diff -Nru fwupd-efi-1.2/contrib/ci.sh fwupd-efi-1.4/contrib/ci.sh --- fwupd-efi-1.2/contrib/ci.sh 2022-01-23 17:52:39.000000000 +0000 +++ fwupd-efi-1.4/contrib/ci.sh 2023-01-27 09:29:20.000000000 +0000 @@ -4,6 +4,9 @@ shopt -s extglob rm -rf build/ +# disable the safe directory feature +git config --global safe.directory "*" + if [ "$OS" = "fedora" ]; then meson build VERSION=`meson introspect build --projectinfo | jq -r .version` diff -Nru fwupd-efi-1.2/contrib/fwupd-efi.spec.in fwupd-efi-1.4/contrib/fwupd-efi.spec.in --- fwupd-efi-1.2/contrib/fwupd-efi.spec.in 2022-01-23 17:52:39.000000000 +0000 +++ fwupd-efi-1.4/contrib/fwupd-efi.spec.in 2023-01-27 09:29:20.000000000 +0000 @@ -14,9 +14,11 @@ # these are the only architectures supporting UEFI SecureBoot ExclusiveArch: x86_64 aarch64 +BuildRequires: gcc BuildRequires: meson BuildRequires: gnu-efi-devel BuildRequires: pesign +BuildRequires: python3-pefile %description fwupd is a daemon to allow session software to update device firmware, and this @@ -64,5 +66,4 @@ %{_libdir}/pkgconfig/fwupd-efi.pc %changelog -* #LONGDATE# Richard Hughes #VERSION#-0.#BUILD##ALPHATAG# -- Update from git +%autochangelog diff -Nru fwupd-efi-1.2/contrib/org.freedesktop.fwupd.efi.metainfo.xml fwupd-efi-1.4/contrib/org.freedesktop.fwupd.efi.metainfo.xml --- fwupd-efi-1.2/contrib/org.freedesktop.fwupd.efi.metainfo.xml 2022-01-23 17:52:39.000000000 +0000 +++ fwupd-efi-1.4/contrib/org.freedesktop.fwupd.efi.metainfo.xml 2023-01-27 09:29:20.000000000 +0000 @@ -23,6 +23,28 @@ richard_at_hughsie.com + + +
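Review bot: `git config --global safe.directory "*"` in contrib/ci.sh turns off git's repository-ownership check for every path this user touches, not only the checkout the CI job needs. That check is what stops git from honouring configuration and hooks found in a repository owned by a different user, so the narrower form `git config --global --add safe.directory "$PWD"` keeps it in place for everything else. If the wildcard has to stay, the comment should say why rather than what, e.g. `# CI checkout is owned by a different uid than the build user` (if that is the reason). The script continues outside the hunk.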

This release fixes the following bugs:

+
    +
  • Add additional checks for incompatible CRT0
  • +
  • Align sections to 512 bytes
  • +
  • Generate images that are NX compatible
  • +
  • Use manual symbols mode on ARM32
  • +
  • Use objcopy to build arm/aarch64 binaries for new binutils
  • +
+
+
+ + +

This release fixes the following bugs:

+
    +
  • Fix a regression when applying updates on an HP M60
  • +
  • Fix the ARM system crt0 name
  • +
  • Show the version when starting fwupd-efi
  • +
+
+

This release fixes the following bugs:

diff -Nru fwupd-efi-1.2/debian/changelog fwupd-efi-1.4/debian/changelog --- fwupd-efi-1.2/debian/changelog 2023-01-19 17:00:56.000000000 +0000 +++ fwupd-efi-1.4/debian/changelog 2023-03-20 12:11:14.000000000 +0000 @@ -1,8 +1,24 @@ -fwupd-efi (1:1.2-3ubuntu0.2) kinetic; urgency=medium +fwupd-efi (1:1.4-0ubuntu0.1) kinetic; urgency=medium - * No-change rebuild for 2022v1 resigning (LP: #2003365) + * Stable release series backport (LP: #2011808) + * Remove i386 from list of architectures, we do not build on there in + the target build release. armhf will continue to receive unsigned + updates. - -- Julian Andres Klode Thu, 19 Jan 2023 18:00:56 +0100 + -- Julian Andres Klode Mon, 20 Mar 2023 13:11:14 +0100 + +fwupd-efi (1:1.4-1) unstable; urgency=medium + + [ Mario Limonciello ] + * New upstream release. + * Notable changes: + - Enforces NX by default. + - Improvements for aarch64 builds. + + [ Jelmer Vernooij ] + * Specify branch in Vcs-Git/Vcs-Browser headers + + -- Mario Limonciello Fri, 27 Jan 2023 09:15:57 -0600 fwupd-efi (1:1.2-3) unstable; urgency=medium diff -Nru fwupd-efi-1.2/debian/control fwupd-efi-1.4/debian/control --- fwupd-efi-1.2/debian/control 2023-01-19 17:00:56.000000000 +0000 +++ fwupd-efi-1.4/debian/control 2023-03-20 12:11:14.000000000 +0000 
@@ -6,17 +6,17 @@ Matthias Klumpp , Mario Limonciello Build-Depends: debhelper (>= 13), - gnu-efi [amd64 arm64 armhf i386], + gnu-efi [amd64 arm64 armhf], meson, - mingw-w64-tools [amd64 arm64 armhf i386], + mingw-w64-tools [amd64 arm64 armhf], Standards-Version: 4.6.0.1 Section: admin Homepage: https://github.com/fwupd/fwupd-efi -Vcs-Git: https://salsa.debian.org/efi-team/fwupd-efi.git -Vcs-Browser: https://salsa.debian.org/efi-team/fwupd-efi +Vcs-Git: https://salsa.debian.org/efi-team/fwupd-efi.git -b debian/unstable +Vcs-Browser: https://salsa.debian.org/efi-team/fwupd-efi/-/tree/debian/unstable Package: fwupd-unsigned -Architecture: amd64 arm64 armhf i386 +Architecture: amd64 arm64 armhf Depends: ${misc:Depends}, ${shlibs:Depends}, Recommends: fwupd-signed @@ -33,7 +33,7 @@ This package provides the EFI binaries used for UEFI capsule updates Package: fwupd-unsigned-dev -Architecture: amd64 arm64 armhf i386 +Architecture: amd64 arm64 armhf Depends: ${misc:Depends}, fwupd-unsigned (= ${binary:Version}) Description: Firmware update daemon (Development information) @@ -50,15 +50,6 @@ Depends: ${shlibs:Depends}, ${misc:Depends}, make | build-essential | dpkg-dev -Description: Template for signed fwupd package - This package is used to control code signing by the Debian signing - service. - -Package: fwupd-i386-signed-template -Architecture: i386 -Depends: ${shlibs:Depends}, - ${misc:Depends}, - make | build-essential | dpkg-dev Description: Template for signed fwupd package This package is used to control code signing by the Debian signing service. diff -Nru fwupd-efi-1.2/efi/crt0/meson.build fwupd-efi-1.4/efi/crt0/meson.build --- fwupd-efi-1.2/efi/crt0/meson.build 2022-01-23 17:52:39.000000000 +0000 +++ fwupd-efi-1.4/efi/crt0/meson.build 2023-01-27 09:29:20.000000000 +0000 
@@ -1,5 +1,5 @@ o_crt0 = custom_target('efi_crt0', input : arch_crt_source, output : arch_crt, - command : [efi_cc, '-c', '@INPUT@', '-o', '@OUTPUT@'] + command : [cc.cmd_array(), '-c', '@INPUT@', '-o', '@OUTPUT@'] + compile_args) diff -Nru fwupd-efi-1.2/efi/fwupdate.c fwupd-efi-1.4/efi/fwupdate.c --- fwupd-efi-1.2/efi/fwupdate.c 2022-01-23 17:52:39.000000000 +0000 +++ fwupd-efi-1.4/efi/fwupdate.c 2023-01-27 09:29:20.000000000 +0000 @@ -4,13 +4,15 @@ * SPDX-License-Identifier: LGPL-2.1+ */ +#include "config.h" + #include #include #include "fwup-cleanups.h" #include "fwup-common.h" -#include "fwup-efi.h" #include "fwup-debug.h" +#include "fwup-efi.h" #define UNUSED __attribute__((__unused__)) #define GNVN_BUF_SIZE 1024 @@ -454,12 +456,16 @@ rc = uefi_call_wrapper(RT->QueryCapsuleCapabilities, 4, capsules, num_updates, &max_capsule_size, reset); - if (EFI_ERROR(rc)) { - fwup_warning(L"Could not query capsule capabilities: %r", rc); - return rc; + if (rc == EFI_SUCCESS) { + fwup_debug(L"QueryCapsuleCapabilities: %r max: %ld reset:%d", + rc, + max_capsule_size, + *reset); + } else { + fwup_warning(L"QueryCapsuleCapabilities failed, assuming EfiResetWarm: %r", rc); + *reset = EfiResetWarm; } - fwup_debug(L"QueryCapsuleCapabilities: %r max: %ld reset:%d", - rc, max_capsule_size, *reset); + fwup_debug(L"Capsules: %d", num_updates); fwup_msleep(1 * SECONDS); @@ -544,6 +550,9 @@ /* if SHIM_DEBUG is set, fwup_info info for our attached debugger */ fwup_debug_hook(); + /* show the version to screen */ + fwup_info(L"fwupd-efi version " PACKAGE_VERSION); + /* step 1: find and validate update state variables */ /* XXX TODO: * 1) survey the reset types first, and separate into groups diff -Nru fwupd-efi-1.2/efi/generate_binary.py fwupd-efi-1.4/efi/generate_binary.py --- fwupd-efi-1.2/efi/generate_binary.py 2022-01-23 17:52:39.000000000 +0000 +++ fwupd-efi-1.4/efi/generate_binary.py 2023-01-27 09:29:20.000000000 +0000 
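Review bot: In the `@@ -454,12 +456,16 @@` hunk of efi/fwupdate.c the new `else` branch treats every QueryCapsuleCapabilities error the same way and carries on with `*reset = EfiResetWarm`, so a status meaning the capsule is not accepted at all no longer stops the update. If the fallback is meant only for firmware that fails the query itself, a comment should say so, e.g. `/* some firmware fails this query; fall back to a warm reset instead of aborting the update */`, and the early `return rc;` could be kept for any other status. `max_capsule_size` is left untouched on the failure path; its declaration and any later use are outside the hunk, so it is worth confirming nothing after this point reads it. The enclosing function starts and ends outside the hunk.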
@@ -30,13 +30,15 @@ ".rodata", "-j", ".rel*", + "--section-alignment", + "512", args.infile, args.outfile, ] - # aarch64 and arm32 don't have an EFI capable objcopy - # Use 'binary' instead, and add required symbols manually - if args.arch in ["aarch64", "arm"]: + # older objcopy for Aarch64 and ARM32 are not EFI capable. + # Use "binary" instead, and add required symbols manually. + if args.objcopy_manualsymbols: argv.extend(["-O", "binary"]) elif args.os == "freebsd": # `--target` option is missing and --input-target doesn't recognize @@ -56,7 +58,7 @@ if not args.genpeimg: return - argv = [args.genpeimg, "-d", "+d", "+n", "-d", "+s", args.outfile] + argv = [args.genpeimg, "-d", "+d", "-d", "+n", "-d", "+s", args.outfile] try: subprocess.run(argv, check=True) except FileNotFoundError as e: @@ -64,6 +66,23 @@ sys.exit(1) +def _add_nx_pefile(args): + # unnecessary if we have genpeimg + if args.genpeimg: + return + try: + import pefile + except ImportError: + print("Unable to add NX support to binaries without genpeimg or python3-pefile") + sys.exit(1) + + pe = pefile.PE(args.outfile) + pe.OPTIONAL_HEADER.DllCharacteristics |= pefile.DLL_CHARACTERISTICS[ + "IMAGE_DLLCHARACTERISTICS_NX_COMPAT" + ] + pe.write(args.outfile) + + if __name__ == "__main__": parser = argparse.ArgumentParser() 
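Review bot: `_add_nx_pefile` sets `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` without checking that the image satisfies it, so a binary with a section that is both writable and executable would still be marked NX compatible. A build-time check over `pe.sections` that exits non-zero in that case turns the flag into a verified property; a sketch follows. The `--section-alignment 512` added in the first hunk of this file also deserves a comment, because sections smaller than a page cannot each receive their own page permissions. Whether the target firmware depends on that is not visible here. The function has no docstring; one line saying it is the fallback for builds without genpeimg would help.

```python
    pe = pefile.PE(args.outfile)
    # refuse to mark an image NX compatible if any section is writable and executable
    wx = (
        pefile.SECTION_CHARACTERISTICS["IMAGE_SCN_MEM_WRITE"]
        | pefile.SECTION_CHARACTERISTICS["IMAGE_SCN_MEM_EXECUTE"]
    )
    for section in pe.sections:
        if section.Characteristics & wx == wx:
            name = section.Name.rstrip(b"\x00").decode(errors="replace")
            print("Section {} is writable and executable, not setting NX_COMPAT".format(name))
            sys.exit(1)
    # … unchanged: set IMAGE_DLLCHARACTERISTICS_NX_COMPAT and pe.write(args.outfile) …
```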
@@ -73,10 +92,16 @@ parser.add_argument("--genpeimg", help="Binary file to use for genpeimg") parser.add_argument("--arch", default="x86_64", help="EFI architecture") parser.add_argument("--os", help="OS type") + parser.add_argument( + "--objcopy-manualsymbols", + action="store_true", + help="whether adding symbols direct to binary", + ) parser.add_argument("infile", help="Input file") parser.add_argument("outfile", help="Output file") _args = parser.parse_args() _run_objcopy(_args) _run_genpeimg(_args) + _add_nx_pefile(_args) sys.exit(0) diff -Nru fwupd-efi-1.2/efi/generate_sbat.py fwupd-efi-1.4/efi/generate_sbat.py --- fwupd-efi-1.2/efi/generate_sbat.py 2022-01-23 17:52:39.000000000 +0000 +++ fwupd-efi-1.4/efi/generate_sbat.py 2023-01-27 09:29:20.000000000 +0000 @@ -18,9 +18,12 @@ FWUPD_SUMMARY = "Firmware update daemon" FWUPD_URL = "https://github.com/fwupd/fwupd-efi" - subprocess.run( - [args.cc, "-x", "c", "-c", "-o", args.outfile, "/dev/null"], check=True + cmd = ( + args.cc.split() + + ["-x", "c", "-c", "-o", args.outfile, "/dev/null"] + + args.cflags.split(" ") ) + subprocess.run(cmd, check=True) # not specified if not args.sbat_distro_id: @@ -83,6 +86,7 @@ parser.add_argument( "--cc", default="gcc", help="Compiler to use for generating sbat object" ) + parser.add_argument("--cflags", help="C compiler flags to be used by CC") parser.add_argument( "--objcopy", default="objcopy", help="Binary file to use for objcopy" ) diff -Nru fwupd-efi-1.2/efi/meson.build fwupd-efi-1.4/efi/meson.build --- fwupd-efi-1.2/efi/meson.build 2022-01-23 17:52:39.000000000 +0000 +++ fwupd-efi-1.4/efi/meson.build 2023-01-27 09:29:20.000000000 +0000 @@ -1,8 +1,6 @@ generate_sbat = find_program('generate_sbat.py', native: true) generate_binary = find_program('generate_binary.py', native: true) -efi_cc = get_option('efi-cc') -efi_ld = get_option('efi-ld') efi_ldsdir = get_option('efi-ldsdir') efi_incdir = get_option('efi-includedir') 
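Review bot: In efi/generate_sbat.py, `args.cflags.split(" ")` raises AttributeError when `--cflags` is not passed, because the argument added in the file's second hunk has no default and `args.cflags` is then None. Splitting on a single space also produces empty strings for an empty value or doubled spaces, and each one reaches the compiler as an empty argument; `+ (args.cflags or "").split()` avoids both. Separately, joining with `' '.join(compile_args)` in efi/meson.build and splitting here cannot carry an argument that contains whitespace, such as a `-DDEBUGDIR=` path with a space, which would arrive as two compiler arguments. The enclosing function starts outside the hunk.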
@@ -20,11 +18,8 @@ efi_libdir = get_option('efi-libdir') if efi_libdir == '' - cmd = 'cd /usr/lib/$(@0@ -print-multi-os-directory) && pwd'.format(efi_cc) - ret = run_command('sh', '-c', cmd) - if ret.returncode() == 0 - efi_libdir = ret.stdout().strip() - endif + multi = run_command(cc.cmd_array(), '-print-multi-os-directory').stdout().strip() + efi_libdir = join_paths('/usr/lib/', multi) endif have_gnu_efi = gnu_efi_path_arch != '' and efi_libdir != '' @@ -68,10 +63,27 @@ error('Cannot find @0@'.format(arch_lds)) endif endif +efi_crtdir = efi_ldsdir + +# If using objcopy, crt0 must not include the PE/COFF header +if run_command('grep', '-q', 'coff_header', join_paths(efi_crtdir, arch_crt), check: false).returncode() == 0 + coff_header_in_crt0 = true +else + coff_header_in_crt0 = false +endif + +# older objcopy for Aarch64 and ARM32 are not EFI capable. +# Use 'binary' instead, and add required symbols manually. +if host_cpu == 'arm' or (host_cpu == 'aarch64' and (objcopy_version.version_compare ('< 2.38') or coff_header_in_crt0)) + objcopy_manualsymbols = true + generate_binary_extra = ['--objcopy-manualsymbols'] +else + objcopy_manualsymbols = false + generate_binary_extra = [] +endif # is the system linker script new enough to know about SBAT? # i.e. gnu-efi with https://github.com/vathpela/gnu-efi/pull/14 has been installed -efi_crtdir = efi_ldsdir if get_option('efi_sbat_distro_id') != '' cmd = run_command('grep', '-q', 'sbat', join_paths(efi_ldsdir, arch_lds)) if cmd.returncode() != 0 
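Review bot: The replacement for the `sh -c` probe in efi/meson.build no longer checks whether the compiler call succeeded, as `run_command(cc.cmd_array(), '-print-multi-os-directory')` has no `check:` and its return code is never read. If the compiler rejects the flag, `multi` is empty and `efi_libdir` becomes `/usr/lib/`, so the `efi_libdir != ''` test that follows can no longer detect the failure. Passing `check: true`, or keeping the `returncode() == 0` guard the old code had, restores that. The `-print-libgcc-file-name` call further down is unchecked in the same way, and an empty result there would reach the linker command as an empty argument.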
@@ -81,12 +93,12 @@ endif # is the system crt0 for arm and aarch64 new enough to know about SBAT? -if host_cpu == 'aarch64' or host_cpu == 'arm' +if objcopy_manualsymbols if get_option('efi_sbat_distro_id') != '' arch_crt_source = 'crt0-efi-@0@.S'.format(gnu_efi_path_arch) - cmd = run_command('grep', '-q', 'sbat', join_paths(efi_crtdir, arch_crt_source)) + cmd = run_command('grep', '-q', 'sbat', join_paths(efi_crtdir, arch_crt)) if cmd.returncode() != 0 - warning('Cannot find SBAT section in @0@, using local copy'.format(join_paths(efi_crtdir, arch_crt_source))) + warning('Cannot find SBAT section in @0@, using local copy'.format(join_paths(efi_crtdir, arch_crt))) # The gnuefi libraries are still needed efi_libdir = efi_crtdir efi_crtdir = join_paths(meson.current_build_dir(), 'crt0') @@ -121,6 +133,7 @@ '-Wno-address-of-packed-member', '-grecord-gcc-switches', '-DDEBUGDIR="@0@"'.format(debugdir), + '-I.', '-isystem', efi_incdir, '-isystem', join_paths(efi_incdir, gnu_efi_path_arch)] if get_option('werror') 
@@ -149,37 +162,38 @@ '-L', efi_crtdir, '-L', efi_libdir, join_paths(efi_crtdir, arch_crt)] -if host_cpu == 'aarch64' or host_cpu == 'arm' - # Aarch64 and ARM32 don't have an EFI capable objcopy. Use 'binary' - # instead, and add required symbols manually. + +if objcopy_manualsymbols + # older objcopy for Aarch64 and ARM32 are not EFI capable. + # Use 'binary' instead, and add required symbols manually. efi_ldflags += ['--defsym=EFI_SUBSYSTEM=0xa'] efi_format = ['-O', 'binary'] else efi_format = ['--target=efi-app-@0@'.format(gnu_efi_arch)] endif -libgcc_file_name = run_command(efi_cc, '-print-libgcc-file-name').stdout().strip() +libgcc_file_name = run_command(cc.cmd_array(), '-print-libgcc-file-name').stdout().strip() efi_name = 'fwupd@0@.efi'.format(EFI_MACHINE_TYPE_NAME) o_file1 = custom_target('fwupdate.o', input : 'fwupdate.c', output : 'fwupdate.o', - command : [efi_cc, '-c', '@INPUT@', '-o', '@OUTPUT@'] + command : [cc.cmd_array(), '-c', '@INPUT@', '-o', '@OUTPUT@'] + compile_args) o_file2 = custom_target('fwup-debug.o', input : 'fwup-debug.c', output : 'fwup-debug.o', - command : [efi_cc, '-c', '@INPUT@', '-o', '@OUTPUT@'] + command : [cc.cmd_array(), '-c', '@INPUT@', '-o', '@OUTPUT@'] + compile_args) o_file3 = custom_target('fwup-efi.o', input : 'fwup-efi.c', output : 'fwup-efi.o', - command : [efi_cc, '-c', '@INPUT@', '-o', '@OUTPUT@'] + command : [cc.cmd_array(), '-c', '@INPUT@', '-o', '@OUTPUT@'] + compile_args) o_file4 = custom_target('fwup-common.o', input : 'fwup-common.c', output : 'fwup-common.o', - command : [efi_cc, '-c', '@INPUT@', '-o', '@OUTPUT@'] + command : [cc.cmd_array(), '-c', '@INPUT@', '-o', '@OUTPUT@'] + compile_args) o_file5 = custom_target('fwup-sbat.o', @@ -187,7 +201,8 @@ command : [ generate_sbat, '@OUTPUT@', - '--cc', efi_cc, + '--cc', ' '.join(cc.cmd_array()), + '--cflags', ' '.join(compile_args), '--objcopy', objcopy, '--project-name', meson.project_name(), '--project-version', meson.project_version(), 
@@ -211,7 +226,7 @@ so = custom_target('fwup.so', input : [o_file1, o_file2, o_file3, o_file4, o_file5], output : 'fwup.so', - command : [efi_ld, '-o', '@OUTPUT@'] + + command : [ld, '-o', '@OUTPUT@'] + efi_ldflags + ['@INPUT@'] + ['-lefi', '-lgnuefi', libgcc_file_name], depends: fwupd_so_deps) @@ -226,7 +241,8 @@ '--os', host_machine.system(), '--objcopy', objcopy, '--genpeimg', genpeimg.found() ? genpeimg : '' - ], + ] + + generate_binary_extra, install : true, install_dir : efi_app_location) diff -Nru fwupd-efi-1.2/meson.build fwupd-efi-1.4/meson.build --- fwupd-efi-1.2/meson.build 2022-01-23 17:52:39.000000000 +0000 +++ fwupd-efi-1.4/meson.build 2023-01-27 09:29:20.000000000 +0000 @@ -1,12 +1,17 @@ project('fwupd-efi', 'c', - version : '1.2', + version : '1.4', license : 'LGPL-2.1+', meson_version : '>=0.53.0', default_options : ['warning_level=2', 'c_std=c99'], ) +conf = configuration_data() +conf.set_quoted('PACKAGE_VERSION', meson.project_version()) + cc = meson.get_compiler('c') +ld = cc.get_linker_id() objcopy = find_program('objcopy') +objcopy_version = run_command(objcopy, '--version').stdout().split('\n')[0].split(' ')[-1] prefix = get_option('prefix') libdir = join_paths(prefix, get_option('libdir')) @@ -37,6 +42,11 @@ warning('-Defi_sbat_distro_id is unset, see README.md') endif +configure_file( + output : 'config.h', + configuration : conf +) + pkgg = import('pkgconfig') pkgg.generate( version : meson.project_version(), diff -Nru fwupd-efi-1.2/meson_options.txt fwupd-efi-1.4/meson_options.txt --- fwupd-efi-1.2/meson_options.txt 2022-01-23 17:52:39.000000000 +0000 +++ fwupd-efi-1.4/meson_options.txt 2023-01-27 09:29:20.000000000 +0000 
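Review bot: `ld = cc.get_linker_id()` in the top-level meson.build returns an identifier for the linker family, not a command, yet the `fwup.so` target in efi/meson.build now runs it as `command : [ld, '-o', '@OUTPUT@']`. That works only while the identifier is also the name of an executable on PATH, and with the `efi-ld` option removed there is no way to point the build at a prefixed cross linker or a specific binary. Resolving it explicitly, for example `ld = find_program(cc.get_linker_id())`, at least makes a missing or unexpected linker fail at configure time. `objcopy_version` takes the last word of the first `--version` line without checking that the command succeeded; a comment stating the expected output format would help.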
@@ -1,5 +1,3 @@ -option('efi-cc', type : 'string', value : 'gcc', description : 'the compiler to use for EFI modules') -option('efi-ld', type : 'string', value : 'ld', description : 'the linker to use for EFI modules') option('efi-libdir', type : 'string', description : 'path to the EFI lib directory') option('efi-ldsdir', type : 'string', description : 'path to the EFI lds directory') option('efi-includedir', type : 'string', value : '/usr/include/efi', description : 'path to the EFI header directory') diff -Nru fwupd-efi-1.2/.pre-commit-config.yaml fwupd-efi-1.4/.pre-commit-config.yaml --- fwupd-efi-1.2/.pre-commit-config.yaml 2022-01-23 17:52:39.000000000 +0000 +++ fwupd-efi-1.4/.pre-commit-config.yaml 2023-01-27 09:29:20.000000000 +0000 @@ -1,6 +1,6 @@ repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v3.4.0 + rev: v4.1.0 hooks: - id: no-commit-to-branch args: [--branch, main] @@ -26,7 +26,7 @@ - id: codespell args: ['--config', './contrib/codespell.cfg', --write-changes] - repo: https://github.com/ambv/black - rev: 21.6b0 + rev: 22.3.0 hooks: - id: black - repo: local @@ -42,7 +42,7 @@ entry: ./contrib/reformat-code.py types: [c] - repo: https://github.com/igorshubovych/markdownlint-cli - rev: v0.27.1 + rev: v0.31.1 hooks: - id: markdownlint args: ['--fix', '--ignore', '.github'] diff -Nru fwupd-efi-1.2/RELEASE fwupd-efi-1.4/RELEASE --- fwupd-efi-1.2/RELEASE 2022-01-23 17:52:39.000000000 +0000 +++ fwupd-efi-1.4/RELEASE 2023-01-27 09:29:20.000000000 +0000 
@@ -2,14 +2,14 @@ Write release entries: -git log --format="%s" --cherry-pick --right-only 1.1... | grep -i -v trivial | grep -v Merge | sort | uniq +git log --format="%s" --cherry-pick --right-only 1.3... | grep -i -v trivial | grep -v Merge | sort | uniq Add any user visible changes into ../contrib/org.freedesktop.fwupd.efi.metainfo.xml appstream-util appdata-to-news ../contrib/org.freedesktop.fwupd.efi.metainfo.xml > NEWS 2. Commit changes to git: # MAKE SURE THIS IS CORRECT -export release_ver="1.2" +export release_ver="1.4" git commit -a -m "Release fwupd-efi ${release_ver}" --no-verify git tag -s -f -m "Release fwupd-efi ${release_ver}" "${release_ver}"