secure boot: Make SELoader optional and copy sig files when GRUB_SIGN_VERIFY=1

This commit makes the SELoader entire optional and allows it to be removed, with the intended replacement being to use grub's built in gpg key verification. It will be possible in a template or local.conf: UEFI_SELOADER = "0" GRUB_SIGN_VERIFY = "1" [ Issue: LINUXEXEC-2450 ] Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
2026-01-12 01:00:15 +00:00 · 2019-10-24 14:14:55 -07:00
parent 59a1f79ad8
commit 31d2105b7a
7 changed files with 62 additions and 30 deletions
--- a/meta-efi-secure-boot/recipes-base/packagegroups/packagegroup-efi-secure-boot.bb
+++ b/meta-efi-secure-boot/recipes-base/packagegroups/packagegroup-efi-secure-boot.bb
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "\

 S = "${WORKDIR}"

+SELOADER_PKG = "${@'seloader' if d.getVar('UEFI_SELOADER', True) == '1' else ''}"
 ALLOW_EMPTY_${PN} = "1"

 pkgs = "\
@@ -13,7 +14,7 @@ pkgs = "\
    efitools \
    efibootmgr \
    mokutil \
-    seloader \
+    ${SELOADER_PKG} \
    shim \
 "

--- a/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc
+++ b/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc
@@ -59,6 +59,17 @@ do_install() {
    oe_runmake install DESTDIR='${D}${base_prefix}'
 }

+fakeroot python do_sign_class-target() {
+    image_dir = d.getVar('D', True)
+    efi_boot_path = d.getVar('EFI_BOOT_PATH', True)
+    uks_boot_sign(os.path.join(image_dir + efi_boot_path, 'LockDown.efi'), d)
+}
+addtask sign after do_install before do_deploy do_package
+do_sign[prefuncs] += "${@'check_boot_public_key' if d.getVar('GRUB_SIGN_VERIFY', True) == '1' else ''}"
+
+fakeroot python do_sign() {
+}
+
 FILES_${PN} += "${EFI_BOOT_PATH}"

 SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/LockDown.efi"
--- a/meta-efi-secure-boot/recipes-bsp/efitools/efitools_git.bb
+++ b/meta-efi-secure-boot/recipes-bsp/efitools/efitools_git.bb
@@ -77,6 +77,9 @@ do_deploy() {
    install -d ${DEPLOYDIR}

    install -m 0600 ${D}${EFI_BOOT_PATH}/LockDown.efi "${DEPLOYDIR}"
+    if [ -e ${D}${EFI_BOOT_PATH}/LockDown.efi.sig ] ; then
+        install -m 0600 ${D}${EFI_BOOT_PATH}/LockDown.efi.sig "${DEPLOYDIR}"
+    fi
 }
 addtask deploy after do_install before do_build

--- a/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb
+++ b/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb
@@ -41,6 +41,8 @@ S = "${WORKDIR}/git"

 inherit deploy user-key-store

+SHIM_DEFAULT_LOADER = "${@'DEFAULT_LOADER=\\\\\\\\\\\\SELoader${EFI_ARCH}.efi' if d.getVar('UEFI_SELOADER', True) == '1' else ''}"
+
 EXTRA_OEMAKE = "\
    CROSS_COMPILE="${TARGET_PREFIX}" \
    prefix="${STAGING_DIR_HOST}/${prefix}" \
@@ -49,9 +51,9 @@ EXTRA_OEMAKE = "\
    EFI_PATH="${STAGING_LIBDIR}" \
    EFI_INCLUDE="${STAGING_INCDIR}/efi" \
    RELEASE="_${DISTRO}_${DISTRO_VERSION}" \
-    DEFAULT_LOADER=\\\\\\SELoader${EFI_ARCH}.efi \
    OPENSSL=${STAGING_BINDIR_NATIVE}/openssl \
    HEXDUMP=${STAGING_BINDIR_NATIVE}/hexdump \
+    ${SHIM_DEFAULT_LOADER} \
    PK12UTIL=${STAGING_BINDIR_NATIVE}/pk12util \
    CERTUTIL=${STAGING_BINDIR_NATIVE}/certutil \
    SBSIGN=${STAGING_BINDIR_NATIVE}/sbsign \
--- a/meta-efi-secure-boot/recipes-core/images/kernel-initramfs-efi-secure-boot.inc
+++ b/meta-efi-secure-boot/recipes-core/images/kernel-initramfs-efi-secure-boot.inc
@@ -7,31 +7,35 @@ do_install[nostamp] = "1"
 fakeroot python do_sign() {
    if d.getVar('BUNDLE', True) == '0':
        for compr in d.getVar('INITRAMFS_FSTYPES').split():
-            uks_sel_sign(d.expand('${D}/boot/${INITRAMFS_IMAGE}${INITRAMFS_EXT_NAME}.') + compr, d)
+            uks_bl_sign(d.expand('${D}/boot/${INITRAMFS_IMAGE}${INITRAMFS_EXT_NAME}.') + compr, d)
    else:
-        uks_sel_sign(d.expand('${D}/boot/${KERNEL_IMAGETYPE}-initramfs${INITRAMFS_EXT_NAME}'), d)
+        uks_bl_sign(d.expand('${D}/boot/${KERNEL_IMAGETYPE}-initramfs${INITRAMFS_EXT_NAME}'), d)
 }
 addtask sign after do_install before do_deploy do_package
 do_sign[prefuncs] += "check_deploy_keys"
+do_sign[prefuncs] += "${@'check_boot_public_key' if d.getVar('GRUB_SIGN_VERIFY', True) == '1' else ''}"

 do_deploy() {
    install -d "${DEPLOYDIR}"
-    for SIG in ${D}/boot/*.p7b; do
-        install -m 0644 ${SIG} ${DEPLOYDIR}
-    done
+    if [ "${UEFI_SELOADER}" = "1" ] ; then
+        for SIG in ${D}/boot/*${SB_FILE_EXT}; do
+            install -m 0644 ${SIG} ${DEPLOYDIR}
+        done
+    fi
 }
 addtask deploy after do_install before do_build

 python do_package_prepend () {
+    ext = d.expand('${SB_FILE_EXT}')
    if d.getVar('BUNDLE') == '1':
-        d.appendVar(d.expand('ALTERNATIVE_${PN}'), ' ' + d.expand('${KERNEL_IMAGETYPE}' + '-initramfs.p7b'))
-        d.setVarFlag('ALTERNATIVE_LINK_NAME', d.expand('${KERNEL_IMAGETYPE}') + '-initramfs.p7b', d.expand('/boot/${KERNEL_IMAGETYPE}-initramfs.p7b'))
-        d.setVarFlag('ALTERNATIVE_TARGET', d.expand('${KERNEL_IMAGETYPE}') + '-initramfs.p7b', d.expand('/boot/${KERNEL_IMAGETYPE}-initramfs${INITRAMFS_EXT_NAME}.p7b'))
-        d.setVarFlag('ALTERNATIVE_PRIORITY', d.expand('${KERNEL_IMAGETYPE}') + '-initramfs.p7b', '50101')
+        d.appendVar(d.expand('ALTERNATIVE_${PN}'), ' ' + d.expand('${KERNEL_IMAGETYPE}' + '-initramfs' + ext))
+        d.setVarFlag('ALTERNATIVE_LINK_NAME', d.expand('${KERNEL_IMAGETYPE}') + '-initramfs' + ext, d.expand('/boot/${KERNEL_IMAGETYPE}-initramfs' + ext))
+        d.setVarFlag('ALTERNATIVE_TARGET', d.expand('${KERNEL_IMAGETYPE}') + '-initramfs' + ext, d.expand('/boot/${KERNEL_IMAGETYPE}-initramfs${INITRAMFS_EXT_NAME}' + ext))
+        d.setVarFlag('ALTERNATIVE_PRIORITY', d.expand('${KERNEL_IMAGETYPE}') + '-initramfs' + ext, '50101')
    else:
        for compr in d.getVar('INITRAMFS_FSTYPES').split():
-            d.appendVar(d.expand('ALTERNATIVE_${PN}'), ' ' + d.expand('${INITRAMFS_IMAGE}') + '.p7b')
-            d.setVarFlag('ALTERNATIVE_LINK_NAME', d.expand('${INITRAMFS_IMAGE}') + '.p7b', d.expand('/boot/${INITRAMFS_IMAGE}.p7b'))
-            d.setVarFlag('ALTERNATIVE_TARGET', d.expand('${INITRAMFS_IMAGE}') + '.p7b', d.expand('/boot/${INITRAMFS_IMAGE}${INITRAMFS_EXT_NAME}.' + compr + '.p7b'))
-            d.setVarFlag('ALTERNATIVE_PRIORITY', d.expand('${INITRAMFS_IMAGE}') + '.p7b', '50101')
+            d.appendVar(d.expand('ALTERNATIVE_${PN}'), ' ' + d.expand('${INITRAMFS_IMAGE}') + ext)
+            d.setVarFlag('ALTERNATIVE_LINK_NAME', d.expand('${INITRAMFS_IMAGE}') + ext, d.expand('/boot/${INITRAMFS_IMAGE}.p7b'))
+            d.setVarFlag('ALTERNATIVE_TARGET', d.expand('${INITRAMFS_IMAGE}') + ext, d.expand('/boot/${INITRAMFS_IMAGE}${INITRAMFS_EXT_NAME}.' + compr + ext))
+            d.setVarFlag('ALTERNATIVE_PRIORITY', d.expand('${INITRAMFS_IMAGE}') + ext, '50101')
 }
--- a/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-efi-secure-boot.inc
+++ b/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-efi-secure-boot.inc
@@ -29,17 +29,19 @@ fakeroot python do_sign() {

        # SELoader signature is always based on the unsigned kernel image,
        # disallowing chainloader to kernel efi-stub.
-        uks_sel_sign(kernel, d)
+        uks_bl_sign(kernel, d)

        shutil.copyfile(kernel, d.expand('${D}/boot/') + type + d.expand('-${KERNEL_RELEASE}'))
-        shutil.copyfile(kernel + '.p7b', d.expand('${D}/boot/') + type + d.expand('-${KERNEL_RELEASE}.p7b'))
-        os.symlink(type + d.expand('-${KERNEL_RELEASE}.p7b'), d.expand('${D}/boot/') + type + '.p7b')
+        ext = d.expand('${SB_FILE_EXT}')
+        shutil.copyfile(kernel + ext, d.expand('${D}/boot/') + type + d.expand('-${KERNEL_RELEASE}' + ext))
+        os.symlink(type + d.expand('-${KERNEL_RELEASE}' + ext), d.expand('${D}/boot/') + type + ext)
 }

 # Make sure the kernel image has been signed before kernel_do_deploy()
 # which prepares the kernel image for creating usb/iso.
 addtask sign after do_install before do_package do_populate_sysroot do_deploy
 do_sign[prefuncs] += "check_deploy_keys"
+do_sign[prefuncs] += "${@'check_boot_public_key' if d.getVar('GRUB_SIGN_VERIFY', True) == '1' else ''}"

 fakeroot python do_sign_bundled_kernel() {
    import re
@@ -63,10 +65,11 @@ fakeroot python do_sign_bundled_kernel() {

        # SELoader signature is always based on the unsigned kernel image,
        # disallowing chainloader to kernel efi-stub.
-        uks_sel_sign(kernel, d)
+        uks_bl_sign(kernel, d)

        shutil.copyfile(kernel, d.expand('${D}/boot/') + type + d.expand('-initramfs-${MACHINE}.bin'))
-        shutil.copyfile(kernel + '.p7b', d.expand('${D}/boot/') + type + d.expand('-initramfs-${MACHINE}.bin.p7b'))
+        ext = d.expand('${SB_FILE_EXT}')
+        shutil.copyfile(kernel + ext, d.expand('${D}/boot/') + type + d.expand('-initramfs-${MACHINE}.bin' + ext))
 }
 addtask sign_bundled_kernel after do_bundle_initramfs before do_deploy

@@ -82,24 +85,24 @@ do_deploy_append() {
            install -m 0644 "${B}/$imageType.initramfs.unsigned" "${DEPLOYDIR}/efi-unsigned/$imageType.initramfs"
        fi

-        if [ -f "${D}/boot/$imageType-initramfs-${MACHINE}.bin.p7b" ]; then
-            install -m 0644 "${D}/boot/$imageType-initramfs-${MACHINE}.bin.p7b" "${DEPLOYDIR}"
+        if [ -f "${D}/boot/$imageType-initramfs-${MACHINE}.bin${SB_FILE_EXT}" ]; then
+            install -m 0644 "${D}/boot/$imageType-initramfs-${MACHINE}.bin${SB_FILE_EXT}" "${DEPLOYDIR}"
        fi

-        if [ -f "${B}/${KERNEL_OUTPUT_DIR}/$imageType.p7b" ]; then
-            base_name="${imageType}-${KERNEL_IMAGE_NAME}.bin.p7b"
+        if [ -f "${B}/${KERNEL_OUTPUT_DIR}/$imageType${SB_FILE_EXT}" ]; then
+            base_name="${imageType}-${KERNEL_IMAGE_NAME}.bin${SB_FILE_EXT}"

-            install -m 0644 "${B}/${KERNEL_OUTPUT_DIR}/$imageType.p7b" "${DEPLOYDIR}/$base_name"
-            ln -sf "$base_name" "${DEPLOYDIR}/$imageType-${KERNEL_IMAGE_LINK_NAME}.bin.p7b"
-            ln -sf "$base_name" "${DEPLOYDIR}/$imageType.p7b"
+            install -m 0644 "${B}/${KERNEL_OUTPUT_DIR}/$imageType${SB_FILE_EXT}" "${DEPLOYDIR}/$base_name"
+            ln -sf "$base_name" "${DEPLOYDIR}/$imageType-${KERNEL_IMAGE_LINK_NAME}.bin${SB_FILE_EXT}"
+            ln -sf "$base_name" "${DEPLOYDIR}/$imageType${SB_FILE_EXT}"
        fi
    done
 }

-# Ship *.p7b files to related packages
+# Ship *.p7b or *.sig files to related packages
 python do_package_prepend() {
    for type in d.expand('${KERNEL_IMAGETYPES}').split():
        typelower = type.lower()
-        d.appendVar('FILES_kernel-image-' + typelower, ' /boot/' + type + d.expand('-${KERNEL_VERSION_NAME}.p7b'))
-        d.appendVar('FILES_kernel-image-' + typelower, ' /boot/' + type + '.p7b')
+        d.appendVar('FILES_kernel-image-' + typelower, ' /boot/' + type + d.expand('-${KERNEL_VERSION_NAME}${SB_FILE_EXT}'))
+        d.appendVar('FILES_kernel-image-' + typelower, ' /boot/' + type + d.expand('${SB_FILE_EXT}'))
 }
--- a/meta-signing-key/classes/user-key-store.bbclass
+++ b/meta-signing-key/classes/user-key-store.bbclass
@@ -413,6 +413,9 @@ def deploy_keys(name, d):
    bb.build.exec_func('deploy_' + name.lower() + '_keys', d)

 def sanity_check_user_keys(name, may_exit, d):
+    if d.getVar('UEFI_SELOADER', True) == '1' and d.getVar('GRUB_SIGN_VERIFY', True) == '1':
+        bb.fatal("UEFI_SELOADER and GRUB_SIGN_VERIFY cannot both be set to '1'")
+
    if name == 'UEFI_SB':
        _ = check_uefi_sb_user_keys(d)
    elif name == 'MOK_SB':
@@ -521,5 +524,10 @@ def boot_sign(input, d):
        bb.fatal('Failed to sign: %s' % (input))

 def uks_boot_sign(input, d):
+    boot_sign(input, d)
+
+def uks_bl_sign(input, d):
+    if d.getVar('UEFI_SELOADER', True) == '1':
+        uks_sel_sign(input, d)
    if d.getVar('GRUB_SIGN_VERIFY', True) == '1':
        boot_sign(input, d)