From 31d2105b7a4b8535f8ddb252857af483e4ab32fd Mon Sep 17 00:00:00 2001
From: Jason Wessel
Date: Thu, 24 Oct 2019 14:14:55 -0700
Subject: secure boot: Make SELoader optional and copy sig files when GRUB_SIGN_VERIFY=1

This commit makes the SELoader entire optional and allows it to be removed, with the intended replacement being to use grub's built in gpg key verification.

It will be possible in a template or local.conf:

UEFI_SELOADER = "0"
GRUB_SIGN_VERIFY = "1"

[ Issue: LINUXEXEC-2450 ]

Signed-off-by: Jason Wessel
---
.../packagegroups/packagegroup-efi-secure-boot.bb | 3 +-
.../recipes-bsp/efitools/efitools.inc | 11 ++++++++
.../recipes-bsp/efitools/efitools_git.bb | 3 ++
meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb | 4 ++-
.../images/kernel-initramfs-efi-secure-boot.inc | 30 +++++++++++---------
.../linux/linux-yocto-efi-secure-boot.inc | 33 ++++++++++++----------
meta-signing-key/classes/user-key-store.bbclass | 8 ++++++
7 files changed, 62 insertions(+), 30 deletions(-)

diff --git a/meta-efi-secure-boot/recipes-base/packagegroups/packagegroup-efi-secure-boot.bb b/meta-efi-secure-boot/recipes-base/packagegroups/packagegroup-efi-secure-boot.bb
index 1dee84e..341e767 100644
--- a/meta-efi-secure-boot/recipes-base/packagegroups/packagegroup-efi-secure-boot.bb
+++ b/meta-efi-secure-boot/recipes-base/packagegroups/packagegroup-efi-secure-boot.bb
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "\
 S = "${WORKDIR}"
+SELOADER_PKG = "${@'seloader' if d.getVar('UEFI_SELOADER', True) == '1' else ''}"
 ALLOW_EMPTY_${PN} = "1"
 pkgs = "\
@@ -13,7 +14,7 @@ pkgs = "\
 efitools \
 efibootmgr \
 mokutil \
- seloader \
+ ${SELOADER_PKG} \
 shim \
 "
diff --git a/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc b/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc
index a1a1d1d..9006fd3 100644
--- a/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc
+++ b/meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc
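Review bot: `SELOADER_PKG` evaluates to an empty string whenever `UEFI_SELOADER` is anything other than the literal '1', including unset, so a configuration that never set the variable silently loses the `seloader` package that `pkgs` pulled in unconditionally before this change; the `SHIM_DEFAULT_LOADER` conditional in shim_git.bb has the same sensitivity. Whether a layer-level default for `UEFI_SELOADER` exists cannot be seen from this patch; if none does, consider adding one such as `UEFI_SELOADER ??= "1"` next to the new variable so existing builds keep their current behaviour, or state the changed default in the commit message. The `${SELOADER_PKG}` entry leaves an empty item in `pkgs` when it expands to nothing, which is worth a short comment on the line so nobody "fixes" it later.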
@@ -59,6 +59,17 @@ do_install() {
 oe_runmake install DESTDIR='${D}${base_prefix}'
 }
+fakeroot python do_sign_class-target() {
+ image_dir = d.getVar('D', True)
+ efi_boot_path = d.getVar('EFI_BOOT_PATH', True)
+ uks_boot_sign(os.path.join(image_dir + efi_boot_path, 'LockDown.efi'), d)
+}
+addtask sign after do_install before do_deploy do_package
+do_sign[prefuncs] += "${@'check_boot_public_key' if d.getVar('GRUB_SIGN_VERIFY', True) == '1' else ''}"
+
+fakeroot python do_sign() {
+}
+
 FILES_${PN} += "${EFI_BOOT_PATH}"
 SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/LockDown.efi"
diff --git a/meta-efi-secure-boot/recipes-bsp/efitools/efitools_git.bb b/meta-efi-secure-boot/recipes-bsp/efitools/efitools_git.bb
index efa8674..763ab72 100644
--- a/meta-efi-secure-boot/recipes-bsp/efitools/efitools_git.bb
+++ b/meta-efi-secure-boot/recipes-bsp/efitools/efitools_git.bb
@@ -77,6 +77,9 @@ do_deploy() {
 install -d ${DEPLOYDIR}
 install -m 0600 ${D}${EFI_BOOT_PATH}/LockDown.efi "${DEPLOYDIR}"
+ if [ -e ${D}${EFI_BOOT_PATH}/LockDown.efi.sig ] ; then
+ install -m 0600 ${D}${EFI_BOOT_PATH}/LockDown.efi.sig "${DEPLOYDIR}"
+ fi
 }
 addtask deploy after do_install before do_build
diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb b/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb
index e7eef0c..6ebe282 100644
--- a/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb
+++ b/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb
@@ -41,6 +41,8 @@ S = "${WORKDIR}/git"
 inherit deploy user-key-store
+SHIM_DEFAULT_LOADER = "${@'DEFAULT_LOADER=\\\\\\\\\\\\SELoader${EFI_ARCH}.efi' if d.getVar('UEFI_SELOADER', True) == '1' else ''}"
+
 EXTRA_OEMAKE = "\
 CROSS_COMPILE="${TARGET_PREFIX}" \
 prefix="${STAGING_DIR_HOST}/${prefix}" \
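Review bot: The empty `fakeroot python do_sign() { }` in efitools.inc is added without a comment saying why it exists alongside `do_sign_class-target`, so a later cleanup could drop it as dead code. Presumably it keeps the `sign` task defined for the class variants where the `class-target` override body does not apply; if so, document it with `# No-op placeholder: the target build replaces this with do_sign_class-target above`. It would also help to note above `do_sign_class-target` that the signing helper is expected to gate on `GRUB_SIGN_VERIFY` itself, since `check_boot_public_key` is only registered as a prefunc when that flag is '1' while the `uks_boot_sign` call is unconditional.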
@@ -49,9 +51,9 @@ EXTRA_OEMAKE = "\
 EFI_PATH="${STAGING_LIBDIR}" \
 EFI_INCLUDE="${STAGING_INCDIR}/efi" \
 RELEASE="_${DISTRO}_${DISTRO_VERSION}" \
- DEFAULT_LOADER=\\\\\\SELoader${EFI_ARCH}.efi \
 OPENSSL=${STAGING_BINDIR_NATIVE}/openssl \
 HEXDUMP=${STAGING_BINDIR_NATIVE}/hexdump \
+ ${SHIM_DEFAULT_LOADER} \
 PK12UTIL=${STAGING_BINDIR_NATIVE}/pk12util \
 CERTUTIL=${STAGING_BINDIR_NATIVE}/certutil \
 SBSIGN=${STAGING_BINDIR_NATIVE}/sbsign \
diff --git a/meta-efi-secure-boot/recipes-core/images/kernel-initramfs-efi-secure-boot.inc b/meta-efi-secure-boot/recipes-core/images/kernel-initramfs-efi-secure-boot.inc
index fb073a1..1a7a74f 100644
--- a/meta-efi-secure-boot/recipes-core/images/kernel-initramfs-efi-secure-boot.inc
+++ b/meta-efi-secure-boot/recipes-core/images/kernel-initramfs-efi-secure-boot.inc
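Review bot: The new `${SHIM_DEFAULT_LOADER} \` entry is inserted after `HEXDUMP=` instead of at the spot where `DEFAULT_LOADER=` was removed (after `RELEASE=`), which makes the hunk read as a reorder rather than a substitution. Putting it back in the original position keeps the diff minimal and the `EXTRA_OEMAKE` list in its previous order; when the variable expands to nothing the line collapses to a bare continuation, which is harmless but deserves a one-line comment at the `SHIM_DEFAULT_LOADER` definition. The `EXTRA_OEMAKE` assignment begins outside the hunk.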
@@ -7,31 +7,35 @@ do_install[nostamp] = "1"
 fakeroot python do_sign() {
 if d.getVar('BUNDLE', True) == '0':
 for compr in d.getVar('INITRAMFS_FSTYPES').split():
- uks_sel_sign(d.expand('${D}/boot/${INITRAMFS_IMAGE}${INITRAMFS_EXT_NAME}.') + compr, d)
+ uks_bl_sign(d.expand('${D}/boot/${INITRAMFS_IMAGE}${INITRAMFS_EXT_NAME}.') + compr, d)
 else:
- uks_sel_sign(d.expand('${D}/boot/${KERNEL_IMAGETYPE}-initramfs${INITRAMFS_EXT_NAME}'), d)
+ uks_bl_sign(d.expand('${D}/boot/${KERNEL_IMAGETYPE}-initramfs${INITRAMFS_EXT_NAME}'), d)
 }
 addtask sign after do_install before do_deploy do_package
 do_sign[prefuncs] += "check_deploy_keys"
+do_sign[prefuncs] += "${@'check_boot_public_key' if d.getVar('GRUB_SIGN_VERIFY', True) == '1' else ''}"
 do_deploy() {
 install -d "${DEPLOYDIR}"
- for SIG in ${D}/boot/*.p7b; do
- install -m 0644 ${SIG} ${DEPLOYDIR}
- done
+ if [ "${UEFI_SELOADER}" = "1" ] ; then
+ for SIG in ${D}/boot/*${SB_FILE_EXT}; do
+ install -m 0644 ${SIG} ${DEPLOYDIR}
+ done
+ fi
 }
 addtask deploy after do_install before do_build
 python do_package_prepend () {
+ ext = d.expand('${SB_FILE_EXT}')
 if d.getVar('BUNDLE') == '1':
- d.appendVar(d.expand('ALTERNATIVE_${PN}'), ' ' + d.expand('${KERNEL_IMAGETYPE}' + '-initramfs.p7b'))
- d.setVarFlag('ALTERNATIVE_LINK_NAME', d.expand('${KERNEL_IMAGETYPE}') + '-initramfs.p7b', d.expand('/boot/${KERNEL_IMAGETYPE}-initramfs.p7b'))
- d.setVarFlag('ALTERNATIVE_TARGET', d.expand('${KERNEL_IMAGETYPE}') + '-initramfs.p7b', d.expand('/boot/${KERNEL_IMAGETYPE}-initramfs${INITRAMFS_EXT_NAME}.p7b'))
- d.setVarFlag('ALTERNATIVE_PRIORITY', d.expand('${KERNEL_IMAGETYPE}') + '-initramfs.p7b', '50101')
+ d.appendVar(d.expand('ALTERNATIVE_${PN}'), ' ' + d.expand('${KERNEL_IMAGETYPE}' + '-initramfs' + ext))
+ d.setVarFlag('ALTERNATIVE_LINK_NAME', d.expand('${KERNEL_IMAGETYPE}') + '-initramfs' + ext, d.expand('/boot/${KERNEL_IMAGETYPE}-initramfs' + ext))
+ d.setVarFlag('ALTERNATIVE_TARGET', d.expand('${KERNEL_IMAGETYPE}') + '-initramfs' + ext, d.expand('/boot/${KERNEL_IMAGETYPE}-initramfs${INITRAMFS_EXT_NAME}' + ext))
+ d.setVarFlag('ALTERNATIVE_PRIORITY', d.expand('${KERNEL_IMAGETYPE}') + '-initramfs' + ext, '50101')
 else:
 for compr in d.getVar('INITRAMFS_FSTYPES').split():
- d.appendVar(d.expand('ALTERNATIVE_${PN}'), ' ' + d.expand('${INITRAMFS_IMAGE}') + '.p7b')
- d.setVarFlag('ALTERNATIVE_LINK_NAME', d.expand('${INITRAMFS_IMAGE}') + '.p7b', d.expand('/boot/${INITRAMFS_IMAGE}.p7b'))
- d.setVarFlag('ALTERNATIVE_TARGET', d.expand('${INITRAMFS_IMAGE}') + '.p7b', d.expand('/boot/${INITRAMFS_IMAGE}${INITRAMFS_EXT_NAME}.' + compr + '.p7b'))
- d.setVarFlag('ALTERNATIVE_PRIORITY', d.expand('${INITRAMFS_IMAGE}') + '.p7b', '50101')
+ d.appendVar(d.expand('ALTERNATIVE_${PN}'), ' ' + d.expand('${INITRAMFS_IMAGE}') + ext)
+ d.setVarFlag('ALTERNATIVE_LINK_NAME', d.expand('${INITRAMFS_IMAGE}') + ext, d.expand('/boot/${INITRAMFS_IMAGE}.p7b'))
+ d.setVarFlag('ALTERNATIVE_TARGET', d.expand('${INITRAMFS_IMAGE}') + ext, d.expand('/boot/${INITRAMFS_IMAGE}${INITRAMFS_EXT_NAME}.' + compr + ext))
+ d.setVarFlag('ALTERNATIVE_PRIORITY', d.expand('${INITRAMFS_IMAGE}') + ext, '50101')
 }
diff --git a/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-efi-secure-boot.inc b/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-efi-secure-boot.inc
index df594ba..34b2eb5 100644
--- a/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-efi-secure-boot.inc
+++ b/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-efi-secure-boot.inc
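Review bot: In the `else:` branch of `do_package_prepend`, `ALTERNATIVE_LINK_NAME` is still set to `d.expand('/boot/${INITRAMFS_IMAGE}.p7b')` while the alternative's name and `ALTERNATIVE_TARGET` on the neighbouring lines now use `ext`; when `SB_FILE_EXT` is not `.p7b` the installed link is named `<image>.p7b` but points at a `<image>.<compr><ext>` file, so a loader that looks up the signature by the `ext` suffix will not find it. Change it to `d.expand('/boot/${INITRAMFS_IMAGE}' + ext)`, matching the bundled branch a few lines up. Separately, `do_deploy` now copies `*${SB_FILE_EXT}` only when `UEFI_SELOADER` is '1', so signatures produced for `GRUB_SIGN_VERIFY` never reach `DEPLOYDIR`; if that is intended, a one-line comment on the `if` would save the next reader from wondering.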
@@ -29,17 +29,19 @@ fakeroot python do_sign() {
 # SELoader signature is always based on the unsigned kernel image,
 # disallowing chainloader to kernel efi-stub.
- uks_sel_sign(kernel, d)
+ uks_bl_sign(kernel, d)
 shutil.copyfile(kernel, d.expand('${D}/boot/') + type + d.expand('-${KERNEL_RELEASE}'))
- shutil.copyfile(kernel + '.p7b', d.expand('${D}/boot/') + type + d.expand('-${KERNEL_RELEASE}.p7b'))
- os.symlink(type + d.expand('-${KERNEL_RELEASE}.p7b'), d.expand('${D}/boot/') + type + '.p7b')
+ ext = d.expand('${SB_FILE_EXT}')
+ shutil.copyfile(kernel + ext, d.expand('${D}/boot/') + type + d.expand('-${KERNEL_RELEASE}' + ext))
+ os.symlink(type + d.expand('-${KERNEL_RELEASE}' + ext), d.expand('${D}/boot/') + type + ext)
 }
 # Make sure the kernel image has been signed before kernel_do_deploy()
 # which prepares the kernel image for creating usb/iso.
 addtask sign after do_install before do_package do_populate_sysroot do_deploy
 do_sign[prefuncs] += "check_deploy_keys"
+do_sign[prefuncs] += "${@'check_boot_public_key' if d.getVar('GRUB_SIGN_VERIFY', True) == '1' else ''}"
 fakeroot python do_sign_bundled_kernel() {
 import re
@@ -63,10 +65,11 @@ fakeroot python do_sign_bundled_kernel() {
 # SELoader signature is always based on the unsigned kernel image,
 # disallowing chainloader to kernel efi-stub.
- uks_sel_sign(kernel, d)
+ uks_bl_sign(kernel, d)
 shutil.copyfile(kernel, d.expand('${D}/boot/') + type + d.expand('-initramfs-${MACHINE}.bin'))
- shutil.copyfile(kernel + '.p7b', d.expand('${D}/boot/') + type + d.expand('-initramfs-${MACHINE}.bin.p7b'))
+ ext = d.expand('${SB_FILE_EXT}')
+ shutil.copyfile(kernel + ext, d.expand('${D}/boot/') + type + d.expand('-initramfs-${MACHINE}.bin' + ext))
 }
 addtask sign_bundled_kernel after do_bundle_initramfs before do_deploy
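Review bot: `shutil.copyfile(kernel + ext, ...)` and the following `os.symlink` still run unconditionally, but `uks_bl_sign` (user-key-store.bbclass) now produces a signature only when `UEFI_SELOADER` or `GRUB_SIGN_VERIFY` is '1'; with both unset no `kernel + ext` file exists (assuming `SB_FILE_EXT` expands to a non-empty suffix, which this patch does not show) and the copy raises `FileNotFoundError`, whereas previously `uks_sel_sign` always ran. The same pattern is in the `do_sign_bundled_kernel` hunk below. Either guard the copy and symlink with `if os.path.exists(kernel + ext):` or fail early with `bb.fatal` when neither signing method is enabled, so the error names the configuration problem rather than a missing file. The retained comment `# SELoader signature is always based on the unsigned kernel image` is also stale now that the call may emit a GRUB gpg `.sig` instead; something like `# The bootloader signature (SELoader .p7b or GRUB gpg .sig) is always computed over the unsigned kernel image,` keeps the intent. Both `do_sign` and `do_sign_bundled_kernel` begin outside their hunks.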
@@ -82,24 +85,24 @@ do_deploy_append() {
 install -m 0644 "${B}/$imageType.initramfs.unsigned" "${DEPLOYDIR}/efi-unsigned/$imageType.initramfs"
 fi
- if [ -f "${D}/boot/$imageType-initramfs-${MACHINE}.bin.p7b" ]; then
- install -m 0644 "${D}/boot/$imageType-initramfs-${MACHINE}.bin.p7b" "${DEPLOYDIR}"
+ if [ -f "${D}/boot/$imageType-initramfs-${MACHINE}.bin${SB_FILE_EXT}" ]; then
+ install -m 0644 "${D}/boot/$imageType-initramfs-${MACHINE}.bin${SB_FILE_EXT}" "${DEPLOYDIR}"
 fi
- if [ -f "${B}/${KERNEL_OUTPUT_DIR}/$imageType.p7b" ]; then
- base_name="${imageType}-${KERNEL_IMAGE_NAME}.bin.p7b"
+ if [ -f "${B}/${KERNEL_OUTPUT_DIR}/$imageType${SB_FILE_EXT}" ]; then
+ base_name="${imageType}-${KERNEL_IMAGE_NAME}.bin${SB_FILE_EXT}"
- install -m 0644 "${B}/${KERNEL_OUTPUT_DIR}/$imageType.p7b" "${DEPLOYDIR}/$base_name"
- ln -sf "$base_name" "${DEPLOYDIR}/$imageType-${KERNEL_IMAGE_LINK_NAME}.bin.p7b"
- ln -sf "$base_name" "${DEPLOYDIR}/$imageType.p7b"
+ install -m 0644 "${B}/${KERNEL_OUTPUT_DIR}/$imageType${SB_FILE_EXT}" "${DEPLOYDIR}/$base_name"
+ ln -sf "$base_name" "${DEPLOYDIR}/$imageType-${KERNEL_IMAGE_LINK_NAME}.bin${SB_FILE_EXT}"
+ ln -sf "$base_name" "${DEPLOYDIR}/$imageType${SB_FILE_EXT}"
 fi
 done
 }
-# Ship *.p7b files to related packages
+# Ship *.p7b or *.sig files to related packages
 python do_package_prepend() {
 for type in d.expand('${KERNEL_IMAGETYPES}').split():
 typelower = type.lower()
- d.appendVar('FILES_kernel-image-' + typelower, ' /boot/' + type + d.expand('-${KERNEL_VERSION_NAME}.p7b'))
- d.appendVar('FILES_kernel-image-' + typelower, ' /boot/' + type + '.p7b')
+ d.appendVar('FILES_kernel-image-' + typelower, ' /boot/' + type + d.expand('-${KERNEL_VERSION_NAME}${SB_FILE_EXT}'))
+ d.appendVar('FILES_kernel-image-' + typelower, ' /boot/' + type + d.expand('${SB_FILE_EXT}'))
 }
diff --git a/meta-signing-key/classes/user-key-store.bbclass b/meta-signing-key/classes/user-key-store.bbclass
index 7abe1cf..f9ca09a 100644
--- a/meta-signing-key/classes/user-key-store.bbclass
+++ b/meta-signing-key/classes/user-key-store.bbclass
@@ -413,6 +413,9 @@ def deploy_keys(name, d):
 bb.build.exec_func('deploy_' + name.lower() + '_keys', d)
 def sanity_check_user_keys(name, may_exit, d):
+ if d.getVar('UEFI_SELOADER', True) == '1' and d.getVar('GRUB_SIGN_VERIFY', True) == '1':
+ bb.fatal("UEFI_SELOADER and GRUB_SIGN_VERIFY cannot both be set to '1'")
+
 if name == 'UEFI_SB':
 _ = check_uefi_sb_user_keys(d)
 elif name == 'MOK_SB':
@@ -521,5 +524,10 @@ def boot_sign(input, d):
 bb.fatal('Failed to sign: %s' % (input))
 def uks_boot_sign(input, d):
+ boot_sign(input, d)
+
+def uks_bl_sign(input, d):
+ if d.getVar('UEFI_SELOADER', True) == '1':
+ uks_sel_sign(input, d)
 if d.getVar('GRUB_SIGN_VERIFY', True) == '1':
 boot_sign(input, d)
--
cgit v1.2.3-54-g00ecf
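Review bot: `uks_boot_sign` loses its `GRUB_SIGN_VERIFY` check and now calls `boot_sign` unconditionally, and its caller added in efitools.inc (`do_sign_class-target`) is unconditional too, while `check_boot_public_key` is registered as a prefunc only when the flag is '1'; unless `boot_sign` itself tests the flag (its body is outside the hunk), a build with `GRUB_SIGN_VERIFY` unset will attempt to gpg-sign LockDown.efi without the key check and presumably end in `bb.fatal('Failed to sign: ...')` where it used to be skipped. Keep the gate in the helper so every caller gets it: `def uks_boot_sign(input, d):` / `    if d.getVar('GRUB_SIGN_VERIFY', True) == '1':` / `        boot_sign(input, d)`, and have `uks_bl_sign` call `uks_boot_sign` instead of `boot_sign` so the condition lives in one place. The new mutual-exclusion `bb.fatal` in `sanity_check_user_keys` ignores the `may_exit` parameter the function takes, which is worth a comment if that is deliberate. `boot_sign` and `sanity_check_user_keys` begin outside their hunks.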