aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorCalifornia Sullivan <california.l.sullivan@intel.com>2017-07-18 16:56:18 -0700
committerSaul Wold <sgw@linux.intel.com>2017-07-19 08:30:08 -0700
commit625a588f70785cf777ec9fb072b127b126aba781 (patch)
tree89711df42d09a572c40d27300e40a6061497bf40
parent21086869beba0c6e38275be97af2e689e17820ec (diff)
downloadmeta-intel-625a588f70785cf777ec9fb072b127b126aba781.tar.gz
meta-intel-625a588f70785cf777ec9fb072b127b126aba781.tar.bz2
meta-intel-625a588f70785cf777ec9fb072b127b126aba781.zip
uefi-comboapp.bbclass: Split signing functionality into its own bbclass
In the future more secure boot implementations will be offered, with each one needing the signing method. Instead of repeating a forty line block of code across several recipes, just use a configurable bbclass. Signed-off-by: California Sullivan <california.l.sullivan@intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
-rw-r--r--classes/uefi-comboapp.bbclass39
-rw-r--r--classes/uefi-sign.bbclass50
2 files changed, 55 insertions, 34 deletions
diff --git a/classes/uefi-comboapp.bbclass b/classes/uefi-comboapp.bbclass
index fc7e1b6f..5c3ca8c9 100644
--- a/classes/uefi-comboapp.bbclass
+++ b/classes/uefi-comboapp.bbclass
@@ -83,27 +83,14 @@ python create_uefiapps () {
create_uefiapp(d, uuid=uuid)
}
-sign_uefiapps () {
- if ${@ bb.utils.contains('IMAGE_FEATURES', 'secureboot', 'true', 'false', d) } &&
- [ -f ${UEFIAPP_SIGNING_KEY} ] && [ -f ${UEFIAPP_SIGNING_CERT} ]; then
- for i in `find ${DEPLOY_DIR_IMAGE}/ -name '${IMAGE_LINK_NAME}.boot*.efi'`; do
- sbsign --key ${UEFIAPP_SIGNING_KEY} --cert ${UEFIAPP_SIGNING_CERT} $i
- sbverify --cert ${UEFIAPP_SIGNING_CERT} $i.signed
- mv $i.signed $i
- done
- fi
-}
-
# This is intentionally split into different parts. This way, derived
# classes or images can extend the individual parts. We can also use
# whatever language (shell script or Python) is more suitable.
python do_uefiapp() {
bb.build.exec_func('create_uefiapps', d)
- bb.build.exec_func('sign_uefiapps', d)
}
do_uefiapp[vardeps] += "APPEND DISK_SIGNATURE_UUID INITRD_LIVE KERNEL_IMAGETYPE IMAGE_LINK_NAME"
-do_uefiapp[depends] += "${@ bb.utils.contains('IMAGE_FEATURES', 'secureboot', 'sbsigntool-native:do_populate_sysroot', '', d) }"
uefiapp_deploy_at() {
dest=$1
@@ -126,26 +113,6 @@ do_uefiapp_deploy[depends] += "${PN}:do_uefiapp"
# This decides when/how we add our tasks to the image
python () {
- import os
- import hashlib
-
- secureboot = bb.utils.contains('IMAGE_FEATURES', 'secureboot', True, False, d)
- # Ensure that if the signing key or cert change, we rerun the uefiapp process
- if secureboot:
- for varname in ('UEFIAPP_SIGNING_CERT', 'UEFIAPP_SIGNING_KEY'):
- filename = d.getVar(varname)
- if filename is None:
- bb.fatal('%s is not set.' % varname)
- if not os.path.isfile(filename):
- bb.fatal('%s=%s is not a file.' % (varname, filename))
- with open(filename, 'rb') as f:
- data = f.read()
- hash = hashlib.sha256(data).hexdigest()
- d.setVar('%s_HASH' % varname, hash)
-
- # Must reparse and thus rehash on file changes.
- bb.parse.mark_dependency(d, filename)
-
image_fstypes = d.getVar('IMAGE_FSTYPES', True)
initramfs_fstypes = d.getVar('INITRAMFS_FSTYPES', True)
@@ -155,7 +122,11 @@ python () {
bb.build.addtask('uefiapp_deploy', 'do_image', 'do_rootfs', d)
}
-do_uefiapp[vardeps] += "UEFIAPP_SIGNING_CERT_HASH UEFIAPP_SIGNING_KEY_HASH"
+SIGN_AFTER ?= "do_uefiapp"
+SIGN_BEFORE ?= "do_uefiapp_deploy"
+SIGNING_DIR ?= "${DEPLOY_DIR_IMAGE}"
+SIGNING_BINARIES ?= "${IMAGE_LINK_NAME}.boot*.efi"
+inherit uefi-sign
# Legacy hddimg support below this line
efi_hddimg_populate() {
diff --git a/classes/uefi-sign.bbclass b/classes/uefi-sign.bbclass
new file mode 100644
index 00000000..e8f203b9
--- /dev/null
+++ b/classes/uefi-sign.bbclass
@@ -0,0 +1,50 @@
+# By default, sign all .efi binaries in ${B} after compiling and before deploying
+SIGNING_DIR ?= "${B}"
+SIGNING_BINARIES ?= "*.efi"
+SIGN_AFTER ?= "do_compile"
+SIGN_BEFORE ?= "do_deploy"
+
+python () {
+ import os
+ import hashlib
+
+ # Ensure that if the signing key or cert change, we rerun the uefiapp process
+ if bb.utils.contains('IMAGE_FEATURES', 'secureboot', True, False, d):
+ for varname in ('SECURE_BOOT_SIGNING_CERT', 'SECURE_BOOT_SIGNING_KEY'):
+ filename = d.getVar(varname)
+ if filename is None:
+ bb.fatal('%s is not set.' % varname)
+ if not os.path.isfile(filename):
+ bb.fatal('%s=%s is not a file.' % (varname, filename))
+ with open(filename, 'rb') as f:
+ data = f.read()
+ hash = hashlib.sha256(data).hexdigest()
+ d.setVar('%s_HASH' % varname, hash)
+
+ # Must reparse and thus rehash on file changes.
+ bb.parse.mark_dependency(d, filename)
+
+ bb.build.addtask('uefi_sign', d.getVar('SIGN_BEFORE'), d.getVar('SIGN_AFTER'), d)
+
+ # Original binary needs to be regenerated if the hash changes since we overwrite it
+ # SIGN_AFTER isn't necessarily when it gets generated, but its our best guess
+ d.appendVarFlag(d.getVar('SIGN_AFTER'), 'vardeps', 'SECURE_BOOT_SIGNING_CERT_HASH SECURE_BOOT_SIGNING_KEY_HASH')
+}
+
+do_uefi_sign() {
+ if [ -f ${SECURE_BOOT_SIGNING_KEY} ] && [ -f ${SECURE_BOOT_SIGNING_CERT} ]; then
+ for i in `find ${SIGNING_DIR}/ -name '${SIGNING_BINARIES}'`; do
+ sbsign --key ${SECURE_BOOT_SIGNING_KEY} --cert ${SECURE_BOOT_SIGNING_CERT} $i
+ sbverify --cert ${SECURE_BOOT_SIGNING_CERT} $i.signed
+ mv $i.signed $i
+ done
+ fi
+}
+
+do_uefi_sign[depends] += "sbsigntool-native:do_populate_sysroot"
+
+do_uefi_sign[vardeps] += "SECURE_BOOT_SIGNING_CERT_HASH \
+ SECURE_BOOT_SIGNING_KEY_HASH \
+ SIGNING_BINARIES SIGNING_DIR \
+ SIGN_BEFORE SIGN_AFTER \
+ "