Message ID | 20240829163209.47945-11-javier.tia@linaro.org |
---|---|
State | New |
Series | qemuarm64-secureboot: Add UEFI Secure Boot |
On Thu, Aug 29, 2024 at 10:32:06AM -0600, Javier Tia wrote: > efivarfs kernel module is required to access EFI vars. > > Signed-off-by: Javier Tia <javier.tia@linaro.org> > --- > .../core-image-minimal-uefi-secureboot.inc | 8 ++++++++ > .../linux/linux-yocto%.bbappend | 2 ++ > .../linux/linux-yocto-uefi-secureboot.inc | 19 +++++++++++++++++++ > 3 files changed, 29 insertions(+) > create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc > > diff --git a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc > index 2232d3b3..06046f6e 100644 > --- a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc > +++ b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc > @@ -1,3 +1,11 @@ > inherit uefi-sb-keys > > WKS_FILE = "efi-disk-no-swap.wks.in" > + > +# Detected by passing kernel parameter > +QB_KERNEL_ROOT = "" > + > +# kernel is in the image, should not be loaded separately > +QB_DEFAULT_KERNEL = "none" > + QB's are qemu testing variables. I don't think they should be here. Either move them to the machine conf, or the yml file, or make a machine just for this based on qemuarm64-secureboot. > +KERNEL_IMAGETYPE = "Image" > diff --git a/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend b/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend > index a287d0e1..29c21355 100644 > --- a/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend > +++ b/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend > @@ -25,3 +25,5 @@ SRC_URI:append:qemuarm = " \ > > FFA_TRANSPORT_INCLUDE = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', 'arm-ffa-transport.inc', '' , d)}" > require ${FFA_TRANSPORT_INCLUDE} > + > +require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'linux-yocto-uefi-secureboot.inc', '', d)} > \ No newline at end of file 
> diff --git a/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc b/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc > new file mode 100644 > index 00000000..cb62fdee > --- /dev/null > +++ b/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc > @@ -0,0 +1,19 @@ > +KERNEL_FEATURES += "cfg/efi-ext.scc" > + > +DEPENDS += 'gen-uefi-sb-keys' > + > +inherit sbsign > + > +SBSIGN_KEY = "${UEFI_SB_KEYS_DIR}/db.key" > +SBSIGN_CERT = "${UEFI_SB_KEYS_DIR}/db.crt" > + > +# shell variable set inside do_compile task > +SBSIGN_TARGET_BINARY = "$KERNEL_IMAGE" > + > +do_compile:append() { > + KERNEL_IMAGE=$(find ${B} -name ${KERNEL_IMAGETYPE} -print -quit) > + do_sbsign > +} > + > +RRECOMMENDS:${PN} += "kernel-module-efivarfs" > +RRECOMMENDS:${PN} += "kernel-module-efivars" > -- > 2.46.0 > >
diff --git a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc index 2232d3b3..06046f6e 100644 --- a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc +++ b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc @@ -1,3 +1,11 @@ inherit uefi-sb-keys WKS_FILE = "efi-disk-no-swap.wks.in" + +# Detected by passing kernel parameter +QB_KERNEL_ROOT = "" + +# kernel is in the image, should not be loaded separately +QB_DEFAULT_KERNEL = "none" + +KERNEL_IMAGETYPE = "Image" diff --git a/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend b/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend index a287d0e1..29c21355 100644 --- a/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend +++ b/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend @@ -25,3 +25,5 @@ SRC_URI:append:qemuarm = " \ FFA_TRANSPORT_INCLUDE = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', 'arm-ffa-transport.inc', '' , d)}" require ${FFA_TRANSPORT_INCLUDE} + +require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'linux-yocto-uefi-secureboot.inc', '', d)} \ No newline at end of file diff --git a/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc b/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc new file mode 100644 index 00000000..cb62fdee --- /dev/null +++ b/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc @@ -0,0 +1,19 @@ +KERNEL_FEATURES += "cfg/efi-ext.scc" + +DEPENDS += 'gen-uefi-sb-keys' + +inherit sbsign + +SBSIGN_KEY = "${UEFI_SB_KEYS_DIR}/db.key" +SBSIGN_CERT = "${UEFI_SB_KEYS_DIR}/db.crt" + +# shell variable set inside do_compile task +SBSIGN_TARGET_BINARY = "$KERNEL_IMAGE" + +do_compile:append() { + KERNEL_IMAGE=$(find ${B} -name ${KERNEL_IMAGETYPE} -print -quit) + do_sbsign +} + +RRECOMMENDS:${PN} += "kernel-module-efivarfs" +RRECOMMENDS:${PN} += "kernel-module-efivars"
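Review bot: KERNEL_IMAGETYPE = "Image" at the end of the core-image-minimal-uefi-secureboot.inc hunk is set in an image include, so it is scoped to the image recipe and is not visible to linux-yocto, yet the new linux-yocto-uefi-secureboot.inc relies on ${KERNEL_IMAGETYPE} in its find to pick the binary to sign. If the signing step depends on this value, set it in the machine configuration (or confirm the machine already sets it and drop the line here), so the kernel recipe and the image agree on which artifact is signed and installed.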
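Review bot: the added require line in the linux-yocto%.bbappend hunk is the last line of the file and has no trailing newline (the diff shows "\ No newline at end of file"); please end the file with a newline so the next change to it does not also touch this line. For consistency with the FFA_TRANSPORT_INCLUDE lines just above it, consider assigning the bb.utils.contains() result to a named variable and requiring that variable.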
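Review bot: in do_compile:append of linux-yocto-uefi-secureboot.inc the result of find is never checked, so when nothing under ${B} is named ${KERNEL_IMAGETYPE} the task calls do_sbsign with an empty KERNEL_IMAGE, and with -print -quit it signs whichever match find reaches first, not a known path. Suggest quoting the expansions and failing explicitly, for example [ -n "$KERNEL_IMAGE" ] || bbfatal "kernel image not found", or signing the known boot output path directly. Separately, the commit message mentions only efivarfs, while this hunk also enables kernel signing with db.key and recommends kernel-module-efivars; the message should cover both, or the patch should be split.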
efivarfs kernel module is required to access EFI vars. Signed-off-by: Javier Tia <javier.tia@linaro.org> --- .../core-image-minimal-uefi-secureboot.inc | 8 ++++++++ .../linux/linux-yocto%.bbappend | 2 ++ .../linux/linux-yocto-uefi-secureboot.inc | 19 +++++++++++++++++++ 3 files changed, 29 insertions(+) create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc