classes: add tegra-uefi-signing.bbclass

For implementing the common functions and variables needed for signing files/binaries validated by the UEFI bootloader. Signed-off-by: Matt Madison <matt@madison.systems>
2025-10-28 19:12:39 +00:00 · 2023-02-03 12:34:22 -08:00
parent 8d33ab09a6
commit 2134e512c1
1 changed files with 32 additions and 0 deletions
--- a/classes/tegra-uefi-signing.bbclass
+++ b/classes/tegra-uefi-signing.bbclass
@@ -0,0 +1,32 @@
+def tegra_uefi_signing_deps(d, tasks=False):
+    if not d.getVar('TEGRA_UEFI_DB_KEY') or not d.getVar('TEGRA_UEFI_DB_CERT'):
+        return ''
+    deps = ['openssl-native', 'sbsigntool-native', 'coreutils-native']
+    if tasks:
+        return ' '.join([d + ':do_populate_sysroot' for d in deps])
+    return ' '.join(deps)
+
+TEGRA_UEFI_DB_KEY ??= ""
+TEGRA_UEFI_DB_CERT ??= ""
+TEGRA_UEFI_SIGNING_TASKDEPS ?= "${@tegra_uefi_signing_deps(d, tasks=True)}"
+TEGRA_UEFI_SIGNING_DEPENDS ?= "${@tegra_uefi_signing_deps(d)}"
+
+# Standard signing, input file modified with signature
+tegra_uefi_sbsign() {
+    sbsign --key "${TEGRA_UEFI_DB_KEY}" --cert "${TEGRA_UEFI_DB_CERT}" --output "$1" "$1"
+}
+
+# Separate signature file, for NVIDIA's L4TLauncher 
+tegra_uefi_split_sign() {
+    openssl cms -sign -signer "${TEGRA_UEFI_DB_CERT}" -inkey "${TEGRA_UEFI_DB_KEY}" -binary -in "$1" -outform der -out "$1".sig
+}
+
+# Signature attached to end, another NVIDIA special
+# Input file remains intact; output file has ".signed" suffix
+tegra_uefi_attach_sign() {
+    openssl cms -sign -signer "${TEGRA_UEFI_DB_CERT}" -inkey "${TEGRA_UEFI_DB_KEY}" -binary -in "$1" -outform der -out "$1".sig.tmp
+    cp "$1" "$1.signed"
+    truncate --size=%2048 "$1.signed"
+    cat "$1".sig.tmp >> "$1.signed"
+    rm "$1".sig.tmp
+}