# This class is inherited globally in the CoreOS distro

# UEFI Secure boot configuration
# ==============================================================================
COREOS_EFI_SECUREBOOT_KEYDIR ??= "${TOPDIR}/keys"
COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0"
# UEFI Secure boot helpers
# ==============================================================================
# Images are signed with sbsign, but sbsign is not available in OE-Core, so
# use the one from the host. This only works if this class is inherited in a
# global configuration file, as is the case in the CoreOS distro
HOSTTOOLS += "sbsign"
# Ensure that the public keys are always deployed to the deploy directory
# before running wic
do_image_wic[depends] += "efi-secureboot-keys:do_deploy"
# NOTE(review): duplicates the weak default already set in the configuration
# section above; harmless (both set "0") but redundant.
COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0"
def get_coreos_secureboot_efi_boot_files(d):
    """
    Return the Secure Boot public-key artifacts to install in the EFI directory.

    When COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR is "1", the result is
    a space-separated list of the db, KEK and PK files in their .auth, .esl,
    .crt and .der forms (the public artifacts deployed by the key recipe).
    For any other value, including unset, the result is the empty string.

    Args:
        d: the BitBake datastore the variable is read from.

    Returns:
        The space-separated file list, or "".
    """
    install_pubkeys = d.getVar('COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR')
    if install_pubkeys != '1':
        return ""

    # Order matters only for stability of the appended variable value:
    # all .auth files first, then .esl, .crt and .der.
    key_names = ("db", "KEK", "PK")
    extensions = ("auth", "esl", "crt", "der")
    return " ".join(f"{key}.{ext}" for ext in extensions for key in key_names)
IMAGE_EFI_BOOT_FILES:append = " ${@get_coreos_secureboot_efi_boot_files(d)}"
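def get_coreos_secureboot_keydir_hash(d):
    """
    Return a change-detection fingerprint of COREOS_EFI_SECUREBOOT_KEYDIR.

    The result is a space-separated list with one entry per regular file in
    the key directory, formatted ``<filename>:md5:<md5sum>``. The value is
    used as a variable dependency so that every task referencing the key
    directory is re-run when a key file is added, removed or modified.

    Entries are emitted in sorted filename order: os.listdir() order is not
    guaranteed, and an order-dependent value would make task signatures
    differ between runs and hosts, causing spurious rebuilds.

    MD5 is used here purely as a fast content digest for rebuild triggering;
    it is not a security control and does not protect the key material.

    Args:
        d: the BitBake datastore COREOS_EFI_SECUREBOOT_KEYDIR is read from.

    Returns:
        The fingerprint string, or "" when the directory holds no regular files.

    Raises:
        OSError: if the key directory cannot be listed or a file cannot be read
            (e.g. FileNotFoundError when the directory does not exist).
    """
    import hashlib

    def _md5_of(path):
        # MD5 is a non-security use here; tell FIPS-aware builds so, falling
        # back for interpreters whose hashlib predates the usedforsecurity flag.
        try:
            digest = hashlib.md5(usedforsecurity=False)
        except TypeError:
            digest = hashlib.md5()
        with open(path, 'rb') as keyfile:
            for chunk in iter(lambda: keyfile.read(65536), b''):
                digest.update(chunk)
        return digest.hexdigest()

    keydir = d.getVar('COREOS_EFI_SECUREBOOT_KEYDIR')
    entries = []
    for keyname in sorted(os.listdir(keydir)):
        filepath = os.path.join(keydir, keyname)
        # Skip sub-directories and anything that is not a plain file.
        if not os.path.isfile(filepath):
            continue
        entries.append(f"{keyname}:md5:{_md5_of(filepath)}")

    return " ".join(entries)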
# The build system should detect if someone changes one of the keys inside
# COREOS_EFI_SECUREBOOT_KEYDIR and rebuild all the recipes and artifacts that
# depend on this directory
COREOS_EFI_SECUREBOOT_KEYDIR_HASH = "${@get_coreos_secureboot_keydir_hash(d)}"
COREOS_EFI_SECUREBOOT_KEYDIR[vardeps] += "COREOS_EFI_SECUREBOOT_KEYDIR_HASH"