Read and measure an EFI file into initrd during init

boards/qemu-linuxboot/qemu-linuxboot.config

@@ -1,6 +1,6 @@
 # Configuration for emulating LinuxBoot+Heads with qemu
 #
-CONFIG_LINUXBOOT=y
+export CONFIG_LINUXBOOT=y
 CONFIG_LINUXBOOT_BOARD=qemu
 CONFIG_LINUX_CONFIG=config/linux-linuxboot.config
 

initrd/bin/cbfs-init

@@ -3,8 +3,8 @@ set -e -o pipefail
 . /etc/functions
 
 # Update initrd with CBFS files
-if [ -z "$CBFS_PCR" ]; then
-	CBFS_PCR=7
+if [ -z "$CONFIG_PCR" ]; then
+	CONFIG_PCR=7
 fi
 
 # Load individual files
@@ -22,13 +22,10 @@ for cbfsname in `echo $cbfsfiles`; do
 			TMPFILE=/tmp/cbfs.$$
 			echo "$filename" > $TMPFILE
 			cat $filename >> $TMPFILE
-			tpm extend -ix "$CBFS_PCR" -if $TMPFILE \
+			tpm extend -ix "$CONFIG_PCR" -if $TMPFILE \
 			|| die "$filename: tpm extend failed"
 		fi
 	fi
 done
 
-# TODO: copy CBFS file named "initrd.tgz" to /tmp, measure and extract
-
-# Post processing of keys
-gpg --import /.gnupg/keys/* 2>/dev/null || true
+# TODO: copy CBFS file named "heads/initrd.tgz" to /tmp, measure and extract

initrd/bin/key-init

@@ -0,0 +1,8 @@
+#!/bin/ash
+set -e -o pipefail
+. /etc/functions
+
+# Post processing of keys
+gpg --import /.gnupg/keys/* 2>/dev/null || true
+
+# TODO: split out gpg keys into multiple rings by function

initrd/bin/uefi-init

@@ -0,0 +1,28 @@
+#!/bin/ash
+set -e -o pipefail
+. /etc/functions
+
+# Update initrd with CBFS files
+if [ -z "$CONFIG_PCR" ]; then
+	CONFIG_PCR=7
+fi
+
+CONFIG_GUID="74696e69-6472-632e-7069-6f2f75736572"
+
+# copy EFI file named $CONFIG_GUID to /tmp, measure and extract
+GUID=`uefi -l | grep "^$CONFIG_GUID"`
+
+if [ -n "GUID" ]; then
+	echo "Loading $GUID from ROM"
+	TMPFILE=/tmp/uefi.$$
+	uefi -r $GUID | gunzip -c > $TMPFILE \
+	|| die "Failed to read config GUID from ROM"
+
+	if [ "$CONFIG_TPM" = "y" ]; then
+		tpm extend -ix "$CONFIG_PCR" -if $TMPFILE \
+		|| die "$filename: tpm extend failed"
+	fi
+
+	( cd / ; cpio -iud < $TMPFILE 2>/dev/null ) \
+	|| die "Failed to extract config GUID"
+fi

initrd/init

@@ -54,6 +54,10 @@ fi
 if [ "$CONFIG_COREBOOT" = "y" ]; then
 	/bin/cbfs-init
 fi
+if [ "$CONFIG_LINUXBOOT" = "y" ]; then
+	/bin/uefi-init
+fi
+/bin/key-init
 
 # Setup recovery serial shell
 if [ ! -z "$CONFIG_BOOT_RECOVERY_SERIAL" ]; then

modules/flashtools

@@ -21,6 +21,7 @@ flashtools_output := \
 	peek \
 	poke \
 	cbfs \
+	uefi \
 
 flashtools_libraries := \
 

modules/linuxboot

@@ -24,10 +24,15 @@ linuxboot_configure := \
 	fi ; \
 	touch .config ; \
 
+ifdef CUSTOM
+	CUSTOMPWD=$(pwd)/$(CUSTOM)
+endif
+
 linuxboot_target := \
 	BOARD=$(linuxboot_board) \
 	KERNEL=$(build)/$(BOARD)/bzImage \
 	INITRD=$(build)/$(BOARD)/initrd.cpio.xz \
+	CUSTOM=$(CUSTOMPWD) \
 	$(if $(CONFIG_LINUXBOOT_ROM), ROM=$(pwd)/$(CONFIG_LINUXBOOT_ROM)) \
 	all
 
@@ -74,4 +79,5 @@ linuxboot.run: $(build)/$(BOARD)/linuxboot.rom
 		BOARD:=$(linuxboot_board) \
 		KERNEL=$(build)/$(BOARD)/bzImage \
 		INITRD=$(build)/$(BOARD)/initrd.cpio.xz \
+		CUSTOM=$(CUSTOMPWD) \
 		run