@@ -1,3 +1,5 @@
+inherit uefi-sb-keys
+
# Detected by passing kernel parameter
QB_KERNEL_ROOT = ""
new file mode 100644
@@ -0,0 +1,24 @@
+# Validate UEFI keys
+python __anonymous () {
+ if d.getVar("UEFI_SB_KEYS_DIR", False) is None:
+ raise bb.parse.SkipRecipe("UEFI_SB_KEYS_DIR is not set.")
+
+ # keys used for UEFI secure boot
+ uefi_sb_keys = d.getVar("UEFI_SB_KEYS_DIR")
+
+ keys_to_check = [
+ uefi_sb_keys + "/PK.esl",
+ uefi_sb_keys + "/KEK.esl",
+ uefi_sb_keys + "/dbx.esl",
+ uefi_sb_keys + "/db.esl",
+ uefi_sb_keys + "/db.key",
+ uefi_sb_keys + "/db.crt",
+ ]
+
+ missing_keys = [f for f in keys_to_check if not os.path.exists(f)]
+
+ if missing_keys:
+ raise bb.parse.SkipRecipe("Required missing keys: %s" % (", ".join(missing_keys), )
+ + ".\nRun %s/gen_uefi_keys.sh to generate missing keys." % uefi_sb_keys)
+
+}
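Review bot: The `missing_keys` test relies on `os.path.exists`, which is also true for a directory or a zero-length file, so an empty or placeholder `db.key` or `PK.esl` passes validation and the problem only surfaces at the signing step. A tighter test is `missing_keys = [f for f in keys_to_check if not (os.path.isfile(f) and os.path.getsize(f) > 0)]`. The guard at the top rejects only an unset variable: with `UEFI_SB_KEYS_DIR = ""` the list becomes `/PK.esl`, `/KEK.esl`, … at the filesystem root, so `if not d.getVar("UEFI_SB_KEYS_DIR"):` is the safer check. `db.key` is presumably the private signing key, so a comment such as `# db.key is private key material; keep UEFI_SB_KEYS_DIR out of version control` above `keys_to_check` would tell integrators how to treat that directory.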
Without UEFI keys, signing will fail and UEFI Secure Boot will be disabled. Signed-off-by: Javier Tia <javier.tia@linaro.org> --- .../core-image-base-uefi-secureboot.inc | 2 ++ meta-arm/classes/uefi-sb-keys.bbclass | 24 +++++++++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 meta-arm/classes/uefi-sb-keys.bbclass