New port: sysutils/shim

shim is a trivial EFI application that, when run, attempts to open and
execute another application. It will initially attempt to do this via the
standard EFI LoadImage() and StartImage() calls. If these fail (because secure
boot is enabled and the binary is not signed with an appropriate key, for
instance) it will then validate the binary against a built-in certificate. If
this succeeds and if the binary or signing key are not blacklisted then shim
will relocate and execute the binary.

Sponsored by:	The FreeBSD Foundation

sysutils/Makefile

@@ -875,6 +875,7 @@
     SUBDIR += setquota
     SUBDIR += sformat
     SUBDIR += sg3_utils
+    SUBDIR += shim
     SUBDIR += shlock
     SUBDIR += shmcat
     SUBDIR += sievelog

sysutils/shim/Makefile

@@ -0,0 +1,37 @@
+# Created by: Edward Tomasz Napierala <trasz@FreeBSD.org>
+# $FreeBSD$
+
+PORTNAME=	shim
+PORTVERSION=	0.8
+CATEGORIES=	sysutils
+
+MAINTAINER=	trasz@FreeBSD.org
+COMMENT=	UEFI Secure Boot shim loader
+
+LICENSE=	BSD2CLAUSE
+
+BUILD_DEPENDS=	${NONEXISTENT}:${PORTSDIR}/devel/gnu-efi \
+		bash:${PORTSDIR}/shells/bash
+
+USE_GITHUB=	yes
+GH_ACCOUNT=	mjg59
+GH_COMMIT=	6f4d516
+
+USES=		gmake
+USE_GCC=	4.8+
+USE_GITHUB=	yes
+MAKE_JOBS_UNSAFE=	yes
+ONLY_FOR_ARCHS=	amd64
+
+PLIST_FILES=	lib/shim/MokManager.efi lib/shim/fallback.efi lib/shim/shim.efi
+
+post-patch:
+	@${REINPLACE_CMD} -e "s|/bin/bash|${LOCALBASE}/bin/bash|" ${WRKSRC}/make-certs
+
+do-install:
+	${MKDIR} ${STAGEDIR}/${PREFIX}/lib/shim
+	${INSTALL_PROGRAM} ${WRKSRC}/shim.efi ${STAGEDIR}/${PREFIX}/lib/shim
+	${INSTALL_PROGRAM} ${WRKSRC}/MokManager.efi ${STAGEDIR}/${PREFIX}/lib/shim
+	${INSTALL_PROGRAM} ${WRKSRC}/fallback.efi ${STAGEDIR}/${PREFIX}/lib/shim
+
+.include <bsd.port.mk>

sysutils/shim/distinfo

@@ -0,0 +1,2 @@
+SHA256 (shim-0.8.tar.gz) = 150692b908c8502872a357025e70434c75bad8416d9a52e3e946fd75d3f6cf9e
+SIZE (shim-0.8.tar.gz) = 1252057

sysutils/shim/files/patch-Cryptlib-Makefile

@@ -0,0 +1,9 @@
+--- Cryptlib/Makefile.orig	2014-10-13 22:41:51.000000000 +0200
++++ Cryptlib/Makefile	2014-11-30 20:23:01.000000000 +0100
+@@ -1,3 +1,6 @@
++ifeq ($(ARCH),amd64)
++	override ARCH	= x86_64
++endif
+ 
+ EFI_INCLUDES	= -IInclude -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
+ 

sysutils/shim/files/patch-Cryptlib-OpenSSL-Makefile

@@ -0,0 +1,9 @@
+--- Cryptlib/OpenSSL/Makefile.orig	2014-11-30 20:31:14.000000000 +0100
++++ Cryptlib/OpenSSL/Makefile	2014-11-30 20:31:23.000000000 +0100
+@@ -1,3 +1,6 @@
++ifeq ($(ARCH),amd64)
++	override ARCH	= x86_64
++endif
+ 
+ EFI_INCLUDES	= -I../Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol
+ 

sysutils/shim/files/patch-Makefile

@@ -0,0 +1,49 @@
+--- Makefile.orig	2014-10-13 22:41:51.000000000 +0200
++++ Makefile	2014-12-21 16:18:40.000000000 +0100
+@@ -1,16 +1,22 @@
+-CC		= $(CROSS_COMPILE)gcc
++CROSS_COMPILE	= $(LOCALBASE)/bin/
++
++CC		= $(CROSS_COMPILE)gcc48
+ LD		= $(CROSS_COMPILE)ld
+ OBJCOPY		= $(CROSS_COMPILE)objcopy
+ 
+ ARCH		= $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,)
+ 
++ifeq ($(ARCH),amd64)
++  override ARCH := x86_64
++endif
++
+ SUBDIRS		= Cryptlib lib
+ 
+-LIB_PATH	= /usr/lib64
++LIB_PATH	= $(LOCALBASE)/lib
+ 
+-EFI_INCLUDE	:= /usr/include/efi
++EFI_INCLUDE	:= $(LOCALBASE)/include/efi
+ EFI_INCLUDES	= -nostdinc -ICryptlib -ICryptlib/Include -I$(EFI_INCLUDE) -I$(EFI_INCLUDE)/$(ARCH) -I$(EFI_INCLUDE)/protocol -Iinclude
+-EFI_PATH	:= /usr/lib64/gnuefi
++EFI_PATH	:= $(LOCALBASE)/lib
+ 
+ LIB_GCC		= $(shell $(CC) -print-libgcc-file-name)
+ EFI_LIBS	= -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC) 
+@@ -57,7 +63,7 @@ LDFLAGS		= -nostdlib -znocombreloc -T $(
+ 
+ VERSION		= 0.8
+ 
+-TARGET	= shim.efi MokManager.efi.signed fallback.efi.signed
++TARGET	= shim.efi MokManager.efi fallback.efi
+ OBJS	= shim.o netboot.o cert.o replacements.o version.o
+ KEYS	= shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer
+ SOURCES	= shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h version.c version.h
+@@ -144,8 +150,8 @@ FORMAT		?= --target efi-app-$(ARCH)
+ 		-j .debug_line -j .debug_str -j .debug_ranges \
+ 		$(FORMAT) $^ $@.debug
+ 
+-%.efi.signed: %.efi certdb/secmod.db
+-	pesign -n certdb -i $< -c "shim" -s -o $@ -f
++#%.efi.signed: %.efi certdb/secmod.db
++#	pesign -n certdb -i $< -c "shim" -s -o $@ -f
+ 
+ clean:
+ 	$(MAKE) -C Cryptlib clean

sysutils/shim/files/patch-elf_x86_64_efi.lds

@@ -0,0 +1,10 @@
+--- elf_x86_64_efi.lds.orig	2014-12-21 16:01:08.000000000 +0100
++++ elf_x86_64_efi.lds	2014-12-21 16:01:16.000000000 +0100
+@@ -1,5 +1,5 @@
+-/* Same as elf_x86_64_fbsd_efi.lds, except for OUTPUT_FORMAT below - KEEP IN SYNC */
+-OUTPUT_FORMAT("elf64-x86-64", "elf64-x86-64", "elf64-x86-64")
++/* Same as elf_x86_64_efi.lds, except for OUTPUT_FORMAT below - KEEP IN SYNC */
++OUTPUT_FORMAT("elf64-x86-64-freebsd", "elf64-x86-64-freebsd", "elf64-x86-64-freebsd")
+ OUTPUT_ARCH(i386:x86-64)
+ ENTRY(_start)
+ SECTIONS

sysutils/shim/files/patch-lib-Makefile

@@ -0,0 +1,10 @@
+--- lib/Makefile.orig	2014-11-30 20:34:06.000000000 +0100
++++ lib/Makefile	2014-11-30 20:34:20.000000000 +0100
+@@ -1,3 +1,7 @@
++ifeq ($(ARCH),amd64)
++	override ARCH	= x86_64
++endif
++
+ TARGET = lib.a
+ 
+ LIBFILES = simple_file.o guid.o console.o execute.o configtable.o shell.o variables.o security_policy.o

sysutils/shim/pkg-descr

@@ -0,0 +1,9 @@
+shim is a trivial EFI application that, when run, attempts to open and
+execute another application. It will initially attempt to do this via the
+standard EFI LoadImage() and StartImage() calls. If these fail (because secure
+boot is enabled and the binary is not signed with an appropriate key, for
+instance) it will then validate the binary against a built-in certificate. If
+this succeeds and if the binary or signing key are not blacklisted then shim
+will relocate and execute the binary.
+
+WWW: https://github.com/mjg59/shim