Merge pull request #116 from lumag/master

Use PKCS7 drivers compiled from OVMF source
author: Jia Zhang <qianyue.zj@alibaba-inc.com> 2019-09-04 22:20:29 +0800
committer: GitHub <noreply@github.com> 2019-09-04 22:20:29 +0800
commit: 0cea6e869fe9b1597042b2febaa60c85710ba306 (patch)
tree: 58fb9da74ff4b530f2a1ffccc79456370f822aa1
parent: df51a87b5a8a99902a43cf3ec139df0a0927fe81 (diff)
parent: 883be5aff51ab9e752357fae358d654529bf3d1f (diff)
download: meta-secure-core-0cea6e869fe9b1597042b2febaa60c85710ba306.tar.gz
2 files changed, 65 insertions, 13 deletions
diff --git a/meta-efi-secure-boot/recipes-bsp/seloader/seloader_git.bb b/meta-efi-secure-boot/recipes-bsp/seloader/seloader_git.bb
index 0931af3..fee1504 100644
--- a/meta-efi-secure-boot/recipes-bsp/seloader/seloader_git.bb
+++ b/meta-efi-secure-boot/recipes-bsp/seloader/seloader_git.bb
@@ -21,7 +21,7 @@ LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=d9bf404642f21afb4ad89f95d7bc91ee"
 DEPENDS += "\
-    gnu-efi sbsigntool-native openssl-native \
+    gnu-efi sbsigntool-native openssl-native ovmf \
 "
 PV = "0.4.6+git${SRCPV}"
@@ -53,10 +53,6 @@ EFI_TARGET = "/boot/efi/EFI/BOOT"
 python do_sign() {
    sb_sign(d.expand('${B}/Src/Efi/SELoader.efi'), \
            d.expand('${B}/Src/Efi/SELoader.efi.signed'), d)
-    sb_sign(d.expand('${B}/Bin/Hash2DxeCrypto.efi'), \
-            d.expand('${B}/Bin/Hash2DxeCrypto.efi.signed'), d)
-    sb_sign(d.expand('${B}/Bin/Pkcs7VerifyDxe.efi'), \
-            d.expand('${B}/Bin/Pkcs7VerifyDxe.efi.signed'), d)
 }
 addtask sign after do_compile before do_install
 do_sign[prefuncs] += "check_deploy_keys"
@@ -65,6 +61,9 @@ do_install() {
    install -d ${D}${EFI_TARGET}
    oe_runmake install EFI_DESTDIR=${D}${EFI_TARGET}
+    # Remove precompiled files, now provided by OVMF
+    rm -f ${D}${EFI_TARGET}/Hash2DxeCrypto.efi
+    rm -f ${D}${EFI_TARGET}/Pkcs7VerifyDxe.efi
    if [ x"${UEFI_SB}" = x"1" ]; then
        if [ x"${MOK_SB}" != x"1" ]; then
@@ -80,8 +79,6 @@ do_deploy() {
    install -m 0600 "${B}/Src/Efi/SELoader.efi" \
        "${DEPLOYDIR}/efi-unsigned/SELoader${EFI_ARCH}.efi"
-    install -m 0600 "${B}/Bin/Hash2DxeCrypto.efi" "${DEPLOYDIR}/efi-unsigned"
-    install -m 0600 "${B}/Bin/Pkcs7VerifyDxe.efi" "${DEPLOYDIR}/efi-unsigned"
    # Deploy the signed images
    if [ x"${UEFI_SB}" = x"1" -a x"${MOK_SB}" != x"1" ]; then
@@ -91,15 +88,11 @@ do_deploy() {
    fi
    install -m 0600 "${D}${EFI_TARGET}/${SEL_NAME}${EFI_ARCH}.efi" \
        "${DEPLOYDIR}/${SEL_NAME}${EFI_ARCH}.efi"
-    install -m 0600 "${D}${EFI_TARGET}/Hash2DxeCrypto.efi" \
-        "${DEPLOYDIR}/Hash2DxeCrypto.efi"
-    install -m 0600 "${D}${EFI_TARGET}/Pkcs7VerifyDxe.efi" \
-        "${DEPLOYDIR}/Pkcs7VerifyDxe.efi"
 }
 addtask deploy after do_install before do_build
+RDEPENDS_${PN} += "ovmf-pkcs7-efi"
 FILES_${PN} += "${EFI_TARGET}"
 SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/efi-unsigned"
-SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/Hash2DxeCrypto.efi"
-SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/Pkcs7VerifyDxe.efi"
diff --git a/meta-efi-secure-boot/recipes-core/ovmf/ovmf_%.bbappend b/meta-efi-secure-boot/recipes-core/ovmf/ovmf_%.bbappend
new file mode 100644
index 0000000..69a0e4b
--- /dev/null
+++ b/meta-efi-secure-boot/recipes-core/ovmf/ovmf_%.bbappend
@@ -0,0 +1,59 @@
+inherit user-key-store
+PACKAGECONFIG_append = " secureboot"
+# For SELoader
+do_compile_class-target_append() {
+    if ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'true', 'false', d)}; then
+        secbuild_dir="${S}/Build/SecurityPkg/RELEASE_${FIXED_GCCVER}"
+        ${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS} -p SecurityPkg/SecurityPkg.dsc
+        ln ${secbuild_dir}/${OVMF_ARCH}/Hash2DxeCrypto.efi ${WORKDIR}/ovmf/
+        ln ${secbuild_dir}/${OVMF_ARCH}/Pkcs7VerifyDxe.efi ${WORKDIR}/ovmf/
+    fi
+}
+EFI_TARGET = "/boot/efi/EFI/BOOT"
+do_install_class-target_append() {
+    if ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'true', 'false', d)}; then
+        mkdir -p ${D}${EFI_TARGET}
+        if [ x"${UEFI_SB}" = x"1" ]; then
+            install ${WORKDIR}/ovmf/Hash2DxeCrypto.efi.signed ${D}${EFI_TARGET}/Hash2DxeCrypto.efi
+            install ${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi.signed ${D}${EFI_TARGET}/Pkcs7VerifyDxe.efi
+        else
+            install ${WORKDIR}/ovmf/Hash2DxeCrypto.efi ${D}${EFI_TARGET}/Hash2DxeCrypto.efi
+            install ${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi ${D}${EFI_TARGET}/Pkcs7VerifyDxe.efi
+        fi
+    fi
+}
+python do_sign() {
+}
+python do_sign_class-target() {
+    sb_sign(d.expand('${WORKDIR}/ovmf/Hash2DxeCrypto.efi'), d.expand('${WORKDIR}/ovmf/Hash2DxeCrypto.efi.signed'), d)
+    sb_sign(d.expand('${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi'), d.expand('${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi.signed'), d)
+}
+addtask sign after do_compile before do_install
+do_deploy_class-target_append() {
+    if [ x"${UEFI_SB}" = x"1" ]; then
+        install -d ${DEPLOYDIR}/efi-unsigned
+        install ${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi "${DEPLOYDIR}/efi-unsigned/Pkcs7VerifyDxe.efi"
+        install ${WORKDIR}/ovmf/Hash2DxeCrypto.efi "${DEPLOYDIR}/efi-unsigned/Hash2DxeCrypto.efi"
+        install ${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi.signed "${DEPLOYDIR}/Pkcs7VerifyDxe.efi"
+        install ${WORKDIR}/ovmf/Hash2DxeCrypto.efi.signed "${DEPLOYDIR}/Hash2DxeCrypto.efi"
+    else
+        install ${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi "${DEPLOYDIR}/Pkcs7VerifyDxe.efi"
+        install ${WORKDIR}/ovmf/Hash2DxeCrypto.efi "${DEPLOYDIR}/Hash2DxeCrypto.efi"
+    fi
+}
+PACKAGES += " \
+   ovmf-pkcs7-efi \
+"
+FILES_ovmf-pkcs7-efi += " \
+    ${EFI_TARGET}/Hash2DxeCrypto.efi \
+    ${EFI_TARGET}/Pkcs7VerifyDxe.efi \
+"
author	Jia Zhang <qianyue.zj@alibaba-inc.com>	2019-09-04 22:20:29 +0800
committer	GitHub <noreply@github.com>	2019-09-04 22:20:29 +0800
commit	0cea6e869fe9b1597042b2febaa60c85710ba306 (patch)
tree	58fb9da74ff4b530f2a1ffccc79456370f822aa1
parent	df51a87b5a8a99902a43cf3ec139df0a0927fe81 (diff)
parent	883be5aff51ab9e752357fae358d654529bf3d1f (diff)
download	meta-secure-core-0cea6e869fe9b1597042b2febaa60c85710ba306.tar.gz

diff --git a/meta-efi-secure-boot/recipes-bsp/seloader/seloader_git.bb b/meta-efi-secure-boot/recipes-bsp/seloader/seloader_git.bb index 0931af3..fee1504 100644 --- a/meta-efi-secure-boot/recipes-bsp/seloader/seloader_git.bb +++ b/meta-efi-secure-boot/recipes-bsp/seloader/seloader_git.bb
@@ -21,7 +21,7 @@ LICENSE = "BSD-3-Clause"
21	LIC_FILES_CHKSUM = "file://LICENSE;md5=d9bf404642f21afb4ad89f95d7bc91ee"	21	LIC_FILES_CHKSUM = "file://LICENSE;md5=d9bf404642f21afb4ad89f95d7bc91ee"
22		22
23	DEPENDS += "\	23	DEPENDS += "\
24	gnu-efi sbsigntool-native openssl-native \	24	gnu-efi sbsigntool-native openssl-native ovmf \
25	"	25	"
26		26
27	PV = "0.4.6+git${SRCPV}"	27	PV = "0.4.6+git${SRCPV}"
@@ -53,10 +53,6 @@ EFI_TARGET = "/boot/efi/EFI/BOOT"
53	python do_sign() {	53	python do_sign() {
54	sb_sign(d.expand('${B}/Src/Efi/SELoader.efi'), \	54	sb_sign(d.expand('${B}/Src/Efi/SELoader.efi'), \
55	d.expand('${B}/Src/Efi/SELoader.efi.signed'), d)	55	d.expand('${B}/Src/Efi/SELoader.efi.signed'), d)
56	sb_sign(d.expand('${B}/Bin/Hash2DxeCrypto.efi'), \
57	d.expand('${B}/Bin/Hash2DxeCrypto.efi.signed'), d)
58	sb_sign(d.expand('${B}/Bin/Pkcs7VerifyDxe.efi'), \
59	d.expand('${B}/Bin/Pkcs7VerifyDxe.efi.signed'), d)
60	}	56	}
61	addtask sign after do_compile before do_install	57	addtask sign after do_compile before do_install
62	do_sign[prefuncs] += "check_deploy_keys"	58	do_sign[prefuncs] += "check_deploy_keys"
@@ -65,6 +61,9 @@ do_install() {
65	install -d ${D}${EFI_TARGET}	61	install -d ${D}${EFI_TARGET}
66		62
67	oe_runmake install EFI_DESTDIR=${D}${EFI_TARGET}	63	oe_runmake install EFI_DESTDIR=${D}${EFI_TARGET}
		64	# Remove precompiled files, now provided by OVMF
		65	rm -f ${D}${EFI_TARGET}/Hash2DxeCrypto.efi
		66	rm -f ${D}${EFI_TARGET}/Pkcs7VerifyDxe.efi
68		67
69	if [ x"${UEFI_SB}" = x"1" ]; then	68	if [ x"${UEFI_SB}" = x"1" ]; then
70	if [ x"${MOK_SB}" != x"1" ]; then	69	if [ x"${MOK_SB}" != x"1" ]; then
@@ -80,8 +79,6 @@ do_deploy() {
80		79
81	install -m 0600 "${B}/Src/Efi/SELoader.efi" \	80	install -m 0600 "${B}/Src/Efi/SELoader.efi" \
82	"${DEPLOYDIR}/efi-unsigned/SELoader${EFI_ARCH}.efi"	81	"${DEPLOYDIR}/efi-unsigned/SELoader${EFI_ARCH}.efi"
83	install -m 0600 "${B}/Bin/Hash2DxeCrypto.efi" "${DEPLOYDIR}/efi-unsigned"
84	install -m 0600 "${B}/Bin/Pkcs7VerifyDxe.efi" "${DEPLOYDIR}/efi-unsigned"
85		82
86	# Deploy the signed images	83	# Deploy the signed images
87	if [ x"${UEFI_SB}" = x"1" -a x"${MOK_SB}" != x"1" ]; then	84	if [ x"${UEFI_SB}" = x"1" -a x"${MOK_SB}" != x"1" ]; then
@@ -91,15 +88,11 @@ do_deploy() {
91	fi	88	fi
92	install -m 0600 "${D}${EFI_TARGET}/${SEL_NAME}${EFI_ARCH}.efi" \	89	install -m 0600 "${D}${EFI_TARGET}/${SEL_NAME}${EFI_ARCH}.efi" \
93	"${DEPLOYDIR}/${SEL_NAME}${EFI_ARCH}.efi"	90	"${DEPLOYDIR}/${SEL_NAME}${EFI_ARCH}.efi"
94	install -m 0600 "${D}${EFI_TARGET}/Hash2DxeCrypto.efi" \
95	"${DEPLOYDIR}/Hash2DxeCrypto.efi"
96	install -m 0600 "${D}${EFI_TARGET}/Pkcs7VerifyDxe.efi" \
97	"${DEPLOYDIR}/Pkcs7VerifyDxe.efi"
98	}	91	}
99	addtask deploy after do_install before do_build	92	addtask deploy after do_install before do_build
100		93
		94	RDEPENDS_${PN} += "ovmf-pkcs7-efi"
		95
101	FILES_${PN} += "${EFI_TARGET}"	96	FILES_${PN} += "${EFI_TARGET}"
102		97
103	SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/efi-unsigned"	98	SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/efi-unsigned"
104	SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/Hash2DxeCrypto.efi"
105	SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/Pkcs7VerifyDxe.efi"


diff --git a/meta-efi-secure-boot/recipes-core/ovmf/ovmf_%.bbappend b/meta-efi-secure-boot/recipes-core/ovmf/ovmf_%.bbappend new file mode 100644 index 0000000..69a0e4b --- /dev/null +++ b/meta-efi-secure-boot/recipes-core/ovmf/ovmf_%.bbappend
@@ -0,0 +1,59 @@
		1	inherit user-key-store
		2
		3	PACKAGECONFIG_append = " secureboot"
		4
		5	# For SELoader
		6	do_compile_class-target_append() {
		7	if ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'true', 'false', d)}; then
		8	secbuild_dir="${S}/Build/SecurityPkg/RELEASE_${FIXED_GCCVER}"
		9	${S}/OvmfPkg/build.sh $PARALLEL_JOBS -a $OVMF_ARCH -b RELEASE -t ${FIXED_GCCVER} ${OVMF_SECURE_BOOT_FLAGS} -p SecurityPkg/SecurityPkg.dsc
		10	ln ${secbuild_dir}/${OVMF_ARCH}/Hash2DxeCrypto.efi ${WORKDIR}/ovmf/
		11	ln ${secbuild_dir}/${OVMF_ARCH}/Pkcs7VerifyDxe.efi ${WORKDIR}/ovmf/
		12	fi
		13	}
		14
		15	EFI_TARGET = "/boot/efi/EFI/BOOT"
		16
		17	do_install_class-target_append() {
		18	if ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'true', 'false', d)}; then
		19	mkdir -p ${D}${EFI_TARGET}
		20	if [ x"${UEFI_SB}" = x"1" ]; then
		21	install ${WORKDIR}/ovmf/Hash2DxeCrypto.efi.signed ${D}${EFI_TARGET}/Hash2DxeCrypto.efi
		22	install ${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi.signed ${D}${EFI_TARGET}/Pkcs7VerifyDxe.efi
		23	else
		24	install ${WORKDIR}/ovmf/Hash2DxeCrypto.efi ${D}${EFI_TARGET}/Hash2DxeCrypto.efi
		25	install ${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi ${D}${EFI_TARGET}/Pkcs7VerifyDxe.efi
		26	fi
		27	fi
		28	}
		29
		30	python do_sign() {
		31	}
		32
		33	python do_sign_class-target() {
		34	sb_sign(d.expand('${WORKDIR}/ovmf/Hash2DxeCrypto.efi'), d.expand('${WORKDIR}/ovmf/Hash2DxeCrypto.efi.signed'), d)
		35	sb_sign(d.expand('${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi'), d.expand('${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi.signed'), d)
		36	}
		37	addtask sign after do_compile before do_install
		38
		39	do_deploy_class-target_append() {
		40	if [ x"${UEFI_SB}" = x"1" ]; then
		41	install -d ${DEPLOYDIR}/efi-unsigned
		42	install ${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi "${DEPLOYDIR}/efi-unsigned/Pkcs7VerifyDxe.efi"
		43	install ${WORKDIR}/ovmf/Hash2DxeCrypto.efi "${DEPLOYDIR}/efi-unsigned/Hash2DxeCrypto.efi"
		44	install ${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi.signed "${DEPLOYDIR}/Pkcs7VerifyDxe.efi"
		45	install ${WORKDIR}/ovmf/Hash2DxeCrypto.efi.signed "${DEPLOYDIR}/Hash2DxeCrypto.efi"
		46	else
		47	install ${WORKDIR}/ovmf/Pkcs7VerifyDxe.efi "${DEPLOYDIR}/Pkcs7VerifyDxe.efi"
		48	install ${WORKDIR}/ovmf/Hash2DxeCrypto.efi "${DEPLOYDIR}/Hash2DxeCrypto.efi"
		49	fi
		50	}
		51
		52	PACKAGES += " \
		53	ovmf-pkcs7-efi \
		54	"
		55
		56	FILES_ovmf-pkcs7-efi += " \
		57	${EFI_TARGET}/Hash2DxeCrypto.efi \
		58	${EFI_TARGET}/Pkcs7VerifyDxe.efi \
		59	"