From bfd800fe0287d9130a152cf4ad994178a8432401 Mon Sep 17 00:00:00 2001 From: Jia Zhang Date: Tue, 22 Aug 2017 17:53:49 +0800 Subject: shim: sync up with upstream Signed-off-by: Jia Zhang --- ...6-Prevent-from-removing-intermediate-.efi.patch | 22 +-- ...se-sbsign-to-sign-MokManager-and-fallback.patch | 44 ----- ...ld-build-failure-due-to-the-missing-rule-.patch | 16 +- .../0010-Makefile-do-not-sign-the-efi-file.patch | 35 ---- .../shim/0013-fallback-fix-double-free-of-dp.patch | 35 ---- ...rk-around-the-issue-of-boot-option-creati.patch | 197 --------------------- meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb | 8 +- 7 files changed, 22 insertions(+), 335 deletions(-) delete mode 100644 meta-efi-secure-boot/recipes-bsp/shim/shim/0007-Use-sbsign-to-sign-MokManager-and-fallback.patch delete mode 100644 meta-efi-secure-boot/recipes-bsp/shim/shim/0010-Makefile-do-not-sign-the-efi-file.patch delete mode 100644 meta-efi-secure-boot/recipes-bsp/shim/shim/0013-fallback-fix-double-free-of-dp.patch delete mode 100644 meta-efi-secure-boot/recipes-bsp/shim/shim/0014-fallback-work-around-the-issue-of-boot-option-creati.patch diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim/0006-Prevent-from-removing-intermediate-.efi.patch b/meta-efi-secure-boot/recipes-bsp/shim/shim/0006-Prevent-from-removing-intermediate-.efi.patch index 970c992..eb39bb9 100644 --- a/meta-efi-secure-boot/recipes-bsp/shim/shim/0006-Prevent-from-removing-intermediate-.efi.patch +++ b/meta-efi-secure-boot/recipes-bsp/shim/shim/0006-Prevent-from-removing-intermediate-.efi.patch @@ -1,6 +1,6 @@ -From 8cfbeee2979f0049bf018f207afc01b55d1a7bcd Mon Sep 17 00:00:00 2001 -From: Lans Zhang -Date: Fri, 30 Jun 2017 16:59:34 +0800 +From 4019b6bad6e4e63fdf2079a1637c5f7afa9defbe Mon Sep 17 00:00:00 2001 +From: Jia Zhang +Date: Tue, 22 Aug 2017 17:31:04 +0800 Subject: [PATCH] Prevent from removing intermediate .efi Upstream-Status: Pending 
@@ -10,24 +10,24 @@ sysroots/x86_64-linux/usr/bin/pesign -n certdb -i MokManager.efi -c "shim" -s -o rm fallback.efi MokManager.efi DEBUG: Shell function do_compile finished -Signed-off-by: Lans Zhang +Signed-off-by: Jia Zhang --- Makefile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Makefile b/Makefile -index 0497e4d..19e1b4f 100644 +index afd6504..0ec2b0b 100644 --- a/Makefile +++ b/Makefile -@@ -108,6 +108,8 @@ ifneq ($(origin ENABLE_HTTPBOOT), undefined) - SOURCES += httpboot.c httpboot.h - endif +@@ -159,6 +159,8 @@ SOURCES = $(foreach source,$(ORIG_SOURCES),$(TOPDIR)/$(source)) version.c + MOK_SOURCES = $(foreach source,$(ORIG_MOK_SOURCES),$(TOPDIR)/$(source)) + FALLBACK_SRCS = $(foreach source,$(ORIG_FALLBACK_SRCS),$(TOPDIR)/$(source)) +.PRECIOUS: $(MMNAME).efi $(FBNAME).efi + - all: $(TARGET) + all: $(TARGETS) - shim.crt shim.key: + shim.crt: -- -2.7.5 +2.14.1 diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim/0007-Use-sbsign-to-sign-MokManager-and-fallback.patch b/meta-efi-secure-boot/recipes-bsp/shim/shim/0007-Use-sbsign-to-sign-MokManager-and-fallback.patch deleted file mode 100644 index 14fae76..0000000 --- a/meta-efi-secure-boot/recipes-bsp/shim/shim/0007-Use-sbsign-to-sign-MokManager-and-fallback.patch +++ /dev/null 
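Review bot: The refreshed 0006 patch still carries `.PRECIOUS: $(MMNAME).efi $(FBNAME).efi`, and `.PRECIOUS` also keeps a partially written target when make is interrupted, so a truncated MokManager or fallback image could be left looking up to date for a later signing step. `.SECONDARY: $(MMNAME).efi $(FBNAME).efi` stops the intermediate-file removal shown in the quoted build log without that side effect. Since this commit also drops 0010, it is worth checking whether the two .efi files are still only intermediates in the new upstream Makefile; if `$(TARGETS)` now names them directly, this carried patch may no longer be needed. The upstream Makefile is not visible here, so that last point is inferred.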
@@ -1,44 +0,0 @@ -From 04da6c928d5f15b7adb6c51e55b9aa0a8126063d Mon Sep 17 00:00:00 2001 -From: Lans Zhang -Date: Wed, 21 Sep 2016 11:31:02 +0800 -Subject: [PATCH 07/11] Use sbsign to sign MokManager and fallback - -Upstream-Status: Pending - -pesign is written with -std=gnu11 and thus the host gcc version lower -than 4.7 cannot build out pesign. - -sbsign is another alternate used to sign efi binary and it works well. -Therefore, drop to use sbsign to sign efi binary. - -Signed-off-by: Lans Zhang ---- - Makefile | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/Makefile b/Makefile -index 7c71993..58b4b4c 100644 ---- a/Makefile -+++ b/Makefile -@@ -12,6 +12,7 @@ HEXDUMP ?= hexdump - PK12UTIL ?= pk12util - CERTUTIL ?= certutil - PESIGN ?= pesign -+SBSIGN ?= sbsign - - ARCH = $(shell $(CC) -dumpmachine | cut -f1 -d- | sed s,i[3456789]86,ia32,) - OBJCOPY_GTE224 = $(shell expr `$(OBJCOPY) --version |grep ^"GNU objcopy" | sed 's/^.*\((.*)\|version\) //g' | cut -f1-2 -d.` \>= 2.24) -@@ -190,8 +191,8 @@ endif - -j .note.gnu.build-id \ - $(FORMAT) $^ $@.debug - --%.efi.signed: %.efi certdb/secmod.db -- $(PESIGN) -n certdb -i $< -c "shim" -s -o $@ -f -+%.efi.signed: %.efi shim.key shim.crt -+ $(SBSIGN) --key shim.key --cert shim.crt --output $@ $< - - clean: - $(MAKE) -C Cryptlib clean --- -2.11.0 - diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim/0008-Fix-the-world-build-failure-due-to-the-missing-rule-.patch b/meta-efi-secure-boot/recipes-bsp/shim/shim/0008-Fix-the-world-build-failure-due-to-the-missing-rule-.patch index c53a52f..fbf0f14 100644 --- a/meta-efi-secure-boot/recipes-bsp/shim/shim/0008-Fix-the-world-build-failure-due-to-the-missing-rule-.patch +++ b/meta-efi-secure-boot/recipes-bsp/shim/shim/0008-Fix-the-world-build-failure-due-to-the-missing-rule-.patch 
@@ -1,6 +1,6 @@ -From 3b4fe6b2eda92c78c80a2c0c1ab5625fd0920811 Mon Sep 17 00:00:00 2001 -From: Lans Zhang -Date: Thu, 3 Aug 2017 09:53:37 +0800 +From 22b58e64a0cd10456f79f146216c899a898ce037 Mon Sep 17 00:00:00 2001 +From: Jia Zhang +Date: Tue, 22 Aug 2017 17:32:47 +0800 Subject: [PATCH] Fix the world build failure due to the missing rule of generating shim.key @@ -12,18 +12,18 @@ for signing. However, the commit 79c0d3ab3964ff03483277a515aaf50016bbe786 forgets to add the rule of generating shim.key, causing the world build failure. -Signed-off-by: Lans Zhang +Signed-off-by: Jia Zhang --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile -index 063578a..96bdf14 100644 +index 0ec2b0b..2fc6c90 100644 --- a/Makefile +++ b/Makefile -@@ -125,7 +125,7 @@ FALLBACK_SRCS = $(foreach source,$(ORIG_FALLBACK_SRCS),$(TOPDIR)/$(source)) +@@ -163,7 +163,7 @@ FALLBACK_SRCS = $(foreach source,$(ORIG_FALLBACK_SRCS),$(TOPDIR)/$(source)) - all: $(TARGET) + all: $(TARGETS) -shim.crt: +shim.crt shim.key: @@ -31,5 +31,5 @@ index 063578a..96bdf14 100644 shim.cer: shim.crt -- -2.7.5 +2.14.1 diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim/0010-Makefile-do-not-sign-the-efi-file.patch b/meta-efi-secure-boot/recipes-bsp/shim/shim/0010-Makefile-do-not-sign-the-efi-file.patch deleted file mode 100644 index 4819a94..0000000 --- a/meta-efi-secure-boot/recipes-bsp/shim/shim/0010-Makefile-do-not-sign-the-efi-file.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From b3d57a092d837fe8134e0b3ff408040fa33d4efc Mon Sep 17 00:00:00 2001 -From: Yunguo Wei -Date: Wed, 28 Dec 2016 11:08:37 +0800 -Subject: [PATCH 10/11] Makefile: do not sign the efi file - -Shim tries to sign all the efi binaries at build time, but is not -suitable for us. Because the private key has to be supplied, and this -doesn't make sense to EDSS key. - -We will use a seperated function in bitbake file to -sign these efi binaries, so that we can freely use EDSS key, Wind -River sample key or user key. - -Signed-off-by: Yunguo Wei -Signed-off-by: Lans Zhang ---- - Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Makefile b/Makefile -index 24e21a8..0912cd0 100644 ---- a/Makefile -+++ b/Makefile -@@ -92,7 +92,7 @@ endif - - LDFLAGS = --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(EFI_PATH) -L$(LIB_PATH) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) --build-id=sha1 - --TARGET = $(SHIMNAME).efi $(MMNAME).efi.signed $(FBNAME).efi.signed -+TARGET = $(SHIMNAME).efi $(MMNAME).efi $(FBNAME).efi - OBJS = shim.o netboot.o cert.o replacements.o tpm.o version.o - KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer - SOURCES = shim.c shim.h netboot.c include/PeImage.h include/wincert.h include/console.h replacements.c replacements.h tpm.c tpm.h version.c version.h --- -2.11.0 - diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim/0013-fallback-fix-double-free-of-dp.patch b/meta-efi-secure-boot/recipes-bsp/shim/shim/0013-fallback-fix-double-free-of-dp.patch deleted file mode 100644 index e9d3b47..0000000 --- a/meta-efi-secure-boot/recipes-bsp/shim/shim/0013-fallback-fix-double-free-of-dp.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 2003b828be0e0fe774e119922e81ee0bb0d2ecdd Mon Sep 17 00:00:00 2001 -From: Lans Zhang -Date: Wed, 9 Aug 2017 16:10:14 +0800 -Subject: [PATCH 1/2] fallback: fix double free of dp - -If the boot option recorded in csv is not in a media device path, the -corresponding full device path will be referred for creating the boot -variable. - -However, the current code logic always frees the full device path -(full_device_path) and the media device path (dp) separately. In order -to resolve this issue, always check whether dp equals to full_device_path -before freeing dp. - -Signed-off-by: Lans Zhang ---- - fallback.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/fallback.c b/fallback.c -index 9b64077..2ef1b86 100644 ---- a/fallback.c -+++ b/fallback.c -@@ -482,7 +482,7 @@ add_to_boot_list(CHAR16 *dirname, CHAR16 *filename, CHAR16 *label, CHAR16 *argum - err: - if (full_device_path) - FreePool(full_device_path); -- if (dp) -+ if (dp && dp != full_device_path) - FreePool(dp); - if (fullpath) - FreePool(fullpath); --- -2.13.2 - diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim/0014-fallback-work-around-the-issue-of-boot-option-creati.patch b/meta-efi-secure-boot/recipes-bsp/shim/shim/0014-fallback-work-around-the-issue-of-boot-option-creati.patch deleted file mode 100644 index cad1cc2..0000000 --- a/meta-efi-secure-boot/recipes-bsp/shim/shim/0014-fallback-work-around-the-issue-of-boot-option-creati.patch +++ /dev/null 
@@ -1,197 +0,0 @@ -From 0fbd5a6375bbfe463979cc1958bc721353e49625 Mon Sep 17 00:00:00 2001 -From: Lans Zhang -Date: Fri, 11 Aug 2017 13:42:20 +0800 -Subject: [PATCH 2/2] fallback: work around the issue of boot option creation - with AMI BIOS - -AMI BIOS (e.g, Intel NUC5i3MYHE) may automatically hide and patch BootXXXX -variables with ami_masked_device_path_guid. - -Initially, the normal boot option created by fallback looks like this: -00000000 01 00 00 00 5e 00 42 00 6f 00 6f 00 74 00 6c 00 |....^.B.o.o.t.l.| -00000010 6f 00 61 00 64 00 65 00 72 00 20 00 54 00 65 00 |o.a.d.e.r. .T.e.| -00000020 73 00 74 00 20 00 28 00 36 00 34 00 2d 00 62 00 |s.t. .(.6.4.-.b.| -00000030 69 00 74 00 29 00 00 00 04 01 2a 00 01 00 00 00 |i.t.).....*.....| -00000040 00 08 00 00 00 00 00 00 00 00 08 00 00 00 00 00 |................| -00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| -00000060 01 01 04 04 30 00 5c 00 45 00 46 00 49 00 5c 00 |....0.\.E.F.I.\.| -00000070 42 00 4f 00 4f 00 54 00 5c 00 74 00 65 00 73 00 |B.O.O.T.\.t.e.s.| -00000080 74 00 78 00 36 00 34 00 2e 00 65 00 66 00 69 00 |t.x.6.4...e.f.i.| -00000090 00 00 7f ff 04 00 |......| -00000096 - -after reboot, fallback has to create a new one due to the previous boot -option is hidden and masked by AMI BIOS: -00000000 09 00 00 00 76 00 42 00 6f 00 6f 00 74 00 6c 00 |....v.B.o.o.t.l.| -00000010 6f 00 61 00 64 00 65 00 72 00 20 00 54 00 65 00 |o.a.d.e.r. .T.e.| -00000020 73 00 74 00 20 00 28 00 36 00 34 00 2d 00 62 00 |s.t. 
.(.6.4.-.b.| -00000030 69 00 74 00 29 00 00 00 01 04 14 00 e7 75 e2 99 |i.t.)........u..| -00000040 a0 75 37 4b a2 e6 c5 38 5e 6c 00 cb 7f ff 04 00 |.u7K...8^l......| -00000050 04 01 2a 00 01 00 00 00 00 08 00 00 00 00 00 00 |..*.............| -00000060 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| -00000070 00 00 00 00 00 00 00 00 01 01 04 04 30 00 5c 00 |............0.\.| -00000080 45 00 46 00 49 00 5c 00 42 00 4f 00 4f 00 54 00 |E.F.I.\.B.O.O.T.| -00000090 5c 00 74 00 65 00 73 00 74 00 78 00 36 00 34 00 |\.t.e.s.t.x.6.4.| -000000a0 2e 00 65 00 66 00 69 00 00 00 7f ff 04 00 |..e.f.i.......| -000000ae - -And after several reboot, fallback will have to create more boot options -because AMI BIOS corrupts the previous ones. - -We can get the valid device path if just skipping the masked device path and -its next end path. - -Signed-off-by: Lans Zhang ---- - fallback.c | 114 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--- - 1 file changed, 109 insertions(+), 5 deletions(-) - -diff --git a/fallback.c b/fallback.c -index 2ef1b86..46894af 100644 ---- a/fallback.c -+++ b/fallback.c -@@ -287,6 +287,105 @@ add_boot_option(EFI_DEVICE_PATH *hddp, EFI_DEVICE_PATH *fulldp, - return EFI_OUT_OF_RESOURCES; - } - -+/* -+ * AMI BIOS (e.g, Intel NUC5i3MYHE) may automatically hide and patch BootXXXX -+ * variables with ami_masked_device_path_guid. We can get the valid device path -+ * if just skipping it and its next end path. 
-+ */ -+ -+static EFI_GUID ami_masked_device_path_guid = { -+ 0x99e275e7, 0x75a0, 0x4b37, -+ { 0xa2, 0xe6, 0xc5, 0x38, 0x5e, 0x6c, 0x0, 0xcb } -+}; -+ -+static unsigned int -+calc_masked_boot_option_size(unsigned int size) -+{ -+ return size + sizeof(EFI_DEVICE_PATH) + -+ sizeof(ami_masked_device_path_guid) + sizeof(EFI_DEVICE_PATH); -+} -+ -+static int -+check_masked_boot_option(CHAR8 *candidate, unsigned int candidate_size, -+ CHAR8 *data, unsigned int data_size) -+{ -+ /* -+ * The patched BootXXXX variables contain a hardware device path and -+ * an end path, preceding the real device path. -+ */ -+ if (calc_masked_boot_option_size(data_size) != candidate_size) -+ return 1; -+ -+ CHAR8 *cursor = candidate; -+ -+ /* Check whether the BootXXXX is patched */ -+ cursor += sizeof(UINT32) + sizeof(UINT16); -+ cursor += StrSize((CHAR16 *)cursor); -+ -+ unsigned int min_valid_size = cursor - candidate + sizeof(EFI_DEVICE_PATH); -+ -+ if (candidate_size <= min_valid_size) -+ return 1; -+ -+ EFI_DEVICE_PATH *dp = (EFI_DEVICE_PATH *)cursor; -+ unsigned int node_size = DevicePathNodeLength(dp) - sizeof(EFI_DEVICE_PATH); -+ -+ min_valid_size += node_size; -+ if (candidate_size <= min_valid_size || -+ DevicePathType(dp) != HARDWARE_DEVICE_PATH || -+ DevicePathSubType(dp) != HW_VENDOR_DP || -+ node_size != sizeof(ami_masked_device_path_guid) || -+ CompareGuid((EFI_GUID *)(cursor + sizeof(EFI_DEVICE_PATH)), -+ &ami_masked_device_path_guid)) -+ return 1; -+ -+ /* Check whether the patched guid is followed by an end path */ -+ min_valid_size += sizeof(EFI_DEVICE_PATH); -+ if (candidate_size <= min_valid_size) -+ return 1; -+ -+ dp = NextDevicePathNode(dp); -+ if (!IsDevicePathEnd(dp)) -+ return 1; -+ -+ /* -+ * OK. We may really get a masked BootXXXX variable. The next -+ * step is to test whether it is hidden. 
-+ */ -+ UINT32 attrs = *(UINT32 *)candidate; -+#ifndef LOAD_OPTION_HIDDEN -+# define LOAD_OPTION_HIDDEN 0x00000008 -+#endif -+ if (!(attrs & LOAD_OPTION_HIDDEN)) -+ return 1; -+ -+ attrs &= ~LOAD_OPTION_HIDDEN; -+ -+ /* Compare the field Attributes */ -+ if (attrs != *(UINT32 *)data) -+ return 1; -+ -+ /* Compare the field FilePathListLength */ -+ data += sizeof(UINT32); -+ candidate += sizeof(UINT32); -+ if (calc_masked_boot_option_size(*(UINT16 *)data) != -+ *(UINT16 *)candidate) -+ return 1; -+ -+ /* Compare the field Description */ -+ data += sizeof(UINT16); -+ candidate += sizeof(UINT16); -+ if (CompareMem(candidate, data, cursor - candidate)) -+ return 1; -+ -+ /* Compare the filed FilePathList */ -+ cursor = (CHAR8 *)NextDevicePathNode(dp); -+ data += sizeof(UINT16); -+ data += StrSize((CHAR16 *)data); -+ -+ return CompareMem(cursor, data, candidate_size - min_valid_size); -+} -+ - EFI_STATUS - find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp, - CHAR16 *filename, CHAR16 *label, CHAR16 *arguments, -@@ -316,7 +415,8 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp, - EFI_GUID global = EFI_GLOBAL_VARIABLE; - EFI_STATUS rc; - -- CHAR8 *candidate = AllocateZeroPool(size); -+ UINTN max_candidate_size = calc_masked_boot_option_size(size); -+ CHAR8 *candidate = AllocateZeroPool(max_candidate_size); - if (!candidate) { - FreePool(data); - return EFI_OUT_OF_RESOURCES; -@@ -328,17 +428,21 @@ find_boot_option(EFI_DEVICE_PATH *dp, EFI_DEVICE_PATH *fulldp, - varname[6] = hexmap[(bootorder[i] & 0x00f0) >> 4]; - varname[7] = hexmap[(bootorder[i] & 0x000f) >> 0]; - -- UINTN candidate_size = size; -+ UINTN candidate_size = max_candidate_size; - rc = uefi_call_wrapper(RT->GetVariable, 5, varname, &global, - NULL, &candidate_size, candidate); - if (EFI_ERROR(rc)) - continue; - -- if (candidate_size != size) -+ if (candidate_size != size) { -+ if (check_masked_boot_option(candidate, candidate_size, -+ data, size)) -+ continue; -+ } else if 
(CompareMem(candidate, data, size)) - continue; - -- if (CompareMem(candidate, data, size)) -- continue; -+ VerbosePrint(L"Found boot entry \"%s\" with label \"%s\" " -+ L"for file \"%s\"\n", varname, label, filename); - - /* at this point, we have duplicate data. */ - if (!first_new_option) { --- -2.13.2 - diff --git a/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb b/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb index 001de7d..5aeeedb 100644 --- a/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb +++ b/meta-efi-secure-boot/recipes-bsp/shim/shim_git.bb @@ -26,13 +26,9 @@ SRC_URI = "\ file://0001-shim-allow-to-verify-sha1-digest-for-Authenticode.patch;apply=0 \ file://0005-Fix-signing-failure-due-to-not-finding-certificate.patch;apply=0 \ file://0006-Prevent-from-removing-intermediate-.efi.patch \ - file://0007-Use-sbsign-to-sign-MokManager-and-fallback.patch \ file://0008-Fix-the-world-build-failure-due-to-the-missing-rule-.patch \ - file://0010-Makefile-do-not-sign-the-efi-file.patch \ file://0011-Update-verification_method-if-the-loaded-image-is-si.patch;apply=0 \ file://0012-netboot-replace-the-depreciated-EFI_PXE_BASE_CODE.patch \ - file://0013-fallback-fix-double-free-of-dp.patch \ - file://0014-fallback-work-around-the-issue-of-boot-option-creati.patch \ file://0015-fallback-allow-to-search-.csv-in-EFI-BOOT.patch \ file://0016-fallback-don-t-set-the-csv-entry-as-the-first-boot-b.patch \ file://0017-fallback-always-try-to-boot-the-option-recorded-in-c.patch \ @@ -42,7 +38,7 @@ SRC_URI_append_x86-64 = "\ 'file://shim' + d.expand('EFI_ARCH') + '.efi.signed file://LICENSE' \ if uks_signing_model(d) == 'sample' else '', '', d)} \ " -SRCREV = "631265b7e9c447412d423ffed1b39dfd706054cd" +SRCREV = "5202f80c32bdcab0469785e953bf9fa8dd4eaaa1" S = "${WORKDIR}/git" 
@@ -50,6 +46,7 @@ inherit deploy user-key-store EXTRA_OEMAKE = "\ CROSS_COMPILE="${TARGET_PREFIX}" \ + prefix="${STAGING_DIR_HOST}/${prefix}" \ LIB_GCC="`${CC} -print-libgcc-file-name`" \ LIB_PATH="${STAGING_LIBDIR}" \ EFI_PATH="${STAGING_LIBDIR}" \ @@ -68,6 +65,7 @@ EXTRA_OEMAKE = "\ if uks_signing_model(d) == 'user' else ''} \ ENABLE_HTTPBOOT=1 \ OVERRIDE_SECURITY_POLICY=1 \ + ENABLE_SBSIGN=1 \ " PARALLEL_MAKE = "" -- cgit v1.2.3-54-g00ecf
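Review bot: In the first EXTRA_OEMAKE hunk, `prefix="${STAGING_DIR_HOST}/${prefix}"` joins the two values with an extra slash; `${prefix}` is normally absolute already, so `prefix="${STAGING_DIR_HOST}${prefix}"` is the usual form. Because EXTRA_OEMAKE is passed to every make invocation of the recipe, this override would also reach an install step if the recipe runs one, and a Makefile that derives install directories from `prefix` would then place files under the sysroot path. The install task is not part of this diff, so that should be confirmed. A short comment above EXTRA_OEMAKE saying what the upstream Makefile looks up under `prefix` would help.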
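Review bot: `ENABLE_SBSIGN=1` is added in the second EXTRA_OEMAKE hunk without a word on what it signs, while the same commit drops 0010, whose stated purpose was to keep the Makefile from signing the efi binaries at build time so that a separate function in the recipe can apply the intended key. Going by the removed 0007 patch, the flag presumably only selects sbsign for the `%.efi.signed` rule, but whether `$(TARGETS)` at the new SRCREV still builds `.efi.signed` outputs cannot be seen from this diff. I would add a comment above EXTRA_OEMAKE such as `# ENABLE_SBSIGN only selects the signing tool; deployed images are signed by the recipe, not with the Makefile's shim.key`, and verify that no artifact signed with the generated shim.key ends up deployed. The EXTRA_OEMAKE assignment starts outside this hunk.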