Message ID | 20220218152842.1031311-1-Quirin.Gylstorff@siemens.com (mailing list archive) |
---|---|
State | New |
Series | [isar-cip-core,v3] efibootguard: Do not copy the efi binaries directly into DEPLOY_DIR | expand |
On 18.02.22 16:28, Q. Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> This patch prepares isar-cip-core to integrate the ISAR features
> sstate and the upcoming sbuild feature. The features introduce the
> following changes:
> - Sbuild doesn't easily allow the extraction of build results
> - sstate doesn't populate the DEPLOY_DIR from packages in case of a rebuild.
>
>
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> Changes v2:
> - use distro_arch to determine binary name
> - remove additional debug message
> - remove deploydir
>
> Changes v3:
> - add dictionary to map between DISTRO_ARCH and efi architecture idenitifer
> - remove handling of source_param `files`
> - reword commit message
>
> kas/opt/efibootguard.yml | 1 +
> .../efibootguard/efibootguard_0.9-git+isar.bb | 5 ---
> .../files/debian/efibootguard.install | 1 +
> .../files/debian/efibootguard.links | 1 +
> .../wic/plugins/source/efibootguard-boot.py | 3 +-
> .../wic/plugins/source/efibootguard-efi.py | 39 ++++++++++---------
> wic/qemu-amd64-efibootguard-secureboot.wks.in | 2 +-
> 7 files changed, 25 insertions(+), 27 deletions(-)
> create mode 100644 recipes-bsp/efibootguard/files/debian/efibootguard.links
>
> diff --git a/kas/opt/efibootguard.yml b/kas/opt/efibootguard.yml
> index 75d4ab1..f5f9169 100644
> --- a/kas/opt/efibootguard.yml
> +++ b/kas/opt/efibootguard.yml
> @@ -21,6 +21,7 @@ local_conf_header:
> SWUPDATE_BOOTLOADER = "efibootguard"
>
> efibootguard-wic: |
> + WIC_IMAGER_INSTALL_append = " efibootguard"
> WDOG_TIMEOUT ?= "60"
> WICVARS += "WDOG_TIMEOUT KERNEL_IMAGE INITRD_IMAGE"
> IMAGE_FSTYPES ?= "wic-img"
> diff --git a/recipes-bsp/efibootguard/efibootguard_0.9-git+isar.bb b/recipes-bsp/efibootguard/efibootguard_0.9-git+isar.bb
> index 2817e5b..171d8d4 100644
> --- a/recipes-bsp/efibootguard/efibootguard_0.9-git+isar.bb
> +++ b/recipes-bsp/efibootguard/efibootguard_0.9-git+isar.bb
> @@ -39,8 +39,3 @@ do_prepare_build() {
> deb_add_changelog
> }
>
> -dpkg_runbuild_append() {
> - install -m 0755 -d ${DEPLOY_DIR_IMAGE}
> - install -m 0755 ${S}/efibootguardx64.efi ${DEPLOY_DIR_IMAGE}/bootx64.efi
> - install -m 0755 ${S}/bg_setenv ${DEPLOY_DIR_IMAGE}/bg_setenv
> -}
> diff --git a/recipes-bsp/efibootguard/files/debian/efibootguard.install b/recipes-bsp/efibootguard/files/debian/efibootguard.install
> index 8a8d9d3..0239953 100644
> --- a/recipes-bsp/efibootguard/files/debian/efibootguard.install
> +++ b/recipes-bsp/efibootguard/files/debian/efibootguard.install
> @@ -1,2 +1,3 @@
> bg_setenv usr/bin
> bg_printenv usr/bin
> +efibootguardx64.efi usr/share/efibootguard
> diff --git a/recipes-bsp/efibootguard/files/debian/efibootguard.links b/recipes-bsp/efibootguard/files/debian/efibootguard.links
> new file mode 100644
> index 0000000..97bab21
> --- /dev/null
> +++ b/recipes-bsp/efibootguard/files/debian/efibootguard.links
> @@ -0,0 +1 @@
> +usr/share/efibootguard/efibootguardx64.efi usr/share/efibootguard/bootx64.efi
> diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py
> index 882729a..05cef4e 100644
> --- a/scripts/lib/wic/plugins/source/efibootguard-boot.py
> +++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py
> @@ -111,9 +111,8 @@ class EfibootguardBootPlugin(SourcePlugin):
>
> cwd = os.getcwd()
> os.chdir(part_rootfs_dir)
> - config_cmd = '%s/bg_setenv -f . -k "C:%s:%s" %s -r %s -w %s' \
> + config_cmd = '/usr/bin/bg_setenv -f . -k "C:%s:%s" %s -r %s -w %s' \
> % (
> - deploy_dir,
> part.label.upper(),
> boot_image,
> '-a "%s"' % cmdline if cmdline else "",
> diff --git a/scripts/lib/wic/plugins/source/efibootguard-efi.py b/scripts/lib/wic/plugins/source/efibootguard-efi.py
> index 9eb2353..858fcbf 100644
> --- a/scripts/lib/wic/plugins/source/efibootguard-efi.py
> +++ b/scripts/lib/wic/plugins/source/efibootguard-efi.py
> @@ -51,31 +51,32 @@ class EfibootguardEFIPlugin(SourcePlugin):
> populate an EFI boot partition containing the EFI Boot Guard
> bootloader binary.
> """
> - deploy_dir = get_bitbake_var("DEPLOY_DIR_IMAGE")
> - creator.deploy_dir = deploy_dir
> - bootloader_files = source_params.get("bootloader")
> - if not bootloader_files:
> - bootloader_files = "bootx64.efi"
> - bootloader_files = bootloader_files.split(' ')
> + # we need to map the distro_arch to uefi values
> + distro_to_efi_arch = {
> + "amd64": "x64",
> + "arm64": "aarch64",
> + "i386": "ia32"
> + }
> +
> + distro_arch = get_bitbake_var("DISTRO_ARCH")
> + bootloader = "/usr/share/efibootguard/boot{}.efi".format(
> + distro_to_efi_arch[distro_arch])
> part_rootfs_dir = "%s/disk/%s.%s" % (cr_workdir,
> part.label,
> part.lineno)
> create_dir_cmd = "install -d %s/EFI/BOOT" % part_rootfs_dir
> exec_cmd(create_dir_cmd)
>
> - for bootloader in bootloader_files:
> - signed_bootloader = cls._sign_file(bootloader,
> - "{}/{}".format(deploy_dir,
> - bootloader
> - ),
> - cr_workdir,
> - source_params)
> - # important the bootloader in deploy_dir is no longer signed
> - cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (cr_workdir,
> - signed_bootloader,
> - part_rootfs_dir,
> - bootloader)
> - exec_cmd(cp_cmd, True)
> + name = os.path.basename(bootloader)
> + signed_bootloader = cls._sign_file(name,
> + bootloader,
> + cr_workdir,
> + source_params)
> + cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (cr_workdir,
> + signed_bootloader,
> + part_rootfs_dir,
> + name)
> + exec_cmd(cp_cmd, True)
> du_cmd = "du --apparent-size -ks %s" % part_rootfs_dir
> blocks = int(exec_cmd(du_cmd).split()[0])
>
> diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
> index 81fd4fe..72a6f8c 100644
> --- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
> +++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
> @@ -1,5 +1,5 @@
> # EFI partition containing efibootguard bootloader binary
> -part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
> +include ebg-signed-bootloader.inc
>
> # EFI Boot Guard environment/config partitions plus Kernel files
> part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
Thanks, applied. Jan
diff --git a/kas/opt/efibootguard.yml b/kas/opt/efibootguard.yml
index 75d4ab1..f5f9169 100644
--- a/kas/opt/efibootguard.yml
+++ b/kas/opt/efibootguard.yml
@@ -21,6 +21,7 @@ local_conf_header:
 SWUPDATE_BOOTLOADER = "efibootguard"

 efibootguard-wic: |
+ WIC_IMAGER_INSTALL_append = " efibootguard"
 WDOG_TIMEOUT ?= "60"
 WICVARS += "WDOG_TIMEOUT KERNEL_IMAGE INITRD_IMAGE"
 IMAGE_FSTYPES ?= "wic-img"
diff --git a/recipes-bsp/efibootguard/efibootguard_0.9-git+isar.bb b/recipes-bsp/efibootguard/efibootguard_0.9-git+isar.bb
index 2817e5b..171d8d4 100644
--- a/recipes-bsp/efibootguard/efibootguard_0.9-git+isar.bb
+++ b/recipes-bsp/efibootguard/efibootguard_0.9-git+isar.bb
@@ -39,8 +39,3 @@ do_prepare_build() {
 deb_add_changelog
 }

-dpkg_runbuild_append() {
- install -m 0755 -d ${DEPLOY_DIR_IMAGE}
- install -m 0755 ${S}/efibootguardx64.efi ${DEPLOY_DIR_IMAGE}/bootx64.efi
- install -m 0755 ${S}/bg_setenv ${DEPLOY_DIR_IMAGE}/bg_setenv
-}
diff --git a/recipes-bsp/efibootguard/files/debian/efibootguard.install b/recipes-bsp/efibootguard/files/debian/efibootguard.install
index 8a8d9d3..0239953 100644
--- a/recipes-bsp/efibootguard/files/debian/efibootguard.install
+++ b/recipes-bsp/efibootguard/files/debian/efibootguard.install
@@ -1,2 +1,3 @@
 bg_setenv usr/bin
 bg_printenv usr/bin
+efibootguardx64.efi usr/share/efibootguard
diff --git a/recipes-bsp/efibootguard/files/debian/efibootguard.links b/recipes-bsp/efibootguard/files/debian/efibootguard.links
new file mode 100644
index 0000000..97bab21
--- /dev/null
+++ b/recipes-bsp/efibootguard/files/debian/efibootguard.links
@@ -0,0 +1 @@
+usr/share/efibootguard/efibootguardx64.efi usr/share/efibootguard/bootx64.efi
diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py
index 882729a..05cef4e 100644
--- a/scripts/lib/wic/plugins/source/efibootguard-boot.py
+++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py
@@ -111,9 +111,8 @@ class EfibootguardBootPlugin(SourcePlugin):

 cwd = os.getcwd()
 os.chdir(part_rootfs_dir)
- config_cmd = '%s/bg_setenv -f . -k "C:%s:%s" %s -r %s -w %s' \
+ config_cmd = '/usr/bin/bg_setenv -f . -k "C:%s:%s" %s -r %s -w %s' \
 % (
- deploy_dir,
 part.label.upper(),
 boot_image,
 '-a "%s"' % cmdline if cmdline else "",
diff --git a/scripts/lib/wic/plugins/source/efibootguard-efi.py b/scripts/lib/wic/plugins/source/efibootguard-efi.py
index 9eb2353..858fcbf 100644
--- a/scripts/lib/wic/plugins/source/efibootguard-efi.py
+++ b/scripts/lib/wic/plugins/source/efibootguard-efi.py
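Review bot: In efibootguard-boot.py, `config_cmd` is still assembled as one string with hand-written double quotes around the interpolated values (`-k "C:%s:%s"` and `'-a "%s"' % cmdline`), so a kernel command line containing `"`, `$` or a backtick would be split or expanded if the string is run through a shell. The call that executes `config_cmd` and the rest of the argument tuple are outside this hunk, so whether a shell is involved is an assumption to confirm. If it is, quoting each value, e.g. `'-a %s' % shlex.quote(cmdline) if cmdline else ""` (needs `import shlex`), keeps the arguments intact. A short comment above the now hard-coded `/usr/bin/bg_setenv`, stating that it is expected to come from the efibootguard package installed in the imager environment, would also document the new dependency.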
@@ -51,31 +51,32 @@ class EfibootguardEFIPlugin(SourcePlugin):
 populate an EFI boot partition containing the EFI Boot Guard
 bootloader binary.
 """
- deploy_dir = get_bitbake_var("DEPLOY_DIR_IMAGE")
- creator.deploy_dir = deploy_dir
- bootloader_files = source_params.get("bootloader")
- if not bootloader_files:
- bootloader_files = "bootx64.efi"
- bootloader_files = bootloader_files.split(' ')
+ # we need to map the distro_arch to uefi values
+ distro_to_efi_arch = {
+ "amd64": "x64",
+ "arm64": "aarch64",
+ "i386": "ia32"
+ }
+
+ distro_arch = get_bitbake_var("DISTRO_ARCH")
+ bootloader = "/usr/share/efibootguard/boot{}.efi".format(
+ distro_to_efi_arch[distro_arch])
 part_rootfs_dir = "%s/disk/%s.%s" % (cr_workdir,
 part.label,
 part.lineno)
 create_dir_cmd = "install -d %s/EFI/BOOT" % part_rootfs_dir
 exec_cmd(create_dir_cmd)

- for bootloader in bootloader_files:
- signed_bootloader = cls._sign_file(bootloader,
- "{}/{}".format(deploy_dir,
- bootloader
- ),
- cr_workdir,
- source_params)
- # important the bootloader in deploy_dir is no longer signed
- cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (cr_workdir,
- signed_bootloader,
- part_rootfs_dir,
- bootloader)
- exec_cmd(cp_cmd, True)
+ name = os.path.basename(bootloader)
+ signed_bootloader = cls._sign_file(name,
+ bootloader,
+ cr_workdir,
+ source_params)
+ cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (cr_workdir,
+ signed_bootloader,
+ part_rootfs_dir,
+ name)
+ exec_cmd(cp_cmd, True)
 du_cmd = "du --apparent-size -ks %s" % part_rootfs_dir
 blocks = int(exec_cmd(du_cmd).split()[0])

diff --git a/wic/qemu-amd64-efibootguard-secureboot.wks.in b/wic/qemu-amd64-efibootguard-secureboot.wks.in
index 81fd4fe..72a6f8c 100644
--- a/wic/qemu-amd64-efibootguard-secureboot.wks.in
+++ b/wic/qemu-amd64-efibootguard-secureboot.wks.in
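Review bot: In efibootguard-efi.py, `distro_to_efi_arch[distro_arch]` raises a bare KeyError when DISTRO_ARCH is not in the map or `get_bitbake_var` returns nothing, so an unsupported architecture ends in a traceback instead of a clear build error. A guarded lookup such as `efi_arch = distro_to_efi_arch.get(distro_arch)` followed by `if efi_arch is None:` and an explicit error naming the architecture (a `WicError`, if this plugin imports it, which is not visible here) would be clearer. The packaging hunks in this patch install only `efibootguardx64.efi` and link only `bootx64.efi`, so the `arm64` and `i386` entries point at files the package as shown does not ship. Because the file at this absolute path is what gets passed to `_sign_file` for the secure-boot image, a comment stating that it must come from the efibootguard package installed in the imager environment would document where the signed binary originates. The method starts and ends outside the hunk.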
@@ -1,5 +1,5 @@
 # EFI partition containing efibootguard bootloader binary
-part --source efibootguard-efi --ondisk sda --size 16M --extra-space 0 --overhead-factor 1 --label efi --align 1024 --part-type=EF00 --active --sourceparams "signwith=/usr/bin/sign_secure_image.sh"
+include ebg-signed-bootloader.inc

 # EFI Boot Guard environment/config partitions plus Kernel files
 part --source efibootguard-boot --ondisk sda --size 32M --extra-space 0 --overhead-factor 1 --label BOOT0 --align 1024 --part-type=0700 --sourceparams "revision=2,unified-kernel=y,signwith=/usr/bin/sign_secure_image.sh"
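Review bot: `ebg-signed-bootloader.inc` is not among the seven files in this patch's diffstat, so the EFI partition definition that the new `include` line relies on cannot be checked here. Presumably the file already exists in the tree; it is worth confirming that it still defines the partition with `--part-type=EF00 --active` and the same `signwith=/usr/bin/sign_secure_image.sh` source parameter as the removed `part` line, since otherwise the secure-boot image would be built with an unsigned bootloader. The commit message does not mention this change, so one line in the description explaining why the explicit `part` entry was replaced would help.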