diff options
| author | Jason Wessel <jason.wessel@windriver.com> | 2019-10-24 14:14:55 -0700 |
|---|---|---|
| committer | Jia Zhang <zhang.jia@linux.alibaba.com> | 2019-11-08 13:27:23 +0800 |
| commit | 31d2105b7a4b8535f8ddb252857af483e4ab32fd (patch) | |
| tree | c301db25efe205c5a32a7cb49809c44012f14916 | |
| parent | 59a1f79ad80140ccd1788dcffe4ca609f3e25df2 (diff) | |
| download | meta-secure-core-31d2105b7a4b8535f8ddb252857af483e4ab32fd.tar.gz | |
secure boot: Make SELoader optional and copy sig files when GRUB_SIGN_VERIFY=1
This commit makes the SELoader entire optional and allows it to be
removed, with the intended replacement being to use grub's built in
gpg key verification.
It will be possible in a template or local.conf:
UEFI_SELOADER = "0"
GRUB_SIGN_VERIFY = "1"
[ Issue: LINUXEXEC-2450 ]
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
7 files changed, 62 insertions, 30 deletions
diff --git a/meta-efi-secure-boot/recipes-base/packagegroups/packagegroup-efi-secure-boot.bb b/meta-efi-secure-boot/recipes-base/packagegroups/packagegroup-efi-secure-boot.bb index 1dee84e..341e767 100644 --- a/meta-efi-secure-boot/recipes-base/packagegroups/packagegroup-efi-secure-boot.bb +++ b/meta-efi-secure-boot/recipes-base/packagegroups/packagegroup-efi-secure-boot.bb | |||
| @@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "\ | |||
| 6 | 6 | ||
| 7 | S = "${WORKDIR}" | 7 | S = "${WORKDIR}" |
| 8 | 8 | ||
| 9 | SELOADER_PKG = "${@'seloader' if d.getVar('UEFI_SELOADER', True) == '1' else ''}" | ||
| 9 | ALLOW_EMPTY_${PN} = "1" | 10 | ALLOW_EMPTY_${PN} = "1" |
| 10 | 11 | ||
| 11 | pkgs = "\ | 12 | pkgs = "\ |
| @@ -13,7 +14,7 @@ pkgs = "\ | |||
| 13 | efitools \ | 14 | efitools \ |
| 14 | efibootmgr \ | 15 | efibootmgr \ |
| 15 | mokutil \ | 16 | mokutil \ |
| 16 | seloader \ | 17 | ${SELOADER_PKG} \ |
| 17 | shim \ | 18 | shim \ |
| 18 | " | 19 | " |
| 19 | 20 | ||
diff --git a/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc b/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc index a1a1d1d..9006fd3 100644 --- a/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc +++ b/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc | |||
| @@ -59,6 +59,17 @@ do_install() { | |||
| 59 | oe_runmake install DESTDIR='${D}${base_prefix}' | 59 | oe_runmake install DESTDIR='${D}${base_prefix}' |
| 60 | } | 60 | } |
| 61 | 61 | ||
| 62 | fakeroot python do_sign_class-target() { | ||
| 63 | image_dir = d.getVar('D', True) | ||
| 64 | efi_boot_path = d.getVar('EFI_BOOT_PATH', True) | ||
| 65 | uks_boot_sign(os.path.join(image_dir + efi_boot_path, 'LockDown.efi'), d) | ||
| 66 | } | ||
| 67 | addtask sign after do_install before do_deploy do_package | ||
| 68 | do_sign[prefuncs] += "${@'check_boot_public_key' if d.getVar('GRUB_SIGN_VERIFY', True) == '1' else ''}" | ||
| 69 | |||
| 70 | fakeroot python do_sign() { | ||
| 71 | } | ||
| 72 | |||
| 62 | FILES_${PN} += "${EFI_BOOT_PATH}" | 73 | FILES_${PN} += "${EFI_BOOT_PATH}" |
| 63 | 74 | ||
| 64 | SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/LockDown.efi" | 75 | SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/LockDown.efi" |
diff --git a/meta-efi-secure-boot/recipes-bsp/efitools/efitools_git.bb b/meta-efi-secure-boot/recipes-bsp/efitools/efitools_git.bb index efa8674..763ab72 100644 --- a/meta-efi-secure-boot/recipes-bsp/efitools/efitools_git.bb +++ b/meta-efi-secure-boot/recipes-bsp/efitools/efitools_git.bb | |||
| @@ -77,6 +77,9 @@ do_deploy() { | |||
| 77 | install -d ${DEPLOYDIR} | 77 | install -d ${DEPLOYDIR} |
| 78 | 78 | ||
| 79 | install -m 0600 ${D}${EFI_BOOT_PATH}/LockDown.efi "${DEPLOYDIR}" | 79 | install -m 0600 ${D}${EFI_BOOT_PATH}/LockDown.efi "${DEPLOYDIR}" |
| 80 | if [ -e ${D}${EFI_BOOT_PATH}/LockDown.efi.sig ] ; then | ||
| 81 | install -m 0600 ${D}${EFI_BOOT_PATH}/LockDown.efi.sig "${DEPLOYDIR}" | ||
| 82 | fi | ||
| 80 | } | 83 | } |
| 81 | addtask deploy after do_install before do_build | 84 | addtask deploy after do_install before do_build |
| 82 | 85 | ||
diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb b/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb index e7eef0c..6ebe282 100644 --- a/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb +++ b/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb | |||
| @@ -41,6 +41,8 @@ S = "${WORKDIR}/git" | |||
| 41 | 41 | ||
| 42 | inherit deploy user-key-store | 42 | inherit deploy user-key-store |
| 43 | 43 | ||
| 44 | SHIM_DEFAULT_LOADER = "${@'DEFAULT_LOADER=\\\\\\\\\\\\SELoader${EFI_ARCH}.efi' if d.getVar('UEFI_SELOADER', True) == '1' else ''}" | ||
| 45 | |||
| 44 | EXTRA_OEMAKE = "\ | 46 | EXTRA_OEMAKE = "\ |
| 45 | CROSS_COMPILE="${TARGET_PREFIX}" \ | 47 | CROSS_COMPILE="${TARGET_PREFIX}" \ |
| 46 | prefix="${STAGING_DIR_HOST}/${prefix}" \ | 48 | prefix="${STAGING_DIR_HOST}/${prefix}" \ |
| @@ -49,9 +51,9 @@ EXTRA_OEMAKE = "\ | |||
| 49 | EFI_PATH="${STAGING_LIBDIR}" \ | 51 | EFI_PATH="${STAGING_LIBDIR}" \ |
| 50 | EFI_INCLUDE="${STAGING_INCDIR}/efi" \ | 52 | EFI_INCLUDE="${STAGING_INCDIR}/efi" \ |
| 51 | RELEASE="_${DISTRO}_${DISTRO_VERSION}" \ | 53 | RELEASE="_${DISTRO}_${DISTRO_VERSION}" \ |
| 52 | DEFAULT_LOADER=\\\\\\SELoader${EFI_ARCH}.efi \ | ||
| 53 | OPENSSL=${STAGING_BINDIR_NATIVE}/openssl \ | 54 | OPENSSL=${STAGING_BINDIR_NATIVE}/openssl \ |
| 54 | HEXDUMP=${STAGING_BINDIR_NATIVE}/hexdump \ | 55 | HEXDUMP=${STAGING_BINDIR_NATIVE}/hexdump \ |
| 56 | ${SHIM_DEFAULT_LOADER} \ | ||
| 55 | PK12UTIL=${STAGING_BINDIR_NATIVE}/pk12util \ | 57 | PK12UTIL=${STAGING_BINDIR_NATIVE}/pk12util \ |
| 56 | CERTUTIL=${STAGING_BINDIR_NATIVE}/certutil \ | 58 | CERTUTIL=${STAGING_BINDIR_NATIVE}/certutil \ |
| 57 | SBSIGN=${STAGING_BINDIR_NATIVE}/sbsign \ | 59 | SBSIGN=${STAGING_BINDIR_NATIVE}/sbsign \ |
diff --git a/meta-efi-secure-boot/recipes-core/images/kernel-initramfs-efi-secure-boot.inc b/meta-efi-secure-boot/recipes-core/images/kernel-initramfs-efi-secure-boot.inc index fb073a1..1a7a74f 100644 --- a/meta-efi-secure-boot/recipes-core/images/kernel-initramfs-efi-secure-boot.inc +++ b/meta-efi-secure-boot/recipes-core/images/kernel-initramfs-efi-secure-boot.inc | |||
| @@ -7,31 +7,35 @@ do_install[nostamp] = "1" | |||
| 7 | fakeroot python do_sign() { | 7 | fakeroot python do_sign() { |
| 8 | if d.getVar('BUNDLE', True) == '0': | 8 | if d.getVar('BUNDLE', True) == '0': |
| 9 | for compr in d.getVar('INITRAMFS_FSTYPES').split(): | 9 | for compr in d.getVar('INITRAMFS_FSTYPES').split(): |
| 10 | uks_sel_sign(d.expand('${D}/boot/${INITRAMFS_IMAGE}${INITRAMFS_EXT_NAME}.') + compr, d) | 10 | uks_bl_sign(d.expand('${D}/boot/${INITRAMFS_IMAGE}${INITRAMFS_EXT_NAME}.') + compr, d) |
| 11 | else: | 11 | else: |
| 12 | uks_sel_sign(d.expand('${D}/boot/${KERNEL_IMAGETYPE}-initramfs${INITRAMFS_EXT_NAME}'), d) | 12 | uks_bl_sign(d.expand('${D}/boot/${KERNEL_IMAGETYPE}-initramfs${INITRAMFS_EXT_NAME}'), d) |
| 13 | } | 13 | } |
| 14 | addtask sign after do_install before do_deploy do_package | 14 | addtask sign after do_install before do_deploy do_package |
| 15 | do_sign[prefuncs] += "check_deploy_keys" | 15 | do_sign[prefuncs] += "check_deploy_keys" |
| 16 | do_sign[prefuncs] += "${@'check_boot_public_key' if d.getVar('GRUB_SIGN_VERIFY', True) == '1' else ''}" | ||
| 16 | 17 | ||
| 17 | do_deploy() { | 18 | do_deploy() { |
| 18 | install -d "${DEPLOYDIR}" | 19 | install -d "${DEPLOYDIR}" |
| 19 | for SIG in ${D}/boot/*.p7b; do | 20 | if [ "${UEFI_SELOADER}" = "1" ] ; then |
| 20 | install -m 0644 ${SIG} ${DEPLOYDIR} | 21 | for SIG in ${D}/boot/*${SB_FILE_EXT}; do |
| 21 | done | 22 | install -m 0644 ${SIG} ${DEPLOYDIR} |
| 23 | done | ||
| 24 | fi | ||
| 22 | } | 25 | } |
| 23 | addtask deploy after do_install before do_build | 26 | addtask deploy after do_install before do_build |
| 24 | 27 | ||
| 25 | python do_package_prepend () { | 28 | python do_package_prepend () { |
| 29 | ext = d.expand('${SB_FILE_EXT}') | ||
| 26 | if d.getVar('BUNDLE') == '1': | 30 | if d.getVar('BUNDLE') == '1': |
| 27 | d.appendVar(d.expand('ALTERNATIVE_${PN}'), ' ' + d.expand('${KERNEL_IMAGETYPE}' + '-initramfs.p7b')) | 31 | d.appendVar(d.expand('ALTERNATIVE_${PN}'), ' ' + d.expand('${KERNEL_IMAGETYPE}' + '-initramfs' + ext)) |
| 28 | d.setVarFlag('ALTERNATIVE_LINK_NAME', d.expand('${KERNEL_IMAGETYPE}') + '-initramfs.p7b', d.expand('/boot/${KERNEL_IMAGETYPE}-initramfs.p7b')) | 32 | d.setVarFlag('ALTERNATIVE_LINK_NAME', d.expand('${KERNEL_IMAGETYPE}') + '-initramfs' + ext, d.expand('/boot/${KERNEL_IMAGETYPE}-initramfs' + ext)) |
| 29 | d.setVarFlag('ALTERNATIVE_TARGET', d.expand('${KERNEL_IMAGETYPE}') + '-initramfs.p7b', d.expand('/boot/${KERNEL_IMAGETYPE}-initramfs${INITRAMFS_EXT_NAME}.p7b')) | 33 | d.setVarFlag('ALTERNATIVE_TARGET', d.expand('${KERNEL_IMAGETYPE}') + '-initramfs' + ext, d.expand('/boot/${KERNEL_IMAGETYPE}-initramfs${INITRAMFS_EXT_NAME}' + ext)) |
| 30 | d.setVarFlag('ALTERNATIVE_PRIORITY', d.expand('${KERNEL_IMAGETYPE}') + '-initramfs.p7b', '50101') | 34 | d.setVarFlag('ALTERNATIVE_PRIORITY', d.expand('${KERNEL_IMAGETYPE}') + '-initramfs' + ext, '50101') |
| 31 | else: | 35 | else: |
| 32 | for compr in d.getVar('INITRAMFS_FSTYPES').split(): | 36 | for compr in d.getVar('INITRAMFS_FSTYPES').split(): |
| 33 | d.appendVar(d.expand('ALTERNATIVE_${PN}'), ' ' + d.expand('${INITRAMFS_IMAGE}') + '.p7b') | 37 | d.appendVar(d.expand('ALTERNATIVE_${PN}'), ' ' + d.expand('${INITRAMFS_IMAGE}') + ext) |
| 34 | d.setVarFlag('ALTERNATIVE_LINK_NAME', d.expand('${INITRAMFS_IMAGE}') + '.p7b', d.expand('/boot/${INITRAMFS_IMAGE}.p7b')) | 38 | d.setVarFlag('ALTERNATIVE_LINK_NAME', d.expand('${INITRAMFS_IMAGE}') + ext, d.expand('/boot/${INITRAMFS_IMAGE}.p7b')) |
| 35 | d.setVarFlag('ALTERNATIVE_TARGET', d.expand('${INITRAMFS_IMAGE}') + '.p7b', d.expand('/boot/${INITRAMFS_IMAGE}${INITRAMFS_EXT_NAME}.' + compr + '.p7b')) | 39 | d.setVarFlag('ALTERNATIVE_TARGET', d.expand('${INITRAMFS_IMAGE}') + ext, d.expand('/boot/${INITRAMFS_IMAGE}${INITRAMFS_EXT_NAME}.' + compr + ext)) |
| 36 | d.setVarFlag('ALTERNATIVE_PRIORITY', d.expand('${INITRAMFS_IMAGE}') + '.p7b', '50101') | 40 | d.setVarFlag('ALTERNATIVE_PRIORITY', d.expand('${INITRAMFS_IMAGE}') + ext, '50101') |
| 37 | } | 41 | } |
diff --git a/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-efi-secure-boot.inc b/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-efi-secure-boot.inc index df594ba..34b2eb5 100644 --- a/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-efi-secure-boot.inc +++ b/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-efi-secure-boot.inc | |||
| @@ -29,17 +29,19 @@ fakeroot python do_sign() { | |||
| 29 | 29 | ||
| 30 | # SELoader signature is always based on the unsigned kernel image, | 30 | # SELoader signature is always based on the unsigned kernel image, |
| 31 | # disallowing chainloader to kernel efi-stub. | 31 | # disallowing chainloader to kernel efi-stub. |
| 32 | uks_sel_sign(kernel, d) | 32 | uks_bl_sign(kernel, d) |
| 33 | 33 | ||
| 34 | shutil.copyfile(kernel, d.expand('${D}/boot/') + type + d.expand('-${KERNEL_RELEASE}')) | 34 | shutil.copyfile(kernel, d.expand('${D}/boot/') + type + d.expand('-${KERNEL_RELEASE}')) |
| 35 | shutil.copyfile(kernel + '.p7b', d.expand('${D}/boot/') + type + d.expand('-${KERNEL_RELEASE}.p7b')) | 35 | ext = d.expand('${SB_FILE_EXT}') |
| 36 | os.symlink(type + d.expand('-${KERNEL_RELEASE}.p7b'), d.expand('${D}/boot/') + type + '.p7b') | 36 | shutil.copyfile(kernel + ext, d.expand('${D}/boot/') + type + d.expand('-${KERNEL_RELEASE}' + ext)) |
| 37 | os.symlink(type + d.expand('-${KERNEL_RELEASE}' + ext), d.expand('${D}/boot/') + type + ext) | ||
| 37 | } | 38 | } |
| 38 | 39 | ||
| 39 | # Make sure the kernel image has been signed before kernel_do_deploy() | 40 | # Make sure the kernel image has been signed before kernel_do_deploy() |
| 40 | # which prepares the kernel image for creating usb/iso. | 41 | # which prepares the kernel image for creating usb/iso. |
| 41 | addtask sign after do_install before do_package do_populate_sysroot do_deploy | 42 | addtask sign after do_install before do_package do_populate_sysroot do_deploy |
| 42 | do_sign[prefuncs] += "check_deploy_keys" | 43 | do_sign[prefuncs] += "check_deploy_keys" |
| 44 | do_sign[prefuncs] += "${@'check_boot_public_key' if d.getVar('GRUB_SIGN_VERIFY', True) == '1' else ''}" | ||
| 43 | 45 | ||
| 44 | fakeroot python do_sign_bundled_kernel() { | 46 | fakeroot python do_sign_bundled_kernel() { |
| 45 | import re | 47 | import re |
| @@ -63,10 +65,11 @@ fakeroot python do_sign_bundled_kernel() { | |||
| 63 | 65 | ||
| 64 | # SELoader signature is always based on the unsigned kernel image, | 66 | # SELoader signature is always based on the unsigned kernel image, |
| 65 | # disallowing chainloader to kernel efi-stub. | 67 | # disallowing chainloader to kernel efi-stub. |
| 66 | uks_sel_sign(kernel, d) | 68 | uks_bl_sign(kernel, d) |
| 67 | 69 | ||
| 68 | shutil.copyfile(kernel, d.expand('${D}/boot/') + type + d.expand('-initramfs-${MACHINE}.bin')) | 70 | shutil.copyfile(kernel, d.expand('${D}/boot/') + type + d.expand('-initramfs-${MACHINE}.bin')) |
| 69 | shutil.copyfile(kernel + '.p7b', d.expand('${D}/boot/') + type + d.expand('-initramfs-${MACHINE}.bin.p7b')) | 71 | ext = d.expand('${SB_FILE_EXT}') |
| 72 | shutil.copyfile(kernel + ext, d.expand('${D}/boot/') + type + d.expand('-initramfs-${MACHINE}.bin' + ext)) | ||
| 70 | } | 73 | } |
| 71 | addtask sign_bundled_kernel after do_bundle_initramfs before do_deploy | 74 | addtask sign_bundled_kernel after do_bundle_initramfs before do_deploy |
| 72 | 75 | ||
| @@ -82,24 +85,24 @@ do_deploy_append() { | |||
| 82 | install -m 0644 "${B}/$imageType.initramfs.unsigned" "${DEPLOYDIR}/efi-unsigned/$imageType.initramfs" | 85 | install -m 0644 "${B}/$imageType.initramfs.unsigned" "${DEPLOYDIR}/efi-unsigned/$imageType.initramfs" |
| 83 | fi | 86 | fi |
| 84 | 87 | ||
| 85 | if [ -f "${D}/boot/$imageType-initramfs-${MACHINE}.bin.p7b" ]; then | 88 | if [ -f "${D}/boot/$imageType-initramfs-${MACHINE}.bin${SB_FILE_EXT}" ]; then |
| 86 | install -m 0644 "${D}/boot/$imageType-initramfs-${MACHINE}.bin.p7b" "${DEPLOYDIR}" | 89 | install -m 0644 "${D}/boot/$imageType-initramfs-${MACHINE}.bin${SB_FILE_EXT}" "${DEPLOYDIR}" |
| 87 | fi | 90 | fi |
| 88 | 91 | ||
| 89 | if [ -f "${B}/${KERNEL_OUTPUT_DIR}/$imageType.p7b" ]; then | 92 | if [ -f "${B}/${KERNEL_OUTPUT_DIR}/$imageType${SB_FILE_EXT}" ]; then |
| 90 | base_name="${imageType}-${KERNEL_IMAGE_NAME}.bin.p7b" | 93 | base_name="${imageType}-${KERNEL_IMAGE_NAME}.bin${SB_FILE_EXT}" |
| 91 | 94 | ||
| 92 | install -m 0644 "${B}/${KERNEL_OUTPUT_DIR}/$imageType.p7b" "${DEPLOYDIR}/$base_name" | 95 | install -m 0644 "${B}/${KERNEL_OUTPUT_DIR}/$imageType${SB_FILE_EXT}" "${DEPLOYDIR}/$base_name" |
| 93 | ln -sf "$base_name" "${DEPLOYDIR}/$imageType-${KERNEL_IMAGE_LINK_NAME}.bin.p7b" | 96 | ln -sf "$base_name" "${DEPLOYDIR}/$imageType-${KERNEL_IMAGE_LINK_NAME}.bin${SB_FILE_EXT}" |
| 94 | ln -sf "$base_name" "${DEPLOYDIR}/$imageType.p7b" | 97 | ln -sf "$base_name" "${DEPLOYDIR}/$imageType${SB_FILE_EXT}" |
| 95 | fi | 98 | fi |
| 96 | done | 99 | done |
| 97 | } | 100 | } |
| 98 | 101 | ||
| 99 | # Ship *.p7b files to related packages | 102 | # Ship *.p7b or *.sig files to related packages |
| 100 | python do_package_prepend() { | 103 | python do_package_prepend() { |
| 101 | for type in d.expand('${KERNEL_IMAGETYPES}').split(): | 104 | for type in d.expand('${KERNEL_IMAGETYPES}').split(): |
| 102 | typelower = type.lower() | 105 | typelower = type.lower() |
| 103 | d.appendVar('FILES_kernel-image-' + typelower, ' /boot/' + type + d.expand('-${KERNEL_VERSION_NAME}.p7b')) | 106 | d.appendVar('FILES_kernel-image-' + typelower, ' /boot/' + type + d.expand('-${KERNEL_VERSION_NAME}${SB_FILE_EXT}')) |
| 104 | d.appendVar('FILES_kernel-image-' + typelower, ' /boot/' + type + '.p7b') | 107 | d.appendVar('FILES_kernel-image-' + typelower, ' /boot/' + type + d.expand('${SB_FILE_EXT}')) |
| 105 | } | 108 | } |
diff --git a/meta-signing-key/classes/user-key-store.bbclass b/meta-signing-key/classes/user-key-store.bbclass index 7abe1cf..f9ca09a 100644 --- a/meta-signing-key/classes/user-key-store.bbclass +++ b/meta-signing-key/classes/user-key-store.bbclass | |||
| @@ -413,6 +413,9 @@ def deploy_keys(name, d): | |||
| 413 | bb.build.exec_func('deploy_' + name.lower() + '_keys', d) | 413 | bb.build.exec_func('deploy_' + name.lower() + '_keys', d) |
| 414 | 414 | ||
| 415 | def sanity_check_user_keys(name, may_exit, d): | 415 | def sanity_check_user_keys(name, may_exit, d): |
| 416 | if d.getVar('UEFI_SELOADER', True) == '1' and d.getVar('GRUB_SIGN_VERIFY', True) == '1': | ||
| 417 | bb.fatal("UEFI_SELOADER and GRUB_SIGN_VERIFY cannot both be set to '1'") | ||
| 418 | |||
| 416 | if name == 'UEFI_SB': | 419 | if name == 'UEFI_SB': |
| 417 | _ = check_uefi_sb_user_keys(d) | 420 | _ = check_uefi_sb_user_keys(d) |
| 418 | elif name == 'MOK_SB': | 421 | elif name == 'MOK_SB': |
| @@ -521,5 +524,10 @@ def boot_sign(input, d): | |||
| 521 | bb.fatal('Failed to sign: %s' % (input)) | 524 | bb.fatal('Failed to sign: %s' % (input)) |
| 522 | 525 | ||
| 523 | def uks_boot_sign(input, d): | 526 | def uks_boot_sign(input, d): |
| 527 | boot_sign(input, d) | ||
| 528 | |||
| 529 | def uks_bl_sign(input, d): | ||
| 530 | if d.getVar('UEFI_SELOADER', True) == '1': | ||
| 531 | uks_sel_sign(input, d) | ||
| 524 | if d.getVar('GRUB_SIGN_VERIFY', True) == '1': | 532 | if d.getVar('GRUB_SIGN_VERIFY', True) == '1': |
| 525 | boot_sign(input, d) | 533 | boot_sign(input, d) |