diff options
Diffstat (limited to 'classes')
-rw-r--r-- | classes/uefi-comboapp.bbclass | 39 | ||||
-rw-r--r-- | classes/uefi-sign.bbclass | 50 |
2 files changed, 55 insertions, 34 deletions
diff --git a/classes/uefi-comboapp.bbclass b/classes/uefi-comboapp.bbclass index fc7e1b6f..5c3ca8c9 100644 --- a/classes/uefi-comboapp.bbclass +++ b/classes/uefi-comboapp.bbclass | |||
@@ -83,27 +83,14 @@ python create_uefiapps () { | |||
83 | create_uefiapp(d, uuid=uuid) | 83 | create_uefiapp(d, uuid=uuid) |
84 | } | 84 | } |
85 | 85 | ||
86 | sign_uefiapps () { | ||
87 | if ${@ bb.utils.contains('IMAGE_FEATURES', 'secureboot', 'true', 'false', d) } && | ||
88 | [ -f ${UEFIAPP_SIGNING_KEY} ] && [ -f ${UEFIAPP_SIGNING_CERT} ]; then | ||
89 | for i in `find ${DEPLOY_DIR_IMAGE}/ -name '${IMAGE_LINK_NAME}.boot*.efi'`; do | ||
90 | sbsign --key ${UEFIAPP_SIGNING_KEY} --cert ${UEFIAPP_SIGNING_CERT} $i | ||
91 | sbverify --cert ${UEFIAPP_SIGNING_CERT} $i.signed | ||
92 | mv $i.signed $i | ||
93 | done | ||
94 | fi | ||
95 | } | ||
96 | |||
97 | # This is intentionally split into different parts. This way, derived | 86 | # This is intentionally split into different parts. This way, derived |
98 | # classes or images can extend the individual parts. We can also use | 87 | # classes or images can extend the individual parts. We can also use |
99 | # whatever language (shell script or Python) is more suitable. | 88 | # whatever language (shell script or Python) is more suitable. |
100 | python do_uefiapp() { | 89 | python do_uefiapp() { |
101 | bb.build.exec_func('create_uefiapps', d) | 90 | bb.build.exec_func('create_uefiapps', d) |
102 | bb.build.exec_func('sign_uefiapps', d) | ||
103 | } | 91 | } |
104 | 92 | ||
105 | do_uefiapp[vardeps] += "APPEND DISK_SIGNATURE_UUID INITRD_LIVE KERNEL_IMAGETYPE IMAGE_LINK_NAME" | 93 | do_uefiapp[vardeps] += "APPEND DISK_SIGNATURE_UUID INITRD_LIVE KERNEL_IMAGETYPE IMAGE_LINK_NAME" |
106 | do_uefiapp[depends] += "${@ bb.utils.contains('IMAGE_FEATURES', 'secureboot', 'sbsigntool-native:do_populate_sysroot', '', d) }" | ||
107 | 94 | ||
108 | uefiapp_deploy_at() { | 95 | uefiapp_deploy_at() { |
109 | dest=$1 | 96 | dest=$1 |
@@ -126,26 +113,6 @@ do_uefiapp_deploy[depends] += "${PN}:do_uefiapp" | |||
126 | 113 | ||
127 | # This decides when/how we add our tasks to the image | 114 | # This decides when/how we add our tasks to the image |
128 | python () { | 115 | python () { |
129 | import os | ||
130 | import hashlib | ||
131 | |||
132 | secureboot = bb.utils.contains('IMAGE_FEATURES', 'secureboot', True, False, d) | ||
133 | # Ensure that if the signing key or cert change, we rerun the uefiapp process | ||
134 | if secureboot: | ||
135 | for varname in ('UEFIAPP_SIGNING_CERT', 'UEFIAPP_SIGNING_KEY'): | ||
136 | filename = d.getVar(varname) | ||
137 | if filename is None: | ||
138 | bb.fatal('%s is not set.' % varname) | ||
139 | if not os.path.isfile(filename): | ||
140 | bb.fatal('%s=%s is not a file.' % (varname, filename)) | ||
141 | with open(filename, 'rb') as f: | ||
142 | data = f.read() | ||
143 | hash = hashlib.sha256(data).hexdigest() | ||
144 | d.setVar('%s_HASH' % varname, hash) | ||
145 | |||
146 | # Must reparse and thus rehash on file changes. | ||
147 | bb.parse.mark_dependency(d, filename) | ||
148 | |||
149 | image_fstypes = d.getVar('IMAGE_FSTYPES', True) | 116 | image_fstypes = d.getVar('IMAGE_FSTYPES', True) |
150 | initramfs_fstypes = d.getVar('INITRAMFS_FSTYPES', True) | 117 | initramfs_fstypes = d.getVar('INITRAMFS_FSTYPES', True) |
151 | 118 | ||
@@ -155,7 +122,11 @@ python () { | |||
155 | bb.build.addtask('uefiapp_deploy', 'do_image', 'do_rootfs', d) | 122 | bb.build.addtask('uefiapp_deploy', 'do_image', 'do_rootfs', d) |
156 | } | 123 | } |
157 | 124 | ||
158 | do_uefiapp[vardeps] += "UEFIAPP_SIGNING_CERT_HASH UEFIAPP_SIGNING_KEY_HASH" | 125 | SIGN_AFTER ?= "do_uefiapp" |
126 | SIGN_BEFORE ?= "do_uefiapp_deploy" | ||
127 | SIGNING_DIR ?= "${DEPLOY_DIR_IMAGE}" | ||
128 | SIGNING_BINARIES ?= "${IMAGE_LINK_NAME}.boot*.efi" | ||
129 | inherit uefi-sign | ||
159 | 130 | ||
160 | # Legacy hddimg support below this line | 131 | # Legacy hddimg support below this line |
161 | efi_hddimg_populate() { | 132 | efi_hddimg_populate() { |
diff --git a/classes/uefi-sign.bbclass b/classes/uefi-sign.bbclass new file mode 100644 index 00000000..e8f203b9 --- /dev/null +++ b/classes/uefi-sign.bbclass | |||
@@ -0,0 +1,50 @@ | |||
1 | # By default, sign all .efi binaries in ${B} after compiling and before deploying | ||
2 | SIGNING_DIR ?= "${B}" | ||
3 | SIGNING_BINARIES ?= "*.efi" | ||
4 | SIGN_AFTER ?= "do_compile" | ||
5 | SIGN_BEFORE ?= "do_deploy" | ||
6 | |||
7 | python () { | ||
8 | import os | ||
9 | import hashlib | ||
10 | |||
11 | # Ensure that if the signing key or cert change, we rerun the uefiapp process | ||
12 | if bb.utils.contains('IMAGE_FEATURES', 'secureboot', True, False, d): | ||
13 | for varname in ('SECURE_BOOT_SIGNING_CERT', 'SECURE_BOOT_SIGNING_KEY'): | ||
14 | filename = d.getVar(varname) | ||
15 | if filename is None: | ||
16 | bb.fatal('%s is not set.' % varname) | ||
17 | if not os.path.isfile(filename): | ||
18 | bb.fatal('%s=%s is not a file.' % (varname, filename)) | ||
19 | with open(filename, 'rb') as f: | ||
20 | data = f.read() | ||
21 | hash = hashlib.sha256(data).hexdigest() | ||
22 | d.setVar('%s_HASH' % varname, hash) | ||
23 | |||
24 | # Must reparse and thus rehash on file changes. | ||
25 | bb.parse.mark_dependency(d, filename) | ||
26 | |||
27 | bb.build.addtask('uefi_sign', d.getVar('SIGN_BEFORE'), d.getVar('SIGN_AFTER'), d) | ||
28 | |||
29 | # Original binary needs to be regenerated if the hash changes since we overwrite it | ||
30 | # SIGN_AFTER isn't necessarily when it gets generated, but its our best guess | ||
31 | d.appendVarFlag(d.getVar('SIGN_AFTER'), 'vardeps', 'SECURE_BOOT_SIGNING_CERT_HASH SECURE_BOOT_SIGNING_KEY_HASH') | ||
32 | } | ||
33 | |||
34 | do_uefi_sign() { | ||
35 | if [ -f ${SECURE_BOOT_SIGNING_KEY} ] && [ -f ${SECURE_BOOT_SIGNING_CERT} ]; then | ||
36 | for i in `find ${SIGNING_DIR}/ -name '${SIGNING_BINARIES}'`; do | ||
37 | sbsign --key ${SECURE_BOOT_SIGNING_KEY} --cert ${SECURE_BOOT_SIGNING_CERT} $i | ||
38 | sbverify --cert ${SECURE_BOOT_SIGNING_CERT} $i.signed | ||
39 | mv $i.signed $i | ||
40 | done | ||
41 | fi | ||
42 | } | ||
43 | |||
44 | do_uefi_sign[depends] += "sbsigntool-native:do_populate_sysroot" | ||
45 | |||
46 | do_uefi_sign[vardeps] += "SECURE_BOOT_SIGNING_CERT_HASH \ | ||
47 | SECURE_BOOT_SIGNING_KEY_HASH \ | ||
48 | SIGNING_BINARIES SIGNING_DIR \ | ||
49 | SIGN_BEFORE SIGN_AFTER \ | ||
50 | " | ||