From: Mikko Rapeli
To: openembedded-core@lists.openembedded.org
Cc: Mikko Rapeli
Subject: [PATCH 0/3] systemd uki support
Date: Mon, 2 Sep 2024 12:41:14 +0300
Message-ID: <20240902094117.31156-1-mikko.rapeli@linaro.org>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/204064

These changes enable building systemd UKI images, which combine the kernel, kernel command line, initrd and possibly signatures into a single UEFI binary. This binary can be booted with UEFI firmware and systemd-boot. No grub is needed, and UEFI firmware and/or systemd-boot provide possibilities for boot menus.
The UKI binary can also be signed for UEFI secure boot, so that secure boot extends from firmware to kernel and initrd. Binding secure boot to full userspace is then easier, since for example the kernel command line and initrd contain the support needed to mount encrypted, dm-verity etc. partitions, and/or to create partitions on demand with systemd-repart using device-specific TPM devices for encryption.

Tested on the qemuarm64-secureboot machine from meta-arm with changes to support secure boot. A slightly different configuration was tested on multiple arm64 SystemReady boards with UEFI firmware and real and firmware-based TPM devices.

Erik Schilling (1):
  systemd-tools: add recipe

Michelle Lin (1):
  uki.bbclass: add class for building Unified Kernel Images (UKI)

Mikko Rapeli (1):
  bitbake.conf: add getopt to HOSTTOOLS

 meta/classes-recipe/uki.bbclass                  | 158 ++++++++++++++++++
 meta/conf/bitbake.conf                           |   2 +-
 .../systemd/systemd-tools_256.5.bb               |  41 +++++
 3 files changed, 200 insertions(+), 1 deletion(-)
 create mode 100644 meta/classes-recipe/uki.bbclass
 create mode 100644 meta/recipes-core/systemd/systemd-tools_256.5.bb
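The cover letter describes a UKI as a single UEFI binary that carries the kernel, command line and initrd, and says the whole thing is what gets signed for secure boot. A practical consequence is that the command line baked into the image is part of the trusted boot chain, so it is worth checking what actually ended up inside the built (and signed) file. The following is an added example, not code from this patch series, from uki.bbclass or from systemd's ukify: a UKI is an ordinary PE/COFF image whose payload lives in named sections (.linux, .cmdline, .initrd, .osrel, ...), so walking the PE section table is enough to extract them. The `build_fake_uki` helper constructs a minimal, non-bootable PE container purely as offline test input; the section names and the expected-cmdline policy in `check_uki` are assumptions for the example.

```python
"""Inspect the named sections of a Unified Kernel Image (PE/COFF file).

Added example, not part of the patch series, uki.bbclass or ukify.
"""
from __future__ import annotations

import struct

# Section names used by systemd's UKI layout (assumed list for this example).
UKI_SECTIONS = (".linux", ".cmdline", ".initrd", ".osrel", ".uname",
                ".splash", ".dtb", ".pcrsig", ".pcrpkey")


def pe_sections(data: bytes) -> dict[str, bytes]:
    """Return {section name: raw bytes} for every section of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsec, _ts, _symp, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)
    table = pe_off + 4 + 20 + opt_size                      # skip optional header
    out: dict[str, bytes] = {}
    for i in range(nsec):
        name_raw, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        name = name_raw.rstrip(b"\0").decode("ascii", "replace")
        # VirtualSize is the real payload length; SizeOfRawData is padded up
        # to the file alignment, so take the smaller of the two when both are set.
        size = min(vsize, raw_size) if vsize else raw_size
        out[name] = data[raw_ptr:raw_ptr + size]
    return out


def uki_sections(data: bytes) -> dict[str, bytes]:
    """Only the UKI-specific sections, keyed without the leading dot."""
    return {n.lstrip("."): b for n, b in pe_sections(data).items()
            if n in UKI_SECTIONS}


def cmdline_of(data: bytes) -> str:
    """Kernel command line embedded in .cmdline (NUL-terminated in the file)."""
    raw = uki_sections(data).get("cmdline", b"")
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace").strip()


def check_uki(data: bytes, expected_cmdline: str) -> list[str]:
    """Pre-deployment sanity checks: required pieces present, cmdline as intended."""
    secs = uki_sections(data)
    problems = []
    for required in ("linux", "cmdline", "initrd"):
        if required not in secs:
            problems.append(f"missing .{required} section")
    if "cmdline" in secs and cmdline_of(data) != expected_cmdline.strip():
        problems.append(f"cmdline mismatch: {cmdline_of(data)!r}")
    return problems


def build_fake_uki(sections: dict[str, bytes], align: int = 512) -> bytes:
    """Constructed test input: a minimal PE/COFF container holding the given
    sections with an empty optional header. It is NOT bootable (no EFI stub
    code); only the section-table layout mimics a real UKI."""
    nsec = len(sections)
    pe_off = 0x40
    hdr_end = pe_off + 4 + 20 + 40 * nsec
    start = -(-hdr_end // align) * align                   # first raw data offset
    raw_ptr = start
    table = b""
    payload = b""
    for name, body in sections.items():
        raw_size = -(-len(body) // align) * align
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics (INITIALIZED_DATA | MEM_READ)
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(body),
                             raw_ptr, raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040)
        payload += body.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    coff = struct.pack("<HHIIIHH", 0xAA64, nsec, 0, 0, 0, 0, 0x0002)  # ARM64, EXECUTABLE
    header = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", pe_off)
    header += b"PE\0\0" + coff + table
    return header.ljust(start, b"\0") + payload


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read()
    for n, b in uki_sections(image).items():
        print(f"{n:8s} {len(b):10d} bytes")
    print("cmdline:", cmdline_of(image))
```

Run it against the UKI that uki.bbclass produces (after signing as well, since sbsign appends a certificate table but leaves the section data in place) to confirm the kernel, initrd and the exact command line that will be measured and trusted are the ones you intended.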