
[3/4] uefi-secureboot.yml: switch to Unified Kernel Image (UKI)

Message ID 20241122133904.202082-4-mikko.rapeli@linaro.org
State New
Series uefi secureboot with Unified Kernel Image (UKI) | expand

Commit Message

Mikko Rapeli Nov. 22, 2024, 1:39 p.m. UTC
A Unified Kernel Image (UKI) includes the kernel and initrd, both of
which are signed with UEFI secure boot. This brings secure
boot closer to userspace.

Use core-image-initramfs-boot to find the real
rootfs and boot systemd init there. No need to hard code
rootfs via qemuboot/runqemu variables.

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
---
 ci/uefi-secureboot.yml | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

Patch

diff --git a/ci/uefi-secureboot.yml b/ci/uefi-secureboot.yml
index e84d3bc6..4cc4e658 100644
--- a/ci/uefi-secureboot.yml
+++ b/ci/uefi-secureboot.yml
@@ -32,4 +32,20 @@  local_conf_header:
 
     IMAGE_INSTALL:append = " systemd systemd-boot util-linux coreutils"
 
-    TEST_SUITES:append = " uefi_secureboot"
+    TEST_SUITES:append = " uefi_secureboot uki"
+
+    IMAGE_CLASSES += "uki"
+
+    IMAGE_CLASSES += "sbsign"
+    UKI_SB_KEY = "${SBSIGN_KEY}"
+    UKI_SB_CERT = "${SBSIGN_CERT}"
+    QB_KERNEL_ROOT = ""
+    IMAGE_BOOT_FILES:remove = "Image"
+
+    INITRAMFS_IMAGE = "core-image-initramfs-boot"
+    # not for initramfs image recipe
+    IMAGE_CLASSES:remove:pn-core-image-initramfs-boot = "uki"
+    IMAGE_CLASSES:remove:pn-core-image-initramfs-boot = "sbsign"
+    IMAGE_CLASSES:remove:pn-core-image-initramfs-boot = "testimage"
+    IMAGE_FEATURES:remove:pn-core-image-initramfs-boot = "ssh-server-dropbear"
+    CORE_IMAGE_EXTRA_INSTALL:remove:pn-core-image-initramfs-boot = "ssh-pregen-hostkeys"
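Review bot: `QB_KERNEL_ROOT = ""` and `IMAGE_BOOT_FILES:remove = "Image"` carry no comment, although they appear to be what keeps the boot path on the signed UKI, so a later edit could revert either without noticing the effect. I would add `# rootfs is located by the initramfs inside the signed UKI, so runqemu passes no root=` above the first and `# kernel ships only inside the signed UKI, not as a separate Image in the boot files` above the second. The signature covers kernel and initrd, while the root filesystem is discovered at run time; nothing in this hunk (dm-verity or similar) suggests the rootfs is verified, so a one-line comment stating where the verified chain ends would help readers of this CI config. `SBSIGN_KEY` and `SBSIGN_CERT` are defined outside the hunk; if they are test keys, as seems likely for a CI file, a comment next to `UKI_SB_KEY` should say so.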