On Thu, 2016-01-28 at 16:34 +0100, Ard Biesheuvel wrote:
On 28 January 2016 at 16:31, James Bottomley James.Bottomley@hansenpartnership.com wrote:
On Thu, 2016-01-28 at 10:30 +0100, Ard Biesheuvel wrote:
On 28 January 2016 at 01:10, James Bottomley James.Bottomley@hansenpartnership.com wrote:
On Thu, 2016-01-28 at 07:45 +0800, Jeremy Kerr wrote:
Hi James,
On 27/01/16 23:20, James Bottomley wrote:
On Wed, 2016-01-27 at 13:17 +0100, Ard Biesheuvel wrote: > These patches have been in my personal queue for about > two > years, > and > have already been incorporated into the Ubuntu packaged > version > of > sbsigntool. > > Patch #1 and #2 fixes some generic issues, and patch #3 > introduces > the ARM and AArch64 magic values in the PE/COFF header > check, > which > is all that is needed to get sbsign to sign ARM images. > > > Ard Biesheuvel (3): > sbsigntool: remove doubly defined > IMAGE_FILE_MACHINE_AMD64 > sbsigntool: fix handling of zero sized sections > sbsigntool: add support for ARM and Aarch64 PE/COFF > images > > src/coff/pe.h | 2 +- > src/image.c | 48 +++++++++++--------- > 2 files changed, 27 insertions(+), 23 deletions(-)
I can incorporate them into my build service package like I did for multi-sign. The problem is that Jeremy maintains the upstream and it's not moving:
git://kernel.ubuntu.com/jk/sbsigntool
Yes - I don't have access to the git repo above anymore. I believe Steve Langasek was doing some work on it more recently. Steve
Do you have a new repo somewhere?
That would be useful. The Ubuntu source is missing multi-sign, which really needs to be added. In the meantime, my integrated repo is here:
http://git.kernel.org/cgit/linux/kernel/git/jejb/sbsigntools.gi t/
I also set up OBS targets for armv7 and aarch64 here
https://build.opensuse.org/project/show/home:jejb1:UEFI
It's building for them, but I've no idea if it's working. I actually changed the whole setup of the sbsigntools build so the rpm build is effectively slaved from the debian one.
Is there any need to get efitools building for aarch64? It's got a calling convention thunk which prevents the build, but I've been meaning to get rid of it.
I have added support for ARM and AArch64 to gnu-efi, so porting efitools should be possible as well, but it is non-trivial since the GNU tools for ARM don't support PE/COFF. I will put it on my TODO list.
It's not just efitools; sbsigntools needs it as well. Aarch64 is actually building on OBS, so it must have gnu-efi. armv7l failed because it doesn't.
It does not look like sbsigntools builds anything that executes under UEFI, it only uses the GNUEFI headers to interpret the PE/COFF header format.
That's right, but under OBS, which does native building in a virtual machine, it means the gnu-efi package has to be installed for the architectures it builds. If you click on one of the builds, you can see it being installed as part of the build log.
James