Message ID | 20220214162458.636845-1-Quirin.Gylstorff@siemens.com (mailing list archive) |
---|---|
State | Handled Elsewhere |
Series | [isar-cip-core] efibootguard: Do not copy the efi binaries directly into DEPLOY_DIR | expand |
On 14.02.22 17:24, Quirin.Gylstorff@siemens.com wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> This allows a rebuild with sstate after `build/tmp` was removed.
>
> This patch makes efibootguardx64.efi binary to be included in .deb package.
>
> Also bg_setenv and efibootguardx64.efi are now used from the wic build change root.
>
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> kas/opt/efibootguard.yml | 1 +
> .../efibootguard/efibootguard_0.9-git+isar.bb | 5 -----
> .../files/debian/efibootguard.install | 1 +
> .../files/debian/efibootguard.links | 1 +
> .../wic/plugins/source/efibootguard-boot.py | 3 +--
> .../wic/plugins/source/efibootguard-efi.py | 22 ++++++++++---------
> wic/ebg-signed-bootloader.inc | 2 +-
> wic/ebg-sysparts.inc | 2 +-
> wic/qemu-amd64-efibootguard-secureboot.wks.in | 2 +-
> 9 files changed, 19 insertions(+), 20 deletions(-)
> create mode 100644 recipes-bsp/efibootguard/files/debian/efibootguard.links
>
> diff --git a/kas/opt/efibootguard.yml b/kas/opt/efibootguard.yml
> index 75d4ab1..f5f9169 100644
> --- a/kas/opt/efibootguard.yml
> +++ b/kas/opt/efibootguard.yml
> @@ -21,6 +21,7 @@ local_conf_header:
> SWUPDATE_BOOTLOADER = "efibootguard"
>
> efibootguard-wic: |
> + WIC_IMAGER_INSTALL_append = " efibootguard"
> WDOG_TIMEOUT ?= "60"
> WICVARS += "WDOG_TIMEOUT KERNEL_IMAGE INITRD_IMAGE"
> IMAGE_FSTYPES ?= "wic-img"
> diff --git a/recipes-bsp/efibootguard/efibootguard_0.9-git+isar.bb b/recipes-bsp/efibootguard/efibootguard_0.9-git+isar.bb
> index 2817e5b..171d8d4 100644
> --- a/recipes-bsp/efibootguard/efibootguard_0.9-git+isar.bb
> +++ b/recipes-bsp/efibootguard/efibootguard_0.9-git+isar.bb
> @@ -39,8 +39,3 @@ do_prepare_build() {
> deb_add_changelog
> }
>
> -dpkg_runbuild_append() {
> - install -m 0755 -d ${DEPLOY_DIR_IMAGE}
> - install -m 0755 ${S}/efibootguardx64.efi ${DEPLOY_DIR_IMAGE}/bootx64.efi
> - install -m 0755 ${S}/bg_setenv ${DEPLOY_DIR_IMAGE}/bg_setenv
> -}
> diff --git a/recipes-bsp/efibootguard/files/debian/efibootguard.install b/recipes-bsp/efibootguard/files/debian/efibootguard.install
> index 8a8d9d3..0239953 100644
> --- a/recipes-bsp/efibootguard/files/debian/efibootguard.install
> +++ b/recipes-bsp/efibootguard/files/debian/efibootguard.install
> @@ -1,2 +1,3 @@
> bg_setenv usr/bin
> bg_printenv usr/bin
> +efibootguardx64.efi usr/share/efibootguard
> diff --git a/recipes-bsp/efibootguard/files/debian/efibootguard.links b/recipes-bsp/efibootguard/files/debian/efibootguard.links
> new file mode 100644
> index 0000000..97bab21
> --- /dev/null
> +++ b/recipes-bsp/efibootguard/files/debian/efibootguard.links
> @@ -0,0 +1 @@
> +usr/share/efibootguard/efibootguardx64.efi usr/share/efibootguard/bootx64.efi
> diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py
> index 882729a..05cef4e 100644
> --- a/scripts/lib/wic/plugins/source/efibootguard-boot.py
> +++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py
> @@ -111,9 +111,8 @@ class EfibootguardBootPlugin(SourcePlugin):
>
> cwd = os.getcwd()
> os.chdir(part_rootfs_dir)
> - config_cmd = '%s/bg_setenv -f . -k "C:%s:%s" %s -r %s -w %s' \
> + config_cmd = '/usr/bin/bg_setenv -f . -k "C:%s:%s" %s -r %s -w %s' \
> % (
> - deploy_dir,
> part.label.upper(),
> boot_image,
> '-a "%s"' % cmdline if cmdline else "",
> diff --git a/scripts/lib/wic/plugins/source/efibootguard-efi.py b/scripts/lib/wic/plugins/source/efibootguard-efi.py
> index 9eb2353..613a350 100644
> --- a/scripts/lib/wic/plugins/source/efibootguard-efi.py
> +++ b/scripts/lib/wic/plugins/source/efibootguard-efi.py
> @@ -53,9 +53,9 @@ class EfibootguardEFIPlugin(SourcePlugin):
> """
> deploy_dir = get_bitbake_var("DEPLOY_DIR_IMAGE")
> creator.deploy_dir = deploy_dir
> - bootloader_files = source_params.get("bootloader")
> + bootloader_files = source_params.get("files")
> if not bootloader_files:
> - bootloader_files = "bootx64.efi"
> + bootloader_files = "{}/bootx64.efi".format(deploy_dir)

DEPLOY_DIR is no longer used now. Also, why do we need a parameter here? It's about the Isar way of installing the Isar-built EBG binary. All we need is to probe the target architecture. IIRC, we already run over that arch, thus can derive the right bootXXX.efi name from that.

> bootloader_files = bootloader_files.split(' ')
> part_rootfs_dir = "%s/disk/%s.%s" % (cr_workdir,
> part.label,
> @@ -63,18 +63,19 @@ class EfibootguardEFIPlugin(SourcePlugin):
> create_dir_cmd = "install -d %s/EFI/BOOT" % part_rootfs_dir
> exec_cmd(create_dir_cmd)
>
> - for bootloader in bootloader_files:
> - signed_bootloader = cls._sign_file(bootloader,
> - "{}/{}".format(deploy_dir,
> - bootloader
> - ),
> + for bootloader_path in bootloader_files:
> + name = os.path.basename(bootloader_path)
> + signed_bootloader = cls._sign_file(name,
> + bootloader_path,
> cr_workdir,
> source_params)
> + msger.debug("Copy %s to %s",
> + signed_bootloader, part_rootfs_dir)
> # important the bootloader in deploy_dir is no longer signed
> cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (cr_workdir,
> - signed_bootloader,
> - part_rootfs_dir,
> - bootloader)
> + signed_bootloader,
> + part_rootfs_dir,
> + name)
> exec_cmd(cp_cmd, True)
> du_cmd = "du --apparent-size -ks %s" % part_rootfs_dir
> blocks = int(exec_cmd(du_cmd).split()[0])
> @@ -113,6 +114,7 @@ class EfibootguardEFIPlugin(SourcePlugin):
> def _sign_file(cls, name, signee, cr_workdir, source_params):
> sign_script = source_params.get("signwith")
> if sign_script and os.path.exists(sign_script):
> + msger.debug("Sign %s to %s", name, cr_workdir)

Intentional addition or debug left-over?

> work_name = name.replace(".efi", ".signed.efi")
> sign_cmd = "{sign_script} {signee} \
> {cr_workdir}/{work_name}".format(sign_script=sign_script,
> diff --git a/wic/ebg-signed-bootloader.inc b/wic/ebg-signed-bootloader.inc
> index 667e014..2fd5c0e 100644
> --- a/wic/ebg-signed-bootloader.inc
> +++ b/wic/ebg-signed-bootloader.inc
> @@ -1,2 +1,2 @@
> # EFI partition containing efibootguard bootloader binary
> -part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
> +part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "files=/usr/share/efibootguard/bootx64.efi,signwith=/usr/bin/sign_secure_image.sh"
> diff --git a/wic/ebg-sysparts.inc b/wic/ebg-sysparts.inc
> index dea99e8..18c8508 100644
> --- a/wic/ebg-sysparts.inc
> +++ b/wic/ebg-sysparts.inc
> @@ -1,7 +1,7 @@
> # default partition layout EFI Boot Guard usage
>
> # EFI partition containing efibootguard bootloader binary
> -part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active
> +part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "files=/usr/share/efibootguard/bootx64.efi"
>
> # EFI Boot Guard environment/config partitions plus Kernel files
> part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,root=PARTUUID:fedcba98-7654-3210-cafe-5e0710000001"
> diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
> index 81fd4fe..72a6f8c 100644
> --- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
> +++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
> @@ -1,5 +1,5 @@
> # EFI partition containing efibootguard bootloader binary
> -part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
> +include ebg-signed-bootloader.inc
>
> # EFI Boot Guard environment/config partitions plus Kernel files
> part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"

Nice cleanup, but I suspect we can clean even more :)

Jan
diff --git a/kas/opt/efibootguard.yml b/kas/opt/efibootguard.yml
index 75d4ab1..f5f9169 100644
--- a/kas/opt/efibootguard.yml
+++ b/kas/opt/efibootguard.yml
@@ -21,6 +21,7 @@ local_conf_header:
 SWUPDATE_BOOTLOADER = "efibootguard"
 
 efibootguard-wic: |
+ WIC_IMAGER_INSTALL_append = " efibootguard"
 WDOG_TIMEOUT ?= "60"
 WICVARS += "WDOG_TIMEOUT KERNEL_IMAGE INITRD_IMAGE"
 IMAGE_FSTYPES ?= "wic-img"
diff --git a/recipes-bsp/efibootguard/efibootguard_0.9-git+isar.bb b/recipes-bsp/efibootguard/efibootguard_0.9-git+isar.bb
index 2817e5b..171d8d4 100644
--- a/recipes-bsp/efibootguard/efibootguard_0.9-git+isar.bb
+++ b/recipes-bsp/efibootguard/efibootguard_0.9-git+isar.bb
@@ -39,8 +39,3 @@ do_prepare_build() {
 deb_add_changelog
 }
 
-dpkg_runbuild_append() {
- install -m 0755 -d ${DEPLOY_DIR_IMAGE}
- install -m 0755 ${S}/efibootguardx64.efi ${DEPLOY_DIR_IMAGE}/bootx64.efi
- install -m 0755 ${S}/bg_setenv ${DEPLOY_DIR_IMAGE}/bg_setenv
-}
diff --git a/recipes-bsp/efibootguard/files/debian/efibootguard.install b/recipes-bsp/efibootguard/files/debian/efibootguard.install
index 8a8d9d3..0239953 100644
--- a/recipes-bsp/efibootguard/files/debian/efibootguard.install
+++ b/recipes-bsp/efibootguard/files/debian/efibootguard.install
@@ -1,2 +1,3 @@
 bg_setenv usr/bin
 bg_printenv usr/bin
+efibootguardx64.efi usr/share/efibootguard
diff --git a/recipes-bsp/efibootguard/files/debian/efibootguard.links b/recipes-bsp/efibootguard/files/debian/efibootguard.links
new file mode 100644
index 0000000..97bab21
--- /dev/null
+++ b/recipes-bsp/efibootguard/files/debian/efibootguard.links
@@ -0,0 +1 @@
+usr/share/efibootguard/efibootguardx64.efi usr/share/efibootguard/bootx64.efi
diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py
index 882729a..05cef4e 100644
--- a/scripts/lib/wic/plugins/source/efibootguard-boot.py
+++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py
@@ -111,9 +111,8 @@ class EfibootguardBootPlugin(SourcePlugin):
 
 cwd = os.getcwd()
 os.chdir(part_rootfs_dir)
- config_cmd = '%s/bg_setenv -f . -k "C:%s:%s" %s -r %s -w %s' \
+ config_cmd = '/usr/bin/bg_setenv -f . -k "C:%s:%s" %s -r %s -w %s' \
 % (
- deploy_dir,
 part.label.upper(),
 boot_image,
 '-a "%s"' % cmdline if cmdline else "",
diff --git a/scripts/lib/wic/plugins/source/efibootguard-efi.py b/scripts/lib/wic/plugins/source/efibootguard-efi.py
index 9eb2353..613a350 100644
--- a/scripts/lib/wic/plugins/source/efibootguard-efi.py
+++ b/scripts/lib/wic/plugins/source/efibootguard-efi.py
@@ -53,9 +53,9 @@ class EfibootguardEFIPlugin(SourcePlugin):
 """
 deploy_dir = get_bitbake_var("DEPLOY_DIR_IMAGE")
 creator.deploy_dir = deploy_dir
- bootloader_files = source_params.get("bootloader")
+ bootloader_files = source_params.get("files")
 if not bootloader_files:
- bootloader_files = "bootx64.efi"
+ bootloader_files = "{}/bootx64.efi".format(deploy_dir)
 bootloader_files = bootloader_files.split(' ')
 part_rootfs_dir = "%s/disk/%s.%s" % (cr_workdir,
 part.label,
@@ -63,18 +63,19 @@ class EfibootguardEFIPlugin(SourcePlugin):
 create_dir_cmd = "install -d %s/EFI/BOOT" % part_rootfs_dir
 exec_cmd(create_dir_cmd)
 
- for bootloader in bootloader_files:
- signed_bootloader = cls._sign_file(bootloader,
- "{}/{}".format(deploy_dir,
- bootloader
- ),
+ for bootloader_path in bootloader_files:
+ name = os.path.basename(bootloader_path)
+ signed_bootloader = cls._sign_file(name,
+ bootloader_path,
 cr_workdir,
 source_params)
+ msger.debug("Copy %s to %s",
+ signed_bootloader, part_rootfs_dir)
 # important the bootloader in deploy_dir is no longer signed
 cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (cr_workdir,
- signed_bootloader,
- part_rootfs_dir,
- bootloader)
+ signed_bootloader,
+ part_rootfs_dir,
+ name)
 exec_cmd(cp_cmd, True)
 du_cmd = "du --apparent-size -ks %s" % part_rootfs_dir
 blocks = int(exec_cmd(du_cmd).split()[0])
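Review bot: The hard-coded `/usr/bin/bg_setenv` in `config_cmd` (efibootguard-boot.py, hunk at -111,9) makes the plugin depend on the efibootguard package being installed in the environment where wic runs, and nothing next to the call says so. In this patch only kas/opt/efibootguard.yml adds the package through `WIC_IMAGER_INSTALL_append`, so a layer that uses the plugin without that option would presumably fail here with a plain command-not-found. A comment above the assignment would help, for example `# bg_setenv comes from the efibootguard package; it must be listed in WIC_IMAGER_INSTALL`. The enclosing method starts and ends outside the hunk.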
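Review bot: A .wks file that still passes `bootloader=...` is silently ignored after the rename to `files` (efibootguard-efi.py, hunk at -53,9), and the plugin then falls back to its default path without telling the user. The value also changes meaning, from a file name under the deploy directory to a full path, so the old key cannot simply be aliased. A short check such as `if "bootloader" in source_params: msger.warning("sourceparam 'bootloader' is no longer supported, use 'files'")` would make the change visible; whether `msger` offers `warning` here should be confirmed, since only `msger.debug` is visible in the diff. The docstring that closes just above the hunk would be the place to state that `files` is a space-separated list of paths.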
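Review bot: The comment kept above `cp_cmd` (efibootguard-efi.py, hunk at -63,18), `# important the bootloader in deploy_dir is no longer signed`, no longer matches the loop, which now reads `bootloader_path` from the `files` parameter rather than from deploy_dir. It could read `# copy the result from cr_workdir; the file at bootloader_path is left as it was`, assuming `_sign_file` only writes below `cr_workdir`, as its `sign_cmd` suggests. Separately, the destination name is `os.path.basename(bootloader_path)`, so two entries with the same file name in different directories would overwrite each other in `EFI/BOOT`; a duplicate-name check before the loop would catch that.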
@@ -113,6 +114,7 @@ class EfibootguardEFIPlugin(SourcePlugin):
 def _sign_file(cls, name, signee, cr_workdir, source_params):
 sign_script = source_params.get("signwith")
 if sign_script and os.path.exists(sign_script):
+ msger.debug("Sign %s to %s", name, cr_workdir)
 work_name = name.replace(".efi", ".signed.efi")
 sign_cmd = "{sign_script} {signee} \
 {cr_workdir}/{work_name}".format(sign_script=sign_script,
diff --git a/wic/ebg-signed-bootloader.inc b/wic/ebg-signed-bootloader.inc
index 667e014..2fd5c0e 100644
--- a/wic/ebg-signed-bootloader.inc
+++ b/wic/ebg-signed-bootloader.inc
@@ -1,2 +1,2 @@
 # EFI partition containing efibootguard bootloader binary
-part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
+part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "files=/usr/share/efibootguard/bootx64.efi,signwith=/usr/bin/sign_secure_image.sh"
diff --git a/wic/ebg-sysparts.inc b/wic/ebg-sysparts.inc
index dea99e8..18c8508 100644
--- a/wic/ebg-sysparts.inc
+++ b/wic/ebg-sysparts.inc
@@ -1,7 +1,7 @@
 # default partition layout EFI Boot Guard usage
 
 # EFI partition containing efibootguard bootloader binary
-part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active
+part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "files=/usr/share/efibootguard/bootx64.efi"
 
 # EFI Boot Guard environment/config partitions plus Kernel files
 part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,root=PARTUUID:fedcba98-7654-3210-cafe-5e0710000001"
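Review bot: In `_sign_file` (efibootguard-efi.py, hunk at -113,6) nothing is reported when `signwith` is set but the script does not exist in the environment wic runs in, which is the case that matters most for a secure-boot image. The branch taken when `os.path.exists(sign_script)` is false lies outside the hunk, but from the condition it looks as if the file is then used unsigned. Since this patch moves the inputs to paths inside the wic build chroot, I would fail the build in that case, for example `if sign_script and not os.path.exists(sign_script): raise WicError("signwith script not found: %s" % sign_script)`, provided `WicError` is imported in this file.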
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
index 81fd4fe..72a6f8c 100644
--- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -1,5 +1,5 @@
 # EFI partition containing efibootguard bootloader binary
-part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
+include ebg-signed-bootloader.inc
 
 # EFI Boot Guard environment/config partitions plus Kernel files
 part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"