
[isar-cip-core,v2] efibootguard: Do not copy the efi binaries directly into DEPLOY_DIR

Message ID 20220215150149.1748545-1-Quirin.Gylstorff@siemens.com (mailing list archive)
State New

Commit Message

Quirin Gylstorff Feb. 15, 2022, 3:01 p.m. UTC
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This prepares isar-cip-core to integrate the upcoming ISAR features
sstate and sbuild. Sbuild doesn't allow the extraction of build results.

sstate doesn't populate the deploy dir from packages in case of a rebuild.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
Changes v2:
 - use distro_arch to determine binary name
 - remove additional debug message
 - remove deploydir

 kas/opt/efibootguard.yml                      |  1 +
 .../efibootguard/efibootguard_0.9-git+isar.bb |  5 ----
 .../files/debian/efibootguard.install         |  1 +
 .../files/debian/efibootguard.links           |  1 +
 .../wic/plugins/source/efibootguard-boot.py   |  3 +--
 .../wic/plugins/source/efibootguard-efi.py    | 26 +++++++++----------
 wic/qemu-amd64-efibootguard-secureboot.wks.in |  2 +-
 7 files changed, 18 insertions(+), 21 deletions(-)
 create mode 100644 recipes-bsp/efibootguard/files/debian/efibootguard.links

Comments

Jan Kiszka Feb. 15, 2022, 4:17 p.m. UTC | #1
On 15.02.22 16:01, Q. Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> This preparing isar-cip-core to integrate the upcomming ISAR features
> sstate and sbuild. Sbuild doesn't allow the extraction of build results.
> 
> sstate doesn't populate the deploy dir from packages in case of a rebuild.
> 
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> Changes v2:
>  - use distro_arch to determine binary name
>  - remove additional debug message
>  - remove deploydir
> 
>  kas/opt/efibootguard.yml                      |  1 +
>  .../efibootguard/efibootguard_0.9-git+isar.bb |  5 ----
>  .../files/debian/efibootguard.install         |  1 +
>  .../files/debian/efibootguard.links           |  1 +
>  .../wic/plugins/source/efibootguard-boot.py   |  3 +--
>  .../wic/plugins/source/efibootguard-efi.py    | 26 +++++++++----------
>  wic/qemu-amd64-efibootguard-secureboot.wks.in |  2 +-
>  7 files changed, 18 insertions(+), 21 deletions(-)
>  create mode 100644 recipes-bsp/efibootguard/files/debian/efibootguard.links
> 
> diff --git a/kas/opt/efibootguard.yml b/kas/opt/efibootguard.yml
> index 75d4ab1..f5f9169 100644
> --- a/kas/opt/efibootguard.yml
> +++ b/kas/opt/efibootguard.yml
> @@ -21,6 +21,7 @@ local_conf_header:
>      SWUPDATE_BOOTLOADER = "efibootguard"
>  
>    efibootguard-wic: |
> +    WIC_IMAGER_INSTALL_append = " efibootguard"
>      WDOG_TIMEOUT ?= "60"
>      WICVARS += "WDOG_TIMEOUT KERNEL_IMAGE INITRD_IMAGE"
>      IMAGE_FSTYPES ?= "wic-img"
> diff --git a/recipes-bsp/efibootguard/efibootguard_0.9-git+isar.bb b/recipes-bsp/efibootguard/efibootguard_0.9-git+isar.bb
> index 2817e5b..171d8d4 100644
> --- a/recipes-bsp/efibootguard/efibootguard_0.9-git+isar.bb
> +++ b/recipes-bsp/efibootguard/efibootguard_0.9-git+isar.bb
> @@ -39,8 +39,3 @@ do_prepare_build() {
>      deb_add_changelog
>  }
>  
> -dpkg_runbuild_append() {
> -    install -m 0755 -d ${DEPLOY_DIR_IMAGE}
> -    install -m 0755 ${S}/efibootguardx64.efi ${DEPLOY_DIR_IMAGE}/bootx64.efi
> -    install -m 0755 ${S}/bg_setenv ${DEPLOY_DIR_IMAGE}/bg_setenv
> -}
> diff --git a/recipes-bsp/efibootguard/files/debian/efibootguard.install b/recipes-bsp/efibootguard/files/debian/efibootguard.install
> index 8a8d9d3..0239953 100644
> --- a/recipes-bsp/efibootguard/files/debian/efibootguard.install
> +++ b/recipes-bsp/efibootguard/files/debian/efibootguard.install
> @@ -1,2 +1,3 @@
>  bg_setenv usr/bin
>  bg_printenv usr/bin
> +efibootguardx64.efi usr/share/efibootguard
> diff --git a/recipes-bsp/efibootguard/files/debian/efibootguard.links b/recipes-bsp/efibootguard/files/debian/efibootguard.links
> new file mode 100644
> index 0000000..97bab21
> --- /dev/null
> +++ b/recipes-bsp/efibootguard/files/debian/efibootguard.links
> @@ -0,0 +1 @@
> +usr/share/efibootguard/efibootguardx64.efi usr/share/efibootguard/bootx64.efi
> diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py
> index 882729a..05cef4e 100644
> --- a/scripts/lib/wic/plugins/source/efibootguard-boot.py
> +++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py
> @@ -111,9 +111,8 @@ class EfibootguardBootPlugin(SourcePlugin):
>  
>          cwd = os.getcwd()
>          os.chdir(part_rootfs_dir)
> -        config_cmd = '%s/bg_setenv -f . -k "C:%s:%s" %s -r %s -w %s' \
> +        config_cmd = '/usr/bin/bg_setenv -f . -k "C:%s:%s" %s -r %s -w %s' \
>              % (
> -                deploy_dir,
>                  part.label.upper(),
>                  boot_image,
>                  '-a "%s"' % cmdline if cmdline else "",
> diff --git a/scripts/lib/wic/plugins/source/efibootguard-efi.py b/scripts/lib/wic/plugins/source/efibootguard-efi.py
> index 9eb2353..cb3a37a 100644
> --- a/scripts/lib/wic/plugins/source/efibootguard-efi.py
> +++ b/scripts/lib/wic/plugins/source/efibootguard-efi.py
> @@ -51,11 +51,13 @@ class EfibootguardEFIPlugin(SourcePlugin):
>          populate an EFI boot partition containing the EFI Boot Guard
>          bootloader binary.
>          """
> -        deploy_dir = get_bitbake_var("DEPLOY_DIR_IMAGE")
> -        creator.deploy_dir = deploy_dir
> -        bootloader_files = source_params.get("bootloader")
> +        distro_arch = get_bitbake_var("DISTRO_ARCH")
> +        # we need to map the distro_arch to uefi values
> +        if "amd64" in distro_arch:
> +            distro_arch = "x64"

How about ia32 and aarch64 (even if the debian package does not support
them yet)?

> +        bootloader_files = source_params.get("files")
>          if not bootloader_files:
> -            bootloader_files = "bootx64.efi"
> +            bootloader_files = "/usr/share/efibootguard/boot{}.efi".format(distro_arch)

Why make this configurable? Why make it a list? Do you already see use
cases beyond the current EBG releases and recipes?

>          bootloader_files = bootloader_files.split(' ')
>          part_rootfs_dir = "%s/disk/%s.%s" % (cr_workdir,
>                                               part.label,
> @@ -63,18 +65,16 @@ class EfibootguardEFIPlugin(SourcePlugin):
>          create_dir_cmd = "install -d %s/EFI/BOOT" % part_rootfs_dir
>          exec_cmd(create_dir_cmd)
>  
> -        for bootloader in bootloader_files:
> -            signed_bootloader = cls._sign_file(bootloader,
> -                                               "{}/{}".format(deploy_dir,
> -                                                              bootloader
> -                                                              ),
> +        for bootloader_path in bootloader_files:
> +            name = os.path.basename(bootloader_path)
> +            signed_bootloader = cls._sign_file(name,
> +                                               bootloader_path,
>                                                 cr_workdir,
>                                                 source_params)
> -            # important the bootloader in deploy_dir is no longer signed
>              cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (cr_workdir,
> -                                                signed_bootloader,
> -                                                part_rootfs_dir,
> -                                                bootloader)
> +                                                  signed_bootloader,
> +                                                  part_rootfs_dir,
> +                                                  name)
>              exec_cmd(cp_cmd, True)
>          du_cmd = "du --apparent-size -ks %s" % part_rootfs_dir
>          blocks = int(exec_cmd(du_cmd).split()[0])
> diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
> index 81fd4fe..72a6f8c 100644
> --- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
> +++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
> @@ -1,5 +1,5 @@
>  # EFI partition containing efibootguard bootloader binary
> -part --source efibootguard-efi  --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi   --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
> +include ebg-signed-bootloader.inc
>  
>  # EFI Boot Guard environment/config partitions plus Kernel files
>  part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"

Jan
Quirin Gylstorff Feb. 18, 2022, 8:58 a.m. UTC | #2
On 2/15/22 17:17, Jan Kiszka wrote:
> On 15.02.22 16:01, Q. Gylstorff wrote:
>> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>>
>> This preparing isar-cip-core to integrate the upcomming ISAR features
>> sstate and sbuild. Sbuild doesn't allow the extraction of build results.
>>
>> sstate doesn't populate the deploy dir from packages in case of a rebuild.
>>
>> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>> ---
>> Changes v2:
>>   - use distro_arch to determine binary name
>>   - remove additional debug message
>>   - remove deploydir
>>
>>   kas/opt/efibootguard.yml                      |  1 +
>>   .../efibootguard/efibootguard_0.9-git+isar.bb |  5 ----
>>   .../files/debian/efibootguard.install         |  1 +
>>   .../files/debian/efibootguard.links           |  1 +
>>   .../wic/plugins/source/efibootguard-boot.py   |  3 +--
>>   .../wic/plugins/source/efibootguard-efi.py    | 26 +++++++++----------
>>   wic/qemu-amd64-efibootguard-secureboot.wks.in |  2 +-
>>   7 files changed, 18 insertions(+), 21 deletions(-)
>>   create mode 100644 recipes-bsp/efibootguard/files/debian/efibootguard.links
>>
>> diff --git a/kas/opt/efibootguard.yml b/kas/opt/efibootguard.yml
>> index 75d4ab1..f5f9169 100644
>> --- a/kas/opt/efibootguard.yml
>> +++ b/kas/opt/efibootguard.yml
>> @@ -21,6 +21,7 @@ local_conf_header:
>>       SWUPDATE_BOOTLOADER = "efibootguard"
>>   
>>     efibootguard-wic: |
>> +    WIC_IMAGER_INSTALL_append = " efibootguard"
>>       WDOG_TIMEOUT ?= "60"
>>       WICVARS += "WDOG_TIMEOUT KERNEL_IMAGE INITRD_IMAGE"
>>       IMAGE_FSTYPES ?= "wic-img"
>> diff --git a/recipes-bsp/efibootguard/efibootguard_0.9-git+isar.bb b/recipes-bsp/efibootguard/efibootguard_0.9-git+isar.bb
>> index 2817e5b..171d8d4 100644
>> --- a/recipes-bsp/efibootguard/efibootguard_0.9-git+isar.bb
>> +++ b/recipes-bsp/efibootguard/efibootguard_0.9-git+isar.bb
>> @@ -39,8 +39,3 @@ do_prepare_build() {
>>       deb_add_changelog
>>   }
>>   
>> -dpkg_runbuild_append() {
>> -    install -m 0755 -d ${DEPLOY_DIR_IMAGE}
>> -    install -m 0755 ${S}/efibootguardx64.efi ${DEPLOY_DIR_IMAGE}/bootx64.efi
>> -    install -m 0755 ${S}/bg_setenv ${DEPLOY_DIR_IMAGE}/bg_setenv
>> -}
>> diff --git a/recipes-bsp/efibootguard/files/debian/efibootguard.install b/recipes-bsp/efibootguard/files/debian/efibootguard.install
>> index 8a8d9d3..0239953 100644
>> --- a/recipes-bsp/efibootguard/files/debian/efibootguard.install
>> +++ b/recipes-bsp/efibootguard/files/debian/efibootguard.install
>> @@ -1,2 +1,3 @@
>>   bg_setenv usr/bin
>>   bg_printenv usr/bin
>> +efibootguardx64.efi usr/share/efibootguard
>> diff --git a/recipes-bsp/efibootguard/files/debian/efibootguard.links b/recipes-bsp/efibootguard/files/debian/efibootguard.links
>> new file mode 100644
>> index 0000000..97bab21
>> --- /dev/null
>> +++ b/recipes-bsp/efibootguard/files/debian/efibootguard.links
>> @@ -0,0 +1 @@
>> +usr/share/efibootguard/efibootguardx64.efi usr/share/efibootguard/bootx64.efi
>> diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py
>> index 882729a..05cef4e 100644
>> --- a/scripts/lib/wic/plugins/source/efibootguard-boot.py
>> +++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py
>> @@ -111,9 +111,8 @@ class EfibootguardBootPlugin(SourcePlugin):
>>   
>>           cwd = os.getcwd()
>>           os.chdir(part_rootfs_dir)
>> -        config_cmd = '%s/bg_setenv -f . -k "C:%s:%s" %s -r %s -w %s' \
>> +        config_cmd = '/usr/bin/bg_setenv -f . -k "C:%s:%s" %s -r %s -w %s' \
>>               % (
>> -                deploy_dir,
>>                   part.label.upper(),
>>                   boot_image,
>>                   '-a "%s"' % cmdline if cmdline else "",
>> diff --git a/scripts/lib/wic/plugins/source/efibootguard-efi.py b/scripts/lib/wic/plugins/source/efibootguard-efi.py
>> index 9eb2353..cb3a37a 100644
>> --- a/scripts/lib/wic/plugins/source/efibootguard-efi.py
>> +++ b/scripts/lib/wic/plugins/source/efibootguard-efi.py
>> @@ -51,11 +51,13 @@ class EfibootguardEFIPlugin(SourcePlugin):
>>           populate an EFI boot partition containing the EFI Boot Guard
>>           bootloader binary.
>>           """
>> -        deploy_dir = get_bitbake_var("DEPLOY_DIR_IMAGE")
>> -        creator.deploy_dir = deploy_dir
>> -        bootloader_files = source_params.get("bootloader")
>> +        distro_arch = get_bitbake_var("DISTRO_ARCH")
>> +        # we need to map the distro_arch to uefi values
>> +        if "amd64" in distro_arch:
>> +            distro_arch = "x64"
> 
> How about ia32 and aarch64 (even if the debian package does not support
> them yet)?

I will add a dict for them.
> 
>> +        bootloader_files = source_params.get("files")
>>           if not bootloader_files:
>> -            bootloader_files = "bootx64.efi"
>> +            bootloader_files = "/usr/share/efibootguard/boot{}.efi".format(distro_arch)
> 
> Why making this configurable? Why making this a list? Do you see use
> cases beyond current EBG releases and recipes already?

I remember a downstream (internal) use case that had multiple bootloaders
added.
I will ask around.
> 
>>           bootloader_files = bootloader_files.split(' ')
>>           part_rootfs_dir = "%s/disk/%s.%s" % (cr_workdir,
>>                                                part.label,
>> @@ -63,18 +65,16 @@ class EfibootguardEFIPlugin(SourcePlugin):
>>           create_dir_cmd = "install -d %s/EFI/BOOT" % part_rootfs_dir
>>           exec_cmd(create_dir_cmd)
>>   
>> -        for bootloader in bootloader_files:
>> -            signed_bootloader = cls._sign_file(bootloader,
>> -                                               "{}/{}".format(deploy_dir,
>> -                                                              bootloader
>> -                                                              ),
>> +        for bootloader_path in bootloader_files:
>> +            name = os.path.basename(bootloader_path)
>> +            signed_bootloader = cls._sign_file(name,
>> +                                               bootloader_path,
>>                                                  cr_workdir,
>>                                                  source_params)
>> -            # important the bootloader in deploy_dir is no longer signed
>>               cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (cr_workdir,
>> -                                                signed_bootloader,
>> -                                                part_rootfs_dir,
>> -                                                bootloader)
>> +                                                  signed_bootloader,
>> +                                                  part_rootfs_dir,
>> +                                                  name)
>>               exec_cmd(cp_cmd, True)
>>           du_cmd = "du --apparent-size -ks %s" % part_rootfs_dir
>>           blocks = int(exec_cmd(du_cmd).split()[0])
>> diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
>> index 81fd4fe..72a6f8c 100644
>> --- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
>> +++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
>> @@ -1,5 +1,5 @@
>>   # EFI partition containing efibootguard bootloader binary
>> -part --source efibootguard-efi  --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi   --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
>> +include ebg-signed-bootloader.inc
>>   
>>   # EFI Boot Guard environment/config partitions plus Kernel files
>>   part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
> 
> Jan
> 

Quirin

Patch

diff --git a/kas/opt/efibootguard.yml b/kas/opt/efibootguard.yml
index 75d4ab1..f5f9169 100644
--- a/kas/opt/efibootguard.yml
+++ b/kas/opt/efibootguard.yml
@@ -21,6 +21,7 @@  local_conf_header:
     SWUPDATE_BOOTLOADER = "efibootguard"
 
   efibootguard-wic: |
+    WIC_IMAGER_INSTALL_append = " efibootguard"
     WDOG_TIMEOUT ?= "60"
     WICVARS += "WDOG_TIMEOUT KERNEL_IMAGE INITRD_IMAGE"
     IMAGE_FSTYPES ?= "wic-img"
diff --git a/recipes-bsp/efibootguard/efibootguard_0.9-git+isar.bb b/recipes-bsp/efibootguard/efibootguard_0.9-git+isar.bb
index 2817e5b..171d8d4 100644
--- a/recipes-bsp/efibootguard/efibootguard_0.9-git+isar.bb
+++ b/recipes-bsp/efibootguard/efibootguard_0.9-git+isar.bb
@@ -39,8 +39,3 @@  do_prepare_build() {
     deb_add_changelog
 }
 
-dpkg_runbuild_append() {
-    install -m 0755 -d ${DEPLOY_DIR_IMAGE}
-    install -m 0755 ${S}/efibootguardx64.efi ${DEPLOY_DIR_IMAGE}/bootx64.efi
-    install -m 0755 ${S}/bg_setenv ${DEPLOY_DIR_IMAGE}/bg_setenv
-}
diff --git a/recipes-bsp/efibootguard/files/debian/efibootguard.install b/recipes-bsp/efibootguard/files/debian/efibootguard.install
index 8a8d9d3..0239953 100644
--- a/recipes-bsp/efibootguard/files/debian/efibootguard.install
+++ b/recipes-bsp/efibootguard/files/debian/efibootguard.install
@@ -1,2 +1,3 @@ 
 bg_setenv usr/bin
 bg_printenv usr/bin
+efibootguardx64.efi usr/share/efibootguard
diff --git a/recipes-bsp/efibootguard/files/debian/efibootguard.links b/recipes-bsp/efibootguard/files/debian/efibootguard.links
new file mode 100644
index 0000000..97bab21
--- /dev/null
+++ b/recipes-bsp/efibootguard/files/debian/efibootguard.links
@@ -0,0 +1 @@ 
+usr/share/efibootguard/efibootguardx64.efi usr/share/efibootguard/bootx64.efi
diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py
index 882729a..05cef4e 100644
--- a/scripts/lib/wic/plugins/source/efibootguard-boot.py
+++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py
@@ -111,9 +111,8 @@  class EfibootguardBootPlugin(SourcePlugin):
 
         cwd = os.getcwd()
         os.chdir(part_rootfs_dir)
-        config_cmd = '%s/bg_setenv -f . -k "C:%s:%s" %s -r %s -w %s' \
+        config_cmd = '/usr/bin/bg_setenv -f . -k "C:%s:%s" %s -r %s -w %s' \
             % (
-                deploy_dir,
                 part.label.upper(),
                 boot_image,
                 '-a "%s"' % cmdline if cmdline else "",
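Review bot: The hard-coded `/usr/bin/bg_setenv` on the new `config_cmd` line exists only when the efibootguard package is installed in the imager environment; this patch arranges that through `WIC_IMAGER_INSTALL_append` in kas/opt/efibootguard.yml, but nothing in the plugin says so, and a layer that uses the plugin without that kas option would presumably fail with a bare "not found" error. A comment above the line would document the dependency, e.g. `# bg_setenv is provided by the efibootguard package (see WIC_IMAGER_INSTALL)`. Separately, `part.label`, `boot_image` and `cmdline` are still interpolated into the command string bare or inside plain double quotes; if `exec_cmd` hands this string to a shell, wrapping each value in `shlex.quote()` would keep a quote or metacharacter in the kernel command line from altering the command. The statement and the enclosing method continue outside the hunk.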
diff --git a/scripts/lib/wic/plugins/source/efibootguard-efi.py b/scripts/lib/wic/plugins/source/efibootguard-efi.py
index 9eb2353..cb3a37a 100644
--- a/scripts/lib/wic/plugins/source/efibootguard-efi.py
+++ b/scripts/lib/wic/plugins/source/efibootguard-efi.py
@@ -51,11 +51,13 @@  class EfibootguardEFIPlugin(SourcePlugin):
         populate an EFI boot partition containing the EFI Boot Guard
         bootloader binary.
         """
-        deploy_dir = get_bitbake_var("DEPLOY_DIR_IMAGE")
-        creator.deploy_dir = deploy_dir
-        bootloader_files = source_params.get("bootloader")
+        distro_arch = get_bitbake_var("DISTRO_ARCH")
+        # we need to map the distro_arch to uefi values
+        if "amd64" in distro_arch:
+            distro_arch = "x64"
+        bootloader_files = source_params.get("files")
         if not bootloader_files:
-            bootloader_files = "bootx64.efi"
+            bootloader_files = "/usr/share/efibootguard/boot{}.efi".format(distro_arch)
         bootloader_files = bootloader_files.split(' ')
         part_rootfs_dir = "%s/disk/%s.%s" % (cr_workdir,
                                              part.label,
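Review bot: `"amd64" in distro_arch` raises a TypeError if `get_bitbake_var("DISTRO_ARCH")` returns None, which I would expect when DISTRO_ARCH is not exported to wic; the `WICVARS +=` line in this patch's kas fragment does not list it, though it may be exported elsewhere. An explicit guard such as `if not distro_arch: raise WicError("DISTRO_ARCH is not available to wic")` (or whatever error type the plugin already uses) gives a readable failure instead of a traceback. The source parameter is also renamed from `bootloader` to `files` and now takes absolute paths, so an existing `.wks` that still passes `bootloader=` silently falls back to the default binary; that deserves a line in the commit message or a warning when the old key is present. The method starts and continues outside the hunk.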
@@ -63,18 +65,16 @@  class EfibootguardEFIPlugin(SourcePlugin):
         create_dir_cmd = "install -d %s/EFI/BOOT" % part_rootfs_dir
         exec_cmd(create_dir_cmd)
 
-        for bootloader in bootloader_files:
-            signed_bootloader = cls._sign_file(bootloader,
-                                               "{}/{}".format(deploy_dir,
-                                                              bootloader
-                                                              ),
+        for bootloader_path in bootloader_files:
+            name = os.path.basename(bootloader_path)
+            signed_bootloader = cls._sign_file(name,
+                                               bootloader_path,
                                                cr_workdir,
                                                source_params)
-            # important the bootloader in deploy_dir is no longer signed
             cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (cr_workdir,
-                                                signed_bootloader,
-                                                part_rootfs_dir,
-                                                bootloader)
+                                                  signed_bootloader,
+                                                  part_rootfs_dir,
+                                                  name)
             exec_cmd(cp_cmd, True)
         du_cmd = "du --apparent-size -ks %s" % part_rootfs_dir
         blocks = int(exec_cmd(du_cmd).split()[0])
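Review bot: `name = os.path.basename(bootloader_path)` alone decides the file name inside `EFI/BOOT`, so two entries of `files` with the same base name silently overwrite each other, and an empty entry (the earlier `split(' ')` yields `''` for a double space) reaches `_sign_file` and `cp` with an empty name. Because this is the binary that is signed and then booted, I would validate each entry before signing, e.g. `if not bootloader_path or not os.path.isfile(bootloader_path): raise WicError("bootloader %s not found" % bootloader_path)`, and reject duplicate base names. The paths are resolved in the imager environment rather than in DEPLOY_DIR_IMAGE now, which a short comment above the loop should state. The method continues outside the hunk, and `_sign_file` is not visible here.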
diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
index 81fd4fe..72a6f8c 100644
--- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
@@ -1,5 +1,5 @@ 
 # EFI partition containing efibootguard bootloader binary
-part --source efibootguard-efi  --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi   --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
+include ebg-signed-bootloader.inc
 
 # EFI Boot Guard environment/config partitions plus Kernel files
 part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
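Review bot: The `signwith=/usr/bin/sign_secure_image.sh` source parameter for the EFI partition disappears from this file and is now expected to come from `ebg-signed-bootloader.inc`, which is not among the seven files in this patch's diffstat. If that include is not already in the tree the image build breaks; if it is, its `part` line should be checked to still carry `signwith=` and to use the renamed `files=` key rather than `bootloader=`, otherwise the secure-boot image may end up with an unsigned or unintended bootloader. Naming the commit or series that provides the include in the commit message would make this change reviewable on its own.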