sys-boot/shim: update to 15.4
Update RH EFI shim to version 15.4.
The new ldscript file causes an internal error in the gold linker, so force
the use of the bfd linker.
BUG=b/186856815
TEST=presubmit
RELEASE_NOTE=Updated UEFI shim to 15.4.
Change-Id: I05e96be88cd623576e0b4d18369724630c45ae14
Reviewed-on: https://cos-review.googlesource.com/c/cos/overlays/board-overlays/+/27580
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Reviewed-by: Robert Kolchmeyer <rkolchmeyer@google.com>
Reviewed-by: Roy Yang <royyang@google.com>
diff --git a/project-lakitu/sys-boot/shim/Manifest b/project-lakitu/sys-boot/shim/Manifest
index 131eb9f..c788153 100644
--- a/project-lakitu/sys-boot/shim/Manifest
+++ b/project-lakitu/sys-boot/shim/Manifest
@@ -1 +1 @@
-DIST shim-15.tar.bz2 1027215 BLAKE2B 425055998fd7af4751615241a69934b023581716eeb76d01e074e159b12bf414079d450ff6c574e0c398b259563149fe8a83a43f4c5496bbfb6c3550fdb7e4b6 SHA512 f7dfac774d644111431ca56da76b5575b891b0abad970b318edaede11a0d83c869728bc39cb6af3689bdb203c6826545caf8ddd3d14228831027e334963cf957
+DIST shim-15.4.tar.bz2 1260475 BLAKE2B b3a3c43df62ccc833fc2ffcae7d913d236b18469f73fd4abcf6a64b904c3cde445592562cac387f8d960184758bcfeb7fa4b0f088caa6402e2e56fc5a460faf9 SHA512 b9712fe6964f60de251f1bff83914c4aac0f6430474c44741c059f31b72c2d5987c313cbb5e8bc07bfd04e61e6b511ea2d19a9975cde8c6127bc05f2de834526
diff --git a/project-lakitu/sys-boot/shim/files/shim-15-built-in-platform-key.patch b/project-lakitu/sys-boot/shim/files/shim-15-built-in-platform-key.patch
deleted file mode 100644
index d371bcf..0000000
--- a/project-lakitu/sys-boot/shim/files/shim-15-built-in-platform-key.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-diff --git a/mok.c b/mok.c
-index 3867521..2b081f5 100644
---- a/mok.c
-+++ b/mok.c
-@@ -79,6 +79,7 @@ struct mok_state_variable {
- #define MOK_MIRROR_DELETE_FIRST 0x02
- #define MOK_VARIABLE_MEASURE 0x04
- #define MOK_VARIABLE_LOG 0x08
-+#define MOK_USE_BUILTIN 0x10
-
- struct mok_state_variable mok_state_variables[] = {
- {.name = L"MokList",
-@@ -91,7 +92,8 @@ struct mok_state_variable mok_state_variables[] = {
- .addend_source = &vendor_cert,
- .addend_size = &vendor_cert_size,
- .flags = MOK_MIRROR_KEYDB |
-- MOK_VARIABLE_LOG,
-+ MOK_VARIABLE_LOG |
-+ MOK_USE_BUILTIN,
- .pcr = 14,
- },
- {.name = L"MokListX",
-@@ -130,6 +132,63 @@ struct mok_state_variable mok_state_variables[] = {
- { NULL, }
- };
-
-+
-+static EFI_STATUS builtin_one_mok_variable(struct mok_state_variable *v)
-+{
-+ EFI_STATUS efi_status = EFI_SUCCESS;
-+ void *FullData = NULL;
-+ UINTN FullDataSize = 0;
-+ uint8_t *p = NULL;
-+
-+ if ((v->flags & MOK_MIRROR_KEYDB) &&
-+ v->addend_source && *v->addend_source &&
-+ v->addend_size && *v->addend_size) {
-+ EFI_SIGNATURE_LIST *CertList = NULL;
-+ EFI_SIGNATURE_DATA *CertData = NULL;
-+ FullDataSize = sizeof (*CertList)
-+ + sizeof (EFI_GUID)
-+ + *v->addend_size;
-+ FullData = AllocatePool(FullDataSize);
-+ if (!FullData) {
-+ perror(L"Failed to allocate space for MokListRT\n");
-+ return EFI_OUT_OF_RESOURCES;
-+ }
-+ p = FullData;
-+
-+ CertList = (EFI_SIGNATURE_LIST *)p;
-+ p += sizeof (*CertList);
-+ CertData = (EFI_SIGNATURE_DATA *)p;
-+ p += sizeof (EFI_GUID);
-+
-+ CertList->SignatureType = EFI_CERT_TYPE_X509_GUID;
-+ CertList->SignatureListSize = *v->addend_size
-+ + sizeof (*CertList)
-+ + sizeof (*CertData)
-+ -1;
-+ CertList->SignatureHeaderSize = 0;
-+ CertList->SignatureSize = *v->addend_size + sizeof (EFI_GUID);
-+
-+ CertData->SignatureOwner = SHIM_LOCK_GUID;
-+ CopyMem(p, *v->addend_source, *v->addend_size);
-+ } else if (v->state) {
-+ FullDataSize = sizeof (UINT8);
-+ FullData = v->state;
-+ }
-+
-+ if (FullDataSize) {
-+ efi_status = gRT->SetVariable(v->rtname, v->guid,
-+ EFI_VARIABLE_BOOTSERVICE_ACCESS |
-+ EFI_VARIABLE_RUNTIME_ACCESS,
-+ FullDataSize, FullData);
-+ if (EFI_ERROR(efi_status)) {
-+ perror(L"Failed to set %s: %r\n",
-+ v->rtname, efi_status);
-+ }
-+ }
-+
-+ return efi_status;
-+}
-+
- static EFI_STATUS mirror_one_mok_variable(struct mok_state_variable *v)
- {
- EFI_STATUS efi_status = EFI_SUCCESS;
-@@ -226,8 +285,16 @@ EFI_STATUS import_mok_state(EFI_HANDLE image_handle)
- efi_status = get_variable_attr(v->name,
- &v->data, &v->data_size,
- *v->guid, &attrs);
-- if (efi_status == EFI_NOT_FOUND)
-+ if (efi_status == EFI_NOT_FOUND) {
-+ if (v->flags & MOK_USE_BUILTIN) {
-+ efi_status = builtin_one_mok_variable(v);
-+ if (EFI_ERROR(efi_status) &&
-+ ret != EFI_SECURITY_VIOLATION)
-+ ret = efi_status;
-+ }
- continue;
-+ }
-+
- if (EFI_ERROR(efi_status)) {
- perror(L"Could not verify %s: %r\n", v->name,
- efi_status);
diff --git a/project-lakitu/sys-boot/shim/files/shim-15-fix-aarch64-build.patch b/project-lakitu/sys-boot/shim/files/shim-15-fix-aarch64-build.patch
deleted file mode 100644
index 88d7c1e..0000000
--- a/project-lakitu/sys-boot/shim/files/shim-15-fix-aarch64-build.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-diff --git a/Make.defaults b/Make.defaults
-index e11ab5a..ac2a25b 100644
---- a/Make.defaults
-+++ b/Make.defaults
-@@ -89,7 +89,7 @@ ifeq ($(ARCH),aarch64)
- ARCH_SUFFIX_UPPER ?= AA64
- FORMAT := -O binary
- SUBSYSTEM := 0xa
-- ARCH_LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
-+ override ARCH_LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
- endif
- ifeq ($(ARCH),arm)
- CFLAGS += -DMDE_CPU_ARM -DPAGE_SIZE=4096 -mstrict-align
-@@ -98,7 +98,7 @@ ifeq ($(ARCH),arm)
- ARCH_SUFFIX_UPPER ?= ARM
- FORMAT := -O binary
- SUBSYSTEM := 0xa
-- ARCH_LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
-+ override ARCH_LDFLAGS += --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
- endif
-
- FORMAT ?= --target efi-app-$(ARCH)
diff --git a/project-lakitu/sys-boot/shim/files/shim-15-fix-vlogerror-arm64-crash.patch b/project-lakitu/sys-boot/shim/files/shim-15-fix-vlogerror-arm64-crash.patch
deleted file mode 100644
index 0e78d88..0000000
--- a/project-lakitu/sys-boot/shim/files/shim-15-fix-vlogerror-arm64-crash.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 344a8364cb05cdaafc43231d0f73d5217c4e118c Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Tue, 12 Feb 2019 18:04:49 -0500
-Subject: [PATCH] VLogError(): Avoid NULL pointer dereferences in (V)Sprint
- calls
-
-VLogError() calculates the size of format strings by using calls to
-SPrint and VSPrint with a StrSize of 0 and NULL for an output buffer.
-Unfortunately, this is an incorrect usage of (V)Sprint. A StrSize
-of "0" is special-cased to mean "there is no limit". So, we end up
-writing our string to address 0x0. This was discovered because it
-causes a crash on ARM where, unlike x86, it does not necessarily
-have memory mapped at 0x0.
-
-Avoid the (V)Sprint calls altogether by using (V)PoolPrint, which
-handles the size calculation and allocation for us.
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
-Fixes: 25f6fd08cd26 ("try to show errors more usefully.")
-[dannf: commit message ]
-Signed-off-by: dann frazier <dann.frazier@canonical.com>
-Upstream-commit-id: 20e731f423a
----
- errlog.c | 15 +++------------
- 1 file changed, 3 insertions(+), 12 deletions(-)
-
-diff --git a/errlog.c b/errlog.c
-index 18be4822..eebb266d 100644
---- a/errlog.c
-+++ b/errlog.c
-@@ -14,29 +14,20 @@ EFI_STATUS
- VLogError(const char *file, int line, const char *func, CHAR16 *fmt, va_list args)
- {
- va_list args2;
-- UINTN size = 0, size2;
- CHAR16 **newerrs;
-
-- size = SPrint(NULL, 0, L"%a:%d %a() ", file, line, func);
-- va_copy(args2, args);
-- size2 = VSPrint(NULL, 0, fmt, args2);
-- va_end(args2);
--
- newerrs = ReallocatePool(errs, (nerrs + 1) * sizeof(*errs),
- (nerrs + 3) * sizeof(*errs));
- if (!newerrs)
- return EFI_OUT_OF_RESOURCES;
-
-- newerrs[nerrs] = AllocatePool(size*2+2);
-+ newerrs[nerrs] = PoolPrint(L"%a:%d %a() ", file, line, func);
- if (!newerrs[nerrs])
- return EFI_OUT_OF_RESOURCES;
-- newerrs[nerrs+1] = AllocatePool(size2*2+2);
-+ va_copy(args2, args);
-+ newerrs[nerrs+1] = VPoolPrint(fmt, args2);
- if (!newerrs[nerrs+1])
- return EFI_OUT_OF_RESOURCES;
--
-- SPrint(newerrs[nerrs], size*2+2, L"%a:%d %a() ", file, line, func);
-- va_copy(args2, args);
-- VSPrint(newerrs[nerrs+1], size2*2+2, fmt, args2);
- va_end(args2);
-
- nerrs += 2;
diff --git a/project-lakitu/sys-boot/shim/files/shim-15.4-fix-gcc-host-leak.patch b/project-lakitu/sys-boot/shim/files/shim-15.4-fix-gcc-host-leak.patch
new file mode 100644
index 0000000..7655c9f
--- /dev/null
+++ b/project-lakitu/sys-boot/shim/files/shim-15.4-fix-gcc-host-leak.patch
@@ -0,0 +1,11 @@
+--- a/gnu-efi/Make.defaults 2021-04-09 17:35:17.978394775 +0000
++++ b/gnu-efi/Make.defaults 2021-04-09 17:35:25.311076592 +0000
+@@ -67,7 +67,7 @@
+ # Compilation tools
+ COMPILER ?= gcc
+ ARCHIVER ?= gcc-ar
+-HOSTCC := $(COMPILER)
++HOSTCC := $(BUILD_CC)
+ CC := $(CROSS_COMPILE)$(COMPILER)
+ AS := $(CROSS_COMPILE)as
+ LD := $(CROSS_COMPILE)ld
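Review bot: `HOSTCC := $(BUILD_CC)` expands to nothing when BUILD_CC is not set in the environment, and neither this patch nor the visible ebuild hunks set or export it. Falling back to `$(COMPILER)` would quietly bring back the host-compiler leak this patch removes, so an explicit failure placed before the assignment is safer: `$(if $(BUILD_CC),,$(error BUILD_CC is not set))`. The top-level Make.defaults, shown as context in shim-15.4-force-ld.bfd.patch, still has `HOSTCC = $(COMPILER)`; if the top-level build also compiles host tools, it presumably needs the same change. The patch also has no header, and a line such as `Use the build-machine compiler for host tools instead of $(COMPILER)` would tell a later maintainer what it is for.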
diff --git a/project-lakitu/sys-boot/shim/files/shim-15.4-force-ld.bfd.patch b/project-lakitu/sys-boot/shim/files/shim-15.4-force-ld.bfd.patch
new file mode 100644
index 0000000..a7f4aa3
--- /dev/null
+++ b/project-lakitu/sys-boot/shim/files/shim-15.4-force-ld.bfd.patch
@@ -0,0 +1,13 @@
+diff --git a/Make.defaults b/Make.defaults
+index a775083e..d569476f 100644
+--- a/Make.defaults
++++ b/Make.defaults
+@@ -6,7 +6,7 @@
+ COMPILER ?= gcc
+ CC = $(CROSS_COMPILE)$(COMPILER)
+ HOSTCC = $(COMPILER)
+-LD = $(CROSS_COMPILE)ld
++LD = $(CROSS_COMPILE)ld.bfd
+ OBJCOPY = $(CROSS_COMPILE)objcopy
+ DOS2UNIX ?= dos2unix
+ D2UFLAGS ?= -r -l -F -f -n
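Review bot: The patch has no header explaining why `LD` is pinned to `ld.bfd`, so the reason lives only in the commit description and a maintainer reading files/ cannot tell when the pin can be dropped. A short header above the `diff --git` line would cover it, e.g. `Force ld.bfd: the 15.4 linker script triggers an internal error in gold (b/186856815)`. Note also that gnu-efi/Make.defaults, visible as context in shim-15.4-fix-gcc-host-leak.patch, still sets `LD := $(CROSS_COMPILE)ld`. If the bundled gnu-efi build links anything with it, that step may still resolve to gold, which is worth confirming.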
diff --git a/project-lakitu/sys-boot/shim/shim-15-r3.ebuild b/project-lakitu/sys-boot/shim/shim-15-r3.ebuild
deleted file mode 120000
index aa8fc90..0000000
--- a/project-lakitu/sys-boot/shim/shim-15-r3.ebuild
+++ /dev/null
@@ -1 +0,0 @@
-shim-15.ebuild
\ No newline at end of file
diff --git a/project-lakitu/sys-boot/shim/shim-15.4-r1.ebuild b/project-lakitu/sys-boot/shim/shim-15.4-r1.ebuild
new file mode 120000
index 0000000..f3ba15b
--- /dev/null
+++ b/project-lakitu/sys-boot/shim/shim-15.4-r1.ebuild
@@ -0,0 +1 @@
+shim-15.4.ebuild
\ No newline at end of file
diff --git a/project-lakitu/sys-boot/shim/shim-15.ebuild b/project-lakitu/sys-boot/shim/shim-15.4.ebuild
similarity index 75%
rename from project-lakitu/sys-boot/shim/shim-15.ebuild
rename to project-lakitu/sys-boot/shim/shim-15.4.ebuild
index 133959a..c62dd81 100644
--- a/project-lakitu/sys-boot/shim/shim-15.ebuild
+++ b/project-lakitu/sys-boot/shim/shim-15.4.ebuild
@@ -17,13 +17,10 @@
RDEPEND=""
DEPEND="dev-libs/openssl
- sys-boot/gnu-efi
platform-key? ( sys-boot/platform-key )
"
IUSE="platform-key"
-S="${WORKDIR}/${P}"
-
shim_arch() {
case ${ARCH} in
amd64) echo "x86_64";;
@@ -41,28 +38,21 @@
}
src_prepare() {
- cros_use_gcc
- epatch "${FILESDIR}"/${PN}-15-fix-aarch64-build.patch
- epatch "${FILESDIR}"/${PN}-15-fix-vlogerror-arm64-crash.patch
- epatch "${FILESDIR}"/${PN}-15-built-in-platform-key.patch
+ epatch "${FILESDIR}"/${P}-fix-gcc-host-leak.patch
+ epatch "${FILESDIR}"/${P}-force-ld.bfd.patch
default
}
src_compile() {
local extra_opts=()
- if tc-ld-is-gold; then
- extra_opts+=( ARCH_LDFLAGS="--no-experimental-use-relr" )
- fi
-
if use platform-key; then
extra_opts+=( VENDOR_CERT_FILE="${ROOT}/build/share/platform-key/signing_key.cer" )
fi
emake ARCH="$(shim_arch)" \
CROSS_COMPILE="${CHOST}-" \
- EFI_INCLUDE="${ROOT}/usr/include/efi" \
- EFI_PATH="${ROOT}/usr/$(get_libdir)" \
+ COMMITID="${GIT_COMMIT_ID}" \
DEFAULT_LOADER="\\\\\\\\grub-lakitu.efi" \
"${extra_opts[@]}" \
$(shim_binary)
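Review bot: `VENDOR_CERT_FILE` is still passed when `platform-key` is enabled, but src_prepare no longer applies the built-in-platform-key patch, and the commit message does not say why dropping it is safe. That patch wrote the vendor certificate to the runtime MOK variable (`v->rtname`) when `MokList` was not found. If 15.4 does the equivalent itself, a comment in src_prepare such as `# built-in-platform-key patch dropped: 15.4 publishes the vendor cert without a MokList` would record it. If it does not, consumers of the runtime key list would silently lose the platform key, and TEST=presubmit does not obviously exercise a boot with no MokList. Separately, `COMMITID="${GIT_COMMIT_ID}"` reads a variable that is not defined in the visible hunks (the top of the ebuild is outside them); if it is unset, an empty COMMITID is passed on the make command line, so a guard like `[[ -n ${GIT_COMMIT_ID} ]] && extra_opts+=( COMMITID="${GIT_COMMIT_ID}" )` may be preferable.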