# BitBake recipe metadata for SELoader, a UEFI bootloader component that
# authenticates both PE and non-PE boot files (details in DESCRIPTION).
SUMMARY = "The bootloader capable of authenticating the PE and non-PE files."
DESCRIPTION = "The SELoader is designed to authenticate the non-PE files, \
such as grub configuration, initrd, grub modules, which cannot be verified \
by the MOK Verify Protocol registered by shim loader. \
\
In order to conveniently authenticate the PE file with gBS->LoadImage() \
and gBS->StartImage(), the SELoader hooks EFI Security2 Architectural \
Protocol and employs MOK Verify Protocol to verify the PE file. If only \
UEFI Secure Boot is enabled, the SELoader just simplily calls \
gBS->LoadImage() and gBS->StartImage() to allow BIOS to verify PE file. \
\
The SELoader publishes MOK2 Verify Protocol which provides a flexible \
interface to allow the bootloader to verify the file, file buffer or \
memory buffer without knowing the file format. \
"
AUTHOR = "Jia Zhang"
HOMEPAGE = "https://github.com/jiazhang0/SELoader"
SECTION = "bootloaders"
LICENSE = "BSD-3-Clause"
# LIC_FILES_CHKSUM tracks changes to the license text only. The md5 here is
# not what fixes the source contents; for this git fetch SRCREV does that.
LIC_FILES_CHKSUM = "file://LICENSE;md5=d9bf404642f21afb4ad89f95d7bc91ee"
# Build-time dependencies. sbsigntool-native supplies the sbsign binary that
# EXTRA_OEMAKE passes to the upstream Makefile as SBSIGN.
DEPENDS += "\
gnu-efi sbsigntool-native openssl-native ovmf \
"
PV = "0.4.6+git${SRCPV}"
# Fetched over HTTPS from the master branch. SRCREV names the exact commit to
# build, so a moving branch head does not change what goes into the loader;
# update SRCREV (and PV when the upstream version changes) deliberately.
SRC_URI = "\
git://github.com/jiazhang0/SELoader.git;branch=master;protocol=https \
"
SRCREV = "8b90f76a8df51d9020e67824026556434f407086"
S = "${WORKDIR}/git"
# Only x86 Linux hosts are accepted, matching the two EFI_ARCH overrides below.
COMPATIBLE_HOST = '(i.86|x86_64).*-linux'
# Empty value: no parallel-make options are passed for this recipe.
# NOTE(review): presumably the upstream Makefile is not safe under -j; confirm.
PARALLEL_MAKE = ""
# NOTE(review): user-key-store is presumably the class that defines sb_sign and
# check_deploy_keys used by do_sign; neither is visible in this recipe.
inherit deploy user-key-store
# Variables handed to the upstream Makefile: cross-toolchain prefix, the native
# sbsign path, the gnu-efi library directory and the libgcc file reported by
# the compiler.
EXTRA_OEMAKE = "\
CROSS_COMPILE="${TARGET_PREFIX}" \
SBSIGN=${STAGING_BINDIR_NATIVE}/sbsign \
gnuefi_libdir=${STAGING_LIBDIR} \
LIB_GCC="`${CC} -print-libgcc-file-name`" \
"
# Architecture suffix used in the installed file names (SELoader${EFI_ARCH}.efi).
EFI_ARCH:x86 = "ia32"
EFI_ARCH:x86-64 = "x64"
# Directory inside the image where do_install places the loader.
EFI_TARGET = "/boot/efi/EFI/BOOT"
python do_sign() {
    # Sign the compiled loader. The signed copy is written next to the
    # unsigned build output with a ".signed" suffix; the unsigned file stays
    # in place (do_deploy later copies it to efi-unsigned).
    # NOTE(review): sb_sign is not defined in this recipe; which key it uses
    # and whether it honours UEFI_SB/MOK_SB must be checked where it is defined.
    unsigned_image = d.expand('${B}/Src/Efi/SELoader.efi')
    signed_image = d.expand('${B}/Src/Efi/SELoader.efi.signed')
    sb_sign(unsigned_image, signed_image, d)
}
# Schedule do_sign after compilation and before installation, so the signed
# image already exists when do_install runs.
addtask sign after do_compile before do_install
# check_deploy_keys runs before do_sign on every execution of the task.
# NOTE(review): it is not defined here; confirm that it fails the build when
# the signing keys are missing rather than only warning.
do_sign[prefuncs] += "check_deploy_keys"
do_install() {
    # Install the loader into the EFI boot directory of the image root.
    # NOTE(review): which file the upstream "install" target copies (the
    # .signed output of do_sign or the unsigned build) is decided by the
    # upstream Makefile and is not visible here; confirm it is the signed one.
    install -d ${D}${EFI_TARGET}
    oe_runmake install EFI_DESTDIR=${D}${EFI_TARGET}

    # Remove precompiled files, now provided by OVMF
    rm -f ${D}${EFI_TARGET}/Hash2DxeCrypto.efi
    rm -f ${D}${EFI_TARGET}/Pkcs7VerifyDxe.efi

    # With UEFI Secure Boot on and MOK Secure Boot off, the loader is renamed
    # to boot${EFI_ARCH}.efi. do_deploy uses the same condition to choose the
    # file name it copies, so the two must be kept in step.
    if [ x"${UEFI_SB}" = x"1" ] && [ x"${MOK_SB}" != x"1" ]; then
        mv "${D}${EFI_TARGET}/SELoader${EFI_ARCH}.efi" \
           "${D}${EFI_TARGET}/boot${EFI_ARCH}.efi"
    fi
}
do_deploy() {
    # Deploy the unsigned image for manual signing. It goes into its own
    # efi-unsigned directory so it is not confused with the bootable image.
    install -d "${DEPLOYDIR}/efi-unsigned"
    install -m 0600 "${B}/Src/Efi/SELoader.efi" \
        "${DEPLOYDIR}/efi-unsigned/SELoader${EFI_ARCH}.efi"

    # Deploy the image that do_install placed in ${D}. The name follows the
    # rename done in do_install: "boot" when UEFI Secure Boot is on and MOK
    # Secure Boot is off, "SELoader" in every other case.
    SEL_NAME=SELoader
    if [ x"${UEFI_SB}" = x"1" ] && [ x"${MOK_SB}" != x"1" ]; then
        SEL_NAME=boot
    fi

    install -m 0600 "${D}${EFI_TARGET}/${SEL_NAME}${EFI_ARCH}.efi" \
        "${DEPLOYDIR}/${SEL_NAME}${EFI_ARCH}.efi"
}
# do_deploy copies from ${D}, so it is ordered after do_install.
addtask deploy after do_install before do_build
# NOTE(review): ovmf-pkcs7-efi presumably supplies at run time the EFI drivers
# that do_install removes from this package; confirm against the ovmf recipe.
RDEPENDS:${PN} += "ovmf-pkcs7-efi"
# Package everything installed under the EFI boot directory.
FILES:${PN} += "${EFI_TARGET}"
# Allow the efi-unsigned directory in the shared image deploy directory to
# overlap with output from other recipes.
# NOTE(review): newer Yocto releases renamed this variable to
# SSTATE_ALLOW_OVERLAP_FILES; confirm which name the target release expects.
SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/efi-unsigned"