Message ID | 20240822014335.3394568-13-javier.tia@linaro.org |
---|---|
State | New |
Series | qemuarm64-secureboot: Add UEFI Secure Boot | expand |
diff --git a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
index 07e315a3..e5cf7760 100644
--- a/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
+++ b/meta-arm-bsp/recipes-bsp/images/core-image-base-uefi-secureboot.inc
@@ -10,4 +10,4 @@ QB_DEFAULT_KERNEL = "none"
 KERNEL_IMAGETYPE = "Image"
-IMAGE_INSTALL += "systemd"
+IMAGE_INSTALL += "systemd systemd-boot"
diff --git a/meta-arm-bsp/wic/efi-disk-no-swap.wks.in b/meta-arm-bsp/wic/efi-disk-no-swap.wks.in
index 6ae7ad9d..6d77d3aa 100644
--- a/meta-arm-bsp/wic/efi-disk-no-swap.wks.in
+++ b/meta-arm-bsp/wic/efi-disk-no-swap.wks.in
@@ -7,4 +7,4 @@ part /boot --source bootimg-efi --sourceparams="loader=${EFI_PROVIDER}" --label
 part / --source rootfs --fstype=ext4 --label root --align 1024 --use-uuid --exclude-path boot/
-bootloader --ptable gpt --timeout=1 --append="${GRUB_LINUX_APPEND}"
+bootloader --ptable gpt --timeout=5 --append="${LINUX_KERNEL_ARGS}"
diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf
index d6a7e22b..2f40d360 100644
--- a/meta-arm/conf/machine/qemuarm64-secureboot.conf
+++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf
@@ -28,6 +28,8 @@ MACHINE_FEATURES += "optee-ftpm"
 MACHINE_FEATURES += "efi"
 MACHINE_FEATURES += "uefi-secureboot"
+EFI_PROVIDER = "systemd-boot"
+
 INIT_MANAGER = "systemd"
 DISTRO_FEATURES += "systemd"
 DISTRO_FEATURES_NATIVE += "systemd"
diff --git a/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc b/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
new file mode 100644
index 00000000..c0753614
--- /dev/null
+++ b/meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc
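Review bot: The new bootloader line in efi-disk-no-swap.wks.in references `${LINUX_KERNEL_ARGS}`, but nothing in this patch defines LINUX_KERNEL_ARGS. If an earlier patch in the series introduces it, the description should say so; if it is undefined, BitBake would likely leave the reference unexpanded and the literal text would end up in the generated bootloader line. The timeout change from 1 to 5 seconds is a separate behaviour change that the description does not mention and should be explained. Since these append arguments live in loader configuration on the ESP rather than inside the signed systemd-boot binary, it would also help to state which part of the series keeps the kernel command line covered under Secure Boot.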
@@ -0,0 +1,12 @@
+DEPENDS += 'gen-uefi-sb-keys'
+DEPENDS += "sbsigntool-native"
+
+inherit sbsign
+
+SBSIGN_KEY = "${UEFI_SB_KEYS_DIR}/db.key"
+SBSIGN_CERT = "${UEFI_SB_KEYS_DIR}/db.crt"
+SBSIGN_TARGET_BINARY = "${B}/src/boot/efi/systemd-boot${EFI_ARCH}.efi"
+
+do_compile:append() {
+ do_sbsign
+}
diff --git a/meta-arm/recipes-core/systemd/systemd-boot_%.bbappend b/meta-arm/recipes-core/systemd/systemd-boot_%.bbappend
new file mode 100644
index 00000000..caba9830
--- /dev/null
+++ b/meta-arm/recipes-core/systemd/systemd-boot_%.bbappend
@@ -0,0 +1 @@
+require ${@bb.utils.contains('MACHINE_FEATURES', 'uefi-secureboot', 'systemd-boot-uefi-secureboot.inc', '', d)}
\ No newline at end of file
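Review bot: The new systemd-boot-uefi-secureboot.inc has no header comment saying why signing happens in this recipe, and the two DEPENDS lines use different quote styles; collapse them into `DEPENDS += "gen-uefi-sb-keys sbsigntool-native"` and put above it `# Sign the systemd-boot EFI binary with the Secure Boot db key from gen-uefi-sb-keys; firmware loads it only if the matching db.crt is enrolled.`. The do_compile:append hook runs do_sbsign on the binary in ${B}; if the sbsign class (not part of this patch) signs in place, re-running do_compile on an already-signed binary could stack a second signature, so it is worth confirming that the class handles an existing signature deliberately. Nothing here checks that `${UEFI_SB_KEYS_DIR}/db.key` exists before signing; if the class does not either, a missing key should fail the task with a clear message rather than a raw tool error.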
As qemuarm64-secureboot already uses systemd as its init manager, also use systemd-boot as the bootloader. It has a simpler and more intuitive configuration format compared to grub. It uses a single configuration file that is easy to understand and modify. Signed-off-by: Javier Tia <javier.tia@linaro.org> --- .../images/core-image-base-uefi-secureboot.inc | 2 +- meta-arm-bsp/wic/efi-disk-no-swap.wks.in | 2 +- meta-arm/conf/machine/qemuarm64-secureboot.conf | 2 ++ .../systemd/systemd-boot-uefi-secureboot.inc | 12 ++++++++++++ .../recipes-core/systemd/systemd-boot_%.bbappend | 1 + 5 files changed, 17 insertions(+), 2 deletions(-) create mode 100644 meta-arm/recipes-core/systemd/systemd-boot-uefi-secureboot.inc create mode 100644 meta-arm/recipes-core/systemd/systemd-boot_%.bbappend