meta-secure-core/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc
Yi Zhao 4e1cc676dc grub-efi: refresh patches for grub 2.06
Rebase patch:
0001-grub-verify-Add-strict_security-variable.patch
Grub-get-and-set-efi-variables.patch
mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch

Drop 0001-fs-ext2-fix-the-file-not-found-error-when-symlink-fi.patch
since it has been merged upstream.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2021-03-24 18:11:20 +08:00


# NOTE(review): openssl-native is presumably needed by the signing steps in
# do_sign_class-target below — confirm against the user-key-store class.
DEPENDS += "openssl-native"
FILESEXTRAPATHS_prepend := "${THISDIR}/grub-efi:"
# Strict verification: when both GRUB_SIGN_VERIFY and this are "1",
# do_compile_append embeds "insmod verify" / "set strict_security=1" into the
# early config that is built into the image.
GRUB_SIGN_VERIFY_STRICT ?= "1"
# Extra config files that are only fetched when UEFI Secure Boot (UEFI_SB) is
# enabled; they are installed, signed and deployed by the tasks below.
EXTRA_SRC_URI = "\
${@'file://efi-secure-boot.inc file://password.inc' if d.getVar('UEFI_SB', True) == '1' else ''} \
"
# mok2verify patch set; only added to SRC_URI when UEFI_SELOADER == "1"
# (see SRC_URI below), together with the mok2verify module in
# GRUB_SELOADER_MODULES.
GRUB_MOKVERIFY_PATCH = " \
file://mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch \
file://mok2verify-multiboot.patch \
file://verify-all-buffiles.patch \
"
# Shim/chainloader integration patches, the EFI variable get/set and
# verification patches, and the stacked grub configs (grub-efi.cfg,
# boot-menu.inc).  The mok2verify patches are pulled in only for
# UEFI_SELOADER == "1"; the Secure Boot configs only for UEFI_SB == "1"
# (via EXTRA_SRC_URI).
SRC_URI += "\
file://0001-pe32.h-add-header-structures-for-TE-and-DOS-executab.patch \
file://0002-shim-add-needed-data-structures.patch \
file://0003-efi-chainloader-implement-an-UEFI-Exit-service-for-s.patch \
file://0004-efi-chainloader-port-shim-to-grub.patch \
file://0005-efi-chainloader-use-shim-to-load-and-verify-an-image.patch \
file://0006-efi-chainloader-boot-the-image-using-shim.patch \
file://0007-efi-chainloader-take-care-of-unload-undershim.patch \
file://chainloader-handle-the-unauthenticated-image-by-shim.patch \
file://chainloader-Don-t-check-empty-section-in-file-like-..patch \
file://chainloader-Actually-find-the-relocations-correctly-.patch \
file://efi-chainloader-implemented-for-32-bit.patch \
file://Grub-get-and-set-efi-variables.patch \
file://uefi_verify.patch \
file://0001-grub-verify-Add-strict_security-variable.patch \
file://grub-efi.cfg \
file://boot-menu.inc \
${@d.getVar('GRUB_MOKVERIFY_PATCH', True) if d.getVar('UEFI_SELOADER', True) == '1' else ''} \
${EXTRA_SRC_URI} \
"
# functions efi_call_foo and efi_shim_exit are not implemented for arm64 yet
COMPATIBLE_HOST_aarch64 = 'null'
# Directory on the ESP the image searches for grub.cfg and uses as its prefix
# (see the early config written in do_compile_append).
GRUB_PREFIX_DIR ?= "/EFI/BOOT"
# Install/deploy location (below ${D}) of the image, its modules and the
# stacked configs.
EFI_BOOT_PATH ?= "/boot/efi/EFI/BOOT"
# Modules added to the built-in list depending on the enabled features.
GRUB_SECURE_BOOT_MODULES += "${@'efivar password_pbkdf2 ' if d.getVar('UEFI_SB', True) == '1' else ''}"
# Note: besides module names this also injects "--pubkey <GRUB_PUB_KEY>" into
# the grub-mkimage argument list; GRUB_BUILDIN is passed unquoted there so it
# is word-split into separate arguments.
GRUB_SIGNING_MODULES += "${@'pgp gcry_rsa gcry_sha256 gcry_sha512 --pubkey %s ' % d.getVar('GRUB_PUB_KEY', True) \
if d.getVar('GRUB_SIGN_VERIFY', True) == '1' else ''}"
GRUB_SELOADER_MODULES += "${@'mok2verify ' if d.getVar('UEFI_SELOADER', True) == '1' else ''}"
GRUB_BUILDIN_append += "tftp reboot chain \
${GRUB_SECURE_BOOT_MODULES} \
${GRUB_SIGNING_MODULES} \
${GRUB_SELOADER_MODULES}"
# For efi_call_foo and efi_shim_exit
CFLAGS_append = " -fno-toplevel-reorder"
# user-key-store is expected to provide the key checks (check_deploy_keys,
# check_boot_public_key) and the sb_sign / uks_bl_sign helpers used by the
# do_sign tasks below — confirm in the class.
inherit user-key-store
python __anonymous () {
    # Only relevant when UEFI Secure Boot is enabled: the grub image then has
    # to be named grub${arch}.efi so that shim or SELoader can find it, so the
    # default image name is overridden here.
    if d.getVar('UEFI_SB', True) != "1":
        return

    import re

    target = d.getVar('TARGET_ARCH', True)
    image = None
    if target == "x86_64":
        image = "grubx64.efi"
    elif re.match('i.86', target):
        image = "grubia32.efi"
    if image is None:
        # No shim-compatible name for any other target: skip the recipe.
        raise bb.parse.SkipPackage("grub-efi is incompatible with target %s" % target)
    d.setVar("GRUB_IMAGE", image)
}
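do_compile_append() {
    # Write the early (embedded) config that do_install_append_class-target
    # passes to grub-mkimage with "-c ../cfg": it locates grub.cfg next to
    # the image and sets the prefix accordingly.  With strict signature
    # verification enabled, the verify module is loaded and strict_security
    # is switched on before anything else is read.
    # "\$cmdpath" and "\$root" are GRUB variables and must survive into the
    # generated file, hence the escaping.
    # Fixes vs. the previous version: the deprecated "-a" test operator is
    # replaced by two tests, the redirection target is quoted, and the common
    # tail of the two heredocs is written once.
    local cfg="${WORKDIR}/cfg"

    : > "$cfg"
    if [ "${GRUB_SIGN_VERIFY}" = "1" ] && [ "${GRUB_SIGN_VERIFY_STRICT}" = "1" ]; then
        cat <<EOF >> "$cfg"
insmod verify
set strict_security=1
EOF
    fi
    cat <<EOF >> "$cfg"
search.file (\$cmdpath)${GRUB_PREFIX_DIR}/grub.cfg root
set prefix=(\$root)${GRUB_PREFIX_DIR}
EOF
}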
do_compile_append_class-native() {
    # The native variant only needs the grub-editenv host tool, which the
    # target do_install uses to create the initial grubenv block.
    make grub-editenv
}
do_install_append_class-native() {
    # Ship the grub-editenv host tool built in do_compile_append_class-native.
    install -m 0755 grub-editenv "${D}${bindir}"
}
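do_install_append_class-target() {
    local menu="${WORKDIR}/boot-menu.inc"
    local moddir="${D}${EFI_BOOT_PATH}/${GRUB_TARGET}-efi"

    # Enable the default IMA rules if IMA is enabled and luks is disabled.
    # This is because unseal operation will fail when any PCR is extended
    # due to updating the aggregate integrity value by the default IMA rules.
    # Plain "if" instead of "[ ... ] && { ... }" (and two tests instead of the
    # deprecated "-a") so a false condition never leaves a non-zero status.
    if [ x"${IMA}" = x"1" ] && [ x"${@bb.utils.contains('DISTRO_FEATURES', 'luks', '1', '0', d)}" != x"1" ]; then
        if ! grep -q "ima_policy=tcb" "$menu"; then
            sed -i 's/^\s*linux\s\+.*bzImage.*/& ima_policy=tcb/g' "$menu"
        fi
    fi

    # Replace the root parameter in boot command line with BOOT_CMD_ROOT,
    # which can be configured. It is helpful when secure boot is enabled.
    # NOTE: ',' is the sed delimiter, so BOOT_CMD_ROOT must not contain one.
    if [ -n "${BOOT_CMD_ROOT}" ]; then
        sed -i "s,root=/dev/hda2,root=${BOOT_CMD_ROOT},g" "$menu"
    fi

    # Install the stacked grub configs.
    install -d "${D}${EFI_BOOT_PATH}"
    install -m 0600 "${WORKDIR}/grub-efi.cfg" "${D}${EFI_BOOT_PATH}/grub.cfg"
    install -m 0600 "$menu" "${D}${EFI_BOOT_PATH}"
    if [ x"${UEFI_SB}" = x"1" ]; then
        install -m 0600 "${WORKDIR}/efi-secure-boot.inc" "${D}${EFI_BOOT_PATH}"
        install -m 0600 "${WORKDIR}/password.inc" "${D}${EFI_BOOT_PATH}"
    fi

    # Create the initial environment block with empty item.
    grub-editenv "${D}${EFI_BOOT_PATH}/grubenv" create

    # Build the EFI image with the early config written by do_compile_append
    # (WORKDIR/cfg, reached as ../cfg from the build directory).  GRUB_BUILDIN
    # is a whitespace separated list of modules (plus the "--pubkey" option
    # when signing is enabled) and must stay unquoted so it is split into
    # separate arguments.
    install -d "$moddir"
    grub-mkimage -c ../cfg -p "${GRUB_PREFIX_DIR}" -d "./grub-core" \
                 -O "${GRUB_TARGET}-efi" -o "${B}/${GRUB_IMAGE}" \
                 ${GRUB_BUILDIN}
    install -m 0644 "${B}/${GRUB_IMAGE}" "${D}${EFI_BOOT_PATH}/${GRUB_IMAGE}"

    # Install the modules to grub-efi's search path
    make -C grub-core install DESTDIR="${D}${EFI_BOOT_PATH}" pkglibdir=""

    # Remove the intermediate .module files.  The directory part is quoted;
    # only the glob is left for the shell to expand.
    rm -f "$moddir"/*.module
}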
python do_sign_prepend_class-target() {
    # Runs ahead of the signing in do_sign_class-target: make sure the deploy
    # keys are present, and the boot public key too when GRUB_SIGN_VERIFY is
    # enabled.  Both checks are expected from the user-key-store class.
    checks = ["check_deploy_keys"]
    if d.getVar('GRUB_SIGN_VERIFY', True) == '1':
        checks.append("check_boot_public_key")
    for check in checks:
        bb.build.exec_func(check, d)
}
fakeroot python do_sign_class-target() {
    # Sign what do_install_append_class-target put under D + EFI_BOOT_PATH:
    # the EFI image (in place: output path == input path) and the stacked
    # grub configs.  sb_sign / uks_bl_sign are expected to come from the
    # user-key-store class inherited above.
    base = d.getVar('D', True) + d.getVar('EFI_BOOT_PATH', True) + '/'
    image = base + d.getVar('GRUB_IMAGE', True)

    sb_sign(image, image, d)

    configs = ['grub.cfg', 'boot-menu.inc']
    if d.getVar('UEFI_SB', True) == "1":
        configs += ['efi-secure-boot.inc', 'password.inc']
    for name in configs:
        uks_bl_sign(base + name, d)
}
# Base do_sign task.  It is intentionally empty: the class-target body above
# does the actual signing, and the empty definition presumably keeps the task
# defined for the other class variants (e.g. native).  The body is left
# without a comment on purpose — a comment-only body would no longer be empty.
python do_sign() {
}
addtask sign after do_install before do_deploy do_package
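fakeroot do_chownboot() {
    # Give the signed config files (name + SB_FILE_EXT) to root:root under
    # fakeroot so they are packaged with that ownership.
    # Written with "if" rather than "[ ... ] && { ... }": with the latter as
    # the last command, a false test (UEFI_SB != 1) leaves the function with a
    # non-zero status, which fails the task under the "set -e" BitBake uses
    # for shell tasks.
    chown root:root -R "${D}${EFI_BOOT_PATH}/grub.cfg${SB_FILE_EXT}"
    chown root:root -R "${D}${EFI_BOOT_PATH}/boot-menu.inc${SB_FILE_EXT}"
    if [ x"${UEFI_SB}" = x"1" ]; then
        chown root:root -R "${D}${EFI_BOOT_PATH}/efi-secure-boot.inc${SB_FILE_EXT}"
        chown root:root -R "${D}${EFI_BOOT_PATH}/password.inc${SB_FILE_EXT}"
    fi
}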
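# Append the do_deploy() in oe-core.
do_deploy_append_class-target() {
    local boot="${D}${EFI_BOOT_PATH}"

    # The installed image was signed in place by do_sign (which runs before
    # do_deploy), so this is the signed copy.
    install -m 0644 "$boot/${GRUB_IMAGE}" "${DEPLOYDIR}"

    # Deploy the stacked grub configs, plain and signed (SB_FILE_EXT).
    # "if" instead of "[ ... ] && { ... }" so a disabled UEFI_SB never leaves
    # a non-zero status behind.
    install -m 0600 "$boot/grubenv" "${DEPLOYDIR}"
    install -m 0600 "$boot/grub.cfg" "${DEPLOYDIR}"
    install -m 0600 "$boot/boot-menu.inc" "${DEPLOYDIR}"
    install -m 0600 "$boot/grub.cfg${SB_FILE_EXT}" "${DEPLOYDIR}"
    install -m 0600 "$boot/boot-menu.inc${SB_FILE_EXT}" "${DEPLOYDIR}"
    if [ x"${UEFI_SB}" = x"1" ]; then
        install -m 0600 "$boot/efi-secure-boot.inc" "${DEPLOYDIR}"
        install -m 0600 "$boot/password.inc" "${DEPLOYDIR}"
        install -m 0600 "$boot/efi-secure-boot.inc${SB_FILE_EXT}" "${DEPLOYDIR}"
        install -m 0600 "$boot/password.inc${SB_FILE_EXT}" "${DEPLOYDIR}"
    fi

    # Unsigned copy of the image (grub-mkimage's output in B, which do_sign
    # does not touch) and of the module directory.
    install -d "${DEPLOYDIR}/efi-unsigned"
    install -m 0644 "${B}/${GRUB_IMAGE}" "${DEPLOYDIR}/efi-unsigned"
    # NOTE(review): PSEUDO_DISABLED=1 presumably makes the copy run outside
    # pseudo so fakeroot ownership is not carried over — confirm.
    PSEUDO_DISABLED=1 cp -af "$boot/${GRUB_TARGET}-efi" "${DEPLOYDIR}/efi-unsigned"
}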
# Everything under EFI_BOOT_PATH (image, modules, configs and their
# signature files) goes into the main package.
FILES_${PN} += "${EFI_BOOT_PATH}"
# The stacked configs are marked as configuration files so local edits are
# kept across package upgrades.  password.inc and the signature files are
# not listed here.
CONFFILES_${PN} += "\
${EFI_BOOT_PATH}/grub.cfg \
${EFI_BOOT_PATH}/grubenv \
${EFI_BOOT_PATH}/boot-menu.inc \
${EFI_BOOT_PATH}/efi-secure-boot.inc \
"