
[v4,04/13] uefi-sb-keys.bbclass: Add class to validate UEFI keys

Message ID 20240829163209.47945-5-javier.tia@linaro.org
State New
Series qemuarm64-secureboot: Add UEFI Secure Boot

Commit Message

Javier Tia Aug. 29, 2024, 4:32 p.m. UTC
Without UEFI keys, signing will fail and the OS will not boot.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 meta-arm/classes/uefi-sb-keys.bbclass | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 meta-arm/classes/uefi-sb-keys.bbclass

Comments

Jon Mason Aug. 30, 2024, 2:03 p.m. UTC | #1
On Thu, Aug 29, 2024 at 10:32:00AM -0600, Javier Tia wrote:
> Without UEFI keys, signing will fail and the OS will not boot.

I think this can be squashed with the previous commit.

Thanks,
Jon

> 
> Signed-off-by: Javier Tia <javier.tia@linaro.org>
> ---
>  meta-arm/classes/uefi-sb-keys.bbclass | 24 ++++++++++++++++++++++++
>  1 file changed, 24 insertions(+)
>  create mode 100644 meta-arm/classes/uefi-sb-keys.bbclass
> 
> diff --git a/meta-arm/classes/uefi-sb-keys.bbclass b/meta-arm/classes/uefi-sb-keys.bbclass
> new file mode 100644
> index 00000000..e800b4c6
> --- /dev/null
> +++ b/meta-arm/classes/uefi-sb-keys.bbclass
> @@ -0,0 +1,24 @@
> +# Validate UEFI keys
> +python __anonymous () {
> +    if d.getVar("UEFI_SB_KEYS_DIR", False) is None:
> +        raise bb.parse.SkipRecipe("UEFI_SB_KEYS_DIR is not set.")
> +
> +    # keys used for UEFI secure boot
> +    uefi_sb_keys = d.getVar("UEFI_SB_KEYS_DIR")
> +
> +    keys_to_check = [
> +        uefi_sb_keys + "/PK.esl",
> +        uefi_sb_keys + "/KEK.esl",
> +        uefi_sb_keys + "/dbx.esl",
> +        uefi_sb_keys + "/db.esl",
> +        uefi_sb_keys + "/db.key",
> +        uefi_sb_keys + "/db.crt",
> +    ]
> +
> +    missing_keys = [f for f in keys_to_check if not os.path.exists(f)]
> +
> +    if missing_keys:
> +        raise bb.parse.SkipRecipe("Required missing keys: %s" % (", ".join(missing_keys), )
> +            + ".\nRun %s/gen_uefi_keys.sh to generate missing keys." % uefi_sb_keys)
> +
> +}
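
Review bot: the `missing_keys` comprehension only tests `os.path.exists(f)`, which is also true for a directory or a zero-length file, so a class headed "Validate UEFI keys" would accept an empty `db.key` or `PK.esl` and let the failure surface later at signing time. Consider `os.path.isfile(f) and os.path.getsize(f) > 0` for each entry, or reword the header comment to say that only presence is checked and content is not verified.
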
> -- 
> 2.46.0
> 
>

Patch

diff --git a/meta-arm/classes/uefi-sb-keys.bbclass b/meta-arm/classes/uefi-sb-keys.bbclass
new file mode 100644
index 00000000..e800b4c6
--- /dev/null
+++ b/meta-arm/classes/uefi-sb-keys.bbclass
@@ -0,0 +1,24 @@ 
+# Validate UEFI keys
+python __anonymous () {
+    if d.getVar("UEFI_SB_KEYS_DIR", False) is None:
+        raise bb.parse.SkipRecipe("UEFI_SB_KEYS_DIR is not set.")
+
+    # keys used for UEFI secure boot
+    uefi_sb_keys = d.getVar("UEFI_SB_KEYS_DIR")
+
+    keys_to_check = [
+        uefi_sb_keys + "/PK.esl",
+        uefi_sb_keys + "/KEK.esl",
+        uefi_sb_keys + "/dbx.esl",
+        uefi_sb_keys + "/db.esl",
+        uefi_sb_keys + "/db.key",
+        uefi_sb_keys + "/db.crt",
+    ]
+
+    missing_keys = [f for f in keys_to_check if not os.path.exists(f)]
+
+    if missing_keys:
+        raise bb.parse.SkipRecipe("Required missing keys: %s" % (", ".join(missing_keys), )
+            + ".\nRun %s/gen_uefi_keys.sh to generate missing keys." % uefi_sb_keys)
+
+}
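
Review bot: the first check, `d.getVar("UEFI_SB_KEYS_DIR", False) is None`, only catches an unset variable; if the variable is set to an empty string the test passes, the paths become `/PK.esl`, `/KEK.esl` and so on, and the hint in the final `raise` reads `Run /gen_uefi_keys.sh`. Fetch the expanded value once and skip when it is empty (`if not uefi_sb_keys:`), and add a comment that `gen_uefi_keys.sh` is expected to live inside `UEFI_SB_KEYS_DIR`, since the error message relies on that.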