mirror of
https://github.com/jiazhang0/meta-secure-core.git
synced 2026-07-16 20:56:58 +00:00
@@ -1,13 +1,15 @@
|
|||||||
DESCRIPTION = "EFI Secure Boot packages for secure-environment."
|
DESCRIPTION = "EFI Secure Boot packages for secure-environment."
|
||||||
LICENSE = "MIT"
|
LICENSE = "MIT"
|
||||||
LIC_FILES_CHKSUM = "file://${COREBASE}/LICENSE;md5=4d92cd373abda3937c2bc47fbc49d690 \
|
LIC_FILES_CHKSUM = "\
|
||||||
file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
|
file://${COREBASE}/LICENSE;md5=4d92cd373abda3937c2bc47fbc49d690 \
|
||||||
|
file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420 \
|
||||||
|
"
|
||||||
|
|
||||||
S = "${WORKDIR}"
|
S = "${WORKDIR}"
|
||||||
|
|
||||||
ALLOW_EMPTY_${PN} = "1"
|
ALLOW_EMPTY_${PN} = "1"
|
||||||
|
|
||||||
pkgs = " \
|
pkgs = "\
|
||||||
grub-efi \
|
grub-efi \
|
||||||
efitools \
|
efitools \
|
||||||
efibootmgr \
|
efibootmgr \
|
||||||
@@ -19,7 +21,7 @@ pkgs = " \
|
|||||||
RDEPENDS_${PN}_x86 = "${pkgs}"
|
RDEPENDS_${PN}_x86 = "${pkgs}"
|
||||||
RDEPENDS_${PN}_x86-64 = "${pkgs}"
|
RDEPENDS_${PN}_x86-64 = "${pkgs}"
|
||||||
|
|
||||||
kmods = " \
|
kmods = "\
|
||||||
kernel-module-efivarfs \
|
kernel-module-efivarfs \
|
||||||
kernel-module-efivars \
|
kernel-module-efivars \
|
||||||
"
|
"
|
||||||
|
|||||||
@@ -4,7 +4,7 @@ inherit native
|
|||||||
|
|
||||||
DEPENDS_append = " gnu-efi-native"
|
DEPENDS_append = " gnu-efi-native"
|
||||||
|
|
||||||
EXTRA_OEMAKE_append = " \
|
EXTRA_OEMAKE_append = "\
|
||||||
INCDIR_PREFIX='${STAGING_DIR_NATIVE}' \
|
INCDIR_PREFIX='${STAGING_DIR_NATIVE}' \
|
||||||
CRTPATH_PREFIX='${STAGING_DIR_NATIVE}' \
|
CRTPATH_PREFIX='${STAGING_DIR_NATIVE}' \
|
||||||
EXTRA_LDFLAGS='-Wl,-rpath,${libdir}' \
|
EXTRA_LDFLAGS='-Wl,-rpath,${libdir}' \
|
||||||
|
|||||||
@@ -10,7 +10,7 @@ in the Linux 3.8 kernel. \
|
|||||||
LICENSE = "GPLv2"
|
LICENSE = "GPLv2"
|
||||||
LIC_FILES_CHKSUM = "file://COPYING;md5=e28f66b16cb46be47b20a4cdfe6e99a1"
|
LIC_FILES_CHKSUM = "file://COPYING;md5=e28f66b16cb46be47b20a4cdfe6e99a1"
|
||||||
|
|
||||||
SRC_URI = " \
|
SRC_URI = "\
|
||||||
git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git \
|
git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git \
|
||||||
file://Fix-for-the-cross-compilation.patch \
|
file://Fix-for-the-cross-compilation.patch \
|
||||||
file://Kill-all-the-build-warning-caused-by-implicit-declar.patch \
|
file://Kill-all-the-build-warning-caused-by-implicit-declar.patch \
|
||||||
@@ -37,7 +37,7 @@ DEPENDS_append += "\
|
|||||||
|
|
||||||
S = "${WORKDIR}/git"
|
S = "${WORKDIR}/git"
|
||||||
|
|
||||||
EXTRA_OEMAKE = " \
|
EXTRA_OEMAKE = "\
|
||||||
HELP2MAN='${STAGING_BINDIR_NATIVE}/help2man' \
|
HELP2MAN='${STAGING_BINDIR_NATIVE}/help2man' \
|
||||||
OPENSSL='${STAGING_BINDIR_NATIVE}/openssl' \
|
OPENSSL='${STAGING_BINDIR_NATIVE}/openssl' \
|
||||||
SBSIGN='${STAGING_BINDIR_NATIVE}/sbsign' \
|
SBSIGN='${STAGING_BINDIR_NATIVE}/sbsign' \
|
||||||
|
|||||||
@@ -1,6 +1,6 @@
|
|||||||
require efitools.inc
|
require efitools.inc
|
||||||
|
|
||||||
SRC_URI_append += " \
|
SRC_URI_append += "\
|
||||||
file://LockDown-enable-the-enrollment-for-DBX.patch \
|
file://LockDown-enable-the-enrollment-for-DBX.patch \
|
||||||
file://LockDown-show-the-error-message-with-3-sec-timeout.patch \
|
file://LockDown-show-the-error-message-with-3-sec-timeout.patch \
|
||||||
file://Makefile-do-not-build-signed-efi-image.patch \
|
file://Makefile-do-not-build-signed-efi-image.patch \
|
||||||
@@ -16,11 +16,11 @@ inherit user-key-store deploy
|
|||||||
# The generated native binaries are used during native and target build
|
# The generated native binaries are used during native and target build
|
||||||
DEPENDS += "${BPN}-native gnu-efi openssl"
|
DEPENDS += "${BPN}-native gnu-efi openssl"
|
||||||
|
|
||||||
RDEPENDS_${PN}_append += " \
|
RDEPENDS_${PN}_append += "\
|
||||||
parted mtools coreutils util-linux openssl libcrypto \
|
parted mtools coreutils util-linux openssl libcrypto \
|
||||||
"
|
"
|
||||||
|
|
||||||
EXTRA_OEMAKE_append += " \
|
EXTRA_OEMAKE_append += "\
|
||||||
INCDIR_PREFIX='${STAGING_DIR_TARGET}' \
|
INCDIR_PREFIX='${STAGING_DIR_TARGET}' \
|
||||||
CRTPATH_PREFIX='${STAGING_DIR_TARGET}' \
|
CRTPATH_PREFIX='${STAGING_DIR_TARGET}' \
|
||||||
SIGN_EFI_SIG_LIST='${STAGING_BINDIR_NATIVE}/sign-efi-sig-list' \
|
SIGN_EFI_SIG_LIST='${STAGING_BINDIR_NATIVE}/sign-efi-sig-list' \
|
||||||
|
|||||||
@@ -1,10 +1,10 @@
|
|||||||
FILESEXTRAPATHS_prepend := "${THISDIR}/grub-efi:"
|
FILESEXTRAPATHS_prepend := "${THISDIR}/grub-efi:"
|
||||||
|
|
||||||
EXTRA_SRC_URI = " \
|
EXTRA_SRC_URI = "\
|
||||||
${@'file://efi-secure-boot.inc file://password.inc' if d.getVar('UEFI_SB', True) == '1' else ''} \
|
${@'file://efi-secure-boot.inc file://password.inc' if d.getVar('UEFI_SB', True) == '1' else ''} \
|
||||||
"
|
"
|
||||||
|
|
||||||
SRC_URI += " \
|
SRC_URI += "\
|
||||||
file://0001-pe32.h-add-header-structures-for-TE-and-DOS-executab.patch \
|
file://0001-pe32.h-add-header-structures-for-TE-and-DOS-executab.patch \
|
||||||
file://0002-shim-add-needed-data-structures.patch \
|
file://0002-shim-add-needed-data-structures.patch \
|
||||||
file://0003-efi-chainloader-implement-an-UEFI-Exit-service-for-s.patch \
|
file://0003-efi-chainloader-implement-an-UEFI-Exit-service-for-s.patch \
|
||||||
@@ -27,7 +27,7 @@ SRC_URI += " \
|
|||||||
|
|
||||||
EFI_BOOT_PATH = "/boot/efi/EFI/BOOT"
|
EFI_BOOT_PATH = "/boot/efi/EFI/BOOT"
|
||||||
|
|
||||||
#GRUB_BUILDIN_append = " chain ${@'efivar mok2verify password_pbkdf2' if d.getVar('UEFI_SB', True) == '1' else ''}"
|
# TODO: re-add mok2verify when refreshed
|
||||||
GRUB_BUILDIN_append += " chain ${@'efivar password_pbkdf2' if d.getVar('UEFI_SB', True) == '1' else ''}"
|
GRUB_BUILDIN_append += " chain ${@'efivar password_pbkdf2' if d.getVar('UEFI_SB', True) == '1' else ''}"
|
||||||
|
|
||||||
# For efi_call_foo and efi_shim_exit
|
# For efi_call_foo and efi_shim_exit
|
||||||
|
|||||||
@@ -19,7 +19,7 @@ SECTION = "bootloaders"
|
|||||||
LICENSE = "BSD-3-Clause"
|
LICENSE = "BSD-3-Clause"
|
||||||
LIC_FILES_CHKSUM = "file://LICENSE;md5=d9bf404642f21afb4ad89f95d7bc91ee"
|
LIC_FILES_CHKSUM = "file://LICENSE;md5=d9bf404642f21afb4ad89f95d7bc91ee"
|
||||||
PR = "r0"
|
PR = "r0"
|
||||||
SRC_URI = " \
|
SRC_URI = "\
|
||||||
git://github.com/jiazhang0/SELoader.git \
|
git://github.com/jiazhang0/SELoader.git \
|
||||||
"
|
"
|
||||||
SRCREV = "32e3292c33603f319354aac273938fe63897a8da"
|
SRCREV = "32e3292c33603f319354aac273938fe63897a8da"
|
||||||
@@ -30,14 +30,14 @@ COMPATIBLE_HOST = '(i.86|x86_64).*-linux'
|
|||||||
inherit deploy user-key-store
|
inherit deploy user-key-store
|
||||||
|
|
||||||
S = "${WORKDIR}/git"
|
S = "${WORKDIR}/git"
|
||||||
DEPENDS += " \
|
DEPENDS += "\
|
||||||
gnu-efi sbsigntool-native \
|
gnu-efi sbsigntool-native \
|
||||||
"
|
"
|
||||||
|
|
||||||
EFI_ARCH_x86 = "ia32"
|
EFI_ARCH_x86 = "ia32"
|
||||||
EFI_ARCH_x86-64 = "x64"
|
EFI_ARCH_x86-64 = "x64"
|
||||||
|
|
||||||
EXTRA_OEMAKE = " \
|
EXTRA_OEMAKE = "\
|
||||||
CROSS_COMPILE="${TARGET_PREFIX}" \
|
CROSS_COMPILE="${TARGET_PREFIX}" \
|
||||||
SBSIGN=${STAGING_BINDIR_NATIVE}/sbsign \
|
SBSIGN=${STAGING_BINDIR_NATIVE}/sbsign \
|
||||||
gnuefi_libdir=${STAGING_LIBDIR} \
|
gnuefi_libdir=${STAGING_LIBDIR} \
|
||||||
@@ -50,9 +50,12 @@ EFI_TARGET = "/boot/efi/EFI/BOOT"
|
|||||||
FILES_${PN} += "${EFI_TARGET}"
|
FILES_${PN} += "${EFI_TARGET}"
|
||||||
|
|
||||||
python do_sign() {
|
python do_sign() {
|
||||||
sb_sign(d.expand('${B}/Src/Efi/SELoader.efi'), d.expand('${B}/Src/Efi/SELoader.efi.signed'), d)
|
sb_sign(d.expand('${B}/Src/Efi/SELoader.efi'), \
|
||||||
sb_sign(d.expand('${B}/Bin/Hash2DxeCrypto.efi'), d.expand('${B}/Bin/Hash2DxeCrypto.efi.signed'), d)
|
d.expand('${B}/Src/Efi/SELoader.efi.signed'), d)
|
||||||
sb_sign(d.expand('${B}/Bin/Pkcs7VerifyDxe.efi'), d.expand('${B}/Bin/Pkcs7VerifyDxe.efi.signed'), d)
|
sb_sign(d.expand('${B}/Bin/Hash2DxeCrypto.efi'), \
|
||||||
|
d.expand('${B}/Bin/Hash2DxeCrypto.efi.signed'), d)
|
||||||
|
sb_sign(d.expand('${B}/Bin/Pkcs7VerifyDxe.efi'), \
|
||||||
|
d.expand('${B}/Bin/Pkcs7VerifyDxe.efi.signed'), d)
|
||||||
}
|
}
|
||||||
addtask sign after do_compile before do_install
|
addtask sign after do_compile before do_install
|
||||||
|
|
||||||
@@ -63,20 +66,20 @@ do_install() {
|
|||||||
|
|
||||||
if [ x"${UEFI_SB}" = x"1" ]; then
|
if [ x"${UEFI_SB}" = x"1" ]; then
|
||||||
if [ x"${MOK_SB}" != x"1" ]; then
|
if [ x"${MOK_SB}" != x"1" ]; then
|
||||||
mv ${D}${EFI_TARGET}/SELoader${EFI_ARCH}.efi \
|
mv "${D}${EFI_TARGET}/SELoader${EFI_ARCH}.efi" \
|
||||||
${D}${EFI_TARGET}/boot${EFI_ARCH}.efi
|
"${D}${EFI_TARGET}/boot${EFI_ARCH}.efi"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
do_deploy() {
|
do_deploy() {
|
||||||
# Deploy the unsigned images for manual signing
|
# Deploy the unsigned images for manual signing
|
||||||
install -d ${DEPLOYDIR}/efi-unsigned
|
install -d "${DEPLOYDIR}/efi-unsigned"
|
||||||
|
|
||||||
install -m 0600 ${B}/Src/Efi/SELoader.efi \
|
install -m 0600 "${B}/Src/Efi/SELoader.efi" \
|
||||||
${DEPLOYDIR}/efi-unsigned/SELoader${EFI_ARCH}.efi
|
"${DEPLOYDIR}/efi-unsigned/SELoader${EFI_ARCH}.efi"
|
||||||
install -m 0600 ${B}/Bin/Hash2DxeCrypto.efi ${DEPLOYDIR}/efi-unsigned/
|
install -m 0600 "${B}/Bin/Hash2DxeCrypto.efi" "${DEPLOYDIR}/efi-unsigned"
|
||||||
install -m 0600 ${B}/Bin/Pkcs7VerifyDxe.efi ${DEPLOYDIR}/efi-unsigned/
|
install -m 0600 "${B}/Bin/Pkcs7VerifyDxe.efi" "${DEPLOYDIR}/efi-unsigned"
|
||||||
|
|
||||||
# Deploy the signed images
|
# Deploy the signed images
|
||||||
if [ x"${UEFI_SB}" = x"1" -a x"${MOK_SB}" != x"1" ]; then
|
if [ x"${UEFI_SB}" = x"1" -a x"${MOK_SB}" != x"1" ]; then
|
||||||
@@ -84,11 +87,11 @@ do_deploy() {
|
|||||||
else
|
else
|
||||||
SEL_NAME=SELoader
|
SEL_NAME=SELoader
|
||||||
fi
|
fi
|
||||||
install -m 0600 ${D}${EFI_TARGET}/${SEL_NAME}${EFI_ARCH}.efi \
|
install -m 0600 "${D}${EFI_TARGET}/${SEL_NAME}${EFI_ARCH}.efi" \
|
||||||
${DEPLOYDIR}/${SEL_NAME}${EFI_ARCH}.efi
|
"${DEPLOYDIR}/${SEL_NAME}${EFI_ARCH}.efi"
|
||||||
install -m 0600 ${D}${EFI_TARGET}/Hash2DxeCrypto.efi \
|
install -m 0600 "${D}${EFI_TARGET}/Hash2DxeCrypto.efi" \
|
||||||
${DEPLOYDIR}/Hash2DxeCrypto.efi
|
"${DEPLOYDIR}/Hash2DxeCrypto.efi"
|
||||||
install -m 0600 ${D}${EFI_TARGET}/Pkcs7VerifyDxe.efi \
|
install -m 0600 "${D}${EFI_TARGET}/Pkcs7VerifyDxe.efi" \
|
||||||
${DEPLOYDIR}/Pkcs7VerifyDxe.efi
|
"${DEPLOYDIR}/Pkcs7VerifyDxe.efi"
|
||||||
}
|
}
|
||||||
addtask deploy after do_install before do_build
|
addtask deploy after do_install before do_build
|
||||||
|
|||||||
@@ -17,7 +17,7 @@ COMPATIBLE_HOST = '(i.86|x86_64).*-linux'
|
|||||||
|
|
||||||
inherit deploy user-key-store
|
inherit deploy user-key-store
|
||||||
|
|
||||||
SRC_URI = " \
|
SRC_URI = "\
|
||||||
git://github.com/rhinstaller/shim.git \
|
git://github.com/rhinstaller/shim.git \
|
||||||
file://0001-shim-allow-to-verify-sha1-digest-for-Authenticode.patch \
|
file://0001-shim-allow-to-verify-sha1-digest-for-Authenticode.patch \
|
||||||
file://0005-Fix-signing-failure-due-to-not-finding-certificate.patch;apply=0 \
|
file://0005-Fix-signing-failure-due-to-not-finding-certificate.patch;apply=0 \
|
||||||
@@ -28,7 +28,7 @@ SRC_URI = " \
|
|||||||
file://0011-Update-verification_method-if-the-loaded-image-is-si.patch;apply=0 \
|
file://0011-Update-verification_method-if-the-loaded-image-is-si.patch;apply=0 \
|
||||||
file://0012-netboot-replace-the-depreciated-EFI_PXE_BASE_CODE.patch \
|
file://0012-netboot-replace-the-depreciated-EFI_PXE_BASE_CODE.patch \
|
||||||
"
|
"
|
||||||
SRC_URI_append_x86-64 = " \
|
SRC_URI_append_x86-64 = "\
|
||||||
${@bb.utils.contains('DISTRO_FEATURES', 'msft', 'file://shim${EFI_ARCH}.efi.signed file://LICENSE' if uks_signing_model(d) == 'sample' else '', '', d)} \
|
${@bb.utils.contains('DISTRO_FEATURES', 'msft', 'file://shim${EFI_ARCH}.efi.signed file://LICENSE' if uks_signing_model(d) == 'sample' else '', '', d)} \
|
||||||
"
|
"
|
||||||
|
|
||||||
@@ -43,7 +43,7 @@ DEPENDS += "\
|
|||||||
EFI_ARCH_x86 = "ia32"
|
EFI_ARCH_x86 = "ia32"
|
||||||
EFI_ARCH_x86-64 = "x64"
|
EFI_ARCH_x86-64 = "x64"
|
||||||
|
|
||||||
EXTRA_OEMAKE = " \
|
EXTRA_OEMAKE = "\
|
||||||
CROSS_COMPILE="${TARGET_PREFIX}" \
|
CROSS_COMPILE="${TARGET_PREFIX}" \
|
||||||
LIB_GCC="`${CC} -print-libgcc-file-name`" \
|
LIB_GCC="`${CC} -print-libgcc-file-name`" \
|
||||||
LIB_PATH="${STAGING_LIBDIR}" \
|
LIB_PATH="${STAGING_LIBDIR}" \
|
||||||
|
|||||||
@@ -1,7 +1,9 @@
|
|||||||
DEPENDS += " \
|
DEPENDS += "\
|
||||||
${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'gnu-efi', '', d)} \
|
${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'gnu-efi', '', d)} \
|
||||||
"
|
"
|
||||||
|
|
||||||
EXTRA_OECONF += " \
|
EXTRA_OECONF += "\
|
||||||
${@bb.utils.contains('MACHINE_FEATURES', 'efi', '--enable-efi --enable-gnuefi --with-efi-libdir=${STAGING_LIBDIR} --with-efi-ldsdir=${STAGING_LIBDIR} --with-efi-includedir=${STAGING_INCDIR}', '', d)} \
|
${@bb.utils.contains('MACHINE_FEATURES', 'efi', \
|
||||||
|
'--enable-efi --enable-gnuefi --with-efi-libdir=${STAGING_LIBDIR} --with-efi-ldsdir=${STAGING_LIBDIR} --with-efi-includedir=${STAGING_INCDIR}', \
|
||||||
|
'', d)} \
|
||||||
"
|
"
|
||||||
|
|||||||
@@ -1,6 +1,6 @@
|
|||||||
FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto:"
|
FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto:"
|
||||||
|
|
||||||
efi_secure_boot_sccs = " \
|
efi_secure_boot_sccs = "\
|
||||||
${@bb.utils.contains('DISTRO_FEATURES', 'efi-secure-boot', \
|
${@bb.utils.contains('DISTRO_FEATURES', 'efi-secure-boot', \
|
||||||
'cfg/efi-ext.scc', '', d)} \
|
'cfg/efi-ext.scc', '', d)} \
|
||||||
"
|
"
|
||||||
|
|||||||
@@ -6,13 +6,15 @@ DEPENDS += "${@'key-store openssl-native' if d.getVar('IMA_ENABLED', True) == '1
|
|||||||
# key-store-ima-cert is required in runtime but we hope it is available
|
# key-store-ima-cert is required in runtime but we hope it is available
|
||||||
# in initramfs only. So we don't add it to RDEPENDS_${PN} here.
|
# in initramfs only. So we don't add it to RDEPENDS_${PN} here.
|
||||||
|
|
||||||
SRC_URI += " \
|
SRC_URI += "\
|
||||||
${@'file://ima.scc file://ima.cfg file://integrity.scc file://integrity.cfg' if d.getVar('IMA_ENABLED', True) == '1' else ''} \
|
${@'file://ima.scc file://ima.cfg file://integrity.scc file://integrity.cfg' if d.getVar('IMA_ENABLED', True) == '1' else ''} \
|
||||||
"
|
"
|
||||||
|
|
||||||
do_configure_append() {
|
do_configure_append() {
|
||||||
[ -f "${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.pem" ] &&
|
if [ -f "${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.pem" ]; then
|
||||||
openssl x509 -in "${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.pem" \
|
openssl x509 -in "${STAGING_DIR_TARGET}${sysconfdir}/keys/system_trusted_key.pem" \
|
||||||
-outform DER -out "${B}/system_trusted_cert.x509" ||
|
-outform DER -out "${B}/system_trusted_cert.x509"
|
||||||
|
else
|
||||||
true
|
true
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user