diff --git a/.efitools.metadata b/.efitools.metadata deleted file mode 100644 index 991ce64..0000000 --- a/.efitools.metadata +++ /dev/null @@ -1 +0,0 @@ -eb06da832e02ca4a6afeefb89c015ee566961c58 SOURCES/efitools-1.9.2.tar.gz diff --git a/.gitignore b/.gitignore index 6563af7..9a87adf 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/efitools-1.9.2.tar.gz +efitools-1.9.2.tar.gz diff --git a/SOURCES/efitools-c99-1.patch b/SOURCES/efitools-c99-1.patch deleted file mode 100644 index 5d36fdd..0000000 --- a/SOURCES/efitools-c99-1.patch +++ /dev/null @@ -1,24 +0,0 @@ -Define _GNU_SOURCE for a declaration of strptime - -This is needed for compatibility with future C compilers which reject -implicit function declarations by default. Without _GNU_SOURCE (or a -similar feature test macro), does not declare the strptime -function, and compilation can fail. - -Submitted upstream: - - - -diff --git a/Make.rules b/Make.rules -index 903a5a4..d4de1ef 100644 ---- a/Make.rules -+++ b/Make.rules -@@ -14,7 +14,7 @@ else - $(error unknown architecture $(ARCH)) - endif - INCDIR = -I$(TOPDIR)include/ -I/usr/include/efi -I/usr/include/efi/$(ARCH) -I/usr/include/efi/protocol --CPPFLAGS = -DCONFIG_$(ARCH) -+CPPFLAGS = -DCONFIG_$(ARCH) -D_GNU_SOURCE - CFLAGS = -O2 -g $(ARCH3264) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -fno-stack-protector -ffreestanding -fno-stack-check - LDFLAGS = -nostdlib - CRTOBJ = crt0-efi-$(ARCH).o diff --git a/SOURCES/efitools-c99-2.patch b/SOURCES/efitools-c99-2.patch deleted file mode 100644 index 021732c..0000000 --- a/SOURCES/efitools-c99-2.patch +++ /dev/null 
@@ -1,21 +0,0 @@ -Include for the strcasecmp function - -Otherwise, an implicit function declaration is the result, and the -code may fail to compile with future compilers. - -Submitted upstream: - - - -diff --git a/efi-updatevar.c b/efi-updatevar.c -index 4247105..033d938 100644 ---- a/efi-updatevar.c -+++ b/efi-updatevar.c -@@ -11,6 +11,7 @@ - #include - #include - #include -+#include - #include - #include - #include diff --git a/SOURCES/efitools-riscv64.patch b/SOURCES/efitools-riscv64.patch deleted file mode 100644 index b98c138..0000000 --- a/SOURCES/efitools-riscv64.patch +++ /dev/null @@ -1,45 +0,0 @@ -We can use just the same flags as for aarch64. - -Signed-off-by: Heinrich Schuchardt ---- -RISC-V patches for gnu-efi are not yet accepted in upstream. Cf. - -[Gnu-efi-discuss] [PATCH 1/1] Initial support for RISCV64 -https://sourceforge.net/p/gnu-efi/mailman/gnu-efi-discuss/thread/20210401153553.103286-1-xypron.glpk%40gmx.de/#msg37253360 -[Gnu-efi-discuss] [PATCH 1/1] Undefined Status in LibGetVariableAndSize() -https://sourceforge.net/p/gnu-efi/mailman/gnu-efi-discuss/thread/20210319162557.334645-1-xypron.glpk%40gmx.de/#msg37243995 - -You can use -https://github.com/xypron/gnu-efi/releases/tag/riscv64-2021-04-01 for -building sbsigntools and efitools. ---- - Make.rules | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/Make.rules b/Make.rules -index 903a5a4..69bd3bd 100644 ---- a/Make.rules -+++ b/Make.rules -@@ -10,6 +10,8 @@ else ifeq ($(ARCH),aarch64) - ARCH3264 = - else ifeq ($(ARCH),arm) - ARCH3264 = -+else ifeq ($(ARCH),riscv64) -+ARCH3264 = - else - $(error unknown architecture $(ARCH)) - endif -@@ -56,6 +58,11 @@ ifeq ($(ARCH),aarch64) - FORMAT = -O binary - endif - -+ifeq ($(ARCH),riscv64) -+ LDFLAGS += --defsym=EFI_SUBSYSTEM=0x0a -+ FORMAT = -O binary -+endif -+ - %.efi: %.so - $(OBJCOPY) -j .text -j .sdata -j .data -j .dynamic -j .dynsym \ - -j .rel -j .rela -j .rel.* -j .rela.* -j .rel* -j .rela* \ --- -2.30.2 
diff --git a/SPECS/efitools.spec b/SPECS/efitools.spec
deleted file mode 100644
index ddc2aea..0000000
--- a/SPECS/efitools.spec
+++ /dev/null
@@ -1,97 +0,0 @@ -Name: efitools -Version: 1.9.2 -Release: 9%{?dist} -Summary: Tools to manipulate EFI secure boot keys and signatures -License: GPLv2 and LGPLv2 and BSD - -# call-to-mktemp: -# https://github.com/vathpela/efitools/issues/2 -URL: https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git -Source0: %{url}/snapshot/%{name}-%{version}.tar.gz -Patch1: efitools-c99-1.patch -Patch2: efitools-c99-2.patch -Patch3: efitools-riscv64.patch - -# same as gnu-efi -ExclusiveArch: %{efi} - -BuildRequires: pkgconfig(openssl) - -BuildRequires: gcc -BuildRequires: gnu-efi-devel -BuildRequires: help2man -BuildRequires: openssl -BuildRequires: perl-File-Slurp -BuildRequires: sbsigntools - -Requires: coreutils%{_isa} -Requires: mtools%{_isa} -Requires: parted%{_isa} -Requires: util-linux%{_isa} -Recommends: sbsigntools%{_isa} - -%description -This package installs a variety of tools for manipulating keys and binary -signatures on UEFI secure boot platforms. -The tools provide access to the keys and certificates stored in the -secure variables of the UEFI firmware, usually in the NVRAM area. 
- -%prep -%autosetup -p1 - -%build -%set_build_flags -%__make -O - -%install -%make_install DOCDIR=%{buildroot}%{_docdir}/%{name}/ CFLAGS="%{optflags}" - -rm -v %{buildroot}%{_docdir}/%{name}/COPYING - -%files -%doc README -%license COPYING - -%{_datadir}/%{name}/ -%{_mandir}/man1/*.1.* - -%{_bindir}/cert-to-efi-hash-list -%{_bindir}/cert-to-efi-sig-list -%{_bindir}/efi-readvar -%{_bindir}/efi-updatevar -%{_bindir}/efitool-mkusb -%{_bindir}/flash-var -%{_bindir}/hash-to-efi-sig-list -%{_bindir}/sig-list-to-certs -%{_bindir}/sign-efi-sig-list - -%changelog -* Wed Dec 14 2022 Florian Weimer - 1.9.2-9 -- C99 port - -* Thu Jul 21 2022 Fedora Release Engineering - 1.9.2-8 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - -* Thu Jan 20 2022 Fedora Release Engineering - 1.9.2-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - -* Tue Sep 14 2021 Sahana Prasad - 1.9.2-6 -- Rebuilt with OpenSSL 3.0.0 - -* Wed Jul 21 2021 Fedora Release Engineering - 1.9.2-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Sun Mar 07 2021 Vladislav Kazakov - 1.9.2-4 -- Fix incorrect build. - -* Sat Feb 06 2021 Vladislav Kazakov - 1.9.2-3 -- Add system flags to CFLAGS. -- Remove i686 support. - -* Sun Jan 31 2021 Vladislav Kazakov - 1.9.2-2 -- Add BSD license. -- Rename LGPLv2.1 to LGPLv2. -- Add reference to issue about mktemp usage. - -* Sun Jan 17 2021 Vladislav Kazakov - 1.9.2-1 -- Initial SPEC release. diff --git a/allow-riscv64-build.patch b/allow-riscv64-build.patch new file mode 100644 index 0000000..1f8ca90 --- /dev/null +++ b/allow-riscv64-build.patch 
@@ -0,0 +1,23 @@
+--- a/Make.rules
++++ b/Make.rules
+@@ -8,6 +8,8 @@
+ ARCH3264 =
+ else ifeq ($(ARCH),aarch64)
+ ARCH3264 =
++else ifeq ($(ARCH),riscv64)
++ARCH3264 =
+ else ifeq ($(ARCH),arm)
+ ARCH3264 =
+ else
+@@ -55,6 +57,11 @@
+ LDFLAGS += --defsym=EFI_SUBSYSTEM=0x0a
+ FORMAT = -O binary
+ endif
++
++ifeq ($(ARCH),riscv64)
++ LDFLAGS += --defsym=EFI_SUBSYSTEM=0x0a
++ FORMAT = -O binary
++endif
+
+ %.efi: %.so
+ $(OBJCOPY) -j .text -j .sdata -j .data -j .dynamic -j .dynsym \
diff --git a/drop-engine-options.patch b/drop-engine-options.patch
new file mode 100644
index 0000000..5775716
--- /dev/null
+++ b/drop-engine-options.patch
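Review bot: allow-riscv64-build.patch carries no header recording where it comes from, whereas the `SOURCES/efitools-riscv64.patch` it replaces kept the author's Signed-off-by and the upstream gnu-efi discussion links. A short DEP-3 style header, for example `Description: Allow building for riscv64 using the same flags as aarch64` followed by `Origin:` and `Forwarded:` lines, would keep that provenance with the patch now that the old file is deleted. The riscv64 block it adds to Make.rules duplicates the aarch64 `LDFLAGS`/`FORMAT` settings verbatim, which is worth stating in that header so the next updater knows the two blocks are meant to stay in sync.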
@@ -0,0 +1,212 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Tue, 10 Jun 2025 22:30:24 +0100 +Subject: [PATCH] Drop engine options + +OpenSSL engines are deprecated in Fedora, remove support +--- + efi-updatevar.c | 8 +----- + include/openssl_sign.h | 4 +-- + lib/openssl_sign.c | 62 +++--------------------------------------- + sign-efi-sig-list.c | 10 ++----- + 4 files changed, 9 insertions(+), 75 deletions(-) + +diff --git a/efi-updatevar.c b/efi-updatevar.c +index f9375de..77f3d29 100644 +--- a/efi-updatevar.c ++++ b/efi-updatevar.c +@@ -52,7 +52,6 @@ help(const char *progname) + "\t-g \tOptional for the X509 Certificate\n" + "\t-k \tSecret key file for authorising User Mode updates\n" + "\t-d [-]\tDelete the signature list (or just a single within the list)\n" +- "\t--engine \tUse engine for private key\n" + ); + } + +@@ -61,7 +60,6 @@ main(int argc, char *argv[]) + { + char *variables[] = { "PK", "KEK", "db", "dbx" }; + char *signedby[] = { "PK", "PK", "KEK", "KEK" }; +- char *engine = NULL; + EFI_GUID *owners[] = { &GV_GUID, &GV_GUID, &SIG_DB, &SIG_DB }; + EFI_GUID *owner, guid = MOK_OWNER; + int i, esl_mode = 0, fd, ret, delsig = -1, delentry = -1; +@@ -116,10 +114,6 @@ main(int argc, char *argv[]) + sscanf(argv[2], "%d-%d", &delsig, &delentry); + argv += 2; + argc -= 2; +- } else if (strcmp(argv[1], "--engine") == 0) { +- engine = argv[2]; +- argv += 2; +- argc -= 2; + } else { + /* unrecognised option */ + break; +@@ -286,7 +280,7 @@ main(int argc, char *argv[]) + fprintf(stderr, "Can't update variable%s without a key\n", variable_is_setupmode() ? 
"" : " in User Mode"); + exit(1); + } +- EVP_PKEY *pkey = read_private_key(engine, key_file); ++ EVP_PKEY *pkey = read_private_key(key_file); + if (!pkey) { + fprintf(stderr, "error reading private key %s\n", key_file); + exit(1); +diff --git a/include/openssl_sign.h b/include/openssl_sign.h +index 136ad75..f067565 100644 +--- a/include/openssl_sign.h ++++ b/include/openssl_sign.h +@@ -2,9 +2,9 @@ + + int + sign_efi_var(char *payload, int payload_size, char *keyfile, char *certfile, +- unsigned char **sig, int *sigsize, char *engine); ++ unsigned char **sig, int *sigsize); + int + sign_efi_var_ssl(char *payload, int payload_size, EVP_PKEY *pkey, X509 *cert, + unsigned char **sig, int *sigsize); + EVP_PKEY * +-read_private_key(char *engine, char *keyfile); ++read_private_key(char *keyfile); +diff --git a/lib/openssl_sign.c b/lib/openssl_sign.c +index 714ce1a..c1e8dc2 100644 +--- a/lib/openssl_sign.c ++++ b/lib/openssl_sign.c +@@ -7,7 +7,6 @@ + #include + #include + #include +-#include + + #include + +@@ -33,7 +32,7 @@ sign_efi_var_ssl(char *payload, int payload_size, EVP_PKEY *pkey, X509 *cert, + + int + sign_efi_var(char *payload, int payload_size, char *keyfile, char *certfile, +- unsigned char **sig, int *sigsize, char *engine) ++ unsigned char **sig, int *sigsize) + { + int ret; + +@@ -60,7 +59,7 @@ sign_efi_var(char *payload, int payload_size, char *keyfile, char *certfile, + return 1; + } + +- EVP_PKEY *pkey = read_private_key(engine, keyfile); ++ EVP_PKEY *pkey = read_private_key(keyfile); + if (!pkey) { + ERR_print_errors_fp(stdout); + fprintf(stderr, "error reading private key %s\n", keyfile); +@@ -96,61 +95,8 @@ read_pem_private_key(char *keyfile) + return pkey; + } + +-static int ui_read(UI *ui, UI_STRING *uis) +-{ +- char password[128]; +- +- if (UI_get_string_type(uis) != UIT_PROMPT) +- return 0; +- +- EVP_read_pw_string(password, sizeof(password), "Enter engine key pass phrase:", 0); +- UI_set_result(ui, uis, password); +- return 1; +-} +- +-static 
EVP_PKEY * +-read_engine_private_key(char *engine, char *keyfile) +-{ +- UI_METHOD *ui; +- ENGINE *e; +- EVP_PKEY *pkey = NULL; +- +- ENGINE_load_builtin_engines(); +- e = ENGINE_by_id(engine); +- +- if (!e) { +- fprintf(stderr, "Failed to load engine: %s\n", engine); +- ERR_print_errors_fp(stderr); +- return NULL; +- } +- +- ui = UI_create_method("sbsigntools"); +- if (!ui) { +- fprintf(stderr, "Failed to create UI method\n"); +- ERR_print_errors_fp(stderr); +- goto out_free; +- } +- UI_method_set_reader(ui, ui_read); +- +- if (!ENGINE_init(e)) { +- fprintf(stderr, "Failed to initialize engine %s\n", engine); +- ERR_print_errors_fp(stderr); +- goto out_free; +- } +- +- pkey = ENGINE_load_private_key(e, keyfile, ui, NULL); +- ENGINE_finish(e); +- +- out_free: +- ENGINE_free(e); +- return pkey; +-} +- + EVP_PKEY * +-read_private_key(char *engine, char *keyfile) ++read_private_key(char *keyfile) + { +- if (engine) +- return read_engine_private_key(engine, keyfile); +- else +- return read_pem_private_key(keyfile); ++ return read_pem_private_key(keyfile); + } +diff --git a/sign-efi-sig-list.c b/sign-efi-sig-list.c +index 90f3d9f..109d28d 100644 +--- a/sign-efi-sig-list.c ++++ b/sign-efi-sig-list.c +@@ -30,7 +30,7 @@ + static void + usage(const char *progname) + { +- printf("Usage: %s [-r] [-m] [-a] [-g ] [-o] [-t ] [-i ] [-c ] [-k ] [-e ] \n", progname); ++ printf("Usage: %s [-r] [-m] [-a] [-g ] [-o] [-t ] [-i ] [-c ] [-k ] \n", progname); + } + + static void +@@ -55,7 +55,6 @@ help(const char *progname) + "\t-g Use as the signature owner GUID\n" + "\t-c is the file containing the signing certificate in PEM format\n" + "\t-k is the file containing the key for in PEM format\n" +- "\t-e Use openssl engine for the private key\n" + ); + } + +@@ -66,7 +65,6 @@ main(int argc, char *argv[]) + *str, *signedinput = NULL, *timestampstr = NULL; + void *out; + const char *progname = argv[0]; +- char *engine = NULL; + unsigned char *sigbuf; + int rsasig = 0, monotonic = 0, varlen, 
i, outputforsign = 0, outlen, + sigsize; +@@ -125,10 +123,6 @@ main(int argc, char *argv[]) + certfile = argv[2]; + argv += 2; + argc -= 2; +- } else if (strcmp("-e", argv[1]) == 0) { +- engine = argv[2]; +- argv += 2; +- argc -= 2; + } else { + break; + } +@@ -248,7 +242,7 @@ main(int argc, char *argv[]) + exit(1); + } + if (sign_efi_var(signbuf, signbuflen, keyfile, certfile, +- &sigbuf, &sigsize, engine)) ++ &sigbuf, &sigsize)) + exit(1); + } + printf("Signature of size %d\n", sigsize); diff --git a/efitools.spec b/efitools.spec new file mode 100644 index 0000000..6d50f80 --- /dev/null +++ b/efitools.spec 
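Review bot: `read_private_key()` in lib/openssl_sign.c is now a one-line forward to `read_pem_private_key()`, but neither the prototype in include/openssl_sign.h nor the definition says what the remaining parameter accepts; a comment on the prototype such as `/* Load a PEM-encoded private key from keyfile; returns NULL on failure. Engine-backed keys are no longer supported. */` would tell callers what changed. Since `keyfile` is only read, `read_private_key(const char *keyfile)` would be the stricter signature, and the same applies to `keyfile` and `certfile` in `sign_efi_var`. The removed `ui_read` helper collected the engine passphrase into an unscrubbed 128-byte stack buffer, so deleting it also retires that concern and needs no follow-up. Both `--engine` (efi-updatevar.c) and `-e` (sign-efi-sig-list.c) now fall through to the generic unrecognised-option path; if existing scripts are expected to pass them, a dedicated `fprintf(stderr, "%s: engine support has been removed\n", argv[1]);` before the generic `break` would make the failure self-explaining.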
@@ -0,0 +1,142 @@ +## START: Set by rpmautospec +## (rpmautospec version 0.8.3) +## RPMAUTOSPEC: autorelease, autochangelog +%define autorelease(e:s:pb:n) %{?-p:0.}%{lua: + release_number = 19; + base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}")); + print(release_number + base_release_number - 1); +}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}} +## END: Set by rpmautospec + +Name: efitools +Version: 1.9.2 +Release: %autorelease +Summary: Tools to manipulate EFI secure boot keys and signatures +License: GPL-2.0-only and LGPL-2.1-or-later and BSD-2-Clause + +# call-to-mktemp: +# https://github.com/vathpela/efitools/issues/2 +URL: https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git +Source0: %{url}/snapshot/%{name}-%{version}.tar.gz +Patch1: makefile-enable-harden-local-files.patch +Patch2: fix-deps.patch +Patch3: allow-riscv64-build.patch +Patch4: sbat-compat.patch +Patch5: fix-ftbfs-lp2083030.patch +Patch6: drop-engine-options.patch + +# same as gnu-efi +ExclusiveArch: %{efi} + +BuildRequires: pkgconfig(openssl) + +BuildRequires: gcc +BuildRequires: gnu-efi-devel +BuildRequires: help2man +BuildRequires: openssl +BuildRequires: perl-File-Slurp +BuildRequires: sbsigntools + +Requires: coreutils +Requires: mtools +Requires: parted +Requires: util-linux +Recommends: sbsigntools + +%description +This package installs a variety of tools for manipulating keys and binary +signatures on UEFI secure boot platforms. The tools provide access to the keys +and certificates stored in the secure variables of the UEFI firmware, usually +in the NVRAM area. 
+ +%prep +%autosetup -p1 + +%build +%set_build_flags +%make_build + +%install +%make_install DOCDIR=%{buildroot}%{_docdir}/%{name}/ CFLAGS="%{optflags}" + +rm -v %{buildroot}%{_docdir}/%{name}/COPYING + +%global efi_tool() \ +%{_bindir}/%{1}\ +%{_mandir}/man1/%{1}.1* + +%files +%doc README +%license COPYING +%efi_tool cert-to-efi-hash-list +%efi_tool cert-to-efi-sig-list +%efi_tool efi-readvar +%efi_tool efi-updatevar +%efi_tool hash-to-efi-sig-list +%efi_tool sig-list-to-certs +%efi_tool sign-efi-sig-list +%{_bindir}/flash-var +%{_bindir}/efitool-mkusb + +%changelog +## START: Generated by rpmautospec +* Fri Jan 16 2026 Fedora Release Engineering - 1.9.2-19 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild + +* Fri Aug 15 2025 Zbigniew Jędrzejewski-Szmek - 1.9.2-17 +- Convert license tags to SPDX + +* Fri Aug 15 2025 Luca Boccassi - 1.9.2-16 +- Fix build and reintroduce package +- The build is fixed by importing patches from Ubuntu/SUSE +- Patch to disable OpenSSL Engine support (deprecated in Fedora) is added + +* Fri Aug 15 2025 Zbigniew Jędrzejewski-Szmek - 1.9.2-15 +- Drop %%{_isa} from Requires + +* Wed Jul 17 2024 Fedora Release Engineering - 1.9.2-14 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + +* Wed Jan 24 2024 Fedora Release Engineering - 1.9.2-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Fri Jan 19 2024 Fedora Release Engineering - 1.9.2-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Wed Jul 19 2023 Fedora Release Engineering - 1.9.2-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Thu Jan 19 2023 Fedora Release Engineering - 1.9.2-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Wed Dec 14 2022 Florian Weimer - 1.9.2-9 +- C99 port + +* Thu Jul 21 2022 Fedora Release Engineering - 1.9.2-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Thu Jan 20 2022 Fedora Release 
Engineering - 1.9.2-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Tue Sep 14 2021 Sahana Prasad - 1.9.2-6
+- Rebuilt with OpenSSL 3.0.0
+
+* Wed Jul 21 2021 Fedora Release Engineering - 1.9.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Sun Mar 07 2021 Vladislav Kazakov - 1.9.2-4
+- Fix incorrect build.
+
+* Sat Feb 06 2021 Vladislav Kazakov - 1.9.2-3
+- Add system flags to CFLAGS.
+- Remove i686 support.
+
+* Sun Jan 31 2021 Vladislav Kazakov - 1.9.2-2
+- Add BSD license.
+- Rename LGPLv2.1 to LGPLv2.
+- Add reference to issue about mktemp usage.
+
+* Sun Jan 17 2021 Vladislav Kazakov - 1.9.2-1
+- Initial SPEC release.
+
+## END: Generated by rpmautospec
diff --git a/fix-deps.patch b/fix-deps.patch
new file mode 100644
index 0000000..501421a
--- /dev/null
+++ b/fix-deps.patch
@@ -0,0 +1,15 @@
+Description: Fix a typo in the %-blacklist.esl rule
+ This sometimes resulted in FTBFS.
+Author: Adrian Bunk
+
+--- efitools-1.9.2.orig/Make.rules
++++ efitools-1.9.2/Make.rules
+@@ -71,7 +71,7 @@ endif
+ %.hash: %.efi hash-to-efi-sig-list
+ ./hash-to-efi-sig-list $< $@
+
+-%-blacklist.esl: %.crt cert-to-efi-hash-list
++%-blacklist.esl: %.crt cert-to-efi-sig-list
+ ./cert-to-efi-sig-list $< $@
+
+ %-hash-blacklist.esl: %.crt cert-to-efi-hash-list
diff --git a/fix-ftbfs-lp2083030.patch b/fix-ftbfs-lp2083030.patch
new file mode 100644
index 0000000..c6537d9
--- /dev/null
+++ b/fix-ftbfs-lp2083030.patch
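Review bot: The `# call-to-mktemp:` / `# https://github.com/vathpela/efitools/issues/2` comment above `URL:` in efitools.spec is now stale: Patch5 (`fix-ftbfs-lp2083030.patch`, whose header on this page says it removes the mktemp and sscanf usage in lib/kernel_efivars.c) addresses exactly that issue, so the comment reads as an open problem when it no longer is. Suggest `# call-to-mktemp (https://github.com/vathpela/efitools/issues/2) is fixed by Patch5`. The license tag also moves from `LGPLv2` to `LGPL-2.1-or-later`; if I recall the old Fedora short names correctly, `LGPLv2` denoted the version-2-only variant and `LGPLv2+` the or-later one, so it is worth confirming against the source headers that or-later is what the code actually carries before the SPDX conversion is taken as equivalent.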
@@ -0,0 +1,240 @@ +Description: Fix FTBFS + - Remove redefintions of __STDC_VERSION__ + - Add _XOPEN_SOURCE=700 to expose some APIs being used + - Remove dangerous usage of mktemp and sscanf + - Use standard C types over non-standard aliases + - Remove CFLAGS disabling mitigations + - Stop building EFI binaries +Author: Mate Kukri +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/efitools/+bug/2083030 +Last-Update: 2024-09-27 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/Make.rules ++++ b/Make.rules +@@ -17,7 +17,7 @@ + endif + INCDIR = -I$(TOPDIR)include/ -I/usr/include/efi -I/usr/include/efi/$(ARCH) -I/usr/include/efi/protocol + CPPFLAGS = -DCONFIG_$(ARCH) +-CFLAGS = -O2 -g $(ARCH3264) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -fno-stack-protector -ffreestanding -fno-stack-check ++CFLAGS = -O2 -g $(ARCH3264) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants -D_XOPEN_SOURCE=700 + LDFLAGS = -nostdlib + CRTOBJ = crt0-efi-$(ARCH).o + CRTPATHS = /lib /lib64 /lib/efi /lib64/efi /usr/lib /usr/lib64 /usr/lib/efi /usr/lib64/efi /usr/lib/gnuefi /usr/lib64/gnuefi +--- a/cert-to-efi-sig-list.c ++++ b/cert-to-efi-sig-list.c +@@ -6,7 +6,6 @@ + + + #include +-#define __STDC_VERSION__ 199901L + #include + #ifdef CONFIG_arm + /* FIXME: +--- a/efi-keytool.c ++++ b/efi-keytool.c +@@ -15,7 +15,6 @@ + #include + #include + +-#define __STDC_VERSION__ 199901L + #include + + #include +--- a/efi-readvar.c ++++ b/efi-readvar.c +@@ -17,7 +17,6 @@ + + #include + +-#define __STDC_VERSION__ 199901L + #include + + #include +--- a/efi-updatevar.c ++++ b/efi-updatevar.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -20,7 +21,6 @@ + #include + #include + +-#define __STDC_VERSION__ 199901L + #include + + #include +--- a/flash-var.c ++++ b/flash-var.c +@@ -10,7 +10,6 @@ + #include + #include + +-#define __STDC_VERSION__ 199901L + #include + + #include +--- 
a/hash-to-efi-sig-list.c ++++ b/hash-to-efi-sig-list.c +@@ -4,7 +4,6 @@ + * see COPYING file + */ + #include +-#define __STDC_VERSION__ 199901L + #include + #ifdef CONFIG_arm + /* FIXME: +--- a/lib/kernel_efivars.c ++++ b/lib/kernel_efivars.c +@@ -16,7 +16,6 @@ + #include + #include + +-#define __STDC_VERSION__ 199901L + #include + + #include +@@ -29,54 +28,39 @@ + void + kernel_variable_init(void) + { +- char fname[] = "/tmp/efi.XXXXXX"; +- char cmdline[256]; +- int fd, ret; +- struct stat st; +- char *buf; +- +- if (kernel_efi_path) +- return; +- mktemp(fname); +- snprintf(cmdline, sizeof(cmdline), "mount -l > %s", fname); +- ret = system(cmdline); +- if (WEXITSTATUS(ret) != 0) +- /* hopefully stderr said what was wrong */ +- exit(1); +- fd = open(fname, O_RDONLY); +- unlink(fname); +- if (fd < 0) { +- fprintf(stderr, "Failed to open output of %s\n", cmdline); +- exit(1); +- } +- if (fstat(fd, &st) < 0) { +- perror("stat failed"); +- exit(1); +- } +- if (st.st_size == 0) { +- fprintf(stderr, "No efivarfs filesystem is mounted\n"); ++ FILE *mount_l_fp = NULL; ++ char *path = NULL; ++ char *type = NULL; ++ ++ mount_l_fp = popen("mount -l", "r"); ++ ++ if (mount_l_fp == NULL) { ++ fprintf(stderr, "Failed to get output of mount -l\n"); + exit(1); + } +- buf = malloc(st.st_size); +- read(fd, buf, st.st_size); +- close(fd); +- +- char *ptr = buf; +- char path[512], type[512]; +- while (ptr < buf + st.st_size) { +- int count; +- +- sscanf(ptr, "%*s on %s type %s %*[^\n]\n%n", path, type, &count); +- ptr += count; +- if (strcmp(type, "efivarfs") == 0) ++ ++ while (fscanf(mount_l_fp, "%*s on %ms type %ms %*[^\n]\n", &path, &type) == 2) { ++ if (strcmp(type, "efivarfs") == 0) { ++ kernel_efi_path = strdup(path); + break; ++ } ++ free(path); ++ path = NULL; ++ free(type); ++ type = NULL; + } +- if (strcmp(type, "efivarfs") != 0) { ++ ++ if (mount_l_fp != NULL) ++ pclose(mount_l_fp); ++ if (path != NULL) ++ free(path); ++ if (type != NULL) ++ free(type); ++ ++ if 
(kernel_efi_path == NULL) { + fprintf(stderr, "No efivarfs filesystem is mounted\n"); + exit(1); + } +- kernel_efi_path = malloc(strlen(path) + 1); +- strcpy(kernel_efi_path, path); + } + + int +--- a/sig-list-to-certs.c ++++ b/sig-list-to-certs.c +@@ -4,7 +4,6 @@ + * see COPYING file + */ + #include +-#define __STDC_VERSION__ 199901L + #include + #ifdef CONFIG_arm + /* FIXME: +--- a/sign-efi-sig-list.c ++++ b/sign-efi-sig-list.c +@@ -4,7 +4,6 @@ + * see COPYING file + */ + #include +-#define __STDC_VERSION__ 199901L + #include + #ifdef CONFIG_arm + /* FIXME: +--- a/lib/asn1/oid.h ++++ b/lib/asn1/oid.h +@@ -11,11 +11,11 @@ + #define OID_H_ + + typedef struct { +- u_char octet; +- u_int next; +- u_int down; +- u_int level; +- const u_char *name; ++ unsigned char octet; ++ unsigned int next; ++ unsigned int down; ++ unsigned int level; ++ const unsigned char *name; + } oid_t; + + extern const oid_t oid_names[]; +--- a/Makefile ++++ b/Makefile +@@ -30,15 +30,13 @@ + + EFISIGNED = $(patsubst %.efi,%-signed.efi,$(EFIFILES)) + +-all: $(EFISIGNED) $(BINARIES) $(MANPAGES) noPK.auth $(KEYAUTH) \ ++all: $(BINARIES) $(MANPAGES) noPK.auth $(KEYAUTH) \ + $(KEYUPDATEAUTH) $(KEYBLACKLISTAUTH) $(KEYHASHBLACKLISTAUTH) + + + install: all + $(INSTALL) -m 755 -d $(MANDIR) + $(INSTALL) -m 644 $(MANPAGES) $(MANDIR) +- $(INSTALL) -m 755 -d $(EFIDIR) +- $(INSTALL) -m 755 $(EFIFILES) $(EFIDIR) + $(INSTALL) -m 755 -d $(BINDIR) + $(INSTALL) -m 755 $(BINARIES) $(BINDIR) + $(INSTALL) -m 755 mkusb.sh $(BINDIR)/efitool-mkusb diff --git a/makefile-enable-harden-local-files.patch b/makefile-enable-harden-local-files.patch new file mode 100644 index 0000000..4652970 --- /dev/null +++ b/makefile-enable-harden-local-files.patch 
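Review bot: The rewritten `kernel_variable_init()` in lib/kernel_efivars.c (`@@ -29,54 +28,39 @@`) replaces the mktemp/system() temp file with `popen("mount -l", "r")`, which still runs the command through `/bin/sh -c` and resolves `mount` via the caller's PATH; for a tool that runs as root to write firmware variables, reading the kernel's own mount table with `setmntent("/proc/self/mounts", "r")` and `getmntent()` from `<mntent.h>` removes the child process and the shell entirely. The rewrite also drops the `if (kernel_efi_path) return;` guard the old code had, so a second call re-scans and overwrites the pointer, and the `fscanf()` loop stops at the first line that does not match `%*s on %ms type %ms`, so an efivarfs entry after an unusually formatted line would presumably be missed. `strdup(path)` is unchecked, `pclose()`'s status is ignored where the old code at least checked `WEXITSTATUS`, and the `mount_l_fp != NULL` / `path != NULL` / `type != NULL` guards before `pclose`/`free` are redundant at that point. The whole function lies inside the hunk; the rewrite below keeps its name, signature and error messages.
```c
void
kernel_variable_init(void)
{
	FILE *mounts;
	struct mntent *ent;

	/* Idempotent, as the pre-patch code was. */
	if (kernel_efi_path)
		return;

	/* The kernel's own mount table: no shell, no PATH lookup, no child. */
	mounts = setmntent("/proc/self/mounts", "r");
	if (mounts == NULL) {
		perror("Failed to open /proc/self/mounts");
		exit(1);
	}

	while ((ent = getmntent(mounts)) != NULL) {
		if (strcmp(ent->mnt_type, "efivarfs") == 0) {
			kernel_efi_path = strdup(ent->mnt_dir);
			if (kernel_efi_path == NULL) {
				perror("strdup");
				exit(1);
			}
			break;
		}
	}
	endmntent(mounts);

	if (kernel_efi_path == NULL) {
		fprintf(stderr, "No efivarfs filesystem is mounted\n");
		exit(1);
	}
}
```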
@@ -0,0 +1,53 @@
+--- a/Makefile
++++ b/Makefile
+@@ -21,6 +21,9 @@ KEYUPDATEAUTH = $(ALLKEYS:=-update.auth)
+ KEYBLACKLISTAUTH = $(ALLKEYS:=-blacklist.auth)
+ KEYHASHBLACKLISTAUTH = $(ALLKEYS:=-hash-blacklist.auth)
+
++OLD_CFLAGS:=$(CFLAGS)
++OLD_LDFLAGS:=$(LDFLAGS)
++
+ export TOPDIR := $(shell pwd)/
+
+ include Make.rules
+@@ -88,31 +91,31 @@ HelloWorld.so: lib/lib-efi.a
+ ShimReplace.so: lib/lib-efi.a
+
+ cert-to-efi-sig-list: cert-to-efi-sig-list.o lib/lib.a
+- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto
++ $(CC) $(ARCH3264) -o $@ $< $(OLD_CFLAGS) $(OLD_LDFLAGS) lib/lib.a -lcrypto
+
+ sig-list-to-certs: sig-list-to-certs.o lib/lib.a
+- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto
++ $(CC) $(ARCH3264) -o $@ $< $(OLD_CFLAGS) $(OLD_LDFLAGS) lib/lib.a -lcrypto
+
+ sign-efi-sig-list: sign-efi-sig-list.o lib/lib.a
+- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto
++ $(CC) $(ARCH3264) -o $@ $< $(OLD_CFLAGS) $(OLD_LDFLAGS) lib/lib.a -lcrypto
+
+ hash-to-efi-sig-list: hash-to-efi-sig-list.o lib/lib.a
+- $(CC) $(ARCH3264) -o $@ $< lib/lib.a
++ $(CC) $(ARCH3264) -o $@ $< $(OLD_CFLAGS) $(OLD_LDFLAGS) lib/lib.a
+
+ cert-to-efi-hash-list: cert-to-efi-hash-list.o lib/lib.a
+- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto
++ $(CC) $(ARCH3264) -o $@ $< $(OLD_CFLAGS) $(OLD_LDFLAGS) lib/lib.a -lcrypto
+
+ efi-keytool: efi-keytool.o lib/lib.a
+- $(CC) $(ARCH3264) -o $@ $< lib/lib.a
++ $(CC) $(ARCH3264) -o $@ $< $(OLD_CFLAGS) $(OLD_LDFLAGS) lib/lib.a
+
+ efi-readvar: efi-readvar.o lib/lib.a
+- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto
++ $(CC) $(ARCH3264) -o $@ $< $(OLD_CFLAGS) $(OLD_LDFLAGS) lib/lib.a -lcrypto
+
+ efi-updatevar: efi-updatevar.o lib/lib.a
+- $(CC) $(ARCH3264) -o $@ $< lib/lib.a -lcrypto
++ $(CC) $(ARCH3264) -o $@ $< $(OLD_CFLAGS) $(OLD_LDFLAGS) lib/lib.a -lcrypto
+
+ flash-var: flash-var.o lib/lib.a
+- $(CC) $(ARCH3264) -o $@ $< lib/lib.a
++ $(CC) $(ARCH3264) -o $@ $< $(OLD_CFLAGS) $(OLD_LDFLAGS) lib/lib.a
+
+ clean:
+ rm -f PK.* KEK.* DB.* $(EFIFILES)
$(EFISIGNED) $(BINARIES) *.o *.so
diff --git a/sbat-compat.patch b/sbat-compat.patch
new file mode 100644
index 0000000..6798306
--- /dev/null
+++ b/sbat-compat.patch
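Review bot: `$(OLD_CFLAGS)` and `$(OLD_LDFLAGS)` are added only to the link lines of the host binaries, so the flags captured before `include Make.rules` reach the linker but, as far as this hunk shows, not the compilation of the `.o` files those lines consume; Make.rules reassigns `CFLAGS =` (visible in fix-ftbfs-lp2083030.patch on this page), which is presumably why the capture is needed at all. If the intent is that compile-time hardening such as `-fstack-protector-strong` or `_FORTIFY_SOURCE` applies to the host tools, the rule that builds their objects needs `$(OLD_CFLAGS)` as well, or the build log should be checked to confirm the `.o` compile lines already carry the distro flags. A one-line comment above the capture, such as `# Save the distro CFLAGS/LDFLAGS before Make.rules replaces them with EFI-specific ones`, would document why two copies of the flags exist.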
@@ -0,0 +1,84 @@
+diff --git a/include/pecoff.h b/include/pecoff.h
+index 537d134..6ac57d1 100644
+--- a/include/pecoff.h
++++ b/include/pecoff.h
+@@ -1,7 +1,8 @@
+ #include
+
+ EFI_STATUS
+-pecoff_read_header(PE_COFF_LOADER_IMAGE_CONTEXT *context, void *data);
++pecoff_read_header(PE_COFF_LOADER_IMAGE_CONTEXT *context, void *data,
++ UINTN size);
+ EFI_STATUS
+ pecoff_relocate(PE_COFF_LOADER_IMAGE_CONTEXT *context, void **data);
+ EFI_STATUS
+diff --git a/lib/pecoff.c b/lib/pecoff.c
+index 26d9dcf..96878b9 100644
+--- a/lib/pecoff.c
++++ b/lib/pecoff.c
+@@ -69,7 +69,7 @@
+ #include
+
+ EFI_STATUS
+-pecoff_read_header(PE_COFF_LOADER_IMAGE_CONTEXT *context, void *data)
++pecoff_read_header(PE_COFF_LOADER_IMAGE_CONTEXT *context, void *data, UINTN size)
+ {
+ EFI_IMAGE_DOS_HEADER *DosHdr = data;
+ EFI_IMAGE_OPTIONAL_HEADER_UNION *PEHdr = data;
+@@ -116,7 +116,7 @@ pecoff_read_header(PE_COFF_LOADER_IMAGE_CONTEXT *context, void *data)
+ context->NumberOfSections = PEHdr->Pe32.FileHeader.NumberOfSections;
+ context->FirstSection = (EFI_IMAGE_SECTION_HEADER *)((char *)PEHdr + PEHdr->Pe32.FileHeader.SizeOfOptionalHeader + sizeof(UINT32) + sizeof(EFI_IMAGE_FILE_HEADER));
+
+- if (context->SecDir->VirtualAddress >= context->ImageSize) {
++ if (context->SecDir->VirtualAddress >= size) {
+ Print(L"Malformed security header\n");
+ return EFI_INVALID_PARAMETER;
+ }
+@@ -404,7 +404,7 @@ pecoff_execute_image(EFI_FILE *file, CHAR16 *name, EFI_HANDLE image,
+ }
+
+ Print(L"Read %d bytes from %s\n", DataSize, name);
+- efi_status = pecoff_read_header(&context, buffer);
++ efi_status = pecoff_read_header(&context, buffer, DataSize);
+ if (efi_status != EFI_SUCCESS) {
+ Print(L"Failed to read header\n");
+ goto out;
+diff --git a/lib/pkcs7verify.c b/lib/pkcs7verify.c
+index 06701fd..2bdadbe 100644
+--- a/lib/pkcs7verify.c
++++ b/lib/pkcs7verify.c
+@@ -172,7 +172,7 @@ pkcs7verify_allow(VOID *data, UINTN len)
+ EFI_STATUS status;
+ int i;
+
+- status = pecoff_read_header(&context, data);
++ status = pecoff_read_header(&context, data, len);
+ if (status != EFI_SUCCESS)
+ goto out;
+
+diff --git a/lib/sha256.c b/lib/sha256.c
+index 180fa16..9ca1c21 100644
+--- a/lib/sha256.c
++++ b/lib/sha256.c
+@@ -290,7 +290,7 @@ sha256_get_pecoff_digest_mem(void *buffer, UINTN DataSize,
+ * filled to the end of the page */
+ DataSize = ALIGN_VALUE(DataSize, 8);
+
+- efi_status = pecoff_read_header(&context, buffer);
++ efi_status = pecoff_read_header(&context, buffer, DataSize);
+ if (efi_status != EFI_SUCCESS) {
+ Print(L"Failed to read header\n");
+ return efi_status;
+diff --git a/lib/shim_protocol.c b/lib/shim_protocol.c
+index a735aa1..9ef4a20 100644
+--- a/lib/shim_protocol.c
++++ b/lib/shim_protocol.c
+@@ -13,7 +13,7 @@
+ static EFI_STATUS shimprotocol_context(void *data, unsigned int size,
+ PE_COFF_LOADER_IMAGE_CONTEXT *context)
+ {
+- return pecoff_read_header(context, data);
++ return pecoff_read_header(context, data, size);
+ }
+
+ static EFI_STATUS shimprotocol_verify(void *buffer, UINT32 size)
diff --git a/sources b/sources
new file mode 100644
index 0000000..55345c1
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (efitools-1.9.2.tar.gz) = 77e0ad7e865814ed388ff6daabe0f4b49ba51672bf2cbb98b7905e209cbd28f9ede2f73213ce45af8a978c1e67dba24ec88a1188661317cc22317b47e575cde8
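Review bot: The new bound in lib/pecoff.c, `if (context->SecDir->VirtualAddress >= size)`, only checks where the security directory starts, not where it ends; `SecDir->Size` comes from the same image header and is not checked here, so an image can pass this test and still have `VirtualAddress + Size` run past the `size` bytes that were actually read. An overflow-safe form is `if (context->SecDir->VirtualAddress >= size || context->SecDir->Size > size - context->SecDir->VirtualAddress) {`, which bounds both ends without risking wraparound. Note also that lib/sha256.c passes `DataSize` after `ALIGN_VALUE(DataSize, 8)`, so `size` there may exceed the bytes read by up to 7; the surrounding comment says the buffer is filled to the end of the page, which presumably makes that safe, but it is worth confirming when the tighter check is added. The body of pecoff_read_header extends beyond the hunks shown.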