From: "'Quirin Gylstorff' via isar-users"
To: isar-users@googlegroups.com
Subject: [PATCH 2/2] wic/plugins/bootimg-efi-isar: Add option to sign systemd bootloader and kernel
Date: Thu, 20 Nov 2025 11:12:46 +0100
Message-ID: <20251120101510.2530415-2-Quirin.Gylstorff@siemens.com>
In-Reply-To: <20251120101510.2530415-1-Quirin.Gylstorff@siemens.com>
References: <20251120101510.2530415-1-Quirin.Gylstorff@siemens.com>

From: Quirin Gylstorff

This allows generating a signed installer image.

Signed-off-by: Quirin Gylstorff
---
 .../lib/wic/plugins/source/bootimg-efi-isar.py | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/meta/scripts/lib/wic/plugins/source/bootimg-efi-isar.py b/meta/scripts/lib/wic/plugins/source/bootimg-efi-isar.py index 661dcbb4..fd4d6017 100644 --- a/meta/scripts/lib/wic/plugins/source/bootimg-efi-isar.py +++ b/meta/scripts/lib/wic/plugins/source/bootimg-efi-isar.py @@ -310,6 +310,20 @@ class BootimgEFIPlugin(SourcePlugin): logger.debug("Payload directory: %s", payload_dir) shutil.copytree(payload_dir, iso_dir, symlinks=True, dirs_exist_ok=True) + @classmethod + def _sign_file(cls, signee, source_params): + sign_script = source_params.get("signwith") + if sign_script and os.path.exists(sign_script): + logger.info("sign with script %s", sign_script) + orig_signee = signee + ".unsigned" + os.rename(signee, orig_signee) + sign_cmd = "{sign_script} {orig_signee} {signee}"\ + .format(sign_script=sign_script, orig_signee=orig_signee, + signee=signee) + exec_cmd(sign_cmd) + elif sign_script and not os.path.exists(sign_script): + logger.error("Could not find script %s", sign_script) + exit(1) @classmethod def do_prepare_partition(cls, part, source_params, creator, cr_workdir, @@ -406,6 +420,8 @@ class BootimgEFIPlugin(SourcePlugin): install_cmd = isar_populate_boot_cmd(rootfs_dir['ROOTFS_DIR'], hdddir) exec_cmd(install_cmd) + for mod in [x for x in os.listdir(hdddir) if x.startswith("vmlinu")]: + cls._sign_file(f"{hdddir}/{mod}", source_params) cls._install_payload(source_params, hdddir) 
@@ -488,6 +504,7 @@ class BootimgEFIPlugin(SourcePlugin): target = target[:-7] cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (kernel_dir, mod, hdddir, target) exec_cmd(cp_cmd, True) + cls._sign_file(f"{hdddir}/EFI/BOOT/{mod[8:]}", source_params) kernel_dir = kernel_dir_orig else: -- 2.51.2 -- You received this message because you are subscribed to the Google Groups "isar-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/isar-users/20251120101510.2530415-2-Quirin.Gylstorff%40siemens.com.
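Review bot: In the first hunk (_sign_file), the original is renamed to signee + ".unsigned" inside hdddir and never removed, so the unsigned binary stays in the boot partition contents next to the signed one, and nothing checks that the script actually wrote signee before the build carries on. Suggest signing from a temporary location outside hdddir (or deleting orig_signee afterwards) and failing the build if signee does not exist once exec_cmd returns. Smaller points: sign_cmd is assembled from unquoted paths, so a path containing whitespace would not survive as a single argument; the second condition can be just "elif sign_script:"; raising an exception suits a plugin classmethod better than exit(1); a blank line is missing before the following @classmethod; and the new signwith source parameter is not documented anywhere in this patch.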
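Review bot: In the second hunk (do_prepare_partition, after isar_populate_boot_cmd), the x.startswith("vmlinu") filter hands every top-level entry of hdddir with that prefix to _sign_file, which would also match a vmlinuz.unsigned left behind by _sign_file itself if this directory is processed again, or any non-kernel file sharing the prefix. Suggest skipping names that end in ".unsigned", checking os.path.isfile before signing, and building the path with os.path.join instead of an f-string. It would also be cheaper to test source_params.get("signwith") once before the loop rather than on every call.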
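Review bot: In the third hunk, the file is copied to EFI/BOOT under the name in target, but the signing call rebuilds the name as mod[8:], and the context line "target = target[:-7]" shows the two can differ. When that truncation has been applied, _sign_file is pointed at a path that was never created and the os.rename inside it will fail. Suggest passing the same name that cp used, i.e. cls._sign_file(f"{hdddir}/EFI/BOOT/{target}", source_params), which also removes the unexplained slice.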