From ed0de6b2955a849fcc87fcb7b09607e3948faa85 Mon Sep 17 00:00:00 2001 From: Mark Hatle Date: Mon, 4 Sep 2017 21:23:42 -0500 Subject: meta-efi-secure-boot: only apply if efi-secure-boot distro flag set Only apply grub-efi and linux-yocto bbappend if feature efi-secure-boot set Signed-off-by: Mark Hatle Signed-off-by: Yi Zhao --- .../recipes-bsp/grub/grub-efi-efi-secure-boot.inc | 148 ++++++++++++++++++++ .../recipes-bsp/grub/grub-efi_2.%.bbappend | 149 +-------------------- .../recipes-kernel/linux/linux-yocto-rt_%.bbappend | 2 +- .../recipes-kernel/linux/linux-yocto_%.bbappend | 2 +- 4 files changed, 151 insertions(+), 150 deletions(-) create mode 100644 meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc new file mode 100644 index 0000000..da3fda9 --- /dev/null +++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc @@ -0,0 +1,148 @@ +DEPENDS += "openssl-native" +FILESEXTRAPATHS_prepend := "${THISDIR}/grub-efi:" + +EXTRA_SRC_URI = "\ + ${@'file://efi-secure-boot.inc file://password.inc' if d.getVar('UEFI_SB', True) == '1' else ''} \ +" + +SRC_URI += "\ + file://0001-pe32.h-add-header-structures-for-TE-and-DOS-executab.patch \ + file://0002-shim-add-needed-data-structures.patch \ + file://0003-efi-chainloader-implement-an-UEFI-Exit-service-for-s.patch \ + file://0004-efi-chainloader-port-shim-to-grub.patch \ + file://0005-efi-chainloader-use-shim-to-load-and-verify-an-image.patch \ + file://0006-efi-chainloader-boot-the-image-using-shim.patch \ + file://0007-efi-chainloader-take-care-of-unload-undershim.patch \ + file://chainloader-handle-the-unauthenticated-image-by-shim.patch \ + file://chainloader-Don-t-check-empty-section-in-file-like-..patch \ + file://chainloader-Actually-find-the-relocations-correctly-.patch \ + file://efi-chainloader-implemented-for-32-bit.patch \ + file://Grub-get-and-set-efi-variables.patch \ + file://mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch \ + file://grub-efi.cfg \ + file://boot-menu.inc \ + ${EXTRA_SRC_URI} \ +" + +# functions efi_call_foo and efi_shim_exit are not implemented for arm64 yet +COMPATIBLE_HOST_aarch64 = 'null' + +EFI_BOOT_PATH = "/boot/efi/EFI/BOOT" + +GRUB_BUILDIN_append += " chain ${@'efivar mok2verify password_pbkdf2' \ + if d.getVar('UEFI_SB', True) == '1' else ''}" + +# For efi_call_foo and efi_shim_exit +CFLAGS_append = " -fno-toplevel-reorder" + +# Set a default root specifier. +inherit user-key-store + +python __anonymous () { + if d.getVar('UEFI_SB', True) != "1": + return + + # Override the default filename if efi-secure-boot enabled. + # grub-efi must be renamed as grub${arch}.efi for working with shim + # or SELoader. + import re + + target = d.getVar('TARGET_ARCH', True) + if target == "x86_64": + grubimage = "grubx64.efi" + elif re.match('i.86', target): + grubimage = "grubia32.efi" + else: + raise bb.parse.SkipPackage("grub-efi is incompatible with target %s" % target) + + d.setVar("GRUB_IMAGE", grubimage) +} + +do_compile_append_class-native() { + make grub-editenv +} + +do_install_append_class-native() { + install -m 0755 grub-editenv "${D}${bindir}" +} + +do_install_append_class-target() { + local menu="${WORKDIR}/boot-menu.inc" + + # Enable the default IMA rules if IMA is enabled and luks is disabled. + # This is because unseal operation will fail when any PCR is extended + # due to updating the aggregate integrity value by the default IMA rules. + [ x"${IMA}" = x"1" -a x"${@bb.utils.contains('DISTRO_FEATURES', 'luks', '1', '0', d)}" != x"1" ] && { + ! grep -q "ima_policy=tcb" "$menu" && + sed -i 's/^\s*linux\s\+.*bzImage.*/& ima_policy=tcb/g' "$menu" + } + + # Replace the root parameter in boot command line with BOOT_CMD_ROOT, + # which can be configured. It is helpful when secure boot is enabled. + [ -n "${BOOT_CMD_ROOT}" ] && { + sed -i "s,root=/dev/hda2,root=${BOOT_CMD_ROOT},g" "$menu" + } + + # Install the stacked grub configs. + install -d "${D}${EFI_BOOT_PATH}" + install -m 0600 "${WORKDIR}/grub-efi.cfg" "${D}${EFI_BOOT_PATH}/grub.cfg" + install -m 0600 "$menu" "${D}${EFI_BOOT_PATH}" + [ x"${UEFI_SB}" = x"1" ] && { + install -m 0600 "${WORKDIR}/efi-secure-boot.inc" "${D}${EFI_BOOT_PATH}" + install -m 0600 "${WORKDIR}/password.inc" "${D}${EFI_BOOT_PATH}" + } + + # Create the initial environment block with empty item. + grub-editenv "${D}${EFI_BOOT_PATH}/grubenv" create + + install -d "${D}${EFI_BOOT_PATH}/${GRUB_TARGET}-efi" + grub-mkimage -p /EFI/BOOT -d "./grub-core" \ + -O "${GRUB_TARGET}-efi" -o "${B}/${GRUB_IMAGE}" \ + ${GRUB_BUILDIN} + + install -m 0644 "${B}/${GRUB_IMAGE}" "${D}${EFI_BOOT_PATH}/${GRUB_IMAGE}" + + # Install the modules to grub-efi's search path + make -C grub-core install DESTDIR="${D}${EFI_BOOT_PATH}" pkglibdir="" + + # Remove .module + rm -f ${D}${EFI_BOOT_PATH}/${GRUB_TARGET}-efi/*.module +} + +fakeroot python do_sign_class-target() { + image_dir = d.getVar('D', True) + efi_boot_path = d.getVar('EFI_BOOT_PATH', True) + grub_image = d.getVar('GRUB_IMAGE', True) + dir = image_dir + efi_boot_path + '/' + + sb_sign(dir + grub_image, dir + grub_image, d) + uks_sel_sign(dir + 'grub.cfg', d) + uks_sel_sign(dir + 'boot-menu.inc', d) + + if d.getVar('UEFI_SB', True) == "1": + uks_sel_sign(dir + 'efi-secure-boot.inc', d) + uks_sel_sign(dir + 'password.inc', d) +} + +python do_sign() { +} +addtask sign after do_install before do_deploy do_package +do_sign[prefuncs] += "check_deploy_keys" + +# Override the do_deploy() in oe-core. +do_deploy_class-target() { + install -m 0644 "${D}${EFI_BOOT_PATH}/${GRUB_IMAGE}" "${DEPLOYDIR}" + + install -d "${DEPLOYDIR}/efi-unsigned" + install -m 0644 "${B}/${GRUB_IMAGE}" "${DEPLOYDIR}/efi-unsigned" + cp -af "${D}${EFI_BOOT_PATH}/${GRUB_TARGET}-efi" "${DEPLOYDIR}/efi-unsigned" +} + +FILES_${PN} += "/boot/efi" + +CONFFILES_${PN} += "\ + ${EFI_BOOT_PATH}/grub.cfg \ + ${EFI_BOOT_PATH}/grubenv \ + ${EFI_BOOT_PATH}/boot-menu.inc \ + ${EFI_BOOT_PATH}/efi-secure-boot.inc \ +" diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.%.bbappend b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.%.bbappend index da3fda9..e14f815 100644 --- a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.%.bbappend +++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.%.bbappend @@ -1,148 +1 @@ -DEPENDS += "openssl-native" -FILESEXTRAPATHS_prepend := "${THISDIR}/grub-efi:" - -EXTRA_SRC_URI = "\ - ${@'file://efi-secure-boot.inc file://password.inc' if d.getVar('UEFI_SB', True) == '1' else ''} \ -" - -SRC_URI += "\ - file://0001-pe32.h-add-header-structures-for-TE-and-DOS-executab.patch \ - file://0002-shim-add-needed-data-structures.patch \ - file://0003-efi-chainloader-implement-an-UEFI-Exit-service-for-s.patch \ - file://0004-efi-chainloader-port-shim-to-grub.patch \ - file://0005-efi-chainloader-use-shim-to-load-and-verify-an-image.patch \ - file://0006-efi-chainloader-boot-the-image-using-shim.patch \ - file://0007-efi-chainloader-take-care-of-unload-undershim.patch \ - file://chainloader-handle-the-unauthenticated-image-by-shim.patch \ - file://chainloader-Don-t-check-empty-section-in-file-like-..patch \ - file://chainloader-Actually-find-the-relocations-correctly-.patch \ - file://efi-chainloader-implemented-for-32-bit.patch \ - file://Grub-get-and-set-efi-variables.patch \ - file://mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch \ - file://grub-efi.cfg \ - file://boot-menu.inc \ - ${EXTRA_SRC_URI} \ -" - -# functions efi_call_foo and efi_shim_exit are not implemented for arm64 yet -COMPATIBLE_HOST_aarch64 = 'null' - -EFI_BOOT_PATH = "/boot/efi/EFI/BOOT" - -GRUB_BUILDIN_append += " chain ${@'efivar mok2verify password_pbkdf2' \ - if d.getVar('UEFI_SB', True) == '1' else ''}" - -# For efi_call_foo and efi_shim_exit -CFLAGS_append = " -fno-toplevel-reorder" - -# Set a default root specifier. -inherit user-key-store - -python __anonymous () { - if d.getVar('UEFI_SB', True) != "1": - return - - # Override the default filename if efi-secure-boot enabled. - # grub-efi must be renamed as grub${arch}.efi for working with shim - # or SELoader. - import re - - target = d.getVar('TARGET_ARCH', True) - if target == "x86_64": - grubimage = "grubx64.efi" - elif re.match('i.86', target): - grubimage = "grubia32.efi" - else: - raise bb.parse.SkipPackage("grub-efi is incompatible with target %s" % target) - - d.setVar("GRUB_IMAGE", grubimage) -} - -do_compile_append_class-native() { - make grub-editenv -} - -do_install_append_class-native() { - install -m 0755 grub-editenv "${D}${bindir}" -} - -do_install_append_class-target() { - local menu="${WORKDIR}/boot-menu.inc" - - # Enable the default IMA rules if IMA is enabled and luks is disabled. - # This is because unseal operation will fail when any PCR is extended - # due to updating the aggregate integrity value by the default IMA rules. - [ x"${IMA}" = x"1" -a x"${@bb.utils.contains('DISTRO_FEATURES', 'luks', '1', '0', d)}" != x"1" ] && { - ! grep -q "ima_policy=tcb" "$menu" && - sed -i 's/^\s*linux\s\+.*bzImage.*/& ima_policy=tcb/g' "$menu" - } - - # Replace the root parameter in boot command line with BOOT_CMD_ROOT, - # which can be configured. It is helpful when secure boot is enabled. - [ -n "${BOOT_CMD_ROOT}" ] && { - sed -i "s,root=/dev/hda2,root=${BOOT_CMD_ROOT},g" "$menu" - } - - # Install the stacked grub configs. - install -d "${D}${EFI_BOOT_PATH}" - install -m 0600 "${WORKDIR}/grub-efi.cfg" "${D}${EFI_BOOT_PATH}/grub.cfg" - install -m 0600 "$menu" "${D}${EFI_BOOT_PATH}" - [ x"${UEFI_SB}" = x"1" ] && { - install -m 0600 "${WORKDIR}/efi-secure-boot.inc" "${D}${EFI_BOOT_PATH}" - install -m 0600 "${WORKDIR}/password.inc" "${D}${EFI_BOOT_PATH}" - } - - # Create the initial environment block with empty item. - grub-editenv "${D}${EFI_BOOT_PATH}/grubenv" create - - install -d "${D}${EFI_BOOT_PATH}/${GRUB_TARGET}-efi" - grub-mkimage -p /EFI/BOOT -d "./grub-core" \ - -O "${GRUB_TARGET}-efi" -o "${B}/${GRUB_IMAGE}" \ - ${GRUB_BUILDIN} - - install -m 0644 "${B}/${GRUB_IMAGE}" "${D}${EFI_BOOT_PATH}/${GRUB_IMAGE}" - - # Install the modules to grub-efi's search path - make -C grub-core install DESTDIR="${D}${EFI_BOOT_PATH}" pkglibdir="" - - # Remove .module - rm -f ${D}${EFI_BOOT_PATH}/${GRUB_TARGET}-efi/*.module -} - -fakeroot python do_sign_class-target() { - image_dir = d.getVar('D', True) - efi_boot_path = d.getVar('EFI_BOOT_PATH', True) - grub_image = d.getVar('GRUB_IMAGE', True) - dir = image_dir + efi_boot_path + '/' - - sb_sign(dir + grub_image, dir + grub_image, d) - uks_sel_sign(dir + 'grub.cfg', d) - uks_sel_sign(dir + 'boot-menu.inc', d) - - if d.getVar('UEFI_SB', True) == "1": - uks_sel_sign(dir + 'efi-secure-boot.inc', d) - uks_sel_sign(dir + 'password.inc', d) -} - -python do_sign() { -} -addtask sign after do_install before do_deploy do_package -do_sign[prefuncs] += "check_deploy_keys" - -# Override the do_deploy() in oe-core. -do_deploy_class-target() { - install -m 0644 "${D}${EFI_BOOT_PATH}/${GRUB_IMAGE}" "${DEPLOYDIR}" - - install -d "${DEPLOYDIR}/efi-unsigned" - install -m 0644 "${B}/${GRUB_IMAGE}" "${DEPLOYDIR}/efi-unsigned" - cp -af "${D}${EFI_BOOT_PATH}/${GRUB_TARGET}-efi" "${DEPLOYDIR}/efi-unsigned" -} - -FILES_${PN} += "/boot/efi" - -CONFFILES_${PN} += "\ - ${EFI_BOOT_PATH}/grub.cfg \ - ${EFI_BOOT_PATH}/grubenv \ - ${EFI_BOOT_PATH}/boot-menu.inc \ - ${EFI_BOOT_PATH}/efi-secure-boot.inc \ -" +require ${@bb.utils.contains('DISTRO_FEATURES', 'efi-secure-boot', 'grub-efi-efi-secure-boot.inc', '', d)} diff --git a/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-rt_%.bbappend b/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-rt_%.bbappend index 956a35c..83ea2eb 100644 --- a/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-rt_%.bbappend +++ b/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto-rt_%.bbappend @@ -1 +1 @@ -require linux-yocto-efi-secure-boot.inc +require ${@bb.utils.contains('DISTRO_FEATURES', 'efi-secure-boot', 'linux-yocto-efi-secure-boot.inc', '', d)} diff --git a/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto_%.bbappend b/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto_%.bbappend index 956a35c..83ea2eb 100644 --- a/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto_%.bbappend +++ b/meta-efi-secure-boot/recipes-kernel/linux/linux-yocto_%.bbappend @@ -1 +1 @@ -require linux-yocto-efi-secure-boot.inc +require ${@bb.utils.contains('DISTRO_FEATURES', 'efi-secure-boot', 'linux-yocto-efi-secure-boot.inc', '', d)} -- cgit v1.2.3-54-g00ecf