import Fedora efitools-1.9.2-19.fc44

Andrew Lukoshko 2026-02-17 14:47:00 +00:00
parent 17eca39493
commit 35bc15114e
14 changed files with 771 additions and 189 deletions


@ -1 +0,0 @@
eb06da832e02ca4a6afeefb89c015ee566961c58 SOURCES/efitools-1.9.2.tar.gz

.gitignore vendored

@ -1 +1 @@
SOURCES/efitools-1.9.2.tar.gz
efitools-1.9.2.tar.gz


@ -1,24 +0,0 @@
Define _GNU_SOURCE for a declaration of strptime
This is needed for compatibility with future C compilers which reject
implicit function declarations by default. Without _GNU_SOURCE (or a
similar feature test macro), <time.h> does not declare the strptime
function, and compilation can fail.
Submitted upstream:
<https://lore.kernel.org/linux-efi/87fsdhllhk.fsf@oldenburg.str.redhat.com/>
diff --git a/Make.rules b/Make.rules
index 903a5a4..d4de1ef 100644
--- a/Make.rules
+++ b/Make.rules
@@ -14,7 +14,7 @@ else
$(error unknown architecture $(ARCH))
endif
INCDIR = -I$(TOPDIR)include/ -I/usr/include/efi -I/usr/include/efi/$(ARCH) -I/usr/include/efi/protocol
-CPPFLAGS = -DCONFIG_$(ARCH)
+CPPFLAGS = -DCONFIG_$(ARCH) -D_GNU_SOURCE
CFLAGS = -O2 -g $(ARCH3264) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -fno-stack-protector -ffreestanding -fno-stack-check
LDFLAGS = -nostdlib
CRTOBJ = crt0-efi-$(ARCH).o


@ -1,21 +0,0 @@
Include <strings.h> for the strcasecmp function
Otherwise, an implicit function declaration is the result, and the
code may fail to compile with future compilers.
Submitted upstream:
<https://lore.kernel.org/linux-efi/87pmcllll9.fsf@oldenburg.str.redhat.com/>
diff --git a/efi-updatevar.c b/efi-updatevar.c
index 4247105..033d938 100644
--- a/efi-updatevar.c
+++ b/efi-updatevar.c
@@ -11,6 +11,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <strings.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>


@ -1,45 +0,0 @@
We can use just the same flags as for aarch64.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@xxxxxx>
---
RISC-V patches for gnu-efi are not yet accepted in upstream. Cf.
[Gnu-efi-discuss] [PATCH 1/1] Initial support for RISCV64
https://sourceforge.net/p/gnu-efi/mailman/gnu-efi-discuss/thread/20210401153553.103286-1-xypron.glpk%40gmx.de/#msg37253360
[Gnu-efi-discuss] [PATCH 1/1] Undefined Status in LibGetVariableAndSize()
https://sourceforge.net/p/gnu-efi/mailman/gnu-efi-discuss/thread/20210319162557.334645-1-xypron.glpk%40gmx.de/#msg37243995
You can use
https://github.com/xypron/gnu-efi/releases/tag/riscv64-2021-04-01 for
building sbsigntools and efitools.
---
Make.rules | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/Make.rules b/Make.rules
index 903a5a4..69bd3bd 100644
--- a/Make.rules
+++ b/Make.rules
@@ -10,6 +10,8 @@ else ifeq ($(ARCH),aarch64)
ARCH3264 =
else ifeq ($(ARCH),arm)
ARCH3264 =
+else ifeq ($(ARCH),riscv64)
+ARCH3264 =
else
$(error unknown architecture $(ARCH))
endif
@@ -56,6 +58,11 @@ ifeq ($(ARCH),aarch64)
FORMAT = -O binary
endif
+ifeq ($(ARCH),riscv64)
+ LDFLAGS += --defsym=EFI_SUBSYSTEM=0x0a
+ FORMAT = -O binary
+endif
+
%.efi: %.so
$(OBJCOPY) -j .text -j .sdata -j .data -j .dynamic -j .dynsym \
-j .rel -j .rela -j .rel.* -j .rela.* -j .rel* -j .rela* \
--
2.30.2


@ -1,97 +0,0 @@
Name: efitools
Version: 1.9.2
Release: 9%{?dist}
Summary: Tools to manipulate EFI secure boot keys and signatures
License: GPLv2 and LGPLv2 and BSD
# call-to-mktemp:
# https://github.com/vathpela/efitools/issues/2
URL: https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git
Source0: %{url}/snapshot/%{name}-%{version}.tar.gz
Patch1: efitools-c99-1.patch
Patch2: efitools-c99-2.patch
Patch3: efitools-riscv64.patch
# same as gnu-efi
ExclusiveArch: %{efi}
BuildRequires: pkgconfig(openssl)
BuildRequires: gcc
BuildRequires: gnu-efi-devel
BuildRequires: help2man
BuildRequires: openssl
BuildRequires: perl-File-Slurp
BuildRequires: sbsigntools
Requires: coreutils%{_isa}
Requires: mtools%{_isa}
Requires: parted%{_isa}
Requires: util-linux%{_isa}
Recommends: sbsigntools%{_isa}
%description
This package installs a variety of tools for manipulating keys and binary
signatures on UEFI secure boot platforms.
The tools provide access to the keys and certificates stored in the
secure variables of the UEFI firmware, usually in the NVRAM area.
%prep
%autosetup -p1
%build
%set_build_flags
%__make -O
%install
%make_install DOCDIR=%{buildroot}%{_docdir}/%{name}/ CFLAGS="%{optflags}"
rm -v %{buildroot}%{_docdir}/%{name}/COPYING
%files
%doc README
%license COPYING
%{_datadir}/%{name}/
%{_mandir}/man1/*.1.*
%{_bindir}/cert-to-efi-hash-list
%{_bindir}/cert-to-efi-sig-list
%{_bindir}/efi-readvar
%{_bindir}/efi-updatevar
%{_bindir}/efitool-mkusb
%{_bindir}/flash-var
%{_bindir}/hash-to-efi-sig-list
%{_bindir}/sig-list-to-certs
%{_bindir}/sign-efi-sig-list
%changelog
* Wed Dec 14 2022 Florian Weimer <fweimer@redhat.com> - 1.9.2-9
- C99 port
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.2-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.2-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 1.9.2-6
- Rebuilt with OpenSSL 3.0.0
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.2-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Sun Mar 07 2021 Vladislav Kazakov <vpackager@gmail.com> - 1.9.2-4
- Fix incorrect build.
* Sat Feb 06 2021 Vladislav Kazakov <vpackager@gmail.com> - 1.9.2-3
- Add system flags to CFLAGS.
- Remove i686 support.
* Sun Jan 31 2021 Vladislav Kazakov <vpackager@gmail.com> - 1.9.2-2
- Add BSD license.
- Rename LGPLv2.1 to LGPLv2.
- Add reference to issue about mktemp usage.
* Sun Jan 17 2021 Vladislav Kazakov <vpackager@gmail.com> - 1.9.2-1
- Initial SPEC release.

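--- a/allow-riscv64-build.patch
+++ b/allow-riscv64-build.patch
@@ -0,0 +1,23 @@
+--- a/Make.rules
++++ b/Make.rules
+@@ -8,6 +8,8 @@
+ARCH3264 =
+else ifeq ($(ARCH),aarch64)
+ARCH3264 =
++else ifeq ($(ARCH),riscv64)
++ARCH3264 =
+else ifeq ($(ARCH),arm)
+ARCH3264 =
+else
+@@ -55,6 +57,11 @@
+LDFLAGS += --defsym=EFI_SUBSYSTEM=0x0a
+FORMAT = -O binary
+endif
++
++ifeq ($(ARCH),riscv64)
++ LDFLAGS += --defsym=EFI_SUBSYSTEM=0x0a
++ FORMAT = -O binary
++endif
+%.efi: %.so
+$(OBJCOPY) -j .text -j .sdata -j .data -j .dynamic -j .dynsym \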

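--- a/drop-engine-options.patch
+++ b/drop-engine-options.patch
@@ -0,0 +1,212 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <luca.boccassi@gmail.com>
+Date: Tue, 10 Jun 2025 22:30:24 +0100
+Subject: [PATCH] Drop engine options
+OpenSSL engines are deprecated in Fedora, remove support
+---
+efi-updatevar.c | 8 +-----
+include/openssl_sign.h | 4 +--
+lib/openssl_sign.c | 62 +++---------------------------------------
+sign-efi-sig-list.c | 10 ++-----
+4 files changed, 9 insertions(+), 75 deletions(-)
+diff --git a/efi-updatevar.c b/efi-updatevar.c
+index f9375de..77f3d29 100644
+--- a/efi-updatevar.c
++++ b/efi-updatevar.c
+@@ -52,7 +52,6 @@ help(const char *progname)
+"\t-g <guid>\tOptional <guid> for the X509 Certificate\n"
+"\t-k <key>\tSecret key file for authorising User Mode updates\n"
+"\t-d <list>[-<entry>]\tDelete the signature list <list> (or just a single <entry> within the list)\n"
+- "\t--engine <eng>\tUse engine <eng> for private key\n"
+);
+}
+@@ -61,7 +60,6 @@ main(int argc, char *argv[])
+{
+char *variables[] = { "PK", "KEK", "db", "dbx" };
+char *signedby[] = { "PK", "PK", "KEK", "KEK" };
+- char *engine = NULL;
+EFI_GUID *owners[] = { &GV_GUID, &GV_GUID, &SIG_DB, &SIG_DB };
+EFI_GUID *owner, guid = MOK_OWNER;
+int i, esl_mode = 0, fd, ret, delsig = -1, delentry = -1;
+@@ -116,10 +114,6 @@ main(int argc, char *argv[])
+sscanf(argv[2], "%d-%d", &delsig, &delentry);
+argv += 2;
+argc -= 2;
+- } else if (strcmp(argv[1], "--engine") == 0) {
+- engine = argv[2];
+- argv += 2;
+- argc -= 2;
+} else {
+/* unrecognised option */
+break;
+@@ -286,7 +280,7 @@ main(int argc, char *argv[])
+fprintf(stderr, "Can't update variable%s without a key\n", variable_is_setupmode() ? "" : " in User Mode");
+exit(1);
+}
+- EVP_PKEY *pkey = read_private_key(engine, key_file);
++ EVP_PKEY *pkey = read_private_key(key_file);
+if (!pkey) {
+fprintf(stderr, "error reading private key %s\n", key_file);
+exit(1);
+diff --git a/include/openssl_sign.h b/include/openssl_sign.h
+index 136ad75..f067565 100644
+--- a/include/openssl_sign.h
++++ b/include/openssl_sign.h
+@@ -2,9 +2,9 @@
+int
+sign_efi_var(char *payload, int payload_size, char *keyfile, char *certfile,
+- unsigned char **sig, int *sigsize, char *engine);
++ unsigned char **sig, int *sigsize);
+int
+sign_efi_var_ssl(char *payload, int payload_size, EVP_PKEY *pkey, X509 *cert,
+unsigned char **sig, int *sigsize);
+EVP_PKEY *
+-read_private_key(char *engine, char *keyfile);
++read_private_key(char *keyfile);
+diff --git a/lib/openssl_sign.c b/lib/openssl_sign.c
+index 714ce1a..c1e8dc2 100644
+--- a/lib/openssl_sign.c
++++ b/lib/openssl_sign.c
+@@ -7,7 +7,6 @@
+#include <openssl/pem.h>
+#include <openssl/err.h>
+#include <openssl/sha.h>
+-#include <openssl/engine.h>
+#include <openssl_sign.h>
+@@ -33,7 +32,7 @@ sign_efi_var_ssl(char *payload, int payload_size, EVP_PKEY *pkey, X509 *cert,
+int
+sign_efi_var(char *payload, int payload_size, char *keyfile, char *certfile,
+- unsigned char **sig, int *sigsize, char *engine)
++ unsigned char **sig, int *sigsize)
+{
+int ret;
+@@ -60,7 +59,7 @@ sign_efi_var(char *payload, int payload_size, char *keyfile, char *certfile,
+return 1;
+}
+- EVP_PKEY *pkey = read_private_key(engine, keyfile);
++ EVP_PKEY *pkey = read_private_key(keyfile);
+if (!pkey) {
+ERR_print_errors_fp(stdout);
+fprintf(stderr, "error reading private key %s\n", keyfile);
+@@ -96,61 +95,8 @@ read_pem_private_key(char *keyfile)
+return pkey;
+}
+-static int ui_read(UI *ui, UI_STRING *uis)
+-{
+- char password[128];
+-
+- if (UI_get_string_type(uis) != UIT_PROMPT)
+- return 0;
+-
+- EVP_read_pw_string(password, sizeof(password), "Enter engine key pass phrase:", 0);
+- UI_set_result(ui, uis, password);
+- return 1;
+-}
+-
+-static EVP_PKEY *
+-read_engine_private_key(char *engine, char *keyfile)
+-{
+- UI_METHOD *ui;
+- ENGINE *e;
+- EVP_PKEY *pkey = NULL;
+-
+- ENGINE_load_builtin_engines();
+- e = ENGINE_by_id(engine);
+-
+- if (!e) {
+- fprintf(stderr, "Failed to load engine: %s\n", engine);
+- ERR_print_errors_fp(stderr);
+- return NULL;
+- }
+-
+- ui = UI_create_method("sbsigntools");
+- if (!ui) {
+- fprintf(stderr, "Failed to create UI method\n");
+- ERR_print_errors_fp(stderr);
+- goto out_free;
+- }
+- UI_method_set_reader(ui, ui_read);
+-
+- if (!ENGINE_init(e)) {
+- fprintf(stderr, "Failed to initialize engine %s\n", engine);
+- ERR_print_errors_fp(stderr);
+- goto out_free;
+- }
+-
+- pkey = ENGINE_load_private_key(e, keyfile, ui, NULL);
+- ENGINE_finish(e);
+-
+- out_free:
+- ENGINE_free(e);
+- return pkey;
+-}
+-
+EVP_PKEY *
+-read_private_key(char *engine, char *keyfile)
++read_private_key(char *keyfile)
+{
+- if (engine)
+- return read_engine_private_key(engine, keyfile);
+- else
+- return read_pem_private_key(keyfile);
++ return read_pem_private_key(keyfile);
+}
+diff --git a/sign-efi-sig-list.c b/sign-efi-sig-list.c
+index 90f3d9f..109d28d 100644
+--- a/sign-efi-sig-list.c
++++ b/sign-efi-sig-list.c
+@@ -30,7 +30,7 @@
+static void
+usage(const char *progname)
+{
+- printf("Usage: %s [-r] [-m] [-a] [-g <guid>] [-o] [-t <timestamp>] [-i <infile>] [-c <crt file>] [-k <key file>] [-e <engine>] <var> <efi sig list file> <output file>\n", progname);
++ printf("Usage: %s [-r] [-m] [-a] [-g <guid>] [-o] [-t <timestamp>] [-i <infile>] [-c <crt file>] [-k <key file>] <var> <efi sig list file> <output file>\n", progname);
+}
+static void
+@@ -55,7 +55,6 @@ help(const char *progname)
+"\t-g <guid> Use <guid> as the signature owner GUID\n"
+"\t-c <crt> <crt> is the file containing the signing certificate in PEM format\n"
+"\t-k <key> <key> is the file containing the key for <crt> in PEM format\n"
+- "\t-e <engine> Use openssl engine <engine> for the private key\n"
+);
+}
+@@ -66,7 +65,6 @@ main(int argc, char *argv[])
+*str, *signedinput = NULL, *timestampstr = NULL;
+void *out;
+const char *progname = argv[0];
+- char *engine = NULL;
+unsigned char *sigbuf;
+int rsasig = 0, monotonic = 0, varlen, i, outputforsign = 0, outlen,
+sigsize;
+@@ -125,10 +123,6 @@ main(int argc, char *argv[])
+certfile = argv[2];
+argv += 2;
+argc -= 2;
+- } else if (strcmp("-e", argv[1]) == 0) {
+- engine = argv[2];
+- argv += 2;
+- argc -= 2;
+} else {
+break;
+}
+@@ -248,7 +242,7 @@ main(int argc, char *argv[])
+exit(1);
+}
+if (sign_efi_var(signbuf, signbuflen, keyfile, certfile,
+- &sigbuf, &sigsize, engine))
++ &sigbuf, &sigsize))
+exit(1);
+}
+printf("Signature of size %d\n", sigsize);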
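Review bot: With `-e`/`--engine` removed and `read_private_key()` reduced to `return read_pem_private_key(keyfile);` in lib/openssl_sign.c, the only key source left for sign-efi-sig-list and efi-updatevar is a PEM file on disk, and the patch adds no replacement for keys held on a token or HSM. For Secure Boot PK/KEK signing this pushes private keys onto the filesystem, so the patch description should say so and name the supported alternative; if hardware-held keys must keep working, a provider-based loader (for example OpenSSL's `OSSL_STORE_open()` with a key URI) could sit behind the unchanged `-k` option. A leftover `--engine <eng>` on an efi-updatevar command line now reaches the `/* unrecognised option */` branch, whose handling is outside the hunk, so it is worth confirming that this fails with a clear message rather than treating the engine name as a positional argument.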

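--- a/efitools.spec
+++ b/efitools.spec
@@ -0,0 +1,142 @@
+## START: Set by rpmautospec
+## (rpmautospec version 0.8.3)
+## RPMAUTOSPEC: autorelease, autochangelog
+%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
+release_number = 19;
+base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
+print(release_number + base_release_number - 1);
+}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
+## END: Set by rpmautospec
+Name: efitools
+Version: 1.9.2
+Release: %autorelease
+Summary: Tools to manipulate EFI secure boot keys and signatures
+License: GPL-2.0-only and LGPL-2.1-or-later and BSD-2-Clause
+# call-to-mktemp:
+# https://github.com/vathpela/efitools/issues/2
+URL: https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git
+Source0: %{url}/snapshot/%{name}-%{version}.tar.gz
+Patch1: makefile-enable-harden-local-files.patch
+Patch2: fix-deps.patch
+Patch3: allow-riscv64-build.patch
+Patch4: sbat-compat.patch
+Patch5: fix-ftbfs-lp2083030.patch
+Patch6: drop-engine-options.patch
+# same as gnu-efi
+ExclusiveArch: %{efi}
+BuildRequires: pkgconfig(openssl)
+BuildRequires: gcc
+BuildRequires: gnu-efi-devel
+BuildRequires: help2man
+BuildRequires: openssl
+BuildRequires: perl-File-Slurp
+BuildRequires: sbsigntools
+Requires: coreutils
+Requires: mtools
+Requires: parted
+Requires: util-linux
+Recommends: sbsigntools
+%description
+This package installs a variety of tools for manipulating keys and binary
+signatures on UEFI secure boot platforms. The tools provide access to the keys
+and certificates stored in the secure variables of the UEFI firmware, usually
+in the NVRAM area.
+%prep
+%autosetup -p1
+%build
+%set_build_flags
+%make_build
+%install
+%make_install DOCDIR=%{buildroot}%{_docdir}/%{name}/ CFLAGS="%{optflags}"
+rm -v %{buildroot}%{_docdir}/%{name}/COPYING
+%global efi_tool() \
+%{_bindir}/%{1}\
+%{_mandir}/man1/%{1}.1*
+%files
+%doc README
+%license COPYING
+%efi_tool cert-to-efi-hash-list
+%efi_tool cert-to-efi-sig-list
+%efi_tool efi-readvar
+%efi_tool efi-updatevar
+%efi_tool hash-to-efi-sig-list
+%efi_tool sig-list-to-certs
+%efi_tool sign-efi-sig-list
+%{_bindir}/flash-var
+%{_bindir}/efitool-mkusb
+%changelog
+## START: Generated by rpmautospec
+* Fri Jan 16 2026 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.2-19
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
+* Fri Aug 15 2025 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.9.2-17
+- Convert license tags to SPDX
+* Fri Aug 15 2025 Luca Boccassi <luca.boccassi@gmail.com> - 1.9.2-16
+- Fix build and reintroduce package
+- The build is fixed by importing patches from Ubuntu/SUSE
+- Patch to disable OpenSSL Engine support (deprecated in Fedora) is added
+* Fri Aug 15 2025 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.9.2-15
+- Drop %%{_isa} from Requires
+* Wed Jul 17 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.2-14
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.2-13
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.2-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.2-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.2-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+* Wed Dec 14 2022 Florian Weimer <fweimer@redhat.com> - 1.9.2-9
+- C99 port
+* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.2-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.2-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 1.9.2-6
+- Rebuilt with OpenSSL 3.0.0
+* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+* Sun Mar 07 2021 Vladislav Kazakov <vpackager@gmail.com> - 1.9.2-4
+- Fix incorrect build.
+* Sat Feb 06 2021 Vladislav Kazakov <vpackager@gmail.com> - 1.9.2-3
+- Add system flags to CFLAGS.
+- Remove i686 support.
+* Sun Jan 31 2021 Vladislav Kazakov <vpackager@gmail.com> - 1.9.2-2
+- Add BSD license.
+- Rename LGPLv2.1 to LGPLv2.
+- Add reference to issue about mktemp usage.
+* Sun Jan 17 2021 Vladislav Kazakov <vpackager@gmail.com> - 1.9.2-1
+- Initial SPEC release.
+## END: Generated by rpmautospec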
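Review bot: `Patch1` through `Patch6` carry no comment giving their origin or upstream status, although the changelog says they were imported from Ubuntu/SUSE and one of them (fix-ftbfs-lp2083030.patch) rewrites code that normally runs as root and changes the compiler flags. A one-line comment above each entry, such as `# From Ubuntu: https://bugs.launchpad.net/ubuntu/+source/efitools/+bug/2083030` for `Patch5`, makes the provenance auditable when the package is next rebased. The `# call-to-mktemp:` comment above `URL:` may also be stale, since that same patch's header says it removes the `mktemp` use; re-check it against the built binaries before keeping it.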

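--- a/fix-deps.patch
+++ b/fix-deps.patch
@@ -0,0 +1,15 @@
+Description: Fix a typo in the %-blacklist.esl rule
+This sometimes resulted in FTBFS.
+Author: Adrian Bunk <bunk@debian.org>
+--- efitools-1.9.2.orig/Make.rules
++++ efitools-1.9.2/Make.rules
+@@ -71,7 +71,7 @@ endif
+%.hash: %.efi hash-to-efi-sig-list
+./hash-to-efi-sig-list $< $@
+-%-blacklist.esl: %.crt cert-to-efi-hash-list
++%-blacklist.esl: %.crt cert-to-efi-sig-list
+./cert-to-efi-sig-list $< $@
+%-hash-blacklist.esl: %.crt cert-to-efi-hash-list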

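--- a/fix-ftbfs-lp2083030.patch
+++ b/fix-ftbfs-lp2083030.patch
@@ -0,0 +1,240 @@
+Description: Fix FTBFS
+- Remove redefintions of __STDC_VERSION__
+- Add _XOPEN_SOURCE=700 to expose some APIs being used
+- Remove dangerous usage of mktemp and sscanf
+- Use standard C types over non-standard aliases
+- Remove CFLAGS disabling mitigations
+- Stop building EFI binaries
+Author: Mate Kukri <mate.kukri@canonical.com>
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/efitools/+bug/2083030
+Last-Update: 2024-09-27
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/Make.rules
++++ b/Make.rules
+@@ -17,7 +17,7 @@
+endif
+INCDIR = -I$(TOPDIR)include/ -I/usr/include/efi -I/usr/include/efi/$(ARCH) -I/usr/include/efi/protocol
+CPPFLAGS = -DCONFIG_$(ARCH)
+-CFLAGS = -O2 -g $(ARCH3264) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -fno-stack-protector -ffreestanding -fno-stack-check
++CFLAGS = -O2 -g $(ARCH3264) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -D_XOPEN_SOURCE=700
+LDFLAGS = -nostdlib
+CRTOBJ = crt0-efi-$(ARCH).o
+CRTPATHS = /lib /lib64 /lib/efi /lib64/efi /usr/lib /usr/lib64 /usr/lib/efi /usr/lib64/efi /usr/lib/gnuefi /usr/lib64/gnuefi
+--- a/cert-to-efi-sig-list.c
++++ b/cert-to-efi-sig-list.c
+@@ -6,7 +6,6 @@
+#include <stdint.h>
+-#define __STDC_VERSION__ 199901L
+#include <efi.h>
+#ifdef CONFIG_arm
+/* FIXME:
+--- a/efi-keytool.c
++++ b/efi-keytool.c
+@@ -15,7 +15,6 @@
+#include <fcntl.h>
+#include <unistd.h>
+-#define __STDC_VERSION__ 199901L
+#include <efi.h>
+#include <kernel_efivars.h>
+--- a/efi-readvar.c
++++ b/efi-readvar.c
+@@ -17,7 +17,6 @@
+#include <openssl/x509.h>
+-#define __STDC_VERSION__ 199901L
+#include <efi.h>
+#include <kernel_efivars.h>
+--- a/efi-updatevar.c
++++ b/efi-updatevar.c
+@@ -11,6 +11,7 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
++#include <strings.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+@@ -20,7 +21,6 @@
+#include <openssl/err.h>
+#include <openssl/pem.h>
+-#define __STDC_VERSION__ 199901L
+#include <efi.h>
+#include <kernel_efivars.h>
+--- a/flash-var.c
++++ b/flash-var.c
+@@ -10,7 +10,6 @@
+#include <fcntl.h>
+#include <unistd.h>
+-#define __STDC_VERSION__ 199901L
+#include <efi.h>
+#include <version.h>
+--- a/hash-to-efi-sig-list.c
++++ b/hash-to-efi-sig-list.c
+@@ -4,7 +4,6 @@
+* see COPYING file
+*/
+#include <stdint.h>
+-#define __STDC_VERSION__ 199901L
+#include <efi.h>
+#ifdef CONFIG_arm
+/* FIXME:
+--- a/lib/kernel_efivars.c
++++ b/lib/kernel_efivars.c
+@@ -16,7 +16,6 @@
+#include <unistd.h>
+#include <time.h>
+-#define __STDC_VERSION__ 199901L
+#include <efi.h>
+#include <kernel_efivars.h>
+@@ -29,54 +28,39 @@
+void
+kernel_variable_init(void)
+{
+- char fname[] = "/tmp/efi.XXXXXX";
+- char cmdline[256];
+- int fd, ret;
+- struct stat st;
+- char *buf;
+-
+- if (kernel_efi_path)
+- return;
+- mktemp(fname);
+- snprintf(cmdline, sizeof(cmdline), "mount -l > %s", fname);
+- ret = system(cmdline);
+- if (WEXITSTATUS(ret) != 0)
+- /* hopefully stderr said what was wrong */
+- exit(1);
+- fd = open(fname, O_RDONLY);
+- unlink(fname);
+- if (fd < 0) {
+- fprintf(stderr, "Failed to open output of %s\n", cmdline);
+- exit(1);
+- }
+- if (fstat(fd, &st) < 0) {
+- perror("stat failed");
+- exit(1);
+- }
+- if (st.st_size == 0) {
+- fprintf(stderr, "No efivarfs filesystem is mounted\n");
++ FILE *mount_l_fp = NULL;
++ char *path = NULL;
++ char *type = NULL;
++
++ mount_l_fp = popen("mount -l", "r");
++
++ if (mount_l_fp == NULL) {
++ fprintf(stderr, "Failed to get output of mount -l\n");
+exit(1);
+}
+- buf = malloc(st.st_size);
+- read(fd, buf, st.st_size);
+- close(fd);
+-
+- char *ptr = buf;
+- char path[512], type[512];
+- while (ptr < buf + st.st_size) {
+- int count;
+-
+- sscanf(ptr, "%*s on %s type %s %*[^\n]\n%n", path, type, &count);
+- ptr += count;
+- if (strcmp(type, "efivarfs") == 0)
++
++ while (fscanf(mount_l_fp, "%*s on %ms type %ms %*[^\n]\n", &path, &type) == 2) {
++ if (strcmp(type, "efivarfs") == 0) {
++ kernel_efi_path = strdup(path);
+break;
++ }
++ free(path);
++ path = NULL;
++ free(type);
++ type = NULL;
+}
+- if (strcmp(type, "efivarfs") != 0) {
++
++ if (mount_l_fp != NULL)
++ pclose(mount_l_fp);
++ if (path != NULL)
++ free(path);
++ if (type != NULL)
++ free(type);
++
++ if (kernel_efi_path == NULL) {
+fprintf(stderr, "No efivarfs filesystem is mounted\n");
+exit(1);
+}
+- kernel_efi_path = malloc(strlen(path) + 1);
+- strcpy(kernel_efi_path, path);
+}
+int
+--- a/sig-list-to-certs.c
++++ b/sig-list-to-certs.c
+@@ -4,7 +4,6 @@
+* see COPYING file
+*/
+#include <stdint.h>
+-#define __STDC_VERSION__ 199901L
+#include <efi.h>
+#ifdef CONFIG_arm
+/* FIXME:
+--- a/sign-efi-sig-list.c
++++ b/sign-efi-sig-list.c
+@@ -4,7 +4,6 @@
+* see COPYING file
+*/
+#include <stdint.h>
+-#define __STDC_VERSION__ 199901L
+#include <efi.h>
+#ifdef CONFIG_arm
+/* FIXME:
+--- a/lib/asn1/oid.h
++++ b/lib/asn1/oid.h
+@@ -11,11 +11,11 @@
+#define OID_H_
+typedef struct {
+- u_char octet;
+- u_int next;
+- u_int down;
+- u_int level;
+- const u_char *name;
++ unsigned char octet;
++ unsigned int next;
++ unsigned int down;
++ unsigned int level;
++ const unsigned char *name;
+} oid_t;
+extern const oid_t oid_names[];
+--- a/Makefile
++++ b/Makefile
+@@ -30,15 +30,13 @@
+EFISIGNED = $(patsubst %.efi,%-signed.efi,$(EFIFILES))
+-all: $(EFISIGNED) $(BINARIES) $(MANPAGES) noPK.auth $(KEYAUTH) \
++all: $(BINARIES) $(MANPAGES) noPK.auth $(KEYAUTH) \
+$(KEYUPDATEAUTH) $(KEYBLACKLISTAUTH) $(KEYHASHBLACKLISTAUTH)
+install: all
+$(INSTALL) -m 755 -d $(MANDIR)
+$(INSTALL) -m 644 $(MANPAGES) $(MANDIR)
+- $(INSTALL) -m 755 -d $(EFIDIR)
+- $(INSTALL) -m 755 $(EFIFILES) $(EFIDIR)
+$(INSTALL) -m 755 -d $(BINDIR)
+$(INSTALL) -m 755 $(BINARIES) $(BINDIR)
+$(INSTALL) -m 755 mkusb.sh $(BINDIR)/efitool-mkusb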
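Review bot: In the lib/kernel_efivars.c hunk the rewritten `kernel_variable_init()` still locates efivarfs by running `mount -l` through `popen()`, which goes through the shell and resolves `mount` via PATH in tools that normally run as root, and it drops the old `if (kernel_efi_path) return;` guard, so a second call re-runs the command and leaks the earlier `strdup()` result. The `fscanf` loop also ends at the first line that does not match the pattern (a mount source or mount point containing a space would do that if `mount -l` prints it unescaped), so an efivarfs entry further down is never seen, and neither the `strdup()` result nor the `pclose()` status is checked. Reading the mount table with `setmntent()`/`getmntent()` from `<mntent.h>` removes both the subprocess and the hand-written parse. The sketch below keeps the existing error message and exit behaviour, and assumes the C library still declares these functions under the `-D_XOPEN_SOURCE=700` this patch adds.

```c
void
kernel_variable_init(void)
{
	struct mntent *ent;
	FILE *mounts;

	/* keep the original early return so repeated calls neither re-scan nor leak */
	if (kernel_efi_path)
		return;

	/* read the kernel's mount table directly; no shell, no PATH lookup */
	mounts = setmntent("/proc/self/mounts", "r");
	if (mounts == NULL) {
		perror("Failed to open /proc/self/mounts");
		exit(1);
	}

	while ((ent = getmntent(mounts)) != NULL) {
		if (strcmp(ent->mnt_type, "efivarfs") == 0) {
			kernel_efi_path = strdup(ent->mnt_dir);
			break;
		}
	}
	endmntent(mounts);

	if (kernel_efi_path == NULL) {
		fprintf(stderr, "No efivarfs filesystem is mounted\n");
		exit(1);
	}
}
```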


@ -0,0 +1,53 @@
--- a/Makefile
+++ b/Makefile
@@ -21,6 +21,9 @@ KEYUPDATEAUTH = $(ALLKEYS:=-update.auth)
KEYBLACKLISTAUTH = $(ALLKEYS:=-blacklist.auth)
KEYHASHBLACKLISTAUTH = $(ALLKEYS:=-hash-blacklist.auth)
+OLD_CFLAGS:=$(CFLAGS)
+OLD_LDFLAGS:=$(LDFLAGS)
+
export TOPDIR := $(shell pwd)/
include Make.rules
@@ -88,31 +91,31 @@ HelloWorld.so: lib/lib-efi.a
ShimReplace.so: lib/lib-efi.a
cert-to-efi-sig-list: cert-to-efi-sig-list.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto
+ $(CC) $(ARCH3264) -o $@ $< $(OLD_CFLAGS) $(OLD_LDFLAGS) lib/lib.a -lcrypto
sig-list-to-certs: sig-list-to-certs.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto
+ $(CC) $(ARCH3264) -o $@ $< $(OLD_CFLAGS) $(OLD_LDFLAGS) lib/lib.a -lcrypto
sign-efi-sig-list: sign-efi-sig-list.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto
+ $(CC) $(ARCH3264) -o $@ $< $(OLD_CFLAGS) $(OLD_LDFLAGS) lib/lib.a -lcrypto
hash-to-efi-sig-list: hash-to-efi-sig-list.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a
+ $(CC) $(ARCH3264) -o $@ $< $(OLD_CFLAGS) $(OLD_LDFLAGS) lib/lib.a
cert-to-efi-hash-list: cert-to-efi-hash-list.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto
+ $(CC) $(ARCH3264) -o $@ $< $(OLD_CFLAGS) $(OLD_LDFLAGS) lib/lib.a -lcrypto
efi-keytool: efi-keytool.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a
+ $(CC) $(ARCH3264) -o $@ $< $(OLD_CFLAGS) $(OLD_LDFLAGS) lib/lib.a
efi-readvar: efi-readvar.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto
+ $(CC) $(ARCH3264) -o $@ $< $(OLD_CFLAGS) $(OLD_LDFLAGS) lib/lib.a -lcrypto
efi-updatevar: efi-updatevar.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto
+ $(CC) $(ARCH3264) -o $@ $< $(OLD_CFLAGS) $(OLD_LDFLAGS) lib/lib.a -lcrypto
flash-var: flash-var.o lib/lib.a
- $(CC) $(ARCH3264) -o $@ $< lib/lib.a
+ $(CC) $(ARCH3264) -o $@ $< $(OLD_CFLAGS) $(OLD_LDFLAGS) lib/lib.a
clean:
rm -f PK.* KEK.* DB.* $(EFIFILES) $(EFISIGNED) $(BINARIES) *.o *.so
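Review bot: `OLD_CFLAGS` and `OLD_LDFLAGS` are captured before `include Make.rules` and then added only to the link recipes, so the distribution's hardening flags reach the final link but apparently not the compilation of the `.o` files, which is where stack protection and `_FORTIFY_SOURCE` take effect. Make.rules assigns `CFLAGS = -O2 -g ...` itself (visible in the other patches of this commit), which replaces a value inherited from the environment; the object rules are outside this hunk, so this needs confirming against a build log. If it holds, appending the saved value for the host tools after that assignment, e.g. `CFLAGS += $(OLD_CFLAGS)`, would apply the flags at compile time as well.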

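--- a/sbat-compat.patch
+++ b/sbat-compat.patch
@@ -0,0 +1,84 @@
+diff --git a/include/pecoff.h b/include/pecoff.h
+index 537d134..6ac57d1 100644
+--- a/include/pecoff.h
++++ b/include/pecoff.h
+@@ -1,7 +1,8 @@
+#include <PeImage.h>
+EFI_STATUS
+-pecoff_read_header(PE_COFF_LOADER_IMAGE_CONTEXT *context, void *data);
++pecoff_read_header(PE_COFF_LOADER_IMAGE_CONTEXT *context, void *data,
++ UINTN size);
+EFI_STATUS
+pecoff_relocate(PE_COFF_LOADER_IMAGE_CONTEXT *context, void **data);
+EFI_STATUS
+diff --git a/lib/pecoff.c b/lib/pecoff.c
+index 26d9dcf..96878b9 100644
+--- a/lib/pecoff.c
++++ b/lib/pecoff.c
+@@ -69,7 +69,7 @@
+#include <buildefi.h>
+EFI_STATUS
+-pecoff_read_header(PE_COFF_LOADER_IMAGE_CONTEXT *context, void *data)
++pecoff_read_header(PE_COFF_LOADER_IMAGE_CONTEXT *context, void *data, UINTN size)
+{
+EFI_IMAGE_DOS_HEADER *DosHdr = data;
+EFI_IMAGE_OPTIONAL_HEADER_UNION *PEHdr = data;
+@@ -116,7 +116,7 @@ pecoff_read_header(PE_COFF_LOADER_IMAGE_CONTEXT *context, void *data)
+context->NumberOfSections = PEHdr->Pe32.FileHeader.NumberOfSections;
+context->FirstSection = (EFI_IMAGE_SECTION_HEADER *)((char *)PEHdr + PEHdr->Pe32.FileHeader.SizeOfOptionalHeader + sizeof(UINT32) + sizeof(EFI_IMAGE_FILE_HEADER));
+- if (context->SecDir->VirtualAddress >= context->ImageSize) {
++ if (context->SecDir->VirtualAddress >= size) {
+Print(L"Malformed security header\n");
+return EFI_INVALID_PARAMETER;
+}
+@@ -404,7 +404,7 @@ pecoff_execute_image(EFI_FILE *file, CHAR16 *name, EFI_HANDLE image,
+}
+Print(L"Read %d bytes from %s\n", DataSize, name);
+- efi_status = pecoff_read_header(&context, buffer);
++ efi_status = pecoff_read_header(&context, buffer, DataSize);
+if (efi_status != EFI_SUCCESS) {
+Print(L"Failed to read header\n");
+goto out;
+diff --git a/lib/pkcs7verify.c b/lib/pkcs7verify.c
+index 06701fd..2bdadbe 100644
+--- a/lib/pkcs7verify.c
++++ b/lib/pkcs7verify.c
+@@ -172,7 +172,7 @@ pkcs7verify_allow(VOID *data, UINTN len)
+EFI_STATUS status;
+int i;
+- status = pecoff_read_header(&context, data);
++ status = pecoff_read_header(&context, data, len);
+if (status != EFI_SUCCESS)
+goto out;
+diff --git a/lib/sha256.c b/lib/sha256.c
+index 180fa16..9ca1c21 100644
+--- a/lib/sha256.c
++++ b/lib/sha256.c
+@@ -290,7 +290,7 @@ sha256_get_pecoff_digest_mem(void *buffer, UINTN DataSize,
+* filled to the end of the page */
+DataSize = ALIGN_VALUE(DataSize, 8);
+- efi_status = pecoff_read_header(&context, buffer);
++ efi_status = pecoff_read_header(&context, buffer, DataSize);
+if (efi_status != EFI_SUCCESS) {
+Print(L"Failed to read header\n");
+return efi_status;
+diff --git a/lib/shim_protocol.c b/lib/shim_protocol.c
+index a735aa1..9ef4a20 100644
+--- a/lib/shim_protocol.c
++++ b/lib/shim_protocol.c
+@@ -13,7 +13,7 @@
+static EFI_STATUS shimprotocol_context(void *data, unsigned int size,
+PE_COFF_LOADER_IMAGE_CONTEXT *context)
+{
+- return pecoff_read_header(context, data);
++ return pecoff_read_header(context, data, size);
+}
+static EFI_STATUS shimprotocol_verify(void *buffer, UINT32 size)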
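Review bot: The new bound in `pecoff_read_header()` (lib/pecoff.c) checks only where the security directory starts: `context->SecDir->VirtualAddress >= size` rejects an offset at or past the end of the buffer, but a directory that begins inside the buffer and whose `Size` runs beyond it still passes. Consider bounding the extent as well, e.g. `if (context->SecDir->VirtualAddress >= size || context->SecDir->Size > size - context->SecDir->VirtualAddress)`. In lib/sha256.c the value passed is `DataSize` after `ALIGN_VALUE(DataSize, 8)`, so the limit can be up to 7 bytes larger than what was actually read unless the buffer is padded, as the truncated comment there seems to say. The header fields dereferenced earlier in `pecoff_read_header()` lie outside the hunk, so whether they are also checked against `size` cannot be confirmed from this page.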

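--- a/sources
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (efitools-1.9.2.tar.gz) = 77e0ad7e865814ed388ff6daabe0f4b49ba51672bf2cbb98b7905e209cbd28f9ede2f73213ce45af8a978c1e67dba24ec88a1188661317cc22317b47e575cde8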