meta-efi-secure-boot: switch from EFI_BOOT_PATH to EFI_FILES_PATH

meta-efi-secure-boot/recipes-bsp/efitools/efitools.inc

@@ -43,6 +43,7 @@ COMPATIBLE_HOST = '(i.86|x86_64|aarch64).*-linux'
 S = "${WORKDIR}/git"
 
 inherit perlnative
+require conf/image-uefi.conf
 
 EXTRA_OEMAKE = "\
     OPENSSL='${STAGING_BINDIR_NATIVE}/openssl' \
@@ -57,8 +58,6 @@ EXTRA_OEMAKE:append:x86 = " ARCH=ia32"
 EXTRA_OEMAKE:append:x86-64 = " ARCH=x86_64"
 EXTRA_OEMAKE:append:aarch64 = " ARCH=aarch64"
 
-EFI_BOOT_PATH = "/boot/efi/EFI/BOOT"
-
 do_compile:prepend() {
     sed -i -e "1s:#!.*:#!/usr/bin/env nativeperl:" xxdi.pl 
 }
@@ -72,15 +71,15 @@ fakeroot python do_sign:class-target() {
         return
 
     image_dir = d.getVar('D')
-    efi_boot_path = d.getVar('EFI_BOOT_PATH')
-    uks_boot_sign(os.path.join(image_dir + efi_boot_path, 'LockDown.efi'), d)
+    efi_files_path = d.getVar('EFI_FILES_PATH')
+    uks_boot_sign(os.path.join(image_dir + efi_files_path, 'LockDown.efi'), d)
 }
 addtask sign after do_install before do_deploy do_package
 do_sign[prefuncs] += "${@'check_boot_public_key' if d.getVar('GRUB_SIGN_VERIFY') == '1' else ''}"
 
 fakeroot python do_sign() {
 }
 
-FILES:${PN} += "${EFI_BOOT_PATH}"
+FILES:${PN} += "${EFI_FILES_PATH}"
 
 SSTATE_ALLOW_OVERLAP_FILES += "${DEPLOY_DIR_IMAGE}/LockDown.efi"

meta-efi-secure-boot/recipes-bsp/efitools/efitools_1.9.2.bb

@@ -57,19 +57,19 @@ do_prepare_signing_keys[prefuncs] += "check_deploy_keys"
 
 do_install:append() {
     if [ x"${UEFI_SB}" = x"1" ]; then
-        install -d ${D}${EFI_BOOT_PATH}
-        install -m 0755 ${D}${datadir}/efitools/efi/LockDown.efi ${D}${EFI_BOOT_PATH}
+        install -d ${D}${EFI_FILES_PATH}
+        install -m 0755 ${D}${datadir}/efitools/efi/LockDown.efi ${D}${EFI_FILES_PATH}
     fi
 }
 
 do_deploy() {
     install -d ${DEPLOYDIR}
 
-    if [ -e ${D}${EFI_BOOT_PATH}/LockDown.efi ] ; then
-        install -m 0600 ${D}${EFI_BOOT_PATH}/LockDown.efi "${DEPLOYDIR}"
+    if [ -e ${D}${EFI_FILES_PATH}/LockDown.efi ] ; then
+        install -m 0600 ${D}${EFI_FILES_PATH}/LockDown.efi "${DEPLOYDIR}"
     fi
-    if [ -e ${D}${EFI_BOOT_PATH}/LockDown.efi.sig ] ; then
-        install -m 0600 ${D}${EFI_BOOT_PATH}/LockDown.efi.sig "${DEPLOYDIR}"
+    if [ -e ${D}${EFI_FILES_PATH}/LockDown.efi.sig ] ; then
+        install -m 0600 ${D}${EFI_FILES_PATH}/LockDown.efi.sig "${DEPLOYDIR}"
     fi
 }
 addtask deploy after do_install before do_build

meta-efi-secure-boot/recipes-bsp/grub/grub-bootconf-efi-secure-boot.inc

@@ -0,0 +1,34 @@
+# Set a default root specifier.
+inherit user-key-store
+
+python do_sign:prepend:class-target() {
+    bb.build.exec_func("check_deploy_keys", d)
+    if d.getVar('GRUB_SIGN_VERIFY') == '1':
+        bb.build.exec_func("check_boot_public_key", d)
+}
+
+fakeroot python do_sign:class-target() {
+    image_dir = d.getVar('D')
+    efi_files_path = d.getVar('EFI_FILES_PATH')
+    dir = image_dir + efi_files_path + '/'
+
+    uks_bl_sign(dir + 'grub.cfg', d)
+}
+
+python do_sign() {
+}
+
+addtask sign after do_install before do_deploy do_package
+
+fakeroot do_chownboot() {
+    chown root:root -R "${D}${EFI_FILES_PATH}/grub.cfg${SB_FILE_EXT}"
+}
+
+addtask chownboot after do_deploy before do_package
+
+do_deploy:append:class-target() {
+    # Deploy the stacked grub configs.
+    install -m 0600 "${D}${EFI_FILES_PATH}/grub.cfg${SB_FILE_EXT}" "${DEPLOYDIR}"
+}
+
+FILES:${PN} += "${EFI_FILES_PATH}/grub.cfg${SB_FILE_EXT}"

meta-efi-secure-boot/recipes-bsp/grub/grub-bootconf_%.bbappend

@@ -0,0 +1,22 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/grub-bootconf:"
+
+SRC_URI:append:class-target = " \
+    file://grub-efi.cfg \
+"
+
+inherit deploy
+require ${@bb.utils.contains('DISTRO_FEATURES', 'efi-secure-boot', 'grub-bootconf-efi-secure-boot.inc', '', d)}
+
+do_install:append() {
+    rm ${D}${EFI_FILES_PATH}/grub.cfg
+    install -m 0600 "${UNPACKDIR}/grub-efi.cfg" "${D}${EFI_FILES_PATH}/grub.cfg"
+}
+
+do_deploy() {
+    # Deploy the stacked grub configs.
+    install -m 0600 "${D}${EFI_FILES_PATH}/grub.cfg" "${DEPLOYDIR}"
+}
+
+addtask deploy after do_install before do_package
+
+CONFFILES:${PN} += "${EFI_FILES_PATH}/grub.cfg"

meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc

@@ -20,7 +20,6 @@ GRUB_MOKVERIFY_PATCH = " \
 SRC_URI:append:class-target = " \
     file://0001-Add-efivar-module-to-read-EFI-variables.patch \
     file://0002-grub-verify-Add-strict_security-variable.patch \
-    file://grub-efi.cfg \
     file://boot-menu.inc \
     ${@d.getVar('GRUB_MOKVERIFY_PATCH') if d.getVar('UEFI_SELOADER') == '1' else ''} \
     ${EXTRA_SRC_URI} \
@@ -30,7 +29,6 @@ SRC_URI:append:class-target = " \
 COMPATIBLE_HOST:aarch64 = 'null'
 
 GRUB_PREFIX_DIR ?= "/EFI/BOOT"
-EFI_BOOT_PATH ?= "/boot/efi/EFI/BOOT"
 
 GRUB_SECURE_BOOT_MODULES += "${@'efivar password_pbkdf2 ' if d.getVar('UEFI_SB') == '1' else ''}"
 
@@ -118,37 +116,36 @@ do_install:append:class-target() {
     }
 
     # Install the stacked grub configs.
-    install -d "${D}${EFI_BOOT_PATH}"
-    install -m 0600 "${UNPACKDIR}/grub-efi.cfg" "${D}${EFI_BOOT_PATH}/grub.cfg"
-    install -m 0600 "$menu" "${D}${EFI_BOOT_PATH}"
+    install -d "${D}${EFI_FILES_PATH}"
+    install -m 0600 "$menu" "${D}${EFI_FILES_PATH}"
     [ x"${UEFI_SB}" = x"1" ] && {
-        install -m 0600 "${UNPACKDIR}/efi-secure-boot.inc" "${D}${EFI_BOOT_PATH}"
-        install -m 0600 "${UNPACKDIR}/password.inc" "${D}${EFI_BOOT_PATH}"
+        install -m 0600 "${UNPACKDIR}/efi-secure-boot.inc" "${D}${EFI_FILES_PATH}"
+        install -m 0600 "${UNPACKDIR}/password.inc" "${D}${EFI_FILES_PATH}"
     }
 
     # Create the initial environment block with empty item.
-    grub-editenv "${D}${EFI_BOOT_PATH}/grubenv" create
+    grub-editenv "${D}${EFI_FILES_PATH}/grubenv" create
 
-    install -d "${D}${EFI_BOOT_PATH}/${GRUB_TARGET}-efi"
+    install -d "${D}${EFI_FILES_PATH}/${GRUB_TARGET}-efi"
     grub-mkimage -c ../cfg -p "${GRUB_PREFIX_DIR}" -d "./grub-core" \
         -O "${GRUB_TARGET}-efi" -o "${B}/${GRUB_IMAGE}" \
         ${GRUB_BUILDIN} ${GRUB_SECURE_BUILDIN}
 
-    install -m 0644 "${B}/${GRUB_IMAGE}" "${D}${EFI_BOOT_PATH}/${GRUB_IMAGE}"
+    install -m 0644 "${B}/${GRUB_IMAGE}" "${D}${EFI_FILES_PATH}/${GRUB_IMAGE}"
 
     # Install the modules to grub-efi's search path
-    oe_runmake -C grub-core install DESTDIR="${D}${EFI_BOOT_PATH}" pkglibdir=""
+    oe_runmake -C grub-core install DESTDIR="${D}${EFI_FILES_PATH}" pkglibdir=""
 
     # Remove build host references
-    find "${D}${EFI_BOOT_PATH}" -name modinfo.sh -type f -exec \
+    find "${D}${EFI_FILES_PATH}" -name modinfo.sh -type f -exec \
         sed -i \
         -e 's,--sysroot=${STAGING_DIR_TARGET},,g' \
         -e 's|${DEBUG_PREFIX_MAP}||g' \
         -e 's:${RECIPE_SYSROOT_NATIVE}::g' \
         {} +
 
     # Remove .module
-    rm -f ${D}${EFI_BOOT_PATH}/${GRUB_TARGET}-efi/*.module
+    rm -f ${D}${EFI_FILES_PATH}/${GRUB_TARGET}-efi/*.module
 }
 
 python do_sign:prepend:class-target() {
@@ -159,12 +156,11 @@ python do_sign:prepend:class-target() {
 
 fakeroot python do_sign:class-target() {
     image_dir = d.getVar('D')
-    efi_boot_path = d.getVar('EFI_BOOT_PATH')
+    efi_files_path = d.getVar('EFI_FILES_PATH')
     grub_image = d.getVar('GRUB_IMAGE')
-    dir = image_dir + efi_boot_path + '/'
+    dir = image_dir + efi_files_path + '/'
 
     sb_sign(dir + grub_image, dir + grub_image, d)
-    uks_bl_sign(dir + 'grub.cfg', d)
     uks_bl_sign(dir + 'boot-menu.inc', d)
 
     if d.getVar('UEFI_SB') == "1":
@@ -178,45 +174,41 @@ python do_sign() {
 addtask sign after do_install before do_deploy do_package
 
 fakeroot do_chownboot() {
-    chown root:root -R "${D}${EFI_BOOT_PATH}/grub.cfg${SB_FILE_EXT}"
-    chown root:root -R "${D}${EFI_BOOT_PATH}/boot-menu.inc${SB_FILE_EXT}"
+    chown root:root -R "${D}${EFI_FILES_PATH}/boot-menu.inc${SB_FILE_EXT}"
 
     [ x"${UEFI_SB}" = x"1" ] && {
-        chown root:root -R "${D}${EFI_BOOT_PATH}/efi-secure-boot.inc${SB_FILE_EXT}"
-        chown root:root -R "${D}${EFI_BOOT_PATH}/password.inc${SB_FILE_EXT}"
+        chown root:root -R "${D}${EFI_FILES_PATH}/efi-secure-boot.inc${SB_FILE_EXT}"
+        chown root:root -R "${D}${EFI_FILES_PATH}/password.inc${SB_FILE_EXT}"
     }
 }
 
 addtask chownboot after do_deploy before do_package
 
 # Append the do_deploy() in oe-core.
 do_deploy:append:class-target() {
-    install -m 0644 "${D}${EFI_BOOT_PATH}/${GRUB_IMAGE}" "${DEPLOYDIR}"
+    install -m 0644 "${D}${EFI_FILES_PATH}/${GRUB_IMAGE}" "${DEPLOYDIR}"
 
     # Deploy the stacked grub configs.
-    install -m 0600 "${D}${EFI_BOOT_PATH}/grubenv" "${DEPLOYDIR}"
-    install -m 0600 "${D}${EFI_BOOT_PATH}/grub.cfg" "${DEPLOYDIR}"
-    install -m 0600 "${D}${EFI_BOOT_PATH}/boot-menu.inc" "${DEPLOYDIR}"
-    install -m 0600 "${D}${EFI_BOOT_PATH}/grub.cfg${SB_FILE_EXT}" "${DEPLOYDIR}"
-    install -m 0600 "${D}${EFI_BOOT_PATH}/boot-menu.inc${SB_FILE_EXT}" "${DEPLOYDIR}"
+    install -m 0600 "${D}${EFI_FILES_PATH}/grubenv" "${DEPLOYDIR}"
+    install -m 0600 "${D}${EFI_FILES_PATH}/boot-menu.inc" "${DEPLOYDIR}"
+    install -m 0600 "${D}${EFI_FILES_PATH}/boot-menu.inc${SB_FILE_EXT}" "${DEPLOYDIR}"
 
     [ x"${UEFI_SB}" = x"1" ] && {
-        install -m 0600 "${D}${EFI_BOOT_PATH}/efi-secure-boot.inc" "${DEPLOYDIR}"
-        install -m 0600 "${D}${EFI_BOOT_PATH}/password.inc" "${DEPLOYDIR}"
-        install -m 0600 "${D}${EFI_BOOT_PATH}/efi-secure-boot.inc${SB_FILE_EXT}" "${DEPLOYDIR}"
-        install -m 0600 "${D}${EFI_BOOT_PATH}/password.inc${SB_FILE_EXT}" "${DEPLOYDIR}"
+        install -m 0600 "${D}${EFI_FILES_PATH}/efi-secure-boot.inc" "${DEPLOYDIR}"
+        install -m 0600 "${D}${EFI_FILES_PATH}/password.inc" "${DEPLOYDIR}"
+        install -m 0600 "${D}${EFI_FILES_PATH}/efi-secure-boot.inc${SB_FILE_EXT}" "${DEPLOYDIR}"
+        install -m 0600 "${D}${EFI_FILES_PATH}/password.inc${SB_FILE_EXT}" "${DEPLOYDIR}"
     }
 
     install -d "${DEPLOYDIR}/efi-unsigned"
     install -m 0644 "${B}/${GRUB_IMAGE}" "${DEPLOYDIR}/efi-unsigned"
-    PSEUDO_DISABLED=1 cp -af "${D}${EFI_BOOT_PATH}/${GRUB_TARGET}-efi" "${DEPLOYDIR}/efi-unsigned"
+    PSEUDO_DISABLED=1 cp -af "${D}${EFI_FILES_PATH}/${GRUB_TARGET}-efi" "${DEPLOYDIR}/efi-unsigned"
 }
 
-FILES:${PN} += "${EFI_BOOT_PATH}"
+FILES:${PN} += "${EFI_FILES_PATH}"
 
 CONFFILES:${PN} += "\
-    ${EFI_BOOT_PATH}/grub.cfg \
-    ${EFI_BOOT_PATH}/grubenv \
-    ${EFI_BOOT_PATH}/boot-menu.inc \
-    ${EFI_BOOT_PATH}/efi-secure-boot.inc \
+    ${EFI_FILES_PATH}/grubenv \
+    ${EFI_FILES_PATH}/boot-menu.inc \
+    ${EFI_FILES_PATH}/efi-secure-boot.inc \
 "

meta-efi-secure-boot/recipes-bsp/seloader/seloader_git.bb

@@ -37,6 +37,7 @@ COMPATIBLE_HOST = '(i.86|x86_64).*-linux'
 PARALLEL_MAKE = ""
 
 inherit deploy user-key-store
+require conf/image-uefi.conf
 
 EXTRA_OEMAKE = "\
     CROSS_COMPILE="${TARGET_PREFIX}" \
@@ -48,8 +49,6 @@ EXTRA_OEMAKE = "\
 EFI_ARCH:x86 = "ia32"
 EFI_ARCH:x86-64 = "x64"
 
-EFI_TARGET = "/boot/efi/EFI/BOOT"
-
 python do_sign() {
     sb_sign(d.expand('${B}/Src/Efi/SELoader.efi'), \
             d.expand('${B}/Src/Efi/SELoader.efi.signed'), d)
@@ -63,17 +62,17 @@ do_compile:append() {
 }
 
 do_install() {
-    install -d ${D}${EFI_TARGET}
+    install -d ${D}${EFI_FILES_PATH}
 
-    oe_runmake install EFI_DESTDIR=${D}${EFI_TARGET}
+    oe_runmake install EFI_DESTDIR=${D}${EFI_FILES_PATH}
     # Remove precompiled files, now provided by OVMF
-    rm -f ${D}${EFI_TARGET}/Hash2DxeCrypto.efi
-    rm -f ${D}${EFI_TARGET}/Pkcs7VerifyDxe.efi
+    rm -f ${D}${EFI_FILES_PATH}/Hash2DxeCrypto.efi
+    rm -f ${D}${EFI_FILES_PATH}/Pkcs7VerifyDxe.efi
 
     if [ x"${UEFI_SB}" = x"1" ]; then
         if [ x"${MOK_SB}" != x"1" ]; then
-            mv "${D}${EFI_TARGET}/SELoader${EFI_ARCH}.efi" \
-                "${D}${EFI_TARGET}/boot${EFI_ARCH}.efi"
+            mv "${D}${EFI_FILES_PATH}/SELoader${EFI_ARCH}.efi" \
+                "${D}${EFI_FILES_PATH}/boot${EFI_ARCH}.efi"
         fi
     fi
 }
@@ -91,13 +90,13 @@ do_deploy() {
     else
         SEL_NAME=SELoader
     fi
-    install -m 0600 "${D}${EFI_TARGET}/${SEL_NAME}${EFI_ARCH}.efi" \
+    install -m 0600 "${D}${EFI_FILES_PATH}/${SEL_NAME}${EFI_ARCH}.efi" \
         "${DEPLOYDIR}/${SEL_NAME}${EFI_ARCH}.efi"
 }
 addtask deploy after do_install before do_build
 
 RDEPENDS:${PN} += "${@bb.utils.contains('DISTRO_FEATURES', 'efi-secure-boot', 'ovmf-pkcs7-efi', '', d)}"
 
-FILES:${PN} += "${EFI_TARGET}"
+FILES:${PN} += "${EFI_FILES_PATH}"
 
 SSTATE_ALLOW_OVERLAP_FILES += "${DEPLOY_DIR_IMAGE}/efi-unsigned"

meta-efi-secure-boot/recipes-bsp/shim/shim_15.8.bb

@@ -25,6 +25,7 @@ SRC_URI:append:x86-64 = "${@bb.utils.contains('DISTRO_FEATURES', 'msft', \
                         "
 
 inherit deploy user-key-store
+require conf/image-uefi.conf
 
 SHIM_DEFAULT_LOADER = "${@'DEFAULT_LOADER=\\\\\\\\\\\\\\\\SELoader${EFI_ARCH}.efi' if d.getVar('UEFI_SB') == '1' and d.getVar('UEFI_SELOADER') == '1' else ''}"
 
@@ -47,8 +48,6 @@ EXTRA_OEMAKE = "\
 PARALLEL_MAKE = ""
 COMPATIBLE_HOST = '(i.86|x86_64).*-linux'
 
-EFI_TARGET = "/boot/efi/EFI/BOOT"
-
 MSFT = "${@bb.utils.contains('DISTRO_FEATURES', 'msft', '1', '0', d)}"
 
 EFI_ARCH:x86 = "ia32"
@@ -95,15 +94,15 @@ python do_sign() {
 addtask sign after do_compile before do_install
 
 do_install() {
-    install -d "${D}${EFI_TARGET}"
+    install -d "${D}${EFI_FILES_PATH}"
 
-    local shim_dst="${D}${EFI_TARGET}/boot${EFI_ARCH}.efi"
-    local mm_dst="${D}${EFI_TARGET}/mm${EFI_ARCH}.efi"
+    local shim_dst="${D}${EFI_FILES_PATH}/boot${EFI_ARCH}.efi"
+    local mm_dst="${D}${EFI_FILES_PATH}/mm${EFI_ARCH}.efi"
     if [ x"${UEFI_SB}" = x"1" -a x"${MOK_SB}" = x"1" ]; then
         install -m 0600 "${B}/shim${EFI_ARCH}.efi.signed" "$shim_dst"
         install -m 0600 "${B}/mm${EFI_ARCH}.efi.signed" "$mm_dst"
     else
-        install -m 0600 "${B}/shim${EFI_ARCH}.efi" "${D}${EFI_TARGET}/shim${EFI_ARCH}.efi"
+        install -m 0600 "${B}/shim${EFI_ARCH}.efi" "${D}${EFI_FILES_PATH}/shim${EFI_ARCH}.efi"
         install -m 0600 "${B}/mm${EFI_ARCH}.efi" "$mm_dst"
     fi
 }
@@ -118,12 +117,12 @@ do_deploy() {
         "${DEPLOYDIR}/efi-unsigned/mm${EFI_ARCH}.efi"
 
     if [ x"${UEFI_SB}" = x"1" -a x"${MOK_SB}" = x"1" ]; then
-        install -m 0600 "${D}${EFI_TARGET}/boot${EFI_ARCH}.efi" "${DEPLOYDIR}"
+        install -m 0600 "${D}${EFI_FILES_PATH}/boot${EFI_ARCH}.efi" "${DEPLOYDIR}"
     else
-        install -m 0600 "${D}${EFI_TARGET}/shim${EFI_ARCH}.efi" "${DEPLOYDIR}"
+        install -m 0600 "${D}${EFI_FILES_PATH}/shim${EFI_ARCH}.efi" "${DEPLOYDIR}"
     fi
-    install -m 0600 "${D}${EFI_TARGET}/mm${EFI_ARCH}.efi" "${DEPLOYDIR}"
+    install -m 0600 "${D}${EFI_FILES_PATH}/mm${EFI_ARCH}.efi" "${DEPLOYDIR}"
 }
 addtask deploy after do_install before do_build
 
-FILES:${PN} = "${EFI_TARGET}"
+FILES:${PN} = "${EFI_FILES_PATH}"