author | takeshi_hoshina <takeshi_hoshina@mail.toyota.co.jp> | 2020-11-02 11:07:33 +0900 |
---|---|---|
committer | takeshi_hoshina <takeshi_hoshina@mail.toyota.co.jp> | 2020-11-02 11:07:33 +0900 |
commit | 1c7d6584a7811b7785ae5c1e378f14b5ba0971cf (patch) | |
tree | cd70a267a5ef105ba32f200aa088e281fbd85747 /bsp/meta-intel/classes/uefi-sign.bbclass | |
parent | 4204309872da5cb401cbb2729d9e2d4869a87f42 (diff) |
basesystem-jjsandbox/ToshikazuOhiwa/master-jj
recipes
Diffstat (limited to 'bsp/meta-intel/classes/uefi-sign.bbclass')
-rw-r--r-- | bsp/meta-intel/classes/uefi-sign.bbclass | 50 |
1 files changed, 0 insertions, 50 deletions
diff --git a/bsp/meta-intel/classes/uefi-sign.bbclass b/bsp/meta-intel/classes/uefi-sign.bbclass
deleted file mode 100644
index e8f203b9..00000000
--- a/bsp/meta-intel/classes/uefi-sign.bbclass
+++ /dev/null
@@ -1,50 +0,0 @@
-# By default, sign all .efi binaries in ${B} after compiling and before deploying
-SIGNING_DIR ?= "${B}"
-SIGNING_BINARIES ?= "*.efi"
-SIGN_AFTER ?= "do_compile"
-SIGN_BEFORE ?= "do_deploy"
-
-python () {
- import os
- import hashlib
-
- # Ensure that if the signing key or cert change, we rerun the uefiapp process
- if bb.utils.contains('IMAGE_FEATURES', 'secureboot', True, False, d):
- for varname in ('SECURE_BOOT_SIGNING_CERT', 'SECURE_BOOT_SIGNING_KEY'):
- filename = d.getVar(varname)
- if filename is None:
- bb.fatal('%s is not set.' % varname)
- if not os.path.isfile(filename):
- bb.fatal('%s=%s is not a file.' % (varname, filename))
- with open(filename, 'rb') as f:
- data = f.read()
- hash = hashlib.sha256(data).hexdigest()
- d.setVar('%s_HASH' % varname, hash)
-
- # Must reparse and thus rehash on file changes.
- bb.parse.mark_dependency(d, filename)
-
- bb.build.addtask('uefi_sign', d.getVar('SIGN_BEFORE'), d.getVar('SIGN_AFTER'), d)
-
- # Original binary needs to be regenerated if the hash changes since we overwrite it
- # SIGN_AFTER isn't necessarily when it gets generated, but its our best guess
- d.appendVarFlag(d.getVar('SIGN_AFTER'), 'vardeps', 'SECURE_BOOT_SIGNING_CERT_HASH SECURE_BOOT_SIGNING_KEY_HASH')
-}
-
-do_uefi_sign() {
- if [ -f ${SECURE_BOOT_SIGNING_KEY} ] && [ -f ${SECURE_BOOT_SIGNING_CERT} ]; then
- for i in `find ${SIGNING_DIR}/ -name '${SIGNING_BINARIES}'`; do
- sbsign --key ${SECURE_BOOT_SIGNING_KEY} --cert ${SECURE_BOOT_SIGNING_CERT} $i
- sbverify --cert ${SECURE_BOOT_SIGNING_CERT} $i.signed
- mv $i.signed $i
- done
- fi
-}
-
-do_uefi_sign[depends] += "sbsigntool-native:do_populate_sysroot"
-
-do_uefi_sign[vardeps] += "SECURE_BOOT_SIGNING_CERT_HASH \
- SECURE_BOOT_SIGNING_KEY_HASH \
- SIGNING_BINARIES SIGNING_DIR \
- SIGN_BEFORE SIGN_AFTER \
- "
|