authorLans Zhang <jia.zhang@windriver.com>2017-07-12 11:22:40 +0800
committerLans Zhang <jia.zhang@windriver.com>2017-07-12 11:22:40 +0800
commit676968891fb91d858736399418e40c3b049f8cbf (patch)
treebd72ee55d68f0fd0a0fa59d709b62e3a5ad522b2
parent77d7993c43cc25f9d4eda0ae638bf3a643a5e756 (diff)
downloadmeta-secure-core-676968891fb91d858736399418e40c3b049f8cbf.tar.gz
Fix the occurrence of checking the existence of signing keys
packagegroups are not the end consumers of using user-key-store. Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
-rw-r--r--meta-efi-secure-boot/recipes-base/packagegroups/packagegroup-efi-secure-boot.bb5
-rw-r--r--meta-efi-secure-boot/recipes-bsp/efitools/efitools_git.bb1
-rw-r--r--meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.02.bbappend1
-rw-r--r--meta-efi-secure-boot/recipes-bsp/seloader/seloader_git.bb1
-rw-r--r--meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb1
-rw-r--r--meta-efi-secure-boot/recipes-kernel/linux/kernel-initramfs.bbappend1
-rw-r--r--meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-efi-secure-boot.inc1
-rw-r--r--meta-integrity/recipes-base/packagegroups/packagegroup-ima.inc5
-rw-r--r--meta-signing-key/recipes-support/key-store/key-store_0.1.bb2
9 files changed, 8 insertions, 10 deletions
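diff --git a/meta-efi-secure-boot/recipes-base/packagegroups/packagegroup-efi-secure-boot.bb b/meta-efi-secure-boot/recipes-base/packagegroups/packagegroup-efi-secure-boot.bb
index dd40e6e..ab0281c 100644
--- a/meta-efi-secure-boot/recipes-base/packagegroups/packagegroup-efi-secure-boot.bb
+++ b/meta-efi-secure-boot/recipes-base/packagegroups/packagegroup-efi-secure-boot.bb
@@ -9,11 +9,6 @@ S = "${WORKDIR}"
 
 ALLOW_EMPTY_${PN} = "1"
 
-# Check and deploy keys to ${DEPLOY_DIR_IMAGE}
-inherit user-key-store
-
-do_install[postfuncs] += "check_deploy_keys"
-
 pkgs = "\
  grub-efi \
  efitools \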
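diff --git a/meta-efi-secure-boot/recipes-bsp/efitools/efitools_git.bb b/meta-efi-secure-boot/recipes-bsp/efitools/efitools_git.bb
index 3970757..ea02811 100644
--- a/meta-efi-secure-boot/recipes-bsp/efitools/efitools_git.bb
+++ b/meta-efi-secure-boot/recipes-bsp/efitools/efitools_git.bb
@@ -69,6 +69,7 @@ python do_prepare_signing_keys() {
  os.utime(d.expand('${S}/DBX.esl'), (time_stamp, time_stamp))
 }
 addtask prepare_signing_keys after do_configure before do_compile
+do_prepare_signing_keys[prefuncs] += "check_deploy_keys"
 
 do_install_append() {
  install -d ${D}${EFI_BOOT_PATH}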
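Review bot: The added `do_prepare_signing_keys[prefuncs] += "check_deploy_keys"` line carries no comment, and the only description of that function was the `# Check and deploy keys to ${DEPLOY_DIR_IMAGE}` comment this commit removes from the two packagegroups. A one-line comment above it, such as `# Check (and deploy) the signing keys before this task uses them`, would keep that intent next to the task. The same hook is added to task prefuncs in the grub-efi, seloader, shim, kernel-initramfs, linux-yocto and key-store hunks, so if check_deploy_keys really writes into the deploy directory (its body is not visible here) it is worth confirming that it is idempotent and safe when those tasks run in parallel.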
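diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.02.bbappend b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.02.bbappend
index 70ed828..4ff5e63 100644
--- a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.02.bbappend
+++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.02.bbappend
@@ -126,6 +126,7 @@ fakeroot python do_sign_class-target() {
 fakeroot python do_sign() {
 }
 addtask sign after do_install before do_deploy do_package
+do_sign[prefuncs] += "check_deploy_keys"
 
 # Override the do_deploy() in oe-core.
 do_deploy_class-target() {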
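Review bot: The prefunc is attached to the base `do_sign` task, while the hunk header shows that the real signing body is `do_sign_class-target()` and the `do_sign()` visible here is empty. That presumably makes the key check, and whatever deployment it performs, run for any non-target variant of this recipe as well, where nothing is signed. If that is intended, a short comment such as `# check_deploy_keys also runs for the empty non-target do_sign` would document it; otherwise consider scoping the hook to the target class.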
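diff --git a/meta-efi-secure-boot/recipes-bsp/seloader/seloader_git.bb b/meta-efi-secure-boot/recipes-bsp/seloader/seloader_git.bb
index 9324cf8..211bc65 100644
--- a/meta-efi-secure-boot/recipes-bsp/seloader/seloader_git.bb
+++ b/meta-efi-secure-boot/recipes-bsp/seloader/seloader_git.bb
@@ -58,6 +58,7 @@ python do_sign() {
  d.expand('${B}/Bin/Pkcs7VerifyDxe.efi.signed'), d)
 }
 addtask sign after do_compile before do_install
+do_sign[prefuncs] += "check_deploy_keys"
 
 do_install() {
  install -d ${D}${EFI_TARGET}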
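diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb b/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb
index d371bd4..4863843 100644
--- a/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb
+++ b/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb
@@ -94,6 +94,7 @@ python do_prepare_signing_keys() {
  shutil.copyfile(d.expand('${EV_CERT}'), d.expand('${S}/shim.pem'))
 }
 addtask prepare_signing_keys after do_configure before do_compile
+do_prepare_signing_keys[prefuncs] += "check_deploy_keys"
 
 python do_sign() {
  # The pre-signed shim binary will override the one built from the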
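Review bot: The key check guards only `do_prepare_signing_keys`; the `do_sign()` task that begins on the following lines (its body continues outside the hunk) gets no matching prefunc, unlike the `do_sign` tasks in the seloader, grub-efi and kernel hunks. If `do_sign` is re-run on its own while the stamp for `do_prepare_signing_keys` is still valid, the existence check would presumably be skipped. Adding `do_sign[prefuncs] += "check_deploy_keys"` after its `addtask` line would make the guard consistent, assuming this task signs with keys from the user key store. The linux-yocto hunk has a similar gap: `do_sign_bundled_kernel()` starts right after the added line and is not given the prefunc there.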
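diff --git a/meta-efi-secure-boot/recipes-kernel/linux/kernel-initramfs.bbappend b/meta-efi-secure-boot/recipes-kernel/linux/kernel-initramfs.bbappend
index b68f201..7a82aa7 100644
--- a/meta-efi-secure-boot/recipes-kernel/linux/kernel-initramfs.bbappend
+++ b/meta-efi-secure-boot/recipes-kernel/linux/kernel-initramfs.bbappend
@@ -17,6 +17,7 @@ fakeroot python do_sign() {
  uks_sel_sign(initramfs, d)
 }
 addtask sign after do_install before do_deploy do_package
+do_sign[prefuncs] += "check_deploy_keys"
 
 do_deploy() {
  initramfs=""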
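diff --git a/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-efi-secure-boot.inc b/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-efi-secure-boot.inc
index 2f4b338..62e869d 100644
--- a/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-efi-secure-boot.inc
+++ b/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-efi-secure-boot.inc
@@ -37,6 +37,7 @@ fakeroot python do_sign() {
 # Make sure the kernel image has been signed before kernel_do_deploy()
 # which prepares the kernel image for creating usb/iso.
 addtask sign after do_install before do_package do_populate_sysroot do_deploy
+do_sign[prefuncs] += "check_deploy_keys"
 
 fakeroot python do_sign_bundled_kernel() {
  import re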
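diff --git a/meta-integrity/recipes-base/packagegroups/packagegroup-ima.inc b/meta-integrity/recipes-base/packagegroups/packagegroup-ima.inc
index cc87dba..e39875b 100644
--- a/meta-integrity/recipes-base/packagegroups/packagegroup-ima.inc
+++ b/meta-integrity/recipes-base/packagegroups/packagegroup-ima.inc
@@ -7,11 +7,6 @@ S = "${WORKDIR}"
 
 ALLOW_EMPTY_${PN} = "1"
 
-# Check and deploy keys to ${DEPLOY_DIR_IMAGE}
-inherit user-key-store
-
-do_install[postfuncs] += "check_deploy_keys"
-
 RDEPENDS_${PN} = "\
  ima-evm-utils \
 "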
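diff --git a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
index 7402219..472cef5 100644
--- a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
+++ b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb
@@ -82,6 +82,8 @@ do_install() {
  fi
 }
 
+do_install[prefuncs] += "check_deploy_keys"
+
 SYSROOT_PREPROCESS_FUNCS += "key_store_sysroot_preprocess"
 
 key_store_sysroot_preprocess() {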
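Review bot: This is the only hook the commit adds outside meta-efi-secure-boot, so after the removal from packagegroup-ima.inc an IMA-only build appears to rely on key-store's `do_install` actually executing for the key check to happen. When the recipe's output is restored from shared state, `do_install` is normally not run, so the check would be skipped for that build. It is worth confirming that the key location or key contents feed the task signature, so that a change of keys forces a re-run. A comment such as `# Check that the signing keys exist before installing them` above the new line would also record why the hook lives here.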