rhboot · andreabolognani · Jun 18, 2025 · Apr 29, 2025 · Apr 29, 2025 · Mar 31, 2026
diff --git a/.github/workflows/pullrequest.yml b/.github/workflows/pullrequest.yml
@@ -78,6 +78,21 @@ jobs:
             gccarch: x86_64
             makearch: ia32
             distro: f43
+          - arch: amd64
+            efiarch: riscv64
+            gccarch: riscv64
+            makearch: riscv64
+            distro: f45
+          - arch: amd64
+            efiarch: riscv64
+            gccarch: riscv64
+            makearch: riscv64
+            distro: f44
+          - arch: amd64
+            efiarch: riscv64
+            gccarch: riscv64
+            makearch: riscv64
+            distro: f43
 
     steps:
       - name: Checkout

diff --git a/.gitmodules b/.gitmodules
@@ -1,4 +1,4 @@
 [submodule "gnu-efi"]
 	path = gnu-efi
-	url = https://github.com/rhboot/gnu-efi.git
-	branch = shim-16.1
+	url = https://github.com/ncroxon/gnu-efi.git
+	branch = master
diff --git a/Cryptlib/Include/OpenSslSupport.h b/Cryptlib/Include/OpenSslSupport.h
@@ -18,9 +18,6 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #if defined(__x86_64__)
 /* shim.h will check if the compiler is new enough in some other CU */
 
-#if !defined(GNU_EFI_USE_EXTERNAL_STDARG)
-#define GNU_EFI_USE_EXTERNAL_STDARG
-#endif
 
 #if !defined(GNU_EFI_USE_MS_ABI)
 #define GNU_EFI_USE_MS_ABI
@@ -61,7 +58,8 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 
 #define CONFIG_HEADER_BN_H
 
-#if defined(MDE_CPU_X64) || defined(MDE_CPU_AARCH64) || defined(MDE_CPU_IA64)
+#if defined(MDE_CPU_X64) || defined(MDE_CPU_AARCH64) || \
+    defined(MDE_CPU_IA64) || defined(MDE_CPU_RISCV64)
 //
 // With GCC we would normally use SIXTY_FOUR_BIT_LONG, but MSVC needs
 // SIXTY_FOUR_BIT, because 'long' is 32-bit and only 'long long' is

diff --git a/Cryptlib/Library/BaseLib.h b/Cryptlib/Library/BaseLib.h
@@ -1,10 +1,6 @@
 #if defined(__x86_64__)
 /* shim.h will check if the compiler is new enough in some other CU */
 
-#if !defined(GNU_EFI_USE_EXTERNAL_STDARG)
-#define GNU_EFI_USE_EXTERNAL_STDARG
-#endif
-
 #if !defined(GNU_EFI_USE_MS_ABI)
 #define GNU_EFI_USE_MS_ABI
 #endif

diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile
@@ -40,6 +40,9 @@ endif
 ifeq ($(ARCH),arm)
 DEFINES		+= -DMDE_CPU_ARM
 endif
+ifeq ($(ARCH),riscv64)
+DEFINES		+= -DMDE_CPU_RISCV64
+endif
 ifeq ($(ENABLE_CODESIGN_EKU),1)
 DEFINES += -DENABLE_CODESIGN_EKU
 endif

diff --git a/Cryptlib/OpenSSL/Makefile b/Cryptlib/OpenSSL/Makefile
@@ -52,6 +52,9 @@ endif
 ifeq ($(ARCH),arm)
 DEFINES		+= -DMDE_CPU_ARM
 endif
+ifeq ($(ARCH),riscv64)
+DEFINES		+= -DMDE_CPU_RISCV64
+endif
 
 LDFLAGS		= -nostdlib -znocombreloc
 

diff --git a/Cryptlib/SysCall/BaseStrings.c b/Cryptlib/SysCall/BaseStrings.c
@@ -3,7 +3,7 @@
 CHAR8 *
 AsciiStrCat(CHAR8 *Destination, const CHAR8 *Source)
 {
-	UINTN dest_len = strlen((CHAR8 *)Destination);
+	UINTN dest_len = strlen((char *)Destination);
 	UINTN i;
 
 	for (i = 0; Source[i] != '\0'; i++)
@@ -61,7 +61,7 @@ WriteUnaligned32(UINT32 *Buffer, UINT32 Value)
 UINTN
 AsciiStrSize(const CHAR8 *string)
 {
-	return strlen(string) + 1;
+	return strlen((char *)string) + 1;
 }
 
 /* Based on AsciiStrDecimalToUintnS() in edk2

diff --git a/Make.defaults b/Make.defaults
@@ -100,6 +100,13 @@ ifeq ($(ARCH),arm)
 	ARCH_LDFLAGS		+= --defsym=EFI_SUBSYSTEM=$(SUBSYSTEM)
 	ARCH_SECTION_ALIGNMENT	?= 0x1000
 endif
+ifeq ($(ARCH),riscv64)
+	ARCH_CFLAGS		?= -DMDE_CPU_RISCV64 -DPAGE_SIZE=4096
+	ARCH_GNUEFI		?= riscv64
+	ARCH_SUFFIX		?= riscv64
+	ARCH_SUFFIX_UPPER	?= RISCV64
+	ARCH_SECTION_ALIGNMENT	?= 0x1000
+endif
 
 DEFINES		= -DDEFAULT_LOADER='L"$(DEFAULT_LOADER)"' \
 		  -DDEFAULT_LOADER_CHAR='"$(DEFAULT_LOADER)"'
@@ -160,8 +167,8 @@ endif
 LIB_GCC		= $(shell $(CC) $(ARCH_CFLAGS) -print-libgcc-file-name)
 EFI_LIBS	= -lefi -lgnuefi --start-group Cryptlib/libcryptlib.a Cryptlib/OpenSSL/libopenssl.a --end-group $(LIB_GCC)
 FORMAT		?= --output-target efi-app-$(ARCH)
-LOCAL_EFI_PATH	= gnu-efi/$(ARCH_GNUEFI)/gnuefi
-LIBDIR		= gnu-efi/$(ARCH_GNUEFI)/lib
+LOCAL_EFI_PATH	= $(TOPDIR)/gnu-efi/$(ARCH_GNUEFI)/gnuefi
+LIBDIR		= $(TOPDIR)/gnu-efi/$(ARCH_GNUEFI)/lib
 
 MMSTEM		?= mm$(ARCH_SUFFIX)
 MMNAME		= $(MMSTEM).efi
@@ -192,7 +199,7 @@ ifneq ($(origin SBAT_AUTOMATIC_DATE), undefined)
 DEFINES		+= -DSBAT_AUTOMATIC_DATE=$(SBAT_AUTOMATIC_DATE)
 endif
 
-LDFLAGS		= --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(LOCAL_EFI_PATH) -L$(LIBDIR) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) --build-id=sha1 $(ARCH_LDFLAGS) --no-undefined
+LDFLAGS		= --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(LIBDIR) -L$(LOCAL_EFI_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) --build-id=sha1 $(ARCH_LDFLAGS) --no-undefined
 
 ifneq ($(DEBUG),)
 export DEBUG

diff --git a/Makefile b/Makefile
@@ -150,8 +150,8 @@ $(SHIMNAME) $(MMNAME) $(FBNAME) : | post-process-pe
 LIBS = Cryptlib/libcryptlib.a \
        Cryptlib/OpenSSL/libopenssl.a \
        lib/lib.a \
-       gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a \
-       gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a
+       $(TOPDIR)/gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a \
+       $(TOPDIR)/gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a
 
 $(SHIMSONAME): $(OBJS) $(LIBS)
 	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a
@@ -166,15 +166,16 @@ MokManager.o: $(MOK_SOURCES)
 $(MMSONAME): $(MOK_OBJS) $(LIBS)
 	$(LD) -o $@ $(LDFLAGS) $^ $(EFI_LIBS) lib/lib.a
 
-gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a: CFLAGS+=-DGNU_EFI_USE_EXTERNAL_STDARG
-gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a:
+$(TOPDIR)/gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a $(TOPDIR)/gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a:
 	mkdir -p gnu-efi/lib gnu-efi/gnuefi
 	$(MAKE) -C gnu-efi \
 		COMPILER="$(COMPILER)" \
 		CCC_CC="$(COMPILER)" \
 		CC="$(CC)" \
 		ARCH=$(ARCH_GNUEFI) \
+		NO_GLIBC=1 \
 		TOPDIR=$(TOPDIR)/gnu-efi \
+		VPATH=$(TOPDIR)/gnu-efi \
 		-f $(TOPDIR)/gnu-efi/Makefile \
 		lib gnuefi inc $(IGNORE_COMPILER_ERRORS)
 
@@ -358,6 +359,7 @@ clean-gnu-efi:
 			COMPILER="$(COMPILER)" \
 			ARCH=$(ARCH_GNUEFI) \
 			TOPDIR=$(TOPDIR)/gnu-efi \
+			VPATH=$(TOPDIR)/gnu-efi \
 			-f $(TOPDIR)/gnu-efi/Makefile \
 			clean ; \
 	fi

diff --git a/MokManager.c b/MokManager.c
@@ -89,29 +89,29 @@ static EFI_STATUS get_sha1sum(void *Data, int DataSize, UINT8 * hash)
 
 static BOOLEAN is_sha2_hash(EFI_GUID Type)
 {
-	if (CompareGuid(&Type, &EFI_CERT_SHA224_GUID) == 0)
+	if (CompareGuid(&Type, &EFI_CERT_SHA224_GUID))
 		return TRUE;
-	else if (CompareGuid(&Type, &EFI_CERT_SHA256_GUID) == 0)
+	else if (CompareGuid(&Type, &EFI_CERT_SHA256_GUID))
 		return TRUE;
-	else if (CompareGuid(&Type, &EFI_CERT_SHA384_GUID) == 0)
+	else if (CompareGuid(&Type, &EFI_CERT_SHA384_GUID))
 		return TRUE;
-	else if (CompareGuid(&Type, &EFI_CERT_SHA512_GUID) == 0)
+	else if (CompareGuid(&Type, &EFI_CERT_SHA512_GUID))
 		return TRUE;
 
 	return FALSE;
 }
 
 static UINT32 sha_size(EFI_GUID Type)
 {
-	if (CompareGuid(&Type, &EFI_CERT_SHA1_GUID) == 0)
+	if (CompareGuid(&Type, &EFI_CERT_SHA1_GUID))
 		return SHA1_DIGEST_SIZE;
-	else if (CompareGuid(&Type, &EFI_CERT_SHA224_GUID) == 0)
+	else if (CompareGuid(&Type, &EFI_CERT_SHA224_GUID))
 		return SHA224_DIGEST_LENGTH;
-	else if (CompareGuid(&Type, &EFI_CERT_SHA256_GUID) == 0)
+	else if (CompareGuid(&Type, &EFI_CERT_SHA256_GUID))
 		return SHA256_DIGEST_SIZE;
-	else if (CompareGuid(&Type, &EFI_CERT_SHA384_GUID) == 0)
+	else if (CompareGuid(&Type, &EFI_CERT_SHA384_GUID))
 		return SHA384_DIGEST_LENGTH;
-	else if (CompareGuid(&Type, &EFI_CERT_SHA512_GUID) == 0)
+	else if (CompareGuid(&Type, &EFI_CERT_SHA512_GUID))
 		return SHA512_DIGEST_LENGTH;
 
 	return 0;
@@ -121,7 +121,7 @@ static BOOLEAN is_valid_siglist(EFI_GUID Type, UINT32 SigSize)
 {
 	UINT32 hash_sig_size;
 
-	if (CompareGuid (&Type, &X509_GUID) == 0 && SigSize != 0)
+	if (CompareGuid (&Type, &X509_GUID) && SigSize != 0)
 		return TRUE;
 
 	if (!is_sha2_hash(Type))
@@ -206,7 +206,7 @@ static MokListNode *build_mok_list(UINT32 num, void *Data, UINTN DataSize)
 		}
 
 		list[count].Type = CertList->SignatureType;
-		if (CompareGuid (&CertList->SignatureType, &X509_GUID) == 0) {
+		if (CompareGuid (&CertList->SignatureType, &X509_GUID)) {
 			list[count].MokSize = CertList->SignatureSize -
 			    sizeof(EFI_GUID);
 			list[count].Mok = (void *)Cert->SignatureData;
@@ -463,19 +463,19 @@ static void show_sha_digest(EFI_GUID Type, UINT8 * hash)
 	int i;
 	int length;
 
-	if (CompareGuid(&Type, &EFI_CERT_SHA1_GUID) == 0) {
+	if (CompareGuid(&Type, &EFI_CERT_SHA1_GUID)) {
 		length = SHA1_DIGEST_SIZE;
 		text[0] = L"SHA1 hash";
-	} else if (CompareGuid(&Type, &EFI_CERT_SHA224_GUID) == 0) {
+	} else if (CompareGuid(&Type, &EFI_CERT_SHA224_GUID)) {
 		length = SHA224_DIGEST_LENGTH;
 		text[0] = L"SHA224 hash";
-	} else if (CompareGuid(&Type, &EFI_CERT_SHA256_GUID) == 0) {
+	} else if (CompareGuid(&Type, &EFI_CERT_SHA256_GUID)) {
 		length = SHA256_DIGEST_SIZE;
 		text[0] = L"SHA256 hash";
-	} else if (CompareGuid(&Type, &EFI_CERT_SHA384_GUID) == 0) {
+	} else if (CompareGuid(&Type, &EFI_CERT_SHA384_GUID)) {
 		length = SHA384_DIGEST_LENGTH;
 		text[0] = L"SHA384 hash";
-	} else if (CompareGuid(&Type, &EFI_CERT_SHA512_GUID) == 0) {
+	} else if (CompareGuid(&Type, &EFI_CERT_SHA512_GUID)) {
 		length = SHA512_DIGEST_LENGTH;
 		text[0] = L"SHA512 hash";
 	} else {
@@ -564,7 +564,7 @@ static void show_mok_info(EFI_GUID Type, void *Mok, UINTN MokSize)
 	if (!Mok || MokSize == 0)
 		return;
 
-	if (CompareGuid (&Type, &X509_GUID) == 0) {
+	if (CompareGuid (&Type, &X509_GUID)) {
 		UINT8 hash[SHA1_DIGEST_SIZE];
 		X509 *X509Cert;
 
@@ -1062,7 +1062,7 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num,
 
 		DataSize += sizeof(EFI_SIGNATURE_LIST);
 		type = list[i].Type; /* avoid -Werror=address-of-packed-member */
-		if (CompareGuid(&type, &X509_GUID) == 0)
+		if (CompareGuid(&type, &X509_GUID))
 			DataSize += sizeof(EFI_GUID);
 		DataSize += list[i].MokSize;
 	}
@@ -1093,7 +1093,7 @@ static EFI_STATUS write_back_mok_list(MokListNode * list, INTN key_num,
 		CertList->SignatureType = list[i].Type;
 		CertList->SignatureHeaderSize = 0;
 
-		if (CompareGuid(&(CertList->SignatureType), &X509_GUID) == 0) {
+		if (CompareGuid(&(CertList->SignatureType), &X509_GUID)) {
 			CertList->SignatureListSize = list[i].MokSize +
 			    sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID);
 			CertList->SignatureSize =
@@ -1136,7 +1136,7 @@ static void delete_cert(void *key, UINT32 key_size,
 
 	for (i = 0; i < mok_num; i++) {
 		type = mok[i].Type; /* avoid -Werror=address-of-packed-member */
-		if (CompareGuid(&type, &X509_GUID) != 0)
+		if (!CompareGuid(&type, &X509_GUID))
 			continue;
 
 		if (mok[i].MokSize == key_size &&
@@ -1189,7 +1189,7 @@ static void delete_hash_in_list(EFI_GUID Type, UINT8 * hash, UINT32 hash_size,
 
 	for (i = 0; i < mok_num; i++) {
 		type = mok[i].Type; /* avoid -Werror=address-of-packed-member */
-		if ((CompareGuid(&type, &Type) != 0) ||
+		if ((!CompareGuid(&type, &Type)) ||
 		    (mok[i].MokSize < sig_size))
 			continue;
 
@@ -1360,7 +1360,7 @@ static EFI_STATUS delete_keys(void *MokDel, UINTN MokDelSize, BOOLEAN MokX)
 	dprint(L"deleting certs from %a\n", MokX ? "MokListX" : "MokList");
 	for (i = 0; i < del_num; i++) {
 		type = del_key[i].Type; /* avoid -Werror=address-of-packed-member */
-		if (CompareGuid(&type, &X509_GUID) == 0) {
+		if (CompareGuid(&type, &X509_GUID)) {
 			dprint(L"deleting key %d (total %d):\n", i, mok_num);
 			dhexdumpat(del_key[i].Mok, del_key[i].MokSize, 0);
 			delete_cert(del_key[i].Mok, del_key[i].MokSize,

diff --git a/csv.c b/csv.c
@@ -63,7 +63,7 @@ parse_csv_data(char *data, char *data_end, size_t n_columns, list_t *list)
 	}
 
 	max = (uintptr_t)end - (uintptr_t)line + (end > line ? 1 : 0);
-	if (is_utf8_bom(line, max))
+	if (is_utf8_bom((CHAR8 *)line, max))
 
 		line += UTF8_BOM_SIZE;