# This class is inherited globally in the CoreOS distro
# UEFI Secure boot configuration
# ==============================================================================
# Directory holding the Secure Boot key material. Weak default (??=), so a
# distro or local configuration can point it elsewhere.
# NOTE(review): if private signing keys are also installed under this native
# sysroot path, the sysroot and any shared sstate cache need to be treated as
# sensitive - confirm what certificates-and-keys-native installs there.
COREOS_EFI_SECUREBOOT_KEYDIR ??= "${RECIPE_SYSROOT_NATIVE}/${datadir}/keys"
# Set to "1" to have get_coreos_secureboot_efi_boot_files() add the PK/KEK/db
# files to IMAGE_EFI_BOOT_FILES; with the default "0" nothing is added.
COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0"
# UEFI Secure boot helpers
# ==============================================================================
# Images are signed with sbsign, but sbsign is not available in OE-Core, so
# use the one from the host. This only works if this class is inherited in a
# global configuration file, as is the case in the CoreOS distro.
# NOTE(review): the host's sbsign is not built or version-pinned by a recipe,
# so the build host's installed packages are part of the signing trust
# boundary and should be controlled accordingly.
HOSTTOOLS += "sbsign"
# Ensure that the public keys are always deployed to the deploy directory
# before running wic, presumably so that the files named in
# IMAGE_EFI_BOOT_FILES exist when the image is assembled.
do_image_wic[depends] += "certificates-and-keys-native:do_deploy"
COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR ??= "0"
def get_coreos_secureboot_efi_boot_files(d):
    """
    Build the Secure Boot key-file list used for IMAGE_EFI_BOOT_FILES.

    Returns a space-separated string naming the db, KEK and PK files in their
    .auth, .esl, .crt and .der forms when
    COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR is exactly '1'. Any other
    value, including an unset variable, yields an empty string.

    Going by their extensions, every name is a certificate, a signature list
    or a signed variable update; no private-key file is listed. Keep it that
    way: these files are copied into the EFI boot files of the image.
    """
    pubkey_files = "db.auth KEK.auth PK.auth db.esl KEK.esl PK.esl db.crt KEK.crt PK.crt db.der KEK.der PK.der"
    install_flag = d.getVar('COREOS_EFI_SECUREBOOT_INSTALL_PUBKEY_IN_EFIDIR')
    # Strict comparison with '1': values such as "yes" or "true" do not enable it.
    return pubkey_files if install_flag == '1' else ""
# Append the key files (or nothing) returned by the helper. The leading space
# is needed because :append does not insert a separator itself.
IMAGE_EFI_BOOT_FILES:append = " ${@get_coreos_secureboot_efi_boot_files(d)}"