summaryrefslogtreecommitdiffstats
path: root/classes/uefi-sign.bbclass
diff options
context:
space:
mode:
Diffstat (limited to 'classes/uefi-sign.bbclass')
-rw-r--r--classes/uefi-sign.bbclass50
1 files changed, 50 insertions, 0 deletions
diff --git a/classes/uefi-sign.bbclass b/classes/uefi-sign.bbclass
new file mode 100644
index 00000000..e8f203b9
--- /dev/null
+++ b/classes/uefi-sign.bbclass
@@ -0,0 +1,50 @@
1# By default, sign all .efi binaries in ${B} after compiling and before deploying
2SIGNING_DIR ?= "${B}"
3SIGNING_BINARIES ?= "*.efi"
4SIGN_AFTER ?= "do_compile"
5SIGN_BEFORE ?= "do_deploy"
6
7python () {
8 import os
9 import hashlib
10
11 # Ensure that if the signing key or cert change, we rerun the uefiapp process
12 if bb.utils.contains('IMAGE_FEATURES', 'secureboot', True, False, d):
13 for varname in ('SECURE_BOOT_SIGNING_CERT', 'SECURE_BOOT_SIGNING_KEY'):
14 filename = d.getVar(varname)
15 if filename is None:
16 bb.fatal('%s is not set.' % varname)
17 if not os.path.isfile(filename):
18 bb.fatal('%s=%s is not a file.' % (varname, filename))
19 with open(filename, 'rb') as f:
20 data = f.read()
21 hash = hashlib.sha256(data).hexdigest()
22 d.setVar('%s_HASH' % varname, hash)
23
24 # Must reparse and thus rehash on file changes.
25 bb.parse.mark_dependency(d, filename)
26
27 bb.build.addtask('uefi_sign', d.getVar('SIGN_BEFORE'), d.getVar('SIGN_AFTER'), d)
28
29 # Original binary needs to be regenerated if the hash changes since we overwrite it
30 # SIGN_AFTER isn't necessarily when it gets generated, but its our best guess
31 d.appendVarFlag(d.getVar('SIGN_AFTER'), 'vardeps', 'SECURE_BOOT_SIGNING_CERT_HASH SECURE_BOOT_SIGNING_KEY_HASH')
32}
33
34do_uefi_sign() {
35 if [ -f ${SECURE_BOOT_SIGNING_KEY} ] && [ -f ${SECURE_BOOT_SIGNING_CERT} ]; then
36 for i in `find ${SIGNING_DIR}/ -name '${SIGNING_BINARIES}'`; do
37 sbsign --key ${SECURE_BOOT_SIGNING_KEY} --cert ${SECURE_BOOT_SIGNING_CERT} $i
38 sbverify --cert ${SECURE_BOOT_SIGNING_CERT} $i.signed
39 mv $i.signed $i
40 done
41 fi
42}
43
44do_uefi_sign[depends] += "sbsigntool-native:do_populate_sysroot"
45
46do_uefi_sign[vardeps] += "SECURE_BOOT_SIGNING_CERT_HASH \
47 SECURE_BOOT_SIGNING_KEY_HASH \
48 SIGNING_BINARIES SIGNING_DIR \
49 SIGN_BEFORE SIGN_AFTER \
50 "