From patchwork Fri Jan 11 10:01:11 2019
X-Patchwork-Submitter: Peter Korsgaard
X-Patchwork-Id: 1023477
From: Peter Korsgaard
To: buildroot@buildroot.org
Cc: Peter Korsgaard
Date: Fri, 11 Jan 2019 11:01:11 +0100
Message-Id: <20190111100111.17867-3-peter@korsgaard.com>
In-Reply-To: <20190111100111.17867-1-peter@korsgaard.com>
References: <20190111100111.17867-1-peter@korsgaard.com>
X-Mailer: git-send-email 2.11.0
Subject: [Buildroot] [PATCH 3/3] boot: add shim EFI bootloader for secure boot chain loading
List-Id: Discussion and development of buildroot

While gnu-efi supports 32-bit ARM, this is currently broken in shim. Patches to fix this have been submitted upstream but are not included here for now.

https://github.com/rhboot/shim/pull/162

Signed-off-by: Peter Korsgaard
---
 DEVELOPERS          |  1 +
 boot/Config.in      |  1 +
 boot/shim/Config.in | 18 ++++++++++++++++++
 boot/shim/shim.hash |  3 +++
 boot/shim/shim.mk   | 31 +++++++++++++++++++++++++++++++
 5 files changed, 54 insertions(+)
 create mode 100644 boot/shim/Config.in
 create mode 100644 boot/shim/shim.hash
 create mode 100644 boot/shim/shim.mk

diff --git a/DEVELOPERS b/DEVELOPERS
index 3b3923ae4f..aa1bf325cb 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -1649,6 +1649,7 @@ F: board/openblocks/a6/ F: board/orangepi/ F: board/pandaboard/ F: board/roseapplepi/ +F: boot/shim/ F: configs/minnowboard_max-graphical_defconfig F: configs/minnowboard_max_defconfig F: configs/nexbox_a95x_defconfig diff --git a/boot/Config.in b/boot/Config.in index 8e0c8e5df4..11856fd9c7 100644 --- a/boot/Config.in +++ b/boot/Config.in @@ -15,6 +15,7 @@ source "boot/mv-ddr-marvell/Config.in" source "boot/mxs-bootlets/Config.in" source "boot/riscv-pk/Config.in" source "boot/s500-bootloader/Config.in" +source "boot/shim/Config.in" source "boot/syslinux/Config.in" source "boot/ts4800-mbrboot/Config.in" source "boot/uboot/Config.in" diff --git a/boot/shim/Config.in b/boot/shim/Config.in new file mode 100644 index 0000000000..15d50e3c82 --- /dev/null +++ b/boot/shim/Config.in @@ -0,0 +1,18 @@ +config BR2_TARGET_SHIM + bool "shim" + depends on BR2_aarch64 || BR2_aarch64_be || \ + BR2_i386 || BR2_x86_64 # gnu-efi + select BR2_PACKAGE_GNU_EFI + help + Boot loader to chain-load signed boot loaders under Secure + Boot. + + This package provides a minimalist boot loader which allows + verifying signatures of other UEFI binaries against either + the Secure Boot DB/DBX or against a built-in signature + database. Its purpose is to allow a small, + infrequently-changing binary to be signed by the UEFI CA, + while allowing an OS distributor to revision their main + bootloader independently of the CA. + + https://github.com/rhboot/shim diff --git a/boot/shim/shim.hash b/boot/shim/shim.hash new file mode 100644 index 0000000000..318390f80b --- /dev/null +++ b/boot/shim/shim.hash @@ -0,0 +1,3 @@ +# locally computed hash +sha256 279d19cc95b9974ea2379401a6a0653d949c3fa3d61f0c4bd6a7b9e840bdc425 shim-15.tar.gz +sha256 15edf527919ddcb2f514ab9d16ad07ef219e4bb490e0b79560be510f0c159cc2 COPYRIGHT diff --git a/boot/shim/shim.mk b/boot/shim/shim.mk new file mode 100644 index 0000000000..ba5bc51957 --- /dev/null +++ b/boot/shim/shim.mk 
@@ -0,0 +1,31 @@ +################################################################################ +# +# shim +# +################################################################################ + +SHIM_VERSION = 15 +SHIM_SITE = $(call github,rhboot,shim,$(SHIM_VERSION)) +SHIM_LICENSE = BSD-2-Clause +SHIM_LICENSE_FILES = COPYRIGHT +SHIM_DEPENDENCIES = gnu-efi +SHIM_INSTALL_TARGET = NO +SHIM_INSTALL_IMAGES = YES + +SHIM_MAKE_OPTS = \ + ARCH="$(GNU_EFI_PLATFORM)" \ + CROSS_COMPILE="$(TARGET_CROSS)" \ + DASHJ="-j$(PARALLEL_JOBS)" \ + EFI_INCLUDE="$(STAGING_DIR)/usr/include/efi" \ + EFI_PATH="$(STAGING_DIR)/usr/lib" \ + LIBDIR="$(STAGING_DIR)/usr/lib" + +define SHIM_BUILD_CMDS + $(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D) $(SHIM_MAKE_OPTS) +endef + +define SHIM_INSTALL_IMAGES_CMDS + $(INSTALL) -m 0755 -t $(BINARIES_DIR) $(@D)/*.efi +endef + +$(eval $(generic-package))
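Review bot: in the boot/shim/Config.in hunk, the `# gnu-efi` comment on the `depends on BR2_aarch64 || BR2_aarch64_be || BR2_i386 || BR2_x86_64` line does not explain why BR2_arm is absent: the commit message says gnu-efi does support 32-bit ARM and that it is shim that is broken there, so the comment should attribute the exclusion to shim and point at the upstream fix, for example `# gnu-efi; 32-bit ARM broken in shim, see rhboot/shim#162`, so the restriction can be lifted once that lands. The help text also promises verification "against a built-in signature database", but nothing in this series embeds a vendor certificate, so a shim built from this package only checks against the firmware DB/DBX; either trim that sentence or add an option that passes a certificate to the build, and it is worth stating that the produced shim.efi is unsigned and must itself be signed by the UEFI CA, or by a key enrolled in DB, before firmware with Secure Boot enabled will launch it.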
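Review bot: in the boot/shim/shim.hash hunk, the tarball hash is marked `# locally computed hash` because SHIM_SITE uses `$(call github,...)`, which fetches GitHub's auto-generated archive rather than an upstream-published artifact. For a component whose whole job is to anchor a Secure Boot chain, that weakens the supply-chain check to "whatever GitHub served the submitter once"; if upstream publishes a release tarball with a checksum or signature for 15, prefer that as SHIM_SITE and cite the published value in the comment instead of a locally computed one.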
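Review bot: in the boot/shim/shim.mk hunk, SHIM_MAKE_OPTS never passes a vendor certificate (shim's Makefile takes one as VENDOR_CERT_FILE), so the built-in signature database the Config.in help text advertises is empty in every build this package can produce; consider a BR2_TARGET_SHIM_VENDOR_CERT-style option that forwards a user-supplied certificate, or at least a comment in the .mk saying the embedded database is intentionally left empty. Also note that `$(INSTALL) -m 0755 -t $(BINARIES_DIR) $(@D)/*.efi` installs every EFI binary the build produces, which includes the MokManager and fallback images shim builds next to shim itself; if that is intended, say so in a comment, otherwise name the files explicitly so a future upstream addition does not silently land in BINARIES_DIR.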