foundriesio · ldts · Nov 7, 2024 · Oct 29, 2024 · Oct 29, 2024 · angolini
diff --git a/meta-lmp-base/recipes-bsp/efitools/efitools_git.bb b/meta-lmp-base/recipes-bsp/efitools/efitools_git.bb
@@ -14,10 +14,11 @@ SRC_URI += " \
     file://build-keys-for-lockdown-only.patch \
     file://allow-local-auths.patch \
     file://lockdown.conf \
-    file://unlock.patch \
-    file://unlock.conf \
 "
 
+# UnLock needs the user keys
+SRC_URI:append = "${@bb.utils.contains('UEFI_SIGN_ENABLE', '1', ' file://unlock.patch file://unlock.conf', '', d)}"
+
 COMPATIBLE_HOST = "(i.86|x86_64|arm|aarch64|riscv64).*-linux"
 
 inherit deploy
@@ -42,33 +43,40 @@ python do_prepare_local_auths() {
     dir = d.expand('${UEFI_SIGN_KEYDIR}/')
 
     import shutil
+    import os
 
     # Use auths already generated by the user
     for _ in ('PK', 'KEK', 'DB', 'DBX', 'noPK', 'noKEK'):
-        shutil.copyfile(dir + _ + '.auth', d.expand('${S}/') + _ + '.auth')
+        file = _ + '.auth'
+        src = dir + file
+        if not os.path.isfile(src):
+            bb.fatal("File '%s' not found!" % src)
+        shutil.copyfile(src, d.expand('${S}/') + file)
 
 }
 addtask prepare_local_auths after do_configure before do_compile
 do_prepare_local_auths[vardeps] += "UEFI_SIGN_ENABLE UEFI_SIGN_KEYDIR"
 
 do_deploy() {
     install -d ${DEPLOYDIR}
-    install -m 0600 ${D}${datadir}/efitools/efi/LockDown.efi ${DEPLOYDIR}
+    install -m 0600 ${B}/LockDown.efi ${DEPLOYDIR}
     install -m 0600 ${WORKDIR}/lockdown.conf ${DEPLOYDIR}
 
-    if ! sbsign --key ${UEFI_SIGN_KEYDIR}/DB.key \
-                --cert ${UEFI_SIGN_KEYDIR}/DB.crt \
-		--output ${D}${datadir}/efitools/efi/UnLock-signed.efi \
-		${D}${datadir}/efitools/efi/UnLock.efi; then
-        bbfatal "Failed to sign UnLock.efi"
-    fi
+    if [ "${UEFI_SIGN_ENABLE}" = "1" ]; then
+        if ! sbsign --key ${UEFI_SIGN_KEYDIR}/DB.key \
+                    --cert ${UEFI_SIGN_KEYDIR}/DB.crt \
+                     --output ${WORKDIR}/UnLock-signed.efi \
+                    ${B}/UnLock.efi; then
+            bbfatal "Failed to sign UnLock.efi"
+        fi
 
-    if ! sbverify --cert ${UEFI_SIGN_KEYDIR}/DB.crt \
-                   ${D}${datadir}/efitools/efi/UnLock-signed.efi; then
-        bbfatal "Failed to verify UnLock-signed.efi"
-    fi
+        if ! sbverify --cert ${UEFI_SIGN_KEYDIR}/DB.crt \
+                    ${WORKDIR}/UnLock-signed.efi; then
+            bbfatal "Failed to verify UnLock-signed.efi"
+        fi
 
-    install -m 0600 ${D}${datadir}/efitools/efi/UnLock-signed.efi ${DEPLOYDIR}
-    install -m 0600 ${WORKDIR}/unlock.conf ${DEPLOYDIR}
+        install -m 0600 ${WORKDIR}/UnLock-signed.efi ${DEPLOYDIR}
+        install -m 0600 ${WORKDIR}/unlock.conf ${DEPLOYDIR}
+    fi
 }
 addtask deploy after do_install before do_build