Message ID | 20240718203526.52214-5-javier.tia@linaro.org |
---|---|
State | New |
Series | qemuarm64-secureboot: Enable UEFI Secure Boot |
Hi, On Thu, Jul 18, 2024 at 02:35:23PM -0600, Javier Tia wrote: > Add u-boot minimal UEFI definitions. Setup UEFI variables with the keys > previously generated. > > Signed-off-by: Javier Tia <javier.tia@linaro.org> > --- > .../u-boot/u-boot-qemuarm64-secureboot.inc | 18 ++++++++++++++++++ > .../qemuarm64-secureboot.cfg | 10 ++++++++++ > .../recipes-bsp/u-boot/u-boot_%.bbappend | 1 + > 3 files changed, 29 insertions(+) > create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc > create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot/qemuarm64-secureboot/qemuarm64-secureboot.cfg > > diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc > new file mode 100644 > index 00000000..0a0accd1 > --- /dev/null > +++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc > @@ -0,0 +1,18 @@ > +FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}/${MACHINE}:" > + > +SRC_URI += "file://${MACHINE}.cfg" > + > +UBOOT_BOARDDIR = "${S}/board/emulation/qemu-arm" > +UBOOT_ENV_NAME = "qemu-arm.env" > + > +DEPENDS += 'python3-pyopenssl-native' > + > +do_compile:prepend() { > + export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 > + > + "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n pk -d "${UEFI_SB_KEYS_DIR}"/PK.esl -t file > + "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n kek -d "${UEFI_SB_KEYS_DIR}"/KEK.esl -t file > + "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n db -d "${UEFI_SB_KEYS_DIR}"/db.esl -t file > + "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n dbx -d "${UEFI_SB_KEYS_DIR}"/dbx.esl -t file > + "${S}"/tools/efivar.py print -i "${S}"/ubootefi.var > +} > diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot/qemuarm64-secureboot/qemuarm64-secureboot.cfg b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/qemuarm64-secureboot/qemuarm64-secureboot.cfg > new file mode 100644 > index 00000000..d2edb5fb > --- /dev/null 
> +++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/qemuarm64-secureboot/qemuarm64-secureboot.cfg > @@ -0,0 +1,10 @@ > +CONFIG_CMD_BOOTMENU=y > +CONFIG_USE_BOOTCOMMAND=y > +CONFIG_BOOTCOMMAND="bootmenu" > +CONFIG_USE_PREBOOT=y > +CONFIG_EFI_VAR_BUF_SIZE=65536 > +CONFIG_FIT_SIGNATURE=y > +CONFIG_EFI_SECURE_BOOT=y > +CONFIG_EFI_VARIABLES_PRESEED=y > +CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig" > +CONFIG_PREBOOT_DEFINED=y > \ No newline at end of file > diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend b/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend > index 11f332ad..8df993ae 100644 > --- a/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend > +++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend > @@ -5,6 +5,7 @@ MACHINE_U-BOOT_REQUIRE:corstone1000 = "u-boot-corstone1000.inc" > MACHINE_U-BOOT_REQUIRE:fvp-base = "u-boot-fvp-base.inc" > MACHINE_U-BOOT_REQUIRE:juno = "u-boot-juno.inc" > MACHINE_U-BOOT_REQUIRE:tc = "u-boot-tc.inc" > +MACHINE_U-BOOT_REQUIRE:qemuarm64-secureboot = "${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'u-boot-qemuarm64-secureboot.inc', '', d)}" I think this should be generic to all machines if uefi-secureboot is in MACHINE_FEATURES. I know meta-arm will only test qemuarm64-secureboot but users will have different machine names and would expect this to work there too. Cheers, -Mikko > require ${MACHINE_U-BOOT_REQUIRE} > > -- > 2.45.2 >
diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc new file mode 100644 index 00000000..0a0accd1 --- /dev/null +++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc @@ -0,0 +1,18 @@ +FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}/${MACHINE}:" + +SRC_URI += "file://${MACHINE}.cfg" + +UBOOT_BOARDDIR = "${S}/board/emulation/qemu-arm" +UBOOT_ENV_NAME = "qemu-arm.env" + +DEPENDS += 'python3-pyopenssl-native' + +do_compile:prepend() { + export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 + + "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n pk -d "${UEFI_SB_KEYS_DIR}"/PK.esl -t file + "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n kek -d "${UEFI_SB_KEYS_DIR}"/KEK.esl -t file + "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n db -d "${UEFI_SB_KEYS_DIR}"/db.esl -t file + "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n dbx -d "${UEFI_SB_KEYS_DIR}"/dbx.esl -t file + "${S}"/tools/efivar.py print -i "${S}"/ubootefi.var +} diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot/qemuarm64-secureboot/qemuarm64-secureboot.cfg b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/qemuarm64-secureboot/qemuarm64-secureboot.cfg new file mode 100644 index 00000000..d2edb5fb --- /dev/null +++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/qemuarm64-secureboot/qemuarm64-secureboot.cfg @@ -0,0 +1,10 @@ +CONFIG_CMD_BOOTMENU=y +CONFIG_USE_BOOTCOMMAND=y +CONFIG_BOOTCOMMAND="bootmenu" +CONFIG_USE_PREBOOT=y +CONFIG_EFI_VAR_BUF_SIZE=65536 +CONFIG_FIT_SIGNATURE=y +CONFIG_EFI_SECURE_BOOT=y +CONFIG_EFI_VARIABLES_PRESEED=y +CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig" +CONFIG_PREBOOT_DEFINED=y \ No newline at end of file diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend b/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend index 11f332ad..8df993ae 100644 --- a/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend 
+++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend @@ -5,6 +5,7 @@ MACHINE_U-BOOT_REQUIRE:corstone1000 = "u-boot-corstone1000.inc" MACHINE_U-BOOT_REQUIRE:fvp-base = "u-boot-fvp-base.inc" MACHINE_U-BOOT_REQUIRE:juno = "u-boot-juno.inc" MACHINE_U-BOOT_REQUIRE:tc = "u-boot-tc.inc" +MACHINE_U-BOOT_REQUIRE:qemuarm64-secureboot = "${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'u-boot-qemuarm64-secureboot.inc', '', d)}" require ${MACHINE_U-BOOT_REQUIRE}
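Review bot: in do_compile:prepend() of u-boot-qemuarm64-secureboot.inc, the four efivar.py set calls read PK.esl, KEK.esl, db.esl and dbx.esl from "${UEFI_SB_KEYS_DIR}", but nothing in the hunk checks that the variable is set or that the files exist, and the only dependency added is python3-pyopenssl-native. With an empty UEFI_SB_KEYS_DIR the first call is handed the path /PK.esl. Please express the ordering against whatever task generates the keys and stop with bbfatal naming the missing file, so the failure points at the key material rather than at efivar.py. UBOOT_BOARDDIR and UBOOT_ENV_NAME are set but not used in the visible lines; a comment saying what consumes them would help.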
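Review bot: qemuarm64-secureboot.cfg ends without a trailing newline (the "\ No newline at end of file" marker after CONFIG_PREBOOT_DEFINED=y); please end the file with a newline so that tools which merge or concatenate fragments do not join the last option with the line that follows. CONFIG_FIT_SIGNATURE=y is not covered by the commit message, which only mentions UEFI definitions and variables, so a sentence on why it is needed would make the fragment easier to audit. The same applies to the "UEFI Maintenance Menu=eficonfig" entry in CONFIG_PREBOOT: state whether offering it from the boot menu on a Secure Boot image is intended.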
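Review bot: the added MACHINE_U-BOOT_REQUIRE line in u-boot_%.bbappend is gated twice, by the :qemuarm64-secureboot machine override and by the bb.utils.contains() check on MACHINE_FEATURES, so a machine with any other name that sets uefi-secureboot never pulls in the include. If the feature is meant to be the switch, select the include on MACHINE_FEATURES alone. That also means revisiting the include itself, which is tied to one machine through UBOOT_BOARDDIR = "${S}/board/emulation/qemu-arm" and SRC_URI += "file://${MACHINE}.cfg"; the generic key-seeding part would need to be split from the qemu-arm specifics.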
Add u-boot minimal UEFI definitions. Set up UEFI variables with the keys previously generated.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 .../u-boot/u-boot-qemuarm64-secureboot.inc | 18 ++++++++++++++++++
 .../qemuarm64-secureboot.cfg | 10 ++++++++++
 .../recipes-bsp/u-boot/u-boot_%.bbappend | 1 +
 3 files changed, 29 insertions(+)
 create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
 create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot/qemuarm64-secureboot/qemuarm64-secureboot.cfg