
[v8,0/2] Add UEFI Secure Boot

Message ID 20241003213330.627644-1-javier.tia@linaro.org

Message

Javier Tia Oct. 3, 2024, 9:33 p.m. UTC
Hi,

Addressing comments from patch series v7.

Introduce uefi-secureboot.yml as an addon to add UEFI Secure Boot. Most
of the changes are backported from meta-ts.

UEFI Secure Boot requirements:

  - Create a UEFI disk partition to copy EFI apps.

  - Add UEFI settings to U-Boot, systemd-boot, and Linux kernel.

  - Set up UEFI keys that are to be stored in U-Boot and used to sign
    systemd-boot and Linux kernel images.

  - Add systemd as Init manager. systemd's modern architecture,
    integrated security features, and enhanced management capabilities
    make it a more suitable choice for systems using UEFI Secure Boot.

Introduce uefi-secureboot machine feature.

Build and verification steps:

$ kas build ci/qemuarm64-secureboot.yml:ci/meta-secure-core.yml:ci/uefi-secureboot.yml:ci/testimage.yml

---

Changes since v7:
- Remove gen-sbkeys recipe. It was merged on meta-secure-core.
- Replace efivar with coreutils command to reduce dependency.

Changes since v6:
- Add optee udev rules to fix OE optee and ftpm test failures.
- Fix tee-supplicant@.service so that it is started in the initrd. Disable
  the ftpm kernel module after stopping the service. Start the service
  before tpm2.target.
- Move u-boot confs from meta-arm-bsp to meta-arm.

Changes since v5:
- Use uefi-secureboot.yml as an addon, taken out of
  qemuarm64-secureboot.yml.
- Comment Secure Boot keys setup in gen-sbkeys.sh.
- Set up CI to build and test UEFI Secure Boot.

Changes since v4:
- Big refactor to only two commits to add Secure Boot in all required
  recipes and enable it in qemuarm64-secureboot.
- Fix the generation of SB keys in build time.
- Remove the need to pass the keys in each recipe, as all the keys will
  be generated in one directory.
- Introduce uefi-secureboot.yml with all required settings for Secure
  Boot.
- Do several renamings to keep name consistency.
- Explain why systemd is used as the Init Manager.
- Revert the change using core-image-minimal; keep using
  core-image-base.

Changes since v3:
- For image creation, use core-image-minimal instead of core-image-base.

Changes since v2:
- Remove commit "qemuarm64-secureboot.yml: Set branch to scarthgap".

Changes since v1:
- Rework all subject commits to follow OE, Yocto, and meta-arm
  guidelines.
- Add gen-uefi-sb-keys.bb recipe to generate UEFI keys.
- Add an OE test to validate UEFI Secure Boot.
- Simplify gen_uefi_keys.sh to avoid code repetition.
- Replace grub with systemd-boot.
- Simplify signing binary images with sbsign class.
- Set OE branch to Scarthgap.

Changes since v0:
- Remove u-boot recipe.
- Split the change in several commits.
- Remove sample UEFI keys.
- Validate UEFI keys exist before building.
- Isolate most of the changes under the uefi-secureboot machine feature.

Javier Tia (2):
  arm: Enable Secure Boot in all required recipes
  arm/qemuarm64-secureboot: Enable UEFI Secure Boot

 .gitlab-ci.yml                                |  1 +
 ci/uefi-secureboot.yml                        | 36 +++++++++++++++++++
 meta-arm/classes/sbsign.bbclass               | 31 ++++++++++++++++
 .../lib/oeqa/runtime/cases/uefi_secureboot.py | 29 +++++++++++++++
 .../u-boot/u-boot-uefi-secureboot.inc         | 17 +++++++++
 .../u-boot/u-boot/uefi-secureboot.cfg         | 10 ++++++
 meta-arm/recipes-bsp/u-boot/u-boot_%.bbappend |  2 ++
 .../systemd/systemd-boot-uefi-secureboot.inc  |  7 ++++
 .../systemd/systemd-boot_%.bbappend           |  1 +
 meta-arm/recipes-core/systemd/systemd-efi.inc |  1 +
 .../recipes-core/systemd/systemd_%.bbappend   |  1 +
 .../linux/linux-yocto%.bbappend               |  2 ++
 .../linux/linux-yocto-uefi-secureboot.inc     | 14 ++++++++
 13 files changed, 152 insertions(+)
 create mode 100644 ci/uefi-secureboot.yml
 create mode 100644 meta-arm/classes/sbsign.bbclass
 create mode 100644 meta-arm/lib/oeqa/runtime/cases/uefi_secureboot.py
 create mode 100644 meta-arm/recipes-bsp/u-boot/u-boot-uefi-secureboot.inc
 create mode 100644 meta-arm/recipes-bsp/u-boot/u-boot/uefi-secureboot.cfg
 create mode 100644 meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
 create mode 100644 meta-arm/recipes-core/systemd/systemd-boot_%.bbappend
 create mode 100644 meta-arm/recipes-core/systemd/systemd-efi.inc
 create mode 100644 meta-arm/recipes-core/systemd/systemd_%.bbappend
 create mode 100644 meta-arm/recipes-kernel/linux/linux-yocto-uefi-secureboot.inc

Comments

Jon Mason Oct. 5, 2024, 12:13 a.m. UTC | #1
On Thu, 03 Oct 2024 15:33:28 -0600, Javier Tia wrote:
> Addressing comments from patch series v7.
> 
> Introduce uefi-secureboot.yml as an addon to add UEFI Secure Boot. Most
> of changes are backported from meta-ts.
> 
> UEFI Secure Boot requirements:
> 
> [...]

Applied, thanks!

[1/2] arm: Enable Secure Boot in all required recipes
      commit: 21d2e50358604c039eeb3935c051c90dd7504a26
[2/2] arm/qemuarm64-secureboot: Enable UEFI Secure Boot
      commit: c9057f9ea1671469c7786b38b3de8fbbb9223459

Best regards,