diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list
index 42389b919c1..a5c00470d06 100644
--- a/.github/workflows/portage-stable-packages-list
+++ b/.github/workflows/portage-stable-packages-list
@@ -364,6 +364,7 @@ eclass/python-utils-r1.eclass
 eclass/readme.gentoo-r1.eclass
 eclass/ruby-single.eclass
 eclass/ruby-utils.eclass
+eclass/rpm.eclass
 eclass/savedconfig.eclass
 eclass/selinux-policy-2.eclass
 eclass/strip-linguas.eclass
@@ -507,6 +508,7 @@ sys-block/parted
 sys-block/thin-provisioning-tools
 sys-boot/efibootmgr
+sys-boot/mokutil
 # Updating to 3.0.17 breaks building of sys-boot/shim.
 #
 # sys-boot/gnu-efi
diff --git a/build_library/build_image_util.sh b/build_library/build_image_util.sh
index 570743c2393..64a7a89b861 100755
--- a/build_library/build_image_util.sh
+++ b/build_library/build_image_util.sh
@@ -828,8 +828,8 @@ EOF
 # Sign the kernel after /usr is in a consistent state and verity is calculated
 if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
- sudo sbsign --key /usr/share/sb_keys/DB.key \
- --cert /usr/share/sb_keys/DB.crt \
+ sudo sbsign --key /usr/share/sb_keys/shim.key \
+ --cert /usr/share/sb_keys/shim.pem \
 "${root_fs_dir}/boot/flatcar/vmlinuz-a"
 sudo mv "${root_fs_dir}/boot/flatcar/vmlinuz-a.signed" \
 "${root_fs_dir}/boot/flatcar/vmlinuz-a"
diff --git a/build_library/grub.cfg b/build_library/grub.cfg
index 9e6da4b8693..39bf5107255 100644
--- a/build_library/grub.cfg
+++ b/build_library/grub.cfg
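Review bot: The kernel is now signed with the shim vendor key instead of `DB.key`, but the comment on this block still only says when the signing happens, not that `shim.key` is a published test key whose private half ships in coreos-sb-keys (it is added in this same change), nor why the vendor key rather than the firmware db key is the right one. Extend it: `# Unofficial builds only: sign the kernel with the test shim vendor key so the shim-embedded certificate (not the firmware db) verifies it; official builds skip this step.` The enclosing function starts and ends outside the hunk, so I cannot see whether an official-build signing path exists elsewhere.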
@@ -23,18 +23,6 @@ set linux_append=""
 set secure_boot="0"
-if [ "$grub_platform" = "efi" ]; then
- getenv -e SecureBoot -g 8be4df61-93ca-11d2-aa0d-00e098032b8c -b sb
- getenv -e SetupMode -g 8be4df61-93ca-11d2-aa0d-00e098032b8c -b setupmode
- if [ "$sb" = "01" -a "$setupmode" = "00" ]; then
- set secure_boot="1"
- getenv -e NetBootVerificationKey -g b8ade7d5-d400-4213-8d15-d47be0a621bf -b gpgpubkey
- if [ "$gpgpubkey" != "" ]; then
- trust_var gpgpubkey
- fi
- fi
-fi
-
 if [ "$net_default_server" != "" ]; then
 smbios --type 1 --get-uuid 8 --set uuid
 smbios --type 1 --get-string 7 --set serial
diff --git a/build_library/grub_install.sh b/build_library/grub_install.sh
index 9b4c82f8c1f..71600591402 100755
--- a/build_library/grub_install.sh
+++ b/build_library/grub_install.sh
@@ -50,7 +50,9 @@ CORE_NAME=
 # Whether the SDK's grub or the board root's grub is used. Once amd64 is
 # fixed up the board root's grub will always be used.
-BOARD_GRUB=0
+BOARD_GRUB=1
+
+SBAT_ARG=()
 case "${FLAGS_target}" in
 i386-pc)
@@ -58,8 +60,9 @@ case "${FLAGS_target}" in
 x86_64-efi)
- CORE_MODULES+=( serial efi_gop efinet pgp http tftp )
+ CORE_MODULES+=( serial linux efi_gop efinet pgp http tftp )
 CORE_NAME="core.efi"
+ SBAT_ARG=( --sbat "${BOARD_ROOT}/usr/share/grub/sbat.csv" )
 ;;
 x86_64-xen)
 CORE_NAME="core.elf"
@@ -68,6 +71,7 @@ case "${FLAGS_target}" in
 CORE_MODULES+=( serial linux efi_gop efinet pgp http tftp )
 CORE_NAME="core.efi"
 BOARD_GRUB=1
+ SBAT_ARG=( --sbat "${BOARD_ROOT}/usr/share/grub/sbat.csv" )
 ;;
 *) die_notrace "Unknown GRUB target ${FLAGS_target}"
@@ -164,7 +168,7 @@ if [[ ! -f "${ESP_DIR}/flatcar/grub/grub.cfg.tar" ]]; then
 fi
 sudo tar cf "${ESP_DIR}/flatcar/grub/grub.cfg.tar" \
- -C "${GRUB_TEMP_DIR}" "grub.cfg"
+ -C "${GRUB_TEMP_DIR}" "grub.cfg"
 fi
 info "Generating ${GRUB_DIR}/${CORE_NAME}"
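Review bot: `set secure_boot="0"` is kept at the top of this hunk while every line that ever set it to `"1"` is removed, so any later part of grub.cfg (outside this hunk) that keys off `$secure_boot` now sees Secure Boot as disabled even when the firmware enforces it. If nothing downstream reads the variable any more, delete the `set secure_boot="0"` line as well so a dead flag cannot be mistaken for a working check; if something does, keep the `getenv -e SecureBoot`/`SetupMode` probe that sets `secure_boot="1"` and drop only the `NetBootVerificationKey`/`trust_var` part. Either way a one-line comment on why the firmware-variable probing went away (presumably because shim now owns verification) would save the next reader a git blame.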
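Review bot: The comment directly above `BOARD_GRUB=1` still reads "Once amd64 is fixed up the board root's grub will always be used", but this hunk flips the default so that the board root's grub is used now, and the comment describes the old state. Replace it with `# The board root's grub is used for every target; it ships the sbat.csv that grub-mkimage embeds via --sbat.` The `SBAT_ARG` path `${BOARD_ROOT}/usr/share/grub/sbat.csv` only exists once the board has the bumped grub ebuild, so a stale board root fails inside grub-mkimage with an unhelpful message; `[[ -f "${SBAT_ARG[1]}" ]] || die_notrace "missing ${SBAT_ARG[1]}; rebuild sys-boot/grub"` next to the assignment makes the requirement explicit.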
@@ -174,6 +178,7 @@ sudo grub-mkimage \ --directory "${GRUB_SRC}" \ --config "${ESP_DIR}/${GRUB_DIR}/load.cfg" \ --memdisk "${ESP_DIR}/flatcar/grub/grub.cfg.tar" \ + "${SBAT_ARG[@]}" \ --output "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}" \ "${CORE_MODULES[@]}" 
@@ -192,26 +197,36 @@ case "${FLAGS_target}" in
 x86_64-efi)
 info "Installing default x86_64 UEFI bootloader."
 sudo mkdir -p "${ESP_DIR}/EFI/boot"
- # Use the test keys for signing unofficial builds
- if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
- sudo sbsign --key /usr/share/sb_keys/DB.key \
- --cert /usr/share/sb_keys/DB.crt \
- "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}"
+ # Use the test keys for signing unofficial builds
+ if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
+ # Sign the GRUB with the shim-embedded key
+ sudo sbsign --key /usr/share/sb_keys/shim.key \
+ --cert /usr/share/sb_keys/shim.pem \
+ "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}"
 sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}.signed" \
- "${ESP_DIR}/EFI/boot/grub.efi"
+ "${ESP_DIR}/EFI/boot/grubx64.efi"
+ # Sign the mokmanager(mm) with the shim-embedded key
+ sudo sbsign --key /usr/share/sb_keys/shim.key \
+ --cert /usr/share/sb_keys/shim.pem \
+ "/usr/lib/shim/mmx64.efi"
+ sudo cp "/usr/lib/shim/mmx64.efi.signed" \
+ "${ESP_DIR}/EFI/boot/mmx64.efi"
+
 sudo sbsign --key /usr/share/sb_keys/DB.key \
- --cert /usr/share/sb_keys/DB.crt \
- --output "${ESP_DIR}/EFI/boot/bootx64.efi" \
- "/usr/lib/shim/shim.efi"
+ --cert /usr/share/sb_keys/DB.crt \
+ --output "${ESP_DIR}/EFI/boot/bootx64.efi" \
+ "/usr/lib/shim/shim.efi"
 else
 sudo cp "${ESP_DIR}/${GRUB_DIR}/${CORE_NAME}" \
- "${ESP_DIR}/EFI/boot/grub.efi"
+ "${ESP_DIR}/EFI/boot/grubx64.efi"
 sudo cp "/usr/lib/shim/shim.efi" \
 "${ESP_DIR}/EFI/boot/bootx64.efi"
- fi
+ sudo cp "/usr/lib/shim/mmx64.efi" \
+ "${ESP_DIR}/EFI/boot/mmx64.efi"
+ fi
 # copying from vfat so ignore permissions
 if [[ -n "${FLAGS_copy_efi_grub}" ]]; then
- cp --no-preserve=mode "${ESP_DIR}/EFI/boot/grub.efi" \
+ cp --no-preserve=mode "${ESP_DIR}/EFI/boot/grubx64.efi" \
 "${FLAGS_copy_efi_grub}"
 fi
 if [[ -n "${FLAGS_copy_shim}" ]]; then
diff --git a/build_library/qemu_template.sh b/build_library/qemu_template.sh
index 3118ef96c9b..50c254fd46b 100755
--- a/build_library/qemu_template.sh
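Review bot: The new MokManager signing step writes `mmx64.efi.signed` into `/usr/lib/shim/`, the package-owned directory of the SDK (sbsign without `--output` places the result beside its input), and then copies it out; the shim step a few lines below already uses the cleaner form. Use `--output` and drop the copy: `sudo sbsign --key /usr/share/sb_keys/shim.key --cert /usr/share/sb_keys/shim.pem \` / `--output "${ESP_DIR}/EFI/boot/mmx64.efi" "/usr/lib/shim/mmx64.efi"`. The GRUB signing above it has the same pre-existing pattern and could move to `--output` at the same time. A comment saying that grub and mm are signed with the vendor key because shim (not the firmware db) verifies them, while only `bootx64.efi` needs `DB.key`, would make the two-key layout obvious to the next reader.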
+++ b/build_library/qemu_template.sh
@@ -155,10 +155,14 @@ if [ "${SAFE_ARGS}" -eq 1 ]; then
 else
 case "${VM_BOARD}+$(uname -m)" in
 amd64-usr+x86_64)
+ set -- -global ICH9-LPC.disable_s3=1 \
+ -global driver=cfi.pflash01,property=secure,value=on \
+ "$@"
 # Emulate the host CPU closely in both features and cores.
- set -- -machine accel=kvm:hvf:tcg -cpu host -smp "${VM_NCPUS}" "$@" ;;
+ set -- -machine q35,accel=kvm:hvf:tcg,smm=on -cpu host -smp "${VM_NCPUS}" "$@"
+ ;;
 amd64-usr+*)
- set -- -machine pc-q35-2.8 -cpu kvm64 -smp 1 -nographic "$@" ;;
+ set -- -machine q35 -cpu kvm64 -smp 1 -nographic "$@" ;;
 arm64-usr+aarch64)
 set -- -machine virt,accel=kvm,gic-version=3 -cpu host -smp "${VM_NCPUS}" -nographic "$@" ;;
 arm64-usr+*)
@@ -215,8 +219,8 @@ fi
 if [ -n "${VM_PFLASH_RO}" ] && [ -n "${VM_PFLASH_RW}" ]; then
 set -- \
- -drive if=pflash,file="${SCRIPT_DIR}/${VM_PFLASH_RO}",format=raw,readonly=on \
- -drive if=pflash,file="${SCRIPT_DIR}/${VM_PFLASH_RW}",format=raw "$@"
+ -drive if=pflash,unit=0,file="${SCRIPT_DIR}/${VM_PFLASH_RO}",format=raw,readonly=on \
+ -drive if=pflash,unit=1,file="${SCRIPT_DIR}/${VM_PFLASH_RW}",format=raw "$@"
 fi
 if [ -n "${IGNITION_CONFIG_FILE}" ]; then
diff --git a/build_library/vm_image_util.sh b/build_library/vm_image_util.sh
index e7a966b75be..70c4564ef3c 100644
--- a/build_library/vm_image_util.sh
+++ b/build_library/vm_image_util.sh
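Review bot: `-global driver=cfi.pflash01,property=secure,value=on` and `smm=on` are added to the amd64 KVM branch unconditionally, so they also apply to the non-secure `qemu_uefi` and BIOS launches of the same template; with `secure=on` the variable flash is only writable from SMM, which is right for the SMM-enabled `OVMF_CODE.secboot.fd` the secure format installs but needs confirming for whatever firmware plain `qemu_uefi` uses. If that firmware is not an SMM build, gate the option on the script's own setting, e.g. `if [ "${SECURE_BOOT}" = 1 ]; then set -- -global driver=cfi.pflash01,property=secure,value=on "$@"; fi` (vm_image_util.sh rewrites a `SECURE_BOOT=` line in the generated script, so the variable presumably exists; its definition is outside this hunk). `ICH9-LPC.disable_s3=1` also deserves a one-line comment on why S3 is turned off here, since nothing nearby explains it.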
@@ -807,14 +807,10 @@ _write_qemu_uefi_conf() {
 # Get edk2 files into local build workspace.
 info "Updating edk2 in /build/${BOARD}"
 emerge-${BOARD} --nodeps --select --verbose --update --getbinpkg --newuse sys-firmware/edk2-aarch64
- # Create 64MiB flash device image files.
- dd if=/dev/zero bs=1M count=64 of="$(_dst_dir)/${flash_rw}" \
- status=none
- cp "/build/${BOARD}/usr/share/edk2-aarch64/QEMU_EFI.fd" \
- "$(_dst_dir)/${flash_ro}.work"
- truncate --reference="$(_dst_dir)/${flash_rw}" \
- "$(_dst_dir)/${flash_ro}.work"
- mv "$(_dst_dir)/${flash_ro}.work" "$(_dst_dir)/${flash_ro}"
+ cp "${BOARD_ROOT}/usr/share/AAVMF/AAVMF_CODE.fd" "$(_dst_dir)/${flash_ro}"
+ cp "${BOARD_ROOT}/usr/share/AAVMF/AAVMF_VARS.fd" "$(_dst_dir)/${flash_rw}"
+ truncate -s 64M "$(_dst_dir)/${flash_ro}"
+ truncate -s 64M "$(_dst_dir)/${flash_rw}"
 ;;
 esac
@@ -825,14 +821,18 @@ _write_qemu_uefi_conf() {
 _write_qemu_uefi_secure_conf() {
 local flash_rw="$(_dst_name "_efi_vars.fd")"
+ local flash_ro="$(_dst_name "_efi_code.fd")"
+ local script="$(_dst_dir)/$(_dst_name ".sh")"
 _write_qemu_uefi_conf
+ cp "/usr/share/edk2-ovmf/OVMF_CODE.secboot.fd" "$(_dst_dir)/${flash_ro}"
 cert-to-efi-sig-list "/usr/share/sb_keys/PK.crt" "${VM_TMP_DIR}/PK.esl"
 cert-to-efi-sig-list "/usr/share/sb_keys/KEK.crt" "${VM_TMP_DIR}/KEK.esl"
 cert-to-efi-sig-list "/usr/share/sb_keys/DB.crt" "${VM_TMP_DIR}/DB.esl"
 flash-var "$(_dst_dir)/${flash_rw}" "PK" "${VM_TMP_DIR}/PK.esl"
 flash-var "$(_dst_dir)/${flash_rw}" "KEK" "${VM_TMP_DIR}/KEK.esl"
 flash-var "$(_dst_dir)/${flash_rw}" "db" "${VM_TMP_DIR}/DB.esl"
+ sed -e "s%^SECURE_BOOT=.*%SECURE_BOOT=1%" -i "${script}"
 }
 _write_pxe_conf() {
diff --git a/changelog/changes/2024-01-25-shim-secureboot-update.md b/changelog/changes/2024-01-25-shim-secureboot-update.md
new file mode 100644
index 00000000000..c44298c1905
--- /dev/null
+++ b/changelog/changes/2024-01-25-shim-secureboot-update.md
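Review bot: The `sed -e "s%^SECURE_BOOT=.*%SECURE_BOOT=1%" -i "${script}"` closing `_write_qemu_uefi_secure_conf` cannot tell whether it matched, so if the generated launcher has no `SECURE_BOOT=` line (or `_dst_name ".sh"` names a different file than the one written) the image is silently produced with Secure Boot off and the `qemu_uefi_secure` test passes without testing anything. Guard it before the sed: `grep -q '^SECURE_BOOT=' "${script}" || die "no SECURE_BOOT= line in ${script}"` (or whatever error helper this file uses). The `flash-var ... "db"` line also deserves a comment that PK/KEK/db are the published test keys from coreos-sb-keys, so this variable store trusts anything signed with a key anyone can download — fine for CI, but it must never become a default users boot with.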
@@ -0,0 +1 @@
+- A new format `qemu_uefi_secure` is introduced to test Flatcar for SecureBoot-enabled features. The format will be later merged into `qemu_uefi`.
diff --git a/changelog/updates/2024-01-25-shim-15.8.ebuild.md b/changelog/updates/2024-01-25-shim-15.8.ebuild.md
new file mode 100644
index 00000000000..e417f8232f4
--- /dev/null
+++ b/changelog/updates/2024-01-25-shim-15.8.ebuild.md
@@ -0,0 +1 @@
+- shim ([15.8](https://github.com/rhboot/shim/releases/tag/15.8))
diff --git a/ci-automation/ci-config.env b/ci-automation/ci-config.env
index 6c177bb4c5c..9188dc454a4 100644
--- a/ci-automation/ci-config.env
+++ b/ci-automation/ci-config.env
@@ -66,6 +66,7 @@ QEMU_BIOS="/usr/share/qemu/bios-256k.bin"
 # UEFI bios filename on build cache.
 # Published by vms.sh as part of the qemu vendor build.
 QEMU_UEFI_BIOS="${QEMU_UEFI_BIOS:-flatcar_production_qemu_uefi_efi_code.fd}"
+QEMU_UEFI_SECURE_BIOS="${QEMU_UEFI_SECURE_BIOS:-flatcar_production_qemu_uefi_secure_efi_code.fd}"
 # Update payload for the qemu_update.sh test.
 # The default path set below is relative to TEST_WORK_DIR
diff --git a/ci-automation/vendor-testing/qemu.sh b/ci-automation/vendor-testing/qemu.sh
index 7b426889e41..75c97fb8551 100755
--- a/ci-automation/vendor-testing/qemu.sh
+++ b/ci-automation/vendor-testing/qemu.sh
@@ -34,6 +34,13 @@ fi
 bios="${QEMU_BIOS}"
 if [ "${CIA_TESTSCRIPT}" = "qemu_uefi.sh" ] ; then
 bios="${QEMU_UEFI_BIOS}"
+fi
+
+if [ "${CIA_TESTSCRIPT}" = "qemu_uefi_secure.sh" ] ; then
+ bios="${QEMU_UEFI_SECURE_BIOS}"
+fi
+
+if [ "${CIA_TESTSCRIPT}" = "qemu_uefi.sh" ] || [ "${CIA_TESTSCRIPT}" = "qemu_uefi_secure.sh" ] ; then
 if [ -f "${bios}" ] ; then
 echo "++++ ${CIA_TESTSCRIPT}: Using existing ${bios} ++++"
 else
diff --git a/ci-automation/vendor-testing/qemu_uefi_secure.sh b/ci-automation/vendor-testing/qemu_uefi_secure.sh
new file mode 120000
index 00000000000..a142d967c89
--- /dev/null
+++ b/ci-automation/vendor-testing/qemu_uefi_secure.sh
@@ -0,0 +1 @@
+qemu.sh
\ No newline at end of file
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/README.md b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/README.md
new file mode 100644
index 00000000000..0231aa542e0
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/README.md
@@ -0,0 +1,18 @@
+## Keys & Certificates
+
+- PK (Platform Key): The Platform Key is the key to the platform.
+- KEK (Key Exchange Key): The Key Exchange Key is used to update the signature database.
+- DB (Signature Database): The signature database is used to validate signed EFI binaries.
+- Shim Certificates: Our set of certificates
+
+
+## Generation of Keys & Certificates
+
+
+Generate the our shim certificates:
+
+```
+openssl genrsa -out "shim.key" 2048
+openssl req -new -x509 -sha256 -subj "/CN=shim/" -key "shim.key" -out "shim.pem" -days 7300
+openssl x509 -in "shim.pem" -inform PEM -out "shim.der" -outform DER
+```
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.1.ebuild
deleted file mode 100644
index 9ff15fdf5d5..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.1.ebuild
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright (c) 2015 CoreOS Inc.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-DESCRIPTION="CoreOS Secure Boot keys"
-HOMEPAGE=""
-SRC_URI=""
-LICENSE="BSD"
-SLOT="0"
-KEYWORDS="amd64 arm arm64 x86"
-IUSE=""
-
-S="${WORKDIR}"
-
-src_install() {
- insinto /usr/share/sb_keys
- newins "${FILESDIR}/PK.key" PK.key
- newins "${FILESDIR}/PK.crt" PK.crt
- newins "${FILESDIR}/KEK.key" KEK.key
- newins "${FILESDIR}/KEK.crt" KEK.crt
- newins "${FILESDIR}/DB.key" DB.key
- newins "${FILESDIR}/DB.crt" DB.crt
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.3.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.3.ebuild
new file mode 100644
index 00000000000..9562a134a11
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/coreos-sb-keys-0.0.3.ebuild
@@ -0,0 +1,30 @@
+# Copyright (c) 2015 CoreOS Inc.
+# Copyright (c) 2024 The Flatcar Maintainers.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DESCRIPTION="Flatcar Secure Boot keys"
+HOMEPAGE=""
+SRC_URI=""
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="amd64 arm64"
+IUSE=""
+
+S="${WORKDIR}"
+
+src_install() {
+ insinto /usr/share/sb_keys
+ newins "${FILESDIR}/PK.key" PK.key
+ newins "${FILESDIR}/PK.crt" PK.crt
+ newins "${FILESDIR}/KEK.key" KEK.key
+ newins "${FILESDIR}/KEK.crt" KEK.crt
+ newins "${FILESDIR}/DB.key" DB.key
+ newins "${FILESDIR}/DB.crt" DB.crt
+
+ # shim keys
+ newins "${FILESDIR}/shim.key" shim.key
+ newins "${FILESDIR}/shim.der" shim.der
+ newins "${FILESDIR}/shim.pem" shim.pem
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/shim.der b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/shim.der
new file mode 100644
index 00000000000..2194987d0f9
Binary files /dev/null and b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/shim.der differ
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/shim.key b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/shim.key
new file mode 100644
index 00000000000..52f9fe1e7ac
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/shim.key
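Review bot: `src_install` installs the private halves (`PK.key`, `KEK.key`, `DB.key`, `shim.key`) next to the certificates with default `newins` permissions and nothing in the ebuild says these are test keys, while the same change bakes `shim.der` into shim as its vendor certificate and enrolls `DB.crt` into the CI firmware; anyone finding this package in the SDK could mistake it for real signing material. Add a header comment such as `# TEST KEYS ONLY: the private halves are committed to this repository and therefore public; official builds must never sign with them (see the COREOS_OFFICIAL guards in build_library).` and consider `insopts -m0600` for the `.key` files, since the build scripts already invoke `sbsign` via sudo. The `# shim keys` comment could also say which binaries this key signs (grub, mm, kernel) and that shim verifies them against `shim.der` rather than the firmware db.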
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDpPGgXHDI8K9Th
+CzVTNPyKZqVAvgUKZE+Wzvnuj6Bsghud//17MFUcLIjrrOl3o+hYUzK8dbdQl2Mw
+zq1gpPDs+bEe0+AFoyLU1LrPZVrZxRRXhRrAsGinkOOsApjMlikSEBrevqvbVElU
+0hONyj4mvSaVof6AqVObJyslYerxZVoMkbIIm5gfsGu05xBgdVs5cnYUYpQxNmPy
+LK1ImwFVXZSg0ZxdsEIdLDbWaAFVxBmezv+7U7UZaGi1fFZv6m8LxSMvGtxPFyh2
+Mx3NXFKShgr/QhuAATcMNsYWASgp5tQetOBBlZ8wNefLWtKTdhMDF5Ni88brpuls
+MQO/dpRJAgMBAAECggEAIbJpBYG83kWk5XillSZwIBzRXke12bkBaLPxlx5oGpU3
+oT21ZSFoAoCKraYXOwJS1MP8bg8B06Jzob8SfIaICmzOwrnwwU++/gnYDZPCqvjW
+xghEg7dY/3Cm/BiJ8/Dz8RijkS/yC2ejip4pVhB0p0snsnGrn/IW0rE3ghiiBYsM
+971GSgbGp6o25rhA8/yx5+OOFvGoDX2nIymfFASSPmxiAbXcb4DmdMlrRZ6P4z51
+8WJ8gXiTYvALFVWMNtv8GJZCQFi2fHcat/mWiVzg28J4Mzz9n79E0MrZ+4pxXLFT
+lbtI6OvcjRgvsyxPwkExCsBTKnOeAdgKXKwiczBdMwKBgQD4u5NSEpx98GxiWVZX
+DtT7WuCN257S0KztWzAYpTI5SZIRv4jylZPo+JnSrCvNt4hVs0Jz/aQQXhRIzVSj
+4VrkhlxXGnJpZz1DkICIoFQLi9maazgj1aB9Y6lZeGxAlzCnDHP7pR7dxUj4FF2p
+G6udyGhb3qfsevbSdykZ7DsHMwKBgQDwDOvheT71dNlcNuKrHi89sT5SoD4A2yTv
+pyzBCvh2a+UFxveFa6l+/VgxR8AkX9z37hQxi++QFrBHnTD/NZcLijLnPI1V0pIQ
+uNym6dx1PfuCtulZ24i2Fn5zrNUiNnTLBR31Fa1RJcyJv50IoTMK6F+0Bz4Qxan1
+0Um+xgDGkwKBgAb32ky2UMQGdELdFdoihDz2cswGlxB44B9WKqbGGf4Y3Yq5vvBs
+2FPygvyv7ho5RgyAlSACvxHmUNMpTXG54n38daHLD+F8Du9RoQgy1aftJw94aX43
+geOBY0Eqan30vlwvsSAfpBm6aSzqBSWzrL8i2imYt0OcvkVvKSucvpqZAoGAWoXk
+5dAdJ976oMWp0LG/StpuECaRey0ozp8SR3HlpHKnmPghG1UwQ80x1tOh55Wm9G/5
+eX21x3Zm33qtoXAKF7Xz4DN7cOPJZTjxLJiAJE5NbEuhz9rzwQbWhLSmYxJ6FJ1H
+YMbd5v4EFeYGR9zSLMjYXkFk7Fo9748O6jwsyrUCgYEApBlTWbna9BoxiVElEmvT
+u/NgdKZIEBbeX/NWJz8BJWiBVRg5WaAeuriga/1tMhiX8dgo7z7uGm3moEsXGlVD
+IhZiJeAgMmamr1yqII1q9RTBcA7iPqKmAgto+7zwcVxRmXCMRM/daJ04uqGine+K
+dM/o7gBtadQHJ1KPftM8SqQ=
+-----END PRIVATE KEY-----
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/shim.pem b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/shim.pem
new file mode 100644
index 00000000000..de044d7959a
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-sb-keys/files/shim.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/zCCAeegAwIBAgIUbWirlHd6eCJi2JtP3Z0GEGWTWTMwDQYJKoZIhvcNAQEL
+BQAwDzENMAsGA1UEAwwEc2hpbTAeFw0yMzExMjMyMzAxNTBaFw00MzExMTgyMzAx
+NTBaMA8xDTALBgNVBAMMBHNoaW0wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQDpPGgXHDI8K9ThCzVTNPyKZqVAvgUKZE+Wzvnuj6Bsghud//17MFUcLIjr
+rOl3o+hYUzK8dbdQl2Mwzq1gpPDs+bEe0+AFoyLU1LrPZVrZxRRXhRrAsGinkOOs
+ApjMlikSEBrevqvbVElU0hONyj4mvSaVof6AqVObJyslYerxZVoMkbIIm5gfsGu0
+5xBgdVs5cnYUYpQxNmPyLK1ImwFVXZSg0ZxdsEIdLDbWaAFVxBmezv+7U7UZaGi1
+fFZv6m8LxSMvGtxPFyh2Mx3NXFKShgr/QhuAATcMNsYWASgp5tQetOBBlZ8wNefL
+WtKTdhMDF5Ni88brpulsMQO/dpRJAgMBAAGjUzBRMB0GA1UdDgQWBBSAVx8cxySJ
+XcuJa6P2jBwOxJTNpDAfBgNVHSMEGDAWgBSAVx8cxySJXcuJa6P2jBwOxJTNpDAP
+BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCaj3785ElsU/QkPB3B
+25xaCz23R2079ir0I6p91Zb9QM+n4fOLvEhhrb0tia1X6xaBHBtGk1kpCMP/JTQ2
+ZNW43HuVLieiQnp+oSPGVZ52HnL4keptRr4Dvm+d7K6DDcn8Lcov4euDCsVzgBKE
+EQcjIhAjKdc+nbI51cSoaDhtbBxNsF+ErsWi6+VIyBZ1ATsO6AbSZdKiE2o/3CDv
+il7KIEEJsG43bTdeeuM1d/NLOoZjAnXUPizP0BGJtEE4GljYkN7PHr3czETsRIQ0
+d5JUeoW3b2lYOf85n0ru+fCudk0NSSUyF4LEW6pLmCZCtCAb2GDQ5jeVmFF7BIFl
+M8F2
+-----END CERTIFICATE-----
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
index 3303cdd5ee5..e8e896f7d64 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos/coreos-0.0.1.ebuild
@@ -76,6 +76,7 @@ RDEPEND="${RDEPEND}
 amd64? (
 app-emulation/xenserver-pv-version
 app-emulation/xenstore
+ sys-boot/mokutil
 )
 # sys-devel/gettext: it embeds 'envsubst' binary which is useful for simple file templating.
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild
index 5166713cb19..9cd818a1949 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild
@@ -25,10 +25,7 @@ RDEPEND="
 coreos-base/nova-agent-container
 coreos-base/nova-agent-watcher
 )
- arm64? (
- sys-boot/grub
- sys-firmware/edk2-ovmf-bin
- )
+ sys-boot/grub
 app-containers/containerd
 app-containers/docker
 app-containers/docker-cli
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
index 182e207a404..b974f065f42 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords
@@ -104,3 +104,6 @@
 # Accept unstable host Rust compilers.
 =virtual/rust-1.76.0 ~amd64 ~arm64
+
+# Upgrade to latest version for secureboot
+=sys-boot/mokutil-0.6.0 ~amd64
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/files/sbat.csv.in b/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/files/sbat.csv.in
new file mode 100644
index 00000000000..21d760043e7
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/files/sbat.csv.in
@@ -0,0 +1,3 @@
+sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+grub,4,Free Software Foundation,grub,@@UPSTREAM_VERSION@@,https://www.gnu.org/software/grub/
+grub.flatcar,1,Flatcar,grub2,@@VERSION@@,https://github.com/flatcar/flatcar
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/grub-2.06-r9.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/grub-2.06-r10.ebuild
similarity index 97%
rename from sdk_container/src/third_party/coreos-overlay/sys-boot/grub/grub-2.06-r9.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-boot/grub/grub-2.06-r10.ebuild
index 72140d4ab9b..a4b46efcd3f 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/grub-2.06-r9.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/grub-2.06-r10.ebuild
@@ -321,6 +321,11 @@ src_install() {
 # https://bugs.gentoo.org/231935
 dostrip -x /usr/lib/grub
+
+ # SBAT format documentation https://github.com/rhboot/shim/blob/main/SBAT.md
+ dodir /usr/share/grub
+ sed -e "s/@@UPSTREAM_VERSION@@/${PV}/" -e "s/@@VERSION@@/${PVR}/" "${FILESDIR}"/sbat.csv.in >"${ED}/usr/share/grub/sbat.csv" || die
+
 }
 pkg_postinst() {
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/Manifest
new file mode 100644
index 00000000000..aeb21c8d0a5
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/Manifest
@@ -0,0 +1 @@
+DIST shim-15.8.tar.bz2 2315201 BLAKE2B 24da29cf45a08bceffc15682fcdd16e34e42d3b33f2a0b2e528193d8e3455a034b6242c13cebf43db481f73a83329effd9812f0d1e04861ecf7329e54f9059b9 SHA512 30b3390ae935121ea6fe728d8f59d37ded7b918ad81bea06e213464298b4bdabbca881b30817965bd397facc596db1ad0b8462a84c87896ce6c1204b19371cd1
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-0.8_p20150423-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-0.8_p20150423-r2.ebuild
deleted file mode 120000
index ac0bdc5b80a..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-0.8_p20150423-r2.ebuild
+++ /dev/null
@@ -1 +0,0 @@
-shim-9999.ebuild
\ No newline at end of file
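Review bot: The `sed` that generates `sbat.csv` substitutes only the two version columns; the security-relevant column, the generation number (`grub,4` in `files/sbat.csv.in`), is a bare constant with no explanation anywhere. shim compares that number against its SbatLevel revocation policy and refuses to load grub images below it, so the value has to be raised whenever the Flatcar patch set picks up the upstream fixes that bumped it — and must not be raised before then, because an unpatched build claiming a newer generation is exactly what SBAT exists to prevent. Since the CSV itself cannot carry a comment, put one next to the `sed`: `# The grub generation in sbat.csv.in must match upstream's SBAT.csv for the security patches applied here; shim revokes images below its SbatLevel, so bump it with every grub CVE backport.` `src_install` starts outside the hunk.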
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.8.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.8.ebuild
new file mode 100644
index 00000000000..af215598e1f
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-15.8.ebuild
@@ -0,0 +1,55 @@
+# Copyright 2015 CoreOS, Inc.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+inherit multilib
+
+DESCRIPTION="UEFI Shim loader"
+HOMEPAGE="https://github.com/rhboot/shim"
+SRC_URI="https://github.com/rhboot/shim/releases/download/${PV}/shim-${PV}.tar.bz2"
+KEYWORDS="amd64 arm64"
+
+LICENSE="BSD"
+SLOT="0"
+IUSE=""
+
+RDEPEND=""
+# TODO: Would be ideal to depend on sys-boot/gnu-efi package, but
+# currently the shim insists on using the bundled copy. This will need
+# to be addressed by patching this check out after making sure that
+# our copy of gnu-efi is as usable as the bundled one.
+DEPEND="
+ dev-libs/openssl
+ coreos-base/coreos-sb-keys
+"
+src_compile() {
+ local emake_args=(
+ CROSS_COMPILE="${CHOST}-"
+ )
+ # Apparently our environment already has the ARCH variable in
+ # it, and Makefile picks it up instead of figuring it out
+ # itself with the compiler -dumpmachine flag. But also it
+ # expects a different format of the values. It wants x86_64
+ # instead of amd64, and aarch64 instead of arm64.
+ if use amd64; then
+ emake_args+=( ARCH=x86_64 )
+ elif use arm64; then
+ emake_args+=( ARCH=aarch64 )
+ fi
+ emake_args+=( ENABLE_SBSIGN=1 )
+ emake_args+=( VENDOR_CERT_FILE="/usr/share/sb_keys/shim.der" )
+ emake "${emake_args[@]}" || die
+}
+
+src_install() {
+ local suffix
+ suffix=''
+ if use amd64; then
+ suffix=x64
+ elif use arm64; then
+ suffix=aa64
+ fi
+ insinto /usr/lib/shim
+ newins "shim${suffix}.efi" 'shim.efi'
+ newins "mm${suffix}.efi" "mm${suffix}.efi"
+}
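Review bot: `VENDOR_CERT_FILE="/usr/share/sb_keys/shim.der"` is an absolute path on the build host, while `coreos-base/coreos-sb-keys` is listed in `DEPEND`, which under EAPI 7 installs it into the target sysroot for a cross build, not necessarily on the host; the build then works only because the SDK happens to carry the same package. Make the two agree — either `emake_args+=( VENDOR_CERT_FILE="${ESYSROOT}/usr/share/sb_keys/shim.der" )`, or move the dependency to `BDEPEND` and reference `${BROOT}`. Because this certificate is what every unofficial shim will trust, a comment belongs next to it: `# Vendor cert compiled into shim: the test key from coreos-sb-keys, whose private half is public — grub, mm and the kernel are signed against it.` The `|| die` after `emake` is redundant in EAPI 7, and `newins "mm${suffix}.efi" "mm${suffix}.efi"` is just `doins "mm${suffix}.efi"`.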
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild
deleted file mode 100644
index b2e4e6bd061..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-boot/shim/shim-9999.ebuild
+++ /dev/null
@@ -1,43 +0,0 @@
-# Copyright 2015 CoreOS, Inc.
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-CROS_WORKON_PROJECT="flatcar/shim"
-CROS_WORKON_REPO="https://github.com"
-
-if [[ "${PV}" == 9999 ]]; then
- KEYWORDS="~amd64 ~arm64"
-else
- CROS_WORKON_COMMIT="e98d00c2eb00b1cfb25212f7527ed47d8ab3bb3a"
- KEYWORDS="amd64 arm64"
-fi
-
-inherit cros-workon multilib
-
-DESCRIPTION="UEFI Shim loader"
-HOMEPAGE="https://github.com/rhinstaller/shim"
-
-LICENSE="BSD"
-SLOT="0"
-IUSE=""
-
-RDEPEND=""
-DEPEND="sys-boot/gnu-efi dev-libs/openssl"
-
-src_unpack() {
- cros-workon_src_unpack
- default_src_unpack
-}
-
-src_compile() {
- emake \
- CROSS_COMPILE="${CHOST}-" \
- EFI_INCLUDE="${SYSROOT%/}"/usr/include/efi \
- EFI_PATH="${SYSROOT%/}"/usr/$(get_libdir) \
- shim.efi || die
-}
-
-src_install() {
- insinto /usr/lib/shim
- doins "shim.efi"
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/Manifest
index 29730be8906..22b3138c398 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/Manifest
@@ -1 +1 @@
-DIST QEMU_EFI.fd 2097152 BLAKE2B 0b65476a7b7363d7ab195dddf59fc69f8c3352de0e41a33cd967629300ee0affc063056603ac5fb53e2b11933060894f74fc8384f117eee6344b518c382eb58a SHA512 ebf456fe789a52ae3a367a1f277255d3db3602af4206fc9a4f8912580312f9262d61221df8f894392dffc98a85535be86196336edc12e0df709110df4b477313
+DIST edk2-aarch64-20230524-3.fc38.noarch.rpm 7363923 BLAKE2B 75ff00ea1e988148fbc9a56b8ee3eb44bdec5ceb51b554c3d298191feeb2c876f43740aa3608d3e4b4cc3223aa6bfd8a275f8c6f4c92595af07498b5d6ee68af SHA512 bfe814e0b2230104887a2638f6871fda54cde65937c93226c56cac1a4e1a915b474d690e2862f71ecfc584c3c74d5a091482e038cfc83de9091e5dc49916119b
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/edk2-aarch64-18.02.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/edk2-aarch64-18.02.ebuild
deleted file mode 100644
index 0feb414c60f..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/edk2-aarch64-18.02.ebuild
+++ /dev/null
@@ -1,22 +0,0 @@
-# Copyright 1999-2019 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-DESCRIPTION="Linaro edk2 ARM64 EFI firmware"
-HOMEPAGE="https://github.com/tianocore/edk2"
-SRC_URI="http://releases.linaro.org/reference-platform/enterprise/firmware/18.02/release/qemu-aarch64/QEMU_EFI.fd"
-
-LICENSE="BSD-2-Clause-Patent"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
-
-src_unpack() {
- mkdir "${S}"
- cp ../distdir/"${A}" "${S}"/QEMU_EFI.fd
-}
-
-src_install() {
- mkdir -p "${D}/usr/share/edk2-aarch64"
- cp QEMU_EFI.fd "${D}/usr/share/edk2-aarch64/QEMU_EFI.fd"
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/edk2-aarch64-20220221.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/edk2-aarch64-20220221.ebuild
new file mode 100644
index 00000000000..d1fead7ff07
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-firmware/edk2-aarch64/edk2-aarch64-20220221.ebuild
@@ -0,0 +1,23 @@
+# Copyright (c) 2024 The Flatcar Maintainers.
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit rpm
+
+DESCRIPTION="Fedora's build of edk2 ARM64 EFI firmware"
+HOMEPAGE="https://packages.fedoraproject.org/pkgs/edk2/edk2-aarch64/"
+SRC_URI="https://kojipkgs.fedoraproject.org//packages/edk2/20230524/3.fc38/noarch/edk2-aarch64-20230524-3.fc38.noarch.rpm"
+
+LICENSE="BSD-2-Clause-Patent openssl"
+SLOT="0"
+KEYWORDS="amd64 arm64"
+
+S="${WORKDIR}"
+
+src_install() {
+ # Avoid collision with qemu installed config file
+ mv usr/share/qemu/firmware/{60,61}-edk2-aarch64.json
+ insinto /
+ doins -r *
+}
diff --git a/sdk_container/src/third_party/portage-stable/eclass/rpm.eclass b/sdk_container/src/third_party/portage-stable/eclass/rpm.eclass
new file mode 100644
index 00000000000..d8bb0ad2814
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/eclass/rpm.eclass
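Review bot: `mv usr/share/qemu/firmware/{60,61}-edk2-aarch64.json` runs without `|| die`, so if the Fedora RPM's layout changes the rename fails silently and the following `doins -r *` installs the original `60-` descriptor that the comment says collides with qemu's own file. Write `mv usr/share/qemu/firmware/{60,61}-edk2-aarch64.json || die`. `doins -r *` installs the entire RPM payload from a distribution binary that is only pinned by the Manifest checksum, which is acceptable for a firmware blob but worth a comment stating what is actually consumed — vm_image_util.sh reads `usr/share/AAVMF/AAVMF_CODE.fd` and `AAVMF_VARS.fd` from the board root, assuming the RPM provides them under that path — so that a future version bump checks those files still exist.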
@@ -0,0 +1,146 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# @ECLASS: rpm.eclass
+# @MAINTAINER:
+# base-system@gentoo.org
+# @SUPPORTED_EAPIS: 6 7 8
+# @BLURB: convenience class for extracting RPMs
+
+case ${EAPI} in
+ 6) inherit epatch eutils ;; # eutils for eqawarn
+ 7|8) ;;
+ *) die "${ECLASS}: EAPI ${EAPI:-0} not supported" ;;
+esac
+
+if [[ -z ${_RPM_ECLASS} ]] ; then
+_RPM_ECLASS=1
+
+inherit estack
+
+case ${EAPI} in
+ 6) DEPEND="app-arch/rpm2targz" ;;
+ *) BDEPEND="app-arch/rpm2targz" ;;
+esac
+
+# @FUNCTION: rpm_unpack
+# @USAGE:
+# @DESCRIPTION:
+# Unpack the contents of the specified rpms like the unpack() function.
+rpm_unpack() {
+ [[ $# -eq 0 ]] && set -- ${A}
+ local a
+ for a in "$@" ; do
+ echo ">>> Unpacking ${a} to ${PWD}"
+ if [[ ${a} == ./* ]] ; then
+ : # nothing to do -- path is local
+ elif [[ ${a} == "${DISTDIR}"/* ]] ; then
+ eqawarn 'do not use ${DISTDIR} with rpm_unpack -- it is added for you'
+ elif [[ ${a} == /* ]] ; then
+ eqawarn 'do not use full paths with rpm_unpack -- use ./ paths instead'
+ else
+ a="${DISTDIR}/${a}"
+ fi
+ rpm2tar -O "${a}" | tar xf -
+ assert "failure unpacking ${a}"
+ done
+}
+
+# @FUNCTION: srcrpm_unpack
+# @USAGE:
+# @DESCRIPTION:
+# Unpack the contents of the specified rpms like the unpack() function as well
+# as any archives that it might contain. Note that the secondary archive
+# unpack isn't perfect in that it simply unpacks all archives in the working
+# directory (with the assumption that there weren't any to start with).
+srcrpm_unpack() {
+ [[ $# -eq 0 ]] && set -- ${A}
+ rpm_unpack "$@"
+
+ # no .src.rpm files, then nothing to do
+ [[ "$* " != *".src.rpm " ]] && return 0
+
+ eshopts_push -s nullglob
+
+ # unpack everything
+ local a
+ for a in *.tar.{gz,bz2,xz} *.t{gz,bz2,xz} *.zip *.ZIP ; do
+ unpack "./${a}"
+ rm -f "${a}" || die
+ done
+
+ eshopts_pop
+
+ return 0
+}
+
+# @FUNCTION: rpm_src_unpack
+# @DESCRIPTION:
+# Automatically unpack all archives in ${A} including rpms. If one of the
+# archives in a source rpm, then the sub archives will be unpacked as well.
+rpm_src_unpack() {
+ local a
+ for a in ${A} ; do
+ case ${a} in
+ *.rpm) srcrpm_unpack "${a}" ;;
+ *) unpack "${a}" ;;
+ esac
+ done
+}
+
+# @FUNCTION: rpm_spec_epatch
+# @USAGE: [spec]
+# @DEPRECATED: none
+# @DESCRIPTION:
+# Read the specified spec (defaults to ${PN}.spec) and attempt to apply
+# all the patches listed in it. If the spec does funky things like moving
+# files around, well this won't handle that.
+rpm_spec_epatch() {
+ # no epatch in EAPI 7 and later
+ [[ ${EAPI} == 6 ]] || die "${FUNCNAME} is banned in EAPI ${EAPI}"
+
+ local p spec=$1
+ local dir
+
+ if [[ -z ${spec} ]] ; then
+ # search likely places for the spec file
+ for spec in "${PWD}" "${S}" "${WORKDIR}" ; do
+ spec+="/${PN}.spec"
+ [[ -e ${spec} ]] && break
+ done
+ fi
+ [[ ${spec} == */* ]] \
+ && dir=${spec%/*} \
+ || dir=
+
+ ebegin "Applying patches from ${spec}"
+
+ grep '^%patch' "${spec}" | \
+ while read line ; do
+ # expand the %patch line
+ set -- ${line}
+ p=$1
+ shift
+
+ # process the %patch arguments
+ local arg
+ EPATCH_OPTS=
+ for arg in "$@" ; do
+ case ${arg} in
+ -b) EPATCH_OPTS+=" --suffix" ;;
+ *) EPATCH_OPTS+=" ${arg}" ;;
+ esac
+ done
+
+ # extract the patch name from the Patch# line
+ set -- $(grep "^P${p#%p}: " "${spec}")
+ shift
+ epatch "${dir:+${dir}/}$*"
+ done
+
+ eend
+}
+
+fi
+
+EXPORT_FUNCTIONS src_unpack
diff --git a/sdk_container/src/third_party/portage-stable/sys-boot/mokutil/Manifest b/sdk_container/src/third_party/portage-stable/sys-boot/mokutil/Manifest
new file mode 100644
index 00000000000..24fa911ab2e
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-boot/mokutil/Manifest
@@ -0,0 +1 @@
+DIST mokutil-0.6.0.tar.gz 38047 BLAKE2B f2307807c700091f1e5a783b3ad8e7b3eaa17e05580b2c24fd0e92433c6b9bedfb51e9eb2d5d1c71448623b12b6667a573dd51ed03fc738aaf9815083e118ca0 SHA512 11a9d172dba4fbb674e58e5d82cb1dc65a80cff844c0eaebd106b4d4608b24a8207e0cfabf36fe1eedb67f68a8a18db2136c7b62aa3230ac104615e8284dbd7d
diff --git a/sdk_container/src/third_party/portage-stable/sys-boot/mokutil/files/mokutil-0.6.0-conflict.patch b/sdk_container/src/third_party/portage-stable/sys-boot/mokutil/files/mokutil-0.6.0-conflict.patch
new file mode 100644
index 00000000000..6283fa33163
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-boot/mokutil/files/mokutil-0.6.0-conflict.patch
@@ -0,0 +1,38 @@ +From dd55c28236809fc30a7f079882914cde45560277 Mon Sep 17 00:00:00 2001 +From: Gary Lin +Date: Fri, 30 Jun 2023 10:36:54 +0800 +Subject: [PATCH] Avoid conflicting efi_char16_t type definitions + +It's not necessary to define 'efi_char16_t' as 'wchar_t' since we don't +need any wchar functions. Besides, it may conflict with efivar-38. This +commit defines 'efi_char16_t' as 'uint16_t' and adds the conditional +check to avoid the potential conflict. + +Fixes: https://github.com/lcp/mokutil/issues/66 + +Signed-off-by: Gary Lin +--- + src/mokutil.h | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/mokutil.h b/src/mokutil.h +index d47a380..bd02608 100644 +--- a/src/mokutil.h ++++ b/src/mokutil.h +@@ -33,13 +33,14 @@ + #define __MOKUTIL_H__ + + #include +-#include + + #include "signature.h" + + typedef unsigned long efi_status_t; + typedef uint8_t efi_bool_t; +-typedef wchar_t efi_char16_t; /* UNICODE character */ ++#ifndef efi_char16_t ++typedef uint16_t efi_char16_t; /* UNICODE character */ ++#endif + + typedef enum { + DELETE_MOK = 0, diff --git a/sdk_container/src/third_party/portage-stable/sys-boot/mokutil/metadata.xml b/sdk_container/src/third_party/portage-stable/sys-boot/mokutil/metadata.xml new file mode 100644 index 00000000000..cc8c212f86d --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-boot/mokutil/metadata.xml @@ -0,0 +1,11 @@ + + + + + zerochaos@gentoo.org + Rick Farina + + + lcp/mokutil + + diff --git a/sdk_container/src/third_party/portage-stable/sys-boot/mokutil/mokutil-0.6.0.ebuild b/sdk_container/src/third_party/portage-stable/sys-boot/mokutil/mokutil-0.6.0.ebuild new file mode 100644 index 00000000000..b57693258f1 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-boot/mokutil/mokutil-0.6.0.ebuild 
@@ -0,0 +1,28 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit autotools
+
+DESCRIPTION="The utility to manipulate machines owner keys which managed in shim"
+HOMEPAGE="https://github.com/lcp/mokutil"
+SRC_URI="https://github.com/lcp/mokutil/archive/${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+
+DEPEND="dev-libs/openssl:=
+ sys-apps/keyutils:=
+ sys-libs/efivar:=
+ virtual/libcrypt:="
+RDEPEND="${DEPEND}"
+BDEPEND="virtual/pkgconfig"
+
+PATCHES=( "${FILESDIR}"/mokutil-0.6.0-conflict.patch )
+
+src_prepare() {
+ default
+ eautoreconf
+}