MIRRORS/meta-intel
1
0
Fork 0
mirror of git://git.yoctoproject.org/meta-intel.git synced 2025-07-19 12:59:03 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

recipes: remove secureboot selftest and images

Browse Source 
This no longer works and is not maintained and tested.

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
This commit is contained in:
Anuj Mittal 2024-05-28 11:51:26 +08:00
parent b47467609d
commit f222ac31c5
15 changed files with 0 additions and 784 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

151
classes/uefi-comboapp.bbclass
View File

@ -1,151 +0,0 @@
# This class brings a more generic version of the UEFI combo app from refkit to meta-intel.
# It uses a combo file, containing kernel, initramfs and
# command line, presented to the BIOS as UEFI application, by prepending
# it with the efi stub obtained from systemd-boot.
# Don't add syslinux or build an ISO
PCBIOS:forcevariable = "0"
NOISO:forcevariable = "1"
# image-live.bbclass will default INITRD_LIVE to the image INITRD_IMAGE creates.
# We want behavior to be consistent whether or not "live" is in IMAGE_FSTYPES, so
# we default INITRD_LIVE to the INITRD_IMAGE as well.
INITRD_IMAGE ?= "core-image-minimal-initramfs"
INITRD_LIVE ?= " ${@ ('${DEPLOY_DIR_IMAGE}/' + d.getVar('INITRD_IMAGE', expand=True) + '-${MACHINE}.cpio.gz') if d.getVar('INITRD_IMAGE', True) else ''}"
do_uefiapp[depends] += " \
intel-microcode:do_deploy \
systemd-boot:do_deploy \
virtual/kernel:do_deploy \
"
# INITRD_IMAGE is added to INITRD_LIVE, which we use to create our initrd, so depend on it if it is set
do_uefiapp[depends] += "${@ '${INITRD_IMAGE}:do_image_complete' if d.getVar('INITRD_IMAGE') else ''}"
# The image does without traditional bootloader.
# In its place, instead, it uses a single UEFI executable binary, which is
# composed by:
# - an UEFI stub
# The linux kernel can generate a UEFI stub, however the one from systemd-boot can fetch
# the command line from a separate section of the EFI application, avoiding the need to
# rebuild the kernel.
# - the kernel
# - an initramfs (optional)
def create_uefiapp(d, uuid=None, app_suffix=''):
import glob, re
from subprocess import check_call
build_dir = d.getVar('B')
deploy_dir_image = d.getVar('DEPLOY_DIR_IMAGE')
image_link_name = d.getVar('IMAGE_LINK_NAME')
cmdline = '%s/cmdline.txt' % build_dir
linux = '%s/%s' % (deploy_dir_image, d.getVar('KERNEL_IMAGETYPE'))
initrd = '%s/initrd' % build_dir
stub_path = '%s/linux*.efi.stub' % deploy_dir_image
stub = glob.glob(stub_path)[0]
m = re.match(r"\S*(ia32|x64)(.efi)\S*", os.path.basename(stub))
app = "boot%s%s%s" % (m.group(1), app_suffix, m.group(2))
executable = '%s/%s.%s' % (deploy_dir_image, image_link_name, app)
if d.getVar('INITRD_LIVE'):
with open(initrd, 'wb') as dst:
for cpio in d.getVar('INITRD_LIVE').split():
with open(cpio, 'rb') as src:
dst.write(src.read())
initrd_cmd = "--add-section .initrd=%s --change-section-vma .initrd=0x3000000 " % initrd
else:
initrd_cmd = ""
root = 'root=PARTUUID=%s' % uuid if uuid else ''
with open(cmdline, 'w') as f:
f.write('%s %s' % (d.getVar('APPEND'), root))
objcopy_cmd = ("objcopy "
"--add-section .cmdline=%s --change-section-vma .cmdline=0x30000 "
"--add-section .linux=%s --change-section-vma .linux=0x40000 "
"%s %s %s") % \
(cmdline, linux, initrd_cmd, stub, executable)
check_call(objcopy_cmd, shell=True)
python create_uefiapps () {
# We must clean up anything that matches the expected output pattern, to ensure that
# the next steps do not accidentally use old files.
import glob
pattern = d.expand('${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.boot*.efi')
for old_efi in glob.glob(pattern):
os.unlink(old_efi)
uuid = d.getVar('DISK_SIGNATURE_UUID')
create_uefiapp(d, uuid=uuid)
}
# This is intentionally split into different parts. This way, derived
# classes or images can extend the individual parts. We can also use
# whatever language (shell script or Python) is more suitable.
python do_uefiapp() {
bb.build.exec_func('create_uefiapps', d)
}
do_uefiapp[vardeps] += "APPEND DISK_SIGNATURE_UUID INITRD_LIVE KERNEL_IMAGETYPE IMAGE_LINK_NAME"
uefiapp_deploy_at() {
dest=$1
for i in ${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.boot*.efi; do
target=`basename $i`
target=`echo $target | sed -e 's/${IMAGE_LINK_NAME}.//'`
cp --preserve=timestamps -r $i $dest/$target
done
}
fakeroot do_uefiapp_deploy() {
rm -rf ${IMAGE_ROOTFS}/boot/*
dest=${IMAGE_ROOTFS}/boot/EFI/BOOT
mkdir -p $dest
uefiapp_deploy_at $dest
}
do_uefiapp_deploy[depends] += "${PN}:do_uefiapp virtual/fakeroot-native:do_populate_sysroot"
# This decides when/how we add our tasks to the image
python () {
image_fstypes = d.getVar('IMAGE_FSTYPES', True)
initramfs_fstypes = d.getVar('INITRAMFS_FSTYPES', True)
# Don't add any of these tasks to initramfs images
if initramfs_fstypes not in image_fstypes:
bb.build.addtask('uefiapp', 'do_image', 'do_rootfs', d)
bb.build.addtask('uefiapp_deploy', 'do_image', 'do_rootfs', d)
}
SIGN_AFTER ?= "do_uefiapp"
SIGN_BEFORE ?= "do_uefiapp_deploy"
SIGNING_DIR ?= "${DEPLOY_DIR_IMAGE}"
SIGNING_BINARIES ?= "${IMAGE_LINK_NAME}.boot*.efi"
inherit uefi-sign
# Legacy hddimg support below this line
efi_hddimg_populate() {
uefiapp_deploy_at "$1"
}
build_efi_cfg() {
# The command line is built into the combo app, so this is a null op
:
}
populate_kernel:append() {
# The kernel and initrd are built into the app, so we don't need these
if [ -f $dest/initrd ]; then
rm $dest/initrd
fi
if [ -f $dest/vmlinuz ]; then
rm $dest/vmlinuz
fi
}
IMAGE_FEATURES[validitems] += "secureboot"

50
classes/uefi-sign.bbclass
View File

@ -1,50 +0,0 @@
# By default, sign all .efi binaries in ${B} after compiling and before deploying
SIGNING_DIR ?= "${B}"
SIGNING_BINARIES ?= "*.efi"
SIGN_AFTER ?= "do_compile"
SIGN_BEFORE ?= "do_deploy"
python () {
import os
import hashlib
# Ensure that if the signing key or cert change, we rerun the uefiapp process
if bb.utils.contains('IMAGE_FEATURES', 'secureboot', True, False, d):
for varname in ('SECURE_BOOT_SIGNING_CERT', 'SECURE_BOOT_SIGNING_KEY'):
filename = d.getVar(varname)
if filename is None:
bb.fatal('%s is not set.' % varname)
if not os.path.isfile(filename):
bb.fatal('%s=%s is not a file.' % (varname, filename))
with open(filename, 'rb') as f:
data = f.read()
hash = hashlib.sha256(data).hexdigest()
d.setVar('%s_HASH' % varname, hash)
# Must reparse and thus rehash on file changes.
bb.parse.mark_dependency(d, filename)
bb.build.addtask('uefi_sign', d.getVar('SIGN_BEFORE'), d.getVar('SIGN_AFTER'), d)
# Original binary needs to be regenerated if the hash changes since we overwrite it
# SIGN_AFTER isn't necessarily when it gets generated, but its our best guess
d.appendVarFlag(d.getVar('SIGN_AFTER'), 'vardeps', 'SECURE_BOOT_SIGNING_CERT_HASH SECURE_BOOT_SIGNING_KEY_HASH')
}
do_uefi_sign() {
if [ -f ${SECURE_BOOT_SIGNING_KEY} ] && [ -f ${SECURE_BOOT_SIGNING_CERT} ]; then
for i in `find ${SIGNING_DIR}/ -name '${SIGNING_BINARIES}'`; do
sbsign --key ${SECURE_BOOT_SIGNING_KEY} --cert ${SECURE_BOOT_SIGNING_CERT} $i
sbverify --cert ${SECURE_BOOT_SIGNING_CERT} $i.signed
mv $i.signed $i
done
fi
}
do_uefi_sign[depends] += "sbsigntool-native:do_populate_sysroot"
do_uefi_sign[vardeps] += "SECURE_BOOT_SIGNING_CERT_HASH \
SECURE_BOOT_SIGNING_KEY_HASH \
SIGNING_BINARIES SIGNING_DIR \
SIGN_BEFORE SIGN_AFTER \
"

4
conf/include/maintainers.inc
View File

@ -46,10 +46,6 @@ RECIPE_MAINTAINER:pn-openvino-inference-engine = "Anuj Mittal <anuj.mittal@intel
RECIPE_MAINTAINER:pn-openvino-model-optimizer = "Anuj Mittal <anuj.mittal@intel.com>"
RECIPE_MAINTAINER:pn-openvkl = "Naveen Saini <naveen.kumar.saini@intel.com>"
RECIPE_MAINTAINER:pn-ospray = "Naveen Saini <naveen.kumar.saini@intel.com>"
RECIPE_MAINTAINER:pn-ovmf-shell-image-enrollkeys = "Naveen Saini <naveen.kumar.saini@intel.com>"
RECIPE_MAINTAINER:pn-rkcommon = "Naveen Saini <naveen.kumar.saini@intel.com>"
RECIPE_MAINTAINER:pn-sbsigntool-native = "Anuj Mittal <anuj.mittal@intel.com>"
RECIPE_MAINTAINER:pn-secureboot-selftest-image-signed = "Anuj Mittal <anuj.mittal@intel.com>"
RECIPE_MAINTAINER:pn-secureboot-selftest-image-unsigned = "Anuj Mittal <anuj.mittal@intel.com>"
RECIPE_MAINTAINER:pn-thermald = "Anuj Mittal <anuj.mittal@intel.com>"
RECIPE_MAINTAINER:pn-xf86-video-ast = "Anuj Mittal <anuj.mittal@intel.com>"

176
lib/oeqa/selftest/cases/secureboot.py
View File

@ -1,176 +0,0 @@
#!/usr/bin/env python
# ex:ts=4:sw=4:sts=4:et
# -*- tab-width: 4; c-basic-offset: 4; indent-tabs-mode: nil -*-
#
# Copyright (c) 2017, Intel Corporation.
# All rights reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# AUTHORS
# Mikko Ylinen <mikko.ylinen@linux.intel.com>
#
# Based on meta/lib/oeqa/selftest/* and meta-refkit/lib/oeqa/selftest/*
"""Test cases for secure boot with QEMU running OVMF."""
import os
import unittest
import re
import glob
from shutil import rmtree, copy
from oeqa.core.decorator.depends import OETestDepends
from oeqa.selftest.case import OESelftestTestCase
from oeqa.utils.commands import runCmd, bitbake, get_bb_var, get_bb_vars, runqemu
class SecureBootTests(OESelftestTestCase):
"""Secure Boot test class."""
ovmf_keys_enrolled = False
ovmf_qemuparams = ''
ovmf_dir = ''
test_image_unsigned = 'secureboot-selftest-image-unsigned'
test_image_signed = 'secureboot-selftest-image-signed'
correct_key = 'refkit-db'
incorrect_key = 'incorrect'
@classmethod
def setUpLocal(self):
if not SecureBootTests.ovmf_keys_enrolled:
bitbake('ovmf ovmf-shell-image-enrollkeys', output_log=self.logger)
bb_vars = get_bb_vars(['TMPDIR', 'DEPLOY_DIR_IMAGE'])
SecureBootTests.ovmf_dir = os.path.join(bb_vars['TMPDIR'], 'oeselftest', 'secureboot', 'ovmf')
bb.utils.mkdirhier(SecureBootTests.ovmf_dir)
# Copy (all) OVMF in a temporary location
for src in glob.glob('%s/ovmf.*' % bb_vars['DEPLOY_DIR_IMAGE']):
copy(src, SecureBootTests.ovmf_dir)
SecureBootTests.ovmf_qemuparams = '-drive if=pflash,format=qcow2,file=%s/ovmf.secboot.qcow2' % SecureBootTests.ovmf_dir
cmd = ("runqemu "
"qemuparams='%s' "
"ovmf-shell-image-enrollkeys wic intel-corei7-64 "
"nographic slirp") % SecureBootTests.ovmf_qemuparams
print('Running "%s"' % cmd)
status = runCmd(cmd)
if not re.search('info: success', status.output, re.M):
self.fail('Failed to enroll keys. EFI shell log:\n%s' % status.output)
else:
# keys enrolled in ovmf.secboot.vars
SecureBootTests.ovmf_keys_enrolled = True
@classmethod
def tearDownLocal(self):
# Seems this is mandatory between the tests (a signed image is booted
# when running test_boot_unsigned_image after test_boot_signed_image).
# bitbake('-c clean %s' % test_image, output_log=self.logger)
#
# Whatever the problem was, it no longer seems to be necessary, so
# we can skip the time-consuming clean + full rebuild (5:04 min instead
# of 6:55min here).
pass
@classmethod
def tearDownClass(self):
bitbake('ovmf-shell-image-enrollkeys:do_cleanall', output_log=self.logger)
rmtree(self.ovmf_dir, ignore_errors=True)
def secureboot_with_image(self, boot_timeout=300, signing_key=None):
"""Boot the image with UEFI SecureBoot enabled and see the result. """
config = ""
if signing_key:
test_image = self.test_image_signed
config += 'SECURE_BOOT_SIGNING_KEY = "${THISDIR}/files/%s.key"\n' % signing_key
config += 'SECURE_BOOT_SIGNING_CERT = "${THISDIR}/files/%s.crt"\n' % signing_key
else:
test_image = self.test_image_unsigned
self.write_config(config)
bitbake(test_image, output_log=self.logger)
self.remove_config(config)
# Some of the cases depend on the timeout to expire. Allow overrides
# so that we don't have to wait 1000s which is the default.
overrides = {
'TEST_QEMUBOOT_TIMEOUT': boot_timeout,
}
print('Booting %s' % test_image)
try:
with runqemu(test_image, ssh=False,
runqemuparams='nographic slirp',
qemuparams=self.ovmf_qemuparams,
overrides=overrides,
image_fstype='wic') as qemu:
cmd = 'uname -a'
status, output = qemu.run_serial(cmd)
self.assertTrue(status, 'Could not run \'uname -a\' (status=%s):\n%s' % (status, output))
# if we got this far without a correctly signed image, something went wrong
if signing_key != self.correct_key:
self.fail('The image not give a Security violation when expected. Boot log:\n%s' % output)
except Exception:
# Currently runqemu() fails if 'login:' prompt is not seen and it's
# not possible to login as 'root'. Those conditions aren't met when
# booting to EFI shell (See [YOCTO #11438]). We catch the failure
# and parse the boot log to determine the success. Note: the
# timeout triggers verbose bb.error() but that's normal with some
# of the test cases.
workdir = get_bb_var('WORKDIR', test_image)
bootlog = "%s/testimage/qemu_boot_log" % workdir
with open(bootlog, "r") as log:
# This isn't right but all we can do at this point. The right
# approach would run commands in the EFI shell to determine
# the BIOS rejects unsigned and/or images signed with keys in
# dbx key store but that needs changes in oeqa framework.
output = log.read()
# PASS if we see a security violation on unsigned or incorrectly signed images, otherwise fail
if signing_key == self.correct_key:
self.fail('Correctly signed image failed to boot. Boot log:\n%s' % output)
elif not re.search('Security Violation', output):
self.fail('The image not give a Security violation when expected. Boot log:\n%s' % output)
def test_boot_unsigned_image(self):
""" Boot unsigned image with secureboot enabled in UEFI."""
self.secureboot_with_image(boot_timeout=120, signing_key=None)
@OETestDepends(['secureboot.SecureBootTests.test_boot_unsigned_image'])
def test_boot_incorrectly_signed_image(self):
""" Boot (correctly) signed image with secureboot enabled in UEFI."""
self.secureboot_with_image(boot_timeout=120, signing_key=self.incorrect_key)
@OETestDepends(['secureboot.SecureBootTests.test_boot_incorrectly_signed_image'])
def test_boot_correctly_signed_image(self):
""" Boot (correctly) signed image with secureboot enabled in UEFI."""
self.secureboot_with_image(boot_timeout=150, signing_key=self.correct_key)

129
recipes-core/ovmf/files/0001-ovmf-RefkitTestCA-TEST-UEFI-SecureBoot.patch
View File

@ -1,129 +0,0 @@
From b2099e7184d48a6d05c8713b6fd5dac0e2e70963 Mon Sep 17 00:00:00 2001
From: Mikko Ylinen <mikko.ylinen@linux.intel.com>
Date: Wed, 2 Mar 2022 10:55:35 +0800
Subject: [PATCH] ovmf: RefkitTestCA: TEST UEFI SecureBoot
This patch adds refkit-db.cer (via xxd -i) in OVMF's db
signature database when used with EnrollDefaultKeys EFI
application. It's used for testing purposes only.
Images signed with refkit-db keys are allowed to boot.
Upstream-Status: Inappropriate
Signed-off-by: Mikko Ylinen <mikko.ylinen@linux.intel.com>
Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
---
OvmfPkg/EnrollDefaultKeys/AuthData.c | 69 +++++++++++++++++++
OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c | 3 +
OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h | 2 +
3 files changed, 74 insertions(+)
diff --git a/OvmfPkg/EnrollDefaultKeys/AuthData.c b/OvmfPkg/EnrollDefaultKeys/AuthData.c
index 53ee7f7003..127131cd05 100644
--- a/OvmfPkg/EnrollDefaultKeys/AuthData.c
+++ b/OvmfPkg/EnrollDefaultKeys/AuthData.c
@@ -395,6 +395,75 @@ CONST UINT8 mMicrosoftUefiCa[] = {
CONST UINTN mSizeOfMicrosoftUefiCa = sizeof mMicrosoftUefiCa;
+CONST UINT8 mRefkitTestCA[] = {
+ 0x30, 0x82, 0x02, 0xfb, 0x30, 0x82, 0x01, 0xe3, 0xa0, 0x03, 0x02, 0x01,
+ 0x02, 0x02, 0x09, 0x00, 0xd4, 0xf6, 0x48, 0xc2, 0x68, 0x19, 0x91, 0xac,
+ 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
+ 0x0b, 0x05, 0x00, 0x30, 0x14, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55,
+ 0x04, 0x03, 0x0c, 0x09, 0x72, 0x65, 0x66, 0x6b, 0x69, 0x74, 0x2d, 0x64,
+ 0x62, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x37, 0x30, 0x34, 0x32, 0x30, 0x31,
+ 0x32, 0x30, 0x36, 0x33, 0x32, 0x5a, 0x17, 0x0d, 0x31, 0x38, 0x30, 0x34,
+ 0x32, 0x30, 0x31, 0x32, 0x30, 0x36, 0x33, 0x32, 0x5a, 0x30, 0x14, 0x31,
+ 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x09, 0x72, 0x65,
+ 0x66, 0x6b, 0x69, 0x74, 0x2d, 0x64, 0x62, 0x30, 0x82, 0x01, 0x22, 0x30,
+ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
+ 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02,
+ 0x82, 0x01, 0x01, 0x00, 0xb4, 0x1c, 0x22, 0xa6, 0x22, 0x01, 0x57, 0xcd,
+ 0xf1, 0x4f, 0xaf, 0x72, 0xe3, 0xd9, 0x01, 0x80, 0x50, 0x55, 0xef, 0x02,
+ 0x5e, 0xeb, 0x99, 0x35, 0xcb, 0x7f, 0x2a, 0x79, 0xff, 0xb5, 0x3e, 0xec,
+ 0x5d, 0x92, 0x06, 0x30, 0x20, 0xe7, 0x95, 0xad, 0xa4, 0x84, 0x2e, 0x3f,
+ 0xfa, 0xd7, 0x46, 0xdd, 0x49, 0xa8, 0xe8, 0xe3, 0x79, 0x49, 0xf6, 0x8f,
+ 0x0b, 0x1d, 0xfe, 0x63, 0xa8, 0xd1, 0x63, 0xa3, 0xd6, 0x0d, 0x4e, 0x6c,
+ 0x66, 0x5c, 0xd6, 0x66, 0x26, 0xd1, 0x26, 0x98, 0xd4, 0x4f, 0x76, 0xc9,
+ 0x65, 0x48, 0x58, 0x13, 0x08, 0x31, 0xbc, 0xe5, 0x47, 0x25, 0x65, 0x95,
+ 0x39, 0x89, 0x5f, 0x02, 0xf1, 0xc5, 0x06, 0x17, 0x58, 0xca, 0x09, 0xfd,
+ 0xf6, 0x1e, 0xc5, 0x97, 0xda, 0xa3, 0x4e, 0x1a, 0x48, 0xbe, 0xcf, 0x96,
+ 0x27, 0x04, 0x4b, 0xb7, 0x6d, 0x67, 0xb6, 0x50, 0x18, 0x04, 0x73, 0x51,
+ 0xd2, 0x6a, 0x2d, 0xdf, 0x3b, 0xab, 0xf2, 0x2d, 0x95, 0xd7, 0xa8, 0xb8,
+ 0xa8, 0x30, 0xa1, 0xab, 0x8b, 0x92, 0x2b, 0x60, 0x3e, 0x3a, 0xe5, 0x86,
+ 0x40, 0x71, 0xc1, 0x3f, 0x2d, 0x2e, 0x90, 0xe7, 0xd6, 0xec, 0xcc, 0xc2,
+ 0x0b, 0x79, 0x83, 0x71, 0x6d, 0xf6, 0xa3, 0xa9, 0x4c, 0xcd, 0x46, 0x81,
+ 0xdc, 0xef, 0xec, 0x51, 0xbe, 0x81, 0x2a, 0xf1, 0x78, 0x73, 0x41, 0xdb,
+ 0x54, 0xce, 0x7c, 0xce, 0xa2, 0xe3, 0x90, 0x4f, 0x45, 0x1a, 0xf9, 0x3d,
+ 0x88, 0xfc, 0x0e, 0xed, 0xd3, 0x69, 0x22, 0x4c, 0xfa, 0x0a, 0x69, 0xd1,
+ 0x48, 0xc0, 0xaa, 0xa9, 0x3a, 0xb3, 0x8f, 0x10, 0x3a, 0x76, 0xa8, 0x0c,
+ 0x7a, 0x3d, 0xd8, 0x79, 0xce, 0x1c, 0x96, 0x62, 0xf4, 0x06, 0xee, 0x47,
+ 0xe8, 0xe0, 0x69, 0x91, 0xae, 0xea, 0x34, 0xcf, 0xda, 0xa8, 0xb4, 0x39,
+ 0x5e, 0xf3, 0x7a, 0xd0, 0x88, 0x48, 0x47, 0x69, 0x02, 0x03, 0x01, 0x00,
+ 0x01, 0xa3, 0x50, 0x30, 0x4e, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e,
+ 0x04, 0x16, 0x04, 0x14, 0x68, 0x60, 0x11, 0x25, 0x85, 0x14, 0x78, 0x1b,
+ 0x1a, 0x9f, 0x46, 0x12, 0xe6, 0x21, 0xe4, 0xef, 0xfb, 0x3b, 0xaa, 0xdd,
+ 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80,
+ 0x14, 0x68, 0x60, 0x11, 0x25, 0x85, 0x14, 0x78, 0x1b, 0x1a, 0x9f, 0x46,
+ 0x12, 0xe6, 0x21, 0xe4, 0xef, 0xfb, 0x3b, 0xaa, 0xdd, 0x30, 0x0c, 0x06,
+ 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30,
+ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b,
+ 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x8f, 0xd2, 0x84, 0x7c, 0x43,
+ 0x47, 0xca, 0x6b, 0xfd, 0x87, 0x83, 0xd0, 0xef, 0x75, 0xd3, 0x20, 0x52,
+ 0x73, 0x18, 0xaa, 0x32, 0x71, 0xfb, 0xa5, 0xf4, 0xc9, 0x11, 0xa3, 0x68,
+ 0x4d, 0xb7, 0x9d, 0xe6, 0xd9, 0x46, 0x24, 0xdc, 0xc7, 0xc2, 0x3b, 0xf9,
+ 0xb0, 0x98, 0xfc, 0xee, 0x34, 0x6e, 0x10, 0x9b, 0x3d, 0x44, 0x6e, 0x33,
+ 0x09, 0x11, 0xb8, 0x29, 0xd6, 0x2d, 0x06, 0xcf, 0x67, 0x8f, 0x96, 0x85,
+ 0x9d, 0x63, 0x72, 0xbf, 0x64, 0x5f, 0x0d, 0xe3, 0xc9, 0x63, 0x19, 0x71,
+ 0xd4, 0x7d, 0x4c, 0x9c, 0x77, 0x46, 0xda, 0x20, 0x97, 0x6d, 0xbc, 0xdd,
+ 0xc2, 0x1f, 0xf3, 0x40, 0x38, 0x1e, 0xe7, 0xcc, 0x55, 0x05, 0x72, 0xba,
+ 0x24, 0x4f, 0xb3, 0x8a, 0x93, 0x0c, 0x30, 0x60, 0xda, 0x9f, 0x6f, 0x35,
+ 0xf6, 0xfb, 0xb0, 0x1f, 0xb3, 0x00, 0xdd, 0xc4, 0xa6, 0xbc, 0xe2, 0x37,
+ 0xc1, 0xa3, 0xef, 0xd9, 0xa1, 0x86, 0xf9, 0xeb, 0xa4, 0xa5, 0x45, 0x38,
+ 0xff, 0x4e, 0x87, 0x4a, 0x41, 0xcf, 0x6e, 0x69, 0x7e, 0x97, 0xbe, 0x2d,
+ 0x22, 0xbc, 0x8d, 0xa0, 0x1a, 0x21, 0x8f, 0x4b, 0x72, 0x90, 0x01, 0x5c,
+ 0xba, 0xa5, 0x9c, 0x2d, 0xd7, 0x25, 0x24, 0xfc, 0xff, 0x5c, 0x58, 0x14,
+ 0x46, 0x30, 0x09, 0x7c, 0x55, 0x64, 0x83, 0x0b, 0xb9, 0xdf, 0xcf, 0x25,
+ 0xee, 0xec, 0xf7, 0xcb, 0xdb, 0xd1, 0x5b, 0x93, 0x93, 0xc8, 0x8a, 0x10,
+ 0x46, 0xb8, 0xb0, 0x35, 0x1c, 0x6c, 0x0d, 0x8f, 0x03, 0x6a, 0x8f, 0x1b,
+ 0x36, 0x68, 0xf3, 0x53, 0x89, 0x36, 0x5b, 0x21, 0x80, 0xde, 0xe3, 0x92,
+ 0x52, 0x94, 0x97, 0x9d, 0x49, 0x89, 0x7d, 0x3e, 0xde, 0x29, 0x51, 0xba,
+ 0x11, 0xf7, 0xba, 0x01, 0xf7, 0xab, 0xea, 0xc1, 0xa7, 0x2e, 0xa3, 0x4d,
+ 0x65, 0xfd, 0x40, 0x71, 0xf1, 0xe2, 0x3f, 0x6c, 0x28, 0xcb, 0xd3
+};
+
+CONST UINTN mSizeOfRefkitTestCA = sizeof mRefkitTestCA;
+
//
// The Microsoft.UefiSecureBootLogo.Tests.OutOfBoxConfirmDBXisPresent test case
// of the Secure Boot Logo Test in the Microsoft Hardware Certification Kit
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
index 094e4c821b..0a7eef54dc 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.c
@@ -702,6 +702,9 @@ ShellAppMain (
mMicrosoftUefiCa,
mSizeOfMicrosoftUefiCa,
&gMicrosoftVendorGuid,
+ mRefkitTestCA,
+ mSizeOfRefkitTestCA,
+ &gEfiCallerIdGuid,
NULL
);
}
diff --git a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
index 56da9c71d6..8de1dfe4e0 100644
--- a/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
+++ b/OvmfPkg/EnrollDefaultKeys/EnrollDefaultKeys.h
@@ -133,4 +133,6 @@ extern CONST UINTN mSizeOfMicrosoftUefiCa;
extern CONST UINT8 mSha256OfDevNull[];
extern CONST UINTN mSizeOfSha256OfDevNull;
+extern CONST UINT8 mRefkitTestCA[];
+extern CONST UINTN mSizeOfRefkitTestCA;
#endif /* ENROLL_DEFAULT_KEYS_H_ */
--
2.17.1

13
recipes-core/ovmf/ovmf-shell-image-enrollkeys.bb
View File

@ -1,13 +0,0 @@
require recipes-core/ovmf/ovmf-shell-image.bb
WKS_SEARCH_PATH:append = ":${COREBASE}/meta/recipes-core/ovmf"
QB_DRIVE_TYPE = "/dev/vd"
do_image:append() {
cat > ${IMAGE_ROOTFS}/startup.nsh << EOF
EnrollDefaultKeys
reset
EOF
}

6
recipes-core/ovmf/ovmf_%.bbappend
View File

@ -1,6 +0,0 @@
FILESEXTRAPATHS:prepend:intel-x86-common := "${THISDIR}/files:"
SRC_URI:append:intel-x86-common = " \
file://0001-ovmf-RefkitTestCA-TEST-UEFI-SecureBoot.patch \
"
PACKAGECONFIG:append:intel-x86-common = " secureboot"

19
recipes-selftest/images/files/incorrect.crt
View File

@ -1,19 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDCTCCAfGgAwIBAgIJAIYXAHv3cQNjMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV
BAMMEFRlc3QgWW9jdG8gdGhpbmcwHhcNMTcwMTI1MjI1MjI3WhcNMTgwMTI1MjI1
MjI3WjAbMRkwFwYDVQQDDBBUZXN0IFlvY3RvIHRoaW5nMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAukI2ioMeL8qaXxMtryonAT51w+Zre0wB8bDBPuXD
SwDVXNWfiKKTfCVEkLEUnsUEd7jiKswCT5orTwCD7aQK0mTrkAWEi8hEI3MkNoeh
T51gkuTfv7A/HgPkhhlU4UQqipI6XoLf7o7PUV33ZfB43//iKY2kLBdsFvs4ALWE
31hLOkCFb+nqMnfZxq7DgvBwIdxJdLQvaskpDMfkna+zE3QWqkH5v55atW8Bunwk
/6q5kqNhyrjZb4i0BqJ5AHFUEQzlDcjpyFVUtR14r0IxjBFMHZXrx4uLe7KvGf/4
GqpqeFOPqxMsfC5ILJJ7nvwFViqftGgtWg/12bKMTB5saQIDAQABo1AwTjAdBgNV
HQ4EFgQURA8KbgpiGfS2+7MT0H5AvpxeYLowHwYDVR0jBBgwFoAURA8KbgpiGfS2
+7MT0H5AvpxeYLowDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAK9n+
9T+hlM2kEpsUgtyihEJbGHzbw+Pj11b0ICntCVuPKewtBMveYp8lejrQwMFNGRMt
ZQe1LFb9HcLeM3MLUz9Lm4BJIjkey3Jfq1AskROYk/bJnFIJIx6P3U9gBa20P46X
LH3g6yub1HR7KZC9nfBsak3FPoJR/SYTJs0HsMeL4878+2IbETA4BL0kbKW48FFW
jF4f6don0eiaF8b4KkfbWKrCaEm+LMxbyBEQ6fIb1cmGY8A9A5houjmgi6YWSkoi
SLpOC9TZ2R51fO9rRsv7XwLK0V9o9YaEYPBg6V/TeJl5nxAZBeVTKVTQbBGZY+l2
nzN0pKsl7RXLf3SRYA==
-----END CERTIFICATE-----

27
recipes-selftest/images/files/incorrect.key
View File

@ -1,27 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAukI2ioMeL8qaXxMtryonAT51w+Zre0wB8bDBPuXDSwDVXNWf
iKKTfCVEkLEUnsUEd7jiKswCT5orTwCD7aQK0mTrkAWEi8hEI3MkNoehT51gkuTf
v7A/HgPkhhlU4UQqipI6XoLf7o7PUV33ZfB43//iKY2kLBdsFvs4ALWE31hLOkCF
b+nqMnfZxq7DgvBwIdxJdLQvaskpDMfkna+zE3QWqkH5v55atW8Bunwk/6q5kqNh
yrjZb4i0BqJ5AHFUEQzlDcjpyFVUtR14r0IxjBFMHZXrx4uLe7KvGf/4GqpqeFOP
qxMsfC5ILJJ7nvwFViqftGgtWg/12bKMTB5saQIDAQABAoIBAQCEtAox86s9N6d2
164z3998Zmj3UyL+7K9x6JI2YvMabBSYGOeaLOLRj6fjQxdC63H8brBM958p4di7
Z82XMco4Dok6yoOeJ+hMLYv+gfGvTJxy7DhyVXsSwok99axg9vUsV3TYw3wSdpNF
EKLkcUldpu0W2ADBHUr4sLI85xctHH3Kt0sNDzhgADFa5rDYACXTKHtFOhEqBIwN
FmbuRQirnErUkI3Pczgl2Xy1MlaozH9CB+bLAb5q2FYu4DKgjl4UorC+w2HV41KH
XoL7L36XXqLRHBfEAwOWb8yro+TK8T7gW7aagTI1wgsbbQkjQmOHxclmJACdMOiJ
DjPeR0GBAoGBAO7i2eaEoKa9QlKokN+93uOJD/F6DBi6jF0vGOqWlF8AVTj3kGL3
X8fY/avrSlg7hKZWdei+Q5PyZViKxqmHjq781ZisKck52Tqz4s7ylqRXSgStinZr
UqrkShCqZ3g1W91gIeVPQz0/b+gBskoHzQ5WQHfV5v9S1PaxjzcYtCrRAoGBAMea
LcA2jjuEjqxa5v5fh8ygcHasJMRKJxW1OCKiQ94DjjzPsdVqZ1sJZChLW/N3nxe7
wHlNJmsGbJ2w1zD5+qkkPjLq5Q4B5KAd62NNrWaEHFdEc/PPkn4xP7Zkfuu5K+m2
7z/MF4ibvVh9PvD3HY8FWKEtkqB4rfD8AoUOVd4ZAoGAXxXAsfa8k2Hl0kzyTXyg
CWV3CSERS46FbFngyw9gw2e4hFJWEG5ym3ONlS60iuY16JelmxyQfYUQPewPI0+n
xZMx2fE9OLFj+++6KbF5sLRl6/K/mF8jqo3vxS5uvPRQOo+XLlUcaHalrm1ub/Um
87v1MT3dEmgACKmoXb/hhuECgYAZluiapePiOYJZEmZe4jx0vXTtofAswhz0qYEC
3663vdj0buQrqjKJ91BB4jdtpT5eOpHYe02blv1B0jQkcUfze1QGDxtCineXF37g
Aktiwzkm7v22mjv7tbCnX4buDZVVp0BQ+4dg2iaSO6xgFC5T8amFMGSF8jLKnGRu
ToIvsQKBgADBTse2vnI85NRsYq48ztQuIU2zlGXIAcoPSvGb8Vhty/joc0jWcI5P
raGXBARbuVlcEapK3mDRfO0CQjDaTPK4EYYJwGp8k33Hkkcbgs4kfm308jRsclMr
YeMwQsYyOv45x4iPCwrqZEhpPDvACBi7DB6QvZ0++vJbobTt1jyi
-----END RSA PRIVATE KEY-----

18
recipes-selftest/images/files/refkit-db.crt
View File

@ -1,18 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIC+zCCAeOgAwIBAgIJANT2SMJoGZGsMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV
BAMMCXJlZmtpdC1kYjAeFw0xNzA0MjAxMjA2MzJaFw0xODA0MjAxMjA2MzJaMBQx
EjAQBgNVBAMMCXJlZmtpdC1kYjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBALQcIqYiAVfN8U+vcuPZAYBQVe8CXuuZNct/Knn/tT7sXZIGMCDnla2khC4/
+tdG3Umo6ON5SfaPCx3+Y6jRY6PWDU5sZlzWZibRJpjUT3bJZUhYEwgxvOVHJWWV
OYlfAvHFBhdYygn99h7Fl9qjThpIvs+WJwRLt21ntlAYBHNR0mot3zur8i2V16i4
qDChq4uSK2A+OuWGQHHBPy0ukOfW7MzCC3mDcW32o6lMzUaB3O/sUb6BKvF4c0Hb
VM58zqLjkE9FGvk9iPwO7dNpIkz6CmnRSMCqqTqzjxA6dqgMej3Yec4clmL0Bu5H
6OBpka7qNM/aqLQ5XvN60IhIR2kCAwEAAaNQME4wHQYDVR0OBBYEFGhgESWFFHgb
Gp9GEuYh5O/7O6rdMB8GA1UdIwQYMBaAFGhgESWFFHgbGp9GEuYh5O/7O6rdMAwG
A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAI/ShHxDR8pr/YeD0O910yBS
cxiqMnH7pfTJEaNoTbed5tlGJNzHwjv5sJj87jRuEJs9RG4zCRG4KdYtBs9nj5aF
nWNyv2RfDePJYxlx1H1MnHdG2iCXbbzdwh/zQDge58xVBXK6JE+zipMMMGDan281
9vuwH7MA3cSmvOI3waPv2aGG+eukpUU4/06HSkHPbml+l74tIryNoBohj0tykAFc
uqWcLdclJPz/XFgURjAJfFVkgwu5388l7uz3y9vRW5OTyIoQRriwNRxsDY8Dao8b
NmjzU4k2WyGA3uOSUpSXnUmJfT7eKVG6Efe6Afer6sGnLqNNZf1AcfHiP2woy9M=
-----END CERTIFICATE-----

28
recipes-selftest/images/files/refkit-db.key
View File

@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC0HCKmIgFXzfFP
r3Lj2QGAUFXvAl7rmTXLfyp5/7U+7F2SBjAg55WtpIQuP/rXRt1JqOjjeUn2jwsd
/mOo0WOj1g1ObGZc1mYm0SaY1E92yWVIWBMIMbzlRyVllTmJXwLxxQYXWMoJ/fYe
xZfao04aSL7PlicES7dtZ7ZQGARzUdJqLd87q/ItldeouKgwoauLkitgPjrlhkBx
wT8tLpDn1uzMwgt5g3Ft9qOpTM1Ggdzv7FG+gSrxeHNB21TOfM6i45BPRRr5PYj8
Du3TaSJM+gpp0UjAqqk6s48QOnaoDHo92HnOHJZi9AbuR+jgaZGu6jTP2qi0OV7z
etCISEdpAgMBAAECggEAbtXplKbUgL4hQ9JKN2Cxhc7qMv0YgI92BVaqQw1S8ffu
1Q+tynH5MDRPi06gBJ59SvkA6AsZsvrv8nM7zQWd9ZKh+aLHk1X04upOgDoW9JiX
FV/txlslTUrs/ohIMfsgCrweNXvUSTXZobIi8s8QHyipE4HpXMFjjZYHIV7GTlgA
PRgGu3NygbWfR8hcx5JtzVz/jka7FFFSbk/pMr0TeJHXP55VfqWLeeSBQmWwooj2
QcRfqMXgLKgu6uEggaP5HMcfTuWgWNhbke/596CgsUtQ5Gg64Q6v7cKcPy0/lgn1
PnvfT9uhgEFDLNFkSBxV3ImrNYo73Nqmbp3w5tK9SQKBgQDs/HW7pNnB0LD51qok
pkX0SBvyKxDT1QuU4z0FY9GT7OKOg8Xa0ZGyErt+ZbyFiyUGF5Axc3rJ3DyGslgu
5O+AqcpCQOlOyovGQ6ST9x/gEeVcRnZn1MV4vMxwaOSXtY7u0IGyaDlFn1QWHWCN
imv8OR6YuhivwBIXGzJ16oEqDwKBgQDCj3ls7tlPrLvUQIh8gfjCoInU8fRAqtAe
Ab/OximLsKQPKLDma6xd+X2Fk8Dowdb88GNT99x3VZjHqVJM9URDkiOGKAXA/rBp
jAXhnQwahT8YCzOUHqDYNMMQrXHvbiHqLodGrrO2WjYNmH69prQAk8WYAIwl+hdx
BS70LGLPBwKBgQDU9RinAkBcFjiyieBjBreeCJ50Q5bfhHbf2EOhcE2IbDo6bteB
Bwmxx3uM3cdHCf6/NrVweqFAfBQ3xlPP8BH4wJrsZoBBOWnZRDfEbzHJnMtK3FbS
fzTkhmQAL4Ibgh9rIxspQtcUZVSees+k4VqgUIPaIoDEjgizktEJfS2MqQKBgQDA
rOFtVaRz2PYyHq6LzxMRe3bEIdDn8cEk1kqjdW9TXV07feqiZmNOtXLvRAG4/63u
1Akp8L6ul2Az6qUMfaBa4nC3vQ7lr9P40qhIZATGhsqS/xTXTPWw55999qZsnL6N
cgKZpw1mOzRohmqNWnfMUotOGsywF1n7nUyAlyxLJQKBgElTaNTFYF3MbGfhl1He
fnDXlf8OCOK1i5oIzMLqverb2UN/qp6p0b3SAtcw5cUXcaPlajHrfYgacF/0Qyua
Cerey9GLEdJ7saDWhz0GyJ8yyEXy8CVs0svVaLPWI0s2B7/obzP9+gTb/WE9qZqu
bNoVEpJ/wZhk+IL4+KPmqphu
-----END PRIVATE KEY-----

6
recipes-selftest/images/secureboot-selftest-image-signed.bb
View File

@ -1,6 +0,0 @@
require secureboot-selftest-image-unsigned.bb
IMAGE_FEATURES += "secureboot"
SECURE_BOOT_SIGNING_KEY ?= "${THISDIR}/files/refkit-db.key"
SECURE_BOOT_SIGNING_CERT ?= "${THISDIR}/files/refkit-db.crt"

20
recipes-selftest/images/secureboot-selftest-image-unsigned.bb
View File

@ -1,20 +0,0 @@
require recipes-core/images/core-image-minimal.bb
DEPENDS:remove = "grub-efi"
inherit uefi-comboapp
WKS_FILE = "generic-bootdisk.wks.in"
do_uefiapp_deploy:append() {
for i in ${DEPLOY_DIR_IMAGE}/${IMAGE_LINK_NAME}.boot*.efi; do
target=`basename $i`
target=`echo $target | sed -e 's/${IMAGE_LINK_NAME}.//'`
cat > ${IMAGE_ROOTFS}/boot/startup.nsh << EOF
$target
reset
EOF
break
done
}

83
recipes-support/sbsigntool/sbsigntool-native_git.bb
View File

@ -1,83 +0,0 @@
DESCRIPTION = "Utility for signing and verifying files for UEFI Secure Boot"
LICENSE = "GPL-3.0-only & LGPL-2.1-only & LGPL-3.0-only & MIT"
# sbsigntool statically links to libccan.a which is built with modules
# passed to "create-ccan-tree" (and their dependencies). Therefore,
# we also keep track of all the ccan module licenses.
LIC_FILES_CHKSUM = "file://LICENSE.GPLv3;md5=9eef91148a9b14ec7f9df333daebc746 \
file://COPYING;md5=a7710ac18adec371b84a9594ed04fd20 \
file://lib/ccan.git/ccan/endian/LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
file://lib/ccan.git/ccan/htable/LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
file://lib/ccan.git/ccan/list/LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
file://lib/ccan.git/ccan/read_write_all/LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
file://lib/ccan.git/ccan/talloc/LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
file://lib/ccan.git/ccan/typesafe_cb/LICENSE;md5=2d5025d4aa3495befef8f17206a5b0a1 \
file://lib/ccan.git/ccan/failtest/LICENSE;md5=6a6a8e020838b23406c81b19c1d46df6 \
file://lib/ccan.git/ccan/tlist/LICENSE;md5=6a6a8e020838b23406c81b19c1d46df6 \
file://lib/ccan.git/ccan/time/LICENSE;md5=838c366f69b72c5df05c96dff79b35f2 \
"
# The original upstream is git://kernel.ubuntu.com/jk/sbsigntool but it has
# not been maintained and many patches have been backported in this repo.
SRC_URI = "git://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git;protocol=https;name=sbsigntools;branch=master \
git://github.com/rustyrussell/ccan.git;protocol=https;destsuffix=git/lib/ccan.git;name=ccan;branch=master \
file://0001-configure-Fixup-build-dependencies-for-cross-compili.patch \
"
SRCREV_sbsigntools ?= "9cfca9fe7aa7a8e29b92fe33ce8433e212c9a8ba"
SRCREV_ccan ?= "b1f28e17227f2320d07fe052a8a48942fe17caa5"
SRCREV_FORMAT = "sbsigntools_ccan"
DEPENDS = "binutils-native gnu-efi-native help2man-native openssl-native util-linux-native"
PV = "0.9.5"
S = "${WORKDIR}/git"
inherit autotools pkgconfig
inherit native
do_configure:prepend() {
cd ${S}
sed -i s#RECIPE_SYSROOT#${RECIPE_SYSROOT_NATIVE}#g configure.ac
if [ ! -e lib/ccan ]; then
# Use empty SCOREDIR because 'make scores' is not run.
# The default setting depends on (non-whitelisted) host tools.
sed -i -e 's#^\(SCOREDIR=\).*#\1#' lib/ccan.git/Makefile
lib/ccan.git/tools/create-ccan-tree \
--build-type=automake lib/ccan \
talloc read_write_all build_assert array_size endian
fi
# Create generatable docs from git
(
echo "Authors of sbsigntool:"
echo
git log --format='%an' | sort -u | sed 's,^,\t,'
) > AUTHORS
# Generate simple ChangeLog
git log --date=short --format='%ad %t %an <%ae>%n%n * %s%n' > ChangeLog
cd ${B}
}
def efi_arch(d):
import re
harch = d.getVar("HOST_ARCH")
if re.match("i[3456789]86", harch):
return "ia32"
return harch
EXTRA_OEMAKE = "\
INCLUDES+='-I${S}/lib/ccan.git/ \
-I${STAGING_INCDIR_NATIVE}/efi \
-I${STAGING_INCDIR_NATIVE} \
-I${STAGING_INCDIR_NATIVE}/efi/${@efi_arch(d)}' \
"
CFLAGS:append = " -Wno-error"

54
recipes-support/sbsigntool/sbsigntool/0001-configure-Fixup-build-dependencies-for-cross-compili.patch
View File

@ -1,54 +0,0 @@
From c3533b8da1e1425801d2fc0bcd231e13d593f16b Mon Sep 17 00:00:00 2001
From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
Date: Tue, 19 Feb 2019 20:07:45 +0800
Subject: [PATCH] configure: Fixup build dependencies for cross-compiling
When cross-compiling, custom header files and libraries need to be
specified. sbsign assumes that all the dependencies are located
under /usr/include and /usr/lib.
Prepend these paths with a placeholder that can be replaced with the
actual paths once they are resolved.
Upstream-Status: Inappropriate [OE specific]
Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
Taken from :
https://github.com/intel/luv-yocto/tree/master/meta-luv/recipes-devtools/sbsigntool/sbsigntool
Corrected typo error and ported to version 0.9.2
Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
---
configure.ac | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index 1459e91..3e34c8d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -70,7 +70,10 @@ AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = "
##
# no consistent view of where gnu-efi should dump the efi stuff, so find it
##
-for path in /lib /lib64 /usr/lib /usr/lib64 /usr/lib32 /lib/efi /lib64/efi /usr/lib/efi /usr/lib64/efi /usr/lib/gnuefi /usr/lib64/gnuefi ; do
+for path in RECIPE_SYSROOT/lib RECIPE_SYSROOT/lib64 RECIPE_SYSROOT/usr/lib \
+ RECIPE_SYSROOT/usr/lib64 RECIPE_SYSROOT/usr/lib32 \
+ RECIPE_SYSROOT/lib/efi RECIPE_SYSROOT/lib64/efi \
+ RECIPE_SYSROOT/usr/lib/efi RECIPE_SYSROOT/usr/lib64/efi; do
if test -e $path/crt0-efi-$EFI_ARCH.o; then
CRTPATH=$path
fi
@@ -79,7 +82,7 @@ if test -z "$CRTPATH"; then
AC_MSG_ERROR([cannot find the gnu-efi crt path])
fi
-EFI_CPPFLAGS="-I/usr/include/efi -I/usr/include/efi/$EFI_ARCH \
+EFI_CPPFLAGS="-IRECIPE_SYSROOT/usr/include/efi -IRECIPE_SYSROOT/usr/include/efi/$EFI_ARCH \
-DEFI_FUNCTION_WRAPPER"
CPPFLAGS_save="$CPPFLAGS"
CPPFLAGS="$CPPFLAGS $EFI_CPPFLAGS"
--
2.7.4