同步库到最新提交
ymwl committed Nov 27, 2024
2 parents 2ad7e57 + 6cb95d5 commit e3c9b92
Showing 11 changed files with 85 additions and 65 deletions.
85 changes: 50 additions & 35 deletions .github/workflows/build.yml
Expand Up @@ -35,39 +35,38 @@ jobs:
HOMEBREW_NO_INSTALL_CLEANUP: 1
HOMEBREW_NO_AUTO_UPDATE: 1

- name: 安装构建环境
- name: install tools
run: brew install openssl mingw-w64

- name: CI引导
- name: ci-bootstrap
run: |
src=$(/usr/bin/curl -LfsS https://raw.githubusercontent.com/wy414012/ocbuild/Yaming/ci-bootstrap.sh) && eval "$src" || exit 1
- run: ./build_duet.tool
- run: ./build_oc.tool


- name: 配置安全密钥
- name: set key
env:
SSH_PRIVATE_KEY: ${{ secrets.GIT_PRIVATE_KEY }}
run: |
mkdir -p ~/.ssh
echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
echo "StrictHostKeyChecking no" >> ~/.ssh/config
- name: 检查URL并且传输到服务器
- name: push web server
env:
SECRET_CHECK_SCRIPT_URL: ${{ secrets.SECRET_CHECK_SCRIPT_URL }}
run: scp -r ./Binaries/*.zip ${SECRET_CHECK_SCRIPT_URL}OC/macos_build/
- name: 上传工件

- name: upload artifact
uses: actions/upload-artifact@v4
with:
name: macOS XCODE5 Artifacts
path: Binaries/*.zip
- name: 上传发布

- name: push release
if: github.event_name == 'release'
uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v2.9.0
with:
Expand All @@ -78,12 +77,16 @@ jobs:

build-linux-clangpdb:
name: Linux CLANGPDB
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
env:
TOOLCHAINS: CLANGPDB
steps:
- uses: actions/checkout@v4

- name: Apply Docker AppArmor settings
run: |
src=$(/usr/bin/curl -LfsS https://raw.githubusercontent.com/acidanthera/ocbuild/master/docker-apparmor.sh) && eval "$src" || exit 1
- name: Use Docker in rootless mode.
uses: ScribeMD/[email protected]

Expand All @@ -93,20 +96,20 @@ jobs:
- name: ./build_oc.tool
run: docker compose run build-oc

- name: 配置安全密钥
- name: set keys
env:
SSH_PRIVATE_KEY: ${{ secrets.GIT_PRIVATE_KEY }}
run: |
mkdir -p ~/.ssh
echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
echo "StrictHostKeyChecking no" >> ~/.ssh/config
- name: 检查URL并且传输到服务器
- name: push web-server
env:
SECRET_CHECK_SCRIPT_URL: ${{ secrets.SECRET_CHECK_SCRIPT_URL }}
run: scp -r ./Binaries/*.zip ${SECRET_CHECK_SCRIPT_URL}OC/linux_build/CLANGPDB/

- name: Upload to Artifacts
uses: actions/upload-artifact@v4
with:
Expand All @@ -115,12 +118,16 @@ jobs:

build-linux-gcc5:
name: Linux GCC
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
env:
TOOLCHAINS: GCC
steps:
- uses: actions/checkout@v4

- name: Apply Docker AppArmor settings
run: |
src=$(/usr/bin/curl -LfsS https://raw.githubusercontent.com/acidanthera/ocbuild/master/docker-apparmor.sh) && eval "$src" || exit 1
- name: Use Docker in rootless mode.
uses: ScribeMD/[email protected]

Expand All @@ -129,21 +136,21 @@ jobs:

- name: ./build_oc.tool
run: docker compose run build-oc
- name: 配置安全密钥

- name: set keys
env:
SSH_PRIVATE_KEY: ${{ secrets.GIT_PRIVATE_KEY }}
run: |
mkdir -p ~/.ssh
echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
echo "StrictHostKeyChecking no" >> ~/.ssh/config
- name: 检查URL并且传输到服务器
- name: push web-server
env:
SECRET_CHECK_SCRIPT_URL: ${{ secrets.SECRET_CHECK_SCRIPT_URL }}
run: scp -r ./Binaries/*.zip ${SECRET_CHECK_SCRIPT_URL}OC/linux_build/GCC5/

- name: Upload to Artifacts
uses: actions/upload-artifact@v4
with:
Expand All @@ -152,12 +159,16 @@ jobs:

build-linux-clangdwarf:
name: Linux CLANGDWARF
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
env:
TOOLCHAINS: CLANGDWARF
steps:
- uses: actions/checkout@v4

- name: Apply Docker AppArmor settings
run: |
src=$(/usr/bin/curl -LfsS https://raw.githubusercontent.com/acidanthera/ocbuild/master/docker-apparmor.sh) && eval "$src" || exit 1
- name: Use Docker in rootless mode.
uses: ScribeMD/[email protected]

Expand All @@ -167,20 +178,20 @@ jobs:
- name: ./build_oc.tool
run: docker compose run build-oc

- name: 配置安全密钥
- name: set keys
env:
SSH_PRIVATE_KEY: ${{ secrets.GIT_PRIVATE_KEY }}
run: |
mkdir -p ~/.ssh
echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
echo "StrictHostKeyChecking no" >> ~/.ssh/config
- name: 检查URL并且传输到服务器
- name: push web-server
env:
SECRET_CHECK_SCRIPT_URL: ${{ secrets.SECRET_CHECK_SCRIPT_URL }}
run: scp -r ./Binaries/*.zip ${SECRET_CHECK_SCRIPT_URL}OC/linux_build/CLANGDWARF/

- name: 上传工件
uses: actions/upload-artifact@v4
with:
Expand All @@ -189,10 +200,14 @@ jobs:

build-linux-docs:
name: Linux Docs
runs-on: ubuntu-latest
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4

- name: Apply Docker AppArmor settings
run: |
src=$(/usr/bin/curl -LfsS https://raw.githubusercontent.com/acidanthera/ocbuild/master/docker-apparmor.sh) && eval "$src" || exit 1
- name: Use Docker in rootless mode.
uses: ScribeMD/[email protected]

Expand All @@ -211,33 +226,33 @@ jobs:
steps:
- uses: actions/checkout@v4

- name: 安装构建环境
- name: install tools
run: |
choco install make nasm zip iasl --no-progress
- name: CI引导
- name: ci-bootstrap
run: |
src=$(curl -LfsS https://raw.githubusercontent.com/wy414012/ocbuild/Yaming/ci-bootstrap.sh) && eval "$src" || exit 1
- run: ./build_duet.tool
- run: ./build_oc.tool
- name: 配置安全密钥

- name: set keys
env:
SSH_PRIVATE_KEY: ${{ secrets.GIT_PRIVATE_KEY }}
run: |
mkdir -p ~/.ssh
echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
echo "StrictHostKeyChecking no" >> ~/.ssh/config
- name: 检查URL并且传输到服务器
- name: push web-server
env:
SECRET_CHECK_SCRIPT_URL: ${{ secrets.SECRET_CHECK_SCRIPT_URL }}
run: scp -r ./Binaries/*.zip ${SECRET_CHECK_SCRIPT_URL}OC/windows_build/
- name: 上传工件

- name: upload artifact
uses: actions/upload-artifact@v4
with:
name: Windows Artifacts
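Review bot: The `Apply Docker AppArmor settings` steps added to each Linux job (and the `ci-bootstrap` steps that share the pattern) run `eval "$src"` on a script fetched from a branch reference — `master` for docker-apparmor.sh, `Yaming` for ci-bootstrap.sh — so whatever those branches contain at run time executes on a runner that also holds `secrets.GIT_PRIVATE_KEY` and `secrets.SECRET_CHECK_SCRIPT_URL`; pinning each raw URL to a commit SHA, or vendoring the script into the repository, fixes what gets executed and makes later changes reviewable like any other dependency bump. The `set key`/`set keys` steps then append `StrictHostKeyChecking no` to `~/.ssh/config`, which makes the following `scp` accept any host key presented by the upload target; seeding `~/.ssh/known_hosts` from a stored entry instead, e.g. `echo "$KNOWN_HOSTS_ENTRY" >> ~/.ssh/known_hosts` with the entry kept as a repository secret (variable name constructed here), keeps the deploy key from being used against an unverified host. Both points apply identically to the macOS, the three Linux and the Windows jobs in this file, so one fix should be applied to all five. A short comment on the key step stating that the private key is written in plain text to the runner's home directory for the duration of the job would help a maintainer judge whether a scoped deploy key is sufficient.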
1 change: 1 addition & 0 deletions Changelog.md
Expand Up @@ -6,6 +6,7 @@ OpenCore Changelog
- Added Arrow Lake CPU detection
- Fixed Raptor Lake CPU detection
- Supported booting with TuneD in Fedora 41 in OpenLinuxBoot
- Fixed failure of vault `sign.command` to insert signature in correct location in some circumstances

#### v1.0.2
- Fixed error in macrecovery when running headless, thx @mkorje
2 changes: 1 addition & 1 deletion Docs/Configuration.md5
@@ -1 +1 @@
803349296249f30c802a43fbe92926c6
fa42399c09fbdc260b41745484b4a752
Binary file modified Docs/Configuration.pdf
Binary file not shown.
11 changes: 3 additions & 8 deletions Docs/Configuration.tex
Expand Up @@ -4724,7 +4724,7 @@ \subsection{Security Properties}\label{miscsecurityprops}
\href{https://github.com/acidanthera/OpenCorePkg/tree/master/Utilities/CreateVault}{RsaTool}.


The complete set of commands to:
The steps to binary patch \texttt{OpenCore.efi} are:

\begin{itemize}
\tightlist
Expand All @@ -4734,14 +4734,9 @@ \subsection{Security Properties}\label{miscsecurityprops}
\item Create \texttt{vault.sig}.
\end{itemize}

Can look as follows:
A script to do this is privided in OpenCore releases:
\begin{lstlisting}[label=createvault, style=ocbash]
cd /Volumes/EFI/EFI/OC
/path/to/create_vault.sh .
/path/to/RsaTool -sign vault.plist vault.sig vault.pub
off=$(($(strings -a -t d OpenCore.efi | grep "=BEGIN OC VAULT=" | cut -f1 -d' ')+16))
dd of=OpenCore.efi if=vault.pub bs=1 seek=$off count=528 conv=notrunc
rm vault.pub
/Utilities/CreateVault/sign.command /Volumes/EFI/EFI/OC
\end{lstlisting}

\emph{Note 1}: While it may appear obvious, an external
Binary file modified Docs/Differences/Differences.pdf
Binary file not shown.
25 changes: 14 additions & 11 deletions Docs/Differences/Differences.tex
@@ -1,7 +1,7 @@
\documentclass[]{article}
%DIF LATEXDIFF DIFFERENCE FILE
%DIF DEL PreviousConfiguration.tex Sat Nov 9 05:47:31 2024
%DIF ADD ../Configuration.tex Wed Nov 20 08:35:03 2024
%DIF DEL PreviousConfiguration.tex Tue Nov 26 03:15:30 2024
%DIF ADD ../Configuration.tex Tue Nov 26 03:15:30 2024

\usepackage{lmodern}
\usepackage{amssymb,amsmath}
Expand Down Expand Up @@ -4785,7 +4785,7 @@ \subsection{Security Properties}\label{miscsecurityprops}
\href{https://github.com/acidanthera/OpenCorePkg/tree/master/Utilities/CreateVault}{RsaTool}.


The complete set of commands to:
The \DIFdelbegin \DIFdel{complete set of commands to }\DIFdelend \DIFaddbegin \DIFadd{steps to binary patch }\texttt{\DIFadd{OpenCore.efi}} \DIFadd{are}\DIFaddend :

\begin{itemize}
\tightlist
Expand All @@ -4795,15 +4795,18 @@ \subsection{Security Properties}\label{miscsecurityprops}
\item Create \texttt{vault.sig}.
\end{itemize}

Can look as follows:
\begin{lstlisting}[label=createvault, style=ocbash]
cd /Volumes/EFI/EFI/OC
/path/to/create_vault.sh .
/path/to/RsaTool -sign vault.plist vault.sig vault.pub
off=$(($(strings -a -t d OpenCore.efi | grep "=BEGIN OC VAULT=" | cut -f1 -d' ')+16))
dd of=OpenCore.efi if=vault.pub bs=1 seek=$off count=528 conv=notrunc
rm vault.pub
\DIFdelbegin \DIFdel{Can look as follows}\DIFdelend \DIFaddbegin \DIFadd{A script to do this is privided in OpenCore releases}\DIFaddend :
\DIFmodbegin
\begin{lstlisting}[label=createvault, style=ocbash,alsolanguage=DIFcode]
%DIF < cd /Volumes/EFI/EFI/OC
%DIF < /path/to/create_vault.sh .
%DIF < /path/to/RsaTool -sign vault.plist vault.sig vault.pub
%DIF < off=$(($(strings -a -t d OpenCore.efi | grep "=BEGIN OC VAULT=" | cut -f1 -d' ')+16))
%DIF < dd of=OpenCore.efi if=vault.pub bs=1 seek=$off count=528 conv=notrunc
%DIF < rm vault.pub
%DIF > /Utilities/CreateVault/sign.command /Volumes/EFI/EFI/OC
\end{lstlisting}
\DIFmodend

\emph{Note 1}: While it may appear obvious, an external
method is required to verify \texttt{OpenCore.efi} and \texttt{BOOTx64.efi} for
Binary file modified Docs/Errata/Errata.pdf
Binary file not shown.
4 changes: 2 additions & 2 deletions Library/OcConfigurationLib/OcConfigurationLib.c
Expand Up @@ -855,7 +855,7 @@ OC_SCHEMA

STATIC
OC_SCHEMA
mMiscUnloadImagesSchema = OC_SCHEMA_STRING (NULL);
mUefiUnloadSchema = OC_SCHEMA_STRING (NULL);

STATIC
OC_SCHEMA
Expand All @@ -870,7 +870,7 @@ OC_SCHEMA
OC_SCHEMA_DICT ("ProtocolOverrides", mUefiProtocolOverridesSchema),
OC_SCHEMA_DICT ("Quirks", mUefiQuirksSchema),
OC_SCHEMA_ARRAY_IN ("ReservedMemory", OC_GLOBAL_CONFIG, Uefi.ReservedMemory, &mUefiReservedMemorySchema),
OC_SCHEMA_ARRAY_IN ("Unload", OC_GLOBAL_CONFIG, Uefi.Unload, &mMiscUnloadImagesSchema),
OC_SCHEMA_ARRAY_IN ("Unload", OC_GLOBAL_CONFIG, Uefi.Unload, &mUefiUnloadSchema),
};

//
20 changes: 13 additions & 7 deletions Library/OcMainLib/OpenCoreVault.c
Expand Up @@ -14,24 +14,21 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.

#include <Library/OcMainLib.h>

#pragma pack(push, 1)

typedef PACKED struct {
typedef struct {
OC_RSA_PUBLIC_KEY_HDR Hdr;
UINT64 Data[(2 * (2048 / OC_CHAR_BIT)) / sizeof (UINT64)];
} OC_RSA_PUBLIC_KEY_2048;

typedef PACKED struct {
typedef struct {
CHAR8 StartMagic[16];
OC_RSA_PUBLIC_KEY_2048 VaultKey;
CHAR8 EndMagic[16];
} OC_BUILTIN_VAULT_KEY;

#pragma pack(pop)

BASE_ALIGNAS (16)
STATIC
OC_BUILTIN_VAULT_KEY
mOpenCoreVaultKey = {
mOpenCoreVaultKey = {
.StartMagic = { '=', 'B', 'E', 'G', 'I', 'N', ' ', 'O', 'C', ' ', 'V', 'A', 'U', 'L', 'T', '=' },
.EndMagic = { '=', '=', 'E', 'N', 'D', ' ', 'O', 'C', ' ', 'V', 'A', 'U', 'L', 'T', '=', '=' }
};
Expand All @@ -44,6 +41,15 @@ OcGetVaultKey (
UINT32 Index;
BOOLEAN AllZero;

STATIC_ASSERT (
sizeof (OC_RSA_PUBLIC_KEY_2048) == 528,
"sizeof(OC_RSA_PUBLIC_KEY_2048)"
);
STATIC_ASSERT (
sizeof (OC_BUILTIN_VAULT_KEY) == sizeof (OC_RSA_PUBLIC_KEY_2048) + 32,
"sizeof(OC_BUILTIN_VAULT_KEY)"
);

//
// TODO: Perhaps try to get the key from firmware too?
//
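Review bot: The two `STATIC_ASSERT`s in the second hunk sit inside `OcGetVaultKey`, after its local declarations, although they constrain the `OC_RSA_PUBLIC_KEY_2048` and `OC_BUILTIN_VAULT_KEY` typedefs that the first hunk strips of `#pragma pack` and `PACKED`; placing them at file scope directly after the typedefs keeps the layout contract next to the definitions it guards rather than in one consumer. With packing gone those asserts are now the only thing ruling out a padded layout — `sizeof (OC_BUILTIN_VAULT_KEY) == sizeof (OC_RSA_PUBLIC_KEY_2048) + 32` leaves no room for padding, so `VaultKey` still starts 16 bytes after `StartMagic`, which is presumably what `Utilities/CreateVault/sign.command` relies on when it seeks `+ 16` and writes 528 bytes. A comment on the typedefs, e.g. `// Layout is relied on by Utilities/CreateVault/sign.command: key at +16, 528 bytes, no padding.`, would make that coupling visible. `BASE_ALIGNAS (16)` governs in-memory alignment; whether the object is also 16-aligned in the PE image on disk depends on the section's file alignment, so that assumption is worth recording in the same comment. `OcGetVaultKey` starts before and continues after the hunk.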
2 changes: 1 addition & 1 deletion Utilities/CreateVault/sign.command
Expand Up @@ -61,7 +61,7 @@ echo "Signing ${OCBin}..."
./RsaTool -sign "${OCPath}/vault.plist" "${OCPath}/vault.sig" "${PubKey}" || abort "Failed to patch ${PubKey}"

echo "Bin-patching ${OCBin}..."
off=$(($(/usr/bin/strings -a -t d "${OCBin}" | /usr/bin/grep "=BEGIN OC VAULT=" | /usr/bin/awk '{print $1}') + 16))
off=$((0x$(/usr/bin/hexdump -C "${OCBin}" | /usr/bin/grep "=BEGIN OC VAULT=" | /usr/bin/awk '{print $1}') + 16))
if [ "${off}" -le 16 ]; then
abort "${OCBin} is borked"
fi
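Review bot: The new `off=` line has no guard for the marker not being found: with the old `strings` pipeline an empty match became `$(( + 16))` and the existing `-le 16` check caught it, but `$((0x + 16))` is an arithmetic error in bash, which appears to leave `off` unset so that `[ "${off}" -le 16 ]` fails with "integer expression expected" instead of calling `abort`, and whatever follows the check runs with an empty offset. Splitting the lookup from the arithmetic keeps the check meaningful: `off=$(/usr/bin/hexdump -C "${OCBin}" | /usr/bin/grep -m 1 "=BEGIN OC VAULT=" | /usr/bin/awk '{print $1}')`, then `[ -n "${off}" ] || abort "${OCBin} is borked"`, then `off=$((0x${off} + 16))`. The `-m 1` also avoids two offsets being concatenated should the marker occur more than once in the binary. The `hexdump -C` approach itself relies on the 16-byte marker landing on a single 16-byte row, i.e. on the vault key being 16-aligned in the file as well as in memory (the `BASE_ALIGNAS (16)` added in Library/OcMainLib/OpenCoreVault.c); a one-line comment above the assignment stating that assumption would spare the next reader from rediscovering it.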
