sbsigntool-native: add recipe

imported from meta-intel. Signed-off-by: Matt Madison <matt@madison.systems>
2025-10-29 11:32:30 +00:00 · 2023-02-03 06:00:08 -08:00
parent 05ca0bc31b
commit dabb6a7867
3 changed files with 170 additions and 0 deletions
--- a/recipes-support/sbsigntool/sbsigntool-native_git.bb
+++ b/recipes-support/sbsigntool/sbsigntool-native_git.bb
@@ -0,0 +1,84 @@
+DESCRIPTION = "Utility for signing and verifying files for UEFI Secure Boot"
+LICENSE = "GPL-3.0-only & LGPL-2.1-only & LGPL-3.0-only & MIT"
+
+# sbsigntool statically links to libccan.a which is built with modules
+# passed to "create-ccan-tree" (and their dependencies). Therefore,
+# we also keep track of all the ccan module licenses.
+LIC_FILES_CHKSUM = "file://LICENSE.GPLv3;md5=9eef91148a9b14ec7f9df333daebc746 \
+                    file://COPYING;md5=a7710ac18adec371b84a9594ed04fd20 \
+                    file://lib/ccan.git/ccan/endian/LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
+                    file://lib/ccan.git/ccan/htable/LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
+                    file://lib/ccan.git/ccan/list/LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
+                    file://lib/ccan.git/ccan/read_write_all/LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
+                    file://lib/ccan.git/ccan/talloc/LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
+                    file://lib/ccan.git/ccan/typesafe_cb/LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
+                    file://lib/ccan.git/ccan/failtest/LICENSE;md5=6a6a8e020838b23406c81b19c1d46df6 \
+                    file://lib/ccan.git/ccan/tlist/LICENSE;md5=6a6a8e020838b23406c81b19c1d46df6 \
+                    file://lib/ccan.git/ccan/time/LICENSE;md5=838c366f69b72c5df05c96dff79b35f2 \
+"
+
+# The original upstream is git://kernel.ubuntu.com/jk/sbsigntool but it has
+# not been maintained and many patches have been backported in this repo.
+SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git;protocol=https;name=sbsigntools;branch=master \
+           git://github.com/rustyrussell/ccan.git;protocol=https;destsuffix=git/lib/ccan.git;name=ccan;branch=master \
+           file://0001-configure-Fixup-build-dependencies-for-cross-compili.patch \
+           file://0002-fix-openssl-3-0.patch \
+          "
+
+SRCREV_sbsigntools  ?= "f12484869c9590682ac3253d583bf59b890bb826"
+SRCREV_ccan         ?= "b1f28e17227f2320d07fe052a8a48942fe17caa5"
+SRCREV_FORMAT       =  "sbsigntools_ccan"
+
+DEPENDS = "binutils-native gnu-efi-native help2man-native openssl-native util-linux-native"
+
+PV = "0.9.4-git${SRCPV}"
+
+S = "${WORKDIR}/git"
+
+inherit autotools pkgconfig
+inherit native
+
+do_configure:prepend() {
+	cd ${S}
+
+	sed -i s#RECIPE_SYSROOT#${RECIPE_SYSROOT_NATIVE}#g configure.ac
+
+	if [ ! -e lib/ccan ]; then
+
+		# Use empty SCOREDIR because 'make scores' is not run.
+		# The default setting depends on (non-whitelisted) host tools.
+		sed -i -e 's#^\(SCOREDIR=\).*#\1#' lib/ccan.git/Makefile
+
+		lib/ccan.git/tools/create-ccan-tree \
+		--build-type=automake lib/ccan \
+		talloc read_write_all build_assert array_size endian
+	fi
+
+	# Create generatable docs from git
+	(
+	 echo "Authors of sbsigntool:"
+	 echo
+	 git log --format='%an' | sort -u | sed 's,^,\t,'
+	) > AUTHORS
+
+	# Generate simple ChangeLog
+	git log --date=short --format='%ad %t %an <%ae>%n%n  * %s%n' > ChangeLog
+
+	cd ${B}
+}
+
+def efi_arch(d):
+    import re
+    harch = d.getVar("HOST_ARCH")
+    if re.match("i[3456789]86", harch):
+        return "ia32"
+    return harch
+
+EXTRA_OEMAKE = "\
+    INCLUDES+='-I${S}/lib/ccan.git/ \
+              -I${STAGING_INCDIR_NATIVE}/efi \
+              -I${STAGING_INCDIR_NATIVE} \
+              -I${STAGING_INCDIR_NATIVE}/efi/${@efi_arch(d)}' \
+    "
+
+CFLAGS:append = " -Wno-error"
--- a/recipes-support/sbsigntool/sbsigntool/0001-configure-Fixup-build-dependencies-for-cross-compili.patch
+++ b/recipes-support/sbsigntool/sbsigntool/0001-configure-Fixup-build-dependencies-for-cross-compili.patch
@@ -0,0 +1,54 @@
+From c3533b8da1e1425801d2fc0bcd231e13d593f16b Mon Sep 17 00:00:00 2001
+From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
+Date: Tue, 19 Feb 2019 20:07:45 +0800
+Subject: [PATCH] configure: Fixup build dependencies for cross-compiling
+
+When cross-compiling, custom header files and libraries need to be
+specified. sbsign assumes that all the dependencies are located
+under /usr/include and /usr/lib.
+
+Prepend these paths with a placeholder that can be replaced with the
+actual paths once they are resolved.
+
+Upstream status: inappropriate [OE specific]
+
+Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
+
+Taken from :
+https://github.com/intel/luv-yocto/tree/master/meta-luv/recipes-devtools/sbsigntool/sbsigntool
+
+Corrected typo error and ported to version 0.9.2
+
+Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
+---
+ configure.ac | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 1459e91..3e34c8d 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -70,7 +70,10 @@ AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = "
+ ##
+ # no consistent view of where gnu-efi should dump the efi stuff, so find it
+ ##
+-for path in /lib /lib64 /usr/lib /usr/lib64 /usr/lib32 /lib/efi /lib64/efi /usr/lib/efi /usr/lib64/efi /usr/lib/gnuefi /usr/lib64/gnuefi ; do
+for path in RECIPE_SYSROOT/lib RECIPE_SYSROOT/lib64 RECIPE_SYSROOT/usr/lib \
+            RECIPE_SYSROOT/usr/lib64 RECIPE_SYSROOT/usr/lib32 \
+            RECIPE_SYSROOT/lib/efi RECIPE_SYSROOT/lib64/efi \
+            RECIPE_SYSROOT/usr/lib/efi RECIPE_SYSROOT/usr/lib64/efi; do
+     if test -e $path/crt0-efi-$EFI_ARCH.o; then
+        CRTPATH=$path
+     fi
+@@ -79,7 +82,7 @@ if test -z "$CRTPATH"; then
+    AC_MSG_ERROR([cannot find the gnu-efi crt path])
+ fi
+ 
+-EFI_CPPFLAGS="-I/usr/include/efi -I/usr/include/efi/$EFI_ARCH \
+EFI_CPPFLAGS="-IRECIPE_SYSROOT/usr/include/efi -IRECIPE_SYSROOT/usr/include/efi/$EFI_ARCH \
+  -DEFI_FUNCTION_WRAPPER"
+ CPPFLAGS_save="$CPPFLAGS"
+ CPPFLAGS="$CPPFLAGS $EFI_CPPFLAGS"
+-- 
+2.7.4
+
--- a/recipes-support/sbsigntool/sbsigntool/0002-fix-openssl-3-0.patch
+++ b/recipes-support/sbsigntool/sbsigntool/0002-fix-openssl-3-0.patch
@@ -0,0 +1,32 @@
+Use ASN1_ITEM_rptr() instead of taking the address of IDC_PEID_it.
+
+openssl-3.0 changed the type of TYPE_it from `const ASN1_ITEM TYPE_it` to
+`const ASN1_ITEM *TYPE_it(void)`. This was previously hidden behind
+OPENSSL_EXPORT_VAR_AS_FUNCTION but in 3.0 only the function version is
+available. This change should have been transparent to the application, but
+only if the `ASN1_ITEM_rptr()` macro is used.
+
+This change passes `make check` with both openssl 1.1 and 3.0.
+
+Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
+Upstream-status: Submited [https://groups.io/g/sbsigntools/topic/patch_fix_openssl_3_0_issue/85903418]
+---
+ src/idc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/idc.c b/src/idc.c
+index 6d87bd4..0a82218 100644
+--- a/src/idc.c
+++ b/src/idc.c
+@@ -189,7 +189,7 @@ int IDC_set(PKCS7 *p7, PKCS7_SIGNER_INFO *si, struct image *image)
+
+ 	idc->data->type = OBJ_nid2obj(peid_nid);
+ 	idc->data->value = ASN1_TYPE_new();
+-	type_set_sequence(image, idc->data->value, peid, &IDC_PEID_it);
+	type_set_sequence(image, idc->data->value, peid, ASN1_ITEM_rptr(IDC_PEID));
+
+         idc->digest->alg->parameter = ASN1_TYPE_new();
+         idc->digest->alg->algorithm = OBJ_nid2obj(NID_sha256);
+--
+2.25.1
+