Message ID | 20240829163209.47945-12-javier.tia@linaro.org
---|---
State | New
Series | qemuarm64-secureboot: Add UEFI Secure Boot
On Thu, Aug 29, 2024 at 10:32:07AM -0600, Javier Tia wrote: > Signed-off-by: Javier Tia <javier.tia@linaro.org> I'm going to want a HUGE comment on why systemd is required here. Are there some unique things in systemd that aren't present for sysvinit? Also, I think the systemd patches should be squashed together. Thanks, Jon > --- > meta-arm/conf/machine/qemuarm64-secureboot.conf | 5 +++++ > .../images/core-image-minimal-uefi-secureboot.inc | 2 ++ > meta-arm/recipes-core/systemd/systemd-efi.inc | 1 + > meta-arm/recipes-core/systemd/systemd_%.bbappend | 1 + > 4 files changed, 9 insertions(+) > create mode 100644 meta-arm/recipes-core/systemd/systemd-efi.inc > create mode 100644 meta-arm/recipes-core/systemd/systemd_%.bbappend > > diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf > index 2483c4ac..542d09a3 100644 > --- a/meta-arm/conf/machine/qemuarm64-secureboot.conf > +++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf > @@ -22,4 +22,9 @@ WKS_FILE_DEPENDS = "trusted-firmware-a" > IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}" > > MACHINE_FEATURES += "optee-ftpm" > +MACHINE_FEATURES += "efi" > MACHINE_FEATURES += "uefi-secureboot" > + > +INIT_MANAGER = "systemd" > +DISTRO_FEATURES += "systemd" > +DISTRO_FEATURES_NATIVE += "systemd" > diff --git a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc > index 06046f6e..07e315a3 100644 > --- a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc > +++ b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc > @@ -9,3 +9,5 @@ QB_KERNEL_ROOT = "" > QB_DEFAULT_KERNEL = "none" > > KERNEL_IMAGETYPE = "Image" > + > +IMAGE_INSTALL += "systemd" > diff --git a/meta-arm/recipes-core/systemd/systemd-efi.inc b/meta-arm/recipes-core/systemd/systemd-efi.inc > new file mode 100644 > index 00000000..5572e51a > --- /dev/null 
> +++ b/meta-arm/recipes-core/systemd/systemd-efi.inc > @@ -0,0 +1 @@ > +PACKAGECONFIG:append = " efi" > diff --git a/meta-arm/recipes-core/systemd/systemd_%.bbappend b/meta-arm/recipes-core/systemd/systemd_%.bbappend > new file mode 100644 > index 00000000..660358c2 > --- /dev/null > +++ b/meta-arm/recipes-core/systemd/systemd_%.bbappend > @@ -0,0 +1 @@ > +require ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'systemd-efi.inc', '', d)} > -- > 2.46.0 > >
Hi, On Fri, Aug 30, 2024 at 11:24:35AM -0400, Jon Mason wrote: > On Thu, Aug 29, 2024 at 10:32:07AM -0600, Javier Tia wrote: > > Signed-off-by: Javier Tia <javier.tia@linaro.org> > > I'm going to want a HUGE comment on why systemd is required here. Are > there some unique things in systemd that aren't present for sysvinit? > Also, I think the systemd patches should be squashed together. Extending secure boot to userspace is a lot easier with systemd than with sysvinit where custom scripts will need to be written for all use cases. systemd supports dm-verity and TPM devices for encryption use cases out of the box. Enabling them is a lot easier than writing custom scripts for sysvinit. systemd also supports UEFI signing the UKI binaries which merge kernel, command line and initrd which helps in bringing secure boot towards rootfs. Granted, none of these are specific to ARM64 devices but these do need UEFI firmware to work which is available from meta-arm for qemu in qemuarm64-secureboot. Cheers, -Mikko > Thanks, > Jon > > > --- > > meta-arm/conf/machine/qemuarm64-secureboot.conf | 5 +++++ > > .../images/core-image-minimal-uefi-secureboot.inc | 2 ++ > > meta-arm/recipes-core/systemd/systemd-efi.inc | 1 + > > meta-arm/recipes-core/systemd/systemd_%.bbappend | 1 + > > 4 files changed, 9 insertions(+) > > create mode 100644 meta-arm/recipes-core/systemd/systemd-efi.inc > > create mode 100644 meta-arm/recipes-core/systemd/systemd_%.bbappend > > > > diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf > > index 2483c4ac..542d09a3 100644 > > --- a/meta-arm/conf/machine/qemuarm64-secureboot.conf > > +++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf 
> > @@ -22,4 +22,9 @@ WKS_FILE_DEPENDS = "trusted-firmware-a" > > IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}" > > > > MACHINE_FEATURES += "optee-ftpm" > > +MACHINE_FEATURES += "efi" > > MACHINE_FEATURES += "uefi-secureboot" > > + > > +INIT_MANAGER = "systemd" > > +DISTRO_FEATURES += "systemd" > > +DISTRO_FEATURES_NATIVE += "systemd" > > diff --git a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc > > index 06046f6e..07e315a3 100644 > > --- a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc > > +++ b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc > > @@ -9,3 +9,5 @@ QB_KERNEL_ROOT = "" > > QB_DEFAULT_KERNEL = "none" > > > > KERNEL_IMAGETYPE = "Image" > > + > > +IMAGE_INSTALL += "systemd" > > diff --git a/meta-arm/recipes-core/systemd/systemd-efi.inc b/meta-arm/recipes-core/systemd/systemd-efi.inc > > new file mode 100644 > > index 00000000..5572e51a > > --- /dev/null > > +++ b/meta-arm/recipes-core/systemd/systemd-efi.inc > > @@ -0,0 +1 @@ > > +PACKAGECONFIG:append = " efi" > > diff --git a/meta-arm/recipes-core/systemd/systemd_%.bbappend b/meta-arm/recipes-core/systemd/systemd_%.bbappend > > new file mode 100644 > > index 00000000..660358c2 > > --- /dev/null > > +++ b/meta-arm/recipes-core/systemd/systemd_%.bbappend > > @@ -0,0 +1 @@ > > +require ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'systemd-efi.inc', '', d)} > > -- > > 2.46.0 > > > >
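Mikko's point above is that a UKI merges the kernel, command line and initrd into one PE that carries a single UEFI signature, so the embedded command line becomes part of the signed boot policy rather than something a loader or an attacker with ESP access can edit. The following inspector is an added example, not code from meta-arm, systemd or anyone in this thread: it walks a UKI's PE32+ headers, returns the embedded sections, reports whether an Authenticode certificate table is attached, and flags command-line tokens that would hand out a root shell. The fixture builder constructs a minimal PE purely so the example runs offline (it is not ukify output), the machine value 0xAA64 is the PE constant for AArch64 matching the qemuarm64 target, and the "signature" is an opaque blob inside a WIN_CERTIFICATE wrapper; real PKCS#7 verification is left to sbverify or the firmware. The RISKY_CMDLINE list is my own assumption of what to flag.

```python
"""Inspect a systemd-style Unified Kernel Image (UKI).

A UKI is a PE32+ EFI application carrying the kernel, initrd and command line
as PE sections (.linux, .initrd, .cmdline, ...), so one Authenticode signature
over the PE covers all of them.  Added example, not code from meta-arm or
systemd; build_fixture_uki() constructs a minimal PE for offline testing and
is not ukify output.
"""
import struct

PE32PLUS_MAGIC = 0x20B
IMAGE_FILE_MACHINE_ARM64 = 0xAA64
CERT_TABLE_INDEX = 4                      # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
UKI_REQUIRED = (".linux",)                # ukify always emits .linux; the rest are optional
# Assumed policy: parameters that hand out a shell or switch off enforcement.
RISKY_CMDLINE = ("init=", "rd.break", "rd.shell", "systemd.debug_shell", "enforcing=0")


def inspect_uki(data: bytes) -> dict:
    """Walk the PE headers; return machine type, section payloads and signature status."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    if struct.unpack_from("<H", data, opt_off)[0] != PE32PLUS_MAGIC:
        raise ValueError("only PE32+ images are supported")
    num_dirs = struct.unpack_from("<I", data, opt_off + 108)[0]   # NumberOfRvaAndSizes
    cert_off = cert_size = 0
    if num_dirs > CERT_TABLE_INDEX:
        # For the certificate table, "VirtualAddress" is a raw file offset, not an RVA.
        cert_off, cert_size = struct.unpack_from("<II", data, opt_off + 112 + 8 * CERT_TABLE_INDEX)
    sections = {}
    for i in range(nsect):
        hdr = opt_off + opt_size + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        length = min(vsize, raw_size) if vsize else raw_size   # raw size is padded to FileAlignment
        sections[name] = data[raw_ptr:raw_ptr + length]
    signed = False
    if cert_off and cert_size >= 8:
        length, rev, ctype = struct.unpack_from("<IHH", data, cert_off)   # WIN_CERTIFICATE header
        signed = rev == WIN_CERT_REVISION_2_0 and ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA and length <= cert_size
    return {"machine": machine, "sections": sections, "signed": signed}


def is_uki(info: dict) -> bool:
    return all(name in info["sections"] for name in UKI_REQUIRED)


def cmdline_findings(info: dict) -> list:
    """Tokens in the embedded .cmdline that weaken the boot chain (empty list means clean)."""
    cmdline = info["sections"].get(".cmdline", b"").rstrip(b"\0").decode("utf-8", "replace")
    return [tok for tok in cmdline.split() if tok.startswith(RISKY_CMDLINE)]


def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def build_fixture_uki(payloads, signature: bytes = b"") -> bytes:
    """Constructed minimal PE32+ with one section per (name, bytes) payload. Test fixture only."""
    file_align, sect_align = 0x200, 0x1000
    headers_len = _align(0x40 + 4 + 20 + 240 + 40 * len(payloads), file_align)
    sect_hdrs, body, raw_ptr, vaddr = b"", b"", headers_len, sect_align
    for name, payload in payloads:
        raw_size = _align(len(payload), file_align)
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(payload), vaddr,
                                 raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040)
        body += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += _align(max(len(payload), 1), sect_align)
    cert_off = raw_ptr if signature else 0          # certificate table sits after the last section
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_ARM64, len(payloads), 0, 0, 0, 240, 0x0022)
    opt = struct.pack("<HBBIIIII", PE32PLUS_MAGIC, 0, 0, 0, 0, 0, 0, 0)
    opt += struct.pack("<QIIHHHHHHIIIIHHQQQQII", 0, sect_align, file_align, 0, 0, 0, 0, 0, 0,
                       0, vaddr, headers_len, 0, 10, 0, 0, 0, 0, 0, 0, 16)   # Subsystem 10 = EFI app
    dirs = b"".join(struct.pack("<II", cert_off, len(signature)) if i == CERT_TABLE_INDEX
                    else struct.pack("<II", 0, 0) for i in range(16))
    headers = (dos + b"PE\0\0" + coff + opt + dirs + sect_hdrs).ljust(headers_len, b"\0")
    return headers + body + signature


def fake_signature(blob: bytes) -> bytes:
    """WIN_CERTIFICATE wrapper around an opaque blob; stands in for a real PKCS#7 from sbsign/ukify."""
    return struct.pack("<IHH", 8 + len(blob), WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob


if __name__ == "__main__":
    # Constructed sample; on a real system pass open("linux.efi", "rb").read() to inspect_uki().
    image = build_fixture_uki([(".linux", b"\x7fkernel"), (".initrd", b"initrd-cpio"),
                               (".cmdline", b"root=/dev/vda2 ro init=/bin/sh\0")],
                              fake_signature(b"not-a-real-pkcs7"))
    info = inspect_uki(image)
    print({k: len(v) for k, v in info["sections"].items()}, "signed:", info["signed"])
    print("risky cmdline tokens:", cmdline_findings(info))
```

The check worth keeping from this is the last one: because the signature covers the whole PE, whatever `.cmdline` says at signing time is what the firmware will accept, so auditing the embedded command line before signing (or in CI against the signed artifact) catches an `init=/bin/sh` that would otherwise ship under a valid Secure Boot signature.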
diff --git a/meta-arm/conf/machine/qemuarm64-secureboot.conf b/meta-arm/conf/machine/qemuarm64-secureboot.conf index 2483c4ac..542d09a3 100644 --- a/meta-arm/conf/machine/qemuarm64-secureboot.conf +++ b/meta-arm/conf/machine/qemuarm64-secureboot.conf @@ -22,4 +22,9 @@ WKS_FILE_DEPENDS = "trusted-firmware-a" IMAGE_BOOT_FILES = "${KERNEL_IMAGETYPE}" MACHINE_FEATURES += "optee-ftpm" +MACHINE_FEATURES += "efi" MACHINE_FEATURES += "uefi-secureboot" + +INIT_MANAGER = "systemd" +DISTRO_FEATURES += "systemd" +DISTRO_FEATURES_NATIVE += "systemd" diff --git a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc index 06046f6e..07e315a3 100644 --- a/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc +++ b/meta-arm/recipes-core/images/core-image-minimal-uefi-secureboot.inc @@ -9,3 +9,5 @@ QB_KERNEL_ROOT = "" QB_DEFAULT_KERNEL = "none" KERNEL_IMAGETYPE = "Image" + +IMAGE_INSTALL += "systemd" diff --git a/meta-arm/recipes-core/systemd/systemd-efi.inc b/meta-arm/recipes-core/systemd/systemd-efi.inc new file mode 100644 index 00000000..5572e51a --- /dev/null +++ b/meta-arm/recipes-core/systemd/systemd-efi.inc @@ -0,0 +1 @@ +PACKAGECONFIG:append = " efi" diff --git a/meta-arm/recipes-core/systemd/systemd_%.bbappend b/meta-arm/recipes-core/systemd/systemd_%.bbappend new file mode 100644 index 00000000..660358c2 --- /dev/null +++ b/meta-arm/recipes-core/systemd/systemd_%.bbappend @@ -0,0 +1 @@ +require ${@bb.utils.contains('MACHINE_FEATURES', 'efi', 'systemd-efi.inc', '', d)}
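Review bot: INIT_MANAGER, DISTRO_FEATURES and DISTRO_FEATURES_NATIVE are distro policy, and setting them from conf/machine/qemuarm64-secureboot.conf forces every distro built for this machine onto systemd; this hunk is where the comment Jon asked for belongs, stating why the secure-boot machine cannot work with the distro's chosen init manager. As I read oe-core's init-manager-systemd.inc, INIT_MANAGER = "systemd" already appends systemd to DISTRO_FEATURES, so the explicit `DISTRO_FEATURES += "systemd"` looks redundant; if it is kept as a guard for distros that do not honour INIT_MANAGER, say so. The new `MACHINE_FEATURES += "efi"` line gates the systemd bbappend in this same series, so a one-line comment on that coupling would help too.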
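Review bot: `IMAGE_INSTALL += "systemd"` in core-image-minimal-uefi-secureboot.inc is most likely redundant once INIT_MANAGER = "systemd" is set, because the core-image-minimal boot packagegroup already installs the selected init manager; if the intent is to make sure the efi-enabled systemd build lands in the image regardless of the init manager, a comment saying so would stop the next person from removing the line.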
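Review bot: a new .inc whose only content is `PACKAGECONFIG:append = " efi"` is not worth the indirection; the conditional can live in the bbappend itself as `PACKAGECONFIG:append = "${@bb.utils.contains('MACHINE_FEATURES', 'efi', ' efi', '', d)}"`. Separately, the reply in this thread justifies systemd with dm-verity, TPM and UKI signing, but the efi PACKAGECONFIG only builds systemd's EFI-side components; dm-verity and TPM support come from other PACKAGECONFIG options of the systemd recipe (cryptsetup and tpm2 in oe-core, from memory) and are not enabled here, so either enable those as well or narrow the justification to what this patch actually turns on.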
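Review bot: making systemd's PACKAGECONFIG depend on MACHINE_FEATURES turns a normally architecture-wide package into a machine-dependent one without telling bitbake: two machines sharing a build directory (qemuarm64 and qemuarm64-secureboot, say) would produce differently configured systemd packages under the same package architecture. The bbappend should also set `PACKAGE_ARCH = "${MACHINE_ARCH}"` when the efi feature is present, or the efi selection should move to distro level where PACKAGECONFIG choices normally live.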
Signed-off-by: Javier Tia <javier.tia@linaro.org> --- meta-arm/conf/machine/qemuarm64-secureboot.conf | 5 +++++ .../images/core-image-minimal-uefi-secureboot.inc | 2 ++ meta-arm/recipes-core/systemd/systemd-efi.inc | 1 + meta-arm/recipes-core/systemd/systemd_%.bbappend | 1 + 4 files changed, 9 insertions(+) create mode 100644 meta-arm/recipes-core/systemd/systemd-efi.inc create mode 100644 meta-arm/recipes-core/systemd/systemd_%.bbappend