svn commit: r377070 - in head/sysutils: . shim shim/files
Edward Tomasz Napierala
trasz at FreeBSD.org
Thu Jan 15 10:09:38 UTC 2015
Author: trasz
Date: Thu Jan 15 10:09:35 2015
New Revision: 377070
URL: https://svnweb.freebsd.org/changeset/ports/377070
QAT: https://qat.redports.org/buildarchive/r377070/
Log:
New port: sysutils/shim
shim is a trivial EFI application that, when run, attempts to open and
execute another application. It will initially attempt to do this via the
standard EFI LoadImage() and StartImage() calls. If these fail (because secure
boot is enabled and the binary is not signed with an appropriate key, for
instance) it will then validate the binary against a built-in certificate. If
this succeeds and if the binary or signing key are not blacklisted then shim
will relocate and execute the binary.
Sponsored by: The FreeBSD Foundation
Added:
head/sysutils/shim/
head/sysutils/shim/Makefile (contents, props changed)
head/sysutils/shim/distinfo (contents, props changed)
head/sysutils/shim/files/
head/sysutils/shim/files/patch-Cryptlib-Makefile (contents, props changed)
head/sysutils/shim/files/patch-Cryptlib-OpenSSL-Makefile (contents, props changed)
head/sysutils/shim/files/patch-Makefile (contents, props changed)
head/sysutils/shim/files/patch-elf_x86_64_efi.lds (contents, props changed)
head/sysutils/shim/files/patch-lib-Makefile (contents, props changed)
head/sysutils/shim/pkg-descr (contents, props changed)
Modified:
head/sysutils/Makefile
Modified: head/sysutils/Makefile
==============================================================================
--- head/sysutils/Makefile Thu Jan 15 10:04:10 2015 (r377069)
+++ head/sysutils/Makefile Thu Jan 15 10:09:35 2015 (r377070)
@@ -875,6 +875,7 @@
SUBDIR += setquota
SUBDIR += sformat
SUBDIR += sg3_utils
+ SUBDIR += shim
SUBDIR += shlock
SUBDIR += shmcat
SUBDIR += sievelog
Added: head/sysutils/shim/Makefile
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/sysutils/shim/Makefile Thu Jan 15 10:09:35 2015 (r377070)
@@ -0,0 +1,37 @@
+# Created by: Edward Tomasz Napierala <trasz at FreeBSD.org>
+# $FreeBSD$
+
+PORTNAME= shim
+PORTVERSION= 0.8
+CATEGORIES= sysutils
+
+MAINTAINER= trasz at FreeBSD.org
+COMMENT= UEFI Secure Boot shim loader
+
+LICENSE= BSD2CLAUSE
+
+BUILD_DEPENDS= ${NONEXISTENT}:${PORTSDIR}/devel/gnu-efi \
+ bash:${PORTSDIR}/shells/bash
+
+USE_GITHUB= yes
+GH_ACCOUNT= mjg59
+GH_COMMIT= 6f4d516
+
+USES= gmake
+USE_GCC= 4.8+
+USE_GITHUB= yes
+MAKE_JOBS_UNSAFE= yes
+ONLY_FOR_ARCHS= amd64
+
+PLIST_FILES= lib/shim/MokManager.efi lib/shim/fallback.efi lib/shim/shim.efi
+
+post-patch:
+ @${REINPLACE_CMD} -e "s|/bin/bash|${LOCALBASE}/bin/bash|" ${WRKSRC}/make-certs
+
+do-install:
+ ${MKDIR} ${STAGEDIR}/${PREFIX}/lib/shim
+ ${INSTALL_PROGRAM} ${WRKSRC}/shim.efi ${STAGEDIR}/${PREFIX}/lib/shim
+ ${INSTALL_PROGRAM} ${WRKSRC}/MokManager.efi ${STAGEDIR}/${PREFIX}/lib/shim
+ ${INSTALL_PROGRAM} ${WRKSRC}/fallback.efi ${STAGEDIR}/${PREFIX}/lib/shim
+
+.include <bsd.port.mk>
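Review bot: `USE_GITHUB= yes` is assigned twice in this Makefile (once above GH_ACCOUNT, again after USE_GCC); drop the second copy. In do-install the three destinations are written `${STAGEDIR}/${PREFIX}/lib/shim`, which yields a doubled slash because PREFIX is absolute; the framework convention is `${STAGEDIR}${PREFIX}/lib/shim`. post-patch only rewrites the interpreter path in `${WRKSRC}/make-certs`, so the certificate compiled into shim.efi is presumably generated fresh on every build (the patched upstream Makefile lists shim.key and shim.crt among KEYS), meaning each package embeds a throwaway vendor key that no firmware or user has enrolled; the port should either say so in pkg-descr or give the builder a way to supply their own certificate.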
Added: head/sysutils/shim/distinfo
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/sysutils/shim/distinfo Thu Jan 15 10:09:35 2015 (r377070)
@@ -0,0 +1,2 @@
+SHA256 (shim-0.8.tar.gz) = 150692b908c8502872a357025e70434c75bad8416d9a52e3e946fd75d3f6cf9e
+SIZE (shim-0.8.tar.gz) = 1252057
Added: head/sysutils/shim/files/patch-Cryptlib-Makefile
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/sysutils/shim/files/patch-Cryptlib-Makefile Thu Jan 15 10:09:35 2015 (r377070)
@@ -0,0 +1,9 @@
+--- Cryptlib/Makefile.orig 2014-10-13 22:41:51.000000000 +0200
++++ Cryptlib/Makefile 2014-11-30 20:23:01.000000000 +0100
+@@ -1,3 +1,6 @@
++ifeq ($(ARCH),amd64)
++ override ARCH = x86_64
++endif
+
+ EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
+
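Review bot: The amd64-to-x86_64 mapping is pasted into four Makefiles (here, patch-Cryptlib-OpenSSL-Makefile, patch-lib-Makefile and patch-Makefile) in two spellings: `override ARCH = x86_64` in the three sub-Makefile patches and `override ARCH := x86_64` in the top-level one. Pick one flavour, and consider whether the sub-Makefile copies are needed at all — if the top-level Makefile's `$(MAKE) -C Cryptlib` invocations passed `ARCH=$(ARCH)` the fix would live in one place. A short comment such as `# FreeBSD reports amd64 where gnu-efi's headers are laid out under x86_64` above the ifeq would record why the override exists.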
Added: head/sysutils/shim/files/patch-Cryptlib-OpenSSL-Makefile
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/sysutils/shim/files/patch-Cryptlib-OpenSSL-Makefile Thu Jan 15 10:09:35 2015 (r377070)
@@ -0,0 +1,9 @@
+--- Cryptlib/OpenSSL/Makefile.orig 2014-11-30 20:31:14.000000000 +0100
++++ Cryptlib/OpenSSL/Makefile 2014-11-30 20:31:23.000000000 +0100
+@@ -1,3 +1,6 @@
++ifeq ($(ARCH),amd64)
++ override ARCH = x86_64
++endif
+
+ EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
+
Added: head/sysutils/shim/files/patch-Makefile
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/sysutils/shim/files/patch-Makefile Thu Jan 15 10:09:35 2015 (r377070)
@@ -0,0 +1,49 @@
+--- Makefile.orig 2014-10-13 22:41:51.000000000 +0200
++++ Makefile 2014-12-21 16:18:40.000000000 +0100
+@@ -1,16 +1,22 @@
+-CC = $(CROSS_COMPILE)gcc
++CROSS_COMPILE = $(LOCALBASE)/bin/
++
++CC = $(CROSS_COMPILE)gcc48
+ LD = $(CROSS_COMPILE)ld
+ OBJCOPY = $(CROSS_COMPILE)objcopy
+
+ ARCH = $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,)
+
++ifeq ($(ARCH),amd64)
++ override ARCH := x86_64
++endif
++
+ SUBDIRS = Cryptlib lib
+
+-LIB_PATH = /usr/lib64
++LIB_PATH = $(LOCALBASE)/lib
+
+-EFI_INCLUDE := /usr/include/efi
++EFI_INCLUDE := $(LOCALBASE)/include/efi
+ EFI_INCLUDES = -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -Iinclude
+-EFI_PATH := /usr/lib64/gnuefi
++EFI_PATH := $(LOCALBASE)/lib
+
+ LIB_GCC = $(shell $(CC) -print-libgcc-file-name)
+ EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC)
+@@ -57,7 +63,7 @@ LDFLAGS = -nostdlib -znocombreloc -T $(
+
+ VERSION = 0.8
+
+-TARGET = shim.efi MokManager.efi.signed fallback.efi.signed
++TARGET = shim.efi MokManager.efi fallback.efi
+ OBJS = shim.o netboot.o cert.o replacements.o version.o
+ KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
+ SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h version.c version.h
+@@ -144,8 +150,8 @@ FORMAT ?= --target efi-app-$(ARCH)
+ -j .debug_line -j .debug_str -j .debug_ranges \
+ $(FORMAT) $^ $@.debug
+
+-%.efi.signed: %.efi certdb/secmod.db
+- pesign -n certdb -i $< -c "shim" -s -o $@ -f
++#%.efi.signed: %.efi certdb/secmod.db
++# pesign -n certdb -i $< -c "shim" -s -o $@ -f
+
+ clean:
+ $(MAKE) -C Cryptlib clean
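Review bot: `CC = $(CROSS_COMPILE)gcc48` hard-codes the compiler name while the port Makefile declares `USE_GCC= 4.8+`, so on a system where the framework selects a newer gcc the build still runs gcc48 (or fails if it is not installed). Use `CC ?= $(CROSS_COMPILE)gcc` so the CC the ports framework exports wins, or pin `USE_GCC= 4.8` in the port if the patched name has to stay. The `%.efi.signed` rule is left behind as commented-out recipe text; delete it instead, and record in the port that the installed MokManager.efi and fallback.efi are therefore unsigned — if I read shim's design correctly, shim will not chain to them under Secure Boot unless they carry a signature it can verify against its embedded certificate. The enclosing Makefile continues outside the hunk.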
Added: head/sysutils/shim/files/patch-elf_x86_64_efi.lds
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/sysutils/shim/files/patch-elf_x86_64_efi.lds Thu Jan 15 10:09:35 2015 (r377070)
@@ -0,0 +1,10 @@
+--- elf_x86_64_efi.lds.orig 2014-12-21 16:01:08.000000000 +0100
++++ elf_x86_64_efi.lds 2014-12-21 16:01:16.000000000 +0100
+@@ -1,5 +1,5 @@
+-/* Same as elf_x86_64_fbsd_efi.lds, except for OUTPUT_FORMAT below - KEEP IN SYNC */
+-OUTPUT_FORMAT("elf64-x86-64", "elf64-x86-64", "elf64-x86-64")
++/* Same as elf_x86_64_efi.lds, except for OUTPUT_FORMAT below - KEEP IN SYNC */
++OUTPUT_FORMAT("elf64-x86-64-freebsd", "elf64-x86-64-freebsd", "elf64-x86-64-freebsd")
+ OUTPUT_ARCH(i386:x86-64)
+ ENTRY(_start)
+ SECTIONS
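Review bot: The rewritten first line reads `Same as elf_x86_64_efi.lds` inside elf_x86_64_efi.lds itself, which is self-referential and no longer tells a reader which file it must be kept in sync with. If the tree contains the elf_x86_64_fbsd_efi.lds the removed comment points at, the smaller change is to have the Makefile pass that script to `-T` rather than patching this one; otherwise make the comment state the change, e.g. `/* FreeBSD build: OUTPUT_FORMAT is elf64-x86-64-freebsd; otherwise same as elf_x86_64_fbsd_efi.lds - KEEP IN SYNC */`.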
Added: head/sysutils/shim/files/patch-lib-Makefile
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/sysutils/shim/files/patch-lib-Makefile Thu Jan 15 10:09:35 2015 (r377070)
@@ -0,0 +1,10 @@
+--- lib/Makefile.orig 2014-11-30 20:34:06.000000000 +0100
++++ lib/Makefile 2014-11-30 20:34:20.000000000 +0100
+@@ -1,3 +1,7 @@
++ifeq ($(ARCH),amd64)
++ override ARCH = x86_64
++endif
++
+ TARGET = lib.a
+
+ LIBFILES = simple_file.o guid.o console.o execute.o configtable.o shell.o variables.o security_policy.o
Added: head/sysutils/shim/pkg-descr
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/sysutils/shim/pkg-descr Thu Jan 15 10:09:35 2015 (r377070)
@@ -0,0 +1,9 @@
+shim is a trivial EFI application that, when run, attempts to open and
+execute another application. It will initially attempt to do this via the
+standard EFI LoadImage() and StartImage() calls. If these fail (because secure
+boot is enabled and the binary is not signed with an appropriate key, for
+instance) it will then validate the binary against a built-in certificate. If
+this succeeds and if the binary or signing key are not blacklisted then shim
+will relocate and execute the binary.
+
+WWW: https://github.com/mjg59/shim