New upstream version 12+1503074702.5202f80c

parent 48d77ce6
......@@ -2,6 +2,7 @@
certdb
shim_cert.h
*.a
*.CSV
*.cer
*.crl
*.crt
......
It's pretty straightforward:
cp $MY_DER_ENCODED_CERT pub.cer
make VENDOR_CERT_FILE=pub.cer
make EFIDIR=my_esp_dir_name install
There are a couple of ways to customize the build:
Install targets:
- install
installs shim as if to a hard drive, including installing MokManager and
fallback appropriately.
- install-as-data
installs shim files to /usr/share/shim/$(EFI_ARCH)-$(VERSION)/
Variables you should set to customize the build:
- EFIDIR
This is the name of the ESP directory. The install targets won't work
without it.
- DESTDIR
This will be prepended to any install targets, so you don't have to
install to a live root directory.
- DEFAULT_LOADER
defaults to \\\\grub$(EFI_ARCH).efi , but you could set it to whatever.
Be careful with the leading backslashes, they can be hard to get
correct.
Variables you could set to customize the build:
- ENABLE_SHIM_CERT
if this variable is defined one the make command line, shim will
generate keys during the build and sign MokManager and fallback with
them, and the signed version will be what gets installed with the
install targets
- ENABLE_HTTPBOOT
build support for http booting
- ARCH
This allows you to do a build for a different arch that we support. For
instance, on x86_64 you could do "setarch linux32 make ARCH=ia32" to get
the ia32 build instead. (DEFAULT_LOADER will be automatically adjusted
in that case.)
- TOPDIR
You can use this along with make -f to build in a subdir. For instance,
on an x86_64 machine you could do:
mkdir build-ia32 build-x64 inst
cd build-ia32
setarch linux32 make TOPDIR=.. ARCH=ia32 -f ../Makefile
setarch linux32 make TOPDIR=.. ARCH=ia32 \
DESTDIR=../inst EFIDIR=debian \
-f ../Makefile install
cd ../build-x64
make TOPDIR=.. -f ../Makefile
make TOPDIR=.. DESTDIR=../inst EFIDIR=debian \
-f ../Makefile install
That would get you x86_64 and ia32 builds in the "inst" subdir.
- OSLABEL
This is the label that will be put in BOOT$(EFI_ARCH).CSV for your OS.
By default this is the same value as EFIDIR .
# vim:filetype=mail:tw=74
......@@ -8,7 +8,7 @@ CFLAGS = -ggdb -O0 -I$(TOPDIR) -iquote $(TOPDIR) -fno-stack-protector -fno-stri
ifeq ($(ARCH),x86_64)
CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \
-DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI -DNO_BUILTIN_VA_FUNCS \
-DMDE_CPU_IA64
-DMDE_CPU_X64
endif
ifeq ($(ARCH),ia32)
CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -m32 \
......
......@@ -11,7 +11,7 @@ CFLAGS = -ggdb -O0 -I$(TOPDIR) -I$(TOPDIR)/.. -I$(TOPDIR)/../Include/ -I$(TOPDI
ifeq ($(ARCH),x86_64)
CFLAGS += -mno-mmx -mno-sse -mno-red-zone -maccumulate-outgoing-args \
-DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI \
-UNO_BUILTIN_VA_FUNCS -DMDE_CPU_IA64
-UNO_BUILTIN_VA_FUNCS -DMDE_CPU_X64
endif
ifeq ($(ARCH),ia32)
CFLAGS += -mno-mmx -mno-sse -mno-red-zone -maccumulate-outgoing-args \
......
This diff is collapsed.
......@@ -60,6 +60,11 @@ as described in the UEFI specification. BS,NV
MokListRT: A copy of MokList made available to the kernel at runtime. RT
MokListX: A list of blacklisted keys and hashes. An EFI_SIGNATURE_LIST
as described in the UEFI specification. BS,NV
MokListXRT: A copy of MokListX made available to the kernel at runtime. RT
MokSBState: An 8-bit unsigned integer. If 1, shim will switch to
insecure mode. BS,NV
......
......@@ -12,5 +12,12 @@ in the shim.h header file and provides a single entry point. On 64-bit systems
this entry point expects to be called with SysV ABI rather than MSABI, and
so calls to it should not be wrapped.
On systems with a TPM chip enabled and supported by the system firmware,
shim will extend various PCRs with the digests of the targets it is
loading. A full list is in the file README.tpm .
To use shim, simply place a DER-encoded public certificate in a file such as
pub.cer and build with "make VENDOR_CERT_FILE=pub.cer".
There are a couple of build options, and a couple of ways to customize the
build, described in BUILDING.
The following PCRs are extended by shim:
PCR4:
- the Authenticode hash of the binary being loaded will be extended into
PCR4 before SB verification.
PCR7:
- Any certificate in one of our certificate databases that matches a binary
we try to load will be extended into PCR7. That includes:
- DBX - the system blacklist, logged as "dbx"
- MokListX - the Mok blacklist, logged as "MokListX"
- vendor_dbx - shim's built-in vendor blacklist, logged as "dbx"
- DB - the system whitelist, logged as "db"
- MokList the Mok whitelist, logged as "MokList"
- vendor_cert - shim's built-in vendor whitelist, logged as "Shim"
- shim_cert - shim's build-time generated whitelist, logged as "Shim"
- MokSBState will be extended into PCR7 if it is set, logged as
"MokSBState".
PCR14:
- MokList, MokListX, and MokSBState will be extended into PCR14 if they are
set.
Versioned protocol:
- Make shim and the bootloaders using it express how enlightened they
are to one another, so we can stop earlier without tricks like
the one above
MokListRT signing:
- For kexec and hybernate to work right, MokListRT probably needs to
be an authenticated variable. It's probable this needs to be done
in the kernel boot stub instead, just because it'll need an
ephemeral key to be generated, and that means we need some entropy
to build up.
New security protocol:
- TBD
kexec MoK Management:
Modsign enforcement mgmt MoK:
- This is part of the plan for SecureBoot patches. Basically these
features need to be disableable/enableable in MokManager.
Variable for debug:
- basically we need to be able to set a UEFI variable and get debug
output. Right now some code uses SHIM_VERBOSE but that needs a fair
amount of work to actually be useful.
Hashing of option roms:
- hash option roms and add them to MokListRT
- probably belongs in MokManager
- Versioned protocol:
- Make shim and the bootloaders using it express how enlightened they
are to one another, so we can stop earlier without tricks like the one
above
- Make a LoadImage/CheckImage/StartImage based protocol
- Hashing of option roms:
- hash option roms and add them to MokListRT
- probably belongs in MokManager
- Ability to specify second stage as a device path
- including vendor path that means "parent of this image's path"
- including vendor path that means "this image"
- including path that's like Fv() to embed images.
# vim:filetype=mail:tw=74
/*
* Walk a list of input files, printing the name and buildid of any file
* that has one.
*
* This program is licensed under the GNU Public License version 2.
*/
#include <err.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <getopt.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <libelf.h>
#include <gelf.h>
static Elf_Scn *get_scn_named(Elf * elf, char *goal, GElf_Shdr * shdrp_out)
{
int rc;
size_t shstrndx = -1;
int scn_no = 0;
Elf_Scn *scn = NULL;
GElf_Shdr shdr_data, *shdrp;
shdrp = shdrp_out ? shdrp_out : &shdr_data;
rc = elf_getshdrstrndx(elf, &shstrndx);
if (rc < 0)
return NULL;
do {
GElf_Shdr *shdr;
char *name;
scn = elf_getscn(elf, ++scn_no);
if (!scn)
break;
shdr = gelf_getshdr(scn, shdrp);
if (!shdr)
/*
* the binary is malformed, but hey, maybe the next
* one is fine, why not...
*/
continue;
name = elf_strptr(elf, shstrndx, shdr->sh_name);
if (name && !strcmp(name, goal))
return scn;
} while (scn != NULL);
return NULL;
}
static void *get_buildid(Elf * elf, size_t * sz)
{
Elf_Scn *scn;
size_t notesz;
size_t offset = 0;
Elf_Data *data;
GElf_Shdr shdr;
scn = get_scn_named(elf, ".note.gnu.build-id", &shdr);
if (!scn)
return NULL;
data = elf_getdata(scn, NULL);
if (!data)
return NULL;
do {
size_t nameoff;
size_t descoff;
GElf_Nhdr nhdr;
char *name;
notesz = gelf_getnote(data, offset, &nhdr, &nameoff, &descoff);
if (!notesz)
break;
offset += notesz;
if (nhdr.n_type != NT_GNU_BUILD_ID)
continue;
name = data->d_buf + nameoff;
if (!name || strcmp(name, ELF_NOTE_GNU))
continue;
*sz = nhdr.n_descsz;
return data->d_buf + descoff;
} while (notesz);
return NULL;
}
static void data2hex(uint8_t * data, size_t ds, char *str)
{
const char hex[] = "0123456789abcdef";
int s;
unsigned int d;
for (d = 0, s = 0; d < ds; d += 1, s += 2) {
str[s + 0] = hex[(data[d] >> 4) & 0x0f];
str[s + 1] = hex[(data[d] >> 0) & 0x0f];
}
str[s] = '\0';
}
static void handle_one(char *f)
{
int fd;
Elf *elf;
char *b = NULL;
size_t sz;
uint8_t *data;
if (!strcmp(f, "-")) {
fd = STDIN_FILENO;
if ((elf = elf_begin(fd, ELF_C_READ, NULL)) == NULL)
errx(1, "Couldn't read ELF data from \"%s\"", f);
} else {
if ((fd = open(f, O_RDONLY)) < 0)
err(1, "Couldn't open \"%s\"", f);
if ((elf = elf_begin(fd, ELF_C_READ_MMAP, NULL)) == NULL)
errx(1, "Couldn't read ELF data from \"%s\"", f);
}
data = get_buildid(elf, &sz);
if (data) {
b = alloca(sz * 2 + 1);
data2hex(data, sz, b);
if (b) {
write(1, f, strlen(f));
write(1, " ", 1);
write(1, b, strlen(b));
write(1, "\n", 1);
}
}
elf_end(elf);
close(fd);
}
static void
__attribute__ ((__noreturn__))
usage(int status)
{
FILE *out = status ? stderr : stdout;
fprintf(out, "Usage: buildid [ flags | file0 [file1 [.. fileN]]]\n");
fprintf(out, "Flags:\n");
fprintf(out, " -h Print this help text and exit\n");
exit(status);
}
int main(int argc, char **argv)
{
int i;
struct option options[] = {
{.name = "help",
.val = '?',
},
{.name = "usage",
.val = '?',
},
{.name = ""}
};
int longindex = -1;
while ((i = getopt_long(argc, argv, "h", options, &longindex)) != -1) {
switch (i) {
case 'h':
case '?':
usage(longindex == -1 ? 1 : 0);
break;
}
}
elf_version(EV_CURRENT);
if (optind == argc)
usage(1);
for (i = optind; i < argc; i++)
handle_one(argv[i]);
return 0;
}
// vim:fenc=utf-8:tw=75
478f9bb2ea91b361ab52dac6604fdfb47e1e963c
\ No newline at end of file
5202f80c32bdcab0469785e953bf9fa8dd4eaaa1
\ No newline at end of file
shim (12+1502324945.478f9bb-0) UNRELEASED; urgency=medium
* New upstream snapshot: 12+1502324945.478f9bb.
* debian/control: add a Build-Depends on libnss3-tools for pk12-util.
* debian/rules:
- Update dh_auto_build/dh_auto_clean for new upstream options: set
MAKELEVEL.
- Set DEFAULT_LOADER; this makes second-stage-path unnecessary.
- Define an EFI_ARCH variable, and use that for paths to shim. This
makes it possible to build a shim for other architectures than amd64.
* debian/patches/second-stage-path: dropped.
* debian/patches/sbsigntool-no-pesign: refreshed.
* debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: dropped,
included upstream.
-- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Wed, 09 Aug 2017 20:39:15 -0400
shim (0.9+1474479173.6c180c6-1ubuntu1) zesty; urgency=medium
[ Steve Langasek ]
* Merge (not yet NEW cleared) changes from Debian branch.
[ Mathieu Trudel-Lapierre ]
* debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: guard
against errors in mirroring MokSBState to MokSBStateRT. Thanks to Ivan Hu
for the patch. This will fix issues updating MokSBStateRT if the variable
already exists with different attributes. (LP: #1644806)
-- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Thu, 01 Dec 2016 16:55:50 -0500
shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium
[ Steve Langasek ]
* Initial Debian upload. Closes: #820052.
* Update Standards-Version.
* Embed the newly-minted Debian CA certificate.
* Vendorize debian/rules so that the same package can be used in both
Debian and Ubuntu without modification.
* Fix debian/copyright to match the spec (last match wins, not first)
* Fix shim.efi to not be executable.
* Add watchfile.
* Support parallel builds, because eh why not
* Update Vcs-Bzr.
* Resync with Ubuntu, including patch to fix debian/copyright.
[ Julien Cristau ]
* Add some missing copyright holders in d/copyright, update
Upstream-Contact. Thanks to Helen Koike for the help.
-- Julien Cristau <jcristau@debian.org> Sat, 15 Oct 2016 15:17:34 +0200
shim (0.9+1474479173.6c180c6-0ubuntu1) yakkety; urgency=medium
[ Helen Koike ]
* debian/copyright: add OpenSSL license
[ Mathieu Trudel-Lapierre ]
* New upstream release. (LP: #1624096)
* debian/copyright: patches should be BSD, like the rest of the upstream
code.
* debian/patches/unused-variable: dropped; applied upstream.
* debian/patches/binutils-version-matching: dropped, fixed upstream.
* debian/shim.install: built EFI binaries were renamed; update our install
file to properly pick up shim (shim$arch), MokManager (mm$arch), and
fallback (fb$arch).
-- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Thu, 22 Sep 2016 15:02:20 -0400
shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium
* New upstream release.
- Better handle LoadOptions. (LP: #1581299)
- Measure state and second stage in TPM.
- Mirror MokSBState in runtime as MokSBStateRT.
- Fix failure to build with GCC 5. (LP: #1429978)
- Various bug fixes and other improvements.
* Refreshed patches.
- Remaining patches:
+ second-stage-path
+ sbsigntool-not-pesign
* debian/patches/unused-variable: remove unused variable size.
* debian/patches/binutils-version-matching: revert d9a4c912 to correctly
match objcopy's version on Ubuntu.
* debian/copyright: update copyright for patches.
-- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 26 Jul 2016 16:48:32 -0400
shim (0.8-0ubuntu2) wily; urgency=medium
* No-change rebuild against gnu-efi 3.0v-5ubuntu1.
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 12 May 2015 17:48:30 +0000
shim (0.8-0ubuntu1) wily; urgency=medium
* New upstream release.
- Clarify meaning of insecure_mode. (LP: #1384973)
* debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,
debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included
in the upstream release.
* debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path:
refreshed.
-- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com> Mon, 11 May 2015 19:50:49 -0400
shim (0.7-0ubuntu4) utopic; urgency=medium
* SECURITY UPDATE: heap overflow and out-of-bounds read access when
parsing DHCPv6 information
- debian/patches/CVE-2014-3675.patch: apply proper bounds checking
when parsing data provided in DHCPv6 packets.
- CVE-2014-3675
- CVE-2014-3676
* SECURITY UPDATE: memory corruption when processing user-provided key
lists
- debian/patches/CVE-2014-3677.patch: detect malformed machine owner
key (MOK) lists and ignore them, avoiding possible memory corruption.
- CVE-2014-3677
-- Steve Langasek <steve.langasek@ubuntu.com> Wed, 08 Oct 2014 06:40:40 +0000
shim (0.7-0ubuntu2) utopic; urgency=medium
* Restore debian/patches/prototypes, which still is needed on shim 0.7
but only detected on the buildds.
* Update debian/patches/prototypes with some new declarations needed for
openssl 0.9.8za update.
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 16:20:08 -0700
shim (0.7-0ubuntu1) utopic; urgency=medium
* New upstream release.
- fix spurious error message when fallback.efi is not present, as will
always be the case for removable media. LP: #1297069.
- drop most patches, included upstream.
* debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick
openssl 0.9.8za in via upstream.
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 05:40:41 +0000
shim (0.4-0ubuntu5) utopic; urgency=low
* Install fallback.efi.signed as well, to lay the groundwork for fallback
handling (wanted when we have to move a drive between machines, or when
the firmware loses its marbles^W nvram).
-- Steve Langasek <steve.langasek@ubuntu.com> Mon, 04 Aug 2014 12:11:13 +0200
shim (0.4-0ubuntu4) saucy; urgency=low
* debian/patches/fix-tftp-prototype: pass the right arguments to
EFI_PXE_BASE_CODE_TFTP_READ_FILE.
* debian/patches/build-with-Werror: Build with -Werror to catch future
prototype mismatches.
* debian/patches/fix-compiler-warnings: Fix remaining compiler
warnings in netboot.c.
* debian/patches/tftp-proper-nul-termination: fix nul termination
errors in filenames passed to tftp.
* debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to
the netboot code.
-- Steve Langasek <steve.langasek@ubuntu.com> Mon, 23 Sep 2013 00:30:00 -0700
shim (0.4-0ubuntu3) saucy; urgency=low
[ Steve Langasek ]
* Install MokManager.efi.signed in the package.
* debian/patches/no-output-by-default.patch: Don't print any
informational messages. Closes LP: #1074302.
[ Stéphane Graber ]
* debian/patches/no-print-on-unsigned: Don't print an error message when
validating an unsigned binary as that tends to hang Lenovo machines.
(LP: #1087501)
-- Stéphane Graber <stgraber@ubuntu.com> Thu, 08 Aug 2013 17:12:12 +0200
shim (0.4-0ubuntu2) saucy; urgency=low
* Add missing build-dependency on openssl.
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 20:30:43 +0000
shim (0.4-0ubuntu1) saucy; urgency=low
* New upstream release.
* Drop debian/patches/shim-before-loadimage; upstream has changed this to
not call loadimage at all.
* debian/patches/sbsigntool-not-pesign: Sign MokManager with
sbsigntool instead of pesign.
* Add a versioned build-dependency on gnu-efi.
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 12:53:24 -0700
shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low
* debian/patches/shim-before-loadimage: Use direct verification first
before LoadImage. Addresses an issue where Lenovo's SecureBoot
implementation pops an error message on any verification failure - avoid
calling LoadImage at all unless we have to.
-- Steve Langasek <steve.langasek@ubuntu.com> Wed, 10 Oct 2012 15:28:40 -0700
shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low
* debian/patches/second-stage-path: Chainload grubx64.efi, not
grub.efi.
-- Steve Langasek <steve.langasek@ubuntu.com> Fri, 05 Oct 2012 11:20:58 -0700
shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low
* debian/patches/prototypes: Include missing prototypes, and disable
use of BIO_new_file.
* Only build the package for amd64; we're not signing an i386 shim at this
stage so there's no point in building it.
-- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 17:47:04 +0000
shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low
* Initial release.
* Include the Canonical Secure Boot master CA.
-- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 00:01:06 -0700
Source: shim
Section: admin
Priority: optional
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
XSBC-Original-Maintainer: Steve Langasek <vorlon@debian.org>
Standards-Version: 3.9.8
Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl, libnss3-tools
Vcs-Bzr: lp:~ubuntu-core-dev/shim/trunk
Package: shim
Architecture: amd64
Depends: ${shlibs:Depends}, ${misc:Depends}
Description: boot loader to chain-load signed boot loaders under Secure Boot
This package provides a minimalist boot loader which allows verifying
signatures of other UEFI binaries against either the Secure Boot DB/DBX or
against a built-in signature database. Its purpose is to allow a small,
infrequently-changing binary to be signed by the UEFI CA, while allowing
an OS distributor to revision their main bootloader independently of the CA.
This diff is collapsed.
---
Cryptlib/Makefile | 2 +-
Cryptlib/OpenSSL/Makefile | 2 +-
Makefile | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
Index: b/Makefile
===================================================================
--- a/Makefile
+++ b/Makefile
@@ -19,7 +19,7 @@ EFI_CRT_OBJS = $(EFI_PATH)/crt0-efi-$(A
EFI_LDS = elf_$(ARCH)_efi.lds
DEFAULT_LOADER := \\\\grubx64.efi
-CFLAGS = -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
+CFLAGS = -std=gnu89 -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
-fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
-Werror=sign-compare \
"-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
Index: b/Cryptlib/Makefile
===================================================================
--- a/Cryptlib/Makefile
+++ b/Cryptlib/Makefile
@@ -1,7 +1,7 @@
EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
-CFLAGS = -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
+CFLAGS = -std=gnu89 -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
-Wall $(EFI_INCLUDES)
ifeq ($(ARCH),x86_64)
Index: b/Cryptlib/OpenSSL/Makefile
===================================================================
--- a/Cryptlib/OpenSSL/Makefile
+++ b/Cryptlib/OpenSSL/Makefile
@@ -1,7 +1,7 @@
EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
-CFLAGS = -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \
+CFLAGS = -std=gnu89 -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \
-Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC
ifeq ($(ARCH),x86_64)
From d51739a416400ad348d8a1c7e3886abce11fff1b Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 7 Apr 2015 11:59:25 -0400
Subject: [PATCH] gcc 5.0 changes some include bits, so copy what arm does on
x86.
Basically they messed around with stdarg some and now we need to do it
the other way.
Signed-off-by: Peter Jones <pjones@redhat.com>
---
Cryptlib/Include/OpenSslSupport.h | 4 +++-
Cryptlib/Makefile | 3 ++-
Cryptlib/OpenSSL/Makefile | 5 +++--
Makefile | 17 ++++++-----------
MokManager.c | 1 +
5 files changed, 15 insertions(+), 15 deletions(-)
Index: b/Cryptlib/Include/OpenSslSupport.h
===================================================================
--- a/Cryptlib/Include/OpenSslSupport.h
+++ b/Cryptlib/Include/OpenSslSupport.h
@@ -34,7 +34,7 @@ typedef VOID *FILE;
//
// Map all va_xxxx elements to VA_xxx defined in MdePkg/Include/Base.h
//
-#if !defined(__CC_ARM) // if va_list is not already defined
+#if !defined(__CC_ARM) || defined(_STDARG_H) // if va_list is not already defined
/*
* These are now unconditionally #defined by GNU_EFI's efistdarg.h,
* so we should #undef them here before providing a new definition.
@@ -94,7 +94,9 @@ typedef __builtin_va_list VA_LIST;
portably, hence it is provided by a Standard C header file.
For pre-Standard C compilers, here is a version that usually works
(but watch out!): */
+#ifndef offsetof
#define offsetof(type, member) ( (int) & ((type*)0) -> member )
+#endif
//
// Basic types from EFI Application Toolkit required to buiild Open SSL
Index: b/Cryptlib/Makefile
===================================================================
--- a/Cryptlib/Makefile
+++ b/Cryptlib/Makefile
@@ -2,7 +2,8 @@
EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
CFLAGS = -std=gnu89 -ggdb -O0 -I. -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar \
- -Wall $(EFI_INCLUDES)
+ -Wall $(EFI_INCLUDES) \
+ -ffreestanding -I$(shell $(CC) -print-file-name=include)
ifeq ($(ARCH),x86_64)
CFLAGS += -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args \
Index: b/Cryptlib/OpenSSL/Makefile
===================================================================
--- a/Cryptlib/OpenSSL/Makefile
+++ b/Cryptlib/OpenSSL/Makefile
@@ -2,6 +2,7 @@
EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
CFLAGS = -std=gnu89 -ggdb -O0 -I. -I.. -I../Include/ -Icrypto -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -nostdinc \
+ -ffreestanding -I$(shell $(CC) -print-file-name=include) \
-Wall $(EFI_INCLUDES) -DOPENSSL_SYSNAME_UWIN -DOPENSSL_SYS_UEFI -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_SOCK -DOPENSSL_NO_CMS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_ERR -DOPENSSL_NO_KRB5 -DOPENSSL_NO_DYNAMIC_ENGINE -DGETPID_IS_MEANINGLESS -DOPENSSL_NO_STDIO -DOPENSSL_NO_FP_API -DOPENSSL_NO_DGRAM -DOPENSSL_NO_SHA0 -DOPENSSL_NO_LHASH -DOPENSSL_NO_HW -DOPENSSL_NO_OCSP -DOPENSSL_NO_LOCKING -DOPENSSL_NO_DEPRECATED -DOPENSSL_SMALL_FOOTPRINT -DPEDANTIC
ifeq ($(ARCH),x86_64)
@@ -13,10 +14,10 @@ ifeq ($(ARCH),ia32)
-m32 -DTHIRTY_TWO_BIT
endif
ifeq ($(ARCH),aarch64)
- CFLAGS += -O2 -DSIXTY_FOUR_BIT_LONG -ffreestanding -I$(shell $(CC) -print-file-name=include)
+ CFLAGS += -O2 -DSIXTY_FOUR_BIT_LONG
endif
ifeq ($(ARCH),arm)
- CFLAGS += -O2 -DTHIRTY_TWO_BIT -ffreestanding -I$(shell $(CC) -print-file-name=include)
+ CFLAGS += -O2 -DTHIRTY_TWO_BIT
endif
LDFLAGS = -nostdlib -znocombreloc
Index: b/Makefile
===================================================================
--- a/Makefile
+++ b/Makefile
@@ -21,7 +21,8 @@ EFI_LDS = elf_$(ARCH)_efi.lds
DEFAULT_LOADER := \\\\grubx64.efi
CFLAGS = -std=gnu89 -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
-fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
- -Werror=sign-compare \
+ -Werror=sign-compare -ffreestanding \
+ -I$(shell $(CC) -print-file-name=include) \
"-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
"-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \