mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-10-02 19:11:20 +02:00
Code Issues Packages Projects Releases Wiki Activity

app-crypt/sbsigntools: sync with ::gentoo

Browse Source 
Commit-Ref: bc01370226f4b5f773ae0da7d49ae09b90622666

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
This commit is contained in:
Mathieu Tortuyaux 2022-01-31 16:59:44 +01:00
parent 19a486c58d
commit 258e8530ba
8 changed files with 54 additions and 247 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntools/Manifest vendored
View File

@ -1,3 +1,3 @@
DIST sbsigntool-0.8-ccan.tar.gz 113537 BLAKE2B 8fbf27463d30c1895930628a145be2d521ae4f6adb7af3299bf2f5f4319fd643df0a07347ef6851bd41d233af4c3fc5f77002771af1c43aa0f20665aef2390b8 SHA512 6857096879f116f1802eb6b44789cbea7bb24440bc0f16503aeadf5f276fa45943f322f844dbb9abee717655205d82b830143be3a7f4424fd4146b9360674a09 DIST sbsigntool-0.8-ccan.tar.gz 113537 BLAKE2B 8fbf27463d30c1895930628a145be2d521ae4f6adb7af3299bf2f5f4319fd643df0a07347ef6851bd41d233af4c3fc5f77002771af1c43aa0f20665aef2390b8 SHA512 6857096879f116f1802eb6b44789cbea7bb24440bc0f16503aeadf5f276fa45943f322f844dbb9abee717655205d82b830143be3a7f4424fd4146b9360674a09
DIST sbsigntool_0.6.orig.tar.gz 212375 BLAKE2B fab9141c7fbfa01ec24f975503ac83be4ae0664251a1311afb3d95124fec3750ce20a5ffab35b6965d4ee4585ab4ee91f25ae49488214a983b6fc006071d0968 SHA512 ed314d1cb7278cf5f27d4c3cd17f2195678419a7f9e47770429b6f95df35f7df035331e60c45970183ddd9b150a9b752f876c777929598b0525872b3255af95c DIST sbsigntools-0.9.2.tar.gz 56525 BLAKE2B 0bce1f534aa960672eab6a415e287b79ff9f18eb947e2217ad4533081f8b854e160b57828afbb56423b2dcab723d3a8aacb2e6affeb2057d17ce3c1761d96b11 SHA512 060753ed9c8db794e4755cc66c1940a2ccc89f4ddf0e825da1f1e6eaa75fc67c21060ee4b5dfb0c757b69e6f5959bfa68156d9f95a945cf63c6a20f1414a2c27
DIST sbsigntools-0.9.1.tar.gz 56497 BLAKE2B 22791bd4b490f36963a19e82da3ce7b93a56d948bf44d1ffdb62fa3291a3f815b2c19d68f9180b607c2b1438f656367ec1f9002f0b1225734d16a9aadc6d20ec SHA512 ae16232327c098bbc60a9701185d856d851cb7fa8f62be64d3c8f75c8b274b8521fcc4212226189def05db980690878ee6ac9a9b418166c92442aaf35e790d29 DIST sbsigntools-0.9.4.tar.gz 57714 BLAKE2B 94797af6c98a9c13cb71e52ba6f7ff07de70660af2194b14061e0cb618d6effff52ef7a4dd2fd4e44e75f022b979442d4290b1d65d63017b2fbebdca5951c5c9 SHA512 953d3d9a7f92b837da966eabe3572163a29c5292e792d5ef17cf842d7373ffaa901377cb4ec68006a6ef2f9c97d48db8ffdd3a6d2853be67016d3484a118bba9

29
sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntools/files/0002-image.c-clear-image-variable.patch vendored
View File

@ -1,29 +0,0 @@
From 21e984fa9d93a760cc03f5d9d13d023809227df2 Mon Sep 17 00:00:00 2001
From: James Bottomley <JBottomley@Parallels.com>
Date: Thu, 11 Apr 2013 21:12:17 -0700
Subject: image.c: clear image variable
Not zeroing the image after talloc occasionally leads to a segfault because
the programme thinks it has a signature when in reality it just has a junk
pointer and segfaults.
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
---
src/image.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/image.c b/src/image.c
index cc55791..10eba0e 100644
--- a/src/image.c
+++ b/src/image.c
@@ -401,6 +401,7 @@ struct image *image_load(const char *filename)
return NULL;
}
+ memset(image, 0, sizeof(*image));
rc = fileio_read_file(image, filename, &image->buf, &image->size);
if (rc)
goto err;
--
1.8.2.1

39
sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntools/files/0003-Fix-for-multi-sign.patch vendored
View File

@ -1,39 +0,0 @@
From e58a528ef57e53008222f238cce7c326a14572e2 Mon Sep 17 00:00:00 2001
From: James Bottomley <JBottomley@Parallels.com>
Date: Mon, 30 Sep 2013 19:25:37 -0700
Subject: [PATCH 4/4] Fix for multi-sign
The new Tianocore multi-sign code fails now for images signed with
sbsigntools. The reason is that we don't actually align the signature table,
we just slap it straight after the binary data. Unfortunately, the new
multi-signature code checks that our alignment offsets are correct and fails
the signature for this reason. Fix by adding junk to the end of the image to
align the signature section.
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
---
src/image.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/image.c b/src/image.c
index 10eba0e..519e288 100644
--- a/src/image.c
+++ b/src/image.c
@@ -385,7 +385,13 @@ static int image_find_regions(struct image *image)
/* record the size of non-signature data */
r = &image->checksum_regions[image->n_checksum_regions - 1];
- image->data_size = (r->data - (void *)image->buf) + r->size;
+ /*
+ * The new Tianocore multisign does a stricter check of the signatures
+ * in particular, the signature table must start at an aligned offset
+ * fix this by adding bytes to the end of the text section (which must
+ * be included in the hash)
+ */
+ image->data_size = align_up((r->data - (void *)image->buf) + r->size, 8);
return 0;
}
--
1.8.4

15
sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntools/files/openssl-3-compat.patch vendored
View File

@ -1,15 +0,0 @@
diff --git a/src/idc.c b/src/idc.c
index 6d87bd4..0a82218 100644
--- a/src/idc.c
+++ b/src/idc.c
@@ -189,7 +189,7 @@ int IDC_set(PKCS7 *p7, PKCS7_SIGNER_INFO *si, struct image *image)
idc->data->type = OBJ_nid2obj(peid_nid);
idc->data->value = ASN1_TYPE_new();
- type_set_sequence(image, idc->data->value, peid, &IDC_PEID_it);
+ type_set_sequence(image, idc->data->value, peid, ASN1_ITEM_rptr(IDC_PEID));
idc->digest->alg->parameter = ASN1_TYPE_new();
idc->digest->alg->algorithm = OBJ_nid2obj(NID_sha256);
--
2.25.1

152
sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntools/files/sbsigntools-0.9.1-openssl-1.1.0-compat.patch vendored
View File

@ -1,152 +0,0 @@
diff --git a/src/fileio.c b/src/fileio.c
index 032eb1e..09bc3aa 100644
--- a/src/fileio.c
+++ b/src/fileio.c
@@ -40,6 +40,7 @@
#include <openssl/pem.h>
#include <openssl/err.h>
#include <openssl/engine.h>
+#include <openssl/ui.h>
#include <ccan/talloc/talloc.h>
#include <ccan/read_write_all/read_write_all.h>
diff --git a/src/idc.c b/src/idc.c
index 236cefd..6d87bd4 100644
--- a/src/idc.c
+++ b/src/idc.c
@@ -238,7 +238,11 @@ struct idc *IDC_get(PKCS7 *p7, BIO *bio)
/* extract the idc from the signed PKCS7 'other' data */
str = p7->d.sign->contents->d.other->value.asn1_string;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
idcbuf = buf = ASN1_STRING_data(str);
+#else
+ idcbuf = buf = ASN1_STRING_get0_data(str);
+#endif
idc = d2i_IDC(NULL, &buf, ASN1_STRING_length(str));
/* If we were passed a BIO, write the idc data, minus type and length,
@@ -289,7 +293,11 @@ int IDC_check_hash(struct idc *idc, struct image *image)
}
/* check hash against the one we calculated from the image */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
buf = ASN1_STRING_data(str);
+#else
+ buf = ASN1_STRING_get0_data(str);
+#endif
if (memcmp(buf, sha, sizeof(sha))) {
fprintf(stderr, "Hash doesn't match image\n");
fprintf(stderr, " got: %s\n", sha256_str(buf));
diff --git a/src/sbattach.c b/src/sbattach.c
index a0c01b8..e89a23e 100644
--- a/src/sbattach.c
+++ b/src/sbattach.c
@@ -231,6 +231,7 @@ int main(int argc, char **argv)
return EXIT_FAILURE;
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
ERR_load_crypto_strings();
OpenSSL_add_all_digests();
OPENSSL_config(NULL);
@@ -239,6 +240,7 @@ int main(int argc, char **argv)
* module isn't present). In either case ignore the errors
* (malloc will cause other failures out lower down */
ERR_clear_error();
+#endif
image = image_load(image_filename);
if (!image) {
diff --git a/src/sbkeysync.c b/src/sbkeysync.c
index 7b17f40..419b1e7 100644
--- a/src/sbkeysync.c
+++ b/src/sbkeysync.c
@@ -208,7 +208,11 @@ static int x509_key_parse(struct key *key, uint8_t *data, size_t len)
goto out;
key->id_len = ASN1_STRING_length(serial);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len);
+#else
+ key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len);
+#endif
key->description = talloc_array(key, char, description_len);
X509_NAME_oneline(X509_get_subject_name(x509),
@@ -927,6 +931,7 @@ int main(int argc, char **argv)
return EXIT_FAILURE;
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
ERR_load_crypto_strings();
OpenSSL_add_all_digests();
OpenSSL_add_all_ciphers();
@@ -936,6 +941,7 @@ int main(int argc, char **argv)
* module isn't present). In either case ignore the errors
* (malloc will cause other failures out lower down */
ERR_clear_error();
+#endif
ctx->filesystem_keys = init_keyset(ctx);
ctx->firmware_keys = init_keyset(ctx);
diff --git a/src/sbsign.c b/src/sbsign.c
index ff1fdfd..78d8d64 100644
--- a/src/sbsign.c
+++ b/src/sbsign.c
@@ -188,6 +188,7 @@ int main(int argc, char **argv)
talloc_steal(ctx, ctx->image);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
ERR_load_crypto_strings();
OpenSSL_add_all_digests();
OpenSSL_add_all_ciphers();
@@ -197,6 +198,7 @@ int main(int argc, char **argv)
* module isn't present). In either case ignore the errors
* (malloc will cause other failures out lower down */
ERR_clear_error();
+#endif
if (engine)
pkey = fileio_read_engine_key(engine, keyfilename);
else
diff --git a/src/sbvarsign.c b/src/sbvarsign.c
index 7dcbe51..9319c8b 100644
--- a/src/sbvarsign.c
+++ b/src/sbvarsign.c
@@ -509,6 +509,7 @@ int main(int argc, char **argv)
return EXIT_FAILURE;
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
/* initialise openssl */
OpenSSL_add_all_digests();
OpenSSL_add_all_ciphers();
@@ -519,6 +520,7 @@ int main(int argc, char **argv)
* module isn't present). In either case ignore the errors
* (malloc will cause other failures out lower down */
ERR_clear_error();
+#endif
/* set up the variable signing context */
varname = argv[optind];
diff --git a/src/sbverify.c b/src/sbverify.c
index 3920d91..d0b203a 100644
--- a/src/sbverify.c
+++ b/src/sbverify.c
@@ -250,6 +250,7 @@ int main(int argc, char **argv)
verbose = false;
detached_sig_filename = NULL;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
OpenSSL_add_all_digests();
ERR_load_crypto_strings();
OPENSSL_config(NULL);
@@ -258,6 +259,7 @@ int main(int argc, char **argv)
* module isn't present). In either case ignore the errors
* (malloc will cause other failures out lower down */
ERR_clear_error();
+#endif
for (;;) {
int idx;

2
sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntools/metadata.xml vendored
View File

@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd"> <!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata> <pkgmetadata>
<maintainer type="person"> <maintainer type="person">
<email>tamiko@gentoo.org</email> <email>tamiko@gentoo.org</email>

13
sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntools/sbsigntools-0.9.1-r1.ebuild → sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntools/sbsigntools-0.9.2.ebuild vendored
View File

@ -1,11 +1,11 @@
# Copyright 1999-2018 Gentoo Foundation # Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2 # Distributed under the terms of the GNU General Public License v2
EAPI="6" EAPI="7"
MY_PN="${PN::-1}" MY_PN="${PN::-1}"
inherit eutils autotools inherit autotools toolchain-funcs
DESCRIPTION="Utilities for signing and verifying files for UEFI Secure Boot" DESCRIPTION="Utilities for signing and verifying files for UEFI Secure Boot"
HOMEPAGE="https://git.kernel.org/cgit/linux/kernel/git/jejb/sbsigntools.git/" HOMEPAGE="https://git.kernel.org/cgit/linux/kernel/git/jejb/sbsigntools.git/"
@ -14,7 +14,7 @@ SRC_URI="https://git.kernel.org/pub/scm/linux/kernel/git/jejb/${PN}.git/snapshot
LICENSE="GPL-3 LGPL-3 LGPL-2.1 CC0-1.0" LICENSE="GPL-3 LGPL-3 LGPL-2.1 CC0-1.0"
SLOT="0" SLOT="0"
KEYWORDS="amd64 arm64 ~x86" KEYWORDS="amd64 ~arm64 x86"
IUSE="" IUSE=""
RDEPEND=" RDEPEND="
@ -26,11 +26,6 @@ DEPEND="${RDEPEND}
sys-libs/binutils-libs sys-libs/binutils-libs
virtual/pkgconfig" virtual/pkgconfig"
PATCHES=(
"${FILESDIR}"/${P}-openssl-1.1.0-compat.patch
"${FILESDIR}"/openssl-3-compat.patch
)
src_prepare() { src_prepare() {
mv "${WORKDIR}"/lib/ccan "${S}"/lib || die "mv failed" mv "${WORKDIR}"/lib/ccan "${S}"/lib || die "mv failed"
rmdir "${WORKDIR}"/lib || die "rmdir failed" rmdir "${WORKDIR}"/lib || die "rmdir failed"

47
sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntools/sbsigntools-0.9.4.ebuild vendored Normal file
View File

@ -0,0 +1,47 @@
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
MY_PN="${PN::-1}"
inherit autotools toolchain-funcs
DESCRIPTION="Utilities for signing and verifying files for UEFI Secure Boot"
HOMEPAGE="https://git.kernel.org/cgit/linux/kernel/git/jejb/sbsigntools.git/"
SRC_URI="https://git.kernel.org/pub/scm/linux/kernel/git/jejb/${PN}.git/snapshot/${P}.tar.gz
https://dev.gentoo.org/~tamiko/distfiles/${MY_PN}-0.8-ccan.tar.gz"
LICENSE="GPL-3 LGPL-3 LGPL-2.1 CC0-1.0"
SLOT="0"
KEYWORDS="~amd64 ~arm64 ~x86"
IUSE=""
RDEPEND="
dev-libs/openssl:0=
sys-apps/util-linux"
DEPEND="${RDEPEND}
sys-apps/help2man
sys-boot/gnu-efi
sys-libs/binutils-libs
virtual/pkgconfig"
src_prepare() {
mv "${WORKDIR}"/lib/ccan "${S}"/lib || die "mv failed"
rmdir "${WORKDIR}"/lib || die "rmdir failed"
local iarch
case ${ARCH} in
amd64) iarch=x86_64 ;;
arm64) iarch=aarch64 ;;
ia64) iarch=ia64 ;;
x86) iarch=ia32 ;;
*) die "unsupported architecture: ${ARCH}" ;;
esac
sed -i "/^EFI_ARCH=/s:=.*:=${iarch}:" configure.ac || die
sed -i 's/-m64$/& -march=x86-64/' tests/Makefile.am || die
sed -i "/^AR /s:=.*:= $(tc-getAR):" lib/ccan/Makefile.in || die #481480
default
eautoreconf
}