omnect · mlilien · Apr 17, 2025 · Jun 10, 2025 · Jun 12, 2025 · Jun 18, 2025
diff --git a/classes/omnect-initramfs-sign.bbclass b/classes/omnect-initramfs-sign.bbclass
@@ -0,0 +1,19 @@
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'efi-secure-boot', 'user-key-store', '', d)}
+
+fakeroot python sign() {
+    import re
+
+    if (d.expand('${TARGET_ARCH}') != 'x86_64') and (not re.match('i.86', d.expand('${TARGET_ARCH}'))):
+        return
+
+    if d.expand('${UEFI_SB}') != '1':
+        return
+
+    import shutil
+
+    initramfs = d.expand('${IMGDEPLOYDIR}/${IMAGE_NAME}.${OMNECT_INITRAMFS_FSTYPE}')
+    bb.note("initramfs: \"%s\"" % (initramfs))
+    shutil.copy(initramfs, initramfs + '.unsigned')
+    uks_bl_sign(initramfs, d)
+}
+IMAGE_POSTPROCESS_COMMAND:append = "${@bb.utils.contains('DISTRO_FEATURES', 'efi-secure-boot', 'check_deploy_keys;sign;', '', d)}"
diff --git a/classes/u-boot-scr.bbclass b/classes/u-boot-scr.bbclass
@@ -42,7 +42,7 @@ python create_boot_cmd () {
                 f.write("%s\n" % (omnect_boot_scr_test_cmds))
 
             # load kernel
-            f.write("load ${devtype} ${devnum}:${omnect_os_bootpart} ${kernel_addr_r} boot/%s.bin\n" % kernel_imagetype)
+            f.write("load ${devtype} ${devnum}:${omnect_os_bootpart} ${kernel_addr_r} boot/%s\n" % kernel_imagetype)
 
             # load initrd
             f.write("load ${devtype} ${devnum}:${omnect_os_bootpart} ${ramdisk_addr_r} boot/initramfs.%s\n" % omnect_initramfs_fs_type)

diff --git a/conf/machine/genericx86-64.extra.conf b/conf/machine/genericx86-64.extra.conf
@@ -40,9 +40,6 @@ WKS_FILE = "omnect-os.grub.wks.in"
 # size
 OMNECT_PART_SIZE_ROOTFS ?= "${@bb.utils.contains('OMNECT_RELEASE_IMAGE', '1', '900000', '900000', d)}"
 OMNECT_PART_OFFSET_BOOT ?= "2048"
-# where to find initial grubenv
-WICVARS:append = " OMNECT_GRUBENV_FILE"
-OMNECT_GRUBENV_FILE = "${LAYERDIR_omnect}/files/grubenv"
 
 # adu compatibility id
 OMNECT_ADU_DEVICEPROPERTIES_COMPATIBILITY_ID = "0"
@@ -72,6 +69,26 @@ MACHINE_EXTRA_RRECOMMENDS += "linux-firmware-i915 linux-firmware-ath10k linux-fi
 # don't install every available firmware
 MACHINE_EXTRA_RRECOMMENDS:remove = "linux-firmware"
 
+DISTRO_FEATURES:append = " efi-secure-boot modsign"
+
+# for patched wic plugin bootimg-efi.py:
+WICVARS:append = " OMNECT_GRUB_EFI_SB_FILES"
+OMNECT_GRUB_EFI_SB_FILES = " \
+    boot-menu.inc \
+    boot-menu.inc.p7b \
+    efi-secure-boot.inc \
+    efi-secure-boot.inc.p7b \
+    grub.cfg \
+    grub.cfg.p7b \
+    grubenv \
+    omnect_bootloader_version \
+    bootx64.efi \
+    grubx64.efi \
+    LockDown.efi \
+    mmx64.efi \
+    SELoaderx64.efi \
+"
+
 # configure hardware watchdog
 # the maximum watchdog deadline depends on the hardware capabilities
 SYSTEMD_RuntimeWatchdogSec  = "60"
@@ -86,5 +103,5 @@ OMNECT_BOOTLOADER_RECIPE_PATH = "${LAYERDIR_core}/recipes-bsp/grub/grub-efi_2.12
 # OMNECT_BOOTLOADER_CHECKSUM_EXPTECTED:pn-bootloader-versioned - build will fail, if the
 # computed checksum is different to this; set to <oldchecksum> when
 # OMNECT_BOOTLOADER_CHECKSUM_COMPATIBLE:pn-bootloader-versioned is set
-OMNECT_BOOTLOADER_CHECKSUM_EXPECTED:pn-bootloader-versioned = "707f10b656550a4ef294ec0182f162e024d7dde17fd088bf3832ade61194a76a"
+OMNECT_BOOTLOADER_CHECKSUM_EXPECTED:pn-bootloader-versioned = "3d18989e88cc2133d451e904b24b7739dbf18644634ec3830c8bbfc73a3aadeb"
 #OMNECT_BOOTLOADER_CHECKSUM_COMPATIBLE:pn-bootloader-versioned = ""
diff --git a/conf/machine/include/phytec-imx8mm.inc b/conf/machine/include/phytec-imx8mm.inc
@@ -107,3 +107,4 @@ OMNECT_BOOTLOADER_RECIPE_PATH = "${LAYERDIR_phytec}/recipes-bsp/u-boot/u-boot-ph
 # computed checksum is different to this; set to <oldchecksum> when
 # OMNECT_BOOTLOADER_CHECKSUM_COMPATIBLE:pn-bootloader-versioned is set
 OMNECT_BOOTLOADER_CHECKSUM_EXPECTED:pn-bootloader-versioned = "aabb383cafd6f082e0e5c2d7d4eec6f1c5daa10d3613e73d5c659d981be8401a"
+OMNECT_BOOTLOADER_CHECKSUM_COMPATIBLE:pn-bootloader-versioned= "ad08b27e6274141bfe09931eb1f635478f15027cee2e81eee86eebfdd2f62363 aabb383cafd6f082e0e5c2d7d4eec6f1c5daa10d3613e73d5c659d981be8401a"
diff --git a/doc/Variables_Glossary.md b/doc/Variables_Glossary.md
@@ -82,6 +82,9 @@ Name of u-boot device-tree bootscript to be generated for devices using u-boot a
 If value is 1 [flash-mode-2](https://github.com/omnect/meta-omnect?tab=readme-ov-file#flash-mode-2) directly flashes the image. Default is unset.
 Normally we save the incoming image to RAM and verify it before we flash. On devices with a minimal RAM configuration this can fail. In this case you can skip the verifying and flash directly.
 
+# OMNECT_GRUB_EFI_SB_FILES
+Files to add from deploydir to grub-efi dir in boot partition. E.g. "grub.cfg grubenv" etc..
+
 # OMNECT_GRUBENV_FILE
 Path to grubenv file in buildsystem. Defaults to `${LAYERDIR_omnect}/files/grubenv`. Relevant for devices which use grub as bootloader, such as genericx86-64.
 

diff --git a/kas/machine/x86_64/genericx86-64.yaml b/kas/machine/x86_64/genericx86-64.yaml
@@ -10,5 +10,23 @@ repos:
     commit: "7633f51d53f535728fe035fa866416d2e5ba6a9c"
     layers:
       meta-yocto-bsp:
+  ext/meta-secure-core:
+    url: "https://github.com/Wind-River/meta-secure-core.git"
+    branch: "scarthgap"
+    commit: "7a51f091cccfb8f629ce962f13b7b45d23005093"
+    layers:
+      meta-efi-secure-boot:
+      meta-secure-core-common:
+      meta-signing-key:
+    patches:
+      p001:
+        repo: "meta-omnect"
+        path: "kas/patches/meta-efi-secure-boot_layerdir.patch"
+  ext/meta-perl:
+    url: "https://github.com/openembedded/meta-openembedded.git"
+    branch: "scarthgap"
+    commit: "67ad83dd7c2485dae0c90eac345007af6195b84d"
+    layers:
+      meta-perl:
 
 machine: "genericx86-64"
diff --git a/kas/patches/meta-efi-secure-boot_layerdir.patch b/kas/patches/meta-efi-secure-boot_layerdir.patch
@@ -0,0 +1,9 @@
+diff --git a/meta-efi-secure-boot/conf/layer.conf b/meta-efi-secure-boot/conf/layer.conf
+index 0efef32..1ebddf7 100644
+--- a/meta-efi-secure-boot/conf/layer.conf
++++ b/meta-efi-secure-boot/conf/layer.conf
+@@ -20,3 +20,4 @@ LAYERDEPENDS_efi-secure-boot = "\
+ "
+
+ LAYERSERIES_COMPAT_efi-secure-boot = "scarthgap"
++LAYERDIR_efi-secure-boot = "${LAYERDIR}"
diff --git a/kas/patches/oe.patch b/kas/patches/oe.patch
@@ -1,8 +1,8 @@
 diff --git a/scripts/lib/wic/plugins/source/bootimg-efi.py b/scripts/lib/wic/plugins/source/bootimg-efi.py
-index 13a9cddf4e..6095c7cc75 100644
+index 7cc5131541..4e899200f1 100644
 --- a/scripts/lib/wic/plugins/source/bootimg-efi.py
 +++ b/scripts/lib/wic/plugins/source/bootimg-efi.py
-@@ -297,113 +297,121 @@ class BootimgEFIPlugin(SourcePlugin):
+@@ -297,113 +297,17 @@ class BootimgEFIPlugin(SourcePlugin):
 
          hdddir = "%s/hdd/boot" % cr_workdir
 
@@ -113,121 +113,17 @@ index 13a9cddf4e..6095c7cc75 100644
 -                install_cmd = "install -m 0644 %s/%s %s/%s" % \
 -                    (staging_kernel_dir, kernel, hdddir, kernel)
 -                exec_cmd(install_cmd)
-+        # kernel = get_bitbake_var("KERNEL_IMAGETYPE")
-+        # if get_bitbake_var("INITRAMFS_IMAGE_BUNDLE") == "1":
-+        #     if get_bitbake_var("INITRAMFS_IMAGE"):
-+        #         kernel = "%s-%s.bin" % \
-+        #             (get_bitbake_var("KERNEL_IMAGETYPE"), get_bitbake_var("INITRAMFS_LINK_NAME"))
-+
-+        # if source_params.get('create-unified-kernel-image') == "true":
-+        #     initrd = source_params.get('initrd')
-+        #     if not initrd:
-+        #         raise WicError("initrd= must be specified when create-unified-kernel-image=true, exiting")
-+
-+        #     deploy_dir = get_bitbake_var("DEPLOY_DIR_IMAGE")
-+        #     efi_stub = glob("%s/%s" % (deploy_dir, "linux*.efi.stub"))
-+        #     if len(efi_stub) == 0:
-+        #         raise WicError("Unified Kernel Image EFI stub not found, exiting")
-+        #     efi_stub = efi_stub[0]
-+
-+        #     with tempfile.TemporaryDirectory() as tmp_dir:
-+        #         label = source_params.get('label')
-+        #         label_conf = "root=%s" % creator.rootdev
-+        #         if label:
-+        #             label_conf = "LABEL=%s" % label
-+
-+        #         bootloader = creator.ks.bootloader
-+        #         cmdline = open("%s/cmdline" % tmp_dir, "w")
-+        #         cmdline.write("%s %s" % (label_conf, bootloader.append))
-+        #         cmdline.close()
-+
-+        #         initrds = initrd.split(';')
-+        #         initrd = open("%s/initrd" % tmp_dir, "wb")
-+        #         for f in initrds:
-+        #             with open("%s/%s" % (deploy_dir, f), 'rb') as in_file:
-+        #                 shutil.copyfileobj(in_file, initrd)
-+        #         initrd.close()
-+
-+        #         # Searched by systemd-boot:
-+        #         # https://systemd.io/BOOT_LOADER_SPECIFICATION/#type-2-efi-unified-kernel-images
-+        #         install_cmd = "install -d %s/EFI/Linux" % hdddir
-+        #         exec_cmd(install_cmd)
-+
-+        #         staging_dir_host = get_bitbake_var("STAGING_DIR_HOST")
-+        #         target_sys = get_bitbake_var("TARGET_SYS")
-+
-+        #         objdump_cmd = "%s-objdump" % target_sys
-+        #         objdump_cmd += " -p %s" % efi_stub
-+        #         objdump_cmd += " | awk '{ if ($1 == \"SectionAlignment\"){print $2} }'"
-+
-+        #         ret, align_str = exec_native_cmd(objdump_cmd, native_sysroot)
-+        #         align = int(align_str, 16)
-+
-+        #         objdump_cmd = "%s-objdump" % target_sys
-+        #         objdump_cmd += " -h %s | tail -2" % efi_stub
-+        #         ret, output = exec_native_cmd(objdump_cmd, native_sysroot)
-+
-+        #         offset = int(output.split()[2], 16) + int(output.split()[3], 16)
-+
-+        #         osrel_off = offset + align - offset % align
-+        #         osrel_path = "%s/usr/lib/os-release" % staging_dir_host
-+        #         osrel_sz = os.stat(osrel_path).st_size
-+
-+        #         cmdline_off = osrel_off + osrel_sz
-+        #         cmdline_off = cmdline_off + align - cmdline_off % align
-+        #         cmdline_sz = os.stat(cmdline.name).st_size
-+
-+        #         dtb_off = cmdline_off + cmdline_sz
-+        #         dtb_off = dtb_off + align - dtb_off % align
-+
-+        #         dtb = source_params.get('dtb')
-+        #         if dtb:
-+        #             if ';' in dtb:
-+        #                 raise WicError("Only one DTB supported, exiting")
-+        #             dtb_path = "%s/%s" % (deploy_dir, dtb)
-+        #             dtb_params = '--add-section .dtb=%s --change-section-vma .dtb=0x%x' % \
-+        #                     (dtb_path, dtb_off)
-+        #             linux_off = dtb_off + os.stat(dtb_path).st_size
-+        #             linux_off = linux_off + align - linux_off % align
-+        #         else:
-+        #             dtb_params = ''
-+        #             linux_off = dtb_off
-+
-+        #         linux_path = "%s/%s" % (staging_kernel_dir, kernel)
-+        #         linux_sz = os.stat(linux_path).st_size
-+
-+        #         initrd_off = linux_off + linux_sz
-+        #         initrd_off = initrd_off + align - initrd_off % align
-+
-+        #         # https://www.freedesktop.org/software/systemd/man/systemd-stub.html
-+        #         objcopy_cmd = "%s-objcopy" % target_sys
-+        #         objcopy_cmd += " --enable-deterministic-archives"
-+        #         objcopy_cmd += " --preserve-dates"
-+        #         objcopy_cmd += " --add-section .osrel=%s" % osrel_path
-+        #         objcopy_cmd += " --change-section-vma .osrel=0x%x" % osrel_off
-+        #         objcopy_cmd += " --add-section .cmdline=%s" % cmdline.name
-+        #         objcopy_cmd += " --change-section-vma .cmdline=0x%x" % cmdline_off
-+        #         objcopy_cmd += dtb_params
-+        #         objcopy_cmd += " --add-section .linux=%s" % linux_path
-+        #         objcopy_cmd += " --change-section-vma .linux=0x%x" % linux_off
-+        #         objcopy_cmd += " --add-section .initrd=%s" % initrd.name
-+        #         objcopy_cmd += " --change-section-vma .initrd=0x%x" % initrd_off
-+        #         objcopy_cmd += " %s %s/EFI/Linux/linux.efi" % (efi_stub, hdddir)
-+
-+        #         exec_native_cmd(objcopy_cmd, native_sysroot)
-+        # else:
-+        #     if source_params.get('install-kernel-into-boot-dir') != 'false':
-+        #         install_cmd = "install -m 0644 %s/%s %s/%s" % \
-+        #             (staging_kernel_dir, kernel, hdddir, kernel)
-+        #         exec_cmd(install_cmd)
-+
-+        # install grubenv file
-+        omnect_grubenv_file = get_bitbake_var("OMNECT_GRUBENV_FILE")
-+        grubenv_install_cmd = "install -m 0644 -D %s %s/EFI/BOOT/grubenv" % (omnect_grubenv_file, hdddir)
-+        exec_cmd(grubenv_install_cmd)
 +        deploy_dir_img = get_bitbake_var("DEPLOY_DIR_IMAGE")
 +        bootloader_version_install_cmd = "install -m 0644 -D %s/omnect_bootloader_version %s/EFI/BOOT/omnect_bootloader_version" % (deploy_dir_img, hdddir)
 +        exec_cmd(bootloader_version_install_cmd)
++
++        grub_efi_sb_files = get_bitbake_var("OMNECT_GRUB_EFI_SB_FILES")
++        # get rid of multiple spaces
++        grub_efi_sb_files = ' '.join(grub_efi_sb_files.split());
++        grub_efi_sb_files = grub_efi_sb_files.split()
++        for grub_efi_sb_file in grub_efi_sb_files:
++            efi_install_cmd = "install -m 0644 -D %s/%s %s/EFI/BOOT/%s" % (deploy_dir_img, grub_efi_sb_file, hdddir, grub_efi_sb_file)
++            exec_cmd(efi_install_cmd)
 
          if get_bitbake_var("IMAGE_EFI_BOOT_FILES"):
              for src_path, dst_path in cls.install_task: