diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index be770cdcf67..6f918319464 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -35,10 +35,10 @@ jobs:
 HOMEBREW_NO_INSTALL_CLEANUP: 1
 HOMEBREW_NO_AUTO_UPDATE: 1
- - name: 安装构建环境
+ - name: install tools
 run: brew install openssl mingw-w64
- - name: CI引导
+ - name: ci-bootstrap
 run: |
 src=$(/usr/bin/curl -LfsS https://raw.githubusercontent.com/wy414012/ocbuild/Yaming/ci-bootstrap.sh) && eval "$src" || exit 1
@@ -46,8 +46,7 @@ jobs:
 - run: ./build_duet.tool
 - run: ./build_oc.tool
-
- - name: 配置安全密钥
+ - name: set key
 env:
 SSH_PRIVATE_KEY: ${{ secrets.GIT_PRIVATE_KEY }}
 run: |
@@ -55,19 +54,19 @@ jobs:
 echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
 chmod 600 ~/.ssh/id_ed25519
 echo "StrictHostKeyChecking no" >> ~/.ssh/config
-
- - name: 检查URL并且传输到服务器
+
+ - name: push web server
 env:
 SECRET_CHECK_SCRIPT_URL: ${{ secrets.SECRET_CHECK_SCRIPT_URL }}
 run: scp -r ./Binaries/*.zip ${SECRET_CHECK_SCRIPT_URL}OC/macos_build/
-
- - name: 上传工件
+
+ - name: upload artifact
 uses: actions/upload-artifact@v4
 with:
 name: macOS XCODE5 Artifacts
 path: Binaries/*.zip
-
- - name: 上传发布
+
+ - name: push release
 if: github.event_name == 'release'
 uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v2.9.0
 with:
@@ -78,12 +77,16 @@ jobs:
 build-linux-clangpdb:
 name: Linux CLANGPDB
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
 env:
 TOOLCHAINS: CLANGPDB
 steps:
 - uses: actions/checkout@v4
+ - name: Apply Docker AppArmor settings
+ run: |
+ src=$(/usr/bin/curl -LfsS https://raw.githubusercontent.com/acidanthera/ocbuild/master/docker-apparmor.sh) && eval "$src" || exit 1
+
 - name: Use Docker in rootless mode.
 uses: ScribeMD/rootless-docker@0.2.2
@@ -93,7 +96,7 @@ jobs:
 - name: ./build_oc.tool
 run: docker compose run build-oc
- - name: 配置安全密钥
+ - name: set keys
 env:
 SSH_PRIVATE_KEY: ${{ secrets.GIT_PRIVATE_KEY }}
 run: |
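Review bot: The translated step names are inconsistent across jobs and one is left untranslated: this hunk uses `install tools` and `ci-bootstrap`, the @@ -46 hunk names the key step `set key` while @@ -93, @@ -129, @@ -167 and @@ -211 use `set keys`, @@ -55 says `push web server` where the later jobs say `push web-server`, and the CLANGDWARF job in @@ -175 still carries `- name: 上传工件` next to `upload artifact` and `Upload to Artifacts` in the other jobs. Step names are what the Actions UI and log filters show, so pick one spelling per step (for example `set keys`, `push web-server`, `upload artifact`) and apply it in every job in this commit.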
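Review bot: The `set key` step on the new side still writes `echo "StrictHostKeyChecking no" >> ~/.ssh/config` immediately before the `scp` that ships the build output with the `GIT_PRIVATE_KEY` identity, so the upload host is never authenticated and an impostor on the path could receive the binaries or the session; the same lines recur in @@ -101, @@ -138, @@ -175 and @@ -231. Seed `~/.ssh/known_hosts` with the server's host key instead, e.g. `echo "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts` fed from a new secret (name constructed here), and drop the config line. The host comes from `SECRET_CHECK_SCRIPT_URL`, whose format is not visible in the diff, so the known_hosts entry has to be kept in step with that secret.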
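Review bot: The new `Apply Docker AppArmor settings` step fetches `docker-apparmor.sh` from the mutable `master` ref of `acidanthera/ocbuild` and `eval`s it on a runner that later receives `secrets.GIT_PRIVATE_KEY`, so whatever that branch holds at run time executes with the job's secrets in reach; the same step is added in @@ -115, @@ -152 and @@ -189, and the pre-existing `ci-bootstrap` step in @@ -35 and @@ -211 follows the same pattern from `wy414012/ocbuild/Yaming`. Pin the URL to a commit, `https://raw.githubusercontent.com/acidanthera/ocbuild/<commit-sha>/docker-apparmor.sh` (placeholder), and check a known digest of `$src` before `eval`, or vendor the script into this repository. In the same hunk `uses: ScribeMD/rootless-docker@0.2.2` is tag-pinned while `svenstaro/upload-release-action` in @@ -55 is pinned by full SHA; pinning both by SHA gives consistent protection against a moved tag.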
@@ -101,12 +104,12 @@ jobs:
 echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
 chmod 600 ~/.ssh/id_ed25519
 echo "StrictHostKeyChecking no" >> ~/.ssh/config
-
- - name: 检查URL并且传输到服务器
+
+ - name: push web-server
 env:
 SECRET_CHECK_SCRIPT_URL: ${{ secrets.SECRET_CHECK_SCRIPT_URL }}
 run: scp -r ./Binaries/*.zip ${SECRET_CHECK_SCRIPT_URL}OC/linux_build/CLANGPDB/
-
+
 - name: Upload to Artifacts
 uses: actions/upload-artifact@v4
 with:
@@ -115,12 +118,16 @@ jobs:
 build-linux-gcc5:
 name: Linux GCC
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
 env:
 TOOLCHAINS: GCC
 steps:
 - uses: actions/checkout@v4
+ - name: Apply Docker AppArmor settings
+ run: |
+ src=$(/usr/bin/curl -LfsS https://raw.githubusercontent.com/acidanthera/ocbuild/master/docker-apparmor.sh) && eval "$src" || exit 1
+
 - name: Use Docker in rootless mode.
 uses: ScribeMD/rootless-docker@0.2.2
@@ -129,8 +136,8 @@ jobs:
 - name: ./build_oc.tool
 run: docker compose run build-oc
-
- - name: 配置安全密钥
+
+ - name: set keys
 env:
 SSH_PRIVATE_KEY: ${{ secrets.GIT_PRIVATE_KEY }}
 run: |
@@ -138,12 +145,12 @@ jobs:
 echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
 chmod 600 ~/.ssh/id_ed25519
 echo "StrictHostKeyChecking no" >> ~/.ssh/config
-
- - name: 检查URL并且传输到服务器
+
+ - name: push web-server
 env:
 SECRET_CHECK_SCRIPT_URL: ${{ secrets.SECRET_CHECK_SCRIPT_URL }}
 run: scp -r ./Binaries/*.zip ${SECRET_CHECK_SCRIPT_URL}OC/linux_build/GCC5/
-
+
 - name: Upload to Artifacts
 uses: actions/upload-artifact@v4
 with:
@@ -152,12 +159,16 @@ jobs:
 build-linux-clangdwarf:
 name: Linux CLANGDWARF
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
 env:
 TOOLCHAINS: CLANGDWARF
 steps:
 - uses: actions/checkout@v4
+ - name: Apply Docker AppArmor settings
+ run: |
+ src=$(/usr/bin/curl -LfsS https://raw.githubusercontent.com/acidanthera/ocbuild/master/docker-apparmor.sh) && eval "$src" || exit 1
+
 - name: Use Docker in rootless mode.
 uses: ScribeMD/rootless-docker@0.2.2
@@ -167,7 +178,7 @@ jobs:
 - name: ./build_oc.tool
 run: docker compose run build-oc
- - name: 配置安全密钥
+ - name: set keys
 env:
 SSH_PRIVATE_KEY: ${{ secrets.GIT_PRIVATE_KEY }}
 run: |
@@ -175,12 +186,12 @@ jobs:
 echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
 chmod 600 ~/.ssh/id_ed25519
 echo "StrictHostKeyChecking no" >> ~/.ssh/config
-
- - name: 检查URL并且传输到服务器
+
+ - name: push web-server
 env:
 SECRET_CHECK_SCRIPT_URL: ${{ secrets.SECRET_CHECK_SCRIPT_URL }}
 run: scp -r ./Binaries/*.zip ${SECRET_CHECK_SCRIPT_URL}OC/linux_build/CLANGDWARF/
-
+
 - name: 上传工件
 uses: actions/upload-artifact@v4
 with:
@@ -189,10 +200,14 @@ jobs:
 build-linux-docs:
 name: Linux Docs
- runs-on: ubuntu-latest
+ runs-on: ubuntu-24.04
 steps:
 - uses: actions/checkout@v4
+ - name: Apply Docker AppArmor settings
+ run: |
+ src=$(/usr/bin/curl -LfsS https://raw.githubusercontent.com/acidanthera/ocbuild/master/docker-apparmor.sh) && eval "$src" || exit 1
+
 - name: Use Docker in rootless mode.
 uses: ScribeMD/rootless-docker@0.2.2
@@ -211,19 +226,19 @@ jobs:
 steps:
 - uses: actions/checkout@v4
- - name: 安装构建环境
+ - name: install tools
 run: |
 choco install make nasm zip iasl --no-progress
- - name: CI引导
+ - name: ci-bootstrap
 run: |
 src=$(curl -LfsS https://raw.githubusercontent.com/wy414012/ocbuild/Yaming/ci-bootstrap.sh) && eval "$src" || exit 1
 - run: ./build_duet.tool
 - run: ./build_oc.tool
-
- - name: 配置安全密钥
+
+ - name: set keys
 env:
 SSH_PRIVATE_KEY: ${{ secrets.GIT_PRIVATE_KEY }}
 run: |
@@ -231,13 +246,13 @@ jobs:
 echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
 chmod 600 ~/.ssh/id_ed25519
 echo "StrictHostKeyChecking no" >> ~/.ssh/config
-
- - name: 检查URL并且传输到服务器
+
+ - name: push web-server
 env:
 SECRET_CHECK_SCRIPT_URL: ${{ secrets.SECRET_CHECK_SCRIPT_URL }}
 run: scp -r ./Binaries/*.zip ${SECRET_CHECK_SCRIPT_URL}OC/windows_build/
-
- - name: 上传工件
+
+ - name: upload artifact
 uses: actions/upload-artifact@v4
 with:
 name: Windows Artifacts
diff --git a/Changelog.md b/Changelog.md
index 741ab07d2a1..480a389c686 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -6,6 +6,7 @@ OpenCore Changelog
 - Added Arrow Lake CPU detection
 - Fixed Raptor Lake CPU detection
 - Supported booting with TuneD in Fedora 41 in OpenLinuxBoot
+- Fixed failure of vault `sign.command` to insert signature in correct location in some circumstances
 #### v1.0.2
 - Fixed error in macrecovery when running headless, thx @mkorje
diff --git a/Docs/Configuration.md5 b/Docs/Configuration.md5
index 4cf502e297a..57e39321615 100644
--- a/Docs/Configuration.md5
+++ b/Docs/Configuration.md5
@@ -1 +1 @@
-803349296249f30c802a43fbe92926c6
+fa42399c09fbdc260b41745484b4a752
diff --git a/Docs/Configuration.pdf b/Docs/Configuration.pdf
index ddf77ab97c1..49e0d006259 100644
Binary files a/Docs/Configuration.pdf and b/Docs/Configuration.pdf differ
diff --git a/Docs/Configuration.tex b/Docs/Configuration.tex
index 707439e05b3..b74e45a6a11 100755
--- a/Docs/Configuration.tex
+++ b/Docs/Configuration.tex
@@ -4724,7 +4724,7 @@ \subsection{Security Properties}\label{miscsecurityprops}
 \href{https://github.com/acidanthera/OpenCorePkg/tree/master/Utilities/CreateVault}{RsaTool}.
- The complete set of commands to:
+ The steps to binary patch \texttt{OpenCore.efi} are:
 \begin{itemize}
 \tightlist
@@ -4734,14 +4734,9 @@ \subsection{Security Properties}\label{miscsecurityprops}
 \item Create \texttt{vault.sig}.
 \end{itemize}
- Can look as follows:
+ A script to do this is privided in OpenCore releases:
 \begin{lstlisting}[label=createvault, style=ocbash]
-cd /Volumes/EFI/EFI/OC
-/path/to/create_vault.sh .
-/path/to/RsaTool -sign vault.plist vault.sig vault.pub
-off=$(($(strings -a -t d OpenCore.efi | grep "=BEGIN OC VAULT=" | cut -f1 -d' ')+16))
-dd of=OpenCore.efi if=vault.pub bs=1 seek=$off count=528 conv=notrunc
-rm vault.pub
+/Utilities/CreateVault/sign.command /Volumes/EFI/EFI/OC
 \end{lstlisting}
 \emph{Note 1}: While it may appear obvious, an external
diff --git a/Docs/Differences/Differences.pdf b/Docs/Differences/Differences.pdf
index 64bff6d39de..3e5b6f71c85 100644
Binary files a/Docs/Differences/Differences.pdf and b/Docs/Differences/Differences.pdf differ
diff --git a/Docs/Differences/Differences.tex b/Docs/Differences/Differences.tex
index ba53c0e59ef..01c5fba9d53 100644
--- a/Docs/Differences/Differences.tex
+++ b/Docs/Differences/Differences.tex
@@ -1,7 +1,7 @@
 \documentclass[]{article}
 %DIF LATEXDIFF DIFFERENCE FILE
-%DIF DEL PreviousConfiguration.tex Sat Nov 9 05:47:31 2024
-%DIF ADD ../Configuration.tex Wed Nov 20 08:35:03 2024
+%DIF DEL PreviousConfiguration.tex Tue Nov 26 03:15:30 2024
+%DIF ADD ../Configuration.tex Tue Nov 26 03:15:30 2024
 \usepackage{lmodern}
 \usepackage{amssymb,amsmath}
@@ -4785,7 +4785,7 @@ \subsection{Security Properties}\label{miscsecurityprops}
 \href{https://github.com/acidanthera/OpenCorePkg/tree/master/Utilities/CreateVault}{RsaTool}.
- The complete set of commands to:
+ The \DIFdelbegin \DIFdel{complete set of commands to }\DIFdelend \DIFaddbegin \DIFadd{steps to binary patch }\texttt{\DIFadd{OpenCore.efi}} \DIFadd{are}\DIFaddend :
 \begin{itemize}
 \tightlist
@@ -4795,15 +4795,18 @@ \subsection{Security Properties}\label{miscsecurityprops}
 \item Create \texttt{vault.sig}.
 \end{itemize}
- Can look as follows:
-\begin{lstlisting}[label=createvault, style=ocbash]
-cd /Volumes/EFI/EFI/OC
-/path/to/create_vault.sh .
-/path/to/RsaTool -sign vault.plist vault.sig vault.pub
-off=$(($(strings -a -t d OpenCore.efi | grep "=BEGIN OC VAULT=" | cut -f1 -d' ')+16))
-dd of=OpenCore.efi if=vault.pub bs=1 seek=$off count=528 conv=notrunc
-rm vault.pub
+ \DIFdelbegin \DIFdel{Can look as follows}\DIFdelend \DIFaddbegin \DIFadd{A script to do this is privided in OpenCore releases}\DIFaddend :
+\DIFmodbegin
+\begin{lstlisting}[label=createvault, style=ocbash,alsolanguage=DIFcode]
+%DIF < cd /Volumes/EFI/EFI/OC
+%DIF < /path/to/create_vault.sh .
+%DIF < /path/to/RsaTool -sign vault.plist vault.sig vault.pub
+%DIF < off=$(($(strings -a -t d OpenCore.efi | grep "=BEGIN OC VAULT=" | cut -f1 -d' ')+16))
+%DIF < dd of=OpenCore.efi if=vault.pub bs=1 seek=$off count=528 conv=notrunc
+%DIF < rm vault.pub
+%DIF > /Utilities/CreateVault/sign.command /Volumes/EFI/EFI/OC
 \end{lstlisting}
+\DIFmodend
 \emph{Note 1}: While it may appear obvious, an external
 method is required to verify \texttt{OpenCore.efi} and \texttt{BOOTx64.efi} for
diff --git a/Docs/Errata/Errata.pdf b/Docs/Errata/Errata.pdf
index d420d9e441b..e73cd27d42f 100644
Binary files a/Docs/Errata/Errata.pdf and b/Docs/Errata/Errata.pdf differ
diff --git a/Library/OcConfigurationLib/OcConfigurationLib.c b/Library/OcConfigurationLib/OcConfigurationLib.c
index 108ca05a566..a1b90da4dc1 100644
--- a/Library/OcConfigurationLib/OcConfigurationLib.c
+++ b/Library/OcConfigurationLib/OcConfigurationLib.c
@@ -855,7 +855,7 @@ OC_SCHEMA
 STATIC
 OC_SCHEMA
- mMiscUnloadImagesSchema = OC_SCHEMA_STRING (NULL);
+ mUefiUnloadSchema = OC_SCHEMA_STRING (NULL);
 STATIC
 OC_SCHEMA
@@ -870,7 +870,7 @@ OC_SCHEMA
 OC_SCHEMA_DICT ("ProtocolOverrides", mUefiProtocolOverridesSchema),
 OC_SCHEMA_DICT ("Quirks", mUefiQuirksSchema),
 OC_SCHEMA_ARRAY_IN ("ReservedMemory", OC_GLOBAL_CONFIG, Uefi.ReservedMemory, &mUefiReservedMemorySchema),
- OC_SCHEMA_ARRAY_IN ("Unload", OC_GLOBAL_CONFIG, Uefi.Unload, &mMiscUnloadImagesSchema),
+ OC_SCHEMA_ARRAY_IN ("Unload", OC_GLOBAL_CONFIG, Uefi.Unload, &mUefiUnloadSchema),
 };
 //
diff --git a/Library/OcMainLib/OpenCoreVault.c b/Library/OcMainLib/OpenCoreVault.c
index af5a54f3492..064d5cc73a2 100644
--- a/Library/OcMainLib/OpenCoreVault.c
+++ b/Library/OcMainLib/OpenCoreVault.c
@@ -14,24 +14,21 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #include
-#pragma pack(push, 1)
-
-typedef PACKED struct {
+typedef struct {
 OC_RSA_PUBLIC_KEY_HDR Hdr;
 UINT64 Data[(2 * (2048 / OC_CHAR_BIT)) / sizeof (UINT64)];
 } OC_RSA_PUBLIC_KEY_2048;
-typedef PACKED struct {
+typedef struct {
 CHAR8 StartMagic[16];
 OC_RSA_PUBLIC_KEY_2048 VaultKey;
 CHAR8 EndMagic[16];
 } OC_BUILTIN_VAULT_KEY;
-#pragma pack(pop)
-
+BASE_ALIGNAS (16)
 STATIC OC_BUILTIN_VAULT_KEY
- mOpenCoreVaultKey = {
+mOpenCoreVaultKey = {
 .StartMagic = { '=', 'B', 'E', 'G', 'I', 'N', ' ', 'O', 'C', ' ', 'V', 'A', 'U', 'L', 'T', '=' },
 .EndMagic = { '=', '=', 'E', 'N', 'D', ' ', 'O', 'C', ' ', 'V', 'A', 'U', 'L', 'T', '=', '=' }
 };
@@ -44,6 +41,15 @@ OcGetVaultKey (
 UINT32 Index;
 BOOLEAN AllZero;
+ STATIC_ASSERT (
+ sizeof (OC_RSA_PUBLIC_KEY_2048) == 528,
+ "sizeof(OC_RSA_PUBLIC_KEY_2048)"
+ );
+ STATIC_ASSERT (
+ sizeof (OC_BUILTIN_VAULT_KEY) == sizeof (OC_RSA_PUBLIC_KEY_2048) + 32,
+ "sizeof(OC_BUILTIN_VAULT_KEY)"
+ );
+
 //
 // TODO: Perhaps try to get the key from firmware too?
 //
diff --git a/Utilities/CreateVault/sign.command b/Utilities/CreateVault/sign.command
index ffbdec17f07..cbb2366b934 100755
--- a/Utilities/CreateVault/sign.command
+++ b/Utilities/CreateVault/sign.command
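Review bot: The two `STATIC_ASSERT`s added in `OcGetVaultKey` check only total sizes, which does not cover what the layout now depends on after `#pragma pack` was dropped in the @@ -14 hunk: `sizeof (OC_RSA_PUBLIC_KEY_2048) == 528` would still hold if `OC_RSA_PUBLIC_KEY_HDR` (not visible here) were shorter than 16 bytes and padded up to the `UINT64` alignment of `Data`, yet the 528-byte `vault.pub` blob that `sign.command` patches in presumably expects `Data` to follow the header with no gap. Add `STATIC_ASSERT (OFFSET_OF (OC_RSA_PUBLIC_KEY_2048, Data) == sizeof (OC_RSA_PUBLIC_KEY_HDR), "...")` and `STATIC_ASSERT (OFFSET_OF (OC_BUILTIN_VAULT_KEY, VaultKey) == 16, "...")`, and place all of them at file scope next to the typedefs rather than inside one function so the layout is checked wherever the types are used. A one-line comment above `BASE_ALIGNAS (16)` recording that `sign.command` locates the key with `hexdump -C`, whose per-line offsets only work if the start magic sits on a 16-byte boundary, would make the reason for the alignment visible to the next editor. `OcGetVaultKey` starts before this hunk.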
@@ -61,7 +61,7 @@ echo "Signing ${OCBin}..."
 ./RsaTool -sign "${OCPath}/vault.plist" "${OCPath}/vault.sig" "${PubKey}" || abort "Failed to patch ${PubKey}"
 echo "Bin-patching ${OCBin}..."
-off=$(($(/usr/bin/strings -a -t d "${OCBin}" | /usr/bin/grep "=BEGIN OC VAULT=" | /usr/bin/awk '{print $1}') + 16))
+off=$((0x$(/usr/bin/hexdump -C "${OCBin}" | /usr/bin/grep "=BEGIN OC VAULT=" | /usr/bin/awk '{print $1}') + 16))
 if [ "${off}" -le 16 ]; then
 abort "${OCBin} is borked"
 fi
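Review bot: The first field of `hexdump -C` is the offset of a 16-byte dump line, not of the match, so the new `+ 16` lands on the key only when `=BEGIN OC VAULT=` starts exactly on a 16-byte boundary (presumably why `BASE_ALIGNAS (16)` is added to `OpenCoreVault.c` in the same commit); that assumption deserves a comment above the line, e.g. `# hexdump -C prints 16 bytes per line and the start magic is 16-byte aligned in the binary, so the line offset is the magic offset`. The no-match path also regressed: an empty `grep` result used to yield `off=16` and trip the `-le 16` abort, but now expands to `$((0x + 16))`, which bash rejects as an arithmetic error, so `off` may stay empty and `[ "${off}" -le 16 ]` fails with its own error instead of calling `abort` unless the script runs under `set -e` (not visible in the hunk); a second occurrence of the magic would likewise produce a two-line value. Capture the grep output first and validate it before the arithmetic, keeping the existing guard below as a second check.
```shell
echo "Bin-patching ${OCBin}..."
line=$(/usr/bin/hexdump -C "${OCBin}" | /usr/bin/grep "=BEGIN OC VAULT=" | /usr/bin/awk '{print $1}')
# Exactly one 16-byte-aligned dump line must hold the start magic.
if [ -z "${line}" ] || [ "$(printf '%s\n' "${line}" | /usr/bin/wc -l)" -ne 1 ]; then
  abort "${OCBin} is borked"
fi
off=$((0x${line} + 16))
# … unchanged: existing "-le 16" guard and the patching that follows …
```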