[meta-intel] [PATCH RFC 1/4] classes: Add uefi-sign.bbclass

California Sullivan california.l.sullivan at intel.com
Fri Jul 14 19:11:58 PDT 2017


This configurable class uses sbsign to sign arbitrary EFI binaries.

Signed-off-by: California Sullivan <california.l.sullivan at intel.com>
---
 classes/uefi-sign.bbclass | 52 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 classes/uefi-sign.bbclass

diff --git a/classes/uefi-sign.bbclass b/classes/uefi-sign.bbclass
new file mode 100644
index 0000000..7bb8bb1
--- /dev/null
+++ b/classes/uefi-sign.bbclass
@@ -0,0 +1,52 @@
+# By default, sign all .efi binaries in S after compiling and before installation
+SIGNING_DIR ?= "${B}"
+SIGNING_BINARIES ?= "*.efi"
+SIGN_BEFORE ?= "do_deploy"
+SIGN_AFTER ?= "do_compile"
+
+python () {
+    import os
+    import hashlib
+
+    secureboot = bb.utils.contains('IMAGE_FEATURES', 'secureboot', True, False, d)
+    # Ensure that if the signing key or cert change, we rerun the uefiapp process
+    if secureboot:
+        for varname in ('SECURE_BOOT_SIGNING_CERT', 'SECURE_BOOT_SIGNING_KEY'):
+            filename = d.getVar(varname)
+            if filename is None:
+                bb.fatal('%s is not set.' % varname)
+            if not os.path.isfile(filename):
+                bb.fatal('%s=%s is not a file.' % (varname, filename))
+            with open(filename, 'rb') as f:
+                data = f.read()
+            hash = hashlib.sha256(data).hexdigest()
+            d.setVar('%s_HASH' % varname, hash)
+
+            # Must reparse and thus rehash on file changes.
+            bb.parse.mark_dependency(d, filename)
+
+        bb.build.addtask('uefi_sign', d.getVar('SIGN_BEFORE'), d.getVar('SIGN_AFTER'), d)
+}
+
+do_uefi_sign() {
+    if [ -f ${SECURE_BOOT_SIGNING_KEY} ] && [ -f ${SECURE_BOOT_SIGNING_CERT} ]; then
+        for i in `find ${SIGNING_DIR}/ -name '${SIGNING_BINARIES}'`; do
+            sbsign --key ${SECURE_BOOT_SIGNING_KEY} --cert ${SECURE_BOOT_SIGNING_CERT} $i
+            sbverify --cert ${SECURE_BOOT_SIGNING_CERT} $i.signed
+            mv $i.signed $i
+        done
+    fi
+}
+
+do_uefi_sign[depends] += "sbsigntool-native:do_populate_sysroot"
+
+do_uefi_sign[vardeps] += "SECURE_BOOT_SIGNING_CERT_HASH \
+                          SECURE_BOOT_SIGNING_KEY_HASH  \
+                          SIGNING_BINARIES SIGNING_DIR  \
+                          SIGN_BEFORE SIGN_AFTER        \
+                         "
+
+# Does this actually work? Doesn't cause a parse error.
+${SIGN_AFTER}[vardeps] += "SECURE_BOOT_SIGNING_CERT_HASH \
+                           SECURE_BOOT_SIGNING_KEY_HASH  \
+                          "
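Review bot: `do_uefi_sign` fails open: when the key or cert is not present at execution time, the `if [ -f … ] && [ -f … ]` wrapper at the top of the function skips signing and the task still succeeds, so a secureboot image could be deployed with unsigned EFI binaries and no error; the anonymous python only validates the files at parse time, not when the task runs. That guard should become a `bbfatal`, and the paths in the loop should be quoted and iterated in a way that survives spaces in `SIGNING_DIR`, with sbsign/sbverify failures left to abort the task as the usual `set -e` task environment does. The `# Does this actually work?` comment above `${SIGN_AFTER}[vardeps]` should be resolved before merging or replaced with the intent, e.g. `# Force ${SIGN_AFTER} to rerun when the key/cert change, since signing replaces the binaries in place`; whether the LHS expansion picks up a recipe-level override of SIGN_AFTER set after `inherit` is worth confirming. The header comment says "all .efi binaries in S" while `SIGNING_DIR` defaults to `${B}`.
```shell
do_uefi_sign() {
    # Refuse to continue rather than silently leave binaries unsigned.
    if [ ! -f "${SECURE_BOOT_SIGNING_KEY}" ] || [ ! -f "${SECURE_BOOT_SIGNING_CERT}" ]; then
        bbfatal "SECURE_BOOT_SIGNING_KEY or SECURE_BOOT_SIGNING_CERT is not a readable file"
    fi
    find "${SIGNING_DIR}/" -name '${SIGNING_BINARIES}' | while read -r i; do
        sbsign --key "${SECURE_BOOT_SIGNING_KEY}" --cert "${SECURE_BOOT_SIGNING_CERT}" "$i"
        sbverify --cert "${SECURE_BOOT_SIGNING_CERT}" "$i.signed"
        mv "$i.signed" "$i"
    done
}
```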
-- 
2.9.4


