mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-12-16 14:52:24 +01:00
Code Issues Packages Projects Releases Wiki Activity

app-crypt/sbsigntool: Move back to portage-stable (as sbsigntools)

Browse Source
This commit is contained in:
David Michael 2018-10-25 18:07:46 +00:00
parent 72c4e2ce94
commit b23b3ccc9c
15 changed files with 0 additions and 781 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/ChangeLog vendored
View File

@ -1,33 +0,0 @@
# ChangeLog for app-crypt/sbsigntool
# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
# $Header: /var/cvsroot/gentoo-x86/app-crypt/sbsigntool/ChangeLog,v 1.7 2014/01/14 13:55:54 ago Exp $
14 Jan 2014; Agostino Sarubbo <ago@gentoo.org> sbsigntool-0.6-r1.ebuild:
Stable for x86, wrt bug #495328
12 Jan 2014; Pacho Ramos <pacho@gentoo.org> sbsigntool-0.6-r1.ebuild:
amd64 stable, bug #495328
*sbsigntool-0.6-r1 (03 Oct 2013)
03 Oct 2013; Greg Kroah-Hartman <gregkh@gentoo.org>
+files/0002-image.c-clear-image-variable.patch,
+files/0003-Fix-for-multi-sign.patch, +sbsigntool-0.6-r1.ebuild:
patches to fix multi-key signing, fixing bugs with new versions of UEFI
firmware. Taken from the openSUSE packages as the upstream Launchpad project
is now dead.
05 Sep 2013; Mike Frysinger <vapier@gentoo.org> sbsigntool-0.6.ebuild:
Fix $AR handling #481480 by Agostino Sarubbo.
28 Aug 2013; Agostino Sarubbo <ago@gentoo.org> sbsigntool-0.6.ebuild:
Stable for x86, wrt bug #481396
17 Aug 2013; Agostino Sarubbo <ago@gentoo.org> sbsigntool-0.6.ebuild:
Stable for amd64, wrt bug #481396
*sbsigntool-0.6 (24 Dec 2012)
24 Dec 2012; Mike Frysinger <vapier@gentoo.org> +metadata.xml,
+sbsigntool-0.6.ebuild:
New package #444830 by Maxim Kammerer.

27
sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/Manifest vendored
View File

@ -1,27 +0,0 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
AUX 0002-image.c-clear-image-variable.patch 822 SHA256 7877d69c0a6d014f43e1dc922db3fb503c1c3176dd2665a96f85ddfd73ed7e12 SHA512 004ba118cbe8fe5cc291888966e5994373c0b9d8149bc5c652a72971138fab5e64d721061c69e8b864d6ca5cdb4ffa193520156941b6bd9c998b256f8d72697b WHIRLPOOL 3872d97cde83e9423622f348dc50eb414f8512f95673cbf7e4b908f699455003d57711bda6bd0893f3a21b876a66ec480416bed5df52e5ecb33c00b21cbbb6c9
AUX 0003-Fix-for-multi-sign.patch 1452 SHA256 803f97f6c01a573367371f9ffd4c53aab5916ea3218fdc515429ca559f5dad31 SHA512 2aba55a116536e7f41e4aac2fd33eeb92cf89b14bcdd8b93b6e9dc9bdaf2f0162134e56f7d365640445bf801ad8590f6d49f14cdf80b791324647067d52ae435 WHIRLPOOL a83c8dde50cf82559408be58482f73aa1c3460a63424578decfc36033b5c368f8ad219b1412a7eb0a478e91b8654e7a7392dc886a496f9efea6f12dcd2f0e379
DIST sbsigntool_0.6.orig.tar.gz 212375 SHA256 84fb0c8f6fb1e79aa418a4f70a3139b38d5630043b28291c875f383e9b4294b8 SHA512 ed314d1cb7278cf5f27d4c3cd17f2195678419a7f9e47770429b6f95df35f7df035331e60c45970183ddd9b150a9b752f876c777929598b0525872b3255af95c WHIRLPOOL 3b86b9861f5e26586e8a9eb9bbf48adf1a12714b294f0acd605d53e37c27192006c6ecc81d31bf4f200f8e88508f38a52ef93e9e01e301c4245a11894227cecc
EBUILD sbsigntool-0.6-r1.ebuild 1151 SHA256 639b4edebf714b1c12eafce03c53961fda89e3488b3bcd0d483c100fb0459b70 SHA512 4ceb4e52b9bedbd1c8e548b3b27a7360f1ca8a0e4dda647897d0a7b19f475ccce696ca92db1bd34a9202af5b5b8091447bfcc1d8213849fdabaa1f13ed0c7bfd WHIRLPOOL 1cc2fd6a4eadc7c6de4d39115e7f5195302a78be3ab672e2b1895a93f91167a081f43aa74d0774328b334f21f119b556241eff449a823fa36a71f813fd408f8b
EBUILD sbsigntool-0.6.ebuild 1030 SHA256 8bc44c1f02f282908aa16e638f3d950a270b3997906055bb4d5b24b1f249bace SHA512 40f1746f5e87f8f5fda0fccd3907ee62aab3f6c0268c9cc474b2182f367cf0d28d05bfec7569a73c72c71dc7071e942a3841cac2f4dde671664cef72053ab2ff WHIRLPOOL e25a70fbadd8cded0c5daa1a28a0518bd3c13d4f182498a7c784fed88bc0972dd54a03fe4fe243eef4fdd9a1f21d3f66a9f93597a097a224f1d00ecde938cc1c
MISC ChangeLog 1296 SHA256 e43b8ad6d0b157b04ce9d2aedbc27ace4e2d7b1d74203e431700227e6301ea74 SHA512 8e365b7d6858a39baf2bfe5f4c5f8ed48587c004801e52c1406adaef0382de780008773538954f96033c8e4e3c77cccab970f6b3c3846f0fdc7f514dfa51529a WHIRLPOOL 7bdc2c38f447adef46eb0967fb264b067b8be8c1c2423807c0549cb5d796877998aff404afebb470dfa2dcfd2bec8a30f1d25f53fda9dd22c0f4d68e273f41e8
MISC metadata.xml 240 SHA256 060d4d570194ff567e10d66246f85d4b9fee1efb17d111aeb9f03345f6e20efd SHA512 41a5c4b9e67d814937a0524714617a059c1351a00ac12d9344373f43b41d074e24fab5598e44c8a22f1848bfa12b8fc76cd5674ca62cd1f917b3235c77721971 WHIRLPOOL da0b560d9528cfe4fcff409de2d9749cf9ae8b7a04468b42463e8097b89e152a67a0da0ea7e6db1186f852687979c2e843e487a5eb76e663717148a796aa093d
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQIcBAEBCAAGBQJS1UHrAAoJELp701BxlEWfYJMP/25zmGEaSRVtpesZ2OhvUSfp
G+GlDZxKHCK6yq+/eOpRkm8zKnr3RomNiCN91RNYXmkmueO+FGt+Rs8r5GirVd03
iraLslXIzlT79oft6OKdOPVKmWxtVBpdIyUJRR159J86hV5VLWHSeOLqOCN30Uhl
JBk85iim/3/cGoJhNGrPQG/2Uv+r+90sS/kzjrpWvM7WCeY3GvOF6b4asRQf1hqI
kbTpZtIN5t5eJb1wPXDq1MRL7upQutMCajZL5FYoYJvy5J693ZWLK2nV2ueipBAS
a0iPd8ZWxYuc8jQlYu/DyscD+wZeoQ56bhmRzwS/3ukipBrGgUuffAcehFumGOhG
MtZ4iCUpoBityyA/JqXmZGyLqF5JnvfGB1C7BmnW9HeMZkQ6PFFnZnft/q2c9S0x
cS9uzgUBOLBwfbvaqRPv5iiR7w4aXjDoMZvceSgUfFwxLG5puwb+cOTyK6EybNRB
hj+OcnqdYN9mVbNxkI4ynFcODXhtaD/di2zgG42G713iJzlXZa5DvfbaB/pRF+yy
hJ65o3njE+1mdlsq5zLAAfRBOM/PvtUz2X8gqKgyph5rqebeXxDbbn9dOb7WKFTW
7udikXc767F6QIEuM/1kd63q2pw1JbnbPN9mqEY8KqUcpsmPKdBeM4wzfaUuJ22D
O7CfSgXtIT0edtHNtU6L
=sTMV
-----END PGP SIGNATURE-----

29
sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/0001-Support-openssl-1.0.2b-and-above.patch vendored
View File

@ -1,29 +0,0 @@
From 3186e24f5a46172cd771d61cdeec5e590f73743e Mon Sep 17 00:00:00 2001
From: Steve Langasek <steve.langasek@canonical.com>
Date: Wed, 15 Jul 2015 08:48:25 -0700
Subject: [PATCH] Support openssl 1.0.2b and above
Newer versions of openssl return a different error with alternate
certificate chains; update for compatibility.
Signed-off-by: Marc Deslauriers <marc.deslauriers@canonical.com>
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1474541
---
src/sbverify.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/sbverify.c b/src/sbverify.c
index fb03d21..35890b9 100644
--- a/src/sbverify.c
+++ b/src/sbverify.c
@@ -201,6 +201,7 @@ static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
/* all certs given with the --cert argument are trusted */
else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
+ err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT ||
err == X509_V_ERR_CERT_UNTRUSTED) {
if (cert_in_store(ctx->current_cert, ctx))
--
2.1.4

26
sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/Align-signature-data-to-8-bytes.patch vendored
View File

@ -1,26 +0,0 @@
From 8b6b7a9904881757254b92a928b95dfb8634605b Mon Sep 17 00:00:00 2001
From: Steve Langasek <steve.langasek@canonical.com>
Date: Fri, 12 Oct 2012 16:27:13 -0700
Subject: [PATCH] Align signature data to 8 bytes
Before appending the signature data to our binary, pad the file out to
8-byte alignment. This matches the Microsoft signing implementation, which
enables us to use sbattach to verify the integrity of the binaries returned
by the SysDev signing service.
---
src/image.c | 2 ++
1 file changed, 2 insertions(+)
Index: sbsigntool-0.6/src/image.c
===================================================================
--- sbsigntool-0.6.orig/src/image.c
+++ sbsigntool-0.6/src/image.c
@@ -425,6 +425,8 @@
* we've calculated during the pecoff parsing, so we need to redo that
* too.
*/
+ image->data_size = align_up(image->data_size, 8);
+
if (image->data_size > image->size) {
image->buf = talloc_realloc(image, image->buf, uint8_t,
image->data_size);

23
sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/add_corrected_efivars_magic.patch vendored
View File

@ -1,23 +0,0 @@
Index: sbsigntool/src/sbkeysync.c
===================================================================
--- sbsigntool.orig/src/sbkeysync.c 2013-12-03 15:45:49.007312000 +0100
+++ sbsigntool/src/sbkeysync.c 2013-12-03 15:47:47.396135699 +0100
@@ -56,7 +56,8 @@
#include "efivars.h"
#define EFIVARS_MOUNTPOINT "/sys/firmware/efi/efivars"
-#define EFIVARS_FSTYPE 0x6165676C
+#define PSTORE_FSTYPE 0x6165676C
+#define EFIVARS_FSTYPE 0xde5e81e4
#define EFI_IMAGE_SECURITY_DATABASE_GUID \
{ 0xd719b2cb, 0x3d3a, 0x4596, \
@@ -533,7 +534,7 @@
if (rc)
return -1;
- if (statbuf.f_type != EFIVARS_FSTYPE)
+ if (statbuf.f_type != EFIVARS_FSTYPE && statbuf.f_type != PSTORE_FSTYPE)
return -1;
return 0;

50
sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/arm-arm64-support.patch vendored
View File

@ -1,50 +0,0 @@
commit a3413e76f95472639d1b25f0564105d8bb4e2837
Author: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Date: Tue Nov 19 09:25:32 2013 +0100
sbsigntool: add support for ARM and Aarch64 PE/COFF images
Note that for the ARM case, we are using IMAGE_FILE_MACHINE_THUMB (0x1c2)
rather than IMAGE_FILE_MACHINE_ARM (0x1c0), as the latter refers to
an older calling convention that is incompatible with Tianocore UEFI.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
diff --git a/src/coff/pe.h b/src/coff/pe.h
index 3a43174..0d1036e 100644
--- a/src/coff/pe.h
+++ b/src/coff/pe.h
@@ -151,6 +151,7 @@
#define IMAGE_FILE_MACHINE_THUMB 0x01c2
#define IMAGE_FILE_MACHINE_TRICORE 0x0520
#define IMAGE_FILE_MACHINE_WCEMIPSV2 0x0169
+#define IMAGE_FILE_MACHINE_AARCH64 0xaa64
#define IMAGE_SUBSYSTEM_UNKNOWN 0
#define IMAGE_SUBSYSTEM_NATIVE 1
diff --git a/src/image.c b/src/image.c
index c30d6e3..d6e3c48 100644
--- a/src/image.c
+++ b/src/image.c
@@ -232,13 +232,16 @@ static int image_pecoff_parse(struct image *image)
image->opthdr.addr = image->pehdr + 1;
magic = pehdr_u16(image->pehdr->f_magic);
- if (magic == IMAGE_FILE_MACHINE_AMD64) {
+ switch (magic) {
+ case IMAGE_FILE_MACHINE_AMD64:
+ case IMAGE_FILE_MACHINE_AARCH64:
rc = image_pecoff_parse_64(image);
-
- } else if (magic == IMAGE_FILE_MACHINE_I386) {
+ break;
+ case IMAGE_FILE_MACHINE_I386:
+ case IMAGE_FILE_MACHINE_THUMB:
rc = image_pecoff_parse_32(image);
-
- } else {
+ break;
+ default:
fprintf(stderr, "Invalid PE header magic\n");
return -1;
}

20
sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/del-duplicate-define.patch vendored
View File

@ -1,20 +0,0 @@
commit f09bf94b29cf050e7c489d8bd771b4392b3111ea
Author: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Date: Tue Nov 19 09:23:31 2013 +0100
sbsigntool: remove doubly defined IMAGE_FILE_MACHINE_AMD64
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
diff --git a/src/coff/pe.h b/src/coff/pe.h
index 601a68e..3a43174 100644
--- a/src/coff/pe.h
+++ b/src/coff/pe.h
@@ -151,7 +151,6 @@
#define IMAGE_FILE_MACHINE_THUMB 0x01c2
#define IMAGE_FILE_MACHINE_TRICORE 0x0520
#define IMAGE_FILE_MACHINE_WCEMIPSV2 0x0169
-#define IMAGE_FILE_MACHINE_AMD64 0x8664
#define IMAGE_SUBSYSTEM_UNKNOWN 0
#define IMAGE_SUBSYSTEM_NATIVE 1

50
sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/efi_arch_ia32.patch vendored
View File

@ -1,50 +0,0 @@
From ffbf59032c9dff0afc19490f012066d4bbd5a0c3 Mon Sep 17 00:00:00 2001
From: Steve Langasek <steve.langasek@canonical.com>
Date: Fri, 12 Oct 2012 16:48:53 -0700
Subject: [PATCH] Use AC_CANONICAL_HOST, not uname -m, to determine target
The EFI architecture should be set from the standard autoconf macros, not
from uname -m. Uname -m is wrong not just when cross-building, but also when
running 32-bit userspace on a 64-bit kernel.
Ref: https://bugs.launchpad.net/bugs/1066038
---
configure.ac | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 0d8f0bb..a693d96 100644
--- a/configure.ac
+++ b/configure.ac
@@ -7,6 +7,8 @@ AC_PREREQ(2.60)
AC_CONFIG_HEADERS(config.h)
AC_CONFIG_SRCDIR(src/sbsign.c)
+AC_CANONICAL_HOST
+
AM_PROG_AS
AC_PROG_CC
AM_PROG_CC_C_O
@@ -64,7 +66,18 @@ PKG_CHECK_MODULES(uuid, uuid,
AC_MSG_ERROR([libuuid (from the uuid package) is required]))
dnl gnu-efi headers require extra include dirs
-EFI_ARCH=$(uname -m)
+case $host_cpu in
+ x86_64)
+ EFI_ARCH=$host_cpu
+ ;;
+ i*86)
+ EFI_ARCH=ia32
+ ;;
+ *)
+ AC_MSG_ERROR([unsupported EFI architecture $host_cpu])
+ ;;
+esac
+
EFI_CPPFLAGS="-I/usr/include/efi -I/usr/include/efi/$EFI_ARCH \
-DEFI_FUNCTION_WRAPPER"
CPPFLAGS_save="$CPPFLAGS"
--
1.7.10.4

24
sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/fix-signature-padding.patch vendored
View File

@ -1,24 +0,0 @@
Description: fix calculation of the size of our signature data
The 'size' field of the certificate table header includes the size of the
header itself. When parsing a signed file, we should therefore subtract the
size of this header from the field representing the size of the pkcs7 data
packet; otherwise when we detach (and subsequently reattach) a signature,
we wind up with 8 extra bytes of zeroes at the end each time. Fixing this
ensures that detaching and signature and then reattaching it to the file
gives us back the original file.
Author: Steve Langasek <steve.langasek@canonical.com>
Last-Update: 2013-09-07
Index: sbsigntool-0.6/src/image.c
===================================================================
--- sbsigntool-0.6.orig/src/image.c
+++ sbsigntool-0.6/src/image.c
@@ -285,7 +285,7 @@
if (cert_table && cert_table->revision == CERT_TABLE_REVISION &&
cert_table->type == CERT_TABLE_TYPE_PKCS &&
cert_table->size < size) {
- image->sigsize = cert_table->size;
+ image->sigsize = cert_table->size - sizeof(*cert_table);
image->sigbuf = talloc_memdup(image, cert_table + 1,
image->sigsize);
}

25
sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/ignore-certificate-expiries.patch vendored
View File

@ -1,25 +0,0 @@
Description: ignore certificate expiries when verifying signatures
The UEFI implementation explicitly ignores all errors due to expired (or
not yet valid) signatures. Ensure that sbverify behaves compatibly.
Author: Steve Langasek <steve.langasek@canonical.com>
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1234649.
Last-Update: 2013-10-03
Index: sbsigntool-0.6/src/sbverify.c
===================================================================
--- sbsigntool-0.6.orig/src/sbverify.c
+++ sbsigntool-0.6/src/sbverify.c
@@ -206,6 +206,13 @@
if (cert_in_store(ctx->current_cert, ctx))
status = 1;
}
+ /* UEFI doesn't care about expired signatures, so we shouldn't either. */
+ else if (err == X509_V_ERR_CERT_HAS_EXPIRED ||
+ err == X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD ||
+ err == X509_V_ERR_CERT_NOT_YET_VALID ||
+ err == X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD) {
+ status = 1;
+ }
return status;
}

327
sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/update_checksums.patch vendored
View File

@ -1,327 +0,0 @@
From: Steve Langasek <steve.langasek@canonical.com>
Update the PE checksum field using the somewhat-underdocumented
algorithm, so that we match the Microsoft implementation in our
signature generation.
Signed-off-by: Jeremy Kerr <jeremy.kerr@canonical.com>
---
autogen.sh | 2 -
src/image.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 60 insertions(+), 1 deletion(-)
Index: sbsigntool-0.6/src/image.c
===================================================================
--- sbsigntool-0.6.orig/src/image.c
+++ sbsigntool-0.6/src/image.c
@@ -38,6 +38,7 @@
#include <unistd.h>
#include <string.h>
+#include <ccan/endian/endian.h>
#include <ccan/talloc/talloc.h>
#include <ccan/read_write_all/read_write_all.h>
#include <ccan/build_assert/build_assert.h>
@@ -129,6 +130,62 @@
return 0;
}
+static uint16_t csum_update_fold(uint16_t csum, uint16_t x)
+{
+ uint32_t new = csum + x;
+ new = (new >> 16) + (new & 0xffff);
+ return new;
+}
+
+static uint16_t csum_bytes(uint16_t checksum, void *buf, size_t len)
+{
+ unsigned int i;
+ uint16_t *p;
+
+ for (i = 0; i < len; i += sizeof(*p)) {
+ p = buf + i;
+ checksum = csum_update_fold(checksum, *p);
+ }
+
+ return checksum;
+}
+
+static void image_pecoff_update_checksum(struct image *image,
+ struct cert_table_header *cert_table)
+{
+ bool is_signed = image->sigsize && image->sigbuf;
+ uint32_t checksum;
+
+ /* We carefully only include the signature data in the checksum (and
+ * in the file length) if we're outputting the signature. Otherwise,
+ * in case of signature removal, the signature data is in the buffer
+ * we read in (as indicated by image->size), but we do *not* want to
+ * checksum it.
+ *
+ * We also skip the 32-bits of checksum data in the PE/COFF header.
+ */
+ checksum = csum_bytes(0, image->buf,
+ (void *)image->checksum - (void *)image->buf);
+ checksum = csum_bytes(checksum,
+ image->checksum + 1,
+ (void *)(image->buf + image->data_size) -
+ (void *)(image->checksum + 1));
+
+ if (is_signed) {
+ checksum = csum_bytes(checksum,
+ cert_table, sizeof(*cert_table));
+
+ checksum = csum_bytes(checksum, image->sigbuf, image->sigsize);
+ }
+
+ checksum += image->data_size;
+
+ if (is_signed)
+ checksum += sizeof(*cert_table) + image->sigsize;
+
+ *(image->checksum) = cpu_to_le32(checksum);
+}
+
static int image_pecoff_parse(struct image *image)
{
struct cert_table_header *cert_table;
@@ -524,6 +581,8 @@
image->data_dir_sigtable->size = 0;
}
+ image_pecoff_update_checksum(image, &cert_table_header);
+
fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0644);
if (fd < 0) {
perror("open");
--- /dev/null
+++ sbsigntool-0.6/lib/ccan/ccan/endian/endian.h
@@ -0,0 +1,227 @@
+/* Licensed under LGPLv2.1+ - see LICENSE file for details */
+#ifndef CCAN_ENDIAN_H
+#define CCAN_ENDIAN_H
+#include <stdint.h>
+#include "config.h"
+
+#if HAVE_BYTESWAP_H
+#include <byteswap.h>
+#else
+/**
+ * bswap_16 - reverse bytes in a uint16_t value.
+ * @val: value whose bytes to swap.
+ *
+ * Example:
+ * // Output contains "1024 is 4 as two bytes reversed"
+ * printf("1024 is %u as two bytes reversed\n", bswap_16(1024));
+ */
+static inline uint16_t bswap_16(uint16_t val)
+{
+ return ((val & (uint16_t)0x00ffU) << 8)
+ | ((val & (uint16_t)0xff00U) >> 8);
+}
+
+/**
+ * bswap_32 - reverse bytes in a uint32_t value.
+ * @val: value whose bytes to swap.
+ *
+ * Example:
+ * // Output contains "1024 is 262144 as four bytes reversed"
+ * printf("1024 is %u as four bytes reversed\n", bswap_32(1024));
+ */
+static inline uint32_t bswap_32(uint32_t val)
+{
+ return ((val & (uint32_t)0x000000ffUL) << 24)
+ | ((val & (uint32_t)0x0000ff00UL) << 8)
+ | ((val & (uint32_t)0x00ff0000UL) >> 8)
+ | ((val & (uint32_t)0xff000000UL) >> 24);
+}
+#endif /* !HAVE_BYTESWAP_H */
+
+#if !HAVE_BSWAP_64
+/**
+ * bswap_64 - reverse bytes in a uint64_t value.
+ * @val: value whose bytes to swap.
+ *
+ * Example:
+ * // Output contains "1024 is 1125899906842624 as eight bytes reversed"
+ * printf("1024 is %llu as eight bytes reversed\n",
+ * (unsigned long long)bswap_64(1024));
+ */
+static inline uint64_t bswap_64(uint64_t val)
+{
+ return ((val & (uint64_t)0x00000000000000ffULL) << 56)
+ | ((val & (uint64_t)0x000000000000ff00ULL) << 40)
+ | ((val & (uint64_t)0x0000000000ff0000ULL) << 24)
+ | ((val & (uint64_t)0x00000000ff000000ULL) << 8)
+ | ((val & (uint64_t)0x000000ff00000000ULL) >> 8)
+ | ((val & (uint64_t)0x0000ff0000000000ULL) >> 24)
+ | ((val & (uint64_t)0x00ff000000000000ULL) >> 40)
+ | ((val & (uint64_t)0xff00000000000000ULL) >> 56);
+}
+#endif
+
+/* Sanity check the defines. We don't handle weird endianness. */
+#if !HAVE_LITTLE_ENDIAN && !HAVE_BIG_ENDIAN
+#error "Unknown endian"
+#elif HAVE_LITTLE_ENDIAN && HAVE_BIG_ENDIAN
+#error "Can't compile for both big and little endian."
+#endif
+
+/**
+ * cpu_to_le64 - convert a uint64_t value to little-endian
+ * @native: value to convert
+ */
+static inline uint64_t cpu_to_le64(uint64_t native)
+{
+#if HAVE_LITTLE_ENDIAN
+ return native;
+#else
+ return bswap_64(native);
+#endif
+}
+
+/**
+ * cpu_to_le32 - convert a uint32_t value to little-endian
+ * @native: value to convert
+ */
+static inline uint32_t cpu_to_le32(uint32_t native)
+{
+#if HAVE_LITTLE_ENDIAN
+ return native;
+#else
+ return bswap_32(native);
+#endif
+}
+
+/**
+ * cpu_to_le16 - convert a uint16_t value to little-endian
+ * @native: value to convert
+ */
+static inline uint16_t cpu_to_le16(uint16_t native)
+{
+#if HAVE_LITTLE_ENDIAN
+ return native;
+#else
+ return bswap_16(native);
+#endif
+}
+
+/**
+ * le64_to_cpu - convert a little-endian uint64_t value
+ * @le_val: little-endian value to convert
+ */
+static inline uint64_t le64_to_cpu(uint64_t le_val)
+{
+#if HAVE_LITTLE_ENDIAN
+ return le_val;
+#else
+ return bswap_64(le_val);
+#endif
+}
+
+/**
+ * le32_to_cpu - convert a little-endian uint32_t value
+ * @le_val: little-endian value to convert
+ */
+static inline uint32_t le32_to_cpu(uint32_t le_val)
+{
+#if HAVE_LITTLE_ENDIAN
+ return le_val;
+#else
+ return bswap_32(le_val);
+#endif
+}
+
+/**
+ * le16_to_cpu - convert a little-endian uint16_t value
+ * @le_val: little-endian value to convert
+ */
+static inline uint16_t le16_to_cpu(uint16_t le_val)
+{
+#if HAVE_LITTLE_ENDIAN
+ return le_val;
+#else
+ return bswap_16(le_val);
+#endif
+}
+
+/**
+ * cpu_to_be64 - convert a uint64_t value to big endian.
+ * @native: value to convert
+ */
+static inline uint64_t cpu_to_be64(uint64_t native)
+{
+#if HAVE_LITTLE_ENDIAN
+ return bswap_64(native);
+#else
+ return native;
+#endif
+}
+
+/**
+ * cpu_to_be32 - convert a uint32_t value to big endian.
+ * @native: value to convert
+ */
+static inline uint32_t cpu_to_be32(uint32_t native)
+{
+#if HAVE_LITTLE_ENDIAN
+ return bswap_32(native);
+#else
+ return native;
+#endif
+}
+
+/**
+ * cpu_to_be16 - convert a uint16_t value to big endian.
+ * @native: value to convert
+ */
+static inline uint16_t cpu_to_be16(uint16_t native)
+{
+#if HAVE_LITTLE_ENDIAN
+ return bswap_16(native);
+#else
+ return native;
+#endif
+}
+
+/**
+ * be64_to_cpu - convert a big-endian uint64_t value
+ * @be_val: big-endian value to convert
+ */
+static inline uint64_t be64_to_cpu(uint64_t be_val)
+{
+#if HAVE_LITTLE_ENDIAN
+ return bswap_64(be_val);
+#else
+ return be_val;
+#endif
+}
+
+/**
+ * be32_to_cpu - convert a big-endian uint32_t value
+ * @be_val: big-endian value to convert
+ */
+static inline uint32_t be32_to_cpu(uint32_t be_val)
+{
+#if HAVE_LITTLE_ENDIAN
+ return bswap_32(be_val);
+#else
+ return be_val;
+#endif
+}
+
+/**
+ * be16_to_cpu - convert a big-endian uint16_t value
+ * @be_val: big-endian value to convert
+ */
+static inline uint16_t be16_to_cpu(uint16_t be_val)
+{
+#if HAVE_LITTLE_ENDIAN
+ return bswap_16(be_val);
+#else
+ return be_val;
+#endif
+}
+
+#endif /* CCAN_ENDIAN_H */

81
sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/files/zero-sized-sections.patch vendored
View File

@ -1,81 +0,0 @@
commit 8f596c238f36723c803e45dfb1f6f817e67bc51d
Author: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Date: Tue Nov 19 09:24:10 2013 +0100
sbsigntool: fix handling of zero sized sections
The loop that iterates over the PE/COFF sections correctly skips zero
sized sections, but still increments the loop index 'i'. This results in
subsequent iterations poking into unallocated memory.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
diff --git a/src/image.c b/src/image.c
index a34f117..c30d6e3 100644
--- a/src/image.c
+++ b/src/image.c
@@ -366,6 +366,7 @@ static int image_find_regions(struct image *image)
/* add COFF sections */
for (i = 0; i < image->sections; i++) {
uint32_t file_offset, file_size;
+ int n;
file_offset = pehdr_u32(image->scnhdr[i].s_scnptr);
file_size = pehdr_u32(image->scnhdr[i].s_size);
@@ -373,39 +374,39 @@ static int image_find_regions(struct image *image)
if (!file_size)
continue;
- image->n_checksum_regions++;
+ n = image->n_checksum_regions++;
image->checksum_regions = talloc_realloc(image,
image->checksum_regions,
struct region,
image->n_checksum_regions);
regions = image->checksum_regions;
- regions[i + 3].data = buf + file_offset;
- regions[i + 3].size = align_up(file_size,
+ regions[n].data = buf + file_offset;
+ regions[n].size = align_up(file_size,
image->file_alignment);
- regions[i + 3].name = talloc_strndup(image->checksum_regions,
+ regions[n].name = talloc_strndup(image->checksum_regions,
image->scnhdr[i].s_name, 8);
- bytes += regions[i + 3].size;
+ bytes += regions[n].size;
- if (file_offset + regions[i+3].size > image->size) {
+ if (file_offset + regions[n].size > image->size) {
fprintf(stderr, "warning: file-aligned section %s "
"extends beyond end of file\n",
- regions[i+3].name);
+ regions[n].name);
}
- if (regions[i+2].data + regions[i+2].size
- != regions[i+3].data) {
+ if (regions[n-1].data + regions[n-1].size
+ != regions[n].data) {
fprintf(stderr, "warning: gap in section table:\n");
fprintf(stderr, " %-8s: 0x%08tx - 0x%08tx,\n",
- regions[i+2].name,
- regions[i+2].data - buf,
- regions[i+2].data +
- regions[i+2].size - buf);
+ regions[n-1].name,
+ regions[n-1].data - buf,
+ regions[n-1].data +
+ regions[n-1].size - buf);
fprintf(stderr, " %-8s: 0x%08tx - 0x%08tx,\n",
- regions[i+3].name,
- regions[i+3].data - buf,
- regions[i+3].data +
- regions[i+3].size - buf);
+ regions[n].name,
+ regions[n].data - buf,
+ regions[n].data +
+ regions[n].size - buf);
gap_warn = 1;

8
sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/metadata.xml vendored
View File

@ -1,8 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer>
<email>vapier@gentoo.org</email>
<description>do whatever</description>
</maintainer>
</pkgmetadata>

46
sdk_container/src/third_party/coreos-overlay/app-crypt/sbsigntool/sbsigntool-0.6-r3.ebuild vendored
View File

@ -1,46 +0,0 @@
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/app-crypt/sbsigntool/sbsigntool-0.6-r1.ebuild,v 1.3 2014/01/14 13:55:54 ago Exp $
EAPI="4"
inherit eutils toolchain-funcs
DESCRIPTION="Utilities for signing and verifying files for UEFI Secure Boot"
HOMEPAGE="https://launchpad.net/ubuntu/+source/sbsigntool"
SRC_URI="https://launchpad.net/ubuntu/+archive/primary/+files/${PN}_${PV}.orig.tar.gz"
LICENSE="GPL-3"
SLOT="0"
KEYWORDS="amd64 x86"
IUSE=""
RDEPEND="dev-libs/openssl
sys-apps/util-linux"
DEPEND="${RDEPEND}
sys-apps/help2man
sys-boot/gnu-efi
sys-libs/binutils-libs
virtual/pkgconfig"
src_prepare() {
local iarch
case ${ARCH} in
ia64) iarch=ia64 ;;
x86) iarch=ia32 ;;
amd64) iarch=x86_64 ;;
*) die "unsupported architecture: ${ARCH}" ;;
esac
sed -i "/^EFI_ARCH=/s:=.*:=${iarch}:" configure || die
sed -i 's/-m64$/& -march=x86-64/' tests/Makefile.in || die
sed -i "/^AR /s:=.*:= $(tc-getAR):" lib/ccan/Makefile.in || die #481480
epatch "${FILESDIR}"/Align-signature-data-to-8-bytes.patch
epatch "${FILESDIR}"/update_checksums.patch
epatch "${FILESDIR}"/fix-signature-padding.patch
epatch "${FILESDIR}"/ignore-certificate-expiries.patch
epatch "${FILESDIR}"/add_corrected_efivars_magic.patch
epatch "${FILESDIR}"/del-duplicate-define.patch
epatch "${FILESDIR}"/zero-sized-sections.patch
epatch "${FILESDIR}"/arm-arm64-support.patch
epatch "${FILESDIR}"/0001-Support-openssl-1.0.2b-and-above.patch
}

12
sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/app-crypt/sbsigntool-0.6-r3 vendored
View File

@ -1,12 +0,0 @@
DEFINED_PHASES=prepare
DEPEND=dev-libs/openssl sys-apps/util-linux sys-apps/help2man sys-boot/gnu-efi sys-libs/binutils-libs virtual/pkgconfig
DESCRIPTION=Utilities for signing and verifying files for UEFI Secure Boot
EAPI=4
HOMEPAGE=https://launchpad.net/ubuntu/+source/sbsigntool
KEYWORDS=amd64 x86
LICENSE=GPL-3
RDEPEND=dev-libs/openssl sys-apps/util-linux
SLOT=0
SRC_URI=https://launchpad.net/ubuntu/+archive/primary/+files/sbsigntool_0.6.orig.tar.gz
_eclasses_=desktop b1d22ac8bdd4679ab79c71aca235009d epatch a1bf4756dba418a7238f3be0cb010c54 estack 43ddf5aaffa7a8d0482df54d25a66a1f eutils 6e6c2737b59a4b982de6fb3ecefd87f8 ltprune 08f9e1d9ee0af8f5d9a7854efbcd8c0e multilib b2f01ad412baf81650c23fcf0975fa33 preserve-libs ef207dc62baddfddfd39a164d9797648 toolchain-funcs f164325a2cdb5b3ea39311d483988861 vcs-clean 2a0f74a496fa2b1552c4f3398258b7bf
_md5_=29dbea59b5513ac7d26a7a79244fe42f