authorCalifornia Sullivan <california.l.sullivan@intel.com>2017-07-18 23:56:18 (GMT)
committerSaul Wold <sgw@linux.intel.com>2017-07-19 15:30:08 (GMT)
commit625a588f70785cf777ec9fb072b127b126aba781 (patch)
tree89711df42d09a572c40d27300e40a6061497bf40 /classes/uefi-comboapp.bbclass
parent21086869beba0c6e38275be97af2e689e17820ec (diff)
uefi-comboapp.bbclass: Split signing functionality into its own bbclass
In the future more secure boot implementations will be offered, with each one needing the signing method. Instead of repeating a forty line block of code across several recipes, just use a configurable bbclass. Signed-off-by: California Sullivan <california.l.sullivan@intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
Diffstat (limited to 'classes/uefi-comboapp.bbclass')
-rw-r--r--classes/uefi-comboapp.bbclass39
1 files changed, 5 insertions, 34 deletions
diff --git a/classes/uefi-comboapp.bbclass b/classes/uefi-comboapp.bbclass
index fc7e1b6..5c3ca8c 100644
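--- a/classes/uefi-comboapp.bbclass
+++ b/classes/uefi-comboapp.bbclass
@@ -83,27 +83,14 @@ python create_uefiapps () {
  create_uefiapp(d, uuid=uuid)
 }
 
-sign_uefiapps () {
- if ${@ bb.utils.contains('IMAGE_FEATURES', 'secureboot', 'true', 'false', d) } &&
- [ -f ${UEFIAPP_SIGNING_KEY} ] && [ -f ${UEFIAPP_SIGNING_CERT} ]; then
- for i in `find ${DEPLOY_DIR_IMAGE}/ -name '${IMAGE_LINK_NAME}.boot*.efi'`; do
- sbsign --key ${UEFIAPP_SIGNING_KEY} --cert ${UEFIAPP_SIGNING_CERT} $i
- sbverify --cert ${UEFIAPP_SIGNING_CERT} $i.signed
- mv $i.signed $i
- done
- fi
-}
-
 # This is intentionally split into different parts. This way, derived
 # classes or images can extend the individual parts. We can also use
 # whatever language (shell script or Python) is more suitable.
 python do_uefiapp() {
  bb.build.exec_func('create_uefiapps', d)
- bb.build.exec_func('sign_uefiapps', d)
 }
 
 do_uefiapp[vardeps] += "APPEND DISK_SIGNATURE_UUID INITRD_LIVE KERNEL_IMAGETYPE IMAGE_LINK_NAME"
-do_uefiapp[depends] += "${@ bb.utils.contains('IMAGE_FEATURES', 'secureboot', 'sbsigntool-native:do_populate_sysroot', '', d) }"
 
 uefiapp_deploy_at() {
  dest=$1
@@ -126,26 +113,6 @@ do_uefiapp_deploy[depends] += "${PN}:do_uefiapp"
 
 # This decides when/how we add our tasks to the image
 python () {
- import os
- import hashlib
-
- secureboot = bb.utils.contains('IMAGE_FEATURES', 'secureboot', True, False, d)
- # Ensure that if the signing key or cert change, we rerun the uefiapp process
- if secureboot:
- for varname in ('UEFIAPP_SIGNING_CERT', 'UEFIAPP_SIGNING_KEY'):
- filename = d.getVar(varname)
- if filename is None:
- bb.fatal('%s is not set.' % varname)
- if not os.path.isfile(filename):
- bb.fatal('%s=%s is not a file.' % (varname, filename))
- with open(filename, 'rb') as f:
- data = f.read()
- hash = hashlib.sha256(data).hexdigest()
- d.setVar('%s_HASH' % varname, hash)
-
- # Must reparse and thus rehash on file changes.
- bb.parse.mark_dependency(d, filename)
-
  image_fstypes = d.getVar('IMAGE_FSTYPES', True)
  initramfs_fstypes = d.getVar('INITRAMFS_FSTYPES', True)
 
@@ -155,7 +122,11 @@ python () {
  bb.build.addtask('uefiapp_deploy', 'do_image', 'do_rootfs', d)
 }
 
-do_uefiapp[vardeps] += "UEFIAPP_SIGNING_CERT_HASH UEFIAPP_SIGNING_KEY_HASH"
+SIGN_AFTER ?= "do_uefiapp"
+SIGN_BEFORE ?= "do_uefiapp_deploy"
+SIGNING_DIR ?= "${DEPLOY_DIR_IMAGE}"
+SIGNING_BINARIES ?= "${IMAGE_LINK_NAME}.boot*.efi"
+inherit uefi-sign
 
 # Legacy hddimg support below this line
 efi_hddimg_populate() {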
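Review bot: The new block at lines 125-129 hands signing to `uefi-sign`, while this file drops both the parse-time `bb.fatal` checks on `UEFIAPP_SIGNING_KEY`/`UEFIAPP_SIGNING_CERT` and the `UEFIAPP_SIGNING_*_HASH` entries in `do_uefiapp[vardeps]`, and nothing visible here shows that the inherited class keeps either. If the old `[ -f ... ]` skip logic was carried over without the fatal checks, a `secureboot` image could presumably be built with unsigned `.boot*.efi` binaries, and without the hashes a rotated key or cert would not retrigger signing; `uefi-sign.bbclass` is not part of this page, so both need confirming there. Signing is also no longer part of `do_uefiapp` itself but a separate step ordered only through the weak defaults `SIGN_AFTER`/`SIGN_BEFORE`, so an earlier assignment of either in another layer or in local configuration may let `do_uefiapp_deploy` pick up unsigned binaries. I would add a comment above the block, for example `# Signing runs as its own task between do_uefiapp and do_uefiapp_deploy; uefi-sign must fail the build if the key or cert is missing while secureboot is enabled.`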