| Message ID | 20240829163209.47945-1-javier.tia@linaro.org |
|---|---|
| Headers | show |
| Series | qemuarm64-secureboot: Add UEFI Secure Boot | expand |
Looks like this series is not building for me. I'm seeing the following error: ERROR: /builder/meta-arm/build/../poky/meta/recipes-kernel/linux/linux-yocto_6.10.bb: Unable to get checksum for linux-yocto SRC_URI entry db.key: file could not be found | ETA: 0:00:12 The following paths were searched: /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key ERROR: Parsing halted due to errors, see error messages above | ETA: 0:00:14 ERROR: /builder/meta-arm/build/../poky/meta/recipes-core/systemd/systemd-boot_256.5.bb: Unable to get checksum for systemd-boot SRC_URI entry db.key: file could not be found The following paths were searched: /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key ERROR: /builder/meta-arm/build/../poky/meta/recipes-kernel/linux/linux-yocto_6.6.bb: Unable to get checksum for linux-yocto SRC_URI entry db.key: file could not be found The following paths were searched: /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key I've not looked into it, but it's being seen on mulitple setups and is trivial to replicate with: kas build ci/qemuarm64-secureboot.yml:ci/testimage.yml Thanks, Jon On Thu, Aug 29, 2024 at 10:31:56AM -0600, Javier Tia wrote: > Hi, > > Addressing comments from patch series v3. > > A backport from meta-ts with the minimal changes to add UEFI Secure Boot > into qemuarm64-secureboot machine. > > Requirements: > > - Create a UEFI disk partition to copy EFI apps. > > - Add UEFI settings to U-Boot, systemd-boot, and Linux kernel. > > - UEFI keys are to be stored in U-Boot and used to sign systemd-boot > and Linux kernel images. > > - Add systemd as Init manager to auto-mount efivarfs. > > Introduces uefi-secureboot machine feature. > > UEFI keys must be genereated in order to be added to U-Boot. Sign both > systemd-boot EFI app and Linux kernel image. > > Build and verification steps: > > $ kas build 'ci/qemuarm64-secureboot.yml:ci/testimage.yml' > > --- > > Changes since v3: > - For image creation use core-image-minimal, instead of core-image-base. > > Changes since v2: > - Remove commit "qemuarm64-secureboot.yml: Set branch to scarthgap". > > Changes since v1: > - Rework all subject commits to follow OE, Yocto, and meta-arm guidelines. > - Add gen-uefi-sb-keys.bb recipe to generate UEFI keys. > - Add an OE test to validate UEFI Secure Boot. > - Simplify gen_uefi_keys.sh to avoid code repetition. > - Replace grub with systemd-boot. > - Simplify signing binary images with sbsign class. > - Set OE branch to Scarthgap. > > Changes since the v0: > - Remove u-boot recipe. > - Split the change in several commits. > - Remove sample UEFI keys. > - Validate UEFI keys exist before building. > - Insolate most of changes under uefi-secureboot machine feature. > > Javier Tia (13): > qemuarm64-secureboot: Introduce uefi-secureboot machine feature > core-image-minimal: Use UEFI layout disk partitions > layer.conf: Introduce UEFI_SB_KEYS_DIR > uefi-sb-keys.bbclass: Add class to validate UEFI keys > sbsign.bbclass: Add class to sign binaries > core-image-minimal: Inherit uefi-sb-keys > meta-arm: Introduce gen-uefi-sb-keys.bb recipe > u-boot: Setup UEFI and Secure Boot > qemuarm64-secureboot: Add meta-secure-core layer as dependency > linux-yocto: Setup UEFI and sign kernel image > systemd: Add UEFI support > systemd-boot: Use it as bootloader & sign UEFI image > meta-arm: Add UEFI Secure Boot test > > ci/qemuarm64-secureboot.yml | 14 ++++--- > .../u-boot/u-boot-qemuarm64-secureboot.inc | 18 +++++++++ > .../u-boot/u-boot/uefi-secureboot.cfg | 10 +++++ > .../recipes-bsp/u-boot/u-boot_%.bbappend | 2 +- > meta-arm-bsp/wic/efi-disk-no-swap.wks.in | 2 +- > meta-arm/classes/sbsign.bbclass | 39 +++++++++++++++++++ > meta-arm/classes/uefi-sb-keys.bbclass | 24 ++++++++++++ > meta-arm/conf/layer.conf | 2 + > .../conf/machine/qemuarm64-secureboot.conf | 8 ++++ > .../oeqa/runtime/cases/uefi_secure_boot.py | 32 +++++++++++++++ > meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb | 26 +++++++++++++ > .../core-image-minimal-uefi-secureboot.inc | 17 ++++++++ > .../images/core-image-minimal.bbappend | 1 + > .../systemd/systemd-boot-uefi-secureboot.inc | 12 ++++++ > .../systemd/systemd-boot_%.bbappend | 1 + > meta-arm/recipes-core/systemd/systemd-efi.inc | 1 + > .../recipes-core/systemd/systemd_%.bbappend | 1 + > .../linux/linux-yocto%.bbappend | 2 + > .../linux/linux-yocto-uefi-secureboot.inc | 19 +++++++++ > meta-arm/uefi-sb-keys/.gitignore | 4 ++ > meta-arm/uefi-sb-keys/gen_uefi_keys.sh | 33 ++++++++++++++++ > 21 files changed, 261 insertions(+), 7 deletions(-) > create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc > create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg > create mode 100644 meta-arm/classes/sbsign.bbclass > create mode 100644 meta-arm/classes/uefi-sb-keys.bbclass > create mode 100644 meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py > create mode 100644 meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb > create mode 100644 meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc > create mode 100644 meta-arm/recipes-core/images/core-image-minimal.bbappend > create mode 100644 meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc > create mode 100644 meta-arm/recipes-core/systemd/systemd-boot_%.bbappend > create mode 100644 meta-arm/recipes-core/systemd/systemd-efi.inc > create mode 100644 meta-arm/recipes-core/systemd/systemd_%.bbappend > create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc > create mode 100644 meta-arm/uefi-sb-keys/.gitignore > create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh > > -- > 2.46.0 > >
Hi, On Thu, Aug 29, 2024 at 11:06:26PM -0400, Jon Mason wrote: > Looks like this series is not building for me. I'm seeing the > following error: > > ERROR: /builder/meta-arm/build/../poky/meta/recipes-kernel/linux/linux-yocto_6.10.bb: Unable to get checksum for linux-yocto SRC_URI entry db.key: file could not be found | ETA: 0:00:12 > The following paths were searched: > /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key > ERROR: Parsing halted due to errors, see error messages above | ETA: 0:00:14 > ERROR: /builder/meta-arm/build/../poky/meta/recipes-core/systemd/systemd-boot_256.5.bb: Unable to get checksum for systemd-boot SRC_URI entry db.key: file could not be found > The following paths were searched: > /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key > ERROR: /builder/meta-arm/build/../poky/meta/recipes-kernel/linux/linux-yocto_6.6.bb: Unable to get checksum for linux-yocto SRC_URI entry db.key: file could not be found > The following paths were searched: > /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key > > I've not looked into it, but it's being seen on mulitple setups and is > trivial to replicate with: > kas build ci/qemuarm64-secureboot.yml:ci/testimage.yml I think this is the secure boot key generation. You should run meta-arm/uefi-sb-keys/gen_uefi_keys.sh in meta-arm/uefi-sb-keys before building, or have some other way of distributing the keys to build machines. This could be part of a recipe but that would be fully non-reproducible. Maybe there is some kas way of running this script before bitbake build if the key files are not there? Cheers, -Mikko > Thanks, > Jon > > > On Thu, Aug 29, 2024 at 10:31:56AM -0600, Javier Tia wrote: > > Hi, > > > > Addressing comments from patch series v3. > > > > A backport from meta-ts with the minimal changes to add UEFI Secure Boot > > into qemuarm64-secureboot machine. > > > > Requirements: > > > > - Create a UEFI disk partition to copy EFI apps. > > > > - Add UEFI settings to U-Boot, systemd-boot, and Linux kernel. > > > > - UEFI keys are to be stored in U-Boot and used to sign systemd-boot > > and Linux kernel images. > > > > - Add systemd as Init manager to auto-mount efivarfs. > > > > Introduces uefi-secureboot machine feature. > > > > UEFI keys must be genereated in order to be added to U-Boot. Sign both > > systemd-boot EFI app and Linux kernel image. > > > > Build and verification steps: > > > > $ kas build 'ci/qemuarm64-secureboot.yml:ci/testimage.yml' > > > > --- > > > > Changes since v3: > > - For image creation use core-image-minimal, instead of core-image-base. > > > > Changes since v2: > > - Remove commit "qemuarm64-secureboot.yml: Set branch to scarthgap". > > > > Changes since v1: > > - Rework all subject commits to follow OE, Yocto, and meta-arm guidelines. > > - Add gen-uefi-sb-keys.bb recipe to generate UEFI keys. > > - Add an OE test to validate UEFI Secure Boot. > > - Simplify gen_uefi_keys.sh to avoid code repetition. > > - Replace grub with systemd-boot. > > - Simplify signing binary images with sbsign class. > > - Set OE branch to Scarthgap. > > > > Changes since the v0: > > - Remove u-boot recipe. > > - Split the change in several commits. > > - Remove sample UEFI keys. > > - Validate UEFI keys exist before building. > > - Insolate most of changes under uefi-secureboot machine feature. > > > > Javier Tia (13): > > qemuarm64-secureboot: Introduce uefi-secureboot machine feature > > core-image-minimal: Use UEFI layout disk partitions > > layer.conf: Introduce UEFI_SB_KEYS_DIR > > uefi-sb-keys.bbclass: Add class to validate UEFI keys > > sbsign.bbclass: Add class to sign binaries > > core-image-minimal: Inherit uefi-sb-keys > > meta-arm: Introduce gen-uefi-sb-keys.bb recipe > > u-boot: Setup UEFI and Secure Boot > > qemuarm64-secureboot: Add meta-secure-core layer as dependency > > linux-yocto: Setup UEFI and sign kernel image > > systemd: Add UEFI support > > systemd-boot: Use it as bootloader & sign UEFI image > > meta-arm: Add UEFI Secure Boot test > > > > ci/qemuarm64-secureboot.yml | 14 ++++--- > > .../u-boot/u-boot-qemuarm64-secureboot.inc | 18 +++++++++ > > .../u-boot/u-boot/uefi-secureboot.cfg | 10 +++++ > > .../recipes-bsp/u-boot/u-boot_%.bbappend | 2 +- > > meta-arm-bsp/wic/efi-disk-no-swap.wks.in | 2 +- > > meta-arm/classes/sbsign.bbclass | 39 +++++++++++++++++++ > > meta-arm/classes/uefi-sb-keys.bbclass | 24 ++++++++++++ > > meta-arm/conf/layer.conf | 2 + > > .../conf/machine/qemuarm64-secureboot.conf | 8 ++++ > > .../oeqa/runtime/cases/uefi_secure_boot.py | 32 +++++++++++++++ > > meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb | 26 +++++++++++++ > > .../core-image-minimal-uefi-secureboot.inc | 17 ++++++++ > > .../images/core-image-minimal.bbappend | 1 + > > .../systemd/systemd-boot-uefi-secureboot.inc | 12 ++++++ > > .../systemd/systemd-boot_%.bbappend | 1 + > > meta-arm/recipes-core/systemd/systemd-efi.inc | 1 + > > .../recipes-core/systemd/systemd_%.bbappend | 1 + > > .../linux/linux-yocto%.bbappend | 2 + > > .../linux/linux-yocto-uefi-secureboot.inc | 19 +++++++++ > > meta-arm/uefi-sb-keys/.gitignore | 4 ++ > > meta-arm/uefi-sb-keys/gen_uefi_keys.sh | 33 ++++++++++++++++ > > 21 files changed, 261 insertions(+), 7 deletions(-) > > create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc > > create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg > > create mode 100644 meta-arm/classes/sbsign.bbclass > > create mode 100644 meta-arm/classes/uefi-sb-keys.bbclass > > create mode 100644 meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py > > create mode 100644 meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb > > create mode 100644 meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc > > create mode 100644 meta-arm/recipes-core/images/core-image-minimal.bbappend > > create mode 100644 meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc > > create mode 100644 meta-arm/recipes-core/systemd/systemd-boot_%.bbappend > > create mode 100644 meta-arm/recipes-core/systemd/systemd-efi.inc > > create mode 100644 meta-arm/recipes-core/systemd/systemd_%.bbappend > > create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc > > create mode 100644 meta-arm/uefi-sb-keys/.gitignore > > create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh > > > > -- > > 2.46.0 > > > >
On Fri, Aug 30, 2024 at 09:10:46AM +0300, Mikko Rapeli wrote: > Hi, > > On Thu, Aug 29, 2024 at 11:06:26PM -0400, Jon Mason wrote: > > Looks like this series is not building for me. I'm seeing the > > following error: > > > > ERROR: /builder/meta-arm/build/../poky/meta/recipes-kernel/linux/linux-yocto_6.10.bb: Unable to get checksum for linux-yocto SRC_URI entry db.key: file could not be found | ETA: 0:00:12 > > The following paths were searched: > > /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key > > ERROR: Parsing halted due to errors, see error messages above | ETA: 0:00:14 > > ERROR: /builder/meta-arm/build/../poky/meta/recipes-core/systemd/systemd-boot_256.5.bb: Unable to get checksum for systemd-boot SRC_URI entry db.key: file could not be found > > The following paths were searched: > > /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key > > ERROR: /builder/meta-arm/build/../poky/meta/recipes-kernel/linux/linux-yocto_6.6.bb: Unable to get checksum for linux-yocto SRC_URI entry db.key: file could not be found > > The following paths were searched: > > /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key > > > > I've not looked into it, but it's being seen on mulitple setups and is > > trivial to replicate with: > > kas build ci/qemuarm64-secureboot.yml:ci/testimage.yml > > I think this is the secure boot key generation. You should run > meta-arm/uefi-sb-keys/gen_uefi_keys.sh in meta-arm/uefi-sb-keys before > building, or have some other way of distributing the keys to build machines. > > This could be part of a recipe but that would be fully non-reproducible. Honestly, I don't even look at the patches if it doesn't pass CI. It not generating keys as part of the build seems like a deal breaker. > Maybe there is some kas way of running this script before bitbake build > if the key files are not there? It is possible, but trying to add it is going to be difficult based on the rewrites that would be necessary based on the way the .gitlab-ci.yml file is laid out. Also, are we expecting a developer to know to run this and do this every time, or are we expecting to generate the keys once and reuse them? Even if the latter, i think generating them as part of the build is logical (perhaps with a detection for existing keys in the directory or something). Is it not possible to have some kind of bbappend on u-boot that adds a dependency on gen-uefi-sb-keys.bb and calls the script? Thanks, Jon > > Cheers, > > -Mikko > > > Thanks, > > Jon > > > > > > On Thu, Aug 29, 2024 at 10:31:56AM -0600, Javier Tia wrote: > > > Hi, > > > > > > Addressing comments from patch series v3. > > > > > > A backport from meta-ts with the minimal changes to add UEFI Secure Boot > > > into qemuarm64-secureboot machine. > > > > > > Requirements: > > > > > > - Create a UEFI disk partition to copy EFI apps. > > > > > > - Add UEFI settings to U-Boot, systemd-boot, and Linux kernel. > > > > > > - UEFI keys are to be stored in U-Boot and used to sign systemd-boot > > > and Linux kernel images. > > > > > > - Add systemd as Init manager to auto-mount efivarfs. > > > > > > Introduces uefi-secureboot machine feature. > > > > > > UEFI keys must be genereated in order to be added to U-Boot. Sign both > > > systemd-boot EFI app and Linux kernel image. > > > > > > Build and verification steps: > > > > > > $ kas build 'ci/qemuarm64-secureboot.yml:ci/testimage.yml' > > > > > > --- > > > > > > Changes since v3: > > > - For image creation use core-image-minimal, instead of core-image-base. > > > > > > Changes since v2: > > > - Remove commit "qemuarm64-secureboot.yml: Set branch to scarthgap". > > > > > > Changes since v1: > > > - Rework all subject commits to follow OE, Yocto, and meta-arm guidelines. > > > - Add gen-uefi-sb-keys.bb recipe to generate UEFI keys. > > > - Add an OE test to validate UEFI Secure Boot. > > > - Simplify gen_uefi_keys.sh to avoid code repetition. > > > - Replace grub with systemd-boot. > > > - Simplify signing binary images with sbsign class. > > > - Set OE branch to Scarthgap. > > > > > > Changes since the v0: > > > - Remove u-boot recipe. > > > - Split the change in several commits. > > > - Remove sample UEFI keys. > > > - Validate UEFI keys exist before building. > > > - Insolate most of changes under uefi-secureboot machine feature. > > > > > > Javier Tia (13): > > > qemuarm64-secureboot: Introduce uefi-secureboot machine feature > > > core-image-minimal: Use UEFI layout disk partitions > > > layer.conf: Introduce UEFI_SB_KEYS_DIR > > > uefi-sb-keys.bbclass: Add class to validate UEFI keys > > > sbsign.bbclass: Add class to sign binaries > > > core-image-minimal: Inherit uefi-sb-keys > > > meta-arm: Introduce gen-uefi-sb-keys.bb recipe > > > u-boot: Setup UEFI and Secure Boot > > > qemuarm64-secureboot: Add meta-secure-core layer as dependency > > > linux-yocto: Setup UEFI and sign kernel image > > > systemd: Add UEFI support > > > systemd-boot: Use it as bootloader & sign UEFI image > > > meta-arm: Add UEFI Secure Boot test > > > > > > ci/qemuarm64-secureboot.yml | 14 ++++--- > > > .../u-boot/u-boot-qemuarm64-secureboot.inc | 18 +++++++++ > > > .../u-boot/u-boot/uefi-secureboot.cfg | 10 +++++ > > > .../recipes-bsp/u-boot/u-boot_%.bbappend | 2 +- > > > meta-arm-bsp/wic/efi-disk-no-swap.wks.in | 2 +- > > > meta-arm/classes/sbsign.bbclass | 39 +++++++++++++++++++ > > > meta-arm/classes/uefi-sb-keys.bbclass | 24 ++++++++++++ > > > meta-arm/conf/layer.conf | 2 + > > > .../conf/machine/qemuarm64-secureboot.conf | 8 ++++ > > > .../oeqa/runtime/cases/uefi_secure_boot.py | 32 +++++++++++++++ > > > meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb | 26 +++++++++++++ > > > .../core-image-minimal-uefi-secureboot.inc | 17 ++++++++ > > > .../images/core-image-minimal.bbappend | 1 + > > > .../systemd/systemd-boot-uefi-secureboot.inc | 12 ++++++ > > > .../systemd/systemd-boot_%.bbappend | 1 + > > > meta-arm/recipes-core/systemd/systemd-efi.inc | 1 + > > > .../recipes-core/systemd/systemd_%.bbappend | 1 + > > > .../linux/linux-yocto%.bbappend | 2 + > > > .../linux/linux-yocto-uefi-secureboot.inc | 19 +++++++++ > > > meta-arm/uefi-sb-keys/.gitignore | 4 ++ > > > meta-arm/uefi-sb-keys/gen_uefi_keys.sh | 33 ++++++++++++++++ > > > 21 files changed, 261 insertions(+), 7 deletions(-) > > > create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc > > > create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg > > > create mode 100644 meta-arm/classes/sbsign.bbclass > > > create mode 100644 meta-arm/classes/uefi-sb-keys.bbclass > > > create mode 100644 meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py > > > create mode 100644 meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb > > > create mode 100644 meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc > > > create mode 100644 meta-arm/recipes-core/images/core-image-minimal.bbappend > > > create mode 100644 meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc > > > create mode 100644 meta-arm/recipes-core/systemd/systemd-boot_%.bbappend > > > create mode 100644 meta-arm/recipes-core/systemd/systemd-efi.inc > > > create mode 100644 meta-arm/recipes-core/systemd/systemd_%.bbappend > > > create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc > > > create mode 100644 meta-arm/uefi-sb-keys/.gitignore > > > create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh > > > > > > -- > > > 2.46.0 > > > > > > >
Hi, On 8/30/24 7:24 AM, Jon Mason wrote: > On Fri, Aug 30, 2024 at 09:10:46AM +0300, Mikko Rapeli wrote: >> Hi, >> >> On Thu, Aug 29, 2024 at 11:06:26PM -0400, Jon Mason wrote: >>> Looks like this series is not building for me. I'm seeing the >>> following error: >>> >>> ERROR: /builder/meta-arm/build/../poky/meta/recipes-kernel/linux/linux-yocto_6.10.bb: Unable to get checksum for linux-yocto SRC_URI entry db.key: file could not be found | ETA: 0:00:12 >>> The following paths were searched: >>> /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key >>> ERROR: Parsing halted due to errors, see error messages above | ETA: 0:00:14 >>> ERROR: /builder/meta-arm/build/../poky/meta/recipes-core/systemd/systemd-boot_256.5.bb: Unable to get checksum for systemd-boot SRC_URI entry db.key: file could not be found >>> The following paths were searched: >>> /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key >>> ERROR: /builder/meta-arm/build/../poky/meta/recipes-kernel/linux/linux-yocto_6.6.bb: Unable to get checksum for linux-yocto SRC_URI entry db.key: file could not be found >>> The following paths were searched: >>> /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key >>> >>> I've not looked into it, but it's being seen on mulitple setups and is >>> trivial to replicate with: >>> kas build ci/qemuarm64-secureboot.yml:ci/testimage.yml >> >> I think this is the secure boot key generation. You should run >> meta-arm/uefi-sb-keys/gen_uefi_keys.sh in meta-arm/uefi-sb-keys before >> building, or have some other way of distributing the keys to build machines. >> >> This could be part of a recipe but that would be fully non-reproducible. > > Honestly, I don't even look at the patches if it doesn't pass CI. It > not generating keys as part of the build seems like a deal breaker. > >> Maybe there is some kas way of running this script before bitbake build >> if the key files are not there? > > It is possible, but trying to add it is going to be difficult based on > the rewrites that would be necessary based on the way the > .gitlab-ci.yml file is laid out. > > Also, are we expecting a developer to know to run this and do this > every time, or are we expecting to generate the keys once and reuse > them? Even if the latter, i think generating them as part of the > build is logical (perhaps with a detection for existing keys in the > directory or something). > > Is it not possible to have some kind of bbappend on u-boot that adds a > dependency on gen-uefi-sb-keys.bb and calls the script? I have added the keys generation as part of qemu64sb build. If keys are found, it will skip the keys generation. Also, it fixes the CI build error because of a design error in the keys generation. As long as the keys are the same, it will guarantee build reproducibility. Pending to send patch series v5 addressing rest of Jon's comments. ยป Javier Tia
Hi, Addressing comments from patch series v3. A backport from meta-ts with the minimal changes to add UEFI Secure Boot into qemuarm64-secureboot machine. Requirements: - Create a UEFI disk partition to copy EFI apps. - Add UEFI settings to U-Boot, systemd-boot, and Linux kernel. - UEFI keys are to be stored in U-Boot and used to sign systemd-boot and Linux kernel images. - Add systemd as Init manager to auto-mount efivarfs. Introduces uefi-secureboot machine feature. UEFI keys must be genereated in order to be added to U-Boot. Sign both systemd-boot EFI app and Linux kernel image. Build and verification steps: $ kas build 'ci/qemuarm64-secureboot.yml:ci/testimage.yml' --- Changes since v3: - For image creation use core-image-minimal, instead of core-image-base. Changes since v2: - Remove commit "qemuarm64-secureboot.yml: Set branch to scarthgap". Changes since v1: - Rework all subject commits to follow OE, Yocto, and meta-arm guidelines. - Add gen-uefi-sb-keys.bb recipe to generate UEFI keys. - Add an OE test to validate UEFI Secure Boot. - Simplify gen_uefi_keys.sh to avoid code repetition. - Replace grub with systemd-boot. - Simplify signing binary images with sbsign class. - Set OE branch to Scarthgap. Changes since the v0: - Remove u-boot recipe. - Split the change in several commits. - Remove sample UEFI keys. - Validate UEFI keys exist before building. - Insolate most of changes under uefi-secureboot machine feature. Javier Tia (13): qemuarm64-secureboot: Introduce uefi-secureboot machine feature core-image-minimal: Use UEFI layout disk partitions layer.conf: Introduce UEFI_SB_KEYS_DIR uefi-sb-keys.bbclass: Add class to validate UEFI keys sbsign.bbclass: Add class to sign binaries core-image-minimal: Inherit uefi-sb-keys meta-arm: Introduce gen-uefi-sb-keys.bb recipe u-boot: Setup UEFI and Secure Boot qemuarm64-secureboot: Add meta-secure-core layer as dependency linux-yocto: Setup UEFI and sign kernel image systemd: Add UEFI support systemd-boot: Use it as bootloader & sign UEFI image meta-arm: Add UEFI Secure Boot test ci/qemuarm64-secureboot.yml | 14 ++++--- .../u-boot/u-boot-qemuarm64-secureboot.inc | 18 +++++++++ .../u-boot/u-boot/uefi-secureboot.cfg | 10 +++++ .../recipes-bsp/u-boot/u-boot_%.bbappend | 2 +- meta-arm-bsp/wic/efi-disk-no-swap.wks.in | 2 +- meta-arm/classes/sbsign.bbclass | 39 +++++++++++++++++++ meta-arm/classes/uefi-sb-keys.bbclass | 24 ++++++++++++ meta-arm/conf/layer.conf | 2 + .../conf/machine/qemuarm64-secureboot.conf | 8 ++++ .../oeqa/runtime/cases/uefi_secure_boot.py | 32 +++++++++++++++ meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb | 26 +++++++++++++ .../core-image-minimal-uefi-secureboot.inc | 17 ++++++++ .../images/core-image-minimal.bbappend | 1 + .../systemd/systemd-boot-uefi-secureboot.inc | 12 ++++++ .../systemd/systemd-boot_%.bbappend | 1 + meta-arm/recipes-core/systemd/systemd-efi.inc | 1 + .../recipes-core/systemd/systemd_%.bbappend | 1 + .../linux/linux-yocto%.bbappend | 2 + .../linux/linux-yocto-uefi-secureboot.inc | 19 +++++++++ meta-arm/uefi-sb-keys/.gitignore | 4 ++ meta-arm/uefi-sb-keys/gen_uefi_keys.sh | 33 ++++++++++++++++ 21 files changed, 261 insertions(+), 7 deletions(-) create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg create mode 100644 meta-arm/classes/sbsign.bbclass create mode 100644 meta-arm/classes/uefi-sb-keys.bbclass create mode 100644 meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py create mode 100644 meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb create mode 100644 meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc create mode 100644 meta-arm/recipes-core/images/core-image-minimal.bbappend create mode 100644 meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc create mode 100644 meta-arm/recipes-core/systemd/systemd-boot_%.bbappend create mode 100644 meta-arm/recipes-core/systemd/systemd-efi.inc create mode 100644 meta-arm/recipes-core/systemd/systemd_%.bbappend create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc create mode 100644 meta-arm/uefi-sb-keys/.gitignore create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh