fix(coreos-efi-secureboot): only install sb key if needed

Checking for COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR was not done properly resulting of the key always being installed inside the EFI partition.
2023-01-30 15:31:13 +01:00 · 2023-01-30 15:31:13 +01:00 · 92d900ba2f
parent cfb1638fb4
commit 92d900ba2f
2 changed files with 7 additions and 9 deletions
--- a/layers/meta-belden-coreos-bsp/classes/coreos-efi-secureboot.bbclass
+++ b/layers/meta-belden-coreos-bsp/classes/coreos-efi-secureboot.bbclass
@ -18,14 +18,14 @@ HOSTTOOLS += "sbsign"
 # before running wic
 do_image_wic[depends] += "efi-secureboot-keys:do_deploy"

-
+COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0"
 def get_coreos_secureboot_efi_boot_files(d):
    """
        Return the list of pubkey file inside deploy if 
        COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR is set or an empty string
        otherwise
    """
-    if d.getVar('COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR', True):
+    if d.getVar('COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR') == '1':
        return "db.auth KEK.auth PK.auth db.esl KEK.esl PK.esl db.crt KEK.crt PK.crt db.der KEK.der PK.der"
    return ""

--- a/layers/meta-belden-coreos/classes/coreos-image-ci.bbclass
+++ b/layers/meta-belden-coreos/classes/coreos-image-ci.bbclass
@ -15,7 +15,7 @@ def get_coreos_ci_artifacts(d):
    
    if(bb.utils.contains('IMAGE_FSTYPES', 'oci', True, False, d)):

-        artifacts.append(d.getVar('IMAGE_NAME') + '.rootfs-oci.tar')
+        artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.rootfs-oci.tar')
        
        # Special case for container, we just need the OCI tarball
        return " ".join(artifacts)
@ -24,13 +24,13 @@ def get_coreos_ci_artifacts(d):
    # ==========================================================================

    if(bb.utils.contains('IMAGE_FSTYPES', 'wic.xz', True, False, d)):
-        artifacts.append(d.getVar('IMAGE_NAME') + '.wic.xz')
+        artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.wic.xz')
    
    if(bb.utils.contains('IMAGE_FSTYPES', 'wic.bmap', True, False, d)):
-        artifacts.append(d.getVar('IMAGE_NAME') + '.wic.bmap')
+        artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.wic.bmap')

    if(d.getVar('COREOS_IMAGE_GENERATE_SWU') == '1'):
-        artifacts.append(d.getVar('IMAGE_NAME') + '.swu')
+        artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.swu')

    # Kernel
    # ==========================================================================
@ -78,13 +78,11 @@ COREOS_CI_DEPLOY_ARTIFACTS += "${@get_coreos_ci_artifacts(d)}"
 do_deploy_ci() {
    # Create the .ci-artifacts file inside the deploy directory
    cd "${DEPLOY_DIR_IMAGE}"
-    output="${IMAGE_NAME}.ci-artifacts"
+    output="${IMAGE_LINK_NAME}.ci-artifacts"

    rm -f "${output}"
    for file in ${COREOS_CI_DEPLOY_ARTIFACTS}; do
        echo $file >> $output
    done
-
-    ln -sf "${output}" "${IMAGE_LINK_NAME}.ci-artifacts"
 } 
 addtask deploy_ci after do_image before do_build