meta-efi-secure-boot: only apply if efi-secure-boot distro flag set

Only apply grub-efi and linux-yocto bbappend if feature efi-secure-boot set Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
author: Mark Hatle <mark.hatle@windriver.com> 2017-09-04 21:23:42 -0500
committer: Jia Zhang <zhang.jia@linux.alibaba.com> 2019-08-13 20:53:14 +0800
commit: ed0de6b2955a849fcc87fcb7b09607e3948faa85 (patch)
tree: 8bc1ac5ae2a22a26b62bc25b547ff6bb94bbf340
parent: 70e22755a6a80d80c0e5327b35206372c5bb3380 (diff)
download: meta-secure-core-ed0de6b2955a849fcc87fcb7b09607e3948faa85.tar.gz
4 files changed, 151 insertions, 150 deletions
diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc
new file mode 100644
index 0000000..da3fda9
--- /dev/null
+++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc
@@ -0,0 +1,148 @@
+DEPENDS += "openssl-native"
+FILESEXTRAPATHS_prepend := "${THISDIR}/grub-efi:"
+EXTRA_SRC_URI = "\
+    ${@'file://efi-secure-boot.inc file://password.inc' if d.getVar('UEFI_SB', True) == '1' else ''} \
+"
+SRC_URI += "\
+    file://0001-pe32.h-add-header-structures-for-TE-and-DOS-executab.patch \
+    file://0002-shim-add-needed-data-structures.patch \
+    file://0003-efi-chainloader-implement-an-UEFI-Exit-service-for-s.patch \
+    file://0004-efi-chainloader-port-shim-to-grub.patch \
+    file://0005-efi-chainloader-use-shim-to-load-and-verify-an-image.patch \
+    file://0006-efi-chainloader-boot-the-image-using-shim.patch \
+    file://0007-efi-chainloader-take-care-of-unload-undershim.patch \
+    file://chainloader-handle-the-unauthenticated-image-by-shim.patch \
+    file://chainloader-Don-t-check-empty-section-in-file-like-..patch \
+    file://chainloader-Actually-find-the-relocations-correctly-.patch \
+    file://efi-chainloader-implemented-for-32-bit.patch \
+    file://Grub-get-and-set-efi-variables.patch \
+    file://mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch \
+    file://grub-efi.cfg \
+    file://boot-menu.inc \
+    ${EXTRA_SRC_URI} \
+"
+# functions efi_call_foo and efi_shim_exit are not implemented for arm64 yet
+COMPATIBLE_HOST_aarch64 = 'null'
+EFI_BOOT_PATH = "/boot/efi/EFI/BOOT"
+GRUB_BUILDIN_append += " chain ${@'efivar mok2verify password_pbkdf2' \
+                                  if d.getVar('UEFI_SB', True) == '1' else ''}"
+# For efi_call_foo and efi_shim_exit
+CFLAGS_append = " -fno-toplevel-reorder"
+# Set a default root specifier.
+inherit user-key-store
+python __anonymous () {
+    if d.getVar('UEFI_SB', True) != "1":
+        return
+    # Override the default filename if efi-secure-boot enabled.
+    # grub-efi must be renamed as grub${arch}.efi for working with shim
+    # or SELoader.
+    import re
+    target = d.getVar('TARGET_ARCH', True)
+    if target == "x86_64":
+        grubimage = "grubx64.efi"
+    elif re.match('i.86', target):
+        grubimage = "grubia32.efi"
+    else:
+        raise bb.parse.SkipPackage("grub-efi is incompatible with target %s" % target)
+    d.setVar("GRUB_IMAGE", grubimage)
+}
+do_compile_append_class-native() {
+    make grub-editenv
+}
+do_install_append_class-native() {
+    install -m 0755 grub-editenv "${D}${bindir}"
+}
+do_install_append_class-target() {
+    local menu="${WORKDIR}/boot-menu.inc"
+    # Enable the default IMA rules if IMA is enabled and luks is disabled.
+    # This is because unseal operation will fail when any PCR is extended
+    # due to updating the aggregate integrity value by the default IMA rules.
+    [ x"${IMA}" = x"1" -a x"${@bb.utils.contains('DISTRO_FEATURES', 'luks', '1', '0', d)}" != x"1" ] && {
+        ! grep -q "ima_policy=tcb" "$menu" &&
+            sed -i 's/^\s*linux\s\+.*bzImage.*/& ima_policy=tcb/g' "$menu"
+    }
+    # Replace the root parameter in boot command line with BOOT_CMD_ROOT,
+    # which can be configured. It is helpful when secure boot is enabled.
+    [ -n "${BOOT_CMD_ROOT}" ] && {
+        sed -i "s,root=/dev/hda2,root=${BOOT_CMD_ROOT},g" "$menu"
+    }
+    # Install the stacked grub configs.
+    install -d "${D}${EFI_BOOT_PATH}"
+    install -m 0600 "${WORKDIR}/grub-efi.cfg" "${D}${EFI_BOOT_PATH}/grub.cfg"
+    install -m 0600 "$menu" "${D}${EFI_BOOT_PATH}"
+    [ x"${UEFI_SB}" = x"1" ] && {
+        install -m 0600 "${WORKDIR}/efi-secure-boot.inc" "${D}${EFI_BOOT_PATH}"
+        install -m 0600 "${WORKDIR}/password.inc" "${D}${EFI_BOOT_PATH}"
+    }
+    # Create the initial environment block with empty item.
+    grub-editenv "${D}${EFI_BOOT_PATH}/grubenv" create
+    install -d "${D}${EFI_BOOT_PATH}/${GRUB_TARGET}-efi"
+    grub-mkimage -p /EFI/BOOT -d "./grub-core" \
+        -O "${GRUB_TARGET}-efi" -o "${B}/${GRUB_IMAGE}" \
+        ${GRUB_BUILDIN}
+    install -m 0644 "${B}/${GRUB_IMAGE}" "${D}${EFI_BOOT_PATH}/${GRUB_IMAGE}"
+    # Install the modules to grub-efi's search path
+    make -C grub-core install DESTDIR="${D}${EFI_BOOT_PATH}" pkglibdir=""
+    # Remove .module
+    rm -f ${D}${EFI_BOOT_PATH}/${GRUB_TARGET}-efi/*.module
+}
+fakeroot python do_sign_class-target() {
+    image_dir = d.getVar('D', True)
+    efi_boot_path = d.getVar('EFI_BOOT_PATH', True)
+    grub_image = d.getVar('GRUB_IMAGE', True)
+    dir = image_dir + efi_boot_path + '/'
+    sb_sign(dir + grub_image, dir + grub_image, d)
+    uks_sel_sign(dir + 'grub.cfg', d)
+    uks_sel_sign(dir + 'boot-menu.inc', d)
+    if d.getVar('UEFI_SB', True) == "1":
+        uks_sel_sign(dir + 'efi-secure-boot.inc', d)
+        uks_sel_sign(dir + 'password.inc', d)
+}
+python do_sign() {
+}
+addtask sign after do_install before do_deploy do_package
+do_sign[prefuncs] += "check_deploy_keys"
+# Override the do_deploy() in oe-core.
+do_deploy_class-target() {
+    install -m 0644 "${D}${EFI_BOOT_PATH}/${GRUB_IMAGE}" "${DEPLOYDIR}"
+    install -d "${DEPLOYDIR}/efi-unsigned"
+    install -m 0644 "${B}/${GRUB_IMAGE}" "${DEPLOYDIR}/efi-unsigned"
+    cp -af "${D}${EFI_BOOT_PATH}/${GRUB_TARGET}-efi" "${DEPLOYDIR}/efi-unsigned"
+}
+FILES_${PN} += "/boot/efi"
+CONFFILES_${PN} += "\
+    ${EFI_BOOT_PATH}/grub.cfg \
+    ${EFI_BOOT_PATH}/grubenv \
+    ${EFI_BOOT_PATH}/boot-menu.inc \
+    ${EFI_BOOT_PATH}/efi-secure-boot.inc \
+"
diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.%.bbappend b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.%.bbappend
index da3fda9..e14f815 100644
--- a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.%.bbappend
+++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.%.bbappend
@@ -1,148 +1 @@
-DEPENDS += "openssl-native"
+require ${@bb.utils.contains('DISTRO_FEATURES', 'efi-secure-boot', 'grub-efi-efi-secure-boot.inc', '', d)}
-FILESEXTRAPATHS_prepend := "${THISDIR}/grub-efi:"
-EXTRA_SRC_URI = "\
-    ${@'file://efi-secure-boot.inc file://password.inc' if d.getVar('UEFI_SB', True) == '1' else ''} \
-"
-SRC_URI += "\
-    file://0001-pe32.h-add-header-structures-for-TE-and-DOS-executab.patch \
-    file://0002-shim-add-needed-data-structures.patch \
-    file://0003-efi-chainloader-implement-an-UEFI-Exit-service-for-s.patch \
-    file://0004-efi-chainloader-port-shim-to-grub.patch \
-    file://0005-efi-chainloader-use-shim-to-load-and-verify-an-image.patch \
-    file://0006-efi-chainloader-boot-the-image-using-shim.patch \
-    file://0007-efi-chainloader-take-care-of-unload-undershim.patch \
-    file://chainloader-handle-the-unauthenticated-image-by-shim.patch \
-    file://chainloader-Don-t-check-empty-section-in-file-like-..patch \
-    file://chainloader-Actually-find-the-relocations-correctly-.patch \
-    file://efi-chainloader-implemented-for-32-bit.patch \
-    file://Grub-get-and-set-efi-variables.patch \
-    file://mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch \
-    file://grub-efi.cfg \
-    file://boot-menu.inc \
-    ${EXTRA_SRC_URI} \
-"
-# functions efi_call_foo and efi_shim_exit are not implemented for arm64 yet
-COMPATIBLE_HOST_aarch64 = 'null'
-EFI_BOOT_PATH = "/boot/efi/EFI/BOOT"
-GRUB_BUILDIN_append += " chain ${@'efivar mok2verify password_pbkdf2' \
-                                  if d.getVar('UEFI_SB', True) == '1' else ''}"
-# For efi_call_foo and efi_shim_exit
-CFLAGS_append = " -fno-toplevel-reorder"
-# Set a default root specifier.
-inherit user-key-store
-python __anonymous () {
-    if d.getVar('UEFI_SB', True) != "1":
-        return
-    # Override the default filename if efi-secure-boot enabled.
-    # grub-efi must be renamed as grub${arch}.efi for working with shim
-    # or SELoader.
-    import re
-    target = d.getVar('TARGET_ARCH', True)
-    if target == "x86_64":
-        grubimage = "grubx64.efi"
-    elif re.match('i.86', target):
-        grubimage = "grubia32.efi"
-    else:
-        raise bb.parse.SkipPackage("grub-efi is incompatible with target %s" % target)
-    d.setVar("GRUB_IMAGE", grubimage)
-}
-do_compile_append_class-native() {
-    make grub-editenv
-}
-do_install_append_class-native() {
-    install -m 0755 grub-editenv "${D}${bindir}"
-}
-do_install_append_class-target() {
-    local menu="${WORKDIR}/boot-menu.inc"
-    # Enable the default IMA rules if IMA is enabled and luks is disabled.
-    # This is because unseal operation will fail when any PCR is extended
-    # due to updating the aggregate integrity value by the default IMA rules.
-    [ x"${IMA}" = x"1" -a x"${@bb.utils.contains('DISTRO_FEATURES', 'luks', '1', '0', d)}" != x"1" ] && {
-        ! grep -q "ima_policy=tcb" "$menu" &&
-            sed -i 's/^\s*linux\s\+.*bzImage.*/& ima_policy=tcb/g' "$menu"
-    }
-    # Replace the root parameter in boot command line with BOOT_CMD_ROOT,
-    # which can be configured. It is helpful when secure boot is enabled.
-    [ -n "${BOOT_CMD_ROOT}" ] && {
-        sed -i "s,root=/dev/hda2,root=${BOOT_CMD_ROOT},g" "$menu"
-    }
-    # Install the stacked grub configs.
-    install -d "${D}${EFI_BOOT_PATH}"
-    install -m 0600 "${WORKDIR}/grub-efi.cfg" "${D}${EFI_BOOT_PATH}/grub.cfg"
-    install -m 0600 "$menu" "${D}${EFI_BOOT_PATH}"
-    [ x"${UEFI_SB}" = x"1" ] && {
-        install -m 0600 "${WORKDIR}/efi-secure-boot.inc" "${D}${EFI_BOOT_PATH}"
-        install -m 0600 "${WORKDIR}/password.inc" "${D}${EFI_BOOT_PATH}"
-    }
-    # Create the initial environment block with empty item.
-    grub-editenv "${D}${EFI_BOOT_PATH}/grubenv" create
-    install -d "${D}${EFI_BOOT_PATH}/${GRUB_TARGET}-efi"
-    grub-mkimage -p /EFI/BOOT -d "./grub-core" \
-        -O "${GRUB_TARGET}-efi" -o "${B}/${GRUB_IMAGE}" \
-        ${GRUB_BUILDIN}
-    install -m 0644 "${B}/${GRUB_IMAGE}" "${D}${EFI_BOOT_PATH}/${GRUB_IMAGE}"
-    # Install the modules to grub-efi's search path
-    make -C grub-core install DESTDIR="${D}${EFI_BOOT_PATH}" pkglibdir=""
-    # Remove .module
-    rm -f ${D}${EFI_BOOT_PATH}/${GRUB_TARGET}-efi/*.module
-}
-fakeroot python do_sign_class-target() {
-    image_dir = d.getVar('D', True)
-    efi_boot_path = d.getVar('EFI_BOOT_PATH', True)
-    grub_image = d.getVar('GRUB_IMAGE', True)
-    dir = image_dir + efi_boot_path + '/'
-    sb_sign(dir + grub_image, dir + grub_image, d)
-    uks_sel_sign(dir + 'grub.cfg', d)
-    uks_sel_sign(dir + 'boot-menu.inc', d)
-    if d.getVar('UEFI_SB', True) == "1":
-        uks_sel_sign(dir + 'efi-secure-boot.inc', d)
-        uks_sel_sign(dir + 'password.inc', d)
-}
-python do_sign() {
-}
-addtask sign after do_install before do_deploy do_package
-do_sign[prefuncs] += "check_deploy_keys"
-# Override the do_deploy() in oe-core.
-do_deploy_class-target() {
-    install -m 0644 "${D}${EFI_BOOT_PATH}/${GRUB_IMAGE}" "${DEPLOYDIR}"
-    install -d "${DEPLOYDIR}/efi-unsigned"
-    install -m 0644 "${B}/${GRUB_IMAGE}" "${DEPLOYDIR}/efi-unsigned"
-    cp -af "${D}${EFI_BOOT_PATH}/${GRUB_TARGET}-efi" "${DEPLOYDIR}/efi-unsigned"
-}
-FILES_${PN} += "/boot/efi"
-CONFFILES_${PN} += "\
-    ${EFI_BOOT_PATH}/grub.cfg \
-    ${EFI_BOOT_PATH}/grubenv \
-    ${EFI_BOOT_PATH}/boot-menu.inc \
-    ${EFI_BOOT_PATH}/efi-secure-boot.inc \
-"
diff --git a/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-rt_%.bbappend b/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-rt_%.bbappend
index 956a35c..83ea2eb 100644
--- a/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-rt_%.bbappend
+++ b/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-rt_%.bbappend
@@ -1 +1 @@
-require linux-yocto-efi-secure-boot.inc
+require ${@bb.utils.contains('DISTRO_FEATURES', 'efi-secure-boot', 'linux-yocto-efi-secure-boot.inc', '', d)}
diff --git a/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto_%.bbappend b/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto_%.bbappend
index 956a35c..83ea2eb 100644
--- a/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto_%.bbappend
+++ b/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto_%.bbappend
@@ -1 +1 @@
-require linux-yocto-efi-secure-boot.inc
+require ${@bb.utils.contains('DISTRO_FEATURES', 'efi-secure-boot', 'linux-yocto-efi-secure-boot.inc', '', d)}
author	Mark Hatle <mark.hatle@windriver.com>	2017-09-04 21:23:42 -0500
committer	Jia Zhang <zhang.jia@linux.alibaba.com>	2019-08-13 20:53:14 +0800
commit	ed0de6b2955a849fcc87fcb7b09607e3948faa85 (patch)
tree	8bc1ac5ae2a22a26b62bc25b547ff6bb94bbf340
parent	70e22755a6a80d80c0e5327b35206372c5bb3380 (diff)
download	meta-secure-core-ed0de6b2955a849fcc87fcb7b09607e3948faa85.tar.gz

diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc new file mode 100644 index 0000000..da3fda9 --- /dev/null +++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc
@@ -0,0 +1,148 @@
		1	DEPENDS += "openssl-native"
		2	FILESEXTRAPATHS_prepend := "${THISDIR}/grub-efi:"
		3
		4	EXTRA_SRC_URI = "\
		5	${@'file://efi-secure-boot.inc file://password.inc' if d.getVar('UEFI_SB', True) == '1' else ''} \
		6	"
		7
		8	SRC_URI += "\
		9	file://0001-pe32.h-add-header-structures-for-TE-and-DOS-executab.patch \
		10	file://0002-shim-add-needed-data-structures.patch \
		11	file://0003-efi-chainloader-implement-an-UEFI-Exit-service-for-s.patch \
		12	file://0004-efi-chainloader-port-shim-to-grub.patch \
		13	file://0005-efi-chainloader-use-shim-to-load-and-verify-an-image.patch \
		14	file://0006-efi-chainloader-boot-the-image-using-shim.patch \
		15	file://0007-efi-chainloader-take-care-of-unload-undershim.patch \
		16	file://chainloader-handle-the-unauthenticated-image-by-shim.patch \
		17	file://chainloader-Don-t-check-empty-section-in-file-like-..patch \
		18	file://chainloader-Actually-find-the-relocations-correctly-.patch \
		19	file://efi-chainloader-implemented-for-32-bit.patch \
		20	file://Grub-get-and-set-efi-variables.patch \
		21	file://mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch \
		22	file://grub-efi.cfg \
		23	file://boot-menu.inc \
		24	${EXTRA_SRC_URI} \
		25	"
		26
		27	# functions efi_call_foo and efi_shim_exit are not implemented for arm64 yet
		28	COMPATIBLE_HOST_aarch64 = 'null'
		29
		30	EFI_BOOT_PATH = "/boot/efi/EFI/BOOT"
		31
		32	GRUB_BUILDIN_append += " chain ${@'efivar mok2verify password_pbkdf2' \
		33	if d.getVar('UEFI_SB', True) == '1' else ''}"
		34
		35	# For efi_call_foo and efi_shim_exit
		36	CFLAGS_append = " -fno-toplevel-reorder"
		37
		38	# Set a default root specifier.
		39	inherit user-key-store
		40
		41	python __anonymous () {
		42	if d.getVar('UEFI_SB', True) != "1":
		43	return
		44
		45	# Override the default filename if efi-secure-boot enabled.
		46	# grub-efi must be renamed as grub${arch}.efi for working with shim
		47	# or SELoader.
		48	import re
		49
		50	target = d.getVar('TARGET_ARCH', True)
		51	if target == "x86_64":
		52	grubimage = "grubx64.efi"
		53	elif re.match('i.86', target):
		54	grubimage = "grubia32.efi"
		55	else:
		56	raise bb.parse.SkipPackage("grub-efi is incompatible with target %s" % target)
		57
		58	d.setVar("GRUB_IMAGE", grubimage)
		59	}
		60
		61	do_compile_append_class-native() {
		62	make grub-editenv
		63	}
		64
		65	do_install_append_class-native() {
		66	install -m 0755 grub-editenv "${D}${bindir}"
		67	}
		68
		69	do_install_append_class-target() {
		70	local menu="${WORKDIR}/boot-menu.inc"
		71
		72	# Enable the default IMA rules if IMA is enabled and luks is disabled.
		73	# This is because unseal operation will fail when any PCR is extended
		74	# due to updating the aggregate integrity value by the default IMA rules.
		75	[ x"${IMA}" = x"1" -a x"${@bb.utils.contains('DISTRO_FEATURES', 'luks', '1', '0', d)}" != x"1" ] && {
		76	! grep -q "ima_policy=tcb" "$menu" &&
		77	sed -i 's/^\slinux\s\+.bzImage.*/& ima_policy=tcb/g' "$menu"
		78	}
		79
		80	# Replace the root parameter in boot command line with BOOT_CMD_ROOT,
		81	# which can be configured. It is helpful when secure boot is enabled.
		82	[ -n "${BOOT_CMD_ROOT}" ] && {
		83	sed -i "s,root=/dev/hda2,root=${BOOT_CMD_ROOT},g" "$menu"
		84	}
		85
		86	# Install the stacked grub configs.
		87	install -d "${D}${EFI_BOOT_PATH}"
		88	install -m 0600 "${WORKDIR}/grub-efi.cfg" "${D}${EFI_BOOT_PATH}/grub.cfg"
		89	install -m 0600 "$menu" "${D}${EFI_BOOT_PATH}"
		90	[ x"${UEFI_SB}" = x"1" ] && {
		91	install -m 0600 "${WORKDIR}/efi-secure-boot.inc" "${D}${EFI_BOOT_PATH}"
		92	install -m 0600 "${WORKDIR}/password.inc" "${D}${EFI_BOOT_PATH}"
		93	}
		94
		95	# Create the initial environment block with empty item.
		96	grub-editenv "${D}${EFI_BOOT_PATH}/grubenv" create
		97
		98	install -d "${D}${EFI_BOOT_PATH}/${GRUB_TARGET}-efi"
		99	grub-mkimage -p /EFI/BOOT -d "./grub-core" \
		100	-O "${GRUB_TARGET}-efi" -o "${B}/${GRUB_IMAGE}" \
		101	${GRUB_BUILDIN}
		102
		103	install -m 0644 "${B}/${GRUB_IMAGE}" "${D}${EFI_BOOT_PATH}/${GRUB_IMAGE}"
		104
		105	# Install the modules to grub-efi's search path
		106	make -C grub-core install DESTDIR="${D}${EFI_BOOT_PATH}" pkglibdir=""
		107
		108	# Remove .module
		109	rm -f ${D}${EFI_BOOT_PATH}/${GRUB_TARGET}-efi/*.module
		110	}
		111
		112	fakeroot python do_sign_class-target() {
		113	image_dir = d.getVar('D', True)
		114	efi_boot_path = d.getVar('EFI_BOOT_PATH', True)
		115	grub_image = d.getVar('GRUB_IMAGE', True)
		116	dir = image_dir + efi_boot_path + '/'
		117
		118	sb_sign(dir + grub_image, dir + grub_image, d)
		119	uks_sel_sign(dir + 'grub.cfg', d)
		120	uks_sel_sign(dir + 'boot-menu.inc', d)
		121
		122	if d.getVar('UEFI_SB', True) == "1":
		123	uks_sel_sign(dir + 'efi-secure-boot.inc', d)
		124	uks_sel_sign(dir + 'password.inc', d)
		125	}
		126
		127	python do_sign() {
		128	}
		129	addtask sign after do_install before do_deploy do_package
		130	do_sign[prefuncs] += "check_deploy_keys"
		131
		132	# Override the do_deploy() in oe-core.
		133	do_deploy_class-target() {
		134	install -m 0644 "${D}${EFI_BOOT_PATH}/${GRUB_IMAGE}" "${DEPLOYDIR}"
		135
		136	install -d "${DEPLOYDIR}/efi-unsigned"
		137	install -m 0644 "${B}/${GRUB_IMAGE}" "${DEPLOYDIR}/efi-unsigned"
		138	cp -af "${D}${EFI_BOOT_PATH}/${GRUB_TARGET}-efi" "${DEPLOYDIR}/efi-unsigned"
		139	}
		140
		141	FILES_${PN} += "/boot/efi"
		142
		143	CONFFILES_${PN} += "\
		144	${EFI_BOOT_PATH}/grub.cfg \
		145	${EFI_BOOT_PATH}/grubenv \
		146	${EFI_BOOT_PATH}/boot-menu.inc \
		147	${EFI_BOOT_PATH}/efi-secure-boot.inc \
		148	"


diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.%.bbappend b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.%.bbappend index da3fda9..e14f815 100644 --- a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.%.bbappend +++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.%.bbappend
@@ -1,148 +1 @@
1	DEPENDS += "openssl-native"		require ${@bb.utils.contains('DISTRO_FEATURES', 'efi-secure-boot', 'grub-efi-efi-secure-boot.inc', '', d)}
2	FILESEXTRAPATHS_prepend := "${THISDIR}/grub-efi:"
3
4	EXTRA_SRC_URI = "\
5	${@'file://efi-secure-boot.inc file://password.inc' if d.getVar('UEFI_SB', True) == '1' else ''} \
6	"
7
8	SRC_URI += "\
9	file://0001-pe32.h-add-header-structures-for-TE-and-DOS-executab.patch \
10	file://0002-shim-add-needed-data-structures.patch \
11	file://0003-efi-chainloader-implement-an-UEFI-Exit-service-for-s.patch \
12	file://0004-efi-chainloader-port-shim-to-grub.patch \
13	file://0005-efi-chainloader-use-shim-to-load-and-verify-an-image.patch \
14	file://0006-efi-chainloader-boot-the-image-using-shim.patch \
15	file://0007-efi-chainloader-take-care-of-unload-undershim.patch \
16	file://chainloader-handle-the-unauthenticated-image-by-shim.patch \
17	file://chainloader-Don-t-check-empty-section-in-file-like-..patch \
18	file://chainloader-Actually-find-the-relocations-correctly-.patch \
19	file://efi-chainloader-implemented-for-32-bit.patch \
20	file://Grub-get-and-set-efi-variables.patch \
21	file://mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch \
22	file://grub-efi.cfg \
23	file://boot-menu.inc \
24	${EXTRA_SRC_URI} \
25	"
26
27	# functions efi_call_foo and efi_shim_exit are not implemented for arm64 yet
28	COMPATIBLE_HOST_aarch64 = 'null'
29
30	EFI_BOOT_PATH = "/boot/efi/EFI/BOOT"
31
32	GRUB_BUILDIN_append += " chain ${@'efivar mok2verify password_pbkdf2' \
33	if d.getVar('UEFI_SB', True) == '1' else ''}"
34
35	# For efi_call_foo and efi_shim_exit
36	CFLAGS_append = " -fno-toplevel-reorder"
37
38	# Set a default root specifier.
39	inherit user-key-store
40
41	python __anonymous () {
42	if d.getVar('UEFI_SB', True) != "1":
43	return
44
45	# Override the default filename if efi-secure-boot enabled.
46	# grub-efi must be renamed as grub${arch}.efi for working with shim
47	# or SELoader.
48	import re
49
50	target = d.getVar('TARGET_ARCH', True)
51	if target == "x86_64":
52	grubimage = "grubx64.efi"
53	elif re.match('i.86', target):
54	grubimage = "grubia32.efi"
55	else:
56	raise bb.parse.SkipPackage("grub-efi is incompatible with target %s" % target)
57
58	d.setVar("GRUB_IMAGE", grubimage)
59	}
60
61	do_compile_append_class-native() {
62	make grub-editenv
63	}
64
65	do_install_append_class-native() {
66	install -m 0755 grub-editenv "${D}${bindir}"
67	}
68
69	do_install_append_class-target() {
70	local menu="${WORKDIR}/boot-menu.inc"
71
72	# Enable the default IMA rules if IMA is enabled and luks is disabled.
73	# This is because unseal operation will fail when any PCR is extended
74	# due to updating the aggregate integrity value by the default IMA rules.
75	[ x"${IMA}" = x"1" -a x"${@bb.utils.contains('DISTRO_FEATURES', 'luks', '1', '0', d)}" != x"1" ] && {
76	! grep -q "ima_policy=tcb" "$menu" &&
77	sed -i 's/^\slinux\s\+.bzImage.*/& ima_policy=tcb/g' "$menu"
78	}
79
80	# Replace the root parameter in boot command line with BOOT_CMD_ROOT,
81	# which can be configured. It is helpful when secure boot is enabled.
82	[ -n "${BOOT_CMD_ROOT}" ] && {
83	sed -i "s,root=/dev/hda2,root=${BOOT_CMD_ROOT},g" "$menu"
84	}
85
86	# Install the stacked grub configs.
87	install -d "${D}${EFI_BOOT_PATH}"
88	install -m 0600 "${WORKDIR}/grub-efi.cfg" "${D}${EFI_BOOT_PATH}/grub.cfg"
89	install -m 0600 "$menu" "${D}${EFI_BOOT_PATH}"
90	[ x"${UEFI_SB}" = x"1" ] && {
91	install -m 0600 "${WORKDIR}/efi-secure-boot.inc" "${D}${EFI_BOOT_PATH}"
92	install -m 0600 "${WORKDIR}/password.inc" "${D}${EFI_BOOT_PATH}"
93	}
94
95	# Create the initial environment block with empty item.
96	grub-editenv "${D}${EFI_BOOT_PATH}/grubenv" create
97
98	install -d "${D}${EFI_BOOT_PATH}/${GRUB_TARGET}-efi"
99	grub-mkimage -p /EFI/BOOT -d "./grub-core" \
100	-O "${GRUB_TARGET}-efi" -o "${B}/${GRUB_IMAGE}" \
101	${GRUB_BUILDIN}
102
103	install -m 0644 "${B}/${GRUB_IMAGE}" "${D}${EFI_BOOT_PATH}/${GRUB_IMAGE}"
104
105	# Install the modules to grub-efi's search path
106	make -C grub-core install DESTDIR="${D}${EFI_BOOT_PATH}" pkglibdir=""
107
108	# Remove .module
109	rm -f ${D}${EFI_BOOT_PATH}/${GRUB_TARGET}-efi/*.module
110	}
111
112	fakeroot python do_sign_class-target() {
113	image_dir = d.getVar('D', True)
114	efi_boot_path = d.getVar('EFI_BOOT_PATH', True)
115	grub_image = d.getVar('GRUB_IMAGE', True)
116	dir = image_dir + efi_boot_path + '/'
117
118	sb_sign(dir + grub_image, dir + grub_image, d)
119	uks_sel_sign(dir + 'grub.cfg', d)
120	uks_sel_sign(dir + 'boot-menu.inc', d)
121
122	if d.getVar('UEFI_SB', True) == "1":
123	uks_sel_sign(dir + 'efi-secure-boot.inc', d)
124	uks_sel_sign(dir + 'password.inc', d)
125	}
126
127	python do_sign() {
128	}
129	addtask sign after do_install before do_deploy do_package
130	do_sign[prefuncs] += "check_deploy_keys"
131
132	# Override the do_deploy() in oe-core.
133	do_deploy_class-target() {
134	install -m 0644 "${D}${EFI_BOOT_PATH}/${GRUB_IMAGE}" "${DEPLOYDIR}"
135
136	install -d "${DEPLOYDIR}/efi-unsigned"
137	install -m 0644 "${B}/${GRUB_IMAGE}" "${DEPLOYDIR}/efi-unsigned"
138	cp -af "${D}${EFI_BOOT_PATH}/${GRUB_TARGET}-efi" "${DEPLOYDIR}/efi-unsigned"
139	}
140
141	FILES_${PN} += "/boot/efi"
142
143	CONFFILES_${PN} += "\
144	${EFI_BOOT_PATH}/grub.cfg \
145	${EFI_BOOT_PATH}/grubenv \
146	${EFI_BOOT_PATH}/boot-menu.inc \
147	${EFI_BOOT_PATH}/efi-secure-boot.inc \
148	"


diff --git a/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-rt_%.bbappend b/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-rt_%.bbappend index 956a35c..83ea2eb 100644 --- a/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-rt_%.bbappend +++ b/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-rt_%.bbappend
@@ -1 +1 @@
	require linux-yocto-efi-secure-boot.inc		require ${@bb.utils.contains('DISTRO_FEATURES', 'efi-secure-boot', 'linux-yocto-efi-secure-boot.inc', '', d)}


diff --git a/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto_%.bbappend b/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto_%.bbappend index 956a35c..83ea2eb 100644 --- a/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto_%.bbappend +++ b/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto_%.bbappend
@@ -1 +1 @@
	require linux-yocto-efi-secure-boot.inc		require ${@bb.utils.contains('DISTRO_FEATURES', 'efi-secure-boot', 'linux-yocto-efi-secure-boot.inc', '', d)}