@@ -4,13 +4,15 @@ header:
version: 14
includes:
- ci/base.yml
-
-machine: qemuarm64-secureboot
-
-target:
- - core-image-base
+ - ci/meta-openembedded.yml
+ - ci/meta-secure-core.yml
local_conf_header:
optee: |
IMAGE_INSTALL:append = " optee-test optee-client optee-os-ta"
TEST_SUITES:append = " optee ftpm"
+
+machine: qemuarm64-secureboot
+
+target:
+ - core-image-base
new file mode 100644
@@ -0,0 +1,48 @@
+From 70fe34e1e61e0560af8a2018c5486b07b217f7fc Mon Sep 17 00:00:00 2001
+From: Leo Yan <leo.yan@linaro.org>
+Date: Thu, 22 Dec 2022 15:28:12 +0800
+Subject: [PATCH] verifiers: Don't return error for deferred image
+
+When boot from menu and the flag GRUB_VERIFY_FLAGS_DEFER_AUTH is set,
+grub returns error:
+
+ Booting a command list
+
+ error: verification requested but nobody cares: (hd0,gpt1)/Image.
+
+ Press any key to continue...
+
+In this case, the image should be deferred for authentication, grub
+should return the file handle and pass down to later firmware (e.g.
+U-Boot, etc) for authentication.
+
+For this purpose, rather than returning error, this patch prints log
+and returns file handler.
+
+Upstream-Status: Submitted
+
+Signed-off-by: Leo Yan <leo.yan@linaro.org>
+---
+ grub-core/kern/verifiers.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/grub-core/kern/verifiers.c b/grub-core/kern/verifiers.c
+index 75d7994cf..ada753e69 100644
+--- a/grub-core/kern/verifiers.c
++++ b/grub-core/kern/verifiers.c
+@@ -115,11 +115,7 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type)
+ if (!ver)
+ {
+ if (defer)
+- {
+- grub_error (GRUB_ERR_ACCESS_DENIED,
+- N_("verification requested but nobody cares: %s"), io->name);
+- goto fail_noclose;
+- }
++ grub_printf("%s verification is deferred\n", io->name);
+
+ /* No verifiers wanted to verify. Just return underlying file. */
+ return io;
+--
+2.35.1
+
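Review bot: The replaced block in grub_verifiers_open turns the deferred case from a hard failure into a grub_printf and returns the unverified handle, so GRUB itself no longer fails closed when no verifier claims the file; that is only safe if the loader that receives the handle really does authenticate it, which the description asserts but nothing in the code checks. Worth stating in the patch header which path provides that guarantee (presumably the EFI loader handing the image to the firmware's LoadImage — confirm), and a comment at the new line such as `/* Verification is left to the firmware that loads this image. */` keeps the intent visible in verifiers.c. `Upstream-Status: Submitted` should also carry the mailing-list or merge-request link in brackets, as the OE patch policy expects, so the status can be rechecked when grub is upgraded. The message is printed on every deferred open; if it is meant for debugging rather than for the boot console, `grub_dprintf` with this file's debug condition would be the quieter choice.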
new file mode 100644
@@ -0,0 +1,8 @@
+# First partition on first disk, most likely EFI system partition. Set it here
+# as fallback in case the search doesn't find the given UUID.
+set root='hd0,gpt1'
+search --no-floppy --fs-uuid --set=root 7819-74F8
+
+configfile /EFI/BOOT/grub.cfg
+
+# If fail to load config file, it runs into GRUB shell.
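Review bot: The filesystem UUID `7819-74F8` on the search line is a bare magic value with no note on where it comes from, so a reader cannot tell whether it is the fixed boot-partition UUID baked into the image layout or a leftover from one developer's disk; if it is fixed by the wks or image recipe, say so, e.g. `# UUID of the boot partition as assigned by the image layout — keep in sync with <image recipe>`. If the searched partition is the same one this file is installed on, `configfile /EFI/BOOT/grub.cfg` would reload this initial config rather than the real one, so it is worth confirming they differ. The closing comment notes that a failed config load drops into the GRUB shell; since the accompanying .inc builds the image with `--disable-shim-lock`, that shell is presumably not in lockdown, so for a secure-boot configuration an explicit fallback after the configfile line (for example an `echo` followed by `reboot`) is worth considering instead of an interactive prompt.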
new file mode 100644
@@ -0,0 +1,40 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+SRC_URI += "file://grub-initial.cfg"
+SRC_URI += "file://0001-verifiers-Don-t-return-error-for-deferred-image.patch"
+
+DEPENDS += "sbsigntool-native"
+
+GRUB_PREFIX_DIR ?= "/EFI/BOOT"
+EFI_BOOT_PATH ?= "/boot/efi/EFI/BOOT"
+
+do_mkimage() {
+ install -d "${D}${EFI_BOOT_PATH}"
+ install -m 0600 "${UNPACKDIR}/grub-initial.cfg" "${D}${EFI_BOOT_PATH}/grub.cfg"
+
+ grub-mkimage --disable-shim-lock \
+ --prefix="${GRUB_PREFIX_DIR}" \
+ --format="${GRUB_TARGET}-efi" \
+ --directory="${B}/grub-core" \
+ --output="${B}/${GRUB_IMAGE_PREFIX}${GRUB_IMAGE}" \
+ ${GRUB_BUILDIN}
+}
+
+fakeroot do_sign() {
+ "${STAGING_BINDIR_NATIVE}/sbsign" \
+ --key "${UEFI_SB_KEYS_DIR}/db.key" \
+ --cert "${UEFI_SB_KEYS_DIR}/db.crt" \
+ "${B}/${GRUB_IMAGE_PREFIX}${GRUB_IMAGE}" \
+ --output "${B}/${GRUB_IMAGE_PREFIX}${GRUB_IMAGE}.signed"
+
+ install -m 0644 "${B}/${GRUB_IMAGE_PREFIX}${GRUB_IMAGE}.signed" "${B}/${GRUB_IMAGE_PREFIX}${GRUB_IMAGE}"
+
+ install -d "${D}${EFI_BOOT_PATH}"
+ install -m 0644 "${B}/${GRUB_IMAGE_PREFIX}${GRUB_IMAGE}.signed" "${D}${EFI_BOOT_PATH}/${GRUB_IMAGE}"
+}
+
+addtask sign after do_install before do_deploy do_package
+
+FILES:${PN} += "${EFI_BOOT_PATH}"
+
+CONFFILES:${PN} += "${EFI_BOOT_PATH}/grub.cfg"
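Review bot: do_mkimage installs grub-initial.cfg into `${D}${EFI_BOOT_PATH}/grub.cfg`, but in the core grub-efi recipe do_mkimage is ordered before do_install and do_install recreates `${D}` through its cleandirs flag, so that file is presumably discarded before do_package sees it — confirm against the base recipe; moving the two install lines into do_sign, which this file already orders after do_install, would keep the config next to the signed loader it belongs to. The modes are also inconsistent (grub.cfg 0600, signed loader 0644); on a FAT ESP the mode is lost anyway, so the difference only affects the packaged rootfs copy and deserves a one-line comment if intentional. `--disable-shim-lock` drops the verifier that puts GRUB into lockdown under Secure Boot; a comment stating why that is acceptable here (presumably because this chain has no shim and relies on the firmware's LoadImage to verify the kernel after the deferred-auth patch — confirm) would stop the next maintainer from treating it as an oversight. Finally, do_sign copies the signed binary over the unsigned one in `${B}`, so re-running the task signs an already-signed image; signing only into the `.signed` name and installing/deploying from that name keeps the task idempotent.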
new file mode 100644
@@ -0,0 +1 @@
+require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'grub-efi-uefi-secureboot.inc', '', d)}
\ No newline at end of file
meta-secure-core is required because of sbsigntool. Signed-off-by: Javier Tia <javier.tia@linaro.org> --- ci/qemuarm64-secureboot.yml | 12 +++-- ...on-t-return-error-for-deferred-image.patch | 48 +++++++++++++++++++ .../recipes-bsp/grub/files/grub-initial.cfg | 8 ++++ .../grub/grub-efi-uefi-secureboot.inc | 40 ++++++++++++++++ meta-arm/recipes-bsp/grub/grub-efi_%.bbappend | 1 + 5 files changed, 104 insertions(+), 5 deletions(-) create mode 100644 meta-arm/recipes-bsp/grub/files/0001-verifiers-Don-t-return-error-for-deferred-image.patch create mode 100644 meta-arm/recipes-bsp/grub/files/grub-initial.cfg create mode 100644 meta-arm/recipes-bsp/grub/grub-efi-uefi-secureboot.inc create mode 100644 meta-arm/recipes-bsp/grub/grub-efi_%.bbappend