Date:      Thu, 15 Jan 2015 10:09:36 +0000 (UTC)
From:      Edward Tomasz Napierala <trasz@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r377070 - in head/sysutils: . shim shim/files
Message-ID:  <201501151009.t0FA9aQk080893@svn.freebsd.org>

Author: trasz
Date: Thu Jan 15 10:09:35 2015
New Revision: 377070
URL: https://svnweb.freebsd.org/changeset/ports/377070
QAT: https://qat.redports.org/buildarchive/r377070/

Log:
  New port: sysutils/shim
  
  shim is a trivial EFI application that, when run, attempts to open and
  execute another application. It will initially attempt to do this via the
  standard EFI LoadImage() and StartImage() calls. If these fail (because secure
  boot is enabled and the binary is not signed with an appropriate key, for
  instance) it will then validate the binary against a built-in certificate. If
  this succeeds and if the binary or signing key are not blacklisted then shim
  will relocate and execute the binary.
  
  Sponsored by:	The FreeBSD Foundation

Added:
  head/sysutils/shim/
  head/sysutils/shim/Makefile   (contents, props changed)
  head/sysutils/shim/distinfo   (contents, props changed)
  head/sysutils/shim/files/
  head/sysutils/shim/files/patch-Cryptlib-Makefile   (contents, props changed)
  head/sysutils/shim/files/patch-Cryptlib-OpenSSL-Makefile   (contents, props changed)
  head/sysutils/shim/files/patch-Makefile   (contents, props changed)
  head/sysutils/shim/files/patch-elf_x86_64_efi.lds   (contents, props changed)
  head/sysutils/shim/files/patch-lib-Makefile   (contents, props changed)
  head/sysutils/shim/pkg-descr   (contents, props changed)
Modified:
  head/sysutils/Makefile

Modified: head/sysutils/Makefile
==============================================================================
--- head/sysutils/Makefile	Thu Jan 15 10:04:10 2015	(r377069)
+++ head/sysutils/Makefile	Thu Jan 15 10:09:35 2015	(r377070)
@@ -875,6 +875,7 @@
     SUBDIR += setquota
     SUBDIR += sformat
     SUBDIR += sg3_utils
+    SUBDIR += shim
     SUBDIR += shlock
     SUBDIR += shmcat
     SUBDIR += sievelog

Added: head/sysutils/shim/Makefile
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/shim/Makefile	Thu Jan 15 10:09:35 2015	(r377070)
@@ -0,0 +1,37 @@
+# Created by: Edward Tomasz Napierala <trasz@FreeBSD.org>
+# $FreeBSD$
+
+PORTNAME=	shim
+PORTVERSION=	0.8
+CATEGORIES=	sysutils
+
+MAINTAINER=	trasz@FreeBSD.org
+COMMENT=	UEFI Secure Boot shim loader
+
+LICENSE=	BSD2CLAUSE
+
+BUILD_DEPENDS=	${NONEXISTENT}:${PORTSDIR}/devel/gnu-efi \
+		bash:${PORTSDIR}/shells/bash
+
+USE_GITHUB=	yes
+GH_ACCOUNT=	mjg59
+GH_COMMIT=	6f4d516
+
+USES=		gmake
+USE_GCC=	4.8+
+USE_GITHUB=	yes
+MAKE_JOBS_UNSAFE=	yes
+ONLY_FOR_ARCHS=	amd64
+
+PLIST_FILES=	lib/shim/MokManager.efi lib/shim/fallback.efi lib/shim/shim.efi
+
+post-patch:
+	@${REINPLACE_CMD} -e "s|/bin/bash|${LOCALBASE}/bin/bash|" ${WRKSRC}/make-certs
+
+do-install:
+	${MKDIR} ${STAGEDIR}/${PREFIX}/lib/shim
+	${INSTALL_PROGRAM} ${WRKSRC}/shim.efi ${STAGEDIR}/${PREFIX}/lib/shim
+	${INSTALL_PROGRAM} ${WRKSRC}/MokManager.efi ${STAGEDIR}/${PREFIX}/lib/shim
+	${INSTALL_PROGRAM} ${WRKSRC}/fallback.efi ${STAGEDIR}/${PREFIX}/lib/shim
+
+.include <bsd.port.mk>
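Review bot: Nothing in this port Makefile states or controls which certificate is built into shim.efi, although the commit log names that built-in certificate as what shim validates the next binary against. The `post-patch` step only fixes the bash path in `make-certs`, so the certificate is presumably generated during the build. A comment above `post-patch:` along the lines of `# make-certs appears to generate the certificate embedded in shim.efi at build time - confirm and document how a site certificate is supplied` would make that trust anchor explicit. `USE_GITHUB=	yes` is also set twice (above `GH_ACCOUNT` and again after `USE_GCC`), and the second one can be dropped. The install lines would be cleaner as `${STAGEDIR}${PREFIX}/lib/shim`, without the extra slash.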

Added: head/sysutils/shim/distinfo
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/shim/distinfo	Thu Jan 15 10:09:35 2015	(r377070)
@@ -0,0 +1,2 @@
+SHA256 (shim-0.8.tar.gz) = 150692b908c8502872a357025e70434c75bad8416d9a52e3e946fd75d3f6cf9e
+SIZE (shim-0.8.tar.gz) = 1252057

Added: head/sysutils/shim/files/patch-Cryptlib-Makefile
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/shim/files/patch-Cryptlib-Makefile	Thu Jan 15 10:09:35 2015	(r377070)
@@ -0,0 +1,9 @@
+--- Cryptlib/Makefile.orig	2014-10-13 22:41:51.000000000 +0200
++++ Cryptlib/Makefile	2014-11-30 20:23:01.000000000 +0100
+@@ -1,3 +1,6 @@
++ifeq ($(ARCH),amd64)
++	override ARCH	= x86_64
++endif
+ 
+ EFI_INCLUDES	= -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
+ 
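Review bot: The added `override ARCH	= x86_64` line is indented with a tab inside the `ifeq`, and GNU make reads a tab-led line as an assignment only while no rule precedes it, so this works solely because the block sits at the very top of the file. The top-level patch-Makefile in this commit already uses the safer space-indented `  override ARCH := x86_64`. The same tab-indented form appears in patch-Cryptlib-OpenSSL-Makefile and patch-lib-Makefile. Using one spelling in all four files would also make it obvious that they implement the same amd64-to-x86_64 mapping.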

Added: head/sysutils/shim/files/patch-Cryptlib-OpenSSL-Makefile
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/shim/files/patch-Cryptlib-OpenSSL-Makefile	Thu Jan 15 10:09:35 2015	(r377070)
@@ -0,0 +1,9 @@
+--- Cryptlib/OpenSSL/Makefile.orig	2014-11-30 20:31:14.000000000 +0100
++++ Cryptlib/OpenSSL/Makefile	2014-11-30 20:31:23.000000000 +0100
+@@ -1,3 +1,6 @@
++ifeq ($(ARCH),amd64)
++	override ARCH	= x86_64
++endif
+ 
+ EFI_INCLUDES	= -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
+ 

Added: head/sysutils/shim/files/patch-Makefile
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/shim/files/patch-Makefile	Thu Jan 15 10:09:35 2015	(r377070)
@@ -0,0 +1,49 @@
+--- Makefile.orig	2014-10-13 22:41:51.000000000 +0200
++++ Makefile	2014-12-21 16:18:40.000000000 +0100
+@@ -1,16 +1,22 @@
+-CC		= $(CROSS_COMPILE)gcc
++CROSS_COMPILE	= $(LOCALBASE)/bin/
++
++CC		= $(CROSS_COMPILE)gcc48
+ LD		= $(CROSS_COMPILE)ld
+ OBJCOPY		= $(CROSS_COMPILE)objcopy
+ 
+ ARCH		= $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,)
+ 
++ifeq ($(ARCH),amd64)
++  override ARCH := x86_64
++endif
++
+ SUBDIRS		= Cryptlib lib
+ 
+-LIB_PATH	= /usr/lib64
++LIB_PATH	= $(LOCALBASE)/lib
+ 
+-EFI_INCLUDE	:= /usr/include/efi
++EFI_INCLUDE	:= $(LOCALBASE)/include/efi
+ EFI_INCLUDES	= -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -Iinclude
+-EFI_PATH	:= /usr/lib64/gnuefi
++EFI_PATH	:= $(LOCALBASE)/lib
+ 
+ LIB_GCC		= $(shell $(CC) -print-libgcc-file-name)
+ EFI_LIBS	= -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC) 
+@@ -57,7 +63,7 @@ LDFLAGS		= -nostdlib -znocombreloc -T $(
+ 
+ VERSION		= 0.8
+ 
+-TARGET	= shim.efi MokManager.efi.signed fallback.efi.signed
++TARGET	= shim.efi MokManager.efi fallback.efi
+ OBJS	= shim.o netboot.o cert.o replacements.o version.o
+ KEYS	= shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
+ SOURCES	= shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h version.c version.h
+@@ -144,8 +150,8 @@ FORMAT		?= --target efi-app-$(ARCH)
+ 		-j .debug_line -j .debug_str -j .debug_ranges \
+ 		$(FORMAT) $^ $@.debug
+ 
+-%.efi.signed: %.efi certdb/secmod.db
+-	pesign -n certdb -i $< -c "shim" -s -o $@ -f
++#%.efi.signed: %.efi certdb/secmod.db
++#	pesign -n certdb -i $< -c "shim" -s -o $@ -f
+ 
+ clean:
+ 	$(MAKE) -C Cryptlib clean
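Review bot: With `TARGET` switched to `shim.efi MokManager.efi fallback.efi` and the `%.efi.signed` rule commented out, the port installs all three EFI binaries unsigned, and nothing visible in the commit tells the user so. A pkg-message, or at least a comment next to `TARGET`, should state that the binaries have to be signed with the site's own key before they are usable with Secure Boot enabled. The pesign rule is better deleted than kept as two commented-out lines, since dead rules in a patch file tend to be carried forward unexamined. Separately, `CC		= $(CROSS_COMPILE)gcc48` pins one compiler while the port Makefile requests `USE_GCC=	4.8+`, so the two may disagree if the framework selects a newer GCC; that is worth confirming.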

Added: head/sysutils/shim/files/patch-elf_x86_64_efi.lds
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/shim/files/patch-elf_x86_64_efi.lds	Thu Jan 15 10:09:35 2015	(r377070)
@@ -0,0 +1,10 @@
+--- elf_x86_64_efi.lds.orig	2014-12-21 16:01:08.000000000 +0100
++++ elf_x86_64_efi.lds	2014-12-21 16:01:16.000000000 +0100
+@@ -1,5 +1,5 @@
+-/* Same as elf_x86_64_fbsd_efi.lds, except for OUTPUT_FORMAT below - KEEP IN SYNC */
+-OUTPUT_FORMAT("elf64-x86-64", "elf64-x86-64", "elf64-x86-64")
++/* Same as elf_x86_64_efi.lds, except for OUTPUT_FORMAT below - KEEP IN SYNC */
++OUTPUT_FORMAT("elf64-x86-64-freebsd", "elf64-x86-64-freebsd", "elf64-x86-64-freebsd")
+ OUTPUT_ARCH(i386:x86-64)
+ ENTRY(_start)
+ SECTIONS
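Review bot: The rewritten header comment now reads `Same as elf_x86_64_efi.lds`, but the file being patched is elf_x86_64_efi.lds itself, so the comment refers to its own file and the KEEP IN SYNC instruction no longer names a counterpart. It looks as if the contents of the FreeBSD variant were copied over together with that variant's comment. Something like `/* FreeBSD port: as upstream elf_x86_64_efi.lds, except OUTPUT_FORMAT is elf64-x86-64-freebsd */` would describe what was actually changed. The SECTIONS block continues outside the hunk.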

Added: head/sysutils/shim/files/patch-lib-Makefile
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/shim/files/patch-lib-Makefile	Thu Jan 15 10:09:35 2015	(r377070)
@@ -0,0 +1,10 @@
+--- lib/Makefile.orig	2014-11-30 20:34:06.000000000 +0100
++++ lib/Makefile	2014-11-30 20:34:20.000000000 +0100
+@@ -1,3 +1,7 @@
++ifeq ($(ARCH),amd64)
++	override ARCH	= x86_64
++endif
++
+ TARGET = lib.a
+ 
+ LIBFILES = simple_file.o guid.o console.o execute.o configtable.o shell.o variables.o security_policy.o

Added: head/sysutils/shim/pkg-descr
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/sysutils/shim/pkg-descr	Thu Jan 15 10:09:35 2015	(r377070)
@@ -0,0 +1,9 @@
+shim is a trivial EFI application that, when run, attempts to open and
+execute another application. It will initially attempt to do this via the
+standard EFI LoadImage() and StartImage() calls. If these fail (because secure
+boot is enabled and the binary is not signed with an appropriate key, for
+instance) it will then validate the binary against a built-in certificate. If
+this succeeds and if the binary or signing key are not blacklisted then shim
+will relocate and execute the binary.
+
+WWW: https://github.com/mjg59/shim


