diff mbox series

[isar-cip-core,09/19] efibootguard: Avoid rename linux.efi when signing it

Message ID 49780064267568514aa991e83602edc83ca2dbeb.1649834193.git.jan.kiszka@siemens.com (mailing list archive)
State New
Headers show
Series SWUpdate & EFI Boot Guard refactorings | expand

Commit Message

Jan Kiszka April 13, 2022, 7:16 a.m. UTC
From: Jan Kiszka <jan.kiszka@siemens.com>

This will simplify handling of secure vs. non-secure configurations.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---
 .../files/secure-boot/sw-description.tmpl     |  4 ++--
 recipes-core/images/secureboot.inc            |  2 +-
 .../swupdate.handler.efibootguard.ini         |  2 +-
 .../wic/plugins/source/efibootguard-boot.py   | 20 +++++++++----------
 4 files changed, 13 insertions(+), 15 deletions(-)
diff mbox series

Patch

diff --git a/recipes-core/images/files/secure-boot/sw-description.tmpl b/recipes-core/images/files/secure-boot/sw-description.tmpl
index f8e5375..7dc070a 100644
--- a/recipes-core/images/files/secure-boot/sw-description.tmpl
+++ b/recipes-core/images/files/secure-boot/sw-description.tmpl
@@ -23,8 +23,8 @@  software =
             };
     });
     files: ({
-            filename = "linux.signed.efi";
-            path = "linux.signed.efi";
+            filename = "linux.efi";
+            path = "linux.efi";
             type = "roundrobin";
             device = "sda4->BOOT0,sda5->BOOT1";
             filesystem = "vfat";
diff --git a/recipes-core/images/secureboot.inc b/recipes-core/images/secureboot.inc
index e01c834..6182080 100644
--- a/recipes-core/images/secureboot.inc
+++ b/recipes-core/images/secureboot.inc
@@ -18,4 +18,4 @@  TEMPLATE_FILES += "sw-description.tmpl"
 
 TEMPLATE_VARS += "ROOTFS_PARTITION_NAME"
 
-SWU_ADDITIONAL_FILES += "linux.signed.efi ${ROOTFS_PARTITION_NAME}"
+SWU_ADDITIONAL_FILES += "linux.efi ${ROOTFS_PARTITION_NAME}"
diff --git a/recipes-core/swupdate-handler-roundrobin/files/secureboot/swupdate.handler.efibootguard.ini b/recipes-core/swupdate-handler-roundrobin/files/secureboot/swupdate.handler.efibootguard.ini
index 4a109b7..b5e8070 100644
--- a/recipes-core/swupdate-handler-roundrobin/files/secureboot/swupdate.handler.efibootguard.ini
+++ b/recipes-core/swupdate-handler-roundrobin/files/secureboot/swupdate.handler.efibootguard.ini
@@ -13,4 +13,4 @@  method=getroot_rrmap
 key=root
 
 [kernel.bootenv]
-kernelfile=C:BOOT${rrindex}:linux.signed.efi
+kernelfile=C:BOOT${rrindex}:linux.efi
diff --git a/scripts/lib/wic/plugins/source/efibootguard-boot.py b/scripts/lib/wic/plugins/source/efibootguard-boot.py
index 4291dc2..909e629 100644
--- a/scripts/lib/wic/plugins/source/efibootguard-boot.py
+++ b/scripts/lib/wic/plugins/source/efibootguard-boot.py
@@ -215,23 +215,21 @@  class EfibootguardBootPlugin(SourcePlugin):
                 uefi_kernel_file=uefi_kernel_file)
         exec_cmd(objcopy_cmd)
 
-        return cls._sign_file(name=uefi_kernel_name,
-                              signee=uefi_kernel_file,
-                              deploy_dir=deploy_dir,
-                              source_params=source_params)
+        cls._sign_file(signee=uefi_kernel_file, source_params=source_params)
+
+        return uefi_kernel_name
 
     @classmethod
-    def _sign_file(cls, name, signee, deploy_dir, source_params):
+    def _sign_file(cls, signee, source_params):
         sign_script = source_params.get("signwith")
         if sign_script and os.path.exists(sign_script):
             msger.info("sign with script %s", sign_script)
-            name = name.replace(".efi", ".signed.efi")
-            sign_cmd = "{sign_script} {signee} {deploy_dir}/{name}"\
-                .format(sign_script=sign_script, signee=signee,
-                        deploy_dir=deploy_dir, name=name)
+            orig_signee = signee + ".unsigned"
+            os.rename(signee, orig_signee)
+            sign_cmd = "{sign_script} {orig_signee} {signee}"\
+                .format(sign_script=sign_script, orig_signee=orig_signee,
+                        signee=signee)
             exec_cmd(sign_cmd)
         elif sign_script and not os.path.exists(sign_script):
             msger.error("Could not find script %s", sign_script)
             exit(1)
-
-        return name