rhboot / shim

UEFI shim loader

Shim 15.5 build fail with VENDOR_CERT_FILE and VENDOR_DBX_FILE #460

Closed joeyli closed 2 years ago

joeyli commented 2 years ago

I got the following error when building shim 15.5 with VENDOR_CERT_FILE and VENDOR_DBX_FILE:

    [ 58s] ld -o shim.so --hash-style=sysv -nostdlib -znocombreloc -T /home/abuild/rpmbuild/BUILD/shim-15.4/elf_aarch64_efi.lds -shared -Bsymbolic -Lgnu-efi/aarch64/gnuefi -Lgnu-efi/aarch64/lib -LCryptlib -LCryptl
    [ 58s] ld: shim.o: in function check_denylist:
    [ 58s] /home/abuild/rpmbuild/BUILD/shim-15.4/shim.c:285: undefined reference to vendor_dbx
    [ 58s] ld: /home/abuild/rpmbuild/BUILD/shim-15.4/shim.c:287: undefined reference to vendor_dbx_size
    [ 58s] ld: shim.o: in function verify_one_signature:
    [ 58s] /home/abuild/rpmbuild/BUILD/shim-15.4/shim.c:526: undefined reference to vendor_cert_size
    [ 58s] ld: /home/abuild/rpmbuild/BUILD/shim-15.4/shim.c:529: undefined reference to vendor_cert_size
    [ 58s] ld: /home/abuild/rpmbuild/BUILD/shim-15.4/shim.c:530: undefined reference to vendor_cert
    [ 58s] ld: /home/abuild/rpmbuild/BUILD/shim-15.4/shim.c:536: undefined reference to vendor_cert
    [ 58s] ld: /home/abuild/rpmbuild/BUILD/shim-15.4/shim.c:536: undefined reference to vendor_cert_size
    [ 58s] ld: shim.o: in function shim_init:
    [ 58s] /home/abuild/rpmbuild/BUILD/shim-15.4/shim.c:1286: undefined reference to vendor_cert_size
    [ 58s] ld: /home/abuild/rpmbuild/BUILD/shim-15.4/shim.c:1286: undefined reference to vendor_dbx_size
    [ 58s] ld: shim.o: in function efi_main:
    [ 58s] /home/abuild/rpmbuild/BUILD/shim-15.4/shim.c:1424: undefined reference to vendor_cert_size
    [ 58s] ld: /home/abuild/rpmbuild/BUILD/shim-15.4/shim.c:1425: undefined reference to vendor_cert
    [ 58s] ld: /home/abuild/rpmbuild/BUILD/shim-15.4/shim.c:1427: undefined reference to vendor_dbx_size
    [ 58s] ld: /home/abuild/rpmbuild/BUILD/shim-15.4/shim.c:1428: undefined reference to vendor_dbx
    [ 58s] ld: mok.o:(.data.rel+0x48): undefined reference to vendor_cert
    [ 58s] ld: mok.o:(.data.rel+0x50): undefined reference to vendor_cert_size
    [ 58s] ld: mok.o:(.data.rel+0xc8): undefined reference to vendor_dbx
    [ 58s] ld: mok.o:(.data.rel+0xd0): undefined reference to vendor_dbx_size
    [ 58s] make: *** [Makefile:140: shim.so] Error 1

The building command is here in my spec file for reference:

make RELEASE=0 SHIMSTEM=shim \
     VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \
     DEFAULT_LOADER="\\\\\\\\grub.efi" \
     VENDOR_DBX_FILE=$vendor_dbx \
     shim.efi.debug shim.efi

joeyli commented 2 years ago

I found that it is caused by the patch "cae5e2f7c10 shim/mm/fb: move global state to its own source file". It moved vendor_authorized and vendor_deauthorized from shim.c to globals.c, which causes this issue. They are used by the vendor_cert and vendor_cert_size code in shim.h:

shim.h

        #elif defined(VENDOR_CERT_FILE)
        # define vendor_authorized vendor_cert
        # define vendor_authorized_size vendor_cert_size
        # define vendor_authorized_category VENDOR_ADDEND_X509
        #else
        # define vendor_authorized vendor_null
        # define vendor_authorized_size vendor_null_size
        # define vendor_authorized_category VENDOR_ADDEND_NONE
        #endif

        #if defined(VENDOR_DBX_FILE)
        # define vendor_deauthorized vendor_dbx
        # define vendor_deauthorized_size vendor_dbx_size
        #else
        # define vendor_deauthorized vendor_deauthorized_null
        # define vendor_deauthorized_size vendor_deauthorized_null_size
        #endif

It looks like the macro default cannot reference a variable in another .c file?

joeyli commented 2 years ago

I have sent a pull request here:

https://github.com/rhboot/shim/pull/461

joeyli commented 2 years ago

I found that the root cause is that my shim.spec didn't clear the *.o files after building MokManager.efi and fallback.efi, so the later shim.efi build used the dirty globals.o. That globals.o was built without the VENDOR_CERT_FILE or VENDOR_DBX_FILE option, which causes the ld complaint.

I can easily reproduce the issue with a local build:

make RELEASE=0 MMSTEM=MokManager FBSTEM=fallback MokManager.efi.debug fallback.efi.debug MokManager.efi fallback.efi

make RELEASE=0 SHIMSTEM=shim VENDOR_CERT_FILE=/sle-cert/SLES-UEFI-CA-Certificate.der ENABLE_HTTPBOOT=1 DEFAULT_LOADER="\\grub.efi" VENDOR_DBX_FILE=/sle-cert/vendor-dbx-sles.bin shim.efi.debug shim.efi

So please ignore my issue report. I am closing it here.
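
The stale-object failure described in the last comment can be avoided by tying the object files in a build tree to the make variables they were compiled under. The following is an added example, not part of the original thread or of shim's build system; the function names, the stamp file name and the sample certificate and dbx file names are assumptions.

```shell
#!/bin/sh
# Added example: drop object files when the build configuration changes,
# so objects compiled without VENDOR_CERT_FILE / VENDOR_DBX_FILE are never
# linked into a later shim build. clean_if_config_changed, demo and
# .build-config.stamp are hypothetical names, not part of shim.

# Usage: clean_if_config_changed <build-dir> <VAR=value>...
# Returns 0 if objects were removed, 1 if the configuration is unchanged.
clean_if_config_changed() {
    dir=$1; shift
    stamp="$dir/.build-config.stamp"
    # Fingerprint the settings; sorting makes argument order irrelevant.
    new=$(printf '%s\n' "$@" | sort | cksum)
    old=$(cat "$stamp" 2>/dev/null || true)
    if [ "$new" = "$old" ]; then
        return 1
    fi
    # First run or changed settings: existing objects cannot be trusted.
    find "$dir" -name '*.o' -type f -exec rm -f {} +
    printf '%s\n' "$new" > "$stamp"
    return 0
}

# Demo on a constructed scratch tree that mirrors the two builds in the
# thread: MokManager/fallback first, then shim with vendor files set.
demo() {
    d=$(mktemp -d)
    clean_if_config_changed "$d" RELEASE=0 MMSTEM=MokManager FBSTEM=fallback || true
    : > "$d/globals.o"    # stands in for the object left by the first build
    if clean_if_config_changed "$d" RELEASE=0 SHIMSTEM=shim \
        VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx.bin; then
        echo "configuration changed: stale objects removed"
    fi
    rc=0
    [ ! -e "$d/globals.o" ] || rc=1    # globals.o must be gone before linking
    rm -rf "$d"
    return $rc
}

demo
```

Calling the function with the same variable list before each `make` invocation in a spec file forces a rebuild of globals.o whenever the vendor options differ from the previous build in that tree.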