fix(coreos-efi-secureboot): only install sb key if needed

The check for COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR
was not done properly, resulting in the key always being
installed inside the EFI partition.
Samuel Dolt 2023-01-30 15:31:13 +01:00
parent cfb1638fb4
commit 92d900ba2f
2 changed files with 7 additions and 9 deletions


@ -18,14 +18,14 @@ HOSTTOOLS += "sbsign"
# before running wic # before running wic
do_image_wic[depends] += "efi-secureboot-keys:do_deploy" do_image_wic[depends] += "efi-secureboot-keys:do_deploy"
COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0"
def get_coreos_secureboot_efi_boot_files(d): def get_coreos_secureboot_efi_boot_files(d):
""" """
Return the list of pubkey file inside deploy if Return the list of pubkey file inside deploy if
COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR is set or an empty string COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR is set or an empty string
otherwise otherwise
""" """
if d.getVar('COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR', True): if d.getVar('COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR') == '1':
return "db.auth KEK.auth PK.auth db.esl KEK.esl PK.esl db.crt KEK.crt PK.crt db.der KEK.der PK.der" return "db.auth KEK.auth PK.auth db.esl KEK.esl PK.esl db.crt KEK.crt PK.crt db.der KEK.der PK.der"
return "" return ""
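Review bot: The docstring of get_coreos_secureboot_efi_boot_files still says the list is returned when the variable "is set", but the new condition only matches the exact string '1', so the text now describes the old behaviour that this commit fixes. I would reword it to `Return the list of pubkey files inside deploy when COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR is exactly "1", or an empty string otherwise`. Any other spelling such as "yes" or "true" now silently leaves the key files out of the EFI partition, so a one-line comment next to the `??= "0"` default stating that "1" is the only enabling value would help whoever configures secure-boot provisioning.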


@ -15,7 +15,7 @@ def get_coreos_ci_artifacts(d):
if(bb.utils.contains('IMAGE_FSTYPES', 'oci', True, False, d)): if(bb.utils.contains('IMAGE_FSTYPES', 'oci', True, False, d)):
artifacts.append(d.getVar('IMAGE_NAME') + '.rootfs-oci.tar') artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.rootfs-oci.tar')
# Special case for container, we just need the OCI tarball # Special case for container, we just need the OCI tarball
return " ".join(artifacts) return " ".join(artifacts)
@ -24,13 +24,13 @@ def get_coreos_ci_artifacts(d):
# ========================================================================== # ==========================================================================
if(bb.utils.contains('IMAGE_FSTYPES', 'wic.xz', True, False, d)): if(bb.utils.contains('IMAGE_FSTYPES', 'wic.xz', True, False, d)):
artifacts.append(d.getVar('IMAGE_NAME') + '.wic.xz') artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.wic.xz')
if(bb.utils.contains('IMAGE_FSTYPES', 'wic.bmap', True, False, d)): if(bb.utils.contains('IMAGE_FSTYPES', 'wic.bmap', True, False, d)):
artifacts.append(d.getVar('IMAGE_NAME') + '.wic.bmap') artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.wic.bmap')
if(d.getVar('COREOS_IMAGE_GENERATE_SWU') == '1'): if(d.getVar('COREOS_IMAGE_GENERATE_SWU') == '1'):
artifacts.append(d.getVar('IMAGE_NAME') + '.swu') artifacts.append(d.getVar('IMAGE_LINK_NAME') + '.swu')
# Kernel # Kernel
# ========================================================================== # ==========================================================================
@ -78,13 +78,11 @@ COREOS_CI_DEPLOY_ARTIFACTS += "${@get_coreos_ci_artifacts(d)}"
do_deploy_ci() { do_deploy_ci() {
# Create the .ci-artifacts file inside the deploy directory # Create the .ci-artifacts file inside the deploy directory
cd "${DEPLOY_DIR_IMAGE}" cd "${DEPLOY_DIR_IMAGE}"
output="${IMAGE_NAME}.ci-artifacts" output="${IMAGE_LINK_NAME}.ci-artifacts"
rm -f "${output}" rm -f "${output}"
for file in ${COREOS_CI_DEPLOY_ARTIFACTS}; do for file in ${COREOS_CI_DEPLOY_ARTIFACTS}; do
echo $file >> $output echo $file >> $output
done done
ln -sf "${output}" "${IMAGE_LINK_NAME}.ci-artifacts"
} }
addtask deploy_ci after do_image before do_build addtask deploy_ci after do_image before do_build
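Review bot: The new `d.getVar('IMAGE_LINK_NAME') + '.wic.xz'` style lines in get_coreos_ci_artifacts and `output="${IMAGE_LINK_NAME}.ci-artifacts"` in do_deploy_ci assume IMAGE_LINK_NAME is always a non-empty string. As far as I know, Yocto allows IMAGE_LINK_NAME to be set empty to disable link creation; in that case the manifest would be written to a hidden `.ci-artifacts` file and would list names like `.wic.xz`, and an unset value would raise a TypeError on the concatenation. A guard near the top of the function, for example `if not d.getVar('IMAGE_LINK_NAME'): bb.fatal("IMAGE_LINK_NAME must be set to generate CI artifacts")`, would make that failure explicit. The manifest also now names the link paths rather than the versioned IMAGE_NAME files, so a comment saying this is intentional would help CI consumers who expect it to identify one specific build. get_coreos_ci_artifacts starts and ends outside the visible hunks.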