1 files changed, 50 insertions, 0 deletions
diff --git a/classes/uefi-sign.bbclass b/classes/uefi-sign.bbclass
new file mode 100644
index 00000000..e8f203b9
--- /dev/null
+++ b/classes/uefi-sign.bbclass
@@ -0,0 +1,50 @@
+# By default, sign all .efi binaries in ${B} after compiling and before deploying
+SIGNING_DIR ?= "${B}"
+SIGNING_BINARIES ?= "*.efi"
+SIGN_AFTER ?= "do_compile"
+SIGN_BEFORE ?= "do_deploy"
+python () {
+    import os
+    import hashlib
+    # Ensure that if the signing key or cert change, we rerun the uefiapp process
+    if bb.utils.contains('IMAGE_FEATURES', 'secureboot', True, False, d):
+        for varname in ('SECURE_BOOT_SIGNING_CERT', 'SECURE_BOOT_SIGNING_KEY'):
+            filename = d.getVar(varname)
+            if filename is None:
+                bb.fatal('%s is not set.' % varname)
+            if not os.path.isfile(filename):
+                bb.fatal('%s=%s is not a file.' % (varname, filename))
+            with open(filename, 'rb') as f:
+                data = f.read()
+            hash = hashlib.sha256(data).hexdigest()
+            d.setVar('%s_HASH' % varname, hash)
+            # Must reparse and thus rehash on file changes.
+            bb.parse.mark_dependency(d, filename)
+        bb.build.addtask('uefi_sign', d.getVar('SIGN_BEFORE'), d.getVar('SIGN_AFTER'), d)
+        # Original binary needs to be regenerated if the hash changes since we overwrite it
+        # SIGN_AFTER isn't necessarily when it gets generated, but its our best guess
+        d.appendVarFlag(d.getVar('SIGN_AFTER'), 'vardeps', 'SECURE_BOOT_SIGNING_CERT_HASH SECURE_BOOT_SIGNING_KEY_HASH')
+}
+do_uefi_sign() {
+    if [ -f ${SECURE_BOOT_SIGNING_KEY} ] && [ -f ${SECURE_BOOT_SIGNING_CERT} ]; then
+        for i in `find ${SIGNING_DIR}/ -name '${SIGNING_BINARIES}'`; do
+            sbsign --key ${SECURE_BOOT_SIGNING_KEY} --cert ${SECURE_BOOT_SIGNING_CERT} $i
+            sbverify --cert ${SECURE_BOOT_SIGNING_CERT} $i.signed
+            mv $i.signed $i
+        done
+    fi
+}
+do_uefi_sign[depends] += "sbsigntool-native:do_populate_sysroot"
+do_uefi_sign[vardeps] += "SECURE_BOOT_SIGNING_CERT_HASH \
+                          SECURE_BOOT_SIGNING_KEY_HASH  \
+                          SIGNING_BINARIES SIGNING_DIR  \
+                          SIGN_BEFORE SIGN_AFTER        \
+                         "

diff --git a/classes/uefi-sign.bbclass b/classes/uefi-sign.bbclass new file mode 100644 index 00000000..e8f203b9 --- /dev/null +++ b/classes/uefi-sign.bbclass
@@ -0,0 +1,50 @@
	1	# By default, sign all .efi binaries in ${B} after compiling and before deploying
	2	SIGNING_DIR ?= "${B}"
	3	SIGNING_BINARIES ?= "*.efi"
	4	SIGN_AFTER ?= "do_compile"
	5	SIGN_BEFORE ?= "do_deploy"
	6
	7	python () {
	8	import os
	9	import hashlib
	10
	11	# Ensure that if the signing key or cert change, we rerun the uefiapp process
	12	if bb.utils.contains('IMAGE_FEATURES', 'secureboot', True, False, d):
	13	for varname in ('SECURE_BOOT_SIGNING_CERT', 'SECURE_BOOT_SIGNING_KEY'):
	14	filename = d.getVar(varname)
	15	if filename is None:
	16	bb.fatal('%s is not set.' % varname)
	17	if not os.path.isfile(filename):
	18	bb.fatal('%s=%s is not a file.' % (varname, filename))
	19	with open(filename, 'rb') as f:
	20	data = f.read()
	21	hash = hashlib.sha256(data).hexdigest()
	22	d.setVar('%s_HASH' % varname, hash)
	23
	24	# Must reparse and thus rehash on file changes.
	25	bb.parse.mark_dependency(d, filename)
	26
	27	bb.build.addtask('uefi_sign', d.getVar('SIGN_BEFORE'), d.getVar('SIGN_AFTER'), d)
	28
	29	# Original binary needs to be regenerated if the hash changes since we overwrite it
	30	# SIGN_AFTER isn't necessarily when it gets generated, but its our best guess
	31	d.appendVarFlag(d.getVar('SIGN_AFTER'), 'vardeps', 'SECURE_BOOT_SIGNING_CERT_HASH SECURE_BOOT_SIGNING_KEY_HASH')
	32	}
	33
	34	do_uefi_sign() {
	35	if [ -f ${SECURE_BOOT_SIGNING_KEY} ] && [ -f ${SECURE_BOOT_SIGNING_CERT} ]; then
	36	for i in `find ${SIGNING_DIR}/ -name '${SIGNING_BINARIES}'`; do
	37	sbsign --key ${SECURE_BOOT_SIGNING_KEY} --cert ${SECURE_BOOT_SIGNING_CERT} $i
	38	sbverify --cert ${SECURE_BOOT_SIGNING_CERT} $i.signed
	39	mv $i.signed $i
	40	done
	41	fi
	42	}
	43
	44	do_uefi_sign[depends] += "sbsigntool-native:do_populate_sysroot"
	45
	46	do_uefi_sign[vardeps] += "SECURE_BOOT_SIGNING_CERT_HASH \
	47	SECURE_BOOT_SIGNING_KEY_HASH \
	48	SIGNING_BINARIES SIGNING_DIR \
	49	SIGN_BEFORE SIGN_AFTER \
	50	"