meta-efi-secure-boot: check efi-secure-boot DISTRO_FEATURES
Fix the below yocto compliance issue:
INFO: ======================================================================
INFO: FAIL: test_signatures (common.CommonCheckLayer)
INFO: ----------------------------------------------------------------------
INFO: Traceback (most recent call last):
File "/build/layers/oe-core/scripts/lib/checklayer/cases/common.py", line 81, in test_signatures
self.fail('Adding layer %s changed signatures.\n%s' % (self.tc.layer['name'], msg))
AssertionError: Adding layer meta-efi-secure-boot changed signatures.
17 signatures changed, initial differences (first hash before, second after):
ovmf-native:do_configure: 98621d634860b524863c76c61a3b48d7aa4080bbe87b02a848ae6574ca349b5e -> 51b7ed0cd68914fe2a74e7db489ee0251fde1feab3ff4826e6df8a8be6f710bc
bitbake-diffsigs --task ovmf-native do_configure --signature 98621d634860b524863c76c61a3b48d7aa4080bbe87b02a848ae6574ca349b5e 51b7ed0cd68914fe2a74e7db489ee0251fde1feab3ff4826e6df8a8be6f710bc
NOTE: Starting bitbake server...
basehash changed from 8b274e0d376c63104cbbcc0004a3758f2673d9e7f959854a0ffaa82ea04a9653 to d53127a75e96264ab92cffc956f93864435d48d1a0bf22899b35f78f1daf3bb3
Variable PACKAGECONFIG value changed:
@@ -1,3 +1,3 @@
- ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'tpm', '', d)} ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'tpm', '', d)}
+ ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'tpm', '', d)} ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'tpm', '', d)} secureboot
MACHINE_FEATURES{tpm} = Unset
MACHINE_FEATURES{tpm2} = Unset
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
@@ -91,7 +91,7 @@ do_deploy() {
|
||||
}
|
||||
addtask deploy after do_install before do_build
|
||||
|
||||
RDEPENDS:${PN} += "ovmf-pkcs7-efi"
|
||||
RDEPENDS:${PN} += "${@bb.utils.contains('DISTRO_FEATURES', 'efi-secure-boot', 'ovmf-pkcs7-efi', '', d)}"
|
||||
|
||||
FILES:${PN} += "${EFI_TARGET}"
|
||||
|
||||
|
||||
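Review bot: With the new conditional `RDEPENDS:${PN}`, this recipe still builds and packages when `efi-secure-boot` is not in `DISTRO_FEATURES`, only without the `ovmf-pkcs7-efi` drivers. If this is the loader that the `# For SELoader` comment in the ovmf include refers to, and it relies on those drivers for signature verification, the result is an image that installs the loader without its verification path. Unless the recipe already does so outside this hunk, it would be safer to skip it entirely in that configuration with `inherit features_check` and `REQUIRED_DISTRO_FEATURES = "efi-secure-boot"`. Failing that, a comment on the `RDEPENDS` line should state what the loader does when the drivers are absent. The rest of the recipe is outside the hunk, so this needs confirming against the full file.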
@@ -0,0 +1,59 @@
|
||||
inherit user-key-store
|
||||
|
||||
PACKAGECONFIG:append = " secureboot"
|
||||
|
||||
# For SELoader
|
||||
do_compile:class-target:append() {
|
||||
if ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'true', 'false', d)}; then
|
||||
secbuild_dir="${S}/Build/SecurityPkg/RELEASE_${FIXED_GCCVER}"
|
||||
${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS} -p SecurityPkg/SecurityPkg.dsc
|
||||
ln ${secbuild_dir}/${OVMF_ARCH}/Hash2DxeCrypto.efi ${WORKDIR}/ovmf/
|
||||
ln ${secbuild_dir}/${OVMF_ARCH}/Pkcs7VerifyDxe.efi ${WORKDIR}/ovmf/
|
||||
fi
|
||||
}
|
||||
|
||||
EFI_TARGET = "/boot/efi/EFI/BOOT"
|
||||
|
||||
do_install:class-target:append() {
|
||||
if ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'true', 'false', d)}; then
|
||||
mkdir -p ${D}${EFI_TARGET}
|
||||
if [ x"${UEFI_SB}" = x"1" ]; then
|
||||
install ${WORKDIR}/ovmf/Hash2DxeCrypto.efi.signed ${D}${EFI_TARGET}/Hash2DxeCrypto.efi
|
||||
install ${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi.signed ${D}${EFI_TARGET}/Pkcs7VerifyDxe.efi
|
||||
else
|
||||
install ${WORKDIR}/ovmf/Hash2DxeCrypto.efi ${D}${EFI_TARGET}/Hash2DxeCrypto.efi
|
||||
install ${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi ${D}${EFI_TARGET}/Pkcs7VerifyDxe.efi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
python do_sign() {
|
||||
}
|
||||
|
||||
python do_sign:class-target() {
|
||||
sb_sign(d.expand('${WORKDIR}/ovmf/Hash2DxeCrypto.efi'), d.expand('${WORKDIR}/ovmf/Hash2DxeCrypto.efi.signed'), d)
|
||||
sb_sign(d.expand('${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi'), d.expand('${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi.signed'), d)
|
||||
}
|
||||
addtask sign after do_compile before do_install do_deploy
|
||||
|
||||
do_deploy:class-target:append() {
|
||||
if [ x"${UEFI_SB}" = x"1" ]; then
|
||||
install -d ${DEPLOYDIR}/efi-unsigned
|
||||
install ${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi "${DEPLOYDIR}/efi-unsigned/Pkcs7VerifyDxe.efi"
|
||||
install ${WORKDIR}/ovmf/Hash2DxeCrypto.efi "${DEPLOYDIR}/efi-unsigned/Hash2DxeCrypto.efi"
|
||||
install ${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi.signed "${DEPLOYDIR}/Pkcs7VerifyDxe.efi"
|
||||
install ${WORKDIR}/ovmf/Hash2DxeCrypto.efi.signed "${DEPLOYDIR}/Hash2DxeCrypto.efi"
|
||||
else
|
||||
install ${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi "${DEPLOYDIR}/Pkcs7VerifyDxe.efi"
|
||||
install ${WORKDIR}/ovmf/Hash2DxeCrypto.efi "${DEPLOYDIR}/Hash2DxeCrypto.efi"
|
||||
fi
|
||||
}
|
||||
|
||||
PACKAGES += " \
|
||||
ovmf-pkcs7-efi \
|
||||
"
|
||||
|
||||
FILES:ovmf-pkcs7-efi += " \
|
||||
${EFI_TARGET}/Hash2DxeCrypto.efi \
|
||||
${EFI_TARGET}/Pkcs7VerifyDxe.efi \
|
||||
"
|
||||
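Review bot: `do_sign:class-target` and `do_deploy:class-target:append` are not gated on `PACKAGECONFIG` the way `do_compile:class-target:append` and `do_install:class-target:append` are. If `secureboot` is ever dropped from `PACKAGECONFIG`, they will still look for `${WORKDIR}/ovmf/Hash2DxeCrypto.efi` and `Pkcs7VerifyDxe.efi`, which are only linked inside the gated compile step. Opening `do_sign:class-target` with `if not bb.utils.contains('PACKAGECONFIG', 'secureboot', True, False, d): return` and wrapping the deploy body in the same `if ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'true', 'false', d)}; then` test would keep the four tasks consistent. Separately, the `else` branches install the unsigned drivers under their final names whenever `UEFI_SB` is not `1`. Since this file now appears to be pulled in only with `efi-secure-boot` enabled, a comment saying when that path is expected, or a `bbwarn` in it, would make an unsigned image harder to ship unnoticed. The code is moved unchanged from the bbappend, so both points predate this commit.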
@@ -1,59 +1 @@
|
||||
inherit user-key-store
|
||||
|
||||
PACKAGECONFIG:append = " secureboot"
|
||||
|
||||
# For SELoader
|
||||
do_compile:class-target:append() {
|
||||
if ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'true', 'false', d)}; then
|
||||
secbuild_dir="${S}/Build/SecurityPkg/RELEASE_${FIXED_GCCVER}"
|
||||
${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS} -p SecurityPkg/SecurityPkg.dsc
|
||||
ln ${secbuild_dir}/${OVMF_ARCH}/Hash2DxeCrypto.efi ${WORKDIR}/ovmf/
|
||||
ln ${secbuild_dir}/${OVMF_ARCH}/Pkcs7VerifyDxe.efi ${WORKDIR}/ovmf/
|
||||
fi
|
||||
}
|
||||
|
||||
EFI_TARGET = "/boot/efi/EFI/BOOT"
|
||||
|
||||
do_install:class-target:append() {
|
||||
if ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'true', 'false', d)}; then
|
||||
mkdir -p ${D}${EFI_TARGET}
|
||||
if [ x"${UEFI_SB}" = x"1" ]; then
|
||||
install ${WORKDIR}/ovmf/Hash2DxeCrypto.efi.signed ${D}${EFI_TARGET}/Hash2DxeCrypto.efi
|
||||
install ${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi.signed ${D}${EFI_TARGET}/Pkcs7VerifyDxe.efi
|
||||
else
|
||||
install ${WORKDIR}/ovmf/Hash2DxeCrypto.efi ${D}${EFI_TARGET}/Hash2DxeCrypto.efi
|
||||
install ${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi ${D}${EFI_TARGET}/Pkcs7VerifyDxe.efi
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
python do_sign() {
|
||||
}
|
||||
|
||||
python do_sign:class-target() {
|
||||
sb_sign(d.expand('${WORKDIR}/ovmf/Hash2DxeCrypto.efi'), d.expand('${WORKDIR}/ovmf/Hash2DxeCrypto.efi.signed'), d)
|
||||
sb_sign(d.expand('${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi'), d.expand('${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi.signed'), d)
|
||||
}
|
||||
addtask sign after do_compile before do_install do_deploy
|
||||
|
||||
do_deploy:class-target:append() {
|
||||
if [ x"${UEFI_SB}" = x"1" ]; then
|
||||
install -d ${DEPLOYDIR}/efi-unsigned
|
||||
install ${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi "${DEPLOYDIR}/efi-unsigned/Pkcs7VerifyDxe.efi"
|
||||
install ${WORKDIR}/ovmf/Hash2DxeCrypto.efi "${DEPLOYDIR}/efi-unsigned/Hash2DxeCrypto.efi"
|
||||
install ${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi.signed "${DEPLOYDIR}/Pkcs7VerifyDxe.efi"
|
||||
install ${WORKDIR}/ovmf/Hash2DxeCrypto.efi.signed "${DEPLOYDIR}/Hash2DxeCrypto.efi"
|
||||
else
|
||||
install ${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi "${DEPLOYDIR}/Pkcs7VerifyDxe.efi"
|
||||
install ${WORKDIR}/ovmf/Hash2DxeCrypto.efi "${DEPLOYDIR}/Hash2DxeCrypto.efi"
|
||||
fi
|
||||
}
|
||||
|
||||
PACKAGES += " \
|
||||
ovmf-pkcs7-efi \
|
||||
"
|
||||
|
||||
FILES:ovmf-pkcs7-efi += " \
|
||||
${EFI_TARGET}/Hash2DxeCrypto.efi \
|
||||
${EFI_TARGET}/Pkcs7VerifyDxe.efi \
|
||||
"
|
||||
require ${@bb.utils.contains('DISTRO_FEATURES', 'efi-secure-boot', '${BPN}-efi-secure-boot.inc', '', d)}
|
||||
|
||||
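Review bot: After this change the `ovmf-pkcs7-efi` package, the `do_sign` task and `EFI_TARGET` exist only when `efi-secure-boot` is in `DISTRO_FEATURES`, because they all moved behind the conditional `require`. The commit gates the one `RDEPENDS` shown above, but any other recipe, packagegroup or image in the layer that names `ovmf-pkcs7-efi` unconditionally would now fail to resolve with the feature off, so those references (not visible here) are worth a grep. The `require` line would also benefit from a comment explaining why it is conditional, for example `# Only apply the secure-boot changes when the distro enables efi-secure-boot, so that adding this layer alone leaves ovmf task signatures unchanged (yocto-check-layer).`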