Message ID | 20240904224349.108885-1-javier.tia@linaro.org
---|---
Series | qemuarm64-secureboot: Add UEFI Secure Boot
Hi,

Reviving this series in case it has been lost under the cracks. A copy at:
https://lore.kernel.org/yocto-meta-arm/20240904224349.108885-1-javier.tia@linaro.org/

Thanks,

On 9/4/24 4:43 PM, Javier Tia wrote:
> Hi,
>
> Addressing comments from patch series v4.
>
> A backport from meta-ts with the minimal changes to add UEFI Secure Boot
> into the qemuarm64-secureboot machine.
>
> Requirements:
>
> - Create a UEFI disk partition to copy EFI apps.
>
> - Add UEFI settings to U-Boot, systemd-boot, and Linux kernel.
>
> - UEFI keys are to be stored in U-Boot and used to sign systemd-boot
>   and Linux kernel images.
>
> - Add systemd as Init manager. systemd's modern architecture,
>   integrated security features, and enhanced management capabilities
>   make it a more suitable choice for systems using UEFI Secure Boot.
>
> Introduces the uefi-secureboot machine feature.
>
> UEFI keys must be generated in order to be added to U-Boot. Sign both
> the systemd-boot EFI app and the Linux kernel image.
>
> Build and verification steps:
>
> $ kas build ci/qemuarm64-secureboot.yml:ci/testimage.yml
>
> ---
>
> Changes since v4:
> - Big refactor to only two commits to add Secure Boot in all required
>   recipes and enable it in qemuarm64-secureboot.
> - Fix the generation of SB keys at build time.
> - Remove the need to pass the keys in each recipe, as all the keys will
>   be generated in one directory.
> - Introduce uefi-secureboot.yml with all required settings for Secure
>   Boot.
> - Do several renamings to keep name consistency.
> - Explain why systemd is used as the Init Manager.
> - Revert the change using core-image-minimal; keep using
>   core-image-base.
>
> Changes since v3:
> - For image creation, use core-image-minimal instead of core-image-base.
>
> Changes since v2:
> - Remove commit "qemuarm64-secureboot.yml: Set branch to scarthgap".
>
> Changes since v1:
> - Rework all subject commits to follow OE, Yocto, and meta-arm
>   guidelines.
> - Add gen-uefi-sb-keys.bb recipe to generate UEFI keys.
> - Add an OE test to validate UEFI Secure Boot.
> - Simplify gen_uefi_keys.sh to avoid code repetition.
> - Replace grub with systemd-boot.
> - Simplify signing binary images with the sbsign class.
> - Set OE branch to Scarthgap.
>
> Changes since v0:
> - Remove u-boot recipe.
> - Split the change into several commits.
> - Remove sample UEFI keys.
> - Validate UEFI keys exist before building.
> - Isolate most of the changes under the uefi-secureboot machine feature.
>
> Javier Tia (2):
>   Enable Secure Boot in all required recipes
>   qemuarm64-secureboot: Enable UEFI Secure Boot
>
>  ci/qemuarm64-secureboot.yml                   |  1 +
>  ci/uefi-secureboot.yml                        | 34 +++++++++++++
>  .../u-boot/u-boot-uefi-secureboot.inc         | 17 +++++++
>  .../u-boot/u-boot/uefi-secureboot.cfg         | 10 ++++
>  .../recipes-bsp/u-boot/u-boot_%.bbappend      |  1 +
>  meta-arm-bsp/wic/efi-disk-no-swap.wks.in      |  2 +-
>  meta-arm/classes/sbsign.bbclass               | 31 ++++++++++++
>  .../lib/oeqa/runtime/cases/uefi_secureboot.py | 29 +++++++++++
>  meta-arm/recipes-bsp/uefi/gen-sbkeys.bb       | 48 +++++++++++++++++++
>  .../recipes-bsp/uefi/gen-sbkeys/gen_sbkeys.sh | 36 ++++++++++++++
>  .../systemd/systemd-boot-uefi-secureboot.inc  |  7 +++
>  .../systemd/systemd-boot_%.bbappend           |  1 +
>  meta-arm/recipes-core/systemd/systemd-efi.inc |  1 +
>  .../recipes-core/systemd/systemd_%.bbappend   |  1 +
>  .../linux/linux-yocto%.bbappend               |  2 +
>  .../linux/linux-yocto-uefi-secureboot.inc     | 14 ++++++
>  16 files changed, 234 insertions(+), 1 deletion(-)
>  create mode 100644 ci/uefi-secureboot.yml
>  create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot-uefi-secureboot.inc
>  create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg
>  create mode 100644 meta-arm/classes/sbsign.bbclass
>  create mode 100644 meta-arm/lib/oeqa/runtime/cases/uefi_secureboot.py
>  create mode 100644 meta-arm/recipes-bsp/uefi/gen-sbkeys.bb
>  create mode 100755 meta-arm/recipes-bsp/uefi/gen-sbkeys/gen_sbkeys.sh
>  create mode 100644 meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
>  create mode 100644 meta-arm/recipes-core/systemd/systemd-boot_%.bbappend
>  create mode 100644 meta-arm/recipes-core/systemd/systemd-efi.inc
>  create mode 100644 meta-arm/recipes-core/systemd/systemd_%.bbappend
>  create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc

Javier Tia
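The cover letter describes the chain without showing it: generate the UEFI keys, embed them in U-Boot, sign systemd-boot and the kernel, and have an OE runtime test confirm Secure Boot is on. The script below is an added example written for this page; it is not the series' gen_sbkeys.sh, sbsign.bbclass or uefi_secureboot.py, none of which appear here. It assumes openssl, efitools (cert-to-efi-sig-list, sign-efi-sig-list) and sbsigntools (sbsign, sbverify) are installed; the subject names, owner GUID and file locations are placeholders. The .esl/.auth conversion and the `setenv -e ... -at -i` enrollment commands follow U-Boot's own UEFI documentation; how this series gets the keys into U-Boot at build time is not shown on the page.

```shell
#!/bin/sh
# Added example, not the series' gen_sbkeys.sh, sbsign.bbclass or oeqa test:
# the key/signing chain a UEFI Secure Boot enablement like this needs, plus a
# check a runtime test can make inside the booted guest. Assumes openssl,
# efitools (cert-to-efi-sig-list, sign-efi-sig-list) and sbsigntools (sbsign,
# sbverify). Subject names and the owner GUID are placeholders.
set -eu

# Owner GUID stored in every EFI Signature List; any fixed UUID will do.
SB_OWNER_GUID=${SB_OWNER_GUID:-11111111-2222-3333-4444-123456789abc}

# gen_sb_keys DIR: self-signed PK, KEK and db certificates with RSA-2048 keys.
# PK authorizes KEK updates, KEK authorizes db updates, db signs EFI binaries.
gen_sb_keys() {
    dir=$1
    mkdir -p "$dir"
    for name in PK KEK db; do
        openssl req -x509 -sha256 -newkey rsa:2048 -nodes -days 3650 \
            -subj "/CN=Example $name/" \
            -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
        # DER copy for tools that enroll raw certificates into db.
        openssl x509 -in "$dir/$name.crt" -outform DER -out "$dir/$name.der"
    done
    chmod 600 "$dir"/*.key   # private keys never belong in the image
}

# build_auth_vars DIR: wrap each cert in an EFI Signature List (.esl) and sign
# it into a time-based authenticated variable (.auth): PK by itself, KEK by
# PK, db by KEK. U-Boot's documented manual flow then loads each file with
# 'setenv -e -nv -bs -rt -at -i <addr>:<size> PK' (then KEK, then db).
build_auth_vars() {
    dir=$1
    for pair in "PK PK" "KEK PK" "db KEK"; do
        set -- $pair            # $1 = variable name, $2 = signer
        cert-to-efi-sig-list -g "$SB_OWNER_GUID" "$dir/$1.crt" "$dir/$1.esl"
        sign-efi-sig-list -c "$dir/$2.crt" -k "$dir/$2.key" \
            "$1" "$dir/$1.esl" "$dir/$1.auth"
    done
}

# sign_efi DIR IN OUT: Authenticode-sign an EFI PE binary (systemd-boot's
# .efi or the kernel's EFI stub image) with the db key, then verify it.
sign_efi() {
    dir=$1; in=$2; out=$3
    sbsign --key "$dir/db.key" --cert "$dir/db.crt" --output "$out" "$in"
    sbverify --cert "$dir/db.crt" "$out"
}

# sb_tools_present: succeeds only if all efitools/sbsigntools binaries exist.
sb_tools_present() {
    for t in cert-to-efi-sig-list sign-efi-sig-list sbsign sbverify; do
        command -v "$t" >/dev/null 2>&1 || return 1
    done
}

# secureboot_state [EFIVAR_FILE]: print the SecureBoot variable's data byte
# (1 = enforcing, 0 = off). efivarfs prefixes the data with a 4-byte
# attribute word, hence the offset. Default path is the real variable.
secureboot_state() {
    f=${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}
    [ -r "$f" ] || { echo unknown; return 1; }
    od -An -tu1 -j4 -N1 "$f" | tr -d ' '
}

# Demo: generate keys into a scratch dir; sign the EFI binary given as $1
# when the tools are installed (e.g. systemd-bootaa64.efi or Image).
demo_dir=$(mktemp -d)
gen_sb_keys "$demo_dir"
if sb_tools_present && [ -n "${1:-}" ]; then
    build_auth_vars "$demo_dir"
    sign_efi "$demo_dir" "$1" "$1.signed"
    echo "keys and .auth files in $demo_dir, signed image: $1.signed"
else
    echo "keys in $demo_dir (install efitools + sbsigntools, pass an .efi file to sign)"
fi
echo "SecureBoot state on this host: $(secureboot_state || true)"
```

Two points the cover letter's "Remove sample UEFI keys" and "Validate UEFI keys exist before building" items hinge on: the db private key is the only secret that must exist at build time (it signs the images), and nothing under the key directory other than the certificates and .auth blobs should ever reach the rootfs or the U-Boot binary. The `secureboot_state` check is the cheapest thing a runtime test can assert; a stronger one is to boot an unsigned or tampered EFI binary and expect U-Boot to refuse it.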