On Wed, 2016-01-27 at 17:36 +0100, Ard Biesheuvel wrote:
On 27 January 2016 at 17:32, James Bottomley James.Bottomley@hansenpartnership.com wrote:
On Wed, 2016-01-27 at 17:20 +0100, Ard Biesheuvel wrote:
On 27 January 2016 at 17:16, James Bottomley James.Bottomley@hansenpartnership.com wrote:
On Wed, 2016-01-27 at 16:38 +0100, Ard Biesheuvel wrote:
On 27 January 2016 at 16:37, James Bottomley James.Bottomley@hansenpartnership.com wrote:
On Wed, 2016-01-27 at 16:31 +0100, Ard Biesheuvel wrote: > On 27 January 2016 at 16:20, James Bottomley > James.Bottomley@hansenpartnership.com wrote: > > On Wed, 2016-01-27 at 13:17 +0100, Ard Biesheuvel > > wrote: > > > These patches have been in my personal queue for > > > about > > > two > > > years, > > > and > > > have already been incorporated into the Ubuntu > > > packaged > > > version > > > of > > > sbsigntool. > > > > > > Patch #1 and #2 fixes some generic issues, and patch > > > #3 > > > introduces > > > the ARM and AArch64 magic values in the PE/COFF > > > header > > > check, > > > which > > > is all that is needed to get sbsign to sign ARM > > > images. > > > > > > > > > Ard Biesheuvel (3): > > > sbsigntool: remove doubly defined > > > IMAGE_FILE_MACHINE_AMD64 > > > sbsigntool: fix handling of zero sized sections > > > sbsigntool: add support for ARM and Aarch64 PE/COFF > > > images > > > > > > src/coff/pe.h | 2 +- > > > src/image.c | 48 +++++++++++--------- > > > 2 files changed, 27 insertions(+), 23 deletions(-) > > > > I can incorporate them into my build service package > > like I > > did > > for > > multi-sign. The problem is that Jeremy maintains the > > upstream > > and > > it's > > not moving: > > > > git://kernel.ubuntu.com/jk/sbsigntool > > > > I presume because Jeremy is now at Ozlabs? Do you have > > a > > different > > upstream URL? > > > > To be honest, I wrote these 2+ years ago, so I don't > remember > exactly. Someone brought it to my attention that these > are > not > upstream, but if that is still Jeremy instead of you, > then > yes, I > suppose they need to be sent to Jeremy.
You mean
http://git.kernel.org/cgit/linux/kernel/git/jejb/sbsigntool s.gi t/
It's where I keep my changes, but it's not where Ubuntu pulls from.
OK. Perhaps Jeremy can confirm where I should send these patches, and which tree to base them on?
If Jeremy doesn't want to, I can. I think the first order of business would be to resolve all the divergent patches, although when I look through the ubuntu one (is this the master?):
https://launchpad.net/ubuntu/+source/sbsigntool
The patch efi_arch_ia32.patch should make it not build for aarch64, so I suspect there's another more recent one somewhere.
I honestly haven't tried an aarch64 host, only aarch64 target, which is what I care about mostly tbh.
Hmm, well here be dragons: the selector selects the EFI ABI based on the host architecture, so if you're cross building for AARCH64 on x86, it's actually pulling in the ABI header files from /usr/include/efi/x86_64 ... I suppose we're just lucky and this happens to be identical to the aarch64 ABI?
The parts of the PE/COFF headers that sbsign manipulates only differ between 32-bit and 64-bit (i.e., PE and PE+). Since x86_64 sbsign can correctly sign i386 images (afaict) this shouldn't be an issue
I know my Ubuntu box's sbsign v0.6 happily signs ARM images since Adam Conrad merged these 3 patches into the ubuntu version (0.6 -0ubuntu7 as per your URL)
So if we can decide on a base to continue on, I'll try to resolve any AArch64 host issues if they are still present, and rebase these 3 patches onto it as well.
I'll begin the integration in the 1h we just got back from Vincent. At least then we'll know what a combined tree might look like. I can also turn on the aarch64 build on OBS ... although without a test platform I'm not sure that will be useful.
I'd be happy to organize some automated testing for the ARM and AArch64 side (build time and runtime)
OK, I got all the ubuntu patches extracted and updated. There's plenty of scope for problems here because the ubuntu tree doesn't do multi -sign and mine does, so there was quite a bit of code motion.
http://git.kernel.org/cgit/linux/kernel/git/jejb/sbsigntools.git/
I'll push it to OBS and if it all seem to work move the version to 0.8
Thanks,
James