diff options
| author | Lans Zhang <jia.zhang@windriver.com> | 2017-07-24 12:31:26 +0800 |
|---|---|---|
| committer | Lans Zhang <jia.zhang@windriver.com> | 2017-07-24 17:14:51 +0800 |
| commit | 008b18270f8d9d3e0c7a1eebb0cb4531e4e60ebe (patch) | |
| tree | 089d0a517e5e5f60a13cc8b446db91a54f715170 | |
| parent | 9b96939178b9bf7ffb0a207e6f608b784b9bc1b2 (diff) | |
| download | meta-secure-core-008b18270f8d9d3e0c7a1eebb0cb4531e4e60ebe.tar.gz | |
shim: use fallback loading SELoader
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
| -rw-r--r-- | meta-efi-secure-boot/recipes-bsp/shim/shim/0013-fallback-allow-to-search-.csv-in-EFI-BOOT.patch | 27 | ||||
| -rw-r--r-- | meta-efi-secure-boot/recipes-bsp/shim/shim/bootia32.csv | bin | 0 -> 102 bytes | |||
| -rw-r--r-- | meta-efi-secure-boot/recipes-bsp/shim/shim/bootx64.csv | bin | 0 -> 100 bytes | |||
| -rw-r--r-- | meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb | 66 |
4 files changed, 69 insertions, 24 deletions
diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim/0013-fallback-allow-to-search-.csv-in-EFI-BOOT.patch b/meta-efi-secure-boot/recipes-bsp/shim/shim/0013-fallback-allow-to-search-.csv-in-EFI-BOOT.patch new file mode 100644 index 0000000..a876179 --- /dev/null +++ b/meta-efi-secure-boot/recipes-bsp/shim/shim/0013-fallback-allow-to-search-.csv-in-EFI-BOOT.patch | |||
| @@ -0,0 +1,27 @@ | |||
| 1 | From d008d75860433bc640aaf1c2dabe5742912bdac4 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Lans Zhang <jia.zhang@windriver.com> | ||
| 3 | Date: Mon, 24 Jul 2017 15:15:33 +0800 | ||
| 4 | Subject: [PATCH] fallback: allow to search .csv in \EFI\BOOT | ||
| 5 | |||
| 6 | Signed-off-by: Lans Zhang <jia.zhang@windriver.com> | ||
| 7 | --- | ||
| 8 | fallback.c | 3 +-- | ||
| 9 | 1 file changed, 1 insertion(+), 2 deletions(-) | ||
| 10 | |||
| 11 | diff --git a/fallback.c b/fallback.c | ||
| 12 | index 5e4a396..8c408fd 100644 | ||
| 13 | --- a/fallback.c | ||
| 14 | +++ b/fallback.c | ||
| 15 | @@ -729,8 +729,7 @@ find_boot_options(EFI_HANDLE device) | ||
| 16 | continue; | ||
| 17 | } | ||
| 18 | if (!StrCmp(fi->FileName, L".") || | ||
| 19 | - !StrCmp(fi->FileName, L"..") || | ||
| 20 | - !StrCaseCmp(fi->FileName, L"BOOT")) { | ||
| 21 | + !StrCmp(fi->FileName, L"..")) { | ||
| 22 | FreePool(buffer); | ||
| 23 | buffer = NULL; | ||
| 24 | continue; | ||
| 25 | -- | ||
| 26 | 2.7.5 | ||
| 27 | |||
diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim/bootia32.csv b/meta-efi-secure-boot/recipes-bsp/shim/shim/bootia32.csv new file mode 100644 index 0000000..c2d784e --- /dev/null +++ b/meta-efi-secure-boot/recipes-bsp/shim/shim/bootia32.csv | |||
| Binary files differ | |||
diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim/bootx64.csv b/meta-efi-secure-boot/recipes-bsp/shim/shim/bootx64.csv new file mode 100644 index 0000000..c89c303 --- /dev/null +++ b/meta-efi-secure-boot/recipes-bsp/shim/shim/bootx64.csv | |||
| Binary files differ | |||
diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb b/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb index 36e691f..6428eeb 100644 --- a/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb +++ b/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb | |||
| @@ -21,6 +21,8 @@ PV = "12+git${SRCPV}" | |||
| 21 | 21 | ||
| 22 | SRC_URI = "\ | 22 | SRC_URI = "\ |
| 23 | git://github.com/rhinstaller/shim.git \ | 23 | git://github.com/rhinstaller/shim.git \ |
| 24 | file://bootx64.csv \ | ||
| 25 | file://bootia32.csv \ | ||
| 24 | file://0001-shim-allow-to-verify-sha1-digest-for-Authenticode.patch \ | 26 | file://0001-shim-allow-to-verify-sha1-digest-for-Authenticode.patch \ |
| 25 | file://0005-Fix-signing-failure-due-to-not-finding-certificate.patch;apply=0 \ | 27 | file://0005-Fix-signing-failure-due-to-not-finding-certificate.patch;apply=0 \ |
| 26 | file://0006-Prevent-from-removing-intermediate-.efi.patch \ | 28 | file://0006-Prevent-from-removing-intermediate-.efi.patch \ |
| @@ -29,6 +31,7 @@ SRC_URI = "\ | |||
| 29 | file://0010-Makefile-do-not-sign-the-efi-file.patch \ | 31 | file://0010-Makefile-do-not-sign-the-efi-file.patch \ |
| 30 | file://0011-Update-verification_method-if-the-loaded-image-is-si.patch;apply=0 \ | 32 | file://0011-Update-verification_method-if-the-loaded-image-is-si.patch;apply=0 \ |
| 31 | file://0012-netboot-replace-the-depreciated-EFI_PXE_BASE_CODE.patch \ | 33 | file://0012-netboot-replace-the-depreciated-EFI_PXE_BASE_CODE.patch \ |
| 34 | file://0013-fallback-allow-to-search-.csv-in-EFI-BOOT.patch \ | ||
| 32 | " | 35 | " |
| 33 | SRC_URI_append_x86-64 = "\ | 36 | SRC_URI_append_x86-64 = "\ |
| 34 | ${@bb.utils.contains('DISTRO_FEATURES', 'msft', \ | 37 | ${@bb.utils.contains('DISTRO_FEATURES', 'msft', \ |
| @@ -42,29 +45,31 @@ S = "${WORKDIR}/git" | |||
| 42 | inherit deploy user-key-store | 45 | inherit deploy user-key-store |
| 43 | 46 | ||
| 44 | EXTRA_OEMAKE = "\ | 47 | EXTRA_OEMAKE = "\ |
| 45 | CROSS_COMPILE="${TARGET_PREFIX}" \ | 48 | CROSS_COMPILE="${TARGET_PREFIX}" \ |
| 46 | LIB_GCC="`${CC} -print-libgcc-file-name`" \ | 49 | LIB_GCC="`${CC} -print-libgcc-file-name`" \ |
| 47 | LIB_PATH="${STAGING_LIBDIR}" \ | 50 | LIB_PATH="${STAGING_LIBDIR}" \ |
| 48 | EFI_PATH="${STAGING_LIBDIR}" \ | 51 | EFI_PATH="${STAGING_LIBDIR}" \ |
| 49 | EFI_INCLUDE="${STAGING_INCDIR}/efi" \ | 52 | EFI_INCLUDE="${STAGING_INCDIR}/efi" \ |
| 50 | RELEASE="_${DISTRO}_${DISTRO_VERSION}" \ | 53 | RELEASE="_${DISTRO}_${DISTRO_VERSION}" \ |
| 51 | DEFAULT_LOADER=\\\\\\SELoader${EFI_ARCH}.efi \ | 54 | DEFAULT_LOADER=\\\\\\SELoader${EFI_ARCH}.efi \ |
| 52 | OPENSSL=${STAGING_BINDIR_NATIVE}/openssl \ | 55 | OPENSSL=${STAGING_BINDIR_NATIVE}/openssl \ |
| 53 | HEXDUMP=${STAGING_BINDIR_NATIVE}/hexdump \ | 56 | HEXDUMP=${STAGING_BINDIR_NATIVE}/hexdump \ |
| 54 | PK12UTIL=${STAGING_BINDIR_NATIVE}/pk12util \ | 57 | PK12UTIL=${STAGING_BINDIR_NATIVE}/pk12util \ |
| 55 | CERTUTIL=${STAGING_BINDIR_NATIVE}/certutil \ | 58 | CERTUTIL=${STAGING_BINDIR_NATIVE}/certutil \ |
| 56 | SBSIGN=${STAGING_BINDIR_NATIVE}/sbsign \ | 59 | SBSIGN=${STAGING_BINDIR_NATIVE}/sbsign \ |
| 57 | AR=${AR} \ | 60 | AR=${AR} \ |
| 58 | ${@'VENDOR_CERT_FILE=${WORKDIR}/vendor_cert.cer' if d.getVar('MOK_SB', True) == '1' else ''} \ | 61 | ${@'VENDOR_CERT_FILE=${WORKDIR}/vendor_cert.cer' \ |
| 59 | ${@'VENDOR_DBX_FILE=${WORKDIR}/vendor_dbx.esl' if uks_signing_model(d) == 'user' else ''} \ | 62 | if d.getVar('MOK_SB', True) == '1' else ''} \ |
| 60 | ENABLE_HTTPBOOT=1 \ | 63 | ${@'VENDOR_DBX_FILE=${WORKDIR}/vendor_dbx.esl' \ |
| 64 | if uks_signing_model(d) == 'user' else ''} \ | ||
| 65 | ENABLE_HTTPBOOT=1 \ | ||
| 66 | OVERRIDE_SECURITY_POLICY=1 \ | ||
| 61 | " | 67 | " |
| 62 | 68 | ||
| 63 | PARALLEL_MAKE = "" | 69 | PARALLEL_MAKE = "" |
| 64 | COMPATIBLE_HOST = '(i.86|x86_64).*-linux' | 70 | COMPATIBLE_HOST = '(i.86|x86_64).*-linux' |
| 65 | 71 | ||
| 66 | EFI_TARGET = "/boot/efi/EFI/BOOT" | 72 | EFI_TARGET = "/boot/efi/EFI/BOOT" |
| 67 | FILES_${PN} += "${EFI_TARGET}" | ||
| 68 | 73 | ||
| 69 | MSFT = "${@bb.utils.contains('DISTRO_FEATURES', 'msft', '1', '0', d)}" | 74 | MSFT = "${@bb.utils.contains('DISTRO_FEATURES', 'msft', '1', '0', d)}" |
| 70 | 75 | ||
| @@ -115,27 +120,40 @@ python do_sign() { | |||
| 115 | addtask sign after do_compile before do_install | 120 | addtask sign after do_compile before do_install |
| 116 | 121 | ||
| 117 | do_install() { | 122 | do_install() { |
| 118 | install -d ${D}${EFI_TARGET} | 123 | install -d "${D}${EFI_TARGET}" |
| 119 | 124 | ||
| 120 | local shim_dst="${D}${EFI_TARGET}/boot${EFI_ARCH}.efi" | 125 | local shim_dst="${D}${EFI_TARGET}/boot${EFI_ARCH}.efi" |
| 121 | local mm_dst="${D}${EFI_TARGET}/mm${EFI_ARCH}.efi" | 126 | local mm_dst="${D}${EFI_TARGET}/mm${EFI_ARCH}.efi" |
| 127 | local fb_dst="${D}${EFI_TARGET}/fb${EFI_ARCH}.efi" | ||
| 122 | if [ x"${UEFI_SB}" = x"1" ]; then | 128 | if [ x"${UEFI_SB}" = x"1" ]; then |
| 123 | install -m 0600 ${B}/shim${EFI_ARCH}.efi.signed $shim_dst | 129 | install -m 0600 "${B}/shim${EFI_ARCH}.efi.signed" "$shim_dst" |
| 124 | install -m 0600 ${B}/mm${EFI_ARCH}.efi.signed $mm_dst | 130 | install -m 0600 "${B}/mm${EFI_ARCH}.efi.signed" "$mm_dst" |
| 131 | install -m 0600 "${B}/fb${EFI_ARCH}.efi.signed" "$fb_dst" | ||
| 125 | else | 132 | else |
| 126 | install -m 0600 ${B}/shim${EFI_ARCH}.efi $shim_dst | 133 | install -m 0600 "${B}/shim${EFI_ARCH}.efi" "$shim_dst" |
| 127 | install -m 0600 ${B}/mm${EFI_ARCH}.efi $mm_dst | 134 | install -m 0600 "${B}/mm${EFI_ARCH}.efi" "$mm_dst" |
| 135 | install -m 0600 "${B}/fb${EFI_ARCH}.efi" "$fb_dst" | ||
| 128 | fi | 136 | fi |
| 137 | |||
| 138 | install -m 0600 "${WORKDIR}/boot${EFI_ARCH}.csv" "${D}${EFI_TARGET}" | ||
| 129 | } | 139 | } |
| 130 | 140 | ||
| 131 | # Install the unsigned images for manual signing | 141 | # Install the unsigned images for manual signing |
| 132 | do_deploy() { | 142 | do_deploy() { |
| 133 | install -d ${DEPLOYDIR}/efi-unsigned | 143 | install -d ${DEPLOYDIR}/efi-unsigned |
| 134 | 144 | ||
| 135 | install -m 0600 ${B}/shim${EFI_ARCH}.efi ${DEPLOYDIR}/efi-unsigned/boot${EFI_ARCH}.efi | 145 | install -m 0600 "${B}/shim${EFI_ARCH}.efi" \ |
| 136 | install -m 0600 ${B}/mm${EFI_ARCH}.efi ${DEPLOYDIR}/efi-unsigned/mm${EFI_ARCH}.efi | 146 | "${DEPLOYDIR}/efi-unsigned/boot${EFI_ARCH}.efi" |
| 147 | install -m 0600 "${B}/mm${EFI_ARCH}.efi" \ | ||
| 148 | "${DEPLOYDIR}/efi-unsigned/mm${EFI_ARCH}.efi" | ||
| 149 | install -m 0600 "${B}/fb${EFI_ARCH}.efi" \ | ||
| 150 | "${DEPLOYDIR}/efi-unsigned/fb${EFI_ARCH}.efi" | ||
| 137 | 151 | ||
| 138 | install -m 0600 "${D}${EFI_TARGET}/boot${EFI_ARCH}.efi" "${DEPLOYDIR}" | 152 | install -m 0600 "${D}${EFI_TARGET}/boot${EFI_ARCH}.efi" "${DEPLOYDIR}" |
| 139 | install -m 0600 "${D}${EFI_TARGET}/mm${EFI_ARCH}.efi" "${DEPLOYDIR}" | 153 | install -m 0600 "${D}${EFI_TARGET}/mm${EFI_ARCH}.efi" "${DEPLOYDIR}" |
| 154 | install -m 0600 "${D}${EFI_TARGET}/fb${EFI_ARCH}.efi" "${DEPLOYDIR}" | ||
| 155 | install -m 0600 "${D}${EFI_TARGET}/boot${EFI_ARCH}.csv" "${DEPLOYDIR}" | ||
| 140 | } | 156 | } |
| 141 | addtask deploy after do_install before do_build | 157 | addtask deploy after do_install before do_build |
| 158 | |||
| 159 | FILES_${PN} += "${EFI_TARGET}" | ||