diff --git a/meta-efi-secure-boot/recipes-base/packagegroups/packagegroup-efi-secure-boot.bb b/meta-efi-secure-boot/recipes-base/packagegroups/packagegroup-efi-secure-boot.bb index 1dee84e..341e767 100644 --- a/meta-efi-secure-boot/recipes-base/packagegroups/packagegroup-efi-secure-boot.bb +++ b/meta-efi-secure-boot/recipes-base/packagegroups/packagegroup-efi-secure-boot.bb @@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "\ S = "${WORKDIR}" +SELOADER_PKG = "${@'seloader' if d.getVar('UEFI_SELOADER', True) == '1' else ''}" ALLOW_EMPTY_${PN} = "1" pkgs = "\ @@ -13,7 +14,7 @@ pkgs = "\ efitools \ efibootmgr \ mokutil \ - seloader \ + ${SELOADER_PKG} \ shim \ " diff --git a/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc b/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc index a1a1d1d..9006fd3 100644 --- a/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc +++ b/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc @@ -59,6 +59,17 @@ do_install() { oe_runmake install DESTDIR='${D}${base_prefix}' } +fakeroot python do_sign_class-target() { + image_dir = d.getVar('D', True) + efi_boot_path = d.getVar('EFI_BOOT_PATH', True) + uks_boot_sign(os.path.join(image_dir + efi_boot_path, 'LockDown.efi'), d) +} +addtask sign after do_install before do_deploy do_package +do_sign[prefuncs] += "${@'check_boot_public_key' if d.getVar('GRUB_SIGN_VERIFY', True) == '1' else ''}" + +fakeroot python do_sign() { +} + FILES_${PN} += "${EFI_BOOT_PATH}" SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/LockDown.efi" diff --git a/meta-efi-secure-boot/recipes-bsp/efitools/efitools_git.bb b/meta-efi-secure-boot/recipes-bsp/efitools/efitools_git.bb index efa8674..763ab72 100644 --- a/meta-efi-secure-boot/recipes-bsp/efitools/efitools_git.bb +++ b/meta-efi-secure-boot/recipes-bsp/efitools/efitools_git.bb 
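Review bot: In the efitools.inc hunk, `do_sign_class-target` calls `uks_boot_sign`, which this series turns into an unconditional `boot_sign` (user-key-store.bbclass hunk at -521), so LockDown.efi is signed in every configuration, while the `check_boot_public_key` prefunc on the next line is attached only when GRUB_SIGN_VERIFY is '1'. In a build without GRUB_SIGN_VERIFY the signing step therefore runs without the key sanity check and can only fail with the generic 'Failed to sign' fatal. Either gate the call the same way, `if d.getVar('GRUB_SIGN_VERIFY', True) == '1':` around the `uks_boot_sign(...)` line, or attach the prefunc unconditionally, whichever matches the intent; the `-e` guard on LockDown.efi.sig in the efitools_git.bb do_deploy hunk suggests the former. Separately, `os.path.join(image_dir + efi_boot_path, 'LockDown.efi')` relies on EFI_BOOT_PATH starting with '/' and on plain concatenation for the directory part; `os.path.join(image_dir, efi_boot_path.lstrip('/'), 'LockDown.efi')` makes that explicit.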
@@ -77,6 +77,9 @@ do_deploy() { install -d ${DEPLOYDIR} install -m 0600 ${D}${EFI_BOOT_PATH}/LockDown.efi "${DEPLOYDIR}" + if [ -e ${D}${EFI_BOOT_PATH}/LockDown.efi.sig ] ; then + install -m 0600 ${D}${EFI_BOOT_PATH}/LockDown.efi.sig "${DEPLOYDIR}" + fi } addtask deploy after do_install before do_build diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb b/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb index e7eef0c..6ebe282 100644 --- a/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb +++ b/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb @@ -41,6 +41,8 @@ S = "${WORKDIR}/git" inherit deploy user-key-store +SHIM_DEFAULT_LOADER = "${@'DEFAULT_LOADER=\\\\\\\\\\\\SELoader${EFI_ARCH}.efi' if d.getVar('UEFI_SELOADER', True) == '1' else ''}" + EXTRA_OEMAKE = "\ CROSS_COMPILE="${TARGET_PREFIX}" \ prefix="${STAGING_DIR_HOST}/${prefix}" \ @@ -49,9 +51,9 @@ EXTRA_OEMAKE = "\ EFI_PATH="${STAGING_LIBDIR}" \ EFI_INCLUDE="${STAGING_INCDIR}/efi" \ RELEASE="_${DISTRO}_${DISTRO_VERSION}" \ - DEFAULT_LOADER=\\\\\\SELoader${EFI_ARCH}.efi \ OPENSSL=${STAGING_BINDIR_NATIVE}/openssl \ HEXDUMP=${STAGING_BINDIR_NATIVE}/hexdump \ + ${SHIM_DEFAULT_LOADER} \ PK12UTIL=${STAGING_BINDIR_NATIVE}/pk12util \ CERTUTIL=${STAGING_BINDIR_NATIVE}/certutil \ SBSIGN=${STAGING_BINDIR_NATIVE}/sbsign \ diff --git a/meta-efi-secure-boot/recipes-core/images/kernel-initramfs-efi-secure-boot.inc b/meta-efi-secure-boot/recipes-core/images/kernel-initramfs-efi-secure-boot.inc index fb073a1..1a7a74f 100644 --- a/meta-efi-secure-boot/recipes-core/images/kernel-initramfs-efi-secure-boot.inc +++ b/meta-efi-secure-boot/recipes-core/images/kernel-initramfs-efi-secure-boot.inc 
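Review bot: The `-e` test makes a missing LockDown.efi.sig silently non-fatal in do_deploy, so a build that expects a signed LockDown.efi (do_sign_class-target in efitools.inc now signs it) would deploy only the unsigned binary without any diagnostic. If the signature is required whenever GRUB_SIGN_VERIFY is '1', an `else` branch with `bbfatal "LockDown.efi.sig missing although GRUB_SIGN_VERIFY is set"` under that condition would catch a broken sign step early instead of at first boot. Also note the detached signature is installed with mode 0600 here while the kernel and initramfs signatures in this series use 0644; if the stricter mode is deliberate a short comment would help.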
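Review bot: `SHIM_DEFAULT_LOADER` encodes the loader path as twelve backslashes inside a Python literal, which collapse to the six the removed inline `DEFAULT_LOADER=` line carried; nothing in the hunk says why six are needed, and the next person to touch this has no way to check it. A comment on the assignment such as `# 12 backslashes in the python literal = 6 after Python escaping, the count the old inline DEFAULT_LOADER line used; adjust together with shim's Makefile quoting` would record the dependency. It would also be worth stating in that comment that when UEFI_SELOADER is not '1' the variable is empty and shim falls back to whatever its own Makefile defaults DEFAULT_LOADER to, since that default is not visible here.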
@@ -7,31 +7,35 @@ do_install[nostamp] = "1" fakeroot python do_sign() { if d.getVar('BUNDLE', True) == '0': for compr in d.getVar('INITRAMFS_FSTYPES').split(): - uks_sel_sign(d.expand('${D}/boot/${INITRAMFS_IMAGE}${INITRAMFS_EXT_NAME}.') + compr, d) + uks_bl_sign(d.expand('${D}/boot/${INITRAMFS_IMAGE}${INITRAMFS_EXT_NAME}.') + compr, d) else: - uks_sel_sign(d.expand('${D}/boot/${KERNEL_IMAGETYPE}-initramfs${INITRAMFS_EXT_NAME}'), d) + uks_bl_sign(d.expand('${D}/boot/${KERNEL_IMAGETYPE}-initramfs${INITRAMFS_EXT_NAME}'), d) } addtask sign after do_install before do_deploy do_package do_sign[prefuncs] += "check_deploy_keys" +do_sign[prefuncs] += "${@'check_boot_public_key' if d.getVar('GRUB_SIGN_VERIFY', True) == '1' else ''}" do_deploy() { install -d "${DEPLOYDIR}" - for SIG in ${D}/boot/*.p7b; do - install -m 0644 ${SIG} ${DEPLOYDIR} - done + if [ "${UEFI_SELOADER}" = "1" ] ; then + for SIG in ${D}/boot/*${SB_FILE_EXT}; do + install -m 0644 ${SIG} ${DEPLOYDIR} + done + fi } addtask deploy after do_install before do_build python do_package_prepend () { + ext = d.expand('${SB_FILE_EXT}') if d.getVar('BUNDLE') == '1': - d.appendVar(d.expand('ALTERNATIVE_${PN}'), ' ' + d.expand('${KERNEL_IMAGETYPE}' + '-initramfs.p7b')) - d.setVarFlag('ALTERNATIVE_LINK_NAME', d.expand('${KERNEL_IMAGETYPE}') + '-initramfs.p7b', d.expand('/boot/${KERNEL_IMAGETYPE}-initramfs.p7b')) - d.setVarFlag('ALTERNATIVE_TARGET', d.expand('${KERNEL_IMAGETYPE}') + '-initramfs.p7b', d.expand('/boot/${KERNEL_IMAGETYPE}-initramfs${INITRAMFS_EXT_NAME}.p7b')) - d.setVarFlag('ALTERNATIVE_PRIORITY', d.expand('${KERNEL_IMAGETYPE}') + '-initramfs.p7b', '50101') + d.appendVar(d.expand('ALTERNATIVE_${PN}'), ' ' + d.expand('${KERNEL_IMAGETYPE}' + '-initramfs' + ext)) + d.setVarFlag('ALTERNATIVE_LINK_NAME', d.expand('${KERNEL_IMAGETYPE}') + '-initramfs' + ext, d.expand('/boot/${KERNEL_IMAGETYPE}-initramfs' + ext)) + d.setVarFlag('ALTERNATIVE_TARGET', d.expand('${KERNEL_IMAGETYPE}') + '-initramfs' + ext, 
d.expand('/boot/${KERNEL_IMAGETYPE}-initramfs${INITRAMFS_EXT_NAME}' + ext)) + d.setVarFlag('ALTERNATIVE_PRIORITY', d.expand('${KERNEL_IMAGETYPE}') + '-initramfs' + ext, '50101') else: for compr in d.getVar('INITRAMFS_FSTYPES').split(): - d.appendVar(d.expand('ALTERNATIVE_${PN}'), ' ' + d.expand('${INITRAMFS_IMAGE}') + '.p7b') - d.setVarFlag('ALTERNATIVE_LINK_NAME', d.expand('${INITRAMFS_IMAGE}') + '.p7b', d.expand('/boot/${INITRAMFS_IMAGE}.p7b')) - d.setVarFlag('ALTERNATIVE_TARGET', d.expand('${INITRAMFS_IMAGE}') + '.p7b', d.expand('/boot/${INITRAMFS_IMAGE}${INITRAMFS_EXT_NAME}.' + compr + '.p7b')) - d.setVarFlag('ALTERNATIVE_PRIORITY', d.expand('${INITRAMFS_IMAGE}') + '.p7b', '50101') + d.appendVar(d.expand('ALTERNATIVE_${PN}'), ' ' + d.expand('${INITRAMFS_IMAGE}') + ext) + d.setVarFlag('ALTERNATIVE_LINK_NAME', d.expand('${INITRAMFS_IMAGE}') + ext, d.expand('/boot/${INITRAMFS_IMAGE}.p7b')) + d.setVarFlag('ALTERNATIVE_TARGET', d.expand('${INITRAMFS_IMAGE}') + ext, d.expand('/boot/${INITRAMFS_IMAGE}${INITRAMFS_EXT_NAME}.' + compr + ext)) + d.setVarFlag('ALTERNATIVE_PRIORITY', d.expand('${INITRAMFS_IMAGE}') + ext, '50101') } diff --git a/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-efi-secure-boot.inc b/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-efi-secure-boot.inc index df594ba..34b2eb5 100644 --- a/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-efi-secure-boot.inc +++ b/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-efi-secure-boot.inc 
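Review bot: In the `else` branch of `do_package_prepend`, the `ALTERNATIVE_LINK_NAME` value still hard-codes `.p7b` — `d.expand('/boot/${INITRAMFS_IMAGE}.p7b')` — while the link key, target and priority on the surrounding lines were switched to `ext`. With SB_FILE_EXT set to anything other than `.p7b` the alternative link would be created at `/boot/<image>.p7b` and point at a file with the other extension, which is unlikely to be what the verifier expects. It should read `d.setVarFlag('ALTERNATIVE_LINK_NAME', d.expand('${INITRAMFS_IMAGE}') + ext, d.expand('/boot/${INITRAMFS_IMAGE}') + ext)`, mirroring the bundled branch above it. The `do_deploy` rewrite in the same hunk also ships signatures only when UEFI_SELOADER is '1'; if that is intended for the GRUB_SIGN_VERIFY case (signatures shipped only inside the package), a one-line comment saying so would stop readers from filing it as an omission.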
@@ -29,17 +29,19 @@ fakeroot python do_sign() { # SELoader signature is always based on the unsigned kernel image, # disallowing chainloader to kernel efi-stub. - uks_sel_sign(kernel, d) + uks_bl_sign(kernel, d) shutil.copyfile(kernel, d.expand('${D}/boot/') + type + d.expand('-${KERNEL_RELEASE}')) - shutil.copyfile(kernel + '.p7b', d.expand('${D}/boot/') + type + d.expand('-${KERNEL_RELEASE}.p7b')) - os.symlink(type + d.expand('-${KERNEL_RELEASE}.p7b'), d.expand('${D}/boot/') + type + '.p7b') + ext = d.expand('${SB_FILE_EXT}') + shutil.copyfile(kernel + ext, d.expand('${D}/boot/') + type + d.expand('-${KERNEL_RELEASE}' + ext)) + os.symlink(type + d.expand('-${KERNEL_RELEASE}' + ext), d.expand('${D}/boot/') + type + ext) } # Make sure the kernel image has been signed before kernel_do_deploy() # which prepares the kernel image for creating usb/iso. addtask sign after do_install before do_package do_populate_sysroot do_deploy do_sign[prefuncs] += "check_deploy_keys" +do_sign[prefuncs] += "${@'check_boot_public_key' if d.getVar('GRUB_SIGN_VERIFY', True) == '1' else ''}" fakeroot python do_sign_bundled_kernel() { import re @@ -63,10 +65,11 @@ fakeroot python do_sign_bundled_kernel() { # SELoader signature is always based on the unsigned kernel image, # disallowing chainloader to kernel efi-stub. - uks_sel_sign(kernel, d) + uks_bl_sign(kernel, d) shutil.copyfile(kernel, d.expand('${D}/boot/') + type + d.expand('-initramfs-${MACHINE}.bin')) - shutil.copyfile(kernel + '.p7b', d.expand('${D}/boot/') + type + d.expand('-initramfs-${MACHINE}.bin.p7b')) + ext = d.expand('${SB_FILE_EXT}') + shutil.copyfile(kernel + ext, d.expand('${D}/boot/') + type + d.expand('-initramfs-${MACHINE}.bin' + ext)) } addtask sign_bundled_kernel after do_bundle_initramfs before do_deploy 
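Review bot: After `uks_bl_sign(kernel, d)` the copy `shutil.copyfile(kernel + ext, ...)` assumes a signature file now exists, but `uks_bl_sign` (user-key-store.bbclass hunk at -521) does nothing when neither UEFI_SELOADER nor GRUB_SIGN_VERIFY is '1', so in that configuration do_sign fails with a raw FileNotFoundError on `kernel + ext` instead of either skipping cleanly or reporting that no signing mode is enabled; the same sequence appears in the second hunk of this file (`do_sign_bundled_kernel`). Unless do_sign is gated on those variables somewhere outside this diff, guard the copy and symlink with `if os.path.exists(kernel + ext):` or make uks_bl_sign return whether it signed. The comment above the call, 'SELoader signature is always based on the unsigned kernel image, disallowing chainloader to kernel efi-stub', is now also reached on the GRUB_SIGN_VERIFY path; rewording it to 'The signature (SELoader or grub) is always based on the unsigned kernel image …' keeps it accurate. Both functions start before their hunks.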
@@ -82,24 +85,24 @@ do_deploy_append() { install -m 0644 "${B}/$imageType.initramfs.unsigned" "${DEPLOYDIR}/efi-unsigned/$imageType.initramfs" fi - if [ -f "${D}/boot/$imageType-initramfs-${MACHINE}.bin.p7b" ]; then - install -m 0644 "${D}/boot/$imageType-initramfs-${MACHINE}.bin.p7b" "${DEPLOYDIR}" + if [ -f "${D}/boot/$imageType-initramfs-${MACHINE}.bin${SB_FILE_EXT}" ]; then + install -m 0644 "${D}/boot/$imageType-initramfs-${MACHINE}.bin${SB_FILE_EXT}" "${DEPLOYDIR}" fi - if [ -f "${B}/${KERNEL_OUTPUT_DIR}/$imageType.p7b" ]; then - base_name="${imageType}-${KERNEL_IMAGE_NAME}.bin.p7b" + if [ -f "${B}/${KERNEL_OUTPUT_DIR}/$imageType${SB_FILE_EXT}" ]; then + base_name="${imageType}-${KERNEL_IMAGE_NAME}.bin${SB_FILE_EXT}" - install -m 0644 "${B}/${KERNEL_OUTPUT_DIR}/$imageType.p7b" "${DEPLOYDIR}/$base_name" - ln -sf "$base_name" "${DEPLOYDIR}/$imageType-${KERNEL_IMAGE_LINK_NAME}.bin.p7b" - ln -sf "$base_name" "${DEPLOYDIR}/$imageType.p7b" + install -m 0644 "${B}/${KERNEL_OUTPUT_DIR}/$imageType${SB_FILE_EXT}" "${DEPLOYDIR}/$base_name" + ln -sf "$base_name" "${DEPLOYDIR}/$imageType-${KERNEL_IMAGE_LINK_NAME}.bin${SB_FILE_EXT}" + ln -sf "$base_name" "${DEPLOYDIR}/$imageType${SB_FILE_EXT}" fi done } -# Ship *.p7b files to related packages +# Ship *.p7b or *.sig files to related packages python do_package_prepend() { for type in d.expand('${KERNEL_IMAGETYPES}').split(): typelower = type.lower() - d.appendVar('FILES_kernel-image-' + typelower, ' /boot/' + type + d.expand('-${KERNEL_VERSION_NAME}.p7b')) - d.appendVar('FILES_kernel-image-' + typelower, ' /boot/' + type + '.p7b') + d.appendVar('FILES_kernel-image-' + typelower, ' /boot/' + type + d.expand('-${KERNEL_VERSION_NAME}${SB_FILE_EXT}')) + d.appendVar('FILES_kernel-image-' + typelower, ' /boot/' + type + d.expand('${SB_FILE_EXT}')) } diff --git a/meta-signing-key/classes/user-key-store.bbclass b/meta-signing-key/classes/user-key-store.bbclass index 7abe1cf..f9ca09a 100644 
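Review bot: The `-f` tests in `do_deploy_append` and the FILES additions in `do_package_prepend` now build file names from `${SB_FILE_EXT}` with no check that it is non-empty; I cannot see where SB_FILE_EXT is defined, but if it expands to '' when no signing mode is selected, `"${B}/${KERNEL_OUTPUT_DIR}/$imageType${SB_FILE_EXT}"` is the kernel image itself, which would then be re-installed as `${imageType}-${KERNEL_IMAGE_NAME}.bin` and symlinked as `$imageType` in DEPLOYDIR, and `/boot/<type>-${KERNEL_VERSION_NAME}` would be claimed a second time in FILES. A guard at the top of the shell loop body, `[ -n "${SB_FILE_EXT}" ] || continue`, and `if not d.expand('${SB_FILE_EXT}'): return` at the top of the python function remove that ambiguity. `do_deploy_append` starts before the hunk.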
--- a/meta-signing-key/classes/user-key-store.bbclass +++ b/meta-signing-key/classes/user-key-store.bbclass @@ -413,6 +413,9 @@ def deploy_keys(name, d): bb.build.exec_func('deploy_' + name.lower() + '_keys', d) def sanity_check_user_keys(name, may_exit, d): + if d.getVar('UEFI_SELOADER', True) == '1' and d.getVar('GRUB_SIGN_VERIFY', True) == '1': + bb.fatal("UEFI_SELOADER and GRUB_SIGN_VERIFY cannot both be set to '1'") + if name == 'UEFI_SB': _ = check_uefi_sb_user_keys(d) elif name == 'MOK_SB': @@ -521,5 +524,10 @@ def boot_sign(input, d): bb.fatal('Failed to sign: %s' % (input)) def uks_boot_sign(input, d): + boot_sign(input, d) + +def uks_bl_sign(input, d): + if d.getVar('UEFI_SELOADER', True) == '1': + uks_sel_sign(input, d) if d.getVar('GRUB_SIGN_VERIFY', True) == '1': boot_sign(input, d)
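Review bot: The new mutual-exclusion check in `sanity_check_user_keys` calls `bb.fatal` directly and ignores the function's `may_exit` parameter, so whatever non-fatal mode `may_exit` selects for the per-key checks below it does not apply here; I cannot see how `may_exit` is consumed, but if it is meant to turn these checks into warnings the new check should go through the same mechanism. The check is also only reached when some key set is sanity-checked and is repeated for every `name`; a conflict between two distro-wide variables is better reported once, e.g. from an anonymous python function in this class at parse time, so it fires even for recipes that never sign. The rule itself is right: without it `uks_bl_sign` would run both signers on the same input.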
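Review bot: `uks_boot_sign` and `uks_bl_sign` are now two entry points with different gating and no docstring saying which one a recipe should call, and `uks_bl_sign` returns silently when neither UEFI_SELOADER nor GRUB_SIGN_VERIFY is '1', which the kernel recipes in this series do not expect (they copy `input + ext` right after calling it). A docstring on each would help: for `uks_boot_sign`, 'Sign a boot-chain binary (e.g. LockDown.efi) via boot_sign, unconditionally.', and for `uks_bl_sign`, 'Sign an image loaded by the boot loader (kernel, initramfs): via uks_sel_sign when UEFI_SELOADER is 1, via boot_sign when GRUB_SIGN_VERIFY is 1; the two are mutually exclusive (see sanity_check_user_keys). Does nothing if neither is set.' Consider also `bb.warn('%s not signed: neither UEFI_SELOADER nor GRUB_SIGN_VERIFY is set' % input)` in the fall-through case so a silently unsigned image is visible in the build log.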