
[v1,6/7] qemuarm64-secureboot: Setup UEFI linux-yocto and sign kernel image

Message ID 20240718203526.52214-7-javier.tia@linaro.org
State New
Series qemuarm64-secureboot: Enable UEFI Secure Boot | expand

Commit Message

Javier Tia July 18, 2024, 8:35 p.m. UTC
The efivarfs kernel module is required to access EFI variables.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 .../recipes-kernel/linux/linux-yocto%.bbappend |  2 ++
 .../linux/linux-yocto-uefi-secureboot.inc      | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+)
 create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc

Comments

Mikko Rapeli July 19, 2024, 9:36 a.m. UTC | #1
Hi,

Subject should be "linux-yocto: sign kernel image..."

Cheers,

-Mikko

Patch

diff --git a/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend b/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
index a287d0e1..29c21355 100644
--- a/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
+++ b/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
@@ -25,3 +25,5 @@  SRC_URI:append:qemuarm = " \
 
 FFA_TRANSPORT_INCLUDE = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', 'arm-ffa-transport.inc', '' , d)}"
 require ${FFA_TRANSPORT_INCLUDE}
+
+require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'linux-yocto-uefi-secureboot.inc', '', d)}
\ No newline at end of file
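Review bot: Both files touched by this patch end without a trailing newline (this one and `linux-yocto-uefi-secureboot.inc`), so a line appended later to either file would be joined onto the last statement; end each file with a newline. The new `require` also inlines its `bb.utils.contains` expression, while the line above routes the same pattern through `FFA_TRANSPORT_INCLUDE`. A named variable (for example `UEFI_SECUREBOOT_INCLUDE`, set with the same expression and followed by `require ${UEFI_SECUREBOOT_INCLUDE}`) would keep the file consistent and give other layers a single place to override the include.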
diff --git a/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc b/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc
new file mode 100644
index 00000000..3784b3d1
--- /dev/null
+++ b/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc
@@ -0,0 +1,18 @@ 
+KERNEL_FEATURES += "cfg/efi-ext.scc"
+
+DEPENDS += "sbsigntool-native"
+
+do_compile:append() {
+    KERNEL_IMAGE=$(find "${B}" -name "${KERNEL_IMAGETYPE}" -print -quit)
+
+    "${STAGING_BINDIR_NATIVE}/sbsign" \
+        --key "${UEFI_SB_KEYS_DIR}/db.key" \
+        --cert "${UEFI_SB_KEYS_DIR}/db.crt" \
+        "${KERNEL_IMAGE}" \
+        --output "${KERNEL_IMAGETYPE}.signed"
+
+	install -m 0644 "${KERNEL_IMAGETYPE}.signed" "${KERNEL_IMAGE}"
+}
+
+RRECOMMENDS:${PN} += "kernel-module-efivarfs"
+RRECOMMENDS:${PN} += "kernel-module-efivars"
\ No newline at end of file
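Review bot: The signing step in `do_compile:append` does not check its inputs: if `find` matches nothing, `KERNEL_IMAGE` is empty and `sbsign` is called with an empty path, and `UEFI_SB_KEYS_DIR` (defined outside this patch) is used without confirming that `db.key` and `db.crt` are present. I would fail early with `bbfatal` in both cases and run `sbverify` against `db.crt` before the `install` overwrites the kernel image, so a mismatched key/certificate pair fails the build instead of producing an image that firmware rejects at boot; this assumes `sbsigntool-native` also stages `sbverify`. The key and certificate are not part of the task's inputs as far as this hunk shows, so a key rotation presumably does not re-run the signing; a `do_compile[file-checksums]` entry for the two files would cover that. The `install` line is indented with a tab while the rest of the function uses spaces.

```bitbake
do_compile:append() {
    KERNEL_IMAGE=$(find "${B}" -name "${KERNEL_IMAGETYPE}" -print -quit)
    if [ -z "${KERNEL_IMAGE}" ]; then
        bbfatal "No ${KERNEL_IMAGETYPE} found under ${B}; nothing to sign"
    fi
    for f in db.key db.crt; do
        [ -r "${UEFI_SB_KEYS_DIR}/$f" ] || bbfatal "Missing ${UEFI_SB_KEYS_DIR}/$f"
    done

    # ... unchanged: sbsign invocation writing ${KERNEL_IMAGETYPE}.signed ...

    # Confirm the signature validates against the db certificate before replacing the image
    "${STAGING_BINDIR_NATIVE}/sbverify" \
        --cert "${UEFI_SB_KEYS_DIR}/db.crt" \
        "${KERNEL_IMAGETYPE}.signed"

    install -m 0644 "${KERNEL_IMAGETYPE}.signed" "${KERNEL_IMAGE}"
```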