
[v4,10/13] linux-yocto: Setup UEFI and sign kernel image

Message ID 20240829163209.47945-11-javier.tia@linaro.org
State New
Series qemuarm64-secureboot: Add UEFI Secure Boot | expand

Commit Message

Javier Tia Aug. 29, 2024, 4:32 p.m. UTC
The efivarfs kernel module is required to access EFI variables.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 .../core-image-minimal-uefi-secureboot.inc    |  8 ++++++++
 .../linux/linux-yocto%.bbappend               |  2 ++
 .../linux/linux-yocto-uefi-secureboot.inc     | 19 +++++++++++++++++++
 3 files changed, 29 insertions(+)
 create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc

Comments

Jon Mason Aug. 30, 2024, 3:16 p.m. UTC | #1
On Thu, Aug 29, 2024 at 10:32:06AM -0600, Javier Tia wrote:
> efivarfs kernel module is required to access EFI vars.
> 
> Signed-off-by: Javier Tia <javier.tia@linaro.org>
> ---
>  .../core-image-minimal-uefi-secureboot.inc    |  8 ++++++++
>  .../linux/linux-yocto%.bbappend               |  2 ++
>  .../linux/linux-yocto-uefi-secureboot.inc     | 19 +++++++++++++++++++
>  3 files changed, 29 insertions(+)
>  create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc
> 
> diff --git a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
> index 2232d3b3..06046f6e 100644
> --- a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
> +++ b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
> @@ -1,3 +1,11 @@
>  inherit uefi-sb-keys
>  
>  WKS_FILE = "efi-disk-no-swap.wks.in"
> +
> +# Detected by passing kernel parameter
> +QB_KERNEL_ROOT = ""
> +
> +# kernel is in the image, should not be loaded separately
> +QB_DEFAULT_KERNEL = "none"
> +

QB's are qemu testing variables.  I don't think they should be here.
Either move them to the machine conf, or the yml file, or make a
machine just for this based on qemuarm64-secureboot.

> +KERNEL_IMAGETYPE = "Image"
> diff --git a/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend b/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
> index a287d0e1..29c21355 100644
> --- a/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
> +++ b/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
> @@ -25,3 +25,5 @@ SRC_URI:append:qemuarm = " \
>  
>  FFA_TRANSPORT_INCLUDE = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', 'arm-ffa-transport.inc', '' , d)}"
>  require ${FFA_TRANSPORT_INCLUDE}
> +
> +require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'linux-yocto-uefi-secureboot.inc', '', d)}
> \ No newline at end of file
> diff --git a/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc b/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc
> new file mode 100644
> index 00000000..cb62fdee
> --- /dev/null
> +++ b/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc
> @@ -0,0 +1,19 @@
> +KERNEL_FEATURES += "cfg/efi-ext.scc"
> +
> +DEPENDS += 'gen-uefi-sb-keys'
> +
> +inherit sbsign
> +
> +SBSIGN_KEY = "${UEFI_SB_KEYS_DIR}/db.key"
> +SBSIGN_CERT = "${UEFI_SB_KEYS_DIR}/db.crt"
> +
> +# shell variable set inside do_compile task
> +SBSIGN_TARGET_BINARY = "$KERNEL_IMAGE"
> +
> +do_compile:append() {
> +    KERNEL_IMAGE=$(find ${B} -name ${KERNEL_IMAGETYPE} -print -quit)
> +    do_sbsign
> +}
> +
> +RRECOMMENDS:${PN} += "kernel-module-efivarfs"
> +RRECOMMENDS:${PN} += "kernel-module-efivars"
> -- 
> 2.46.0
> 
>

Patch

diff --git a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
index 2232d3b3..06046f6e 100644
--- a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
+++ b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
@@ -1,3 +1,11 @@ 
 inherit uefi-sb-keys
 
 WKS_FILE = "efi-disk-no-swap.wks.in"
+
+# Detected by passing kernel parameter
+QB_KERNEL_ROOT = ""
+
+# kernel is in the image, should not be loaded separately
+QB_DEFAULT_KERNEL = "none"
+
+KERNEL_IMAGETYPE = "Image"
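Review bot: `KERNEL_IMAGETYPE = "Image"` is set in an image include, but the value is consumed in linux-yocto-uefi-secureboot.inc, where `do_compile:append` searches for `${KERNEL_IMAGETYPE}`. If this include is only pulled in by the image recipe, the assignment stays in that recipe's datastore and the kernel recipe keeps whatever the machine configuration gives it, so the file that gets signed is decided elsewhere. Setting it in the machine configuration, where both recipes see the same value, would make the signed artifact and the image contents agree by construction.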
diff --git a/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend b/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
index a287d0e1..29c21355 100644
--- a/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
+++ b/meta-arm/recipes-kernel/linux/linux-yocto%.bbappend
@@ -25,3 +25,5 @@  SRC_URI:append:qemuarm = " \
 
 FFA_TRANSPORT_INCLUDE = "${@bb.utils.contains('MACHINE_FEATURES', 'arm-ffa', 'arm-ffa-transport.inc', '' , d)}"
 require ${FFA_TRANSPORT_INCLUDE}
+
+require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'linux-yocto-uefi-secureboot.inc', '', d)}
\ No newline at end of file
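Review bot: The added `require` leaves linux-yocto%.bbappend without a trailing newline, and it inlines the `bb.utils.contains` expression where the line directly above uses a named variable (`FFA_TRANSPORT_INCLUDE`) for the same pattern. For consistency, and so the include can be overridden, I would write `UEFI_SB_INCLUDE = "${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'linux-yocto-uefi-secureboot.inc', '', d)}"` followed by `require ${UEFI_SB_INCLUDE}` (the variable name is only a suggestion), and end the file with a newline. The rest of the bbappend is outside this hunk.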
diff --git a/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc b/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc
new file mode 100644
index 00000000..cb62fdee
--- /dev/null
+++ b/meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc
@@ -0,0 +1,19 @@ 
+KERNEL_FEATURES += "cfg/efi-ext.scc"
+
+DEPENDS += 'gen-uefi-sb-keys'
+
+inherit sbsign
+
+SBSIGN_KEY = "${UEFI_SB_KEYS_DIR}/db.key"
+SBSIGN_CERT = "${UEFI_SB_KEYS_DIR}/db.crt"
+
+# shell variable set inside do_compile task
+SBSIGN_TARGET_BINARY = "$KERNEL_IMAGE"
+
+do_compile:append() {
+    KERNEL_IMAGE=$(find ${B} -name ${KERNEL_IMAGETYPE} -print -quit)
+    do_sbsign
+}
+
+RRECOMMENDS:${PN} += "kernel-module-efivarfs"
+RRECOMMENDS:${PN} += "kernel-module-efivars"
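Review bot: The image to sign is chosen by `find ${B} -name ${KERNEL_IMAGETYPE} -print -quit` in `do_compile:append`, which takes whichever match comes first and leaves `KERNEL_IMAGE` empty when nothing matches, so `do_sbsign` may run on the wrong file or on an empty target without the build reporting it. Name the path directly, `KERNEL_IMAGE="${B}/${KERNEL_OUTPUT_DIR}/${KERNEL_IMAGETYPE}"`, and stop the task when it is absent, `[ -f "$KERNEL_IMAGE" ] || bbfatal "kernel image to sign not found: $KERNEL_IMAGE"`. The sbsign class is not part of this patch, so it is worth confirming that the signed output replaces the file that do_install and do_deploy later pick up; otherwise the deployed kernel would be the unsigned one and would only be rejected at boot. A comment above `SBSIGN_KEY`, such as `# db.key/db.crt are produced by gen-uefi-sb-keys during the build`, would also record that the private signing key presumably lives in the build tree.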