shim: drop fallback

shim will uninstall MOK Verify Protocol when launching fallack, implying it is impossible to get the instance of MOK Verify Protocol for SELoader. This behavior violates the original intention of introducing fallback. Signed-off-by: Jia Zhang <qianyue.zj@alibaba-inc.com>
author: Jia Zhang <qianyue.zj@alibaba-inc.com> 2017-10-22 19:48:39 +0800
committer: Jia Zhang <qianyue.zj@alibaba-inc.com> 2017-10-27 21:57:43 +0800
commit: ffe79fe91ed8d10391de976fe615932eeaffab70 (patch)
tree: 70e5164aa920ea31a280e2f082fed36dfe3f71fd
parent: 6aa83f98bc1f989f72d4a6e60b433dfc7b2045ba (diff)
download: meta-secure-core-ffe79fe91ed8d10391de976fe615932eeaffab70.tar.gz
7 files changed, 7 insertions, 148 deletions
diff --git a/meta-efi-secure-boot/README.md b/meta-efi-secure-boot/README.md
index ce8d7fb..f69127f 100644
--- a/meta-efi-secure-boot/README.md
+++ b/meta-efi-secure-boot/README.md
@@ -10,12 +10,8 @@ chainloader the next stage bootloader with the integrity check using the
 shim-managed certificates corresponding to another set of trusted keys, which
 may be different than the trusted keys used by UEFI Secure Boot.
-fallback is the second-stage bootloader used to by-pass the Red Hat shim
+This layer introduces the SELoader as the second-stage bootloader and eventually
-signing review. It is designed to read a .csv file and will create a boot
+chainliader to the third-stage bootloader "grub". With the extension provided
-option in BIOS boot manager for the first boot entry in .csv.
-This layer introduces the SELoader as the third-stage bootloader and eventually
-chainliader to the fourth-stage bootloader "grub". With the extension provided
 by SELoader, grub configuration files, kernel (even without EFI stub support)
 and initrd can be authenticated. This capability is not available in the shim
 bootloader.
@@ -35,12 +31,11 @@ A complete boot flow looks like as following:
 - UEFI firmware boot manager (UEFI Secure Boot enabled) ->
  - shim (verified by a DB certificate) ->
-    - fallback (verified by a shim-managed certificate) ->
+    - SELoader (ditto) ->
-      - SELoader (ditto) ->
+      - grub (ditto) ->
-        - grub (ditto) ->
+        - grub.cfg (ditto)
-          - grub.cfg (ditto)
+        - kernel (ditto)
-          - kernel (ditto)
+        - initramfs (ditto)
-          - initramfs (ditto)
 ### Quick Start For The First Boot
 - Deploy the rootfs
diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim/0015-fallback-allow-to-search-.csv-in-EFI-BOOT.patch b/meta-efi-secure-boot/recipes-bsp/shim/shim/0015-fallback-allow-to-search-.csv-in-EFI-BOOT.patch
deleted file mode 100644
index 404e3de..0000000
--- a/meta-efi-secure-boot/recipes-bsp/shim/shim/0015-fallback-allow-to-search-.csv-in-EFI-BOOT.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 8990fdd360bc5db39e33e3a15c447bed0c1ca46e Mon Sep 17 00:00:00 2001
-From: Lans Zhang <jia.zhang@windriver.com>
-Date: Mon, 24 Jul 2017 15:15:33 +0800
-Subject: [PATCH 3/5] fallback: allow to search .csv in \EFI\BOOT
-Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
---
- fallback.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-diff --git a/fallback.c b/fallback.c
-index 423b3ee..b55755b 100644
--- a/fallback.c
-+++ b/fallback.c
-@@ -874,8 +874,7 @@ find_boot_options(EFI_HANDLE device)
-                        continue;
-                }
-                if (!StrCmp(fi->FileName, L".") ||
-                               !StrCmp(fi->FileName, L"..") ||
-                               !StrCaseCmp(fi->FileName, L"BOOT")) {
-+                               !StrCmp(fi->FileName, L"..")) {
-                        FreePool(buffer);
-                        buffer = NULL;
-                        continue;
-- 
-2.7.5
diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim/0016-fallback-don-t-set-the-csv-entry-as-the-first-boot-b.patch b/meta-efi-secure-boot/recipes-bsp/shim/shim/0016-fallback-don-t-set-the-csv-entry-as-the-first-boot-b.patch
deleted file mode 100644
index 7f23caf..0000000
--- a/meta-efi-secure-boot/recipes-bsp/shim/shim/0016-fallback-don-t-set-the-csv-entry-as-the-first-boot-b.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From b992209b060f7916de20a5926788a751f1c6636f Mon Sep 17 00:00:00 2001
-From: Lans Zhang <jia.zhang@windriver.com>
-Date: Tue, 1 Aug 2017 10:25:45 +0800
-Subject: [PATCH 4/5] fallback: don't set the csv entry as the first boot by
- default
-Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
---
- fallback.c | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-diff --git a/fallback.c b/fallback.c
-index b55755b..2794cc1 100644
--- a/fallback.c
-+++ b/fallback.c
-@@ -199,6 +199,11 @@ make_full_path(CHAR16 *dirname, CHAR16 *filename, CHAR16 **out, UINT64 *outlen)
- CHAR16 *bootorder = NULL;
- int nbootorder = 0;
- 
-+#ifdef FALLBACK_RUN_AS_FIRST_BOOT
-+UINTN run_as_first_boot = 1;
-+#else
-+UINTN run_as_first_boot = 0;
-+#endif
- EFI_DEVICE_PATH *first_new_option = NULL;
- VOID *first_new_option_args = NULL;
- UINTN first_new_option_size = 0;
-@@ -260,6 +265,9 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp,
-                                return rc;
-                        }
- 
-+                       if (!run_as_first_boot)
-+                               return EFI_SUCCESS;
-+
-                        CHAR16 *newbootorder = AllocateZeroPool(sizeof (CHAR16)
-                                                        * (nbootorder + 1));
-                        if (!newbootorder)
-@@ -569,7 +577,7 @@ add_to_boot_list(CHAR16 *dirname, CHAR16 *filename, CHAR16 *label, CHAR16 *argum
-        rc = find_boot_option(dp, full_device_path, fullpath, label, arguments, &option);
-        if (EFI_ERROR(rc)) {
-                add_boot_option(dp, full_device_path, fullpath, label, arguments);
-       } else if (option != 0) {
-+       } else if (run_as_first_boot && option != 0) {
-                CHAR16 *newbootorder;
-                newbootorder = AllocateZeroPool(sizeof (CHAR16) * nbootorder);
-                if (!newbootorder)
-@@ -899,7 +907,7 @@ find_boot_options(EFI_HANDLE device)
- 
-        } while (1);
- 
-       if (rc == EFI_SUCCESS && nbootorder > 0)
-+       if (run_as_first_boot && rc == EFI_SUCCESS && nbootorder > 0)
-                rc = update_boot_order();
- 
-        uefi_call_wrapper(fh2->Close, 1, fh2);
-- 
-2.7.5
diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim/0017-fallback-always-try-to-boot-the-option-recorded-in-c.patch b/meta-efi-secure-boot/recipes-bsp/shim/shim/0017-fallback-always-try-to-boot-the-option-recorded-in-c.patch
deleted file mode 100644
index 470693b..0000000
--- a/meta-efi-secure-boot/recipes-bsp/shim/shim/0017-fallback-always-try-to-boot-the-option-recorded-in-c.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 92ed1e297632a718d1392c8d163beb713c00ccbf Mon Sep 17 00:00:00 2001
-From: Lans Zhang <jia.zhang@windriver.com>
-Date: Wed, 9 Aug 2017 16:29:08 +0800
-Subject: [PATCH 5/5] fallback: always try to boot the option recorded in csv
-We intend to use fallback to work around MSFT for the next bootloader
-of shim. Thus, we don't mind fallback is involved for PCR measurement
-at all.
-Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
---
- fallback.c | 8 +-------
- 1 file changed, 1 insertion(+), 7 deletions(-)
-diff --git a/fallback.c b/fallback.c
-index 2794cc1..0a645a4 100644
--- a/fallback.c
-+++ b/fallback.c
-@@ -1016,13 +1016,7 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *systab)
-                return rc;
-        }
- 
-       rc = fallback_should_prefer_reset();
-       if (EFI_ERROR(rc)) {
-               VerbosePrint(L"tpm not present, starting the first image\n");
-               try_start_first_option(image);
-       } else {
-               VerbosePrint(L"tpm present, resetting system\n");
-       }
-+       try_start_first_option(image);
- 
-        Print(L"Reset System\n");
- 
-- 
-2.7.5
diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim/bootia32.csv b/meta-efi-secure-boot/recipes-bsp/shim/shim/bootia32.csv
deleted file mode 100644
index c2d784e..0000000
--- a/meta-efi-secure-boot/recipes-bsp/shim/shim/bootia32.csv
+++ /dev/null
Binary files differ
diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim/bootx64.csv b/meta-efi-secure-boot/recipes-bsp/shim/shim/bootx64.csv
deleted file mode 100644
index c89c303..0000000
--- a/meta-efi-secure-boot/recipes-bsp/shim/shim/bootx64.csv
+++ /dev/null
Binary files differ
diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb b/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb
index d07680b..fb58727 100644
--- a/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb
+++ b/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb
@@ -21,17 +21,12 @@ PV = "12+git${SRCPV}"
 SRC_URI = "\
    git://github.com/rhinstaller/shim.git \
-    file://bootx64.csv \
-    file://bootia32.csv \
    file://0001-shim-allow-to-verify-sha1-digest-for-Authenticode.patch;apply=0 \
    file://0005-Fix-signing-failure-due-to-not-finding-certificate.patch;apply=0 \
    file://0006-Prevent-from-removing-intermediate-.efi.patch \
    file://0008-Fix-the-world-build-failure-due-to-the-missing-rule-.patch \
    file://0011-Update-verification_method-if-the-loaded-image-is-si.patch;apply=0 \
    file://0012-netboot-replace-the-depreciated-EFI_PXE_BASE_CODE.patch \
-    file://0015-fallback-allow-to-search-.csv-in-EFI-BOOT.patch \
-    file://0016-fallback-don-t-set-the-csv-entry-as-the-first-boot-b.patch \
-    file://0017-fallback-always-try-to-boot-the-option-recorded-in-c.patch \
 "
 SRC_URI_append_x86-64 = "\
    ${@bb.utils.contains('DISTRO_FEATURES', 'msft', \
@@ -118,7 +113,6 @@ python do_sign() {
            edss_sign_efi_image(d.expand('${S}/shim${EFI_ARCH}.efi'), dst, d)
    sb_sign(d.expand('${S}/mm${EFI_ARCH}.efi'), d.expand('${B}/mm${EFI_ARCH}.efi.signed'), d)
-    sb_sign(d.expand('${S}/fb${EFI_ARCH}.efi'), d.expand('${B}/fb${EFI_ARCH}.efi.signed'), d)
 }
 addtask sign after do_compile before do_install
@@ -127,18 +121,13 @@ do_install() {
    local shim_dst="${D}${EFI_TARGET}/boot${EFI_ARCH}.efi"
    local mm_dst="${D}${EFI_TARGET}/mm${EFI_ARCH}.efi"
-    local fb_dst="${D}${EFI_TARGET}/fb${EFI_ARCH}.efi"
    if [ x"${UEFI_SB}" = x"1" ]; then
        install -m 0600 "${B}/shim${EFI_ARCH}.efi.signed" "$shim_dst"
        install -m 0600 "${B}/mm${EFI_ARCH}.efi.signed" "$mm_dst"
-        install -m 0600 "${B}/fb${EFI_ARCH}.efi.signed" "$fb_dst"
    else
        install -m 0600 "${B}/shim${EFI_ARCH}.efi" "$shim_dst"
        install -m 0600 "${B}/mm${EFI_ARCH}.efi" "$mm_dst"
-        install -m 0600 "${B}/fb${EFI_ARCH}.efi" "$fb_dst"
    fi
-    install -m 0600 "${WORKDIR}/boot${EFI_ARCH}.csv" "${D}${EFI_TARGET}"
 }
 # Install the unsigned images for manual signing
@@ -149,13 +138,9 @@ do_deploy() {
        "${DEPLOYDIR}/efi-unsigned/boot${EFI_ARCH}.efi"
    install -m 0600 "${B}/mm${EFI_ARCH}.efi" \
        "${DEPLOYDIR}/efi-unsigned/mm${EFI_ARCH}.efi"
-    install -m 0600 "${B}/fb${EFI_ARCH}.efi" \
-        "${DEPLOYDIR}/efi-unsigned/fb${EFI_ARCH}.efi"
    install -m 0600 "${D}${EFI_TARGET}/boot${EFI_ARCH}.efi" "${DEPLOYDIR}"
    install -m 0600 "${D}${EFI_TARGET}/mm${EFI_ARCH}.efi" "${DEPLOYDIR}"
-    install -m 0600 "${D}${EFI_TARGET}/fb${EFI_ARCH}.efi" "${DEPLOYDIR}"
-    install -m 0600 "${D}${EFI_TARGET}/boot${EFI_ARCH}.csv" "${DEPLOYDIR}"
 }
 addtask deploy after do_install before do_build
author	Jia Zhang <qianyue.zj@alibaba-inc.com>	2017-10-22 19:48:39 +0800
committer	Jia Zhang <qianyue.zj@alibaba-inc.com>	2017-10-27 21:57:43 +0800
commit	ffe79fe91ed8d10391de976fe615932eeaffab70 (patch)
tree	70e5164aa920ea31a280e2f082fed36dfe3f71fd
parent	6aa83f98bc1f989f72d4a6e60b433dfc7b2045ba (diff)
download	meta-secure-core-ffe79fe91ed8d10391de976fe615932eeaffab70.tar.gz

diff --git a/meta-efi-secure-boot/README.md b/meta-efi-secure-boot/README.md index ce8d7fb..f69127f 100644 --- a/meta-efi-secure-boot/README.md +++ b/meta-efi-secure-boot/README.md
@@ -10,12 +10,8 @@ chainloader the next stage bootloader with the integrity check using the
10	shim-managed certificates corresponding to another set of trusted keys, which	10	shim-managed certificates corresponding to another set of trusted keys, which
11	may be different than the trusted keys used by UEFI Secure Boot.	11	may be different than the trusted keys used by UEFI Secure Boot.
12		12
13	fallback is the second-stage bootloader used to by-pass the Red Hat shim	13	This layer introduces the SELoader as the second-stage bootloader and eventually
14	signing review. It is designed to read a .csv file and will create a boot	14	chainliader to the third-stage bootloader "grub". With the extension provided
15	option in BIOS boot manager for the first boot entry in .csv.
16
17	This layer introduces the SELoader as the third-stage bootloader and eventually
18	chainliader to the fourth-stage bootloader "grub". With the extension provided
19	by SELoader, grub configuration files, kernel (even without EFI stub support)	15	by SELoader, grub configuration files, kernel (even without EFI stub support)
20	and initrd can be authenticated. This capability is not available in the shim	16	and initrd can be authenticated. This capability is not available in the shim
21	bootloader.	17	bootloader.
@@ -35,12 +31,11 @@ A complete boot flow looks like as following:
35		31
36	- UEFI firmware boot manager (UEFI Secure Boot enabled) ->	32	- UEFI firmware boot manager (UEFI Secure Boot enabled) ->
37	- shim (verified by a DB certificate) ->	33	- shim (verified by a DB certificate) ->
38	- fallback (verified by a shim-managed certificate) ->	34	- SELoader (ditto) ->
39	- SELoader (ditto) ->	35	- grub (ditto) ->
40	- grub (ditto) ->	36	- grub.cfg (ditto)
41	- grub.cfg (ditto)	37	- kernel (ditto)
42	- kernel (ditto)	38	- initramfs (ditto)
43	- initramfs (ditto)
44		39
45	### Quick Start For The First Boot	40	### Quick Start For The First Boot
46	- Deploy the rootfs	41	- Deploy the rootfs


diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim/0015-fallback-allow-to-search-.csv-in-EFI-BOOT.patch b/meta-efi-secure-boot/recipes-bsp/shim/shim/0015-fallback-allow-to-search-.csv-in-EFI-BOOT.patch deleted file mode 100644 index 404e3de..0000000 --- a/meta-efi-secure-boot/recipes-bsp/shim/shim/0015-fallback-allow-to-search-.csv-in-EFI-BOOT.patch +++ /dev/null
@@ -1,27 +0,0 @@
1	From 8990fdd360bc5db39e33e3a15c447bed0c1ca46e Mon Sep 17 00:00:00 2001
2	From: Lans Zhang <jia.zhang@windriver.com>
3	Date: Mon, 24 Jul 2017 15:15:33 +0800
4	Subject: [PATCH 3/5] fallback: allow to search .csv in \EFI\BOOT
5
6	Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
7	---
8	fallback.c \| 3 +--
9	1 file changed, 1 insertion(+), 2 deletions(-)
10
11	diff --git a/fallback.c b/fallback.c
12	index 423b3ee..b55755b 100644
13	--- a/fallback.c
14	+++ b/fallback.c
15	@@ -874,8 +874,7 @@ find_boot_options(EFI_HANDLE device)
16	continue;
17	}
18	if (!StrCmp(fi->FileName, L".") \|\|
19	- !StrCmp(fi->FileName, L"..") \|\|
20	- !StrCaseCmp(fi->FileName, L"BOOT")) {
21	+ !StrCmp(fi->FileName, L"..")) {
22	FreePool(buffer);
23	buffer = NULL;
24	continue;
25	--
26	2.7.5
27


diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim/0016-fallback-don-t-set-the-csv-entry-as-the-first-boot-b.patch b/meta-efi-secure-boot/recipes-bsp/shim/shim/0016-fallback-don-t-set-the-csv-entry-as-the-first-boot-b.patch deleted file mode 100644 index 7f23caf..0000000 --- a/meta-efi-secure-boot/recipes-bsp/shim/shim/0016-fallback-don-t-set-the-csv-entry-as-the-first-boot-b.patch +++ /dev/null
@@ -1,58 +0,0 @@
1	From b992209b060f7916de20a5926788a751f1c6636f Mon Sep 17 00:00:00 2001
2	From: Lans Zhang <jia.zhang@windriver.com>
3	Date: Tue, 1 Aug 2017 10:25:45 +0800
4	Subject: [PATCH 4/5] fallback: don't set the csv entry as the first boot by
5	default
6
7	Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
8	---
9	fallback.c \| 12 ++++++++++--
10	1 file changed, 10 insertions(+), 2 deletions(-)
11
12	diff --git a/fallback.c b/fallback.c
13	index b55755b..2794cc1 100644
14	--- a/fallback.c
15	+++ b/fallback.c
16	@@ -199,6 +199,11 @@ make_full_path(CHAR16 dirname, CHAR16 filename, CHAR16 *out, UINT64 outlen)
17	CHAR16 *bootorder = NULL;
18	int nbootorder = 0;
19
20	+#ifdef FALLBACK_RUN_AS_FIRST_BOOT
21	+UINTN run_as_first_boot = 1;
22	+#else
23	+UINTN run_as_first_boot = 0;
24	+#endif
25	EFI_DEVICE_PATH *first_new_option = NULL;
26	VOID *first_new_option_args = NULL;
27	UINTN first_new_option_size = 0;
28	@@ -260,6 +265,9 @@ add_boot_option(EFI_DEVICE_PATH hddp, EFI_DEVICE_PATH fulldp,
29	return rc;
30	}
31
32	+ if (!run_as_first_boot)
33	+ return EFI_SUCCESS;
34	+
35	CHAR16 *newbootorder = AllocateZeroPool(sizeof (CHAR16)
36	* (nbootorder + 1));
37	if (!newbootorder)
38	@@ -569,7 +577,7 @@ add_to_boot_list(CHAR16 dirname, CHAR16 filename, CHAR16 label, CHAR16 argum
39	rc = find_boot_option(dp, full_device_path, fullpath, label, arguments, &option);
40	if (EFI_ERROR(rc)) {
41	add_boot_option(dp, full_device_path, fullpath, label, arguments);
42	- } else if (option != 0) {
43	+ } else if (run_as_first_boot && option != 0) {
44	CHAR16 *newbootorder;
45	newbootorder = AllocateZeroPool(sizeof (CHAR16) * nbootorder);
46	if (!newbootorder)
47	@@ -899,7 +907,7 @@ find_boot_options(EFI_HANDLE device)
48
49	} while (1);
50
51	- if (rc == EFI_SUCCESS && nbootorder > 0)
52	+ if (run_as_first_boot && rc == EFI_SUCCESS && nbootorder > 0)
53	rc = update_boot_order();
54
55	uefi_call_wrapper(fh2->Close, 1, fh2);
56	--
57	2.7.5
58


diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim/0017-fallback-always-try-to-boot-the-option-recorded-in-c.patch b/meta-efi-secure-boot/recipes-bsp/shim/shim/0017-fallback-always-try-to-boot-the-option-recorded-in-c.patch deleted file mode 100644 index 470693b..0000000 --- a/meta-efi-secure-boot/recipes-bsp/shim/shim/0017-fallback-always-try-to-boot-the-option-recorded-in-c.patch +++ /dev/null
@@ -1,36 +0,0 @@
1	From 92ed1e297632a718d1392c8d163beb713c00ccbf Mon Sep 17 00:00:00 2001
2	From: Lans Zhang <jia.zhang@windriver.com>
3	Date: Wed, 9 Aug 2017 16:29:08 +0800
4	Subject: [PATCH 5/5] fallback: always try to boot the option recorded in csv
5
6	We intend to use fallback to work around MSFT for the next bootloader
7	of shim. Thus, we don't mind fallback is involved for PCR measurement
8	at all.
9
10	Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
11	---
12	fallback.c \| 8 +-------
13	1 file changed, 1 insertion(+), 7 deletions(-)
14
15	diff --git a/fallback.c b/fallback.c
16	index 2794cc1..0a645a4 100644
17	--- a/fallback.c
18	+++ b/fallback.c
19	@@ -1016,13 +1016,7 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *systab)
20	return rc;
21	}
22
23	- rc = fallback_should_prefer_reset();
24	- if (EFI_ERROR(rc)) {
25	- VerbosePrint(L"tpm not present, starting the first image\n");
26	- try_start_first_option(image);
27	- } else {
28	- VerbosePrint(L"tpm present, resetting system\n");
29	- }
30	+ try_start_first_option(image);
31
32	Print(L"Reset System\n");
33
34	--
35	2.7.5
36


diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim/bootia32.csv b/meta-efi-secure-boot/recipes-bsp/shim/shim/bootia32.csv deleted file mode 100644 index c2d784e..0000000 --- a/meta-efi-secure-boot/recipes-bsp/shim/shim/bootia32.csv +++ /dev/null
Binary files differ


diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim/bootx64.csv b/meta-efi-secure-boot/recipes-bsp/shim/shim/bootx64.csv deleted file mode 100644 index c89c303..0000000 --- a/meta-efi-secure-boot/recipes-bsp/shim/shim/bootx64.csv +++ /dev/null
Binary files differ


diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb b/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb index d07680b..fb58727 100644 --- a/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb +++ b/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb
@@ -21,17 +21,12 @@ PV = "12+git${SRCPV}"
21		21
22	SRC_URI = "\	22	SRC_URI = "\
23	git://github.com/rhinstaller/shim.git \	23	git://github.com/rhinstaller/shim.git \
24	file://bootx64.csv \
25	file://bootia32.csv \
26	file://0001-shim-allow-to-verify-sha1-digest-for-Authenticode.patch;apply=0 \	24	file://0001-shim-allow-to-verify-sha1-digest-for-Authenticode.patch;apply=0 \
27	file://0005-Fix-signing-failure-due-to-not-finding-certificate.patch;apply=0 \	25	file://0005-Fix-signing-failure-due-to-not-finding-certificate.patch;apply=0 \
28	file://0006-Prevent-from-removing-intermediate-.efi.patch \	26	file://0006-Prevent-from-removing-intermediate-.efi.patch \
29	file://0008-Fix-the-world-build-failure-due-to-the-missing-rule-.patch \	27	file://0008-Fix-the-world-build-failure-due-to-the-missing-rule-.patch \
30	file://0011-Update-verification_method-if-the-loaded-image-is-si.patch;apply=0 \	28	file://0011-Update-verification_method-if-the-loaded-image-is-si.patch;apply=0 \
31	file://0012-netboot-replace-the-depreciated-EFI_PXE_BASE_CODE.patch \	29	file://0012-netboot-replace-the-depreciated-EFI_PXE_BASE_CODE.patch \
32	file://0015-fallback-allow-to-search-.csv-in-EFI-BOOT.patch \
33	file://0016-fallback-don-t-set-the-csv-entry-as-the-first-boot-b.patch \
34	file://0017-fallback-always-try-to-boot-the-option-recorded-in-c.patch \
35	"	30	"
36	SRC_URI_append_x86-64 = "\	31	SRC_URI_append_x86-64 = "\
37	${@bb.utils.contains('DISTRO_FEATURES', 'msft', \	32	${@bb.utils.contains('DISTRO_FEATURES', 'msft', \
@@ -118,7 +113,6 @@ python do_sign() {
118	edss_sign_efi_image(d.expand('${S}/shim${EFI_ARCH}.efi'), dst, d)	113	edss_sign_efi_image(d.expand('${S}/shim${EFI_ARCH}.efi'), dst, d)
119		114
120	sb_sign(d.expand('${S}/mm${EFI_ARCH}.efi'), d.expand('${B}/mm${EFI_ARCH}.efi.signed'), d)	115	sb_sign(d.expand('${S}/mm${EFI_ARCH}.efi'), d.expand('${B}/mm${EFI_ARCH}.efi.signed'), d)
121	sb_sign(d.expand('${S}/fb${EFI_ARCH}.efi'), d.expand('${B}/fb${EFI_ARCH}.efi.signed'), d)
122	}	116	}
123	addtask sign after do_compile before do_install	117	addtask sign after do_compile before do_install
124		118
@@ -127,18 +121,13 @@ do_install() {
127		121
128	local shim_dst="${D}${EFI_TARGET}/boot${EFI_ARCH}.efi"	122	local shim_dst="${D}${EFI_TARGET}/boot${EFI_ARCH}.efi"
129	local mm_dst="${D}${EFI_TARGET}/mm${EFI_ARCH}.efi"	123	local mm_dst="${D}${EFI_TARGET}/mm${EFI_ARCH}.efi"
130	local fb_dst="${D}${EFI_TARGET}/fb${EFI_ARCH}.efi"
131	if [ x"${UEFI_SB}" = x"1" ]; then	124	if [ x"${UEFI_SB}" = x"1" ]; then
132	install -m 0600 "${B}/shim${EFI_ARCH}.efi.signed" "$shim_dst"	125	install -m 0600 "${B}/shim${EFI_ARCH}.efi.signed" "$shim_dst"
133	install -m 0600 "${B}/mm${EFI_ARCH}.efi.signed" "$mm_dst"	126	install -m 0600 "${B}/mm${EFI_ARCH}.efi.signed" "$mm_dst"
134	install -m 0600 "${B}/fb${EFI_ARCH}.efi.signed" "$fb_dst"
135	else	127	else
136	install -m 0600 "${B}/shim${EFI_ARCH}.efi" "$shim_dst"	128	install -m 0600 "${B}/shim${EFI_ARCH}.efi" "$shim_dst"
137	install -m 0600 "${B}/mm${EFI_ARCH}.efi" "$mm_dst"	129	install -m 0600 "${B}/mm${EFI_ARCH}.efi" "$mm_dst"
138	install -m 0600 "${B}/fb${EFI_ARCH}.efi" "$fb_dst"
139	fi	130	fi
140
141	install -m 0600 "${WORKDIR}/boot${EFI_ARCH}.csv" "${D}${EFI_TARGET}"
142	}	131	}
143		132
144	# Install the unsigned images for manual signing	133	# Install the unsigned images for manual signing
@@ -149,13 +138,9 @@ do_deploy() {
149	"${DEPLOYDIR}/efi-unsigned/boot${EFI_ARCH}.efi"	138	"${DEPLOYDIR}/efi-unsigned/boot${EFI_ARCH}.efi"
150	install -m 0600 "${B}/mm${EFI_ARCH}.efi" \	139	install -m 0600 "${B}/mm${EFI_ARCH}.efi" \
151	"${DEPLOYDIR}/efi-unsigned/mm${EFI_ARCH}.efi"	140	"${DEPLOYDIR}/efi-unsigned/mm${EFI_ARCH}.efi"
152	install -m 0600 "${B}/fb${EFI_ARCH}.efi" \
153	"${DEPLOYDIR}/efi-unsigned/fb${EFI_ARCH}.efi"
154		141
155	install -m 0600 "${D}${EFI_TARGET}/boot${EFI_ARCH}.efi" "${DEPLOYDIR}"	142	install -m 0600 "${D}${EFI_TARGET}/boot${EFI_ARCH}.efi" "${DEPLOYDIR}"
156	install -m 0600 "${D}${EFI_TARGET}/mm${EFI_ARCH}.efi" "${DEPLOYDIR}"	143	install -m 0600 "${D}${EFI_TARGET}/mm${EFI_ARCH}.efi" "${DEPLOYDIR}"
157	install -m 0600 "${D}${EFI_TARGET}/fb${EFI_ARCH}.efi" "${DEPLOYDIR}"
158	install -m 0600 "${D}${EFI_TARGET}/boot${EFI_ARCH}.csv" "${DEPLOYDIR}"
159	}	144	}
160	addtask deploy after do_install before do_build	145	addtask deploy after do_install before do_build
161		146