diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list
index 3535ced81c..f7eea886f3 100644
--- a/.github/workflows/portage-stable-packages-list
+++ b/.github/workflows/portage-stable-packages-list
@@ -117,7 +117,6 @@ app-containers/runc
 app-crypt/adcli
 app-crypt/argon2
 app-crypt/ccid
-app-crypt/efitools
 app-crypt/gnupg
 app-crypt/gpgme
 app-crypt/libb2
diff --git a/build_library/vm_image_util.sh b/build_library/vm_image_util.sh
index ecaa792d5a..2d1826487e 100644
--- a/build_library/vm_image_util.sh
+++ b/build_library/vm_image_util.sh
@@ -816,13 +816,12 @@ _write_qemu_conf() {
 }
 _write_qemu_uefi_conf() {
+ local flash_ro="$(_dst_name "_efi_code.fd")"
+ local flash_rw="$(_dst_name "_efi_vars.fd")"
 local script="$(_dst_dir)/$(_dst_name ".sh")"
 _write_qemu_conf
- local flash_ro="$(_dst_name "_efi_code.fd")"
- local flash_rw="$(_dst_name "_efi_vars.fd")"
-
 case $BOARD in
 amd64-usr)
 cp "/usr/share/edk2-ovmf/OVMF_CODE.fd" "$(_dst_dir)/${flash_ro}"
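Review bot: The two `local` lines hoisted to the top of `_write_qemu_uefi_conf` fold a command substitution into the declaration, so a non-zero exit from `_dst_name` is hidden behind `local`'s own (successful) status (ShellCheck SC2155); if this library is sourced under errexit the failure would pass unnoticed and an empty file name would propagate into the `cp` below. Declaring first and assigning second keeps the status visible: `local flash_ro flash_rw` then `flash_ro="$(_dst_name "_efi_code.fd")"` and `flash_rw="$(_dst_name "_efi_vars.fd")"`. Whether `_dst_name` can actually fail is not visible from the hunk, and the pre-existing `script` line has the same shape. The function body continues past the end of the hunk.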
@@ -861,15 +860,18 @@ _write_qemu_uefi_secure_conf() {
 local flash_rw="$(_dst_name "_efi_vars.fd")"
 local flash_ro="$(_dst_name "_efi_code.fd")"
 local script="$(_dst_dir)/$(_dst_name ".sh")"
+ local owner="00000000-0000-0000-0000-000000000000"
 _write_qemu_uefi_conf
 cp "/usr/share/edk2-ovmf/OVMF_CODE.secboot.fd" "$(_dst_dir)/${flash_ro}"
- cert-to-efi-sig-list "/usr/share/sb_keys/PK.crt" "${VM_TMP_DIR}/PK.esl"
- cert-to-efi-sig-list "/usr/share/sb_keys/KEK.crt" "${VM_TMP_DIR}/KEK.esl"
- cert-to-efi-sig-list "/usr/share/sb_keys/DB.crt" "${VM_TMP_DIR}/DB.esl"
- flash-var "$(_dst_dir)/${flash_rw}" "PK" "${VM_TMP_DIR}/PK.esl"
- flash-var "$(_dst_dir)/${flash_rw}" "KEK" "${VM_TMP_DIR}/KEK.esl"
- flash-var "$(_dst_dir)/${flash_rw}" "db" "${VM_TMP_DIR}/DB.esl"
+
+ virt-fw-vars \
+ --inplace "$(_dst_dir)/${flash_rw}" \
+ --set-pk "${owner}" /usr/share/sb_keys/PK.crt \
+ --add-kek "${owner}" /usr/share/sb_keys/KEK.crt \
+ --add-db "${owner}" /usr/share/sb_keys/DB.crt \
+ --secure-boot --no-microsoft
+
 sed -e "s%^SECURE_BOOT=.*%SECURE_BOOT=1%" -i "${script}"
 }
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-devel/sdk-depends/sdk-depends-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-devel/sdk-depends/sdk-depends-0.0.1.ebuild
index 2d1778bc5c..ed4d4fe0b2 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-devel/sdk-depends/sdk-depends-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-devel/sdk-depends/sdk-depends-0.0.1.ebuild
@@ -17,9 +17,9 @@ DEPEND="
 app-admin/sudo
 app-admin/updateservicectl
 app-arch/pbzip2
- app-crypt/efitools
 app-crypt/sbsigntools
 app-emulation/open-vmdk
+ app-emulation/virt-firmware
 app-eselect/eselect-python
 app-misc/jq
 app-shells/bash-completion
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
index f665b05bf7..cfbe026846 100644
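Review bot: The new `virt-fw-vars` invocation enrolls only the Flatcar PK/KEK/db and, through `--no-microsoft`, keeps the Microsoft UEFI CA out, but it also passes no `--add-dbx`, so the resulting variable store carries no forbidden-signature list at all; for a test VM that is meant to boot only binaries signed by `DB.crt` that is defensible, but the intent is not stated anywhere near the call. I'd put a comment above it, such as `# Enroll only our own keys (no Microsoft CA, no dbx): only binaries signed by DB.crt will boot.`, so nobody later reads this as a production-grade key set. The all-zero `owner` GUID appears to mirror what `cert-to-efi-sig-list` used when no `-g` was given, which is worth recording too, e.g. `# Signature-owner GUID for the enrolled lists; zeros match the former efitools default.` Like the lines it replaces, the call has no `|| die`, so unless this library runs with errexit a failed enrollment would still be followed by the `sed` that flips `SECURE_BOOT=1`, producing a launch script that claims Secure Boot for a vars store that never received a PK; `virt-fw-vars ... --secure-boot --no-microsoft || die "virt-fw-vars failed"` would close that gap if `die` is available here.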
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -53,8 +53,10 @@
 # The only available ebuild (from GURU) has ~amd64 and no keyword for arm64 yet.
 =app-crypt/clevis-19-r1 **
+# Needed in SDK for Secure Boot.
+=app-emulation/virt-firmware-24.7 ~amd64 ~arm64
+
 # Needed by arm64-native SDK.
-=app-crypt/efitools-1.9.2-r1 ~arm64
 =app-emulation/open-vmdk-1.0 *
 # Keep versions on both arches in sync.
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/efitools/Manifest b/sdk_container/src/third_party/portage-stable/app-crypt/efitools/Manifest
deleted file mode 100644
index aced0dc8f9..0000000000
--- a/sdk_container/src/third_party/portage-stable/app-crypt/efitools/Manifest
+++ /dev/null
@@ -1 +0,0 @@
-DIST efitools-1.9.2.tar.gz 116037 BLAKE2B b3540932eb112e362fd0eed47090360603807dcaec8c6a10058618f8252eeb5dcbbd703d313cb6fadae62c1312815080cf2c77fc86f9dfc9f9afca24ad97f584 SHA512 77e0ad7e865814ed388ff6daabe0f4b49ba51672bf2cbb98b7905e209cbd28f9ede2f73213ce45af8a978c1e67dba24ec88a1188661317cc22317b47e575cde8
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/efitools/efitools-1.9.2-r1.ebuild b/sdk_container/src/third_party/portage-stable/app-crypt/efitools/efitools-1.9.2-r1.ebuild
deleted file mode 100644
index 0deba136bb..0000000000
--- a/sdk_container/src/third_party/portage-stable/app-crypt/efitools/efitools-1.9.2-r1.ebuild
+++ /dev/null
@@ -1,56 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-inherit flag-o-matic toolchain-funcs
-
-DESCRIPTION="Tools for manipulating UEFI secure boot platforms"
-HOMEPAGE="https://git.kernel.org/cgit/linux/kernel/git/jejb/efitools.git"
-SRC_URI="https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git/snapshot/${P}.tar.gz"
-
-LICENSE="GPL-2 LGPL-2.1"
-SLOT="0"
-KEYWORDS="amd64 ~arm64 x86"
-IUSE="static"
-
-LIB_DEPEND="dev-libs/openssl:=[static-libs(+)]"
-
-RDEPEND="
- !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
- sys-apps/util-linux"
-DEPEND="${RDEPEND}
- static? ( ${LIB_DEPEND} )
- sys-boot/gnu-efi"
-BDEPEND="
- app-crypt/sbsigntools
- dev-perl/File-Slurp
- sys-apps/help2man
- virtual/pkgconfig"
-
-PATCHES=(
- "${FILESDIR}"/1.9.2-clang16.patch
- "${FILESDIR}"/1.9.2-Makefile.patch
-)
-
-src_prepare() {
- default
-
- # Let it build with clang
- if tc-is-clang; then
- sed -i -e 's/-fno-toplevel-reorder//g' Make.rules || die
- fi
-
- if use static; then
- append-ldflags -static
- export STATIC_FLAG=--static
- fi
-}
-
-src_configure() {
- # Calls LD directly, doesn't respect LDFLAGS. Low level package anyway.
- # See bug #908813.
- filter-lto
-
- tc-export AR CC LD NM OBJCOPY PKG_CONFIG
-}
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/efitools/files/1.9.2-Makefile.patch b/sdk_container/src/third_party/portage-stable/app-crypt/efitools/files/1.9.2-Makefile.patch
deleted file mode 100644
index e8e99b1858..0000000000
--- a/sdk_container/src/third_party/portage-stable/app-crypt/efitools/files/1.9.2-Makefile.patch
+++ /dev/null
@@ -1,121 +0,0 @@ ---- a/Makefile -+++ b/Makefile -@@ -21,6 +21,8 @@ - KEYBLACKLISTAUTH = $(ALLKEYS:=-blacklist.auth) - KEYHASHBLACKLISTAUTH = $(ALLKEYS:=-hash-blacklist.auth) - -+SSL_LIBS = $(shell $(PKG_CONFIG) $(STATIC_FLAG) --libs libcrypto) -+ - export TOPDIR := $(shell pwd)/ - - include Make.rules -@@ -88,31 +90,31 @@ - ShimReplace.so: lib/lib-efi.a - - cert-to-efi-sig-list: cert-to-efi-sig-list.o lib/lib.a -- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto -+ $(CC) $(LDFLAGS) $(ARCH3264) -o $@ $< lib/lib.a $(SSL_LIBS) - - sig-list-to-certs: sig-list-to-certs.o lib/lib.a -- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto -+ $(CC) $(LDFLAGS) $(ARCH3264) -o $@ $< lib/lib.a $(SSL_LIBS) - - sign-efi-sig-list: sign-efi-sig-list.o lib/lib.a -- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto -+ $(CC) $(LDFLAGS) $(ARCH3264) -o $@ $< lib/lib.a $(SSL_LIBS) - - hash-to-efi-sig-list: hash-to-efi-sig-list.o lib/lib.a -- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -+ $(CC) $(LDFLAGS) $(ARCH3264) -o $@ $< lib/lib.a - - cert-to-efi-hash-list: cert-to-efi-hash-list.o lib/lib.a -- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto -+ $(CC) $(LDFLAGS) $(ARCH3264) -o $@ $< lib/lib.a $(SSL_LIBS) - - efi-keytool: efi-keytool.o lib/lib.a -- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -+ $(CC) $(LDFLAGS) $(ARCH3264) -o $@ $< lib/lib.a - - efi-readvar: efi-readvar.o lib/lib.a -- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto -+ $(CC) $(LDFLAGS) $(ARCH3264) -o $@ $< lib/lib.a $(SSL_LIBS) - - efi-updatevar: efi-updatevar.o lib/lib.a -- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto -+ $(CC) $(LDFLAGS) $(ARCH3264) -o $@ $< lib/lib.a $(SSL_LIBS) - - flash-var: flash-var.o lib/lib.a -- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -+ $(CC) $(LDFLAGS) $(ARCH3264) -o $@ $< lib/lib.a - - clean: - rm -f PK.* KEK.* DB.* $(EFIFILES) $(EFISIGNED) $(BINARIES) *.o *.so ---- a/Make.rules -+++ b/Make.rules -@@ -15,8 +15,7 @@ - endif - INCDIR = -I$(TOPDIR)include/ -I/usr/include/efi -I/usr/include/efi/$(ARCH) 
-I/usr/include/efi/protocol - CPPFLAGS = -DCONFIG_$(ARCH) --CFLAGS = -O2 -g $(ARCH3264) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -fno-stack-protector -ffreestanding -fno-stack-check --LDFLAGS = -nostdlib -+CFLAGS += $(ARCH3264) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -fno-stack-protector -ffreestanding -fno-stack-check - CRTOBJ = crt0-efi-$(ARCH).o - CRTPATHS = /lib /lib64 /lib/efi /lib64/efi /usr/lib /usr/lib64 /usr/lib/efi /usr/lib64/efi /usr/lib/gnuefi /usr/lib64/gnuefi - CRTPATH = $(shell for f in $(CRTPATHS); do if [ -e $$f/$(CRTOBJ) ]; then echo $$f; break; fi; done) -@@ -24,10 +23,9 @@ - # there's a bug in the gnu tools ... the .reloc section has to be - # aligned otherwise the file alignment gets screwed up - LDSCRIPT = elf_$(ARCH)_efi.lds --LDFLAGS += -shared -Bsymbolic $(CRTOBJS) -L $(CRTPATH) -L /usr/lib -L /usr/lib64 -T $(LDSCRIPT) -+LIBS += -nostdlib -shared -Bsymbolic $(CRTOBJS) -L $(CRTPATH) -T $(LDSCRIPT) - LOADLIBES = -lefi -lgnuefi $(shell $(CC) $(ARCH3264) -print-libgcc-file-name) - FORMAT = --target=efi-app-$(ARCH) --OBJCOPY = objcopy - MYGUID = 11111111-2222-3333-4444-123456789abc - INSTALL = install - BINDIR = $(DESTDIR)/usr/bin -@@ -47,12 +45,12 @@ - endif - - ifeq ($(ARCH),arm) -- LDFLAGS += --defsym=EFI_SUBSYSTEM=0x0a -+ LIBS += --defsym=EFI_SUBSYSTEM=0x0a - FORMAT = -O binary - endif - - ifeq ($(ARCH),aarch64) -- LDFLAGS += --defsym=EFI_SUBSYSTEM=0x0a -+ LIBS += --defsym=EFI_SUBSYSTEM=0x0a - FORMAT = -O binary - endif - -@@ -61,9 +59,9 @@ - -j .rel -j .rela -j .rel.* -j .rela.* -j .rel* -j .rela* \ - -j .reloc $(FORMAT) $*.so $@ - %.so: %.o -- $(LD) $(LDFLAGS) $^ -o $@ $(LOADLIBES) -+ $(LD) $(LIBS) $^ -o $@ $(LOADLIBES) - # check we have no undefined symbols -- nm -D $@ | grep ' U ' && exit 1 || exit 0 -+ $(NM) -D $@ | grep ' U ' && exit 1 || exit 0 - - %.h: %.auth - ./xxdi.pl $< > $@ -@@ -71,7 +69,7 @@ - %.hash: %.efi hash-to-efi-sig-list - ./hash-to-efi-sig-list $< $@ - 
--%-blacklist.esl: %.crt cert-to-efi-hash-list -+%-blacklist.esl: %.crt cert-to-efi-sig-list - ./cert-to-efi-sig-list $< $@ - - %-hash-blacklist.esl: %.crt cert-to-efi-hash-list -@@ -129,7 +127,7 @@ - # sbsign --key KEK.key --cert KEK.crt --output $@ $< - - %.a: -- ar rcv $@ $^ -+ $(AR) rcv $@ $^ - - doc/%.1: doc/%.1.in % - $(HELP2MAN) --no-info -i $< -o $@ ./$* diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/efitools/files/1.9.2-clang16.patch b/sdk_container/src/third_party/portage-stable/app-crypt/efitools/files/1.9.2-clang16.patch deleted file mode 100644 index 944a731bcd..0000000000 --- a/sdk_container/src/third_party/portage-stable/app-crypt/efitools/files/1.9.2-clang16.patch +++ /dev/null 
@@ -1,108 +0,0 @@ ---- a/cert-to-efi-sig-list.c -+++ b/cert-to-efi-sig-list.c -@@ -6,7 +6,6 @@ - - - #include --#define __STDC_VERSION__ 199901L - #include - #ifdef CONFIG_arm - /* FIXME: ---- a/efi-keytool.c -+++ b/efi-keytool.c -@@ -15,7 +15,6 @@ - #include - #include - --#define __STDC_VERSION__ 199901L - #include - - #include ---- a/efi-readvar.c -+++ b/efi-readvar.c -@@ -17,7 +17,6 @@ - - #include - --#define __STDC_VERSION__ 199901L - #include - - #include ---- a/efi-updatevar.c -+++ b/efi-updatevar.c -@@ -20,7 +20,6 @@ - #include - #include - --#define __STDC_VERSION__ 199901L - #include - - #include ---- a/flash-var.c -+++ b/flash-var.c -@@ -1,3 +1,5 @@ -+#define _XOPEN_SOURCE 700 -+ - #include - #include - #include -@@ -10,7 +12,6 @@ - #include - #include - --#define __STDC_VERSION__ 199901L - #include - - #include ---- a/hash-to-efi-sig-list.c -+++ b/hash-to-efi-sig-list.c -@@ -4,7 +4,6 @@ - * see COPYING file - */ - #include --#define __STDC_VERSION__ 199901L - #include - #ifdef CONFIG_arm - /* FIXME: ---- a/include/variableformat.h -+++ b/include/variableformat.h -@@ -109,7 +109,7 @@ - - #pragma pack() - --inline BOOLEAN -+static inline BOOLEAN - IsValidVariableHeader (VARIABLE_HEADER *vh) { - if (vh == NULL || vh->StartId != VARIABLE_DATA) - return FALSE; ---- a/lib/kernel_efivars.c -+++ b/lib/kernel_efivars.c -@@ -16,7 +16,6 @@ - #include - #include - --#define __STDC_VERSION__ 199901L - #include - - #include ---- a/sig-list-to-certs.c -+++ b/sig-list-to-certs.c -@@ -4,7 +4,6 @@ - * see COPYING file - */ - #include --#define __STDC_VERSION__ 199901L - #include - #ifdef CONFIG_arm - /* FIXME: ---- a/sign-efi-sig-list.c -+++ b/sign-efi-sig-list.c -@@ -4,7 +4,7 @@ - * see COPYING file - */ - #include --#define __STDC_VERSION__ 199901L -+#define _XOPEN_SOURCE 700 - #include - #ifdef CONFIG_arm - /* FIXME: 
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/efitools/metadata.xml b/sdk_container/src/third_party/portage-stable/app-crypt/efitools/metadata.xml deleted file mode 100644 index 115e9d64a6..0000000000 --- a/sdk_container/src/third_party/portage-stable/app-crypt/efitools/metadata.xml +++ /dev/null @@ -1,5 +0,0 @@ - - - - -