@@ -21,3 +21,5 @@ HOSTTOOLS_NONFATAL += "telnet"
addpylib ${LAYERDIR}/lib oeqa
WARN_QA:append:layer-meta-arm = " patch-status"
+
+UEFI_SB_KEYS_DIR ??= "${LAYERDIR}/uefi-sb-keys"
\ No newline at end of file
new file mode 100755
@@ -0,0 +1,35 @@
+#/bin/sh
+
+set -eux
+
+#Create PK
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout PK.key -out PK.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc PK.crt PK.esl
+sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
+
+#Create KEK
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout KEK.key -out KEK.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc KEK.crt KEK.esl
+sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
+
+#Create DB
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout db.key -out db.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc db.crt db.esl
+sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
+
+#Create DBX
+openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=Linaro_LEDGE/ -keyout dbx.key -out dbx.crt -nodes -days 3650
+cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc dbx.crt dbx.esl
+sign-efi-sig-list -c KEK.crt -k KEK.key dbx dbx.esl dbx.auth
+
+#Sign image
+#sbsign --key db.key --cert db.crt Image
+
+#Digest image
+#hash-to-efi-sig-list Image db_Image.hash
+#sign-efi-sig-list -c KEK.crt -k KEK.key db db_Image.hash db_Image.auth
+
+#Empty cert for testing
+touch noPK.esl
+sign-efi-sig-list -c PK.crt -k PK.key PK noPK.esl noPK.auth
+
UEFI_SB_KEYS_DIR saves UEFI keys path. To avoid security issues, UEFI keys are not provided and they can be generated by gen_uefi_keys.sh script. Signed-off-by: Javier Tia <javier.tia@linaro.org> --- meta-arm/conf/layer.conf | 2 ++ meta-arm/uefi-sb-keys/gen_uefi_keys.sh | 35 ++++++++++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh