On 27 January 2016 at 17:32, James Bottomley James.Bottomley@hansenpartnership.com wrote:
On Wed, 2016-01-27 at 17:20 +0100, Ard Biesheuvel wrote:
On 27 January 2016 at 17:16, James Bottomley James.Bottomley@hansenpartnership.com wrote:
On Wed, 2016-01-27 at 16:38 +0100, Ard Biesheuvel wrote:
On 27 January 2016 at 16:37, James Bottomley James.Bottomley@hansenpartnership.com wrote:
On Wed, 2016-01-27 at 16:31 +0100, Ard Biesheuvel wrote:
On 27 January 2016 at 16:20, James Bottomley James.Bottomley@hansenpartnership.com wrote: > On Wed, 2016-01-27 at 13:17 +0100, Ard Biesheuvel wrote: > > These patches have been in my personal queue for about > > two > > years, > > and > > have already been incorporated into the Ubuntu packaged > > version > > of > > sbsigntool. > > > > Patch #1 and #2 fixes some generic issues, and patch #3 > > introduces > > the ARM and AArch64 magic values in the PE/COFF header > > check, > > which > > is all that is needed to get sbsign to sign ARM images. > > > > > > Ard Biesheuvel (3): > > sbsigntool: remove doubly defined > > IMAGE_FILE_MACHINE_AMD64 > > sbsigntool: fix handling of zero sized sections > > sbsigntool: add support for ARM and Aarch64 PE/COFF > > images > > > > src/coff/pe.h | 2 +- > > src/image.c | 48 +++++++++++--------- > > 2 files changed, 27 insertions(+), 23 deletions(-) > > I can incorporate them into my build service package like I > did > for > multi-sign. The problem is that Jeremy maintains the > upstream > and > it's > not moving: > > git://kernel.ubuntu.com/jk/sbsigntool > > I presume because Jeremy is now at Ozlabs? Do you have a > different > upstream URL? >
To be honest, I wrote these 2+ years ago, so I don't remember exactly. Someone brought it to my attention that these are not upstream, but if that is still Jeremy instead of you, then yes, I suppose they need to be sent to Jeremy.
You mean
http://git.kernel.org/cgit/linux/kernel/git/jejb/sbsigntools.gi t/
It's where I keep my changes, but it's not where Ubuntu pulls from.
OK. Perhaps Jeremy can confirm where I should send these patches, and which tree to base them on?
If Jeremy doesn't want to, I can. I think the first order of business would be to resolve all the divergent patches, although when I look through the ubuntu one (is this the master?):
https://launchpad.net/ubuntu/+source/sbsigntool
The patch efi_arch_ia32.patch should make it not build for aarch64, so I suspect there's another more recent one somewhere.
I honestly haven't tried an aarch64 host, only aarch64 target, which is what I care about mostly tbh.
Hmm, well here be dragons: the selector selects the EFI ABI based on the host architecture, so if you're cross building for AARCH64 on x86, it's actually pulling in the ABI header files from /usr/include/efi/x86_64 ... I suppose we're just lucky and this happens to be identical to the aarch64 ABI?
The parts of the PE/COFF headers that sbsign manipulates only differ between 32-bit and 64-bit (i.e., PE and PE+). Since x86_64 sbsign can correctly sign i386 images (afaict) this shouldn't be an issue
I know my Ubuntu box's sbsign v0.6 happily signs ARM images since Adam Conrad merged these 3 patches into the ubuntu version (0.6 -0ubuntu7 as per your URL)
So if we can decide on a base to continue on, I'll try to resolve any AArch64 host issues if they are still present, and rebase these 3 patches onto it as well.
I'll begin the integration in the 1h we just got back from Vincent. At least then we'll know what a combined tree might look like. I can also turn on the aarch64 build on OBS ... although without a test platform I'm not sure that will be useful.
I'd be happy to organize some automated testing for the ARM and AArch64 side (build time and runtime)