From owner-svn-ports-all@FreeBSD.ORG Thu Jan 15 10:09:38 2015
Message-Id: <201501151009.t0FA9aQk080893@svn.freebsd.org>
From: Edward Tomasz Napierala
Date: Thu, 15 Jan 2015 10:09:36 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r377070 - in head/sysutils: . shim shim/files
X-SVN-Group: ports-head

Author: trasz
Date: Thu Jan 15 10:09:35 2015
New Revision: 377070

URL: https://svnweb.freebsd.org/changeset/ports/377070
QAT: https://qat.redports.org/buildarchive/r377070/

Log:
  New port: sysutils/shim

  shim is a trivial EFI application that, when run, attempts to open and
  execute another application. It will initially attempt to do this via the
  standard EFI LoadImage() and StartImage() calls. If these fail (because
  secure boot is enabled and the binary is not signed with an appropriate
  key, for instance) it will then validate the binary against a built-in
  certificate. If this succeeds and if the binary or signing key are not
  blacklisted then shim will relocate and execute the binary.
Sponsored by: The FreeBSD Foundation Added: head/sysutils/shim/ head/sysutils/shim/Makefile (contents, props changed) head/sysutils/shim/distinfo (contents, props changed) head/sysutils/shim/files/ head/sysutils/shim/files/patch-Cryptlib-Makefile (contents, props changed) head/sysutils/shim/files/patch-Cryptlib-OpenSSL-Makefile (contents, props changed) head/sysutils/shim/files/patch-Makefile (contents, props changed) head/sysutils/shim/files/patch-elf_x86_64_efi.lds (contents, props changed) head/sysutils/shim/files/patch-lib-Makefile (contents, props changed) head/sysutils/shim/pkg-descr (contents, props changed) Modified: head/sysutils/Makefile Modified: head/sysutils/Makefile ============================================================================== --- head/sysutils/Makefile Thu Jan 15 10:04:10 2015 (r377069) +++ head/sysutils/Makefile Thu Jan 15 10:09:35 2015 (r377070) @@ -875,6 +875,7 @@ SUBDIR += setquota SUBDIR += sformat SUBDIR += sg3_utils + SUBDIR += shim SUBDIR += shlock SUBDIR += shmcat SUBDIR += sievelog Added: head/sysutils/shim/Makefile ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sysutils/shim/Makefile Thu Jan 15 10:09:35 2015 (r377070) 
@@ -0,0 +1,37 @@ +# Created by: Edward Tomasz Napierala +# $FreeBSD$ + +PORTNAME= shim +PORTVERSION= 0.8 +CATEGORIES= sysutils + +MAINTAINER= trasz@FreeBSD.org +COMMENT= UEFI Secure Boot shim loader + +LICENSE= BSD2CLAUSE + +BUILD_DEPENDS= ${NONEXISTENT}:${PORTSDIR}/devel/gnu-efi \ + bash:${PORTSDIR}/shells/bash + +USE_GITHUB= yes +GH_ACCOUNT= mjg59 +GH_COMMIT= 6f4d516 + +USES= gmake +USE_GCC= 4.8+ +USE_GITHUB= yes +MAKE_JOBS_UNSAFE= yes +ONLY_FOR_ARCHS= amd64 + +PLIST_FILES= lib/shim/MokManager.efi lib/shim/fallback.efi lib/shim/shim.efi + +post-patch: + @${REINPLACE_CMD} -e "s|/bin/bash|${LOCALBASE}/bin/bash|" ${WRKSRC}/make-certs + +do-install: + ${MKDIR} ${STAGEDIR}/${PREFIX}/lib/shim + ${INSTALL_PROGRAM} ${WRKSRC}/shim.efi ${STAGEDIR}/${PREFIX}/lib/shim + ${INSTALL_PROGRAM} ${WRKSRC}/MokManager.efi ${STAGEDIR}/${PREFIX}/lib/shim + ${INSTALL_PROGRAM} ${WRKSRC}/fallback.efi ${STAGEDIR}/${PREFIX}/lib/shim + +.include Added: head/sysutils/shim/distinfo ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sysutils/shim/distinfo Thu Jan 15 10:09:35 2015 (r377070) @@ -0,0 +1,2 @@ +SHA256 (shim-0.8.tar.gz) = 150692b908c8502872a357025e70434c75bad8416d9a52e3e946fd75d3f6cf9e +SIZE (shim-0.8.tar.gz) = 1252057 Added: head/sysutils/shim/files/patch-Cryptlib-Makefile ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sysutils/shim/files/patch-Cryptlib-Makefile Thu Jan 15 10:09:35 2015 (r377070) 
@@ -0,0 +1,9 @@ +--- Cryptlib/Makefile.orig 2014-10-13 22:41:51.000000000 +0200 ++++ Cryptlib/Makefile 2014-11-30 20:23:01.000000000 +0100 +@@ -1,3 +1,6 @@ ++ifeq ($(ARCH),amd64) ++ override ARCH = x86_64 ++endif + + EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol + Added: head/sysutils/shim/files/patch-Cryptlib-OpenSSL-Makefile ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sysutils/shim/files/patch-Cryptlib-OpenSSL-Makefile Thu Jan 15 10:09:35 2015 (r377070) @@ -0,0 +1,9 @@ +--- Cryptlib/OpenSSL/Makefile.orig 2014-11-30 20:31:14.000000000 +0100 ++++ Cryptlib/OpenSSL/Makefile 2014-11-30 20:31:23.000000000 +0100 +@@ -1,3 +1,6 @@ ++ifeq ($(ARCH),amd64) ++ override ARCH = x86_64 ++endif + + EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol + Added: head/sysutils/shim/files/patch-Makefile ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sysutils/shim/files/patch-Makefile Thu Jan 15 10:09:35 2015 (r377070) 
@@ -0,0 +1,49 @@ +--- Makefile.orig 2014-10-13 22:41:51.000000000 +0200 ++++ Makefile 2014-12-21 16:18:40.000000000 +0100 +@@ -1,16 +1,22 @@ +-CC = $(CROSS_COMPILE)gcc ++CROSS_COMPILE = $(LOCALBASE)/bin/ ++ ++CC = $(CROSS_COMPILE)gcc48 + LD = $(CROSS_COMPILE)ld + OBJCOPY = $(CROSS_COMPILE)objcopy + + ARCH = $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,) + ++ifeq ($(ARCH),amd64) ++ override ARCH := x86_64 ++endif ++ + SUBDIRS = Cryptlib lib + +-LIB_PATH = /usr/lib64 ++LIB_PATH = $(LOCALBASE)/lib + +-EFI_INCLUDE := /usr/include/efi ++EFI_INCLUDE := $(LOCALBASE)/include/efi + EFI_INCLUDES = -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -Iinclude +-EFI_PATH := /usr/lib64/gnuefi ++EFI_PATH := $(LOCALBASE)/lib + + LIB_GCC = $(shell $(CC) -print-libgcc-file-name) + EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC) +@@ -57,7 +63,7 @@ LDFLAGS = -nostdlib -znocombreloc -T $( + + VERSION = 0.8 + +-TARGET = shim.efi MokManager.efi.signed fallback.efi.signed ++TARGET = shim.efi MokManager.efi fallback.efi + OBJS = shim.o netboot.o cert.o replacements.o version.o + KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer + SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h version.c version.h +@@ -144,8 +150,8 @@ FORMAT ?= --target efi-app-$(ARCH) + -j .debug_line -j .debug_str -j .debug_ranges \ + $(FORMAT) $^ $@.debug + +-%.efi.signed: %.efi certdb/secmod.db +- pesign -n certdb -i $< -c "shim" -s -o $@ -f ++#%.efi.signed: %.efi certdb/secmod.db ++# pesign -n certdb -i $< -c "shim" -s -o $@ -f + + clean: + $(MAKE) -C Cryptlib clean Added: head/sysutils/shim/files/patch-elf_x86_64_efi.lds ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sysutils/shim/files/patch-elf_x86_64_efi.lds Thu Jan 15 10:09:35 2015 (r377070) @@ -0,0 +1,10 @@ +--- elf_x86_64_efi.lds.orig 2014-12-21 16:01:08.000000000 +0100 ++++ elf_x86_64_efi.lds 2014-12-21 16:01:16.000000000 +0100 +@@ -1,5 +1,5 @@ +-/* Same as elf_x86_64_fbsd_efi.lds, except for OUTPUT_FORMAT below - KEEP IN SYNC */ +-OUTPUT_FORMAT("elf64-x86-64", "elf64-x86-64", "elf64-x86-64") ++/* Same as elf_x86_64_efi.lds, except for OUTPUT_FORMAT below - KEEP IN SYNC */ ++OUTPUT_FORMAT("elf64-x86-64-freebsd", "elf64-x86-64-freebsd", "elf64-x86-64-freebsd") + OUTPUT_ARCH(i386:x86-64) + ENTRY(_start) + SECTIONS Added: head/sysutils/shim/files/patch-lib-Makefile ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sysutils/shim/files/patch-lib-Makefile Thu Jan 15 10:09:35 2015 (r377070) @@ -0,0 +1,10 @@ +--- lib/Makefile.orig 2014-11-30 20:34:06.000000000 +0100 ++++ lib/Makefile 2014-11-30 20:34:20.000000000 +0100 +@@ -1,3 +1,7 @@ ++ifeq ($(ARCH),amd64) ++ override ARCH = x86_64 ++endif ++ + TARGET = lib.a + + LIBFILES = simple_file.o guid.o console.o execute.o configtable.o shell.o variables.o security_policy.o Added: head/sysutils/shim/pkg-descr ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/sysutils/shim/pkg-descr Thu Jan 15 10:09:35 2015 (r377070) 
@@ -0,0 +1,9 @@ +shim is a trivial EFI application that, when run, attempts to open and +execute another application. It will initially attempt to do this via the +standard EFI LoadImage() and StartImage() calls. If these fail (because secure +boot is enabled and the binary is not signed with an appropriate key, for +instance) it will then validate the binary against a built-in certificate. If +this succeeds and if the binary or signing key are not blacklisted then shim +will relocate and execute the binary. + +WWW: https://github.com/mjg59/shim
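Review bot: in the new head/sysutils/shim/Makefile hunk, `USE_GITHUB= yes` is set twice (once after BUILD_DEPENDS, once after USE_GCC); drop the second copy. In do-install, `${STAGEDIR}/${PREFIX}/lib/shim` produces a double slash because PREFIX is absolute; the ports convention is `${STAGEDIR}${PREFIX}/lib/shim`. Also worth confirming that the strip step INSTALL_PROGRAM performs is harmless on the PE/COFF .efi images objcopy emits; if the host strip cannot process them, installing them with INSTALL_DATA (firmware only reads them from the ESP, so execute bits are not needed) avoids running strip on them at all.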
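Review bot: in the patch-Makefile hunk, `CC = $(CROSS_COMPILE)gcc48` hard-codes one compiler binary while the port's `USE_GCC= 4.8+` lets the framework select any gcc of that version or newer, so the two can silently diverge; letting the framework's CC through (a `CC ?=` default or passing CC via MAKE_ARGS) keeps them consistent. The security-relevant point is the TARGET change from `MokManager.efi.signed fallback.efi.signed` to the unsigned names together with commenting out the `%.efi.signed` pesign rule: the installed MokManager.efi and fallback.efi carry no signature, so with Secure Boot enabled a shim that validates binaries against its built-in certificate (as the log describes) will not accept them until the user signs them with a key shim trusts or enrolls such a key. That expectation should be stated in pkg-descr or a pkg-message so nobody assumes the installed chain works out of the box. Minor: this hunk uses `override ARCH := x86_64` while the Cryptlib and lib patches use `override ARCH = x86_64`; pick one form.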
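Review bot: the identical `ifeq ($(ARCH),amd64) / override ARCH = x86_64 / endif` block is added three times, in the patch-Cryptlib-Makefile, patch-Cryptlib-OpenSSL-Makefile and patch-lib-Makefile hunks, even though the top-level Makefile patch already normalizes ARCH. Exporting the normalized value from the top-level Makefile (`export ARCH`) or passing `ARCH=$(ARCH)` on the recursive make invocations would keep the amd64-to-x86_64 mapping in one place and let these three patches be dropped.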
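Review bot: in the patch-elf_x86_64_efi.lds hunk the rewritten comment reads "Same as elf_x86_64_efi.lds, except for OUTPUT_FORMAT below - KEEP IN SYNC", so the file now refers to itself and the KEEP IN SYNC instruction has no target; the original line named elf_x86_64_fbsd_efi.lds as the counterpart. If upstream ships that fbsd variant, as the original comment implies, pointing the linker script argument (`-T` in the LDFLAGS line visible in the patch-Makefile hunk) at it would avoid patching this file at all; otherwise the comment should keep naming the other script.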