mirror of
https://github.com/jiazhang0/meta-secure-core.git
synced 2026-07-17 13:17:00 +00:00
4042043742
Converting the metadata to use ":" as the override character instead of "_". Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
88 lines
3.0 KiB
BlitzBasic
88 lines
3.0 KiB
BlitzBasic
require efitools.inc
|
|
|
|
# The generated native binaries are used during native and target build
|
|
DEPENDS += "${BPN}-native gnu-efi openssl"
|
|
|
|
SRC_URI:append = " \
|
|
file://LockDown-enable-the-enrollment-for-DBX.patch \
|
|
file://LockDown-show-the-error-message-with-3-sec-timeout.patch \
|
|
file://Makefile-do-not-build-signed-efi-image.patch \
|
|
file://Build-DBX-by-default.patch \
|
|
file://LockDown-disable-the-entrance-into-BIOS-setup-to-re-.patch \
|
|
file://Fix-help2man-error.patch \
|
|
"
|
|
|
|
COMPATIBLE_HOST = '(i.86|x86_64).*-linux'
|
|
|
|
inherit user-key-store deploy
|
|
|
|
EXTRA_OEMAKE:append = " \
|
|
INCDIR_PREFIX='${STAGING_DIR_TARGET}' \
|
|
CRTPATH_PREFIX='${STAGING_DIR_TARGET}' \
|
|
SIGN_EFI_SIG_LIST='${STAGING_BINDIR_NATIVE}/sign-efi-sig-list' \
|
|
CERT_TO_EFI_SIG_LIST='${STAGING_BINDIR_NATIVE}/cert-to-efi-sig-list' \
|
|
CERT_TO_EFI_HASH_LIST='${STAGING_BINDIR_NATIVE}/cert-to-efi-hash-list' \
|
|
HASH_TO_EFI_SIG_LIST='${STAGING_BINDIR_NATIVE}/hash-to-efi-sig-list' \
|
|
MYGUID='${UEFI_SIG_OWNER_GUID}' \
|
|
HELP2MAN_PROG_PREFIX='${STAGING_BINDIR_NATIVE}' \
|
|
"
|
|
|
|
python do_prepare_signing_keys() {
|
|
if d.expand('${UEFI_SB}') != '1':
|
|
return
|
|
|
|
# Prepare PK, KEK and DB for LockDown.efi.
|
|
if uks_signing_model(d) in ('sample', 'user'):
|
|
dir = uefi_sb_keys_dir(d)
|
|
else:
|
|
dir = d.expand('${SAMPLE_UEFI_SB_KEYS_DIR}/')
|
|
|
|
import shutil
|
|
|
|
for _ in ('PK', 'KEK', 'DB'):
|
|
shutil.copyfile(dir + _ + '.crt', d.expand('${S}/') + _ + '.crt')
|
|
shutil.copyfile(dir + _ + '.key', d.expand('${S}/') + _ + '.key')
|
|
|
|
# Make sure LockDown.efi contains the DB and KEK from Microsoft.
|
|
if "${@bb.utils.contains('DISTRO_FEATURES', 'msft', '1', '0', d)}" == '1':
|
|
shutil.copyfile(d.expand('${MSFT_DB_CERT}'), d.expand('${S}/DB.crt'))
|
|
shutil.copyfile(d.expand('${MSFT_KEK_CERT}'), d.expand('${S}/KEK.crt'))
|
|
|
|
path = create_uefi_dbx(d)
|
|
if path:
|
|
with open(d.expand('${S}/DBX.crt'), 'w') as f:
|
|
pass
|
|
|
|
shutil.copyfile(path, d.expand('${S}/DBX.esl'))
|
|
|
|
# Cheat the Makefile to avoid running this rule:
|
|
# %.esl: %.crt cert-to-efi-sig-list
|
|
# $(CERT_TO_EFI_SIG_LIST) -g $(MYGUID) $< $@
|
|
import time, os
|
|
tm = time.strptime('2038-01-01 00:00:00', \
|
|
'%Y-%m-%d %H:%M:%S')
|
|
time_stamp = time.mktime(tm)
|
|
os.utime(d.expand('${S}/DBX.esl'), (time_stamp, time_stamp))
|
|
}
|
|
addtask prepare_signing_keys after do_configure before do_compile
|
|
do_prepare_signing_keys[prefuncs] += "check_deploy_keys"
|
|
|
|
do_install:append() {
|
|
install -d ${D}${EFI_BOOT_PATH}
|
|
install -m 0755 ${D}${datadir}/efitools/efi/LockDown.efi ${D}${EFI_BOOT_PATH}
|
|
}
|
|
|
|
do_deploy() {
|
|
install -d ${DEPLOYDIR}
|
|
|
|
install -m 0600 ${D}${EFI_BOOT_PATH}/LockDown.efi "${DEPLOYDIR}"
|
|
if [ -e ${D}${EFI_BOOT_PATH}/LockDown.efi.sig ] ; then
|
|
install -m 0600 ${D}${EFI_BOOT_PATH}/LockDown.efi.sig "${DEPLOYDIR}"
|
|
fi
|
|
}
|
|
addtask deploy after do_install before do_build
|
|
|
|
RDEPENDS:${PN}:append = " \
|
|
parted mtools coreutils util-linux openssl libcrypto \
|
|
"
|