sbsigntool-native: add recipe

imported from meta-intel. Signed-off-by: Matt Madison <matt@madison.systems>
2025-11-01 12:57:53 +00:00 · 2023-02-03 06:00:08 -08:00
parent 05ca0bc31b
commit dabb6a7867
3 changed files with 170 additions and 0 deletions
--- a/recipes-support/sbsigntool/sbsigntool-native_git.bb
+++ b/recipes-support/sbsigntool/sbsigntool-native_git.bb
@@ -0,0 +1,84 @@
 DESCRIPTION = "Utility for signing and verifying files for UEFI Secure Boot"
 LICENSE = "GPL-3.0-only & LGPL-2.1-only & LGPL-3.0-only & MIT"
 # sbsigntool statically links to libccan.a which is built with modules
 # passed to "create-ccan-tree" (and their dependencies). Therefore,
 # we also keep track of all the ccan module licenses.
 LIC_FILES_CHKSUM = "file://LICENSE.GPLv3;md5=9eef91148a9b14ec7f9df333daebc746 \
                    file://COPYING;md5=a7710ac18adec371b84a9594ed04fd20 \
                    file://lib/ccan.git/ccan/endian/LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
                    file://lib/ccan.git/ccan/htable/LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
                    file://lib/ccan.git/ccan/list/LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
                    file://lib/ccan.git/ccan/read_write_all/LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
                    file://lib/ccan.git/ccan/talloc/LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
                    file://lib/ccan.git/ccan/typesafe_cb/LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
                    file://lib/ccan.git/ccan/failtest/LICENSE;md5=6a6a8e020838b23406c81b19c1d46df6 \
                    file://lib/ccan.git/ccan/tlist/LICENSE;md5=6a6a8e020838b23406c81b19c1d46df6 \
                    file://lib/ccan.git/ccan/time/LICENSE;md5=838c366f69b72c5df05c96dff79b35f2 \
 "
 # The original upstream is git://kernel.ubuntu.com/jk/sbsigntool but it has
 # not been maintained and many patches have been backported in this repo.
 SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git;protocol=https;name=sbsigntools;branch=master \
           git://github.com/rustyrussell/ccan.git;protocol=https;destsuffix=git/lib/ccan.git;name=ccan;branch=master \
           file://0001-configure-Fixup-build-dependencies-for-cross-compili.patch \
           file://0002-fix-openssl-3-0.patch \
          "
 SRCREV_sbsigntools  ?= "f12484869c9590682ac3253d583bf59b890bb826"
 SRCREV_ccan         ?= "b1f28e17227f2320d07fe052a8a48942fe17caa5"
 SRCREV_FORMAT       =  "sbsigntools_ccan"
 DEPENDS = "binutils-native gnu-efi-native help2man-native openssl-native util-linux-native"
 PV = "0.9.4-git${SRCPV}"
 S = "${WORKDIR}/git"
 inherit autotools pkgconfig
 inherit native
 do_configure:prepend() {
 	cd ${S}
 	sed -i s#RECIPE_SYSROOT#${RECIPE_SYSROOT_NATIVE}#g configure.ac
 	if [ ! -e lib/ccan ]; then
 		# Use empty SCOREDIR because 'make scores' is not run.
 		# The default setting depends on (non-whitelisted) host tools.
 		sed -i -e 's#^\(SCOREDIR=\).*#\1#' lib/ccan.git/Makefile
 		lib/ccan.git/tools/create-ccan-tree \
 		--build-type=automake lib/ccan \
 		talloc read_write_all build_assert array_size endian
 	fi
 	# Create generatable docs from git
 	(
 	 echo "Authors of sbsigntool:"
 	 echo
 	 git log --format='%an' | sort -u | sed 's,^,\t,'
 	) > AUTHORS
 	# Generate simple ChangeLog
 	git log --date=short --format='%ad %t %an <%ae>%n%n  * %s%n' > ChangeLog
 	cd ${B}
 }
 def efi_arch(d):
    import re
    harch = d.getVar("HOST_ARCH")
    if re.match("i[3456789]86", harch):
        return "ia32"
    return harch
 EXTRA_OEMAKE = "\
    INCLUDES+='-I${S}/lib/ccan.git/ \
              -I${STAGING_INCDIR_NATIVE}/efi \
              -I${STAGING_INCDIR_NATIVE} \
              -I${STAGING_INCDIR_NATIVE}/efi/${@efi_arch(d)}' \
    "
 CFLAGS:append = " -Wno-error"
--- a/recipes-support/sbsigntool/sbsigntool/0001-configure-Fixup-build-dependencies-for-cross-compili.patch
+++ b/recipes-support/sbsigntool/sbsigntool/0001-configure-Fixup-build-dependencies-for-cross-compili.patch
@@ -0,0 +1,54 @@
 From c3533b8da1e1425801d2fc0bcd231e13d593f16b Mon Sep 17 00:00:00 2001
 From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
 Date: Tue, 19 Feb 2019 20:07:45 +0800
 Subject: [PATCH] configure: Fixup build dependencies for cross-compiling
 When cross-compiling, custom header files and libraries need to be
 specified. sbsign assumes that all the dependencies are located
 under /usr/include and /usr/lib.
 Prepend these paths with a placeholder that can be replaced with the
 actual paths once they are resolved.
 Upstream status: inappropriate [OE specific]
 Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
 Taken from :
 https://github.com/intel/luv-yocto/tree/master/meta-luv/recipes-devtools/sbsigntool/sbsigntool
 Corrected typo error and ported to version 0.9.2
 Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
 ---
 configure.ac | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
 diff --git a/configure.ac b/configure.ac
 index 1459e91..3e34c8d 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -70,7 +70,10 @@ AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = "
 ##
 # no consistent view of where gnu-efi should dump the efi stuff, so find it
 ##
 -for path in /lib /lib64 /usr/lib /usr/lib64 /usr/lib32 /lib/efi /lib64/efi /usr/lib/efi /usr/lib64/efi /usr/lib/gnuefi /usr/lib64/gnuefi ; do
 +for path in RECIPE_SYSROOT/lib RECIPE_SYSROOT/lib64 RECIPE_SYSROOT/usr/lib \
 +            RECIPE_SYSROOT/usr/lib64 RECIPE_SYSROOT/usr/lib32 \
 +            RECIPE_SYSROOT/lib/efi RECIPE_SYSROOT/lib64/efi \
 +            RECIPE_SYSROOT/usr/lib/efi RECIPE_SYSROOT/usr/lib64/efi; do
     if test -e $path/crt0-efi-$EFI_ARCH.o; then
        CRTPATH=$path
     fi
@@ -79,7 +82,7 @@ if test -z "$CRTPATH"; then
    AC_MSG_ERROR([cannot find the gnu-efi crt path])
 fi
 -EFI_CPPFLAGS="-I/usr/include/efi -I/usr/include/efi/$EFI_ARCH \
 +EFI_CPPFLAGS="-IRECIPE_SYSROOT/usr/include/efi -IRECIPE_SYSROOT/usr/include/efi/$EFI_ARCH \
  -DEFI_FUNCTION_WRAPPER"
 CPPFLAGS_save="$CPPFLAGS"
 CPPFLAGS="$CPPFLAGS $EFI_CPPFLAGS"
 -- 
 2.7.4
--- a/recipes-support/sbsigntool/sbsigntool/0002-fix-openssl-3-0.patch
+++ b/recipes-support/sbsigntool/sbsigntool/0002-fix-openssl-3-0.patch
@@ -0,0 +1,32 @@
 Use ASN1_ITEM_rptr() instead of taking the address of IDC_PEID_it.
 openssl-3.0 changed the type of TYPE_it from `const ASN1_ITEM TYPE_it` to
 `const ASN1_ITEM *TYPE_it(void)`. This was previously hidden behind
 OPENSSL_EXPORT_VAR_AS_FUNCTION but in 3.0 only the function version is
 available. This change should have been transparent to the application, but
 only if the `ASN1_ITEM_rptr()` macro is used.
 This change passes `make check` with both openssl 1.1 and 3.0.
 Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
 Upstream-status: Submited [https://groups.io/g/sbsigntools/topic/patch_fix_openssl_3_0_issue/85903418]
 ---
 src/idc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/idc.c b/src/idc.c
 index 6d87bd4..0a82218 100644
 --- a/src/idc.c
 +++ b/src/idc.c
@@ -189,7 +189,7 @@ int IDC_set(PKCS7 *p7, PKCS7_SIGNER_INFO *si, struct image *image)
 	idc->data->type = OBJ_nid2obj(peid_nid);
 	idc->data->value = ASN1_TYPE_new();
 -	type_set_sequence(image, idc->data->value, peid, &IDC_PEID_it);
 +	type_set_sequence(image, idc->data->value, peid, ASN1_ITEM_rptr(IDC_PEID));
         idc->digest->alg->parameter = ASN1_TYPE_new();
         idc->digest->alg->algorithm = OBJ_nid2obj(NID_sha256);
 --
 2.25.1