| Message ID | 20240904224349.108885-1-javier.tia@linaro.org |
|---|---|
| Series | qemuarm64-secureboot: Add UEFI Secure Boot |
Hi,

Reviving this series in case it has been lost under the cracks.

A copy at: https://lore.kernel.org/yocto-meta-arm/20240904224349.108885-1-javier.tia@linaro.org/

Thanks,

On 9/4/24 4:43 PM, Javier Tia wrote:
> Hi,
>
> Addressing comments from patch series v4.
>
> A backport from meta-ts with the minimal changes to add UEFI Secure Boot
> into qemuarm64-secureboot machine.
>
> Requirements:
>
> - Create a UEFI disk partition to copy EFI apps.
>
> - Add UEFI settings to U-Boot, systemd-boot, and Linux kernel.
>
> - UEFI keys are to be stored in U-Boot and used to sign systemd-boot
>   and Linux kernel images.
>
> - Add systemd as Init manager. systemd's modern architecture,
>   integrated security features, and enhanced management capabilities
>   make it a more suitable choice for systems using UEFI Secure Boot.
>
> Introduces uefi-secureboot machine feature.
>
> UEFI keys must be generated in order to be added to U-Boot. Sign both
> systemd-boot EFI app and Linux kernel image.
>
> Build and verification steps:
>
> $ kas build ci/qemuarm64-secureboot.yml:ci/testimage.yml
>
> ---
>
> Changes since v4:
> - Big refactor to only two commits to add Secure Boot in all required
>   recipes and enable it in qemuarm64-secureboot.
> - Fix the generation of SB keys in build time.
> - Remove the need to pass the keys in each recipe, as all the keys will
>   be generated in one directory.
> - Introduce uefi-secureboot.yml with all required settings for Secure
>   Boot.
> - Do several renamings to keep name consistency.
> - Explain why systemd is used as the Init Manager.
> - Revert the change using core-image-minimal; keep using
>   core-image-base.
>
> Changes since v3:
> - For image creation, use core-image-minimal instead of core-image-base.
>
> Changes since v2:
> - Remove commit "qemuarm64-secureboot.yml: Set branch to scarthgap".
>
> Changes since v1:
> - Rework all subject commits to follow OE, Yocto, and meta-arm
>   guidelines.
> - Add gen-uefi-sb-keys.bb recipe to generate UEFI keys.
> - Add an OE test to validate UEFI Secure Boot.
> - Simplify gen_uefi_keys.sh to avoid code repetition.
> - Replace grub with systemd-boot.
> - Simplify signing binary images with sbsign class.
> - Set OE branch to Scarthgap.
>
> Changes since v0:
> - Remove u-boot recipe.
> - Split the change in several commits.
> - Remove sample UEFI keys.
> - Validate UEFI keys exist before building.
> - Isolate most of changes under uefi-secureboot machine feature.
>
> Javier Tia (2):
>   Enable Secure Boot in all required recipes
>   qemuarm64-secureboot: Enable UEFI Secure Boot
>
>  ci/qemuarm64-secureboot.yml                   |  1 +
>  ci/uefi-secureboot.yml                        | 34 +++++++++++++
>  .../u-boot/u-boot-uefi-secureboot.inc         | 17 +++++++
>  .../u-boot/u-boot/uefi-secureboot.cfg         | 10 ++++
>  .../recipes-bsp/u-boot/u-boot_%.bbappend      |  1 +
>  meta-arm-bsp/wic/efi-disk-no-swap.wks.in      |  2 +-
>  meta-arm/classes/sbsign.bbclass               | 31 ++++++++++++
>  .../lib/oeqa/runtime/cases/uefi_secureboot.py | 29 +++++++++++
>  meta-arm/recipes-bsp/uefi/gen-sbkeys.bb       | 48 +++++++++++++++++++
>  .../recipes-bsp/uefi/gen-sbkeys/gen_sbkeys.sh | 36 ++++++++++++++
>  .../systemd/systemd-boot-uefi-secureboot.inc  |  7 +++
>  .../systemd/systemd-boot_%.bbappend           |  1 +
>  meta-arm/recipes-core/systemd/systemd-efi.inc |  1 +
>  .../recipes-core/systemd/systemd_%.bbappend   |  1 +
>  .../linux/linux-yocto%.bbappend               |  2 +
>  .../linux/linux-yocto-uefi-secureboot.inc     | 14 ++++++
>  16 files changed, 234 insertions(+), 1 deletion(-)
>  create mode 100644 ci/uefi-secureboot.yml
>  create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot-uefi-secureboot.inc
>  create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg
>  create mode 100644 meta-arm/classes/sbsign.bbclass
>  create mode 100644 meta-arm/lib/oeqa/runtime/cases/uefi_secureboot.py
>  create mode 100644 meta-arm/recipes-bsp/uefi/gen-sbkeys.bb
>  create mode 100755 meta-arm/recipes-bsp/uefi/gen-sbkeys/gen_sbkeys.sh
>  create mode 100644 meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
>  create mode 100644 meta-arm/recipes-core/systemd/systemd-boot_%.bbappend
>  create mode 100644 meta-arm/recipes-core/systemd/systemd-efi.inc
>  create mode 100644 meta-arm/recipes-core/systemd/systemd_%.bbappend
>  create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc

Javier Tia
Hi,

Addressing comments from patch series v4.

A backport from meta-ts with the minimal changes to add UEFI Secure Boot
into qemuarm64-secureboot machine.

Requirements:

- Create a UEFI disk partition to copy EFI apps.

- Add UEFI settings to U-Boot, systemd-boot, and Linux kernel.

- UEFI keys are to be stored in U-Boot and used to sign systemd-boot
  and Linux kernel images.

- Add systemd as Init manager. systemd's modern architecture,
  integrated security features, and enhanced management capabilities
  make it a more suitable choice for systems using UEFI Secure Boot.

Introduces uefi-secureboot machine feature.

UEFI keys must be generated in order to be added to U-Boot. Sign both
systemd-boot EFI app and Linux kernel image.

Build and verification steps:

$ kas build ci/qemuarm64-secureboot.yml:ci/testimage.yml

---

Changes since v4:
- Big refactor to only two commits to add Secure Boot in all required
  recipes and enable it in qemuarm64-secureboot.
- Fix the generation of SB keys in build time.
- Remove the need to pass the keys in each recipe, as all the keys will
  be generated in one directory.
- Introduce uefi-secureboot.yml with all required settings for Secure
  Boot.
- Do several renamings to keep name consistency.
- Explain why systemd is used as the Init Manager.
- Revert the change using core-image-minimal; keep using
  core-image-base.

Changes since v3:
- For image creation, use core-image-minimal instead of core-image-base.

Changes since v2:
- Remove commit "qemuarm64-secureboot.yml: Set branch to scarthgap".

Changes since v1:
- Rework all subject commits to follow OE, Yocto, and meta-arm
  guidelines.
- Add gen-uefi-sb-keys.bb recipe to generate UEFI keys.
- Add an OE test to validate UEFI Secure Boot.
- Simplify gen_uefi_keys.sh to avoid code repetition.
- Replace grub with systemd-boot.
- Simplify signing binary images with sbsign class.
- Set OE branch to Scarthgap.

Changes since v0:
- Remove u-boot recipe.
- Split the change in several commits.
- Remove sample UEFI keys.
- Validate UEFI keys exist before building.
- Isolate most of changes under uefi-secureboot machine feature.

Javier Tia (2):
  Enable Secure Boot in all required recipes
  qemuarm64-secureboot: Enable UEFI Secure Boot

 ci/qemuarm64-secureboot.yml                   |  1 +
 ci/uefi-secureboot.yml                        | 34 +++++++++++++
 .../u-boot/u-boot-uefi-secureboot.inc         | 17 +++++++
 .../u-boot/u-boot/uefi-secureboot.cfg         | 10 ++++
 .../recipes-bsp/u-boot/u-boot_%.bbappend      |  1 +
 meta-arm-bsp/wic/efi-disk-no-swap.wks.in      |  2 +-
 meta-arm/classes/sbsign.bbclass               | 31 ++++++++++++
 .../lib/oeqa/runtime/cases/uefi_secureboot.py | 29 +++++++++++
 meta-arm/recipes-bsp/uefi/gen-sbkeys.bb       | 48 +++++++++++++++++++
 .../recipes-bsp/uefi/gen-sbkeys/gen_sbkeys.sh | 36 ++++++++++++++
 .../systemd/systemd-boot-uefi-secureboot.inc  |  7 +++
 .../systemd/systemd-boot_%.bbappend           |  1 +
 meta-arm/recipes-core/systemd/systemd-efi.inc |  1 +
 .../recipes-core/systemd/systemd_%.bbappend   |  1 +
 .../linux/linux-yocto%.bbappend               |  2 +
 .../linux/linux-yocto-uefi-secureboot.inc     | 14 ++++++
 16 files changed, 234 insertions(+), 1 deletion(-)
 create mode 100644 ci/uefi-secureboot.yml
 create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot-uefi-secureboot.inc
 create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg
 create mode 100644 meta-arm/classes/sbsign.bbclass
 create mode 100644 meta-arm/lib/oeqa/runtime/cases/uefi_secureboot.py
 create mode 100644 meta-arm/recipes-bsp/uefi/gen-sbkeys.bb
 create mode 100755 meta-arm/recipes-bsp/uefi/gen-sbkeys/gen_sbkeys.sh
 create mode 100644 meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
 create mode 100644 meta-arm/recipes-core/systemd/systemd-boot_%.bbappend
 create mode 100644 meta-arm/recipes-core/systemd/systemd-efi.inc
 create mode 100644 meta-arm/recipes-core/systemd/systemd_%.bbappend
 create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc
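The series validates Secure Boot on the booted guest with an oeqa runtime test that is only named in the diffstat above. As an added example (not the series' uefi_secureboot.py and not meta-arm code), this Python reads the SecureBoot and SetupMode variables in the efivarfs layout Linux exposes and treats a platform still in setup mode as not enforcing, which a check of the SecureBoot flag alone would miss. The sample blobs are constructed; the efivars path is read only when no in-memory map is supplied.

```python
"""Report whether UEFI Secure Boot is enforcing, from Linux efivarfs blobs.
Each /sys/firmware/efi/efivars/ file is a 4-byte little-endian attribute
word followed by the data; SecureBoot and SetupMode carry one 0/1 byte."""
import struct
from pathlib import Path
from typing import Dict, Optional

EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI_GLOBAL_VARIABLE

# Constructed sample blobs: attributes BS|RT (0x06), then the single data byte.
SAMPLE_ENFORCING = {f"SecureBoot-{EFI_GLOBAL_GUID}": b"\x06\x00\x00\x00\x01",
                    f"SetupMode-{EFI_GLOBAL_GUID}": b"\x06\x00\x00\x00\x00"}
SAMPLE_SETUP_MODE = {f"SecureBoot-{EFI_GLOBAL_GUID}": b"\x06\x00\x00\x00\x00",
                     f"SetupMode-{EFI_GLOBAL_GUID}": b"\x06\x00\x00\x00\x01"}
SAMPLE_DISABLED = {f"SecureBoot-{EFI_GLOBAL_GUID}": b"\x06\x00\x00\x00\x00",
                   f"SetupMode-{EFI_GLOBAL_GUID}": b"\x06\x00\x00\x00\x00"}

def parse_efivar(raw: bytes):
    """Split an efivarfs blob into (attributes, data); reject a truncated header."""
    if len(raw) < 4:
        raise ValueError("efivar blob shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]

def read_flag(name: str, files: Optional[Dict[str, bytes]] = None) -> Optional[int]:
    """0/1 value of a one-byte global variable, or None if it is absent.
    `files` substitutes an in-memory {filename: blob} map for the live efivarfs."""
    key = f"{name}-{EFI_GLOBAL_GUID}"
    if files is None:
        path = EFIVARS / key
        raw = path.read_bytes() if path.exists() else None
    else:
        raw = files.get(key)
    if raw is None:
        return None
    _, data = parse_efivar(raw)
    if len(data) != 1:
        raise ValueError(f"{name}: expected 1 data byte, got {len(data)}")
    return data[0]

def secure_boot_state(files: Optional[Dict[str, bytes]] = None) -> str:
    """Classify the platform as enforcing, setup-mode, disabled or unavailable."""
    secure_boot = read_flag("SecureBoot", files)
    if secure_boot is None:
        return "unavailable"  # not booted via UEFI, or efivarfs not mounted
    if read_flag("SetupMode", files) != 0:
        return "setup-mode"   # no PK enrolled (or SetupMode missing): nothing is verified
    return "enforcing" if secure_boot == 1 else "disabled"
```

On the qemuarm64-secureboot guest the expected result is "enforcing"; "setup-mode" means the U-Boot keys were never enrolled, so signatures on systemd-boot and the kernel are not being checked.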