This patch contains an example recipe, core-image-minimal-uki.bb, on how to use
the uki.bbclass. The recipe specifies the need for a config file to be passed to
SRC_URI if the UKI is to be signed. The config file simplifies the usage of the
class by allowing the user to organize, manage, and customize the settings for
signing the UKI (i.e. SecureBoot, PCR signing). See systemd Ukify documentation
for a detailed rundown of the syntax
(https://www.freedesktop.org/software/systemd/man/ukify.html). If the config
file is neither present nor specified in the recipe, the UKI will be unsigned when
built.

Signed-off-by: Michelle Lin <michelle.lint...@gmail.com>
---
 .../core-image-minimal-uki.bb                 | 11 +++++++++++
 .../core-image-minimal-uki.conf               | 19 +++++++++++++++++++
 2 files changed, 30 insertions(+)
 create mode 100644 meta/recipes-extended/core-image-minimal-uki/core-image-minimal-uki.bb
 create mode 100644 meta/recipes-extended/core-image-minimal-uki/core-image-minimal-uki/core-image-minimal-uki.conf

diff --git a/meta/recipes-extended/core-image-minimal-uki/core-image-minimal-uki.bb b/meta/recipes-extended/core-image-minimal-uki/core-image-minimal-uki.bb
new file mode 100644
index 0000000000..5cdf46a35c
--- /dev/null
+++ b/meta/recipes-extended/core-image-minimal-uki/core-image-minimal-uki.bb
@@ -0,0 +1,11 @@
+SUMMARY = "Overlake UKI creation with signing"
+
+require ../../recipes-core/images/core-image-minimal.bb
+inherit uki
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/core-image-minimal-uki:"
+
+# To sign the UKI, you must specify the path to the config file containing the 
key/cert filepaths for signing.
+# If SRC_URI doesn't specify the path to the config file, the UKI will build 
but remained unsigned.
+
+# SRC_URI:append = " file://core-image-minimal-uki.conf"
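Review bot: the SUMMARY "Overlake UKI creation with signing" names something unrelated to core-image-minimal and should describe the recipe, e.g. "core-image-minimal built as a signed Unified Kernel Image". With the SRC_URI:append line left commented out, the example as committed always produces an unsigned UKI and nothing flags that; consider either enabling the line (the .conf file ships next to the recipe) or documenting how to verify that the produced UKI actually carries a signature before it is deployed, since an unsigned image is otherwise only noticed when a Secure Boot enabled machine refuses to boot it. Minor: the comment "the UKI will build but remained unsigned" should read "remains unsigned", and `require recipes-core/images/core-image-minimal.bb` (resolved through BBPATH) is the conventional form rather than the `../../` relative path.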
diff --git a/meta/recipes-extended/core-image-minimal-uki/core-image-minimal-uki/core-image-minimal-uki.conf b/meta/recipes-extended/core-image-minimal-uki/core-image-minimal-uki/core-image-minimal-uki.conf
new file mode 100644
index 0000000000..6e331ff1ae
--- /dev/null
+++ b/meta/recipes-extended/core-image-minimal-uki/core-image-minimal-uki/core-image-minimal-uki.conf
@@ -0,0 +1,19 @@
+#
+# This file is your configuration file where settings for signing the UKI can 
be specified. 
+# You must specify the path to the proper paths to the key/cert files in order 
to sign the UKI. Otherwise, the image will be built unsigned.
+#
+# SecureBoot Signing
+#
+[UKI]
+SecureBootPrivateKey=<private-key>
+SecureBootCertificate=<certificate>
+#
+# PCR Signature
+#
+[PCRSignature:initrd]
+PCRPrivateKey=<private-key>
+PCRPublicKey=<public-key>
+
+[PCRSignature:system]
+PCRPrivateKey=<private-key>
+PCRPublicKey=<public-key>
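Review bot: the placeholders <private-key>, <certificate> and <public-key> are not valid paths, so a user who enables the SRC_URI line in the recipe without editing this file gets a ukify error instead of a signed image; the header comment should state explicitly that each placeholder must be replaced with the path to real key material, and that the private keys should be kept outside the layer (referenced by absolute path) rather than committed next to this file. Each [PCRSignature:...] section should also carry a Phases= line so it is clear which boot phases the initrd and system PCR policy signatures cover; the ukify manual linked in the commit message documents that key. Minor: "the path to the proper paths to the key/cert files" in the header comment reads awkwardly; "the paths to the key and certificate files" would do.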
-- 
2.34.1