[PATCH 2/2] wic/plugins/bootimg-efi-isar: Add option to sign systemd bootloader and kernel


Quirin Gylstorff

Nov 20, 2025, 5:15:15 AMNov 20
to isar-...@googlegroups.com
From: Quirin Gylstorff <quirin.g...@siemens.com>

This allows generating a signed installer image.

Signed-off-by: Quirin Gylstorff <quirin.g...@siemens.com>
---
.../lib/wic/plugins/source/bootimg-efi-isar.py | 17 +++++++++++++++++
1 file changed, 17 insertions(+)

diff --git a/meta/scripts/lib/wic/plugins/source/bootimg-efi-isar.py b/meta/scripts/lib/wic/plugins/source/bootimg-efi-isar.py
index 661dcbb4..fd4d6017 100644
--- a/meta/scripts/lib/wic/plugins/source/bootimg-efi-isar.py
+++ b/meta/scripts/lib/wic/plugins/source/bootimg-efi-isar.py
@@ -310,6 +310,20 @@ class BootimgEFIPlugin(SourcePlugin):
logger.debug("Payload directory: %s", payload_dir)
shutil.copytree(payload_dir, iso_dir, symlinks=True, dirs_exist_ok=True)

+ @classmethod
+ def _sign_file(cls, signee, source_params):
+ sign_script = source_params.get("signwith")
+ if sign_script and os.path.exists(sign_script):
+ logger.info("sign with script %s", sign_script)
+ orig_signee = signee + ".unsigned"
+ os.rename(signee, orig_signee)
+ sign_cmd = "{sign_script} {orig_signee} {signee}"\
+ .format(sign_script=sign_script, orig_signee=orig_signee,
+ signee=signee)
+ exec_cmd(sign_cmd)
+ elif sign_script and not os.path.exists(sign_script):
+ logger.error("Could not find script %s", sign_script)
+ exit(1)

@classmethod
def do_prepare_partition(cls, part, source_params, creator, cr_workdir,
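Review bot: `_sign_file` moves the binary to `<name>.unsigned` inside the directory that becomes the boot partition and never removes it, so the unsigned copy appears to ship next to the signed one, and nothing checks that the script actually produced `signee`. After `exec_cmd(sign_cmd)` I would add `if not os.path.isfile(signee): raise WicError("signing did not produce %s" % signee)` followed by `os.remove(orig_signee)`, assuming `WicError` is imported in this file as in other wic plugins; the same exception would be a better fit than `logger.error` plus `exit(1)` in the `elif` branch. The command line is assembled with `str.format`, so a `signwith` value or path containing whitespace will not reach the script as the intended three arguments, depending on how `exec_cmd` tokenises it. A docstring stating the script contract (`<script> <unsigned-input> <signed-output>`) and that a missing `signwith` silently skips signing would help whoever configures a Secure Boot build.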
@@ -406,6 +420,8 @@ class BootimgEFIPlugin(SourcePlugin):

install_cmd = isar_populate_boot_cmd(rootfs_dir['ROOTFS_DIR'], hdddir)
exec_cmd(install_cmd)
+ for mod in [x for x in os.listdir(hdddir) if x.startswith("vmlinu")]:
+ cls._sign_file(f"{hdddir}/{mod}", source_params)

cls._install_payload(source_params, hdddir)

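Review bot: The `startswith("vmlinu")` filter also matches the `*.unsigned` copies that `_sign_file` leaves in `hdddir`, so if this step ever runs over an already populated `hdddir` those files would be signed and renamed a second time; excluding them is a one-line change, `for mod in [x for x in os.listdir(hdddir) if x.startswith("vmlinu") and not x.endswith(".unsigned")]:`. `_install_payload` runs after this loop, so everything from `payload_dir` lands in the partition unsigned and, because it copies with `dirs_exist_ok=True`, can replace a file that was just signed; a comment here saying that payload content is outside the signing step would make that explicit. `os.path.join(hdddir, mod)` is the more usual way to build the path than an f-string with `/`.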
@@ -488,6 +504,7 @@ class BootimgEFIPlugin(SourcePlugin):
target = target[:-7]
cp_cmd = "cp %s/%s %s/EFI/BOOT/%s" % (kernel_dir, mod, hdddir, target)
exec_cmd(cp_cmd, True)
+ cls._sign_file(f"{hdddir}/EFI/BOOT/{mod[8:]}", source_params)

kernel_dir = kernel_dir_orig
else:
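Review bot: The path handed to `_sign_file` is built from `mod[8:]` while the `cp` just above writes to `target`, and the context line `target = target[:-7]` shows the two can differ; in that case `_sign_file` would try to rename a file that does not exist and the build stops with an `OSError` from `os.rename`. Using the copy destination keeps them in step: `cls._sign_file(f"{hdddir}/EFI/BOOT/{target}", source_params)`. The loop and the condition guarding `target[:-7]` start outside this hunk, so whether the stripped suffix marks a binary that is already signed, and probably should not be signed again, needs checking against the full function.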
--
2.51.2

Quirin Gylstorff

Nov 20, 2025, 5:15:15 AMNov 20
to isar-...@googlegroups.com
From: Quirin Gylstorff <quirin.g...@siemens.com>

This allows adding an additional payload to the boot-img partition,
e.g. additional EFI scripts for updating the BIOS.

Signed-off-by: Quirin Gylstorff <quirin.g...@siemens.com>
---
.../lib/wic/plugins/source/bootimg-efi-isar.py | 14 ++++++++++++++
1 file changed, 14 insertions(+)

diff --git a/meta/scripts/lib/wic/plugins/source/bootimg-efi-isar.py b/meta/scripts/lib/wic/plugins/source/bootimg-efi-isar.py
index 446398d0..661dcbb4 100644
--- a/meta/scripts/lib/wic/plugins/source/bootimg-efi-isar.py
+++ b/meta/scripts/lib/wic/plugins/source/bootimg-efi-isar.py
@@ -298,6 +298,19 @@ class BootimgEFIPlugin(SourcePlugin):
else:
cls.install_task.append((src, dst))

+ @staticmethod
+ def _install_payload(source_params, iso_dir):
+ """
+ Copies contents of payload directory (as specified in 'payload_dir' param) into iso_dir
+ """
+
+ if source_params.get('payload_dir'):
+ payload_dir = source_params['payload_dir']
+
+ logger.debug("Payload directory: %s", payload_dir)
+ shutil.copytree(payload_dir, iso_dir, symlinks=True, dirs_exist_ok=True)
+
+
@classmethod
def do_prepare_partition(cls, part, source_params, creator, cr_workdir,
oe_builddir, bootimg_dir, kernel_dir,
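Review bot: `_install_payload` merges `payload_dir` into the boot partition directory with `dirs_exist_ok=True` and no validation, so a payload file whose relative path matches a bootloader or kernel file replaces it without any message, and a wrong `payload_dir` surfaces as a raw `shutil` traceback. I would check the directory first, e.g. `if not os.path.isdir(payload_dir): raise WicError("payload_dir %s is not a directory" % payload_dir)` (assuming `WicError` is imported here), and state the overwrite behaviour in the docstring. `symlinks=True` keeps links as links, which likely cannot be represented once the directory is turned into a FAT EFI partition; that is worth confirming or documenting. The parameter is named `iso_dir` although the caller passes `hdddir`, and the hunk adds two consecutive blank lines before the next decorator.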
@@ -394,6 +407,7 @@ class BootimgEFIPlugin(SourcePlugin):
install_cmd = isar_populate_boot_cmd(rootfs_dir['ROOTFS_DIR'], hdddir)
exec_cmd(install_cmd)

+ cls._install_payload(source_params, hdddir)

if get_bitbake_var("IMAGE_EFI_BOOT_FILES"):
for src_path, dst_path in cls.install_task:
--
2.51.2

Zhihang Wei

Nov 26, 2025, 4:47:36 AMNov 26
to Quirin Gylstorff, isar-...@googlegroups.com
Both were applied to next, thanks.