diff mbox series

[v1,4/7] qemuarm64-secureboot: Setup UEFI and Secure Boot in u-boot

Message ID 20240718203526.52214-5-javier.tia@linaro.org
State New
Headers show
Series qemuarm64-secureboot: Enable UEFI Secure Boot | expand

Commit Message

Javier Tia July 18, 2024, 8:35 p.m. UTC
Add u-boot minimal UEFI definitions. Setup UEFI variables with the keys
previously generated.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
---
 .../u-boot/u-boot-qemuarm64-secureboot.inc     | 18 ++++++++++++++++++
 .../qemuarm64-secureboot.cfg                   | 10 ++++++++++
 .../recipes-bsp/u-boot/u-boot_%.bbappend       |  1 +
 3 files changed, 29 insertions(+)
 create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
 create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot/qemuarm64-secureboot/qemuarm64-secureboot.cfg

Comments

Mikko Rapeli July 19, 2024, 9:33 a.m. UTC | #1
Hi,

On Thu, Jul 18, 2024 at 02:35:23PM -0600, Javier Tia wrote:
> Add u-boot minimal UEFI definitions. Setup UEFI variables with the keys
> previously generated.
> 
> Signed-off-by: Javier Tia <javier.tia@linaro.org>
> ---
>  .../u-boot/u-boot-qemuarm64-secureboot.inc     | 18 ++++++++++++++++++
>  .../qemuarm64-secureboot.cfg                   | 10 ++++++++++
>  .../recipes-bsp/u-boot/u-boot_%.bbappend       |  1 +
>  3 files changed, 29 insertions(+)
>  create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
>  create mode 100644 meta-arm-bsp/recipes-bsp/u-boot/u-boot/qemuarm64-secureboot/qemuarm64-secureboot.cfg
> 
> diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
> new file mode 100644
> index 00000000..0a0accd1
> --- /dev/null
> +++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
> @@ -0,0 +1,18 @@
> +FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}/${MACHINE}:"
> +
> +SRC_URI += "file://${MACHINE}.cfg"
> +
> +UBOOT_BOARDDIR = "${S}/board/emulation/qemu-arm"
> +UBOOT_ENV_NAME = "qemu-arm.env"
> +
> +DEPENDS += 'python3-pyopenssl-native'
> +
> +do_compile:prepend() {
> +    export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1
> +
> +    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n pk  -d "${UEFI_SB_KEYS_DIR}"/PK.esl  -t file
> +    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n kek -d "${UEFI_SB_KEYS_DIR}"/KEK.esl -t file
> +    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n db  -d "${UEFI_SB_KEYS_DIR}"/db.esl  -t file
> +    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n dbx -d "${UEFI_SB_KEYS_DIR}"/dbx.esl -t file
> +    "${S}"/tools/efivar.py print -i "${S}"/ubootefi.var
> +}
> diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot/qemuarm64-secureboot/qemuarm64-secureboot.cfg b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/qemuarm64-secureboot/qemuarm64-secureboot.cfg
> new file mode 100644
> index 00000000..d2edb5fb
> --- /dev/null
> +++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/qemuarm64-secureboot/qemuarm64-secureboot.cfg
> @@ -0,0 +1,10 @@
> +CONFIG_CMD_BOOTMENU=y
> +CONFIG_USE_BOOTCOMMAND=y
> +CONFIG_BOOTCOMMAND="bootmenu"
> +CONFIG_USE_PREBOOT=y
> +CONFIG_EFI_VAR_BUF_SIZE=65536
> +CONFIG_FIT_SIGNATURE=y
> +CONFIG_EFI_SECURE_BOOT=y
> +CONFIG_EFI_VARIABLES_PRESEED=y
> +CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig"
> +CONFIG_PREBOOT_DEFINED=y
> \ No newline at end of file
> diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend b/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend
> index 11f332ad..8df993ae 100644
> --- a/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend
> +++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend
> @@ -5,6 +5,7 @@ MACHINE_U-BOOT_REQUIRE:corstone1000 = "u-boot-corstone1000.inc"
>  MACHINE_U-BOOT_REQUIRE:fvp-base = "u-boot-fvp-base.inc"
>  MACHINE_U-BOOT_REQUIRE:juno = "u-boot-juno.inc"
>  MACHINE_U-BOOT_REQUIRE:tc = "u-boot-tc.inc"
> +MACHINE_U-BOOT_REQUIRE:qemuarm64-secureboot = "${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'u-boot-qemuarm64-secureboot.inc', '', d)}"

I think this should be generic to all machines if uefi-secureboot is in
MACHINE_FEATURES.

I know meta-arm will only test qemuarm64-secureboot but users will have different
machine names and would expect this to work there too.

Cheers,

-Mikko

>  require ${MACHINE_U-BOOT_REQUIRE}
>  
> -- 
> 2.45.2
>
diff mbox series

Patch

diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
new file mode 100644
index 00000000..0a0accd1
--- /dev/null
+++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot-qemuarm64-secureboot.inc
@@ -0,0 +1,18 @@ 
+FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}/${MACHINE}:"
+
+SRC_URI += "file://${MACHINE}.cfg"
+
+UBOOT_BOARDDIR = "${S}/board/emulation/qemu-arm"
+UBOOT_ENV_NAME = "qemu-arm.env"
+
+DEPENDS += 'python3-pyopenssl-native'
+
+do_compile:prepend() {
+    export CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1
+
+    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n pk  -d "${UEFI_SB_KEYS_DIR}"/PK.esl  -t file
+    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n kek -d "${UEFI_SB_KEYS_DIR}"/KEK.esl -t file
+    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n db  -d "${UEFI_SB_KEYS_DIR}"/db.esl  -t file
+    "${S}"/tools/efivar.py set -i "${S}"/ubootefi.var -n dbx -d "${UEFI_SB_KEYS_DIR}"/dbx.esl -t file
+    "${S}"/tools/efivar.py print -i "${S}"/ubootefi.var
+}
diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot/qemuarm64-secureboot/qemuarm64-secureboot.cfg b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/qemuarm64-secureboot/qemuarm64-secureboot.cfg
new file mode 100644
index 00000000..d2edb5fb
--- /dev/null
+++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot/qemuarm64-secureboot/qemuarm64-secureboot.cfg
@@ -0,0 +1,10 @@ 
+CONFIG_CMD_BOOTMENU=y
+CONFIG_USE_BOOTCOMMAND=y
+CONFIG_BOOTCOMMAND="bootmenu"
+CONFIG_USE_PREBOOT=y
+CONFIG_EFI_VAR_BUF_SIZE=65536
+CONFIG_FIT_SIGNATURE=y
+CONFIG_EFI_SECURE_BOOT=y
+CONFIG_EFI_VARIABLES_PRESEED=y
+CONFIG_PREBOOT="setenv bootmenu_0 UEFI Boot Manager=bootefi bootmgr; setenv bootmenu_1 UEFI Maintenance Menu=eficonfig"
+CONFIG_PREBOOT_DEFINED=y
\ No newline at end of file
diff --git a/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend b/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend
index 11f332ad..8df993ae 100644
--- a/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend
+++ b/meta-arm-bsp/recipes-bsp/u-boot/u-boot_%.bbappend
@@ -5,6 +5,7 @@  MACHINE_U-BOOT_REQUIRE:corstone1000 = "u-boot-corstone1000.inc"
 MACHINE_U-BOOT_REQUIRE:fvp-base = "u-boot-fvp-base.inc"
 MACHINE_U-BOOT_REQUIRE:juno = "u-boot-juno.inc"
 MACHINE_U-BOOT_REQUIRE:tc = "u-boot-tc.inc"
+MACHINE_U-BOOT_REQUIRE:qemuarm64-secureboot = "${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'u-boot-qemuarm64-secureboot.inc', '', d)}"
 
 require ${MACHINE_U-BOOT_REQUIRE}