diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/ChangeLog b/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/ChangeLog new file mode 100644 index 0000000000..d2e116e052 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/ChangeLog @@ -0,0 +1,33 @@ +# ChangeLog for app-crypt/sbsigntool +# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2 +# $Header: /var/cvsroot/gentoo-x86/app-crypt/sbsigntool/ChangeLog,v 1.7 2014/01/14 13:55:54 ago Exp $ + + 14 Jan 2014; Agostino Sarubbo sbsigntool-0.6-r1.ebuild: + Stable for x86, wrt bug #495328 + + 12 Jan 2014; Pacho Ramos sbsigntool-0.6-r1.ebuild: + amd64 stable, bug #495328 + +*sbsigntool-0.6-r1 (03 Oct 2013) + + 03 Oct 2013; Greg Kroah-Hartman + +files/0002-image.c-clear-image-variable.patch, + +files/0003-Fix-for-multi-sign.patch, +sbsigntool-0.6-r1.ebuild: + patches to fix multi-key signing, fixing bugs with new versions of UEFI + firmware. Taken from the openSUSE packages as the upstream Launchpad project + is now dead. + + 05 Sep 2013; Mike Frysinger sbsigntool-0.6.ebuild: + Fix $AR handling #481480 by Agostino Sarubbo. + + 28 Aug 2013; Agostino Sarubbo sbsigntool-0.6.ebuild: + Stable for x86, wrt bug #481396 + + 17 Aug 2013; Agostino Sarubbo sbsigntool-0.6.ebuild: + Stable for amd64, wrt bug #481396 + +*sbsigntool-0.6 (24 Dec 2012) + + 24 Dec 2012; Mike Frysinger +metadata.xml, + +sbsigntool-0.6.ebuild: + New package #444830 by Maxim Kammerer. diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/Manifest b/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/Manifest new file mode 100644 index 0000000000..27e0890209 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/Manifest 
@@ -0,0 +1,27 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA256 + +AUX 0002-image.c-clear-image-variable.patch 822 SHA256 7877d69c0a6d014f43e1dc922db3fb503c1c3176dd2665a96f85ddfd73ed7e12 SHA512 004ba118cbe8fe5cc291888966e5994373c0b9d8149bc5c652a72971138fab5e64d721061c69e8b864d6ca5cdb4ffa193520156941b6bd9c998b256f8d72697b WHIRLPOOL 3872d97cde83e9423622f348dc50eb414f8512f95673cbf7e4b908f699455003d57711bda6bd0893f3a21b876a66ec480416bed5df52e5ecb33c00b21cbbb6c9 +AUX 0003-Fix-for-multi-sign.patch 1452 SHA256 803f97f6c01a573367371f9ffd4c53aab5916ea3218fdc515429ca559f5dad31 SHA512 2aba55a116536e7f41e4aac2fd33eeb92cf89b14bcdd8b93b6e9dc9bdaf2f0162134e56f7d365640445bf801ad8590f6d49f14cdf80b791324647067d52ae435 WHIRLPOOL a83c8dde50cf82559408be58482f73aa1c3460a63424578decfc36033b5c368f8ad219b1412a7eb0a478e91b8654e7a7392dc886a496f9efea6f12dcd2f0e379 +DIST sbsigntool_0.6.orig.tar.gz 212375 SHA256 84fb0c8f6fb1e79aa418a4f70a3139b38d5630043b28291c875f383e9b4294b8 SHA512 ed314d1cb7278cf5f27d4c3cd17f2195678419a7f9e47770429b6f95df35f7df035331e60c45970183ddd9b150a9b752f876c777929598b0525872b3255af95c WHIRLPOOL 3b86b9861f5e26586e8a9eb9bbf48adf1a12714b294f0acd605d53e37c27192006c6ecc81d31bf4f200f8e88508f38a52ef93e9e01e301c4245a11894227cecc +EBUILD sbsigntool-0.6-r1.ebuild 1151 SHA256 639b4edebf714b1c12eafce03c53961fda89e3488b3bcd0d483c100fb0459b70 SHA512 4ceb4e52b9bedbd1c8e548b3b27a7360f1ca8a0e4dda647897d0a7b19f475ccce696ca92db1bd34a9202af5b5b8091447bfcc1d8213849fdabaa1f13ed0c7bfd WHIRLPOOL 1cc2fd6a4eadc7c6de4d39115e7f5195302a78be3ab672e2b1895a93f91167a081f43aa74d0774328b334f21f119b556241eff449a823fa36a71f813fd408f8b +EBUILD sbsigntool-0.6.ebuild 1030 SHA256 8bc44c1f02f282908aa16e638f3d950a270b3997906055bb4d5b24b1f249bace SHA512 40f1746f5e87f8f5fda0fccd3907ee62aab3f6c0268c9cc474b2182f367cf0d28d05bfec7569a73c72c71dc7071e942a3841cac2f4dde671664cef72053ab2ff WHIRLPOOL 
e25a70fbadd8cded0c5daa1a28a0518bd3c13d4f182498a7c784fed88bc0972dd54a03fe4fe243eef4fdd9a1f21d3f66a9f93597a097a224f1d00ecde938cc1c +MISC ChangeLog 1296 SHA256 e43b8ad6d0b157b04ce9d2aedbc27ace4e2d7b1d74203e431700227e6301ea74 SHA512 8e365b7d6858a39baf2bfe5f4c5f8ed48587c004801e52c1406adaef0382de780008773538954f96033c8e4e3c77cccab970f6b3c3846f0fdc7f514dfa51529a WHIRLPOOL 7bdc2c38f447adef46eb0967fb264b067b8be8c1c2423807c0549cb5d796877998aff404afebb470dfa2dcfd2bec8a30f1d25f53fda9dd22c0f4d68e273f41e8 +MISC metadata.xml 240 SHA256 060d4d570194ff567e10d66246f85d4b9fee1efb17d111aeb9f03345f6e20efd SHA512 41a5c4b9e67d814937a0524714617a059c1351a00ac12d9344373f43b41d074e24fab5598e44c8a22f1848bfa12b8fc76cd5674ca62cd1f917b3235c77721971 WHIRLPOOL da0b560d9528cfe4fcff409de2d9749cf9ae8b7a04468b42463e8097b89e152a67a0da0ea7e6db1186f852687979c2e843e487a5eb76e663717148a796aa093d +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v2.0.22 (GNU/Linux) + +iQIcBAEBCAAGBQJS1UHrAAoJELp701BxlEWfYJMP/25zmGEaSRVtpesZ2OhvUSfp +G+GlDZxKHCK6yq+/eOpRkm8zKnr3RomNiCN91RNYXmkmueO+FGt+Rs8r5GirVd03 +iraLslXIzlT79oft6OKdOPVKmWxtVBpdIyUJRR159J86hV5VLWHSeOLqOCN30Uhl +JBk85iim/3/cGoJhNGrPQG/2Uv+r+90sS/kzjrpWvM7WCeY3GvOF6b4asRQf1hqI +kbTpZtIN5t5eJb1wPXDq1MRL7upQutMCajZL5FYoYJvy5J693ZWLK2nV2ueipBAS +a0iPd8ZWxYuc8jQlYu/DyscD+wZeoQ56bhmRzwS/3ukipBrGgUuffAcehFumGOhG +MtZ4iCUpoBityyA/JqXmZGyLqF5JnvfGB1C7BmnW9HeMZkQ6PFFnZnft/q2c9S0x +cS9uzgUBOLBwfbvaqRPv5iiR7w4aXjDoMZvceSgUfFwxLG5puwb+cOTyK6EybNRB +hj+OcnqdYN9mVbNxkI4ynFcODXhtaD/di2zgG42G713iJzlXZa5DvfbaB/pRF+yy +hJ65o3njE+1mdlsq5zLAAfRBOM/PvtUz2X8gqKgyph5rqebeXxDbbn9dOb7WKFTW +7udikXc767F6QIEuM/1kd63q2pw1JbnbPN9mqEY8KqUcpsmPKdBeM4wzfaUuJ22D +O7CfSgXtIT0edtHNtU6L +=sTMV +-----END PGP SIGNATURE----- 
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/0001-Support-openssl-1.0.2b-and-above.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/0001-Support-openssl-1.0.2b-and-above.patch new file mode 100644 index 0000000000..ec75501948 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/0001-Support-openssl-1.0.2b-and-above.patch @@ -0,0 +1,29 @@ +From 3186e24f5a46172cd771d61cdeec5e590f73743e Mon Sep 17 00:00:00 2001 +From: Steve Langasek +Date: Wed, 15 Jul 2015 08:48:25 -0700 +Subject: [PATCH] Support openssl 1.0.2b and above + +Newer versions of openssl return a different error with alternate +certificate chains; update for compatibility. + +Signed-off-by: Marc Deslauriers +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1474541 +--- + src/sbverify.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/sbverify.c b/src/sbverify.c +index fb03d21..35890b9 100644 +--- a/src/sbverify.c ++++ b/src/sbverify.c +@@ -201,6 +201,7 @@ static int x509_verify_cb(int status, X509_STORE_CTX *ctx) + + /* all certs given with the --cert argument are trusted */ + else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY || ++ err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT || + err == X509_V_ERR_CERT_UNTRUSTED) { + + if (cert_in_store(ctx->current_cert, ctx)) +-- +2.1.4 + diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/Align-signature-data-to-8-bytes.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/Align-signature-data-to-8-bytes.patch new file mode 100644 index 0000000000..accd832ce7 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/Align-signature-data-to-8-bytes.patch 
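Review bot: The comment above the extended condition, `/* all certs given with the --cert argument are trusted */`, no longer explains why three different verify errors are handled alike, and it does not say that acceptance still depends on `cert_in_store()`. I would expand it, for example `/* a cert passed with --cert is a trust anchor even if its own issuer is unknown; OpenSSL reports that under any of these codes, and cert_in_store() must still match */`. Separately, the subject says "and above", but the context line reads `ctx->current_cert` directly, which only compiles while `X509_STORE_CTX` is a public struct; `X509_STORE_CTX_get_current_cert(ctx)` is the accessor that works on both sides of that change. The body of x509_verify_cb starts and ends outside the hunk.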
@@ -0,0 +1,26 @@ +From 8b6b7a9904881757254b92a928b95dfb8634605b Mon Sep 17 00:00:00 2001 +From: Steve Langasek +Date: Fri, 12 Oct 2012 16:27:13 -0700 +Subject: [PATCH] Align signature data to 8 bytes + +Before appending the signature data to our binary, pad the file out to +8-byte alignment. This matches the Microsoft signing implementation, which +enables us to use sbattach to verify the integrity of the binaries returned +by the SysDev signing service. +--- + src/image.c | 2 ++ + 1 file changed, 2 insertions(+) + +Index: sbsigntool-0.6/src/image.c +=================================================================== +--- sbsigntool-0.6.orig/src/image.c ++++ sbsigntool-0.6/src/image.c +@@ -425,6 +425,8 @@ + * we've calculated during the pecoff parsing, so we need to redo that + * too. + */ ++ image->data_size = align_up(image->data_size, 8); ++ + if (image->data_size > image->size) { + image->buf = talloc_realloc(image, image->buf, uint8_t, + image->data_size); diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/add_corrected_efivars_magic.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/add_corrected_efivars_magic.patch new file mode 100644 index 0000000000..8973227328 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/add_corrected_efivars_magic.patch 
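Review bot: The added `image->data_size = align_up(image->data_size, 8);` has no comment, and the bare `8` is the only place the alignment requirement appears in the code. A short comment such as `/* signature table must start 8-byte aligned, as the Microsoft signer does */` would keep the reason next to the line. The hunk also does not show what fills the new padding: `talloc_realloc` does not zero the extended area, and when `image->size` already covers the rounded-up size no reallocation happens at all, so it is worth confirming that the bytes between the old and new `data_size` are explicitly zeroed before they are hashed or written. The enclosing function starts and ends outside the hunk.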
@@ -0,0 +1,23 @@ +Index: sbsigntool/src/sbkeysync.c +=================================================================== +--- sbsigntool.orig/src/sbkeysync.c 2013-12-03 15:45:49.007312000 +0100 ++++ sbsigntool/src/sbkeysync.c 2013-12-03 15:47:47.396135699 +0100 +@@ -56,7 +56,8 @@ + #include "efivars.h" + + #define EFIVARS_MOUNTPOINT "/sys/firmware/efi/efivars" +-#define EFIVARS_FSTYPE 0x6165676C ++#define PSTORE_FSTYPE 0x6165676C ++#define EFIVARS_FSTYPE 0xde5e81e4 + + #define EFI_IMAGE_SECURITY_DATABASE_GUID \ + { 0xd719b2cb, 0x3d3a, 0x4596, \ +@@ -533,7 +534,7 @@ + if (rc) + return -1; + +- if (statbuf.f_type != EFIVARS_FSTYPE) ++ if (statbuf.f_type != EFIVARS_FSTYPE && statbuf.f_type != PSTORE_FSTYPE) + return -1; + + return 0; diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/arm-arm64-support.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/arm-arm64-support.patch new file mode 100644 index 0000000000..6a137c4f27 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/arm-arm64-support.patch @@ -0,0 +1,50 @@ +commit a3413e76f95472639d1b25f0564105d8bb4e2837 +Author: Ard Biesheuvel +Date: Tue Nov 19 09:25:32 2013 +0100 + + sbsigntool: add support for ARM and Aarch64 PE/COFF images + + Note that for the ARM case, we are using IMAGE_FILE_MACHINE_THUMB (0x1c2) + rather than IMAGE_FILE_MACHINE_ARM (0x1c0), as the latter refers to + an older calling convention that is incompatible with Tianocore UEFI. + + 
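Review bot: The second hunk now accepts a filesystem whose `f_type` is `PSTORE_FSTYPE` at `EFIVARS_MOUNTPOINT`, and nothing in the patch says why a pstore magic is acceptable for a tool that writes Secure Boot key variables. If the intent is compatibility with kernels that reported the old value for efivarfs (the previous `EFIVARS_FSTYPE` definition suggests this), say so above the defines, e.g. `/* older kernels reported the pstore magic for efivarfs; accept both */`. Naming the constant for that purpose, for instance `EFIVARS_FSTYPE_LEGACY`, would keep the check from reading as "any pstore mount will do". The function containing the check is not fully visible in the hunk.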
Signed-off-by: Ard Biesheuvel + +diff --git a/src/coff/pe.h b/src/coff/pe.h +index 3a43174..0d1036e 100644 +--- a/src/coff/pe.h ++++ b/src/coff/pe.h +@@ -151,6 +151,7 @@ + #define IMAGE_FILE_MACHINE_THUMB 0x01c2 + #define IMAGE_FILE_MACHINE_TRICORE 0x0520 + #define IMAGE_FILE_MACHINE_WCEMIPSV2 0x0169 ++#define IMAGE_FILE_MACHINE_AARCH64 0xaa64 + + #define IMAGE_SUBSYSTEM_UNKNOWN 0 + #define IMAGE_SUBSYSTEM_NATIVE 1 +diff --git a/src/image.c b/src/image.c +index c30d6e3..d6e3c48 100644 +--- a/src/image.c ++++ b/src/image.c +@@ -232,13 +232,16 @@ static int image_pecoff_parse(struct image *image) + image->opthdr.addr = image->pehdr + 1; + magic = pehdr_u16(image->pehdr->f_magic); + +- if (magic == IMAGE_FILE_MACHINE_AMD64) { ++ switch (magic) { ++ case IMAGE_FILE_MACHINE_AMD64: ++ case IMAGE_FILE_MACHINE_AARCH64: + rc = image_pecoff_parse_64(image); +- +- } else if (magic == IMAGE_FILE_MACHINE_I386) { ++ break; ++ case IMAGE_FILE_MACHINE_I386: ++ case IMAGE_FILE_MACHINE_THUMB: + rc = image_pecoff_parse_32(image); +- +- } else { ++ break; ++ default: + fprintf(stderr, "Invalid PE header magic\n"); + return -1; + } diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/del-duplicate-define.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/del-duplicate-define.patch new file mode 100644 index 0000000000..23c8c0e312 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/del-duplicate-define.patch @@ -0,0 +1,20 @@ +commit f09bf94b29cf050e7c489d8bd771b4392b3111ea +Author: Ard Biesheuvel +Date: Tue Nov 19 09:23:31 2013 +0100 + + sbsigntool: remove doubly defined IMAGE_FILE_MACHINE_AMD64 + + 
Signed-off-by: Ard Biesheuvel + +diff --git a/src/coff/pe.h b/src/coff/pe.h +index 601a68e..3a43174 100644 +--- a/src/coff/pe.h ++++ b/src/coff/pe.h +@@ -151,7 +151,6 @@ + #define IMAGE_FILE_MACHINE_THUMB 0x01c2 + #define IMAGE_FILE_MACHINE_TRICORE 0x0520 + #define IMAGE_FILE_MACHINE_WCEMIPSV2 0x0169 +-#define IMAGE_FILE_MACHINE_AMD64 0x8664 + + #define IMAGE_SUBSYSTEM_UNKNOWN 0 + #define IMAGE_SUBSYSTEM_NATIVE 1 diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/efi_arch_ia32.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/efi_arch_ia32.patch new file mode 100644 index 0000000000..e07f50d247 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/efi_arch_ia32.patch 
@@ -0,0 +1,50 @@ +From ffbf59032c9dff0afc19490f012066d4bbd5a0c3 Mon Sep 17 00:00:00 2001 +From: Steve Langasek +Date: Fri, 12 Oct 2012 16:48:53 -0700 +Subject: [PATCH] Use AC_CANONICAL_HOST, not uname -m, to determine target + +The EFI architecture should be set from the standard autoconf macros, not +from uname -m. Uname -m is wrong not just when cross-building, but also when +running 32-bit userspace on a 64-bit kernel. + +Ref: https://bugs.launchpad.net/bugs/1066038 +--- + configure.ac | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index 0d8f0bb..a693d96 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -7,6 +7,8 @@ AC_PREREQ(2.60) + AC_CONFIG_HEADERS(config.h) + AC_CONFIG_SRCDIR(src/sbsign.c) + ++AC_CANONICAL_HOST ++ + AM_PROG_AS + AC_PROG_CC + AM_PROG_CC_C_O +@@ -64,7 +66,18 @@ PKG_CHECK_MODULES(uuid, uuid, + AC_MSG_ERROR([libuuid (from the uuid package) is required])) + + dnl gnu-efi headers require extra include dirs +-EFI_ARCH=$(uname -m) ++case $host_cpu in ++ x86_64) ++ EFI_ARCH=$host_cpu ++ ;; ++ i*86) ++ EFI_ARCH=ia32 ++ ;; ++ *) ++ AC_MSG_ERROR([unsupported EFI architecture $host_cpu]) ++ ;; ++esac ++ + EFI_CPPFLAGS="-I/usr/include/efi -I/usr/include/efi/$EFI_ARCH \ + -DEFI_FUNCTION_WRAPPER" + CPPFLAGS_save="$CPPFLAGS" +-- +1.7.10.4 + diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/fix-signature-padding.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/fix-signature-padding.patch new file mode 100644 index 0000000000..5028cd4c86 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/fix-signature-padding.patch 
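Review bot: Nothing in this change applies efi_arch_ia32.patch: the `src_prepare` of sbsigntool-0.6-r2.ebuild makes nine `epatch` calls and this file is not among them, and the ebuild sets `EFI_ARCH` with `sed` on the generated `configure` instead. As added, the file is unused, and a later maintainer may assume it is in effect. Either drop it, or apply it and regenerate the build system, since it edits `configure.ac` and not `configure`. If it is kept, note that its `case $host_cpu` accepts only `x86_64` and `i*86`, which would reject the ARM targets that arm-arm64-support.patch is meant to enable.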
@@ -0,0 +1,24 @@ +Description: fix calculation of the size of our signature data + The 'size' field of the certificate table header includes the size of the + header itself. When parsing a signed file, we should therefore subtract the + size of this header from the field representing the size of the pkcs7 data + packet; otherwise when we detach (and subsequently reattach) a signature, + we wind up with 8 extra bytes of zeroes at the end each time. Fixing this + ensures that detaching and signature and then reattaching it to the file + gives us back the original file. +Author: Steve Langasek +Last-Update: 2013-09-07 + +Index: sbsigntool-0.6/src/image.c +=================================================================== +--- sbsigntool-0.6.orig/src/image.c ++++ sbsigntool-0.6/src/image.c +@@ -285,7 +285,7 @@ + if (cert_table && cert_table->revision == CERT_TABLE_REVISION && + cert_table->type == CERT_TABLE_TYPE_PKCS && + cert_table->size < size) { +- image->sigsize = cert_table->size; ++ image->sigsize = cert_table->size - sizeof(*cert_table); + image->sigbuf = talloc_memdup(image, cert_table + 1, + image->sigsize); + } diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/ignore-certificate-expiries.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/ignore-certificate-expiries.patch new file mode 100644 index 0000000000..b27e0cbeb4 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/ignore-certificate-expiries.patch 
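Review bot: The new `cert_table->size - sizeof(*cert_table)` can wrap when a file declares a certificate-table size smaller than the header, because the guard above it only checks the upper bound (`cert_table->size < size`). The wrapped `image->sigsize` is then passed straight to `talloc_memdup(image, cert_table + 1, image->sigsize)`, and this parser runs on images that have not been verified yet. Adding a lower bound to the existing condition closes it: `cert_table->size >= sizeof(*cert_table) &&`. The surrounding function starts and ends outside the hunk, so any earlier validation of the size field is not visible here.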
@@ -0,0 +1,25 @@ +Description: ignore certificate expiries when verifying signatures + The UEFI implementation explicitly ignores all errors due to expired (or + not yet valid) signatures. Ensure that sbverify behaves compatibly. +Author: Steve Langasek +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1234649. +Last-Update: 2013-10-03 + +Index: sbsigntool-0.6/src/sbverify.c +=================================================================== +--- sbsigntool-0.6.orig/src/sbverify.c ++++ sbsigntool-0.6/src/sbverify.c +@@ -206,6 +206,13 @@ + if (cert_in_store(ctx->current_cert, ctx)) + status = 1; + } ++ /* UEFI doesn't care about expired signatures, so we shouldn't either. */ ++ else if (err == X509_V_ERR_CERT_HAS_EXPIRED || ++ err == X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD || ++ err == X509_V_ERR_CERT_NOT_YET_VALID || ++ err == X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD) { ++ status = 1; ++ } + + return status; + } diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/update_checksums.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/update_checksums.patch new file mode 100644 index 0000000000..3ffdd503b9 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/update_checksums.patch 
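Review bot: The new branch sets `status = 1` for four error codes, but only `X509_V_ERR_CERT_HAS_EXPIRED` and `X509_V_ERR_CERT_NOT_YET_VALID` mean the certificate is outside its validity window; `X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD` and `X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD` report a malformed time field, which the description does not cover. Unless firmware behaviour for malformed fields has been confirmed, I would drop those two from the condition. The override is also silent and applies to every certificate in the chain, so a passing sbverify run no longer tells the operator that validity was ignored; a line such as `fprintf(stderr, "warning: ignoring certificate validity period\n");` before `status = 1;` keeps that visible. x509_verify_cb starts outside the hunk.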
@@ -0,0 +1,327 @@ +From: Steve Langasek + +Update the PE checksum field using the somewhat-underdocumented +algorithm, so that we match the Microsoft implementation in our +signature generation. + +Signed-off-by: Jeremy Kerr + +--- + autogen.sh | 2 - + src/image.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 60 insertions(+), 1 deletion(-) + +Index: sbsigntool-0.6/src/image.c +=================================================================== +--- sbsigntool-0.6.orig/src/image.c ++++ sbsigntool-0.6/src/image.c +@@ -38,6 +38,7 @@ + #include + #include + ++#include + #include + #include + #include +@@ -129,6 +130,62 @@ + return 0; + } + ++static uint16_t csum_update_fold(uint16_t csum, uint16_t x) ++{ ++ uint32_t new = csum + x; ++ new = (new >> 16) + (new & 0xffff); ++ return new; ++} ++ ++static uint16_t csum_bytes(uint16_t checksum, void *buf, size_t len) ++{ ++ unsigned int i; ++ uint16_t *p; ++ ++ for (i = 0; i < len; i += sizeof(*p)) { ++ p = buf + i; ++ checksum = csum_update_fold(checksum, *p); ++ } ++ ++ return checksum; ++} ++ ++static void image_pecoff_update_checksum(struct image *image, ++ struct cert_table_header *cert_table) ++{ ++ bool is_signed = image->sigsize && image->sigbuf; ++ uint32_t checksum; ++ ++ /* We carefully only include the signature data in the checksum (and ++ * in the file length) if we're outputting the signature. Otherwise, ++ * in case of signature removal, the signature data is in the buffer ++ * we read in (as indicated by image->size), but we do *not* want to ++ * checksum it. ++ * ++ * We also skip the 32-bits of checksum data in the PE/COFF header. 
++ */ ++ checksum = csum_bytes(0, image->buf, ++ (void *)image->checksum - (void *)image->buf); ++ checksum = csum_bytes(checksum, ++ image->checksum + 1, ++ (void *)(image->buf + image->data_size) - ++ (void *)(image->checksum + 1)); ++ ++ if (is_signed) { ++ checksum = csum_bytes(checksum, ++ cert_table, sizeof(*cert_table)); ++ ++ checksum = csum_bytes(checksum, image->sigbuf, image->sigsize); ++ } ++ ++ checksum += image->data_size; ++ ++ if (is_signed) ++ checksum += sizeof(*cert_table) + image->sigsize; ++ ++ *(image->checksum) = cpu_to_le32(checksum); ++} ++ + static int image_pecoff_parse(struct image *image) + { + struct cert_table_header *cert_table; +@@ -524,6 +581,8 @@ + image->data_dir_sigtable->size = 0; + } + ++ image_pecoff_update_checksum(image, &cert_table_header); ++ + fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0644); + if (fd < 0) { + perror("open"); +--- /dev/null ++++ sbsigntool-0.6/lib/ccan/ccan/endian/endian.h +@@ -0,0 +1,227 @@ ++/* Licensed under LGPLv2.1+ - see LICENSE file for details */ ++#ifndef CCAN_ENDIAN_H ++#define CCAN_ENDIAN_H ++#include ++#include "config.h" ++ ++#if HAVE_BYTESWAP_H ++#include ++#else ++/** ++ * bswap_16 - reverse bytes in a uint16_t value. ++ * @val: value whose bytes to swap. ++ * ++ * Example: ++ * // Output contains "1024 is 4 as two bytes reversed" ++ * printf("1024 is %u as two bytes reversed\n", bswap_16(1024)); ++ */ ++static inline uint16_t bswap_16(uint16_t val) ++{ ++ return ((val & (uint16_t)0x00ffU) << 8) ++ | ((val & (uint16_t)0xff00U) >> 8); ++} ++ ++/** ++ * bswap_32 - reverse bytes in a uint32_t value. ++ * @val: value whose bytes to swap. 
++ * ++ * Example: ++ * // Output contains "1024 is 262144 as four bytes reversed" ++ * printf("1024 is %u as four bytes reversed\n", bswap_32(1024)); ++ */ ++static inline uint32_t bswap_32(uint32_t val) ++{ ++ return ((val & (uint32_t)0x000000ffUL) << 24) ++ | ((val & (uint32_t)0x0000ff00UL) << 8) ++ | ((val & (uint32_t)0x00ff0000UL) >> 8) ++ | ((val & (uint32_t)0xff000000UL) >> 24); ++} ++#endif /* !HAVE_BYTESWAP_H */ ++ ++#if !HAVE_BSWAP_64 ++/** ++ * bswap_64 - reverse bytes in a uint64_t value. ++ * @val: value whose bytes to swap. ++ * ++ * Example: ++ * // Output contains "1024 is 1125899906842624 as eight bytes reversed" ++ * printf("1024 is %llu as eight bytes reversed\n", ++ * (unsigned long long)bswap_64(1024)); ++ */ ++static inline uint64_t bswap_64(uint64_t val) ++{ ++ return ((val & (uint64_t)0x00000000000000ffULL) << 56) ++ | ((val & (uint64_t)0x000000000000ff00ULL) << 40) ++ | ((val & (uint64_t)0x0000000000ff0000ULL) << 24) ++ | ((val & (uint64_t)0x00000000ff000000ULL) << 8) ++ | ((val & (uint64_t)0x000000ff00000000ULL) >> 8) ++ | ((val & (uint64_t)0x0000ff0000000000ULL) >> 24) ++ | ((val & (uint64_t)0x00ff000000000000ULL) >> 40) ++ | ((val & (uint64_t)0xff00000000000000ULL) >> 56); ++} ++#endif ++ ++/* Sanity check the defines. We don't handle weird endianness. */ ++#if !HAVE_LITTLE_ENDIAN && !HAVE_BIG_ENDIAN ++#error "Unknown endian" ++#elif HAVE_LITTLE_ENDIAN && HAVE_BIG_ENDIAN ++#error "Can't compile for both big and little endian." 
++#endif ++ ++/** ++ * cpu_to_le64 - convert a uint64_t value to little-endian ++ * @native: value to convert ++ */ ++static inline uint64_t cpu_to_le64(uint64_t native) ++{ ++#if HAVE_LITTLE_ENDIAN ++ return native; ++#else ++ return bswap_64(native); ++#endif ++} ++ ++/** ++ * cpu_to_le32 - convert a uint32_t value to little-endian ++ * @native: value to convert ++ */ ++static inline uint32_t cpu_to_le32(uint32_t native) ++{ ++#if HAVE_LITTLE_ENDIAN ++ return native; ++#else ++ return bswap_32(native); ++#endif ++} ++ ++/** ++ * cpu_to_le16 - convert a uint16_t value to little-endian ++ * @native: value to convert ++ */ ++static inline uint16_t cpu_to_le16(uint16_t native) ++{ ++#if HAVE_LITTLE_ENDIAN ++ return native; ++#else ++ return bswap_16(native); ++#endif ++} ++ ++/** ++ * le64_to_cpu - convert a little-endian uint64_t value ++ * @le_val: little-endian value to convert ++ */ ++static inline uint64_t le64_to_cpu(uint64_t le_val) ++{ ++#if HAVE_LITTLE_ENDIAN ++ return le_val; ++#else ++ return bswap_64(le_val); ++#endif ++} ++ ++/** ++ * le32_to_cpu - convert a little-endian uint32_t value ++ * @le_val: little-endian value to convert ++ */ ++static inline uint32_t le32_to_cpu(uint32_t le_val) ++{ ++#if HAVE_LITTLE_ENDIAN ++ return le_val; ++#else ++ return bswap_32(le_val); ++#endif ++} ++ ++/** ++ * le16_to_cpu - convert a little-endian uint16_t value ++ * @le_val: little-endian value to convert ++ */ ++static inline uint16_t le16_to_cpu(uint16_t le_val) ++{ ++#if HAVE_LITTLE_ENDIAN ++ return le_val; ++#else ++ return bswap_16(le_val); ++#endif ++} ++ ++/** ++ * cpu_to_be64 - convert a uint64_t value to big endian. ++ * @native: value to convert ++ */ ++static inline uint64_t cpu_to_be64(uint64_t native) ++{ ++#if HAVE_LITTLE_ENDIAN ++ return bswap_64(native); ++#else ++ return native; ++#endif ++} ++ ++/** ++ * cpu_to_be32 - convert a uint32_t value to big endian. 
++ * @native: value to convert ++ */ ++static inline uint32_t cpu_to_be32(uint32_t native) ++{ ++#if HAVE_LITTLE_ENDIAN ++ return bswap_32(native); ++#else ++ return native; ++#endif ++} ++ ++/** ++ * cpu_to_be16 - convert a uint16_t value to big endian. ++ * @native: value to convert ++ */ ++static inline uint16_t cpu_to_be16(uint16_t native) ++{ ++#if HAVE_LITTLE_ENDIAN ++ return bswap_16(native); ++#else ++ return native; ++#endif ++} ++ ++/** ++ * be64_to_cpu - convert a big-endian uint64_t value ++ * @be_val: big-endian value to convert ++ */ ++static inline uint64_t be64_to_cpu(uint64_t be_val) ++{ ++#if HAVE_LITTLE_ENDIAN ++ return bswap_64(be_val); ++#else ++ return be_val; ++#endif ++} ++ ++/** ++ * be32_to_cpu - convert a big-endian uint32_t value ++ * @be_val: big-endian value to convert ++ */ ++static inline uint32_t be32_to_cpu(uint32_t be_val) ++{ ++#if HAVE_LITTLE_ENDIAN ++ return bswap_32(be_val); ++#else ++ return be_val; ++#endif ++} ++ ++/** ++ * be16_to_cpu - convert a big-endian uint16_t value ++ * @be_val: big-endian value to convert ++ */ ++static inline uint16_t be16_to_cpu(uint16_t be_val) ++{ ++#if HAVE_LITTLE_ENDIAN ++ return bswap_16(be_val); ++#else ++ return be_val; ++#endif ++} ++ ++#endif /* CCAN_ENDIAN_H */ diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/zero-sized-sections.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/zero-sized-sections.patch new file mode 100644 index 0000000000..c9e265b889 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/zero-sized-sections.patch 
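Review bot: `csum_bytes()` reads a full `uint16_t` on every step while the loop only tests `i < len`, so an odd `len` reads one byte past the buffer; `image->sigsize` is the length of the PKCS#7 blob and nothing visible guarantees it is even. The same loop dereferences `buf + i` as a host-endian, possibly unaligned `uint16_t`, which gives a different checksum on a big-endian build even though the result is stored with `cpu_to_le32()`. Reading bytes and assembling the little-endian word by hand addresses all three. The rewrite below pads a trailing odd byte with zero, which I believe matches the reference algorithm but should be confirmed, and it is only correct when the odd-length buffer is the last one summed (the signature is, in `image_pecoff_update_checksum`).

```c
static uint16_t csum_bytes(uint16_t checksum, void *buf, size_t len)
{
	const uint8_t *bytes = buf;
	size_t i;

	/* sum little-endian 16-bit words without relying on host
	 * byte order or alignment */
	for (i = 0; i + 1 < len; i += 2)
		checksum = csum_update_fold(checksum,
				bytes[i] | (bytes[i + 1] << 8));

	/* odd trailing byte: treat the missing high byte as zero */
	if (i < len)
		checksum = csum_update_fold(checksum, bytes[i]);

	return checksum;
}
```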
@@ -0,0 +1,81 @@ +commit 8f596c238f36723c803e45dfb1f6f817e67bc51d +Author: Ard Biesheuvel +Date: Tue Nov 19 09:24:10 2013 +0100 + + sbsigntool: fix handling of zero sized sections + + The loop that iterates over the PE/COFF sections correctly skips zero + sized sections, but still increments the loop index 'i'. This results in + subsequent iterations poking into unallocated memory. + + 
Signed-off-by: Ard Biesheuvel + +diff --git a/src/image.c b/src/image.c +index a34f117..c30d6e3 100644 +--- a/src/image.c ++++ b/src/image.c +@@ -366,6 +366,7 @@ static int image_find_regions(struct image *image) + /* add COFF sections */ + for (i = 0; i < image->sections; i++) { + uint32_t file_offset, file_size; ++ int n; + + file_offset = pehdr_u32(image->scnhdr[i].s_scnptr); + file_size = pehdr_u32(image->scnhdr[i].s_size); +@@ -373,39 +374,39 @@ static int image_find_regions(struct image *image) + if (!file_size) + continue; + +- image->n_checksum_regions++; ++ n = image->n_checksum_regions++; + image->checksum_regions = talloc_realloc(image, + image->checksum_regions, + struct region, + image->n_checksum_regions); + regions = image->checksum_regions; + +- regions[i + 3].data = buf + file_offset; +- regions[i + 3].size = align_up(file_size, ++ regions[n].data = buf + file_offset; ++ regions[n].size = align_up(file_size, + image->file_alignment); +- regions[i + 3].name = talloc_strndup(image->checksum_regions, ++ regions[n].name = talloc_strndup(image->checksum_regions, + image->scnhdr[i].s_name, 8); +- bytes += regions[i + 3].size; ++ bytes += regions[n].size; + +- if (file_offset + regions[i+3].size > image->size) { ++ if (file_offset + regions[n].size > image->size) { + fprintf(stderr, "warning: file-aligned section %s " + "extends beyond end of file\n", +- regions[i+3].name); ++ regions[n].name); + } + +- if (regions[i+2].data + regions[i+2].size +- != regions[i+3].data) { ++ if (regions[n-1].data + regions[n-1].size ++ != regions[n].data) { + fprintf(stderr, "warning: gap in section table:\n"); + fprintf(stderr, " %-8s: 0x%08tx - 0x%08tx,\n", +- regions[i+2].name, +- regions[i+2].data - buf, +- regions[i+2].data + +- regions[i+2].size - buf); ++ regions[n-1].name, ++ regions[n-1].data - buf, ++ regions[n-1].data + ++ regions[n-1].size - buf); + fprintf(stderr, " %-8s: 0x%08tx - 0x%08tx,\n", +- regions[i+3].name, +- regions[i+3].data - buf, +- 
regions[i+3].data + +- regions[i+3].size - buf); ++ regions[n].name, ++ regions[n].data - buf, ++ regions[n].data + ++ regions[n].size - buf); + + + gap_warn = 1; diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/metadata.xml b/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/metadata.xml new file mode 100644 index 0000000000..0947421cbd --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/metadata.xml @@ -0,0 +1,8 @@ + + + + + vapier@gentoo.org + do whatever + + diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/sbsigntool-0.6-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/sbsigntool-0.6-r2.ebuild new file mode 100644 index 0000000000..97ad7279cf --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/sbsigntool-0.6-r2.ebuild 
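Review bot: The rewritten bounds check, `if (file_offset + regions[n].size > image->size)`, only prints a warning, and if `regions[n].size` is 32 bits wide like `file_offset` a crafted section header can make the sum wrap and skip even that; either way the region stays recorded with `regions[n].data = buf + file_offset`. Whether later code re-validates the regions is outside this hunk, but since this loop prepares the hashing of an untrusted image I would compare without the addition and fail on an offset outside the file: `if (file_offset > image->size) return -1;`, then `if (regions[n].size > image->size - file_offset)` for the existing warning. The `regions[n-1]` accesses also depend on at least one region existing before the loop; the old `i + 2` indexing implies three are set up earlier, and a one-line comment on `int n;` saying so would help. image_find_regions begins and ends outside the hunk.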
@@ -0,0 +1,45 @@ +# Copyright 1999-2014 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/app-crypt/sbsigntool/sbsigntool-0.6-r1.ebuild,v 1.3 2014/01/14 13:55:54 ago Exp $ + +EAPI="4" + +inherit eutils toolchain-funcs + +DESCRIPTION="Utilities for signing and verifying files for UEFI Secure Boot" +HOMEPAGE="https://launchpad.net/ubuntu/+source/sbsigntool" +SRC_URI="https://launchpad.net/ubuntu/+archive/primary/+files/${PN}_${PV}.orig.tar.gz" + +LICENSE="GPL-3" +SLOT="0" +KEYWORDS="amd64 x86" +IUSE="" + +RDEPEND="dev-libs/openssl + sys-apps/util-linux" +DEPEND="${RDEPEND} + sys-apps/help2man + sys-boot/gnu-efi + virtual/pkgconfig" + +src_prepare() { + local iarch + case ${ARCH} in + ia64) iarch=ia64 ;; + x86) iarch=ia32 ;; + amd64) iarch=x86_64 ;; + *) die "unsupported architecture: ${ARCH}" ;; + esac + sed -i "/^EFI_ARCH=/s:=.*:=${iarch}:" configure || die + sed -i 's/-m64$/& -march=x86-64/' tests/Makefile.in || die + sed -i "/^AR /s:=.*:= $(tc-getAR):" lib/ccan/Makefile.in || die #481480 + epatch "${FILESDIR}"/Align-signature-data-to-8-bytes.patch + epatch "${FILESDIR}"/update_checksums.patch + epatch "${FILESDIR}"/fix-signature-padding.patch + epatch "${FILESDIR}"/ignore-certificate-expiries.patch + epatch "${FILESDIR}"/add_corrected_efivars_magic.patch + epatch "${FILESDIR}"/del-duplicate-define.patch + epatch "${FILESDIR}"/zero-sized-sections.patch + epatch "${FILESDIR}"/arm-arm64-support.patch + epatch "${FILESDIR}"/0001-Support-openssl-1.0.2b-and-above.patch +} diff --git a/sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/app-crypt/sbsigntool-0.6 b/sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/app-crypt/sbsigntool-0.6 new file mode 100644 index 0000000000..64c4caef38 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/app-crypt/sbsigntool-0.6 
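Review bot: None of the nine files this `src_prepare` feeds to `epatch` appears in the PGP-signed Manifest added in the same change, which lists only `0002-image.c-clear-image-variable.patch` and `0003-Fix-for-multi-sign.patch` as AUX entries and the `-r1` and plain `0.6` ebuilds, not `sbsigntool-0.6-r2.ebuild`. For a tool that signs Secure Boot images, the patches that relax certificate checking should be covered by whatever integrity mechanism the overlay relies on. If the overlay uses thin manifests and only the DIST line matters, dropping the stale signed entries would avoid implying coverage that is not there. The `$Header` line and the md5-cache entries also still refer to `-r1`, which suggests the ebuild was copied without regenerating metadata.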
@@ -0,0 +1,12 @@ +DEFINED_PHASES=prepare +DEPEND=dev-libs/openssl sys-apps/util-linux sys-apps/help2man sys-boot/gnu-efi virtual/pkgconfig +DESCRIPTION=Utilities for signing and verifying files for UEFI Secure Boot +EAPI=4 +HOMEPAGE=https://launchpad.net/ubuntu/+source/sbsigntool +KEYWORDS=amd64 x86 +LICENSE=GPL-3 +RDEPEND=dev-libs/openssl sys-apps/util-linux +SLOT=0 +SRC_URI=https://launchpad.net/ubuntu/+archive/primary/+files/sbsigntool_0.6.orig.tar.gz +_eclasses_=multilib 62927b3db3a589b0806255f3a002d5d3 toolchain-funcs 42408102d713fbad60ca21349865edb4 +_md5_=67d8413dba828ac50bc52f74898ed8ba diff --git a/sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/app-crypt/sbsigntool-0.6-r1 b/sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/app-crypt/sbsigntool-0.6-r1 new file mode 100644 index 0000000000..f4ba473f90 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/app-crypt/sbsigntool-0.6-r1 @@ -0,0 +1,12 @@ +DEFINED_PHASES=prepare +DEPEND=dev-libs/openssl sys-apps/util-linux sys-apps/help2man sys-boot/gnu-efi virtual/pkgconfig +DESCRIPTION=Utilities for signing and verifying files for UEFI Secure Boot +EAPI=4 +HOMEPAGE=https://launchpad.net/ubuntu/+source/sbsigntool +KEYWORDS=amd64 x86 +LICENSE=GPL-3 +RDEPEND=dev-libs/openssl sys-apps/util-linux +SLOT=0 +SRC_URI=https://launchpad.net/ubuntu/+archive/primary/+files/sbsigntool_0.6.orig.tar.gz +_eclasses_=eutils 9fb270e417e0e83d64ca52586c4a79de multilib 62927b3db3a589b0806255f3a002d5d3 toolchain-funcs 42408102d713fbad60ca21349865edb4 +_md5_=427c30edc6a836c466889f579e58235b