authortrasz <trasz@FreeBSD.org>2015-01-15 18:09:35 +0800
committertrasz <trasz@FreeBSD.org>2015-01-15 18:09:35 +0800
commit58e94ac7c42bfb16030a4e37be2ca587ba8bc617 (patch)
treeac548a1d99207593268b01b33a019141dbfbb846 /sysutils/shim
parent3f9dbe5bd4c6fd7b4de085833910d0d39ae22b7a (diff)
New port: sysutils/shim
shim is a trivial EFI application that, when run, attempts to open and execute another application. It will initially attempt to do this via the standard EFI LoadImage() and StartImage() calls. If these fail (because secure boot is enabled and the binary is not signed with an appropriate key, for instance) it will then validate the binary against a built-in certificate. If this succeeds and if the binary or signing key are not blacklisted then shim will relocate and execute the binary. Sponsored by: The FreeBSD Foundation
Diffstat (limited to 'sysutils/shim')
-rw-r--r--sysutils/shim/Makefile37
-rw-r--r--sysutils/shim/distinfo2
-rw-r--r--sysutils/shim/files/patch-Cryptlib-Makefile9
-rw-r--r--sysutils/shim/files/patch-Cryptlib-OpenSSL-Makefile9
-rw-r--r--sysutils/shim/files/patch-Makefile49
-rw-r--r--sysutils/shim/files/patch-elf_x86_64_efi.lds10
-rw-r--r--sysutils/shim/files/patch-lib-Makefile10
-rw-r--r--sysutils/shim/pkg-descr9
8 files changed, 135 insertions, 0 deletions
diff --git a/sysutils/shim/Makefile b/sysutils/shim/Makefile
new file mode 100644
index 000000000000..72363f1f88fb
--- /dev/null
+++ b/sysutils/shim/Makefile
@@ -0,0 +1,37 @@
+# Created by: Edward Tomasz Napierala <trasz@FreeBSD.org>
+# $FreeBSD$
+
+PORTNAME= shim
+PORTVERSION= 0.8
+CATEGORIES= sysutils
+
+MAINTAINER= trasz@FreeBSD.org
+COMMENT= UEFI Secure Boot shim loader
+
+LICENSE= BSD2CLAUSE
+
+BUILD_DEPENDS= ${NONEXISTENT}:${PORTSDIR}/devel/gnu-efi \
+ bash:${PORTSDIR}/shells/bash
+
+USE_GITHUB= yes
+GH_ACCOUNT= mjg59
+GH_COMMIT= 6f4d516
+
+USES= gmake
+USE_GCC= 4.8+
+USE_GITHUB= yes
+MAKE_JOBS_UNSAFE= yes
+ONLY_FOR_ARCHS= amd64
+
+PLIST_FILES= lib/shim/MokManager.efi lib/shim/fallback.efi lib/shim/shim.efi
+
+post-patch:
+ @${REINPLACE_CMD} -e "s|/bin/bash|${LOCALBASE}/bin/bash|" ${WRKSRC}/make-certs
+
+do-install:
+ ${MKDIR} ${STAGEDIR}/${PREFIX}/lib/shim
+ ${INSTALL_PROGRAM} ${WRKSRC}/shim.efi ${STAGEDIR}/${PREFIX}/lib/shim
+ ${INSTALL_PROGRAM} ${WRKSRC}/MokManager.efi ${STAGEDIR}/${PREFIX}/lib/shim
+ ${INSTALL_PROGRAM} ${WRKSRC}/fallback.efi ${STAGEDIR}/${PREFIX}/lib/shim
+
+.include <bsd.port.mk>
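Review bot: The three `${INSTALL_PROGRAM}` lines in do-install copy the EFI images with the ports macro that normally passes the strip flag to install(1), so the bytes that land in `lib/shim` may differ from what the build produced. For PE/COFF images that will be hashed or signed for Secure Boot, a byte-for-byte copy is the safer default, for example `${INSTALL_DATA} ${WRKSRC}/shim.efi ${STAGEDIR}/${PREFIX}/lib/shim`, and likewise for MokManager.efi and fallback.efi. Separately, `USE_GITHUB= yes` appears twice, once before `GH_ACCOUNT` and again after `USE_GCC`; the second occurrence can be dropped.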
diff --git a/sysutils/shim/distinfo b/sysutils/shim/distinfo
new file mode 100644
index 000000000000..b0e5f98656a0
--- /dev/null
+++ b/sysutils/shim/distinfo
@@ -0,0 +1,2 @@
+SHA256 (shim-0.8.tar.gz) = 150692b908c8502872a357025e70434c75bad8416d9a52e3e946fd75d3f6cf9e
+SIZE (shim-0.8.tar.gz) = 1252057
diff --git a/sysutils/shim/files/patch-Cryptlib-Makefile b/sysutils/shim/files/patch-Cryptlib-Makefile
new file mode 100644
index 000000000000..f383cb0b2728
--- /dev/null
+++ b/sysutils/shim/files/patch-Cryptlib-Makefile
@@ -0,0 +1,9 @@
+--- Cryptlib/Makefile.orig 2014-10-13 22:41:51.000000000 +0200
++++ Cryptlib/Makefile 2014-11-30 20:23:01.000000000 +0100
+@@ -1,3 +1,6 @@
++ifeq ($(ARCH),amd64)
++ override ARCH = x86_64
++endif
+
+ EFI_INCLUDES = -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
+
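Review bot: The `ifeq ($(ARCH),amd64)` block added at the top of Cryptlib/Makefile has no comment saying why it is there, and the same three lines are repeated in patch-Cryptlib-OpenSSL-Makefile and patch-lib-Makefile. A one-line comment above each block, such as `# FreeBSD names the architecture amd64; the EFI headers are looked up under $(EFI_INCLUDE)/x86_64`, would tell the next maintainer what breaks if it is removed (the reason is inferred from the `-I$(EFI_INCLUDE)/$(ARCH)` path on the following line). The sub-Makefiles write `override ARCH = x86_64` while patch-Makefile writes `override ARCH := x86_64`; using one form in all four places makes them easier to compare.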
diff --git a/sysutils/shim/files/patch-Cryptlib-OpenSSL-Makefile b/sysutils/shim/files/patch-Cryptlib-OpenSSL-Makefile
new file mode 100644
index 000000000000..89343408e159
--- /dev/null
+++ b/sysutils/shim/files/patch-Cryptlib-OpenSSL-Makefile
@@ -0,0 +1,9 @@
+--- Cryptlib/OpenSSL/Makefile.orig 2014-11-30 20:31:14.000000000 +0100
++++ Cryptlib/OpenSSL/Makefile 2014-11-30 20:31:23.000000000 +0100
+@@ -1,3 +1,6 @@
++ifeq ($(ARCH),amd64)
++ override ARCH = x86_64
++endif
+
+ EFI_INCLUDES = -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
+
diff --git a/sysutils/shim/files/patch-Makefile b/sysutils/shim/files/patch-Makefile
new file mode 100644
index 000000000000..ff4383ff952c
--- /dev/null
+++ b/sysutils/shim/files/patch-Makefile
@@ -0,0 +1,49 @@
+--- Makefile.orig 2014-10-13 22:41:51.000000000 +0200
++++ Makefile 2014-12-21 16:18:40.000000000 +0100
+@@ -1,16 +1,22 @@
+-CC = $(CROSS_COMPILE)gcc
++CROSS_COMPILE = $(LOCALBASE)/bin/
++
++CC = $(CROSS_COMPILE)gcc48
+ LD = $(CROSS_COMPILE)ld
+ OBJCOPY = $(CROSS_COMPILE)objcopy
+
+ ARCH = $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,)
+
++ifeq ($(ARCH),amd64)
++ override ARCH := x86_64
++endif
++
+ SUBDIRS = Cryptlib lib
+
+-LIB_PATH = /usr/lib64
++LIB_PATH = $(LOCALBASE)/lib
+
+-EFI_INCLUDE := /usr/include/efi
++EFI_INCLUDE := $(LOCALBASE)/include/efi
+ EFI_INCLUDES = -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -Iinclude
+-EFI_PATH := /usr/lib64/gnuefi
++EFI_PATH := $(LOCALBASE)/lib
+
+ LIB_GCC = $(shell $(CC) -print-libgcc-file-name)
+ EFI_LIBS = -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC)
+@@ -57,7 +63,7 @@ LDFLAGS = -nostdlib -znocombreloc -T $(
+
+ VERSION = 0.8
+
+-TARGET = shim.efi MokManager.efi.signed fallback.efi.signed
++TARGET = shim.efi MokManager.efi fallback.efi
+ OBJS = shim.o netboot.o cert.o replacements.o version.o
+ KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
+ SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h version.c version.h
+@@ -144,8 +150,8 @@ FORMAT ?= --target efi-app-$(ARCH)
+ -j .debug_line -j .debug_str -j .debug_ranges \
+ $(FORMAT) $^ $@.debug
+
+-%.efi.signed: %.efi certdb/secmod.db
+- pesign -n certdb -i $< -c "shim" -s -o $@ -f
++#%.efi.signed: %.efi certdb/secmod.db
++# pesign -n certdb -i $< -c "shim" -s -o $@ -f
+
+ clean:
+ $(MAKE) -C Cryptlib clean
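Review bot: Changing `TARGET` to `shim.efi MokManager.efi fallback.efi` and commenting out the `%.efi.signed` rule means the port ships MokManager and fallback unsigned, and nothing in the patch records that. Going by the commit description, shim validates the next binary against its built-in certificate when the firmware refuses to load it, so with Secure Boot enabled these two images would presumably be rejected until someone signs them with a matching key. I would delete the pesign rule rather than keep it as dead comments, and put the reason in its place, e.g. `# FreeBSD port: images are built unsigned; sign them before relying on Secure Boot`. Also, `CC = $(CROSS_COMPILE)gcc48` pins one compiler name while the port Makefile declares `USE_GCC= 4.8+`, which may select a newer GCC.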
diff --git a/sysutils/shim/files/patch-elf_x86_64_efi.lds b/sysutils/shim/files/patch-elf_x86_64_efi.lds
new file mode 100644
index 000000000000..4a876315a1fe
--- /dev/null
+++ b/sysutils/shim/files/patch-elf_x86_64_efi.lds
@@ -0,0 +1,10 @@
+--- elf_x86_64_efi.lds.orig 2014-12-21 16:01:08.000000000 +0100
++++ elf_x86_64_efi.lds 2014-12-21 16:01:16.000000000 +0100
+@@ -1,5 +1,5 @@
+-/* Same as elf_x86_64_fbsd_efi.lds, except for OUTPUT_FORMAT below - KEEP IN SYNC */
+-OUTPUT_FORMAT("elf64-x86-64", "elf64-x86-64", "elf64-x86-64")
++/* Same as elf_x86_64_efi.lds, except for OUTPUT_FORMAT below - KEEP IN SYNC */
++OUTPUT_FORMAT("elf64-x86-64-freebsd", "elf64-x86-64-freebsd", "elf64-x86-64-freebsd")
+ OUTPUT_ARCH(i386:x86-64)
+ ENTRY(_start)
+ SECTIONS
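Review bot: The replacement comment on the first line now reads `Same as elf_x86_64_efi.lds`, but the file being patched is elf_x86_64_efi.lds itself, so the comment refers the reader to the file they are already in. Since the patch turns this script into the FreeBSD-format variant, a comment such as `/* FreeBSD variant: OUTPUT_FORMAT is elf64-x86-64-freebsd; otherwise identical to upstream elf_x86_64_efi.lds */` would describe it accurately. The script continues past `SECTIONS`, outside the hunk.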
diff --git a/sysutils/shim/files/patch-lib-Makefile b/sysutils/shim/files/patch-lib-Makefile
new file mode 100644
index 000000000000..d1d0b81bb99c
--- /dev/null
+++ b/sysutils/shim/files/patch-lib-Makefile
@@ -0,0 +1,10 @@
+--- lib/Makefile.orig 2014-11-30 20:34:06.000000000 +0100
++++ lib/Makefile 2014-11-30 20:34:20.000000000 +0100
+@@ -1,3 +1,7 @@
++ifeq ($(ARCH),amd64)
++ override ARCH = x86_64
++endif
++
+ TARGET = lib.a
+
+ LIBFILES = simple_file.o guid.o console.o execute.o configtable.o shell.o variables.o security_policy.o
diff --git a/sysutils/shim/pkg-descr b/sysutils/shim/pkg-descr
new file mode 100644
index 000000000000..e7025805b34e
--- /dev/null
+++ b/sysutils/shim/pkg-descr
@@ -0,0 +1,9 @@
+shim is a trivial EFI application that, when run, attempts to open and
+execute another application. It will initially attempt to do this via the
+standard EFI LoadImage() and StartImage() calls. If these fail (because secure
+boot is enabled and the binary is not signed with an appropriate key, for
+instance) it will then validate the binary against a built-in certificate. If
+this succeeds and if the binary or signing key are not blacklisted then shim
+will relocate and execute the binary.
+
+WWW: https://github.com/mjg59/shim