Support ARM images in sbsigntool

Import the Ubuntu patchset for sbsigntool so we pick up support for
signing ARM binaries.

sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/ChangeLog

@@ -0,0 +1,33 @@
+# ChangeLog for app-crypt/sbsigntool
+# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/sbsigntool/ChangeLog,v 1.7 2014/01/14 13:55:54 ago Exp $
+
+  14 Jan 2014; Agostino Sarubbo <ago@gentoo.org> sbsigntool-0.6-r1.ebuild:
+  Stable for x86, wrt bug #495328
+
+  12 Jan 2014; Pacho Ramos <pacho@gentoo.org> sbsigntool-0.6-r1.ebuild:
+  amd64 stable, bug #495328
+
+*sbsigntool-0.6-r1 (03 Oct 2013)
+
+  03 Oct 2013; Greg Kroah-Hartman <gregkh@gentoo.org>
+  +files/0002-image.c-clear-image-variable.patch,
+  +files/0003-Fix-for-multi-sign.patch, +sbsigntool-0.6-r1.ebuild:
+  patches to fix multi-key signing, fixing bugs with new versions of UEFI
+  firmware. Taken from the openSUSE packages as the upstream Launchpad project
+  is now dead.
+
+  05 Sep 2013; Mike Frysinger <vapier@gentoo.org> sbsigntool-0.6.ebuild:
+  Fix $AR handling #481480 by Agostino Sarubbo.
+
+  28 Aug 2013; Agostino Sarubbo <ago@gentoo.org> sbsigntool-0.6.ebuild:
+  Stable for x86, wrt bug #481396
+
+  17 Aug 2013; Agostino Sarubbo <ago@gentoo.org> sbsigntool-0.6.ebuild:
+  Stable for amd64, wrt bug #481396
+
+*sbsigntool-0.6 (24 Dec 2012)
+
+  24 Dec 2012; Mike Frysinger <vapier@gentoo.org> +metadata.xml,
+  +sbsigntool-0.6.ebuild:
+  New package #444830 by Maxim Kammerer.

sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/Manifest

@@ -0,0 +1,27 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+AUX 0002-image.c-clear-image-variable.patch 822 SHA256 7877d69c0a6d014f43e1dc922db3fb503c1c3176dd2665a96f85ddfd73ed7e12 SHA512 004ba118cbe8fe5cc291888966e5994373c0b9d8149bc5c652a72971138fab5e64d721061c69e8b864d6ca5cdb4ffa193520156941b6bd9c998b256f8d72697b WHIRLPOOL 3872d97cde83e9423622f348dc50eb414f8512f95673cbf7e4b908f699455003d57711bda6bd0893f3a21b876a66ec480416bed5df52e5ecb33c00b21cbbb6c9
+AUX 0003-Fix-for-multi-sign.patch 1452 SHA256 803f97f6c01a573367371f9ffd4c53aab5916ea3218fdc515429ca559f5dad31 SHA512 2aba55a116536e7f41e4aac2fd33eeb92cf89b14bcdd8b93b6e9dc9bdaf2f0162134e56f7d365640445bf801ad8590f6d49f14cdf80b791324647067d52ae435 WHIRLPOOL a83c8dde50cf82559408be58482f73aa1c3460a63424578decfc36033b5c368f8ad219b1412a7eb0a478e91b8654e7a7392dc886a496f9efea6f12dcd2f0e379
+DIST sbsigntool_0.6.orig.tar.gz 212375 SHA256 84fb0c8f6fb1e79aa418a4f70a3139b38d5630043b28291c875f383e9b4294b8 SHA512 ed314d1cb7278cf5f27d4c3cd17f2195678419a7f9e47770429b6f95df35f7df035331e60c45970183ddd9b150a9b752f876c777929598b0525872b3255af95c WHIRLPOOL 3b86b9861f5e26586e8a9eb9bbf48adf1a12714b294f0acd605d53e37c27192006c6ecc81d31bf4f200f8e88508f38a52ef93e9e01e301c4245a11894227cecc
+EBUILD sbsigntool-0.6-r1.ebuild 1151 SHA256 639b4edebf714b1c12eafce03c53961fda89e3488b3bcd0d483c100fb0459b70 SHA512 4ceb4e52b9bedbd1c8e548b3b27a7360f1ca8a0e4dda647897d0a7b19f475ccce696ca92db1bd34a9202af5b5b8091447bfcc1d8213849fdabaa1f13ed0c7bfd WHIRLPOOL 1cc2fd6a4eadc7c6de4d39115e7f5195302a78be3ab672e2b1895a93f91167a081f43aa74d0774328b334f21f119b556241eff449a823fa36a71f813fd408f8b
+EBUILD sbsigntool-0.6.ebuild 1030 SHA256 8bc44c1f02f282908aa16e638f3d950a270b3997906055bb4d5b24b1f249bace SHA512 40f1746f5e87f8f5fda0fccd3907ee62aab3f6c0268c9cc474b2182f367cf0d28d05bfec7569a73c72c71dc7071e942a3841cac2f4dde671664cef72053ab2ff WHIRLPOOL e25a70fbadd8cded0c5daa1a28a0518bd3c13d4f182498a7c784fed88bc0972dd54a03fe4fe243eef4fdd9a1f21d3f66a9f93597a097a224f1d00ecde938cc1c
+MISC ChangeLog 1296 SHA256 e43b8ad6d0b157b04ce9d2aedbc27ace4e2d7b1d74203e431700227e6301ea74 SHA512 8e365b7d6858a39baf2bfe5f4c5f8ed48587c004801e52c1406adaef0382de780008773538954f96033c8e4e3c77cccab970f6b3c3846f0fdc7f514dfa51529a WHIRLPOOL 7bdc2c38f447adef46eb0967fb264b067b8be8c1c2423807c0549cb5d796877998aff404afebb470dfa2dcfd2bec8a30f1d25f53fda9dd22c0f4d68e273f41e8
+MISC metadata.xml 240 SHA256 060d4d570194ff567e10d66246f85d4b9fee1efb17d111aeb9f03345f6e20efd SHA512 41a5c4b9e67d814937a0524714617a059c1351a00ac12d9344373f43b41d074e24fab5598e44c8a22f1848bfa12b8fc76cd5674ca62cd1f917b3235c77721971 WHIRLPOOL da0b560d9528cfe4fcff409de2d9749cf9ae8b7a04468b42463e8097b89e152a67a0da0ea7e6db1186f852687979c2e843e487a5eb76e663717148a796aa093d
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+
+iQIcBAEBCAAGBQJS1UHrAAoJELp701BxlEWfYJMP/25zmGEaSRVtpesZ2OhvUSfp
+G+GlDZxKHCK6yq+/eOpRkm8zKnr3RomNiCN91RNYXmkmueO+FGt+Rs8r5GirVd03
+iraLslXIzlT79oft6OKdOPVKmWxtVBpdIyUJRR159J86hV5VLWHSeOLqOCN30Uhl
+JBk85iim/3/cGoJhNGrPQG/2Uv+r+90sS/kzjrpWvM7WCeY3GvOF6b4asRQf1hqI
+kbTpZtIN5t5eJb1wPXDq1MRL7upQutMCajZL5FYoYJvy5J693ZWLK2nV2ueipBAS
+a0iPd8ZWxYuc8jQlYu/DyscD+wZeoQ56bhmRzwS/3ukipBrGgUuffAcehFumGOhG
+MtZ4iCUpoBityyA/JqXmZGyLqF5JnvfGB1C7BmnW9HeMZkQ6PFFnZnft/q2c9S0x
+cS9uzgUBOLBwfbvaqRPv5iiR7w4aXjDoMZvceSgUfFwxLG5puwb+cOTyK6EybNRB
+hj+OcnqdYN9mVbNxkI4ynFcODXhtaD/di2zgG42G713iJzlXZa5DvfbaB/pRF+yy
+hJ65o3njE+1mdlsq5zLAAfRBOM/PvtUz2X8gqKgyph5rqebeXxDbbn9dOb7WKFTW
+7udikXc767F6QIEuM/1kd63q2pw1JbnbPN9mqEY8KqUcpsmPKdBeM4wzfaUuJ22D
+O7CfSgXtIT0edtHNtU6L
+=sTMV
+-----END PGP SIGNATURE-----

sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/0001-Support-openssl-1.0.2b-and-above.patch

@@ -0,0 +1,29 @@
+From 3186e24f5a46172cd771d61cdeec5e590f73743e Mon Sep 17 00:00:00 2001
+From: Steve Langasek <steve.langasek@canonical.com>
+Date: Wed, 15 Jul 2015 08:48:25 -0700
+Subject: [PATCH] Support openssl 1.0.2b and above
+
+Newer versions of openssl return a different error with alternate
+certificate chains; update for compatibility.
+
+Signed-off-by: Marc Deslauriers <marc.deslauriers@canonical.com>
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1474541
+---
+ src/sbverify.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/sbverify.c b/src/sbverify.c
+index fb03d21..35890b9 100644
+--- a/src/sbverify.c
++++ b/src/sbverify.c
+@@ -201,6 +201,7 @@ static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
+ 
+ 	/* all certs given with the --cert argument are trusted */
+ 	else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
++			err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT ||
+ 			err == X509_V_ERR_CERT_UNTRUSTED) {
+ 
+ 		if (cert_in_store(ctx->current_cert, ctx))
+-- 
+2.1.4
+

sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/Align-signature-data-to-8-bytes.patch

@@ -0,0 +1,26 @@
+From 8b6b7a9904881757254b92a928b95dfb8634605b Mon Sep 17 00:00:00 2001
+From: Steve Langasek <steve.langasek@canonical.com>
+Date: Fri, 12 Oct 2012 16:27:13 -0700
+Subject: [PATCH] Align signature data to 8 bytes
+
+Before appending the signature data to our binary, pad the file out to
+8-byte alignment.  This matches the Microsoft signing implementation, which
+enables us to use sbattach to verify the integrity of the binaries returned
+by the SysDev signing service.
+---
+ src/image.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+Index: sbsigntool-0.6/src/image.c
+===================================================================
+--- sbsigntool-0.6.orig/src/image.c
++++ sbsigntool-0.6/src/image.c
+@@ -425,6 +425,8 @@
+ 	 * we've calculated during the pecoff parsing, so we need to redo that
+ 	 * too.
+ 	 */
++	image->data_size = align_up(image->data_size, 8);
++
+ 	if (image->data_size > image->size) {
+ 		image->buf = talloc_realloc(image, image->buf, uint8_t,
+ 				image->data_size);

sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/add_corrected_efivars_magic.patch

@@ -0,0 +1,23 @@
+Index: sbsigntool/src/sbkeysync.c
+===================================================================
+--- sbsigntool.orig/src/sbkeysync.c	2013-12-03 15:45:49.007312000 +0100
++++ sbsigntool/src/sbkeysync.c	2013-12-03 15:47:47.396135699 +0100
+@@ -56,7 +56,8 @@
+ #include "efivars.h"
+ 
+ #define EFIVARS_MOUNTPOINT	"/sys/firmware/efi/efivars"
+-#define EFIVARS_FSTYPE		0x6165676C
++#define PSTORE_FSTYPE		0x6165676C
++#define EFIVARS_FSTYPE		0xde5e81e4
+ 
+ #define EFI_IMAGE_SECURITY_DATABASE_GUID \
+ 	{ 0xd719b2cb, 0x3d3a, 0x4596, \
+@@ -533,7 +534,7 @@
+ 	if (rc)
+ 		return -1;
+ 
+-	if (statbuf.f_type != EFIVARS_FSTYPE)
++	if (statbuf.f_type != EFIVARS_FSTYPE && statbuf.f_type != PSTORE_FSTYPE)
+ 		return -1;
+ 
+ 	return 0;

sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/arm-arm64-support.patch

@@ -0,0 +1,50 @@
+commit a3413e76f95472639d1b25f0564105d8bb4e2837
+Author: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date:   Tue Nov 19 09:25:32 2013 +0100
+
+    sbsigntool: add support for ARM and Aarch64 PE/COFF images
+    
+    Note that for the ARM case, we are using IMAGE_FILE_MACHINE_THUMB (0x1c2)
+    rather than IMAGE_FILE_MACHINE_ARM (0x1c0), as the latter refers to
+    an older calling convention that is incompatible with Tianocore UEFI.
+    
+    Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+
+diff --git a/src/coff/pe.h b/src/coff/pe.h
+index 3a43174..0d1036e 100644
+--- a/src/coff/pe.h
++++ b/src/coff/pe.h
+@@ -151,6 +151,7 @@
+ #define IMAGE_FILE_MACHINE_THUMB             0x01c2
+ #define IMAGE_FILE_MACHINE_TRICORE           0x0520
+ #define IMAGE_FILE_MACHINE_WCEMIPSV2         0x0169
++#define IMAGE_FILE_MACHINE_AARCH64           0xaa64
+ 
+ #define IMAGE_SUBSYSTEM_UNKNOWN			 0
+ #define IMAGE_SUBSYSTEM_NATIVE			 1
+diff --git a/src/image.c b/src/image.c
+index c30d6e3..d6e3c48 100644
+--- a/src/image.c
++++ b/src/image.c
+@@ -232,13 +232,16 @@ static int image_pecoff_parse(struct image *image)
+ 	image->opthdr.addr = image->pehdr + 1;
+ 	magic = pehdr_u16(image->pehdr->f_magic);
+ 
+-	if (magic == IMAGE_FILE_MACHINE_AMD64) {
++	switch (magic) {
++	case IMAGE_FILE_MACHINE_AMD64:
++	case IMAGE_FILE_MACHINE_AARCH64:
+ 		rc = image_pecoff_parse_64(image);
+-
+-	} else if (magic == IMAGE_FILE_MACHINE_I386) {
++		break;
++	case IMAGE_FILE_MACHINE_I386:
++	case IMAGE_FILE_MACHINE_THUMB:
+ 		rc = image_pecoff_parse_32(image);
+-
+-	} else {
++		break;
++	default:
+ 		fprintf(stderr, "Invalid PE header magic\n");
+ 		return -1;
+ 	}

sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/del-duplicate-define.patch

@@ -0,0 +1,20 @@
+commit f09bf94b29cf050e7c489d8bd771b4392b3111ea
+Author: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date:   Tue Nov 19 09:23:31 2013 +0100
+
+    sbsigntool: remove doubly defined IMAGE_FILE_MACHINE_AMD64
+    
+    Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+
+diff --git a/src/coff/pe.h b/src/coff/pe.h
+index 601a68e..3a43174 100644
+--- a/src/coff/pe.h
++++ b/src/coff/pe.h
+@@ -151,7 +151,6 @@
+ #define IMAGE_FILE_MACHINE_THUMB             0x01c2
+ #define IMAGE_FILE_MACHINE_TRICORE           0x0520
+ #define IMAGE_FILE_MACHINE_WCEMIPSV2         0x0169
+-#define IMAGE_FILE_MACHINE_AMD64             0x8664
+ 
+ #define IMAGE_SUBSYSTEM_UNKNOWN			 0
+ #define IMAGE_SUBSYSTEM_NATIVE			 1

sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/efi_arch_ia32.patch

@@ -0,0 +1,50 @@
+From ffbf59032c9dff0afc19490f012066d4bbd5a0c3 Mon Sep 17 00:00:00 2001
+From: Steve Langasek <steve.langasek@canonical.com>
+Date: Fri, 12 Oct 2012 16:48:53 -0700
+Subject: [PATCH] Use AC_CANONICAL_HOST, not uname -m, to determine target
+
+The EFI architecture should be set from the standard autoconf macros, not
+from uname -m.  Uname -m is wrong not just when cross-building, but also when
+running 32-bit userspace on a 64-bit kernel.
+
+Ref: https://bugs.launchpad.net/bugs/1066038
+---
+ configure.ac |   15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 0d8f0bb..a693d96 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -7,6 +7,8 @@ AC_PREREQ(2.60)
+ AC_CONFIG_HEADERS(config.h)
+ AC_CONFIG_SRCDIR(src/sbsign.c)
+ 
++AC_CANONICAL_HOST
++
+ AM_PROG_AS
+ AC_PROG_CC
+ AM_PROG_CC_C_O
+@@ -64,7 +66,18 @@ PKG_CHECK_MODULES(uuid, uuid,
+     AC_MSG_ERROR([libuuid (from the uuid package) is required]))
+ 
+ dnl gnu-efi headers require extra include dirs
+-EFI_ARCH=$(uname -m)
++case $host_cpu in
++	x86_64)
++		EFI_ARCH=$host_cpu
++		;;
++	i*86)
++		EFI_ARCH=ia32
++		;;
++	*)
++		AC_MSG_ERROR([unsupported EFI architecture $host_cpu])
++		;;
++esac
++
+ EFI_CPPFLAGS="-I/usr/include/efi -I/usr/include/efi/$EFI_ARCH \
+  -DEFI_FUNCTION_WRAPPER"
+ CPPFLAGS_save="$CPPFLAGS"
+-- 
+1.7.10.4
+

sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/fix-signature-padding.patch

@@ -0,0 +1,24 @@
+Description: fix calculation of the size of our signature data
+ The 'size' field of the certificate table header includes the size of the
+ header itself.  When parsing a signed file, we should therefore subtract the
+ size of this header from the field representing the size of the pkcs7 data
+ packet; otherwise when we detach (and subsequently reattach) a signature,
+ we wind up with 8 extra bytes of zeroes at the end each time.  Fixing this
+ ensures that detaching and signature and then reattaching it to the file
+ gives us back the original file.
+Author: Steve Langasek <steve.langasek@canonical.com>
+Last-Update: 2013-09-07
+
+Index: sbsigntool-0.6/src/image.c
+===================================================================
+--- sbsigntool-0.6.orig/src/image.c
++++ sbsigntool-0.6/src/image.c
+@@ -285,7 +285,7 @@
+ 	if (cert_table && cert_table->revision == CERT_TABLE_REVISION &&
+ 			cert_table->type == CERT_TABLE_TYPE_PKCS &&
+ 			cert_table->size < size) {
+-		image->sigsize = cert_table->size;
++		image->sigsize = cert_table->size - sizeof(*cert_table);
+ 		image->sigbuf = talloc_memdup(image, cert_table + 1,
+ 				image->sigsize);
+ 	}

sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/ignore-certificate-expiries.patch

@@ -0,0 +1,25 @@
+Description: ignore certificate expiries when verifying signatures
+ The UEFI implementation explicitly ignores all errors due to expired (or
+ not yet valid) signatures.  Ensure that sbverify behaves compatibly.
+Author: Steve Langasek <steve.langasek@canonical.com>
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1234649.
+Last-Update: 2013-10-03
+
+Index: sbsigntool-0.6/src/sbverify.c
+===================================================================
+--- sbsigntool-0.6.orig/src/sbverify.c
++++ sbsigntool-0.6/src/sbverify.c
+@@ -206,6 +206,13 @@
+ 		if (cert_in_store(ctx->current_cert, ctx))
+ 			status = 1;
+ 	}
++	/* UEFI doesn't care about expired signatures, so we shouldn't either. */
++	else if (err == X509_V_ERR_CERT_HAS_EXPIRED ||
++			err == X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD ||
++			err == X509_V_ERR_CERT_NOT_YET_VALID ||
++			err == X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD) {
++		status = 1;
++	}
+ 
+ 	return status;
+ }

sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/update_checksums.patch

@@ -0,0 +1,327 @@
+From: Steve Langasek <steve.langasek@canonical.com>
+
+Update the PE checksum field using the somewhat-underdocumented
+algorithm, so that we match the Microsoft implementation in our
+signature generation.
+
+Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
+
+---
+ autogen.sh  |    2 -
+ src/image.c |   59 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 60 insertions(+), 1 deletion(-)
+
+Index: sbsigntool-0.6/src/image.c
+===================================================================
+--- sbsigntool-0.6.orig/src/image.c
++++ sbsigntool-0.6/src/image.c
+@@ -38,6 +38,7 @@
+ #include <unistd.h>
+ #include <string.h>
+ 
++#include <ccan/endian/endian.h>
+ #include <ccan/talloc/talloc.h>
+ #include <ccan/read_write_all/read_write_all.h>
+ #include <ccan/build_assert/build_assert.h>
+@@ -129,6 +130,62 @@
+ 	return 0;
+ }
+ 
++static uint16_t csum_update_fold(uint16_t csum, uint16_t x)
++{
++	uint32_t new = csum + x;
++	new = (new >> 16) + (new & 0xffff);
++	return new;
++}
++
++static uint16_t csum_bytes(uint16_t checksum, void *buf, size_t len)
++{
++	unsigned int i;
++	uint16_t *p;
++
++	for (i = 0; i < len; i += sizeof(*p)) {
++		p = buf + i;
++		checksum = csum_update_fold(checksum, *p);
++	}
++
++	return checksum;
++}
++
++static void image_pecoff_update_checksum(struct image *image,
++                                        struct cert_table_header *cert_table)
++{
++	bool is_signed = image->sigsize && image->sigbuf;
++	uint32_t checksum;
++
++	/* We carefully only include the signature data in the checksum (and
++	 * in the file length) if we're outputting the signature.  Otherwise,
++	 * in case of signature removal, the signature data is in the buffer
++	 * we read in (as indicated by image->size), but we do *not* want to
++	 * checksum it.
++	 *
++	 * We also skip the 32-bits of checksum data in the PE/COFF header.
++	 */
++	checksum = csum_bytes(0, image->buf,
++			(void *)image->checksum - (void *)image->buf);
++	checksum = csum_bytes(checksum,
++			image->checksum + 1,
++			(void *)(image->buf + image->data_size) -
++			(void *)(image->checksum + 1));
++
++	if (is_signed) {
++		checksum = csum_bytes(checksum,
++				cert_table, sizeof(*cert_table));
++
++		checksum = csum_bytes(checksum, image->sigbuf, image->sigsize);
++	}
++
++	checksum += image->data_size;
++
++	if (is_signed)
++		checksum += sizeof(*cert_table) + image->sigsize;
++
++	*(image->checksum) = cpu_to_le32(checksum);
++}
++
+ static int image_pecoff_parse(struct image *image)
+ {
+ 	struct cert_table_header *cert_table;
+@@ -524,6 +581,8 @@
+ 		image->data_dir_sigtable->size = 0;
+ 	}
+ 
++	image_pecoff_update_checksum(image, &cert_table_header);
++
+ 	fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0644);
+ 	if (fd < 0) {
+ 		perror("open");
+--- /dev/null
++++ sbsigntool-0.6/lib/ccan/ccan/endian/endian.h
+@@ -0,0 +1,227 @@
++/* Licensed under LGPLv2.1+ - see LICENSE file for details */
++#ifndef CCAN_ENDIAN_H
++#define CCAN_ENDIAN_H
++#include <stdint.h>
++#include "config.h"
++
++#if HAVE_BYTESWAP_H
++#include <byteswap.h>
++#else
++/**
++ * bswap_16 - reverse bytes in a uint16_t value.
++ * @val: value whose bytes to swap.
++ *
++ * Example:
++ *	// Output contains "1024 is 4 as two bytes reversed"
++ *	printf("1024 is %u as two bytes reversed\n", bswap_16(1024));
++ */
++static inline uint16_t bswap_16(uint16_t val)
++{
++	return ((val & (uint16_t)0x00ffU) << 8)
++		| ((val & (uint16_t)0xff00U) >> 8);
++}
++
++/**
++ * bswap_32 - reverse bytes in a uint32_t value.
++ * @val: value whose bytes to swap.
++ *
++ * Example:
++ *	// Output contains "1024 is 262144 as four bytes reversed"
++ *	printf("1024 is %u as four bytes reversed\n", bswap_32(1024));
++ */
++static inline uint32_t bswap_32(uint32_t val)
++{
++	return ((val & (uint32_t)0x000000ffUL) << 24)
++		| ((val & (uint32_t)0x0000ff00UL) <<  8)
++		| ((val & (uint32_t)0x00ff0000UL) >>  8)
++		| ((val & (uint32_t)0xff000000UL) >> 24);
++}
++#endif /* !HAVE_BYTESWAP_H */
++
++#if !HAVE_BSWAP_64
++/**
++ * bswap_64 - reverse bytes in a uint64_t value.
++ * @val: value whose bytes to swap.
++ *
++ * Example:
++ *	// Output contains "1024 is 1125899906842624 as eight bytes reversed"
++ *	printf("1024 is %llu as eight bytes reversed\n",
++ *		(unsigned long long)bswap_64(1024));
++ */
++static inline uint64_t bswap_64(uint64_t val)
++{
++	return ((val & (uint64_t)0x00000000000000ffULL) << 56)
++		| ((val & (uint64_t)0x000000000000ff00ULL) << 40)
++		| ((val & (uint64_t)0x0000000000ff0000ULL) << 24)
++		| ((val & (uint64_t)0x00000000ff000000ULL) <<  8)
++		| ((val & (uint64_t)0x000000ff00000000ULL) >>  8)
++		| ((val & (uint64_t)0x0000ff0000000000ULL) >> 24)
++		| ((val & (uint64_t)0x00ff000000000000ULL) >> 40)
++		| ((val & (uint64_t)0xff00000000000000ULL) >> 56);
++}
++#endif
++
++/* Sanity check the defines.  We don't handle weird endianness. */
++#if !HAVE_LITTLE_ENDIAN && !HAVE_BIG_ENDIAN
++#error "Unknown endian"
++#elif HAVE_LITTLE_ENDIAN && HAVE_BIG_ENDIAN
++#error "Can't compile for both big and little endian."
++#endif
++
++/**
++ * cpu_to_le64 - convert a uint64_t value to little-endian
++ * @native: value to convert
++ */
++static inline uint64_t cpu_to_le64(uint64_t native)
++{
++#if HAVE_LITTLE_ENDIAN
++	return native;
++#else
++	return bswap_64(native);
++#endif
++}
++
++/**
++ * cpu_to_le32 - convert a uint32_t value to little-endian
++ * @native: value to convert
++ */
++static inline uint32_t cpu_to_le32(uint32_t native)
++{
++#if HAVE_LITTLE_ENDIAN
++	return native;
++#else
++	return bswap_32(native);
++#endif
++}
++
++/**
++ * cpu_to_le16 - convert a uint16_t value to little-endian
++ * @native: value to convert
++ */
++static inline uint16_t cpu_to_le16(uint16_t native)
++{
++#if HAVE_LITTLE_ENDIAN
++	return native;
++#else
++	return bswap_16(native);
++#endif
++}
++
++/**
++ * le64_to_cpu - convert a little-endian uint64_t value
++ * @le_val: little-endian value to convert
++ */
++static inline uint64_t le64_to_cpu(uint64_t le_val)
++{
++#if HAVE_LITTLE_ENDIAN
++	return le_val;
++#else
++	return bswap_64(le_val);
++#endif
++}
++
++/**
++ * le32_to_cpu - convert a little-endian uint32_t value
++ * @le_val: little-endian value to convert
++ */
++static inline uint32_t le32_to_cpu(uint32_t le_val)
++{
++#if HAVE_LITTLE_ENDIAN
++	return le_val;
++#else
++	return bswap_32(le_val);
++#endif
++}
++
++/**
++ * le16_to_cpu - convert a little-endian uint16_t value
++ * @le_val: little-endian value to convert
++ */
++static inline uint16_t le16_to_cpu(uint16_t le_val)
++{
++#if HAVE_LITTLE_ENDIAN
++	return le_val;
++#else
++	return bswap_16(le_val);
++#endif
++}
++
++/**
++ * cpu_to_be64 - convert a uint64_t value to big endian.
++ * @native: value to convert
++ */
++static inline uint64_t cpu_to_be64(uint64_t native)
++{
++#if HAVE_LITTLE_ENDIAN
++	return bswap_64(native);
++#else
++	return native;
++#endif
++}
++
++/**
++ * cpu_to_be32 - convert a uint32_t value to big endian.
++ * @native: value to convert
++ */
++static inline uint32_t cpu_to_be32(uint32_t native)
++{
++#if HAVE_LITTLE_ENDIAN
++	return bswap_32(native);
++#else
++	return native;
++#endif
++}
++
++/**
++ * cpu_to_be16 - convert a uint16_t value to big endian.
++ * @native: value to convert
++ */
++static inline uint16_t cpu_to_be16(uint16_t native)
++{
++#if HAVE_LITTLE_ENDIAN
++	return bswap_16(native);
++#else
++	return native;
++#endif
++}
++
++/**
++ * be64_to_cpu - convert a big-endian uint64_t value
++ * @be_val: big-endian value to convert
++ */
++static inline uint64_t be64_to_cpu(uint64_t be_val)
++{
++#if HAVE_LITTLE_ENDIAN
++	return bswap_64(be_val);
++#else
++	return be_val;
++#endif
++}
++
++/**
++ * be32_to_cpu - convert a big-endian uint32_t value
++ * @be_val: big-endian value to convert
++ */
++static inline uint32_t be32_to_cpu(uint32_t be_val)
++{
++#if HAVE_LITTLE_ENDIAN
++	return bswap_32(be_val);
++#else
++	return be_val;
++#endif
++}
++
++/**
++ * be16_to_cpu - convert a big-endian uint16_t value
++ * @be_val: big-endian value to convert
++ */
++static inline uint16_t be16_to_cpu(uint16_t be_val)
++{
++#if HAVE_LITTLE_ENDIAN
++	return bswap_16(be_val);
++#else
++	return be_val;
++#endif
++}
++
++#endif /* CCAN_ENDIAN_H */

sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/zero-sized-sections.patch

@@ -0,0 +1,81 @@
+commit 8f596c238f36723c803e45dfb1f6f817e67bc51d
+Author: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Date:   Tue Nov 19 09:24:10 2013 +0100
+
+    sbsigntool: fix handling of zero sized sections
+    
+    The loop that iterates over the PE/COFF sections correctly skips zero
+    sized sections, but still increments the loop index 'i'. This results in
+    subsequent iterations poking into unallocated memory.
+    
+    Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+
+diff --git a/src/image.c b/src/image.c
+index a34f117..c30d6e3 100644
+--- a/src/image.c
++++ b/src/image.c
+@@ -366,6 +366,7 @@ static int image_find_regions(struct image *image)
+ 	/* add COFF sections */
+ 	for (i = 0; i < image->sections; i++) {
+ 		uint32_t file_offset, file_size;
++		int n;
+ 
+ 		file_offset = pehdr_u32(image->scnhdr[i].s_scnptr);
+ 		file_size = pehdr_u32(image->scnhdr[i].s_size);
+@@ -373,39 +374,39 @@ static int image_find_regions(struct image *image)
+ 		if (!file_size)
+ 			continue;
+ 
+-		image->n_checksum_regions++;
++		n = image->n_checksum_regions++;
+ 		image->checksum_regions = talloc_realloc(image,
+ 				image->checksum_regions,
+ 				struct region,
+ 				image->n_checksum_regions);
+ 		regions = image->checksum_regions;
+ 
+-		regions[i + 3].data = buf + file_offset;
+-		regions[i + 3].size = align_up(file_size,
++		regions[n].data = buf + file_offset;
++		regions[n].size = align_up(file_size,
+ 					image->file_alignment);
+-		regions[i + 3].name = talloc_strndup(image->checksum_regions,
++		regions[n].name = talloc_strndup(image->checksum_regions,
+ 					image->scnhdr[i].s_name, 8);
+-		bytes += regions[i + 3].size;
++		bytes += regions[n].size;
+ 
+-		if (file_offset + regions[i+3].size > image->size) {
++		if (file_offset + regions[n].size > image->size) {
+ 			fprintf(stderr, "warning: file-aligned section %s "
+ 					"extends beyond end of file\n",
+-					regions[i+3].name);
++					regions[n].name);
+ 		}
+ 
+-		if (regions[i+2].data + regions[i+2].size
+-				!= regions[i+3].data) {
++		if (regions[n-1].data + regions[n-1].size
++				!= regions[n].data) {
+ 			fprintf(stderr, "warning: gap in section table:\n");
+ 			fprintf(stderr, "    %-8s: 0x%08tx - 0x%08tx,\n",
+-					regions[i+2].name,
+-					regions[i+2].data - buf,
+-					regions[i+2].data +
+-						regions[i+2].size - buf);
++					regions[n-1].name,
++					regions[n-1].data - buf,
++					regions[n-1].data +
++						regions[n-1].size - buf);
+ 			fprintf(stderr, "    %-8s: 0x%08tx - 0x%08tx,\n",
+-					regions[i+3].name,
+-					regions[i+3].data - buf,
+-					regions[i+3].data +
+-						regions[i+3].size - buf);
++					regions[n].name,
++					regions[n].data - buf,
++					regions[n].data +
++						regions[n].size - buf);
+ 
+ 
+ 			gap_warn = 1;

sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/metadata.xml

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<maintainer>
+ <email>vapier@gentoo.org</email>
+ <description>do whatever</description>
+</maintainer>
+</pkgmetadata>

sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/sbsigntool-0.6-r2.ebuild

@@ -0,0 +1,45 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/sbsigntool/sbsigntool-0.6-r1.ebuild,v 1.3 2014/01/14 13:55:54 ago Exp $
+
+EAPI="4"
+
+inherit eutils toolchain-funcs
+
+DESCRIPTION="Utilities for signing and verifying files for UEFI Secure Boot"
+HOMEPAGE="https://launchpad.net/ubuntu/+source/sbsigntool"
+SRC_URI="https://launchpad.net/ubuntu/+archive/primary/+files/${PN}_${PV}.orig.tar.gz"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="amd64 x86"
+IUSE=""
+
+RDEPEND="dev-libs/openssl
+	sys-apps/util-linux"
+DEPEND="${RDEPEND}
+	sys-apps/help2man
+	sys-boot/gnu-efi
+	virtual/pkgconfig"
+
+src_prepare() {
+	local iarch
+	case ${ARCH} in
+		ia64)  iarch=ia64 ;;
+		x86)   iarch=ia32 ;;
+		amd64) iarch=x86_64 ;;
+		*)     die "unsupported architecture: ${ARCH}" ;;
+	esac
+	sed -i "/^EFI_ARCH=/s:=.*:=${iarch}:" configure || die
+	sed -i 's/-m64$/& -march=x86-64/' tests/Makefile.in || die
+	sed -i "/^AR /s:=.*:= $(tc-getAR):" lib/ccan/Makefile.in || die #481480
+	epatch "${FILESDIR}"/Align-signature-data-to-8-bytes.patch
+	epatch "${FILESDIR}"/update_checksums.patch
+	epatch "${FILESDIR}"/fix-signature-padding.patch
+	epatch "${FILESDIR}"/ignore-certificate-expiries.patch
+	epatch "${FILESDIR}"/add_corrected_efivars_magic.patch
+	epatch "${FILESDIR}"/del-duplicate-define.patch
+	epatch "${FILESDIR}"/zero-sized-sections.patch
+	epatch "${FILESDIR}"/arm-arm64-support.patch
+	epatch "${FILESDIR}"/0001-Support-openssl-1.0.2b-and-above.patch
+}

sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/app-crypt/sbsigntool-0.6

@@ -0,0 +1,12 @@
+DEFINED_PHASES=prepare
+DEPEND=dev-libs/openssl sys-apps/util-linux sys-apps/help2man sys-boot/gnu-efi virtual/pkgconfig
+DESCRIPTION=Utilities for signing and verifying files for UEFI Secure Boot
+EAPI=4
+HOMEPAGE=https://launchpad.net/ubuntu/+source/sbsigntool
+KEYWORDS=amd64 x86
+LICENSE=GPL-3
+RDEPEND=dev-libs/openssl sys-apps/util-linux
+SLOT=0
+SRC_URI=https://launchpad.net/ubuntu/+archive/primary/+files/sbsigntool_0.6.orig.tar.gz
+_eclasses_=multilib	62927b3db3a589b0806255f3a002d5d3	toolchain-funcs	42408102d713fbad60ca21349865edb4
+_md5_=67d8413dba828ac50bc52f74898ed8ba

sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/app-crypt/sbsigntool-0.6-r1

@@ -0,0 +1,12 @@
+DEFINED_PHASES=prepare
+DEPEND=dev-libs/openssl sys-apps/util-linux sys-apps/help2man sys-boot/gnu-efi virtual/pkgconfig
+DESCRIPTION=Utilities for signing and verifying files for UEFI Secure Boot
+EAPI=4
+HOMEPAGE=https://launchpad.net/ubuntu/+source/sbsigntool
+KEYWORDS=amd64 x86
+LICENSE=GPL-3
+RDEPEND=dev-libs/openssl sys-apps/util-linux
+SLOT=0
+SRC_URI=https://launchpad.net/ubuntu/+archive/primary/+files/sbsigntool_0.6.orig.tar.gz
+_eclasses_=eutils	9fb270e417e0e83d64ca52586c4a79de	multilib	62927b3db3a589b0806255f3a002d5d3	toolchain-funcs	42408102d713fbad60ca21349865edb4
+_md5_=427c30edc6a836c466889f579e58235b