From 3ad05893e58cd171ee202afbacfa035726560e72 Mon Sep 17 00:00:00 2001 From: Tom Rini Date: Wed, 15 Nov 2017 22:28:01 -0500 Subject: meta-signing-key, meta-efi-secure-boot: Rework for dependencies The content of meta-signing-key depends on a few recipes within meta-efi-secure-boot. However, meta-signing-key can be used without meta-efi-secure-boot if we move libsign and sbsigntool over. Doing this will also provide a more correct set of dependencies as we cannot say that both layers depend on each other. While doing this, within meta-signing-key only depend on content from meta-efi-secure-boot if the efi-secure-boot DISTRO_FEATURE is set. 
Signed-off-by: Tom Rini --- .../recipes-devtools/libsign/libsign_git.bb | 53 ------- .../sbsigntool/sbsigntool-native_git.bb | 71 --------- .../sbsigntool/sbsigntool/Fix-for-multi-sign.patch | 41 ------ ...recated-ASN1_STRING_data-in-openssl-1.1.0.patch | 73 ---------- ...-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch | 158 --------------------- .../sbsigntool/sbsigntool/ccan.git.tar.bz2 | Bin 13964172 -> 0 bytes .../sbsigntool/disable-man-page-creation.patch | 15 -- .../fix-mixed-implicit-and-normal-rules.patch | 33 ----- ...he-segment-fault-caused-by-the-uninitiali.patch | 30 ---- ...x-option-to-avoid-overwrite-existing-sign.patch | 75 ---------- meta-signing-key/classes/user-key-store.bbclass | 2 +- .../recipes-devtools/libsign/libsign_git.bb | 53 +++++++ .../sbsigntool/sbsigntool-native_git.bb | 71 +++++++++ .../sbsigntool/sbsigntool/Fix-for-multi-sign.patch | 41 ++++++ ...recated-ASN1_STRING_data-in-openssl-1.1.0.patch | 73 ++++++++++ ...-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch | 158 +++++++++++++++++++++ .../sbsigntool/sbsigntool/ccan.git.tar.bz2 | Bin 0 -> 13964172 bytes .../sbsigntool/disable-man-page-creation.patch | 15 ++ .../fix-mixed-implicit-and-normal-rules.patch | 33 +++++ ...he-segment-fault-caused-by-the-uninitiali.patch | 30 ++++ ...x-option-to-avoid-overwrite-existing-sign.patch | 75 ++++++++++ 21 files changed, 550 insertions(+), 550 deletions(-) delete mode 100644 meta-efi-secure-boot/recipes-devtools/libsign/libsign_git.bb delete mode 100644 meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool-native_git.bb delete mode 100644 meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/Fix-for-multi-sign.patch delete mode 100644 meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/Fix-the-deprecated-ASN1_STRING_data-in-openssl-1.1.0.patch delete mode 100644 meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/Update-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch delete mode 100644 
meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/ccan.git.tar.bz2 delete mode 100644 meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/disable-man-page-creation.patch delete mode 100644 meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/fix-mixed-implicit-and-normal-rules.patch delete mode 100644 meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/image-fix-the-segment-fault-caused-by-the-uninitiali.patch delete mode 100644 meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/sbsign-add-x-option-to-avoid-overwrite-existing-sign.patch create mode 100644 meta-signing-key/recipes-devtools/libsign/libsign_git.bb create mode 100644 meta-signing-key/recipes-devtools/sbsigntool/sbsigntool-native_git.bb create mode 100644 meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Fix-for-multi-sign.patch create mode 100644 meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Fix-the-deprecated-ASN1_STRING_data-in-openssl-1.1.0.patch create mode 100644 meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Update-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch create mode 100644 meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/ccan.git.tar.bz2 create mode 100644 meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/disable-man-page-creation.patch create mode 100644 meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/fix-mixed-implicit-and-normal-rules.patch create mode 100644 meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/image-fix-the-segment-fault-caused-by-the-uninitiali.patch create mode 100644 meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/sbsign-add-x-option-to-avoid-overwrite-existing-sign.patch diff --git a/meta-efi-secure-boot/recipes-devtools/libsign/libsign_git.bb b/meta-efi-secure-boot/recipes-devtools/libsign/libsign_git.bb deleted file mode 100644 index 72f9d7a..0000000 --- a/meta-efi-secure-boot/recipes-devtools/libsign/libsign_git.bb +++ /dev/null 
@@ -1,53 +0,0 @@ -SUMMARY = "A generic signing tool framework" -DESCRIPTION = "\ -This project targets to provide a generic signing framework. This framework \ -separates the signing request and signing process and correspondingly forms \ -the so-called signlet and signaturelet. \ -Each signaturelet only concerns about the details about how to construct the \ -layout of a signature format, and signlet only cares how to construct the \ -signing request. \ -" -AUTHOR = "Jia Zhang" -HOMEPAGE = "https://github.com/jiazhang0/libsign" -SECTION = "devel" - -LICENSE = "BSD-3-Clause" -LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=d9bf404642f21afb4ad89f95d7bc91ee" - -DEPENDS += "openssl" - -PV = "0.3.2+git${SRCPV}" - -SRC_URI = "\ - git://github.com/jiazhang0/libsign.git \ -" -SRCREV = "0e8005f1c546ef25d834084f5cd85d386cf7cd1d" - -PARALLEL_MAKE = "" - -S = "${WORKDIR}/git" - -EXTRA_OEMAKE = "\ - CC="${CC}" \ - bindir="${STAGING_BINDIR}" \ - libdir="${STAGING_LIBDIR}" \ - includedir="${STAGING_INCDIR}" \ - EXTRA_CFLAGS="${CFLAGS}" \ - EXTRA_LDFLAGS="${LDFLAGS}" \ - SIGNATURELET_DIR="${libdir}/signaturelet" \ - BINDIR="${bindir}" \ - LIBDIR="${libdir}" \ -" - -do_install() { - oe_runmake install DESTDIR="${D}" -} - -FILES_${PN} += "\ - ${libdir}/signaturelet \ -" - -RDEPENDS_${PN}_class-target += "libcrypto" -RDEPENDS_${PN}_class-native += "openssl" - -BBCLASSEXTEND = "native" diff --git a/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool-native_git.bb b/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool-native_git.bb deleted file mode 100644 index f52b5fc..0000000 --- a/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool-native_git.bb +++ /dev/null 
@@ -1,71 +0,0 @@ -SUMMARY = "Utilities for signing UEFI binaries for use with secure boot" - -LICENSE = "GPLv3" - -LIC_FILES_CHKSUM = "\ - file://LICENSE.GPLv3;md5=9eef91148a9b14ec7f9df333daebc746 \ - file://COPYING;md5=a7710ac18adec371b84a9594ed04fd20 \ -" - -DEPENDS += "binutils-native openssl-native gnu-efi-native util-linux-native" - -PV = "0.6+git${SRCPV}" - -SRC_URI = "\ - git://kernel.ubuntu.com/jk/sbsigntool \ - file://ccan.git.tar.bz2 \ - file://fix-mixed-implicit-and-normal-rules.patch;apply=0 \ - file://disable-man-page-creation.patch \ - file://Fix-for-multi-sign.patch \ - file://sbsign-add-x-option-to-avoid-overwrite-existing-sign.patch \ - file://image-fix-the-segment-fault-caused-by-the-uninitiali.patch \ - file://Fix-the-deprecated-ASN1_STRING_data-in-openssl-1.1.0.patch \ - file://Update-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch \ -" -SRCREV="951ee95a301674c046f55330cd7460e1314deff2" - -S = "${WORKDIR}/git" - -inherit autotools-brokensep pkgconfig native - -def efi_arch(d): - import re - arch = d.getVar("TARGET_ARCH") - if re.match("i[3456789]86", arch): - return "ia32" - return arch - -# Avoids build breaks when using no-static-libs.inc -#DISABLE_STATIC_class-target = "" - -#EXTRA_OECONF_remove_class-target += "\ -# --with-libtool-sysroot \ -#" - -EXTRA_OEMAKE += "\ - INCLUDES='-I${S}/lib/ccan.git' \ - EFI_CPPFLAGS='-I${STAGING_INCDIR}/efi \ - -I${STAGING_INCDIR}/efi/${@efi_arch(d)}' \ -" - -do_configure() { - cd "${S}" - rm -rf "lib/ccan.git" - git clone "${WORKDIR}/ccan.git" lib/ccan.git - cd lib/ccan.git && \ - git apply "${WORKDIR}/fix-mixed-implicit-and-normal-rules.patch" && \ - cd - - - OLD_CC="${CC}" - - if [ ! -e lib/ccan ]; then - export CC="${BUILD_CC}" - lib/ccan.git/tools/create-ccan-tree \ - --build-type=automake lib/ccan \ - talloc read_write_all build_assert array_size endian || exit 1 - fi - - export CC="${OLD_CC}" - ./autogen.sh --noconfigure - oe_runconf -} 
diff --git a/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/Fix-for-multi-sign.patch b/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/Fix-for-multi-sign.patch deleted file mode 100644 index 873ade0..0000000 --- a/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/Fix-for-multi-sign.patch +++ /dev/null @@ -1,41 +0,0 @@ -From e58a528ef57e53008222f238cce7c326a14572e2 Mon Sep 17 00:00:00 2001 -From: James Bottomley -Date: Mon, 30 Sep 2013 19:25:37 -0700 -Subject: [PATCH] Fix for multi-sign - -Upstream-Status: Inappropriate [embedded specific] - -The new Tianocore multi-sign code fails now for images signed with -sbsigntools. The reason is that we don't actually align the signature table, -we just slap it straight after the binary data. Unfortunately, the new -multi-signature code checks that our alignment offsets are correct and fails -the signature for this reason. Fix by adding junk to the end of the image to -align the signature section. - -Signed-off-by: James Bottomley ---- - src/image.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/src/image.c b/src/image.c -index 10eba0e..519e288 100644 ---- a/src/image.c -+++ b/src/image.c -@@ -385,7 +385,13 @@ static int image_find_regions(struct image *image) - - /* record the size of non-signature data */ - r = &image->checksum_regions[image->n_checksum_regions - 1]; -- image->data_size = (r->data - (void *)image->buf) + r->size; -+ /* -+ * The new Tianocore multisign does a stricter check of the signatures -+ * in particular, the signature table must start at an aligned offset -+ * fix this by adding bytes to the end of the text section (which must -+ * be included in the hash) -+ */ -+ image->data_size = align_up((r->data - (void *)image->buf) + r->size, 8); - - return 0; - } --- -1.8.4 - 
diff --git a/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/Fix-the-deprecated-ASN1_STRING_data-in-openssl-1.1.0.patch b/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/Fix-the-deprecated-ASN1_STRING_data-in-openssl-1.1.0.patch deleted file mode 100644 index 3619945..0000000 --- a/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/Fix-the-deprecated-ASN1_STRING_data-in-openssl-1.1.0.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From 6ef94a67490176a6d84b4968f303e6d1c51a49ce Mon Sep 17 00:00:00 2001 -From: Lans Zhang -Date: Wed, 16 Aug 2017 10:09:43 +0800 -Subject: [PATCH] Fix the deprecated ASN1_STRING_data() in openssl-1.1.0 - -Signed-off-by: Lans Zhang ---- - src/idc.c | 4 ++-- - src/idc.h | 4 ++++ - src/sbkeysync.c | 3 ++- - 3 files changed, 8 insertions(+), 3 deletions(-) - -diff --git a/src/idc.c b/src/idc.c -index 236cefd..7f99a53 100644 ---- a/src/idc.c -+++ b/src/idc.c -@@ -238,7 +238,7 @@ struct idc *IDC_get(PKCS7 *p7, BIO *bio) - - /* extract the idc from the signed PKCS7 'other' data */ - str = p7->d.sign->contents->d.other->value.asn1_string; -- idcbuf = buf = ASN1_STRING_data(str); -+ idcbuf = buf = (const unsigned char *)ASN1_STRING_get0_data(str); - idc = d2i_IDC(NULL, &buf, ASN1_STRING_length(str)); - - /* If we were passed a BIO, write the idc data, minus type and length, -@@ -289,7 +289,7 @@ int IDC_check_hash(struct idc *idc, struct image *image) - } - - /* check hash against the one we calculated from the image */ -- buf = ASN1_STRING_data(str); -+ buf = (const unsigned char *)ASN1_STRING_get0_data(str); - if (memcmp(buf, sha, sizeof(sha))) { - fprintf(stderr, "Hash doesn't match image\n"); - fprintf(stderr, " got: %s\n", sha256_str(buf)); -diff --git a/src/idc.h b/src/idc.h -index a6526de..8011237 100644 ---- a/src/idc.h -+++ b/src/idc.h -@@ -36,6 +36,10 @@ - - #include - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#define ASN1_STRING_get0_data ASN1_STRING_data -+#endif -+ - struct idc; - - int IDC_set(PKCS7 *p7, PKCS7_SIGNER_INFO *si, struct image *image); -diff --git a/src/sbkeysync.c b/src/sbkeysync.c -index a63d3b8..223a047 100644 ---- a/src/sbkeysync.c -+++ b/src/sbkeysync.c -@@ -54,6 +54,7 @@ - - #include "fileio.h" - #include "efivars.h" -+#include "idc.h" - - #define EFIVARS_MOUNTPOINT "/sys/firmware/efi/efivars" - #define PSTORE_FSTYPE 0x6165676C -@@ -210,7 +211,7 @@ static int x509_key_parse(struct key *key, uint8_t *data, size_t len) - 
serial = x509->cert_info->serialNumber; - - key->id_len = ASN1_STRING_length(serial); -- key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len); -+ key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len); - - key->description = talloc_array(key, char, description_len); - X509_NAME_oneline(x509->cert_info->subject, --- -2.7.5 - diff --git a/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/Update-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch b/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/Update-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch deleted file mode 100644 index f517e47..0000000 --- a/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/Update-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch +++ /dev/null 
@@ -1,158 +0,0 @@ -From ddf7f08d27d6a44eb62928b33c66204ffa3d7edb Mon Sep 17 00:00:00 2001 -From: Lans Zhang -Date: Tue, 15 Aug 2017 13:05:14 +0800 -Subject: [PATCH] Update OpenSSL API usage to support OpenSSL 1.1 - -Most structure definitions in OpenSSL are now opaque and we must call -the appropriate accessor functions to get information from them. -Not all the accessors are available in older versions, so define the -missing accessors as macros. - -The X509_retrieve_match() function is no longer usable, as we cannot -initialise an X509_OBJECT ourselves. Instead, iterate over the -certificate store and use X509_OBJECT_get_type and X509_cmp to -compare certificates. - -Signed-off-by: Ben Hutchings -Signed-off-by: Lans Zhang ---- - src/sbkeysync.c | 7 +++---- - src/sbverify.c | 52 ++++++++++++++++++++++++++++++++++++++-------------- - 2 files changed, 41 insertions(+), 18 deletions(-) - -diff --git a/src/sbkeysync.c b/src/sbkeysync.c -index ef028ef..19e3064 100644 ---- a/src/sbkeysync.c -+++ b/src/sbkeysync.c -@@ -204,16 +204,15 @@ static int x509_key_parse(struct key *key, uint8_t *data, size_t len) - return -1; - - /* we use the X509 serial number as the key ID */ -- if (!x509->cert_info || !x509->cert_info->serialNumber) -+ serial = X509_get_serialNumber(x509); -+ if (!serial) - goto out; - -- serial = x509->cert_info->serialNumber; -- - key->id_len = ASN1_STRING_length(serial); - key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len); - - key->description = talloc_array(key, char, description_len); -- X509_NAME_oneline(x509->cert_info->subject, -+ X509_NAME_oneline(X509_get_subject_name(x509), - key->description, description_len); - - rc = 0; -diff --git a/src/sbverify.c b/src/sbverify.c -index fb03d21..0aed71a 100644 ---- a/src/sbverify.c -+++ b/src/sbverify.c -@@ -55,6 +55,14 @@ - #include - #include - -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#define X509_OBJECT_get0_X509(obj) ((obj)->data.x509) -+#define X509_OBJECT_get_type(obj) 
((obj)->type) -+#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert) -+#define X509_STORE_get0_objects(certs) ((certs)->objs) -+#define X509_get_extended_key_usage(cert) ((cert)->ex_xkusage) -+#endif -+ - static const char *toolname = "sbverify"; - static const int cert_name_len = 160; - -@@ -123,9 +131,9 @@ static void print_signature_info(PKCS7 *p7) - - for (i = 0; i < sk_X509_num(p7->d.sign->cert); i++) { - cert = sk_X509_value(p7->d.sign->cert, i); -- X509_NAME_oneline(cert->cert_info->subject, -+ X509_NAME_oneline(X509_get_subject_name(cert), - subject_name, cert_name_len); -- X509_NAME_oneline(cert->cert_info->issuer, -+ X509_NAME_oneline(X509_get_issuer_name(cert), - issuer_name, cert_name_len); - - printf(" - subject: %s\n", subject_name); -@@ -136,20 +144,26 @@ static void print_signature_info(PKCS7 *p7) - static void print_certificate_store_certs(X509_STORE *certs) - { - char subject_name[cert_name_len + 1], issuer_name[cert_name_len + 1]; -+ STACK_OF(X509_OBJECT) *objs; - X509_OBJECT *obj; -+ X509 *cert; - int i; - - printf("certificate store:\n"); - -- for (i = 0; i < sk_X509_OBJECT_num(certs->objs); i++) { -- obj = sk_X509_OBJECT_value(certs->objs, i); -+ objs = X509_STORE_get0_objects(certs); -+ -+ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) { -+ obj = sk_X509_OBJECT_value(objs, i); - -- if (obj->type != X509_LU_X509) -+ if (X509_OBJECT_get_type(obj) != X509_LU_X509) - continue; - -- X509_NAME_oneline(obj->data.x509->cert_info->subject, -+ cert = X509_OBJECT_get0_X509(obj); -+ -+ X509_NAME_oneline(X509_get_subject_name(cert), - subject_name, cert_name_len); -- X509_NAME_oneline(obj->data.x509->cert_info->issuer, -+ X509_NAME_oneline(X509_get_issuer_name(cert), - issuer_name, cert_name_len); - - printf(" - subject: %s\n", subject_name); -@@ -182,12 +196,21 @@ static int load_detached_signature_data(struct image *image, - - static int cert_in_store(X509 *cert, X509_STORE_CTX *ctx) - { -- X509_OBJECT obj; -+ STACK_OF(X509_OBJECT) *objs; -+ X509_OBJECT 
*obj; -+ int i; -+ -+ objs = X509_STORE_get0_objects(X509_STORE_CTX_get0_store(ctx)); - -- obj.type = X509_LU_X509; -- obj.data.x509 = cert; -+ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) { -+ obj = sk_X509_OBJECT_value(objs, i); - -- return X509_OBJECT_retrieve_match(ctx->ctx->objs, &obj) != NULL; -+ if (X509_OBJECT_get_type(obj) == X509_LU_X509 && -+ !X509_cmp(X509_OBJECT_get0_X509(obj), cert)) -+ return 1; -+ } -+ -+ return 0; - } - - static int x509_verify_cb(int status, X509_STORE_CTX *ctx) -@@ -195,15 +218,16 @@ static int x509_verify_cb(int status, X509_STORE_CTX *ctx) - int err = X509_STORE_CTX_get_error(ctx); - - /* also accept code-signing keys */ -- if (err == X509_V_ERR_INVALID_PURPOSE -- && ctx->cert->ex_xkusage == XKU_CODE_SIGN) -+ if (err == X509_V_ERR_INVALID_PURPOSE && -+ X509_get_extended_key_usage(X509_STORE_CTX_get0_cert(ctx)) -+ == XKU_CODE_SIGN) - status = 1; - - /* all certs given with the --cert argument are trusted */ - else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY || - err == X509_V_ERR_CERT_UNTRUSTED) { - -- if (cert_in_store(ctx->current_cert, ctx)) -+ if (cert_in_store(X509_STORE_CTX_get_current_cert(ctx), ctx)) - status = 1; - } - --- -2.7.5 - diff --git a/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/ccan.git.tar.bz2 b/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/ccan.git.tar.bz2 deleted file mode 100644 index 9a2994f..0000000 Binary files a/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/ccan.git.tar.bz2 and /dev/null differ diff --git a/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/disable-man-page-creation.patch b/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/disable-man-page-creation.patch deleted file mode 100644 index 9310628..0000000 --- a/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/disable-man-page-creation.patch +++ /dev/null 
@@ -1,15 +0,0 @@ -Upstream-Status: Inappropriate [embedded specific] - -diff --git a/docs/Makefile.am b/docs/Makefile.am -index 1b5a588..6918dd8 100644 ---- a/docs/Makefile.am -+++ b/docs/Makefile.am -@@ -1,8 +1,4 @@ - --man1_MANS = sbsign.1 sbverify.1 sbattach.1 sbvarsign.1 sbsiglist.1 -- --EXTRA_DIST = sbsign.1.in sbverify.1.in sbattach.1.in \ -- sbvarsign.1.in sbsiglist.1.in - CLEANFILES = $(man1_MANS) - - $(builddir)/%.1: $(srcdir)/%.1.in $(top_builddir)/src/% diff --git a/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/fix-mixed-implicit-and-normal-rules.patch b/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/fix-mixed-implicit-and-normal-rules.patch deleted file mode 100644 index 3031e4a..0000000 --- a/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/fix-mixed-implicit-and-normal-rules.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 05e73dbe1f25600ad0dbb36b2d690560c5a36281 Mon Sep 17 00:00:00 2001 -From: Lans Zhang -Date: Tue, 31 Mar 2015 15:34:38 +0800 -Subject: [PATCH] Fix mixed implicit and normal rules - -Upstream-Status: Inappropriate [embedded specific] - -This patch comes from upstream: -http://git.yoctoproject.org/cgit/cgit.cgi/meta-luv/plain/recipes-devtools/sbsigntool/sbsigntool/fix-mixed-implicit-and-normal-rules.patch - -Signed-off-by: Lans Zhang ---- - Makefile | 4 ---- - 1 file changed, 4 deletions(-) - -diff --git a/Makefile b/Makefile -index 65d0d8f..a83185d 100644 ---- a/Makefile -+++ b/Makefile -@@ -39,10 +39,6 @@ $(SCOREDIR)/SUMMARY: $(MODS:%=$(SCOREDIR)/%.score) - $(CC) -v >> $@ - cat $^ | grep 'Total score:' >> $@ - --$(SCOREDIR)/%.score: ccan/%/_info tools/ccanlint/ccanlint $(OBJFILES) -- mkdir -p `dirname $@` -- $(CCANLINT) -v -s ccan/$* > $@ || true -- - $(ALL_DEPENDS): %/.depends: %/_info tools/ccan_depends - tools/ccan_depends $* > $@ || ( rm -f $@; exit 1 ) - --- -1.8.3.1 - 
diff --git a/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/image-fix-the-segment-fault-caused-by-the-uninitiali.patch b/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/image-fix-the-segment-fault-caused-by-the-uninitiali.patch deleted file mode 100644 index 6fef038..0000000 --- a/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/image-fix-the-segment-fault-caused-by-the-uninitiali.patch +++ /dev/null @@ -1,30 +0,0 @@ -From a6862cb3bb3b00a1d6704b2bd1fedbd1374be861 Mon Sep 17 00:00:00 2001 -From: Lans Zhang -Date: Thu, 6 Apr 2017 11:11:14 +0800 -Subject: [PATCH] image: fix the segment fault caused by the uninitialized - sigbuf - -The uninitialized struct image might contain a non-zeroed sigbuf and then -it is wrongly freed by image_add_signature(). - -Signed-off-by: Lans Zhang ---- - src/image.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/image.c b/src/image.c -index cc55791..644e8f1 100644 ---- a/src/image.c -+++ b/src/image.c -@@ -395,7 +395,7 @@ struct image *image_load(const char *filename) - struct image *image; - int rc; - -- image = talloc(NULL, struct image); -+ image = talloc_zero(NULL, struct image); - if (!image) { - perror("talloc(image)"); - return NULL; --- -2.11.0 - diff --git a/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/sbsign-add-x-option-to-avoid-overwrite-existing-sign.patch b/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/sbsign-add-x-option-to-avoid-overwrite-existing-sign.patch deleted file mode 100644 index b67f56a..0000000 --- a/meta-efi-secure-boot/recipes-devtools/sbsigntool/sbsigntool/sbsign-add-x-option-to-avoid-overwrite-existing-sign.patch +++ /dev/null 
@@ -1,75 +0,0 @@
-From 0016a571a5ea1ab65817973f179800947e1aa8de Mon Sep 17 00:00:00 2001
-From: Lans Zhang
-Date: Fri, 15 Jan 2016 09:40:56 +0800
-Subject: [PATCH] sbsign: add -x option to avoid overwrite existing signature
-
-Upstream-Status: Pending
-
-Signed-off-by: Lans Zhang
----
- src/sbsign.c | 17 +++++++++++++++--
- 1 file changed, 15 insertions(+), 2 deletions(-)
-
-diff --git a/src/sbsign.c b/src/sbsign.c
-index dcf6eed..7dc101f 100644
---- a/src/sbsign.c
-+++ b/src/sbsign.c
-@@ -66,6 +66,7 @@ struct sign_context {
- };
-
- static struct option options[] = {
-+ { "noresign", no_argument, NULL, 'x' },
- { "output", required_argument, NULL, 'o' },
- { "cert", required_argument, NULL, 'c' },
- { "key", required_argument, NULL, 'k' },
-@@ -87,6 +88,7 @@ static void usage(void)
- "\t--cert certificate (x509 certificate)\n"
- "\t--detached write a detached signature, instead of\n"
- "\t a signed binary\n"
-+ "\t--noresign don't re-sign the binary if signed\n"
- "\t--output write signed data to \n"
- "\t (default .signed,\n"
- "\t or .pk7 for detached\n"
-@@ -114,7 +116,7 @@ int main(int argc, char **argv)
- const char *keyfilename, *certfilename;
- struct sign_context *ctx;
- uint8_t *buf, *tmp;
-- int rc, c, sigsize;
-+ int rc, c, sigsize, no_resign = 0;
-
- ctx = talloc_zero(NULL, struct sign_context);
-
-@@ -123,11 +125,14 @@ int main(int argc, char **argv)
-
- for (;;) {
- int idx;
-- c = getopt_long(argc, argv, "o:c:k:dvVh", options, &idx);
-+ c = getopt_long(argc, argv, "xo:c:k:dvVh", options, &idx);
- if (c == -1)
- break;
-
- switch (c) {
-+ case 'x':
-+ no_resign = 1;
-+ break;
- case 'o':
- ctx->outfilename = talloc_strdup(ctx, optarg);
- break;
-@@ -178,6 +183,14 @@ int main(int argc, char **argv)
- if (!ctx->image)
- return EXIT_FAILURE;
-
-+ if (ctx->image->cert_table) {
-+ if (no_resign) {
-+ fprintf(stderr,
-+ "Don't overwrite existing signature\n");
-+ return EXIT_SUCCESS;
-+ }
-+ }
-+
- talloc_steal(ctx, ctx->image);
-
- ERR_load_crypto_strings();
---
-1.9.1
-
diff --git a/meta-signing-key/classes/user-key-store.bbclass b/meta-signing-key/classes/user-key-store.bbclass
index 7e29ea0..9af758f 100644
--- a/meta-signing-key/classes/user-key-store.bbclass
+++ b/meta-signing-key/classes/user-key-store.bbclass
@@ -2,7 +2,7 @@ DEPENDS_append_class-target += "\
 sbsigntool-native \
 libsign-native \
 openssl-native \
- efitools-native \
+ ${@bb.utils.contains("DISTRO_FEATURES", "efi-secure-boot", "efitools-native", "", d)} \
 "
 USER_KEY_SHOW_VERBOSE = "1"
diff --git a/meta-signing-key/recipes-devtools/libsign/libsign_git.bb b/meta-signing-key/recipes-devtools/libsign/libsign_git.bb
new file mode 100644
index 0000000..72f9d7a
--- /dev/null
+++ b/meta-signing-key/recipes-devtools/libsign/libsign_git.bb
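Review bot: In `user-key-store.bbclass` only the `efitools-native` entry of `DEPENDS_append_class-target` is made conditional on `efi-secure-boot`; any function in the class that runs an efitools binary needs the same condition, or a build without the feature will fail inside that task with a missing tool. The class body is outside the hunk, so this has to be confirmed there. A comment above the assignment would record the intent, e.g. `# efitools-native is only pulled in when efi-secure-boot is enabled`. Separately, the context line mixes `_append` with `+=`; `DEPENDS_append_class-target = " \` is the conventional spelling.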
@@ -0,0 +1,53 @@
+SUMMARY = "A generic signing tool framework"
+DESCRIPTION = "\
+This project targets to provide a generic signing framework. This framework \
+separates the signing request and signing process and correspondingly forms \
+the so-called signlet and signaturelet. \
+Each signaturelet only concerns about the details about how to construct the \
+layout of a signature format, and signlet only cares how to construct the \
+signing request. \
+"
+AUTHOR = "Jia Zhang"
+HOMEPAGE = "https://github.com/jiazhang0/libsign"
+SECTION = "devel"
+
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=d9bf404642f21afb4ad89f95d7bc91ee"
+
+DEPENDS += "openssl"
+
+PV = "0.3.2+git${SRCPV}"
+
+SRC_URI = "\
+ git://github.com/jiazhang0/libsign.git \
+"
+SRCREV = "0e8005f1c546ef25d834084f5cd85d386cf7cd1d"
+
+PARALLEL_MAKE = ""
+
+S = "${WORKDIR}/git"
+
+EXTRA_OEMAKE = "\
+ CC="${CC}" \
+ bindir="${STAGING_BINDIR}" \
+ libdir="${STAGING_LIBDIR}" \
+ includedir="${STAGING_INCDIR}" \
+ EXTRA_CFLAGS="${CFLAGS}" \
+ EXTRA_LDFLAGS="${LDFLAGS}" \
+ SIGNATURELET_DIR="${libdir}/signaturelet" \
+ BINDIR="${bindir}" \
+ LIBDIR="${libdir}" \
+"
+
+do_install() {
+ oe_runmake install DESTDIR="${D}"
+}
+
+FILES_${PN} += "\
+ ${libdir}/signaturelet \
+"
+
+RDEPENDS_${PN}_class-target += "libcrypto"
+RDEPENDS_${PN}_class-native += "openssl"
+
+BBCLASSEXTEND = "native"
diff --git a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool-native_git.bb b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool-native_git.bb
new file mode 100644
index 0000000..f52b5fc
--- /dev/null
+++ b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool-native_git.bb
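Review bot: `SRC_URI` in `libsign_git.bb` fetches the signing library over `git://github.com/jiazhang0/libsign.git`, which is the unauthenticated git transport; the same applies to `git://kernel.ubuntu.com/jk/sbsigntool` in `sbsigntool-native_git.bb`. The fixed `SRCREV` pins the content by commit id, so the exposure is limited to what a SHA-1 commit id guarantees, but for tools that produce boot signatures an authenticated transport is the safer default. Moving the recipes is a good moment to switch to `git://github.com/jiazhang0/libsign.git;protocol=https`, and to do the same for sbsigntool if that host serves the repository over HTTPS.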
@@ -0,0 +1,71 @@
+SUMMARY = "Utilities for signing UEFI binaries for use with secure boot"
+
+LICENSE = "GPLv3"
+
+LIC_FILES_CHKSUM = "\
+ file://LICENSE.GPLv3;md5=9eef91148a9b14ec7f9df333daebc746 \
+ file://COPYING;md5=a7710ac18adec371b84a9594ed04fd20 \
+"
+
+DEPENDS += "binutils-native openssl-native gnu-efi-native util-linux-native"
+
+PV = "0.6+git${SRCPV}"
+
+SRC_URI = "\
+ git://kernel.ubuntu.com/jk/sbsigntool \
+ file://ccan.git.tar.bz2 \
+ file://fix-mixed-implicit-and-normal-rules.patch;apply=0 \
+ file://disable-man-page-creation.patch \
+ file://Fix-for-multi-sign.patch \
+ file://sbsign-add-x-option-to-avoid-overwrite-existing-sign.patch \
+ file://image-fix-the-segment-fault-caused-by-the-uninitiali.patch \
+ file://Fix-the-deprecated-ASN1_STRING_data-in-openssl-1.1.0.patch \
+ file://Update-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch \
+"
+SRCREV="951ee95a301674c046f55330cd7460e1314deff2"
+
+S = "${WORKDIR}/git"
+
+inherit autotools-brokensep pkgconfig native
+
+def efi_arch(d):
+ import re
+ arch = d.getVar("TARGET_ARCH")
+ if re.match("i[3456789]86", arch):
+ return "ia32"
+ return arch
+
+# Avoids build breaks when using no-static-libs.inc
+#DISABLE_STATIC_class-target = ""
+
+#EXTRA_OECONF_remove_class-target += "\
+# --with-libtool-sysroot \
+#"
+
+EXTRA_OEMAKE += "\
+ INCLUDES='-I${S}/lib/ccan.git' \
+ EFI_CPPFLAGS='-I${STAGING_INCDIR}/efi \
+ -I${STAGING_INCDIR}/efi/${@efi_arch(d)}' \
+"
+
+do_configure() {
+ cd "${S}"
+ rm -rf "lib/ccan.git"
+ git clone "${WORKDIR}/ccan.git" lib/ccan.git
+ cd lib/ccan.git && \
+ git apply "${WORKDIR}/fix-mixed-implicit-and-normal-rules.patch" && \
+ cd -
+
+ OLD_CC="${CC}"
+
+ if [ ! -e lib/ccan ]; then
+ export CC="${BUILD_CC}"
+ lib/ccan.git/tools/create-ccan-tree \
+ --build-type=automake lib/ccan \
+ talloc read_write_all build_assert array_size endian || exit 1
+ fi
+
+ export CC="${OLD_CC}"
+ ./autogen.sh --noconfigure
+ oe_runconf
+}
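Review bot: In `do_configure` of `sbsigntool-native_git.bb`, the chain `cd lib/ccan.git && git apply ... && cd -` does not stop the task at the point where `git apply` fails: a failure in a non-final member of an `&&` list is not fatal even under `set -e`, and the shell is then left inside `lib/ccan.git`, so any error surfaces later and against a different command. The `create-ccan-tree` call further down already ends in `|| exit 1`; the patch step should fail just as directly, for example `( cd lib/ccan.git && git apply "${WORKDIR}/fix-mixed-implicit-and-normal-rules.patch" ) || exit 1`. This matters here because `ccan.git.tar.bz2` is a vendored binary archive that is cloned and patched at configure time, and the signing tool should only ever be built from the tree the recipe describes.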
diff --git a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Fix-for-multi-sign.patch b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Fix-for-multi-sign.patch
new file mode 100644
index 0000000..873ade0
--- /dev/null
+++ b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Fix-for-multi-sign.patch
@@ -0,0 +1,41 @@
+From e58a528ef57e53008222f238cce7c326a14572e2 Mon Sep 17 00:00:00 2001
+From: James Bottomley
+Date: Mon, 30 Sep 2013 19:25:37 -0700
+Subject: [PATCH] Fix for multi-sign
+
+Upstream-Status: Inappropriate [embedded specific]
+
+The new Tianocore multi-sign code fails now for images signed with
+sbsigntools. The reason is that we don't actually align the signature table,
+we just slap it straight after the binary data. Unfortunately, the new
+multi-signature code checks that our alignment offsets are correct and fails
+the signature for this reason. Fix by adding junk to the end of the image to
+align the signature section.
+
+Signed-off-by: James Bottomley
+---
+ src/image.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/image.c b/src/image.c
+index 10eba0e..519e288 100644
+--- a/src/image.c
++++ b/src/image.c
+@@ -385,7 +385,13 @@ static int image_find_regions(struct image *image)
+
+ /* record the size of non-signature data */
+ r = &image->checksum_regions[image->n_checksum_regions - 1];
+- image->data_size = (r->data - (void *)image->buf) + r->size;
++ /*
++ * The new Tianocore multisign does a stricter check of the signatures
++ * in particular, the signature table must start at an aligned offset
++ * fix this by adding bytes to the end of the text section (which must
++ * be included in the hash)
++ */
++ image->data_size = align_up((r->data - (void *)image->buf) + r->size, 8);
+
+ return 0;
+ }
+--
+1.8.4
+
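Review bot: The new `image->data_size = align_up(..., 8)` line in `image_find_regions` extends the hashed and signed range by up to seven bytes, and the patch description calls those bytes "junk"; nothing in the hunk shows where they come from or that they are zeroed. If they can be bytes beyond the loaded file contents, the signature would cover indeterminate data and the signed image could differ between builds. The function starts outside the hunk, so the allocation and fill of `image->buf` need checking there; the added comment could state the requirement, e.g. `* the padding must lie inside image->buf and be zero-filled`.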
diff --git a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Fix-the-deprecated-ASN1_STRING_data-in-openssl-1.1.0.patch b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Fix-the-deprecated-ASN1_STRING_data-in-openssl-1.1.0.patch
new file mode 100644
index 0000000..3619945
--- /dev/null
+++ b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Fix-the-deprecated-ASN1_STRING_data-in-openssl-1.1.0.patch
@@ -0,0 +1,73 @@ +From 6ef94a67490176a6d84b4968f303e6d1c51a49ce Mon Sep 17 00:00:00 2001 +From: Lans Zhang +Date: Wed, 16 Aug 2017 10:09:43 +0800 +Subject: [PATCH] Fix the deprecated ASN1_STRING_data() in openssl-1.1.0 + +Signed-off-by: Lans Zhang +--- + src/idc.c | 4 ++-- + src/idc.h | 4 ++++ + src/sbkeysync.c | 3 ++- + 3 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/src/idc.c b/src/idc.c +index 236cefd..7f99a53 100644 +--- a/src/idc.c ++++ b/src/idc.c +@@ -238,7 +238,7 @@ struct idc *IDC_get(PKCS7 *p7, BIO *bio) + + /* extract the idc from the signed PKCS7 'other' data */ + str = p7->d.sign->contents->d.other->value.asn1_string; +- idcbuf = buf = ASN1_STRING_data(str); ++ idcbuf = buf = (const unsigned char *)ASN1_STRING_get0_data(str); + idc = d2i_IDC(NULL, &buf, ASN1_STRING_length(str)); + + /* If we were passed a BIO, write the idc data, minus type and length, +@@ -289,7 +289,7 @@ int IDC_check_hash(struct idc *idc, struct image *image) + } + + /* check hash against the one we calculated from the image */ +- buf = ASN1_STRING_data(str); ++ buf = (const unsigned char *)ASN1_STRING_get0_data(str); + if (memcmp(buf, sha, sizeof(sha))) { + fprintf(stderr, "Hash doesn't match image\n"); + fprintf(stderr, " got: %s\n", sha256_str(buf)); +diff --git a/src/idc.h b/src/idc.h +index a6526de..8011237 100644 +--- a/src/idc.h ++++ b/src/idc.h +@@ -36,6 +36,10 @@ + + #include + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#define ASN1_STRING_get0_data ASN1_STRING_data ++#endif ++ + struct idc; + + int IDC_set(PKCS7 *p7, PKCS7_SIGNER_INFO *si, struct image *image); +diff --git a/src/sbkeysync.c b/src/sbkeysync.c +index a63d3b8..223a047 100644 +--- a/src/sbkeysync.c ++++ b/src/sbkeysync.c +@@ -54,6 +54,7 @@ + + #include "fileio.h" + #include "efivars.h" ++#include "idc.h" + + #define EFIVARS_MOUNTPOINT "/sys/firmware/efi/efivars" + #define PSTORE_FSTYPE 0x6165676C +@@ -210,7 +211,7 @@ static int x509_key_parse(struct key *key, uint8_t *data, size_t len) + 
serial = x509->cert_info->serialNumber; + + key->id_len = ASN1_STRING_length(serial); +- key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len); ++ key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len); + + key->description = talloc_array(key, char, description_len); + X509_NAME_oneline(x509->cert_info->subject, +-- +2.7.5 + diff --git a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Update-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Update-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch new file mode 100644 index 0000000..f517e47 --- /dev/null +++ b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Update-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch 
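Review bot: Fix-the-deprecated-ASN1_STRING_data-in-openssl-1.1.0.patch has no `Upstream-Status:` line in its header, unlike Fix-for-multi-sign.patch beside it, so the layer keeps no record of where this change to a signing tool came from or whether upstream has seen it; Update-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch and image-fix-the-segment-fault-caused-by-the-uninitiali.patch have the same gap. I would add the status that actually applies to each header, in the form the sbsign patch already uses (`Upstream-Status: Pending`). Separately, the compat define `#define ASN1_STRING_get0_data ASN1_STRING_data` lives in src/idc.h and src/sbkeysync.c now includes "idc.h" only to pick it up; a comment on that include, e.g. `/* for the ASN1_STRING_get0_data compat define */`, would keep the dependency from being dropped by accident.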
@@ -0,0 +1,158 @@
+From ddf7f08d27d6a44eb62928b33c66204ffa3d7edb Mon Sep 17 00:00:00 2001
+From: Lans Zhang
+Date: Tue, 15 Aug 2017 13:05:14 +0800
+Subject: [PATCH] Update OpenSSL API usage to support OpenSSL 1.1
+
+Most structure definitions in OpenSSL are now opaque and we must call
+the appropriate accessor functions to get information from them.
+Not all the accessors are available in older versions, so define the
+missing accessors as macros.
+
+The X509_retrieve_match() function is no longer usable, as we cannot
+initialise an X509_OBJECT ourselves. Instead, iterate over the
+certificate store and use X509_OBJECT_get_type and X509_cmp to
+compare certificates.
+
+Signed-off-by: Ben Hutchings
+Signed-off-by: Lans Zhang
+---
+ src/sbkeysync.c | 7 +++----
+ src/sbverify.c | 52 ++++++++++++++++++++++++++++++++++++++--------------
+ 2 files changed, 41 insertions(+), 18 deletions(-)
+
+diff --git a/src/sbkeysync.c b/src/sbkeysync.c
+index ef028ef..19e3064 100644
+--- a/src/sbkeysync.c
++++ b/src/sbkeysync.c
+@@ -204,16 +204,15 @@ static int x509_key_parse(struct key *key, uint8_t *data, size_t len)
+ return -1;
+
+ /* we use the X509 serial number as the key ID */
+- if (!x509->cert_info || !x509->cert_info->serialNumber)
++ serial = X509_get_serialNumber(x509);
++ if (!serial)
+ goto out;
+
+- serial = x509->cert_info->serialNumber;
+-
+ key->id_len = ASN1_STRING_length(serial);
+ key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len);
+
+ key->description = talloc_array(key, char, description_len);
+- X509_NAME_oneline(x509->cert_info->subject,
++ X509_NAME_oneline(X509_get_subject_name(x509),
+ key->description, description_len);
+
+ rc = 0;
+diff --git a/src/sbverify.c b/src/sbverify.c
+index fb03d21..0aed71a 100644
+--- a/src/sbverify.c
++++ b/src/sbverify.c
+@@ -55,6 +55,14 @@
+ #include
+ #include
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#define X509_OBJECT_get0_X509(obj) ((obj)->data.x509)
++#define X509_OBJECT_get_type(obj) ((obj)->type)
++#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert)
++#define X509_STORE_get0_objects(certs) ((certs)->objs)
++#define X509_get_extended_key_usage(cert) ((cert)->ex_xkusage)
++#endif
++
+ static const char *toolname = "sbverify";
+ static const int cert_name_len = 160;
+
+@@ -123,9 +131,9 @@ static void print_signature_info(PKCS7 *p7)
+
+ for (i = 0; i < sk_X509_num(p7->d.sign->cert); i++) {
+ cert = sk_X509_value(p7->d.sign->cert, i);
+- X509_NAME_oneline(cert->cert_info->subject,
++ X509_NAME_oneline(X509_get_subject_name(cert),
+ subject_name, cert_name_len);
+- X509_NAME_oneline(cert->cert_info->issuer,
++ X509_NAME_oneline(X509_get_issuer_name(cert),
+ issuer_name, cert_name_len);
+
+ printf(" - subject: %s\n", subject_name);
+@@ -136,20 +144,26 @@ static void print_signature_info(PKCS7 *p7)
+ static void print_certificate_store_certs(X509_STORE *certs)
+ {
+ char subject_name[cert_name_len + 1], issuer_name[cert_name_len + 1];
++ STACK_OF(X509_OBJECT) *objs;
+ X509_OBJECT *obj;
++ X509 *cert;
+ int i;
+
+ printf("certificate store:\n");
+
+- for (i = 0; i < sk_X509_OBJECT_num(certs->objs); i++) {
+- obj = sk_X509_OBJECT_value(certs->objs, i);
++ objs = X509_STORE_get0_objects(certs);
++
++ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
++ obj = sk_X509_OBJECT_value(objs, i);
+
+- if (obj->type != X509_LU_X509)
++ if (X509_OBJECT_get_type(obj) != X509_LU_X509)
+ continue;
+
+- X509_NAME_oneline(obj->data.x509->cert_info->subject,
++ cert = X509_OBJECT_get0_X509(obj);
++
++ X509_NAME_oneline(X509_get_subject_name(cert),
+ subject_name, cert_name_len);
+- X509_NAME_oneline(obj->data.x509->cert_info->issuer,
++ X509_NAME_oneline(X509_get_issuer_name(cert),
+ issuer_name, cert_name_len);
+
+ printf(" - subject: %s\n", subject_name);
+@@ -182,12 +196,21 @@ static int load_detached_signature_data(struct image *image,
+
+ static int cert_in_store(X509 *cert, X509_STORE_CTX *ctx)
+ {
+- X509_OBJECT obj;
++ STACK_OF(X509_OBJECT) *objs;
++ X509_OBJECT *obj;
++ int i;
++
++ objs = X509_STORE_get0_objects(X509_STORE_CTX_get0_store(ctx));
+
+- obj.type = X509_LU_X509;
+- obj.data.x509 = cert;
++ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
++ obj = sk_X509_OBJECT_value(objs, i);
+
+- return X509_OBJECT_retrieve_match(ctx->ctx->objs, &obj) != NULL;
++ if (X509_OBJECT_get_type(obj) == X509_LU_X509 &&
++ !X509_cmp(X509_OBJECT_get0_X509(obj), cert))
++ return 1;
++ }
++
++ return 0;
+ }
+
+ static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
+@@ -195,15 +218,16 @@ static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
+ int err = X509_STORE_CTX_get_error(ctx);
+
+ /* also accept code-signing keys */
+- if (err == X509_V_ERR_INVALID_PURPOSE
+- && ctx->cert->ex_xkusage == XKU_CODE_SIGN)
++ if (err == X509_V_ERR_INVALID_PURPOSE &&
++ X509_get_extended_key_usage(X509_STORE_CTX_get0_cert(ctx))
++ == XKU_CODE_SIGN)
+ status = 1;
+
+ /* all certs given with the --cert argument are trusted */
+ else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
+ err == X509_V_ERR_CERT_UNTRUSTED) {
+
+- if (cert_in_store(ctx->current_cert, ctx))
++ if (cert_in_store(X509_STORE_CTX_get_current_cert(ctx), ctx))
+ status = 1;
+ }
+
+--
+2.7.5
+
diff --git a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/ccan.git.tar.bz2 b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/ccan.git.tar.bz2
new file mode 100644
index 0000000..9a2994f
Binary files /dev/null and b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/ccan.git.tar.bz2 differ
diff --git a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/disable-man-page-creation.patch b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/disable-man-page-creation.patch
new file mode 100644
index 0000000..9310628
--- /dev/null
+++ b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/disable-man-page-creation.patch
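Review bot: In Update-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch, the pre-1.1.0 fallback `#define X509_get_extended_key_usage(cert) ((cert)->ex_xkusage)` added to src/sbverify.c reads the cached field directly, whereas the OpenSSL 1.1 function of that name, as far as I know, populates the extension cache before returning the value. Its only use in this patch is in x509_verify_cb, where it decides whether an `X509_V_ERR_INVALID_PURPOSE` failure is overridden, so a stale or zero field on old OpenSSL would change a trust decision rather than a log line. By the time that error is raised the verifier has presumably processed the certificate's extensions, but the macro block should state that assumption, for example `/* fallbacks read cached fields; only valid once the verifier has processed the certificate */`. x509_verify_cb continues outside the hunk.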
@@ -0,0 +1,15 @@
+Upstream-Status: Inappropriate [embedded specific]
+
+diff --git a/docs/Makefile.am b/docs/Makefile.am
+index 1b5a588..6918dd8 100644
+--- a/docs/Makefile.am
++++ b/docs/Makefile.am
+@@ -1,8 +1,4 @@
+
+-man1_MANS = sbsign.1 sbverify.1 sbattach.1 sbvarsign.1 sbsiglist.1
+-
+-EXTRA_DIST = sbsign.1.in sbverify.1.in sbattach.1.in \
+- sbvarsign.1.in sbsiglist.1.in
+ CLEANFILES = $(man1_MANS)
+
+ $(builddir)/%.1: $(srcdir)/%.1.in $(top_builddir)/src/%
diff --git a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/fix-mixed-implicit-and-normal-rules.patch b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/fix-mixed-implicit-and-normal-rules.patch
new file mode 100644
index 0000000..3031e4a
--- /dev/null
+++ b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/fix-mixed-implicit-and-normal-rules.patch
@@ -0,0 +1,33 @@
+From 05e73dbe1f25600ad0dbb36b2d690560c5a36281 Mon Sep 17 00:00:00 2001
+From: Lans Zhang
+Date: Tue, 31 Mar 2015 15:34:38 +0800
+Subject: [PATCH] Fix mixed implicit and normal rules
+
+Upstream-Status: Inappropriate [embedded specific]
+
+This patch comes from upstream:
+http://git.yoctoproject.org/cgit/cgit.cgi/meta-luv/plain/recipes-devtools/sbsigntool/sbsigntool/fix-mixed-implicit-and-normal-rules.patch
+
+Signed-off-by: Lans Zhang
+---
+ Makefile | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 65d0d8f..a83185d 100644
+--- a/Makefile
++++ b/Makefile
+@@ -39,10 +39,6 @@ $(SCOREDIR)/SUMMARY: $(MODS:%=$(SCOREDIR)/%.score)
+ $(CC) -v >> $@
+ cat $^ | grep 'Total score:' >> $@
+
+-$(SCOREDIR)/%.score: ccan/%/_info tools/ccanlint/ccanlint $(OBJFILES)
+- mkdir -p `dirname $@`
+- $(CCANLINT) -v -s ccan/$* > $@ || true
+-
+ $(ALL_DEPENDS): %/.depends: %/_info tools/ccan_depends
+ tools/ccan_depends $* > $@ || ( rm -f $@; exit 1 )
+
+--
+1.8.3.1
+
diff --git a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/image-fix-the-segment-fault-caused-by-the-uninitiali.patch b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/image-fix-the-segment-fault-caused-by-the-uninitiali.patch
new file mode 100644
index 0000000..6fef038
--- /dev/null
+++ b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/image-fix-the-segment-fault-caused-by-the-uninitiali.patch
@@ -0,0 +1,30 @@
+From a6862cb3bb3b00a1d6704b2bd1fedbd1374be861 Mon Sep 17 00:00:00 2001
+From: Lans Zhang
+Date: Thu, 6 Apr 2017 11:11:14 +0800
+Subject: [PATCH] image: fix the segment fault caused by the uninitialized
+ sigbuf
+
+The uninitialized struct image might contain a non-zeroed sigbuf and then
+it is wrongly freed by image_add_signature().
+
+Signed-off-by: Lans Zhang
+---
+ src/image.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/image.c b/src/image.c
+index cc55791..644e8f1 100644
+--- a/src/image.c
++++ b/src/image.c
+@@ -395,7 +395,7 @@ struct image *image_load(const char *filename)
+ struct image *image;
+ int rc;
+
+- image = talloc(NULL, struct image);
++ image = talloc_zero(NULL, struct image);
+ if (!image) {
+ perror("talloc(image)");
+ return NULL;
+--
+2.11.0
+
diff --git a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/sbsign-add-x-option-to-avoid-overwrite-existing-sign.patch b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/sbsign-add-x-option-to-avoid-overwrite-existing-sign.patch
new file mode 100644
index 0000000..b67f56a
--- /dev/null
+++ b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/sbsign-add-x-option-to-avoid-overwrite-existing-sign.patch
@@ -0,0 +1,75 @@
+From 0016a571a5ea1ab65817973f179800947e1aa8de Mon Sep 17 00:00:00 2001
+From: Lans Zhang
+Date: Fri, 15 Jan 2016 09:40:56 +0800
+Subject: [PATCH] sbsign: add -x option to avoid overwrite existing signature
+
+Upstream-Status: Pending
+
+Signed-off-by: Lans Zhang
+---
+ src/sbsign.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/src/sbsign.c b/src/sbsign.c
+index dcf6eed..7dc101f 100644
+--- a/src/sbsign.c
++++ b/src/sbsign.c
+@@ -66,6 +66,7 @@ struct sign_context {
+ };
+
+ static struct option options[] = {
++ { "noresign", no_argument, NULL, 'x' },
+ { "output", required_argument, NULL, 'o' },
+ { "cert", required_argument, NULL, 'c' },
+ { "key", required_argument, NULL, 'k' },
+@@ -87,6 +88,7 @@ static void usage(void)
+ "\t--cert certificate (x509 certificate)\n"
+ "\t--detached write a detached signature, instead of\n"
+ "\t a signed binary\n"
++ "\t--noresign don't re-sign the binary if signed\n"
+ "\t--output write signed data to \n"
+ "\t (default .signed,\n"
+ "\t or .pk7 for detached\n"
+@@ -114,7 +116,7 @@ int main(int argc, char **argv)
+ const char *keyfilename, *certfilename;
+ struct sign_context *ctx;
+ uint8_t *buf, *tmp;
+- int rc, c, sigsize;
++ int rc, c, sigsize, no_resign = 0;
+
+ ctx = talloc_zero(NULL, struct sign_context);
+
+@@ -123,11 +125,14 @@ int main(int argc, char **argv)
+
+ for (;;) {
+ int idx;
+- c = getopt_long(argc, argv, "o:c:k:dvVh", options, &idx);
++ c = getopt_long(argc, argv, "xo:c:k:dvVh", options, &idx);
+ if (c == -1)
+ break;
+
+ switch (c) {
++ case 'x':
++ no_resign = 1;
++ break;
+ case 'o':
+ ctx->outfilename = talloc_strdup(ctx, optarg);
+ break;
+@@ -178,6 +183,14 @@ int main(int argc, char **argv)
+ if (!ctx->image)
+ return EXIT_FAILURE;
+
++ if (ctx->image->cert_table) {
++ if (no_resign) {
++ fprintf(stderr,
++ "Don't overwrite existing signature\n");
++ return EXIT_SUCCESS;
++ }
++ }
++
+ talloc_steal(ctx, ctx->image);
+
+ ERR_load_crypto_strings();
+--
+1.9.1
+
-- cgit v1.2.3-54-g00ecf
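Review bot: With `--noresign`, the check added to main() in src/sbsign.c treats any non-NULL `ctx->image->cert_table` as "already signed" and returns `EXIT_SUCCESS` without signing or writing the output file. A populated certificate table (which is presumably what that field indicates) says nothing about who signed the image or whether the signature verifies, so a build step using this option can report success for a binary that never received a signature from the configured key. The usage text should say that the existing signature is not validated, and callers should follow the step with an sbverify check against the expected certificate; a distinct exit status for the skipped case would let scripts tell the two outcomes apart. The nested `if`s can also be written as one condition, `if (no_resign && ctx->image->cert_table) {`. main() starts and ends outside the hunk.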