app-crypt/efitools: Drop in favour of app-emulation/virt-firmware

virt-fw-vars handles X.509 conversion and QCOW2 conversion transparently
and can update all the variables in a single invocation.

Bonus: Asking it to list the variables doesn't cause a segfault due to
the feature not really being implemented. :D

The 00000000-0000-0000-0000-000000000000 owner GUID is what flash-var
used to set, as we didn't specify the -g argument. We don't need to set
a meaningful value as this file is only for testing.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
This commit is contained in:
James Le Cuirot 2024-10-01 16:26:13 +01:00
parent 86ebb70552
commit bcd203ebcb
No known key found for this signature in database
GPG Key ID: 1226415D00DD3137
9 changed files with 15 additions and 303 deletions


@ -117,7 +117,6 @@ app-containers/runc
app-crypt/adcli
app-crypt/argon2
app-crypt/ccid
app-crypt/efitools
app-crypt/gnupg
app-crypt/gpgme
app-crypt/libb2


@ -816,13 +816,12 @@ _write_qemu_conf() {
}
_write_qemu_uefi_conf() {
local flash_ro="$(_dst_name "_efi_code.fd")"
local flash_rw="$(_dst_name "_efi_vars.fd")"
local script="$(_dst_dir)/$(_dst_name ".sh")"
_write_qemu_conf
local flash_ro="$(_dst_name "_efi_code.fd")"
local flash_rw="$(_dst_name "_efi_vars.fd")"
case $BOARD in
amd64-usr)
cp "/usr/share/edk2-ovmf/OVMF_CODE.fd" "$(_dst_dir)/${flash_ro}"
@ -861,15 +860,18 @@ _write_qemu_uefi_secure_conf() {
local flash_rw="$(_dst_name "_efi_vars.fd")"
local flash_ro="$(_dst_name "_efi_code.fd")"
local script="$(_dst_dir)/$(_dst_name ".sh")"
local owner="00000000-0000-0000-0000-000000000000"
_write_qemu_uefi_conf
cp "/usr/share/edk2-ovmf/OVMF_CODE.secboot.fd" "$(_dst_dir)/${flash_ro}"
cert-to-efi-sig-list "/usr/share/sb_keys/PK.crt" "${VM_TMP_DIR}/PK.esl"
cert-to-efi-sig-list "/usr/share/sb_keys/KEK.crt" "${VM_TMP_DIR}/KEK.esl"
cert-to-efi-sig-list "/usr/share/sb_keys/DB.crt" "${VM_TMP_DIR}/DB.esl"
flash-var "$(_dst_dir)/${flash_rw}" "PK" "${VM_TMP_DIR}/PK.esl"
flash-var "$(_dst_dir)/${flash_rw}" "KEK" "${VM_TMP_DIR}/KEK.esl"
flash-var "$(_dst_dir)/${flash_rw}" "db" "${VM_TMP_DIR}/DB.esl"
virt-fw-vars \
--inplace "$(_dst_dir)/${flash_rw}" \
--set-pk "${owner}" /usr/share/sb_keys/PK.crt \
--add-kek "${owner}" /usr/share/sb_keys/KEK.crt \
--add-db "${owner}" /usr/share/sb_keys/DB.crt \
--secure-boot --no-microsoft
sed -e "s%^SECURE_BOOT=.*%SECURE_BOOT=1%" -i "${script}"
}
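Review bot: The virt-fw-vars invocation at the end of _write_qemu_uefi_secure_conf has no failure check, so if it exits non-zero (unreadable vars image, missing certificate under /usr/share/sb_keys) the following sed still flips `SECURE_BOOT=1` and the VM is configured for Secure Boot against a vars file that never received the PK/KEK/db entries; unless this script runs under `set -e`, append an explicit check such as `--secure-boot --no-microsoft || return 1` (or the script's usual error helper, if it has one). The removed flash-var calls had the same gap, so this is a carry-over rather than a regression, but a single invocation makes it cheap to close now. The commit message explains the owner GUID while the code does not, so a comment above the `local owner=` line would help: `# Arbitrary owner GUID: flash-var used to set the nil GUID and this vars image is only for testing.` A similar one-liner on `--no-microsoft` stating that Microsoft's keys are deliberately not enrolled, so presumably only the sb_keys certificates end up trusted, would save the next reader a trip to the manual. The function's opening line is outside the hunk.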


@ -17,9 +17,9 @@ DEPEND="
app-admin/sudo
app-admin/updateservicectl
app-arch/pbzip2
app-crypt/efitools
app-crypt/sbsigntools
app-emulation/open-vmdk
app-emulation/virt-firmware
app-eselect/eselect-python
app-misc/jq
app-shells/bash-completion


@ -53,8 +53,10 @@
# The only available ebuild (from GURU) has ~amd64 and no keyword for arm64 yet.
=app-crypt/clevis-19-r1 **
# Needed in SDK for Secure Boot.
=app-emulation/virt-firmware-24.7 ~amd64 ~arm64
# Needed by arm64-native SDK.
=app-crypt/efitools-1.9.2-r1 ~arm64
=app-emulation/open-vmdk-1.0 *
# Keep versions on both arches in sync.
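Review bot: The `# Needed by arm64-native SDK.` comment appears to lose its subject: it described the efitools entry removed right below it, and if it was not deleted together with that entry it now sits above `=app-emulation/open-vmdk-1.0 *`, which is keyworded for both arches and is not arm64-specific. Either drop the comment in this commit or re-attach it to whatever entry it still explains. Whether the comment line is on the old or new side is not recoverable from this rendering, so this may already be handled.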


@ -1 +0,0 @@
DIST efitools-1.9.2.tar.gz 116037 BLAKE2B b3540932eb112e362fd0eed47090360603807dcaec8c6a10058618f8252eeb5dcbbd703d313cb6fadae62c1312815080cf2c77fc86f9dfc9f9afca24ad97f584 SHA512 77e0ad7e865814ed388ff6daabe0f4b49ba51672bf2cbb98b7905e209cbd28f9ede2f73213ce45af8a978c1e67dba24ec88a1188661317cc22317b47e575cde8


@ -1,56 +0,0 @@
# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
inherit flag-o-matic toolchain-funcs
DESCRIPTION="Tools for manipulating UEFI secure boot platforms"
HOMEPAGE="https://git.kernel.org/cgit/linux/kernel/git/jejb/efitools.git"
SRC_URI="https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git/snapshot/${P}.tar.gz"
LICENSE="GPL-2 LGPL-2.1"
SLOT="0"
KEYWORDS="amd64 ~arm64 x86"
IUSE="static"
LIB_DEPEND="dev-libs/openssl:=[static-libs(+)]"
RDEPEND="
!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
sys-apps/util-linux"
DEPEND="${RDEPEND}
static? ( ${LIB_DEPEND} )
sys-boot/gnu-efi"
BDEPEND="
app-crypt/sbsigntools
dev-perl/File-Slurp
sys-apps/help2man
virtual/pkgconfig"
PATCHES=(
"${FILESDIR}"/1.9.2-clang16.patch
"${FILESDIR}"/1.9.2-Makefile.patch
)
src_prepare() {
default
# Let it build with clang
if tc-is-clang; then
sed -i -e 's/-fno-toplevel-reorder//g' Make.rules || die
fi
if use static; then
append-ldflags -static
export STATIC_FLAG=--static
fi
}
src_configure() {
# Calls LD directly, doesn't respect LDFLAGS. Low level package anyway.
# See bug #908813.
filter-lto
tc-export AR CC LD NM OBJCOPY PKG_CONFIG
}


@ -1,121 +0,0 @@
--- a/Makefile
+++ b/Makefile
@@ -21,6 +21,8 @@
KEYBLACKLISTAUTH = $(ALLKEYS:=-blacklist.auth)
KEYHASHBLACKLISTAUTH = $(ALLKEYS:=-hash-blacklist.auth)
+SSL_LIBS = $(shell $(PKG_CONFIG) $(STATIC_FLAG) --libs libcrypto)
+
export TOPDIR := $(shell pwd)/
include Make.rules
@@ -88,31 +90,31 @@
ShimReplace.so: lib/lib-efi.a
cert-to-efi-sig-list: cert-to-efi-sig-list.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto
+ $(CC) $(LDFLAGS) $(ARCH3264) -o $@ $< lib/lib.a $(SSL_LIBS)
sig-list-to-certs: sig-list-to-certs.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto
+ $(CC) $(LDFLAGS) $(ARCH3264) -o $@ $< lib/lib.a $(SSL_LIBS)
sign-efi-sig-list: sign-efi-sig-list.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto
+ $(CC) $(LDFLAGS) $(ARCH3264) -o $@ $< lib/lib.a $(SSL_LIBS)
hash-to-efi-sig-list: hash-to-efi-sig-list.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a
+ $(CC) $(LDFLAGS) $(ARCH3264) -o $@ $< lib/lib.a
cert-to-efi-hash-list: cert-to-efi-hash-list.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto
+ $(CC) $(LDFLAGS) $(ARCH3264) -o $@ $< lib/lib.a $(SSL_LIBS)
efi-keytool: efi-keytool.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a
+ $(CC) $(LDFLAGS) $(ARCH3264) -o $@ $< lib/lib.a
efi-readvar: efi-readvar.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto
+ $(CC) $(LDFLAGS) $(ARCH3264) -o $@ $< lib/lib.a $(SSL_LIBS)
efi-updatevar: efi-updatevar.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto
+ $(CC) $(LDFLAGS) $(ARCH3264) -o $@ $< lib/lib.a $(SSL_LIBS)
flash-var: flash-var.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a
+ $(CC) $(LDFLAGS) $(ARCH3264) -o $@ $< lib/lib.a
clean:
rm -f PK.* KEK.* DB.* $(EFIFILES) $(EFISIGNED) $(BINARIES) *.o *.so
--- a/Make.rules
+++ b/Make.rules
@@ -15,8 +15,7 @@
endif
INCDIR = -I$(TOPDIR)include/ -I/usr/include/efi -I/usr/include/efi/$(ARCH) -I/usr/include/efi/protocol
CPPFLAGS = -DCONFIG_$(ARCH)
-CFLAGS = -O2 -g $(ARCH3264) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -fno-stack-protector -ffreestanding -fno-stack-check
-LDFLAGS = -nostdlib
+CFLAGS += $(ARCH3264) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -fno-stack-protector -ffreestanding -fno-stack-check
CRTOBJ = crt0-efi-$(ARCH).o
CRTPATHS = /lib /lib64 /lib/efi /lib64/efi /usr/lib /usr/lib64 /usr/lib/efi /usr/lib64/efi /usr/lib/gnuefi /usr/lib64/gnuefi
CRTPATH = $(shell for f in $(CRTPATHS); do if [ -e $$f/$(CRTOBJ) ]; then echo $$f; break; fi; done)
@@ -24,10 +23,9 @@
# there's a bug in the gnu tools ... the .reloc section has to be
# aligned otherwise the file alignment gets screwed up
LDSCRIPT = elf_$(ARCH)_efi.lds
-LDFLAGS += -shared -Bsymbolic $(CRTOBJS) -L $(CRTPATH) -L /usr/lib -L /usr/lib64 -T $(LDSCRIPT)
+LIBS += -nostdlib -shared -Bsymbolic $(CRTOBJS) -L $(CRTPATH) -T $(LDSCRIPT)
LOADLIBES = -lefi -lgnuefi $(shell $(CC) $(ARCH3264) -print-libgcc-file-name)
FORMAT = --target=efi-app-$(ARCH)
-OBJCOPY = objcopy
MYGUID = 11111111-2222-3333-4444-123456789abc
INSTALL = install
BINDIR = $(DESTDIR)/usr/bin
@@ -47,12 +45,12 @@
endif
ifeq ($(ARCH),arm)
- LDFLAGS += --defsym=EFI_SUBSYSTEM=0x0a
+ LIBS += --defsym=EFI_SUBSYSTEM=0x0a
FORMAT = -O binary
endif
ifeq ($(ARCH),aarch64)
- LDFLAGS += --defsym=EFI_SUBSYSTEM=0x0a
+ LIBS += --defsym=EFI_SUBSYSTEM=0x0a
FORMAT = -O binary
endif
@@ -61,9 +59,9 @@
-j .rel -j .rela -j .rel.* -j .rela.* -j .rel* -j .rela* \
-j .reloc $(FORMAT) $*.so $@
%.so: %.o
- $(LD) $(LDFLAGS) $^ -o $@ $(LOADLIBES)
+ $(LD) $(LIBS) $^ -o $@ $(LOADLIBES)
# check we have no undefined symbols
- nm -D $@ | grep ' U ' && exit 1 || exit 0
+ $(NM) -D $@ | grep ' U ' && exit 1 || exit 0
%.h: %.auth
./xxdi.pl $< > $@
@@ -71,7 +69,7 @@
%.hash: %.efi hash-to-efi-sig-list
./hash-to-efi-sig-list $< $@
-%-blacklist.esl: %.crt cert-to-efi-hash-list
+%-blacklist.esl: %.crt cert-to-efi-sig-list
./cert-to-efi-sig-list $< $@
%-hash-blacklist.esl: %.crt cert-to-efi-hash-list
@@ -129,7 +127,7 @@
# sbsign --key KEK.key --cert KEK.crt --output $@ $<
%.a:
- ar rcv $@ $^
+ $(AR) rcv $@ $^
doc/%.1: doc/%.1.in %
$(HELP2MAN) --no-info -i $< -o $@ ./$*


@ -1,108 +0,0 @@
--- a/cert-to-efi-sig-list.c
+++ b/cert-to-efi-sig-list.c
@@ -6,7 +6,6 @@
#include <stdint.h>
-#define __STDC_VERSION__ 199901L
#include <efi.h>
#ifdef CONFIG_arm
/* FIXME:
--- a/efi-keytool.c
+++ b/efi-keytool.c
@@ -15,7 +15,6 @@
#include <fcntl.h>
#include <unistd.h>
-#define __STDC_VERSION__ 199901L
#include <efi.h>
#include <kernel_efivars.h>
--- a/efi-readvar.c
+++ b/efi-readvar.c
@@ -17,7 +17,6 @@
#include <openssl/x509.h>
-#define __STDC_VERSION__ 199901L
#include <efi.h>
#include <kernel_efivars.h>
--- a/efi-updatevar.c
+++ b/efi-updatevar.c
@@ -20,7 +20,6 @@
#include <openssl/err.h>
#include <openssl/pem.h>
-#define __STDC_VERSION__ 199901L
#include <efi.h>
#include <kernel_efivars.h>
--- a/flash-var.c
+++ b/flash-var.c
@@ -1,3 +1,5 @@
+#define _XOPEN_SOURCE 700
+
#include <stdlib.h>
#include <stdint.h>
#include <sys/types.h>
@@ -10,7 +12,6 @@
#include <fcntl.h>
#include <unistd.h>
-#define __STDC_VERSION__ 199901L
#include <efi.h>
#include <version.h>
--- a/hash-to-efi-sig-list.c
+++ b/hash-to-efi-sig-list.c
@@ -4,7 +4,6 @@
* see COPYING file
*/
#include <stdint.h>
-#define __STDC_VERSION__ 199901L
#include <efi.h>
#ifdef CONFIG_arm
/* FIXME:
--- a/include/variableformat.h
+++ b/include/variableformat.h
@@ -109,7 +109,7 @@
#pragma pack()
-inline BOOLEAN
+static inline BOOLEAN
IsValidVariableHeader (VARIABLE_HEADER *vh) {
if (vh == NULL || vh->StartId != VARIABLE_DATA)
return FALSE;
--- a/lib/kernel_efivars.c
+++ b/lib/kernel_efivars.c
@@ -16,7 +16,6 @@
#include <unistd.h>
#include <time.h>
-#define __STDC_VERSION__ 199901L
#include <efi.h>
#include <kernel_efivars.h>
--- a/sig-list-to-certs.c
+++ b/sig-list-to-certs.c
@@ -4,7 +4,6 @@
* see COPYING file
*/
#include <stdint.h>
-#define __STDC_VERSION__ 199901L
#include <efi.h>
#ifdef CONFIG_arm
/* FIXME:
--- a/sign-efi-sig-list.c
+++ b/sign-efi-sig-list.c
@@ -4,7 +4,7 @@
* see COPYING file
*/
#include <stdint.h>
-#define __STDC_VERSION__ 199901L
+#define _XOPEN_SOURCE 700
#include <efi.h>
#ifdef CONFIG_arm
/* FIXME:


@ -1,5 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<!-- maintainer-needed -->
</pkgmetadata>