kernel-balena: Only sign initramfs for EFI machines

UEFI firmware in secure boot needs to authenticate the kernel plus initramfs in the chain of trust. Other firmware implements secure boot differently and does not need this. Change-type: patch Signed-off-by: Alex Gonzalez <alexg@balena.io>
balena-os · Jan 12, 2024 · 5e56bc8 · 5e56bc8
1 parent c491f7d
commit 5e56bc8
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/meta-balena-common/classes/kernel-balena.bbclass b/meta-balena-common/classes/kernel-balena.bbclass
@@ -1064,7 +1064,7 @@ do_configure[vardeps] += " \
 
 # Because we chain signatures here, the signed artifact is different for each
 # and defined in :prepend for each task
-SIGNING_ARTIFACTS_BASE = "${B}/${KERNEL_OUTPUT_DIR}/${KERNEL_IMAGETYPE}.initramfs"
+SIGNING_ARTIFACTS_BASE = "${@bb.utils.contains('MACHINE_FEATURES', 'efi', "${B}/${KERNEL_OUTPUT_DIR}/${KERNEL_IMAGETYPE}.initramfs", '', d)}" 
 addtask sign_efi before do_deploy after do_bundle_initramfs
 addtask sign_gpg before do_deploy after do_sign_efi