
[v1,3/7] qemuarm64-secureboot: Validate UEFI keys exist

Message ID 20240718203526.52214-4-javier.tia@linaro.org
State New
Series qemuarm64-secureboot: Enable UEFI Secure Boot | expand

Commit Message

Javier Tia July 18, 2024, 8:35 p.m. UTC
Without UEFI keys, signing will fail and UEFI Secure Boot will be
disabled.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 .../core-image-base-uefi-secureboot.inc       |  2 ++
 meta-arm/classes/uefi-sb-keys.bbclass         | 24 +++++++++++++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 meta-arm/classes/uefi-sb-keys.bbclass

Patch

diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
index 9f20e3f4..4ab3ecf9 100644
--- a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
+++ b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
@@ -1,3 +1,5 @@ 
+inherit uefi-sb-keys
+
 # Detected by passing kernel parameter
 QB_KERNEL_ROOT = ""
 
diff --git a/meta-arm/classes/uefi-sb-keys.bbclass b/meta-arm/classes/uefi-sb-keys.bbclass
new file mode 100644
index 00000000..e800b4c6
--- /dev/null
+++ b/meta-arm/classes/uefi-sb-keys.bbclass
@@ -0,0 +1,24 @@ 
+# Validate UEFI keys
+python __anonymous () {
+    if d.getVar("UEFI_SB_KEYS_DIR", False) is None:
+        raise bb.parse.SkipRecipe("UEFI_SB_KEYS_DIR is not set.")
+
+    # keys used for UEFI secure boot
+    uefi_sb_keys = d.getVar("UEFI_SB_KEYS_DIR")
+
+    keys_to_check = [
+        uefi_sb_keys + "/PK.esl",
+        uefi_sb_keys + "/KEK.esl",
+        uefi_sb_keys + "/dbx.esl",
+        uefi_sb_keys + "/db.esl",
+        uefi_sb_keys + "/db.key",
+        uefi_sb_keys + "/db.crt",
+    ]
+
+    missing_keys = [f for f in keys_to_check if not os.path.exists(f)]
+
+    if missing_keys:
+        raise bb.parse.SkipRecipe("Required missing keys: %s" % (", ".join(missing_keys), )
+            + ".\nRun %s/gen_uefi_keys.sh to generate missing keys." % uefi_sb_keys)
+
+}
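Review bot: The guard `d.getVar("UEFI_SB_KEYS_DIR", False) is None` only catches an unset variable, so an empty value passes, the six paths resolve against the filesystem root (`/PK.esl`, `/db.key`, ...) and the skip message ends up pointing at `/gen_uefi_keys.sh`. Testing the expanded value instead, `if not d.getVar("UEFI_SB_KEYS_DIR"):`, closes that gap. `os.path.exists` also accepts a directory or a zero-length file, so `os.path.isfile(f) and os.path.getsize(f) > 0` would be a closer match for "signing material is present". Since `db.key` is the private signing key while the `.esl` and `.crt` entries are public material, a one-line comment above `keys_to_check` saying which entry is secret, and that keys produced by `gen_uefi_keys.sh` are presumably meant for development images, would help anyone pointing this class at a real key store.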