[oe-commits] [openembedded-core] 10/11: ovmf: Generate test Platform key and first Key Exchange Key

git at git.openembedded.org git at git.openembedded.org
Thu Aug 8 09:27:22 UTC 2019



rpurdie pushed a commit to branch master-next
in repository openembedded-core.

commit daaf9d7bd8c3586609ab0eccf49af38dbdb0b02e
Author: Ricardo Neri <ricardo.neri-calderon at linux.intel.com>
AuthorDate: Tue Jul 30 18:28:29 2019 -0400

    ovmf: Generate test Platform key and first Key Exchange Key
    
    Commit from EDK2 be9470b3c91f ("OvmfPkg/EnrollDefaultKeys: enroll
    PK/KEK1 from the Type 11 SMBIOS table") mandates that a Platform Key
    and first Key Exchange Key certificate is provided to the
    EnrollDefaultKeys application.
    
    Previously, the application was using a hard-coded certificate
    from Red Hat embedded in the application.
    
    Create a certificate that QEMU can subsequently pass to
    EnrollDefaultKeys when running qemu-shell-image.
    
    Cc: Ross Burton <ross.burton at intel.com>
    Cc: Patrick Ohly <patrick.ohly at intel.com>
    Cc: Alexander Kanavin <alex.kanavin at gmail.com>
    Signed-off-by: Ricardo Neri <ricardo.neri-calderon at linux.intel.com>
---
 meta/recipes-core/ovmf/ovmf_git.bb | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index 834ee32..7944ee9 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -217,6 +217,7 @@ FILES_ovmf-shell-efi = " \
 
 DEPLOYDEP = ""
 DEPLOYDEP_class-target = "qemu-system-native:do_populate_sysroot"
+DEPLOYDEP_class-target += " ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'openssl-native:do_populate_sysroot', '', d)}"
 do_deploy[depends] += "${DEPLOYDEP}"
 
 do_deploy() {
@@ -232,6 +233,13 @@ do_deploy_class-target() {
         ; do
         qemu-img convert -f raw -O qcow2 ${WORKDIR}/ovmf/$i.fd ${DEPLOYDIR}/$i.qcow2
     done
+
+    if ${@bb.utils.contains('PACKAGECONFIG', 'secureboot', 'true', 'false', d)}; then
+        # Create a test Platform Key and first Key Exchange Key to use with EnrollDefaultKeys
+        openssl req -new -x509 -newkey rsa:2048 -keyout ${DEPLOYDIR}/OvmfPkKek1.key \
+                -out ${DEPLOYDIR}/OvmfPkKek1.crt -nodes -days 20 -subj "/CN=OVMFSecBootTest"
+        openssl x509 -in ${DEPLOYDIR}/OvmfPkKek1.crt -out ${DEPLOYDIR}/OvmfPkKek1.pem -outform PEM
+    fi
 }
 addtask do_deploy after do_compile before do_build
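Review bot: The added `openssl req` call in do_deploy_class-target writes the unencrypted private key (`-nodes`) to `${DEPLOYDIR}/OvmfPkKek1.key`, so it sits beside the firmware images and travels wherever the deploy directory is published or cached. Nothing visible in this hunk uses the key once the self-signed certificate exists, so consider keeping it out of the deploy output, e.g. `-keyout ${WORKDIR}/OvmfPkKek1.key`, or at least extend the comment to say the key is throw-away and must never be enrolled on a production image. `-days 20` also means a deploy artifact reused more than 20 days after the build carries an expired certificate; whether EnrollDefaultKeys or later verification checks validity is not visible here, so a short comment explaining the choice would help. The function body starts outside the hunk.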
 
