# Add openssl-native to the build-time dependencies.
# NOTE(review): presumably required by the signing helpers used below; confirm.
DEPENDS += "openssl-native"

# Kernel configuration fragment for EFI secure boot. It expands to
# 'cfg/efi-ext.scc' only when DISTRO_FEATURES contains 'efi-secure-boot',
# and to an empty string otherwise.
efi_secure_boot_sccs = "\
${@bb.utils.contains('DISTRO_FEATURES', 'efi-secure-boot', \
'cfg/efi-ext.scc', '', d)} \
"
# The fragment is appended under the x86 and x86-64 overrides only.
KERNEL_FEATURES:append:x86 = " ${efi_secure_boot_sccs}"
KERNEL_FEATURES:append:x86-64 = " ${efi_secure_boot_sccs}"

# NOTE(review): uks_bl_sign, check_deploy_keys and check_boot_public_key are
# used below but not defined in this file; presumably this class provides
# them - confirm.
inherit user-key-store
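fakeroot python do_sign() {
    # Sign every kernel image type and install the image, together with the
    # companion file named <image> + SB_FILE_EXT, under D/boot.
    #
    # The task is a no-op unless TARGET_ARCH is 'x86_64' or matches 'i.86'
    # and UEFI_SB is '1'.
    import re
    import shutil

    arch = d.expand('${TARGET_ARCH}')
    if arch != 'x86_64' and not re.match('i.86', arch):
        return

    if d.expand('${UEFI_SB}') != '1':
        return

    # Named 'image_type' rather than 'type' so the builtin is not shadowed.
    for image_type in d.expand('${KERNEL_IMAGETYPES}').split():
        kernel = d.expand('${B}/${KERNEL_OUTPUT_DIR}/') + image_type

        # Prepare the unsigned kernel image for manual signing.
        shutil.copy(kernel, d.expand('${B}/') + image_type + '.unsigned')

        # SELoader signature is always based on the unsigned kernel image,
        # disallowing chainloader to kernel efi-stub.
        uks_bl_sign(kernel, d)

        shutil.copyfile(kernel, d.expand('${D}/boot/') + image_type + d.expand('-${KERNEL_RELEASE}'))

        ext = d.expand('${SB_FILE_EXT}')
        # NOTE(review): kernel + ext is presumably the signature written by
        # uks_bl_sign; that helper is defined outside this file - confirm.
        signed_name = image_type + d.expand('-${KERNEL_RELEASE}' + ext)
        shutil.copyfile(kernel + ext, d.expand('${D}/boot/') + signed_name)

        # Version-less link next to the versioned signature file.
        dst = d.expand('${D}/boot/') + image_type + ext
        # lexists() is also true for a dangling symlink, which exists() would
        # miss and which would then make os.symlink() fail on a re-run.
        if os.path.lexists(dst):
            os.unlink(dst)
        os.symlink(signed_name, dst)
}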
# Make sure the kernel image has been signed before kernel_do_deploy()
# which prepares the kernel image for creating usb/iso.
addtask sign after do_install before do_package do_populate_sysroot do_deploy
# check_deploy_keys always runs ahead of do_sign; check_boot_public_key is
# added only when GRUB_SIGN_VERIFY is '1'.
# NOTE(review): both prefuncs are defined outside this file; confirm that they
# stop the build when the expected keys are absent, so that nothing is signed
# with keys other than the intended ones.
do_sign[prefuncs] += "check_deploy_keys"
do_sign[prefuncs] += "${@'check_boot_public_key' if d.getVar('GRUB_SIGN_VERIFY', True) == '1' else ''}"
fakeroot python do_sign_bundled_kernel() {
    # Sign the initramfs-bundled kernel of every image type and copy it,
    # together with the companion file named <image> + SB_FILE_EXT, to D/boot.
    #
    # Skipped unless the target is x86 (x86_64 or i.86), UEFI_SB is '1',
    # INITRAMFS_IMAGE is non-empty and INITRAMFS_IMAGE_BUNDLE is '1'.
    import re
    import shutil

    target_arch = d.expand('${TARGET_ARCH}')
    is_x86 = target_arch == 'x86_64' or re.match('i.86', target_arch)
    if not is_x86:
        return

    if d.expand('${UEFI_SB}') != '1':
        return

    has_bundle = d.expand('${INITRAMFS_IMAGE}') != '' and d.expand('${INITRAMFS_IMAGE_BUNDLE}') == '1'
    if not has_bundle:
        return

    for image_type in d.expand('${KERNEL_IMAGETYPES}').split():
        bundled = d.expand('${B}/${KERNEL_OUTPUT_DIR}/') + image_type + '.initramfs'

        # Prepare the unsigned kernel image for manual signing.
        unsigned_copy = d.expand('${B}/') + image_type + '.initramfs.unsigned'
        shutil.copy(bundled, unsigned_copy)

        # SELoader signature is always based on the unsigned kernel image,
        # disallowing chainloader to kernel efi-stub.
        uks_bl_sign(bundled, d)

        boot_prefix = d.expand('${D}/boot/') + image_type
        shutil.copyfile(bundled, boot_prefix + d.expand('-initramfs-${MACHINE}.bin'))

        sig_ext = d.expand('${SB_FILE_EXT}')
        shutil.copyfile(bundled + sig_ext, boot_prefix + d.expand('-initramfs-${MACHINE}.bin' + sig_ext))
}
# Sign the bundled kernel after do_bundle_initramfs has run and before
# do_deploy.
# NOTE(review): unlike do_sign, no key-check prefuncs are registered for this
# task in this file; confirm that the key checks are guaranteed to have run
# before it.
addtask sign_bundled_kernel after do_bundle_initramfs before do_deploy
do_deploy:append() {
    # Appended to do_deploy: publish the pre-signing copies and the files
    # carrying SB_FILE_EXT alongside the regular artifacts in DEPLOYDIR.
    install -d "${DEPLOYDIR}/efi-unsigned"
    for imageType in ${KERNEL_IMAGETYPES}; do
        # Copy of the plain kernel image taken by do_sign before signing.
        # NOTE(review): everything under efi-unsigned is unsigned by
        # construction; confirm that image-assembly steps never pick these
        # files up as boot artifacts for secure-boot targets.
        if [ -f "${B}/$imageType.unsigned" ]; then
            install -m 0644 "${B}/$imageType.unsigned" "${DEPLOYDIR}/efi-unsigned/$imageType"
        fi
        # Copy of the initramfs-bundled kernel taken by do_sign_bundled_kernel
        # before signing.
        if [ -f "${B}/$imageType.initramfs.unsigned" ]; then
            install -m 0644 "${B}/$imageType.initramfs.unsigned" "${DEPLOYDIR}/efi-unsigned/$imageType.initramfs"
        fi
        # SB_FILE_EXT companion of the bundled kernel, as placed in D/boot by
        # do_sign_bundled_kernel.
        if [ -f "${D}/boot/$imageType-initramfs-${MACHINE}.bin${SB_FILE_EXT}" ]; then
            install -m 0644 "${D}/boot/$imageType-initramfs-${MACHINE}.bin${SB_FILE_EXT}" "${DEPLOYDIR}"
        fi
        # SB_FILE_EXT companion of the plain kernel: deployed under its full
        # image name, with two shorter symlinks pointing at it.
        if [ -f "${B}/${KERNEL_OUTPUT_DIR}/$imageType${SB_FILE_EXT}" ]; then
            base_name="${imageType}-${KERNEL_IMAGE_NAME}.bin${SB_FILE_EXT}"
            install -m 0644 "${B}/${KERNEL_OUTPUT_DIR}/$imageType${SB_FILE_EXT}" "${DEPLOYDIR}/$base_name"
            ln -sf "$base_name" "${DEPLOYDIR}/$imageType-${KERNEL_IMAGE_LINK_NAME}.bin${SB_FILE_EXT}"
            ln -sf "$base_name" "${DEPLOYDIR}/$imageType${SB_FILE_EXT}"
        fi
    done
}
# Ship *.p7b or *.sig files to related packages
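python do_package:prepend() {
    # Add the SB_FILE_EXT companion files in /boot (the versioned name and
    # the version-less name) to FILES of each kernel-image-<type> package.
    #
    # This code is prepended to the body of do_package and shares its local
    # names, so the loop variable is deliberately not called 'type': that
    # would shadow the builtin for everything that runs after this prefix.
    for sb_image_type in d.expand('${KERNEL_IMAGETYPES}').split():
        sb_files_var = 'FILES:kernel-image-' + sb_image_type.lower()
        sb_boot_path = ' /boot/' + sb_image_type
        d.appendVar(sb_files_var, sb_boot_path + d.expand('-${KERNEL_VERSION_NAME}${SB_FILE_EXT}'))
        d.appendVar(sb_files_var, sb_boot_path + d.expand('${SB_FILE_EXT}'))
}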