boot/shim: new package
authorPeter Korsgaard <peter@korsgaard.com>
Fri, 11 Jan 2019 10:01:11 +0000 (11:01 +0100)
committerThomas Petazzoni <thomas.petazzoni@bootlin.com>
Sat, 12 Jan 2019 16:38:25 +0000 (17:38 +0100)
This commit adds a package for 'shim', an EFI bootloader for secure
boot chain loading.

While gnu-efi supports 32-bit ARM, building shim for it is currently broken.

Patches to fix this have been submitted upstream but are not included
here for now.

https://github.com/rhboot/shim/pull/162

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
[Thomas: use BR2_PACKAGE_GNU_EFI_ARCH_SUPPORTS, add separate depends
on to exclude ARM32 build.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
DEVELOPERS
boot/Config.in
boot/shim/Config.in [new file with mode: 0644]
boot/shim/shim.hash [new file with mode: 0644]
boot/shim/shim.mk [new file with mode: 0644]

index 3b3923ae4ff1cd08c34511a1004f5b8b4ea47960..aa1bf325cb12269db2870f2514c671027422c509 100644 (file)
@@ -1649,6 +1649,7 @@ F:        board/openblocks/a6/
 F:     board/orangepi/
 F:     board/pandaboard/
 F:     board/roseapplepi/
+F:     boot/shim/
 F:     configs/minnowboard_max-graphical_defconfig
 F:     configs/minnowboard_max_defconfig
 F:     configs/nexbox_a95x_defconfig
index 8e0c8e5df49a26c31bee5c25a4b7dd7dbd7a3b1a..11856fd9c7dc8eee6925e33e36cb37667236d3a7 100644 (file)
@@ -15,6 +15,7 @@ source "boot/mv-ddr-marvell/Config.in"
 source "boot/mxs-bootlets/Config.in"
 source "boot/riscv-pk/Config.in"
 source "boot/s500-bootloader/Config.in"
+source "boot/shim/Config.in"
 source "boot/syslinux/Config.in"
 source "boot/ts4800-mbrboot/Config.in"
 source "boot/uboot/Config.in"
diff --git a/boot/shim/Config.in b/boot/shim/Config.in
new file mode 100644 (file)
index 0000000..ea6650f
--- /dev/null
@@ -0,0 +1,19 @@
+config BR2_TARGET_SHIM
+       bool "shim"
+       depends on BR2_PACKAGE_GNU_EFI_ARCH_SUPPORTS
+       # ARM32 build currently broken
+       depends on !BR2_ARM_CPU_HAS_ARM
+       select BR2_PACKAGE_GNU_EFI
+       help
+         Boot loader to chain-load signed boot loaders under Secure
+         Boot.
+
+         This package provides a minimalist boot loader which allows
+         verifying signatures of other UEFI binaries against either
+         the Secure Boot DB/DBX or against a built-in signature
+         database.  Its purpose is to allow a small,
+         infrequently-changing binary to be signed by the UEFI CA,
+         while allowing an OS distributor to revision their main
+         bootloader independently of the CA.
+
+         https://github.com/rhboot/shim
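Review bot: The comment `# ARM32 build currently broken` above `depends on !BR2_ARM_CPU_HAS_ARM` gives no pointer to the upstream fix, so nobody reading Config.in will know when the restriction can be lifted; the commit message names the pull request, so carry it into the file as `# ARM32 build currently broken, see https://github.com/rhboot/shim/pull/162`. It would also help users to say in the help text that the shim built by this package is not signed and, judging from shim.mk passing no vendor certificate, embeds no distributor key, so it has to be signed (or its key enrolled) before a firmware with Secure Boot enforced will run it.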
diff --git a/boot/shim/shim.hash b/boot/shim/shim.hash
new file mode 100644 (file)
index 0000000..318390f
--- /dev/null
@@ -0,0 +1,3 @@
+# locally computed hash
+sha256 279d19cc95b9974ea2379401a6a0653d949c3fa3d61f0c4bd6a7b9e840bdc425  shim-15.tar.gz
+sha256 15edf527919ddcb2f514ab9d16ad07ef219e4bb490e0b79560be510f0c159cc2  COPYRIGHT
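Review bot: The sha256 for shim-15.tar.gz is marked `# locally computed hash`, i.e. it was computed from the auto-generated GitHub archive rather than cross-checked against anything upstream publishes, so it pins what was downloaded once but establishes no provenance for a Secure Boot component. If upstream publishes a signed release archive for this version, fetching that and recording in the comment how the hash was verified would be preferable; otherwise the comment should at least state that the archive is the GitHub autogenerated tarball for tag 15 so a later re-verification knows what to compare against.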
diff --git a/boot/shim/shim.mk b/boot/shim/shim.mk
new file mode 100644 (file)
index 0000000..ba5bc51
--- /dev/null
@@ -0,0 +1,31 @@
+################################################################################
+#
+# shim
+#
+################################################################################
+
+SHIM_VERSION = 15
+SHIM_SITE = $(call github,rhboot,shim,$(SHIM_VERSION))
+SHIM_LICENSE = BSD-2-Clause
+SHIM_LICENSE_FILES = COPYRIGHT
+SHIM_DEPENDENCIES = gnu-efi
+SHIM_INSTALL_TARGET = NO
+SHIM_INSTALL_IMAGES = YES
+
+SHIM_MAKE_OPTS = \
+       ARCH="$(GNU_EFI_PLATFORM)" \
+       CROSS_COMPILE="$(TARGET_CROSS)" \
+       DASHJ="-j$(PARALLEL_JOBS)" \
+       EFI_INCLUDE="$(STAGING_DIR)/usr/include/efi" \
+       EFI_PATH="$(STAGING_DIR)/usr/lib" \
+       LIBDIR="$(STAGING_DIR)/usr/lib"
+
+define SHIM_BUILD_CMDS
+       $(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D) $(SHIM_MAKE_OPTS)
+endef
+
+define SHIM_INSTALL_IMAGES_CMDS
+       $(INSTALL) -m 0755 -t $(BINARIES_DIR) $(@D)/*.efi
+endef
+
+$(eval $(generic-package))
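Review bot: SHIM_MAKE_OPTS passes no VENDOR_CERT_FILE, so the shim.efi produced by SHIM_BUILD_CMDS embeds no vendor certificate, and nothing in the package signs the installed `*.efi` files; a firmware with Secure Boot enforced will presumably reject the unsigned binary, and even once signed it can only trust second-stage loaders through the firmware db or an enrolled MOK rather than a distributor key. Consider exposing the certificate as a config option (a constructed name such as `BR2_TARGET_SHIM_VENDOR_CERT`) and wiring it in after SHIM_MAKE_OPTS as `ifneq ($(call qstrip,$(BR2_TARGET_SHIM_VENDOR_CERT)),)` / `SHIM_MAKE_OPTS += VENDOR_CERT_FILE="$(call qstrip,$(BR2_TARGET_SHIM_VENDOR_CERT))"` / `endif`. Independently of that, a comment above SHIM_INSTALL_IMAGES_CMDS should state that the images land in BINARIES_DIR unsigned and must be signed by the UEFI CA or a key enrolled in db before deployment.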