
[v4,08/13] u-boot: Setup UEFI and Secure Boot

Message ID 20240829163209.47945-9-javier.tia@linaro.org
State New
Series qemuarm64-secureboot: Add UEFI Secure Boot | expand

Commit Message

Javier Tia Aug. 29, 2024, 4:32 p.m. UTC
Add U-Boot minimal UEFI definitions.

Embed UEFI variables with the previously generated keys. This is to
enable UEFI Secure Boot and verify the authenticity of the firmware and
operating system.

When U-Boot is built with UEFI support, it includes a set of efivars
that are used to store the Secure Boot variables. These efivars are
embedded in the U-Boot binary and are stored in the flash memory of the
system.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 .../u-boot/u-boot-qemuarm64-secureboot.inc     | 18 ++++++++++++++++++
 .../u-boot/u-boot/uefi-secureboot.cfg          | 10 ++++++++++
 .../recipes-bsp/u-boot/u-boot_%.bbappend       |  2 +-
 3 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
 create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg

Comments

Jon Mason Aug. 30, 2024, 2:23 p.m. UTC | #1
On Thu, Aug 29, 2024 at 10:32:04AM -0600, Javier Tia wrote:
> Add U-Boot minimal UEFI definitions.
> 
> Embedded UEFI variables with the keys previously generated. It's to
> enable UEFI Secure Boot and verify the authenticity of the firmware and
> operating system.
> 
> When U-Boot is built with UEFI support, it includes a set of efivars
> that are used to store the Secure Boot variables. These efivars are
> embedded in the U-Boot binary and are stored in the flash memory of the
> system.
> 
> Signed-off-by: Javier Tia <javier.tia@linaro.org>
> ---
>  .../u-boot/u-boot-qemuarm64-secureboot.inc     | 18 ++++++++++++++++++
>  .../u-boot/u-boot/uefi-secureboot.cfg          | 10 ++++++++++
>  .../recipes-bsp/u-boot/u-boot_%.bbappend       |  2 +-
>  3 files changed, 29 insertions(+), 1 deletion(-)
>  create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
>  create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg
> 
> diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
> new file mode 100644
> index 00000000..ffad08e4
> --- /dev/null
> +++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
> @@ -0,0 +1,18 @@
> +FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
> +
> +SRC_URI += "file://uefi-secureboot.cfg"
> +
> +UBOOT_BOARDDIR = "${S}/board/emulation/qemu-arm"
> +UBOOT_ENV_NAME = "qemu-arm.env"

I'm not seeing these variables referenced anywhere (but I could be
missing it).  Per my comment below, if they were removed this could be generic.

> +
> +DEPENDS += 'python3-pyopenssl-native'
> +
> +do_compile:prepend() {
> +    export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1
> +
> +    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n pk  -d "${UEFI_SB_KEYS_DIR}"/PK.esl  -t file
> +    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n kek -d "${UEFI_SB_KEYS_DIR}"/KEK.esl -t file
> +    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n db  -d "${UEFI_SB_KEYS_DIR}"/db.esl  -t file
> +    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n dbx -d "${UEFI_SB_KEYS_DIR}"/dbx.esl -t file
> +    "${S}"/tools/efivar.py print -i "${S}"/ubootefi.var
> +}
> diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg
> new file mode 100644
> index 00000000..d2edb5fb
> --- /dev/null
> +++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg
> @@ -0,0 +1,10 @@
> +CONFIG_CMD_BOOTMENU=y
> +CONFIG_USE_BOOTCOMMAND=y
> +CONFIG_BOOTCOMMAND="bootmenu"
> +CONFIG_USE_PREBOOT=y
> +CONFIG_EFI_VAR_BUF_SIZE=65536
> +CONFIG_FIT_SIGNATURE=y
> +CONFIG_EFI_SECURE_BOOT=y
> +CONFIG_EFI_VARIABLES_PRESEED=y
> +CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig"
> +CONFIG_PREBOOT_DEFINED=y
> \ No newline at end of file
> diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend b/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend
> index 11f332ad..ee815b6a 100644
> --- a/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend
> +++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend
> @@ -5,6 +5,6 @@ MACHINE_U-BOOT_REQUIRE:corstone1000 = "u-boot-corstone1000.inc"
>  MACHINE_U-BOOT_REQUIRE:fvp-base = "u-boot-fvp-base.inc"
>  MACHINE_U-BOOT_REQUIRE:juno = "u-boot-juno.inc"
>  MACHINE_U-BOOT_REQUIRE:tc = "u-boot-tc.inc"
> +MACHINE_U-BOOT_REQUIRE += "${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'u-boot-qemuarm64-secureboot.inc', '', d)}"

This seems like it should be generic, but references
"qemuarm64-secureboot"

>  
>  require ${MACHINE_U-BOOT_REQUIRE}
> -
> -- 
> 2.46.0
> 
>

Patch

diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
new file mode 100644
index 00000000..ffad08e4
--- /dev/null
+++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
@@ -0,0 +1,18 @@ 
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += "file://uefi-secureboot.cfg"
+
+UBOOT_BOARDDIR = "${S}/board/emulation/qemu-arm"
+UBOOT_ENV_NAME = "qemu-arm.env"
+
+DEPENDS += 'python3-pyopenssl-native'
+
+do_compile:prepend() {
+    export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1
+
+    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n pk  -d "${UEFI_SB_KEYS_DIR}"/PK.esl  -t file
+    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n kek -d "${UEFI_SB_KEYS_DIR}"/KEK.esl -t file
+    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n db  -d "${UEFI_SB_KEYS_DIR}"/db.esl  -t file
+    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n dbx -d "${UEFI_SB_KEYS_DIR}"/dbx.esl -t file
+    "${S}"/tools/efivar.py print -i "${S}"/ubootefi.var
+}
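Review bot: `do_compile:prepend` uses `${UEFI_SB_KEYS_DIR}` on the four `efivar.py set` lines without checking that it is set or that the ESL files exist, and nothing in this include defines or documents where it comes from; if the variable is undefined the paths collapse to `/PK.esl` and the task dies with an opaque tool error. I would open the function with `[ -d "${UEFI_SB_KEYS_DIR}" ] || bbfatal "UEFI_SB_KEYS_DIR is unset or does not exist; generate the Secure Boot keys first"` and add a line comment above the `set` calls, `# Preseed PK/KEK/db/dbx into ubootefi.var so they are embedded in the U-Boot binary (CONFIG_EFI_VARIABLES_PRESEED)`. It is also worth a one-line comment stating which recipe or class is expected to provide `UEFI_SB_KEYS_DIR`, since the include cannot be used standalone without it. If `efivar.py set` does not overwrite an existing `ubootefi.var` (I cannot tell from here), a rerun of do_compile in a dirty ${S} would accumulate stale entries; removing the file before the first `set` would make the step idempotent.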
diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg
new file mode 100644
index 00000000..d2edb5fb
--- /dev/null
+++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg
@@ -0,0 +1,10 @@ 
+CONFIG_CMD_BOOTMENU=y
+CONFIG_USE_BOOTCOMMAND=y
+CONFIG_BOOTCOMMAND="bootmenu"
+CONFIG_USE_PREBOOT=y
+CONFIG_EFI_VAR_BUF_SIZE=65536
+CONFIG_FIT_SIGNATURE=y
+CONFIG_EFI_SECURE_BOOT=y
+CONFIG_EFI_VARIABLES_PRESEED=y
+CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig"
+CONFIG_PREBOOT_DEFINED=y
\ No newline at end of file
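Review bot: The fragment ends without a trailing newline (the `\ No newline at end of file` marker on the last line) and carries no comment explaining the non-obvious choices, so a reader cannot tell why `CONFIG_FIT_SIGNATURE=y` belongs in a UEFI Secure Boot fragment or how `CONFIG_EFI_VAR_BUF_SIZE=65536` was sized. I would add a terminating newline and a short header such as `# UEFI Secure Boot: PK/KEK/db/dbx are preseeded from ubootefi.var (see u-boot-qemuarm64-secureboot.inc)` and, above the buffer size, `# Must hold all four preseeded ESLs; revisit if dbx grows`, as that constraint is presumably what bounds the preseed and should be confirmed. A one-line comment on `CONFIG_FIT_SIGNATURE=y` stating what signed FIT image, if any, this build verifies would also help, since the rest of the fragment is UEFI-only.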
diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend b/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend
index 11f332ad..ee815b6a 100644
--- a/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend
+++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend
@@ -5,6 +5,6 @@  MACHINE_U-BOOT_REQUIRE:corstone1000 = "u-boot-corstone1000.inc"
 MACHINE_U-BOOT_REQUIRE:fvp-base = "u-boot-fvp-base.inc"
 MACHINE_U-BOOT_REQUIRE:juno = "u-boot-juno.inc"
 MACHINE_U-BOOT_REQUIRE:tc = "u-boot-tc.inc"
+MACHINE_U-BOOT_REQUIRE += "${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'u-boot-qemuarm64-secureboot.inc', '', d)}"
 
 require ${MACHINE_U-BOOT_REQUIRE}
-
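Review bot: The new `MACHINE_U-BOOT_REQUIRE += ...` line appends to the base variable, but the per-machine assignments above it (`:corstone1000`, `:fvp-base`, `:juno`, `:tc`) are plain `=` overrides that take precedence over the base value, so on those machines the secure-boot include is never required even when `uefi-secureboot` is in MACHINE_FEATURES. If the intent is to honour the feature on every machine, the conditional should be `MACHINE_U-BOOT_REQUIRE:append = " ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'u-boot-qemuarm64-secureboot.inc', '', d)}"`, which is applied after override resolution; if it is deliberately limited to machines without their own override, a comment saying so would prevent the next reader from assuming the feature flag alone is sufficient. Note that `+=` with an empty result still leaves a trailing space in the variable, which `require` tolerates but which shows up in variable dumps.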