mbox series

[v3,00/13] qemuarm64-secureboot: Add UEFI Secure Boot

Message ID 20240822014335.3394568-1-javier.tia@linaro.org
Headers show
Series qemuarm64-secureboot: Add UEFI Secure Boot | expand

Message

Javier Tia Aug. 22, 2024, 1:43 a.m. UTC
Hi,

Addressing comments from patch series v2.

A backport from meta-ts with the minimal changes to add UEFI Secure Boot
into qemuarm64-secureboot machine.

Requirements:

  - Create a UEFI disk partition to copy EFI apps.

  - Add UEFI settings to U-Boot, systemd-boot, and Linux kernel.

  - UEFI keys are to be stored in U-Boot and used to sign systemd-boot
    and Linux kernel images.

  - Add systemd as Init manager to auto-mount efivarfs.

Introduces uefi-secureboot machine feature.

UEFI keys must be genereated in order to be added to U-Boot. Sign both
systemd-boot EFI app and Linux kernel image.

Build and verification steps:

$ kas build 'ci/qemuarm64-secureboot.yml:ci/testimage.yml'

---

Changes since v2:
- Remove commit "qemuarm64-secureboot.yml: Set branch to scarthgap".

Changes since v1:
- Rework all subject commits to follow OE, Yocto, and meta-arm guidelines.
- Add gen-uefi-sb-keys.bb recipe to generate UEFI keys.
- Add an OE test to validate UEFI Secure Boot.
- Simplify gen_uefi_keys.sh to avoid code repetition.
- Replace grub with systemd-boot.
- Simplify signing binary images with sbsign class.
- Set OE branch to Scarthgap

Changes since the v0:
- Remove u-boot recipe.
- Split the change in several commits.
- Remove sample UEFI keys.
- Validate UEFI keys exist before building.
- Insolate most of changes under uefi-secureboot machine feature.

Javier Tia (13):
  qemuarm64-secureboot: Introduce uefi-secureboot machine feature
  core-image-base: Use UEFI layout disk partitions
  layer.conf: Introduce UEFI_SB_KEYS_DIR
  uefi-sb-keys.bbclass: Add class to validate UEFI keys
  sbsign.bbclass: Add class to sign binaries
  core-image-base: Inherit uefi-sb-keys
  meta-arm: Introduce gen-uefi-sb-keys.bb recipe
  u-boot: Setup UEFI and Secure Boot
  qemuarm64-secureboot: Add meta-secure-core layer as dependency
  linux-yocto: Setup UEFI and sign kernel image
  systemd: Add UEFI support
  systemd-boot: Use it as bootloader & sign UEFI image
  meta-arm: Add UEFI Secure Boot test

 ci/qemuarm64-secureboot.yml                   | 14 ++++---
 .../core-image-base-uefi-secureboot.inc       | 17 ++++++++
 .../images/core-image-base.bbappend           |  1 +
 .../u-boot/u-boot-qemuarm64-secureboot.inc    | 18 +++++++++
 .../u-boot/u-boot/uefi-secureboot.cfg         | 10 +++++
 .../recipes-bsp/u-boot/u-boot_%.bbappend      |  2 +-
 meta-arm-bsp/wic/efi-disk-no-swap.wks.in      |  2 +-
 meta-arm/classes/sbsign.bbclass               | 39 +++++++++++++++++++
 meta-arm/classes/uefi-sb-keys.bbclass         | 24 ++++++++++++
 meta-arm/conf/layer.conf                      |  2 +
 .../conf/machine/qemuarm64-secureboot.conf    |  8 ++++
 .../oeqa/runtime/cases/uefi_secure_boot.py    | 32 +++++++++++++++
 meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb | 26 +++++++++++++
 .../systemd/systemd-boot-uefi-secureboot.inc  | 12 ++++++
 .../systemd/systemd-boot_%.bbappend           |  1 +
 meta-arm/recipes-core/systemd/systemd-efi.inc |  1 +
 .../recipes-core/systemd/systemd_%.bbappend   |  1 +
 .../linux/linux-yocto%.bbappend               |  2 +
 .../linux/linux-yocto-uefi-secureboot.inc     | 19 +++++++++
 meta-arm/uefi-sb-keys/.gitignore              |  4 ++
 meta-arm/uefi-sb-keys/gen_uefi_keys.sh        | 33 ++++++++++++++++
 21 files changed, 261 insertions(+), 7 deletions(-)
 create mode 100644 meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
 create mode 100644 meta-arm-bsp/recipes-bsp/images/core-image-base.bbappend
 create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
 create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg
 create mode 100644 meta-arm/classes/sbsign.bbclass
 create mode 100644 meta-arm/classes/uefi-sb-keys.bbclass
 create mode 100644 meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py
 create mode 100644 meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb
 create mode 100644 meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
 create mode 100644 meta-arm/recipes-core/systemd/systemd-boot_%.bbappend
 create mode 100644 meta-arm/recipes-core/systemd/systemd-efi.inc
 create mode 100644 meta-arm/recipes-core/systemd/systemd_%.bbappend
 create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc
 create mode 100644 meta-arm/uefi-sb-keys/.gitignore
 create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh