
[v4,00/13] qemuarm64-secureboot: Add UEFI Secure Boot

Message ID 20240829163209.47945-1-javier.tia@linaro.org

Message

Javier Tia Aug. 29, 2024, 4:31 p.m. UTC
Hi,

Addressing comments from patch series v3.

A backport from meta-ts with the minimal changes to add UEFI Secure Boot
into qemuarm64-secureboot machine.

Requirements:

  - Create a UEFI disk partition to copy EFI apps.

  - Add UEFI settings to U-Boot, systemd-boot, and Linux kernel.

  - UEFI keys are to be stored in U-Boot and used to sign systemd-boot
    and Linux kernel images.

  - Add systemd as Init manager to auto-mount efivarfs.

Introduces uefi-secureboot machine feature.

UEFI keys must be generated in order to be added to U-Boot. Sign both
systemd-boot EFI app and Linux kernel image.

Build and verification steps:

$ kas build 'ci/qemuarm64-secureboot.yml:ci/testimage.yml'

---

Changes since v3:
- For image creation use core-image-minimal, instead of core-image-base.

Changes since v2:
- Remove commit "qemuarm64-secureboot.yml: Set branch to scarthgap".

Changes since v1:
- Rework all subject commits to follow OE, Yocto, and meta-arm guidelines.
- Add gen-uefi-sb-keys.bb recipe to generate UEFI keys.
- Add an OE test to validate UEFI Secure Boot.
- Simplify gen_uefi_keys.sh to avoid code repetition.
- Replace grub with systemd-boot.
- Simplify signing binary images with sbsign class.
- Set OE branch to Scarthgap.

Changes since the v0:
- Remove u-boot recipe.
- Split the change in several commits.
- Remove sample UEFI keys.
- Validate UEFI keys exist before building.
- Isolate most of changes under uefi-secureboot machine feature.

Javier Tia (13):
  qemuarm64-secureboot: Introduce uefi-secureboot machine feature
  core-image-minimal: Use UEFI layout disk partitions
  layer.conf: Introduce UEFI_SB_KEYS_DIR
  uefi-sb-keys.bbclass: Add class to validate UEFI keys
  sbsign.bbclass: Add class to sign binaries
  core-image-minimal: Inherit uefi-sb-keys
  meta-arm: Introduce gen-uefi-sb-keys.bb recipe
  u-boot: Setup UEFI and Secure Boot
  qemuarm64-secureboot: Add meta-secure-core layer as dependency
  linux-yocto: Setup UEFI and sign kernel image
  systemd: Add UEFI support
  systemd-boot: Use it as bootloader & sign UEFI image
  meta-arm: Add UEFI Secure Boot test

 ci/qemuarm64-secureboot.yml                   | 14 ++++---
 .../u-boot/u-boot-qemuarm64-secureboot.inc    | 18 +++++++++
 .../u-boot/u-boot/uefi-secureboot.cfg         | 10 +++++
 .../recipes-bsp/u-boot/u-boot_%.bbappend      |  2 +-
 meta-arm-bsp/wic/efi-disk-no-swap.wks.in      |  2 +-
 meta-arm/classes/sbsign.bbclass               | 39 +++++++++++++++++++
 meta-arm/classes/uefi-sb-keys.bbclass         | 24 ++++++++++++
 meta-arm/conf/layer.conf                      |  2 +
 .../conf/machine/qemuarm64-secureboot.conf    |  8 ++++
 .../oeqa/runtime/cases/uefi_secure_boot.py    | 32 +++++++++++++++
 meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb | 26 +++++++++++++
 .../core-image-minimal-uefi-secureboot.inc    | 17 ++++++++
 .../images/core-image-minimal.bbappend        |  1 +
 .../systemd/systemd-boot-uefi-secureboot.inc  | 12 ++++++
 .../systemd/systemd-boot_%.bbappend           |  1 +
 meta-arm/recipes-core/systemd/systemd-efi.inc |  1 +
 .../recipes-core/systemd/systemd_%.bbappend   |  1 +
 .../linux/linux-yocto%.bbappend               |  2 +
 .../linux/linux-yocto-uefi-secureboot.inc     | 19 +++++++++
 meta-arm/uefi-sb-keys/.gitignore              |  4 ++
 meta-arm/uefi-sb-keys/gen_uefi_keys.sh        | 33 ++++++++++++++++
 21 files changed, 261 insertions(+), 7 deletions(-)
 create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
 create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg
 create mode 100644 meta-arm/classes/sbsign.bbclass
 create mode 100644 meta-arm/classes/uefi-sb-keys.bbclass
 create mode 100644 meta-arm/lib/oeqa/runtime/cases/uefi_secure_boot.py
 create mode 100644 meta-arm/recipes-bsp/uefi/gen-uefi-sb-keys.bb
 create mode 100644 meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc
 create mode 100644 meta-arm/recipes-core/images/core-image-minimal.bbappend
 create mode 100644 meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
 create mode 100644 meta-arm/recipes-core/systemd/systemd-boot_%.bbappend
 create mode 100644 meta-arm/recipes-core/systemd/systemd-efi.inc
 create mode 100644 meta-arm/recipes-core/systemd/systemd_%.bbappend
 create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc
 create mode 100644 meta-arm/uefi-sb-keys/.gitignore
 create mode 100755 meta-arm/uefi-sb-keys/gen_uefi_keys.sh

Comments

Jon Mason Aug. 30, 2024, 3:06 a.m. UTC | #1
Looks like this series is not building for me.  I'm seeing the
following error:

ERROR: /builder/meta-arm/build/../poky/meta/recipes-kernel/linux/linux-yocto_6.10.bb: Unable to get checksum for linux-yocto SRC_URI entry db.key: file could not be found
The following paths were searched:
/builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key
ERROR: Parsing halted due to errors, see error messages above
ERROR: /builder/meta-arm/build/../poky/meta/recipes-core/systemd/systemd-boot_256.5.bb: Unable to get checksum for systemd-boot SRC_URI entry db.key: file could not be found
The following paths were searched:
/builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key
ERROR: /builder/meta-arm/build/../poky/meta/recipes-kernel/linux/linux-yocto_6.6.bb: Unable to get checksum for linux-yocto SRC_URI entry db.key: file could not be found
The following paths were searched:
/builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key

I've not looked into it, but it's being seen on multiple setups and is
trivial to replicate with:
kas build ci/qemuarm64-secureboot.yml:ci/testimage.yml

Thanks,
Jon


Mikko Rapeli Aug. 30, 2024, 6:10 a.m. UTC | #2
Hi,

On Thu, Aug 29, 2024 at 11:06:26PM -0400, Jon Mason wrote:
> Looks like this series is not building for me.  I'm seeing the
> following error:
> 
> ERROR: /builder/meta-arm/build/../poky/meta/recipes-kernel/linux/linux-yocto_6.10.bb: Unable to get checksum for linux-yocto SRC_URI entry db.key: file could not be found
> The following paths were searched:
> /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key
> ERROR: Parsing halted due to errors, see error messages above
> ERROR: /builder/meta-arm/build/../poky/meta/recipes-core/systemd/systemd-boot_256.5.bb: Unable to get checksum for systemd-boot SRC_URI entry db.key: file could not be found
> The following paths were searched:
> /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key
> ERROR: /builder/meta-arm/build/../poky/meta/recipes-kernel/linux/linux-yocto_6.6.bb: Unable to get checksum for linux-yocto SRC_URI entry db.key: file could not be found
> The following paths were searched:
> /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key
> 
> I've not looked into it, but it's being seen on multiple setups and is
> trivial to replicate with:
> kas build ci/qemuarm64-secureboot.yml:ci/testimage.yml

I think this is the secure boot key generation. You should run
meta-arm/uefi-sb-keys/gen_uefi_keys.sh in meta-arm/uefi-sb-keys before
building, or have some other way of distributing the keys to build machines.

This could be part of a recipe but that would be fully non-reproducible.

Maybe there is some kas way of running this script before bitbake build
if the key files are not there?

Cheers,

-Mikko
 
Jon Mason Aug. 30, 2024, 1:24 p.m. UTC | #3
On Fri, Aug 30, 2024 at 09:10:46AM +0300, Mikko Rapeli wrote:
> Hi,
> 
> On Thu, Aug 29, 2024 at 11:06:26PM -0400, Jon Mason wrote:
> > Looks like this series is not building for me.  I'm seeing the
> > following error:
> > 
> > ERROR: /builder/meta-arm/build/../poky/meta/recipes-kernel/linux/linux-yocto_6.10.bb: Unable to get checksum for linux-yocto SRC_URI entry db.key: file could not be found
> > The following paths were searched:
> > /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key
> > ERROR: Parsing halted due to errors, see error messages above
> > ERROR: /builder/meta-arm/build/../poky/meta/recipes-core/systemd/systemd-boot_256.5.bb: Unable to get checksum for systemd-boot SRC_URI entry db.key: file could not be found
> > The following paths were searched:
> > /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key
> > ERROR: /builder/meta-arm/build/../poky/meta/recipes-kernel/linux/linux-yocto_6.6.bb: Unable to get checksum for linux-yocto SRC_URI entry db.key: file could not be found
> > The following paths were searched:
> > /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key
> > 
> > I've not looked into it, but it's being seen on multiple setups and is
> > trivial to replicate with:
> > kas build ci/qemuarm64-secureboot.yml:ci/testimage.yml
> 
> I think this is the secure boot key generation. You should run
> meta-arm/uefi-sb-keys/gen_uefi_keys.sh in meta-arm/uefi-sb-keys before
> building, or have some other way of distributing the keys to build machines.
> 
> This could be part of a recipe but that would be fully non-reproducible.

Honestly, I don't even look at the patches if it doesn't pass CI.  It
not generating keys as part of the build seems like a deal breaker.

> Maybe there is some kas way of running this script before bitbake build
> if the key files are not there?

It is possible, but trying to add it is going to be difficult based on
the rewrites that would be necessary based on the way the
.gitlab-ci.yml file is laid out.

Also, are we expecting a developer to know to run this and do this
every time, or are we expecting to generate the keys once and reuse
them?  Even if the latter, i think generating them as part of the
build is logical (perhaps with a detection for existing keys in the
directory or something).

Is it not possible to have some kind of bbappend on u-boot that adds a
dependency on gen-uefi-sb-keys.bb and calls the script?

Thanks,
Jon

Javier Tia Sept. 2, 2024, 5:53 p.m. UTC | #4
Hi,

On 8/30/24 7:24 AM, Jon Mason wrote:
> On Fri, Aug 30, 2024 at 09:10:46AM +0300, Mikko Rapeli wrote:
>> Hi,
>>
>> On Thu, Aug 29, 2024 at 11:06:26PM -0400, Jon Mason wrote:
>>> Looks like this series is not building for me.  I'm seeing the
>>> following error:
>>>
>>> ERROR: /builder/meta-arm/build/../poky/meta/recipes-kernel/linux/linux-yocto_6.10.bb: Unable to get checksum for linux-yocto SRC_URI entry db.key: file could not be found
>>> The following paths were searched:
>>> /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key
>>> ERROR: Parsing halted due to errors, see error messages above
>>> ERROR: /builder/meta-arm/build/../poky/meta/recipes-core/systemd/systemd-boot_256.5.bb: Unable to get checksum for systemd-boot SRC_URI entry db.key: file could not be found
>>> The following paths were searched:
>>> /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key
>>> ERROR: /builder/meta-arm/build/../poky/meta/recipes-kernel/linux/linux-yocto_6.6.bb: Unable to get checksum for linux-yocto SRC_URI entry db.key: file could not be found
>>> The following paths were searched:
>>> /builder/meta-arm/build/../meta-arm/uefi-sb-keys/db.key
>>>
>>> I've not looked into it, but it's being seen on multiple setups and is
>>> trivial to replicate with:
>>> kas build ci/qemuarm64-secureboot.yml:ci/testimage.yml
>>
>> I think this is the secure boot key generation. You should run
>> meta-arm/uefi-sb-keys/gen_uefi_keys.sh in meta-arm/uefi-sb-keys before
>> building, or have some other way of distributing the keys to build machines.
>>
>> This could be part of a recipe but that would be fully non-reproducible.
> 
> Honestly, I don't even look at the patches if it doesn't pass CI.  It
> not generating keys as part of the build seems like a deal breaker.
> 
>> Maybe there is some kas way of running this script before bitbake build
>> if the key files are not there?
> 
> It is possible, but trying to add it is going to be difficult based on
> the rewrites that would be necessary based on the way the
> .gitlab-ci.yml file is laid out.
> 
> Also, are we expecting a developer to know to run this and do this
> every time, or are we expecting to generate the keys once and reuse
> them?  Even if the latter, i think generating them as part of the
> build is logical (perhaps with a detection for existing keys in the
> directory or something).
> 
> Is it not possible to have some kind of bbappend on u-boot that adds a
> dependency on gen-uefi-sb-keys.bb and calls the script?

I have added the key generation as part of the qemu64sb build. If keys are found, it will skip the key generation. Also, it fixes the CI build error caused by a design error in the key generation. As long as the keys are the same, it will guarantee build reproducibility.

Patch series v5 addressing the rest of Jon's comments is pending.

» Javier Tia
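Jon asked for the keys to be generated as part of the build with detection of existing keys, and Javier's reply describes skipping generation when the keys are already present so that builds stay reproducible. The script below is an added illustration of that idempotent pattern; it is not meta-arm's gen_uefi_keys.sh or any other code from the series. It assumes only openssl is available, uses hypothetical function names (gen_uefi_keys, check_uefi_keys, db_fingerprint), and produces self-signed PK, KEK and db key/certificate pairs in the layout the series' SRC_URI expects (db.key beside db.crt).

```shell
#!/bin/sh
# Idempotent UEFI Secure Boot key generation (hypothetical example).
# Creates PK, KEK and db key/cert pairs only when they are missing, so a
# second build reuses the same keys instead of producing a different set.
set -eu

# gen_uefi_keys DIR [CN_PREFIX]
# Prints "generated" or "reused". A directory that is only partially
# populated is an error: silently filling in the gaps would mix keys from
# two different sets and break the chain PK -> KEK -> db.
gen_uefi_keys() {
    dir=$1
    cn=${2:-"Example UEFI Secure Boot"}
    mkdir -p "$dir"
    present=0; missing=0
    for name in PK KEK db; do
        if [ -f "$dir/$name.key" ] && [ -f "$dir/$name.crt" ]; then
            present=$((present + 1))
        else
            missing=$((missing + 1))
        fi
    done
    if [ "$missing" -eq 0 ]; then
        echo reused
        return 0
    fi
    if [ "$present" -ne 0 ]; then
        echo "error: $dir is partially populated; refusing to mix key sets" >&2
        return 1
    fi
    for name in PK KEK db; do
        # Self-signed RSA-2048 certificate per key; private key stays unencrypted
        # (-nodes) because an unattended build has to read it for signing.
        openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
            -subj "/CN=$cn $name" \
            -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
        chmod 0600 "$dir/$name.key"
    done
    echo generated
}

# check_uefi_keys DIR
# The validation a build-time class would want before signing anything:
# every pair exists and each private key matches its certificate.
check_uefi_keys() {
    dir=$1
    for name in PK KEK db; do
        [ -f "$dir/$name.key" ] && [ -f "$dir/$name.crt" ] || return 1
        k=$(openssl pkey -in "$dir/$name.key" -pubout 2>/dev/null) || return 1
        c=$(openssl x509 -in "$dir/$name.crt" -pubkey -noout 2>/dev/null) || return 1
        [ -n "$k" ] && [ "$k" = "$c" ] || return 1
    done
    return 0
}

# db_fingerprint DIR
# SHA-256 fingerprint of db.crt; it only stays constant across builds if the
# keys were reused, which is what makes the signed images reproducible.
db_fingerprint() {
    openssl x509 -in "$1/db.crt" -noout -fingerprint -sha256 | cut -d= -f2
}

# Stand-alone use: sh gen_uefi_keys_example.sh DIR
if [ -n "${1:-}" ]; then
    gen_uefi_keys "$1"
    check_uefi_keys "$1" && echo "db.crt fingerprint: $(db_fingerprint "$1")"
fi
```

Wiring the same check into the build, as the series' uefi-sb-keys.bbclass does by validating that the keys exist before building, catches a half-populated key directory before sbsign ever runs.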