mirror of
https://github.com/jiazhang0/meta-secure-core.git
synced 2026-07-16 20:56:58 +00:00
6274757665
In order to deploy our secure boot keys in DER format we need to use
openssl. This must be listed in our DEPENDS line in order for the
sysroot to be populated correctly when we run do_sign. Also drop the
explicit fakeroot on our empty grub-efi do_sign as we may not have
globally populated virtual/fakeroot-native at that point in time.
Fixes: 92316d4b40 ("meta-signing-key: When deploying keys UEFI keys, deploy DER format")
Signed-off-by: Tom Rini <trini@konsulko.com>
106 lines
3.5 KiB
BlitzBasic
106 lines
3.5 KiB
BlitzBasic
SUMMARY = "The bootloader capable of authenticating the PE and non-PE files."
|
|
DESCRIPTION = "The SELoader is designed to authenticate the non-PE files, \
|
|
such as grub configuration, initrd, grub modules, which cannot be verified \
|
|
by the MOK Verify Protocol registered by shim loader. \
|
|
\
|
|
In order to conveniently authenticate the PE file with gBS->LoadImage() \
|
|
and gBS->StartImage(), the SELoader hooks EFI Security2 Architectural \
|
|
Protocol and employs MOK Verify Protocol to verify the PE file. If only \
|
|
UEFI Secure Boot is enabled, the SELoader just simplily calls \
|
|
gBS->LoadImage() and gBS->StartImage() to allow BIOS to verify PE file. \
|
|
\
|
|
The SELoader publishes MOK2 Verify Protocol which provides a flexible \
|
|
interface to allow the bootloader to verify the file, file buffer or \
|
|
memory buffer without knowing the file format. \
|
|
"
|
|
AUTHOR = "Jia Zhang"
|
|
HOMEPAGE = "https://github.com/jiazhang0/SELoader"
|
|
SECTION = "bootloaders"
|
|
|
|
LICENSE = "BSD-3-Clause"
|
|
LIC_FILES_CHKSUM = "file://LICENSE;md5=d9bf404642f21afb4ad89f95d7bc91ee"
|
|
|
|
DEPENDS += "\
|
|
gnu-efi sbsigntool-native openssl-native \
|
|
"
|
|
|
|
PV = "0.4.6+git${SRCPV}"
|
|
|
|
SRC_URI = "\
|
|
git://github.com/jiazhang0/SELoader.git \
|
|
"
|
|
SRCREV = "8b90f76a8df51d9020e67824026556434f407086"
|
|
|
|
S = "${WORKDIR}/git"
|
|
|
|
COMPATIBLE_HOST = '(i.86|x86_64).*-linux'
|
|
PARALLEL_MAKE = ""
|
|
|
|
inherit deploy user-key-store
|
|
|
|
EXTRA_OEMAKE = "\
|
|
CROSS_COMPILE="${TARGET_PREFIX}" \
|
|
SBSIGN=${STAGING_BINDIR_NATIVE}/sbsign \
|
|
gnuefi_libdir=${STAGING_LIBDIR} \
|
|
LIB_GCC="`${CC} -print-libgcc-file-name`" \
|
|
"
|
|
|
|
EFI_ARCH_x86 = "ia32"
|
|
EFI_ARCH_x86-64 = "x64"
|
|
|
|
EFI_TARGET = "/boot/efi/EFI/BOOT"
|
|
|
|
python do_sign() {
|
|
sb_sign(d.expand('${B}/Src/Efi/SELoader.efi'), \
|
|
d.expand('${B}/Src/Efi/SELoader.efi.signed'), d)
|
|
sb_sign(d.expand('${B}/Bin/Hash2DxeCrypto.efi'), \
|
|
d.expand('${B}/Bin/Hash2DxeCrypto.efi.signed'), d)
|
|
sb_sign(d.expand('${B}/Bin/Pkcs7VerifyDxe.efi'), \
|
|
d.expand('${B}/Bin/Pkcs7VerifyDxe.efi.signed'), d)
|
|
}
|
|
addtask sign after do_compile before do_install
|
|
do_sign[prefuncs] += "check_deploy_keys"
|
|
|
|
do_install() {
|
|
install -d ${D}${EFI_TARGET}
|
|
|
|
oe_runmake install EFI_DESTDIR=${D}${EFI_TARGET}
|
|
|
|
if [ x"${UEFI_SB}" = x"1" ]; then
|
|
if [ x"${MOK_SB}" != x"1" ]; then
|
|
mv "${D}${EFI_TARGET}/SELoader${EFI_ARCH}.efi" \
|
|
"${D}${EFI_TARGET}/boot${EFI_ARCH}.efi"
|
|
fi
|
|
fi
|
|
}
|
|
|
|
do_deploy() {
|
|
# Deploy the unsigned images for manual signing
|
|
install -d "${DEPLOYDIR}/efi-unsigned"
|
|
|
|
install -m 0600 "${B}/Src/Efi/SELoader.efi" \
|
|
"${DEPLOYDIR}/efi-unsigned/SELoader${EFI_ARCH}.efi"
|
|
install -m 0600 "${B}/Bin/Hash2DxeCrypto.efi" "${DEPLOYDIR}/efi-unsigned"
|
|
install -m 0600 "${B}/Bin/Pkcs7VerifyDxe.efi" "${DEPLOYDIR}/efi-unsigned"
|
|
|
|
# Deploy the signed images
|
|
if [ x"${UEFI_SB}" = x"1" -a x"${MOK_SB}" != x"1" ]; then
|
|
SEL_NAME=boot
|
|
else
|
|
SEL_NAME=SELoader
|
|
fi
|
|
install -m 0600 "${D}${EFI_TARGET}/${SEL_NAME}${EFI_ARCH}.efi" \
|
|
"${DEPLOYDIR}/${SEL_NAME}${EFI_ARCH}.efi"
|
|
install -m 0600 "${D}${EFI_TARGET}/Hash2DxeCrypto.efi" \
|
|
"${DEPLOYDIR}/Hash2DxeCrypto.efi"
|
|
install -m 0600 "${D}${EFI_TARGET}/Pkcs7VerifyDxe.efi" \
|
|
"${DEPLOYDIR}/Pkcs7VerifyDxe.efi"
|
|
}
|
|
addtask deploy after do_install before do_build
|
|
|
|
FILES_${PN} += "${EFI_TARGET}"
|
|
|
|
SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/efi-unsigned"
|
|
SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/Hash2DxeCrypto.efi"
|
|
SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/Pkcs7VerifyDxe.efi"
|