-implicit-declar.patch b/meta-efi-secure-boot/recipes-bsp/efitools/efitools/Kill-all-the-build-warning-caused-by-implicit-declar.patch index f7f32c3..b072e89 100644 --- a/meta-efi-secure-boot/recipes-bsp/efitools/efitools/Kill-all-the-build-warning-caused-by-implicit-declar.patch +++ b/meta-efi-secure-boot/recipes-bsp/efitools/efitools/Kill-all-the-build-warning-caused-by-implicit-declar.patch @@ -8,15 +8,13 @@ Upstream-Status: Pending Signed-off-by: Lans Zhang --- - Loader.c | 1 + - cert-to-efi-hash-list.c | 2 +- - flash-var.c | 2 ++ - lib/pecoff.c | 1 + - sign-efi-sig-list.c | 2 ++ + Loader.c | 1 + + cert-to-efi-hash-list.c | 2 +- + flash-var.c | 2 ++ + lib/pecoff.c | 1 + + sign-efi-sig-list.c | 2 ++ 5 files changed, 7 insertions(+), 1 deletion(-) -diff --git a/Loader.c b/Loader.c -index 1f9201a..044469a 100644 --- a/Loader.c +++ b/Loader.c @@ -9,6 +9,7 @@ @@ -27,8 +25,6 @@ index 1f9201a..044469a 100644 #include #include #include -diff --git a/cert-to-efi-hash-list.c b/cert-to-efi-hash-list.c -index d4484f9..3792553 100644 --- a/cert-to-efi-hash-list.c +++ b/cert-to-efi-hash-list.c @@ -3,7 +3,7 @@ @@ -39,9 +35,7 @@ index d4484f9..3792553 100644 +#define _GNU_SOURCE #include - #define __STDC_VERSION__ 199901L -diff --git a/flash-var.c b/flash-var.c -index aa10ae6..10429bc 100644 + #define _XOPEN_SOURCE --- a/flash-var.c +++ b/flash-var.c @@ -1,3 +1,5 @@ @@ -50,8 +44,6 @@ index aa10ae6..10429bc 100644 #include #include #include -diff --git a/lib/pecoff.c b/lib/pecoff.c -index 26d9dcf..10b898a 100644 --- a/lib/pecoff.c +++ b/lib/pecoff.c @@ -59,6 +59,7 @@ @@ -62,8 +54,6 @@ index 26d9dcf..10b898a 100644 #include #include #include -diff --git a/sign-efi-sig-list.c b/sign-efi-sig-list.c -index e19ef97..5abcf27 100644 --- a/sign-efi-sig-list.c 
+++ b/sign-efi-sig-list.c @@ -3,6 +3,8 @@ @@ -75,6 +65,3 @@ index e19ef97..5abcf27 100644 #include #define __STDC_VERSION__ 199901L #include --- -1.9.1 - diff --git a/meta-efi-secure-boot/recipes-bsp/efitools/efitools/cert-to-efi-hash-list-support-to-build-with-openssl-.patch b/meta-efi-secure-boot/recipes-bsp/efitools/efitools/cert-to-efi-hash-list-support-to-build-with-openssl-.patch deleted file mode 100644 index b4f9ff6..0000000 --- a/meta-efi-secure-boot/recipes-bsp/efitools/efitools/cert-to-efi-hash-list-support-to-build-with-openssl-.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 1b87c0e53efdccec4c05d2b92699f49cd3d6ec79 Mon Sep 17 00:00:00 2001 -From: Lans Zhang -Date: Wed, 16 Aug 2017 19:52:37 +0800 -Subject: [PATCH] cert-to-efi-hash-list: support to build with openssl-1.1.x - -X509 becomes opaque since openssl-1.1.x and thus uses the equivalent -function i2d_re_X509_tbs() instead to encode tbs portion of the certificate. - -Signed-off-by: Lans Zhang ---- - cert-to-efi-hash-list.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/cert-to-efi-hash-list.c b/cert-to-efi-hash-list.c -index 3792553..2f2584c 100644 ---- a/cert-to-efi-hash-list.c -+++ b/cert-to-efi-hash-list.c -@@ -135,7 +135,11 @@ main(int argc, char *argv[]) - X509 *cert = PEM_read_bio_X509(cert_bio, NULL, NULL, NULL); - unsigned char *cert_buf = NULL; - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L - int cert_len = i2d_X509_CINF(cert->cert_info, &cert_buf); -+#else -+ int cert_len = i2d_re_X509_tbs(cert, &cert_buf); -+#endif - ERR_print_errors_fp(stdout); - - int len, digest_len, time_offset; --- -2.7.5 - -- cgit v1.2.3-54-g00ecf