[RFC] qcom-firmware-sign: build-time secure-boot signing of Qualcomm firmware #2598
base: master
Changes from 1 commit
5086824
f032556
446e1ec
a998372
8c7a2de
6265560
bb6079a
52c0458
efca6cc
a1ee798
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| SUMMARY = "Qualcomm Sectools v2 -- image signing / verification tool" | ||
| DESCRIPTION = "Qualcomm Security Tools v2: the host \ | ||
| binary used to sign, verify and inspect Qualcomm firmware images (XBL, \ | ||
| TZ, modem, etc.) according to a per-chipset Security Profile XML" | ||
| HOMEPAGE = "https://softwarecenter.qualcomm.com/catalog/item/Qualcomm_Security_Tools" | ||
| LICENSE = "LICENSE.qcom-2" | ||
|
|
||
| LIC_FILES_CHKSUM = "file://${UNPACKDIR}/${ZIP_TOPDIR}/CHANGES.txt;md5=d2a0bb01dcd8befe660b832fbbe05900" | ||
|
Contributor
Drop UNPACKDIR. Also, can we work with the sectools authors to include the licence into the archive? |
||
| ZIP_TOPDIR = "1.48" | ||
|
Contributor
PV?
Contributor
Saw now that the directory is 1.48.0 but the zip is 1.48.zip, not great. |
||
|
|
||
| SRC_URI = "https://softwarecenter.qualcomm.com/api/download/software/tools/Qualcomm_Security_Tools/All/${PV}/${ZIP_TOPDIR}.zip;name=sectools-zip;downloadfilename=qcom-sectools-${PV}.zip" | ||
| SRC_URI[sectools-zip.sha256sum] = "d89773bbfcc9c80c871b628bd2e766460a876277661ed6634d57590b7fd80fba" | ||
|
|
||
| S = "${UNPACKDIR}/${ZIP_TOPDIR}" | ||
|
|
||
| INHIBIT_DEFAULT_DEPS = "1" | ||
|
|
||
| inherit native | ||
|
|
||
| do_configure[noexec] = "1" | ||
| do_compile[noexec] = "1" | ||
|
|
||
| # Pick the per-platform sectools binary that matches the build host. | ||
| SECTOOLS_PLATFORM_DIR = "${@'Linux_aarch64' if d.getVar('BUILD_ARCH') == 'aarch64' else 'Linux'}" | ||
|
Contributor
We should also set COMPATIBLE_HOST. |
||
|
|
||
| # Stage the per-platform sectools binary under ${datadir}/sectools/ and | ||
| # drop a thin symlink into ${bindir} so consumers can invoke `sectools` | ||
| # from PATH regardless of which subdir was selected. | ||
| do_install() { | ||
| install -d "${D}${datadir}/sectools/${SECTOOLS_PLATFORM_DIR}" | ||
| install -m 0755 "${S}/${SECTOOLS_PLATFORM_DIR}/sectools" \ | ||
| "${D}${datadir}/sectools/${SECTOOLS_PLATFORM_DIR}/sectools" | ||
|
|
||
| install -d "${D}${bindir}" | ||
| ln -sf "../share/sectools/${SECTOOLS_PLATFORM_DIR}/sectools" \ | ||
| "${D}${bindir}/sectools" | ||
|
|
||
| install -m 0644 "${S}/CHANGES.txt" "${D}${datadir}/sectools/CHANGES.txt" | ||
| } | ||
|
|
||
| do_unpack[postfuncs] += "sectools_chmod_unpacked" | ||
| sectools_chmod_unpacked() { | ||
| chmod -R u+w "${UNPACKDIR}" | ||
|
Contributor
Why? |
||
| } | ||
|
|
||
| FILES:${PN} += "${datadir}/sectools" | ||
| INSANE_SKIP:${PN} += "already-stripped" | ||
|
Contributor
Missing EOL. |
||
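Review bot: The `ln -sf "../share/sectools/${SECTOOLS_PLATFORM_DIR}/sectools"` target in `do_install` hard-codes the relative path from `${bindir}` to `${datadir}`, although the install lines just above go through `${datadir}`. If the two ever stop being siblings under the same prefix, the link dangles and every consumer that calls `sectools` from PATH breaks at signing time. Letting coreutils compute the target keeps them in sync: `ln -rsf "${D}${datadir}/sectools/${SECTOOLS_PLATFORM_DIR}/sectools" "${D}${bindir}/sectools"`. Separately, `INSANE_SKIP:${PN} += "already-stripped"` would benefit from a one-line comment such as `# Prebuilt vendor binary; presumably shipped stripped, so the QA check cannot pass.`, so the skip is not copied elsewhere without the reason.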
This is not really correct, started an internal thread to see if we can have a license inside the zip file.
Yeah, that was actually the issue (no LICENSE file inside the archive )