| author | Ricardo Neri <ricardo.neri-calderon@linux.intel.com> | 2019-07-30 18:28:29 -0400 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-08-12 16:23:57 +0100 |
| commit | c7fb87ee6fb9cc4c6ed8bf93978445a0794e40aa (patch) | |
| tree | 4994fa66a8a4a8f9d9643feb987ee01f312a7685 | |
| parent | 29fb47861fdac6f0b061b16c7a2a122b23444f5e (diff) | |
| download | poky-c7fb87ee6fb9cc4c6ed8bf93978445a0794e40aa.tar.gz | |
ovmf: Generate test Platform key and first Key Exchange Key
Commit from EDK2 be9470b3c91f ("OvmfPkg/EnrollDefaultKeys: enroll
PK/KEK1 from the Type 11 SMBIOS table") mandates that a Platform Key
and first Key Exchange Key certificate is provided to the
EnrollDefaultKeys application.
Previously, the application was using a hard-coded certificate
from Red Hat embedded in the application.
Create a certificate that QEMU can subsequently pass to
EnrollDefaultKeys when running qemu-shell-image.
Cc: Ross Burton <ross.burton@intel.com>
Cc: Patrick Ohly <patrick.ohly@intel.com>
Cc: Alexander Kanavin <alex.kanavin@gmail.com>
(From OE-Core rev: daaf9d7bd8c3586609ab0eccf49af38dbdb0b02e)
Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/recipes-core/ovmf/ovmf_git.bb | 8 |
1 files changed, 8 insertions, 0 deletions
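--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -217,6 +217,7 @@ FILES_ovmf-shell-efi = " \
 
 DEPLOYDEP = ""
 DEPLOYDEP_class-target = "qemu-system-native:do_populate_sysroot"
+DEPLOYDEP_class-target += " ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'openssl-native:do_populate_sysroot', '', d)}"
 do_deploy[depends] += "${DEPLOYDEP}"
 
 do_deploy() {
@@ -232,6 +233,13 @@ do_deploy_class-target() {
 ; do
 qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/$i.fd ${DEPLOYDIR}/$i.qcow2
 done
+
+if ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'true', 'false', d)}; then
+# Create a test Platform Key and first Key Exchange Key to use with EnrollDefaultKeys
+openssl req -new -x509 -newkey rsa:2048 -keyout ${DEPLOYDIR}/OvmfPkKek1.key \
+-out ${DEPLOYDIR}/OvmfPkKek1.crt -nodes -days 20 -subj "/CN=OVMFSecBootTest"
+openssl x509 -in ${DEPLOYDIR}/OvmfPkKek1.crt -out ${DEPLOYDIR}/OvmfPkKek1.pem -outform PEM
+fi
 }
 addtask do_deploy after do_compile before do_build
 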
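Review bot: The unencrypted private key (`-nodes`) is written to `${DEPLOYDIR}/OvmfPkKek1.key` in the second hunk, so it is published next to the firmware images, and anyone who can read the deploy directory holds the signing key behind the PK/KEK1 certificate generated here. The commit message only describes passing the certificate to EnrollDefaultKeys, so unless a later step signs with this key it could stay out of the deploy output, e.g. `-keyout ${WORKDIR}/OvmfPkKek1.key`. If the key does have to be deployed, the existing comment should say that it is a throwaway test key that must never be enrolled on a real platform. The `-days 20` validity also deserves a comment, since a deploy artifact that is reused rather than rebuilt may carry an expired certificate, and whether that matters to the consumer is not visible here. The body of do_deploy_class-target starts outside the hunk.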
