# Target-side efitools recipe; shared metadata (SRC_URI, tasks) comes from the
# included .inc file.
require efitools.inc
# The generated native binaries are used during native and target build
DEPENDS += "${BPN}-native gnu-efi openssl"
# Local patches applied on top of the SRC_URI inherited from efitools.inc.
SRC_URI:append = " \
file://LockDown-enable-the-enrollment-for-DBX.patch \
file://LockDown-show-the-error-message-with-3-sec-timeout.patch \
file://Makefile-do-not-build-signed-efi-image.patch \
file://Build-DBX-by-default.patch \
file://LockDown-disable-the-entrance-into-BIOS-setup-to-re-.patch \
file://Fix-help2man-error.patch \
"
# Restrict the build to x86 / x86_64 Linux targets.
COMPATIBLE_HOST = '(i.86|x86_64).*-linux'
# user-key-store presumably provides the uks_signing_model / uefi_sb_keys_dir /
# create_uefi_dbx helpers called by do_prepare_signing_keys below (confirm in
# the class); deploy provides do_deploy and DEPLOYDIR.
inherit user-key-store deploy
# Point the Makefile at the target sysroot for headers and CRT objects, and at
# the native sysroot for the efitools helper binaries and help2man, so the
# target build never runs target-compiled tools. MYGUID is the owner GUID the
# Makefile passes (-g) when it generates EFI signature lists.
EXTRA_OEMAKE:append = " \
INCDIR_PREFIX='${STAGING_DIR_TARGET}' \
CRTPATH_PREFIX='${STAGING_DIR_TARGET}' \
SIGN_EFI_SIG_LIST='${STAGING_BINDIR_NATIVE}/sign-efi-sig-list' \
CERT_TO_EFI_SIG_LIST='${STAGING_BINDIR_NATIVE}/cert-to-efi-sig-list' \
CERT_TO_EFI_HASH_LIST='${STAGING_BINDIR_NATIVE}/cert-to-efi-hash-list' \
HASH_TO_EFI_SIG_LIST='${STAGING_BINDIR_NATIVE}/hash-to-efi-sig-list' \
MYGUID='${UEFI_SIG_OWNER_GUID}' \
HELP2MAN_PROG_PREFIX='${STAGING_BINDIR_NATIVE}' \
"
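python do_prepare_signing_keys() {
    # Stage the PK, KEK and DB certificate/key pairs (and, when one is
    # produced, a DBX signature list) into ${S} so the efitools Makefile can
    # embed them into LockDown.efi.
    #
    # No-op unless UEFI_SB == '1'.
    # Reads:  UEFI_SB, S, SAMPLE_UEFI_SB_KEYS_DIR, DISTRO_FEATURES,
    #         MSFT_DB_CERT, MSFT_KEK_CERT, plus whatever the user-key-store
    #         helpers (uks_signing_model, uefi_sb_keys_dir, create_uefi_dbx) read.
    # Writes: ${S}/{PK,KEK,DB}.crt and .key; ${S}/DBX.crt and ${S}/DBX.esl
    #         when create_uefi_dbx() returns a path.
    import os
    import shutil
    import time

    if d.getVar('UEFI_SB') != '1':
        return

    src_dir = d.getVar('S')

    # The 'sample' and 'user' signing models take their keys from the
    # user-key-store directory; every other model falls back to the sample keys.
    if uks_signing_model(d) in ('sample', 'user'):
        keys_dir = uefi_sb_keys_dir(d)
    else:
        keys_dir = d.getVar('SAMPLE_UEFI_SB_KEYS_DIR')

    # Note that the private key (.key) of each variable is copied into the
    # build tree alongside its certificate. os.path.join tolerates a keys_dir
    # returned with or without a trailing slash.
    for name in ('PK', 'KEK', 'DB'):
        for ext in ('.crt', '.key'):
            shutil.copyfile(os.path.join(keys_dir, name + ext),
                            os.path.join(src_dir, name + ext))

    # With the 'msft' distro feature, the DB and KEK certificates are replaced
    # by the Microsoft ones so LockDown.efi enrolls those. bb.utils.contains()
    # is called directly instead of through an inline '${@...}' expansion, so
    # the check does not depend on BitBake substituting into the text of a
    # python function body.
    if bb.utils.contains('DISTRO_FEATURES', 'msft', True, False, d):
        shutil.copyfile(d.getVar('MSFT_DB_CERT'), os.path.join(src_dir, 'DB.crt'))
        shutil.copyfile(d.getVar('MSFT_KEK_CERT'), os.path.join(src_dir, 'KEK.crt'))

    dbx_path = create_uefi_dbx(d)
    if dbx_path:
        dbx_crt = os.path.join(src_dir, 'DBX.crt')
        dbx_esl = os.path.join(src_dir, 'DBX.esl')
        # The DBX comes as a ready-made .esl, not a certificate. An empty
        # DBX.crt satisfies the Makefile's prerequisite for this rule:
        #   %.esl: %.crt cert-to-efi-sig-list
        #       $(CERT_TO_EFI_SIG_LIST) -g $(MYGUID) $< $@
        # which would otherwise overwrite DBX.esl with a list generated from
        # the (empty) .crt.
        open(dbx_crt, 'w').close()
        shutil.copyfile(dbx_path, dbx_esl)
        # Push DBX.esl's mtime far into the future (2038-01-01) so make always
        # considers it newer than DBX.crt and skips the rule above.
        future = time.mktime(time.strptime('2038-01-01 00:00:00',
                                           '%Y-%m-%d %H:%M:%S'))
        os.utime(dbx_esl, (future, future))
}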
# Stage the keys between configure and compile so the Makefile finds them in
# ${S}. check_deploy_keys (defined elsewhere, presumably in user-key-store)
# runs first as a prefunc.
addtask prepare_signing_keys after do_configure before do_compile
do_prepare_signing_keys[prefuncs] += "check_deploy_keys"
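do_install:append() {
    # Also place the LockDown.efi that do_install put under
    # ${datadir}/efitools/efi into the EFI boot directory of ${D}.
    # Paths are quoted so a space in ${D}, ${datadir} or ${EFI_BOOT_PATH}
    # cannot split an argument, consistent with the quoting in do_deploy.
    install -d "${D}${EFI_BOOT_PATH}"
    install -m 0755 "${D}${datadir}/efitools/efi/LockDown.efi" "${D}${EFI_BOOT_PATH}"
}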
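do_deploy() {
    # Copy LockDown.efi, and its detached signature when one exists next to it,
    # from the install tree into DEPLOYDIR. Mode 0600 keeps the deployed files
    # readable by the build user only. All paths are quoted consistently
    # (the original quoted DEPLOYDIR but not the ${D} paths or the -e test).
    install -d "${DEPLOYDIR}"
    install -m 0600 "${D}${EFI_BOOT_PATH}/LockDown.efi" "${DEPLOYDIR}"
    # The .sig is optional; it is produced elsewhere and only copied here.
    if [ -e "${D}${EFI_BOOT_PATH}/LockDown.efi.sig" ]; then
        install -m 0600 "${D}${EFI_BOOT_PATH}/LockDown.efi.sig" "${DEPLOYDIR}"
    fi
}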
# Deploy only after do_install has placed LockDown.efi (and any .sig) in ${D}.
addtask deploy after do_install before do_build
# Extra runtime dependencies of the main package.
RDEPENDS:${PN}:append = " \
parted mtools coreutils util-linux openssl libcrypto \
"