Message ID | 20240829163209.47945-5-javier.tia@linaro.org |
---|---|
State | New |
Series | qemuarm64-secureboot: Add UEFI Secure Boot | expand |
On Thu, Aug 29, 2024 at 10:32:00AM -0600, Javier Tia wrote: > Without UEFI keys, signing will fail and the OS will not boot. I think this can be squashed with the previous commit. Thanks, Jon > > Signed-off-by: Javier Tia <javier.tia@linaro.org> > --- > meta-arm/classes/uefi-sb-keys.bbclass | 24 ++++++++++++++++++++++++ > 1 file changed, 24 insertions(+) > create mode 100644 meta-arm/classes/uefi-sb-keys.bbclass > > diff --git a/meta-arm/classes/uefi-sb-keys.bbclass b/meta-arm/classes/uefi-sb-keys.bbclass > new file mode 100644 > index 00000000..e800b4c6 > --- /dev/null > +++ b/meta-arm/classes/uefi-sb-keys.bbclass > @@ -0,0 +1,24 @@ > +# Validate UEFI keys > +python __anonymous () { > + if d.getVar("UEFI_SB_KEYS_DIR", False) is None: > + raise bb.parse.SkipRecipe("UEFI_SB_KEYS_DIR is not set.") > + > + # keys used for UEFI secure boot > + uefi_sb_keys = d.getVar("UEFI_SB_KEYS_DIR") > + > + keys_to_check = [ > + uefi_sb_keys + "/PK.esl", > + uefi_sb_keys + "/KEK.esl", > + uefi_sb_keys + "/dbx.esl", > + uefi_sb_keys + "/db.esl", > + uefi_sb_keys + "/db.key", > + uefi_sb_keys + "/db.crt", > + ] > + > + missing_keys = [f for f in keys_to_check if not os.path.exists(f)] > + > + if missing_keys: > + raise bb.parse.SkipRecipe("Required missing keys: %s" % (", ".join(missing_keys), ) > + + ".\nRun %s/gen_uefi_keys.sh to generate missing keys." % uefi_sb_keys) > + > +} > -- > 2.46.0 > >
diff --git a/meta-arm/classes/uefi-sb-keys.bbclass b/meta-arm/classes/uefi-sb-keys.bbclass
new file mode 100644
index 00000000..e800b4c6
--- /dev/null
+++ b/meta-arm/classes/uefi-sb-keys.bbclass
@@ -0,0 +1,24 @@
+# Validate UEFI keys
+python __anonymous () {
+ if d.getVar("UEFI_SB_KEYS_DIR", False) is None:
+ raise bb.parse.SkipRecipe("UEFI_SB_KEYS_DIR is not set.")
+
+ # keys used for UEFI secure boot
+ uefi_sb_keys = d.getVar("UEFI_SB_KEYS_DIR")
+
+ keys_to_check = [
+ uefi_sb_keys + "/PK.esl",
+ uefi_sb_keys + "/KEK.esl",
+ uefi_sb_keys + "/dbx.esl",
+ uefi_sb_keys + "/db.esl",
+ uefi_sb_keys + "/db.key",
+ uefi_sb_keys + "/db.crt",
+ ]
+
+ missing_keys = [f for f in keys_to_check if not os.path.exists(f)]
+
+ if missing_keys:
+ raise bb.parse.SkipRecipe("Required missing keys: %s" % (", ".join(missing_keys), )
+ + ".\nRun %s/gen_uefi_keys.sh to generate missing keys." % uefi_sb_keys)
+
+}
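Review bot: The guard at the top of `__anonymous` rejects only an unset variable (`getVar("UEFI_SB_KEYS_DIR", False) is None`), so an empty `UEFI_SB_KEYS_DIR` passes and the checked paths become `/PK.esl`, `/db.key` and so on at the filesystem root. Testing the expanded value instead, `if not d.getVar("UEFI_SB_KEYS_DIR"):`, closes that gap. `os.path.exists(f)` also accepts a directory, so `os.path.isfile(f)` would be a tighter presence check for signing material. Since `db.key` is the private signing key, the header comment could state that this class verifies presence only, for example `# Checks that the key files exist; does not verify permissions or that db.crt matches db.key`. The skip message assumes `gen_uefi_keys.sh` lives inside `UEFI_SB_KEYS_DIR`, which may not hold when the variable points to a custom directory.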
Without UEFI keys, signing will fail and the OS will not boot. Signed-off-by: Javier Tia <javier.tia@linaro.org> --- meta-arm/classes/uefi-sb-keys.bbclass | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 meta-arm/classes/uefi-sb-keys.bbclass