From d5a4de8f096e2a03d89b5a756f5ab65f316a79dc Mon Sep 17 00:00:00 2001
From: Lans Zhang
Date: Wed, 16 Aug 2017 20:31:33 +0800
Subject: efitools: support to build with openssl-1.1.x

Signed-off-by: Lans Zhang
---
 .../recipes-bsp/efitools/efitools.inc | 3 ++
 ...-load-openssl.cnf-for-openssl-1.0.x-and-1.patch | 43 ++++++++++++++++++++++
 ...-hash-list-support-to-build-with-openssl-.patch | 32 ++++++++++++++++
 3 files changed, 78 insertions(+)
 create mode 100644 meta-efi-secure-boot/recipes-bsp/efitools/efitools/Dynamically-load-openssl.cnf-for-openssl-1.0.x-and-1.patch
 create mode 100644 meta-efi-secure-boot/recipes-bsp/efitools/efitools/cert-to-efi-hash-list-support-to-build-with-openssl-.patch

diff --git a/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc b/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc
index 446c713..74d262b 100644
--- a/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc
+++ b/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc
@@ -28,6 +28,8 @@ SRC_URI = "\
 file://Don-t-build-PreLoader.efi.patch \
 file://Reuse-xxdi.pl.patch \
 file://Add-static-keyword-for-IsValidVariableHeader.patch \
+ file://Dynamically-load-openssl.cnf-for-openssl-1.0.x-and-1.patch \
+ file://cert-to-efi-hash-list-support-to-build-with-openssl-.patch \
 "
 
 SRCREV = "0649468475d20d8ca5634433c4912467cef3ce93"
@@ -40,6 +42,7 @@ inherit perlnative
 EXTRA_OEMAKE = "\
 HELP2MAN='${STAGING_BINDIR_NATIVE}/help2man' \
 OPENSSL='${STAGING_BINDIR_NATIVE}/openssl' \
+ OPENSSL_CFG=' -config ${STAGING_LIBDIR_NATIVE}/ssl-1.1/openssl.cnf' \
 SBSIGN='${STAGING_BINDIR_NATIVE}/sbsign' \
 OPENSSL_LIB='${STAGING_LIBDIR}' \
 NM='${NM}' AR='${AR}' \
diff --git a/meta-efi-secure-boot/recipes-bsp/efitools/efitools/Dynamically-load-openssl.cnf-for-openssl-1.0.x-and-1.patch b/meta-efi-secure-boot/recipes-bsp/efitools/efitools/Dynamically-load-openssl.cnf-for-openssl-1.0.x-and-1.patch
new file mode 100644
index 0000000..5236893
--- /dev/null
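Review bot: `OPENSSL_CFG` is added to EXTRA_OEMAKE in the second hunk, but nothing visible in this commit consumes it: the Make.rules patch added in the same series derives the config path from `$(OPENSSL_LIB)/ssl/openssl.cnf` or `$(OPENSSL_LIB)/ssl-1.1/openssl.cnf`, and `OPENSSL_LIB` is set here to `${STAGING_LIBDIR}` (the target sysroot) while `OPENSSL` is the native binary from `${STAGING_BINDIR_NATIVE}`. Unless Make.rules references OPENSSL_CFG somewhere outside the patched hunk, the variable is dead and the native openssl is pointed at the target's openssl.cnf, with the fallback hard-coded to the `ssl-1.1` directory layout. It would be more consistent to have the recipes consume this variable, e.g. `$(OPENSSL) req $(OPENSSL_CFG) -new ...`, and to compute any fallback from `${STAGING_LIBDIR_NATIVE}` rather than `OPENSSL_LIB`.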
+++ b/meta-efi-secure-boot/recipes-bsp/efitools/efitools/Dynamically-load-openssl.cnf-for-openssl-1.0.x-and-1.patch
@@ -0,0 +1,43 @@
+From ae36390629bd9c92cb732800a341f04ca11cd9c7 Mon Sep 17 00:00:00 2001
+From: Lans Zhang
+Date: Wed, 16 Aug 2017 22:59:12 +0800
+Subject: [PATCH] Dynamically load openssl.cnf for openssl-1.0.x and 1.1.x
+
+Signed-off-by: Lans Zhang
+---
+ Make.rules | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/Make.rules b/Make.rules
+index 38c7a22..69c57cb 100644
+--- a/Make.rules
++++ b/Make.rules
+@@ -117,13 +117,23 @@ getvar = $(shell if [ "$(1)" = "PK" -o "$(1)" = "KEK" ]; then echo $(1); else ec
+ $(CC) -S $(INCDIR) $(cflags) $(cppflags) -fno-toplevel-reorder -DBUILD_EFI -c $< -o $@
+ 
+ %.crt:
+- $(OPENSSL) req -new -x509 -newkey rsa:2048 -subj "/CN=$*/" -keyout $*.key -out $@ -days 3650 -nodes -sha256
++ @if [ -s "$(OPENSSL_LIB)/ssl/openssl.cnf" ]; then \
++ cfg="$(OPENSSL_LIB)/ssl/openssl.cnf"; \
++ else \
++ cfg="$(OPENSSL_LIB)/ssl-1.1/openssl.cnf"; \
++ fi; \
++ $(OPENSSL) req -config $$cfg -new -x509 -newkey rsa:2048 -subj "/CN=$*/" -keyout $*.key -out $@ -days 3650 -nodes -sha256
+ 
+ %.cer: %.crt
+ $(OPENSSL) x509 -in $< -out $@ -outform DER
+ 
+ %-subkey.csr:
+- $(OPENSSL) req -new -newkey rsa:2048 -keyout $*-subkey.key -subj "/CN=Subkey $* of KEK/" -out $@ -nodes
++ @if [ -s "$(OPENSSL_LIB)/ssl/openssl.cnf" ]; then \
++ cfg="$(OPENSSL_LIB)/ssl/openssl.cnf"; \
++ else \
++ cfg="$(OPENSSL_LIB)/ssl-1.1/openssl.cnf"; \
++ fi; \
++ $(OPENSSL) req -config $$cfg -new -newkey rsa:2048 -keyout $*-subkey.key -subj "/CN=Subkey $* of KEK/" -out $@ -nodes
+ 
+ %-subkey.crt: %-subkey.csr KEK.crt
+ $(OPENSSL) x509 -req -in $< -CA DB.crt -CAkey DB.key -set_serial 1 -out $@ -days 365
+--
+2.7.5
+
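Review bot: The `else` branch of the added `@if [ -s ... ]` probe, in both the `%.crt` and `%-subkey.csr` recipes, assigns the `ssl-1.1` path without checking that it exists, so a sysroot with neither layout only fails later inside `openssl req` with a config-load message that does not point at the recipe. A line after `fi;`, `test -s "$$cfg" || { echo "no openssl.cnf under $(OPENSSL_LIB)"; exit 1; }; \`, would fail fast with a usable error, and `-config "$$cfg"` should be quoted the same way the `[ -s ... ]` tests already quote the path. The identical six-line probe is pasted into both recipes; hoisting it into one make-level variable would keep the two from drifting apart. Both recipes are fully inside the hunk, but the rest of Make.rules is not visible, so whether such a variable already exists cannot be confirmed from here.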
diff --git a/meta-efi-secure-boot/recipes-bsp/efitools/efitools/cert-to-efi-hash-list-support-to-build-with-openssl-.patch b/meta-efi-secure-boot/recipes-bsp/efitools/efitools/cert-to-efi-hash-list-support-to-build-with-openssl-.patch
new file mode 100644
index 0000000..b4f9ff6
--- /dev/null
+++ b/meta-efi-secure-boot/recipes-bsp/efitools/efitools/cert-to-efi-hash-list-support-to-build-with-openssl-.patch
@@ -0,0 +1,32 @@
+From 1b87c0e53efdccec4c05d2b92699f49cd3d6ec79 Mon Sep 17 00:00:00 2001
+From: Lans Zhang
+Date: Wed, 16 Aug 2017 19:52:37 +0800
+Subject: [PATCH] cert-to-efi-hash-list: support to build with openssl-1.1.x
+
+X509 becomes opaque since openssl-1.1.x and thus uses the equivalent
+function i2d_re_X509_tbs() instead to encode tbs portion of the certificate.
+
+Signed-off-by: Lans Zhang
+---
+ cert-to-efi-hash-list.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/cert-to-efi-hash-list.c b/cert-to-efi-hash-list.c
+index 3792553..2f2584c 100644
+--- a/cert-to-efi-hash-list.c
++++ b/cert-to-efi-hash-list.c
+@@ -135,7 +135,11 @@ main(int argc, char *argv[])
+ X509 *cert = PEM_read_bio_X509(cert_bio, NULL, NULL, NULL);
+ unsigned char *cert_buf = NULL;
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ int cert_len = i2d_X509_CINF(cert->cert_info, &cert_buf);
++#else
++ int cert_len = i2d_re_X509_tbs(cert, &cert_buf);
++#endif
+ ERR_print_errors_fp(stdout);
+ 
+ int len, digest_len, time_offset;
+--
+2.7.5
+
-- cgit v1.2.3-54-g00ecf
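Review bot: The new `i2d_re_X509_tbs(cert, &cert_buf)` call, like the `cert->cert_info` branch it mirrors, runs before `cert` is ever checked, and `PEM_read_bio_X509` returns NULL for a malformed or non-PEM input, so both branches turn a bad input file into a NULL dereference. A guard ahead of the `#if`, `if (!cert) { ERR_print_errors_fp(stdout); exit(1); }` (using whatever error path the rest of `main` already uses), would make that a clean failure, and `cert_len` deserves a `< 0` check before it is presumably used as a length further down, since the i2d functions return a negative value on encoding failure. Because these bytes are what gets hashed into the db/dbx entry, it is also worth confirming that the re-encoded TBS produced by `i2d_re_X509_tbs` is byte-identical to the certificate's original tbsCertificate DER for the inputs this tool is fed, as that is what firmware hashes at verification time. The enclosing `main` starts and ends outside the hunk.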