Message-ID: <64b13300-e0d8-b362-e1d4-f90f91d7b84d@siemens.com>
Date: Fri, 3 Feb 2023 07:05:50 +0100
Subject: Re: [PATCH 06/10] add example to generated and distribute MOK data
To: Felix Moessbauer, isar-users@googlegroups.com
Cc: tobias.preclik@siemens.com, christian.storm@siemens.com
References: <20221223084058.1899957-1-felix.moessbauer@siemens.com> <20221223084058.1899957-7-felix.moessbauer@siemens.com>
From: Jan Kiszka
In-Reply-To: <20221223084058.1899957-7-felix.moessbauer@siemens.com>

On 23.12.22 09:40, Felix Moessbauer wrote:
> This patch adds two recipes to easily handle a Machine Owner Key (MOK)
> that can be used to sign kernel modules or other components.
>
> The sb-mok-keys package generates a x509 certificate at build time and
> adds both the certificate and the private key to a binary package.
> This is implemented in a way that the source package does not contain
> any keys, but only the binary package does. While this breaks
> reproducibility, this ensures that the keys never end up in a src
> repository.

It's still not usable in case of externally managed keys (security
tokens, trust centers etc.). This should be made clear, and we still
need to invent a pattern for such cases which are more common in production.

Jan

>
> A second package sb-mok-public is provided to distribute the generated
> key into the target image (to inject into EFI at runtime). This package
> build-depends on the sb-mok-keys, but conflicts at runtime to make sure
> that the private key cannot be installed into the target image (given
> that the -public package is installed).
> > Signed-off-by: Felix Moessbauer > --- > .../sb-mok-keys/files/Makefile.tmpl | 27 +++++++++++++++++++ > .../sb-mok-keys/sb-mok-keys.bb | 23 ++++++++++++++++ > .../sb-mok-public/files/rules | 12 +++++++++ > .../sb-mok-public/sb-mok-public.bb | 17 ++++++++++++ > 4 files changed, 79 insertions(+) > create mode 100644 meta-isar/recipes-secureboot/sb-mok-keys/files/Makefile.tmpl > create mode 100644 meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb > create mode 100644 meta-isar/recipes-secureboot/sb-mok-public/files/rules > create mode 100644 meta-isar/recipes-secureboot/sb-mok-public/sb-mok-public.bb > > diff --git a/meta-isar/recipes-secureboot/sb-mok-keys/files/Makefile.tmpl b/meta-isar/recipes-secureboot/sb-mok-keys/files/Makefile.tmpl > new file mode 100644 > index 0000000..b377c51 > --- /dev/null > +++ b/meta-isar/recipes-secureboot/sb-mok-keys/files/Makefile.tmpl > @@ -0,0 +1,27 @@ > +# Base image recipe for ISAR > +# > +# This software is a part of ISAR. > +# Copyright (C) 2022 Siemens AG > + > +CN=${COMMON_NAME} > + > +all: create_key > + > +create_key: > + mkdir MOK > + openssl req -new -x509 -newkey rsa:2048 -keyout MOK/MOK.priv -outform DER -out MOK/MOK.der -nodes -days 36500 -subj "/CN=$(CN)/" > + chmod 600 MOK/MOK.priv > + > +install: > + install -d $(DESTDIR)/etc/sb-mok-keys/MOK > + # note that this will later be changed by dh_fixperms > + # this is also required so that the non-privileged sbuild > + # user can read the file > + install -m 644 MOK/MOK.priv $(DESTDIR)/etc/sb-mok-keys/MOK/ > + install -m 644 MOK/MOK.der $(DESTDIR)/etc/sb-mok-keys/MOK/ > + > +clean: > +ifneq (,$(wildcard ./MOK/MOK.priv)) > + shred MOK/MOK.priv > +endif > + rm -rf MOK > diff --git a/meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb b/meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb > new file mode 100644 > index 0000000..6137834 > --- /dev/null > +++ b/meta-isar/recipes-secureboot/sb-mok-keys/sb-mok-keys.bb 
> @@ -0,0 +1,23 @@ > +# Base image recipe for ISAR > +# > +# This software is a part of ISAR. > +# Copyright (C) 2022 Siemens AG > + > +inherit dpkg > + > + > +SRC_URI = "file://Makefile.tmpl" > +S = "${WORKDIR}/src" > + > +TEMPLATE_VARS = "COMMON_NAME" > +TEMPLATE_FILES = "Makefile.tmpl" > + > +DEBIAN_BUILD_DEPENDS .= ",openssl" > +# common name of x509 certificate used for signing > +COMMON_NAME = "ISAR Builder" > + > +do_prepare_build[cleandirs] += "${S}/debian" > +do_prepare_build() { > + cp ${WORKDIR}/Makefile ${S} > + deb_debianize > +} > diff --git a/meta-isar/recipes-secureboot/sb-mok-public/files/rules b/meta-isar/recipes-secureboot/sb-mok-public/files/rules > new file mode 100644 > index 0000000..305b443 > --- /dev/null > +++ b/meta-isar/recipes-secureboot/sb-mok-public/files/rules > @@ -0,0 +1,12 @@ > +#!/usr/bin/make -f > +# Base image recipe for ISAR > +# > +# This software is a part of ISAR. > +# Copyright (C) 2022 Siemens AG > + > +%: > + dh $@ > + > +override_dh_install: > + install -d debian/sb-mok-public/etc/sb-mok-keys/MOK/ > + install -m 644 /etc/sb-mok-keys/MOK/MOK.der debian/sb-mok-public/etc/sb-mok-keys/MOK/MOK.der > diff --git a/meta-isar/recipes-secureboot/sb-mok-public/sb-mok-public.bb b/meta-isar/recipes-secureboot/sb-mok-public/sb-mok-public.bb > new file mode 100644 > index 0000000..46fdeed > --- /dev/null > +++ b/meta-isar/recipes-secureboot/sb-mok-public/sb-mok-public.bb > @@ -0,0 +1,17 @@ > +# Base image recipe for ISAR > +# > +# This software is a part of ISAR. > +# Copyright (C) 2022 Siemens AG > + > +inherit dpkg > + > +DEPENDS += "sb-mok-keys" > +DEBIAN_BUILD_DEPENDS .= ",sb-mok-keys" > +DEBIAN_CONFLICTS .= ",sb-mok-keys" > + > +SRC_URI = "file://rules" > + > +do_prepare_build[cleandirs] += "${S}/debian" > +do_prepare_build() { > + deb_debianize > +} -- Siemens AG, Technology Competence Center Embedded Linux
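
Review bot: in the install target of sb-mok-keys/files/Makefile.tmpl, "install -m 644 MOK/MOK.priv" places the private key world-readable in the package tree, and the comment above it says only that dh_fixperms will change this later, not to which mode. Please state the resulting mode in that comment, or set it explicitly after dh_fixperms, so a reader can verify who is able to read the key. In create_key the "chmod 600" runs after openssl has already written the file; setting "umask 077" in the same recipe line before "openssl req" closes that window, and "mkdir -p MOK" avoids a failure when the target is run again. The hard-coded "rsa:2048" and "-days 36500" would be easier to audit and to override as template variables, like COMMON_NAME.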
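
Review bot: sb-mok-keys/sb-mok-keys.bb has no description or comment saying that the resulting binary package contains an unencrypted private key generated at build time, and its header still reads "Base image recipe for ISAR". Please document in the recipe that this is an example for build-generated keys and does not cover externally managed ones, as raised in the reply above. The assignment COMMON_NAME = "ISAR Builder" is a hard one; a weak default ("?=") would let a downstream configuration set its own common name.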
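
Review bot: in sb-mok-public/files/rules, override_dh_install copies /etc/sb-mok-keys/MOK/MOK.der from whichever sb-mok-keys build is installed in the build environment, while Makefile.tmpl creates a fresh key on every build of sb-mok-keys. Nothing in this file ties the shipped certificate to the key that signs the modules, so a rebuild of sb-mok-keys can leave a stale sb-mok-public behind. Consider recording the certificate fingerprint during the build (for example as a log line in override_dh_install) so that a mismatch can be detected.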
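
Review bot: the line DEBIAN_CONFLICTS .= ",sb-mok-keys" in sb-mok-public/sb-mok-public.bb keeps the private key out of the target image only when sb-mok-public is installed, which the commit message itself notes. An image that omits sb-mok-public can still pull in sb-mok-keys; a check at image build time that fails when sb-mok-keys appears in the image package list would cover that case.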