From 5a8d5924a2ca2e1876a68657026070d01d8d8152 Mon Sep 17 00:00:00 2001 From: Mingli Yu Date: Tue, 29 Nov 2022 13:05:33 +0800 Subject: [PATCH] meta-efi-secure-boot: check efi-secure-boot DISTRO_FEATURES Fix the below yocto compliance issue: INFO: ====================================================================== INFO: FAIL: test_signatures (common.CommonCheckLayer) INFO: ---------------------------------------------------------------------- INFO: Traceback (most recent call last): File "/build/layers/oe-core/scripts/lib/checklayer/cases/common.py", line 81, in test_signatures self.fail('Adding layer %s changed signatures.\n%s' % (self.tc.layer['name'], msg)) AssertionError: Adding layer meta-efi-secure-boot changed signatures. 17 signatures changed, initial differences (first hash before, second after): ovmf-native:do_configure: 98621d634860b524863c76c61a3b48d7aa4080bbe87b02a848ae6574ca349b5e -> 51b7ed0cd68914fe2a74e7db489ee0251fde1feab3ff4826e6df8a8be6f710bc bitbake-diffsigs --task ovmf-native do_configure --signature 98621d634860b524863c76c61a3b48d7aa4080bbe87b02a848ae6574ca349b5e 51b7ed0cd68914fe2a74e7db489ee0251fde1feab3ff4826e6df8a8be6f710bc NOTE: Starting bitbake server... basehash changed from 8b274e0d376c63104cbbcc0004a3758f2673d9e7f959854a0ffaa82ea04a9653 to d53127a75e96264ab92cffc956f93864435d48d1a0bf22899b35f78f1daf3bb3 Variable PACKAGECONFIG value changed: @@ -1,3 +1,3 @@ - ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'tpm', '', d)} ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'tpm', '', d)} + ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'tpm', '', d)} ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'tpm', '', d)} secureboot MACHINE_FEATURES{tpm} = Unset MACHINE_FEATURES{tpm2} = Unset 
Signed-off-by: Mingli Yu
---
.../recipes-bsp/seloader/seloader_git.bb | 2 +-
.../ovmf/ovmf-efi-secure-boot.inc | 59 ++++++++++++++++++
.../recipes-core/ovmf/ovmf_%.bbappend | 60 +------------------
3 files changed, 61 insertions(+), 60 deletions(-)
create mode 100644 meta-efi-secure-boot/recipes-core/ovmf/ovmf-efi-secure-boot.inc
diff --git a/meta-efi-secure-boot/recipes-bsp/seloader/seloader_git.bb b/meta-efi-secure-boot/recipes-bsp/seloader/seloader_git.bb
index 07fa865..7f3d3ed 100644
--- a/meta-efi-secure-boot/recipes-bsp/seloader/seloader_git.bb
+++ b/meta-efi-secure-boot/recipes-bsp/seloader/seloader_git.bb
@@ -91,7 +91,7 @@ do_deploy() {
 }
 addtask deploy after do_install before do_build
-RDEPENDS:${PN} += "ovmf-pkcs7-efi"
+RDEPENDS:${PN} += "${@bb.utils.contains('DISTRO_FEATURES', 'efi-secure-boot', 'ovmf-pkcs7-efi', '', d)}"
 FILES:${PN} += "${EFI_TARGET}"
diff --git a/meta-efi-secure-boot/recipes-core/ovmf/ovmf-efi-secure-boot.inc b/meta-efi-secure-boot/recipes-core/ovmf/ovmf-efi-secure-boot.inc
new file mode 100644
index 0000000..5d1a163
--- /dev/null
+++ b/meta-efi-secure-boot/recipes-core/ovmf/ovmf-efi-secure-boot.inc
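Review bot: The conditional RDEPENDS needs a comment, because a reader of seloader_git.bb alone cannot see why the dependency comes and goes with a distro feature — the `ovmf-pkcs7-efi` package only exists when ovmf_%.bbappend pulls in ovmf-efi-secure-boot.inc. Suggest `# ovmf-pkcs7-efi (Hash2DxeCrypto/Pkcs7VerifyDxe drivers) is only built when efi-secure-boot is in DISTRO_FEATURES; see ovmf_%.bbappend` above the assignment. Note that seloader itself is still built and deployed when the feature is off; SELoader presumably loads those two drivers at run time for signature verification, so such a build may silently produce a loader that cannot verify anything, which is worth either documenting here or handling with a `bb.parse.SkipRecipe` in an anonymous python function.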
@@ -0,0 +1,59 @@
+inherit user-key-store
+
+PACKAGECONFIG:append = " secureboot"
+
+# For SELoader
+do_compile:class-target:append() {
+ if ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'true', 'false', d)}; then
+ secbuild_dir="${S}/Build/SecurityPkg/RELEASE_${FIXED_GCCVER}"
+ ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS} -p SecurityPkg/SecurityPkg.dsc
+ ln ${secbuild_dir}/${OVMF_ARCH}/Hash2DxeCrypto.efi ${WORKDIR}/ovmf/
+ ln ${secbuild_dir}/${OVMF_ARCH}/Pkcs7VerifyDxe.efi ${WORKDIR}/ovmf/
+ fi
+}
+
+EFI_TARGET = "/boot/efi/EFI/BOOT"
+
+do_install:class-target:append() {
+ if ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'true', 'false', d)}; then
+ mkdir -p ${D}${EFI_TARGET}
+ if [ x"${UEFI_SB}" = x"1" ]; then
+ install ${WORKDIR}/ovmf/Hash2DxeCrypto.efi.signed ${D}${EFI_TARGET}/Hash2DxeCrypto.efi
+ install ${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi.signed ${D}${EFI_TARGET}/Pkcs7VerifyDxe.efi
+ else
+ install ${WORKDIR}/ovmf/Hash2DxeCrypto.efi ${D}${EFI_TARGET}/Hash2DxeCrypto.efi
+ install ${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi ${D}${EFI_TARGET}/Pkcs7VerifyDxe.efi
+ fi
+ fi
+}
+
+python do_sign() {
+}
+
+python do_sign:class-target() {
+ sb_sign(d.expand('${WORKDIR}/ovmf/Hash2DxeCrypto.efi'), d.expand('${WORKDIR}/ovmf/Hash2DxeCrypto.efi.signed'), d)
+ sb_sign(d.expand('${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi'), d.expand('${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi.signed'), d)
+}
+addtask sign after do_compile before do_install do_deploy
+
+do_deploy:class-target:append() {
+ if [ x"${UEFI_SB}" = x"1" ]; then
+ install -d ${DEPLOYDIR}/efi-unsigned
+ install ${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi "${DEPLOYDIR}/efi-unsigned/Pkcs7VerifyDxe.efi"
+ install ${WORKDIR}/ovmf/Hash2DxeCrypto.efi "${DEPLOYDIR}/efi-unsigned/Hash2DxeCrypto.efi"
+ install ${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi.signed "${DEPLOYDIR}/Pkcs7VerifyDxe.efi"
+ install ${WORKDIR}/ovmf/Hash2DxeCrypto.efi.signed "${DEPLOYDIR}/Hash2DxeCrypto.efi"
+ else
+ install ${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi "${DEPLOYDIR}/Pkcs7VerifyDxe.efi"
+ install ${WORKDIR}/ovmf/Hash2DxeCrypto.efi "${DEPLOYDIR}/Hash2DxeCrypto.efi"
+ fi
+}
+
+PACKAGES += " \
+ ovmf-pkcs7-efi \
+"
+
+FILES:ovmf-pkcs7-efi += " \
+ ${EFI_TARGET}/Hash2DxeCrypto.efi \
+ ${EFI_TARGET}/Pkcs7VerifyDxe.efi \
+"
diff --git a/meta-efi-secure-boot/recipes-core/ovmf/ovmf_%.bbappend b/meta-efi-secure-boot/recipes-core/ovmf/ovmf_%.bbappend
index 5d1a163..eed44f9 100644
--- a/meta-efi-secure-boot/recipes-core/ovmf/ovmf_%.bbappend
+++ b/meta-efi-secure-boot/recipes-core/ovmf/ovmf_%.bbappend
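Review bot: `do_sign:class-target` and `do_deploy:class-target:append` do not test the `secureboot` PACKAGECONFIG flag that `do_compile` and `do_install` check, so if `secureboot` is dropped from PACKAGECONFIG (e.g. via `PACKAGECONFIG:remove`) the two drivers are never linked into `${WORKDIR}/ovmf/`, yet `sb_sign` and the `install` calls still run on them and the build fails where the other tasks simply skip. Guard the python task with `if bb.utils.contains('PACKAGECONFIG', 'secureboot', True, False, d):` around the two `sb_sign` calls, and wrap the `do_deploy` body in the same `if ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'true', 'false', d)}; then … fi` that `do_install` uses. Since this file appends `secureboot` unconditionally the gap only bites on an override, but keeping all four tasks on one guard removes the trap. A header comment stating that the file is only `require`d when `efi-secure-boot` is in DISTRO_FEATURES, and that unsigned drivers are installed into `${EFI_TARGET}` unless `UEFI_SB = "1"`, would also help the next reader.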
@@ -1,59 +1 @@
-inherit user-key-store
-
-PACKAGECONFIG:append = " secureboot"
-
-# For SELoader
-do_compile:class-target:append() {
- if ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'true', 'false', d)}; then
- secbuild_dir="${S}/Build/SecurityPkg/RELEASE_${FIXED_GCCVER}"
- ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS} -p SecurityPkg/SecurityPkg.dsc
- ln ${secbuild_dir}/${OVMF_ARCH}/Hash2DxeCrypto.efi ${WORKDIR}/ovmf/
- ln ${secbuild_dir}/${OVMF_ARCH}/Pkcs7VerifyDxe.efi ${WORKDIR}/ovmf/
- fi
-}
-
-EFI_TARGET = "/boot/efi/EFI/BOOT"
-
-do_install:class-target:append() {
- if ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'true', 'false', d)}; then
- mkdir -p ${D}${EFI_TARGET}
- if [ x"${UEFI_SB}" = x"1" ]; then
- install ${WORKDIR}/ovmf/Hash2DxeCrypto.efi.signed ${D}${EFI_TARGET}/Hash2DxeCrypto.efi
- install ${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi.signed ${D}${EFI_TARGET}/Pkcs7VerifyDxe.efi
- else
- install ${WORKDIR}/ovmf/Hash2DxeCrypto.efi ${D}${EFI_TARGET}/Hash2DxeCrypto.efi
- install ${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi ${D}${EFI_TARGET}/Pkcs7VerifyDxe.efi
- fi
- fi
-}
-
-python do_sign() {
-}
-
-python do_sign:class-target() {
- sb_sign(d.expand('${WORKDIR}/ovmf/Hash2DxeCrypto.efi'), d.expand('${WORKDIR}/ovmf/Hash2DxeCrypto.efi.signed'), d)
- sb_sign(d.expand('${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi'), d.expand('${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi.signed'), d)
-}
-addtask sign after do_compile before do_install do_deploy
-
-do_deploy:class-target:append() {
- if [ x"${UEFI_SB}" = x"1" ]; then
- install -d ${DEPLOYDIR}/efi-unsigned
- install ${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi "${DEPLOYDIR}/efi-unsigned/Pkcs7VerifyDxe.efi"
- install ${WORKDIR}/ovmf/Hash2DxeCrypto.efi "${DEPLOYDIR}/efi-unsigned/Hash2DxeCrypto.efi"
- install ${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi.signed "${DEPLOYDIR}/Pkcs7VerifyDxe.efi"
- install ${WORKDIR}/ovmf/Hash2DxeCrypto.efi.signed "${DEPLOYDIR}/Hash2DxeCrypto.efi"
- else
- install ${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi "${DEPLOYDIR}/Pkcs7VerifyDxe.efi"
- install ${WORKDIR}/ovmf/Hash2DxeCrypto.efi "${DEPLOYDIR}/Hash2DxeCrypto.efi"
- fi
-}
-
-PACKAGES += " \
- ovmf-pkcs7-efi \
-"
-
-FILES:ovmf-pkcs7-efi += " \
- ${EFI_TARGET}/Hash2DxeCrypto.efi \
- ${EFI_TARGET}/Pkcs7VerifyDxe.efi \
-"
+require ${@bb.utils.contains('DISTRO_FEATURES', 'efi-secure-boot', '${BPN}-efi-secure-boot.inc', '', d)}
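Review bot: The single conditional `require` leaves no trace in ovmf_%.bbappend of what it brings in, so a comment above it would help the next reader: `# Secure Boot support (PACKAGECONFIG secureboot, do_sign, the ovmf-pkcs7-efi package) lives in ovmf-efi-secure-boot.inc and is only pulled in when the distro enables efi-secure-boot, so this layer leaves ovmf's task signatures untouched otherwise (yocto-check-layer).` When the feature is absent the directive expands to `require` with an empty path; that is the idiom other layers use for feature-gated includes and BitBake appears to treat it as a no-op, but it should stay `require` rather than `include` so that a mistyped `${BPN}-efi-secure-boot.inc` is a parse error instead of being silently skipped.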