Message ID | 20240829163209.47945-6-javier.tia@linaro.org |
---|---|
State | New |
Headers | show |
Series | qemuarm64-secureboot: Add UEFI Secure Boot | expand |
On Thu, Aug 29, 2024 at 10:32:01AM -0600, Javier Tia wrote:
> A lot of recipes are using these same steps to sign binaries
> for UEFI secure boot.

Okay, I'm being overly nitpicky here. But SB means "sign binary", right? So this is "sign binary sign"? I have a mild concern of name space of "SB" and I think it would generally be more obvious if "sb" became "signbinary" or something similar. I don't have very strong feelings about it. So feel free to ignore if you disagree.

Also, I think this could be squashed with the previous (as I'm having to use a local git branch to review since these patches are split too small).

Thanks,
Jon

>
> Authored-by: Mikko Rapeli <mikko.rapeli@linaro.org>
> Signed-off-by: Javier Tia <javier.tia@linaro.org>
> ---
> meta-arm/classes/sbsign.bbclass | 39 +++++++++++++++++++++++++++++++++
> 1 file changed, 39 insertions(+)
> create mode 100644 meta-arm/classes/sbsign.bbclass
>
> diff --git a/meta-arm/classes/sbsign.bbclass b/meta-arm/classes/sbsign.bbclass
> new file mode 100644
> index 00000000..a99c0218
> --- /dev/null
> +++ b/meta-arm/classes/sbsign.bbclass
> @@ -0,0 +1,39 @@ > +# Sign binaries for UEFI secure boot > +# Usage in recipes: > +# > +# Set key and cert files in recipe or machine/distro config: > +# SBSIGN_KEY = "db.key" > +# SBSIGN_CERT = "db.crt" > +# > +# Set binary to sign per recipe: > +# SBSIGN_TARGET_BINARY = "${B}/binary_to_sign" > +# > +# Then call do_sbsign() in correct stage of the build > +# do_compile:append() { > +# do_sbsign > +# } > + > +DEPENDS += "sbsigntool-native" > + > +SBSIGN_KEY ?= "db.key" > +SBSIGN_CERT ?= "db.crt" > +SBSIGN_TARGET_BINARY ?= "binary_to_sign" > + > +# makes sure changed keys trigger rebuild/re-signing > +SRC_URI += "\ > + file://${SBSIGN_KEY} \ > + file://${SBSIGN_CERT} \ > +" > + > +# not adding as task since recipes may need to sign binaries at different > +# stages. Instead they can call this function when needed by calling this function > +do_sbsign() { > + bbnote "Signing ${PN} binary ${SBSIGN_TARGET_BINARY} with ${SBSIGN_KEY} and ${SBSIGN_CERT}" > + ${STAGING_BINDIR_NATIVE}/sbsign \ > + --key "${UNPACKDIR}/${SBSIGN_KEY}" \ > + --cert "${UNPACKDIR}/${SBSIGN_CERT}" \ > + --output "${SBSIGN_TARGET_BINARY}.signed" \ > + "${SBSIGN_TARGET_BINARY}" > + cp "${SBSIGN_TARGET_BINARY}" "${SBSIGN_TARGET_BINARY}.unsigned" > + cp "${SBSIGN_TARGET_BINARY}.signed" "${SBSIGN_TARGET_BINARY}" > +} > \ No newline at end of file > -- > 2.46.0 > >
Hi,

On Fri, Aug 30, 2024 at 10:12:05AM -0400, Jon Mason wrote:
> On Thu, Aug 29, 2024 at 10:32:01AM -0600, Javier Tia wrote:
> > A lot of recipes are using these same steps to sign binaries
> > for UEFI secure boot.
>
> Okay, I'm being overly nitpicky here. But SB means "sign binary", right? So this is "sign binary sign"? I have a mild concern of name space of "SB" and I think it would generally be more obvious if "sb" became "signbinary" or something similar. I don't have very strong feelings about it. So feel free to ignore if you disagree.

sbsign is the name of the tool used to sign these binaries. Another tool, pesign, can also be used. For example systemd refers to sbsign and defaults to it: https://www.freedesktop.org/software/systemd/man/latest/ukify.html#SecureBootSigningTool=SIGNER

Hence the name of this class, sbsign, and variables with the SBSIGN prefix.

> Also, I think this could be squashed with the previous (as I'm having to use a local git branch to review since these patches are split too small).

Ok.

Cheers,

-Mikko

> Thanks,
> Jon
>
> >
> > Authored-by: Mikko Rapeli <mikko.rapeli@linaro.org>
> > Signed-off-by: Javier Tia <javier.tia@linaro.org>
> > ---
> > meta-arm/classes/sbsign.bbclass | 39 +++++++++++++++++++++++++++++++++
> > 1 file changed, 39 insertions(+)
> > create mode 100644 meta-arm/classes/sbsign.bbclass
> >
> > diff --git a/meta-arm/classes/sbsign.bbclass b/meta-arm/classes/sbsign.bbclass
> > new file mode 100644
> > index 00000000..a99c0218
> > --- /dev/null
> > +++ b/meta-arm/classes/sbsign.bbclass
> > @@ -0,0 +1,39 @@ > > +# Sign binaries for UEFI secure boot > > +# Usage in recipes: > > +# > > +# Set key and cert files in recipe or machine/distro config: > > +# SBSIGN_KEY = "db.key" > > +# SBSIGN_CERT = "db.crt" > > +# > > +# Set binary to sign per recipe: > > +# SBSIGN_TARGET_BINARY = "${B}/binary_to_sign" > > +# > > +# Then call do_sbsign() in correct stage of the build > > +# do_compile:append() { > > +# do_sbsign > > +# } > > + > > +DEPENDS += "sbsigntool-native" > > + > > +SBSIGN_KEY ?= "db.key" > > +SBSIGN_CERT ?= "db.crt" > > +SBSIGN_TARGET_BINARY ?= "binary_to_sign" > > + > > +# makes sure changed keys trigger rebuild/re-signing > > +SRC_URI += "\ > > + file://${SBSIGN_KEY} \ > > + file://${SBSIGN_CERT} \ > > +" > > + > > +# not adding as task since recipes may need to sign binaries at different > > +# stages. Instead they can call this function when needed by calling this function > > +do_sbsign() { > > + bbnote "Signing ${PN} binary ${SBSIGN_TARGET_BINARY} with ${SBSIGN_KEY} and ${SBSIGN_CERT}" > > + ${STAGING_BINDIR_NATIVE}/sbsign \ > > + --key "${UNPACKDIR}/${SBSIGN_KEY}" \ > > + --cert "${UNPACKDIR}/${SBSIGN_CERT}" \ > > + --output "${SBSIGN_TARGET_BINARY}.signed" \ > > + "${SBSIGN_TARGET_BINARY}" > > + cp "${SBSIGN_TARGET_BINARY}" "${SBSIGN_TARGET_BINARY}.unsigned" > > + cp "${SBSIGN_TARGET_BINARY}.signed" "${SBSIGN_TARGET_BINARY}" > > +} > > \ No newline at end of file > > -- > > 2.46.0 > > > >
diff --git a/meta-arm/classes/sbsign.bbclass b/meta-arm/classes/sbsign.bbclass new file mode 100644 index 00000000..a99c0218 --- /dev/null +++ b/meta-arm/classes/sbsign.bbclass @@ -0,0 +1,39 @@ +# Sign binaries for UEFI secure boot +# Usage in recipes: +# +# Set key and cert files in recipe or machine/distro config: +# SBSIGN_KEY = "db.key" +# SBSIGN_CERT = "db.crt" +# +# Set binary to sign per recipe: +# SBSIGN_TARGET_BINARY = "${B}/binary_to_sign" +# +# Then call do_sbsign() in correct stage of the build +# do_compile:append() { +# do_sbsign +# } + +DEPENDS += "sbsigntool-native" + +SBSIGN_KEY ?= "db.key" +SBSIGN_CERT ?= "db.crt" +SBSIGN_TARGET_BINARY ?= "binary_to_sign" + +# makes sure changed keys trigger rebuild/re-signing +SRC_URI += "\ + file://${SBSIGN_KEY} \ + file://${SBSIGN_CERT} \ +" + +# not adding as task since recipes may need to sign binaries at different +# stages. Instead they can call this function when needed by calling this function +do_sbsign() { + bbnote "Signing ${PN} binary ${SBSIGN_TARGET_BINARY} with ${SBSIGN_KEY} and ${SBSIGN_CERT}" + ${STAGING_BINDIR_NATIVE}/sbsign \ + --key "${UNPACKDIR}/${SBSIGN_KEY}" \ + --cert "${UNPACKDIR}/${SBSIGN_CERT}" \ + --output "${SBSIGN_TARGET_BINARY}.signed" \ + "${SBSIGN_TARGET_BINARY}" + cp "${SBSIGN_TARGET_BINARY}" "${SBSIGN_TARGET_BINARY}.unsigned" + cp "${SBSIGN_TARGET_BINARY}.signed" "${SBSIGN_TARGET_BINARY}" +} \ No newline at end of file
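Review bot: do_sbsign is not idempotent and never checks what it produced. The backup `cp "${SBSIGN_TARGET_BINARY}" "${SBSIGN_TARGET_BINARY}.unsigned"` runs after sbsign, so a second invocation in the same ${B} (for example `bitbake -C compile` on the recipe) overwrites .unsigned with the already-signed image and signs a signed file. Take the .unsigned copy before calling sbsign and sign from that copy, and run `sbverify --cert "${UNPACKDIR}/${SBSIGN_CERT}" "${SBSIGN_TARGET_BINARY}.signed"` (shipped by the same sbsigntool-native package) before the final cp, so a mis-keyed or malformed signature fails the build instead of surfacing as a refused boot. The header comment should also say that SBSIGN_KEY and SBSIGN_CERT are fetched through SRC_URI and read from ${UNPACKDIR}, since a key set from a machine or distro config must then be reachable via the recipe's file search path and the private key gets copied into the work directory. Two smaller points: the comment "Instead they can call this function when needed by calling this function" repeats itself, and the file is missing its trailing newline (`\ No newline at end of file`).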
A lot of recipes are using these same steps to sign binaries for UEFI secure boot.

Authored-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
meta-arm/classes/sbsign.bbclass | 39 +++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
create mode 100644 meta-arm/classes/sbsign.bbclass
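The class above wraps sbsign, which appends a PKCS#7 signature to the PE image as a WIN_CERTIFICATE blob and records that blob's file offset and size in the optional header's Certificate Table data directory. The following Python check is an added example, not part of this patch or of meta-arm: it walks those headers to confirm that a signature is actually attached to a binary, which is the cheap sanity check a build or a boot-image audit can make before handing the file to sbverify for cryptographic validation against db.crt. The function names and the skeletal PE32+ image it constructs for demonstration are the example's own; no real EFI binary appears on the page.

```python
"""Check whether a PE/COFF image carries an Authenticode signature entry.

Added example (not part of the meta-arm sbsign.bbclass patch): sbsign stores
its PKCS#7 signature in a WIN_CERTIFICATE blob appended to the file and
records that blob's file offset and size in the Certificate Table data
directory. This reads the entry back. It proves a signature is *attached*;
validating it against db.crt is what `sbverify --cert db.crt file` is for.
"""
import struct
import sys
from typing import Optional, Tuple

# Values from the PE/COFF and Authenticode specifications.
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
CERT_TABLE_INDEX = 4                    # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def certificate_table(image: bytes) -> Optional[Tuple[int, int]]:
    """Return (file_offset, size) of the Certificate Table, or None when the
    image has no signature entry. Raise ValueError for a malformed header."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    opt = coff + 20                     # optional header follows the COFF header
    if len(image) < opt + 2:
        raise ValueError("truncated PE header")
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == PE32_MAGIC:
        dirs = opt + 96                 # data directories follow the fixed part
    elif magic == PE32PLUS_MAGIC:
        dirs = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry = dirs + CERT_TABLE_INDEX * 8
    if entry + 8 > opt + size_of_optional:
        return None                     # header too short to hold the entry
    if entry + 8 > len(image):
        raise ValueError("truncated optional header")
    offset, size = struct.unpack_from("<II", image, entry)
    if offset == 0 or size == 0:
        return None
    # Unlike the other directories, this entry is a raw file offset, not an RVA.
    if offset + size > len(image):
        raise ValueError("certificate table runs past end of file")
    return offset, size


def has_authenticode_signature(image: bytes) -> bool:
    """True when the Certificate Table holds a PKCS#7 WIN_CERTIFICATE."""
    table = certificate_table(image)
    if table is None:
        return False
    offset, size = table
    length, revision, cert_type = struct.unpack_from("<IHH", image, offset)
    return (cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA
            and revision == WIN_CERT_REVISION_2_0
            and 8 < length <= size)


def build_minimal_pe32plus(signature: Optional[bytes]) -> bytes:
    """Construct a skeletal PE32+ image (constructed test data, not a real
    binary): DOS header, PE signature, COFF header, an optional header with
    16 data directories and, if given, an appended WIN_CERTIFICATE."""
    e_lfanew = 0x40
    opt_size = 112 + 16 * 8             # PE32+ fixed part plus 16 directories
    header_end = e_lfanew + 4 + 20 + opt_size
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=x86-64, no sections, no symbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    win_cert = b""
    if signature is not None:
        win_cert = struct.pack("<IHH", 8 + len(signature), WIN_CERT_REVISION_2_0,
                               WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature
        win_cert += b"\0" * (-len(win_cert) % 8)   # table entries are 8-byte aligned
        struct.pack_into("<II", opt, 112 + CERT_TABLE_INDEX * 8,
                         header_end, len(win_cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + win_cert


if __name__ == "__main__":
    # Usage: python3 pe_sigcheck.py /path/to/binary.efi
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    print("signed" if has_authenticode_signature(data) else "NOT signed")
```

Run it over the `${SBSIGN_TARGET_BINARY}` the class leaves behind and over the `.unsigned` copy: the first must report signed and the second must not, which is exactly the pair of outcomes a re-run of the signing step can silently invert. A PE32 (0x10B) image is handled as well; only the directory offset differs.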