From 676968891fb91d858736399418e40c3b049f8cbf Mon Sep 17 00:00:00 2001 From: Lans Zhang Date: Wed, 12 Jul 2017 11:22:40 +0800 Subject: Fix the occurrence of checking the existence of signing keys packagegroups are not the end consumers of using user-key-store. Signed-off-by: Lans Zhang --- .../recipes-base/packagegroups/packagegroup-efi-secure-boot.bb | 5 ----- meta-efi-secure-boot/recipes-bsp/efitools/efitools_git.bb | 1 + meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.02.bbappend | 1 + meta-efi-secure-boot/recipes-bsp/seloader/seloader_git.bb | 1 + meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb | 1 + meta-efi-secure-boot/recipes-kernel/linux/kernel-initramfs.bbappend | 1 + .../recipes-kernel/linux/linux-yocto-efi-secure-boot.inc | 1 + meta-integrity/recipes-base/packagegroups/packagegroup-ima.inc | 5 ----- meta-signing-key/recipes-support/key-store/key-store_0.1.bb | 2 ++ 9 files changed, 8 insertions(+), 10 deletions(-) diff --git a/meta-efi-secure-boot/recipes-base/packagegroups/packagegroup-efi-secure-boot.bb b/meta-efi-secure-boot/recipes-base/packagegroups/packagegroup-efi-secure-boot.bb index dd40e6e..ab0281c 100644 --- a/meta-efi-secure-boot/recipes-base/packagegroups/packagegroup-efi-secure-boot.bb +++ b/meta-efi-secure-boot/recipes-base/packagegroups/packagegroup-efi-secure-boot.bb @@ -9,11 +9,6 @@ S = "${WORKDIR}" ALLOW_EMPTY_${PN} = "1" -# Check and deploy keys to ${DEPLOY_DIR_IMAGE} -inherit user-key-store - -do_install[postfuncs] += "check_deploy_keys" - pkgs = "\ grub-efi \ efitools \ diff --git a/meta-efi-secure-boot/recipes-bsp/efitools/efitools_git.bb b/meta-efi-secure-boot/recipes-bsp/efitools/efitools_git.bb index 3970757..ea02811 100644 --- a/meta-efi-secure-boot/recipes-bsp/efitools/efitools_git.bb +++ b/meta-efi-secure-boot/recipes-bsp/efitools/efitools_git.bb 
@@ -69,6 +69,7 @@ python do_prepare_signing_keys() { os.utime(d.expand('${S}/DBX.esl'), (time_stamp, time_stamp)) } addtask prepare_signing_keys after do_configure before do_compile +do_prepare_signing_keys[prefuncs] += "check_deploy_keys" do_install_append() { install -d ${D}${EFI_BOOT_PATH} diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.02.bbappend b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.02.bbappend index 70ed828..4ff5e63 100644 --- a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.02.bbappend +++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.02.bbappend @@ -126,6 +126,7 @@ fakeroot python do_sign_class-target() { fakeroot python do_sign() { } addtask sign after do_install before do_deploy do_package +do_sign[prefuncs] += "check_deploy_keys" # Override the do_deploy() in oe-core. do_deploy_class-target() { diff --git a/meta-efi-secure-boot/recipes-bsp/seloader/seloader_git.bb b/meta-efi-secure-boot/recipes-bsp/seloader/seloader_git.bb index 9324cf8..211bc65 100644 --- a/meta-efi-secure-boot/recipes-bsp/seloader/seloader_git.bb +++ b/meta-efi-secure-boot/recipes-bsp/seloader/seloader_git.bb @@ -58,6 +58,7 @@ python do_sign() { d.expand('${B}/Bin/Pkcs7VerifyDxe.efi.signed'), d) } addtask sign after do_compile before do_install +do_sign[prefuncs] += "check_deploy_keys" do_install() { install -d ${D}${EFI_TARGET} diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb b/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb index d371bd4..4863843 100644 --- a/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb +++ b/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb @@ -94,6 +94,7 @@ python do_prepare_signing_keys() { shutil.copyfile(d.expand('${EV_CERT}'), d.expand('${S}/shim.pem')) } addtask prepare_signing_keys after do_configure before do_compile +do_prepare_signing_keys[prefuncs] += "check_deploy_keys" python do_sign() { # The pre-signed shim binary will override the one built from the 
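Review bot: `check_deploy_keys` is now a prefunc of seven tasks in separate recipes, and BitBake may run several of them at the same time: `do_prepare_signing_keys` here and in shim, `do_sign` in grub-efi, seloader, kernel-initramfs and linux-yocto, and `do_install` in key-store. The comment removed from the packagegroups says the function deploys keys to `${DEPLOY_DIR_IMAGE}`, so unless it is idempotent and writes atomically, parallel callers could leave a partially written key file that another task then reads. Its body is not part of this diff, so that needs confirming. If it does copy files, serialise the callers with a shared lock on each task, for example `do_prepare_signing_keys[lockfiles] += "${TMPDIR}/<key-deploy-lock>"` (placeholder path).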
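Review bot: In grub-efi_2.02.bbappend the prefunc is attached to `do_sign` for every class, although the generic `do_sign()` shown in the context is empty and only `do_sign_class-target` (whose body lies above the hunk) appears to do any signing. If the recipe is also built for a non-target class, that build would run `check_deploy_keys` without signing anything, and would presumably fail if the keys are missing. Either restrict the prefunc to the target class, or state the intent next to the new line with a comment such as `# check_deploy_keys also runs for the empty non-target do_sign`.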
diff --git a/meta-efi-secure-boot/recipes-kernel/linux/kernel-initramfs.bbappend b/meta-efi-secure-boot/recipes-kernel/linux/kernel-initramfs.bbappend index b68f201..7a82aa7 100644 --- a/meta-efi-secure-boot/recipes-kernel/linux/kernel-initramfs.bbappend +++ b/meta-efi-secure-boot/recipes-kernel/linux/kernel-initramfs.bbappend @@ -17,6 +17,7 @@ fakeroot python do_sign() { uks_sel_sign(initramfs, d) } addtask sign after do_install before do_deploy do_package +do_sign[prefuncs] += "check_deploy_keys" do_deploy() { initramfs="" diff --git a/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-efi-secure-boot.inc b/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-efi-secure-boot.inc index 2f4b338..62e869d 100644 --- a/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-efi-secure-boot.inc +++ b/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-efi-secure-boot.inc @@ -37,6 +37,7 @@ fakeroot python do_sign() { # Make sure the kernel image has been signed before kernel_do_deploy() # which prepares the kernel image for creating usb/iso. addtask sign after do_install before do_package do_populate_sysroot do_deploy +do_sign[prefuncs] += "check_deploy_keys" fakeroot python do_sign_bundled_kernel() { import re diff --git a/meta-integrity/recipes-base/packagegroups/packagegroup-ima.inc b/meta-integrity/recipes-base/packagegroups/packagegroup-ima.inc index cc87dba..e39875b 100644 --- a/meta-integrity/recipes-base/packagegroups/packagegroup-ima.inc +++ b/meta-integrity/recipes-base/packagegroups/packagegroup-ima.inc @@ -7,11 +7,6 @@ S = "${WORKDIR}" ALLOW_EMPTY_${PN} = "1" -# Check and deploy keys to ${DEPLOY_DIR_IMAGE} -inherit user-key-store - -do_install[postfuncs] += "check_deploy_keys" - RDEPENDS_${PN} = "\ ima-evm-utils \ " diff --git a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb index 7402219..472cef5 100644 --- a/meta-signing-key/recipes-support/key-store/key-store_0.1.bb 
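Review bot: In linux-yocto-efi-secure-boot.inc only `do_sign` gets the key check; `do_sign_bundled_kernel`, which begins right after the added line, does not. Its body and `addtask` line are outside the hunk, so its ordering relative to `do_sign` cannot be seen here. If it signs with the same keys and can execute when `do_sign` has not just run, add `do_sign_bundled_kernel[prefuncs] += "check_deploy_keys"` after its `addtask`. Otherwise add a comment there saying it is always ordered after `do_sign`.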
+++ b/meta-signing-key/recipes-support/key-store/key-store_0.1.bb @@ -82,6 +82,8 @@ do_install() { fi } +do_install[prefuncs] += "check_deploy_keys" + SYSROOT_PREPROCESS_FUNCS += "key_store_sysroot_preprocess" key_store_sysroot_preprocess() { -- cgit v1.2.3-54-g00ecf
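Review bot: Hooking the check to `do_install` means it only runs when that task actually executes; when the recipe's outputs are restored from shared state, `do_install` is skipped and so is `check_deploy_keys`. If the function still deploys keys to `${DEPLOY_DIR_IMAGE}`, as the comment removed from the packagegroups described, a build served from sstate would finish without the keys being checked or deployed. Consider documenting that next to the new line, e.g. `# NOTE: not run when do_install is skipped via sstate`, or moving the deployment into a task that tracks its output. The hunk also does not show whether this recipe inherits `user-key-store`, which the removed packagegroup lines did before naming the function.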