meta-signing-key: When deploying keys UEFI keys, deploy DER format

Generally speaking, for firmware to import PK/KEK/DB keys they need to be in the binary "DER" format and typically have the "cer" file extension. When deploying our keys, convert what we have to that format and deploy as well for ease of use. Signed-off-by: Tom Rini <trini@konsulko.com>
2026-01-12 09:10:12 +00:00 · 2018-10-25 10:37:34 -04:00
parent bd155539ec
commit 92316d4b40
1 changed files with 4 additions and 0 deletions
--- a/meta-signing-key/classes/user-key-store.bbclass
+++ b/meta-signing-key/classes/user-key-store.bbclass
@@ -336,6 +336,10 @@ deploy_uefi_sb_keys() {
        install -d "$deploy_dir"

        cp -af "${UEFI_SB_KEYS_DIR}"/* "$deploy_dir"
+        for KEY in DB KEK PK; do
+             openssl x509 -in "${UEFI_SB_KEYS_DIR}"/${KEY}.crt \
+                 -out "$deploy_dir"/${KEY}.cer -outform DER;
+        done
    fi
 }