From fd0d5287831e73dee5481ae21090247ced192773 Mon Sep 17 00:00:00 2001
From: Jose Quaresma
Date: Tue, 29 Oct 2024 11:06:46 +0000
Subject: [PATCH 1/2] base: efitools: sign the UnLock efi at install phase

We can't change files of ${D} in the do_deploy task and so we need to move it to the do_install task. This new UnLock efi is only required in the target and this is the reason of the class-target override. Before it don't fail on the class native because the do_deploy only runs for the class target.

Signed-off-by: Jose Quaresma
---
 meta-lmp-base/recipes-bsp/efitools/efitools.inc | 14 ++++++++++++++
 meta-lmp-base/recipes-bsp/efitools/efitools_git.bb | 13 -------------
 2 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/meta-lmp-base/recipes-bsp/efitools/efitools.inc b/meta-lmp-base/recipes-bsp/efitools/efitools.inc
index 587ebac5c..0a641cfd0 100644
--- a/meta-lmp-base/recipes-bsp/efitools/efitools.inc
+++ b/meta-lmp-base/recipes-bsp/efitools/efitools.inc
@@ -58,4 +58,18 @@ do_install() {
     oe_runmake install DESTDIR='${D}${base_prefix}'
 }
 
+do_install:append:class-target() {
+    if ! sbsign --key ${UEFI_SIGN_KEYDIR}/DB.key \
+                --cert ${UEFI_SIGN_KEYDIR}/DB.crt \
+                --output ${D}${datadir}/efitools/efi/UnLock-signed.efi \
+                ${D}${datadir}/efitools/efi/UnLock.efi; then
+        bbfatal_log "Failed to sign UnLock.efi"
+    fi
+
+    if ! sbverify --cert ${UEFI_SIGN_KEYDIR}/DB.crt \
+                  ${D}${datadir}/efitools/efi/UnLock-signed.efi; then
+        bbfatal_log "Failed to verify UnLock-signed.efi"
+    fi
+}
+
 SSTATE_ALLOW_OVERLAP_FILES += "${DEPLOY_DIR_IMAGE}/LockDown.efi ${DEPLOY_DIR_IMAGE}/UnLock-signed.efi"
diff --git a/meta-lmp-base/recipes-bsp/efitools/efitools_git.bb b/meta-lmp-base/recipes-bsp/efitools/efitools_git.bb
index d0d042e54..8eb5af1c8 100644
--- a/meta-lmp-base/recipes-bsp/efitools/efitools_git.bb
+++ b/meta-lmp-base/recipes-bsp/efitools/efitools_git.bb
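Review bot: The signed unlock binary is now written into the install tree at `${D}${datadir}/efitools/efi/UnLock-signed.efi`, so it is present when do_package runs; if this package's FILES covers `${datadir}/efitools`, a DB-signed UnLock.efi (presumably the counterpart that undoes LockDown.efi) ends up in the rootfs, which the earlier deploy-only copy avoided. Prefer signing into a build-private location, e.g. `--output ${B}/UnLock-signed.efi`, and let do_deploy install it from there, or explicitly drop it from the package, so the artifact stays deploy-only. Separately, the task reads `${UEFI_SIGN_KEYDIR}/DB.key` and `DB.crt` without declaring them as inputs; unless set elsewhere, `do_install[file-checksums] += "${UEFI_SIGN_KEYDIR}/DB.key:True ${UEFI_SIGN_KEYDIR}/DB.crt:True"` makes a key rotation invalidate the sstate object instead of reusing a stale signature. The enclosing do_install body begins above this hunk.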
@@ -55,19 +55,6 @@ do_deploy() {
     install -d ${DEPLOYDIR}
     install -m 0600 ${D}${datadir}/efitools/efi/LockDown.efi ${DEPLOYDIR}
     install -m 0600 ${WORKDIR}/lockdown.conf ${DEPLOYDIR}
-
-    if ! sbsign --key ${UEFI_SIGN_KEYDIR}/DB.key \
-                --cert ${UEFI_SIGN_KEYDIR}/DB.crt \
-                --output ${D}${datadir}/efitools/efi/UnLock-signed.efi \
-                ${D}${datadir}/efitools/efi/UnLock.efi; then
-        bbfatal "Failed to sign UnLock.efi"
-    fi
-
-    if ! sbverify --cert ${UEFI_SIGN_KEYDIR}/DB.crt \
-                  ${D}${datadir}/efitools/efi/UnLock-signed.efi; then
-        bbfatal "Failed to verify UnLock-signed.efi"
-    fi
-
     install -m 0600 ${D}${datadir}/efitools/efi/UnLock-signed.efi ${DEPLOYDIR}
     install -m 0600 ${WORKDIR}/unlock.conf ${DEPLOYDIR}
 }

From 219c3aac1715f07949ec519b239be31bbdea6dee Mon Sep 17 00:00:00 2001
From: Jose Quaresma
Date: Tue, 29 Oct 2024 11:07:23 +0000
Subject: [PATCH 2/2] base: efitools: check if we have the keys in place

Instaed of faling with a python exception we can check if we have all keys reqired and fail with a useful message if not.

Signed-off-by: Jose Quaresma
---
 meta-lmp-base/recipes-bsp/efitools/efitools_git.bb | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/meta-lmp-base/recipes-bsp/efitools/efitools_git.bb b/meta-lmp-base/recipes-bsp/efitools/efitools_git.bb
index 8eb5af1c8..7774c2e16 100644
--- a/meta-lmp-base/recipes-bsp/efitools/efitools_git.bb
+++ b/meta-lmp-base/recipes-bsp/efitools/efitools_git.bb
@@ -42,10 +42,15 @@ python do_prepare_local_auths() {
     dir = d.expand('${UEFI_SIGN_KEYDIR}/')
 
     import shutil
+    import os
 
     # Use auths already generated by the user
     for _ in ('PK', 'KEK', 'DB', 'DBX', 'noPK', 'noKEK'):
-        shutil.copyfile(dir + _ + '.auth', d.expand('${S}/') + _ + '.auth')
+        file = _ + '.auth'
+        src = dir + file
+        if not os.path.isfile(src):
+            bb.fatal("File '%s' not found!" % src)
+        shutil.copyfile(src, d.expand('${S}/') + file)
 }
 
 addtask prepare_local_auths after do_configure before do_compile
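Review bot: The new `os.path.isfile(src)` check in the loop only catches a missing file; an unreadable or half-written `.auth` still escapes as a raw Python traceback from `shutil.copyfile`, which is the failure mode the commit sets out to replace. Wrapping the copy instead covers both in one place: `try: shutil.copyfile(src, d.expand('${S}/') + file)` / `except OSError as e: bb.fatal("Cannot read %s: %s" % (src, e))`. The message should also point at the knob to fix, e.g. `bb.fatal("%s not found; generate the auth files or set UEFI_SIGN_KEYDIR" % src)`. As a point of style, `file` (and the pre-existing `dir`) shadow Python builtins; `auth_name` / `key_dir` read better. Since this task consumes files from outside the source tree, consider declaring them via `do_prepare_local_auths[file-checksums]` unless that is done elsewhere, so a regenerated key set is not masked by sstate reuse.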