From 55c524d46fe3d7f8070b75eaea586196b6433b92 Mon Sep 17 00:00:00 2001 From: Thomas Petazzoni Date: Mon, 5 Apr 2021 22:21:54 +0200 Subject: [PATCH] boot/shim: bump to version 15.4 - Use the tarball provided by upstream developers instead of the one generated by Github. Indeed https://github.com/rhboot/shim/releases/tag/15.4 indicates "As usual, please use the shim-15.4.tar.bz2 tarball, rather than the other two archives github automatically produces." - The tarball now includes the gnu-efi code, so we no longer need to select gnu-efi and have it as a build dependency. We continue to use BR2_PACKAGE_GNU_EFI_ARCH_SUPPORTS as we still only build for those architectures that have gnu-efi support. We also drop the EFI_INCLUDE, EFI_PATH and LIBDIR variables, as gnu-efi no longer needs to be searched in STAGING_DIR. - Drop all four patches, which were backports from upstream. Signed-off-by: Thomas Petazzoni Signed-off-by: Peter Korsgaard --- ...po-in-the-EFI-warning-list-in-gnu-ef.patch | 57 --------- ...tuff-Waddress-of-packed-member-finds.patch | 90 -------------- ...ompareMem-on-MokListNode.Type-instea.patch | 73 ------------ ...void-Werror-address-of-packed-member.patch | 112 ------------------ boot/shim/Config.in | 2 +- boot/shim/shim.hash | 2 +- boot/shim/shim.mk | 11 +- 7 files changed, 6 insertions(+), 341 deletions(-) delete mode 100644 boot/shim/0001-console-Fix-a-typo-in-the-EFI-warning-list-in-gnu-ef.patch delete mode 100644 boot/shim/0002-Work-around-stuff-Waddress-of-packed-member-finds.patch delete mode 100644 boot/shim/0003-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch delete mode 100644 boot/shim/0004-MokManager-avoid-Werror-address-of-packed-member.patch diff --git a/boot/shim/0001-console-Fix-a-typo-in-the-EFI-warning-list-in-gnu-ef.patch b/boot/shim/0001-console-Fix-a-typo-in-the-EFI-warning-list-in-gnu-ef.patch deleted file mode 100644 index 77d1b54f16..0000000000 
--- a/boot/shim/0001-console-Fix-a-typo-in-the-EFI-warning-list-in-gnu-ef.patch +++ /dev/null @@ -1,57 +0,0 @@ -From b00d7f63df7ee6f74a63515f1469768e9cb2aa7a Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Mon, 26 Aug 2019 16:12:05 -0400 -Subject: [PATCH] console: Fix a typo in the EFI warning list in gnu-efi - -Some versions of gnu-efi have a typo, in which "EFI_WARN_UNKNOWN_GLYPH" -is accidentally "EFI_WARN_UNKOWN_GLYPH". Work around that, so that we -can use the not-silly one in console.c's list of error and warning -messages. - -This is a backport from devel for: - - commit 5f62b22ccd636d326b3229a2b196118701c6f3f7 - Author: Peter Jones - Date: Mon Aug 26 16:12:05 2019 -0400 - -Signed-off-by: Peter Jones -Upstream: d230d02f990f02293736dca78b108f86c86d1bd0 -Signed-off-by: Thomas Petazzoni ---- - include/console.h | 6 ++++++ - lib/console.c | 2 +- - 2 files changed, 7 insertions(+), 1 deletion(-) - -diff --git a/include/console.h b/include/console.h -index deb4fa3..00da98d 100644 ---- a/include/console.h -+++ b/include/console.h -@@ -7,6 +7,12 @@ - #define PrintAt(fmt, ...) \ - ({"Do not directly call PrintAt() use console_print_at() instead" = 1;}); - -+#if !defined(EFI_WARN_UNKNOWN_GLYPH) && defined(EFI_WARN_UNKOWN_GLYPH) -+#define EFI_WARN_UNKNOWN_GLYPH EFI_WARN_UNKOWN_GLYPH -+#elif !defined(EFI_WARN_UNKNOWN_GLYPH) -+#define EFI_WARN_UNKNOWN_GLYPH EFIWARN(1) -+#endif -+ - EFI_STATUS - console_get_keystroke(EFI_INPUT_KEY *key); - UINTN -diff --git a/lib/console.c b/lib/console.c -index 3aee41c..ccd4d4d 100644 ---- a/lib/console.c -+++ b/lib/console.c -@@ -445,7 +445,7 @@ static struct { - { EFI_SECURITY_VIOLATION, L"Security Violation"}, - - // warnings -- { EFI_WARN_UNKOWN_GLYPH, L"Warning Unknown Glyph"}, -+ { EFI_WARN_UNKNOWN_GLYPH, L"Warning Unknown Glyph"}, - { EFI_WARN_DELETE_FAILURE, L"Warning Delete Failure"}, - { EFI_WARN_WRITE_FAILURE, L"Warning Write Failure"}, - { EFI_WARN_BUFFER_TOO_SMALL, L"Warning Buffer Too Small"}, --- -2.30.2 - 
diff --git a/boot/shim/0002-Work-around-stuff-Waddress-of-packed-member-finds.patch b/boot/shim/0002-Work-around-stuff-Waddress-of-packed-member-finds.patch deleted file mode 100644 index 9a6187b1a1..0000000000 --- a/boot/shim/0002-Work-around-stuff-Waddress-of-packed-member-finds.patch +++ /dev/null 
@@ -1,90 +0,0 @@ -From 7c1d3d8116b78bf096b7b8c6da5486f37efeb75f Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Mon, 13 May 2019 16:34:35 -0400 -Subject: [PATCH] Work around stuff -Waddress-of-packed-member finds. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -In MokManager we get a lot of these: - -../src/MokManager.c:1063:19: error: taking address of packed member of ‘struct ’ may result in an unaligned pointer value [-Werror=address-of-packed-member] - 1063 | if (CompareGuid(&(list[i].Type), &X509_GUID) == 0) - | ^~~~~~~~~~~~~~~ - -The reason for this is that gnu-efi takes EFI_GUID * as its argument -instead of VOID *, and there's nothing telling the compiler that it -doesn't have alignment constraints on the input, so the compiler wants -it to have 16-byte alignment. - -Just use CompareMem() for these, as that's all CompareGuid is calling -anyway. - -Signed-off-by: Peter Jones -Upstream: 2cbf56b82a5102777b37c4f7f47c8cf058cea027 -Signed-off-by: Thomas Petazzoni ---- - MokManager.c | 12 +++++++----- - 1 file changed, 7 insertions(+), 5 deletions(-) - -diff --git a/MokManager.c b/MokManager.c -index 7e40a38..5d0a979 100644 ---- a/MokManager.c -+++ b/MokManager.c -@@ -22,6 +22,8 @@ - #define CERT_STRING L"Select an X509 certificate to enroll:\n\n" - #define HASH_STRING L"Select a file to trust:\n\n" - -+#define CompareMemberGuid(x, y) CompareMem(x, y, sizeof(EFI_GUID)) -+ - typedef struct { - UINT32 MokSize; - UINT8 *Mok; -@@ -1078,7 +1080,7 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num, - continue; - - DataSize += sizeof(EFI_SIGNATURE_LIST); -- if (CompareGuid(&(list[i].Type), &X509_GUID) == 0) -+ if (CompareMemberGuid(&(list[i].Type), &X509_GUID) == 0) - DataSize += sizeof(EFI_GUID); - DataSize += list[i].MokSize; - } -@@ -1100,7 +1102,7 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num, - CertList->SignatureType = list[i].Type; - CertList->SignatureHeaderSize 
= 0; - -- if (CompareGuid(&(list[i].Type), &X509_GUID) == 0) { -+ if (CompareMemberGuid(&(list[i].Type), &X509_GUID) == 0) { - CertList->SignatureListSize = list[i].MokSize + - sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID); - CertList->SignatureSize = -@@ -1141,7 +1143,7 @@ static void delete_cert(void *key, UINT32 key_size, - int i; - - for (i = 0; i < mok_num; i++) { -- if (CompareGuid(&(mok[i].Type), &X509_GUID) != 0) -+ if (CompareMemberGuid(&(mok[i].Type), &X509_GUID) != 0) - continue; - - if (mok[i].MokSize == key_size && -@@ -1192,7 +1194,7 @@ static void delete_hash_in_list(EFI_GUID Type, UINT8 * hash, UINT32 hash_size, - sig_size = hash_size + sizeof(EFI_GUID); - - for (i = 0; i < mok_num; i++) { -- if ((CompareGuid(&(mok[i].Type), &Type) != 0) || -+ if ((CompareMemberGuid(&(mok[i].Type), &Type) != 0) || - (mok[i].MokSize < sig_size)) - continue; - -@@ -1356,7 +1358,7 @@ static EFI_STATUS delete_keys(void *MokDel, UINTN MokDelSize, BOOLEAN MokX) - - /* Search and destroy */ - for (i = 0; i < del_num; i++) { -- if (CompareGuid(&(del_key[i].Type), &X509_GUID) == 0) { -+ if (CompareMemberGuid(&(del_key[i].Type), &X509_GUID) == 0) { - delete_cert(del_key[i].Mok, del_key[i].MokSize, - mok, mok_num); - } else if (is_sha2_hash(del_key[i].Type)) { --- -2.30.2 - diff --git a/boot/shim/0003-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch b/boot/shim/0003-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch deleted file mode 100644 index 5f8f44519d..0000000000 --- a/boot/shim/0003-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From 694a91664a7f5018bdc1e1092e07a8ac7fc35fc0 Mon Sep 17 00:00:00 2001 -From: Gary Lin -Date: Tue, 26 Feb 2019 11:33:53 +0800 -Subject: [PATCH] MokManager: Use CompareMem on MokListNode.Type instead of - CompareGuid - -Fix the errors from gcc9 '-Werror=address-of-packed-member' - -https://github.com/rhboot/shim/issues/161 - -Signed-off-by: Gary Lin -Upstream: 5d30a31fef4eb7e773da24c5e6c20576282a9c3a -Signed-off-by: Thomas Petazzoni ---- - MokManager.c | 14 +++++++++----- - 1 file changed, 9 insertions(+), 5 deletions(-) - -diff --git a/MokManager.c b/MokManager.c -index 5d0a979..e13400b 100644 ---- a/MokManager.c -+++ b/MokManager.c -@@ -1080,7 +1080,8 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num, - continue; - - DataSize += sizeof(EFI_SIGNATURE_LIST); -- if (CompareMemberGuid(&(list[i].Type), &X509_GUID) == 0) -+ if (CompareMem(&(list[i].Type), &X509_GUID, -+ sizeof(EFI_GUID)) == 0) - DataSize += sizeof(EFI_GUID); - DataSize += list[i].MokSize; - } -@@ -1102,7 +1103,8 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num, - CertList->SignatureType = list[i].Type; - CertList->SignatureHeaderSize = 0; - -- if (CompareMemberGuid(&(list[i].Type), &X509_GUID) == 0) { -+ if (CompareMem(&(list[i].Type), &X509_GUID, -+ sizeof(EFI_GUID)) == 0) { - CertList->SignatureListSize = list[i].MokSize + - sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID); - CertList->SignatureSize = -@@ -1143,7 +1145,8 @@ static void delete_cert(void *key, UINT32 key_size, - int i; - - for (i = 0; i < mok_num; i++) { -- if (CompareMemberGuid(&(mok[i].Type), &X509_GUID) != 0) -+ if (CompareMem(&(mok[i].Type), &X509_GUID, -+ sizeof(EFI_GUID)) != 0) - continue; - - if (mok[i].MokSize == key_size && -@@ -1194,7 +1197,7 @@ static void delete_hash_in_list(EFI_GUID Type, UINT8 * hash, UINT32 hash_size, - sig_size = hash_size + sizeof(EFI_GUID); - - for (i = 0; i < mok_num; i++) { -- if ((CompareMemberGuid(&(mok[i].Type), &Type) != 0) || -+ if 
((CompareMem(&(mok[i].Type), &Type, sizeof(EFI_GUID)) != 0) || - (mok[i].MokSize < sig_size)) - continue; - -@@ -1358,7 +1361,8 @@ static EFI_STATUS delete_keys(void *MokDel, UINTN MokDelSize, BOOLEAN MokX) - - /* Search and destroy */ - for (i = 0; i < del_num; i++) { -- if (CompareMemberGuid(&(del_key[i].Type), &X509_GUID) == 0) { -+ if (CompareMem(&(del_key[i].Type), &X509_GUID, -+ sizeof(EFI_GUID)) == 0) { - delete_cert(del_key[i].Mok, del_key[i].MokSize, - mok, mok_num); - } else if (is_sha2_hash(del_key[i].Type)) { --- -2.30.2 - diff --git a/boot/shim/0004-MokManager-avoid-Werror-address-of-packed-member.patch b/boot/shim/0004-MokManager-avoid-Werror-address-of-packed-member.patch deleted file mode 100644 index d86c5bb005..0000000000 --- a/boot/shim/0004-MokManager-avoid-Werror-address-of-packed-member.patch +++ /dev/null 
@@ -1,112 +0,0 @@ -From f17f67fef7ae05cbad8609aacef41a448a2d8d54 Mon Sep 17 00:00:00 2001 -From: Jonas Witschel -Date: Thu, 5 Sep 2019 10:39:37 +0200 -Subject: [PATCH] MokManager: avoid -Werror=address-of-packed-member -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -When compiling with GCC 9, there are a couple of errors of the form - -MokManager.c: In function ‘write_back_mok_list’: -MokManager.c:1056:19: error: taking address of packed member of ‘struct ’ may result in an unaligned pointer value [-Werror=address-of-packed-member] - 1056 | if (CompareGuid(&(list[i].Type), &X509_GUID) == 0) - | ^~~~~~~~~~~~~~~ - -Copying the member of the packed struct to a temporary variable and -pointing to that variable solves the problem. - -Upstream: d57e53f3bddc4bc7299b3d5efd5ba8c547e8dfa5 -Signed-off-by: Thomas Petazzoni ---- - MokManager.c | 22 +++++++++++++--------- - 1 file changed, 13 insertions(+), 9 deletions(-) - -diff --git a/MokManager.c b/MokManager.c -index e13400b..1a8d666 100644 ---- a/MokManager.c -+++ b/MokManager.c -@@ -1065,6 +1065,7 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num, - EFI_STATUS efi_status; - EFI_SIGNATURE_LIST *CertList; - EFI_SIGNATURE_DATA *CertData; -+ EFI_GUID type; - void *Data = NULL, *ptr; - INTN DataSize = 0; - int i; -@@ -1080,8 +1081,8 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num, - continue; - - DataSize += sizeof(EFI_SIGNATURE_LIST); -- if (CompareMem(&(list[i].Type), &X509_GUID, -- sizeof(EFI_GUID)) == 0) -+ type = list[i].Type; /* avoid -Werror=address-of-packed-member */ -+ if (CompareGuid(&type, &X509_GUID) == 0) - DataSize += sizeof(EFI_GUID); - DataSize += list[i].MokSize; - } -@@ -1103,8 +1104,7 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num, - CertList->SignatureType = list[i].Type; - CertList->SignatureHeaderSize = 0; - -- if (CompareMem(&(list[i].Type), &X509_GUID, -- sizeof(EFI_GUID)) == 0) 
{ -+ if (CompareGuid(&(CertList->SignatureType), &X509_GUID) == 0) { - CertList->SignatureListSize = list[i].MokSize + - sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID); - CertList->SignatureSize = -@@ -1142,11 +1142,12 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num, - static void delete_cert(void *key, UINT32 key_size, - MokListNode * mok, INTN mok_num) - { -+ EFI_GUID type; - int i; - - for (i = 0; i < mok_num; i++) { -- if (CompareMem(&(mok[i].Type), &X509_GUID, -- sizeof(EFI_GUID)) != 0) -+ type = mok[i].Type; /* avoid -Werror=address-of-packed-member */ -+ if (CompareGuid(&type, &X509_GUID) != 0) - continue; - - if (mok[i].MokSize == key_size && -@@ -1188,6 +1189,7 @@ static void mem_move(void *dest, void *src, UINTN size) - static void delete_hash_in_list(EFI_GUID Type, UINT8 * hash, UINT32 hash_size, - MokListNode * mok, INTN mok_num) - { -+ EFI_GUID type; - UINT32 sig_size; - UINT32 list_num; - int i, del_ind; -@@ -1197,7 +1199,8 @@ static void delete_hash_in_list(EFI_GUID Type, UINT8 * hash, UINT32 hash_size, - sig_size = hash_size + sizeof(EFI_GUID); - - for (i = 0; i < mok_num; i++) { -- if ((CompareMem(&(mok[i].Type), &Type, sizeof(EFI_GUID)) != 0) || -+ type = mok[i].Type; /* avoid -Werror=address-of-packed-member */ -+ if ((CompareGuid(&type, &Type) != 0) || - (mok[i].MokSize < sig_size)) - continue; - -@@ -1253,6 +1256,7 @@ static void delete_hash_list(EFI_GUID Type, void *hash_list, UINT32 list_size, - static EFI_STATUS delete_keys(void *MokDel, UINTN MokDelSize, BOOLEAN MokX) - { - EFI_STATUS efi_status; -+ EFI_GUID type; - CHAR16 *db_name; - CHAR16 *auth_name; - CHAR16 *err_strs[] = { NULL, NULL, NULL }; -@@ -1361,8 +1365,8 @@ static EFI_STATUS delete_keys(void *MokDel, UINTN MokDelSize, BOOLEAN MokX) - - /* Search and destroy */ - for (i = 0; i < del_num; i++) { -- if (CompareMem(&(del_key[i].Type), &X509_GUID, -- sizeof(EFI_GUID)) == 0) { -+ type = del_key[i].Type; /* avoid -Werror=address-of-packed-member */ -+ if 
(CompareGuid(&type, &X509_GUID) == 0) {
- delete_cert(del_key[i].Mok, del_key[i].MokSize,
- mok, mok_num);
- } else if (is_sha2_hash(del_key[i].Type)) {
--- 
-2.30.2
-
diff --git a/boot/shim/Config.in b/boot/shim/Config.in
index ea6650f54c..596ff5b2cf 100644
--- a/boot/shim/Config.in
+++ b/boot/shim/Config.in
@@ -1,9 +1,9 @@
 config BR2_TARGET_SHIM
 bool "shim"
+ # it includes gnu-efi
 depends on BR2_PACKAGE_GNU_EFI_ARCH_SUPPORTS
 # ARM32 build currently broken
 depends on !BR2_ARM_CPU_HAS_ARM
- select BR2_PACKAGE_GNU_EFI
 help
 Boot loader to chain-load signed boot loaders under Secure
 Boot.
diff --git a/boot/shim/shim.hash b/boot/shim/shim.hash
index 318390f80b..15c763abca 100644
--- a/boot/shim/shim.hash
+++ b/boot/shim/shim.hash
@@ -1,3 +1,3 @@
 # locally computed hash
-sha256 279d19cc95b9974ea2379401a6a0653d949c3fa3d61f0c4bd6a7b9e840bdc425 shim-15.tar.gz
+sha256 8344473dd10569588b8238a4656b8fab226714eea9f5363f8c410aa8a5090297 shim-15.4.tar.bz2
 sha256 15edf527919ddcb2f514ab9d16ad07ef219e4bb490e0b79560be510f0c159cc2 COPYRIGHT
diff --git a/boot/shim/shim.mk b/boot/shim/shim.mk
index e0f01a8a9d..0a6d1527aa 100644
--- a/boot/shim/shim.mk
+++ b/boot/shim/shim.mk
@@ -4,22 +4,19 @@
 #
 ################################################################################
-SHIM_VERSION = 15
-SHIM_SITE = $(call github,rhboot,shim,$(SHIM_VERSION))
+SHIM_VERSION = 15.4
+SHIM_SITE = https://github.com/rhboot/shim/releases/download/$(SHIM_VERSION)
+SHIM_SOURCE = shim-$(SHIM_VERSION).tar.bz2
 SHIM_LICENSE = BSD-2-Clause
 SHIM_LICENSE_FILES = COPYRIGHT
 SHIM_CPE_ID_VENDOR = redhat
-SHIM_DEPENDENCIES = gnu-efi
 SHIM_INSTALL_TARGET = NO
 SHIM_INSTALL_IMAGES = YES
 SHIM_MAKE_OPTS = \
 ARCH="$(GNU_EFI_PLATFORM)" \
 CROSS_COMPILE="$(TARGET_CROSS)" \
- DASHJ="-j$(PARALLEL_JOBS)" \
- EFI_INCLUDE="$(STAGING_DIR)/usr/include/efi" \
- EFI_PATH="$(STAGING_DIR)/usr/lib" \
- LIBDIR="$(STAGING_DIR)/usr/lib"
+ DASHJ="-j$(PARALLEL_JOBS)"
 define SHIM_BUILD_CMDS
 $(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D) $(SHIM_MAKE_OPTS)
-- 
2.30.2
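Review bot: With gnu-efi now built from the copy inside the shim tarball, `SHIM_LICENSE`, `SHIM_LICENSE_FILES` and `SHIM_CPE_ID_VENDOR` are left describing shim alone, so the legal-info and CPE output no longer account for the gnu-efi code that ends up in the Secure Boot loader. It is worth confirming whether the bundled copy needs its own licence entry, and recording in a comment that its fixes now arrive only through shim bumps, e.g. `# gnu-efi is bundled in the shim tarball; it is not tracked as a separate package`. Separately, `ARCH="$(GNU_EFI_PLATFORM)"` still uses a variable this file does not define although `SHIM_DEPENDENCIES = gnu-efi` is removed; that presumably keeps working because the gnu-efi makefile is still parsed, but a one-line comment above `SHIM_MAKE_OPTS` saying where the variable comes from would keep a later cleanup from breaking the build. The comment added in Config.in (`# it includes gnu-efi`) could be worded the same way so the reason for keeping `BR2_PACKAGE_GNU_EFI_ARCH_SUPPORTS` is clear.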