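SUMMARY = "shim is a trivial EFI application."
DESCRIPTION = "shim is a trivial EFI application that, when run, \
attempts to open and execute another application. It will initially \
attempt to do this via the standard EFI LoadImage() and StartImage() \
calls. If these fail (because secure boot is enabled and the binary \
is not signed with an appropriate key, for instance) it will then \
validate the binary against a built-in certificate. If this succeeds \
and if the binary or signing key are not blacklisted then shim will \
relocate and execute the binary."
HOMEPAGE = "https://github.com/rhboot/shim.git"
SECTION = "bootloaders"

LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=b92e63892681ee4e8d27e7a7e87ef2bc"

# openssl-native and util-linux-native provide the OPENSSL and HEXDUMP
# tools handed to shim's Makefile in EXTRA_OEMAKE below.
DEPENDS += "\
    gnu-efi openssl util-linux-native openssl-native \
"

# shim 12 plus whatever the pinned SRCREV adds.  NOTE(review): this is an
# old shim baseline; later upstream releases added revocation machinery
# (SBAT) and fixed several advisories -- confirm the pin is deliberate
# before shipping this as the first-stage loader.
PV = "12+git${SRCPV}"

# Patches marked apply=0 are fetched but NOT applied.  In particular the
# SHA-1 Authenticode patch stays disabled: judging by its name it would let
# shim accept images carrying only a SHA-1 digest -- keep it off.
# NOTE(review): GitHub no longer serves the unauthenticated git:// protocol;
# the fetch presumably only works via a mirror today.  Adding
# ';protocol=https' is the usual fix (the full-SHA SRCREV below still
# guarantees content integrity either way).
SRC_URI = "\
    git://github.com/rhboot/shim.git;branch=main \
    file://0001-shim-allow-to-verify-sha1-digest-for-Authenticode.patch;apply=0 \
    file://0005-Fix-signing-failure-due-to-not-finding-certificate.patch;apply=0 \
    file://0006-Prevent-from-removing-intermediate-.efi.patch \
    file://0008-Fix-the-world-build-failure-due-to-the-missing-rule-.patch \
    file://0011-Update-verification_method-if-the-loaded-image-is-si.patch;apply=0 \
    file://0012-netboot-replace-the-depreciated-EFI_PXE_BASE_CODE.patch \
    file://0001-MokManager-Use-CompareMem-on-MokListNode.Type-instea.patch \
    file://0001-console.c-Fix-compilation-against-latest-usr-include.patch \
"
# With the 'msft' DISTRO_FEATURE and the sample signing model, a pre-signed
# shim<ARCH>.efi.signed (plus its LICENSE) is pulled from the recipe's
# files/ directory; do_sign prefers it over the locally built image.
# Fix: the original used d.expand('EFI_ARCH'), which contains no ${...}
# reference and therefore yields the literal text "EFI_ARCH"
# (file://shimEFI_ARCH.efi.signed) -- a name that can never match the
# ${WORKDIR}/shim${EFI_ARCH}.efi.signed path do_sign looks for.
SRC_URI_append_x86-64 = "\
    ${@bb.utils.contains('DISTRO_FEATURES', 'msft', \
                         'file://shim' + d.getVar('EFI_ARCH', True) + '.efi.signed file://LICENSE' \
                         if uks_signing_model(d) == 'sample' else '', '', d)} \
"
# Supply-chain pin: branch=main alone would float.
SRCREV = "5202f80c32bdcab0469785e953bf9fa8dd4eaaa1"

S = "${WORKDIR}/git"

# user-key-store supplies uks_signing_model(), uefi_sb_sign(), sb_sign(),
# edss_sign_efi_image(), mok_sb_keys_dir(), pem2der(), create_mok_vendor_dbx()
# and check_deploy_keys used by the tasks below.
inherit deploy user-key-store

# Bake the second-stage loader path into shim when SELoader is enabled.  The
# run of backslashes has to survive BitBake, make and the C compiler; the
# intended result is presumably the EFI path `\\SELoader<ARCH>.efi` --
# TODO(review): confirm against the strings of the built binary.
SHIM_DEFAULT_LOADER = "${@'DEFAULT_LOADER=\\\\\\\\\\\\SELoader${EFI_ARCH}.efi' if d.getVar('UEFI_SELOADER', True) == '1' else ''}"

# Knobs passed to shim's Makefile.
#  - VENDOR_CERT_FILE (MOK_SB only): the certificate built into shim that
#    the next-stage loader is validated against when firmware LoadImage()
#    rejects it (see DESCRIPTION).  Staged by do_prepare_signing_keys.
#  - VENDOR_DBX_FILE ('user' signing model only): built-in revocation list.
#  - ENABLE_HTTPBOOT=1 compiles the HTTP boot path into the first-stage
#    loader, i.e. network-facing code; drop it if the product never HTTP
#    boots.
#  - ENABLE_SBSIGN=1 together with SBSIGN= appears to select sbsign for
#    signing instead of the NSS-based tools (PK12UTIL/CERTUTIL) -- confirm
#    in shim's Makefile.
EXTRA_OEMAKE = "\
    CROSS_COMPILE="${TARGET_PREFIX}" \
    prefix="${STAGING_DIR_HOST}/${prefix}" \
    LIB_GCC="`${CC} -print-libgcc-file-name`" \
    LIB_PATH="${STAGING_LIBDIR}" \
    EFI_PATH="${STAGING_LIBDIR}" \
    EFI_INCLUDE="${STAGING_INCDIR}/efi" \
    RELEASE="_${DISTRO}_${DISTRO_VERSION}" \
    OPENSSL=${STAGING_BINDIR_NATIVE}/openssl \
    HEXDUMP=${STAGING_BINDIR_NATIVE}/hexdump \
    ${SHIM_DEFAULT_LOADER} \
    PK12UTIL=${STAGING_BINDIR_NATIVE}/pk12util \
    CERTUTIL=${STAGING_BINDIR_NATIVE}/certutil \
    SBSIGN=${STAGING_BINDIR_NATIVE}/sbsign \
    AR=${AR} \
    ${@'VENDOR_CERT_FILE=${WORKDIR}/vendor_cert.cer' \
       if d.getVar('MOK_SB', True) == '1' else ''} \
    ${@'VENDOR_DBX_FILE=${WORKDIR}/vendor_dbx.esl' \
       if uks_signing_model(d) == 'user' else ''} \
    ENABLE_HTTPBOOT=1 \
    ENABLE_SBSIGN=1 \
"

# Security-relevant.  Going by the option's name and its upstream use,
# OVERRIDE_SECURITY_POLICY makes shim hook the firmware's image security
# policy so that images the firmware loads after shim (e.g. via LoadImage()
# from the second-stage loader) are validated with shim's vendor/MOK
# certificates rather than db/dbx alone.  That is what lets a MOK-enrolled
# key boot images unknown to db, but it also extends MOK trust to every
# later LoadImage() in the boot chain.  NOTE(review): I believe upstream
# later dropped this build option -- re-check if SRCREV is bumped.
EXTRA_OEMAKE_append_x86-64 = " OVERRIDE_SECURITY_POLICY=1"

# Serial build; shim's Makefile is not parallel-safe (presumably why).
PARALLEL_MAKE = ""
COMPATIBLE_HOST = '(i.86|x86_64).*-linux'

# Removable-media fallback path on the ESP (boot<ARCH>.efi is what firmware
# looks for there).
EFI_TARGET = "/boot/efi/EFI/BOOT"

# "1" when the image is meant to carry a Microsoft-signed shim.
MSFT = "${@bb.utils.contains('DISTRO_FEATURES', 'msft', '1', '0', d)}"

# Per-architecture EFI file-name suffix, selected via BitBake overrides.
EFI_ARCH_x86 = "ia32"
EFI_ARCH_x86-64 = "x64"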

# Prepare the signing certificate and keys
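python do_prepare_signing_keys() {
    # Stage the certificates shim is built against:
    #   ${S}/shim.pem              -- the "shim" certificate, where shim's
    #                                 Makefile is expected to pick it up
    #                                 (TODO confirm)
    #   ${WORKDIR}/vendor_cert.cer -- DER form handed to make as
    #                                 VENDOR_CERT_FILE: the certificate
    #                                 built into shim that the next-stage
    #                                 loader is validated against
    # plus the vendor dbx produced by create_mok_vendor_dbx() (only consumed,
    # as VENDOR_DBX_FILE, for the 'user' signing model).
    #
    # Only the MOK_SB configuration embeds a vendor certificate; with plain
    # UEFI_SB there is nothing to stage.
    if d.getVar('MOK_SB', True) != '1':
        return

    # The returned path is not needed here; the file is addressed through
    # VENDOR_DBX_FILE in EXTRA_OEMAKE.
    create_mok_vendor_dbx(d)

    import shutil

    # os.path.join works whether or not mok_sb_keys_dir() returns a trailing
    # slash (the previous string concatenation silently required one).
    keys_dir = mok_sb_keys_dir(d)
    src_dir = d.getVar('S', True)
    workdir = d.getVar('WORKDIR', True)

    shutil.copyfile(os.path.join(keys_dir, 'shim_cert.crt'),
                    os.path.join(src_dir, 'shim.pem'))
    pem2der(os.path.join(keys_dir, 'vendor_cert.crt'),
            os.path.join(workdir, 'vendor_cert.cer'), d)

    # For MSFT submission with the sample keys, the EV certificate replaces
    # the shim certificate (to speed up MSFT signing, per the original
    # author).  NOTE(review): anything later verified against shim.pem
    # (mm via sb_sign in do_sign) must then be signed with the EV key --
    # confirm user-key-store does that in this configuration.  EV_CERT is
    # not defined in this recipe; presumably it comes from the class.
    if d.expand('${MSFT}') == "1" and uks_signing_model(d) == "sample":
        shutil.copyfile(d.expand('${EV_CERT}'), d.expand('${S}/shim.pem'))
}
addtask prepare_signing_keys after do_configure before do_compile
# check_deploy_keys (from user-key-store, presumably) validates the key
# material before this task runs.
do_prepare_signing_keys[prefuncs] += "check_deploy_keys"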

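python do_sign() {
    # Sign shim and MokManager for Secure Boot.
    #
    # Precedence for the shim image:
    #   1. MSFT=1 and a pre-signed shim<ARCH>.efi.signed was fetched via
    #      SRC_URI: it is copied as-is.  Nothing here verifies that this
    #      blob was built from the sources in ${S} or that its signature is
    #      valid -- whoever places the file in the recipe's files/ directory
    #      is trusted completely.
    #   2. otherwise the freshly built image is signed with the key chosen
    #      by the user-key-store signing model.
    built = d.expand('${S}/shim${EFI_ARCH}.efi')
    pre_signed = d.expand('${WORKDIR}/shim${EFI_ARCH}.efi.signed')
    dst = d.expand('${B}/shim${EFI_ARCH}.efi.signed')
    model = uks_signing_model(d)

    if d.expand('${MSFT}') == "1" and os.path.exists(pre_signed):
        import shutil
        bb.note("do_sign: using pre-signed shim image %s" % pre_signed)
        shutil.copyfile(pre_signed, dst)
    elif model in ('sample', 'user'):
        uefi_sb_sign(built, dst, d)
    elif model == 'edss':
        edss_sign_efi_image(built, dst, d)
    else:
        # Previously a silent no-op that only surfaced later as a missing
        # ${B}/shim*.efi.signed in do_install when UEFI_SB=1.
        bb.warn("do_sign: unknown signing model '%s', %s left unsigned"
                % (model, built))

    # MokManager is always signed via sb_sign(), regardless of the branch
    # taken above.
    sb_sign(d.expand('${S}/mm${EFI_ARCH}.efi'), d.expand('${B}/mm${EFI_ARCH}.efi.signed'), d)
}
addtask sign after do_compile before do_install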

do_install() {
    # Stage shim as the removable-media fallback loader (boot<ARCH>.efi)
    # together with MokManager (mm<ARCH>.efi).  With UEFI_SB=1 the signed
    # images produced by do_sign are shipped; otherwise the raw builds.
    # EFI_TARGET is presumably the ESP (FAT), where the 0600 mode is
    # cosmetic; it still applies to the copy carried in the package.
    install -d "${D}${EFI_TARGET}"

    local suffix=""
    if [ x"${UEFI_SB}" = x"1" ]; then
        suffix=".signed"
    fi

    install -m 0600 "${B}/shim${EFI_ARCH}.efi$suffix" \
        "${D}${EFI_TARGET}/boot${EFI_ARCH}.efi"
    install -m 0600 "${B}/mm${EFI_ARCH}.efi$suffix" \
        "${D}${EFI_TARGET}/mm${EFI_ARCH}.efi"
}

# Install the unsigned images for manual signing
do_deploy() {
    # Two sets of images go to DEPLOYDIR:
    #  - efi-unsigned/: the raw builds, for out-of-band signing;
    #  - the images do_install staged (signed when UEFI_SB=1, raw
    #    otherwise), at the top level.
    # Nothing here checks that a manually signed result is what ends up in
    # the image; that is the image recipe's responsibility.
    local unsigned_dir="${DEPLOYDIR}/efi-unsigned"
    local staged="${D}${EFI_TARGET}"

    install -d "$unsigned_dir"
    install -m 0600 "${B}/shim${EFI_ARCH}.efi" \
        "$unsigned_dir/boot${EFI_ARCH}.efi"
    install -m 0600 "${B}/mm${EFI_ARCH}.efi" \
        "$unsigned_dir/mm${EFI_ARCH}.efi"

    install -m 0600 "$staged/boot${EFI_ARCH}.efi" "${DEPLOYDIR}"
    install -m 0600 "$staged/mm${EFI_ARCH}.efi" "${DEPLOYDIR}"
}
addtask deploy after do_install before do_build

# Package the loader images do_install staged under EFI_TARGET
# (boot<ARCH>.efi and mm<ARCH>.efi).
FILES_${PN} += "${EFI_TARGET}"